diff --git a/README.md b/README.md index 02ec37444..eeff20a5c 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,7 @@ The SAF CLI is the successor to [Heimdall Tools](https://github.com/mitre/heimda ### Convert Other Formats to HDF * [Convert To HDF](#convert-to-hdf) + * [Anchore Grype to HDF](#anchore-grype-to-hdf) * [ASFF to HDF](#asff-to-hdf) * [AWS Config to HDF](#aws-config-to-hdf) * [Burp Suite to HDF](#burp-suite-to-hdf) @@ -280,6 +281,23 @@ Want to Recommend or Help Develop a Converter? See [the wiki](https://github.com ### Convert From HDF +[top](#convert-other-formats-to-hdf) +#### Anchore Grype to HDF +``` +convert anchoregrype2hdf Translate a Anchore Grype output file into an HDF results set + + USAGE + $ saf convert anchoregrype2hdf -i -o + + FLAGS + -h, --help Show CLI help. + -i, --input= (required) Input Anchore Grype file + -o, --output= (required) Output HDF JSON File + + EXAMPLES + $ saf convert anchoregrype2hdf -i anchoregrype.json -o output-hdf-name.json +``` + #### HDF to ASFF diff --git a/src/commands/convert/anchoregrype2hdf.ts b/src/commands/convert/anchoregrype2hdf.ts new file mode 100644 index 000000000..2c9fcb782 --- /dev/null +++ b/src/commands/convert/anchoregrype2hdf.ts @@ -0,0 +1,27 @@ +import {Command, Flags} from '@oclif/core' +import fs from 'fs' +import {AnchoreGrypeMapper as Mapper} from '@mitre/hdf-converters' +import {checkSuffix} from '../../utils/global' + +export default class AnchoreGrype2HDF extends Command { + static usage = 'convert anchoregrype2hdf -i -o ' + + static description = 'Translate a Anchore Grype output file into an HDF results set' + + static examples = ['saf convert anchoregrype2hdf -i anchoregrype.json -o output-hdf-name.json'] + + static flags = { + help: Flags.help({char: 'h'}), + input: Flags.string({char: 'i', required: true, description: 'Input Anchore Grype file'}), + output: Flags.string({char: 'o', required: true, description: 'Output HDF file'}), + 'with-raw': Flags.boolean({char: 'w', required: false}), + } + + async run() { + const {flags} = await this.parse(AnchoreGrype2HDF) + const input = fs.readFileSync(flags.input, 'utf8') + + const converter = new Mapper(input, flags['with-raw']) + fs.writeFileSync(checkSuffix(flags.output), JSON.stringify(converter.toHdf(), null, 2)) + } +} diff --git a/src/commands/convert/index.ts b/src/commands/convert/index.ts index 4b7a79800..0dc69c788 100644 --- a/src/commands/convert/index.ts +++ b/src/commands/convert/index.ts @@ -1,4 +1,4 @@ -import {ASFFResults, ChecklistResults, BurpSuiteMapper, ConveyorResults, CycloneDXSBOMResults, DBProtectMapper, fingerprint, FortifyMapper, JfrogXrayMapper, MsftSecureScoreMapper, NessusResults, NetsparkerMapper, NiktoMapper, PrismaMapper, SarifMapper, ScoutsuiteMapper, SnykResults, TrufflehogResults, TwistlockResults, XCCDFResultsMapper, ZapMapper} from '@mitre/hdf-converters' +import {AnchoreGrypeMapper, ASFFResults, ChecklistResults, BurpSuiteMapper, ConveyorResults, CycloneDXSBOMResults, DBProtectMapper, fingerprint, FortifyMapper, JfrogXrayMapper, MsftSecureScoreMapper, NessusResults, NetsparkerMapper, NiktoMapper, PrismaMapper, SarifMapper, ScoutsuiteMapper, SnykResults, TrufflehogResults, TwistlockResults, XCCDFResultsMapper, ZapMapper} from '@mitre/hdf-converters' import fs from 'fs' import _ from 'lodash' import {checkSuffix, convertFullPathToFilename} from '../../utils/global' @@ -39,6 +39,7 @@ export default class Convert extends Command { return Zap2HDF.flags } + case 'anchoregrype': case 'burp': case 'conveyor': case 'checklist': @@ -71,6 +72,12 @@ export default class Convert extends Command { const {flags} = await this.parse(Convert) let converter switch (Convert.detectedType) { + case 'anchoregrype': { + converter = new AnchoreGrypeMapper(fs.readFileSync(flags.input, 'utf8')) + fs.writeFileSync(checkSuffix(flags.output), JSON.stringify(converter.toHdf(), null, 2)) + break + } + case 'asff': { let securityhub = _.get(flags, 'securityhub') as string[] if (securityhub) { diff --git a/test/commands/convert/anchoregrype2hdf.test.ts b/test/commands/convert/anchoregrype2hdf.test.ts new file mode 100644 index 000000000..948b93862 --- /dev/null +++ b/test/commands/convert/anchoregrype2hdf.test.ts @@ -0,0 +1,188 @@ +import { expect, test } from "@oclif/test"; +import tmp from "tmp"; +import path from "path"; +import fs from "fs"; +import { omitHDFChangingFields } from "../utils"; + +describe("Test anchore grype", () => { + const tmpobj = tmp.dirSync({ unsafeCleanup: true }); + + test + .stdout() + .command([ + "convert anchoregrype2hdf", + "-i", + path.resolve( + "./test/sample_data/anchoregrype/sample_input_report/anchore_grype.json" + ), + "-o", + `${tmpobj.name}/anchore-grype-hdf.json`, + ]) + .it("hdf-converter output test", () => { + const converted = JSON.parse( + fs.readFileSync(`${tmpobj.name}/anchore-grype-hdf.json`, "utf8") + ); + const sample = JSON.parse( + fs.readFileSync( + path.resolve("./test/sample_data/anchoregrype/anchore-grype-hdf.json"), + "utf8" + ) + ); + expect(omitHDFChangingFields(converted)).to.eql( + omitHDFChangingFields(sample) + ); + }); +}); + +describe("Test anchore grype withraw flag", () => { + const tmpobj = tmp.dirSync({ unsafeCleanup: true }); + + test + .stdout() + .command([ + "convert anchoregrype2hdf", + "-i", + path.resolve( + "./test/sample_data/anchoregrype/sample_input_report/anchore_grype.json" + ), + "-o", + `${tmpobj.name}/anchore-grype-withraw.json`, + "-w", + ]) + .it("hdf-converter withraw output test", () => { + const converted = JSON.parse( + fs.readFileSync(`${tmpobj.name}/anchore-grype-withraw.json`, "utf8") + ); + const sample = JSON.parse( + fs.readFileSync( + path.resolve("./test/sample_data/anchoregrype/anchore-grype-withraw.json"), + "utf8" + ) + ); + expect(omitHDFChangingFields(converted)).to.eql( + omitHDFChangingFields(sample) + ); + }); +}); + +describe("Test amazon anchore grype", () => { + const tmpobj = tmp.dirSync({ unsafeCleanup: true }); + + test + .stdout() + .command([ + "convert anchoregrype2hdf", + "-i", + path.resolve( + "./test/sample_data/anchoregrype/sample_input_report/amazon.json" + ), + "-o", + `${tmpobj.name}/amazon-grype-hdf.json`, + ]) + .it("hdf-converter output test", () => { + const converted = JSON.parse( + fs.readFileSync(`${tmpobj.name}/amazon-grype-hdf.json`, "utf8") + ); + const sample = JSON.parse( + fs.readFileSync( + path.resolve("./test/sample_data/anchoregrype/amazon-grype-hdf.json"), + "utf8" + ) + ); + expect(omitHDFChangingFields(converted)).to.eql( + omitHDFChangingFields(sample) + ); + }); + }); + + describe("Test amazon anchore grype withraw flag", () => { + const tmpobj = tmp.dirSync({ unsafeCleanup: true }); + + test + .stdout() + .command([ + "convert anchoregrype2hdf", + "-i", + path.resolve( + "./test/sample_data/anchoregrype/sample_input_report/amazon.json" + ), + "-o", + `${tmpobj.name}/amazon-grype-withraw.json`, + "-w", + ]) + .it("hdf-converter withraw output test", () => { + const converted = JSON.parse( + fs.readFileSync(`${tmpobj.name}/amazon-grype-withraw.json`, "utf8") + ); + const sample = JSON.parse( + fs.readFileSync( + path.resolve("./test/sample_data/anchoregrype/amazon-grype-withraw.json"), + "utf8" + ) + ); + expect(omitHDFChangingFields(converted)).to.eql( + omitHDFChangingFields(sample) + ); + }); + }); + + describe("Test tensorflow anchore grype", () => { + const tmpobj = tmp.dirSync({ unsafeCleanup: true }); + + test + .stdout() + .command([ + "convert anchoregrype2hdf", + "-i", + path.resolve( + "./test/sample_data/anchoregrype/sample_input_report/tensorflow.json" + ), + "-o", + `${tmpobj.name}/tensorflow-grype-hdf.json`, + ]) + .it("hdf-converter output test", () => { + const converted = JSON.parse( + fs.readFileSync(`${tmpobj.name}/tensorflow-grype-hdf.json`, "utf8") + ); + const sample = JSON.parse( + fs.readFileSync( + path.resolve("./test/sample_data/anchoregrype/tensorflow-grype-hdf.json"), + "utf8" + ) + ); + expect(omitHDFChangingFields(converted)).to.eql( + omitHDFChangingFields(sample) + ); + }); + }); + + describe("Test tensorflow anchore grype withraw flag", () => { + const tmpobj = tmp.dirSync({ unsafeCleanup: true }); + + test + .stdout() + .command([ + "convert anchoregrype2hdf", + "-i", + path.resolve( + "./test/sample_data/anchoregrype/sample_input_report/tensorflow.json" + ), + "-o", + `${tmpobj.name}/tensorflow-grype-withraw.json`, + "-w", + ]) + .it("hdf-converter withraw output test", () => { + const converted = JSON.parse( + fs.readFileSync(`${tmpobj.name}/tensorflow-grype-withraw.json`, "utf8") + ); + const sample = JSON.parse( + fs.readFileSync( + path.resolve("./test/sample_data/anchoregrype/tensorflow-grype-withraw.json"), + "utf8" + ) + ); + expect(omitHDFChangingFields(converted)).to.eql( + omitHDFChangingFields(sample) + ); + }); + }); \ No newline at end of file diff --git a/test/sample_data/anchoregrype/amazon-grype-hdf.json b/test/sample_data/anchoregrype/amazon-grype-hdf.json new file mode 100644 index 000000000..4c80aaa71 --- /dev/null +++ b/test/sample_data/anchoregrype/amazon-grype-hdf.json @@ -0,0 +1,981 @@ +{ + "platform": { + "name": "Heimdall Tools", + "release": "2.10.15", + "target_id": null + }, + "version": "2.10.15", + "statistics": { + "duration": null + }, + "profiles": [ + { + "name": "Anchore - Grype", + "title": "Anchore Grype Matches", + "version": "0.79.3", + "maintainer": null, + "summary": null, + "license": null, + "copyright": null, + "copyright_email": null, + "supports": [], + "attributes": [], + "depends": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "ALAS-2024-2607", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 2023.2.68-1.amzn2.0.1", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2607.html" + }, + { + "url": "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463" + }, + { + "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc" + }, + { + "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to ALAS-2024-2607 in cloudwatch_to_s3:latest", + "id": "Grype/ALAS-2024-2607", + "desc": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\" (CVE-2024-39689)", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"ALAS-2024-2607\",\n \"dataSource\": \"https://alas.aws.amazon.com/AL2/ALAS-2024-2607.html\",\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://alas.aws.amazon.com/AL2/ALAS-2024-2607.html\"\n ],\n \"description\": \"Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \\\"long-running and unresolved compliance issues.\\\" (CVE-2024-39689)\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"2023.2.68-1.amzn2.0.1\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39689\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39689\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463\",\n \"https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc\",\n \"https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI\"\n ],\n \"description\": \"Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \\\"long-running and unresolved compliance issues.\\\"\",\n \"cvss\": [\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"rpm-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"amazonlinux\",\n \"version\": \"2\"\n },\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"package\": {\n \"name\": \"ca-certificates\",\n \"version\": \"0:2023.2.64-1.amzn2.0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 2023.2.68-1.amzn2.0.1 (rpm)\",\n \"vulnerabilityID\": \"ALAS-2024-2607\"\n }\n }\n]", + "message": "{\n \"id\": \"3fdee4f2791be89b\",\n \"name\": \"ca-certificates\",\n \"version\": \"2023.2.64-1.amzn2.0.1\",\n \"type\": \"rpm\",\n \"locations\": [\n {\n \"path\": \"/var/lib/rpm/Packages\",\n \"layerID\": \"sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Public Domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ca-certificates:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ca-certificates:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ca_certificates:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ca_certificates:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:amazonlinux:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:amazonlinux:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ca:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ca:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:rpm/amzn/ca-certificates@2023.2.64-1.amzn2.0.1?arch=noarch&upstream=ca-certificates-2023.2.64-1.amzn2.0.1.src.rpm&distro=amzn-2\",\n \"upstreams\": [],\n \"metadataType\": \"RpmMetadata\",\n \"metadata\": {\n \"epoch\": null,\n \"modularityLabel\": \"\"\n }\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "ALAS-2024-2595", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.15.1-55.amzn2.2.8", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2595.html" + }, + { + "url": "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" + }, + { + "url": "https://web.mit.edu/kerberos/www/advisories/" + }, + { + "url": "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" + }, + { + "url": "https://web.mit.edu/kerberos/www/advisories/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to ALAS-2024-2595 in cloudwatch_to_s3:latest", + "id": "Grype/ALAS-2024-2595", + "desc": "krb5: GSS message token handling (CVE-2024-37370)In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. (CVE-2024-37371)", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"ALAS-2024-2595\",\n \"dataSource\": \"https://alas.aws.amazon.com/AL2/ALAS-2024-2595.html\",\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://alas.aws.amazon.com/AL2/ALAS-2024-2595.html\"\n ],\n \"description\": \"krb5: GSS message token handling (CVE-2024-37370)In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. (CVE-2024-37371)\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.15.1-55.amzn2.2.8\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37370\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37370\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef\",\n \"https://web.mit.edu/kerberos/www/advisories/\"\n ],\n \"description\": \"In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n },\n {\n \"id\": \"CVE-2024-37371\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37371\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef\",\n \"https://web.mit.edu/kerberos/www/advisories/\"\n ],\n \"description\": \"In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"rpm-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"amazonlinux\",\n \"version\": \"2\"\n },\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"package\": {\n \"name\": \"krb5-libs\",\n \"version\": \"0:1.15.1-55.amzn2.2.7\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.15.1-55.amzn2.2.8 (rpm)\",\n \"vulnerabilityID\": \"ALAS-2024-2595\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"rpm-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"amazonlinux\",\n \"version\": \"2\"\n },\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.15.1-55.amzn2.2.7\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.15.1-55.amzn2.2.8 (rpm)\",\n \"vulnerabilityID\": \"ALAS-2024-2595\"\n }\n }\n]", + "message": "{\n \"id\": \"3bb967025c5652e0\",\n \"name\": \"krb5-libs\",\n \"version\": \"1.15.1-55.amzn2.2.7\",\n \"type\": \"rpm\",\n \"locations\": [\n {\n \"path\": \"/var/lib/rpm/Packages\",\n \"layerID\": \"sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"MIT\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:amazonlinux:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:amazonlinux:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5-libs:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5-libs:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5_libs:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5_libs:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:rpm/amzn/krb5-libs@1.15.1-55.amzn2.2.7?arch=aarch64&upstream=krb5-1.15.1-55.amzn2.2.7.src.rpm&distro=amzn-2\",\n \"upstreams\": [\n {\n \"name\": \"krb5\",\n \"version\": \"1.15.1-55.amzn2.2.7\"\n }\n ],\n \"metadataType\": \"RpmMetadata\",\n \"metadata\": {\n \"epoch\": null,\n \"modularityLabel\": \"\"\n }\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "ALAS-2024-2604", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.0.2k-24.amzn2.0.13", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2604.html" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/27/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4" + }, + { + "url": "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37" + }, + { + "url": "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e" + }, + { + "url": "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c" + }, + { + "url": "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240712-0005/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240627.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to ALAS-2024-2604 in cloudwatch_to_s3:latest", + "id": "Grype/ALAS-2024-2604", + "desc": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with anempty supported client protocols buffer may cause a crash or memory contents tobe sent to the peer.Impact summary: A buffer overread can have a range of potential consequencessuch as unexpected application beahviour or a crash. In particular this issuecould result in up to 255 bytes of arbitrary private data from memory being sentto the peer leading to a loss of confidentiality. However, only applicationsthat directly call the SSL_select_next_proto function with a 0 length list ofsupported client protocols are affected by this issue. This would normally neverbe a valid scenario and is typically not under attacker control but may occur byaccident in the case of a configuration or programming error in the callingapplication.The OpenSSL API function SSL_select_next_proto is typically used by TLSapplications that support ALPN (Application Layer Protocol Negotiation) or NPN(Next Protocol Negotiation). NPN is older, was never standardised andis deprecated in favour of ALPN. We believe that ALPN is significantly morewidely deployed than NPN. The SSL_select_next_proto function accepts a list ofprotocols from the server and a list of protocols from the client and returnsthe first protocol that appears in the server list that also appears in theclient list. In the case of no overlap between the two lists it returns thefirst item in the client list. In either case it will signal whether an overlapbetween the two lists was found. In the case where SSL_select_next_proto iscalled with a zero length client list it fails to notice this condition andreturns the memory immediately following the client list pointer (and reportsthat there was no overlap in the lists).This function is typically called from a server side application callback forALPN or a client side application callback for NPN. In the case of ALPN the listof protocols supplied by the client is guaranteed by libssl to never be zero inlength. The list of server protocols comes from the application and should nevernormally be expected to be of zero length. In this case if theSSL_select_next_proto function has been called as expected (with the listsupplied by the client passed in the client/client_len parameters), then theapplication will not be vulnerable to this issue. If the application hasaccidentally been configured with a zero length server list, and hasaccidentally passed that zero length server list in the client/client_lenparameters, and has additionally failed to correctly handle a \"no overlap\"response (which would normally result in a handshake failure in ALPN) then itwill be vulnerable to this problem.In the case of NPN, the protocol permits the client to opportunistically selecta protocol when there is no overlap. OpenSSL returns the first client protocolin the no overlap case in support of this. The list of client protocols comesfrom the application and should never normally be expected to be of zero length.However if the SSL_select_next_proto function is accidentally called with aclient_len of 0 then an invalid memory pointer will be returned instead. If theapplication uses this output as the opportunistic protocol then the loss ofconfidentiality will occur.This issue has been assessed as Low severity because applications are mostlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is notwidely used. It also requires an application configuration or programming error.Finally, this issue would not typically be under attacker control making activeexploitation unlikely.The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.Due to the low severity of this issue we are not issuing new releases ofOpenSSL at this time. The fix will be included in the next releases when theybecome available. (CVE-2024-5535)", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"ALAS-2024-2604\",\n \"dataSource\": \"https://alas.aws.amazon.com/AL2/ALAS-2024-2604.html\",\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://alas.aws.amazon.com/AL2/ALAS-2024-2604.html\"\n ],\n \"description\": \"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with anempty supported client protocols buffer may cause a crash or memory contents tobe sent to the peer.Impact summary: A buffer overread can have a range of potential consequencessuch as unexpected application beahviour or a crash. In particular this issuecould result in up to 255 bytes of arbitrary private data from memory being sentto the peer leading to a loss of confidentiality. However, only applicationsthat directly call the SSL_select_next_proto function with a 0 length list ofsupported client protocols are affected by this issue. This would normally neverbe a valid scenario and is typically not under attacker control but may occur byaccident in the case of a configuration or programming error in the callingapplication.The OpenSSL API function SSL_select_next_proto is typically used by TLSapplications that support ALPN (Application Layer Protocol Negotiation) or NPN(Next Protocol Negotiation). NPN is older, was never standardised andis deprecated in favour of ALPN. We believe that ALPN is significantly morewidely deployed than NPN. The SSL_select_next_proto function accepts a list ofprotocols from the server and a list of protocols from the client and returnsthe first protocol that appears in the server list that also appears in theclient list. In the case of no overlap between the two lists it returns thefirst item in the client list. In either case it will signal whether an overlapbetween the two lists was found. In the case where SSL_select_next_proto iscalled with a zero length client list it fails to notice this condition andreturns the memory immediately following the client list pointer (and reportsthat there was no overlap in the lists).This function is typically called from a server side application callback forALPN or a client side application callback for NPN. In the case of ALPN the listof protocols supplied by the client is guaranteed by libssl to never be zero inlength. The list of server protocols comes from the application and should nevernormally be expected to be of zero length. In this case if theSSL_select_next_proto function has been called as expected (with the listsupplied by the client passed in the client/client_len parameters), then theapplication will not be vulnerable to this issue. If the application hasaccidentally been configured with a zero length server list, and hasaccidentally passed that zero length server list in the client/client_lenparameters, and has additionally failed to correctly handle a \\\"no overlap\\\"response (which would normally result in a handshake failure in ALPN) then itwill be vulnerable to this problem.In the case of NPN, the protocol permits the client to opportunistically selecta protocol when there is no overlap. OpenSSL returns the first client protocolin the no overlap case in support of this. The list of client protocols comesfrom the application and should never normally be expected to be of zero length.However if the SSL_select_next_proto function is accidentally called with aclient_len of 0 then an invalid memory pointer will be returned instead. If theapplication uses this output as the opportunistic protocol then the loss ofconfidentiality will occur.This issue has been assessed as Low severity because applications are mostlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is notwidely used. It also requires an application configuration or programming error.Finally, this issue would not typically be under attacker control making activeexploitation unlikely.The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.Due to the low severity of this issue we are not issuing new releases ofOpenSSL at this time. The fix will be included in the next releases when theybecome available. (CVE-2024-5535)\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.0.2k-24.amzn2.0.13\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-5535\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-5535\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/27/1\",\n \"http://www.openwall.com/lists/oss-security/2024/06/28/4\",\n \"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37\",\n \"https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e\",\n \"https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c\",\n \"https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87\",\n \"https://security.netapp.com/advisory/ntap-20240712-0005/\",\n \"https://www.openssl.org/news/secadv/20240627.txt\"\n ],\n \"description\": \"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\\nempty supported client protocols buffer may cause a crash or memory contents to\\nbe sent to the peer.\\n\\nImpact summary: A buffer overread can have a range of potential consequences\\nsuch as unexpected application beahviour or a crash. In particular this issue\\ncould result in up to 255 bytes of arbitrary private data from memory being sent\\nto the peer leading to a loss of confidentiality. However, only applications\\nthat directly call the SSL_select_next_proto function with a 0 length list of\\nsupported client protocols are affected by this issue. This would normally never\\nbe a valid scenario and is typically not under attacker control but may occur by\\naccident in the case of a configuration or programming error in the calling\\napplication.\\n\\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\\n(Next Protocol Negotiation). NPN is older, was never standardised and\\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\\nprotocols from the server and a list of protocols from the client and returns\\nthe first protocol that appears in the server list that also appears in the\\nclient list. In the case of no overlap between the two lists it returns the\\nfirst item in the client list. In either case it will signal whether an overlap\\nbetween the two lists was found. In the case where SSL_select_next_proto is\\ncalled with a zero length client list it fails to notice this condition and\\nreturns the memory immediately following the client list pointer (and reports\\nthat there was no overlap in the lists).\\n\\nThis function is typically called from a server side application callback for\\nALPN or a client side application callback for NPN. In the case of ALPN the list\\nof protocols supplied by the client is guaranteed by libssl to never be zero in\\nlength. The list of server protocols comes from the application and should never\\nnormally be expected to be of zero length. In this case if the\\nSSL_select_next_proto function has been called as expected (with the list\\nsupplied by the client passed in the client/client_len parameters), then the\\napplication will not be vulnerable to this issue. If the application has\\naccidentally been configured with a zero length server list, and has\\naccidentally passed that zero length server list in the client/client_len\\nparameters, and has additionally failed to correctly handle a \\\"no overlap\\\"\\nresponse (which would normally result in a handshake failure in ALPN) then it\\nwill be vulnerable to this problem.\\n\\nIn the case of NPN, the protocol permits the client to opportunistically select\\na protocol when there is no overlap. OpenSSL returns the first client protocol\\nin the no overlap case in support of this. The list of client protocols comes\\nfrom the application and should never normally be expected to be of zero length.\\nHowever if the SSL_select_next_proto function is accidentally called with a\\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\\napplication uses this output as the opportunistic protocol then the loss of\\nconfidentiality will occur.\\n\\nThis issue has been assessed as Low severity because applications are most\\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\\nwidely used. It also requires an application configuration or programming error.\\nFinally, this issue would not typically be under attacker control making active\\nexploitation unlikely.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\\n\\nDue to the low severity of this issue we are not issuing new releases of\\nOpenSSL at this time. The fix will be included in the next releases when they\\nbecome available.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"rpm-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"amazonlinux\",\n \"version\": \"2\"\n },\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"package\": {\n \"name\": \"openssl-libs\",\n \"version\": \"1:1.0.2k-24.amzn2.0.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.0.2k-24.amzn2.0.13 (rpm)\",\n \"vulnerabilityID\": \"ALAS-2024-2604\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"rpm-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"amazonlinux\",\n \"version\": \"2\"\n },\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.0.2k-24.amzn2.0.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.0.2k-24.amzn2.0.13 (rpm)\",\n \"vulnerabilityID\": \"ALAS-2024-2604\"\n }\n }\n]", + "message": "{\n \"id\": \"ca07aa6bdda5c274\",\n \"name\": \"openssl-libs\",\n \"version\": \"1:1.0.2k-24.amzn2.0.12\",\n \"type\": \"rpm\",\n \"locations\": [\n {\n \"path\": \"/var/lib/rpm/Packages\",\n \"layerID\": \"sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl-libs:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl-libs:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl_libs:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl_libs:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:amazonlinux:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:amazonlinux:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:rpm/amzn/openssl-libs@1.0.2k-24.amzn2.0.12?arch=aarch64&epoch=1&upstream=openssl-1.0.2k-24.amzn2.0.12.src.rpm&distro=amzn-2\",\n \"upstreams\": [\n {\n \"name\": \"openssl\",\n \"version\": \"1.0.2k-24.amzn2.0.12\"\n }\n ],\n \"metadataType\": \"RpmMetadata\",\n \"metadata\": {\n \"epoch\": 1,\n \"modularityLabel\": \"\"\n }\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "GHSA-mq26-g339-26xf", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 23.3", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/advisories/GHSA-mq26-g339-26xf" + }, + { + "url": "https://github.com/pypa/pip/pull/12306" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to GHSA-mq26-g339-26xf in cloudwatch_to_s3:latest", + "id": "Grype/GHSA-mq26-g339-26xf", + "desc": "Command Injection in pip when used with Mercurial", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"GHSA-mq26-g339-26xf\",\n \"dataSource\": \"https://github.com/advisories/GHSA-mq26-g339-26xf\",\n \"namespace\": \"github:language:python\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/advisories/GHSA-mq26-g339-26xf\"\n ],\n \"description\": \"Command Injection in pip when used with Mercurial\",\n \"cvss\": [\n {\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {\n \"base_severity\": \"Medium\",\n \"status\": \"N/A\"\n }\n }\n ],\n \"fix\": {\n \"versions\": [\n \"23.3\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-5752\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-5752\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://github.com/pypa/pip/pull/12306\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/\"\n ],\n \"description\": \"When installing a package from a Mercurial VCS URL (ie \\\"pip install \\nhg+...\\\") with pip prior to v23.3, the specified Mercurial revision could\\n be used to inject arbitrary configuration options to the \\\"hg clone\\\" \\ncall (ie \\\"--config\\\"). Controlling the Mercurial configuration can modify\\n how and which repository is installed. This vulnerability does not \\naffect users who aren't installing from Mercurial.\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"cna@python.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"python-matcher\",\n \"searchedBy\": {\n \"language\": \"python\",\n \"namespace\": \"github:language:python\",\n \"package\": {\n \"name\": \"pip\",\n \"version\": \"23.0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"<23.3 (python)\",\n \"vulnerabilityID\": \"GHSA-mq26-g339-26xf\"\n }\n }\n]", + "message": "{\n \"id\": \"8cac57bcd656efc6\",\n \"name\": \"pip\",\n \"version\": \"23.0.1\",\n \"type\": \"python\",\n \"locations\": [\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/RECORD\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/top_level.txt\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"python\",\n \"licenses\": [\n \"MIT\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:pip_developers_project:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developers_project:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig_project:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig_project:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developersproject:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developersproject:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sigproject:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sigproject:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developers_project:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig_project:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developers:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developers:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developersproject:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils-sig:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils-sig:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sigproject:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python-pip:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python-pip:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python_pip:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python_pip:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developers:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils-sig:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pypa:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pypa:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python-pip:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python_pip:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pypa:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip:pip:23.0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:pypi/pip@23.0.1\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-7592", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/python/cpython/issues/123067" + }, + { + "url": "https://github.com/python/cpython/pull/123075" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-7592 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-7592", + "desc": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-7592\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-7592\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/issues/123067\",\n \"https://github.com/python/cpython/pull/123075\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/\"\n ],\n \"description\": \"There is a LOW severity vulnerability affecting CPython, specifically the\\n'http.cookies' standard library module.\\n\\n\\nWhen parsing cookies that contained backslashes for quoted characters in\\nthe cookie value, the parser would use an algorithm with quadratic\\ncomplexity, resulting in excess CPU resources being used while parsing the\\nvalue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-7592\",\n \"versionConstraint\": \"<= 3.13.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0397", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/17/2" + }, + { + "url": "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d" + }, + { + "url": "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524" + }, + { + "url": "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e" + }, + { + "url": "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286" + }, + { + "url": "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa" + }, + { + "url": "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab" + }, + { + "url": "https://github.com/python/cpython/issues/114572" + }, + { + "url": "https://github.com/python/cpython/pull/114573" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0397 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-0397", + "desc": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0397\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0397\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/17/2\",\n \"https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d\",\n \"https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524\",\n \"https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e\",\n \"https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286\",\n \"https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa\",\n \"https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab\",\n \"https://github.com/python/cpython/issues/114572\",\n \"https://github.com/python/cpython/pull/114573\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/\"\n ],\n \"description\": \"A defect was discovered in the Python “ssl” module where there is a memory\\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\\n“get_ca_certs()”. The race condition can be triggered if the methods are\\ncalled at the same time as certificates are loaded into the SSLContext,\\nsuch as during the TLS handshake with a certificate directory configured.\\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-0397\",\n \"versionConstraint\": \">= 3.13.0a1, < 3.13.0a5 || >= 3.12.0, < 3.12.3 || >= 3.11.0, < 3.11.9 || < 3.10.14 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-36632", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://docs.python.org/3/library/email.html" + }, + { + "url": "https://docs.python.org/3/library/email.utils.html" + }, + { + "url": "https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py" + }, + { + "url": "https://github.com/python/cpython/issues/103800" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-36632 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2023-36632", + "desc": "The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \"RecursionError: maximum recursion depth exceeded while calling a Python object\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-36632\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-36632\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://docs.python.org/3/library/email.html\",\n \"https://docs.python.org/3/library/email.utils.html\",\n \"https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py\",\n \"https://github.com/python/cpython/issues/103800\"\n ],\n \"description\": \"The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \\\"RecursionError: maximum recursion depth exceeded while calling a Python object\\\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-36632\",\n \"versionConstraint\": \"<= 3.11.4 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-6923", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7" + }, + { + "url": "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0" + }, + { + "url": "https://github.com/python/cpython/issues/121650" + }, + { + "url": "https://github.com/python/cpython/pull/122233" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-6923 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-6923", + "desc": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-6923\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-6923\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7\",\n \"https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0\",\n \"https://github.com/python/cpython/issues/121650\",\n \"https://github.com/python/cpython/pull/122233\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/\"\n ],\n \"description\": \"There is a MEDIUM severity vulnerability affecting CPython.\\n\\nThe \\nemail module didn’t properly quote newlines for email headers when \\nserializing an email message allowing for header injection when an email\\n is serialized.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 2.1,\n \"impactScore\": 3.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-6923\",\n \"versionConstraint\": \">= 3.13.0a1, <= 3.13.0rc2 || < 3.12.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-27043", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://python.org" + }, + { + "url": "https://github.com/python/cpython/issues/102988" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/" + }, + { + "url": "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230601-0003/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-27043 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2023-27043", + "desc": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-27043\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-27043\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://python.org\",\n \"https://github.com/python/cpython/issues/102988\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/\",\n \"https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html\",\n \"https://security.netapp.com/advisory/ntap-20230601-0003/\"\n ],\n \"description\": \"The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-27043\",\n \"versionConstraint\": \"<= 2.7.18 || >= 3.0, <= 3.11 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-8088", + "severity": "Unknown" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e" + }, + { + "url": "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64" + }, + { + "url": "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea" + }, + { + "url": "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db" + }, + { + "url": "https://github.com/python/cpython/issues/122905" + }, + { + "url": "https://github.com/python/cpython/issues/123270" + }, + { + "url": "https://github.com/python/cpython/pull/122906" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-8088 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-8088", + "desc": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-8088\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-8088\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e\",\n \"https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64\",\n \"https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea\",\n \"https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db\",\n \"https://github.com/python/cpython/issues/122905\",\n \"https://github.com/python/cpython/issues/123270\",\n \"https://github.com/python/cpython/pull/122906\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/\"\n ],\n \"description\": \"There is a HIGH severity vulnerability affecting the CPython \\\"zipfile\\\"\\nmodule affecting \\\"zipfile.Path\\\". Note that the more common API \\\"zipfile.ZipFile\\\" class is unaffected.\\n\\n\\n\\n\\n\\nWhen iterating over names of entries in a zip archive (for example, methods\\nof \\\"zipfile.Path\\\" like \\\"namelist()\\\", \\\"iterdir()\\\", etc)\\nthe process can be put into an infinite loop with a maliciously crafted\\nzip archive. This defect applies when reading only metadata or extracting\\nthe contents of the zip archive. Programs that are not handling\\nuser-controlled zip archives are not affected.\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-8088\",\n \"versionConstraint\": \"<= 3.13.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-5642", + "severity": "Unknown" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4" + }, + { + "url": "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e" + }, + { + "url": "https://github.com/python/cpython/issues/121227" + }, + { + "url": "https://github.com/python/cpython/pull/23014" + }, + { + "url": "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240726-0005/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-5642 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-5642", + "desc": "CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-5642\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-5642\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/28/4\",\n \"https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e\",\n \"https://github.com/python/cpython/issues/121227\",\n \"https://github.com/python/cpython/pull/23014\",\n \"https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/\",\n \"https://security.netapp.com/advisory/ntap-20240726-0005/\"\n ],\n \"description\": \"CPython 3.9 and earlier doesn't disallow configuring an empty list (\\\"[]\\\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-5642\",\n \"versionConstraint\": \"< 3.10.0b1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-4032", + "severity": "Unknown" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/17/3" + }, + { + "url": "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8" + }, + { + "url": "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f" + }, + { + "url": "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3" + }, + { + "url": "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb" + }, + { + "url": "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906" + }, + { + "url": "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3" + }, + { + "url": "https://github.com/python/cpython/issues/113171" + }, + { + "url": "https://github.com/python/cpython/pull/113179" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240726-0004/" + }, + { + "url": "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + }, + { + "url": "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-4032 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-4032", + "desc": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-4032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-4032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/17/3\",\n \"https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8\",\n \"https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f\",\n \"https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3\",\n \"https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb\",\n \"https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906\",\n \"https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3\",\n \"https://github.com/python/cpython/issues/113171\",\n \"https://github.com/python/cpython/pull/113179\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/\",\n \"https://security.netapp.com/advisory/ntap-20240726-0004/\",\n \"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\n \"https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml\"\n ],\n \"description\": \"The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\\n\\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-4032\",\n \"versionConstraint\": \"< 3.12.4 || >= 3.13.0a1, < 3.13.0a6 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "GHSA-r9hx-vwmv-q579", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 65.5.1", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/advisories/GHSA-r9hx-vwmv-q579" + }, + { + "url": "https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200" + }, + { + "url": "https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be" + }, + { + "url": "https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/" + }, + { + "url": "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/" + }, + { + "url": "https://pyup.io/vulnerabilities/CVE-2022-40897/52495/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230214-0001/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to GHSA-r9hx-vwmv-q579 in cloudwatch_to_s3:latest", + "id": "Grype/GHSA-r9hx-vwmv-q579", + "desc": "pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"GHSA-r9hx-vwmv-q579\",\n \"dataSource\": \"https://github.com/advisories/GHSA-r9hx-vwmv-q579\",\n \"namespace\": \"github:language:python\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/advisories/GHSA-r9hx-vwmv-q579\"\n ],\n \"description\": \"pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)\",\n \"cvss\": [\n {\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {\n \"base_severity\": \"High\",\n \"status\": \"N/A\"\n }\n }\n ],\n \"fix\": {\n \"versions\": [\n \"65.5.1\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-40897\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-40897\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200\",\n \"https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be\",\n \"https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/\",\n \"https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/\",\n \"https://pyup.io/vulnerabilities/CVE-2022-40897/52495/\",\n \"https://security.netapp.com/advisory/ntap-20230214-0001/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\"\n ],\n \"description\": \"Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"python-matcher\",\n \"searchedBy\": {\n \"language\": \"python\",\n \"namespace\": \"github:language:python\",\n \"package\": {\n \"name\": \"setuptools\",\n \"version\": \"58.1.0\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"<65.5.1 (python)\",\n \"vulnerabilityID\": \"GHSA-r9hx-vwmv-q579\"\n }\n }\n]", + "message": "{\n \"id\": \"bc6c39be42a59eb7\",\n \"name\": \"setuptools\",\n \"version\": \"58.1.0\",\n \"type\": \"python\",\n \"locations\": [\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/RECORD\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/top_level.txt\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"python\",\n \"licenses\": [\n \"UNKNOWN\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python:setuptools:58.1.0:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:pypi/setuptools@58.1.0\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "GHSA-cx63-2mw6-8hw5", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 70.0.0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/advisories/GHSA-cx63-2mw6-8hw5" + }, + { + "url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0" + }, + { + "url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to GHSA-cx63-2mw6-8hw5 in cloudwatch_to_s3:latest", + "id": "Grype/GHSA-cx63-2mw6-8hw5", + "desc": "setuptools vulnerable to Command Injection via package URL", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"GHSA-cx63-2mw6-8hw5\",\n \"dataSource\": \"https://github.com/advisories/GHSA-cx63-2mw6-8hw5\",\n \"namespace\": \"github:language:python\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/advisories/GHSA-cx63-2mw6-8hw5\"\n ],\n \"description\": \"setuptools vulnerable to Command Injection via package URL\",\n \"cvss\": [\n {\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {\n \"base_severity\": \"High\",\n \"status\": \"N/A\"\n }\n }\n ],\n \"fix\": {\n \"versions\": [\n \"70.0.0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-6345\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-6345\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0\",\n \"https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5\"\n ],\n \"description\": \"A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.\",\n \"cvss\": [\n {\n \"source\": \"security@huntr.dev\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"python-matcher\",\n \"searchedBy\": {\n \"language\": \"python\",\n \"namespace\": \"github:language:python\",\n \"package\": {\n \"name\": \"setuptools\",\n \"version\": \"58.1.0\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"<70.0.0 (python)\",\n \"vulnerabilityID\": \"GHSA-cx63-2mw6-8hw5\"\n }\n }\n]", + "message": "{\n \"id\": \"bc6c39be42a59eb7\",\n \"name\": \"setuptools\",\n \"version\": \"58.1.0\",\n \"type\": \"python\",\n \"locations\": [\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/RECORD\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/top_level.txt\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"python\",\n \"licenses\": [\n \"UNKNOWN\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python:setuptools:58.1.0:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:pypi/setuptools@58.1.0\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24791", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://go.dev/cl/591255" + }, + { + "url": "https://go.dev/issue/67555" + }, + { + "url": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2024-2963" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24791 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-24791", + "desc": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24791\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24791\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://go.dev/cl/591255\",\n \"https://go.dev/issue/67555\",\n \"https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ\",\n \"https://pkg.go.dev/vuln/GO-2024-2963\"\n ],\n \"description\": \"The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \\\"Expect: 100-continue\\\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \\\"Expect: 100-continue\\\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"go-module-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:golang:go:1.22.4:-:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"stdlib\",\n \"version\": \"go1.22.4\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-24791\",\n \"versionConstraint\": \"< 1.21.12 || >= 1.22.0-0, < 1.22.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"c93538cbf3d8e93b\",\n \"name\": \"stdlib\",\n \"version\": \"go1.22.4\",\n \"type\": \"go-module\",\n \"locations\": [\n {\n \"path\": \"/usr/local/bin/aws-lambda-rie\",\n \"layerID\": \"sha256:9a9b5814afc2b76039ada8e0f4445eeec0c487bcf7637b36b20a7f25bb15b369\"\n }\n ],\n \"language\": \"go\",\n \"licenses\": [\n \"BSD-3-Clause\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:golang:go:1.22.4:-:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:golang/stdlib@1.22.4\",\n \"upstreams\": [],\n \"metadataType\": \"GolangBinMetadata\",\n \"metadata\": {\n \"goCompiledVersion\": \"go1.22.4\",\n \"architecture\": \"\"\n }\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "GHSA-34jh-p97f-mpxf", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.26.19", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/advisories/GHSA-34jh-p97f-mpxf" + }, + { + "url": "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e" + }, + { + "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to GHSA-34jh-p97f-mpxf in cloudwatch_to_s3:latest", + "id": "Grype/GHSA-34jh-p97f-mpxf", + "desc": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects ", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"GHSA-34jh-p97f-mpxf\",\n \"dataSource\": \"https://github.com/advisories/GHSA-34jh-p97f-mpxf\",\n \"namespace\": \"github:language:python\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/advisories/GHSA-34jh-p97f-mpxf\"\n ],\n \"description\": \"urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects \",\n \"cvss\": [\n {\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.7,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {\n \"base_severity\": \"Medium\",\n \"status\": \"N/A\"\n }\n }\n ],\n \"fix\": {\n \"versions\": [\n \"1.26.19\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37891\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37891\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e\",\n \"https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf\"\n ],\n \"description\": \" urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.\",\n \"cvss\": [\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.7,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"python-matcher\",\n \"searchedBy\": {\n \"language\": \"python\",\n \"namespace\": \"github:language:python\",\n \"package\": {\n \"name\": \"urllib3\",\n \"version\": \"1.26.18\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"<1.26.19 (python)\",\n \"vulnerabilityID\": \"GHSA-34jh-p97f-mpxf\"\n }\n }\n]", + "message": "{\n \"id\": \"18a6c87286e142af\",\n \"name\": \"urllib3\",\n \"version\": \"1.26.18\",\n \"type\": \"python\",\n \"locations\": [\n {\n \"path\": \"/var/runtime/urllib3-1.26.18.dist-info/METADATA\",\n \"layerID\": \"sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03\"\n },\n {\n \"path\": \"/var/runtime/urllib3-1.26.18.dist-info/RECORD\",\n \"layerID\": \"sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03\"\n },\n {\n \"path\": \"/var/runtime/urllib3-1.26.18.dist-info/top_level.txt\",\n \"layerID\": \"sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03\"\n }\n ],\n \"language\": \"python\",\n \"licenses\": [\n \"MIT\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python:urllib3:1.26.18:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:pypi/urllib3@1.26.18\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + } + ], + "sha256": "2170ec5567c87f86622f3c24c3f21c220ac81773ca25a481e17cd64cab559fee" + } + ], + "passthrough": { + "auxiliary_data": [ + { + "name": "", + "data": {} + } + ] + } +} \ No newline at end of file diff --git a/test/sample_data/anchoregrype/amazon-grype-withraw.json b/test/sample_data/anchoregrype/amazon-grype-withraw.json new file mode 100644 index 000000000..9acbac770 --- /dev/null +++ b/test/sample_data/anchoregrype/amazon-grype-withraw.json @@ -0,0 +1,2613 @@ +{ + "platform": { + "name": "Heimdall Tools", + "release": "2.10.15", + "target_id": null + }, + "version": "2.10.15", + "statistics": { + "duration": null + }, + "profiles": [ + { + "name": "Anchore - Grype", + "title": "Anchore Grype Matches", + "version": "0.79.3", + "maintainer": null, + "summary": null, + "license": null, + "copyright": null, + "copyright_email": null, + "supports": [], + "attributes": [], + "depends": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "ALAS-2024-2607", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 2023.2.68-1.amzn2.0.1", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2607.html" + }, + { + "url": "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463" + }, + { + "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc" + }, + { + "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to ALAS-2024-2607 in cloudwatch_to_s3:latest", + "id": "Grype/ALAS-2024-2607", + "desc": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\" (CVE-2024-39689)", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"ALAS-2024-2607\",\n \"dataSource\": \"https://alas.aws.amazon.com/AL2/ALAS-2024-2607.html\",\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://alas.aws.amazon.com/AL2/ALAS-2024-2607.html\"\n ],\n \"description\": \"Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \\\"long-running and unresolved compliance issues.\\\" (CVE-2024-39689)\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"2023.2.68-1.amzn2.0.1\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39689\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39689\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463\",\n \"https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc\",\n \"https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI\"\n ],\n \"description\": \"Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \\\"long-running and unresolved compliance issues.\\\"\",\n \"cvss\": [\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"rpm-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"amazonlinux\",\n \"version\": \"2\"\n },\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"package\": {\n \"name\": \"ca-certificates\",\n \"version\": \"0:2023.2.64-1.amzn2.0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 2023.2.68-1.amzn2.0.1 (rpm)\",\n \"vulnerabilityID\": \"ALAS-2024-2607\"\n }\n }\n]", + "message": "{\n \"id\": \"3fdee4f2791be89b\",\n \"name\": \"ca-certificates\",\n \"version\": \"2023.2.64-1.amzn2.0.1\",\n \"type\": \"rpm\",\n \"locations\": [\n {\n \"path\": \"/var/lib/rpm/Packages\",\n \"layerID\": \"sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Public Domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ca-certificates:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ca-certificates:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ca_certificates:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ca_certificates:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:amazonlinux:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:amazonlinux:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ca:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ca:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:rpm/amzn/ca-certificates@2023.2.64-1.amzn2.0.1?arch=noarch&upstream=ca-certificates-2023.2.64-1.amzn2.0.1.src.rpm&distro=amzn-2\",\n \"upstreams\": [],\n \"metadataType\": \"RpmMetadata\",\n \"metadata\": {\n \"epoch\": null,\n \"modularityLabel\": \"\"\n }\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "ALAS-2024-2595", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.15.1-55.amzn2.2.8", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2595.html" + }, + { + "url": "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" + }, + { + "url": "https://web.mit.edu/kerberos/www/advisories/" + }, + { + "url": "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" + }, + { + "url": "https://web.mit.edu/kerberos/www/advisories/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to ALAS-2024-2595 in cloudwatch_to_s3:latest", + "id": "Grype/ALAS-2024-2595", + "desc": "krb5: GSS message token handling (CVE-2024-37370)In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. (CVE-2024-37371)", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"ALAS-2024-2595\",\n \"dataSource\": \"https://alas.aws.amazon.com/AL2/ALAS-2024-2595.html\",\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://alas.aws.amazon.com/AL2/ALAS-2024-2595.html\"\n ],\n \"description\": \"krb5: GSS message token handling (CVE-2024-37370)In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. (CVE-2024-37371)\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.15.1-55.amzn2.2.8\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37370\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37370\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef\",\n \"https://web.mit.edu/kerberos/www/advisories/\"\n ],\n \"description\": \"In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n },\n {\n \"id\": \"CVE-2024-37371\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37371\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef\",\n \"https://web.mit.edu/kerberos/www/advisories/\"\n ],\n \"description\": \"In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"rpm-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"amazonlinux\",\n \"version\": \"2\"\n },\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"package\": {\n \"name\": \"krb5-libs\",\n \"version\": \"0:1.15.1-55.amzn2.2.7\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.15.1-55.amzn2.2.8 (rpm)\",\n \"vulnerabilityID\": \"ALAS-2024-2595\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"rpm-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"amazonlinux\",\n \"version\": \"2\"\n },\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.15.1-55.amzn2.2.7\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.15.1-55.amzn2.2.8 (rpm)\",\n \"vulnerabilityID\": \"ALAS-2024-2595\"\n }\n }\n]", + "message": "{\n \"id\": \"3bb967025c5652e0\",\n \"name\": \"krb5-libs\",\n \"version\": \"1.15.1-55.amzn2.2.7\",\n \"type\": \"rpm\",\n \"locations\": [\n {\n \"path\": \"/var/lib/rpm/Packages\",\n \"layerID\": \"sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"MIT\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:amazonlinux:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:amazonlinux:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5-libs:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5-libs:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5_libs:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5_libs:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:krb5:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:rpm/amzn/krb5-libs@1.15.1-55.amzn2.2.7?arch=aarch64&upstream=krb5-1.15.1-55.amzn2.2.7.src.rpm&distro=amzn-2\",\n \"upstreams\": [\n {\n \"name\": \"krb5\",\n \"version\": \"1.15.1-55.amzn2.2.7\"\n }\n ],\n \"metadataType\": \"RpmMetadata\",\n \"metadata\": {\n \"epoch\": null,\n \"modularityLabel\": \"\"\n }\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "ALAS-2024-2604", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.0.2k-24.amzn2.0.13", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2604.html" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/27/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4" + }, + { + "url": "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37" + }, + { + "url": "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e" + }, + { + "url": "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c" + }, + { + "url": "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240712-0005/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240627.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to ALAS-2024-2604 in cloudwatch_to_s3:latest", + "id": "Grype/ALAS-2024-2604", + "desc": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with anempty supported client protocols buffer may cause a crash or memory contents tobe sent to the peer.Impact summary: A buffer overread can have a range of potential consequencessuch as unexpected application beahviour or a crash. In particular this issuecould result in up to 255 bytes of arbitrary private data from memory being sentto the peer leading to a loss of confidentiality. However, only applicationsthat directly call the SSL_select_next_proto function with a 0 length list ofsupported client protocols are affected by this issue. This would normally neverbe a valid scenario and is typically not under attacker control but may occur byaccident in the case of a configuration or programming error in the callingapplication.The OpenSSL API function SSL_select_next_proto is typically used by TLSapplications that support ALPN (Application Layer Protocol Negotiation) or NPN(Next Protocol Negotiation). NPN is older, was never standardised andis deprecated in favour of ALPN. We believe that ALPN is significantly morewidely deployed than NPN. The SSL_select_next_proto function accepts a list ofprotocols from the server and a list of protocols from the client and returnsthe first protocol that appears in the server list that also appears in theclient list. In the case of no overlap between the two lists it returns thefirst item in the client list. In either case it will signal whether an overlapbetween the two lists was found. In the case where SSL_select_next_proto iscalled with a zero length client list it fails to notice this condition andreturns the memory immediately following the client list pointer (and reportsthat there was no overlap in the lists).This function is typically called from a server side application callback forALPN or a client side application callback for NPN. In the case of ALPN the listof protocols supplied by the client is guaranteed by libssl to never be zero inlength. The list of server protocols comes from the application and should nevernormally be expected to be of zero length. In this case if theSSL_select_next_proto function has been called as expected (with the listsupplied by the client passed in the client/client_len parameters), then theapplication will not be vulnerable to this issue. If the application hasaccidentally been configured with a zero length server list, and hasaccidentally passed that zero length server list in the client/client_lenparameters, and has additionally failed to correctly handle a \"no overlap\"response (which would normally result in a handshake failure in ALPN) then itwill be vulnerable to this problem.In the case of NPN, the protocol permits the client to opportunistically selecta protocol when there is no overlap. OpenSSL returns the first client protocolin the no overlap case in support of this. The list of client protocols comesfrom the application and should never normally be expected to be of zero length.However if the SSL_select_next_proto function is accidentally called with aclient_len of 0 then an invalid memory pointer will be returned instead. If theapplication uses this output as the opportunistic protocol then the loss ofconfidentiality will occur.This issue has been assessed as Low severity because applications are mostlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is notwidely used. It also requires an application configuration or programming error.Finally, this issue would not typically be under attacker control making activeexploitation unlikely.The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.Due to the low severity of this issue we are not issuing new releases ofOpenSSL at this time. The fix will be included in the next releases when theybecome available. (CVE-2024-5535)", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"ALAS-2024-2604\",\n \"dataSource\": \"https://alas.aws.amazon.com/AL2/ALAS-2024-2604.html\",\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://alas.aws.amazon.com/AL2/ALAS-2024-2604.html\"\n ],\n \"description\": \"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with anempty supported client protocols buffer may cause a crash or memory contents tobe sent to the peer.Impact summary: A buffer overread can have a range of potential consequencessuch as unexpected application beahviour or a crash. In particular this issuecould result in up to 255 bytes of arbitrary private data from memory being sentto the peer leading to a loss of confidentiality. However, only applicationsthat directly call the SSL_select_next_proto function with a 0 length list ofsupported client protocols are affected by this issue. This would normally neverbe a valid scenario and is typically not under attacker control but may occur byaccident in the case of a configuration or programming error in the callingapplication.The OpenSSL API function SSL_select_next_proto is typically used by TLSapplications that support ALPN (Application Layer Protocol Negotiation) or NPN(Next Protocol Negotiation). NPN is older, was never standardised andis deprecated in favour of ALPN. We believe that ALPN is significantly morewidely deployed than NPN. The SSL_select_next_proto function accepts a list ofprotocols from the server and a list of protocols from the client and returnsthe first protocol that appears in the server list that also appears in theclient list. In the case of no overlap between the two lists it returns thefirst item in the client list. In either case it will signal whether an overlapbetween the two lists was found. In the case where SSL_select_next_proto iscalled with a zero length client list it fails to notice this condition andreturns the memory immediately following the client list pointer (and reportsthat there was no overlap in the lists).This function is typically called from a server side application callback forALPN or a client side application callback for NPN. In the case of ALPN the listof protocols supplied by the client is guaranteed by libssl to never be zero inlength. The list of server protocols comes from the application and should nevernormally be expected to be of zero length. In this case if theSSL_select_next_proto function has been called as expected (with the listsupplied by the client passed in the client/client_len parameters), then theapplication will not be vulnerable to this issue. If the application hasaccidentally been configured with a zero length server list, and hasaccidentally passed that zero length server list in the client/client_lenparameters, and has additionally failed to correctly handle a \\\"no overlap\\\"response (which would normally result in a handshake failure in ALPN) then itwill be vulnerable to this problem.In the case of NPN, the protocol permits the client to opportunistically selecta protocol when there is no overlap. OpenSSL returns the first client protocolin the no overlap case in support of this. The list of client protocols comesfrom the application and should never normally be expected to be of zero length.However if the SSL_select_next_proto function is accidentally called with aclient_len of 0 then an invalid memory pointer will be returned instead. If theapplication uses this output as the opportunistic protocol then the loss ofconfidentiality will occur.This issue has been assessed as Low severity because applications are mostlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is notwidely used. It also requires an application configuration or programming error.Finally, this issue would not typically be under attacker control making activeexploitation unlikely.The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.Due to the low severity of this issue we are not issuing new releases ofOpenSSL at this time. The fix will be included in the next releases when theybecome available. (CVE-2024-5535)\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.0.2k-24.amzn2.0.13\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-5535\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-5535\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/27/1\",\n \"http://www.openwall.com/lists/oss-security/2024/06/28/4\",\n \"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37\",\n \"https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e\",\n \"https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c\",\n \"https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87\",\n \"https://security.netapp.com/advisory/ntap-20240712-0005/\",\n \"https://www.openssl.org/news/secadv/20240627.txt\"\n ],\n \"description\": \"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\\nempty supported client protocols buffer may cause a crash or memory contents to\\nbe sent to the peer.\\n\\nImpact summary: A buffer overread can have a range of potential consequences\\nsuch as unexpected application beahviour or a crash. In particular this issue\\ncould result in up to 255 bytes of arbitrary private data from memory being sent\\nto the peer leading to a loss of confidentiality. However, only applications\\nthat directly call the SSL_select_next_proto function with a 0 length list of\\nsupported client protocols are affected by this issue. This would normally never\\nbe a valid scenario and is typically not under attacker control but may occur by\\naccident in the case of a configuration or programming error in the calling\\napplication.\\n\\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\\n(Next Protocol Negotiation). NPN is older, was never standardised and\\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\\nprotocols from the server and a list of protocols from the client and returns\\nthe first protocol that appears in the server list that also appears in the\\nclient list. In the case of no overlap between the two lists it returns the\\nfirst item in the client list. In either case it will signal whether an overlap\\nbetween the two lists was found. In the case where SSL_select_next_proto is\\ncalled with a zero length client list it fails to notice this condition and\\nreturns the memory immediately following the client list pointer (and reports\\nthat there was no overlap in the lists).\\n\\nThis function is typically called from a server side application callback for\\nALPN or a client side application callback for NPN. In the case of ALPN the list\\nof protocols supplied by the client is guaranteed by libssl to never be zero in\\nlength. The list of server protocols comes from the application and should never\\nnormally be expected to be of zero length. In this case if the\\nSSL_select_next_proto function has been called as expected (with the list\\nsupplied by the client passed in the client/client_len parameters), then the\\napplication will not be vulnerable to this issue. If the application has\\naccidentally been configured with a zero length server list, and has\\naccidentally passed that zero length server list in the client/client_len\\nparameters, and has additionally failed to correctly handle a \\\"no overlap\\\"\\nresponse (which would normally result in a handshake failure in ALPN) then it\\nwill be vulnerable to this problem.\\n\\nIn the case of NPN, the protocol permits the client to opportunistically select\\na protocol when there is no overlap. OpenSSL returns the first client protocol\\nin the no overlap case in support of this. The list of client protocols comes\\nfrom the application and should never normally be expected to be of zero length.\\nHowever if the SSL_select_next_proto function is accidentally called with a\\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\\napplication uses this output as the opportunistic protocol then the loss of\\nconfidentiality will occur.\\n\\nThis issue has been assessed as Low severity because applications are most\\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\\nwidely used. It also requires an application configuration or programming error.\\nFinally, this issue would not typically be under attacker control making active\\nexploitation unlikely.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\\n\\nDue to the low severity of this issue we are not issuing new releases of\\nOpenSSL at this time. The fix will be included in the next releases when they\\nbecome available.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"rpm-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"amazonlinux\",\n \"version\": \"2\"\n },\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"package\": {\n \"name\": \"openssl-libs\",\n \"version\": \"1:1.0.2k-24.amzn2.0.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.0.2k-24.amzn2.0.13 (rpm)\",\n \"vulnerabilityID\": \"ALAS-2024-2604\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"rpm-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"amazonlinux\",\n \"version\": \"2\"\n },\n \"namespace\": \"amazon:distro:amazonlinux:2\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.0.2k-24.amzn2.0.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.0.2k-24.amzn2.0.13 (rpm)\",\n \"vulnerabilityID\": \"ALAS-2024-2604\"\n }\n }\n]", + "message": "{\n \"id\": \"ca07aa6bdda5c274\",\n \"name\": \"openssl-libs\",\n \"version\": \"1:1.0.2k-24.amzn2.0.12\",\n \"type\": \"rpm\",\n \"locations\": [\n {\n \"path\": \"/var/lib/rpm/Packages\",\n \"layerID\": \"sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl-libs:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl-libs:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl_libs:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl_libs:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:amazonlinux:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:amazonlinux:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:rpm/amzn/openssl-libs@1.0.2k-24.amzn2.0.12?arch=aarch64&epoch=1&upstream=openssl-1.0.2k-24.amzn2.0.12.src.rpm&distro=amzn-2\",\n \"upstreams\": [\n {\n \"name\": \"openssl\",\n \"version\": \"1.0.2k-24.amzn2.0.12\"\n }\n ],\n \"metadataType\": \"RpmMetadata\",\n \"metadata\": {\n \"epoch\": 1,\n \"modularityLabel\": \"\"\n }\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "GHSA-mq26-g339-26xf", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 23.3", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/advisories/GHSA-mq26-g339-26xf" + }, + { + "url": "https://github.com/pypa/pip/pull/12306" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to GHSA-mq26-g339-26xf in cloudwatch_to_s3:latest", + "id": "Grype/GHSA-mq26-g339-26xf", + "desc": "Command Injection in pip when used with Mercurial", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"GHSA-mq26-g339-26xf\",\n \"dataSource\": \"https://github.com/advisories/GHSA-mq26-g339-26xf\",\n \"namespace\": \"github:language:python\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/advisories/GHSA-mq26-g339-26xf\"\n ],\n \"description\": \"Command Injection in pip when used with Mercurial\",\n \"cvss\": [\n {\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {\n \"base_severity\": \"Medium\",\n \"status\": \"N/A\"\n }\n }\n ],\n \"fix\": {\n \"versions\": [\n \"23.3\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-5752\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-5752\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://github.com/pypa/pip/pull/12306\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/\"\n ],\n \"description\": \"When installing a package from a Mercurial VCS URL (ie \\\"pip install \\nhg+...\\\") with pip prior to v23.3, the specified Mercurial revision could\\n be used to inject arbitrary configuration options to the \\\"hg clone\\\" \\ncall (ie \\\"--config\\\"). Controlling the Mercurial configuration can modify\\n how and which repository is installed. This vulnerability does not \\naffect users who aren't installing from Mercurial.\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"cna@python.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"python-matcher\",\n \"searchedBy\": {\n \"language\": \"python\",\n \"namespace\": \"github:language:python\",\n \"package\": {\n \"name\": \"pip\",\n \"version\": \"23.0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"<23.3 (python)\",\n \"vulnerabilityID\": \"GHSA-mq26-g339-26xf\"\n }\n }\n]", + "message": "{\n \"id\": \"8cac57bcd656efc6\",\n \"name\": \"pip\",\n \"version\": \"23.0.1\",\n \"type\": \"python\",\n \"locations\": [\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/RECORD\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/top_level.txt\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"python\",\n \"licenses\": [\n \"MIT\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:pip_developers_project:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developers_project:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig_project:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig_project:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developersproject:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developersproject:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sigproject:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sigproject:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developers_project:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig_project:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developers:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developers:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developersproject:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils-sig:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils-sig:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sigproject:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python-pip:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python-pip:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python_pip:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python_pip:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip_developers:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils-sig:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:distutils_sig:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pypa:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pypa:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip:python-pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip:python_pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python-pip:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python_pip:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pypa:pip:23.0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:pip:pip:23.0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:pypi/pip@23.0.1\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-7592", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/python/cpython/issues/123067" + }, + { + "url": "https://github.com/python/cpython/pull/123075" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-7592 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-7592", + "desc": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-7592\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-7592\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/issues/123067\",\n \"https://github.com/python/cpython/pull/123075\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/\"\n ],\n \"description\": \"There is a LOW severity vulnerability affecting CPython, specifically the\\n'http.cookies' standard library module.\\n\\n\\nWhen parsing cookies that contained backslashes for quoted characters in\\nthe cookie value, the parser would use an algorithm with quadratic\\ncomplexity, resulting in excess CPU resources being used while parsing the\\nvalue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-7592\",\n \"versionConstraint\": \"<= 3.13.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0397", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/17/2" + }, + { + "url": "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d" + }, + { + "url": "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524" + }, + { + "url": "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e" + }, + { + "url": "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286" + }, + { + "url": "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa" + }, + { + "url": "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab" + }, + { + "url": "https://github.com/python/cpython/issues/114572" + }, + { + "url": "https://github.com/python/cpython/pull/114573" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0397 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-0397", + "desc": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0397\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0397\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/17/2\",\n \"https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d\",\n \"https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524\",\n \"https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e\",\n \"https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286\",\n \"https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa\",\n \"https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab\",\n \"https://github.com/python/cpython/issues/114572\",\n \"https://github.com/python/cpython/pull/114573\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/\"\n ],\n \"description\": \"A defect was discovered in the Python “ssl” module where there is a memory\\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\\n“get_ca_certs()”. The race condition can be triggered if the methods are\\ncalled at the same time as certificates are loaded into the SSLContext,\\nsuch as during the TLS handshake with a certificate directory configured.\\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-0397\",\n \"versionConstraint\": \">= 3.13.0a1, < 3.13.0a5 || >= 3.12.0, < 3.12.3 || >= 3.11.0, < 3.11.9 || < 3.10.14 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-36632", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://docs.python.org/3/library/email.html" + }, + { + "url": "https://docs.python.org/3/library/email.utils.html" + }, + { + "url": "https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py" + }, + { + "url": "https://github.com/python/cpython/issues/103800" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-36632 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2023-36632", + "desc": "The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \"RecursionError: maximum recursion depth exceeded while calling a Python object\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-36632\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-36632\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://docs.python.org/3/library/email.html\",\n \"https://docs.python.org/3/library/email.utils.html\",\n \"https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py\",\n \"https://github.com/python/cpython/issues/103800\"\n ],\n \"description\": \"The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \\\"RecursionError: maximum recursion depth exceeded while calling a Python object\\\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-36632\",\n \"versionConstraint\": \"<= 3.11.4 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-6923", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7" + }, + { + "url": "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0" + }, + { + "url": "https://github.com/python/cpython/issues/121650" + }, + { + "url": "https://github.com/python/cpython/pull/122233" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-6923 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-6923", + "desc": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-6923\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-6923\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7\",\n \"https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0\",\n \"https://github.com/python/cpython/issues/121650\",\n \"https://github.com/python/cpython/pull/122233\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/\"\n ],\n \"description\": \"There is a MEDIUM severity vulnerability affecting CPython.\\n\\nThe \\nemail module didn’t properly quote newlines for email headers when \\nserializing an email message allowing for header injection when an email\\n is serialized.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 2.1,\n \"impactScore\": 3.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-6923\",\n \"versionConstraint\": \">= 3.13.0a1, <= 3.13.0rc2 || < 3.12.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-27043", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://python.org" + }, + { + "url": "https://github.com/python/cpython/issues/102988" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/" + }, + { + "url": "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230601-0003/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-27043 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2023-27043", + "desc": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-27043\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-27043\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://python.org\",\n \"https://github.com/python/cpython/issues/102988\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/\",\n \"https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html\",\n \"https://security.netapp.com/advisory/ntap-20230601-0003/\"\n ],\n \"description\": \"The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-27043\",\n \"versionConstraint\": \"<= 2.7.18 || >= 3.0, <= 3.11 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-8088", + "severity": "Unknown" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e" + }, + { + "url": "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64" + }, + { + "url": "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea" + }, + { + "url": "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db" + }, + { + "url": "https://github.com/python/cpython/issues/122905" + }, + { + "url": "https://github.com/python/cpython/issues/123270" + }, + { + "url": "https://github.com/python/cpython/pull/122906" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-8088 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-8088", + "desc": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-8088\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-8088\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e\",\n \"https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64\",\n \"https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea\",\n \"https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db\",\n \"https://github.com/python/cpython/issues/122905\",\n \"https://github.com/python/cpython/issues/123270\",\n \"https://github.com/python/cpython/pull/122906\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/\"\n ],\n \"description\": \"There is a HIGH severity vulnerability affecting the CPython \\\"zipfile\\\"\\nmodule affecting \\\"zipfile.Path\\\". Note that the more common API \\\"zipfile.ZipFile\\\" class is unaffected.\\n\\n\\n\\n\\n\\nWhen iterating over names of entries in a zip archive (for example, methods\\nof \\\"zipfile.Path\\\" like \\\"namelist()\\\", \\\"iterdir()\\\", etc)\\nthe process can be put into an infinite loop with a maliciously crafted\\nzip archive. This defect applies when reading only metadata or extracting\\nthe contents of the zip archive. Programs that are not handling\\nuser-controlled zip archives are not affected.\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-8088\",\n \"versionConstraint\": \"<= 3.13.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-5642", + "severity": "Unknown" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4" + }, + { + "url": "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e" + }, + { + "url": "https://github.com/python/cpython/issues/121227" + }, + { + "url": "https://github.com/python/cpython/pull/23014" + }, + { + "url": "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240726-0005/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-5642 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-5642", + "desc": "CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-5642\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-5642\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/28/4\",\n \"https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e\",\n \"https://github.com/python/cpython/issues/121227\",\n \"https://github.com/python/cpython/pull/23014\",\n \"https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/\",\n \"https://security.netapp.com/advisory/ntap-20240726-0005/\"\n ],\n \"description\": \"CPython 3.9 and earlier doesn't disallow configuring an empty list (\\\"[]\\\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-5642\",\n \"versionConstraint\": \"< 3.10.0b1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-4032", + "severity": "Unknown" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/17/3" + }, + { + "url": "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8" + }, + { + "url": "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f" + }, + { + "url": "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3" + }, + { + "url": "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb" + }, + { + "url": "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906" + }, + { + "url": "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3" + }, + { + "url": "https://github.com/python/cpython/issues/113171" + }, + { + "url": "https://github.com/python/cpython/pull/113179" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240726-0004/" + }, + { + "url": "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + }, + { + "url": "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-4032 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-4032", + "desc": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-4032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-4032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/17/3\",\n \"https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8\",\n \"https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f\",\n \"https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3\",\n \"https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb\",\n \"https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906\",\n \"https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3\",\n \"https://github.com/python/cpython/issues/113171\",\n \"https://github.com/python/cpython/pull/113179\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/\",\n \"https://security.netapp.com/advisory/ntap-20240726-0004/\",\n \"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\n \"https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml\"\n ],\n \"description\": \"The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\\n\\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"stock-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"python\",\n \"version\": \"3.9.19\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-4032\",\n \"versionConstraint\": \"< 3.12.4 || >= 3.13.0a1, < 3.13.0a6 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"a120648b38c61b3b\",\n \"name\": \"python\",\n \"version\": \"3.9.19\",\n \"type\": \"binary\",\n \"locations\": [\n {\n \"path\": \"/var/lang/bin/python3.9\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/libpython3.9.so.1.0\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:generic/python@3.9.19\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "GHSA-r9hx-vwmv-q579", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 65.5.1", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/advisories/GHSA-r9hx-vwmv-q579" + }, + { + "url": "https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200" + }, + { + "url": "https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be" + }, + { + "url": "https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/" + }, + { + "url": "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/" + }, + { + "url": "https://pyup.io/vulnerabilities/CVE-2022-40897/52495/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230214-0001/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to GHSA-r9hx-vwmv-q579 in cloudwatch_to_s3:latest", + "id": "Grype/GHSA-r9hx-vwmv-q579", + "desc": "pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"GHSA-r9hx-vwmv-q579\",\n \"dataSource\": \"https://github.com/advisories/GHSA-r9hx-vwmv-q579\",\n \"namespace\": \"github:language:python\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/advisories/GHSA-r9hx-vwmv-q579\"\n ],\n \"description\": \"pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)\",\n \"cvss\": [\n {\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {\n \"base_severity\": \"High\",\n \"status\": \"N/A\"\n }\n }\n ],\n \"fix\": {\n \"versions\": [\n \"65.5.1\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-40897\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-40897\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200\",\n \"https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be\",\n \"https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/\",\n \"https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/\",\n \"https://pyup.io/vulnerabilities/CVE-2022-40897/52495/\",\n \"https://security.netapp.com/advisory/ntap-20230214-0001/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\"\n ],\n \"description\": \"Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"python-matcher\",\n \"searchedBy\": {\n \"language\": \"python\",\n \"namespace\": \"github:language:python\",\n \"package\": {\n \"name\": \"setuptools\",\n \"version\": \"58.1.0\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"<65.5.1 (python)\",\n \"vulnerabilityID\": \"GHSA-r9hx-vwmv-q579\"\n }\n }\n]", + "message": "{\n \"id\": \"bc6c39be42a59eb7\",\n \"name\": \"setuptools\",\n \"version\": \"58.1.0\",\n \"type\": \"python\",\n \"locations\": [\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/RECORD\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/top_level.txt\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"python\",\n \"licenses\": [\n \"UNKNOWN\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python:setuptools:58.1.0:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:pypi/setuptools@58.1.0\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "GHSA-cx63-2mw6-8hw5", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 70.0.0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/advisories/GHSA-cx63-2mw6-8hw5" + }, + { + "url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0" + }, + { + "url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to GHSA-cx63-2mw6-8hw5 in cloudwatch_to_s3:latest", + "id": "Grype/GHSA-cx63-2mw6-8hw5", + "desc": "setuptools vulnerable to Command Injection via package URL", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"GHSA-cx63-2mw6-8hw5\",\n \"dataSource\": \"https://github.com/advisories/GHSA-cx63-2mw6-8hw5\",\n \"namespace\": \"github:language:python\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/advisories/GHSA-cx63-2mw6-8hw5\"\n ],\n \"description\": \"setuptools vulnerable to Command Injection via package URL\",\n \"cvss\": [\n {\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {\n \"base_severity\": \"High\",\n \"status\": \"N/A\"\n }\n }\n ],\n \"fix\": {\n \"versions\": [\n \"70.0.0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-6345\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-6345\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0\",\n \"https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5\"\n ],\n \"description\": \"A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.\",\n \"cvss\": [\n {\n \"source\": \"security@huntr.dev\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"python-matcher\",\n \"searchedBy\": {\n \"language\": \"python\",\n \"namespace\": \"github:language:python\",\n \"package\": {\n \"name\": \"setuptools\",\n \"version\": \"58.1.0\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"<70.0.0 (python)\",\n \"vulnerabilityID\": \"GHSA-cx63-2mw6-8hw5\"\n }\n }\n]", + "message": "{\n \"id\": \"bc6c39be42a59eb7\",\n \"name\": \"setuptools\",\n \"version\": \"58.1.0\",\n \"type\": \"python\",\n \"locations\": [\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/RECORD\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n },\n {\n \"path\": \"/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/top_level.txt\",\n \"layerID\": \"sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0\"\n }\n ],\n \"language\": \"python\",\n \"licenses\": [\n \"UNKNOWN\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python:setuptools:58.1.0:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:pypi/setuptools@58.1.0\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24791", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://go.dev/cl/591255" + }, + { + "url": "https://go.dev/issue/67555" + }, + { + "url": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2024-2963" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24791 in cloudwatch_to_s3:latest", + "id": "Grype/CVE-2024-24791", + "desc": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24791\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24791\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://go.dev/cl/591255\",\n \"https://go.dev/issue/67555\",\n \"https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ\",\n \"https://pkg.go.dev/vuln/GO-2024-2963\"\n ],\n \"description\": \"The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \\\"Expect: 100-continue\\\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \\\"Expect: 100-continue\\\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"go-module-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:golang:go:1.22.4:-:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"stdlib\",\n \"version\": \"go1.22.4\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-24791\",\n \"versionConstraint\": \"< 1.21.12 || >= 1.22.0-0, < 1.22.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"c93538cbf3d8e93b\",\n \"name\": \"stdlib\",\n \"version\": \"go1.22.4\",\n \"type\": \"go-module\",\n \"locations\": [\n {\n \"path\": \"/usr/local/bin/aws-lambda-rie\",\n \"layerID\": \"sha256:9a9b5814afc2b76039ada8e0f4445eeec0c487bcf7637b36b20a7f25bb15b369\"\n }\n ],\n \"language\": \"go\",\n \"licenses\": [\n \"BSD-3-Clause\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:golang:go:1.22.4:-:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:golang/stdlib@1.22.4\",\n \"upstreams\": [],\n \"metadataType\": \"GolangBinMetadata\",\n \"metadata\": {\n \"goCompiledVersion\": \"go1.22.4\",\n \"architecture\": \"\"\n }\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "GHSA-34jh-p97f-mpxf", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.26.19", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://github.com/advisories/GHSA-34jh-p97f-mpxf" + }, + { + "url": "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e" + }, + { + "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to GHSA-34jh-p97f-mpxf in cloudwatch_to_s3:latest", + "id": "Grype/GHSA-34jh-p97f-mpxf", + "desc": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects ", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"GHSA-34jh-p97f-mpxf\",\n \"dataSource\": \"https://github.com/advisories/GHSA-34jh-p97f-mpxf\",\n \"namespace\": \"github:language:python\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/advisories/GHSA-34jh-p97f-mpxf\"\n ],\n \"description\": \"urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects \",\n \"cvss\": [\n {\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.7,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {\n \"base_severity\": \"Medium\",\n \"status\": \"N/A\"\n }\n }\n ],\n \"fix\": {\n \"versions\": [\n \"1.26.19\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37891\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37891\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e\",\n \"https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf\"\n ],\n \"description\": \" urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.\",\n \"cvss\": [\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.7,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"python-matcher\",\n \"searchedBy\": {\n \"language\": \"python\",\n \"namespace\": \"github:language:python\",\n \"package\": {\n \"name\": \"urllib3\",\n \"version\": \"1.26.18\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"<1.26.19 (python)\",\n \"vulnerabilityID\": \"GHSA-34jh-p97f-mpxf\"\n }\n }\n]", + "message": "{\n \"id\": \"18a6c87286e142af\",\n \"name\": \"urllib3\",\n \"version\": \"1.26.18\",\n \"type\": \"python\",\n \"locations\": [\n {\n \"path\": \"/var/runtime/urllib3-1.26.18.dist-info/METADATA\",\n \"layerID\": \"sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03\"\n },\n {\n \"path\": \"/var/runtime/urllib3-1.26.18.dist-info/RECORD\",\n \"layerID\": \"sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03\"\n },\n {\n \"path\": \"/var/runtime/urllib3-1.26.18.dist-info/top_level.txt\",\n \"layerID\": \"sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03\"\n }\n ],\n \"language\": \"python\",\n \"licenses\": [\n \"MIT\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python:urllib3:1.26.18:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:pypi/urllib3@1.26.18\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:47:41.623667-04:00" + } + ] + } + ], + "sha256": "2170ec5567c87f86622f3c24c3f21c220ac81773ca25a481e17cd64cab559fee" + } + ], + "passthrough": { + "auxiliary_data": [ + { + "name": "", + "data": {} + } + ], + "raw": { + "wrapper": { + "matches": [ + { + "vulnerability": { + "id": "ALAS-2024-2607", + "dataSource": "https://alas.aws.amazon.com/AL2/ALAS-2024-2607.html", + "namespace": "amazon:distro:amazonlinux:2", + "severity": "Low", + "urls": [ + "https://alas.aws.amazon.com/AL2/ALAS-2024-2607.html" + ], + "description": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\" (CVE-2024-39689)", + "cvss": [], + "fix": { + "versions": [ + "2023.2.68-1.amzn2.0.1" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39689", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39689", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463", + "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc", + "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI" + ], + "description": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\"", + "cvss": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "amazonlinux", + "version": "2" + }, + "namespace": "amazon:distro:amazonlinux:2", + "package": { + "name": "ca-certificates", + "version": "0:2023.2.64-1.amzn2.0.1" + } + }, + "found": { + "versionConstraint": "< 2023.2.68-1.amzn2.0.1 (rpm)", + "vulnerabilityID": "ALAS-2024-2607" + } + } + ], + "artifact": { + "id": "3fdee4f2791be89b", + "name": "ca-certificates", + "version": "2023.2.64-1.amzn2.0.1", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/Packages", + "layerID": "sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483" + } + ], + "language": "", + "licenses": [ + "Public Domain" + ], + "cpes": [ + "cpe:2.3:a:ca-certificates:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ca-certificates:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ca_certificates:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ca_certificates:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:amazonlinux:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:amazonlinux:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ca:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ca:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/amzn/ca-certificates@2023.2.64-1.amzn2.0.1?arch=noarch&upstream=ca-certificates-2023.2.64-1.amzn2.0.1.src.rpm&distro=amzn-2", + "upstreams": [], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "ALAS-2024-2595", + "dataSource": "https://alas.aws.amazon.com/AL2/ALAS-2024-2595.html", + "namespace": "amazon:distro:amazonlinux:2", + "severity": "Medium", + "urls": [ + "https://alas.aws.amazon.com/AL2/ALAS-2024-2595.html" + ], + "description": "krb5: GSS message token handling (CVE-2024-37370)In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. (CVE-2024-37371)", + "cvss": [], + "fix": { + "versions": [ + "1.15.1-55.amzn2.2.8" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37370", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + }, + { + "id": "CVE-2024-37371", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "amazonlinux", + "version": "2" + }, + "namespace": "amazon:distro:amazonlinux:2", + "package": { + "name": "krb5-libs", + "version": "0:1.15.1-55.amzn2.2.7" + } + }, + "found": { + "versionConstraint": "< 1.15.1-55.amzn2.2.8 (rpm)", + "vulnerabilityID": "ALAS-2024-2595" + } + }, + { + "type": "exact-indirect-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "amazonlinux", + "version": "2" + }, + "namespace": "amazon:distro:amazonlinux:2", + "package": { + "name": "krb5", + "version": "1.15.1-55.amzn2.2.7" + } + }, + "found": { + "versionConstraint": "< 1.15.1-55.amzn2.2.8 (rpm)", + "vulnerabilityID": "ALAS-2024-2595" + } + } + ], + "artifact": { + "id": "3bb967025c5652e0", + "name": "krb5-libs", + "version": "1.15.1-55.amzn2.2.7", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/Packages", + "layerID": "sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483" + } + ], + "language": "", + "licenses": [ + "MIT" + ], + "cpes": [ + "cpe:2.3:a:amazonlinux:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:amazonlinux:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5-libs:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5-libs:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5_libs:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5_libs:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/amzn/krb5-libs@1.15.1-55.amzn2.2.7?arch=aarch64&upstream=krb5-1.15.1-55.amzn2.2.7.src.rpm&distro=amzn-2", + "upstreams": [ + { + "name": "krb5", + "version": "1.15.1-55.amzn2.2.7" + } + ], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "ALAS-2024-2604", + "dataSource": "https://alas.aws.amazon.com/AL2/ALAS-2024-2604.html", + "namespace": "amazon:distro:amazonlinux:2", + "severity": "Medium", + "urls": [ + "https://alas.aws.amazon.com/AL2/ALAS-2024-2604.html" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with anempty supported client protocols buffer may cause a crash or memory contents tobe sent to the peer.Impact summary: A buffer overread can have a range of potential consequencessuch as unexpected application beahviour or a crash. In particular this issuecould result in up to 255 bytes of arbitrary private data from memory being sentto the peer leading to a loss of confidentiality. However, only applicationsthat directly call the SSL_select_next_proto function with a 0 length list ofsupported client protocols are affected by this issue. This would normally neverbe a valid scenario and is typically not under attacker control but may occur byaccident in the case of a configuration or programming error in the callingapplication.The OpenSSL API function SSL_select_next_proto is typically used by TLSapplications that support ALPN (Application Layer Protocol Negotiation) or NPN(Next Protocol Negotiation). NPN is older, was never standardised andis deprecated in favour of ALPN. We believe that ALPN is significantly morewidely deployed than NPN. The SSL_select_next_proto function accepts a list ofprotocols from the server and a list of protocols from the client and returnsthe first protocol that appears in the server list that also appears in theclient list. In the case of no overlap between the two lists it returns thefirst item in the client list. In either case it will signal whether an overlapbetween the two lists was found. In the case where SSL_select_next_proto iscalled with a zero length client list it fails to notice this condition andreturns the memory immediately following the client list pointer (and reportsthat there was no overlap in the lists).This function is typically called from a server side application callback forALPN or a client side application callback for NPN. In the case of ALPN the listof protocols supplied by the client is guaranteed by libssl to never be zero inlength. The list of server protocols comes from the application and should nevernormally be expected to be of zero length. In this case if theSSL_select_next_proto function has been called as expected (with the listsupplied by the client passed in the client/client_len parameters), then theapplication will not be vulnerable to this issue. If the application hasaccidentally been configured with a zero length server list, and hasaccidentally passed that zero length server list in the client/client_lenparameters, and has additionally failed to correctly handle a \"no overlap\"response (which would normally result in a handshake failure in ALPN) then itwill be vulnerable to this problem.In the case of NPN, the protocol permits the client to opportunistically selecta protocol when there is no overlap. OpenSSL returns the first client protocolin the no overlap case in support of this. The list of client protocols comesfrom the application and should never normally be expected to be of zero length.However if the SSL_select_next_proto function is accidentally called with aclient_len of 0 then an invalid memory pointer will be returned instead. If theapplication uses this output as the opportunistic protocol then the loss ofconfidentiality will occur.This issue has been assessed as Low severity because applications are mostlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is notwidely used. It also requires an application configuration or programming error.Finally, this issue would not typically be under attacker control making activeexploitation unlikely.The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.Due to the low severity of this issue we are not issuing new releases ofOpenSSL at this time. The fix will be included in the next releases when theybecome available. (CVE-2024-5535)", + "cvss": [], + "fix": { + "versions": [ + "1.0.2k-24.amzn2.0.13" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-5535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://www.openssl.org/news/secadv/20240627.txt" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "amazonlinux", + "version": "2" + }, + "namespace": "amazon:distro:amazonlinux:2", + "package": { + "name": "openssl-libs", + "version": "1:1.0.2k-24.amzn2.0.12" + } + }, + "found": { + "versionConstraint": "< 1.0.2k-24.amzn2.0.13 (rpm)", + "vulnerabilityID": "ALAS-2024-2604" + } + }, + { + "type": "exact-indirect-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "amazonlinux", + "version": "2" + }, + "namespace": "amazon:distro:amazonlinux:2", + "package": { + "name": "openssl", + "version": "1.0.2k-24.amzn2.0.12" + } + }, + "found": { + "versionConstraint": "< 1.0.2k-24.amzn2.0.13 (rpm)", + "vulnerabilityID": "ALAS-2024-2604" + } + } + ], + "artifact": { + "id": "ca07aa6bdda5c274", + "name": "openssl-libs", + "version": "1:1.0.2k-24.amzn2.0.12", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/Packages", + "layerID": "sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:openssl-libs:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:amazonlinux:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:amazonlinux:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/amzn/openssl-libs@1.0.2k-24.amzn2.0.12?arch=aarch64&epoch=1&upstream=openssl-1.0.2k-24.amzn2.0.12.src.rpm&distro=amzn-2", + "upstreams": [ + { + "name": "openssl", + "version": "1.0.2k-24.amzn2.0.12" + } + ], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": 1, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "GHSA-mq26-g339-26xf", + "dataSource": "https://github.com/advisories/GHSA-mq26-g339-26xf", + "namespace": "github:language:python", + "severity": "Medium", + "urls": [ + "https://github.com/advisories/GHSA-mq26-g339-26xf" + ], + "description": "Command Injection in pip when used with Mercurial", + "cvss": [ + { + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": { + "base_severity": "Medium", + "status": "N/A" + } + } + ], + "fix": { + "versions": [ + "23.3" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-5752", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-5752", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://github.com/pypa/pip/pull/12306", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + ], + "description": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + }, + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "python-matcher", + "searchedBy": { + "language": "python", + "namespace": "github:language:python", + "package": { + "name": "pip", + "version": "23.0.1" + } + }, + "found": { + "versionConstraint": "<23.3 (python)", + "vulnerabilityID": "GHSA-mq26-g339-26xf" + } + } + ], + "artifact": { + "id": "8cac57bcd656efc6", + "name": "pip", + "version": "23.0.1", + "type": "python", + "locations": [ + { + "path": "/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/RECORD", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/top_level.txt", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "python", + "licenses": [ + "MIT" + ], + "cpes": [ + "cpe:2.3:a:pip_developers_project:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developers_project:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig_project:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig_project:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developersproject:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developersproject:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sigproject:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sigproject:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developers_project:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig_project:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developers:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developers:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developersproject:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils-sig:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils-sig:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sigproject:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python-pip:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python-pip:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python_pip:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python_pip:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developers:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils-sig:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pypa:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pypa:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python-pip:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python_pip:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pypa:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip:pip:23.0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:pypi/pip@23.0.1", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-7592", + "versionConstraint": "<= 3.13.0 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-0397", + "versionConstraint": ">= 3.13.0a1, < 3.13.0a5 || >= 3.12.0, < 3.12.3 || >= 3.11.0, < 3.11.9 || < 3.10.14 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-36632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-36632", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://docs.python.org/3/library/email.html", + "https://docs.python.org/3/library/email.utils.html", + "https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py", + "https://github.com/python/cpython/issues/103800" + ], + "description": "The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \"RecursionError: maximum recursion depth exceeded while calling a Python object\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-36632", + "versionConstraint": "<= 3.11.4 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-6923", + "versionConstraint": ">= 3.13.0a1, <= 3.13.0rc2 || < 3.12.5 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-27043", + "versionConstraint": "<= 2.7.18 || >= 3.0, <= 3.11 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-8088", + "versionConstraint": "<= 3.13.0 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-5642", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5642", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e", + "https://github.com/python/cpython/issues/121227", + "https://github.com/python/cpython/pull/23014", + "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html", + "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/", + "https://security.netapp.com/advisory/ntap-20240726-0005/" + ], + "description": "CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).", + "cvss": [], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-5642", + "versionConstraint": "< 3.10.0b1 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-4032", + "versionConstraint": "< 3.12.4 || >= 3.13.0a1, < 3.13.0a6 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "GHSA-r9hx-vwmv-q579", + "dataSource": "https://github.com/advisories/GHSA-r9hx-vwmv-q579", + "namespace": "github:language:python", + "severity": "High", + "urls": [ + "https://github.com/advisories/GHSA-r9hx-vwmv-q579" + ], + "description": "pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)", + "cvss": [ + { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": { + "base_severity": "High", + "status": "N/A" + } + } + ], + "fix": { + "versions": [ + "65.5.1" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-40897", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200", + "https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be", + "https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/", + "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/", + "https://pyup.io/vulnerabilities/CVE-2022-40897/52495/", + "https://security.netapp.com/advisory/ntap-20230214-0001/", + "https://security.netapp.com/advisory/ntap-20240621-0006/" + ], + "description": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "python-matcher", + "searchedBy": { + "language": "python", + "namespace": "github:language:python", + "package": { + "name": "setuptools", + "version": "58.1.0" + } + }, + "found": { + "versionConstraint": "<65.5.1 (python)", + "vulnerabilityID": "GHSA-r9hx-vwmv-q579" + } + } + ], + "artifact": { + "id": "bc6c39be42a59eb7", + "name": "setuptools", + "version": "58.1.0", + "type": "python", + "locations": [ + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/RECORD", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/top_level.txt", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "python", + "licenses": [ + "UNKNOWN" + ], + "cpes": [ + "cpe:2.3:a:python:setuptools:58.1.0:*:*:*:*:*:*:*" + ], + "purl": "pkg:pypi/setuptools@58.1.0", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "GHSA-cx63-2mw6-8hw5", + "dataSource": "https://github.com/advisories/GHSA-cx63-2mw6-8hw5", + "namespace": "github:language:python", + "severity": "High", + "urls": [ + "https://github.com/advisories/GHSA-cx63-2mw6-8hw5" + ], + "description": "setuptools vulnerable to Command Injection via package URL", + "cvss": [ + { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": { + "base_severity": "High", + "status": "N/A" + } + } + ], + "fix": { + "versions": [ + "70.0.0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6345", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0", + "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + ], + "description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "python-matcher", + "searchedBy": { + "language": "python", + "namespace": "github:language:python", + "package": { + "name": "setuptools", + "version": "58.1.0" + } + }, + "found": { + "versionConstraint": "<70.0.0 (python)", + "vulnerabilityID": "GHSA-cx63-2mw6-8hw5" + } + } + ], + "artifact": { + "id": "bc6c39be42a59eb7", + "name": "setuptools", + "version": "58.1.0", + "type": "python", + "locations": [ + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/RECORD", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/top_level.txt", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "python", + "licenses": [ + "UNKNOWN" + ], + "cpes": [ + "cpe:2.3:a:python:setuptools:58.1.0:*:*:*:*:*:*:*" + ], + "purl": "pkg:pypi/setuptools@58.1.0", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-24791", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://go.dev/cl/591255", + "https://go.dev/issue/67555", + "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ", + "https://pkg.go.dev/vuln/GO-2024-2963" + ], + "description": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "go-module-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:golang:go:1.22.4:-:*:*:*:*:*:*" + ], + "package": { + "name": "stdlib", + "version": "go1.22.4" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-24791", + "versionConstraint": "< 1.21.12 || >= 1.22.0-0, < 1.22.5 (unknown)", + "cpes": [ + "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "c93538cbf3d8e93b", + "name": "stdlib", + "version": "go1.22.4", + "type": "go-module", + "locations": [ + { + "path": "/usr/local/bin/aws-lambda-rie", + "layerID": "sha256:9a9b5814afc2b76039ada8e0f4445eeec0c487bcf7637b36b20a7f25bb15b369" + } + ], + "language": "go", + "licenses": [ + "BSD-3-Clause" + ], + "cpes": [ + "cpe:2.3:a:golang:go:1.22.4:-:*:*:*:*:*:*" + ], + "purl": "pkg:golang/stdlib@1.22.4", + "upstreams": [], + "metadataType": "GolangBinMetadata", + "metadata": { + "goCompiledVersion": "go1.22.4", + "architecture": "" + } + } + }, + { + "vulnerability": { + "id": "GHSA-34jh-p97f-mpxf", + "dataSource": "https://github.com/advisories/GHSA-34jh-p97f-mpxf", + "namespace": "github:language:python", + "severity": "Medium", + "urls": [ + "https://github.com/advisories/GHSA-34jh-p97f-mpxf" + ], + "description": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects ", + "cvss": [ + { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.7, + "impactScore": 3.6 + }, + "vendorMetadata": { + "base_severity": "Medium", + "status": "N/A" + } + } + ], + "fix": { + "versions": [ + "1.26.19" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37891", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" + ], + "description": " urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.", + "cvss": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.7, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "python-matcher", + "searchedBy": { + "language": "python", + "namespace": "github:language:python", + "package": { + "name": "urllib3", + "version": "1.26.18" + } + }, + "found": { + "versionConstraint": "<1.26.19 (python)", + "vulnerabilityID": "GHSA-34jh-p97f-mpxf" + } + } + ], + "artifact": { + "id": "18a6c87286e142af", + "name": "urllib3", + "version": "1.26.18", + "type": "python", + "locations": [ + { + "path": "/var/runtime/urllib3-1.26.18.dist-info/METADATA", + "layerID": "sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03" + }, + { + "path": "/var/runtime/urllib3-1.26.18.dist-info/RECORD", + "layerID": "sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03" + }, + { + "path": "/var/runtime/urllib3-1.26.18.dist-info/top_level.txt", + "layerID": "sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03" + } + ], + "language": "python", + "licenses": [ + "MIT" + ], + "cpes": [ + "cpe:2.3:a:python:urllib3:1.26.18:*:*:*:*:*:*:*" + ], + "purl": "pkg:pypi/urllib3@1.26.18", + "upstreams": [] + } + } + ] + } + } + } +} \ No newline at end of file diff --git a/test/sample_data/anchoregrype/anchore-grype-hdf.json b/test/sample_data/anchoregrype/anchore-grype-hdf.json new file mode 100644 index 000000000..2be269690 --- /dev/null +++ b/test/sample_data/anchoregrype/anchore-grype-hdf.json @@ -0,0 +1,3659 @@ +{ + "platform": { + "name": "Heimdall Tools", + "release": "2.10.15", + "target_id": null + }, + "version": "2.10.15", + "statistics": { + "duration": null + }, + "profiles": [ + { + "name": "Anchore - Grype", + "title": "Anchore Grype Matches", + "version": "0.79.3", + "maintainer": null, + "summary": null, + "license": null, + "copyright": null, + "copyright_email": null, + "supports": [], + "attributes": [], + "depends": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-36159", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 2.10.7-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-36159" + }, + { + "url": "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch" + }, + { + "url": "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749" + }, + { + "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-36159 in golang:1.12-alpine", + "id": "Grype/CVE-2021-36159", + "desc": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-36159\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-36159\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-36159\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"2.10.7-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-36159\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-36159\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch\",\n \"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749\",\n \"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E\"\n ],\n \"description\": \"libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\\\0' terminator one byte too late.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 10,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 2.10.7-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-36159\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 2.10.7-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-36159\"\n }\n }\n]", + "message": "{\n \"id\": \"1acb8fe52f3da542\",\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:apk-tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk-tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk_tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk_tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/apk-tools@2.10.4-r3?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"apk-tools\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/apk\"\n },\n {\n \"path\": \"/etc/apk/keys\"\n },\n {\n \"path\": \"/etc/apk/protected_paths.d\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/sbin/apk\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/apk\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-30139", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 2.10.6-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-30139" + }, + { + "url": "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10741" + }, + { + "url": "https://gitlab.alpinelinux.org/alpine/aports/-/issues/12606" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-30139 in golang:1.12-alpine", + "id": "Grype/CVE-2021-30139", + "desc": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-30139\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-30139\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-30139\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"2.10.6-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-30139\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-30139\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10741\",\n \"https://gitlab.alpinelinux.org/alpine/aports/-/issues/12606\"\n ],\n \"description\": \"In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 2.10.6-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-30139\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 2.10.6-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-30139\"\n }\n }\n]", + "message": "{\n \"id\": \"1acb8fe52f3da542\",\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:apk-tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk-tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk_tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk_tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/apk-tools@2.10.4-r3?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"apk-tools\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/apk\"\n },\n {\n \"path\": \"/etc/apk/keys\"\n },\n {\n \"path\": \"/etc/apk/protected_paths.d\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/sbin/apk\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/apk\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48174", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://bugs.busybox.net/show_bug.cgi?id=15216" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48174 in golang:1.12-alpine", + "id": "Grype/CVE-2022-48174", + "desc": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48174\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48174\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://bugs.busybox.net/show_bug.cgi?id=15216\"\n ],\n \"description\": \"There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-48174\",\n \"versionConstraint\": \"< 1.35.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-48174\",\n \"versionConstraint\": \"< 1.35.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-28391", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch" + }, + { + "url": "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch" + }, + { + "url": "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-28391 in golang:1.12-alpine", + "id": "Grype/CVE-2022-28391", + "desc": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-28391\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-28391\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch\",\n \"https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch\",\n \"https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661\"\n ],\n \"description\": \"BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.8,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-28391\",\n \"versionConstraint\": \"<= 1.35.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-28391\",\n \"versionConstraint\": \"<= 1.35.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42386", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42386" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42386 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42386", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42386\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42386\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42386\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42386\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42386\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42386\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42386\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42386\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42385", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42385" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42385 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42385", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42385\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42385\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42385\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42385\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42385\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42385\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42385\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42385\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42384", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42384" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42384 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42384", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42384\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42384\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42384\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42384\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42384\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42384\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42384\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42384\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42383", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42383" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42383 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42383", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42383\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42383\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42383\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42383\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42383\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42383\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42383\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42383\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42382", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42382" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42382 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42382", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42382\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42382\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42382\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42382\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42382\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42382\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42382\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42382\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42381", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42381" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42381 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42381", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42381\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42381\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42381\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42381\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42381\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42381\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42381\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42381\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42380", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42380" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42380 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42380", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42380\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42380\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42380\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42380\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42380\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42380\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42380\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42380\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42379", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42379" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42379 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42379", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42379\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42379\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42379\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42379\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42379\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42379\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42379\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42379\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42378", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42378" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42378 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42378", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42378\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42378\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42378\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42378\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42378\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42378\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42378\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42378\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-28831", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r10", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-28831" + }, + { + "url": "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/" + }, + { + "url": "https://security.gentoo.org/glsa/202105-09" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-28831 in golang:1.12-alpine", + "id": "Grype/CVE-2021-28831", + "desc": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-28831\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-28831\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-28831\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r10\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-28831\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-28831\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd\",\n \"https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/\",\n \"https://security.gentoo.org/glsa/202105-09\"\n ],\n \"description\": \"decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"cve@mitre.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r10 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-28831\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r10 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-28831\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r10 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-28831\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42374", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42374" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42374 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42374", + "desc": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42374\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42374\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42374\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42374\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42374\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:M/Au:N/C:P/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 3.4,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42374\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42374\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42374\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-5535", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/27/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4" + }, + { + "url": "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37" + }, + { + "url": "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e" + }, + { + "url": "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c" + }, + { + "url": "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240712-0005/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240627.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-5535 in golang:1.12-alpine", + "id": "Grype/CVE-2024-5535", + "desc": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-5535\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-5535\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/27/1\",\n \"http://www.openwall.com/lists/oss-security/2024/06/28/4\",\n \"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37\",\n \"https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e\",\n \"https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c\",\n \"https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87\",\n \"https://security.netapp.com/advisory/ntap-20240712-0005/\",\n \"https://www.openssl.org/news/secadv/20240627.txt\"\n ],\n \"description\": \"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\\nempty supported client protocols buffer may cause a crash or memory contents to\\nbe sent to the peer.\\n\\nImpact summary: A buffer overread can have a range of potential consequences\\nsuch as unexpected application beahviour or a crash. In particular this issue\\ncould result in up to 255 bytes of arbitrary private data from memory being sent\\nto the peer leading to a loss of confidentiality. However, only applications\\nthat directly call the SSL_select_next_proto function with a 0 length list of\\nsupported client protocols are affected by this issue. This would normally never\\nbe a valid scenario and is typically not under attacker control but may occur by\\naccident in the case of a configuration or programming error in the calling\\napplication.\\n\\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\\n(Next Protocol Negotiation). NPN is older, was never standardised and\\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\\nprotocols from the server and a list of protocols from the client and returns\\nthe first protocol that appears in the server list that also appears in the\\nclient list. In the case of no overlap between the two lists it returns the\\nfirst item in the client list. In either case it will signal whether an overlap\\nbetween the two lists was found. In the case where SSL_select_next_proto is\\ncalled with a zero length client list it fails to notice this condition and\\nreturns the memory immediately following the client list pointer (and reports\\nthat there was no overlap in the lists).\\n\\nThis function is typically called from a server side application callback for\\nALPN or a client side application callback for NPN. In the case of ALPN the list\\nof protocols supplied by the client is guaranteed by libssl to never be zero in\\nlength. The list of server protocols comes from the application and should never\\nnormally be expected to be of zero length. In this case if the\\nSSL_select_next_proto function has been called as expected (with the list\\nsupplied by the client passed in the client/client_len parameters), then the\\napplication will not be vulnerable to this issue. If the application has\\naccidentally been configured with a zero length server list, and has\\naccidentally passed that zero length server list in the client/client_len\\nparameters, and has additionally failed to correctly handle a \\\"no overlap\\\"\\nresponse (which would normally result in a handshake failure in ALPN) then it\\nwill be vulnerable to this problem.\\n\\nIn the case of NPN, the protocol permits the client to opportunistically select\\na protocol when there is no overlap. OpenSSL returns the first client protocol\\nin the no overlap case in support of this. The list of client protocols comes\\nfrom the application and should never normally be expected to be of zero length.\\nHowever if the SSL_select_next_proto function is accidentally called with a\\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\\napplication uses this output as the opportunistic protocol then the loss of\\nconfidentiality will occur.\\n\\nThis issue has been assessed as Low severity because applications are most\\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\\nwidely used. It also requires an application configuration or programming error.\\nFinally, this issue would not typically be under attacker control making active\\nexploitation unlikely.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\\n\\nDue to the low severity of this issue we are not issuing new releases of\\nOpenSSL at this time. The fix will be included in the next releases when they\\nbecome available.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-5535\",\n \"versionConstraint\": \">= 3.3.0, < 3.3.2 || >= 3.2.0, < 3.2.3 || >= 3.1.0, < 3.1.7 || >= 3.0.0, < 3.0.15 || >= 1.1.1, < 1.1.1za || >= 1.0.2, < 1.0.2zk (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-5535\",\n \"versionConstraint\": \">= 3.3.0, < 3.3.2 || >= 3.2.0, < 3.2.3 || >= 3.1.0, < 3.1.7 || >= 3.0.0, < 3.0.15 || >= 1.1.1, < 1.1.1za || >= 1.0.2, < 1.0.2zk (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-2068", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220707-0008/" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5169" + }, + { + "url": "https://www.openssl.org/news/secadv/20220621.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-2068 in golang:1.12-alpine", + "id": "Grype/CVE-2022-2068", + "desc": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-2068\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-2068\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/\",\n \"https://security.netapp.com/advisory/ntap-20220707-0008/\",\n \"https://www.debian.org/security/2022/dsa-5169\",\n \"https://www.openssl.org/news/secadv/20220621.txt\"\n ],\n \"description\": \"In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 10,\n \"exploitabilityScore\": 10,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-2068\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zf || >= 1.1.1, < 1.1.1p || >= 3.0.0, < 3.0.4 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-2068\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zf || >= 1.1.1, < 1.1.1p || >= 3.0.0, < 3.0.4 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-1292", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220602-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220729-0004/" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5139" + }, + { + "url": "https://www.openssl.org/news/secadv/20220503.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-1292 in golang:1.12-alpine", + "id": "Grype/CVE-2022-1292", + "desc": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-1292\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-1292\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23\",\n \"https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/\",\n \"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20220602-0009/\",\n \"https://security.netapp.com/advisory/ntap-20220729-0004/\",\n \"https://www.debian.org/security/2022/dsa-5139\",\n \"https://www.openssl.org/news/secadv/20220503.txt\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n ],\n \"description\": \"The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 10,\n \"exploitabilityScore\": 10,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-1292\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2ze || >= 1.1.1, < 1.1.1o || >= 3.0.0, < 3.0.3 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-1292\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2ze || >= 1.1.1, < 1.1.1o || >= 3.0.0, < 3.0.3 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3711", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1l-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3711" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/08/26/2" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46" + }, + { + "url": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://security.gentoo.org/glsa/202209-02" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210827-0010/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211022-0003/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4963" + }, + { + "url": "https://www.openssl.org/news/secadv/20210824.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-16" + }, + { + "url": "https://www.tenable.com/security/tns-2022-02" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3711 in golang:1.12-alpine", + "id": "Grype/CVE-2021-3711", + "desc": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3711\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-3711\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-3711\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1l-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3711\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3711\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/08/26/2\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46\",\n \"https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E\",\n \"https://security.gentoo.org/glsa/202209-02\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20210827-0010/\",\n \"https://security.netapp.com/advisory/ntap-20211022-0003/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2021/dsa-4963\",\n \"https://www.openssl.org/news/secadv/20210824.txt\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujan2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-16\",\n \"https://www.tenable.com/security/tns-2022-02\"\n ],\n \"description\": \"In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \\\"out\\\" parameter can be NULL and, on exit, the \\\"outlen\\\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \\\"out\\\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1l-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3711\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1l-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3711\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-4807", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230921-0001/" + }, + { + "url": "https://www.openssl.org/news/secadv/20230908.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-4807 in golang:1.12-alpine", + "id": "Grype/CVE-2023-4807", + "desc": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-4807\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-4807\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff\",\n \"https://security.netapp.com/advisory/ntap-20230921-0001/\",\n \"https://www.openssl.org/news/secadv/20230908.txt\"\n ],\n \"description\": \"Issue summary: The POLY1305 MAC (message authentication code) implementation\\ncontains a bug that might corrupt the internal state of applications on the\\nWindows 64 platform when running on newer X86_64 processors supporting the\\nAVX512-IFMA instructions.\\n\\nImpact summary: If in an application that uses the OpenSSL library an attacker\\ncan influence whether the POLY1305 MAC algorithm is used, the application\\nstate might be corrupted with various application dependent consequences.\\n\\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\\nnot save the contents of non-volatile XMM registers on Windows 64 platform\\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\\nthe caller all the XMM registers are set to zero rather than restoring their\\nprevious content. The vulnerable code is used only on newer x86_64 processors\\nsupporting the AVX512-IFMA instructions.\\n\\nThe consequences of this kind of internal application state corruption can\\nbe various - from no consequences, if the calling application does not\\ndepend on the contents of non-volatile XMM registers at all, to the worst\\nconsequences, where the attacker could get complete control of the application\\nprocess. However given the contents of the registers are just zeroized so\\nthe attacker cannot put arbitrary values inside, the most likely consequence,\\nif any, would be an incorrect result of some application dependent\\ncalculations or a crash leading to a denial of service.\\n\\nThe POLY1305 MAC algorithm is most frequently used as part of the\\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\\ncipher is used by the server. This implies that server applications using\\nOpenSSL can be potentially impacted. However we are currently not aware of\\nany concrete application that would be affected by this issue therefore we\\nconsider this a Low severity security issue.\\n\\nAs a workaround the AVX512-IFMA instructions support can be disabled at\\nruntime by setting the environment variable OPENSSL_ia32cap:\\n\\n OPENSSL_ia32cap=:~0x200000\\n\\nThe FIPS provider is not affected by this issue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-4807\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1w || >= 3.0.0, < 3.0.11 || >= 3.1.0, < 3.1.3 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-4807\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1w || >= 3.0.0, < 3.0.11 || >= 3.1.0, < 3.1.3 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0464", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.couchbase.com/alerts/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230322.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0464 in golang:1.12-alpine", + "id": "Grype/CVE-2023-0464", + "desc": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0464\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0464\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.couchbase.com/alerts/\",\n \"https://www.debian.org/security/2023/dsa-5417\",\n \"https://www.openssl.org/news/secadv/20230322.txt\"\n ],\n \"description\": \"A security vulnerability has been identified in all supported versions\\n\\nof OpenSSL related to the verification of X.509 certificate chains\\nthat include policy constraints. Attackers may be able to exploit this\\nvulnerability by creating a malicious certificate chain that triggers\\nexponential use of computational resources, leading to a denial-of-service\\n(DoS) attack on affected systems.\\n\\nPolicy processing is disabled by default but can be enabled by passing\\nthe `-policy' argument to the command line utilities or by calling the\\n`X509_VERIFY_PARAM_set1_policies()' function.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0464\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0464\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0286", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt" + }, + { + "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0286 in golang:1.12-alpine", + "id": "Grype/CVE-2023-0286", + "desc": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0286\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0286\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt\",\n \"https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://www.openssl.org/news/secadv/20230207.txt\"\n ],\n \"description\": \"There is a type confusion vulnerability relating to X.400 address processing\\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\\nthe public structure definition for GENERAL_NAME incorrectly specified the type\\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\\nASN1_STRING.\\n\\nWhen CRL checking is enabled (i.e. the application sets the\\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\\narbitrary pointers to a memcmp call, enabling them to read memory contents or\\nenact a denial of service. In most cases, the attack requires the attacker to\\nprovide both the certificate chain and CRL, neither of which need to have a\\nvalid signature. If the attacker only controls one of these inputs, the other\\ninput must already contain an X.400 address as a CRL distribution point, which\\nis uncommon. As such, this vulnerability is most likely to only affect\\napplications which have implemented their own functionality for retrieving CRLs\\nover a network.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0286\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0286\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0215", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230427-0007/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230427-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0215 in golang:1.12-alpine", + "id": "Grype/CVE-2023-0215", + "desc": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0215\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0215\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20230427-0007/\",\n \"https://security.netapp.com/advisory/ntap-20230427-0009/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.openssl.org/news/secadv/20230207.txt\"\n ],\n \"description\": \"The public API function BIO_new_NDEF is a helper function used for streaming\\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\\nend user applications.\\n\\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\\nBIO onto the front of it to form a BIO chain, and then returns the new head of\\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\\nrecipient public key is invalid, the new filter BIO is freed and the function\\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\\nis not properly cleaned up and the BIO passed by the caller still retains\\ninternal pointers to the previously freed filter BIO. If the caller then goes on\\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\\nlikely result in a crash.\\n\\n\\n\\nThis scenario occurs directly in the internal function B64_write_ASN1() which\\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\\nthe BIO. This internal function is in turn called by the public API functions\\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\\n\\nOther public API functions that may be impacted by this include\\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\\ni2d_PKCS7_bio_stream.\\n\\nThe OpenSSL cms and smime command line applications are similarly affected.\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0215\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0215\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-4450", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-4450 in golang:1.12-alpine", + "id": "Grype/CVE-2022-4450", + "desc": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-4450\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-4450\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://www.openssl.org/news/secadv/20230207.txt\"\n ],\n \"description\": \"The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\\ndecodes the \\\"name\\\" (e.g. \\\"CERTIFICATE\\\"), any header data and the payload data.\\nIf the function succeeds then the \\\"name_out\\\", \\\"header\\\" and \\\"data\\\" arguments are\\npopulated with pointers to buffers containing the relevant decoded data. The\\ncaller is responsible for freeing those buffers. It is possible to construct a\\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\\nwill return a failure code but will populate the header argument with a pointer\\nto a buffer that has already been freed. If the caller also frees this buffer\\nthen a double free will occur. This will most likely lead to a crash. This\\ncould be exploited by an attacker who has the ability to supply malicious PEM\\nfiles for parsing to achieve a denial of service attack.\\n\\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\\nPEM_read_bio_ex() and therefore these functions are also directly affected.\\n\\nThese functions are also called indirectly by a number of other OpenSSL\\nfunctions including PEM_X509_INFO_read_bio_ex() and\\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\\nuses of these functions are not vulnerable because the caller does not free the\\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\\nOpenSSL 3.0.\\n\\nThe OpenSSL asn1parse command line application is also impacted by this issue.\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-4450\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-4450\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0778", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/May/38" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220321-0002/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220429-0005/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://support.apple.com/kb/HT213255" + }, + { + "url": "https://support.apple.com/kb/HT213256" + }, + { + "url": "https://support.apple.com/kb/HT213257" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5103" + }, + { + "url": "https://www.openssl.org/news/secadv/20220315.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://www.tenable.com/security/tns-2022-06" + }, + { + "url": "https://www.tenable.com/security/tns-2022-07" + }, + { + "url": "https://www.tenable.com/security/tns-2022-08" + }, + { + "url": "https://www.tenable.com/security/tns-2022-09" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0778 in golang:1.12-alpine", + "id": "Grype/CVE-2022-0778", + "desc": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0778\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0778\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html\",\n \"http://seclists.org/fulldisclosure/2022/May/33\",\n \"http://seclists.org/fulldisclosure/2022/May/35\",\n \"http://seclists.org/fulldisclosure/2022/May/38\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246\",\n \"https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html\",\n \"https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/\",\n \"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20220321-0002/\",\n \"https://security.netapp.com/advisory/ntap-20220429-0005/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://support.apple.com/kb/HT213255\",\n \"https://support.apple.com/kb/HT213256\",\n \"https://support.apple.com/kb/HT213257\",\n \"https://www.debian.org/security/2022/dsa-5103\",\n \"https://www.openssl.org/news/secadv/20220315.txt\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\",\n \"https://www.tenable.com/security/tns-2022-06\",\n \"https://www.tenable.com/security/tns-2022-07\",\n \"https://www.tenable.com/security/tns-2022-08\",\n \"https://www.tenable.com/security/tns-2022-09\"\n ],\n \"description\": \"The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-0778\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zd || >= 1.1.0, < 1.1.1n || >= 3.0.0, < 3.0.2 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-0778\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zd || >= 1.1.0, < 1.1.1n || >= 3.0.0, < 3.0.2 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3712", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1l-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3712" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/08/26/2" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366" + }, + { + "url": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html" + }, + { + "url": "https://security.gentoo.org/glsa/202209-02" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210827-0010/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4963" + }, + { + "url": "https://www.openssl.org/news/secadv/20210824.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-16" + }, + { + "url": "https://www.tenable.com/security/tns-2022-02" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3712 in golang:1.12-alpine", + "id": "Grype/CVE-2021-3712", + "desc": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3712\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-3712\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-3712\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1l-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3712\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3712\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/08/26/2\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12\",\n \"https://kc.mcafee.com/corporate/index?page=content&id=SB10366\",\n \"https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html\",\n \"https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html\",\n \"https://security.gentoo.org/glsa/202209-02\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20210827-0010/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2021/dsa-4963\",\n \"https://www.openssl.org/news/secadv/20210824.txt\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujan2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-16\",\n \"https://www.tenable.com/security/tns-2022-02\"\n ],\n \"description\": \"ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \\\"d2i\\\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \\\"data\\\" and \\\"length\\\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \\\"data\\\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5.8,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1l-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3712\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1l-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3712\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3450", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1k-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3450" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/27/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/27/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/28/3" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/28/4" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/" + }, + { + "url": "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013" + }, + { + "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc" + }, + { + "url": "https://security.gentoo.org/glsa/202103-03" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210326-0006/" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd" + }, + { + "url": "https://www.openssl.org/news/secadv/20210325.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-05" + }, + { + "url": "https://www.tenable.com/security/tns-2021-08" + }, + { + "url": "https://www.tenable.com/security/tns-2021-09" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3450 in golang:1.12-alpine", + "id": "Grype/CVE-2021-3450", + "desc": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3450\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-3450\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-3450\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1k-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3450\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3450\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/03/27/1\",\n \"http://www.openwall.com/lists/oss-security/2021/03/27/2\",\n \"http://www.openwall.com/lists/oss-security/2021/03/28/3\",\n \"http://www.openwall.com/lists/oss-security/2021/03/28/4\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845\",\n \"https://kc.mcafee.com/corporate/index?page=content&id=SB10356\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/\",\n \"https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html\",\n \"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013\",\n \"https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc\",\n \"https://security.gentoo.org/glsa/202103-03\",\n \"https://security.netapp.com/advisory/ntap-20210326-0006/\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd\",\n \"https://www.openssl.org/news/secadv/20210325.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-05\",\n \"https://www.tenable.com/security/tns-2021-08\",\n \"https://www.tenable.com/security/tns-2021-09\"\n ],\n \"description\": \"The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \\\"purpose\\\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \\\"purpose\\\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 5.8,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1k-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3450\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1k-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3450\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-23840", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1j-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-23840" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E" + }, + { + "url": "https://security.gentoo.org/glsa/202103-03" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210219-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4855" + }, + { + "url": "https://www.openssl.org/news/secadv/20210216.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-03" + }, + { + "url": "https://www.tenable.com/security/tns-2021-09" + }, + { + "url": "https://www.tenable.com/security/tns-2021-10" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-23840 in golang:1.12-alpine", + "id": "Grype/CVE-2021-23840", + "desc": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-23840\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-23840\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-23840\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1j-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-23840\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23840\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846\",\n \"https://kc.mcafee.com/corporate/index?page=content&id=SB10366\",\n \"https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E\",\n \"https://security.gentoo.org/glsa/202103-03\",\n \"https://security.netapp.com/advisory/ntap-20210219-0009/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2021/dsa-4855\",\n \"https://www.openssl.org/news/secadv/20210216.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujan2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-03\",\n \"https://www.tenable.com/security/tns-2021-09\",\n \"https://www.tenable.com/security/tns-2021-10\"\n ],\n \"description\": \"Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23840\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23840\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-1967", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1g-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-1967" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" + }, + { + "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/May/5" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" + }, + { + "url": "https://github.com/irsl/CVE-2020-1967" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" + }, + { + "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" + }, + { + "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" + }, + { + "url": "https://security.gentoo.org/glsa/202004-10" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4661" + }, + { + "url": "https://www.openssl.org/news/secadv/20200421.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" + }, + { + "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" + }, + { + "url": "https://www.tenable.com/security/tns-2020-03" + }, + { + "url": "https://www.tenable.com/security/tns-2020-04" + }, + { + "url": "https://www.tenable.com/security/tns-2020-11" + }, + { + "url": "https://www.tenable.com/security/tns-2021-10" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-1967 in golang:1.12-alpine", + "id": "Grype/CVE-2020-1967", + "desc": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-1967\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2020-1967\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2020-1967\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1g-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-1967\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-1967\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html\",\n \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html\",\n \"http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html\",\n \"http://seclists.org/fulldisclosure/2020/May/5\",\n \"http://www.openwall.com/lists/oss-security/2020/04/22/2\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1\",\n \"https://github.com/irsl/CVE-2020-1967\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440\",\n \"https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/\",\n \"https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc\",\n \"https://security.gentoo.org/glsa/202004-10\",\n \"https://security.netapp.com/advisory/ntap-20200424-0003/\",\n \"https://security.netapp.com/advisory/ntap-20200717-0004/\",\n \"https://www.debian.org/security/2020/dsa-4661\",\n \"https://www.openssl.org/news/secadv/20200421.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpujan2021.html\",\n \"https://www.oracle.com/security-alerts/cpujul2020.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2020.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.synology.com/security/advisory/Synology_SA_20_05\",\n \"https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL\",\n \"https://www.tenable.com/security/tns-2020-03\",\n \"https://www.tenable.com/security/tns-2020-04\",\n \"https://www.tenable.com/security/tns-2020-11\",\n \"https://www.tenable.com/security/tns-2021-10\"\n ],\n \"description\": \"Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \\\"signature_algorithms_cert\\\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1g-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-1967\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1g-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-1967\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0727", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1" + }, + { + "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" + }, + { + "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" + }, + { + "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240208-0006/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0727 in golang:1.12-alpine", + "id": "Grype/CVE-2024-0727", + "desc": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0727\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0727\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/03/11/1\",\n \"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2\",\n \"https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a\",\n \"https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8\",\n \"https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539\",\n \"https://security.netapp.com/advisory/ntap-20240208-0006/\",\n \"https://www.openssl.org/news/secadv/20240125.txt\"\n ],\n \"description\": \"Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\\nto crash leading to a potential Denial of Service attack\\n\\nImpact summary: Applications loading files in the PKCS12 format from untrusted\\nsources might terminate abruptly.\\n\\nA file in PKCS12 format can contain certificates and keys and may come from an\\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\\ndereference that results in OpenSSL crashing. If an application processes PKCS12\\nfiles from an untrusted source using the OpenSSL APIs then that application will\\nbe vulnerable to this issue.\\n\\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\\nand PKCS12_newpass().\\n\\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\\nfunction is related to writing data we do not consider it security significant.\\n\\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-0727\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 || = 3.2.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-0727\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 || = 3.2.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-5678", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231130-0010/" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-5678 in golang:1.12-alpine", + "id": "Grype/CVE-2023-5678", + "desc": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-5678\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-5678\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/03/11/1\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6\",\n \"https://security.netapp.com/advisory/ntap-20231130-0010/\",\n \"https://www.openssl.org/news/secadv/20231106.txt\"\n ],\n \"description\": \"Issue summary: Generating excessively long X9.42 DH keys or checking\\nexcessively long X9.42 DH keys or parameters may be very slow.\\n\\nImpact summary: Applications that use the functions DH_generate_key() to\\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\\nWhere the key or parameters that are being checked have been obtained from\\nan untrusted source this may lead to a Denial of Service.\\n\\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\\nDH_check_pub_key() doesn't make any of these checks, and is therefore\\nvulnerable for excessively large P and Q parameters.\\n\\nLikewise, while DH_generate_key() performs a check for an excessively large\\nP, it doesn't check for an excessively large Q.\\n\\nAn application that calls DH_generate_key() or DH_check_pub_key() and\\nsupplies a key or parameters obtained from an untrusted source could be\\nvulnerable to a Denial of Service attack.\\n\\nDH_generate_key() and DH_check_pub_key() are also called by a number of\\nother OpenSSL functions. An application calling any of those other\\nfunctions may similarly be affected. The other functions affected by this\\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\\n\\nAlso vulnerable are the OpenSSL pkey command line application when using the\\n\\\"-pubcheck\\\" option, as well as the OpenSSL genpkey command line application.\\n\\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\\n\\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-5678\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-5678\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-3817", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://seclists.org/fulldisclosure/2023/Jul/43" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/07/31/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/09/22/11" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/09/22/9" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230818-0014/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231027-0008/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.openssl.org/news/secadv/20230731.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-3817 in golang:1.12-alpine", + "id": "Grype/CVE-2023-3817", + "desc": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-3817\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-3817\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://seclists.org/fulldisclosure/2023/Jul/43\",\n \"http://www.openwall.com/lists/oss-security/2023/07/31/1\",\n \"http://www.openwall.com/lists/oss-security/2023/09/22/11\",\n \"http://www.openwall.com/lists/oss-security/2023/09/22/9\",\n \"http://www.openwall.com/lists/oss-security/2023/11/06/2\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5\",\n \"https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20230818-0014/\",\n \"https://security.netapp.com/advisory/ntap-20231027-0008/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.openssl.org/news/secadv/20230731.txt\"\n ],\n \"description\": \"Issue summary: Checking excessively long DH keys or parameters may be very slow.\\n\\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\\ndelays. Where the key or parameters that are being checked have been obtained\\nfrom an untrusted source this may lead to a Denial of Service.\\n\\nThe function DH_check() performs various checks on DH parameters. After fixing\\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\\nan overly long computation during some of these checks. A correct q value,\\nif present, cannot be larger than the modulus p parameter, thus it is\\nunnecessary to perform these checks if q is larger than p.\\n\\nAn application that calls DH_check() and supplies a key or parameters obtained\\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\\n\\nThe function DH_check() is itself called by a number of other OpenSSL functions.\\nAn application calling any of those other functions may similarly be affected.\\nThe other functions affected by this are DH_check_ex() and\\nEVP_PKEY_param_check().\\n\\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\\nwhen using the \\\"-check\\\" option.\\n\\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\\n\\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-3817\",\n \"versionConstraint\": \">= 3.0.0, < 3.0.10 || >= 3.1.0, < 3.1.2 || = 1.0.2 || = 1.0.2-beta1 || = 1.0.2-beta2 || = 1.0.2-beta3 || = 1.0.2a || = 1.0.2b || = 1.0.2c || = 1.0.2d || = 1.0.2e || = 1.0.2f || = 1.0.2g || = 1.0.2h || = 1.0.2i || = 1.0.2j || = 1.0.2k || = 1.0.2l || = 1.0.2m || = 1.0.2n || = 1.0.2o || = 1.0.2p || = 1.0.2q || = 1.0.2r || = 1.0.2s || = 1.0.2t || = 1.0.2u || = 1.0.2v || = 1.0.2w || = 1.0.2x || = 1.0.2y || = 1.0.2za || = 1.0.2zb || = 1.0.2zc || = 1.0.2zd || = 1.0.2ze || = 1.0.2zf || = 1.0.2zg || = 1.0.2zh || = 1.1.1 || = 1.1.1-pre1 || = 1.1.1-pre2 || = 1.1.1-pre3 || = 1.1.1-pre4 || = 1.1.1-pre5 || = 1.1.1-pre6 || = 1.1.1-pre7 || = 1.1.1-pre8 || = 1.1.1-pre9 || = 1.1.1a || = 1.1.1b || = 1.1.1c || = 1.1.1d || = 1.1.1e || = 1.1.1f || = 1.1.1g || = 1.1.1h || = 1.1.1i || = 1.1.1j || = 1.1.1k || = 1.1.1l || = 1.1.1m || = 1.1.1n || = 1.1.1o || = 1.1.1p || = 1.1.1q || = 1.1.1r || = 1.1.1s || = 1.1.1t || = 1.1.1u (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-3817\",\n \"versionConstraint\": \">= 3.0.0, < 3.0.10 || >= 3.1.0, < 3.1.2 || = 1.0.2 || = 1.0.2-beta1 || = 1.0.2-beta2 || = 1.0.2-beta3 || = 1.0.2a || = 1.0.2b || = 1.0.2c || = 1.0.2d || = 1.0.2e || = 1.0.2f || = 1.0.2g || = 1.0.2h || = 1.0.2i || = 1.0.2j || = 1.0.2k || = 1.0.2l || = 1.0.2m || = 1.0.2n || = 1.0.2o || = 1.0.2p || = 1.0.2q || = 1.0.2r || = 1.0.2s || = 1.0.2t || = 1.0.2u || = 1.0.2v || = 1.0.2w || = 1.0.2x || = 1.0.2y || = 1.0.2za || = 1.0.2zb || = 1.0.2zc || = 1.0.2zd || = 1.0.2ze || = 1.0.2zf || = 1.0.2zg || = 1.0.2zh || = 1.1.1 || = 1.1.1-pre1 || = 1.1.1-pre2 || = 1.1.1-pre3 || = 1.1.1-pre4 || = 1.1.1-pre5 || = 1.1.1-pre6 || = 1.1.1-pre7 || = 1.1.1-pre8 || = 1.1.1-pre9 || = 1.1.1a || = 1.1.1b || = 1.1.1c || = 1.1.1d || = 1.1.1e || = 1.1.1f || = 1.1.1g || = 1.1.1h || = 1.1.1i || = 1.1.1j || = 1.1.1k || = 1.1.1l || = 1.1.1m || = 1.1.1n || = 1.1.1o || = 1.1.1p || = 1.1.1q || = 1.1.1r || = 1.1.1s || = 1.1.1t || = 1.1.1u (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-2650", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2023/05/30/1" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230703-0001/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231027-0009/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230530.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-2650 in golang:1.12-alpine", + "id": "Grype/CVE-2023-2650", + "desc": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-2650\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-2650\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2023/05/30/1\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html\",\n \"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20230703-0001/\",\n \"https://security.netapp.com/advisory/ntap-20231027-0009/\",\n \"https://www.debian.org/security/2023/dsa-5417\",\n \"https://www.openssl.org/news/secadv/20230530.txt\"\n ],\n \"description\": \"Issue summary: Processing some specially crafted ASN.1 object identifiers or\\ndata containing them may be very slow.\\n\\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\\nsize limit may experience notable to very long delays when processing those\\nmessages, which may lead to a Denial of Service.\\n\\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\\nperiods.\\n\\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\\nof KiBs), the translation to a decimal number in text may take a very long\\ntime. The time complexity is O(n^2) with 'n' being the size of the\\nsub-identifiers in bytes (*).\\n\\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\\nidentifiers in string form was introduced. This includes using OBJECT\\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\\nalgorithms.\\n\\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\\ndecrypt, or digest passed data.\\n\\nApplications that call OBJ_obj2txt() directly with untrusted data are\\naffected, with any version of OpenSSL. If the use is for the mere purpose\\nof display, the severity is considered low.\\n\\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\\ncertificates, including simple things like verifying its signature.\\n\\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\\n100KiB limit on the peer's certificate chain. Additionally, this only\\nimpacts clients, or servers that have explicitly enabled client\\nauthentication.\\n\\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\\nsuch as X.509 certificates. This is assumed to not happen in such a way\\nthat it would cause a Denial of Service, so these versions are considered\\nnot affected by this issue in such a way that it would be cause for concern,\\nand the severity is therefore considered low.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-2650\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-2650\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0466", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2023/09/28/4" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230414-0001/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230328.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0466 in golang:1.12-alpine", + "id": "Grype/CVE-2023-0466", + "desc": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0466\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0466\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2023/09/28/4\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20230414-0001/\",\n \"https://www.debian.org/security/2023/dsa-5417\",\n \"https://www.openssl.org/news/secadv/20230328.txt\"\n ],\n \"description\": \"The function X509_VERIFY_PARAM_add0_policy() is documented to\\nimplicitly enable the certificate policy check when doing certificate\\nverification. However the implementation of the function does not\\nenable the check which allows certificates with invalid or incorrect\\npolicies to pass the certificate verification.\\n\\nAs suddenly enabling the policy check could break existing deployments it was\\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\\nfunction.\\n\\nInstead the applications that require OpenSSL to perform certificate\\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\\nthe X509_V_FLAG_POLICY_CHECK flag argument.\\n\\nCertificate policy checks are disabled by default in OpenSSL and are not\\ncommonly used by applications.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0466\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0466\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0465", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230414-0001/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230328.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0465 in golang:1.12-alpine", + "id": "Grype/CVE-2023-0465", + "desc": "Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0465\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0465\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20230414-0001/\",\n \"https://www.debian.org/security/2023/dsa-5417\",\n \"https://www.openssl.org/news/secadv/20230328.txt\"\n ],\n \"description\": \"Applications that use a non-default option when verifying certificates may be\\nvulnerable to an attack from a malicious CA to circumvent certain checks.\\n\\nInvalid certificate policies in leaf certificates are silently ignored by\\nOpenSSL and other certificate policy checks are skipped for that certificate.\\nA malicious CA could use this to deliberately assert invalid certificate policies\\nin order to circumvent policy checking on the certificate altogether.\\n\\nPolicy processing is disabled by default but can be enabled by passing\\nthe `-policy' argument to the command line utilities or by calling the\\n`X509_VERIFY_PARAM_set1_policies()' function.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0465\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0465\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-4304", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-4304 in golang:1.12-alpine", + "id": "Grype/CVE-2022-4304", + "desc": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.\n\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-4304\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-4304\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://www.openssl.org/news/secadv/20230207.txt\"\n ],\n \"description\": \"A timing based side channel exists in the OpenSSL RSA Decryption implementation\\nwhich could be sufficient to recover a plaintext across a network in a\\nBleichenbacher style attack. To achieve a successful decryption an attacker\\nwould have to be able to send a very large number of trial messages for\\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\\nRSA-OEAP and RSASVE.\\n\\nFor example, in a TLS connection, RSA is commonly used by a client to send an\\nencrypted pre-master secret to the server. An attacker that had observed a\\ngenuine connection between a client and a server could use this flaw to send\\ntrial messages to the server and record the time taken to process them. After a\\nsufficiently large number of messages the attacker could recover the pre-master\\nsecret used for the original connection and thus be able to decrypt the\\napplication data sent over that connection.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-4304\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-4304\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-2097", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220715-0011/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230420-0008/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5343" + }, + { + "url": "https://www.openssl.org/news/secadv/20220705.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-2097 in golang:1.12-alpine", + "id": "Grype/CVE-2022-2097", + "desc": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-2097\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-2097\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93\",\n \"https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20220715-0011/\",\n \"https://security.netapp.com/advisory/ntap-20230420-0008/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2023/dsa-5343\",\n \"https://www.openssl.org/news/secadv/20220705.txt\"\n ],\n \"description\": \"AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \\\"in place\\\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-2097\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1q || >= 3.0.0, < 3.0.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-2097\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1q || >= 3.0.0, < 3.0.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-4160", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3bf7b73ea7123045b8f972badc67ed6878e6c37f" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6fc1aaaf303185aa5e483e06bdfae16daa9193a7" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5103" + }, + { + "url": "https://www.openssl.org/news/secadv/20220128.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-4160 in golang:1.12-alpine", + "id": "Grype/CVE-2021-4160", + "desc": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-4160\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-4160\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3bf7b73ea7123045b8f972badc67ed6878e6c37f\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6fc1aaaf303185aa5e483e06bdfae16daa9193a7\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2022/dsa-5103\",\n \"https://www.openssl.org/news/secadv/20220128.txt\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n ],\n \"description\": \"There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2021-4160\",\n \"versionConstraint\": \">= 1.0.2, <= 1.0.2zb || >= 1.1.1, < 1.1.1m || = 3.0.0 || = 3.0.0-alpha1 || = 3.0.0-alpha10 || = 3.0.0-alpha11 || = 3.0.0-alpha12 || = 3.0.0-alpha13 || = 3.0.0-alpha14 || = 3.0.0-alpha15 || = 3.0.0-alpha16 || = 3.0.0-alpha17 || = 3.0.0-alpha2 || = 3.0.0-alpha3 || = 3.0.0-alpha4 || = 3.0.0-alpha5 || = 3.0.0-alpha6 || = 3.0.0-alpha7 || = 3.0.0-alpha8 || = 3.0.0-alpha9 || = 3.0.0-beta1 || = 3.0.0-beta2 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2021-4160\",\n \"versionConstraint\": \">= 1.0.2, <= 1.0.2zb || >= 1.1.1, < 1.1.1m || = 3.0.0 || = 3.0.0-alpha1 || = 3.0.0-alpha10 || = 3.0.0-alpha11 || = 3.0.0-alpha12 || = 3.0.0-alpha13 || = 3.0.0-alpha14 || = 3.0.0-alpha15 || = 3.0.0-alpha16 || = 3.0.0-alpha17 || = 3.0.0-alpha2 || = 3.0.0-alpha3 || = 3.0.0-alpha4 || = 3.0.0-alpha5 || = 3.0.0-alpha6 || = 3.0.0-alpha7 || = 3.0.0-alpha8 || = 3.0.0-alpha9 || = 3.0.0-beta1 || = 3.0.0-beta2 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3449", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1k-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3449" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/27/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/27/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/28/3" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/28/4" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013" + }, + { + "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc" + }, + { + "url": "https://security.gentoo.org/glsa/202103-03" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210326-0006/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210513-0002/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4875" + }, + { + "url": "https://www.openssl.org/news/secadv/20210325.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-05" + }, + { + "url": "https://www.tenable.com/security/tns-2021-06" + }, + { + "url": "https://www.tenable.com/security/tns-2021-09" + }, + { + "url": "https://www.tenable.com/security/tns-2021-10" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3449 in golang:1.12-alpine", + "id": "Grype/CVE-2021-3449", + "desc": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3449\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-3449\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-3449\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1k-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3449\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3449\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/03/27/1\",\n \"http://www.openwall.com/lists/oss-security/2021/03/27/2\",\n \"http://www.openwall.com/lists/oss-security/2021/03/28/3\",\n \"http://www.openwall.com/lists/oss-security/2021/03/28/4\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845\",\n \"https://kc.mcafee.com/corporate/index?page=content&id=SB10356\",\n \"https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/\",\n \"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013\",\n \"https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc\",\n \"https://security.gentoo.org/glsa/202103-03\",\n \"https://security.netapp.com/advisory/ntap-20210326-0006/\",\n \"https://security.netapp.com/advisory/ntap-20210513-0002/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd\",\n \"https://www.debian.org/security/2021/dsa-4875\",\n \"https://www.openssl.org/news/secadv/20210325.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-05\",\n \"https://www.tenable.com/security/tns-2021-06\",\n \"https://www.tenable.com/security/tns-2021-09\",\n \"https://www.tenable.com/security/tns-2021-10\"\n ],\n \"description\": \"An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1k-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3449\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1k-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3449\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-23841", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1j-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-23841" + }, + { + "url": "http://seclists.org/fulldisclosure/2021/May/67" + }, + { + "url": "http://seclists.org/fulldisclosure/2021/May/68" + }, + { + "url": "http://seclists.org/fulldisclosure/2021/May/70" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846" + }, + { + "url": "https://security.gentoo.org/glsa/202103-03" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210219-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210513-0002/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://support.apple.com/kb/HT212528" + }, + { + "url": "https://support.apple.com/kb/HT212529" + }, + { + "url": "https://support.apple.com/kb/HT212534" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4855" + }, + { + "url": "https://www.openssl.org/news/secadv/20210216.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-03" + }, + { + "url": "https://www.tenable.com/security/tns-2021-09" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-23841 in golang:1.12-alpine", + "id": "Grype/CVE-2021-23841", + "desc": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-23841\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-23841\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-23841\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1j-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-23841\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23841\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://seclists.org/fulldisclosure/2021/May/67\",\n \"http://seclists.org/fulldisclosure/2021/May/68\",\n \"http://seclists.org/fulldisclosure/2021/May/70\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846\",\n \"https://security.gentoo.org/glsa/202103-03\",\n \"https://security.netapp.com/advisory/ntap-20210219-0009/\",\n \"https://security.netapp.com/advisory/ntap-20210513-0002/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://support.apple.com/kb/HT212528\",\n \"https://support.apple.com/kb/HT212529\",\n \"https://support.apple.com/kb/HT212534\",\n \"https://www.debian.org/security/2021/dsa-4855\",\n \"https://www.openssl.org/news/secadv/20210216.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-03\",\n \"https://www.tenable.com/security/tns-2021-09\"\n ],\n \"description\": \"The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23841\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23841\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-1971", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1i-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-1971" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/09/14/2" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676" + }, + { + "url": "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/" + }, + { + "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc" + }, + { + "url": "https://security.gentoo.org/glsa/202012-13" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20201218-0005/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210513-0002/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4807" + }, + { + "url": "https://www.openssl.org/news/secadv/20201208.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2020-11" + }, + { + "url": "https://www.tenable.com/security/tns-2021-09" + }, + { + "url": "https://www.tenable.com/security/tns-2021-10" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-1971 in golang:1.12-alpine", + "id": "Grype/CVE-2020-1971", + "desc": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-1971\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2020-1971\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2020-1971\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1i-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-1971\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-1971\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/09/14/2\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676\",\n \"https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E\",\n \"https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html\",\n \"https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/\",\n \"https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc\",\n \"https://security.gentoo.org/glsa/202012-13\",\n \"https://security.netapp.com/advisory/ntap-20201218-0005/\",\n \"https://security.netapp.com/advisory/ntap-20210513-0002/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2020/dsa-4807\",\n \"https://www.openssl.org/news/secadv/20201208.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujan2021.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2020-11\",\n \"https://www.tenable.com/security/tns-2021-09\",\n \"https://www.tenable.com/security/tns-2021-10\"\n ],\n \"description\": \"The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \\\"-crl_download\\\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1i-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-1971\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1i-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-1971\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-23839", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1j-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-23839" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210219-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.openssl.org/news/secadv/20210216.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-23839 in golang:1.12-alpine", + "id": "Grype/CVE-2021-23839", + "desc": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-23839\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-23839\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-23839\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1j-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-23839\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23839\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846\",\n \"https://security.netapp.com/advisory/ntap-20210219-0009/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.openssl.org/news/secadv/20210216.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n ],\n \"description\": \"OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.7,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23839\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23839\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-2511", + "severity": "Unknown" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/04/08/5" + }, + { + "url": "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce" + }, + { + "url": "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d" + }, + { + "url": "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240503-0013/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240408.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-2511 in golang:1.12-alpine", + "id": "Grype/CVE-2024-2511", + "desc": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-2511\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-2511\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/04/08/5\",\n \"https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce\",\n \"https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d\",\n \"https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08\",\n \"https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640\",\n \"https://security.netapp.com/advisory/ntap-20240503-0013/\",\n \"https://www.openssl.org/news/secadv/20240408.txt\"\n ],\n \"description\": \"Issue summary: Some non-default TLS server configurations can cause unbounded\\nmemory growth when processing TLSv1.3 sessions\\n\\nImpact summary: An attacker may exploit certain server configurations to trigger\\nunbounded memory growth that would lead to a Denial of Service\\n\\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\\nbeing used (but not if early_data support is also configured and the default\\nanti-replay protection is in use). In this case, under certain conditions, the\\nsession cache can get into an incorrect state and it will fail to flush properly\\nas it fills. The session cache will continue to grow in an unbounded manner. A\\nmalicious client could deliberately create the scenario for this failure to\\nforce a Denial of Service. It may also happen by accident in normal operation.\\n\\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\\nclients.\\n\\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\\n1.0.2 is also not affected by this issue.\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-2511\",\n \"versionConstraint\": \">= 3.2.0, < 3.2.2 || >= 3.1.0, < 3.1.6 || >= 3.0.0, < 3.0.14 || >= 1.1.1, < 1.1.1y (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-2511\",\n \"versionConstraint\": \">= 3.2.0, < 3.2.2 || >= 3.1.0, < 3.1.6 || >= 3.0.0, < 3.0.14 || >= 1.1.1, < 1.1.1y (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-28928", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.24-r3", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-28928" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2020/11/20/4" + }, + { + "url": "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/" + }, + { + "url": "https://musl.libc.org/releases.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-28928 in golang:1.12-alpine", + "id": "Grype/CVE-2020-28928", + "desc": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-28928\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2020-28928\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2020-28928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.24-r3\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-28928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2020/11/20/4\",\n \"https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E\",\n \"https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E\",\n \"https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E\",\n \"https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/\",\n \"https://musl.libc.org/releases.html\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n ],\n \"description\": \"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"musl\",\n \"version\": \"1.1.24-r0\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.24-r3 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-28928\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"musl\",\n \"version\": \"1.1.24-r0\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.24-r3 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-28928\"\n }\n }\n]", + "message": "{\n \"id\": \"8d33328810d23c5f\",\n \"name\": \"musl\",\n \"version\": \"1.1.24-r0\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"MIT\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:musl-libc:musl:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl_libc:musl:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl:musl:1.1.24-r0:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/musl@1.1.24-r0?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"musl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/ld-musl-aarch64.so.1\"\n },\n {\n \"path\": \"/lib/libc.musl-aarch64.so.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"musl\",\n \"version\": \"1.1.24-r0\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.24-r3 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-28928\"\n }\n }\n]", + "message": "{\n \"id\": \"e94d81063c43dac8\",\n \"name\": \"musl-utils\",\n \"version\": \"1.1.24-r0\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD\",\n \"GPL2+\",\n \"MIT\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:musl-utils:musl-utils:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl-utils:musl_utils:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl_utils:musl-utils:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl_utils:musl_utils:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl:musl-utils:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl:musl_utils:1.1.24-r0:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/musl-utils@1.1.24-r0?arch=aarch64&upstream=musl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"musl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/sbin/ldconfig\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ldd\"\n },\n {\n \"path\": \"/usr/bin/getconf\"\n },\n {\n \"path\": \"/usr/bin/iconv\"\n },\n {\n \"path\": \"/usr/bin/getent\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-45853", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/01/24/10" + }, + { + "url": "https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356" + }, + { + "url": "https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" + }, + { + "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4" + }, + { + "url": "https://github.com/madler/zlib/pull/843" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" + }, + { + "url": "https://pypi.org/project/pyminizip/#history" + }, + { + "url": "https://security.gentoo.org/glsa/202401-18" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" + }, + { + "url": "https://www.winimage.com/zLibDll/minizip.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-45853 in golang:1.12-alpine", + "id": "Grype/CVE-2023-45853", + "desc": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-45853\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-45853\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2023/10/20/9\",\n \"http://www.openwall.com/lists/oss-security/2024/01/24/10\",\n \"https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356\",\n \"https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61\",\n \"https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4\",\n \"https://github.com/madler/zlib/pull/843\",\n \"https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html\",\n \"https://pypi.org/project/pyminizip/#history\",\n \"https://security.gentoo.org/glsa/202401-18\",\n \"https://security.netapp.com/advisory/ntap-20231130-0009/\",\n \"https://www.winimage.com/zLibDll/minizip.html\"\n ],\n \"description\": \"MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-45853\",\n \"versionConstraint\": \"< 1.3.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"0551e4487bec111c\",\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Zlib\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"zlib\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libz.so.1\"\n },\n {\n \"path\": \"/lib/libz.so.1.2.11\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-37434", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.2.11-r4", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-37434" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/Oct/37" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/Oct/38" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/Oct/41" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/Oct/42" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/08/05/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/08/09/1" + }, + { + "url": "https://github.com/curl/curl/issues/9271" + }, + { + "url": "https://github.com/ivd38/zlib_overflow" + }, + { + "url": "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063" + }, + { + "url": "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1" + }, + { + "url": "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220901-0005/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230427-0007/" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://support.apple.com/kb/HT213489" + }, + { + "url": "https://support.apple.com/kb/HT213490" + }, + { + "url": "https://support.apple.com/kb/HT213491" + }, + { + "url": "https://support.apple.com/kb/HT213493" + }, + { + "url": "https://support.apple.com/kb/HT213494" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5218" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-37434 in golang:1.12-alpine", + "id": "Grype/CVE-2022-37434", + "desc": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-37434\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2022-37434\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2022-37434\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.2.11-r4\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-37434\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-37434\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://seclists.org/fulldisclosure/2022/Oct/37\",\n \"http://seclists.org/fulldisclosure/2022/Oct/38\",\n \"http://seclists.org/fulldisclosure/2022/Oct/41\",\n \"http://seclists.org/fulldisclosure/2022/Oct/42\",\n \"http://www.openwall.com/lists/oss-security/2022/08/05/2\",\n \"http://www.openwall.com/lists/oss-security/2022/08/09/1\",\n \"https://github.com/curl/curl/issues/9271\",\n \"https://github.com/ivd38/zlib_overflow\",\n \"https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063\",\n \"https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1\",\n \"https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764\",\n \"https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/\",\n \"https://security.netapp.com/advisory/ntap-20220901-0005/\",\n \"https://security.netapp.com/advisory/ntap-20230427-0007/\",\n \"https://support.apple.com/kb/HT213488\",\n \"https://support.apple.com/kb/HT213489\",\n \"https://support.apple.com/kb/HT213490\",\n \"https://support.apple.com/kb/HT213491\",\n \"https://support.apple.com/kb/HT213493\",\n \"https://support.apple.com/kb/HT213494\",\n \"https://www.debian.org/security/2022/dsa-5218\"\n ],\n \"description\": \"zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.2.11-r4 (apk)\",\n \"vulnerabilityID\": \"CVE-2022-37434\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.2.11-r4 (apk)\",\n \"vulnerabilityID\": \"CVE-2022-37434\"\n }\n }\n]", + "message": "{\n \"id\": \"0551e4487bec111c\",\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Zlib\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"zlib\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libz.so.1\"\n },\n {\n \"path\": \"/lib/libz.so.1.2.11\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-25032", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/May/38" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/03/25/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/03/26/1" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf" + }, + { + "url": "https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531" + }, + { + "url": "https://github.com/madler/zlib/compare/v1.2.11...v1.2.12" + }, + { + "url": "https://github.com/madler/zlib/issues/605" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/" + }, + { + "url": "https://security.gentoo.org/glsa/202210-42" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220526-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220729-0004/" + }, + { + "url": "https://support.apple.com/kb/HT213255" + }, + { + "url": "https://support.apple.com/kb/HT213256" + }, + { + "url": "https://support.apple.com/kb/HT213257" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5111" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/03/24/1" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/03/28/1" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/03/28/3" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-25032 in golang:1.12-alpine", + "id": "Grype/CVE-2018-25032", + "desc": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-25032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-25032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://seclists.org/fulldisclosure/2022/May/33\",\n \"http://seclists.org/fulldisclosure/2022/May/35\",\n \"http://seclists.org/fulldisclosure/2022/May/38\",\n \"http://www.openwall.com/lists/oss-security/2022/03/25/2\",\n \"http://www.openwall.com/lists/oss-security/2022/03/26/1\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf\",\n \"https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531\",\n \"https://github.com/madler/zlib/compare/v1.2.11...v1.2.12\",\n \"https://github.com/madler/zlib/issues/605\",\n \"https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html\",\n \"https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html\",\n \"https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/\",\n \"https://security.gentoo.org/glsa/202210-42\",\n \"https://security.netapp.com/advisory/ntap-20220526-0009/\",\n \"https://security.netapp.com/advisory/ntap-20220729-0004/\",\n \"https://support.apple.com/kb/HT213255\",\n \"https://support.apple.com/kb/HT213256\",\n \"https://support.apple.com/kb/HT213257\",\n \"https://www.debian.org/security/2022/dsa-5111\",\n \"https://www.openwall.com/lists/oss-security/2022/03/24/1\",\n \"https://www.openwall.com/lists/oss-security/2022/03/28/1\",\n \"https://www.openwall.com/lists/oss-security/2022/03/28/3\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n ],\n \"description\": \"zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2018-25032\",\n \"versionConstraint\": \"< 1.2.12 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"0551e4487bec111c\",\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Zlib\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"zlib\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libz.so.1\"\n },\n {\n \"path\": \"/lib/libz.so.1.2.11\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + } + ], + "sha256": "ea1f2402024ada0c5f9e9638e16db526956e7a6bdfecce199c5d0beb869a2c2a" + } + ], + "passthrough": { + "auxiliary_data": [ + { + "name": "", + "data": {} + } + ] + } +} \ No newline at end of file diff --git a/test/sample_data/anchoregrype/anchore-grype-withraw.json b/test/sample_data/anchoregrype/anchore-grype-withraw.json new file mode 100644 index 000000000..f00ddea6a --- /dev/null +++ b/test/sample_data/anchoregrype/anchore-grype-withraw.json @@ -0,0 +1,17382 @@ +{ + "platform": { + "name": "Heimdall Tools", + "release": "2.10.15", + "target_id": null + }, + "version": "2.10.15", + "statistics": { + "duration": null + }, + "profiles": [ + { + "name": "Anchore - Grype", + "title": "Anchore Grype Matches", + "version": "0.79.3", + "maintainer": null, + "summary": null, + "license": null, + "copyright": null, + "copyright_email": null, + "supports": [], + "attributes": [], + "depends": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-36159", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 2.10.7-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-36159" + }, + { + "url": "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch" + }, + { + "url": "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749" + }, + { + "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-36159 in golang:1.12-alpine", + "id": "Grype/CVE-2021-36159", + "desc": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-36159\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-36159\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-36159\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"2.10.7-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-36159\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-36159\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch\",\n \"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749\",\n \"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E\"\n ],\n \"description\": \"libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\\\0' terminator one byte too late.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 10,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 2.10.7-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-36159\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 2.10.7-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-36159\"\n }\n }\n]", + "message": "{\n \"id\": \"1acb8fe52f3da542\",\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:apk-tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk-tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk_tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk_tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/apk-tools@2.10.4-r3?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"apk-tools\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/apk\"\n },\n {\n \"path\": \"/etc/apk/keys\"\n },\n {\n \"path\": \"/etc/apk/protected_paths.d\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/sbin/apk\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/apk\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-30139", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 2.10.6-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-30139" + }, + { + "url": "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10741" + }, + { + "url": "https://gitlab.alpinelinux.org/alpine/aports/-/issues/12606" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-30139 in golang:1.12-alpine", + "id": "Grype/CVE-2021-30139", + "desc": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-30139\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-30139\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-30139\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"2.10.6-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-30139\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-30139\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10741\",\n \"https://gitlab.alpinelinux.org/alpine/aports/-/issues/12606\"\n ],\n \"description\": \"In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 2.10.6-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-30139\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 2.10.6-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-30139\"\n }\n }\n]", + "message": "{\n \"id\": \"1acb8fe52f3da542\",\n \"name\": \"apk-tools\",\n \"version\": \"2.10.4-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:apk-tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk-tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk_tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk_tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk:apk-tools:2.10.4-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:apk:apk_tools:2.10.4-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/apk-tools@2.10.4-r3?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"apk-tools\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/apk\"\n },\n {\n \"path\": \"/etc/apk/keys\"\n },\n {\n \"path\": \"/etc/apk/protected_paths.d\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/sbin/apk\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/apk\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48174", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://bugs.busybox.net/show_bug.cgi?id=15216" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48174 in golang:1.12-alpine", + "id": "Grype/CVE-2022-48174", + "desc": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48174\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48174\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://bugs.busybox.net/show_bug.cgi?id=15216\"\n ],\n \"description\": \"There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-48174\",\n \"versionConstraint\": \"< 1.35.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-48174\",\n \"versionConstraint\": \"< 1.35.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-28391", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch" + }, + { + "url": "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch" + }, + { + "url": "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-28391 in golang:1.12-alpine", + "id": "Grype/CVE-2022-28391", + "desc": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-28391\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-28391\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch\",\n \"https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch\",\n \"https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661\"\n ],\n \"description\": \"BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.8,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-28391\",\n \"versionConstraint\": \"<= 1.35.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-28391\",\n \"versionConstraint\": \"<= 1.35.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42386", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42386" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42386 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42386", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42386\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42386\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42386\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42386\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42386\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42386\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42386\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42386\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42385", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42385" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42385 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42385", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42385\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42385\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42385\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42385\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42385\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42385\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42385\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42385\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42384", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42384" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42384 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42384", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42384\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42384\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42384\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42384\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42384\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42384\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42384\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42384\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42383", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42383" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42383 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42383", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42383\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42383\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42383\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42383\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42383\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42383\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42383\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42383\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42382", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42382" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42382 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42382", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42382\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42382\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42382\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42382\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42382\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42382\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42382\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42382\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42381", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42381" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42381 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42381", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42381\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42381\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42381\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42381\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42381\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42381\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42381\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42381\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42380", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42380" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42380 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42380", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42380\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42380\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42380\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42380\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42380\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42380\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42380\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42380\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42379", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42379" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42379 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42379", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42379\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42379\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42379\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42379\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42379\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42379\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42379\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42379\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42378", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42378" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42378 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42378", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42378\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42378\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42378\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42378\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42378\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 8,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42378\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42378\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42378\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-28831", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r10", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-28831" + }, + { + "url": "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/" + }, + { + "url": "https://security.gentoo.org/glsa/202105-09" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-28831 in golang:1.12-alpine", + "id": "Grype/CVE-2021-28831", + "desc": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-28831\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-28831\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-28831\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r10\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-28831\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-28831\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd\",\n \"https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/\",\n \"https://security.gentoo.org/glsa/202105-09\"\n ],\n \"description\": \"decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"cve@mitre.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r10 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-28831\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r10 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-28831\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r10 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-28831\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-42374", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.31.1-r11", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-42374" + }, + { + "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" + }, + { + "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-42374 in golang:1.12-alpine", + "id": "Grype/CVE-2021-42374", + "desc": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-42374\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-42374\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-42374\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.31.1-r11\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-42374\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-42374\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog\",\n \"https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/\",\n \"https://security.netapp.com/advisory/ntap-20211223-0002/\"\n ],\n \"description\": \"An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:M/Au:N/C:P/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 3.4,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42374\"\n }\n },\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42374\"\n }\n }\n]", + "message": "{\n \"id\": \"112f3151bd878ae5\",\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/bin\"\n },\n {\n \"path\": \"/bin/sh\"\n },\n {\n \"path\": \"/bin/busybox\"\n },\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/udhcpd.conf\"\n },\n {\n \"path\": \"/etc/securetty\"\n },\n {\n \"path\": \"/etc/network\"\n },\n {\n \"path\": \"/etc/network/if-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-down.d\"\n },\n {\n \"path\": \"/etc/network/if-post-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d\"\n },\n {\n \"path\": \"/etc/network/if-up.d/dad\"\n },\n {\n \"path\": \"/etc/network/if-pre-down.d\"\n },\n {\n \"path\": \"/etc/network/if-pre-up.d\"\n },\n {\n \"path\": \"/etc/logrotate.d\"\n },\n {\n \"path\": \"/etc/logrotate.d/acpid\"\n },\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/tmp\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/sbin\"\n },\n {\n \"path\": \"/usr/share\"\n },\n {\n \"path\": \"/usr/share/udhcpc\"\n },\n {\n \"path\": \"/usr/share/udhcpc/default.script\"\n },\n {\n \"path\": \"/var\"\n },\n {\n \"path\": \"/var/lib\"\n },\n {\n \"path\": \"/var/lib/udhcpd\"\n },\n {\n \"path\": \"/var/cache\"\n },\n {\n \"path\": \"/var/cache/misc\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"busybox\",\n \"version\": \"1.31.1-r9\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.31.1-r11 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-42374\"\n }\n }\n]", + "message": "{\n \"id\": \"c2fec4fd671237bc\",\n \"name\": \"ssl_client\",\n \"version\": \"1.31.1-r9\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2.0-only\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"busybox\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ssl_client\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-5535", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/27/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4" + }, + { + "url": "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37" + }, + { + "url": "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e" + }, + { + "url": "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c" + }, + { + "url": "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240712-0005/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240627.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-5535 in golang:1.12-alpine", + "id": "Grype/CVE-2024-5535", + "desc": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-5535\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-5535\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/27/1\",\n \"http://www.openwall.com/lists/oss-security/2024/06/28/4\",\n \"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37\",\n \"https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e\",\n \"https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c\",\n \"https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87\",\n \"https://security.netapp.com/advisory/ntap-20240712-0005/\",\n \"https://www.openssl.org/news/secadv/20240627.txt\"\n ],\n \"description\": \"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\\nempty supported client protocols buffer may cause a crash or memory contents to\\nbe sent to the peer.\\n\\nImpact summary: A buffer overread can have a range of potential consequences\\nsuch as unexpected application beahviour or a crash. In particular this issue\\ncould result in up to 255 bytes of arbitrary private data from memory being sent\\nto the peer leading to a loss of confidentiality. However, only applications\\nthat directly call the SSL_select_next_proto function with a 0 length list of\\nsupported client protocols are affected by this issue. This would normally never\\nbe a valid scenario and is typically not under attacker control but may occur by\\naccident in the case of a configuration or programming error in the calling\\napplication.\\n\\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\\n(Next Protocol Negotiation). NPN is older, was never standardised and\\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\\nprotocols from the server and a list of protocols from the client and returns\\nthe first protocol that appears in the server list that also appears in the\\nclient list. In the case of no overlap between the two lists it returns the\\nfirst item in the client list. In either case it will signal whether an overlap\\nbetween the two lists was found. In the case where SSL_select_next_proto is\\ncalled with a zero length client list it fails to notice this condition and\\nreturns the memory immediately following the client list pointer (and reports\\nthat there was no overlap in the lists).\\n\\nThis function is typically called from a server side application callback for\\nALPN or a client side application callback for NPN. In the case of ALPN the list\\nof protocols supplied by the client is guaranteed by libssl to never be zero in\\nlength. The list of server protocols comes from the application and should never\\nnormally be expected to be of zero length. In this case if the\\nSSL_select_next_proto function has been called as expected (with the list\\nsupplied by the client passed in the client/client_len parameters), then the\\napplication will not be vulnerable to this issue. If the application has\\naccidentally been configured with a zero length server list, and has\\naccidentally passed that zero length server list in the client/client_len\\nparameters, and has additionally failed to correctly handle a \\\"no overlap\\\"\\nresponse (which would normally result in a handshake failure in ALPN) then it\\nwill be vulnerable to this problem.\\n\\nIn the case of NPN, the protocol permits the client to opportunistically select\\na protocol when there is no overlap. OpenSSL returns the first client protocol\\nin the no overlap case in support of this. The list of client protocols comes\\nfrom the application and should never normally be expected to be of zero length.\\nHowever if the SSL_select_next_proto function is accidentally called with a\\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\\napplication uses this output as the opportunistic protocol then the loss of\\nconfidentiality will occur.\\n\\nThis issue has been assessed as Low severity because applications are most\\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\\nwidely used. It also requires an application configuration or programming error.\\nFinally, this issue would not typically be under attacker control making active\\nexploitation unlikely.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\\n\\nDue to the low severity of this issue we are not issuing new releases of\\nOpenSSL at this time. The fix will be included in the next releases when they\\nbecome available.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-5535\",\n \"versionConstraint\": \">= 3.3.0, < 3.3.2 || >= 3.2.0, < 3.2.3 || >= 3.1.0, < 3.1.7 || >= 3.0.0, < 3.0.15 || >= 1.1.1, < 1.1.1za || >= 1.0.2, < 1.0.2zk (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-5535\",\n \"versionConstraint\": \">= 3.3.0, < 3.3.2 || >= 3.2.0, < 3.2.3 || >= 3.1.0, < 3.1.7 || >= 3.0.0, < 3.0.15 || >= 1.1.1, < 1.1.1za || >= 1.0.2, < 1.0.2zk (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-2068", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220707-0008/" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5169" + }, + { + "url": "https://www.openssl.org/news/secadv/20220621.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-2068 in golang:1.12-alpine", + "id": "Grype/CVE-2022-2068", + "desc": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-2068\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-2068\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/\",\n \"https://security.netapp.com/advisory/ntap-20220707-0008/\",\n \"https://www.debian.org/security/2022/dsa-5169\",\n \"https://www.openssl.org/news/secadv/20220621.txt\"\n ],\n \"description\": \"In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 10,\n \"exploitabilityScore\": 10,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-2068\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zf || >= 1.1.1, < 1.1.1p || >= 3.0.0, < 3.0.4 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-2068\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zf || >= 1.1.1, < 1.1.1p || >= 3.0.0, < 3.0.4 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-1292", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220602-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220729-0004/" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5139" + }, + { + "url": "https://www.openssl.org/news/secadv/20220503.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-1292 in golang:1.12-alpine", + "id": "Grype/CVE-2022-1292", + "desc": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-1292\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-1292\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23\",\n \"https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/\",\n \"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20220602-0009/\",\n \"https://security.netapp.com/advisory/ntap-20220729-0004/\",\n \"https://www.debian.org/security/2022/dsa-5139\",\n \"https://www.openssl.org/news/secadv/20220503.txt\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n ],\n \"description\": \"The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 10,\n \"exploitabilityScore\": 10,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-1292\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2ze || >= 1.1.1, < 1.1.1o || >= 3.0.0, < 3.0.3 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-1292\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2ze || >= 1.1.1, < 1.1.1o || >= 3.0.0, < 3.0.3 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3711", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1l-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3711" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/08/26/2" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46" + }, + { + "url": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://security.gentoo.org/glsa/202209-02" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210827-0010/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20211022-0003/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4963" + }, + { + "url": "https://www.openssl.org/news/secadv/20210824.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-16" + }, + { + "url": "https://www.tenable.com/security/tns-2022-02" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3711 in golang:1.12-alpine", + "id": "Grype/CVE-2021-3711", + "desc": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3711\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-3711\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-3711\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1l-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3711\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3711\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/08/26/2\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46\",\n \"https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E\",\n \"https://security.gentoo.org/glsa/202209-02\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20210827-0010/\",\n \"https://security.netapp.com/advisory/ntap-20211022-0003/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2021/dsa-4963\",\n \"https://www.openssl.org/news/secadv/20210824.txt\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujan2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-16\",\n \"https://www.tenable.com/security/tns-2022-02\"\n ],\n \"description\": \"In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \\\"out\\\" parameter can be NULL and, on exit, the \\\"outlen\\\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \\\"out\\\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1l-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3711\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1l-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3711\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-4807", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230921-0001/" + }, + { + "url": "https://www.openssl.org/news/secadv/20230908.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-4807 in golang:1.12-alpine", + "id": "Grype/CVE-2023-4807", + "desc": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-4807\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-4807\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff\",\n \"https://security.netapp.com/advisory/ntap-20230921-0001/\",\n \"https://www.openssl.org/news/secadv/20230908.txt\"\n ],\n \"description\": \"Issue summary: The POLY1305 MAC (message authentication code) implementation\\ncontains a bug that might corrupt the internal state of applications on the\\nWindows 64 platform when running on newer X86_64 processors supporting the\\nAVX512-IFMA instructions.\\n\\nImpact summary: If in an application that uses the OpenSSL library an attacker\\ncan influence whether the POLY1305 MAC algorithm is used, the application\\nstate might be corrupted with various application dependent consequences.\\n\\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\\nnot save the contents of non-volatile XMM registers on Windows 64 platform\\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\\nthe caller all the XMM registers are set to zero rather than restoring their\\nprevious content. The vulnerable code is used only on newer x86_64 processors\\nsupporting the AVX512-IFMA instructions.\\n\\nThe consequences of this kind of internal application state corruption can\\nbe various - from no consequences, if the calling application does not\\ndepend on the contents of non-volatile XMM registers at all, to the worst\\nconsequences, where the attacker could get complete control of the application\\nprocess. However given the contents of the registers are just zeroized so\\nthe attacker cannot put arbitrary values inside, the most likely consequence,\\nif any, would be an incorrect result of some application dependent\\ncalculations or a crash leading to a denial of service.\\n\\nThe POLY1305 MAC algorithm is most frequently used as part of the\\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\\ncipher is used by the server. This implies that server applications using\\nOpenSSL can be potentially impacted. However we are currently not aware of\\nany concrete application that would be affected by this issue therefore we\\nconsider this a Low severity security issue.\\n\\nAs a workaround the AVX512-IFMA instructions support can be disabled at\\nruntime by setting the environment variable OPENSSL_ia32cap:\\n\\n OPENSSL_ia32cap=:~0x200000\\n\\nThe FIPS provider is not affected by this issue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-4807\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1w || >= 3.0.0, < 3.0.11 || >= 3.1.0, < 3.1.3 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-4807\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1w || >= 3.0.0, < 3.0.11 || >= 3.1.0, < 3.1.3 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0464", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.couchbase.com/alerts/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230322.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0464 in golang:1.12-alpine", + "id": "Grype/CVE-2023-0464", + "desc": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0464\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0464\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.couchbase.com/alerts/\",\n \"https://www.debian.org/security/2023/dsa-5417\",\n \"https://www.openssl.org/news/secadv/20230322.txt\"\n ],\n \"description\": \"A security vulnerability has been identified in all supported versions\\n\\nof OpenSSL related to the verification of X.509 certificate chains\\nthat include policy constraints. Attackers may be able to exploit this\\nvulnerability by creating a malicious certificate chain that triggers\\nexponential use of computational resources, leading to a denial-of-service\\n(DoS) attack on affected systems.\\n\\nPolicy processing is disabled by default but can be enabled by passing\\nthe `-policy' argument to the command line utilities or by calling the\\n`X509_VERIFY_PARAM_set1_policies()' function.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0464\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0464\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0286", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt" + }, + { + "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0286 in golang:1.12-alpine", + "id": "Grype/CVE-2023-0286", + "desc": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0286\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0286\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt\",\n \"https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://www.openssl.org/news/secadv/20230207.txt\"\n ],\n \"description\": \"There is a type confusion vulnerability relating to X.400 address processing\\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\\nthe public structure definition for GENERAL_NAME incorrectly specified the type\\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\\nASN1_STRING.\\n\\nWhen CRL checking is enabled (i.e. the application sets the\\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\\narbitrary pointers to a memcmp call, enabling them to read memory contents or\\nenact a denial of service. In most cases, the attack requires the attacker to\\nprovide both the certificate chain and CRL, neither of which need to have a\\nvalid signature. If the attacker only controls one of these inputs, the other\\ninput must already contain an X.400 address as a CRL distribution point, which\\nis uncommon. As such, this vulnerability is most likely to only affect\\napplications which have implemented their own functionality for retrieving CRLs\\nover a network.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0286\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0286\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0215", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230427-0007/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230427-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0215 in golang:1.12-alpine", + "id": "Grype/CVE-2023-0215", + "desc": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0215\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0215\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20230427-0007/\",\n \"https://security.netapp.com/advisory/ntap-20230427-0009/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.openssl.org/news/secadv/20230207.txt\"\n ],\n \"description\": \"The public API function BIO_new_NDEF is a helper function used for streaming\\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\\nend user applications.\\n\\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\\nBIO onto the front of it to form a BIO chain, and then returns the new head of\\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\\nrecipient public key is invalid, the new filter BIO is freed and the function\\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\\nis not properly cleaned up and the BIO passed by the caller still retains\\ninternal pointers to the previously freed filter BIO. If the caller then goes on\\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\\nlikely result in a crash.\\n\\n\\n\\nThis scenario occurs directly in the internal function B64_write_ASN1() which\\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\\nthe BIO. This internal function is in turn called by the public API functions\\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\\n\\nOther public API functions that may be impacted by this include\\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\\ni2d_PKCS7_bio_stream.\\n\\nThe OpenSSL cms and smime command line applications are similarly affected.\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0215\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0215\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-4450", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-4450 in golang:1.12-alpine", + "id": "Grype/CVE-2022-4450", + "desc": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-4450\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-4450\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://www.openssl.org/news/secadv/20230207.txt\"\n ],\n \"description\": \"The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\\ndecodes the \\\"name\\\" (e.g. \\\"CERTIFICATE\\\"), any header data and the payload data.\\nIf the function succeeds then the \\\"name_out\\\", \\\"header\\\" and \\\"data\\\" arguments are\\npopulated with pointers to buffers containing the relevant decoded data. The\\ncaller is responsible for freeing those buffers. It is possible to construct a\\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\\nwill return a failure code but will populate the header argument with a pointer\\nto a buffer that has already been freed. If the caller also frees this buffer\\nthen a double free will occur. This will most likely lead to a crash. This\\ncould be exploited by an attacker who has the ability to supply malicious PEM\\nfiles for parsing to achieve a denial of service attack.\\n\\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\\nPEM_read_bio_ex() and therefore these functions are also directly affected.\\n\\nThese functions are also called indirectly by a number of other OpenSSL\\nfunctions including PEM_X509_INFO_read_bio_ex() and\\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\\nuses of these functions are not vulnerable because the caller does not free the\\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\\nOpenSSL 3.0.\\n\\nThe OpenSSL asn1parse command line application is also impacted by this issue.\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-4450\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-4450\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0778", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/May/38" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220321-0002/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220429-0005/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://support.apple.com/kb/HT213255" + }, + { + "url": "https://support.apple.com/kb/HT213256" + }, + { + "url": "https://support.apple.com/kb/HT213257" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5103" + }, + { + "url": "https://www.openssl.org/news/secadv/20220315.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://www.tenable.com/security/tns-2022-06" + }, + { + "url": "https://www.tenable.com/security/tns-2022-07" + }, + { + "url": "https://www.tenable.com/security/tns-2022-08" + }, + { + "url": "https://www.tenable.com/security/tns-2022-09" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0778 in golang:1.12-alpine", + "id": "Grype/CVE-2022-0778", + "desc": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0778\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0778\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html\",\n \"http://seclists.org/fulldisclosure/2022/May/33\",\n \"http://seclists.org/fulldisclosure/2022/May/35\",\n \"http://seclists.org/fulldisclosure/2022/May/38\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246\",\n \"https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html\",\n \"https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/\",\n \"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20220321-0002/\",\n \"https://security.netapp.com/advisory/ntap-20220429-0005/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://support.apple.com/kb/HT213255\",\n \"https://support.apple.com/kb/HT213256\",\n \"https://support.apple.com/kb/HT213257\",\n \"https://www.debian.org/security/2022/dsa-5103\",\n \"https://www.openssl.org/news/secadv/20220315.txt\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\",\n \"https://www.tenable.com/security/tns-2022-06\",\n \"https://www.tenable.com/security/tns-2022-07\",\n \"https://www.tenable.com/security/tns-2022-08\",\n \"https://www.tenable.com/security/tns-2022-09\"\n ],\n \"description\": \"The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-0778\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zd || >= 1.1.0, < 1.1.1n || >= 3.0.0, < 3.0.2 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-0778\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zd || >= 1.1.0, < 1.1.1n || >= 3.0.0, < 3.0.2 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3712", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1l-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3712" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/08/26/2" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366" + }, + { + "url": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html" + }, + { + "url": "https://security.gentoo.org/glsa/202209-02" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210827-0010/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4963" + }, + { + "url": "https://www.openssl.org/news/secadv/20210824.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-16" + }, + { + "url": "https://www.tenable.com/security/tns-2022-02" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3712 in golang:1.12-alpine", + "id": "Grype/CVE-2021-3712", + "desc": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3712\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-3712\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-3712\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1l-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3712\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3712\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/08/26/2\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12\",\n \"https://kc.mcafee.com/corporate/index?page=content&id=SB10366\",\n \"https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html\",\n \"https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html\",\n \"https://security.gentoo.org/glsa/202209-02\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20210827-0010/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2021/dsa-4963\",\n \"https://www.openssl.org/news/secadv/20210824.txt\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujan2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-16\",\n \"https://www.tenable.com/security/tns-2022-02\"\n ],\n \"description\": \"ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \\\"d2i\\\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \\\"data\\\" and \\\"length\\\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \\\"data\\\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5.8,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1l-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3712\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1l-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3712\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3450", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1k-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3450" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/27/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/27/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/28/3" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/28/4" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/" + }, + { + "url": "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013" + }, + { + "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc" + }, + { + "url": "https://security.gentoo.org/glsa/202103-03" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210326-0006/" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd" + }, + { + "url": "https://www.openssl.org/news/secadv/20210325.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-05" + }, + { + "url": "https://www.tenable.com/security/tns-2021-08" + }, + { + "url": "https://www.tenable.com/security/tns-2021-09" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3450 in golang:1.12-alpine", + "id": "Grype/CVE-2021-3450", + "desc": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3450\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-3450\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-3450\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1k-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3450\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3450\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/03/27/1\",\n \"http://www.openwall.com/lists/oss-security/2021/03/27/2\",\n \"http://www.openwall.com/lists/oss-security/2021/03/28/3\",\n \"http://www.openwall.com/lists/oss-security/2021/03/28/4\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845\",\n \"https://kc.mcafee.com/corporate/index?page=content&id=SB10356\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/\",\n \"https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html\",\n \"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013\",\n \"https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc\",\n \"https://security.gentoo.org/glsa/202103-03\",\n \"https://security.netapp.com/advisory/ntap-20210326-0006/\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd\",\n \"https://www.openssl.org/news/secadv/20210325.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-05\",\n \"https://www.tenable.com/security/tns-2021-08\",\n \"https://www.tenable.com/security/tns-2021-09\"\n ],\n \"description\": \"The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \\\"purpose\\\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \\\"purpose\\\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 5.8,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1k-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3450\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1k-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3450\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-23840", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1j-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-23840" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E" + }, + { + "url": "https://security.gentoo.org/glsa/202103-03" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210219-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4855" + }, + { + "url": "https://www.openssl.org/news/secadv/20210216.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-03" + }, + { + "url": "https://www.tenable.com/security/tns-2021-09" + }, + { + "url": "https://www.tenable.com/security/tns-2021-10" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-23840 in golang:1.12-alpine", + "id": "Grype/CVE-2021-23840", + "desc": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-23840\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-23840\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-23840\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1j-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-23840\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23840\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846\",\n \"https://kc.mcafee.com/corporate/index?page=content&id=SB10366\",\n \"https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E\",\n \"https://security.gentoo.org/glsa/202103-03\",\n \"https://security.netapp.com/advisory/ntap-20210219-0009/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2021/dsa-4855\",\n \"https://www.openssl.org/news/secadv/20210216.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujan2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-03\",\n \"https://www.tenable.com/security/tns-2021-09\",\n \"https://www.tenable.com/security/tns-2021-10\"\n ],\n \"description\": \"Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23840\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23840\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-1967", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1g-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-1967" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" + }, + { + "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/May/5" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" + }, + { + "url": "https://github.com/irsl/CVE-2020-1967" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" + }, + { + "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" + }, + { + "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" + }, + { + "url": "https://security.gentoo.org/glsa/202004-10" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4661" + }, + { + "url": "https://www.openssl.org/news/secadv/20200421.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" + }, + { + "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" + }, + { + "url": "https://www.tenable.com/security/tns-2020-03" + }, + { + "url": "https://www.tenable.com/security/tns-2020-04" + }, + { + "url": "https://www.tenable.com/security/tns-2020-11" + }, + { + "url": "https://www.tenable.com/security/tns-2021-10" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-1967 in golang:1.12-alpine", + "id": "Grype/CVE-2020-1967", + "desc": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-1967\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2020-1967\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2020-1967\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1g-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-1967\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-1967\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html\",\n \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html\",\n \"http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html\",\n \"http://seclists.org/fulldisclosure/2020/May/5\",\n \"http://www.openwall.com/lists/oss-security/2020/04/22/2\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1\",\n \"https://github.com/irsl/CVE-2020-1967\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440\",\n \"https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/\",\n \"https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc\",\n \"https://security.gentoo.org/glsa/202004-10\",\n \"https://security.netapp.com/advisory/ntap-20200424-0003/\",\n \"https://security.netapp.com/advisory/ntap-20200717-0004/\",\n \"https://www.debian.org/security/2020/dsa-4661\",\n \"https://www.openssl.org/news/secadv/20200421.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpujan2021.html\",\n \"https://www.oracle.com/security-alerts/cpujul2020.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2020.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.synology.com/security/advisory/Synology_SA_20_05\",\n \"https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL\",\n \"https://www.tenable.com/security/tns-2020-03\",\n \"https://www.tenable.com/security/tns-2020-04\",\n \"https://www.tenable.com/security/tns-2020-11\",\n \"https://www.tenable.com/security/tns-2021-10\"\n ],\n \"description\": \"Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \\\"signature_algorithms_cert\\\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1g-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-1967\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1g-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-1967\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0727", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1" + }, + { + "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" + }, + { + "url": "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" + }, + { + "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240208-0006/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0727 in golang:1.12-alpine", + "id": "Grype/CVE-2024-0727", + "desc": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0727\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0727\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/03/11/1\",\n \"https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2\",\n \"https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a\",\n \"https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8\",\n \"https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539\",\n \"https://security.netapp.com/advisory/ntap-20240208-0006/\",\n \"https://www.openssl.org/news/secadv/20240125.txt\"\n ],\n \"description\": \"Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\\nto crash leading to a potential Denial of Service attack\\n\\nImpact summary: Applications loading files in the PKCS12 format from untrusted\\nsources might terminate abruptly.\\n\\nA file in PKCS12 format can contain certificates and keys and may come from an\\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\\ndereference that results in OpenSSL crashing. If an application processes PKCS12\\nfiles from an untrusted source using the OpenSSL APIs then that application will\\nbe vulnerable to this issue.\\n\\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\\nand PKCS12_newpass().\\n\\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\\nfunction is related to writing data we do not consider it security significant.\\n\\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-0727\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 || = 3.2.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-0727\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 || = 3.2.0 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-5678", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231130-0010/" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-5678 in golang:1.12-alpine", + "id": "Grype/CVE-2023-5678", + "desc": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-5678\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-5678\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/03/11/1\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6\",\n \"https://security.netapp.com/advisory/ntap-20231130-0010/\",\n \"https://www.openssl.org/news/secadv/20231106.txt\"\n ],\n \"description\": \"Issue summary: Generating excessively long X9.42 DH keys or checking\\nexcessively long X9.42 DH keys or parameters may be very slow.\\n\\nImpact summary: Applications that use the functions DH_generate_key() to\\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\\nWhere the key or parameters that are being checked have been obtained from\\nan untrusted source this may lead to a Denial of Service.\\n\\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\\nDH_check_pub_key() doesn't make any of these checks, and is therefore\\nvulnerable for excessively large P and Q parameters.\\n\\nLikewise, while DH_generate_key() performs a check for an excessively large\\nP, it doesn't check for an excessively large Q.\\n\\nAn application that calls DH_generate_key() or DH_check_pub_key() and\\nsupplies a key or parameters obtained from an untrusted source could be\\nvulnerable to a Denial of Service attack.\\n\\nDH_generate_key() and DH_check_pub_key() are also called by a number of\\nother OpenSSL functions. An application calling any of those other\\nfunctions may similarly be affected. The other functions affected by this\\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\\n\\nAlso vulnerable are the OpenSSL pkey command line application when using the\\n\\\"-pubcheck\\\" option, as well as the OpenSSL genpkey command line application.\\n\\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\\n\\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-5678\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-5678\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-3817", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://seclists.org/fulldisclosure/2023/Jul/43" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/07/31/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/09/22/11" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/09/22/9" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230818-0014/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231027-0008/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.openssl.org/news/secadv/20230731.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-3817 in golang:1.12-alpine", + "id": "Grype/CVE-2023-3817", + "desc": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-3817\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-3817\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://seclists.org/fulldisclosure/2023/Jul/43\",\n \"http://www.openwall.com/lists/oss-security/2023/07/31/1\",\n \"http://www.openwall.com/lists/oss-security/2023/09/22/11\",\n \"http://www.openwall.com/lists/oss-security/2023/09/22/9\",\n \"http://www.openwall.com/lists/oss-security/2023/11/06/2\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5\",\n \"https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20230818-0014/\",\n \"https://security.netapp.com/advisory/ntap-20231027-0008/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.openssl.org/news/secadv/20230731.txt\"\n ],\n \"description\": \"Issue summary: Checking excessively long DH keys or parameters may be very slow.\\n\\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\\ndelays. Where the key or parameters that are being checked have been obtained\\nfrom an untrusted source this may lead to a Denial of Service.\\n\\nThe function DH_check() performs various checks on DH parameters. After fixing\\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\\nan overly long computation during some of these checks. A correct q value,\\nif present, cannot be larger than the modulus p parameter, thus it is\\nunnecessary to perform these checks if q is larger than p.\\n\\nAn application that calls DH_check() and supplies a key or parameters obtained\\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\\n\\nThe function DH_check() is itself called by a number of other OpenSSL functions.\\nAn application calling any of those other functions may similarly be affected.\\nThe other functions affected by this are DH_check_ex() and\\nEVP_PKEY_param_check().\\n\\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\\nwhen using the \\\"-check\\\" option.\\n\\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\\n\\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-3817\",\n \"versionConstraint\": \">= 3.0.0, < 3.0.10 || >= 3.1.0, < 3.1.2 || = 1.0.2 || = 1.0.2-beta1 || = 1.0.2-beta2 || = 1.0.2-beta3 || = 1.0.2a || = 1.0.2b || = 1.0.2c || = 1.0.2d || = 1.0.2e || = 1.0.2f || = 1.0.2g || = 1.0.2h || = 1.0.2i || = 1.0.2j || = 1.0.2k || = 1.0.2l || = 1.0.2m || = 1.0.2n || = 1.0.2o || = 1.0.2p || = 1.0.2q || = 1.0.2r || = 1.0.2s || = 1.0.2t || = 1.0.2u || = 1.0.2v || = 1.0.2w || = 1.0.2x || = 1.0.2y || = 1.0.2za || = 1.0.2zb || = 1.0.2zc || = 1.0.2zd || = 1.0.2ze || = 1.0.2zf || = 1.0.2zg || = 1.0.2zh || = 1.1.1 || = 1.1.1-pre1 || = 1.1.1-pre2 || = 1.1.1-pre3 || = 1.1.1-pre4 || = 1.1.1-pre5 || = 1.1.1-pre6 || = 1.1.1-pre7 || = 1.1.1-pre8 || = 1.1.1-pre9 || = 1.1.1a || = 1.1.1b || = 1.1.1c || = 1.1.1d || = 1.1.1e || = 1.1.1f || = 1.1.1g || = 1.1.1h || = 1.1.1i || = 1.1.1j || = 1.1.1k || = 1.1.1l || = 1.1.1m || = 1.1.1n || = 1.1.1o || = 1.1.1p || = 1.1.1q || = 1.1.1r || = 1.1.1s || = 1.1.1t || = 1.1.1u (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-3817\",\n \"versionConstraint\": \">= 3.0.0, < 3.0.10 || >= 3.1.0, < 3.1.2 || = 1.0.2 || = 1.0.2-beta1 || = 1.0.2-beta2 || = 1.0.2-beta3 || = 1.0.2a || = 1.0.2b || = 1.0.2c || = 1.0.2d || = 1.0.2e || = 1.0.2f || = 1.0.2g || = 1.0.2h || = 1.0.2i || = 1.0.2j || = 1.0.2k || = 1.0.2l || = 1.0.2m || = 1.0.2n || = 1.0.2o || = 1.0.2p || = 1.0.2q || = 1.0.2r || = 1.0.2s || = 1.0.2t || = 1.0.2u || = 1.0.2v || = 1.0.2w || = 1.0.2x || = 1.0.2y || = 1.0.2za || = 1.0.2zb || = 1.0.2zc || = 1.0.2zd || = 1.0.2ze || = 1.0.2zf || = 1.0.2zg || = 1.0.2zh || = 1.1.1 || = 1.1.1-pre1 || = 1.1.1-pre2 || = 1.1.1-pre3 || = 1.1.1-pre4 || = 1.1.1-pre5 || = 1.1.1-pre6 || = 1.1.1-pre7 || = 1.1.1-pre8 || = 1.1.1-pre9 || = 1.1.1a || = 1.1.1b || = 1.1.1c || = 1.1.1d || = 1.1.1e || = 1.1.1f || = 1.1.1g || = 1.1.1h || = 1.1.1i || = 1.1.1j || = 1.1.1k || = 1.1.1l || = 1.1.1m || = 1.1.1n || = 1.1.1o || = 1.1.1p || = 1.1.1q || = 1.1.1r || = 1.1.1s || = 1.1.1t || = 1.1.1u (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-2650", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2023/05/30/1" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230703-0001/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231027-0009/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230530.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-2650 in golang:1.12-alpine", + "id": "Grype/CVE-2023-2650", + "desc": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-2650\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-2650\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2023/05/30/1\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html\",\n \"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20230703-0001/\",\n \"https://security.netapp.com/advisory/ntap-20231027-0009/\",\n \"https://www.debian.org/security/2023/dsa-5417\",\n \"https://www.openssl.org/news/secadv/20230530.txt\"\n ],\n \"description\": \"Issue summary: Processing some specially crafted ASN.1 object identifiers or\\ndata containing them may be very slow.\\n\\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\\nsize limit may experience notable to very long delays when processing those\\nmessages, which may lead to a Denial of Service.\\n\\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\\nperiods.\\n\\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\\nof KiBs), the translation to a decimal number in text may take a very long\\ntime. The time complexity is O(n^2) with 'n' being the size of the\\nsub-identifiers in bytes (*).\\n\\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\\nidentifiers in string form was introduced. This includes using OBJECT\\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\\nalgorithms.\\n\\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\\ndecrypt, or digest passed data.\\n\\nApplications that call OBJ_obj2txt() directly with untrusted data are\\naffected, with any version of OpenSSL. If the use is for the mere purpose\\nof display, the severity is considered low.\\n\\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\\ncertificates, including simple things like verifying its signature.\\n\\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\\n100KiB limit on the peer's certificate chain. Additionally, this only\\nimpacts clients, or servers that have explicitly enabled client\\nauthentication.\\n\\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\\nsuch as X.509 certificates. This is assumed to not happen in such a way\\nthat it would cause a Denial of Service, so these versions are considered\\nnot affected by this issue in such a way that it would be cause for concern,\\nand the severity is therefore considered low.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-2650\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-2650\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0466", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2023/09/28/4" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230414-0001/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230328.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0466 in golang:1.12-alpine", + "id": "Grype/CVE-2023-0466", + "desc": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0466\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0466\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2023/09/28/4\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20230414-0001/\",\n \"https://www.debian.org/security/2023/dsa-5417\",\n \"https://www.openssl.org/news/secadv/20230328.txt\"\n ],\n \"description\": \"The function X509_VERIFY_PARAM_add0_policy() is documented to\\nimplicitly enable the certificate policy check when doing certificate\\nverification. However the implementation of the function does not\\nenable the check which allows certificates with invalid or incorrect\\npolicies to pass the certificate verification.\\n\\nAs suddenly enabling the policy check could break existing deployments it was\\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\\nfunction.\\n\\nInstead the applications that require OpenSSL to perform certificate\\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\\nthe X509_V_FLAG_POLICY_CHECK flag argument.\\n\\nCertificate policy checks are disabled by default in OpenSSL and are not\\ncommonly used by applications.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0466\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0466\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0465", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230414-0001/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230328.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0465 in golang:1.12-alpine", + "id": "Grype/CVE-2023-0465", + "desc": "Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0465\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0465\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95\",\n \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html\",\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://security.netapp.com/advisory/ntap-20230414-0001/\",\n \"https://www.debian.org/security/2023/dsa-5417\",\n \"https://www.openssl.org/news/secadv/20230328.txt\"\n ],\n \"description\": \"Applications that use a non-default option when verifying certificates may be\\nvulnerable to an attack from a malicious CA to circumvent certain checks.\\n\\nInvalid certificate policies in leaf certificates are silently ignored by\\nOpenSSL and other certificate policy checks are skipped for that certificate.\\nA malicious CA could use this to deliberately assert invalid certificate policies\\nin order to circumvent policy checking on the certificate altogether.\\n\\nPolicy processing is disabled by default but can be enabled by passing\\nthe `-policy' argument to the command line utilities or by calling the\\n`X509_VERIFY_PARAM_set1_policies()' function.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0465\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-0465\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-4304", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-4304 in golang:1.12-alpine", + "id": "Grype/CVE-2022-4304", + "desc": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.\n\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-4304\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-4304\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://security.gentoo.org/glsa/202402-08\",\n \"https://www.openssl.org/news/secadv/20230207.txt\"\n ],\n \"description\": \"A timing based side channel exists in the OpenSSL RSA Decryption implementation\\nwhich could be sufficient to recover a plaintext across a network in a\\nBleichenbacher style attack. To achieve a successful decryption an attacker\\nwould have to be able to send a very large number of trial messages for\\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\\nRSA-OEAP and RSASVE.\\n\\nFor example, in a TLS connection, RSA is commonly used by a client to send an\\nencrypted pre-master secret to the server. An attacker that had observed a\\ngenuine connection between a client and a server could use this flaw to send\\ntrial messages to the server and record the time taken to process them. After a\\nsufficiently large number of messages the attacker could recover the pre-master\\nsecret used for the original connection and thus be able to decrypt the\\napplication data sent over that connection.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-4304\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-4304\",\n \"versionConstraint\": \">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-2097", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220715-0011/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230420-0008/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5343" + }, + { + "url": "https://www.openssl.org/news/secadv/20220705.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-2097 in golang:1.12-alpine", + "id": "Grype/CVE-2022-2097", + "desc": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-2097\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-2097\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93\",\n \"https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20220715-0011/\",\n \"https://security.netapp.com/advisory/ntap-20230420-0008/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2023/dsa-5343\",\n \"https://www.openssl.org/news/secadv/20220705.txt\"\n ],\n \"description\": \"AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \\\"in place\\\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-2097\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1q || >= 3.0.0, < 3.0.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2022-2097\",\n \"versionConstraint\": \">= 1.1.1, < 1.1.1q || >= 3.0.0, < 3.0.5 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-4160", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3bf7b73ea7123045b8f972badc67ed6878e6c37f" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6fc1aaaf303185aa5e483e06bdfae16daa9193a7" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5103" + }, + { + "url": "https://www.openssl.org/news/secadv/20220128.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-4160 in golang:1.12-alpine", + "id": "Grype/CVE-2021-4160", + "desc": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-4160\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-4160\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3bf7b73ea7123045b8f972badc67ed6878e6c37f\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6fc1aaaf303185aa5e483e06bdfae16daa9193a7\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb\",\n \"https://security.gentoo.org/glsa/202210-02\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2022/dsa-5103\",\n \"https://www.openssl.org/news/secadv/20220128.txt\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n ],\n \"description\": \"There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2021-4160\",\n \"versionConstraint\": \">= 1.0.2, <= 1.0.2zb || >= 1.1.1, < 1.1.1m || = 3.0.0 || = 3.0.0-alpha1 || = 3.0.0-alpha10 || = 3.0.0-alpha11 || = 3.0.0-alpha12 || = 3.0.0-alpha13 || = 3.0.0-alpha14 || = 3.0.0-alpha15 || = 3.0.0-alpha16 || = 3.0.0-alpha17 || = 3.0.0-alpha2 || = 3.0.0-alpha3 || = 3.0.0-alpha4 || = 3.0.0-alpha5 || = 3.0.0-alpha6 || = 3.0.0-alpha7 || = 3.0.0-alpha8 || = 3.0.0-alpha9 || = 3.0.0-beta1 || = 3.0.0-beta2 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2021-4160\",\n \"versionConstraint\": \">= 1.0.2, <= 1.0.2zb || >= 1.1.1, < 1.1.1m || = 3.0.0 || = 3.0.0-alpha1 || = 3.0.0-alpha10 || = 3.0.0-alpha11 || = 3.0.0-alpha12 || = 3.0.0-alpha13 || = 3.0.0-alpha14 || = 3.0.0-alpha15 || = 3.0.0-alpha16 || = 3.0.0-alpha17 || = 3.0.0-alpha2 || = 3.0.0-alpha3 || = 3.0.0-alpha4 || = 3.0.0-alpha5 || = 3.0.0-alpha6 || = 3.0.0-alpha7 || = 3.0.0-alpha8 || = 3.0.0-alpha9 || = 3.0.0-beta1 || = 3.0.0-beta2 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3449", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1k-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3449" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/27/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/27/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/28/3" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/03/28/4" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10356" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013" + }, + { + "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc" + }, + { + "url": "https://security.gentoo.org/glsa/202103-03" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210326-0006/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210513-0002/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4875" + }, + { + "url": "https://www.openssl.org/news/secadv/20210325.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-05" + }, + { + "url": "https://www.tenable.com/security/tns-2021-06" + }, + { + "url": "https://www.tenable.com/security/tns-2021-09" + }, + { + "url": "https://www.tenable.com/security/tns-2021-10" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3449 in golang:1.12-alpine", + "id": "Grype/CVE-2021-3449", + "desc": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3449\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-3449\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-3449\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1k-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3449\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3449\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/03/27/1\",\n \"http://www.openwall.com/lists/oss-security/2021/03/27/2\",\n \"http://www.openwall.com/lists/oss-security/2021/03/28/3\",\n \"http://www.openwall.com/lists/oss-security/2021/03/28/4\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845\",\n \"https://kc.mcafee.com/corporate/index?page=content&id=SB10356\",\n \"https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/\",\n \"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013\",\n \"https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc\",\n \"https://security.gentoo.org/glsa/202103-03\",\n \"https://security.netapp.com/advisory/ntap-20210326-0006/\",\n \"https://security.netapp.com/advisory/ntap-20210513-0002/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd\",\n \"https://www.debian.org/security/2021/dsa-4875\",\n \"https://www.openssl.org/news/secadv/20210325.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-05\",\n \"https://www.tenable.com/security/tns-2021-06\",\n \"https://www.tenable.com/security/tns-2021-09\",\n \"https://www.tenable.com/security/tns-2021-10\"\n ],\n \"description\": \"An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1k-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3449\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1k-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-3449\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-23841", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1j-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-23841" + }, + { + "url": "http://seclists.org/fulldisclosure/2021/May/67" + }, + { + "url": "http://seclists.org/fulldisclosure/2021/May/68" + }, + { + "url": "http://seclists.org/fulldisclosure/2021/May/70" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846" + }, + { + "url": "https://security.gentoo.org/glsa/202103-03" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210219-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210513-0002/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://support.apple.com/kb/HT212528" + }, + { + "url": "https://support.apple.com/kb/HT212529" + }, + { + "url": "https://support.apple.com/kb/HT212534" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4855" + }, + { + "url": "https://www.openssl.org/news/secadv/20210216.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2021-03" + }, + { + "url": "https://www.tenable.com/security/tns-2021-09" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-23841 in golang:1.12-alpine", + "id": "Grype/CVE-2021-23841", + "desc": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-23841\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-23841\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-23841\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1j-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-23841\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23841\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://seclists.org/fulldisclosure/2021/May/67\",\n \"http://seclists.org/fulldisclosure/2021/May/68\",\n \"http://seclists.org/fulldisclosure/2021/May/70\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846\",\n \"https://security.gentoo.org/glsa/202103-03\",\n \"https://security.netapp.com/advisory/ntap-20210219-0009/\",\n \"https://security.netapp.com/advisory/ntap-20210513-0002/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://support.apple.com/kb/HT212528\",\n \"https://support.apple.com/kb/HT212529\",\n \"https://support.apple.com/kb/HT212534\",\n \"https://www.debian.org/security/2021/dsa-4855\",\n \"https://www.openssl.org/news/secadv/20210216.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2021-03\",\n \"https://www.tenable.com/security/tns-2021-09\"\n ],\n \"description\": \"The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23841\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23841\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-1971", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1i-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-1971" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/09/14/2" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676" + }, + { + "url": "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/" + }, + { + "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc" + }, + { + "url": "https://security.gentoo.org/glsa/202012-13" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20201218-0005/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210513-0002/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4807" + }, + { + "url": "https://www.openssl.org/news/secadv/20201208.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.tenable.com/security/tns-2020-11" + }, + { + "url": "https://www.tenable.com/security/tns-2021-09" + }, + { + "url": "https://www.tenable.com/security/tns-2021-10" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-1971 in golang:1.12-alpine", + "id": "Grype/CVE-2020-1971", + "desc": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-1971\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2020-1971\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2020-1971\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1i-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-1971\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-1971\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/09/14/2\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676\",\n \"https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E\",\n \"https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E\",\n \"https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html\",\n \"https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/\",\n \"https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc\",\n \"https://security.gentoo.org/glsa/202012-13\",\n \"https://security.netapp.com/advisory/ntap-20201218-0005/\",\n \"https://security.netapp.com/advisory/ntap-20210513-0002/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.debian.org/security/2020/dsa-4807\",\n \"https://www.openssl.org/news/secadv/20201208.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpujan2021.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\",\n \"https://www.tenable.com/security/tns-2020-11\",\n \"https://www.tenable.com/security/tns-2021-09\",\n \"https://www.tenable.com/security/tns-2021-10\"\n ],\n \"description\": \"The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \\\"-crl_download\\\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1i-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-1971\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1i-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-1971\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-23839", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.1j-r0", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-23839" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547" + }, + { + "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210219-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://www.openssl.org/news/secadv/20210216.txt" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-23839 in golang:1.12-alpine", + "id": "Grype/CVE-2021-23839", + "desc": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-23839\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2021-23839\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2021-23839\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.1j-r0\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-23839\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23839\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\",\n \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547\",\n \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846\",\n \"https://security.netapp.com/advisory/ntap-20210219-0009/\",\n \"https://security.netapp.com/advisory/ntap-20240621-0006/\",\n \"https://www.openssl.org/news/secadv/20210216.txt\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuApr2021.html\",\n \"https://www.oracle.com/security-alerts/cpuapr2022.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n ],\n \"description\": \"OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.7,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23839\"\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.1j-r0 (apk)\",\n \"vulnerabilityID\": \"CVE-2021-23839\"\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-2511", + "severity": "Unknown" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2024/04/08/5" + }, + { + "url": "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce" + }, + { + "url": "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d" + }, + { + "url": "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240503-0013/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240408.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-2511 in golang:1.12-alpine", + "id": "Grype/CVE-2024-2511", + "desc": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-2511\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-2511\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/04/08/5\",\n \"https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce\",\n \"https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d\",\n \"https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08\",\n \"https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640\",\n \"https://security.netapp.com/advisory/ntap-20240503-0013/\",\n \"https://www.openssl.org/news/secadv/20240408.txt\"\n ],\n \"description\": \"Issue summary: Some non-default TLS server configurations can cause unbounded\\nmemory growth when processing TLSv1.3 sessions\\n\\nImpact summary: An attacker may exploit certain server configurations to trigger\\nunbounded memory growth that would lead to a Denial of Service\\n\\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\\nbeing used (but not if early_data support is also configured and the default\\nanti-replay protection is in use). In this case, under certain conditions, the\\nsession cache can get into an incorrect state and it will fail to flush properly\\nas it fills. The session cache will continue to grow in an unbounded manner. A\\nmalicious client could deliberately create the scenario for this failure to\\nforce a Denial of Service. It may also happen by accident in normal operation.\\n\\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\\nclients.\\n\\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\\n1.0.2 is also not affected by this issue.\",\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-2511\",\n \"versionConstraint\": \">= 3.2.0, < 3.2.2 || >= 3.1.0, < 3.1.6 || >= 3.0.0, < 3.0.14 || >= 1.1.1, < 1.1.1y (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"08cad6ac32c19e1e\",\n \"name\": \"libcrypto1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/etc\"\n },\n {\n \"path\": \"/etc/ssl\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/ct_log_list.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf\"\n },\n {\n \"path\": \"/etc/ssl/openssl.cnf.dist\"\n },\n {\n \"path\": \"/etc/ssl/certs\"\n },\n {\n \"path\": \"/etc/ssl/private\"\n },\n {\n \"path\": \"/etc/ssl/misc\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget.pl\"\n },\n {\n \"path\": \"/etc/ssl/misc/tsget\"\n },\n {\n \"path\": \"/etc/ssl/misc/CA.pl\"\n },\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libcrypto.so.1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/padlock.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/afalg.so\"\n },\n {\n \"path\": \"/usr/lib/engines-1.1/capi.so\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"1.1.1d-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2024-2511\",\n \"versionConstraint\": \">= 3.2.0, < 3.2.2 || >= 3.1.0, < 3.1.6 || >= 3.0.0, < 3.0.14 || >= 1.1.1, < 1.1.1y (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"3ce41202583cf3fa\",\n \"name\": \"libssl1.1\",\n \"version\": \"1.1.1d-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"OpenSSL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libssl.so.1.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n },\n {\n \"path\": \"/usr/lib/libssl.so.1.1\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-28928", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.1.24-r3", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-28928" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2020/11/20/4" + }, + { + "url": "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E" + }, + { + "url": "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/" + }, + { + "url": "https://musl.libc.org/releases.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-28928 in golang:1.12-alpine", + "id": "Grype/CVE-2020-28928", + "desc": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-28928\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2020-28928\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2020-28928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.1.24-r3\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-28928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2020/11/20/4\",\n \"https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E\",\n \"https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E\",\n \"https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E\",\n \"https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/\",\n \"https://musl.libc.org/releases.html\",\n \"https://www.oracle.com//security-alerts/cpujul2021.html\",\n \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n ],\n \"description\": \"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"musl\",\n \"version\": \"1.1.24-r0\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.24-r3 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-28928\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"musl\",\n \"version\": \"1.1.24-r0\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.24-r3 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-28928\"\n }\n }\n]", + "message": "{\n \"id\": \"8d33328810d23c5f\",\n \"name\": \"musl\",\n \"version\": \"1.1.24-r0\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"MIT\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:musl-libc:musl:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl_libc:musl:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl:musl:1.1.24-r0:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/musl@1.1.24-r0?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"musl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/ld-musl-aarch64.so.1\"\n },\n {\n \"path\": \"/lib/libc.musl-aarch64.so.1\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/lib\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"musl\",\n \"version\": \"1.1.24-r0\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.1.24-r3 (apk)\",\n \"vulnerabilityID\": \"CVE-2020-28928\"\n }\n }\n]", + "message": "{\n \"id\": \"e94d81063c43dac8\",\n \"name\": \"musl-utils\",\n \"version\": \"1.1.24-r0\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD\",\n \"GPL2+\",\n \"MIT\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:musl-utils:musl-utils:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl-utils:musl_utils:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl_utils:musl-utils:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl_utils:musl_utils:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl:musl-utils:1.1.24-r0:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:musl:musl_utils:1.1.24-r0:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/musl-utils@1.1.24-r0?arch=aarch64&upstream=musl&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"musl\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/sbin\"\n },\n {\n \"path\": \"/sbin/ldconfig\"\n },\n {\n \"path\": \"/usr\"\n },\n {\n \"path\": \"/usr/bin\"\n },\n {\n \"path\": \"/usr/bin/ldd\"\n },\n {\n \"path\": \"/usr/bin/getconf\"\n },\n {\n \"path\": \"/usr/bin/iconv\"\n },\n {\n \"path\": \"/usr/bin/getent\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-45853", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/01/24/10" + }, + { + "url": "https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356" + }, + { + "url": "https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" + }, + { + "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4" + }, + { + "url": "https://github.com/madler/zlib/pull/843" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" + }, + { + "url": "https://pypi.org/project/pyminizip/#history" + }, + { + "url": "https://security.gentoo.org/glsa/202401-18" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" + }, + { + "url": "https://www.winimage.com/zLibDll/minizip.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-45853 in golang:1.12-alpine", + "id": "Grype/CVE-2023-45853", + "desc": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-45853\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-45853\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2023/10/20/9\",\n \"http://www.openwall.com/lists/oss-security/2024/01/24/10\",\n \"https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356\",\n \"https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61\",\n \"https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4\",\n \"https://github.com/madler/zlib/pull/843\",\n \"https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html\",\n \"https://pypi.org/project/pyminizip/#history\",\n \"https://security.gentoo.org/glsa/202401-18\",\n \"https://security.netapp.com/advisory/ntap-20231130-0009/\",\n \"https://www.winimage.com/zLibDll/minizip.html\"\n ],\n \"description\": \"MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2023-45853\",\n \"versionConstraint\": \"< 1.3.1 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"0551e4487bec111c\",\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Zlib\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"zlib\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libz.so.1\"\n },\n {\n \"path\": \"/lib/libz.so.1.2.11\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-37434", + "severity": "Critical" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.2.11-r4", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-37434" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/Oct/37" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/Oct/38" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/Oct/41" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/Oct/42" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/08/05/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/08/09/1" + }, + { + "url": "https://github.com/curl/curl/issues/9271" + }, + { + "url": "https://github.com/ivd38/zlib_overflow" + }, + { + "url": "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063" + }, + { + "url": "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1" + }, + { + "url": "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220901-0005/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230427-0007/" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://support.apple.com/kb/HT213489" + }, + { + "url": "https://support.apple.com/kb/HT213490" + }, + { + "url": "https://support.apple.com/kb/HT213491" + }, + { + "url": "https://support.apple.com/kb/HT213493" + }, + { + "url": "https://support.apple.com/kb/HT213494" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5218" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-37434 in golang:1.12-alpine", + "id": "Grype/CVE-2022-37434", + "desc": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "impact": 0.9, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-37434\",\n \"dataSource\": \"https://www.cve.org/CVERecord?id=CVE-2022-37434\",\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://www.cve.org/CVERecord?id=CVE-2022-37434\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.2.11-r4\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-37434\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-37434\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://seclists.org/fulldisclosure/2022/Oct/37\",\n \"http://seclists.org/fulldisclosure/2022/Oct/38\",\n \"http://seclists.org/fulldisclosure/2022/Oct/41\",\n \"http://seclists.org/fulldisclosure/2022/Oct/42\",\n \"http://www.openwall.com/lists/oss-security/2022/08/05/2\",\n \"http://www.openwall.com/lists/oss-security/2022/08/09/1\",\n \"https://github.com/curl/curl/issues/9271\",\n \"https://github.com/ivd38/zlib_overflow\",\n \"https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063\",\n \"https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1\",\n \"https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764\",\n \"https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/\",\n \"https://security.netapp.com/advisory/ntap-20220901-0005/\",\n \"https://security.netapp.com/advisory/ntap-20230427-0007/\",\n \"https://support.apple.com/kb/HT213488\",\n \"https://support.apple.com/kb/HT213489\",\n \"https://support.apple.com/kb/HT213490\",\n \"https://support.apple.com/kb/HT213491\",\n \"https://support.apple.com/kb/HT213493\",\n \"https://support.apple.com/kb/HT213494\",\n \"https://www.debian.org/security/2022/dsa-5218\"\n ],\n \"description\": \"zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.2.11-r4 (apk)\",\n \"vulnerabilityID\": \"CVE-2022-37434\"\n }\n },\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"alpine\",\n \"version\": \"3.11.3\"\n },\n \"namespace\": \"alpine:distro:alpine:3.11\",\n \"package\": {\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.2.11-r4 (apk)\",\n \"vulnerabilityID\": \"CVE-2022-37434\"\n }\n }\n]", + "message": "{\n \"id\": \"0551e4487bec111c\",\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Zlib\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"zlib\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libz.so.1\"\n },\n {\n \"path\": \"/lib/libz.so.1.2.11\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-25032", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "url": "http://seclists.org/fulldisclosure/2022/May/38" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/03/25/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/03/26/1" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf" + }, + { + "url": "https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531" + }, + { + "url": "https://github.com/madler/zlib/compare/v1.2.11...v1.2.12" + }, + { + "url": "https://github.com/madler/zlib/issues/605" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/" + }, + { + "url": "https://security.gentoo.org/glsa/202210-42" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220526-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220729-0004/" + }, + { + "url": "https://support.apple.com/kb/HT213255" + }, + { + "url": "https://support.apple.com/kb/HT213256" + }, + { + "url": "https://support.apple.com/kb/HT213257" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5111" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/03/24/1" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/03/28/1" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/03/28/3" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-25032 in golang:1.12-alpine", + "id": "Grype/CVE-2018-25032", + "desc": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-25032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-25032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://seclists.org/fulldisclosure/2022/May/33\",\n \"http://seclists.org/fulldisclosure/2022/May/35\",\n \"http://seclists.org/fulldisclosure/2022/May/38\",\n \"http://www.openwall.com/lists/oss-security/2022/03/25/2\",\n \"http://www.openwall.com/lists/oss-security/2022/03/26/1\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf\",\n \"https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531\",\n \"https://github.com/madler/zlib/compare/v1.2.11...v1.2.12\",\n \"https://github.com/madler/zlib/issues/605\",\n \"https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html\",\n \"https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html\",\n \"https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/\",\n \"https://security.gentoo.org/glsa/202210-42\",\n \"https://security.netapp.com/advisory/ntap-20220526-0009/\",\n \"https://security.netapp.com/advisory/ntap-20220729-0004/\",\n \"https://support.apple.com/kb/HT213255\",\n \"https://support.apple.com/kb/HT213256\",\n \"https://support.apple.com/kb/HT213257\",\n \"https://www.debian.org/security/2022/dsa-5111\",\n \"https://www.openwall.com/lists/oss-security/2022/03/24/1\",\n \"https://www.openwall.com/lists/oss-security/2022/03/28/1\",\n \"https://www.openwall.com/lists/oss-security/2022/03/28/3\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n ],\n \"description\": \"zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ],\n \"fix\": {\n \"versions\": [],\n \"state\": \"unknown\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"cpe-match\",\n \"matcher\": \"apk-matcher\",\n \"searchedBy\": {\n \"namespace\": \"nvd:cpe\",\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*\"\n ],\n \"package\": {\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\"\n }\n },\n \"found\": {\n \"vulnerabilityID\": \"CVE-2018-25032\",\n \"versionConstraint\": \"< 1.2.12 (unknown)\",\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*\"\n ]\n }\n }\n]", + "message": "{\n \"id\": \"0551e4487bec111c\",\n \"name\": \"zlib\",\n \"version\": \"1.2.11-r3\",\n \"type\": \"apk\",\n \"locations\": [\n {\n \"path\": \"/lib/apk/db/installed\",\n \"layerID\": \"sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Zlib\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3\",\n \"upstreams\": [\n {\n \"name\": \"zlib\"\n }\n ],\n \"metadataType\": \"ApkMetadata\",\n \"metadata\": {\n \"files\": [\n {\n \"path\": \"/lib\"\n },\n {\n \"path\": \"/lib/libz.so.1\"\n },\n {\n \"path\": \"/lib/libz.so.1.2.11\"\n }\n ]\n }\n}", + "start_time": "2024-07-23T08:42:03.544511-04:00" + } + ] + } + ], + "sha256": "ea1f2402024ada0c5f9e9638e16db526956e7a6bdfecce199c5d0beb869a2c2a" + } + ], + "passthrough": { + "auxiliary_data": [ + { + "name": "", + "data": {} + } + ], + "raw": { + "wrapper": { + "matches": [ + { + "vulnerability": { + "id": "CVE-2021-36159", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-36159", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Critical", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-36159" + ], + "cvss": [], + "fix": { + "versions": [ + "2.10.7-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-36159", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-36159", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch", + "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749", + "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E" + ], + "description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 10, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "apk-tools", + "version": "2.10.4-r3" + } + }, + "found": { + "versionConstraint": "< 2.10.7-r0 (apk)", + "vulnerabilityID": "CVE-2021-36159" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "apk-tools", + "version": "2.10.4-r3" + } + }, + "found": { + "versionConstraint": "< 2.10.7-r0 (apk)", + "vulnerabilityID": "CVE-2021-36159" + } + } + ], + "artifact": { + "id": "1acb8fe52f3da542", + "name": "apk-tools", + "version": "2.10.4-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL2" + ], + "cpes": [ + "cpe:2.3:a:apk-tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk-tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk_tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk_tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk:apk_tools:2.10.4-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/apk-tools@2.10.4-r3?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "apk-tools" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/apk" + }, + { + "path": "/etc/apk/keys" + }, + { + "path": "/etc/apk/protected_paths.d" + }, + { + "path": "/sbin" + }, + { + "path": "/sbin/apk" + }, + { + "path": "/usr" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/apk" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-30139", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-30139", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-30139" + ], + "cvss": [], + "fix": { + "versions": [ + "2.10.6-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-30139", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-30139", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10741", + "https://gitlab.alpinelinux.org/alpine/aports/-/issues/12606" + ], + "description": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "apk-tools", + "version": "2.10.4-r3" + } + }, + "found": { + "versionConstraint": "< 2.10.6-r0 (apk)", + "vulnerabilityID": "CVE-2021-30139" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "apk-tools", + "version": "2.10.4-r3" + } + }, + "found": { + "versionConstraint": "< 2.10.6-r0 (apk)", + "vulnerabilityID": "CVE-2021-30139" + } + } + ], + "artifact": { + "id": "1acb8fe52f3da542", + "name": "apk-tools", + "version": "2.10.4-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL2" + ], + "cpes": [ + "cpe:2.3:a:apk-tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk-tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk_tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk_tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk:apk_tools:2.10.4-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/apk-tools@2.10.4-r3?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "apk-tools" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/apk" + }, + { + "path": "/etc/apk/keys" + }, + { + "path": "/etc/apk/protected_paths.d" + }, + { + "path": "/sbin" + }, + { + "path": "/sbin/apk" + }, + { + "path": "/usr" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/apk" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-48174", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://bugs.busybox.net/show_bug.cgi?id=15216" + ], + "description": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-48174", + "versionConstraint": "< 1.35.0 (unknown)", + "cpes": [ + "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-28391", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-28391", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch", + "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch", + "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661" + ], + "description": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 8.6, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-28391", + "versionConstraint": "<= 1.35.0 (unknown)", + "cpes": [ + "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42386", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42386", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42386" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42386", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42386" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42386" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42385", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42385", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42385" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42385", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42385" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42385" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42384", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42384", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42384" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42384", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42384" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42384" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42383", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42383", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42383" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42383", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42383" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42383" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42382", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42382", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42382" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42382", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42382" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42382" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42381", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42381", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42381" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42381", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42381" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42381" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42380", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42380", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42380" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42380", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42380" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42380" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42379", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42379", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42379" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42379", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42379" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42379" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42378", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42378", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42378" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42378", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42378" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42378" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-28831", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-28831", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-28831" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r10" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-28831", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://security.gentoo.org/glsa/202105-09" + ], + "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "cve@mitre.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r10 (apk)", + "vulnerabilityID": "CVE-2021-28831" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r10 (apk)", + "vulnerabilityID": "CVE-2021-28831" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42374", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42374", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42374" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42374", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 3.4, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42374" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42374" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-5535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://www.openssl.org/news/secadv/20240627.txt" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-5535", + "versionConstraint": ">= 3.3.0, < 3.3.2 || >= 3.2.0, < 3.2.3 || >= 3.1.0, < 3.1.7 || >= 3.0.0, < 3.0.15 || >= 1.1.1, < 1.1.1za || >= 1.0.2, < 1.0.2zk (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-2068", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2068", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", + "https://security.netapp.com/advisory/ntap-20220707-0008/", + "https://www.debian.org/security/2022/dsa-5169", + "https://www.openssl.org/news/secadv/20220621.txt" + ], + "description": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 10, + "exploitabilityScore": 10, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-2068", + "versionConstraint": ">= 1.0.2, < 1.0.2zf || >= 1.1.1, < 1.1.1p || >= 3.0.0, < 3.0.4 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-1292", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1292", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220602-0009/", + "https://security.netapp.com/advisory/ntap-20220729-0004/", + "https://www.debian.org/security/2022/dsa-5139", + "https://www.openssl.org/news/secadv/20220503.txt", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 10, + "exploitabilityScore": 10, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-1292", + "versionConstraint": ">= 1.0.2, < 1.0.2ze || >= 1.1.1, < 1.1.1o || >= 3.0.0, < 3.0.3 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3711", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3711", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Critical", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3711" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1l-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3711", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20211022-0003/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02" + ], + "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1l-r0 (apk)", + "vulnerabilityID": "CVE-2021-3711" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-4807", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4807", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff", + "https://security.netapp.com/advisory/ntap-20230921-0001/", + "https://www.openssl.org/news/secadv/20230908.txt" + ], + "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-4807", + "versionConstraint": ">= 1.1.1, < 1.1.1w || >= 3.0.0, < 3.0.11 || >= 3.1.0, < 3.1.3 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0464", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.couchbase.com/alerts/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230322.txt" + ], + "description": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0464", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0286", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt", + "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d", + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0286", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0215", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230427-0007/", + "https://security.netapp.com/advisory/ntap-20230427-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0215", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-4450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b", + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-4450", + "versionConstraint": ">= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-0778", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html", + "http://seclists.org/fulldisclosure/2022/May/33", + "http://seclists.org/fulldisclosure/2022/May/35", + "http://seclists.org/fulldisclosure/2022/May/38", + "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220321-0002/", + "https://security.netapp.com/advisory/ntap-20220429-0005/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://support.apple.com/kb/HT213255", + "https://support.apple.com/kb/HT213256", + "https://support.apple.com/kb/HT213257", + "https://www.debian.org/security/2022/dsa-5103", + "https://www.openssl.org/news/secadv/20220315.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.tenable.com/security/tns-2022-06", + "https://www.tenable.com/security/tns-2022-07", + "https://www.tenable.com/security/tns-2022-08", + "https://www.tenable.com/security/tns-2022-09" + ], + "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-0778", + "versionConstraint": ">= 1.0.2, < 1.0.2zd || >= 1.1.0, < 1.1.1n || >= 3.0.0, < 3.0.2 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3712", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3712", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3712" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1l-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3712", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02" + ], + "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1l-r0 (apk)", + "vulnerabilityID": "CVE-2021-3712" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3450", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3450", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3450" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1k-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-08", + "https://www.tenable.com/security/tns-2021-09" + ], + "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1k-r0 (apk)", + "vulnerabilityID": "CVE-2021-3450" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23840", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23840", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23840" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23840", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23840" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-1967", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-1967", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-1967" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1g-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-1967", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", + "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", + "http://seclists.org/fulldisclosure/2020/May/5", + "http://www.openwall.com/lists/oss-security/2020/04/22/2", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1", + "https://github.com/irsl/CVE-2020-1967", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", + "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", + "https://security.gentoo.org/glsa/202004-10", + "https://security.netapp.com/advisory/ntap-20200424-0003/", + "https://security.netapp.com/advisory/ntap-20200717-0004/", + "https://www.debian.org/security/2020/dsa-4661", + "https://www.openssl.org/news/secadv/20200421.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.synology.com/security/advisory/Synology_SA_20_05", + "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", + "https://www.tenable.com/security/tns-2020-03", + "https://www.tenable.com/security/tns-2020-04", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1g-r0 (apk)", + "vulnerabilityID": "CVE-2020-1967" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-0727", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/11/1", + "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", + "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", + "https://security.netapp.com/advisory/ntap-20240208-0006/", + "https://www.openssl.org/news/secadv/20240125.txt" + ], + "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-0727", + "versionConstraint": ">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 || = 3.2.0 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-5678", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/11/1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "https://security.netapp.com/advisory/ntap-20231130-0010/", + "https://www.openssl.org/news/secadv/20231106.txt" + ], + "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-5678", + "versionConstraint": ">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-3817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://seclists.org/fulldisclosure/2023/Jul/43", + "http://www.openwall.com/lists/oss-security/2023/07/31/1", + "http://www.openwall.com/lists/oss-security/2023/09/22/11", + "http://www.openwall.com/lists/oss-security/2023/09/22/9", + "http://www.openwall.com/lists/oss-security/2023/11/06/2", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5", + "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230818-0014/", + "https://security.netapp.com/advisory/ntap-20231027-0008/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20230731.txt" + ], + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-3817", + "versionConstraint": ">= 3.0.0, < 3.0.10 || >= 3.1.0, < 3.1.2 || = 1.0.2 || = 1.0.2-beta1 || = 1.0.2-beta2 || = 1.0.2-beta3 || = 1.0.2a || = 1.0.2b || = 1.0.2c || = 1.0.2d || = 1.0.2e || = 1.0.2f || = 1.0.2g || = 1.0.2h || = 1.0.2i || = 1.0.2j || = 1.0.2k || = 1.0.2l || = 1.0.2m || = 1.0.2n || = 1.0.2o || = 1.0.2p || = 1.0.2q || = 1.0.2r || = 1.0.2s || = 1.0.2t || = 1.0.2u || = 1.0.2v || = 1.0.2w || = 1.0.2x || = 1.0.2y || = 1.0.2za || = 1.0.2zb || = 1.0.2zc || = 1.0.2zd || = 1.0.2ze || = 1.0.2zf || = 1.0.2zg || = 1.0.2zh || = 1.1.1 || = 1.1.1-pre1 || = 1.1.1-pre2 || = 1.1.1-pre3 || = 1.1.1-pre4 || = 1.1.1-pre5 || = 1.1.1-pre6 || = 1.1.1-pre7 || = 1.1.1-pre8 || = 1.1.1-pre9 || = 1.1.1a || = 1.1.1b || = 1.1.1c || = 1.1.1d || = 1.1.1e || = 1.1.1f || = 1.1.1g || = 1.1.1h || = 1.1.1i || = 1.1.1j || = 1.1.1k || = 1.1.1l || = 1.1.1m || = 1.1.1n || = 1.1.1o || = 1.1.1p || = 1.1.1q || = 1.1.1r || = 1.1.1s || = 1.1.1t || = 1.1.1u (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-2650", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/05/30/1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230703-0001/", + "https://security.netapp.com/advisory/ntap-20231027-0009/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230530.txt" + ], + "description": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-2650", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0466", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/09/28/4", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230414-0001/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230328.txt" + ], + "description": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0466", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0465", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230414-0001/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230328.txt" + ], + "description": "Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0465", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-4304", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-4304", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-2097", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93", + "https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220715-0011/", + "https://security.netapp.com/advisory/ntap-20230420-0008/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2023/dsa-5343", + "https://www.openssl.org/news/secadv/20220705.txt" + ], + "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-2097", + "versionConstraint": ">= 1.1.1, < 1.1.1q || >= 3.0.0, < 3.0.5 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-4160", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-4160", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3bf7b73ea7123045b8f972badc67ed6878e6c37f", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6fc1aaaf303185aa5e483e06bdfae16daa9193a7", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2022/dsa-5103", + "https://www.openssl.org/news/secadv/20220128.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2021-4160", + "versionConstraint": ">= 1.0.2, <= 1.0.2zb || >= 1.1.1, < 1.1.1m || = 3.0.0 || = 3.0.0-alpha1 || = 3.0.0-alpha10 || = 3.0.0-alpha11 || = 3.0.0-alpha12 || = 3.0.0-alpha13 || = 3.0.0-alpha14 || = 3.0.0-alpha15 || = 3.0.0-alpha16 || = 3.0.0-alpha17 || = 3.0.0-alpha2 || = 3.0.0-alpha3 || = 3.0.0-alpha4 || = 3.0.0-alpha5 || = 3.0.0-alpha6 || = 3.0.0-alpha7 || = 3.0.0-alpha8 || = 3.0.0-alpha9 || = 3.0.0-beta1 || = 3.0.0-beta2 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3449", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3449", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3449" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1k-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3449", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://www.debian.org/security/2021/dsa-4875", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-06", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1k-r0 (apk)", + "vulnerabilityID": "CVE-2021-3449" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23841", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23841", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23841" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23841", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://seclists.org/fulldisclosure/2021/May/67", + "http://seclists.org/fulldisclosure/2021/May/68", + "http://seclists.org/fulldisclosure/2021/May/70", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://support.apple.com/kb/HT212528", + "https://support.apple.com/kb/HT212529", + "https://support.apple.com/kb/HT212534", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09" + ], + "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23841" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-1971", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-1971", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-1971" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1i-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-1971", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/09/14/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", + "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + "https://security.gentoo.org/glsa/202012-13", + "https://security.netapp.com/advisory/ntap-20201218-0005/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2020/dsa-4807", + "https://www.openssl.org/news/secadv/20201208.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1i-r0 (apk)", + "vulnerabilityID": "CVE-2020-1971" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23839", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23839", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Low", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23839" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23839", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.7, + "exploitabilityScore": 2.2, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23839" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-2511", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/04/08/5", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://security.netapp.com/advisory/ntap-20240503-0013/", + "https://www.openssl.org/news/secadv/20240408.txt" + ], + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "cvss": [], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-2511", + "versionConstraint": ">= 3.2.0, < 3.2.2 || >= 3.1.0, < 3.1.6 || >= 3.0.0, < 3.0.14 || >= 1.1.1, < 1.1.1y (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-5535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://www.openssl.org/news/secadv/20240627.txt" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-5535", + "versionConstraint": ">= 3.3.0, < 3.3.2 || >= 3.2.0, < 3.2.3 || >= 3.1.0, < 3.1.7 || >= 3.0.0, < 3.0.15 || >= 1.1.1, < 1.1.1za || >= 1.0.2, < 1.0.2zk (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-2068", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2068", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", + "https://security.netapp.com/advisory/ntap-20220707-0008/", + "https://www.debian.org/security/2022/dsa-5169", + "https://www.openssl.org/news/secadv/20220621.txt" + ], + "description": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 10, + "exploitabilityScore": 10, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-2068", + "versionConstraint": ">= 1.0.2, < 1.0.2zf || >= 1.1.1, < 1.1.1p || >= 3.0.0, < 3.0.4 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-1292", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1292", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220602-0009/", + "https://security.netapp.com/advisory/ntap-20220729-0004/", + "https://www.debian.org/security/2022/dsa-5139", + "https://www.openssl.org/news/secadv/20220503.txt", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 10, + "exploitabilityScore": 10, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-1292", + "versionConstraint": ">= 1.0.2, < 1.0.2ze || >= 1.1.1, < 1.1.1o || >= 3.0.0, < 3.0.3 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3711", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3711", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Critical", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3711" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1l-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3711", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20211022-0003/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02" + ], + "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1l-r0 (apk)", + "vulnerabilityID": "CVE-2021-3711" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-4807", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4807", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff", + "https://security.netapp.com/advisory/ntap-20230921-0001/", + "https://www.openssl.org/news/secadv/20230908.txt" + ], + "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-4807", + "versionConstraint": ">= 1.1.1, < 1.1.1w || >= 3.0.0, < 3.0.11 || >= 3.1.0, < 3.1.3 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0464", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.couchbase.com/alerts/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230322.txt" + ], + "description": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0464", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0286", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt", + "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d", + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0286", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0215", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230427-0007/", + "https://security.netapp.com/advisory/ntap-20230427-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0215", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-4450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b", + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-4450", + "versionConstraint": ">= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-0778", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html", + "http://seclists.org/fulldisclosure/2022/May/33", + "http://seclists.org/fulldisclosure/2022/May/35", + "http://seclists.org/fulldisclosure/2022/May/38", + "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220321-0002/", + "https://security.netapp.com/advisory/ntap-20220429-0005/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://support.apple.com/kb/HT213255", + "https://support.apple.com/kb/HT213256", + "https://support.apple.com/kb/HT213257", + "https://www.debian.org/security/2022/dsa-5103", + "https://www.openssl.org/news/secadv/20220315.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.tenable.com/security/tns-2022-06", + "https://www.tenable.com/security/tns-2022-07", + "https://www.tenable.com/security/tns-2022-08", + "https://www.tenable.com/security/tns-2022-09" + ], + "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-0778", + "versionConstraint": ">= 1.0.2, < 1.0.2zd || >= 1.1.0, < 1.1.1n || >= 3.0.0, < 3.0.2 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3712", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3712", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3712" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1l-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3712", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02" + ], + "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1l-r0 (apk)", + "vulnerabilityID": "CVE-2021-3712" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3450", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3450", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3450" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1k-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-08", + "https://www.tenable.com/security/tns-2021-09" + ], + "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1k-r0 (apk)", + "vulnerabilityID": "CVE-2021-3450" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23840", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23840", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23840" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23840", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23840" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-1967", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-1967", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-1967" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1g-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-1967", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", + "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", + "http://seclists.org/fulldisclosure/2020/May/5", + "http://www.openwall.com/lists/oss-security/2020/04/22/2", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1", + "https://github.com/irsl/CVE-2020-1967", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", + "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", + "https://security.gentoo.org/glsa/202004-10", + "https://security.netapp.com/advisory/ntap-20200424-0003/", + "https://security.netapp.com/advisory/ntap-20200717-0004/", + "https://www.debian.org/security/2020/dsa-4661", + "https://www.openssl.org/news/secadv/20200421.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.synology.com/security/advisory/Synology_SA_20_05", + "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", + "https://www.tenable.com/security/tns-2020-03", + "https://www.tenable.com/security/tns-2020-04", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1g-r0 (apk)", + "vulnerabilityID": "CVE-2020-1967" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-0727", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/11/1", + "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", + "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", + "https://security.netapp.com/advisory/ntap-20240208-0006/", + "https://www.openssl.org/news/secadv/20240125.txt" + ], + "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-0727", + "versionConstraint": ">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 || = 3.2.0 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-5678", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/11/1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "https://security.netapp.com/advisory/ntap-20231130-0010/", + "https://www.openssl.org/news/secadv/20231106.txt" + ], + "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-5678", + "versionConstraint": ">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-3817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://seclists.org/fulldisclosure/2023/Jul/43", + "http://www.openwall.com/lists/oss-security/2023/07/31/1", + "http://www.openwall.com/lists/oss-security/2023/09/22/11", + "http://www.openwall.com/lists/oss-security/2023/09/22/9", + "http://www.openwall.com/lists/oss-security/2023/11/06/2", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5", + "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230818-0014/", + "https://security.netapp.com/advisory/ntap-20231027-0008/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20230731.txt" + ], + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-3817", + "versionConstraint": ">= 3.0.0, < 3.0.10 || >= 3.1.0, < 3.1.2 || = 1.0.2 || = 1.0.2-beta1 || = 1.0.2-beta2 || = 1.0.2-beta3 || = 1.0.2a || = 1.0.2b || = 1.0.2c || = 1.0.2d || = 1.0.2e || = 1.0.2f || = 1.0.2g || = 1.0.2h || = 1.0.2i || = 1.0.2j || = 1.0.2k || = 1.0.2l || = 1.0.2m || = 1.0.2n || = 1.0.2o || = 1.0.2p || = 1.0.2q || = 1.0.2r || = 1.0.2s || = 1.0.2t || = 1.0.2u || = 1.0.2v || = 1.0.2w || = 1.0.2x || = 1.0.2y || = 1.0.2za || = 1.0.2zb || = 1.0.2zc || = 1.0.2zd || = 1.0.2ze || = 1.0.2zf || = 1.0.2zg || = 1.0.2zh || = 1.1.1 || = 1.1.1-pre1 || = 1.1.1-pre2 || = 1.1.1-pre3 || = 1.1.1-pre4 || = 1.1.1-pre5 || = 1.1.1-pre6 || = 1.1.1-pre7 || = 1.1.1-pre8 || = 1.1.1-pre9 || = 1.1.1a || = 1.1.1b || = 1.1.1c || = 1.1.1d || = 1.1.1e || = 1.1.1f || = 1.1.1g || = 1.1.1h || = 1.1.1i || = 1.1.1j || = 1.1.1k || = 1.1.1l || = 1.1.1m || = 1.1.1n || = 1.1.1o || = 1.1.1p || = 1.1.1q || = 1.1.1r || = 1.1.1s || = 1.1.1t || = 1.1.1u (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-2650", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/05/30/1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230703-0001/", + "https://security.netapp.com/advisory/ntap-20231027-0009/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230530.txt" + ], + "description": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-2650", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0466", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/09/28/4", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230414-0001/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230328.txt" + ], + "description": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0466", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0465", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230414-0001/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230328.txt" + ], + "description": "Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0465", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-4304", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-4304", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-2097", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93", + "https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220715-0011/", + "https://security.netapp.com/advisory/ntap-20230420-0008/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2023/dsa-5343", + "https://www.openssl.org/news/secadv/20220705.txt" + ], + "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-2097", + "versionConstraint": ">= 1.1.1, < 1.1.1q || >= 3.0.0, < 3.0.5 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-4160", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-4160", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3bf7b73ea7123045b8f972badc67ed6878e6c37f", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6fc1aaaf303185aa5e483e06bdfae16daa9193a7", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2022/dsa-5103", + "https://www.openssl.org/news/secadv/20220128.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2021-4160", + "versionConstraint": ">= 1.0.2, <= 1.0.2zb || >= 1.1.1, < 1.1.1m || = 3.0.0 || = 3.0.0-alpha1 || = 3.0.0-alpha10 || = 3.0.0-alpha11 || = 3.0.0-alpha12 || = 3.0.0-alpha13 || = 3.0.0-alpha14 || = 3.0.0-alpha15 || = 3.0.0-alpha16 || = 3.0.0-alpha17 || = 3.0.0-alpha2 || = 3.0.0-alpha3 || = 3.0.0-alpha4 || = 3.0.0-alpha5 || = 3.0.0-alpha6 || = 3.0.0-alpha7 || = 3.0.0-alpha8 || = 3.0.0-alpha9 || = 3.0.0-beta1 || = 3.0.0-beta2 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3449", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3449", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3449" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1k-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3449", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://www.debian.org/security/2021/dsa-4875", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-06", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1k-r0 (apk)", + "vulnerabilityID": "CVE-2021-3449" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23841", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23841", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23841" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23841", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://seclists.org/fulldisclosure/2021/May/67", + "http://seclists.org/fulldisclosure/2021/May/68", + "http://seclists.org/fulldisclosure/2021/May/70", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://support.apple.com/kb/HT212528", + "https://support.apple.com/kb/HT212529", + "https://support.apple.com/kb/HT212534", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09" + ], + "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23841" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-1971", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-1971", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-1971" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1i-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-1971", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/09/14/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", + "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + "https://security.gentoo.org/glsa/202012-13", + "https://security.netapp.com/advisory/ntap-20201218-0005/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2020/dsa-4807", + "https://www.openssl.org/news/secadv/20201208.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1i-r0 (apk)", + "vulnerabilityID": "CVE-2020-1971" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23839", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23839", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Low", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23839" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23839", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.7, + "exploitabilityScore": 2.2, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23839" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-2511", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/04/08/5", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://security.netapp.com/advisory/ntap-20240503-0013/", + "https://www.openssl.org/news/secadv/20240408.txt" + ], + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "cvss": [], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-2511", + "versionConstraint": ">= 3.2.0, < 3.2.2 || >= 3.1.0, < 3.1.6 || >= 3.0.0, < 3.0.14 || >= 1.1.1, < 1.1.1y (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-28928", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-28928", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-28928" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.24-r3" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-28928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-28928", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2020/11/20/4", + "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + "https://musl.libc.org/releases.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "musl", + "version": "1.1.24-r0" + } + }, + "found": { + "versionConstraint": "< 1.1.24-r3 (apk)", + "vulnerabilityID": "CVE-2020-28928" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "musl", + "version": "1.1.24-r0" + } + }, + "found": { + "versionConstraint": "< 1.1.24-r3 (apk)", + "vulnerabilityID": "CVE-2020-28928" + } + } + ], + "artifact": { + "id": "8d33328810d23c5f", + "name": "musl", + "version": "1.1.24-r0", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "MIT" + ], + "cpes": [ + "cpe:2.3:a:musl-libc:musl:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl_libc:musl:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl:musl:1.1.24-r0:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/musl@1.1.24-r0?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "musl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/ld-musl-aarch64.so.1" + }, + { + "path": "/lib/libc.musl-aarch64.so.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-28928", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-28928", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-28928" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.24-r3" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-28928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-28928", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2020/11/20/4", + "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + "https://musl.libc.org/releases.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "musl", + "version": "1.1.24-r0" + } + }, + "found": { + "versionConstraint": "< 1.1.24-r3 (apk)", + "vulnerabilityID": "CVE-2020-28928" + } + } + ], + "artifact": { + "id": "e94d81063c43dac8", + "name": "musl-utils", + "version": "1.1.24-r0", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "BSD", + "GPL2+", + "MIT" + ], + "cpes": [ + "cpe:2.3:a:musl-utils:musl-utils:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl-utils:musl_utils:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl_utils:musl-utils:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl_utils:musl_utils:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl:musl-utils:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl:musl_utils:1.1.24-r0:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/musl-utils@1.1.24-r0?arch=aarch64&upstream=musl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "musl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/sbin" + }, + { + "path": "/sbin/ldconfig" + }, + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ldd" + }, + { + "path": "/usr/bin/getconf" + }, + { + "path": "/usr/bin/iconv" + }, + { + "path": "/usr/bin/getent" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-48174", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://bugs.busybox.net/show_bug.cgi?id=15216" + ], + "description": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-48174", + "versionConstraint": "< 1.35.0 (unknown)", + "cpes": [ + "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-28391", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-28391", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch", + "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch", + "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661" + ], + "description": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 8.6, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-28391", + "versionConstraint": "<= 1.35.0 (unknown)", + "cpes": [ + "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42386", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42386", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42386" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42386", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42386" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42385", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42385", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42385" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42385", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42385" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42384", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42384", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42384" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42384", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42384" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42383", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42383", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42383" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42383", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42383" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42382", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42382", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42382" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42382", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42382" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42381", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42381", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42381" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42381", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42381" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42380", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42380", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42380" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42380", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42380" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42379", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42379", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42379" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42379", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42379" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42378", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42378", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42378" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42378", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42378" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-28831", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-28831", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-28831" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r10" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-28831", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://security.gentoo.org/glsa/202105-09" + ], + "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "cve@mitre.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r10 (apk)", + "vulnerabilityID": "CVE-2021-28831" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42374", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42374", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42374" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42374", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 3.4, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42374" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-45853", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/10/20/9", + "http://www.openwall.com/lists/oss-security/2024/01/24/10", + "https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356", + "https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", + "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4", + "https://github.com/madler/zlib/pull/843", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", + "https://pypi.org/project/pyminizip/#history", + "https://security.gentoo.org/glsa/202401-18", + "https://security.netapp.com/advisory/ntap-20231130-0009/", + "https://www.winimage.com/zLibDll/minizip.html" + ], + "description": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "zlib", + "version": "1.2.11-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-45853", + "versionConstraint": "< 1.3.1 (unknown)", + "cpes": [ + "cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "0551e4487bec111c", + "name": "zlib", + "version": "1.2.11-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "Zlib" + ], + "cpes": [ + "cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "zlib" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libz.so.1" + }, + { + "path": "/lib/libz.so.1.2.11" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-37434", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2022-37434", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Critical", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2022-37434" + ], + "cvss": [], + "fix": { + "versions": [ + "1.2.11-r4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-37434", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://seclists.org/fulldisclosure/2022/Oct/37", + "http://seclists.org/fulldisclosure/2022/Oct/38", + "http://seclists.org/fulldisclosure/2022/Oct/41", + "http://seclists.org/fulldisclosure/2022/Oct/42", + "http://www.openwall.com/lists/oss-security/2022/08/05/2", + "http://www.openwall.com/lists/oss-security/2022/08/09/1", + "https://github.com/curl/curl/issues/9271", + "https://github.com/ivd38/zlib_overflow", + "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063", + "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1", + "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764", + "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/", + "https://security.netapp.com/advisory/ntap-20220901-0005/", + "https://security.netapp.com/advisory/ntap-20230427-0007/", + "https://support.apple.com/kb/HT213488", + "https://support.apple.com/kb/HT213489", + "https://support.apple.com/kb/HT213490", + "https://support.apple.com/kb/HT213491", + "https://support.apple.com/kb/HT213493", + "https://support.apple.com/kb/HT213494", + "https://www.debian.org/security/2022/dsa-5218" + ], + "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "zlib", + "version": "1.2.11-r3" + } + }, + "found": { + "versionConstraint": "< 1.2.11-r4 (apk)", + "vulnerabilityID": "CVE-2022-37434" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "zlib", + "version": "1.2.11-r3" + } + }, + "found": { + "versionConstraint": "< 1.2.11-r4 (apk)", + "vulnerabilityID": "CVE-2022-37434" + } + } + ], + "artifact": { + "id": "0551e4487bec111c", + "name": "zlib", + "version": "1.2.11-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "Zlib" + ], + "cpes": [ + "cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "zlib" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libz.so.1" + }, + { + "path": "/lib/libz.so.1.2.11" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2018-25032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://seclists.org/fulldisclosure/2022/May/33", + "http://seclists.org/fulldisclosure/2022/May/35", + "http://seclists.org/fulldisclosure/2022/May/38", + "http://www.openwall.com/lists/oss-security/2022/03/25/2", + "http://www.openwall.com/lists/oss-security/2022/03/26/1", + "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf", + "https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531", + "https://github.com/madler/zlib/compare/v1.2.11...v1.2.12", + "https://github.com/madler/zlib/issues/605", + "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html", + "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/", + "https://security.gentoo.org/glsa/202210-42", + "https://security.netapp.com/advisory/ntap-20220526-0009/", + "https://security.netapp.com/advisory/ntap-20220729-0004/", + "https://support.apple.com/kb/HT213255", + "https://support.apple.com/kb/HT213256", + "https://support.apple.com/kb/HT213257", + "https://www.debian.org/security/2022/dsa-5111", + "https://www.openwall.com/lists/oss-security/2022/03/24/1", + "https://www.openwall.com/lists/oss-security/2022/03/28/1", + "https://www.openwall.com/lists/oss-security/2022/03/28/3", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "zlib", + "version": "1.2.11-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2018-25032", + "versionConstraint": "< 1.2.12 (unknown)", + "cpes": [ + "cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "0551e4487bec111c", + "name": "zlib", + "version": "1.2.11-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "Zlib" + ], + "cpes": [ + "cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "zlib" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libz.so.1" + }, + { + "path": "/lib/libz.so.1.2.11" + } + ] + } + } + } + ] + } + } + } +} \ No newline at end of file diff --git a/test/sample_data/anchoregrype/sample_input_report/amazon.json b/test/sample_data/anchoregrype/sample_input_report/amazon.json new file mode 100644 index 000000000..01789f190 --- /dev/null +++ b/test/sample_data/anchoregrype/sample_input_report/amazon.json @@ -0,0 +1,1852 @@ +{ + "matches": [ + { + "vulnerability": { + "id": "ALAS-2024-2607", + "dataSource": "https://alas.aws.amazon.com/AL2/ALAS-2024-2607.html", + "namespace": "amazon:distro:amazonlinux:2", + "severity": "Low", + "urls": [ + "https://alas.aws.amazon.com/AL2/ALAS-2024-2607.html" + ], + "description": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\" (CVE-2024-39689)", + "cvss": [], + "fix": { + "versions": [ + "2023.2.68-1.amzn2.0.1" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39689", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39689", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463", + "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc", + "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI" + ], + "description": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\"", + "cvss": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "amazonlinux", + "version": "2" + }, + "namespace": "amazon:distro:amazonlinux:2", + "package": { + "name": "ca-certificates", + "version": "0:2023.2.64-1.amzn2.0.1" + } + }, + "found": { + "versionConstraint": "< 2023.2.68-1.amzn2.0.1 (rpm)", + "vulnerabilityID": "ALAS-2024-2607" + } + } + ], + "artifact": { + "id": "3fdee4f2791be89b", + "name": "ca-certificates", + "version": "2023.2.64-1.amzn2.0.1", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/Packages", + "layerID": "sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483" + } + ], + "language": "", + "licenses": [ + "Public Domain" + ], + "cpes": [ + "cpe:2.3:a:ca-certificates:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ca-certificates:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ca_certificates:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ca_certificates:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:amazonlinux:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:amazonlinux:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ca:ca-certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ca:ca_certificates:2023.2.64-1.amzn2.0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/amzn/ca-certificates@2023.2.64-1.amzn2.0.1?arch=noarch&upstream=ca-certificates-2023.2.64-1.amzn2.0.1.src.rpm&distro=amzn-2", + "upstreams": [], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "ALAS-2024-2595", + "dataSource": "https://alas.aws.amazon.com/AL2/ALAS-2024-2595.html", + "namespace": "amazon:distro:amazonlinux:2", + "severity": "Medium", + "urls": [ + "https://alas.aws.amazon.com/AL2/ALAS-2024-2595.html" + ], + "description": "krb5: GSS message token handling (CVE-2024-37370)In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. (CVE-2024-37371)", + "cvss": [], + "fix": { + "versions": [ + "1.15.1-55.amzn2.2.8" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37370", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + }, + { + "id": "CVE-2024-37371", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "amazonlinux", + "version": "2" + }, + "namespace": "amazon:distro:amazonlinux:2", + "package": { + "name": "krb5-libs", + "version": "0:1.15.1-55.amzn2.2.7" + } + }, + "found": { + "versionConstraint": "< 1.15.1-55.amzn2.2.8 (rpm)", + "vulnerabilityID": "ALAS-2024-2595" + } + }, + { + "type": "exact-indirect-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "amazonlinux", + "version": "2" + }, + "namespace": "amazon:distro:amazonlinux:2", + "package": { + "name": "krb5", + "version": "1.15.1-55.amzn2.2.7" + } + }, + "found": { + "versionConstraint": "< 1.15.1-55.amzn2.2.8 (rpm)", + "vulnerabilityID": "ALAS-2024-2595" + } + } + ], + "artifact": { + "id": "3bb967025c5652e0", + "name": "krb5-libs", + "version": "1.15.1-55.amzn2.2.7", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/Packages", + "layerID": "sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483" + } + ], + "language": "", + "licenses": [ + "MIT" + ], + "cpes": [ + "cpe:2.3:a:amazonlinux:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:amazonlinux:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5-libs:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5-libs:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5_libs:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5_libs:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5:krb5-libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*", + "cpe:2.3:a:krb5:krb5_libs:1.15.1-55.amzn2.2.7:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/amzn/krb5-libs@1.15.1-55.amzn2.2.7?arch=aarch64&upstream=krb5-1.15.1-55.amzn2.2.7.src.rpm&distro=amzn-2", + "upstreams": [ + { + "name": "krb5", + "version": "1.15.1-55.amzn2.2.7" + } + ], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "ALAS-2024-2604", + "dataSource": "https://alas.aws.amazon.com/AL2/ALAS-2024-2604.html", + "namespace": "amazon:distro:amazonlinux:2", + "severity": "Medium", + "urls": [ + "https://alas.aws.amazon.com/AL2/ALAS-2024-2604.html" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with anempty supported client protocols buffer may cause a crash or memory contents tobe sent to the peer.Impact summary: A buffer overread can have a range of potential consequencessuch as unexpected application beahviour or a crash. In particular this issuecould result in up to 255 bytes of arbitrary private data from memory being sentto the peer leading to a loss of confidentiality. However, only applicationsthat directly call the SSL_select_next_proto function with a 0 length list ofsupported client protocols are affected by this issue. This would normally neverbe a valid scenario and is typically not under attacker control but may occur byaccident in the case of a configuration or programming error in the callingapplication.The OpenSSL API function SSL_select_next_proto is typically used by TLSapplications that support ALPN (Application Layer Protocol Negotiation) or NPN(Next Protocol Negotiation). NPN is older, was never standardised andis deprecated in favour of ALPN. We believe that ALPN is significantly morewidely deployed than NPN. The SSL_select_next_proto function accepts a list ofprotocols from the server and a list of protocols from the client and returnsthe first protocol that appears in the server list that also appears in theclient list. In the case of no overlap between the two lists it returns thefirst item in the client list. In either case it will signal whether an overlapbetween the two lists was found. In the case where SSL_select_next_proto iscalled with a zero length client list it fails to notice this condition andreturns the memory immediately following the client list pointer (and reportsthat there was no overlap in the lists).This function is typically called from a server side application callback forALPN or a client side application callback for NPN. In the case of ALPN the listof protocols supplied by the client is guaranteed by libssl to never be zero inlength. The list of server protocols comes from the application and should nevernormally be expected to be of zero length. In this case if theSSL_select_next_proto function has been called as expected (with the listsupplied by the client passed in the client/client_len parameters), then theapplication will not be vulnerable to this issue. If the application hasaccidentally been configured with a zero length server list, and hasaccidentally passed that zero length server list in the client/client_lenparameters, and has additionally failed to correctly handle a \"no overlap\"response (which would normally result in a handshake failure in ALPN) then itwill be vulnerable to this problem.In the case of NPN, the protocol permits the client to opportunistically selecta protocol when there is no overlap. OpenSSL returns the first client protocolin the no overlap case in support of this. The list of client protocols comesfrom the application and should never normally be expected to be of zero length.However if the SSL_select_next_proto function is accidentally called with aclient_len of 0 then an invalid memory pointer will be returned instead. If theapplication uses this output as the opportunistic protocol then the loss ofconfidentiality will occur.This issue has been assessed as Low severity because applications are mostlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is notwidely used. It also requires an application configuration or programming error.Finally, this issue would not typically be under attacker control making activeexploitation unlikely.The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.Due to the low severity of this issue we are not issuing new releases ofOpenSSL at this time. The fix will be included in the next releases when theybecome available. (CVE-2024-5535)", + "cvss": [], + "fix": { + "versions": [ + "1.0.2k-24.amzn2.0.13" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-5535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://www.openssl.org/news/secadv/20240627.txt" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "amazonlinux", + "version": "2" + }, + "namespace": "amazon:distro:amazonlinux:2", + "package": { + "name": "openssl-libs", + "version": "1:1.0.2k-24.amzn2.0.12" + } + }, + "found": { + "versionConstraint": "< 1.0.2k-24.amzn2.0.13 (rpm)", + "vulnerabilityID": "ALAS-2024-2604" + } + }, + { + "type": "exact-indirect-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "amazonlinux", + "version": "2" + }, + "namespace": "amazon:distro:amazonlinux:2", + "package": { + "name": "openssl", + "version": "1.0.2k-24.amzn2.0.12" + } + }, + "found": { + "versionConstraint": "< 1.0.2k-24.amzn2.0.13 (rpm)", + "vulnerabilityID": "ALAS-2024-2604" + } + } + ], + "artifact": { + "id": "ca07aa6bdda5c274", + "name": "openssl-libs", + "version": "1:1.0.2k-24.amzn2.0.12", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/Packages", + "layerID": "sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:openssl-libs:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:amazonlinux:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:amazonlinux:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1:1.0.2k-24.amzn2.0.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/amzn/openssl-libs@1.0.2k-24.amzn2.0.12?arch=aarch64&epoch=1&upstream=openssl-1.0.2k-24.amzn2.0.12.src.rpm&distro=amzn-2", + "upstreams": [ + { + "name": "openssl", + "version": "1.0.2k-24.amzn2.0.12" + } + ], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": 1, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "GHSA-mq26-g339-26xf", + "dataSource": "https://github.com/advisories/GHSA-mq26-g339-26xf", + "namespace": "github:language:python", + "severity": "Medium", + "urls": [ + "https://github.com/advisories/GHSA-mq26-g339-26xf" + ], + "description": "Command Injection in pip when used with Mercurial", + "cvss": [ + { + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": { + "base_severity": "Medium", + "status": "N/A" + } + } + ], + "fix": { + "versions": [ + "23.3" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-5752", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-5752", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://github.com/pypa/pip/pull/12306", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + ], + "description": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + }, + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "python-matcher", + "searchedBy": { + "language": "python", + "namespace": "github:language:python", + "package": { + "name": "pip", + "version": "23.0.1" + } + }, + "found": { + "versionConstraint": "<23.3 (python)", + "vulnerabilityID": "GHSA-mq26-g339-26xf" + } + } + ], + "artifact": { + "id": "8cac57bcd656efc6", + "name": "pip", + "version": "23.0.1", + "type": "python", + "locations": [ + { + "path": "/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/RECORD", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/pip-23.0.1.dist-info/top_level.txt", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "python", + "licenses": [ + "MIT" + ], + "cpes": [ + "cpe:2.3:a:pip_developers_project:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developers_project:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig_project:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig_project:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developersproject:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developersproject:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sigproject:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sigproject:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developers_project:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig_project:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developers:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developers:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developersproject:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils-sig:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils-sig:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sigproject:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python-pip:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python-pip:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python_pip:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python_pip:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip_developers:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils-sig:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:distutils_sig:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pypa:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pypa:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip:python-pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip:python_pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python-pip:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python_pip:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pypa:pip:23.0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:pip:pip:23.0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:pypi/pip@23.0.1", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-7592", + "versionConstraint": "<= 3.13.0 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-0397", + "versionConstraint": ">= 3.13.0a1, < 3.13.0a5 || >= 3.12.0, < 3.12.3 || >= 3.11.0, < 3.11.9 || < 3.10.14 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-36632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-36632", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://docs.python.org/3/library/email.html", + "https://docs.python.org/3/library/email.utils.html", + "https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py", + "https://github.com/python/cpython/issues/103800" + ], + "description": "The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \"RecursionError: maximum recursion depth exceeded while calling a Python object\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-36632", + "versionConstraint": "<= 3.11.4 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-6923", + "versionConstraint": ">= 3.13.0a1, <= 3.13.0rc2 || < 3.12.5 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-27043", + "versionConstraint": "<= 2.7.18 || >= 3.0, <= 3.11 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-8088", + "versionConstraint": "<= 3.13.0 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-5642", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5642", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e", + "https://github.com/python/cpython/issues/121227", + "https://github.com/python/cpython/pull/23014", + "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html", + "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/", + "https://security.netapp.com/advisory/ntap-20240726-0005/" + ], + "description": "CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).", + "cvss": [], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-5642", + "versionConstraint": "< 3.10.0b1 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "stock-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "package": { + "name": "python", + "version": "3.9.19" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-4032", + "versionConstraint": "< 3.12.4 || >= 3.13.0a1, < 3.13.0a6 (unknown)", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "a120648b38c61b3b", + "name": "python", + "version": "3.9.19", + "type": "binary", + "locations": [ + { + "path": "/var/lang/bin/python3.9", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/libpython3.9.so.1.0", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:python_software_foundation:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*", + "cpe:2.3:a:python:python:3.9.19:*:*:*:*:*:*:*" + ], + "purl": "pkg:generic/python@3.9.19", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "GHSA-r9hx-vwmv-q579", + "dataSource": "https://github.com/advisories/GHSA-r9hx-vwmv-q579", + "namespace": "github:language:python", + "severity": "High", + "urls": [ + "https://github.com/advisories/GHSA-r9hx-vwmv-q579" + ], + "description": "pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)", + "cvss": [ + { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": { + "base_severity": "High", + "status": "N/A" + } + } + ], + "fix": { + "versions": [ + "65.5.1" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-40897", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200", + "https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be", + "https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/", + "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/", + "https://pyup.io/vulnerabilities/CVE-2022-40897/52495/", + "https://security.netapp.com/advisory/ntap-20230214-0001/", + "https://security.netapp.com/advisory/ntap-20240621-0006/" + ], + "description": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "python-matcher", + "searchedBy": { + "language": "python", + "namespace": "github:language:python", + "package": { + "name": "setuptools", + "version": "58.1.0" + } + }, + "found": { + "versionConstraint": "<65.5.1 (python)", + "vulnerabilityID": "GHSA-r9hx-vwmv-q579" + } + } + ], + "artifact": { + "id": "bc6c39be42a59eb7", + "name": "setuptools", + "version": "58.1.0", + "type": "python", + "locations": [ + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/RECORD", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/top_level.txt", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "python", + "licenses": [ + "UNKNOWN" + ], + "cpes": [ + "cpe:2.3:a:python:setuptools:58.1.0:*:*:*:*:*:*:*" + ], + "purl": "pkg:pypi/setuptools@58.1.0", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "GHSA-cx63-2mw6-8hw5", + "dataSource": "https://github.com/advisories/GHSA-cx63-2mw6-8hw5", + "namespace": "github:language:python", + "severity": "High", + "urls": [ + "https://github.com/advisories/GHSA-cx63-2mw6-8hw5" + ], + "description": "setuptools vulnerable to Command Injection via package URL", + "cvss": [ + { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": { + "base_severity": "High", + "status": "N/A" + } + } + ], + "fix": { + "versions": [ + "70.0.0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6345", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0", + "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + ], + "description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "python-matcher", + "searchedBy": { + "language": "python", + "namespace": "github:language:python", + "package": { + "name": "setuptools", + "version": "58.1.0" + } + }, + "found": { + "versionConstraint": "<70.0.0 (python)", + "vulnerabilityID": "GHSA-cx63-2mw6-8hw5" + } + } + ], + "artifact": { + "id": "bc6c39be42a59eb7", + "name": "setuptools", + "version": "58.1.0", + "type": "python", + "locations": [ + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/RECORD", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + }, + { + "path": "/var/lang/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/top_level.txt", + "layerID": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0" + } + ], + "language": "python", + "licenses": [ + "UNKNOWN" + ], + "cpes": [ + "cpe:2.3:a:python:setuptools:58.1.0:*:*:*:*:*:*:*" + ], + "purl": "pkg:pypi/setuptools@58.1.0", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-24791", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://go.dev/cl/591255", + "https://go.dev/issue/67555", + "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ", + "https://pkg.go.dev/vuln/GO-2024-2963" + ], + "description": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "go-module-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:golang:go:1.22.4:-:*:*:*:*:*:*" + ], + "package": { + "name": "stdlib", + "version": "go1.22.4" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-24791", + "versionConstraint": "< 1.21.12 || >= 1.22.0-0, < 1.22.5 (unknown)", + "cpes": [ + "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "c93538cbf3d8e93b", + "name": "stdlib", + "version": "go1.22.4", + "type": "go-module", + "locations": [ + { + "path": "/usr/local/bin/aws-lambda-rie", + "layerID": "sha256:9a9b5814afc2b76039ada8e0f4445eeec0c487bcf7637b36b20a7f25bb15b369" + } + ], + "language": "go", + "licenses": [ + "BSD-3-Clause" + ], + "cpes": [ + "cpe:2.3:a:golang:go:1.22.4:-:*:*:*:*:*:*" + ], + "purl": "pkg:golang/stdlib@1.22.4", + "upstreams": [], + "metadataType": "GolangBinMetadata", + "metadata": { + "goCompiledVersion": "go1.22.4", + "architecture": "" + } + } + }, + { + "vulnerability": { + "id": "GHSA-34jh-p97f-mpxf", + "dataSource": "https://github.com/advisories/GHSA-34jh-p97f-mpxf", + "namespace": "github:language:python", + "severity": "Medium", + "urls": [ + "https://github.com/advisories/GHSA-34jh-p97f-mpxf" + ], + "description": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects ", + "cvss": [ + { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.7, + "impactScore": 3.6 + }, + "vendorMetadata": { + "base_severity": "Medium", + "status": "N/A" + } + } + ], + "fix": { + "versions": [ + "1.26.19" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37891", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" + ], + "description": " urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.", + "cvss": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.7, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "python-matcher", + "searchedBy": { + "language": "python", + "namespace": "github:language:python", + "package": { + "name": "urllib3", + "version": "1.26.18" + } + }, + "found": { + "versionConstraint": "<1.26.19 (python)", + "vulnerabilityID": "GHSA-34jh-p97f-mpxf" + } + } + ], + "artifact": { + "id": "18a6c87286e142af", + "name": "urllib3", + "version": "1.26.18", + "type": "python", + "locations": [ + { + "path": "/var/runtime/urllib3-1.26.18.dist-info/METADATA", + "layerID": "sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03" + }, + { + "path": "/var/runtime/urllib3-1.26.18.dist-info/RECORD", + "layerID": "sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03" + }, + { + "path": "/var/runtime/urllib3-1.26.18.dist-info/top_level.txt", + "layerID": "sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03" + } + ], + "language": "python", + "licenses": [ + "MIT" + ], + "cpes": [ + "cpe:2.3:a:python:urllib3:1.26.18:*:*:*:*:*:*:*" + ], + "purl": "pkg:pypi/urllib3@1.26.18", + "upstreams": [] + } + } + ], + "source": { + "type": "image", + "target": { + "userInput": "cloudwatch_to_s3:latest", + "imageID": "sha256:7e36b65761f2da06282720b87b0d5924a7c3478fb655d38e39f8c5eee55b8317", + "manifestDigest": "sha256:256ebbfc5c837807131c5cdfbfb6b7654b75fdac1783ea0ada96f04027c781af", + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "tags": [ + "cloudwatch_to_s3:latest" + ], + "imageSize": 579981542, + "layers": [ + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:0044b36762beca646f20eb6730e3575ec671a8857b39485f38ba0e715d375483", + "size": 335259048 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:a8915dcae1e9ecf7d399d9ad10ac6d490a27c0b058bdd7336493ad04e7cedb94", + "size": 658034 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:91c63ef88078acd534edde8be18b12863689593ea79b6c86671426479a2e0111", + "size": 397 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:9a9b5814afc2b76039ada8e0f4445eeec0c487bcf7637b36b20a7f25bb15b369", + "size": 5963928 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:b98baf0908da50e172bd5dedbd8738e0ce574fe1d7229fec407c64e8725685c0", + "size": 216419370 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:734a487fcc033d64cea626bc74e5937eda7014ad9b80d4b3af36f5cce52d2b03", + "size": 21663150 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:a9fee2695ab32ff2b4699c3b605f75b64cc4481af914eff473f4037ae53bcd20", + "size": 8 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:604b2638b886f5a174251db33570afe12d60f3032f10f19ca584c9552b964c25", + "size": 1219 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:ee32108545f0755778ec959105632baa94507b72d5b381f9739e23c58aa59e60", + "size": 16388 + } + ], + "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo0NDUwLCJkaWdlc3QiOiJzaGEyNTY6N2UzNmI2NTc2MWYyZGEwNjI4MjcyMGI4N2IwZDU5MjRhN2MzNDc4ZmI2NTVkMzhlMzlmOGM1ZWVlNTViODMxNyJ9LCJsYXllcnMiOlt7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjozNDU5NDgxNjAsImRpZ2VzdCI6InNoYTI1NjowMDQ0YjM2NzYyYmVjYTY0NmYyMGViNjczMGUzNTc1ZWM2NzFhODg1N2IzOTQ4NWYzOGJhMGU3MTVkMzc1NDgzIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6NjYwNDgwLCJkaWdlc3QiOiJzaGEyNTY6YTg5MTVkY2FlMWU5ZWNmN2QzOTlkOWFkMTBhYzZkNDkwYTI3YzBiMDU4YmRkNzMzNjQ5M2FkMDRlN2NlZGI5NCJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjI1NjAsImRpZ2VzdCI6InNoYTI1Njo5MWM2M2VmODgwNzhhY2Q1MzRlZGRlOGJlMThiMTI4NjM2ODk1OTNlYTc5YjZjODY2NzE0MjY0NzlhMmUwMTExIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6NTk2Nzg3MiwiZGlnZXN0Ijoic2hhMjU2OjlhOWI1ODE0YWZjMmI3NjAzOWFkYThlMGY0NDQ1ZWVlYzBjNDg3YmNmNzYzN2IzNmIyMGE3ZjI1YmIxNWIzNjkifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjoyMjMzMzkwMDgsImRpZ2VzdCI6InNoYTI1NjpiOThiYWYwOTA4ZGE1MGUxNzJiZDVkZWRiZDg3MzhlMGNlNTc0ZmUxZDcyMjlmZWM0MDdjNjRlODcyNTY4NWMwIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjM5NDkzMTIsImRpZ2VzdCI6InNoYTI1Njo3MzRhNDg3ZmNjMDMzZDY0Y2VhNjI2YmM3NGU1OTM3ZWRhNzAxNGFkOWI4MGQ0YjNhZjM2ZjVjY2U1MmQyYjAzIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MzA3MiwiZGlnZXN0Ijoic2hhMjU2OmE5ZmVlMjY5NWFiMzJmZjJiNDY5OWMzYjYwNWY3NWI2NGNjNDQ4MWFmOTE0ZWZmNDczZjQwMzdhZTUzYmNkMjAifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjo0MDk2LCJkaWdlc3QiOiJzaGEyNTY6NjA0YjI2MzhiODg2ZjVhMTc0MjUxZGIzMzU3MGFmZTEyZDYwZjMwMzJmMTBmMTljYTU4NGM5NTUyYjk2NGMyNSJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjIwNDgwLCJkaWdlc3QiOiJzaGEyNTY6ZWUzMjEwODU0NWYwNzU1Nzc4ZWM5NTkxMDU2MzJiYWE5NDUwN2I3MmQ1YjM4MWY5NzM5ZTIzYzU4YWE1OWU2MCJ9XX0=", + "config": "eyJhcmNoaXRlY3R1cmUiOiJhcm02NCIsImNvbmZpZyI6eyJFbnYiOlsiTEFORz1lbl9VUy5VVEYtOCIsIlRaPTovZXRjL2xvY2FsdGltZSIsIlBBVEg9L3Zhci9sYW5nL2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2Jpbi86L2Jpbjovb3B0L2JpbiIsIkxEX0xJQlJBUllfUEFUSD0vdmFyL2xhbmcvbGliOi9saWI2NDovdXNyL2xpYjY0Oi92YXIvcnVudGltZTovdmFyL3J1bnRpbWUvbGliOi92YXIvdGFzazovdmFyL3Rhc2svbGliOi9vcHQvbGliIiwiTEFNQkRBX1RBU0tfUk9PVD0vdmFyL3Rhc2siLCJMQU1CREFfUlVOVElNRV9ESVI9L3Zhci9ydW50aW1lIiwiQVdTX0NBX0JVTkRMRT0vZXRjL3NzbC9jZXJ0cy9NSVRSRS1jaGFpbi50eHQiXSwiRW50cnlwb2ludCI6WyIvbGFtYmRhLWVudHJ5cG9pbnQuc2giXSwiQ21kIjpbImNsb3Vkd2F0Y2hfdG9fczMubGFtYmRhX2hhbmRsZXIiXSwiV29ya2luZ0RpciI6Ii92YXIvdGFzayIsIkxhYmVscyI6eyJjb20uYW1hem9uYXdzLmxhbWJkYS5wbGF0Zm9ybS5rZXJuZWwiOiJrNTEwZ2EifSwiQXJnc0VzY2FwZWQiOnRydWV9LCJjcmVhdGVkIjoiMjAyNC0wNy0xMVQxMjo1NToyNi4xNDc3NzIzNFoiLCJoaXN0b3J5IjpbeyJjcmVhdGVkIjoiMjAyNC0wNy0xMFQxMTozODoyMloiLCJjcmVhdGVkX2J5IjoiQVJDSElURUNUVVJFIGFybTY0IiwiYXV0aG9yIjoiQVdTIExhbWJkYSIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTEwVDExOjM4OjIyWiIsImNyZWF0ZWRfYnkiOiJWQVJJQU5UIHY4IiwiYXV0aG9yIjoiQVdTIExhbWJkYSIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTEwVDExOjM4OjIyWiIsImNyZWF0ZWRfYnkiOiJBREQgZmlsZTo4MmMzOGFhYzljZDcyZjY2YzQ1ZmVjODIxOTM0NmQ3NGFiNDZlZGZmNTM5NzU5ZmFiMDZkNzhiM2ZhOWY0NzExIC8iLCJhdXRob3IiOiJBV1MgTGFtYmRhIn0seyJjcmVhdGVkIjoiMjAyNC0wNy0xMFQxMTozODoyMloiLCJjcmVhdGVkX2J5IjoiQUREIGZpbGU6Njc1NzUzYWFiYjI5Njk4YzhmYTY4ZTU1ZTkzZjUzOGUyZTViOWRmMWE5ODEyZjQ3NjI2M2Q1ZTNhNjIxMTg4NSAvIiwiYXV0aG9yIjoiQVdTIExhbWJkYSJ9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTBUMTE6Mzg6MjJaIiwiY3JlYXRlZF9ieSI6IkFERCBmaWxlOmE2MzM5Y2NmYzA1YmIyMDIzMjM2NzA2OThjNTA0ZTQ2NDRlOGY1NzcyZWNhNjdjODY2ZGNlZmU2Y2Y1NmJkZDQgLyIsImF1dGhvciI6IkFXUyBMYW1iZGEifSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTEwVDExOjM4OjIyWiIsImNyZWF0ZWRfYnkiOiJBREQgZmlsZTo5NzEyMzc4MzI3NGQ0MDJmMTJjMzIwZWE1MWJjYWVkMzgwMzQyOTlmZWJiMzU4ZGVlZmNlM2QwOGYwY2E3NTZkIC8iLCJhdXRob3IiOiJBV1MgTGFtYmRhIn0seyJjcmVhdGVkIjoiMjAyNC0wNy0xMFQxMTozODoyMloiLCJjcmVhdGVkX2J5IjoiQUREIGZpbGU6NzExODkyNzlhYjA4YTFjNmY2ZDMzODYyYjkwODEwNTliZGIzMWRhMDU0MWZhNTI1MmI0Yjg3YTczZGEyZGUwMSAvIiwiYXV0aG9yIjoiQVdTIExhbWJkYSJ9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTBUMTE6Mzg6MjJaIiwiY3JlYXRlZF9ieSI6IkFERCBmaWxlOmQ5NGUwMDEwMTRmODIwNzdiMTYzMDY1OTYwYjkzMjFiODZmYTQ2OWIxZWEzNTIwZDA2Mjc1ZjlmODM4ODM3OGEgLyIsImF1dGhvciI6IkFXUyBMYW1iZGEifSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTEwVDExOjM4OjIyWiIsImNyZWF0ZWRfYnkiOiJXT1JLRElSIC92YXIvdGFzayIsImF1dGhvciI6IkFXUyBMYW1iZGEiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyNC0wNy0xMFQxMTozODoyMloiLCJjcmVhdGVkX2J5IjoiRU5WIExBTkc9ZW5fVVMuVVRGLTgiLCJhdXRob3IiOiJBV1MgTGFtYmRhIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTBUMTE6Mzg6MjJaIiwiY3JlYXRlZF9ieSI6IkVOViBUWj06L2V0Yy9sb2NhbHRpbWUiLCJhdXRob3IiOiJBV1MgTGFtYmRhIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTBUMTE6Mzg6MjJaIiwiY3JlYXRlZF9ieSI6IkVOViBQQVRIPS92YXIvbGFuZy9iaW46L3Vzci9sb2NhbC9iaW46L3Vzci9iaW4vOi9iaW46L29wdC9iaW4iLCJhdXRob3IiOiJBV1MgTGFtYmRhIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTBUMTE6Mzg6MjJaIiwiY3JlYXRlZF9ieSI6IkVOViBMRF9MSUJSQVJZX1BBVEg9L3Zhci9sYW5nL2xpYjovbGliNjQ6L3Vzci9saWI2NDovdmFyL3J1bnRpbWU6L3Zhci9ydW50aW1lL2xpYjovdmFyL3Rhc2s6L3Zhci90YXNrL2xpYjovb3B0L2xpYiIsImF1dGhvciI6IkFXUyBMYW1iZGEiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyNC0wNy0xMFQxMTozODoyMloiLCJjcmVhdGVkX2J5IjoiRU5WIExBTUJEQV9UQVNLX1JPT1Q9L3Zhci90YXNrIiwiYXV0aG9yIjoiQVdTIExhbWJkYSIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTEwVDExOjM4OjIyWiIsImNyZWF0ZWRfYnkiOiJFTlYgTEFNQkRBX1JVTlRJTUVfRElSPS92YXIvcnVudGltZSIsImF1dGhvciI6IkFXUyBMYW1iZGEiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyNC0wNy0xMFQxMTozODoyMloiLCJjcmVhdGVkX2J5IjoiRU5UUllQT0lOVCBbIFwiL2xhbWJkYS1lbnRyeXBvaW50LnNoXCIgXSIsImF1dGhvciI6IkFXUyBMYW1iZGEiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyNC0wNy0xMFQxMTo0MToyOC45MDE3NTM0NjdaIiwiY3JlYXRlZF9ieSI6Ii9iaW4vc2ggLWMgIyhub3ApICBMQUJFTCBjb20uYW1hem9uYXdzLmxhbWJkYS5wbGF0Zm9ybS5rZXJuZWw9azUxMGdhIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTFUMTI6NTU6MjYuMTMyMTkwMTc0WiIsImNyZWF0ZWRfYnkiOiJDT1BZIGNsb3Vkd2F0Y2hfdG9fczMvcmVxdWlyZW1lbnRzLnR4dCAvdmFyL3Rhc2sgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn0seyJjcmVhdGVkIjoiMjAyNC0wNy0xMVQxMjo1NToyNi4xNDExMjQ3MTVaIiwiY3JlYXRlZF9ieSI6IkNPUFkgY2xvdWR3YXRjaF90b19zMy9jbG91ZHdhdGNoX3RvX3MzLnB5IC92YXIvdGFzayAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTExVDEyOjU1OjI2LjE0Nzc3MjM0WiIsImNyZWF0ZWRfYnkiOiJDT1BZIC4vTUlUUkUtY2hhaW4udHh0IC9ldGMvc3NsL2NlcnRzL01JVFJFLWNoYWluLnR4dCAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTExVDEyOjU1OjI2LjE0Nzc3MjM0WiIsImNyZWF0ZWRfYnkiOiJFTlYgQVdTX0NBX0JVTkRMRT0vZXRjL3NzbC9jZXJ0cy9NSVRSRS1jaGFpbi50eHQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTExVDEyOjU1OjI2LjE0Nzc3MjM0WiIsImNyZWF0ZWRfYnkiOiJDTUQgW1wiY2xvdWR3YXRjaF90b19zMy5sYW1iZGFfaGFuZGxlclwiXSIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9XSwib3MiOiJsaW51eCIsInJvb3RmcyI6eyJ0eXBlIjoibGF5ZXJzIiwiZGlmZl9pZHMiOlsic2hhMjU2OjAwNDRiMzY3NjJiZWNhNjQ2ZjIwZWI2NzMwZTM1NzVlYzY3MWE4ODU3YjM5NDg1ZjM4YmEwZTcxNWQzNzU0ODMiLCJzaGEyNTY6YTg5MTVkY2FlMWU5ZWNmN2QzOTlkOWFkMTBhYzZkNDkwYTI3YzBiMDU4YmRkNzMzNjQ5M2FkMDRlN2NlZGI5NCIsInNoYTI1Njo5MWM2M2VmODgwNzhhY2Q1MzRlZGRlOGJlMThiMTI4NjM2ODk1OTNlYTc5YjZjODY2NzE0MjY0NzlhMmUwMTExIiwic2hhMjU2OjlhOWI1ODE0YWZjMmI3NjAzOWFkYThlMGY0NDQ1ZWVlYzBjNDg3YmNmNzYzN2IzNmIyMGE3ZjI1YmIxNWIzNjkiLCJzaGEyNTY6Yjk4YmFmMDkwOGRhNTBlMTcyYmQ1ZGVkYmQ4NzM4ZTBjZTU3NGZlMWQ3MjI5ZmVjNDA3YzY0ZTg3MjU2ODVjMCIsInNoYTI1Njo3MzRhNDg3ZmNjMDMzZDY0Y2VhNjI2YmM3NGU1OTM3ZWRhNzAxNGFkOWI4MGQ0YjNhZjM2ZjVjY2U1MmQyYjAzIiwic2hhMjU2OmE5ZmVlMjY5NWFiMzJmZjJiNDY5OWMzYjYwNWY3NWI2NGNjNDQ4MWFmOTE0ZWZmNDczZjQwMzdhZTUzYmNkMjAiLCJzaGEyNTY6NjA0YjI2MzhiODg2ZjVhMTc0MjUxZGIzMzU3MGFmZTEyZDYwZjMwMzJmMTBmMTljYTU4NGM5NTUyYjk2NGMyNSIsInNoYTI1NjplZTMyMTA4NTQ1ZjA3NTU3NzhlYzk1OTEwNTYzMmJhYTk0NTA3YjcyZDViMzgxZjk3MzllMjNjNThhYTU5ZTYwIl19LCJ2YXJpYW50IjoidjgifQ==", + "repoDigests": [], + "architecture": "arm64", + "os": "linux", + "labels": { + "com.amazonaws.lambda.platform.kernel": "k510ga" + } + } + }, + "distro": { + "name": "amazonlinux", + "version": "2", + "idLike": [ + "centos", + "rhel", + "fedora" + ] + }, + "descriptor": { + "name": "grype", + "version": "0.79.3", + "configuration": { + "output": [ + "json" + ], + "file": "", + "distro": "", + "add-cpes-if-none": false, + "output-template-file": "", + "check-for-app-update": true, + "only-fixed": false, + "only-notfixed": false, + "ignore-wontfix": "", + "platform": "", + "search": { + "scope": "squashed", + "unindexed-archives": false, + "indexed-archives": true + }, + "ignore": [ + { + "vulnerability": "", + "reason": "", + "namespace": "", + "fix-state": "", + "package": { + "name": "kernel-headers", + "version": "", + "language": "", + "type": "rpm", + "location": "", + "upstream-name": "kernel" + }, + "vex-status": "", + "vex-justification": "", + "match-type": "exact-indirect-match" + }, + { + "vulnerability": "", + "reason": "", + "namespace": "", + "fix-state": "", + "package": { + "name": "linux-headers-.*", + "version": "", + "language": "", + "type": "deb", + "location": "", + "upstream-name": "linux" + }, + "vex-status": "", + "vex-justification": "", + "match-type": "exact-indirect-match" + }, + { + "vulnerability": "", + "reason": "", + "namespace": "", + "fix-state": "", + "package": { + "name": "linux-libc-dev", + "version": "", + "language": "", + "type": "deb", + "location": "", + "upstream-name": "linux" + }, + "vex-status": "", + "vex-justification": "", + "match-type": "exact-indirect-match" + } + ], + "exclude": [], + "db": { + "cache-dir": "/Users/atang/Library/Caches/grype/db", + "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json", + "ca-cert": "", + "auto-update": true, + "validate-by-hash-on-start": false, + "validate-age": true, + "max-allowed-built-age": 432000000000000, + "update-available-timeout": 30000000000, + "update-download-timeout": 120000000000 + }, + "externalSources": { + "enable": false, + "maven": { + "searchUpstreamBySha1": true, + "baseUrl": "https://search.maven.org/solrsearch/select" + } + }, + "match": { + "java": { + "using-cpes": false + }, + "dotnet": { + "using-cpes": false + }, + "golang": { + "using-cpes": false, + "always-use-cpe-for-stdlib": true, + "allow-main-module-pseudo-version-comparison": false + }, + "javascript": { + "using-cpes": false + }, + "python": { + "using-cpes": false + }, + "ruby": { + "using-cpes": false + }, + "rust": { + "using-cpes": false + }, + "stock": { + "using-cpes": true + } + }, + "fail-on-severity": "", + "registry": { + "insecure-skip-tls-verify": false, + "insecure-use-http": false, + "auth": null, + "ca-cert": "" + }, + "show-suppressed": false, + "by-cve": false, + "name": "", + "default-image-pull-source": "", + "vex-documents": [], + "vex-add": [], + "match-upstream-kernel-headers": false + }, + "db": { + "built": "2024-08-29T01:31:52Z", + "schemaVersion": 5, + "location": "/Users/atang/Library/Caches/grype/db/5", + "checksum": "sha256:755b4c6811bb129d58b2f2a7ff01473c8cbcd08f1916cc6a250144601a7d1d39", + "error": null + }, + "timestamp": "2024-08-29T13:47:41.623667-04:00" + } +} diff --git a/test/sample_data/anchoregrype/sample_input_report/anchore_grype.json b/test/sample_data/anchoregrype/sample_input_report/anchore_grype.json new file mode 100644 index 000000000..0379876c5 --- /dev/null +++ b/test/sample_data/anchoregrype/sample_input_report/anchore_grype.json @@ -0,0 +1,13918 @@ +{ + "matches": [ + { + "vulnerability": { + "id": "CVE-2021-36159", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-36159", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Critical", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-36159" + ], + "cvss": [], + "fix": { + "versions": [ + "2.10.7-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-36159", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-36159", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch", + "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749", + "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E" + ], + "description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 10, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "apk-tools", + "version": "2.10.4-r3" + } + }, + "found": { + "versionConstraint": "< 2.10.7-r0 (apk)", + "vulnerabilityID": "CVE-2021-36159" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "apk-tools", + "version": "2.10.4-r3" + } + }, + "found": { + "versionConstraint": "< 2.10.7-r0 (apk)", + "vulnerabilityID": "CVE-2021-36159" + } + } + ], + "artifact": { + "id": "1acb8fe52f3da542", + "name": "apk-tools", + "version": "2.10.4-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL2" + ], + "cpes": [ + "cpe:2.3:a:apk-tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk-tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk_tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk_tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk:apk_tools:2.10.4-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/apk-tools@2.10.4-r3?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "apk-tools" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/apk" + }, + { + "path": "/etc/apk/keys" + }, + { + "path": "/etc/apk/protected_paths.d" + }, + { + "path": "/sbin" + }, + { + "path": "/sbin/apk" + }, + { + "path": "/usr" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/apk" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-30139", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-30139", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-30139" + ], + "cvss": [], + "fix": { + "versions": [ + "2.10.6-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-30139", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-30139", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10741", + "https://gitlab.alpinelinux.org/alpine/aports/-/issues/12606" + ], + "description": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "apk-tools", + "version": "2.10.4-r3" + } + }, + "found": { + "versionConstraint": "< 2.10.6-r0 (apk)", + "vulnerabilityID": "CVE-2021-30139" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "apk-tools", + "version": "2.10.4-r3" + } + }, + "found": { + "versionConstraint": "< 2.10.6-r0 (apk)", + "vulnerabilityID": "CVE-2021-30139" + } + } + ], + "artifact": { + "id": "1acb8fe52f3da542", + "name": "apk-tools", + "version": "2.10.4-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL2" + ], + "cpes": [ + "cpe:2.3:a:apk-tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk-tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk_tools:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk_tools:apk_tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk:apk-tools:2.10.4-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:apk:apk_tools:2.10.4-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/apk-tools@2.10.4-r3?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "apk-tools" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/apk" + }, + { + "path": "/etc/apk/keys" + }, + { + "path": "/etc/apk/protected_paths.d" + }, + { + "path": "/sbin" + }, + { + "path": "/sbin/apk" + }, + { + "path": "/usr" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/apk" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-48174", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://bugs.busybox.net/show_bug.cgi?id=15216" + ], + "description": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-48174", + "versionConstraint": "< 1.35.0 (unknown)", + "cpes": [ + "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-28391", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-28391", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch", + "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch", + "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661" + ], + "description": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 8.6, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-28391", + "versionConstraint": "<= 1.35.0 (unknown)", + "cpes": [ + "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42386", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42386", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42386" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42386", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42386" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42386" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42385", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42385", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42385" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42385", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42385" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42385" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42384", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42384", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42384" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42384", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42384" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42384" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42383", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42383", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42383" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42383", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42383" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42383" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42382", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42382", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42382" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42382", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42382" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42382" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42381", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42381", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42381" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42381", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42381" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42381" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42380", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42380", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42380" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42380", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42380" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42380" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42379", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42379", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42379" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42379", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42379" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42379" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42378", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42378", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42378" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42378", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42378" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42378" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-28831", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-28831", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-28831" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r10" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-28831", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://security.gentoo.org/glsa/202105-09" + ], + "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "cve@mitre.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r10 (apk)", + "vulnerabilityID": "CVE-2021-28831" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r10 (apk)", + "vulnerabilityID": "CVE-2021-28831" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42374", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42374", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42374" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42374", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 3.4, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42374" + } + }, + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42374" + } + } + ], + "artifact": { + "id": "112f3151bd878ae5", + "name": "busybox", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/busybox@1.31.1-r9?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/bin" + }, + { + "path": "/bin/sh" + }, + { + "path": "/bin/busybox" + }, + { + "path": "/etc" + }, + { + "path": "/etc/udhcpd.conf" + }, + { + "path": "/etc/securetty" + }, + { + "path": "/etc/network" + }, + { + "path": "/etc/network/if-down.d" + }, + { + "path": "/etc/network/if-post-down.d" + }, + { + "path": "/etc/network/if-post-up.d" + }, + { + "path": "/etc/network/if-up.d" + }, + { + "path": "/etc/network/if-up.d/dad" + }, + { + "path": "/etc/network/if-pre-down.d" + }, + { + "path": "/etc/network/if-pre-up.d" + }, + { + "path": "/etc/logrotate.d" + }, + { + "path": "/etc/logrotate.d/acpid" + }, + { + "path": "/sbin" + }, + { + "path": "/tmp" + }, + { + "path": "/usr" + }, + { + "path": "/usr/sbin" + }, + { + "path": "/usr/share" + }, + { + "path": "/usr/share/udhcpc" + }, + { + "path": "/usr/share/udhcpc/default.script" + }, + { + "path": "/var" + }, + { + "path": "/var/lib" + }, + { + "path": "/var/lib/udhcpd" + }, + { + "path": "/var/cache" + }, + { + "path": "/var/cache/misc" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-5535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://www.openssl.org/news/secadv/20240627.txt" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-5535", + "versionConstraint": ">= 3.3.0, < 3.3.2 || >= 3.2.0, < 3.2.3 || >= 3.1.0, < 3.1.7 || >= 3.0.0, < 3.0.15 || >= 1.1.1, < 1.1.1za || >= 1.0.2, < 1.0.2zk (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-2068", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2068", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", + "https://security.netapp.com/advisory/ntap-20220707-0008/", + "https://www.debian.org/security/2022/dsa-5169", + "https://www.openssl.org/news/secadv/20220621.txt" + ], + "description": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 10, + "exploitabilityScore": 10, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-2068", + "versionConstraint": ">= 1.0.2, < 1.0.2zf || >= 1.1.1, < 1.1.1p || >= 3.0.0, < 3.0.4 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-1292", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1292", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220602-0009/", + "https://security.netapp.com/advisory/ntap-20220729-0004/", + "https://www.debian.org/security/2022/dsa-5139", + "https://www.openssl.org/news/secadv/20220503.txt", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 10, + "exploitabilityScore": 10, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-1292", + "versionConstraint": ">= 1.0.2, < 1.0.2ze || >= 1.1.1, < 1.1.1o || >= 3.0.0, < 3.0.3 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3711", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3711", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Critical", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3711" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1l-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3711", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20211022-0003/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02" + ], + "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1l-r0 (apk)", + "vulnerabilityID": "CVE-2021-3711" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-4807", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4807", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff", + "https://security.netapp.com/advisory/ntap-20230921-0001/", + "https://www.openssl.org/news/secadv/20230908.txt" + ], + "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-4807", + "versionConstraint": ">= 1.1.1, < 1.1.1w || >= 3.0.0, < 3.0.11 || >= 3.1.0, < 3.1.3 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0464", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.couchbase.com/alerts/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230322.txt" + ], + "description": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0464", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0286", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt", + "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d", + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0286", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0215", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230427-0007/", + "https://security.netapp.com/advisory/ntap-20230427-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0215", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-4450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b", + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-4450", + "versionConstraint": ">= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-0778", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html", + "http://seclists.org/fulldisclosure/2022/May/33", + "http://seclists.org/fulldisclosure/2022/May/35", + "http://seclists.org/fulldisclosure/2022/May/38", + "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220321-0002/", + "https://security.netapp.com/advisory/ntap-20220429-0005/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://support.apple.com/kb/HT213255", + "https://support.apple.com/kb/HT213256", + "https://support.apple.com/kb/HT213257", + "https://www.debian.org/security/2022/dsa-5103", + "https://www.openssl.org/news/secadv/20220315.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.tenable.com/security/tns-2022-06", + "https://www.tenable.com/security/tns-2022-07", + "https://www.tenable.com/security/tns-2022-08", + "https://www.tenable.com/security/tns-2022-09" + ], + "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-0778", + "versionConstraint": ">= 1.0.2, < 1.0.2zd || >= 1.1.0, < 1.1.1n || >= 3.0.0, < 3.0.2 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3712", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3712", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3712" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1l-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3712", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02" + ], + "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1l-r0 (apk)", + "vulnerabilityID": "CVE-2021-3712" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3450", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3450", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3450" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1k-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-08", + "https://www.tenable.com/security/tns-2021-09" + ], + "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1k-r0 (apk)", + "vulnerabilityID": "CVE-2021-3450" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23840", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23840", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23840" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23840", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23840" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-1967", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-1967", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-1967" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1g-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-1967", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", + "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", + "http://seclists.org/fulldisclosure/2020/May/5", + "http://www.openwall.com/lists/oss-security/2020/04/22/2", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1", + "https://github.com/irsl/CVE-2020-1967", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", + "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", + "https://security.gentoo.org/glsa/202004-10", + "https://security.netapp.com/advisory/ntap-20200424-0003/", + "https://security.netapp.com/advisory/ntap-20200717-0004/", + "https://www.debian.org/security/2020/dsa-4661", + "https://www.openssl.org/news/secadv/20200421.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.synology.com/security/advisory/Synology_SA_20_05", + "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", + "https://www.tenable.com/security/tns-2020-03", + "https://www.tenable.com/security/tns-2020-04", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1g-r0 (apk)", + "vulnerabilityID": "CVE-2020-1967" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-0727", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/11/1", + "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", + "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", + "https://security.netapp.com/advisory/ntap-20240208-0006/", + "https://www.openssl.org/news/secadv/20240125.txt" + ], + "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-0727", + "versionConstraint": ">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 || = 3.2.0 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-5678", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/11/1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "https://security.netapp.com/advisory/ntap-20231130-0010/", + "https://www.openssl.org/news/secadv/20231106.txt" + ], + "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-5678", + "versionConstraint": ">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-3817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://seclists.org/fulldisclosure/2023/Jul/43", + "http://www.openwall.com/lists/oss-security/2023/07/31/1", + "http://www.openwall.com/lists/oss-security/2023/09/22/11", + "http://www.openwall.com/lists/oss-security/2023/09/22/9", + "http://www.openwall.com/lists/oss-security/2023/11/06/2", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5", + "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230818-0014/", + "https://security.netapp.com/advisory/ntap-20231027-0008/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20230731.txt" + ], + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-3817", + "versionConstraint": ">= 3.0.0, < 3.0.10 || >= 3.1.0, < 3.1.2 || = 1.0.2 || = 1.0.2-beta1 || = 1.0.2-beta2 || = 1.0.2-beta3 || = 1.0.2a || = 1.0.2b || = 1.0.2c || = 1.0.2d || = 1.0.2e || = 1.0.2f || = 1.0.2g || = 1.0.2h || = 1.0.2i || = 1.0.2j || = 1.0.2k || = 1.0.2l || = 1.0.2m || = 1.0.2n || = 1.0.2o || = 1.0.2p || = 1.0.2q || = 1.0.2r || = 1.0.2s || = 1.0.2t || = 1.0.2u || = 1.0.2v || = 1.0.2w || = 1.0.2x || = 1.0.2y || = 1.0.2za || = 1.0.2zb || = 1.0.2zc || = 1.0.2zd || = 1.0.2ze || = 1.0.2zf || = 1.0.2zg || = 1.0.2zh || = 1.1.1 || = 1.1.1-pre1 || = 1.1.1-pre2 || = 1.1.1-pre3 || = 1.1.1-pre4 || = 1.1.1-pre5 || = 1.1.1-pre6 || = 1.1.1-pre7 || = 1.1.1-pre8 || = 1.1.1-pre9 || = 1.1.1a || = 1.1.1b || = 1.1.1c || = 1.1.1d || = 1.1.1e || = 1.1.1f || = 1.1.1g || = 1.1.1h || = 1.1.1i || = 1.1.1j || = 1.1.1k || = 1.1.1l || = 1.1.1m || = 1.1.1n || = 1.1.1o || = 1.1.1p || = 1.1.1q || = 1.1.1r || = 1.1.1s || = 1.1.1t || = 1.1.1u (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-2650", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/05/30/1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230703-0001/", + "https://security.netapp.com/advisory/ntap-20231027-0009/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230530.txt" + ], + "description": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-2650", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0466", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/09/28/4", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230414-0001/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230328.txt" + ], + "description": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0466", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0465", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230414-0001/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230328.txt" + ], + "description": "Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0465", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-4304", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-4304", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-2097", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93", + "https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220715-0011/", + "https://security.netapp.com/advisory/ntap-20230420-0008/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2023/dsa-5343", + "https://www.openssl.org/news/secadv/20220705.txt" + ], + "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-2097", + "versionConstraint": ">= 1.1.1, < 1.1.1q || >= 3.0.0, < 3.0.5 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-4160", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-4160", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3bf7b73ea7123045b8f972badc67ed6878e6c37f", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6fc1aaaf303185aa5e483e06bdfae16daa9193a7", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2022/dsa-5103", + "https://www.openssl.org/news/secadv/20220128.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2021-4160", + "versionConstraint": ">= 1.0.2, <= 1.0.2zb || >= 1.1.1, < 1.1.1m || = 3.0.0 || = 3.0.0-alpha1 || = 3.0.0-alpha10 || = 3.0.0-alpha11 || = 3.0.0-alpha12 || = 3.0.0-alpha13 || = 3.0.0-alpha14 || = 3.0.0-alpha15 || = 3.0.0-alpha16 || = 3.0.0-alpha17 || = 3.0.0-alpha2 || = 3.0.0-alpha3 || = 3.0.0-alpha4 || = 3.0.0-alpha5 || = 3.0.0-alpha6 || = 3.0.0-alpha7 || = 3.0.0-alpha8 || = 3.0.0-alpha9 || = 3.0.0-beta1 || = 3.0.0-beta2 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3449", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3449", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3449" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1k-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3449", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://www.debian.org/security/2021/dsa-4875", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-06", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1k-r0 (apk)", + "vulnerabilityID": "CVE-2021-3449" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23841", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23841", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23841" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23841", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://seclists.org/fulldisclosure/2021/May/67", + "http://seclists.org/fulldisclosure/2021/May/68", + "http://seclists.org/fulldisclosure/2021/May/70", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://support.apple.com/kb/HT212528", + "https://support.apple.com/kb/HT212529", + "https://support.apple.com/kb/HT212534", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09" + ], + "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23841" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-1971", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-1971", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-1971" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1i-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-1971", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/09/14/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", + "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + "https://security.gentoo.org/glsa/202012-13", + "https://security.netapp.com/advisory/ntap-20201218-0005/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2020/dsa-4807", + "https://www.openssl.org/news/secadv/20201208.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1i-r0 (apk)", + "vulnerabilityID": "CVE-2020-1971" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23839", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23839", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Low", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23839" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23839", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.7, + "exploitabilityScore": 2.2, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23839" + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-2511", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/04/08/5", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://security.netapp.com/advisory/ntap-20240503-0013/", + "https://www.openssl.org/news/secadv/20240408.txt" + ], + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "cvss": [], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-2511", + "versionConstraint": ">= 3.2.0, < 3.2.2 || >= 3.1.0, < 3.1.6 || >= 3.0.0, < 3.0.14 || >= 1.1.1, < 1.1.1y (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "08cad6ac32c19e1e", + "name": "libcrypto1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libcrypto:libcrypto:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libcrypto1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/etc" + }, + { + "path": "/etc/ssl" + }, + { + "path": "/etc/ssl/ct_log_list.cnf.dist" + }, + { + "path": "/etc/ssl/ct_log_list.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf" + }, + { + "path": "/etc/ssl/openssl.cnf.dist" + }, + { + "path": "/etc/ssl/certs" + }, + { + "path": "/etc/ssl/private" + }, + { + "path": "/etc/ssl/misc" + }, + { + "path": "/etc/ssl/misc/tsget.pl" + }, + { + "path": "/etc/ssl/misc/tsget" + }, + { + "path": "/etc/ssl/misc/CA.pl" + }, + { + "path": "/lib" + }, + { + "path": "/lib/libcrypto.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libcrypto.so.1.1" + }, + { + "path": "/usr/lib/engines-1.1" + }, + { + "path": "/usr/lib/engines-1.1/padlock.so" + }, + { + "path": "/usr/lib/engines-1.1/afalg.so" + }, + { + "path": "/usr/lib/engines-1.1/capi.so" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-5535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://www.openssl.org/news/secadv/20240627.txt" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-5535", + "versionConstraint": ">= 3.3.0, < 3.3.2 || >= 3.2.0, < 3.2.3 || >= 3.1.0, < 3.1.7 || >= 3.0.0, < 3.0.15 || >= 1.1.1, < 1.1.1za || >= 1.0.2, < 1.0.2zk (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-2068", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2068", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", + "https://security.netapp.com/advisory/ntap-20220707-0008/", + "https://www.debian.org/security/2022/dsa-5169", + "https://www.openssl.org/news/secadv/20220621.txt" + ], + "description": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 10, + "exploitabilityScore": 10, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-2068", + "versionConstraint": ">= 1.0.2, < 1.0.2zf || >= 1.1.1, < 1.1.1p || >= 3.0.0, < 3.0.4 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-1292", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1292", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220602-0009/", + "https://security.netapp.com/advisory/ntap-20220729-0004/", + "https://www.debian.org/security/2022/dsa-5139", + "https://www.openssl.org/news/secadv/20220503.txt", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 10, + "exploitabilityScore": 10, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-1292", + "versionConstraint": ">= 1.0.2, < 1.0.2ze || >= 1.1.1, < 1.1.1o || >= 3.0.0, < 3.0.3 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3711", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3711", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Critical", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3711" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1l-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3711", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20211022-0003/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02" + ], + "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1l-r0 (apk)", + "vulnerabilityID": "CVE-2021-3711" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-4807", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4807", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff", + "https://security.netapp.com/advisory/ntap-20230921-0001/", + "https://www.openssl.org/news/secadv/20230908.txt" + ], + "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-4807", + "versionConstraint": ">= 1.1.1, < 1.1.1w || >= 3.0.0, < 3.0.11 || >= 3.1.0, < 3.1.3 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0464", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.couchbase.com/alerts/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230322.txt" + ], + "description": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0464", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0286", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt", + "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d", + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0286", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0215", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230427-0007/", + "https://security.netapp.com/advisory/ntap-20230427-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0215", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-4450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b", + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-4450", + "versionConstraint": ">= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-0778", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html", + "http://seclists.org/fulldisclosure/2022/May/33", + "http://seclists.org/fulldisclosure/2022/May/35", + "http://seclists.org/fulldisclosure/2022/May/38", + "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220321-0002/", + "https://security.netapp.com/advisory/ntap-20220429-0005/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://support.apple.com/kb/HT213255", + "https://support.apple.com/kb/HT213256", + "https://support.apple.com/kb/HT213257", + "https://www.debian.org/security/2022/dsa-5103", + "https://www.openssl.org/news/secadv/20220315.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.tenable.com/security/tns-2022-06", + "https://www.tenable.com/security/tns-2022-07", + "https://www.tenable.com/security/tns-2022-08", + "https://www.tenable.com/security/tns-2022-09" + ], + "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-0778", + "versionConstraint": ">= 1.0.2, < 1.0.2zd || >= 1.1.0, < 1.1.1n || >= 3.0.0, < 3.0.2 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3712", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3712", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3712" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1l-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3712", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/08/26/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + "https://security.gentoo.org/glsa/202209-02", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20210827-0010/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4963", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-16", + "https://www.tenable.com/security/tns-2022-02" + ], + "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1l-r0 (apk)", + "vulnerabilityID": "CVE-2021-3712" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3450", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3450", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3450" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1k-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-08", + "https://www.tenable.com/security/tns-2021-09" + ], + "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1k-r0 (apk)", + "vulnerabilityID": "CVE-2021-3450" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23840", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23840", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23840" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23840", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23840" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-1967", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-1967", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-1967" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1g-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-1967", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html", + "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html", + "http://seclists.org/fulldisclosure/2020/May/5", + "http://www.openwall.com/lists/oss-security/2020/04/22/2", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1", + "https://github.com/irsl/CVE-2020-1967", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440", + "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc", + "https://security.gentoo.org/glsa/202004-10", + "https://security.netapp.com/advisory/ntap-20200424-0003/", + "https://security.netapp.com/advisory/ntap-20200717-0004/", + "https://www.debian.org/security/2020/dsa-4661", + "https://www.openssl.org/news/secadv/20200421.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.synology.com/security/advisory/Synology_SA_20_05", + "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL", + "https://www.tenable.com/security/tns-2020-03", + "https://www.tenable.com/security/tns-2020-04", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1g-r0 (apk)", + "vulnerabilityID": "CVE-2020-1967" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-0727", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/11/1", + "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", + "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", + "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", + "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", + "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", + "https://security.netapp.com/advisory/ntap-20240208-0006/", + "https://www.openssl.org/news/secadv/20240125.txt" + ], + "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-0727", + "versionConstraint": ">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 || = 3.2.0 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-5678", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/11/1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", + "https://security.netapp.com/advisory/ntap-20231130-0010/", + "https://www.openssl.org/news/secadv/20231106.txt" + ], + "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-5678", + "versionConstraint": ">= 1.0.2, < 1.0.2zj || >= 1.1.1, < 1.1.1x || >= 3.0.0, < 3.0.13 || >= 3.1.0, < 3.1.5 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-3817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://seclists.org/fulldisclosure/2023/Jul/43", + "http://www.openwall.com/lists/oss-security/2023/07/31/1", + "http://www.openwall.com/lists/oss-security/2023/09/22/11", + "http://www.openwall.com/lists/oss-security/2023/09/22/9", + "http://www.openwall.com/lists/oss-security/2023/11/06/2", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5", + "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230818-0014/", + "https://security.netapp.com/advisory/ntap-20231027-0008/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20230731.txt" + ], + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-3817", + "versionConstraint": ">= 3.0.0, < 3.0.10 || >= 3.1.0, < 3.1.2 || = 1.0.2 || = 1.0.2-beta1 || = 1.0.2-beta2 || = 1.0.2-beta3 || = 1.0.2a || = 1.0.2b || = 1.0.2c || = 1.0.2d || = 1.0.2e || = 1.0.2f || = 1.0.2g || = 1.0.2h || = 1.0.2i || = 1.0.2j || = 1.0.2k || = 1.0.2l || = 1.0.2m || = 1.0.2n || = 1.0.2o || = 1.0.2p || = 1.0.2q || = 1.0.2r || = 1.0.2s || = 1.0.2t || = 1.0.2u || = 1.0.2v || = 1.0.2w || = 1.0.2x || = 1.0.2y || = 1.0.2za || = 1.0.2zb || = 1.0.2zc || = 1.0.2zd || = 1.0.2ze || = 1.0.2zf || = 1.0.2zg || = 1.0.2zh || = 1.1.1 || = 1.1.1-pre1 || = 1.1.1-pre2 || = 1.1.1-pre3 || = 1.1.1-pre4 || = 1.1.1-pre5 || = 1.1.1-pre6 || = 1.1.1-pre7 || = 1.1.1-pre8 || = 1.1.1-pre9 || = 1.1.1a || = 1.1.1b || = 1.1.1c || = 1.1.1d || = 1.1.1e || = 1.1.1f || = 1.1.1g || = 1.1.1h || = 1.1.1i || = 1.1.1j || = 1.1.1k || = 1.1.1l || = 1.1.1m || = 1.1.1n || = 1.1.1o || = 1.1.1p || = 1.1.1q || = 1.1.1r || = 1.1.1s || = 1.1.1t || = 1.1.1u (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-2650", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/05/30/1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230703-0001/", + "https://security.netapp.com/advisory/ntap-20231027-0009/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230530.txt" + ], + "description": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-2650", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0466", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/09/28/4", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230414-0001/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230328.txt" + ], + "description": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0466", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-0465", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://security.gentoo.org/glsa/202402-08", + "https://security.netapp.com/advisory/ntap-20230414-0001/", + "https://www.debian.org/security/2023/dsa-5417", + "https://www.openssl.org/news/secadv/20230328.txt" + ], + "description": "Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-0465", + "versionConstraint": ">= 1.0.2, < 1.0.2zh || >= 1.1.1, < 1.1.1u || >= 3.0.0, < 3.0.9 || >= 3.1.0, < 3.1.1 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-4304", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230207.txt" + ], + "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-4304", + "versionConstraint": ">= 1.0.2, < 1.0.2zg || >= 1.1.1, < 1.1.1t || >= 3.0.0, < 3.0.8 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-2097", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93", + "https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20220715-0011/", + "https://security.netapp.com/advisory/ntap-20230420-0008/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2023/dsa-5343", + "https://www.openssl.org/news/secadv/20220705.txt" + ], + "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-2097", + "versionConstraint": ">= 1.1.1, < 1.1.1q || >= 3.0.0, < 3.0.5 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-4160", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-4160", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3bf7b73ea7123045b8f972badc67ed6878e6c37f", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6fc1aaaf303185aa5e483e06bdfae16daa9193a7", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb", + "https://security.gentoo.org/glsa/202210-02", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2022/dsa-5103", + "https://www.openssl.org/news/secadv/20220128.txt", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2021-4160", + "versionConstraint": ">= 1.0.2, <= 1.0.2zb || >= 1.1.1, < 1.1.1m || = 3.0.0 || = 3.0.0-alpha1 || = 3.0.0-alpha10 || = 3.0.0-alpha11 || = 3.0.0-alpha12 || = 3.0.0-alpha13 || = 3.0.0-alpha14 || = 3.0.0-alpha15 || = 3.0.0-alpha16 || = 3.0.0-alpha17 || = 3.0.0-alpha2 || = 3.0.0-alpha3 || = 3.0.0-alpha4 || = 3.0.0-alpha5 || = 3.0.0-alpha6 || = 3.0.0-alpha7 || = 3.0.0-alpha8 || = 3.0.0-alpha9 || = 3.0.0-beta1 || = 3.0.0-beta2 (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-3449", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-3449", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-3449" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1k-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3449", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/03/27/1", + "http://www.openwall.com/lists/oss-security/2021/03/27/2", + "http://www.openwall.com/lists/oss-security/2021/03/28/3", + "http://www.openwall.com/lists/oss-security/2021/03/28/4", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845", + "https://kc.mcafee.com/corporate/index?page=content&id=SB10356", + "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210326-0006/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd", + "https://www.debian.org/security/2021/dsa-4875", + "https://www.openssl.org/news/secadv/20210325.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-05", + "https://www.tenable.com/security/tns-2021-06", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1k-r0 (apk)", + "vulnerabilityID": "CVE-2021-3449" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23841", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23841", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23841" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23841", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://seclists.org/fulldisclosure/2021/May/67", + "http://seclists.org/fulldisclosure/2021/May/68", + "http://seclists.org/fulldisclosure/2021/May/70", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://security.gentoo.org/glsa/202103-03", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://support.apple.com/kb/HT212528", + "https://support.apple.com/kb/HT212529", + "https://support.apple.com/kb/HT212534", + "https://www.debian.org/security/2021/dsa-4855", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2021-03", + "https://www.tenable.com/security/tns-2021-09" + ], + "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23841" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-1971", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-1971", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-1971" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1i-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-1971", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/09/14/2", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676", + "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + "https://security.gentoo.org/glsa/202012-13", + "https://security.netapp.com/advisory/ntap-20201218-0005/", + "https://security.netapp.com/advisory/ntap-20210513-0002/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.debian.org/security/2020/dsa-4807", + "https://www.openssl.org/news/secadv/20201208.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.tenable.com/security/tns-2020-11", + "https://www.tenable.com/security/tns-2021-09", + "https://www.tenable.com/security/tns-2021-10" + ], + "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1i-r0 (apk)", + "vulnerabilityID": "CVE-2020-1971" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-23839", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-23839", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Low", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-23839" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.1j-r0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-23839", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-23839", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846", + "https://security.netapp.com/advisory/ntap-20210219-0009/", + "https://security.netapp.com/advisory/ntap-20240621-0006/", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.7, + "exploitabilityScore": 2.2, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "versionConstraint": "< 1.1.1j-r0 (apk)", + "vulnerabilityID": "CVE-2021-23839" + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2024-2511", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/04/08/5", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://security.netapp.com/advisory/ntap-20240503-0013/", + "https://www.openssl.org/news/secadv/20240408.txt" + ], + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "cvss": [], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:openssl:openssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "openssl", + "version": "1.1.1d-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2024-2511", + "versionConstraint": ">= 3.2.0, < 3.2.2 || >= 3.1.0, < 3.1.6 || >= 3.0.0, < 3.0.14 || >= 1.1.1, < 1.1.1y (unknown)", + "cpes": [ + "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "3ce41202583cf3fa", + "name": "libssl1.1", + "version": "1.1.1d-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "OpenSSL" + ], + "cpes": [ + "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl1.1:libssl:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl1.1:1.1.1d-r3:*:*:*:*:*:*:*", + "cpe:2.3:a:libssl:libssl:1.1.1d-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/libssl1.1@1.1.1d-r3?arch=aarch64&upstream=openssl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "openssl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libssl.so.1.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + }, + { + "path": "/usr/lib/libssl.so.1.1" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-28928", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-28928", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-28928" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.24-r3" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-28928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-28928", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2020/11/20/4", + "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + "https://musl.libc.org/releases.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "musl", + "version": "1.1.24-r0" + } + }, + "found": { + "versionConstraint": "< 1.1.24-r3 (apk)", + "vulnerabilityID": "CVE-2020-28928" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "musl", + "version": "1.1.24-r0" + } + }, + "found": { + "versionConstraint": "< 1.1.24-r3 (apk)", + "vulnerabilityID": "CVE-2020-28928" + } + } + ], + "artifact": { + "id": "8d33328810d23c5f", + "name": "musl", + "version": "1.1.24-r0", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "MIT" + ], + "cpes": [ + "cpe:2.3:a:musl-libc:musl:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl_libc:musl:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl:musl:1.1.24-r0:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/musl@1.1.24-r0?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "musl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/ld-musl-aarch64.so.1" + }, + { + "path": "/lib/libc.musl-aarch64.so.1" + }, + { + "path": "/usr" + }, + { + "path": "/usr/lib" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2020-28928", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2020-28928", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2020-28928" + ], + "cvss": [], + "fix": { + "versions": [ + "1.1.24-r3" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-28928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-28928", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2020/11/20/4", + "https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/", + "https://musl.libc.org/releases.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "musl", + "version": "1.1.24-r0" + } + }, + "found": { + "versionConstraint": "< 1.1.24-r3 (apk)", + "vulnerabilityID": "CVE-2020-28928" + } + } + ], + "artifact": { + "id": "e94d81063c43dac8", + "name": "musl-utils", + "version": "1.1.24-r0", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "BSD", + "GPL2+", + "MIT" + ], + "cpes": [ + "cpe:2.3:a:musl-utils:musl-utils:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl-utils:musl_utils:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl_utils:musl-utils:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl_utils:musl_utils:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl:musl-utils:1.1.24-r0:*:*:*:*:*:*:*", + "cpe:2.3:a:musl:musl_utils:1.1.24-r0:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/musl-utils@1.1.24-r0?arch=aarch64&upstream=musl&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "musl" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/sbin" + }, + { + "path": "/sbin/ldconfig" + }, + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ldd" + }, + { + "path": "/usr/bin/getconf" + }, + { + "path": "/usr/bin/iconv" + }, + { + "path": "/usr/bin/getent" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-48174", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://bugs.busybox.net/show_bug.cgi?id=15216" + ], + "description": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-48174", + "versionConstraint": "< 1.35.0 (unknown)", + "cpes": [ + "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-28391", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-28391", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch", + "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch", + "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661" + ], + "description": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 8.6, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:busybox:busybox:1.31.1-r9:*:*:*:*:*:*:*" + ], + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "vulnerabilityID": "CVE-2022-28391", + "versionConstraint": "<= 1.35.0 (unknown)", + "cpes": [ + "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42386", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42386", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42386" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42386", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42386", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42386" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42385", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42385", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42385" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42385", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42385", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42385" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42384", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42384", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42384" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42384", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42384" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42383", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42383", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42383" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42383", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42383", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42383" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42382", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42382", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42382" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42382", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42382", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42382" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42381", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42381", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42381" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42381", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42381", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42381" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42380", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42380", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42380" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42380", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42380", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42380" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42379", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42379", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42379" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42379", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42379", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42379" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42378", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42378", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42378" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42378", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42378", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 8, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42378" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-28831", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-28831", + "namespace": "alpine:distro:alpine:3.11", + "severity": "High", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-28831" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r10" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-28831", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://security.gentoo.org/glsa/202105-09" + ], + "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "cve@mitre.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r10 (apk)", + "vulnerabilityID": "CVE-2021-28831" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2021-42374", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2021-42374", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Medium", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2021-42374" + ], + "cvss": [], + "fix": { + "versions": [ + "1.31.1-r11" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-42374", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", + "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/", + "https://security.netapp.com/advisory/ntap-20211223-0002/" + ], + "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 3.4, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "busybox", + "version": "1.31.1-r9" + } + }, + "found": { + "versionConstraint": "< 1.31.1-r11 (apk)", + "vulnerabilityID": "CVE-2021-42374" + } + } + ], + "artifact": { + "id": "c2fec4fd671237bc", + "name": "ssl_client", + "version": "1.31.1-r9", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "GPL-2.0-only" + ], + "cpes": [ + "cpe:2.3:a:ssl-client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl-client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl_client:ssl_client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl-client:1.31.1-r9:*:*:*:*:*:*:*", + "cpe:2.3:a:ssl:ssl_client:1.31.1-r9:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/ssl_client@1.31.1-r9?arch=aarch64&upstream=busybox&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "busybox" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/usr" + }, + { + "path": "/usr/bin" + }, + { + "path": "/usr/bin/ssl_client" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2023-45853", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/10/20/9", + "http://www.openwall.com/lists/oss-security/2024/01/24/10", + "https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356", + "https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", + "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4", + "https://github.com/madler/zlib/pull/843", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", + "https://pypi.org/project/pyminizip/#history", + "https://security.gentoo.org/glsa/202401-18", + "https://security.netapp.com/advisory/ntap-20231130-0009/", + "https://www.winimage.com/zLibDll/minizip.html" + ], + "description": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "zlib", + "version": "1.2.11-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2023-45853", + "versionConstraint": "< 1.3.1 (unknown)", + "cpes": [ + "cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "0551e4487bec111c", + "name": "zlib", + "version": "1.2.11-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "Zlib" + ], + "cpes": [ + "cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "zlib" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libz.so.1" + }, + { + "path": "/lib/libz.so.1.2.11" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2022-37434", + "dataSource": "https://www.cve.org/CVERecord?id=CVE-2022-37434", + "namespace": "alpine:distro:alpine:3.11", + "severity": "Critical", + "urls": [ + "https://www.cve.org/CVERecord?id=CVE-2022-37434" + ], + "cvss": [], + "fix": { + "versions": [ + "1.2.11-r4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-37434", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://seclists.org/fulldisclosure/2022/Oct/37", + "http://seclists.org/fulldisclosure/2022/Oct/38", + "http://seclists.org/fulldisclosure/2022/Oct/41", + "http://seclists.org/fulldisclosure/2022/Oct/42", + "http://www.openwall.com/lists/oss-security/2022/08/05/2", + "http://www.openwall.com/lists/oss-security/2022/08/09/1", + "https://github.com/curl/curl/issues/9271", + "https://github.com/ivd38/zlib_overflow", + "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063", + "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1", + "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764", + "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/", + "https://security.netapp.com/advisory/ntap-20220901-0005/", + "https://security.netapp.com/advisory/ntap-20230427-0007/", + "https://support.apple.com/kb/HT213488", + "https://support.apple.com/kb/HT213489", + "https://support.apple.com/kb/HT213490", + "https://support.apple.com/kb/HT213491", + "https://support.apple.com/kb/HT213493", + "https://support.apple.com/kb/HT213494", + "https://www.debian.org/security/2022/dsa-5218" + ], + "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "zlib", + "version": "1.2.11-r3" + } + }, + "found": { + "versionConstraint": "< 1.2.11-r4 (apk)", + "vulnerabilityID": "CVE-2022-37434" + } + }, + { + "type": "exact-indirect-match", + "matcher": "apk-matcher", + "searchedBy": { + "distro": { + "type": "alpine", + "version": "3.11.3" + }, + "namespace": "alpine:distro:alpine:3.11", + "package": { + "name": "zlib", + "version": "1.2.11-r3" + } + }, + "found": { + "versionConstraint": "< 1.2.11-r4 (apk)", + "vulnerabilityID": "CVE-2022-37434" + } + } + ], + "artifact": { + "id": "0551e4487bec111c", + "name": "zlib", + "version": "1.2.11-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "Zlib" + ], + "cpes": [ + "cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "zlib" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libz.so.1" + }, + { + "path": "/lib/libz.so.1.2.11" + } + ] + } + } + }, + { + "vulnerability": { + "id": "CVE-2018-25032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://seclists.org/fulldisclosure/2022/May/33", + "http://seclists.org/fulldisclosure/2022/May/35", + "http://seclists.org/fulldisclosure/2022/May/38", + "http://www.openwall.com/lists/oss-security/2022/03/25/2", + "http://www.openwall.com/lists/oss-security/2022/03/26/1", + "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf", + "https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531", + "https://github.com/madler/zlib/compare/v1.2.11...v1.2.12", + "https://github.com/madler/zlib/issues/605", + "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html", + "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/", + "https://security.gentoo.org/glsa/202210-42", + "https://security.netapp.com/advisory/ntap-20220526-0009/", + "https://security.netapp.com/advisory/ntap-20220729-0004/", + "https://support.apple.com/kb/HT213255", + "https://support.apple.com/kb/HT213256", + "https://support.apple.com/kb/HT213257", + "https://www.debian.org/security/2022/dsa-5111", + "https://www.openwall.com/lists/oss-security/2022/03/24/1", + "https://www.openwall.com/lists/oss-security/2022/03/28/1", + "https://www.openwall.com/lists/oss-security/2022/03/28/3", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "fix": { + "versions": [], + "state": "unknown" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "cpe-match", + "matcher": "apk-matcher", + "searchedBy": { + "namespace": "nvd:cpe", + "cpes": [ + "cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*" + ], + "package": { + "name": "zlib", + "version": "1.2.11-r3" + } + }, + "found": { + "vulnerabilityID": "CVE-2018-25032", + "versionConstraint": "< 1.2.12 (unknown)", + "cpes": [ + "cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*" + ] + } + } + ], + "artifact": { + "id": "0551e4487bec111c", + "name": "zlib", + "version": "1.2.11-r3", + "type": "apk", + "locations": [ + { + "path": "/lib/apk/db/installed", + "layerID": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b" + } + ], + "language": "", + "licenses": [ + "Zlib" + ], + "cpes": [ + "cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*" + ], + "purl": "pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.3", + "upstreams": [ + { + "name": "zlib" + } + ], + "metadataType": "ApkMetadata", + "metadata": { + "files": [ + { + "path": "/lib" + }, + { + "path": "/lib/libz.so.1" + }, + { + "path": "/lib/libz.so.1.2.11" + } + ] + } + } + } + ], + "source": { + "type": "image", + "target": { + "userInput": "golang:1.12-alpine", + "imageID": "sha256:9d993b748f324b8291a4f202c2bc07b3485f7b9c7c799ee8925f657a760749cd", + "manifestDigest": "sha256:5b6d42c254b9928b3cbc541bbcd52c6e91b239d2246e8e6f9825246980ed1664", + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "tags": [ + "golang:1.12-alpine" + ], + "imageSize": 340592955, + "layers": [ + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:53745f29fdbf5642c5275f34b9803e69742e082df0a7bb3316ece48ba45c622f", + "size": 5345038 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:9c60a09a3ecd837e13b7a944fdd5b15a2474f2e90c7816d4c28658263fcd525c", + "size": 536055 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:1e344161583c7ea28934eb5e22d72155510bdd29547dc503702fddac86a9a05f", + "size": 17 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:ccad0a45fab58237077eb38a0356a11b62854af2b99830dc1426bf04fa879b5b", + "size": 334711845 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:65e02ee814f79aa3782a18c14543f4c0586491bf438d01f0d2dfa79d726915e7", + "size": 0 + } + ], + "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjozODM1LCJkaWdlc3QiOiJzaGEyNTY6OWQ5OTNiNzQ4ZjMyNGI4MjkxYTRmMjAyYzJiYzA3YjM0ODVmN2I5YzdjNzk5ZWU4OTI1ZjY1N2E3NjA3NDljZCJ9LCJsYXllcnMiOlt7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjo1NjE2MTI4LCJkaWdlc3QiOiJzaGEyNTY6NTM3NDVmMjlmZGJmNTY0MmM1Mjc1ZjM0Yjk4MDNlNjk3NDJlMDgyZGYwYTdiYjMzMTZlY2U0OGJhNDVjNjIyZiJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjgyMzI5NiwiZGlnZXN0Ijoic2hhMjU2OjljNjBhMDlhM2VjZDgzN2UxM2I3YTk0NGZkZDViMTVhMjQ3NGYyZTkwYzc4MTZkNGMyODY1ODI2M2ZjZDUyNWMifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjoyNTYwLCJkaWdlc3QiOiJzaGEyNTY6MWUzNDQxNjE1ODNjN2VhMjg5MzRlYjVlMjJkNzIxNTU1MTBiZGQyOTU0N2RjNTAzNzAyZmRkYWM4NmE5YTA1ZiJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjM0MjIwODAwMCwiZGlnZXN0Ijoic2hhMjU2OmNjYWQwYTQ1ZmFiNTgyMzcwNzdlYjM4YTAzNTZhMTFiNjI4NTRhZjJiOTk4MzBkYzE0MjZiZjA0ZmE4NzliNWIifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjozMDcyLCJkaWdlc3QiOiJzaGEyNTY6NjVlMDJlZTgxNGY3OWFhMzc4MmExOGMxNDU0M2Y0YzA1ODY0OTFiZjQzOGQwMWYwZDJkZmE3OWQ3MjY5MTVlNyJ9XX0=", + "config": "eyJhcmNoaXRlY3R1cmUiOiJhcm02NCIsImNvbmZpZyI6eyJIb3N0bmFtZSI6IiIsIkRvbWFpbm5hbWUiOiIiLCJVc2VyIjoiIiwiQXR0YWNoU3RkaW4iOmZhbHNlLCJBdHRhY2hTdGRvdXQiOmZhbHNlLCJBdHRhY2hTdGRlcnIiOmZhbHNlLCJUdHkiOmZhbHNlLCJPcGVuU3RkaW4iOmZhbHNlLCJTdGRpbk9uY2UiOmZhbHNlLCJFbnYiOlsiUEFUSD0vZ28vYmluOi91c3IvbG9jYWwvZ28vYmluOi91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL3NiaW46L3Vzci9iaW46L3NiaW46L2JpbiIsIkdPTEFOR19WRVJTSU9OPTEuMTIuMTciLCJHT1BBVEg9L2dvIl0sIkNtZCI6WyIvYmluL3NoIl0sIkFyZ3NFc2NhcGVkIjp0cnVlLCJJbWFnZSI6InNoYTI1NjoxMmQ3NGIzMWQyOTIzNTc3YTYwYjhiNWJlZjM0OTA1NGFjMzIyNzQ1YWU3ZWY3NjhjYjVjMDRhZWUxMjBmMTY0IiwiVm9sdW1lcyI6bnVsbCwiV29ya2luZ0RpciI6Ii9nbyIsIkVudHJ5cG9pbnQiOm51bGwsIk9uQnVpbGQiOm51bGwsIkxhYmVscyI6bnVsbH0sImNvbnRhaW5lciI6ImY2YWE5Mzc4YmMxODFmZjliMmQyZGU4MzE0NWNhOWZmNzc0NTIzYzg1ZGIzMDRjZGM3ZjFjZGI3NWZmOWNkNTciLCJjb250YWluZXJfY29uZmlnIjp7Ikhvc3RuYW1lIjoiZjZhYTkzNzhiYzE4IiwiRG9tYWlubmFtZSI6IiIsIlVzZXIiOiIiLCJBdHRhY2hTdGRpbiI6ZmFsc2UsIkF0dGFjaFN0ZG91dCI6ZmFsc2UsIkF0dGFjaFN0ZGVyciI6ZmFsc2UsIlR0eSI6ZmFsc2UsIk9wZW5TdGRpbiI6ZmFsc2UsIlN0ZGluT25jZSI6ZmFsc2UsIkVudiI6WyJQQVRIPS9nby9iaW46L3Vzci9sb2NhbC9nby9iaW46L3Vzci9sb2NhbC9zYmluOi91c3IvbG9jYWwvYmluOi91c3Ivc2JpbjovdXNyL2Jpbjovc2JpbjovYmluIiwiR09MQU5HX1ZFUlNJT049MS4xMi4xNyIsIkdPUEFUSD0vZ28iXSwiQ21kIjpbIi9iaW4vc2giLCItYyIsIiMobm9wKSBXT1JLRElSIC9nbyJdLCJBcmdzRXNjYXBlZCI6dHJ1ZSwiSW1hZ2UiOiJzaGEyNTY6MTJkNzRiMzFkMjkyMzU3N2E2MGI4YjViZWYzNDkwNTRhYzMyMjc0NWFlN2VmNzY4Y2I1YzA0YWVlMTIwZjE2NCIsIlZvbHVtZXMiOm51bGwsIldvcmtpbmdEaXIiOiIvZ28iLCJFbnRyeXBvaW50IjpudWxsLCJPbkJ1aWxkIjpudWxsLCJMYWJlbHMiOnt9fSwiY3JlYXRlZCI6IjIwMjAtMDItMTRUMDA6NTE6NDguOTE0MTQxNTA3WiIsImRvY2tlcl92ZXJzaW9uIjoiMTguMDkuNyIsImhpc3RvcnkiOlt7ImNyZWF0ZWQiOiIyMDIwLTAxLTE4VDAxOjM5OjQzLjA3NjMwNjE0MloiLCJjcmVhdGVkX2J5IjoiL2Jpbi9zaCAtYyAjKG5vcCkgQUREIGZpbGU6NDEwOWZhODZkZDgwODUwZTg0YzY4OWZmOWU2YTMyNDNlMzBhYjFiYmNjMDBjNzY1OTY5YjMwMTFiZmJiNDNlMSBpbiAvICJ9LHsiY3JlYXRlZCI6IjIwMjAtMDEtMThUMDE6Mzk6NDMuODA5NDc5NTkxWiIsImNyZWF0ZWRfYnkiOiIvYmluL3NoIC1jICMobm9wKSAgQ01EIFtcIi9iaW4vc2hcIl0iLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMC0wMS0xOFQwNjoxMDoyOS42MDUxNjg3NTJaIiwiY3JlYXRlZF9ieSI6Ii9iaW4vc2ggLWMgYXBrIGFkZCAtLW5vLWNhY2hlIFx0XHRjYS1jZXJ0aWZpY2F0ZXMifSx7ImNyZWF0ZWQiOiIyMDIwLTAxLTE4VDA2OjEwOjM2LjkzMDI0OTEzNloiLCJjcmVhdGVkX2J5IjoiL2Jpbi9zaCAtYyBbICEgLWUgL2V0Yy9uc3N3aXRjaC5jb25mIF0gXHUwMDI2XHUwMDI2IGVjaG8gJ2hvc3RzOiBmaWxlcyBkbnMnIFx1MDAzZSAvZXRjL25zc3dpdGNoLmNvbmYifSx7ImNyZWF0ZWQiOiIyMDIwLTAyLTE0VDAwOjQ5OjI4LjY0MTg0NjYxN1oiLCJjcmVhdGVkX2J5IjoiL2Jpbi9zaCAtYyAjKG5vcCkgIEVOViBHT0xBTkdfVkVSU0lPTj0xLjEyLjE3IiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjAtMDItMTRUMDA6NTE6MzguMjU3MDUzMzg1WiIsImNyZWF0ZWRfYnkiOiIvYmluL3NoIC1jIHNldCAtZXV4OyBcdGFwayBhZGQgLS1uby1jYWNoZSAtLXZpcnR1YWwgLmJ1aWxkLWRlcHMgXHRcdGJhc2ggXHRcdGdjYyBcdFx0bXVzbC1kZXYgXHRcdG9wZW5zc2wgXHRcdGdvIFx0OyBcdGV4cG9ydCBcdFx0R09ST09UX0JPT1RTVFJBUD1cIiQoZ28gZW52IEdPUk9PVClcIiBcdFx0R09PUz1cIiQoZ28gZW52IEdPT1MpXCIgXHRcdEdPQVJDSD1cIiQoZ28gZW52IEdPQVJDSClcIiBcdFx0R09IT1NUT1M9XCIkKGdvIGVudiBHT0hPU1RPUylcIiBcdFx0R09IT1NUQVJDSD1cIiQoZ28gZW52IEdPSE9TVEFSQ0gpXCIgXHQ7IFx0YXBrQXJjaD1cIiQoYXBrIC0tcHJpbnQtYXJjaClcIjsgXHRjYXNlIFwiJGFwa0FyY2hcIiBpbiBcdFx0YXJtaGYpIGV4cG9ydCBHT0FSTT0nNicgOzsgXHRcdGFybXY3KSBleHBvcnQgR09BUk09JzcnIDs7IFx0XHR4ODYpIGV4cG9ydCBHTzM4Nj0nMzg3JyA7OyBcdGVzYWM7IFx0XHR3Z2V0IC1PIGdvLnRneiBcImh0dHBzOi8vZ29sYW5nLm9yZy9kbC9nbyRHT0xBTkdfVkVSU0lPTi5zcmMudGFyLmd6XCI7IFx0ZWNobyAnZGU4NzgyMThjNDNhYTNjM2JhZDU0YzFjNTJkOTVlM2IwZTVkMzM2ZTEyODVjNjQ3MzgzZTc3NTU0MWEyOGIyNSAqZ28udGd6JyB8IHNoYTI1NnN1bSAtYyAtOyBcdHRhciAtQyAvdXNyL2xvY2FsIC14emYgZ28udGd6OyBcdHJtIGdvLnRnejsgXHRcdGNkIC91c3IvbG9jYWwvZ28vc3JjOyBcdC4vbWFrZS5iYXNoOyBcdFx0cm0gLXJmIFx0XHQvdXNyL2xvY2FsL2dvL3BrZy9ib290c3RyYXAgXHRcdC91c3IvbG9jYWwvZ28vcGtnL29iaiBcdDsgXHRhcGsgZGVsIC5idWlsZC1kZXBzOyBcdFx0ZXhwb3J0IFBBVEg9XCIvdXNyL2xvY2FsL2dvL2JpbjokUEFUSFwiOyBcdGdvIHZlcnNpb24ifSx7ImNyZWF0ZWQiOiIyMDIwLTAyLTE0VDAwOjUxOjM5Ljg2MjY0NTA4MloiLCJjcmVhdGVkX2J5IjoiL2Jpbi9zaCAtYyAjKG5vcCkgIEVOViBHT1BBVEg9L2dvIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjAtMDItMTRUMDA6NTE6NDMuNDg2Mjc2NjMyWiIsImNyZWF0ZWRfYnkiOiIvYmluL3NoIC1jICMobm9wKSAgRU5WIFBBVEg9L2dvL2JpbjovdXNyL2xvY2FsL2dvL2JpbjovdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMC0wMi0xNFQwMDo1MTo0Ny43MTk1NTM5NFoiLCJjcmVhdGVkX2J5IjoiL2Jpbi9zaCAtYyBta2RpciAtcCBcIiRHT1BBVEgvc3JjXCIgXCIkR09QQVRIL2JpblwiIFx1MDAyNlx1MDAyNiBjaG1vZCAtUiA3NzcgXCIkR09QQVRIXCIifSx7ImNyZWF0ZWQiOiIyMDIwLTAyLTE0VDAwOjUxOjQ4LjkxNDE0MTUwN1oiLCJjcmVhdGVkX2J5IjoiL2Jpbi9zaCAtYyAjKG5vcCkgV09SS0RJUiAvZ28iLCJlbXB0eV9sYXllciI6dHJ1ZX1dLCJvcyI6ImxpbnV4Iiwicm9vdGZzIjp7InR5cGUiOiJsYXllcnMiLCJkaWZmX2lkcyI6WyJzaGEyNTY6NTM3NDVmMjlmZGJmNTY0MmM1Mjc1ZjM0Yjk4MDNlNjk3NDJlMDgyZGYwYTdiYjMzMTZlY2U0OGJhNDVjNjIyZiIsInNoYTI1Njo5YzYwYTA5YTNlY2Q4MzdlMTNiN2E5NDRmZGQ1YjE1YTI0NzRmMmU5MGM3ODE2ZDRjMjg2NTgyNjNmY2Q1MjVjIiwic2hhMjU2OjFlMzQ0MTYxNTgzYzdlYTI4OTM0ZWI1ZTIyZDcyMTU1NTEwYmRkMjk1NDdkYzUwMzcwMmZkZGFjODZhOWEwNWYiLCJzaGEyNTY6Y2NhZDBhNDVmYWI1ODIzNzA3N2ViMzhhMDM1NmExMWI2Mjg1NGFmMmI5OTgzMGRjMTQyNmJmMDRmYTg3OWI1YiIsInNoYTI1Njo2NWUwMmVlODE0Zjc5YWEzNzgyYTE4YzE0NTQzZjRjMDU4NjQ5MWJmNDM4ZDAxZjBkMmRmYTc5ZDcyNjkxNWU3Il19fQ==", + "repoDigests": [ + "golang@sha256:3f8e3ad3e7c128d29ac3004ac8314967c5ddbfa5bfa7caa59b0de493fc01686a" + ], + "architecture": "arm64", + "os": "linux" + } + }, + "distro": { + "name": "alpine", + "version": "3.11.3", + "idLike": [] + }, + "descriptor": { + "name": "grype", + "version": "0.79.3", + "configuration": { + "output": [ + "json" + ], + "file": "", + "distro": "", + "add-cpes-if-none": false, + "output-template-file": "", + "check-for-app-update": true, + "only-fixed": false, + "only-notfixed": false, + "ignore-wontfix": "", + "platform": "", + "search": { + "scope": "all-layers", + "unindexed-archives": false, + "indexed-archives": true + }, + "ignore": [ + { + "vulnerability": "", + "reason": "", + "namespace": "", + "fix-state": "", + "package": { + "name": "kernel-headers", + "version": "", + "language": "", + "type": "rpm", + "location": "", + "upstream-name": "kernel" + }, + "vex-status": "", + "vex-justification": "", + "match-type": "exact-indirect-match" + }, + { + "vulnerability": "", + "reason": "", + "namespace": "", + "fix-state": "", + "package": { + "name": "linux-headers-.*", + "version": "", + "language": "", + "type": "deb", + "location": "", + "upstream-name": "linux" + }, + "vex-status": "", + "vex-justification": "", + "match-type": "exact-indirect-match" + }, + { + "vulnerability": "", + "reason": "", + "namespace": "", + "fix-state": "", + "package": { + "name": "linux-libc-dev", + "version": "", + "language": "", + "type": "deb", + "location": "", + "upstream-name": "linux" + }, + "vex-status": "", + "vex-justification": "", + "match-type": "exact-indirect-match" + } + ], + "exclude": [], + "db": { + "cache-dir": "/Users/atang/Library/Caches/grype/db", + "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json", + "ca-cert": "", + "auto-update": true, + "validate-by-hash-on-start": false, + "validate-age": true, + "max-allowed-built-age": 432000000000000, + "update-available-timeout": 30000000000, + "update-download-timeout": 120000000000 + }, + "externalSources": { + "enable": false, + "maven": { + "searchUpstreamBySha1": true, + "baseUrl": "https://search.maven.org/solrsearch/select" + } + }, + "match": { + "java": { + "using-cpes": false + }, + "dotnet": { + "using-cpes": false + }, + "golang": { + "using-cpes": false, + "always-use-cpe-for-stdlib": true, + "allow-main-module-pseudo-version-comparison": false + }, + "javascript": { + "using-cpes": false + }, + "python": { + "using-cpes": false + }, + "ruby": { + "using-cpes": false + }, + "rust": { + "using-cpes": false + }, + "stock": { + "using-cpes": true + } + }, + "fail-on-severity": "", + "registry": { + "insecure-skip-tls-verify": false, + "insecure-use-http": false, + "auth": null, + "ca-cert": "" + }, + "show-suppressed": false, + "by-cve": false, + "name": "", + "default-image-pull-source": "", + "vex-documents": [], + "vex-add": [], + "match-upstream-kernel-headers": false + }, + "db": { + "built": "2024-07-23T01:30:37Z", + "schemaVersion": 5, + "location": "/Users/atang/Library/Caches/grype/db/5", + "checksum": "sha256:972d0f51e180d424f3fff2637a1559e06940f35eda6bd03593be2a3db8f28971", + "error": null + }, + "timestamp": "2024-07-23T08:42:03.544511-04:00" + } +} diff --git a/test/sample_data/anchoregrype/sample_input_report/tensorflow.json b/test/sample_data/anchoregrype/sample_input_report/tensorflow.json new file mode 100644 index 000000000..534b7ae54 --- /dev/null +++ b/test/sample_data/anchoregrype/sample_input_report/tensorflow.json @@ -0,0 +1,182646 @@ +{ + "matches": [ + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "2baa616d4a39d455", + "name": "binutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "2baa616d4a39d455", + "name": "binutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "2baa616d4a39d455", + "name": "binutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "2baa616d4a39d455", + "name": "binutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "2baa616d4a39d455", + "name": "binutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "63fdcfa2d3d7f050", + "name": "binutils-common", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-common:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "63fdcfa2d3d7f050", + "name": "binutils-common", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-common:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "63fdcfa2d3d7f050", + "name": "binutils-common", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-common:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "63fdcfa2d3d7f050", + "name": "binutils-common", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-common:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "63fdcfa2d3d7f050", + "name": "binutils-common", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-common:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "f1c65ff7effb20c8", + "name": "binutils-x86-64-linux-gnu", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "f1c65ff7effb20c8", + "name": "binutils-x86-64-linux-gnu", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "f1c65ff7effb20c8", + "name": "binutils-x86-64-linux-gnu", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "f1c65ff7effb20c8", + "name": "binutils-x86-64-linux-gnu", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "f1c65ff7effb20c8", + "name": "binutils-x86-64-linux-gnu", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2781", + "dataSource": "https://ubuntu.com/security/CVE-2016-2781", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2781" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2781", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2781", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/28/2", + "http://www.openwall.com/lists/oss-security/2016/02/28/3", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + ], + "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "coreutils", + "version": "8.32-4.1ubuntu1.2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2781" + } + } + ], + "artifact": { + "id": "ba31f56208da56da", + "name": "coreutils", + "version": "8.32-4.1ubuntu1.2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/coreutils/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/coreutils.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-3" + ], + "cpes": [ + "cpe:2.3:a:coreutils:coreutils:8.32-4.1ubuntu1.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1.2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "c933f77f391da70f", + "name": "cpp", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2020-13844", + "dataSource": "https://ubuntu.com/security/CVE-2020-13844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-13844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-13844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-13844", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions", + "https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html" + ], + "description": "Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \"straight-line speculation.\"", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-13844" + } + } + ], + "artifact": { + "id": "c933f77f391da70f", + "name": "cpp", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "c933f77f391da70f", + "name": "cpp", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-15847", + "dataSource": "https://ubuntu.com/security/CVE-2019-15847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2019-15847" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-15847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481" + ], + "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-15847" + } + } + ], + "artifact": { + "id": "c933f77f391da70f", + "name": "cpp", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "ec8dc9fd7bb4eba9", + "name": "cpp-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "ec8dc9fd7bb4eba9", + "name": "cpp-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "ec8dc9fd7bb4eba9", + "name": "cpp-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "ec8dc9fd7bb4eba9", + "name": "cpp-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7264", + "dataSource": "https://ubuntu.com/security/CVE-2024-7264", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7264" + ], + "cvss": [], + "fix": { + "versions": [ + "7.81.0-1ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7264", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7264", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/07/31/1", + "https://curl.se/docs/CVE-2024-7264.html", + "https://curl.se/docs/CVE-2024-7264.json", + "https://hackerone.com/reports/2629968" + ], + "description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "curl", + "version": "7.81.0-1ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 7.81.0-1ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-7264" + } + } + ], + "artifact": { + "id": "324465965a47402a", + "name": "curl", + "version": "7.81.0-1ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/curl/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/curl.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-Clause", + "BSD-4-Clause", + "ISC", + "curl", + "other", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:curl:curl:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-34969", + "dataSource": "https://ubuntu.com/security/CVE-2023-34969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-34969" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-34969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-34969", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gitlab.freedesktop.org/dbus/dbus/-/issues/457", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/", + "https://security.netapp.com/advisory/ntap-20231208-0007/" + ], + "description": "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "dbus", + "version": "1.12.20-2ubuntu4.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-34969" + } + } + ], + "artifact": { + "id": "60da06608335c6e9", + "name": "dbus", + "version": "1.12.20-2ubuntu4.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/dbus/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/dbus.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/dbus.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "AFL-2.1", + "BSD-3-clause", + "BSD-3-clause-generic", + "Expat", + "GPL-2", + "GPL-2+", + "Tcl-BSDish", + "g10-permissive" + ], + "cpes": [ + "cpe:2.3:a:dbus:dbus:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/dbus@1.12.20-2ubuntu4.1?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "efa651c03e29c607", + "name": "dirmngr", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/dirmngr/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/dirmngr.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:dirmngr:dirmngr:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/dirmngr@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "991685e1bc259ed8", + "name": "g++", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2020-13844", + "dataSource": "https://ubuntu.com/security/CVE-2020-13844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-13844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-13844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-13844", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions", + "https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html" + ], + "description": "Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \"straight-line speculation.\"", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-13844" + } + } + ], + "artifact": { + "id": "991685e1bc259ed8", + "name": "g++", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "991685e1bc259ed8", + "name": "g++", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-15847", + "dataSource": "https://ubuntu.com/security/CVE-2019-15847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2019-15847" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-15847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481" + ], + "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-15847" + } + } + ], + "artifact": { + "id": "991685e1bc259ed8", + "name": "g++", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "4b5cc3dda3447fc9", + "name": "g++-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "4b5cc3dda3447fc9", + "name": "g++-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "4b5cc3dda3447fc9", + "name": "g++-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "4b5cc3dda3447fc9", + "name": "g++-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "343d7434c8c334f5", + "name": "gcc", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2020-13844", + "dataSource": "https://ubuntu.com/security/CVE-2020-13844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-13844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-13844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-13844", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions", + "https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html" + ], + "description": "Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \"straight-line speculation.\"", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-13844" + } + } + ], + "artifact": { + "id": "343d7434c8c334f5", + "name": "gcc", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "343d7434c8c334f5", + "name": "gcc", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-15847", + "dataSource": "https://ubuntu.com/security/CVE-2019-15847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2019-15847" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-15847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481" + ], + "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-15847" + } + } + ], + "artifact": { + "id": "343d7434c8c334f5", + "name": "gcc", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "b15bbd3cb5f12603", + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "b15bbd3cb5f12603", + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "b15bbd3cb5f12603", + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "b15bbd3cb5f12603", + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "21bb5fd2d1b64d58", + "name": "gcc-11-base", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11-base:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "21bb5fd2d1b64d58", + "name": "gcc-11-base", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11-base:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "21bb5fd2d1b64d58", + "name": "gcc-11-base", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11-base:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "21bb5fd2d1b64d58", + "name": "gcc-11-base", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11-base:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "0d7332e43f485d8d", + "name": "gcc-12-base", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/gcc-12-base:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-12-base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12-base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12_base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12_base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "0d7332e43f485d8d", + "name": "gcc-12-base", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/gcc-12-base:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-12-base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12-base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12_base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12_base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0217", + "dataSource": "https://ubuntu.com/security/CVE-2024-0217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0217", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2024-0217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2256624", + "https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79" + ], + "description": "A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0217" + } + } + ], + "artifact": { + "id": "3e0695ea8a15e043", + "name": "gir1.2-packagekitglib-1.0", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gir1.2-packagekitglib-1.0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gir1.2-packagekitglib-1.0.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gir1.2-packagekitglib-1.0@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "packagekit" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-0987", + "dataSource": "https://ubuntu.com/security/CVE-2022-0987", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0987" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0987", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0987", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2064315" + ], + "description": "A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0987" + } + } + ], + "artifact": { + "id": "3e0695ea8a15e043", + "name": "gir1.2-packagekitglib-1.0", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gir1.2-packagekitglib-1.0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gir1.2-packagekitglib-1.0.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gir1.2-packagekitglib-1.0@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "packagekit" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "1d53afeb1b2bed73", + "name": "gnupg", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gnupg/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gnupg.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gnupg:gnupg:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gnupg@2.2.27-3ubuntu2.1?arch=all&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "50e44f27e2b0c800", + "name": "gnupg-l10n", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gnupg-l10n/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gnupg-l10n.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gnupg-l10n:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg-l10n:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg_l10n:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg_l10n:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gnupg-l10n@2.2.27-3ubuntu2.1?arch=all&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "1d0ecf2cdf605099", + "name": "gnupg-utils", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gnupg-utils/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gnupg-utils.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gnupg-utils:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg-utils:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg_utils:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg_utils:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gnupg-utils@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "22ea11b15ccb9d9a", + "name": "gpg", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpg/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpg.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpg:gpg:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpg@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "6b1172046efd6589", + "name": "gpg-agent", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpg-agent/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpg-agent.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpg-agent.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpg-agent:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-agent:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_agent:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_agent:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpg-agent@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "165b537d3990d094", + "name": "gpg-wks-client", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpg-wks-client/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpg-wks-client.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpg-wks-client:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks-client:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks_client:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks_client:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpg-wks-client@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "89c2406ff86aa601", + "name": "gpg-wks-server", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpg-wks-server/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpg-wks-server.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpg-wks-server:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks-server:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks_server:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks_server:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpg-wks-server@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "775f261341147b3c", + "name": "gpgconf", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpgconf/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpgconf.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpgconf:gpgconf:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpgconf@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "5e764c44f36dd32a", + "name": "gpgsm", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpgsm/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpgsm.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpgsm:gpgsm:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpgsm@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "9b32ff71df8828aa", + "name": "gpgv", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpgv/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/gpgv.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpgv:gpgv:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-1585", + "dataSource": "https://ubuntu.com/security/CVE-2016-1585", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2016-1585" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-1585", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-1585", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://bugs.launchpad.net/apparmor/+bug/1597017", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + ], + "description": "In all versions of AppArmor mount rules are accidentally widened when compiled.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "security@ubuntu.com", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 3.9, + "exploitabilityScore": 0.5, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "apparmor", + "version": "3.0.4-2ubuntu2.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-1585" + } + } + ], + "artifact": { + "id": "20b7d6a703b1cdb0", + "name": "libapparmor1", + "version": "3.0.4-2ubuntu2.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libapparmor1/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libapparmor1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:libapparmor1:libapparmor1:3.0.4-2ubuntu2.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libapparmor1@3.0.4-2ubuntu2.3?arch=amd64&upstream=apparmor&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "apparmor" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "56ea2975ec405acb", + "name": "libasan6", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libasan6:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "56ea2975ec405acb", + "name": "libasan6", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libasan6:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "56ea2975ec405acb", + "name": "libasan6", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libasan6:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "56ea2975ec405acb", + "name": "libasan6", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libasan6:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "816f5e3fe2b8694c", + "name": "libatomic1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libatomic1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libatomic1:libatomic1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libatomic1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "816f5e3fe2b8694c", + "name": "libatomic1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libatomic1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libatomic1:libatomic1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libatomic1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "e1318293ffeacaf0", + "name": "libbinutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libbinutils:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "e1318293ffeacaf0", + "name": "libbinutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libbinutils:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "e1318293ffeacaf0", + "name": "libbinutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libbinutils:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "e1318293ffeacaf0", + "name": "libbinutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libbinutils:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "e1318293ffeacaf0", + "name": "libbinutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libbinutils:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-20013", + "dataSource": "https://ubuntu.com/security/CVE-2016-20013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2016-20013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-20013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-20013", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://akkadia.org/drepper/SHA-crypt.txt", + "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/", + "https://twitter.com/solardiz/status/795601240151457793" + ], + "description": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "glibc", + "version": "2.35-0ubuntu3.8" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-20013" + } + } + ], + "artifact": { + "id": "534613922e3db6d7", + "name": "libc-bin", + "version": "2.35-0ubuntu3.8", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libc-bin/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libc-bin.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libc-bin.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.3", + "GPL-2", + "LGPL-2.1" + ], + "cpes": [ + "cpe:2.3:a:libc-bin:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc-bin:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_bin:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_bin:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "glibc" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-20013", + "dataSource": "https://ubuntu.com/security/CVE-2016-20013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2016-20013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-20013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-20013", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://akkadia.org/drepper/SHA-crypt.txt", + "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/", + "https://twitter.com/solardiz/status/795601240151457793" + ], + "description": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "glibc", + "version": "2.35-0ubuntu3.8" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-20013" + } + } + ], + "artifact": { + "id": "57746bb623c8ca26", + "name": "libc-dev-bin", + "version": "2.35-0ubuntu3.8", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libc-dev-bin/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libc-dev-bin.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.3", + "GPL-2", + "LGPL-2.1" + ], + "cpes": [ + "cpe:2.3:a:libc-dev-bin:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc-dev-bin:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_dev_bin:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_dev_bin:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc-dev:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc-dev:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_dev:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_dev:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libc-dev-bin@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "glibc" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-20013", + "dataSource": "https://ubuntu.com/security/CVE-2016-20013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2016-20013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-20013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-20013", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://akkadia.org/drepper/SHA-crypt.txt", + "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/", + "https://twitter.com/solardiz/status/795601240151457793" + ], + "description": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "glibc", + "version": "2.35-0ubuntu3.8" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-20013" + } + } + ], + "artifact": { + "id": "cde0d63aef474648", + "name": "libc6", + "version": "2.35-0ubuntu3.8", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libc6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libc6:amd64.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libc6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.3", + "GPL-2", + "LGPL-2.1" + ], + "cpes": [ + "cpe:2.3:a:libc6:libc6:2.35-0ubuntu3.8:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "glibc" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-20013", + "dataSource": "https://ubuntu.com/security/CVE-2016-20013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2016-20013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-20013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-20013", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://akkadia.org/drepper/SHA-crypt.txt", + "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/", + "https://twitter.com/solardiz/status/795601240151457793" + ], + "description": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "glibc", + "version": "2.35-0ubuntu3.8" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-20013" + } + } + ], + "artifact": { + "id": "ce5bb87ce346e38b", + "name": "libc6-dev", + "version": "2.35-0ubuntu3.8", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libc6-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libc6-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.3", + "GPL-2", + "LGPL-2.1" + ], + "cpes": [ + "cpe:2.3:a:libc6-dev:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc6-dev:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc6_dev:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc6_dev:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc6:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc6:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libc6-dev@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "glibc" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "a69323dca274b473", + "name": "libcc1-0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libcc1-0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libcc1-0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1-0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1_0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1_0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libcc1-0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "a69323dca274b473", + "name": "libcc1-0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libcc1-0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libcc1-0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1-0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1_0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1_0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libcc1-0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "f60f0b441039170a", + "name": "libctf-nobfd0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libctf-nobfd0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "f60f0b441039170a", + "name": "libctf-nobfd0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libctf-nobfd0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "f60f0b441039170a", + "name": "libctf-nobfd0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libctf-nobfd0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "f60f0b441039170a", + "name": "libctf-nobfd0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libctf-nobfd0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "f60f0b441039170a", + "name": "libctf-nobfd0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libctf-nobfd0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "090aac7e6312e1a4", + "name": "libctf0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "090aac7e6312e1a4", + "name": "libctf0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "090aac7e6312e1a4", + "name": "libctf0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "090aac7e6312e1a4", + "name": "libctf0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "090aac7e6312e1a4", + "name": "libctf0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7264", + "dataSource": "https://ubuntu.com/security/CVE-2024-7264", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7264" + ], + "cvss": [], + "fix": { + "versions": [ + "7.81.0-1ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7264", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7264", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/07/31/1", + "https://curl.se/docs/CVE-2024-7264.html", + "https://curl.se/docs/CVE-2024-7264.json", + "https://hackerone.com/reports/2629968" + ], + "description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "curl", + "version": "7.81.0-1ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 7.81.0-1ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-7264" + } + } + ], + "artifact": { + "id": "b4d74f55020f24c9", + "name": "libcurl3-gnutls", + "version": "7.81.0-1ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libcurl3-gnutls/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libcurl3-gnutls:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-Clause", + "BSD-4-Clause", + "ISC", + "curl", + "other", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:libcurl3-gnutls:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl3-gnutls:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl3_gnutls:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl3_gnutls:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl3:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl3:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libcurl3-gnutls@7.81.0-1ubuntu1.16?arch=amd64&upstream=curl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "curl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7264", + "dataSource": "https://ubuntu.com/security/CVE-2024-7264", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7264" + ], + "cvss": [], + "fix": { + "versions": [ + "7.81.0-1ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7264", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7264", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/07/31/1", + "https://curl.se/docs/CVE-2024-7264.html", + "https://curl.se/docs/CVE-2024-7264.json", + "https://hackerone.com/reports/2629968" + ], + "description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "curl", + "version": "7.81.0-1ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 7.81.0-1ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-7264" + } + } + ], + "artifact": { + "id": "52b4ac2b67a9ecd2", + "name": "libcurl4", + "version": "7.81.0-1ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libcurl4/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libcurl4:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-Clause", + "BSD-4-Clause", + "ISC", + "curl", + "other", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:libcurl4:libcurl4:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libcurl4@7.81.0-1ubuntu1.16?arch=amd64&upstream=curl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "curl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-34969", + "dataSource": "https://ubuntu.com/security/CVE-2023-34969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-34969" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-34969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-34969", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gitlab.freedesktop.org/dbus/dbus/-/issues/457", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/", + "https://security.netapp.com/advisory/ntap-20231208-0007/" + ], + "description": "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "dbus", + "version": "1.12.20-2ubuntu4.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-34969" + } + } + ], + "artifact": { + "id": "0c67a21e65bd16ee", + "name": "libdbus-1-3", + "version": "1.12.20-2ubuntu4.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libdbus-1-3/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libdbus-1-3:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "AFL-2.1", + "BSD-3-clause", + "BSD-3-clause-generic", + "Expat", + "GPL-2", + "GPL-2+", + "Tcl-BSDish", + "g10-permissive" + ], + "cpes": [ + "cpe:2.3:a:libdbus-1-3:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus-1-3:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus_1_3:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus_1_3:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus-1:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus-1:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus_1:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus_1:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libdbus-1-3@1.12.20-2ubuntu4.1?arch=amd64&upstream=dbus&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "dbus" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-25260", + "dataSource": "https://ubuntu.com/security/CVE-2024-25260", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25260" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25260", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25260", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/schsiung/fuzzer_issues/issues/1", + "https://sourceware.org/bugzilla/show_bug.cgi?id=31058", + "https://sourceware.org/elfutils/" + ], + "description": "elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 4, + "exploitabilityScore": 2.5, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "elfutils", + "version": "0.186-1build1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25260" + } + } + ], + "artifact": { + "id": "84f06d819a7d441b", + "name": "libdw1", + "version": "0.186-1build1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libdw1/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libdw1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-3", + "LGPL-3" + ], + "cpes": [ + "cpe:2.3:a:libdw1:libdw1:0.186-1build1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libdw1@0.186-1build1?arch=amd64&upstream=elfutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "elfutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-25260", + "dataSource": "https://ubuntu.com/security/CVE-2024-25260", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25260" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25260", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25260", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/schsiung/fuzzer_issues/issues/1", + "https://sourceware.org/bugzilla/show_bug.cgi?id=31058", + "https://sourceware.org/elfutils/" + ], + "description": "elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 4, + "exploitabilityScore": 2.5, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "elfutils", + "version": "0.186-1build1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25260" + } + } + ], + "artifact": { + "id": "db43cdc9ed146fdf", + "name": "libelf1", + "version": "0.186-1build1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libelf1/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libelf1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-3", + "LGPL-3" + ], + "cpes": [ + "cpe:2.3:a:libelf1:libelf1:0.186-1build1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libelf1@0.186-1build1?arch=amd64&upstream=elfutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "elfutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "851df3c34e377555", + "name": "libgcc-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "851df3c34e377555", + "name": "libgcc-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "851df3c34e377555", + "name": "libgcc-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "851df3c34e377555", + "name": "libgcc-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "e06d1fc320a8a1ac", + "name": "libgcc-s1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgcc-s1:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "e06d1fc320a8a1ac", + "name": "libgcc-s1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgcc-s1:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-2236", + "dataSource": "https://ubuntu.com/security/CVE-2024-2236", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-2236" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-2236", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2236", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2024-2236", + "https://bugzilla.redhat.com/show_bug.cgi?id=2245218", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268268" + ], + "description": "A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.", + "cvss": [ + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libgcrypt20", + "version": "1.9.4-3ubuntu3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-2236" + } + } + ], + "artifact": { + "id": "8bd34a8029c4772d", + "name": "libgcrypt20", + "version": "1.9.4-3ubuntu3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgcrypt20/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgcrypt20:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.9.4-3ubuntu3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "c8cf906bd8b6dcd3", + "name": "libgomp1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgomp1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgomp1:libgomp1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgomp1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "c8cf906bd8b6dcd3", + "name": "libgomp1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgomp1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgomp1:libgomp1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgomp1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37371", + "dataSource": "https://ubuntu.com/security/CVE-2024-37371", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37371" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37371", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37371" + } + } + ], + "artifact": { + "id": "9ca0af3dda6de8e1", + "name": "libgssapi-krb5-2", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgssapi-krb5-2/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37370", + "dataSource": "https://ubuntu.com/security/CVE-2024-37370", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37370" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37370", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37370" + } + } + ], + "artifact": { + "id": "9ca0af3dda6de8e1", + "name": "libgssapi-krb5-2", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgssapi-krb5-2/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26462", + "dataSource": "https://ubuntu.com/security/CVE-2024-26462", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26462" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26462", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://security.netapp.com/advisory/ntap-20240415-0012/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26462" + } + } + ], + "artifact": { + "id": "9ca0af3dda6de8e1", + "name": "libgssapi-krb5-2", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgssapi-krb5-2/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26461", + "dataSource": "https://ubuntu.com/security/CVE-2024-26461", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26461" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26461", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://security.netapp.com/advisory/ntap-20240415-0011/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26461" + } + } + ], + "artifact": { + "id": "9ca0af3dda6de8e1", + "name": "libgssapi-krb5-2", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgssapi-krb5-2/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26458", + "dataSource": "https://ubuntu.com/security/CVE-2024-26458", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26458" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26458", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://security.netapp.com/advisory/ntap-20240415-0010/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26458" + } + } + ], + "artifact": { + "id": "9ca0af3dda6de8e1", + "name": "libgssapi-krb5-2", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgssapi-krb5-2/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2020-0347", + "dataSource": "https://ubuntu.com/security/CVE-2020-0347", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2020-0347" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-0347", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-0347", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://source.android.com/security/bulletin/android-11" + ], + "description": "In iptables, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-136658008", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 3.9, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.7, + "exploitabilityScore": 0.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "iptables", + "version": "1.8.7-1ubuntu5.2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-0347" + } + } + ], + "artifact": { + "id": "6e9c18c8e88097db", + "name": "libip4tc2", + "version": "1.8.7-1ubuntu5.2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libip4tc2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libip4tc2:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GPL-2", + "GPL-2+", + "custom" + ], + "cpes": [ + "cpe:2.3:a:libip4tc2:libip4tc2:1.8.7-1ubuntu5.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libip4tc2@1.8.7-1ubuntu5.2?arch=amd64&upstream=iptables&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "iptables" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "3df6bfc8ac5188d7", + "name": "libitm1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libitm1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libitm1:libitm1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libitm1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "3df6bfc8ac5188d7", + "name": "libitm1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libitm1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libitm1:libitm1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libitm1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37371", + "dataSource": "https://ubuntu.com/security/CVE-2024-37371", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37371" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37371", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37371" + } + } + ], + "artifact": { + "id": "5b4458fd2a0b50fd", + "name": "libk5crypto3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libk5crypto3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37370", + "dataSource": "https://ubuntu.com/security/CVE-2024-37370", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37370" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37370", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37370" + } + } + ], + "artifact": { + "id": "5b4458fd2a0b50fd", + "name": "libk5crypto3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libk5crypto3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26462", + "dataSource": "https://ubuntu.com/security/CVE-2024-26462", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26462" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26462", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://security.netapp.com/advisory/ntap-20240415-0012/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26462" + } + } + ], + "artifact": { + "id": "5b4458fd2a0b50fd", + "name": "libk5crypto3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libk5crypto3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26461", + "dataSource": "https://ubuntu.com/security/CVE-2024-26461", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26461" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26461", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://security.netapp.com/advisory/ntap-20240415-0011/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26461" + } + } + ], + "artifact": { + "id": "5b4458fd2a0b50fd", + "name": "libk5crypto3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libk5crypto3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26458", + "dataSource": "https://ubuntu.com/security/CVE-2024-26458", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26458" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26458", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://security.netapp.com/advisory/ntap-20240415-0010/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26458" + } + } + ], + "artifact": { + "id": "5b4458fd2a0b50fd", + "name": "libk5crypto3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libk5crypto3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37371", + "dataSource": "https://ubuntu.com/security/CVE-2024-37371", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37371" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37371", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37371" + } + } + ], + "artifact": { + "id": "2b04489baa0c5a85", + "name": "libkrb5-3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5-3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37370", + "dataSource": "https://ubuntu.com/security/CVE-2024-37370", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37370" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37370", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37370" + } + } + ], + "artifact": { + "id": "2b04489baa0c5a85", + "name": "libkrb5-3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5-3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26462", + "dataSource": "https://ubuntu.com/security/CVE-2024-26462", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26462" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26462", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://security.netapp.com/advisory/ntap-20240415-0012/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26462" + } + } + ], + "artifact": { + "id": "2b04489baa0c5a85", + "name": "libkrb5-3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5-3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26461", + "dataSource": "https://ubuntu.com/security/CVE-2024-26461", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26461" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26461", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://security.netapp.com/advisory/ntap-20240415-0011/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26461" + } + } + ], + "artifact": { + "id": "2b04489baa0c5a85", + "name": "libkrb5-3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5-3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26458", + "dataSource": "https://ubuntu.com/security/CVE-2024-26458", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26458" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26458", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://security.netapp.com/advisory/ntap-20240415-0010/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26458" + } + } + ], + "artifact": { + "id": "2b04489baa0c5a85", + "name": "libkrb5-3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5-3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37371", + "dataSource": "https://ubuntu.com/security/CVE-2024-37371", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37371" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37371", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37371" + } + } + ], + "artifact": { + "id": "3ead40926c2b5d5c", + "name": "libkrb5support0", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5support0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37370", + "dataSource": "https://ubuntu.com/security/CVE-2024-37370", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37370" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37370", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37370" + } + } + ], + "artifact": { + "id": "3ead40926c2b5d5c", + "name": "libkrb5support0", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5support0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26462", + "dataSource": "https://ubuntu.com/security/CVE-2024-26462", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26462" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26462", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://security.netapp.com/advisory/ntap-20240415-0012/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26462" + } + } + ], + "artifact": { + "id": "3ead40926c2b5d5c", + "name": "libkrb5support0", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5support0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26461", + "dataSource": "https://ubuntu.com/security/CVE-2024-26461", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26461" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26461", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://security.netapp.com/advisory/ntap-20240415-0011/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26461" + } + } + ], + "artifact": { + "id": "3ead40926c2b5d5c", + "name": "libkrb5support0", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5support0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26458", + "dataSource": "https://ubuntu.com/security/CVE-2024-26458", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26458" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26458", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://security.netapp.com/advisory/ntap-20240415-0010/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26458" + } + } + ], + "artifact": { + "id": "3ead40926c2b5d5c", + "name": "libkrb5support0", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5support0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "e41baeef893dc672", + "name": "liblsan0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/liblsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:liblsan0:liblsan0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/liblsan0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "e41baeef893dc672", + "name": "liblsan0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/liblsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:liblsan0:liblsan0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/liblsan0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-50495", + "dataSource": "https://ubuntu.com/security/CVE-2023-50495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-50495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-50495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://security.netapp.com/advisory/ntap-20240119-0008/" + ], + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-50495" + } + } + ], + "artifact": { + "id": "9d631babdfb8df3e", + "name": "libncurses6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libncurses6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libncurses6:libncurses6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-45918", + "dataSource": "https://ubuntu.com/security/CVE-2023-45918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-45918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-45918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/" + ], + "description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-45918" + } + } + ], + "artifact": { + "id": "9d631babdfb8df3e", + "name": "libncurses6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libncurses6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libncurses6:libncurses6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-50495", + "dataSource": "https://ubuntu.com/security/CVE-2023-50495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-50495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-50495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://security.netapp.com/advisory/ntap-20240119-0008/" + ], + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-50495" + } + } + ], + "artifact": { + "id": "0532d09628a2ff0b", + "name": "libncursesw6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libncursesw6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libncursesw6:libncursesw6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-45918", + "dataSource": "https://ubuntu.com/security/CVE-2023-45918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-45918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-45918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/" + ], + "description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-45918" + } + } + ], + "artifact": { + "id": "0532d09628a2ff0b", + "name": "libncursesw6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libncursesw6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libncursesw6:libncursesw6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0217", + "dataSource": "https://ubuntu.com/security/CVE-2024-0217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0217", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2024-0217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2256624", + "https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79" + ], + "description": "A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0217" + } + } + ], + "artifact": { + "id": "4e2ed93a3f00508b", + "name": "libpackagekit-glib2-18", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpackagekit-glib2-18/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpackagekit-glib2-18:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:libpackagekit-glib2-18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2-18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2_18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2_18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpackagekit-glib2-18@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "packagekit" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-0987", + "dataSource": "https://ubuntu.com/security/CVE-2022-0987", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0987" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0987", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0987", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2064315" + ], + "description": "A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0987" + } + } + ], + "artifact": { + "id": "4e2ed93a3f00508b", + "name": "libpackagekit-glib2-18", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpackagekit-glib2-18/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpackagekit-glib2-18:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:libpackagekit-glib2-18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2-18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2_18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2_18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpackagekit-glib2-18@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "packagekit" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-7008", + "dataSource": "https://ubuntu.com/security/CVE-2023-7008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-7008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-7008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2463", + "https://access.redhat.com/errata/RHSA-2024:3203", + "https://access.redhat.com/security/cve/CVE-2023-7008", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222261", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", + "https://github.com/systemd/systemd/issues/25676", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + ], + "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "systemd", + "version": "249.11-0ubuntu3.12" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-7008" + } + } + ], + "artifact": { + "id": "4d802af324d0c968", + "name": "libpam-systemd", + "version": "249.11-0ubuntu3.12", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpam-systemd/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpam-systemd:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "CC0-1.0", + "Expat", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:libpam-systemd:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:libpam-systemd:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:libpam_systemd:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:libpam_systemd:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:libpam:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:libpam:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpam-systemd@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "systemd" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-41409", + "dataSource": "https://ubuntu.com/security/CVE-2022-41409", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-41409" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-41409", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-41409", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35", + "https://github.com/PCRE2Project/pcre2/issues/141" + ], + "description": "Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "pcre2", + "version": "10.39-3ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-41409" + } + } + ], + "artifact": { + "id": "b83e437a170b2b4b", + "name": "libpcre2-8-0", + "version": "10.39-3ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpcre2-8-0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libpcre2-8-0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:libpcre2-8-0:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2-8-0:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2_8_0:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2_8_0:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2-8:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2-8:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2_8:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2_8:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&upstream=pcre2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "pcre2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-11164", + "dataSource": "https://ubuntu.com/security/CVE-2017-11164", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2017-11164" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-11164", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-11164", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://openwall.com/lists/oss-security/2017/07/11/3", + "http://www.openwall.com/lists/oss-security/2023/04/11/1", + "http://www.openwall.com/lists/oss-security/2023/04/12/1", + "http://www.securityfocus.com/bid/99575", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + ], + "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 10, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "pcre3", + "version": "2:8.39-13ubuntu0.22.04.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-11164" + } + } + ], + "artifact": { + "id": "c17e17a6c3b778e9", + "name": "libpcre3", + "version": "2:8.39-13ubuntu0.22.04.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpcre3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libpcre3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:libpcre3:libpcre3:2:8.39-13ubuntu0.22.04.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpcre3@2:8.39-13ubuntu0.22.04.1?arch=amd64&upstream=pcre3&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "pcre3" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2568", + "dataSource": "https://ubuntu.com/security/CVE-2016-2568", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2568" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2568", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2568", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/26/3", + "https://access.redhat.com/security/cve/cve-2016-2568", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062", + "https://bugzilla.redhat.com/show_bug.cgi?id=1300746", + "https://ubuntu.com/security/CVE-2016-2568" + ], + "description": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.1, + "impactScore": 6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "policykit-1", + "version": "0.105-33" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2568" + } + } + ], + "artifact": { + "id": "75f309e7896cc7d5", + "name": "libpolkit-agent-1-0", + "version": "0.105-33", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpolkit-agent-1-0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpolkit-agent-1-0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "LGPL-2", + "LGPL-2.0+" + ], + "cpes": [ + "cpe:2.3:a:libpolkit-agent-1-0:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-agent-1-0:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent_1_0:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent_1_0:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-agent-1:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-agent-1:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent_1:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent_1:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-agent:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-agent:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpolkit-agent-1-0@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "policykit-1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2568", + "dataSource": "https://ubuntu.com/security/CVE-2016-2568", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2568" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2568", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2568", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/26/3", + "https://access.redhat.com/security/cve/cve-2016-2568", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062", + "https://bugzilla.redhat.com/show_bug.cgi?id=1300746", + "https://ubuntu.com/security/CVE-2016-2568" + ], + "description": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.1, + "impactScore": 6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "policykit-1", + "version": "0.105-33" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2568" + } + } + ], + "artifact": { + "id": "ff118ec3fae758b1", + "name": "libpolkit-gobject-1-0", + "version": "0.105-33", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpolkit-gobject-1-0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpolkit-gobject-1-0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "LGPL-2", + "LGPL-2.0+" + ], + "cpes": [ + "cpe:2.3:a:libpolkit-gobject-1-0:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-gobject-1-0:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject_1_0:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject_1_0:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-gobject-1:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-gobject-1:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject_1:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject_1:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-gobject:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-gobject:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpolkit-gobject-1-0@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "policykit-1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "851fee7a303de1b7", + "name": "libquadmath0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libquadmath0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libquadmath0:libquadmath0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libquadmath0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "851fee7a303de1b7", + "name": "libquadmath0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libquadmath0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libquadmath0:libquadmath0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libquadmath0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-41996", + "dataSource": "https://ubuntu.com/security/CVE-2024-41996", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41996" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + ], + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41996" + } + } + ], + "artifact": { + "id": "44b973ec93703d21", + "name": "libssl3", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "openssl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-5535", + "dataSource": "https://ubuntu.com/security/CVE-2024-5535", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-5535" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-5535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://www.openssl.org/news/secadv/20240627.txt" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-5535" + } + } + ], + "artifact": { + "id": "44b973ec93703d21", + "name": "libssl3", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "openssl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4741", + "dataSource": "https://ubuntu.com/security/CVE-2024-4741", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4741" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-4741" + } + } + ], + "artifact": { + "id": "44b973ec93703d21", + "name": "libssl3", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "openssl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4603", + "dataSource": "https://ubuntu.com/security/CVE-2024-4603", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4603" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4603", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4603", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/16/2", + "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397", + "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e", + "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d", + "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740", + "https://security.netapp.com/advisory/ntap-20240621-0001/", + "https://www.openssl.org/news/secadv/20240516.txt" + ], + "description": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-4603" + } + } + ], + "artifact": { + "id": "44b973ec93703d21", + "name": "libssl3", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "openssl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-2511", + "dataSource": "https://ubuntu.com/security/CVE-2024-2511", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-2511" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-2511", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/04/08/5", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://security.netapp.com/advisory/ntap-20240503-0013/", + "https://www.openssl.org/news/secadv/20240408.txt" + ], + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-2511" + } + } + ], + "artifact": { + "id": "44b973ec93703d21", + "name": "libssl3", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "openssl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "5c5dbe65627d4087", + "name": "libstdc++-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "5c5dbe65627d4087", + "name": "libstdc++-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "5c5dbe65627d4087", + "name": "libstdc++-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "5c5dbe65627d4087", + "name": "libstdc++-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "4ddc88716174352d", + "name": "libstdc++6", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libstdc++6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++6:libstdc++6:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "4ddc88716174352d", + "name": "libstdc++6", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libstdc++6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++6:libstdc++6:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-7008", + "dataSource": "https://ubuntu.com/security/CVE-2023-7008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-7008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-7008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2463", + "https://access.redhat.com/errata/RHSA-2024:3203", + "https://access.redhat.com/security/cve/CVE-2023-7008", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222261", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", + "https://github.com/systemd/systemd/issues/25676", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + ], + "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "systemd", + "version": "249.11-0ubuntu3.12" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-7008" + } + } + ], + "artifact": { + "id": "837dfa89fb7aecbb", + "name": "libsystemd0", + "version": "249.11-0ubuntu3.12", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libsystemd0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libsystemd0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "CC0-1.0", + "Expat", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:libsystemd0:libsystemd0:249.11-0ubuntu3.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "systemd" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46848", + "dataSource": "https://ubuntu.com/security/CVE-2021-46848", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46848" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46848", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46848", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://bugs.gentoo.org/866237", + "https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5", + "https://gitlab.com/gnutls/libtasn1/-/issues/32", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00003.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV4SHDJF2XLB4CUPTBPQQ6CLGZ5LKXPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECM2ELTVRYV4BZ5L5GMIRQE27RFHPAQ6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGO7XST4EIJGX4B2ITZCYSWM24534BSU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V5LWOGF7QRMNFRUCZY6TDYQJVFI6MOQ2/", + "https://security.netapp.com/advisory/ntap-20221118-0006/" + ], + "description": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libtasn1-6", + "version": "4.18.0-4build1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46848" + } + } + ], + "artifact": { + "id": "48034bac058cf4d8", + "name": "libtasn1-6", + "version": "4.18.0-4build1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtasn1-6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libtasn1-6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.3", + "GPL-3", + "LGPL", + "LGPL-2.1" + ], + "cpes": [ + "cpe:2.3:a:libtasn1-6:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*", + "cpe:2.3:a:libtasn1-6:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*", + "cpe:2.3:a:libtasn1_6:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*", + "cpe:2.3:a:libtasn1_6:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*", + "cpe:2.3:a:libtasn1:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*", + "cpe:2.3:a:libtasn1:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-50495", + "dataSource": "https://ubuntu.com/security/CVE-2023-50495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-50495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-50495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://security.netapp.com/advisory/ntap-20240119-0008/" + ], + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-50495" + } + } + ], + "artifact": { + "id": "e392e94b182b72b9", + "name": "libtinfo6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libtinfo6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libtinfo6:libtinfo6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-45918", + "dataSource": "https://ubuntu.com/security/CVE-2023-45918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-45918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-45918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/" + ], + "description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-45918" + } + } + ], + "artifact": { + "id": "e392e94b182b72b9", + "name": "libtinfo6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libtinfo6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libtinfo6:libtinfo6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "f12aede72a6ee01b", + "name": "libtsan0", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libtsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "f12aede72a6ee01b", + "name": "libtsan0", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libtsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "f12aede72a6ee01b", + "name": "libtsan0", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libtsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "f12aede72a6ee01b", + "name": "libtsan0", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libtsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "0bd42c1a89f86d7c", + "name": "libubsan1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libubsan1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libubsan1:libubsan1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libubsan1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "0bd42c1a89f86d7c", + "name": "libubsan1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libubsan1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libubsan1:libubsan1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libubsan1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-7008", + "dataSource": "https://ubuntu.com/security/CVE-2023-7008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-7008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-7008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2463", + "https://access.redhat.com/errata/RHSA-2024:3203", + "https://access.redhat.com/security/cve/CVE-2023-7008", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222261", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", + "https://github.com/systemd/systemd/issues/25676", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + ], + "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "systemd", + "version": "249.11-0ubuntu3.12" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-7008" + } + } + ], + "artifact": { + "id": "dfcf0201a1ab32bf", + "name": "libudev1", + "version": "249.11-0ubuntu3.12", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libudev1/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libudev1:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "CC0-1.0", + "Expat", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:libudev1:libudev1:249.11-0ubuntu3.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "systemd" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-34459", + "dataSource": "https://ubuntu.com/security/CVE-2024-34459", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-34459" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + ], + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libxml2", + "version": "2.9.13+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-34459" + } + } + ], + "artifact": { + "id": "2c561f4e739dd13a", + "name": "libxml2", + "version": "2.9.13+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libxml2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libxml2:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "ISC", + "MIT-1" + ], + "cpes": [ + "cpe:2.3:a:libxml2:libxml2:2.9.13+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libxml2@2.9.13%2Bdfsg-1ubuntu0.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-35328", + "dataSource": "https://ubuntu.com/security/CVE-2024-35328", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35328" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35328", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35328", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libyaml", + "version": "0.2.2-1build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35328" + } + } + ], + "artifact": { + "id": "df8d710de57d7548", + "name": "libyaml-0-2", + "version": "0.2.2-1build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libyaml-0-2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Expat", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "libyaml" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-35326", + "dataSource": "https://ubuntu.com/security/CVE-2024-35326", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35326" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35326", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35326", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libyaml", + "version": "0.2.2-1build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35326" + } + } + ], + "artifact": { + "id": "df8d710de57d7548", + "name": "libyaml-0-2", + "version": "0.2.2-1build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libyaml-0-2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Expat", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "libyaml" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-35325", + "dataSource": "https://ubuntu.com/security/CVE-2024-35325", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35325" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35325", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35325", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libyaml", + "version": "0.2.2-1build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35325" + } + } + ], + "artifact": { + "id": "df8d710de57d7548", + "name": "libyaml-0-2", + "version": "0.2.2-1build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libyaml-0-2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Expat", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "libyaml" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-4899", + "dataSource": "https://ubuntu.com/security/CVE-2022-4899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-4899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-4899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/facebook/zstd/issues/3200", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/", + "https://security.netapp.com/advisory/ntap-20230725-0005/" + ], + "description": "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libzstd", + "version": "1.4.8+dfsg-3build1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-4899" + } + } + ], + "artifact": { + "id": "db01fe463729db55", + "name": "libzstd1", + "version": "1.4.8+dfsg-3build1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libzstd1/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libzstd1:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "Expat", + "GPL-2", + "zlib" + ], + "cpes": [ + "cpe:2.3:a:libzstd1:libzstd1:1.4.8+dfsg-3build1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&upstream=libzstd&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "libzstd" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-29383", + "dataSource": "https://ubuntu.com/security/CVE-2023-29383", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-29383" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-29383", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-29383", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d", + "https://github.com/shadow-maint/shadow/pull/687", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/", + "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797" + ], + "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "shadow", + "version": "1:4.8.1-2ubuntu2.2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-29383" + } + } + ], + "artifact": { + "id": "c25e61c8104d045b", + "name": "login", + "version": "1:4.8.1-2ubuntu2.2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/login/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/login.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/login.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:login:login:1:4.8.1-2ubuntu2.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/login@1:4.8.1-2ubuntu2.2?arch=amd64&upstream=shadow&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "shadow" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-50495", + "dataSource": "https://ubuntu.com/security/CVE-2023-50495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-50495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-50495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://security.netapp.com/advisory/ntap-20240119-0008/" + ], + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-50495" + } + } + ], + "artifact": { + "id": "3760343f92af5dba", + "name": "ncurses-base", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/ncurses-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-base.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-base.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:ncurses-base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses-base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-45918", + "dataSource": "https://ubuntu.com/security/CVE-2023-45918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-45918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-45918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/" + ], + "description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-45918" + } + } + ], + "artifact": { + "id": "3760343f92af5dba", + "name": "ncurses-base", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/ncurses-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-base.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-base.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:ncurses-base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses-base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-50495", + "dataSource": "https://ubuntu.com/security/CVE-2023-50495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-50495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-50495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://security.netapp.com/advisory/ntap-20240119-0008/" + ], + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-50495" + } + } + ], + "artifact": { + "id": "38ed2d1a224f9399", + "name": "ncurses-bin", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/ncurses-bin/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-bin.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:ncurses-bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses-bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-45918", + "dataSource": "https://ubuntu.com/security/CVE-2023-45918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-45918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-45918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/" + ], + "description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-45918" + } + } + ], + "artifact": { + "id": "38ed2d1a224f9399", + "name": "ncurses-bin", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/ncurses-bin/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-bin.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:ncurses-bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses-bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-41996", + "dataSource": "https://ubuntu.com/security/CVE-2024-41996", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41996" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + ], + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41996" + } + } + ], + "artifact": { + "id": "fed47764300c311f", + "name": "openssl", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/openssl.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/openssl.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-5535", + "dataSource": "https://ubuntu.com/security/CVE-2024-5535", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-5535" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-5535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://www.openssl.org/news/secadv/20240627.txt" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-5535" + } + } + ], + "artifact": { + "id": "fed47764300c311f", + "name": "openssl", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/openssl.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/openssl.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4741", + "dataSource": "https://ubuntu.com/security/CVE-2024-4741", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4741" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-4741" + } + } + ], + "artifact": { + "id": "fed47764300c311f", + "name": "openssl", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/openssl.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/openssl.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4603", + "dataSource": "https://ubuntu.com/security/CVE-2024-4603", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4603" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4603", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4603", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/16/2", + "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397", + "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e", + "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d", + "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740", + "https://security.netapp.com/advisory/ntap-20240621-0001/", + "https://www.openssl.org/news/secadv/20240516.txt" + ], + "description": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-4603" + } + } + ], + "artifact": { + "id": "fed47764300c311f", + "name": "openssl", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/openssl.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/openssl.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-2511", + "dataSource": "https://ubuntu.com/security/CVE-2024-2511", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-2511" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-2511", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/04/08/5", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://security.netapp.com/advisory/ntap-20240503-0013/", + "https://www.openssl.org/news/secadv/20240408.txt" + ], + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-2511" + } + } + ], + "artifact": { + "id": "fed47764300c311f", + "name": "openssl", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/openssl.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/openssl.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0217", + "dataSource": "https://ubuntu.com/security/CVE-2024-0217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0217", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2024-0217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2256624", + "https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79" + ], + "description": "A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0217" + } + } + ], + "artifact": { + "id": "cb13b67d8759b594", + "name": "packagekit", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/packagekit/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/packagekit.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/packagekit.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:packagekit:packagekit:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/packagekit@1.2.5-2ubuntu2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-0987", + "dataSource": "https://ubuntu.com/security/CVE-2022-0987", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0987" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0987", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0987", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2064315" + ], + "description": "A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0987" + } + } + ], + "artifact": { + "id": "cb13b67d8759b594", + "name": "packagekit", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/packagekit/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/packagekit.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/packagekit.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:packagekit:packagekit:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/packagekit@1.2.5-2ubuntu2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-29383", + "dataSource": "https://ubuntu.com/security/CVE-2023-29383", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-29383" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-29383", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-29383", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d", + "https://github.com/shadow-maint/shadow/pull/687", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/", + "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797" + ], + "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "shadow", + "version": "1:4.8.1-2ubuntu2.2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-29383" + } + } + ], + "artifact": { + "id": "fdb7dd2a267a46c4", + "name": "passwd", + "version": "1:4.8.1-2ubuntu2.2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/passwd/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/passwd.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/passwd.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:passwd:passwd:1:4.8.1-2ubuntu2.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/passwd@1:4.8.1-2ubuntu2.2?arch=amd64&upstream=shadow&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "shadow" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-45261", + "dataSource": "https://ubuntu.com/security/CVE-2021-45261", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2021-45261" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-45261", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-45261", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://savannah.gnu.org/bugs/?61685" + ], + "description": "An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "patch", + "version": "2.7.6-7build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-45261" + } + } + ], + "artifact": { + "id": "ee1d527e22791580", + "name": "patch", + "version": "2.7.6-7build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/patch/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/patch.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL" + ], + "cpes": [ + "cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2019-20633", + "dataSource": "https://ubuntu.com/security/CVE-2019-20633", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2019-20633" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-20633", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-20633", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://savannah.gnu.org/bugs/index.php?56683" + ], + "description": "GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "patch", + "version": "2.7.6-7build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-20633" + } + } + ], + "artifact": { + "id": "ee1d527e22791580", + "name": "patch", + "version": "2.7.6-7build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/patch/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/patch.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL" + ], + "cpes": [ + "cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2018-6952", + "dataSource": "https://ubuntu.com/security/CVE-2018-6952", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-6952" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-6952", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6952", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/103047", + "https://access.redhat.com/errata/RHSA-2019:2033", + "https://savannah.gnu.org/bugs/index.php?53133", + "https://security.gentoo.org/glsa/201904-17" + ], + "description": "A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "patch", + "version": "2.7.6-7build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-6952" + } + } + ], + "artifact": { + "id": "ee1d527e22791580", + "name": "patch", + "version": "2.7.6-7build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/patch/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/patch.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL" + ], + "cpes": [ + "cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2568", + "dataSource": "https://ubuntu.com/security/CVE-2016-2568", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2568" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2568", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2568", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/26/3", + "https://access.redhat.com/security/cve/cve-2016-2568", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062", + "https://bugzilla.redhat.com/show_bug.cgi?id=1300746", + "https://ubuntu.com/security/CVE-2016-2568" + ], + "description": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.1, + "impactScore": 6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "policykit-1", + "version": "0.105-33" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2568" + } + } + ], + "artifact": { + "id": "d55289a43c85d6a4", + "name": "pkexec", + "version": "0.105-33", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/pkexec/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/pkexec.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "LGPL-2", + "LGPL-2.0+" + ], + "cpes": [ + "cpe:2.3:a:pkexec:pkexec:0.105-33:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/pkexec@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "policykit-1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2568", + "dataSource": "https://ubuntu.com/security/CVE-2016-2568", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2568" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2568", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2568", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/26/3", + "https://access.redhat.com/security/cve/cve-2016-2568", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062", + "https://bugzilla.redhat.com/show_bug.cgi?id=1300746", + "https://ubuntu.com/security/CVE-2016-2568" + ], + "description": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.1, + "impactScore": 6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "policykit-1", + "version": "0.105-33" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2568" + } + } + ], + "artifact": { + "id": "d757443f44e8916c", + "name": "policykit-1", + "version": "0.105-33", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/policykit-1/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/policykit-1.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "LGPL-2", + "LGPL-2.0+" + ], + "cpes": [ + "cpe:2.3:a:policykit-1:policykit-1:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:policykit-1:policykit_1:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:policykit_1:policykit-1:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:policykit_1:policykit_1:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:policykit:policykit-1:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:policykit:policykit_1:0.105-33:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/policykit-1@0.105-33?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2568", + "dataSource": "https://ubuntu.com/security/CVE-2016-2568", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2568" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2568", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2568", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/26/3", + "https://access.redhat.com/security/cve/cve-2016-2568", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062", + "https://bugzilla.redhat.com/show_bug.cgi?id=1300746", + "https://ubuntu.com/security/CVE-2016-2568" + ], + "description": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.1, + "impactScore": 6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "policykit-1", + "version": "0.105-33" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2568" + } + } + ], + "artifact": { + "id": "6ace8efb10979881", + "name": "polkitd", + "version": "0.105-33", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/polkitd/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/polkitd.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/polkitd.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "LGPL-2", + "LGPL-2.0+" + ], + "cpes": [ + "cpe:2.3:a:polkitd:polkitd:0.105-33:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/polkitd@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "policykit-1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-21240", + "dataSource": "https://ubuntu.com/security/CVE-2021-21240", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-21240" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-21240", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-21240", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", + "https://github.com/httplib2/httplib2/pull/182", + "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", + "https://pypi.org/project/httplib2" + ], + "description": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-httplib2", + "version": "0.20.2-2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-21240" + } + } + ], + "artifact": { + "id": "9a3b917c64001b05", + "name": "python3-httplib2", + "version": "0.20.2-2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-httplib2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3-httplib2.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3", + "Expat", + "GPL-2", + "GPL-2+", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-1.1" + ], + "cpes": [ + "cpe:2.3:a:python3-httplib2:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-httplib2:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_httplib2:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_httplib2:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-httplib2@0.20.2-2?arch=all&upstream=python-httplib2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-httplib2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6345", + "dataSource": "https://ubuntu.com/security/CVE-2024-6345", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6345" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6345", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0", + "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + ], + "description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6345" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-3651", + "dataSource": "https://ubuntu.com/security/CVE-2024-3651", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-3651" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-3651", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d", + "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb" + ], + "description": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-3651" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-35195", + "dataSource": "https://ubuntu.com/security/CVE-2024-35195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac", + "https://github.com/psf/requests/pull/6655", + "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ/" + ], + "description": "Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.", + "cvss": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 5.6, + "exploitabilityScore": 0.3, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35195" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-5752", + "dataSource": "https://ubuntu.com/security/CVE-2023-5752", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-5752" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-5752", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-5752", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://github.com/pypa/pip/pull/12306", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + ], + "description": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + }, + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-5752" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-32681", + "dataSource": "https://ubuntu.com/security/CVE-2023-32681", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-32681" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-32681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5", + "https://github.com/psf/requests/releases/tag/v2.31.0", + "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/", + "https://security.gentoo.org/glsa/202309-08" + ], + "description": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", + "metrics": { + "baseScore": 6.1, + "exploitabilityScore": 1.6, + "impactScore": 4 + }, + "vendorMetadata": {} + }, + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", + "metrics": { + "baseScore": 6.1, + "exploitabilityScore": 1.6, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-32681" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37891", + "dataSource": "https://ubuntu.com/security/CVE-2024-37891", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37891" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37891", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" + ], + "description": " urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.", + "cvss": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.7, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37891" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6345", + "dataSource": "https://ubuntu.com/security/CVE-2024-6345", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6345" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6345", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0", + "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + ], + "description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "setuptools", + "version": "59.6.0-1.2ubuntu0.22.04.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6345" + } + } + ], + "artifact": { + "id": "96186ba8ec8bad45", + "name": "python3-pkg-resources", + "version": "59.6.0-1.2ubuntu0.22.04.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pkg-resources/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3-pkg-resources.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-3-clause" + ], + "cpes": [ + "cpe:2.3:a:python3-pkg-resources:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pkg-resources:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pkg_resources:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pkg_resources:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pkg:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pkg:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pkg:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pkg:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pkg-resources@59.6.0-1.2ubuntu0.22.04.1?arch=all&upstream=setuptools&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "setuptools" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6345", + "dataSource": "https://ubuntu.com/security/CVE-2024-6345", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6345" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6345", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0", + "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + ], + "description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "setuptools", + "version": "59.6.0-1.2ubuntu0.22.04.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6345" + } + } + ], + "artifact": { + "id": "2806aa205839c7c6", + "name": "python3-setuptools-whl", + "version": "59.6.0-1.2ubuntu0.22.04.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-setuptools-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-setuptools-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-3-clause" + ], + "cpes": [ + "cpe:2.3:a:python3-setuptools-whl:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-setuptools-whl:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_setuptools_whl:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_setuptools_whl:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-setuptools:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-setuptools:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_setuptools:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_setuptools:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-setuptools-whl@59.6.0-1.2ubuntu0.22.04.1?arch=all&upstream=setuptools&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "setuptools" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-5569", + "dataSource": "https://ubuntu.com/security/CVE-2024-5569", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-5569" + ], + "cvss": [], + "fix": { + "versions": [ + "1.0.0-3ubuntu0.1" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-5569", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5569", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd", + "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae" + ], + "description": "A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-zipp", + "version": "1.0.0-3" + } + }, + "found": { + "versionConstraint": "< 1.0.0-3ubuntu0.1 (deb)", + "vulnerabilityID": "CVE-2024-5569" + } + } + ], + "artifact": { + "id": "e3bc49624ab198ff", + "name": "python3-zipp", + "version": "1.0.0-3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-zipp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3-zipp.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Expat" + ], + "cpes": [ + "cpe:2.3:a:python3-zipp:python3-zipp:1.0.0-3:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-zipp:python3_zipp:1.0.0-3:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_zipp:python3-zipp:1.0.0-3:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_zipp:python3_zipp:1.0.0-3:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-zipp:1.0.0-3:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_zipp:1.0.0-3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-zipp@1.0.0-3?arch=all&upstream=python-zipp&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-zipp" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-7008", + "dataSource": "https://ubuntu.com/security/CVE-2023-7008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-7008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-7008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2463", + "https://access.redhat.com/errata/RHSA-2024:3203", + "https://access.redhat.com/security/cve/CVE-2023-7008", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222261", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", + "https://github.com/systemd/systemd/issues/25676", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + ], + "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "systemd", + "version": "249.11-0ubuntu3.12" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-7008" + } + } + ], + "artifact": { + "id": "08e5107537f6b389", + "name": "systemd", + "version": "249.11-0ubuntu3.12", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/systemd/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/systemd.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/systemd.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "CC0-1.0", + "Expat", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:systemd:systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/systemd@249.11-0ubuntu3.12?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-7008", + "dataSource": "https://ubuntu.com/security/CVE-2023-7008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-7008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-7008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2463", + "https://access.redhat.com/errata/RHSA-2024:3203", + "https://access.redhat.com/security/cve/CVE-2023-7008", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222261", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", + "https://github.com/systemd/systemd/issues/25676", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + ], + "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "systemd", + "version": "249.11-0ubuntu3.12" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-7008" + } + } + ], + "artifact": { + "id": "6a9688725c2c3e10", + "name": "systemd-sysv", + "version": "249.11-0ubuntu3.12", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/systemd-sysv/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/systemd-sysv.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "CC0-1.0", + "Expat", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:systemd-sysv:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:systemd-sysv:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:systemd_sysv:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:systemd_sysv:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:systemd:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:systemd:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/systemd-sysv@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "systemd" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-31879", + "dataSource": "https://ubuntu.com/security/CVE-2021-31879", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-31879" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-31879", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-31879", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html", + "https://security.netapp.com/advisory/ntap-20210618-0002/" + ], + "description": "GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "metrics": { + "baseScore": 6.1, + "exploitabilityScore": 2.8, + "impactScore": 2.7 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "wget", + "version": "1.21.2-2ubuntu1.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-31879" + } + } + ], + "artifact": { + "id": "313cc77842f860d3", + "name": "wget", + "version": "1.21.2-2ubuntu1.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/wget/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/wget.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/wget.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.2", + "GPL-3" + ], + "cpes": [ + "cpe:2.3:a:wget:wget:1.21.2-2ubuntu1.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/wget@1.21.2-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + } + ], + "ignoredMatches": [ + { + "vulnerability": { + "id": "CVE-2012-4542", + "dataSource": "https://ubuntu.com/security/CVE-2012-4542", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2012-4542" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2012-4542", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2012-4542", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://marc.info/?l=linux-kernel&m=135903967015813&w=2", + "http://marc.info/?l=linux-kernel&m=135904012416042&w=2", + "http://rhn.redhat.com/errata/RHSA-2013-0496.html", + "http://rhn.redhat.com/errata/RHSA-2013-0579.html", + "http://rhn.redhat.com/errata/RHSA-2013-0882.html", + "http://rhn.redhat.com/errata/RHSA-2013-0928.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=875360", + "https://oss.oracle.com/git/?p=redpatch.git%3Ba=commit%3Bh=76a274e17114abf1a77de6b651424648ce9e10c8" + ], + "description": "block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 3.9, + "impactScore": 6.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2012-4542" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2013-7445", + "dataSource": "https://ubuntu.com/security/CVE-2013-7445", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2013-7445" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2013-7445", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2013-7445", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.kernel.org/show_bug.cgi?id=60533" + ], + "description": "The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 10, + "impactScore": 6.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2013-7445" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2015-8553", + "dataSource": "https://ubuntu.com/security/CVE-2015-8553", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2015-8553" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2015-8553", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2015-8553", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://xenbits.xen.org/xsa/advisory-120.html", + "https://seclists.org/bugtraq/2019/Aug/18", + "https://www.debian.org/security/2019/dsa-4497" + ], + "description": "Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2015-8553" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2016-8660", + "dataSource": "https://ubuntu.com/security/CVE-2016-8660", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2016-8660" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-8660", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-8660", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/10/13/8", + "http://www.securityfocus.com/bid/93558", + "https://bugzilla.redhat.com/show_bug.cgi?id=1384851" + ], + "description": "The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a \"page lock order bug in the XFS seek hole/data implementation.\"", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-8660" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2017-0537", + "dataSource": "https://ubuntu.com/security/CVE-2017-0537", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-0537" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-0537", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-0537", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/96831", + "http://www.securitytracker.com/id/1037968", + "https://source.android.com/security/bulletin/2017-03-01", + "https://source.android.com/security/bulletin/2017-03-01.html" + ], + "description": "An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-31614969.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.6, + "exploitabilityScore": 4.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-0537" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2017-13165", + "dataSource": "https://ubuntu.com/security/CVE-2017-13165", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13165" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13165", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13165", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://source.android.com/security/bulletin/pixel/2017-12-01" + ], + "description": "An elevation of privilege vulnerability in the kernel file system. Product: Android. Versions: Android kernel. Android ID A-31269937.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 3.9, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13165" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2017-13693", + "dataSource": "https://ubuntu.com/security/CVE-2017-13693", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13693" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13693", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13693", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/100502", + "https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732", + "https://patchwork.kernel.org/patch/9919053/" + ], + "description": "The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13693" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2017-13694", + "dataSource": "https://ubuntu.com/security/CVE-2017-13694", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13694" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13694", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13694", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/100500", + "https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0", + "https://patchwork.kernel.org/patch/9806085/" + ], + "description": "The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13694" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-1121", + "dataSource": "https://ubuntu.com/security/CVE-2018-1121", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2018-1121" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-1121", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-1121", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://seclists.org/oss-sec/2018/q2/122", + "http://www.securityfocus.com/bid/104214", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121", + "https://www.exploit-db.com/exploits/44806/", + "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" + ], + "description": "procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "metrics": { + "baseScore": 3.9, + "exploitabilityScore": 1.3, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-1121" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-12928", + "dataSource": "https://ubuntu.com/security/CVE-2018-12928", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-12928" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-12928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-12928", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/104593", + "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763384", + "https://marc.info/?l=linux-fsdevel&m=152407263325766&w=2" + ], + "description": "In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-12928" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-12929", + "dataSource": "https://ubuntu.com/security/CVE-2018-12929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2018-12929" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-12929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-12929", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/104588", + "https://access.redhat.com/errata/RHSA-2019:0641", + "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403", + "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + ], + "description": "ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-12929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-12930", + "dataSource": "https://ubuntu.com/security/CVE-2018-12930", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2018-12930" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-12930", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-12930", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/104588", + "https://access.redhat.com/errata/RHSA-2019:0641", + "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403", + "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + ], + "description": "ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 3.9, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-12930" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-12931", + "dataSource": "https://ubuntu.com/security/CVE-2018-12931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2018-12931" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-12931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-12931", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/104588", + "https://access.redhat.com/errata/RHSA-2019:0641", + "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403", + "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + ], + "description": "ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 3.9, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-12931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-17977", + "dataSource": "https://ubuntu.com/security/CVE-2018-17977", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2018-17977" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-17977", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-17977", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/105539", + "https://www.openwall.com/lists/oss-security/2018/10/05/5" + ], + "description": "The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-17977" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2019-14899", + "dataSource": "https://ubuntu.com/security/CVE-2019-14899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-14899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-14899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-14899", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://seclists.org/fulldisclosure/2020/Dec/32", + "http://seclists.org/fulldisclosure/2020/Jul/23", + "http://seclists.org/fulldisclosure/2020/Jul/24", + "http://seclists.org/fulldisclosure/2020/Jul/25", + "http://seclists.org/fulldisclosure/2020/Nov/20", + "http://www.openwall.com/lists/oss-security/2020/08/13/2", + "http://www.openwall.com/lists/oss-security/2020/10/07/3", + "http://www.openwall.com/lists/oss-security/2021/07/05/1", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14899", + "https://openvpn.net/security-advisory/no-flaws-found-in-openvpn-software/", + "https://support.apple.com/kb/HT211288", + "https://support.apple.com/kb/HT211289", + "https://support.apple.com/kb/HT211290", + "https://support.apple.com/kb/HT211850", + "https://support.apple.com/kb/HT211931" + ], + "description": "A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:M/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 4.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 1.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 1.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-14899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2019-15213", + "dataSource": "https://ubuntu.com/security/CVE-2019-15213", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-15213" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-15213", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-15213", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html", + "http://www.openwall.com/lists/oss-security/2019/08/20/2", + "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.3", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6cf97230cd5f36b7665099083272595c55d72be7", + "https://security.netapp.com/advisory/ntap-20190905-0002/", + "https://syzkaller.appspot.com/bug?id=a53c9c9dd2981bfdbfbcbc1ddbd35595eda8bced" + ], + "description": "An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-15213" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2019-19378", + "dataSource": "https://ubuntu.com/security/CVE-2019-19378", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-19378" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-19378", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-19378", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19378", + "https://security.netapp.com/advisory/ntap-20200103-0001/" + ], + "description": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 8.6, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-19378" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2019-19814", + "dataSource": "https://ubuntu.com/security/CVE-2019-19814", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-19814" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-19814", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-19814", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19814", + "https://security.netapp.com/advisory/ntap-20200103-0001/" + ], + "description": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 9.3, + "exploitabilityScore": 8.6, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-19814" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2019-20794", + "dataSource": "https://ubuntu.com/security/CVE-2019-20794", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-20794" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-20794", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-20794", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2020/08/24/1", + "https://github.com/sargun/fuse-example", + "https://security.netapp.com/advisory/ntap-20200608-0001/", + "https://sourceforge.net/p/fuse/mailman/message/36598753/" + ], + "description": "An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 3.4, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-20794" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-11935", + "dataSource": "https://ubuntu.com/security/CVE-2020-11935", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-11935" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-11935", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-11935", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugs.launchpad.net/bugs/1873074", + "https://ubuntu.com/security/CVE-2020-11935" + ], + "description": "It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@ubuntu.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-11935" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-14304", + "dataSource": "https://ubuntu.com/security/CVE-2020-14304", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2020-14304" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-14304", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-14304", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960702", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14304" + ], + "description": "A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-14304" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-15802", + "dataSource": "https://ubuntu.com/security/CVE-2020-15802", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-15802" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-15802", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-15802", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gizmodo.com/bluetooth-unveils-its-latest-security-issue-with-no-se-1845013709", + "https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/", + "https://www.kb.cert.org/vuls/id/589825" + ], + "description": "Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-15802" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26140", + "dataSource": "https://ubuntu.com/security/CVE-2020-26140", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26140" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26140", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26140", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/05/11/12", + "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf", + "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu", + "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63", + "https://www.fragattacks.com" + ], + "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 6.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26140" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26142", + "dataSource": "https://ubuntu.com/security/CVE-2020-26142", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26142" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26142", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26142", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/05/11/12", + "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu", + "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63", + "https://www.fragattacks.com" + ], + "description": "An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 2.6, + "exploitabilityScore": 4.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26142" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26143", + "dataSource": "https://ubuntu.com/security/CVE-2020-26143", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26143" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26143", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26143", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/05/11/12", + "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf", + "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu", + "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63", + "https://www.fragattacks.com" + ], + "description": "An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 6.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26143" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26146", + "dataSource": "https://ubuntu.com/security/CVE-2020-26146", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26146" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26146", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26146", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/05/11/12", + "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf", + "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu", + "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63", + "https://www.fragattacks.com" + ], + "description": "An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:M/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 2.9, + "exploitabilityScore": 5.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26146" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26556", + "dataSource": "https://ubuntu.com/security/CVE-2020-26556", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26556" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26556", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26556", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://kb.cert.org/vuls/id/799380", + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/", + "https://www.kb.cert.org/vuls/id/799380" + ], + "description": "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:M/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.9, + "exploitabilityScore": 5.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.6, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26556" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26557", + "dataSource": "https://ubuntu.com/security/CVE-2020-26557", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26557" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26557", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26557", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://kb.cert.org/vuls/id/799380", + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + ], + "description": "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:M/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.9, + "exploitabilityScore": 5.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.6, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26557" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26559", + "dataSource": "https://ubuntu.com/security/CVE-2020-26559", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26559" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26559", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26559", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://kb.cert.org/vuls/id/799380", + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + ], + "description": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 6.5, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26559" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26560", + "dataSource": "https://ubuntu.com/security/CVE-2020-26560", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26560" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26560", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26560", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://kb.cert.org/vuls/id/799380", + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + ], + "description": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 6.5, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 8.1, + "exploitabilityScore": 2.8, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26560" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-35501", + "dataSource": "https://ubuntu.com/security/CVE-2020-35501", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2020-35501" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-35501", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-35501", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1908577" + ], + "description": "A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N", + "metrics": { + "baseScore": 3.6, + "exploitabilityScore": 3.9, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 3.4, + "exploitabilityScore": 0.8, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-35501" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-26934", + "dataSource": "https://ubuntu.com/security/CVE-2021-26934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2021-26934" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-26934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-26934", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://xenbits.xen.org/xsa/advisory-363.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GELN5E6MDR5KQBJF5M5COUUED3YFZTD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOAJBVAVR6RSCUCHNXPVSNRPSFM7INMP/", + "https://security.netapp.com/advisory/ntap-20210326-0001/" + ], + "description": "An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 3.9, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-26934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-31615", + "dataSource": "https://ubuntu.com/security/CVE-2021-31615", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-31615" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-31615", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-31615", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bluetooth.com", + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/injectable/" + ], + "description": "Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 may permit an adjacent device to inject a crafted packet during the receive window of the listening device before the transmitting device initiates its packet transmission to achieve full MITM status without terminating the link. When applied against devices establishing or using encrypted links, crafted packets may be used to terminate an existing link, but will not compromise the confidentiality or integrity of the link.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 2.9, + "exploitabilityScore": 5.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-31615" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-33096", + "dataSource": "https://ubuntu.com/security/CVE-2021-33096", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-33096" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-33096", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-33096", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20220210-0010/", + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00571.html" + ], + "description": "Improper isolation of shared resources in network on chip for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-33096" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-3714", + "dataSource": "https://ubuntu.com/security/CVE-2021-3714", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3714" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3714", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3714", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2021-3714", + "https://arxiv.org/abs/2111.08553", + "https://arxiv.org/pdf/2111.08553.pdf", + "https://bugzilla.redhat.com/show_bug.cgi?id=1931327" + ], + "description": "A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3714" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-3773", + "dataSource": "https://ubuntu.com/security/CVE-2021-3773", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3773" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3773", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3773", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2004949", + "https://citizenlab.ca/2024/07/vulnerabilities-in-vpns-paper-presented-at-the-privacy-enhancing-technologies-symposium-2024/", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3773" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-3864", + "dataSource": "https://ubuntu.com/security/CVE-2021-3864", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3864" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3864", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2021-3864", + "https://bugzilla.redhat.com/show_bug.cgi?id=2015046", + "https://lore.kernel.org/all/20211221021744.864115-1-longman%40redhat.com/", + "https://lore.kernel.org/all/20211226150310.GA992%401wt.eu/", + "https://lore.kernel.org/lkml/20211228170910.623156-1-wander%40redhat.com/", + "https://security-tracker.debian.org/tracker/CVE-2021-3864", + "https://www.openwall.com/lists/oss-security/2021/10/20/2" + ], + "description": "A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3864" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-4095", + "dataSource": "https://ubuntu.com/security/CVE-2021-4095", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-4095" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-4095", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-4095", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2022/01/17/1", + "https://bugzilla.redhat.com/show_bug.cgi?id=2031194", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIOQN7JJNN6ABIDGRSTVZA65MHRLMH2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT6573CGKVK3DU2632VVO5BVM4IU7SBV/" + ], + "description": "A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl. This flaw affects Linux kernel versions prior to 5.17-rc1.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.9, + "exploitabilityScore": 3.4, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-4095" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-46928", + "dataSource": "https://ubuntu.com/security/CVE-2021-46928", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46928" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46928", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/484730e5862f6b872dca13840bed40fd7c60fa26", + "https://git.kernel.org/stable/c/d01e9ce1af6116f812491d3d3873d204f10ae0b8", + "https://git.kernel.org/stable/c/e96373f0a5f484bc1e193f9951dcb3adf24bf3f7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Clear stale IIR value on instruction access rights trap\n\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\ncouldn't execute an instruction due to missing execute permissions on\nthe memory region. In this case it seems the CPU didn't even fetched\nthe instruction from memory and thus did not store it in the cr19 (IIR)\nregister before calling the trap handler. So, the trap handler will find\nsome random old stale value in cr19.\n\nThis patch simply overwrites the stale IIR value with a constant magic\n\"bad food\" value (0xbaadf00d), in the hope people don't start to try to\nunderstand the various random IIR values in trap 7 dumps.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46928" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-47432", + "dataSource": "https://ubuntu.com/security/CVE-2021-47432", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-47432" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-47432", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-47432", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/784d01f9bbc282abb0c5ade5beb98a87f50343ac", + "https://git.kernel.org/stable/c/9492261ff2460252cf2d8de89cdf854c7e2b28a0", + "https://git.kernel.org/stable/c/aa7f1827953100cdde0795289a80c6c077bfe437", + "https://git.kernel.org/stable/c/ec298b958cb0c40d70c68079da933c8f31c5134c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/generic-radix-tree.c: Don't overflow in peek()\n\nWhen we started spreading new inode numbers throughout most of the 64\nbit inode space, that triggered some corner case bugs, in particular\nsome integer overflows related to the radix tree code. Oops.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-47432" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-47472", + "dataSource": "https://ubuntu.com/security/CVE-2021-47472", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-47472" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-47472", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-47472", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-47472" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-47599", + "dataSource": "https://ubuntu.com/security/CVE-2021-47599", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-47599" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-47599", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-47599", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6605fd2f394bba0a0059df2b6cfc87b0b6d393a2", + "https://git.kernel.org/stable/c/e342c2558016ead462f376b6c6c2ac5efc17f3b1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: use latest_dev in btrfs_show_devname\n\nThe test case btrfs/238 reports the warning below:\n\n WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]\n CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72\n Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n Call trace:\n btrfs_show_devname+0x108/0x1b4 [btrfs]\n show_mountinfo+0x234/0x2c4\n m_show+0x28/0x34\n seq_read_iter+0x12c/0x3c4\n vfs_read+0x29c/0x2c8\n ksys_read+0x80/0xec\n __arm64_sys_read+0x28/0x34\n invoke_syscall+0x50/0xf8\n do_el0_svc+0x88/0x138\n el0_svc+0x2c/0x8c\n el0t_64_sync_handler+0x84/0xe4\n el0t_64_sync+0x198/0x19c\n\nReason:\nWhile btrfs_prepare_sprout() moves the fs_devices::devices into\nfs_devices::seed_list, the btrfs_show_devname() searches for the devices\nand found none, leading to the warning as in above.\n\nFix:\nlatest_dev is updated according to the changes to the device list.\nThat means we could use the latest_dev->name to show the device name in\n/proc/self/mounts, the pointer will be always valid as it's assigned\nbefore the device is deleted from the list in remove or replace.\nThe RCU protection is sufficient as the device structure is freed after\nsynchronization.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-47599" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-47615", + "dataSource": "https://ubuntu.com/security/CVE-2021-47615", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-47615" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-47615", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-47615", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9", + "https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701", + "https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix releasing unallocated memory in dereg MR flow\n\nFor the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though\nit is a user MR. This causes function mlx5_free_priv_descs() to think that\nit is a kernel MR, leading to wrongly accessing mr->descs that will get\nwrong values in the union which leads to attempt to release resources that\nwere not allocated in the first place.\n\nFor example:\n DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]\n WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0\n RIP: 0010:check_unmap+0x54f/0x8b0\n Call Trace:\n debug_dma_unmap_page+0x57/0x60\n mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]\n mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]\n ib_dereg_mr_user+0x60/0x140 [ib_core]\n uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]\n uobj_destroy+0x3f/0x80 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]\n ? uverbs_finalize_object+0x50/0x50 [ib_uverbs]\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquired+0x12/0x380\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquire+0xc4/0x2e0\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n ? lock_release+0x28a/0x400\n ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n __x64_sys_ioctl+0x7f/0xb0\n do_syscall_64+0x38/0x90\n\nFix it by reorganizing the dereg flow and mlx5_ib_mr structure:\n - Move the ib_umem field into the user MRs structure in the union as it's\n applicable only there.\n - Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only\n in case there isn't udata, which indicates that this isn't a user MR.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-47615" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-0400", + "dataSource": "https://ubuntu.com/security/CVE-2022-0400", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0400" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0400", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0400", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-0400", + "https://bugzilla.redhat.com/show_bug.cgi?id=2040604", + "https://bugzilla.redhat.com/show_bug.cgi?id=2044575" + ], + "description": "An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0400" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-0480", + "dataSource": "https://ubuntu.com/security/CVE-2022-0480", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0480" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0480", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0480", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-0480", + "https://bugzilla.redhat.com/show_bug.cgi?id=2049700", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0f12156dff2862ac54235fc72703f18770769042", + "https://github.com/kata-containers/kata-containers/issues/3373", + "https://lore.kernel.org/linux-mm/20210902215519.AWcuVc3li%25akpm%40linux-foundation.org/", + "https://ubuntu.com/security/CVE-2022-0480" + ], + "description": "A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0480" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-0854", + "dataSource": "https://ubuntu.com/security/CVE-2022-0854", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0854" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0854", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0854", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8&id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13", + "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html", + "https://www.debian.org/security/2022/dsa-5161", + "https://www.debian.org/security/2022/dsa-5173" + ], + "description": "A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0854" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-0995", + "dataSource": "https://ubuntu.com/security/CVE-2022-0995", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0995" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0995", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0995", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html", + "http://packetstormsecurity.com/files/166815/Watch-Queue-Out-Of-Bounds-Write.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=2063786", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb", + "https://security.netapp.com/advisory/ntap-20220429-0001/" + ], + "description": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 3.9, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0995" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-1205", + "dataSource": "https://ubuntu.com/security/CVE-2022-1205", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-1205" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-1205", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1205", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-1205", + "https://bugzilla.redhat.com/show_bug.cgi?id=2071047", + "https://github.com/torvalds/linux/commit/82e31755e55fbcea6a9dfaae5fe4860ade17cbc0", + "https://github.com/torvalds/linux/commit/fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009", + "https://www.openwall.com/lists/oss-security/2022/04/02/4" + ], + "description": "A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-1205" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-1247", + "dataSource": "https://ubuntu.com/security/CVE-2022-1247", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-1247" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-1247", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1247", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-1247", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066799" + ], + "description": "An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-1247" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-23825", + "dataSource": "https://ubuntu.com/security/CVE-2022-23825", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-23825" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-23825", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-23825", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2022/11/08/1", + "http://www.openwall.com/lists/oss-security/2022/11/10/2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSRW4LLTAT3CZMOYVNTC7YIYGX3KLED/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/", + "https://security.gentoo.org/glsa/202402-07", + "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037", + "https://www.debian.org/security/2022/dsa-5184" + ], + "description": "Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-23825" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-25265", + "dataSource": "https://ubuntu.com/security/CVE-2022-25265", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-25265" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-25265", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-25265", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/torvalds/linux/blob/1c33bb0507508af24fd754dd7123bd8e997fab2f/arch/x86/include/asm/elf.h#L281-L294", + "https://github.com/x0reaxeax/exec-prot-bypass", + "https://security.netapp.com/advisory/ntap-20220318-0005/" + ], + "description": "In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-25265" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-25836", + "dataSource": "https://ubuntu.com/security/CVE-2022-25836", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-25836" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-25836", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-25836", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + ], + "description": "Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4.0 through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when the MITM negotiates Legacy Passkey Pairing with the pairing Initiator and Secure Connections Passkey Pairing with the pairing Responder and brute forces the Passkey entered by the user into the Initiator. The MITM attacker can use the identified Passkey value to complete authentication with the Responder via Bluetooth pairing method confusion.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.2, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-25836" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-25837", + "dataSource": "https://ubuntu.com/security/CVE-2022-25837", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-25837" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-25837", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-25837", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + ], + "description": "Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when at least one device supports BR/EDR Secure Connections pairing and the other BR/EDR Legacy PIN code pairing if the MITM negotiates BR/EDR Secure Simple Pairing in Secure Connections mode using the Passkey association model with the pairing Initiator and BR/EDR Legacy PIN code pairing with the pairing Responder and brute forces the Passkey entered by the user into the Responder as a 6-digit PIN code. The MITM attacker can use the identified PIN code value as the Passkey value to complete authentication with the Initiator via Bluetooth pairing method confusion.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.2, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-25837" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-26047", + "dataSource": "https://ubuntu.com/security/CVE-2022-26047", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-26047" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-26047", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-26047", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00699.html" + ], + "description": "Improper input validation for some Intel(R) PROSet/Wireless WiFi, Intel vPro(R) CSME WiFi and Killer(TM) WiFi products may allow unauthenticated user to potentially enable denial of service via local access.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secure@intel.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 2.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-26047" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-28667", + "dataSource": "https://ubuntu.com/security/CVE-2022-28667", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-28667" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-28667", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-28667", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00687.html" + ], + "description": "Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi software before version 22.140 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secure@intel.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-28667" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-28693", + "dataSource": "https://ubuntu.com/security/CVE-2022-28693", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-28693" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-28693" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-2961", + "dataSource": "https://ubuntu.com/security/CVE-2022-2961", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-2961" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-2961", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2961", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-2961", + "https://security.netapp.com/advisory/ntap-20230214-0004/" + ], + "description": "A use-after-free flaw was found in the Linux kernel’s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-2961" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-3114", + "dataSource": "https://ubuntu.com/security/CVE-2022-3114", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3114" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3114", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3114", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2153054", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.19-rc2&id=ed713e2bc093239ccd380c2ce8ae9e4162f5c037" + ], + "description": "An issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3114" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-3238", + "dataSource": "https://ubuntu.com/security/CVE-2022-3238", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3238" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3238", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3238", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2127927" + ], + "description": "A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3238" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-3523", + "dataSource": "https://ubuntu.com/security/CVE-2022-3523", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3523" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3523", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3523", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16ce101db85db694a91380aa4c89b25530871d33", + "https://vuldb.com/?id.211020" + ], + "description": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211020.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3523" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-38096", + "dataSource": "https://ubuntu.com/security/CVE-2022-38096", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-38096" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-38096", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-38096", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", + "metrics": { + "baseScore": 6.3, + "exploitabilityScore": 2.1, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2022-38096" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-38457", + "dataSource": "https://ubuntu.com/security/CVE-2022-38457", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-38457" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-38457", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-38457", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=2074" + ], + "description": "A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", + "metrics": { + "baseScore": 6.3, + "exploitabilityScore": 2.1, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-38457" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-40133", + "dataSource": "https://ubuntu.com/security/CVE-2022-40133", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-40133" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-40133", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40133", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=2075" + ], + "description": "A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", + "metrics": { + "baseScore": 6.3, + "exploitabilityScore": 2.1, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-40133" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-41848", + "dataSource": "https://ubuntu.com/security/CVE-2022-41848", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-41848" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-41848", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-41848", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/char/pcmcia/synclink_cs.c", + "https://lore.kernel.org/lkml/20220919040251.GA302541%40ubuntu/T/#rc85e751f467b3e6f9ccef92cfa7fb8a6cc50c270" + ], + "description": "drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.2, + "exploitabilityScore": 0.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-41848" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-44032", + "dataSource": "https://ubuntu.com/security/CVE-2022-44032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-44032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-44032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-44032", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15", + "https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/", + "https://lore.kernel.org/lkml/20220919040701.GA302806%40ubuntu/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-44032" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-44033", + "dataSource": "https://ubuntu.com/security/CVE-2022-44033", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-44033" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-44033", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-44033", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15", + "https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/", + "https://lore.kernel.org/lkml/20220919040457.GA302681%40ubuntu/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-44033" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-44034", + "dataSource": "https://ubuntu.com/security/CVE-2022-44034", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-44034" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-44034", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-44034", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15", + "https://lore.kernel.org/lkml/20220916050333.GA188358%40ubuntu/", + "https://lore.kernel.org/lkml/20220919101825.GA313940%40ubuntu/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-44034" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-4543", + "dataSource": "https://ubuntu.com/security/CVE-2022-4543", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-4543" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-4543", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4543", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://www.openwall.com/lists/oss-security/2022/12/16/3", + "https://www.willsroot.io/2022/12/entrybleed.html" + ], + "description": "A flaw named \"EntryBleed\" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-4543" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-45884", + "dataSource": "https://ubuntu.com/security/CVE-2022-45884", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45884" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45884", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45884", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=627bb528b086b4136315c25d6a447a98ea9448d3", + "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/", + "https://lore.kernel.org/linux-media/20221115131822.6640-4-imv4bel%40gmail.com/", + "https://security.netapp.com/advisory/ntap-20230113-0006/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45884" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-45885", + "dataSource": "https://ubuntu.com/security/CVE-2022-45885", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45885" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45885", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45885", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6769a0b7ee0c3b31e1b22c3fadff2bfb642de23f", + "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/", + "https://lore.kernel.org/linux-media/20221115131822.6640-2-imv4bel%40gmail.com/", + "https://security.netapp.com/advisory/ntap-20230113-0006/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45885" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-45887", + "dataSource": "https://ubuntu.com/security/CVE-2022-45887", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45887" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45887", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45887", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=517a281338322ff8293f988771c98aaa7205e457", + "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/", + "https://lore.kernel.org/linux-media/20221115131822.6640-5-imv4bel%40gmail.com/", + "https://security.netapp.com/advisory/ntap-20230113-0006/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45887" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-45888", + "dataSource": "https://ubuntu.com/security/CVE-2022-45888", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45888" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45888", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45888", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=282a4b71816b6076029017a7bab3a9dcee12a920", + "https://lore.kernel.org/all/20221022175404.GA375335%40ubuntu/", + "https://security.netapp.com/advisory/ntap-20230113-0006/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45888" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48628", + "dataSource": "https://ubuntu.com/security/CVE-2022-48628", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48628" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48628", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48628", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/47f82395f04a976d4fa97de7f2acffa1c1096571", + "https://git.kernel.org/stable/c/89744b64914426cbabceb3d8a149176b5dafdfb5", + "https://git.kernel.org/stable/c/e3dfcab2080dc1f9a4b09cc1327361bc2845bfcd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: drop messages from MDS when unmounting\n\nWhen unmounting all the dirty buffers will be flushed and after\nthe last osd request is finished the last reference of the i_count\nwill be released. Then it will flush the dirty cap/snap to MDSs,\nand the unmounting won't wait the possible acks, which will ihold\nthe inodes when updating the metadata locally but makes no sense\nany more, of this. This will make the evict_inodes() to skip these\ninodes.\n\nIf encrypt is enabled the kernel generate a warning when removing\nthe encrypt keys when the skipped inodes still hold the keyring:\n\nWARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0\nCPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1\nHardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015\nRIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0\nRSP: 0018:ffffc9000b277e28 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00\nRDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000\nRBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000\nR10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40\nR13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000\nFS: 00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\ngeneric_shutdown_super+0x47/0x120\nkill_anon_super+0x14/0x30\nceph_kill_sb+0x36/0x90 [ceph]\ndeactivate_locked_super+0x29/0x60\ncleanup_mnt+0xb8/0x140\ntask_work_run+0x67/0xb0\nexit_to_user_mode_prepare+0x23d/0x240\nsyscall_exit_to_user_mode+0x25/0x60\ndo_syscall_64+0x40/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fd83dc39e9b\n\nLater the kernel will crash when iput() the inodes and dereferencing\nthe \"sb->s_master_keys\", which has been released by the\ngeneric_shutdown_super().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48628" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48631", + "dataSource": "https://ubuntu.com/security/CVE-2022-48631", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48631" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48631", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48631", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29a5b8a137ac8eb410cc823653a29ac0e7b7e1b0", + "https://git.kernel.org/stable/c/2f5e9de15e4f55fbf56f22d4a2ce406246cc462d", + "https://git.kernel.org/stable/c/958b0ee23f5ac106e7cc11472b71aa2ea9a033bc", + "https://git.kernel.org/stable/c/bb7eb3ca4b3b0d2c7872cf1a41c30f5e5bd65df0", + "https://git.kernel.org/stable/c/be4df018c0be5ebecf1ca510feacc23be415cefc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0\n\nWhen walking through an inode extents, the ext4_ext_binsearch_idx() function\nassumes that the extent header has been previously validated. However, there\nare no checks that verify that the number of entries (eh->eh_entries) is\nnon-zero when depth is > 0. And this will lead to problems because the\nEXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this:\n\n[ 135.245946] ------------[ cut here ]------------\n[ 135.247579] kernel BUG at fs/ext4/extents.c:2258!\n[ 135.249045] invalid opcode: 0000 [#1] PREEMPT SMP\n[ 135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4\n[ 135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\n[ 135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0\n[ 135.256475] Code:\n[ 135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246\n[ 135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023\n[ 135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c\n[ 135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c\n[ 135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024\n[ 135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000\n[ 135.272394] FS: 00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n[ 135.274510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0\n[ 135.277952] Call Trace:\n[ 135.278635] \n[ 135.279247] ? preempt_count_add+0x6d/0xa0\n[ 135.280358] ? percpu_counter_add_batch+0x55/0xb0\n[ 135.281612] ? _raw_read_unlock+0x18/0x30\n[ 135.282704] ext4_map_blocks+0x294/0x5a0\n[ 135.283745] ? xa_load+0x6f/0xa0\n[ 135.284562] ext4_mpage_readpages+0x3d6/0x770\n[ 135.285646] read_pages+0x67/0x1d0\n[ 135.286492] ? folio_add_lru+0x51/0x80\n[ 135.287441] page_cache_ra_unbounded+0x124/0x170\n[ 135.288510] filemap_get_pages+0x23d/0x5a0\n[ 135.289457] ? path_openat+0xa72/0xdd0\n[ 135.290332] filemap_read+0xbf/0x300\n[ 135.291158] ? _raw_spin_lock_irqsave+0x17/0x40\n[ 135.292192] new_sync_read+0x103/0x170\n[ 135.293014] vfs_read+0x15d/0x180\n[ 135.293745] ksys_read+0xa1/0xe0\n[ 135.294461] do_syscall_64+0x3c/0x80\n[ 135.295284] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis patch simply adds an extra check in __ext4_ext_check(), verifying that\neh_entries is not 0 when eh_depth is > 0.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48631" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48632", + "dataSource": "https://ubuntu.com/security/CVE-2022-48632", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48632" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48632", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b5ab5fbe69ebbee5692c72b05071a43fc0655d8", + "https://git.kernel.org/stable/c/48ee0a864d1af02eea98fc825cc230d61517a71e", + "https://git.kernel.org/stable/c/dc2a0c587006f29b724069740c48654b9dcaebd2", + "https://git.kernel.org/stable/c/de24aceb07d426b6f1c59f33889d6a964770547b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()\n\nmemcpy() is called in a loop while 'operation->length' upper bound\nis not checked and 'data_idx' also increments.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48632" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48633", + "dataSource": "https://ubuntu.com/security/CVE-2022-48633", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48633" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48633", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48633", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/55c077d97fa67e9f19952bb24122a8316b089474", + "https://git.kernel.org/stable/c/b6f25c3b94f2aadbf5cbef954db4073614943d74" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix WARN_ON(lock->magic != lock) error\n\npsb_gem_unpin() calls dma_resv_lock() but the underlying ww_mutex\ngets destroyed by drm_gem_object_release() move the\ndrm_gem_object_release() call in psb_gem_free_object() to after\nthe unpin to fix the below warning:\n\n[ 79.693962] ------------[ cut here ]------------\n[ 79.693992] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n[ 79.694015] WARNING: CPU: 0 PID: 240 at kernel/locking/mutex.c:582 __ww_mutex_lock.constprop.0+0x569/0xfb0\n[ 79.694052] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer qrtr bnep ath9k ath9k_common ath9k_hw snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel ath3k snd_intel_dspcfg mac80211 snd_intel_sdw_acpi btusb snd_hda_codec btrtl btbcm btintel btmtk bluetooth at24 snd_hda_core snd_hwdep uvcvideo snd_seq libarc4 videobuf2_vmalloc ath videobuf2_memops videobuf2_v4l2 videobuf2_common snd_seq_device videodev acer_wmi intel_powerclamp coretemp mc snd_pcm joydev sparse_keymap ecdh_generic pcspkr wmi_bmof cfg80211 i2c_i801 i2c_smbus snd_timer snd r8169 rfkill lpc_ich soundcore acpi_cpufreq zram rtsx_pci_sdmmc mmc_core serio_raw rtsx_pci gma500_gfx(E) video wmi ip6_tables ip_tables i2c_dev fuse\n[ 79.694436] CPU: 0 PID: 240 Comm: plymouthd Tainted: G W E 6.0.0-rc3+ #490\n[ 79.694457] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[ 79.694469] RIP: 0010:__ww_mutex_lock.constprop.0+0x569/0xfb0\n[ 79.694496] Code: ff 85 c0 0f 84 15 fb ff ff 8b 05 ca 3c 11 01 85 c0 0f 85 07 fb ff ff 48 c7 c6 30 cb 84 aa 48 c7 c7 a3 e1 82 aa e8 ac 29 f8 ff <0f> 0b e9 ed fa ff ff e8 5b 83 8a ff 85 c0 74 10 44 8b 0d 98 3c 11\n[ 79.694513] RSP: 0018:ffffad1dc048bbe0 EFLAGS: 00010282\n[ 79.694623] RAX: 0000000000000028 RBX: 0000000000000000 RCX: 0000000000000000\n[ 79.694636] RDX: 0000000000000001 RSI: ffffffffaa8b0ffc RDI: 00000000ffffffff\n[ 79.694650] RBP: ffffad1dc048bc80 R08: 0000000000000000 R09: ffffad1dc048ba90\n[ 79.694662] R10: 0000000000000003 R11: ffffffffaad62fe8 R12: ffff9ff302103138\n[ 79.694675] R13: ffff9ff306ec8000 R14: ffff9ff307779078 R15: ffff9ff3014c0270\n[ 79.694690] FS: 00007ff1cccf1740(0000) GS:ffff9ff3bc200000(0000) knlGS:0000000000000000\n[ 79.694705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 79.694719] CR2: 0000559ecbcb4420 CR3: 0000000013210000 CR4: 00000000000006f0\n[ 79.694734] Call Trace:\n[ 79.694749] \n[ 79.694761] ? __schedule+0x47f/0x1670\n[ 79.694796] ? psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\n[ 79.694830] ? lock_is_held_type+0xe3/0x140\n[ 79.694864] ? ww_mutex_lock+0x38/0xa0\n[ 79.694885] ? __cond_resched+0x1c/0x30\n[ 79.694902] ww_mutex_lock+0x38/0xa0\n[ 79.694925] psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\n[ 79.694964] psb_gem_unpin+0x199/0x1a0 [gma500_gfx]\n[ 79.694996] drm_gem_object_release_handle+0x50/0x60\n[ 79.695020] ? drm_gem_object_handle_put_unlocked+0xf0/0xf0\n[ 79.695042] idr_for_each+0x4b/0xb0\n[ 79.695066] ? _raw_spin_unlock_irqrestore+0x30/0x60\n[ 79.695095] drm_gem_release+0x1c/0x30\n[ 79.695118] drm_file_free.part.0+0x1ea/0x260\n[ 79.695150] drm_release+0x6a/0x120\n[ 79.695175] __fput+0x9f/0x260\n[ 79.695203] task_work_run+0x59/0xa0\n[ 79.695227] do_exit+0x387/0xbe0\n[ 79.695250] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90\n[ 79.695275] ? lockdep_hardirqs_on+0x7d/0x100\n[ 79.695304] do_group_exit+0x33/0xb0\n[ 79.695331] __x64_sys_exit_group+0x14/0x20\n[ 79.695353] do_syscall_64+0x58/0x80\n[ 79.695376] ? up_read+0x17/0x20\n[ 79.695401] ? lock_is_held_type+0xe3/0x140\n[ 79.695429] ? asm_exc_page_fault+0x22/0x30\n[ 79.695450] ? lockdep_hardirqs_on+0x7d/0x100\n[ 79.695473] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 79.695493] RIP: 0033:0x7ff1ccefe3f1\n[ 79.695516] Code: Unable to access opcode bytes at RIP 0x7ff1ccefe3c7.\n[ 79.695607] RSP: 002b:00007ffed4413378 EFLAGS: \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48633" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48634", + "dataSource": "https://ubuntu.com/security/CVE-2022-48634", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48634" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48634", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48634", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/63e37a79f7bd939314997e29c2f5a9f0ef184281", + "https://git.kernel.org/stable/c/a6ed7624bf4d0a32f2631e74828bca7b7bf15afd", + "https://git.kernel.org/stable/c/c5812807e416618477d1bb0049727ce8bb8292fd", + "https://git.kernel.org/stable/c/e5ae504c8623476e13032670f1a6d6344d53ec9b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix BUG: sleeping function called from invalid context errors\n\ngma_crtc_page_flip() was holding the event_lock spinlock while calling\ncrtc_funcs->mode_set_base() which takes ww_mutex.\n\nThe only reason to hold event_lock is to clear gma_crtc->page_flip_event\non mode_set_base() errors.\n\nInstead unlock it after setting gma_crtc->page_flip_event and on\nerrors re-take the lock and clear gma_crtc->page_flip_event it\nit is still set.\n\nThis fixes the following WARN/stacktrace:\n\n[ 512.122953] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:870\n[ 512.123004] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1253, name: gnome-shell\n[ 512.123031] preempt_count: 1, expected: 0\n[ 512.123048] RCU nest depth: 0, expected: 0\n[ 512.123066] INFO: lockdep is turned off.\n[ 512.123080] irq event stamp: 0\n[ 512.123094] hardirqs last enabled at (0): [<0000000000000000>] 0x0\n[ 512.123134] hardirqs last disabled at (0): [] copy_process+0x9fc/0x1de0\n[ 512.123176] softirqs last enabled at (0): [] copy_process+0x9fc/0x1de0\n[ 512.123207] softirqs last disabled at (0): [<0000000000000000>] 0x0\n[ 512.123233] Preemption disabled at:\n[ 512.123241] [<0000000000000000>] 0x0\n[ 512.123275] CPU: 3 PID: 1253 Comm: gnome-shell Tainted: G W 5.19.0+ #1\n[ 512.123304] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[ 512.123323] Call Trace:\n[ 512.123346] \n[ 512.123370] dump_stack_lvl+0x5b/0x77\n[ 512.123412] __might_resched.cold+0xff/0x13a\n[ 512.123458] ww_mutex_lock+0x1e/0xa0\n[ 512.123495] psb_gem_pin+0x2c/0x150 [gma500_gfx]\n[ 512.123601] gma_pipe_set_base+0x76/0x240 [gma500_gfx]\n[ 512.123708] gma_crtc_page_flip+0x95/0x130 [gma500_gfx]\n[ 512.123808] drm_mode_page_flip_ioctl+0x57d/0x5d0\n[ 512.123897] ? drm_mode_cursor2_ioctl+0x10/0x10\n[ 512.123936] drm_ioctl_kernel+0xa1/0x150\n[ 512.123984] drm_ioctl+0x21f/0x420\n[ 512.124025] ? drm_mode_cursor2_ioctl+0x10/0x10\n[ 512.124070] ? rcu_read_lock_bh_held+0xb/0x60\n[ 512.124104] ? lock_release+0x1ef/0x2d0\n[ 512.124161] __x64_sys_ioctl+0x8d/0xd0\n[ 512.124203] do_syscall_64+0x58/0x80\n[ 512.124239] ? do_syscall_64+0x67/0x80\n[ 512.124267] ? trace_hardirqs_on_prepare+0x55/0xe0\n[ 512.124300] ? do_syscall_64+0x67/0x80\n[ 512.124340] ? rcu_read_lock_sched_held+0x10/0x80\n[ 512.124377] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 512.124411] RIP: 0033:0x7fcc4a70740f\n[ 512.124442] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00\n[ 512.124470] RSP: 002b:00007ffda73f5390 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 512.124503] RAX: ffffffffffffffda RBX: 000055cc9e474500 RCX: 00007fcc4a70740f\n[ 512.124524] RDX: 00007ffda73f5420 RSI: 00000000c01864b0 RDI: 0000000000000009\n[ 512.124544] RBP: 00007ffda73f5420 R08: 000055cc9c0b0cb0 R09: 0000000000000034\n[ 512.124564] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c01864b0\n[ 512.124584] R13: 0000000000000009 R14: 000055cc9df484d0 R15: 000055cc9af5d0c0\n[ 512.124647] ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48634" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48635", + "dataSource": "https://ubuntu.com/security/CVE-2022-48635", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48635" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48635", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48635", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/17d9c15c9b9e7fb285f7ac5367dfb5f00ff575e3", + "https://git.kernel.org/stable/c/60644dffac87b1bb47bdb393aa29d5f2ffcf41a0", + "https://git.kernel.org/stable/c/929ef155e1da41c06f4d8ca86ae12b851a83a744" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsdax: Fix infinite loop in dax_iomap_rw()\n\nI got an infinite loop and a WARNING report when executing a tail command\nin virtiofs.\n\n WARNING: CPU: 10 PID: 964 at fs/iomap/iter.c:34 iomap_iter+0x3a2/0x3d0\n Modules linked in:\n CPU: 10 PID: 964 Comm: tail Not tainted 5.19.0-rc7\n Call Trace:\n \n dax_iomap_rw+0xea/0x620\n ? __this_cpu_preempt_check+0x13/0x20\n fuse_dax_read_iter+0x47/0x80\n fuse_file_read_iter+0xae/0xd0\n new_sync_read+0xfe/0x180\n ? 0xffffffff81000000\n vfs_read+0x14d/0x1a0\n ksys_read+0x6d/0xf0\n __x64_sys_read+0x1a/0x20\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe tail command will call read() with a count of 0. In this case,\niomap_iter() will report this WARNING, and always return 1 which casuing\nthe infinite loop in dax_iomap_rw().\n\nFixing by checking count whether is 0 in dax_iomap_rw().", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48635" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48636", + "dataSource": "https://ubuntu.com/security/CVE-2022-48636", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48636" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48636", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48636", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2e473351400e3dd66f0b71eddcef82ee45a584c1", + "https://git.kernel.org/stable/c/49f401a98b318761ca2e15d4c7869a20043fbed4", + "https://git.kernel.org/stable/c/650a2e79d176db753654d3dde88e53a2033036ac", + "https://git.kernel.org/stable/c/aaba5ff2742043705bc4c02fd0b2b246e2e16da1", + "https://git.kernel.org/stable/c/d3a67c21b18f33c79382084af556557c442f12a6", + "https://git.kernel.org/stable/c/d86b4267834e6d4af62e3073e48166e349ab1b70", + "https://git.kernel.org/stable/c/db7ba07108a48c0f95b74fabbfd5d63e924f992d", + "https://git.kernel.org/stable/c/f5fcc9d6d71d9ff7fdbdd4b89074e6e24fffc20b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup\n\nFix Oops in dasd_alias_get_start_dev() function caused by the pavgroup\npointer being NULL.\n\nThe pavgroup pointer is checked on the entrance of the function but\nwithout the lcu->lock being held. Therefore there is a race window\nbetween dasd_alias_get_start_dev() and _lcu_update() which sets\npavgroup to NULL with the lcu->lock held.\n\nFix by checking the pavgroup pointer with lcu->lock held.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48636" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48637", + "dataSource": "https://ubuntu.com/security/CVE-2022-48637", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48637" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48637", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48637", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08483e4c0c83b221b8891434a04cec405dee94a6", + "https://git.kernel.org/stable/c/32afa1f23e42cc635ccf4c39f24514d03d1e8338", + "https://git.kernel.org/stable/c/c31f26c8f69f776759cbbdfb38e40ea91aa0dd65" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: prevent skb UAF after handing over to PTP worker\n\nWhen reading the timestamp is required bnxt_tx_int() hands\nover the ownership of the completed skb to the PTP worker.\nThe skb should not be used afterwards, as the worker may\nrun before the rest of our code and free the skb, leading\nto a use-after-free.\n\nSince dev_kfree_skb_any() accepts NULL make the loss of\nownership more obvious and set skb to NULL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48637" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48638", + "dataSource": "https://ubuntu.com/security/CVE-2022-48638", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48638" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48638", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48638", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e9571887f97b17cf3ffe9aa4da89090ea60988b", + "https://git.kernel.org/stable/c/8484a356cee8ce3d6a8e6266ff99be326e9273ad", + "https://git.kernel.org/stable/c/df02452f3df069a59bc9e69c84435bf115cb6e37" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: cgroup_get_from_id() must check the looked-up kn is a directory\n\ncgroup has to be one kernfs dir, otherwise kernel panic is caused,\nespecially cgroup id is provide from userspace.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48638" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48639", + "dataSource": "https://ubuntu.com/security/CVE-2022-48639", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48639" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48639", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48639", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0559d91ee3a2cd81b15ad5cd507539d6da867f88", + "https://git.kernel.org/stable/c/8844c750eeb03452e2b3319c27a526f447b82596", + "https://git.kernel.org/stable/c/903f7d322c17d8e306d766404b4604e81653902a", + "https://git.kernel.org/stable/c/c2e1cfefcac35e0eea229e148c8284088ce437b5", + "https://git.kernel.org/stable/c/f8162aed962be8fa07445b2b5928e84ab40dd8d7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix possible refcount leak in tc_new_tfilter()\n\ntfilter_put need to be called to put the refount got by tp->ops->get to\navoid possible refcount leak when chain->tmplt_ops != NULL and\nchain->tmplt_ops != tp->ops.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48639" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48640", + "dataSource": "https://ubuntu.com/security/CVE-2022-48640", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48640" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48640", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48640", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e400d602f46360752e4b32ce842dba3808e15e6", + "https://git.kernel.org/stable/c/2c8e8ab53acfc78da0b4a65f30cb5d306e7d78f7", + "https://git.kernel.org/stable/c/ec3a6f4ffe556a28f6f5028bf7c4412557e7051b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix NULL deref in bond_rr_gen_slave_id\n\nFix a NULL dereference of the struct bonding.rr_tx_counter member because\nif a bond is initially created with an initial mode != zero (Round Robin)\nthe memory required for the counter is never created and when the mode is\nchanged there is never any attempt to verify the memory is allocated upon\nswitching modes.\n\nThis causes the following Oops on an aarch64 machine:\n [ 334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000\n [ 334.694703] Mem abort info:\n [ 334.697486] ESR = 0x0000000096000004\n [ 334.701234] EC = 0x25: DABT (current EL), IL = 32 bits\n [ 334.706536] SET = 0, FnV = 0\n [ 334.709579] EA = 0, S1PTW = 0\n [ 334.712719] FSC = 0x04: level 0 translation fault\n [ 334.717586] Data abort info:\n [ 334.720454] ISV = 0, ISS = 0x00000004\n [ 334.724288] CM = 0, WnR = 0\n [ 334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000\n [ 334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000\n [ 334.740734] Internal error: Oops: 96000004 [#1] SMP\n [ 334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon\n [ 334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4\n [ 334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021\n [ 334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n [ 334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]\n [ 334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n [ 334.807962] sp : ffff8000221733e0\n [ 334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c\n [ 334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000\n [ 334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0\n [ 334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014\n [ 334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62\n [ 334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000\n [ 334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec\n [ 334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742\n [ 334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400\n [ 334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0\n [ 334.882532] Call trace:\n [ 334.884967] bond_rr_gen_slave_id+0x40/0x124 [bonding]\n [ 334.890109] bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n [ 334.896033] __bond_start_xmit+0x128/0x3a0 [bonding]\n [ 334.901001] bond_start_xmit+0x54/0xb0 [bonding]\n [ 334.905622] dev_hard_start_xmit+0xb4/0x220\n [ 334.909798] __dev_queue_xmit+0x1a0/0x720\n [ 334.913799] arp_xmit+0x3c/0xbc\n [ 334.916932] arp_send_dst+0x98/0xd0\n [ 334.920410] arp_solicit+0xe8/0x230\n [ 334.923888] neigh_probe+0x60/0xb0\n [ 334.927279] __neigh_event_send+0x3b0/0x470\n [ 334.931453] neigh_resolve_output+0x70/0x90\n [ 334.935626] ip_finish_output2+0x158/0x514\n [ 334.939714] __ip_finish_output+0xac/0x1a4\n [ 334.943800] ip_finish_output+0x40/0xfc\n [ 334.947626] ip_output+0xf8/0x1a4\n [ 334.950931] ip_send_skb+0x5c/0x100\n [ 334.954410] ip_push_pending_frames+0x3c/0x60\n [ 334.958758] raw_sendmsg+0x458/0x6d0\n [ 334.962325] inet_sendmsg+0x50/0x80\n [ 334.965805] sock_sendmsg+0x60/0x6c\n [ 334.969286] __sys_sendto+0xc8/0x134\n [ 334.972853] __arm64_sys_sendto+0x34/0x4c\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48640" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48641", + "dataSource": "https://ubuntu.com/security/CVE-2022-48641", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48641" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48641", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48641", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/11ebf32fde46572b0aaf3c2bdd97d923ef5a03ab", + "https://git.kernel.org/stable/c/1e98318af2f163eadaff815abcef38d27ca92c1e", + "https://git.kernel.org/stable/c/38cf372b17f0a5f35c1b716a100532d539f0eb33", + "https://git.kernel.org/stable/c/62ce44c4fff947eebdf10bb582267e686e6835c9", + "https://git.kernel.org/stable/c/754e8b74281dd54a324698803483f47cf3355ae1", + "https://git.kernel.org/stable/c/d5917b7af7cae0e2804f9d127a03268035098b7f", + "https://git.kernel.org/stable/c/ebd97dbe3c55d68346b9c5fb00634a7f5b10bbee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix memory leak when blob is malformed\n\nThe bug fix was incomplete, it \"replaced\" crash with a memory leak.\nThe old code had an assignment to \"ret\" embedded into the conditional,\nrestore this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48641" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48642", + "dataSource": "https://ubuntu.com/security/CVE-2022-48642", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48642" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48642", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48642", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08d7524f366a886b99b1630a24a27dd6e0d7f852", + "https://git.kernel.org/stable/c/985b031667c3177b9e7fb9787b989628e4271714", + "https://git.kernel.org/stable/c/9a4d6dd554b86e65581ef6b6638a39ae079b17ac", + "https://git.kernel.org/stable/c/b043a525a3f5520abb676a7cd8f6328fdf959e88" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix percpu memory leak at nf_tables_addchain()\n\nIt seems to me that percpu memory for chain stats started leaking since\ncommit 3bc158f8d0330f0a (\"netfilter: nf_tables: map basechain priority to\nhardware priority\") when nft_chain_offload_priority() returned an error.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48642" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48643", + "dataSource": "https://ubuntu.com/security/CVE-2022-48643", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48643" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48643", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48643", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/710e3f526bd23a0d33435dedc52c3144de284378", + "https://git.kernel.org/stable/c/8bcad2a931313aeba076b76922d5813ef97d0a91", + "https://git.kernel.org/stable/c/91aa52652f4b37089aff3cb53e83049d826fef6d", + "https://git.kernel.org/stable/c/921ebde3c0d22c8cba74ce8eb3cc4626abff1ccd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix nft_counters_enabled underflow at nf_tables_addchain()\n\nsyzbot is reporting underflow of nft_counters_enabled counter at\nnf_tables_addchain() [1], for commit 43eb8949cfdffa76 (\"netfilter:\nnf_tables: do not leave chain stats enabled on error\") missed that\nnf_tables_chain_destroy() after nft_basechain_init() in the error path of\nnf_tables_addchain() decrements the counter because nft_basechain_init()\nmakes nft_is_base_chain() return true by setting NFT_CHAIN_BASE flag.\n\nIncrement the counter immediately after returning from\nnft_basechain_init().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48643" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48644", + "dataSource": "https://ubuntu.com/security/CVE-2022-48644", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48644" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48644", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48644", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb", + "https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323", + "https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76", + "https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92", + "https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: avoid disabling offload when it was never enabled\n\nIn an incredibly strange API design decision, qdisc->destroy() gets\ncalled even if qdisc->init() never succeeded, not exclusively since\ncommit 87b60cfacf9f (\"net_sched: fix error recovery at qdisc creation\"),\nbut apparently also earlier (in the case of qdisc_create_dflt()).\n\nThe taprio qdisc does not fully acknowledge this when it attempts full\noffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in\ntaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS\nparsed from netlink (in taprio_change(), tail called from taprio_init()).\n\nBut in taprio_destroy(), we call taprio_disable_offload(), and this\ndetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).\n\nBut looking at the implementation of FULL_OFFLOAD_IS_ENABLED()\n(a bitwise check of bit 1 in q->flags), it is invalid to call this macro\non q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set\nto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on\nan invalid set of flags.\n\nAs a result, it is possible to crash the kernel if user space forces an\nerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling\nof taprio_enable_offload(). This is because drivers do not expect the\noffload to be disabled when it was never enabled.\n\nThe error that we force here is to attach taprio as a non-root qdisc,\nbut instead as child of an mqprio root qdisc:\n\n$ tc qdisc add dev swp0 root handle 1: \\\n\tmqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc qdisc replace dev swp0 parent 1:1 \\\n\ttaprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 990000 sched-entry S 0x80 100000 \\\n\tflags 0x0 clockid CLOCK_TAI\nUnable to handle kernel paging request at virtual address fffffffffffffff8\n[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCall trace:\n taprio_dump+0x27c/0x310\n vsc9959_port_setup_tc+0x1f4/0x460\n felix_port_setup_tc+0x24/0x3c\n dsa_slave_setup_tc+0x54/0x27c\n taprio_disable_offload.isra.0+0x58/0xe0\n taprio_destroy+0x80/0x104\n qdisc_create+0x240/0x470\n tc_modify_qdisc+0x1fc/0x6b0\n rtnetlink_rcv_msg+0x12c/0x390\n netlink_rcv_skb+0x5c/0x130\n rtnetlink_rcv+0x1c/0x2c\n\nFix this by keeping track of the operations we made, and undo the\noffload only if we actually did it.\n\nI've added \"bool offloaded\" inside a 4 byte hole between \"int clockid\"\nand \"atomic64_t picos_per_byte\". Now the first cache line looks like\nbelow:\n\n$ pahole -C taprio_sched net/sched/sch_taprio.o\nstruct taprio_sched {\n struct Qdisc * * qdiscs; /* 0 8 */\n struct Qdisc * root; /* 8 8 */\n u32 flags; /* 16 4 */\n enum tk_offsets tk_offset; /* 20 4 */\n int clockid; /* 24 4 */\n bool offloaded; /* 28 1 */\n\n /* XXX 3 bytes hole, try to pack */\n\n atomic64_t picos_per_byte; /* 32 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n spinlock_t current_entry_lock; /* 40 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n struct sched_entry * current_entry; /* 48 8 */\n struct sched_gate_list * oper_sched; /* 56 8 */\n /* --- cacheline 1 boundary (64 bytes) --- */", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48644" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48645", + "dataSource": "https://ubuntu.com/security/CVE-2022-48645", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48645" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48645", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48645", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/23022b74b1a23bed044f6bc96cf92f6ca5f3e75f", + "https://git.kernel.org/stable/c/510e703e4ed0e011db860bc21228aff48fc9eea7", + "https://git.kernel.org/stable/c/5641c751fe2f92d3d9e8a8e03c1263ac8caa0b42" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: deny offload of tc-based TSN features on VF interfaces\n\nTSN features on the ENETC (taprio, cbs, gate, police) are configured\nthrough a mix of command BD ring messages and port registers:\nenetc_port_rd(), enetc_port_wr().\n\nPort registers are a region of the ENETC memory map which are only\naccessible from the PCIe Physical Function. They are not accessible from\nthe Virtual Functions.\n\nMoreover, attempting to access these registers crashes the kernel:\n\n$ echo 1 > /sys/bus/pci/devices/0000\\:00\\:00.0/sriov_numvfs\npci 0000:00:01.0: [1957:ef00] type 00 class 0x020001\nfsl_enetc_vf 0000:00:01.0: Adding to iommu group 15\nfsl_enetc_vf 0000:00:01.0: enabling device (0000 -> 0002)\nfsl_enetc_vf 0000:00:01.0 eno0vf0: renamed from eth0\n$ tc qdisc replace dev eno0vf0 root taprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 900000 sched-entry S 0x80 100000 flags 0x2\nUnable to handle kernel paging request at virtual address ffff800009551a08\nInternal error: Oops: 96000007 [#1] PREEMPT SMP\npc : enetc_setup_tc_taprio+0x170/0x47c\nlr : enetc_setup_tc_taprio+0x16c/0x47c\nCall trace:\n enetc_setup_tc_taprio+0x170/0x47c\n enetc_setup_tc+0x38/0x2dc\n taprio_change+0x43c/0x970\n taprio_init+0x188/0x1e0\n qdisc_create+0x114/0x470\n tc_modify_qdisc+0x1fc/0x6c0\n rtnetlink_rcv_msg+0x12c/0x390\n\nSplit enetc_setup_tc() into separate functions for the PF and for the\nVF drivers. Also remove enetc_qos.o from being included into\nenetc-vf.ko, since it serves absolutely no purpose there.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48645" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48646", + "dataSource": "https://ubuntu.com/security/CVE-2022-48646", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48646" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48646", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48646", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/589c6eded10c77a12b7b2cf235b6b19a2bdb91fa", + "https://git.kernel.org/stable/c/a4eadca702dff0768dd01be6789bbec2a18e5b0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc/siena: fix null pointer dereference in efx_hard_start_xmit\n\nLike in previous patch for sfc, prevent potential (but unlikely) NULL\npointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48646" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48647", + "dataSource": "https://ubuntu.com/security/CVE-2022-48647", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48647" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48647", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48647", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/360910b88d1466a90644a4e0533803b594344a2b", + "https://git.kernel.org/stable/c/5f623a77cfc2d501d72bcb4f9ee71721e6c766ff", + "https://git.kernel.org/stable/c/b4afd3878f961d3517f27b3213730fceef77945c", + "https://git.kernel.org/stable/c/f232af4295653afa4ade3230462b3be15ad16419" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix TX channel offset when using legacy interrupts\n\nIn legacy interrupt mode the tx_channel_offset was hardcoded to 1, but\nthat's not correct if efx_sepparate_tx_channels is false. In that case,\nthe offset is 0 because the tx queues are in the single existing channel\nat index 0, together with the rx queue.\n\nWithout this fix, as soon as you try to send any traffic, it tries to\nget the tx queues from an uninitialized channel getting these errors:\n WARNING: CPU: 1 PID: 0 at drivers/net/ethernet/sfc/tx.c:540 efx_hard_start_xmit+0x12e/0x170 [sfc]\n [...]\n RIP: 0010:efx_hard_start_xmit+0x12e/0x170 [sfc]\n [...]\n Call Trace:\n \n dev_hard_start_xmit+0xd7/0x230\n sch_direct_xmit+0x9f/0x360\n __dev_queue_xmit+0x890/0xa40\n [...]\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n [...]\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]\n [...]\n Call Trace:\n \n dev_hard_start_xmit+0xd7/0x230\n sch_direct_xmit+0x9f/0x360\n __dev_queue_xmit+0x890/0xa40\n [...]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48647" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48648", + "dataSource": "https://ubuntu.com/security/CVE-2022-48648", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48648" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48648", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48648", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a242eb2913a4aa3d6fbdb86559f27628e9466f3", + "https://git.kernel.org/stable/c/8547c7bfc0617e7184e4da65b9b96681fcfe9998", + "https://git.kernel.org/stable/c/b3b41d4d95d3822b2e459ecbc80d030ea6aec5e7", + "https://git.kernel.org/stable/c/b3b952168ee1f220ba729fa100fd9d5aa752eb03" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix null pointer dereference in efx_hard_start_xmit\n\nTrying to get the channel from the tx_queue variable here is wrong\nbecause we can only be here if tx_queue is NULL, so we shouldn't\ndereference it. As the above comment in the code says, this is very\nunlikely to happen, but it's wrong anyway so let's fix it.\n\nI hit this issue because of a different bug that caused tx_queue to be\nNULL. If that happens, this is the error message that we get here:\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n [...]\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48648" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48650", + "dataSource": "https://ubuntu.com/security/CVE-2022-48650", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48650" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48650", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48650", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/601be20fc6a1b762044d2398befffd6bf236cebf", + "https://git.kernel.org/stable/c/6a4236ed47f5b0a57eb6b8fb1c351b15b3d341d7", + "https://git.kernel.org/stable/c/89df49e561b4a8948521fc3f8a013012eaa08f82" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()\n\nCommit 8f394da36a36 (\"scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG\")\nmade the __qlt_24xx_handle_abts() function return early if\ntcm_qla2xxx_find_cmd_by_tag() didn't find a command, but it missed to clean\nup the allocated memory for the management command.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48650" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48651", + "dataSource": "https://ubuntu.com/security/CVE-2022-48651", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48651" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48651", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48651", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca", + "https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be", + "https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4", + "https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7", + "https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638", + "https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241", + "https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef", + "https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Fix out-of-bound bugs caused by unset skb->mac_header\n\nIf an AF_PACKET socket is used to send packets through ipvlan and the\ndefault xmit function of the AF_PACKET socket is changed from\ndev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option\nname of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and\nremains as the initial value of 65535, this may trigger slab-out-of-bounds\nbugs as following:\n\n=================================================================\nUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6\nardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33\nall Trace:\nprint_address_description.constprop.0+0x1d/0x160\nprint_report.cold+0x4f/0x112\nkasan_report+0xa3/0x130\nipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nipvlan_start_xmit+0x29/0xa0 [ipvlan]\n__dev_direct_xmit+0x2e2/0x380\npacket_direct_xmit+0x22/0x60\npacket_snd+0x7c9/0xc40\nsock_sendmsg+0x9a/0xa0\n__sys_sendto+0x18a/0x230\n__x64_sys_sendto+0x74/0x90\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is:\n 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW\n and skb->protocol is not specified as in packet_parse_headers()\n\n 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()\n\nIn this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is\ncalled. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which\nuse \"skb->head + skb->mac_header\", out-of-bound access occurs.\n\nThis patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()\nand reset mac header in multicast to solve this out-of-bound bug.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "metrics": { + "baseScore": 7.7, + "exploitabilityScore": 2.5, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48651" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48653", + "dataSource": "https://ubuntu.com/security/CVE-2022-48653", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48653" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48653", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48653", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/149979e87eb7a365d3d0b259bed79d84ff585a93", + "https://git.kernel.org/stable/c/23c619190318376769ad7b61504c2ea0703fb783", + "https://git.kernel.org/stable/c/34447d64b8d28e4d6a73d73f07c879959d68fbfe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't double unplug aux on peer initiated reset\n\nIn the IDC callback that is accessed when the aux drivers request a reset,\nthe function to unplug the aux devices is called. This function is also\ncalled in the ice_prepare_for_reset function. This double call is causing\na \"scheduling while atomic\" BUG.\n\n[ 662.676430] ice 0000:4c:00.0 rocep76s0: cqp opcode = 0x1 maj_err_code = 0xffff min_err_code = 0x8003\n\n[ 662.676609] ice 0000:4c:00.0 rocep76s0: [Modify QP Cmd Error][op_code=8] status=-29 waiting=1 completion_err=1 maj=0xffff min=0x8003\n\n[ 662.815006] ice 0000:4c:00.0 rocep76s0: ICE OICR event notification: oicr = 0x10000003\n\n[ 662.815014] ice 0000:4c:00.0 rocep76s0: critical PE Error, GLPE_CRITERR=0x00011424\n\n[ 662.815017] ice 0000:4c:00.0 rocep76s0: Requesting a reset\n\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\n\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\n[ 662.815477] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill 8021q garp mrp stp llc vfat fat rpcrdma intel_rapl_msr intel_rapl_common sunrpc i10nm_edac rdma_ucm nfit ib_srpt libnvdimm ib_isert iscsi_target_mod x86_pkg_temp_thermal intel_powerclamp coretemp target_core_mod snd_hda_intel ib_iser snd_intel_dspcfg libiscsi snd_intel_sdw_acpi scsi_transport_iscsi kvm_intel iTCO_wdt rdma_cm snd_hda_codec kvm iw_cm ipmi_ssif iTCO_vendor_support snd_hda_core irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hwdep snd_seq snd_seq_device rapl snd_pcm snd_timer isst_if_mbox_pci pcspkr isst_if_mmio irdma intel_uncore idxd acpi_ipmi joydev isst_if_common snd mei_me idxd_bus ipmi_si soundcore i2c_i801 mei ipmi_devintf i2c_smbus i2c_ismt ipmi_msghandler acpi_power_meter acpi_pad rv(OE) ib_uverbs ib_cm ib_core xfs libcrc32c ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm_ttm_helpe\n r ttm\n[ 662.815546] nvme nvme_core ice drm crc32c_intel i40e t10_pi wmi pinctrl_emmitsburg dm_mirror dm_region_hash dm_log dm_mod fuse\n[ 662.815557] Preemption disabled at:\n[ 662.815558] [<0000000000000000>] 0x0\n[ 662.815563] CPU: 37 PID: 0 Comm: swapper/37 Kdump: loaded Tainted: G S OE 5.17.1 #2\n[ 662.815566] Hardware name: Intel Corporation D50DNP/D50DNP, BIOS SE5C6301.86B.6624.D18.2111021741 11/02/2021\n[ 662.815568] Call Trace:\n[ 662.815572] \n[ 662.815574] dump_stack_lvl+0x33/0x42\n[ 662.815581] __schedule_bug.cold.147+0x7d/0x8a\n[ 662.815588] __schedule+0x798/0x990\n[ 662.815595] schedule+0x44/0xc0\n[ 662.815597] schedule_preempt_disabled+0x14/0x20\n[ 662.815600] __mutex_lock.isra.11+0x46c/0x490\n[ 662.815603] ? __ibdev_printk+0x76/0xc0 [ib_core]\n[ 662.815633] device_del+0x37/0x3d0\n[ 662.815639] ice_unplug_aux_dev+0x1a/0x40 [ice]\n[ 662.815674] ice_schedule_reset+0x3c/0xd0 [ice]\n[ 662.815693] irdma_iidc_event_handler.cold.7+0xb6/0xd3 [irdma]\n[ 662.815712] ? bitmap_find_next_zero_area_off+0x45/0xa0\n[ 662.815719] ice_send_event_to_aux+0x54/0x70 [ice]\n[ 662.815741] ice_misc_intr+0x21d/0x2d0 [ice]\n[ 662.815756] __handle_irq_event_percpu+0x4c/0x180\n[ 662.815762] handle_irq_event_percpu+0xf/0x40\n[ 662.815764] handle_irq_event+0x34/0x60\n[ 662.815766] handle_edge_irq+0x9a/0x1c0\n[ 662.815770] __common_interrupt+0x62/0x100\n[ 662.815774] common_interrupt+0xb4/0xd0\n[ 662.815779] \n[ 662.815780] \n[ 662.815780] asm_common_interrupt+0x1e/0x40\n[ 662.815785] RIP: 0010:cpuidle_enter_state+0xd6/0x380\n[ 662.815789] Code: 49 89 c4 0f 1f 44 00 00 31 ff e8 65 d7 95 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 64 02 00 00 31 ff e8 ae c5 9c ff fb 45 85 f6 <0f> 88 12 01 00 00 49 63 d6 4c 2b 24 24 48 8d 04 52 48 8d 04 82 49\n[ 662.815791] RSP: 0018:ff2c2c4f18edbe80 EFLAGS: 00000202\n[ 662.815793] RAX: ff280805df140000 RBX: 0000000000000002 RCX: 000000000000001f\n[ 662.815795] RDX: 0000009a52da2d08 R\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48653" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48654", + "dataSource": "https://ubuntu.com/security/CVE-2022-48654", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48654" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48654", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48654", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/559c36c5a8d730c49ef805a72b213d3bba155cc8", + "https://git.kernel.org/stable/c/5d75fef3e61e797fab5c3fbba88caa74ab92ad47", + "https://git.kernel.org/stable/c/633c81c0449663f57d4138326d036dc6cfad674e", + "https://git.kernel.org/stable/c/721ea8ac063d70c2078c4e762212705de6151764", + "https://git.kernel.org/stable/c/816eab147e5c6f6621922b8515ad9010ceb1735e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()\n\nnf_osf_find() incorrectly returns true on mismatch, this leads to\ncopying uninitialized memory area in nft_osf which can be used to leak\nstale kernel stack data to userspace.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48654" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48656", + "dataSource": "https://ubuntu.com/security/CVE-2022-48656", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48656" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48656", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48656", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/a17df55bf6d536712da6902a83db82b82e67d5a2", + "https://git.kernel.org/stable/c/aa11dae059a439af82bae541b134f8f53ac177b5", + "https://git.kernel.org/stable/c/dd5a6c5a08752b613e83ad2cb5133e72a64b876d", + "https://git.kernel.org/stable/c/f9fdb0b86f087c2b7f6c6168dd0985a3c1eda87e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get()\n\nWe should call of_node_put() for the reference returned by\nof_parse_phandle() in fail path or when it is not used anymore.\nHere we only need to move the of_node_put() before the check.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48656" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48658", + "dataSource": "https://ubuntu.com/security/CVE-2022-48658", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48658" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48658", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48658", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/61703b248be993eb4997b00ae5d3318e6d8f3c5b", + "https://git.kernel.org/stable/c/df6cb39335cf5a1b918e8dbd8ba7cd9f1d00e45a", + "https://git.kernel.org/stable/c/e45cc288724f0cfd497bb5920bcfa60caa335729" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.\n\nCommit 5a836bf6b09f (\"mm: slub: move flush_cpu_slab() invocations\n__free_slab() invocations out of IRQ context\") moved all flush_cpu_slab()\ninvocations to the global workqueue to avoid a problem related\nwith deactivate_slab()/__free_slab() being called from an IRQ context\non PREEMPT_RT kernels.\n\nWhen the flush_all_cpu_locked() function is called from a task context\nit may happen that a workqueue with WQ_MEM_RECLAIM bit set ends up\nflushing the global workqueue, this will cause a dependency issue.\n\n workqueue: WQ_MEM_RECLAIM nvme-delete-wq:nvme_delete_ctrl_work [nvme_core]\n is flushing !WQ_MEM_RECLAIM events:flush_cpu_slab\n WARNING: CPU: 37 PID: 410 at kernel/workqueue.c:2637\n check_flush_dependency+0x10a/0x120\n Workqueue: nvme-delete-wq nvme_delete_ctrl_work [nvme_core]\n RIP: 0010:check_flush_dependency+0x10a/0x120[ 453.262125] Call Trace:\n __flush_work.isra.0+0xbf/0x220\n ? __queue_work+0x1dc/0x420\n flush_all_cpus_locked+0xfb/0x120\n __kmem_cache_shutdown+0x2b/0x320\n kmem_cache_destroy+0x49/0x100\n bioset_exit+0x143/0x190\n blk_release_queue+0xb9/0x100\n kobject_cleanup+0x37/0x130\n nvme_fc_ctrl_free+0xc6/0x150 [nvme_fc]\n nvme_free_ctrl+0x1ac/0x2b0 [nvme_core]\n\nFix this bug by creating a workqueue for the flush operation with\nthe WQ_MEM_RECLAIM bit set.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48658" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48659", + "dataSource": "https://ubuntu.com/security/CVE-2022-48659", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48659" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48659", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48659", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/016b150992eebc32c4a18f783cf2bb6e2545a3d9", + "https://git.kernel.org/stable/c/02bcd951aa3c2cea95fb241c20802e9501940296", + "https://git.kernel.org/stable/c/2d6e55e0c03804e1e227b80a5746e086d6c6696c", + "https://git.kernel.org/stable/c/379ac7905ff3f0a6a4e507d3e9f710ec4fab9124", + "https://git.kernel.org/stable/c/7e9c323c52b379d261a72dc7bd38120a761a93cd", + "https://git.kernel.org/stable/c/a1d83a19cec3bfeb2b3547a1f7631e432a766d1c", + "https://git.kernel.org/stable/c/e9219fa63c5c25804af82c7aa54d1ec770ebe457", + "https://git.kernel.org/stable/c/e996821717c5cf8aa1e1abdb6b3d900a231e3755" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: fix to return errno if kmalloc() fails\n\nIn create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to\nout-of-memory, if it fails, return errno correctly rather than\ntriggering panic via BUG_ON();\n\nkernel BUG at mm/slub.c:5893!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\n\nCall trace:\n sysfs_slab_add+0x258/0x260 mm/slub.c:5973\n __kmem_cache_create+0x60/0x118 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335\n kmem_cache_create+0x1c/0x28 mm/slab_common.c:390\n f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]\n f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808\n f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149\n mount_bdev+0x1b8/0x210 fs/super.c:1400\n f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512\n legacy_get_tree+0x30/0x74 fs/fs_context.c:610\n vfs_get_tree+0x40/0x140 fs/super.c:1530\n do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040\n path_mount+0x358/0x914 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48659" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48660", + "dataSource": "https://ubuntu.com/security/CVE-2022-48660", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48660" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48660", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48660", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/657803b918e097e47d99d1489da83a603c36bcdd", + "https://git.kernel.org/stable/c/69bef19d6b9700e96285f4b4e28691cda3dcd0d1", + "https://git.kernel.org/stable/c/97da736cd11ae73bdf2f5e21e24446b8349e0168", + "https://git.kernel.org/stable/c/b1489043d3b9004dd8d5a0357b08b5f0e6691c43" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Set lineevent_state::irq after IRQ register successfully\n\nWhen running gpio test on nxp-ls1028 platform with below command\ngpiomon --num-events=3 --rising-edge gpiochip1 25\nThere will be a warning trace as below:\nCall trace:\nfree_irq+0x204/0x360\nlineevent_free+0x64/0x70\ngpio_ioctl+0x598/0x6a0\n__arm64_sys_ioctl+0xb4/0x100\ninvoke_syscall+0x5c/0x130\n......\nel0t_64_sync+0x1a0/0x1a4\nThe reason of this issue is that calling request_threaded_irq()\nfunction failed, and then lineevent_free() is invoked to release\nthe resource. Since the lineevent_state::irq was already set, so\nthe subsequent invocation of free_irq() would trigger the above\nwarning call trace. To fix this issue, set the lineevent_state::irq\nafter the IRQ register successfully.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48660" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48661", + "dataSource": "https://ubuntu.com/security/CVE-2022-48661", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48661" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48661", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48661", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/02743c4091ccfb246f5cdbbe3f44b152d5d12933", + "https://git.kernel.org/stable/c/41f857033c44442a27f591fda8d986e7c9e42872", + "https://git.kernel.org/stable/c/9b26723e058faaf11b532fb4aa16d6849d581790" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mockup: Fix potential resource leakage when register a chip\n\nIf creation of software node fails, the locally allocated string\narray is left unfreed. Free it on error path.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48661" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48664", + "dataSource": "https://ubuntu.com/security/CVE-2022-48664", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48664" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48664", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48664", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6ac5b52e3f352f9cb270c89e6e1d4dadb564ddb8", + "https://git.kernel.org/stable/c/a362bb864b8db4861977d00bd2c3222503ccc34b", + "https://git.kernel.org/stable/c/c338bea1fec5504290dc0acf026c9e7dba25004b", + "https://git.kernel.org/stable/c/d8a76a2e514fbbb315a6dfff2d342de2de833994" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix hang during unmount when stopping a space reclaim worker\n\nOften when running generic/562 from fstests we can hang during unmount,\nresulting in a trace like this:\n\n Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00\n Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.\n Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1\n Sep 07 11:55:32 debian9 kernel: \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000\n Sep 07 11:55:32 debian9 kernel: Call Trace:\n Sep 07 11:55:32 debian9 kernel: \n Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0\n Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70\n Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0\n Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130\n Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0\n Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420\n Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0\n Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200\n Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0\n Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530\n Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140\n Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30\n Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0\n Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]\n Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170\n Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]\n Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0\n Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120\n Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30\n Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]\n Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0\n Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160\n Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0\n Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0\n Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40\n Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90\n Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd\n Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7\n Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7\n Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0\n Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570\n Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000\n Sep 07 11:55:32 debian9 kernel: \n\nWhat happens is the following:\n\n1) The cleaner kthread tries to start a transaction to delete an unused\n block group, but the metadata reservation can not be satisfied right\n away, so a reservation ticket is created and it starts the async\n metadata reclaim task (fs_info->async_reclaim_work);\n\n2) Writeback for all the filler inodes with an i_size of 2K starts\n (generic/562 creates a lot of 2K files with the goal of filling\n metadata space). We try to create an inline extent for them, but we\n fail when trying to insert the inline extent with -ENOSPC (at\n cow_file_range_inline()) - since this is not critical, we fallback\n to non-inline mode (back to cow_file_range()), reserve extents\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48664" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48666", + "dataSource": "https://ubuntu.com/security/CVE-2022-48666", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48666" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48666", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48666", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a", + "https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f", + "https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506", + "https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix a use-after-free\n\nThere are two .exit_cmd_priv implementations. Both implementations use\nresources associated with the SCSI host. Make sure that these resources are\nstill available when .exit_cmd_priv is called by waiting inside\nscsi_remove_host() until the tag set has been freed.\n\nThis commit fixes the following use-after-free:\n\n==================================================================\nBUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\nRead of size 8 at addr ffff888100337000 by task multipathd/16727\nCall Trace:\n \n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n kasan_report+0xab/0x120\n srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\n scsi_mq_exit_request+0x4d/0x70\n blk_mq_free_rqs+0x143/0x410\n __blk_mq_free_map_and_rqs+0x6e/0x100\n blk_mq_free_tag_set+0x2b/0x160\n scsi_host_dev_release+0xf3/0x1a0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_device_dev_release_usercontext+0x4c1/0x4e0\n execute_in_process_context+0x23/0x90\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_disk_release+0x3f/0x50\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n disk_release+0x17f/0x1b0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n dm_put_table_device+0xa3/0x160 [dm_mod]\n dm_put_device+0xd0/0x140 [dm_mod]\n free_priority_group+0xd8/0x110 [dm_multipath]\n free_multipath+0x94/0xe0 [dm_multipath]\n dm_table_destroy+0xa2/0x1e0 [dm_mod]\n __dm_destroy+0x196/0x350 [dm_mod]\n dev_remove+0x10c/0x160 [dm_mod]\n ctl_ioctl+0x2c2/0x590 [dm_mod]\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 1.4, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48666" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48667", + "dataSource": "https://ubuntu.com/security/CVE-2022-48667", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48667" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48667", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48667", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0cdde8460c304283d4ebe3f767a70215d1ab9d4e", + "https://git.kernel.org/stable/c/9c8b7a293f50253e694f19161c045817a938e551" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix temporary data corruption in insert range\n\ninsert range doesn't discard the affected cached region\nso can risk temporarily corrupting file data.\n\nAlso includes some minor cleanup (avoiding rereading\ninode size repeatedly unnecessarily) to make it clearer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48667" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48668", + "dataSource": "https://ubuntu.com/security/CVE-2022-48668", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48668" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48668", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48668", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/49523a4732204bdacbf3941a016503ddb4ddb3b9", + "https://git.kernel.org/stable/c/fa30a81f255a56cccd89552cd6ce7ea6e8d8acc4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix temporary data corruption in collapse range\n\ncollapse range doesn't discard the affected cached region\nso can risk temporarily corrupting the file data. This\nfixes xfstest generic/031\n\nI also decided to merge a minor cleanup to this into the same patch\n(avoiding rereading inode size repeatedly unnecessarily) to make it\nclearer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48668" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48672", + "dataSource": "https://ubuntu.com/security/CVE-2022-48672", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48672" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48672", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48672", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2133f451311671c7c42b5640d2b999326b39aa0e", + "https://git.kernel.org/stable/c/2566706ac6393386a4e7c4ce23fe17f4c98d9aa0", + "https://git.kernel.org/stable/c/2f945a792f67815abca26fa8a5e863ccf3fa1181", + "https://git.kernel.org/stable/c/ba6b9f7cc1108bad6e2c53b1d6e0156379188db7", + "https://git.kernel.org/stable/c/cbdda20ce363356698835185801a58a28f644853", + "https://git.kernel.org/stable/c/e0e88c25f88b9805572263c9ed20f1d88742feaf", + "https://git.kernel.org/stable/c/ee4369260e77821602102dcc7d792de39a56365c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: fdt: fix off-by-one error in unflatten_dt_nodes()\n\nCommit 78c44d910d3e (\"drivers/of: Fix depth when unflattening devicetree\")\nforgot to fix up the depth check in the loop body in unflatten_dt_nodes()\nwhich makes it possible to overflow the nps[] buffer...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48672" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48673", + "dataSource": "https://ubuntu.com/security/CVE-2022-48673", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48673" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48673", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48673", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/89fcb70f1acd6b0bbf2f7bfbf45d7aa75a9bdcde", + "https://git.kernel.org/stable/c/e9b1a4f867ae9c1dbd1d71cd09cbdb3239fb4968" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix possible access to freed memory in link clear\n\nAfter modifying the QP to the Error state, all RX WR would be completed\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\nwait for it is done, but destroy the QP and free the link group directly.\nSo there is a risk that accessing the freed memory in tasklet context.\n\nHere is a crash example:\n\n BUG: unable to handle page fault for address: ffffffff8f220860\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\n Oops: 0002 [#1] SMP PTI\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\n FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n _raw_spin_lock_irqsave+0x30/0x40\n mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\n smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\n tasklet_action_common.isra.21+0x66/0x100\n __do_softirq+0xd5/0x29c\n asm_call_irq_on_stack+0x12/0x20\n \n do_softirq_own_stack+0x37/0x40\n irq_exit_rcu+0x9d/0xa0\n sysvec_call_function_single+0x34/0x80\n asm_sysvec_call_function_single+0x12/0x20", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48673" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48675", + "dataSource": "https://ubuntu.com/security/CVE-2022-48675", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48675" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48675", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48675", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/819110054b14d7272b4188db997a3d80f75ab785", + "https://git.kernel.org/stable/c/83c43fd872e32c8071d5582eb7c40f573a8342f3", + "https://git.kernel.org/stable/c/85eaeb5058f0f04dffb124c97c86b4f18db0b833", + "https://git.kernel.org/stable/c/e8de6cb5755eae7b793d8c00c8696c8667d44a7f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Fix a nested dead lock as part of ODP flow\n\nFix a nested dead lock as part of ODP flow by using mmput_async().\n\nFrom the below call trace [1] can see that calling mmput() once we have\nthe umem_odp->umem_mutex locked as required by\nib_umem_odp_map_dma_and_lock() might trigger in the same task the\nexit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which\nmay dead lock when trying to lock the same mutex.\n\nMoving to use mmput_async() will solve the problem as the above\nexit_mmap() flow will be called in other task and will be executed once\nthe lock will be available.\n\n[1]\n[64843.077665] task:kworker/u133:2 state:D stack: 0 pid:80906 ppid:\n2 flags:0x00004000\n[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]\n[64843.077719] Call Trace:\n[64843.077722] \n[64843.077724] __schedule+0x23d/0x590\n[64843.077729] schedule+0x4e/0xb0\n[64843.077735] schedule_preempt_disabled+0xe/0x10\n[64843.077740] __mutex_lock.constprop.0+0x263/0x490\n[64843.077747] __mutex_lock_slowpath+0x13/0x20\n[64843.077752] mutex_lock+0x34/0x40\n[64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib]\n[64843.077808] __mmu_notifier_release+0x1a4/0x200\n[64843.077816] exit_mmap+0x1bc/0x200\n[64843.077822] ? walk_page_range+0x9c/0x120\n[64843.077828] ? __cond_resched+0x1a/0x50\n[64843.077833] ? mutex_lock+0x13/0x40\n[64843.077839] ? uprobe_clear_state+0xac/0x120\n[64843.077860] mmput+0x5f/0x140\n[64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core]\n[64843.077931] pagefault_real_mr+0x9a/0x140 [mlx5_ib]\n[64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib]\n[64843.077992] pagefault_single_data_segment.constprop.0+0x2ac/0x560\n[mlx5_ib]\n[64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib]\n[64843.078051] process_one_work+0x22b/0x3d0\n[64843.078059] worker_thread+0x53/0x410\n[64843.078065] ? process_one_work+0x3d0/0x3d0\n[64843.078073] kthread+0x12a/0x150\n[64843.078079] ? set_kthread_struct+0x50/0x50\n[64843.078085] ret_from_fork+0x22/0x30\n[64843.078093] ", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48675" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48686", + "dataSource": "https://ubuntu.com/security/CVE-2022-48686", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48686" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48686", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48686", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/13c80a6c112467bab5e44d090767930555fc17a5", + "https://git.kernel.org/stable/c/160f3549a907a50e51a8518678ba2dcf2541abea", + "https://git.kernel.org/stable/c/19816a0214684f70b49b25075ff8c402fdd611d3", + "https://git.kernel.org/stable/c/5914fa32ef1b7766fea933f9eed94ac5c00aa7ff", + "https://git.kernel.org/stable/c/c3eb461aa56e6fa94fb80442ba2586bd223a8886" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix UAF when detecting digest errors\n\nWe should also bail from the io_work loop when we set rd_enabled to true,\nso we don't attempt to read data from the socket when the TCP stream is\nalready out-of-sync or corrupted.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48686" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48687", + "dataSource": "https://ubuntu.com/security/CVE-2022-48687", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48687" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48687", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48687", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa", + "https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c", + "https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093", + "https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3", + "https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35", + "https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864", + "https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix out-of-bounds read when setting HMAC data.\n\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\nSegment Routing Headers. This configuration is realised via netlink through\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\nlength of the SECRET attribute, it is possible to provide invalid combinations\n(e.g., secret = \"\", secretlen = 64). This case is not checked in the code and\nwith an appropriately crafted netlink message, an out-of-bounds read of up\nto 64 bytes (max secret length) can occur past the skb end pointer and into\nskb_shared_info:\n\nBreakpoint 1, seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\n208\t\tmemcpy(hinfo->secret, secret, slen);\n(gdb) bt\n #0 seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\n #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\n extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=,\n family=) at net/netlink/genetlink.c:731\n #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\n family=0xffffffff82fef6c0 ) at net/netlink/genetlink.c:775\n #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\n #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 )\n at net/netlink/af_netlink.c:2501\n #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\n #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\n at net/netlink/af_netlink.c:1319\n #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=)\n at net/netlink/af_netlink.c:1345\n #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=, msg=0xffffc90000ba7e48, len=) at net/netlink/af_netlink.c:1921\n...\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end\n$1 = 0xffff88800b1b76c0\n(gdb) p/x secret\n$2 = 0xffff88800b1b76c0\n(gdb) p slen\n$3 = 64 '@'\n\nThe OOB data can then be read back from userspace by dumping HMAC state. This\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\nSECRET.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48687" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48688", + "dataSource": "https://ubuntu.com/security/CVE-2022-48688", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48688" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48688", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48688", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2ed94383f3a2693dbf5bc47c514b42524bd8f9ae", + "https://git.kernel.org/stable/c/342d77769a6cceb3df7720a1e18baa4339eee3fc", + "https://git.kernel.org/stable/c/38af35bec59a8431a1eb29da994a0a45cba275d9", + "https://git.kernel.org/stable/c/5332a094514852d5e58c278cf4193adb937337fc", + "https://git.kernel.org/stable/c/c49f320e2492738d478bc427dcd54ccfe0cba746", + "https://git.kernel.org/stable/c/fb8396aeda5872369a8ed6d2301e2c86e303c520" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during module removal\n\nThe driver incorrectly frees client instance and subsequent\ni40e module removal leads to kernel crash.\n\nReproducer:\n1. Do ethtool offline test followed immediately by another one\nhost# ethtool -t eth0 offline; ethtool -t eth0 offline\n2. Remove recursively irdma module that also removes i40e module\nhost# modprobe -r irdma\n\nResult:\n[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110\n[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2\n[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01\n[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1\n[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[ 8687.768755] #PF: supervisor read access in kernel mode\n[ 8687.773895] #PF: error_code(0x0000) - not-present page\n[ 8687.779034] PGD 0 P4D 0\n[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2\n[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019\n[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e]\n[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b\n[ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202\n[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000\n[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000\n[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000\n[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0\n[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008\n[ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000\n[ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0\n[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8687.905572] PKRU: 55555554\n[ 8687.908286] Call Trace:\n[ 8687.910737] \n[ 8687.912843] i40e_remove+0x2c0/0x330 [i40e]\n[ 8687.917040] pci_device_remove+0x33/0xa0\n[ 8687.920962] device_release_driver_internal+0x1aa/0x230\n[ 8687.926188] driver_detach+0x44/0x90\n[ 8687.929770] bus_remove_driver+0x55/0xe0\n[ 8687.933693] pci_unregister_driver+0x2a/0xb0\n[ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e]\n\nTwo offline tests cause IRDMA driver failure (ETIMEDOUT) and this\nfailure is indicated back to i40e_client_subtask() that calls\ni40e_client_del_instance() to free client instance referenced\nby pf->cinst and sets this pointer to NULL. During the module\nremoval i40e_remove() calls i40e_lan_del_device() that dereferences\npf->cinst that is NULL -> crash.\nDo not remove client instance when client open callbacks fails and\njust clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs\nto take care about this situation (when netdev is up and client\nis NOT opened) in i40e_notify_client_of_netdev_close() and\ncalls client close callback only when __I40E_CLIENT_INSTANCE_OPENED\nis set.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48688" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48689", + "dataSource": "https://ubuntu.com/security/CVE-2022-48689", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48689" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48689", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48689", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3261400639463a853ba2b3be8bd009c2a8089775", + "https://git.kernel.org/stable/c/6730c48ed6b0cd939fc9b30b2d621ce0b89bea83", + "https://git.kernel.org/stable/c/8527c9a6bf8e54fef0a8d3d7d8874a48c725c915" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: TX zerocopy should not sense pfmemalloc status\n\nWe got a recent syzbot report [1] showing a possible misuse\nof pfmemalloc page status in TCP zerocopy paths.\n\nIndeed, for pages coming from user space or other layers,\nusing page_is_pfmemalloc() is moot, and possibly could give\nfalse positives.\n\nThere has been attempts to make page_is_pfmemalloc() more robust,\nbut not using it in the first place in this context is probably better,\nremoving cpu cycles.\n\nNote to stable teams :\n\nYou need to backport 84ce071e38a6 (\"net: introduce\n__skb_fill_page_desc_noacc\") as a prereq.\n\nRace is more probable after commit c07aea3ef4d4\n(\"mm: add a signature in struct page\") because page_is_pfmemalloc()\nis now using low order bit from page->lru.next, which can change\nmore often than page->index.\n\nLow order bit should never be set for lru.next (when used as an anchor\nin LRU list), so KCSAN report is mostly a false positive.\n\nBackporting to older kernel versions seems not necessary.\n\n[1]\nBUG: KCSAN: data-race in lru_add_fn / tcp_build_frag\n\nwrite to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:\n__list_add include/linux/list.h:73 [inline]\nlist_add include/linux/list.h:88 [inline]\nlruvec_add_folio include/linux/mm_inline.h:105 [inline]\nlru_add_fn+0x440/0x520 mm/swap.c:228\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\nfolio_batch_add_and_move mm/swap.c:263 [inline]\nfolio_add_lru+0xf1/0x140 mm/swap.c:490\nfilemap_add_folio+0xf8/0x150 mm/filemap.c:948\n__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981\npagecache_get_page+0x26/0x190 mm/folio-compat.c:104\ngrab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116\next4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988\ngeneric_perform_write+0x1d4/0x3f0 mm/filemap.c:3738\next4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270\next4_file_write_iter+0x2e3/0x1210\ncall_write_iter include/linux/fs.h:2187 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x468/0x760 fs/read_write.c:578\nksys_write+0xe8/0x1a0 fs/read_write.c:631\n__do_sys_write fs/read_write.c:643 [inline]\n__se_sys_write fs/read_write.c:640 [inline]\n__x64_sys_write+0x3e/0x50 fs/read_write.c:640\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:\npage_is_pfmemalloc include/linux/mm.h:1740 [inline]\n__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]\nskb_fill_page_desc include/linux/skbuff.h:2443 [inline]\ntcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018\ndo_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075\ntcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]\ntcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150\ninet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833\nkernel_sendpage+0x184/0x300 net/socket.c:3561\nsock_sendpage+0x5a/0x70 net/socket.c:1054\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\nsplice_from_pipe_feed fs/splice.c:415 [inline]\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\nsplice_from_pipe fs/splice.c:594 [inline]\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\ndo_splice_from fs/splice.c:764 [inline]\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1249\n__do_sys_sendfile64 fs/read_write.c:1317 [inline]\n__se_sys_sendfile64 fs/read_write.c:1303 [inline]\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x0000000000000000 -> 0xffffea0004a1d288\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48689" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48691", + "dataSource": "https://ubuntu.com/security/CVE-2022-48691", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48691" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48691", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48691", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1ce55ec5cb7c573c983dffbe290b8d17caf1f157", + "https://git.kernel.org/stable/c/77972a36ecc4db7fc7c68f0e80714263c5f03f65", + "https://git.kernel.org/stable/c/910891a2a44cdc49efcc4fe7459c1085ba00d0f4", + "https://git.kernel.org/stable/c/94ed8eeb8d9aeb00e4f4e19b83a2e28b6442fbc5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: clean up hook list when offload flags check fails\n\nsplice back the hook list so nft_chain_release_hook() has a chance to\nrelease the hooks.\n\nBUG: memory leak\nunreferenced object 0xffff88810180b100 (size 96):\n comm \"syz-executor133\", pid 3619, jiffies 4294945714 (age 12.690s)\n hex dump (first 32 bytes):\n 28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff (d#.....(d#.....\n 90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff ................\n backtrace:\n [] kmalloc include/linux/slab.h:600 [inline]\n [] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901\n [] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline]\n [] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073\n [] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218\n [] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593\n [] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517\n [] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline]\n [] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656\n [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n [] sock_sendmsg_nosec net/socket.c:714 [inline]\n [] sock_sendmsg+0x56/0x80 net/socket.c:734\n [] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482\n [] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\n [] __sys_sendmsg+0x88/0x100 net/socket.c:2565\n [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [] entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48691" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48692", + "dataSource": "https://ubuntu.com/security/CVE-2022-48692", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48692" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48692", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48692", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/12f35199a2c0551187edbf8eb01379f0598659fa", + "https://git.kernel.org/stable/c/a8edd49c94b4b08019ed7d6dd794fca8078a4deb", + "https://git.kernel.org/stable/c/f022576aa03c2385ea7f2b27ee5b331e43abf624", + "https://git.kernel.org/stable/c/f2c70f56f762e5dc3b0d7dc438fbb137cb116413" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Set scmnd->result only when scmnd is not NULL\n\nThis change fixes the following kernel NULL pointer dereference\nwhich is reproduced by blktests srp/007 occasionally.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000170\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014\nWorkqueue: 0x0 (kblockd)\nRIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]\nCode: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9\nRSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282\nRAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000\nRDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff\nRBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001\nR10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000\nR13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0\nCall Trace:\n \n __ib_process_cq+0xb7/0x280 [ib_core]\n ib_poll_handler+0x2b/0x130 [ib_core]\n irq_poll_softirq+0x93/0x150\n __do_softirq+0xee/0x4b8\n irq_exit_rcu+0xf7/0x130\n sysvec_apic_timer_interrupt+0x8e/0xc0\n ", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48692" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48693", + "dataSource": "https://ubuntu.com/security/CVE-2022-48693", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48693" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48693", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48693", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0284b4e6dec6088a41607aa3f42bf51edff01883", + "https://git.kernel.org/stable/c/1085f5080647f0c9f357c270a537869191f7f2a1", + "https://git.kernel.org/stable/c/43245c77d9efd8c9eb91bf225d07954dcf32204d", + "https://git.kernel.org/stable/c/57b2897ec3ffe4cbe018446be6d04432919dca6b", + "https://git.kernel.org/stable/c/653500b400d5576940b7429690f7197199ddcc82", + "https://git.kernel.org/stable/c/6dc0251638a4a1a998506dbd4627f8317e907558" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\n\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\n\n(1) we need to add of_node_put() when for_each__matching_node() breaks\n(2) we need to add iounmap() for each iomap in fail path", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48693" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48695", + "dataSource": "https://ubuntu.com/security/CVE-2022-48695", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48695" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48695", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48695", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/41acb064c4e013808bc7d5fc1b506fa449425b0b", + "https://git.kernel.org/stable/c/5682c94644fde72f72bded6580c38189ffc856b5", + "https://git.kernel.org/stable/c/6229fa494a5949be209bc73afbc5d0a749c2e3c7", + "https://git.kernel.org/stable/c/82efb917eeb27454dc4c6fe26432fc8f6c75bc16", + "https://git.kernel.org/stable/c/991df3dd5144f2e6b1c38b8d20ed3d4d21e20b34", + "https://git.kernel.org/stable/c/b8fc9e91b931215110ba824d1a2983c5f60b6f82", + "https://git.kernel.org/stable/c/d4959d09b76eb7a4146f5133962b88d3bddb63d6", + "https://git.kernel.org/stable/c/ea10a652ad2ae2cf3eced6f632a5c98f26727057" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use-after-free warning\n\nFix the following use-after-free warning which is observed during\ncontroller reset:\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48695" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48697", + "dataSource": "https://ubuntu.com/security/CVE-2022-48697", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48697" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48697", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48697", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17f121ca3ec6be0fb32d77c7f65362934a38cc8e", + "https://git.kernel.org/stable/c/4484ce97a78171668c402e0c45db7f760aea8060", + "https://git.kernel.org/stable/c/6a02a61e81c231cc5c680c5dbf8665275147ac52", + "https://git.kernel.org/stable/c/8d66989b5f7bb28bba2f8e1e2ffc8bfef4a10717", + "https://git.kernel.org/stable/c/be01f1c988757b95f11f090a9f491365670a522b", + "https://git.kernel.org/stable/c/ebf46da50beb78066674354ad650606a467e33fa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a use-after-free\n\nFix the following use-after-free complaint triggered by blktests nvme/004:\n\nBUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350\nRead of size 4 at addr 0000607bd1835943 by task kworker/13:1/460\nWorkqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\nCall Trace:\n show_stack+0x52/0x58\n dump_stack_lvl+0x49/0x5e\n print_report.cold+0x36/0x1e2\n kasan_report+0xb9/0xf0\n __asan_load4+0x6b/0x80\n blk_mq_complete_request_remote+0xac/0x350\n nvme_loop_queue_response+0x1df/0x275 [nvme_loop]\n __nvmet_req_complete+0x132/0x4f0 [nvmet]\n nvmet_req_complete+0x15/0x40 [nvmet]\n nvmet_execute_io_connect+0x18a/0x1f0 [nvmet]\n nvme_loop_execute_work+0x20/0x30 [nvme_loop]\n process_one_work+0x56e/0xa70\n worker_thread+0x2d1/0x640\n kthread+0x183/0x1c0\n ret_from_fork+0x1f/0x30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48697" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48698", + "dataSource": "https://ubuntu.com/security/CVE-2022-48698", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48698" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48698", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48698", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3a6279d243cb035eaaff1450980b40cf19748f05", + "https://git.kernel.org/stable/c/58acd2ebae034db3bacf38708f508fbd12ae2e54", + "https://git.kernel.org/stable/c/cbfac7fa491651c57926c99edeb7495c6c1aeac2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix memory leak when using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. Fix this up by properly\ncalling dput().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48698" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48699", + "dataSource": "https://ubuntu.com/security/CVE-2022-48699", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48699" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48699", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48699", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c32a93963e03c03e561d5a066eedad211880ba3", + "https://git.kernel.org/stable/c/26e9a1ded8923510e5529fbb28390b22228700c2", + "https://git.kernel.org/stable/c/c2e406596571659451f4b95e37ddfd5a8ef1d0dc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/debug: fix dentry leak in update_sched_domain_debugfs\n\nKuyo reports that the pattern of using debugfs_remove(debugfs_lookup())\nleaks a dentry and with a hotplug stress test, the machine eventually\nruns out of memory.\n\nFix this up by using the newly created debugfs_lookup_and_remove() call\ninstead which properly handles the dentry reference counting logic.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48699" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48700", + "dataSource": "https://ubuntu.com/security/CVE-2022-48700", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48700" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48700", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48700", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5321908ef74fb593e0dbc8737d25038fc86c9986", + "https://git.kernel.org/stable/c/578d644edc7d2c1ff53f7e4d0a25da473deb4a03", + "https://git.kernel.org/stable/c/5d721bf222936f5cf3ee15ced53cc483ecef7e46", + "https://git.kernel.org/stable/c/873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: Unpin zero pages\n\nThere's currently a reference count leak on the zero page. We increment\nthe reference via pin_user_pages_remote(), but the page is later handled\nas an invalid/reserved page, therefore it's not accounted against the\nuser and not unpinned by our put_pfn().\n\nIntroducing special zero page handling in put_pfn() would resolve the\nleak, but without accounting of the zero page, a single user could\nstill create enough mappings to generate a reference count overflow.\n\nThe zero page is always resident, so for our purposes there's no reason\nto keep it pinned. Therefore, add a loop to walk pages returned from\npin_user_pages_remote() and unpin any zero pages.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48700" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48701", + "dataSource": "https://ubuntu.com/security/CVE-2022-48701", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48701" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48701", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48701", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0492798bf8dfcc09c9337a1ba065da1d1ca68712", + "https://git.kernel.org/stable/c/2a308e415d247a23d4d64c964c02e782eede2936", + "https://git.kernel.org/stable/c/6123bec8480d23369e2ee0b2208611619f269faf", + "https://git.kernel.org/stable/c/8293e61bbf908b18ff9935238d4fc2ad359e3fe0", + "https://git.kernel.org/stable/c/91904870370fd986c29719846ed76d559de43251", + "https://git.kernel.org/stable/c/98e8e67395cc6d0cdf3a771f86ea42d0ee6e59dd", + "https://git.kernel.org/stable/c/b970518014f2f0f6c493fb86c1e092b936899061", + "https://git.kernel.org/stable/c/e53f47f6c1a56d2af728909f1cb894da6b43d9bf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()\n\nThere may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and\nthe number of it's interfaces less than 4, an out-of-bounds read bug occurs\nwhen parsing the interface descriptor for this device.\n\nFix this by checking the number of interfaces.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48701" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48702", + "dataSource": "https://ubuntu.com/security/CVE-2022-48702", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48702" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48702", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48702", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39a90720f3abe96625d1224e7a7463410875de4c", + "https://git.kernel.org/stable/c/4204a01ffce97cae1d59edc5848f02be5b2b9178", + "https://git.kernel.org/stable/c/45321a7d02b7cf9b3f97e3987fc1e4d649b82da2", + "https://git.kernel.org/stable/c/45814a53514e10a8014906c882e0d0d38df39cc1", + "https://git.kernel.org/stable/c/637c5310acb48fffcc5657568db3f3e9bc719bfa", + "https://git.kernel.org/stable/c/6b0e260ac3cf289e38446552461caa65e6dab275", + "https://git.kernel.org/stable/c/88aac6684cf8bc885cca15463cb4407e91f28ff7", + "https://git.kernel.org/stable/c/d29f59051d3a07b81281b2df2b8c9dfe4716067f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()\n\nThe voice allocator sometimes begins allocating from near the end of the\narray and then wraps around, however snd_emu10k1_pcm_channel_alloc()\naccesses the newly allocated voices as if it never wrapped around.\n\nThis results in out of bounds access if the first voice has a high enough\nindex so that first_voice + requested_voice_count > NUM_G (64).\nThe more voices are requested, the more likely it is for this to occur.\n\nThis was initially discovered using PipeWire, however it can be reproduced\nby calling aplay multiple times with 16 channels:\naplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero\n\nUBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40\nindex 65 is out of range for type 'snd_emu10k1_voice [64]'\nCPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7\nHardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010\nCall Trace:\n\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\nubsan_epilogue+0x9/0x3f\n__ubsan_handle_out_of_bounds.cold+0x44/0x49\nsnd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]\nsnd_pcm_hw_params+0x29f/0x600 [snd_pcm]\nsnd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]\n? exit_to_user_mode_prepare+0x35/0x170\n? do_syscall_64+0x69/0x90\n? syscall_exit_to_user_mode+0x26/0x50\n? do_syscall_64+0x69/0x90\n? exit_to_user_mode_prepare+0x35/0x170\nsnd_pcm_ioctl+0x27/0x40 [snd_pcm]\n__x64_sys_ioctl+0x95/0xd0\ndo_syscall_64+0x5c/0x90\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48702" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48703", + "dataSource": "https://ubuntu.com/security/CVE-2022-48703", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48703" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48703", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48703", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7931e28098a4c1a2a6802510b0cbe57546d2049d", + "https://git.kernel.org/stable/c/dae42083b045a4ddf71c57cf350cb2412b5915c2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR\n\nIn some case, the GDDV returns a package with a buffer which has\nzero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10).\n\nThen the data_vault_read() got NULL point dereference problem when\naccessing the 0x10 value in data_vault.\n\n[ 71.024560] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n\nThis patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or\nNULL value in data_vault.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48703" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48704", + "dataSource": "https://ubuntu.com/security/CVE-2022-48704", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48704" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48704", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48704", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16cb367daa446923d82e332537f446a4cc784b40", + "https://git.kernel.org/stable/c/4e25e8f27fdbdc6fd55cc572a9939bf24500b9e8", + "https://git.kernel.org/stable/c/5a7a5b2edac4b05abd744eeaebda46d9dacd952d", + "https://git.kernel.org/stable/c/826b46fd5974113515abe9e4fc8178009a8ce18c", + "https://git.kernel.org/stable/c/b878da58df2c40b08914d3960e2224040fd1fbfe", + "https://git.kernel.org/stable/c/c0a45f41fde4a0f2c900f719817493ee5c4a5aa3", + "https://git.kernel.org/stable/c/c72d97146fc5a4dff381b1737f6167e89860430d", + "https://git.kernel.org/stable/c/f461950fdc374a3ada5a63c669d997de4600dffe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: add a force flush to delay work when radeon\n\nAlthough radeon card fence and wait for gpu to finish processing current batch rings,\nthere is still a corner case that radeon lockup work queue may not be fully flushed,\nand meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to\nput device in D3hot state.\nPer PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.\n> Configuration and Message requests are the only TLPs accepted by a Function in\n> the D3hot state. All other received Requests must be handled as Unsupported Requests,\n> and all received Completions may optionally be handled as Unexpected Completions.\nThis issue will happen in following logs:\nUnable to handle kernel paging request at virtual address 00008800e0008010\nCPU 0 kworker/0:3(131): Oops 0\npc = [] ra = [] ps = 0000 Tainted: G W\npc is at si_gpu_check_soft_reset+0x3c/0x240\nra is at si_dma_is_lockup+0x34/0xd0\nv0 = 0000000000000000 t0 = fff08800e0008010 t1 = 0000000000010000\nt2 = 0000000000008010 t3 = fff00007e3c00000 t4 = fff00007e3c00258\nt5 = 000000000000ffff t6 = 0000000000000001 t7 = fff00007ef078000\ns0 = fff00007e3c016e8 s1 = fff00007e3c00000 s2 = fff00007e3c00018\ns3 = fff00007e3c00000 s4 = fff00007fff59d80 s5 = 0000000000000000\ns6 = fff00007ef07bd98\na0 = fff00007e3c00000 a1 = fff00007e3c016e8 a2 = 0000000000000008\na3 = 0000000000000001 a4 = 8f5c28f5c28f5c29 a5 = ffffffff810f4338\nt8 = 0000000000000275 t9 = ffffffff809b66f8 t10 = ff6769c5d964b800\nt11= 000000000000b886 pv = ffffffff811bea20 at = 0000000000000000\ngp = ffffffff81d89690 sp = 00000000aa814126\nDisabling lock debugging due to kernel taint\nTrace:\n[] si_dma_is_lockup+0x34/0xd0\n[] radeon_fence_check_lockup+0xd0/0x290\n[] process_one_work+0x280/0x550\n[] worker_thread+0x70/0x7c0\n[] worker_thread+0x130/0x7c0\n[] kthread+0x200/0x210\n[] worker_thread+0x0/0x7c0\n[] kthread+0x14c/0x210\n[] ret_from_kernel_thread+0x18/0x20\n[] kthread+0x0/0x210\n Code: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101\n <88210000> 4821ed21\nSo force lockup work queue flush to fix this problem.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48704" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48706", + "dataSource": "https://ubuntu.com/security/CVE-2022-48706", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48706" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48706", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48706", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5d2cc32c1c10bd889125d2adc16a6bc3338dcd3e", + "https://git.kernel.org/stable/c/6b04456e248761cf68f562f2fd7c04e591fcac94" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: ifcvf: Do proper cleanup if IFCVF init fails\n\nifcvf_mgmt_dev leaks memory if it is not freed before\nreturning. Call is made to correct return statement\nso memory does not leak. ifcvf_init_hw does not take\ncare of this so it is needed to do it here.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48706" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48708", + "dataSource": "https://ubuntu.com/security/CVE-2022-48708", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48708" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48708", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48708", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1177bdafe87cbe543a2dc48a9bbac265aa5864db", + "https://git.kernel.org/stable/c/2b763f7de108cb1a5ad5ed08e617d677341947cb", + "https://git.kernel.org/stable/c/6e2a0521e4e84a2698f2da3950fb5c5496a4d208", + "https://git.kernel.org/stable/c/71668706fbe7d20e6f172fa3287fa8aac1b56c26", + "https://git.kernel.org/stable/c/bcc487001a15f71f103d102cba4ac8145d7a68f2", + "https://git.kernel.org/stable/c/d2d73e6d4822140445ad4a7b1c6091e0f5fe703b", + "https://git.kernel.org/stable/c/e671e63587c92b3fd767cf82e73129f6d5feeb33" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: single: fix potential NULL dereference\n\nAdded checking of pointer \"function\" in pcs_set_mux().\npinmux_generic_get_function() can return NULL and the pointer\n\"function\" was dereferenced without checking against NULL.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48708" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48710", + "dataSource": "https://ubuntu.com/security/CVE-2022-48710", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48710" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48710", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48710", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/140d9807b96e1303f6f2675a7ae8710a2094bd17", + "https://git.kernel.org/stable/c/16a0f0b63c4c7eb46fc4c3f00bf2836e6ee46a9f", + "https://git.kernel.org/stable/c/28fd384c78d7d8ed8af0d086d778c3e438ba7f60", + "https://git.kernel.org/stable/c/7b7fba107b2c4ec7673d0f45bdbb9d1af697d9b9", + "https://git.kernel.org/stable/c/8a89bfeef9abe93371e3ea8796377f2d132eee29", + "https://git.kernel.org/stable/c/a2b28708b645c5632dc93669ab06e97874c8244f", + "https://git.kernel.org/stable/c/b33f7d99c9226892c7794dc2500fae35966020c9", + "https://git.kernel.org/stable/c/e938d24f0b7392e142b8aa434f18590d99dbe479", + "https://git.kernel.org/stable/c/fee8ae0a0bb66eb7730c22f44fbd7203f63c2eab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix a possible null pointer dereference\n\nIn radeon_fp_native_mode(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.\n\nThe failure status of drm_cvt_mode() on the other path is checked too.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48710" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48744", + "dataSource": "https://ubuntu.com/security/CVE-2022-48744", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48744" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48744", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48744", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e", + "https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid field-overflowing memcpy()\n\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\n\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\n\nWe were doing:\n\n\t#define ETH_HLEN 14\n\t#define VLAN_HLEN 4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n struct mlx5_wqe_eth_seg *eseg = &wqe->eth;\n struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\n\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\n\nstruct mlx5e_tx_wqe {\n struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */\n struct mlx5_wqe_eth_seg eth; /* 16 16 */\n struct mlx5_wqe_data_seg data[]; /* 32 0 */\n\n /* size: 32, cachelines: 1, members: 3 */\n /* last cacheline: 32 bytes */\n};\n\nstruct mlx5_wqe_eth_seg {\n u8 swp_outer_l4_offset; /* 0 1 */\n u8 swp_outer_l3_offset; /* 1 1 */\n u8 swp_inner_l4_offset; /* 2 1 */\n u8 swp_inner_l3_offset; /* 3 1 */\n u8 cs_flags; /* 4 1 */\n u8 swp_flags; /* 5 1 */\n __be16 mss; /* 6 2 */\n __be32 flow_table_metadata; /* 8 4 */\n union {\n struct {\n __be16 sz; /* 12 2 */\n u8 start[2]; /* 14 2 */\n } inline_hdr; /* 12 4 */\n struct {\n __be16 type; /* 12 2 */\n __be16 vlan_tci; /* 14 2 */\n } insert; /* 12 4 */\n __be32 trailer; /* 12 4 */\n }; /* 12 4 */\n\n /* size: 16, cachelines: 1, members: 9 */\n /* last cacheline: 16 bytes */\n};\n\nstruct mlx5_wqe_data_seg {\n __be32 byte_count; /* 0 4 */\n __be32 lkey; /* 4 4 */\n __be64 addr; /* 8 8 */\n\n /* size: 16, cachelines: 1, members: 3 */\n /* last cacheline: 16 bytes */\n};\n\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\n\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48744" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48766", + "dataSource": "https://ubuntu.com/security/CVE-2022-48766", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48766" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48766", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48766", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/25f1488bdbba63415239ff301fe61a8546140d9f", + "https://git.kernel.org/stable/c/456ba2433844a6483cc4c933aa8f43d24575e341" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wrap dcn301_calculate_wm_and_dlg for FPU.\n\nMirrors the logic for dcn30. Cue lots of WARNs and some\nkernel panics without this fix.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48766" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48771", + "dataSource": "https://ubuntu.com/security/CVE-2022-48771", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48771" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48771", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48771", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d", + "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565", + "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c", + "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82", + "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c", + "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414", + "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48771" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48772", + "dataSource": "https://ubuntu.com/security/CVE-2022-48772", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48772" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48772", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48772", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/526238d32c3acc3d597fd8c9a34652bfe9086cea", + "https://git.kernel.org/stable/c/7d12e918f2994c883f41f22552a61b9310fa1e87", + "https://git.kernel.org/stable/c/8915dcd29a82096acacf54364a8425363782aea0", + "https://git.kernel.org/stable/c/8e1e00718d0d9dd83337300572561e30b9c0d115", + "https://git.kernel.org/stable/c/b479fd59a1f4a342b69fce34f222d93bf791dca4", + "https://git.kernel.org/stable/c/c1115ddbda9c930fba0fdd062e7a8873ebaf898d", + "https://git.kernel.org/stable/c/d082757b8359201c3864323cea4b91ea30a1e676" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: lgdt3306a: Add a check against null-pointer-def\n\nThe driver should check whether the client provides the platform_data.\n\nThe following log reveals it:\n\n[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[ 29.612820] Call Trace:\n[ 29.613030] \n[ 29.613201] dump_stack_lvl+0x56/0x6f\n[ 29.613496] ? kmemdup+0x30/0x40\n[ 29.613754] print_report.cold+0x494/0x6b7\n[ 29.614082] ? kmemdup+0x30/0x40\n[ 29.614340] kasan_report+0x8a/0x190\n[ 29.614628] ? kmemdup+0x30/0x40\n[ 29.614888] kasan_check_range+0x14d/0x1d0\n[ 29.615213] memcpy+0x20/0x60\n[ 29.615454] kmemdup+0x30/0x40\n[ 29.615700] lgdt3306a_probe+0x52/0x310\n[ 29.616339] i2c_device_probe+0x951/0xa90", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48772" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48781", + "dataSource": "https://ubuntu.com/security/CVE-2022-48781", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48781" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48781", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48781", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/25206111512de994dfc914f5b2972a22aa904ef3", + "https://git.kernel.org/stable/c/9d06f489b9e901580159e21fdc29f73df7ed08dc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - get rid of alg_memory_allocated\n\nalg_memory_allocated does not seem to be really used.\n\nalg_proto does have a .memory_allocated field, but no\ncorresponding .sysctl_mem.\n\nThis means sk_has_account() returns true, but all sk_prot_mem_limits()\nusers will trigger a NULL dereference [1].\n\nTHis was not a problem until SO_RESERVE_MEM addition.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 3591 Comm: syz-executor153 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n sock_setsockopt+0x14a9/0x3a30 net/core/sock.c:1446\n __sys_setsockopt+0x5af/0x980 net/socket.c:2176\n __do_sys_setsockopt net/socket.c:2191 [inline]\n __se_sys_setsockopt net/socket.c:2188 [inline]\n __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2188\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fc7440fddc9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe98f07968 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7440fddc9\nRDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000004 R09: 00007ffe98f07990\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe98f0798c\nR13: 00007ffe98f079a0 R14: 00007ffe98f079e0 R15: 0000000000000000\n \nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48781" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48808", + "dataSource": "https://ubuntu.com/security/CVE-2022-48808", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48808" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48808", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48808", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7", + "https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae", + "https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix panic when DSA master device unbinds on shutdown\n\nRafael reports that on a system with LX2160A and Marvell DSA switches,\nif a reboot occurs while the DSA master (dpaa2-eth) is up, the following\npanic can be seen:\n\nsystemd-shutdown[1]: Rebooting.\nUnable to handle kernel paging request at virtual address 00a0000800000041\n[00a0000800000041] address between user and kernel address ranges\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32\npc : dsa_slave_netdevice_event+0x130/0x3e4\nlr : raw_notifier_call_chain+0x50/0x6c\nCall trace:\n dsa_slave_netdevice_event+0x130/0x3e4\n raw_notifier_call_chain+0x50/0x6c\n call_netdevice_notifiers_info+0x54/0xa0\n __dev_close_many+0x50/0x130\n dev_close_many+0x84/0x120\n unregister_netdevice_many+0x130/0x710\n unregister_netdevice_queue+0x8c/0xd0\n unregister_netdev+0x20/0x30\n dpaa2_eth_remove+0x68/0x190\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x94/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_device_remove+0x24/0x40\n __fsl_mc_device_remove+0xc/0x20\n device_for_each_child+0x58/0xa0\n dprc_remove+0x90/0xb0\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_bus_remove+0x80/0x100\n fsl_mc_bus_shutdown+0xc/0x1c\n platform_shutdown+0x20/0x30\n device_shutdown+0x154/0x330\n __do_sys_reboot+0x1cc/0x250\n __arm64_sys_reboot+0x20/0x30\n invoke_syscall.constprop.0+0x4c/0xe0\n do_el0_svc+0x4c/0x150\n el0_svc+0x24/0xb0\n el0t_64_sync_handler+0xa8/0xb0\n el0t_64_sync+0x178/0x17c\n\nIt can be seen from the stack trace that the problem is that the\nderegistration of the master causes a dev_close(), which gets notified\nas NETDEV_GOING_DOWN to dsa_slave_netdevice_event().\nBut dsa_switch_shutdown() has already run, and this has unregistered the\nDSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to\ncall dev_close_many() on those slave interfaces, leading to the problem.\n\nThe previous attempt to avoid the NETDEV_GOING_DOWN on the master after\ndsa_switch_shutdown() was called seems improper. Unregistering the slave\ninterfaces is unnecessary and unhelpful. Instead, after the slaves have\nstopped being uppers of the DSA master, we can now reset to NULL the\nmaster->dsa_ptr pointer, which will make DSA start ignoring all future\nnotifier events on the master.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48808" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48816", + "dataSource": "https://ubuntu.com/security/CVE-2022-48816", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48816" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48816", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48816", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/9482ab4540f5bcc869b44c067ae99b5fca16bd07", + "https://git.kernel.org/stable/c/b49ea673e119f59c71645e2f65b3ccad857c90ee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: lock against ->sock changing during sysfs read\n\n->sock can be set to NULL asynchronously unless ->recv_mutex is held.\nSo it is important to hold that mutex. Otherwise a sysfs read can\ntrigger an oops.\nCommit 17f09d3f619a (\"SUNRPC: Check if the xprt is connected before\nhandling sysfs reads\") appears to attempt to fix this problem, but it\nonly narrows the race window.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48816" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48833", + "dataSource": "https://ubuntu.com/security/CVE-2022-48833", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48833" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48833", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48833", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/40cdc509877bacb438213b83c7541c5e24a1d9ec", + "https://git.kernel.org/stable/c/44557a8f539a822c91238c1f95a95f98a5093d82", + "https://git.kernel.org/stable/c/4c5d94990fa2fd609360ecd0f7e183212a7d115c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: skip reserved bytes warning on unmount after log cleanup failure\n\nAfter the recent changes made by commit c2e39305299f01 (\"btrfs: clear\nextent buffer uptodate when we fail to write it\") and its followup fix,\ncommit 651740a5024117 (\"btrfs: check WRITE_ERR when trying to read an\nextent buffer\"), we can now end up not cleaning up space reservations of\nlog tree extent buffers after a transaction abort happens, as well as not\ncleaning up still dirty extent buffers.\n\nThis happens because if writeback for a log tree extent buffer failed,\nthen we have cleared the bit EXTENT_BUFFER_UPTODATE from the extent buffer\nand we have also set the bit EXTENT_BUFFER_WRITE_ERR on it. Later on,\nwhen trying to free the log tree with free_log_tree(), which iterates\nover the tree, we can end up getting an -EIO error when trying to read\na node or a leaf, since read_extent_buffer_pages() returns -EIO if an\nextent buffer does not have EXTENT_BUFFER_UPTODATE set and has the\nEXTENT_BUFFER_WRITE_ERR bit set. Getting that -EIO means that we return\nimmediately as we can not iterate over the entire tree.\n\nIn that case we never update the reserved space for an extent buffer in\nthe respective block group and space_info object.\n\nWhen this happens we get the following traces when unmounting the fs:\n\n[174957.284509] BTRFS: error (device dm-0) in cleanup_transaction:1913: errno=-5 IO failure\n[174957.286497] BTRFS: error (device dm-0) in free_log_tree:3420: errno=-5 IO failure\n[174957.399379] ------------[ cut here ]------------\n[174957.402497] WARNING: CPU: 2 PID: 3206883 at fs/btrfs/block-group.c:127 btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.407523] Modules linked in: btrfs overlay dm_zero (...)\n[174957.424917] CPU: 2 PID: 3206883 Comm: umount Tainted: G W 5.16.0-rc5-btrfs-next-109 #1\n[174957.426689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[174957.428716] RIP: 0010:btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.429717] Code: 21 48 8b bd (...)\n[174957.432867] RSP: 0018:ffffb70d41cffdd0 EFLAGS: 00010206\n[174957.433632] RAX: 0000000000000001 RBX: ffff8b09c3848000 RCX: ffff8b0758edd1c8\n[174957.434689] RDX: 0000000000000001 RSI: ffffffffc0b467e7 RDI: ffff8b0758edd000\n[174957.436068] RBP: ffff8b0758edd000 R08: 0000000000000000 R09: 0000000000000000\n[174957.437114] R10: 0000000000000246 R11: 0000000000000000 R12: ffff8b09c3848148\n[174957.438140] R13: ffff8b09c3848198 R14: ffff8b0758edd188 R15: dead000000000100\n[174957.439317] FS: 00007f328fb82800(0000) GS:ffff8b0a2d200000(0000) knlGS:0000000000000000\n[174957.440402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[174957.441164] CR2: 00007fff13563e98 CR3: 0000000404f4e005 CR4: 0000000000370ee0\n[174957.442117] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[174957.443076] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[174957.443948] Call Trace:\n[174957.444264] \n[174957.444538] btrfs_free_block_groups+0x255/0x3c0 [btrfs]\n[174957.445238] close_ctree+0x301/0x357 [btrfs]\n[174957.445803] ? call_rcu+0x16c/0x290\n[174957.446250] generic_shutdown_super+0x74/0x120\n[174957.446832] kill_anon_super+0x14/0x30\n[174957.447305] btrfs_kill_super+0x12/0x20 [btrfs]\n[174957.447890] deactivate_locked_super+0x31/0xa0\n[174957.448440] cleanup_mnt+0x147/0x1c0\n[174957.448888] task_work_run+0x5c/0xa0\n[174957.449336] exit_to_user_mode_prepare+0x1e5/0x1f0\n[174957.449934] syscall_exit_to_user_mode+0x16/0x40\n[174957.450512] do_syscall_64+0x48/0xc0\n[174957.450980] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[174957.451605] RIP: 0033:0x7f328fdc4a97\n[174957.452059] Code: 03 0c 00 f7 (...)\n[174957.454320] RSP: 002b:00007fff13564ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n[174957.455262] RAX: 0000000000000000 RBX: 00007f328feea264 RCX: 00007f328fdc4a97\n[174957.456131] RDX: 0000000000000000 RSI: 00000000000000\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48833" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48834", + "dataSource": "https://ubuntu.com/security/CVE-2022-48834", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48834" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48834", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48834", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/10a805334a11acd547602d6c4cf540a0f6ab5c6e", + "https://git.kernel.org/stable/c/5f6a2d63c68c12cf61259df7c3527a0e05dce952", + "https://git.kernel.org/stable/c/700a0715854c1e79a73341724ce4f5bb01abc016", + "https://git.kernel.org/stable/c/c69aef9db878ab277068a8cc1b4bf0cf309dc2b7", + "https://git.kernel.org/stable/c/e9b667a82cdcfe21d590344447d65daed52b353b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbtmc: Fix bug in pipe direction for control transfers\n\nThe syzbot fuzzer reported a minor bug in the usbtmc driver:\n\nusb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0\nWARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412\nusb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410\nModules linked in:\nCPU: 0 PID: 3813 Comm: syz-executor122 Not tainted\n5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\n...\nCall Trace:\n \n usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153\n usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]\n\nThe problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for\nall of its transfers, whether they are in or out. It's easy to fix.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48834" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48835", + "dataSource": "https://ubuntu.com/security/CVE-2022-48835", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48835" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48835", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48835", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0cd2dd4bcf4abc812148c4943f966a3c8dccb00f", + "https://git.kernel.org/stable/c/3916e33b917581e2b2086e856c291cb86ea98a05", + "https://git.kernel.org/stable/c/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3", + "https://git.kernel.org/stable/c/98e7a654a5bebaf1a28e987af5e44c002544a413" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Page fault in reply q processing\n\nA page fault was encountered in mpt3sas on a LUN reset error path:\n\n[ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)\n[ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)\n[ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)\n[ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00\n[ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)\n[ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)\n[ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)\n[ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d\n[ 149.885617] #PF: supervisor read access in kernel mode\n[ 149.894346] #PF: error_code(0x0000) - not-present page\n[ 149.903123] PGD 0 P4D 0\n[ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1\n[ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021\n[ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]\n[ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee\n[ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246\n[ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071\n[ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8\n[ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff\n[ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000\n[ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80\n[ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000\n[ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0\n[ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 150.108323] PKRU: 55555554\n[ 150.114690] Call Trace:\n[ 150.120497] ? printk+0x48/0x4a\n[ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]\n[ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]\n[ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas]\n[ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]\n[ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod]\n[ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60\n[ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod]\n[ 150.203206] ? __schedule+0x1e9/0x610\n[ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]\n[ 150.217924] kthread+0x12e/0x150\n[ 150.224041] ? kthread_worker_fn+0x130/0x130\n[ 150.231206] ret_from_fork+0x1f/0x30\n\nThis is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q\npointer outside of the list_for_each_entry() loop. At the end of the full\nlist traversal the pointer is invalid.\n\nMove the _base_process_reply_queue() call inside of the loop.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48835" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48836", + "dataSource": "https://ubuntu.com/security/CVE-2022-48836", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48836" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48836", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48836", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/35069e654bcab567ff8b9f0e68e1caf82c15dcd7", + "https://git.kernel.org/stable/c/5600f6986628dde8881734090588474f54a540a8", + "https://git.kernel.org/stable/c/57277a8b5d881e02051ba9d7f6cb3f915c229821", + "https://git.kernel.org/stable/c/6de20111cd0bb7da9b2294073ba00c7d2a6c1c4f", + "https://git.kernel.org/stable/c/e732b0412f8c603d1e998f3bff41b5e7d5c3914c", + "https://git.kernel.org/stable/c/e762f57ff255af28236cd02ca9fc5c7e5a089d31", + "https://git.kernel.org/stable/c/f0d43d22d24182b94d7eb78a2bf6ae7e2b33204a", + "https://git.kernel.org/stable/c/fc8033a55e2796d21e370260a784ac9fbb8305a6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: aiptek - properly check endpoint type\n\nSyzbot reported warning in usb_submit_urb() which is caused by wrong\nendpoint type. There was a check for the number of endpoints, but not\nfor the type of endpoint.\n\nFix it by replacing old desc.bNumEndpoints check with\nusb_find_common_endpoints() helper for finding endpoints\n\nFail log:\n\nusb 5-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nWorkqueue: usb_hub_wq hub_event\n...\nCall Trace:\n \n aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830\n input_open_device+0x1bb/0x320 drivers/input/input.c:629\n kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48836" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48837", + "dataSource": "https://ubuntu.com/security/CVE-2022-48837", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48837" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48837", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48837", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/138d4f739b35dfb40438a0d5d7054965763bfbe7", + "https://git.kernel.org/stable/c/21829376268397f9fd2c35cfa9135937b6aa3a1e", + "https://git.kernel.org/stable/c/28bc0267399f42f987916a7174e2e32f0833cc65", + "https://git.kernel.org/stable/c/56b38e3ca4064041d93c1ca18828c8cedad2e16c", + "https://git.kernel.org/stable/c/65f3324f4b6fed78b8761c3b74615ecf0ffa81fa", + "https://git.kernel.org/stable/c/8b3e4d26bc9cd0f6373d0095b9ffd99e7da8006b", + "https://git.kernel.org/stable/c/c7953cf03a26876d676145ce5d2ae6d8c9630b90", + "https://git.kernel.org/stable/c/df7e088d51cdf78b1a0bf1f3d405c2593295c7b0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: prevent integer overflow in rndis_set_response()\n\nIf \"BufOffset\" is very large the \"BufOffset + 8\" operation can have an\ninteger overflow.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48837" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48838", + "dataSource": "https://ubuntu.com/security/CVE-2022-48838", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48838" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48838", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48838", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/00bdd9bf1ac6d401ad926d3d8df41b9f1399f646", + "https://git.kernel.org/stable/c/16b1941eac2bd499f065a6739a40ce0011a3d740", + "https://git.kernel.org/stable/c/2015c23610cd0efadaeca4d3a8d1dae9a45aa35a", + "https://git.kernel.org/stable/c/2282a6eb6d4e118e294e43dcc421e0e0fe4040b5", + "https://git.kernel.org/stable/c/27d64436984fb8835a8b7e95993193cc478b162e", + "https://git.kernel.org/stable/c/4325124dde6726267813c736fee61226f1d38f0b", + "https://git.kernel.org/stable/c/609a7119bffe3ddd7c93f2fa65be8917e02a0b7e", + "https://git.kernel.org/stable/c/e2d3a7009e505e120805f449c832942660f3f7f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: Fix use-after-free bug by not setting udc->dev.driver\n\nThe syzbot fuzzer found a use-after-free bug:\n\nBUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320\nRead of size 8 at addr ffff88802b934098 by task udevd/3689\n\nCPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n dev_uevent+0x712/0x780 drivers/base/core.c:2320\n uevent_show+0x1b8/0x380 drivers/base/core.c:2391\n dev_attr_show+0x4b/0x90 drivers/base/core.c:2094\n\nAlthough the bug manifested in the driver core, the real cause was a\nrace with the gadget core. dev_uevent() does:\n\n\tif (dev->driver)\n\t\tadd_uevent_var(env, \"DRIVER=%s\", dev->driver->name);\n\nand between the test and the dereference of dev->driver, the gadget\ncore sets dev->driver to NULL.\n\nThe race wouldn't occur if the gadget core registered its devices on\na real bus, using the standard synchronization techniques of the\ndriver core. However, it's not necessary to make such a large change\nin order to fix this bug; all we need to do is make sure that\nudc->dev.driver is always NULL.\n\nIn fact, there is no reason for udc->dev.driver ever to be set to\nanything, let alone to the value it currently gets: the address of the\ngadget's driver. After all, a gadget driver only knows how to manage\na gadget, not how to manage a UDC.\n\nThis patch simply removes the statements in the gadget core that touch\nudc->dev.driver.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48838" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48839", + "dataSource": "https://ubuntu.com/security/CVE-2022-48839", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48839" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48839", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48839", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/268dcf1f7b3193bc446ec3d14e08a240e9561e4d", + "https://git.kernel.org/stable/c/70b7b3c055fd4a464da8da55ff4c1f84269f9b02", + "https://git.kernel.org/stable/c/a055f5f2841f7522b44a2b1eccb1951b4b03d51a", + "https://git.kernel.org/stable/c/a33dd1e6693f80d805155b3f69c18c2f642915da", + "https://git.kernel.org/stable/c/b1e27cda1e3c12b705875bb7e247a97168580e33", + "https://git.kernel.org/stable/c/b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0", + "https://git.kernel.org/stable/c/c700525fcc06b05adfea78039de02628af79e07a", + "https://git.kernel.org/stable/c/ef591b35176029fdefea38e8388ffa371e18f4b2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix slab-out-of-bounds access in packet_recvmsg()\n\nsyzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH\nand mmap operations, tpacket_rcv() is queueing skbs with\ngarbage in skb->cb[], triggering a too big copy [1]\n\nPresumably, users of af_packet using mmap() already gets correct\nmetadata from the mapped buffer, we can simply make sure\nto clear 12 bytes that might be copied to user space later.\n\nBUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]\nBUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\nWrite of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631\n\nCPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189\n memcpy+0x39/0x60 mm/kasan/shadow.c:66\n memcpy include/linux/fortify-string.h:225 [inline]\n packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\n sock_recvmsg_nosec net/socket.c:948 [inline]\n sock_recvmsg net/socket.c:966 [inline]\n sock_recvmsg net/socket.c:962 [inline]\n ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632\n ___sys_recvmsg+0x127/0x200 net/socket.c:2674\n __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fdfd5954c29\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60\nR13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54\n \n\naddr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:\n ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246\n\nthis frame has 1 object:\n [32, 160) 'addr'\n\nMemory state around the buggy address:\n ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00\n ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00\n>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3\n ^\n ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1\n ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00\n==================================================================", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48839" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48840", + "dataSource": "https://ubuntu.com/security/CVE-2022-48840", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48840" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48840", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48840", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57", + "https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813", + "https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix hang during reboot/shutdown\n\nRecent commit 974578017fc1 (\"iavf: Add waiting so the port is\ninitialized in remove\") adds a wait-loop at the beginning of\niavf_remove() to ensure that port initialization is finished\nprior unregistering net device. This causes a regression\nin reboot/shutdown scenario because in this case callback\niavf_shutdown() is called and this callback detaches the device,\nmakes it down if it is running and sets its state to __IAVF_REMOVE.\nLater shutdown callback of associated PF driver (e.g. ice_shutdown)\nis called. That callback calls among other things sriov_disable()\nthat calls indirectly iavf_remove() (see stack trace below).\nAs the adapter state is already __IAVF_REMOVE then the mentioned\nloop is end-less and shutdown process hangs.\n\nThe patch fixes this by checking adapter's state at the beginning\nof iavf_remove() and skips the rest of the function if the adapter\nis already in remove state (shutdown is in progress).\n\nReproducer:\n1. Create VF on PF driven by ice or i40e driver\n2. Ensure that the VF is bound to iavf driver\n3. Reboot\n\n[52625.981294] sysrq: SysRq : Show Blocked State\n[52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2\n[52625.996732] Call Trace:\n[52625.999187] __schedule+0x2d1/0x830\n[52626.007400] schedule+0x35/0xa0\n[52626.010545] schedule_hrtimeout_range_clock+0x83/0x100\n[52626.020046] usleep_range+0x5b/0x80\n[52626.023540] iavf_remove+0x63/0x5b0 [iavf]\n[52626.027645] pci_device_remove+0x3b/0xc0\n[52626.031572] device_release_driver_internal+0x103/0x1f0\n[52626.036805] pci_stop_bus_device+0x72/0xa0\n[52626.040904] pci_stop_and_remove_bus_device+0xe/0x20\n[52626.045870] pci_iov_remove_virtfn+0xba/0x120\n[52626.050232] sriov_disable+0x2f/0xe0\n[52626.053813] ice_free_vfs+0x7c/0x340 [ice]\n[52626.057946] ice_remove+0x220/0x240 [ice]\n[52626.061967] ice_shutdown+0x16/0x50 [ice]\n[52626.065987] pci_device_shutdown+0x34/0x60\n[52626.070086] device_shutdown+0x165/0x1c5\n[52626.074011] kernel_restart+0xe/0x30\n[52626.077593] __do_sys_reboot+0x1d2/0x210\n[52626.093815] do_syscall_64+0x5b/0x1a0\n[52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48840" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48846", + "dataSource": "https://ubuntu.com/security/CVE-2022-48846", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48846" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48846", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48846", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/60c2c8e2ef3a3ec79de8cbc80a06ca0c21df8c29", + "https://git.kernel.org/stable/c/d4ad8736ac982111bb0be8306bf19c8207f6600e", + "https://git.kernel.org/stable/c/daaca3522a8e67c46e39ef09c1d542e866f85f3b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: release rq qos structures for queue without disk\n\nblkcg_init_queue() may add rq qos structures to request queue, previously\nblk_cleanup_queue() calls rq_qos_exit() to release them, but commit\n8e141f9eb803 (\"block: drain file system I/O on del_gendisk\")\nmoves rq_qos_exit() into del_gendisk(), so memory leak is caused\nbecause queues may not have disk, such as un-present scsi luns, nvme\nadmin queue, ...\n\nFixes the issue by adding rq_qos_exit() to blk_cleanup_queue() back.\n\nBTW, v5.18 won't need this patch any more since we move\nblkcg_init_queue()/blkcg_exit_queue() into disk allocation/release\nhandler, and patches have been in for-5.18/block.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48846" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48868", + "dataSource": "https://ubuntu.com/security/CVE-2022-48868", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48868" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48868", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48868", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f150134dd795ffcd60b798a85ab737d8d010fb7", + "https://git.kernel.org/stable/c/99dc4520b74e7ca8e9dc9abe37a0b10b49467960", + "https://git.kernel.org/stable/c/b51b75f0604f17c0f6f3b6f68f1a521a5cc6b04f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Let probe fail when workqueue cannot be enabled\n\nThe workqueue is enabled when the appropriate driver is loaded and\ndisabled when the driver is removed. When the driver is removed it\nassumes that the workqueue was enabled successfully and proceeds to\nfree allocations made during workqueue enabling.\n\nFailure during workqueue enabling does not prevent the driver from\nbeing loaded. This is because the error path within drv_enable_wq()\nreturns success unless a second failure is encountered\nduring the error path. By returning success it is possible to load\nthe driver even if the workqueue cannot be enabled and\nallocations that do not exist are attempted to be freed during\ndriver remove.\n\nSome examples of problematic flows:\n(a)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_unmap_portal() is called on error exit path, but\n drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The\n driver is thus loaded successfully.\n\n idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal()\n Above flow on driver unload triggers the WARN in devm_iounmap() because\n the device resource has already been removed during error path of\n drv_enable_wq().\n\n(b)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_init_percpu_ref() is never called to initialize the percpu\n counter, yet the driver loads successfully because drv_enable_wq()\n returns 0.\n\n idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill():\n Above flow on driver unload triggers a BUG when attempting to drop the\n initial ref of the uninitialized percpu ref:\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n\nFix the drv_enable_wq() error path by returning the original error that\nindicates failure of workqueue enabling. This ensures that the probe\nfails when an error is encountered and the driver remove paths are only\nattempted when the workqueue was enabled successfully.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48868" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48869", + "dataSource": "https://ubuntu.com/security/CVE-2022-48869", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48869" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48869", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48869", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3", + "https://git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4", + "https://git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466ae", + "https://git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9", + "https://git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadgetfs: Fix race between mounting and unmounting\n\nThe syzbot fuzzer and Gerald Lee have identified a use-after-free bug\nin the gadgetfs driver, involving processes concurrently mounting and\nunmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super()\ncan race with gadgetfs_kill_sb(), causing the latter to deallocate\nthe_device while the former is using it. The output from KASAN says,\nin part:\n\nBUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]\nBUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\nBUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]\nBUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]\nBUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]\nBUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\nBUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\nWrite of size 4 at addr ffff8880276d7840 by task syz-executor126/18689\n\nCPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n \n...\n atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\n __refcount_sub_and_test include/linux/refcount.h:272 [inline]\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\n put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\n gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n vfs_get_super fs/super.c:1190 [inline]\n get_tree_single+0xd0/0x160 fs/super.c:1207\n vfs_get_tree+0x88/0x270 fs/super.c:1531\n vfs_fsconfig_locked fs/fsopen.c:232 [inline]\n\nThe simplest solution is to ensure that gadgetfs_fill_super() and\ngadgetfs_kill_sb() are serialized by making them both acquire a new\nmutex.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48869" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48870", + "dataSource": "https://ubuntu.com/security/CVE-2022-48870", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48870" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48870", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48870", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f", + "https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5", + "https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix possible null-ptr-defer in spk_ttyio_release\n\nRun the following tests on the qemu platform:\n\nsyzkaller:~# modprobe speakup_audptr\n input: Speakup as /devices/virtual/input/input4\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\n speakup 3.1.6: initialized\n synth name on entry is: (null)\n synth probe\n\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\nproblem, as follow:\n\nsyzkaller:~# modprobe -r speakup_audptr\n releasing synth audptr\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\n RIP: 0010:mutex_lock+0x14/0x30\n Call Trace:\n \n spk_ttyio_release+0x19/0x70 [speakup]\n synth_release.part.6+0xac/0xc0 [speakup]\n synth_remove+0x56/0x60 [speakup]\n __x64_sys_delete_module+0x156/0x250\n ? fpregs_assert_state_consistent+0x1d/0x50\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \n Modules linked in: speakup_audptr(-) speakup\n Dumping ftrace buffer:\n\nin_synth->dev was not initialized during modprobe, so we add check\nfor in_synth->dev to fix this bug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48870" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48871", + "dataSource": "https://ubuntu.com/security/CVE-2022-48871", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48871" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48871", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48871", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a", + "https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2", + "https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a", + "https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer\n\nDriver's probe allocates memory for RX FIFO (port->rx_fifo) based on\ndefault RX FIFO depth, e.g. 16. Later during serial startup the\nqcom_geni_serial_port_setup() updates the RX FIFO depth\n(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.\n\nThe RX UART handle code will read \"port->rx_fifo_depth\" number of words\ninto \"port->rx_fifo\" buffer, thus exceeding the bounds. This can be\nobserved in certain configurations with Qualcomm Bluetooth HCI UART\ndevice and KASAN:\n\n Bluetooth: hci0: QCA Product ID :0x00000010\n Bluetooth: hci0: QCA SOC Version :0x400a0200\n Bluetooth: hci0: QCA ROM Version :0x00000200\n Bluetooth: hci0: QCA Patch Version:0x00000d2b\n Bluetooth: hci0: QCA controller version 0x02000200\n Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv\n bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2\n Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)\n Bluetooth: hci0: QCA Failed to download patch (-2)\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c\n Write of size 4 at addr ffff279347d578c0 by task swapper/0/0\n\n CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n dump_backtrace.part.0+0xe0/0xf0\n show_stack+0x18/0x40\n dump_stack_lvl+0x8c/0xb8\n print_report+0x188/0x488\n kasan_report+0xb4/0x100\n __asan_store4+0x80/0xa4\n handle_rx_uart+0xa8/0x18c\n qcom_geni_serial_handle_rx+0x84/0x9c\n qcom_geni_serial_isr+0x24c/0x760\n __handle_irq_event_percpu+0x108/0x500\n handle_irq_event+0x6c/0x110\n handle_fasteoi_irq+0x138/0x2cc\n generic_handle_domain_irq+0x48/0x64\n\nIf the RX FIFO depth changes after probe, be sure to resize the buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48871" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48872", + "dataSource": "https://ubuntu.com/security/CVE-2022-48872", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48872" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48872", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48872", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907", + "https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4", + "https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1", + "https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb", + "https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix use-after-free race condition for maps\n\nIt is possible that in between calling fastrpc_map_get() until\nmap->fl->lock is taken in fastrpc_free_map(), another thread can call\nfastrpc_map_lookup() and get a reference to a map that is about to be\ndeleted.\n\nRewrite fastrpc_map_get() to only increase the reference count of a map\nif it's non-zero. Propagate this to callers so they can know if a map is\nabout to be deleted.\n\nFixes this warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate\n...\nCall trace:\n refcount_warn_saturate\n [fastrpc_map_get inlined]\n [fastrpc_map_lookup inlined]\n fastrpc_map_create\n fastrpc_internal_invoke\n fastrpc_device_ioctl\n __arm64_sys_ioctl\n invoke_syscall", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48872" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48873", + "dataSource": "https://ubuntu.com/security/CVE-2022-48873", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48873" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48873", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48873", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/193cd853145b63e670bd73740250983af1475330", + "https://git.kernel.org/stable/c/1b7b7bb400dd13dcb03fc6e591bb7ca4664bbec8", + "https://git.kernel.org/stable/c/35ddd482345c43d9eec1f3406c0f20a95ed4054b", + "https://git.kernel.org/stable/c/4b5c44e924a571d0ad07054de549624fbc04e4d7", + "https://git.kernel.org/stable/c/5bb96c8f9268e2fdb0e5321cbc358ee5941efc15" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Don't remove map on creater_process and device_release\n\nDo not remove the map from the list on error path in\nfastrpc_init_create_process, instead call fastrpc_map_put, to avoid\nuse-after-free. Do not remove it on fastrpc_device_release either,\ncall fastrpc_map_put instead.\n\nThe fastrpc_free_map is the only proper place to remove the map.\nThis is called only after the reference count is 0.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48873" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48875", + "dataSource": "https://ubuntu.com/security/CVE-2022-48875", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48875" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48875", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48875", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef", + "https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df", + "https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e", + "https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: sdata can be NULL during AMPDU start\n\nieee80211_tx_ba_session_handle_start() may get NULL for sdata when a\ndeauthentication is ongoing.\n\nHere a trace triggering the race with the hostapd test\nmulti_ap_fronthaul_on_ap:\n\n(gdb) list *drv_ampdu_action+0x46\n0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).\n391 int ret = -EOPNOTSUPP;\n392\n393 might_sleep();\n394\n395 sdata = get_bss_sdata(sdata);\n396 if (!check_sdata_in_driver(sdata))\n397 return -EIO;\n398\n399 trace_drv_ampdu_action(local, sdata, params);\n400\n\nwlan0: moving STA 02:00:00:00:03:00 to state 3\nwlan0: associated\nwlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)\nwlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0\nwlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)\nwlan0: moving STA 02:00:00:00:03:00 to state 2\nwlan0: moving STA 02:00:00:00:03:00 to state 1\nwlan0: Removed STA 02:00:00:00:03:00\nwlan0: Destroyed STA 02:00:00:00:03:00\nBUG: unable to handle page fault for address: fffffffffffffb48\nPGD 11814067 P4D 11814067 PUD 11816067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\nWorkqueue: phy3 ieee80211_ba_session_work [mac80211]\nRIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]\nCode: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85\nRSP: 0018:ffffc900025ebd20 EFLAGS: 00010287\nRAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240\nRDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40\nRBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0\nR13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8\nFS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0\nCall Trace:\n \n ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]\n ieee80211_ba_session_work+0xff/0x2e0 [mac80211]\n process_one_work+0x29f/0x620\n worker_thread+0x4d/0x3d0\n ? process_one_work+0x620/0x620\n kthread+0xfb/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48875" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48877", + "dataSource": "https://ubuntu.com/security/CVE-2022-48877", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48877" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48877", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48877", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c38cdc747f00daf7394535eae5afc4c503c59bb", + "https://git.kernel.org/stable/c/2c129e868992621a739bdd57a5bffa3985ef1b91", + "https://git.kernel.org/stable/c/557e85ff9afef6d45020b6f09357111d38033c31", + "https://git.kernel.org/stable/c/72009139a661ade5cb1da4239734ed02fa1cfff0", + "https://git.kernel.org/stable/c/dd83a9763e29ed7a21c8a43f7a62cd0a6bf74692", + "https://git.kernel.org/stable/c/df9d44b645b83fffccfb4e28c1f93376585fdec8", + "https://git.kernel.org/stable/c/ff85a1dbd90d29f73033177ff8d8de4a27d9721c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: let's avoid panic if extent_tree is not created\n\nThis patch avoids the below panic.\n\npc : __lookup_extent_tree+0xd8/0x760\nlr : f2fs_do_write_data_page+0x104/0x87c\nsp : ffffffc010cbb3c0\nx29: ffffffc010cbb3e0 x28: 0000000000000000\nx27: ffffff8803e7f020 x26: ffffff8803e7ed40\nx25: ffffff8803e7f020 x24: ffffffc010cbb460\nx23: ffffffc010cbb480 x22: 0000000000000000\nx21: 0000000000000000 x20: ffffffff22e90900\nx19: 0000000000000000 x18: ffffffc010c5d080\nx17: 0000000000000000 x16: 0000000000000020\nx15: ffffffdb1acdbb88 x14: ffffff888759e2b0\nx13: 0000000000000000 x12: ffffff802da49000\nx11: 000000000a001200 x10: ffffff8803e7ed40\nx9 : ffffff8023195800 x8 : ffffff802da49078\nx7 : 0000000000000001 x6 : 0000000000000000\nx5 : 0000000000000006 x4 : ffffffc010cbba28\nx3 : 0000000000000000 x2 : ffffffc010cbb480\nx1 : 0000000000000000 x0 : ffffff8803e7ed40\nCall trace:\n __lookup_extent_tree+0xd8/0x760\n f2fs_do_write_data_page+0x104/0x87c\n f2fs_write_single_data_page+0x420/0xb60\n f2fs_write_cache_pages+0x418/0xb1c\n __f2fs_write_data_pages+0x428/0x58c\n f2fs_write_data_pages+0x30/0x40\n do_writepages+0x88/0x190\n __writeback_single_inode+0x48/0x448\n writeback_sb_inodes+0x468/0x9e8\n __writeback_inodes_wb+0xb8/0x2a4\n wb_writeback+0x33c/0x740\n wb_do_writeback+0x2b4/0x400\n wb_workfn+0xe4/0x34c\n process_one_work+0x24c/0x5bc\n worker_thread+0x3e8/0xa50\n kthread+0x150/0x1b4", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48877" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48878", + "dataSource": "https://ubuntu.com/security/CVE-2022-48878", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48878" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48878", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48878", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/272970be3dabd24cbe50e393ffee8f04aec3b9a8", + "https://git.kernel.org/stable/c/908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3", + "https://git.kernel.org/stable/c/e84ec6e25df9bb0968599e92eacedaf3a0a5b587", + "https://git.kernel.org/stable/c/ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_qca: Fix driver shutdown on closed serdev\n\nThe driver shutdown callback (which sends EDL_SOC_RESET to the device\nover serdev) should not be invoked when HCI device is not open (e.g. if\nhci_dev_open_sync() failed), because the serdev and its TTY are not open\neither. Also skip this step if device is powered off\n(qca_power_shutdown()).\n\nThe shutdown callback causes use-after-free during system reboot with\nQualcomm Atheros Bluetooth:\n\n Unable to handle kernel paging request at virtual address\n 0072662f67726fd7\n ...\n CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W\n 6.1.0-rt5-00325-g8a5f56bcfcca #8\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n tty_driver_flush_buffer+0x4/0x30\n serdev_device_write_flush+0x24/0x34\n qca_serdev_shutdown+0x80/0x130 [hci_uart]\n device_shutdown+0x15c/0x260\n kernel_restart+0x48/0xac\n\nKASAN report:\n\n BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50\n Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1\n\n CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted\n 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n dump_backtrace.part.0+0xdc/0xf0\n show_stack+0x18/0x30\n dump_stack_lvl+0x68/0x84\n print_report+0x188/0x488\n kasan_report+0xa4/0xf0\n __asan_load8+0x80/0xac\n tty_driver_flush_buffer+0x1c/0x50\n ttyport_write_flush+0x34/0x44\n serdev_device_write_flush+0x48/0x60\n qca_serdev_shutdown+0x124/0x274\n device_shutdown+0x1e8/0x350\n kernel_restart+0x48/0xb0\n __do_sys_reboot+0x244/0x2d0\n __arm64_sys_reboot+0x54/0x70\n invoke_syscall+0x60/0x190\n el0_svc_common.constprop.0+0x7c/0x160\n do_el0_svc+0x44/0xf0\n el0_svc+0x2c/0x6c\n el0t_64_sync_handler+0xbc/0x140\n el0t_64_sync+0x190/0x194", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48878" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48879", + "dataSource": "https://ubuntu.com/security/CVE-2022-48879", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48879" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48879", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48879", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4ca71bc0e1995d15486cd7b60845602a28399cb5", + "https://git.kernel.org/stable/c/585a0b2b3ae7903c6abee3087d09c69e955a7794", + "https://git.kernel.org/stable/c/5fcf75a8a4c3e7ee9122d143684083c9faf20452", + "https://git.kernel.org/stable/c/703c13fe3c9af557d312f5895ed6a5fda2711104", + "https://git.kernel.org/stable/c/adc96d30f6503d30dc68670c013716f1d9fcc747", + "https://git.kernel.org/stable/c/e2ea55564229e4bea1474af15b111b3a3043b76f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix NULL-deref in init error path\n\nIn cases where runtime services are not supported or have been disabled,\nthe runtime services workqueue will never have been allocated.\n\nDo not try to destroy the workqueue unconditionally in the unlikely\nevent that EFI initialisation fails to avoid dereferencing a NULL\npointer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48879" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48880", + "dataSource": "https://ubuntu.com/security/CVE-2022-48880", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48880" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48880", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48880", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/50b3cdf8239b11545f311c4f7b89e0092e4feedb", + "https://git.kernel.org/stable/c/c965daac370f08a9b71d573a71d13cda76f2a884", + "https://git.kernel.org/stable/c/d2dc110deabe7142b60ebeed689e67f92795ee24" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/surface: aggregator: Add missing call to ssam_request_sync_free()\n\nAlthough rare, ssam_request_sync_init() can fail. In that case, the\nrequest should be freed via ssam_request_sync_free(). Currently it is\nleaked instead. Fix this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48880" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48887", + "dataSource": "https://ubuntu.com/security/CVE-2022-48887", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48887" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48887", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48887", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7ac9578e45b20e3f3c0c8eb71f5417a499a7226a", + "https://git.kernel.org/stable/c/a309c7194e8a2f8bd4539b9449917913f6c2cd50" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Remove rcu locks from user resources\n\nUser resource lookups used rcu to avoid two extra atomics. Unfortunately\nthe rcu paths were buggy and it was easy to make the driver crash by\nsubmitting command buffers from two different threads. Because the\nlookups never show up in performance profiles replace them with a\nregular spin lock which fixes the races in accesses to those shared\nresources.\n\nFixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and\nseen crashes with apps using shared resources.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48887" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48891", + "dataSource": "https://ubuntu.com/security/CVE-2022-48891", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48891" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48891", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48891", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02228f6aa6a64d588bc31e3267d05ff184d772eb", + "https://git.kernel.org/stable/c/1c1afcb8839b91c09d211ea304faa269763b1f91", + "https://git.kernel.org/stable/c/470f6a9175f13a53810734658c35cc5bba33be01", + "https://git.kernel.org/stable/c/ad1336274f733a7cb1f87b5c5908165a2c14df53", + "https://git.kernel.org/stable/c/d443308edbfb6e9e757b478af908515110d1efd5", + "https://git.kernel.org/stable/c/d4aa749e046435f054e94ebf50cad143d6229fae", + "https://git.kernel.org/stable/c/f75cde714e0a67f73ef169aa50d4ed77d04f7236" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9211: Use irq handler when ready\n\nIf the system does not come from reset (like when it is kexec()), the\nregulator might have an IRQ waiting for us.\n\nIf we enable the IRQ handler before its structures are ready, we crash.\n\nThis patch fixes:\n\n[ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078\n[ 1.316096] Call trace:\n[ 1.316101] blocking_notifier_call_chain+0x20/0xa8\n[ 1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests\n[ 1.327823] regulator_notifier_call_chain+0x1c/0x2c\n[ 1.327825] da9211_irq_handler+0x68/0xf8\n[ 1.327829] irq_thread+0x11c/0x234\n[ 1.327833] kthread+0x13c/0x154", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48891" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48892", + "dataSource": "https://ubuntu.com/security/CVE-2022-48892", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48892" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48892", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48892", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc", + "https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8", + "https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Fix use-after-free bug in dup_user_cpus_ptr()\n\nSince commit 07ec77a1d4e8 (\"sched: Allow task CPU affinity to be\nrestricted on asymmetric systems\"), the setting and clearing of\nuser_cpus_ptr are done under pi_lock for arm64 architecture. However,\ndup_user_cpus_ptr() accesses user_cpus_ptr without any lock\nprotection. Since sched_setaffinity() can be invoked from another\nprocess, the process being modified may be undergoing fork() at\nthe same time. When racing with the clearing of user_cpus_ptr in\n__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and\npossibly double-free in arm64 kernel.\n\nCommit 8f9ea86fdf99 (\"sched: Always preserve the user requested\ncpumask\") fixes this problem as user_cpus_ptr, once set, will never\nbe cleared in a task's lifetime. However, this bug was re-introduced\nin commit 851a723e45d1 (\"sched: Always clear user_cpus_ptr in\ndo_set_cpus_allowed()\") which allows the clearing of user_cpus_ptr in\ndo_set_cpus_allowed(). This time, it will affect all arches.\n\nFix this bug by always clearing the user_cpus_ptr of the newly\ncloned/forked task before the copying process starts and check the\nuser_cpus_ptr state of the source task under pi_lock.\n\nNote to stable, this patch won't be applicable to stable releases.\nJust copy the new dup_user_cpus_ptr() function over.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48892" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48893", + "dataSource": "https://ubuntu.com/security/CVE-2022-48893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48893" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48893", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5c855bcc730656c4b7d30aaddcd0eafc7003e112", + "https://git.kernel.org/stable/c/78a033433a5ae4fee85511ee075bc9a48312c79e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Cleanup partial engine discovery failures\n\nIf we abort driver initialisation in the middle of gt/engine discovery,\nsome engines will be fully setup and some not. Those incompletely setup\nengines only have 'engine->release == NULL' and so will leak any of the\ncommon objects allocated.\n\nv2:\n - Drop the destroy_pinned_context() helper for now. It's not really\n worth it with just a single callsite at the moment. (Janusz)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48895", + "dataSource": "https://ubuntu.com/security/CVE-2022-48895", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48895" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48895", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48895", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/a1b9c7b1978aacf4b2f33e34bde1e2bb80b8497a", + "https://git.kernel.org/stable/c/ce31e6ca68bd7639bd3e5ef97be215031842bbab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Don't unregister on shutdown\n\nMichael Walle says he noticed the following stack trace while performing\na shutdown with \"reboot -f\". He suggests he got \"lucky\" and just hit the\ncorrect spot for the reboot while there was a packet transmission in\nflight.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000098\nCPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930\nHardware name: Kontron KBox A-230-LS (DT)\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_map_page+0x9c/0x254\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_map_page_attrs+0x1ec/0x250\n enetc_start_xmit+0x14c/0x10b0\n enetc_xmit+0x60/0xdc\n dev_hard_start_xmit+0xb8/0x210\n sch_direct_xmit+0x11c/0x420\n __dev_queue_xmit+0x354/0xb20\n ip6_finish_output2+0x280/0x5b0\n __ip6_finish_output+0x15c/0x270\n ip6_output+0x78/0x15c\n NF_HOOK.constprop.0+0x50/0xd0\n mld_sendpack+0x1bc/0x320\n mld_ifc_work+0x1d8/0x4dc\n process_one_work+0x1e8/0x460\n worker_thread+0x178/0x534\n kthread+0xe0/0xe4\n ret_from_fork+0x10/0x20\nCode: d503201f f9416800 d503233f d50323bf (f9404c00)\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\n\nThis appears to be reproducible when the board has a fixed IP address,\nis ping flooded from another host, and \"reboot -f\" is used.\n\nThe following is one more manifestation of the issue:\n\n$ reboot -f\nkvm: exiting hardware virtualization\ncfg80211: failed to load regulatory.db\narm-smmu 5000000.iommu: disabling translation\nsdhci-esdhc 2140000.mmc: Removing from iommu group 11\nsdhci-esdhc 2150000.mmc: Removing from iommu group 12\nfsl-edma 22c0000.dma-controller: Removing from iommu group 17\ndwc3 3100000.usb: Removing from iommu group 9\ndwc3 3110000.usb: Removing from iommu group 10\nahci-qoriq 3200000.sata: Removing from iommu group 2\nfsl-qdma 8380000.dma-controller: Removing from iommu group 20\nplatform f080000.display: Removing from iommu group 0\netnaviv-gpu f0c0000.gpu: Removing from iommu group 1\netnaviv etnaviv: Removing from iommu group 1\ncaam_jr 8010000.jr: Removing from iommu group 13\ncaam_jr 8020000.jr: Removing from iommu group 14\ncaam_jr 8030000.jr: Removing from iommu group 15\ncaam_jr 8040000.jr: Removing from iommu group 16\nfsl_enetc 0000:00:00.0: Removing from iommu group 4\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.1: Removing from iommu group 5\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.2: Removing from iommu group 6\nfsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8\nmscc_felix 0000:00:00.5: Removing from iommu group 3\nfsl_enetc 0000:00:00.6: Removing from iommu group 7\npcieport 0001:00:00.0: Removing from iommu group 18\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\npcieport 0002:00:00.0: Removing from iommu group 19\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_unmap_page+0x38/0xe0\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_unmap_page_attrs+0x38/0x1d0\n en\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48895" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48896", + "dataSource": "https://ubuntu.com/security/CVE-2022-48896", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48896" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48896", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48896", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/112df4cd2b09acd64bcd18f5ef83ba5d07b34bf0", + "https://git.kernel.org/stable/c/4c93422a54cd6a349988f42e1c6bf082cf4ea9d8", + "https://git.kernel.org/stable/c/53cefa802f070d46c0c518f4865be2c749818a18", + "https://git.kernel.org/stable/c/b93fb4405fcb5112c5739c5349afb52ec7f15c07", + "https://git.kernel.org/stable/c/c49996c6aa03590e4ef5add8772cb6068d99fd59" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix pci device refcount leak\n\nAs the comment of pci_get_domain_bus_and_slot() says, it\nreturns a PCI device with refcount incremented, when finish\nusing it, the caller must decrement the reference count by\ncalling pci_dev_put().\n\nIn ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(),\npci_dev_put() is called to avoid leak.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48896" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48898", + "dataSource": "https://ubuntu.com/security/CVE-2022-48898", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48898" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48898", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48898", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169", + "https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1", + "https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a", + "https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer\n\nThere are 3 possible interrupt sources are handled by DP controller,\nHPDstatus, Controller state changes and Aux read/write transaction.\nAt every irq, DP controller have to check isr status of every interrupt\nsources and service the interrupt if its isr status bits shows interrupts\nare pending. There is potential race condition may happen at current aux\nisr handler implementation since it is always complete dp_aux_cmd_fifo_tx()\neven irq is not for aux read or write transaction. This may cause aux read\ntransaction return premature if host aux data read is in the middle of\nwaiting for sink to complete transferring data to host while irq happen.\nThis will cause host's receiving buffer contains unexpected data. This\npatch fixes this problem by checking aux isr and return immediately at\naux isr handler if there are no any isr status bits set.\n\nCurrent there is a bug report regrading eDP edid corruption happen during\nsystem booting up. After lengthy debugging to found that VIDEO_READY\ninterrupt was continuously firing during system booting up which cause\ndp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data\nfrom aux hardware buffer which is not yet contains complete data transfer\nfrom sink. This cause edid corruption.\n\nFollows are the signature at kernel logs when problem happen,\nEDID has corrupt header\npanel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID\n\nChanges in v2:\n-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()\n-- add more commit text\n\nChanges in v3:\n-- add Stephen suggested\n-- dp_aux_isr() return IRQ_XXX back to caller\n-- dp_ctrl_isr() return IRQ_XXX back to caller\n\nChanges in v4:\n-- split into two patches\n\nChanges in v5:\n-- delete empty line between tags\n\nChanges in v6:\n-- remove extra \"that\" and fixed line more than 75 char at commit text\n\nPatchwork: https://patchwork.freedesktop.org/patch/516121/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48898" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48899", + "dataSource": "https://ubuntu.com/security/CVE-2022-48899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48899", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/011ecdbcd520c90c344b872ca6b4821f7783b2f8", + "https://git.kernel.org/stable/c/19ec87d06acfab2313ee82b2a689bf0c154e57ea", + "https://git.kernel.org/stable/c/52531258318ed59a2dc5a43df2eaf0eb1d65438e", + "https://git.kernel.org/stable/c/68bcd063857075d2f9edfed6024387ac377923e2", + "https://git.kernel.org/stable/c/adc48e5e408afbb01d261bd303fd9fbbbaa3e317", + "https://git.kernel.org/stable/c/d01d6d2b06c0d8390adf8f3ba08aa60b5642ef73" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Fix GEM handle creation UAF\n\nUserspace can guess the handle value and try to race GEM object creation\nwith handle close, resulting in a use-after-free if we dereference the\nobject after dropping the handle's reference. For that reason, dropping\nthe handle's reference must be done *after* we are done dereferencing\nthe object.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48900", + "dataSource": "https://ubuntu.com/security/CVE-2022-48900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48900" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48900", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48929", + "dataSource": "https://ubuntu.com/security/CVE-2022-48929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48929" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48929", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1", + "https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae", + "https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to out of bounds access into reg2btf_ids.\n\nWhen commit e6ac2450d6de (\"bpf: Support bpf program calling kernel function\") added\nkfunc support, it defined reg2btf_ids as a cheap way to translate the verifier\nreg type to the appropriate btf_vmlinux BTF ID, however\ncommit c25b2ae13603 (\"bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL\")\nmoved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after\nthe base register types, and defined other variants using type flag\ncomposition. However, now, the direct usage of reg->type to index into\nreg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to\nout of bounds access and kernel crash on dereference of bad pointer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-0030", + "dataSource": "https://ubuntu.com/security/CVE-2023-0030", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-0030" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-0030", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0030", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2157270", + "https://github.com/torvalds/linux/commit/729eba3355674f2d9524629b73683ba1d1cd3f10", + "https://security.netapp.com/advisory/ntap-20230413-0010/" + ], + "description": "A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-0030" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-0160", + "dataSource": "https://ubuntu.com/security/CVE-2023-0160", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-0160" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-0160", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2023-0160", + "https://bugzilla.redhat.com/show_bug.cgi?id=2159764", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed17aa92dc56", + "https://lore.kernel.org/all/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/" + ], + "description": "A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-0160" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-1193", + "dataSource": "https://ubuntu.com/security/CVE-2023-1193", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-1193" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-1193", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-1193", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2023-1193", + "https://bugzilla.redhat.com/show_bug.cgi?id=2154177", + "https://lkml.kernel.org/linux-cifs/20230401084951.6085-2-linkinjeon@kernel.org/T/" + ], + "description": "A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-1193" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-1872", + "dataSource": "https://ubuntu.com/security/CVE-2023-1872", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-1872" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-1872", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-1872", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html", + "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=08681391b84da27133deefaaddefd0acfa90c2be", + "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=da24142b1ef9fd5d36b76e36bab328a5b27523e8", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html", + "https://security.netapp.com/advisory/ntap-20230601-0002/" + ], + "description": "A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\n\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\n\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "cve-coordination@google.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-1872" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-1989", + "dataSource": "https://ubuntu.com/security/CVE-2023-1989", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-1989" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-1989", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-1989", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=f132c2d13088", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html", + "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html", + "https://security.netapp.com/advisory/ntap-20230601-0004/", + "https://www.debian.org/security/2023/dsa-5492" + ], + "description": "A use-after-free flaw was found in btsdio_remove in drivers\\bluetooth\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-1989" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-2007", + "dataSource": "https://ubuntu.com/security/CVE-2023-2007", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-2007" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-2007", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-2007", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/torvalds/linux/commit/b04e75a4a8a81887386a0d2dbf605a48e779d2a0", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html", + "https://security.netapp.com/advisory/ntap-20240119-0011/", + "https://www.debian.org/security/2023/dsa-5480" + ], + "description": "The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-2007" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-20569", + "dataSource": "https://ubuntu.com/security/CVE-2023-20569", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2023-20569" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-20569", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-20569", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/08/08/4", + "http://xenbits.xen.org/xsa/advisory-434.html", + "https://comsec.ethz.ch/research/microarch/inception/", + "https://lists.debian.org/debian-lts-announce/2023/08/msg00013.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HKKYIK2EASDNUV4I7EFJKNBVO3KCKGRR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4E4TZNMLYL2KETY23IPA43QXFAVJ46V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKK3IA63LSKM4EC3TN4UM6DDEIOWEQIG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7WO5JM74YJSYAE5RBV4DC6A4YLEKWLF/", + "https://security.netapp.com/advisory/ntap-20240605-0006/", + "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-7005", + "https://www.debian.org/security/2023/dsa-5475" + ], + "description": "\n\n\nA side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-20569" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-26242", + "dataSource": "https://ubuntu.com/security/CVE-2023-26242", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-26242" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-26242", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-26242", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.suse.com/show_bug.cgi?id=1208518", + "https://patchwork.kernel.org/project/linux-fpga/patch/20230206054326.89323-1-k1rh4.lee%40gmail.com", + "https://security.netapp.com/advisory/ntap-20230406-0002/" + ], + "description": "afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-26242" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-28327", + "dataSource": "https://ubuntu.com/security/CVE-2023-28327", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-28327" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-28327", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-28327", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2177382" + ], + "description": "A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-28327" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-31082", + "dataSource": "https://ubuntu.com/security/CVE-2023-31082", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-31082" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-31082", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.suse.com/show_bug.cgi?id=1210781", + "https://lore.kernel.org/all/CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ_7MNqhh483P5yN8A%40mail.gmail.com/", + "https://security.netapp.com/advisory/ntap-20230929-0003/" + ], + "description": "An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-31082" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-33053", + "dataSource": "https://ubuntu.com/security/CVE-2023-33053", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-33053" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-33053", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-33053", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin" + ], + "description": "Memory corruption in Kernel while parsing metadata.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "product-security@qualcomm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-33053" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-3397", + "dataSource": "https://ubuntu.com/security/CVE-2023-3397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-3397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-3397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2023-3397", + "https://bugzilla.redhat.com/show_bug.cgi?id=2217271", + "https://www.spinics.net/lists/kernel/msg4788636.html" + ], + "description": "A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 6.3, + "exploitabilityScore": 1, + "impactScore": 5.2 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-3397" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-3640", + "dataSource": "https://ubuntu.com/security/CVE-2023-3640", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-3640" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-3640", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-3640", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2023-3640", + "https://bugzilla.redhat.com/show_bug.cgi?id=2217523" + ], + "description": "A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-3640" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-38417", + "dataSource": "https://ubuntu.com/security/CVE-2023-38417", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-38417" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-38417", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-38417", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html" + ], + "description": "Improper input validation for some Intel(R) PROSet/Wireless WiFi software before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "cvss": [ + { + "source": "secure@intel.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 2.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-38417" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-4010", + "dataSource": "https://ubuntu.com/security/CVE-2023-4010", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4010" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4010", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2023-4010", + "https://bugzilla.redhat.com/show_bug.cgi?id=2227726", + "https://github.com/wanrenmi/a-usb-kernel-bug" + ], + "description": "A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4010" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-4133", + "dataSource": "https://ubuntu.com/security/CVE-2023-4133", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4133" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4133", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2394", + "https://access.redhat.com/errata/RHSA-2024:2950", + "https://access.redhat.com/errata/RHSA-2024:3138", + "https://access.redhat.com/security/cve/CVE-2023-4133", + "https://bugzilla.redhat.com/show_bug.cgi?id=2221702" + ], + "description": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4133" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-44452", + "dataSource": "https://ubuntu.com/security/CVE-2023-44452", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-44452" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-44452", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-44452", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/linuxmint/xreader/commit/cd678889ecfe4e84a5cbcf3a0489e15a5e2e3736", + "https://www.zerodayinitiative.com/advisories/ZDI-23-1836/" + ], + "description": "Linux Mint Xreader CBT File Parsing Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22132.", + "cvss": [ + { + "source": "zdi-disclosures@trendmicro.com", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-44452" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-47210", + "dataSource": "https://ubuntu.com/security/CVE-2023-47210", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-47210" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-47210", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-47210", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html" + ], + "description": "Improper input validation for some Intel(R) PROSet/Wireless WiFi software for linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "cvss": [ + { + "source": "secure@intel.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 2.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-47210" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52438", + "dataSource": "https://ubuntu.com/security/CVE-2023-52438", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52438" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52438", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52438", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3f489c2067c5824528212b0fc18b28d51332d906", + "https://git.kernel.org/stable/c/8ad4d580e8aff8de2a4d57c5930fcc29f1ffd4a6", + "https://git.kernel.org/stable/c/9fa04c93f24138747807fe75b5591bb680098f56", + "https://git.kernel.org/stable/c/a49087ab93508b60d9b8add91707a22dda832869", + "https://git.kernel.org/stable/c/a53e15e592b4dcc91c3a3b8514e484a0bdbc53a3", + "https://git.kernel.org/stable/c/c8c1158ffb007197f31f9d9170cf13e4f34cbb5c", + "https://git.kernel.org/stable/c/e074686e993ff1be5f21b085a3b1b4275ccd5727", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in shinker's callback\n\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\n\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n Read of size 8 at addr ffff356ed50e50f0 by task bash/478\n\n CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n zap_page_range_single+0x470/0x4b8\n binder_alloc_free_page+0x608/0xadc\n __list_lru_walk_one+0x130/0x3b0\n list_lru_walk_node+0xc4/0x22c\n binder_shrink_scan+0x108/0x1dc\n shrinker_debugfs_scan_write+0x2b4/0x500\n full_proxy_write+0xd4/0x140\n vfs_write+0x1ac/0x758\n ksys_write+0xf0/0x1dc\n __arm64_sys_write+0x6c/0x9c\n\n Allocated by task 492:\n kmem_cache_alloc+0x130/0x368\n vm_area_alloc+0x2c/0x190\n mmap_region+0x258/0x18bc\n do_mmap+0x694/0xa60\n vm_mmap_pgoff+0x170/0x29c\n ksys_mmap_pgoff+0x290/0x3a0\n __arm64_sys_mmap+0xcc/0x144\n\n Freed by task 491:\n kmem_cache_free+0x17c/0x3c8\n vm_area_free_rcu_cb+0x74/0x98\n rcu_core+0xa38/0x26d4\n rcu_core_si+0x10/0x1c\n __do_softirq+0x2fc/0xd24\n\n Last potentially related work creation:\n __call_rcu_common.constprop.0+0x6c/0xba0\n call_rcu+0x10/0x1c\n vm_area_free+0x18/0x24\n remove_vma+0xe4/0x118\n do_vmi_align_munmap.isra.0+0x718/0xb5c\n do_vmi_munmap+0xdc/0x1fc\n __vm_munmap+0x10c/0x278\n __arm64_sys_munmap+0x58/0x7c\n\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52438" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52439", + "dataSource": "https://ubuntu.com/security/CVE-2023-52439", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52439" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52439", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52439", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2", + "https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea", + "https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c", + "https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad", + "https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7", + "https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570", + "https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41", + "https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: Fix use-after-free in uio_open\n\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\n\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n freed.\n\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52439" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52452", + "dataSource": "https://ubuntu.com/security/CVE-2023-52452", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52452" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52452", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19", + "https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529", + "https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52452" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52475", + "dataSource": "https://ubuntu.com/security/CVE-2023-52475", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52475" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52475", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52475", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2efe67c581a2a6122b328d4bb6f21b3f36f40d46", + "https://git.kernel.org/stable/c/5aa514100aaf59868d745196258269a16737c7bd", + "https://git.kernel.org/stable/c/5c15c60e7be615f05a45cd905093a54b11f461bc", + "https://git.kernel.org/stable/c/67cace72606baf1758fd60feb358f4c6be92e1cc", + "https://git.kernel.org/stable/c/6a4a396386404e62fb59bc3bde48871a64a82b4f", + "https://git.kernel.org/stable/c/8677575c4f39d65bf0d719b5d20e8042e550ccb9", + "https://git.kernel.org/stable/c/cd2fbfd8b922b7fdd50732e47d797754ab59cb06", + "https://git.kernel.org/stable/c/e528b1b9d60743e0b26224e3fe7aa74c24b8b2f8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: powermate - fix use-after-free in powermate_config_complete\n\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct. When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\n\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\n\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52475" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52476", + "dataSource": "https://ubuntu.com/security/CVE-2023-52476", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52476" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52476", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52476", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3863989497652488a50f00e96de4331e5efabc6c", + "https://git.kernel.org/stable/c/403d201d1fd144cb249836dafb222f6375871c6c", + "https://git.kernel.org/stable/c/e53899771a02f798d436655efbd9d4b46c0f9265", + "https://git.kernel.org/stable/c/f71edacbd4f99c0e12fe4a4007ab4d687d0688db" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/lbr: Filter vsyscall addresses\n\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\n\n __insn_get_emulate_prefix()\n insn_get_emulate_prefix()\n insn_get_prefixes()\n insn_get_opcode()\n decode_branch_type()\n get_branch_type()\n intel_pmu_lbr_filter()\n intel_pmu_handle_irq()\n perf_event_nmi_handler()\n\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\n\n peek_nbyte_next(insn_byte_t, insn, i)\n\nWithin this macro, this dereference occurs:\n\n (insn)->next_byte\n\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\n\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52476" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52477", + "dataSource": "https://ubuntu.com/security/CVE-2023-52477", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52477" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52477", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52477", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/136f69a04e71ba3458d137aec3bb2ce1232c0289", + "https://git.kernel.org/stable/c/241f230324337ed5eae3846a554fb6d15169872c", + "https://git.kernel.org/stable/c/528f0ba9f7a4bc1b61c9b6eb591ff97ca37cac6b", + "https://git.kernel.org/stable/c/6ad3e9fd3632106696692232bf7ff88b9f7e1bc3", + "https://git.kernel.org/stable/c/8e7346bfea56453e31b7421c1c17ca2fb9ed613d", + "https://git.kernel.org/stable/c/c64e4dca9aefd232b17ac4c779b608b286654e81", + "https://git.kernel.org/stable/c/f74a7afc224acd5e922c7a2e52244d891bbe44ee", + "https://git.kernel.org/stable/c/fb9895ab9533534335fa83d70344b397ac862c81" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: hub: Guard against accesses to uninitialized BOS descriptors\n\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 \nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\n\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52477" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52478", + "dataSource": "https://ubuntu.com/security/CVE-2023-52478", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52478" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52478", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52478", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1", + "https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528", + "https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c", + "https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5", + "https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b", + "https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452", + "https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e", + "https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\n\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\n\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\n\nThis opens the following races (note the below code is simplified):\n\n1. Retrieving + printing the protocol (harmless race):\n\n\tif (!hidpp->protocol_major) {\n\t\thidpp_root_get_protocol_version()\n\t\thidpp->protocol_major = response.rap.params[0];\n\t}\n\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n\nTesting with extra logging added has shown that after this the 2 threads\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n\n2. Updating the name to the HIDPP name (harmless race):\n\n\tif (hidpp->name == hdev->name) {\n\t\t...\n\t\thidpp->name = new_name;\n\t}\n\n3. Initializing the power_supply class for the battery (problematic!):\n\nhidpp_initialize_battery()\n{\n if (hidpp->battery.ps)\n return 0;\n\n\tprobe_battery(); /* Blocks, threads take turns executing this */\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n}\n\n4. Creating delayed input_device (potentially problematic):\n\n\tif (hidpp->delayed_input)\n\t\treturn;\n\n\thidpp->delayed_input = hidpp_allocate_input(hdev);\n\nThe really big problem here is 3. Hitting the race leads to the following\nsequence:\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n\n\t...\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace's pov but this is not even\nthe really big problem.\n\nNotice how:\n\n1. This is all devm-maganaged\n2. The hidpp->battery.desc struct is shared between the 2 power supplies\n3. hidpp->battery.desc.properties points to the result from the second\n devm_kmemdup()\n\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\n hidpp->battery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\n this involves sending a remove uevent to userspace which invokes\n power_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp->battery.desc.properties which\n now points to freed memory leading to backtraces like this one:\n\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel: \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52478" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52479", + "dataSource": "https://ubuntu.com/security/CVE-2023-52479", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52479" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52479", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52479", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/694e13732e830cbbfedb562e57f28644927c33fd", + "https://git.kernel.org/stable/c/8226ffc759ea59f10067b9acdf7f94bae1c69930", + "https://git.kernel.org/stable/c/c69813471a1ec081a0b9bf0c6bd7e8afd818afce", + "https://git.kernel.org/stable/c/d5b0e9d3563e7e314a850e81f42b2ef6f39882f9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix uaf in smb20_oplock_break_ack\n\ndrop reference after use opinfo.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52479" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52481", + "dataSource": "https://ubuntu.com/security/CVE-2023-52481", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52481" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52481", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52481", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25", + "https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513", + "https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\n\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\naffected Cortex-A520 core, a speculatively executed unprivileged load\nmight leak data from a privileged load via a cache side channel. The\nissue only exists for loads within a translation regime with the same\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\nthe return to EL0.\n\nThe workaround is to execute a TLBI before returning to EL0 after all\nloads of privileged data. A non-shareable TLBI to any address is\nsufficient.\n\nThe workaround isn't necessary if page table isolation (KPTI) is\nenabled, but for simplicity it will be. Page table isolation should\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\nand the E0PD feature (used when KASLR is enabled).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52481" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52482", + "dataSource": "https://ubuntu.com/security/CVE-2023-52482", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52482" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52482", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52482", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6ce2f297a7168274547d0b5aea6c7c16268b8a96", + "https://git.kernel.org/stable/c/a5ef7d68cea1344cf524f04981c2b3f80bedbb0d", + "https://git.kernel.org/stable/c/cf43b304b6952b549d58feabc342807b334f03d4", + "https://git.kernel.org/stable/c/e7ea043bc3f19473561c08565047b3f1671bf35d", + "https://git.kernel.org/stable/c/f090a8b4d2e3ec6f318d6fdab243a2edc5a8cc37", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/srso: Add SRSO mitigation for Hygon processors\n\nAdd mitigation for the speculative return stack overflow vulnerability\nwhich exists on Hygon processors too.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52482" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52483", + "dataSource": "https://ubuntu.com/security/CVE-2023-52483", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52483" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52483", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52483", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1db0724a01b558feb1ecae551782add1951a114a", + "https://git.kernel.org/stable/c/2405f64a95a7a094eb24cba9bcfaffd1ea264de4", + "https://git.kernel.org/stable/c/5093bbfc10ab6636b32728e35813cbd79feb063c", + "https://git.kernel.org/stable/c/6c52b12159049046483fdb0c411a0a1869c41a67" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: perform route lookups under a RCU read-side lock\n\nOur current route lookups (mctp_route_lookup and mctp_route_lookup_null)\ntraverse the net's route list without the RCU read lock held. This means\nthe route lookup is subject to preemption, resulting in an potential\ngrace period expiry, and so an eventual kfree() while we still have the\nroute pointer.\n\nAdd the proper read-side critical section locks around the route\nlookups, preventing premption and a possible parallel kfree.\n\nThe remaining net->mctp.routes accesses are already under a\nrcu_read_lock, or protected by the RTNL for updates.\n\nBased on an analysis from Sili Luo , where\nintroducing a delay in the route lookup could cause a UAF on\nsimultaneous sendmsg() and route deletion.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52483" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52484", + "dataSource": "https://ubuntu.com/security/CVE-2023-52484", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52484" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52484", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52484", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3283a1bce9bbc978059f790b84f3c10c32492429", + "https://git.kernel.org/stable/c/d5afb4b47e13161b3f33904d45110f9e6463bad6", + "https://git.kernel.org/stable/c/f5a604757aa8e37ea9c7011dc9da54fa1b30f29b", + "https://git.kernel.org/stable/c/f90f4c562003ac3d3b135c5a40a5383313f27264" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\n\nWhen running an SVA case, the following soft lockup is triggered:\n--------------------------------------------------------------------\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\nsp : ffff8000d83ef290\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\nx26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\n __arm_smmu_tlb_inv_range+0x118/0x254\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\n arm_smmu_mm_invalidate_range+0xa0/0xa4\n __mmu_notifier_invalidate_range_end+0x88/0x120\n unmap_vmas+0x194/0x1e0\n unmap_region+0xb4/0x144\n do_mas_align_munmap+0x290/0x490\n do_mas_munmap+0xbc/0x124\n __vm_munmap+0xa8/0x19c\n __arm64_sys_munmap+0x28/0x50\n invoke_syscall+0x78/0x11c\n el0_svc_common.constprop.0+0x58/0x1c0\n do_el0_svc+0x34/0x60\n el0_svc+0x2c/0xd4\n el0t_64_sync_handler+0x114/0x140\n el0t_64_sync+0x1a4/0x1a8\n--------------------------------------------------------------------\n\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\nto \"arm_smmu_mm_arch_invalidate_secondary_tlbs\", yet the problem remains.\n\nThe commit 06ff87bae8d3 (\"arm64: mm: remove unused functions and variable\nprotoypes\") fixed a similar lockup on the CPU MMU side. Yet, it can occur\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\ntypically next to MMU tlb flush function, e.g.\n\ttlb_flush_mmu_tlbonly {\n\t\ttlb_flush {\n\t\t\t__flush_tlb_range {\n\t\t\t\t// check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t\tmmu_notifier_arch_invalidate_secondary_tlbs {\n\t\t\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\n\t\t\t\t// does not check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t}\n\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\nTLBI command, if the request size hits this threshold.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52484" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52485", + "dataSource": "https://ubuntu.com/security/CVE-2023-52485", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52485" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52485", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52485", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/303197775a97416b62d4da69280d0c120a20e009", + "https://git.kernel.org/stable/c/8892780834ae294bc3697c7d0e056d7743900b39" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before sending a command\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nFor functions that execute within a DC context or DC lock we can\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\nexits idle power optimizations and reallows once we're done with\nthe command submission on success.\n\nFor DM direct submissions the DM will need to manage the enter/exit\nsequencing manually.\n\nWe cannot invoke a DMCUB command directly within the DM execution\nhelper or we can deadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52485" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52488", + "dataSource": "https://ubuntu.com/security/CVE-2023-52488", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52488" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52488", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52488", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/084c24e788d9cf29c55564de368bf5284f2bb5db", + "https://git.kernel.org/stable/c/416b10d2817c94db86829fb92ad43ce7d002c573", + "https://git.kernel.org/stable/c/4e37416e4ee1b1bc17364a68973e0c63be89e611", + "https://git.kernel.org/stable/c/aa7cb4787698add9367b19f7afc667662c9bdb23", + "https://git.kernel.org/stable/c/dbf4ab821804df071c8b566d9813083125e6d97b", + "https://git.kernel.org/stable/c/e635f652696ef6f1230621cfd89c350cb5ec6169", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO\n\nThe SC16IS7XX IC supports a burst mode to access the FIFOs where the\ninitial register address is sent ($00), followed by all the FIFO data\nwithout having to resend the register address each time. In this mode, the\nIC doesn't increment the register address for each R/W byte.\n\nThe regmap_raw_read() and regmap_raw_write() are functions which can\nperform IO over multiple registers. They are currently used to read/write\nfrom/to the FIFO, and although they operate correctly in this burst mode on\nthe SPI bus, they would corrupt the regmap cache if it was not disabled\nmanually. The reason is that when the R/W size is more than 1 byte, these\nfunctions assume that the register address is incremented and handle the\ncache accordingly.\n\nConvert FIFO R/W functions to use the regmap _noinc_ versions in order to\nremove the manual cache control which was a workaround when using the\n_raw_ versions. FIFO registers are properly declared as volatile so\ncache will not be used/updated for FIFO accesses.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2023-52488" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52499", + "dataSource": "https://ubuntu.com/security/CVE-2023-52499", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52499" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52499", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52499", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820", + "https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746", + "https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3", + "https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/47x: Fix 47x syscall return crash\n\nEddie reported that newer kernels were crashing during boot on his 476\nFSP2 system:\n\n kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)\n BUG: Unable to handle kernel instruction fetch\n Faulting instruction address: 0xb7ee2000\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K FSP-2\n Modules linked in:\n CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1\n Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2\n NIP: b7ee2000 LR: 8c008000 CTR: 00000000\n REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fs p2)\n MSR: 00000030 CR: 00001000 XER: 20000000\n GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000\n GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000\n GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0\n GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0\n NIP [b7ee2000] 0xb7ee2000\n LR [8c008000] 0x8c008000\n Call Trace:\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n ---[ end trace 0000000000000000 ]---\n\nThe problem is in ret_from_syscall where the check for\nicache_44x_need_flush is done. When the flush is needed the code jumps\nout-of-line to do the flush, and then intends to jump back to continue\nthe syscall return.\n\nHowever the branch back to label 1b doesn't return to the correct\nlocation, instead branching back just prior to the return to userspace,\ncausing bogus register values to be used by the rfi.\n\nThe breakage was introduced by commit 6f76a01173cc\n(\"powerpc/syscall: implement system call entry/exit logic in C for PPC32\") which\ninadvertently removed the \"1\" label and reused it elsewhere.\n\nFix it by adding named local labels in the correct locations. Note that\nthe return label needs to be outside the ifdef so that CONFIG_PPC_47x=n\ncompiles.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52499" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52500", + "dataSource": "https://ubuntu.com/security/CVE-2023-52500", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52500" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52500", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52500", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2259e1901b2d8c0e8538fc99e77de443b939e749", + "https://git.kernel.org/stable/c/22e6d783a33015bcdf0979015e4eac603912bea7", + "https://git.kernel.org/stable/c/2afd8fcee0c4d65a482e30c3ad2a92c25e5e92d4", + "https://git.kernel.org/stable/c/c13e7331745852d0dd7c35eabbe181cbd5b01172", + "https://git.kernel.org/stable/c/d540a4370aba378fbedf349ba0bb68e96e24243d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\n\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52500" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52501", + "dataSource": "https://ubuntu.com/security/CVE-2023-52501", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52501" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52501", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52501", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/344f2f3e61a90f0150c754796ec9a17fcaeec03d", + "https://git.kernel.org/stable/c/75fc9e99b3a71006720ad1e029db11a4b5c32d4a", + "https://git.kernel.org/stable/c/95a404bd60af6c4d9d8db01ad14fe8957ece31ca", + "https://git.kernel.org/stable/c/b08a4938229dbb530a35c41b83002a1457c6ff49", + "https://git.kernel.org/stable/c/cee5151c5410e868826b8afecfb356f3799ebea3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not attempt to read past \"commit\"\n\nWhen iterating over the ring buffer while the ring buffer is active, the\nwriter can corrupt the reader. There's barriers to help detect this and\nhandle it, but that code missed the case where the last event was at the\nvery end of the page and has only 4 bytes left.\n\nThe checks to detect the corruption by the writer to reads needs to see the\nlength of the event. If the length in the first 4 bytes is zero then the\nlength is stored in the second 4 bytes. But if the writer is in the process\nof updating that code, there's a small window where the length in the first\n4 bytes could be zero even though the length is only 4 bytes. That will\ncause rb_event_length() to read the next 4 bytes which could happen to be off the\nallocated page.\n\nTo protect against this, fail immediately if the next event pointer is\nless than 8 bytes from the end of the commit (last byte of data), as all\nevents must be a minimum of 8 bytes anyway.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52501" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52502", + "dataSource": "https://ubuntu.com/security/CVE-2023-52502", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52502" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52502", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52502", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/31c07dffafce914c1d1543c135382a11ff058d93", + "https://git.kernel.org/stable/c/6ac22ecdaad2ecc662048f8c6b0ceb1ca0699ef9", + "https://git.kernel.org/stable/c/7adcf014bda16cdbf804af5c164d94d5d025db2d", + "https://git.kernel.org/stable/c/d1af8a39cf839d93c8967fdd858f6bbdc3e4a15c", + "https://git.kernel.org/stable/c/d888d3f70b0de32b4f51534175f039ddab15eef8", + "https://git.kernel.org/stable/c/e4f2611f07c87b3ddb57c4b9e8efcd1e330fc3dc", + "https://git.kernel.org/stable/c/e863f5720a5680e50c4cecf12424d7cc31b3eb0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\n\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\n\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\n\nnfc_llcp_sock_get_sn() has a similar problem.\n\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52502" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52503", + "dataSource": "https://ubuntu.com/security/CVE-2023-52503", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52503" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52503", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52503", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1680c82929bc14d706065f123dab77f2f1293116", + "https://git.kernel.org/stable/c/1c95574350cd63bc3c5c2fa06658010768f2a0ce", + "https://git.kernel.org/stable/c/60c3e7a00db954947c265b55099c21b216f2a05c", + "https://git.kernel.org/stable/c/da7ce52a2f6c468946195b116615297d3d113a27", + "https://git.kernel.org/stable/c/f4384b3e54ea813868bb81a861bf5b2406e15d8f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\n\nThere is a potential race condition in amdtee_close_session that may\ncause use-after-free in amdtee_open_session. For instance, if a session\nhas refcount == 1, and one thread tries to free this session via:\n\n kref_put(&sess->refcount, destroy_session);\n\nthe reference count will get decremented, and the next step would be to\ncall destroy_session(). However, if in another thread,\namdtee_open_session() is called before destroy_session() has completed\nexecution, alloc_session() may return 'sess' that will be freed up\nlater in destroy_session() leading to use-after-free in\namdtee_open_session.\n\nTo fix this issue, treat decrement of sess->refcount and removal of\n'sess' from session list in destroy_session() as a critical section, so\nthat it is executed atomically.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52503" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52504", + "dataSource": "https://ubuntu.com/security/CVE-2023-52504", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52504" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52504", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52504", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3719d3c36aa853d5a2401af9f8d6b116c91ad5ae", + "https://git.kernel.org/stable/c/3770c38cd6a60494da29ac2da73ff8156440a2d1", + "https://git.kernel.org/stable/c/5b784489c8158518bf7a466bb3cc045b0fb66b4b", + "https://git.kernel.org/stable/c/6788b10620ca6e98575d1e06e72a8974aad7657e", + "https://git.kernel.org/stable/c/cd287cc208dfe6bd6da98e7f88e723209242c9b4", + "https://git.kernel.org/stable/c/d35652a5fc9944784f6f50a5c979518ff8dacf61", + "https://git.kernel.org/stable/c/ecba5afe86f30605eb9dfb7f265a8de0218d4cfc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/alternatives: Disable KASAN in apply_alternatives()\n\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\n\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\n\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\n\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\n\nFix it for real by disabling KASAN while the kernel is patching alternatives.\n\n[ mingo: updated the changelog ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52504" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52507", + "dataSource": "https://ubuntu.com/security/CVE-2023-52507", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52507" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52507", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52507", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/25dd54b95abfdca423b65a4ee620a774777d8213", + "https://git.kernel.org/stable/c/2c231a247a1d1628e41fa1eefd1a5307c41c5f53", + "https://git.kernel.org/stable/c/354a6e707e29cb0c007176ee5b8db8be7bd2dee0", + "https://git.kernel.org/stable/c/6584eba7688dcf999542778b07f63828c21521da", + "https://git.kernel.org/stable/c/853dda54ba59ea70d5580a298b7ede4707826848", + "https://git.kernel.org/stable/c/95733ea130e35ef9ec5949a5908dde3feaba92cb", + "https://git.kernel.org/stable/c/a424807d860ba816aaafc3064b46b456361c0802", + "https://git.kernel.org/stable/c/a686f84101680b8442181a8846fbd3c934653729" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: assert requested protocol is valid\n\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52507" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52508", + "dataSource": "https://ubuntu.com/security/CVE-2023-52508", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52508" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52508", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52508", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8ae5b3a685dc59a8cf7ccfe0e850999ba9727a3c", + "https://git.kernel.org/stable/c/be90c9e29dd59b7d19a73297a1590ff3ec1d22ea", + "https://git.kernel.org/stable/c/dd46b3ac7322baf3772b33b29726e94f98289db7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()\n\nThe nvme_fc_fcp_op structure describing an AEN operation is initialized with a\nnull request structure pointer. An FC LLDD may make a call to\nnvme_fc_io_getuuid passing a pointer to an nvmefc_fcp_req for an AEN operation.\n\nAdd validation of the request structure pointer before dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52508" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52509", + "dataSource": "https://ubuntu.com/security/CVE-2023-52509", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52509" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52509", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52509", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705", + "https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89", + "https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6", + "https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5", + "https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965", + "https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\n\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\n\nCPU0\t\t\tCPU1\n\t\t\travb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\n\t\t\travb_tx_timeout_work()\n\t\t\t// use priv\n\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. So that .ndo_tx_timeout() will not be called\nafter phy_stop().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52509" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52510", + "dataSource": "https://ubuntu.com/security/CVE-2023-52510", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52510" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52510", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52510", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/217efe32a45249eb07dcd7197e8403de98345e66", + "https://git.kernel.org/stable/c/28b68cba378e3e50a4082b65f262bc4f2c7c2add", + "https://git.kernel.org/stable/c/55e06850c7894f00d41b767c5f5665459f83f58f", + "https://git.kernel.org/stable/c/84c6aa0ae5c4dc121f9996bb8fed46c80909d80e", + "https://git.kernel.org/stable/c/85c2857ef90041f567ce98722c1c342c4d31f4bc", + "https://git.kernel.org/stable/c/becf5c147198f4345243c5df0c4f035415491640", + "https://git.kernel.org/stable/c/cdb46be93c1f7bbf2c4649e9fc5fb147cfb5245d", + "https://git.kernel.org/stable/c/f990874b1c98fe8e57ee9385669f501822979258" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\n\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\n\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52510" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52511", + "dataSource": "https://ubuntu.com/security/CVE-2023-52511", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52511" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52511", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52511", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/171f8a49f212e87a8b04087568e1b3d132e36a18", + "https://git.kernel.org/stable/c/b3c21c9c7289692f4019f163c3b06d8bdf78b355", + "https://git.kernel.org/stable/c/e15bb292b24630ee832bfc7fd616bd72c7682bbb", + "https://git.kernel.org/stable/c/ff05ed4ae214011464a0156f05cac1b0b46b5fbc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: reduce DMA RX transfer width to single byte\n\nThrough empirical testing it has been determined that sometimes RX SPI\ntransfers with DMA enabled return corrupted data. This is down to single\nor even multiple bytes lost during DMA transfer from SPI peripheral to\nmemory. It seems the RX FIFO within the SPI peripheral can become\nconfused when performing bus read accesses wider than a single byte to it\nduring an active SPI transfer.\n\nThis patch reduces the width of individual DMA read accesses to the\nRX FIFO to a single byte to mitigate that issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52511" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52516", + "dataSource": "https://ubuntu.com/security/CVE-2023-52516", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52516" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52516", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52516", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/ac0d068099349cbca3d93f2e3b15bb329364b08c", + "https://git.kernel.org/stable/c/be8f49029eca3efbad0d74dbff3cb9129994ffab", + "https://git.kernel.org/stable/c/c79300599923daaa30f417c75555d5566b3d31ae", + "https://git.kernel.org/stable/c/fb5a4315591dae307a65fc246ca80b5159d296e1", + "https://git.kernel.org/stable/c/fe2b811a02c3244ebf6059039e4a9e715e26a9e3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock\n\n__dma_entry_alloc_check_leak() calls into printk -> serial console\noutput (qcom geni) and grabs port->lock under free_entries_lock\nspin lock, which is a reverse locking dependency chain as qcom_geni\nIRQ handler can call into dma-debug code and grab free_entries_lock\nunder port->lock.\n\nMove __dma_entry_alloc_check_leak() call out of free_entries_lock\nscope so that we don't acquire serial console's port->lock under it.\n\nTrimmed-down lockdep splat:\n\n The existing dependency chain (in reverse order) is:\n\n -> #2 (free_entries_lock){-.-.}-{2:2}:\n _raw_spin_lock_irqsave+0x60/0x80\n dma_entry_alloc+0x38/0x110\n debug_dma_map_page+0x60/0xf8\n dma_map_page_attrs+0x1e0/0x230\n dma_map_single_attrs.constprop.0+0x6c/0xc8\n geni_se_rx_dma_prep+0x40/0xcc\n qcom_geni_serial_isr+0x310/0x510\n __handle_irq_event_percpu+0x110/0x244\n handle_irq_event_percpu+0x20/0x54\n handle_irq_event+0x50/0x88\n handle_fasteoi_irq+0xa4/0xcc\n handle_irq_desc+0x28/0x40\n generic_handle_domain_irq+0x24/0x30\n gic_handle_irq+0xc4/0x148\n do_interrupt_handler+0xa4/0xb0\n el1_interrupt+0x34/0x64\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x64/0x68\n arch_local_irq_enable+0x4/0x8\n ____do_softirq+0x18/0x24\n ...\n\n -> #1 (&port_lock_key){-.-.}-{2:2}:\n _raw_spin_lock_irqsave+0x60/0x80\n qcom_geni_serial_console_write+0x184/0x1dc\n console_flush_all+0x344/0x454\n console_unlock+0x94/0xf0\n vprintk_emit+0x238/0x24c\n vprintk_default+0x3c/0x48\n vprintk+0xb4/0xbc\n _printk+0x68/0x90\n register_console+0x230/0x38c\n uart_add_one_port+0x338/0x494\n qcom_geni_serial_probe+0x390/0x424\n platform_probe+0x70/0xc0\n really_probe+0x148/0x280\n __driver_probe_device+0xfc/0x114\n driver_probe_device+0x44/0x100\n __device_attach_driver+0x64/0xdc\n bus_for_each_drv+0xb0/0xd8\n __device_attach+0xe4/0x140\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x44/0xb0\n device_add+0x538/0x668\n of_device_add+0x44/0x50\n of_platform_device_create_pdata+0x94/0xc8\n of_platform_bus_create+0x270/0x304\n of_platform_populate+0xac/0xc4\n devm_of_platform_populate+0x60/0xac\n geni_se_probe+0x154/0x160\n platform_probe+0x70/0xc0\n ...\n\n -> #0 (console_owner){-...}-{0:0}:\n __lock_acquire+0xdf8/0x109c\n lock_acquire+0x234/0x284\n console_flush_all+0x330/0x454\n console_unlock+0x94/0xf0\n vprintk_emit+0x238/0x24c\n vprintk_default+0x3c/0x48\n vprintk+0xb4/0xbc\n _printk+0x68/0x90\n dma_entry_alloc+0xb4/0x110\n debug_dma_map_sg+0xdc/0x2f8\n __dma_map_sg_attrs+0xac/0xe4\n dma_map_sgtable+0x30/0x4c\n get_pages+0x1d4/0x1e4 [msm]\n msm_gem_pin_pages_locked+0x38/0xac [msm]\n msm_gem_pin_vma_locked+0x58/0x88 [msm]\n msm_ioctl_gem_submit+0xde4/0x13ac [msm]\n drm_ioctl_kernel+0xe0/0x15c\n drm_ioctl+0x2e8/0x3f4\n vfs_ioctl+0x30/0x50\n ...\n\n Chain exists of:\n console_owner --> &port_lock_key --> free_entries_lock\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(free_entries_lock);\n lock(&port_lock_key);\n lock(free_entries_lock);\n lock(console_owner);\n\n *** DEADLOCK ***\n\n Call trace:\n dump_backtrace+0xb4/0xf0\n show_stack+0x20/0x30\n dump_stack_lvl+0x60/0x84\n dump_stack+0x18/0x24\n print_circular_bug+0x1cc/0x234\n check_noncircular+0x78/0xac\n __lock_acquire+0xdf8/0x109c\n lock_acquire+0x234/0x284\n console_flush_all+0x330/0x454\n consol\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52516" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52517", + "dataSource": "https://ubuntu.com/security/CVE-2023-52517", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52517" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52517", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52517", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d", + "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209", + "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097", + "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\n\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\nread any data remaining in FIFO to the RX buffer. This behaviour is\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\ntransfer complete interrupt still fires as soon as all bytes to be\ntransferred have been stored in the FIFO. At that point data in the FIFO\nstill needs to be picked up by the DMA engine. Thus the drain procedure\nand DMA engine end up racing to read from RX FIFO, corrupting any data\nread. Additionally the RX buffer pointer is never adjusted according to\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\nmode is a bug.\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\nAlso wait for completion of RX DMA when in DMA mode before returning to\nensure all data has been copied to the supplied memory buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52517" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52522", + "dataSource": "https://ubuntu.com/security/CVE-2023-52522", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52522" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52522", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52522", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/147d89ee41434b97043c2dcb17a97dc151859baa", + "https://git.kernel.org/stable/c/25563b581ba3a1f263a00e8c9a97f5e7363be6fd", + "https://git.kernel.org/stable/c/2ea52a2fb8e87067e26bbab4efb8872639240eb0", + "https://git.kernel.org/stable/c/95eabb075a5902f4c0834ab1fb12dc35730c05af", + "https://git.kernel.org/stable/c/a75152d233370362eebedb2643592e7c883cc9fc", + "https://git.kernel.org/stable/c/f82aac8162871e87027692b36af335a2375d4580" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix possible store tearing in neigh_periodic_work()\n\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\n\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\n\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52522" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52524", + "dataSource": "https://ubuntu.com/security/CVE-2023-52524", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52524" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52524", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52524", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/191d87a19cf1005ecf41e1ae08d74e17379e8391", + "https://git.kernel.org/stable/c/29c16c2bf5866326d5fbc4a537b3997fcac23391", + "https://git.kernel.org/stable/c/4837a192f6d06d5bb2f3f47d6ce5353ab69bf86b", + "https://git.kernel.org/stable/c/7562780e32b84196731d57dd24563546fcf6d082", + "https://git.kernel.org/stable/c/dba849cc98113b145c6e720122942c00b8012bdb", + "https://git.kernel.org/stable/c/dfc7f7a988dad34c3bf4c053124fb26aa6c5f916" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: llcp: Add lock when modifying device list\n\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52524" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52527", + "dataSource": "https://ubuntu.com/security/CVE-2023-52527", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52527" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52527", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52527", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1fc793d68d50dee4782ef2e808913d5dd880bcc6", + "https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59", + "https://git.kernel.org/stable/c/7626b9fed53092aa2147978070e610ecb61af844", + "https://git.kernel.org/stable/c/96b2e1090397217839fcd6c9b6d8f5d439e705ed", + "https://git.kernel.org/stable/c/9d4c75800f61e5d75c1659ba201b6c0c7ead3070", + "https://git.kernel.org/stable/c/cd1189956393bf850b2e275e37411855d3bd86bb", + "https://git.kernel.org/stable/c/f6a7182179c0ed788e3755ee2ed18c888ddcc33f", + "https://git.kernel.org/stable/c/fe80658c08e3001c80c5533cd41abfbb0e0e28fd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()\n\nIncluding the transhdrlen in length is a problem when the packet is\npartially filled (e.g. something like send(MSG_MORE) happened previously)\nwhen appending to an IPv4 or IPv6 packet as we don't want to repeat the\ntransport header or account for it twice. This can happen under some\ncircumstances, such as splicing into an L2TP socket.\n\nThe symptom observed is a warning in __ip6_append_data():\n\n WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800\n\nthat occurs when MSG_SPLICE_PAGES is used to append more data to an already\npartially occupied skbuff. The warning occurs when 'copy' is larger than\nthe amount of data in the message iterator. This is because the requested\nlength includes the transport header length when it shouldn't. This can be\ntriggered by, for example:\n\n sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);\n bind(sfd, ...); // ::1\n connect(sfd, ...); // ::1 port 7\n send(sfd, buffer, 4100, MSG_MORE);\n sendfile(sfd, dfd, NULL, 1024);\n\nFix this by only adding transhdrlen into the length if the write queue is\nempty in l2tp_ip6_sendmsg(), analogously to how UDP does things.\n\nl2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds\nthe UDP packet itself.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52527" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52528", + "dataSource": "https://ubuntu.com/security/CVE-2023-52528", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52528" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52528", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52528", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2a36d9e2995c8c3c3f179aab1215a69cff06cbed", + "https://git.kernel.org/stable/c/30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5", + "https://git.kernel.org/stable/c/310f1c92f65ad905b7e81fe14de82d979ebbd825", + "https://git.kernel.org/stable/c/3e0af6eec1789fd11934164a7f4dbcad979855a4", + "https://git.kernel.org/stable/c/4931e80da9463b03bfe42be54a9a19f213b0f76d", + "https://git.kernel.org/stable/c/9ffc5018020fe646795a8dc1203224b8f776dc09", + "https://git.kernel.org/stable/c/cda10784a176d7192f08ecb518f777a4e9575812", + "https://git.kernel.org/stable/c/e9c65989920f7c28775ec4e0c11b483910fb67b8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\n\nsyzbot reported the following uninit-value access issue:\n\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\n\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\n\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52528" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52531", + "dataSource": "https://ubuntu.com/security/CVE-2023-52531", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52531" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52531", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52531", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6b3223449c959a8be94a1f042288059e40fcccb0", + "https://git.kernel.org/stable/c/7c8faa31080342aec4903c9acb20caf82fcca1ef", + "https://git.kernel.org/stable/c/8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d", + "https://git.kernel.org/stable/c/f06cdd8d4ba5252986f51f80cc30263636397128" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: Fix a memory corruption issue\n\nA few lines above, space is kzalloc()'ed for:\n\tsizeof(struct iwl_nvm_data) +\n\tsizeof(struct ieee80211_channel) +\n\tsizeof(struct ieee80211_rate)\n\n'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.\n\nAt the end of this structure, there is the 'channels' flex array.\nEach element is of type 'struct ieee80211_channel'.\nSo only 1 element is allocated in this array.\n\nWhen doing:\n mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;\nWe point at the first element of the 'channels' flex array.\nSo this is fine.\n\nHowever, when doing:\n mvm->nvm_data->bands[0].bitrates =\n\t\t\t(void *)((u8 *)mvm->nvm_data->channels + 1);\nbecause of the \"(u8 *)\" cast, we add only 1 to the address of the beginning\nof the flex array.\n\nIt is likely that we want point at the 'struct ieee80211_rate' allocated\njust after.\n\nRemove the spurious casting so that the pointer arithmetic works as\nexpected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52531" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52532", + "dataSource": "https://ubuntu.com/security/CVE-2023-52532", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52532" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52532", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52532", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/a910e0f6304726da30a212feecec65cb97ff7a80", + "https://git.kernel.org/stable/c/b2b000069a4c307b09548dc2243f31f3ca0eac9c", + "https://git.kernel.org/stable/c/b67d7b1bfc46d05c1a58b172516454698e8d5004" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix TX CQE error handling\n\nFor an unknown TX CQE error type (probably from a newer hardware),\nstill free the SKB, update the queue tail, etc., otherwise the\naccounting will be wrong.\n\nAlso, TX errors can be triggered by injecting corrupted packets, so\nreplace the WARN_ONCE to ratelimited error logging.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52532" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52559", + "dataSource": "https://ubuntu.com/security/CVE-2023-52559", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52559" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52559", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52559", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29298c85a81abdc512e87537515ed4b1a9601d0e", + "https://git.kernel.org/stable/c/496c591f0b389eb782f36d9d4c2564b9a865eed0", + "https://git.kernel.org/stable/c/59df44bfb0ca4c3ee1f1c3c5d0ee8e314844799e", + "https://git.kernel.org/stable/c/c12ef025add77ca3a0902e8719d552b6d47b4282" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Avoid memory allocation in iommu_suspend()\n\nThe iommu_suspend() syscore suspend callback is invoked with IRQ disabled.\nAllocating memory with the GFP_KERNEL flag may re-enable IRQs during\nthe suspend callback, which can cause intermittent suspend/hibernation\nproblems with the following kernel traces:\n\nCalling iommu_suspend+0x0/0x1d0\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 15 at kernel/time/timekeeping.c:868 ktime_get+0x9b/0xb0\n...\nCPU: 0 PID: 15 Comm: rcu_preempt Tainted: G U E 6.3-intel #r1\nRIP: 0010:ktime_get+0x9b/0xb0\n...\nCall Trace:\n \n tick_sched_timer+0x22/0x90\n ? __pfx_tick_sched_timer+0x10/0x10\n __hrtimer_run_queues+0x111/0x2b0\n hrtimer_interrupt+0xfa/0x230\n __sysvec_apic_timer_interrupt+0x63/0x140\n sysvec_apic_timer_interrupt+0x7b/0xa0\n \n \n asm_sysvec_apic_timer_interrupt+0x1f/0x30\n...\n------------[ cut here ]------------\nInterrupts enabled after iommu_suspend+0x0/0x1d0\nWARNING: CPU: 0 PID: 27420 at drivers/base/syscore.c:68 syscore_suspend+0x147/0x270\nCPU: 0 PID: 27420 Comm: rtcwake Tainted: G U W E 6.3-intel #r1\nRIP: 0010:syscore_suspend+0x147/0x270\n...\nCall Trace:\n \n hibernation_snapshot+0x25b/0x670\n hibernate+0xcd/0x390\n state_store+0xcf/0xe0\n kobj_attr_store+0x13/0x30\n sysfs_kf_write+0x3f/0x50\n kernfs_fop_write_iter+0x128/0x200\n vfs_write+0x1fd/0x3c0\n ksys_write+0x6f/0xf0\n __x64_sys_write+0x1d/0x30\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nGiven that only 4 words memory is needed, avoid the memory allocation in\niommu_suspend().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52559" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52561", + "dataSource": "https://ubuntu.com/security/CVE-2023-52561", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52561" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52561", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52561", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/110e70fccce4f22b53986ae797d665ffb1950aa6", + "https://git.kernel.org/stable/c/82dacd0ca0d9640723824026d6fdf773c02de1d2", + "https://git.kernel.org/stable/c/dc1ab6577475b0460ba4261cd9caec37bd62ca0b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\n\nAdding a reserved memory region for the framebuffer memory\n(the splash memory region set up by the bootloader).\n\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\nat this particular memory region) reported on DB845c running\nv5.10.y.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52561" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52566", + "dataSource": "https://ubuntu.com/security/CVE-2023-52566", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52566" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52566", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52566", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33", + "https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2", + "https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8", + "https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7", + "https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc", + "https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c", + "https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b", + "https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\n\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails. If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed. However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug. This patch moves the release\noperation after unlocking and putting the page.\n\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted. However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\n\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52566" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52569", + "dataSource": "https://ubuntu.com/security/CVE-2023-52569", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52569" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52569", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52569", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c58c3931ede7cd08cbecf1f1a4acaf0a04a41a9", + "https://git.kernel.org/stable/c/39c4a9522db0072570d602e9b365119e17fb9f4f", + "https://git.kernel.org/stable/c/d10fd53393cc5de4b9cf1a4b8f9984f0a037aa51" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: remove BUG() after failure to insert delayed dir index item\n\nInstead of calling BUG() when we fail to insert a delayed dir index item\ninto the delayed node's tree, we can just release all the resources we\nhave allocated/acquired before and return the error to the caller. This is\nfine because all existing call chains undo anything they have done before\ncalling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending\nsnapshots in the transaction commit path).\n\nSo remove the BUG() call and do proper error handling.\n\nThis relates to a syzbot report linked below, but does not fix it because\nit only prevents hitting a BUG(), it does not fix the issue where somehow\nwe attempt to use twice the same index number for different index items.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52569" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52572", + "dataSource": "https://ubuntu.com/security/CVE-2023-52572", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52572" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52572", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52572", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a", + "https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3", + "https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix UAF in cifs_demultiplex_thread()\n\nThere is a UAF when xfstests on cifs:\n\n BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160\n Read of size 4 at addr ffff88810103fc08 by task cifsd/923\n\n CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45\n ...\n Call Trace:\n \n dump_stack_lvl+0x34/0x44\n print_report+0x171/0x472\n kasan_report+0xad/0x130\n kasan_check_range+0x145/0x1a0\n smb2_is_network_name_deleted+0x27/0x160\n cifs_demultiplex_thread.cold+0x172/0x5a4\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n \n\n Allocated by task 923:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_slab_alloc+0x54/0x60\n kmem_cache_alloc+0x147/0x320\n mempool_alloc+0xe1/0x260\n cifs_small_buf_get+0x24/0x60\n allocate_buffers+0xa1/0x1c0\n cifs_demultiplex_thread+0x199/0x10d0\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n\n Freed by task 921:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x40\n ____kasan_slab_free+0x143/0x1b0\n kmem_cache_free+0xe3/0x4d0\n cifs_small_buf_release+0x29/0x90\n SMB2_negotiate+0x8b7/0x1c60\n smb2_negotiate+0x51/0x70\n cifs_negotiate_protocol+0xf0/0x160\n cifs_get_smb_ses+0x5fa/0x13c0\n mount_get_conns+0x7a/0x750\n cifs_mount+0x103/0xd00\n cifs_smb3_do_mount+0x1dd/0xcb0\n smb3_get_tree+0x1d5/0x300\n vfs_get_tree+0x41/0xf0\n path_mount+0x9b3/0xdd0\n __x64_sys_mount+0x190/0x1d0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe UAF is because:\n\n mount(pid: 921) | cifsd(pid: 923)\n-------------------------------|-------------------------------\n | cifs_demultiplex_thread\nSMB2_negotiate |\n cifs_send_recv |\n compound_send_recv |\n smb_send_rqst |\n wait_for_response |\n wait_event_state [1] |\n | standard_receive3\n | cifs_handle_standard\n | handle_mid\n | mid->resp_buf = buf; [2]\n | dequeue_mid [3]\n KILL the process [4] |\n resp_iov[i].iov_base = buf |\n free_rsp_buf [5] |\n | is_network_name_deleted [6]\n | callback\n\n1. After send request to server, wait the response until\n mid->mid_state != SUBMITTED;\n2. Receive response from server, and set it to mid;\n3. Set the mid state to RECEIVED;\n4. Kill the process, the mid state already RECEIVED, get 0;\n5. Handle and release the negotiate response;\n6. UAF.\n\nIt can be easily reproduce with add some delay in [3] - [6].\n\nOnly sync call has the problem since async call's callback is\nexecuted in cifsd process.\n\nAdd an extra state to mark the mid state to READY before wakeup the\nwaitter, then it can get the resp safely.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52572" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52574", + "dataSource": "https://ubuntu.com/security/CVE-2023-52574", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52574" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52574", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52574", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457", + "https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58", + "https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd", + "https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7", + "https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7", + "https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d", + "https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d", + "https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix null-ptr-deref when team device type is changed\n\nGet a null-ptr-deref bug as follows with reproducer [1].\n\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n \n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n\n[1]\n$ teamd -t team0 -d -c '{\"runner\": {\"name\": \"loadbalance\"}}'\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\n\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\na vlan device.\n\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52574" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52576", + "dataSource": "https://ubuntu.com/security/CVE-2023-52576", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52576" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52576", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52576", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/34cf99c250d5cd2530b93a57b0de31d3aaf8685b", + "https://git.kernel.org/stable/c/d2dfbc0e3b7a04c2d941421a958dc31c897fb204", + "https://git.kernel.org/stable/c/eef16bfdb212da60f5144689f2967fb25b051a2b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()\n\nThe code calling ima_free_kexec_buffer() runs long after the memblock\nallocator has already been torn down, potentially resulting in a use\nafter free in memblock_isolate_range().\n\nWith KASAN or KFENCE, this use after free will result in a BUG\nfrom the idle task, and a subsequent kernel panic.\n\nSwitch ima_free_kexec_buffer() over to memblock_free_late() to avoid\nthat bug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52576" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52578", + "dataSource": "https://ubuntu.com/security/CVE-2023-52578", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52578" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52578", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52578", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd", + "https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4", + "https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2", + "https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394", + "https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5", + "https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839", + "https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: use DEV_STATS_INC()\n\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\n\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\n\nHandles updates to dev->stats.tx_dropped while we are at it.\n\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52578" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52582", + "dataSource": "https://ubuntu.com/security/CVE-2023-52582", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52582" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52582", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52582", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/d9f5537479d4ec97ea92ff24e81a517d5772581a", + "https://git.kernel.org/stable/c/df1c357f25d808e30b216188330e708e09e1a412", + "https://git.kernel.org/stable/c/df9950d37df113db59495fa09d060754366a2b7c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Only call folio_start_fscache() one time for each folio\n\nIf a network filesystem using netfs implements a clamp_length()\nfunction, it can set subrequest lengths smaller than a page size.\n\nWhen we loop through the folios in netfs_rreq_unlock_folios() to\nset any folios to be written back, we need to make sure we only\ncall folio_start_fscache() once for each folio.\n\nOtherwise, this simple testcase:\n\n mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs\n dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1\n 1+0 records in\n 1+0 records out\n 4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s\n echo 3 > /proc/sys/vm/drop_caches\n cat /mnt/nfs/file.bin > /dev/null\n\nwill trigger an oops similar to the following:\n\n page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))\n ------------[ cut here ]------------\n kernel BUG at include/linux/netfs.h:44!\n ...\n CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5\n ...\n RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]\n ...\n Call Trace:\n netfs_rreq_assess+0x497/0x660 [netfs]\n netfs_subreq_terminated+0x32b/0x610 [netfs]\n nfs_netfs_read_completion+0x14e/0x1a0 [nfs]\n nfs_read_completion+0x2f9/0x330 [nfs]\n rpc_free_task+0x72/0xa0 [sunrpc]\n rpc_async_release+0x46/0x70 [sunrpc]\n process_one_work+0x3bd/0x710\n worker_thread+0x89/0x610\n kthread+0x181/0x1c0\n ret_from_fork+0x29/0x50", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52582" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52584", + "dataSource": "https://ubuntu.com/security/CVE-2023-52584", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52584" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52584", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52584", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://git.kernel.org/stable/c/521f28eedd6b14228c46e3b81e3bf9b90c2818d8", + "https://git.kernel.org/stable/c/9a3881b1f07db1bb55cb0108e6f05cfd027eaf2e", + "https://git.kernel.org/stable/c/e821d50ab5b956ed0effa49faaf29912fd4106d9", + "https://git.kernel.org/stable/c/f8dcafcb54632536684336161da8bdd52120f95e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: mediatek: Fix UAF on device remove\n\nThe pmif driver data that contains the clocks is allocated along with\nspmi_controller.\nOn device remove, spmi_controller will be freed first, and then devres\n, including the clocks, will be cleanup.\nThis leads to UAF because putting the clocks will access the clocks in\nthe pmif driver data, which is already freed along with spmi_controller.\n\nThis can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and\nbuilding the kernel with KASAN.\n\nFix the UAF issue by using unmanaged clk_bulk_get() and putting the\nclocks before freeing spmi_controller.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 3.8, + "exploitabilityScore": 1.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52584" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52585", + "dataSource": "https://ubuntu.com/security/CVE-2023-52585", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52585" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52585", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52585", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0eb296233f86750102aa43b97879b8d8311f249a", + "https://git.kernel.org/stable/c/195a6289282e039024ad30ba66e6f94a4d0fbe49", + "https://git.kernel.org/stable/c/467139546f3fb93913de064461b1a43a212d7626", + "https://git.kernel.org/stable/c/7e6d6f27522bcd037856234b720ff607b9c4a09b", + "https://git.kernel.org/stable/c/92cb363d16ac1e41c9764cdb513d0e89a6ff4915", + "https://git.kernel.org/stable/c/b8d55a90fd55b767c25687747e2b24abd1ef8680", + "https://git.kernel.org/stable/c/c364e7a34c85c2154fb2e47561965d5b5a0b69b1", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()\n\nReturn invalid error code -EINVAL for invalid block id.\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2023-52585" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52586", + "dataSource": "https://ubuntu.com/security/CVE-2023-52586", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52586" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52586", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52586", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/14f109bf74dd67e1d0469fed859c8e506b0df53f", + "https://git.kernel.org/stable/c/45284ff733e4caf6c118aae5131eb7e7cf3eea5a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add mutex lock in control vblank irq\n\nAdd a mutex lock to control vblank irq to synchronize vblank\nenable/disable operations happening from different threads to prevent\nrace conditions while registering/unregistering the vblank irq callback.\n\nv4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a\n parameter of dpu_encoder_phys.\n -Switch from atomic refcnt to a simple int counter as mutex has\n now been added\nv3: Mistakenly did not change wording in last version. It is done now.\nv2: Slightly changed wording of commit message\n\nPatchwork: https://patchwork.freedesktop.org/patch/571854/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52586" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52589", + "dataSource": "https://ubuntu.com/security/CVE-2023-52589", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52589" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52589", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52589", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7", + "https://git.kernel.org/stable/c/870565f063a58576e8a4529f122cac4325c6b395", + "https://git.kernel.org/stable/c/bf808f58681cab64c81cd814551814fd34e540fe", + "https://git.kernel.org/stable/c/fab483438342984f2a315fe13c882a80f0f7e545" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ disable race issue\n\nIn rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the\ninterrupts and then apparently assumes that the interrupt handler won't\nbe running, and proceeds in the stop procedure. This is not the case, as\nthe interrupt handler can already be running, which would lead to the\nISP being disabled while the interrupt handler handling a captured\nframe.\n\nThis brings up two issues: 1) the ISP could be powered off while the\ninterrupt handler is still running and accessing registers, leading to\nboard lockup, and 2) the interrupt handler code and the code that\ndisables the streaming might do things that conflict.\n\nIt is not clear to me if 2) causes a real issue, but 1) can be seen with\na suitable delay (or printk in my case) in the interrupt handler,\nleading to board lockup.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52589" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52590", + "dataSource": "https://ubuntu.com/security/CVE-2023-52590", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52590" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52590", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52590", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/9d618d19b29c2943527e3a43da0a35aea91062fc", + "https://git.kernel.org/stable/c/de940cede3c41624e2de27f805b490999f419df9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change ocfs2 rename code to avoid touching renamed directory if\nits parent does not change as without locking that can corrupt the\nfilesystem.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52590" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52591", + "dataSource": "https://ubuntu.com/security/CVE-2023-52591", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52591" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52591", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52591", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17e1361cb91dc1325834da95d2ab532959d2debc", + "https://git.kernel.org/stable/c/49db9b1b86a82448dfaf3fcfefcf678dee56c8ed", + "https://git.kernel.org/stable/c/c04c162f82ac403917780eb6d1654694455d4e7c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nreiserfs: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change reiserfs rename code to avoid touching renamed directory\nif its parent does not change as without locking that can corrupt the\nfilesystem.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52591" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52593", + "dataSource": "https://ubuntu.com/security/CVE-2023-52593", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52593" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52593", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52593", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3739121443f5114c6bcf6d841a5124deb006b878", + "https://git.kernel.org/stable/c/574dcd3126aa2eed75437137843f254b1190dd03", + "https://git.kernel.org/stable/c/9ab224744a47363f74ea29c6894c405e3bcf5132", + "https://git.kernel.org/stable/c/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\n\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. Compile tested only.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52593" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52596", + "dataSource": "https://ubuntu.com/security/CVE-2023-52596", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52596" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52596", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52596", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/15893975e9e382f8294ea8d926f08dc2d8d39ede", + "https://git.kernel.org/stable/c/2ae7081bc10123b187e36a4f3a8e53768de31489", + "https://git.kernel.org/stable/c/315552310c7de92baea4e570967066569937a843" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix out of bounds access for empty sysctl registers\n\nWhen registering tables to the sysctl subsystem there is a check to see\nif header is a permanently empty directory (used for mounts). This check\nevaluates the first element of the ctl_table. This results in an out of\nbounds evaluation when registering empty directories.\n\nThe function register_sysctl_mount_point now passes a ctl_table of size\n1 instead of size 0. It now relies solely on the type to identify\na permanently empty register.\n\nMake sure that the ctl_table has at least one element before testing for\npermanent emptiness.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52596" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52621", + "dataSource": "https://ubuntu.com/security/CVE-2023-52621", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52621" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52621", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52621", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/169410eba271afc9f0fb476d996795aa26770c6d", + "https://git.kernel.org/stable/c/483cb92334cd7f1d5387dccc0ab5d595d27a669d", + "https://git.kernel.org/stable/c/c7f1b6146f4a46d727c0d046284c28b6882c6304", + "https://git.kernel.org/stable/c/d6d6fe4bb105595118f12abeed4a7bdd450853f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\n\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\n\n WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n ......\n Call Trace:\n \n ? __warn+0xa5/0x240\n ? bpf_map_lookup_elem+0x54/0x60\n ? report_bug+0x1ba/0x1f0\n ? handle_bug+0x40/0x80\n ? exc_invalid_op+0x18/0x50\n ? asm_exc_invalid_op+0x1b/0x20\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ? rcu_lockdep_current_cpu_online+0x65/0xb0\n ? rcu_is_watching+0x23/0x50\n ? bpf_map_lookup_elem+0x54/0x60\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ___bpf_prog_run+0x513/0x3b70\n __bpf_prog_run32+0x9d/0xd0\n ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n bpf_trampoline_6442580665+0x4d/0x1000\n __x64_sys_getpgid+0x5/0x30\n ? do_syscall_64+0x36/0xb0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52621" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52624", + "dataSource": "https://ubuntu.com/security/CVE-2023-52624", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52624" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52624", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52624", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ef98c6d753a744e333b7e34b9cf687040fba57d", + "https://git.kernel.org/stable/c/e5ffd1263dd5b44929c676171802e7b6af483f21" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before executing GPINT commands\n\n[Why]\nDMCUB can be in idle when we attempt to interface with the HW through\nthe GPINT mailbox resulting in a system hang.\n\n[How]\nAdd dc_wake_and_execute_gpint() to wrap the wake, execute, sleep\nsequence.\n\nIf the GPINT executes successfully then DMCUB will be put back into\nsleep after the optional response is returned.\n\nIt functions similar to the inbox command interface.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52624" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52625", + "dataSource": "https://ubuntu.com/security/CVE-2023-52625", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52625" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52625", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52625", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/820c3870c491946a78950cdf961bf40e28c1025f", + "https://git.kernel.org/stable/c/8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Refactor DMCUB enter/exit idle interface\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nWe need to exit out of the idle state prior to sending a command,\nbut the process that performs the exit also invokes a command itself.\n\nFixing this issue involves the following:\n\n1. Using a software state to track whether or not we need to start\n the process to exit idle or notify idle.\n\nIt's possible for the hardware to have exited an idle state without\ndriver knowledge, but entering one is always restricted to a driver\nallow - which makes the SW state vs HW state mismatch issue purely one\nof optimization, which should seldomly be hit, if at all.\n\n2. Refactor any instances of exit/notify idle to use a single wrapper\n that maintains this SW state.\n\nThis works simialr to dc_allow_idle_optimizations, but works at the\nDMCUB level and makes sure the state is marked prior to any notify/exit\nidle so we don't enter an infinite loop.\n\n3. Make sure we exit out of idle prior to sending any commands or\n waiting for DMCUB idle.\n\nThis patch takes care of 1/2. A future patch will take care of wrapping\nDMCUB command submission with calls to this new interface.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52625" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52629", + "dataSource": "https://ubuntu.com/security/CVE-2023-52629", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52629" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52629", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52629", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65", + "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n (cpu 0) | (cpu 1)\nswitch_drv_remove() |\n flush_work() |\n ... | switch_timer // timer\n | schedule_work(&psw->work)\n timer_shutdown_sync() |\n ... | switch_work_handler // worker\n kfree(psw) // free |\n | psw->state = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2023-52629" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52632", + "dataSource": "https://ubuntu.com/security/CVE-2023-52632", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52632" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52632", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1556c242e64cdffe58736aa650b0b395854fe4d4", + "https://git.kernel.org/stable/c/2a9de42e8d3c82c6990d226198602be44f43f340", + "https://git.kernel.org/stable/c/752312f6a79440086ac0f9b08d7776870037323c", + "https://git.kernel.org/stable/c/b602f098f716723fa5c6c96a486e0afba83b7b94" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix lock dependency warning with srcu\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.5.0-kfd-yangp #2289 Not tainted\n------------------------------------------------------\nkworker/0:2/996 is trying to acquire lock:\n (srcu){.+.+}-{0:0}, at: __synchronize_srcu+0x5/0x1a0\n\nbut task is already holding lock:\n ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}, at:\n\tprocess_one_work+0x211/0x560\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n svm_range_list_lock_and_flush_work+0x3d/0x110 [amdgpu]\n svm_range_set_attr+0xd6/0x14c0 [amdgpu]\n kfd_ioctl+0x1d1/0x630 [amdgpu]\n __x64_sys_ioctl+0x88/0xc0\n\n-> #2 (&info->lock#2){+.+.}-{3:3}:\n __mutex_lock+0x99/0xc70\n amdgpu_amdkfd_gpuvm_restore_process_bos+0x54/0x740 [amdgpu]\n restore_process_helper+0x22/0x80 [amdgpu]\n restore_process_worker+0x2d/0xa0 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\n-> #1 ((work_completion)(&(&process->restore_work)->work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n __cancel_work_timer+0x12c/0x1c0\n kfd_process_notifier_release_internal+0x37/0x1f0 [amdgpu]\n __mmu_notifier_release+0xad/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n do_exit+0x322/0xb90\n do_group_exit+0x37/0xa0\n __x64_sys_exit_group+0x18/0x20\n do_syscall_64+0x38/0x80\n\n-> #0 (srcu){.+.+}-{0:0}:\n __lock_acquire+0x1521/0x2510\n lock_sync+0x5f/0x90\n __synchronize_srcu+0x4f/0x1a0\n __mmu_notifier_release+0x128/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n svm_range_deferred_list_work+0x19f/0x350 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\nother info that might help us debug this:\nChain exists of:\n srcu --> &info->lock#2 --> (work_completion)(&svms->deferred_list_work)\n\nPossible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock((work_completion)(&svms->deferred_list_work));\n lock(&info->lock#2);\n\t\t\tlock((work_completion)(&svms->deferred_list_work));\n sync(srcu);", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52632" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52634", + "dataSource": "https://ubuntu.com/security/CVE-2023-52634", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52634" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52634", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52634", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ce156482a6fef349d2eba98e5070c412d3af662", + "https://git.kernel.org/stable/c/ce29728ef6485a367934cc100249c66dd3cde5b6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix disable_otg_wa logic\n\n[Why]\nWhen switching to another HDMI mode, we are unnecesarilly\ndisabling/enabling FIFO causing both HPO and DIG registers to be set at\nthe same time when only HPO is supposed to be set.\n\nThis can lead to a system hang the next time we change refresh rates as\nthere are cases when we don't disable OTG/FIFO but FIFO is enabled when\nit isn't supposed to be.\n\n[How]\nRemoving the enable/disable FIFO entirely.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52634" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52639", + "dataSource": "https://ubuntu.com/security/CVE-2023-52639", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52639" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52639", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52639", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/28bb27824f25f36e5f80229a358d66ee09244082", + "https://git.kernel.org/stable/c/5df3b81a567eb565029563f26f374ae3803a1dfc", + "https://git.kernel.org/stable/c/f5572c0323cf8b4f1f0618178648a25b8fb8a380", + "https://git.kernel.org/stable/c/fe752331d4b361d43cfd0b89534b4b2176057c32" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: vsie: fix race during shadow creation\n\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the\nfact that we add gmap->private == kvm after creation:\n\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n struct vsie_page *vsie_page)\n{\n[...]\n gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n if (IS_ERR(gmap))\n return PTR_ERR(gmap);\n gmap->private = vcpu->kvm;\n\nLet children inherit the private field of the parent.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52639" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52646", + "dataSource": "https://ubuntu.com/security/CVE-2023-52646", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52646" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52646", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52646", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/178993157e8c50aef7f35d7d6d3b44bb428199e1", + "https://git.kernel.org/stable/c/4326d0080f7e84fba775da41d158f46cf9d3f1c2", + "https://git.kernel.org/stable/c/808f1e4b5723ae4eda724d2ad6f6638905eefd95", + "https://git.kernel.org/stable/c/81e9d6f8647650a7bead74c5f926e29970e834d1", + "https://git.kernel.org/stable/c/af126acf01a12bdb04986fd26fc2eb3b40249e0d", + "https://git.kernel.org/stable/c/c261f798f7baa8080cf0214081d43d5f86bb073f", + "https://git.kernel.org/stable/c/d8dca1bfe9adcae38b35add64977818c0c13dd22" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naio: fix mremap after fork null-deref\n\nCommit e4a0d3e720e7 (\"aio: Make it possible to remap aio ring\") introduced\na null-deref if mremap is called on an old aio mapping after fork as\nmm->ioctx_table will be set to NULL.\n\n[jmoyer@redhat.com: fix 80 column issue]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52646" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52648", + "dataSource": "https://ubuntu.com/security/CVE-2023-52648", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52648" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52648", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52648", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a23f95af7f28dae7c0f7c82578ca5e1a239d461", + "https://git.kernel.org/stable/c/105f72cc48c4c93f4578fcc61e06276471858e92", + "https://git.kernel.org/stable/c/27571c64f1855881753e6f33c3186573afbab7ba", + "https://git.kernel.org/stable/c/75baad63c033b3b900d822bffbc96c9d3649bc75" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Unmap the surface before resetting it on a plane state\n\nSwitch to a new plane state requires unreferencing of all held surfaces.\nIn the work required for mob cursors the mapped surfaces started being\ncached but the variable indicating whether the surface is currently\nmapped was not being reset. This leads to crashes as the duplicated\nstate, incorrectly, indicates the that surface is mapped even when\nno surface is present. That's because after unreferencing the surface\nit's perfectly possible for the plane to be backed by a bo instead of a\nsurface.\n\nReset the surface mapped flag when unreferencing the plane state surface\nto fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland:\n\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920\nR10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000\nR13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00\nFS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\n drm_atomic_helper_cleanup_planes+0x9b/0xc0\n commit_tail+0xd1/0x130\n drm_atomic_helper_commit+0x11a/0x140\n drm_atomic_commit+0x97/0xd0\n ? __pfx___drm_printfn_info+0x10/0x10\n drm_atomic_helper_update_plane+0xf5/0x160\n drm_mode_cursor_universal+0x10e/0x270\n drm_mode_cursor_common+0x102/0x230\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n drm_ioctl_kernel+0xb2/0x110\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n ? __pfx_drm_ioctl+0x10/0x10\n vmw_generic_ioctl+0xa4/0x110 [vmwgfx]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x61/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? exc_page_fault+0x7f/0x180\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\nRIP: 0033:0x7f1e93f279ed\nCode: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f>\nRSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed\nRDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015\nRBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007\nR10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0\nR13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790\n \nModules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine>\nCR2: 0000000000000028\n---[ end trace 0000000000000000 ]---\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52648" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52653", + "dataSource": "https://ubuntu.com/security/CVE-2023-52653", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52653" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52653", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52653", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/47ac11db93e74ac49cd6c3fc69bcbc5964c4a8b4", + "https://git.kernel.org/stable/c/99044c01ed5329e73651c054d8a4baacdbb1a27c", + "https://git.kernel.org/stable/c/d111e30d9cd846bb368faf3637dc0f71fcbcf822", + "https://git.kernel.org/stable/c/e67b652d8e8591d3b1e569dbcdfcee15993e91fa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix a memleak in gss_import_v2_context\n\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\nwhich frees ctx on error.\n\nThus, this patch reform the last call of gss_import_v2_context to the\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\nformation.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52653" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52655", + "dataSource": "https://ubuntu.com/security/CVE-2023-52655", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52655" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52655", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52655", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ebf775f0541ae0d474836fa0cf3220e502f8e3e", + "https://git.kernel.org/stable/c/46412b2fb1f9cc895d6d4036bf24f640b5d86dab", + "https://git.kernel.org/stable/c/82c386d73689a45d5ee8c1290827bce64056dddd", + "https://git.kernel.org/stable/c/84f2e5b3e70f08fce3cb1ff73414631c5e490204", + "https://git.kernel.org/stable/c/ccab434e674ca95d483788b1895a70c21b7f016a", + "https://git.kernel.org/stable/c/d69581c17608d81824dd497d9a54b6a5b6139975" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: aqc111: check packet for fixup for true limit\n\nIf a device sends a packet that is inbetween 0\nand sizeof(u64) the value passed to skb_trim()\nas length will wrap around ending up as some very\nlarge value.\n\nThe driver will then proceed to parse the header\nlocated at that position, which will either oops or\nprocess some random value.\n\nThe fix is to check against sizeof(u64) rather than\n0, which the driver currently does. The issue exists\nsince the introduction of the driver.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52655" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52657", + "dataSource": "https://ubuntu.com/security/CVE-2023-52657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52657", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2e443ed55fe3ffb08327b331a9f45e9382413c94", + "https://git.kernel.org/stable/c/955558030954b9637b41c97b730f9b38c92ac488", + "https://git.kernel.org/stable/c/baac292852c0e347626fb5436916947188e5838f", + "https://git.kernel.org/stable/c/c51468ac328d3922747be55507c117e47da813e6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd/pm: resolve reboot exception for si oland\"\n\nThis reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86.\n\nThis causes hangs on SI when DC is enabled and errors on driver\nreboot and power off cycles.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52657" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52660", + "dataSource": "https://ubuntu.com/security/CVE-2023-52660", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52660" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52660", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52660", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/abd34206f396d3ae50cddbd5aa840b8cd7f68c63", + "https://git.kernel.org/stable/c/b39b4d207d4f236a74e20d291f6356f2231fd9ee", + "https://git.kernel.org/stable/c/edcf92bc66d8361c51dff953a55210e5cfd95587", + "https://git.kernel.org/stable/c/ffb635bb398fc07cb38f8a7b4a82cbe5f412f08e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ handling due to shared interrupts\n\nThe driver requests the interrupts as IRQF_SHARED, so the interrupt\nhandlers can be called at any time. If such a call happens while the ISP\nis powered down, the SoC will hang as the driver tries to access the\nISP registers.\n\nThis can be reproduced even without the platform sharing the IRQ line:\nEnable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will\nhang.\n\nFix this by adding a new field, 'irqs_enabled', which is used to bail\nout from the interrupt handler when the ISP is not operational.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52660" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52664", + "dataSource": "https://ubuntu.com/security/CVE-2023-52664", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52664" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52664", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52664", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0edb3ae8bfa31cd544b0c195bdec00e036002b5d", + "https://git.kernel.org/stable/c/b3cb7a830a24527877b0bc900b9bd74a96aea928", + "https://git.kernel.org/stable/c/c11a870a73a3bc4cc7df6dd877a45b181795fcbf", + "https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49cce285107a7a43c3030878d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: eliminate double free in error handling logic\n\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\n\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\n\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52664" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52666", + "dataSource": "https://ubuntu.com/security/CVE-2023-52666", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52666" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52666", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52666", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52666" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52667", + "dataSource": "https://ubuntu.com/security/CVE-2023-52667", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52667" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52667", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52667", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2897c981ee63e1be5e530b1042484626a10b26d8", + "https://git.kernel.org/stable/c/65a4ade8a6d205979292e88beeb6a626ddbd4779", + "https://git.kernel.org/stable/c/72a729868592752b5a294d27453da264106983b1", + "https://git.kernel.org/stable/c/aef855df7e1bbd5aa4484851561211500b22707e", + "https://git.kernel.org/stable/c/b2fa86b2aceb4bc9ada51cea90f61546d7512cbe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a potential double-free in fs_any_create_groups\n\nWhen kcalloc() for ft->g succeeds but kvzalloc() for in fails,\nfs_any_create_groups() will free ft->g. However, its caller\nfs_any_create_table() will free ft->g again through calling\nmlx5e_destroy_flow_table(), which will lead to a double-free.\nFix this by setting ft->g to NULL in fs_any_create_groups().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52667" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52669", + "dataSource": "https://ubuntu.com/security/CVE-2023-52669", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52669" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52669", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52669", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/a7f580cdb42ec3d53bbb7c4e4335a98423703285", + "https://git.kernel.org/stable/c/cd51e26a3b89706beec64f2d8296cfb1c34e0c79", + "https://git.kernel.org/stable/c/d07f951903fa9922c375b8ab1ce81b18a0034e3b", + "https://git.kernel.org/stable/c/d68ac38895e84446848b7647ab9458d54cacba3e", + "https://git.kernel.org/stable/c/dbc9a791a70ea47be9f2acf251700fe254a2ab23", + "https://git.kernel.org/stable/c/e78f1a43e72daf77705ad5b9946de66fc708b874", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: s390/aes - Fix buffer overread in CTR mode\n\nWhen processing the last block, the s390 ctr code will always read\na whole block, even if there isn't a whole block of data left. Fix\nthis by using the actual length left and copy it into a buffer first\nfor processing.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52669" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52670", + "dataSource": "https://ubuntu.com/security/CVE-2023-52670", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52670" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52670", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52670", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/229ce47cbfdc7d3a9415eb676abbfb77d676cb08", + "https://git.kernel.org/stable/c/2d27a7b19cb354c6d04bcdc9239e261ff29858d6", + "https://git.kernel.org/stable/c/4e6cef3fae5c164968118a13f3fe293700adc81a", + "https://git.kernel.org/stable/c/69ca89d80f2c8a1f5af429b955637beea7eead30", + "https://git.kernel.org/stable/c/9a416d624e5fb7246ea97c11fbfea7e0e27abf43", + "https://git.kernel.org/stable/c/d5362c37e1f8a40096452fc201c30e705750e687", + "https://git.kernel.org/stable/c/dd50fe18c234bd5ff22f658f4d414e8fa8cd6a5d", + "https://git.kernel.org/stable/c/f4bb1d5daf77b1a95a43277268adf0d1430c2346", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: virtio: Free driver_override when rpmsg_remove()\n\nFree driver_override when rpmsg_remove(), otherwise\nthe following memory leak will occur:\n\nunreferenced object 0xffff0000d55d7080 (size 128):\n comm \"kworker/u8:2\", pid 56, jiffies 4294893188 (age 214.272s)\n hex dump (first 32 bytes):\n 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\n [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\n [<00000000228a60c3>] kstrndup+0x4c/0x90\n [<0000000077158695>] driver_set_override+0xd0/0x164\n [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\n [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\n [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\n [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\n [<00000000443331cc>] really_probe+0xbc/0x2dc\n [<00000000391064b1>] __driver_probe_device+0x78/0xe0\n [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\n [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\n [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\n [<000000003b929a36>] __device_attach+0x9c/0x19c\n [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\n [<000000003c999637>] bus_probe_device+0xa0/0xac", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.6, + "exploitabilityScore": 0.7, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52670" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52671", + "dataSource": "https://ubuntu.com/security/CVE-2023-52671", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52671" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52671", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52671", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4b6b479b2da6badff099b2e3abf0248936eefbf5", + "https://git.kernel.org/stable/c/ae62f1dde66a6f0eee98defc4c7a346bd5acd239", + "https://git.kernel.org/stable/c/e7b2b108cdeab76a7e7324459e50b0c1214c0386" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix hang/underflow when transitioning to ODM4:1\n\n[Why]\nUnder some circumstances, disabling an OPTC and attempting to reclaim\nits OPP(s) for a different OPTC could cause a hang/underflow due to OPPs\nnot being properly disconnected from the disabled OPTC.\n\n[How]\nEnsure that all OPPs are unassigned from an OPTC when it gets disabled.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52671" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52672", + "dataSource": "https://ubuntu.com/security/CVE-2023-52672", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52672" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52672", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52672", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8", + "https://git.kernel.org/stable/c/3efbd114b91525bb095b8ae046382197d92126b9", + "https://git.kernel.org/stable/c/68e51bdb1194f11d3452525b99c98aff6f837b24", + "https://git.kernel.org/stable/c/6fb70694f8d1ac34e45246b0ac988f025e1e5b55", + "https://git.kernel.org/stable/c/b87a1229d8668fbc78ebd9ca0fc797a76001c60f", + "https://git.kernel.org/stable/c/e95aada4cb93d42e25c30a0ef9eb2923d9711d4a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npipe: wakeup wr_wait after setting max_usage\n\nCommit c73be61cede5 (\"pipe: Add general notification queue support\") a\nregression was introduced that would lock up resized pipes under certain\nconditions. See the reproducer in [1].\n\nThe commit resizing the pipe ring size was moved to a different\nfunction, doing that moved the wakeup for pipe->wr_wait before actually\nraising pipe->max_usage. If a pipe was full before the resize occured it\nwould result in the wakeup never actually triggering pipe_write.\n\nSet @max_usage and @nr_accounted before waking writers if this isn't a\nwatch queue.\n\n[Christian Brauner : rewrite to account for watch queues]", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52672" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52673", + "dataSource": "https://ubuntu.com/security/CVE-2023-52673", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52673" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52673", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52673", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/43235db21fc23559f50a62f8f273002eeb506f5a", + "https://git.kernel.org/stable/c/efb91fea652a42fcc037d2a9ef4ecd1ffc5ff4b7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a debugfs null pointer error\n\n[WHY & HOW]\nCheck whether get_subvp_en() callback exists before calling it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52673" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52674", + "dataSource": "https://ubuntu.com/security/CVE-2023-52674", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52674" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52674", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52674", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03035872e17897ba89866940bbc9cefca601e572", + "https://git.kernel.org/stable/c/04f8f053252b86c7583895c962d66747ecdc61b7", + "https://git.kernel.org/stable/c/ad945ea8d47dd4454c271510bea24850119847c2", + "https://git.kernel.org/stable/c/d8d8897d65061cbe36bf2909057338303a904810", + "https://git.kernel.org/stable/c/e517645ead5ea22c69d2a44694baa23fe1ce7c2b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()\n\nEnsure the value passed to scarlett2_mixer_ctl_put() is between 0 and\nSCARLETT2_MIXER_MAX_VALUE so we don't attempt to access outside\nscarlett2_mixer_values[].", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52674" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52675", + "dataSource": "https://ubuntu.com/security/CVE-2023-52675", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52675" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52675", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52675", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/024352f7928b28f53609660663329d8c0f4ad032", + "https://git.kernel.org/stable/c/0a233867a39078ebb0f575e2948593bbff5826b3", + "https://git.kernel.org/stable/c/1e80aa25d186a7aa212df5acd8c75f55ac8dae34", + "https://git.kernel.org/stable/c/5a669f3511d273c8c1ab1c1d268fbcdf53fc7a05", + "https://git.kernel.org/stable/c/75fc599bcdcb1de093c9ced2e3cccc832f3787f3", + "https://git.kernel.org/stable/c/a2da3f9b1a1019c887ee1d164475a8fcdb0a3fec", + "https://git.kernel.org/stable/c/c7d828e12b326ea50fb80c369d7aa87519ed14c6", + "https://git.kernel.org/stable/c/f105c263009839d80fad6998324a4e1b3511cba0", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52675" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52676", + "dataSource": "https://ubuntu.com/security/CVE-2023-52676", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52676" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52676", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52676", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760", + "https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2", + "https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Guard stack limits against 32bit overflow\n\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\n\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52676" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52677", + "dataSource": "https://ubuntu.com/security/CVE-2023-52677", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52677" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52677", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52677", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1d7a03052846f34d624d0ab41a879adf5e85c85f", + "https://git.kernel.org/stable/c/420370f3ae3d3b883813fd3051a38805160b2b9f", + "https://git.kernel.org/stable/c/890cfe5337e0aaf03ece1429db04d23c88da72e7", + "https://git.kernel.org/stable/c/8db56df4a954b774bdc68917046a685a9fa2e4bc", + "https://git.kernel.org/stable/c/938f70d14618ec72e10d6fcf8a546134136d7c13" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Check if the code to patch lies in the exit section\n\nOtherwise we fall through to vmalloc_to_page() which panics since the\naddress does not lie in the vmalloc region.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52677" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52679", + "dataSource": "https://ubuntu.com/security/CVE-2023-52679", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52679" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52679", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52679", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/26b4d702c44f9e5cf3c5c001ae619a4a001889db", + "https://git.kernel.org/stable/c/4541004084527ce9e95a818ebbc4e6b293ffca21", + "https://git.kernel.org/stable/c/4dde83569832f9377362e50f7748463340c5db6b", + "https://git.kernel.org/stable/c/a0a061151a6200c13149dbcdb6c065203c8425d2", + "https://git.kernel.org/stable/c/b64d09a4e8596f76d27f4b4a90a1cf6baf6a82f8", + "https://git.kernel.org/stable/c/b9d760dae5b10e73369b769073525acd7b3be2bd", + "https://git.kernel.org/stable/c/cafa992134124e785609a406da4ff2b54052aff7", + "https://git.kernel.org/stable/c/d5f490343c77e6708b6c4aa7dbbfbcbb9546adea", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: Fix double free in of_parse_phandle_with_args_map\n\nIn of_parse_phandle_with_args_map() the inner loop that\niterates through the map entries calls of_node_put(new)\nto free the reference acquired by the previous iteration\nof the inner loop. This assumes that the value of \"new\" is\nNULL on the first iteration of the inner loop.\n\nMake sure that this is true in all iterations of the outer\nloop by setting \"new\" to NULL after its value is assigned to \"cur\".\n\nExtend the unittest to detect the double free and add an additional\ntest case that actually triggers this path.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52679" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52680", + "dataSource": "https://ubuntu.com/security/CVE-2023-52680", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52680" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52680", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52680", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3a09488f4f67f7ade59b8ac62a6c7fb29439cf51", + "https://git.kernel.org/stable/c/50603a67daef161c78c814580d57f7f0be57167e", + "https://git.kernel.org/stable/c/773e38f73461ef2134a0d33a08f1668edde9b7c3", + "https://git.kernel.org/stable/c/821fbaeaaae23d483d3df799fe91ec8045973ec3", + "https://git.kernel.org/stable/c/cda7762bea857e6951315a2f7d0632ea1850ed43" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error checks to *_ctl_get()\n\nThe *_ctl_get() functions which call scarlett2_update_*() were not\nchecking the return value. Fix to check the return value and pass to\nthe caller.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52680" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52682", + "dataSource": "https://ubuntu.com/security/CVE-2023-52682", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52682" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52682", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52682", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4535be48780431753505e74e1b1ad4836a189bc2", + "https://git.kernel.org/stable/c/55fdc1c24a1d6229fe0ecf31335fb9a2eceaaa00", + "https://git.kernel.org/stable/c/9bfd5ea71521d0e522ba581c6ccc5db93759c0c3", + "https://git.kernel.org/stable/c/f904c156d8011d8291ffd5b6b398f3747e294986" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to wait on block writeback for post_read case\n\nIf inode is compressed, but not encrypted, it missed to call\nf2fs_wait_on_block_writeback() to wait for GCed page writeback\nin IPU write path.\n\nThread A\t\t\t\tGC-Thread\n\t\t\t\t\t- f2fs_gc\n\t\t\t\t\t - do_garbage_collect\n\t\t\t\t\t - gc_data_segment\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t - f2fs_submit_page_write\n\t\t\t\t\t migrate normal cluster's block via\n\t\t\t\t\t meta_inode's page cache\n- f2fs_write_single_data_page\n - f2fs_do_write_data_page\n - f2fs_inplace_write_data\n - f2fs_submit_page_bio\n\nIRQ\n- f2fs_read_end_io\n\t\t\t\t\tIRQ\n\t\t\t\t\told data overrides new data due to\n\t\t\t\t\tout-of-order GC and common IO.\n\t\t\t\t\t- f2fs_read_end_io", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52682" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52683", + "dataSource": "https://ubuntu.com/security/CVE-2023-52683", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52683" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52683", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52683", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/56d2eeda87995245300836ee4dbd13b002311782", + "https://git.kernel.org/stable/c/647d1d50c31e60ef9ccb9756a8fdf863329f7aee", + "https://git.kernel.org/stable/c/6c38e791bde07d6ca2a0a619ff9b6837e0d5f9ad", + "https://git.kernel.org/stable/c/72222dfd76a79d9666ab3117fcdd44ca8cd0c4de", + "https://git.kernel.org/stable/c/b7aab9d906e2e252a7783f872406033ec49b6dae", + "https://git.kernel.org/stable/c/c1814a4ffd016ce5392c6767d22ef3aa2f0d4bd1", + "https://git.kernel.org/stable/c/d1ac288b2742aa4af746c5613bac71760fadd1c4", + "https://git.kernel.org/stable/c/f39c3d578c7d09a18ceaf56750fc7f20b02ada63", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: LPIT: Avoid u32 multiplication overflow\n\nIn lpit_update_residency() there is a possibility of overflow\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\n\nChange multiplication to mul_u32_u32().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52683" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52685", + "dataSource": "https://ubuntu.com/security/CVE-2023-52685", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52685" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52685", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52685", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52685" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52686", + "dataSource": "https://ubuntu.com/security/CVE-2023-52686", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52686" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52686", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52686", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8422d179cf46889c15ceff9ede48c5bfa4e7f0b4", + "https://git.kernel.org/stable/c/8649829a1dd25199bbf557b2621cedb4bf9b3050", + "https://git.kernel.org/stable/c/9a523e1da6d88c2034f946adfa4f74b236c95ca9", + "https://git.kernel.org/stable/c/a14c55eb461d630b836f80591d8caf1f74e62877", + "https://git.kernel.org/stable/c/c0b111ea786ddcc8be0682612830796ece9436c7", + "https://git.kernel.org/stable/c/e08c2e275fa1874de945b87093f925997722ee42", + "https://git.kernel.org/stable/c/e6ad05e3ae9c84c5a71d7bb2d44dc845ae7990cf", + "https://git.kernel.org/stable/c/e93d7cf4c1ddbcd846739e7ad849f955a4f18031", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_event_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52686" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52690", + "dataSource": "https://ubuntu.com/security/CVE-2023-52690", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52690" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52690", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52690", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1eefa93faf69188540b08b024794fa90b1d82e8b", + "https://git.kernel.org/stable/c/2a82c4439b903639e0a1f21990cd399fb0a49c19", + "https://git.kernel.org/stable/c/9a260f2dd827bbc82cc60eb4f4d8c22707d80742", + "https://git.kernel.org/stable/c/a9c05cbb6644a2103c75b6906e9dafb9981ebd13", + "https://git.kernel.org/stable/c/dd8422ff271c22058560832fc3006324ded895a9", + "https://git.kernel.org/stable/c/ed8d023cfa97b559db58c0e1afdd2eec7a83d8f2", + "https://git.kernel.org/stable/c/f84c1446daa552e9699da8d1f8375eac0f65edc7", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.\nAdd a null pointer check, and release 'ent' to avoid memory leaks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52690" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52691", + "dataSource": "https://ubuntu.com/security/CVE-2023-52691", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52691" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52691", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52691", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06d95c99d5a4f5accdb79464076efe62e668c706", + "https://git.kernel.org/stable/c/2bf47c89bbaca2bae16581ef1b28aaec0ade0334", + "https://git.kernel.org/stable/c/ac16667237a82e2597e329eb9bc520d1cf9dff30", + "https://git.kernel.org/stable/c/aeed2b4e4a70c7568d4a5eecd6a109713c0dfbf4", + "https://git.kernel.org/stable/c/afe9f5b871f86d58ecdc45b217b662227d7890d0", + "https://git.kernel.org/stable/c/ca8e2e251c65e5a712f6025e27bd9b26d16e6f4a", + "https://git.kernel.org/stable/c/f957a1be647f7fc65926cbf572992ec2747a93f2", + "https://git.kernel.org/stable/c/fb1936cb587262cd539e84b34541abb06e42b2f9", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix a double-free in si_dpm_init\n\nWhen the allocation of\nadev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,\namdgpu_free_extended_power_table is called to free some fields of adev.\nHowever, when the control flow returns to si_dpm_sw_init, it goes to\nlabel dpm_failed and calls si_dpm_fini, which calls\namdgpu_free_extended_power_table again and free those fields again. Thus\na double-free is triggered.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52691" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52692", + "dataSource": "https://ubuntu.com/security/CVE-2023-52692", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52692" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52692", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52692", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/145c5aa51486171025ab47f35cff34bff8d0cea3", + "https://git.kernel.org/stable/c/51d5697e1c0380d482c3eab002bfc8d0be177e99", + "https://git.kernel.org/stable/c/996fde492ad9b9563ee483b363af40d7696a8467", + "https://git.kernel.org/stable/c/be96acd3eaa790d10a5b33e65267f52d02f6ad88", + "https://git.kernel.org/stable/c/ca459dfa7d4ed9098fcf13e410963be6ae9b6bf3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()\n\nscarlett2_usb_set_config() calls scarlett2_usb_get() but was not\nchecking the result. Return the error if it fails rather than\ncontinuing with an invalid value.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52692" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52693", + "dataSource": "https://ubuntu.com/security/CVE-2023-52693", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52693" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52693", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52693", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e3a2b9b4039bb4d136dca59fb31e06465e056f3", + "https://git.kernel.org/stable/c/2124c5bc22948fc4d09a23db4a8acdccc7d21e95", + "https://git.kernel.org/stable/c/39af144b6d01d9b40f52e5d773e653957e6c379c", + "https://git.kernel.org/stable/c/3a370502a5681986f9828e43be75ce26c6ab24af", + "https://git.kernel.org/stable/c/556f02699d33c1f40b1b31bd25828ce08fa165d8", + "https://git.kernel.org/stable/c/72884ce4e10417b1233b614bf134da852df0f15f", + "https://git.kernel.org/stable/c/c4e1a0ef0b4782854c9b77a333ca912b392bed2f", + "https://git.kernel.org/stable/c/ccd45faf4973746c4f30ea41eec864e5cf191099", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: check for error while searching for backlight device parent\n\nIf acpi_get_parent() called in acpi_video_dev_register_backlight()\nfails, for example, because acpi_ut_acquire_mutex() fails inside\nacpi_get_parent), this can lead to incorrect (uninitialized)\nacpi_parent handle being passed to acpi_get_pci_dev() for detecting\nthe parent pci device.\n\nCheck acpi_get_parent() result and set parent device only in case of success.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52693" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52694", + "dataSource": "https://ubuntu.com/security/CVE-2023-52694", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52694" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52694", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52694", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08ccff6ece35f08e8107e975903c370d849089e5", + "https://git.kernel.org/stable/c/53926e2a39629702f7f809d614b3ca89c2478205", + "https://git.kernel.org/stable/c/81f1bd85960b7a089a91e679ff7cd2524390bbf1", + "https://git.kernel.org/stable/c/a8657406e12aa10412134622c58977ac657f16d2", + "https://git.kernel.org/stable/c/ce3e112e7ae854249d8755906acc5f27e1542114", + "https://git.kernel.org/stable/c/e00ec5901954d85b39b5f10f94e60ab9af463eb1", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\n\nWith tpd12s015_remove() marked with __exit this function is discarded\nwhen the driver is compiled as a built-in. The result is that when the\ndriver unbinds there is no cleanup done which results in resource\nleakage or worse.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52694" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52696", + "dataSource": "https://ubuntu.com/security/CVE-2023-52696", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52696" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52696", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52696", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/69f95c5e9220f77ce7c540686b056c2b49e9a664", + "https://git.kernel.org/stable/c/6b58d16037217d0c64a2a09b655f370403ec7219", + "https://git.kernel.org/stable/c/9da4a56dd3772570512ca58aa8832b052ae910dc", + "https://git.kernel.org/stable/c/a67a04ad05acb56640798625e73fa54d6d41cce1", + "https://git.kernel.org/stable/c/b02ecc35d01a76b4235e008d2dd292895b28ecab", + "https://git.kernel.org/stable/c/e123015c0ba859cf48aa7f89c5016cc6e98e018d", + "https://git.kernel.org/stable/c/f152a6bfd187f67afeffc9fd68cbe46f51439be0", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_powercap_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52696" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52698", + "dataSource": "https://ubuntu.com/security/CVE-2023-52698", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52698" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52698", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52698", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/321b3a5592c8a9d6b654c7c64833ea67dbb33149", + "https://git.kernel.org/stable/c/36e19f84634aaa94f543fedc0a07588949638d53", + "https://git.kernel.org/stable/c/408bbd1e1746fe33e51f4c81c2febd7d3841d031", + "https://git.kernel.org/stable/c/44a88650ba55e6a7f2ec485d2c2413ba7e216f01", + "https://git.kernel.org/stable/c/9a8f811a146aa2a0230f8edb2e9f4b6609aab8da", + "https://git.kernel.org/stable/c/a4529a08d3704c17ea9c7277d180e46b99250ded", + "https://git.kernel.org/stable/c/ec4e9d630a64df500641892f4e259e8149594a99", + "https://git.kernel.org/stable/c/f14d36e6e97fe935a20e0ceb159c100f90b6627c", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncalipso: fix memory leak in netlbl_calipso_add_pass()\n\nIf IPv6 support is disabled at boot (ipv6.disable=1),\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\nand the netlbl_calipso_ops_get() function always returns NULL.\nIn this case, the netlbl_calipso_add_pass() function allocates memory\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\n\nBUG: memory leak\nunreferenced object 0xffff888011d68180 (size 64):\n comm \"syz-executor.1\", pid 10746, jiffies 4295410986 (age 17.928s)\n hex dump (first 32 bytes):\n 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<...>] kmalloc include/linux/slab.h:552 [inline]\n [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\n [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\n [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\n [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\n [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\n [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\n [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\n [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\n [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\n [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\n [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller\n\n[PM: merged via the LSM tree at Jakub Kicinski request]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52698" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52699", + "dataSource": "https://ubuntu.com/security/CVE-2023-52699", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52699" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52699", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52699", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13b33feb2ebddc2b1aa607f553566b18a4af1d76", + "https://git.kernel.org/stable/c/1b4fe801b5bedec2b622ddb18e5c9bf26c63d79f", + "https://git.kernel.org/stable/c/53cb1e52c9db618c08335984d1ca80db220ccf09", + "https://git.kernel.org/stable/c/674c1c4229e743070e09db63a23442950ff000d1", + "https://git.kernel.org/stable/c/89e8524135a3902e7563a5a59b7b5ec1bf4904ac", + "https://git.kernel.org/stable/c/a69224223746ab96d43e5db9d22d136827b7e2d3", + "https://git.kernel.org/stable/c/f123dc86388cb669c3d6322702dc441abc35c31e", + "https://git.kernel.org/stable/c/fd203d2c671bdee9ab77090ff394d3b71b627927", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysv: don't call sb_bread() with pointers_lock held\n\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\nsb_bread() is called with rw_spinlock held.\n\nA \"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\" bug\nand a \"sb_bread() with write_lock(&pointers_lock)\" bug were introduced by\n\"Replace BKL for chain locking with sysvfs-private rwlock\" in Linux 2.5.12.\n\nThen, \"[PATCH] err1-40: sysvfs locking fix\" in Linux 2.6.8 fixed the\nformer bug by moving pointers_lock lock to the callers, but instead\nintroduced a \"sb_bread() with read_lock(&pointers_lock)\" bug (which made\nthis problem easier to hit).\n\nAl Viro suggested that why not to do like get_branch()/get_block()/\nfind_shared() in Minix filesystem does. And doing like that is almost a\nrevert of \"[PATCH] err1-40: sysvfs locking fix\" except that get_branch()\n from with find_shared() is called without write_lock(&pointers_lock).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2023-52699" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52700", + "dataSource": "https://ubuntu.com/security/CVE-2023-52700", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52700" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52700", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52700", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/11a4d6f67cf55883dc78e31c247d1903ed7feccc", + "https://git.kernel.org/stable/c/54b6082aec178f16ad6d193b4ecdc9c4823d9a32" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix kernel warning when sending SYN message\n\nWhen sending a SYN message, this kernel stack trace is observed:\n\n...\n[ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550\n...\n[ 13.398494] Call Trace:\n[ 13.398630] \n[ 13.398630] ? __alloc_skb+0xed/0x1a0\n[ 13.398630] tipc_msg_build+0x12c/0x670 [tipc]\n[ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290\n[ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc]\n[ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc]\n[ 13.398630] ? __local_bh_enable_ip+0x37/0x80\n[ 13.398630] tipc_connect+0x1d9/0x230 [tipc]\n[ 13.398630] ? __sys_connect+0x9f/0xd0\n[ 13.398630] __sys_connect+0x9f/0xd0\n[ 13.398630] ? preempt_count_add+0x4d/0xa0\n[ 13.398630] ? fpregs_assert_state_consistent+0x22/0x50\n[ 13.398630] __x64_sys_connect+0x16/0x20\n[ 13.398630] do_syscall_64+0x42/0x90\n[ 13.398630] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIt is because commit a41dad905e5a (\"iov_iter: saner checks for attempt\nto copy to/from iterator\") has introduced sanity check for copying\nfrom/to iov iterator. Lacking of copy direction from the iterator\nviewpoint would lead to kernel stack trace like above.\n\nThis commit fixes this issue by initializing the iov iterator with\nthe correct copy direction when sending SYN or ACK without data.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52700" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52701", + "dataSource": "https://ubuntu.com/security/CVE-2023-52701", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52701" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52701", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52701", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2558b8039d059342197610498c8749ad294adee5", + "https://git.kernel.org/stable/c/863a7de987f02a901bf215509276a7de0370e0f9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use a bounce buffer for copying skb->mark\n\nsyzbot found arm64 builds would crash in sock_recv_mark()\nwhen CONFIG_HARDENED_USERCOPY=y\n\nx86 and powerpc are not detecting the issue because\nthey define user_access_begin.\nThis will be handled in a different patch,\nbecause a check_object_size() is missing.\n\nOnly data from skb->cb[] can be copied directly to/from user space,\nas explained in commit 79a8a642bf05 (\"net: Whitelist\nthe skbuff_head_cache \"cb\" field\")\n\nsyzbot report was:\nusercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)!\n------------[ cut here ]------------\nkernel BUG at mm/usercopy.c:102 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : usercopy_abort+0x90/0x94 mm/usercopy.c:90\nlr : usercopy_abort+0x90/0x94 mm/usercopy.c:90\nsp : ffff80000fb9b9a0\nx29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00\nx26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000\nx23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8\nx20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000\nx17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118\nx14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400\nx11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00\nx8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c\nCall trace:\nusercopy_abort+0x90/0x94 mm/usercopy.c:90\n__check_heap_object+0xa8/0x100 mm/slub.c:4761\ncheck_heap_object mm/usercopy.c:196 [inline]\n__check_object_size+0x208/0x6b8 mm/usercopy.c:251\ncheck_object_size include/linux/thread_info.h:199 [inline]\n__copy_to_user include/linux/uaccess.h:115 [inline]\nput_cmsg+0x408/0x464 net/core/scm.c:238\nsock_recv_mark net/socket.c:975 [inline]\n__sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984\nsock_recv_cmsgs include/net/sock.h:2728 [inline]\npacket_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482\n____sys_recvmsg+0x110/0x3a0\n___sys_recvmsg net/socket.c:2737 [inline]\n__sys_recvmsg+0x194/0x210 net/socket.c:2767\n__do_sys_recvmsg net/socket.c:2777 [inline]\n__se_sys_recvmsg net/socket.c:2774 [inline]\n__arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774\n__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\ninvoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52\nel0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142\ndo_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193\nel0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637\nel0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591\nCode: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52701" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52702", + "dataSource": "https://ubuntu.com/security/CVE-2023-52702", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52702" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52702", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52702", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1563e998a938f095548054ef09e277b562b79536", + "https://git.kernel.org/stable/c/2fa28f5c6fcbfc794340684f36d2581b4f2d20b5", + "https://git.kernel.org/stable/c/c0f65ee0a3329eb4b94beaef0268633696e2d0c6", + "https://git.kernel.org/stable/c/e336a9e08618203a456fb5367f1387b14554f55e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix possible memory leak in ovs_meter_cmd_set()\n\nold_meter needs to be free after it is detached regardless of whether\nthe new meter is successfully attached.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52702" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52703", + "dataSource": "https://ubuntu.com/security/CVE-2023-52703", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52703" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52703", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52703", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02df3170c04a8356cd571ab9155a42f030190abc", + "https://git.kernel.org/stable/c/1b5de7d44890b78519acbcc80d8d1f23ff2872e5", + "https://git.kernel.org/stable/c/338f826d3afead6e4df521f7972a4bef04a72efb", + "https://git.kernel.org/stable/c/525bdcb0838d19d918c7786151ee14661967a030", + "https://git.kernel.org/stable/c/723ef7b66f37c0841f5a451ccbce47ee1641e081", + "https://git.kernel.org/stable/c/a753352622b4f3c0219e0e9c73114b2848ae6042", + "https://git.kernel.org/stable/c/c68f345b7c425b38656e1791a0486769a8797016" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/usb: kalmia: Don't pass act_len in usb_bulk_msg error path\n\nsyzbot reported that act_len in kalmia_send_init_packet() is\nuninitialized when passing it to the first usb_bulk_msg error path. Jiri\nPirko noted that it's pointless to pass it in the error path, and that\nthe value that would be printed in the second error path would be the\nvalue of act_len from the first call to usb_bulk_msg.[1]\n\nWith this in mind, let's just not pass act_len to the usb_bulk_msg error\npaths.\n\n1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52703" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52705", + "dataSource": "https://ubuntu.com/security/CVE-2023-52705", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52705" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52705", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52705", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ee5ed0126a2211f7174492da2ca2c29f43755c5", + "https://git.kernel.org/stable/c/2f7a1135b202977b82457adde7db6c390056863b", + "https://git.kernel.org/stable/c/52844d8382cd9166d708032def8905ffc3ae550f", + "https://git.kernel.org/stable/c/99b9402a36f0799f25feee4465bfa4b8dfa74b4d", + "https://git.kernel.org/stable/c/a158782b56b070485d54d25fc9aaf2c8f3752205", + "https://git.kernel.org/stable/c/a8ef5109f93cea9933bbac0455d8c18757b3fcb4", + "https://git.kernel.org/stable/c/b96591e2c35c8b47db0ec816b5fc6cb8868000ff" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix underflow in second superblock position calculations\n\nMacro NILFS_SB2_OFFSET_BYTES, which computes the position of the second\nsuperblock, underflows when the argument device size is less than 4096\nbytes. Therefore, when using this macro, it is necessary to check in\nadvance that the device size is not less than a lower limit, or at least\nthat underflow does not occur.\n\nThe current nilfs2 implementation lacks this check, causing out-of-bound\nblock access when mounting devices smaller than 4096 bytes:\n\n I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0\n phys_seg 1 prio class 2\n NILFS (loop0): unable to read secondary superblock (blocksize = 1024)\n\nIn addition, when trying to resize the filesystem to a size below 4096\nbytes, this underflow occurs in nilfs_resize_fs(), passing a huge number\nof segments to nilfs_sufile_resize(), corrupting parameters such as the\nnumber of segments in superblocks. This causes excessive loop iterations\nin nilfs_sufile_resize() during a subsequent resize ioctl, causing\nsemaphore ns_segctor_sem to block for a long time and hang the writer\nthread:\n\n INFO: task segctord:5067 blocked for more than 143 seconds.\n Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:segctord state:D stack:23456 pid:5067 ppid:2\n flags:0x00004000\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x1409/0x43f0 kernel/sched/core.c:6606\n schedule+0xc3/0x190 kernel/sched/core.c:6682\n rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190\n nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357\n nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]\n nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570\n kthread+0x270/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n ...\n Call Trace:\n \n folio_mark_accessed+0x51c/0xf00 mm/swap.c:515\n __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]\n nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61\n nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121\n nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176\n nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251\n nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]\n nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]\n nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777\n nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422\n nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]\n nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301\n ...\n\nThis fixes these issues by inserting appropriate minimum device size\nchecks or anti-underflow checks, depending on where the macro is used.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52705" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52707", + "dataSource": "https://ubuntu.com/security/CVE-2023-52707", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52707" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52707", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52707", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7caeb5457bd01ccba0df1d6f4872f20d28e50b38", + "https://git.kernel.org/stable/c/c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe", + "https://git.kernel.org/stable/c/c6879a4dcefe92d870ab68cabaa9caeda4f2af5a", + "https://git.kernel.org/stable/c/cca2b3feb70170ef6f0fbc4b4d91eea235a2b73a", + "https://git.kernel.org/stable/c/ec9c7aa08819f976b2492fa63c41b5712d2924b5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: Fix use-after-free in ep_remove_wait_queue()\n\nIf a non-root cgroup gets removed when there is a thread that registered\ntrigger and is polling on a pressure file within the cgroup, the polling\nwaitqueue gets freed in the following path:\n\n do_rmdir\n cgroup_rmdir\n kernfs_drain_open_files\n cgroup_file_release\n cgroup_pressure_release\n psi_trigger_destroy\n\nHowever, the polling thread still has a reference to the pressure file and\nwill access the freed waitqueue when the file is closed or upon exit:\n\n fput\n ep_eventpoll_release\n ep_free\n ep_remove_wait_queue\n remove_wait_queue\n\nThis results in use-after-free as pasted below.\n\nThe fundamental problem here is that cgroup_file_release() (and\nconsequently waitqueue's lifetime) is not tied to the file's real lifetime.\nUsing wake_up_pollfree() here might be less than ideal, but it is in line\nwith the comment at commit 42288cb44c4b (\"wait: add wake_up_pollfree()\")\nsince the waitqueue's lifetime is not tied to file's one and can be\nconsidered as another special case. While this would be fixable by somehow\nmaking cgroup_file_release() be tied to the fput(), it would require\nsizable refactoring at cgroups or higher layer which might be more\njustifiable if we identify more cases like this.\n\n BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0\n Write of size 4 at addr ffff88810e625328 by task a.out/4404\n\n\tCPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38\n\tHardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017\n\tCall Trace:\n\t\n\tdump_stack_lvl+0x73/0xa0\n\tprint_report+0x16c/0x4e0\n\tkasan_report+0xc3/0xf0\n\tkasan_check_range+0x2d2/0x310\n\t_raw_spin_lock_irqsave+0x60/0xc0\n\tremove_wait_queue+0x1a/0xa0\n\tep_free+0x12c/0x170\n\tep_eventpoll_release+0x26/0x30\n\t__fput+0x202/0x400\n\ttask_work_run+0x11d/0x170\n\tdo_exit+0x495/0x1130\n\tdo_group_exit+0x100/0x100\n\tget_signal+0xd67/0xde0\n\tarch_do_signal_or_restart+0x2a/0x2b0\n\texit_to_user_mode_prepare+0x94/0x100\n\tsyscall_exit_to_user_mode+0x20/0x40\n\tdo_syscall_64+0x52/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\t\n\n Allocated by task 4404:\n\n\tkasan_set_track+0x3d/0x60\n\t__kasan_kmalloc+0x85/0x90\n\tpsi_trigger_create+0x113/0x3e0\n\tpressure_write+0x146/0x2e0\n\tcgroup_file_write+0x11c/0x250\n\tkernfs_fop_write_iter+0x186/0x220\n\tvfs_write+0x3d8/0x5c0\n\tksys_write+0x90/0x110\n\tdo_syscall_64+0x43/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n Freed by task 4407:\n\n\tkasan_set_track+0x3d/0x60\n\tkasan_save_free_info+0x27/0x40\n\t____kasan_slab_free+0x11d/0x170\n\tslab_free_freelist_hook+0x87/0x150\n\t__kmem_cache_free+0xcb/0x180\n\tpsi_trigger_destroy+0x2e8/0x310\n\tcgroup_file_release+0x4f/0xb0\n\tkernfs_drain_open_files+0x165/0x1f0\n\tkernfs_drain+0x162/0x1a0\n\t__kernfs_remove+0x1fb/0x310\n\tkernfs_remove_by_name_ns+0x95/0xe0\n\tcgroup_addrm_files+0x67f/0x700\n\tcgroup_destroy_locked+0x283/0x3c0\n\tcgroup_rmdir+0x29/0x100\n\tkernfs_iop_rmdir+0xd1/0x140\n\tvfs_rmdir+0xfe/0x240\n\tdo_rmdir+0x13d/0x280\n\t__x64_sys_rmdir+0x2c/0x30\n\tdo_syscall_64+0x43/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52707" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52708", + "dataSource": "https://ubuntu.com/security/CVE-2023-52708", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52708" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52708", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52708", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0b3edcb24bd81b3b2e3dac89f4733bfd47d283be", + "https://git.kernel.org/stable/c/82645bf4ed02abe930a659c5fe16d593a6dbd93f", + "https://git.kernel.org/stable/c/cf4c9d2ac1e42c7d18b921bec39486896645b714", + "https://git.kernel.org/stable/c/e9b488d60f51ae312006e224e03a30a151c28bdd", + "https://git.kernel.org/stable/c/ecad2fafd424ffdc203b2748ded0b37e4bbecef3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmc_spi: fix error handling in mmc_spi_probe()\n\nIf mmc_add_host() fails, it doesn't need to call mmc_remove_host(),\nor it will cause null-ptr-deref, because of deleting a not added\ndevice in mmc_remove_host().\n\nTo fix this, goto label 'fail_glue_init', if mmc_add_host() fails,\nand change the label 'fail_add_host' to 'fail_gpiod_request'.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52708" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52730", + "dataSource": "https://ubuntu.com/security/CVE-2023-52730", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52730" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52730", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52730", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e06cf04239e202248c8fa356bf11449dc73cfbd", + "https://git.kernel.org/stable/c/30716d9f0fa1766e522cf24c8a456244e4fc9931", + "https://git.kernel.org/stable/c/5c7858adada31dbed042448cff6997dd6efc472a", + "https://git.kernel.org/stable/c/605d9fb9556f8f5fb4566f4df1480f280f308ded", + "https://git.kernel.org/stable/c/761db46b29b496946046d8cb33c7ea6de6bef36e", + "https://git.kernel.org/stable/c/92ff03c2563c9b57a027c744750f3b7d2f261c58", + "https://git.kernel.org/stable/c/f855d31bb38d663c3ba672345d7cce9324ba3b72" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdio: fix possible resource leaks in some error paths\n\nIf sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can\nnot release the resources, because the sdio function is not presented\nin these two cases, it won't call of_node_put() or put_device().\n\nTo fix these leaks, make sdio_func_present() only control whether\ndevice_del() needs to be called or not, then always call of_node_put()\nand put_device().\n\nIn error case in sdio_init_func(), the reference of 'card->dev' is\nnot get, to avoid redundant put in sdio_free_func_cis(), move the\nget_device() to sdio_alloc_func() and put_device() to sdio_release_func(),\nit can keep the get/put function be balanced.\n\nWithout this patch, while doing fault inject test, it can get the\nfollowing leak reports, after this fix, the leak is gone.\n\nunreferenced object 0xffff888112514000 (size 2048):\n comm \"kworker/3:2\", pid 65, jiffies 4294741614 (age 124.774s)\n hex dump (first 32 bytes):\n 00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X......\n 10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q.....\n backtrace:\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\n [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]\n [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]\n [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\n\nunreferenced object 0xffff888112511000 (size 2048):\n comm \"kworker/3:2\", pid 65, jiffies 4294741623 (age 124.766s)\n hex dump (first 32 bytes):\n 00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X......\n 10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q.....\n backtrace:\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\n [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]\n [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52730" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52732", + "dataSource": "https://ubuntu.com/security/CVE-2023-52732", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52732" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52732", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52732", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/66ec619e4591f8350f99c5269a7ce160cccc7a7c", + "https://git.kernel.org/stable/c/a68e564adcaa69b0930809fb64d9d5f7d9c32ba9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: blocklist the kclient when receiving corrupted snap trace\n\nWhen received corrupted snap trace we don't know what exactly has\nhappened in MDS side. And we shouldn't continue IOs and metadatas\naccess to MDS, which may corrupt or get incorrect contents.\n\nThis patch will just block all the further IO/MDS requests\nimmediately and then evict the kclient itself.\n\nThe reason why we still need to evict the kclient just after\nblocking all the further IOs is that the MDS could revoke the caps\nfaster.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52732" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52733", + "dataSource": "https://ubuntu.com/security/CVE-2023-52733", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52733" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52733", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52733", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/16409f7d9ca5bb8220e1049ea9aae0d3c94d2dfb", + "https://git.kernel.org/stable/c/55dbd6f4ea954751340f4f73d5dcd7c8f12208b2", + "https://git.kernel.org/stable/c/7ab41c2c08a32132ba8c14624910e2fe8ce4ba4b", + "https://git.kernel.org/stable/c/9ed522143f959630f8b7782ddc212900d8f609a9", + "https://git.kernel.org/stable/c/f1eb22d0ff064ad458b3b1a1eaa84ac3996206c2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/decompressor: specify __decompress() buf len to avoid overflow\n\nHistorically calls to __decompress() didn't specify \"out_len\" parameter\non many architectures including s390, expecting that no writes beyond\nuncompressed kernel image are performed. This has changed since commit\n2aa14b1ab2c4 (\"zstd: import usptream v1.5.2\") which includes zstd library\ncommit 6a7ede3dfccb (\"Reduce size of dctx by reutilizing dst buffer\n(#2751)\"). Now zstd decompression code might store literal buffer in\nthe unwritten portion of the destination buffer. Since \"out_len\" is\nnot set, it is considered to be unlimited and hence free to use for\noptimization needs. On s390 this might corrupt initrd or ipl report\nwhich are often placed right after the decompressor buffer. Luckily the\nsize of uncompressed kernel image is already known to the decompressor,\nso to avoid the problem simply specify it in the \"out_len\" parameter.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52733" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52734", + "dataSource": "https://ubuntu.com/security/CVE-2023-52734", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52734" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52734", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52734", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52734" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52735", + "dataSource": "https://ubuntu.com/security/CVE-2023-52735", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52735" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52735", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52735", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/5b4a79ba65a1ab479903fff2e604865d229b70a9", + "https://git.kernel.org/stable/c/7499859881488da97589f3c79cc66fa75748ad49", + "https://git.kernel.org/stable/c/f312367f5246e04df564d341044286e9e37a97ba" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself\n\nsock_map proto callbacks should never call themselves by design. Protect\nagainst bugs like [1] and break out of the recursive loop to avoid a stack\noverflow in favor of a resource leak.\n\n[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52735" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52736", + "dataSource": "https://ubuntu.com/security/CVE-2023-52736", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52736" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52736", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52736", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/427ca2530da8dc61a42620d7113b05e187b6c2c0", + "https://git.kernel.org/stable/c/7fc4e7191eae9d9325511e03deadfdb2224914f8", + "https://git.kernel.org/stable/c/87978e6ad45a16835cc58234451111091be3c59a", + "https://git.kernel.org/stable/c/e909f5f2aa55a8f9aa6919cce08015cb0e8d4668" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Do not unset preset when cleaning up codec\n\nSeveral functions that take part in codec's initialization and removal\nare re-used by ASoC codec drivers implementations. Drivers mimic the\nbehavior of hda_codec_driver_probe/remove() found in\nsound/pci/hda/hda_bind.c with their component->probe/remove() instead.\n\nOne of the reasons for that is the expectation of\nsnd_hda_codec_device_new() to receive a valid pointer to an instance of\nstruct snd_card. This expectation can be met only once sound card\ncomponents probing commences.\n\nAs ASoC sound card may be unbound without codec device being actually\nremoved from the system, unsetting ->preset in\nsnd_hda_codec_cleanup_for_unbind() interferes with module unload -> load\nscenario causing null-ptr-deref. Preset is assigned only once, during\ndevice/driver matching whereas ASoC codec driver's module reloading may\noccur several times throughout the lifetime of an audio stack.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52736" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52737", + "dataSource": "https://ubuntu.com/security/CVE-2023-52737", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52737" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52737", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52737", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/519b7e13b5ae8dd38da1e52275705343be6bb508", + "https://git.kernel.org/stable/c/d8c594da79bc0244e610a70594e824a401802be1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: lock the inode in shared mode before starting fiemap\n\nCurrently fiemap does not take the inode's lock (VFS lock), it only locks\na file range in the inode's io tree. This however can lead to a deadlock\nif we have a concurrent fsync on the file and fiemap code triggers a fault\nwhen accessing the user space buffer with fiemap_fill_next_extent(). The\ndeadlock happens on the inode's i_mmap_lock semaphore, which is taken both\nby fsync and btrfs_page_mkwrite(). This deadlock was recently reported by\nsyzbot and triggers a trace like the following:\n\n task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\n schedule+0xcb/0x190 kernel/sched/core.c:6682\n wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]\n wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751\n lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742\n find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488\n writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863\n __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174\n extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091\n extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211\n do_writepages+0x3c3/0x680 mm/page-writeback.c:2581\n filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388\n __filemap_fdatawrite_range mm/filemap.c:421 [inline]\n filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439\n btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline]\n start_ordered_ops fs/btrfs/file.c:1737 [inline]\n btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839\n generic_write_sync include/linux/fs.h:2885 [inline]\n btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684\n call_write_iter include/linux/fs.h:2189 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x7f7d4054e9b9\n RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9\n RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006\n RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69\n R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8\n \n INFO: task syz-executor361:5697 blocked for more than 145 seconds.\n Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\n schedule+0xcb/0x190 kernel/sched/core.c:6682\n rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095\n __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260\n btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526\n do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947\n wp_page_shared+0x15e/0x380 mm/memory.c:3295\n handle_pte_fault mm/memory.c:4949 [inline]\n __handle_mm_fault mm/memory.c:5073 [inline]\n handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219\n do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428\n handle_page_fault arch/x86/mm/fault.c:1519 [inline]\n exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575\n asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570\n RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233\n Code: 74 0a 89 (...)\n RSP: 0018:ffffc9000570f330 EFLAGS: 000502\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52737" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52738", + "dataSource": "https://ubuntu.com/security/CVE-2023-52738", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52738" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52738", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52738", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2bcbbef9cace772f5b7128b11401c515982de34b", + "https://git.kernel.org/stable/c/2e557c8ca2c585bdef591b8503ba83b85f5d0afd", + "https://git.kernel.org/stable/c/5ad7bbf3dba5c4a684338df1f285080f2588b535" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini\n\nCurrently amdgpu calls drm_sched_fini() from the fence driver sw fini\nroutine - such function is expected to be called only after the\nrespective init function - drm_sched_init() - was executed successfully.\n\nHappens that we faced a driver probe failure in the Steam Deck\nrecently, and the function drm_sched_fini() was called even without\nits counter-part had been previously called, causing the following oops:\n\namdgpu: probe of 0000:04:00.0 failed with error -110\nBUG: kernel NULL pointer dereference, address: 0000000000000090\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338\nHardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022\nRIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched]\n[...]\nCall Trace:\n \n amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu]\n amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu]\n amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\n devm_drm_dev_init_release+0x49/0x70\n [...]\n\nTo prevent that, check if the drm_sched was properly initialized for a\ngiven ring before calling its fini counter-part.\n\nNotice ideally we'd use sched.ready for that; such field is set as the latest\nthing on drm_sched_init(). But amdgpu seems to \"override\" the meaning of such\nfield - in the above oops for example, it was a GFX ring causing the crash, and\nthe sched.ready field was set to true in the ring init routine, regardless of\nthe state of the DRM scheduler. Hence, we ended-up using sched.ops as per\nChristian's suggestion [0], and also removed the no_scheduler check [1].\n\n[0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/\n[1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52738" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52739", + "dataSource": "https://ubuntu.com/security/CVE-2023-52739", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52739" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52739", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52739", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a626e27f984dfbe96bd8e4fd08f20a2ede3ea23", + "https://git.kernel.org/stable/c/3af734f3eac6f70ef8e272a80da40544b9d0f2b5", + "https://git.kernel.org/stable/c/3b4c045a98f53a8890a94bb5846a390c8e39e673", + "https://git.kernel.org/stable/c/462a8e08e0e6287e5ce13187257edbf24213ed03" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix page corruption caused by racy check in __free_pages\n\nWhen we upgraded our kernel, we started seeing some page corruption like\nthe following consistently:\n\n BUG: Bad page state in process ganesha.nfsd pfn:1304ca\n page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca\n flags: 0x17ffffc0000000()\n raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000\n raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000\n page dumped because: nonzero mapcount\n CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P B O 5.10.158-1.nutanix.20221209.el7.x86_64 #1\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016\n Call Trace:\n dump_stack+0x74/0x96\n bad_page.cold+0x63/0x94\n check_new_page_bad+0x6d/0x80\n rmqueue+0x46e/0x970\n get_page_from_freelist+0xcb/0x3f0\n ? _cond_resched+0x19/0x40\n __alloc_pages_nodemask+0x164/0x300\n alloc_pages_current+0x87/0xf0\n skb_page_frag_refill+0x84/0x110\n ...\n\nSometimes, it would also show up as corruption in the free list pointer\nand cause crashes.\n\nAfter bisecting the issue, we found the issue started from commit\ne320d3012d25 (\"mm/page_alloc.c: fix freeing non-compound pages\"):\n\n\tif (put_page_testzero(page))\n\t\tfree_the_page(page, order);\n\telse if (!PageHead(page))\n\t\twhile (order-- > 0)\n\t\t\tfree_the_page(page + (1 << order), order);\n\nSo the problem is the check PageHead is racy because at this point we\nalready dropped our reference to the page. So even if we came in with\ncompound page, the page can already be freed and PageHead can return\nfalse and we will end up freeing all the tail pages causing double free.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52739" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52740", + "dataSource": "https://ubuntu.com/security/CVE-2023-52740", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52740" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52740", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52740", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ea31e2e62bbc4d11c411eeb36f1b02841dbcab1", + "https://git.kernel.org/stable/c/6f097c24815e67909a1fcc2c605586d02babd673", + "https://git.kernel.org/stable/c/86f7e423933608d536015a0f2eb9e0338c1227e0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch\n\nThe RFI and STF security mitigation options can flip the\ninterrupt_exit_not_reentrant static branch condition concurrently with\nthe interrupt exit code which tests that branch.\n\nInterrupt exit tests this condition to set MSR[EE|RI] for exit, then\nagain in the case a soft-masked interrupt is found pending, to recover\nthe MSR so the interrupt can be replayed before attempting to exit\nagain. If the condition changes between these two tests, the MSR and irq\nsoft-mask state will become corrupted, leading to warnings and possible\ncrashes. For example, if the branch is initially true then false,\nMSR[EE] will be 0 but PACA_IRQ_HARD_DIS clear and EE may not get\nenabled, leading to warnings in irq_64.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52740" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52741", + "dataSource": "https://ubuntu.com/security/CVE-2023-52741", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52741" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52741", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52741", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0", + "https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e", + "https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211", + "https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix use-after-free in rdata->read_into_pages()\n\nWhen the network status is unstable, use-after-free may occur when\nread data from the server.\n\n BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0\n\n Call Trace:\n \n dump_stack_lvl+0x38/0x4c\n print_report+0x16f/0x4a6\n kasan_report+0xb7/0x130\n readpages_fill_pages+0x14c/0x7e0\n cifs_readv_receive+0x46d/0xa40\n cifs_demultiplex_thread+0x121c/0x1490\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n \n\n Allocated by task 2535:\n kasan_save_stack+0x22/0x50\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x82/0x90\n cifs_readdata_direct_alloc+0x2c/0x110\n cifs_readdata_alloc+0x2d/0x60\n cifs_readahead+0x393/0xfe0\n read_pages+0x12f/0x470\n page_cache_ra_unbounded+0x1b1/0x240\n filemap_get_pages+0x1c8/0x9a0\n filemap_read+0x1c0/0x540\n cifs_strict_readv+0x21b/0x240\n vfs_read+0x395/0x4b0\n ksys_read+0xb8/0x150\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\n Freed by task 79:\n kasan_save_stack+0x22/0x50\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2e/0x50\n __kasan_slab_free+0x10e/0x1a0\n __kmem_cache_free+0x7a/0x1a0\n cifs_readdata_release+0x49/0x60\n process_one_work+0x46c/0x760\n worker_thread+0x2a4/0x6f0\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n\n Last potentially related work creation:\n kasan_save_stack+0x22/0x50\n __kasan_record_aux_stack+0x95/0xb0\n insert_work+0x2b/0x130\n __queue_work+0x1fe/0x660\n queue_work_on+0x4b/0x60\n smb2_readv_callback+0x396/0x800\n cifs_abort_connection+0x474/0x6a0\n cifs_reconnect+0x5cb/0xa50\n cifs_readv_from_socket.cold+0x22/0x6c\n cifs_read_page_from_socket+0xc1/0x100\n readpages_fill_pages.cold+0x2f/0x46\n cifs_readv_receive+0x46d/0xa40\n cifs_demultiplex_thread+0x121c/0x1490\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n\nThe following function calls will cause UAF of the rdata pointer.\n\nreadpages_fill_pages\n cifs_read_page_from_socket\n cifs_readv_from_socket\n cifs_reconnect\n __cifs_reconnect\n cifs_abort_connection\n mid->callback() --> smb2_readv_callback\n queue_work(&rdata->work) # if the worker completes first,\n # the rdata is freed\n cifs_readv_complete\n kref_put\n cifs_readdata_release\n kfree(rdata)\n return rdata->... # UAF in readpages_fill_pages()\n\nSimilarly, this problem also occurs in the uncache_fill_pages().\n\nFix this by adjusts the order of condition judgment in the return\nstatement.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52741" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52742", + "dataSource": "https://ubuntu.com/security/CVE-2023-52742", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52742" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52742", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52742", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d2cf3fae701646061e295815bb7588d2f3671cc", + "https://git.kernel.org/stable/c/1be271c52bf3554edcb8d124d1f8c7f777ee5727", + "https://git.kernel.org/stable/c/25141fb4119112f4ebf8f00cf52014abbc8020b1", + "https://git.kernel.org/stable/c/43379fcacea2dcee35d02efc9c8fe97807a503c9", + "https://git.kernel.org/stable/c/6f69307f625904feed189008381fd83bd1a35b63", + "https://git.kernel.org/stable/c/811d581194f7412eda97acc03d17fc77824b561f", + "https://git.kernel.org/stable/c/f0ad46ef772438c0596df370450d8bdc8a12dbfb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: USB: Fix wrong-direction WARNING in plusb.c\n\nThe syzbot fuzzer detected a bug in the plusb network driver: A\nzero-length control-OUT transfer was treated as a read instead of a\nwrite. In modern kernels this error provokes a WARNING:\n\nusb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0\nWARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411\nusb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nModules linked in:\nCPU: 1 PID: 4645 Comm: dhcpcd Not tainted\n6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n01/12/2023\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\n...\nCall Trace:\n \n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\n __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010\n usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068\n pl_vendor_req drivers/net/usb/plusb.c:60 [inline]\n pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline]\n pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85\n usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889\n __dev_open+0x297/0x4d0 net/core/dev.c:1417\n __dev_change_flags+0x587/0x750 net/core/dev.c:8530\n dev_change_flags+0x97/0x170 net/core/dev.c:8602\n devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147\n inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979\n sock_do_ioctl+0xcc/0x230 net/socket.c:1169\n sock_ioctl+0x1f8/0x680 net/socket.c:1286\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and\nremove the USB_DIR_IN flag.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52742" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52743", + "dataSource": "https://ubuntu.com/security/CVE-2023-52743", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52743" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52743", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52743", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1ad4112c9fcf0bc08222b2b1614fba52ffd12255", + "https://git.kernel.org/stable/c/4d159f7884f78b1aacb99b4fc37d1e3cb1194e39", + "https://git.kernel.org/stable/c/87a5e3fc8416106e290c448fc8a6dd50ab24c634", + "https://git.kernel.org/stable/c/ca834a017851c50464c25a85f3cb2daefff7bede", + "https://git.kernel.org/stable/c/df59e05401450973c8c7e96fd74b49e24442dc1f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nWhen both ice and the irdma driver are loaded, a warning in\ncheck_flush_dependency is being triggered. This is due to ice driver\nworkqueue being allocated with the WQ_MEM_RECLAIM flag and the irdma one\nis not.\n\nAccording to kernel documentation, this flag should be set if the\nworkqueue will be involved in the kernel's memory reclamation flow.\nSince it is not, there is no need for the ice driver's WQ to have this\nflag set so remove it.\n\nExample trace:\n\n[ +0.000004] workqueue: WQ_MEM_RECLAIM ice:ice_service_task [ice] is flushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000139] WARNING: CPU: 0 PID: 728 at kernel/workqueue.c:2632 check_flush_dependency+0x178/0x1a0\n[ +0.000011] Modules linked in: bonding tls xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_cha\nin_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rfkill vfat fat intel_rapl_msr intel\n_rapl_common isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct1\n0dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_\ncore_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_cm iw_cm iTCO_wdt iTCO_vendor_support ipmi_ssif irdma mei_me ib_uverbs\nib_core intel_uncore joydev pcspkr i2c_i801 acpi_ipmi mei lpc_ich i2c_smbus intel_pch_thermal ioatdma ipmi_si acpi_power_meter\nacpi_pad xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ahci ixgbe libahci ice i40e igb crc32c_intel mdio i2c_algo_bit liba\nta dca wmi dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ +0.000161] [last unloaded: bonding]\n[ +0.000006] CPU: 0 PID: 728 Comm: kworker/0:2 Tainted: G S 6.2.0-rc2_next-queue-13jan-00458-gc20aabd57164 #1\n[ +0.000006] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020\n[ +0.000003] Workqueue: ice ice_service_task [ice]\n[ +0.000127] RIP: 0010:check_flush_dependency+0x178/0x1a0\n[ +0.000005] Code: 89 8e 02 01 e8 49 3d 40 00 49 8b 55 18 48 8d 8d d0 00 00 00 48 8d b3 d0 00 00 00 4d 89 e0 48 c7 c7 e0 3b 08\n9f e8 bb d3 07 01 <0f> 0b e9 be fe ff ff 80 3d 24 89 8e 02 00 0f 85 6b ff ff ff e9 06\n[ +0.000004] RSP: 0018:ffff88810a39f990 EFLAGS: 00010282\n[ +0.000005] RAX: 0000000000000000 RBX: ffff888141bc2400 RCX: 0000000000000000\n[ +0.000004] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffa1213a80\n[ +0.000003] RBP: ffff888194bf3400 R08: ffffed117b306112 R09: ffffed117b306112\n[ +0.000003] R10: ffff888bd983088b R11: ffffed117b306111 R12: 0000000000000000\n[ +0.000003] R13: ffff888111f84d00 R14: ffff88810a3943ac R15: ffff888194bf3400\n[ +0.000004] FS: 0000000000000000(0000) GS:ffff888bd9800000(0000) knlGS:0000000000000000\n[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000003] CR2: 000056035b208b60 CR3: 000000017795e005 CR4: 00000000007706f0\n[ +0.000003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ +0.000003] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ +0.000002] PKRU: 55555554\n[ +0.000003] Call Trace:\n[ +0.000002] \n[ +0.000003] __flush_workqueue+0x203/0x840\n[ +0.000006] ? mutex_unlock+0x84/0xd0\n[ +0.000008] ? __pfx_mutex_unlock+0x10/0x10\n[ +0.000004] ? __pfx___flush_workqueue+0x10/0x10\n[ +0.000006] ? mutex_lock+0xa3/0xf0\n[ +0.000005] ib_cache_cleanup_one+0x39/0x190 [ib_core]\n[ +0.000174] __ib_unregister_device+0x84/0xf0 [ib_core]\n[ +0.000094] ib_unregister_device+0x25/0x30 [ib_core]\n[ +0.000093] irdma_ib_unregister_device+0x97/0xc0 [irdma]\n[ +0.000064] ? __pfx_irdma_ib_unregister_device+0x10/0x10 [irdma]\n[ +0.000059] ? up_write+0x5c/0x90\n[ +0.000005] irdma_remove+0x36/0x90 [irdma]\n[ +0.000062] auxiliary_bus_remove+0x32/0x50\n[ +0.000007] device_r\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52743" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52744", + "dataSource": "https://ubuntu.com/security/CVE-2023-52744", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52744" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52744", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52744", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/360682fe7df262d94fae54f737c487bec0f9190d", + "https://git.kernel.org/stable/c/5d9745cead1f121974322b94ceadfb4d1e67960e", + "https://git.kernel.org/stable/c/8f5fe1cd8e6a97f94840b55f59ed08cbc397086f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix potential NULL-ptr-dereference\n\nin_dev_get() can return NULL which will cause a failure once idev is\ndereferenced in in_dev_for_each_ifa_rtnl(). This patch adds a\ncheck for NULL value in idev beforehand.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52744" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52745", + "dataSource": "https://ubuntu.com/security/CVE-2023-52745", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52745" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52745", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52745", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b4ef90cbcfa603b3bb536fbd6f261197012b6f6", + "https://git.kernel.org/stable/c/4a779187db39b2f32d048a752573e56e4e77807f", + "https://git.kernel.org/stable/c/7197460dcd43ff0e4a502ba855dd82d37c2848cc", + "https://git.kernel.org/stable/c/b1afb666c32931667c15ad1b58e7203f0119dcaf", + "https://git.kernel.org/stable/c/e632291a2dbce45a24cddeb5fe28fe71d724ba43" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/IPoIB: Fix legacy IPoIB due to wrong number of queues\n\nThe cited commit creates child PKEY interfaces over netlink will\nmultiple tx and rx queues, but some devices doesn't support more than 1\ntx and 1 rx queues. This causes to a crash when traffic is sent over the\nPKEY interface due to the parent having a single queue but the child\nhaving multiple queues.\n\nThis patch fixes the number of queues to 1 for legacy IPoIB at the\nearliest possible point in time.\n\nBUG: kernel NULL pointer dereference, address: 000000000000036b\nPGD 0 P4D 0\nOops: 0000 [#1] SMP\nCPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:kmem_cache_alloc+0xcb/0x450\nCode: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a\n01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b\nRSP: 0018:ffff88822acbbab8 EFLAGS: 00010202\nRAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae\nRDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00\nRBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40\nR10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000\nR13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000\nFS: 00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n skb_clone+0x55/0xd0\n ip6_finish_output2+0x3fe/0x690\n ip6_finish_output+0xfa/0x310\n ip6_send_skb+0x1e/0x60\n udp_v6_send_skb+0x1e5/0x420\n udpv6_sendmsg+0xb3c/0xe60\n ? ip_mc_finish_output+0x180/0x180\n ? __switch_to_asm+0x3a/0x60\n ? __switch_to_asm+0x34/0x60\n sock_sendmsg+0x33/0x40\n __sys_sendto+0x103/0x160\n ? _copy_to_user+0x21/0x30\n ? kvm_clock_get_cycles+0xd/0x10\n ? ktime_get_ts64+0x49/0xe0\n __x64_sys_sendto+0x25/0x30\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f9374f1ed14\nCode: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b\n7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b\nRSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14\nRDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030\nRBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\nR13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52745" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52746", + "dataSource": "https://ubuntu.com/security/CVE-2023-52746", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52746" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52746", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52746", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/419674224390fca298020fc0751a20812f84b12d", + "https://git.kernel.org/stable/c/5dc688fae6b7be9dbbf5304a3d2520d038e06db5", + "https://git.kernel.org/stable/c/a893cc644812728e86e9aff517fd5698812ecef0", + "https://git.kernel.org/stable/c/b6ee896385380aa621102e8ea402ba12db1cabff" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()\n\n int type = nla_type(nla);\n\n if (type > XFRMA_MAX) {\n return -EOPNOTSUPP;\n }\n\n@type is then used as an array index and can be used\nas a Spectre v1 gadget.\n\n if (nla_len(nla) < compat_policy[type].len) {\n\narray_index_nospec() can be used to prevent leaking\ncontent of kernel memory to malicious users.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52746" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52747", + "dataSource": "https://ubuntu.com/security/CVE-2023-52747", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52747" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52747", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52747", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00d9e212b8a39e6ffcf31b9d2e503d2bf6009d45", + "https://git.kernel.org/stable/c/0a4f811f2e5d07bbd0c9226f4afb0a1270a831ae", + "https://git.kernel.org/stable/c/6601fc0d15ffc20654e39486f9bef35567106d68", + "https://git.kernel.org/stable/c/7896accedf5bf1277d2f305718e36dc8bac7e321", + "https://git.kernel.org/stable/c/79b595d9591426156a9e0635a5b5115508a36fef", + "https://git.kernel.org/stable/c/9bae58d58b6bb73b572356b31a62d2afc7378d12" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Restore allocated resources on failed copyout\n\nFix a resource leak if an error occurs.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52747" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52748", + "dataSource": "https://ubuntu.com/security/CVE-2023-52748", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52748" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52748", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52748", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3eebe636cac53886bd5d1cdd55e082ec9e84983f", + "https://git.kernel.org/stable/c/526dd7540a09ecf87b5f54f3ab4e0a2528f25a79", + "https://git.kernel.org/stable/c/6fca08fd3085253b48fcb1bd243a0a5e18821a00", + "https://git.kernel.org/stable/c/c041f5ddef00c731c541e00bc8ae97b8c84c682f", + "https://git.kernel.org/stable/c/e0d4e8acb3789c5a8651061fbab62ca24a45c063", + "https://git.kernel.org/stable/c/e4088d7d8f1123006d46a42edf51b8c960a58ef9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: avoid format-overflow warning\n\nWith gcc and W=1 option, there's a warning like this:\n\nfs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:\nfs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between\n1 and 7 bytes into a region of size between 5 and 8\n[-Werror=format-overflow=]\n 1984 | sprintf(slab_name, \"f2fs_page_array_entry-%u:%u\", MAJOR(dev),\n\t\tMINOR(dev));\n | ^~\n\nString \"f2fs_page_array_entry-%u:%u\" can up to 35. The first \"%u\" can up\nto 4 and the second \"%u\" can up to 7, so total size is \"24 + 4 + 7 = 35\".\nslab_name's size should be 35 rather than 32.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52748" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52749", + "dataSource": "https://ubuntu.com/security/CVE-2023-52749", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52749" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52749", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52749", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4ec4508db97502a12daee88c74782e8d35ced068", + "https://git.kernel.org/stable/c/96474ea47dc67b0704392d59192b233c8197db0e", + "https://git.kernel.org/stable/c/bef4a48f4ef798c4feddf045d49e53c8a97d5e37" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix null dereference on suspend\n\nA race condition exists where a synchronous (noqueue) transfer can be\nactive during a system suspend. This can cause a null pointer\ndereference exception to occur when the system resumes.\n\nExample order of events leading to the exception:\n1. spi_sync() calls __spi_transfer_message_noqueue() which sets\n ctlr->cur_msg\n2. Spi transfer begins via spi_transfer_one_message()\n3. System is suspended interrupting the transfer context\n4. System is resumed\n6. spi_controller_resume() calls spi_start_queue() which resets cur_msg\n to NULL\n7. Spi transfer context resumes and spi_finalize_current_message() is\n called which dereferences cur_msg (which is now NULL)\n\nWait for synchronous transfers to complete before suspending by\nacquiring the bus mutex and setting/checking a suspend flag.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52749" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52750", + "dataSource": "https://ubuntu.com/security/CVE-2023-52750", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52750" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52750", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52750", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/146a15b873353f8ac28dc281c139ff611a3c4848", + "https://git.kernel.org/stable/c/69e619d2fd056fe1f5d0adf01584f2da669e0d28", + "https://git.kernel.org/stable/c/936c9c10efaefaf1ab3ef020e1f8aaaaff1ad2f9", + "https://git.kernel.org/stable/c/bd31e534721ab95ef237020fe6995c899ffdf21a", + "https://git.kernel.org/stable/c/d08a1e75253b4e19ae290b1c35349f12cfcebc0a", + "https://git.kernel.org/stable/c/ef0224ee5399ea8a46bc07dc6c6494961ed5fdd2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer\n\nPrior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly\nbyte-swap NOP when compiling for big-endian, and the resulting series of\nbytes happened to match the encoding of FNMADD S21, S30, S0, S0.\n\nThis went unnoticed until commit:\n\n 34f66c4c4d5518c1 (\"arm64: Use a positive cpucap for FP/SIMD\")\n\nPrior to that commit, the kernel would always enable the use of FPSIMD\nearly in boot when __cpu_setup() initialized CPACR_EL1, and so usage of\nFNMADD within the kernel was not detected, but could result in the\ncorruption of user or kernel FPSIMD state.\n\nAfter that commit, the instructions happen to trap during boot prior to\nFPSIMD being detected and enabled, e.g.\n\n| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : __pi_strcmp+0x1c/0x150\n| lr : populate_properties+0xe4/0x254\n| sp : ffffd014173d3ad0\n| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000\n| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008\n| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044\n| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005\n| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000\n| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000\n| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000\n| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000\n| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a\n| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8\n| Kernel panic - not syncing: Unhandled exception\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| Call trace:\n| dump_backtrace+0xec/0x108\n| show_stack+0x18/0x2c\n| dump_stack_lvl+0x50/0x68\n| dump_stack+0x18/0x24\n| panic+0x13c/0x340\n| el1t_64_irq_handler+0x0/0x1c\n| el1_abort+0x0/0x5c\n| el1h_64_sync+0x64/0x68\n| __pi_strcmp+0x1c/0x150\n| unflatten_dt_nodes+0x1e8/0x2d8\n| __unflatten_device_tree+0x5c/0x15c\n| unflatten_device_tree+0x38/0x50\n| setup_arch+0x164/0x1e0\n| start_kernel+0x64/0x38c\n| __primary_switched+0xbc/0xc4\n\nRestrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is\neither GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked\ncommit.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52750" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52751", + "dataSource": "https://ubuntu.com/security/CVE-2023-52751", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52751" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52751", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52751", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b", + "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9", + "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in smb2_query_info_compound()\n\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\n\n BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\n Read of size 8 at addr ffff888014941048 by task xfs_io/27534\n\n CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x4a/0x80\n print_report+0xcf/0x650\n ? srso_alias_return_thunk+0x5/0x7f\n ? srso_alias_return_thunk+0x5/0x7f\n ? __phys_addr+0x46/0x90\n kasan_report+0xda/0x110\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __stack_depot_save+0x39/0x480\n ? kasan_save_stack+0x33/0x60\n ? kasan_set_track+0x25/0x30\n ? ____kasan_slab_free+0x126/0x170\n smb2_queryfs+0xc2/0x2c0 [cifs]\n ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n smb311_queryfs+0x210/0x220 [cifs]\n ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __lock_acquire+0x480/0x26c0\n ? lock_release+0x1ed/0x640\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_raw_spin_unlock+0x9b/0x100\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n ? __pfx___do_sys_fstatfs+0x10/0x10\n ? srso_alias_return_thunk+0x5/0x7f\n ? lockdep_hardirqs_on_prepare+0x136/0x200\n ? srso_alias_return_thunk+0x5/0x7f\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x8f/0xa0\n open_cached_dir+0x71b/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n smb311_queryfs+0x210/0x220 [cifs]\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2b/0x50\n ____kasan_slab_free+0x126/0x170\n slab_free_freelist_hook+0xd0/0x1e0\n __kmem_cache_free+0x9d/0x1b0\n open_cached_dir+0xff5/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it. And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\n\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\n\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\n CIFS: VFS: Dump pending requests:\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n ...\n\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid. And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52751" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52752", + "dataSource": "https://ubuntu.com/security/CVE-2023-52752", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52752" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52752", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52752", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0ab6f842452ce2cae04209d4671ac6289d0aef8a", + "https://git.kernel.org/stable/c/558817597d5fbd7af31f891b67b0fd20f0d047b7", + "https://git.kernel.org/stable/c/89929ea46f9cc11ba66d2c64713aa5d5dc723b09", + "https://git.kernel.org/stable/c/d328c09ee9f15ee5a26431f5aad7c9239fa85e62" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free bug in cifs_debug_data_proc_show()\n\nSkip SMB sessions that are being teared down\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\nto avoid use-after-free in @ses.\n\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\nwhile mounting and umounting\n\n [ 816.251274] general protection fault, probably for non-canonical\n address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\n ...\n [ 816.260138] Call Trace:\n [ 816.260329] \n [ 816.260499] ? die_addr+0x36/0x90\n [ 816.260762] ? exc_general_protection+0x1b3/0x410\n [ 816.261126] ? asm_exc_general_protection+0x26/0x30\n [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs]\n [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs]\n [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\n [ 816.262689] ? seq_read_iter+0x379/0x470\n [ 816.262995] seq_read_iter+0x118/0x470\n [ 816.263291] proc_reg_read_iter+0x53/0x90\n [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f\n [ 816.263945] vfs_read+0x201/0x350\n [ 816.264211] ksys_read+0x75/0x100\n [ 816.264472] do_syscall_64+0x3f/0x90\n [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n [ 816.265135] RIP: 0033:0x7fd5e669d381", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2023-52752" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52753", + "dataSource": "https://ubuntu.com/security/CVE-2023-52753", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52753" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52753", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52753", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/09909f515032fa80b921fd3118efe66b185d10fd", + "https://git.kernel.org/stable/c/4e497f1acd99075b13605b2e7fa0cba721a2cfd9", + "https://git.kernel.org/stable/c/6d8653b1a7a8dc938b566ae8c4f373b36e792c68", + "https://git.kernel.org/stable/c/79b6a90f4f2433312154cd68452b0ba501fa74db", + "https://git.kernel.org/stable/c/8a06894666e0b462c9316b26ab615cefdd0d676c", + "https://git.kernel.org/stable/c/b1904ed480cee3f9f4036ea0e36d139cb5fee2d6", + "https://git.kernel.org/stable/c/df8bc953eed72371e43ca407bd063507f760cf89", + "https://git.kernel.org/stable/c/eac3e4760aa12159f7f5475d55a67b7933abc195" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid NULL dereference of timing generator\n\n[Why & How]\nCheck whether assigned timing generator is NULL or not before\naccessing its funcs to prevent NULL dereference.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52753" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52754", + "dataSource": "https://ubuntu.com/security/CVE-2023-52754", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52754" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52754", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52754", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f5068519f89d928d6c51100e4b274479123829f", + "https://git.kernel.org/stable/c/10ec5a97f8f5a772a1a42b4eb27196b447cd3aa9", + "https://git.kernel.org/stable/c/2a493a34bd6e496c55fabedd82b957193ace178f", + "https://git.kernel.org/stable/c/5e0b788fb96be36d1baf1a5c88d09c7c82a0452a", + "https://git.kernel.org/stable/c/a1766a4fd83befa0b34d932d532e7ebb7fab1fa7", + "https://git.kernel.org/stable/c/b083aaf5db2eeca9e362723258e5d8698f7dd84e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imon: fix access to invalid resource for the second interface\n\nimon driver probes two USB interfaces, and at the probe of the second\ninterface, the driver assumes blindly that the first interface got\nbound with the same imon driver. It's usually true, but it's still\npossible that the first interface is bound with another driver via a\nmalformed descriptor. Then it may lead to a memory corruption, as\nspotted by syzkaller; imon driver accesses the data from drvdata as\nstruct imon_context object although it's a completely different one\nthat was assigned by another driver.\n\nThis patch adds a sanity check -- whether the first interface is\nreally bound with the imon driver or not -- for avoiding the problem\nabove at the probe time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52754" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52755", + "dataSource": "https://ubuntu.com/security/CVE-2023-52755", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52755" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52755", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52755", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/09d9d8b40a3338193619c14ed4dc040f4f119e70", + "https://git.kernel.org/stable/c/712e01f32e577e7e48ab0adb5fe550646a3d93cb", + "https://git.kernel.org/stable/c/8387c94d73ec66eb597c7a23a8d9eadf64bfbafa", + "https://git.kernel.org/stable/c/aaf0a07d60887d6c36fc46a24de0083744f07819", + "https://git.kernel.org/stable/c/eebff19acaa35820cb09ce2ccb3d21bee2156ffb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab out of bounds write in smb_inherit_dacl()\n\nslab out-of-bounds write is caused by that offsets is bigger than pntsd\nallocation size. This patch add the check to validate 3 offsets using\nallocation size.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52755" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52756", + "dataSource": "https://ubuntu.com/security/CVE-2023-52756", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52756" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52756", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52756", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52756" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52757", + "dataSource": "https://ubuntu.com/security/CVE-2023-52757", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52757" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52757", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52757", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29", + "https://git.kernel.org/stable/c/b9bb9607b1fc12fca51f5632da25b36975f599bf", + "https://git.kernel.org/stable/c/c1a5962f1462b64fe7b69f20a4b6af8067bc2d26", + "https://git.kernel.org/stable/c/e6322fd177c6885a21dd4609dc5e5c973d1a2eb7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential deadlock when releasing mids\n\nAll release_mid() callers seem to hold a reference of @mid so there is\nno need to call kref_put(&mid->refcount, __release_mid) under\n@server->mid_lock spinlock. If they don't, then an use-after-free bug\nwould have occurred anyways.\n\nBy getting rid of such spinlock also fixes a potential deadlock as\nshown below\n\nCPU 0 CPU 1\n------------------------------------------------------------------\ncifs_demultiplex_thread() cifs_debug_data_proc_show()\n release_mid()\n spin_lock(&server->mid_lock);\n spin_lock(&cifs_tcp_ses_lock)\n\t\t\t\t spin_lock(&server->mid_lock)\n __release_mid()\n smb2_find_smb_tcon()\n spin_lock(&cifs_tcp_ses_lock) *deadlock*", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52757" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52759", + "dataSource": "https://ubuntu.com/security/CVE-2023-52759", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52759" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52759", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52759", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/119565e566f91ff3588ffcd5812f0c8061586c6b", + "https://git.kernel.org/stable/c/1c28dace66015b675a343b89b0c87abbfda05ff4", + "https://git.kernel.org/stable/c/212f112fe5e90e98eb8d48585682880dae139f4c", + "https://git.kernel.org/stable/c/2a054b87a1b799b391e578597a42ee6e57a987ae", + "https://git.kernel.org/stable/c/2bb42a27a92ff3984c9fa5fbe128eced3ea693f2", + "https://git.kernel.org/stable/c/4c6a08125f2249531ec01783a5f4317d7342add5", + "https://git.kernel.org/stable/c/53fc16c1ad84f5467ec24341670b63aa759335d3", + "https://git.kernel.org/stable/c/5bfda356e903633d16ae1bac1ee38364e12628a3", + "https://git.kernel.org/stable/c/b4deec69fe32b58dc5fb4ace52456ece85b75561" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: ignore negated quota changes\n\nWhen lots of quota changes are made, there may be cases in which an\ninode's quota information is increased and then decreased, such as when\nblocks are added to a file, then deleted from it. If the timing is\nright, function do_qc can add pending quota changes to a transaction,\nthen later, another call to do_qc can negate those changes, resulting\nin a net gain of 0. The quota_change information is recorded in the qc\nbuffer (and qd element of the inode as well). The buffer is added to the\ntransaction by the first call to do_qc, but a subsequent call changes\nthe value from non-zero back to zero. At that point it's too late to\nremove the buffer_head from the transaction. Later, when the quota sync\ncode is called, the zero-change qd element is discovered and flagged as\nan assert warning. If the fs is mounted with errors=panic, the kernel\nwill panic.\n\nThis is usually seen when files are truncated and the quota changes are\nnegated by punch_hole/truncate which uses gfs2_quota_hold and\ngfs2_quota_unhold rather than block allocations that use gfs2_quota_lock\nand gfs2_quota_unlock which automatically do quota sync.\n\nThis patch solves the problem by adding a check to qd_check_sync such\nthat net-zero quota changes already added to the transaction are no\nlonger deemed necessary to be synced, and skipped.\n\nIn this case references are taken for the qd and the slot from do_qc\nso those need to be put. The normal sequence of events for a normal\nnon-zero quota change is as follows:\n\ngfs2_quota_change\n do_qc\n qd_hold\n slot_hold\n\nLater, when the changes are to be synced:\n\ngfs2_quota_sync\n qd_fish\n qd_check_sync\n gets qd ref via lockref_get_not_dead\n do_sync\n do_qc(QC_SYNC)\n qd_put\n\t lockref_put_or_lock\n qd_unlock\n qd_put\n lockref_put_or_lock\n\nIn the net-zero change case, we add a check to qd_check_sync so it puts\nthe qd and slot references acquired in gfs2_quota_change and skip the\nunneeded sync.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52759" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52760", + "dataSource": "https://ubuntu.com/security/CVE-2023-52760", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52760" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52760", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52760", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81", + "https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba", + "https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\n\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\n\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\n\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2023-52760" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52761", + "dataSource": "https://ubuntu.com/security/CVE-2023-52761", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52761" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52761", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52761", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788", + "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76", + "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n located using per-cpu asm macro. Computing per-cpu symbol requires\n a temporary register. x31 is saved away into CSR_SCRATCH\n (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [] dump_backtrace+0x30/0x38\n [] show_stack+0x40/0x4c\n [] dump_stack_lvl+0x44/0x5c\n [] dump_stack+0x18/0x20\n [] panic+0x126/0x2fe\n [] walk_stackframe+0x0/0xf0\n [] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52761" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52762", + "dataSource": "https://ubuntu.com/security/CVE-2023-52762", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52762" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52762", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52762", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/017278f141141367f7d14b203e930b45b6ffffb9", + "https://git.kernel.org/stable/c/472bd4787406bef2e8b41ee4c74d960a06a49a48", + "https://git.kernel.org/stable/c/72775cad7f572bb2501f9ea609e1d20e68f0b38b", + "https://git.kernel.org/stable/c/d667fe301dcbcb12d1d6494fc4b8abee2cb75d90", + "https://git.kernel.org/stable/c/fafb51a67fb883eb2dde352539df939a251851be" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: fix implicit overflow on virtio_max_dma_size\n\nThe following codes have an implicit conversion from size_t to u32:\n(u32)max_size = (size_t)virtio_max_dma_size(vdev);\n\nThis may lead overflow, Ex (size_t)4G -> (u32)0. Once\nvirtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX\ninstead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52762" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52763", + "dataSource": "https://ubuntu.com/security/CVE-2023-52763", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52763" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52763", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52763", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39c71357e68e2f03766f9321b9f4882e49ff1442", + "https://git.kernel.org/stable/c/3cb79a365e7cce8f121bba91312e2ddd206b9781", + "https://git.kernel.org/stable/c/b53e9758a31c683fc8615df930262192ed5f034b", + "https://git.kernel.org/stable/c/e64d23dc65810be4e3395d72df0c398f60c991f9", + "https://git.kernel.org/stable/c/eed74230435c61eeb58abaa275b1820e6a4b7f02" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.\n\nThe `i3c_master_bus_init` function may attach the I2C devices before the\nI3C bus initialization. In this flow, the DAT `alloc_entry`` will be used\nbefore the DAT `init`. Additionally, if the `i3c_master_bus_init` fails,\nthe DAT `cleanup` will execute before the device is detached, which will\nexecue DAT `free_entry` function. The above scenario can cause the driver\nto use DAT_data when it is NULL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52763" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52764", + "dataSource": "https://ubuntu.com/security/CVE-2023-52764", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52764" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52764", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52764", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/099be1822d1f095433f4b08af9cc9d6308ec1953", + "https://git.kernel.org/stable/c/09cd8b561aa9796903710a1046957f2b112c8f26", + "https://git.kernel.org/stable/c/2eee8edfff90e22980a6b22079d238c3c9d323bb", + "https://git.kernel.org/stable/c/69bba62600bd91d6b7c1e8ca181faf8ac64f7060", + "https://git.kernel.org/stable/c/8f83c85ee88225319c52680792320c02158c2a9b", + "https://git.kernel.org/stable/c/93bddd6529f187f510eec759f37d0569243c9809", + "https://git.kernel.org/stable/c/a647f27a7426d2fe1b40da7c8fa2b81354a51177", + "https://git.kernel.org/stable/c/c6b6b8692218da73b33b310d7c1df90f115bdd9a", + "https://git.kernel.org/stable/c/e2d7149b913d14352c82624e723ce1c211ca06d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: gspca: cpia1: shift-out-of-bounds in set_flicker\n\nSyzkaller reported the following issue:\nUBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27\nshift exponent 245 is too large for 32-bit type 'int'\n\nWhen the value of the variable \"sd->params.exposure.gain\" exceeds the\nnumber of bits in an integer, a shift-out-of-bounds error is reported. It\nis triggered because the variable \"currentexp\" cannot be left-shifted by\nmore than the number of bits in an integer. In order to avoid invalid\nrange during left-shift, the conditional expression is added.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52764" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52766", + "dataSource": "https://ubuntu.com/security/CVE-2023-52766", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52766" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52766", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52766", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/45a832f989e520095429589d5b01b0c65da9b574", + "https://git.kernel.org/stable/c/4c86cb2321bd9c72d3b945ce7f747961beda8e65", + "https://git.kernel.org/stable/c/7c2b91b30d74d7c407118ad72502d4ca28af1af6", + "https://git.kernel.org/stable/c/8be39f66915b40d26ea2c18ba84b5c3d5da6809b", + "https://git.kernel.org/stable/c/d23ad76f240c0f597b7a9eb79905d246f27d40df" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler\n\nDo not loop over ring headers in hci_dma_irq_handler() that are not\nallocated and enabled in hci_dma_init(). Otherwise out of bounds access\nwill occur from rings->headers[i] access when i >= number of allocated\nring headers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52766" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52768", + "dataSource": "https://ubuntu.com/security/CVE-2023-52768", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52768" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52768", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52768", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/05ac1a198a63ad66bf5ae8b7321407c102d40ef3", + "https://git.kernel.org/stable/c/3ce1c2c3999b232258f7aabab311d47dda75605c", + "https://git.kernel.org/stable/c/4b0d6ddb6466d10df878a7787f175a0e4adc3e27", + "https://git.kernel.org/stable/c/541b3757fd443a68ed8d25968eae511a8275e7c8", + "https://git.kernel.org/stable/c/6aaf7cd8bdfe245d3c9a8b48fe70c2011965948e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: use vmm_table as array in wilc struct\n\nEnabling KASAN and running some iperf tests raises some memory issues with\nvmm_table:\n\nBUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4\nWrite of size 4 at addr c3a61540 by task wlan0-tx/95\n\nKASAN detects that we are writing data beyond range allocated to vmm_table.\nThere is indeed a mismatch between the size passed to allocator in\nwilc_wlan_init, and the range of possible indexes used later: allocation\nsize is missing a multiplication by sizeof(u32)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52768" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52772", + "dataSource": "https://ubuntu.com/security/CVE-2023-52772", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52772" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52772", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52772", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/069a3ec329ff43e7869a3d94c62cd03203016bce", + "https://git.kernel.org/stable/c/4b7b492615cf3017190f55444f7016812b66611d", + "https://git.kernel.org/stable/c/75bcfc188abf4fae9c1d5f5dc0a03540be602eef", + "https://git.kernel.org/stable/c/d179189eec426fe4801e4b91efa1889faed12700", + "https://git.kernel.org/stable/c/eae0b295ce16d8c8b4114c3037993191b4bb92f0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: fix use-after-free in unix_stream_read_actor()\n\nsyzbot reported the following crash [1]\n\nAfter releasing unix socket lock, u->oob_skb can be changed\nby another thread. We must temporarily increase skb refcount\nto make sure this other thread will not free the skb under us.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nRead of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297\n\nCPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:364 [inline]\nprint_report+0xc4/0x620 mm/kasan/report.c:475\nkasan_report+0xda/0x110 mm/kasan/report.c:588\nunix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nunix_stream_recv_urg net/unix/af_unix.c:2587 [inline]\nunix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666\nunix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903\nsock_recvmsg_nosec net/socket.c:1044 [inline]\nsock_recvmsg+0xe2/0x170 net/socket.c:1066\n____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803\n___sys_recvmsg+0x115/0x1a0 net/socket.c:2845\n__sys_recvmsg+0x114/0x1e0 net/socket.c:2875\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fc67492c559\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559\nRDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004\nRBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340\nR13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388\n\n\nAllocated by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328\nkasan_slab_alloc include/linux/kasan.h:188 [inline]\nslab_post_alloc_hook mm/slab.h:763 [inline]\nslab_alloc_node mm/slub.c:3478 [inline]\nkmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523\n__alloc_skb+0x287/0x330 net/core/skbuff.c:641\nalloc_skb include/linux/skbuff.h:1286 [inline]\nalloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331\nsock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780\nsock_alloc_send_skb include/net/sock.h:1884 [inline]\nqueue_oob net/unix/af_unix.c:2147 [inline]\nunix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n__sys_sendmsg+0x117/0x1e0 net/socket.c:2667\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFreed by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200\nkasan_slab_free include/linux/kasan.h:164 [inline]\nslab_free_hook mm/slub.c:1800 [inline]\nslab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826\nslab_free mm/slub.c:3809 [inline]\nkmem_cache_free+0xf8/0x340 mm/slub.c:3831\nkfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015\n__kfree_skb net/core/skbuff.c:1073 [inline]\nconsume_skb net/core/skbuff.c:1288 [inline]\nconsume_skb+0xdf/0x170 net/core/skbuff.c:1282\nqueue_oob net/unix/af_unix.c:2178 [inline]\nu\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52772" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52774", + "dataSource": "https://ubuntu.com/security/CVE-2023-52774", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52774" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52774", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52774", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6062c527d0403cef27c54b91ac8390c3a497b250", + "https://git.kernel.org/stable/c/9372aab5d0ff621ea203c8c603e7e5f75e888240", + "https://git.kernel.org/stable/c/c841de6247e94e07566d57163d3c0d8b29278f7a", + "https://git.kernel.org/stable/c/db46cd1e0426f52999d50fa72cfa97fa39952885", + "https://git.kernel.org/stable/c/dc96fde8fcb2b896fd6c64802a7f4ece2e69b0be", + "https://git.kernel.org/stable/c/ebdc569a07a3e8dbe66b4184922ad6f88ac0b96f", + "https://git.kernel.org/stable/c/f1ac7789406e2ca9ac51c41ad2daa597f47bdd4d", + "https://git.kernel.org/stable/c/f75617cc8df4155374132f0b500b0b3ebb967458" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: protect device queue against concurrent access\n\nIn dasd_profile_start() the amount of requests on the device queue are\ncounted. The access to the device queue is unprotected against\nconcurrent access. With a lot of parallel I/O, especially with alias\ndevices enabled, the device queue can change while dasd_profile_start()\nis accessing the queue. In the worst case this leads to a kernel panic\ndue to incorrect pointer accesses.\n\nFix this by taking the device lock before accessing the queue and\ncounting the requests. Additionally the check for a valid profile data\npointer can be done earlier to avoid unnecessary locking in a hot path.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52774" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52775", + "dataSource": "https://ubuntu.com/security/CVE-2023-52775", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52775" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52775", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52775", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c", + "https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1", + "https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c", + "https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add", + "https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: avoid data corruption caused by decline\n\nWe found a data corruption issue during testing of SMC-R on Redis\napplications.\n\nThe benchmark has a low probability of reporting a strange error as\nshown below.\n\n\"Error: Protocol error, got \"\\xe2\" as reply type byte\"\n\nFinally, we found that the retrieved error data was as follows:\n\n0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C\n0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00\n0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2\n\nIt is quite obvious that this is a SMC DECLINE message, which means that\nthe applications received SMC protocol message.\nWe found that this was caused by the following situations:\n\nclient server\n ¦ clc proposal\n ------------->\n ¦ clc accept\n <-------------\n ¦ clc confirm\n ------------->\nwait llc confirm\n\t\t\tsend llc confirm\n ¦failed llc confirm\n ¦ x------\n(after 2s)timeout\n wait llc confirm rsp\n\nwait decline\n\n(after 1s) timeout\n (after 2s) timeout\n ¦ decline\n -------------->\n ¦ decline\n <--------------\n\nAs a result, a decline message was sent in the implementation, and this\nmessage was read from TCP by the already-fallback connection.\n\nThis patch double the client timeout as 2x of the server value,\nWith this simple change, the Decline messages should never cross or\ncollide (during Confirm link timeout).\n\nThis issue requires an immediate solution, since the protocol updates\ninvolve a more long-term solution.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52775" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52781", + "dataSource": "https://ubuntu.com/security/CVE-2023-52781", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52781" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52781", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52781", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/64c27b7b2357ddb38b6afebaf46d5bff4d250702", + "https://git.kernel.org/stable/c/7c0244cc311a4038505b73682b7c8ceaa5c7a8c8", + "https://git.kernel.org/stable/c/974bba5c118f4c2baf00de0356e3e4f7928b4cbc", + "https://git.kernel.org/stable/c/9ef94ec8e52eaf7b9abc5b5f8f5b911751112223", + "https://git.kernel.org/stable/c/f89fef7710b2ba0f7a1e46594e530dcf2f77be91" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: config: fix iteration issue in 'usb_get_bos_descriptor()'\n\nThe BOS descriptor defines a root descriptor and is the base descriptor for\naccessing a family of related descriptors.\n\nFunction 'usb_get_bos_descriptor()' encounters an iteration issue when\nskipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in\nthe same descriptor being read repeatedly.\n\nTo address this issue, a 'goto' statement is introduced to ensure that the\npointer and the amount read is updated correctly. This ensures that the\nfunction iterates to the next descriptor instead of reading the same\ndescriptor repeatedly.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52781" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52784", + "dataSource": "https://ubuntu.com/security/CVE-2023-52784", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52784" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52784", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52784", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19554aa901b5833787df4417a05ccdebf351b7f4", + "https://git.kernel.org/stable/c/396baca6683f415b5bc2b380289387bef1406edc", + "https://git.kernel.org/stable/c/3cffa2ddc4d3fcf70cde361236f5a614f81a09b2", + "https://git.kernel.org/stable/c/53064e8239dd2ecfefc5634e991f1025abc2ee0c", + "https://git.kernel.org/stable/c/87c49806a37f88eddde3f537c162fd0c2834170c", + "https://git.kernel.org/stable/c/b4f0e605a508f6d7cda6df2f03a0c676b778b1fe", + "https://git.kernel.org/stable/c/d98c91215a5748a0f536e7ccea26027005196859" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: stop the device in bond_setup_by_slave()\n\nCommit 9eed321cde22 (\"net: lapbether: only support ethernet devices\")\nhas been able to keep syzbot away from net/lapb, until today.\n\nIn the following splat [1], the issue is that a lapbether device has\nbeen created on a bonding device without members. Then adding a non\nARPHRD_ETHER member forced the bonding master to change its type.\n\nThe fix is to make sure we call dev_close() in bond_setup_by_slave()\nso that the potential linked lapbether devices (or any other devices\nhaving assumptions on the physical device) are removed.\n\nA similar bug has been addressed in commit 40baec225765\n(\"bonding: fix panic on non-ARPHRD_ETHER enslave failure\")\n\n[1]\nskbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0\nkernel BUG at net/core/skbuff.c:192 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : skb_panic net/core/skbuff.c:188 [inline]\npc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nlr : skb_panic net/core/skbuff.c:188 [inline]\nlr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nsp : ffff800096a06aa0\nx29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000\nx26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea\nx23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140\nx20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100\nx17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001\nx14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00\nx8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001\nx5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c\nx2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086\nCall trace:\nskb_panic net/core/skbuff.c:188 [inline]\nskb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nskb_push+0xf0/0x108 net/core/skbuff.c:2446\nip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384\ndev_hard_header include/linux/netdevice.h:3136 [inline]\nlapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257\nlapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447\nlapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149\nlapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251\n__lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326\nlapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\ndev_close+0x174/0x250 net/core/dev.c:1585\nlapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\ndev_close+0x174/0x250 net/core/dev.c:1585\nbond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332\nbond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539\ndev_ifsioc+0x754/0x9ac\ndev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786\nsock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217\nsock_ioctl+0x4e8/0x834 net/socket.c:1322\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52784" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52788", + "dataSource": "https://ubuntu.com/security/CVE-2023-52788", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52788" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52788", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52788", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10f49cdfd5fb342a1a9641930dc040c570694e98", + "https://git.kernel.org/stable/c/1566e8be73fd5fa424e88d2a4cffdc34f970f0e1", + "https://git.kernel.org/stable/c/471aa951bf1206d3c10d0daa67005b8e4db4ff83", + "https://git.kernel.org/stable/c/55db76caa782baa4a1bf02296e2773c38a524a3e", + "https://git.kernel.org/stable/c/bf8e105030083e7b71591cdf437e464bcd8a0c09" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni915/perf: Fix NULL deref bugs with drm_dbg() calls\n\nWhen i915 perf interface is not available dereferencing it will lead to\nNULL dereferences.\n\nAs returning -ENOTSUPP is pretty clear return when perf interface is not\navailable.\n\n[tursulin: added stable tag]\n(cherry picked from commit 36f27350ff745bd228ab04d7845dfbffc177a889)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52788" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52789", + "dataSource": "https://ubuntu.com/security/CVE-2023-52789", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52789" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52789", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52789", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/38cd56fc9de78bf3c878790785e8c231116ef9d3", + "https://git.kernel.org/stable/c/460284dfb10b207980c6f3f7046e33446ceb38ac", + "https://git.kernel.org/stable/c/4a24a31826246b15477399febd13292b0c9f0ee9", + "https://git.kernel.org/stable/c/4ef41a7f33ffe1a335e7db7e1564ddc6afad47cc", + "https://git.kernel.org/stable/c/6c80f48912b5bd4965352d1a9a989e21743a4a06", + "https://git.kernel.org/stable/c/7cebc86481bf16049e266f6774d90f2fd4f8d5d2", + "https://git.kernel.org/stable/c/8f8771757b130383732195497e47fba2aba76d3a", + "https://git.kernel.org/stable/c/909963e0c16778cec28efb1affc21558825f4200", + "https://git.kernel.org/stable/c/d81ffb87aaa75f842cd7aa57091810353755b3e6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: vcc: Add check for kstrdup() in vcc_probe()\n\nAdd check for the return value of kstrdup() and return the error, if it\nfails in order to avoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52789" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52791", + "dataSource": "https://ubuntu.com/security/CVE-2023-52791", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52791" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52791", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52791", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/185f3617adc8fe45e40489b458f03911f0dec46c", + "https://git.kernel.org/stable/c/25284c46b657f48c0f3880a2e0706c70d81182c0", + "https://git.kernel.org/stable/c/25eb381a736e7ae39a4245ef5c96484eb1073809", + "https://git.kernel.org/stable/c/3473cf43b9068b9dfef2f545f833f33c6a544b91", + "https://git.kernel.org/stable/c/8c3fa52a46ff4d208cefb1a462ec94e0043a91e1", + "https://git.kernel.org/stable/c/aa49c90894d06e18a1ee7c095edbd2f37c232d02", + "https://git.kernel.org/stable/c/f6237afabc349c1c7909db00e15d2816519e0d2b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: core: Run atomic i2c xfer when !preemptible\n\nSince bae1d3a05a8b, i2c transfers are non-atomic if preemption is\ndisabled. However, non-atomic i2c transfers require preemption (e.g. in\nwait_for_completion() while waiting for the DMA).\n\npanic() calls preempt_disable_notrace() before calling\nemergency_restart(). Therefore, if an i2c device is used for the\nrestart, the xfer should be atomic. This avoids warnings like:\n\n[ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0\n[ 12.676926] Voluntary context switch within RCU read-side critical section!\n...\n[ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114\n[ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70\n...\n[ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58\n[ 13.001050] machine_restart from panic+0x2a8/0x32c\n\nUse !preemptible() instead, which is basically the same check as\npre-v5.2.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52791" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52796", + "dataSource": "https://ubuntu.com/security/CVE-2023-52796", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52796" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52796", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52796", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03cddc4df8c6be47fd27c8f8b87e5f9a989e1458", + "https://git.kernel.org/stable/c/18f039428c7df183b09c69ebf10ffd4e521035d2", + "https://git.kernel.org/stable/c/1f64cad3ac38ac5978b53c40e6c5e6fd3477c68f", + "https://git.kernel.org/stable/c/43b781e7cb5cd0b435de276111953bf2bacd1f02", + "https://git.kernel.org/stable/c/4d2d30f0792b47908af64c4d02ed1ee25ff50542", + "https://git.kernel.org/stable/c/4f7f850611aa27aaaf1bf5687702ad2240ae442a", + "https://git.kernel.org/stable/c/732a67ca436887b594ebc43bb5a04ffb0971a760", + "https://git.kernel.org/stable/c/8872dc638c24bb774cd2224a69d72a7f661a4d56" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: add ipvlan_route_v6_outbound() helper\n\nInspired by syzbot reports using a stack of multiple ipvlan devices.\n\nReduce stack size needed in ipvlan_process_v6_outbound() by moving\nthe flowi6 struct used for the route lookup in an non inlined\nhelper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,\nimmediately reclaimed.\n\nAlso make sure ipvlan_process_v4_outbound() is not inlined.\n\nWe might also have to lower MAX_NEST_DEV, because only syzbot uses\nsetups with more than four stacked devices.\n\nBUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)\nstack guard page: 0000 [#1] SMP KASAN\nCPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nRIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188\nCode: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89\nRSP: 0018:ffffc9000e804000 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2\nRDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568\nRBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c\nR13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000\nFS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<#DF>\n\n\n[] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31\n[] instrument_atomic_read include/linux/instrumented.h:72 [inline]\n[] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n[] cpumask_test_cpu include/linux/cpumask.h:506 [inline]\n[] cpu_online include/linux/cpumask.h:1092 [inline]\n[] trace_lock_acquire include/trace/events/lock.h:24 [inline]\n[] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632\n[] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306\n[] rcu_read_lock include/linux/rcupdate.h:747 [inline]\n[] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221\n[] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606\n[] pol_lookup_func include/net/ip6_fib.h:584 [inline]\n[] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116\n[] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638\n[] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651\n[] ip6_route_output include/net/ip6_route.h:100 [inline]\n[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]\n[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\n[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n[] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\n[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]\n[] xmit_one net/core/dev.c:3644 [inline]\n[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\n[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\n[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]\n[] neigh_hh_output include/net/neighbour.h:529 [inline]\n[dm_stree. To add\nthe required check for out of bound we first need to determine the type\nof dmtree. Thus added an extra parameter to dbFindLeaf so that the type\nof tree can be determined and the required check can be applied.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52799" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52800", + "dataSource": "https://ubuntu.com/security/CVE-2023-52800", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52800" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52800", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52800", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03ed26935bebf6b6fd8a656490bf3dcc71b72679", + "https://git.kernel.org/stable/c/3a51e6b4da71fdfa43ec006d6abc020f3e22d14e", + "https://git.kernel.org/stable/c/3f77c7d605b29df277d77e9ee75d96e7ad145d2d", + "https://git.kernel.org/stable/c/423762f021825b5e57c3d6f01ff96a9ff19cdcd8", + "https://git.kernel.org/stable/c/69cede2a5a5f60e3f5602b901b52cb64edd2ea6c", + "https://git.kernel.org/stable/c/e3199b3fac65c9f103055390b6fd07c5cffa5961" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix htt pktlog locking\n\nThe ath11k active pdevs are protected by RCU but the htt pktlog handling\ncode calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\nread-side critical section.\n\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\n\nCompile tested only.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52800" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52802", + "dataSource": "https://ubuntu.com/security/CVE-2023-52802", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52802" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52802", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52802", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52802" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52803", + "dataSource": "https://ubuntu.com/security/CVE-2023-52803", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52803" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52803", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52803", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a", + "https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df", + "https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618", + "https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680", + "https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5", + "https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264", + "https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a", + "https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\n\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\nworkqueue,which takes care about pipefs superblock locking.\nIn some special scenarios, when kernel frees the pipefs sb of the\ncurrent client and immediately alloctes a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\n\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\n\nThis error can be catched by KASAN:\n=========================================================\n[ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[ 250.500549] Workqueue: events rpc_free_client_work\n[ 250.501001] Call Trace:\n[ 250.502880] kasan_report+0xb6/0xf0\n[ 250.503209] ? dget_parent+0x195/0x200\n[ 250.503561] dget_parent+0x195/0x200\n[ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[ 250.504384] rpc_rmdir_depopulate+0x1b/0x90\n[ 250.504781] rpc_remove_client_dir+0xf5/0x150\n[ 250.505195] rpc_free_client_work+0xe4/0x230\n[ 250.505598] process_one_work+0x8ee/0x13b0\n...\n[ 22.039056] Allocated by task 244:\n[ 22.039390] kasan_save_stack+0x22/0x50\n[ 22.039758] kasan_set_track+0x25/0x30\n[ 22.040109] __kasan_slab_alloc+0x59/0x70\n[ 22.040487] kmem_cache_alloc_lru+0xf0/0x240\n[ 22.040889] __d_alloc+0x31/0x8e0\n[ 22.041207] d_alloc+0x44/0x1f0\n[ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140\n[ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110\n[ 22.042459] rpc_create_client_dir+0x34/0x150\n[ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0\n[ 22.043284] rpc_client_register+0x136/0x4e0\n[ 22.043689] rpc_new_client+0x911/0x1020\n[ 22.044057] rpc_create_xprt+0xcb/0x370\n[ 22.044417] rpc_create+0x36b/0x6c0\n...\n[ 22.049524] Freed by task 0:\n[ 22.049803] kasan_save_stack+0x22/0x50\n[ 22.050165] kasan_set_track+0x25/0x30\n[ 22.050520] kasan_save_free_info+0x2b/0x50\n[ 22.050921] __kasan_slab_free+0x10e/0x1a0\n[ 22.051306] kmem_cache_free+0xa5/0x390\n[ 22.051667] rcu_core+0x62c/0x1930\n[ 22.051995] __do_softirq+0x165/0x52a\n[ 22.052347]\n[ 22.052503] Last potentially related work creation:\n[ 22.052952] kasan_save_stack+0x22/0x50\n[ 22.053313] __kasan_record_aux_stack+0x8e/0xa0\n[ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0\n[ 22.054209] dentry_free+0xb2/0x140\n[ 22.054540] __dentry_kill+0x3be/0x540\n[ 22.054900] shrink_dentry_list+0x199/0x510\n[ 22.055293] shrink_dcache_parent+0x190/0x240\n[ 22.055703] do_one_tree+0x11/0x40\n[ 22.056028] shrink_dcache_for_umount+0x61/0x140\n[ 22.056461] generic_shutdown_super+0x70/0x590\n[ 22.056879] kill_anon_super+0x3a/0x60\n[ 22.057234] rpc_kill_sb+0x121/0x200", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52803" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52804", + "dataSource": "https://ubuntu.com/security/CVE-2023-52804", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52804" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52804", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52804", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1f74d336990f37703a8eee77153463d65b67f70e", + "https://git.kernel.org/stable/c/2323de34a3ae61a9f9b544c18583f71cea86721f", + "https://git.kernel.org/stable/c/32bd8f1cbcf8b663e29dd1f908ba3a129541a11b", + "https://git.kernel.org/stable/c/5013f8269887642cca784adc8db9b5f0b771533f", + "https://git.kernel.org/stable/c/64933ab7b04881c6c18b21ff206c12278341c72e", + "https://git.kernel.org/stable/c/a0649e2dd4a3595b5595a29d0064d047c2fae2fb", + "https://git.kernel.org/stable/c/c6c8863fb3f57700ab583d875adda04caaf2278a", + "https://git.kernel.org/stable/c/ce15b0f1a431168f07b1cc6c9f71206a2db5c809", + "https://git.kernel.org/stable/c/dca403bb035a565bb98ecc1dda5d30f676feda40" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Add validity check for db_maxag and db_agpref\n\nBoth db_maxag and db_agpref are used as the index of the\ndb_agfree array, but there is currently no validity check for\ndb_maxag and db_agpref, which can lead to errors.\n\nThe following is related bug reported by Syzbot:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20\nindex 7936 is out of range for type 'atomic_t[128]'\n\nAdd checking that the values of db_maxag and db_agpref are valid\nindexes for the db_agfree array.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52804" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52805", + "dataSource": "https://ubuntu.com/security/CVE-2023-52805", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52805" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52805", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52805", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/05d9ea1ceb62a55af6727a69269a4fd310edf483", + "https://git.kernel.org/stable/c/1708d0a9917fea579cc9da3d87b154285abd2cd8", + "https://git.kernel.org/stable/c/1ba7df5457dc1c1071c5f92ac11323533a6430e1", + "https://git.kernel.org/stable/c/2308d0fb0dc32446b4e6ca37cd09c30374bb64e9", + "https://git.kernel.org/stable/c/64f062baf202b82f54987a3f614a6c8f3e466641", + "https://git.kernel.org/stable/c/665b44e55c2767a4f899c3b18f49e9e1c9983777", + "https://git.kernel.org/stable/c/7467ca10a5ff09b0e87edf6c4d2a4bfdee69cf2c", + "https://git.kernel.org/stable/c/8c68af2af697ba2ba3b138be0c6d72e2ce3a3d6d", + "https://git.kernel.org/stable/c/cf7e3e84df36a9953796c737f080712f631d7083" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in diAlloc\n\nCurrently there is not check against the agno of the iag while\nallocating new inodes to avoid fragmentation problem. Added the check\nwhich is required.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52805" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52806", + "dataSource": "https://ubuntu.com/security/CVE-2023-52806", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52806" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52806", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52806", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2527775616f3638f4fd54649eba8c7b84d5e4250", + "https://git.kernel.org/stable/c/25354bae4fc310c3928e8a42fda2d486f67745d7", + "https://git.kernel.org/stable/c/43b91df291c8802268ab3cfd8fccfdf135800ed4", + "https://git.kernel.org/stable/c/4a320da7f7cbdab2098b103c47f45d5061f42edd", + "https://git.kernel.org/stable/c/631a96e9eb4228ff75fce7e72d133ca81194797e", + "https://git.kernel.org/stable/c/758c7733cb821041f5fd403b7b97c0b95d319323", + "https://git.kernel.org/stable/c/7de25112de8222fd20564769e6c99dc9f9738a0b", + "https://git.kernel.org/stable/c/f93dc90c2e8ed664985e366aa6459ac83cdab236", + "https://git.kernel.org/stable/c/fe7c1a0c2b25c82807cb46fc3aadbf2664a682b0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Fix possible null-ptr-deref when assigning a stream\n\nWhile AudioDSP drivers assign streams exclusively of HOST or LINK type,\nnothing blocks a user to attempt to assign a COUPLED stream. As\nsupplied substream instance may be a stub, what is the case when\ncode-loading, such scenario ends with null-ptr-deref.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52806" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52808", + "dataSource": "https://ubuntu.com/security/CVE-2023-52808", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52808" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52808", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52808", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/33331b265aac9441ac0c1a5442e3f05d038240ec", + "https://git.kernel.org/stable/c/6de426f9276c448e2db7238911c97fb157cb23be", + "https://git.kernel.org/stable/c/75a2656260fe8c7eeabda6ff4600b29e183f48db", + "https://git.kernel.org/stable/c/b4465009e7d60c6111946db4c8f1e50d401ed7be", + "https://git.kernel.org/stable/c/f0bfc8a5561fb0b2c48183dcbfe00bdd6d973bd3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs\n\nIf init debugfs failed during device registration due to memory allocation\nfailure, debugfs_remove_recursive() is called, after which debugfs_dir is\nnot set to NULL. debugfs_remove_recursive() will be called again during\ndevice removal. As a result, illegal pointer is accessed.\n\n[ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs!\n...\n[ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[ 1669.872669] pc : down_write+0x24/0x70\n[ 1669.876315] lr : down_write+0x1c/0x70\n[ 1669.879961] sp : ffff000036f53a30\n[ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8\n[ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000\n[ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270\n[ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8\n[ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310\n[ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10\n[ 1669.914982] x17: 0000000000000000 x16: 0000000000000000\n[ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870\n[ 1669.925555] x13: 0000000000000040 x12: 0000000000000228\n[ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0\n[ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10\n[ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff\n[ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00\n[ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000\n[ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001\n[ 1669.962563] Call trace:\n[ 1669.965000] down_write+0x24/0x70\n[ 1669.968301] debugfs_remove_recursive+0x5c/0x1b0\n[ 1669.972905] hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main]\n[ 1669.978541] hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw]\n[ 1669.984175] pci_device_remove+0x48/0xd8\n[ 1669.988082] device_release_driver_internal+0x1b4/0x250\n[ 1669.993282] device_release_driver+0x28/0x38\n[ 1669.997534] pci_stop_bus_device+0x84/0xb8\n[ 1670.001611] pci_stop_and_remove_bus_device_locked+0x24/0x40\n[ 1670.007244] remove_store+0xfc/0x140\n[ 1670.010802] dev_attr_store+0x44/0x60\n[ 1670.014448] sysfs_kf_write+0x58/0x80\n[ 1670.018095] kernfs_fop_write+0xe8/0x1f0\n[ 1670.022000] __vfs_write+0x60/0x190\n[ 1670.025472] vfs_write+0xac/0x1c0\n[ 1670.028771] ksys_write+0x6c/0xd8\n[ 1670.032071] __arm64_sys_write+0x24/0x30\n[ 1670.035977] el0_svc_common+0x78/0x130\n[ 1670.039710] el0_svc_handler+0x38/0x78\n[ 1670.043442] el0_svc+0x8/0xc\n\nTo fix this, set debugfs_dir to NULL after debugfs_remove_recursive().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52808" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52809", + "dataSource": "https://ubuntu.com/security/CVE-2023-52809", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52809" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52809", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52809", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/442fd24d7b6b29e4a9cd9225afba4142d5f522ba", + "https://git.kernel.org/stable/c/4df105f0ce9f6f30cda4e99f577150d23f0c9c5f", + "https://git.kernel.org/stable/c/56d78b5495ebecbb9395101f3be177cd0a52450b", + "https://git.kernel.org/stable/c/6b9ecf4e1032e645873933e5b43cbb84cac19106", + "https://git.kernel.org/stable/c/77072ec41d6ab3718c3fc639bc149b8037caedfa", + "https://git.kernel.org/stable/c/930f0aaba4820d6362de4e6ed569eaf444f1ea4e", + "https://git.kernel.org/stable/c/b549acf999824d4f751ca57965700372f2f3ad00", + "https://git.kernel.org/stable/c/bb83f79f90e92f46466adcfd4fd264a7ae0f0f01", + "https://git.kernel.org/stable/c/f6fe7261b92b21109678747f36df9fdab1e30c34" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()\n\nfc_lport_ptp_setup() did not check the return value of fc_rport_create()\nwhich can return NULL and would cause a NULL pointer dereference. Address\nthis issue by checking return value of fc_rport_create() and log error\nmessage on fc_rport_create() failed.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52809" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52810", + "dataSource": "https://ubuntu.com/security/CVE-2023-52810", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52810" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52810", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52810", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0cb567e727339a192f9fd0db00781d73a91d15a6", + "https://git.kernel.org/stable/c/1a7c53fdea1d189087544d9a606d249e93c4934b", + "https://git.kernel.org/stable/c/491085258185ffc4fb91555b0dba895fe7656a45", + "https://git.kernel.org/stable/c/524b4f203afcf87accfe387e846f33f916f0c907", + "https://git.kernel.org/stable/c/525b861a008143048535011f3816d407940f4bfa", + "https://git.kernel.org/stable/c/5f148b16972e5f4592629b244d5109b15135f53f", + "https://git.kernel.org/stable/c/8f2964df6bfce9d92d81ca552010b8677af8d9dc", + "https://git.kernel.org/stable/c/a81a56b4cbe3142cc99f6b98e8f9b3a631c768e1", + "https://git.kernel.org/stable/c/cc61fcf7d1c99f148fe8ddfb5c6ed0bb75861f01" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Add check for negative db_l2nbperpage\n\nl2nbperpage is log2(number of blks per page), and the minimum legal\nvalue should be 0, not negative.\n\nIn the case of l2nbperpage being negative, an error will occur\nwhen subsequently used as shift exponent.\n\nSyzbot reported this bug:\n\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12\nshift exponent -16777216 is negative", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52810" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52811", + "dataSource": "https://ubuntu.com/security/CVE-2023-52811", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52811" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52811", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52811", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/88984ec4792766df5a9de7a2ff2b5f281f94c7d4", + "https://git.kernel.org/stable/c/8bbe784c2ff28d56ca0c548aaf3e584edc77052d", + "https://git.kernel.org/stable/c/b39f2d10b86d0af353ea339e5815820026bca48f", + "https://git.kernel.org/stable/c/d2af4ef80601224b90630c1ddc7cd2c7c8ab4dd8", + "https://git.kernel.org/stable/c/e1d1f79b1929dce470a5dc9281c574cd58e8c6c0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Remove BUG_ON in the case of an empty event pool\n\nIn practice the driver should never send more commands than are allocated\nto a queue's event pool. In the unlikely event that this happens, the code\nasserts a BUG_ON, and in the case that the kernel is not configured to\ncrash on panic returns a junk event pointer from the empty event list\ncausing things to spiral from there. This BUG_ON is a historical artifact\nof the ibmvfc driver first being upstreamed, and it is well known now that\nthe use of BUG_ON is bad practice except in the most unrecoverable\nscenario. There is nothing about this scenario that prevents the driver\nfrom recovering and carrying on.\n\nRemove the BUG_ON in question from ibmvfc_get_event() and return a NULL\npointer in the case of an empty event pool. Update all call sites to\nibmvfc_get_event() to check for a NULL pointer and perfrom the appropriate\nfailure or recovery action.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52811" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52812", + "dataSource": "https://ubuntu.com/security/CVE-2023-52812", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52812" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52812", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52812", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09f617219fe9ccd8d7b65dc3e879b5889f663b5a", + "https://git.kernel.org/stable/c/406e8845356d18bdf3d3a23b347faf67706472ec", + "https://git.kernel.org/stable/c/5b4574b663d0a1a0a62d5232429b7db9ae6d0670" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: check num of link levels when update pcie param\n\nIn SR-IOV environment, the value of pcie_table->num_of_link_levels will\nbe 0, and num_of_levels - 1 will cause array index out of bounds", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52812" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52813", + "dataSource": "https://ubuntu.com/security/CVE-2023-52813", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52813" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52813", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52813", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0", + "https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28", + "https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316", + "https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523", + "https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e", + "https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7", + "https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf", + "https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d", + "https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\n\nWe found a hungtask bug in test_aead_vec_cfg as follows:\n\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nCall trace:\n __switch_to+0x98/0xe0\n __schedule+0x6c4/0xf40\n schedule+0xd8/0x1b4\n schedule_timeout+0x474/0x560\n wait_for_common+0x368/0x4e0\n wait_for_completion+0x20/0x30\n wait_for_completion+0x20/0x30\n test_aead_vec_cfg+0xab4/0xd50\n test_aead+0x144/0x1f0\n alg_test_aead+0xd8/0x1e0\n alg_test+0x634/0x890\n cryptomgr_test+0x40/0x70\n kthread+0x1e0/0x220\n ret_from_fork+0x10/0x18\n Kernel panic - not syncing: hung_task: blocked tasks\n\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\nwait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\nreturn err is 0 for padata_do_parallel. But, when pinst->flags is\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\nwon't call aead_request_complete(). Therefore, test_aead_vec_cfg will\nhung at wait_for_completion(&wait->completion), which will cause\nhungtask.\n\nThe problem comes as following:\n(padata_do_parallel) |\n rcu_read_lock_bh(); |\n err = -EINVAL; | (padata_replace)\n | pinst->flags |= PADATA_RESET;\n err = -EBUSY |\n if (pinst->flags & PADATA_RESET) |\n rcu_read_unlock_bh() |\n return err\n\nIn order to resolve the problem, we replace the return err -EBUSY with\n-EAGAIN, which means parallel_data is changing, and the caller should call\nit again.\n\nv3:\nremove retry and just change the return err.\nv2:\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\npcrypt_aead_decrypt to solve the hungtask.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52813" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52815", + "dataSource": "https://ubuntu.com/security/CVE-2023-52815", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52815" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52815", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52815", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/33fb1a555354bd593f785935ddcb5d9dd4d3847f", + "https://git.kernel.org/stable/c/70f831f21155c692bb336c434936fd6f24f3f81a", + "https://git.kernel.org/stable/c/8c6c85a073768df68c1a3fea143d013a38c66d34", + "https://git.kernel.org/stable/c/cd90511557fdfb394bb4ac4c3b539b007383914c", + "https://git.kernel.org/stable/c/eaa03ea366c85ae3cb69c8d4bbc67c8bc2167a27" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vkms: fix a possible null pointer dereference\n\nIn amdgpu_vkms_conn_get_modes(), the return value of drm_cvt_mode()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_cvt_mode(). Add a check to avoid null pointer\ndereference.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52815" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52816", + "dataSource": "https://ubuntu.com/security/CVE-2023-52816", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52816" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52816", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52816", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2806f880379232e789957c2078d612669eb7a69c", + "https://git.kernel.org/stable/c/282c1d793076c2edac6c3db51b7e8ed2b41d60a5", + "https://git.kernel.org/stable/c/3f7a400d5e80f99581e3e8a9843e1f6118bf454f", + "https://git.kernel.org/stable/c/56649c43d40ce0147465a2d5756d300e87f9ee1c", + "https://git.kernel.org/stable/c/d33a35b13cbfec3238043f196fa87a6384f9d087" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix shift out-of-bounds issue\n\n[ 567.613292] shift exponent 255 is too large for 64-bit type 'long unsigned int'\n[ 567.614498] CPU: 5 PID: 238 Comm: kworker/5:1 Tainted: G OE 6.2.0-34-generic #34~22.04.1-Ubuntu\n[ 567.614502] Hardware name: AMD Splinter/Splinter-RPL, BIOS WS43927N_871 09/25/2023\n[ 567.614504] Workqueue: events send_exception_work_handler [amdgpu]\n[ 567.614748] Call Trace:\n[ 567.614750] \n[ 567.614753] dump_stack_lvl+0x48/0x70\n[ 567.614761] dump_stack+0x10/0x20\n[ 567.614763] __ubsan_handle_shift_out_of_bounds+0x156/0x310\n[ 567.614769] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.614773] ? update_sd_lb_stats.constprop.0+0xf2/0x3c0\n[ 567.614780] svm_range_split_by_granularity.cold+0x2b/0x34 [amdgpu]\n[ 567.615047] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.615052] svm_migrate_to_ram+0x185/0x4d0 [amdgpu]\n[ 567.615286] do_swap_page+0x7b6/0xa30\n[ 567.615291] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.615294] ? __free_pages+0x119/0x130\n[ 567.615299] handle_pte_fault+0x227/0x280\n[ 567.615303] __handle_mm_fault+0x3c0/0x720\n[ 567.615311] handle_mm_fault+0x119/0x330\n[ 567.615314] ? lock_mm_and_find_vma+0x44/0x250\n[ 567.615318] do_user_addr_fault+0x1a9/0x640\n[ 567.615323] exc_page_fault+0x81/0x1b0\n[ 567.615328] asm_exc_page_fault+0x27/0x30\n[ 567.615332] RIP: 0010:__get_user_8+0x1c/0x30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52816" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52817", + "dataSource": "https://ubuntu.com/security/CVE-2023-52817", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52817" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52817", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/174f62a0aa15c211e60208b41ee9e7cdfb73d455", + "https://git.kernel.org/stable/c/437e0fa907ba39b4d7eda863c03ea9cf48bd93a9", + "https://git.kernel.org/stable/c/5104fdf50d326db2c1a994f8b35dcd46e63ae4ad", + "https://git.kernel.org/stable/c/6c1b3d89a2dda79881726bb6e37af19c0936d736", + "https://git.kernel.org/stable/c/820daf9ffe2b0afb804567b10983fb38bc5ae288", + "https://git.kernel.org/stable/c/ba3c0796d292de84f2932cc5bbb0f771fc720996", + "https://git.kernel.org/stable/c/bf2d51eedf03bd61e3556e35d74d49e2e6112398", + "https://git.kernel.org/stable/c/f475d5502f33a6c5b149b0afe96316ad1962a64a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\n\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\n\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log::\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636] \n[4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002] full_proxy_read+0x5c/0x80\n[4005007.703011] vfs_read+0x9f/0x1a0\n[4005007.703019] ksys_read+0x67/0xe0\n[4005007.703023] __x64_sys_read+0x19/0x20\n[4005007.703028] do_syscall_64+0x5c/0xc0\n[4005007.703034] ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052] ? irqentry_exit+0x19/0x30\n[4005007.703057] ? exc_page_fault+0x89/0x160\n[4005007.703062] ? asm_exc_page_fault+0x8/0x30\n[4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105] \n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52817" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52818", + "dataSource": "https://ubuntu.com/security/CVE-2023-52818", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52818" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52818", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6dffdddfca818c02a42b6caa1d9845995f0a1f94", + "https://git.kernel.org/stable/c/760efbca74a405dc439a013a5efaa9fadc95a8c3", + "https://git.kernel.org/stable/c/8af28ae3acb736ada4ce3457662fa446cc913bb4", + "https://git.kernel.org/stable/c/92a775e7c9707aed28782bafe636bf87675f5a97", + "https://git.kernel.org/stable/c/acdb6830de02cf2873aeaccdf2d9bca4aee50e47", + "https://git.kernel.org/stable/c/c847379a5d00078ad6fcb1c24230e72c5609342f", + "https://git.kernel.org/stable/c/cfd8cd907fd94538561479a43aea455f5cf16928", + "https://git.kernel.org/stable/c/e52e324a21341c97350d5f11de14721c1c609498", + "https://git.kernel.org/stable/c/fc9ac0e8e0bcb3740c6eaad3a1a50c20016d422b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\n\nFor pptable structs that use flexible array sizes, use flexible arrays.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52818" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52819", + "dataSource": "https://ubuntu.com/security/CVE-2023-52819", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52819" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52819", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52819", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f0e59075b5c22f1e871fbd508d6e4f495048356", + "https://git.kernel.org/stable/c/60a00dfc7c5deafd1dd393beaf53224f7256dad6", + "https://git.kernel.org/stable/c/7c68283f3166221af3df5791f0e13d3137a72216", + "https://git.kernel.org/stable/c/8c1dbddbfcb051e82cea0c197c620f9dcdc38e92", + "https://git.kernel.org/stable/c/a237675aa1e62bbfaa341c535331c8656a508fa1", + "https://git.kernel.org/stable/c/a63fd579e7b1c3a9ebd6e6c494d49b1b6cf5515e", + "https://git.kernel.org/stable/c/b3b8b7c040cf069da7afe11c5bd73b870b8f3d18", + "https://git.kernel.org/stable/c/d0725232da777840703f5f1e22f2e3081d712aa4", + "https://git.kernel.org/stable/c/d50a56749e5afdc63491b88f5153c1aae00d4679" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga\n\nFor pptable structs that use flexible array sizes, use flexible arrays.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52819" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52821", + "dataSource": "https://ubuntu.com/security/CVE-2023-52821", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52821" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52821", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52821", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2381f6b628b3214f07375e0adf5ce17093c31190", + "https://git.kernel.org/stable/c/4fa930ba046d20fc1899770396ee11e905fa96e4", + "https://git.kernel.org/stable/c/79813cd59398015867d51e6d7dcc14d287d4c402", + "https://git.kernel.org/stable/c/8a9dd36fcb4f3906982b82593393578db4479992", + "https://git.kernel.org/stable/c/924e5814d1f84e6fa5cb19c6eceb69f066225229", + "https://git.kernel.org/stable/c/c7dc0aca5962fb37dbea9769dd26ec37813faae1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: fix a possible null pointer dereference\n\nIn versatile_panel_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52821" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52825", + "dataSource": "https://ubuntu.com/security/CVE-2023-52825", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52825" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52825", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52825", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/50f35a907c4f9ed431fd3dbb8b871ef1cbb0718e", + "https://git.kernel.org/stable/c/709c348261618da7ed89d6c303e2ceb9e453ba74", + "https://git.kernel.org/stable/c/7d43cdd22cd81a2b079e864c4321b9aba4c6af34", + "https://git.kernel.org/stable/c/c772eacbd6d0845fc922af8716bb9d29ae27b8cf", + "https://git.kernel.org/stable/c/fc0210720127cc6302e6d6f3de48f49c3fcf5659" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix a race condition of vram buffer unref in svm code\n\nprange->svm_bo unref can happen in both mmu callback and a callback after\nmigrate to system ram. Both are async call in different tasks. Sync svm_bo\nunref operation to avoid random \"use-after-free\".", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52825" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52826", + "dataSource": "https://ubuntu.com/security/CVE-2023-52826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52826", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/84c923d898905187ebfd4c0ef38cd1450af7e0ea", + "https://git.kernel.org/stable/c/9268bfd76bebc85ff221691b61498cc16d75451c", + "https://git.kernel.org/stable/c/9acc2bc00135e9ecd13a70ce1140e2673e504cdc", + "https://git.kernel.org/stable/c/d0bc9ab0a161a9745273f5bf723733a8e6c57aca", + "https://git.kernel.org/stable/c/eaede6900c0961b072669d6bd97fe8f90ed1900f", + "https://git.kernel.org/stable/c/f22def5970c423ea7f87d5247bd0ef91416b0658" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel/panel-tpo-tpg110: fix a possible null pointer dereference\n\nIn tpg110_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52826" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52828", + "dataSource": "https://ubuntu.com/security/CVE-2023-52828", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52828" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52828", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52828", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/327b92e8cb527ae097961ffd1610c720481947f5", + "https://git.kernel.org/stable/c/6058e4829696412457729a00734969acc6fd1d18", + "https://git.kernel.org/stable/c/66d9111f3517f85ef2af0337ece02683ce0faf21", + "https://git.kernel.org/stable/c/821a7e4143af115b840ec199eb179537e18af922", + "https://git.kernel.org/stable/c/aa42a7cb92647786719fe9608685da345883878f", + "https://git.kernel.org/stable/c/cf353904a82873e952633fcac4385c2fcd3a46e1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Detect IP == ksym.end as part of BPF program\n\nNow that bpf_throw kfunc is the first such call instruction that has\nnoreturn semantics within the verifier, this also kicks in dead code\nelimination in unprecedented ways. For one, any instruction following\na bpf_throw call will never be marked as seen. Moreover, if a callchain\nends up throwing, any instructions after the call instruction to the\neventually throwing subprog in callers will also never be marked as\nseen.\n\nThe tempting way to fix this would be to emit extra 'int3' instructions\nwhich bump the jited_len of a program, and ensure that during runtime\nwhen a program throws, we can discover its boundaries even if the call\ninstruction to bpf_throw (or to subprogs that always throw) is emitted\nas the final instruction in the program.\n\nAn example of such a program would be this:\n\ndo_something():\n\t...\n\tr0 = 0\n\texit\n\nfoo():\n\tr1 = 0\n\tcall bpf_throw\n\tr0 = 0\n\texit\n\nbar(cond):\n\tif r1 != 0 goto pc+2\n\tcall do_something\n\texit\n\tcall foo\n\tr0 = 0 // Never seen by verifier\n\texit\t//\n\nmain(ctx):\n\tr1 = ...\n\tcall bar\n\tr0 = 0\n\texit\n\nHere, if we do end up throwing, the stacktrace would be the following:\n\nbpf_throw\nfoo\nbar\nmain\n\nIn bar, the final instruction emitted will be the call to foo, as such,\nthe return address will be the subsequent instruction (which the JIT\nemits as int3 on x86). This will end up lying outside the jited_len of\nthe program, thus, when unwinding, we will fail to discover the return\naddress as belonging to any program and end up in a panic due to the\nunreliable stack unwinding of BPF programs that we never expect.\n\nTo remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as\npart of the BPF program, so that is_bpf_text_address returns true when\nsuch a case occurs, and we are able to unwind reliably when the final\ninstruction ends up being a call instruction.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52828" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52829", + "dataSource": "https://ubuntu.com/security/CVE-2023-52829", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52829" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52829", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4dd0547e8b45faf6f95373be5436b66cde326c0e", + "https://git.kernel.org/stable/c/b302dce3d9edea5b93d1902a541684a967f3c63c", + "https://git.kernel.org/stable/c/dfe13eaab043130f90dd3d57c7d88577c04adc97" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()\n\nreg_cap.phy_id is extracted from WMI event and could be an unexpected value\nin case some errors happen. As a result out-of-bound write may occur to\nsoc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.\n\nThis is found during code review.\n\nCompile tested only.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52829" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52831", + "dataSource": "https://ubuntu.com/security/CVE-2023-52831", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52831" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52831", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52831", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63", + "https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13", + "https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908", + "https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpu/hotplug: Don't offline the last non-isolated CPU\n\nIf a system has isolated CPUs via the \"isolcpus=\" command line parameter,\nthen an attempt to offline the last housekeeping CPU will result in a\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\nto and unhandled empty CPU mas in partition_sched_domains_locked().\n\ncpuset_hotplug_workfn()\n rebuild_sched_domains_locked()\n ndoms = generate_sched_domains(&doms, &attr);\n cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\n\nThus results in an empty CPU mask which triggers the warning and then the\nsubsequent crash:\n\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\nCall trace:\n build_sched_domains+0x120c/0x1408\n partition_sched_domains_locked+0x234/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n rebuild_sched_domains+0x30/0x58\n cpuset_hotplug_workfn+0x2a8/0x930\n\nUnable to handle kernel paging request at virtual address fffe80027ab37080\n partition_sched_domains_locked+0x318/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n\nAside of the resulting crash, it does not make any sense to offline the last\nlast housekeeping CPU.\n\nPrevent this by masking out the non-housekeeping CPUs when selecting a\ntarget CPU for initiating the CPU unplug operation via the work queue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52831" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52832", + "dataSource": "https://ubuntu.com/security/CVE-2023-52832", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52832" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52832", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52832", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/1571120c44dbe5757aee1612c5b6097cdc42710f", + "https://git.kernel.org/stable/c/21a0f310a9f3bfd2b4cf4f382430e638607db846", + "https://git.kernel.org/stable/c/298e767362cade639b7121ecb3cc5345b6529f62", + "https://git.kernel.org/stable/c/2be24c47ac19bf639c48c082486c08888bd603c6", + "https://git.kernel.org/stable/c/5a94cffe90e20e8fade0b9abd4370bd671fe87c7", + "https://git.kernel.org/stable/c/717de20abdcd1d4993fa450e28b8086a352620ea", + "https://git.kernel.org/stable/c/adc2474d823fe81d8da759207f4f1d3691aa775a", + "https://git.kernel.org/stable/c/e160ab85166e77347d0cbe5149045cb25e83937f", + "https://git.kernel.org/stable/c/efeae5f4972f75d50002bc50eb112ab9e7069b18" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don't return unset power in ieee80211_get_tx_power()\n\nWe can get a UBSAN warning if ieee80211_get_tx_power() returns the\nINT_MIN value mac80211 internally uses for \"unset power level\".\n\n UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5\n -2147483648 * 100 cannot be represented in type 'int'\n CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE\n Call Trace:\n dump_stack+0x74/0x92\n ubsan_epilogue+0x9/0x50\n handle_overflow+0x8d/0xd0\n __ubsan_handle_mul_overflow+0xe/0x10\n nl80211_send_iface+0x688/0x6b0 [cfg80211]\n [...]\n cfg80211_register_wdev+0x78/0xb0 [cfg80211]\n cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]\n [...]\n ieee80211_if_add+0x60e/0x8f0 [mac80211]\n ieee80211_register_hw+0xda5/0x1170 [mac80211]\n\nIn this case, simply return an error instead, to indicate\nthat no data is available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52832" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52833", + "dataSource": "https://ubuntu.com/security/CVE-2023-52833", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52833" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52833", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52833", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0048ddf045bddc4dacb3e783fd869a2f8fb5be30", + "https://git.kernel.org/stable/c/13b1ebad4c175e6a9b0748acbf133c21a15d282a", + "https://git.kernel.org/stable/c/624820f7c8826dd010e8b1963303c145f99816e9", + "https://git.kernel.org/stable/c/9f8e4d1a4ca1179aaeb43f91f3e2a386e7e616b3", + "https://git.kernel.org/stable/c/a556f2ef556a04790f67f2fa272f1a77336d15a0", + "https://git.kernel.org/stable/c/f9de14bde56dcbb0765284c6dfc35842b021733c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: Add date->evt_skb is NULL check\n\nfix crash because of null pointers\n\n[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[ 6104.969667] #PF: supervisor read access in kernel mode\n[ 6104.969668] #PF: error_code(0x0000) - not-present page\n[ 6104.969670] PGD 0 P4D 0\n[ 6104.969673] Oops: 0000 [#1] SMP NOPTI\n[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]\n[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246\n[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006\n[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000\n[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001\n[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0\n[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90\n[ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000\n[ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0\n[ 6104.969701] PKRU: 55555554\n[ 6104.969702] Call Trace:\n[ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb]\n[ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth]\n[ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth]\n[ 6104.969753] rfkill_set_block+0x92/0x160\n[ 6104.969755] rfkill_fop_write+0x136/0x1e0\n[ 6104.969759] __vfs_write+0x18/0x40\n[ 6104.969761] vfs_write+0xdf/0x1c0\n[ 6104.969763] ksys_write+0xb1/0xe0\n[ 6104.969765] __x64_sys_write+0x1a/0x20\n[ 6104.969769] do_syscall_64+0x51/0x180\n[ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[ 6104.969773] RIP: 0033:0x7f5a21f18fef\n[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef\n[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012\n[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017\n[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002\n[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52833" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52834", + "dataSource": "https://ubuntu.com/security/CVE-2023-52834", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52834" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52834", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52834", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32f08b7b430ee01ec47d730f961a3306c1c7b6fb", + "https://git.kernel.org/stable/c/54a6152da4993ec8e4b53dc3cf577f5a2c829afa", + "https://git.kernel.org/stable/c/57e44ff9c2c9747b2b1a53556810b0e5192655d6", + "https://git.kernel.org/stable/c/86565682e9053e5deb128193ea9e88531bbae9cf", + "https://git.kernel.org/stable/c/c29a89b23f67ee592f4dee61f9d7efbf86d60315" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\natl1c: Work around the DMA RX overflow issue\n\nThis is based on alx driver commit 881d0327db37 (\"net: alx: Work around\nthe DMA RX overflow issue\").\n\nThe alx and atl1c drivers had RX overflow error which was why a custom\nallocator was created to avoid certain addresses. The simpler workaround\nthen created for alx driver, but not for atl1c due to lack of tester.\n\nInstead of using a custom allocator, check the allocated skb address and\nuse skb_reserve() to move away from problematic 0x...fc0 address.\n\nTested on AR8131 on Acer 4540.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52834" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52835", + "dataSource": "https://ubuntu.com/security/CVE-2023-52835", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52835" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52835", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52835", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a2a4202c60fcdffbf04f259002ce9bff39edece", + "https://git.kernel.org/stable/c/2424410f94a94d91230ced094062d859714c984a", + "https://git.kernel.org/stable/c/2e905e608e38cf7f8dcddcf8a6036e91a78444cb", + "https://git.kernel.org/stable/c/54aee5f15b83437f23b2b2469bcf21bdd9823916", + "https://git.kernel.org/stable/c/788c0b3442ead737008934947730a6d1ff703734", + "https://git.kernel.org/stable/c/8c504f615d7ed60ae035c51d0c789137ced6797f", + "https://git.kernel.org/stable/c/9ce4e87a8efd37c85766ec08b15e885cab08553a", + "https://git.kernel.org/stable/c/fd0df3f8719201dbe61a4d39083d5aecd705399a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Bail out early if the request AUX area is out of bound\n\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\n\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n failed to mmap with 12 (Cannot allocate memory)\n\nand it reveals a WARNING with __alloc_pages():\n\n\t------------[ cut here ]------------\n\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\n\tCall trace:\n\t __alloc_pages+0x1ec/0x248\n\t __kmalloc_large_node+0xc0/0x1f8\n\t __kmalloc_node+0x134/0x1e8\n\t rb_alloc_aux+0xe0/0x298\n\t perf_mmap+0x440/0x660\n\t mmap_region+0x308/0x8a8\n\t do_mmap+0x3c0/0x528\n\t vm_mmap_pgoff+0xf4/0x1b8\n\t ksys_mmap_pgoff+0x18c/0x218\n\t __arm64_sys_mmap+0x38/0x58\n\t invoke_syscall+0x50/0x128\n\t el0_svc_common.constprop.0+0x58/0x188\n\t do_el0_svc+0x34/0x50\n\t el0_svc+0x34/0x108\n\t el0t_64_sync_handler+0xb8/0xc0\n\t el0t_64_sync+0x1a4/0x1a8\n\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\nmaintains AUX trace pages. The allocated page for this array is physically\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\nWARNING.\n\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\ne.g.:\n\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n failed to mmap with 12 (Cannot allocate memory)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52835" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52836", + "dataSource": "https://ubuntu.com/security/CVE-2023-52836", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52836" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52836", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52836", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/304a2c4aad0fff887ce493e4197bf9cbaf394479", + "https://git.kernel.org/stable/c/9ed2d68b3925145f5f51c46559484881d6082f75", + "https://git.kernel.org/stable/c/bccdd808902f8c677317cec47c306e42b93b849e", + "https://git.kernel.org/stable/c/c56df79d68677cf062da1b6e3b33e74299a92dfc", + "https://git.kernel.org/stable/c/d4d37c9e6a4dbcca958dabd99216550525c7e389", + "https://git.kernel.org/stable/c/d8267cabbe1bed15ccf8b0e684c528bf8eeef715", + "https://git.kernel.org/stable/c/dcd85e3c929368076a7592b27f541e0da8b427f5", + "https://git.kernel.org/stable/c/e36407713163363e65566e7af0abe207d5f59a0c", + "https://git.kernel.org/stable/c/e89d0ed45a419c485bae999426ecf92697cbdda3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/ww_mutex/test: Fix potential workqueue corruption\n\nIn some cases running with the test-ww_mutex code, I was seeing\nodd behavior where sometimes it seemed flush_workqueue was\nreturning before all the work threads were finished.\n\nOften this would cause strange crashes as the mutexes would be\nfreed while they were being used.\n\nLooking at the code, there is a lifetime problem as the\ncontrolling thread that spawns the work allocates the\n\"struct stress\" structures that are passed to the workqueue\nthreads. Then when the workqueue threads are finished,\nthey free the stress struct that was passed to them.\n\nUnfortunately the workqueue work_struct node is in the stress\nstruct. Which means the work_struct is freed before the work\nthread returns and while flush_workqueue is waiting.\n\nIt seems like a better idea to have the controlling thread\nboth allocate and free the stress structures, so that we can\nbe sure we don't corrupt the workqueue by freeing the structure\nprematurely.\n\nSo this patch reworks the test to do so, and with this change\nI no longer see the early flush_workqueue returns.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52836" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52837", + "dataSource": "https://ubuntu.com/security/CVE-2023-52837", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52837" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52837", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52837", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/327462725b0f759f093788dfbcb2f1fd132f956b", + "https://git.kernel.org/stable/c/4e9b3ec84dc97909876641dad14e0a2300d6c2a3", + "https://git.kernel.org/stable/c/56bd7901b5e9dbc9112036ea615ebcba1565fafe", + "https://git.kernel.org/stable/c/879947f4180bc6e83af64eb0515e0cf57fce15db" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix uaf in nbd_open\n\nCommit 4af5f2e03013 (\"nbd: use blk_mq_alloc_disk and\nblk_cleanup_disk\") cleans up disk by blk_cleanup_disk() and it won't set\ndisk->private_data as NULL as before. UAF may be triggered in nbd_open()\nif someone tries to open nbd device right after nbd_put() since nbd has\nbeen free in nbd_dev_remove().\n\nFix this by implementing ->free_disk and free private data in it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52837" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52838", + "dataSource": "https://ubuntu.com/security/CVE-2023-52838", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52838" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52838", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52838", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/18d26f9baca7d0d309303e3074a2252b8310884a", + "https://git.kernel.org/stable/c/382e1931e0c9cd58a5a8519cdc6cd9dc4d82b485", + "https://git.kernel.org/stable/c/6c66d737b2726ac7784269ddf32a31634f8f269d", + "https://git.kernel.org/stable/c/7bc7b82fb2191b0d50a80ee4e27030918767dd1d", + "https://git.kernel.org/stable/c/8e4b510fe91782522b7ca0ca881b663b5d35e513", + "https://git.kernel.org/stable/c/a4dfebec32ec6d420a5506dd56a7834c91be28e4", + "https://git.kernel.org/stable/c/aba6ab57a910ad4b940c2024d15f2cdbf5b7f76b", + "https://git.kernel.org/stable/c/b346a531159d08c564a312a9eaeea691704f3c00" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: imsttfb: fix a resource leak in probe\n\nI've re-written the error handling but the bug is that if init_imstt()\nfails we need to call iounmap(par->cmap_regs).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52838" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52840", + "dataSource": "https://ubuntu.com/security/CVE-2023-52840", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52840" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52840", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52840", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2f236d8638f5b43e0c72919a6a27fe286c32053f", + "https://git.kernel.org/stable/c/303766bb92c5c225cf40f9bbbe7e29749406e2f2", + "https://git.kernel.org/stable/c/50d12253666195a14c6cd2b81c376e2dbeedbdff", + "https://git.kernel.org/stable/c/6c71e065befb2fae8f1461559b940c04e1071bd5", + "https://git.kernel.org/stable/c/7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f", + "https://git.kernel.org/stable/c/c8e639f5743cf4b01f8c65e0df075fe4d782b585", + "https://git.kernel.org/stable/c/cc56c4d17721dcb10ad4e9c9266e449be1462683", + "https://git.kernel.org/stable/c/eb988e46da2e4eae89f5337e047ce372fe33d5b1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: synaptics-rmi4 - fix use after free in rmi_unregister_function()\n\nThe put_device() calls rmi_release_function() which frees \"fn\" so the\ndereference on the next line \"fn->num_of_irqs\" is a use after free.\nMove the put_device() to the end to fix this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52840" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52841", + "dataSource": "https://ubuntu.com/security/CVE-2023-52841", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52841" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52841", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52841", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1fd6eb12642e0c32692924ff359c07de4b781d78", + "https://git.kernel.org/stable/c/64863ba8e6b7651d994c6e6d506cc8aa2ac45edb", + "https://git.kernel.org/stable/c/980be4c3b0d51c0f873fd750117774561c66cf68", + "https://git.kernel.org/stable/c/a254ee1ddc592ae1efcce96b8c014e1bd2d5a2b4", + "https://git.kernel.org/stable/c/aae7598aff291d4d140be1355aa20930af948785", + "https://git.kernel.org/stable/c/cb13001411999adb158b39e76d94705eb2da100d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: mux: Add check and kfree for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.\nMoreover, use kfree() in the later error handling in order to avoid\nmemory leak.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52841" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52843", + "dataSource": "https://ubuntu.com/security/CVE-2023-52843", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52843" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52843", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52843", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a720d0259ad3521ec6c9e4199f9f6fc75bac77a", + "https://git.kernel.org/stable/c/352887b3edd007cf9b0abc30fe9d98622acd859b", + "https://git.kernel.org/stable/c/3a2653828ffc6101aef80bf58d5b77484239f779", + "https://git.kernel.org/stable/c/7b3ba18703a63f6fd487183b9262b08e5632da1b", + "https://git.kernel.org/stable/c/900a4418e3f66a32db6baaf23f92b99c20ae6535", + "https://git.kernel.org/stable/c/9a3f9054a5227d7567cba1fb821df48ccecad10c", + "https://git.kernel.org/stable/c/cbdcdf42d15dac74c7287679fb2a9d955f8feb1f", + "https://git.kernel.org/stable/c/f980e9a57dfb9530f1f4ee41a2420f2a256d7b29", + "https://git.kernel.org/stable/c/ff5cb6a4f0c6d7fbdc84858323fb4b7af32cfd79" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: verify mac len before reading mac header\n\nLLC reads the mac header with eth_hdr without verifying that the skb\nhas an Ethernet header.\n\nSyzbot was able to enter llc_rcv on a tun device. Tun can insert\npackets without mac len and with user configurable skb->protocol\n(passing a tun_pi header when not configuring IFF_NO_PI).\n\n BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218\n __netif_receive_skb_one_core net/core/dev.c:5523 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\n netif_receive_skb_internal net/core/dev.c:5723 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5782\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002\n\nAdd a mac_len test before all three eth_hdr(skb) calls under net/llc.\n\nThere are further uses in include/net/llc_pdu.h. All these are\nprotected by a test skb->protocol == ETH_P_802_2. Which does not\nprotect against this tun scenario.\n\nBut the mac_len test added in this patch in llc_fixup_skb will\nindirectly protect those too. That is called from llc_rcv before any\nother LLC code.\n\nIt is tempting to just add a blanket mac_len check in llc_rcv, but\nnot sure whether that could break valid LLC paths that do not assume\nan Ethernet header. 802.2 LLC may be used on top of non-802.3\nprotocols in principle. The below referenced commit shows that used\nto, on top of Token Ring.\n\nAt least one of the three eth_hdr uses goes back to before the start\nof git history. But the one that syzbot exercises is introduced in\nthis commit. That commit is old enough (2008), that effectively all\nstable kernels should receive this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52843" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52844", + "dataSource": "https://ubuntu.com/security/CVE-2023-52844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52844", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3387490c89b10aeb4e71d78b65dbc9ba4b2385b9", + "https://git.kernel.org/stable/c/5c26aae3723965c291c65dd2ecad6a3240d422b0", + "https://git.kernel.org/stable/c/5cfcc8de7d733a1137b86954cc28ce99972311ad", + "https://git.kernel.org/stable/c/76a2c5df6ca8bd8ada45e953b8c72b746f42918d", + "https://git.kernel.org/stable/c/a51335704a3f90eaf23a6864faefca34b382490a", + "https://git.kernel.org/stable/c/d17269fb9161995303985ab2fe6f16cfb72152f9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: psi: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52844" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52845", + "dataSource": "https://ubuntu.com/security/CVE-2023-52845", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52845" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52845", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52845", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19b3f72a41a8751e26bffc093bb7e1cef29ad579", + "https://git.kernel.org/stable/c/2199260c42e6fbc5af8adae3bf78e623407c91b0", + "https://git.kernel.org/stable/c/2426425d686b43adbc4f2f4a367b494f06f159d6", + "https://git.kernel.org/stable/c/3907b89cd17fcc23e9a80789c36856f00ece0ba8", + "https://git.kernel.org/stable/c/4c731e98fe4d678e87ba3e4d45d3cf0a5a193dc4", + "https://git.kernel.org/stable/c/560992f41c0cea44b7603bc9e6c73bffbf6b5709", + "https://git.kernel.org/stable/c/6744008c354bca2e4686a5b6056ee6b535d9f67d", + "https://git.kernel.org/stable/c/abc1582119e8c4af14cedb0db6541fd603f45a04", + "https://git.kernel.org/stable/c/b33d130f07f1decd756b849ab03c23d11d4dd294" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Change nla_policy for bearer-related names to NLA_NUL_STRING\n\nsyzbot reported the following uninit-value access issue [1]:\n\n=====================================================\nBUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]\nBUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756\n strlen lib/string.c:418 [inline]\n strstr+0xb8/0x2f0 lib/string.c:756\n tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595\n genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]\n genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066\n netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\n netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n __alloc_skb+0x318/0x740 net/core/skbuff.c:650\n alloc_skb include/linux/skbuff.h:1286 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]\n netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTIPC bearer-related names including link names must be null-terminated\nstrings. If a link name which is not null-terminated is passed through\nnetlink, strstr() and similar functions can cause buffer overrun. This\ncauses the above issue.\n\nThis patch changes the nla_policy for bearer-related names from NLA_STRING\nto NLA_NUL_STRING. This resolves the issue by ensuring that only\nnull-terminated strings are accepted as bearer-related names.\n\nsyzbot reported similar uninit-value issue related to bearer names [2]. The\nroot cause of this issue is that a non-null-terminated bearer name was\npassed. This patch also resolved this issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52845" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52846", + "dataSource": "https://ubuntu.com/security/CVE-2023-52846", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52846" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52846", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52846", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1787b9f0729d318d67cf7c5a95f0c3dba9a7cc18", + "https://git.kernel.org/stable/c/6086258bd5ea7b5c706ff62da42b8e271b2401db", + "https://git.kernel.org/stable/c/876f8ab52363f649bcc74072157dfd7adfbabc0d", + "https://git.kernel.org/stable/c/a1a485e45d24b1cd8fe834fd6f1b06e2903827da", + "https://git.kernel.org/stable/c/d103fb6726904e353b4773188ee3d3acb4078363", + "https://git.kernel.org/stable/c/ddf4e04e946aaa6c458b8b6829617cc44af2bffd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Prevent use after free in prp_create_tagged_frame()\n\nThe prp_fill_rct() function can fail. In that situation, it frees the\nskb and returns NULL. Meanwhile on the success path, it returns the\noriginal skb. So it's straight forward to fix bug by using the returned\nvalue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52846" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52847", + "dataSource": "https://ubuntu.com/security/CVE-2023-52847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52847" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52847", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1871014d6ef4812ad11ef7d838d73ce09d632267", + "https://git.kernel.org/stable/c/20568d06f6069cb835e05eed432edf962645d226", + "https://git.kernel.org/stable/c/2f3d9198cdae1cb079ec8652f4defacd481eab2b", + "https://git.kernel.org/stable/c/51c94256a83fe4e17406c66ff3e1ad7d242d8574", + "https://git.kernel.org/stable/c/847599fffa528b2cdec4e21b6bf7586dad982132", + "https://git.kernel.org/stable/c/b35fdade92c5058a5e727e233fe263b828de2c9a", + "https://git.kernel.org/stable/c/bbc3b8dd2cb7817e703f112d988e4f4728f0f2a9", + "https://git.kernel.org/stable/c/bd5b50b329e850d467e7bcc07b2b6bde3752fbda" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: bttv: fix use after free error due to btv->timeout timer\n\nThere may be some a race condition between timer function\nbttv_irq_timeout and bttv_remove. The timer is setup in\nprobe and there is no timer_delete operation in remove\nfunction. When it hit kfree btv, the function might still be\ninvoked, which will cause use after free bug.\n\nThis bug is found by static analysis, it may be false positive.\n\nFix it by adding del_timer_sync invoking to the remove function.\n\ncpu0 cpu1\n bttv_probe\n ->timer_setup\n ->bttv_set_dma\n ->mod_timer;\nbttv_remove\n ->kfree(btv);\n ->bttv_irq_timeout\n ->USE btv", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52847" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52849", + "dataSource": "https://ubuntu.com/security/CVE-2023-52849", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52849" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52849", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52849", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ca074f7d788627a4e0b047ca5fbdb5fc567220c", + "https://git.kernel.org/stable/c/20bd0198bebdd706bd4614b3933ef70d7c19618f", + "https://git.kernel.org/stable/c/7c7371b41a14e86f53e7dbe5baa7b1d3e0ab324b", + "https://git.kernel.org/stable/c/88d3917f82ed4215a2154432c26de1480a61b209", + "https://git.kernel.org/stable/c/cad22a757029c3a1985c221a2d4a6491ad4035ae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mem: Fix shutdown order\n\nIra reports that removing cxl_mock_mem causes a crash with the following\ntrace:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000044\n [..]\n RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core]\n [..]\n Call Trace:\n \n cxl_region_detach+0xe8/0x210 [cxl_core]\n cxl_decoder_kill_region+0x27/0x40 [cxl_core]\n cxld_unregister+0x29/0x40 [cxl_core]\n devres_release_all+0xb8/0x110\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1d2/0x210\n bus_remove_device+0xd7/0x150\n device_del+0x155/0x3e0\n device_unregister+0x13/0x60\n devm_release_action+0x4d/0x90\n ? __pfx_unregister_port+0x10/0x10 [cxl_core]\n delete_endpoint+0x121/0x130 [cxl_core]\n devres_release_all+0xb8/0x110\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1d2/0x210\n bus_remove_device+0xd7/0x150\n device_del+0x155/0x3e0\n ? lock_release+0x142/0x290\n cdev_device_del+0x15/0x50\n cxl_memdev_unregister+0x54/0x70 [cxl_core]\n\nThis crash is due to the clearing out the cxl_memdev's driver context\n(@cxlds) before the subsystem is done with it. This is ultimately due to\nthe region(s), that this memdev is a member, being torn down and expecting\nto be able to de-reference @cxlds, like here:\n\nstatic int cxl_region_decode_reset(struct cxl_region *cxlr, int count)\n...\n if (cxlds->rcd)\n goto endpoint_reset;\n...\n\nFix it by keeping the driver context valid until memdev-device\nunregistration, and subsequently the entire stack of related\ndependencies, unwinds.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52849" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52852", + "dataSource": "https://ubuntu.com/security/CVE-2023-52852", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52852" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52852", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52852", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8c4504cc0c64862740a6acb301e0cfa59580dbc5", + "https://git.kernel.org/stable/c/932ddb5c29e884cc6fac20417ece72ba4a35c401", + "https://git.kernel.org/stable/c/9375ea7f269093d7c884857ae1f47633a91f429c", + "https://git.kernel.org/stable/c/9d065aa52b6ee1b06f9c4eca881c9b4425a12ba2", + "https://git.kernel.org/stable/c/b0327c84e91a0f4f0abced8cb83ec86a7083f086" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to avoid use-after-free on dic\n\nCall trace:\n __memcpy+0x128/0x250\n f2fs_read_multi_pages+0x940/0xf7c\n f2fs_mpage_readpages+0x5a8/0x624\n f2fs_readahead+0x5c/0x110\n page_cache_ra_unbounded+0x1b8/0x590\n do_sync_mmap_readahead+0x1dc/0x2e4\n filemap_fault+0x254/0xa8c\n f2fs_filemap_fault+0x2c/0x104\n __do_fault+0x7c/0x238\n do_handle_mm_fault+0x11bc/0x2d14\n do_mem_abort+0x3a8/0x1004\n el0_da+0x3c/0xa0\n el0t_64_sync_handler+0xc4/0xec\n el0t_64_sync+0x1b4/0x1b8\n\nIn f2fs_read_multi_pages(), once f2fs_decompress_cluster() was called if\nwe hit cached page in compress_inode's cache, dic may be released, it needs\nbreak the loop rather than continuing it, in order to avoid accessing\ninvalid dic pointer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52852" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52853", + "dataSource": "https://ubuntu.com/security/CVE-2023-52853", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52853" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52853", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52853", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/012d0c66f9392a99232ac28217229f32dd3a70cf", + "https://git.kernel.org/stable/c/3d959406c8fff2334d83d0c352d54fd6f5b2e7cd", + "https://git.kernel.org/stable/c/727203e6e7e7020e1246fc1628cbdb8d90177819", + "https://git.kernel.org/stable/c/bafb12b629b7c3ad59812dd1ac1b0618062e0e38", + "https://git.kernel.org/stable/c/df0daac2709473531d6a3472997cc65301ac06d6", + "https://git.kernel.org/stable/c/e3c2d2d144c082dd71596953193adf9891491f42", + "https://git.kernel.org/stable/c/eb1121fac7986b30915ba20c5a04cc01fdcf160c", + "https://git.kernel.org/stable/c/fb5718bc67337dde1528661f419ffcf275757592" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhid: cp2112: Fix duplicate workqueue initialization\n\nPreviously the cp2112 driver called INIT_DELAYED_WORK within\ncp2112_gpio_irq_startup, resulting in duplicate initilizations of the\nworkqueue on subsequent IRQ startups following an initial request. This\nresulted in a warning in set_work_data in workqueue.c, as well as a rare\nNULL dereference within process_one_work in workqueue.c.\n\nInitialize the workqueue within _probe instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52853" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52854", + "dataSource": "https://ubuntu.com/security/CVE-2023-52854", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52854" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52854", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52854", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0dd34a7ad395dbcf6ae60e48e9786050e25b9bc5", + "https://git.kernel.org/stable/c/1734a79e951914f1db2c65e635012a35db1c674b", + "https://git.kernel.org/stable/c/1e901bcb8af19416b65f5063a4af7996e5a51d7f", + "https://git.kernel.org/stable/c/41aad9d6953984d134fc50f631f24ef476875d4d", + "https://git.kernel.org/stable/c/7ddc21e317b360c3444de3023bcc83b85fabae2f", + "https://git.kernel.org/stable/c/c7c26d0ef5d20f00dbb2ae3befcabbe0efa77275" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix refcnt handling in padata_free_shell()\n\nIn a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead\nto system UAF (Use-After-Free) issues. Due to the lengthy analysis of\nthe pcrypt_aead01 function call, I'll describe the problem scenario\nusing a simplified model:\n\nSuppose there's a user of padata named `user_function` that adheres to\nthe padata requirement of calling `padata_free_shell` after `serial()`\nhas been invoked, as demonstrated in the following code:\n\n```c\nstruct request {\n struct padata_priv padata;\n struct completion *done;\n};\n\nvoid parallel(struct padata_priv *padata) {\n do_something();\n}\n\nvoid serial(struct padata_priv *padata) {\n struct request *request = container_of(padata,\n \t\t\t\tstruct request,\n\t\t\t\tpadata);\n complete(request->done);\n}\n\nvoid user_function() {\n DECLARE_COMPLETION(done)\n padata->parallel = parallel;\n padata->serial = serial;\n padata_do_parallel();\n wait_for_completion(&done);\n padata_free_shell();\n}\n```\n\nIn the corresponding padata.c file, there's the following code:\n\n```c\nstatic void padata_serial_worker(struct work_struct *serial_work) {\n ...\n cnt = 0;\n\n while (!list_empty(&local_list)) {\n ...\n padata->serial(padata);\n cnt++;\n }\n\n local_bh_enable();\n\n if (refcount_sub_and_test(cnt, &pd->refcnt))\n padata_free_pd(pd);\n}\n```\n\nBecause of the high system load and the accumulation of unexecuted\nsoftirq at this moment, `local_bh_enable()` in padata takes longer\nto execute than usual. Subsequently, when accessing `pd->refcnt`,\n`pd` has already been released by `padata_free_shell()`, resulting\nin a UAF issue with `pd->refcnt`.\n\nThe fix is straightforward: add `refcount_dec_and_test` before calling\n`padata_free_pd` in `padata_free_shell`.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52854" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52855", + "dataSource": "https://ubuntu.com/security/CVE-2023-52855", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52855" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52855", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52855", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/14c9ec34e8118fbffd7f5431814d767726323e72", + "https://git.kernel.org/stable/c/3e851a77a13ce944d703721793f49ee82622986d", + "https://git.kernel.org/stable/c/64c47749fc7507ed732e155c958253968c1d275e", + "https://git.kernel.org/stable/c/6b21a22728852d020a6658d39cd7bb7e14b07790", + "https://git.kernel.org/stable/c/a7bee9598afb38004841a41dd8fe68c1faff4e90", + "https://git.kernel.org/stable/c/bdb3dd4096302d6b87441fdc528439f171b04be6", + "https://git.kernel.org/stable/c/ef307bc6ef04e8c1ea843231db58e3afaafa9fa6", + "https://git.kernel.org/stable/c/fcaafb574fc88a52dce817f039f7ff2f9da38001", + "https://git.kernel.org/stable/c/fed492aa6493a91a77ebd51da6fb939c98d94a0d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: fix possible NULL pointer dereference caused by driver concurrency\n\nIn _dwc2_hcd_urb_enqueue(), \"urb->hcpriv = NULL\" is executed without\nholding the lock \"hsotg->lock\". In _dwc2_hcd_urb_dequeue():\n\n spin_lock_irqsave(&hsotg->lock, flags);\n ...\n\tif (!urb->hcpriv) {\n\t\tdev_dbg(hsotg->dev, \"## urb->hcpriv is NULL ##\\n\");\n\t\tgoto out;\n\t}\n rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv\n ...\nout:\n spin_unlock_irqrestore(&hsotg->lock, flags);\n\nWhen _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are\nconcurrently executed, the NULL check of \"urb->hcpriv\" can be executed\nbefore \"urb->hcpriv = NULL\". After urb->hcpriv is NULL, it can be used\nin the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL\npointer dereference.\n\nThis possible bug is found by an experimental static analysis tool\ndeveloped by myself. This tool analyzes the locking APIs to extract\nfunction pairs that can be concurrently executed, and then analyzes the\ninstructions in the paired functions to identify possible concurrency\nbugs including data races and atomicity violations. The above possible\nbug is reported, when my tool analyzes the source code of Linux 6.5.\n\nTo fix this possible bug, \"urb->hcpriv = NULL\" should be executed with\nholding the lock \"hsotg->lock\". After using this patch, my tool never\nreports the possible bug, with the kernelconfiguration allyesconfig for\nx86_64. Because I have no associated hardware, I cannot test the patch\nin runtime testing, and just verify it according to the code logic.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52855" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52856", + "dataSource": "https://ubuntu.com/security/CVE-2023-52856", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52856" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52856", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52856", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/42071feab712ba2a139b8928f7e0f8d3a6fc719e", + "https://git.kernel.org/stable/c/44283993144a03af9df31934d6c32bbd42d1a347", + "https://git.kernel.org/stable/c/7bf0cb8f40280a85034990dfe42be8ca8f80f37a", + "https://git.kernel.org/stable/c/b65e3249f3ca96e3c736af889461d80d675feab6", + "https://git.kernel.org/stable/c/fcd9895e365474709844eeb31cfe53d912c3596e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: lt8912b: Fix crash on bridge detach\n\nThe lt8912b driver, in its bridge detach function, calls\ndrm_connector_unregister() and drm_connector_cleanup().\n\ndrm_connector_unregister() should be called only for connectors\nexplicitly registered with drm_connector_register(), which is not the\ncase in lt8912b.\n\nThe driver's drm_connector_funcs.destroy hook is set to\ndrm_connector_cleanup().\n\nThus the driver should not call either drm_connector_unregister() nor\ndrm_connector_cleanup() in its lt8912_bridge_detach(), as they cause a\ncrash on bridge detach:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\nMem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000\n[0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\nModules linked in: tidss(-) display_connector lontium_lt8912b tc358768 panel_lvds panel_simple drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks\nCPU: 3 PID: 462 Comm: rmmod Tainted: G W 6.5.0-rc2+ #2\nHardware name: Toradex Verdin AM62 on Verdin Development Board (DT)\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : drm_connector_cleanup+0x78/0x2d4 [drm]\nlr : lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\nsp : ffff800082ed3a90\nx29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000\nx26: 0000000000000000 x25: dead000000000122 x24: dead000000000122\nx23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000\nx20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8\nx17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038\nx14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e\nx11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48\nx8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n drm_connector_cleanup+0x78/0x2d4 [drm]\n lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\n drm_bridge_detach+0x44/0x84 [drm]\n drm_encoder_cleanup+0x40/0xb8 [drm]\n drmm_encoder_alloc_release+0x1c/0x30 [drm]\n drm_managed_release+0xac/0x148 [drm]\n drm_dev_put.part.0+0x88/0xb8 [drm]\n devm_drm_dev_init_release+0x14/0x24 [drm]\n devm_action_release+0x14/0x20\n release_nodes+0x5c/0x90\n devres_release_all+0x8c/0xe0\n device_unbind_cleanup+0x18/0x68\n device_release_driver_internal+0x208/0x23c\n driver_detach+0x4c/0x94\n bus_remove_driver+0x70/0xf4\n driver_unregister+0x30/0x60\n platform_driver_unregister+0x14/0x20\n tidss_platform_driver_exit+0x18/0xb2c [tidss]\n __arm64_sys_delete_module+0x1a0/0x2b4\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0x60/0x10c\n do_el0_svc_compat+0x1c/0x40\n el0_svc_compat+0x40/0xac\n el0t_32_sync_handler+0xb0/0x138\n el0t_32_sync+0x194/0x198\nCode: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52856" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52857", + "dataSource": "https://ubuntu.com/security/CVE-2023-52857", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52857" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52857", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52857", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d8a1df39d3fc34560e2cc663b5c340d06a25396", + "https://git.kernel.org/stable/c/96312a251d4dcee5d36e32edba3002bfde0ddd9c", + "https://git.kernel.org/stable/c/b0b0d811eac6b4c52cb9ad632fa6384cf48869e7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix coverity issue with unintentional integer overflow\n\n1. Instead of multiplying 2 variable of different types. Change to\nassign a value of one variable and then multiply the other variable.\n\n2. Add a int variable for multiplier calculation instead of calculating\ndifferent types multiplier with dma_addr_t variable directly.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52857" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52858", + "dataSource": "https://ubuntu.com/security/CVE-2023-52858", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52858" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52858", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52858", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1d89430fc3158f872d492f1b88d07262f48290c0", + "https://git.kernel.org/stable/c/2befa515c1bb6cdd33c262b909d93d1973a219aa", + "https://git.kernel.org/stable/c/4f861b63945e076f9f003a5fad958174096df1ee", + "https://git.kernel.org/stable/c/5fbea47eebff5daeca7d918c99289bcd3ae4dc8d", + "https://git.kernel.org/stable/c/a836efc21ef04608333d6d05753e558ebd1f85d0", + "https://git.kernel.org/stable/c/e8ae4b49dd9cfde69d8de8c0c0cd7cf1b004482e", + "https://git.kernel.org/stable/c/e964d21dc034b650d719c4ea39564bec72b42f94" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52858" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52859", + "dataSource": "https://ubuntu.com/security/CVE-2023-52859", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52859" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52859", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52859", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e1e88bba286621b886218363de07b319d6208b2", + "https://git.kernel.org/stable/c/3405f364f82d4f5407a8b4c519dc15d24b847fda", + "https://git.kernel.org/stable/c/75bab28ffd05ec8879c197890b1bd1dfec8d3f63", + "https://git.kernel.org/stable/c/b660420f449d094b1fabfa504889810b3a63cdd5", + "https://git.kernel.org/stable/c/b805cafc604bfdb671fae7347a57f51154afa735" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: hisi: Fix use-after-free when register pmu fails\n\nWhen we fail to register the uncore pmu, the pmu context may not been\nallocated. The error handing will call cpuhp_state_remove_instance()\nto call uncore pmu offline callback, which migrate the pmu context.\nSince that's liable to lead to some kind of use-after-free.\n\nUse cpuhp_state_remove_instance_nocalls() instead of\ncpuhp_state_remove_instance() so that the notifiers don't execute after\nthe PMU device has been failed to register.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52859" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52863", + "dataSource": "https://ubuntu.com/security/CVE-2023-52863", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52863" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52863", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52863", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2a5b3370a1d9750eca325292e291c8c7cb8cf2e0", + "https://git.kernel.org/stable/c/33de53a2706066d526173dc743faf43d92c62105", + "https://git.kernel.org/stable/c/7d870088db4863c514a7f8751cd593751983029a", + "https://git.kernel.org/stable/c/b3e7eb23a6e97642ff3190431c06475d9ca1e062", + "https://git.kernel.org/stable/c/c49f14cc1bb12c625a1c572e8a95b6adefd4d8eb", + "https://git.kernel.org/stable/c/f62b8969847850ba7596cb145cc47c65ea57dae0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (axi-fan-control) Fix possible NULL pointer dereference\n\naxi_fan_control_irq_handler(), dependent on the private\naxi_fan_control_data structure, might be called before the hwmon\ndevice is registered. That will cause an \"Unable to handle kernel\nNULL pointer dereference\" error.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52863" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52864", + "dataSource": "https://ubuntu.com/security/CVE-2023-52864", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52864" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52864", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52864", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/36d85fa7ae0d6be651c1a745191fa7ef055db43e", + "https://git.kernel.org/stable/c/44a96796d25809502c75771d40ee693c2e44724e", + "https://git.kernel.org/stable/c/9fb0eed09e1470cd4021ff52b2b9dfcbcee4c203", + "https://git.kernel.org/stable/c/cf098e937dd125c0317a0d6f261ac2a950a233d6", + "https://git.kernel.org/stable/c/d426a2955e45a95b2282764105fcfb110a540453", + "https://git.kernel.org/stable/c/e0bf076b734a2fab92d8fddc2b8b03462eee7097", + "https://git.kernel.org/stable/c/eba9ac7abab91c8f6d351460239108bef5e7a0b6", + "https://git.kernel.org/stable/c/fb7b06b59c6887659c6ed0ecd3110835eecbb6a3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: wmi: Fix opening of char device\n\nSince commit fa1f68db6ca7 (\"drivers: misc: pass miscdevice pointer via\nfile private data\"), the miscdevice stores a pointer to itself inside\nfilp->private_data, which means that private_data will not be NULL when\nwmi_char_open() is called. This might cause memory corruption should\nwmi_char_open() be unable to find its driver, something which can\nhappen when the associated WMI device is deleted in wmi_free_devices().\n\nFix the problem by using the miscdevice pointer to retrieve the WMI\ndevice data associated with a char device using container_of(). This\nalso avoids wmi_char_open() picking a wrong WMI device bound to a\ndriver with the same name as the original driver.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52864" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52865", + "dataSource": "https://ubuntu.com/security/CVE-2023-52865", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52865" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52865", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52865", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/122ac6496e4975ddd7ec1edba4f6fc1e15e39478", + "https://git.kernel.org/stable/c/2705c5b97f504e831ae1935c05f0e44f80dfa6b3", + "https://git.kernel.org/stable/c/357df1c2f6ace96defd557fad709ed1f9f70e16c", + "https://git.kernel.org/stable/c/3aefc6fcfbada57fac27f470602d5565e5b76cb4", + "https://git.kernel.org/stable/c/4c79cbfb8e9e2311be77182893fda5ea4068c836", + "https://git.kernel.org/stable/c/606f6366a35a3329545e38129804d65ef26ed7d2", + "https://git.kernel.org/stable/c/81b16286110728674dcf81137be0687c5055e7bf", + "https://git.kernel.org/stable/c/be3f12f16038a558f08fa93cc32fa715746a5235", + "https://git.kernel.org/stable/c/c26feedbc561f2a3cee1a4f717e61bdbdfb4fa92" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52865" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52867", + "dataSource": "https://ubuntu.com/security/CVE-2023-52867", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52867" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52867", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52867", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/112d4b02d94bf9fa4f1d3376587878400dd74783", + "https://git.kernel.org/stable/c/19534a7a225f1bf2da70a9a90d41d0215f8f6b45", + "https://git.kernel.org/stable/c/341e79f8aec6af6b0061b8171d77b085835c6a58", + "https://git.kernel.org/stable/c/347f025a02b3a5d715a0b471fc3b1439c338ad94", + "https://git.kernel.org/stable/c/7b063c93bece827fde237fae1c101bceeee4e896", + "https://git.kernel.org/stable/c/caaa74541459c4c9e2c10046cf66ad2890483d0f", + "https://git.kernel.org/stable/c/d9b4fa249deaae1145d6fc2b64dae718e5c7a855", + "https://git.kernel.org/stable/c/dd05484f99d16715a88eedfca363828ef9a4c2d4", + "https://git.kernel.org/stable/c/ddc42881f170f1f518496f5a70447501335fc783" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: possible buffer overflow\n\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\nchecked after access.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52867" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52868", + "dataSource": "https://ubuntu.com/security/CVE-2023-52868", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52868" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52868", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52868", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f6b3be28c4d62ef6498133959c72266629bea97", + "https://git.kernel.org/stable/c/3091ab943dfc7b2578599b0fe203350286fab5bb", + "https://git.kernel.org/stable/c/3a8f4e58e1ee707b4f46a1000b40b86ea3dd509c", + "https://git.kernel.org/stable/c/3f795fb35c2d8a637efe76b4518216c9319b998c", + "https://git.kernel.org/stable/c/6ad1bf47fbe5750c4d5d8e41337665e193e2c521", + "https://git.kernel.org/stable/c/77ff34a56b695e228e6daf30ee30be747973d6e8", + "https://git.kernel.org/stable/c/b55f0a9f865be75ca1019aad331f3225f7b50ce8", + "https://git.kernel.org/stable/c/c99626092efca3061b387043d4a7399bf75fbdd5", + "https://git.kernel.org/stable/c/edbd6bbe40ac524a8f2273ffacc53edf14f3c686" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: prevent potential string overflow\n\nThe dev->id value comes from ida_alloc() so it's a number between zero\nand INT_MAX. If it's too high then these sprintf()s will overflow.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52868" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52869", + "dataSource": "https://ubuntu.com/security/CVE-2023-52869", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52869" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52869", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52869", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1c426da79f9fc7b761021b5eb44185ba119cd44a", + "https://git.kernel.org/stable/c/379b120e4f27fd1cf636a5f85570c4d240a3f688", + "https://git.kernel.org/stable/c/63f637309baadf81a095f2653e3b807d4b5814b9", + "https://git.kernel.org/stable/c/a19d48f7c5d57c0f0405a7d4334d1d38fe9d3c1c", + "https://git.kernel.org/stable/c/ad5cb6deb41417ef41b9d6ff54f789212108606f", + "https://git.kernel.org/stable/c/bb166bdae1a7d7db30e9be7e6ccaba606debc05f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/platform: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52869" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52870", + "dataSource": "https://ubuntu.com/security/CVE-2023-52870", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52870" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52870", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52870", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10cc81124407d862f0f747db4baa9c006510b480", + "https://git.kernel.org/stable/c/2617aa8ceaf30e41d3eb7f5fef3445542bef193a", + "https://git.kernel.org/stable/c/533ca5153ad6c7b7d47ae0114b14d0333964b946", + "https://git.kernel.org/stable/c/b5ff3e89b4e7f46ad2aa0de7e08d18e6f87d71bc", + "https://git.kernel.org/stable/c/b82681042724924ae3ba0f2f2eeec217fa31e830", + "https://git.kernel.org/stable/c/dd1f30d68fa98eb672c0a259297b761656a9025f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52870" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52871", + "dataSource": "https://ubuntu.com/security/CVE-2023-52871", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52871" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52871", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52871", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1143bfb9b055897975aeaea254da148e19524493", + "https://git.kernel.org/stable/c/3565684309e54fa998ea27f37028d67cc3e1dff2", + "https://git.kernel.org/stable/c/5e5b85ea0f4bc484bfe4cc73ead51fa48d2366a0", + "https://git.kernel.org/stable/c/995ee1e84e8db7fa5dcdde7dfe0bd7bb6f9bbb8c", + "https://git.kernel.org/stable/c/cc1a1dcb411fe224f48553cfdcdfe6e61395b69c", + "https://git.kernel.org/stable/c/f0ef883cae309bc5e8cdfcdbc1b4822732ce20a8", + "https://git.kernel.org/stable/c/f1a1bc8775b26345aba2be278118999e7f661d3d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: llcc: Handle a second device without data corruption\n\nUsually there is only one llcc device. But if there were a second, even\na failed probe call would modify the global drv_data pointer. So check\nif drv_data is valid before overwriting it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52871" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52872", + "dataSource": "https://ubuntu.com/security/CVE-2023-52872", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52872" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52872", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52872", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890", + "https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243", + "https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444", + "https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a", + "https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix race condition in status line change on dead connections\n\ngsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all\ntimers, removing the virtual tty devices and clearing the data queues.\nThis procedure, however, may cause subsequent changes of the virtual modem\nstatus lines of a DLCI. More data is being added the outgoing data queue\nand the deleted kick timer is restarted to handle this. At this point many\nresources have already been removed by the cleanup procedure. Thus, a\nkernel panic occurs.\n\nFix this by proving in gsm_modem_update() that the cleanup procedure has\nnot been started and the mux is still alive.\n\nNote that writing to a virtual tty is already protected by checks against\nthe DLCI specific connection state.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52872" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52873", + "dataSource": "https://ubuntu.com/security/CVE-2023-52873", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52873" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52873", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52873", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1f57f78fbacf630430bf954e5a84caafdfea30c0", + "https://git.kernel.org/stable/c/3994387ba3564976731179c4d4a6d7850ddda71a", + "https://git.kernel.org/stable/c/a90239551abc181687f8c0ba60b276f7d75c141e", + "https://git.kernel.org/stable/c/ca6d565a2319d69d9766e6ecbb5af827fc4afb2b", + "https://git.kernel.org/stable/c/df1c4a9efa3f5b6fb5e0ae63890230dbe2190b7e", + "https://git.kernel.org/stable/c/f6a7c51cf07a399ec067d39f0a22f1817c5c7d2b", + "https://git.kernel.org/stable/c/fbe466f06d4ea18745da0d57540539b7b36936ae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52873" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52875", + "dataSource": "https://ubuntu.com/security/CVE-2023-52875", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52875" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52875", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52875", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/001e5def774fa1a8f2b29567c0b0cd3e3a859a96", + "https://git.kernel.org/stable/c/0d6e24b422a2166a9297a8286ff2e6ab9a5e8cd3", + "https://git.kernel.org/stable/c/1953e62366da5460dc712e045f94fb0d8918999d", + "https://git.kernel.org/stable/c/1bf9c204aef4cc55ce46a7ff2d4dc7e5f86551a7", + "https://git.kernel.org/stable/c/2a18dd653284550900b02107c3c7b3ac5e0eb802", + "https://git.kernel.org/stable/c/6fccee2af400edaed9cf349d506c5971d4762739", + "https://git.kernel.org/stable/c/d1175cf4bd2b4c5f7c43f677ea1ce9ad2c18d055", + "https://git.kernel.org/stable/c/d1461f0c9ca0827c03730fe9652ebbf6316a2a95", + "https://git.kernel.org/stable/c/e61934720af4a58ffd43a63ffdd6f3a0bd7d7b47" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52875" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52876", + "dataSource": "https://ubuntu.com/security/CVE-2023-52876", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52876" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52876", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52876", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0884393c63cc9a1772f7121a6645ba7bd76feeb9", + "https://git.kernel.org/stable/c/1639072f6260babd017556e9f236ca2ad589d1e7", + "https://git.kernel.org/stable/c/96e9544a0c4faca616b3f9f4034dcd83a14e7f22", + "https://git.kernel.org/stable/c/a540ca0aeae83c2f3964bcb4e383f64ce2ec1783", + "https://git.kernel.org/stable/c/b20cfe007a46f8c165d42a05c50a8d3d893e6592", + "https://git.kernel.org/stable/c/c4070ada5d5155c8d4d17ea64bd246949889f25b", + "https://git.kernel.org/stable/c/cfa68e0ac5dcde43577adadf6f0f26f3b365ad68" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52876" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52877", + "dataSource": "https://ubuntu.com/security/CVE-2023-52877", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52877" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52877", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52877", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4987daf86c152ff882d51572d154ad12e4ff3a4b", + "https://git.kernel.org/stable/c/9ee038590d808a95d16adf92818dcd4752273c08", + "https://git.kernel.org/stable/c/b37a168c0137156042a0ca9626651b5a789e822b", + "https://git.kernel.org/stable/c/e5f53a68a596e04df3fde3099273435a30b6fdac", + "https://git.kernel.org/stable/c/e7a802447c491903aa7cb45967aa2a934a4e63fc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()\n\nIt is possible that typec_register_partner() returns ERR_PTR on failure.\nWhen port->partner is an error, a NULL pointer dereference may occur as\nshown below.\n\n[91222.095236][ T319] typec port0: failed to register partner (-17)\n...\n[91225.061491][ T319] Unable to handle kernel NULL pointer dereference\nat virtual address 000000000000039f\n[91225.274642][ T319] pc : tcpm_pd_data_request+0x310/0x13fc\n[91225.274646][ T319] lr : tcpm_pd_data_request+0x298/0x13fc\n[91225.308067][ T319] Call trace:\n[91225.308070][ T319] tcpm_pd_data_request+0x310/0x13fc\n[91225.308073][ T319] tcpm_pd_rx_handler+0x100/0x9e8\n[91225.355900][ T319] kthread_worker_fn+0x178/0x58c\n[91225.355902][ T319] kthread+0x150/0x200\n[91225.355905][ T319] ret_from_fork+0x10/0x30\n\nAdd a check for port->partner to avoid dereferencing a NULL pointer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52877" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52878", + "dataSource": "https://ubuntu.com/security/CVE-2023-52878", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52878" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52878", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52878", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4", + "https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc", + "https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057", + "https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444", + "https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds\n\nIf the \"struct can_priv::echoo_skb\" is accessed out of bounds, this\nwould cause a kernel crash. Instead, issue a meaningful warning\nmessage and return with an error.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52878" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52879", + "dataSource": "https://ubuntu.com/security/CVE-2023-52879", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52879" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52879", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52879", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706", + "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976", + "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d", + "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e", + "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f", + "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4", + "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have trace_event_file have ref counters\n\nThe following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\n\nThe above commands:\n\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\n\nThe above causes a crash!\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\n\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\n\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\n\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52879" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52880", + "dataSource": "https://ubuntu.com/security/CVE-2023-52880", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52880" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52880", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52880", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b85977977cbd120591b23c2450e90a5806a7167", + "https://git.kernel.org/stable/c/2d154a54c58f9c8375bfbea9f7e51ba3bfb2e43a", + "https://git.kernel.org/stable/c/67c37756898a5a6b2941a13ae7260c89b54e0d88", + "https://git.kernel.org/stable/c/7a529c9023a197ab3bf09bb95df32a3813f7ba58", + "https://git.kernel.org/stable/c/7d303dee473ba3529d75b63491e9963342107bed", + "https://git.kernel.org/stable/c/ada28eb4b9561aab93942f3224a2e41d76fe57fa", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\n\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\nCAP_NET_ADMIN to create a GSM network anyway.\n\nRequire initial namespace CAP_NET_ADMIN to do that.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2023-52880" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52881", + "dataSource": "https://ubuntu.com/security/CVE-2023-52881", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52881" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52881", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52881", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/008b807fe487e0b15a3a6c39add4eb477f73e440", + "https://git.kernel.org/stable/c/0d4e0afdd6658cd21dd5be61880411a2553fd1fc", + "https://git.kernel.org/stable/c/2087d53a66e97a5eb5d1bf558d5bef9e5f891757", + "https://git.kernel.org/stable/c/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27", + "https://git.kernel.org/stable/c/458f07ffeccd17f99942311e09ef574ddf4a414a", + "https://git.kernel.org/stable/c/69eae75ca5255e876628ac5cee9eaab31f644b57", + "https://git.kernel.org/stable/c/7ffff0cc929fdfc62a74b384c4903d6496c910f0", + "https://git.kernel.org/stable/c/b17a886ed29f3b70b78ccf632dad03e0c69e3c1a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: do not accept ACK of bytes we never sent\n\nThis patch is based on a detailed report and ideas from Yepeng Pan\nand Christian Rossow.\n\nACK seq validation is currently following RFC 5961 5.2 guidelines:\n\n The ACK value is considered acceptable only if\n it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=\n SND.NXT). All incoming segments whose ACK value doesn't satisfy the\n above condition MUST be discarded and an ACK sent back. It needs to\n be noted that RFC 793 on page 72 (fifth check) says: \"If the ACK is a\n duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK\n acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an\n ACK, drop the segment, and return\". The \"ignored\" above implies that\n the processing of the incoming data segment continues, which means\n the ACK value is treated as acceptable. This mitigation makes the\n ACK check more stringent since any ACK < SND.UNA wouldn't be\n accepted, instead only ACKs that are in the range ((SND.UNA -\n MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.\n\nThis can be refined for new (and possibly spoofed) flows,\nby not accepting ACK for bytes that were never sent.\n\nThis greatly improves TCP security at a little cost.\n\nI added a Fixes: tag to make sure this patch will reach stable trees,\neven if the 'blamed' patch was adhering to the RFC.\n\ntp->bytes_acked was added in linux-4.2\n\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\nthe issue at hand:\n\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\n+0 bind(3, ..., ...) = 0\n+0 listen(3, 1024) = 0\n\n// ---------------- Handshake ------------------- //\n\n// when window scale is set to 14 the window size can be extended to\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\n// ,though this ack number acknowledges some data never\n// sent by the server.\n\n+0 < S 0:0(0) win 65535 \n+0 > S. 0:0(0) ack 1 <...>\n+0 < . 1:1(0) ack 1 win 65535\n+0 accept(3, ..., ...) = 4\n\n// For the established connection, we send an ACK packet,\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\n// where 2^32 is used to wrap around.\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\n// edge cases.\n// 1 - 1073725300 + 2^32 = 3221241997\n\n// Oops, old kernels happily accept this packet.\n+0 < . 1:1001(1000) ack 3221241997 win 65535\n\n// After the kernel fix the following will be replaced by a challenge ACK,\n// and prior malicious frame would be dropped.\n+0 > . 1:1(0) ack 1001", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52881" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52882", + "dataSource": "https://ubuntu.com/security/CVE-2023-52882", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52882" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52882", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52882", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0b82eb134d2942ecc669e2ab2be3f0a58d79428a", + "https://git.kernel.org/stable/c/70f64cb29014e4c4f1fabd3265feebd80590d069", + "https://git.kernel.org/stable/c/7e91ed763dc07437777bd012af7a2bd4493731ff", + "https://git.kernel.org/stable/c/9708e5081cfc4f085690294163389bcf82655f90", + "https://git.kernel.org/stable/c/bfc78b4628497eb6df09a6b5bba9dd31616ee175", + "https://git.kernel.org/stable/c/f1fa9a9816204ac4b118b2e613d3a7c981355019", + "https://git.kernel.org/stable/c/fe11826ffa200e1a7a826e745163cb2f47875f66", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\n\nWhile PLL CPUX clock rate change when CPU is running from it works in\nvast majority of cases, now and then it causes instability. This leads\nto system crashes and other undefined behaviour. After a lot of testing\n(30+ hours) while also doing a lot of frequency switches, we can't\nobserve any instability issues anymore when doing reparenting to stable\nclock like 24 MHz oscillator.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2023-52882" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52884", + "dataSource": "https://ubuntu.com/security/CVE-2023-52884", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52884" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52884", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52884", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7b4e0b39182cf5e677c1fc092a3ec40e621c25b6", + "https://git.kernel.org/stable/c/9400caf566f65c703e99d95f87b00c4b445627a7", + "https://git.kernel.org/stable/c/a4c638ab25786bd5aab5978fe51b2b9be16a4ebd", + "https://git.kernel.org/stable/c/a5fc298fa8f67cf1f0e1fc126eab70578cd40adc", + "https://git.kernel.org/stable/c/f99809fdeb50d65bcbc1661ef391af94eebb8a75" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cyapa - add missing input core locking to suspend/resume functions\n\nGrab input->mutex during suspend/resume functions like it is done in\nother input drivers. This fixes the following warning during system\nsuspend/resume cycle on Samsung Exynos5250-based Snow Chromebook:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---\n...\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52884" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52885", + "dataSource": "https://ubuntu.com/security/CVE-2023-52885", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52885" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52885", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52885", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b", + "https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f", + "https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428", + "https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065", + "https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254", + "https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e", + "https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee", + "https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix UAF in svc_tcp_listen_data_ready()\n\nAfter the listener svc_sock is freed, and before invoking svc_tcp_accept()\nfor the established child sock, there is a window that the newsock\nretaining a freed listener svc_sock in sk_user_data which cloning from\nparent. In the race window, if data is received on the newsock, we will\nobserve use-after-free report in svc_tcp_listen_data_ready().\n\nReproduce by two tasks:\n\n1. while :; do rpc.nfsd 0 ; rpc.nfsd; done\n2. while :; do echo \"\" | ncat -4 127.0.0.1 2049 ; done\n\nKASAN report:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n Read of size 8 at addr ffff888139d96228 by task nc/102553\n CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n Call Trace:\n \n dump_stack_lvl+0x33/0x50\n print_address_description.constprop.0+0x27/0x310\n print_report+0x3e/0x70\n kasan_report+0xae/0xe0\n svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n tcp_data_queue+0x9f4/0x20e0\n tcp_rcv_established+0x666/0x1f60\n tcp_v4_do_rcv+0x51c/0x850\n tcp_v4_rcv+0x23fc/0x2e80\n ip_protocol_deliver_rcu+0x62/0x300\n ip_local_deliver_finish+0x267/0x350\n ip_local_deliver+0x18b/0x2d0\n ip_rcv+0x2fb/0x370\n __netif_receive_skb_one_core+0x166/0x1b0\n process_backlog+0x24c/0x5e0\n __napi_poll+0xa2/0x500\n net_rx_action+0x854/0xc90\n __do_softirq+0x1bb/0x5de\n do_softirq+0xcb/0x100\n \n \n ...\n \n\n Allocated by task 102371:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_kmalloc+0x7b/0x90\n svc_setup_socket+0x52/0x4f0 [sunrpc]\n svc_addsock+0x20d/0x400 [sunrpc]\n __write_ports_addfd+0x209/0x390 [nfsd]\n write_ports+0x239/0x2c0 [nfsd]\n nfsctl_transaction_write+0xac/0x110 [nfsd]\n vfs_write+0x1c3/0xae0\n ksys_write+0xed/0x1c0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\n Freed by task 102551:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x50\n __kasan_slab_free+0x106/0x190\n __kmem_cache_free+0x133/0x270\n svc_xprt_free+0x1e2/0x350 [sunrpc]\n svc_xprt_destroy_all+0x25a/0x440 [sunrpc]\n nfsd_put+0x125/0x240 [nfsd]\n nfsd_svc+0x2cb/0x3c0 [nfsd]\n write_threads+0x1ac/0x2a0 [nfsd]\n nfsctl_transaction_write+0xac/0x110 [nfsd]\n vfs_write+0x1c3/0xae0\n ksys_write+0xed/0x1c0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nFix the UAF by simply doing nothing in svc_tcp_listen_data_ready()\nif state != TCP_LISTEN, that will avoid dereferencing svsk for all\nchild socket.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52885" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52886", + "dataSource": "https://ubuntu.com/security/CVE-2023-52886", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52886" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52886", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52886", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/7fe9d87996062f5eb0ca476ad0257f79bf43aaf5", + "https://git.kernel.org/stable/c/8186596a663506b1124bede9fde6f243ef9f37ee", + "https://git.kernel.org/stable/c/9d241c5d9a9b7ad95c90c6520272fe404d5ac88f", + "https://git.kernel.org/stable/c/b4a074b1fb222164ed7d5c0b8c922dc4a0840848", + "https://git.kernel.org/stable/c/b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5", + "https://git.kernel.org/stable/c/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix race by not overwriting udev->descriptor in hub_port_init()\n\nSyzbot reported an out-of-bounds read in sysfs.c:read_descriptors():\n\nBUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\nRead of size 8 at addr ffff88801e78b8c8 by task udevd/5011\n\nCPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\n print_report mm/kasan/report.c:462 [inline]\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\n read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\n...\nAllocated by task 758:\n...\n __do_kmalloc_node mm/slab_common.c:966 [inline]\n __kmalloc+0x5e/0x190 mm/slab_common.c:979\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:680 [inline]\n usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887\n usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]\n usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545\n\nAs analyzed by Khazhy Kumykov, the cause of this bug is a race between\nread_descriptors() and hub_port_init(): The first routine uses a field\nin udev->descriptor, not expecting it to change, while the second\noverwrites it.\n\nPrior to commit 45bf39f8df7f (\"USB: core: Don't hold device lock while\nreading the \"descriptors\" sysfs file\") this race couldn't occur,\nbecause the routines were mutually exclusive thanks to the device\nlocking. Removing that locking from read_descriptors() exposed it to\nthe race.\n\nThe best way to fix the bug is to keep hub_port_init() from changing\nudev->descriptor once udev has been initialized and registered.\nDrivers expect the descriptors stored in the kernel to be immutable;\nwe should not undermine this expectation. In fact, this change should\nhave been made long ago.\n\nSo now hub_port_init() will take an additional argument, specifying a\nbuffer in which to store the device descriptor it reads. (If udev has\nnot yet been initialized, the buffer pointer will be NULL and then\nhub_port_init() will store the device descriptor in udev as before.)\nThis eliminates the data race responsible for the out-of-bounds read.\n\nThe changes to hub_port_init() appear more extensive than they really\nare, because of indentation changes resulting from an attempt to avoid\nwriting to other parts of the usb_device structure after it has been\ninitialized. Similar changes should be made to the code that reads\nthe BOS descriptor, but that can be handled in a separate patch later\non. This patch is sufficient to fix the bug found by syzbot.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52886" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52887", + "dataSource": "https://ubuntu.com/security/CVE-2023-52887", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52887" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52887", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52887", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0bc0a7416ea73f79f915c9a05ac0858dff65cfed", + "https://git.kernel.org/stable/c/1762ca80c2b72dd1b5821c5e347713ae696276ea", + "https://git.kernel.org/stable/c/177e33b655d35d72866b50aec84307119dc5f3d4", + "https://git.kernel.org/stable/c/26b18dd30e63d4fd777be429148e8e4ed66f60b2", + "https://git.kernel.org/stable/c/d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb", + "https://git.kernel.org/stable/c/ed581989d7ea9df6f8646beba2341e32cd49a1f9", + "https://git.kernel.org/stable/c/f6c839e717901dbd6b1c1ca807b6210222eb70f6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new\n\nThis patch enhances error handling in scenarios with RTS (Request to\nSend) messages arriving closely. It replaces the less informative WARN_ON_ONCE\nbacktraces with a new error handling method. This provides clearer error\nmessages and allows for the early termination of problematic sessions.\nPreviously, sessions were only released at the end of j1939_xtp_rx_rts().\n\nPotentially this could be reproduced with something like:\ntestj1939 -r vcan0:0x80 &\nwhile true; do\n\t# send first RTS\n\tcansend vcan0 18EC8090#1014000303002301;\n\t# send second RTS\n\tcansend vcan0 18EC8090#1014000303002301;\n\t# send abort\n\tcansend vcan0 18EC8090#ff00000000002301;\ndone", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52887" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52888", + "dataSource": "https://ubuntu.com/security/CVE-2023-52888", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52888" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52888", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52888", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/303d01082edaf817ee2df53a40dca9da637a2c04", + "https://git.kernel.org/stable/c/5c217253c76c94f76d1df31d0bbdcb88dc07be91", + "https://git.kernel.org/stable/c/eb005c801ec70ff4307727bd3bd6e8280169ef32" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Only free buffer VA that is not NULL\n\nIn the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly\ncalled only when the buffer to free exists, there are some instances\nthat didn't do the check and triggered warnings in practice.\n\nWe believe those checks were forgotten unintentionally. Add the checks\nback to fix the warnings.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52888" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52889", + "dataSource": "https://ubuntu.com/security/CVE-2023-52889", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52889" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52889", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52889", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1", + "https://git.kernel.org/stable/c/290a6b88e8c19b6636ed1acc733d1458206f7697", + "https://git.kernel.org/stable/c/347dcb84a4874b5fb375092c08d8cc4069b94f81", + "https://git.kernel.org/stable/c/46c17ead5b7389e22e7dc9903fd0ba865d05bda2", + "https://git.kernel.org/stable/c/6c920754f62cefc63fccdc38a062c7c3452e2961", + "https://git.kernel.org/stable/c/ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2", + "https://git.kernel.org/stable/c/fce09ea314505a52f2436397608fa0a5d0934fb1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix null pointer deref when receiving skb during sock creation\n\nThe panic below is observed when receiving ICMP packets with secmark set\nwhile an ICMP raw socket is being created. SK_CTX(sk)->label is updated\nin apparmor_socket_post_create(), but the packet is delivered to the\nsocket before that, causing the null pointer dereference.\nDrop the packet if label context is not set.\n\n BUG: kernel NULL pointer dereference, address: 000000000000004c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020\n RIP: 0010:aa_label_next_confined+0xb/0x40\n Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2\n RSP: 0018:ffffa92940003b08 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e\n RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002\n R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000\n FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0\n PKRU: 55555554\n Call Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? aa_label_next_confined+0xb/0x40\n apparmor_secmark_check+0xec/0x330\n security_sock_rcv_skb+0x35/0x50\n sk_filter_trim_cap+0x47/0x250\n sock_queue_rcv_skb_reason+0x20/0x60\n raw_rcv+0x13c/0x210\n raw_local_deliver+0x1f3/0x250\n ip_protocol_deliver_rcu+0x4f/0x2f0\n ip_local_deliver_finish+0x76/0xa0\n __netif_receive_skb_one_core+0x89/0xa0\n netif_receive_skb+0x119/0x170\n ? __netdev_alloc_skb+0x3d/0x140\n vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n __napi_poll+0x28/0x1b0\n net_rx_action+0x2a4/0x380\n __do_softirq+0xd1/0x2c8\n __irq_exit_rcu+0xbb/0xf0\n common_interrupt+0x86/0xa0\n \n \n asm_common_interrupt+0x26/0x40\n RIP: 0010:apparmor_socket_post_create+0xb/0x200\n Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48\n RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286\n RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001\n RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740\n RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003\n R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748\n ? __pfx_apparmor_socket_post_create+0x10/0x10\n security_socket_post_create+0x4b/0x80\n __sock_create+0x176/0x1f0\n __sys_socket+0x89/0x100\n __x64_sys_socket+0x17/0x20\n do_syscall_64+0x5d/0x90\n ? do_syscall_64+0x6c/0x90\n ? do_syscall_64+0x6c/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52889" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52893", + "dataSource": "https://ubuntu.com/security/CVE-2023-52893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52893" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52893", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32313c11bdc8a02c577abaf865be3664ab30410a", + "https://git.kernel.org/stable/c/6646d769fdb0ce4318ef9afd127f8526d1ca8393", + "https://git.kernel.org/stable/c/a769b05eeed7accc4019a1ed9799dd72067f1ce8", + "https://git.kernel.org/stable/c/ae2a9dcc8caa60b1e14671294e5ec902ea5d1dfd", + "https://git.kernel.org/stable/c/eb0421d90f916dffe96b4c049ddf01c0c50620d2", + "https://git.kernel.org/stable/c/ee5763ef829bd923033510de6d1df7c73f085e4b", + "https://git.kernel.org/stable/c/ffef77794fb5f1245c3249b86342bad2299accb5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngsmi: fix null-deref in gsmi_get_variable\n\nWe can get EFI variables without fetching the attribute, so we must\nallow for that in gsmi.\n\ncommit 859748255b43 (\"efi: pstore: Omit efivars caching EFI varstore\naccess layer\") added a new get_variable call with attr=NULL, which\ntriggers panic in gsmi.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52894", + "dataSource": "https://ubuntu.com/security/CVE-2023-52894", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52894" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52894", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52894", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09e4507ec8ef2d44da6ba4092b8ee2d81f216497", + "https://git.kernel.org/stable/c/63d161f29cd39c050e8873aa36e0c9fc013bb763", + "https://git.kernel.org/stable/c/a21da7f7aae618c785f7e4a275d43c06dc8412b6", + "https://git.kernel.org/stable/c/a69c8dfb85b44be9cc223be07d35cc3a9baefbea", + "https://git.kernel.org/stable/c/c6ec929595c7443250b2a4faea988c62019d5cd2", + "https://git.kernel.org/stable/c/e92c70059178da751e5af7de02384b7dfadb5ec7", + "https://git.kernel.org/stable/c/fef6b29671b66dfb71f17e337c1ad14b5a2cedae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()\n\nIn Google internal bug 265639009 we've received an (as yet) unreproducible\ncrash report from an aarch64 GKI 5.10.149-android13 running device.\n\nAFAICT the source code is at:\n https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10\n\nThe call stack is:\n ncm_close() -> ncm_notify() -> ncm_do_notify()\nwith the crash at:\n ncm_do_notify+0x98/0x270\nCode: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)\n\nWhich I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):\n\n // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)\n 0B 0D 00 79 strh w11, [x8, #6]\n\n // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)\n 6C 0A 00 B9 str w12, [x19, #8]\n\n // x10 (NULL) was read here from offset 0 of valid pointer x9\n // IMHO we're reading 'cdev->gadget' and getting NULL\n // gadget is indeed at offset 0 of struct usb_composite_dev\n 2A 01 40 F9 ldr x10, [x9]\n\n // loading req->buf pointer, which is at offset 0 of struct usb_request\n 69 02 40 F9 ldr x9, [x19]\n\n // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed\n 4B 5D 40 B9 ldr w11, [x10, #0x5c]\n\nwhich seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:\n\n event->wLength = cpu_to_le16(8);\n req->length = NCM_STATUS_BYTECOUNT;\n\n /* SPEED_CHANGE data is up/down speeds in bits/sec */\n data = req->buf + sizeof *event;\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\n\nMy analysis of registers and NULL ptr deref crash offset\n (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)\nheavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\nwhich calls:\n ncm_bitrate(NULL)\nwhich then calls:\n gadget_is_superspeed(NULL)\nwhich reads\n ((struct usb_gadget *)NULL)->max_speed\nand hits a panic.\n\nAFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.\n(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)\n\nIt's not at all clear to me how this is all supposed to work...\nbut returning 0 seems much better than panic-ing...", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52894" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52896", + "dataSource": "https://ubuntu.com/security/CVE-2023-52896", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52896" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52896", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52896", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1004fc90f0d79a4b7d9e3d432729914f472f9ad1", + "https://git.kernel.org/stable/c/3bd43374857103ba3cac751d6d4afa8d83b5d92a", + "https://git.kernel.org/stable/c/64287cd456a22373053998c1fccf14b651e9cbbd", + "https://git.kernel.org/stable/c/89ac597e3e807b91e2ebd6a7c36fec7b97290233", + "https://git.kernel.org/stable/c/b7adbf9ada3513d2092362c8eac5cddc5b651f5c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between quota rescan and disable leading to NULL pointer deref\n\nIf we have one task trying to start the quota rescan worker while another\none is trying to disable quotas, we can end up hitting a race that results\nin the quota rescan worker doing a NULL pointer dereference. The steps for\nthis are the following:\n\n1) Quotas are enabled;\n\n2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().\n It calls qgroup_rescan_init() which returns 0 (success) and then joins a\n transaction and commits it;\n\n3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().\n It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls\n btrfs_qgroup_wait_for_completion(), which returns immediately since the\n rescan worker is not yet running.\n Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;\n\n4) Task A queues the rescan worker, by calling btrfs_queue_work();\n\n5) The rescan worker starts, and calls rescan_should_stop() at the start\n of its while loop, which results in 0 iterations of the loop, since\n the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by\n task B at step 3);\n\n6) Task B sets fs_info->quota_root to NULL;\n\n7) The rescan worker tries to start a transaction and uses\n fs_info->quota_root as the root argument for btrfs_start_transaction().\n This results in a NULL pointer dereference down the call chain of\n btrfs_start_transaction(). The stack trace is something like the one\n reported in Link tag below:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Workqueue: btrfs-qgroup-rescan btrfs_work_helper\n RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564\n Code: 48 89 fb 48 (...)\n RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206\n RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\n RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d\n R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003\n FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402\n btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280\n process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\n worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\n kthread+0x266/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n Modules linked in:\n\nSo fix this by having the rescan worker function not attempt to start a\ntransaction if it didn't do any rescan work.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52896" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52898", + "dataSource": "https://ubuntu.com/security/CVE-2023-52898", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52898" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52898", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52898", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/081105213ff6f661c114781d469233c7d0e09c2e", + "https://git.kernel.org/stable/c/133b902378e4acbd824c29dd0d48570ad596e368", + "https://git.kernel.org/stable/c/6fac4b5cecb3928a0a81069aaa815a2edc8dd5a1", + "https://git.kernel.org/stable/c/a2bc47c43e70cf904b1af49f76d572326c08bca7", + "https://git.kernel.org/stable/c/c462ac871f49753eca86bb960f573b993976a5ea", + "https://git.kernel.org/stable/c/ea2ee5e9991caf74e0604f994c1831a5867055b2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix null pointer dereference when host dies\n\nMake sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race\nand cause null pointer dereference when host suddenly dies.\n\nUsb core may call xhci_free_dev() which frees the xhci->devs[slot_id]\nvirt device at the same time that xhci_kill_endpoint_urbs() tries to\nloop through all the device's endpoints, checking if there are any\ncancelled urbs left to give back.\n\nhold the xhci spinlock while freeing the virt device", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52898" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52899", + "dataSource": "https://ubuntu.com/security/CVE-2023-52899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52899", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/20d0a6d17e85a8a816a64fa7d7cae616f1617833", + "https://git.kernel.org/stable/c/5054d001ffaf76155637c5e5b922c11016cd6a5d", + "https://git.kernel.org/stable/c/51a7ad5b60efac65691729d10745c28fa1016b96", + "https://git.kernel.org/stable/c/53dd833fd0a2d8f0118d01ea063a70652689d31e", + "https://git.kernel.org/stable/c/57054fe516d59d03a7bcf1888e82479ccc244f87", + "https://git.kernel.org/stable/c/f534dc438828cc3f1f8c6895b8bdfbef079521fb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nAdd exception protection processing for vd in axi_chan_handle_err function\n\nSince there is no protection for vd, a kernel panic will be\ntriggered here in exceptional cases.\n\nYou can refer to the processing of axi_chan_block_xfer_complete function\n\nThe triggered kernel panic is as follows:\n\n[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n[ 67.848447] Mem abort info:\n[ 67.848449] ESR = 0x96000004\n[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 67.848454] SET = 0, FnV = 0\n[ 67.848456] EA = 0, S1PTW = 0\n[ 67.848458] Data abort info:\n[ 67.848460] ISV = 0, ISS = 0x00000004\n[ 67.848462] CM = 0, WnR = 0\n[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000\n[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000\n[ 67.848472] Internal error: Oops: 96000004 [#1] SMP\n[ 67.848475] Modules linked in: dmatest\n[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11\n[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)\n[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230\n[ 67.848491] lr : axi_chan_handle_err+0x30/0x230\n[ 67.848493] sp : ffff0803fe55ae50\n[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200\n[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080\n[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850\n[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000\n[ 67.848512] x21: 0000000000000080 x20: 0000000000002000\n[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000\n[ 67.848521] x17: 0000000000000000 x16: 0000000000000000\n[ 67.848525] x15: 0000000000000000 x14: 0000000000000000\n[ 67.848529] x13: 0000000000000000 x12: 0000000000000040\n[ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a\n[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270\n[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0\n[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480\n[ 67.848550] x3 : dead000000000100 x2 : dead000000000122\n[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168\n[ 67.848559] Call trace:\n[ 67.848562] axi_chan_handle_err+0xc4/0x230\n[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590\n[ 67.848569] __handle_irq_event_percpu+0x60/0x220\n[ 67.848573] handle_irq_event+0x64/0x120\n[ 67.848576] handle_fasteoi_irq+0xc4/0x220\n[ 67.848580] __handle_domain_irq+0x80/0xe0\n[ 67.848583] gic_handle_irq+0xc0/0x138\n[ 67.848585] el1_irq+0xc8/0x180\n[ 67.848588] arch_cpu_idle+0x14/0x2c\n[ 67.848591] default_idle_call+0x40/0x16c\n[ 67.848594] do_idle+0x1f0/0x250\n[ 67.848597] cpu_startup_entry+0x2c/0x60\n[ 67.848600] rest_init+0xc0/0xcc\n[ 67.848603] arch_call_rest_init+0x14/0x1c\n[ 67.848606] start_kernel+0x4cc/0x500\n[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)\n[ 67.848613] ---[ end trace 585a97036f88203a ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52900", + "dataSource": "https://ubuntu.com/security/CVE-2023-52900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52900" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52900", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04", + "https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545", + "https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062", + "https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243", + "https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051", + "https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d", + "https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix general protection fault in nilfs_btree_insert()\n\nIf nilfs2 reads a corrupted disk image and tries to reads a b-tree node\nblock by calling __nilfs_btree_get_block() against an invalid virtual\nblock address, it returns -ENOENT because conversion of the virtual block\naddress to a disk block address fails. However, this return value is the\nsame as the internal code that b-tree lookup routines return to indicate\nthat the block being searched does not exist, so functions that operate on\nthat b-tree may misbehave.\n\nWhen nilfs_btree_insert() receives this spurious 'not found' code from\nnilfs_btree_do_lookup(), it misunderstands that the 'not found' check was\nsuccessful and continues the insert operation using incomplete lookup path\ndata, causing the following crash:\n\n general protection fault, probably for non-canonical address\n 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n ...\n RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]\n RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]\n RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238\n Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89\n ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c\n 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02\n ...\n Call Trace:\n \n nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]\n nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147\n nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101\n __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991\n __block_write_begin fs/buffer.c:2041 [inline]\n block_write_begin+0x93/0x1e0 fs/buffer.c:2102\n nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\n __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900\n generic_file_write_iter+0xab/0x310 mm/filemap.c:3932\n call_write_iter include/linux/fs.h:2186 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n ...\n \n\nThis patch fixes the root cause of this problem by replacing the error\ncode that __nilfs_btree_get_block() returns on block address conversion\nfailure from -ENOENT to another internal code -EINVAL which means that the\nb-tree metadata is corrupted.\n\nBy returning -EINVAL, it propagates without glitches, and for all relevant\nb-tree operations, functions in the upper bmap layer output an error\nmessage indicating corrupted b-tree metadata via\nnilfs_bmap_convert_error(), and code -EIO will be eventually returned as\nit should be.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52901", + "dataSource": "https://ubuntu.com/security/CVE-2023-52901", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52901" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52901", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52901", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08864dc14a6803f0377ca77b9740b26db30c020f", + "https://git.kernel.org/stable/c/2d2820d5f375563690c96e60676855205abfb7f5", + "https://git.kernel.org/stable/c/375be2dd61a072f7b1cac9b17eea59e07b58db3a", + "https://git.kernel.org/stable/c/66fc1600855c05c4ba4e997184c91cf298e0405c", + "https://git.kernel.org/stable/c/9891e5c73cab3fd9ed532dc50e9799e55e974766", + "https://git.kernel.org/stable/c/e8fb5bc76eb86437ab87002d4a36d6da02165654", + "https://git.kernel.org/stable/c/f39c813af0b64f44af94e435c07bfa1ddc2575f5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Check endpoint is valid before dereferencing it\n\nWhen the host controller is not responding, all URBs queued to all\nendpoints need to be killed. This can cause a kernel panic if we\ndereference an invalid endpoint.\n\nFix this by using xhci_get_virt_ep() helper to find the endpoint and\nchecking if the endpoint is valid before dereferencing it.\n\n[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead\n[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8\n\n[233311.853964] pc : xhci_hc_died+0x10c/0x270\n[233311.853971] lr : xhci_hc_died+0x1ac/0x270\n\n[233311.854077] Call trace:\n[233311.854085] xhci_hc_died+0x10c/0x270\n[233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4\n[233311.854105] call_timer_fn+0x50/0x2d4\n[233311.854112] expire_timers+0xac/0x2e4\n[233311.854118] run_timer_softirq+0x300/0xabc\n[233311.854127] __do_softirq+0x148/0x528\n[233311.854135] irq_exit+0x194/0x1a8\n[233311.854143] __handle_domain_irq+0x164/0x1d0\n[233311.854149] gic_handle_irq.22273+0x10c/0x188\n[233311.854156] el1_irq+0xfc/0x1a8\n[233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm]\n[233311.854185] cpuidle_enter_state+0x1f0/0x764\n[233311.854194] do_idle+0x594/0x6ac\n[233311.854201] cpu_startup_entry+0x7c/0x80\n[233311.854209] secondary_start_kernel+0x170/0x198", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52901" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52903", + "dataSource": "https://ubuntu.com/security/CVE-2023-52903", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52903" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52903", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52903", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/544d163d659d45a206d8929370d5a2984e546cb7", + "https://git.kernel.org/stable/c/7fc3990dad04a677606337ebc61964094d6cb41b", + "https://git.kernel.org/stable/c/de77faee280163ff03b7ab64af6c9d779a43d4c4", + "https://git.kernel.org/stable/c/ed4629d1e968359fbb91d0a3780b1e86a2c08845" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: lock overflowing for IOPOLL\n\nsyzbot reports an issue with overflow filling for IOPOLL:\n\nWARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\nCPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0\nWorkqueue: events_unbound io_ring_exit_work\nCall trace:\n io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\n io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773\n io_fill_cqe_req io_uring/io_uring.h:168 [inline]\n io_do_iopoll+0x474/0x62c io_uring/rw.c:1065\n io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513\n io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056\n io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869\n process_one_work+0x2d8/0x504 kernel/workqueue.c:2289\n worker_thread+0x340/0x610 kernel/workqueue.c:2436\n kthread+0x12c/0x158 kernel/kthread.c:376\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863\n\nThere is no real problem for normal IOPOLL as flush is also called with\nuring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,\nfor which __io_cqring_overflow_flush() happens from the CQ waiting path.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52903" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52904", + "dataSource": "https://ubuntu.com/security/CVE-2023-52904", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52904" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52904", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52904", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/92a9c0ad86d47ff4cce899012e355c400f02cfb8", + "https://git.kernel.org/stable/c/a474d4ad59cd4642d1b7e3a6c08cef9eca0992c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()\n\nThe subs function argument may be NULL, so do not use it before the NULL check.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52904" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52905", + "dataSource": "https://ubuntu.com/security/CVE-2023-52905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52905" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52905", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/53da7aec32982f5ee775b69dce06d63992ce4af3", + "https://git.kernel.org/stable/c/c8ca0ad10df08ea36bcac1288062d567d22604c9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix resource leakage in VF driver unbind\n\nresources allocated like mcam entries to support the Ntuple feature\nand hash tables for the tc feature are not getting freed in driver\nunbind. This patch fixes the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52906", + "dataSource": "https://ubuntu.com/security/CVE-2023-52906", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52906" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52906", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52906", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b157c3c5d6b8ddca48d53c9e662032f65af8d61", + "https://git.kernel.org/stable/c/453277feb41c2235cf2c0de9209eef962c401457", + "https://git.kernel.org/stable/c/8a97b544b98e44f596219ebb290fd2ba2fd5d644", + "https://git.kernel.org/stable/c/9e17f99220d111ea031b44153fdfe364b0024ff2", + "https://git.kernel.org/stable/c/9e2c38827cdc6fdd3bb375c8607fc04d289756f9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mpls: Fix warning during failed attribute validation\n\nThe 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a\nvalidation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid\ncombination according to the comment above 'struct nla_policy':\n\n\"\nMeaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:\n NLA_BINARY Validation function called for the attribute.\n All other Unused - but note that it's a union\n\"\n\nThis can trigger the warning [1] in nla_get_range_unsigned() when\nvalidation of the attribute fails. Despite being of 'NLA_U32' type, the\nassociated 'min'/'max' fields in the policy are negative as they are\naliased by the 'validate' field.\n\nFix by changing the attribute type to 'NLA_BINARY' which is consistent\nwith the above comment and all other users of NLA_POLICY_VALIDATE_FN().\nAs a result, move the length validation to the validation function.\n\nNo regressions in MPLS tests:\n\n # ./tdc.py -f tc-tests/actions/mpls.json\n [...]\n # echo $?\n 0\n\n[1]\nWARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118\nnla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\nModules linked in:\nCPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\n[...]\nCall Trace:\n \n __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310\n netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411\n netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]\n netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506\n netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546\n rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2482\n ___sys_sendmsg net/socket.c:2536 [inline]\n __sys_sendmsg+0x197/0x230 net/socket.c:2565\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52906" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52907", + "dataSource": "https://ubuntu.com/security/CVE-2023-52907", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52907" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52907", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52907", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ca78c99656f5c448567db1e148367aa3b01c80a", + "https://git.kernel.org/stable/c/321db5131c92983dac4f3338e8fbb6df214238c0", + "https://git.kernel.org/stable/c/35529d6b827eedb6bf7e81130e4b7e0aba9e58d2", + "https://git.kernel.org/stable/c/39ae73e581112cfe27ba50aecb1c891ce57cecb1", + "https://git.kernel.org/stable/c/8998db5021a28ad67aa8d627bdb4226e4046ccc4", + "https://git.kernel.org/stable/c/9424d2205fe94a095fb9365ec0c6137f0b394a2b", + "https://git.kernel.org/stable/c/9dab880d675b9d0dd56c6428e4e8352a3339371d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()\n\nFix a use-after-free that occurs in hcd when in_urb sent from\npn533_usb_send_frame() is completed earlier than out_urb. Its callback\nfrees the skb data in pn533_send_async_complete() that is used as a\ntransfer buffer of out_urb. Wait before sending in_urb until the\ncallback of out_urb is called. To modify the callback of out_urb alone,\nseparate the complete function of out_urb and ack_urb.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: use-after-free in dummy_timer\nCall Trace:\n memcpy (mm/kasan/shadow.c:65)\n dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)\n transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)\n dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)\n arch_static_branch (arch/x86/include/asm/jump_label.h:27)\n static_key_false (include/linux/jump_label.h:207)\n timer_expire_exit (include/trace/events/timer.h:127)\n call_timer_fn (kernel/time/timer.c:1475)\n expire_timers (kernel/time/timer.c:1519)\n __run_timers (kernel/time/timer.c:1790)\n run_timer_softirq (kernel/time/timer.c:1803)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52907" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52910", + "dataSource": "https://ubuntu.com/security/CVE-2023-52910", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52910" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52910", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52910", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/61cbf790e7329ed78877560be7136f0b911bba7f", + "https://git.kernel.org/stable/c/c929a230c84441e400c32e7b7b4ab763711fb63e", + "https://git.kernel.org/stable/c/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/iova: Fix alloc iova overflows issue\n\nIn __alloc_and_insert_iova_range, there is an issue that retry_pfn\noverflows. The value of iovad->anchor.pfn_hi is ~0UL, then when\niovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will\noverflow. As a result, if the retry logic is executed, low_pfn is\nupdated to 0, and then new_pfn < low_pfn returns false to make the\nallocation successful.\n\nThis issue occurs in the following two situations:\n1. The first iova size exceeds the domain size. When initializing\niova domain, iovad->cached_node is assigned as iovad->anchor. For\nexample, the iova domain size is 10M, start_pfn is 0x1_F000_0000,\nand the iova size allocated for the first time is 11M. The\nfollowing is the log information, new->pfn_lo is smaller than\niovad->cached_node.\n\nExample log as follows:\n[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nstart_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00\n[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nsuccess start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff\n\n2. The node with the largest iova->pfn_lo value in the iova domain\nis deleted, iovad->cached_node will be updated to iovad->anchor,\nand then the alloc iova size exceeds the maximum iova size that can\nbe allocated in the domain.\n\nAfter judging that retry_pfn is less than limit_pfn, call retry_pfn+1\nto fix the overflow issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52910" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52911", + "dataSource": "https://ubuntu.com/security/CVE-2023-52911", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52911" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52911", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52911", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00dd060ab3cf95ca6ede7853bc14397014971b5e", + "https://git.kernel.org/stable/c/b107b08c41b3076a508113fbaaffe15ce1fe7f65" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: another fix for the headless Adreno GPU\n\nFix another oops reproducible when rebooting the board with the Adreno\nGPU working in the headless mode (e.g. iMX platforms).\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\n[00000000] *pgd=74936831, *pte=00000000, *ppte=00000000\nInternal error: Oops: 17 [#1] ARM\nCPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11\nHardware name: Freescale i.MX53 (Device Tree Support)\nPC is at msm_atomic_commit_tail+0x50/0x970\nLR is at commit_tail+0x9c/0x188\npc : [] lr : [] psr: 600e0013\nsp : e0851d30 ip : ee4eb7eb fp : 00090acc\nr10: 00000058 r9 : c2193014 r8 : c4310000\nr7 : c4759380 r6 : 07bef61d r5 : 00000000 r4 : 00000000\nr3 : c44cc440 r2 : 00000000 r1 : 00000000 r0 : 00000000\nFlags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none\nControl: 10c5387d Table: 74910019 DAC: 00000051\nRegister r0 information: NULL pointer\nRegister r1 information: NULL pointer\nRegister r2 information: NULL pointer\nRegister r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024\nRegister r4 information: NULL pointer\nRegister r5 information: NULL pointer\nRegister r6 information: non-paged memory\nRegister r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128\nRegister r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048\nRegister r9 information: non-slab/vmalloc memory\nRegister r10 information: non-paged memory\nRegister r11 information: non-paged memory\nRegister r12 information: non-paged memory\nProcess reboot (pid: 51, stack limit = 0xc80046d9)\nStack: (0xe0851d30 to 0xe0852000)\n1d20: c4759380 fbd77200 000005ff 002b9c70\n1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058\n1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c\n1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468\n1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810\n1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00\n1de0: c4759380 c067ad20 c4310000 00000000 c44cc810 c27f8718 c44cc854 c067adb8\n1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854\n1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000\n1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60\n1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4\n1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000\n1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058\n1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028\n1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc\n1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000\n msm_atomic_commit_tail from commit_tail+0x9c/0x188\n commit_tail from drm_atomic_helper_commit+0x160/0x188\n drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0\n drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0\n drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140\n drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240\n device_shutdown from kernel_restart+0x38/0x90\n kernel_restart from __do_sys_reboot+0x\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52911" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52912", + "dataSource": "https://ubuntu.com/security/CVE-2023-52912", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52912" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52912", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52912", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/9196eb7c52e55749a332974f0081f77d53d60199", + "https://git.kernel.org/stable/c/99f1a36c90a7524972be5a028424c57fa17753ee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fixed bug on error when unloading amdgpu\n\nFixed bug on error when unloading amdgpu.\n\nThe error message is as follows:\n[ 377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!\n[ 377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G IOE 6.0.0-thomas #1\n[ 377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021\n[ 377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]\n[ 377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53\n[ 377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287\n[ 377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000\n[ 377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70\n[ 377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001\n[ 377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70\n[ 377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70\n[ 377.706325] FS: 00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000\n[ 377.706334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0\n[ 377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 377.706361] Call Trace:\n[ 377.706365] \n[ 377.706369] drm_buddy_free_list+0x2a/0x60 [drm_buddy]\n[ 377.706376] amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]\n[ 377.706572] amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]\n[ 377.706650] amdgpu_bo_fini+0x22/0x90 [amdgpu]\n[ 377.706727] gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]\n[ 377.706821] amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]\n[ 377.706897] amdgpu_driver_release_kms+0x12/0x30 [amdgpu]\n[ 377.706975] drm_dev_release+0x20/0x40 [drm]\n[ 377.707006] release_nodes+0x35/0xb0\n[ 377.707014] devres_release_all+0x8b/0xc0\n[ 377.707020] device_unbind_cleanup+0xe/0x70\n[ 377.707027] device_release_driver_internal+0xee/0x160\n[ 377.707033] driver_detach+0x44/0x90\n[ 377.707039] bus_remove_driver+0x55/0xe0\n[ 377.707045] pci_unregister_driver+0x3b/0x90\n[ 377.707052] amdgpu_exit+0x11/0x6c [amdgpu]\n[ 377.707194] __x64_sys_delete_module+0x142/0x2b0\n[ 377.707201] ? fpregs_assert_state_consistent+0x22/0x50\n[ 377.707208] ? exit_to_user_mode_prepare+0x3e/0x190\n[ 377.707215] do_syscall_64+0x38/0x90\n[ 377.707221] entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52912" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52913", + "dataSource": "https://ubuntu.com/security/CVE-2023-52913", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52913" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52913", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52913", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/afce71ff6daa9c0f852df0727fe32c6fb107f0fa", + "https://git.kernel.org/stable/c/b696c627b3f56e173f7f70b8487d66da8ff22506" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential context UAFs\n\ngem_context_register() makes the context visible to userspace, and which\npoint a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.\nSo we need to ensure that nothing uses the ctx ptr after this. And we\nneed to ensure that adding the ctx to the xarray is the *last* thing\nthat gem_context_register() does with the ctx pointer.\n\n[tursulin: Stable and fixes tags add/tidy.]\n(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52913" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6240", + "dataSource": "https://ubuntu.com/security/CVE-2023-6240", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6240" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6240", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:1881", + "https://access.redhat.com/errata/RHSA-2024:1882", + "https://access.redhat.com/errata/RHSA-2024:2758", + "https://access.redhat.com/errata/RHSA-2024:3414", + "https://access.redhat.com/errata/RHSA-2024:3421", + "https://access.redhat.com/errata/RHSA-2024:3618", + "https://access.redhat.com/errata/RHSA-2024:3627", + "https://access.redhat.com/security/cve/CVE-2023-6240", + "https://bugzilla.redhat.com/show_bug.cgi?id=2250843", + "https://people.redhat.com/~hkario/marvin/", + "https://security.netapp.com/advisory/ntap-20240628-0002/", + "https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself/" + ], + "description": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.2, + "impactScore": 4.2 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.2, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6240" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6356", + "dataSource": "https://ubuntu.com/security/CVE-2023-6356", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6356" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6356", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6356", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:0723", + "https://access.redhat.com/errata/RHSA-2024:0724", + "https://access.redhat.com/errata/RHSA-2024:0725", + "https://access.redhat.com/errata/RHSA-2024:0881", + "https://access.redhat.com/errata/RHSA-2024:0897", + "https://access.redhat.com/errata/RHSA-2024:1248", + "https://access.redhat.com/errata/RHSA-2024:2094", + "https://access.redhat.com/errata/RHSA-2024:3810", + "https://access.redhat.com/security/cve/CVE-2023-6356", + "https://bugzilla.redhat.com/show_bug.cgi?id=2254054", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://security.netapp.com/advisory/ntap-20240415-0002/" + ], + "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6356" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6535", + "dataSource": "https://ubuntu.com/security/CVE-2023-6535", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6535" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6535", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:0723", + "https://access.redhat.com/errata/RHSA-2024:0724", + "https://access.redhat.com/errata/RHSA-2024:0725", + "https://access.redhat.com/errata/RHSA-2024:0881", + "https://access.redhat.com/errata/RHSA-2024:0897", + "https://access.redhat.com/errata/RHSA-2024:1248", + "https://access.redhat.com/errata/RHSA-2024:2094", + "https://access.redhat.com/errata/RHSA-2024:3810", + "https://access.redhat.com/security/cve/CVE-2023-6535", + "https://bugzilla.redhat.com/show_bug.cgi?id=2254053", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://security.netapp.com/advisory/ntap-20240415-0003/" + ], + "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6535" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6536", + "dataSource": "https://ubuntu.com/security/CVE-2023-6536", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6536" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6536", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6536", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:0723", + "https://access.redhat.com/errata/RHSA-2024:0724", + "https://access.redhat.com/errata/RHSA-2024:0725", + "https://access.redhat.com/errata/RHSA-2024:0881", + "https://access.redhat.com/errata/RHSA-2024:0897", + "https://access.redhat.com/errata/RHSA-2024:1248", + "https://access.redhat.com/errata/RHSA-2024:2094", + "https://access.redhat.com/errata/RHSA-2024:3810", + "https://access.redhat.com/security/cve/CVE-2023-6536", + "https://bugzilla.redhat.com/show_bug.cgi?id=2254052", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://security.netapp.com/advisory/ntap-20240415-0001/" + ], + "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6536" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6610", + "dataSource": "https://ubuntu.com/security/CVE-2023-6610", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6610" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6610", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6610", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:0723", + "https://access.redhat.com/errata/RHSA-2024:0724", + "https://access.redhat.com/errata/RHSA-2024:0725", + "https://access.redhat.com/errata/RHSA-2024:0881", + "https://access.redhat.com/errata/RHSA-2024:0897", + "https://access.redhat.com/errata/RHSA-2024:1248", + "https://access.redhat.com/errata/RHSA-2024:1404", + "https://access.redhat.com/errata/RHSA-2024:2094", + "https://access.redhat.com/security/cve/CVE-2023-6610", + "https://bugzilla.kernel.org/show_bug.cgi?id=218219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2253614" + ], + "description": "An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.8, + "impactScore": 5.2 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.8, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6610" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6915", + "dataSource": "https://ubuntu.com/security/CVE-2023-6915", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6915" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6915", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6915", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2394", + "https://access.redhat.com/errata/RHSA-2024:2950", + "https://access.redhat.com/errata/RHSA-2024:3138", + "https://access.redhat.com/security/cve/CVE-2023-6915", + "https://bugzilla.redhat.com/show_bug.cgi?id=2254982", + "https://github.com/torvalds/linux/commit/af73483f4e8b6f5c68c9aa63257bdd929a9c194a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6915" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-0564", + "dataSource": "https://ubuntu.com/security/CVE-2024-0564", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0564" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0564", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2024-0564", + "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513", + "https://bugzilla.redhat.com/show_bug.cgi?id=2258514", + "https://link.springer.com/conference/wisa", + "https://wisa.or.kr/accepted" + ], + "description": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". Through these operations, the attacker can leak the victim's page.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0564" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-21803", + "dataSource": "https://ubuntu.com/security/CVE-2024-21803", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-21803" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-21803", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8081" + ], + "description": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.5, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-21803" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-21823", + "dataSource": "https://ubuntu.com/security/CVE-2024-21823", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-21823" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-21823", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-21823", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/15/1", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/", + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html" + ], + "description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable escalation of privilege local access", + "cvss": [ + { + "source": "secure@intel.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.1, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-21823" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-2193", + "dataSource": "https://ubuntu.com/security/CVE-2024-2193", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-2193" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-2193", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2193", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/12/14", + "https://download.vusec.net/papers/ghostrace_sec24.pdf", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=944d5fe50f3f03daacfea16300e656a1691c4a23", + "https://ibm.github.io/system-security-research-updates/2024/03/12/ghostrace", + "https://kb.cert.org/vuls/id/488902", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/", + "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html", + "https://www.kb.cert.org/vuls/id/488902", + "https://www.vusec.net/projects/ghostrace/", + "https://xenbits.xen.org/xsa/advisory-453.html" + ], + "description": "A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-2193" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-22386", + "dataSource": "https://ubuntu.com/security/CVE-2024-22386", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-22386" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-22386", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8147" + ], + "description": "A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 0.8, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-22386" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-23307", + "dataSource": "https://ubuntu.com/security/CVE-2024-23307", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-23307" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-23307", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=7975" + ], + "description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.7, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-23307" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-23848", + "dataSource": "https://ubuntu.com/security/CVE-2024-23848", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-23848" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-23848", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5%40xs4all.nl/" + ], + "description": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-23848" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24856", + "dataSource": "https://ubuntu.com/security/CVE-2024-24856", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24856" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24856", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24856", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8764" + ], + "description": "The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a\nsuccessful allocation, but the subsequent code directly dereferences the\npointer that receives it, which may lead to null pointer dereference.\n\nTo fix this issue, a null pointer check should be added. If it is null, \nreturn exception code AE_NO_MEMORY.", + "cvss": [ + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 0.8, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-24856" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24857", + "dataSource": "https://ubuntu.com/security/CVE-2024-24857", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24857" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24857", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8155", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 1.6, + "impactScore": 5.2 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.4, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-24857" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24858", + "dataSource": "https://ubuntu.com/security/CVE-2024-24858", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24858" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24858", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8154", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.4, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-24858" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24859", + "dataSource": "https://ubuntu.com/security/CVE-2024-24859", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24859" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24859", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8153" + ], + "description": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\n\n\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 1.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.4, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-24859" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24861", + "dataSource": "https://ubuntu.com/security/CVE-2024-24861", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24861" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24861", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8150", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", + "metrics": { + "baseScore": 6.3, + "exploitabilityScore": 1, + "impactScore": 5.2 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 0.8, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-24861" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24862", + "dataSource": "https://ubuntu.com/security/CVE-2024-24862", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24862" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24862", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24862", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-24862" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24863", + "dataSource": "https://ubuntu.com/security/CVE-2024-24863", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24863" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24863", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24863", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\nCVE-2024-24863 has been replaced by CVE-2024-36014.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-24863" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24864", + "dataSource": "https://ubuntu.com/security/CVE-2024-24864", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24864" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24864", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8178" + ], + "description": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 0.8, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-24864" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25739", + "dataSource": "https://ubuntu.com/security/CVE-2024-25739", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25739" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25739", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=68a24aba7c593eafa8fd00f2f76407b9b32b47a9", + "https://groups.google.com/g/syzkaller/c/Xl97YcQA4hg", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", + "https://www.spinics.net/lists/kernel/msg5074816.html" + ], + "description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-25739" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25740", + "dataSource": "https://ubuntu.com/security/CVE-2024-25740", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25740" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25740", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lore.kernel.org/lkml/0171b6cc-95ee-3538-913b-65a391a446b3%40huawei.com/T/" + ], + "description": "A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25740" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25741", + "dataSource": "https://ubuntu.com/security/CVE-2024-25741", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25741" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25741", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25741", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://www.spinics.net/lists/linux-usb/msg252167.html" + ], + "description": "printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25741" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25742", + "dataSource": "https://ubuntu.com/security/CVE-2024-25742", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25742" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25742", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25742", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.9", + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f", + "https://github.com/torvalds/linux/commit/e3ef461af35a8c74f2f4ce6616491ddb355a208f", + "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" + ], + "description": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2024-25742" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25743", + "dataSource": "https://ubuntu.com/security/CVE-2024-25743", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25743" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25743", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25743", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2270836", + "https://bugzilla.suse.com/show_bug.cgi?id=1223307", + "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" + ], + "description": "In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.8, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25743" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25744", + "dataSource": "https://ubuntu.com/security/CVE-2024-25744", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25744" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25744", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25744", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.7", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b82a8dbd3d2f4563156f7150c6f2ecab6e960b30" + ], + "description": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25744" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26595", + "dataSource": "https://ubuntu.com/security/CVE-2024-26595", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26595" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26595", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39", + "https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f", + "https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\n\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\n\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26595" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26605", + "dataSource": "https://ubuntu.com/security/CVE-2024-26605", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26605" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26605", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26605", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0f7908a016c092cfdaa16d785fa5099d867bc1a3", + "https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a1805515a20", + "https://git.kernel.org/stable/c/b0f4478838be1f1d330061201898fef65bf8fd7c", + "https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix deadlock when enabling ASPM\n\nA last minute revert in 6.7-final introduced a potential deadlock when\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\nlockdep:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.7.0 #40 Not tainted\n --------------------------------------------\n kworker/u16:5/90 is trying to acquire lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\n\n but task is already holding lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(pci_bus_sem);\n lock(pci_bus_sem);\n\n *** DEADLOCK ***\n\n Call trace:\n print_deadlock_bug+0x25c/0x348\n __lock_acquire+0x10a4/0x2064\n lock_acquire+0x1e8/0x318\n down_read+0x60/0x184\n pcie_aspm_pm_state_change+0x58/0xdc\n pci_set_full_power_state+0xa8/0x114\n pci_set_power_state+0xc4/0x120\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\n pci_walk_bus+0x64/0xbc\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\n\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\nX13s by adding a delay to increase the race window during asynchronous\nprobe where another thread can take a write lock.\n\nAdd a new pci_set_power_state_locked() and associated helper functions that\ncan be called with the PCI bus semaphore held to avoid taking the read lock\ntwice.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26605" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26607", + "dataSource": "https://ubuntu.com/security/CVE-2024-26607", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26607" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26607", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26607", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08ac6f132dd77e40f786d8af51140c96c6d739c9", + "https://git.kernel.org/stable/c/2a4c6af7934a7b4c304542c38fee35e09cc1770c", + "https://git.kernel.org/stable/c/56f96cf6eb11a1c2d594367c3becbfb06a855ec1", + "https://git.kernel.org/stable/c/e0f83c234ea7a3dec1f84e5d02caa1c51664a076" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: sii902x: Fix probing race issue\n\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\n\n[ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x]\n[ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm]\n[ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[ 53.326401] drm_client_register+0x5c/0xa0 [drm]\n[ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[ 53.336881] tidss_probe+0x128/0x264 [tidss]\n[ 53.341174] platform_probe+0x68/0xc4\n[ 53.344841] really_probe+0x188/0x3c4\n[ 53.348501] __driver_probe_device+0x7c/0x16c\n[ 53.352854] driver_probe_device+0x3c/0x10c\n[ 53.357033] __device_attach_driver+0xbc/0x158\n[ 53.361472] bus_for_each_drv+0x88/0xe8\n[ 53.365303] __device_attach+0xa0/0x1b4\n[ 53.369135] device_initial_probe+0x14/0x20\n[ 53.373314] bus_probe_device+0xb0/0xb4\n[ 53.377145] deferred_probe_work_func+0xcc/0x124\n[ 53.381757] process_one_work+0x1f0/0x518\n[ 53.385770] worker_thread+0x1e8/0x3dc\n[ 53.389519] kthread+0x11c/0x120\n[ 53.392750] ret_from_fork+0x10/0x20\n\nThe issue here is as follows:\n\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\n DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n However, the sii902x driver has not set up the i2c part yet, leading\n to the crash.\n\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26607" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26629", + "dataSource": "https://ubuntu.com/security/CVE-2024-26629", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26629" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26629", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26629", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8f5b860de87039b007e84a28a5eefc888154e098", + "https://git.kernel.org/stable/c/99fb654d01dc3f08b5905c663ad6c89a9d83302f", + "https://git.kernel.org/stable/c/b7d2eee1f53899b53f069bba3a59a419fc3d331b", + "https://git.kernel.org/stable/c/c6f8b3fcc62725e4129f2c0fd550d022d4a7685a", + "https://git.kernel.org/stable/c/e4cf8941664cae2f89f0189c29fe2ce8c6be0d03", + "https://git.kernel.org/stable/c/edcf9725150e42beeca42d085149f4c88fa97afd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix RELEASE_LOCKOWNER\n\nThe test on so_count in nfsd4_release_lockowner() is nonsense and\nharmful. Revert to using check_for_locks(), changing that to not sleep.\n\nFirst: harmful.\nAs is documented in the kdoc comment for nfsd4_release_lockowner(), the\ntest on so_count can transiently return a false positive resulting in a\nreturn of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is\nclearly a protocol violation and with the Linux NFS client it can cause\nincorrect behaviour.\n\nIf RELEASE_LOCKOWNER is sent while some other thread is still\nprocessing a LOCK request which failed because, at the time that request\nwas received, the given owner held a conflicting lock, then the nfsd\nthread processing that LOCK request can hold a reference (conflock) to\nthe lock owner that causes nfsd4_release_lockowner() to return an\nincorrect error.\n\nThe Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it\nnever sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so\nit knows that the error is impossible. It assumes the lock owner was in\nfact released so it feels free to use the same lock owner identifier in\nsome later locking request.\n\nWhen it does reuse a lock owner identifier for which a previous RELEASE\nfailed, it will naturally use a lock_seqid of zero. However the server,\nwhich didn't release the lock owner, will expect a larger lock_seqid and\nso will respond with NFS4ERR_BAD_SEQID.\n\nSo clearly it is harmful to allow a false positive, which testing\nso_count allows.\n\nThe test is nonsense because ... well... it doesn't mean anything.\n\nso_count is the sum of three different counts.\n1/ the set of states listed on so_stateids\n2/ the set of active vfs locks owned by any of those states\n3/ various transient counts such as for conflicting locks.\n\nWhen it is tested against '2' it is clear that one of these is the\ntransient reference obtained by find_lockowner_str_locked(). It is not\nclear what the other one is expected to be.\n\nIn practice, the count is often 2 because there is precisely one state\non so_stateids. If there were more, this would fail.\n\nIn my testing I see two circumstances when RELEASE_LOCKOWNER is called.\nIn one case, CLOSE is called before RELEASE_LOCKOWNER. That results in\nall the lock states being removed, and so the lockowner being discarded\n(it is removed when there are no more references which usually happens\nwhen the lock state is discarded). When nfsd4_release_lockowner() finds\nthat the lock owner doesn't exist, it returns success.\n\nThe other case shows an so_count of '2' and precisely one state listed\nin so_stateid. It appears that the Linux client uses a separate lock\nowner for each file resulting in one lock state per lock owner, so this\ntest on '2' is safe. For another client it might not be safe.\n\nSo this patch changes check_for_locks() to use the (newish)\nfind_any_file_locked() so that it doesn't take a reference on the\nnfs4_file and so never calls nfsd_file_put(), and so never sleeps. With\nthis check is it safe to restore the use of check_for_locks() rather\nthan testing so_count against the mysterious '2'.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26629" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26639", + "dataSource": "https://ubuntu.com/security/CVE-2024-26639", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26639" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26639", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26639", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26639" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26642", + "dataSource": "https://ubuntu.com/security/CVE-2024-26642", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26642" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26642", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26642", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16603605b667b70da974bea8216c93e7db043bf1", + "https://git.kernel.org/stable/c/72c1efe3f247a581667b7d368fff3bd9a03cd57a", + "https://git.kernel.org/stable/c/7cdc1be24cc1bcd56a3e89ac4aef20e31ad09199", + "https://git.kernel.org/stable/c/8e07c16695583a66e81f67ce4c46e94dece47ba7", + "https://git.kernel.org/stable/c/c0c2176d1814b92ea4c8e7eb7c9cd94cd99c1b12", + "https://git.kernel.org/stable/c/e4988d8415bd0294d6f9f4a1e7095f8b50a97ca9", + "https://git.kernel.org/stable/c/e9a0d3f376eb356d54ffce36e7cc37514cbfbd6f", + "https://git.kernel.org/stable/c/fe40ffbca19dc70d7c6b1e3c77b9ccb404c57351", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow anonymous set with timeout flag\n\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26642" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26647", + "dataSource": "https://ubuntu.com/security/CVE-2024-26647", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26647" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26647", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26647", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3bb9b1f958c3d986ed90a3ff009f1e77e9553207", + "https://git.kernel.org/stable/c/6aa5ede6665122f4c8abce3c6eba06b49e54d25c", + "https://git.kernel.org/stable/c/cf656fc7276e5b3709a81bc9d9639459be2b2647" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()'\n\nIn link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc'\nwas dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc'\nNULL pointer check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/link_dpms.c:905 link_set_dsc_pps_packet() warn: variable dereferenced before check 'dsc' (see line 903)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26647" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26648", + "dataSource": "https://ubuntu.com/security/CVE-2024-26648", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26648" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26648", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26648", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/22ae604aea14756954e1c00ae653e34d2afd2935", + "https://git.kernel.org/stable/c/7073934f5d73f8b53308963cee36f0d389ea857c", + "https://git.kernel.org/stable/c/c02d257c654191ecda1dc1af6875d527e85310e7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()\n\nIn edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay'\nwas dereferenced before the pointer 'link' & 'replay' NULL check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26648" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26654", + "dataSource": "https://ubuntu.com/security/CVE-2024-26654", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26654" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26654", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26654", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457", + "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04", + "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2", + "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901", + "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5", + "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046", + "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845", + "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3", + "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n (Thread 1) | (Thread 2)\nsnd_aicapcm_pcm_close() |\n ... | run_spu_dma() //worker\n | mod_timer()\n flush_work() |\n del_timer() | aica_period_elapsed() //timer\n kfree(dreamcastcard->channel) | schedule_work()\n | run_spu_dma() //worker\n ... | dreamcastcard->channel-> //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26654" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26656", + "dataSource": "https://ubuntu.com/security/CVE-2024-26656", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26656" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26656", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26656", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/22207fd5c80177b860279653d017474b2812af5e", + "https://git.kernel.org/stable/c/22f665ecfd1225afa1309ace623157d12bb9bb0c", + "https://git.kernel.org/stable/c/af054a5fb24a144f99895afce9519d709891894c", + "https://git.kernel.org/stable/c/e87e08c94c9541b4e18c4c13f2f605935f512605" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free bug\n\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung .\nFor example the following code:\n\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\n\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\n\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\n\n[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[ +0.000010] Call Trace:\n[ +0.000006] \n[ +0.000007] ? show_regs+0x6a/0x80\n[ +0.000018] ? __warn+0xa5/0x1b0\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000018] ? report_bug+0x24a/0x290\n[ +0.000022] ? handle_bug+0x46/0x90\n[ +0.000015] ? exc_invalid_op+0x19/0x50\n[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20\n[ +0.000017] ? kasan_save_stack+0x26/0x50\n[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? __kasan_check_read+0x11/0x20\n[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[ +0.004291] ? do_syscall_64+0x5f/0xe0\n[ +0.000023] ? srso_return_thunk+0x5/0x5f\n[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]\n[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004270] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20\n[ +0.000015] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0\n[ +0.000020] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]\n[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26656" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26658", + "dataSource": "https://ubuntu.com/security/CVE-2024-26658", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26658" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26658", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26658", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec", + "https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: grab s_umount only if snapshotting\n\nWhen I was testing mongodb over bcachefs with compression,\nthere is a lockdep warning when snapshotting mongodb data volume.\n\n$ cat test.sh\nprog=bcachefs\n\n$prog subvolume create /mnt/data\n$prog subvolume create /mnt/data/snapshots\n\nwhile true;do\n $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\n sleep 1s\ndone\n\n$ cat /etc/mongodb.conf\nsystemLog:\n destination: file\n logAppend: true\n path: /mnt/data/mongod.log\n\nstorage:\n dbPath: /mnt/data/\n\nlockdep reports:\n[ 3437.452330] ======================================================\n[ 3437.452750] WARNING: possible circular locking dependency detected\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G E\n[ 3437.453562] ------------------------------------------------------\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\n[ 3437.454875]\n but task is already holding lock:\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.456009]\n which lock already depends on the new lock.\n\n[ 3437.456553]\n the existing dependency chain (in reverse order) is:\n[ 3437.457054]\n -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\n[ 3437.457507] down_read+0x3e/0x170\n[ 3437.457772] bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.458206] __x64_sys_ioctl+0x93/0xd0\n[ 3437.458498] do_syscall_64+0x42/0xf0\n[ 3437.458779] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.459155]\n -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\n[ 3437.459615] down_read+0x3e/0x170\n[ 3437.459878] bch2_truncate+0x82/0x110 [bcachefs]\n[ 3437.460276] bchfs_truncate+0x254/0x3c0 [bcachefs]\n[ 3437.460686] notify_change+0x1f1/0x4a0\n[ 3437.461283] do_truncate+0x7f/0xd0\n[ 3437.461555] path_openat+0xa57/0xce0\n[ 3437.461836] do_filp_open+0xb4/0x160\n[ 3437.462116] do_sys_openat2+0x91/0xc0\n[ 3437.462402] __x64_sys_openat+0x53/0xa0\n[ 3437.462701] do_syscall_64+0x42/0xf0\n[ 3437.462982] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.463359]\n -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\n[ 3437.463843] down_write+0x3b/0xc0\n[ 3437.464223] bch2_write_iter+0x5b/0xcc0 [bcachefs]\n[ 3437.464493] vfs_write+0x21b/0x4c0\n[ 3437.464653] ksys_write+0x69/0xf0\n[ 3437.464839] do_syscall_64+0x42/0xf0\n[ 3437.465009] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.465231]\n -> #0 (sb_writers#10){.+.+}-{0:0}:\n[ 3437.465471] __lock_acquire+0x1455/0x21b0\n[ 3437.465656] lock_acquire+0xc6/0x2b0\n[ 3437.465822] mnt_want_write+0x46/0x1a0\n[ 3437.465996] filename_create+0x62/0x190\n[ 3437.466175] user_path_create+0x2d/0x50\n[ 3437.466352] bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\n[ 3437.466617] __x64_sys_ioctl+0x93/0xd0\n[ 3437.466791] do_syscall_64+0x42/0xf0\n[ 3437.466957] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.467180]\n other info that might help us debug this:\n\n[ 3437.469670] 2 locks held by bcachefs/35533:\n other info that might help us debug this:\n\n[ 3437.467507] Chain exists of:\n sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\n\n[ 3437.467979] Possible unsafe locking scenario:\n\n[ 3437.468223] CPU0 CPU1\n[ 3437.468405] ---- ----\n[ 3437.468585] rlock(&type->s_umount_key#48);\n[ 3437.468758] lock(&c->snapshot_create_lock);\n[ 3437.469030] lock(&type->s_umount_key#48);\n[ 3437.469291] rlock(sb_writers#10);\n[ 3437.469434]\n *** DEADLOCK ***\n\n[ 3437.469\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26658" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26661", + "dataSource": "https://ubuntu.com/security/CVE-2024-26661", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26661" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26661", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26661", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a", + "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667", + "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\n\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26661" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26662", + "dataSource": "https://ubuntu.com/security/CVE-2024-26662", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26662" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26662", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26662", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c863cab0e9173f8b6c7bc328bee3b8625f131b5", + "https://git.kernel.org/stable/c/2e150ccea13129eb048679114808eb9770443e4d", + "https://git.kernel.org/stable/c/e96fddb32931d007db12b1fce9b5e8e4c080401b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'\n\n'panel_cntl' structure used to control the display panel could be null,\ndereferencing it could lead to a null pointer access.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26662" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26669", + "dataSource": "https://ubuntu.com/security/CVE-2024-26669", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26669" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26669", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26669", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32f2a0afa95fae0d1ceec2ff06e0e816939964b8", + "https://git.kernel.org/stable/c/9ed46144cff3598a5cf79955630e795ff9af5b97", + "https://git.kernel.org/stable/c/c04709b2cc99ae31c346f79f0211752d7b74df01" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: Fix chain template offload\n\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\n\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\n\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\n\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\n\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[......\n 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc+0x4e/0x90\n [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n [] ___sys_sendmsg+0x13a/0x1e0\n [] __sys_sendmsg+0x11c/0x1f0\n [] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8.....\n 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m....\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc_node+0x51/0x90\n [] kvmalloc_node+0xa6/0x1f0\n [] bucket_table_alloc.isra.0+0x83/0x460\n [] rhashtable_init+0x43b/0x7c0\n [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26669" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26672", + "dataSource": "https://ubuntu.com/security/CVE-2024-26672", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26672" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26672", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26672", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4f32504a2f85a7b40fe149436881381f48e9c0c0", + "https://git.kernel.org/stable/c/7b5d58c07024516c0e81b95e98f37710cf402c53" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368)\n\n357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev,\n\t\t\t\t enum amdgpu_mca_error_type type,\n358 int idx, struct mca_bank_entry *entry)\n359 {\n360 const struct amdgpu_mca_smu_funcs *mca_funcs =\n\t\t\t\t\t\tadev->mca.mca_funcs;\n361 int count;\n362\n363 switch (type) {\n364 case AMDGPU_MCA_ERROR_TYPE_UE:\n365 count = mca_funcs->max_ue_count;\n\nmca_funcs is dereferenced here.\n\n366 break;\n367 case AMDGPU_MCA_ERROR_TYPE_CE:\n368 count = mca_funcs->max_ce_count;\n\nmca_funcs is dereferenced here.\n\n369 break;\n370 default:\n371 return -EINVAL;\n372 }\n373\n374 if (idx >= count)\n375 return -EINVAL;\n376\n377 if (mca_funcs && mca_funcs->mca_get_mca_entry)\n\t ^^^^^^^^^\n\nChecked too late!", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26672" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26677", + "dataSource": "https://ubuntu.com/security/CVE-2024-26677", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26677" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26677", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26677", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/200cb50b9e154434470c8969d32474d38475acc2", + "https://git.kernel.org/stable/c/63719f490e6a89896e9a463d2b45e8203eab23ae", + "https://git.kernel.org/stable/c/e7870cf13d20f56bfc19f9c3e89707c69cf104ef" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix delayed ACKs to not set the reference serial number\n\nFix the construction of delayed ACKs to not set the reference serial number\nas they can't be used as an RTT reference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26677" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26680", + "dataSource": "https://ubuntu.com/security/CVE-2024-26680", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26680" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26680", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26680", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/004fe5b7f59286a926a45e0cafc7870e9cdddd56", + "https://git.kernel.org/stable/c/2e7d3b67630dfd8f178c41fa2217aa00e79a5887", + "https://git.kernel.org/stable/c/466ceebe48cbba3f4506f165fca7111f9eb8bb12", + "https://git.kernel.org/stable/c/e42e334c645575be5432adee224975d4f536fdb1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: Fix DMA mapping for PTP hwts ring\n\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\n\nTrace:\n[ 215.351607] ------------[ cut here ]------------\n[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[ 215.581176] Call Trace:\n[ 215.583632] \n[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.594497] ? debug_dma_free_coherent+0x196/0x210\n[ 215.599305] ? check_unmap+0xa6f/0x2360\n[ 215.603147] ? __warn+0xca/0x1d0\n[ 215.606391] ? check_unmap+0xa6f/0x2360\n[ 215.610237] ? report_bug+0x1ef/0x370\n[ 215.613921] ? handle_bug+0x3c/0x70\n[ 215.617423] ? exc_invalid_op+0x14/0x50\n[ 215.621269] ? asm_exc_invalid_op+0x16/0x20\n[ 215.625480] ? check_unmap+0xa6f/0x2360\n[ 215.629331] ? mark_lock.part.0+0xca/0xa40\n[ 215.633445] debug_dma_free_coherent+0x196/0x210\n[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10\n[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0\n[ 215.648060] dma_free_attrs+0x6d/0x130\n[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]\n[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[ 216.127540] ---[ end trace 6467e5964dd2640b ]---\n[ 216.132160] DMA-API: Mapped at:\n[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0\n[ 216.132165] dma_alloc_attrs+0xf5/0x1b0\n[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-26680" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26686", + "dataSource": "https://ubuntu.com/security/CVE-2024-26686", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26686" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26686", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26686", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071", + "https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305", + "https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\n\nlock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\n\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26686" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26687", + "dataSource": "https://ubuntu.com/security/CVE-2024-26687", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26687" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26687", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26687", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd", + "https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4", + "https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5", + "https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44", + "https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b", + "https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3", + "https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: close evtchn after mapping cleanup\n\nshutdown_pirq and startup_pirq are not taking the\nirq_mapping_update_lock because they can't due to lock inversion. Both\nare called with the irq_desc->lock being taking. The lock order,\nhowever, is first irq_mapping_update_lock and then irq_desc->lock.\n\nThis opens multiple races:\n- shutdown_pirq can be interrupted by a function that allocates an event\n channel:\n\n CPU0 CPU1\n shutdown_pirq {\n xen_evtchn_close(e)\n __startup_pirq {\n EVTCHNOP_bind_pirq\n -> returns just freed evtchn e\n set_evtchn_to_irq(e, irq)\n }\n xen_irq_info_cleanup() {\n set_evtchn_to_irq(e, -1)\n }\n }\n\n Assume here event channel e refers here to the same event channel\n number.\n After this race the evtchn_to_irq mapping for e is invalid (-1).\n\n- __startup_pirq races with __unbind_from_irq in a similar way. Because\n __startup_pirq doesn't take irq_mapping_update_lock it can grab the\n evtchn that __unbind_from_irq is currently freeing and cleaning up. In\n this case even though the event channel is allocated, its mapping can\n be unset in evtchn_to_irq.\n\nThe fix is to first cleanup the mappings and then close the event\nchannel. In this way, when an event channel gets allocated it's\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\nThis is also the reverse order of the allocation where first the event\nchannel is allocated and then the mappings are setup.\n\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\"xen/events: modify internal\n[un]bind interfaces\"), we hit a BUG like the following during probing of NVMe\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\nis called for every device which results in a call to shutdown_pirq.\nWith many nvme devices it's therefore likely to hit this race during\nboot because there will be multiple calls to shutdown_pirq and\nstartup_pirq are running potentially in parallel.\n\n ------------[ cut here ]------------\n blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\n kernel BUG at drivers/xen/events/events_base.c:499!\n invalid opcode: 0000 [#1] SMP PTI\n CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\n Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\n Workqueue: nvme-reset-wq nvme_reset_work\n RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\n Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\n RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\n RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\n RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\n FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? set_affinity_irq+0xdc/0x1c0\n ? __die_body.cold+0x8/0xd\n ? die+0x2b/0x50\n ? do_trap+0x90/0x110\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? do_error_trap+0x65/0x80\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? exc_invalid_op+0x4e/0x70\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? asm_exc_invalid_op+0x12/0x20\n ? bind_evtchn_to_cpu+0xdf/0x\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26687" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26691", + "dataSource": "https://ubuntu.com/security/CVE-2024-26691", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26691" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26691", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26691", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10c02aad111df02088d1a81792a709f6a7eca6cc", + "https://git.kernel.org/stable/c/3ab1c40a1e915e350d9181a4603af393141970cc", + "https://git.kernel.org/stable/c/3d16cebf01127f459dcfeb79ed77bd68b124c228" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix circular locking dependency\n\nThe rule inside kvm enforces that the vcpu->mutex is taken *inside*\nkvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires\nthe kvm->lock while already holding the vcpu->mutex lock from\nkvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by\nprotecting the hyp vm handle with the config_lock, much like we already\ndo for other forms of VM-scoped data.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26691" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26699", + "dataSource": "https://ubuntu.com/security/CVE-2024-26699", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26699" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26699", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26699", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/46806e59a87790760870d216f54951a5b4d545bc", + "https://git.kernel.org/stable/c/ca400d8e0c1c9d79c08dfb6b7f966e26c8cae7fb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr\n\n[Why]\nThere is a potential memory access violation while\niterating through array of dcn35 clks.\n\n[How]\nLimit iteration per array size.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26699" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26700", + "dataSource": "https://ubuntu.com/security/CVE-2024-26700", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26700" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26700", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26700", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238", + "https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f", + "https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5", + "https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix MST Null Ptr for RV\n\nThe change try to fix below error specific to RV platform:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\nHardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n ? _copy_to_user+0x25/0x30\n ? drm_ioctl+0x296/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n drm_ioctl_kernel+0xcd/0x170\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x60/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4dad17f76f\nCode: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>\nRSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f\nRDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b\nRBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc\nR13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0\n \nModules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >\n typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>\nCR2: 0000000000000008\n---[ end trace 0000000000000000 ]---\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26700" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26714", + "dataSource": "https://ubuntu.com/security/CVE-2024-26714", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26714" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26714", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26714", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6616d3c4f8284a7b3ef978c916566bd240cea1c7", + "https://git.kernel.org/stable/c/7a3a70dd08e4b7dffc2f86f2c68fc3812804b9d0", + "https://git.kernel.org/stable/c/85e985a4f46e462a37f1875cb74ed380e7c0c2e0", + "https://git.kernel.org/stable/c/d8e36ff40cf9dadb135f3a97341c02c9a7afcc43" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: sc8180x: Mark CO0 BCM keepalive\n\nThe CO0 BCM needs to be up at all times, otherwise some hardware (like\nthe UFS controller) loses its connection to the rest of the SoC,\nresulting in a hang of the platform, accompanied by a spectacular\nlogspam.\n\nMark it as keepalive to prevent such cases.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26714" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26718", + "dataSource": "https://ubuntu.com/security/CVE-2024-26718", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26718" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26718", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26718", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189", + "https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257", + "https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94", + "https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt, dm-verity: disable tasklets\n\nTasklets have an inherent problem with memory corruption. The function\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\nthe structure that contains the tasklet or if it calls some code that may\nfree it, tasklet_unlock will write into free memory.\n\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\nit is not a sufficient fix and the data corruption can still happen [1].\nThere is no fix for dm-verity and dm-verity will write into free memory\nwith every tasklet-processed bio.\n\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. They\nwill have better interface and they will not suffer from the memory\ncorruption problem.\n\nBut we need something that stops the memory corruption now and that can be\nbackported to the stable kernels. So, I'm proposing this commit that\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn't\nremove the tasklet support, because the tasklet code will be reused when\natomic workqueues will be implemented.\n\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26718" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26719", + "dataSource": "https://ubuntu.com/security/CVE-2024-26719", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26719" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26719", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26719", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39126abc5e20611579602f03b66627d7cd1422f0", + "https://git.kernel.org/stable/c/985d053f7633d8b539ab1531738d538efac678a9", + "https://git.kernel.org/stable/c/cc0037fa592d56e4abb9c7d1c52c4d2dc25cd906" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: offload fence uevents work to workqueue\n\nThis should break the deadlock between the fctx lock and the irq lock.\n\nThis offloads the processing off the work from the irq into a workqueue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26719" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26726", + "dataSource": "https://ubuntu.com/security/CVE-2024-26726", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26726" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26726", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26726", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555", + "https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade", + "https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7", + "https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't drop extent_map for free space inode on write error\n\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\n\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n \n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again. However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping. Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\n\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping. This is\nnormal for normal files, but the free space cache inode is special. We\nalways expect the extent map to be correct. Thus the second time\nthrough we end up with a bogus extent map.\n\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\n\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce. With this patch in place we no longer panic\nwith my error injection test.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26726" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26727", + "dataSource": "https://ubuntu.com/security/CVE-2024-26727", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26727" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26727", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26727", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f", + "https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468", + "https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d", + "https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430", + "https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb", + "https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not ASSERT() if the newly created subvolume already got read\n\n[BUG]\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\ncreation:\n\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/disk-io.c:1319!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\n \n btrfs_get_new_fs_root+0xd3/0xf0\n create_subvol+0xd02/0x1650\n btrfs_mksubvol+0xe95/0x12b0\n __btrfs_ioctl_snap_create+0x2f9/0x4f0\n btrfs_ioctl_snap_create+0x16b/0x200\n btrfs_ioctl+0x35f0/0x5cf0\n __x64_sys_ioctl+0x19d/0x210\n do_syscall_64+0x3f/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nDuring create_subvol(), after inserting root item for the newly created\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\nbtrfs_root of that subvolume.\n\nThe idea here is, we have preallocated an anonymous device number for\nthe subvolume, thus we can assign it to the new subvolume.\n\nBut there is really nothing preventing things like backref walk to read\nthe new subvolume.\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\nwould be read out, with a new anonymous device number assigned already.\n\nIn that case, we would trigger ASSERT(), as we really expect no one to\nread out that subvolume (which is not yet accessible from the fs).\nBut things like backref walk is still possible to trigger the read on\nthe subvolume.\n\nThus our assumption on the ASSERT() is not correct in the first place.\n\n[FIX]\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\nto 0, and continue.\n\nIf the subvolume tree is read out by something else, it should have\nalready get a new anon_dev assigned thus we only need to free the\npreallocated one.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26727" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26739", + "dataSource": "https://ubuntu.com/security/CVE-2024-26739", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26739" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26739", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26739", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210", + "https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d", + "https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: don't override retval if we already lost the skb\n\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\n\nMove the retval override to the error path which actually need it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26739" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26740", + "dataSource": "https://ubuntu.com/security/CVE-2024-26740", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26740" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26740", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26740", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17", + "https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be", + "https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: use the backlog for mirred ingress\n\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\n\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\n\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26740" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26742", + "dataSource": "https://ubuntu.com/security/CVE-2024-26742", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26742" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26742", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26742", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe", + "https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df", + "https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a", + "https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix disable_managed_interrupts\n\nCorrect blk-mq registration issue with module parameter\ndisable_managed_interrupts enabled.\n\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\nundefined behavior.\n\nStack Trace:\n[ 7.860089] scsi host2: smartpqi\n[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\n[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\n[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\n[ 7.963026] Workqueue: events work_for_cpu_fn\n[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\n[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\n[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\n[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\n[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\n[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00\n[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\n[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\n[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\n[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\n[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8.172818] PKRU: 55555554\n[ 8.172819] Call Trace:\n[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310\n[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245\n[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]\n[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.323286] local_pci_probe+0x42/0x80\n[ 8.337855] work_for_cpu_fn+0x16/0x20\n[ 8.351193] process_one_work+0x1a7/0x360\n[ 8.364462] ? create_worker+0x1a0/0x1a0\n[ 8.379252] worker_thread+0x1ce/0x390\n[ 8.392623] ? create_worker+0x1a0/0x1a0\n[ 8.406295] kthread+0x10a/0x120\n[ 8.418428] ? set_kthread_struct+0x50/0x50\n[ 8.431532] ret_from_fork+0x1f/0x40\n[ 8.444137] ---[ end trace 1bf0173d39354506 ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26742" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26756", + "dataSource": "https://ubuntu.com/security/CVE-2024-26756", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26756" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26756", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26756", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417", + "https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't register sync_thread for reshape directly\n\nCurrently, if reshape is interrupted, then reassemble the array will\nregister sync_thread directly from pers->run(), in this case\n'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\nbecause 'MD_RECOVERY_RUNNING' can't be cleared.\n\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\nhowever, following hang can still be triggered by dm-raid test\nshell/lvconvert-raid-reshape.sh occasionally:\n\n[root@fedora ~]# cat /proc/1982/stack\n[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]\n[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\n[<0>] raid_presuspend+0x1e/0x70 [dm_raid]\n[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\n[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]\n[<0>] dm_destroy+0x16/0x30 [dm_mod]\n[<0>] dev_remove+0x165/0x290 [dm_mod]\n[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\n[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]\n[<0>] vfs_ioctl+0x21/0x60\n[<0>] __x64_sys_ioctl+0xb9/0xe0\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nMeanwhile mddev->recovery is:\nMD_RECOVERY_RUNNING |\nMD_RECOVERY_INTR |\nMD_RECOVERY_RESHAPE |\nMD_RECOVERY_FROZEN\n\nFix this problem by remove the code to register sync_thread directly\nfrom raid10 and raid5. And let md_check_recovery() to register\nsync_thread.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26756" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26757", + "dataSource": "https://ubuntu.com/security/CVE-2024-26757", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26757" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26757", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26757", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3", + "https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore read-only array in md_check_recovery()\n\nUsually if the array is not read-write, md_check_recovery() won't\nregister new sync_thread in the first place. And if the array is\nread-write and sync_thread is registered, md_set_readonly() will\nunregister sync_thread before setting the array read-only. md/raid\nfollow this behavior hence there is no problem.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) array is read-only. dm-raid update super block:\nrs_update_sbs\n ro = mddev->ro\n mddev->ro = 0\n -> set array read-write\n md_update_sb\n\n2) register new sync thread concurrently.\n\n3) dm-raid set array back to read-only:\nrs_update_sbs\n mddev->ro = ro\n\n4) stop the array:\nraid_dtr\n md_stop\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n5) sync thread done:\n md_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n6) daemon thread can't unregister sync thread:\n md_check_recovery\n if (!md_is_rdwr(mddev) &&\n !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))\n return;\n -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;\n\nThe root cause is that dm-raid manipulate 'mddev->ro' by itself,\nhowever, dm-raid really should stop sync thread before setting the\narray read-only. Unfortunately, I need to read more code before I\ncan refacter the handler of 'mddev->ro' in dm-raid, hence let's fix\nthe problem the easy way for now to prevent dm-raid regression.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26757" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26758", + "dataSource": "https://ubuntu.com/security/CVE-2024-26758", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26758" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26758", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26758", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757", + "https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore suspended array in md_check_recovery()\n\nmddev_suspend() never stop sync_thread, hence it doesn't make sense to\nignore suspended array in md_check_recovery(), which might cause\nsync_thread can't be unregistered.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) suspend the array:\nraid_postsuspend\n mddev_suspend\n\n2) stop the array:\nraid_dtr\n md_stop\n __md_stop_writes\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n3) sync thread done:\nmd_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n4) daemon thread can't unregister sync thread:\nmd_check_recovery\n if (mddev->suspended)\n return; -> return directly\n md_read_sync_thread\n clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);\n -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;\n\nThis problem is not just related to dm-raid, fix it by ignoring\nsuspended array in md_check_recovery(). And follow up patches will\nimprove dm-raid better to frozen sync thread during suspend.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26758" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26759", + "dataSource": "https://ubuntu.com/security/CVE-2024-26759", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26759" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26759", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26759", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458", + "https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95", + "https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a", + "https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix race when skipping swapcache\n\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\nswapin the same entry at the same time, they get different pages (A, B). \nBefore one thread (T0) finishes the swapin and installs page (A) to the\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\nentry, then swap out the possibly modified page reusing the same entry. \nIt breaks the pte_same check in (T0) because PTE value is unchanged,\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\nPTE and cause data corruption.\n\nOne possible callstack is like this:\n\nCPU0 CPU1\n---- ----\ndo_swap_page() do_swap_page() with same entry\n \n \nswap_read_folio() <- read to page A swap_read_folio() <- read to page B\n \n... set_pte_at()\n swap_free() <- entry is free\n \n \npte_same() <- Check pass, PTE seems\n unchanged, but page A\n is stalled!\nswap_free() <- page B content lost!\nset_pte_at() <- staled page A installed!\n\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\nentry content, so even if page (B) is not modified, if swap_read_folio()\non CPU0 happens later than swap_free() on CPU1, it may also cause data\nloss.\n\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\nthe cache flag, and allow only one thread to swap it in, also prevent any\nparallel code from putting the entry in the cache. Release the pin after\nPT unlocked.\n\nRacers just loop and wait since it's a rare and very short event. A\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\nfaults wasting too much CPU, causing livelock or adding too much noise to\nperf statistics. A similar livelock issue was described in commit\n029c4628b2eb (\"mm: swap: get rid of livelock in swapin readahead\")\n\nReproducer:\n\nThis race issue can be triggered easily using a well constructed\nreproducer and patched brd (with a delay in read path) [1]:\n\nWith latest 6.8 mainline, race caused data loss can be observed easily:\n$ gcc -g -lpthread test-thread-swap-race.c && ./a.out\n Polulating 32MB of memory region...\n Keep swapping out...\n Starting round 0...\n Spawning 65536 workers...\n 32746 workers spawned, wait for done...\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\n Round 0 Failed, 15 data loss!\n\nThis reproducer spawns multiple threads sharing the same memory region\nusing a small swap device. Every two threads updates mapped pages one by\none in opposite direction trying to create a race, with one dedicated\nthread keep swapping out the data out using madvise.\n\nThe reproducer created a reproduce rate of about once every 5 minutes, so\nthe race should be totally possible in production.\n\nAfter this patch, I ran the reproducer for over a few hundred rounds and\nno data loss observed.\n\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\nzram:\n\nBefore: 10934698 us\nAfter: 11157121 us\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\n\n[kasong@tencent.com: v4]\n Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26759" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26767", + "dataSource": "https://ubuntu.com/security/CVE-2024-26767", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26767" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26767", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26767", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738", + "https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375", + "https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fixed integer types and null check locations\n\n[why]:\nissues fixed:\n- comparison with wider integer type in loop condition which can cause\ninfinite loops\n- pointer dereference before null check", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26767" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26770", + "dataSource": "https://ubuntu.com/security/CVE-2024-26770", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26770" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26770", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26770", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100", + "https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183", + "https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.\n\n[jkosina@suse.com: tweak changelog a bit]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26770" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26775", + "dataSource": "https://ubuntu.com/security/CVE-2024-26775", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26775" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26775", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26775", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77", + "https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26", + "https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c", + "https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: avoid potential deadlock at set_capacity\n\nMove set_capacity() outside of the section procected by (&d->lock).\nTo avoid possible interrupt unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n[1] lock(&bdev->bd_size_lock);\n local_irq_disable();\n [2] lock(&d->lock);\n [3] lock(&bdev->bd_size_lock);\n \n[4] lock(&d->lock);\n\n *** DEADLOCK ***\n\nWhere [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().\n[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\nis trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.\nIn this situation an attempt to acquire [4]lock(&d->lock) from\naoecmd_cfg_rsp() will lead to deadlock.\n\nSo the simplest solution is breaking lock dependency\n[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()\noutside.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26775" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26800", + "dataSource": "https://ubuntu.com/security/CVE-2024-26800", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26800" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26800", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26800", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0", + "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1", + "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe", + "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26800" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26807", + "dataSource": "https://ubuntu.com/security/CVE-2024-26807", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26807" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26807", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26807", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61", + "https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc", + "https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBoth cadence-quadspi ->runtime_suspend() and ->runtime_resume()\nimplementations start with:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nThis obviously cannot be correct, unless \"struct cqspi_st\" is the\nfirst member of \" struct spi_controller\", or the other way around, but\nit is not the case. \"struct spi_controller\" is allocated by\ndevm_spi_alloc_host(), which allocates an extra amount of memory for\nprivate data, used to store \"struct cqspi_st\".\n\nThe ->probe() function of the cadence-quadspi driver then sets the\ndevice drvdata to store the address of the \"struct cqspi_st\"\nstructure. Therefore:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\nis correct, but:\n\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nis not, as it makes \"host\" point not to a \"struct spi_controller\" but\nto the same \"struct cqspi_st\" structure as above.\n\nThis obviously leads to bad things (memory corruption, kernel crashes)\ndirectly during ->probe(), as ->probe() enables the device using PM\nruntime, leading the ->runtime_resume() hook being called, which in\nturns calls spi_controller_resume() with the wrong pointer.\n\nThis has at least been reported [0] to cause a kernel crash, but the\nexact behavior will depend on the memory contents.\n\n[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/\n\nThis issue potentially affects all platforms that are currently using\nthe cadence-quadspi driver.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26807" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26810", + "dataSource": "https://ubuntu.com/security/CVE-2024-26810", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26810" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26810", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26810", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03505e3344b0576fd619416793a31eae9c5b73bf", + "https://git.kernel.org/stable/c/04a4a017b9ffd7b0f427b8c376688d14cb614651", + "https://git.kernel.org/stable/c/1e71b6449d55179170efc8dee8664510bb813b42", + "https://git.kernel.org/stable/c/3dd9be6cb55e0f47544e7cdda486413f7134e3b3", + "https://git.kernel.org/stable/c/3fe0ac10bd117df847c93408a9d428a453cd60e5", + "https://git.kernel.org/stable/c/6fe478d855b20ac1eb5da724afe16af5a2aaaa40", + "https://git.kernel.org/stable/c/810cd4bb53456d0503cc4e7934e063835152c1b7", + "https://git.kernel.org/stable/c/ec73e079729258a05452356cf6d098bf1504d5a6", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Lock external INTx masking ops\n\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl. Create wrappers that add locking for\npaths outside of the core interrupt code.\n\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate. For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\n\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured. A subsequent patch introduces synchronization for\nthe latter flows.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26810" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26811", + "dataSource": "https://ubuntu.com/security/CVE-2024-26811", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26811" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26811", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26811", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/51a6c2af9d20203ddeeaf73314ba8854b38d01bd", + "https://git.kernel.org/stable/c/76af689a45aa44714b46d1a7de4ffdf851ded896", + "https://git.kernel.org/stable/c/88b7f1143b15b29cccb8392b4f38e75b7bb3e300", + "https://git.kernel.org/stable/c/a637fabac554270a851033f5ab402ecb90bc479c", + "https://git.kernel.org/stable/c/a677ebd8ca2f2632ccdecbad7b87641274e15aac" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate payload size in ipc response\n\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\nresponse to ksmbd kernel server. ksmbd should validate payload size of\nipc response from ksmbd.mountd to avoid memory overrun or\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26811" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26812", + "dataSource": "https://ubuntu.com/security/CVE-2024-26812", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26812" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26812", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26812", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034", + "https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d", + "https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897", + "https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834", + "https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c", + "https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e", + "https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3", + "https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those. The igate mutex cannot be acquired from the\natomic context of the eventfd wake function. Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd. Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26812" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26813", + "dataSource": "https://ubuntu.com/security/CVE-2024-26813", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26813" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26813", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26813", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e", + "https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5", + "https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29", + "https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086", + "https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375", + "https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362", + "https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a", + "https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path. This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal. This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it's guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26813" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26814", + "dataSource": "https://ubuntu.com/security/CVE-2024-26814", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26814" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26814", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26814", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/083e750c9f5f4c3bf61161330fb84d7c8e8bb417", + "https://git.kernel.org/stable/c/250219c6a556f8c69c5910fca05a59037e24147d", + "https://git.kernel.org/stable/c/6ec0d88166dac43f29e96801c0927d514f17add9", + "https://git.kernel.org/stable/c/7447d911af699a15f8d050dfcb7c680a86f87012", + "https://git.kernel.org/stable/c/a563fc18583ca4f42e2fdd0c70c7c618288e7ede", + "https://git.kernel.org/stable/c/de87511fb0404d23b6da5f4660383b6ed095e28d", + "https://git.kernel.org/stable/c/ee0bd4ad780dfbb60355b99f25063357ab488267", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/fsl-mc: Block calling interrupt handler without trigger\n\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the user sets the trigger\neventfd to -1. The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger. The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\n\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26814" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26817", + "dataSource": "https://ubuntu.com/security/CVE-2024-26817", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26817" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26817", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c33d11153949310d76631d8f4a4736519eacd3a", + "https://git.kernel.org/stable/c/315eb3c2df7e4cb18e3eacfa18a53a46f2bf0ef7", + "https://git.kernel.org/stable/c/3b0daecfeac0103aba8b293df07a0cbaf8b43f29", + "https://git.kernel.org/stable/c/8b0564704255c6b3c6a7188e86939f754e1577c0", + "https://git.kernel.org/stable/c/cbac7de1d9901521e78cdc34e15451df3611f2ad", + "https://git.kernel.org/stable/c/e6721ea845fcb93a764a92bd40f1afc0d6c69751", + "https://git.kernel.org/stable/c/e6768c6737f4c02cba193a3339f0cc2907f0b86a", + "https://git.kernel.org/stable/c/fcbd99b3c73309107e3be71f20dff9414df64f91", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\namdkfd: use calloc instead of kzalloc to avoid integer overflow\n\nThis uses calloc instead of doing the multiplication which might\noverflow.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26817" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26822", + "dataSource": "https://ubuntu.com/security/CVE-2024-26822", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26822" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26822", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26822", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4508ec17357094e2075f334948393ddedbb75157", + "https://git.kernel.org/stable/c/7590ba9057c6d74c66f3b909a383ec47cd2f27fb", + "https://git.kernel.org/stable/c/c2aa2718cda2d56b4a551cb40043e9abc9684626" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: set correct id, uid and cruid for multiuser automounts\n\nWhen uid, gid and cruid are not specified, we need to dynamically\nset them into the filesystem context used for automounting otherwise\nthey'll end up reusing the values from the parent mount.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26822" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26828", + "dataSource": "https://ubuntu.com/security/CVE-2024-26828", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26828" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26828", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26828", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512", + "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204", + "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301", + "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need. However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t. That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26828" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26830", + "dataSource": "https://ubuntu.com/security/CVE-2024-26830", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26830" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26830", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26830", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c981792e4ccbc134b468797acdd7781959e6893", + "https://git.kernel.org/stable/c/73d9629e1c8c1982f13688c4d1019c3994647ccc", + "https://git.kernel.org/stable/c/be147926140ac48022c9605d7ab0a67387e4b404", + "https://git.kernel.org/stable/c/d250a81ba813a93563be68072c563aa1e346346d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not allow untrusted VF to remove administratively set MAC\n\nCurrently when PF administratively sets VF's MAC address and the VF\nis put down (VF tries to delete all MACs) then the MAC is removed\nfrom MAC filters and primary VF MAC is zeroed.\n\nDo not allow untrusted VF to remove primary MAC when it was set\nadministratively by PF.\n\nReproducer:\n1) Create VF\n2) Set VF interface up\n3) Administratively set the VF's MAC\n4) Put VF interface down\n\n[root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs\n[root@host ~]# ip link set enp2s0f0v0 up\n[root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\n[root@host ~]# ip link set enp2s0f0v0 down\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-26830" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26837", + "dataSource": "https://ubuntu.com/security/CVE-2024-26837", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26837" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26837", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26837", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2d5b4b3376fa146a23917b8577064906d643925f", + "https://git.kernel.org/stable/c/603be95437e7fd85ba694e75918067fb9e7754db", + "https://git.kernel.org/stable/c/dc489f86257cab5056e747344f17a164f63bff4b", + "https://git.kernel.org/stable/c/e0b4c5b1d760008f1dd18c07c35af0442e54f9c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: switchdev: Skip MDB replays of deferred events on offload\n\nBefore this change, generation of the list of MDB events to replay\nwould race against the creation of new group memberships, either from\nthe IGMP/MLD snooping logic or from user configuration.\n\nWhile new memberships are immediately visible to walkers of\nbr->mdb_list, the notification of their existence to switchdev event\nsubscribers is deferred until a later point in time. So if a replay\nlist was generated during a time that overlapped with such a window,\nit would also contain a replay of the not-yet-delivered event.\n\nThe driver would thus receive two copies of what the bridge internally\nconsidered to be one single event. On destruction of the bridge, only\na single membership deletion event was therefore sent. As a\nconsequence of this, drivers which reference count memberships (at\nleast DSA), would be left with orphan groups in their hardware\ndatabase when the bridge was destroyed.\n\nThis is only an issue when replaying additions. While deletion events\nmay still be pending on the deferred queue, they will already have\nbeen removed from br->mdb_list, so no duplicates can be generated in\nthat scenario.\n\nTo a user this meant that old group memberships, from a bridge in\nwhich a port was previously attached, could be reanimated (in\nhardware) when the port joined a new bridge, without the new bridge's\nknowledge.\n\nFor example, on an mv88e6xxx system, create a snooping bridge and\nimmediately add a port to it:\n\n root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\\n > ip link set dev x3 up master br0\n\nAnd then destroy the bridge:\n\n root@infix-06-0b-00:~$ ip link del dev br0\n root@infix-06-0b-00:~$ mvls atu\n ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a\n DEV:0 Marvell 88E6393X\n 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . .\n 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . .\n ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a\n root@infix-06-0b-00:~$\n\nThe two IPv6 groups remain in the hardware database because the\nport (x3) is notified of the host's membership twice: once via the\noriginal event and once via a replay. Since only a single delete\nnotification is sent, the count remains at 1 when the bridge is\ndestroyed.\n\nThen add the same port (or another port belonging to the same hardware\ndomain) to a new bridge, this time with snooping disabled:\n\n root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\\n > ip link set dev x3 up master br1\n\nAll multicast, including the two IPv6 groups from br0, should now be\nflooded, according to the policy of br1. But instead the old\nmemberships are still active in the hardware database, causing the\nswitch to only forward traffic to those groups towards the CPU (port\n0).\n\nEliminate the race in two steps:\n\n1. Grab the write-side lock of the MDB while generating the replay\n list.\n\nThis prevents new memberships from showing up while we are generating\nthe replay list. But it leaves the scenario in which a deferred event\nwas already generated, but not delivered, before we grabbed the\nlock. Therefore:\n\n2. Make sure that no deferred version of a replay event is already\n enqueued to the switchdev deferred queue, before adding it to the\n replay list, when replaying additions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26837" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26842", + "dataSource": "https://ubuntu.com/security/CVE-2024-26842", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26842" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26842", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26842", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe", + "https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb", + "https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()\n\nWhen task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<\ntask_tag will out of bounds for a u32 mask. Fix this up to prevent\nSHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).\n\n[name:debug_monitors&]Unexpected kernel BRK exception at EL1\n[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP\n[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done\n[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000\n[name:mrdump&]PHYS_OFFSET: 0x80000000\n[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)\n[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288\n[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n[name:mrdump&]sp : ffffffc0081471b0\n\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler\nCall trace:\n dump_backtrace+0xf8/0x144\n show_stack+0x18/0x24\n dump_stack_lvl+0x78/0x9c\n dump_stack+0x18/0x44\n mrdump_common_die+0x254/0x480 [mrdump]\n ipanic_die+0x20/0x30 [mrdump]\n notify_die+0x15c/0x204\n die+0x10c/0x5f8\n arm64_notify_die+0x74/0x13c\n do_debug_exception+0x164/0x26c\n el1_dbg+0x64/0x80\n el1h_64_sync_handler+0x3c/0x90\n el1h_64_sync+0x68/0x6c\n ufshcd_clear_cmd+0x280/0x288\n ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n ufshcd_exec_dev_cmd+0x5bc/0x9ac\n ufshcd_verify_dev_init+0x84/0x1c8\n ufshcd_probe_hba+0x724/0x1ce0\n ufshcd_host_reset_and_restore+0x260/0x574\n ufshcd_reset_and_restore+0x138/0xbd0\n ufshcd_err_handler+0x1218/0x2f28\n process_one_work+0x5fc/0x1140\n worker_thread+0x7d8/0xe20\n kthread+0x25c/0x468\n ret_from_fork+0x10/0x20", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26842" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26844", + "dataSource": "https://ubuntu.com/security/CVE-2024-26844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26844", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956", + "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6", + "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b", + "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix WARNING in _copy_from_iter\n\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzcaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\n\nThus the iovec is used in both directions.\n\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26844" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26848", + "dataSource": "https://ubuntu.com/security/CVE-2024-26848", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26848" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26848", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26848", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/058ed71e0f7aa3b6694ca357e23d084e5d3f2470", + "https://git.kernel.org/stable/c/106e14ca55a0acb3236ee98813a1d243f8aa2d05", + "https://git.kernel.org/stable/c/2afdd0cb02329464d77f3ec59468395c791a51a4", + "https://git.kernel.org/stable/c/5c78be006ed9cb735ac2abf4fd64f3f4ea26da31", + "https://git.kernel.org/stable/c/5f7a07646655fb4108da527565dcdc80124b14c4", + "https://git.kernel.org/stable/c/76426abf9b980b46983f97de8e5b25047b4c9863", + "https://git.kernel.org/stable/c/80b15346492bdba677bbb0adefc611910e505f7b", + "https://git.kernel.org/stable/c/854ebf45a4ddd4cadeffb6644e88d19020634e1a", + "https://git.kernel.org/stable/c/96370ba395c572ef496fd2c7afc4a1ab3dedd3f0", + "https://git.kernel.org/stable/c/9c41f4935625218a2053a2dce1423c3054169809", + "https://git.kernel.org/stable/c/a6ffae61ad9ebf2fdcb943135b2f30c85f49cd27", + "https://git.kernel.org/stable/c/b94f434fe977689da4291dc21717790b9bd1c064", + "https://git.kernel.org/stable/c/f67898867b6b0f4542cddc7fe57997978b948a7a", + "https://git.kernel.org/stable/c/fe02316e4933befc621fa125efb8f8b4d04cceec", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix endless loop in directory parsing\n\nIf a directory has a block with only \".__afsXXXX\" files in it (from\nuncompleted silly-rename), these .__afsXXXX files are skipped but without\nadvancing the file position in the dir_context. This leads to\nafs_dir_iterate() repeating the block again and again.\n\nFix this by making the code that skips the .__afsXXXX file also manually\nadvance the file position.\n\nThe symptoms are a soft lookup:\n\n watchdog: BUG: soft lockup - CPU#3 stuck for 52s! [check:5737]\n ...\n RIP: 0010:afs_dir_iterate_block+0x39/0x1fd\n ...\n ? watchdog_timer_fn+0x1a6/0x213\n ...\n ? asm_sysvec_apic_timer_interrupt+0x16/0x20\n ? afs_dir_iterate_block+0x39/0x1fd\n afs_dir_iterate+0x10a/0x148\n afs_readdir+0x30/0x4a\n iterate_dir+0x93/0xd3\n __do_sys_getdents64+0x6b/0xd4\n\nThis is almost certainly the actual fix for:\n\n https://bugzilla.kernel.org/show_bug.cgi?id=218496", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26848" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26853", + "dataSource": "https://ubuntu.com/security/CVE-2024-26853", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26853" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26853", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26853", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b3b8231386a572bac8cd5b6fd7e944b84f9bb1f", + "https://git.kernel.org/stable/c/63a3c1f3c9ecc654d851e7906d05334cd0c236e2", + "https://git.kernel.org/stable/c/8df393af9e7e8dfd62e9c41dbaa4d2ff53bf794a", + "https://git.kernel.org/stable/c/ef27f655b438bed4c83680e4f01e1cde2739854b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: avoid returning frame twice in XDP_REDIRECT\n\nWhen a frame can not be transmitted in XDP_REDIRECT\n(e.g. due to a full queue), it is necessary to free\nit by calling xdp_return_frame_rx_napi.\n\nHowever, this is the responsibility of the caller of\nthe ndo_xdp_xmit (see for example bq_xmit_all in\nkernel/bpf/devmap.c) and thus calling it inside\nigc_xdp_xmit (which is the ndo_xdp_xmit of the igc\ndriver) as well will lead to memory corruption.\n\nIn fact, bq_xmit_all expects that it can return all\nframes after the last successfully transmitted one.\nTherefore, break for the first not transmitted frame,\nbut do not call xdp_return_frame_rx_napi in igc_xdp_xmit.\nThis is equally implemented in other Intel drivers\nsuch as the igb.\n\nThere are two alternatives to this that were rejected:\n1. Return num_frames as all the frames would have been\n transmitted and release them inside igc_xdp_xmit.\n While it might work technically, it is not what\n the return value is meant to represent (i.e. the\n number of SUCCESSFULLY transmitted packets).\n2. Rework kernel/bpf/devmap.c and all drivers to\n support non-consecutively dropped packets.\n Besides being complex, it likely has a negative\n performance impact without a significant gain\n since it is anyway unlikely that the next frame\n can be transmitted if the previous one was dropped.\n\nThe memory corruption can be reproduced with\nthe following script which leads to a kernel panic\nafter a few seconds. It basically generates more\ntraffic than a i225 NIC can transmit and pushes it\nvia XDP_REDIRECT from a virtual interface to the\nphysical interface where frames get dropped.\n\n #!/bin/bash\n INTERFACE=enp4s0\n INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`\n\n sudo ip link add dev veth1 type veth peer name veth2\n sudo ip link set up $INTERFACE\n sudo ip link set up veth1\n sudo ip link set up veth2\n\n cat << EOF > redirect.bpf.c\n\n SEC(\"prog\")\n int redirect(struct xdp_md *ctx)\n {\n return bpf_redirect($INTERFACE_IDX, 0);\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o\n sudo ip link set veth2 xdp obj redirect.bpf.o\n\n cat << EOF > pass.bpf.c\n\n SEC(\"prog\")\n int pass(struct xdp_md *ctx)\n {\n return XDP_PASS;\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o\n sudo ip link set $INTERFACE xdp obj pass.bpf.o\n\n cat << EOF > trafgen.cfg\n\n {\n /* Ethernet Header */\n 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,\n 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,\n const16(ETH_P_IP),\n\n /* IPv4 Header */\n 0b01000101, 0, # IPv4 version, IHL, TOS\n const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header))\n const16(2), # IPv4 ident\n 0b01000000, 0, # IPv4 flags, fragmentation off\n 64, # IPv4 TTL\n 17, # Protocol UDP\n csumip(14, 33), # IPv4 checksum\n\n /* UDP Header */\n 10, 0, 1, 1, # IP Src - adapt as needed\n 10, 0, 1, 2, # IP Dest - adapt as needed\n const16(6666), # UDP Src Port\n const16(6666), # UDP Dest Port\n const16(1008), # UDP length (UDP header 8 bytes + payload length)\n csumudp(14, 34), # UDP checksum\n\n /* Payload */\n fill('W', 1000),\n }\n EOF\n\n sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26853" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26866", + "dataSource": "https://ubuntu.com/security/CVE-2024-26866", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26866" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26866", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26866", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1543418e82789cc383cd36d41469983c64e3fc7f", + "https://git.kernel.org/stable/c/2ae0ab0143fcc06190713ed81a6486ed0ad3c861", + "https://git.kernel.org/stable/c/996ce839606afd0fef91355627868022aa73eb68", + "https://git.kernel.org/stable/c/da83ed350e4604b976e94239b08d8e2e7eaee7ea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: lpspi: Avoid potential use-after-free in probe()\n\nfsl_lpspi_probe() is allocating/disposing memory manually with\nspi_alloc_host()/spi_alloc_target(), but uses\ndevm_spi_register_controller(). In case of error after the latter call the\nmemory will be explicitly freed in the probe function by\nspi_controller_put() call, but used afterwards by \"devm\" management outside\nprobe() (spi_unregister_controller() <- devm_spi_unregister() below).\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\n...\nCall trace:\n kernfs_find_ns\n kernfs_find_and_get_ns\n sysfs_remove_group\n sysfs_remove_groups\n device_remove_attrs\n device_del\n spi_unregister_controller\n devm_spi_unregister\n release_nodes\n devres_release_all\n really_probe\n driver_probe_device\n __device_attach_driver\n bus_for_each_drv\n __device_attach\n device_initial_probe\n bus_probe_device\n deferred_probe_work_func\n process_one_work\n worker_thread\n kthread\n ret_from_fork", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26866" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26869", + "dataSource": "https://ubuntu.com/security/CVE-2024-26869", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26869" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26869", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26869", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04226d8e3c4028dc451e9d8777356ec0f7919253", + "https://git.kernel.org/stable/c/77bfdb89cc222fc7bfe198eda77bdc427d5ac189", + "https://git.kernel.org/stable/c/9f0c4a46be1fe9b97dbe66d49204c1371e3ece65", + "https://git.kernel.org/stable/c/c92f2927df860a60ba815d3ee610a944b92a8694" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate meta inode pages forcely\n\nBelow race case can cause data corruption:\n\nThread A\t\t\t\tGC thread\n\t\t\t\t\t- gc_data_segment\n\t\t\t\t\t - ra_data_block\n\t\t\t\t\t - locked meta_inode page\n- f2fs_inplace_write_data\n - invalidate_mapping_pages\n : fail to invalidate meta_inode page\n due to lock failure or dirty|writeback\n status\n - f2fs_submit_page_bio\n : write last dirty data to old blkaddr\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t - load old data from meta_inode page\n\t\t\t\t\t - f2fs_submit_page_write\n\t\t\t\t\t : write old data to new blkaddr\n\nBecause invalidate_mapping_pages() will skip invalidating page which\nhas unclear status including locked, dirty, writeback and so on, so\nwe need to use truncate_inode_pages_range() instead of\ninvalidate_mapping_pages() to make sure meta_inode page will be dropped.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26869" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26876", + "dataSource": "https://ubuntu.com/security/CVE-2024-26876", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26876" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26876", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26876", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/28a94271bd50e4cf498df0381f776f8ea40a289e", + "https://git.kernel.org/stable/c/955c1252930677762e0db2b6b9e36938c887445c", + "https://git.kernel.org/stable/c/aeedaee5ef5468caf59e2bb1265c2116e0c9a924" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: adv7511: fix crash on irq during probe\n\nMoved IRQ registration down to end of adv7511_probe().\n\nIf an IRQ already is pending during adv7511_probe\n(before adv7511_cec_init) then cec_received_msg_ts\ncould crash using uninitialized data:\n\n Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5\n Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP\n Call trace:\n cec_received_msg_ts+0x48/0x990 [cec]\n adv7511_cec_irq_process+0x1cc/0x308 [adv7511]\n adv7511_irq_process+0xd8/0x120 [adv7511]\n adv7511_irq_handler+0x1c/0x30 [adv7511]\n irq_thread_fn+0x30/0xa0\n irq_thread+0x14c/0x238\n kthread+0x190/0x1a8", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26876" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26886", + "dataSource": "https://ubuntu.com/security/CVE-2024-26886", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26886" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26886", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26886", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c9e2df022ef8b9d7fac58a04a2ef4ed25288955", + "https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c", + "https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e205a01f7", + "https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae", + "https://git.kernel.org/stable/c/f7b94bdc1ec107c92262716b073b3e816d4784fb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: af_bluetooth: Fix deadlock\n\nAttemting to do sock_lock on .recvmsg may cause a deadlock as shown\nbellow, so instead of using sock_sock this uses sk_receive_queue.lock\non bt_sock_ioctl to avoid the UAF:\n\nINFO: task kworker/u9:1:121 blocked for more than 30 seconds.\n Not tainted 6.7.6-lemon #183\nWorkqueue: hci0 hci_rx_work\nCall Trace:\n \n __schedule+0x37d/0xa00\n schedule+0x32/0xe0\n __lock_sock+0x68/0xa0\n ? __pfx_autoremove_wake_function+0x10/0x10\n lock_sock_nested+0x43/0x50\n l2cap_sock_recv_cb+0x21/0xa0\n l2cap_recv_frame+0x55b/0x30a0\n ? psi_task_switch+0xeb/0x270\n ? finish_task_switch.isra.0+0x93/0x2a0\n hci_rx_work+0x33a/0x3f0\n process_one_work+0x13a/0x2f0\n worker_thread+0x2f0/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe0/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2024-26886" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26893", + "dataSource": "https://ubuntu.com/security/CVE-2024-26893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26893" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26893", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d276d9f335f41d6524258d58c0c0241ef9a83a4", + "https://git.kernel.org/stable/c/857f56db8c3a71f9871922b6984ff74ad588cb2c", + "https://git.kernel.org/stable/c/8ffaa17ccb1eb1b65cf85db63225a3581c303773", + "https://git.kernel.org/stable/c/ead445dd3d681020af333649a27306160eee761d", + "https://git.kernel.org/stable/c/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\n\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\n\n | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n | arm-scmi firmware:scmi: unable to communicate with SCMI\n | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n | Mem abort info:\n | ESR = 0x0000000096000004\n | EC = 0x25: DABT (current EL), IL = 32 bits\n | SET = 0, FnV = 0\n | EA = 0, S1PTW = 0\n | FSC = 0x04: level 0 translation fault\n | Data abort info:\n | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n | CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n | Modules linked in:\n | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n | Hardware name: FVP Base RevC (DT)\n | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n | pc : smc_chan_free+0x3c/0x6c\n | lr : smc_chan_free+0x3c/0x6c\n | Call trace:\n | smc_chan_free+0x3c/0x6c\n | idr_for_each+0x68/0xf8\n | scmi_cleanup_channels.isra.0+0x2c/0x58\n | scmi_probe+0x434/0x734\n | platform_probe+0x68/0xd8\n | really_probe+0x110/0x27c\n | __driver_probe_device+0x78/0x12c\n | driver_probe_device+0x3c/0x118\n | __driver_attach+0x74/0x128\n | bus_for_each_dev+0x78/0xe0\n | driver_attach+0x24/0x30\n | bus_add_driver+0xe4/0x1e8\n | driver_register+0x60/0x128\n | __platform_driver_register+0x28/0x34\n | scmi_driver_init+0x84/0xc0\n | do_one_initcall+0x78/0x33c\n | kernel_init_freeable+0x2b8/0x51c\n | kernel_init+0x24/0x130\n | ret_from_fork+0x10/0x20\n | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n | ---[ end trace 0000000000000000 ]---\n\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\n\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26896", + "dataSource": "https://ubuntu.com/security/CVE-2024-26896", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26896" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26896", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26896", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/12f00a367b2b62756e0396f14b54c2c15524e1c3", + "https://git.kernel.org/stable/c/3a71ec74e5e3478d202a1874f085ca3ef40be49b", + "https://git.kernel.org/stable/c/a1f57a0127b89a6b6620514564aa7eaec16d9af3", + "https://git.kernel.org/stable/c/b8cfb7c819dd39965136a66fe3a7fde688d976fc", + "https://git.kernel.org/stable/c/dadbb5d29d6c5f571a50272fce8c1505a9559487" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix memory leak when starting AP\n\nKmemleak reported this error:\n\n unreferenced object 0xd73d1180 (size 184):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.245s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 1e 00 01 00 00 00 00 00 ................\n backtrace:\n [<5ca11420>] kmem_cache_alloc+0x20c/0x5ac\n [<127bdd74>] __alloc_skb+0x144/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n [<69954f45>] __sys_sendmsg+0x64/0xa8\n unreferenced object 0xce087000 (size 1024):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.246s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 10 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............\n backtrace:\n [<9a993714>] __kmalloc_track_caller+0x230/0x600\n [] kmalloc_reserve.constprop.0+0x30/0x74\n [] __alloc_skb+0xa0/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n\nHowever, since the kernel is build optimized, it seems the stack is not\naccurate. It appears the issue is related to wfx_set_mfp_ap(). The issue\nis obvious in this function: memory allocated by ieee80211_beacon_get()\nis never released. Fixing this leak makes kmemleak happy.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26896" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26900", + "dataSource": "https://ubuntu.com/security/CVE-2024-26900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26900" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26900", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4c1021ce46fc2fb6115f7e79d353941e6dcad366", + "https://git.kernel.org/stable/c/6cf350658736681b9d6b0b6e58c5c76b235bb4c4", + "https://git.kernel.org/stable/c/6d32c832a88513f65c2c2c9c75954ee8b387adea", + "https://git.kernel.org/stable/c/9fd0198f7ef06ae0d6636fb0578560857dead995", + "https://git.kernel.org/stable/c/beaf11969fd5cbe6f09cefaa34df1ce8578e8dd9", + "https://git.kernel.org/stable/c/f3a1787dc48213f6caea5ba7d47e0222e7fa34a9", + "https://git.kernel.org/stable/c/fb5b347efd1bda989846ffc74679d181222fb123", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix kmemleak of rdev->serial\n\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\n\nunreferenced object 0xffff88815a350000 (size 49152):\n comm \"mdadm\", pid 789, jiffies 4294716910\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc f773277a):\n [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n [<0000000085086a11>] vfs_ioctl+0x22/0x60\n [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n [<00000000e54e675e>] do_syscall_64+0x71/0x150\n [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-26900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26905", + "dataSource": "https://ubuntu.com/security/CVE-2024-26905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26905" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26905", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26917", + "dataSource": "https://ubuntu.com/security/CVE-2024-26917", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26917" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26917", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26917", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2209fc6e3d7727d787dc6ef9baa1e9eae6b1295b", + "https://git.kernel.org/stable/c/25675159040bffc7992d5163f3f33ba7d0142f21", + "https://git.kernel.org/stable/c/2996c7e97ea7cf4c1838a1b1dbc0885934113783", + "https://git.kernel.org/stable/c/5b8f473c4de95c056c1c767b1ad48c191544f6a5", + "https://git.kernel.org/stable/c/6bb22ac1d11d7d20f91e7fd2e657a9e5f6db65e0", + "https://git.kernel.org/stable/c/7d4e19f7ff644c5b79e8271df8ac2e549b436a5b", + "https://git.kernel.org/stable/c/94a600226b6d0ef065ee84024b450b566c5a87d6", + "https://git.kernel.org/stable/c/977fe773dcc7098d8eaf4ee6382cb51e13e784cb", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"\n\nThis reverts commit 1a1975551943f681772720f639ff42fbaa746212.\n\nThis commit causes interrupts to be lost for FCoE devices, since it changed\nsping locks from \"bh\" to \"irqsave\".\n\nInstead, a work queue should be used, and will be addressed in a separate\ncommit.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26917" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26921", + "dataSource": "https://ubuntu.com/security/CVE-2024-26921", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26921" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26921", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26921", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272", + "https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325", + "https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981", + "https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: inet_defrag: prevent sk release while still in use\n\nip_local_out() and other functions can pass skb->sk as function argument.\n\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\n\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\n\nEric Dumazet made an initial analysis of this bug. Quoting Eric:\n Calling ip_defrag() in output path is also implying skb_orphan(),\n which is buggy because output path relies on sk not disappearing.\n\n A relevant old patch about the issue was :\n 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\n\n [..]\n\n net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\n inet socket, not an arbitrary one.\n\n If we orphan the packet in ipvlan, then downstream things like FQ\n packet scheduler will not work properly.\n\n We need to change ip_defrag() to only use skb_orphan() when really\n needed, ie whenever frag_list is going to be used.\n\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\n\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\n\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\n\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\n\nIn the former case, things work as before, skb is orphaned. This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\n\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-26921" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26922", + "dataSource": "https://ubuntu.com/security/CVE-2024-26922", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26922" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26922", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26922", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1fd7db5c16028dc07b2ceec190f2e895dddb532d", + "https://git.kernel.org/stable/c/212e3baccdb1939606420d88f7f52d346b49a284", + "https://git.kernel.org/stable/c/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75", + "https://git.kernel.org/stable/c/8b12fc7b032633539acdf7864888b0ebd49e90f2", + "https://git.kernel.org/stable/c/b1f04b9b1c5317f562a455384c5f7473e46bdbaa", + "https://git.kernel.org/stable/c/d4da6b084f1c5625937d49bb6722c5b4aef11b8d", + "https://git.kernel.org/stable/c/ef13eeca7c79136bc38e21eb67322c1cbd5c40ee", + "https://git.kernel.org/stable/c/f68039375d4d6d67303674c0ab2d06b7295c0ec9", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\n\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26922" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26923", + "dataSource": "https://ubuntu.com/security/CVE-2024-26923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26923" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26923", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3", + "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f", + "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51", + "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9", + "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423", + "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c", + "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009", + "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t if (total_refs == inflight_refs)\n\t\t\t\t\t\t add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t if (u.inflight)\n\t\t\t\t\t\t scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26923" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26925", + "dataSource": "https://ubuntu.com/security/CVE-2024-26925", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26925" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26925", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26925", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27", + "https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494", + "https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428", + "https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30", + "https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae", + "https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1", + "https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\n\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get the released commit lock\nwithin the same GC sequence.\n\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26925" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26926", + "dataSource": "https://ubuntu.com/security/CVE-2024-26926", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26926" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26926", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26926", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc", + "https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc", + "https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12", + "https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c", + "https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76", + "https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40", + "https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: check offset alignment in binder_get_object()\n\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\n\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\n\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26926" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26928", + "dataSource": "https://ubuntu.com/security/CVE-2024-26928", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26928" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26928", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88", + "https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1", + "https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d", + "https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_debug_files_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26928" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26929", + "dataSource": "https://ubuntu.com/security/CVE-2024-26929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26929" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26929", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/282877633b25d67021a34169c5b5519b1d4ef65e", + "https://git.kernel.org/stable/c/82f522ae0d97119a43da53e0f729275691b9c525", + "https://git.kernel.org/stable/c/846fb9f112f618ec6ae181d8dae7961652574774", + "https://git.kernel.org/stable/c/9b43d2884b54d415caab48878b526dfe2ae9921b", + "https://git.kernel.org/stable/c/b03e626bd6d3f0684f56ee1890d70fc9ca991c04", + "https://git.kernel.org/stable/c/f85af9f1aa5e2f53694a6cbe72010f754b5ff862" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of fcport\n\nThe server was crashing after LOGO because fcport was getting freed twice.\n\n -----------[ cut here ]-----------\n kernel BUG at mm/slub.c:371!\n invalid opcode: 0000 1 SMP PTI\n CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n RIP: 0010:set_freepointer.part.57+0x0/0x10\n RSP: 0018:ffffb07107027d90 EFLAGS: 00010246\n RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400\n RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500\n RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009\n R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500\n R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58\n FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n kfree+0x238/0x250\n qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]\n ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]\n qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? kernfs_fop_write+0x11e/0x1a0\n\nRemove one of the free calls and add check for valid fcport. Also use\nfunction qla2x00_free_fcport() instead of kfree().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "metrics": { + "baseScore": 7.7, + "exploitabilityScore": 2.5, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26931", + "dataSource": "https://ubuntu.com/security/CVE-2024-26931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26931" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26931", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211", + "https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac", + "https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d", + "https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d", + "https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1", + "https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a", + "https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a", + "https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9", + "https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix command flush on cable pull\n\nSystem crash due to command failed to flush back to SCSI layer.\n\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\n RIP: 0010:__wake_up_common+0x4c/0x190\n Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n __wake_up_common_lock+0x7c/0xc0\n qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.\n ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0\n ? __switch_to+0x10c/0x450\n ? process_one_work+0x1a7/0x360\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.\n ? worker_thread+0x1ce/0x390\n ? create_worker+0x1a0/0x1a0\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70\n ? kthread+0x10a/0x120\n qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8\n ? set_kthread_struct+0x40/0x40\n qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.\n ? ret_from_fork+0x1f/0x40\n qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout\n\nThe system was under memory stress where driver was not able to allocate an\nSRB to carry out error recovery of cable pull. The failure to flush causes\nupper layer to start modifying scsi_cmnd. When the system frees up some\nmemory, the subsequent cable pull trigger another command flush. At this\npoint the driver access a null pointer when attempting to DMA unmap the\nSGL.\n\nAdd a check to make sure commands are flush back on session tear down to\nprevent the null pointer access.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26934", + "dataSource": "https://ubuntu.com/security/CVE-2024-26934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26934" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26934", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/07acf979da33c721357ff27129edf74c23c036c6", + "https://git.kernel.org/stable/c/122a06f1068bf5e39089863f4f60b1f5d4273384", + "https://git.kernel.org/stable/c/12d6a5681a0a5cecc2af7860f0a1613fa7c6e947", + "https://git.kernel.org/stable/c/1b175bc579f46520b11ecda443bcd2ee4904f66a", + "https://git.kernel.org/stable/c/80ba43e9f799cbdd83842fc27db667289b3150f5", + "https://git.kernel.org/stable/c/8cbdd324b41528994027128207fae8100dff094f", + "https://git.kernel.org/stable/c/ab062fa3dc69aea88fe62162c5881ba14b50ecc5", + "https://git.kernel.org/stable/c/dbdf66250d2d33e8b27352fcb901de79f3521057", + "https://git.kernel.org/stable/c/e451709573f8be904a8a72d0775bf114d7c291d9", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in usb_deauthorize_interface()\n\nAmong the attribute file callback routines in\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\nthe only one which acquires a device lock on an ancestor device: It\ncalls usb_deauthorize_interface(), which locks the interface's parent\nUSB device.\n\nThe will lead to deadlock if another process already owns that lock\nand tries to remove the interface, whether through a configuration\nchange or because the device has been disconnected. As part of the\nremoval procedure, device_del() waits for all ongoing sysfs attribute\ncallbacks to complete. But usb_deauthorize_interface() can't complete\nuntil the device lock has been released, and the lock won't be\nreleased until the removal has finished.\n\nThe mechanism provided by sysfs to prevent this kind of deadlock is\nto use the sysfs_break_active_protection() function, which tells sysfs\nnot to wait for the attribute callback.\n\nReported-and-tested by: Yue Sun \nReported by: xingwei lee ", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26935", + "dataSource": "https://ubuntu.com/security/CVE-2024-26935", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26935" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26935", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26935", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac", + "https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889", + "https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1", + "https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee", + "https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c", + "https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320", + "https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84", + "https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26935" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26936", + "dataSource": "https://ubuntu.com/security/CVE-2024-26936", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26936" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26936", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26936", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a", + "https://git.kernel.org/stable/c/21ff9d7d223c5c19cb4334009e4c0c83a2f4d674", + "https://git.kernel.org/stable/c/2c27a64a2bc47d9bfc7c3cf8be14be53b1ee7cb6", + "https://git.kernel.org/stable/c/5c20b242d4fed73a93591e48bfd9772e2322fb11", + "https://git.kernel.org/stable/c/8f3d0bf1d0c62b539d54c5b9108a845cff619b99" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\n\nThe response buffer should be allocated in smb2_allocate_rsp_buf\nbefore validating request. But the fields in payload as well as smb2 header\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\nvalidation to avoid potencial out-of-bounds in request buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-26936" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26937", + "dataSource": "https://ubuntu.com/security/CVE-2024-26937", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26937" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26937", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26937", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325", + "https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895", + "https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a", + "https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62", + "https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c", + "https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f", + "https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703", + "https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Reset queue_priority_hint on parking\n\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\n\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\n\n<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 166.210781] Dumping ftrace buffer:\n<0>[ 166.210795] ---------------------------------\n...\n<0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n<0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n<0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n<0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n<0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n<0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n<0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n<0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n<0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n<0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n<0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n<0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n<0>[ 167.303534] -0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n<0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n<0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 167.303811] ---------------------------------\n<4>[ 167.304722] ------------[ cut here ]------------\n<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n<4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n<4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n<4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n<4>[ 16\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26937" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26938", + "dataSource": "https://ubuntu.com/security/CVE-2024-26938", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26938" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26938", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26938", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32e39bab59934bfd3f37097d4dd85ac5eb0fd549", + "https://git.kernel.org/stable/c/72e4d3fb72e9f0f016946158a7d95304832768e6", + "https://git.kernel.org/stable/c/94cf2fb6feccd625e5b4e23e1b70f39a206f82ac", + "https://git.kernel.org/stable/c/a891add409e3bc381f4f68c2ce9d953f1865cb1f", + "https://git.kernel.org/stable/c/f4bbac954d8f9ab214ea1d4f385de4fa6bd92dd0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()\n\nIf we have no VBT, or the VBT didn't declare the encoder\nin question, we won't have the 'devdata' for the encoder.\nInstead of oopsing just bail early.\n\nWe won't be able to tell whether the port is DP++ or not,\nbut so be it.\n\n(cherry picked from commit 26410896206342c8a80d2b027923e9ee7d33b733)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26938" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26944", + "dataSource": "https://ubuntu.com/security/CVE-2024-26944", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26944" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26944", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26944", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302", + "https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free in do_zone_finish()\n\nShinichiro reported the following use-after-free triggered by the device\nreplace operation in fstests btrfs/070.\n\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\n ==================================================================\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\n\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n Call Trace:\n \n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0x200/0x3e0\n kasan_report+0xd8/0x110\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n do_zone_finish+0x91a/0xb90 [btrfs]\n btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\n ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\n ? btrfs_put_root+0x2d/0x220 [btrfs]\n ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\n cleaner_kthread+0x21e/0x380 [btrfs]\n ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\n kthread+0x2e3/0x3c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\n Allocated by task 3493983:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n btrfs_alloc_device+0xb3/0x4e0 [btrfs]\n device_list_add.constprop.0+0x993/0x1630 [btrfs]\n btrfs_scan_one_device+0x219/0x3d0 [btrfs]\n btrfs_control_ioctl+0x26e/0x310 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 3494056:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3f/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x32/0x70\n kfree+0x11b/0x320\n btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\n btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\n btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\n btrfs_ioctl+0xb27/0x57d0 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n The buggy address belongs to the object at ffff8881543c8000\n which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 96 bytes inside of\n freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\n\n The buggy address belongs to the physical page:\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThis UAF happens because we're accessing stale zone information of a\nalready removed btrfs_device in do_zone_finish().\n\nThe sequence of events is as follows:\n\nbtrfs_dev_replace_start\n btrfs_scrub_dev\n btrfs_dev_replace_finishing\n btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced\n btrfs_rm_dev_replace_free_srcdev\n btrfs_free_device <-- device freed\n\ncleaner_kthread\n btrfs_delete_unused_bgs\n btrfs_zone_finish\n do_zone_finish <-- refers the freed device\n\nThe reason for this is that we're using a\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26944" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26945", + "dataSource": "https://ubuntu.com/security/CVE-2024-26945", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26945" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26945", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26945", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/5a7e89d3315d1be86aff8a8bf849023cda6547f7", + "https://git.kernel.org/stable/c/a5ca1be7f9817de4e93085778b3ee2219bdc2664" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix nr_cpus < nr_iaa case\n\nIf nr_cpus < nr_iaa, the calculated cpus_per_iaa will be 0, which\ncauses a divide-by-0 in rebalance_wq_table().\n\nMake sure cpus_per_iaa is 1 in that case, and also in the nr_iaa == 0\ncase, even though cpus_per_iaa is never used if nr_iaa == 0, for\nparanoia.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26945" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26947", + "dataSource": "https://ubuntu.com/security/CVE-2024-26947", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26947" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26947", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26947", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff", + "https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc", + "https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7", + "https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\n\nSince commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account\nfreed memory map alignment\") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\n\n node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node 0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is:0xc0900000, 0x100000\n\nthe crash backtrace like:\n\n Unable to handle kernel paging request at virtual address bff00000\n [...]\n CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1\n Hardware name: Generic DT based system\n PC is at b15_flush_kern_dcache_area+0x24/0x3c\n LR is at __sync_icache_dcache+0x6c/0x98\n [...]\n (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n (__do_mmap_mm) from (do_mmap+0x50/0x58)\n (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n ---[ end trace 09cf0734c3805d52 ]---\n Kernel panic - not syncing: Fatal exception\n\nSo check if PG_reserved was set to solve this issue.\n\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26947" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26948", + "dataSource": "https://ubuntu.com/security/CVE-2024-26948", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26948" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26948", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26948", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/334b56cea5d9df5989be6cf1a5898114fa70ad98", + "https://git.kernel.org/stable/c/d37a08f840485995e3fb91dad95e441b9d28a269" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add a dc_state NULL check in dc_state_release\n\n[How]\nCheck wheather state is NULL before releasing it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26948" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26950", + "dataSource": "https://ubuntu.com/security/CVE-2024-26950", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26950" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26950", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26950", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09c3fa70f65175861ca948cb2f0f791e666c90e5", + "https://git.kernel.org/stable/c/493aa6bdcffd90a4f82aa614fe4f4db0641b4068", + "https://git.kernel.org/stable/c/4be453271a882c8ebc28df3dbf9e4d95e6ac42f5", + "https://git.kernel.org/stable/c/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f", + "https://git.kernel.org/stable/c/93bcc1752c69bb309f4d8cfaf960ef1faeb34996", + "https://git.kernel.org/stable/c/c991567e6c638079304cc15dff28748e4a3c4a37", + "https://git.kernel.org/stable/c/d44bd323d8bb8031eef4bdc44547925998a11e47", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: access device through ctx instead of peer\n\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26950" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26951", + "dataSource": "https://ubuntu.com/security/CVE-2024-26951", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26951" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26951", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26951", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04", + "https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d", + "https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4", + "https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87", + "https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b", + "https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac", + "https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\n\nIf all peers are removed via wg_peer_remove_all(), rather than setting\npeer_list to empty, the peer is added to a temporary list with a head on\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\ncursored peer is one that has been removed via wg_peer_remove_all(), it\nwill iterate from that peer and then attempt to dump freed peers.\n\nFix this by instead checking peer->is_dead, which was explictly created\nfor this purpose. Also move up the device_update_lock lockdep assertion,\nsince reading is_dead relies on that.\n\nIt can be reproduced by a small script like:\n\n echo \"Setting config...\"\n ip link add dev wg0 type wireguard\n wg setconf wg0 /big-config\n (\n while true; do\n echo \"Showing config...\"\n wg showconf wg0 > /dev/null\n done\n ) &\n sleep 4\n wg setconf wg0 <(printf \"[Peer]\\nPublicKey=$(wg genkey)\\n\")\n\nResulting in:\n\n BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\n Read of size 8 at addr ffff88811956ec70 by task wg/59\n CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\n Call Trace:\n \n dump_stack_lvl+0x47/0x70\n print_address_description.constprop.0+0x2c/0x380\n print_report+0xab/0x250\n kasan_report+0xba/0xf0\n __lock_acquire+0x182a/0x1b20\n lock_acquire+0x191/0x4b0\n down_read+0x80/0x440\n get_peer+0x140/0xcb0\n wg_get_device_dump+0x471/0x1130", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26951" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26952", + "dataSource": "https://ubuntu.com/security/CVE-2024-26952", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26952" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26952", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26952", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0c5541b4c980626fa3cab16ba1a451757778bbb5", + "https://git.kernel.org/stable/c/2dcda336b6e80b72d58d30d40f2fad9724e5fe63", + "https://git.kernel.org/stable/c/39bdc4197acf2ed13269167ccf093ee28cfa2a4e", + "https://git.kernel.org/stable/c/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potencial out-of-bounds when buffer offset is invalid\n\nI found potencial out-of-bounds when buffer offset fields of a few requests\nis invalid. This patch set the minimum value of buffer offset field to\n->Buffer offset to validate buffer length.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.1, + "exploitabilityScore": 2.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2024-26952" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26953", + "dataSource": "https://ubuntu.com/security/CVE-2024-26953", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26953" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26953", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26953", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1abb20a5f4b02fb3020f88456fc1e6069b3cdc45", + "https://git.kernel.org/stable/c/8291b4eac429c480386669444c6377573f5d8664", + "https://git.kernel.org/stable/c/c3198822c6cb9fb588e446540485669cc81c5d34", + "https://git.kernel.org/stable/c/f278ff9db67264715d0d50e3e75044f8b78990f4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: esp: fix bad handling of pages from page_pool\n\nWhen the skb is reorganized during esp_output (!esp->inline), the pages\ncoming from the original skb fragments are supposed to be released back\nto the system through put_page. But if the skb fragment pages are\noriginating from a page_pool, calling put_page on them will trigger a\npage_pool leak which will eventually result in a crash.\n\nThis leak can be easily observed when using CONFIG_DEBUG_VM and doing\nipsec + gre (non offloaded) forwarding:\n\n BUG: Bad page state in process ksoftirqd/16 pfn:1451b6\n page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6\n flags: 0x200000000000000(node=0|zone=2)\n page_type: 0xffffffff()\n raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000\n raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000\n page dumped because: page_pool leak\n Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]\n CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n \n dump_stack_lvl+0x36/0x50\n bad_page+0x70/0xf0\n free_unref_page_prepare+0x27a/0x460\n free_unref_page+0x38/0x120\n esp_ssg_unref.isra.0+0x15f/0x200\n esp_output_tail+0x66d/0x780\n esp_xmit+0x2c5/0x360\n validate_xmit_xfrm+0x313/0x370\n ? validate_xmit_skb+0x1d/0x330\n validate_xmit_skb_list+0x4c/0x70\n sch_direct_xmit+0x23e/0x350\n __dev_queue_xmit+0x337/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x25e/0x580\n iptunnel_xmit+0x19b/0x240\n ip_tunnel_xmit+0x5fb/0xb60\n ipgre_xmit+0x14d/0x280 [ip_gre]\n dev_hard_start_xmit+0xc3/0x1c0\n __dev_queue_xmit+0x208/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x1ca/0x580\n ip_sublist_rcv_finish+0x32/0x40\n ip_sublist_rcv+0x1b2/0x1f0\n ? ip_rcv_finish_core.constprop.0+0x460/0x460\n ip_list_rcv+0x103/0x130\n __netif_receive_skb_list_core+0x181/0x1e0\n netif_receive_skb_list_internal+0x1b3/0x2c0\n napi_gro_receive+0xc8/0x200\n gro_cell_poll+0x52/0x90\n __napi_poll+0x25/0x1a0\n net_rx_action+0x28e/0x300\n __do_softirq+0xc3/0x276\n ? sort_range+0x20/0x20\n run_ksoftirqd+0x1e/0x30\n smpboot_thread_fn+0xa6/0x130\n kthread+0xcd/0x100\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x31/0x50\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork_asm+0x11/0x20\n \n\nThe suggested fix is to introduce a new wrapper (skb_page_unref) that\ncovers page refcounting for page_pool pages as well.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26953" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26954", + "dataSource": "https://ubuntu.com/security/CVE-2024-26954", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26954" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26954", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26954", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57", + "https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178", + "https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\n\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26954" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26955", + "dataSource": "https://ubuntu.com/security/CVE-2024-26955", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26955" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26955", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26955", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c", + "https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5", + "https://git.kernel.org/stable/c/269cdf353b5bdd15f1a079671b0f889113865f20", + "https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07", + "https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414ef02e39", + "https://git.kernel.org/stable/c/76ffbe911e2798c7296968f5fd72f7bf67207a8d", + "https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183", + "https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c", + "https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: prevent kernel bug at submit_bh_wbc()\n\nFix a bug where nilfs_get_block() returns a successful status when\nsearching and inserting the specified block both fail inconsistently. If\nthis inconsistent behavior is not due to a previously fixed bug, then an\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\n\nThis prevents callers such as __block_write_begin_int() from requesting a\nread into a buffer that is not mapped, which would cause the BUG_ON check\nfor the BH_Mapped flag in submit_bh_wbc() to fail.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26955" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26956", + "dataSource": "https://ubuntu.com/security/CVE-2024-26956", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26956" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26956", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26956", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84", + "https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7", + "https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4", + "https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e", + "https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713", + "https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35", + "https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb", + "https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba", + "https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\n\nPatch series \"nilfs2: fix kernel bug at submit_bh_wbc()\".\n\nThis resolves a kernel BUG reported by syzbot. Since there are two\nflaws involved, I've made each one a separate patch.\n\nThe first patch alone resolves the syzbot-reported bug, but I think\nboth fixes should be sent to stable, so I've tagged them as such.\n\n\nThis patch (of 2):\n\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\nto a nilfs2 file system whose metadata is corrupted.\n\nThere are two flaws involved in this issue.\n\nThe first flaw is that when nilfs_get_block() locates a data block using\nbtree or direct mapping, if the disk address translation routine\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\ncorruption, it can be passed back to nilfs_get_block(). This causes\nnilfs_get_block() to misidentify an existing block as non-existent,\ncausing both data block lookup and insertion to fail inconsistently.\n\nThe second flaw is that nilfs_get_block() returns a successful status in\nthis inconsistent state. This causes the caller __block_write_begin_int()\nor others to request a read even though the buffer is not mapped,\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\nfailing.\n\nThis fixes the first issue by changing the return value to code -EINVAL\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\nconflicting condition that leads to the kernel bug described above. Here,\ncode -EINVAL indicates that metadata corruption was detected during the\nblock lookup, which will be properly handled as a file system error and\nconverted to -EIO when passing through the nilfs2 bmap layer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26956" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26957", + "dataSource": "https://ubuntu.com/security/CVE-2024-26957", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26957" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26957", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26957", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484", + "https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c", + "https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd", + "https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058", + "https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55", + "https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6", + "https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca", + "https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d", + "https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n kernel: kmalloc_trace+0x3f2/0x470\n kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]\n kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n kernel: ap_device_probe+0x15c/0x290\n kernel: really_probe+0xd2/0x468\n kernel: driver_probe_device+0x40/0xf0\n kernel: __device_attach_driver+0xc0/0x140\n kernel: bus_for_each_drv+0x8c/0xd0\n kernel: __device_attach+0x114/0x198\n kernel: bus_probe_device+0xb4/0xc8\n kernel: device_add+0x4d2/0x6e0\n kernel: ap_scan_adapter+0x3d0/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n kernel: kfree+0x37e/0x418\n kernel: zcrypt_card_put+0x54/0x80 [zcrypt]\n kernel: ap_device_remove+0x4c/0xe0\n kernel: device_release_driver_internal+0x1c4/0x270\n kernel: bus_remove_device+0x100/0x188\n kernel: device_del+0x164/0x3c0\n kernel: device_unregister+0x30/0x90\n kernel: ap_scan_adapter+0xc8/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: kthread+0x150/0x168\n kernel: __ret_from_fork+0x3c/0x58\n kernel: ret_from_fork+0xa/0x30\n kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........\n kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk.\n kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........\n kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ\n kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n kernel: Call Trace:\n kernel: [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n kernel: [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n kernel: [<00000000c99d53cc>] check_object+0x334/0x3f8\n kernel: [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n kernel: [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n kernel: [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n kernel: [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n kernel: [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n kernel: [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n kernel: [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n kernel: \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26957" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26958", + "dataSource": "https://ubuntu.com/security/CVE-2024-26958", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26958" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26958", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26958", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af", + "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab", + "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3", + "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5", + "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f", + "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95", + "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n \n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we're completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26958" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26960", + "dataSource": "https://ubuntu.com/security/CVE-2024-26960", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26960" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26960", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26960", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a", + "https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a", + "https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e", + "https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b", + "https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39", + "https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e", + "https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread. This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case. But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff(). There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free. This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff. So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26960" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26961", + "dataSource": "https://ubuntu.com/security/CVE-2024-26961", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26961" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26961", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26961", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531", + "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d", + "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1", + "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88", + "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821", + "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f", + "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n \n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n hex dump (first 32 bytes):\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\".......\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e2/0x2d0\n [] kmalloc_trace+0x25/0xc0\n [] mac802154_llsec_key_add+0xac9/0xcf0\n [] ieee802154_add_llsec_key+0x5a/0x80\n [] nl802154_add_llsec_key+0x426/0x5b0\n [] genl_family_rcv_msg_doit+0x1fe/0x2f0\n [] genl_rcv_msg+0x531/0x7d0\n [] netlink_rcv_skb+0x169/0x440\n [] genl_rcv+0x28/0x40\n [] netlink_unicast+0x53c/0x820\n [] netlink_sendmsg+0x93b/0xe60\n [] ____sys_sendmsg+0xac5/0xca0\n [] ___sys_sendmsg+0x11d/0x1c0\n [] __sys_sendmsg+0xfa/0x1d0\n [] do_syscall_64+0x45/0xf0\n [] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26961" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26962", + "dataSource": "https://ubuntu.com/security/CVE-2024-26962", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26962" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26962", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26962", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677", + "https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1", + "https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape\n\nFor raid456, if reshape is still in progress, then IO across reshape\nposition will wait for reshape to make progress. However, for dm-raid,\nin following cases reshape will never make progress hence IO will hang:\n\n1) the array is read-only;\n2) MD_RECOVERY_WAIT is set;\n3) MD_RECOVERY_FROZEN is set;\n\nAfter commit c467e97f079f (\"md/raid6: use valid sector values to determine\nif an I/O should wait on the reshape\") fix the problem that IO across\nreshape position doesn't wait for reshape, the dm-raid test\nshell/lvconvert-raid-reshape.sh start to hang:\n\n[root@fedora ~]# cat /proc/979/stack\n[<0>] wait_woken+0x7d/0x90\n[<0>] raid5_make_request+0x929/0x1d70 [raid456]\n[<0>] md_handle_request+0xc2/0x3b0 [md_mod]\n[<0>] raid_map+0x2c/0x50 [dm_raid]\n[<0>] __map_bio+0x251/0x380 [dm_mod]\n[<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]\n[<0>] __submit_bio+0xc2/0x1c0\n[<0>] submit_bio_noacct_nocheck+0x17f/0x450\n[<0>] submit_bio_noacct+0x2bc/0x780\n[<0>] submit_bio+0x70/0xc0\n[<0>] mpage_readahead+0x169/0x1f0\n[<0>] blkdev_readahead+0x18/0x30\n[<0>] read_pages+0x7c/0x3b0\n[<0>] page_cache_ra_unbounded+0x1ab/0x280\n[<0>] force_page_cache_ra+0x9e/0x130\n[<0>] page_cache_sync_ra+0x3b/0x110\n[<0>] filemap_get_pages+0x143/0xa30\n[<0>] filemap_read+0xdc/0x4b0\n[<0>] blkdev_read_iter+0x75/0x200\n[<0>] vfs_read+0x272/0x460\n[<0>] ksys_read+0x7a/0x170\n[<0>] __x64_sys_read+0x1c/0x30\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nThis is because reshape can't make progress.\n\nFor md/raid, the problem doesn't exist because register new sync_thread\ndoesn't rely on the IO to be done any more:\n\n1) If array is read-only, it can switch to read-write by ioctl/sysfs;\n2) md/raid never set MD_RECOVERY_WAIT;\n3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold\n 'reconfig_mutex', hence it can be cleared and reshape can continue by\n sysfs api 'sync_action'.\n\nHowever, I'm not sure yet how to avoid the problem in dm-raid yet. This\npatch on the one hand make sure raid_message() can't change\nsync_thread() through raid_message() after presuspend(), on the other\nhand detect the above 3 cases before wait for IO do be done in\ndm_suspend(), and let dm-raid requeue those IO.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26962" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26964", + "dataSource": "https://ubuntu.com/security/CVE-2024-26964", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26964" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26964", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26964", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4a49d24fdec0a802aa686a567a3989a9fdf4e5dd", + "https://git.kernel.org/stable/c/620b6cf2f1a270f48d38e6b8ce199c1acb3e90f4", + "https://git.kernel.org/stable/c/7b6cc33593d7ccfc3011b290849cfa899db46757", + "https://git.kernel.org/stable/c/962300a360d24c5be5a188cda48da58a37e4304d", + "https://git.kernel.org/stable/c/b2c898469dfc388f619c6c972a28466cbb1442ea", + "https://git.kernel.org/stable/c/be95cc6d71dfd0cba66e3621c65413321b398052" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Add error handling in xhci_map_urb_for_dma\n\nCurrently xhci_map_urb_for_dma() creates a temporary buffer and copies\nthe SG list to the new linear buffer. But if the kzalloc_node() fails,\nthen the following sg_pcopy_to_buffer() can lead to crash since it\ntries to memcpy to NULL pointer.\n\nSo return -ENOMEM if kzalloc returns null pointer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26964" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26965", + "dataSource": "https://ubuntu.com/security/CVE-2024-26965", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26965" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26965", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26965", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3ff4a0f6a8f0ad4b4ee9e908bdfc3cacb7be4060", + "https://git.kernel.org/stable/c/537040c257ab4cd0673fbae048f3940c8ea2e589", + "https://git.kernel.org/stable/c/7e9926fef71e514b4a8ea9d11d5a84d52b181362", + "https://git.kernel.org/stable/c/86bf75d9158f511db7530bc82a84b19a5134d089", + "https://git.kernel.org/stable/c/8f562f3b25177c2055b20fd8cf000496f6fa9194", + "https://git.kernel.org/stable/c/99740c4791dc8019b0d758c5389ca6d1c0604d95", + "https://git.kernel.org/stable/c/ae99e199037c580b7350bfa3596f447a53bcf01f", + "https://git.kernel.org/stable/c/ca2cf98d46748373e830a13d85d215d64a2d9bf2", + "https://git.kernel.org/stable/c/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26965" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26966", + "dataSource": "https://ubuntu.com/security/CVE-2024-26966", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26966" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26966", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26966", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/185de0b7cdeaad8b89ebd4c8a258ff2f21adba99", + "https://git.kernel.org/stable/c/3aedcf3755c74dafc187eb76acb04e3e6348b1a9", + "https://git.kernel.org/stable/c/5533686e99b04994d7c4877dc0e4282adc9444a2", + "https://git.kernel.org/stable/c/5638330150db2cc30b53eed04e481062faa3ece8", + "https://git.kernel.org/stable/c/7e5432401536117c316d7f3b21d46b64c1514f38", + "https://git.kernel.org/stable/c/9b4c4546dd61950e80ffdca1bf6925f42b665b03", + "https://git.kernel.org/stable/c/a09aecb6cb482de88301c43bf00a6c8726c4d34f", + "https://git.kernel.org/stable/c/a903cfd38d8dee7e754fb89fd1bebed99e28003d", + "https://git.kernel.org/stable/c/b2dfb216f32627c2f6a8041f2d9d56d102ab87c0", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26966" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26969", + "dataSource": "https://ubuntu.com/security/CVE-2024-26969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26969" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26969", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1040ef5ed95d6fd2628bad387d78a61633e09429", + "https://git.kernel.org/stable/c/83fe1bbd9e259ad109827ccfbfc2488e0dea8e94", + "https://git.kernel.org/stable/c/851cc19bdb02556fb13629b3e4fef6f2bdb038fe", + "https://git.kernel.org/stable/c/9de184d4e557d550fb0b7b833b676bda4f269e4f", + "https://git.kernel.org/stable/c/b6b31b4c67ea6bd9222e5b73b330554c57f2f90d", + "https://git.kernel.org/stable/c/be9e2752d823eca1d5af67014a1844a9176ff566", + "https://git.kernel.org/stable/c/dd92b159c506804ac57adf3742d9728298bb1255", + "https://git.kernel.org/stable/c/e117c6e2d1617520f5f7d7f6f6b395f01d8b5a27", + "https://git.kernel.org/stable/c/fc3ac2fcd0a7fad63eba1b359490a4b81720d0f9", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26969" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26970", + "dataSource": "https://ubuntu.com/security/CVE-2024-26970", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26970" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26970", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26970", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/421b135aceace99789c982f6a77ce9476564fb52", + "https://git.kernel.org/stable/c/852db52b45ea96dac2720f108e7c7331cd3738bb", + "https://git.kernel.org/stable/c/ae60e3342296f766f88911d39199f77b05f657a6", + "https://git.kernel.org/stable/c/b4527ee3de365a742215773d20f07db3e2c06f3b", + "https://git.kernel.org/stable/c/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d", + "https://git.kernel.org/stable/c/db4066e3ab6b3d918ae2b92734a89c04fe82cc1d", + "https://git.kernel.org/stable/c/dcb13b5c9ae8743f99a96f392186527c3df89198", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq6018: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26970" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26972", + "dataSource": "https://ubuntu.com/security/CVE-2024-26972", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26972" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26972", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26972", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/62b5ae00c2b835639002ce898ccb5d82c51073ae", + "https://git.kernel.org/stable/c/6379b44cdcd67f5f5d986b73953e99700591edfa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: ubifs_symlink: Fix memleak of inode->i_link in error path\n\nFor error handling path in ubifs_symlink(), inode will be marked as\nbad first, then iput() is invoked. If inode->i_link is initialized by\nfscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't\nbe freed by callchain ubifs_free_inode -> fscrypt_free_inode in error\nhandling path, because make_bad_inode() has changed 'inode->i_mode' as\n'S_IFREG'.\nFollowing kmemleak is easy to be reproduced by injecting error in\nubifs_jnl_update() when doing symlink in encryption scenario:\n unreferenced object 0xffff888103da3d98 (size 8):\n comm \"ln\", pid 1692, jiffies 4294914701 (age 12.045s)\n backtrace:\n kmemdup+0x32/0x70\n __fscrypt_encrypt_symlink+0xed/0x1c0\n ubifs_symlink+0x210/0x300 [ubifs]\n vfs_symlink+0x216/0x360\n do_symlinkat+0x11a/0x190\n do_syscall_64+0x3b/0xe0\nThere are two ways fixing it:\n 1. Remove make_bad_inode() in error handling path. We can do that\n because ubifs_evict_inode() will do same processes for good\n symlink inode and bad symlink inode, for inode->i_nlink checking\n is before is_bad_inode().\n 2. Free inode->i_link before marking inode bad.\nMethod 2 is picked, it has less influence, personally, I think.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26972" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26973", + "dataSource": "https://ubuntu.com/security/CVE-2024-26973", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26973" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26973", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26973", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03a7e3f2ba3ca25f1da1d3898709a08db14c1abb", + "https://git.kernel.org/stable/c/74f852654b8b7866f15323685f1e178d3386c688", + "https://git.kernel.org/stable/c/9840d1897e28f8733cc1e38f97e044f987dc0a63", + "https://git.kernel.org/stable/c/a276c595c3a629170b0f052a3724f755d7c6adc6", + "https://git.kernel.org/stable/c/b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee", + "https://git.kernel.org/stable/c/c8cc05de8e6b5612b6e9f92c385c1a064b0db375", + "https://git.kernel.org/stable/c/cdd33d54e789d229d6d5007cbf3f53965ca1a5c6", + "https://git.kernel.org/stable/c/f52d7663a10a1266a2d3871a6dd8fd111edc549f", + "https://git.kernel.org/stable/c/fde2497d2bc3a063d8af88b258dbadc86bd7b57c", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfat: fix uninitialized field in nostale filehandles\n\nWhen fat_encode_fh_nostale() encodes file handle without a parent it\nstores only first 10 bytes of the file handle. However the length of the\nfile handle must be a multiple of 4 so the file handle is actually 12\nbytes long and the last two bytes remain uninitialized. This is not\ngreat at we potentially leak uninitialized information with the handle\nto userspace. Properly initialize the full handle length.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26973" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26974", + "dataSource": "https://ubuntu.com/security/CVE-2024-26974", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26974" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26974", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26974", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be", + "https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7", + "https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f", + "https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c", + "https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc", + "https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81", + "https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828", + "https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71", + "https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - resolve race condition during AER recovery\n\nDuring the PCI AER system's error recovery process, the kernel driver\nmay encounter a race condition with freeing the reset_data structure's\nmemory. If the device restart will take more than 10 seconds the function\nscheduling that restart will exit due to a timeout, and the reset_data\nstructure will be freed. However, this data structure is used for\ncompletion notification after the restart is completed, which leads\nto a UAF bug.\n\nThis results in a KFENCE bug notice.\n\n BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\n Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\n adf_device_reset_worker+0x38/0xa0 [intel_qat]\n process_one_work+0x173/0x340\n\nTo resolve this race condition, the memory associated to the container\nof the work_struct is freed on the worker if the timeout expired,\notherwise on the function that schedules the worker.\nThe timeout detection can be done by checking if the caller is\nstill waiting for completion or not by using completion_done() function.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26974" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26976", + "dataSource": "https://ubuntu.com/security/CVE-2024-26976", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26976" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26976", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26976", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3d75b8aa5c29058a512db29da7cbee8052724157", + "https://git.kernel.org/stable/c/4f3a3bce428fb439c66a578adc447afce7b4a750", + "https://git.kernel.org/stable/c/82e25cc1c2e93c3023da98be282322fc08b61ffb", + "https://git.kernel.org/stable/c/83d3c5e309611ef593e2fcb78444fc8ceedf9bac", + "https://git.kernel.org/stable/c/a75afe480d4349c524d9c659b1a5a544dbc39a98", + "https://git.kernel.org/stable/c/ab2c2f5d9576112ad22cfd3798071cb74693b1f5", + "https://git.kernel.org/stable/c/b54478d20375874aeee257744dedfd3e413432ff", + "https://git.kernel.org/stable/c/caa9af2e27c275e089d702cfbaaece3b42bca31b", + "https://git.kernel.org/stable/c/f8730d6335e5f43d09151fca1f0f41922209a264", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\n\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put. Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\n\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock. async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\n\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n \n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n \n __schedule+0x33f/0xa40\n schedule+0x53/0xc0\n schedule_timeout+0x12a/0x140\n __wait_for_common+0x8d/0x1d0\n __flush_work.isra.0+0x19f/0x2c0\n kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n kvm_put_kvm+0x1c1/0x320 [kvm]\n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed. And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\n\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue(). Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay. kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\n\n trace_kvm_async_pf_completed(addr, cr2_or_gpa);\n\n __kvm_vcpu_wake_up(vcpu);\n\n mmput(mm);\n\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\n\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue. Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\n\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26976" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26977", + "dataSource": "https://ubuntu.com/security/CVE-2024-26977", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26977" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26977", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26977", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5e4b23e7a7b33a1e56bfa3e5598138a2234d55b6", + "https://git.kernel.org/stable/c/6d21d0356aa44157a62e39c0d1a13d4c69a8d0c8", + "https://git.kernel.org/stable/c/7626913652cc786c238e2dd7d8740b17d41b2637", + "https://git.kernel.org/stable/c/af280e137e273935f2e09f4d73169998298792ed", + "https://git.kernel.org/stable/c/b5d40f02e7222da032c2042aebcf2a07de9b342f", + "https://git.kernel.org/stable/c/f3749345a9b7295dd071d0ed589634cb46364f77" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npci_iounmap(): Fix MMIO mapping leak\n\nThe #ifdef ARCH_HAS_GENERIC_IOPORT_MAP accidentally also guards iounmap(),\nwhich means MMIO mappings are leaked.\n\nMove the guard so we call iounmap() for MMIO mappings.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26977" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26979", + "dataSource": "https://ubuntu.com/security/CVE-2024-26979", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26979" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26979", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26979", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26979" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26980", + "dataSource": "https://ubuntu.com/security/CVE-2024-26980", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26980" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26980", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26980", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085", + "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1", + "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248", + "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20", + "https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\n\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. if request size is smaller than\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\ndecrypting transform request. smb3_decrypt_req() will validate transform\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-26980" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26981", + "dataSource": "https://ubuntu.com/security/CVE-2024-26981", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26981" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26981", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26981", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243", + "https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9", + "https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1", + "https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611", + "https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f", + "https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8", + "https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0", + "https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix OOB in nilfs_set_de_type\n\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\ndefined as \"S_IFMT >> S_SHIFT\", but the nilfs_set_de_type() function,\nwhich uses this array, specifies the index to read from the array in the\nsame way as \"(mode & S_IFMT) >> S_SHIFT\".\n\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\n *inode)\n{\n\tumode_t mode = inode->i_mode;\n\n\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\n}\n\nHowever, when the index is determined this way, an out-of-bounds (OOB)\nerror occurs by referring to an index that is 1 larger than the array size\nwhen the condition \"mode & S_IFMT == S_IFMT\" is satisfied. Therefore, a\npatch to resize the nilfs_type_by_mode array should be applied to prevent\nOOB errors.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26981" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26982", + "dataSource": "https://ubuntu.com/security/CVE-2024-26982", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26982" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26982", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26982", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5", + "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395", + "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n and fill a metadata index. It however suffers a data read error\n and aborts, invalidating the newly returned empty metadata index.\n It does this by setting the inode number of the index to zero,\n which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n read operation, locate_meta_index() returns the previous index\n because it matches the inode number of 0. Because this index\n has been returned it is expected to have been filled, and because\n it hasn't been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26982" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26983", + "dataSource": "https://ubuntu.com/security/CVE-2024-26983", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26983" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26983", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26983", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918", + "https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35", + "https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0", + "https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbootconfig: use memblock_free_late to free xbc memory to buddy\n\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\nover memory to buddy allocator. So it doesn't make sense to free memory\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\nFollowing KASAN logs shows this case.\n\nThis patch fixes the xbc memory free problem by calling memblock_free()\nin early xbc init error rewind path and calling memblock_free_late() in\nxbc exit path to free memory to buddy allocator.\n\n[ 9.410890] ==================================================================\n[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\n[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\n\n[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5\n[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\n[ 9.460789] Call Trace:\n[ 9.463518] \n[ 9.465859] dump_stack_lvl+0x53/0x70\n[ 9.469949] print_report+0xce/0x610\n[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0\n[ 9.478619] ? memblock_isolate_range+0x12d/0x260\n[ 9.483877] kasan_report+0xc6/0x100\n[ 9.487870] ? memblock_isolate_range+0x12d/0x260\n[ 9.493125] memblock_isolate_range+0x12d/0x260\n[ 9.498187] memblock_phys_free+0xb4/0x160\n[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10\n[ 9.508021] ? mutex_unlock+0x7e/0xd0\n[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10\n[ 9.516786] ? kernel_init_freeable+0x2d4/0x430\n[ 9.521850] ? __pfx_kernel_init+0x10/0x10\n[ 9.526426] xbc_exit+0x17/0x70\n[ 9.529935] kernel_init+0x38/0x1e0\n[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30\n[ 9.538601] ret_from_fork+0x2c/0x50\n[ 9.542596] ? __pfx_kernel_init+0x10/0x10\n[ 9.547170] ret_from_fork_asm+0x1a/0x30\n[ 9.551552] \n\n[ 9.555649] The buggy address belongs to the physical page:\n[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\n[ 9.570821] flags: 0x200000000000000(node=0|zone=2)\n[ 9.576271] page_type: 0xffffffff()\n[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\n[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\n[ 9.597476] page dumped because: kasan: bad access detected\n\n[ 9.605362] Memory state around the buggy address:\n[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.634930] ^\n[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.654675] ==================================================================", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26983" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26984", + "dataSource": "https://ubuntu.com/security/CVE-2024-26984", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26984" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26984", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26984", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716", + "https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7", + "https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52", + "https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572", + "https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525", + "https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039", + "https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9", + "https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: fix instmem race condition around ptr stores\n\nRunning a lot of VK CTS in parallel against nouveau, once every\nfew hours you might see something like this crash.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\nFS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n...\n\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __lock_acquire+0x3ed/0x2170\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\n\nAdding any sort of useful debug usually makes it go away, so I hand\nwrote the function in a line, and debugged the asm.\n\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\nthe nv50_instobj_acquire called from nvkm_kmap.\n\nIf Thread A and Thread B both get to nv50_instobj_acquire around\nthe same time, and Thread A hits the refcount_set line, and in\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\nchance the ptrs value won't have been stored since refcount_set\nis unordered. Force a memory barrier here, I picked smp_mb, since\nwe want it on all CPUs and it's write followed by a read.\n\nv2: use paired smp_rmb/smp_wmb.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26984" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26988", + "dataSource": "https://ubuntu.com/security/CVE-2024-26988", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26988" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26988", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26988", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4", + "https://git.kernel.org/stable/c/2ef607ea103616aec0289f1b65d103d499fa903a", + "https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9", + "https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea", + "https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8", + "https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninit/main.c: Fix potential static_command_line memory overflow\n\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\nstatic_command_line, but the strings copied into static_command_line are\nextra_command_line and command_line, rather than extra_command_line and\nboot_command_line.\n\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\nwill overflow.\n\nThis patch just recovers strlen(command_line) which was miss-consolidated\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\"init/main: add\nchecks for the return value of memblock_alloc*()\")", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26988" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26989", + "dataSource": "https://ubuntu.com/security/CVE-2024-26989", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26989" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26989", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26989", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/022b19ebc31cce369c407617041a3db810db23b3", + "https://git.kernel.org/stable/c/31f815cb436082e72d34ed2e8a182140a73ebdf4", + "https://git.kernel.org/stable/c/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457", + "https://git.kernel.org/stable/c/813f5213f2c612dc800054859aaa396ec8ad7069", + "https://git.kernel.org/stable/c/f7e71a7cf399f53ff9fc314ca3836dc913b05bd6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: hibernate: Fix level3 translation fault in swsusp_save()\n\nOn arm64 machines, swsusp_save() faults if it attempts to access\nMEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI\nwhen booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:\n\n Unable to handle kernel paging request at virtual address ffffff8000000000\n Mem abort info:\n ESR = 0x0000000096000007\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x07: level 3 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000\n [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000\n Internal error: Oops: 0000000096000007 [#1] SMP\n Internal error: Oops: 0000000096000007 [#1] SMP\n Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm\n CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76\n Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0\n Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021\n pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : swsusp_save+0x280/0x538\n lr : swsusp_save+0x280/0x538\n sp : ffffffa034a3fa40\n x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000\n x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000\n x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2\n x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000\n x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666\n x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea\n x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0\n x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001\n x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e\n Call trace:\n swsusp_save+0x280/0x538\n swsusp_arch_suspend+0x148/0x190\n hibernation_snapshot+0x240/0x39c\n hibernate+0xc4/0x378\n state_store+0xf0/0x10c\n kobj_attr_store+0x14/0x24\n\nThe reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()\n-> kernel_page_present() assuming that a page is always present when\ncan_set_direct_map() is false (all of rodata_full,\ndebug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),\nirrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions\nshould not be saved during hibernation.\n\nThis problem was introduced by changes to the pfn_valid() logic in\ncommit a7d9f306ba70 (\"arm64: drop pfn_valid_within() and simplify\npfn_valid()\").\n\nSimilar to other architectures, drop the !can_set_direct_map() check in\nkernel_page_present() so that page_is_savable() skips such pages.\n\n[catalin.marinas@arm.com: rework commit message]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26989" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26993", + "dataSource": "https://ubuntu.com/security/CVE-2024-26993", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26993" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26993", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26993", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/43f00210cb257bcb0387e8caeb4b46375d67f30c", + "https://git.kernel.org/stable/c/57baab0f376bec8f54b0fe6beb8f77a57c228063", + "https://git.kernel.org/stable/c/5d43e072285e81b0b63cee7189b3357c7768a43b", + "https://git.kernel.org/stable/c/84bd4c2ae9c3d0a7d3a5c032ea7efff17af17e17", + "https://git.kernel.org/stable/c/a4c99b57d43bab45225ba92d574a8683f9edc8e4", + "https://git.kernel.org/stable/c/a90bca2228c0646fc29a72689d308e5fe03e6d78", + "https://git.kernel.org/stable/c/ac107356aabc362aaeb77463e814fc067a5d3957", + "https://git.kernel.org/stable/c/f28bba37fe244889b81bb5c508d3f6e5c6e342c5", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\n\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path. If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called). As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\n\nFix the leak by adding an explicit kobject_put() call when kn is NULL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26993" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26994", + "dataSource": "https://ubuntu.com/security/CVE-2024-26994", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26994" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26994", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26994", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8", + "https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76", + "https://git.kernel.org/stable/c/6401038acfa24cba9c28cce410b7505efadd0222", + "https://git.kernel.org/stable/c/756c5cb7c09e537b87b5d3acafcb101b2ccf394f", + "https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595", + "https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f", + "https://git.kernel.org/stable/c/8f6b62125befe1675446923e4171eac2c012959c", + "https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Avoid crash on very long word\n\nIn case a console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26994" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26996", + "dataSource": "https://ubuntu.com/security/CVE-2024-26996", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26996" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26996", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93", + "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e", + "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7", + "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca", + "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n usb0: eth_stop dev->port_usb=ffffff9b179c3200\n --> error happens in usb_ep_enable().\n NCM: ncm_disable: ncm=ffffff9b179c3200\n --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm\n\n[function link via configfs]\n NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm\n usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n eth_start_xmit()\n --> dev->wrap()\n Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\nbut the gether connection might be established.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26996" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26999", + "dataSource": "https://ubuntu.com/security/CVE-2024-26999", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26999" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26999", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26999", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907", + "https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7", + "https://git.kernel.org/stable/c/69a02273e288011b521ee7c1f3ab2c23fda633ce", + "https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef", + "https://git.kernel.org/stable/c/ab86cf6f8d24e63e9aca23da5108af1aa5483928", + "https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f", + "https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729", + "https://git.kernel.org/stable/c/d679c816929d62af51c8e6d7fc0e165c9412d2f3", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\n\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\n\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\n\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\n\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\n\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26999" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27000", + "dataSource": "https://ubuntu.com/security/CVE-2024-27000", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27000" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27000", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27000", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37", + "https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a", + "https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270", + "https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495", + "https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026", + "https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad", + "https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37", + "https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mxs-auart: add spinlock around changing cts state\n\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\n\n [ 85.119255] ------------[ cut here ]------------\n [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n [ 85.151396] Hardware name: Freescale MXS (Device Tree)\n [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n (...)\n [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n (...)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27000" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27001", + "dataSource": "https://ubuntu.com/security/CVE-2024-27001", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27001" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27001", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27001", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9", + "https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696", + "https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2", + "https://git.kernel.org/stable/c/a3b8ae7e9297dd453f2977b011c5bc75eb20e71b", + "https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b", + "https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f", + "https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8", + "https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix incomplete endpoint checking\n\nWhile vmk80xx does have endpoint checking implemented, some things\ncan fall through the cracks. Depending on the hardware model,\nURBs can have either bulk or interrupt type, and current version\nof vmk80xx_find_usb_endpoints() function does not take that fully\ninto account. While this warning does not seem to be too harmful,\nat the very least it will crash systems with 'panic_on_warn' set on\nthem.\n\nFix the issue found by Syzkaller [1] by somewhat simplifying the\nendpoint checking process with usb_find_common_endpoints() and\nensuring that only expected endpoint types are present.\n\nThis patch has not been tested on real hardware.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n \n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\n...\n\nSimilar issue also found by Syzkaller:", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27001" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27002", + "dataSource": "https://ubuntu.com/security/CVE-2024-27002", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27002" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27002", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27002", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/165d226472575b213dd90dfda19d1605dd7c19a8", + "https://git.kernel.org/stable/c/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3", + "https://git.kernel.org/stable/c/b62ed25feb342eab052822eff0c554873799a4f5", + "https://git.kernel.org/stable/c/c0dcd5c072e2a3fff886f673e6a5d9bf8090c4cc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: Do a runtime PM get on controllers during probe\n\nmt8183-mfgcfg has a mutual dependency with genpd during the probing\nstage, which leads to a deadlock in the following call stack:\n\nCPU0: genpd_lock --> clk_prepare_lock\ngenpd_power_off_work_fn()\n genpd_lock()\n generic_pm_domain::power_off()\n clk_unprepare()\n clk_prepare_lock()\n\nCPU1: clk_prepare_lock --> genpd_lock\nclk_register()\n __clk_core_init()\n clk_prepare_lock()\n clk_pm_runtime_get()\n genpd_lock()\n\nDo a runtime PM get at the probe function to make sure clk_register()\nwon't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg,\ndo this on all mediatek clock controller probings because we don't\nbelieve this would cause any regression.\n\nVerified on MT8183 and MT8192 Chromebooks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27002" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27004", + "dataSource": "https://ubuntu.com/security/CVE-2024-27004", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27004" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27004", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27004", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c", + "https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba", + "https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123", + "https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5", + "https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034", + "https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc", + "https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree during disable_unused\n\nDoug reported [1] the following hung task:\n\n INFO: task swapper/0:1 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n rpm_resume+0xe0/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n clk_pm_runtime_get+0x30/0xb0\n clk_disable_unused_subtree+0x58/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused+0x4c/0xe4\n do_one_initcall+0xcc/0x2d8\n do_initcall_level+0xa4/0x148\n do_initcalls+0x5c/0x9c\n do_basic_setup+0x24/0x30\n kernel_init_freeable+0xec/0x164\n kernel_init+0x28/0x120\n ret_from_fork+0x10/0x20\n INFO: task kworker/u16:0:9 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n schedule_preempt_disabled+0x2c/0x48\n __mutex_lock+0x238/0x488\n __mutex_lock_slowpath+0x1c/0x28\n mutex_lock+0x50/0x74\n clk_prepare_lock+0x7c/0x9c\n clk_core_prepare_lock+0x20/0x44\n clk_prepare+0x24/0x30\n clk_bulk_prepare+0x40/0xb0\n mdss_runtime_resume+0x54/0x1c8\n pm_generic_runtime_resume+0x30/0x44\n __genpd_runtime_resume+0x68/0x7c\n genpd_runtime_resume+0x108/0x1f4\n __rpm_callback+0x84/0x144\n rpm_callback+0x30/0x88\n rpm_resume+0x1f4/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n __device_attach+0xe0/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n device_add+0x644/0x814\n mipi_dsi_device_register_full+0xe4/0x170\n devm_mipi_dsi_device_register_full+0x28/0x70\n ti_sn_bridge_probe+0x1dc/0x2c0\n auxiliary_bus_probe+0x4c/0x94\n really_probe+0xcc/0x2c8\n __driver_probe_device+0xa8/0x130\n driver_probe_device+0x48/0x110\n __device_attach_driver+0xa4/0xcc\n bus_for_each_drv+0x8c/0xd8\n __device_attach+0xf8/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n deferred_probe_work_func+0x9c/0xd8\n process_one_work+0x148/0x518\n worker_thread+0x138/0x350\n kthread+0x138/0x1e0\n ret_from_fork+0x10/0x20\n\nThe first thread is walking the clk tree and calling\nclk_pm_runtime_get() to power on devices required to read the clk\nhardware via struct clk_ops::is_enabled(). This thread holds the clk\nprepare_lock, and is trying to runtime PM resume a device, when it finds\nthat the device is in the process of resuming so the thread schedule()s\naway waiting for the device to finish resuming before continuing. The\nsecond thread is runtime PM resuming the same device, but the runtime\nresume callback is calling clk_prepare(), trying to grab the\nprepare_lock waiting on the first thread.\n\nThis is a classic ABBA deadlock. To properly fix the deadlock, we must\nnever runtime PM resume or suspend a device with the clk prepare_lock\nheld. Actually doing that is near impossible today because the global\nprepare_lock would have to be dropped in the middle of the tree, the\ndevice runtime PM resumed/suspended, and then the prepare_lock grabbed\nagain to ensure consistency of the clk tree topology. If anything\nchanges with the clk tree in the meantime, we've lost and will need to\nstart the operation all over again.\n\nLuckily, most of the time we're simply incrementing or decrementing the\nruntime PM count on an active device, so we don't have the chance to\nschedule away with the prepare_lock held. Let's fix this immediate\nproblem that can be\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27004" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27005", + "dataSource": "https://ubuntu.com/security/CVE-2024-27005", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27005" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27005", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27005", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6", + "https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42", + "https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: Don't access req_list while it's being manipulated\n\nThe icc_lock mutex was split into separate icc_lock and icc_bw_lock\nmutexes in [1] to avoid lockdep splats. However, this didn't adequately\nprotect access to icc_node::req_list.\n\nThe icc_set_bw() function will eventually iterate over req_list while\nonly holding icc_bw_lock, but req_list can be modified while only\nholding icc_lock. This causes races between icc_set_bw(), of_icc_get(),\nand icc_put().\n\nExample A:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n icc_put(path_b)\n mutex_lock(&icc_lock);\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_del(...\n \n\nExample B:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n path_b = of_icc_get()\n of_icc_get_by_index()\n mutex_lock(&icc_lock);\n path_find()\n path_init()\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_add_head(...\n \n\nFix this by ensuring icc_bw_lock is always held before manipulating\nicc_node::req_list. The additional places icc_bw_lock is held don't\nperform any memory allocations, so we should still be safe from the\noriginal lockdep splats that motivated the separate locks.\n\n[1] commit af42269c3523 (\"interconnect: Fix locking for runpm vs reclaim\")", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27005" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27008", + "dataSource": "https://ubuntu.com/security/CVE-2024-27008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27008" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27008", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062", + "https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5", + "https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1", + "https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face", + "https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042", + "https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb", + "https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e", + "https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: nv04: Fix out of bounds access\n\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\n\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27008" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27009", + "dataSource": "https://ubuntu.com/security/CVE-2024-27009", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27009" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27009", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27009", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48", + "https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49", + "https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538", + "https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e", + "https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: fix race condition during online processing\n\nA race condition exists in ccw_device_set_online() that can cause the\nonline process to fail, leaving the affected device in an inconsistent\nstate. As a result, subsequent attempts to set that device online fail\nwith return code ENODEV.\n\nThe problem occurs when a path verification request arrives after\na wait for final device state completed, but before the result state\nis evaluated.\n\nFix this by ensuring that the CCW-device lock is held between\ndetermining final state and checking result state.\n\nNote that since:\n\ncommit 2297791c92d0 (\"s390/cio: dont unregister subchannel from child-drivers\")\n\npath verification requests are much more likely to occur during boot,\nresulting in an increased chance of this race condition occurring.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27009" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27010", + "dataSource": "https://ubuntu.com/security/CVE-2024-27010", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27010" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27010", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27010", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11", + "https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix mirred deadlock on device recursion\n\nWhen the mirred action is used on a classful egress qdisc and a packet is\nmirrored or redirected to self we hit a qdisc lock deadlock.\nSee trace below.\n\n[..... other info removed for brevity....]\n[ 82.890906]\n[ 82.890906] ============================================\n[ 82.890906] WARNING: possible recursive locking detected\n[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W\n[ 82.890906] --------------------------------------------\n[ 82.890906] ping/418 is trying to acquire lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] but task is already holding lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] other info that might help us debug this:\n[ 82.890906] Possible unsafe locking scenario:\n[ 82.890906]\n[ 82.890906] CPU0\n[ 82.890906] ----\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906]\n[ 82.890906] *** DEADLOCK ***\n[ 82.890906]\n[..... other info removed for brevity....]\n\nExample setup (eth0->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nAnother example(eth0->eth1->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth1\n\ntc qdisc add dev eth1 root handle 1: htb default 30\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\nroot qdisc is entered. When the softirq enters it a second time, if the\nqdisc owner is the same CPU, the packet is dropped to break the loop.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27010" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27011", + "dataSource": "https://ubuntu.com/security/CVE-2024-27011", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27011" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27011", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27011", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6", + "https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memleak in map from abort path\n\nThe delete set command does not rely on the transaction object for\nelement removal, therefore, a combination of delete element + delete set\nfrom the abort path could result in restoring twice the refcount of the\nmapping.\n\nCheck for inactive element in the next generation for the delete element\ncommand in the abort path, skip restoring state if next generation bit\nhas been already cleared. This is similar to the activate logic using\nthe set walk iterator.\n\n[ 6170.286929] ------------[ cut here ]------------\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287071] Modules linked in: [...]\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\n[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\n[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\n[ 6170.287962] Call Trace:\n[ 6170.287967] \n[ 6170.287973] ? __warn+0x9f/0x1a0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.288104] ? handle_bug+0x3c/0x70\n[ 6170.288112] ? exc_invalid_op+0x17/0x40\n[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20\n[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27011" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27012", + "dataSource": "https://ubuntu.com/security/CVE-2024-27012", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27012" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27012", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27012", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637", + "https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: restore set elements when delete set fails\n\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\nthe original state. Currently, it uses the set->ops->walk() to iterate\nover these set elements. The existing set iterator skips inactive\nelements in the next generation, this does not work from the abort path\nto restore the original state since it has to skip active elements\ninstead (not inactive ones).\n\nThis patch moves the check for inactive elements to the set iterator\ncallback, then it reverses the logic for the .activate case which\nneeds to skip active elements.\n\nToggle next generation bit for elements when delete set command is\ninvoked and call nft_clear() from .activate (abort) path to restore the\nnext generation bit.\n\nThe splat below shows an object in mappings memleak:\n\n[43929.457523] ------------[ cut here ]------------\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[...]\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\n[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\n[43929.458114] Call Trace:\n[43929.458118] \n[43929.458121] ? __warn+0x9f/0x1a0\n[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458188] ? report_bug+0x1b1/0x1e0\n[43929.458196] ? handle_bug+0x3c/0x70\n[43929.458200] ? exc_invalid_op+0x17/0x40\n[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\n[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]\n[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]\n[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\n[43929.458512] ? rb_insert_color+0x2e/0x280\n[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]\n[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\n[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\n[43929.458701] ? __rcu_read_unlock+0x46/0x70\n[43929.458709] nft_delset+0xff/0x110 [nf_tables]\n[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]\n[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27012" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27013", + "dataSource": "https://ubuntu.com/security/CVE-2024-27013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27013" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27013", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/14cdb43dbc827e18ac7d5b30c5b4c676219f1421", + "https://git.kernel.org/stable/c/40f4ced305c6c47487d3cd8da54676e2acc1a6ad", + "https://git.kernel.org/stable/c/4b0dcae5c4797bf31c63011ed62917210d3fdac3", + "https://git.kernel.org/stable/c/52854101180beccdb9dc2077a3bea31b6ad48dfa", + "https://git.kernel.org/stable/c/62e27ef18eb4f0d33bbae8e9ef56b99696a74713", + "https://git.kernel.org/stable/c/68459b8e3ee554ce71878af9eb69659b9462c588", + "https://git.kernel.org/stable/c/a50dbeca28acf7051dfa92786b85f704c75db6eb", + "https://git.kernel.org/stable/c/f8bbc07ac535593139c875ffa19af924b1084540", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: limit printing rate when illegal packet received by tun dev\n\nvhost_worker will call tun call backs to receive packets. If too many\nillegal packets arrives, tun_do_read will keep dumping packet contents.\nWhen console is enabled, it will costs much more cpu time to dump\npacket and soft lockup will be detected.\n\nnet_ratelimit mechanism can be used to limit the dumping rate.\n\nPID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: \"vhost-32980\"\n #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253\n #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3\n #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e\n #3 [fffffe00003fced0] do_nmi at ffffffff8922660d\n #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663\n [exception RIP: io_serial_in+20]\n RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002\n RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000\n RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0\n RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f\n R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020\n R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #5 [ffffa655314979e8] io_serial_in at ffffffff89792594\n #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470\n #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6\n #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605\n #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558\n #10 [ffffa65531497ac8] console_unlock at ffffffff89316124\n #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07\n #12 [ffffa65531497b68] printk at ffffffff89318306\n #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765\n #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]\n #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]\n #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]\n #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]\n #18 [ffffa65531497f10] kthread at ffffffff892d2e72\n #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27013" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27014", + "dataSource": "https://ubuntu.com/security/CVE-2024-27014", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27014" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27014", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27014", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0080bf99499468030248ebd25dd645e487dcecdc", + "https://git.kernel.org/stable/c/46efa4d5930cf3c2af8c01f75e0a47e4fc045e3b", + "https://git.kernel.org/stable/c/48c4bb81df19402d4346032353d0795260255e3b", + "https://git.kernel.org/stable/c/fef965764cf562f28afb997b626fc7c3cec99693" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent deadlock while disabling aRFS\n\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\n\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\n\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\n\nKernel log:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\n\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n __mutex_lock+0x80/0xc90\n arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n process_one_work+0x1dc/0x4a0\n worker_thread+0x1bf/0x3c0\n kthread+0xd7/0x100\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n __flush_work+0x7a/0x4e0\n __cancel_work_timer+0x131/0x1c0\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1a1/0x270\n netlink_sendmsg+0x214/0x460\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x113/0x170\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n\n *** DEADLOCK ***\n\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27014" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27015", + "dataSource": "https://ubuntu.com/security/CVE-2024-27015", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27015" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27015", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27015", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4ed82dd368ad883dc4284292937b882f044e625d", + "https://git.kernel.org/stable/c/6db5dc7b351b9569940cd1cf445e237c42cd6d27", + "https://git.kernel.org/stable/c/e3f078103421642fcd5f05c5e70777feb10f000d", + "https://git.kernel.org/stable/c/e719b52d0c56989b0f3475a03a6d64f182c85b56", + "https://git.kernel.org/stable/c/f1c3c61701a0b12f4906152c1626a5de580ea3d2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: incorrect pppoe tuple\n\npppoe traffic reaching ingress path does not match the flowtable entry\nbecause the pppoe header is expected to be at the network header offset.\nThis bug causes a mismatch in the flow table lookup, so pppoe packets\nenter the classical forwarding path.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27015" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27016", + "dataSource": "https://ubuntu.com/security/CVE-2024-27016", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27016" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27016", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27016", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf", + "https://git.kernel.org/stable/c/8bf7c76a2a207ca2b4cfda0a279192adf27678d7", + "https://git.kernel.org/stable/c/a2471d271042ea18e8a6babc132a8716bb2f08b9", + "https://git.kernel.org/stable/c/cf366ee3bc1b7d1c76a882640ba3b3f8f1039163", + "https://git.kernel.org/stable/c/d06977b9a4109f8738bb276125eb6a0b772bc433" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: validate pppoe header\n\nEnsure there is sufficient room to access the protocol field of the\nPPPoe header. Validate it once before the flowtable lookup, then use a\nhelper function to access protocol field.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27016" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27017", + "dataSource": "https://ubuntu.com/security/CVE-2024-27017", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27017" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27017", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27017", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73", + "https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\n\nThe generation mask can be updated while netlink dump is in progress.\nThe pipapo set backend walk iterator cannot rely on it to infer what\nview of the datastructure is to be used. Add notation to specify if user\nwants to read/update the set.\n\nBased on patch from Florian Westphal.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2024-27017" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27018", + "dataSource": "https://ubuntu.com/security/CVE-2024-27018", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27018" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27018", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27018", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3f59ac29dea0921637053908fe99268d157bbb9d", + "https://git.kernel.org/stable/c/43193174510ea4f3ce09b796e559a2fd9f148615", + "https://git.kernel.org/stable/c/751de2012eafa4d46d8081056761fa0e9cc8a178", + "https://git.kernel.org/stable/c/b13db0d16bc7b2a52abcf5cb71334f63faa5dbd6", + "https://git.kernel.org/stable/c/dceb683ab87ca3666a9bb5c0158528b646faedc4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: skip conntrack input hook for promisc packets\n\nFor historical reasons, when bridge device is in promisc mode, packets\nthat are directed to the taps follow bridge input hook path. This patch\nadds a workaround to reset conntrack for these packets.\n\nJianbo Liu reports warning splats in their test infrastructure where\ncloned packets reach the br_netfilter input hook to confirm the\nconntrack object.\n\nScratch one bit from BR_INPUT_SKB_CB to annotate that this packet has\nreached the input hook because it is passed up to the bridge device to\nreach the taps.\n\n[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core\n[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19\n[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1\n[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202\n[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000\n[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000\n[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003\n[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000\n[ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800\n[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000\n[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0\n[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ 57.585440] Call Trace:\n[ 57.585721] \n[ 57.585976] ? __warn+0x7d/0x130\n[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.586811] ? report_bug+0xf1/0x1c0\n[ 57.587177] ? handle_bug+0x3f/0x70\n[ 57.587539] ? exc_invalid_op+0x13/0x60\n[ 57.587929] ? asm_exc_invalid_op+0x16/0x20\n[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.588825] nf_hook_slow+0x3d/0xd0\n[ 57.589188] ? br_handle_vlan+0x4b/0x110\n[ 57.589579] br_pass_frame_up+0xfc/0x150\n[ 57.589970] ? br_port_flags_change+0x40/0x40\n[ 57.590396] br_handle_frame_finish+0x346/0x5e0\n[ 57.590837] ? ipt_do_table+0x32e/0x430\n[ 57.591221] ? br_handle_local_finish+0x20/0x20\n[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]\n[ 57.592286] ? br_handle_local_finish+0x20/0x20\n[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]\n[ 57.593348] ? br_handle_local_finish+0x20/0x20\n[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]\n[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]\n[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]\n[ 57.595280] br_handle_frame+0x1f3/0x3d0\n[ 57.595676] ? br_handle_local_finish+0x20/0x20\n[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0\n[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0\n[ 57.597017] ? __napi_build_skb+0x37/0x40\n[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27018" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27019", + "dataSource": "https://ubuntu.com/security/CVE-2024-27019", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27019" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27019", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27019", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/379bf7257bc5f2a1b1ca8514e08a871b7bf6d920", + "https://git.kernel.org/stable/c/4ca946b19caf655a08d5e2266d4d5526025ebb73", + "https://git.kernel.org/stable/c/ad333578f736d56920e090d7db1f8dec891d815e", + "https://git.kernel.org/stable/c/cade34279c2249eafe528564bd2e203e4ff15f88", + "https://git.kernel.org/stable/c/d78d867dcea69c328db30df665be5be7d0148484", + "https://git.kernel.org/stable/c/df7c0fb8c2b9f9cac65659332581b19682a71349" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\n\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27019" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27020", + "dataSource": "https://ubuntu.com/security/CVE-2024-27020", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27020" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27020", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27020", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/01f1a678b05ade4b1248019c2dcca773aebbeb7f", + "https://git.kernel.org/stable/c/0b6de00206adbbfc6373b3ae38d2a6f197987907", + "https://git.kernel.org/stable/c/8d56bad42ac4c43c6c72ddd6a654a2628bf839c5", + "https://git.kernel.org/stable/c/934e66e231cff2b18faa2c8aad0b8cec13957e05", + "https://git.kernel.org/stable/c/939109c0a8e2a006a6cc8209e262d25065f4403a", + "https://git.kernel.org/stable/c/a9ebf340d123ae12582210407f879d6a5a1bc25b", + "https://git.kernel.org/stable/c/b38a133d37fa421c8447b383d788c9cc6f5cb34c", + "https://git.kernel.org/stable/c/f969eb84ce482331a991079ab7a5c4dc3b7f89bf", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\n\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27020" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27025", + "dataSource": "https://ubuntu.com/security/CVE-2024-27025", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27025" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27025", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27025", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d", + "https://git.kernel.org/stable/c/44214d744be32a4769faebba764510888f1eb19e", + "https://git.kernel.org/stable/c/4af837db0fd3679fabc7b7758397090b0c06dced", + "https://git.kernel.org/stable/c/96436365e5d80d0106ea785a4f80a58e7c9edff8", + "https://git.kernel.org/stable/c/98e60b538e66c90b9a856828c71d4e975ebfa797", + "https://git.kernel.org/stable/c/b7f5aed55829f376e4f7e5ea5b80ccdcb023e983", + "https://git.kernel.org/stable/c/ba6a9970ce9e284cbc04099361c58731e308596a", + "https://git.kernel.org/stable/c/e803040b368d046434fbc8a91945c690332c4fcf", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: null check for nla_nest_start\n\nnla_nest_start() may fail and return NULL. Insert a check and set errno\nbased on other call sites within the same source code.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27025" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27032", + "dataSource": "https://ubuntu.com/security/CVE-2024-27032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21ec68234826b1b54ab980a8df6e33c74cfbee58", + "https://git.kernel.org/stable/c/8844b2f8a3f0c428b74672f9726f9950b1a7764c", + "https://git.kernel.org/stable/c/d034810d02a5af8eb74debe29877dcaf5f00fdd1", + "https://git.kernel.org/stable/c/f26091a981318b5b7451d61f99bc073a6af8db67", + "https://git.kernel.org/stable/c/fe4de493572a4263554903bf9c3afc5c196e15f0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential panic during recovery\n\nDuring recovery, if FAULT_BLOCK is on, it is possible that\nf2fs_reserve_new_block() will return -ENOSPC during recovery,\nthen it may trigger panic.\n\nAlso, if fault injection rate is 1 and only FAULT_BLOCK fault\ntype is on, it may encounter deadloop in loop of block reservation.\n\nLet's change as below to fix these issues:\n- remove bug_on() to avoid panic.\n- limit the loop count of block reservation to avoid potential\ndeadloop.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27032" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27035", + "dataSource": "https://ubuntu.com/security/CVE-2024-27035", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27035" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27035", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27035", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/57e8b17d0522c8f4daf0c4d9969b4d7358033532", + "https://git.kernel.org/stable/c/82704e598d7b33c7e45526e34d3c585426319bed", + "https://git.kernel.org/stable/c/8a430dd49e9cb021372b0ad91e60aeef9c6ced00", + "https://git.kernel.org/stable/c/c3311694b9bcced233548574d414c91d39214684", + "https://git.kernel.org/stable/c/e54cce8137258a550b49cae45d09e024821fb28d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to guarantee persisting compressed blocks by CP\n\nIf data block in compressed cluster is not persisted with metadata\nduring checkpoint, after SPOR, the data may be corrupted, let's\nguarantee to write compressed page by checkpoint.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27035" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27041", + "dataSource": "https://ubuntu.com/security/CVE-2024-27041", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27041" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27041", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27041", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c62697e4086de988b31124fb8c79c244ea05f2b", + "https://git.kernel.org/stable/c/2a3cfb9a24a28da9cc13d2c525a76548865e182c", + "https://git.kernel.org/stable/c/ca2eb375db76fd50f31afdd67d6ca4f833254957", + "https://git.kernel.org/stable/c/e040f1fbe9abae91b12b074cfc3bbb5367b79811" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()\n\nSince 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL\nbefore the call to dc_enable_dmub_notifications(), check\nbeforehand to ensure there will not be a possible NULL-ptr-deref\nthere.\n\nAlso, since commit 1e88eb1b2c25 (\"drm/amd/display: Drop\nCONFIG_DRM_AMD_DC_HDCP\") there are two separate checks for NULL in\n'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy().\nClean up by combining them all under one 'if'.\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27041" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27056", + "dataSource": "https://ubuntu.com/security/CVE-2024-27056", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27056" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27056", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27056", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/78f65fbf421a61894c14a1b91fe2fb4437b3fe5f", + "https://git.kernel.org/stable/c/ed35a509390ef4011ea2226da5dd6f62b73873b5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: ensure offloading TID queue exists\n\nThe resume code path assumes that the TX queue for the offloading TID\nhas been configured. At resume time it then tries to sync the write\npointer as it may have been updated by the firmware.\n\nIn the unusual event that no packets have been send on TID 0, the queue\nwill not have been allocated and this causes a crash. Fix this by\nensuring the queue exist at suspend time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27056" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27057", + "dataSource": "https://ubuntu.com/security/CVE-2024-27057", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27057" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27057", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27057", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3cac6eebea9b4bc5f041e157e45c76e212ad6759", + "https://git.kernel.org/stable/c/c40aad7c81e5fba34b70123ed7ce3397fa62a4d2", + "https://git.kernel.org/stable/c/d153e8b154f9746ac969c85a4e6474760453647c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend\n\nWhen the system is suspended while audio is active, the\nsof_ipc4_pcm_hw_free() is invoked to reset the pipelines since during\nsuspend the DSP is turned off, streams will be re-started after resume.\n\nIf the firmware crashes during while audio is running (or when we reset\nthe stream before suspend) then the sof_ipc4_set_multi_pipeline_state()\nwill fail with IPC error and the state change is interrupted.\nThis will cause misalignment between the kernel and firmware state on next\nDSP boot resulting errors returned by firmware for IPC messages, eventually\nfailing the audio resume.\nOn stream close the errors are ignored so the kernel state will be\ncorrected on the next DSP boot, so the second boot after the DSP panic.\n\nIf sof_ipc4_trigger_pipelines() is called from sof_ipc4_pcm_hw_free() then\nstate parameter is SOF_IPC4_PIPE_RESET and only in this case.\n\nTreat a forced pipeline reset similarly to how we treat a pcm_free by\nignoring error on state sending to allow the kernel's state to be\nconsistent with the state the firmware will have after the next boot.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27057" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27059", + "dataSource": "https://ubuntu.com/security/CVE-2024-27059", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27059" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27059", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27059", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49", + "https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133", + "https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636", + "https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964", + "https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325", + "https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34", + "https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f", + "https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\n\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands. The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0. While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\n\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0. This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27059" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27062", + "dataSource": "https://ubuntu.com/security/CVE-2024-27062", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27062" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27062", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27062", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6887314f5356389fc219b8152e951ac084a10ef7", + "https://git.kernel.org/stable/c/96c8751844171af4b3898fee3857ee180586f589", + "https://git.kernel.org/stable/c/b7cc4ff787a572edf2c55caeffaa88cd801eb135" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: lock the client object tree.\n\nIt appears the client object tree has no locking unless I've missed\nsomething else. Fix races around adding/removing client objects,\nmostly vram bar mappings.\n\n 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI\n[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\n[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\n[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe\n[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206\n[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58\n[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400\n[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000\n[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0\n[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007\n[ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000\n[ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0\n[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4562.099544] Call Trace:\n[ 4562.099555] \n[ 4562.099573] ? die_addr+0x36/0x90\n[ 4562.099583] ? exc_general_protection+0x246/0x4a0\n[ 4562.099593] ? asm_exc_general_protection+0x26/0x30\n[ 4562.099600] ? nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099730] nvkm_ioctl+0xa1/0x250 [nouveau]\n[ 4562.099861] nvif_object_map_handle+0xc8/0x180 [nouveau]\n[ 4562.099986] nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]\n[ 4562.100156] ? dma_resv_test_signaled+0x26/0xb0\n[ 4562.100163] ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]\n[ 4562.100182] ? __mutex_unlock_slowpath+0x2a/0x270\n[ 4562.100189] nouveau_ttm_fault+0x69/0xb0 [nouveau]\n[ 4562.100356] __do_fault+0x32/0x150\n[ 4562.100362] do_fault+0x7c/0x560\n[ 4562.100369] __handle_mm_fault+0x800/0xc10\n[ 4562.100382] handle_mm_fault+0x17c/0x3e0\n[ 4562.100388] do_user_addr_fault+0x208/0x860\n[ 4562.100395] exc_page_fault+0x7f/0x200\n[ 4562.100402] asm_exc_page_fault+0x26/0x30\n[ 4562.100412] RIP: 0033:0x9b9870\n[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7\n[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246\n[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000\n[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066\n[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000\n[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff\n[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 4562.100446] \n[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27062" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27072", + "dataSource": "https://ubuntu.com/security/CVE-2024-27072", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27072" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27072", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27072", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2", + "https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Remove useless locks in usbtv_video_free()\n\nRemove locks calls in usbtv_video_free() because\nare useless and may led to a deadlock as reported here:\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\nAlso remove usbtv_stop() call since it will be called when\nunregistering the device.\n\nBefore 'c838530d230b' this issue would only be noticed if you\ndisconnect while streaming and now it is noticeable even when\ndisconnecting while not streaming.\n\n\n[hverkuil: fix minor spelling mistake in log message]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27072" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27389", + "dataSource": "https://ubuntu.com/security/CVE-2024-27389", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27389" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27389", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27389", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/340682ed1932b8e3bd0bfc6c31a0c6354eb57cc6", + "https://git.kernel.org/stable/c/4cdf9006fc095af71da80e9b5f48a32e991b9ed3", + "https://git.kernel.org/stable/c/a43e0fc5e9134a46515de2f2f8d4100b74e50de3", + "https://git.kernel.org/stable/c/cb9e802e49c24eeb3af35e9e8c04d526f35f112a", + "https://git.kernel.org/stable/c/db6e5e16f1ee9e3b01d2f71c7f0ba945f4bf0f4e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: inode: Only d_invalidate() is needed\n\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\n\n WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\n\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\n\n---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27389" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27393", + "dataSource": "https://ubuntu.com/security/CVE-2024-27393", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27393" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27393", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27393", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/08/4", + "http://xenbits.xen.org/xsa/advisory-457.html", + "https://git.kernel.org/stable/c/037965402a010898d34f4e35327d22c0a95cd51f", + "https://git.kernel.org/stable/c/27aa3e4b3088426b7e34584274ad45b5afaf7629", + "https://git.kernel.org/stable/c/4143b9479caa29bb2380f3620dcbe16ea84eb3b1", + "https://git.kernel.org/stable/c/7c1250796b6c262b505a46192f4716b8c6a6a8c6", + "https://git.kernel.org/stable/c/c8b7b2f158d9d4fb89cd2f68244af154f7549bb4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: Add missing skb_mark_for_recycle\n\nNotice that skb_mark_for_recycle() is introduced later than fixes tag in\ncommit 6a5bcd84e886 (\"page_pool: Allow drivers to hint on SKB recycling\").\n\nIt is believed that fixes tag were missing a call to page_pool_release_page()\nbetween v5.9 to v5.14, after which is should have used skb_mark_for_recycle().\nSince v6.6 the call page_pool_release_page() were removed (in\ncommit 535b9c61bdef (\"net: page_pool: hide page_pool_release_page()\")\nand remaining callers converted (in commit 6bfef2ec0172 (\"Merge branch\n'net-page_pool-remove-page_pool_release_page'\")).\n\nThis leak became visible in v6.8 via commit dba1b8a7ab68 (\"mm/page_pool: catch\npage_pool memory leaks\").", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27393" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27395", + "dataSource": "https://ubuntu.com/security/CVE-2024-27395", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27395" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27395", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27395", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2db9a8c0a01fa1c762c1e61a13c212c492752994", + "https://git.kernel.org/stable/c/35880c3fa6f8fe281a19975d2992644588ca33d3", + "https://git.kernel.org/stable/c/589523cf0b384164e445dd5db8d5b1bf97982424", + "https://git.kernel.org/stable/c/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2", + "https://git.kernel.org/stable/c/9048616553c65e750d43846f225843ed745ec0d4", + "https://git.kernel.org/stable/c/bca6fa2d9a9f560e6b89fd5190b05cc2f5d422c1", + "https://git.kernel.org/stable/c/eaa5e164a2110d2fb9e16c8a29e4501882235137", + "https://git.kernel.org/stable/c/edee0758747d7c219e29db9ed1d4eb33e8d32865", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\n\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27395" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27396", + "dataSource": "https://ubuntu.com/security/CVE-2024-27396", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27396" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27396", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27396", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07b20d0a3dc13fb1adff10b60021a4924498da58", + "https://git.kernel.org/stable/c/0caff3e6390f840666b8dc1ecebf985c2ef3f1dd", + "https://git.kernel.org/stable/c/25a1c2d4b1fcf938356a9688a96a6456abd44b29", + "https://git.kernel.org/stable/c/2aacd4de45477582993f8a8abb9505a06426bfb6", + "https://git.kernel.org/stable/c/2e74b3fd6bf542349758f283676dff3660327c07", + "https://git.kernel.org/stable/c/718df1bc226c383dd803397d7f5d95557eb81ac7", + "https://git.kernel.org/stable/c/cd957d1716ec979d8f5bf38fc659aeb9fdaa2474", + "https://git.kernel.org/stable/c/f2a904107ee2b647bb7794a1a82b67740d7c8a64", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gtp: Fix Use-After-Free in gtp_dellink\n\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27396" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27397", + "dataSource": "https://ubuntu.com/security/CVE-2024-27397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27397", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d", + "https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3", + "https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15", + "https://git.kernel.org/stable/c/7b17de2a71e56c10335b565cc7ad238e6d984379", + "https://git.kernel.org/stable/c/b45176b869673417ace338b87cf9cdb66e2eeb01", + "https://git.kernel.org/stable/c/eaf1a29ea5d7dba8e84e9e9f3b3f47d0cd540bfe", + "https://git.kernel.org/stable/c/f8dfda798650241c1692058713ca4fef8e429061" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: use timestamp to check for set element timeout\n\nAdd a timestamp field at the beginning of the transaction, store it\nin the nftables per-netns area.\n\nUpdate set backend .insert, .deactivate and sync gc path to use the\ntimestamp, this avoids that an element expires while control plane\ntransaction is still unfinished.\n\n.lookup and .update, which are used from packet path, still use the\ncurrent time to check if the element has expired. And .get path and dump\nalso since this runs lockless under rcu read size lock. Then, there is\nasync gc which also needs to check the current time since it runs\nasynchronously from a workqueue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27397" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27398", + "dataSource": "https://ubuntu.com/security/CVE-2024-27398", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27398" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27398", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27398", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2", + "https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249", + "https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014", + "https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53", + "https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546", + "https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178", + "https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5", + "https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\n\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\n\n Cleanup Thread | Worker Thread\nsco_sock_release |\n sco_sock_close |\n __sco_sock_close |\n sco_sock_set_timer |\n schedule_delayed_work |\n sco_sock_kill | (wait a time)\n sock_put(sk) //FREE | sco_sock_timeout\n | sock_hold(sk) //USE\n\nThe KASAN report triggered by POC is shown below:\n\n[ 95.890016] ==================================================================\n[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[ 95.890755] Workqueue: events sco_sock_timeout\n[ 95.890755] Call Trace:\n[ 95.890755] \n[ 95.890755] dump_stack_lvl+0x45/0x110\n[ 95.890755] print_address_description+0x78/0x390\n[ 95.890755] print_report+0x11b/0x250\n[ 95.890755] ? __virt_addr_valid+0xbe/0xf0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_report+0x139/0x170\n[ 95.890755] ? update_load_avg+0xe5/0x9f0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_check_range+0x2c3/0x2e0\n[ 95.890755] sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] process_one_work+0x561/0xc50\n[ 95.890755] worker_thread+0xab2/0x13c0\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] kthread+0x279/0x300\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork+0x34/0x60\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork_asm+0x11/0x20\n[ 95.890755] \n[ 95.890755]\n[ 95.890755] Allocated by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] __kasan_kmalloc+0x86/0x90\n[ 95.890755] __kmalloc+0x17f/0x360\n[ 95.890755] sk_prot_alloc+0xe1/0x1a0\n[ 95.890755] sk_alloc+0x31/0x4e0\n[ 95.890755] bt_sock_alloc+0x2b/0x2a0\n[ 95.890755] sco_sock_create+0xad/0x320\n[ 95.890755] bt_sock_create+0x145/0x320\n[ 95.890755] __sock_create+0x2e1/0x650\n[ 95.890755] __sys_socket+0xd0/0x280\n[ 95.890755] __x64_sys_socket+0x75/0x80\n[ 95.890755] do_syscall_64+0xc4/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] Freed by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] kasan_save_free_info+0x40/0x50\n[ 95.890755] poison_slab_object+0x118/0x180\n[ 95.890755] __kasan_slab_free+0x12/0x30\n[ 95.890755] kfree+0xb2/0x240\n[ 95.890755] __sk_destruct+0x317/0x410\n[ 95.890755] sco_sock_release+0x232/0x280\n[ 95.890755] sock_close+0xb2/0x210\n[ 95.890755] __fput+0x37f/0x770\n[ 95.890755] task_work_run+0x1ae/0x210\n[ 95.890755] get_signal+0xe17/0xf70\n[ 95.890755] arch_do_signal_or_restart+0x3f/0x520\n[ 95.890755] syscall_exit_to_user_mode+0x55/0x120\n[ 95.890755] do_syscall_64+0xd1/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the object at ffff88800c388000\n[ 95.890755] which belongs to the cache kmalloc-1k of size 1024\n[ 95.890755] The buggy address is located 128 bytes inside of\n[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the physical page:\n[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 95.890755] ano\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-27398" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27399", + "dataSource": "https://ubuntu.com/security/CVE-2024-27399", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27399" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27399", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27399", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c", + "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9", + "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33", + "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0", + "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c", + "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae", + "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79", + "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\n\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan->conn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\n\n[ 472.074580] ==================================================================\n[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[ 472.075308]\n[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.075308] Workqueue: events l2cap_chan_timeout\n[ 472.075308] Call Trace:\n[ 472.075308] \n[ 472.075308] dump_stack_lvl+0x137/0x1a0\n[ 472.075308] print_report+0x101/0x250\n[ 472.075308] ? __virt_addr_valid+0x77/0x160\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_report+0x139/0x170\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_check_range+0x2c3/0x2e0\n[ 472.075308] mutex_lock+0x68/0xc0\n[ 472.075308] l2cap_chan_timeout+0x181/0x300\n[ 472.075308] process_one_work+0x5d2/0xe00\n[ 472.075308] worker_thread+0xe1d/0x1660\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] kthread+0x2b7/0x350\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork+0x4d/0x80\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork_asm+0x11/0x20\n[ 472.075308] \n[ 472.075308] ==================================================================\n[ 472.094860] Disabling lock debugging due to kernel taint\n[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[ 472.096136] #PF: supervisor write access in kernel mode\n[ 472.096136] #PF: error_code(0x0002) - not-present page\n[ 472.096136] PGD 0 P4D 0\n[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.096136] Workqueue: events l2cap_chan_timeout\n[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[ 472.096136] Call Trace:\n[ 472.096136] \n[ 472.096136] ? __die_body+0x8d/0xe0\n[ 472.096136] ? page_fault_oops+0x6b8/0x9a0\n[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[ 472.096136] ? do_user_addr_fault+0x1027/0x1340\n[ 472.096136] ? _printk+0x7a/0xa0\n[ 472.096136] ? mutex_lock+0x68/0xc0\n[ 472.096136] ? add_taint+0x42/0xd0\n[ 472.096136] ? exc_page_fault+0x6a/0x1b0\n[ 472.096136] ? asm_exc_page_fault+0x26/0x30\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] ? mutex_lock+0x88/0xc0\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] l2cap_chan_timeo\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-27399" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27400", + "dataSource": "https://ubuntu.com/security/CVE-2024-27400", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27400" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27400", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27400", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c7ed3ed35eec9138b88d42217b5a6b9a62bda4d", + "https://git.kernel.org/stable/c/5c25b169f9a0b34ee410891a96bc9d7b9ed6f9be", + "https://git.kernel.org/stable/c/9a4f6e138720b6e9adf7b82a71d0292f3f276480", + "https://git.kernel.org/stable/c/d3a9331a6591e9df64791e076f6591f440af51c3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2\n\nThis reverts drm/amdgpu: fix ftrace event amdgpu_bo_move always move\non same heap. The basic problem here is that after the move the old\nlocation is simply not available any more.\n\nSome fixes were suggested, but essentially we should call the move\nnotification before actually moving things because only this way we have\nthe correct order for DMA-buf and VM move notifications as well.\n\nAlso rework the statistic handling so that we don't update the eviction\ncounter before the move.\n\nv2: add missing NULL check", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27400" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27401", + "dataSource": "https://ubuntu.com/security/CVE-2024-27401", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27401" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27401", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27401", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1fe60ee709436550f8cfbab01295936b868d5baa", + "https://git.kernel.org/stable/c/38762a0763c10c24a4915feee722d7aa6e73eb98", + "https://git.kernel.org/stable/c/4ee0941da10e8fdcdb34756b877efd3282594c1f", + "https://git.kernel.org/stable/c/539d51ac48bcfcfa1b3d4a85f8df92fa22c1d41c", + "https://git.kernel.org/stable/c/67f34f093c0f7bf33f5b4ae64d3d695a3b978285", + "https://git.kernel.org/stable/c/79f988d3ffc1aa778fc5181bdfab312e57956c6b", + "https://git.kernel.org/stable/c/7b8c7bd2296e95b38a6ff346242356a2e7190239", + "https://git.kernel.org/stable/c/cca330c59c54207567a648357835f59df9a286bb", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\n\nEnsure that packet_buffer_get respects the user_length provided. If\nthe length of the head packet exceeds the user_length, packet_buffer_get\nwill now return 0 to signify to the user that no data were read\nand a larger buffer size is required. Helps prevent user space overflows.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-27401" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27402", + "dataSource": "https://ubuntu.com/security/CVE-2024-27402", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27402" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27402", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27402", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a9f558c72c47472c38c05fcb72c70abb9104277", + "https://git.kernel.org/stable/c/7d2a894d7f487dcb894df023e9d3014cf5b93fe5", + "https://git.kernel.org/stable/c/8ef4fcc7014b9f93619851d6b78d6cc2789a4c88", + "https://git.kernel.org/stable/c/9d5523e065b568e79dfaa2ea1085a5bcf74baf78" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet/pep: fix racy skb_queue_empty() use\n\nThe receive queues are protected by their respective spin-lock, not\nthe socket lock. This could lead to skb_peek() unexpectedly\nreturning NULL or a pointer to an already dequeued socket buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27402" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27407", + "dataSource": "https://ubuntu.com/security/CVE-2024-27407", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27407" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27407", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27407", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1c0a95d99b1b2b5d842e5abc7ef7eed1193b60d7", + "https://git.kernel.org/stable/c/652cfeb43d6b9aba5c7c4902bed7a7340df131fb", + "https://git.kernel.org/stable/c/8c77398c72618101d66480b94b34fe9087ee3d08" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fixed overflow check in mi_enum_attr()", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27407" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27408", + "dataSource": "https://ubuntu.com/security/CVE-2024-27408", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27408" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27408", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27408", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/bbcc1c83f343e580c3aa1f2a8593343bf7b55bba", + "https://git.kernel.org/stable/c/d24fe6d5a1cfdddb7a9ef56736ec501c4d0a5fd3", + "https://git.kernel.org/stable/c/f396b4df27cfe01a99f4b41f584c49e56477be3a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup\n\nThe Linked list element and pointer are not stored in the same memory as\nthe eDMA controller register. If the doorbell register is toggled before\nthe full write of the linked list a race condition error will occur.\nIn remote setup we can only use a readl to the memory to assure the full\nwrite has occurred.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27408" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27418", + "dataSource": "https://ubuntu.com/security/CVE-2024-27418", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27418" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27418", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27418", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3", + "https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd", + "https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b", + "https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: take ownership of skb in mctp_local_output\n\nCurrently, mctp_local_output only takes ownership of skb on success, and\nwe may leak an skb if mctp_local_output fails in specific states; the\nskb ownership isn't transferred until the actual output routing occurs.\n\nInstead, make mctp_local_output free the skb on all error paths up to\nthe route action, so it always consumes the passed skb.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27418" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27435", + "dataSource": "https://ubuntu.com/security/CVE-2024-27435", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27435" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27435", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27435", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8", + "https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818", + "https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96", + "https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1d", + "https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix reconnection fail due to reserved tag allocation\n\nWe found a issue on production environment while using NVMe over RDMA,\nadmin_q reconnect failed forever while remote target and network is ok.\nAfter dig into it, we found it may caused by a ABBA deadlock due to tag\nallocation. In my case, the tag was hold by a keep alive request\nwaiting inside admin_q, as we quiesced admin_q while reset ctrl, so the\nrequest maked as idle and will not process before reset success. As\nfabric_q shares tagset with admin_q, while reconnect remote target, we\nneed a tag for connect command, but the only one reserved tag was held\nby keep alive command which waiting inside admin_q. As a result, we\nfailed to reconnect admin_q forever. In order to fix this issue, I\nthink we should keep two reserved tags for admin queue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27435" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27437", + "dataSource": "https://ubuntu.com/security/CVE-2024-27437", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27437" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27437", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/139dfcc4d723ab13469881200c7d80f49d776060", + "https://git.kernel.org/stable/c/26389925d6c2126fb777821a0a983adca7ee6351", + "https://git.kernel.org/stable/c/2a4a666c45107206605b7b5bc20545f8aabc4fa2", + "https://git.kernel.org/stable/c/3b3491ad0f80d913e7d255941d4470f4a4d9bfda", + "https://git.kernel.org/stable/c/561d5e1998d58b54ce2bbbb3e843b669aa0b3db5", + "https://git.kernel.org/stable/c/b7a2f0955ffceffadfe098b40b50307431f45438", + "https://git.kernel.org/stable/c/bf0bc84a20e6109ab07d5dc072067bd01eb931ec", + "https://git.kernel.org/stable/c/fe9a7082684eb059b925c535682e68c34d487d43", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\n\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag. This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\n\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27437" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-31076", + "dataSource": "https://ubuntu.com/security/CVE-2024-31076", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-31076" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-31076", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-31076", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f", + "https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76", + "https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420", + "https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8", + "https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32", + "https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30", + "https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1", + "https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\n\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\n\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\n\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\n\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\n\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\n\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\n\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\n\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-31076" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-33621", + "dataSource": "https://ubuntu.com/security/CVE-2024-33621", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-33621" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-33621", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-33621", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0049a623dfbbb49888de7f0c2f33a582b5ead989", + "https://git.kernel.org/stable/c/13c4543db34e0da5a7d2f550b6262d860f248381", + "https://git.kernel.org/stable/c/183c4b416454b9983dc1b8aa0022b748911adc48", + "https://git.kernel.org/stable/c/1abbf079da59ef559d0ab4219d2a0302f7970761", + "https://git.kernel.org/stable/c/54213c09801e0bd2549ac42961093be36f65a7d0", + "https://git.kernel.org/stable/c/54768bacfde60e8e4757968d79f8726711dd2cf5", + "https://git.kernel.org/stable/c/b3dc6e8003b500861fa307e9a3400c52e78e4d3a", + "https://git.kernel.org/stable/c/cb53706a3403ba67f4040b2a82d9cf79e11b1a48" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound\n\nRaw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will\nhit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.\n\nWARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70\nModules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper\nCPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:sk_mc_loop+0x2d/0x70\nCode: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c\nRSP: 0018:ffffa9584015cd78 EFLAGS: 00010212\nRAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001\nRDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000\nRBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00\nR10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000\nR13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000\nFS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n ? __warn (kernel/panic.c:693)\n ? sk_mc_loop (net/core/sock.c:760)\n ? report_bug (lib/bug.c:201 lib/bug.c:219)\n ? handle_bug (arch/x86/kernel/traps.c:239)\n ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\n ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\n ? sk_mc_loop (net/core/sock.c:760)\n ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))\n ? nf_hook_slow (net/netfilter/core.c:626)\n ip6_finish_output (net/ipv6/ip6_output.c:222)\n ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)\n ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan\n ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan\n dev_hard_start_xmit (net/core/dev.c:3594)\n sch_direct_xmit (net/sched/sch_generic.c:343)\n __qdisc_run (net/sched/sch_generic.c:416)\n net_tx_action (net/core/dev.c:5286)\n handle_softirqs (kernel/softirq.c:555)\n __irq_exit_rcu (kernel/softirq.c:589)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)\n\nThe warning triggers as this:\npacket_sendmsg\n packet_snd //skb->sk is packet sk\n __dev_queue_xmit\n __dev_xmit_skb //q->enqueue is not NULL\n __qdisc_run\n sch_direct_xmit\n dev_hard_start_xmit\n ipvlan_start_xmit\n ipvlan_xmit_mode_l3 //l3 mode\n ipvlan_process_outbound //vepa flag\n ipvlan_process_v6_outbound\n ip6_local_out\n __ip6_finish_output\n ip6_finish_output2 //multicast packet\n sk_mc_loop //sk->sk_family is AF_PACKET\n\nCall ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-33621" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-33847", + "dataSource": "https://ubuntu.com/security/CVE-2024-33847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-33847" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-33847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-33847", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29ed2b5dd521ce7c5d8466cd70bf0cc9d07afeee", + "https://git.kernel.org/stable/c/3ccf5210dc941a7aa0180596ac021568be4d35ec", + "https://git.kernel.org/stable/c/5268241b41b1c5d0acca75e9b97d4fd719251c8c", + "https://git.kernel.org/stable/c/8acae047215024d1ac499b3c8337ef1b952f160b", + "https://git.kernel.org/stable/c/9f9341064a9b5246a32a7fe56b9f80c6f7f3c62d", + "https://git.kernel.org/stable/c/b8962cf98595d1ec62f40f23667de830567ec8bc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: don't allow unaligned truncation on released compress inode\n\nf2fs image may be corrupted after below testcase:\n- mkfs.f2fs -O extra_attr,compression -f /dev/vdb\n- mount /dev/vdb /mnt/f2fs\n- touch /mnt/f2fs/file\n- f2fs_io setflags compression /mnt/f2fs/file\n- dd if=/dev/zero of=/mnt/f2fs/file bs=4k count=4\n- f2fs_io release_cblocks /mnt/f2fs/file\n- truncate -s 8192 /mnt/f2fs/file\n- umount /mnt/f2fs\n- fsck.f2fs /dev/vdb\n\n[ASSERT] (fsck_chk_inode_blk:1256) --> ino: 0x5 has i_blocks: 0x00000002, but has 0x3 blocks\n[FSCK] valid_block_count matching with CP [Fail] [0x4, 0x5]\n[FSCK] other corrupted bugs [Fail]\n\nThe reason is: partial truncation assume compressed inode has reserved\nblocks, after partial truncation, valid block count may change w/o\n.i_blocks and .total_valid_block_count update, result in corruption.\n\nThis patch only allow cluster size aligned truncation on released\ncompress inode for fixing.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-33847" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-34027", + "dataSource": "https://ubuntu.com/security/CVE-2024-34027", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-34027" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-34027", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34027", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a4ed2d97cb6d044196cc3e726b6699222b41019", + "https://git.kernel.org/stable/c/329edb7c9e3b6ca27e6ca67ab1cdda1740fb3a2b", + "https://git.kernel.org/stable/c/5d47d63883735718825ca2efc4fca6915469774f", + "https://git.kernel.org/stable/c/69136304fd144144a4828c7b7b149d0f80321ba4", + "https://git.kernel.org/stable/c/a6e1f7744e9b84f86a629a76024bba8468aa153b", + "https://git.kernel.org/stable/c/b5bac43875aa27ec032dbbb86173baae6dce6182" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\n\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\nto avoid racing with checkpoint, otherwise, filesystem metadata including\nblkaddr in dnode, inode fields and .total_valid_block_count may be\ncorrupted after SPO case.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-34027" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-34777", + "dataSource": "https://ubuntu.com/security/CVE-2024-34777", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-34777" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-34777", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34777", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1ff05e723f7ca30644b8ec3fb093f16312e408ad", + "https://git.kernel.org/stable/c/34a816d8735f3924b74be8e5bf766ade1f3bd10b", + "https://git.kernel.org/stable/c/35d31c8bd4722b107f5a2f5ddddce839de04b936", + "https://git.kernel.org/stable/c/63e7e05a48a35308aeddd7ecccb68363a5988e87", + "https://git.kernel.org/stable/c/c57874265a3c5206d7aece3793bb2fc9abcd7570" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: fix node id validation\n\nWhile validating node ids in map_benchmark_ioctl(), node_possible() may\nbe provided with invalid argument outside of [0,MAX_NUMNODES-1] range\nleading to:\n\nBUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nRead of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971\nCPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117)\nkasan_report (mm/kasan/report.c:603)\nkasan_check_range (mm/kasan/generic.c:189)\nvariable_test_bit (arch/x86/include/asm/bitops.h:227) [inline]\narch_test_bit (arch/x86/include/asm/bitops.h:239) [inline]\n_test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline]\nnode_state (include/linux/nodemask.h:423) [inline]\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nCompare node ids with sane bounds first. NUMA_NO_NODE is considered a\nspecial valid case meaning that benchmarking kthreads won't be bound to a\ncpuset of a given node.\n\nFound by Linux Verification Center (linuxtesting.org).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-34777" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35247", + "dataSource": "https://ubuntu.com/security/CVE-2024-35247", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35247" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35247", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35247", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2279c09c36165ccded4d506d11a7714e13b56019", + "https://git.kernel.org/stable/c/26e6e25d742e29885cf44274fcf6b744366c4702", + "https://git.kernel.org/stable/c/4d7d12b643c00e7eea51b49a60a2ead182633ec8", + "https://git.kernel.org/stable/c/75a001914a8d2ccdcbe4b8cc7e94ac71d0e66093", + "https://git.kernel.org/stable/c/9b4eee8572dcf82b2ed17d9a328c7fb87df2f0e8", + "https://git.kernel.org/stable/c/b7c0e1ecee403a43abc89eb3e75672b01ff2ece9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: region: add owner module and take its refcount\n\nThe current implementation of the fpga region assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the region\nduring programming if the parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_region\nstruct and use it to take the module's refcount. Modify the functions for\nregistering a region to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the region as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a region without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga region.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35247" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35784", + "dataSource": "https://ubuntu.com/security/CVE-2024-35784", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35784" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35784", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35784", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/89bca7fe6382d61e88c67a0b0e7bce315986fb8b", + "https://git.kernel.org/stable/c/b0ad381fa7690244802aed119b478b4bdafc31dd", + "https://git.kernel.org/stable/c/ded566b4637f1b6b4c9ba74e7d0b8493e93f19cf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock with fiemap and extent locking\n\nWhile working on the patchset to remove extent locking I got a lockdep\nsplat with fiemap and pagefaulting with my new extent lock replacement\nlock.\n\nThis deadlock exists with our normal code, we just don't have lockdep\nannotations with the extent locking so we've never noticed it.\n\nSince we're copying the fiemap extent to user space on every iteration\nwe have the chance of pagefaulting. Because we hold the extent lock for\nthe entire range we could mkwrite into a range in the file that we have\nmmap'ed. This would deadlock with the following stack trace\n\n[<0>] lock_extent+0x28d/0x2f0\n[<0>] btrfs_page_mkwrite+0x273/0x8a0\n[<0>] do_page_mkwrite+0x50/0xb0\n[<0>] do_fault+0xc1/0x7b0\n[<0>] __handle_mm_fault+0x2fa/0x460\n[<0>] handle_mm_fault+0xa4/0x330\n[<0>] do_user_addr_fault+0x1f4/0x800\n[<0>] exc_page_fault+0x7c/0x1e0\n[<0>] asm_exc_page_fault+0x26/0x30\n[<0>] rep_movs_alternative+0x33/0x70\n[<0>] _copy_to_user+0x49/0x70\n[<0>] fiemap_fill_next_extent+0xc8/0x120\n[<0>] emit_fiemap_extent+0x4d/0xa0\n[<0>] extent_fiemap+0x7f8/0xad0\n[<0>] btrfs_fiemap+0x49/0x80\n[<0>] __x64_sys_ioctl+0x3e1/0xb50\n[<0>] do_syscall_64+0x94/0x1a0\n[<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nI wrote an fstest to reproduce this deadlock without my replacement lock\nand verified that the deadlock exists with our existing locking.\n\nTo fix this simply don't take the extent lock for the entire duration of\nthe fiemap. This is safe in general because we keep track of where we\nare when we're searching the tree, so if an ordered extent updates in\nthe middle of our fiemap call we'll still emit the correct extents\nbecause we know what offset we were on before.\n\nThe only place we maintain the lock is searching delalloc. Since the\ndelalloc stuff can change during writeback we want to lock the extent\nrange so we have a consistent view of delalloc at the time we're\nchecking to see if we need to set the delalloc flag.\n\nWith this patch applied we no longer deadlock with my testcase.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35784" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35785", + "dataSource": "https://ubuntu.com/security/CVE-2024-35785", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35785" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35785", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35785", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4b12ff5edd141926d49c9ace4791adf3a4902fe7", + "https://git.kernel.org/stable/c/520f79c110ff712b391b3d87fcacf03c74bc56ee", + "https://git.kernel.org/stable/c/95915ba4b987cf2b222b0f251280228a1ff977ac", + "https://git.kernel.org/stable/c/bc40ded92af55760d12bec8222d4108de725dbe4", + "https://git.kernel.org/stable/c/bfa344afbe472a9be08f78551fa2190c1a07d7d3", + "https://git.kernel.org/stable/c/e5b5948c769aa1ebf962dddfb972f87d8f166f95", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix kernel panic caused by incorrect error handling\n\nThe error path while failing to register devices on the TEE bus has a\nbug leading to kernel panic as follows:\n\n[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c\n[ 15.406913] Mem abort info:\n[ 15.409722] ESR = 0x0000000096000005\n[ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 15.418814] SET = 0, FnV = 0\n[ 15.421878] EA = 0, S1PTW = 0\n[ 15.425031] FSC = 0x05: level 1 translation fault\n[ 15.429922] Data abort info:\n[ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000\n[ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000\n[ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n\nCommit 7269cba53d90 (\"tee: optee: Fix supplicant based device enumeration\")\nlead to the introduction of this bug. So fix it appropriately.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35785" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35789", + "dataSource": "https://ubuntu.com/security/CVE-2024-35789", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35789" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35789", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35789", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc", + "https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685", + "https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7", + "https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b", + "https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931", + "https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f", + "https://git.kernel.org/stable/c/e8678551c0243f799b4859448781cbec1bd6f1cb", + "https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e", + "https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\n\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\nafter the VLAN change.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35789" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35790", + "dataSource": "https://ubuntu.com/security/CVE-2024-35790", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35790" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35790", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35790", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ad011776c057ce881b7fd6d8c79ecd459c087e9", + "https://git.kernel.org/stable/c/165376f6b23e9a779850e750fb2eb06622e5a531", + "https://git.kernel.org/stable/c/4a22aeac24d0d5f26ba741408e8b5a4be6dc5dc0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group\n\nThe DisplayPort driver's sysfs nodes may be present to the userspace before\ntypec_altmode_set_drvdata() completes in dp_altmode_probe. This means that\na sysfs read can trigger a NULL pointer error by deferencing dp->hpd in\nhpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns\nNULL in those cases.\n\nRemove manual sysfs node creation in favor of adding attribute group as\ndefault for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is\nnot used here otherwise the path to the sysfs nodes is no longer compliant\nwith the ABI.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35790" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35791", + "dataSource": "https://ubuntu.com/security/CVE-2024-35791", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35791" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35791", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35791", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4", + "https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d", + "https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865", + "https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807", + "https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7", + "https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\n\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm->lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\n\nNote, the \"obvious\" alternative of using local variables doesn't fully\nresolve the bug, as region->pages is also dynamically allocated. I.e. the\nregion structure itself would be fine, but region->pages could be freed.\n\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35791" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35794", + "dataSource": "https://ubuntu.com/security/CVE-2024-35794", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35794" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35794", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35794", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16c4770c75b1223998adbeb7286f9a15c65fba73", + "https://git.kernel.org/stable/c/af916cb66a80597f3523bc85812e790bcdcfd62b", + "https://git.kernel.org/stable/c/eaa8fc9b092837cf2c754bde1a15d784ce9a85ab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid: really frozen sync_thread during suspend\n\n1) commit f52f5c71f3d4 (\"md: fix stopping sync thread\") remove\n MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that\n dm-raid relies on __md_stop_writes() to frozen sync_thread\n indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in\n md_stop_writes(), and since stop_sync_thread() is only used for\n dm-raid in this case, also move stop_sync_thread() to\n md_stop_writes().\n2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen,\n it only prevent new sync_thread to start, and it can't stop the\n running sync thread; In order to frozen sync_thread, after seting the\n flag, stop_sync_thread() should be used.\n3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use\n it as condition for md_stop_writes() in raid_postsuspend() doesn't\n look correct. Consider that reentrant stop_sync_thread() do nothing,\n always call md_stop_writes() in raid_postsuspend().\n4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime,\n and if MD_RECOVERY_FROZEN is cleared while the array is suspended,\n new sync_thread can start unexpected. Fix this by disallow\n raid_message() to change sync_thread status during suspend.\n\nNote that after commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), the\ntest shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(),\nand with previous fixes, the test won't hang there anymore, however, the\ntest will still fail and complain that ext4 is corrupted. And with this\npatch, the test won't hang due to stop_sync_thread() or fail due to ext4\nis corrupted anymore. However, there is still a deadlock related to\ndm-raid456 that will be fixed in following patches.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35794" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35796", + "dataSource": "https://ubuntu.com/security/CVE-2024-35796", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35796" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35796", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35796", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3a38a829c8bc27d78552c28e582eb1d885d07d11", + "https://git.kernel.org/stable/c/46efbdbc95a30951c2579caf97b6df2ee2b3bef3", + "https://git.kernel.org/stable/c/476eed5f1c22034774902a980aa48dc4662cb39a", + "https://git.kernel.org/stable/c/553d294db94b5f139378022df480a9fb6c3ae39e", + "https://git.kernel.org/stable/c/6d9395ba7f85bdb7af0b93272e537484ecbeff48", + "https://git.kernel.org/stable/c/7e9edb569fd9f688d887e36db8170f6e22bafbc8", + "https://git.kernel.org/stable/c/92c0c29f667870f17c0b764544bdf22ce0e886a1", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ll_temac: platform_get_resource replaced by wrong function\n\nThe function platform_get_resource was replaced with\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\n\nThis eventually ends up in platform_get_resource_byname in the call\nstack, where it causes a null pointer in strcmp.\n\n\tif (type == resource_type(r) && !strcmp(r->name, name))\n\nIt should have been replaced with devm_platform_ioremap_resource.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35796" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35799", + "dataSource": "https://ubuntu.com/security/CVE-2024-35799", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35799" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35799", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35799", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2b17133a0a2e0e111803124dad09e803718d4a48", + "https://git.kernel.org/stable/c/4356a2c3f296503c8b420ae8adece053960a9f06", + "https://git.kernel.org/stable/c/59772327d439874095516673b4b30c48bd83ca38", + "https://git.kernel.org/stable/c/72d72e8fddbcd6c98e1b02d32cf6f2b04e10bd1c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Prevent crash when disable stream\n\n[Why]\nDisabling stream encoder invokes a function that no longer exists.\n\n[How]\nCheck if the function declaration is NULL in disable stream encoder.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35799" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35801", + "dataSource": "https://ubuntu.com/security/CVE-2024-35801", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35801" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35801", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35801", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/10e4b5166df9ff7a2d5316138ca668b42d004422", + "https://git.kernel.org/stable/c/1acbca933313aa866e39996904c9aca4d435c4cd", + "https://git.kernel.org/stable/c/21c7c00dae55cb0e3810d5f9506b58f68475d41d", + "https://git.kernel.org/stable/c/92b0f04e937665bde5768f3fcc622dcce44413d8", + "https://git.kernel.org/stable/c/b61e3b7055ac6edee4be071c52f48c26472d2624" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\n\nCommit 672365477ae8 (\"x86/fpu: Update XFD state where required\") and\ncommit 8bf26758ca96 (\"x86/fpu: Add XFD state to fpstate\") introduced a\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\norder to avoid unnecessary writes to the MSR.\n\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\nwipes out any stale state. But the per CPU cached xfd value is not\nreset, which brings them out of sync.\n\nAs a consequence a subsequent xfd_update_state() might fail to update\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\nspace, which crashes the kernel.\n\nTo fix this, introduce xfd_set_state() to write xfd_state together\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35801" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35803", + "dataSource": "https://ubuntu.com/security/CVE-2024-35803", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35803" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35803", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35803", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2149f8a56e2ed345c7a4d022a79f6b8fc53ae926", + "https://git.kernel.org/stable/c/725351c036452b7db5771a7bed783564bc4b99cc", + "https://git.kernel.org/stable/c/930775060ca348b8665f60eef14b204172d14f31", + "https://git.kernel.org/stable/c/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02", + "https://git.kernel.org/stable/c/fba7ee7187581b5bc222003e73e2592b398bb06d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/efistub: Call mixed mode boot services on the firmware's stack\n\nNormally, the EFI stub calls into the EFI boot services using the stack\nthat was live when the stub was entered. According to the UEFI spec,\nthis stack needs to be at least 128k in size - this might seem large but\nall asynchronous processing and event handling in EFI runs from the same\nstack and so quite a lot of space may be used in practice.\n\nIn mixed mode, the situation is a bit different: the bootloader calls\nthe 32-bit EFI stub entry point, which calls the decompressor's 32-bit\nentry point, where the boot stack is set up, using a fixed allocation\nof 16k. This stack is still in use when the EFI stub is started in\n64-bit mode, and so all calls back into the EFI firmware will be using\nthe decompressor's limited boot stack.\n\nDue to the placement of the boot stack right after the boot heap, any\nstack overruns have gone unnoticed. However, commit\n\n 5c4feadb0011983b (\"x86/decompressor: Move global symbol references to C code\")\n\nmoved the definition of the boot heap into C code, and now the boot\nstack is placed right at the base of BSS, where any overruns will\ncorrupt the end of the .data section.\n\nWhile it would be possible to work around this by increasing the size of\nthe boot stack, doing so would affect all x86 systems, and mixed mode\nsystems are a tiny (and shrinking) fraction of the x86 installed base.\n\nSo instead, record the firmware stack pointer value when entering from\nthe 32-bit firmware, and switch to this stack every time a EFI boot\nservice call is made.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35803" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35804", + "dataSource": "https://ubuntu.com/security/CVE-2024-35804", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35804" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35804", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35804", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71", + "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06", + "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902", + "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551", + "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\n\nWhen emulating an atomic access on behalf of the guest, mark the target\ngfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This\nfixes a bug where KVM effectively corrupts guest memory during live\nmigration by writing to guest memory without informing userspace that the\npage is dirty.\n\nMarking the page dirty got unintentionally dropped when KVM's emulated\nCMPXCHG was converted to do a user access. Before that, KVM explicitly\nmapped the guest page into kernel memory, and marked the page dirty during\nthe unmap phase.\n\nMark the page dirty even if the CMPXCHG fails, as the old data is written\nback on failure, i.e. the page is still written. The value written is\nguaranteed to be the same because the operation is atomic, but KVM's ABI\nis that all writes are dirty logged regardless of the value written. And\nmore importantly, that's what KVM did before the buggy commit.\n\nHuge kudos to the folks on the Cc list (and many others), who did all the\nactual work of triaging and debugging.\n\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35804" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35805", + "dataSource": "https://ubuntu.com/security/CVE-2024-35805", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35805" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35805", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35805", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/116562e804ffc9dc600adab6326dde31d72262c7", + "https://git.kernel.org/stable/c/3d47eb405781cc5127deca9a14e24b27696087a1", + "https://git.kernel.org/stable/c/5f4ad4d0b0943296287313db60b3f84df4aad683", + "https://git.kernel.org/stable/c/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc", + "https://git.kernel.org/stable/c/9759ff196e7d248bcf8386a7451d6ff8537a7d9c", + "https://git.kernel.org/stable/c/e50f83061ac250f90710757a3e51b70a200835e2", + "https://git.kernel.org/stable/c/e7d4cff57c3c43fdd72342c78d4138f509c7416e", + "https://git.kernel.org/stable/c/fa5c055800a7fd49a36bbb52593aca4ea986a366", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm snapshot: fix lockup in dm_exception_table_exit\n\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35805" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35806", + "dataSource": "https://ubuntu.com/security/CVE-2024-35806", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35806" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35806", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35806", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e6521b0f93ff350434ed4ae61a250907e65d397", + "https://git.kernel.org/stable/c/276af8efb05c8e47acf2738a5609dd72acfc703f", + "https://git.kernel.org/stable/c/584c2a9184a33a40fceee838f856de3cffa19be3", + "https://git.kernel.org/stable/c/62c3ecd2833cff0eff4a82af4082c44ca8d2518a", + "https://git.kernel.org/stable/c/a62168653774c36398d65846a98034436ee66d03", + "https://git.kernel.org/stable/c/af25c5180b2b1796342798f6c56fcfd12f5035bd", + "https://git.kernel.org/stable/c/b56a793f267679945d1fdb9a280013bd2d0ed7f9", + "https://git.kernel.org/stable/c/dd199e5b759ffe349622a4b8fbcafc51fc51b1ec", + "https://git.kernel.org/stable/c/e6378314bb920acb39013051fa65d8f9f8030430", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\n\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35806" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35807", + "dataSource": "https://ubuntu.com/security/CVE-2024-35807", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35807" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35807", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35807", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6", + "https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5", + "https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd", + "https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1", + "https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc", + "https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c", + "https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a", + "https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c", + "https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n dev=/dev/ # should be >= 16 GiB\n mkdir -p /corruption\n /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n mount -t ext4 $dev /corruption\n\n dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n sha1sum /corruption/test\n # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test\n\n /sbin/resize2fs $dev $((2*2**21))\n # drop page cache to force reload the block from disk\n echo 1 > /proc/sys/vm/drop_caches\n\n sha1sum /corruption/test\n # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubstracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35807" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35808", + "dataSource": "https://ubuntu.com/security/CVE-2024-35808", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35808" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35808", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35808", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/347dcdc15a1706f61aa545ae498ededdf31aeebc", + "https://git.kernel.org/stable/c/9e59b8d76ff511505eb0dd1478329f09e0f04669", + "https://git.kernel.org/stable/c/cd32b27a66db8776d8b8e82ec7d7dde97a8693b0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/dm-raid: don't call md_reap_sync_thread() directly\n\nCurrently md_reap_sync_thread() is called from raid_message() directly\nwithout holding 'reconfig_mutex', this is definitely unsafe because\nmd_reap_sync_thread() can change many fields that is protected by\n'reconfig_mutex'.\n\nHowever, hold 'reconfig_mutex' here is still problematic because this\nwill cause deadlock, for example, commit 130443d60b1b (\"md: refactor\nidle/frozen_sync_thread() to fix deadlock\").\n\nFix this problem by using stop_sync_thread() to unregister sync_thread,\nlike md/raid did.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35808" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35809", + "dataSource": "https://ubuntu.com/security/CVE-2024-35809", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35809" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35809", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35809", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1", + "https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970", + "https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674", + "https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b", + "https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6", + "https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf", + "https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491", + "https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5", + "https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/PM: Drain runtime-idle callbacks before driver removal\n\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\n\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that. It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\n\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete. In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\n\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync(). [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\n\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point. A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35809" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35811", + "dataSource": "https://ubuntu.com/security/CVE-2024-35811", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35811" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35811", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35811", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb", + "https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744", + "https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78", + "https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a", + "https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169", + "https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a", + "https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731", + "https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1", + "https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver,it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n ->brcmf_usb_probe_cb\n ->brcmf_attach\n ->brcmf_bus_started\n ->brcmf_cfg80211_attach\n ->wl_init_priv\n ->brcmf_init_escan\n ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n ->brcmf_usb_disconnect_cb\n ->brcmf_detach\n ->brcmf_cfg80211_detach\n ->kfree(cfg);\n\nWhile the timeout woker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35811" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35813", + "dataSource": "https://ubuntu.com/security/CVE-2024-35813", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35813" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35813", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35813", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/064db53f9023a2d5877a2d12de6bc27995f6ca56", + "https://git.kernel.org/stable/c/2b539c88940e22494da80a93ee1c5a28bbad10f6", + "https://git.kernel.org/stable/c/4466677dcabe2d70de6aa3d4bd4a4fafa94a71f2", + "https://git.kernel.org/stable/c/7d0e8a6147550aa058fa6ade8583ad252aa61304", + "https://git.kernel.org/stable/c/81b8645feca08a54c7c4bf36e7b176f4983b2f28", + "https://git.kernel.org/stable/c/ad9cc5e9e53ab94aa0c7ac65d43be7eb208dcb55", + "https://git.kernel.org/stable/c/b9a7339ae403035ffe7fc37cb034b36947910f68", + "https://git.kernel.org/stable/c/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Avoid negative index with array access\n\nCommit 4d0c8d0aef63 (\"mmc: core: Use mrq.sbc in close-ended ffu\") assigns\nprev_idata = idatas[i - 1], but doesn't check that the iterator i is\ngreater than zero. Let's fix this by adding a check.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35813" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35815", + "dataSource": "https://ubuntu.com/security/CVE-2024-35815", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35815" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35815", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35815", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10ca82aff58434e122c7c757cf0497c335f993f3", + "https://git.kernel.org/stable/c/18d5fc3c16cc317bd0e5f5dabe0660df415cadb7", + "https://git.kernel.org/stable/c/396dbbc18963648e9d1a4edbb55cfe08fa374d50", + "https://git.kernel.org/stable/c/5c43d0041e3a05c6c41c318b759fff16d2384596", + "https://git.kernel.org/stable/c/94eb0293703ced580f05dfbe5a57da5931e9aee2", + "https://git.kernel.org/stable/c/961ebd120565cb60cebe21cb634fbc456022db4a", + "https://git.kernel.org/stable/c/a71cba07783abc76b547568b6452cd1dd9981410", + "https://git.kernel.org/stable/c/c01ed748847fe8b810d86efc229b9e6c7fafa01e", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\n\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35815" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35817", + "dataSource": "https://ubuntu.com/security/CVE-2024-35817", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35817" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35817", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/589c414138a1bed98e652c905937d8f790804efe", + "https://git.kernel.org/stable/c/5cdce3dda3b3dacde902f63a8ee72c2b7f91912d", + "https://git.kernel.org/stable/c/5d5f1a7f3b1039925f79c7894f153c2a905201fb", + "https://git.kernel.org/stable/c/6c6064cbe58b43533e3451ad6a8ba9736c109ac3", + "https://git.kernel.org/stable/c/6fcd12cb90888ef2d8af8d4c04e913252eee4ef3", + "https://git.kernel.org/stable/c/e8d27caef2c829a306e1f762fb95f06e8ec676f6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag\n\nOtherwise after the GTT bo is released, the GTT and gart space is freed\nbut amdgpu_ttm_backend_unbind will not clear the gart page table entry\nand leave valid mapping entry pointing to the stale system page. Then\nif GPU access the gart address mistakely, it will read undefined value\ninstead page fault, harder to debug and reproduce the real issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35817" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35819", + "dataSource": "https://ubuntu.com/security/CVE-2024-35819", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35819" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35819", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35819", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b3fede8225133671ce837c0d284804aa3bc7a02", + "https://git.kernel.org/stable/c/32edca2f03a6cc42c650ddc3ad83d086e3f365d1", + "https://git.kernel.org/stable/c/54d26adf64c04f186098b39dba86b86037084baa", + "https://git.kernel.org/stable/c/9a3ca8292ce9fdcce122706c28c3f07bc857fe5e", + "https://git.kernel.org/stable/c/cd53a8ae5aacb4ecd25088486dea1cd02e74b506", + "https://git.kernel.org/stable/c/d6b5aac451c9cc12e43ab7308e0e2ddc52c62c14", + "https://git.kernel.org/stable/c/f39d36b7540cf0088ed7ce2de2794f2aa237f6df", + "https://git.kernel.org/stable/c/fbec4e7fed89b579f2483041fabf9650fb0dd6bc", + "https://git.kernel.org/stable/c/ff50716b7d5b7985979a5b21163cd79fb3d21d59", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\n\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\n\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35819" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35821", + "dataSource": "https://ubuntu.com/security/CVE-2024-35821", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35821" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35821", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35821", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/142d87c958d9454c3cffa625fab56f3016e8f9f3", + "https://git.kernel.org/stable/c/17772bbe9cfa972ea1ff827319f6e1340de76566", + "https://git.kernel.org/stable/c/4aa554832b9dc9e66249df75b8f447d87853e12e", + "https://git.kernel.org/stable/c/4b7c4fc60d6a46350fbe54f5dc937aeaa02e675e", + "https://git.kernel.org/stable/c/723012cab779eee8228376754e22c6594229bf8f", + "https://git.kernel.org/stable/c/778c6ad40256f1c03244fc06d7cdf71f6b5e7310", + "https://git.kernel.org/stable/c/8f599ab6fabbca4c741107eade70722a98adfd9f", + "https://git.kernel.org/stable/c/f19b1023a3758f40791ec166038d6411c8894ae3", + "https://git.kernel.org/stable/c/fc99f4e2d2f1ce766c14e98463c2839194ae964f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Set page uptodate in the correct place\n\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data. Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35821" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35822", + "dataSource": "https://ubuntu.com/security/CVE-2024-35822", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35822" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35822", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35822", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2a587a035214fa1b5ef598aea0b81848c5b72e5e", + "https://git.kernel.org/stable/c/2b002c308e184feeaeb72987bca3f1b11e5f70b8", + "https://git.kernel.org/stable/c/30511676eb54d480d014352bf784f02577a10252", + "https://git.kernel.org/stable/c/36177c2595df12225b95ce74eb1ac77b43d5a58c", + "https://git.kernel.org/stable/c/3e944ddc17c042945d983e006df7860687a8849a", + "https://git.kernel.org/stable/c/68d951880d0c52c7f13dcefb5501b69b8605ce8c", + "https://git.kernel.org/stable/c/99731076722eb7ed26b0c87c879da7bb71d24290", + "https://git.kernel.org/stable/c/df5cbb908f1687e8ab97e222a16b7890d5501acf", + "https://git.kernel.org/stable/c/f74c5e0b54b02706d9a862ac6cddade30ac86bcf", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: udc: remove warning when queue disabled ep\n\nIt is possible trigger below warning message from mass storage function,\n\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\n\nRoot cause is mass storage function try to queue request from main thread,\nbut other thread may already disable ep when function disable.\n\nAs there is no function failure in the driver, in order to avoid effort\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35822" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35823", + "dataSource": "https://ubuntu.com/security/CVE-2024-35823", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35823" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35823", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35823", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f", + "https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d", + "https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90", + "https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1", + "https://git.kernel.org/stable/c/7529cbd8b5f6697b369803fe1533612c039cabda", + "https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51", + "https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d", + "https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix unicode buffer corruption when deleting characters\n\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlaping buffers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35823" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35825", + "dataSource": "https://ubuntu.com/security/CVE-2024-35825", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35825" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35825", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35825", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6b2c73111a252263807b7598682663dc33aa4b4c", + "https://git.kernel.org/stable/c/7664ee8bd80309b90d53488b619764f0a057f2b7", + "https://git.kernel.org/stable/c/92b051b87658df7649ffcdef522593f21a2b296b", + "https://git.kernel.org/stable/c/a0f77b5d6067285b8eca0ee3bd1e448a6258026f", + "https://git.kernel.org/stable/c/a766761d206e7c36d7526e0ae749949d17ca582c", + "https://git.kernel.org/stable/c/e2dbfea520e60d58e0c498ba41bde10452257779", + "https://git.kernel.org/stable/c/ef846cdbd100f7f9dc045e8bcd7fe4b3a3713c03", + "https://git.kernel.org/stable/c/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Fix handling of zero block length packets\n\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\nset to 65536, it has been observed that we receive short packets,\nwhich come at interval of 5-10 seconds sometimes and have block\nlength zero but still contain 1-2 valid datagrams present.\n\nAccording to the NCM spec:\n\n\"If wBlockLength = 0x0000, the block is terminated by a\nshort packet. In this case, the USB transfer must still\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\nand the size is a multiple of wMaxPacketSize for the\ngiven pipe, then no ZLP shall be sent.\n\nwBlockLength= 0x0000 must be used with extreme care, because\nof the possibility that the host and device may get out of\nsync, and because of test issues.\n\nwBlockLength = 0x0000 allows the sender to reduce latency by\nstarting to send a very large NTB, and then shortening it when\nthe sender discovers that there’s not sufficient data to justify\nsending a large NTB\"\n\nHowever, there is a potential issue with the current implementation,\nas it checks for the occurrence of multiple NTBs in a single\ngiveback by verifying if the leftover bytes to be processed is zero\nor not. If the block length reads zero, we would process the same\nNTB infintely because the leftover bytes is never zero and it leads\nto a crash. Fix this by bailing out if block length reads zero.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35825" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35826", + "dataSource": "https://ubuntu.com/security/CVE-2024-35826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35826", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367", + "https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6", + "https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65", + "https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2", + "https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix page refcounts for unaligned buffers in __bio_release_pages()\n\nFix an incorrect number of pages being released for buffers that do not\nstart at the beginning of a page.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35826" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35832", + "dataSource": "https://ubuntu.com/security/CVE-2024-35832", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35832" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35832", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35832", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/369acf97d6fd5da620d053d0f1878ffe32eff555", + "https://git.kernel.org/stable/c/56590678791119b9a655202e49898edfb9307271" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit\n\nbch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut.\nIt should be freed by kvfree not kfree.\nOr umount will triger:\n\n[ 406.829178 ] BUG: unable to handle page fault for address: ffffe7b487148008\n[ 406.830676 ] #PF: supervisor read access in kernel mode\n[ 406.831643 ] #PF: error_code(0x0000) - not-present page\n[ 406.832487 ] PGD 0 P4D 0\n[ 406.832898 ] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 406.833512 ] CPU: 2 PID: 1754 Comm: umount Kdump: loaded Tainted: G OE 6.7.0-rc7-custom+ #90\n[ 406.834746 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n[ 406.835796 ] RIP: 0010:kfree+0x62/0x140\n[ 406.836197 ] Code: 80 48 01 d8 0f 82 e9 00 00 00 48 c7 c2 00 00 00 80 48 2b 15 78 9f 1f 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 56 9f 1f 01 <48> 8b 50 08 48 89 c7 f6 c2 01 0f 85 b0 00 00 00 66 90 48 8b 07 f6\n[ 406.837810 ] RSP: 0018:ffffb9d641607e48 EFLAGS: 00010286\n[ 406.838213 ] RAX: ffffe7b487148000 RBX: ffffb9d645200000 RCX: ffffb9d641607dc4\n[ 406.838738 ] RDX: 000065bb00000000 RSI: ffffffffc0d88b84 RDI: ffffb9d645200000\n[ 406.839217 ] RBP: ffff9a4625d00068 R08: 0000000000000001 R09: 0000000000000001\n[ 406.839650 ] R10: 0000000000000001 R11: 000000000000001f R12: ffff9a4625d4da80\n[ 406.840055 ] R13: ffff9a4625d00000 R14: ffffffffc0e2eb20 R15: 0000000000000000\n[ 406.840451 ] FS: 00007f0a264ffb80(0000) GS:ffff9a4e2d500000(0000) knlGS:0000000000000000\n[ 406.840851 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 406.841125 ] CR2: ffffe7b487148008 CR3: 000000018c4d2000 CR4: 00000000000006f0\n[ 406.841464 ] Call Trace:\n[ 406.841583 ] \n[ 406.841682 ] ? __die+0x1f/0x70\n[ 406.841828 ] ? page_fault_oops+0x159/0x470\n[ 406.842014 ] ? fixup_exception+0x22/0x310\n[ 406.842198 ] ? exc_page_fault+0x1ed/0x200\n[ 406.842382 ] ? asm_exc_page_fault+0x22/0x30\n[ 406.842574 ] ? bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.842842 ] ? kfree+0x62/0x140\n[ 406.842988 ] ? kfree+0x104/0x140\n[ 406.843138 ] bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.843390 ] kobject_put+0xb7/0x170\n[ 406.843552 ] deactivate_locked_super+0x2f/0xa0\n[ 406.843756 ] cleanup_mnt+0xba/0x150\n[ 406.843917 ] task_work_run+0x59/0xa0\n[ 406.844083 ] exit_to_user_mode_prepare+0x197/0x1a0\n[ 406.844302 ] syscall_exit_to_user_mode+0x16/0x40\n[ 406.844510 ] do_syscall_64+0x4e/0xf0\n[ 406.844675 ] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 406.844907 ] RIP: 0033:0x7f0a2664e4fb", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35832" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35833", + "dataSource": "https://ubuntu.com/security/CVE-2024-35833", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35833" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35833", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35833", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/15eb996d7d13cb72a16389231945ada8f0fef2c3", + "https://git.kernel.org/stable/c/198270de9d8eb3b5d5f030825ea303ef95285d24", + "https://git.kernel.org/stable/c/1c75fe450b5200c78f4a102a0eb8e15d8f1ccda8", + "https://git.kernel.org/stable/c/25ab4d72eb7cbfa0f3d97a139a9b2bfcaa72dd59", + "https://git.kernel.org/stable/c/3aa58cb51318e329d203857f7a191678e60bb714", + "https://git.kernel.org/stable/c/5cd8a51517ce15edbdcea4fc74c4c127ddaa1bd6", + "https://git.kernel.org/stable/c/ae6769ba51417c1c86fb645812d5bff455eee802", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA\n\nThis dma_alloc_coherent() is undone neither in the remove function, nor in\nthe error handling path of fsl_qdma_probe().\n\nSwitch to the managed version to fix both issues.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35833" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35835", + "dataSource": "https://ubuntu.com/security/CVE-2024-35835", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35835" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35835", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35835", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2501afe6c4c9829d03abe9a368b83d9ea1b611b7", + "https://git.kernel.org/stable/c/3c6d5189246f590e4e1f167991558bdb72a4738b", + "https://git.kernel.org/stable/c/42876db001bbea7558e8676d1019f08f9390addb", + "https://git.kernel.org/stable/c/66cc521a739ccd5da057a1cb3d6346c6d0e7619b", + "https://git.kernel.org/stable/c/b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7", + "https://git.kernel.org/stable/c/c57ca114eb00e03274dd38108d07a3750fa3c056", + "https://git.kernel.org/stable/c/cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5", + "https://git.kernel.org/stable/c/e3d3ed8c152971dbe64c92c9ecb98fdb52abb629", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a double-free in arfs_create_groups\n\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft->g and return an error. However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call to\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35835" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35837", + "dataSource": "https://ubuntu.com/security/CVE-2024-35837", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35837" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35837", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35837", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/83f99138bf3b396f761600ab488054396fb5768f", + "https://git.kernel.org/stable/c/938729484cfa535e9987ed0f86f29a2ae3a8188b", + "https://git.kernel.org/stable/c/9f538b415db862e74b8c5d3abbccfc1b2b6caa38", + "https://git.kernel.org/stable/c/af47faa6d3328406038b731794e7cf508c71affa", + "https://git.kernel.org/stable/c/cec65f09c47d8c2d67f2bcad6cf05c490628d1ec", + "https://git.kernel.org/stable/c/dc77f6ab5c3759df60ff87ed24f4d45df0f3b4c4", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: clear BM pool before initialization\n\nRegister value persist after booting the kernel using\nkexec which results in kernel panic. Thus clear the\nBM pool registers before initialisation to fix the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35837" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35839", + "dataSource": "https://ubuntu.com/security/CVE-2024-35839", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35839" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35839", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35839", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/544add1f1cfb78c3dfa3e6edcf4668f6be5e730c", + "https://git.kernel.org/stable/c/7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b", + "https://git.kernel.org/stable/c/9325e3188a9cf3f69fc6f32af59844bbc5b90547", + "https://git.kernel.org/stable/c/9874808878d9eed407e3977fd11fee49de1e1d86" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\n\nAn skb can be added to a neigh->arp_queue while waiting for an arp\nreply. Where original skb's skb->dev can be different to neigh's\nneigh->dev. For instance in case of bridging dnated skb from one veth to\nanother, the skb would be added to a neigh->arp_queue of the bridge.\n\nAs skb->dev can be reset back to nf_bridge->physindev and used, and as\nthere is no explicit mechanism that prevents this physindev from been\nfreed under us (for instance neigh_flush_dev doesn't cleanup skbs from\ndifferent device's neigh queue) we can crash on e.g. this stack:\n\narp_process\n neigh_update\n skb = __skb_dequeue(&neigh->arp_queue)\n neigh_resolve_output(..., skb)\n ...\n br_nf_dev_xmit\n br_nf_pre_routing_finish_bridge_slow\n skb->dev = nf_bridge->physindev\n br_handle_frame_finish\n\nLet's use plain ifindex instead of net_device link. To peek into the\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\nget device and are safe to use it or we don't get it and drop skb.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35839" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35840", + "dataSource": "https://ubuntu.com/security/CVE-2024-35840", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35840" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35840", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35840", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/413b913507326972135d2977975dbff8b7f2c453", + "https://git.kernel.org/stable/c/51e4cb032d49ce094605f27e45eabebc0408893c", + "https://git.kernel.org/stable/c/76e8de7273a22a00d27e9b8b7d4d043d6433416a", + "https://git.kernel.org/stable/c/ad3e8f5c3d5c53841046ef7a947c04ad45a20721", + "https://git.kernel.org/stable/c/be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\n\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\nin mptcp_parse_option()", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35840" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35843", + "dataSource": "https://ubuntu.com/security/CVE-2024-35843", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35843" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35843", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35843", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3d39238991e745c5df85785604f037f35d9d1b15", + "https://git.kernel.org/stable/c/def054b01a867822254e1dda13d587f5c7a99e2a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Use device rbtree in iopf reporting path\n\nThe existing I/O page fault handler currently locates the PCI device by\ncalling pci_get_domain_bus_and_slot(). This function searches the list\nof all PCI devices until the desired device is found. To improve lookup\nefficiency, replace it with device_rbtree_find() to search the device\nwithin the probed device rbtree.\n\nThe I/O page fault is initiated by the device, which does not have any\nsynchronization mechanism with the software to ensure that the device\nstays in the probed device tree. Theoretically, a device could be released\nby the IOMMU subsystem after device_rbtree_find() and before\niopf_get_dev_fault_param(), which would cause a use-after-free problem.\n\nAdd a mutex to synchronize the I/O page fault reporting path and the IOMMU\nrelease device path. This lock doesn't introduce any performance overhead,\nas the conflict between I/O page fault reporting and device releasing is\nvery rare.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 2.5, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35843" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35847", + "dataSource": "https://ubuntu.com/security/CVE-2024-35847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35847" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35847", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03170e657f62c26834172742492a8cb8077ef792", + "https://git.kernel.org/stable/c/5b012f77abde89bf0be8a0547636184fea618137", + "https://git.kernel.org/stable/c/5dbdbe1133911ca7d8466bb86885adec32ad9438", + "https://git.kernel.org/stable/c/aa44d21574751a7d6bca892eb8e0e9ac68372e52", + "https://git.kernel.org/stable/c/b72d2b1448b682844f995e660b77f2a1fabc1662", + "https://git.kernel.org/stable/c/c26591afd33adce296c022e3480dea4282b7ef91", + "https://git.kernel.org/stable/c/dd681710ab77c8beafe2e263064cb1bd0e2d6ca9", + "https://git.kernel.org/stable/c/f5417ff561b8ac9a7e53c747b8627a7ab58378ae", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Prevent double free on error\n\nThe error handling path in its_vpe_irq_domain_alloc() causes a double free\nwhen its_vpe_init() fails after successfully allocating at least one\ninterrupt. This happens because its_vpe_irq_domain_free() frees the\ninterrupts along with the area bitmap and the vprop_page and\nits_vpe_irq_domain_alloc() subsequently frees the area bitmap and the\nvprop_page again.\n\nFix this by unconditionally invoking its_vpe_irq_domain_free() which\nhandles all cases correctly and by removing the bitmap/vprop_page freeing\nfrom its_vpe_irq_domain_alloc().\n\n[ tglx: Massaged change log ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35847" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35848", + "dataSource": "https://ubuntu.com/security/CVE-2024-35848", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35848" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35848", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35848", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/26d32bec4c6d255a03762f33c637bfa3718be15a", + "https://git.kernel.org/stable/c/2af84c46b9b8f2d6c0f88d09ee5c849ae1734676", + "https://git.kernel.org/stable/c/6d8b56ec0c8f30d5657382f47344a32569f7a9bc", + "https://git.kernel.org/stable/c/c43e5028f5a35331eb25017f5ff6cc21735005c6", + "https://git.kernel.org/stable/c/c850f71fca09ea41800ed55905980063d17e01da", + "https://git.kernel.org/stable/c/f42c97027fb75776e2e9358d16bf4a99aeb04cf2", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: at24: fix memory corruption race condition\n\nIf the eeprom is not accessible, an nvmem device will be registered, the\nread will fail, and the device will be torn down. If another driver\naccesses the nvmem device after the teardown, it will reference\ninvalid memory.\n\nMove the failure point before registering the nvmem device.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-35848" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35849", + "dataSource": "https://ubuntu.com/security/CVE-2024-35849", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35849" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35849", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35849", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf", + "https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6", + "https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc", + "https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772", + "https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86", + "https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6", + "https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d", + "https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\n\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Uninit was created at:\n __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n __do_kmalloc_node mm/slub.c:3954 [inline]\n __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n kmalloc_node include/linux/slab.h:648 [inline]\n kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n kvmalloc include/linux/slab.h:766 [inline]\n init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Bytes 40-65535 of 65536 are uninitialized\n Memory access of size 65536 starts at ffff888045a40000\n\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\n\nFix this by using kvzalloc() which zeroes out the memory on allocation.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35849" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35851", + "dataSource": "https://ubuntu.com/security/CVE-2024-35851", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35851" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35851", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35851", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/52f9041deaca3fc5c40ef3b9cb943993ec7d2489", + "https://git.kernel.org/stable/c/6b47cdeb786c38e4174319218db3fa6d7b4bba88", + "https://git.kernel.org/stable/c/73e87c0a49fda31d7b589edccf4c72e924411371", + "https://git.kernel.org/stable/c/b64092d2f108f0cd1d7fd7e176f5fb2a67a2f189", + "https://git.kernel.org/stable/c/e60502b907be350c518819297b565007a94c706d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix NULL-deref on non-serdev suspend\n\nQualcomm ROME controllers can be registered from the Bluetooth line\ndiscipline and in this case the HCI UART serdev pointer is NULL.\n\nAdd the missing sanity check to prevent a NULL-pointer dereference when\nwakeup() is called for a non-serdev controller during suspend.\n\nJust return true for now to restore the original behaviour and address\nthe crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657\n(\"Bluetooth: hci_qca: only assign wakeup with serial port support\") that\ncauses the crash to happen already at setup() time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35851" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35852", + "dataSource": "https://ubuntu.com/security/CVE-2024-35852", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35852" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35852", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35852", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758", + "https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04", + "https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f", + "https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d", + "https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d", + "https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab", + "https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work\n\nThe rehash delayed work is rescheduled with a delay if the number of\ncredits at end of the work is not negative as supposedly it means that\nthe migration ended. Otherwise, it is rescheduled immediately.\n\nAfter \"mlxsw: spectrum_acl_tcam: Fix possible use-after-free during\nrehash\" the above is no longer accurate as a non-negative number of\ncredits is no longer indicative of the migration being done. It can also\nhappen if the work encountered an error in which case the migration will\nresume the next time the work is scheduled.\n\nThe significance of the above is that it is possible for the work to be\npending and associated with hints that were allocated when the migration\nstarted. This leads to the hints being leaked [1] when the work is\ncanceled while pending as part of ACL region dismantle.\n\nFix by freeing the hints if hints are associated with a work that was\ncanceled while pending.\n\nBlame the original commit since the reliance on not having a pending\nwork associated with hints is fragile.\n\n[1]\nunreferenced object 0xffff88810e7c3000 (size 256):\n comm \"kworker/0:16\", pid 176, jiffies 4295460353\n hex dump (first 32 bytes):\n 00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......\n 00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........\n backtrace (crc 2544ddb9):\n [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0\n [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390\n [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400\n [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\n [<00000000e81fd734>] process_one_work+0x59c/0xf20\n [<00000000ceee9e81>] worker_thread+0x799/0x12c0\n [<00000000bda6fe39>] kthread+0x246/0x300\n [<0000000070056d23>] ret_from_fork+0x34/0x70\n [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35852" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35853", + "dataSource": "https://ubuntu.com/security/CVE-2024-35853", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35853" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35853", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35853", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf", + "https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e", + "https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1", + "https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977", + "https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d", + "https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76", + "https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\n\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk iterating over all the\nfilters.\n\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\n\nEach virtual chunk references two chunks: The currently used one\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\n\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\n\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\n\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 1.6, + "impactScore": 4.7 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35853" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35854", + "dataSource": "https://ubuntu.com/security/CVE-2024-35854", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35854" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35854", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35854", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049", + "https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121", + "https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519", + "https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887", + "https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1", + "https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1", + "https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\n\nThe rehash delayed work migrates filters from one region to another\naccording to the number of available credits.\n\nThe migrated from region is destroyed at the end of the work if the\nnumber of credits is non-negative as the assumption is that this is\nindicative of migration being complete. This assumption is incorrect as\na non-negative number of credits can also be the result of a failed\nmigration.\n\nThe destruction of a region that still has filters referencing it can\nresult in a use-after-free [1].\n\nFix by not destroying the region if migration failed.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\n\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 174:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 7:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35854" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35855", + "dataSource": "https://ubuntu.com/security/CVE-2024-35855", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35855" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35855", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35855", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b73f6e4ea770410a937a8db98f77e52594d23a0", + "https://git.kernel.org/stable/c/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4", + "https://git.kernel.org/stable/c/b183b915beef818a25e3154d719ca015a1ae0770", + "https://git.kernel.org/stable/c/b996e8699da810e4c915841d6aaef761007f933a", + "https://git.kernel.org/stable/c/c17976b42d546ee118ca300db559630ee96fb758", + "https://git.kernel.org/stable/c/e24d2487424779c02760ff50cd9021b8676e19ef", + "https://git.kernel.org/stable/c/feabdac2057e863d0e140a2adf3d232eb4882db4", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\n\nThe rule activity update delayed work periodically traverses the list of\nconfigured rules and queries their activity from the device.\n\nAs part of this task it accesses the entry pointed by 'ventry->entry',\nbut this entry can be changed concurrently by the rehash delayed work,\nleading to a use-after-free [1].\n\nFix by closing the race and perform the activity query under the\n'vregion->lock' mutex.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\n\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35855" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35857", + "dataSource": "https://ubuntu.com/security/CVE-2024-35857", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35857" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35857", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35857", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/23b7ee4a8d559bf38eac7ce5bb2f6ebf76f9c401", + "https://git.kernel.org/stable/c/3e2979bf080c40da4f7c93aff8575ab8bc62b767", + "https://git.kernel.org/stable/c/599c9ad5e1d43f5c12d869f5fd406ba5d8c55270", + "https://git.kernel.org/stable/c/c58e88d49097bd12dfcfef4f075b43f5d5830941", + "https://git.kernel.org/stable/c/d68dc711d84fdcf698e5d45308c3ddeede586350" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: prevent possible NULL dereferences from icmp_build_probe()\n\nFirst problem is a double call to __in_dev_get_rcu(), because\nthe second one could return NULL.\n\nif (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)\n\nSecond problem is a read from dev->ip6_ptr with no NULL check:\n\nif (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))\n\nUse the correct RCU API to fix these.\n\nv2: add missing include ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35857" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35861", + "dataSource": "https://ubuntu.com/security/CVE-2024-35861", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35861" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35861", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35861", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2cfff21732132e363b4cc275d63ea98f1af726c1", + "https://git.kernel.org/stable/c/7e8360ac8774e19b0b25f44fff84a105bb2417e4", + "https://git.kernel.org/stable/c/e0e50401cc3921c9eaf1b0e667db174519ea939f", + "https://git.kernel.org/stable/c/f9a96a7ad1e8d25dc6662bc7552e0752de74a20d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35861" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35862", + "dataSource": "https://ubuntu.com/security/CVE-2024-35862", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35862" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35862", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35862", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/63981561ffd2d4987807df4126f96a11e18b0c1d", + "https://git.kernel.org/stable/c/aa582b33f94453fdeaff1e7d0aa252c505975e01", + "https://git.kernel.org/stable/c/d919b6ea15ffa56fbafef4a1d92f47aeda9af645", + "https://git.kernel.org/stable/c/f9414004798d9742c1af23a1d839fe6a9503751c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_network_name_deleted()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35862" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35863", + "dataSource": "https://ubuntu.com/security/CVE-2024-35863", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35863" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35863", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35863", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a15ba88a32fa7a516aff7ffd27befed5334dff2", + "https://git.kernel.org/stable/c/16d58c6a7db5050b9638669084b63fc05f951825", + "https://git.kernel.org/stable/c/494c91e1e9413b407d12166a61b84200d4d54fac", + "https://git.kernel.org/stable/c/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35863" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35864", + "dataSource": "https://ubuntu.com/security/CVE-2024-35864", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35864" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35864", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35864", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/705c76fbf726c7a2f6ff9143d4013b18daaaebf1", + "https://git.kernel.org/stable/c/a8344e2b69bde63f713b0aa796d70dbeadffddfb", + "https://git.kernel.org/stable/c/c868cabdf6fdd61bea54532271f4708254e57fc5", + "https://git.kernel.org/stable/c/f92739fdd4522c4291277136399353d7c341fae4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_lease_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35864" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35865", + "dataSource": "https://ubuntu.com/security/CVE-2024-35865", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35865" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35865", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35865", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21fed37d2bdcde33453faf61d3d4d96c355f04bd", + "https://git.kernel.org/stable/c/22863485a4626ec6ecf297f4cc0aef709bc862e4", + "https://git.kernel.org/stable/c/3dba0e5276f131e36d6d8043191d856f49238628", + "https://git.kernel.org/stable/c/84488466b7a69570bdbf76dd9576847ab97d54e7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35865" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35866", + "dataSource": "https://ubuntu.com/security/CVE-2024-35866", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35866" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35866", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35866", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10e17ca4000ec34737bde002a13435c38ace2682", + "https://git.kernel.org/stable/c/3103163ccd3be4adcfa37e15608fb497be044113", + "https://git.kernel.org/stable/c/58acd1f497162e7d282077f816faa519487be045" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_dump_full_key()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35866" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35867", + "dataSource": "https://ubuntu.com/security/CVE-2024-35867", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35867" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35867", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35867", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/29/2", + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65", + "https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49", + "https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7", + "https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35867" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35868", + "dataSource": "https://ubuntu.com/security/CVE-2024-35868", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35868" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35868", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35868", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b", + "https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72", + "https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7", + "https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_write()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35868" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35869", + "dataSource": "https://ubuntu.com/security/CVE-2024-35869", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35869" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35869", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35869", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/062a7f0ff46eb57aff526897bd2bebfdb1d3046a", + "https://git.kernel.org/stable/c/645f332c6b63499cc76197f9b6bffcc659ba64cc", + "https://git.kernel.org/stable/c/e1db9ae87b7148c021daee1fcc4bc71b2ac58a79" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: guarantee refcounted children from parent session\n\nAvoid potential use-after-free bugs when walking DFS referrals,\nmounting and performing DFS failover by ensuring that all children\nfrom parent @tcon->ses are also refcounted. They're all needed across\nthe entire DFS mount. Get rid of @tcon->dfs_ses_list while we're at\nit, too.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35869" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35870", + "dataSource": "https://ubuntu.com/security/CVE-2024-35870", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35870" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35870", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35870", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa", + "https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5", + "https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in smb2_reconnect_server()\n\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\nis already being teared down by another thread that is executing\n__cifs_put_smb_ses(). This can happen when (a) the client has\nconnection to the server but no session or (b) another thread ends up\nsetting @ses->ses_status again to something different than\nSES_EXITING.\n\nTo fix this, we need to make sure to unconditionally set\n@ses->ses_status to SES_EXITING and prevent any other threads from\nsetting a new status while we're still tearing it down.\n\nThe following can be reproduced by adding some delay to right after\nthe ipc is freed in __cifs_put_smb_ses() - which will give\nsmb2_reconnect_server() worker a chance to run and then accessing\n@ses->ipc:\n\nkinit ...\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\n[disconnect srv]\nls /mnt/1 &>/dev/null\nsleep 30\nkdestroy\n[reconnect srv]\nsleep 10\numount /mnt/1\n...\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\ngeneral protection fault, probably for non-canonical address\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? die_addr+0x36/0x90\n ? exc_general_protection+0x1c1/0x3f0\n ? asm_exc_general_protection+0x26/0x30\n ? __list_del_entry_valid_or_report+0x33/0xf0\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\n smb2_reconnect_server+0x4ed/0x710 [cifs]\n process_one_work+0x205/0x6b0\n worker_thread+0x191/0x360\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe2/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35870" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35871", + "dataSource": "https://ubuntu.com/security/CVE-2024-35871", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35871" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35871", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35871", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4", + "https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5", + "https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8", + "https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9", + "https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef", + "https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: process: Fix kernel gp leakage\n\nchildregs represents the registers which are active for the new thread\nin user context. For a kernel thread, childregs->gp is never used since\nthe kernel gp is not touched by switch_to. For a user mode helper, the\ngp value can be observed in user space after execve or possibly by other\nmeans.\n\n[From the email thread]\n\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\n\nchildregs is the *user* context during syscall execution and it is observable\nfrom userspace in at least five ways:\n\n1. kernel_execve does not currently clear integer registers, so the starting\n register state for PID 1 and other user processes started by the kernel has\n sp = user stack, gp = kernel __global_pointer$, all other integer registers\n zeroed by the memset in the patch comment.\n\n This is a bug in its own right, but I'm unwilling to bet that it is the only\n way to exploit the issue addressed by this patch.\n\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\n before it execs, but ptrace requires SIGSTOP to be delivered which can only\n happen at user/kernel boundaries.\n\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\n user_mode_helpers before the exec completes, but gp is not one of the\n registers it returns.\n\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\n addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\n are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\n LOCKDOWN_PERF. I have not attempted to write exploit code.\n\n5. Much of the tracing infrastructure allows access to user registers. I have\n not attempted to determine which forms of tracing allow access to user\n registers without already allowing access to kernel registers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35871" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35872", + "dataSource": "https://ubuntu.com/security/CVE-2024-35872", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35872" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35872", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35872", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/201e4aaf405dfd1308da54448654053004c579b5", + "https://git.kernel.org/stable/c/43fad1d0284de30159661d0badfc3cbaf7e6f8f8", + "https://git.kernel.org/stable/c/65291dcfcf8936e1b23cfd7718fdfde7cfaf7706", + "https://git.kernel.org/stable/c/6564b014af92b677c1f07c44d7f5b595d589cf6e", + "https://git.kernel.org/stable/c/9c2b4b657739ecda38e3b383354a29566955ac48" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix GUP-fast succeeding on secretmem folios\n\nfolio_is_secretmem() currently relies on secretmem folios being LRU\nfolios, to save some cycles.\n\nHowever, folios might reside in a folio batch without the LRU flag set, or\ntemporarily have their LRU flag cleared. Consequently, the LRU flag is\nunreliable for this purpose.\n\nIn particular, this is the case when secretmem_fault() allocates a fresh\npage and calls filemap_add_folio()->folio_add_lru(). The folio might be\nadded to the per-cpu folio batch and won't get the LRU flag set until the\nbatch was drained using e.g., lru_add_drain().\n\nConsequently, folio_is_secretmem() might not detect secretmem folios and\nGUP-fast can succeed in grabbing a secretmem folio, crashing the kernel\nwhen we would later try reading/writing to the folio, because the folio\nhas been unmapped from the directmap.\n\nFix it by removing that unreliable check.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35872" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35875", + "dataSource": "https://ubuntu.com/security/CVE-2024-35875", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35875" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35875", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35875", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08044b08b37528b82f70a87576c692b4e4b7716e", + "https://git.kernel.org/stable/c/22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374", + "https://git.kernel.org/stable/c/453b5f2dec276c1bb4ea078bf8c0da57ee4627e5", + "https://git.kernel.org/stable/c/99485c4c026f024e7cb82da84c7951dbe3deb584" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/coco: Require seeding RNG with RDRAND on CoCo systems\n\nThere are few uses of CoCo that don't rely on working cryptography and\nhence a working RNG. Unfortunately, the CoCo threat model means that the\nVM host cannot be trusted and may actively work against guests to\nextract secrets or manipulate computation. Since a malicious host can\nmodify or observe nearly all inputs to guests, the only remaining source\nof entropy for CoCo guests is RDRAND.\n\nIf RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole\nis meant to gracefully continue on gathering entropy from other sources,\nbut since there aren't other sources on CoCo, this is catastrophic.\nThis is mostly a concern at boot time when initially seeding the RNG, as\nafter that the consequences of a broken RDRAND are much more\ntheoretical.\n\nSo, try at boot to seed the RNG using 256 bits of RDRAND output. If this\nfails, panic(). This will also trigger if the system is booted without\nRDRAND, as RDRAND is essential for a safe CoCo boot.\n\nAdd this deliberately to be \"just a CoCo x86 driver feature\" and not\npart of the RNG itself. Many device drivers and platforms have some\ndesire to contribute something to the RNG, and add_device_randomness()\nis specifically meant for this purpose.\n\nAny driver can call it with seed data of any quality, or even garbage\nquality, and it can only possibly make the quality of the RNG better or\nhave no effect, but can never make it worse.\n\nRather than trying to build something into the core of the RNG, consider\nthe particular CoCo issue just a CoCo issue, and therefore separate it\nall out into driver (well, arch/platform) code.\n\n [ bp: Massage commit message. ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35875" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35877", + "dataSource": "https://ubuntu.com/security/CVE-2024-35877", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35877" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35877", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35877", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221", + "https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173", + "https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6", + "https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec", + "https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a", + "https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f", + "https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4", + "https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: fix VM_PAT handling in COW mappings\n\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios. Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\n\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\n\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\n\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\n\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode. We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\n\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\n\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\n\n<--- C reproducer --->\n #include \n #include \n #include \n #include \n\n int main(void)\n {\n struct io_uring_params p = {};\n int ring_fd;\n size_t size;\n char *map;\n\n ring_fd = io_uring_setup(1, &p);\n if (ring_fd < 0) {\n perror(\"io_uring_setup\");\n return 1;\n }\n size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\n\n /* Map the submission queue ring MAP_PRIVATE */\n map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n ring_fd, IORING_OFF_SQ_RING);\n if (map == MAP_FAILED) {\n perror(\"mmap\");\n return 1;\n }\n\n /* We have at least one page. Let's COW it. */\n *map = 0;\n pause();\n return 0;\n }\n<--- C reproducer --->\n\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[ 301.552930] ------------[ cut here ]------------\n[ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[ 301.565725] PKRU: 55555554\n[ 301.565944] Call Trace:\n[ 301.566148] \n[ 301.566325] ? untrack_pfn+0xf4/0x100\n[ 301.566618] ? __warn+0x81/0x130\n[ 301.566876] ? untrack_pfn+0xf4/0x100\n[ 3\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35877" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35878", + "dataSource": "https://ubuntu.com/security/CVE-2024-35878", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35878" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35878", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35878", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898", + "https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987", + "https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: prevent NULL pointer dereference in vsnprintf()\n\nIn of_modalias(), we can get passed the str and len parameters which would\ncause a kernel oops in vsnprintf() since it only allows passing a NULL ptr\nwhen the length is also 0. Also, we need to filter out the negative values\nof the len parameter as these will result in a really huge buffer since\nsnprintf() takes size_t parameter while ours is ssize_t...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35878" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35879", + "dataSource": "https://ubuntu.com/security/CVE-2024-35879", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35879" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35879", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35879", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3127b2ee50c424a96eb3559fbb7b43cf0b111c7a", + "https://git.kernel.org/stable/c/3ee2424107546d882e1ddd75333ca9c32879908c", + "https://git.kernel.org/stable/c/7b6df050c45a1ea158fd50bc32a8e1447dd1e951", + "https://git.kernel.org/stable/c/801c8b8ec5bfb3519566dff16a5ecd48302fca82", + "https://git.kernel.org/stable/c/8917e7385346bd6584890ed362985c219fe6ae84", + "https://git.kernel.org/stable/c/ae6d76e4f06c37a623e357e79d49b17411db6f5c", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\n\nIn the following sequence:\n 1) of_platform_depopulate()\n 2) of_overlay_remove()\n\nDuring the step 1, devices are destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n ERROR: memory leak, expected refcount 1 instead of 2 ...\n\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\n\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35879" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35884", + "dataSource": "https://ubuntu.com/security/CVE-2024-35884", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35884" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35884", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35884", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3001e7aa43d6691db2a878b0745b854bf12ddd19", + "https://git.kernel.org/stable/c/3391b157780bbedf8ef9f202cbf10ee90bf6b0f8", + "https://git.kernel.org/stable/c/35fe0e0b5c00bef7dde74842a2564c43856fbce4", + "https://git.kernel.org/stable/c/3d010c8031e39f5fa1e8b13ada77e0321091011f", + "https://git.kernel.org/stable/c/d12245080cb259d82b34699f6cd4ec11bdb688bd", + "https://git.kernel.org/stable/c/d49ae15a5767d4e9ef8bbb79e42df1bfebc94670", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: do not accept non-tunnel GSO skbs landing in a tunnel\n\nWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed when\nbeing forwarded. If such packets might land in a tunnel this can cause\nvarious issues and udp_gro_receive makes sure this isn't the case by\nlooking for a matching socket. This is performed in\nudp4/6_gro_lookup_skb but only in the current netns. This is an issue\nwith tunneled packets when the endpoint is in another netns. In such\ncases the packets will be GROed at the UDP level, which leads to various\nissues later on. The same thing can happen with rx-gro-list.\n\nWe saw this with geneve packets being GROed at the UDP level. In such\ncase gso_size is set; later the packet goes through the geneve rx path,\nthe geneve header is pulled, the offset are adjusted and frag_list skbs\nare not adjusted with regard to geneve. When those skbs hit\nskb_fragment, it will misbehave. Different outcomes are possible\ndepending on what the GROed skbs look like; from corrupted packets to\nkernel crashes.\n\nOne example is a BUG_ON[1] triggered in skb_segment while processing the\nfrag_list. Because gso_size is wrong (geneve header was pulled)\nskb_segment thinks there is \"geneve header size\" of data in frag_list,\nalthough it's in fact the next packet. The BUG_ON itself has nothing to\ndo with the issue. This is only one of the potential issues.\n\nLooking up for a matching socket in udp_gro_receive is fragile: the\nlookup could be extended to all netns (not speaking about performances)\nbut nothing prevents those packets from being modified in between and we\ncould still not find a matching socket. It's OK to keep the current\nlogic there as it should cover most cases but we also need to make sure\nwe handle tunnel packets being GROed too early.\n\nThis is done by extending the checks in udp_unexpected_gso: GSO packets\nlacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must\nbe segmented.\n\n[1] kernel BUG at net/core/skbuff.c:4408!\n RIP: 0010:skb_segment+0xd2a/0xf70\n __udp_gso_segment+0xaa/0x560", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35884" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35885", + "dataSource": "https://ubuntu.com/security/CVE-2024-35885", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35885" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35885", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35885", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09ba28e1cd3cf715daab1fca6e1623e22fd754a6", + "https://git.kernel.org/stable/c/36a1cb0371aa6f0698910ee70cb4ed3c349f4fa4", + "https://git.kernel.org/stable/c/63a10b530e22cc923008b5925821c26872f37971", + "https://git.kernel.org/stable/c/80247e0eca14ff177d565f58ecd3010f6b7910a4", + "https://git.kernel.org/stable/c/9783b3b0e71d704949214a8f76468f591a31f3f5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: stop interface during shutdown\n\nThe mlxbf_gige driver intermittantly encounters a NULL pointer\nexception while the system is shutting down via \"reboot\" command.\nThe mlxbf_driver will experience an exception right after executing\nits shutdown() method. One example of this exception is:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\nMem abort info:\n ESR = 0x0000000096000004\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000004\n CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000\n[0000000000000070] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] SMP\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S OE 5.15.0-bf.6.gef6992a #1\nHardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\nlr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\nsp : ffff8000080d3c10\nx29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58\nx26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008\nx23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128\nx20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff\nx17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7\nx14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101\nx11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404\nx8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080\nx5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\n mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\n __napi_poll+0x40/0x1c8\n net_rx_action+0x314/0x3a0\n __do_softirq+0x128/0x334\n run_ksoftirqd+0x54/0x6c\n smpboot_thread_fn+0x14c/0x190\n kthread+0x10c/0x110\n ret_from_fork+0x10/0x20\nCode: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)\n---[ end trace 7cc3941aa0d8e6a4 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\nKernel Offset: 0x4ce722520000 from 0xffff800008000000\nPHYS_OFFSET: 0x80000000\nCPU features: 0x000005c1,a3330e5a\nMemory Limit: none\n---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nDuring system shutdown, the mlxbf_gige driver's shutdown() is always executed.\nHowever, the driver's stop() method will only execute if networking interface\nconfiguration logic within the Linux distribution has been setup to do so.\n\nIf shutdown() executes but stop() does not execute, NAPI remains enabled\nand this can lead to an exception if NAPI is scheduled while the hardware\ninterface has only been partially deinitialized.\n\nThe networking interface managed by the mlxbf_gige driver must be properly\nstopped during system shutdown so that IFF_UP is cleared, the hardware\ninterface is put into a clean state, and NAPI is fully deinitialized.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35885" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35886", + "dataSource": "https://ubuntu.com/security/CVE-2024-35886", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35886" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35886", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35886", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2", + "https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778", + "https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061", + "https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe", + "https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985", + "https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae", + "https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776", + "https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix infinite recursion in fib6_dump_done().\n\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction. [1]\n\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated. The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection. [0]\n\n 12:01:34 executing program 3:\n r0 = socket$nl_route(0x10, 0x3, 0x0)\n sendmsg$nl_route(r0, ... snip ...)\n recvmmsg(r0, ... snip ...) (fail_nth: 8)\n\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\n\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\n\nTo avoid the issue, let's set the destructor after kzalloc().\n\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\n\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n \n \n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35886" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35887", + "dataSource": "https://ubuntu.com/security/CVE-2024-35887", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35887" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35887", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35887", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/74204bf9050f7627aead9875fe4e07ba125cb19b", + "https://git.kernel.org/stable/c/c6a368f9c7af4c14b14d390c2543af8001c9bdb9", + "https://git.kernel.org/stable/c/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\n\nWhen the ax25 device is detaching, the ax25_dev_device_down()\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\nthe timer handler is running, the ax25_ds_del_timer() that\ncalls del_timer() in it will return directly. As a result,\nthe use-after-free bugs could happen, one of the scenarios\nis shown below:\n\n (Thread 1) | (Thread 2)\n | ax25_ds_timeout()\nax25_dev_device_down() |\n ax25_ds_del_timer() |\n del_timer() |\n ax25_dev_put() //FREE |\n | ax25_dev-> //USE\n\nIn order to mitigate bugs, when the device is detaching, use\ntimer_shutdown_sync() to stop the timer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35887" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35888", + "dataSource": "https://ubuntu.com/security/CVE-2024-35888", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35888" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35888", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35888", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac", + "https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446", + "https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0", + "https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d", + "https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d", + "https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85", + "https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5", + "https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: make sure erspan_base_hdr is present in skb->head\n\nsyzbot reported a problem in ip6erspan_rcv() [1]\n\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb->head)\nbefore getting @ver field from it.\n\nAdd the missing pskb_may_pull() calls.\n\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n because skb->head might have changed.\n\n[1]\n\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n pskb_may_pull include/linux/skbuff.h:2756 [inline]\n ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n dst_input include/net/dst.h:460 [inline]\n ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n netif_receive_skb_internal net/core/dev.c:5738 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n tun_alloc_skb drivers/net/tun.c:1525 [inline]\n tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35888" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35890", + "dataSource": "https://ubuntu.com/security/CVE-2024-35890", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35890" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35890", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35890", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad", + "https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f", + "https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f", + "https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486", + "https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngro: fix ownership transfer\n\nIf packets are GROed with fraglist they might be segmented later on and\ncontinue their journey in the stack. In skb_segment_list those skbs can\nbe reused as-is. This is an issue as their destructor was removed in\nskb_gro_receive_list but not the reference to their socket, and then\nthey can't be orphaned. Fix this by also removing the reference to the\nsocket.\n\nFor example this could be observed,\n\n kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)\n RIP: 0010:ip6_rcv_core+0x11bc/0x19a0\n Call Trace:\n ipv6_list_rcv+0x250/0x3f0\n __netif_receive_skb_list_core+0x49d/0x8f0\n netif_receive_skb_list_internal+0x634/0xd40\n napi_complete_done+0x1d2/0x7d0\n gro_cell_poll+0x118/0x1f0\n\nA similar construction is found in skb_gro_receive, apply the same\nchange there.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35890" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35892", + "dataSource": "https://ubuntu.com/security/CVE-2024-35892", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35892" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35892", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35892", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07696415526bee0607e495017369c7303a4792e1", + "https://git.kernel.org/stable/c/7eb322360b0266481e560d1807ee79e0cef5742b", + "https://git.kernel.org/stable/c/b7d1ce2cc7192e8a037faa3f5d3ba72c25976460", + "https://git.kernel.org/stable/c/c040b99461a5bfc14c2d0cbb1780fcc3a4706c7e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix lockdep splat in qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() is called with the qdisc lock held,\nnot RTNL.\n\nWe must use qdisc_lookup_rcu() instead of qdisc_lookup()\n\nsyzbot reported:\n\nWARNING: suspicious RCU usage\n6.1.74-syzkaller #0 Not tainted\n-----------------------------\nnet/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n3 locks held by udevd/1142:\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792\n\nstack backtrace:\nCPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n \n [] __dump_stack lib/dump_stack.c:88 [inline]\n [] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106\n [] dump_stack+0x15/0x1e lib/dump_stack.c:113\n [] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592\n [] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305\n [] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811\n [] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51\n [] qdisc_enqueue include/net/sch_generic.h:833 [inline]\n [] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723\n [] dequeue_skb net/sched/sch_generic.c:292 [inline]\n [] qdisc_restart net/sched/sch_generic.c:397 [inline]\n [] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415\n [] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\n [] net_tx_action+0x7c9/0x970 net/core/dev.c:5313\n [] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616\n [] invoke_softirq kernel/softirq.c:447 [inline]\n [] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700\n [] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712\n [] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107\n [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35892" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35893", + "dataSource": "https://ubuntu.com/security/CVE-2024-35893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35893" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35893", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366", + "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5", + "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924", + "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c", + "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14", + "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd", + "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec", + "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35895", + "dataSource": "https://ubuntu.com/security/CVE-2024-35895", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35895" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35895", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35895", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86", + "https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd", + "https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5", + "https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec", + "https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75", + "https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058", + "https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\n\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\n\n CPU0 CPU1\n ---- ----\n lock(&htab->buckets[i].lock);\n local_irq_disable();\n lock(&host->lock);\n lock(&htab->buckets[i].lock);\n \n lock(&host->lock);\n\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\n\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\n\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program today.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35895" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35896", + "dataSource": "https://ubuntu.com/security/CVE-2024-35896", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35896" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35896", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35896", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c83842df40f86e529db6842231154772c20edcc", + "https://git.kernel.org/stable/c/0f038242b77ddfc505bf4163d4904c1abd2e74d6", + "https://git.kernel.org/stable/c/18aae2cb87e5faa9c5bd865260ceadac60d5a6c5", + "https://git.kernel.org/stable/c/440e948cf0eff32cfe322dcbca3f2525354b159b", + "https://git.kernel.org/stable/c/58f2bfb789e6bd3bc24a2c9c1580f3c67aec3018", + "https://git.kernel.org/stable/c/81d51b9b7c95e791ba3c1a2dd77920a9d3b3f525", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: validate user input for expected length\n\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\n\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\n\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\n nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n \n\nAllocated by task 7238:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:4069 [inline]\n __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\n kmalloc_noprof include/linux/slab.h:664 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\n\nThe buggy address belongs to the object at ffff88802cd73da0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35896" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35897", + "dataSource": "https://ubuntu.com/security/CVE-2024-35897", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35897" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35897", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35897", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1bc83a019bbe268be3526406245ec28c2458a518", + "https://git.kernel.org/stable/c/2aeb805a1bcd5f27c8c0d1a9d4d653f16d1506f4", + "https://git.kernel.org/stable/c/6cbbe1ba76ee7e674a86abd43009b083a45838cb", + "https://git.kernel.org/stable/c/7f609f630951b624348373cef99991ce08831927", + "https://git.kernel.org/stable/c/9627fd0c6ea1c446741a33e67bc5709c59923827", + "https://git.kernel.org/stable/c/9a3b90904d8a072287480eed4c3ece4b99d64f78", + "https://git.kernel.org/stable/c/b58d0ac35f6d75ec1db8650a29dfd6f292c11362", + "https://git.kernel.org/stable/c/e75faf01e22ec7dc671640fa0e0968964fafd2fc", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: discard table flag update with pending basechain deletion\n\nHook unregistration is deferred to the commit phase, same occurs with\nhook updates triggered by the table dormant flag. When both commands are\ncombined, this results in deleting a basechain while leaving its hook\nstill registered in the core.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35897" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35898", + "dataSource": "https://ubuntu.com/security/CVE-2024-35898", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35898" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35898", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35898", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/24225011d81b471acc0e1e315b7d9905459a6304", + "https://git.kernel.org/stable/c/2485bcfe05ee3cf9ca8923a94fa2e456924c79c8", + "https://git.kernel.org/stable/c/69d1fe14a680042ec913f22196b58e2c8ff1b007", + "https://git.kernel.org/stable/c/8b891153b2e4dc0ca9d9dab8f619d49c740813df", + "https://git.kernel.org/stable/c/940d41caa71f0d3a52df2fde5fada524a993e331", + "https://git.kernel.org/stable/c/9b5b7708ec2be21dd7ef8ca0e3abe4ae9f3b083b", + "https://git.kernel.org/stable/c/a347bc8e6251eaee4b619da28020641eb5b0dd77", + "https://git.kernel.org/stable/c/e684b1674fd1ca4361812a491242ae871d6b2859", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\n\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35898" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35899", + "dataSource": "https://ubuntu.com/security/CVE-2024-35899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35899" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35899", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/24cea9677025e0de419989ecb692acd4bb34cac2", + "https://git.kernel.org/stable/c/333b5085522cf1898d5a0d92616046b414f631a7", + "https://git.kernel.org/stable/c/46c4481938e2ca62343b16ea83ab28f4c1733d31", + "https://git.kernel.org/stable/c/4e8447a9a3d367b5065a0b7abe101da6e0037b6e", + "https://git.kernel.org/stable/c/d2c9eb19fc3b11caebafde4c30a76a49203d18a6", + "https://git.kernel.org/stable/c/f4e14695fe805eb0f0cb36e0ad6a560b9f985e86", + "https://git.kernel.org/stable/c/f7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: flush pending destroy work before exit_net release\n\nSimilar to 2c9f0293280e (\"netfilter: nf_tables: flush pending destroy\nwork before netlink notifier\") to address a race between exit_net and\nthe destroy workqueue.\n\nThe trace below shows an element to be released via destroy workqueue\nwhile exit_net path (triggered via module removal) has already released\nthe set that is used in such transaction.\n\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\n[ 1360.547984] Call Trace:\n[ 1360.547991] \n[ 1360.547998] dump_stack_lvl+0x53/0x70\n[ 1360.548014] print_report+0xc4/0x610\n[ 1360.548026] ? __virt_addr_valid+0xba/0x160\n[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548176] kasan_report+0xae/0xe0\n[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\n[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30\n[ 1360.548591] process_one_work+0x2f1/0x670\n[ 1360.548610] worker_thread+0x4d3/0x760\n[ 1360.548627] ? __pfx_worker_thread+0x10/0x10\n[ 1360.548640] kthread+0x16b/0x1b0\n[ 1360.548653] ? __pfx_kthread+0x10/0x10\n[ 1360.548665] ret_from_fork+0x2f/0x50\n[ 1360.548679] ? __pfx_kthread+0x10/0x10\n[ 1360.548690] ret_from_fork_asm+0x1a/0x30\n[ 1360.548707] \n\n[ 1360.548719] Allocated by task 192061:\n[ 1360.548726] kasan_save_stack+0x20/0x40\n[ 1360.548739] kasan_save_track+0x14/0x30\n[ 1360.548750] __kasan_kmalloc+0x8f/0xa0\n[ 1360.548760] __kmalloc_node+0x1f1/0x450\n[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables]\n[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\n[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\n[ 1360.548927] netlink_unicast+0x367/0x4f0\n[ 1360.548935] netlink_sendmsg+0x34b/0x610\n[ 1360.548944] ____sys_sendmsg+0x4d4/0x510\n[ 1360.548953] ___sys_sendmsg+0xc9/0x120\n[ 1360.548961] __sys_sendmsg+0xbe/0x140\n[ 1360.548971] do_syscall_64+0x55/0x120\n[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n[ 1360.548994] Freed by task 192222:\n[ 1360.548999] kasan_save_stack+0x20/0x40\n[ 1360.549009] kasan_save_track+0x14/0x30\n[ 1360.549019] kasan_save_free_info+0x3b/0x60\n[ 1360.549028] poison_slab_object+0x100/0x180\n[ 1360.549036] __kasan_slab_free+0x14/0x30\n[ 1360.549042] kfree+0xb6/0x260\n[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables]\n[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables]\n[ 1360.549221] ops_exit_list+0x50/0xa0\n[ 1360.549229] free_exit_list+0x101/0x140\n[ 1360.549236] unregister_pernet_operations+0x107/0x160\n[ 1360.549245] unregister_pernet_subsys+0x1c/0x30\n[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables]\n[ 1360.549345] __do_sys_delete_module+0x253/0x370\n[ 1360.549352] do_syscall_64+0x55/0x120\n[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n(gdb) list *__nft_release_table+0x473\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\n11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\n11350 list_del(&flowtable->list);\n11351 nft_use_dec(&table->use);\n11352 nf_tables_flowtable_destroy(flowtable);\n11353 }\n11354 list_for_each_entry_safe(set, ns, &table->sets, list) {\n11355 list_del(&set->list);\n11356 nft_use_dec(&table->use);\n11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\n11358 nft_map_deactivat\n---truncated---", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", + "metrics": { + "baseScore": 6.1, + "exploitabilityScore": 1.8, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35900", + "dataSource": "https://ubuntu.com/security/CVE-2024-35900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35900" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35900", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/41bad13c0e8a5a2b47a7472cced922555372daab", + "https://git.kernel.org/stable/c/420132bee3d0136b7fba253a597b098fe15493a7", + "https://git.kernel.org/stable/c/6d12f21f8bbe23fde25b77c2bf5973c136b8bef8", + "https://git.kernel.org/stable/c/745cf6a843896cdac8766c74379300ed73c78830", + "https://git.kernel.org/stable/c/7b6fba6918714afee3e17796113ccab636255c7b", + "https://git.kernel.org/stable/c/8ba81dca416adf82fc5a2a23abc1a8cc02ad32fb", + "https://git.kernel.org/stable/c/994209ddf4f430946f6247616b2e33d179243769", + "https://git.kernel.org/stable/c/e95bb4cba94c018be24b11f017d1c55dd6cda31a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject new basechain after table flag update\n\nWhen dormant flag is toggled, hooks are disabled in the commit phase by\niterating over current chains in table (existing and new).\n\nThe following configuration allows for an inconsistent state:\n\n add table x\n add chain x y { type filter hook input priority 0; }\n add table x { flags dormant; }\n add chain x w { type filter hook input priority 1; }\n\nwhich triggers the following warning when trying to unregister chain w\nwhich is already unregistered.\n\n[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[ 127.322519] Call Trace:\n[ 127.322521] \n[ 127.322524] ? __warn+0x9f/0x1a0\n[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322537] ? report_bug+0x1b1/0x1e0\n[ 127.322545] ? handle_bug+0x3c/0x70\n[ 127.322552] ? exc_invalid_op+0x17/0x40\n[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20\n[ 127.322563] ? kasan_save_free_info+0x3b/0x60\n[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]\n[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]\n[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35902", + "dataSource": "https://ubuntu.com/security/CVE-2024-35902", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35902" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35902", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35902", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b", + "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a", + "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d", + "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9", + "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196", + "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14", + "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c", + "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp->cp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n - rds_get_mr()\n - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n where trans_private is assigned as per the previous point in this analysis.\n\n The only implementation of get_mr that I could locate is rds_ib_get_mr()\n which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n this patch does seem to address a possible bug", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35902" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35904", + "dataSource": "https://ubuntu.com/security/CVE-2024-35904", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35904" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35904", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35904", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/37801a36b4d68892ce807264f784d818f8d0d39b", + "https://git.kernel.org/stable/c/477ed6789eb9f3f4d3568bb977f90c863c12724e", + "https://git.kernel.org/stable/c/68784a5d01b8868ff85a7926676b6729715fff3c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: avoid dereference of garbage after mount failure\n\nIn case kern_mount() fails and returns an error pointer return in the\nerror branch instead of continuing and dereferencing the error pointer.\n\nWhile on it drop the never read static variable selinuxfs_mount.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35904" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35905", + "dataSource": "https://ubuntu.com/security/CVE-2024-35905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35905" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35905", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103", + "https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69", + "https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69", + "https://git.kernel.org/stable/c/98cdac206b112bec63852e94802791e316acc2c1", + "https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d", + "https://git.kernel.org/stable/c/ecc6a2101840177e57c925c102d2d29f260d37c8", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Protect against int overflow for stack access size\n\nThis patch re-introduces protection against the size of access to stack\nmemory being negative; the access size can appear negative as a result\nof overflowing its signed int representation. This should not actually\nhappen, as there are other protections along the way, but we should\nprotect against it anyway. One code path was missing such protections\n(fixed in the previous patch in the series), causing out-of-bounds array\naccesses in check_stack_range_initialized(). This patch causes the\nverification of a program with such a non-sensical access size to fail.\n\nThis check used to exist in a more indirect way, but was inadvertendly\nremoved in a833a17aeac7.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35907", + "dataSource": "https://ubuntu.com/security/CVE-2024-35907", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35907" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35907", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35907", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab", + "https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e", + "https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52", + "https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3", + "https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: call request_irq() after NAPI initialized\n\nThe mlxbf_gige driver encounters a NULL pointer exception in\nmlxbf_gige_open() when kdump is enabled. The sequence to reproduce\nthe exception is as follows:\na) enable kdump\nb) trigger kdump via \"echo c > /proc/sysrq-trigger\"\nc) kdump kernel executes\nd) kdump kernel loads mlxbf_gige module\ne) the mlxbf_gige module runs its open() as the\n the \"oob_net0\" interface is brought up\nf) mlxbf_gige module will experience an exception\n during its open(), something like:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000086000004\n EC = 0x21: IABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\n [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000086000004 [#1] SMP\n CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : 0x0\n lr : __napi_poll+0x40/0x230\n sp : ffff800008003e00\n x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\n x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\n x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\n x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\n x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\n x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\n x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\n x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\n x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\n Call trace:\n 0x0\n net_rx_action+0x178/0x360\n __do_softirq+0x15c/0x428\n __irq_exit_rcu+0xac/0xec\n irq_exit+0x18/0x2c\n handle_domain_irq+0x6c/0xa0\n gic_handle_irq+0xec/0x1b0\n call_on_irq_stack+0x20/0x2c\n do_interrupt_handler+0x5c/0x70\n el1_interrupt+0x30/0x50\n el1h_64_irq_handler+0x18/0x2c\n el1h_64_irq+0x7c/0x80\n __setup_irq+0x4c0/0x950\n request_threaded_irq+0xf4/0x1bc\n mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\n mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\n __dev_open+0x100/0x220\n __dev_change_flags+0x16c/0x1f0\n dev_change_flags+0x2c/0x70\n do_setlink+0x220/0xa40\n __rtnl_newlink+0x56c/0x8a0\n rtnl_newlink+0x58/0x84\n rtnetlink_rcv_msg+0x138/0x3c4\n netlink_rcv_skb+0x64/0x130\n rtnetlink_rcv+0x20/0x30\n netlink_unicast+0x2ec/0x360\n netlink_sendmsg+0x278/0x490\n __sock_sendmsg+0x5c/0x6c\n ____sys_sendmsg+0x290/0x2d4\n ___sys_sendmsg+0x84/0xd0\n __sys_sendmsg+0x70/0xd0\n __arm64_sys_sendmsg+0x2c/0x40\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x54/0x184\n do_el0_svc+0x30/0xac\n el0_svc+0x48/0x160\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n Code: bad PC value\n ---[ end trace 7d1c3f3bf9d81885 ]---\n Kernel panic - not syncing: Oops: Fatal exception in interrupt\n Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\n PHYS_OFFSET: 0x80000000\n CPU features: 0x0,000005c1,a3332a5a\n Memory Limit: none\n ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThe exception happens because there is a pending RX interrupt before the\ncall to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires\nimmediately after this request_irq() completes. The\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35907" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35908", + "dataSource": "https://ubuntu.com/security/CVE-2024-35908", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35908" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35908", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35908", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/30fabe50a7ace3e9d57cf7f9288f33ea408491c8", + "https://git.kernel.org/stable/c/417e91e856099e9b8a42a2520e2255e6afe024be", + "https://git.kernel.org/stable/c/b565d294e3d5aa809566a4d819835da11997d8b3", + "https://git.kernel.org/stable/c/f1b7f14130d782433bc98c1e1e41ce6b4d4c3096" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: get psock ref after taking rxlock to avoid leak\n\nAt the start of tls_sw_recvmsg, we take a reference on the psock, and\nthen call tls_rx_reader_lock. If that fails, we return directly\nwithout releasing the reference.\n\nInstead of adding a new label, just take the reference after locking\nhas succeeded, since we don't need it before.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35908" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35910", + "dataSource": "https://ubuntu.com/security/CVE-2024-35910", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35910" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35910", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35910", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada", + "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4", + "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f", + "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a", + "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de", + "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50", + "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87", + "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35910" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35912", + "dataSource": "https://ubuntu.com/security/CVE-2024-35912", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35912" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35912", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35912", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06a093807eb7b5c5b29b6cff49f8174a4e702341", + "https://git.kernel.org/stable/c/28db0ae86cb91a4ab0e855cff779daead936b7d5", + "https://git.kernel.org/stable/c/99a75d75007421d8e08ba139e24f77395cd08f62", + "https://git.kernel.org/stable/c/c0a40f2f8eba07416f695ffe2011bf3f8b0b6dc8", + "https://git.kernel.org/stable/c/f7f0e784894dfcb265f0f9fa499103b0ca7eabde" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: rfi: fix potential response leaks\n\nIf the rx payload length check fails, or if kmemdup() fails,\nwe still need to free the command response. Fix that.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35912" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35915", + "dataSource": "https://ubuntu.com/security/CVE-2024-35915", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35915" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35915", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35915", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff", + "https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240", + "https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c", + "https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a", + "https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a", + "https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16", + "https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7", + "https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\n\nsyzbot reported the following uninit-value access issue [1][2]:\n\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\n\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35915" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35918", + "dataSource": "https://ubuntu.com/security/CVE-2024-35918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35918" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35918" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35920", + "dataSource": "https://ubuntu.com/security/CVE-2024-35920", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35920" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35920", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35920", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a2dc707aa42214f9c4827bd57e344e29a0841d6", + "https://git.kernel.org/stable/c/23aaf824121055ba81b55f75444355bd83c8eb38", + "https://git.kernel.org/stable/c/6467cda18c9f9b5f2f9a0aa1e2861c653e41f382" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: adding lock to protect decoder context list\n\nAdd a lock for the ctx_list, to avoid accessing a NULL pointer\nwithin the 'vpu_dec_ipi_handler' function when the ctx_list has\nbeen deleted due to an unexpected behavior on the SCP IP block.\n\nHardware name: Google juniper sku16 board (DT)\npstate: 20400005 (nzCv daif +PAN -UAO -TCO BTYPE=--)\npc : vpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec]\nlr : scp_ipi_handler+0xd0/0x194 [mtk_scp]\nsp : ffffffc0131dbbd0\nx29: ffffffc0131dbbd0 x28: 0000000000000000\nx27: ffffff9bb277f348 x26: ffffff9bb242ad00\nx25: ffffffd2d440d3b8 x24: ffffffd2a13ff1d4\nx23: ffffff9bb7fe85a0 x22: ffffffc0133fbdb0\nx21: 0000000000000010 x20: ffffff9b050ea328\nx19: ffffffc0131dbc08 x18: 0000000000001000\nx17: 0000000000000000 x16: ffffffd2d461c6e0\nx15: 0000000000000242 x14: 000000000000018f\nx13: 000000000000004d x12: 0000000000000000\nx11: 0000000000000001 x10: fffffffffffffff0\nx9 : ffffff9bb6e793a8 x8 : 0000000000000000\nx7 : 0000000000000000 x6 : 000000000000003f\nx5 : 0000000000000040 x4 : fffffffffffffff0\nx3 : 0000000000000020 x2 : ffffff9bb6e79080\nx1 : 0000000000000010 x0 : ffffffc0131dbc08\nCall trace:\nvpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec (HASH:6c3f 2)]\nscp_ipi_handler+0xd0/0x194 [mtk_scp (HASH:7046 3)]\nmt8183_scp_irq_handler+0x44/0x88 [mtk_scp (HASH:7046 3)]\nscp_irq_handler+0x48/0x90 [mtk_scp (HASH:7046 3)]\nirq_thread_fn+0x38/0x94\nirq_thread+0x100/0x1c0\nkthread+0x140/0x1fc\nret_from_fork+0x10/0x30\nCode: 54000088 f94ca50a eb14015f 54000060 (f9400108)\n---[ end trace ace43ce36cbd5c93 ]---\nKernel panic - not syncing: Oops: Fatal exception\nSMP: stopping secondary CPUs\nKernel Offset: 0x12c4000000 from 0xffffffc010000000\nPHYS_OFFSET: 0xffffffe580000000\nCPU features: 0x08240002,2188200c\nMemory Limit: none", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35920" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35922", + "dataSource": "https://ubuntu.com/security/CVE-2024-35922", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35922" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35922", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35922", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4", + "https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f", + "https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33", + "https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029", + "https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971", + "https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270", + "https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0", + "https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd9bd4126", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbmon: prevent division by zero in fb_videomode_from_videomode()\n\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35922" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35924", + "dataSource": "https://ubuntu.com/security/CVE-2024-35924", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35924" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35924", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35924", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0defcaa09d3b21e8387829ee3a652c43fa91e13f", + "https://git.kernel.org/stable/c/266f403ec47573046dee4bcebda82777ce702c40", + "https://git.kernel.org/stable/c/b3db266fb031fba88c423d4bb8983a73a3db6527" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Limit read size on v1.2\n\nBetween UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was\nincreased from 16 to 256. In order to avoid overflowing reads for older\nsystems, add a mechanism to use the read UCSI version to truncate read\nsizes on UCSI v1.2.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35924" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35925", + "dataSource": "https://ubuntu.com/security/CVE-2024-35925", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35925" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35925", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35925", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21e7d72d0cfcbae6042d498ea2e6f395311767f8", + "https://git.kernel.org/stable/c/512a01da7134bac8f8b373506011e8aaa3283854", + "https://git.kernel.org/stable/c/5f7fd6aa4c4877d77133ea86c14cf256f390b2fe", + "https://git.kernel.org/stable/c/6a55dab4ac956deb23690eedd74e70b892a378e7", + "https://git.kernel.org/stable/c/93f52fbeaf4b676b21acfe42a5152620e6770d02", + "https://git.kernel.org/stable/c/98ddf2604ade2d954bf5ec193600d5274a43fd68", + "https://git.kernel.org/stable/c/b0cb5564c3e8e0ee0a2d28c86fa7f02e82d64c3c", + "https://git.kernel.org/stable/c/edd073c78d2bf48c5b8bf435bbc3d61d6e7c6c14", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: prevent division by zero in blk_rq_stat_sum()\n\nThe expression dst->nr_samples + src->nr_samples may\nhave zero value on overflow. It is necessary to add\na check to avoid division by zero.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35925" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35926", + "dataSource": "https://ubuntu.com/security/CVE-2024-35926", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35926" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35926", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35926", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/262534ddc88dfea7474ed18adfecf856e4fbe054", + "https://git.kernel.org/stable/c/d994f7d77aaded05dc05af58a2720fd4f4b72a83" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix async_disable descriptor leak\n\nThe disable_async paths of iaa_compress/decompress() don't free idxd\ndescriptors in the async_disable case. Currently this only happens in\nthe testcases where req->dst is set to null. Add a test to free them\nin those paths.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35926" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35927", + "dataSource": "https://ubuntu.com/security/CVE-2024-35927", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35927" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35927", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35927", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/18451798f4a4e7418b9fad7e7dd313fe84b1f545", + "https://git.kernel.org/stable/c/3d1b47e3a935abd4f258a945db87e7267ff4079c", + "https://git.kernel.org/stable/c/4ad8d57d902fbc7c82507cfc1b031f3a07c3de6e", + "https://git.kernel.org/stable/c/5abffb66d12bcac84bf7b66389c571b8bb6e82bd", + "https://git.kernel.org/stable/c/786c27982a39d79cc753f84229eb5977ac8ef1c1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Check output polling initialized before disabling\n\nIn drm_kms_helper_poll_disable() check if output polling\nsupport is initialized before disabling polling. If not flag\nthis as a warning.\nAdditionally in drm_mode_config_helper_suspend() and\ndrm_mode_config_helper_resume() calls, that re the callers of these\nfunctions, avoid invoking them if polling is not initialized.\nFor drivers like hyperv-drm, that do not initialize connector\npolling, if suspend is called without this check, it leads to\nsuspend failure with following stack\n[ 770.719392] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.\n[ 770.720592] printk: Suspending console(s) (use no_console_suspend to debug)\n[ 770.948823] ------------[ cut here ]------------\n[ 770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230\n[ 770.948831] Modules linked in: rfkill nft_counter xt_conntrack xt_owner udf nft_compat crc_itu_t nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink vfat fat mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common kvm_amd ccp mlxfw kvm psample hyperv_drm tls drm_shmem_helper drm_kms_helper irqbypass pcspkr syscopyarea sysfillrect sysimgblt hv_balloon hv_utils joydev drm fuse xfs libcrc32c pci_hyperv pci_hyperv_intf sr_mod sd_mod cdrom t10_pi sg hv_storvsc scsi_transport_fc hv_netvsc serio_raw hyperv_keyboard hid_hyperv crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod\n[ 770.948863] CPU: 1 PID: 17197 Comm: systemd-sleep Not tainted 5.14.0-362.2.1.el9_3.x86_64 #1\n[ 770.948865] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022\n[ 770.948866] RIP: 0010:__flush_work.isra.0+0x212/0x230\n[ 770.948869] Code: 8b 4d 00 4c 8b 45 08 89 ca 48 c1 e9 04 83 e2 08 83 e1 0f 83 ca 02 89 c8 48 0f ba 6d 00 03 e9 25 ff ff ff 0f 0b e9 4e ff ff ff <0f> 0b 45 31 ed e9 44 ff ff ff e8 8f 89 b2 00 66 66 2e 0f 1f 84 00\n[ 770.948870] RSP: 0018:ffffaf4ac213fb10 EFLAGS: 00010246\n[ 770.948871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8c992857\n[ 770.948872] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9aad82b00330\n[ 770.948873] RBP: ffff9aad82b00330 R08: 0000000000000000 R09: ffff9aad87ee3d10\n[ 770.948874] R10: 0000000000000200 R11: 0000000000000000 R12: ffff9aad82b00330\n[ 770.948874] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n[ 770.948875] FS: 00007ff1b2f6bb40(0000) GS:ffff9aaf37d00000(0000) knlGS:0000000000000000\n[ 770.948878] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 770.948878] CR2: 0000555f345cb666 CR3: 00000001462dc005 CR4: 0000000000370ee0\n[ 770.948879] Call Trace:\n[ 770.948880] \n[ 770.948881] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948884] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948886] ? __cancel_work_timer+0x103/0x190\n[ 770.948887] ? __flush_work.isra.0+0x212/0x230\n[ 770.948889] ? __warn+0x81/0x110\n[ 770.948891] ? __flush_work.isra.0+0x212/0x230\n[ 770.948892] ? report_bug+0x10a/0x140\n[ 770.948895] ? handle_bug+0x3c/0x70\n[ 770.948898] ? exc_invalid_op+0x14/0x70\n[ 770.948899] ? asm_exc_invalid_op+0x16/0x20\n[ 770.948903] ? __flush_work.isra.0+0x212/0x230\n[ 770.948905] __cancel_work_timer+0x103/0x190\n[ 770.948907] ? _raw_spin_unlock_irqrestore+0xa/0x30\n[ 770.948910] drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper]\n[ 770.948923] drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper]\n[ 770.948933] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948942] hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm]\n[ 770.948944] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948951] dpm_run_callback+0x4c/0x140\n[ 770.948954] __device_suspend_noir\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35927" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35928", + "dataSource": "https://ubuntu.com/security/CVE-2024-35928", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35928" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35928", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/14ac934db851642ea8cd1bd4121c788a8899ef69", + "https://git.kernel.org/stable/c/aa665c3a2aca2ffe31b9645bda278e96dfc3b55c", + "https://git.kernel.org/stable/c/c5f9fe2c1e5023fa096189a8bfba6420aa035587", + "https://git.kernel.org/stable/c/eb4f139888f636614dab3bcce97ff61cefc4b3a7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()\n\nThis ensures that the memory mapped by ioremap for adev->rmmio, is\nproperly handled in amdgpu_device_init(). If the function exits early\ndue to an error, the memory is unmapped. If the function completes\nsuccessfully, the memory remains mapped.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_device.c:4337 amdgpu_device_init() warn: 'adev->rmmio' from ioremap() not released on lines: 4035,4045,4051,4058,4068,4337", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35928" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35929", + "dataSource": "https://ubuntu.com/security/CVE-2024-35929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35929" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35929", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc", + "https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a", + "https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()\n\nFor the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and\nCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()\nin the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:\n\n CPU2 CPU11\nkthread\nrcu_nocb_cb_kthread ksys_write\nrcu_do_batch vfs_write\nrcu_torture_timer_cb proc_sys_write\n__kmem_cache_free proc_sys_call_handler\nkmemleak_free drop_caches_sysctl_handler\ndelete_object_full drop_slab\n__delete_object shrink_slab\nput_object lazy_rcu_shrink_scan\ncall_rcu rcu_nocb_flush_bypass\n__call_rcu_commn rcu_nocb_bypass_lock\n raw_spin_trylock(&rdp->nocb_bypass_lock) fail\n atomic_inc(&rdp->nocb_lock_contended);\nrcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu);\n WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) |\n |_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __|\n\nReproduce this bug with \"echo 3 > /proc/sys/vm/drop_caches\".\n\nThis commit therefore uses rcu_nocb_try_flush_bypass() instead of\nrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass\nqueue is being flushed, then rcu_nocb_try_flush_bypass will return\ndirectly.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35930", + "dataSource": "https://ubuntu.com/security/CVE-2024-35930", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35930" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35930", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35930", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07a2aa674fca679316b8ac51440adb895b53a7cf", + "https://git.kernel.org/stable/c/2ae917d4bcab80ab304b774d492e2fcd6c52c06b", + "https://git.kernel.org/stable/c/3320126ed3afbc11934502319b340f91a4d61c8f", + "https://git.kernel.org/stable/c/7849e6f8410da96384e3d1f6b6d730f095142dc7", + "https://git.kernel.org/stable/c/c473288f27d15014447de5a891bdf22a0695847a", + "https://git.kernel.org/stable/c/e2cd32435b1dff3d63759476a3abc878e02fb6c8", + "https://git.kernel.org/stable/c/edf82aa7e9eb864a09229392054d131b34a5c9e8", + "https://git.kernel.org/stable/c/ee0b5f96b6d66a1e6698228dcb41df11ec7f352f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\n\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status. In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\n\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35930" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35931", + "dataSource": "https://ubuntu.com/security/CVE-2024-35931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35931" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35931", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/395ca1031acf89d8ecb26127c544a71688d96f35", + "https://git.kernel.org/stable/c/601429cca96b4af3be44172c3b64e4228515dbe1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Skip do PCI error slot reset during RAS recovery\n\nWhy:\n The PCI error slot reset maybe triggered after inject ue to UMC multi times, this\n caused system hang.\n [ 557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, trying to resume\n [ 557.373718] [drm] PCIE GART of 512M enabled.\n [ 557.373722] [drm] PTB located at 0x0000031FED700000\n [ 557.373788] [drm] VRAM is lost due to GPU reset!\n [ 557.373789] [drm] PSP is resuming...\n [ 557.547012] mlx5_core 0000:55:00.0: mlx5_pci_err_detected Device state = 1 pci_status: 0. Exit, result = 3, need reset\n [ 557.547067] [drm] PCI error: detected callback, state(1)!!\n [ 557.547069] [drm] No support for XGMI hive yet...\n [ 557.548125] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 0. Enter\n [ 557.607763] mlx5_core 0000:55:00.0: wait vital counter value 0x16b5b after 1 iterations\n [ 557.607777] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 1. Exit, err = 0, result = 5, recovered\n [ 557.610492] [drm] PCI error: slot reset callback!!\n ...\n [ 560.689382] amdgpu 0000:3f:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689546] amdgpu 0000:5a:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689562] general protection fault, probably for non-canonical address 0x5f080b54534f611f: 0000 [#1] SMP NOPTI\n [ 560.701008] CPU: 16 PID: 2361 Comm: kworker/u448:9 Tainted: G OE 5.15.0-91-generic #101-Ubuntu\n [ 560.712057] Hardware name: Microsoft C278A/C278A, BIOS C2789.5.BS.1C11.AG.1 11/08/2023\n [ 560.720959] Workqueue: amdgpu-reset-hive amdgpu_ras_do_recovery [amdgpu]\n [ 560.728887] RIP: 0010:amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.736891] Code: ff 41 89 c6 e9 1b ff ff ff 44 0f b6 45 b0 e9 4f ff ff ff be 01 00 00 00 4c 89 e7 e8 76 c9 8b ff 44 0f b6 45 b0 e9 3c fd ff ff <48> 83 ba 18 02 00 00 00 0f 84 6a f8 ff ff 48 8d 7a 78 be 01 00 00\n [ 560.757967] RSP: 0018:ffa0000032e53d80 EFLAGS: 00010202\n [ 560.763848] RAX: ffa00000001dfd10 RBX: ffa0000000197090 RCX: ffa0000032e53db0\n [ 560.771856] RDX: 5f080b54534f5f07 RSI: 0000000000000000 RDI: ff11000128100010\n [ 560.779867] RBP: ffa0000032e53df0 R08: 0000000000000000 R09: ffffffffffe77f08\n [ 560.787879] R10: 0000000000ffff0a R11: 0000000000000001 R12: 0000000000000000\n [ 560.795889] R13: ffa0000032e53e00 R14: 0000000000000000 R15: 0000000000000000\n [ 560.803889] FS: 0000000000000000(0000) GS:ff11007e7e800000(0000) knlGS:0000000000000000\n [ 560.812973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 560.819422] CR2: 000055a04c118e68 CR3: 0000000007410005 CR4: 0000000000771ee0\n [ 560.827433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [ 560.835433] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n [ 560.843444] PKRU: 55555554\n [ 560.846480] Call Trace:\n [ 560.849225] \n [ 560.851580] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.856488] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.861379] ? amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.867778] ? show_regs.part.0+0x23/0x29\n [ 560.872293] ? __die_body.cold+0x8/0xd\n [ 560.876502] ? die_addr+0x3e/0x60\n [ 560.880238] ? exc_general_protection+0x1c5/0x410\n [ 560.885532] ? asm_exc_general_protection+0x27/0x30\n [ 560.891025] ? amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.898323] amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.904520] process_one_work+0x228/0x3d0\nHow:\n In RAS recovery, mode-1 reset is issued from RAS fatal error handling and expected\n all the nodes in a hive to be reset. no need to issue another mode-1 during this procedure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35932", + "dataSource": "https://ubuntu.com/security/CVE-2024-35932", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35932" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35932", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35932", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40", + "https://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd", + "https://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9", + "https://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: don't check if plane->state->fb == state->fb\n\nCurrently, when using non-blocking commits, we can see the following\nkernel warning:\n\n[ 110.908514] ------------[ cut here ]------------\n[ 110.908529] refcount_t: underflow; use-after-free.\n[ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\n[ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32\n[ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0\n[ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0\n[ 110.909170] sp : ffffffc00913b9c0\n[ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\n[ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\n[ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\n[ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\n[ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\n[ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\n[ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\n[ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\n[ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\n[ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\n[ 110.909434] Call trace:\n[ 110.909441] refcount_dec_not_one+0xb8/0xc0\n[ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\n[ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4]\n[ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\n[ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4]\n[ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper]\n[ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\n[ 110.911716] drm_atomic_commit+0xb0/0xdc [drm]\n[ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\n[ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm]\n[ 110.914091] drm_ioctl+0x24c/0x3b0 [drm]\n[ 110.914850] __arm64_sys_ioctl+0x9c/0xd4\n[ 110.914873] invoke_syscall+0x4c/0x114\n[ 110.914897] el0_svc_common+0xd0/0x118\n[ 110.914917] do_el0_svc+0x38/0xd0\n[ 110.914936] el0_svc+0x30/0x8c\n[ 110.914958] el0t_64_sync_handler+0x84/0xf0\n[ 110.914979] el0t_64_sync+0x18c/0x190\n[ 110.914996] ---[ end trace 0000000000000000 ]---\n\nThis happens because, although `prepare_fb` and `cleanup_fb` are\nperfectly balanced, we cannot guarantee consistency in the check\nplane->state->fb == state->fb. This means that sometimes we can increase\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\nopposite can also be true.\n\nIn fact, the struct drm_plane .state shouldn't be accessed directly\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\nbe used. So, we could stick to this check, but using\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35932" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35933", + "dataSource": "https://ubuntu.com/security/CVE-2024-35933", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35933" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35933", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35933", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/006936ecb4edfc3102464044f75858c714e34d28", + "https://git.kernel.org/stable/c/22d3053ef05f0b5045e45bd91e7473846261d65e", + "https://git.kernel.org/stable/c/68a69bb2ecafaacdb998a87783068fb51736f43b", + "https://git.kernel.org/stable/c/86e9b47e8a75c74b1bd83a479979b425c5dc8bd9", + "https://git.kernel.org/stable/c/b19fe5eea619d54eea59bb8a37c0f8d00ef0e912", + "https://git.kernel.org/stable/c/b79e040910101b020931ba0c9a6b77e81ab7f645", + "https://git.kernel.org/stable/c/ec2049fb2b8be3e108fe2ef1f1040f91e72c9990", + "https://git.kernel.org/stable/c/ffdca0a62abaf8c41d8d9ea132000fd808de329b", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Fix null ptr deref in btintel_read_version\n\nIf hci_cmd_sync_complete() is triggered and skb is NULL, then\nhdev->req_skb is NULL, which will cause this issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35933" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35934", + "dataSource": "https://ubuntu.com/security/CVE-2024-35934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35934" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35934", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0", + "https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7", + "https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec", + "https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4", + "https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2", + "https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()\n\nMany syzbot reports show extreme rtnl pressure, and many of them hint\nthat smc acquires rtnl in netns creation for no good reason [1]\n\nThis patch returns early from smc_pnet_net_init()\nif there is no netdevice yet.\n\nI am not even sure why smc_pnet_create_pnetids_list() even exists,\nbecause smc_pnet_netdev_event() is also calling\nsmc_pnet_add_base_pnetid() when handling NETDEV_UP event.\n\n[1] extract of typical syzbot reports\n\n2 locks held by syz-executor.3/12252:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12253:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12257:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12261:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.0/12265:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.3/12268:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12271:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12274:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12280:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35935", + "dataSource": "https://ubuntu.com/security/CVE-2024-35935", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35935" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35935", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35935", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/024529c27c8b4b273325a169e078337c8279e229", + "https://git.kernel.org/stable/c/03938619a1e718b6168ae4528e1b0f979293f1a5", + "https://git.kernel.org/stable/c/2f6174fd4ccf403b42b3d5f0d1b6b496a0e5330a", + "https://git.kernel.org/stable/c/3c6ee34c6f9cd12802326da26631232a61743501", + "https://git.kernel.org/stable/c/4720d590c4cb5d9ffa0060b89743651cc7e995f9", + "https://git.kernel.org/stable/c/9ae356c627b493323e1433dcb27a26917668c07c", + "https://git.kernel.org/stable/c/be2b6bcc936ae17f42fff6494106a5660b35d8d3", + "https://git.kernel.org/stable/c/c1363ed8867b81ea169fba2ccc14af96a85ed183", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\n\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don't accidentally leak kernel\naddresses.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35935" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35936", + "dataSource": "https://ubuntu.com/security/CVE-2024-35936", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35936" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35936", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35936", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d23b34c68c46cd225b55868bc8a269e3134816d", + "https://git.kernel.org/stable/c/1f9212cdbd005bc55f2b7422e7b560d9c02bd1da", + "https://git.kernel.org/stable/c/36c2a2863bc3896243eb724dc3fd4cf9aea633f2", + "https://git.kernel.org/stable/c/576164bd01bd795f8b09fb194b493103506b33c9", + "https://git.kernel.org/stable/c/7411055db5ce64f836aaffd422396af0075fdc99", + "https://git.kernel.org/stable/c/87299cdaae757f3f41212146cfb5b3af416b8385", + "https://git.kernel.org/stable/c/bebd9e0ff90034875c5dfe4bd514fd7055fc7a89", + "https://git.kernel.org/stable/c/d1ffa4ae2d591fdd40471074e79954ec45f147f7", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\n\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\n\n- at first the search key is set up to look for a chunk tree item, with\n offset -1, this is an inexact search and the key->offset will contain\n the correct offset upon a successful search, a valid chunk tree item\n cannot have an offset -1\n\n- after first successful search, the found_key corresponds to a chunk\n item, the offset is decremented by 1 before the next loop, it's\n impossible to find a chunk item there due to alignment and size\n constraints", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35936" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35937", + "dataSource": "https://ubuntu.com/security/CVE-2024-35937", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35937" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35937", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35937", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16da1e1dac23be45ef6e23c41b1508c400e6c544", + "https://git.kernel.org/stable/c/5d7a8585fbb31e88fb2a0f581b70667d3300d1e9", + "https://git.kernel.org/stable/c/9ad7974856926129f190ffbe3beea78460b3b7cc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: check A-MSDU format more carefully\n\nIf it looks like there's another subframe in the A-MSDU\nbut the header isn't fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35937" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35938", + "dataSource": "https://ubuntu.com/security/CVE-2024-35938", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35938" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35938", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35938", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/138fdeac75fb7512a7f9f1c3b236cd2e754af793", + "https://git.kernel.org/stable/c/1cca1bddf9ef080503c15378cecf4877f7510015", + "https://git.kernel.org/stable/c/6597a6687af54e2cb58371cf8f6ee4dd85c537de", + "https://git.kernel.org/stable/c/805a1cdde82fec00c7471a393f4bb437b2741559", + "https://git.kernel.org/stable/c/ae5876b3b7b2243d874e2afa099e7926122087a1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: decrease MHI channel buffer length to 8KB\n\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\nwith 0, making MHI use a default size, 64KB, to allocate channel\nbuffers. This is likely to fail in some scenarios where system\nmemory is highly fragmented and memory compaction or reclaim is\nnot allowed.\n\nThere is a fail report which is caused by it:\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\nWorkqueue: events_unbound async_run_entry_fn\nCall Trace:\n \n dump_stack_lvl+0x47/0x60\n warn_alloc+0x13a/0x1b0\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __alloc_pages_direct_compact+0xab/0x210\n __alloc_pages_slowpath.constprop.0+0xd3e/0xda0\n __alloc_pages+0x32d/0x350\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __kmalloc_large_node+0x72/0x110\n __kmalloc+0x37c/0x480\n ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n device_for_each_child+0x5c/0xa0\n ? __pfx_pci_pm_resume+0x10/0x10\n ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\n ? srso_alias_return_thunk+0x5/0xfbef5\n dpm_run_callback+0x8c/0x1e0\n device_resume+0x104/0x340\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x32/0x120\n process_one_work+0x168/0x330\n worker_thread+0x2f5/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe8/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nActually those buffers are used only by QMI target -> host communication.\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\nthan 6KB. So change buf_len field to 8KB, which results in order 1\nallocation if page size is 4KB. In this way, we can at least save some\nmemory, and as well as decrease the possibility of allocation failure\nin those scenarios.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35938" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35939", + "dataSource": "https://ubuntu.com/security/CVE-2024-35939", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35939" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35939", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35939", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4031b72ca747a1e6e9ae4fa729e765b43363d66a", + "https://git.kernel.org/stable/c/4e0cfb25d49da2e6261ad582f58ffa5b5dd8c8e9", + "https://git.kernel.org/stable/c/b57326c96b7bc7638aa8c44e12afa2defe0c934c", + "https://git.kernel.org/stable/c/b9fa16949d18e06bdf728a560f5c8af56d2bdcaf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-direct: Leak pages on dma_set_decrypted() failure\n\nOn TDX it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nDMA could free decrypted/shared pages if dma_set_decrypted() fails. This\nshould be a rare case. Just leak the pages in this case instead of\nfreeing them.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35939" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35940", + "dataSource": "https://ubuntu.com/security/CVE-2024-35940", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35940" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35940", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35940", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ff96ec22a84d80a18d7ae8ca7eb111c34ee33bb", + "https://git.kernel.org/stable/c/635594cca59f9d7a8e96187600c34facb8bc0682", + "https://git.kernel.org/stable/c/6f9f2e498eae7897ba5d3e33908917f68ff4abcc", + "https://git.kernel.org/stable/c/98bc7e26e14fbb26a6abf97603d59532475e97f8", + "https://git.kernel.org/stable/c/98e2b97acb875d65bdfc75fc408e67975cef3041", + "https://git.kernel.org/stable/c/ec7256887d072f98c42cdbef4dcc80ddf84c7a70", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/zone: Add a null pointer check to the psz_kmsg_read\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35940" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35941", + "dataSource": "https://ubuntu.com/security/CVE-2024-35941", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35941" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35941", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35941", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35941" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35942", + "dataSource": "https://ubuntu.com/security/CVE-2024-35942", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35942" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35942", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35942", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/697624ee8ad557ab5417f985d2c804241a7ad30d", + "https://git.kernel.org/stable/c/9d3f959b426635c4da50dfc7b1306afd84d23e7c", + "https://git.kernel.org/stable/c/b13c0d871cd878ff53d25507ca535f59ed1f6a2a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain\n\nAccording to i.MX8MP RM and HDMI ADD, the fdcc clock is part of\nhdmi rx verification IP that should not enable for HDMI TX.\nBut actually if the clock is disabled before HDMI/LCDIF probe,\nLCDIF will not get pixel clock from HDMI PHY and print the error\nlogs:\n\n[CRTC:39:crtc-2] vblank wait timed out\nWARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260\n\nAdd fdcc clock to LCDIF and HDMI TX power domains to fix the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35942" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35943", + "dataSource": "https://ubuntu.com/security/CVE-2024-35943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35943", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04f23510daa40f9010fadf309507564a34ad956f", + "https://git.kernel.org/stable/c/5d7f58ee08434a33340f75ac7ac5071eea9673b3", + "https://git.kernel.org/stable/c/ce666cecc09c0f92d5f86d89d8068ecfcf723a7e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35943" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35944", + "dataSource": "https://ubuntu.com/security/CVE-2024-35944", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35944" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35944", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35944", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74", + "https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec", + "https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f", + "https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100", + "https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73", + "https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051", + "https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b", + "https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()\n\nSyzkaller hit 'WARNING in dg_dispatch_as_host' bug.\n\nmemcpy: detected field-spanning write (size 56) of single field \"&dg_info->msg\"\nat drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)\n\nWARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237\ndg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237\n\nSome code commentry, based on my understanding:\n\n544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)\n/// This is 24 + payload_size\n\nmemcpy(&dg_info->msg, dg, dg_size);\n\tDestination = dg_info->msg ---> this is a 24 byte\n\t\t\t\t\tstructure(struct vmci_datagram)\n\tSource = dg --> this is a 24 byte structure (struct vmci_datagram)\n\tSize = dg_size = 24 + payload_size\n\n{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.\n\n 35 struct delayed_datagram_info {\n 36 struct datagram_entry *entry;\n 37 struct work_struct work;\n 38 bool in_dg_host_queue;\n 39 /* msg and msg_payload must be together. */\n 40 struct vmci_datagram msg;\n 41 u8 msg_payload[];\n 42 };\n\nSo those extra bytes of payload are copied into msg_payload[], a run time\nwarning is seen while fuzzing with Syzkaller.\n\nOne possible way to fix the warning is to split the memcpy() into\ntwo parts -- one -- direct assignment of msg and second taking care of payload.\n\nGustavo quoted:\n\"Under FORTIFY_SOURCE we should not copy data across multiple members\nin a structure.\"", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35944" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35945", + "dataSource": "https://ubuntu.com/security/CVE-2024-35945", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35945" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35945", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35945", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3419ee39e3d3162ab2ec9942bb537613ed5b6311", + "https://git.kernel.org/stable/c/61c81872815f46006982bb80460c0c80a949b35b", + "https://git.kernel.org/stable/c/7a71f61ebf95cedd3f245db6da397822971d8db5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: phy_device: Prevent nullptr exceptions on ISR\n\nIf phydev->irq is set unconditionally, check\nfor valid interrupt handler or fall back to polling mode to prevent\nnullptr exceptions in interrupt service routine.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35945" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35946", + "dataSource": "https://ubuntu.com/security/CVE-2024-35946", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35946" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35946", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35946", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4f11c741908dab7dd48fa5a986b210d4fc74ca8d", + "https://git.kernel.org/stable/c/7e11a2966f51695c0af0b1f976a32d64dee243b2", + "https://git.kernel.org/stable/c/b34d64e9aa5505e3c84570aed5c757f1839573e8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix null pointer access when abort scan\n\nDuring cancel scan we might use vif that weren't scanning.\nFix this by using the actual scanning vif.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35946" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35947", + "dataSource": "https://ubuntu.com/security/CVE-2024-35947", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35947" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35947", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35947", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c", + "https://git.kernel.org/stable/c/343081c21e56bd6690d342e2f5ae8c00183bf081", + "https://git.kernel.org/stable/c/3c718bddddca9cbef177ac475b94c5c91147fb38", + "https://git.kernel.org/stable/c/41d8ac238ab1cab01a8c71798d61903304f4e79b", + "https://git.kernel.org/stable/c/529e1852785599160415e964ca322ee7add7aef0", + "https://git.kernel.org/stable/c/a66c869b17c4c4dcf81d273b02cb0efe88e127ab", + "https://git.kernel.org/stable/c/a69e1bdd777ce51061111dc419801e8a2fd241cc", + "https://git.kernel.org/stable/c/ba3c118cff7bcb0fe6aa84ae1f9080d50e31c561", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndyndbg: fix old BUG_ON in >control parser\n\nFix a BUG_ON from 2009. Even if it looks \"unreachable\" (I didn't\nreally look), lets make sure by removing it, doing pr_err and return\n-EINVAL instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-35947" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35948", + "dataSource": "https://ubuntu.com/security/CVE-2024-35948", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35948" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35948", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35948", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/fcdbc1d7a4b638e5d5668de461f320386f3002aa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: Check for journal entries overruning end of sb clean section\n\nFix a missing bounds check in superblock validation.\n\nNote that we don't yet have repair code for this case - repair code for\nindividual items is generally low priority, since the whole superblock\nis checksummed, validated prior to write, and we have backups.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35948" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35949", + "dataSource": "https://ubuntu.com/security/CVE-2024-35949", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35949" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35949", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35949", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273", + "https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make sure that WRITTEN is set on all metadata blocks\n\nWe previously would call btrfs_check_leaf() if we had the check\nintegrity code enabled, which meant that we could only run the extended\nleaf checks if we had WRITTEN set on the header flags.\n\nThis leaves a gap in our checking, because we could end up with\ncorruption on disk where WRITTEN isn't set on the leaf, and then the\nextended leaf checks don't get run which we rely on to validate all of\nthe item pointers to make sure we don't access memory outside of the\nextent buffer.\n\nHowever, since 732fab95abe2 (\"btrfs: check-integrity: remove\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\") we no longer call\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\never call it on blocks that are being written out, and thus have WRITTEN\nset, or that are being read in, which should have WRITTEN set.\n\nAdd checks to make sure we have WRITTEN set appropriately, and then make\nsure __btrfs_check_leaf() always does the item checking. This will\nprotect us from file systems that have been corrupted and no longer have\nWRITTEN set on some of the blocks.\n\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\nKASAN as out-of-bound access in the eb accessors. The example is a dir\nitem at the end of an eb.\n\n [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\n [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\n [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\n [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\n [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\n [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\n [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\n [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\n [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\n [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\n [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\n [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\n [2.621] Call Trace:\n [2.621] \n [2.621] ? show_regs+0x74/0x80\n [2.621] ? die_addr+0x46/0xc0\n [2.621] ? exc_general_protection+0x161/0x2a0\n [2.621] ? asm_exc_general_protection+0x26/0x30\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? btrfs_get_16+0x34b/0x6d0\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? __pfx_btrfs_get_16+0x10/0x10\n [2.621] ? __pfx_mutex_unlock+0x10/0x10\n [2.621] btrfs_match_dir_item_name+0x101/0x1a0\n [2.621] btrfs_lookup_dir_item+0x1f3/0x280\n [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10\n [2.621] btrfs_get_tree+0xd25/0x1910\n\n[ copy more details from report ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35949" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35950", + "dataSource": "https://ubuntu.com/security/CVE-2024-35950", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35950" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35950", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35950", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04e018bd913d3d3336ab7d21c2ad31a9175fe984", + "https://git.kernel.org/stable/c/18c8cc6680ce938d0458859b6a08b4d34f7d8055", + "https://git.kernel.org/stable/c/3eadd887dbac1df8f25f701e5d404d1b90fd0fea", + "https://git.kernel.org/stable/c/41586487769eede64ab1aa6c65c74cbf76c12ef0", + "https://git.kernel.org/stable/c/5a2f957e3c4553bbb100504a1acfeaeb33f4ca4e", + "https://git.kernel.org/stable/c/8ceb873d816786a7c8058f50d903574aff8d3764", + "https://git.kernel.org/stable/c/d2dc6600d4e3e1453e3b1fb233e9f97e2a1ae949", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\n\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it the elements may already be pointing to\nfreed/reused memory.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35950" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35951", + "dataSource": "https://ubuntu.com/security/CVE-2024-35951", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35951" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35951", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35951", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/1fc9af813b25e146d3607669247d0f970f5a87c3", + "https://git.kernel.org/stable/c/31806711e8a4b75e09b1c43652f2a6420e6e1002", + "https://git.kernel.org/stable/c/e18070c622c63f0cab170348e320454728c277aa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\n\nSubject: [PATCH] drm/panfrost: Fix the error path in\n panfrost_mmu_map_fault_addr()\n\nIf some the pages or sgt allocation failed, we shouldn't release the\npages ref we got earlier, otherwise we will end up with unbalanced\nget/put_pages() calls. We should instead leave everything in place\nand let the BO release function deal with extra cleanup when the object\nis destroyed, or let the fault handler try again next time it's called.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35951" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35955", + "dataSource": "https://ubuntu.com/security/CVE-2024-35955", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35955" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35955", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35955", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e", + "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8", + "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0", + "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d", + "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808", + "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412", + "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33", + "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\n\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35955" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35956", + "dataSource": "https://ubuntu.com/security/CVE-2024-35956", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35956" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35956", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35956", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9", + "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c", + "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\n\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\n\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\n\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n\n1. any failure before record_root_in_trans is called successfully\n results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n transaction owns freeing the reservation.\n\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35956" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35958", + "dataSource": "https://ubuntu.com/security/CVE-2024-35958", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35958" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35958", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35958", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1", + "https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7", + "https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0", + "https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde", + "https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d", + "https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Fix incorrect descriptor free behavior\n\nENA has two types of TX queues:\n- queues which only process TX packets arriving from the network stack\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\n or XDP_TX instructions\n\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\nand unmaps + frees every descriptor that hasn't been acknowledged yet\nby the device (uncompleted TX transactions).\nThe function assumes that the processed TX queue is necessarily from\nthe first category listed above and ends up using napi_consume_skb()\nfor descriptors belonging to an XDP specific queue.\n\nThis patch solves a bug in which, in case of a VF reset, the\ndescriptors aren't freed correctly, leading to crashes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35958" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35959", + "dataSource": "https://ubuntu.com/security/CVE-2024-35959", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35959" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35959", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35959", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7", + "https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76", + "https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519", + "https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\n\nWhen mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which\ncalls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using\nlockdep_is_held().\n\nAcquire the state_lock in mlx5e_selq_cleanup().\n\nKernel log:\n=============================\nWARNING: suspicious RCU usage\n6.8.0-rc3_net_next_841a9b5 #1 Not tainted\n-----------------------------\ndrivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by systemd-modules/293:\n #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]\n #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]\n\nstack backtrace:\nCPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x8a/0xa0\n lockdep_rcu_suspicious+0x154/0x1a0\n mlx5e_selq_apply+0x94/0xa0 [mlx5_core]\n mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]\n mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]\n mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]\n rdma_init_netdev+0x4e/0x80 [ib_core]\n ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]\n ipoib_intf_init+0x64/0x550 [ib_ipoib]\n ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]\n ipoib_add_one+0xb0/0x360 [ib_ipoib]\n add_client_context+0x112/0x1c0 [ib_core]\n ib_register_client+0x166/0x1b0 [ib_core]\n ? 0xffffffffa0573000\n ipoib_init_module+0xeb/0x1a0 [ib_ipoib]\n do_one_initcall+0x61/0x250\n do_init_module+0x8a/0x270\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x17d/0x230\n __x64_sys_finit_module+0x61/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35959" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35960", + "dataSource": "https://ubuntu.com/security/CVE-2024-35960", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35960" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35960", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35960", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423", + "https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f", + "https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801", + "https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0", + "https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64", + "https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453", + "https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d", + "https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Properly link new fs rules into the tree\n\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\n\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node->parent is != NULL.\n\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which lead to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\n\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35960" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35965", + "dataSource": "https://ubuntu.com/security/CVE-2024-35965", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35965" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35965", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35965", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4f3951242ace5efc7131932e2e01e6ac6baed846", + "https://git.kernel.org/stable/c/8ee0c132a61df9723813c40e742dc5321824daa9", + "https://git.kernel.org/stable/c/9d42f373391211c7c8af66a3a316533a32b8a607" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix not validating setsockopt user input\n\nCheck user input length before copying data.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35965" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35966", + "dataSource": "https://ubuntu.com/security/CVE-2024-35966", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35966" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35966", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35966", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4ea65e2095e9bd151d0469328dd7fc2858feb546", + "https://git.kernel.org/stable/c/a97de7bff13b1cc825c1b1344eaed8d6c2d3e695", + "https://git.kernel.org/stable/c/c3f787a3eafe519c93df9abbb0ca5145861c8d0f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: Fix not validating setsockopt user input\n\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\nnet/bluetooth/rfcomm/sock.c:632 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\nnet/bluetooth/rfcomm/sock.c:673\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35966" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35967", + "dataSource": "https://ubuntu.com/security/CVE-2024-35967", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35967" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35967", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35967", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/419a0ffca7010216f0fc265b08558d7394fa0ba7", + "https://git.kernel.org/stable/c/51eda36d33e43201e7a4fd35232e069b2c850b01", + "https://git.kernel.org/stable/c/72473db90900da970a16ee50ad23c2c38d107d8c", + "https://git.kernel.org/stable/c/7bc65d23ba20dcd7ecc094a12c181e594e5eb315", + "https://git.kernel.org/stable/c/b0e30c37695b614bee69187f86eaf250e36606ce", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix not validating setsockopt user input\n\nsyzbot reported sco_sock_setsockopt() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\nnet/bluetooth/sco.c:893\nRead of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35967" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35969", + "dataSource": "https://ubuntu.com/security/CVE-2024-35969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35969" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35969", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652", + "https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70", + "https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb", + "https://git.kernel.org/stable/c/6cdb20c342cd0193d3e956e3d83981d0f438bb83", + "https://git.kernel.org/stable/c/7633c4da919ad51164acbf1aa322cc1a3ead6129", + "https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1", + "https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903", + "https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\n\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\n\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\n\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\n\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n reference count drops to zero and kfree_rcu is scheduled.\n\n3. ipv6_get_ifaddr continues and tries to increments the reference count\n (in6_ifa_hold).\n\n4. The rcu is unlocked and the entry is freed.\n\n5. The freed entry is returned.\n\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\n\n[ 41.506330] refcount_t: addition on 0; use-after-free.\n[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[ 41.507413] Modules linked in: veth bridge stp llc\n[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 41.516799] Call Trace:\n[ 41.517037] \n[ 41.517249] ? __warn+0x7b/0x120\n[ 41.517535] ? refcount_warn_saturate+0xa5/0x130\n[ 41.517923] ? report_bug+0x164/0x190\n[ 41.518240] ? handle_bug+0x3d/0x70\n[ 41.518541] ? exc_invalid_op+0x17/0x70\n[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20\n[ 41.521325] ? refcount_warn_saturate+0xa5/0x130\n[ 41.521708] ipv6_get_ifaddr+0xda/0xe0\n[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0\n[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0\n[ 41.523102] ? netlink_unicast+0x30f/0x390\n[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 41.523832] netlink_rcv_skb+0x53/0x100\n[ 41.524157] netlink_unicast+0x23b/0x390\n[ 41.524484] netlink_sendmsg+0x1f2/0x440\n[ 41.524826] __sys_sendto+0x1d8/0x1f0\n[ 41.525145] __x64_sys_sendto+0x1f/0x30\n[ 41.525467] do_syscall_64+0xa5/0x1b0\n[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[ 41.526213] RIP: 0033:0x7fbc4cfcea9a\n[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[ 41.527942] RSP: 002b:00007f\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35969" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35970", + "dataSource": "https://ubuntu.com/security/CVE-2024-35970", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35970" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35970", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35970", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/601a89ea24d05089debfa2dc896ea9f5937ac7a6", + "https://git.kernel.org/stable/c/698a95ade1a00e6494482046902b986dfffd1caf", + "https://git.kernel.org/stable/c/84a352b7eba1142a95441380058985ff19f25ec9", + "https://git.kernel.org/stable/c/b46f4eaa4f0ec38909fb0072eea3aeddb32f954e", + "https://git.kernel.org/stable/c/b4bc99d04c689b5652665394ae8d3e02fb754153" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Clear stale u->oob_skb.\n\nsyzkaller started to report deadlock of unix_gc_lock after commit\n4090fa373f0e (\"af_unix: Replace garbage collection algorithm.\"), but\nit just uncovers the bug that has been there since commit 314001f0bf92\n(\"af_unix: Add OOB support\").\n\nThe repro basically does the following.\n\n from socket import *\n from array import array\n\n c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)\n c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array(\"i\", [c2.fileno()]))], MSG_OOB)\n c2.recv(1) # blocked as no normal data in recv queue\n\n c2.close() # done async and unblock recv()\n c1.close() # done async and trigger GC\n\nA socket sends its file descriptor to itself as OOB data and tries to\nreceive normal data, but finally recv() fails due to async close().\n\nThe problem here is wrong handling of OOB skb in manage_oob(). When\nrecvmsg() is called without MSG_OOB, manage_oob() is called to check\nif the peeked skb is OOB skb. In such a case, manage_oob() pops it\nout of the receive queue but does not clear unix_sock(sk)->oob_skb.\nThis is wrong in terms of uAPI.\n\nLet's say we send \"hello\" with MSG_OOB, and \"world\" without MSG_OOB.\nThe 'o' is handled as OOB data. When recv() is called twice without\nMSG_OOB, the OOB data should be lost.\n\n >>> from socket import *\n >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0)\n >>> c1.send(b'hello', MSG_OOB) # 'o' is OOB data\n 5\n >>> c1.send(b'world')\n 5\n >>> c2.recv(5) # OOB data is not received\n b'hell'\n >>> c2.recv(5) # OOB date is skipped\n b'world'\n >>> c2.recv(5, MSG_OOB) # This should return an error\n b'o'\n\nIn the same situation, TCP actually returns -EINVAL for the last\nrecv().\n\nAlso, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always set\nEPOLLPRI even though the data has passed through by previous recv().\n\nTo avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing\nit from recv queue.\n\nThe reason why the old GC did not trigger the deadlock is because the\nold GC relied on the receive queue to detect the loop.\n\nWhen it is triggered, the socket with OOB data is marked as GC candidate\nbecause file refcount == inflight count (1). However, after traversing\nall inflight sockets, the socket still has a positive inflight count (1),\nthus the socket is excluded from candidates. Then, the old GC lose the\nchance to garbage-collect the socket.\n\nWith the old GC, the repro continues to create true garbage that will\nnever be freed nor detected by kmemleak as it's linked to the global\ninflight list. That's why we couldn't even notice the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35970" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35971", + "dataSource": "https://ubuntu.com/security/CVE-2024-35971", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35971" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35971", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35971", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540", + "https://git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b", + "https://git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f", + "https://git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Handle softirqs at the end of IRQ thread to fix hang\n\nThe ks8851_irq() thread may call ks8851_rx_pkts() in case there are\nany packets in the MAC FIFO, which calls netif_rx(). This netif_rx()\nimplementation is guarded by local_bh_disable() and local_bh_enable().\nThe local_bh_enable() may call do_softirq() to run softirqs in case\nany are pending. One of the softirqs is net_rx_action, which ultimately\nreaches the driver .start_xmit callback. If that happens, the system\nhangs. The entire call chain is below:\n\nks8851_start_xmit_par from netdev_start_xmit\nnetdev_start_xmit from dev_hard_start_xmit\ndev_hard_start_xmit from sch_direct_xmit\nsch_direct_xmit from __dev_queue_xmit\n__dev_queue_xmit from __neigh_update\n__neigh_update from neigh_update\nneigh_update from arp_process.constprop.0\narp_process.constprop.0 from __netif_receive_skb_one_core\n__netif_receive_skb_one_core from process_backlog\nprocess_backlog from __napi_poll.constprop.0\n__napi_poll.constprop.0 from net_rx_action\nnet_rx_action from __do_softirq\n__do_softirq from call_with_stack\ncall_with_stack from do_softirq\ndo_softirq from __local_bh_enable_ip\n__local_bh_enable_ip from netif_rx\nnetif_rx from ks8851_irq\nks8851_irq from irq_thread_fn\nirq_thread_fn from irq_thread\nirq_thread from kthread\nkthread from ret_from_fork\n\nThe hang happens because ks8851_irq() first locks a spinlock in\nks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)\nand with that spinlock locked, calls netif_rx(). Once the execution\nreaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again\nwhich attempts to claim the already locked spinlock again, and the\nhang happens.\n\nMove the do_softirq() call outside of the spinlock protected section\nof ks8851_irq() by disabling BHs around the entire spinlock protected\nsection of ks8851_irq() handler. Place local_bh_enable() outside of\nthe spinlock protected section, so that it can trigger do_softirq()\nwithout the ks8851_par.c ks8851_lock_par() spinlock being held, and\nsafely call ks8851_start_xmit_par() without attempting to lock the\nalready locked spinlock.\n\nSince ks8851_irq() is protected by local_bh_disable()/local_bh_enable()\nnow, replace netif_rx() with __netif_rx() which is not duplicating the\nlocal_bh_disable()/local_bh_enable() calls.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35971" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35973", + "dataSource": "https://ubuntu.com/security/CVE-2024-35973", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35973" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35973", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35973", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915", + "https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e", + "https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852", + "https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79", + "https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536", + "https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670", + "https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c", + "https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n packet_snd net/packet/af_packet.c:3024 [inline]\n packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35973" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35976", + "dataSource": "https://ubuntu.com/security/CVE-2024-35976", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35976" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35976", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35976", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0b45c25d60e38f5c2cb6823f886773a34323306d", + "https://git.kernel.org/stable/c/237f3cf13b20db183d3706d997eedc3c49eacd44", + "https://git.kernel.org/stable/c/2a523f14a3f53b46ff0e1fafd215b0bc5f6783aa", + "https://git.kernel.org/stable/c/2eb979fbb2479bcd7e049f2f9978b6590dd8a0e6", + "https://git.kernel.org/stable/c/a82984b3c6a7e8c7937dba6e857ddf829d149417", + "https://git.kernel.org/stable/c/b143e19dc28c3211f050f7848d87d9b0a170e10c", + "https://git.kernel.org/stable/c/beb99266830520e15fbc6ca8cc5a5240d76851fd", + "https://git.kernel.org/stable/c/f0a068de65d5b7358e9aff792716afa9333f3922" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\n\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\n\nMake sure to validate setsockopt() @optlen parameter.\n\n[1]\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\n\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n \n\nAllocated by task 7549:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:3966 [inline]\n __kmalloc+0x233/0x4a0 mm/slub.c:3979\n kmalloc include/linux/slab.h:632 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\n\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n set_page_owner include/linux/page_owner.h:31 [inline]\n post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n prep_new_page mm/page_alloc.c:\n---truncated---", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 6.7, + "exploitabilityScore": 1.4, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35976" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35978", + "dataSource": "https://ubuntu.com/security/CVE-2024-35978", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35978" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35978", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35978", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810", + "https://git.kernel.org/stable/c/4beab84fbb50df3be1d8f8a976e6fe882ca65cb2", + "https://git.kernel.org/stable/c/66fab1e120b39f8f47a94186ddee36006fc02ca8", + "https://git.kernel.org/stable/c/75193678cce993aa959e7764b6df2f599886dd06", + "https://git.kernel.org/stable/c/8478394f76c748862ef179a16f651f752bdafaf0", + "https://git.kernel.org/stable/c/89a32741f4217856066c198a4a7267bcdd1edd67", + "https://git.kernel.org/stable/c/9ab5e44b9bac946bd49fd63264a08cd1ea494e76", + "https://git.kernel.org/stable/c/e4cb8382fff6706436b66eafd9c0ee857ff0a9f5", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix memory leak in hci_req_sync_complete()\n\nIn 'hci_req_sync_complete()', always free the previous sync\nrequest state before assigning reference to a new one.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35978" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35979", + "dataSource": "https://ubuntu.com/security/CVE-2024-35979", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35979" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35979", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35979", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3f28d49a328fe20926995d5fbdc92da665596268", + "https://git.kernel.org/stable/c/f423f41b7679c09abb26d2bd54be5cbef23c9446", + "https://git.kernel.org/stable/c/fcf3f7e2fc8a53a6140beee46ec782a4c88e4744" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nraid1: fix use-after-free for original bio in raid1_write_request()\n\nr1_bio->bios[] is used to record new bios that will be issued to\nunderlying disks, however, in raid1_write_request(), r1_bio->bios[]\nwill set to the original bio temporarily. Meanwhile, if blocked rdev\nis set, free_r1bio() will be called causing that all r1_bio->bios[]\nto be freed:\n\nraid1_write_request()\n r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL\n for (i = 0; i < disks; i++) -> for each rdev in conf\n // first rdev is normal\n r1_bio->bios[0] = bio; -> set to original bio\n // second rdev is blocked\n if (test_bit(Blocked, &rdev->flags))\n break\n\n if (blocked_rdev)\n free_r1bio()\n put_all_bios()\n bio_put(r1_bio->bios[0]) -> original bio is freed\n\nTest scripts:\n\nmdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean\nfio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \\\n -iodepth=128 -name=test -direct=1\necho blocked > /sys/block/md0/md/rd2/state\n\nTest result:\n\nBUG bio-264 (Not tainted): Object already free\n-----------------------------------------------------------------------------\n\nAllocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869\n kmem_cache_alloc+0x324/0x480\n mempool_alloc_slab+0x24/0x50\n mempool_alloc+0x6e/0x220\n bio_alloc_bioset+0x1af/0x4d0\n blkdev_direct_IO+0x164/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n io_submit_one+0x5ca/0xb70\n __do_sys_io_submit+0x86/0x270\n __x64_sys_io_submit+0x22/0x30\n do_syscall_64+0xb1/0x210\n entry_SYSCALL_64_after_hwframe+0x6c/0x74\nFreed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869\n kmem_cache_free+0x28c/0x550\n mempool_free_slab+0x1f/0x30\n mempool_free+0x40/0x100\n bio_free+0x59/0x80\n bio_put+0xf0/0x220\n free_r1bio+0x74/0xb0\n raid1_make_request+0xadf/0x1150\n md_handle_request+0xc7/0x3b0\n md_submit_bio+0x76/0x130\n __submit_bio+0xd8/0x1d0\n submit_bio_noacct_nocheck+0x1eb/0x5c0\n submit_bio_noacct+0x169/0xd40\n submit_bio+0xee/0x1d0\n blkdev_direct_IO+0x322/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n\nSince that bios for underlying disks are not allocated yet, fix this\nproblem by using mempool_free() directly to free the r1_bio.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35979" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35982", + "dataSource": "https://ubuntu.com/security/CVE-2024-35982", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35982" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35982", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35982", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/04720ea2e6c64459a90ca28570ea78335eccd924", + "https://git.kernel.org/stable/c/3fe79b2c83461edbbf86ed8a6f3924820ff89259", + "https://git.kernel.org/stable/c/4ca2a5fb54ea2cc43edea614207fcede562d91c2", + "https://git.kernel.org/stable/c/70a8be9dc2fb65d67f8c1e0c88c587e08e2e575d", + "https://git.kernel.org/stable/c/87b6af1a7683e021710c08fc0551fc078346032f", + "https://git.kernel.org/stable/c/b1f532a3b1e6d2e5559c7ace49322922637a28aa", + "https://git.kernel.org/stable/c/b3ddf6904073990492454b1dd1c10a24be8c74c6", + "https://git.kernel.org/stable/c/ca54e2671548616ad34885f90d4f26f7adb088f0", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Avoid infinite loop trying to resize local TT\n\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\n\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\n\n batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\n\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\n\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\n\nWhile this should be handled proactively when:\n\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n attached interfaces)\n\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.1, + "exploitabilityScore": 1.4, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35982" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35984", + "dataSource": "https://ubuntu.com/security/CVE-2024-35984", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35984" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35984", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35984", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/357c64ef1ef39b1e7cd91ab6bdd304d043702c83", + "https://git.kernel.org/stable/c/40f1d79f07b49c8a64a861706e5163f2db4bd95d", + "https://git.kernel.org/stable/c/4e75e222d397c6752b229ed72fc4644c8c36ecde", + "https://git.kernel.org/stable/c/5a09eae9a7db597fe0c1fc91636205b4a25d2620", + "https://git.kernel.org/stable/c/5fd72404587d7db4acb2d241fd8c387afb0a7aec", + "https://git.kernel.org/stable/c/91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f", + "https://git.kernel.org/stable/c/ad3c3ac7a03be3697114f781193dd3e9d97e6e23", + "https://git.kernel.org/stable/c/e3425674ff68dc521c57c6eabad0cbd20a027d85", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: smbus: fix NULL function pointer dereference\n\nBaruch reported an OOPS when using the designware controller as target\nonly. Target-only modes break the assumption of one transfer function\nalways being available. Fix this by always checking the pointer in\n__i2c_transfer.\n\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35984" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35988", + "dataSource": "https://ubuntu.com/security/CVE-2024-35988", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35988" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35988", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35988", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04bf2e5f95c1a52e28a7567a507f926efe31c3b6", + "https://git.kernel.org/stable/c/4201b8c8f2c32af321fb50867e68ac6c1cbed4be", + "https://git.kernel.org/stable/c/52e8a42b11078d2aad4b9ba96503d77c7299168b", + "https://git.kernel.org/stable/c/6065e736f82c817c9a597a31ee67f0ce4628e948", + "https://git.kernel.org/stable/c/a0f0dbbb1bc49fa0de18e92c36492ff6d804cdaa", + "https://git.kernel.org/stable/c/efdcfa554b6eb228943ef1dd4d023c606be647d2", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix TASK_SIZE on 64-bit NOMMU\n\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35988" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35989", + "dataSource": "https://ubuntu.com/security/CVE-2024-35989", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35989" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35989", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35989", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/023b6390a15a98f9c3aa5e7da78d485d5384a08e", + "https://git.kernel.org/stable/c/47533176fdcef17b114a6f688bc872901c1ec6bb", + "https://git.kernel.org/stable/c/9edd3aa34d50f27b97be30b2ba4a6af0945ff56b", + "https://git.kernel.org/stable/c/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be", + "https://git.kernel.org/stable/c/f976eca36cdf94e32fa4f865db0e7c427c9aa33c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\n\nDuring the removal of the idxd driver, registered offline callback is\ninvoked as part of the clean up process. However, on systems with only\none CPU online, no valid target is available to migrate the\nperf context, resulting in a kernel oops:\n\n BUG: unable to handle page fault for address: 000000000002a2b8\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1470e1067 P4D 0\n Oops: 0002 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\n Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n RIP: 0010:mutex_lock+0x2e/0x50\n ...\n Call Trace:\n \n __die+0x24/0x70\n page_fault_oops+0x82/0x160\n do_user_addr_fault+0x65/0x6b0\n __pfx___rdmsr_safe_on_cpu+0x10/0x10\n exc_page_fault+0x7d/0x170\n asm_exc_page_fault+0x26/0x30\n mutex_lock+0x2e/0x50\n mutex_lock+0x1e/0x50\n perf_pmu_migrate_context+0x87/0x1f0\n perf_event_cpu_offline+0x76/0x90 [idxd]\n cpuhp_invoke_callback+0xa2/0x4f0\n __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\n cpuhp_thread_fun+0x98/0x150\n smpboot_thread_fn+0x27/0x260\n smpboot_thread_fn+0x1af/0x260\n __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0x103/0x140\n __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nFix the issue by preventing the migration of the perf context to an\ninvalid target.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35989" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35990", + "dataSource": "https://ubuntu.com/security/CVE-2024-35990", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35990" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35990", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35990", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0ccac964520a6f19e355652c8ca38af2a7f27076", + "https://git.kernel.org/stable/c/244296cc3a155199a8b080d19e645d7d49081a38", + "https://git.kernel.org/stable/c/8bf574183282d219cfa991f7df37aad491d74c11", + "https://git.kernel.org/stable/c/8e3c94767cad5150198e4337c8b91f3bb068e14b", + "https://git.kernel.org/stable/c/c660be571609e03e7d5972343536a736fcb31557", + "https://git.kernel.org/stable/c/fcdd5bb4a8c81c64c1334d7e0aba41a8829a24de", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: xilinx_dpdma: Fix locking\n\nThere are several places where either chan->lock or chan->vchan.lock was\nnot held. Add appropriate locking. This fixes lockdep warnings like\n\n[ 31.077578] ------------[ cut here ]------------\n[ 31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.077953] Modules linked in:\n[ 31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98\n[ 31.078102] Hardware name: xlnx,zynqmp (DT)\n[ 31.078169] Workqueue: events_unbound deferred_probe_work_func\n[ 31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0\n[ 31.078550] sp : ffffffc083bb2e10\n[ 31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168\n[ 31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480\n[ 31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000\n[ 31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000\n[ 31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001\n[ 31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def\n[ 31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516\n[ 31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff\n[ 31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000\n[ 31.080307] Call trace:\n[ 31.080340] xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.080518] xilinx_dpdma_issue_pending+0x11c/0x120\n[ 31.080595] zynqmp_disp_layer_update+0x180/0x3ac\n[ 31.080712] zynqmp_dpsub_plane_atomic_update+0x11c/0x21c\n[ 31.080825] drm_atomic_helper_commit_planes+0x20c/0x684\n[ 31.080951] drm_atomic_helper_commit_tail+0x5c/0xb0\n[ 31.081139] commit_tail+0x234/0x294\n[ 31.081246] drm_atomic_helper_commit+0x1f8/0x210\n[ 31.081363] drm_atomic_commit+0x100/0x140\n[ 31.081477] drm_client_modeset_commit_atomic+0x318/0x384\n[ 31.081634] drm_client_modeset_commit_locked+0x8c/0x24c\n[ 31.081725] drm_client_modeset_commit+0x34/0x5c\n[ 31.081812] __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168\n[ 31.081899] drm_fb_helper_set_par+0x50/0x70\n[ 31.081971] fbcon_init+0x538/0xc48\n[ 31.082047] visual_init+0x16c/0x23c\n[ 31.082207] do_bind_con_driver.isra.0+0x2d0/0x634\n[ 31.082320] do_take_over_console+0x24c/0x33c\n[ 31.082429] do_fbcon_takeover+0xbc/0x1b0\n[ 31.082503] fbcon_fb_registered+0x2d0/0x34c\n[ 31.082663] register_framebuffer+0x27c/0x38c\n[ 31.082767] __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c\n[ 31.082939] drm_fb_helper_initial_config+0x50/0x74\n[ 31.083012] drm_fbdev_dma_client_hotplug+0xb8/0x108\n[ 31.083115] drm_client_register+0xa0/0xf4\n[ 31.083195] drm_fbdev_dma_setup+0xb0/0x1cc\n[ 31.083293] zynqmp_dpsub_drm_init+0x45c/0x4e0\n[ 31.083431] zynqmp_dpsub_probe+0x444/0x5e0\n[ 31.083616] platform_probe+0x8c/0x13c\n[ 31.083713] really_probe+0x258/0x59c\n[ 31.083793] __driver_probe_device+0xc4/0x224\n[ 31.083878] driver_probe_device+0x70/0x1c0\n[ 31.083961] __device_attach_driver+0x108/0x1e0\n[ 31.084052] bus_for_each_drv+0x9c/0x100\n[ 31.084125] __device_attach+0x100/0x298\n[ 31.084207] device_initial_probe+0x14/0x20\n[ 31.084292] bus_probe_device+0xd8/0xdc\n[ 31.084368] deferred_probe_work_func+0x11c/0x180\n[ 31.084451] process_one_work+0x3ac/0x988\n[ 31.084643] worker_thread+0x398/0x694\n[ 31.084752] kthread+0x1bc/0x1c0\n[ 31.084848] ret_from_fork+0x10/0x20\n[ 31.084932] irq event stamp: 64549\n[ 31.084970] hardirqs last enabled at (64548): [] _raw_spin_unlock_irqrestore+0x80/0x90\n[ 31.085157]\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35990" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35995", + "dataSource": "https://ubuntu.com/security/CVE-2024-35995", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35995" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35995", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35995", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01fc53be672acae37e611c80cc0b4f3939584de3", + "https://git.kernel.org/stable/c/1b890ae474d19800a6be1696df7fb4d9a41676e4", + "https://git.kernel.org/stable/c/2f4a4d63a193be6fd530d180bb13c3592052904c", + "https://git.kernel.org/stable/c/4949affd5288b867cdf115f5b08d6166b2027f87", + "https://git.kernel.org/stable/c/6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1", + "https://git.kernel.org/stable/c/6dfd79ed04c578f1d9a9a41ba5b2015cf9f03fc3", + "https://git.kernel.org/stable/c/b54c4632946ae42f2b39ed38abd909bbf78cbcc2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Use access_width over bit_width for system memory accesses\n\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\ncannot be depended on to be always on a clean 8b boundary. This was\nuncovered on the Cobalt 100 platform.\n\nSError Interrupt on CPU26, code 0xbe000011 -- SError\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n pc : cppc_get_perf_caps+0xec/0x410\n lr : cppc_get_perf_caps+0xe8/0x410\n sp : ffff8000155ab730\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\n Kernel panic - not syncing: Asynchronous SError Interrupt\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\n5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n Call trace:\n dump_backtrace+0x0/0x1e0\n show_stack+0x24/0x30\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n panic+0x16c/0x384\n add_taint+0x0/0xc0\n arm64_serror_panic+0x7c/0x90\n arm64_is_fatal_ras_serror+0x34/0xa4\n do_serror+0x50/0x6c\n el1h_64_error_handler+0x40/0x74\n el1h_64_error+0x7c/0x80\n cppc_get_perf_caps+0xec/0x410\n cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\n cpufreq_online+0x2dc/0xa30\n cpufreq_add_dev+0xc0/0xd4\n subsys_interface_register+0x134/0x14c\n cpufreq_register_driver+0x1b0/0x354\n cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\n do_one_initcall+0x50/0x250\n do_init_module+0x60/0x27c\n load_module+0x2300/0x2570\n __do_sys_finit_module+0xa8/0x114\n __arm64_sys_finit_module+0x2c/0x3c\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x180/0x1a0\n do_el0_svc+0x84/0xa0\n el0_svc+0x2c/0xc0\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n\nInstead, use access_width to determine the size and use the offset and\nwidth to shift and mask the bits to read/write out. Make sure to add a\ncheck for system memory since pcc redefines the access_width to\nsubspace id.\n\nIf access_width is not set, then fall back to using bit_width.\n\n[ rjw: Subject and changelog edits, comment adjustments ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35995" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35997", + "dataSource": "https://ubuntu.com/security/CVE-2024-35997", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35997" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35997", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35997", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0561b65fbd53d3e788c5b0222d9112ca016fd6a1", + "https://git.kernel.org/stable/c/21bfca822cfc1e71796124e93b46e0d9fa584401", + "https://git.kernel.org/stable/c/29e94f295bad5be59cf4271a93e22cdcf5536722", + "https://git.kernel.org/stable/c/418c5575d56410c6e186ab727bf32ae32447d497", + "https://git.kernel.org/stable/c/5095b93021b899f54c9355bebf36d78854c33a22", + "https://git.kernel.org/stable/c/9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e", + "https://git.kernel.org/stable/c/b65fb50e04a95eec34a9d1bc138454a98a5578d8", + "https://git.kernel.org/stable/c/c448a9fd50f77e8fb9156ff64848aa4295eb3003", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\n\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\n\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\n\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\n\nDelete this unnecessary flag.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35997" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35998", + "dataSource": "https://ubuntu.com/security/CVE-2024-35998", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35998" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35998", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35998", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/699f8958dece132709c0bff6a9700999a2a63b75", + "https://git.kernel.org/stable/c/8248224ab5b8ca7559b671917c224296a4d671fc", + "https://git.kernel.org/stable/c/8861fd5180476f45f9e8853db154600469a0284f", + "https://git.kernel.org/stable/c/c7a4bca289e50bb4b2650f845c41bb3e453f4c66" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix lock ordering potential deadlock in cifs_sync_mid_result\n\nCoverity spotted that the cifs_sync_mid_result function could deadlock\n\n\"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires\nlock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock\"\n\nAddresses-Coverity: 1590401 (\"Thread deadlock (ORDER_REVERSAL)\")", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35998" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35999", + "dataSource": "https://ubuntu.com/security/CVE-2024-35999", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35999" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35999", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35999", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0fcf7e219448e937681216353c9a58abae6d3c2e", + "https://git.kernel.org/stable/c/60ab245292280905603bc0d3654f4cf8fceccb00", + "https://git.kernel.org/stable/c/8094a600245e9b28eb36a13036f202ad67c1f887", + "https://git.kernel.org/stable/c/98c7ed29cd754ae7475dc7cb3f33399fda902729" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: missing lock when picking channel\n\nCoverity spotted a place where we should have been holding the\nchannel lock when accessing the ses channel index.\n\nAddresses-Coverity: 1582039 (\"Data race condition (MISSING_LOCK)\")", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35999" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36000", + "dataSource": "https://ubuntu.com/security/CVE-2024-36000", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36000" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36000", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36000", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4c806333efea1000a2a9620926f560ad2e1ca7cc", + "https://git.kernel.org/stable/c/538faabf31e9c53d8c870d114846fda958a0de10", + "https://git.kernel.org/stable/c/b76b46902c2d0395488c8412e1116c2486cdfcb2", + "https://git.kernel.org/stable/c/f6c5d21db16a0910152ec8aa9d5a7aed72694505" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix missing hugetlb_lock for resv uncharge\n\nThere is a recent report on UFFDIO_COPY over hugetlb:\n\nhttps://lore.kernel.org/all/000000000000ee06de0616177560@google.com/\n\n350:\tlockdep_assert_held(&hugetlb_lock);\n\nShould be an issue in hugetlb but triggered in an userfault context, where\nit goes into the unlikely path where two threads modifying the resv map\ntogether. Mike has a fix in that path for resv uncharge but it looks like\nthe locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()\nwill update the cgroup pointer, so it requires to be called with the lock\nheld.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36000" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36003", + "dataSource": "https://ubuntu.com/security/CVE-2024-36003", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36003" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36003", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36003", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/740717774dc37338404d10726967d582414f638c", + "https://git.kernel.org/stable/c/96fdd1f6b4ed72a741fb0eb705c0e13049b8721f", + "https://git.kernel.org/stable/c/de8631d8c9df08440268630200e64b623a5f69e6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix LAG and VF lock dependency in ice_reset_vf()\n\n9f74a3dfcf83 (\"ice: Fix VF Reset paths when interface in a failed over\naggregate\"), the ice driver has acquired the LAG mutex in ice_reset_vf().\nThe commit placed this lock acquisition just prior to the acquisition of\nthe VF configuration lock.\n\nIf ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK\nflag, this could deadlock with ice_vc_cfg_qs_msg() because it always\nacquires the locks in the order of the VF configuration lock and then the\nLAG mutex.\n\nLockdep reports this violation almost immediately on creating and then\nremoving 2 VF:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-rc6 #54 Tainted: G W O\n------------------------------------------------------\nkworker/60:3/6771 is trying to acquire lock:\nff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice]\n\nbut task is already holding lock:\nff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&pf->lag_mutex){+.+.}-{3:3}:\n __lock_acquire+0x4f8/0xb40\n lock_acquire+0xd4/0x2d0\n __mutex_lock+0x9b/0xbf0\n ice_vc_cfg_qs_msg+0x45/0x690 [ice]\n ice_vc_process_vf_msg+0x4f5/0x870 [ice]\n __ice_clean_ctrlq+0x2b5/0x600 [ice]\n ice_service_task+0x2c9/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n kthread+0x104/0x140\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1b/0x30\n\n-> #0 (&vf->cfg_lock){+.+.}-{3:3}:\n check_prev_add+0xe2/0xc50\n validate_chain+0x558/0x800\n __lock_acquire+0x4f8/0xb40\n lock_acquire+0xd4/0x2d0\n __mutex_lock+0x9b/0xbf0\n ice_reset_vf+0x22f/0x4d0 [ice]\n ice_process_vflr_event+0x98/0xd0 [ice]\n ice_service_task+0x1cc/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n kthread+0x104/0x140\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1b/0x30\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n CPU0 CPU1\n ---- ----\n lock(&pf->lag_mutex);\n lock(&vf->cfg_lock);\n lock(&pf->lag_mutex);\n lock(&vf->cfg_lock);\n\n *** DEADLOCK ***\n4 locks held by kworker/60:3/6771:\n #0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n #1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n #2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice]\n #3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\n\nstack backtrace:\nCPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G W O 6.8.0-rc6 #54\nHardware name:\nWorkqueue: ice ice_service_task [ice]\nCall Trace:\n \n dump_stack_lvl+0x4a/0x80\n check_noncircular+0x12d/0x150\n check_prev_add+0xe2/0xc50\n ? save_trace+0x59/0x230\n ? add_chain_cache+0x109/0x450\n validate_chain+0x558/0x800\n __lock_acquire+0x4f8/0xb40\n ? lockdep_hardirqs_on+0x7d/0x100\n lock_acquire+0xd4/0x2d0\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? lock_is_held_type+0xc7/0x120\n __mutex_lock+0x9b/0xbf0\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? rcu_is_watching+0x11/0x50\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ice_reset_vf+0x22f/0x4d0 [ice]\n ? process_one_work+0x176/0x4d0\n ice_process_vflr_event+0x98/0xd0 [ice]\n ice_service_task+0x1cc/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x104/0x140\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nTo avoid deadlock, we must acquire the LAG \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36003" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36004", + "dataSource": "https://ubuntu.com/security/CVE-2024-36004", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36004" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36004", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36004", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c", + "https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939", + "https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e", + "https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c", + "https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd", + "https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0", + "https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22", + "https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nIssue reported by customer during SRIOV testing, call trace:\nWhen both i40e and the i40iw driver are loaded, a warning\nin check_flush_dependency is being triggered. This seems\nto be because of the i40e driver workqueue is allocated with\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\n\nSimilar error was encountered on ice too and it was fixed by\nremoving the flag. Do the same for i40e too.\n\n[Feb 9 09:08] ------------[ cut here ]------------\n[ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\nflushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\ncheck_flush_dependency+0x10b/0x120\n[ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\ndm_region_hash dm_log dm_mod fuse\n[ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\n[ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\n[ +0.000001] Workqueue: i40e i40e_service_task [i40e]\n[ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\n[ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\n[ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\n[ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\n0000000000000027\n[ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\nffff94d47f620bc0\n[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\n00000000ffff7fff\n[ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\nffff94c5451ea180\n[ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\nffff94c5f1330ab0\n[ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000)\nknlGS:0000000000000000\n[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\n00000000007706f0\n[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ +0.000001] PKRU: 55555554\n[ +0.000001] Call Trace:\n[ +0.000001] \n[ +0.000002] ? __warn+0x80/0x130\n[ +0.000003] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? report_bug+0x195/0x1a0\n[ +0.000005] ? handle_bug+0x3c/0x70\n[ +0.000003] ? exc_invalid_op+0x14/0x70\n[ +0.000002] ? asm_exc_invalid_op+0x16/0x20\n[ +0.000006] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] __flush_workqueue+0x126/0x3f0\n[ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\n[ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core]\n[ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core]\n[ +0.000020] i40iw_close+0x4b/0x90 [irdma]\n[ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\n[ +0.000035] i40e_service_task+0x126/0x190 [i40e]\n[ +0.000024] process_one_work+0x174/0x340\n[ +0.000003] worker_th\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36004" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36005", + "dataSource": "https://ubuntu.com/security/CVE-2024-36005", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36005" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36005", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36005", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13ba94f6cc820fdea15efeaa17d4c722874eebf9", + "https://git.kernel.org/stable/c/5c45feb3c288cf44a529e2657b36c259d86497d2", + "https://git.kernel.org/stable/c/8260c980aee7d8d8a3db39faf19c391d2f898816", + "https://git.kernel.org/stable/c/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2", + "https://git.kernel.org/stable/c/ca34c40d1c22c555fa7f4a21a1c807fea7290a0a", + "https://git.kernel.org/stable/c/e4bb6da24de336a7899033a65490ed2d892efa5b", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: honor table dormant flag from netdev release event path\n\nCheck for table dormant flag otherwise netdev release event path tries\nto unregister an already unregistered hook.\n\n[524854.857999] ------------[ cut here ]------------\n[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\n[524854.858869] Workqueue: netns cleanup_net\n[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260\n[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41\n[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246\n[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a\n[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438\n[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34\n[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005\n[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00\n[524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0\n[524854.859000] Call Trace:\n[524854.859006] \n[524854.859013] ? __warn+0x9f/0x1a0\n[524854.859027] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859044] ? report_bug+0x1b1/0x1e0\n[524854.859060] ? handle_bug+0x3c/0x70\n[524854.859071] ? exc_invalid_op+0x17/0x40\n[524854.859083] ? asm_exc_invalid_op+0x1a/0x20\n[524854.859100] ? __nf_unregister_net_hook+0x6a/0x260\n[524854.859116] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables]\n[524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859461] ? packet_notifier+0xb3/0x360\n[524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40\n[524854.859489] ? dcbnl_netdevice_event+0x35/0x140\n[524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859661] notifier_call_chain+0x7d/0x140\n[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36005" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36006", + "dataSource": "https://ubuntu.com/security/CVE-2024-36006", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36006" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36006", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36006", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09846c2309b150b8ce4e0ce96f058197598fc530", + "https://git.kernel.org/stable/c/0b2c13b670b168e324e1cf109e67056a20fd610a", + "https://git.kernel.org/stable/c/4526a56e02da3725db979358964df9cd9c567154", + "https://git.kernel.org/stable/c/64435b64e43d8ee60faa46c0cd04e323e8b2a7b0", + "https://git.kernel.org/stable/c/ab4ecfb627338e440ae11def004c524a00d93e40", + "https://git.kernel.org/stable/c/af8b593c3dd9df82cb199be65863af004b09fd97", + "https://git.kernel.org/stable/c/b377add0f0117409c418ddd6504bd682ebe0bf79", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\n\nBoth the function that migrates all the chunks within a region and the\nfunction that migrates all the entries within a chunk call\nlist_first_entry() on the respective lists without checking that the\nlists are not empty. This is incorrect usage of the API, which leads to\nthe following warning [1].\n\nFix by returning if the lists are empty as there is nothing to migrate\nin this case.\n\n[1]\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\nModules linked in:\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36006" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36007", + "dataSource": "https://ubuntu.com/security/CVE-2024-36007", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36007" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36007", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36007", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573", + "https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596", + "https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d", + "https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952", + "https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b", + "https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916", + "https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\n\nAs previously explained, the rehash delayed work migrates filters from\none region to another. This is done by iterating over all chunks (all\nthe filters with the same priority) in the region and in each chunk\niterating over all the filters.\n\nWhen the work runs out of credits it stores the current chunk and entry\nas markers in the per-work context so that it would know where to resume\nthe migration from the next time the work is scheduled.\n\nUpon error, the chunk marker is reset to NULL, but without resetting the\nentry markers despite being relative to it. This can result in migration\nbeing resumed from an entry that does not belong to the chunk being\nmigrated. In turn, this will eventually lead to a chunk being iterated\nover as if it is an entry. Because of how the two structures happen to\nbe defined, this does not lead to KASAN splats, but to warnings such as\n[1].\n\nFix by creating a helper that resets all the markers and call it from\nall the places the currently only reset the chunk marker. For good\nmeasures also call it when starting a completely new rehash. Add a\nwarning to avoid future cases.\n\n[1]\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\nModules linked in:\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36007" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36008", + "dataSource": "https://ubuntu.com/security/CVE-2024-36008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36008" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/03b5a9b2b526862b21bcc31976e393a6e63785d1", + "https://git.kernel.org/stable/c/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1", + "https://git.kernel.org/stable/c/7a25bfd12733a8f38f8ca47c581f876c3d481ac0", + "https://git.kernel.org/stable/c/7da0f91681c4902bc5c210356fdd963b04d5d1d4", + "https://git.kernel.org/stable/c/8240c7308c941db4d9a0a91b54eca843c616a655", + "https://git.kernel.org/stable/c/c71ea3534ec0936fc57e6fb271c7cc6a2f68c295", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: check for NULL idev in ip_route_use_hint()\n\nsyzbot was able to trigger a NULL deref in fib_validate_source()\nin an old tree [1].\n\nIt appears the bug exists in latest trees.\n\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\nFS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\n ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\n ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\n ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\n ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\n __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\n __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\n __netif_receive_skb_list net/core/dev.c:5672 [inline]\n netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\n netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\n xdp_recv_frames net/bpf/test_run.c:257 [inline]\n xdp_test_run_batch net/bpf/test_run.c:335 [inline]\n bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\n bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\n bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\n __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\n __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36008" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36009", + "dataSource": "https://ubuntu.com/security/CVE-2024-36009", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36009" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36009", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36009", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/0d14f104027e30720582448706c7d6b43065c851", + "https://git.kernel.org/stable/c/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b", + "https://git.kernel.org/stable/c/4fee8fa86a15d7790268eea458b1aec69c695530", + "https://git.kernel.org/stable/c/c42b073d9af4a5329b25b17390c63ab3847f30e8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix netdev refcount issue\n\nThe dev_tracker is added to ax25_cb in ax25_bind(). When the\nax25 device is detaching, the dev_tracker of ax25_cb should be\ndeallocated in ax25_kill_by_device() instead of the dev_tracker\nof ax25_dev. The log reported by ref_tracker is shown below:\n\n[ 80.884935] ref_tracker: reference already released.\n[ 80.885150] ref_tracker: allocated in:\n[ 80.885349] ax25_dev_device_up+0x105/0x540\n[ 80.885730] ax25_device_event+0xa4/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] __dev_notify_flags+0x138/0x280\n[ 80.885730] dev_change_flags+0xd7/0x180\n[ 80.885730] dev_ifsioc+0x6a9/0xa30\n[ 80.885730] dev_ioctl+0x4d8/0xd90\n[ 80.885730] sock_do_ioctl+0x1c2/0x2d0\n[ 80.885730] sock_ioctl+0x38b/0x4f0\n[ 80.885730] __se_sys_ioctl+0xad/0xf0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.885730] ref_tracker: freed in:\n[ 80.885730] ax25_device_event+0x272/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] dev_close_many+0x272/0x370\n[ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180\n[ 80.885730] unregister_netdev+0xcf/0x120\n[ 80.885730] sixpack_close+0x11f/0x1b0\n[ 80.885730] tty_ldisc_kill+0xcb/0x190\n[ 80.885730] tty_ldisc_hangup+0x338/0x3d0\n[ 80.885730] __tty_hangup+0x504/0x740\n[ 80.885730] tty_release+0x46e/0xd80\n[ 80.885730] __fput+0x37f/0x770\n[ 80.885730] __x64_sys_close+0x7b/0xb0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.893739] ------------[ cut here ]------------\n[ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0\n[ 80.894297] Modules linked in:\n[ 80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11\n[ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4\n[ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0\n[ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9\n[ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286\n[ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000\n[ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518\n[ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a\n[ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4\n[ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518\n[ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000\n[ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0\n...\n[ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at\n[ 80.935774] ax25_bind+0x424/0x4e0\n[ 80.935774] __sys_bind+0x1d9/0x270\n[ 80.935774] __x64_sys_bind+0x75/0x80\n[ 80.935774] do_syscall_64+0xc4/0x1b0\n[ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n\nChange ax25_dev->dev_tracker to the dev_tracker of ax25_cb\nin order to mitigate the bug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36009" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36012", + "dataSource": "https://ubuntu.com/security/CVE-2024-36012", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36012" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36012", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36012", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac", + "https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56", + "https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940", + "https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: msft: fix slab-use-after-free in msft_do_close()\n\nTying the msft->data lifetime to hdev by freeing it in\nhci_release_dev() to fix the following case:\n\n[use]\nmsft_do_close()\n msft = hdev->msft_data;\n if (!msft) ...(1) <- passed.\n return;\n mutex_lock(&msft->filter_lock); ...(4) <- used after freed.\n\n[free]\nmsft_unregister()\n msft = hdev->msft_data;\n hdev->msft_data = NULL; ...(2)\n kfree(msft); ...(3) <- msft is freed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30\nkernel/locking/mutex.c:752\nRead of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36012" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36013", + "dataSource": "https://ubuntu.com/security/CVE-2024-36013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36013", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658", + "https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6", + "https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()\n\nExtend a critical section to prevent chan from early freeing.\nAlso make the l2cap_connect() return type void. Nothing is using the\nreturned value but it is ugly to return a potentially freed pointer.\nMaking it void will help with backports because earlier kernels did use\nthe return value. Now the compile will break for kernels where this\npatch is not a complete fix.\n\nCall stack summary:\n\n[use]\nl2cap_bredr_sig_cmd\n l2cap_connect\n ┌ mutex_lock(&conn->chan_lock);\n │ chan = pchan->ops->new_connection(pchan); <- alloc chan\n │ __l2cap_chan_add(conn, chan);\n │ l2cap_chan_hold(chan);\n │ list_add(&chan->list, &conn->chan_l); ... (1)\n └ mutex_unlock(&conn->chan_lock);\n chan->conf_state ... (4) <- use after free\n\n[free]\nl2cap_conn_del\n┌ mutex_lock(&conn->chan_lock);\n│ foreach chan in conn->chan_l: ... (2)\n│ l2cap_chan_put(chan);\n│ l2cap_chan_destroy\n│ kfree(chan) ... (3) <- chan freed\n└ mutex_unlock(&conn->chan_lock);\n\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read\ninclude/linux/instrumented.h:68 [inline]\nBUG: KASAN: slab-use-after-free in _test_bit\ninclude/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0\nnet/bluetooth/l2cap_core.c:4260\nRead of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 0.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36013" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36014", + "dataSource": "https://ubuntu.com/security/CVE-2024-36014", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36014" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36014", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36014", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/335cc45ef2b81b68be63c698b4f867a530bdf7a5", + "https://git.kernel.org/stable/c/3e54d4e95120641216dfe91a6c49f116a9f68490", + "https://git.kernel.org/stable/c/565d9ad7e5a18eb69ed8b66a9e9bb3f45346520c", + "https://git.kernel.org/stable/c/93f76ec1eddce60dbb5885cbc0d7df54adee4639", + "https://git.kernel.org/stable/c/a1f95aede6285dba6dd036d907196f35ae3a11ea", + "https://git.kernel.org/stable/c/a5fa5b40a278a3ca978fed64707bd27614adb1eb", + "https://git.kernel.org/stable/c/b6cc5dd06336ed8bb3a7a1fc5aaf7d5e88bc0818", + "https://git.kernel.org/stable/c/b77620730f614059db2470e8ebab3e725280fc6d", + "https://git.kernel.org/stable/c/e4b52d49383306ef73fd1bd9102538beebb0fe07" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/arm/malidp: fix a possible null pointer dereference\n\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36014" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36015", + "dataSource": "https://ubuntu.com/security/CVE-2024-36015", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36015" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36015", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36015", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5d5b24edad1107a2ffa99058f20f6aeeafeb5d39", + "https://git.kernel.org/stable/c/65cd017d43f4319a56747d38308b0a24cf57299e", + "https://git.kernel.org/stable/c/b65d0410b879af0295d22438a4a32012786d152a", + "https://git.kernel.org/stable/c/b8c6b83cc3adff3ddf403c8c7063fe6d08b2b9d9", + "https://git.kernel.org/stable/c/d32caf51379a4d71db03d3d4d7c22d27cdf7f68b", + "https://git.kernel.org/stable/c/df9329247dbbf00f6057e002139ab3fa529ad828", + "https://git.kernel.org/stable/c/ec3468221efec6660ff656e9ebe51ced3520fc57", + "https://git.kernel.org/stable/c/fbf740aeb86a4fe82ad158d26d711f2f3be79b3e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nppdev: Add an error check in register_device\n\nIn register_device, the return value of ida_simple_get is unchecked,\nin witch ida_simple_get will use an invalid index value.\n\nTo address this issue, index should be checked after ida_simple_get. When\nthe index value is abnormal, a warning message should be printed, the port\nshould be dropped, and the value should be recorded.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36015" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36016", + "dataSource": "https://ubuntu.com/security/CVE-2024-36016", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36016" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36016", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36016", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0fb736c9931e02dbc7d9a75044c8e1c039e50f04", + "https://git.kernel.org/stable/c/46f52c89a7e7d2691b97a9728e4591d071ca8abc", + "https://git.kernel.org/stable/c/47388e807f85948eefc403a8a5fdc5b406a65d5a", + "https://git.kernel.org/stable/c/4c267110fc110390704cc065edb9817fdd10ff54", + "https://git.kernel.org/stable/c/774d83b008eccb1c48c14dc5486e7aa255731350", + "https://git.kernel.org/stable/c/9513d4148950b05bc99fa7314dc883cc0e1605e5", + "https://git.kernel.org/stable/c/b229bc6c6ea9fe459fc3fa94fd0a27a2f32aca56", + "https://git.kernel.org/stable/c/b890d45aaf02b564e6cae2d2a590f9649330857d", + "https://git.kernel.org/stable/c/f126ce7305fe88f49cdabc6db4168b9318898ea3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\n\nAssuming the following:\n- side A configures the n_gsm in basic option mode\n- side B sends the header of a basic option mode frame with data length 1\n- side A switches to advanced option mode\n- side B sends 2 data bytes which exceeds gsm->len\n Reason: gsm->len is not used in advanced option mode.\n- side A switches to basic option mode\n- side B keeps sending until gsm0_receive() writes past gsm->buf\n Reason: Neither gsm->state nor gsm->len have been reset after\n reconfiguration.\n\nFix this by changing gsm->count to gsm->len comparison from equal to less\nthan. Also add upper limit checks against the constant MAX_MRU in\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\ngsm->len and gsm->mru.\n\nAll other checks remain as we still need to limit the data according to the\nuser configuration and actual payload size.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.7, + "exploitabilityScore": 2.5, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2024-36016" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36017", + "dataSource": "https://ubuntu.com/security/CVE-2024-36017", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36017" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36017", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36017", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1aec77b2bb2ed1db0f5efc61c4c1ca3813307489", + "https://git.kernel.org/stable/c/206003c748b88890a910ef7142d18f77be57550b", + "https://git.kernel.org/stable/c/4a4b9757789a1551d2df130df23bfb3545bfa7e8", + "https://git.kernel.org/stable/c/5e7ef2d88666a0212db8c38e6703864b9ce70169", + "https://git.kernel.org/stable/c/6c8f44b02500c7d14b5e6618fe4ef9a0da47b3de", + "https://git.kernel.org/stable/c/6e4c7193954f4faab92f6e8d88bc5565317b44e7", + "https://git.kernel.org/stable/c/8ac69ff2d0d5be9734c4402de932aa3dc8549c1a", + "https://git.kernel.org/stable/c/f3c1bf3054f96ddeab0621d920445bada769b40e", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\n\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\nis not enough and a too small attribute might be cast to a\nstruct ifla_vf_vlan_info, this might result in an out of bands\nread access when accessing the saved (casted) entry in ivvl.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36017" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36020", + "dataSource": "https://ubuntu.com/security/CVE-2024-36020", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36020" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36020", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36020", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6", + "https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0", + "https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba", + "https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31", + "https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a", + "https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c", + "https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d", + "https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix vf may be used uninitialized in this function warning\n\nTo fix the regression introduced by commit 52424f974bc5, which causes\nservers hang in very hard to reproduce conditions with resets races.\nUsing two sources for the information is the root cause.\nIn this function before the fix bumping v didn't mean bumping vf\npointer. But the code used this variables interchangeably, so stale vf\ncould point to different/not intended vf.\n\nRemove redundant \"v\" variable and iterate via single VF pointer across\nwhole function instead to guarantee VF pointer validity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36020" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36021", + "dataSource": "https://ubuntu.com/security/CVE-2024-36021", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36021" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36021", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36021", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b550dae55901c2cc9075d6a7155a71b4f516e86", + "https://git.kernel.org/stable/c/50b69054f455dcdb34bd6b22764c7579b270eef3", + "https://git.kernel.org/stable/c/7ca0f73e5e2da3c129935b97f3a0877cce8ebdf5", + "https://git.kernel.org/stable/c/93305b77ffcb042f1538ecc383505e87d95aa05a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when devlink reload during pf initialization\n\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash. This patch fixes this by taking devl_lock during initialization.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36021" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36022", + "dataSource": "https://ubuntu.com/security/CVE-2024-36022", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36022" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36022", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36022", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4f8154f775197d0021b690c2945d6a4d8094c8f6", + "https://git.kernel.org/stable/c/f679fd6057fbf5ab34aaee28d58b7f81af0cbf48" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Init zone device and drm client after mode-1 reset on reload\n\nIn passthrough environment, when amdgpu is reloaded after unload, mode-1\nis triggered after initializing the necessary IPs, That init does not\ninclude KFD, and KFD init waits until the reset is completed. KFD init\nis called in the reset handler, but in this case, the zone device and\ndrm client is not initialized, causing app to create kernel panic.\n\nv2: Removing the init KFD condition from amdgpu_amdkfd_drm_client_create.\nAs the previous version has the potential of creating DRM client twice.\n\nv3: v2 patch results in SDMA engine hung as DRM open causes VM clear to SDMA\nbefore SDMA init. Adding the condition to in drm client creation, on top of v1,\nto guard against drm client creation call multiple times.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36022" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36024", + "dataSource": "https://ubuntu.com/security/CVE-2024-36024", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36024" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36024", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36024", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2aac387445610d6dfd681f5214388e86f5677ef7", + "https://git.kernel.org/stable/c/6226a5aa77370329e01ee8abe50a95e60618ce97" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Disable idle reallow as part of command/gpint execution\n\n[Why]\nWorkaroud for a race condition where DMCUB is in the process of\ncommitting to IPS1 during the handshake causing us to miss the\ntransition into IPS2 and touch the INBOX1 RPTR causing a HW hang.\n\n[How]\nDisable the reallow to ensure that we have enough of a gap between entry\nand exit and we're not seeing back-to-back wake_and_executes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36024" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36025", + "dataSource": "https://ubuntu.com/security/CVE-2024-36025", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36025" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36025", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36025", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4406e4176f47177f5e51b4cc7e6a7a2ff3dbfbbd", + "https://git.kernel.org/stable/c/60b87b5ecbe07d70897d35947b0bb3e76ccd1b3a", + "https://git.kernel.org/stable/c/8c820f7c8e9b46238d277c575392fe9930207aab", + "https://git.kernel.org/stable/c/9fc74e367be4247a5ac39bb8ec41eaa73fade510", + "https://git.kernel.org/stable/c/ea8ac95c22c93acecb710209a7fd10b851afe817" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix off by one in qla_edif_app_getstats()\n\nThe app_reply->elem[] array is allocated earlier in this function and it\nhas app_req.num_ports elements. Thus this > comparison needs to be >= to\nprevent memory corruption.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36025" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36026", + "dataSource": "https://ubuntu.com/security/CVE-2024-36026", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36026" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36026", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36026", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e3b8874d55c0c28378beb9007494a7a9269a5f5", + "https://git.kernel.org/stable/c/31729e8c21ecfd671458e02b6511eb68c2225113", + "https://git.kernel.org/stable/c/7521329e54931ede9e042bbf5f4f812b5bc4a01d", + "https://git.kernel.org/stable/c/bd9b94055c3deb2398ee4490c1dfdf03f53efb8f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11\n\nWhile doing multiple S4 stress tests, GC/RLC/PMFW get into\nan invalid state resulting into hard hangs.\n\nAdding a GFX reset as workaround just before sending the\nMP1_UNLOAD message avoids this failure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36026" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36029", + "dataSource": "https://ubuntu.com/security/CVE-2024-36029", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36029" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36029", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36029", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1200481cd6069d16ce20133bcd86f5825e26a045", + "https://git.kernel.org/stable/c/56b99a52229d7f8cd1f53d899f57aa7eb4b199af", + "https://git.kernel.org/stable/c/a957ea5aa3d3518067a1ba32c6127322ad348d20", + "https://git.kernel.org/stable/c/f653b04a818c490b045c97834d559911479aa1c5", + "https://git.kernel.org/stable/c/f8def10f73a516b771051a2f70f2f0446902cb4f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-msm: pervent access to suspended controller\n\nGeneric sdhci code registers LED device and uses host->runtime_suspended\nflag to protect access to it. The sdhci-msm driver doesn't set this flag,\nwhich causes a crash when LED is accessed while controller is runtime\nsuspended. Fix this by setting the flag correctly.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36029" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36031", + "dataSource": "https://ubuntu.com/security/CVE-2024-36031", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36031" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36031", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36031", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/25777f3f4e1f371d16a594925f31e37ce07b6ec7", + "https://git.kernel.org/stable/c/939a08bcd4334bad4b201e60bd0ae1f278d71d41", + "https://git.kernel.org/stable/c/9da27fb65a14c18efd4473e2e82b76b53ba60252", + "https://git.kernel.org/stable/c/ad2011ea787928b2accb5134f1e423b11fe80a8a", + "https://git.kernel.org/stable/c/cc219cb8afbc40ec100c0de941047bb29373126a", + "https://git.kernel.org/stable/c/e4519a016650e952ad9eb27937f8c447d5a4e06d", + "https://git.kernel.org/stable/c/ed79b93f725cd0da39a265dc23d77add1527b9be" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkeys: Fix overwrite of key expiration on instantiation\n\nThe expiry time of a key is unconditionally overwritten during\ninstantiation, defaulting to turn it permanent. This causes a problem\nfor DNS resolution as the expiration set by user-space is overwritten to\nTIME64_MAX, disabling further DNS updates. Fix this by restoring the\ncondition that key_set_expiry is only called when the pre-parser sets a\nspecific expiry.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36031" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36032", + "dataSource": "https://ubuntu.com/security/CVE-2024-36032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/57062aa13e87b1a78a4a8f6cb5fab6ba24f5f488", + "https://git.kernel.org/stable/c/62d5550ab62042dcceaf18844d0feadbb962cffe", + "https://git.kernel.org/stable/c/6b63e0ef4d3ce0080395e5091fba2023f246c45a", + "https://git.kernel.org/stable/c/a571044cc0a0c944e7c12237b6768aeedd7480e1", + "https://git.kernel.org/stable/c/cda0d6a198e2a7ec6f176c36173a57bdd8af7af2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix info leak when fetching fw build id\n\nAdd the missing sanity checks and move the 255-byte build-id buffer off\nthe stack to avoid leaking stack data through debugfs in case the\nbuild-info reply is malformed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36032" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36244", + "dataSource": "https://ubuntu.com/security/CVE-2024-36244", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36244" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36244", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36244", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/91f249b01fe490fce11fbb4307952ca8cce78724", + "https://git.kernel.org/stable/c/b939d1e04a90248b4cdf417b0969c270ceb992b2", + "https://git.kernel.org/stable/c/fb66df20a7201e60f2b13d7f95d031b31a8831d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: extend minimum interval restriction to entire cycle too\n\nIt is possible for syzbot to side-step the restriction imposed by the\nblamed commit in the Fixes: tag, because the taprio UAPI permits a\ncycle-time different from (and potentially shorter than) the sum of\nentry intervals.\n\nWe need one more restriction, which is that the cycle time itself must\nbe larger than N * ETH_ZLEN bit times, where N is the number of schedule\nentries. This restriction needs to apply regardless of whether the cycle\ntime came from the user or was the implicit, auto-calculated value, so\nwe move the existing \"cycle == 0\" check outside the \"if \"(!new->cycle_time)\"\nbranch. This way covers both conditions and scenarios.\n\nAdd a selftest which illustrates the issue triggered by syzbot.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36244" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36270", + "dataSource": "https://ubuntu.com/security/CVE-2024-36270", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36270" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36270", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36270", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07eeedafc59c45fe5de43958128542be3784764c", + "https://git.kernel.org/stable/c/10f0af5234dafd03d2b75233428ec3f11cf7e43d", + "https://git.kernel.org/stable/c/21a673bddc8fd4873c370caf9ae70ffc6d47e8d3", + "https://git.kernel.org/stable/c/570b4c52096e62fda562448f5760fd0ff06110f0", + "https://git.kernel.org/stable/c/6fe5af4ff06db3d4d80e07a19356640428159f03", + "https://git.kernel.org/stable/c/819bfeca16eb9ad647ddcae25e7e12c30612147c", + "https://git.kernel.org/stable/c/caf3a8afb5ea00db6d5398adf148d5534615fd80" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: tproxy: bail out if IP has been disabled on the device\n\nsyzbot reports:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n[..]\nRIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62\nCall Trace:\n nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]\n nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168\n\n__in_dev_get_rcu() can return NULL, so check for this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36270" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36286", + "dataSource": "https://ubuntu.com/security/CVE-2024-36286", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36286" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36286", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36286", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/215df6490e208bfdd5b3012f5075e7f8736f3e7a", + "https://git.kernel.org/stable/c/25ea5377e3d2921a0f96ae2551f5ab1b36825dd4", + "https://git.kernel.org/stable/c/3989b817857f4890fab9379221a9d3f52bf5c256", + "https://git.kernel.org/stable/c/68f40354a3851df46c27be96b84f11ae193e36c5", + "https://git.kernel.org/stable/c/8658bd777cbfcb0c13df23d0ea120e70517761b9", + "https://git.kernel.org/stable/c/8f365564af898819a523f1a8cf5c6ce053e9f718", + "https://git.kernel.org/stable/c/dc21c6cc3d6986d938efbf95de62473982c98dec", + "https://git.kernel.org/stable/c/e01065b339e323b3dfa1be217fd89e9b3208b0ab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()\n\nsyzbot reported that nf_reinject() could be called without rcu_read_lock() :\n\nWARNING: suspicious RCU usage\n6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted\n\nnet/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by syz-executor.4/13427:\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172\n\nstack backtrace:\nCPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]\n nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397\n nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]\n instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172\n rcu_do_batch kernel/rcu/tree.c:2196 [inline]\n rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471\n handle_softirqs+0x2d6/0x990 kernel/softirq.c:554\n __do_softirq kernel/softirq.c:588 [inline]\n invoke_softirq kernel/softirq.c:428 [inline]\n __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:649\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n \n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36286" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36478", + "dataSource": "https://ubuntu.com/security/CVE-2024-36478", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36478" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36478", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36478", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47", + "https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\n\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\n\nTest script:\n\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\n\nTest result:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n \n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\n\nThis is because del_gendisk() can concurrent with\nblk_mq_update_nr_hw_queues():\n\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t if (!dev->nullb)\n\t\t\t\t // still set while gendisk is deleted\n\t\t\t\t return 0\n\t\t\t\t blk_mq_update_nr_hw_queues\n dev->nullb = NULL\n\nFix this problem by resuing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36478" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36479", + "dataSource": "https://ubuntu.com/security/CVE-2024-36479", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36479" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36479", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36479", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1da11f822042eb6ef4b6064dc048f157a7852529", + "https://git.kernel.org/stable/c/6896b6b2e2d9ec4e1b0acb4c1698a75a4b34d125", + "https://git.kernel.org/stable/c/d7c4081c54a1d4068de9440957303a76f9e5c95b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: bridge: add owner module and take its refcount\n\nThe current implementation of the fpga bridge assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the bridge if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_bridge\nstruct and use it to take the module's refcount. Modify the function for\nregistering a bridge to take an additional owner module parameter and\nrename it to avoid conflicts. Use the old function name for a helper macro\nthat automatically sets the module that registers the bridge as the owner.\nThis ensures compatibility with existing low-level control modules and\nreduces the chances of registering a bridge without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga bridge.\n\nOther changes: opportunistically move put_device() from __fpga_bridge_get()\nto fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity since\nthe bridge device is taken in these functions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36479" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36484", + "dataSource": "https://ubuntu.com/security/CVE-2024-36484", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36484" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36484", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36484", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21c14c556cccd0cb54b71ec5e901e64ba84c7165", + "https://git.kernel.org/stable/c/26afda78cda3da974fd4c287962c169e9462c495", + "https://git.kernel.org/stable/c/59801e88c99f7c3f44a4d20af6ba6417aa359b5d", + "https://git.kernel.org/stable/c/5f9a04a94fd1894d7009055ab8e5832a0242dba3", + "https://git.kernel.org/stable/c/6e03006548c66b979f4e5e9fc797aac4dad82822", + "https://git.kernel.org/stable/c/7de00adc9bd035d861ba4177848ca0bfa5ed1e04", + "https://git.kernel.org/stable/c/87bdc9f6f58b4417362d6932b49b828e319f97dc", + "https://git.kernel.org/stable/c/c09ddc605893df542c6cf8dde6a57a93f7cf0adb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: relax socket state check at accept time.\n\nChristoph reported the following splat:\n\nWARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0\nModules linked in:\nCPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nRIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759\nCode: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80\nRSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293\nRAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64\nR10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000\nR13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800\nFS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786\n do_accept+0x435/0x620 net/socket.c:1929\n __sys_accept4_file net/socket.c:1969 [inline]\n __sys_accept4+0x9b/0x110 net/socket.c:1999\n __do_sys_accept net/socket.c:2016 [inline]\n __se_sys_accept net/socket.c:2013 [inline]\n __x64_sys_accept+0x7d/0x90 net/socket.c:2013\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x4315f9\nCode: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b\nRAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300\nR10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055\n \n\nThe reproducer invokes shutdown() before entering the listener status.\nAfter commit 94062790aedb (\"tcp: defer shutdown(SEND_SHUTDOWN) for\nTCP_SYN_RECV sockets\"), the above causes the child to reach the accept\nsyscall in FIN_WAIT1 status.\n\nEric noted we can relax the existing assertion in __inet_accept()", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36484" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36489", + "dataSource": "https://ubuntu.com/security/CVE-2024-36489", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36489" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36489", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36489", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c260a24cf1c4d30ea3646124f766ee46169280b", + "https://git.kernel.org/stable/c/335c8f1566d8e44c384d16b450a18554896d4e8b", + "https://git.kernel.org/stable/c/91e61dd7a0af660408e87372d8330ceb218be302", + "https://git.kernel.org/stable/c/ab67c2fd3d070a21914d0c31319d3858ab4e199c", + "https://git.kernel.org/stable/c/d72e126e9a36d3d33889829df8fc90100bb0e071", + "https://git.kernel.org/stable/c/ef21007a7b581c7fe64d5a10c320880a033c837b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix missing memory barrier in tls_init\n\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\n\nCPU0 CPU1\n----- -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\n\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots) -(2)\n\n // In sock_common_setsockopt()\n READ_ONCE(sk->sk_prot)->setsockopt()\n\n // In tls_{setsockopt,getsockopt}()\n ctx->sk_proto->setsockopt() -(3)\n\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\n\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36489" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36880", + "dataSource": "https://ubuntu.com/security/CVE-2024-36880", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36880" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36880", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36880", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02f05ed44b71152d5e11d29be28aed91c0489b4e", + "https://git.kernel.org/stable/c/1caceadfb50432dbf6d808796cb6c34ebb6d662c", + "https://git.kernel.org/stable/c/2e4edfa1e2bd821a317e7d006517dcf2f3fac68d", + "https://git.kernel.org/stable/c/427281f9498ed614f9aabc80e46ec077c487da6d", + "https://git.kernel.org/stable/c/ed53949cc92e28aaa3463d246942bda1fbb7f307" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: add missing firmware sanity checks\n\nAdd the missing sanity checks when parsing the firmware files before\ndownloading them to avoid accessing and corrupting memory beyond the\nvmalloced buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36880" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36883", + "dataSource": "https://ubuntu.com/security/CVE-2024-36883", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36883" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36883", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36883", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c3248bc708a7797be573214065cf908ff1f54c7", + "https://git.kernel.org/stable/c/2d60ff5874aefd006717ca5e22ac1e25eac29c42", + "https://git.kernel.org/stable/c/3cdc34d76c4f777579e28ad373979d36c030cfd3", + "https://git.kernel.org/stable/c/7b0e64583eab8c1d896b47e5dd0bf2e7d86ec41f", + "https://git.kernel.org/stable/c/9518b79bfd2fbf99fa9b7e8e36bcb1825e7ba030", + "https://git.kernel.org/stable/c/a26ff37e624d12e28077e5b24d2b264f62764ad6", + "https://git.kernel.org/stable/c/b6dbfd5bcc267a95a0bf1bf96af46243f96ec6cd", + "https://git.kernel.org/stable/c/f4f94587e1bf87cb40ec33955a9d90148dd026ab", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix out-of-bounds access in ops_init\n\nnet_alloc_generic is called by net_alloc, which is called without any\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\nis read twice, first to allocate an array, then to set s.len, which is\nlater used to limit the bounds of the array access.\n\nIt is possible that the array is allocated and another thread is\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\nto set s.len with a larger than allocated length for the variable array.\n\nFix it by reading max_gen_ptrs only once in net_alloc_generic. If\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36883" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36885", + "dataSource": "https://ubuntu.com/security/CVE-2024-36885", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36885" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36885", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36885", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a88c18da464db0ba8ea25196d0a06490f65322e", + "https://git.kernel.org/stable/c/52a6947bf576b97ff8e14bb0a31c5eaf2d0d96e2", + "https://git.kernel.org/stable/c/e05af009302893f39b072811a68fa4a196284c75" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor()\n\nCurrently, enabling SG_DEBUG in the kernel will cause nouveau to hit a\nBUG() on startup:\n\n kernel BUG at include/linux/scatterlist.h:187!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30\n Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019\n RIP: 0010:sg_init_one+0x85/0xa0\n Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54\n 24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b\n 0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00\n RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b\n RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000\n RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508\n R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018\n FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0\n Call Trace:\n \n ? die+0x36/0x90\n ? do_trap+0xdd/0x100\n ? sg_init_one+0x85/0xa0\n ? do_error_trap+0x65/0x80\n ? sg_init_one+0x85/0xa0\n ? exc_invalid_op+0x50/0x70\n ? sg_init_one+0x85/0xa0\n ? asm_exc_invalid_op+0x1a/0x20\n ? sg_init_one+0x85/0xa0\n nvkm_firmware_ctor+0x14a/0x250 [nouveau]\n nvkm_falcon_fw_ctor+0x42/0x70 [nouveau]\n ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau]\n r535_gsp_oneinit+0xb3/0x15f0 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? nvkm_udevice_new+0x95/0x140 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? ktime_get+0x47/0xb0\n ? srso_return_thunk+0x5/0x5f\n nvkm_subdev_oneinit_+0x4f/0x120 [nouveau]\n nvkm_subdev_init_+0x39/0x140 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n nvkm_subdev_init+0x44/0x90 [nouveau]\n nvkm_device_init+0x166/0x2e0 [nouveau]\n nvkm_udevice_init+0x47/0x70 [nouveau]\n nvkm_object_init+0x41/0x1c0 [nouveau]\n nvkm_ioctl_new+0x16a/0x290 [nouveau]\n ? __pfx_nvkm_client_child_new+0x10/0x10 [nouveau]\n ? __pfx_nvkm_udevice_new+0x10/0x10 [nouveau]\n nvkm_ioctl+0x126/0x290 [nouveau]\n nvif_object_ctor+0x112/0x190 [nouveau]\n nvif_device_ctor+0x23/0x60 [nouveau]\n nouveau_cli_init+0x164/0x640 [nouveau]\n nouveau_drm_device_init+0x97/0x9e0 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? pci_update_current_state+0x72/0xb0\n ? srso_return_thunk+0x5/0x5f\n nouveau_drm_probe+0x12c/0x280 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n local_pci_probe+0x45/0xa0\n pci_device_probe+0xc7/0x270\n really_probe+0xe6/0x3a0\n __driver_probe_device+0x87/0x160\n driver_probe_device+0x1f/0xc0\n __driver_attach+0xec/0x1f0\n ? __pfx___driver_attach+0x10/0x10\n bus_for_each_dev+0x88/0xd0\n bus_add_driver+0x116/0x220\n driver_register+0x59/0x100\n ? __pfx_nouveau_drm_init+0x10/0x10 [nouveau]\n do_one_initcall+0x5b/0x320\n do_init_module+0x60/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x120/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x83/0x160\n ? srso_return_thunk+0x5/0x5f\n entry_SYSCALL_64_after_hwframe+0x71/0x79\n RIP: 0033:0x7feeb5cc20cd\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0\n ff ff 73 01 c3 48 8b 0d 1b cd 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffcf220b2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 000055fdd2916aa0 RCX: 00007feeb5cc20cd\n RDX: 0000000000000000 RSI: 000055fdd29161e0 RDI: 0000000000000035\n RBP: 00007ffcf220b380 R08: 00007feeb5d8fb20 R09: 00007ffcf220b310\n R10: 000055fdd2909dc0 R11: 0000000000000246 R12: 000055\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36885" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36886", + "dataSource": "https://ubuntu.com/security/CVE-2024-36886", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36886" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36886", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36886", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/080cbb890286cd794f1ee788bbc5463e2deb7c2b", + "https://git.kernel.org/stable/c/21ea04aad8a0839b4ec27ef1691ca480620e8e14", + "https://git.kernel.org/stable/c/367766ff9e407f8a68409b7ce4dc4d5a72afeab1", + "https://git.kernel.org/stable/c/66116556076f0b96bc1aa9844008c743c8c67684", + "https://git.kernel.org/stable/c/93bc2d6d16f2c3178736ba6b845b30475856dc40", + "https://git.kernel.org/stable/c/a0fbb26f8247e326a320e2cb4395bfb234332c90", + "https://git.kernel.org/stable/c/e19ec8ab0e25bc4803d7cc91c84e84532e2781bd", + "https://git.kernel.org/stable/c/ffd4917c1edb3c3ff334fce3704fbe9c39f35682", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix UAF in error path\n\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\na UAF in the tipc_buf_append() error path:\n\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\nlinux/net/core/skbuff.c:1183\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\n\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.0-debian-1.16.0-5 04/01/2014\nCall Trace:\n \n __dump_stack linux/lib/dump_stack.c:88\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\n print_address_description linux/mm/kasan/report.c:377\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\n skb_release_all linux/net/core/skbuff.c:1094\n __kfree_skb linux/net/core/skbuff.c:1108\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\n kfree_skb linux/./include/linux/skbuff.h:1244\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\n dst_input linux/./include/net/dst.h:461\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\n napi_poll linux/net/core/dev.c:6645\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\n do_softirq linux/kernel/softirq.c:454\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\n \n \n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\n local_bh_enable linux/./include/linux/bottom_half.h:33\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\n neigh_hh_output linux/./include/net/neighbour.h:526\n neigh_output linux/./include/net/neighbour.h:540\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\n __ip_finish_output linux/net/ipv4/ip_output.c:313\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\n dst_output linux/./include/net/dst.h:451\n ip_local_out linux/net/ipv4/ip_output.c:129\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\n sock_sendmsg_nosec linux/net/socket.c:730\n __sock_sendmsg linux/net/socket.c:745\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\n __do_sys_sendto linux/net/socket.c:2203\n __se_sys_sendto linux/net/socket.c:2199\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\n do_syscall_x64 linux/arch/x86/entry/common.c:52\n do_syscall_\n---truncated---", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.1, + "exploitabilityScore": 2.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36886" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36889", + "dataSource": "https://ubuntu.com/security/CVE-2024-36889", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36889" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36889", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36889", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012", + "https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe", + "https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4", + "https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f", + "https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193", + "https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_nxt is properly initialized on connect\n\nChristoph reported a splat hinting at a corrupted snd_una:\n\n WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n Modules linked in:\n CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n Workqueue: events mptcp_worker\n RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\n \t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\n \t<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\n RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\n RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\n R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\n FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\n Call Trace:\n \n __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\n mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\n __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\n mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\n process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\n process_scheduled_works kernel/workqueue.c:3335 [inline]\n worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\n kthread+0x121/0x170 kernel/kthread.c:388\n ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n \n\nWhen fallback to TCP happens early on a client socket, snd_nxt\nis not yet initialized and any incoming ack will copy such value\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\nre-injection after such ack, that would unconditionally trigger a send\nbuffer cleanup using 'bad' snd_una values.\n\nWe could easily disable re-injection for fallback sockets, but such\ndumb behavior already helped catching a few subtle issues and a very\nlow to zero impact in practice.\n\nInstead address the issue always initializing snd_nxt (and write_seq,\nfor consistency) at connect time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36889" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36893", + "dataSource": "https://ubuntu.com/security/CVE-2024-36893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36893" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36893", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/789326cafbd1f67f424436b6bc8bdb887a364637", + "https://git.kernel.org/stable/c/ae11f04b452b5205536e1c02d31f8045eba249dd", + "https://git.kernel.org/stable/c/d56d2ca03cc22123fd7626967d096d8661324e57", + "https://git.kernel.org/stable/c/fc2b655cb6dd2b381f1f284989721002e39b6b77" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Check for port partner validity before consuming it\n\ntypec_register_partner() does not guarantee partner registration\nto always succeed. In the event of failure, port->partner is set\nto the error value or NULL. Given that port->partner validity is\nnot checked, this results in the following crash:\n\nUnable to handle kernel NULL pointer dereference at virtual address xx\n pc : run_state_machine+0x1bc8/0x1c08\n lr : run_state_machine+0x1b90/0x1c08\n..\n Call trace:\n run_state_machine+0x1bc8/0x1c08\n tcpm_state_machine_work+0x94/0xe4\n kthread_worker_fn+0x118/0x328\n kthread+0x1d0/0x23c\n ret_from_fork+0x10/0x20\n\nTo prevent the crash, check for port->partner validity before\nderefencing it in all the call sites.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36894", + "dataSource": "https://ubuntu.com/security/CVE-2024-36894", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36894" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36894", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36894", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19", + "https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a", + "https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb", + "https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867", + "https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14", + "https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4", + "https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd", + "https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\n\nFFS based applications can utilize the aio_cancel() callback to dequeue\npending USB requests submitted to the UDC. There is a scenario where the\nFFS application issues an AIO cancel call, while the UDC is handling a\nsoft disconnect. For a DWC3 based implementation, the callstack looks\nlike the following:\n\n DWC3 Gadget FFS Application\ndwc3_gadget_soft_disconnect() ...\n --> dwc3_stop_active_transfers()\n --> dwc3_gadget_giveback(-ESHUTDOWN)\n --> ffs_epfile_async_io_complete() ffs_aio_cancel()\n --> usb_ep_free_request() --> usb_ep_dequeue()\n\nThere is currently no locking implemented between the AIO completion\nhandler and AIO cancel, so the issue occurs if the completion routine is\nrunning in parallel to an AIO cancel call coming from the FFS application.\nAs the completion call frees the USB request (io_data->req) the FFS\napplication is also referencing it for the usb_ep_dequeue() call. This can\nlead to accessing a stale/hanging pointer.\n\ncommit b566d38857fc (\"usb: gadget: f_fs: use io_data->status consistently\")\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\nHowever, in order to properly implement locking to mitigate this issue, the\nspinlock can't be added to ffs_epfile_async_io_complete(), as\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\nfunction driver's completion handler in the same context. Hence, leading\ninto a deadlock.\n\nFix this issue by moving the usb_ep_free_request() back to\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\nto NULL after freeing it within the ffs->eps_lock. This resolves the race\ncondition above, as the ffs_aio_cancel() routine will not continue\nattempting to dequeue a request that has already been freed, or the\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\ndone referencing it.\n\nThis fix depends on\n commit b566d38857fc (\"usb: gadget: f_fs: use io_data->status\n consistently\")", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 5.6, + "exploitabilityScore": 0.4, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36894" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36898", + "dataSource": "https://ubuntu.com/security/CVE-2024-36898", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36898" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36898", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36898", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a51e24404d77bb3307c1e39eee0d8e86febb1a5", + "https://git.kernel.org/stable/c/883e4bbf06eb5fb7482679e4edb201093e9f55a2", + "https://git.kernel.org/stable/c/bd7139a70ee8d8ea872b223e043730cf6f5e2b0e", + "https://git.kernel.org/stable/c/ee0166b637a5e376118e9659e5b4148080f1d27e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: fix uninitialised kfifo\n\nIf a line is requested with debounce, and that results in debouncing\nin software, and the line is subsequently reconfigured to enable edge\ndetection then the allocation of the kfifo to contain edge events is\noverlooked. This results in events being written to and read from an\nuninitialised kfifo. Read events are returned to userspace.\n\nInitialise the kfifo in the case where the software debounce is\nalready active.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36898" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36899", + "dataSource": "https://ubuntu.com/security/CVE-2024-36899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36899", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02f6b0e1ec7e0e7d059dddc893645816552039da", + "https://git.kernel.org/stable/c/95ca7c90eaf5ea8a8460536535101e3e81160e2a", + "https://git.kernel.org/stable/c/ca710b5f40b8b16fdcad50bebd47f50e4c62d239" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Fix use after free in lineinfo_changed_notify\n\nThe use-after-free issue occurs as follows: when the GPIO chip device file\nis being closed by invoking gpio_chrdev_release(), watched_lines is freed\nby bitmap_free(), but the unregistration of lineinfo_changed_nb notifier\nchain failed due to waiting write rwsem. Additionally, one of the GPIO\nchip's lines is also in the release process and holds the notifier chain's\nread rwsem. Consequently, a race condition leads to the use-after-free of\nwatched_lines.\n\nHere is the typical stack when issue happened:\n\n[free]\ngpio_chrdev_release()\n --> bitmap_free(cdev->watched_lines) <-- freed\n --> blocking_notifier_chain_unregister()\n --> down_write(&nh->rwsem) <-- waiting rwsem\n --> __down_write_common()\n --> rwsem_down_write_slowpath()\n --> schedule_preempt_disabled()\n --> schedule()\n\n[use]\nst54spi_gpio_dev_release()\n --> gpio_free()\n --> gpiod_free()\n --> gpiod_free_commit()\n --> gpiod_line_state_notify()\n --> blocking_notifier_call_chain()\n --> down_read(&nh->rwsem); <-- held rwsem\n --> notifier_call_chain()\n --> lineinfo_changed_notify()\n --> test_bit(xxxx, cdev->watched_lines) <-- use after free\n\nThe side effect of the use-after-free issue is that a GPIO line event is\nbeing generated for userspace where it shouldn't. However, since the chrdev\nis being closed, userspace won't have the chance to read that event anyway.\n\nTo fix the issue, call the bitmap_free() function after the unregistration\nof lineinfo_changed_nb notifier chain.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36900", + "dataSource": "https://ubuntu.com/security/CVE-2024-36900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36900" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36900", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/35d92abfbad88cf947c010baf34b075e40566095", + "https://git.kernel.org/stable/c/5c623fe0534806b627054da09b6f51b7b2f7b9cd", + "https://git.kernel.org/stable/c/72ede790f5a03c3957487400a1b72ebce293a2e7", + "https://git.kernel.org/stable/c/c98bc78ce0909ccc92005e2cb6609ec6c7942f69" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when devlink reload during initialization\n\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash.\n\nThis patch fixes this by registering the devlink after\nhardware initialization.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36901", + "dataSource": "https://ubuntu.com/security/CVE-2024-36901", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36901" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36901", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36901", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2272e2db38f2e85929278146d7c770f22f528579", + "https://git.kernel.org/stable/c/4db783d68b9b39a411a96096c10828ff5dfada7a", + "https://git.kernel.org/stable/c/55f7eb4001ef2a3b48cf039cf263f9ed0ec5a488", + "https://git.kernel.org/stable/c/9df3b2474a627994433a87cbf325a562555b17de", + "https://git.kernel.org/stable/c/e31b25cc2066d3f2b6c38579253882008d4469b0", + "https://git.kernel.org/stable/c/ea0cb87402f774b0e1214ffba0f57028b27cf155" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent NULL dereference in ip6_output()\n\nAccording to syzbot, there is a chance that ip6_dst_idev()\nreturns NULL in ip6_output(). Most places in IPv6 stack\ndeal with a NULL idev just fine, but not here.\n\nsyzbot reported:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\nFS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\n sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\n sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\n sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\n sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\n sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\n sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\n __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\n sctp_connect net/sctp/socket.c:4819 [inline]\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-36901" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36902", + "dataSource": "https://ubuntu.com/security/CVE-2024-36902", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36902" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36902", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36902", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1876881c9a49613b5249fb400cbf53412d90cb09", + "https://git.kernel.org/stable/c/35297fc68de36826087e976f86a5b1f94fd0bf95", + "https://git.kernel.org/stable/c/4a5a573387da6a6b23a4cc62147453ff1bc32afa", + "https://git.kernel.org/stable/c/674c951ab8a23f7aff9b4c3f2f865901bc76a290", + "https://git.kernel.org/stable/c/7e3242c139c38e60844638e394c2877b16b396b0", + "https://git.kernel.org/stable/c/8745a8d74ba17dafe72b6ab461fa6c007d879747", + "https://git.kernel.org/stable/c/d101291b2681e5ab938554e3e323f7a7ee33e3aa", + "https://git.kernel.org/stable/c/ddec23f206a944c73bcc2724358b85388837daff", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\n\nsyzbot is able to trigger the following crash [1],\ncaused by unsafe ip6_dst_idev() use.\n\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\nFS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\n fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\n ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\n ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\n ip6_route_output include/net/ip6_route.h:93 [inline]\n ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\n ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\n sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\n sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\n sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\n sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\n __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\n sctp_connect net/sctp/socket.c:4819 [inline]\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36902" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36903", + "dataSource": "https://ubuntu.com/security/CVE-2024-36903", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36903" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36903", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36903", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2367bf254f3a27ecc6e229afd7a8b0a1395f7be3", + "https://git.kernel.org/stable/c/4e13d3a9c25b7080f8a619f961e943fe08c2672c", + "https://git.kernel.org/stable/c/68c8ba16ab712eb709c6bab80ff151079d11d97a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix potential uninit-value access in __ip6_make_skb()\n\nAs it was done in commit fc1092f51567 (\"ipv4: Fix uninit-value access in\n__ip_make_skb()\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags\ninstead of testing HDRINCL on the socket to avoid a race condition which\ncauses uninit-value access.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36903" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36904", + "dataSource": "https://ubuntu.com/security/CVE-2024-36904", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36904" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36904", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36904", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446", + "https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3", + "https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34", + "https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8", + "https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc", + "https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc", + "https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9", + "https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\n\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\n\nSince commit ec94c2696f0b (\"tcp/dccp: avoid one atomic operation for\ntimewait hashdance\"), inet_twsk_hashdance() sets TIME-WAIT socket's\nsk_refcnt after putting it into ehash and releasing the bucket lock.\n\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\n\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\n\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\n\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n \n ? refcount_warn_saturate+0xe5/0x110\n ? __warn+0x81/0x130\n ? refcount_warn_saturate+0xe5/0x110\n ? report_bug+0x171/0x1a0\n ? refcount_warn_saturate+0xe5/0x110\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? refcount_warn_saturate+0xe5/0x110\n tcp_twsk_unique+0x186/0x190\n __inet_check_established+0x176/0x2d0\n __inet_hash_connect+0x74/0x7d0\n ? __pfx___inet_check_established+0x10/0x10\n tcp_v4_connect+0x278/0x530\n __inet_stream_connect+0x10f/0x3d0\n inet_stream_connect+0x3a/0x60\n __sys_connect+0xa8/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0x83/0x170\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36904" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36905", + "dataSource": "https://ubuntu.com/security/CVE-2024-36905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36905" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36905", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4", + "https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270", + "https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1", + "https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485", + "https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f", + "https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf", + "https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214", + "https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\n\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\n\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\n\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\n\n TCP_CLOSE\nconnect()\n TCP_SYN_SENT\n TCP_SYN_RECV\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\n TCP_FIN_WAIT1\n\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\n\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\n\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\n\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n \n tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x109/0x280 net/socket.c:1068\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n ___sys_recvmsg net/socket.c:2845 [inline]\n do_recvmmsg+0x474/0xae0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36906", + "dataSource": "https://ubuntu.com/security/CVE-2024-36906", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36906" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36906", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36906", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/20ac71bee028ffbae4fc14ed679b23b4d3e95726", + "https://git.kernel.org/stable/c/ad702338fe423cb1e79745787090317256a98dab", + "https://git.kernel.org/stable/c/b26f353786d365e658cebc9a9ace88e04fc2325e", + "https://git.kernel.org/stable/c/c4238686f9093b98bd6245a348bcf059cdce23af", + "https://git.kernel.org/stable/c/ee0ce7573e5083031960faf602c9db693ab5b477" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9381/1: kasan: clear stale stack poison\n\nWe found below OOB crash:\n\n[ 33.452494] ==================================================================\n[ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[ 33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0\n[ 33.455515]\n[ 33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.1.25-mainline #1\n[ 33.456880] Hardware name: Generic DT based system\n[ 33.457555] unwind_backtrace from show_stack+0x18/0x1c\n[ 33.458326] show_stack from dump_stack_lvl+0x40/0x4c\n[ 33.459072] dump_stack_lvl from print_report+0x158/0x4a4\n[ 33.459863] print_report from kasan_report+0x9c/0x148\n[ 33.460616] kasan_report from kasan_check_range+0x94/0x1a0\n[ 33.461424] kasan_check_range from memset+0x20/0x3c\n[ 33.462157] memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[ 33.463064] refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c\n[ 33.464181] tick_nohz_idle_stop_tick from do_idle+0x264/0x354\n[ 33.465029] do_idle from cpu_startup_entry+0x20/0x24\n[ 33.465769] cpu_startup_entry from rest_init+0xf0/0xf4\n[ 33.466528] rest_init from arch_post_acpi_subsys_init+0x0/0x18\n[ 33.467397]\n[ 33.467644] The buggy address belongs to stack of task swapper/0/0\n[ 33.468493] and is located at offset 112 in frame:\n[ 33.469172] refresh_cpu_vm_stats.constprop.0+0x0/0x2ec\n[ 33.469917]\n[ 33.470165] This frame has 2 objects:\n[ 33.470696] [32, 76) 'global_zone_diff'\n[ 33.470729] [112, 276) 'global_node_diff'\n[ 33.471294]\n[ 33.472095] The buggy address belongs to the physical page:\n[ 33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03\n[ 33.473944] flags: 0x1000(reserved|zone=0)\n[ 33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001\n[ 33.475656] raw: 00000000\n[ 33.476050] page dumped because: kasan: bad access detected\n[ 33.476816]\n[ 33.477061] Memory state around the buggy address:\n[ 33.477732] c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 33.478630] c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00\n[ 33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1\n[ 33.480415] ^\n[ 33.481195] c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3\n[ 33.482088] c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n[ 33.482978] ==================================================================\n\nWe find the root cause of this OOB is that arm does not clear stale stack\npoison in the case of cpuidle.\n\nThis patch refer to arch/arm64/kernel/sleep.S to resolve this issue.\n\nFrom cited commit [1] that explain the problem\n\nFunctions which the compiler has instrumented for KASAN place poison on\nthe stack shadow upon entry and remove this poison prior to returning.\n\nIn the case of cpuidle, CPUs exit the kernel a number of levels deep in\nC code. Any instrumented functions on this critical path will leave\nportions of the stack shadow poisoned.\n\nIf CPUs lose context and return to the kernel via a cold path, we\nrestore a prior context saved in __cpu_suspend_enter are forgotten, and\nwe never remove the poison they placed in the stack shadow area by\nfunctions calls between this and the actual exit of the kernel.\n\nThus, (depending on stackframe layout) subsequent calls to instrumented\nfunctions may hit this stale poison, resulting in (spurious) KASAN\nsplats to the console.\n\nTo avoid this, clear any stale poison from the idle thread for a CPU\nprior to bringing a CPU online.\n\nFrom cited commit [2]\n\nExtend to check for CONFIG_KASAN_STACK\n\n[1] commit 0d97e6d8024c (\"arm64: kasan: clear stale stack poison\")\n[2] commit d56a9ef84bd0 (\"kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK\")", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36906" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36907", + "dataSource": "https://ubuntu.com/security/CVE-2024-36907", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36907" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36907", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36907", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/024f7744bd09cb2a47a0a96b9c8ad08109de99cc", + "https://git.kernel.org/stable/c/8e088a20dbe33919695a8082c0b32deb62d23b4a", + "https://git.kernel.org/stable/c/9b332c72299f2ac284ab3d7c0301969b933e4ca1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: add a missing rpc_stat for TCP TLS\n\nCommit 1548036ef120 (\"nfs: make the rpc_stat per net namespace\") added\nfunctionality to specify rpc_stats function but missed adding it to the\nTCP TLS functionality. As the result, mounting with xprtsec=tls lead to\nthe following kernel oops.\n\n[ 128.984192] Unable to handle kernel NULL pointer dereference at\nvirtual address 000000000000001c\n[ 128.985058] Mem abort info:\n[ 128.985372] ESR = 0x0000000096000004\n[ 128.985709] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 128.986176] SET = 0, FnV = 0\n[ 128.986521] EA = 0, S1PTW = 0\n[ 128.986804] FSC = 0x04: level 0 translation fault\n[ 128.987229] Data abort info:\n[ 128.987597] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 128.988169] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 128.988811] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 128.989302] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106c84000\n[ 128.990048] [000000000000001c] pgd=0000000000000000, p4d=0000000000000000\n[ 128.990736] Internal error: Oops: 0000000096000004 [#1] SMP\n[ 128.991168] Modules linked in: nfs_layout_nfsv41_files\nrpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace netfs\nuinput dm_mod nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill\nip_set nf_tables nfnetlink qrtr vsock_loopback\nvmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock\nsunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc\nvideobuf2_v4l2 videodev videobuf2_common mc vmw_vmci xfs libcrc32c\ne1000e crct10dif_ce ghash_ce sha2_ce vmwgfx nvme sha256_arm64\nnvme_core sr_mod cdrom sha1_ce drm_ttm_helper ttm drm_kms_helper drm\nsg fuse\n[ 128.996466] CPU: 0 PID: 179 Comm: kworker/u4:26 Kdump: loaded Not\ntainted 6.8.0-rc6+ #12\n[ 128.997226] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS\nVMW201.00V.21805430.BA64.2305221830 05/22/2023\n[ 128.998084] Workqueue: xprtiod xs_tcp_tls_setup_socket [sunrpc]\n[ 128.998701] pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 128.999384] pc : call_start+0x74/0x138 [sunrpc]\n[ 128.999809] lr : __rpc_execute+0xb8/0x3e0 [sunrpc]\n[ 129.000244] sp : ffff8000832b3a00\n[ 129.000508] x29: ffff8000832b3a00 x28: ffff800081ac79c0 x27: ffff800081ac7000\n[ 129.001111] x26: 0000000004248060 x25: 0000000000000000 x24: ffff800081596008\n[ 129.001757] x23: ffff80007b087240 x22: ffff00009a509d30 x21: 0000000000000000\n[ 129.002345] x20: ffff000090075600 x19: ffff00009a509d00 x18: ffffffffffffffff\n[ 129.002912] x17: 733d4d4554535953 x16: 42555300312d746e x15: ffff8000832b3a88\n[ 129.003464] x14: ffffffffffffffff x13: ffff8000832b3a7d x12: 0000000000000008\n[ 129.004021] x11: 0101010101010101 x10: ffff8000150cb560 x9 : ffff80007b087c00\n[ 129.004577] x8 : ffff00009a509de0 x7 : 0000000000000000 x6 : 00000000be8c4ee3\n[ 129.005026] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff000094d56680\n[ 129.005425] x2 : ffff80007b0637f8 x1 : ffff000090075600 x0 : ffff00009a509d00\n[ 129.005824] Call trace:\n[ 129.005967] call_start+0x74/0x138 [sunrpc]\n[ 129.006233] __rpc_execute+0xb8/0x3e0 [sunrpc]\n[ 129.006506] rpc_execute+0x160/0x1d8 [sunrpc]\n[ 129.006778] rpc_run_task+0x148/0x1f8 [sunrpc]\n[ 129.007204] tls_probe+0x80/0xd0 [sunrpc]\n[ 129.007460] rpc_ping+0x28/0x80 [sunrpc]\n[ 129.007715] rpc_create_xprt+0x134/0x1a0 [sunrpc]\n[ 129.007999] rpc_create+0x128/0x2a0 [sunrpc]\n[ 129.008264] xs_tcp_tls_setup_socket+0xdc/0x508 [sunrpc]\n[ 129.008583] process_one_work+0x174/0x3c8\n[ 129.008813] worker_thread+0x2c8/0x3e0\n[ 129.009033] kthread+0x100/0x110\n[ 129.009225] ret_from_fork+0x10/0x20\n[ 129.009432] Code: f0ffffc2 911fe042 aa1403e1 aa1303e0 (b9401c83)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36907" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36908", + "dataSource": "https://ubuntu.com/security/CVE-2024-36908", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36908" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36908", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36908", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01bc4fda9ea0a6b52f12326486f07a4910666cf6", + "https://git.kernel.org/stable/c/14b3275f93d4a0d8ddc02195bc4e9869b7a3700e", + "https://git.kernel.org/stable/c/1c172ac7afe4442964f4153b2c78fe4e005d9d67" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: do not WARN if iocg was already offlined\n\nIn iocg_pay_debt(), warn is triggered if 'active_list' is empty, which\nis intended to confirm iocg is active when it has debt. However, warn\ncan be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn()\nis run at that time:\n\n WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190\n Call trace:\n iocg_pay_debt+0x14c/0x190\n iocg_kick_waitq+0x438/0x4c0\n iocg_waitq_timer_fn+0xd8/0x130\n __run_hrtimer+0x144/0x45c\n __hrtimer_run_queues+0x16c/0x244\n hrtimer_interrupt+0x2cc/0x7b0\n\nThe warn in this situation is meaningless. Since this iocg is being\nremoved, the state of the 'active_list' is irrelevant, and 'waitq_timer'\nis canceled after removing 'active_list' in ioc_pd_free(), which ensures\niocg is freed after iocg_waitq_timer_fn() returns.\n\nTherefore, add the check if iocg was already offlined to avoid warn\nwhen removing a blkcg or disk.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36908" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36909", + "dataSource": "https://ubuntu.com/security/CVE-2024-36909", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36909" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36909", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36909", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2f622008bf784a9f5dd17baa19223cc2ac30a039", + "https://git.kernel.org/stable/c/30d18df6567be09c1433e81993e35e3da573ac48", + "https://git.kernel.org/stable/c/82f9e213b124a7d2bb5b16ea35d570260ef467e0", + "https://git.kernel.org/stable/c/a9212a4e2963a7fbe3864ba33dc551d4ad8d0abb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe VMBus ring buffer code could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the struct\nvmbus_gpadl for the ring buffers to decide whether to free the memory.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36909" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36910", + "dataSource": "https://ubuntu.com/security/CVE-2024-36910", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36910" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36910", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36910", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3d788b2fbe6a1a1a9e3db09742b90809d51638b7", + "https://git.kernel.org/stable/c/6466a0f6d235c8a18c602cb587160d7e49876db9", + "https://git.kernel.org/stable/c/dabf12bf994318d939f70d47cfda30e47abb2c54", + "https://git.kernel.org/stable/c/fe2c58602354fbd60680dc42ac3a0b772cda7d23" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Don't free decrypted memory\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe VMBus device UIO driver could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\nto decide whether to free the memory.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36910" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36911", + "dataSource": "https://ubuntu.com/security/CVE-2024-36911", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36911" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36911", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36911", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4aaed9dbe8acd2b6114458f0498a617283d6275b", + "https://git.kernel.org/stable/c/a56fe611326332bf6b7126e5559590c57dcebad4", + "https://git.kernel.org/stable/c/bbf9ac34677b57506a13682b31a2a718934c0e31" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Don't free decrypted memory\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe netvsc driver could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\nto decide whether to free the memory.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36911" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36912", + "dataSource": "https://ubuntu.com/security/CVE-2024-36912", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36912" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36912", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36912", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1999644d95194d4a58d3e80ad04ce19220a01a81", + "https://git.kernel.org/stable/c/211f514ebf1ef5de37b1cf6df9d28a56cfd242ca", + "https://git.kernel.org/stable/c/8e62341f5c45b27519b7d193bcc32ada416ad9d8", + "https://git.kernel.org/stable/c/bfae56be077ba14311509e70706a13458f87ea99" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Track decrypted status in vmbus_gpadl\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nIn order to make sure callers of vmbus_establish_gpadl() and\nvmbus_teardown_gpadl() don't return decrypted/shared pages to\nallocators, add a field in struct vmbus_gpadl to keep track of the\ndecryption status of the buffers. This will allow the callers to\nknow if they should free or leak the pages.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.1, + "exploitabilityScore": 2.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36912" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36913", + "dataSource": "https://ubuntu.com/security/CVE-2024-36913", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36913" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36913", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36913", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/03f5a999adba062456c8c818a683beb1b498983a", + "https://git.kernel.org/stable/c/6123a4e8e25bd40cf44db14694abac00e6b664e6", + "https://git.kernel.org/stable/c/e813a0fc2e597146e9cebea61ced9c796d4e308f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Leak pages if set_memory_encrypted() fails\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nVMBus code could free decrypted pages if set_memory_encrypted()/decrypted()\nfails. Leak the pages if this happens.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.1, + "exploitabilityScore": 2.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36913" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36914", + "dataSource": "https://ubuntu.com/security/CVE-2024-36914", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36914" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36914", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36914", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/951a498fa993c5501994ec2df97c9297b02488c7", + "https://git.kernel.org/stable/c/e9baa7110e9f3756bd5a812af376c288d9be894d", + "https://git.kernel.org/stable/c/ecedd99a9369fb5cde601ae9abd58bca2739f1ae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip on writeback when it's not applicable\n\n[WHY]\ndynamic memory safety error detector (KASAN) catches and generates error\nmessages \"BUG: KASAN: slab-out-of-bounds\" as writeback connector does not\nsupport certain features which are not initialized.\n\n[HOW]\nSkip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36914" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36915", + "dataSource": "https://ubuntu.com/security/CVE-2024-36915", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36915" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36915", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36915", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f106133203021533cb753e80d75896f4ad222f8", + "https://git.kernel.org/stable/c/29dc0ea979d433dd3c26abc8fa971550bdc05107", + "https://git.kernel.org/stable/c/7a87441c9651ba37842f4809224aca13a554a26f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: fix nfc_llcp_setsockopt() unsafe copies\n\nsyzbot reported unsafe calls to copy_from_sockptr() [1]\n\nUse copy_safe_from_sockptr() instead.\n\n[1]\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\nRead of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078\n\nCPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\n do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfd/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7f7fac07fd89\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89\nRDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36915" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36916", + "dataSource": "https://ubuntu.com/security/CVE-2024-36916", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36916" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36916", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36916", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/488dc6808cb8369685f18cee81e88e7052ac153b", + "https://git.kernel.org/stable/c/62accf6c1d7b433752cb3591bba8967b7a801ad5", + "https://git.kernel.org/stable/c/844fc023e9f14a4fb1de5ae1eaefafd6d69c5fa1", + "https://git.kernel.org/stable/c/beaa51b36012fad5a4d3c18b88a617aea7a9b96d", + "https://git.kernel.org/stable/c/ce0e99cae00e3131872936713b7f55eefd53ab86", + "https://git.kernel.org/stable/c/f6add0a6f78dc6360b822ca4b6f9f2f14174c8ca", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: avoid out of bounds shift\n\nUBSAN catches undefined behavior in blk-iocost, where sometimes\niocg->delay is shifted right by a number that is too large,\nresulting in undefined behavior on some architectures.\n\n[ 186.556576] ------------[ cut here ]------------\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23\nshift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')\nCPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1\nHardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020\nCall Trace:\n \n dump_stack_lvl+0x8f/0xe0\n __ubsan_handle_shift_out_of_bounds+0x22c/0x280\n iocg_kick_delay+0x30b/0x310\n ioc_timer_fn+0x2fb/0x1f80\n __run_timer_base+0x1b6/0x250\n...\n\nAvoid that undefined behavior by simply taking the\n\"delay = 0\" branch if the shift is too large.\n\nI am not sure what the symptoms of an undefined value\ndelay will be, but I suspect it could be more than a\nlittle annoying to debug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36916" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36917", + "dataSource": "https://ubuntu.com/security/CVE-2024-36917", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36917" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36917", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36917", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/22d24a544b0d49bbcbd61c8c0eaf77d3c9297155", + "https://git.kernel.org/stable/c/507d526a98c355e6f3fb2c47aacad44a69784bee", + "https://git.kernel.org/stable/c/8a26198186e97ee5fc4b42fde82629cff8c75cd6", + "https://git.kernel.org/stable/c/e1d38cde2b7b0fbd1c48082e7a98c37d750af59b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix overflow in blk_ioctl_discard()\n\nThere is no check for overflow of 'start + len' in blk_ioctl_discard().\nHung task occurs if submit an discard ioctl with the following param:\n start = 0x80000000000ff000, len = 0x8000000000fff000;\nAdd the overflow validation now.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36917" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36918", + "dataSource": "https://ubuntu.com/security/CVE-2024-36918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/608e13706c8b6c658a0646f09ebced74ec367f7c", + "https://git.kernel.org/stable/c/a8d89feba7e54e691ca7c4efc2a6264fa83f3687", + "https://git.kernel.org/stable/c/c418afb9bf23e2f2b76cb819601e4a5d9dbab42d", + "https://git.kernel.org/stable/c/fa6995eeb62e74b5a1480c73fb7b420c270784d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check bloom filter map value size\n\nThis patch adds a missing check to bloom filter creating, rejecting\nvalues above KMALLOC_MAX_SIZE. This brings the bloom map in line with\nmany other map types.\n\nThe lack of this protection can cause kernel crashes for value sizes\nthat overflow int's. Such a crash was caught by syzkaller. The next\npatch adds more guard-rails at a lower level.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36918" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36919", + "dataSource": "https://ubuntu.com/security/CVE-2024-36919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36919" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36919", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1150606d47d711d5bfdf329a1a96ed7027085936", + "https://git.kernel.org/stable/c/468f3e3c15076338367b0945b041105b67cf31e3", + "https://git.kernel.org/stable/c/93aa5ccc44781bdfef1bf0bc4c2c292d45251312", + "https://git.kernel.org/stable/c/acd370c1fb86b7302c1cbb354a7c1cd9953768eb", + "https://git.kernel.org/stable/c/ad498539dda0816aadef384ec117bfea304c75c3", + "https://git.kernel.org/stable/c/c214ed2a4dda35b308b0b28eed804d7ae66401f9", + "https://git.kernel.org/stable/c/c885ab23206b1f1ba0731ffe7c9455c6a91db256", + "https://git.kernel.org/stable/c/ea50941cd8c9f0b12f38b73d3b1bfeca660dd342", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\n\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won't be used any longer. The offload and upload\ncalls are sequential, hence lock is not required.\n\nThis will suppress following BUG_ON():\n\n[ 449.843143] ------------[ cut here ]------------\n[ 449.848302] kernel BUG at mm/vmalloc.c:2727!\n[ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[ 449.882910] RIP: 0010:vunmap+0x2e/0x30\n[ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 449.993028] Call Trace:\n[ 449.995756] __iommu_dma_free+0x96/0x100\n[ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[ 450.018136] fc_rport_work+0x103/0x5b0 [libfc]\n[ 450.023103] process_one_work+0x1e8/0x3c0\n[ 450.027581] worker_thread+0x50/0x3b0\n[ 450.031669] ? rescuer_thread+0x370/0x370\n[ 450.036143] kthread+0x149/0x170\n[ 450.039744] ? set_kthread_struct+0x40/0x40\n[ 450.044411] ret_from_fork+0x22/0x30\n[ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[ 450.159753] ---[ end trace 712de2c57c64abc8 ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36919" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36920", + "dataSource": "https://ubuntu.com/security/CVE-2024-36920", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36920" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36920", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36920", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/429846b4b6ce9853e0d803a2357bb2e55083adf0", + "https://git.kernel.org/stable/c/4d2772324f43cf5674ac3dbe3f74a7e656396716", + "https://git.kernel.org/stable/c/5f0266044dc611563539705bff0b3e1545fbb6aa", + "https://git.kernel.org/stable/c/f09318244c6cafd10aca741b9c01e0a2c362d43a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Avoid memcpy field-spanning write WARNING\n\nWhen the \"storcli2 show\" command is executed for eHBA-9600, mpi3mr driver\nprints this WARNING message:\n\n memcpy: detected field-spanning write (size 128) of single field \"bsg_reply_buf->reply_buf\" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1)\n WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]\n\nThe cause of the WARN is 128 bytes memcpy to the 1 byte size array \"__u8\nreplay_buf[1]\" in the struct mpi3mr_bsg_in_reply_buf. The array is intended\nto be a flexible length array, so the WARN is a false positive.\n\nTo suppress the WARN, remove the constant number '1' from the array\ndeclaration and clarify that it has flexible length. Also, adjust the\nmemory allocation size to match the change.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36920" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36921", + "dataSource": "https://ubuntu.com/security/CVE-2024-36921", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36921" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36921", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36921", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17f64517bf5c26af56b6c3566273aad6646c3c4f", + "https://git.kernel.org/stable/c/94f80a8ec15e238b78521f20f8afaed60521a294", + "https://git.kernel.org/stable/c/fab21d220017daa5fd8a3d788ff25ccfecfaae2f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: guard against invalid STA ID on removal\n\nGuard against invalid station IDs in iwl_mvm_mld_rm_sta_id as that would\nresult in out-of-bounds array accesses. This prevents issues should the\ndriver get into a bad state during error handling.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36921" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36922", + "dataSource": "https://ubuntu.com/security/CVE-2024-36922", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36922" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36922", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36922", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/43d07103df670484cdd26f9588eabef80f69db89", + "https://git.kernel.org/stable/c/b83db8e756dec68a950ed2f056248b1704b3deaa", + "https://git.kernel.org/stable/c/c2ace6300600c634553657785dfe5ea0ed688ac2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: read txq->read_ptr under lock\n\nIf we read txq->read_ptr without lock, we can read the same\nvalue twice, then obtain the lock, and reclaim from there\nto two different places, but crucially reclaim the same\nentry twice, resulting in the WARN_ONCE() a little later.\nFix that by reading txq->read_ptr under lock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36922" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36923", + "dataSource": "https://ubuntu.com/security/CVE-2024-36923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36923", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b4cb6e91f19b81217ad98142ee53a1ab25893fd", + "https://git.kernel.org/stable/c/6630036b7c228f57c7893ee0403e92c2db2cd21d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: fix uninitialized values during inode evict\n\nIf an iget fails due to not being able to retrieve information\nfrom the server then the inode structure is only partially\ninitialized. When the inode gets evicted, references to\nuninitialized structures (like fscache cookies) were being\nmade.\n\nThis patch checks for a bad_inode before doing anything other\nthan clearing the inode from the cache. Since the inode is\nbad, it shouldn't have any state associated with it that needs\nto be written back (and there really isn't a way to complete\nthose anyways).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36923" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36924", + "dataSource": "https://ubuntu.com/security/CVE-2024-36924", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36924" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36924", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36924", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6503c39398506cadda9f4c81695a9655ca5fb4fd", + "https://git.kernel.org/stable/c/ded20192dff31c91cef2a04f7e20e60e9bb887d3", + "https://git.kernel.org/stable/c/e8bf2c05e8ad68e90f9d5889a9e4ef3f6fe00683", + "https://git.kernel.org/stable/c/ee833d7e62de2b84ed1332d501b67f12e7e5678f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\n\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\nhbalock. Thus, lpfc_worker_wake_up() should not be called while holding the\nhbalock to avoid potential deadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36924" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36927", + "dataSource": "https://ubuntu.com/security/CVE-2024-36927", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36927" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36927", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36927", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5db08343ddb1b239320612036c398e4e1bb52818", + "https://git.kernel.org/stable/c/f5c603ad4e6fcf42f84053e882ebe20184bb309e", + "https://git.kernel.org/stable/c/fc1092f51567277509563800a3c56732070b6aa4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix uninit-value access in __ip_make_skb()\n\nKMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()\ntests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a\nrace condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL\nwhile __ip_make_skb() is running, the function will access icmphdr in the\nskb even if it is not included. This causes the issue reported by KMSAN.\n\nCheck FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL\non the socket.\n\nAlso, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These\nare union in struct flowi4 and are implicitly initialized by\nflowi4_init_output(), but we should not rely on specific union layout.\n\nInitialize these explicitly in raw_sendmsg().\n\n[1]\nBUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n ip_finish_skb include/net/ip.h:243 [inline]\n ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508\n raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128\n ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365\n raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36927" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36928", + "dataSource": "https://ubuntu.com/security/CVE-2024-36928", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36928" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36928", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6", + "https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524", + "https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494", + "https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3", + "https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: Fix kernel panic after setting hsuid\n\nSymptom:\nWhen the hsuid attribute is set for the first time on an IQD Layer3\ndevice while the corresponding network interface is already UP,\nthe kernel will try to execute a napi function pointer that is NULL.\n\nExample:\n---------------------------------------------------------------------------\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\n qdio ccwgroup pkey zcrypt\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\n[ 2057.572748] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\n[ 2057.572754] 00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\n[ 2057.572756] 000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\n[ 2057.572758] 00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\n[ 2057.572762] Krnl Code:#0000000000000000: 0000 illegal\n >0000000000000002: 0000 illegal\n 0000000000000004: 0000 illegal\n 0000000000000006: 0000 illegal\n 0000000000000008: 0000 illegal\n 000000000000000a: 0000 illegal\n 000000000000000c: 0000 illegal\n 000000000000000e: 0000 illegal\n[ 2057.572800] Call Trace:\n[ 2057.572801] ([<00000000ec639700>] 0xec639700)\n[ 2057.572803] [<00000000913183e2>] net_rx_action+0x2ba/0x398\n[ 2057.572809] [<0000000091515f76>] __do_softirq+0x11e/0x3a0\n[ 2057.572813] [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58\n[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)\n[ 2057.572822] [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98\n[ 2057.572825] [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70\n[ 2057.572827] [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]\n[ 2057.572830] [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]\n[ 2057.572833] [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]\n[ 2057.572835] [<00000000912e7e90>] __sys_connect+0xa0/0xd8\n[ 2057.572839] [<00000000912e9580>] sys_socketcall+0x228/0x348\n[ 2057.572841] [<0000000091514e1a>] system_call+0x2a6/0x2c8\n[ 2057.572843] Last Breaking-Event-Address:\n[ 2057.572844] [<0000000091317e44>] __napi_poll+0x4c/0x1d8\n[ 2057.572846]\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\n-------------------------------------------------------------------------------------------\n\nAnalysis:\nThere is one napi structure per out_q: card->qdio.out_qs[i].napi\nThe napi.poll functions are set during qeth_open().\n\nSince\ncommit 1cfef80d4c2b (\"s390/qeth: Don't call dev_close/dev_open (DOWN/UP)\")\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\ndev_open(). So if qeth_free_qdio_queues() cleared\ncard->qdio.out_qs[i].napi.poll while the network interface was UP and the\ncard was offline, they are not set again.\n\nReproduction:\nchzdev -e $devno layer2=0\nip link set dev $network_interface up\necho 0 > /sys/bus/ccw\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36928" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36929", + "dataSource": "https://ubuntu.com/security/CVE-2024-36929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36929" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36929", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/989bf6fd1e1d058e73a364dce1a0c53d33373f62", + "https://git.kernel.org/stable/c/aea5e2669c2863fdd8679c40ee310b3bcaa85aec", + "https://git.kernel.org/stable/c/c7af99cc21923a9650533c9d77265c8dd683a533", + "https://git.kernel.org/stable/c/cfe34d86ef9765c388f145039006bb79b6c81ac6", + "https://git.kernel.org/stable/c/d091e579b864fa790dd6a0cd537a22c383126681", + "https://git.kernel.org/stable/c/faa83a7797f06cefed86731ba4baa3b4dfdc06c1", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\n\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\ninvalid. Return NULL if such an skb is passed to skb_copy or\nskb_copy_expand, in order to prevent a crash on a potential later\ncall to skb_gso_segment.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36931", + "dataSource": "https://ubuntu.com/security/CVE-2024-36931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36931" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36931", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06759ebaf75c19c87b2453a5e130e9e61e9b5d65", + "https://git.kernel.org/stable/c/10452edd175fcc4fd0f5ac782ed2a002e3e5d65c", + "https://git.kernel.org/stable/c/84b38f48836662c4bfae646c014f4e981e16a2b2", + "https://git.kernel.org/stable/c/c9d48ce163305595ae20aee27774192476d5e6a5", + "https://git.kernel.org/stable/c/da7c622cddd4fe36be69ca61e8c42e43cde94784" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a lbuf-sized kernel buffer and copy lbuf from\nuserspace to that buffer. Later, we use scanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using scanf. Fix this issue by using memdup_user_nul instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36933", + "dataSource": "https://ubuntu.com/security/CVE-2024-36933", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36933" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36933", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36933", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29a07f2ee4d273760c2acbfc756e29eccd82470a", + "https://git.kernel.org/stable/c/37ed6f244ec5bda2e90b085084e322ea55d0aaa2", + "https://git.kernel.org/stable/c/46134031c20fd313d03b90169d64b2e05ca6b65c", + "https://git.kernel.org/stable/c/4b911a9690d72641879ea6d13cce1de31d346d79", + "https://git.kernel.org/stable/c/5a4603fbc285752d19e4b415466db18ef3617e4a", + "https://git.kernel.org/stable/c/696d18bb59727a2e0526c0802a812620be1c9340", + "https://git.kernel.org/stable/c/a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9", + "https://git.kernel.org/stable/c/bbccf0caef2fa917d6d0692385a06ce3c262a216", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().\n\nsyzbot triggered various splats (see [0] and links) by a crafted GSO\npacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:\n\n ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP\n\nNSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner\nprotocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls\nskb_mac_gso_segment() to invoke inner protocol GSO handlers.\n\nnsh_gso_segment() does the following for the original skb before\ncalling skb_mac_gso_segment()\n\n 1. reset skb->network_header\n 2. save the original skb->{mac_heaeder,mac_len} in a local variable\n 3. pull the NSH header\n 4. resets skb->mac_header\n 5. set up skb->mac_len and skb->protocol for the inner protocol.\n\nand does the following for the segmented skb\n\n 6. set ntohs(ETH_P_NSH) to skb->protocol\n 7. push the NSH header\n 8. restore skb->mac_header\n 9. set skb->mac_header + mac_len to skb->network_header\n 10. restore skb->mac_len\n\nThere are two problems in 6-7 and 8-9.\n\n (a)\n After 6 & 7, skb->data points to the NSH header, so the outer header\n (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.\n\n Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),\n skb_pull() in the first nsh_gso_segment() will make skb->data point\n to the middle of the outer NSH or Ethernet header because the Ethernet\n header is not pulled by the second nsh_gso_segment().\n\n (b)\n While restoring skb->{mac_header,network_header} in 8 & 9,\n nsh_gso_segment() does not assume that the data in the linear\n buffer is shifted.\n\n However, udp6_ufo_fragment() could shift the data and change\n skb->mac_header accordingly as demonstrated by syzbot.\n\n If this happens, even the restored skb->mac_header points to\n the middle of the outer header.\n\nIt seems nsh_gso_segment() has never worked with outer headers so far.\n\nAt the end of nsh_gso_segment(), the outer header must be restored for\nthe segmented skb, instead of the NSH header.\n\nTo do that, let's calculate the outer header position relatively from\nthe inner header and set skb->{data,mac_header,protocol} properly.\n\n[0]:\nBUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\nBUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\nBUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222\n __netdev_start_xmit include/linux/netdevice.h:4989 [inline]\n netdev_start_xmit include/linux/netdevice.h:5003 [inline]\n xmit_one net/core/dev.c:3547 [inline]\n dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563\n __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3819 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n __do_kmalloc_node mm/slub.c:3980 [inline]\n __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001\n kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\n __\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36933" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36934", + "dataSource": "https://ubuntu.com/security/CVE-2024-36934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36934" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36934", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06cb37e2ba6441888f24566a997481d4197b4e32", + "https://git.kernel.org/stable/c/0f560240b4cc25d3de527deb257cdf072c0102a9", + "https://git.kernel.org/stable/c/1518b2b498a0109eb6b15755169d3b6607356b35", + "https://git.kernel.org/stable/c/6f0f19b79c085cc891c418b768f26f7004bd51a4", + "https://git.kernel.org/stable/c/80578ec10335bc15ac35fd1703c22aab34e39fdd", + "https://git.kernel.org/stable/c/8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f", + "https://git.kernel.org/stable/c/bd502ba81cd1d515deddad7dbc6b812b14b97147", + "https://git.kernel.org/stable/c/e19478763154674c084defc62ae0d64d79657f91", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbna: ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul\ninstead of memdup_user.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36937", + "dataSource": "https://ubuntu.com/security/CVE-2024-36937", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36937" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36937", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36937", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e", + "https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc", + "https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c", + "https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553", + "https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: use flags field to disambiguate broadcast redirect\n\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\nup the redirect destination information in struct bpf_redirect_info (using\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\nfunction will read this information after the XDP program returns and pass\nthe frame on to the right redirect destination.\n\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\nbpf_redirect_info to point to the destination map to be broadcast. And\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\nit's dealing with a broadcast or a single-value redirect. However, if the\ndestination map is being destroyed before xdp_do_redirect() is called, the\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\nto think that the redirect was to a single target, but the target pointer\nis also NULL (since broadcast redirects don't have a single target), so\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\n\nTo fix this, change xdp_do_redirect() to react directly to the presence of\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\nto disambiguate between a single-target and a broadcast redirect. And only\nread the 'map' pointer if the broadcast flag is set, aborting if that has\nbeen cleared out in the meantime. This prevents the crash, while keeping\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\nadding any more checks in the non-broadcast fast path.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36937" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36938", + "dataSource": "https://ubuntu.com/security/CVE-2024-36938", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36938" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36938", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36938", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27", + "https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d", + "https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365", + "https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80", + "https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87", + "https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\n\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\nsyzbot reported [1].\n\n[1]\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\n\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\n sk_psock_put include/linux/skmsg.h:459 [inline]\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0x68/0x150 net/socket.c:1421\n __fput+0x2c1/0x660 fs/file_table.c:422\n __fput_sync+0x44/0x60 fs/file_table.c:507\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\n unix_read_skb net/unix/af_unix.c:2546 [inline]\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x140/0x180 net/socket.c:745\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nvalue changed: 0xffffffff83d7feb0 -> 0x0000000000000000\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\n\nPrior to this, commit 4cd12c6065df (\"bpf, sockmap: Fix NULL pointer\ndereference in sk_psock_verdict_data_ready()\") fixed one NULL pointer\nsimilarly due to no protection of saved_data_ready. Here is another\ndifferent caller causing the same issue because of the same reason. So\nwe should protect it with sk_callback_lock read lock because the writer\nside in the sk_psock_drop() uses \"write_lock_bh(&sk->sk_callback_lock);\".\n\nTo avoid errors that could happen in future, I move those two pairs of\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36938" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36939", + "dataSource": "https://ubuntu.com/security/CVE-2024-36939", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36939" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36939", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36939", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/24457f1be29f1e7042e50a7749f5c2dde8c433c8", + "https://git.kernel.org/stable/c/8a1f89c98dcc542dd6d287e573523714702e0f9c", + "https://git.kernel.org/stable/c/8ae63bd858691bee0e2a92571f2fbb36a4d86d65", + "https://git.kernel.org/stable/c/9909dde2e53a19585212c32fe3eda482b5faaaa3", + "https://git.kernel.org/stable/c/b33ca18c3a1190208dfd569c4fa8a2f93084709f", + "https://git.kernel.org/stable/c/d4891d817350c67392d4731536945f3809a2a0ba", + "https://git.kernel.org/stable/c/ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: Handle error of rpc_proc_register() in nfs_net_init().\n\nsyzkaller reported a warning [0] triggered while destroying immature\nnetns.\n\nrpc_proc_register() was called in init_nfs_fs(), but its error\nhas been ignored since at least the initial commit 1da177e4c3f4\n(\"Linux-2.6.12-rc2\").\n\nRecently, commit d47151b79e32 (\"nfs: expose /proc/net/sunrpc/nfs\nin net namespaces\") converted the procfs to per-netns and made\nthe problem more visible.\n\nEven when rpc_proc_register() fails, nfs_net_init() could succeed,\nand thus nfs_net_exit() will be called while destroying the netns.\n\nThen, remove_proc_entry() will be called for non-existing proc\ndirectory and trigger the warning below.\n\nLet's handle the error of rpc_proc_register() properly in nfs_net_init().\n\n[0]:\nname 'nfs'\nWARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nModules linked in:\nCPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nCode: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb\nRSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c\nRDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc\nR13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8\nFS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310\n nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438\n ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170\n setup_net+0x46c/0x660 net/core/net_namespace.c:372\n copy_net_ns+0x244/0x590 net/core/net_namespace.c:505\n create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228\n ksys_unshare+0x342/0x760 kernel/fork.c:3322\n __do_sys_unshare kernel/fork.c:3393 [inline]\n __se_sys_unshare kernel/fork.c:3391 [inline]\n __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x7f30d0febe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002\nR13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36939" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36940", + "dataSource": "https://ubuntu.com/security/CVE-2024-36940", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36940" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36940", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36940", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/288bc4aa75f150d6f1ee82dd43c6da1b438b6068", + "https://git.kernel.org/stable/c/41f88ef8ba387a12f4a2b8c400b6c9e8e54b2cca", + "https://git.kernel.org/stable/c/5038a66dad0199de60e5671603ea6623eb9e5c79", + "https://git.kernel.org/stable/c/558c8039fdf596a584a92c171cbf3298919c448c", + "https://git.kernel.org/stable/c/735f4c6b6771eafe336404c157ca683ad72a040d", + "https://git.kernel.org/stable/c/ac7d65795827dc0cf7662384ed27caf4066bd72e", + "https://git.kernel.org/stable/c/cdaa171473d98962ae86f2a663d398fda2fbeefd", + "https://git.kernel.org/stable/c/f9f1e321d53e4c5b666b66e5b43da29841fb55ba", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: core: delete incorrect free in pinctrl_enable()\n\nThe \"pctldev\" struct is allocated in devm_pinctrl_register_and_init().\nIt's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),\nso freeing it in pinctrl_enable() will lead to a double free.\n\nThe devm_pinctrl_dev_release() function frees the pindescs and destroys\nthe mutex as well.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36940" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36941", + "dataSource": "https://ubuntu.com/security/CVE-2024-36941", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36941" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36941", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36941", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/244822c09b4f9aedfb5977f03c0deeb39da8ec7d", + "https://git.kernel.org/stable/c/327382dc0f16b268950b96e0052595efd80f7b0a", + "https://git.kernel.org/stable/c/5a730a161ac2290d46d49be76b2b1aee8d2eb307", + "https://git.kernel.org/stable/c/801ea33ae82d6a9d954074fbcf8ea9d18f1543a7", + "https://git.kernel.org/stable/c/97792d0611ae2e6fe3ccefb0a94a1d802317c457", + "https://git.kernel.org/stable/c/ad12c74e953b68ad85c78adc6408ed8435c64af4", + "https://git.kernel.org/stable/c/b0db4caa10f2e4e811cf88744fbf0d074b67ec1f", + "https://git.kernel.org/stable/c/f92772a642485394db5c9a17bd0ee73fc6902383", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: don't free NULL coalescing rule\n\nIf the parsing fails, we can dereference a NULL pointer here.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36941" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36944", + "dataSource": "https://ubuntu.com/security/CVE-2024-36944", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36944" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36944", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36944", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/148ed8b4d64f94ab079c8f0d88c3f444db97ba97", + "https://git.kernel.org/stable/c/3628e0383dd349f02f882e612ab6184e4bb3dc10", + "https://git.kernel.org/stable/c/3dfe35d8683daf9ba69278643efbabe40000bbf6", + "https://git.kernel.org/stable/c/4a89ac4b0921c4ea21eb1b4cf3a469a91bacfcea", + "https://git.kernel.org/stable/c/b548c53bc3ab83dc6fc86c8e840f013b2032267a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nReapply \"drm/qxl: simplify qxl_fence_wait\"\n\nThis reverts commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea.\n\nStephen Rostedt reports:\n \"I went to run my tests on my VMs and the tests hung on boot up.\n Unfortunately, the most I ever got out was:\n\n [ 93.607888] Testing event system initcall: OK\n [ 93.667730] Running tests on all trace events:\n [ 93.669757] Testing all events: OK\n [ 95.631064] ------------[ cut here ]------------\n Timed out after 60 seconds\"\n\nand further debugging points to a possible circular locking dependency\nbetween the console_owner locking and the worker pool locking.\n\nReverting the commit allows Steve's VM to boot to completion again.\n\n[ This may obviously result in the \"[TTM] Buffer eviction failed\"\n messages again, which was the reason for that original revert. But at\n this point this seems preferable to a non-booting system... ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36944" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36945", + "dataSource": "https://ubuntu.com/security/CVE-2024-36945", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36945" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36945", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36945", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ddc0dd7fec86ee53b8928a5cca5fbddd4fc7c06", + "https://git.kernel.org/stable/c/5df93c029a907b0ff5a4eeadd77ba06ff0a277d2", + "https://git.kernel.org/stable/c/d5a466ab6e78d6f2e0f64435f1e17246c8e941ff", + "https://git.kernel.org/stable/c/da91e447d06dc649fcf46e59122e7bf8f0b2e0db" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix neighbour and rtable leak in smc_ib_find_route()\n\nIn smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable\nresolved by ip_route_output_flow() are not released or put before return.\nIt may cause the refcount leak, so fix it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36945" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36946", + "dataSource": "https://ubuntu.com/security/CVE-2024-36946", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36946" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36946", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36946", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4ff334cade9dae50e4be387f71e94fae634aa9b4", + "https://git.kernel.org/stable/c/728a83160f98ee6b60df0d890141b9b7240182fe", + "https://git.kernel.org/stable/c/9a77226440008cf04ba68faf641a2d50f4998137", + "https://git.kernel.org/stable/c/d8cac8568618dcb8a51af3db1103e8d4cc4aeea7", + "https://git.kernel.org/stable/c/dc6beac059f0331de97155a89d84058d4a9e49c7", + "https://git.kernel.org/stable/c/ec1f71c05caeba0f814df77e0f511d8b4618623a", + "https://git.kernel.org/stable/c/ee9e39a6cb3ca2a3d35b4ae25547ee3526a44d00", + "https://git.kernel.org/stable/c/f085e02f0a32f6dfcfabc6535c9c4a1707cef86b", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet: fix rtm_phonet_notify() skb allocation\n\nfill_route() stores three components in the skb:\n\n- struct rtmsg\n- RTA_DST (u8)\n- RTA_OIF (u32)\n\nTherefore, rtm_phonet_notify() should use\n\nNLMSG_ALIGN(sizeof(struct rtmsg)) +\nnla_total_size(1) +\nnla_total_size(4)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36946" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36947", + "dataSource": "https://ubuntu.com/security/CVE-2024-36947", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36947" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36947", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36947", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02ee394a5d899d9bd2f0759382e9481cab6166f8", + "https://git.kernel.org/stable/c/24dd9b08df718f20ccf2dd1519909fefd8c233ee", + "https://git.kernel.org/stable/c/aa23317d0268b309bb3f0801ddd0d61813ff5afb", + "https://git.kernel.org/stable/c/bd8f78c71defbcb7a9ed331e7f287507df972b00", + "https://git.kernel.org/stable/c/db71ca93259dd1078bcfea3afafde2143cfc2da7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nqibfs: fix dentry leak\n\nsimple_recursive_removal() drops the pinning references to all positives\nin subtree. For the cases when its argument has been kept alive by\nthe pinning alone that's exactly the right thing to do, but here\nthe argument comes from dcache lookup, that needs to be balanced by\nexplicit dput().\n\nFucked-up-by: Al Viro ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36947" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36948", + "dataSource": "https://ubuntu.com/security/CVE-2024-36948", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36948" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36948", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36948", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/9cb46b31f3d08ed3fce86349e8c12f96d7c88717", + "https://git.kernel.org/stable/c/e23a904dfeb5a9e3d4ec527a365e962478cccf05" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/xe_migrate: Cast to output precision before multiplying operands\n\nAddressing potential overflow in result of multiplication of two lower\nprecision (u32) operands before widening it to higher precision\n(u64).\n\n-v2\nFix commit message and description. (Rodrigo)\n\n(cherry picked from commit 34820967ae7b45411f8f4f737c2d63b0c608e0d7)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36948" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36949", + "dataSource": "https://ubuntu.com/security/CVE-2024-36949", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36949" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36949", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36949", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/b6f6626528fe724b512c34f3fb5946c36a135f58", + "https://git.kernel.org/stable/c/d06af584be5a769d124b7302b32a033e9559761d", + "https://git.kernel.org/stable/c/ed28ef3840bbf93a64376ea7814ce39f86352e14" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: sync all devices to wait all processes being evicted\n\nIf there are more than one device doing reset in parallel, the first\ndevice will call kfd_suspend_all_processes() to evict all processes\non all devices, this call takes time to finish. other device will\nstart reset and recover without waiting. if the process has not been\nevicted before doing recover, it will be restored, then caused page\nfault.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36949" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36950", + "dataSource": "https://ubuntu.com/security/CVE-2024-36950", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36950" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36950", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36950", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/31279bbca40d2f40cb3bbb6d538ec9620a645dec", + "https://git.kernel.org/stable/c/4f9cc355c328fc4f41cbd9c4cd58b235184fa420", + "https://git.kernel.org/stable/c/5982887de60c1b84f9c0ca07c835814d07fd1da0", + "https://git.kernel.org/stable/c/6fafe3661712b143d9c69a7322294bd53f559d5d", + "https://git.kernel.org/stable/c/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9", + "https://git.kernel.org/stable/c/8643332aac0576581cfdf01798ea3e4e0d624b61", + "https://git.kernel.org/stable/c/b3948c69d60279fce5b2eeda92a07d66296c8130", + "https://git.kernel.org/stable/c/fa273f312334246c909475c5868e6daab889cc8c", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: ohci: mask bus reset interrupts between ISR and bottom half\n\nIn the FireWire OHCI interrupt handler, if a bus reset interrupt has\noccurred, mask bus reset interrupts until bus_reset_work has serviced and\ncleared the interrupt.\n\nNormally, we always leave bus reset interrupts masked. We infer the bus\nreset from the self-ID interrupt that happens shortly thereafter. A\nscenario where we unmask bus reset interrupts was introduced in 2008 in\na007bb857e0b26f5d8b73c2ff90782d9c0972620: If\nOHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we\nwill unmask bus reset interrupts so we can log them.\n\nirq_handler logs the bus reset interrupt. However, we can't clear the bus\nreset event flag in irq_handler, because we won't service the event until\nlater. irq_handler exits with the event flag still set. If the\ncorresponding interrupt is still unmasked, the first bus reset will\nusually freeze the system due to irq_handler being called again each\ntime it exits. This freeze can be reproduced by loading firewire_ohci\nwith \"modprobe firewire_ohci debug=-1\" (to enable all debugging output).\nApparently there are also some cases where bus_reset_work will get called\nsoon enough to clear the event, and operation will continue normally.\n\nThis freeze was first reported a few months after a007bb85 was committed,\nbut until now it was never fixed. The debug level could safely be set\nto -1 through sysfs after the module was loaded, but this would be\nineffectual in logging bus reset interrupts since they were only\nunmasked during initialization.\n\nirq_handler will now leave the event flag set but mask bus reset\ninterrupts, so irq_handler won't be called again and there will be no\nfreeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will\nunmask the interrupt after servicing the event, so future interrupts\nwill be caught as desired.\n\nAs a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be\nenabled through sysfs in addition to during initial module loading.\nHowever, when enabled through sysfs, logging of bus reset interrupts will\nbe effective only starting with the second bus reset, after\nbus_reset_work has executed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36950" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36951", + "dataSource": "https://ubuntu.com/security/CVE-2024-36951", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36951" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36951", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36951", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0cac183b98d8a8c692c98e8dba37df15a9e9210d", + "https://git.kernel.org/stable/c/41dc6791596656dd41100b85647ed489e1d5c2f2", + "https://git.kernel.org/stable/c/b6735bfe941486c5dfc9c3085d2d75d4923f9449" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: range check cp bad op exception interrupts\n\nDue to a CP interrupt bug, bad packet garbage exception codes are raised.\nDo a range check so that the debugger and runtime do not receive garbage\ncodes.\nUpdate the user api to guard exception code type checking as well.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36951" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36952", + "dataSource": "https://ubuntu.com/security/CVE-2024-36952", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36952" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36952", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36952", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0936809d968ecf81e0726fbd02ff2a5732d960c3", + "https://git.kernel.org/stable/c/4ddf01f2f1504fa08b766e8cfeec558e9f8eef6c", + "https://git.kernel.org/stable/c/718602cd15f4c5710850090ea3066a89eeb46278", + "https://git.kernel.org/stable/c/76337eb8daee32bcc67742efab3168ed4ca299d0", + "https://git.kernel.org/stable/c/f2c7f029051edc4b394bb48edbe2297575abefe0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\n\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric. This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\n\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject. This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\n\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36952" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36953", + "dataSource": "https://ubuntu.com/security/CVE-2024-36953", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36953" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36953", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36953", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01981276d64e542c177b243f7c979fee855d5487", + "https://git.kernel.org/stable/c/17db92da8be5dd3bf63c01f4109fe47db64fc66f", + "https://git.kernel.org/stable/c/3a5b0378ac6776c7c31b18e0f3c1389bd6005e80", + "https://git.kernel.org/stable/c/4404465a1bee3607ad90a4c5f9e16dfd75b85728", + "https://git.kernel.org/stable/c/6ddb4f372fc63210034b903d96ebbeb3c7195adb", + "https://git.kernel.org/stable/c/8d6a1c8e3de36cb0f5e866f1a582b00939e23104", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()\n\nvgic_v2_parse_attr() is responsible for finding the vCPU that matches\nthe user-provided CPUID, which (of course) may not be valid. If the ID\nis invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled\ngracefully.\n\nSimilar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id()\nactually returns something and fail the ioctl if not.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36953" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36954", + "dataSource": "https://ubuntu.com/security/CVE-2024-36954", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36954" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36954", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36954", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01cd1b7b685751ee422d00d050292a3d277652d6", + "https://git.kernel.org/stable/c/2f87fd9476cf9725d774e6dcb7d17859c6a6d1ae", + "https://git.kernel.org/stable/c/3210d34fda4caff212cb53729e6bd46de604d565", + "https://git.kernel.org/stable/c/42c8471b0566c7539e7dd584b4d0ebd3cec8cb2c", + "https://git.kernel.org/stable/c/614c5a5ae45a921595952117b2e2bd4d4bf9b574", + "https://git.kernel.org/stable/c/97bf6f81b29a8efaf5d0983251a7450e5794370d", + "https://git.kernel.org/stable/c/adbce6d20da6254c86425a8d4359b221b5ccbccd", + "https://git.kernel.org/stable/c/d03a82f4f8144befdc10518e732e2a60b34c870e", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix a possible memleak in tipc_buf_append\n\n__skb_linearize() doesn't free the skb when it fails, so move\n'*buf = NULL' after __skb_linearize(), so that the skb can be\nfreed on the err path.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36954" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36955", + "dataSource": "https://ubuntu.com/security/CVE-2024-36955", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36955" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36955", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36955", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/722d33c442e66e4aabd3e778958d696ff3a2777e", + "https://git.kernel.org/stable/c/7db626d2730d3d80fd31638169054b1e507f07bf", + "https://git.kernel.org/stable/c/7ef6ecf98ce309b1f4e5a25cddd5965d01feea07", + "https://git.kernel.org/stable/c/bd2d9641a39e6b5244230c4b41c4aca83b54b377", + "https://git.kernel.org/stable/c/c158cf914713efc3bcdc25680c7156c48c12ef6a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()\n\nThe documentation for device_get_named_child_node() mentions this\nimportant point:\n\n\"\nThe caller is responsible for calling fwnode_handle_put() on the\nreturned fwnode pointer.\n\"\n\nAdd fwnode_handle_put() to avoid a leaked reference.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.7, + "exploitabilityScore": 2.5, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36955" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36957", + "dataSource": "https://ubuntu.com/security/CVE-2024-36957", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36957" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36957", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36957", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a0285cee11c7dcc2657bcd456e469958a5009e7", + "https://git.kernel.org/stable/c/8f11fe3ea3fc261640cfc8a5addd838000407c67", + "https://git.kernel.org/stable/c/bcdac70adceb44373da204c3c297f2a98e13216e", + "https://git.kernel.org/stable/c/ec697fbd38cbe2eef0948b58673b146caa95402f", + "https://git.kernel.org/stable/c/f299ee709fb45036454ca11e90cb2810fe771878", + "https://git.kernel.org/stable/c/fc3e0076c1f82fe981d321e3a7bad4cbee542c19", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: avoid off-by-one read from userspace\n\nWe try to access count + 1 byte from userspace with memdup_user(buffer,\ncount + 1). However, the userspace only provides buffer of count bytes and\nonly these count bytes are verified to be okay to access. To ensure the\ncopied buffer is NUL terminated, we use memdup_user_nul instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36957" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36959", + "dataSource": "https://ubuntu.com/security/CVE-2024-36959", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36959" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36959", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36959", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/026e24cf31733dbd97f41cc9bc5273ace428eeec", + "https://git.kernel.org/stable/c/06780473cb8a858d1d6cab2673e021b072a852d1", + "https://git.kernel.org/stable/c/35ab679e8bb5a81a4f922d3efbd43e32bce69274", + "https://git.kernel.org/stable/c/47d253c485491caaf70d8cd8c0248ae26e42581f", + "https://git.kernel.org/stable/c/518d5ddafeb084d6d9b1773ed85164300037d0e6", + "https://git.kernel.org/stable/c/76aa2440deb9a35507590f2c981a69a57ecd305d", + "https://git.kernel.org/stable/c/a0cedbcc8852d6c77b00634b81e41f17f29d9404", + "https://git.kernel.org/stable/c/c7e02ccc9fdc496fe51e440e3e66ac36509ca049", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()\n\nIf we fail to allocate propname buffer, we need to drop the reference\ncount we just took. Because the pinctrl_dt_free_maps() includes the\ndroping operation, here we call it directly.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36959" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36960", + "dataSource": "https://ubuntu.com/security/CVE-2024-36960", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36960" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36960", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36960", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0dbfc73670b357456196130551e586345ca48e1b", + "https://git.kernel.org/stable/c/2f527e3efd37c7c5e85e8aa86308856b619fa59f", + "https://git.kernel.org/stable/c/3cd682357c6167f636aec8ac0efaa8ba61144d36", + "https://git.kernel.org/stable/c/7b5fd3af4a250dd0a2a558e07b43478748eb5d22", + "https://git.kernel.org/stable/c/a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c", + "https://git.kernel.org/stable/c/b7bab33c4623c66e3398d5253870d4e88c52dfc0", + "https://git.kernel.org/stable/c/cef0962f2d3e5fd0660c8efb72321083a1b531a9", + "https://git.kernel.org/stable/c/deab66596dfad14f1c54eeefdb72428340d72a77", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix invalid reads in fence signaled events\n\nCorrectly set the length of the drm_event to the size of the structure\nthat's actually used.\n\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. drm_read\nuses the length parameter to copy the event to the user space thus\nresuling in oob reads.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36960" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36964", + "dataSource": "https://ubuntu.com/security/CVE-2024-36964", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36964" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36964", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36964", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/157d468e34fdd3cb1ddc07c2be32fb3b02826b02", + "https://git.kernel.org/stable/c/5a605930e19f451294bd838754f7d66c976a8a2c", + "https://git.kernel.org/stable/c/ad4f65328661392de74e3608bb736fedf3b67e32", + "https://git.kernel.org/stable/c/ca9b5c81f0c918c63d73d962ed8a8e231f840bc8", + "https://git.kernel.org/stable/c/cd25e15e57e68a6b18dc9323047fe9c68b99290b", + "https://git.kernel.org/stable/c/df1962a199783ecd66734d563caf0fedecf08f96", + "https://git.kernel.org/stable/c/e55c601af3b1223a84f9f27f9cdbd2af5e203bf3", + "https://git.kernel.org/stable/c/e90bc596a74bb905e0a45bf346038c3f9d1e868d", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: only translate RWX permissions for plain 9P2000\n\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\nto be able to set (among others) the suid bit. This was presumably not\nthe intent since the unix extended bits are handled explicitly and\nconditionally on .u.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36964" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36965", + "dataSource": "https://ubuntu.com/security/CVE-2024-36965", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36965" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36965", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36965", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/00548ac6b14428719c970ef90adae2b3b48c0cdf", + "https://git.kernel.org/stable/c/1d9e2de24533daca36cbf09e8d8596bf72b526b2", + "https://git.kernel.org/stable/c/26c6d7dc8c6a9fde9d362ab2eef6390efeff145e", + "https://git.kernel.org/stable/c/331f91d86f71d0bb89a44217cc0b2a22810bbd42", + "https://git.kernel.org/stable/c/36c79eb4845551e9f6d28c663b38ce0ab03b84a9", + "https://git.kernel.org/stable/c/838b49e211d59fa827ff9df062d4020917cffbdf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: mediatek: Make sure IPI buffer fits in L2TCM\n\nThe IPI buffer location is read from the firmware that we load to the\nSystem Companion Processor, and it's not granted that both the SRAM\n(L2TCM) size that is defined in the devicetree node is large enough\nfor that, and while this is especially true for multi-core SCP, it's\nstill useful to check on single-core variants as well.\n\nFailing to perform this check may make this driver perform R/W\noperations out of the L2TCM boundary, resulting (at best) in a\nkernel panic.\n\nTo fix that, check that the IPI buffer fits, otherwise return a\nfailure and refuse to boot the relevant SCP core (or the SCP at\nall, if this is single core).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36965" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36966", + "dataSource": "https://ubuntu.com/security/CVE-2024-36966", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36966" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36966", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36966", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7af2ae1b1531feab5d38ec9c8f472dc6cceb4606", + "https://git.kernel.org/stable/c/dcdd49701e429c55b3644fd70fc58d85745f8cfe", + "https://git.kernel.org/stable/c/f9b877a7ee312ec8ce17598a7ef85cb820d7c371" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: reliably distinguish block based and fscache mode\n\nWhen erofs_kill_sb() is called in block dev based mode, s_bdev may not\nhave been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled,\nit will be mistaken for fscache mode, and then attempt to free an anon_dev\nthat has never been allocated, triggering the following warning:\n\n============================================\nida_free called for id=0 which is not allocated.\nWARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140\nModules linked in:\nCPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630\nRIP: 0010:ida_free+0x134/0x140\nCall Trace:\n \n erofs_kill_sb+0x81/0x90\n deactivate_locked_super+0x35/0x80\n get_tree_bdev+0x136/0x1e0\n vfs_get_tree+0x2c/0xf0\n do_new_mount+0x190/0x2f0\n [...]\n============================================\n\nNow when erofs_kill_sb() is called, erofs_sb_info must have been\ninitialised, so use sbi->fsid to distinguish between the two modes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36966" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36967", + "dataSource": "https://ubuntu.com/security/CVE-2024-36967", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36967" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36967", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36967", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/189c768932d435045b1fae12bf63e53866f06a28", + "https://git.kernel.org/stable/c/1e6914fa8e7798bcf3ce4a5b96ea4ac1d5571cdf", + "https://git.kernel.org/stable/c/5d91238b590bd883c86ba7707c5c9096469c08b7", + "https://git.kernel.org/stable/c/cf26a92f560eed5d6ddc3d441cc645950cbabc56", + "https://git.kernel.org/stable/c/e62835264d0352be6086975f18fdfed2b5520b13", + "https://git.kernel.org/stable/c/ffcaa2172cc1a85ddb8b783de96d38ca8855e248" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix memory leak in tpm2_key_encode()\n\n'scratch' is never freed. Fix this by calling kfree() in the success, and\nin the error case.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36967" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36968", + "dataSource": "https://ubuntu.com/security/CVE-2024-36968", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36968" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36968", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36968", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4d3dbaa252257d20611c3647290e6171f1bbd6c8", + "https://git.kernel.org/stable/c/a5b862c6a221459d54e494e88965b48dcfa6cc44", + "https://git.kernel.org/stable/c/ad3f7986c5a0f82b8b66a0afe1cc1f5421e1d674", + "https://git.kernel.org/stable/c/d2b2f7d3936dc5990549bc36ab7ac7ac37f22c30", + "https://git.kernel.org/stable/c/dfece2b4e3759759b2bdfac2cd6d0ee9fbf055f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\n\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\noverflow since hdev->le_mtu may not fall in the valid range.\n\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\nprocess earlier if MTU is invalid.\nAlso, add a missing validation in read_buffer_size() and make it return\nan error value if the validation fails.\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\nkzalloc failure and invalid MTU value.\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci0 hci_rx_work\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\nFS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n \n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\n kthread+0x2e3/0x380 kernel/kthread.c:388\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \nModules linked in:\n---[ end trace 0000000000000000 ]---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36968" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36969", + "dataSource": "https://ubuntu.com/security/CVE-2024-36969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36969" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36969", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/130afc8a886183a94cf6eab7d24f300014ff87ba", + "https://git.kernel.org/stable/c/308de6be0c9c7ba36915c0d398e771725c0ea911", + "https://git.kernel.org/stable/c/7e4f50dfc98c49b3dc6875a35c3112522fb25639", + "https://git.kernel.org/stable/c/91402e0e5de9124a3108db7a14163fcf9a6d322f", + "https://git.kernel.org/stable/c/a32c8f951c8a456c1c251e1dcdf21787f8066445", + "https://git.kernel.org/stable/c/f187fcbbb8f8bf10c6687f0beae22509369f7563" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix division by zero in setup_dsc_config\n\nWhen slice_height is 0, the division by slice_height in the calculation\nof the number of slices will cause a division by zero driver crash. This\nleaves the kernel in a state that requires a reboot. This patch adds a\ncheck to avoid the division by zero.\n\nThe stack trace below is for the 6.8.4 Kernel. I reproduced the issue on\na Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor\nconnected via Thunderbolt. The amdgpu driver crashed with this exception\nwhen I rebooted the system with the monitor connected.\n\nkernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)\nkernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2))\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu\n\nAfter applying this patch, the driver no longer crashes when the monitor\nis connected and the system is rebooted. I believe this is the same\nissue reported for 3113.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36969" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36970", + "dataSource": "https://ubuntu.com/security/CVE-2024-36970", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36970" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36970", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36970", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3d913719df14c28c4d3819e7e6d150760222bda4", + "https://git.kernel.org/stable/c/d20013259539e2fde2deeac85354851097afdf9e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: Use request_module_nowait\n\nThis appears to work around a deadlock regression that came in\nwith the LED merge in 6.9.\n\nThe deadlock happens on my system with 24 iwlwifi radios, so maybe\nit something like all worker threads are busy and some work that needs\nto complete cannot complete.\n\n[also remove unnecessary \"load_module\" var and now-wrong comment]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36970" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36971", + "dataSource": "https://ubuntu.com/security/CVE-2024-36971", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36971" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36971", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36971", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13", + "https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6", + "https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508", + "https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4", + "https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e", + "https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fc", + "https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72", + "https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix __dst_negative_advice() race\n\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\n\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\n\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\n\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\n\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\n\nMany thanks to Clement Lecigne for tracking this issue.\n\nThis old bug became visible after the blamed commit, using UDP sockets.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36971" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36972", + "dataSource": "https://ubuntu.com/security/CVE-2024-36972", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36972" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36972", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36972", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4708f49add84a57ce0ccc7bf9a6269845c631cc3", + "https://git.kernel.org/stable/c/4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1", + "https://git.kernel.org/stable/c/518a994aa0b87d96f1bc6678a7035df5d1fcd7a1", + "https://git.kernel.org/stable/c/9841991a446c87f90f66f4b9fee6fe934c1336a2", + "https://git.kernel.org/stable/c/d59ae9314b97e01c76a4171472441e55721ba636" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.\n\nBilly Jheng Bing-Jhong reported a race between __unix_gc() and\nqueue_oob().\n\n__unix_gc() tries to garbage-collect close()d inflight sockets,\nand then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC\nwill drop the reference and set NULL to it locklessly.\n\nHowever, the peer socket still can send MSG_OOB message and\nqueue_oob() can update unix_sk(sk)->oob_skb concurrently, leading\nNULL pointer dereference. [0]\n\nTo fix the issue, let's update unix_sk(sk)->oob_skb under the\nsk_receive_queue's lock and take it everywhere we touch oob_skb.\n\nNote that we defer kfree_skb() in manage_oob() to silence lockdep\nfalse-positive (See [1]).\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0\nOops: 0002 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events delayed_fput\nRIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)\nCode: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc\nRSP: 0018:ffffc900001bfd48 EFLAGS: 00000002\nRAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9\nRDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00\nRBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001\nR10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00\nR13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80\nFS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \n unix_release_sock (net/unix/af_unix.c:654)\n unix_release (net/unix/af_unix.c:1050)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:423)\n delayed_fput (fs/file_table.c:444 (discriminator 3))\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)\n kthread (kernel/kthread.c:388)\n ret_from_fork (arch/x86/kernel/process.c:153)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:257)\n \nModules linked in:\nCR2: 0000000000000008", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36972" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36974", + "dataSource": "https://ubuntu.com/security/CVE-2024-36974", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36974" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36974", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36974", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0bf6cc96612bd396048f57d63f1ad454a846e39c", + "https://git.kernel.org/stable/c/6db4af09987cc5d5f0136bd46148b0e0460dae5b", + "https://git.kernel.org/stable/c/724050ae4b76e4fae05a923cb54101d792cf4404", + "https://git.kernel.org/stable/c/c37a27a35eadb59286c9092c49c241270c802ae2", + "https://git.kernel.org/stable/c/c6041e7124464ce7e896ee3f912897ce88a0c4ec", + "https://git.kernel.org/stable/c/d3dde4c217f0c31ab0621912e682b57e677dd923", + "https://git.kernel.org/stable/c/f921a58ae20852d188f70842431ce6519c4fdc36" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP\n\nIf one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,\ntaprio_parse_mqprio_opt() must validate it, or userspace\ncan inject arbitrary data to the kernel, the second time\ntaprio_change() is called.\n\nFirst call (with valid attributes) sets dev->num_tc\nto a non zero value.\n\nSecond call (with arbitrary mqprio attributes)\nreturns early from taprio_parse_mqprio_opt()\nand bad things can happen.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36974" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36975", + "dataSource": "https://ubuntu.com/security/CVE-2024-36975", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36975" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36975", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36975", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/050bf3c793a07f96bd1e2fd62e1447f731ed733b", + "https://git.kernel.org/stable/c/1c652e1e10676f942149052d9329b8bf2703529a", + "https://git.kernel.org/stable/c/681935009fec3fc22af97ee312d4a24ccf3cf087", + "https://git.kernel.org/stable/c/96f650995c70237b061b497c66755e32908f8972", + "https://git.kernel.org/stable/c/d32c6e09f7c4bec3ebc4941323f0aa6366bc1487", + "https://git.kernel.org/stable/c/ff91cc12faf798f573dab2abc976c1d5b1862fea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Do not use WARN when encode fails\n\nWhen asn1_encode_sequence() fails, WARN is not the correct solution.\n\n1. asn1_encode_sequence() is not an internal function (located\n in lib/asn1_encode.c).\n2. Location is known, which makes the stack trace useless.\n3. Results a crash if panic_on_warn is set.\n\nIt is also noteworthy that the use of WARN is undocumented, and it\nshould be avoided unless there is a carefully considered rationale to\nuse it.\n\nReplace WARN with pr_err, and print the return value instead, which is\nonly useful piece of information.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36975" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36978", + "dataSource": "https://ubuntu.com/security/CVE-2024-36978", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36978" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36978", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36978", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0f208fad86631e005754606c3ec80c0d44a11882", + "https://git.kernel.org/stable/c/52b1aa07cda6a199cd6754d3798c7759023bc70f", + "https://git.kernel.org/stable/c/54c2c171c11a798fe887b3ff72922aa9d1411c1e", + "https://git.kernel.org/stable/c/598572c64287aee0b75bbba4e2881496878860f3", + "https://git.kernel.org/stable/c/affc18fdc694190ca7575b9a86632a73b9fe043d", + "https://git.kernel.org/stable/c/d5d9d241786f49ae7cbc08e7fc95a115e9d80f3d", + "https://git.kernel.org/stable/c/d6fb5110e8722bc00748f22caeb650fe4672f129" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\n\nq->bands will be assigned to qopt->bands to execute subsequent code logic\nafter kmalloc. So the old q->bands should not be used in kmalloc.\nOtherwise, an out-of-bounds write will occur.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36978" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-37021", + "dataSource": "https://ubuntu.com/security/CVE-2024-37021", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37021" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37021", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37021", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2da62a139a6221a345db4eb9f4f1c4b0937c89ad", + "https://git.kernel.org/stable/c/4d4d2d4346857bf778fafaa97d6f76bb1663e3c9", + "https://git.kernel.org/stable/c/62ac496a01c9337a11362cea427038ba621ca9eb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: manager: add owner module and take its refcount\n\nThe current implementation of the fpga manager assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the manager if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_manager\nstruct and use it to take the module's refcount. Modify the functions for\nregistering the manager to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the manager as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a manager without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga manager.\n\nOther changes: opportunistically move put_device() from __fpga_mgr_get() to\nfpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since the\nmanager device is taken in these functions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37021" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-37078", + "dataSource": "https://ubuntu.com/security/CVE-2024-37078", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37078" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37078", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37078", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ecfe3a92869a59668d27228dabbd7965e83567f", + "https://git.kernel.org/stable/c/1f3bff69f1214fe03a02bc650d5bbfaa6e65ae7d", + "https://git.kernel.org/stable/c/271dcd977ccda8c7a26e360425ae7b4db7d2ecc0", + "https://git.kernel.org/stable/c/33900d7eae616647e179eee1c66ebe654ee39627", + "https://git.kernel.org/stable/c/614d397be0cf43412b3f94a0f6460eddced8ce92", + "https://git.kernel.org/stable/c/95f6f81e50d858a7c9aa7c795ec14a0ac3819118", + "https://git.kernel.org/stable/c/a4ca369ca221bb7e06c725792ac107f0e48e82e7", + "https://git.kernel.org/stable/c/a75b8f493dfc48aa38c518430bd9e03b53bffebe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential kernel bug due to lack of writeback flag waiting\n\nDestructive writes to a block device on which nilfs2 is mounted can cause\na kernel bug in the folio/page writeback start routine or writeback end\nroutine (__folio_start_writeback in the log below):\n\n kernel BUG at mm/page-writeback.c:3070!\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\n ...\n RIP: 0010:__folio_start_writeback+0xbaa/0x10e0\n Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff\n e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>\n 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00\n ...\n Call Trace:\n \n nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]\n nilfs_segctor_construct+0x181/0x6b0 [nilfs2]\n nilfs_segctor_thread+0x548/0x11c0 [nilfs2]\n kthread+0x2f0/0x390\n ret_from_fork+0x4b/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nThis is because when the log writer starts a writeback for segment summary\nblocks or a super root block that use the backing device's page cache, it\ndoes not wait for the ongoing folio/page writeback, resulting in an\ninconsistent writeback state.\n\nFix this issue by waiting for ongoing writebacks when putting\nfolios/pages on the backing device into writeback state.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37078" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-37353", + "dataSource": "https://ubuntu.com/security/CVE-2024-37353", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37353" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37353", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37353", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37353" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-37354", + "dataSource": "https://ubuntu.com/security/CVE-2024-37354", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37354" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37354", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37354", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428", + "https://git.kernel.org/stable/c/3d08c52ba1887a1ff9c179d4b6a18b427bcb2097", + "https://git.kernel.org/stable/c/9d274c19a71b3a276949933859610721a453946b", + "https://git.kernel.org/stable/c/f4e5ed974876c14d3623e04dc43d3e3281bc6011" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\n\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\n\n BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2620!\n invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\n\nWith the following stack trace:\n\n #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)\n #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)\n #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)\n #8 vfs_fsync_range (fs/sync.c:188:9)\n #9 vfs_fsync (fs/sync.c:202:9)\n #10 do_fsync (fs/sync.c:212:9)\n #11 __do_sys_fdatasync (fs/sync.c:225:9)\n #12 __se_sys_fdatasync (fs/sync.c:223:1)\n #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\n\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\n\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\n\n >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n leaf 33439744 flags 0x100000000000000\n fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n generation 7 transid 9 size 8192 nbytes 8473563889606862198\n block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n sequence 204 flags 0x10(PREALLOC)\n atime 1716417703.220000000 (2024-05-22 15:41:43)\n ctime 1716417704.983333333 (2024-05-22 15:41:44)\n mtime 1716417704.983333333 (2024-05-22 15:41:44)\n otime 17592186044416.000000000 (559444-03-08 01:40:16)\n item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n index 195 namelen 3 name: 193\n item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n location key (0 UNKNOWN.0 0) type XATTR\n transid 7 data_len 1 name_len 6\n name: user.a\n data a\n item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n generation 9 type 1 (regular)\n extent data disk byte 303144960 nr 12288\n extent data offset 0 nr 4096 ram 12288\n extent compression 0 (none)\n item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 4096 nr 8192\n item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 8192 nr 4096\n ...\n\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\n\nHere is the state of \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37354" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-37356", + "dataSource": "https://ubuntu.com/security/CVE-2024-37356", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37356" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37356", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37356", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c", + "https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6", + "https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd", + "https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66", + "https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf", + "https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a", + "https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be", + "https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\n\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\n\n alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n ...\n delivered_ce <<= (10 - dctcp_shift_g);\n\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\n\n memcpy((void*)0x20000080,\n \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n /*flags=*/2ul, /*mode=*/0ul);\n memcpy((void*)0x20000000, \"100\\000\", 4);\n syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\n\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\n\nWith this patch:\n\n # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n 10\n # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n -bash: echo: write error: Invalid argument\n\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37356" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38306", + "dataSource": "https://ubuntu.com/security/CVE-2024-38306", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38306" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38306", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38306", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/952f048eb901881a7cc6f7c1368b53cd386ead7b", + "https://git.kernel.org/stable/c/f3a5367c679d31473d3fbb391675055b4792c309" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: protect folio::private when attaching extent buffer folios\n\n[BUG]\nSince v6.8 there are rare kernel crashes reported by various people,\nthe common factor is bad page status error messages like this:\n\n BUG: Bad page state in process kswapd0 pfn:d6e840\n page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c\n pfn:0xd6e840\n aops:btree_aops ino:1\n flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)\n page_type: 0xffffffff()\n raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0\n raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: non-NULL mapping\n\n[CAUSE]\nCommit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") changes the sequence when allocating a new\nextent buffer.\n\nPreviously we always called grab_extent_buffer() under\nmapping->i_private_lock, to ensure the safety on modification on\nfolio::private (which is a pointer to extent buffer for regular\nsectorsize).\n\nThis can lead to the following race:\n\nThread A is trying to allocate an extent buffer at bytenr X, with 4\n4K pages, meanwhile thread B is trying to release the page at X + 4K\n(the second page of the extent buffer at X).\n\n Thread A | Thread B\n-----------------------------------+-------------------------------------\n | btree_release_folio()\n\t\t\t\t | | This is for the page at X + 4K,\n\t\t\t\t | | Not page X.\n\t\t\t\t | |\nalloc_extent_buffer() | |- release_extent_buffer()\n|- filemap_add_folio() for the | | |- atomic_dec_and_test(eb->refs)\n| page at bytenr X (the first | | |\n| page). | | |\n| Which returned -EEXIST. | | |\n| | | |\n|- filemap_lock_folio() | | |\n| Returned the first page locked. | | |\n| | | |\n|- grab_extent_buffer() | | |\n| |- atomic_inc_not_zero() | | |\n| | Returned false | | |\n| |- folio_detach_private() | | |- folio_detach_private() for X\n| |- folio_test_private() | | |- folio_test_private()\n | Returned true | | | Returned true\n |- folio_put() | |- folio_put()\n\nNow there are two puts on the same folio at folio X, leading to refcount\nunderflow of the folio X, and eventually causing the BUG_ON() on the\npage->mapping.\n\nThe condition is not that easy to hit:\n\n- The release must be triggered for the middle page of an eb\n If the release is on the same first page of an eb, page lock would kick\n in and prevent the race.\n\n- folio_detach_private() has a very small race window\n It's only between folio_test_private() and folio_clear_private().\n\nThat's exactly when mapping->i_private_lock is used to prevent such race,\nand commit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") screwed that up.\n\nAt that time, I thought the page lock would kick in as\nfilemap_release_folio() also requires the page to be locked, but forgot\nthe filemap_release_folio() only locks one page, not all pages of an\nextent buffer.\n\n[FIX]\nMove all the code requiring i_private_lock into\nattach_eb_folio_to_filemap(), so that everything is done with proper\nlock protection.\n\nFurthermore to prevent future problems, add an extra\nlockdep_assert_locked() to ensure we're holding the proper lock.\n\nTo reproducer that is able to hit the race (takes a few minutes with\ninstrumented code inserting delays to alloc_extent_buffer()):\n\n #!/bin/sh\n drop_caches () {\n\t while(true); do\n\t\t echo 3 > /proc/sys/vm/drop_caches\n\t\t echo 1 > /proc/sys/vm/compact_memory\n\t done\n }\n\n run_tar () {\n\t while(true); do\n\t\t for x in `seq 1 80` ; do\n\t\t\t tar cf /dev/zero /mnt > /dev/null &\n\t\t done\n\t\t wait\n\t done\n }\n\n mkfs.btrfs -f -d single -m single\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38306" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38381", + "dataSource": "https://ubuntu.com/security/CVE-2024-38381", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38381" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38381", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38381", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/017ff397624930fd7ac7f1761f3c9d6a7100f68c", + "https://git.kernel.org/stable/c/406cfac9debd4a6d3dc5d9258ee086372a8c08b6", + "https://git.kernel.org/stable/c/485ded868ed62ceb2acb3a459d7843fd71472619", + "https://git.kernel.org/stable/c/ad4d196d2008c7f413167f0a693feb4f0439d7fe", + "https://git.kernel.org/stable/c/e4a87abf588536d1cdfb128595e6e680af5cf3ed", + "https://git.kernel.org/stable/c/e53a7f8afcbd2886f2a94c5d56757328109730ea", + "https://git.kernel.org/stable/c/e8c8e0d0d214c877fbad555df5b3ed558cd9b0c3", + "https://git.kernel.org/stable/c/f80b786ab0550d0020191a59077b2c7e069db2d1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_rx_work\n\nsyzbot reported the following uninit-value access issue [1]\n\nnci_rx_work() parses received packet from ndev->rx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38381" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38538", + "dataSource": "https://ubuntu.com/security/CVE-2024-38538", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38538" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38538", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38538", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1abb371147905ba250b4cc0230c4be7e90bea4d5", + "https://git.kernel.org/stable/c/28126b83f86ab9cc7936029c2dff845d3dcedba2", + "https://git.kernel.org/stable/c/5b5d669f569807c7ab07546e73c0741845a2547a", + "https://git.kernel.org/stable/c/8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc", + "https://git.kernel.org/stable/c/f482fd4ce919836a49012b2d31b00fc36e2488f2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: xmit: make sure we have at least eth header len bytes\n\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\nwe can actually pull that amount instead of assuming.\n\nTested with dropwatch:\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\n origin: software\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\n protocol: 0x88a8\n length: 2\n original length: 2\n drop reason: PKT_TOO_SMALL\n\n[1]\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n __bpf_tx_skb net/core/filter.c:2136 [inline]\n __bpf_redirect_common net/core/filter.c:2180 [inline]\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\n __bpf_prog_run include/linux/filter.h:657 [inline]\n bpf_prog_run include/linux/filter.h:664 [inline]\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38538" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38540", + "dataSource": "https://ubuntu.com/security/CVE-2024-38540", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38540" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38540", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38540", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc", + "https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659", + "https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753", + "https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n shift exponent 64 is too large for 64-bit type 'long unsigned int'\n CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n Call Trace:\n \n dump_stack_lvl+0x5d/0x80\n ubsan_epilogue+0x5/0x30\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __kmalloc+0x1b6/0x4f0\n ? create_qp.part.0+0x128/0x1c0 [ib_core]\n ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n create_qp.part.0+0x128/0x1c0 [ib_core]\n ib_create_qp_kernel+0x50/0xd0 [ib_core]\n create_mad_qp+0x8e/0xe0 [ib_core]\n ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n ib_mad_init_device+0x2be/0x680 [ib_core]\n add_client_context+0x10d/0x1a0 [ib_core]\n enable_device_and_get+0xe0/0x1d0 [ib_core]\n ib_register_device+0x53c/0x630 [ib_core]\n ? srso_alias_return_thunk+0x5/0xfbef5\n bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n auxiliary_bus_probe+0x49/0x80\n ? driver_sysfs_add+0x57/0xc0\n really_probe+0xde/0x340\n ? pm_runtime_barrier+0x54/0x90\n ? __pfx___driver_attach+0x10/0x10\n __driver_probe_device+0x78/0x110\n driver_probe_device+0x1f/0xa0\n __driver_attach+0xba/0x1c0\n bus_for_each_dev+0x8f/0xe0\n bus_add_driver+0x146/0x220\n driver_register+0x72/0xd0\n __auxiliary_driver_register+0x6e/0xd0\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n do_one_initcall+0x5b/0x310\n do_init_module+0x90/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x121/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x82/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode_prepare+0x149/0x170\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode+0x75/0x230\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_syscall_64+0x8e/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __count_memcg_events+0x69/0x100\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? count_memcg_events.constprop.0+0x1a/0x30\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? handle_mm_fault+0x1f0/0x300\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_user_addr_fault+0x34e/0x640\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f4e5132821d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n \n ---[ end trace ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38540" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38541", + "dataSource": "https://ubuntu.com/security/CVE-2024-38541", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38541" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38541", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38541", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/0b0d5701a8bf02f8fee037e81aacf6746558bfd6", + "https://git.kernel.org/stable/c/cf7385cb26ac4f0ee6c7385960525ad534323252", + "https://git.kernel.org/stable/c/e45b69360a63165377b30db4a1dfddd89ca18e9a", + "https://git.kernel.org/stable/c/ee332023adfd5882808f2dabf037b32d6ce36f9e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: add buffer overflow check in of_modalias()\n\nIn of_modalias(), if the buffer happens to be too small even for the 1st\nsnprintf() call, the len parameter will become negative and str parameter\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\noverflow check after the 1st snprintf() call and fix such check after the\nstrlen() call (accounting for the terminating NUL char).", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38541" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38543", + "dataSource": "https://ubuntu.com/security/CVE-2024-38543", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38543" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38543", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38543", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a21fdeea502658e315bd939409b755974f4fb64", + "https://git.kernel.org/stable/c/3b20d18f475bd17309db640dbe7d7c7ebb5bc2bc", + "https://git.kernel.org/stable/c/65e528a69cb3ed4a286c45b4afba57461c8b5b33", + "https://git.kernel.org/stable/c/c2af060d1c18beaec56351cf9c9bcbbc5af341a3", + "https://git.kernel.org/stable/c/ce47e8ead9a72834cc68431d53f8092ce69bebb7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/test_hmm.c: handle src_pfns and dst_pfns allocation failure\n\nThe kcalloc() in dmirror_device_evict_chunk() will return null if the\nphysical memory has run out. As a result, if src_pfns or dst_pfns is\ndereferenced, the null pointer dereference bug will happen.\n\nMoreover, the device is going away. If the kcalloc() fails, the pages\nmapping a chunk could not be evicted. So add a __GFP_NOFAIL flag in\nkcalloc().\n\nFinally, as there is no need to have physically contiguous memory, Switch\nkcalloc() to kvcalloc() in order to avoid failing allocations.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38543" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38544", + "dataSource": "https://ubuntu.com/security/CVE-2024-38544", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38544" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38544", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38544", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794", + "https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6", + "https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb", + "https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc", + "https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix seg fault in rxe_comp_queue_pkt\n\nIn rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the\nresp_pkts queue and then a decision is made whether to run the completer\ntask inline or schedule it. Finally the skb is dereferenced to bump a 'hw'\nperformance counter. This is wrong because if the completer task is\nalready running in a separate thread it may have already processed the skb\nand freed it which can cause a seg fault. This has been observed\ninfrequently in testing at high scale.\n\nThis patch fixes this by changing the order of enqueuing the packet until\nafter the counter is accessed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38544" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38545", + "dataSource": "https://ubuntu.com/security/CVE-2024-38545", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38545" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38545", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38545", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/37a7559dc1358a8d300437e99ed8ecdab0671507", + "https://git.kernel.org/stable/c/39d26cf46306bdc7ae809ecfdbfeff5aa1098911", + "https://git.kernel.org/stable/c/63da190eeb5c9d849b71f457b15b308c94cbaf08", + "https://git.kernel.org/stable/c/763780ef0336a973e933e40e919339381732dcaf", + "https://git.kernel.org/stable/c/a942ec2745ca864cd8512142100e4027dc306a42" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix UAF for cq async event\n\nThe refcount of CQ is not protected by locks. When CQ asynchronous\nevents and CQ destruction are concurrent, CQ may have been released,\nwhich will cause UAF.\n\nUse the xa_lock() to protect the CQ refcount.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38545" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38546", + "dataSource": "https://ubuntu.com/security/CVE-2024-38546", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38546" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38546", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38546", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2a345fe928c21de6f3c3c7230ff509d715153a31", + "https://git.kernel.org/stable/c/2d9adecc88ab678785b581ab021f039372c324cb", + "https://git.kernel.org/stable/c/42c22b63056cea259d5313bf138a834840af85a5", + "https://git.kernel.org/stable/c/6cf1874aec42058a5ad621a23b5b2f248def0e96", + "https://git.kernel.org/stable/c/80431ea3634efb47a3004305d76486db9dd8ed49", + "https://git.kernel.org/stable/c/bd7827d46d403f8cdb43d16744cb1114e4726b21", + "https://git.kernel.org/stable/c/c534b63bede6cb987c2946ed4d0b0013a52c5ba7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: vc4: Fix possible null pointer dereference\n\nIn vc4_hdmi_audio_init() of_get_address() may return\nNULL which is later dereferenced. Fix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38546" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38547", + "dataSource": "https://ubuntu.com/security/CVE-2024-38547", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38547" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38547", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38547", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3b621e9e9e148c0928ab109ac3d4b81487469acb", + "https://git.kernel.org/stable/c/4b68b861b514a5c09220d622ac3784c0ebac6c80", + "https://git.kernel.org/stable/c/6482c433863b257b0b9b687c28ce80b89d5f89f0", + "https://git.kernel.org/stable/c/69b27ff82f87379afeaaea4b2f339032fdd8486e", + "https://git.kernel.org/stable/c/82c2c85aead3ea3cbceef4be077cf459c5df2272", + "https://git.kernel.org/stable/c/a1ab99dcc8604afe7e3bccb01b10da03bdd7ea35", + "https://git.kernel.org/stable/c/cc20c87b04db86c8e3e810bcdca686b406206069" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\n\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\nis followed with a dereference of mycs->yuv_scaler_binary after the\nfollowing call chain:\n\nsh_css_pipe_load_binaries()\n |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\n |\n |-> sh_css_pipe_unload_binaries()\n |-> unload_video_binaries()\n\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\ndereference is triggered.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38547" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38548", + "dataSource": "https://ubuntu.com/security/CVE-2024-38548", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38548" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38548", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38548", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32fb2ef124c3301656ac6c789a2ef35ef69a66da", + "https://git.kernel.org/stable/c/47889711da20be9b43e1e136e5cb68df37cbcc79", + "https://git.kernel.org/stable/c/85d1a27402f81f2e04b0e67d20f749c2a14edbb3", + "https://git.kernel.org/stable/c/89788cd9824c28ffcdea40232c458233353d1896", + "https://git.kernel.org/stable/c/935a92a1c400285545198ca2800a4c6c519c650a", + "https://git.kernel.org/stable/c/ca53b7efd4ba6ae92fd2b3085cb099c745e96965", + "https://git.kernel.org/stable/c/dcf53e6103b26e7458be71491d0641f49fbd5840" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: cdns-mhdp8546: Fix possible null pointer dereference\n\nIn cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is\nassigned to mhdp_state->current_mode, and there is a dereference of it in\ndrm_mode_set_name(), which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate().\n\nFix this bug add a check of mhdp_state->current_mode.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38548" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38549", + "dataSource": "https://ubuntu.com/security/CVE-2024-38549", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38549" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38549", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38549", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0e3b6f9123726858cac299e1654e3d20424cabe4", + "https://git.kernel.org/stable/c/13562c2d48c9ee330de1077d00146742be368f05", + "https://git.kernel.org/stable/c/1e4350095e8ab2577ee05f8c3b044e661b5af9a0", + "https://git.kernel.org/stable/c/79078880795478d551a05acc41f957700030d364", + "https://git.kernel.org/stable/c/9489951e3ae505534c4013db4e76b1b5a3151ac7", + "https://git.kernel.org/stable/c/af26ea99019caee1500bf7e60c861136c0bf8594", + "https://git.kernel.org/stable/c/be34a1b351ea7faeb15dde8c44fe89de3980ae67", + "https://git.kernel.org/stable/c/d17b75ee9c2e44d3a3682c4ea5ab713ea6073350", + "https://git.kernel.org/stable/c/fb4aabdb1b48c25d9e1ee28f89440fd2ce556405" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\n\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\nof 0 bytes. Currently, no such check exists and the kernel will panic if\na userspace application attempts to allocate a 0x0 GBM buffer.\n\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\nverifying that we now return EINVAL.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38549" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38550", + "dataSource": "https://ubuntu.com/security/CVE-2024-38550", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38550" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38550", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38550", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a7254525ca7a6f3e37d7882d7f7ad97f6235f7c", + "https://git.kernel.org/stable/c/5bf5154739cd676b6d0958079070557c8d96afb6", + "https://git.kernel.org/stable/c/802b49e39da669b54bd9b77dc3c649999a446bf6", + "https://git.kernel.org/stable/c/d48d0c5fd733bd6d8d3ddb2ed553777ab4724169", + "https://git.kernel.org/stable/c/de9987cec6fde1dd41dfcb971433e05945852489", + "https://git.kernel.org/stable/c/ea60ab95723f5738e7737b56dda95e6feefa5b50" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: kirkwood: Fix potential NULL dereference\n\nIn kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if\nCONFIG_PLAT_ORION macro is not defined.\nFix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38550" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38552", + "dataSource": "https://ubuntu.com/security/CVE-2024-38552", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38552" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38552", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38552", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/04bc4d1090c343025d69149ca669a27c5b9c34a7", + "https://git.kernel.org/stable/c/123edbae64f4d21984359b99c6e79fcde31c6123", + "https://git.kernel.org/stable/c/4e8c8b37ee84b3b19c448d2b8e4c916d2f5b9c86", + "https://git.kernel.org/stable/c/604c506ca43fce52bb882cff9c1fdf2ec3b4029c", + "https://git.kernel.org/stable/c/63ae548f1054a0b71678d0349c7dc9628ddd42ca", + "https://git.kernel.org/stable/c/7226ddf3311c5e5a7726ad7d4e7b079bb3cfbb29", + "https://git.kernel.org/stable/c/98b8a6bfd30d07a19cfacdf82b50f84bf3360869", + "https://git.kernel.org/stable/c/ced9c4e2289a786b8fa684d8893b7045ea53ef7e", + "https://git.kernel.org/stable/c/e280ab978c81443103d7c61bdd1d8d708cf6ed6d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential index out of bounds in color transformation function\n\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38552" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38553", + "dataSource": "https://ubuntu.com/security/CVE-2024-38553", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38553" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38553", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38553", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/87bcbc9b7e0b43a69d44efa5f32f11e32d08fa6f", + "https://git.kernel.org/stable/c/accdd6b912c4219b8e056d1f1ad2e85bc66ee243", + "https://git.kernel.org/stable/c/c2e0c58b25a0a0c37ec643255558c5af4450c9f5", + "https://git.kernel.org/stable/c/d38625f71950e79e254515c5fc585552dad4b33e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\n\nThere is a deadlock issue found in sungem driver, please refer to the\ncommit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid\ndeadlocks\"). The root cause of the issue is that netpoll is in atomic\ncontext and disable_irq() is called by .ndo_poll_controller interface\nof sungem driver, however, disable_irq() might sleep. After analyzing\nthe implementation of fec_poll_controller(), the fec driver should have\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\nso fec_poll_controller() can be safely removed.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38553" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38554", + "dataSource": "https://ubuntu.com/security/CVE-2024-38554", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38554" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38554", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38554", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/36e56b1b002bb26440403053f19f9e1a8bc075b2", + "https://git.kernel.org/stable/c/3ec437f9bbae68e9b38115c4c91de995f73f6bad", + "https://git.kernel.org/stable/c/8bad3a20a27be8d935f2aae08d3c6e743754944a", + "https://git.kernel.org/stable/c/965d940fb7414b310a22666503d2af69459c981b", + "https://git.kernel.org/stable/c/eef95df9b752699bddecefa851f64858247246e9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issue of net_device\n\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\n\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38554" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38555", + "dataSource": "https://ubuntu.com/security/CVE-2024-38555", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38555" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38555", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38555", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb", + "https://git.kernel.org/stable/c/1d5dce5e92a70274de67a59e1e674c3267f94cd7", + "https://git.kernel.org/stable/c/3cb92b0ad73d3f1734e812054e698d655e9581b0", + "https://git.kernel.org/stable/c/7ac4c69c34240c6de820492c0a28a0bd1494265a", + "https://git.kernel.org/stable/c/bf8aaf0ae01c27ae3c06aa8610caf91e50393396", + "https://git.kernel.org/stable/c/db9b31aa9bc56ff0d15b78f7e827d61c4a096e40", + "https://git.kernel.org/stable/c/f6fbb8535e990f844371086ab2c1221f71f993d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Discard command completions in internal error\n\nFix use after free when FW completion arrives while device is in\ninternal error state. Avoid calling completion handler in this case,\nsince the device will flush the command interface and trigger all\ncompletions manually.\n\nKernel log:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\n...\nCall Trace:\n\n? __warn+0x79/0x120\n? refcount_warn_saturate+0xd8/0xe0\n? report_bug+0x17c/0x190\n? handle_bug+0x3c/0x60\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0xd8/0xe0\ncmd_ent_put+0x13b/0x160 [mlx5_core]\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x4b/0x160\nhandle_irq_event+0x2e/0x80\nhandle_edge_irq+0x98/0x230\n__common_interrupt+0x3b/0xa0\ncommon_interrupt+0x7b/0xa0\n\n\nasm_common_interrupt+0x22/0x40", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38555" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38556", + "dataSource": "https://ubuntu.com/security/CVE-2024-38556", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38556" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38556", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38556", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2d0962d05c93de391ce85f6e764df895f47c8918", + "https://git.kernel.org/stable/c/485d65e1357123a697c591a5aeb773994b247ad7", + "https://git.kernel.org/stable/c/4baae687a20ef2b82fde12de3c04461e6f2521d6", + "https://git.kernel.org/stable/c/94024332a129c6e4275569d85c0c1bfb2ae2d71b", + "https://git.kernel.org/stable/c/f9caccdd42e999b74303c9b0643300073ed5d319" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Add a timeout to acquire the command queue semaphore\n\nPrevent forced completion handling on an entry that has not yet been\nassigned an index, causing an out of bounds access on idx = -22.\nInstead of waiting indefinitely for the sem, blocking flow now waits for\nindex to be allocated or a sem acquisition timeout before beginning the\ntimer for FW completion.\n\nKernel log example:\nmlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38556" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38557", + "dataSource": "https://ubuntu.com/security/CVE-2024-38557", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38557" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38557", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38557", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4", + "https://git.kernel.org/stable/c/0f320f28f54b1b269a755be2e3fb3695e0b80b07", + "https://git.kernel.org/stable/c/e93fc8d959e56092e2eca1e5511c2d2f0ad6807a", + "https://git.kernel.org/stable/c/f03c714a0fdd1f93101a929d0e727c28a66383fc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Reload only IB representors upon lag disable/enable\n\nOn lag disable, the bond IB device along with all of its\nrepresentors are destroyed, and then the slaves' representors get reloaded.\n\nIn case the slave IB representor load fails, the eswitch error flow\nunloads all representors, including ethernet representors, where the\nnetdevs get detached and removed from lag bond. Such flow is inaccurate\nas the lag driver is not responsible for loading/unloading ethernet\nrepresentors. Furthermore, the flow described above begins by holding\nlag lock to prevent bond changes during disable flow. However, when\nreaching the ethernet representors detachment from lag, the lag lock is\nrequired again, triggering the following deadlock:\n\nCall trace:\n__switch_to+0xf4/0x148\n__schedule+0x2c8/0x7d0\nschedule+0x50/0xe0\nschedule_preempt_disabled+0x18/0x28\n__mutex_lock.isra.13+0x2b8/0x570\n__mutex_lock_slowpath+0x1c/0x28\nmutex_lock+0x4c/0x68\nmlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]\nmlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]\nmlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]\nmlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]\nmlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]\nmlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]\nmlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]\nmlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]\nmlx5_disable_lag+0x130/0x138 [mlx5_core]\nmlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock\nmlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]\ndevlink_nl_cmd_eswitch_set_doit+0xdc/0x180\ngenl_family_rcv_msg_doit.isra.17+0xe8/0x138\ngenl_rcv_msg+0xe4/0x220\nnetlink_rcv_skb+0x44/0x108\ngenl_rcv+0x40/0x58\nnetlink_unicast+0x198/0x268\nnetlink_sendmsg+0x1d4/0x418\nsock_sendmsg+0x54/0x60\n__sys_sendto+0xf4/0x120\n__arm64_sys_sendto+0x30/0x40\nel0_svc_common+0x8c/0x120\ndo_el0_svc+0x30/0xa0\nel0_svc+0x20/0x30\nel0_sync_handler+0x90/0xb8\nel0_sync+0x160/0x180\n\nThus, upon lag enable/disable, load and unload only the IB representors\nof the slaves preventing the deadlock mentioned above.\n\nWhile at it, refactor the mlx5_esw_offloads_rep_load() function to have\na static helper method for its internal logic, in symmetry with the\nrepresentor unload design.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38557" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38558", + "dataSource": "https://ubuntu.com/security/CVE-2024-38558", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38558" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38558", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38558", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5", + "https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120", + "https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3", + "https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982", + "https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11", + "https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd", + "https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56", + "https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6", + "https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc. Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine. Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38558" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38559", + "dataSource": "https://ubuntu.com/security/CVE-2024-38559", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38559" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38559", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38559", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/177f43c6892e6055de6541fe9391a8a3d1f95fc9", + "https://git.kernel.org/stable/c/1f84a2744ad813be23fc4be99fb74bfb24aadb95", + "https://git.kernel.org/stable/c/4907f5ad246fa9b51093ed7dfc7da9ebbd3f20b8", + "https://git.kernel.org/stable/c/563e609275927c0b75fbfd0d90441543aa7b5e0d", + "https://git.kernel.org/stable/c/769b9fd2af02c069451fe9108dba73355d9a021c", + "https://git.kernel.org/stable/c/a75001678e1d38aa607d5b898ec7ff8ed0700d59", + "https://git.kernel.org/stable/c/d0184a375ee797eb657d74861ba0935b6e405c62", + "https://git.kernel.org/stable/c/d93318f19d1e1a6d5f04f5d965eaa9055bb7c613", + "https://git.kernel.org/stable/c/dccd97b39ab2f2b1b9a47a1394647a4d65815255" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a count-sized kernel buffer and copy count from\nuserspace to that buffer. Later, we use kstrtouint on this buffer but we\ndon't ensure that the string is terminated inside the buffer, this can\nlead to OOB read when using kstrtouint. Fix this issue by using\nmemdup_user_nul instead of memdup_user.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38559" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38560", + "dataSource": "https://ubuntu.com/security/CVE-2024-38560", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38560" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38560", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38560", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00b425ff0891283207d7bad607a2412225274d7a", + "https://git.kernel.org/stable/c/13d0cecb4626fae67c00c84d3c7851f6b62f7df3", + "https://git.kernel.org/stable/c/1708e3cf2488788cba5489e4f913d227de757baf", + "https://git.kernel.org/stable/c/204714e68015d6946279719fd464ecaf57240f35", + "https://git.kernel.org/stable/c/481fc0c8617304a67649027c4a44723a139a0462", + "https://git.kernel.org/stable/c/595a6b98deec01b6dbb20139f71edcd5fb760ec2", + "https://git.kernel.org/stable/c/7510fab46b1cbd1680e2a096e779aec3334b4143", + "https://git.kernel.org/stable/c/7d3e694c4fe30f3aba9cd5ae86fb947a54c3db5c", + "https://git.kernel.org/stable/c/ecb76200f5557a2886888aaa53702da1ab9e6cdf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bfa: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul instead\nof memdup_user.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38560" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38564", + "dataSource": "https://ubuntu.com/security/CVE-2024-38564", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38564" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38564", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38564", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/543576ec15b17c0c93301ac8297333c7b6e84ac7", + "https://git.kernel.org/stable/c/6675c541f540a29487a802d3135280b69b9f568d", + "https://git.kernel.org/stable/c/67929e973f5a347f05fef064fea4ae79e7cdb5fd", + "https://git.kernel.org/stable/c/b34bbc76651065a5eafad8ddff1eb8d1f8473172" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\n\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\nto properly verify prog_type <> attach_type association.\n\nAdd missing attach_type enforcement for the link_create case.\nOtherwise, it's currently possible to attach cgroup_skb prog\ntypes to other cgroup hooks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38564" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38565", + "dataSource": "https://ubuntu.com/security/CVE-2024-38565", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38565" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38565", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38565", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/34f7ebff1b9699e0b89fa58b693bc098c2f5ec72", + "https://git.kernel.org/stable/c/68a5a00c5d38978a3f8460c6f182f7beec8688ff", + "https://git.kernel.org/stable/c/79ddf5f2020fd593d50f1363bb5131283d74f78f", + "https://git.kernel.org/stable/c/7bbf76c9bb2c58375e183074e44f9712483f0603", + "https://git.kernel.org/stable/c/b33a81e4ecfb022b028cae37d1c1ce28ac1b359d", + "https://git.kernel.org/stable/c/b4c24de37a6bb383394a6fef2b85a6db41d426f5", + "https://git.kernel.org/stable/c/beeed260b92af158592f5e8d2dab65dae45c6f70", + "https://git.kernel.org/stable/c/e120b6388d7d88635d67dcae6483f39c37111850", + "https://git.kernel.org/stable/c/ee25389df80138907bc9dcdf4a2be2067cde9a81" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ar5523: enable proper endpoint verification\n\nSyzkaller reports [1] hitting a warning about an endpoint in use\nnot having an expected type to it.\n\nFix the issue by checking for the existence of all proper\nendpoints with their according types intact.\n\nSadly, this patch has not been tested on real hardware.\n\n[1] Syzkaller report:\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n \n ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275\n ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline]\n ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline]\n ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655\n usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573\n hub_port_connect drivers/usb/core/hub.c:5353 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]\n port_event drivers/usb/core/hub.c:5653 [inline]\n hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38565" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38567", + "dataSource": "https://ubuntu.com/security/CVE-2024-38567", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38567" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38567", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38567", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03ddc74bdfd71b84a55c9f2185d8787f258422cd", + "https://git.kernel.org/stable/c/0fa08a55201ab9be72bacb8ea93cf752d338184f", + "https://git.kernel.org/stable/c/265c3cda471c26e0f25d0c755da94e1eb15d7a0c", + "https://git.kernel.org/stable/c/62eb07923f3693d55b0c2d9a5a4f1ad72cb6b8fd", + "https://git.kernel.org/stable/c/6a9892bf24c906b4d6b587f8759ca38bff672582", + "https://git.kernel.org/stable/c/8650725bb0a48b206d5a8ddad3a7488f9a5985b7", + "https://git.kernel.org/stable/c/ac3ed46a8741d464bc70ebdf7433c1d786cf329d", + "https://git.kernel.org/stable/c/b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0", + "https://git.kernel.org/stable/c/eb0f2fc3ff5806cc572cd9055ce7c52a01e97645" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: carl9170: add a proper sanity check for endpoints\n\nSyzkaller reports [1] hitting a warning which is caused by presence\nof a wrong endpoint type at the URB sumbitting stage. While there\nwas a check for a specific 4th endpoint, since it can switch types\nbetween bulk and interrupt, other endpoints are trusted implicitly.\nSimilar warning is triggered in a couple of other syzbot issues [2].\n\nFix the issue by doing a comprehensive check of all endpoints\ntaking into account difference between high- and full-speed\nconfiguration.\n\n[1] Syzkaller report:\n...\nWARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n \n carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504\n carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]\n carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]\n carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028\n request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n\n[2] Related syzkaller crashes:", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38567" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38570", + "dataSource": "https://ubuntu.com/security/CVE-2024-38570", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38570" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38570", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38570", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37", + "https://git.kernel.org/stable/c/501cd8fabf621d10bd4893e37f6ce6c20523c8ca", + "https://git.kernel.org/stable/c/d98779e687726d8f8860f1c54b5687eec5f63a73", + "https://git.kernel.org/stable/c/e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix potential glock use-after-free on unmount\n\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically. Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace. This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\n\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\n\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38570" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38571", + "dataSource": "https://ubuntu.com/security/CVE-2024-38571", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38571" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38571", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38571", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/06d17744b77bc6cb29a6c785f4fad8c4163ee653", + "https://git.kernel.org/stable/c/11c731386ed82053c2759b6fea1a82ae946e5e0f", + "https://git.kernel.org/stable/c/27600e0c5272a262b0903e35ae1df37d33c5c1ad", + "https://git.kernel.org/stable/c/2d5ca6e4a2872e92a32fdfd87e04dd7d3ced7278", + "https://git.kernel.org/stable/c/d998ddc86a27c92140b9f7984ff41e3d1d07a48f", + "https://git.kernel.org/stable/c/fcf5f1b5f308f2eb422f6aca55d295b25890906b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/tsens: Fix null pointer dereference\n\ncompute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)\nas compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null\npointer dereference (if DEBUG or DYNAMIC_DEBUG set).\nFix this bug by adding null pointer check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38571" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38573", + "dataSource": "https://ubuntu.com/security/CVE-2024-38573", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38573" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38573", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38573", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/769c4f355b7962895205b86ad35617873feef9a5", + "https://git.kernel.org/stable/c/9a185cc5a79ba408e1c73375706630662304f618", + "https://git.kernel.org/stable/c/b18daa4ec727c0266de5bfc78e818d168cc4aedf", + "https://git.kernel.org/stable/c/cf7de25878a1f4508c69dc9f6819c21ba177dbfe", + "https://git.kernel.org/stable/c/dfec15222529d22b15e5b0d63572a9e39570cab4", + "https://git.kernel.org/stable/c/f84b9b25d045e67a7eee5e73f21278c8ab06713c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncppc_cpufreq: Fix possible null pointer dereference\n\ncppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from\ndifferent places with various parameters. So cpufreq_cpu_get() can return\nnull as 'policy' in some circumstances.\nFix this bug by adding null return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38573" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38577", + "dataSource": "https://ubuntu.com/security/CVE-2024-38577", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38577" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38577", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38577", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/08186d0c5fb64a1cc4b43e009314ee6b173ed222", + "https://git.kernel.org/stable/c/1a240e138071b25944ded0f5b3e357aa99fabcb7", + "https://git.kernel.org/stable/c/32d988f48ed287e676a29a15ac30701c35849aec", + "https://git.kernel.org/stable/c/6593d857ce5b5b802fb73d8091ac9c84b92c1697", + "https://git.kernel.org/stable/c/cc5645fddb0ce28492b15520306d092730dffa48" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\n\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\n\nUse snprintf() with buffer size instead of sprintf().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38577" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38578", + "dataSource": "https://ubuntu.com/security/CVE-2024-38578", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38578" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38578", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38578", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d0f8ba042af16519f1ef7dd10463a33b21b677c", + "https://git.kernel.org/stable/c/12db25a54ce6bb22b0af28010fff53ef9cb3fe93", + "https://git.kernel.org/stable/c/1c125b9287e58f364d82174efb167414b92b11f1", + "https://git.kernel.org/stable/c/235b85981051cd68fc215fd32a81c6f116bfc4df", + "https://git.kernel.org/stable/c/2ed750b7ae1b5dc72896d7dd114c419afd3d1910", + "https://git.kernel.org/stable/c/85a6a1aff08ec9f5b929d345d066e2830e8818e5", + "https://git.kernel.org/stable/c/a20f09452e2f58f761d11ad7b96b5c894c91030e", + "https://git.kernel.org/stable/c/edbfc42ab080e78c6907d40a42c9d10b69e445c1", + "https://git.kernel.org/stable/c/f6008487f1eeb8693f8d2a36a89c87d9122ddf74" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\necryptfs: Fix buffer size for tag 66 packet\n\nThe 'TAG 66 Packet Format' description is missing the cipher code and\nchecksum fields that are packed into the message packet. As a result,\nthe buffer allocated for the packet is 3 bytes too small and\nwrite_tag_66_packet() will write up to 3 bytes past the end of the\nbuffer.\n\nFix this by increasing the size of the allocation so the whole packet\nwill always fit in the buffer.\n\nThis fixes the below kasan slab-out-of-bounds bug:\n\n BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0\n Write of size 1 at addr ffff88800afbb2a5 by task touch/181\n\n CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014\n Call Trace:\n \n dump_stack_lvl+0x4c/0x70\n print_report+0xc5/0x610\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? kasan_complete_mode_report_info+0x44/0x210\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n kasan_report+0xc2/0x110\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n __asan_store1+0x62/0x80\n ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10\n ? __alloc_pages+0x2e2/0x540\n ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]\n ? dentry_open+0x8f/0xd0\n ecryptfs_write_metadata+0x30a/0x550\n ? __pfx_ecryptfs_write_metadata+0x10/0x10\n ? ecryptfs_get_lower_file+0x6b/0x190\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n ? __pfx_path_openat+0x10/0x10\n do_filp_open+0x15e/0x290\n ? __pfx_do_filp_open+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? _raw_spin_lock+0x86/0xf0\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? alloc_fd+0xf4/0x330\n do_sys_openat2+0x122/0x160\n ? __pfx_do_sys_openat2+0x10/0x10\n __x64_sys_openat+0xef/0x170\n ? __pfx___x64_sys_openat+0x10/0x10\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7f00a703fd67\n Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f\n RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\n RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67\n RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c\n RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000\n R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941\n R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040\n \n\n Allocated by task 181:\n kasan_save_stack+0x2f/0x60\n kasan_set_track+0x29/0x40\n kasan_save_alloc_info+0x25/0x40\n __kasan_kmalloc+0xc5/0xd0\n __kmalloc+0x66/0x160\n ecryptfs_generate_key_packet_set+0x6d2/0xde0\n ecryptfs_write_metadata+0x30a/0x550\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n do_filp_open+0x15e/0x290\n do_sys_openat2+0x122/0x160\n __x64_sys_openat+0xef/0x170\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38578" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38579", + "dataSource": "https://ubuntu.com/security/CVE-2024-38579", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38579" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38579", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38579", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9", + "https://git.kernel.org/stable/c/3b7a40740f04e2f27114dfd6225c5e721dda9d57", + "https://git.kernel.org/stable/c/49833a8da6407e7e9b532cc4054fdbcaf78f5fdd", + "https://git.kernel.org/stable/c/c0082ee420639a97e40cae66778b02b341b005e5", + "https://git.kernel.org/stable/c/c256b616067bfd6d274c679c06986b78d2402434", + "https://git.kernel.org/stable/c/c69a1e4b419c2c466dd8c5602bdebadc353973dd", + "https://git.kernel.org/stable/c/d0f14ae223c2421b334c1f1a9e48f1e809aee3a0", + "https://git.kernel.org/stable/c/e719c8991c161977a67197775067ab456b518c7b", + "https://git.kernel.org/stable/c/ebed0d666fa709bae9e8cafa8ec6e7ebd1d318c6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: bcm - Fix pointer arithmetic\n\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38579" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38580", + "dataSource": "https://ubuntu.com/security/CVE-2024-38580", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38580" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38580", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38580", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16e3182f6322575eb7c12e728ad3c7986a189d5d", + "https://git.kernel.org/stable/c/4efaa5acf0a1d2b5947f98abb3acf8bfd966422b", + "https://git.kernel.org/stable/c/4f65f4defe4e23659275ce5153541cd4f76ce2d2", + "https://git.kernel.org/stable/c/559214eb4e5c3d05e69428af2fae2691ba1eb784", + "https://git.kernel.org/stable/c/cbfd1088e24ec4c1199756a37cb8e4cd0a4b016e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nepoll: be better about file lifetimes\n\nepoll can call out to vfs_poll() with a file pointer that may race with\nthe last 'fput()'. That would make f_count go down to zero, and while\nthe ep->mtx locking means that the resulting file pointer tear-down will\nbe blocked until the poll returns, it means that f_count is already\ndead, and any use of it won't actually get a reference to the file any\nmore: it's dead regardless.\n\nMake sure we have a valid ref on the file pointer before we call down to\nvfs_poll() from the epoll routines.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38580" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38582", + "dataSource": "https://ubuntu.com/security/CVE-2024-38582", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38582" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38582", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38582", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd", + "https://git.kernel.org/stable/c/1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0", + "https://git.kernel.org/stable/c/6e5c8e8e024e147b834f56f2115aad241433679b", + "https://git.kernel.org/stable/c/911d38be151921a5d152bb55e81fd752384c6830", + "https://git.kernel.org/stable/c/a8799662fed1f8747edae87a1937549288baca6a", + "https://git.kernel.org/stable/c/bc9cee50a4a4ca23bdc49f75ea8242d8a2193b3b", + "https://git.kernel.org/stable/c/c516db6ab9eabbedbc430b4f93b0d8728e9b427f", + "https://git.kernel.org/stable/c/eb85dace897c5986bc2f36b3c783c6abb8a4292e", + "https://git.kernel.org/stable/c/eff7cdf890b02596b8d73e910bdbdd489175dbdb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential hang in nilfs_detach_log_writer()\n\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\n\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\n\nnilfs_detach_log_writer\n nilfs_segctor_destroy\n nilfs_segctor_kill_thread --> Shut down log writer thread\n flush_work\n nilfs_iput_work_func\n nilfs_dispose_list\n iput\n nilfs_evict_inode\n nilfs_transaction_commit\n nilfs_construct_segment (if inode needs sync)\n nilfs_segctor_sync --> Attempt to synchronize with\n log writer thread\n *** DEADLOCK ***\n\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\n\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38582" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38583", + "dataSource": "https://ubuntu.com/security/CVE-2024-38583", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38583" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38583", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38583", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2f12b2c03c5dae1a0de0a9e5853177e3d6eee3c6", + "https://git.kernel.org/stable/c/67fa90d4a2ccd9ebb0e1e168c7d0b5d0cf3c7148", + "https://git.kernel.org/stable/c/68e738be5c518fc3c4e9146b66f67c8fee0135fb", + "https://git.kernel.org/stable/c/822ae5a8eac30478578a75f7e064f0584931bf2d", + "https://git.kernel.org/stable/c/82933c84f188dcfe89eb26b0b48ab5d1ca99d164", + "https://git.kernel.org/stable/c/86a30d6302deddb9fb97ba6fc4b04d0e870b582a", + "https://git.kernel.org/stable/c/e65ccf3a4de4f0c763d94789615b83e11f204438", + "https://git.kernel.org/stable/c/f5d4e04634c9cf68bdf23de08ada0bb92e8befe7", + "https://git.kernel.org/stable/c/f9186bba4ea282b07293c1c892441df3a5441cb0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of timer for log writer thread\n\nPatch series \"nilfs2: fix log writer related issues\".\n\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis. Details are described in each commit log.\n\n\nThis patch (of 3):\n\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\n\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\n\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38583" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38586", + "dataSource": "https://ubuntu.com/security/CVE-2024-38586", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38586" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38586", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38586", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/078d5b7500d70af2de6b38e226b03f0b932026a6", + "https://git.kernel.org/stable/c/0c48185a95309556725f818b82120bb74e9c627d", + "https://git.kernel.org/stable/c/54e7a0d111240c92c0f02ceba6eb8f26bf6d6479", + "https://git.kernel.org/stable/c/61c1c98e2607120ce9c3fa1bf75e6da909712b27", + "https://git.kernel.org/stable/c/68222d7b4b72aa321135cd453dac37f00ec41fd1", + "https://git.kernel.org/stable/c/b6d21cf40de103d63ae78551098a7c06af8c98dd", + "https://git.kernel.org/stable/c/c71e3a5cffd5309d7f84444df03d5b72600cc417" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\n\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\n\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\n\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38586" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38587", + "dataSource": "https://ubuntu.com/security/CVE-2024-38587", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38587" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38587", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38587", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b", + "https://git.kernel.org/stable/c/07ef95cc7a579731198c93beed281e3a79a0e586", + "https://git.kernel.org/stable/c/3726f75a1ccc16cd335c0ccfad1d92ee08ecba5e", + "https://git.kernel.org/stable/c/42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358", + "https://git.kernel.org/stable/c/504178fb7d9f6cdb0496d5491efb05f45597e535", + "https://git.kernel.org/stable/c/c6e1650cf5df1bd6638eeee231a683ef30c7d4eb", + "https://git.kernel.org/stable/c/cd7f3978c2ec741aedd1d860b2adb227314cf996", + "https://git.kernel.org/stable/c/d52c04474feac8e305814a5228e622afe481b2ef", + "https://git.kernel.org/stable/c/eb1ea64328d4cc7d7a912c563f8523d5259716ef" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Fix sizeof() vs ARRAY_SIZE() bug\n\nThe \"buf\" pointer is an array of u16 values. This code should be\nusing ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),\notherwise it can the still got out of bounds.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38587" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38588", + "dataSource": "https://ubuntu.com/security/CVE-2024-38588", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38588" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38588", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38588", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b", + "https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6", + "https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461", + "https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831", + "https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada", + "https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix possible use-after-free issue in ftrace_location()\n\nKASAN reports a bug:\n\n BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n Read of size 8 at addr ffff888141d40010 by task insmod/424\n CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+\n [...]\n Call Trace:\n \n dump_stack_lvl+0x68/0xa0\n print_report+0xcf/0x610\n kasan_report+0xb5/0xe0\n ftrace_location+0x90/0x120\n register_kprobe+0x14b/0xa40\n kprobe_init+0x2d/0xff0 [kprobe_example]\n do_one_initcall+0x8f/0x2d0\n do_init_module+0x13a/0x3c0\n load_module+0x3082/0x33d0\n init_module_from_file+0xd2/0x130\n __x64_sys_finit_module+0x306/0x440\n do_syscall_64+0x68/0x140\n entry_SYSCALL_64_after_hwframe+0x71/0x79\n\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\n\n CPU1 | CPU2\n register_kprobes() { | delete_module() {\n check_kprobe_address_safe() { |\n arch_check_ftrace_location() { |\n ftrace_location() { |\n lookup_rec() // USE! | ftrace_release_mod() // Free!\n\nTo fix this issue:\n 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n 2. Use ftrace_location_range() instead of lookup_rec() in\n ftrace_location();\n 3. Call synchronize_rcu() before freeing any ftrace pages both in\n ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38588" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38589", + "dataSource": "https://ubuntu.com/security/CVE-2024-38589", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38589" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38589", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38589", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1fbfb483c1a290dce3f41f52d45cc46dd88b7691", + "https://git.kernel.org/stable/c/3db2fc45d1d2a6457f06ebdfd45b9820e5b5c2b7", + "https://git.kernel.org/stable/c/421c50fa81836775bf0fd6ce0e57a6eb27af24d5", + "https://git.kernel.org/stable/c/5bc50a705cfac8f64ce51c95611c3dd0554ef9c3", + "https://git.kernel.org/stable/c/5fb7e2a4335fc67d6952ad2a6613c46e0b05f7c5", + "https://git.kernel.org/stable/c/b117e5b4f27c2c9076561b6be450a9619f0b79de", + "https://git.kernel.org/stable/c/b9d663fbf74290cb68fbc66ae4367bd56837ad1d", + "https://git.kernel.org/stable/c/e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6", + "https://git.kernel.org/stable/c/f28bdc2ee5d9300cc77bd3d97b5b3cdd14960fd8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: fix possible dead-lock in nr_rt_ioctl()\n\nsyzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]\n\nMake sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)\n\n[1]\nWARNING: possible circular locking dependency detected\n6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted\n------------------------------------------------------\nsyz-executor350/5129 is trying to acquire lock:\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n\nbut task is already holding lock:\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (nr_node_list_lock){+...}-{2:2}:\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_remove_node net/netrom/nr_route.c:299 [inline]\n nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355\n nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n-> #0 (&nr_node->node_lock){+...}-{2:2}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_node_lock include/net/netrom.h:152 [inline]\n nr_dec_obs net/netrom/nr_route.c:464 [inline]\n nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(nr_node_list_lock);\n lock(&nr_node->node_lock);\n lock(nr_node_list_lock);\n lock(&nr_node->node_lock);\n\n *** DEADLOCK ***\n\n1 lock held by syz-executor350/5129:\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n #0: ffffffff8f70\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38589" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38590", + "dataSource": "https://ubuntu.com/security/CVE-2024-38590", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38590" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38590", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38590", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06cf121346bbd3d83a5eea05bb87666c6b279990", + "https://git.kernel.org/stable/c/17f3741c65c4a042ae8ba094068b07a4b77e213c", + "https://git.kernel.org/stable/c/349e859952285ab9689779fb46de163f13f18f43", + "https://git.kernel.org/stable/c/45b31be4dd22827903df15c548b97b416790139b", + "https://git.kernel.org/stable/c/6f541a89ced8305da459e3ab0006e7528cf7da7b", + "https://git.kernel.org/stable/c/817a10a6df9354e67561922d2b7fce48dfbebc55", + "https://git.kernel.org/stable/c/cc699b7eb2bc963c12ffcd37f80f45330d2924bd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Modify the print level of CQE error\n\nToo much print may lead to a panic in kernel. Change ibdev_err() to\nibdev_err_ratelimited(), and change the printing level of cqe dump\nto debug level.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38590" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38591", + "dataSource": "https://ubuntu.com/security/CVE-2024-38591", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38591" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38591", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38591", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/22c915af31bd84ffaa46145e317f53333f94a868", + "https://git.kernel.org/stable/c/4a3be1a0ffe04c085dd7f79be97c91b0c786df3d", + "https://git.kernel.org/stable/c/72dc542f0d8977e7d41d610db6bb65c47cad43e9", + "https://git.kernel.org/stable/c/756ddbe665ea7f9416951bd76731b174d136eea0", + "https://git.kernel.org/stable/c/b46494b6f9c19f141114a57729e198698f40af37", + "https://git.kernel.org/stable/c/d271e66abac5c7eb8de345b9b44d89f777437a4c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix deadlock on SRQ async events.\n\nxa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/\nxa_erase_irq() to avoid deadlock.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38591" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38594", + "dataSource": "https://ubuntu.com/security/CVE-2024-38594", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38594" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38594", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38594", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/36ac9e7f2e5786bd37c5cd91132e1f39c29b8197", + "https://git.kernel.org/stable/c/487f9030b1ef34bab123f2df2a4ccbe01ba84416", + "https://git.kernel.org/stable/c/6f476aff2d8da1a189621c4c16a76a6c534e4312" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: move the EST lock to struct stmmac_priv\n\nReinitialize the whole EST structure would also reset the mutex\nlock which is embedded in the EST structure, and then trigger\nthe following warning. To address this, move the lock to struct\nstmmac_priv. We also need to reacquire the mutex lock when doing\nthis initialization.\n\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\nWARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068\n Modules linked in:\n CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29\n Hardware name: NXP i.MX8MPlus EVK board (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __mutex_lock+0xd84/0x1068\n lr : __mutex_lock+0xd84/0x1068\n sp : ffffffc0864e3570\n x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003\n x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac\n x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000\n x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff\n x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000\n x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8\n x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698\n x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001\n x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n __mutex_lock+0xd84/0x1068\n mutex_lock_nested+0x28/0x34\n tc_setup_taprio+0x118/0x68c\n stmmac_setup_tc+0x50/0xf0\n taprio_change+0x868/0xc9c", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38594" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38596", + "dataSource": "https://ubuntu.com/security/CVE-2024-38596", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38596" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38596", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38596", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0688d4e499bee3f2749bca27329bd128686230cb", + "https://git.kernel.org/stable/c/4d51845d734a4c5d079e56e0916f936a55e15055", + "https://git.kernel.org/stable/c/540bf24fba16b88c1b3b9353927204b4f1074e25", + "https://git.kernel.org/stable/c/8299e4d778f664b31b67cf4cf3d5409de2ecb92c", + "https://git.kernel.org/stable/c/9aa8773abfa0e954136875b4cbf2df4cf638e8a5", + "https://git.kernel.org/stable/c/a4c88072abcaca593cefe70f90e9d3707526e8f9", + "https://git.kernel.org/stable/c/a52fa2addfcccc2c5a0217fd45562605088c018b", + "https://git.kernel.org/stable/c/de6641d213373fbde9bbdd7c4b552254bc9f82fe", + "https://git.kernel.org/stable/c/fca6072e1a7b1e709ada5604b951513b89b4bd0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\n\nA data-race condition has been identified in af_unix. In one data path,\nthe write function unix_release_sock() atomically writes to\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\nunix_stream_sendmsg() does not read it atomically. Consequently, this\nissue is causing the following KCSAN splat to occur:\n\n\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\n\n\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\n\tunix_release_sock (net/unix/af_unix.c:640)\n\tunix_release (net/unix/af_unix.c:1050)\n\tsock_close (net/socket.c:659 net/socket.c:1421)\n\t__fput (fs/file_table.c:422)\n\t__fput_sync (fs/file_table.c:508)\n\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\n\t__x64_sys_close (fs/open.c:1541)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\n\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\n\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\n\t____sys_sendmsg (net/socket.c:2584)\n\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\n\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tvalue changed: 0x01 -> 0x03\n\nThe line numbers are related to commit dd5a440a31fa (\"Linux 6.9-rc7\").\n\nCommit e1d09c2c2f57 (\"af_unix: Fix data races around sk->sk_shutdown.\")\naddressed a comparable issue in the past regarding sk->sk_shutdown.\nHowever, it overlooked resolving this particular data path.\nThis patch only offending unix_stream_sendmsg() function, since the\nother reads seem to be protected by unix_state_lock() as discussed in", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38596" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38597", + "dataSource": "https://ubuntu.com/security/CVE-2024-38597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38597", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/476adb3bbbd7886e8251d3b9ce2d3c3e680f35d6", + "https://git.kernel.org/stable/c/5de5aeb98f9a000adb0db184e32765e4815d860b", + "https://git.kernel.org/stable/c/6400d205fbbcbcf9b8510157e1f379c1d7e2e937", + "https://git.kernel.org/stable/c/ac0a230f719b02432d8c7eba7615ebd691da86f4", + "https://git.kernel.org/stable/c/e22b23f5888a065d084e87db1eec639c445e677f", + "https://git.kernel.org/stable/c/faf94f1eb8a34b2c31b2042051ef36f63420ecce", + "https://git.kernel.org/stable/c/fbeeb55dbb33d562149c57e794f06b7414e44289" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: sungem: remove .ndo_poll_controller to avoid deadlocks\n\nErhard reports netpoll warnings from sungem:\n\n netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398)\n WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c\n\ngem_poll_controller() disables interrupts, which may sleep.\nWe can't sleep in netpoll, it has interrupts disabled completely.\nStrangely, gem_poll_controller() doesn't even poll the completions,\nand instead acts as if an interrupt has fired so it just schedules\nNAPI and exits. None of this has been necessary for years, since\nnetpoll invokes NAPI directly.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38597" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38598", + "dataSource": "https://ubuntu.com/security/CVE-2024-38598", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38598" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38598", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38598", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3f5b73ef8fd6268cbc968b308d8eafe56fda97f3", + "https://git.kernel.org/stable/c/43771597feba89a839c5f893716df88ae5c237ce", + "https://git.kernel.org/stable/c/5817f43ae1a118855676f57ef7ab50e37eac7482", + "https://git.kernel.org/stable/c/69296914bfd508c85935bf5f711cad9b0fe78492", + "https://git.kernel.org/stable/c/71e8e4f288e74a896b6d9cd194f3bab12bd7a10f", + "https://git.kernel.org/stable/c/8bbc71315e0ae4bb7e37f8d43b915e1cb01a481b", + "https://git.kernel.org/stable/c/c9566b812c8f66160466cc1e29df6d3646add0b1", + "https://git.kernel.org/stable/c/d4b9c764d48fa41caa24cfb4275f3aa9fb4bd798", + "https://git.kernel.org/stable/c/f0e729af2eb6bee9eb58c4df1087f14ebaefe26b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix resync softlockup when bitmap size is less than array size\n\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\n\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n \n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\n\nAnd the detailed process is as follows:\n\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n sectors = raid10_sync_request(mddev, j, &skipped)\n if (!md_bitmap_start_sync(..., &sync_blocks))\n // md_bitmap_start_sync set sync_blocks to 0\n return sync_blocks + sectors_skippe;\n // sectors = 0;\n j += sectors;\n // j never change\n\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\n\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\n\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38598" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38599", + "dataSource": "https://ubuntu.com/security/CVE-2024-38599", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38599" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38599", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38599", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11", + "https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df", + "https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275", + "https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07", + "https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b", + "https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb", + "https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913", + "https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098", + "https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eraseblock\n\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\n\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\n\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\n\nThis breaks the filesystem and can lead to KASAN crashes such as:\n\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38599" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38600", + "dataSource": "https://ubuntu.com/security/CVE-2024-38600", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38600" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38600", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38600", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2f103287ef7960854808930499d1181bd0145d68", + "https://git.kernel.org/stable/c/6b55e879e7bd023a03888fc6c8339edf82f576f4", + "https://git.kernel.org/stable/c/87988a534d8e12f2e6fc01fe63e6c1925dc5307c", + "https://git.kernel.org/stable/c/88ce3fe255d58a93624b467af036dc3519f309c7", + "https://git.kernel.org/stable/c/c2fb439f4f1425a961d20bec818fed2c2d9ef70a", + "https://git.kernel.org/stable/c/ff80185e7b7b547a0911fcfc8aefc61c3e8304d7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: Fix deadlocks with kctl removals at disconnection\n\nIn snd_card_disconnect(), we set card->shutdown flag at the beginning,\ncall callbacks and do sync for card->power_ref_sleep waiters at the\nend. The callback may delete a kctl element, and this can lead to a\ndeadlock when the device was in the suspended state. Namely:\n\n* A process waits for the power up at snd_power_ref_and_wait() in\n snd_ctl_info() or read/write() inside card->controls_rwsem.\n\n* The system gets disconnected meanwhile, and the driver tries to\n delete a kctl via snd_ctl_remove*(); it tries to take\n card->controls_rwsem again, but this is already locked by the\n above. Since the sleeper isn't woken up, this deadlocks.\n\nAn easy fix is to wake up sleepers before processing the driver\ndisconnect callbacks but right after setting the card->shutdown flag.\nThen all sleepers will abort immediately, and the code flows again.\n\nSo, basically this patch moves the wait_event() call at the right\ntiming. While we're at it, just to be sure, call wait_event_all()\ninstead of wait_event(), although we don't use exclusive events on\nthis queue for now.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-38600" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38601", + "dataSource": "https://ubuntu.com/security/CVE-2024-38601", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38601" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38601", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38601", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b", + "https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e", + "https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb", + "https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1", + "https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87", + "https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533", + "https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e", + "https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa", + "https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix a race between readers and resize checks\n\nThe reader code in rb_get_reader_page() swaps a new reader page into the\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\nnew page. Following that, if the operation is successful,\nold->list.next->prev gets updated too. This means the underlying\ndoubly-linked list is temporarily inconsistent, page->prev->next or\npage->next->prev might not be equal back to page for some page in the\nring buffer.\n\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\nIt calls rb_check_pages() which can detect the described inconsistency\nand stop further tracing:\n\n[ 190.271762] ------------[ cut here ]------------\n[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\n[ 190.271789] Modules linked in: [...]\n[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\n[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\n[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\n[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\n[ 190.272023] Code: [...]\n[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\n[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\n[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\n[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\n[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\n[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\n[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\n[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\n[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 190.272077] Call Trace:\n[ 190.272098] \n[ 190.272189] ring_buffer_resize+0x2ab/0x460\n[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0\n[ 190.272206] tracing_resize_ring_buffer+0x65/0x90\n[ 190.272216] tracing_entries_write+0x74/0xc0\n[ 190.272225] vfs_write+0xf5/0x420\n[ 190.272248] ksys_write+0x67/0xe0\n[ 190.272256] do_syscall_64+0x82/0x170\n[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 190.272373] RIP: 0033:0x7f1bd657d263\n[ 190.272381] Code: [...]\n[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\n[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\n[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\n[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\n[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\n[ 190.272412] \n[ 190.272414] ---[ end trace 0000000000000000 ]---\n\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\ntrace_buffer has recording disabled. Recent commit d78ab792705c\n(\"tracing: Stop current tracer when resizing buffer\") causes that it is\nnow always the case which makes it more likely to experience this issue.\n\nThe window to hit this race is nonetheless very small. To help\nreproducing it, one can add a delay loop in rb_get_reader_page():\n\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\n if (!ret)\n \tgoto spin;\n for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */\n \t__asm__ __volatile__ (\"\" : : : \"memory\");\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\n\n.. \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38601" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38602", + "dataSource": "https://ubuntu.com/security/CVE-2024-38602", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38602" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38602", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38602", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1ea02699c7557eeb35ccff2bd822de1b3e09d868", + "https://git.kernel.org/stable/c/38eb01edfdaa1562fa00429be2e33f45383b1b3a", + "https://git.kernel.org/stable/c/81d8240b0a243b3ddd8fa8aa172f1acc2f7cc8f3", + "https://git.kernel.org/stable/c/ae467750a3765dd1092eb29f58247950a2f9b60c", + "https://git.kernel.org/stable/c/b505e0319852b08a3a716b64620168eab21f4ced" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issues of ax25_dev\n\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\ncount leak issue of the object \"ax25_dev\".\n\nMemory leak issue in ax25_addr_ax25dev():\n\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\n\nMemory leak issues in ax25_dev_device_down():\n\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down. The ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause\nmemory leak.\n\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38602" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38605", + "dataSource": "https://ubuntu.com/security/CVE-2024-38605", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38605" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38605", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38605", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e7351138a29c1", + "https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12", + "https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5", + "https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434", + "https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e", + "https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92", + "https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: core: Fix NULL module pointer assignment at card init\n\nThe commit 81033c6b584b (\"ALSA: core: Warn on empty module\")\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\nobject creation, and it also wraps the code around it with '#ifdef\nMODULE'. This works in most cases, but the devils are always in\ndetails. \"MODULE\" is defined when the target code (i.e. the sound\ncore) is built as a module; but this doesn't mean that the caller is\nalso built-in or not. Namely, when only the sound core is built-in\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\nthe passed module pointer is ignored even if it's non-NULL, and\ncard->module remains as NULL. This would result in the missing module\nreference up/down at the device open/close, leading to a race with the\ncode execution after the module removal.\n\nFor addressing the bug, move the assignment of card->module again out\nof ifdef. The WARN_ON() is still wrapped with ifdef because the\nmodule can be really NULL when all sound drivers are built-in.\n\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\nlead to a false-positive NULL module check. Admittedly it won't catch\nperfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no\nreal problem as it's only for debugging, and the condition is pretty\nrare.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38605" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38607", + "dataSource": "https://ubuntu.com/security/CVE-2024-38607", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38607" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38607", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38607", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/010d4cb19bb13f423e3e746b824f314a9bf3e9a9", + "https://git.kernel.org/stable/c/1e9c3f2caec548cfa7a65416ec4e6006e542f18e", + "https://git.kernel.org/stable/c/280619bbdeac186fb320fab3d61122d2a085def8", + "https://git.kernel.org/stable/c/2907d409ce5946390f513976f0454888d37d1058", + "https://git.kernel.org/stable/c/5900a88e897e6deb1bdce09ee34167a81c2da89d", + "https://git.kernel.org/stable/c/787fb79efc15b3b86442ecf079b8148f173376d7", + "https://git.kernel.org/stable/c/d301a71c76ee4c384b4e03cdc320a55f5cf1df05", + "https://git.kernel.org/stable/c/d43a8c7ec0841e0ff91a968770aeca83f0fd4c56", + "https://git.kernel.org/stable/c/e4ff8bcfb2841fe4e17e5901578b632adb89036d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/via-macii: Fix \"BUG: sleeping function called from invalid context\"\n\nThe via-macii ADB driver calls request_irq() after disabling hard\ninterrupts. But disabling interrupts isn't necessary here because the\nVIA shift register interrupt was masked during VIA1 initialization.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38607" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38608", + "dataSource": "https://ubuntu.com/security/CVE-2024-38608", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38608" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38608", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38608", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3d5918477f94e4c2f064567875c475468e264644", + "https://git.kernel.org/stable/c/f7e6cfb864a53af71c5cc904f1cc22215d68f5c6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix netif state handling\n\nmlx5e_suspend cleans resources only if netif_device_present() returns\ntrue. However, mlx5e_resume changes the state of netif, via\nmlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.\nIn the below case, the above leads to NULL-ptr Oops[1] and memory\nleaks:\n\nmlx5e_probe\n _mlx5e_resume\n mlx5e_attach_netdev\n mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach()\n register_netdev <-- failed for some reason.\nERROR_FLOW:\n _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(\n\nHence, clean resources in this case as well.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at0xffffffffffffffd6.\nRSP: 0018:ffff888178aaf758 EFLAGS: 00010246\nCall Trace:\n \n ? __die+0x20/0x60\n ? page_fault_oops+0x14c/0x3c0\n ? exc_page_fault+0x75/0x140\n ? asm_exc_page_fault+0x22/0x30\n notifier_call_chain+0x35/0xb0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]\n mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]\n mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\n mlx5r_probe+0xe1/0x210 [mlx5_ib]\n ? auxiliary_match_id+0x6a/0x90\n auxiliary_bus_probe+0x38/0x80\n ? driver_sysfs_add+0x51/0x80\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x637/0x840\n __auxiliary_device_add+0x3b/0xa0\n add_adev+0xc9/0x140 [mlx5_core]\n mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]\n mlx5_register_device+0x53/0xa0 [mlx5_core]\n mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]\n mlx5_init_one+0x3b/0x60 [mlx5_core]\n probe_one+0x44c/0x730 [mlx5_core]\n local_pci_probe+0x3e/0x90\n pci_device_probe+0xbf/0x210\n ? kernfs_create_link+0x5d/0xa0\n ? sysfs_do_create_link_sd+0x60/0xc0\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n pci_bus_add_device+0x54/0x80\n pci_iov_add_virtfn+0x2e6/0x320\n sriov_enable+0x208/0x420\n mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]\n sriov_numvfs_store+0xae/0x1a0\n kernfs_fop_write_iter+0x10c/0x1a0\n vfs_write+0x291/0x3c0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38608" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38610", + "dataSource": "https://ubuntu.com/security/CVE-2024-38610", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38610" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38610", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38610", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb", + "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559", + "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4", + "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a", + "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32", + "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\ncompiles, that's all I know. I'll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation. Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We're not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We're not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38610" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38611", + "dataSource": "https://ubuntu.com/security/CVE-2024-38611", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38611" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38611", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38611", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/43fff07e4b1956d0e5cf23717507e438278ea3d9", + "https://git.kernel.org/stable/c/545b215736c5c4b354e182d99c578a472ac9bfce", + "https://git.kernel.org/stable/c/904db2ba44ae60641b6378c5013254d09acf5e80", + "https://git.kernel.org/stable/c/c1a3803e5bb91c13e9ad582003e4288f67f06cd9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: et8ek8: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback\nbeing discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets\nunbound (e.g. using sysfs or hotplug), the driver is just removed\nwithout the cleanup being performed. This results in resource leaks. Fix\nit by compiling in the remove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\n\tWARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38611" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38612", + "dataSource": "https://ubuntu.com/security/CVE-2024-38612", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38612" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38612", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38612", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/00e6335329f23ac6cf3105931691674e28bc598c", + "https://git.kernel.org/stable/c/10610575a3ac2a702bf5c57aa931beaf847949c7", + "https://git.kernel.org/stable/c/160e9d2752181fcf18c662e74022d77d3164cd45", + "https://git.kernel.org/stable/c/1a63730fb315bb1bab97edd69ff58ad45e04bb01", + "https://git.kernel.org/stable/c/3398a40dccb88d3a7eef378247a023a78472db66", + "https://git.kernel.org/stable/c/646cd236c55e2cb5f146fc41bbe4034c4af5b2a4", + "https://git.kernel.org/stable/c/85a70ff1e572160f1eeb096ed48d09a1c9d4d89a", + "https://git.kernel.org/stable/c/c04d6a914e890ccea4a9d11233009a2ee7978bf4", + "https://git.kernel.org/stable/c/e77a3ec7ada84543e75722a1283785a6544de925" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix invalid unregister error path\n\nThe error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL\nis not defined. In that case if seg6_hmac_init() fails, the\ngenl_unregister_family() isn't called.\n\nThis issue exist since commit 46738b1317e1 (\"ipv6: sr: add option to control\nlwtunnel support\"), and commit 5559cea2d5aa (\"ipv6: sr: fix possible\nuse-after-free and null-ptr-deref\") replaced unregister_pernet_subsys()\nwith genl_unregister_family() in this error path.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38612" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38613", + "dataSource": "https://ubuntu.com/security/CVE-2024-38613", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38613" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38613", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38613", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d9ae1253535f6e85a016e09c25ecbe6f7f59ef0", + "https://git.kernel.org/stable/c/2a8d1d95302c7d52c6ac8fa5cb4a6948ae0d3a14", + "https://git.kernel.org/stable/c/4eeffecc8e3cce25bb559502c2fd94a948bcde82", + "https://git.kernel.org/stable/c/5213cc01d0464c011fdc09f318705603ed3a746b", + "https://git.kernel.org/stable/c/77b2b67a0f8bce260c53907e5749d61466d90c87", + "https://git.kernel.org/stable/c/95f00caf767b5968c2c51083957b38be4748a78a", + "https://git.kernel.org/stable/c/da89ce46f02470ef08f0f580755d14d547da59ed", + "https://git.kernel.org/stable/c/f1d4274a84c069be0f6098ab10c3443fc1f7134c", + "https://git.kernel.org/stable/c/f3baf0f4f92af32943ebf27b960e0552c6c082fd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nm68k: Fix spinlock race in kernel thread creation\n\nContext switching does take care to retain the correct lock owner across\nthe switch from 'prev' to 'next' tasks. This does rely on interrupts\nremaining disabled for the entire duration of the switch.\n\nThis condition is guaranteed for normal process creation and context\nswitching between already running processes, because both 'prev' and\n'next' already have interrupts disabled in their saved copies of the\nstatus register.\n\nThe situation is different for newly created kernel threads. The status\nregister is set to PS_S in copy_thread(), which does leave the IPL at 0.\nUpon restoring the 'next' thread's status register in switch_to() aka\nresume(), interrupts then become enabled prematurely. resume() then\nreturns via ret_from_kernel_thread() and schedule_tail() where run queue\nlock is released (see finish_task_switch() and finish_lock_switch()).\n\nA timer interrupt calling scheduler_tick() before the lock is released\nin finish_task_switch() will find the lock already taken, with the\ncurrent task as lock owner. This causes a spinlock recursion warning as\nreported by Guenter Roeck.\n\nAs far as I can ascertain, this race has been opened in commit\n533e6903bea0 (\"m68k: split ret_from_fork(), simplify kernel_thread()\")\nbut I haven't done a detailed study of kernel history so it may well\npredate that commit.\n\nInterrupts cannot be disabled in the saved status register copy for\nkernel threads (init will complain about interrupts disabled when\nfinally starting user space). Disable interrupts temporarily when\nswitching the tasks' register sets in resume().\n\nNote that a simple oriw 0x700,%sr after restoring sr is not enough here\n- this leaves enough of a race for the 'spinlock recursion' warning to\nstill be observed.\n\nTested on ARAnyM and qemu (Quadra 800 emulation).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38613" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38615", + "dataSource": "https://ubuntu.com/security/CVE-2024-38615", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38615" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38615", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38615", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2d730b465e377396d2a09a53524b96b111f7ccb6", + "https://git.kernel.org/stable/c/35db5e76d5e9f752476df5fa0b9018a2398b0378", + "https://git.kernel.org/stable/c/3e99f060cfd2e36504d62c9132b453ade5027e1c", + "https://git.kernel.org/stable/c/8bc9546805e572ad101681437a49939f28777273", + "https://git.kernel.org/stable/c/a8204d1b6ff762d2171d365c2c8560285d0a233d", + "https://git.kernel.org/stable/c/ae37ebca325097d773d7bb6ec069123b30772872", + "https://git.kernel.org/stable/c/b8f85833c05730d631576008daaa34096bc7f3ce", + "https://git.kernel.org/stable/c/dfc56ff5ec9904c008e9376d90a6d7e2d2bec4d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: exit() callback is optional\n\nThe exit() callback is optional and shouldn't be called without checking\na valid pointer first.\n\nAlso, we must clear freq_table pointer even if the exit() callback isn't\npresent.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38615" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38618", + "dataSource": "https://ubuntu.com/security/CVE-2024-38618", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38618" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38618", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38618", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c95241ac5fc90c929d6c0c023e84bf0d30e84c3", + "https://git.kernel.org/stable/c/4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e", + "https://git.kernel.org/stable/c/68396c825c43664b20a3a1ba546844deb2b4e48f", + "https://git.kernel.org/stable/c/74bfb8d90f2601718ae203faf45a196844c01fa1", + "https://git.kernel.org/stable/c/83f0ba8592b9e258fd80ac6486510ab1dcd7ad6e", + "https://git.kernel.org/stable/c/abb1ad69d98cf1ff25bb14fff0e7c3f66239e1cd", + "https://git.kernel.org/stable/c/bdd0aa055b8ec7e24bbc19513f3231958741d0ab", + "https://git.kernel.org/stable/c/ceab795a67dd28dd942d0d8bba648c6c0f7a044b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Set lower bound of start tick time\n\nCurrently ALSA timer doesn't have the lower limit of the start tick\ntime, and it allows a very small size, e.g. 1 tick with 1ns resolution\nfor hrtimer. Such a situation may lead to an unexpected RCU stall,\nwhere the callback repeatedly queuing the expire update, as reported\nby fuzzer.\n\nThis patch introduces a sanity check of the timer start tick time, so\nthat the system returns an error when a too small start size is set.\nAs of this patch, the lower limit is hard-coded to 100us, which is\nsmall enough but can still work somehow.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38618" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38619", + "dataSource": "https://ubuntu.com/security/CVE-2024-38619", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38619" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38619", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38619", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16637fea001ab3c8df528a8995b3211906165a30", + "https://git.kernel.org/stable/c/24bff7f714bdff97c2a75a0ff6a368cdf8ad5af4", + "https://git.kernel.org/stable/c/2cc32639ec347e3365075b130f9953ef16cb13f1", + "https://git.kernel.org/stable/c/3eee13ab67f65606faa66e0c3c729e4f514838fd", + "https://git.kernel.org/stable/c/51fe16c058acb22f847e69bc598066ed0bcd5c15", + "https://git.kernel.org/stable/c/e0aab7b07a9375337847c9d74a5ec044071e01c8", + "https://git.kernel.org/stable/c/e0e2eec76920a133dd49a4fbe4656d83596a1361", + "https://git.kernel.org/stable/c/f68820f1256b21466ff094dd97f243b7e708f9c1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb-storage: alauda: Check whether the media is initialized\n\nThe member \"uzonesize\" of struct alauda_info will remain 0\nif alauda_init_media() fails, potentially causing divide errors\nin alauda_read_data() and alauda_write_lba().\n- Add a member \"media_initialized\" to struct alauda_info.\n- Change a condition in alauda_check_media() to ensure the\n first initialization.\n- Add an error check for the return value of alauda_init_media().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38619" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38621", + "dataSource": "https://ubuntu.com/security/CVE-2024-38621", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38621" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38621", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38621", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7532bcec0797adfa08791301c3bcae14141db3bd", + "https://git.kernel.org/stable/c/a08492832cc4cacc24e0612f483c86ca899b9261", + "https://git.kernel.org/stable/c/a16775828aaed1c54ff4e6fe83e8e4d5c6a50cb7", + "https://git.kernel.org/stable/c/b504518a397059e1d55c521ba0ea2b545a6c4b52", + "https://git.kernel.org/stable/c/d410017a7181cb55e4a5c810b32b75e4416c6808", + "https://git.kernel.org/stable/c/ecf4ddc3aee8ade504c4d36b7b4053ce6093e200", + "https://git.kernel.org/stable/c/f6a392266276730bea893b55d12940e32a25f56a", + "https://git.kernel.org/stable/c/faa4364bef2ec0060de381ff028d1d836600a381" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: stk1160: fix bounds checking in stk1160_copy_video()\n\nThe subtract in this condition is reversed. The ->length is the length\nof the buffer. The ->bytesused is how many bytes we have copied thus\nfar. When the condition is reversed that means the result of the\nsubtraction is always negative but since it's unsigned then the result\nis a very high positive value. That means the overflow check is never\ntrue.\n\nAdditionally, the ->bytesused doesn't actually work for this purpose\nbecause we're not writing to \"buf->mem + buf->bytesused\". Instead, the\nmath to calculate the destination where we are writing is a bit\ninvolved. You calculate the number of full lines already written,\nmultiply by two, skip a line if necessary so that we start on an odd\nnumbered line, and add the offset into the line.\n\nTo fix this buffer overflow, just take the actual destination where we\nare writing, if the offset is already out of bounds print an error and\nreturn. Otherwise, write up to buf->length bytes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38621" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38623", + "dataSource": "https://ubuntu.com/security/CVE-2024-38623", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38623" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38623", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38623", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/1997cdc3e727526aa5d84b32f7cbb3f56459b7ef", + "https://git.kernel.org/stable/c/1fe1c9dc21ee52920629d2d9b9bd84358931a8d1", + "https://git.kernel.org/stable/c/3839a9b19a4b70eff6b6ad70446f639f7fd5a3d7", + "https://git.kernel.org/stable/c/a2de301d90b782ac5d7a5fe32995caaee9ab3a0f", + "https://git.kernel.org/stable/c/cceef44b34819c24bb6ed70dce5b524bd3e368d1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use variable length array instead of fixed size\n\nShould fix smatch warning:\n\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38623" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38624", + "dataSource": "https://ubuntu.com/security/CVE-2024-38624", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38624" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38624", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38624", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/109d85a98345ee52d47c650405dc51bdd2bc7d40", + "https://git.kernel.org/stable/c/2d1ad595d15f36a925480199bf1d9ad72614210b", + "https://git.kernel.org/stable/c/847db4049f6189427ddaefcfc967d4d235b73c57", + "https://git.kernel.org/stable/c/98db3155b54d3684ef0ab5bfa0b856d13f65843d", + "https://git.kernel.org/stable/c/e931f6b630ffb22d66caab202a52aa8cbb10c649" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\n\nFor example, in the expression:\n\tvbo = 2 * vbo + skip", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38624" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38625", + "dataSource": "https://ubuntu.com/security/CVE-2024-38625", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38625" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38625", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38625", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803", + "https://git.kernel.org/stable/c/6c8054d590668629bb2eb6fb4cbf22455d08ada8", + "https://git.kernel.org/stable/c/ff1068929459347f9e47f8d14c409dcf938c2641" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Check 'folio' pointer for NULL\n\nIt can be NULL if bmap is called.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38625" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38627", + "dataSource": "https://ubuntu.com/security/CVE-2024-38627", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38627" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38627", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38627", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/370c480410f60b90ba3e96abe73ead21ec827b20", + "https://git.kernel.org/stable/c/3df463865ba42b8f88a590326f4c9ea17a1ce459", + "https://git.kernel.org/stable/c/4bfd48bb6e62512b9c392c5002c11e1e3b18d247", + "https://git.kernel.org/stable/c/6cc30ef8eb6d8f8d6df43152264bbf8835d99931", + "https://git.kernel.org/stable/c/713fc00c571dde4af3db2dbd5d1b0eadc327817b", + "https://git.kernel.org/stable/c/7419df1acffbcc90037f6b5a2823e81389659b36", + "https://git.kernel.org/stable/c/a0450d3f38e7c6c0a7c0afd4182976ee15573695", + "https://git.kernel.org/stable/c/d782a2db8f7ac49c33b9ca3e835500a28667d1be" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nstm class: Fix a double free in stm_register_device()\n\nThe put_device(&stm->dev) call will trigger stm_device_release() which\nfrees \"stm\" so the vfree(stm) on the next line is a double free.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38627" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38628", + "dataSource": "https://ubuntu.com/security/CVE-2024-38628", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38628" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38628", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38628", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b739388aa3f8dfb63a9fca777e6dfa6912d0464", + "https://git.kernel.org/stable/c/453d3fa9266e53f85377b911c19b9a4563fa88c0", + "https://git.kernel.org/stable/c/89e66809684485590ea0b32c3178e42cba36ac09", + "https://git.kernel.org/stable/c/bea73b58ab67fe581037ad9cdb93c2557590c068" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.\n\nHang on to the control IDs instead of pointers since those are correctly\nhandled with locks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38628" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38630", + "dataSource": "https://ubuntu.com/security/CVE-2024-38630", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38630" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38630", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38630", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/573601521277119f2e2ba5f28ae6e87fc594f4d4", + "https://git.kernel.org/stable/c/9b1c063ffc075abf56f63e55d70b9778ff534314", + "https://git.kernel.org/stable/c/f19686d616500cd0d47b30cee82392b53f7f784a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\n\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\n\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38630" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38632", + "dataSource": "https://ubuntu.com/security/CVE-2024-38632", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38632" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38632", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0bd22a4966d55f1d2c127a53300d5c2b50152376", + "https://git.kernel.org/stable/c/35fef97c33f3d3ca0455f9a8e2a3f2c1f8cc9140", + "https://git.kernel.org/stable/c/82b951e6fbd31d85ae7f4feb5f00ddd4c5d256e2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix potential memory leak in vfio_intx_enable()\n\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38632" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38633", + "dataSource": "https://ubuntu.com/security/CVE-2024-38633", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38633" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38633", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38633", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21a61a7fbcfdd3493cede43ebc7c4dfae2147a8b", + "https://git.kernel.org/stable/c/361a92c9038e8c8c3996f8eeaa14522a8ad90752", + "https://git.kernel.org/stable/c/712a1fcb38dc7cac6da63ee79a88708fbf9c45ec", + "https://git.kernel.org/stable/c/9db4222ed8cd3e50b81c8b910ae74c26427a4003", + "https://git.kernel.org/stable/c/b6eb7aff23e05f362e8c9b560f6ac5e727b70e00", + "https://git.kernel.org/stable/c/e8a10089eddba40d4b2080c9d3fc2d2b2488f762", + "https://git.kernel.org/stable/c/e8e2a4339decad7e59425b594a98613402652d72", + "https://git.kernel.org/stable/c/fa84ca78b048dfb00df0ef446f5c35e0a98ca6a0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Update uart_driver_registered on driver removal\n\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod — rmmod — insmod cycle the kernel\noopses:\n\n max3100 spi-PRP0001:01: max3100_probe: adding port 0\n BUG: kernel NULL pointer dereference, address: 0000000000000408\n ...\n RIP: 0010:serial_core_register_port+0xa0/0x840\n ...\n max3100_probe+0x1b6/0x280 [max3100]\n spi_probe+0x8d/0xb0\n\nUpdate the actual state so next time UART driver will be registered\nagain.\n\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38633" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38634", + "dataSource": "https://ubuntu.com/security/CVE-2024-38634", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38634" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38634", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38634", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/44b38924135d2093e2ec1812969464845dd66dc9", + "https://git.kernel.org/stable/c/77ab53371a2066fdf9b895246505f5ef5a4b5d47", + "https://git.kernel.org/stable/c/78dbda51bb4241b88a52d71620f06231a341f9ba", + "https://git.kernel.org/stable/c/8296bb9e5925b6634259c5d4daee88f0cc0884ec", + "https://git.kernel.org/stable/c/865b30c8661924ee9145f442bf32cea549faa869", + "https://git.kernel.org/stable/c/93df2fba6c7dfa9a2f08546ea9a5ca4728758458", + "https://git.kernel.org/stable/c/cc121e3722a0a2c8f716ef991e5425b180a5fb94", + "https://git.kernel.org/stable/c/ea9b35372b58ac2931bfc1d5bc25e839d1221e30" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\n\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\n\n WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n ...\n Workqueue: max3100-0 max3100_work [max3100]\n RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n ...\n max3100_handlerx+0xc5/0x110 [max3100]\n max3100_work+0x12a/0x340 [max3100]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38634" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38635", + "dataSource": "https://ubuntu.com/security/CVE-2024-38635", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38635" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38635", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38635", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/002364b2d594a9afc0385c09e00994c510b1d089", + "https://git.kernel.org/stable/c/2ebcaa0e5db9b6044bb487ae1cf41bc601761567", + "https://git.kernel.org/stable/c/4e99103f757cdf636c6ee860994a19a346a11785", + "https://git.kernel.org/stable/c/7eeef1e935d23db5265233d92395bd5c648a4021", + "https://git.kernel.org/stable/c/8ee1b439b1540ae543149b15a2a61b9dff937d91", + "https://git.kernel.org/stable/c/902f6d656441a511ac25c6cffce74496db10a078", + "https://git.kernel.org/stable/c/fd4bcb991ebaf0d1813d81d9983cfa99f9ef5328" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: cadence: fix invalid PDI offset\n\nFor some reason, we add an offset to the PDI, presumably to skip the\nPDI0 and PDI1 which are reserved for BPT.\n\nThis code is however completely wrong and leads to an out-of-bounds\naccess. We were just lucky so far since we used only a couple of PDIs\nand remained within the PDI array bounds.\n\nA Fixes: tag is not provided since there are no known platforms where\nthe out-of-bounds would be accessed, and the initial code had problems\nas well.\n\nA follow-up patch completely removes this useless offset.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38635" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38637", + "dataSource": "https://ubuntu.com/security/CVE-2024-38637", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38637" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38637", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38637", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/330f6bcdcef03f70f81db5f2ed6747af656a09f2", + "https://git.kernel.org/stable/c/518e2c46b5dbce40b1aa0100001d03c3ceaa7d38", + "https://git.kernel.org/stable/c/895cdd9aa9546523df839f9cc1488a0ecc1e0731", + "https://git.kernel.org/stable/c/8f4a76d477f0cc3c54d512f07f6f88c8e1c1e07b", + "https://git.kernel.org/stable/c/9b41a9b9c8be8c552f10633453fdb509e83b66f8", + "https://git.kernel.org/stable/c/a1ba19a1ae7cd1e324685ded4ab563e78fe68648", + "https://git.kernel.org/stable/c/e2c64246e5dc8c0d35ec41770b85e2b4cafdff21", + "https://git.kernel.org/stable/c/eac10cf3a97ffd4b4deb0a29f57c118225a42850" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: lights: check return of get_channel_from_mode\n\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\n\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38637" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38659", + "dataSource": "https://ubuntu.com/security/CVE-2024-38659", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38659" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38659", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38659", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/25571a12fbc8a1283bd8380d461267956fd426f7", + "https://git.kernel.org/stable/c/2b649d7e0cb42a660f0260ef25fd55fdc9c6c600", + "https://git.kernel.org/stable/c/3c0d36972edbe56fcf98899622d9b90ac9965227", + "https://git.kernel.org/stable/c/7077c22f84f41974a711604a42fd0e0684232ee5", + "https://git.kernel.org/stable/c/aee1955a1509a921c05c70dad5d6fc8563dfcb31", + "https://git.kernel.org/stable/c/ca63fb7af9d3e531aa25f7ae187bfc6c7166ec2d", + "https://git.kernel.org/stable/c/e8021b94b0412c37bcc79027c2e382086b6ce449", + "https://git.kernel.org/stable/c/f6638e955ca00c489894789492776842e102af9c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nenic: Validate length of nl attributes in enic_set_vf_port\n\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\nis of length PORT_PROFILE_MAX and that the nl attributes\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\nusing the policy is for the max size of the attributes and not on exact\nsize so the length of these attributes might be less than the sizes that\nenic_set_vf_port expects. This might cause an out of bands\nread access in the memcpys of the data of these\nattributes in enic_set_vf_port.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38659" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38661", + "dataSource": "https://ubuntu.com/security/CVE-2024-38661", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38661" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38661", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38661", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558", + "https://git.kernel.org/stable/c/4c0bfb4e867c1ec6616a5049bd3618021e127056", + "https://git.kernel.org/stable/c/67011123453b91ec03671d40712fa213e94a01b9", + "https://git.kernel.org/stable/c/7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0", + "https://git.kernel.org/stable/c/7c72af16abf2ec7520407098360bbba312289e05", + "https://git.kernel.org/stable/c/7dabe54a016defe11bb2a278cd9f1ff6db3feba6", + "https://git.kernel.org/stable/c/8c5f5911c1b13170d3404eb992c6a0deaa8d81ad", + "https://git.kernel.org/stable/c/d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ap: Fix crash in AP internal function modify_bitmap()\n\nA system crash like this\n\n Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n Fault in home space mode while using kernel ASCE.\n AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n Oops: 0038 ilc:3 [#1] PREEMPT SMP\n Modules linked in: mlx5_ib ...\n CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n Hardware name: IBM 3931 A01 704 (LPAR)\n Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a\n 0000014b75e7b600: 18b2 lr %r11,%r2\n #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616\n >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)\n 0000014b75e7b60c: a7680001 lhi %r6,1\n 0000014b75e7b610: 187b lr %r7,%r11\n 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654\n 0000014b75e7b616: 18e9 lr %r14,%r9\n Call Trace:\n [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n [<0000014b75e7b758>] apmask_store+0x68/0x140\n [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n [<0000014b75598524>] vfs_write+0x1b4/0x448\n [<0000014b7559894c>] ksys_write+0x74/0x100\n [<0000014b7618a440>] __do_syscall+0x268/0x328\n [<0000014b761a3558>] system_call+0x70/0x98\n INFO: lockdep is turned off.\n Last Breaking-Event-Address:\n [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n Kernel panic - not syncing: Fatal exception: panic_on_oops\n\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\n\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38661" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38662", + "dataSource": "https://ubuntu.com/security/CVE-2024-38662", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38662" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38662", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38662", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/000a65bf1dc04fb2b65e2abf116f0bc0fc2ee7b1", + "https://git.kernel.org/stable/c/11e8ecc5b86037fec43d07b1c162e233e131b1d9", + "https://git.kernel.org/stable/c/29467edc23818dc5a33042ffb4920b49b090e63d", + "https://git.kernel.org/stable/c/6693b172f008846811f48a099f33effc26068e1e", + "https://git.kernel.org/stable/c/98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d", + "https://git.kernel.org/stable/c/b81e1c5a3c70398cf76631ede63a03616ed1ba3c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Allow delete from sockmap/sockhash only if update is allowed\n\nWe have seen an influx of syzkaller reports where a BPF program attached to\na tracepoint triggers a locking rule violation by performing a map_delete\non a sockmap/sockhash.\n\nWe don't intend to support this artificial use scenario. Extend the\nexisting verifier allowed-program-type check for updating sockmap/sockhash\nto also cover deleting from a map.\n\nFrom now on only BPF programs which were previously allowed to update\nsockmap/sockhash can delete from these map types.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38662" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38667", + "dataSource": "https://ubuntu.com/security/CVE-2024-38667", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38667" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38667", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38667", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0c1f28c32a194303da630fca89481334b9547b80", + "https://git.kernel.org/stable/c/3090c06d50eaa91317f84bf3eac4c265e6cb8d44", + "https://git.kernel.org/stable/c/a638b0461b58aa3205cd9d5f14d6f703d795b4af", + "https://git.kernel.org/stable/c/ea22d4195cca13d5fdbc4d6555a2dfb8a7867a9e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: prevent pt_regs corruption for secondary idle threads\n\nTop of the kernel thread stack should be reserved for pt_regs. However\nthis is not the case for the idle threads of the secondary boot harts.\nTheir stacks overlap with their pt_regs, so both may get corrupted.\n\nSimilar issue has been fixed for the primary hart, see c7cdd96eca28\n(\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\").\nHowever that fix was not propagated to the secondary harts. The problem\nhas been noticed in some CPU hotplug tests with V enabled. The function\nsmp_callin stored several registers on stack, corrupting top of pt_regs\nstructure including status field. As a result, kernel attempted to save\nor restore inexistent V context.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38667" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38780", + "dataSource": "https://ubuntu.com/security/CVE-2024-38780", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38780" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38780", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38780", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/165b25e3ee9333f7b04f8db43895beacb51582ed", + "https://git.kernel.org/stable/c/1ff116f68560a25656933d5a18e7619cb6773d8a", + "https://git.kernel.org/stable/c/242b30466879e6defa521573c27e12018276c33a", + "https://git.kernel.org/stable/c/8a283cdfc8beeb14024387a925247b563d614e1e", + "https://git.kernel.org/stable/c/9d75fab2c14a25553a1664586ed122c316bd1878", + "https://git.kernel.org/stable/c/a4ee78244445ab73af22bfc5a5fc543963b25aef", + "https://git.kernel.org/stable/c/ae6fc4e6a3322f6d1c8ff59150d8469487a73dd8", + "https://git.kernel.org/stable/c/b794918961516f667b0c745aebdfebbb8a98df39" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\n\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\n\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38780" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39276", + "dataSource": "https://ubuntu.com/security/CVE-2024-39276", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39276" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39276", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39276", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c0b4a49d3e7f49690a6827a41faeffad5df7e21", + "https://git.kernel.org/stable/c/681ff9a09accd8a4379f8bd30b7a1641ee19bb3e", + "https://git.kernel.org/stable/c/76dc776153a47372719d664e0fc50d6355791abb", + "https://git.kernel.org/stable/c/896a7e7d0d555ad8b2b46af0c2fa7de7467f9483", + "https://git.kernel.org/stable/c/9ad75e78747b5a50dc5a52f0f8e92e920a653f16", + "https://git.kernel.org/stable/c/a95df6f04f2c37291adf26a74205cde0314d4577", + "https://git.kernel.org/stable/c/b37c0edef4e66fb21a2fbc211471195a383e5ab8", + "https://git.kernel.org/stable/c/e941b712e758f615d311946bf98216e79145ccd9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()\n\nSyzbot reports a warning as follows:\n\n============================================\nWARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290\nModules linked in:\nCPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7\nRIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419\nCall Trace:\n \n ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375\n generic_shutdown_super+0x136/0x2d0 fs/super.c:641\n kill_block_super+0x44/0x90 fs/super.c:1675\n ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327\n[...]\n============================================\n\nThis is because when finding an entry in ext4_xattr_block_cache_find(), if\next4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown\nin the __entry_find(), won't be put away, and eventually trigger the above\nissue in mb_cache_destroy() due to reference count leakage.\n\nSo call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39276" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39277", + "dataSource": "https://ubuntu.com/security/CVE-2024-39277", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39277" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39277", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39277", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/50ee21bfc005e69f183d6b4b454e33f0c2571e1f", + "https://git.kernel.org/stable/c/5a91116b003175302f2e6ad94b76fb9b5a141a41", + "https://git.kernel.org/stable/c/8e1ba9df9a35e8dc64f657a64e523c79ba01e464", + "https://git.kernel.org/stable/c/b41b0018e8ca06e985e87220a618ec633988fd13", + "https://git.kernel.org/stable/c/e64746e74f717961250a155e14c156616fcd981f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: handle NUMA_NO_NODE correctly\n\ncpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()\nresulting in the following sanitizer report:\n\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\nindex -1 is out of range for type 'cpumask [64][1]'\nCPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117)\nubsan_epilogue (lib/ubsan.c:232)\n__ubsan_handle_out_of_bounds (lib/ubsan.c:429)\ncpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]\ndo_map_benchmark (kernel/dma/map_benchmark.c:104)\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:246)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nUse cpumask_of_node() in place when binding a kernel thread to a cpuset\nof a particular node.\n\nNote that the provided node id is checked inside map_benchmark_ioctl().\nIt's just a NUMA_NO_NODE case which is not handled properly later.\n\nFound by Linux Verification Center (linuxtesting.org).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39277" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39292", + "dataSource": "https://ubuntu.com/security/CVE-2024-39292", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39292" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39292", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39292", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0c02d425a2fbe52643a5859a779db0329e7dddd4", + "https://git.kernel.org/stable/c/31960d991e43c8d6dc07245f19fc13398e90ead2", + "https://git.kernel.org/stable/c/351d1a64544944b44732f6a64ed65573b00b9e14", + "https://git.kernel.org/stable/c/434a06c38ee1217a8baa0dd7c37cc85d50138fb0", + "https://git.kernel.org/stable/c/66ea9a7c6824821476914bed21a476cd20094f33", + "https://git.kernel.org/stable/c/73b8e21f76c7dda4905655d2e2c17dc5a73b87f1", + "https://git.kernel.org/stable/c/a0fbbd36c156b9f7b2276871d499c9943dfe5101", + "https://git.kernel.org/stable/c/dc1ff95602ee908fcd7d8acee7a0dadb61b1a0c0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\num: Add winch to winch_handlers before registering winch IRQ\n\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\nadded to the winch_handlers list.\n\nIf that happens, register_winch_irq() adds to that list a winch that is\nscheduled to be (or has already been) freed, causing a panic later in\nwinch_cleanup().\n\nAvoid the race by adding the winch to the winch_handlers list before\nregistering the IRQ, and rolling back if um_request_irq() fails.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-39292" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39293", + "dataSource": "https://ubuntu.com/security/CVE-2024-39293", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39293" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39293", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39293", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5", + "https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"xsk: Support redirect to any socket bound to the same umem\"\n\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\n\nThis patch introduced a potential kernel crash when multiple napi instances\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\npossible for multiple napi instances to access the Rx ring at the same time,\nwhich will result in a corrupted ring state which can lead to a crash when\nflushing the rings in __xsk_flush(). This can happen when the linked list of\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\nis not possible, so let us revert this for now.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39293" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39298", + "dataSource": "https://ubuntu.com/security/CVE-2024-39298", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39298" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39298", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39298", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00b0752c7f15dfdf129cacc6a27d61c54141182b", + "https://git.kernel.org/stable/c/41cd2de3c95020b7f86a3cb5fab42fbf454a63bd", + "https://git.kernel.org/stable/c/8cf360b9d6a840700e06864236a01a883b34bbad", + "https://git.kernel.org/stable/c/bb9bb13ce64cc7cae47f5e2ab9ce93b7bfa0117e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix handling of dissolved but not taken off from buddy pages\n\nWhen I did memory failure tests recently, below panic occurs:\n\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\nraw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000\npage dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))\n------------[ cut here ]------------\nkernel BUG at include/linux/page-flags.h:1009!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:__del_page_from_free_list+0x151/0x180\nRSP: 0018:ffffa49c90437998 EFLAGS: 00000046\nRAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0\nRBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69\nR10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80\nR13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009\nFS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0\nCall Trace:\n \n __rmqueue_pcplist+0x23b/0x520\n get_page_from_freelist+0x26b/0xe40\n __alloc_pages_noprof+0x113/0x1120\n __folio_alloc_noprof+0x11/0xb0\n alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130\n __alloc_fresh_hugetlb_folio+0xe7/0x140\n alloc_pool_huge_folio+0x68/0x100\n set_max_huge_pages+0x13d/0x340\n hugetlb_sysctl_handler_common+0xe8/0x110\n proc_sys_call_handler+0x194/0x280\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff916114887\nRSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887\nRDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003\nRBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0\nR10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004\nR13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00\n \nModules linked in: mce_inject hwpoison_inject\n---[ end trace 0000000000000000 ]---\n\nAnd before the panic, there had an warning about bad page state:\n\nBUG: Bad page state in process page-types pfn:8cee00\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\npage_type: 0xffffff7f(buddy)\nraw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000\npage dumped because: nonzero mapcount\nModules linked in: mce_inject hwpoison_inject\nCPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22\nCall Trace:\n \n dump_stack_lvl+0x83/0xa0\n bad_page+0x63/0xf0\n free_unref_page+0x36e/0x5c0\n unpoison_memory+0x50b/0x630\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xcd/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f189a514887\nRSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887\nRDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003\nRBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8\nR13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040\n \n\nThe root cause should be the below race:\n\n memory_failure\n try_memory_failure_hugetlb\n me_huge_page\n __page_handle_poison\n dissolve_free_hugetlb_folio\n drain_all_pages -- Buddy page can be isolated e.g. for compaction.\n take_page_off_buddy -- Failed as page is not in the \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39298" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39301", + "dataSource": "https://ubuntu.com/security/CVE-2024-39301", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39301" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39301", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39301", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/124947855564572713d705a13be7d0c9dae16a17", + "https://git.kernel.org/stable/c/2101901dd58c6da4924bc5efb217a1d83436290b", + "https://git.kernel.org/stable/c/25460d6f39024cc3b8241b14c7ccf0d6f11a736a", + "https://git.kernel.org/stable/c/6c1791130b781c843572fb6391c4a4c5d857ab17", + "https://git.kernel.org/stable/c/72c5d8e416ecc46af370a1340b3db5ff0b0cc867", + "https://git.kernel.org/stable/c/89969ffbeb948ffc159d19252e7469490103011b", + "https://git.kernel.org/stable/c/ca71f204711ad24113e8b344dc5bb8b0385f5672", + "https://git.kernel.org/stable/c/fe5c604053c36c62af24eee8a76407d026ea5163" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix uninit-value in p9_client_rpc()\n\nSyzbot with the help of KMSAN reported the following error:\n\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\n\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39301" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39362", + "dataSource": "https://ubuntu.com/security/CVE-2024-39362", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39362" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39362", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39362", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39362" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39463", + "dataSource": "https://ubuntu.com/security/CVE-2024-39463", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39463" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39463", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39463", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409", + "https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456", + "https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5", + "https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: add missing locking around taking dentry fid list\n\nFix a use-after-free on dentry's d_fsdata fid list when a thread\nlooks up a fid through dentry while another thread unlinks it:\n\nUAF thread:\nrefcount_t: addition on 0; use-after-free.\n p9_fid_get linux/./include/net/9p/client.h:262\n v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129\n v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181\n v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314\n v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400\n vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248\n\nFreed by:\n p9_fid_destroy (inlined)\n p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456\n p9_fid_put linux/./include/net/9p/client.h:278\n v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55\n v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518\n vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335\n\nThe problem is that d_fsdata was not accessed under d_lock, because\nd_release() normally is only called once the dentry is otherwise no\nlonger accessible but since we also call it explicitly in v9fs_remove\nthat lock is required:\nmove the hlist out of the dentry under lock then unref its fids once\nthey are no longer accessible.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39463" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39466", + "dataSource": "https://ubuntu.com/security/CVE-2024-39466", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39466" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39466", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39466", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0a47ba94ec3d8f782b33e3d970cfcb769b962464", + "https://git.kernel.org/stable/c/2226b145afa5e13cb60dbe77fb20fb0666a1caf3", + "https://git.kernel.org/stable/c/560d69c975072974c11434ca6953891e74c1a665", + "https://git.kernel.org/stable/c/aa1a0807b4a76b44fb6b58a7e9087cd4b18ab41b", + "https://git.kernel.org/stable/c/d9d3490c48df572edefc0b64655259eefdcbb9be" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/qcom/lmh: Check for SCM availability at probe\n\nUp until now, the necessary scm availability check has not been\nperformed, leading to possible null pointer dereferences (which did\nhappen for me on RB1).\n\nFix that.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39466" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39467", + "dataSource": "https://ubuntu.com/security/CVE-2024-39467", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39467" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39467", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39467", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1640dcf383cdba52be8b28d2a1a2aa7ef7a30c98", + "https://git.kernel.org/stable/c/20faaf30e55522bba2b56d9c46689233205d7717", + "https://git.kernel.org/stable/c/68e3cd4ecb8603936cccdc338929130045df2e57", + "https://git.kernel.org/stable/c/75c87e2ac6149abf44bdde0dd6d541763ddb0dff", + "https://git.kernel.org/stable/c/8c8aa473fe6eb46a4bf99f3ea2dbe52bf0c1a1f0", + "https://git.kernel.org/stable/c/be0155202e431f3007778568a72432c68f8946ba", + "https://git.kernel.org/stable/c/c559a8d840562fbfce9f318448dda2f7d3e6d8e8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\n\nsyzbot reports a kernel bug as below:\n\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\n\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39467" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39468", + "dataSource": "https://ubuntu.com/security/CVE-2024-39468", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39468" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39468", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39468", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02c418774f76a0a36a6195c9dbf8971eb4130a15", + "https://git.kernel.org/stable/c/21f5dd36e655d25a7b45b61c1e537198b671f720", + "https://git.kernel.org/stable/c/225de871ddf994f69a57f035709cad9c0ab8615a", + "https://git.kernel.org/stable/c/8d0f5f1ccf675454a833a573c53830a49b7d1a47", + "https://git.kernel.org/stable/c/b055752675cd1d1db4ac9c2750db3dc3e89ea261", + "https://git.kernel.org/stable/c/b09b556e48968317887a11243a5331a7bc00ece5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix deadlock in smb2_find_smb_tcon()\n\nUnlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such\ndeadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39468" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39469", + "dataSource": "https://ubuntu.com/security/CVE-2024-39469", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39469" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39469", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39469", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/11a2edb70356a2202dcb7c9c189c8356ab4752cd", + "https://git.kernel.org/stable/c/129dcd3e7d036218db3f59c82d82004b9539ed82", + "https://git.kernel.org/stable/c/2ac8a2fe22bdde9eecce2a42cf5cab79333fb428", + "https://git.kernel.org/stable/c/405b71f1251e5ae865f53bd27c45114e6c83bee3", + "https://git.kernel.org/stable/c/59f14875a96ef93f05b82ad3c980605f2cb444b5", + "https://git.kernel.org/stable/c/7373a51e7998b508af7136530f3a997b286ce81c", + "https://git.kernel.org/stable/c/c77ad608df6c091fe64ecb91f41ef7cb465587f1", + "https://git.kernel.org/stable/c/d18b05eda7fa77f02114f15b02c009f28ee42346" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors\n\nThe error handling in nilfs_empty_dir() when a directory folio/page read\nfails is incorrect, as in the old ext2 implementation, and if the\nfolio/page cannot be read or nilfs_check_folio() fails, it will falsely\ndetermine the directory as empty and corrupt the file system.\n\nIn addition, since nilfs_empty_dir() does not immediately return on a\nfailed folio/page read, but continues to loop, this can cause a long loop\nwith I/O if i_size of the directory's inode is also corrupted, causing the\nlog writer thread to wait and hang, as reported by syzbot.\n\nFix these issues by making nilfs_empty_dir() immediately return a false\nvalue (0) if it fails to get a directory folio/page.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39469" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39471", + "dataSource": "https://ubuntu.com/security/CVE-2024-39471", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39471" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39471", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39471", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/011552f29f20842c9a7a21bffe1f6a2d6457ba46", + "https://git.kernel.org/stable/c/0964c84b93db7fbf74f357c1e20957850e092db3", + "https://git.kernel.org/stable/c/5594971e02764aa1c8210ffb838cb4e7897716e8", + "https://git.kernel.org/stable/c/5b0a3dc3e87821acb80e841b464d335aff242691", + "https://git.kernel.org/stable/c/8112fa72b7f139052843ff484130d6f97e9f052f", + "https://git.kernel.org/stable/c/8b2faf1a4f3b6c748c0da36cda865a226534d520", + "https://git.kernel.org/stable/c/ea906e9ac61e3152bef63597f2d9f4a812fc346a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add error handle to avoid out-of-bounds\n\nif the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should\nbe stop to avoid out-of-bounds read, so directly return -EINVAL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39471" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39472", + "dataSource": "https://ubuntu.com/security/CVE-2024-39472", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39472" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39472", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39472", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/45cf976008ddef4a9c9a30310c9b4fb2a9a6602a", + "https://git.kernel.org/stable/c/57835c0e7152e36b03875dd6c56dfeed685c1b1f", + "https://git.kernel.org/stable/c/c2389c074973aa94e34992e7f66dac0de37595b5", + "https://git.kernel.org/stable/c/f754591b17d0ee91c2b45fe9509d0cdc420527cb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix log recovery buffer allocation for the legacy h_size fixup\n\nCommit a70f9fe52daa (\"xfs: detect and handle invalid iclog size set by\nmkfs\") added a fixup for incorrect h_size values used for the initial\numount record in old xfsprogs versions. Later commit 0c771b99d6c9\n(\"xfs: clean up calculation of LR header blocks\") cleaned up the log\nreover buffer calculation, but stoped using the fixed up h_size value\nto size the log recovery buffer, which can lead to an out of bounds\naccess when the incorrect h_size does not come from the old mkfs\ntool, but a fuzzer.\n\nFix this by open coding xlog_logrec_hblks and taking the fixed h_size\ninto account for this calculation.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39472" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39475", + "dataSource": "https://ubuntu.com/security/CVE-2024-39475", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39475" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39475", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39475", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/32f92b0078ebf79dbe4827288e0acb50d89d3d5b", + "https://git.kernel.org/stable/c/4b2c67e30b4e1d2ae19dba8b8e8f3b5fd3cf8089", + "https://git.kernel.org/stable/c/5f446859bfa46df0ffb34149499f48a2c2d8cd95", + "https://git.kernel.org/stable/c/6ad959b6703e2c4c5d7af03b4cfd5ff608036339", + "https://git.kernel.org/stable/c/86435f39c18967cdd937d7a49ba539cdea7fb547", + "https://git.kernel.org/stable/c/b8385ff814ca4cb7e63789841e6ec2a14c73e1e8", + "https://git.kernel.org/stable/c/be754cbd77eaf2932408a4e18532e4945274a5c7", + "https://git.kernel.org/stable/c/edaa57480b876e8203b51df7c3d14a51ea6b09e3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Handle err return when savagefb_check_var failed\n\nThe commit 04e5eac8f3ab(\"fbdev: savage: Error out if pixclock equals zero\")\nchecks the value of pixclock to avoid divide-by-zero error. However\nthe function savagefb_probe doesn't handle the error return of\nsavagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39475" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39476", + "dataSource": "https://ubuntu.com/security/CVE-2024-39476", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39476" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39476", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39476", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/098d54934814dd876963abfe751c3b1cf7fbe56a", + "https://git.kernel.org/stable/c/151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa", + "https://git.kernel.org/stable/c/3f8d5e802d4cedd445f9a89be8c3fd2d0e99024b", + "https://git.kernel.org/stable/c/634ba3c97ec413cb10681c7b196db43ee461ecf4", + "https://git.kernel.org/stable/c/aa64464c8f4d2ab92f6d0b959a1e0767b829d787", + "https://git.kernel.org/stable/c/b32aa95843cac6b12c2c014d40fca18aef24a347", + "https://git.kernel.org/stable/c/cd2538e5af495b3c747e503db346470fc1ffc447", + "https://git.kernel.org/stable/c/e332a12f65d8fed8cf63bedb4e9317bb872b9ac7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING\n\nXiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with\nsmall possibility, the root cause is exactly the same as commit\nbed9e27baf52 (\"Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"\")\n\nHowever, Dan reported another hang after that, and junxiao investigated\nthe problem and found out that this is caused by plugged bio can't issue\nfrom raid5d().\n\nCurrent implementation in raid5d() has a weird dependence:\n\n1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear\n MD_SB_CHANGE_PENDING;\n2) raid5d() handles IO in a deadloop, until all IO are issued;\n3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;\n\nThis behaviour is introduce before v2.6, and for consequence, if other\ncontext hold 'reconfig_mutex', and md_check_recovery() can't update\nsuper_block, then raid5d() will waste one cpu 100% by the deadloop, until\n'reconfig_mutex' is released.\n\nRefer to the implementation from raid1 and raid10, fix this problem by\nskipping issue IO if MD_SB_CHANGE_PENDING is still set after\nmd_check_recovery(), daemon thread will be woken up when 'reconfig_mutex'\nis released. Meanwhile, the hang problem will be fixed as well.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39476" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39480", + "dataSource": "https://ubuntu.com/security/CVE-2024-39480", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39480" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39480", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39480", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/107e825cc448b7834b31e8b1b3cf0f57426d46d5", + "https://git.kernel.org/stable/c/33d9c814652b971461d1e30bead6792851c209e7", + "https://git.kernel.org/stable/c/cfdc2fa4db57503bc6d3817240547c8ddc55fa96", + "https://git.kernel.org/stable/c/ddd2972d8e2dee3b33e8121669d55def59f0be8a", + "https://git.kernel.org/stable/c/e9730744bf3af04cda23799029342aa3cddbc454", + "https://git.kernel.org/stable/c/f636a40834d22e5e3fc748f060211879c056cd33", + "https://git.kernel.org/stable/c/f694da720dcf795dc3eb97bf76d220213f76aaa7", + "https://git.kernel.org/stable/c/fb824a99e148ff272a53d71d84122728b5f00992" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkdb: Fix buffer overflow during tab-complete\n\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\n\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39480" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39482", + "dataSource": "https://ubuntu.com/security/CVE-2024-39482", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39482" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39482", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39482", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671", + "https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b", + "https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31", + "https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023", + "https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148", + "https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix variable length array abuse in btree_iter\n\nbtree_iter is used in two ways: either allocated on the stack with a\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\nspecific cache set. Previously, the struct had a fixed-length array of\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\niterators, which causes UBSAN to complain.\n\nThis patch uses the same approach as in bcachefs's sort_iter and splits\nthe iterator into a btree_iter with a flexible array member and a\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\ndata array.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39482" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39484", + "dataSource": "https://ubuntu.com/security/CVE-2024-39484", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39484" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39484", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39484", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1d5ed0efe51d36b9ae9b64f133bf41cdbf56f584", + "https://git.kernel.org/stable/c/55c421b364482b61c4c45313a535e61ed5ae4ea3", + "https://git.kernel.org/stable/c/5ee241f72edc6dce5051a5f100eab6cc019d873e", + "https://git.kernel.org/stable/c/6ff7cfa02baabec907f6f29ea76634e6256d2ec4", + "https://git.kernel.org/stable/c/7590da4c04dd4aa9c262da0231e978263861c6eb", + "https://git.kernel.org/stable/c/aea35157bb9b825faa0432bd0f7fbea37ff39aa1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: davinci: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback being\ndiscarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.\nusing sysfs or hotplug), the driver is just removed without the cleanup\nbeing performed. This results in resource leaks. Fix it by compiling in the\nremove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\nWARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in\nreference: davinci_mmcsd_driver+0x10 (section: .data) ->\ndavinci_mmcsd_remove (section: .exit.text)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-39484" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39487", + "dataSource": "https://ubuntu.com/security/CVE-2024-39487", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39487" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39487", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39487", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/6a8a4fd082c439e19fede027e80c79bc4c84bb8e", + "https://git.kernel.org/stable/c/6b21346b399fd1336fe59233a17eb5ce73041ee1", + "https://git.kernel.org/stable/c/707c85ba3527ad6aa25552033576b0f1ff835d7b", + "https://git.kernel.org/stable/c/9f835e48bd4c75fdf6a9cff3f0b806a7abde78da", + "https://git.kernel.org/stable/c/b75e33eae8667084bd4a63e67657c6a5a0f8d1e8", + "https://git.kernel.org/stable/c/bfd14e5915c2669f292a31d028e75dcd82f1e7e9", + "https://git.kernel.org/stable/c/c8eb8ab9a44ff0e73492d0a12a643c449f641a9f", + "https://git.kernel.org/stable/c/e271ff53807e8f2c628758290f0e499dbe51cb3d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\n\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\n\nFix it by adding a check of string length before using it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.8, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39487" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39488", + "dataSource": "https://ubuntu.com/security/CVE-2024-39488", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39488" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39488", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39488", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/22469a0335a1a1a690349b58bcb55822457df81e", + "https://git.kernel.org/stable/c/3fd487ffaa697ddb05af78a75aaaddabe71c52b0", + "https://git.kernel.org/stable/c/461a760d578b2b2c2faac3040b6b7c77baf128f8", + "https://git.kernel.org/stable/c/9f2ad88f9b349554f64e4037ec185c84d7dd9c7d", + "https://git.kernel.org/stable/c/c1929c041a262a4a27265db8dce3619c92aa678c", + "https://git.kernel.org/stable/c/c27a2f7668e215c1ebbccd96fab27a220a93f1f7", + "https://git.kernel.org/stable/c/f221bd58db0f6ca087ac0392284f6bce21f4f8ea", + "https://git.kernel.org/stable/c/ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\n\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\n\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tsigned int file_disp;\t// 4 bytes\n\t\tunsigned short line;\t\t// 2 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t}\n\n... with 12 bytes total, requiring 4-byte alignment.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\n\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\n\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\n\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\n\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\n\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\n\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\n\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\n\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\n\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\n\nConsequently module_find_bug() will miss the last bug_entry when it does:\n\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\n\n... which can lead to a kenrel panic due to an unhandled bug.\n\nThis can be demonstrated with the following module:\n\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\n\n\tstatic void __exit bugexit(void)\n\t{\n\t}\n\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\n\n... which will trigger a kernel panic when loaded:\n\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39488" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39489", + "dataSource": "https://ubuntu.com/security/CVE-2024-39489", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39489" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39489", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39489", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0e44d6cbe8de983470c3d2f978649783384fdcb6", + "https://git.kernel.org/stable/c/4a3fcf53725b70010d1cf869a2ba549fed6b8fb3", + "https://git.kernel.org/stable/c/599a5654215092ac22bfc453f4fd3959c55ea821", + "https://git.kernel.org/stable/c/61d31ac85b4572d11f8071855c0ccb4f32d76c0c", + "https://git.kernel.org/stable/c/afd5730969aec960a2fee4e5ee839a6014643976", + "https://git.kernel.org/stable/c/daf341e0a2318b813427d5a78788c86f4a7f02be", + "https://git.kernel.org/stable/c/efb9f4f19f8e37fde43dfecebc80292d179f56c6", + "https://git.kernel.org/stable/c/f6a99ef4e056c20a138a95cc51332b2b96c8f383" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix memleak in seg6_hmac_init_algo\n\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\n\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39489" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39490", + "dataSource": "https://ubuntu.com/security/CVE-2024-39490", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39490" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39490", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39490", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5447f9708d9e4c17a647b16a9cb29e9e02820bd9", + "https://git.kernel.org/stable/c/8f1fc3b86eaea70be6abcae2e9aa7e7b99453864", + "https://git.kernel.org/stable/c/e8688218e38111ace457509d8f0cad75f79c1a7a", + "https://git.kernel.org/stable/c/f4df8c7670a73752201cbde215254598efdf6ce8", + "https://git.kernel.org/stable/c/f5fec1588642e415a3d72e02140160661b303940" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix missing sk_buff release in seg6_input_core\n\nThe seg6_input() function is responsible for adding the SRH into a\npacket, delegating the operation to the seg6_input_core(). This function\nuses the skb_cow_head() to ensure that there is sufficient headroom in\nthe sk_buff for accommodating the link-layer header.\nIn the event that the skb_cow_header() function fails, the\nseg6_input_core() catches the error but it does not release the sk_buff,\nwhich will result in a memory leak.\n\nThis issue was introduced in commit af3b5158b89d (\"ipv6: sr: fix BUG due\nto headroom too small after SRH push\") and persists even after commit\n7a3f5b0de364 (\"netfilter: add netfilter hooks to SRv6 data plane\"),\nwhere the entire seg6_input() code was refactored to deal with netfilter\nhooks.\n\nThe proposed patch addresses the identified memory leak by requiring the\nseg6_input_core() function to release the sk_buff in the event that\nskb_cow_head() fails.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39490" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39493", + "dataSource": "https://ubuntu.com/security/CVE-2024-39493", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39493" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39493", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39493", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0ce5964b82f212f4df6a9813f09a0b5de15bd9c8", + "https://git.kernel.org/stable/c/3fb4601e0db10d4fe25e46f3fa308d40d37366bd", + "https://git.kernel.org/stable/c/6396b33e98c096bff9c253ed49c008247963492a", + "https://git.kernel.org/stable/c/a718b6d2a329e069b27d9049a71be5931e71d960", + "https://git.kernel.org/stable/c/c2d443aa1ae3175c13a665f3a24b8acd759ce9c3", + "https://git.kernel.org/stable/c/d0fd124972724cce0d48b9865ce3e273ef69e246", + "https://git.kernel.org/stable/c/d3b17c6d9dddc2db3670bc9be628b122416a3d26", + "https://git.kernel.org/stable/c/e7428e7e3fe94a5089dc12ffe5bc31574d2315ad" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - Fix ADF_DEV_RESET_SYNC memory leak\n\nUsing completion_done to determine whether the caller has gone\naway only works after a complete call. Furthermore it's still\npossible that the caller has not yet called wait_for_completion,\nresulting in another potential UAF.\n\nFix this by making the caller use cancel_work_sync and then freeing\nthe memory safely.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39493" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39494", + "dataSource": "https://ubuntu.com/security/CVE-2024-39494", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39494" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39494", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39494", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4", + "https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c", + "https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de", + "https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix use-after-free on a dentry's dname.name\n\n->d_name.name can change on rename and the earlier value can be freed;\nthere are conditions sufficient to stabilize it (->d_lock on dentry,\n->d_lock on its parent, ->i_rwsem exclusive on the parent's inode,\nrename_lock), but none of those are met at any of the sites. Take a stable\nsnapshot of the name instead.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39494" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39495", + "dataSource": "https://ubuntu.com/security/CVE-2024-39495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39495", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445", + "https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea", + "https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83", + "https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce", + "https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201", + "https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc", + "https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: Fix use-after-free bug in gb_interface_release due to race condition.\n\nIn gb_interface_create, &intf->mode_switch_completion is bound with\ngb_interface_mode_switch_work. Then it will be started by\ngb_interface_request_mode_switch. Here is the relevant code.\nif (!queue_work(system_long_wq, &intf->mode_switch_work)) {\n\t...\n}\n\nIf we call gb_interface_release to make cleanup, there may be an\nunfinished work. This function will call kfree to free the object\n\"intf\". However, if gb_interface_mode_switch_work is scheduled to\nrun after kfree, it may cause use-after-free error as\ngb_interface_mode_switch_work will use the object \"intf\".\nThe possible execution flow that may lead to the issue is as follows:\n\nCPU0 CPU1\n\n | gb_interface_create\n | gb_interface_request_mode_switch\ngb_interface_release |\nkfree(intf) (free) |\n | gb_interface_mode_switch_work\n | mutex_lock(&intf->mutex) (use)\n\nFix it by canceling the work before kfree.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39495" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39496", + "dataSource": "https://ubuntu.com/security/CVE-2024-39496", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39496" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39496", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39496", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9", + "https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6", + "https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43", + "https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free due to race with dev replace\n\nWhile loading a zone's info during creation of a block group, we can race\nwith a device replace operation and then trigger a use-after-free on the\ndevice that was just replaced (source device of the replace operation).\n\nThis happens because at btrfs_load_zone_info() we extract a device from\nthe chunk map into a local variable and then use the device while not\nunder the protection of the device replace rwsem. So if there's a device\nreplace operation happening when we extract the device and that device\nis the source of the replace operation, we will trigger a use-after-free\nif before we finish using the device the replace operation finishes and\nfrees the device.\n\nFix this by enlarging the critical section under the protection of the\ndevice replace rwsem so that all uses of the device are done inside the\ncritical section.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39496" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39497", + "dataSource": "https://ubuntu.com/security/CVE-2024-39497", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39497" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39497", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39497", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03c71c42809ef4b17f5d874cdb2d3bf40e847b86", + "https://git.kernel.org/stable/c/1b4a8b89bf6787090b56424d269bf84ba00c3263", + "https://git.kernel.org/stable/c/39bc27bd688066a63e56f7f64ad34fae03fbe3b8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)\n\nLack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap\nallows users to call mmap with PROT_WRITE and MAP_PRIVATE flag\ncausing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:\nBUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));\n\nReturn -EINVAL early if COW mapping is detected.\n\nThis bug affects all drm drivers using default shmem helpers.\nIt can be reproduced by this simple example:\nvoid *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);\nptr[0] = 0;", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39497" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39499", + "dataSource": "https://ubuntu.com/security/CVE-2024-39499", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39499" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39499", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39499", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/58730dfbd4ae01c1b022b0d234a8bf8c02cdfb81", + "https://git.kernel.org/stable/c/681967c4ff210e06380acf9b9a1b33ae06e77cbd", + "https://git.kernel.org/stable/c/757804e1c599af5d2a7f864c8e8b2842406ff4bb", + "https://git.kernel.org/stable/c/8003f00d895310d409b2bf9ef907c56b42a4e0f4", + "https://git.kernel.org/stable/c/95ac3e773a1f8da83c4710a720fbfe80055aafae", + "https://git.kernel.org/stable/c/95bac1c8bedb362374ea1937b1d3e833e01174ee", + "https://git.kernel.org/stable/c/e293c6b38ac9029d76ff0d2a6b2d74131709a9a8", + "https://git.kernel.org/stable/c/f70ff737346744633e7b655c1fb23e1578491ff3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci: prevent speculation leaks by sanitizing event in event_deliver()\n\nCoverity spotted that event_msg is controlled by user-space,\nevent_msg->event_data.event is passed to event_deliver() and used\nas an index without sanitization.\n\nThis change ensures that the event index is sanitized to mitigate any\npossibility of speculative information leaks.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.\n\nOnly compile tested, no access to HW.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39499" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39500", + "dataSource": "https://ubuntu.com/security/CVE-2024-39500", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39500" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39500", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39500", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3627605de498639a3c586c8684d12c89cba11073", + "https://git.kernel.org/stable/c/4959ffc65a0e94f8acaac20deac49f89e6ded52d", + "https://git.kernel.org/stable/c/4b4647add7d3c8530493f7247d11e257ee425bf0", + "https://git.kernel.org/stable/c/5eabdf17fed2ad41b836bb4055ec36d95e512c50", + "https://git.kernel.org/stable/c/e946428439a0d2079959f5603256ac51b6047017" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: avoid race between sock_map_close and sk_psock_put\n\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\nwill happen when the last call of sk_psock_put is done. However,\nsk_psock_drop may not have finished yet, so the close callback will still\npoint to sock_map_close despite psock being NULL.\n\nThis can be reproduced with a thread deleting an element from the sock map,\nwhile the second one creates a socket, adds it to the map and closes it.\n\nThat will trigger the WARN_ON_ONCE:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nModules linked in:\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\nFS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\nCall Trace:\n \n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbe/0x240 net/socket.c:1421\n __fput+0x42b/0x8a0 fs/file_table.c:422\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close fs/open.c:1541 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb37d618070\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \n\nUse sk_psock, which will only check that the pointer is not been set to\nNULL yet, which should only happen after the callbacks are restored. If,\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\npsock->work.\n\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\nless convoluted.\n\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\nanymore.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39500" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39501", + "dataSource": "https://ubuntu.com/security/CVE-2024-39501", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39501" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39501", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39501", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08891eeaa97c079b7f95d60b62dcf0e3ce034b69", + "https://git.kernel.org/stable/c/13d25e82b6d00d743c7961dcb260329f86bedf7c", + "https://git.kernel.org/stable/c/760603e30bf19d7b4c28e9d81f18b54fa3b745ad", + "https://git.kernel.org/stable/c/95d03d369ea647b89e950667f1c3363ea6f564e6", + "https://git.kernel.org/stable/c/a42b0060d6ff2f7e59290a26d5f162a3c6329b90", + "https://git.kernel.org/stable/c/bb3641a5831789d83a58a39ed4a928bcbece7080", + "https://git.kernel.org/stable/c/c0a40097f0bc81deafc15f9195d1fb54595cd6d0", + "https://git.kernel.org/stable/c/ec772ed7cb21b46fb132f89241682553efd0b721" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: core: synchronize really_probe() and dev_uevent()\n\nSynchronize the dev->driver usage in really_probe() and dev_uevent().\nThese can run in different threads, what can result in the following\nrace condition for dev->driver uninitialization:\n\nThread #1:\n==========\n\nreally_probe() {\n...\nprobe_failed:\n...\ndevice_unbind_cleanup(dev) {\n ...\n dev->driver = NULL; // <= Failed probe sets dev->driver to NULL\n ...\n }\n...\n}\n\nThread #2:\n==========\n\ndev_uevent() {\n...\nif (dev->driver)\n // If dev->driver is NULLed from really_probe() from here on,\n // after above check, the system crashes\n add_uevent_var(env, \"DRIVER=%s\", dev->driver->name);\n...\n}\n\nreally_probe() holds the lock, already. So nothing needs to be done\nthere. dev_uevent() is called with lock held, often, too. But not\nalways. What implies that we can't add any locking in dev_uevent()\nitself. So fix this race by adding the lock to the non-protected\npath. This is the path where above race is observed:\n\n dev_uevent+0x235/0x380\n uevent_show+0x10c/0x1f0 <= Add lock here\n dev_attr_show+0x3a/0xa0\n sysfs_kf_seq_show+0x17c/0x250\n kernfs_seq_show+0x7c/0x90\n seq_read_iter+0x2d7/0x940\n kernfs_fop_read_iter+0xc6/0x310\n vfs_read+0x5bc/0x6b0\n ksys_read+0xeb/0x1b0\n __x64_sys_read+0x42/0x50\n x64_sys_call+0x27ad/0x2d30\n do_syscall_64+0xcd/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nSimilar cases are reported by syzkaller in\n\nhttps://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a\n\nBut these are regarding the *initialization* of dev->driver\n\ndev->driver = drv;\n\nAs this switches dev->driver to non-NULL these reports can be considered\nto be false-positives (which should be \"fixed\" by this commit, as well,\nthough).\n\nThe same issue was reported and tried to be fixed back in 2015 in\n\nhttps://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/\n\nalready.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39501" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39502", + "dataSource": "https://ubuntu.com/security/CVE-2024-39502", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39502" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39502", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39502", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7", + "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5", + "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84", + "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13", + "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e", + "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e", + "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n ethtool -L rx 1 tx 1 combined 0\n ethtool -L rx 0 tx 0 combined 1\n ethtool -L rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39502" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39503", + "dataSource": "https://ubuntu.com/security/CVE-2024-39503", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39503" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39503", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39503", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f1bb77c6d837c9513943bc7c08f04c5cc5c6568", + "https://git.kernel.org/stable/c/2ba35b37f780c6410bb4bba9c3072596d8576702", + "https://git.kernel.org/stable/c/390b353d1a1da3e9c6c0fd14fe650d69063c95d6", + "https://git.kernel.org/stable/c/4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10", + "https://git.kernel.org/stable/c/90ae20d47de602198eb69e6cd7a3db3420abfc08", + "https://git.kernel.org/stable/c/93b53c202b51a69e42ca57f5a183f7e008e19f83", + "https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Fix race between namespace cleanup and gc in the list:set type\n\nLion Ackermann reported that there is a race condition between namespace cleanup\nin ipset and the garbage collection of the list:set type. The namespace\ncleanup can destroy the list:set type of sets while the gc of the set type is\nwaiting to run in rcu cleanup. The latter uses data from the destroyed set which\nthus leads use after free. The patch contains the following parts:\n\n- When destroying all sets, first remove the garbage collectors, then wait\n if needed and then destroy the sets.\n- Fix the badly ordered \"wait then remove gc\" for the destroy a single set\n case.\n- Fix the missing rcu locking in the list:set type in the userspace test\n case.\n- Use proper RCU list handlings in the list:set type.\n\nThe patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39503" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39505", + "dataSource": "https://ubuntu.com/security/CVE-2024-39505", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39505" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39505", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39505", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0674ed1e58e2fdcc155e7d944f8aad007a94ac69", + "https://git.kernel.org/stable/c/3b1cf943b029c147bfacfd53dc28ffa632c0a622", + "https://git.kernel.org/stable/c/86042e3d16b7e0686db835c9e7af0f9044dd3a56", + "https://git.kernel.org/stable/c/9460961d82134ceda7377b77a3e3e3531b625dfe", + "https://git.kernel.org/stable/c/99392c98b9be0523fe76944b2264b1847512ad23", + "https://git.kernel.org/stable/c/b880018edd3a577e50366338194dee9b899947e0", + "https://git.kernel.org/stable/c/bda7cdaeebf57e46c1a488ae7a15f6f264691f59" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/komeda: check for error-valued pointer\n\nkomeda_pipeline_get_state() may return an error-valued pointer, thus\ncheck the pointer for negative or null value before dereferencing.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39505" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39506", + "dataSource": "https://ubuntu.com/security/CVE-2024-39506", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39506" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39506", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39506", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/87d6bdc006f0cbf297a3b2ad6e40ede4c3ee5dc2", + "https://git.kernel.org/stable/c/a6f4d0ec170a46b5f453cacf55dff5989b42bbfa", + "https://git.kernel.org/stable/c/a86490a3712cc513113440a606a0e77130abd47c", + "https://git.kernel.org/stable/c/c44711b78608c98a3e6b49ce91678cd0917d5349", + "https://git.kernel.org/stable/c/cbf18d8128a753cb632bef39470d19befd9c7347", + "https://git.kernel.org/stable/c/dcc7440f32c7a26b067aff6e7d931ec593024a79", + "https://git.kernel.org/stable/c/f1ab15a09492a5ae8ab1e2c35ba2cf9e150d25ee", + "https://git.kernel.org/stable/c/fd2b613bc4c508e55c1221c6595bb889812a4fea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nliquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet\n\nIn lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,\nbut then it is unconditionally passed to skb_add_rx_frag() which looks\nstrange and could lead to null pointer dereference.\n\nlio_vf_rep_copy_packet() call trace looks like:\n\tocteon_droq_process_packets\n\t octeon_droq_fast_process_packets\n\t octeon_droq_dispatch_pkt\n\t octeon_create_recv_info\n\t ...search in the dispatch_list...\n\t ->disp_fn(rdisp->rinfo, ...)\n\t lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)\nIn this path there is no code which sets pg_info->page to NULL.\nSo this check looks unneeded and doesn't solve potential problem.\nBut I guess the author had reason to add a check and I have no such card\nand can't do real test.\nIn addition, the code in the function liquidio_push_packet() in\nliquidio/lio_core.c does exactly the same.\n\nBased on this, I consider the most acceptable compromise solution to\nadjust this issue by moving skb_add_rx_frag() into conditional scope.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39506" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39507", + "dataSource": "https://ubuntu.com/security/CVE-2024-39507", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39507" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39507", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39507", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4", + "https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48", + "https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa", + "https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63", + "https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash problem in concurrent scenario\n\nWhen link status change, the nic driver need to notify the roce\ndriver to handle this event, but at this time, the roce driver\nmay uninit, then cause kernel crash.\n\nTo fix the problem, when link status change, need to check\nwhether the roce registered, and when uninit, need to wait link\nupdate finish.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39507" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39508", + "dataSource": "https://ubuntu.com/security/CVE-2024-39508", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39508" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39508", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39508", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf", + "https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab", + "https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: Use set_bit() and test_bit() at worker->flags\n\nUtilize set_bit() and test_bit() on worker->flags within io_uring/io-wq\nto address potential data races.\n\nThe structure io_worker->flags may be accessed through various data\npaths, leading to concurrency issues. When KCSAN is enabled, it reveals\ndata races occurring in io_worker_handle_work and\nio_wq_activate_free_worker functions.\n\n\t BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker\n\t write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28:\n\t io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569)\n\t io_wq_worker (io_uring/io-wq.c:?)\n\n\n\t read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5:\n\t io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285)\n\t io_wq_enqueue (io_uring/io-wq.c:947)\n\t io_queue_iowq (io_uring/io_uring.c:524)\n\t io_req_task_submit (io_uring/io_uring.c:1511)\n\t io_handle_tw_list (io_uring/io_uring.c:1198)\n\n\nLine numbers against commit 18daea77cca6 (\"Merge tag 'for-linus' of\ngit://git.kernel.org/pub/scm/virt/kvm/kvm\").\n\nThese races involve writes and reads to the same memory location by\ndifferent tasks running on different CPUs. To mitigate this, refactor\nthe code to use atomic operations such as set_bit(), test_bit(), and\nclear_bit() instead of basic \"and\" and \"or\" operations. This ensures\nthread-safe manipulation of worker flags.\n\nAlso, move `create_index` to avoid holes in the structure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39508" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39509", + "dataSource": "https://ubuntu.com/security/CVE-2024-39509", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39509" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39509", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39509", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/30f76bc468b9b2cbbd5d3eb482661e3e4798893f", + "https://git.kernel.org/stable/c/33f6832798dd3297317901cc1db556ac3ae80c24", + "https://git.kernel.org/stable/c/4aa2dcfbad538adf7becd0034a3754e1bd01b2b5", + "https://git.kernel.org/stable/c/655c6de2f215b61d0708db6b06305eee9bbfeba2", + "https://git.kernel.org/stable/c/8bac61934cd563b073cd30b8cf6d5c758ab5ab26", + "https://git.kernel.org/stable/c/955b3764671f3f157215194972d9c01a3a4bd316", + "https://git.kernel.org/stable/c/bfd546fc7fd76076f81bf41b85b51ceda30949fd", + "https://git.kernel.org/stable/c/f9db5fbeffb951cac3f0fb1c2eeffb79785399ca" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: remove unnecessary WARN_ON() in implement()\n\nSyzkaller hit a warning [1] in a call to implement() when trying\nto write a value into a field of smaller size in an output report.\n\nSince implement() already has a warn message printed out with the\nhelp of hid_warn() and value in question gets trimmed with:\n\t...\n\tvalue &= m;\n\t...\nWARN_ON may be considered superfluous. Remove it to suppress future\nsyzkaller triggers.\n\n[1]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\nModules linked in:\nCPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]\nRIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\n...\nCall Trace:\n \n __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]\n usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636\n hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39509" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39510", + "dataSource": "https://ubuntu.com/security/CVE-2024-39510", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39510" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39510", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39510", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3958679c49152391209b32be3357193300a51abd", + "https://git.kernel.org/stable/c/93064676a2820420a2d37d7c8289f277fe20793d", + "https://git.kernel.org/stable/c/cb55625f8eb9d2de8be4da0c4580d48cbb32058e", + "https://git.kernel.org/stable/c/da4a827416066191aafeeccee50a8836a826ba10" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60\nRead of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963\n\nCPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564\nCall Trace:\n kasan_report+0x93/0xc0\n cachefiles_ondemand_daemon_read+0xb41/0xb60\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 116:\n kmem_cache_alloc+0x140/0x3a0\n cachefiles_lookup_cookie+0x140/0xcd0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 792:\n kmem_cache_free+0xfe/0x390\n cachefiles_put_object+0x241/0x480\n fscache_cookie_state_machine+0x5c8/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\ncachefiles_withdraw_cookie\n cachefiles_ondemand_clean_object(object)\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n msg->object_id = req->object->ondemand->ondemand_id\n ------ restore ------\n cachefiles_ondemand_restore\n xas_for_each(&xas, req, ULONG_MAX)\n xas_set_mark(&xas, CACHEFILES_REQ_NEW)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n copy_to_user(_buffer, msg, n)\n xa_erase(&cache->reqs, id)\n complete(&REQ_A->done)\n ------ close(fd) ------\n cachefiles_ondemand_fd_release\n cachefiles_put_object\n cachefiles_put_object\n kmem_cache_free(cachefiles_object_jar, object)\n REQ_A->object->ondemand->ondemand_id\n // object UAF !!!\n\nWhen we see the request within xa_lock, req->object must not have been\nfreed yet, so grab the reference count of object before xa_unlock to\navoid the above issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39510" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40899", + "dataSource": "https://ubuntu.com/security/CVE-2024-40899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40899", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fc", + "https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62", + "https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0", + "https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0\nWrite of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962\n\nCPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542\nCall Trace:\n kasan_report+0x94/0xc0\n cachefiles_ondemand_daemon_read+0x609/0xab0\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 626:\n __kmalloc+0x1df/0x4b0\n cachefiles_ondemand_send_req+0x24d/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 626:\n kfree+0xf1/0x2c0\n cachefiles_ondemand_send_req+0x568/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n cachefiles_ondemand_get_fd\n copy_to_user(_buffer, msg, n)\n process_open_req(REQ_A)\n ------ restore ------\n cachefiles_ondemand_restore\n xas_for_each(&xas, req, ULONG_MAX)\n xas_set_mark(&xas, CACHEFILES_REQ_NEW);\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n\n write(devfd, (\"copen %u,%llu\", msg->msg_id, size));\n cachefiles_ondemand_copen\n xa_erase(&cache->reqs, id)\n complete(&REQ_A->done)\n kfree(REQ_A)\n cachefiles_ondemand_get_fd(REQ_A)\n fd = get_unused_fd_flags\n file = anon_inode_getfile\n fd_install(fd, file)\n load = (void *)REQ_A->msg.data;\n load->fd = fd;\n // load UAF !!!\n\nThis issue is caused by issuing a restore command when the daemon is still\nalive, which results in a request being processed multiple times thus\ntriggering a UAF. So to avoid this problem, add an additional reference\ncount to cachefiles_req, which is held while waiting and reading, and then\nreleased when the waiting and reading is over.\n\nNote that since there is only one reference count for waiting, we need to\navoid the same request being completed multiple times, so we can only\ncomplete the request if it is successfully removed from the xarray.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40900", + "dataSource": "https://ubuntu.com/security/CVE-2024-40900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40900" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40900", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013", + "https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19", + "https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598", + "https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: remove requests from xarray during flushing requests\n\nEven with CACHEFILES_DEAD set, we can still read the requests, so in the\nfollowing concurrency the request may be used after it has been freed:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n // close dev fd\n cachefiles_flush_reqs\n complete(&REQ_A->done)\n kfree(REQ_A)\n xa_lock(&cache->reqs);\n cachefiles_ondemand_select_req\n req->msg.opcode != CACHEFILES_OP_READ\n // req use-after-free !!!\n xa_unlock(&cache->reqs);\n xa_destroy(&cache->reqs)\n\nHence remove requests from cache->reqs when flushing them to avoid\naccessing freed requests.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40901", + "dataSource": "https://ubuntu.com/security/CVE-2024-40901", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40901" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40901", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40901", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16", + "https://git.kernel.org/stable/c/18abb5db0aa9b2d48f7037a88b41af2eef821674", + "https://git.kernel.org/stable/c/19649e49a6df07cd2e03e0a11396fd3a99485ec2", + "https://git.kernel.org/stable/c/4254dfeda82f20844299dca6c38cbffcfd499f41", + "https://git.kernel.org/stable/c/46bab2bcd771e725ff5ca3a68ba68cfeac45676c", + "https://git.kernel.org/stable/c/521f333e644c4246ca04a4fc4772edc53dd2a801", + "https://git.kernel.org/stable/c/9079338c5a0d1f1fee34fb1c9e99b754efe414c5", + "https://git.kernel.org/stable/c/e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory\n\nThere is a potential out-of-bounds access when using test_bit() on a single\nword. The test_bit() and set_bit() functions operate on long values, and\nwhen testing or setting a single word, they can exceed the word\nboundary. KASAN detects this issue and produces a dump:\n\n\t BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas\n\n\t Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965\n\nFor full log, please look at [1].\n\nMake the allocation at least the size of sizeof(unsigned long) so that\nset_bit() and test_bit() have sufficient room for read/write operations\nwithout overwriting unallocated memory.\n\n[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40901" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40902", + "dataSource": "https://ubuntu.com/security/CVE-2024-40902", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40902" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40902", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40902", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1e84c9b1838152a87cf453270a5fa75c5037e83a", + "https://git.kernel.org/stable/c/33aecc5799c93d3ee02f853cb94e201f9731f123", + "https://git.kernel.org/stable/c/4598233d9748fe4db4e13b9f473588aa25e87d69", + "https://git.kernel.org/stable/c/480e5bc21f2c42d90c2c16045d64d824dcdd5ec7", + "https://git.kernel.org/stable/c/7c55b78818cfb732680c4a72ab270cc2d2ee3d0f", + "https://git.kernel.org/stable/c/b537cb2f4c4a1357479716a9c339c0bda03d873f", + "https://git.kernel.org/stable/c/f0dedb5c511ed82cbaff4997a8decf2351ba549f", + "https://git.kernel.org/stable/c/fc745f6e83cb650f9a5f2c864158e3a5ea76dad0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: xattr: fix buffer overflow for invalid xattr\n\nWhen an xattr size is not what is expected, it is printed out to the\nkernel log in hex format as a form of debugging. But when that xattr\nsize is bigger than the expected size, printing it out can cause an\naccess off the end of the buffer.\n\nFix this all up by properly restricting the size of the debug hex dump\nin the kernel log.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40902" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40904", + "dataSource": "https://ubuntu.com/security/CVE-2024-40904", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40904" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40904", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40904", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02a4c0499fc3a02e992b4c69a9809912af372d94", + "https://git.kernel.org/stable/c/05b2cd6d33f700597e6f081b53c668a226a96d28", + "https://git.kernel.org/stable/c/217d1f44fff560b3995a685a60aa66e55a7f0f56", + "https://git.kernel.org/stable/c/22f00812862564b314784167a89f27b444f82a46", + "https://git.kernel.org/stable/c/53250b54c92fe087fd4b0c48f85529efe1ebd879", + "https://git.kernel.org/stable/c/72a3fe36cf9f0d030865e571f45a40f9c1e07e8a", + "https://git.kernel.org/stable/c/82075aff7ffccb1e72b0ac8aa349e473624d857c", + "https://git.kernel.org/stable/c/c0747d76eb05542b5d49f67069b64ef5ff732c6c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages\n\nThe syzbot fuzzer found that the interrupt-URB completion callback in\nthe cdc-wdm driver was taking too long, and the driver's immediate\nresubmission of interrupt URBs with -EPROTO status combined with the\ndummy-hcd emulation to cause a CPU lockup:\n\ncdc_wdm 1-1:1.0: nonzero urb status received: -71\ncdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes\nwatchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]\nCPU#0 Utilization every 4s during lockup:\n\t#1: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#2: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#3: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#4: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#5: 98% system,\t 1% softirq,\t 3% hardirq,\t 0% idle\nModules linked in:\nirq event stamp: 73096\nhardirqs last enabled at (73095): [] console_emit_next_record kernel/printk/printk.c:2935 [inline]\nhardirqs last enabled at (73095): [] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994\nhardirqs last disabled at (73096): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\nhardirqs last disabled at (73096): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\nsoftirqs last enabled at (73048): [] softirq_handle_end kernel/softirq.c:400 [inline]\nsoftirqs last enabled at (73048): [] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582\nsoftirqs last disabled at (73043): [] __do_softirq+0x14/0x20 kernel/softirq.c:588\nCPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n\nTesting showed that the problem did not occur if the two error\nmessages -- the first two lines above -- were removed; apparently adding\nmaterial to the kernel log takes a surprisingly large amount of time.\n\nIn any case, the best approach for preventing these lockups and to\navoid spamming the log with thousands of error messages per second is\nto ratelimit the two dev_err() calls. Therefore we replace them with\ndev_err_ratelimited().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40904" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40905", + "dataSource": "https://ubuntu.com/security/CVE-2024-40905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40905" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40905", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09e5a5a80e205922151136069e440477d6816914", + "https://git.kernel.org/stable/c/2498960dac9b6fc49b6d1574f7cd1a4872744adf", + "https://git.kernel.org/stable/c/7e796c3fefa8b17b30e7252886ae8cffacd2b9ef", + "https://git.kernel.org/stable/c/a0bc020592b54a8f3fa2b7f244b6e39e526c2e12", + "https://git.kernel.org/stable/c/b01e1c030770ff3b4fe37fc7cc6bca03f594133f", + "https://git.kernel.org/stable/c/c693698787660c97950bc1f93a8dd19d8307153d", + "https://git.kernel.org/stable/c/c90af1cced2f669a7b2304584be4ada495eaa0e5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible race in __fib6_drop_pcpu_from()\n\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\n\nIf compiler reads more than once (*ppcpu_rt),\nsecond read could read NULL, if another cpu clears\nthe value in rt6_get_pcpu_route().\n\nAdd a READ_ONCE() to prevent this race.\n\nAlso add rcu_read_lock()/rcu_read_unlock() because\nwe rely on RCU protection while dereferencing pcpu_rt.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: netns cleanup_net\n RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\n fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\n fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\n fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\n fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\n fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205\n fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\n fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\n fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\n __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\n rt6_sync_down_dev net/ipv6/route.c:4906 [inline]\n rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\n addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\n addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\n notifier_call_chain+0xb9/0x410 kernel/notifier.c:93\n call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\n call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\n call_netdevice_notifiers net/core/dev.c:2044 [inline]\n dev_close_many+0x333/0x6a0 net/core/dev.c:1585\n unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\n unregister_netdevice_many net/core/dev.c:11276 [inline]\n default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\n ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\n cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40906", + "dataSource": "https://ubuntu.com/security/CVE-2024-40906", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40906" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40906", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40906", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a", + "https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f", + "https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8", + "https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always stop health timer during driver removal\n\nCurrently, if teardown_hca fails to execute during driver removal, mlx5\ndoes not stop the health timer. Afterwards, mlx5 continue with driver\nteardown. This may lead to a UAF bug, which results in page fault\nOops[1], since the health timer invokes after resources were freed.\n\nHence, stop the health monitor even if teardown_hca fails.\n\n[1]\nmlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: cleanup\nmlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource\nmlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup\nBUG: unable to handle page fault for address: ffffa26487064230\nPGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1\nHardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020\nRIP: 0010:ioread32be+0x34/0x60\nRSP: 0018:ffffa26480003e58 EFLAGS: 00010292\nRAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0\nRDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230\nRBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8\nR10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0\nR13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0\nFS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x175/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? ioread32be+0x34/0x60\n mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n poll_health+0x42/0x230 [mlx5_core]\n ? __next_timer_interrupt+0xbc/0x110\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n call_timer_fn+0x21/0x130\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n __run_timers+0x222/0x2c0\n run_timer_softirq+0x1d/0x40\n __do_softirq+0xc9/0x2c8\n __irq_exit_rcu+0xa6/0xc0\n sysvec_apic_timer_interrupt+0x72/0x90\n \n \n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:cpuidle_enter_state+0xcc/0x440\n ? cpuidle_enter_state+0xbd/0x440\n cpuidle_enter+0x2d/0x40\n do_idle+0x20d/0x270\n cpu_startup_entry+0x2a/0x30\n rest_init+0xd0/0xd0\n arch_call_rest_init+0xe/0x30\n start_kernel+0x709/0xa90\n x86_64_start_reservations+0x18/0x30\n x86_64_start_kernel+0x96/0xa0\n secondary_startup_64_no_verify+0x18f/0x19b\n---[ end trace 0000000000000000 ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40906" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40908", + "dataSource": "https://ubuntu.com/security/CVE-2024-40908", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40908" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40908", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40908", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3708b6c2546c9eb34aead8a34a17e8ae69004e4d", + "https://git.kernel.org/stable/c/789bd77c9342aa6125003871ae5c6034d0f6f9d2", + "https://git.kernel.org/stable/c/ae0ba0ab7475a129ef7d449966edf677367efeb4", + "https://git.kernel.org/stable/c/d0d1df8ba18abc57f28fb3bc053b2bf319367f2c", + "https://git.kernel.org/stable/c/d387805d4b4a46ee01e3dae133c81b6d80195e5b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Set run context for rawtp test_run callback\n\nsyzbot reported crash when rawtp program executed through the\ntest_run interface calls bpf_get_attach_cookie helper or any\nother helper that touches task->bpf_ctx pointer.\n\nSetting the run context (task->bpf_ctx pointer) for test_run\ncallback.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40908" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40910", + "dataSource": "https://ubuntu.com/security/CVE-2024-40910", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40910" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40910", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40910", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774", + "https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3", + "https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964", + "https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix refcount imbalance on inbound connections\n\nWhen releasing a socket in ax25_release(), we call netdev_put() to\ndecrease the refcount on the associated ax.25 device. However, the\nexecution path for accepting an incoming connection never calls\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\nto kernel crashes.\n\nA typical call trace for the above situation will start with one of the\nfollowing errors:\n\n refcount_t: decrement hit 0; leaking memory.\n refcount_t: underflow; use-after-free.\n\nAnd will then have a trace like:\n\n Call Trace:\n \n ? show_regs+0x64/0x70\n ? __warn+0x83/0x120\n ? refcount_warn_saturate+0xb2/0x100\n ? report_bug+0x158/0x190\n ? prb_read_valid+0x20/0x30\n ? handle_bug+0x3e/0x70\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? refcount_warn_saturate+0xb2/0x100\n ? refcount_warn_saturate+0xb2/0x100\n ax25_release+0x2ad/0x360\n __sock_release+0x35/0xa0\n sock_close+0x19/0x20\n [...]\n\nOn reboot (or any attempt to remove the interface), the kernel gets\nstuck in an infinite loop:\n\n unregister_netdevice: waiting for ax0 to become free. Usage count = 0\n\nThis patch corrects these issues by ensuring that we call netdev_hold()\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\ncases we increment the refcount, which is ultimately decremented in\nax25_release().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40910" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40911", + "dataSource": "https://ubuntu.com/security/CVE-2024-40911", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40911" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40911", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40911", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ccc63958d8373e15a69f4f8069f3e78f7f3898a", + "https://git.kernel.org/stable/c/43e1eefb0b2094e2281150d87d09e8bc872b9fba", + "https://git.kernel.org/stable/c/642f89daa34567d02f312d03e41523a894906dae", + "https://git.kernel.org/stable/c/6d540b0317901535275020bd4ac44fac6439ca76", + "https://git.kernel.org/stable/c/dfd84ce41663be9ca3f69bd657c45f49b69344d9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Lock wiphy in cfg80211_get_station\n\nWiphy should be locked before calling rdev_get_station() (see lockdep\nassert in ieee80211_get_station()).\n\nThis fixes the following kernel NULL dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n Mem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000006\n CM = 0, WnR = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000\n [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000\n Internal error: Oops: 0000000096000006 [#1] SMP\n Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath\n CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705\n Hardware name: RPT (r1) (DT)\n Workqueue: bat_events batadv_v_elp_throughput_metric_update\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n lr : sta_set_sinfo+0xcc/0xbd4\n sp : ffff000007b43ad0\n x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98\n x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000\n x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc\n x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000\n x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d\n x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e\n x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000\n x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000\n x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90\n x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000\n Call trace:\n ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n sta_set_sinfo+0xcc/0xbd4\n ieee80211_get_station+0x2c/0x44\n cfg80211_get_station+0x80/0x154\n batadv_v_elp_get_throughput+0x138/0x1fc\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\n process_one_work+0x1ec/0x414\n worker_thread+0x70/0x46c\n kthread+0xdc/0xe0\n ret_from_fork+0x10/0x20\n Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)\n\nThis happens because STA has time to disconnect and reconnect before\nbatadv_v_elp_throughput_metric_update() delayed work gets scheduled. In\nthis situation, ath10k_sta_state() can be in the middle of resetting\narsta data when the work queue get chance to be scheduled and ends up\naccessing it. Locking wiphy prevents that.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40911" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40912", + "dataSource": "https://ubuntu.com/security/CVE-2024-40912", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40912" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40912", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40912", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932", + "https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e", + "https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81", + "https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485", + "https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb", + "https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f", + "https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e", + "https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\n\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\n rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\n Hardware name: RPT (r1) (DT)\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : queued_spin_lock_slowpath+0x58/0x2d0\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\n sp : ffff00001ef64660\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\n Call trace:\n queued_spin_lock_slowpath+0x58/0x2d0\n ieee80211_tx+0x80/0x12c\n ieee80211_tx_pending+0x110/0x278\n tasklet_action_common.constprop.0+0x10c/0x144\n tasklet_action+0x20/0x28\n _stext+0x11c/0x284\n ____do_softirq+0xc/0x14\n call_on_irq_stack+0x24/0x34\n do_softirq_own_stack+0x18/0x20\n do_softirq+0x74/0x7c\n __local_bh_enable_ip+0xa0/0xa4\n _ieee80211_wake_txqs+0x3b0/0x4b8\n __ieee80211_wake_queue+0x12c/0x168\n ieee80211_add_pending_skbs+0xec/0x138\n ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\n ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\n ieee80211_mps_sta_status_update+0x18/0x24\n sta_apply_parameters+0x3bc/0x4c0\n ieee80211_change_station+0x1b8/0x2dc\n nl80211_set_station+0x444/0x49c\n genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\n genl_rcv_msg+0x1b0/0x244\n netlink_rcv_skb+0x38/0x10c\n genl_rcv+0x34/0x48\n netlink_unicast+0x254/0x2bc\n netlink_sendmsg+0x190/0x3b4\n ____sys_sendmsg+0x1e8/0x218\n ___sys_sendmsg+0x68/0x8c\n __sys_sendmsg+0x44/0x84\n __arm64_sys_sendmsg+0x20/0x28\n do_el0_svc+0x6c/0xe8\n el0_svc+0x14/0x48\n el0t_64_sync_handler+0xb0/0xb4\n el0t_64_sync+0x14c/0x150\n\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40912" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40914", + "dataSource": "https://ubuntu.com/security/CVE-2024-40914", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40914" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40914", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40914", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9", + "https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af", + "https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf", + "https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794", + "https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: don't unpoison huge_zero_folio\n\nWhen I did memory failure tests recently, below panic occurs:\n\n kernel BUG at include/linux/mm.h:1135!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n Call Trace:\n \n do_shrink_slab+0x14f/0x6a0\n shrink_slab+0xca/0x8c0\n shrink_node+0x2d0/0x7d0\n balance_pgdat+0x33a/0x720\n kswapd+0x1f3/0x410\n kthread+0xd5/0x100\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30\n \n Modules linked in: mce_inject hwpoison_inject\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n\nThe root cause is that HWPoison flag will be set for huge_zero_folio\nwithout increasing the folio refcnt. But then unpoison_memory() will\ndecrease the folio refcnt unexpectedly as it appears like a successfully\nhwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when\nreleasing huge_zero_folio.\n\nSkip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. \nWe're not prepared to unpoison huge_zero_folio yet.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40914" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40915", + "dataSource": "https://ubuntu.com/security/CVE-2024-40915", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40915" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40915", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40915", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb", + "https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876", + "https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915", + "https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: rewrite __kernel_map_pages() to fix sleeping in invalid context\n\n__kernel_map_pages() is a debug function which clears the valid bit in page\ntable entry for deallocated pages to detect illegal memory accesses to\nfreed pages.\n\nThis function set/clear the valid bit using __set_memory(). __set_memory()\nacquires init_mm's semaphore, and this operation may sleep. This is\nproblematic, because __kernel_map_pages() can be called in atomic context,\nand thus is illegal to sleep. An example warning that this causes:\n\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\npreempt_count: 2, expected: 0\nCPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n[] dump_backtrace+0x1c/0x24\n[] show_stack+0x2c/0x38\n[] dump_stack_lvl+0x5a/0x72\n[] dump_stack+0x14/0x1c\n[] __might_resched+0x104/0x10e\n[] __might_sleep+0x3e/0x62\n[] down_write+0x20/0x72\n[] __set_memory+0x82/0x2fa\n[] __kernel_map_pages+0x5a/0xd4\n[] __alloc_pages_bulk+0x3b2/0x43a\n[] __vmalloc_node_range+0x196/0x6ba\n[] copy_process+0x72c/0x17ec\n[] kernel_clone+0x60/0x2fe\n[] kernel_thread+0x82/0xa0\n[] kthreadd+0x14a/0x1be\n[] ret_from_fork+0xe/0x1c\n\nRewrite this function with apply_to_existing_page_range(). It is fine to\nnot have any locking, because __kernel_map_pages() works with pages being\nallocated/deallocated and those pages are not changed by anyone else in the\nmeantime.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40915" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40916", + "dataSource": "https://ubuntu.com/security/CVE-2024-40916", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40916" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40916", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40916", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/35bcf16b4a28c10923ff391d14f6ed0ae471ee5f", + "https://git.kernel.org/stable/c/4dfffb50316c761c59386c9b002a10ac6d7bb6c9", + "https://git.kernel.org/stable/c/510a6c0dfa6ec61d07a4b64698d8dc60045bd632", + "https://git.kernel.org/stable/c/6d6bb258d886e124e5a5328e947b36fdcb3a6028", + "https://git.kernel.org/stable/c/799d4b392417ed6889030a5b2335ccb6dcf030ab", + "https://git.kernel.org/stable/c/c3ca24dfe9a2b3f4e8899af108829b0f4b4b15ec", + "https://git.kernel.org/stable/c/e23f2eaf51ecb6ab4ceb770e747d50c1db2eb222" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found\n\nWhen reading EDID fails and driver reports no modes available, the DRM\ncore adds an artificial 1024x786 mode to the connector. Unfortunately\nsome variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not\nable to drive such mode, so report a safe 640x480 mode instead of nothing\nin case of the EDID reading failure.\n\nThis fixes the following issue observed on Trats2 board since commit\n13d5b040363c (\"drm/exynos: do not return negative values from .get_modes()\"):\n\n[drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations\nexynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)\nexynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)\nexynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)\nexynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)\nexynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)\n[drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1\nexynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state\npanel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c\nexynos-mixer 12c10000.mixer: timeout waiting for VSYNC\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n[CRTC:70:crtc-1] vblank wait timed out\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x68/0x88\n dump_stack_lvl from __warn+0x7c/0x1c4\n __warn from warn_slowpath_fmt+0x11c/0x1a8\n warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c\n drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184\n commit_tail from drm_atomic_helper_commit+0x168/0x190\n drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0\n drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c\n drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc\n drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40\n drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4\n __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c\n drm_fb_helper_set_par from fbcon_init+0x3d8/0x550\n fbcon_init from visual_init+0xc0/0x108\n visual_init from do_bind_con_driver+0x1b8/0x3a4\n do_bind_con_driver from do_take_over_console+0x140/0x1ec\n do_take_over_console from do_fbcon_takeover+0x70/0xd0\n do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac\n fbcon_fb_registered from register_framebuffer+0x190/0x21c\n register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574\n __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0\n exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94\n drm_client_register from exynos_drm_bind+0x160/0x190\n exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8\n try_to_bring_up_aggregate_device from __component_add+0xb0/0x170\n __component_add from mixer_probe+0x74/0xcc\n mixer_probe from platform_probe+0x5c/0xb8\n platform_probe from really_probe+0xe0/0x3d8\n really_probe from __driver_probe_device+0x9c/0x1e4\n __driver_probe_device from driver_probe_device+0x30/0xc0\n driver_probe_device from __device_attach_driver+0xa8/0x120\n __device_attach_driver from bus_for_each_drv+0x80/0xcc\n bus_for_each_drv from __device_attach+0xac/0x1fc\n __device_attach from bus_probe_device+0x8c/0x90\n bus_probe_device from deferred_probe_work_func+0\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40916" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40918", + "dataSource": "https://ubuntu.com/security/CVE-2024-40918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5bf196f1936bf93df31112fbdfb78c03537c07b0", + "https://git.kernel.org/stable/c/72d95924ee35c8cd16ef52f912483ee938a34d49", + "https://git.kernel.org/stable/c/d66f2607d89f760cdffed88b22f309c895a2af20" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Try to fix random segmentation faults in package builds\n\nPA-RISC systems with PA8800 and PA8900 processors have had problems\nwith random segmentation faults for many years. Systems with earlier\nprocessors are much more stable.\n\nSystems with PA8800 and PA8900 processors have a large L2 cache which\nneeds per page flushing for decent performance when a large range is\nflushed. The combined cache in these systems is also more sensitive to\nnon-equivalent aliases than the caches in earlier systems.\n\nThe majority of random segmentation faults that I have looked at\nappear to be memory corruption in memory allocated using mmap and\nmalloc.\n\nMy first attempt at fixing the random faults didn't work. On\nreviewing the cache code, I realized that there were two issues\nwhich the existing code didn't handle correctly. Both relate\nto cache move-in. Another issue is that the present bit in PTEs\nis racy.\n\n1) PA-RISC caches have a mind of their own and they can speculatively\nload data and instructions for a page as long as there is a entry in\nthe TLB for the page which allows move-in. TLBs are local to each\nCPU. Thus, the TLB entry for a page must be purged before flushing\nthe page. This is particularly important on SMP systems.\n\nIn some of the flush routines, the flush routine would be called\nand then the TLB entry would be purged. This was because the flush\nroutine needed the TLB entry to do the flush.\n\n2) My initial approach to trying the fix the random faults was to\ntry and use flush_cache_page_if_present for all flush operations.\nThis actually made things worse and led to a couple of hardware\nlockups. It finally dawned on me that some lines weren't being\nflushed because the pte check code was racy. This resulted in\nrandom inequivalent mappings to physical pages.\n\nThe __flush_cache_page tmpalias flush sets up its own TLB entry\nand it doesn't need the existing TLB entry. As long as we can find\nthe pte pointer for the vm page, we can get the pfn and physical\naddress of the page. We can also purge the TLB entry for the page\nbefore doing the flush. Further, __flush_cache_page uses a special\nTLB entry that inhibits cache move-in.\n\nWhen switching page mappings, we need to ensure that lines are\nremoved from the cache. It is not sufficient to just flush the\nlines to memory as they may come back.\n\nThis made it clear that we needed to implement all the required\nflush operations using tmpalias routines. This includes flushes\nfor user and kernel pages.\n\nAfter modifying the code to use tmpalias flushes, it became clear\nthat the random segmentation faults were not fully resolved. The\nfrequency of faults was worse on systems with a 64 MB L2 (PA8900)\nand systems with more CPUs (rp4440).\n\nThe warning that I added to flush_cache_page_if_present to detect\npages that couldn't be flushed triggered frequently on some systems.\n\nHelge and I looked at the pages that couldn't be flushed and found\nthat the PTE was either cleared or for a swap page. Ignoring pages\nthat were swapped out seemed okay but pages with cleared PTEs seemed\nproblematic.\n\nI looked at routines related to pte_clear and noticed ptep_clear_flush.\nThe default implementation just flushes the TLB entry. However, it was\nobvious that on parisc we need to flush the cache page as well. If\nwe don't flush the cache page, stale lines will be left in the cache\nand cause random corruption. Once a PTE is cleared, there is no way\nto find the physical address associated with the PTE and flush the\nassociated page at a later time.\n\nI implemented an updated change with a parisc specific version of\nptep_clear_flush. It fixed the random data corruption on Helge's rp4440\nand rp3440, as well as on my c8000.\n\nAt this point, I realized that I could restore the code where we only\nflush in flush_cache_page_if_present if the page has been accessed.\nHowever, for this, we also need to flush the cache when the accessed\nbit is cleared in\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40918" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40927", + "dataSource": "https://ubuntu.com/security/CVE-2024-40927", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40927" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40927", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40927", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/26460c1afa311524f588e288a4941432f0de6228", + "https://git.kernel.org/stable/c/5ceac4402f5d975e5a01c806438eb4e554771577", + "https://git.kernel.org/stable/c/61593dc413c3655e4328a351555235bc3089486a", + "https://git.kernel.org/stable/c/633f72cb6124ecda97b641fbc119340bd88d51a9", + "https://git.kernel.org/stable/c/949be4ec5835e0ccb3e2a8ab0e46179cb5512518" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Handle TD clearing for multiple streams case\n\nWhen multiple streams are in use, multiple TDs might be in flight when\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\neach, to ensure everything is reset properly and the caches cleared.\nChange the logic so that any N>1 TDs found active for different streams\nare deferred until after the first one is processed, calling\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\nqueue another command until we are done with all of them. Also change\nthe error/\"should never happen\" paths to ensure we at least clear any\naffected TDs, even if we can't issue a command to clear the hardware\ncache, and complain loudly with an xhci_warn() if this ever happens.\n\nThis problem case dates back to commit e9df17eb1408 (\"USB: xhci: Correct\nassumptions about number of rings per endpoint.\") early on in the XHCI\ndriver's life, when stream support was first added.\nIt was then identified but not fixed nor made into a warning in commit\n674f8438c121 (\"xhci: split handling halted endpoints into two steps\"),\nwhich added a FIXME comment for the problem case (without materially\nchanging the behavior as far as I can tell, though the new logic made\nthe problem more obvious).\n\nThen later, in commit 94f339147fc3 (\"xhci: Fix failure to give back some\ncached cancelled URBs.\"), it was acknowledged again.\n\n[Mathias: commit 94f339147fc3 (\"xhci: Fix failure to give back some cached\ncancelled URBs.\") was a targeted regression fix to the previously mentioned\npatch. Users reported issues with usb stuck after unmounting/disconnecting\nUAS devices. This rolled back the TD clearing of multiple streams to its\noriginal state.]\n\nApparently the commit author was aware of the problem (yet still chose\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\nadded to log the problem condition, and the remaining issue was mentioned\nin the commit description. The choice of making the log type xhci_dbg()\nfor what is, at this point, a completely unhandled and known broken\ncondition is puzzling and unfortunate, as it guarantees that no actual\nusers would see the log in production, thereby making it nigh\nundebuggable (indeed, even if you turn on DEBUG, the message doesn't\nreally hint at there being a problem at all).\n\nIt took me *months* of random xHC crashes to finally find a reliable\nrepro and be able to do a deep dive debug session, which could all have\nbeen avoided had this unhandled, broken condition been actually reported\nwith a warning, as it should have been as a bug intentionally left in\nunfixed (never mind that it shouldn't have been left in at all).\n\n> Another fix to solve clearing the caches of all stream rings with\n> cancelled TDs is needed, but not as urgent.\n\n3 years after that statement and 14 years after the original bug was\nintroduced, I think it's finally time to fix it. And maybe next time\nlet's not leave bugs unfixed (that are actually worse than the original\nbug), and let's actually get people to review kernel commits please.\n\nFixes xHC crashes and IOMMU faults with UAS devices when handling\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.\nAt least in the case of JMicron controllers, the read errors end up\nhaving to cancel two TDs (for two queued requests to different streams)\nand the one that didn't get cleared properly ends up faulting the xHC\nentirely when it tries to access DMA pages that have since been unmapped,\nreferred to by the stale TDs. This normally happens quickly (after two\nor three loops). After this fix, I left the `cat` in a loop running\novernight and experienced no xHC failures, with all read errors\nrecovered properly. Repro'd and tested on an Apple M1 Mac Mini\n(dwc3 host).\n\nOn systems without an IOMMU, this bug would instead silently corrupt\nfreed memory, making this a\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40927" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40929", + "dataSource": "https://ubuntu.com/security/CVE-2024-40929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40929" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40929", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29a18d56bd64b95bd10bda4afda512558471382a", + "https://git.kernel.org/stable/c/3c4771091ea8016c8601399078916f722dd8833b", + "https://git.kernel.org/stable/c/60d62757df30b74bf397a2847a6db7385c6ee281", + "https://git.kernel.org/stable/c/62e007bdeb91c6879a4652c3426aef1cd9d2937b", + "https://git.kernel.org/stable/c/9e719ae3abad60e245ce248ba3f08148f375a614", + "https://git.kernel.org/stable/c/f777792952d03bbaf8329fdfa99393a5a33e2640" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: check n_ssids before accessing the ssids\n\nIn some versions of cfg80211, the ssids poinet might be a valid one even\nthough n_ssids is 0. Accessing the pointer in this case will cuase an\nout-of-bound access. Fix this by checking n_ssids first.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40931", + "dataSource": "https://ubuntu.com/security/CVE-2024-40931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40931" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40931", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/208cd22ef5e57f82d38ec11c1a1703f9401d6dde", + "https://git.kernel.org/stable/c/7b9c7fc8600b64a86e4b47b2d190bba380267726", + "https://git.kernel.org/stable/c/8031b58c3a9b1db3ef68b3bd749fbee2e1e1aaa3", + "https://git.kernel.org/stable/c/ef473bf1dd7e8dd08bcc04b9e2d1bfed69a0a7ce", + "https://git.kernel.org/stable/c/f03c46eabb3a67bd2993e237ab5517f00a5f1813", + "https://git.kernel.org/stable/c/f1f0a46f8bb8890b90ab7194f0a0c8fe2a3fb57f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_una is properly initialized on connect\n\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\n\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40932", + "dataSource": "https://ubuntu.com/security/CVE-2024-40932", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40932" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40932", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40932", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0acc356da8546b5c55aabfc2e2c5caa0ac9b0003", + "https://git.kernel.org/stable/c/38e3825631b1f314b21e3ade00b5a4d737eb054e", + "https://git.kernel.org/stable/c/540ca99729e28dbe902b01039a3b4bd74520a819", + "https://git.kernel.org/stable/c/777838c9b571674ef14dbddf671f372265879226", + "https://git.kernel.org/stable/c/a269c5701244db2722ae0fce5d1854f5d8f31224", + "https://git.kernel.org/stable/c/cb3ac233434dba130281db330c4b15665b2d2c4d", + "https://git.kernel.org/stable/c/dcba6bedb439581145d8aa6b0925209f23184ae1", + "https://git.kernel.org/stable/c/ebcf81504fef03f701b9711e43fea4fe2d82ebc8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos/vidi: fix memory leak in .get_modes()\n\nThe duplicated EDID is never freed. Fix it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40932" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40934", + "dataSource": "https://ubuntu.com/security/CVE-2024-40934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40934" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40934", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/15122dc140d82c51c216535c57b044c4587aae45", + "https://git.kernel.org/stable/c/1df2ead5dfad5f8f92467bd94889392d53100b98", + "https://git.kernel.org/stable/c/789c99a1d7d2c8f6096d75fc2930505840ec9ea0", + "https://git.kernel.org/stable/c/a0503757947f2e46e59c1962326b53b3208c8213", + "https://git.kernel.org/stable/c/caa9c9acb93db7ad7b74b157cf101579bac9596d", + "https://git.kernel.org/stable/c/ce3af2ee95170b7d9e15fff6e500d67deab1e7b3", + "https://git.kernel.org/stable/c/f677ca8cfefee2a729ca315f660cd4868abdf8de" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()\n\nFix a memory leak on logi_dj_recv_send_report() error path.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40937", + "dataSource": "https://ubuntu.com/security/CVE-2024-40937", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40937" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40937", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40937", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037", + "https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e", + "https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc", + "https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50", + "https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Clear napi->skb before dev_kfree_skb_any()\n\ngve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it\nis freed with dev_kfree_skb_any(). This can result in a subsequent call\nto napi_get_frags returning a dangling pointer.\n\nFix this by clearing napi->skb before the skb is freed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40937" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40941", + "dataSource": "https://ubuntu.com/security/CVE-2024-40941", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40941" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40941", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40941", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/15b37c6fab9d5e40ac399fa1c725118588ed649c", + "https://git.kernel.org/stable/c/46c59a25337049a2a230ce7f7c3b9f21d0aaaad7", + "https://git.kernel.org/stable/c/4bb95f4535489ed830cf9b34b0a891e384d1aee4", + "https://git.kernel.org/stable/c/6532f18e66b384b8d4b7e5c9caca042faaa9e8de", + "https://git.kernel.org/stable/c/65686118845d427df27ee83a6ddd4885596b0805", + "https://git.kernel.org/stable/c/a05018739a5e6b9dc112c95bd4c59904062c8940", + "https://git.kernel.org/stable/c/a8bc8276af9aeacabb773f0c267cfcdb847c6f2d", + "https://git.kernel.org/stable/c/acdfa33c3cf5e1cd185cc1e0486bd0ea9f09c154" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don't read past the mfuart notifcation\n\nIn case the firmware sends a notification that claims it has more data\nthan it has, we will read past that was allocated for the notification.\nRemove the print of the buffer, we won't see it by default. If needed,\nwe can see the content with tracing.\n\nThis was reported by KFENCE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40941" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40942", + "dataSource": "https://ubuntu.com/security/CVE-2024-40942", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40942" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40942", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40942", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/377dbb220edc8421b7960691876c5b3bef62f89b", + "https://git.kernel.org/stable/c/617dadbfb2d3e152c5753e28356d189c9d6f33c0", + "https://git.kernel.org/stable/c/63d5f89bb5664d60edbf8cf0df911aaae8ed96a4", + "https://git.kernel.org/stable/c/7518e20a189f8659b8b83969db4d33a4068fcfc3", + "https://git.kernel.org/stable/c/b7d7f11a291830fdf69d3301075dd0fb347ced84", + "https://git.kernel.org/stable/c/c4c865f971fd4a255208f57ef04d814c2ae9e0dc", + "https://git.kernel.org/stable/c/d81e244af521de63ad2883e17571b789c39b6549", + "https://git.kernel.org/stable/c/ec79670eae430b3ffb7e0a6417ad7657728b8f95" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: mesh: Fix leak of mesh_preq_queue objects\n\nThe hwmp code use objects of type mesh_preq_queue, added to a list in\nieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath\ngets deleted, ex mesh interface is removed, the entries in that list will\nnever get cleaned. Fix this by flushing all corresponding items of the\npreq_queue in mesh_path_flush_pending().\n\nThis should take care of KASAN reports like this:\n\nunreferenced object 0xffff00000668d800 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419552 (age 1836.444s)\n hex dump (first 32 bytes):\n 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....\n 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........\n backtrace:\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n [<00000000b36425d1>] worker_thread+0x9c/0x634\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\n [<000000005fccd770>] ret_from_fork+0x10/0x20\nunreferenced object 0xffff000009051f00 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419553 (age 1836.440s)\n hex dump (first 32 bytes):\n 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....\n 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....\n backtrace:\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n [<00000000b36425d1>] worker_thread+0x9c/0x634\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\n [<000000005fccd770>] ret_from_fork+0x10/0x20", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40942" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40943", + "dataSource": "https://ubuntu.com/security/CVE-2024-40943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40943", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/050ce8af6838c71e872e982b50d3f1bec21da40e", + "https://git.kernel.org/stable/c/117b9c009b72a6c2ebfd23484354dfee2d9570d2", + "https://git.kernel.org/stable/c/38825ff9da91d2854dcf6d9ac320a7e641e10f25", + "https://git.kernel.org/stable/c/3c26b5d21b1239e9c7fd31ba7d9b2d7bdbaa68d9", + "https://git.kernel.org/stable/c/3c361f313d696df72f9bccf058510e9ec737b9b1", + "https://git.kernel.org/stable/c/952b023f06a24b2ad6ba67304c4c84d45bea2f18", + "https://git.kernel.org/stable/c/e8e2db1adac47970a6a9225f3858e9aa0e86287f", + "https://git.kernel.org/stable/c/ea042dc2bea19d72e37c298bf65a9c341ef3fff3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix races between hole punching and AIO+DIO\n\nAfter commit \"ocfs2: return real error code in ocfs2_dio_wr_get_block\",\nfstests/generic/300 become from always failed to sometimes failed:\n\n========================================================================\n[ 473.293420 ] run fstests generic/300\n\n[ 475.296983 ] JBD2: Ignoring recovery information on journal\n[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.\n[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found\n[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.\n[ 494.292018 ] OCFS2: File system is now read-only.\n[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30\n[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3\nfio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072\n=========================================================================\n\nIn __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten\nextents to a list. extents are also inserted into extent tree in\nocfs2_write_begin_nolock. Then another thread call fallocate to puch a\nhole at one of the unwritten extent. The extent at cpos was removed by\nocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list\nfound there is no such extent at the cpos.\n\n T1 T2 T3\n inode lock\n ...\n insert extents\n ...\n inode unlock\nocfs2_fallocate\n __ocfs2_change_file_space\n inode lock\n lock ip_alloc_sem\n ocfs2_remove_inode_range inode\n ocfs2_remove_btree_range\n ocfs2_remove_extent\n ^---remove the extent at cpos 78723\n ...\n unlock ip_alloc_sem\n inode unlock\n ocfs2_dio_end_io\n ocfs2_dio_end_io_write\n lock ip_alloc_sem\n ocfs2_mark_extent_written\n ocfs2_change_extent_flag\n ocfs2_search_extent_list\n ^---failed to find extent\n ...\n unlock ip_alloc_sem\n\nIn most filesystems, fallocate is not compatible with racing with AIO+DIO,\nso fix it by adding to wait for all dio before fallocate/punch_hole like\next4.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40943" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40945", + "dataSource": "https://ubuntu.com/security/CVE-2024-40945", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40945" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40945", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40945", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2973b8e7d127754de9013177c41c0b5547406998", + "https://git.kernel.org/stable/c/61a96da9649a6b6a1a5d5bde9374b045fdb5c12e", + "https://git.kernel.org/stable/c/700f564758882db7c039dfba9443fe762561a3f8", + "https://git.kernel.org/stable/c/7388ae6f26c0ba95f70cc96bf9c5d5cb06c908b6", + "https://git.kernel.org/stable/c/89e8a2366e3bce584b6c01549d5019c5cda1205e", + "https://git.kernel.org/stable/c/cf34f8f66982a36e5cba0d05781b21ec9606b91e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Return right value in iommu_sva_bind_device()\n\niommu_sva_bind_device() should return either a sva bond handle or an\nERR_PTR value in error cases. Existing drivers (idxd and uacce) only\ncheck the return value with IS_ERR(). This could potentially lead to\na kernel NULL pointer dereference issue if the function returns NULL\ninstead of an error pointer.\n\nIn reality, this doesn't cause any problems because iommu_sva_bind_device()\nonly returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.\nIn this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will\nreturn an error, and the device drivers won't call iommu_sva_bind_device()\nat all.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40945" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40953", + "dataSource": "https://ubuntu.com/security/CVE-2024-40953", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40953" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40953", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40953", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb", + "https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c", + "https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60", + "https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\n\nUse {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the\nloads and stores are atomic. In the extremely unlikely scenario the\ncompiler tears the stores, it's theoretically possible for KVM to attempt\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\n257 vCPUs:\n\n CPU0 CPU1\n last_boosted_vcpu = 0xff;\n\n (last_boosted_vcpu = 0x100)\n last_boosted_vcpu[15:8] = 0x01;\n i = (last_boosted_vcpu = 0x1ff)\n last_boosted_vcpu[7:0] = 0x00;\n\n vcpu = kvm->vcpu_array[0x1ff];\n\nAs detected by KCSAN:\n\n BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\n\n write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t arch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t\tarch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n value changed: 0x00000012 -> 0x00000000", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40953" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40954", + "dataSource": "https://ubuntu.com/security/CVE-2024-40954", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40954" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40954", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40954", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/454c454ed645fed051216b79622f7cb69c1638f5", + "https://git.kernel.org/stable/c/5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9", + "https://git.kernel.org/stable/c/6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2", + "https://git.kernel.org/stable/c/78e4aa528a7b1204219d808310524344f627d069", + "https://git.kernel.org/stable/c/893eeba94c40d513cd0fe6539330ebdaea208c0e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not leave a dangling sk pointer, when socket creation fails\n\nIt is possible to trigger a use-after-free by:\n * attaching an fentry probe to __sock_release() and the probe calling the\n bpf_get_socket_cookie() helper\n * running traceroute -I 1.1.1.1 on a freshly booted VM\n\nA KASAN enabled kernel will log something like below (decoded and stripped):\n==================================================================\nBUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nRead of size 8 at addr ffff888007110dd8 by task traceroute/299\n\nCPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\nprint_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_report (mm/kasan/report.c:603)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)\n__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nbpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)\nbpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e\nbpf_trampoline_6442506592+0x47/0xaf\n__sock_release (net/socket.c:652)\n__sock_create (net/socket.c:1601)\n...\nAllocated by task 299 on cpu 2 at 78.328492s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\n__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)\nkmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)\nsk_prot_alloc (net/core/sock.c:2075)\nsk_alloc (net/core/sock.c:2134)\ninet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFreed by task 299 on cpu 2 at 78.328502s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\nkasan_save_free_info (mm/kasan/generic.c:582)\npoison_slab_object (mm/kasan/common.c:242)\n__kasan_slab_free (mm/kasan/common.c:256)\nkmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)\n__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)\ninet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by clearing the struct socket reference in sk_common_release() to cover\nall protocol families create functions, which may already attached the\nreference to the sk object with sock_init_data().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40954" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40956", + "dataSource": "https://ubuntu.com/security/CVE-2024-40956", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40956" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40956", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40956", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1b08bf5a17c66ab7dbb628df5344da53c8e7ab33", + "https://git.kernel.org/stable/c/83163667d881100a485b6c2daa30301b7f68d9b5", + "https://git.kernel.org/stable/c/a14968921486793f2a956086895c3793761309dd", + "https://git.kernel.org/stable/c/e3215deca4520773cd2b155bed164c12365149a7", + "https://git.kernel.org/stable/c/faa35db78b058a2ab6e074ee283f69fa398c36a8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list\n\nUse list_for_each_entry_safe() to allow iterating through the list and\ndeleting the entry in the iteration process. The descriptor is freed via\nidxd_desc_complete() and there's a slight chance may cause issue for\nthe list iterator when the descriptor is reused by another thread\nwithout it being deleted from the list.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40956" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40957", + "dataSource": "https://ubuntu.com/security/CVE-2024-40957", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40957" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40957", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40957", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c", + "https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779", + "https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d", + "https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6", + "https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\n\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\ndereference, as below:\n\n [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\n [74830.655633] #PF: supervisor read access in kernel mode\n [74830.657888] #PF: error_code(0x0000) - not-present page\n [74830.659500] PGD 0 P4D 0\n [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\n ...\n [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n ...\n [74830.689725] Call Trace:\n [74830.690402] \n [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df\n [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df\n [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]\n [74830.694275] ? __die_body.cold+0x8/0xd\n [74830.695205] ? page_fault_oops+0xac/0x140\n [74830.696244] ? exc_page_fault+0x62/0x150\n [74830.697225] ? asm_exc_page_fault+0x22/0x30\n [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n [74830.699540] ipt_do_table+0x286/0x710 [ip_tables]\n [74830.700758] ? ip6_route_input+0x19d/0x240\n [74830.701752] nf_hook_slow+0x3f/0xb0\n [74830.702678] input_action_end_dx4+0x19b/0x1e0\n [74830.703735] ? input_action_end_t+0xe0/0xe0\n [74830.704734] seg6_local_input_core+0x2d/0x60\n [74830.705782] lwtunnel_input+0x5b/0xb0\n [74830.706690] __netif_receive_skb_one_core+0x63/0xa0\n [74830.707825] process_backlog+0x99/0x140\n [74830.709538] __napi_poll+0x2c/0x160\n [74830.710673] net_rx_action+0x296/0x350\n [74830.711860] __do_softirq+0xcb/0x2ac\n [74830.713049] do_softirq+0x63/0x90\n\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\ntrigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():\n\n static bool\n rpfilter_is_loopback(const struct sk_buff *skb,\n \t const struct net_device *in)\n {\n // in is NULL\n return skb->pkt_type == PACKET_LOOPBACK ||\n \t in->flags & IFF_LOOPBACK;\n }", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40957" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40958", + "dataSource": "https://ubuntu.com/security/CVE-2024-40958", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40958" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40958", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40958", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef", + "https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b", + "https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55", + "https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b", + "https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940", + "https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876", + "https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetns: Make get_net_ns() handle zero refcount net\n\nSyzkaller hit a warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0\nModules linked in:\nCPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xdf/0x1d0\nCode: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1\nRSP: 0018:ffff8881067b7da0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac\nRDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001\nRBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139\nR10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4\nR13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040\nFS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ? show_regs+0xa3/0xc0\n ? __warn+0xa5/0x1c0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? report_bug+0x1fc/0x2d0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? handle_bug+0xa1/0x110\n ? exc_invalid_op+0x3c/0xb0\n ? asm_exc_invalid_op+0x1f/0x30\n ? __warn_printk+0xcc/0x140\n ? __warn_printk+0xd5/0x140\n ? refcount_warn_saturate+0xdf/0x1d0\n get_net_ns+0xa4/0xc0\n ? __pfx_get_net_ns+0x10/0x10\n open_related_ns+0x5a/0x130\n __tun_chr_ioctl+0x1616/0x2370\n ? __sanitizer_cov_trace_switch+0x58/0xa0\n ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30\n ? __pfx_tun_chr_ioctl+0x10/0x10\n tun_chr_ioctl+0x2f/0x40\n __x64_sys_ioctl+0x11b/0x160\n x64_sys_call+0x1211/0x20d0\n do_syscall_64+0x9e/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5b28f165d7\nCode: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8\nRSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7\nRDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003\nRBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0\nR10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730\nR13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000\n \nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nThis is trigger as below:\n ns0 ns1\ntun_set_iff() //dev is tun0\n tun->dev = dev\n//ip link set tun0 netns ns1\n put_net() //ref is 0\n__tun_chr_ioctl() //TUNGETDEVNETNS\n net = dev_net(tun->dev);\n open_related_ns(&net->ns, get_net_ns); //ns1\n get_net_ns()\n get_net() //addition on 0\n\nUse maybe_get_net() in get_net_ns in case net's ref is zero to fix this", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40958" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40959", + "dataSource": "https://ubuntu.com/security/CVE-2024-40959", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40959" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40959", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40959", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/20427b85781aca0ad072851f6907a3d4b2fed8d1", + "https://git.kernel.org/stable/c/600a62b4232ac027f788c3ca395bc2333adeaacf", + "https://git.kernel.org/stable/c/83c02fb2cc0afee5bb53cddf3f34f045f654ad6a", + "https://git.kernel.org/stable/c/9f30f1f1a51d91e19f5a09236bb0b59e6a07ad08", + "https://git.kernel.org/stable/c/c71761292d4d002a8eccb57b86792c4e3b3eb3c7", + "https://git.kernel.org/stable/c/caf0bec84c62fb1cf6f7c9f0e8c857c87f8adbc3", + "https://git.kernel.org/stable/c/d46401052c2d5614da8efea5788532f0401cb164", + "https://git.kernel.org/stable/c/f897d7171652fcfc76d042bfec798b010ee89e41" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()\n\nip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.\n\nsyzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: wg-kex-wg1 wg_packet_handshake_send_worker\n RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64\nCode: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00\nRSP: 0018:ffffc90000117378 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7\nRDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98\nRBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000\nR10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]\n xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]\n xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541\n xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835\n xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]\n xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201\n xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]\n xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309\n ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256\n send6+0x611/0xd20 drivers/net/wireguard/socket.c:139\n wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178\n wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200\n wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40\n wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40959" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40960", + "dataSource": "https://ubuntu.com/security/CVE-2024-40960", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40960" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40960", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40960", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1ed9849fdf9a1a617129346b11d2094ca26828dc", + "https://git.kernel.org/stable/c/51ee2f7c30790799d0ec30c0ce0c743e58f046f2", + "https://git.kernel.org/stable/c/569c9d9ea6648d099187527b93982f406ddcebc0", + "https://git.kernel.org/stable/c/6eed6d3cd19ff3cfa83aeceed86da14abaf7417b", + "https://git.kernel.org/stable/c/73e7c8ca6ad76f29b2c99c20845a6f3b203ff0c6", + "https://git.kernel.org/stable/c/b86762dbe19a62e785c189f313cda5b989931f37", + "https://git.kernel.org/stable/c/d66fc4826127c82f99c4033380f8e93833d331c7", + "https://git.kernel.org/stable/c/f0cda984e4e634b221dbf9642b8ecc5b4806b41e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL dereference in rt6_probe()\n\nsyzbot caught a NULL dereference in rt6_probe() [1]\n\nBail out if __in6_dev_get() returns NULL.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]\nCPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]\n RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758\nCode: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19\nRSP: 0018:ffffc900034af070 EFLAGS: 00010203\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000\nRDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c\nRBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a\nR13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000\nFS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784\n nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496\n __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825\n find_rr_leaf net/ipv6/route.c:853 [inline]\n rt6_select net/ipv6/route.c:897 [inline]\n fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195\n ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231\n pol_lookup_func include/net/ip6_fib.h:616 [inline]\n fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121\n ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]\n ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651\n ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147\n ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250\n rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898\n inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n sock_write_iter+0x4b8/0x5c0 net/socket.c:1160\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x6b6/0x1140 fs/read_write.c:590\n ksys_write+0x1f8/0x260 fs/read_write.c:643\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40960" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40961", + "dataSource": "https://ubuntu.com/security/CVE-2024-40961", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40961" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40961", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40961", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2eab4543a2204092c3a7af81d7d6c506e59a03a6", + "https://git.kernel.org/stable/c/3200ffeec4d59aad5bc9ca75d2c1fae47c0aeade", + "https://git.kernel.org/stable/c/4cdfe813015d5a24586bd0a84fa0fa6eb0a1f668", + "https://git.kernel.org/stable/c/88b9a55e2e35ea846d41f4efdc29d23345bd1aa4", + "https://git.kernel.org/stable/c/ae8d3d39efe366c2198f530e01e4bf07830bf403", + "https://git.kernel.org/stable/c/b6947723c9eabcab58cfb33cdb0a565a6aee6727", + "https://git.kernel.org/stable/c/de5ad4d45cd0128a2a37555f48ab69aa19d78adc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL deref in fib6_nh_init()\n\nsyzbot reminds us that in6_dev_get() can return NULL.\n\nfib6_nh_init()\n ip6_validate_gw( &idev )\n ip6_route_check_nh( idev )\n *idev = in6_dev_get(dev); // can be NULL\n\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606\nCode: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b\nRSP: 0018:ffffc900032775a0 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8\nRBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000\nR10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8\nR13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000\nFS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809\n ip6_route_add+0x28/0x160 net/ipv6/route.c:3853\n ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483\n inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f940f07cea9", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40961" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40963", + "dataSource": "https://ubuntu.com/security/CVE-2024-40963", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40963" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40963", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40963", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10afe5f7d30f6fe50c2b1177549d0e04921fc373", + "https://git.kernel.org/stable/c/2cd4854ef14a487bcfb76c7980675980cad27b52", + "https://git.kernel.org/stable/c/36d771ce6028b886e18a4a8956a5d23688e4e13d", + "https://git.kernel.org/stable/c/6c0f6ccd939166f56a904c792d7fcadae43b9085", + "https://git.kernel.org/stable/c/89167072fd249e5f23ae2f8093f87da5925cef27", + "https://git.kernel.org/stable/c/ce5cdd3b05216b704a704f466fb4c2dff3778caf", + "https://git.kernel.org/stable/c/da895fd6da438af8d9326b8f02d715a9c76c3b5b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: bmips: BCM6358: make sure CBR is correctly set\n\nIt was discovered that some device have CBR address set to 0 causing\nkernel panic when arch_sync_dma_for_cpu_all is called.\n\nThis was notice in situation where the system is booted from TP1 and\nBMIPS_GET_CBR() returns 0 instead of a valid address and\n!!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.\n\nThe current check whether RAC flush should be disabled or not are not\nenough hence lets check if CBR is a valid address or not.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40963" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40965", + "dataSource": "https://ubuntu.com/security/CVE-2024-40965", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40965" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40965", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40965", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b42e9587a7a9c7b824e0feb92958f258263963e", + "https://git.kernel.org/stable/c/4268254a39484fc11ba991ae148bacbe75d9cc0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: lpi2c: Avoid calling clk_get_rate during transfer\n\nInstead of repeatedly calling clk_get_rate for each transfer, lock\nthe clock rate and cache the value.\nA deadlock has been observed while adding tlv320aic32x4 audio codec to\nthe system. When this clock provider adds its clock, the clk mutex is\nlocked already, it needs to access i2c, which in return needs the mutex\nfor clk_get_rate as well.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40965" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40966", + "dataSource": "https://ubuntu.com/security/CVE-2024-40966", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40966" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40966", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40966", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/287b569a5b914903ba7c438a3c0dbc3410ebb409", + "https://git.kernel.org/stable/c/3c6332f3bb1578b5b10ac2561247b1d6272ae937", + "https://git.kernel.org/stable/c/5920ac19964f9e20181f63b410d9200ddbf8dc86", + "https://git.kernel.org/stable/c/6bd23e0c2bb6c65d4f5754d1456bc9a4427fc59b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: add the option to have a tty reject a new ldisc\n\n... and use it to limit the virtual terminals to just N_TTY. They are\nkind of special, and in particular, the \"con_write()\" routine violates\nthe \"writes cannot sleep\" rule that some ldiscs rely on.\n\nThis avoids the\n\n BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659\n\nwhen N_GSM has been attached to a virtual console, and gsmld_write()\ncalls con_write() while holding a spinlock, and con_write() then tries\nto get the console lock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40966" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40967", + "dataSource": "https://ubuntu.com/security/CVE-2024-40967", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40967" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40967", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40967", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/53b2c95547427c358f45515a9f144efee95e3701", + "https://git.kernel.org/stable/c/7f2b9ab6d0b26f16cd38dd9fd91d51899635f7c7", + "https://git.kernel.org/stable/c/7f9e70c68b7ace0141fe3bc94bf7b61296b71916", + "https://git.kernel.org/stable/c/982ae3376c4c91590d38dc8a676c10f7df048a44", + "https://git.kernel.org/stable/c/e533e4c62e9993e62e947ae9bbec34e4c7ae81c2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: imx: Introduce timeout when waiting on transmitter empty\n\nBy waiting at most 1 second for USR2_TXDC to be set, we avoid a potential\ndeadlock.\n\nIn case of the timeout, there is not much we can do, so we simply ignore\nthe transmitter state and optimistically try to continue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40967" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40968", + "dataSource": "https://ubuntu.com/security/CVE-2024-40968", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40968" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40968", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40968", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c33fd17383f48f679186c54df78542106deeaa0", + "https://git.kernel.org/stable/c/25998f5613159fe35920dbd484fcac7ea3ad0799", + "https://git.kernel.org/stable/c/29b83a64df3b42c88c0338696feb6fdcd7f1f3b7", + "https://git.kernel.org/stable/c/38d647d509543e9434b3cc470b914348be271fe9", + "https://git.kernel.org/stable/c/64845ac64819683ad5e51b668b2ed56ee3386aee", + "https://git.kernel.org/stable/c/6bff05aaa32c2f7e1f6e68e890876642159db419", + "https://git.kernel.org/stable/c/6c1b9fe148a4e03bbfa234267ebb89f35285814a", + "https://git.kernel.org/stable/c/d996deb80398a90dd3c03590e68dad543da87d62" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: Octeon: Add PCIe link status check\n\nThe standard PCIe configuration read-write interface is used to\naccess the configuration space of the peripheral PCIe devices\nof the mips processor after the PCIe link surprise down, it can\ngenerate kernel panic caused by \"Data bus error\". So it is\nnecessary to add PCIe link status check for system protection.\nWhen the PCIe link is down or in training, assigning a value\nof 0 to the configuration address can prevent read-write behavior\nto the configuration space of peripheral PCIe devices, thereby\npreventing kernel panic.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40968" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40969", + "dataSource": "https://ubuntu.com/security/CVE-2024-40969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40969" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40969", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a", + "https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7", + "https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: don't set RO when shutting down f2fs\n\nShutdown does not check the error of thaw_super due to readonly, which\ncauses a deadlock like below.\n\nf2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread\n - bdev_freeze\n - freeze_super\n - f2fs_stop_checkpoint()\n - f2fs_handle_critical_error - sb_start_write\n - set RO - waiting\n - bdev_thaw\n - thaw_super_locked\n - return -EINVAL, if sb_rdonly()\n - f2fs_stop_discard_thread\n -> wait for kthread_stop(discard_thread);", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40969" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40970", + "dataSource": "https://ubuntu.com/security/CVE-2024-40970", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40970" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40970", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40970", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/333e11bf47fa8d477db90e2900b1ed3c9ae9b697", + "https://git.kernel.org/stable/c/7c3bb96a20cd8db3b8824b2ff08b6cde4505c7e5", + "https://git.kernel.org/stable/c/9004784e8d68bcd1ac1376407ba296fa28f04dbe", + "https://git.kernel.org/stable/c/dd42570018f5962c10f215ad9c21274ed5d3541e", + "https://git.kernel.org/stable/c/e151ae1ee065cf4b8ce4394ddb9d9c8df6370c66" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nAvoid hw_desc array overrun in dw-axi-dmac\n\nI have a use case where nr_buffers = 3 and in which each descriptor is composed by 3\nsegments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()\nhandles the hw_desc considering the descs_allocated, this scenario would result in a\nkernel panic (hw_desc array will be overrun).\n\nTo fix this, the proposal is to add a new member to the axi_dma_desc structure,\nwhere we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in\naxi_desc_put() to handle the hw_desc array correctly.\n\nAdditionally I propose to remove the axi_chan_start_first_queued() call after completing\nthe transfer, since it was identified that unbalance can occur (started descriptors can\nbe interrupted and transfer ignored due to DMA channel not being enabled).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40970" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40971", + "dataSource": "https://ubuntu.com/security/CVE-2024-40971", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40971" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40971", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40971", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/38a82c8d00638bb642bef787eb1d5e0e4d3b7d71", + "https://git.kernel.org/stable/c/724429db09e21ee153fef35e34342279d33df6ae", + "https://git.kernel.org/stable/c/a9cea0489c562c97cd56bb345e78939f9909e7f4", + "https://git.kernel.org/stable/c/ac5eecf481c29942eb9a862e758c0c8b68090c33", + "https://git.kernel.org/stable/c/ae39c8ec4250d2a35ddaab1c40faacfec306ff66", + "https://git.kernel.org/stable/c/eddeb8d941d5be11a9da5637dbe81ac37e8449a2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: remove clear SB_INLINECRYPT flag in default_options\n\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\nIf create new file or open file during this gap, these files\nwill not use inlinecrypt. Worse case, it may lead to data\ncorruption if wrappedkey_v0 is enable.\n\nThread A: Thread B:\n\n-f2fs_remount\t\t\t\t-f2fs_file_open or f2fs_new_inode\n -default_options\n\t<- clear SB_INLINECRYPT flag\n\n -fscrypt_select_encryption_impl\n\n -parse_options\n\t<- set SB_INLINECRYPT again", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40971" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40972", + "dataSource": "https://ubuntu.com/security/CVE-2024-40972", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40972" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40972", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40972", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a46ef234756dca04623b7591e8ebb3440622f0b", + "https://git.kernel.org/stable/c/111103907234bffd0a34fba070ad9367de058752", + "https://git.kernel.org/stable/c/737fb7853acd5bc8984f6f42e4bfba3334be8ae1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: do not create EA inode under buffer lock\n\next4_xattr_set_entry() creates new EA inodes while holding buffer lock\non the external xattr block. This is problematic as it nests all the\nallocation locking (which acquires locks on other buffers) under the\nbuffer lock. This can even deadlock when the filesystem is corrupted and\ne.g. quota file is setup to contain xattr block as data block. Move the\nallocation of EA inode out of ext4_xattr_set_entry() into the callers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40972" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40973", + "dataSource": "https://ubuntu.com/security/CVE-2024-40973", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40973" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40973", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40973", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3a693c7e243b932faee5c1fb728efa73f0abc39b", + "https://git.kernel.org/stable/c/53dbe08504442dc7ba4865c09b3bbf5fe849681b", + "https://git.kernel.org/stable/c/f066882293b5ad359e44c4ed24ab1811ffb0b354" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-vcodec: potential null pointer deference in SCP\n\nThe return value of devm_kzalloc() needs to be checked to avoid\nNULL pointer deference. This is similar to CVE-2022-3113.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40973" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40974", + "dataSource": "https://ubuntu.com/security/CVE-2024-40974", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40974" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40974", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40974", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19c166ee42cf16d8b156a6cb4544122d9a65d3ca", + "https://git.kernel.org/stable/c/262e942ff5a839b9e4f3302a8987928b0c8b8a2d", + "https://git.kernel.org/stable/c/3ad0034910a57aa88ed9976b1431b7b8c84e0048", + "https://git.kernel.org/stable/c/8aa11aa001576bf3b00dcb8559564ad7a3113588", + "https://git.kernel.org/stable/c/a8c988d752b3d98d5cc1e3929c519a55ef55426c", + "https://git.kernel.org/stable/c/aa6107dcc4ce9a3451f2d729204713783b657257", + "https://git.kernel.org/stable/c/acf2b80c31c37acab040baa3cf5f19fbd5140b18", + "https://git.kernel.org/stable/c/ff2e185cf73df480ec69675936c4ee75a445c3e4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Enforce hcall result buffer validity and size\n\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\nprovide valid result buffers of certain minimum size. Currently this\nis communicated only through comments in the code and the compiler has\nno idea.\n\nFor example, if I write a bug like this:\n\n long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\n plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\n\nThis compiles with no diagnostics emitted, but likely results in stack\ncorruption at runtime when plpar_hcall9() stores results past the end\nof the array. (To be clear this is a contrived example and I have not\nfound a real instance yet.)\n\nTo make this class of error less likely, we can use explicitly-sized\narray parameters instead of pointers in the declarations for the hcall\nAPIs. When compiled with -Warray-bounds[1], the code above now\nprovokes a diagnostic like this:\n\nerror: array argument is too small;\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\n 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\n | ^ ~~~~~~\n\n[1] Enabled for LLVM builds but not GCC for now. See commit\n 0da6e5fd6c37 (\"gcc: disable '-Warray-bounds' for gcc-13 too\") and\n related changes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40974" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40975", + "dataSource": "https://ubuntu.com/security/CVE-2024-40975", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40975" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40975", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40975", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3de0f2627ef849735f155c1818247f58404dddfe", + "https://git.kernel.org/stable/c/f0c982853d665597d17e4995ff479fbbf79a9cf6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: x86-android-tablets: Unregister devices in reverse order\n\nNot all subsystems support a device getting removed while there are\nstill consumers of the device with a reference to the device.\n\nOne example of this is the regulator subsystem. If a regulator gets\nunregistered while there are still drivers holding a reference\na WARN() at drivers/regulator/core.c:5829 triggers, e.g.:\n\n WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister\n Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015\n RIP: 0010:regulator_unregister\n Call Trace:\n \n regulator_unregister\n devres_release_group\n i2c_device_remove\n device_release_driver_internal\n bus_remove_device\n device_del\n device_unregister\n x86_android_tablet_remove\n\nOn the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides\na 5V boost converter output for powering USB devices connected to the micro\nUSB port, the bq24190-charger driver exports this as a Vbus regulator.\n\nOn the 830 (8\") and 1050 (\"10\") models this regulator is controlled by\na platform_device and x86_android_tablet_remove() removes platform_device-s\nbefore i2c_clients so the consumer gets removed first.\n\nBut on the 1380 (13\") model there is a lc824206xa micro-USB switch\nconnected over I2C and the extcon driver for that controls the regulator.\nThe bq24190 i2c-client *must* be registered first, because that creates\nthe regulator with the lc824206xa listed as its consumer. If the regulator\nhas not been registered yet the lc824206xa driver will end up getting\na dummy regulator.\n\nSince in this case both the regulator provider and consumer are I2C\ndevices, the only way to ensure that the consumer is unregistered first\nis to unregister the I2C devices in reverse order of in which they were\ncreated.\n\nFor consistency and to avoid similar problems in the future change\nx86_android_tablet_remove() to unregister all device types in reverse\norder.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40975" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40976", + "dataSource": "https://ubuntu.com/security/CVE-2024-40976", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40976" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40976", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40976", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a", + "https://git.kernel.org/stable/c/58bfd311c93d66d8282bf21ebbf35cc3bb8ad9db", + "https://git.kernel.org/stable/c/70aa1f2dec46b6fdb5f6b9f37b6bfa4a4dee0d3a", + "https://git.kernel.org/stable/c/9fd8ddd23793a50dbcd11c6ba51f437f1ea7d344", + "https://git.kernel.org/stable/c/a421cc7a6a001b70415aa4f66024fa6178885a14", + "https://git.kernel.org/stable/c/bdbc4ca77f5eaac15de7230814253cddfed273b1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: mask irqs in timeout path before hard reset\n\nThere is a race condition in which a rendering job might take just long\nenough to trigger the drm sched job timeout handler but also still\ncomplete before the hard reset is done by the timeout handler.\nThis runs into race conditions not expected by the timeout handler.\nIn some very specific cases it currently may result in a refcount\nimbalance on lima_pm_idle, with a stack dump such as:\n\n[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669628] Call trace:\n[10136.669634] lima_devfreq_record_idle+0xa0/0xb0\n[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0\n[10136.669656] lima_gp_irq_handler+0xa8/0x120\n[10136.669666] __handle_irq_event_percpu+0x48/0x160\n[10136.669679] handle_irq_event+0x4c/0xc0\n\nWe can prevent that race condition entirely by masking the irqs at the\nbeginning of the timeout handler, at which point we give up on waiting\nfor that job entirely.\nThe irqs will be enabled again at the next hard reset which is already\ndone as a recovery by the timeout handler.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40976" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40977", + "dataSource": "https://ubuntu.com/security/CVE-2024-40977", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40977" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40977", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40977", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0b81faa05b0b9feb3ae2d69be1d21f0d126ecb08", + "https://git.kernel.org/stable/c/85edd783f4539a994d66c4c014d5858f490b7a02", + "https://git.kernel.org/stable/c/e974dd4c22a23ec3ce579fb6d31a674ac0435da9", + "https://git.kernel.org/stable/c/ecf0b2b8a37c8464186620bef37812a117ff6366" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921s: fix potential hung tasks during chip recovery\n\nDuring chip recovery (e.g. chip reset), there is a possible situation that\nkernel worker reset_work is holding the lock and waiting for kernel thread\nstat_worker to be parked, while stat_worker is waiting for the release of\nthe same lock.\nIt causes a deadlock resulting in the dumping of hung tasks messages and\npossible rebooting of the device.\n\nThis patch prevents the execution of stat_worker during the chip recovery.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40977" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40978", + "dataSource": "https://ubuntu.com/security/CVE-2024-40978", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40978" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40978", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40978", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/144d76a676b630e321556965011b00e2de0b40a7", + "https://git.kernel.org/stable/c/21c963de2e86e88f6a8ca556bcebb8e62ab8e901", + "https://git.kernel.org/stable/c/28027ec8e32ecbadcd67623edb290dad61e735b5", + "https://git.kernel.org/stable/c/397a8990c377ee4b61d6df768e61dff9e316d46b", + "https://git.kernel.org/stable/c/56bec63a7fc87ad50b3373a87517dc9770eef9e0", + "https://git.kernel.org/stable/c/e2f433ea7d0ff77998766a088a287337fb43ad75", + "https://git.kernel.org/stable/c/eaddb86637669f6bad89245ee63f8fb2bfb50241", + "https://git.kernel.org/stable/c/fa85b016a56b9775a3fe41e5d26e666945963b46" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedi: Fix crash while reading debugfs attribute\n\nThe qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly\non a __user pointer, which results into the crash.\n\nTo fix this issue, use a small local stack buffer for sprintf() and then\ncall simple_read_from_buffer(), which in turns make the copy_to_user()\ncall.\n\nBUG: unable to handle page fault for address: 00007f4801111000\nPGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0\nOops: 0002 [#1] PREEMPT SMP PTI\nHardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023\nRIP: 0010:memcpy_orig+0xcd/0x130\nRSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202\nRAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f\nRDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000\nRBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572\nR10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff\nR13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af\nFS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? __die_body+0x1a/0x60\n ? page_fault_oops+0x183/0x510\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? memcpy_orig+0xcd/0x130\n vsnprintf+0x102/0x4c0\n sprintf+0x51/0x80\n qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]\n full_proxy_read+0x50/0x80\n vfs_read+0xa5/0x2e0\n ? folio_add_new_anon_rmap+0x44/0xa0\n ? set_pte_at+0x15/0x30\n ? do_pte_missing+0x426/0x7f0\n ksys_read+0xa5/0xe0\n do_syscall_64+0x58/0x80\n ? __count_memcg_events+0x46/0x90\n ? count_memcg_event_mm+0x3d/0x60\n ? handle_mm_fault+0x196/0x2f0\n ? do_user_addr_fault+0x267/0x890\n ? exc_page_fault+0x69/0x150\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4800f20b4d", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40978" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40979", + "dataSource": "https://ubuntu.com/security/CVE-2024-40979", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40979" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40979", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40979", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/303c017821d88ebad887814114d4e5966d320b28", + "https://git.kernel.org/stable/c/bb50a4e711ff95348ad53641acb1306d89eb4c3a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix kernel crash during resume\n\nCurrently during resume, QMI target memory is not properly handled, resulting\nin kernel crash in case DMA remap is not supported:\n\nBUG: Bad page state in process kworker/u16:54 pfn:36e80\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80\npage dumped because: nonzero _refcount\nCall Trace:\n bad_page\n free_page_is_bad_report\n __free_pages_ok\n __free_pages\n dma_direct_free\n dma_free_attrs\n ath12k_qmi_free_target_mem_chunk\n ath12k_qmi_msg_mem_request_cb\n\nThe reason is:\nOnce ath12k module is loaded, firmware sends memory request to host. In case\nDMA remap not supported, ath12k refuses the first request due to failure in\nallocating with large segment size:\n\nath12k_pci 0000:04:00.0: qmi firmware request memory request\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144\nath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size\nath12k_pci 0000:04:00.0: qmi delays mem_request 2\nath12k_pci 0000:04:00.0: qmi firmware request memory request\n\nLater firmware comes back with more but small segments and allocation\nsucceeds:\n\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\n\nNow ath12k is working. If suspend is triggered, firmware will be reloaded\nduring resume. As same as before, firmware requests two large segments at\nfirst. In ath12k_qmi_msg_mem_request_cb() segment count and size are\nassigned:\n\n\tab->qmi.mem_seg_count == 2\n\tab->qmi.target_mem[0].size == 7077888\n\tab->qmi.target_mem[1].size == 8454144\n\nThen allocation failed like before and ath12k_qmi_free_target_mem_chunk()\nis called to free all allocated segments. Note the first segment is skipped\nbecause its v.addr is cleared due to allocation failure:\n\n\tchunk->v.addr = dma_alloc_coherent()\n\nAlso note that this leaks that segment because it has not been freed.\n\nWhile freeing the second segment, a size of 8454144 is passed to\ndma_free_coherent(). However remember that this segment is allocated at\nthe first time firmware is loaded, before suspend. So its real size is\n524288, much smaller than 8454144. As a result kernel found we are freeing\nsome memory which is in use and thus cras\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40979" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40980", + "dataSource": "https://ubuntu.com/security/CVE-2024-40980", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40980" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40980", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40980", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e", + "https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334", + "https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0", + "https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5", + "https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac", + "https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195", + "https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: replace spin_lock by raw_spin_lock\n\ntrace_drop_common() is called with preemption disabled, and it acquires\na spin_lock. This is problematic for RT kernels because spin_locks are\nsleeping locks in this configuration, which causes the following splat:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n5 locks held by rcuc/47/449:\n #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210\n #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130\n #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210\n #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70\n #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290\nirq event stamp: 139909\nhardirqs last enabled at (139908): [] _raw_spin_unlock_irqrestore+0x63/0x80\nhardirqs last disabled at (139909): [] trace_drop_common.constprop.0+0x26d/0x290\nsoftirqs last enabled at (139892): [] __local_bh_enable_ip+0x103/0x170\nsoftirqs last disabled at (139898): [] rcu_cpu_kthread+0x93/0x1f0\nPreemption disabled at:\n[] rt_mutex_slowunlock+0xab/0x2e0\nCPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7\nHardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022\nCall Trace:\n \n dump_stack_lvl+0x8c/0xd0\n dump_stack+0x14/0x20\n __might_resched+0x21e/0x2f0\n rt_spin_lock+0x5e/0x130\n ? trace_drop_common.constprop.0+0xb5/0x290\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_drop_common.constprop.0+0xb5/0x290\n ? preempt_count_sub+0x1c/0xd0\n ? _raw_spin_unlock_irqrestore+0x4a/0x80\n ? __pfx_trace_drop_common.constprop.0+0x10/0x10\n ? rt_mutex_slowunlock+0x26a/0x2e0\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_rt_mutex_slowunlock+0x10/0x10\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_kfree_skb_hit+0x15/0x20\n trace_kfree_skb+0xe9/0x150\n kfree_skb_reason+0x7b/0x110\n skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10\n ? mark_lock.part.0+0x8a/0x520\n...\n\ntrace_drop_common() also disables interrupts, but this is a minor issue\nbecause we could easily replace it with a local_lock.\n\nReplace the spin_lock with raw_spin_lock to avoid sleeping in atomic\ncontext.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40980" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40981", + "dataSource": "https://ubuntu.com/security/CVE-2024-40981", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40981" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40981", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40981", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/154e3f862ba33675cf3f4abf0a0a309a89df87d2", + "https://git.kernel.org/stable/c/2685008a5f9a636434a8508419cee8158a2f52c8", + "https://git.kernel.org/stable/c/40dc8ab605894acae1473e434944924a22cfaaa0", + "https://git.kernel.org/stable/c/79636f636126775436a11ee9cf00a9253a33ac11", + "https://git.kernel.org/stable/c/82cdea8f3af1e36543c937df963d108c60bea030", + "https://git.kernel.org/stable/c/92176caf9896572f00e741a93cecc0ef1172da07", + "https://git.kernel.org/stable/c/ae7f3cffe86aea3da0e8e079525a1ae619b8862a", + "https://git.kernel.org/stable/c/fed7914858a1f1f3e6350bb0f620d6ef15107d16" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bypass empty buckets in batadv_purge_orig_ref()\n\nMany syzbot reports are pointing to soft lockups in\nbatadv_purge_orig_ref() [1]\n\nRoot cause is unknown, but we can avoid spending too much\ntime there and perhaps get more interesting reports.\n\n[1]\n\nwatchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]\nModules linked in:\nirq event stamp: 6182794\n hardirqs last enabled at (6182793): [] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\n hardirqs last disabled at (6182794): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (6182794): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last enabled at (6182792): [] spin_unlock_bh include/linux/spinlock.h:396 [inline]\n softirqs last enabled at (6182792): [] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n softirqs last disabled at (6182790): [] spin_lock_bh include/linux/spinlock.h:356 [inline]\n softirqs last disabled at (6182790): [] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271\nCPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_purge_orig\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]\n pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388\n lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\nsp : ffff800099007970\nx29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000\nx26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001\nx23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4\nx20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0\nx17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001\nx14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003\nx11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000\nCall trace:\n __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]\n arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]\n __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n kthread+0x288/0x310 kernel/kthread.c:388\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51\n lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103\nsp : ffff800093a17d30\nx29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4\nx26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002\nx23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000\nx20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396\nx17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40981" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40982", + "dataSource": "https://ubuntu.com/security/CVE-2024-40982", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40982" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40982", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40982", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/789c17185fb0f39560496c2beab9b57ce1d0cbe7", + "https://git.kernel.org/stable/c/7d43c8377c6fc846b1812f8df360425c9323dc56", + "https://git.kernel.org/stable/c/c5dc2d8eb3981bae261ea7d1060a80868e886813" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nssb: Fix potential NULL pointer dereference in ssb_device_uevent()\n\nThe ssb_device_uevent() function first attempts to convert the 'dev' pointer\nto 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before\nperforming the NULL check, potentially leading to a NULL pointer\ndereference if 'dev' is NULL.\n\nTo fix this issue, move the NULL check before dereferencing the 'dev' pointer,\nensuring that the pointer is valid before attempting to use it.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40982" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40983", + "dataSource": "https://ubuntu.com/security/CVE-2024-40983", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40983" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40983", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40983", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ebe8f840c7450ecbfca9d18ac92e9ce9155e269", + "https://git.kernel.org/stable/c/3eb1b39627892c4e26cb0162b75725aa5fcc60c8", + "https://git.kernel.org/stable/c/623c90d86a61e3780f682b32928af469c66ec4c2", + "https://git.kernel.org/stable/c/6808b41371670c51feea14f63ade211e78100930", + "https://git.kernel.org/stable/c/692803b39a36e63ac73208e0a3769ae6a2f9bc76", + "https://git.kernel.org/stable/c/b57a4a2dc8746cea58a922ebe31b6aa629d69d93" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: force a dst refcount before doing decryption\n\nAs it says in commit 3bc07321ccc2 (\"xfrm: Force a dst refcount before\nentering the xfrm type handlers\"):\n\n\"Crypto requests might return asynchronous. In this case we leave the\n rcu protected region, so force a refcount on the skb's destination\n entry before we enter the xfrm type input/output handlers.\"\n\nOn TIPC decryption path it has the same problem, and skb_dst_force()\nshould be called before doing decryption to avoid a possible crash.\n\nShuang reported this issue when this warning is triggered:\n\n [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug\n [] Workqueue: crypto cryptd_queue_worker\n [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Call Trace:\n [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]\n [] tipc_rcv+0xcf5/0x1060 [tipc]\n [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]\n [] cryptd_aead_crypt+0xdb/0x190\n [] cryptd_queue_worker+0xed/0x190\n [] process_one_work+0x93d/0x17e0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40983" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40984", + "dataSource": "https://ubuntu.com/security/CVE-2024-40984", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40984" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40984", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40984", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/434c6b924e1f4c219aab2d9e05fe79c5364e37d3", + "https://git.kernel.org/stable/c/435ecc978c3d5d0c4e172ec5b956dc1904061d98", + "https://git.kernel.org/stable/c/6eca23100e9030725f69c1babacd58803f29ec8d", + "https://git.kernel.org/stable/c/a83e1385b780d41307433ddbc86e3c528db031f0", + "https://git.kernel.org/stable/c/ae465109d82f4fb03c5adbe85f2d6a6a3d59124c", + "https://git.kernel.org/stable/c/dc5017c57f5eee80020c73ff8b67ba7f9fd08b1f", + "https://git.kernel.org/stable/c/ddc1f5f124479360a1fd43f73be950781d172239", + "https://git.kernel.org/stable/c/e21a4c9129c72fa54dd00f5ebf71219b41d43c04" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\"\n\nUndo the modifications made in commit d410ee5109a1 (\"ACPICA: avoid\n\"Info: mapping multiple BARs. Your kernel is fine.\"\"). The initial\npurpose of this commit was to stop memory mappings for operation\nregions from overlapping page boundaries, as it can trigger warnings\nif different page attributes are present.\n\nHowever, it was found that when this situation arises, mapping\ncontinues until the boundary's end, but there is still an attempt to\nread/write the entire length of the map, leading to a NULL pointer\ndeference. For example, if a four-byte mapping request is made but\nonly one byte is mapped because it hits the current page boundary's\nend, a four-byte read/write attempt is still made, resulting in a NULL\npointer deference.\n\nInstead, map the entire length, as the ACPI specification does not\nmandate that it must be within the same page boundary. It is\npermissible for it to be mapped across different regions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40984" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40987", + "dataSource": "https://ubuntu.com/security/CVE-2024-40987", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40987" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40987", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40987", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c44f7759a5650acf8f13d3e0a184d09e03be9e4", + "https://git.kernel.org/stable/c/4ad7d49059358ceadd352b4e2511425bdb68f400", + "https://git.kernel.org/stable/c/4d020c1dbd2b2304f44d003e6de956ae570049dc", + "https://git.kernel.org/stable/c/b065d79ed06a0bb4377bc6dcc2ff0cb1f55a798f", + "https://git.kernel.org/stable/c/b0d612619ed70cab476c77b19e00d13aa414e14f", + "https://git.kernel.org/stable/c/d8a04a6bfa75251ba7bcc3651ed211e82f13f388", + "https://git.kernel.org/stable/c/f0d576f840153392d04b2d52cf3adab8f62e8cb6", + "https://git.kernel.org/stable/c/fc5cb952e6723c5c55e47b8cf94a891bd4af1a86" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40987" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40988", + "dataSource": "https://ubuntu.com/security/CVE-2024-40988", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40988" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40988", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40988", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07e8f15fa16695cf4c90e89854e59af4a760055b", + "https://git.kernel.org/stable/c/468a50fd46a09bba7ba18a11054ae64b6479ecdc", + "https://git.kernel.org/stable/c/9e57611182a817824a17b1c3dd300ee74a174b42", + "https://git.kernel.org/stable/c/a498df5421fd737d11bfd152428ba6b1c8538321", + "https://git.kernel.org/stable/c/a8c6df9fe5bc390645d1e96eff14ffe414951aad", + "https://git.kernel.org/stable/c/cf1cc8fcfe517e108794fb711f7faabfca0dc855", + "https://git.kernel.org/stable/c/f803532bc3825384100dfc58873e035d77248447", + "https://git.kernel.org/stable/c/febe794b83693257f21a23d2e03ea695a62449c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40988" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40989", + "dataSource": "https://ubuntu.com/security/CVE-2024-40989", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40989" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40989", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40989", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8", + "https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76", + "https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c", + "https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\n\nWhen tearing down a redistributor region, make sure we don't have\nany dangling pointer to that region stored in a vcpu.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40989" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40990", + "dataSource": "https://ubuntu.com/security/CVE-2024-40990", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40990" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40990", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40990", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e692244bf7dd827dd72edc6c4a3b36ae572f03c", + "https://git.kernel.org/stable/c/36ab7ada64caf08f10ee5a114d39964d1f91e81d", + "https://git.kernel.org/stable/c/4ab99e3613139f026d2d8ba954819e2876120ab3", + "https://git.kernel.org/stable/c/7186b81c1f15e39069b1af172c6a951728ed3511", + "https://git.kernel.org/stable/c/999586418600b4b3b93c2a0edd3a4ca71ee759bf", + "https://git.kernel.org/stable/c/e0deb0e9c967b61420235f7f17a4450b4b4d6ce2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Add check for srq max_sge attribute\n\nmax_sge attribute is passed by the user, and is inserted and used\nunchecked, so verify that the value doesn't exceed maximum allowed value\nbefore using it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40990" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40994", + "dataSource": "https://ubuntu.com/security/CVE-2024-40994", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40994" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40994", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40994", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/4b03da87d0b7074c93d9662c6e1a8939f9b8b86e", + "https://git.kernel.org/stable/c/666e934d749e50a37f3796caaf843a605f115b6f", + "https://git.kernel.org/stable/c/81d23d2a24012e448f651e007fac2cfd20a45ce0", + "https://git.kernel.org/stable/c/d50d62d5e6ee6aa03c00bddb91745d0b632d3b0f", + "https://git.kernel.org/stable/c/e1fccfb4638ee6188377867f6015d0ce35764a8e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: fix integer overflow in max_vclocks_store\n\nOn 32bit systems, the \"4 * max\" multiply can overflow. Use kcalloc()\nto do the allocation to prevent this.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40994" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40995", + "dataSource": "https://ubuntu.com/security/CVE-2024-40995", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40995" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40995", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40995", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0d8a2d287c8a394c0d4653f0c6c7be4c688e5a74", + "https://git.kernel.org/stable/c/25987a97eec4d5f897cd04ee1b45170829c610da", + "https://git.kernel.org/stable/c/5f926aa96b08b6c47178fe1171e7ae331c695fc2", + "https://git.kernel.org/stable/c/6fc78d67f51aeb9a542d39a8714e16bc411582d4", + "https://git.kernel.org/stable/c/7a0e497b597df7c4cf2b63fc6e9188b6cabe5335", + "https://git.kernel.org/stable/c/c6a7da65a296745535a964be1019ec7691b0cb90", + "https://git.kernel.org/stable/c/d864319871b05fadd153e0aede4811ca7008f5d6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()\n\nsyzbot found hanging tasks waiting on rtnl_lock [1]\n\nA reproducer is available in the syzbot bug.\n\nWhen a request to add multiple actions with the same index is sent, the\nsecond request will block forever on the first request. This holds\nrtnl_lock, and causes tasks to hang.\n\nReturn -EAGAIN to prevent infinite looping, while keeping documented\nbehavior.\n\n[1]\n\nINFO: task kworker/1:0:5088 blocked for more than 143 seconds.\nNot tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000\nWorkqueue: events_power_efficient reg_check_chans_work\nCall Trace:\n\ncontext_switch kernel/sched/core.c:5409 [inline]\n__schedule+0xf15/0x5d00 kernel/sched/core.c:6746\n__schedule_loop kernel/sched/core.c:6823 [inline]\nschedule+0xe7/0x350 kernel/sched/core.c:6838\nschedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895\n__mutex_lock_common kernel/locking/mutex.c:684 [inline]\n__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752\nwiphy_lock include/net/cfg80211.h:5953 [inline]\nreg_leave_invalid_chans net/wireless/reg.c:2466 [inline]\nreg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40995" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40997", + "dataSource": "https://ubuntu.com/security/CVE-2024-40997", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40997" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40997", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40997", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd", + "https://git.kernel.org/stable/c/8015c17fe11a8608cc3eb83d0ab831e1845a9582", + "https://git.kernel.org/stable/c/cea04f3d9aeebda9d9c063c0dfa71e739c322c81" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: fix memory leak on CPU EPP exit\n\nThe cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is\nnot freed in the analogous exit function, so fix that.\n\n[ rjw: Subject and changelog edits ]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40997" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40998", + "dataSource": "https://ubuntu.com/security/CVE-2024-40998", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40998" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40998", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40998", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/23afcd52af06880c6c913a0ad99022b8937b575c", + "https://git.kernel.org/stable/c/645267906944a9aeec9d5c56ee24a9096a288798", + "https://git.kernel.org/stable/c/b4b4fda34e535756f9e774fb2d09c4537b7dfd1c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()\n\nIn the following concurrency we will access the uninitialized rs->lock:\n\next4_fill_super\n ext4_register_sysfs\n // sysfs registered msg_ratelimit_interval_ms\n // Other processes modify rs->interval to\n // non-zero via msg_ratelimit_interval_ms\n ext4_orphan_cleanup\n ext4_msg(sb, KERN_INFO, \"Errors on filesystem, \"\n __ext4_msg\n ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)\n if (!rs->interval) // do nothing if interval is 0\n return 1;\n raw_spin_trylock_irqsave(&rs->lock, flags)\n raw_spin_trylock(lock)\n _raw_spin_trylock\n __raw_spin_trylock\n spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)\n lock_acquire\n __lock_acquire\n register_lock_class\n assign_lock_key\n dump_stack();\n ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);\n raw_spin_lock_init(&rs->lock);\n // init rs->lock here\n\nand get the following dump_stack:\n\n=========================================================\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504\n[...]\nCall Trace:\n dump_stack_lvl+0xc5/0x170\n dump_stack+0x18/0x30\n register_lock_class+0x740/0x7c0\n __lock_acquire+0x69/0x13a0\n lock_acquire+0x120/0x450\n _raw_spin_trylock+0x98/0xd0\n ___ratelimit+0xf6/0x220\n __ext4_msg+0x7f/0x160 [ext4]\n ext4_orphan_cleanup+0x665/0x740 [ext4]\n __ext4_fill_super+0x21ea/0x2b10 [ext4]\n ext4_fill_super+0x14d/0x360 [ext4]\n[...]\n=========================================================\n\nNormally interval is 0 until s_msg_ratelimit_state is initialized, so\n___ratelimit() does nothing. But registering sysfs precedes initializing\nrs->lock, so it is possible to change rs->interval to a non-zero value\nvia the msg_ratelimit_interval_ms interface of sysfs while rs->lock is\nuninitialized, and then a call to ext4_msg triggers the problem by\naccessing an uninitialized rs->lock. Therefore register sysfs after all\ninitializations are complete to avoid such problems.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40998" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40999", + "dataSource": "https://ubuntu.com/security/CVE-2024-40999", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40999" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40999", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40999", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/42146ee5286f16f1674a84f7c274dcca65c6ff2e", + "https://git.kernel.org/stable/c/b37b98a3a0c1198bafe8c2d9ce0bc845b4e7a9a7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Add validation for completion descriptors consistency\n\nValidate that `first` flag is set only for the first\ndescriptor in multi-buffer packets.\nIn case of an invalid descriptor, a reset will occur.\nA new reset reason for RX data corruption has been added.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40999" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41000", + "dataSource": "https://ubuntu.com/security/CVE-2024-41000", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41000" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41000", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41000", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3220c90f4dbdc6d20d0608b164d964434a810d66", + "https://git.kernel.org/stable/c/54160fb1db2de367485f21e30196c42f7ee0be4e", + "https://git.kernel.org/stable/c/58706e482bf45c4db48b0c53aba2468c97adda24", + "https://git.kernel.org/stable/c/61ec76ec930709b7bcd69029ef1fe90491f20cf9", + "https://git.kernel.org/stable/c/ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9", + "https://git.kernel.org/stable/c/fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/ioctl: prefer different overflow check\n\nRunning syzkaller with the newly reintroduced signed integer overflow\nsanitizer shows this report:\n\n[ 62.982337] ------------[ cut here ]------------\n[ 62.985692] cgroup: Invalid name\n[ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46\n[ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1\n[ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'\n[ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1\n[ 62.999369] random: crng reseeded on system resumption\n[ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)\n[ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 63.000682] Call Trace:\n[ 63.000686] \n[ 63.000731] dump_stack_lvl+0x93/0xd0\n[ 63.000919] __get_user_pages+0x903/0xd30\n[ 63.001030] __gup_longterm_locked+0x153e/0x1ba0\n[ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50\n[ 63.001072] ? try_get_folio+0x29c/0x2d0\n[ 63.001083] internal_get_user_pages_fast+0x1119/0x1530\n[ 63.001109] iov_iter_extract_pages+0x23b/0x580\n[ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220\n[ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410\n[ 63.001297] __iomap_dio_rw+0xab4/0x1810\n[ 63.001316] iomap_dio_rw+0x45/0xa0\n[ 63.001328] ext4_file_write_iter+0xdde/0x1390\n[ 63.001372] vfs_write+0x599/0xbd0\n[ 63.001394] ksys_write+0xc8/0x190\n[ 63.001403] do_syscall_64+0xd4/0x1b0\n[ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60\n[ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77\n[ 63.001535] RIP: 0033:0x7f7fd3ebf539\n[ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\n[ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539\n[ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004\n[ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000\n[ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8\n...\n[ 63.018142] ---[ end trace ]---\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang; It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rework this overflow checking logic to not actually perform an\noverflow during the check itself, thus avoiding the UBSAN splat.\n\n[1]: https://github.com/llvm/llvm-project/pull/82432", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41000" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41001", + "dataSource": "https://ubuntu.com/security/CVE-2024-41001", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41001" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41001", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41001", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/55c22375cbaa24f77dd13f9ae0642915444a1227", + "https://git.kernel.org/stable/c/9e810bd995823786ea30543e480e8a573e5e5667", + "https://git.kernel.org/stable/c/a40e90d9304629002fb17200f7779823a81191d3", + "https://git.kernel.org/stable/c/c4ce0ab27646f4206a9eb502d6fe45cb080e1cae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/sqpoll: work around a potential audit memory leak\n\nkmemleak complains that there's a memory leak related to connect\nhandling:\n\nunreferenced object 0xffff0001093bdf00 (size 128):\ncomm \"iou-sqp-455\", pid 457, jiffies 4294894164\nhex dump (first 32 bytes):\n02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace (crc 2e481b1a):\n[<00000000c0a26af4>] kmemleak_alloc+0x30/0x38\n[<000000009c30bb45>] kmalloc_trace+0x228/0x358\n[<000000009da9d39f>] __audit_sockaddr+0xd0/0x138\n[<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8\n[<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4\n[<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48\n[<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4\n[<00000000d999b491>] ret_from_fork+0x10/0x20\n\nwhich can can happen if:\n\n1) The command type does something on the prep side that triggers an\n audit call.\n2) The thread hasn't done any operations before this that triggered\n an audit call inside ->issue(), where we have audit_uring_entry()\n and audit_uring_exit().\n\nWork around this by issuing a blanket NOP operation before the SQPOLL\ndoes anything.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41001" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41002", + "dataSource": "https://ubuntu.com/security/CVE-2024-41002", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41002" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41002", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41002", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/36810d2db3496bb8b4db7ccda666674a5efc7b47", + "https://git.kernel.org/stable/c/7c42ce556ff65995c8875c9ed64141c14238e7e6", + "https://git.kernel.org/stable/c/9f21886370db451b0fdc651f6e41550a1da70601", + "https://git.kernel.org/stable/c/a886bcb0f67d1e3d6b2da25b3519de59098200c2", + "https://git.kernel.org/stable/c/bba4250757b4ae1680fea435a358d8093f254094" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/sec - Fix memory leak for sec resource release\n\nThe AIV is one of the SEC resources. When releasing resources,\nit need to release the AIV resources at the same time.\nOtherwise, memory leakage occurs.\n\nThe aiv resource release is added to the sec resource release\nfunction.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41002" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41004", + "dataSource": "https://ubuntu.com/security/CVE-2024-41004", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41004" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41004", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41004", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32ef4dc2b1caf5825c0cf50646479608311cafc3", + "https://git.kernel.org/stable/c/3572bd5689b0812b161b40279e39ca5b66d73e88", + "https://git.kernel.org/stable/c/55d5d08174366efe57ca9e79964828b20c626c45", + "https://git.kernel.org/stable/c/72a0199b361df2387018697b023fdcdd357449a9", + "https://git.kernel.org/stable/c/98a7bfc48fffe170a60d87a5cbb7cdddf08184c3", + "https://git.kernel.org/stable/c/a85bae262ccecc52a40c466ec067f6c915e0839d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Build event generation tests only as modules\n\nThe kprobes and synth event generation test modules add events and lock\n(get a reference) those event file reference in module init function,\nand unlock and delete it in module exit function. This is because those\nare designed for playing as modules.\n\nIf we make those modules as built-in, those events are left locked in the\nkernel, and never be removed. This causes kprobe event self-test failure\nas below.\n\n[ 97.349708] ------------[ cut here ]------------\n[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.357106] Modules linked in:\n[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14\n[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90\n[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286\n[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000\n[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68\n[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000\n[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000\n[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000\n[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0\n[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 97.391196] Call Trace:\n[ 97.391967] \n[ 97.392647] ? __warn+0xcc/0x180\n[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.395181] ? report_bug+0xbd/0x150\n[ 97.396234] ? handle_bug+0x3e/0x60\n[ 97.397311] ? exc_invalid_op+0x1a/0x50\n[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20\n[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20\n[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90\n[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.403773] ? init_kprobe_trace+0x50/0x50\n[ 97.404972] do_one_initcall+0x112/0x240\n[ 97.406113] do_initcall_level+0x95/0xb0\n[ 97.407286] ? kernel_init+0x1a/0x1a0\n[ 97.408401] do_initcalls+0x3f/0x70\n[ 97.409452] kernel_init_freeable+0x16f/0x1e0\n[ 97.410662] ? rest_init+0x1f0/0x1f0\n[ 97.411738] kernel_init+0x1a/0x1a0\n[ 97.412788] ret_from_fork+0x39/0x50\n[ 97.413817] ? rest_init+0x1f0/0x1f0\n[ 97.414844] ret_from_fork_asm+0x11/0x20\n[ 97.416285] \n[ 97.417134] irq event stamp: 13437323\n[ 97.418376] hardirqs last enabled at (13437337): [] console_unlock+0x11c/0x150\n[ 97.421285] hardirqs last disabled at (13437370): [] console_unlock+0x101/0x150\n[ 97.423838] softirqs last enabled at (13437366): [] handle_softirqs+0x23f/0x2a0\n[ 97.426450] softirqs last disabled at (13437393): [] __irq_exit_rcu+0x66/0xd0\n[ 97.428850] ---[ end trace 0000000000000000 ]---\n\nAnd also, since we can not cleanup dynamic_event file, ftracetest are\nfailed too.\n\nTo avoid these issues, build these tests only as modules.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41004" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41005", + "dataSource": "https://ubuntu.com/security/CVE-2024-41005", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41005" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41005", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41005", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d", + "https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265", + "https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c", + "https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57", + "https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916", + "https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetpoll: Fix race condition in netpoll_owner_active\n\nKCSAN detected a race condition in netpoll:\n\n\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\n\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\n\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\n\n\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\n\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\n\tnetpoll_send_udp (net/core/netpoll.c:?)\n\n\tvalue changed: 0x0000000a -> 0xffffffff\n\nThis happens because netpoll_owner_active() needs to check if the\ncurrent CPU is the owner of the lock, touching napi->poll_owner\nnon atomically. The ->poll_owner field contains the current CPU holding\nthe lock.\n\nUse an atomic read to check if the poll owner is the current CPU.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41005" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41006", + "dataSource": "https://ubuntu.com/security/CVE-2024-41006", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41006" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41006", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41006", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735", + "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937", + "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba", + "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b", + "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8", + "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712", + "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c", + "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\n\nsyzbot reported a memory leak in nr_create() [0].\n\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\n\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\n\nnr_connect\n nr_establish_data_link\n nr_start_heartbeat\n\nnr_release\n switch (nr->state)\n case NR_STATE_3\n nr->state = NR_STATE_2\n sock_set_flag(sk, SOCK_DESTROY);\n\n nr_rx_frame\n nr_process_rx_frame\n switch (nr->state)\n case NR_STATE_2\n nr_state2_machine()\n nr_disconnect()\n nr_sk(sk)->state = NR_STATE_0\n sock_set_flag(sk, SOCK_DEAD)\n\n nr_heartbeat_expiry\n switch (nr->state)\n case NR_STATE_0\n if (sock_flag(sk, SOCK_DESTROY) ||\n (sk->sk_state == TCP_LISTEN\n && sock_flag(sk, SOCK_DEAD)))\n sock_hold() // ( !!! )\n nr_destroy_socket()\n\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41006" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41007", + "dataSource": "https://ubuntu.com/security/CVE-2024-41007", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41007" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41007", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41007", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570", + "https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982", + "https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b05462570a5be1", + "https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4", + "https://git.kernel.org/stable/c/97a9063518f198ec0adb2ecb89789de342bb8283", + "https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969", + "https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde", + "https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: avoid too many retransmit packets\n\nIf a TCP socket is using TCP_USER_TIMEOUT, and the other peer\nretracted its window to zero, tcp_retransmit_timer() can\nretransmit a packet every two jiffies (2 ms for HZ=1000),\nfor about 4 minutes after TCP_USER_TIMEOUT has 'expired'.\n\nThe fix is to make sure tcp_rtx_probe0_timed_out() takes\nicsk->icsk_user_timeout into account.\n\nBefore blamed commit, the socket would not timeout after\nicsk->icsk_user_timeout, but would use standard exponential\nbackoff for the retransmits.\n\nAlso worth noting that before commit e89688e3e978 (\"net: tcp:\nfix unexcepted socket die when snd_wnd is 0\"), the issue\nwould last 2 minutes instead of 4.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41007" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41008", + "dataSource": "https://ubuntu.com/security/CVE-2024-41008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41008", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/b8f67b9ddf4f8fe6dd536590712b5912ad78f99c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: change vm->task_info handling\n\nThis patch changes the handling and lifecycle of vm->task_info object.\nThe major changes are:\n- vm->task_info is a dynamically allocated ptr now, and its uasge is\n reference counted.\n- introducing two new helper funcs for task_info lifecycle management\n - amdgpu_vm_get_task_info: reference counts up task_info before\n returning this info\n - amdgpu_vm_put_task_info: reference counts down task_info\n- last put to task_info() frees task_info from the vm.\n\nThis patch also does logistical changes required for existing usage\nof vm->task_info.\n\nV2: Do not block all the prints when task_info not found (Felix)\n\nV3: Fixed review comments from Felix\n - Fix wrong indentation\n - No debug message for -ENOMEM\n - Add NULL check for task_info\n - Do not duplicate the debug messages (ti vs no ti)\n - Get first reference of task_info in vm_init(), put last\n in vm_fini()\n\nV4: Fixed review comments from Felix\n - fix double reference increment in create_task_info\n - change amdgpu_vm_get_task_info_pasid\n - additional changes in amdgpu_gem.c while porting", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41008" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41009", + "dataSource": "https://ubuntu.com/security/CVE-2024-41009", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41009" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41009", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41009", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4", + "https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225", + "https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069", + "https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f", + "https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881", + "https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix overrunning reservations in ringbuf\n\nThe BPF ring buffer internally is implemented as a power-of-2 sized circular\nbuffer, with two logical and ever-increasing counters: consumer_pos is the\nconsumer counter to show which logical position the consumer consumed the\ndata, and producer_pos which is the producer counter denoting the amount of\ndata reserved by all producers.\n\nEach time a record is reserved, the producer that \"owns\" the record will\nsuccessfully advance producer counter. In user space each time a record is\nread, the consumer of the data advanced the consumer counter once it finished\nprocessing. Both counters are stored in separate pages so that from user\nspace, the producer counter is read-only and the consumer counter is read-write.\n\nOne aspect that simplifies and thus speeds up the implementation of both\nproducers and consumers is how the data area is mapped twice contiguously\nback-to-back in the virtual memory, allowing to not take any special measures\nfor samples that have to wrap around at the end of the circular buffer data\narea, because the next page after the last data page would be first data page\nagain, and thus the sample will still appear completely contiguous in virtual\nmemory.\n\nEach record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for\nbook-keeping the length and offset, and is inaccessible to the BPF program.\nHelpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`\nfor the BPF program to use. Bing-Jhong and Muhammad reported that it is however\npossible to make a second allocated memory chunk overlapping with the first\nchunk and as a result, the BPF program is now able to edit first chunk's\nheader.\n\nFor example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size\nof 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to\nbpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in\n[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets\nallocate a chunk B with size 0x3000. This will succeed because consumer_pos\nwas edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`\ncheck. Chunk B will be in range [0x3008,0x6010], and the BPF program is able\nto edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned\nearlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data\npages. This means that chunk B at [0x4000,0x4008] is chunk A's header.\nbpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then\nlocate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk\nB modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong\npage and could cause a crash.\n\nFix it by calculating the oldest pending_pos and check whether the range\nfrom the oldest outstanding record to the newest would span beyond the ring\nbuffer size. If that is the case, then reject the request. We've tested with\nthe ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)\nbefore/after the fix and while it seems a bit slower on some benchmarks, it\nis still not significantly enough to matter.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41009" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41011", + "dataSource": "https://ubuntu.com/security/CVE-2024-41011", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41011" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41011", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41011", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4b4cff994a27ebf7bd3fb9a798a1cdfa8d01b724", + "https://git.kernel.org/stable/c/6186c93560889265bfe0914609c274eff40bbeb5", + "https://git.kernel.org/stable/c/89fffbdf535ce659c1a26b51ad62070566e33b28", + "https://git.kernel.org/stable/c/be4a2a81b6b90d1a47eaeaace4cc8e2cb57b96c7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: don't allow mapping the MMIO HDP page with large pages\n\nWe don't get the right offset in that case. The GPU has\nan unused 4K area of the register BAR space into which you can\nremap registers. We remap the HDP flush registers into this\nspace to allow userspace (CPU or GPU) to flush the HDP when it\nupdates VRAM. However, on systems with >4K pages, we end up\nexposing PAGE_SIZE of MMIO space.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41011" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41012", + "dataSource": "https://ubuntu.com/security/CVE-2024-41012", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41012" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41012", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41012", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3cad1bc010416c6dd780643476bc59ed742436b9", + "https://git.kernel.org/stable/c/52c87ab18c76c14d7209646ccb3283b3f5d87b22", + "https://git.kernel.org/stable/c/5661b9c7ec189406c2dde00837aaa4672efb6240", + "https://git.kernel.org/stable/c/5f5d0799eb0a01d550c21b7894e26b2d9db55763", + "https://git.kernel.org/stable/c/b6d223942c34057fdfd8f149e763fa823731b224", + "https://git.kernel.org/stable/c/d30ff33040834c3b9eee29740acd92f9c7ba2250", + "https://git.kernel.org/stable/c/dc2ce1dfceaa0767211a9d963ddb029ab21c4235", + "https://git.kernel.org/stable/c/ef8fc41cd6f95f9a4a3470f085aecf350569a0b3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Remove locks reliably when fcntl/close race is detected\n\nWhen fcntl_setlk() races with close(), it removes the created lock with\ndo_lock_file_wait().\nHowever, LSMs can allow the first do_lock_file_wait() that created the lock\nwhile denying the second do_lock_file_wait() that tries to remove the lock.\nSeparately, posix_lock_file() could also fail to\nremove a lock due to GFP_KERNEL allocation failure (when splitting a range\nin the middle).\n\nAfter the bug has been triggered, use-after-free reads will occur in\nlock_get_status() when userspace reads /proc/locks. This can likely be used\nto read arbitrary kernel memory, but can't corrupt kernel memory.\n\nFix it by calling locks_remove_posix() instead, which is designed to\nreliably get rid of POSIX locks associated with the given file and\nfiles_struct and is also used by filp_flush().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41012" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41013", + "dataSource": "https://ubuntu.com/security/CVE-2024-41013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41013", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: don't walk off the end of a directory data block\n\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\nto make sure don't stray beyond valid memory region. Before patching, the\nloop simply checks that the start offset of the dup and dep is within the\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\ncan change dup->length to dup->length-1 and leave 1 byte of space. In the\nnext traversal, this space will be considered as dup or dep. We may\nencounter an out of bound read when accessing the fixed members.\n\nIn the patch, we make sure that the remaining bytes large enough to hold\nan unused entry before accessing xfs_dir2_data_unused and\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\nsure that the remaining bytes large enough to hold a dirent with a\nsingle-byte name before accessing xfs_dir2_data_entry.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41013" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41014", + "dataSource": "https://ubuntu.com/security/CVE-2024-41014", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41014" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41014", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41014", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: add bounds checking to xlog_recover_process_data\n\nThere is a lack of verification of the space occupied by fixed members\nof xlog_op_header in the xlog_recover_process_data.\n\nWe can create a crafted image to trigger an out of bounds read by\nfollowing these steps:\n 1) Mount an image of xfs, and do some file operations to leave records\n 2) Before umounting, copy the image for subsequent steps to simulate\n abnormal exit. Because umount will ensure that tail_blk and\n head_blk are the same, which will result in the inability to enter\n xlog_recover_process_data\n 3) Write a tool to parse and modify the copied image in step 2\n 4) Make the end of the xlog_op_header entries only 1 byte away from\n xlog_rec_header->h_size\n 5) xlog_rec_header->h_num_logops++\n 6) Modify xlog_rec_header->h_crc\n\nFix:\nAdd a check to make sure there is sufficient space to access fixed members\nof xlog_op_header.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41014" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41015", + "dataSource": "https://ubuntu.com/security/CVE-2024-41015", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41015" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41015", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41015", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13d38c00df97289e6fba2e54193959293fd910d2", + "https://git.kernel.org/stable/c/255547c6bb8940a97eea94ef9d464ea5967763fb", + "https://git.kernel.org/stable/c/53de17ad01cb5f6f8426f597e9d5c87d4cf53bb7", + "https://git.kernel.org/stable/c/564d23cc5b216211e1694d53f7e45959396874d0", + "https://git.kernel.org/stable/c/624b380074f0dc209fb8706db3295c735079f34c", + "https://git.kernel.org/stable/c/77495e5da5cb110a8fed27b052c77853fe282176", + "https://git.kernel.org/stable/c/e05a24289db90f76ff606086aadd62d068a88dcd", + "https://git.kernel.org/stable/c/edb2e67dd4626b06fd7eb37252d5067912e78d59", + "https://git.kernel.org/stable/c/fd65685594ee707cbf3ddf22ebb73697786ac114" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: add bounds checking to ocfs2_check_dir_entry()\n\nThis adds sanity checks for ocfs2_dir_entry to make sure all members of\nocfs2_dir_entry don't stray beyond valid memory region.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41015" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41016", + "dataSource": "https://ubuntu.com/security/CVE-2024-41016", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41016" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41016", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41016", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/af77c4fc1871847b528d58b7fdafb4aa1f6a9262" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()\n\nxattr in ocfs2 maybe 'non-indexed', which saved with additional space\nrequested. It's better to check if the memory is out of bound before\nmemcmp, although this possibility mainly comes from crafted poisonous\nimages.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41016" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41017", + "dataSource": "https://ubuntu.com/security/CVE-2024-41017", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41017" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41017", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41017", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17440dbc66ab98b410514b04987f61deedb86751", + "https://git.kernel.org/stable/c/4e034f7e563ab723b93a59980e4a1bb33198ece8", + "https://git.kernel.org/stable/c/6386f1b6a10e5d1ddd03db4ff6dfc55d488852ce", + "https://git.kernel.org/stable/c/7e21574195a45fc193555fa40e99fed16565ff7e", + "https://git.kernel.org/stable/c/7f91bd0f2941fa36449ce1a15faaa64f840d9746", + "https://git.kernel.org/stable/c/d0fa70aca54c8643248e89061da23752506ec0d4", + "https://git.kernel.org/stable/c/dbde7bc91093fa9c2410e418b236b70fde044b73", + "https://git.kernel.org/stable/c/f4435f476b9bf059cd9e26a69f5b29c768d00375", + "https://git.kernel.org/stable/c/fc16776a82e8df97b6c4f9a10ba95aa44cef7ba5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: don't walk off the end of ealist\n\nAdd a check before visiting the members of ea to\nmake sure each ea stays within the ealist.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41017" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41019", + "dataSource": "https://ubuntu.com/security/CVE-2024-41019", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41019" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41019", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41019", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/35652dfa8cc9a8a900ec0f1e0395781f94ffc5f0", + "https://git.kernel.org/stable/c/50c47879650b4c97836a0086632b3a2e300b0f06", + "https://git.kernel.org/stable/c/617cf144c206f98978ec730b17159344fd147cb4", + "https://git.kernel.org/stable/c/6ae7265a7b816879fd0203e83b5030d3720bbb7a", + "https://git.kernel.org/stable/c/818a257428644b8873e79c44404d8fb6598d4440", + "https://git.kernel.org/stable/c/82c94e6a7bd116724738aa67eba6f5fedf3a3319" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate ff offset\n\nThis adds sanity checks for ff offset. There is a check\non rt->first_free at first, but walking through by ff\nwithout any check. If the second ff is a large offset.\nWe may encounter an out-of-bound read.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41019" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41020", + "dataSource": "https://ubuntu.com/security/CVE-2024-41020", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41020" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41020", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41020", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4c43ad4ab41602201d34c66ac62130fe339d686f", + "https://git.kernel.org/stable/c/53e21cfa68a7d12de378b7116c75571f73e0dfa2", + "https://git.kernel.org/stable/c/5b0af8e4c70e4b884bb94ff5f0cd49ecf1273c02", + "https://git.kernel.org/stable/c/73ae349534ebc377328e7d21891e589626c6e82c", + "https://git.kernel.org/stable/c/911cc83e56a2de5a40758766c6a70d6998248860", + "https://git.kernel.org/stable/c/a561145f3ae973ebf3e0aee41624e92a6c5cb38d", + "https://git.kernel.org/stable/c/ed898f9ca3fa32c56c858b463ceb9d9936cc69c4", + "https://git.kernel.org/stable/c/f4d0775c6e2f1340ca0725f0337de149aaa989ca", + "https://git.kernel.org/stable/c/f8138f2ad2f745b9a1c696a05b749eabe44337ea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Fix fcntl/close race recovery compat path\n\nWhen I wrote commit 3cad1bc01041 (\"filelock: Remove locks reliably when\nfcntl/close race is detected\"), I missed that there are two copies of the\ncode I was patching: The normal version, and the version for 64-bit offsets\non 32-bit kernels.\nThanks to Greg KH for stumbling over this while doing the stable\nbackport...\n\nApply exactly the same fix to the compat path for 32-bit kernels.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41020" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41022", + "dataSource": "https://ubuntu.com/security/CVE-2024-41022", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41022" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41022", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41022", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/298e2ce222e712ffafa47288c5b2fcf33d72fda3", + "https://git.kernel.org/stable/c/3dd9734878a9042f0358301d19a2b006a0fc4d06", + "https://git.kernel.org/stable/c/4edb0a84e6b32e75dc9bd6dd085b2c2ff19ec287", + "https://git.kernel.org/stable/c/544fa213f15d27f0370795845d55eeb3e00080d2", + "https://git.kernel.org/stable/c/6769a23697f17f9bf9365ca8ed62fe37e361a05a", + "https://git.kernel.org/stable/c/a5224e2123ce21102f346f518db80f004d5053a7", + "https://git.kernel.org/stable/c/d347c9a398bf7eab9408d207c0a50fb720f9de7d", + "https://git.kernel.org/stable/c/e8dfbf83a82bbfb9680921719fbe65e535af59ea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()\n\nThe \"instance\" variable needs to be signed for the error handling to work.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41022" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41023", + "dataSource": "https://ubuntu.com/security/CVE-2024-41023", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41023" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41023", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41023", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7a54d31face626f62de415ebe77b43f76c3ffaf4", + "https://git.kernel.org/stable/c/b58652db66c910c2245f5bee7deca41c12d707b9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix task_struct reference leak\n\nDuring the execution of the following stress test with linux-rt:\n\nstress-ng --cyclic 30 --timeout 30 --minimize --quiet\n\nkmemleak frequently reported a memory leak concerning the task_struct:\n\nunreferenced object 0xffff8881305b8000 (size 16136):\n comm \"stress-ng\", pid 614, jiffies 4294883961 (age 286.412s)\n object hex dump (first 32 bytes):\n 02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .@..............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n debug hex dump (first 16 bytes):\n 53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S...............\n backtrace:\n [<00000000046b6790>] dup_task_struct+0x30/0x540\n [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0\n [<00000000ced59777>] kernel_clone+0xb0/0x770\n [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0\n [<000000001dbf2008>] do_syscall_64+0x5d/0xf0\n [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThe issue occurs in start_dl_timer(), which increments the task_struct\nreference count and sets a timer. The timer callback, dl_task_timer,\nis supposed to decrement the reference count upon expiration. However,\nif enqueue_task_dl() is called before the timer expires and cancels it,\nthe reference count is not decremented, leading to the leak.\n\nThis patch fixes the reference leak by ensuring the task_struct\nreference count is properly decremented when the timer is canceled.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41023" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41027", + "dataSource": "https://ubuntu.com/security/CVE-2024-41027", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41027" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41027", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41027", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/14875fd5f9bcf60ac5518c63bfb676ade44aa7c6", + "https://git.kernel.org/stable/c/1723f04caacb32cadc4e063725d836a0c4450694", + "https://git.kernel.org/stable/c/519547760f16eae7803d2658d9524bc5ba7a20a7", + "https://git.kernel.org/stable/c/8111f902b7c95d75fc80c7e577f5045886c6b384", + "https://git.kernel.org/stable/c/cd94cac4069a763ab5206be2c64c9a8beae590ba" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix userfaultfd_api to return EINVAL as expected\n\nCurrently if we request a feature that is not set in the Kernel config we\nfail silently and return all the available features. However, the man\npage indicates we should return an EINVAL.\n\nWe need to fix this issue since we can end up with a Kernel warning should\na program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with\nthe config not set with this feature.\n\n [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660\n [ 200.820738] Modules linked in:\n [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8\n [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022\n [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41027" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41030", + "dataSource": "https://ubuntu.com/security/CVE-2024-41030", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41030" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41030", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41030", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/198498b2049c0f11f7670be6974570e02b0cc035", + "https://git.kernel.org/stable/c/66cf853e1c7a2407f15d9f7aaa3e47d61745e361", + "https://git.kernel.org/stable/c/9e84b1ba5c98fb5c9f869c85db1d870354613baa", + "https://git.kernel.org/stable/c/e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: discard write access to the directory open\n\nmay_open() does not allow a directory to be opened with the write access.\nHowever, some writing flags set by client result in adding write access\non server, making ksmbd incompatible with FUSE file system. Simply, let's\ndiscard the write access when opening a directory.\n\nlist_add corruption. next is NULL.\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:26!\npc : __list_add_valid+0x88/0xbc\nlr : __list_add_valid+0x88/0xbc\nCall trace:\n__list_add_valid+0x88/0xbc\nfuse_finish_open+0x11c/0x170\nfuse_open_common+0x284/0x5e8\nfuse_dir_open+0x14/0x24\ndo_dentry_open+0x2a4/0x4e0\ndentry_open+0x50/0x80\nsmb2_open+0xbe4/0x15a4\nhandle_ksmbd_work+0x478/0x5ec\nprocess_one_work+0x1b4/0x448\nworker_thread+0x25c/0x430\nkthread+0x104/0x1d4\nret_from_fork+0x10/0x20", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41030" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41031", + "dataSource": "https://ubuntu.com/security/CVE-2024-41031", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41031" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41031", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41031", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06b5a69c27ec405a3c3f2da8520ff1ee70b94a21", + "https://git.kernel.org/stable/c/1ef650d3b1b2a16473981b447f38705fe9b93972", + "https://git.kernel.org/stable/c/3390916aca7af1893ed2ebcdfee1d6fdb65bb058" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: skip to create PMD-sized page cache if needed\n\nOn ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The\nPMD-sized page cache can't be supported by xarray as the following error\nmessages indicate.\n\n------------[ cut here ]------------\nWARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \\\nfuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\nsha1_ce virtio_net net_failover virtio_console virtio_blk failover \\\ndimlib virtio_mmio\nCPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : xas_split_alloc+0xf8/0x128\nlr : split_huge_page_to_list_to_order+0x1c4/0x720\nsp : ffff800087a4f6c0\nx29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff\nx26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858\nx23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000\nx20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000\nx17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000\nx14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020\nx11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28\nx8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8\nx5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40\nx2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\nCall trace:\n xas_split_alloc+0xf8/0x128\n split_huge_page_to_list_to_order+0x1c4/0x720\n truncate_inode_partial_folio+0xdc/0x160\n truncate_inode_pages_range+0x1b4/0x4a8\n truncate_pagecache_range+0x84/0xa0\n xfs_flush_unmap_range+0x70/0x90 [xfs]\n xfs_file_fallocate+0xfc/0x4d8 [xfs]\n vfs_fallocate+0x124/0x2e8\n ksys_fallocate+0x4c/0xa0\n __arm64_sys_fallocate+0x24/0x38\n invoke_syscall.constprop.0+0x7c/0xd8\n do_el0_svc+0xb4/0xd0\n el0_svc+0x44/0x1d8\n el0t_64_sync_handler+0x134/0x150\n el0t_64_sync+0x17c/0x180\n\nFix it by skipping to allocate PMD-sized page cache when its size is\nlarger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to\nregular path where the readahead window is determined by BDI's sysfs file\n(read_ahead_kb).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41031" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41034", + "dataSource": "https://ubuntu.com/security/CVE-2024-41034", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41034" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41034", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41034", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a8879c0771a68d70ee2e5e66eea34207e8c6231", + "https://git.kernel.org/stable/c/24c1c8566a9b6be51f5347be2ea76e25fc82b11e", + "https://git.kernel.org/stable/c/298cd810d7fb687c90a14d8f9fd1b8719a7cb8a5", + "https://git.kernel.org/stable/c/60f61514374e4a0c3b65b08c6024dd7e26150bfd", + "https://git.kernel.org/stable/c/7000b438dda9d0f41a956fc9bffed92d2eb6be0d", + "https://git.kernel.org/stable/c/a9a466a69b85059b341239766a10efdd3ee68a4b", + "https://git.kernel.org/stable/c/a9e1ddc09ca55746079cc479aa3eb6411f0d99d4", + "https://git.kernel.org/stable/c/ff9767ba2cb949701e45e6e4287f8af82986b703" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix kernel bug on rename operation of broken directory\n\nSyzbot reported that in rename directory operation on broken directory on\nnilfs2, __block_write_begin_int() called to prepare block write may fail\nBUG_ON check for access exceeding the folio/page size.\n\nThis is because nilfs_dotdot(), which gets parent directory reference\nentry (\"..\") of the directory to be moved or renamed, does not check\nconsistency enough, and may return location exceeding folio/page size for\nbroken directories.\n\nFix this issue by checking required directory entries (\".\" and \"..\") in\nthe first chunk of the directory in nilfs_dotdot().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41034" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41035", + "dataSource": "https://ubuntu.com/security/CVE-2024-41035", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41035" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41035", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41035", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2bd8534a1b83c65702aec3cab164170f8e584188", + "https://git.kernel.org/stable/c/37514a5c1251a8c5c95c323f55050736e7069ac7", + "https://git.kernel.org/stable/c/60abea505b726b38232a0ef410d2bd1994a77f78", + "https://git.kernel.org/stable/c/647d61aef106dbed9c70447bcddbd4968e67ca64", + "https://git.kernel.org/stable/c/9edcf317620d7c6a8354911b69b874cf89716646", + "https://git.kernel.org/stable/c/a368ecde8a5055b627749b09c6218ef793043e47", + "https://git.kernel.org/stable/c/d09dd21bb5215d583ca9a1cb1464dbc77a7e88cf", + "https://git.kernel.org/stable/c/d8418fd083d1b90a6c007cf8dcf81aeae274727b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor\n\nSyzbot has identified a bug in usbcore (see the Closes: tag below)\ncaused by our assumption that the reserved bits in an endpoint\ndescriptor's bEndpointAddress field will always be 0. As a result of\nthe bug, the endpoint_is_duplicate() routine in config.c (and possibly\nother routines as well) may believe that two descriptors are for\ndistinct endpoints, even though they have the same direction and\nendpoint number. This can lead to confusion, including the bug\nidentified by syzbot (two descriptors with matching endpoint numbers\nand directions, where one was interrupt and the other was bulk).\n\nTo fix the bug, we will clear the reserved bits in bEndpointAddress\nwhen we parse the descriptor. (Note that both the USB-2.0 and USB-3.1\nspecs say these bits are \"Reserved, reset to zero\".) This requires us\nto make a copy of the descriptor earlier in usb_parse_endpoint() and\nuse the copy instead of the original when checking for duplicates.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41035" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41036", + "dataSource": "https://ubuntu.com/security/CVE-2024-41036", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41036" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41036", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41036", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0913ec336a6c0c4a2b296bd9f74f8e41c4c83c8c", + "https://git.kernel.org/stable/c/10fec0cd0e8f56ff06c46bb24254c7d8f8f2bbf0", + "https://git.kernel.org/stable/c/80ece00137300d74642f2038c8fe5440deaf9f05", + "https://git.kernel.org/stable/c/a0c69c492f4a8fad52f0a97565241c926160c9a4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Fix deadlock with the SPI chip variant\n\nWhen SMP is enabled and spinlocks are actually functional then there is\na deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi\nand ks8851_irq:\n\n watchdog: BUG: soft lockup - CPU#0 stuck for 27s!\n call trace:\n queued_spin_lock_slowpath+0x100/0x284\n do_raw_spin_lock+0x34/0x44\n ks8851_start_xmit_spi+0x30/0xb8\n ks8851_start_xmit+0x14/0x20\n netdev_start_xmit+0x40/0x6c\n dev_hard_start_xmit+0x6c/0xbc\n sch_direct_xmit+0xa4/0x22c\n __qdisc_run+0x138/0x3fc\n qdisc_run+0x24/0x3c\n net_tx_action+0xf8/0x130\n handle_softirqs+0x1ac/0x1f0\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x3c/0x58\n do_softirq_own_stack+0x1c/0x28\n __irq_exit_rcu+0x54/0x9c\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x38/0x50\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x64/0x68\n __netif_schedule+0x6c/0x80\n netif_tx_wake_queue+0x38/0x48\n ks8851_irq+0xb8/0x2c8\n irq_thread_fn+0x2c/0x74\n irq_thread+0x10c/0x1b0\n kthread+0xc8/0xd8\n ret_from_fork+0x10/0x20\n\nThis issue has not been identified earlier because tests were done on\na device with SMP disabled and so spinlocks were actually NOPs.\n\nNow use spin_(un)lock_bh for TX queue related locking to avoid execution\nof softirq work synchronously that would lead to a deadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41036" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41040", + "dataSource": "https://ubuntu.com/security/CVE-2024-41040", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41040" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41040", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41040", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/26488172b0292bed837b95a006a3f3431d1898c3", + "https://git.kernel.org/stable/c/2b4d68df3f57ea746c430941ba9c03d7d8b5a23f", + "https://git.kernel.org/stable/c/4e71b10a100861fb27d9c5755dfd68f615629fae", + "https://git.kernel.org/stable/c/799a34901b634008db4a7ece3900e2b971d4c932", + "https://git.kernel.org/stable/c/b81a523d54ea689414f67c9fb81a5b917a41ed55", + "https://git.kernel.org/stable/c/ef472cc6693b16b202a916482df72f35d94bd69e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix UAF when resolving a clash\n\nKASAN reports the following UAF:\n\n BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n Read of size 1 at addr ffff888c07603600 by task handler130/6469\n\n Call Trace:\n \n dump_stack_lvl+0x48/0x70\n print_address_description.constprop.0+0x33/0x3d0\n print_report+0xc0/0x2b0\n kasan_report+0xd0/0x120\n __asan_load1+0x6c/0x80\n tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n tcf_ct_act+0x886/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n __irq_exit_rcu+0x82/0xc0\n irq_exit_rcu+0xe/0x20\n common_interrupt+0xa1/0xb0\n \n \n asm_common_interrupt+0x27/0x40\n\n Allocated by task 6469:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x25/0x40\n kasan_save_alloc_info+0x1e/0x40\n __kasan_krealloc+0x133/0x190\n krealloc+0xaa/0x130\n nf_ct_ext_add+0xed/0x230 [nf_conntrack]\n tcf_ct_act+0x1095/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n\n Freed by task 6469:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x25/0x40\n kasan_save_free_info+0x2b/0x60\n ____kasan_slab_free+0x180/0x1f0\n __kasan_slab_free+0x12/0x30\n slab_free_freelist_hook+0xd2/0x1a0\n __kmem_cache_free+0x1a2/0x2f0\n kfree+0x78/0x120\n nf_conntrack_free+0x74/0x130 [nf_conntrack]\n nf_ct_destroy+0xb2/0x140 [nf_conntrack]\n __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]\n nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]\n __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]\n tcf_ct_act+0x12ad/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n\nThe ct may be dropped if a clash has been resolved but is still passed to\nthe tcf_ct_flow_table_process_conn function for further usage. This issue\ncan be fixed by retrieving ct from skb again after confirming conntrack.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41040" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41041", + "dataSource": "https://ubuntu.com/security/CVE-2024-41041", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41041" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41041", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41041", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/20ceae10623c3b29fdf7609690849475bcdebdb0", + "https://git.kernel.org/stable/c/5c0b485a8c6116516f33925b9ce5b6104a6eadfd", + "https://git.kernel.org/stable/c/7a67c4e47626e6daccda62888f8b096abb5d3940", + "https://git.kernel.org/stable/c/9f965684c57c3117cfd2f754dd3270383c529fba", + "https://git.kernel.org/stable/c/a6db0d3ea6536e7120871e5448b3032570152ec6", + "https://git.kernel.org/stable/c/c5fd77ca13d657c6e99bf04f0917445e6a80231e", + "https://git.kernel.org/stable/c/ddf516e50bf8a7bc9b3bd8a9831f9c7a8131a32a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().\n\nsyzkaller triggered the warning [0] in udp_v4_early_demux().\n\nIn udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount\nof the looked-up sk and use sock_pfree() as skb->destructor, so we check\nSOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace\nperiod.\n\nCurrently, SOCK_RCU_FREE is flagged for a bound socket after being put\ninto the hash table. Moreover, the SOCK_RCU_FREE check is done too early\nin udp_v[46]_early_demux() and sk_lookup(), so there could be a small race\nwindow:\n\n CPU1 CPU2\n ---- ----\n udp_v4_early_demux() udp_lib_get_port()\n | |- hlist_add_head_rcu()\n |- sk = __udp4_lib_demux_lookup() |\n |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));\n `- sock_set_flag(sk, SOCK_RCU_FREE)\n\nWe had the same bug in TCP and fixed it in commit 871019b22d1b (\"net:\nset SOCK_RCU_FREE before inserting socket into hashtable\").\n\nLet's apply the same fix for UDP.\n\n[0]:\nWARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nModules linked in:\nCPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nCode: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52\nRSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c\nRDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001\nRBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680\nR13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e\nFS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nPKRU: 55555554\nCall Trace:\n \n ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349\n ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624\n __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738\n netif_receive_skb_internal net/core/dev.c:5824 [inline]\n netif_receive_skb+0x271/0x300 net/core/dev.c:5884\n tun_rx_batched drivers/net/tun.c:1549 [inline]\n tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002\n tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x76f/0x8d0 fs/read_write.c:590\n ksys_write+0xbf/0x190 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x41/0x50 fs/read_write.c:652\n x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7fc44a68bc1f\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48\nRSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f\nR\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41041" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41042", + "dataSource": "https://ubuntu.com/security/CVE-2024-41042", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41042" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41042", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41042", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1947e4c3346faa8ac7e343652c0fd3b3e394202f", + "https://git.kernel.org/stable/c/31c35f9f89ef585f1edb53e17ac73a0ca4a9712b", + "https://git.kernel.org/stable/c/717c91c6ed73e248de6a15bc53adefb81446c9d0", + "https://git.kernel.org/stable/c/8246b7466c8da49d0d9e85e26cbd69dd6d3e3d1e", + "https://git.kernel.org/stable/c/9df785aeb7dcc8efd1d4110bb27d26005298ebae", + "https://git.kernel.org/stable/c/b6b6e430470e1c3c5513311cb35a15a205595abe", + "https://git.kernel.org/stable/c/cd4348e0a50286282c314ad6d2b0740e7c812c24", + "https://git.kernel.org/stable/c/cff3bd012a9512ac5ed858d38e6ed65f6391008c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prefer nft_chain_validate\n\nnft_chain_validate already performs loop detection because a cycle will\nresult in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).\n\nIt also follows maps via ->validate callback in nft_lookup, so there\nappears no reason to iterate the maps again.\n\nnf_tables_check_loops() and all its helper functions can be removed.\nThis improves ruleset load time significantly, from 23s down to 12s.\n\nThis also fixes a crash bug. Old loop detection code can result in\nunbounded recursion:\n\nBUG: TASK stack guard page was hit at ....\nOops: stack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1\n[..]\n\nwith a suitable ruleset during validation of register stores.\n\nI can't see any actual reason to attempt to check for this from\nnft_validate_register_store(), at this point the transaction is still in\nprogress, so we don't have a full picture of the rule graph.\n\nFor nf-next it might make sense to either remove it or make this depend\non table->validate_state in case we could catch an error earlier\n(for improved error reporting to userspace).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41042" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41044", + "dataSource": "https://ubuntu.com/security/CVE-2024-41044", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41044" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41044", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41044", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/099502ca410922b56353ccef2749bc0de669da78", + "https://git.kernel.org/stable/c/3134bdf7356ed952dcecb480861d2afcc1e40492", + "https://git.kernel.org/stable/c/3ba12c2afd933fc1bf800f6d3f6c7ec8f602ce56", + "https://git.kernel.org/stable/c/6e8f1c21174f9482033bbb59f13ce1a8cbe843c3", + "https://git.kernel.org/stable/c/97d1efd8be26615ff680cdde86937d5943138f37", + "https://git.kernel.org/stable/c/d683e7f3fc48f59576af34631b4fb07fd931343e", + "https://git.kernel.org/stable/c/ebc5c630457783d17d0c438b0ad70b232a64a82f", + "https://git.kernel.org/stable/c/f2aeb7306a898e1cbd03963d376f4b6656ca2b55" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: reject claimed-as-LCP but actually malformed packets\n\nSince 'ppp_async_encode()' assumes valid LCP packets (with code\nfrom 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that\nLCP packet has an actual body beyond PPP_LCP header bytes, and\nreject claimed-as-LCP but actually malformed data otherwise.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41044" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41045", + "dataSource": "https://ubuntu.com/security/CVE-2024-41045", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41045" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41045", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41045", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7aa5a19279c3639ae8b758b63f05d0c616a39fa1", + "https://git.kernel.org/stable/c/a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Defer work in bpf_timer_cancel_and_free\n\nCurrently, the same case as previous patch (two timer callbacks trying\nto cancel each other) can be invoked through bpf_map_update_elem as\nwell, or more precisely, freeing map elements containing timers. Since\nthis relies on hrtimer_cancel as well, it is prone to the same deadlock\nsituation as the previous patch.\n\nIt would be sufficient to use hrtimer_try_to_cancel to fix this problem,\nas the timer cannot be enqueued after async_cancel_and_free. Once\nasync_cancel_and_free has been done, the timer must be reinitialized\nbefore it can be armed again. The callback running in parallel trying to\narm the timer will fail, and freeing bpf_hrtimer without waiting is\nsufficient (given kfree_rcu), and bpf_timer_cb will return\nHRTIMER_NORESTART, preventing the timer from being rearmed again.\n\nHowever, there exists a UAF scenario where the callback arms the timer\nbefore entering this function, such that if cancellation fails (due to\ntimer callback invoking this routine, or the target timer callback\nrunning concurrently). In such a case, if the timer expiration is\nsignificantly far in the future, the RCU grace period expiration\nhappening before it will free the bpf_hrtimer state and along with it\nthe struct hrtimer, that is enqueued.\n\nHence, it is clear cancellation needs to occur after\nasync_cancel_and_free, and yet it cannot be done inline due to deadlock\nissues. We thus modify bpf_timer_cancel_and_free to defer work to the\nglobal workqueue, adding a work_struct alongside rcu_head (both used at\n_different_ points of time, so can share space).\n\nUpdate existing code comments to reflect the new state of affairs.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41045" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41046", + "dataSource": "https://ubuntu.com/security/CVE-2024-41046", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41046" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41046", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41046", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1a2db00a554cfda57c397cce79b2804bf9633fec", + "https://git.kernel.org/stable/c/22b16618a80858b3a9d607708444426948cc4ae1", + "https://git.kernel.org/stable/c/69ad5fa0ce7c548262e0770fc2b726fe7ab4f156", + "https://git.kernel.org/stable/c/84aaaa796a19195fc59290154fef9aeb1fba964f", + "https://git.kernel.org/stable/c/907443174e76b854d28024bd079f0e53b94dc9a1", + "https://git.kernel.org/stable/c/9d23909ae041761cb2aa0c3cb1748598d8b6bc54", + "https://git.kernel.org/stable/c/c2b66e2b3939af63699e4a4bd25a8ac4a9b1d1b3", + "https://git.kernel.org/stable/c/e1533b6319ab9c3a97dad314dd88b3783bc41b69" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: lantiq_etop: fix double free in detach\n\nThe number of the currently released descriptor is never incremented\nwhich results in the same skb being released multiple times.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41046" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41047", + "dataSource": "https://ubuntu.com/security/CVE-2024-41047", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41047" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41047", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41047", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0075b8c94d76830c7b6f018f6e4eeb0bf6465fdc", + "https://git.kernel.org/stable/c/01fc5142ae6b06b61ed51a624f2732d6525d8ea3", + "https://git.kernel.org/stable/c/4bc336b2345f1485438c0eb7246d9c8a8d09f8ff", + "https://git.kernel.org/stable/c/5266302cb2c74d8ab0e9a69d5752fffaea70496e", + "https://git.kernel.org/stable/c/b399a68054dfb36eed121846ef5fcddba40b7740" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix XDP program unloading while removing the driver\n\nThe commit 6533e558c650 (\"i40e: Fix reset path while removing\nthe driver\") introduced a new PF state \"__I40E_IN_REMOVE\" to block\nmodifying the XDP program while the driver is being removed.\nUnfortunately, such a change is useful only if the \".ndo_bpf()\"\ncallback was called out of the rmmod context because unloading the\nexisting XDP program is also a part of driver removing procedure.\nIn other words, from the rmmod context the driver is expected to\nunload the XDP program without reporting any errors. Otherwise,\nthe kernel warning with callstack is printed out to dmesg.\n\nExample failing scenario:\n 1. Load the i40e driver.\n 2. Load the XDP program.\n 3. Unload the i40e driver (using \"rmmod\" command).\n\nThe example kernel warning log:\n\n[ +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[ +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[ +0.002726] Call Trace:\n[ +0.002457] \n[ +0.002119] ? __warn+0x80/0x120\n[ +0.003245] ? unregister_netdevice_many_notify+0x7a9/0x870\n[ +0.005586] ? report_bug+0x164/0x190\n[ +0.003678] ? handle_bug+0x3c/0x80\n[ +0.003503] ? exc_invalid_op+0x17/0x70\n[ +0.003846] ? asm_exc_invalid_op+0x1a/0x20\n[ +0.004200] ? unregister_netdevice_many_notify+0x7a9/0x870\n[ +0.005579] ? unregister_netdevice_many_notify+0x3cc/0x870\n[ +0.005586] unregister_netdevice_queue+0xf7/0x140\n[ +0.004806] unregister_netdev+0x1c/0x30\n[ +0.003933] i40e_vsi_release+0x87/0x2f0 [i40e]\n[ +0.004604] i40e_remove+0x1a1/0x420 [i40e]\n[ +0.004220] pci_device_remove+0x3f/0xb0\n[ +0.003943] device_release_driver_internal+0x19f/0x200\n[ +0.005243] driver_detach+0x48/0x90\n[ +0.003586] bus_remove_driver+0x6d/0xf0\n[ +0.003939] pci_unregister_driver+0x2e/0xb0\n[ +0.004278] i40e_exit_module+0x10/0x5f0 [i40e]\n[ +0.004570] __do_sys_delete_module.isra.0+0x197/0x310\n[ +0.005153] do_syscall_64+0x85/0x170\n[ +0.003684] ? syscall_exit_to_user_mode+0x69/0x220\n[ +0.004886] ? do_syscall_64+0x95/0x170\n[ +0.003851] ? exc_page_fault+0x7e/0x180\n[ +0.003932] entry_SYSCALL_64_after_hwframe+0x71/0x79\n[ +0.005064] RIP: 0033:0x7f59dc9347cb\n[ +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83\nc8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f\n05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48\n[ +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n[ +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb\n[ +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748\n[ +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000\n[ +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000\n[ +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000\n[ +0.007151] \n[ +0.002204] ---[ end trace 0000000000000000 ]---\n\nFix this by checking if the XDP program is being loaded or unloaded.\nThen, block only loading a new program while \"__I40E_IN_REMOVE\" is set.\nAlso, move testing \"__I40E_IN_REMOVE\" flag to the beginning of XDP_SETUP\ncallback to avoid unnecessary operations and checks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41047" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41048", + "dataSource": "https://ubuntu.com/security/CVE-2024-41048", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41048" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41048", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41048", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632", + "https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc", + "https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b", + "https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97", + "https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nskmsg: Skip zero length skb in sk_msg_recvmsg\n\nWhen running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch\nplatform, the following kernel panic occurs:\n\n [...]\n Oops[#1]:\n CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18\n Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018\n ... ...\n ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560\n ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 0000000c (PPLV0 +PIE +PWE)\n EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n BADV: 0000000000000040\n PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)\n Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack\n Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)\n Stack : ...\n Call Trace:\n [<9000000004162774>] copy_page_to_iter+0x74/0x1c0\n [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560\n [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0\n [<90000000049aae34>] inet_recvmsg+0x54/0x100\n [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0\n [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0\n [<900000000481e27c>] sys_recvfrom+0x1c/0x40\n [<9000000004c076ec>] do_syscall+0x8c/0xc0\n [<9000000003731da4>] handle_syscall+0xc4/0x160\n Code: ...\n ---[ end trace 0000000000000000 ]---\n Kernel panic - not syncing: Fatal exception\n Kernel relocated by 0x3510000\n .text @ 0x9000000003710000\n .data @ 0x9000000004d70000\n .bss @ 0x9000000006469400\n ---[ end Kernel panic - not syncing: Fatal exception ]---\n [...]\n\nThis crash happens every time when running sockmap_skb_verdict_shutdown\nsubtest in sockmap_basic.\n\nThis crash is because a NULL pointer is passed to page_address() in the\nsk_msg_recvmsg(). Due to the different implementations depending on the\narchitecture, page_address(NULL) will trigger a panic on Loongarch\nplatform but not on x86 platform. So this bug was hidden on x86 platform\nfor a while, but now it is exposed on Loongarch platform. The root cause\nis that a zero length skb (skb->len == 0) was put on the queue.\n\nThis zero length skb is a TCP FIN packet, which was sent by shutdown(),\ninvoked in test_sockmap_skb_verdict_shutdown():\n\n\tshutdown(p1, SHUT_WR);\n\nIn this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no\npage is put to this sge (see sg_set_page in sg_set_page), but this empty\nsge is queued into ingress_msg list.\n\nAnd in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by\nsg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it\nto kmap_local_page() and to page_address(), then kernel panics.\n\nTo solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),\nif copy is zero, that means it's a zero length skb, skip invoking\ncopy_page_to_iter(). We are using the EFAULT return triggered by\ncopy_page_to_iter to check for is_fin in tcp_bpf.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41048" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41049", + "dataSource": "https://ubuntu.com/security/CVE-2024-41049", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41049" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41049", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41049", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/02a8964260756c70b20393ad4006948510ac9967", + "https://git.kernel.org/stable/c/116599f6a26906cf33f67975c59f0692ecf7e9b2", + "https://git.kernel.org/stable/c/1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92", + "https://git.kernel.org/stable/c/1cbbb3d9475c403ebedc327490c7c2b991398197", + "https://git.kernel.org/stable/c/432b06b69d1d354a171f7499141116536579eb6a", + "https://git.kernel.org/stable/c/5cb36e35bc10ea334810937990c2b9023dacb1b0", + "https://git.kernel.org/stable/c/7d4c14f4b511fd4c0dc788084ae59b4656ace58b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: fix potential use-after-free in posix_lock_inode\n\nLight Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().\nThe request pointer had been changed earlier to point to a lock entry\nthat was added to the inode's list. However, before the tracepoint could\nfire, another task raced in and freed that lock.\n\nFix this by moving the tracepoint inside the spinlock, which should\nensure that this doesn't happen.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41049" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41050", + "dataSource": "https://ubuntu.com/security/CVE-2024-41050", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41050" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41050", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41050", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19f4f399091478c95947f6bd7ad61622300c30d9", + "https://git.kernel.org/stable/c/35710c6c4a1c64478ec1b5e0e81d386c0844dec6", + "https://git.kernel.org/stable/c/9d3bf4e9aa23f0d9e99ebe7a94f232ddba54ee17", + "https://git.kernel.org/stable/c/de045a82e1a4e04be62718d3c2981a55150765a0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: cyclic allocation of msg_id to avoid reuse\n\nReusing the msg_id after a maliciously completed reopen request may cause\na read request to remain unprocessed and result in a hung, as shown below:\n\n t1 | t2 | t3\n-------------------------------------------------\ncachefiles_ondemand_select_req\n cachefiles_ondemand_object_is_close(A)\n cachefiles_ondemand_set_object_reopening(A)\n queue_work(fscache_object_wq, &info->work)\n ondemand_object_worker\n cachefiles_ondemand_init_object(A)\n cachefiles_ondemand_send_req(OPEN)\n // get msg_id 6\n wait_for_completion(&req_A->done)\ncachefiles_ondemand_daemon_read\n // read msg_id 6 req_A\n cachefiles_ondemand_get_fd\n copy_to_user\n // Malicious completion msg_id 6\n copen 6,-1\n cachefiles_ondemand_copen\n complete(&req_A->done)\n // will not set the object to close\n // because ondemand_id && fd is valid.\n\n // ondemand_object_worker() is done\n // but the object is still reopening.\n\n // new open req_B\n cachefiles_ondemand_init_object(B)\n cachefiles_ondemand_send_req(OPEN)\n // reuse msg_id 6\nprocess_open_req\n copen 6,A.size\n // The expected failed copen was executed successfully\n\nExpect copen to fail, and when it does, it closes fd, which sets the\nobject to close, and then close triggers reopen again. However, due to\nmsg_id reuse resulting in a successful copen, the anonymous fd is not\nclosed until the daemon exits. Therefore read requests waiting for reopen\nto complete may trigger hung task.\n\nTo avoid this issue, allocate the msg_id cyclically to avoid reusing the\nmsg_id for a very short duration of time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41050" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41055", + "dataSource": "https://ubuntu.com/security/CVE-2024-41055", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41055" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41055", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41055", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0100aeb8a12d51950418e685f879cc80cb8e5982", + "https://git.kernel.org/stable/c/797323d1cf92d09b7a017cfec576d9babf99cde7", + "https://git.kernel.org/stable/c/82f0b6f041fad768c28b4ad05a683065412c226e", + "https://git.kernel.org/stable/c/941e816185661bf2b44b488565d09444ae316509", + "https://git.kernel.org/stable/c/adccdf702b4ea913ded5ff512239e382d7473b63", + "https://git.kernel.org/stable/c/bc17f2377818dca643a74499c3f5333500c90503" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: prevent derefencing NULL ptr in pfn_section_valid()\n\nCommit 5ec8e8ea8b77 (\"mm/sparsemem: fix race in accessing\nmemory_section->usage\") changed pfn_section_valid() to add a READ_ONCE()\ncall around \"ms->usage\" to fix a race with section_deactivate() where\nms->usage can be cleared. The READ_ONCE() call, by itself, is not enough\nto prevent NULL pointer dereference. We need to check its value before\ndereferencing it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41055" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41057", + "dataSource": "https://ubuntu.com/security/CVE-2024-41057", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41057" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41057", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41057", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4", + "https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1", + "https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11", + "https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\n\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\nCall Trace:\n \n kasan_report+0x93/0xc0\n cachefiles_withdraw_cookie+0x4d9/0x600\n fscache_cookie_state_machine+0x5c8/0x1230\n fscache_cookie_worker+0x91/0x1c0\n process_one_work+0x7fa/0x1800\n [...]\n\nAllocated by task 117:\n kmalloc_trace+0x1b3/0x3c0\n cachefiles_acquire_volume+0xf3/0x9c0\n fscache_create_volume_work+0x97/0x150\n process_one_work+0x7fa/0x1800\n [...]\n\nFreed by task 120301:\n kfree+0xf1/0x2c0\n cachefiles_withdraw_cache+0x3fa/0x920\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n do_exit+0x87a/0x29b0\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n p1 | p2\n------------------------------------------------------------\n fscache_begin_lookup\n fscache_begin_volume_access\n fscache_cache_is_live(fscache_cache)\ncachefiles_daemon_release\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n fscache_withdraw_cache\n fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\n cachefiles_withdraw_objects(cache)\n fscache_wait_for_objects(fscache)\n atomic_read(&fscache_cache->object_count) == 0\n fscache_perform_lookup\n cachefiles_lookup_cookie\n cachefiles_alloc_object\n refcount_set(&object->ref, 1);\n object->volume = volume\n fscache_count_object(vcookie->cache);\n atomic_inc(&fscache_cache->object_count)\n cachefiles_withdraw_volumes\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n __cachefiles_free_volume\n kfree(cachefiles_volume)\n fscache_cookie_state_machine\n cachefiles_withdraw_cookie\n cache = object->volume->cache;\n // cachefiles_volume UAF !!!\n\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\nto complete first, and then wait for fscache_cache->object_count == 0 to\navoid the cookie exiting after the volume has been freed and triggering\nthe above issue. Therefore call fscache_withdraw_volume() before calling\ncachefiles_withdraw_objects().\n\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\ncases will occur:\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\n been executed before calling fscache_wait_for_objects().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41057" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41058", + "dataSource": "https://ubuntu.com/security/CVE-2024-41058", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41058" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41058", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41058", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/38b88d544216f806d93a273a62ff8ebe82254003", + "https://git.kernel.org/stable/c/522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36", + "https://git.kernel.org/stable/c/90f17e47f1e209c6a3c92a1d038a0a80c95c460e", + "https://git.kernel.org/stable/c/9dd7f5663899ea13a6a73216106d9c13c37453e3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in fscache_withdraw_volume()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370\nRead of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798\n\nCPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565\nCall Trace:\n kasan_check_range+0xf6/0x1b0\n fscache_withdraw_volume+0x2e1/0x370\n cachefiles_withdraw_volume+0x31/0x50\n cachefiles_withdraw_cache+0x3ad/0x900\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n\nAllocated by task 5820:\n __kmalloc+0x1df/0x4b0\n fscache_alloc_volume+0x70/0x600\n __fscache_acquire_volume+0x1c/0x610\n erofs_fscache_register_volume+0x96/0x1a0\n erofs_fscache_register_fs+0x49a/0x690\n erofs_fc_fill_super+0x6c0/0xcc0\n vfs_get_super+0xa9/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n\nFreed by task 5820:\n kfree+0xf1/0x2c0\n fscache_put_volume.part.0+0x5cb/0x9e0\n erofs_fscache_unregister_fs+0x157/0x1b0\n erofs_kill_sb+0xd9/0x1c0\n deactivate_locked_super+0xa3/0x100\n vfs_get_super+0x105/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount failed | daemon exit\n------------------------------------------------------------\n deactivate_locked_super cachefiles_daemon_release\n erofs_kill_sb\n erofs_fscache_unregister_fs\n fscache_relinquish_volume\n __fscache_relinquish_volume\n fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)\n zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n cachefiles_withdraw_volumes\n list_del_init(&volume->cache_link)\n fscache_free_volume(fscache_volume)\n cache->ops->free_volume\n cachefiles_free_volume\n list_del_init(&cachefiles_volume->cache_link);\n kfree(fscache_volume)\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n fscache_volume->n_accesses\n // fscache_volume UAF !!!\n\nThe fscache_volume in cache->volumes must not have been freed yet, but its\nreference count may be 0. So use the new fscache_try_get_volume() helper\nfunction try to get its reference count.\n\nIf the reference count of fscache_volume is 0, fscache_put_volume() is\nfreeing it, so wait for it to be removed from cache->volumes.\n\nIf its reference count is not 0, call cachefiles_withdraw_volume() with\nreference count protection to avoid the above issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41058" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41059", + "dataSource": "https://ubuntu.com/security/CVE-2024-41059", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41059" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41059", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41059", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0570730c16307a72f8241df12363f76600baf57d", + "https://git.kernel.org/stable/c/22999936b91ba545ce1fbbecae6895127945e91c", + "https://git.kernel.org/stable/c/34f8efd2743f2d961e92e8e994de4c7a2f9e74a0", + "https://git.kernel.org/stable/c/72805debec8f7aa342da194fe0ed7bc8febea335", + "https://git.kernel.org/stable/c/ad57dc2caf1e0a3c0a9904400fae7afbc9f74bb2", + "https://git.kernel.org/stable/c/c733e24a61cbcff10f660041d6d84d32bb7e4cb4", + "https://git.kernel.org/stable/c/d02d8c1dacafb28930c39e16d48e40bb6e4cbc70", + "https://git.kernel.org/stable/c/f08956d8e0f80fd0d4ad84ec917302bb2f3a9c6a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix uninit-value in copy_name\n\n[syzbot reported]\nBUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160\n sized_strscpy+0xc4/0x160\n copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411\n hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3877 [inline]\n slab_alloc_node mm/slub.c:3918 [inline]\n kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065\n kmalloc include/linux/slab.h:628 [inline]\n hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[Fix]\nWhen allocating memory to strbuf, initialize memory to 0.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41059" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41060", + "dataSource": "https://ubuntu.com/security/CVE-2024-41060", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41060" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41060", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41060", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6fb15dcbcf4f212930350eaee174bb60ed40a536", + "https://git.kernel.org/stable/c/8a500b3a5f0a58c6f99039091fbd715f64f2f8af", + "https://git.kernel.org/stable/c/a2b201f83971df03c8e81a480b2f2846ae8ce1a3", + "https://git.kernel.org/stable/c/a9100f17428cb733c4f6fbb132d98bed76318342", + "https://git.kernel.org/stable/c/f13c96e0e325a057c03f8a47734adb360e112efe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: check bo_va->bo is non-NULL before using it\n\nThe call to radeon_vm_clear_freed might clear bo_va->bo, so\nwe have to check it before dereferencing it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41060" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41061", + "dataSource": "https://ubuntu.com/security/CVE-2024-41061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0ad4b4a2f6357c45fbe444ead1a929a0b4017d03", + "https://git.kernel.org/stable/c/94166fe12543fbef122ca2d093e794ea41073a85" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport\n\n[Why]\nPotential out of bounds access in dml2_calculate_rq_and_dlg_params()\nbecause the value of out_lowest_state_idx used as an index for FCLKChangeSupport\narray can be greater than 1.\n\n[How]\nCurrently dml2 core specifies identical values for all FCLKChangeSupport\nelements. Always use index 0 in the condition to avoid out of bounds access.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41061" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41062", + "dataSource": "https://ubuntu.com/security/CVE-2024-41062", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41062" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41062", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41062", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b732449b78183d17178db40be3a4401cf3cd629", + "https://git.kernel.org/stable/c/605572e64cd9cebb05ed609d96cff05b50d18cdf", + "https://git.kernel.org/stable/c/89e856e124f9ae548572c56b1b70c2255705f8fe", + "https://git.kernel.org/stable/c/b803f30ea23e0968b6c8285c42adf0d862ab2bf6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbluetooth/l2cap: sync sock recv cb and release\n\nThe problem occurs between the system call to close the sock and hci_rx_work,\nwhere the former releases the sock and the latter accesses it without lock protection.\n\n CPU0 CPU1\n ---- ----\n sock_close hci_rx_work\n\t l2cap_sock_release hci_acldata_packet\n\t l2cap_sock_kill l2cap_recv_frame\n\t sk_free l2cap_conless_channel\n\t l2cap_sock_recv_cb\n\nIf hci_rx_work processes the data that needs to be received before the sock is\nclosed, then everything is normal; Otherwise, the work thread may access the\nreleased sock when receiving data.\n\nAdd a chan mutex in the rx callback of the sock to achieve synchronization between\nthe sock release and recv cb.\n\nSock is dead, so set chan data to NULL, avoid others use invalid sock pointer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41062" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41063", + "dataSource": "https://ubuntu.com/security/CVE-2024-41063", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41063" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41063", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41063", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d151a103775dd9645c78c97f77d6e2a5298d913", + "https://git.kernel.org/stable/c/3f939bd73fed12dddc2a32a76116c19ca47c7678", + "https://git.kernel.org/stable/c/48542881997e17b49dc16b93fe910e0cfcf7a9f9", + "https://git.kernel.org/stable/c/96600c2e5ee8213dbab5df1617293d8e847bb4fa", + "https://git.kernel.org/stable/c/9cfc84b1d464cc024286f42a090718f9067b80ed", + "https://git.kernel.org/stable/c/d2ce562a5aff1dcd0c50d9808ea825ef90da909f", + "https://git.kernel.org/stable/c/d6cbce18370641a21dd889e8613d8153df15eb39", + "https://git.kernel.org/stable/c/ddeda6ca5f218b668b560d90fc31ae469adbfd92" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: cancel all works upon hci_unregister_dev()\n\nsyzbot is reporting that calling hci_release_dev() from hci_error_reset()\ndue to hci_dev_put() from hci_error_reset() can cause deadlock at\ndestroy_workqueue(), for hci_error_reset() is called from\nhdev->req_workqueue which destroy_workqueue() needs to flush.\n\nWe need to make sure that hdev->{rx_work,cmd_work,tx_work} which are\nqueued into hdev->workqueue and hdev->{power_on,error_reset} which are\nqueued into hdev->req_workqueue are no longer running by the moment\n\n destroy_workqueue(hdev->workqueue);\n destroy_workqueue(hdev->req_workqueue);\n\nare called from hci_release_dev().\n\nCall cancel_work_sync() on these work items from hci_unregister_dev()\nas soon as hdev->list is removed from hci_dev_list.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41063" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41064", + "dataSource": "https://ubuntu.com/security/CVE-2024-41064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/033c51dfdbb6b79ab43fb3587276fa82d0a329e1", + "https://git.kernel.org/stable/c/428d940a8b6b3350b282c14d3f63350bde65c48b", + "https://git.kernel.org/stable/c/4bc246d2d60d071314842fa448faa4ed39082aff", + "https://git.kernel.org/stable/c/4fad7fef847b6028475dd7b4c14fcb82b3e51274", + "https://git.kernel.org/stable/c/8836e1bf5838ac6c08760e0a2dd7cf6410aa7ff3", + "https://git.kernel.org/stable/c/a1216e62d039bf63a539bbe718536ec789a853dd", + "https://git.kernel.org/stable/c/f23c3d1ca9c4b2d626242a4e7e1ec1770447f7b5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/eeh: avoid possible crash when edev->pdev changes\n\nIf a PCI device is removed during eeh_pe_report_edev(), edev->pdev\nwill change and can cause a crash, hold the PCI rescan/remove lock\nwhile taking a copy of edev->pdev->bus.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41064" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41065", + "dataSource": "https://ubuntu.com/security/CVE-2024-41065", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41065" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41065", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41065", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f5892212c27be31792ef1daa89c8dac1b3047e4", + "https://git.kernel.org/stable/c/1a14150e1656f7a332a943154fc486504db4d586", + "https://git.kernel.org/stable/c/1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2", + "https://git.kernel.org/stable/c/6b16098148ea58a67430d90e20476be2377c3acd", + "https://git.kernel.org/stable/c/a7b952941ce07e1e7a2cafd08c64a98e14f553e6", + "https://git.kernel.org/stable/c/e512a59b472684d8585125101ab03b86c2c1348a", + "https://git.kernel.org/stable/c/e59822f9d700349cd17968d22c979db23a2d347f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Whitelist dtl slub object for copying to userspace\n\nReading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*\nresults in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as\nshown below.\n\n kernel BUG at mm/usercopy.c:102!\n Oops: Exception in kernel mode, sig: 5 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc\n scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse\n CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85\n Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries\n NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8\n REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3)\n MSR: 8000000000029033 CR: 2828220f XER: 0000000e\n CFAR: c0000000001fdc80 IRQMASK: 0\n [ ... GPRs omitted ... ]\n NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0\n LR [c0000000005d23d0] usercopy_abort+0x74/0xb0\n Call Trace:\n usercopy_abort+0x74/0xb0 (unreliable)\n __check_heap_object+0xf8/0x120\n check_heap_object+0x218/0x240\n __check_object_size+0x84/0x1a4\n dtl_file_read+0x17c/0x2c4\n full_proxy_read+0x8c/0x110\n vfs_read+0xdc/0x3a0\n ksys_read+0x84/0x144\n system_call_exception+0x124/0x330\n system_call_vectored_common+0x15c/0x2ec\n --- interrupt: 3000 at 0x7fff81f3ab34\n\nCommit 6d07d1cd300f (\"usercopy: Restrict non-usercopy caches to size 0\")\nrequires that only whitelisted areas in slab/slub objects can be copied to\nuserspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.\nDtl contains hypervisor dispatch events which are expected to be read by\nprivileged users. Hence mark this safe for user access.\nSpecify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the\nentire object.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41065" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41066", + "dataSource": "https://ubuntu.com/security/CVE-2024-41066", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41066" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41066", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41066", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0983d288caf984de0202c66641577b739caad561", + "https://git.kernel.org/stable/c/16ad1557cae582e79bb82dddd612d9bdfaa11d4c", + "https://git.kernel.org/stable/c/267c61c4afed0ff9a2e83462abad3f41d8ca1f06", + "https://git.kernel.org/stable/c/e7b75def33eae61ddaad6cb616c517dc3882eb2a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Add tx check to prevent skb leak\n\nBelow is a summary of how the driver stores a reference to an skb during\ntransmit:\n tx_buff[free_map[consumer_index]]->skb = new_skb;\n free_map[consumer_index] = IBMVNIC_INVALID_MAP;\n consumer_index ++;\nWhere variable data looks like this:\n free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]\n \tconsumer_index^\n tx_buff == [skb=null, skb=, skb=, skb=null, skb=null]\n\nThe driver has checks to ensure that free_map[consumer_index] pointed to\na valid index but there was no check to ensure that this index pointed\nto an unused/null skb address. So, if, by some chance, our free_map and\ntx_buff lists become out of sync then we were previously risking an\nskb memory leak. This could then cause tcp congestion control to stop\nsending packets, eventually leading to ETIMEDOUT.\n\nTherefore, add a conditional to ensure that the skb address is null. If\nnot then warn the user (because this is still a bug that should be\npatched) and free the old pointer to prevent memleak/tcp problems.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41066" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41067", + "dataSource": "https://ubuntu.com/security/CVE-2024-41067", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41067" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41067", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41067", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72", + "https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: scrub: handle RST lookup error correctly\n\n[BUG]\nWhen running btrfs/060 with forced RST feature, it would crash the\nfollowing ASSERT() inside scrub_read_endio():\n\n\tASSERT(sector_nr < stripe->nr_sectors);\n\nBefore that, we would have tree dump from\nbtrfs_get_raid_extent_offset(), as we failed to find the RST entry for\nthe range.\n\n[CAUSE]\nInside scrub_submit_extent_sector_read() every time we allocated a new\nbbio we immediately called btrfs_map_block() to make sure there was some\nRST range covering the scrub target.\n\nBut if btrfs_map_block() fails, we immediately call endio for the bbio,\nwhile the bbio is newly allocated, it's completely empty.\n\nThen inside scrub_read_endio(), we go through the bvecs to find\nthe sector number (as bi_sector is no longer reliable if the bio is\nsubmitted to lower layers).\n\nAnd since the bio is empty, such bvecs iteration would not find any\nsector matching the sector, and return sector_nr == stripe->nr_sectors,\ntriggering the ASSERT().\n\n[FIX]\nInstead of calling btrfs_map_block() after allocating a new bbio, call\nbtrfs_map_block() first.\n\nSince our only objective of calling btrfs_map_block() is only to update\nstripe_len, there is really no need to do that after btrfs_alloc_bio().\n\nThis new timing would avoid the problem of handling empty bbio\ncompletely, and in fact fixes a possible race window for the old code,\nwhere if the submission thread is the only owner of the pending_io, the\nscrub would never finish (since we didn't decrease the pending_io\ncounter).\n\nAlthough the root cause of RST lookup failure still needs to be\naddressed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41067" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41068", + "dataSource": "https://ubuntu.com/security/CVE-2024-41068", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41068" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41068", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41068", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a31b3fdc7e735c4f8c65fe4339945c717ed6808", + "https://git.kernel.org/stable/c/2e51db7ab71b89dc5a17068f5e201c69f13a4c9a", + "https://git.kernel.org/stable/c/455a6653d8700a81aa8ed2b6442a3be476007090", + "https://git.kernel.org/stable/c/6434b33faaa063df500af355ee6c3942e0f8d982", + "https://git.kernel.org/stable/c/79b4be70d5a160969b805f638ac5b4efd0aac7a3", + "https://git.kernel.org/stable/c/a778987afc36d5dc02a1f82d352a81edcaf7eb83", + "https://git.kernel.org/stable/c/be0259796d0b76bbc7461e12c186814a9e58244c", + "https://git.kernel.org/stable/c/cf521049fcd07071ed42dc9758fce7d5ee120ec6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Fix sclp_init() cleanup on failure\n\nIf sclp_init() fails it only partially cleans up: if there are multiple\nfailing calls to sclp_init() sclp_state_change_event will be added several\ntimes to sclp_reg_list, which results in the following warning:\n\n------------[ cut here ]------------\nlist_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10.\nWARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3\nKrnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8)\n R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3\n...\nCall Trace:\n [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8\n([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8)\n [<000003ffe0a8d37e>] sclp_init+0x40e/0x450\n [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0\n [<000003ffe15b77a6>] do_initcalls+0x126/0x150\n [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8\n [<000003ffe0d6650e>] kernel_init+0x2e/0x180\n [<000003ffe000301c>] __ret_from_fork+0x3c/0x60\n [<000003ffe0d759ca>] ret_from_fork+0xa/0x30\n\nFix this by removing sclp_state_change_event from sclp_reg_list when\nsclp_init() fails.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41068" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41069", + "dataSource": "https://ubuntu.com/security/CVE-2024-41069", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41069" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41069", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41069", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1", + "https://git.kernel.org/stable/c/ab5a6208b4d6872b1c6ecea1867940fc668cc76d", + "https://git.kernel.org/stable/c/b188d7f3dfab10e332e3c1066e18857964a520d2", + "https://git.kernel.org/stable/c/ccae5c6a1fab9494c86b7856faf05e296c617702" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: topology: Fix references to freed memory\n\nMost users after parsing a topology file, release memory used by it, so\nhaving pointer references directly into topology file contents is wrong.\nUse devm_kmemdup(), to allocate memory as needed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41069" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41070", + "dataSource": "https://ubuntu.com/security/CVE-2024-41070", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41070" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41070", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41070", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0", + "https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a", + "https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf", + "https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe", + "https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63", + "https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47", + "https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()\n\nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().\n\nIt looks up `stt` from tablefd, but then continues to use it after doing\nfdput() on the returned fd. After the fdput() the tablefd is free to be\nclosed by another thread. The close calls kvm_spapr_tce_release() and\nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.\n\nAlthough there are calls to rcu_read_lock() in\nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent\nthe UAF, because `stt` is used outside the locked regions.\n\nWith an artifcial delay after the fdput() and a userspace program which\ntriggers the race, KASAN detects the UAF:\n\n BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505\n CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1\n Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV\n Call Trace:\n dump_stack_lvl+0xb4/0x108 (unreliable)\n print_report+0x2b4/0x6ec\n kasan_report+0x118/0x2b0\n __asan_load4+0xb8/0xd0\n kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n kvm_vfio_set_attr+0x524/0xac0 [kvm]\n kvm_device_ioctl+0x144/0x240 [kvm]\n sys_ioctl+0x62c/0x1810\n system_call_exception+0x190/0x440\n system_call_vectored_common+0x15c/0x2ec\n ...\n Freed by task 0:\n ...\n kfree+0xec/0x3e0\n release_spapr_tce_table+0xd4/0x11c [kvm]\n rcu_core+0x568/0x16a0\n handle_softirqs+0x23c/0x920\n do_softirq_own_stack+0x6c/0x90\n do_softirq_own_stack+0x58/0x90\n __irq_exit_rcu+0x218/0x2d0\n irq_exit+0x30/0x80\n arch_local_irq_restore+0x128/0x230\n arch_local_irq_enable+0x1c/0x30\n cpuidle_enter_state+0x134/0x5cc\n cpuidle_enter+0x6c/0xb0\n call_cpuidle+0x7c/0x100\n do_idle+0x394/0x410\n cpu_startup_entry+0x60/0x70\n start_secondary+0x3fc/0x410\n start_secondary_prolog+0x10/0x14\n\nFix it by delaying the fdput() until `stt` is no longer in use, which\nis effectively the entire function. To keep the patch minimal add a call\nto fdput() at each of the existing return paths. Future work can convert\nthe function to goto or __cleanup style cleanup.\n\nWith the fix in place the test case no longer triggers the UAF.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41070" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41071", + "dataSource": "https://ubuntu.com/security/CVE-2024-41071", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41071" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41071", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41071", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2663d0462eb32ae7c9b035300ab6b1523886c718", + "https://git.kernel.org/stable/c/4f43a614b1b84f0d1e3c48cc541c3bfdf414a6d0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Avoid address calculations via out of bounds array indexing\n\nreq->n_channels must be set before req->channels[] can be used.\n\nThis patch fixes one of the issues encountered in [1].\n\n[ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4\n[ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'\n[...]\n[ 83.964264] Call Trace:\n[ 83.964267] \n[ 83.964269] dump_stack_lvl+0x3f/0xc0\n[ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110\n[ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0\n[ 83.964281] __ieee80211_start_scan+0x601/0x990\n[ 83.964291] nl80211_trigger_scan+0x874/0x980\n[ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160\n[ 83.964298] genl_rcv_msg+0x240/0x270\n[...]\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41071" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41072", + "dataSource": "https://ubuntu.com/security/CVE-2024-41072", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41072" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41072", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41072", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/001120ff0c9e3557dee9b5ee0d358e0fc189996f", + "https://git.kernel.org/stable/c/35cee10ccaee5bd451a480521bbc25dc9f07fa5b", + "https://git.kernel.org/stable/c/6295bad58f988eaafcf0e6f8b198a580398acb3b", + "https://git.kernel.org/stable/c/6ef09cdc5ba0f93826c09d810c141a8d103a80fc", + "https://git.kernel.org/stable/c/a43cc0558530b6c065976b6b9246f512f8d3593b", + "https://git.kernel.org/stable/c/b02ba9a0b55b762bd04743a22f3d9f9645005e79", + "https://git.kernel.org/stable/c/de5fcf757e33596eed32de170ce5a93fa44dd2ac", + "https://git.kernel.org/stable/c/fe9644efd86704afe50e56b64b609de340ab7c95" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: wext: add extra SIOCSIWSCAN data check\n\nIn 'cfg80211_wext_siwscan()', add extra check whether number of\nchannels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed\nIW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41072" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41073", + "dataSource": "https://ubuntu.com/security/CVE-2024-41073", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41073" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41073", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41073", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1b9fd1265fac85916f90b4648de02adccdb7220b", + "https://git.kernel.org/stable/c/ae84383c96d6662c24697ab6b44aae855ab670aa", + "https://git.kernel.org/stable/c/c5942a14f795de957ae9d66027aac8ff4fe70057", + "https://git.kernel.org/stable/c/e5d574ab37f5f2e7937405613d9b1a724811e5ad", + "https://git.kernel.org/stable/c/f3ab45aacd25d957547fb6d115c1574c20964b3b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: avoid double free special payload\n\nIf a discard request needs to be retried, and that retry may fail before\na new special payload is added, a double free will result. Clear the\nRQF_SPECIAL_LOAD when the request is cleaned.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41073" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41074", + "dataSource": "https://ubuntu.com/security/CVE-2024-41074", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41074" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41074", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41074", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0845c553db11c84ff53fccd59da11b6d6ece4a60", + "https://git.kernel.org/stable/c/4f8703fb3482f92edcfd31661857b16fec89c2c0", + "https://git.kernel.org/stable/c/703bea37d13e4ccdafd17ae7c4cb583752ba7663", + "https://git.kernel.org/stable/c/c32ee78fbc670e6f90989a45d340748e34cad333" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: Set object to close if ondemand_id < 0 in copen\n\nIf copen is maliciously called in the user mode, it may delete the request\ncorresponding to the random id. And the request may have not been read yet.\n\nNote that when the object is set to reopen, the open request will be done\nwith the still reopen state in above case. As a result, the request\ncorresponding to this object is always skipped in select_req function, so\nthe read request is never completed and blocks other process.\n\nFix this issue by simply set object to close if its id < 0 in copen.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41074" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41075", + "dataSource": "https://ubuntu.com/security/CVE-2024-41075", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41075" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41075", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41075", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/36d845ccd7bf527110a65fe953886a176c209539", + "https://git.kernel.org/stable/c/3b744884c0431b5a62c92900e64bfd0ed61e8e2a", + "https://git.kernel.org/stable/c/8aaa6c5dd2940ab934d6cd296175f43dbb32b34a", + "https://git.kernel.org/stable/c/a26dc49df37e996876f50a0210039b2d211fdd6f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: add consistency check for copen/cread\n\nThis prevents malicious processes from completing random copen/cread\nrequests and crashing the system. Added checks are listed below:\n\n * Generic, copen can only complete open requests, and cread can only\n complete read requests.\n * For copen, ondemand_id must not be 0, because this indicates that the\n request has not been read by the daemon.\n * For cread, the object corresponding to fd and req should be the same.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41075" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41076", + "dataSource": "https://ubuntu.com/security/CVE-2024-41076", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41076" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41076", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41076", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/899604a7c958771840941caff9ee3dd8193d984c", + "https://git.kernel.org/stable/c/aad11473f8f4be3df86461081ce35ec5b145ba68", + "https://git.kernel.org/stable/c/b98090699319e64f5de1e8db5bb75870f1eb1c6e", + "https://git.kernel.org/stable/c/d130220ccc94d74d70da984a199477937e7bf03c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix memory leak in nfs4_set_security_label\n\nWe leak nfs_fattr and nfs4_label every time we set a security xattr.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41076" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41077", + "dataSource": "https://ubuntu.com/security/CVE-2024-41077", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41077" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41077", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41077", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7", + "https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e", + "https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1", + "https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0", + "https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053", + "https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix validation of block size\n\nBlock size should be between 512 and PAGE_SIZE and be a power of 2. The current\ncheck does not validate this, so update the check.\n\nWithout this patch, null_blk would Oops due to a null pointer deref when\nloaded with bs=1536 [1].\n\n\n[axboe: remove unnecessary braces and != 0 check]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41077" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41078", + "dataSource": "https://ubuntu.com/security/CVE-2024-41078", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41078" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41078", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41078", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5ef3961682e5310f2221bae99bcf9f5d0f4b0d51", + "https://git.kernel.org/stable/c/7dd6a5b96157a21245566b21fd58276a214357ff", + "https://git.kernel.org/stable/c/8a69529f22590b67bb018de9acbcf94abc8603cf", + "https://git.kernel.org/stable/c/94818bdb00ef34a996a06aa63d11f591074cb757", + "https://git.kernel.org/stable/c/a7e4c6a3031c74078dba7fa36239d0f4fe476c53", + "https://git.kernel.org/stable/c/f88aeff5a173e8ba3133314eb4b964236ef3589d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix quota root leak after quota disable failure\n\nIf during the quota disable we fail when cleaning the quota tree or when\ndeleting the root from the root tree, we jump to the 'out' label without\never dropping the reference on the quota root, resulting in a leak of the\nroot since fs_info->quota_root is no longer pointing to the root (we have\nset it to NULL just before those steps).\n\nFix this by always doing a btrfs_put_root() call under the 'out' label.\nThis is a problem that exists since qgroups were first added in 2012 by\ncommit bed92eae26cc (\"Btrfs: qgroup implementation and prototypes\"), but\nback then we missed a kfree on the quota root and free_extent_buffer()\ncalls on its root and commit root nodes, since back then roots were not\nyet reference counted.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41078" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41079", + "dataSource": "https://ubuntu.com/security/CVE-2024-41079", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41079" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41079", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41079", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319", + "https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d", + "https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2", + "https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: always initialize cqe.result\n\nThe spec doesn't mandate that the first two double words (aka results)\nfor the command queue entry need to be set to 0 when they are not\nused (not specified). Though, the target implemention returns 0 for TCP\nand FC but not for RDMA.\n\nLet's make RDMA behave the same and thus explicitly initializing the\nresult field. This prevents leaking any data from the stack.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41079" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41080", + "dataSource": "https://ubuntu.com/security/CVE-2024-41080", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41080" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41080", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41080", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf", + "https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix possible deadlock in io_register_iowq_max_workers()\n\nThe io_register_iowq_max_workers() function calls io_put_sq_data(),\nwhich acquires the sqd->lock without releasing the uring_lock.\nSimilar to the commit 009ad9f0c6ee (\"io_uring: drop ctx->uring_lock\nbefore acquiring sqd->lock\"), this can lead to a potential deadlock\nsituation.\n\nTo resolve this issue, the uring_lock is released before calling\nio_put_sq_data(), and then it is re-acquired after the function call.\n\nThis change ensures that the locks are acquired in the correct\norder, preventing the possibility of a deadlock.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41080" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41081", + "dataSource": "https://ubuntu.com/security/CVE-2024-41081", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41081" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41081", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41081", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/522c3336c2025818fa05e9daf0ac35711e55e316", + "https://git.kernel.org/stable/c/7435bd2f84a25aba607030237261b3795ba782da", + "https://git.kernel.org/stable/c/96103371091c6476eb07f4c66624bdd1b42f758a", + "https://git.kernel.org/stable/c/9f9c79d8e527d867e0875868b14fb76e6011e70c", + "https://git.kernel.org/stable/c/a0cafb7b0b94d18e4813ee4b712a056f280e7b5a", + "https://git.kernel.org/stable/c/b4eb25a3d70df925a9fa4e82d17a958a0a228f5f", + "https://git.kernel.org/stable/c/cf28ff8e4c02e1ffa850755288ac954b6ff0db8c", + "https://git.kernel.org/stable/c/feac2391e26b086f73be30e9b1ab215eada8d830" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: block BH in ila_output()\n\nAs explained in commit 1378817486d6 (\"tipc: block BH\nbefore using dst_cache\"), net/core/dst_cache.c\nhelpers need to be called with BH disabled.\n\nila_output() is called from lwtunnel_output()\npossibly from process context, and under rcu_read_lock().\n\nWe might be interrupted by a softirq, re-enter ila_output()\nand corrupt dst_cache data structures.\n\nFix the race by using local_bh_disable().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41081" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41082", + "dataSource": "https://ubuntu.com/security/CVE-2024-41082", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41082" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41082", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41082", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/165da9c67a26f08c9b956c15d701da7690f45bcb", + "https://git.kernel.org/stable/c/7dc3bfcb4c9cc58970fff6aaa48172cb224d85aa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fabrics: use reserved tag for reg read/write command\n\nIn some scenarios, if too many commands are issued by nvme command in\nthe same time by user tasks, this may exhaust all tags of admin_q. If\na reset (nvme reset or IO timeout) occurs before these commands finish,\nreconnect routine may fail to update nvme regs due to insufficient tags,\nwhich will cause kernel hang forever. In order to workaround this issue,\nmaybe we can let reg_read32()/reg_read64()/reg_write32() use reserved\ntags. This maybe safe for nvmf:\n\n1. For the disable ctrl path, we will not issue connect command\n2. For the enable ctrl / fw activate path, since connect and reg_xx()\n are called serially.\n\nSo the reserved tags may still be enough while reg_xx() use reserved tags.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41082" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41087", + "dataSource": "https://ubuntu.com/security/CVE-2024-41087", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41087" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41087", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41087", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/010de9acbea58fbcbda08e3793d6262086a493fe", + "https://git.kernel.org/stable/c/062e256516d7db5e7dcdef117f52025cd5c456e3", + "https://git.kernel.org/stable/c/290073b2b557e4dc21ee74a1e403d9ae79e393a2", + "https://git.kernel.org/stable/c/56f1c7e290cd6c69c948fcd2e2a49e6a637ec38f", + "https://git.kernel.org/stable/c/5dde5f8b790274723640d29a07c5a97d57d62047", + "https://git.kernel.org/stable/c/702c1edbafb2e6f9d20f6d391273b5be09d366a5", + "https://git.kernel.org/stable/c/8106da4d88bbaed809e023cc8014b766223d6e76", + "https://git.kernel.org/stable/c/ab9e0c529eb7cafebdd31fe1644524e80a48b05d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Fix double free on error\n\nIf e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump\nto the err_out label, which will call devres_release_group().\ndevres_release_group() will trigger a call to ata_host_release().\nata_host_release() calls kfree(host), so executing the kfree(host) in\nata_host_alloc() will lead to a double free:\n\nkernel BUG at mm/slub.c:553!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:kfree+0x2cf/0x2f0\nCode: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da\nRSP: 0018:ffffc90000f377f0 EFLAGS: 00010246\nRAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320\nRDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0\nRBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780\nR13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006\nFS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? __die_body.cold+0x19/0x27\n ? die+0x2e/0x50\n ? do_trap+0xca/0x110\n ? do_error_trap+0x6a/0x90\n ? kfree+0x2cf/0x2f0\n ? exc_invalid_op+0x50/0x70\n ? kfree+0x2cf/0x2f0\n ? asm_exc_invalid_op+0x1a/0x20\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? kfree+0x2cf/0x2f0\n ata_host_alloc+0xf5/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\n\nEnsure that we will not call kfree(host) twice, by performing the kfree()\nonly if the devres_open_group() call failed.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41087" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41088", + "dataSource": "https://ubuntu.com/security/CVE-2024-41088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41088", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3e72558c1711d524e3150103739ddd06650e291b", + "https://git.kernel.org/stable/c/6c6b4afa59c2fb4d1759235f866d8caed2aa4729", + "https://git.kernel.org/stable/c/d8fb63e46c884c898a38f061c2330f7729e75510", + "https://git.kernel.org/stable/c/f926c022ebaabf7963bebf89a97201d66978a025" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251xfd: fix infinite loop when xmit fails\n\nWhen the mcp251xfd_start_xmit() function fails, the driver stops\nprocessing messages, and the interrupt routine does not return,\nrunning indefinitely even after killing the running application.\n\nError messages:\n[ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16\n[ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3).\n... and repeat forever.\n\nThe issue can be triggered when multiple devices share the same SPI\ninterface. And there is concurrent access to the bus.\n\nThe problem occurs because tx_ring->head increments even if\nmcp251xfd_start_xmit() fails. Consequently, the driver skips one TX\npackage while still expecting a response in\nmcp251xfd_handle_tefif_one().\n\nResolve the issue by starting a workqueue to write the tx obj\nsynchronously if err = -EBUSY. In case of another error, decrement\ntx_ring->head, remove skb from the echo stack, and drop the message.\n\n[mkl: use more imperative wording in patch description]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41088" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41089", + "dataSource": "https://ubuntu.com/security/CVE-2024-41089", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41089" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41089", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41089", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1c9f2e60150b4f13789064370e37f39e6e060f50", + "https://git.kernel.org/stable/c/30cbf6ffafbbdd8a6e4e5f0a2e9a9827ee83f3ad", + "https://git.kernel.org/stable/c/56fc4d3b0bdef691831cd95715a7ca3ebea98b2d", + "https://git.kernel.org/stable/c/5eecb49a6c268dc229005bf6e8167d4001dc09a0", + "https://git.kernel.org/stable/c/6d411c8ccc0137a612e0044489030a194ff5c843", + "https://git.kernel.org/stable/c/6e49a157d541e7e97b815a56f4bdfcbc89844a59", + "https://git.kernel.org/stable/c/7ece609b0ce7a7ea8acdf512a77d1fee26621637", + "https://git.kernel.org/stable/c/ffabad4aa91e33ced3c6ae793fb37771b3e9cb51" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes\n\nIn nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().\nAdd a check to avoid null pointer dereference.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41089" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41090", + "dataSource": "https://ubuntu.com/security/CVE-2024-41090", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41090" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41090", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41090", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/73d462a38d5f782b7c872fe9ae8393d9ef5483da", + "https://git.kernel.org/stable/c/7431144b406ae82807eb87d8c98e518475b0450f", + "https://git.kernel.org/stable/c/8be915fc5ff9a5e296f6538be12ea75a1a93bdea", + "https://git.kernel.org/stable/c/aa6a5704cab861c9b2ae9f475076e1881e87f5aa", + "https://git.kernel.org/stable/c/e1a786b9bbb767fd1c922d424aaa8078cc542309", + "https://git.kernel.org/stable/c/e5e5e63c506b93b89b01f522b6a7343585f784e6", + "https://git.kernel.org/stable/c/ed7f2afdd0e043a397677e597ced0830b83ba0b3", + "https://git.kernel.org/stable/c/ee93e6da30377cf2a75e16cd32bb9fcd86a61c46" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntap: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tap_get_user_xdp() path, which could cause a corrupted skb to be\nsent downstack. Even before the skb is transmitted, the\ntap_get_user_xdp()-->skb_set_network_header() may assume the size is more\nthan ETH_HLEN. Once transmitted, this could either cause out-of-bound\naccess beyond the actual length, or confuse the underlayer with incorrect\nor inconsistent header length in the skb metadata.\n\nIn the alternative path, tap_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tap_get_user() does.\n\nCVE: CVE-2024-41090", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41090" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41091", + "dataSource": "https://ubuntu.com/security/CVE-2024-41091", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41091" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41091", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41091", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3", + "https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9", + "https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2", + "https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319", + "https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5", + "https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb", + "https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146", + "https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tun_xdp_one() path, which could cause a corrupted skb to be sent\ndownstack. Even before the skb is transmitted, the\ntun_xdp_one-->eth_type_trans() may access the Ethernet header although it\ncan be less than ETH_HLEN. Once transmitted, this could either cause\nout-of-bound access beyond the actual length, or confuse the underlayer\nwith incorrect or inconsistent header length in the skb metadata.\n\nIn the alternative path, tun_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted for\nIFF_TAP.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tun_get_user() does.\n\nCVE: CVE-2024-41091", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41091" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41092", + "dataSource": "https://ubuntu.com/security/CVE-2024-41092", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41092" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41092", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41092", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7", + "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d", + "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc", + "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50", + "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6", + "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix potential UAF by revoke of fence registers\n\nCI has been sporadically reporting the following issue triggered by\nigt@i915_selftest@live@hangcheck on ADL-P and similar machines:\n\n<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence\n...\n<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled\n<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled\n<3> [414.070354] Unable to pin Y-tiled fence; err:-4\n<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))\n...\n<4>[ 609.603992] ------------[ cut here ]------------\n<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!\n<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1\n<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]\n<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]\n...\n<4>[ 609.604271] Call Trace:\n<4>[ 609.604273] \n...\n<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]\n<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]\n<4>[ 609.604977] force_unbind+0x24/0xa0 [i915]\n<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]\n<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]\n<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]\n<4>[ 609.605440] process_scheduled_works+0x351/0x690\n...\n\nIn the past, there were similar failures reported by CI from other IGT\ntests, observed on other platforms.\n\nBefore commit 63baf4f3d587 (\"drm/i915/gt: Only wait for GPU activity\nbefore unbinding a GGTT fence\"), i915_vma_revoke_fence() was waiting for\nidleness of vma->active via fence_update(). That commit introduced\nvma->fence->active in order for the fence_update() to be able to wait\nselectively on that one instead of vma->active since only idleness of\nfence registers was needed. But then, another commit 0d86ee35097a\n(\"drm/i915/gt: Make fence revocation unequivocal\") replaced the call to\nfence_update() in i915_vma_revoke_fence() with only fence_write(), and\nalso added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.\nNo justification was provided on why we might then expect idleness of\nvma->fence->active without first waiting on it.\n\nThe issue can be potentially caused by a race among revocation of fence\nregisters on one side and sequential execution of signal callbacks invoked\non completion of a request that was using them on the other, still\nprocessed in parallel to revocation of those fence registers. Fix it by\nwaiting for idleness of vma->fence->active in i915_vma_revoke_fence().\n\n(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41092" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41093", + "dataSource": "https://ubuntu.com/security/CVE-2024-41093", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41093" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41093", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41093", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/330c8c1453848c04d335bad81371a66710210800", + "https://git.kernel.org/stable/c/6ce0544cabaa608018d5922ab404dc656a9d8447", + "https://git.kernel.org/stable/c/7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc", + "https://git.kernel.org/stable/c/bcfa48ff785bd121316592b131ff6531e3e696bb", + "https://git.kernel.org/stable/c/dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid using null object of framebuffer\n\nInstead of using state->fb->obj[0] directly, get object from framebuffer\nby calling drm_gem_fb_get_obj() and return error code when object is\nnull to avoid using null object of framebuffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41093" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41095", + "dataSource": "https://ubuntu.com/security/CVE-2024-41095", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41095" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41095", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41095", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0d17604f2e44b3df21e218fe8fb3b836d41bac49", + "https://git.kernel.org/stable/c/259549b2ccf795b7f91f7b5aba47286addcfa389", + "https://git.kernel.org/stable/c/66edf3fb331b6c55439b10f9862987b0916b3726", + "https://git.kernel.org/stable/c/9289cd3450d1da3e271ef4b054d4d2932c41243e", + "https://git.kernel.org/stable/c/bdda5072494f2a7215d94fc4124ad1949a218714", + "https://git.kernel.org/stable/c/cb751e48bbcffd292090f7882b23b215111b3d72", + "https://git.kernel.org/stable/c/dbd75f32252508ed6c46c3288a282c301a57ceeb", + "https://git.kernel.org/stable/c/f95ed0f54b3d3faecae1140ddab854f904a6e7c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes\n\nIn nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41095" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41097", + "dataSource": "https://ubuntu.com/security/CVE-2024-41097", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41097" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41097", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41097", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1aac4be1aaa5177506219f01dce5e29194e5e95a", + "https://git.kernel.org/stable/c/23926d316d2836315cb113569f91393266eb5b47", + "https://git.kernel.org/stable/c/2eabb655a968b862bc0c31629a09f0fbf3c80d51", + "https://git.kernel.org/stable/c/5159a81924311c1ec786ad9fdef784ead8676a6a", + "https://git.kernel.org/stable/c/5584c776a1af7807ca815ee6265f2c1429fc5727", + "https://git.kernel.org/stable/c/75ddbf776dd04a09fb9e5267ead5d0c989f84506", + "https://git.kernel.org/stable/c/ac9007520e392541a29daebaae8b9109007bc781", + "https://git.kernel.org/stable/c/f536f09eb45e4de8d1b9accee9d992aa1846f1d4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: atm: cxacru: fix endpoint checking in cxacru_bind()\n\nSyzbot is still reporting quite an old issue [1] that occurs due to\nincomplete checking of present usb endpoints. As such, wrong\nendpoints types may be used at urb sumbitting stage which in turn\ntriggers a warning in usb_submit_urb().\n\nFix the issue by verifying that required endpoint types are present\nfor both in and out endpoints, taking into account cmd endpoint type.\n\nUnfortunately, this patch has not been tested on real hardware.\n\n[1] Syzbot report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\n...\nCall Trace:\n cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649\n cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760\n cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209\n usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055\n cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363\n usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:517 [inline]\n really_probe+0x23c/0xcd0 drivers/base/dd.c:595\n __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777\n __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894\n bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427\n __device_attach+0x228/0x4a0 drivers/base/dd.c:965\n bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487\n device_add+0xc2f/0x2180 drivers/base/core.c:3354\n usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41097" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41098", + "dataSource": "https://ubuntu.com/security/CVE-2024-41098", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41098" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41098", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41098", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/119c97ace2a9ffcf4dc09a23bb057d6c281aff28", + "https://git.kernel.org/stable/c/5d92c7c566dc76d96e0e19e481d926bbe6631c1e", + "https://git.kernel.org/stable/c/8a8ff7e3b736a70d7b7c8764cbcd2724d4079ec8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Fix null pointer dereference on error\n\nIf the ata_port_alloc() call in ata_host_alloc() fails,\nata_host_release() will get called.\n\nHowever, the code in ata_host_release() tries to free ata_port struct\nmembers unconditionally, which can lead to the following:\n\nBUG: unable to handle page fault for address: 0000000000003990\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]\nCode: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41\nRSP: 0018:ffffc90000ebb968 EFLAGS: 00010246\nRAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0\nRBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68\nR10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004\nR13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006\nFS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0x15a/0x2f0\n ? exc_page_fault+0x7e/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? ata_host_release.cold+0x2f/0x6e [libata]\n ? ata_host_release.cold+0x2f/0x6e [libata]\n release_nodes+0x35/0xb0\n devres_release_group+0x113/0x140\n ata_host_alloc+0xed/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\n\nDo not access ata_port struct members unconditionally.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41098" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42063", + "dataSource": "https://ubuntu.com/security/CVE-2024-42063", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42063" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42063", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42063", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3189983c26108cf0990e5c46856dc9feb9470d12", + "https://git.kernel.org/stable/c/b30f3197a6cd080052d5d4973f9a6b479fd9fff5", + "https://git.kernel.org/stable/c/d812ae6e02bd6e6a9cd1fdb09519c2f33e875faf", + "https://git.kernel.org/stable/c/e8742081db7d01f980c6161ae1e8a1dbc1e30979" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode\n\nsyzbot reported uninit memory usages during map_{lookup,delete}_elem.\n\n==========\nBUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\nBUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\n__dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\ndev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\n____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]\nbpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38\n___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n__bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237\n==========\n\nThe reproducer should be in the interpreter mode.\n\nThe C reproducer is trying to run the following bpf prog:\n\n 0: (18) r0 = 0x0\n 2: (18) r1 = map[id:49]\n 4: (b7) r8 = 16777216\n 5: (7b) *(u64 *)(r10 -8) = r8\n 6: (bf) r2 = r10\n 7: (07) r2 += -229\n ^^^^^^^^^^\n\n 8: (b7) r3 = 8\n 9: (b7) r4 = 0\n 10: (85) call dev_map_lookup_elem#1543472\n 11: (95) exit\n\nIt is due to the \"void *key\" (r2) passed to the helper. bpf allows uninit\nstack memory access for bpf prog with the right privileges. This patch\nuses kmsan_unpoison_memory() to mark the stack as initialized.\n\nThis should address different syzbot reports on the uninit \"void *key\"\nargument during map_{lookup,delete}_elem.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42063" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42064", + "dataSource": "https://ubuntu.com/security/CVE-2024-42064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/27df59c6071470efce7182ee92fbb16afba551e0", + "https://git.kernel.org/stable/c/af114efe8d24b5711cfbedf7180f2ac1a296c24b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip pipe if the pipe idx not set properly\n\n[why]\nDriver crashes when pipe idx not set properly\n\n[how]\nAdd code to skip the pipe that idx not set properly", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42064" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42065", + "dataSource": "https://ubuntu.com/security/CVE-2024-42065", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42065" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42065", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42065", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/a6eff8f9c7e844cb24ccb188ca24abcd59734e74", + "https://git.kernel.org/stable/c/cc796a77985d6af75c9362cb2e73dce4ae3f97cd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add a NULL check in xe_ttm_stolen_mgr_init\n\nAdd an explicit check to ensure that the mgr is not NULL.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42065" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42066", + "dataSource": "https://ubuntu.com/security/CVE-2024-42066", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42066" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42066", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42066", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4f4fcafde343a54465f85a2909fc684918507a4b", + "https://git.kernel.org/stable/c/79d54ddf0e292b810887994bb04709c5ac0e1531" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix potential integer overflow in page size calculation\n\nExplicitly cast tbo->page_alignment to u64 before bit-shifting to\nprevent overflow when assigning to min_page_size.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42066" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42067", + "dataSource": "https://ubuntu.com/security/CVE-2024-42067", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42067" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42067", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42067", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/044da7ae7afd4ef60806d73654a2e6a79aa4ed7a", + "https://git.kernel.org/stable/c/08f6c05feb1db21653e98ca84ea04ca032d014c7", + "https://git.kernel.org/stable/c/9fef36cad60d4226f9d06953cd56d1d2f9119730", + "https://git.kernel.org/stable/c/e60adf513275c3a38e5cb67f7fd12387e43a3ff5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Take return from set_memory_rox() into account with bpf_jit_binary_lock_ro()\n\nset_memory_rox() can fail, leaving memory unprotected.\n\nCheck return and bail out when bpf_jit_binary_lock_ro() returns\nan error.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42067" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42068", + "dataSource": "https://ubuntu.com/security/CVE-2024-42068", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42068" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42068", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42068", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/05412471beba313ecded95aa17b25fe84bb2551a", + "https://git.kernel.org/stable/c/7d2cc63eca0c993c99d18893214abf8f85d566d8", + "https://git.kernel.org/stable/c/a359696856ca9409fb97655c5a8ef0f549cb6e03", + "https://git.kernel.org/stable/c/e3540e5a7054d6daaf9a1415a48aacb092112a89", + "https://git.kernel.org/stable/c/e4f602e3ff749ba770bf8ff10196e18358de6720", + "https://git.kernel.org/stable/c/fdd411af8178edc6b7bf260f8fa4fba1bedd0a6d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()\n\nset_memory_ro() can fail, leaving memory unprotected.\n\nCheck its return and take it into account as an error.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42068" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42070", + "dataSource": "https://ubuntu.com/security/CVE-2024-42070", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42070" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42070", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42070", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4", + "https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f", + "https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa1c2980f", + "https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8", + "https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf", + "https://git.kernel.org/stable/c/7931d32955e09d0a11b1fe0b6aac1bfa061c005c", + "https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564", + "https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers\n\nregister store validation for NFT_DATA_VALUE is conditional, however,\nthe datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This\nonly requires a new helper function to infer the register type from the\nset datatype so this conditional check can be removed. Otherwise,\npointer to chain object can be leaked through the registers.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42070" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42076", + "dataSource": "https://ubuntu.com/security/CVE-2024-42076", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42076" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42076", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42076", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f", + "https://git.kernel.org/stable/c/5e4ed38eb17eaca42de57d500cc0f9668d2b6abf", + "https://git.kernel.org/stable/c/a2a0ebff7fdeb2f66e29335adf64b9e457300dd4", + "https://git.kernel.org/stable/c/ab2a683938ba4416d389c2f5651cbbb2c41b779f", + "https://git.kernel.org/stable/c/b7cdf1dd5d2a2d8200efd98d1893684db48fe134", + "https://git.kernel.org/stable/c/ba7e5ae8208ac07d8e1eace0951a34c169a2d298", + "https://git.kernel.org/stable/c/f97cbce633923588307049c4aef9feb2987e371b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: Initialize unused data in j1939_send_one()\n\nsyzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()\ncreates full frame including unused data, but it doesn't initialize\nit. This causes the kernel-infoleak issue. Fix this by initializing\nunused data.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n memcpy_to_msg include/linux/skbuff.h:4113 [inline]\n raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n ____sys_recvmsg+0x18a/0x620 net/socket.c:2803\n ___sys_recvmsg+0x223/0x840 net/socket.c:2845\n do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034\n x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1313 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n sock_alloc_send_skb include/net/sock.h:1842 [inline]\n j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]\n j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]\n j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBytes 12-15 of 16 are uninitialized\nMemory access of size 16 starts at ffff888120969690\nData copied to user address 00000000200017c0\n\nCPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42076" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42077", + "dataSource": "https://ubuntu.com/security/CVE-2024-42077", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42077" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42077", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42077", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/320273b5649bbcee87f9e65343077189699d2a7a", + "https://git.kernel.org/stable/c/331d1079d58206ff7dc5518185f800b412f89bc6", + "https://git.kernel.org/stable/c/9ea2d1c6789722d58ec191f14f9a02518d55b6b4", + "https://git.kernel.org/stable/c/a68b896aa56e435506453ec8835bc991ec3ae687", + "https://git.kernel.org/stable/c/be346c1a6eeb49d8fda827d2a9522124c2f72f36", + "https://git.kernel.org/stable/c/c05ffb693bfb42a48ef3ee88a55b57392984e111" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix DIO failure due to insufficient transaction credits\n\nThe code in ocfs2_dio_end_io_write() estimates number of necessary\ntransaction credits using ocfs2_calc_extend_credits(). This however does\nnot take into account that the IO could be arbitrarily large and can\ncontain arbitrary number of extents.\n\nExtent tree manipulations do often extend the current transaction but not\nin all of the cases. For example if we have only single block extents in\nthe tree, ocfs2_mark_extent_written() will end up calling\nocfs2_replace_extent_rec() all the time and we will never extend the\ncurrent transaction and eventually exhaust all the transaction credits if\nthe IO contains many single block extents. Once that happens a\nWARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in\njbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to\nthis error. This was actually triggered by one of our customers on a\nheavily fragmented OCFS2 filesystem.\n\nTo fix the issue make sure the transaction always has enough credits for\none extent insert before each call of ocfs2_mark_extent_written().\n\nHeming Zhao said:\n\n------\nPANIC: \"Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error\"\n\nPID: xxx TASK: xxxx CPU: 5 COMMAND: \"SubmitThread-CA\"\n #0 machine_kexec at ffffffff8c069932\n #1 __crash_kexec at ffffffff8c1338fa\n #2 panic at ffffffff8c1d69b9\n #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]\n #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]\n #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]\n #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]\n #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]\n #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]\n #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]\n#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]\n#11 dio_complete at ffffffff8c2b9fa7\n#12 do_blockdev_direct_IO at ffffffff8c2bc09f\n#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]\n#14 generic_file_direct_write at ffffffff8c1dcf14\n#15 __generic_file_write_iter at ffffffff8c1dd07b\n#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]\n#17 aio_write at ffffffff8c2cc72e\n#18 kmem_cache_alloc at ffffffff8c248dde\n#19 do_io_submit at ffffffff8c2ccada\n#20 do_syscall_64 at ffffffff8c004984\n#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42077" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42079", + "dataSource": "https://ubuntu.com/security/CVE-2024-42079", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42079" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42079", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42079", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3429ef5f50909cee9e498c50f0c499b9397116ce", + "https://git.kernel.org/stable/c/35264909e9d1973ab9aaa2a1b07cda70f12bb828", + "https://git.kernel.org/stable/c/f54f9d5368a4e92ede7dd078a62788dae3a7c6ef" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix NULL pointer dereference in gfs2_log_flush\n\nIn gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush\nlock to provide exclusion against gfs2_log_flush().\n\nIn gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before\ndereferencing it. Otherwise, we could run into a NULL pointer\ndereference when outstanding glock work races with an unmount\n(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->\ngfs2_log_flush).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42079" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42080", + "dataSource": "https://ubuntu.com/security/CVE-2024-42080", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42080" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42080", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42080", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/782bdaf9d01658281bc813f3f873e6258aa1fd8d", + "https://git.kernel.org/stable/c/8656ef8a9288d6c932654f8d3856dc4ab1cfc6b5", + "https://git.kernel.org/stable/c/8ac281d42337f36cf7061cf1ea094181b84bc1a9", + "https://git.kernel.org/stable/c/ca537a34775c103f7b14d7bbd976403f1d1525d8", + "https://git.kernel.org/stable/c/f45b43d17240e9ca67ebf3cc82bb046b07cc1c61" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/restrack: Fix potential invalid address access\n\nstruct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME\nin ib_create_cq(), while if the module exited but forgot del this\nrdma_restrack_entry, it would cause a invalid address access in\nrdma_restrack_clean() when print the owner of this rdma_restrack_entry.\n\nThese code is used to help find one forgotten PD release in one of the\nULPs. But it is not needed anymore, so delete them.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42080" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42082", + "dataSource": "https://ubuntu.com/security/CVE-2024-42082", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42082" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42082", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42082", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1095b8efbb13a6a5fa583ed373ee1ccab29da2d0", + "https://git.kernel.org/stable/c/14e51ea78b4ccacb7acb1346b9241bb790a2054c", + "https://git.kernel.org/stable/c/1d3e3b3aa2cbe9bc7db9a7f8673a9fa6d2990d54", + "https://git.kernel.org/stable/c/4e0c539ee265d5c6e7fa7d229cd4aa7bc01816e2", + "https://git.kernel.org/stable/c/7e9f79428372c6eab92271390851be34ab26bfb4", + "https://git.kernel.org/stable/c/f92298b0467fd77edc4c1a2c3e48833e69840ec4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: Remove WARN() from __xdp_reg_mem_model()\n\nsyzkaller reports a warning in __xdp_reg_mem_model().\n\nThe warning occurs only if __mem_id_init_hash_table() returns an error. It\nreturns the error in two cases:\n\n 1. memory allocation fails;\n 2. rhashtable_init() fails when some fields of rhashtable_params\n struct are not initialized properly.\n\nThe second case cannot happen since there is a static const rhashtable_params\nstruct with valid fields. So, warning is only triggered when there is a\nproblem with memory allocation.\n\nThus, there is no sense in using WARN() to handle this error and it can be\nsafely removed.\n\nWARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\n\nCPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\n\nCall Trace:\n xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344\n xdp_test_run_setup net/bpf/test_run.c:188 [inline]\n bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377\n bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267\n bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240\n __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649\n __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nFound by Linux Verification Center (linuxtesting.org) with syzkaller.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42082" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42084", + "dataSource": "https://ubuntu.com/security/CVE-2024-42084", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42084" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42084", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42084", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4b8e88e563b5f666446d002ad0dc1e6e8e7102b0", + "https://git.kernel.org/stable/c/5ae6af68410bdad6181ec82104bb9985a7a6a0fa", + "https://git.kernel.org/stable/c/836359247b0403e0634bfbc83e5bb8063fad287a", + "https://git.kernel.org/stable/c/84bf6b64a1a0dfc6de7e1b1c776d58d608e7865a", + "https://git.kernel.org/stable/c/930a4c369f74da26816eaaa71b5888d29b759c27", + "https://git.kernel.org/stable/c/c329760749b5419769e57cb2be80955d2805f9c9", + "https://git.kernel.org/stable/c/dbb226d81cd02cee140139c2369791e6f61f2007", + "https://git.kernel.org/stable/c/f531d4bc6c5588d713359e42ed65e46816d841d8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nftruncate: pass a signed offset\n\nThe old ftruncate() syscall, using the 32-bit off_t misses a sign\nextension when called in compat mode on 64-bit architectures. As a\nresult, passing a negative length accidentally succeeds in truncating\nto file size between 2GiB and 4GiB.\n\nChanging the type of the compat syscall to the signed compat_off_t\nchanges the behavior so it instead returns -EINVAL.\n\nThe native entry point, the truncate() syscall and the corresponding\nloff_t based variants are all correct already and do not suffer\nfrom this mistake.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42084" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42085", + "dataSource": "https://ubuntu.com/security/CVE-2024-42085", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42085" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42085", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42085", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/17e2956633ca560b95f1cbbb297cfc2adf650649", + "https://git.kernel.org/stable/c/7026576e89094aa9a0062aa6d10cba18aa99944c", + "https://git.kernel.org/stable/c/7838de15bb700c2898a7d741db9b1f3cbc86c136", + "https://git.kernel.org/stable/c/d77e2b5104c51d3668b9717c825a4a06998efe63", + "https://git.kernel.org/stable/c/f1274cfab183e69a7c7bafffcb4f50703c876276" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock\n\nWhen config CONFIG_USB_DWC3_DUAL_ROLE is selected, and trigger system\nto enter suspend status with below command:\necho mem > /sys/power/state\nThere will be a deadlock issue occurring. Detailed invoking path as\nbelow:\ndwc3_suspend_common()\n spin_lock_irqsave(&dwc->lock, flags); <-- 1st\n dwc3_gadget_suspend(dwc);\n dwc3_gadget_soft_disconnect(dwc);\n spin_lock_irqsave(&dwc->lock, flags); <-- 2nd\nThis issue is exposed by commit c7ebd8149ee5 (\"usb: dwc3: gadget: Fix\nNULL pointer dereference in dwc3_gadget_suspend\") that removes the code\nof checking whether dwc->gadget_driver is NULL or not. It causes the\nfollowing code is executed and deadlock occurs when trying to get the\nspinlock. In fact, the root cause is the commit 5265397f9442(\"usb: dwc3:\nRemove DWC3 locking during gadget suspend/resume\") that forgot to remove\nthe lock of otg mode. So, remove the redundant lock of otg mode during\ngadget suspend/resume.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42085" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42086", + "dataSource": "https://ubuntu.com/security/CVE-2024-42086", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42086" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42086", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42086", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3add41bbda92938e9a528d74659dfc552796be4e", + "https://git.kernel.org/stable/c/6fa31bbe2ea8665ee970258eb8320cbf231dbe9e", + "https://git.kernel.org/stable/c/7a13d1357658d3a3c1cd7b3b9543c805a6e5e6e9", + "https://git.kernel.org/stable/c/b0af334616ed425024bf220adda0f004806b5feb", + "https://git.kernel.org/stable/c/b5967393d50e3c6e632efda3ea3fdde14c1bfd0e", + "https://git.kernel.org/stable/c/ba1bb3e2a38a7fef1c1818dd4f2d9abbfdde553a", + "https://git.kernel.org/stable/c/c326551e99f5416986074ce78bef94f6a404b517", + "https://git.kernel.org/stable/c/fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: chemical: bme680: Fix overflows in compensate() functions\n\nThere are cases in the compensate functions of the driver that\nthere could be overflows of variables due to bit shifting ops.\nThese implications were initially discussed here [1] and they\nwere mentioned in log message of Commit 1b3bd8592780 (\"iio:\nchemical: Add support for Bosch BME680 sensor\").\n\n[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42086" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42087", + "dataSource": "https://ubuntu.com/security/CVE-2024-42087", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42087" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42087", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42087", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1618f7a875ffd916596392fd29880c0429b8af60", + "https://git.kernel.org/stable/c/489f38de3375ab84b3d269d0a1d64d6ee95d7044", + "https://git.kernel.org/stable/c/5f41401219fbe7663b3cf65ebd4ed95ebbb8ffb9", + "https://git.kernel.org/stable/c/98686ec1824728ff41d7b358131f7d0227c2ba2a", + "https://git.kernel.org/stable/c/b71348be1236398be2d04c5e145fd6eaae86a91b", + "https://git.kernel.org/stable/c/cae52f61fda0f5d2949dc177f984c9e187d4c6a0", + "https://git.kernel.org/stable/c/e646402bf82145349fcf5dcbe395afaf02a8ce47", + "https://git.kernel.org/stable/c/ee7860cd8b5763017f8dc785c2851fecb7a0c565" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep\n\nThe ilitek-ili9881c controls the reset GPIO using the non-sleeping\ngpiod_set_value() function. This complains loudly when the GPIO\ncontroller needs to sleep. As the caller can sleep, use\ngpiod_set_value_cansleep() to fix the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42087" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42089", + "dataSource": "https://ubuntu.com/security/CVE-2024-42089", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42089" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42089", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42089", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29bc9e7c75398b0d12fc30955f2e9b2dd29ffaed", + "https://git.kernel.org/stable/c/3662eb2170e59b58ad479982dc1084889ba757b9", + "https://git.kernel.org/stable/c/544ab46b7ece6d6bebbdee5d5659c0a0f804a99a", + "https://git.kernel.org/stable/c/7c18b4d89ff9c810b6e562408afda5ce165c4ea6", + "https://git.kernel.org/stable/c/8896e18b7c366f8faf9344abfd0971435f1c723a", + "https://git.kernel.org/stable/c/8faf91e58425c2f6ce773250dfd995f1c2d461ac", + "https://git.kernel.org/stable/c/90f3feb24172185f1832636264943e8b5e289245", + "https://git.kernel.org/stable/c/ae81535ce2503aabc4adab3472f4338070cdeb6a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: fsl-asoc-card: set priv->pdev before using it\n\npriv->pdev pointer was set after being used in\nfsl_asoc_card_audmux_init().\nMove this assignment at the start of the probe function, so\nsub-functions can correctly use pdev through priv.\n\nfsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the\ndev struct, used with dev_err macros.\nAs priv is zero-initialised, there would be a NULL pointer dereference.\nNote that if priv->dev is dereferenced before assignment but never used,\nfor example if there is no error to be printed, the driver won't crash\nprobably due to compiler optimisations.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42089" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42090", + "dataSource": "https://ubuntu.com/security/CVE-2024-42090", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42090" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42090", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42090", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/01fe2f885f7813f8aed5d3704b384a97b1116a9e", + "https://git.kernel.org/stable/c/4038c57bf61631219b31f1bd6e92106ec7f084dc", + "https://git.kernel.org/stable/c/420ce1261907e5dbeda1e4daffd5b6c76f8188c0", + "https://git.kernel.org/stable/c/48a7a7c9571c3e62f17012dd7f2063e926179ddd", + "https://git.kernel.org/stable/c/adec57ff8e66aee632f3dd1f93787c13d112b7a1", + "https://git.kernel.org/stable/c/b36efd2e3e22a329444b6b24fa48df6d20ae66e6", + "https://git.kernel.org/stable/c/b813e3fd102a959c5b208ed68afe27e0137a561b", + "https://git.kernel.org/stable/c/e65a0dc2e85efb28e182aca50218e8a056d0ce04" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER\n\nIn create_pinctrl(), pinctrl_maps_mutex is acquired before calling\nadd_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()\ncalls pinctrl_free(). However, pinctrl_free() attempts to acquire\npinctrl_maps_mutex, which is already held by create_pinctrl(), leading to\na potential deadlock.\n\nThis patch resolves the issue by releasing pinctrl_maps_mutex before\ncalling pinctrl_free(), preventing the deadlock.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42090" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42091", + "dataSource": "https://ubuntu.com/security/CVE-2024-42091", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42091" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42091", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42091", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/583ce246c7ff9edeb0de49130cdc3d45db8545cb", + "https://git.kernel.org/stable/c/a918e771e6fbe1fa68932af5b0cdf473e23090cc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Check pat.ops before dumping PAT settings\n\nWe may leave pat.ops unset when running on brand new platform or\nwhen running as a VF. While the former is unlikely, the latter\nis valid (future) use case and will cause NPD when someone will\ntry to dump PAT settings by debugfs.\n\nIt's better to check pointer to pat.ops instead of specific .dump\nhook, as we have this hook always defined for every .ops variant.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42091" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42092", + "dataSource": "https://ubuntu.com/security/CVE-2024-42092", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42092" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42092", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42092", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2d83492259ad746b655f196cd5d1be4b3d0a3782", + "https://git.kernel.org/stable/c/70b48899f3f23f98a52c5b1060aefbdc7ba7957b", + "https://git.kernel.org/stable/c/7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164", + "https://git.kernel.org/stable/c/89d7008af4945808677662a630643b5ea89c6e8d", + "https://git.kernel.org/stable/c/a8d78984fdc105bc1a38b73e98d32b1bc4222684", + "https://git.kernel.org/stable/c/c542e51306d5f1eba3af84daa005826223382470", + "https://git.kernel.org/stable/c/cd75721984337c38a12aeca33ba301d31ca4b3fd", + "https://git.kernel.org/stable/c/e44a83bf15c4db053ac6dfe96a23af184c9136d9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: davinci: Validate the obtained number of IRQs\n\nValue of pdata->gpio_unbanked is taken from Device Tree. In case of broken\nDT due to any error this value can be any. Without this value validation\nthere can be out of chips->irqs array boundaries access in\ndavinci_gpio_probe().\n\nValidate the obtained nirq value so that it won't exceed the maximum\nnumber of IRQs per bank.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42092" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42093", + "dataSource": "https://ubuntu.com/security/CVE-2024-42093", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42093" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42093", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42093", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/48147337d7efdea6ad6e49f5b8eb894b95868ef0", + "https://git.kernel.org/stable/c/5e4f25091e6d06e99a23f724c839a58a8776a527", + "https://git.kernel.org/stable/c/69f49527aea12c23b78fb3d0a421950bf44fb4e2", + "https://git.kernel.org/stable/c/763896ab62a672d728f5eb10ac90d98c607a8509", + "https://git.kernel.org/stable/c/a55afc0f5f20ba30970aaf7271929dc00eee5e7d", + "https://git.kernel.org/stable/c/b2262b3be27cee334a2fa175ae3afb53f38fb0b1", + "https://git.kernel.org/stable/c/d33fe1714a44ff540629b149d8fab4ac6967585c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/dpaa2: Avoid explicit cpumask var allocation on stack\n\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\nvariable on stack is not recommended since it can cause potential stack\noverflow.\n\nInstead, kernel code should always use *cpumask_var API(s) to allocate\ncpumask var in config-neutral way, leaving allocation strategy to\nCONFIG_CPUMASK_OFFSTACK.\n\nUse *cpumask_var API(s) to address it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42093" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42094", + "dataSource": "https://ubuntu.com/security/CVE-2024-42094", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42094" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42094", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42094", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0af718a690acc089aa1bbb95a93df833d864ef53", + "https://git.kernel.org/stable/c/2b085521be5292016097b5e7ca81b26be3f7098d", + "https://git.kernel.org/stable/c/2d090c7f7be3b26fcb80ac04d08a4a8062b1d959", + "https://git.kernel.org/stable/c/724e7965af054079242b8d6f7e50ee226730a756", + "https://git.kernel.org/stable/c/842afb47d84536fc976fece8fb6c54bea711ad1a", + "https://git.kernel.org/stable/c/9dadab0db7d904413ea1cdaa13f127da05c31e71", + "https://git.kernel.org/stable/c/be4e1304419c99a164b4c0e101c7c2a756b635b9", + "https://git.kernel.org/stable/c/d85ca8179a54ff8cf1e1f8c3c9e3799831319bae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: Avoid explicit cpumask var allocation on stack\n\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\nvariable on stack is not recommended since it can cause potential stack\noverflow.\n\nInstead, kernel code should always use *cpumask_var API(s) to allocate\ncpumask var in config-neutral way, leaving allocation strategy to\nCONFIG_CPUMASK_OFFSTACK.\n\nUse *cpumask_var API(s) to address it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42094" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42095", + "dataSource": "https://ubuntu.com/security/CVE-2024-42095", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42095" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42095", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42095", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6270051f656004ca5cde644c73cb1fa4d718792e", + "https://git.kernel.org/stable/c/87257a28271c828a98f762bf2dd803c1793d2b5b", + "https://git.kernel.org/stable/c/98840e410d53329f5331ecdce095e740791963d0", + "https://git.kernel.org/stable/c/9d141c1e615795eeb93cd35501ad144ee997a826", + "https://git.kernel.org/stable/c/cb879300669881970eabebe64bd509dbbe42b9de", + "https://git.kernel.org/stable/c/e67d7f38008e56fb691b6a72cadf16c107c2f48b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_omap: Implementation of Errata i2310\n\nAs per Errata i2310[0], Erroneous timeout can be triggered,\nif this Erroneous interrupt is not cleared then it may leads\nto storm of interrupts, therefore apply Errata i2310 solution.\n\n[0] https://www.ti.com/lit/pdf/sprz536 page 23", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42095" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42096", + "dataSource": "https://ubuntu.com/security/CVE-2024-42096", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42096" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42096", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42096", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/093d9603b60093a9aaae942db56107f6432a5dca", + "https://git.kernel.org/stable/c/161cef818545ecf980f0e2ebaf8ba7326ce53c2b", + "https://git.kernel.org/stable/c/16222beb9f8e5ceb0beeb5cbe54bef16df501a92", + "https://git.kernel.org/stable/c/27c3be840911b15a3f24ed623f86153c825b6b29", + "https://git.kernel.org/stable/c/2d07fea561d64357fb7b3f3751e653bf20306d77", + "https://git.kernel.org/stable/c/49c09ca35a5f521d7fa18caf62fdf378f15e8aa4", + "https://git.kernel.org/stable/c/65ebdde16e7f5da99dbf8a548fb635837d78384e", + "https://git.kernel.org/stable/c/a3b65c8cbc139bfce9541bc81c1bb766e5ba3f68" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: stop playing stack games in profile_pc()\n\nThe 'profile_pc()' function is used for timer-based profiling, which\nisn't really all that relevant any more to begin with, but it also ends\nup making assumptions based on the stack layout that aren't necessarily\nvalid.\n\nBasically, the code tries to account the time spent in spinlocks to the\ncaller rather than the spinlock, and while I support that as a concept,\nit's not worth the code complexity or the KASAN warnings when no serious\nprofiling is done using timers anyway these days.\n\nAnd the code really does depend on stack layout that is only true in the\nsimplest of cases. We've lost the comment at some point (I think when\nthe 32-bit and 64-bit code was unified), but it used to say:\n\n\tAssume the lock function has either no stack frame or a copy\n\tof eflags from PUSHF.\n\nwhich explains why it just blindly loads a word or two straight off the\nstack pointer and then takes a minimal look at the values to just check\nif they might be eflags or the return pc:\n\n\tEflags always has bits 22 and up cleared unlike kernel addresses\n\nbut that basic stack layout assumption assumes that there isn't any lock\ndebugging etc going on that would complicate the code and cause a stack\nframe.\n\nIt causes KASAN unhappiness reported for years by syzkaller [1] and\nothers [2].\n\nWith no real practical reason for this any more, just remove the code.\n\nJust for historical interest, here's some background commits relating to\nthis code from 2006:\n\n 0cb91a229364 (\"i386: Account spinlocks to the caller during profiling for !FP kernels\")\n 31679f38d886 (\"Simplify profile_pc on x86-64\")\n\nand a code unification from 2009:\n\n ef4512882dbe (\"x86: time_32/64.c unify profile_pc\")\n\nbut the basics of this thing actually goes back to before the git tree.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42096" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42097", + "dataSource": "https://ubuntu.com/security/CVE-2024-42097", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42097" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42097", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42097", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/40d7def67841343c10f8642a41031fecbb248bab", + "https://git.kernel.org/stable/c/79d9a000f0220cdaba1682d2a23c0d0c61d620a3", + "https://git.kernel.org/stable/c/7a18293fd8d8519c2f7a03753bc1583b18e3db69", + "https://git.kernel.org/stable/c/87039b83fb7bfd7d0e0499aaa8e6c049906b4d14", + "https://git.kernel.org/stable/c/89b32ccb12ae67e630c6453d778ec30a592a212f", + "https://git.kernel.org/stable/c/d0ff2443fcbb472206d45a5d2a90cc694065804e", + "https://git.kernel.org/stable/c/d23982ea9aa438f35a8c8a6305943e98a8db90f6", + "https://git.kernel.org/stable/c/d8f5ce3cb9adf0c72e2ad6089aba02d7a32469c2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: emux: improve patch ioctl data validation\n\nIn load_data(), make the validation of and skipping over the main info\nblock match that in load_guspatch().\n\nIn load_guspatch(), add checking that the specified patch length matches\nthe actually supplied data, like load_data() already did.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42097" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42098", + "dataSource": "https://ubuntu.com/security/CVE-2024-42098", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42098" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42098", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42098", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39173b04abda87872b43c331468a4a14f8f05ce8", + "https://git.kernel.org/stable/c/73e5984e540a76a2ee1868b91590c922da8c24c9", + "https://git.kernel.org/stable/c/80575b252ab0358b7e93895b2a510beb3cb3f975", + "https://git.kernel.org/stable/c/d96187eb8e59b572a8e6a68b6a9837a867ea29df", + "https://git.kernel.org/stable/c/fd7ef325911eba1b7191b83cb580463242f2090d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ecdh - explicitly zeroize private_key\n\nprivate_key is overwritten with the key parameter passed in by the\ncaller (if present), or alternatively a newly generated private key.\nHowever, it is possible that the caller provides a key (or the newly\ngenerated key) which is shorter than the previous key. In that\nscenario, some key material from the previous key would not be\noverwritten. The easiest solution is to explicitly zeroize the entire\nprivate_key array first.\n\nNote that this patch slightly changes the behavior of this function:\npreviously, if the ecc_gen_privkey failed, the old private_key would\nremain. Now, the private_key is always zeroized. This behavior is\nconsistent with the case where params.key is set and ecc_is_key_valid\nfails.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42098" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42101", + "dataSource": "https://ubuntu.com/security/CVE-2024-42101", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42101" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42101", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42101", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1f32535238493008587a8c5cb17eb2ca097592ef", + "https://git.kernel.org/stable/c/274cba8d2d1b48c72d8bd90e76c9e2dc1aa0a81d", + "https://git.kernel.org/stable/c/744b229f09134ccd091427a6f9ea6d97302cfdd9", + "https://git.kernel.org/stable/c/7db5411c5d0bd9c29b8c2ad93c36b5c16ea46c9e", + "https://git.kernel.org/stable/c/80bec6825b19d95ccdfd3393cf8ec15ff2a749b4", + "https://git.kernel.org/stable/c/9baf60323efa992b7c915094529f0a1882c34e7e", + "https://git.kernel.org/stable/c/e36364f5f3785d054a94e57e971385284886d41a", + "https://git.kernel.org/stable/c/f48dd3f19614022f2e1b794fbd169d2b4c398c07" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix null pointer dereference in nouveau_connector_get_modes\n\nIn nouveau_connector_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a possible NULL pointer\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42101" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42102", + "dataSource": "https://ubuntu.com/security/CVE-2024-42102", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42102" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42102", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42102", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/000099d71648504fb9c7a4616f92c2b70c3e44ec", + "https://git.kernel.org/stable/c/145faa3d03688cbb7bbaaecbd84c01539852942c", + "https://git.kernel.org/stable/c/23a28f5f3f6ca1e4184bd0e9631cd0944cf1c807", + "https://git.kernel.org/stable/c/253f9ea7e8e53a5176bd80ceb174907b10724c1a", + "https://git.kernel.org/stable/c/2820005edae13b140f2d54267d1bd6bb23915f59", + "https://git.kernel.org/stable/c/30139c702048f1097342a31302cbd3d478f50c63", + "https://git.kernel.org/stable/c/cbbe17a324437c0ff99881a3ee453da45b228a00", + "https://git.kernel.org/stable/c/f6620df12cb6bdcad671d269debbb23573502f9d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\"\n\nPatch series \"mm: Avoid possible overflows in dirty throttling\".\n\nDirty throttling logic assumes dirty limits in page units fit into\n32-bits. This patch series makes sure this is true (see patch 2/2 for\nmore details).\n\n\nThis patch (of 2):\n\nThis reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.\n\nThe commit is broken in several ways. Firstly, the removed (u64) cast\nfrom the multiplication will introduce a multiplication overflow on 32-bit\narchs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the\ndefault settings with 4GB of RAM will trigger this). Secondly, the\ndiv64_u64() is unnecessarily expensive on 32-bit archs. We have\ndiv64_ul() in case we want to be safe & cheap. Thirdly, if dirty\nthresholds are larger than 1<<32 pages, then dirty balancing is going to\nblow up in many other spectacular ways anyway so trying to fix one\npossible overflow is just moot.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42102" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42104", + "dataSource": "https://ubuntu.com/security/CVE-2024-42104", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42104" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42104", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42104", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/07c176e7acc5579c133bb923ab21316d192d0a95", + "https://git.kernel.org/stable/c/1b7d549ed2c1fa202c751b69423a0d3a6bd5a180", + "https://git.kernel.org/stable/c/265fff1a01cdc083aeaf0d934c929db5cc64aebf", + "https://git.kernel.org/stable/c/2f2fa9cf7c3537958a82fbe8c8595a5eb0861ad7", + "https://git.kernel.org/stable/c/3ab40870edb883b9633dc5cd55f5a2a11afa618d", + "https://git.kernel.org/stable/c/b11e8fb93ea5eefb2e4e719497ea177a58ff6131", + "https://git.kernel.org/stable/c/bb76c6c274683c8570ad788f79d4b875bde0e458", + "https://git.kernel.org/stable/c/c33c2b0d92aa1c2262d999b2598ad6fbd53bd479" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: add missing check for inode numbers on directory entries\n\nSyzbot reported that mounting and unmounting a specific pattern of\ncorrupted nilfs2 filesystem images causes a use-after-free of metadata\nfile inodes, which triggers a kernel bug in lru_add_fn().\n\nAs Jan Kara pointed out, this is because the link count of a metadata file\ngets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),\ntries to delete that inode (ifile inode in this case).\n\nThe inconsistency occurs because directories containing the inode numbers\nof these metadata files that should not be visible in the namespace are\nread without checking.\n\nFix this issue by treating the inode numbers of these internal files as\nerrors in the sanity check helper when reading directory folios/pages.\n\nAlso thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer\nanalysis.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42104" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42105", + "dataSource": "https://ubuntu.com/security/CVE-2024-42105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42105", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08cab183a624ba71603f3754643ae11cab34dbc4", + "https://git.kernel.org/stable/c/1c91058425a01131ea30dda6cf43c67b17884d6a", + "https://git.kernel.org/stable/c/3be4dcc8d7bea52ea41f87aa4bbf959efe7a5987", + "https://git.kernel.org/stable/c/57235c3c88bb430043728d0d02f44a4efe386476", + "https://git.kernel.org/stable/c/731011ac6c37cbe97ece229fc6daa486276052c5", + "https://git.kernel.org/stable/c/9194f8ca57527958bee207919458e372d638d783", + "https://git.kernel.org/stable/c/e2fec219a36e0993642844be0f345513507031f4", + "https://git.kernel.org/stable/c/fae1959d6ab2c52677b113935e36ab4e25df37ea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix inode number range checks\n\nPatch series \"nilfs2: fix potential issues related to reserved inodes\".\n\nThis series fixes one use-after-free issue reported by syzbot, caused by\nnilfs2's internal inode being exposed in the namespace on a corrupted\nfilesystem, and a couple of flaws that cause problems if the starting\nnumber of non-reserved inodes written in the on-disk super block is\nintentionally (or corruptly) changed from its default value. \n\n\nThis patch (of 3):\n\nIn the current implementation of nilfs2, \"nilfs->ns_first_ino\", which\ngives the first non-reserved inode number, is read from the superblock,\nbut its lower limit is not checked.\n\nAs a result, if a number that overlaps with the inode number range of\nreserved inodes such as the root directory or metadata files is set in the\nsuper block parameter, the inode number test macros (NILFS_MDT_INODE and\nNILFS_VALID_INODE) will not function properly.\n\nIn addition, these test macros use left bit-shift calculations using with\nthe inode number as the shift count via the BIT macro, but the result of a\nshift calculation that exceeds the bit width of an integer is undefined in\nthe C specification, so if \"ns_first_ino\" is set to a large value other\nthan the default value NILFS_USER_INO (=11), the macros may potentially\nmalfunction depending on the environment.\n\nFix these issues by checking the lower bound of \"nilfs->ns_first_ino\" and\nby preventing bit shifts equal to or greater than the NILFS_USER_INO\nconstant in the inode number test macros.\n\nAlso, change the type of \"ns_first_ino\" from signed integer to unsigned\ninteger to avoid the need for type casting in comparisons such as the\nlower bound check introduced this time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42105" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42106", + "dataSource": "https://ubuntu.com/security/CVE-2024-42106", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42106" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42106", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42106", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0184bf0a349f4cf9e663abbe862ff280e8e4dfa2", + "https://git.kernel.org/stable/c/61cf1c739f08190a4cbf047b9fbb192a94d87e3f", + "https://git.kernel.org/stable/c/7094a5fd20ab66028f1da7f06e0f2692d70346f9", + "https://git.kernel.org/stable/c/76965648fe6858db7c5f3c700fef7aa5f124ca1c", + "https://git.kernel.org/stable/c/7ef519c8efde152e0d632337f2994f6921e0b7e4", + "https://git.kernel.org/stable/c/8366720519ea8d322a20780debdfd23d9fc0904a", + "https://git.kernel.org/stable/c/d6f487e0704de2f2d15f8dd5d7d723210f2b2fdb", + "https://git.kernel.org/stable/c/f9b2010e8af49fac9d9562146fb81744d8a9b051" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet_diag: Initialize pad field in struct inet_diag_req_v2\n\nKMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw\nsockets uses the pad field in struct inet_diag_req_v2 for the\nunderlying protocol. This field corresponds to the sdiag_raw_protocol\nfield in struct inet_diag_req_raw.\n\ninet_diag_get_exact_compat() converts inet_diag_req to\ninet_diag_req_v2, but leaves the pad field uninitialized. So the issue\noccurs when raw_lookup() accesses the sdiag_raw_protocol field.\n\nFix this by initializing the pad field in\ninet_diag_get_exact_compat(). Also, do the same fix in\ninet_diag_dump_compat() to avoid the similar issue in the future.\n\n[1]\nBUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]\nBUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_lookup net/ipv4/raw_diag.c:49 [inline]\n raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was stored to memory at:\n raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable req.i created at:\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]\n inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n\nCPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42106" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42107", + "dataSource": "https://ubuntu.com/security/CVE-2024-42107", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42107" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42107", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42107", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c4e524811918600683b1ea87a5e0fc2db64fa9b", + "https://git.kernel.org/stable/c/996422e3230e41468f652d754fefd1bdbcd4604e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't process extts if PTP is disabled\n\nThe ice_ptp_extts_event() function can race with ice_ptp_release() and\nresult in a NULL pointer dereference which leads to a kernel panic.\n\nPanic occurs because the ice_ptp_extts_event() function calls\nptp_clock_event() with a NULL pointer. The ice driver has already\nreleased the PTP clock by the time the interrupt for the next external\ntimestamp event occurs.\n\nTo fix this, modify the ice_ptp_extts_event() function to check the\nPTP state and bail early if PTP is not ready.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42107" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42109", + "dataSource": "https://ubuntu.com/security/CVE-2024-42109", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42109" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42109", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42109", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/09e650c3a3a7d804430260510534ccbf71c75b2e", + "https://git.kernel.org/stable/c/3325628cb36b7f216c5716e7b5124d9dc81199e4", + "https://git.kernel.org/stable/c/4c06c13317b9a08decedcd7aaf706691e336277c", + "https://git.kernel.org/stable/c/55a40406aac555defe9bdd0adec9508116ce7cb1", + "https://git.kernel.org/stable/c/9f6958ba2e902f9820c594869bd710ba74b7c4c0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally flush pending work before notifier\n\nsyzbot reports:\n\nKASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831\nKASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530\nKASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\nRead of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45\n[..]\nWorkqueue: events nf_tables_trans_destroy_work\nCall Trace:\n nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]\n nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]\n nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\n\nProblem is that the notifier does a conditional flush, but its possible\nthat the table-to-be-removed is still referenced by transactions being\nprocessed by the worker, so we need to flush unconditionally.\n\nWe could make the flush_work depend on whether we found a table to delete\nin nf-next to avoid the flush for most cases.\n\nAFAICS this problem is only exposed in nf-next, with\ncommit e169285f8c56 (\"netfilter: nf_tables: do not store nft_ctx in transaction objects\"),\nwith this commit applied there is an unconditional fetch of\ntable->family which is whats triggering the above splat.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42109" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42110", + "dataSource": "https://ubuntu.com/security/CVE-2024-42110", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42110" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42110", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42110", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4b3b6c7efee69f077b86ef7f088fb96768e46e1f", + "https://git.kernel.org/stable/c/858ae09f03677a4ab907a15516893bc2cc79d4c3", + "https://git.kernel.org/stable/c/e15a5d821e5192a3769d846079bc9aa380139baf", + "https://git.kernel.org/stable/c/e3af5b14e7632bf12058533d69055393e2d126c9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()\n\nThe following is emitted when using idxd (DSA) dmanegine as the data\nmover for ntb_transport that ntb_netdev uses.\n\n[74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526\n[74412.556784] caller is netif_rx_internal+0x42/0x130\n[74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5\n[74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024\n[74412.581699] Call Trace:\n[74412.584514] \n[74412.586933] dump_stack_lvl+0x55/0x70\n[74412.591129] check_preemption_disabled+0xc8/0xf0\n[74412.596374] netif_rx_internal+0x42/0x130\n[74412.600957] __netif_rx+0x20/0xd0\n[74412.604743] ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev]\n[74412.610985] ntb_complete_rxc+0xed/0x140 [ntb_transport]\n[74412.617010] ntb_rx_copy_callback+0x53/0x80 [ntb_transport]\n[74412.623332] idxd_dma_complete_txd+0xe3/0x160 [idxd]\n[74412.628963] idxd_wq_thread+0x1a6/0x2b0 [idxd]\n[74412.634046] irq_thread_fn+0x21/0x60\n[74412.638134] ? irq_thread+0xa8/0x290\n[74412.642218] irq_thread+0x1a0/0x290\n[74412.646212] ? __pfx_irq_thread_fn+0x10/0x10\n[74412.651071] ? __pfx_irq_thread_dtor+0x10/0x10\n[74412.656117] ? __pfx_irq_thread+0x10/0x10\n[74412.660686] kthread+0x100/0x130\n[74412.664384] ? __pfx_kthread+0x10/0x10\n[74412.668639] ret_from_fork+0x31/0x50\n[74412.672716] ? __pfx_kthread+0x10/0x10\n[74412.676978] ret_from_fork_asm+0x1a/0x30\n[74412.681457] \n\nThe cause is due to the idxd driver interrupt completion handler uses\nthreaded interrupt and the threaded handler is not hard or soft interrupt\ncontext. However __netif_rx() can only be called from interrupt context.\nChange the call to netif_rx() in order to allow completion via normal\ncontext for dmaengine drivers that utilize threaded irq handling.\n\nWhile the following commit changed from netif_rx() to __netif_rx(),\nbaebdf48c360 (\"net: dev: Makes sure netif_rx() can be invoked in any context.\"),\nthe change should've been a noop instead. However, the code precedes this\nfix should've been using netif_rx_ni() or netif_rx_any_context().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42110" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42114", + "dataSource": "https://ubuntu.com/security/CVE-2024-42114", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42114" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42114", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42114", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/33ac5a4eb3d4bea2146658f1b6d1fa86d62d2b22", + "https://git.kernel.org/stable/c/3fc06f6d142d2840735543216a60d0a8c345bdec", + "https://git.kernel.org/stable/c/80ac0cc9c0bef984e29637b1efa93d7214b42f53", + "https://git.kernel.org/stable/c/8a3ac7fb36962c34698f884bd697938054ff2afa", + "https://git.kernel.org/stable/c/d1cba2ea8121e7fdbe1328cea782876b1dd80993", + "https://git.kernel.org/stable/c/e87c2f098f52aa2fe20258a5bb1738d6a74e9ed7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values\n\nsyzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM\nto 2^31.\n\nWe had a similar issue in sch_fq, fixed with commit\nd9e15a273306 (\"pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM\")\n\nwatchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]\nModules linked in:\nirq event stamp: 131135\n hardirqs last enabled at (131134): [] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]\n hardirqs last enabled at (131134): [] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95\n hardirqs last disabled at (131135): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (131135): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last enabled at (125892): [] neigh_hh_init net/core/neighbour.c:1538 [inline]\n softirqs last enabled at (125892): [] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553\n softirqs last disabled at (125896): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19\nCPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nWorkqueue: mld mld_ifc_work\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __list_del include/linux/list.h:195 [inline]\n pc : __list_del_entry include/linux/list.h:218 [inline]\n pc : list_move_tail include/linux/list.h:310 [inline]\n pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\n lr : __list_del_entry include/linux/list.h:218 [inline]\n lr : list_move_tail include/linux/list.h:310 [inline]\n lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854\nsp : ffff800093d36700\nx29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000\nx26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0\nx23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0\nx20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0\nx17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8\nx14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff\nx11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc\nx2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470\nCall trace:\n __list_del include/linux/list.h:195 [inline]\n __list_del_entry include/linux/list.h:218 [inline]\n list_move_tail include/linux/list.h:310 [inline]\n fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\n wake_tx_push_queue net/mac80211/util.c:294 [inline]\n ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315\n drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]\n schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]\n ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664\n ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966\n ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062\n __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338\n ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547\n __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563\n neigh_output include/net/neighbour.h:542 [inline]\n ip6_fini\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42114" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42115", + "dataSource": "https://ubuntu.com/security/CVE-2024-42115", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42115" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42115", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42115", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/05fc1ef892f862c1197b11b288bc00f602d2df0c", + "https://git.kernel.org/stable/c/0b3246052e01e61a55bb3a15b76acb006759fe67", + "https://git.kernel.org/stable/c/5ca26334fc8a3711fed14db7f9eb1c621be4df65", + "https://git.kernel.org/stable/c/6d6d94287f6365282bbf41e9a5b5281985970789", + "https://git.kernel.org/stable/c/751987a5d8ead0cc405fad96e83ebbaa51c82dbc", + "https://git.kernel.org/stable/c/af9a8730ddb6a4b2edd779ccc0aceb994d616830", + "https://git.kernel.org/stable/c/b6c8b3e31eb88c85094d848a0bd8b4bafe67e4d8", + "https://git.kernel.org/stable/c/d0bbbf31462a400bef4df33e22de91864f475455" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: Fix potential illegal address access in jffs2_free_inode\n\nDuring the stress testing of the jffs2 file system,the following\nabnormal printouts were found:\n[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948\n[ 2430.649622] Mem abort info:\n[ 2430.649829] ESR = 0x96000004\n[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 2430.650564] SET = 0, FnV = 0\n[ 2430.650795] EA = 0, S1PTW = 0\n[ 2430.651032] FSC = 0x04: level 0 translation fault\n[ 2430.651446] Data abort info:\n[ 2430.651683] ISV = 0, ISS = 0x00000004\n[ 2430.652001] CM = 0, WnR = 0\n[ 2430.652558] [0069696969696948] address between user and kernel address ranges\n[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33\n[ 2430.655008] Hardware name: linux,dummy-virt (DT)\n[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 2430.656142] pc : kfree+0x78/0x348\n[ 2430.656630] lr : jffs2_free_inode+0x24/0x48\n[ 2430.657051] sp : ffff800009eebd10\n[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000\n[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000\n[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14\n[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000\n[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000\n[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19\n[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14\n[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302\n[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342\n[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000\n[ 2430.664217] Call trace:\n[ 2430.664528] kfree+0x78/0x348\n[ 2430.664855] jffs2_free_inode+0x24/0x48\n[ 2430.665233] i_callback+0x24/0x50\n[ 2430.665528] rcu_do_batch+0x1ac/0x448\n[ 2430.665892] rcu_core+0x28c/0x3c8\n[ 2430.666151] rcu_core_si+0x18/0x28\n[ 2430.666473] __do_softirq+0x138/0x3cc\n[ 2430.666781] irq_exit+0xf0/0x110\n[ 2430.667065] handle_domain_irq+0x6c/0x98\n[ 2430.667447] gic_handle_irq+0xac/0xe8\n[ 2430.667739] call_on_irq_stack+0x28/0x54\nThe parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of\nthe jffs_inode_info structure. It was found that all variables in the jffs_inode_info\nstructure were 5a5a5a5a, except for the first member sem. It is suspected that these\nvariables are not initialized because they were set to 5a5a5a5a during memory testing,\nwhich is meant to detect uninitialized memory.The sem variable is initialized in the\nfunction jffs2_i_init_once, while other members are initialized in\nthe function jffs2_init_inode_info.\n\nThe function jffs2_init_inode_info is called after iget_locked,\nbut in the iget_locked function, the destroy_inode process is triggered,\nwhich releases the inode and consequently, the target member of the inode\nis not initialized.In concurrent high pressure scenarios, iget_locked\nmay enter the destroy_inode branch as described in the code.\n\nSince the destroy_inode functionality of jffs2 only releases the target,\nthe fix method is to set target to NULL in jffs2_i_init_once.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42115" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42116", + "dataSource": "https://ubuntu.com/security/CVE-2024-42116", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42116" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42116", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42116", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/86167183a17e03ec77198897975e9fdfbd53cb0b", + "https://git.kernel.org/stable/c/96839f3f588236593de36465f142b0126267f8b6", + "https://git.kernel.org/stable/c/98c8958980e829f023a490b9a9816ca1fe2f8b79", + "https://git.kernel.org/stable/c/991f036cabc3d13e886a37faeea1b6800181fdda", + "https://git.kernel.org/stable/c/d478ec838cf2b1e1051a8709cfc744fe1c03110f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: fix a log entry using uninitialized netdev\n\nDuring successful probe, igc logs this:\n\n[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nThe reason is that igc_ptp_init() is called very early, even before\nregister_netdev() has been called. So the netdev_info() call works\non a partially uninitialized netdev.\n\nFix this by calling igc_ptp_init() after register_netdev(), right\nafter the media autosense check, just as in igb. Add a comment,\njust as in igb.\n\nNow the log message is fine:\n\n[ 5.200987] igc 0000:01:00.0 eth0: PHC added", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42116" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42117", + "dataSource": "https://ubuntu.com/security/CVE-2024-42117", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42117" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42117", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42117", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01eb50e53c1ce505bf449348d433181310288765", + "https://git.kernel.org/stable/c/a9c047a5cf3135b8b66bd28fbe2c698b9cace0b3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: ASSERT when failing to find index by plane/stream id\n\n[WHY]\nfind_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns\nan array index and they return -1 when not found; however, -1 is not a\nvalid index number.\n\n[HOW]\nWhen this happens, call ASSERT(), and return a positive number (which is\nfewer than callers' array size) instead.\n\nThis fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42117" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42118", + "dataSource": "https://ubuntu.com/security/CVE-2024-42118", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42118" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42118", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42118", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3ac31c9a707dd1c7c890b95333182f955e9dcb57", + "https://git.kernel.org/stable/c/a76fa9c4f0fc0aa6f517da3fa7d7c23e8a32c7d0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Do not return negative stream id for array\n\n[WHY]\nresource_stream_to_stream_idx returns an array index and it return -1\nwhen not found; however, -1 is not a valid array index number.\n\n[HOW]\nWhen this happens, call ASSERT(), and return a zero instead.\n\nThis fixes an OVERRUN and an NEGATIVE_RETURNS issues reported by Coverity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42118" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42119", + "dataSource": "https://ubuntu.com/security/CVE-2024-42119", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42119" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42119", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42119", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3", + "https://git.kernel.org/stable/c/874261358d31fc772f2823604167e670983cc1ca", + "https://git.kernel.org/stable/c/881fb6afc0004c5e6392ae2848f825bf051dae14", + "https://git.kernel.org/stable/c/95ad20ee3c4efbb91f9a4ab08e070aa3697f5879", + "https://git.kernel.org/stable/c/9eb4db08a808e3a3ba59193aeb84a57a6dc4d8c9", + "https://git.kernel.org/stable/c/afaaebdee9bb9f26d9e13cc34b33bd0a7bf59488", + "https://git.kernel.org/stable/c/eacca028a623f608607d02457122ee5284491e18", + "https://git.kernel.org/stable/c/ffa7bd3ca9cfa902b857d1dc9a5f46fededf86c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip finding free audio for unknown engine_id\n\n[WHY]\nENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it\nalso means it is uninitialized and does not need free audio.\n\n[HOW]\nSkip and return NULL.\n\nThis fixes 2 OVERRUN issues reported by Coverity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42119" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42120", + "dataSource": "https://ubuntu.com/security/CVE-2024-42120", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42120" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42120", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42120", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0b3702f9d43d163fd05e43b7d7e22e766dbef329", + "https://git.kernel.org/stable/c/5396a70e8cf462ec5ccf2dc8de103c79de9489e6", + "https://git.kernel.org/stable/c/96bf81cc1bd058bb8af6e755a548e926e934dfd1", + "https://git.kernel.org/stable/c/b2e9abc95583ac7bbb2c47da4d476a798146dfd6", + "https://git.kernel.org/stable/c/c5ec2afeeee4c91cebc4eff6d4f1ecf4047259f4", + "https://git.kernel.org/stable/c/d2c3645a4a5ae5d933b4116c305d9d82b8199dbf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check pipe offset before setting vblank\n\npipe_ctx has a size of MAX_PIPES so checking its index before accessing\nthe array.\n\nThis fixes an OVERRUN issue reported by Coverity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42120" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42121", + "dataSource": "https://ubuntu.com/security/CVE-2024-42121", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42121" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42121", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42121", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/59d99deb330af206a4541db0c4da8f73880fba03", + "https://git.kernel.org/stable/c/9933eca6ada0cd612e19522e7a319bcef464c0eb", + "https://git.kernel.org/stable/c/a31ea49dc8064a557565725cf045944307476a6e", + "https://git.kernel.org/stable/c/ae91ffbc8b8d942e3e7f188728cad557b7ed5ee4", + "https://git.kernel.org/stable/c/b5b8837d066cc182ff69fb5629ad32ade5484567", + "https://git.kernel.org/stable/c/fbb0701af9734cff13917a4b98b5ee9da2fde48d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check index msg_id before read or write\n\n[WHAT]\nmsg_id is used as an array index and it cannot be a negative value, and\ntherefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1).\n\n[HOW]\nCheck whether msg_id is valid before reading and setting.\n\nThis fixes 4 OVERRUN issues reported by Coverity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42121" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42122", + "dataSource": "https://ubuntu.com/security/CVE-2024-42122", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42122" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42122", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42122", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/062edd612fcd300f0f79a36fca5b8b6a5e2fce70", + "https://git.kernel.org/stable/c/8e65a1b7118acf6af96449e1e66b7adbc9396912" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL pointer check for kzalloc\n\n[Why & How]\nCheck return pointer of kzalloc before using it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42122" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42123", + "dataSource": "https://ubuntu.com/security/CVE-2024-42123", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42123" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42123", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42123", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/506c245f3f1cd989cb89811a7f06e04ff8813a0d", + "https://git.kernel.org/stable/c/8e24beb3c2b08a4763f920399a9cc577ed440a1a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix double free err_addr pointer warnings\n\nIn amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages\nwill be run many times so that double free err_addr in some special case.\nSo set the err_addr to NULL to avoid the warnings.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42123" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42124", + "dataSource": "https://ubuntu.com/security/CVE-2024-42124", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42124" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42124", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42124", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a8a91932b2772e75bf3f6d133ca4225d1d3e920", + "https://git.kernel.org/stable/c/0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec", + "https://git.kernel.org/stable/c/2b9c7787cfcd1e76d873a78f16cf45bfa4b100ea", + "https://git.kernel.org/stable/c/4f314aadeed8cdf42c8cf30769425b5e44702748", + "https://git.kernel.org/stable/c/5ceb40cdee721e13cbe15a0515cacf984e11236b", + "https://git.kernel.org/stable/c/b6ded5316ec56e973dcf5f9997945aad01a9f062", + "https://git.kernel.org/stable/c/fa49c65a1cec6a3901ef884fdb24d98068b63493" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Make qedf_execute_tmf() non-preemptible\n\nStop calling smp_processor_id() from preemptible code in\nqedf_execute_tmf90. This results in BUG_ON() when running an RT kernel.\n\n[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646\n[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42124" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42125", + "dataSource": "https://ubuntu.com/security/CVE-2024-42125", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42125" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42125", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42125", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/bb38626f3f97e16e6d368a9ff6daf320f3fe31d9", + "https://git.kernel.org/stable/c/ce4ba62f8bc5195a9a0d49c6235a9c99e619cadc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband\n\nWe have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz\nsband will be NULL even if it is WiFi 7 chip. So, add NULL handling here\nto avoid crash.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42125" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42126", + "dataSource": "https://ubuntu.com/security/CVE-2024-42126", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42126" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42126", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42126", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0db880fc865ffb522141ced4bfa66c12ab1fbb70", + "https://git.kernel.org/stable/c/0f37946c62c48a907625348cbc720a7a0c547d1e", + "https://git.kernel.org/stable/c/2c78c9411e685dbc9eac8c2845111b03501975b8", + "https://git.kernel.org/stable/c/8d3f83dfb23674540c827a8d65fba20aa300b252", + "https://git.kernel.org/stable/c/e2afb26615adf6c3ceaaa7732aa839bcd587a057", + "https://git.kernel.org/stable/c/fb6675db04c4b79883373edc578d5df7bbc84848" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.\n\nnmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel\ncrash when invoked during real mode interrupt handling (e.g. early HMI/MCE\ninterrupt handler) if percpu allocation comes from vmalloc area.\n\nEarly HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()\nwrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when\npercpu allocation is from the embedded first chunk. However with\nCONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu\nallocation can come from the vmalloc area.\n\nWith kernel command line \"percpu_alloc=page\" we can force percpu allocation\nto come from vmalloc area and can see kernel crash in machine_check_early:\n\n[ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110\n[ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0\n[ 1.215719] --- interrupt: 200\n[ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)\n[ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0\n[ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8\n\nFix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu\nfirst chunk is not embedded.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42126" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42127", + "dataSource": "https://ubuntu.com/security/CVE-2024-42127", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42127" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42127", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42127", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04d531b9a1875846d4f89953b469ad463aa7a770", + "https://git.kernel.org/stable/c/0a487e977cb8897ae4c51ecd34bbaa2b005266c9", + "https://git.kernel.org/stable/c/0d60c43df59ef01c08dc7b0c45495178f9d05a13", + "https://git.kernel.org/stable/c/17fe8b75aaf0bb1bdc31368963446b421c22d0af", + "https://git.kernel.org/stable/c/25d0d9b83d855cbc5d5aa5ae3cd79d55ea0c84a8", + "https://git.kernel.org/stable/c/a6683c690bbfd1f371510cb051e8fa49507f3f5e", + "https://git.kernel.org/stable/c/b5daf9217a50636a969bc1965f827878aeb09ffe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: fix shared irq handling on driver remove\n\nlima uses a shared interrupt, so the interrupt handlers must be prepared\nto be called at any time. At driver removal time, the clocks are\ndisabled early and the interrupts stay registered until the very end of\nthe remove process due to the devm usage.\nThis is potentially a bug as the interrupts access device registers\nwhich assumes clocks are enabled. A crash can be triggered by removing\nthe driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.\nThis patch frees the interrupts at each lima device finishing callback\nso that the handlers are already unregistered by the time we fully\ndisable clocks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42127" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42128", + "dataSource": "https://ubuntu.com/security/CVE-2024-42128", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42128" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42128", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42128", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3ead19aa341de89a8c3d88a091d8093ebea622e8", + "https://git.kernel.org/stable/c/9dba44460bfca657ca43f03ea9bafa4f9f7dd077", + "https://git.kernel.org/stable/c/c382e2e3eccb6b7ca8c7aff5092c1668428e7de6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: an30259a: Use devm_mutex_init() for mutex initialization\n\nIn this driver LEDs are registered using devm_led_classdev_register()\nso they are automatically unregistered after module's remove() is done.\nled_classdev_unregister() calls module's led_set_brightness() to turn off\nthe LEDs and that callback uses mutex which was destroyed already\nin module's remove() so use devm API instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42128" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42129", + "dataSource": "https://ubuntu.com/security/CVE-2024-42129", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42129" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42129", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42129", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b62888307ae44b68512d3f7735c26a4c8e45b51", + "https://git.kernel.org/stable/c/efc347b9efee1c2b081f5281d33be4559fa50a16" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: mlxreg: Use devm_mutex_init() for mutex initialization\n\nIn this driver LEDs are registered using devm_led_classdev_register()\nso they are automatically unregistered after module's remove() is done.\nled_classdev_unregister() calls module's led_set_brightness() to turn off\nthe LEDs and that callback uses mutex which was destroyed already\nin module's remove() so use devm API instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42129" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42130", + "dataSource": "https://ubuntu.com/security/CVE-2024-42130", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42130" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42130", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42130", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/056478b4321b36ca33567089d39ac992f6c9c37a", + "https://git.kernel.org/stable/c/068648aab72c9ba7b0597354ef4d81ffaac7b979", + "https://git.kernel.org/stable/c/22a72c1c10f43ca645a98725e0faff34592f4d08", + "https://git.kernel.org/stable/c/41f5e2840cd0629f049ce5ce2f8dd10a8299de42", + "https://git.kernel.org/stable/c/f07bcd8bba803c9e6ad2048543185d6c56587a2f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc/nci: Add the inconsistency check between the input data length and count\n\nwrite$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB=\"610501\"], 0xf)\n\nSyzbot constructed a write() call with a data length of 3 bytes but a count value\nof 15, which passed too little data to meet the basic requirements of the function\nnci_rf_intf_activated_ntf_packet().\n\nTherefore, increasing the comparison between data length and count value to avoid\nproblems caused by inconsistent data length and count.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42130" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42131", + "dataSource": "https://ubuntu.com/security/CVE-2024-42131", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42131" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42131", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42131", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b2d2b8766db028bd827af34075f221ae9e9efff", + "https://git.kernel.org/stable/c/385d838df280eba6c8680f9777bfa0d0bfe7e8b2", + "https://git.kernel.org/stable/c/4d3817b64eda07491bdd86a234629fe0764fb42a", + "https://git.kernel.org/stable/c/7a49389771ae7666f4dc3426e2a4594bf23ae290", + "https://git.kernel.org/stable/c/8e0b5e7f2895eccef5c2a0018b589266f90c4805", + "https://git.kernel.org/stable/c/a25e8536184516b55ef89ab91dd2eea429de28d2", + "https://git.kernel.org/stable/c/bd16a7ee339aef3ee4c90cb23902afb6af379ea0", + "https://git.kernel.org/stable/c/c83ed422c24f0d4b264f89291d4fabe285f80dbc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: avoid overflows in dirty throttling logic\n\nThe dirty throttling logic is interspersed with assumptions that dirty\nlimits in PAGE_SIZE units fit into 32-bit (so that various multiplications\nfit into 64-bits). If limits end up being larger, we will hit overflows,\npossible divisions by 0 etc. Fix these problems by never allowing so\nlarge dirty limits as they have dubious practical value anyway. For\ndirty_bytes / dirty_background_bytes interfaces we can just refuse to set\nso large limits. For dirty_ratio / dirty_background_ratio it isn't so\nsimple as the dirty limit is computed from the amount of available memory\nwhich can change due to memory hotplug etc. So when converting dirty\nlimits from ratios to numbers of pages, we just don't allow the result to\nexceed UINT_MAX.\n\nThis is root-only triggerable problem which occurs when the operator\nsets dirty limits to >16 TB.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42131" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42134", + "dataSource": "https://ubuntu.com/security/CVE-2024-42134", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42134" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42134", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42134", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5e2024b0b9b3d5709e3f7e9b92951d7e29154106", + "https://git.kernel.org/stable/c/c8fae27d141a32a1624d0d0d5419d94252824498" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-pci: Check if is_avq is NULL\n\n[bug]\nIn the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved\nto determine whether it is admin virtqueue, but this function vp_dev->is_avq\n may be empty. For installations, virtio_pci_legacy does not assign a value\n to vp_dev->is_avq.\n\n[fix]\nCheck whether it is vp_dev->is_avq before use.\n\n[test]\nTest with virsh Attach device\nBefore this patch, the following command would crash the guest system\n\nAfter applying the patch, everything seems to be working fine.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42134" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42135", + "dataSource": "https://ubuntu.com/security/CVE-2024-42135", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42135" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42135", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42135", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/abe067dc3a662eef7d5cddbbc41ed50a0b68b0af", + "https://git.kernel.org/stable/c/db5247d9bf5c6ade9fd70b4e4897441e0269b233", + "https://git.kernel.org/stable/c/dec987fe2df670827eb53b97c9552ed8dfc63ad4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost_task: Handle SIGKILL by flushing work and exiting\n\nInstead of lingering until the device is closed, this has us handle\nSIGKILL by:\n\n1. marking the worker as killed so we no longer try to use it with\n new virtqueues and new flush operations.\n2. setting the virtqueue to worker mapping so no new works are queued.\n3. running all the exiting works.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42135" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42136", + "dataSource": "https://ubuntu.com/security/CVE-2024-42136", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42136" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42136", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42136", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c97527e916054acc4a46ffb02842988acb2e92b", + "https://git.kernel.org/stable/c/3ee21e14c8c329168a0b66bab00ecd18f5d0dee3", + "https://git.kernel.org/stable/c/e809bc112712da8f7e15822674c6562da6cdf24c", + "https://git.kernel.org/stable/c/efb905aeb44b0e99c0e6b07865b1885ae0471ebf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncdrom: rearrange last_media_change check to avoid unintentional overflow\n\nWhen running syzkaller with the newly reintroduced signed integer wrap\nsanitizer we encounter this splat:\n\n[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33\n[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')\n[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO\n[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 366.027518] Call Trace:\n[ 366.027523] \n[ 366.027533] dump_stack_lvl+0x93/0xd0\n[ 366.027899] handle_overflow+0x171/0x1b0\n[ 366.038787] ata1.00: invalid multi_count 32 ignored\n[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10\n[ 366.063932] ? __pm_runtime_resume+0xe6/0x130\n[ 366.071923] sr_block_ioctl+0x15d/0x1d0\n[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10\n[ 366.077642] blkdev_ioctl+0x419/0x500\n[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10\n...\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang. It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rearrange the check to not perform any arithmetic, thus not\ntripping the sanitizer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42136" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42137", + "dataSource": "https://ubuntu.com/security/CVE-2024-42137", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42137" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42137", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42137", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/215a26c2404fa34625c725d446967fa328a703eb", + "https://git.kernel.org/stable/c/4ca6013cd18e58ac1044908c40d4006a92093a11", + "https://git.kernel.org/stable/c/88e72239ead9814b886db54fc4ee39ef3c2b8f26", + "https://git.kernel.org/stable/c/977b9dc65e14fb80de4763d949c7dec2ecb15b9b", + "https://git.kernel.org/stable/c/e2d8aa4c763593704ac21e7591aed4f13e32f3b5", + "https://git.kernel.org/stable/c/e6e200b264271f62a3fadb51ada9423015ece37b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot\n\nCommit 272970be3dab (\"Bluetooth: hci_qca: Fix driver shutdown on closed\nserdev\") will cause below regression issue:\n\nBT can't be enabled after below steps:\ncold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure\nif property enable-gpios is not configured within DT|ACPI for QCA6390.\n\nThe commit is to fix a use-after-free issue within qca_serdev_shutdown()\nby adding condition to avoid the serdev is flushed or wrote after closed\nbut also introduces this regression issue regarding above steps since the\nVSC is not sent to reset controller during warm reboot.\n\nFixed by sending the VSC to reset controller within qca_serdev_shutdown()\nonce BT was ever enabled, and the use-after-free issue is also fixed by\nthis change since the serdev is still opened before it is flushed or wrote.\n\nVerified by the reported machine Dell XPS 13 9310 laptop over below two\nkernel commits:\ncommit e00fc2700a3f (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of bluetooth-next tree.\ncommit b23d98d46d28 (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of linus mainline tree.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42137" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42139", + "dataSource": "https://ubuntu.com/security/CVE-2024-42139", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42139" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42139", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42139", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00d3b4f54582d4e4a02cda5886bb336eeab268cc", + "https://git.kernel.org/stable/c/9f69b31ae9e25dec27ad31fbc64dd99af16ee3d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix improper extts handling\n\nExtts events are disabled and enabled by the application ts2phc.\nHowever, in case where the driver is removed when the application is\nrunning, a specific extts event remains enabled and can cause a kernel\ncrash.\nAs a side effect, when the driver is reloaded and application is started\nagain, remaining extts event for the channel from a previous run will\nkeep firing and the message \"extts on unexpected channel\" might be\nprinted to the user.\n\nTo avoid that, extts events shall be disabled when PTP is released.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42139" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42140", + "dataSource": "https://ubuntu.com/security/CVE-2024-42140", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42140" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42140", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42140", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/484dd545271d02d1571e1c6b62ea7df9dbe5e692", + "https://git.kernel.org/stable/c/653deee48a4682ea17a05b96fb6842795ab5943c", + "https://git.kernel.org/stable/c/7692c9b6baacdee378435f58f19baf0eb69e4155", + "https://git.kernel.org/stable/c/bb80a7911218bbab2a69b5db7d2545643ab0073d", + "https://git.kernel.org/stable/c/c562ba719df570c986caf0941fea2449150bcbc4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: kexec: Avoid deadlock in kexec crash path\n\nIf the kexec crash code is called in the interrupt context, the\nmachine_kexec_mask_interrupts() function will trigger a deadlock while\ntrying to acquire the irqdesc spinlock and then deactivate irqchip in\nirq_set_irqchip_state() function.\n\nUnlike arm64, riscv only requires irq_eoi handler to complete EOI and\nkeeping irq_set_irqchip_state() will only leave this possible deadlock\nwithout any use. So we simply remove it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42140" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42143", + "dataSource": "https://ubuntu.com/security/CVE-2024-42143", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42143" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42143", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42143", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42143" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42144", + "dataSource": "https://ubuntu.com/security/CVE-2024-42144", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42144" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42144", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42144", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/79ef1a5593fdb8aa4dbccf6085c48f1739338bc9", + "https://git.kernel.org/stable/c/a1191a77351e25ddf091bb1a231cae12ee598b5d", + "https://git.kernel.org/stable/c/fd7ae1cabfedd727be5bee774c87acbc7b10b886" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data\n\nVerify that lvts_data is not NULL before using it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42144" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42145", + "dataSource": "https://ubuntu.com/security/CVE-2024-42145", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42145" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42145", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42145", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1288cf1cceb0e6df276e182f5412370fb4169bcb", + "https://git.kernel.org/stable/c/62349fbf86b5e13b02721bdadf98c29afd1e7b5f", + "https://git.kernel.org/stable/c/63d202d948bb6d3a28cd8e8b96b160fa53e18baa", + "https://git.kernel.org/stable/c/a6627fba793cc75b7365d9504a0095fb2902dda4", + "https://git.kernel.org/stable/c/b4913702419d064ec4c4bbf7270643c95cc89a1b", + "https://git.kernel.org/stable/c/b8c5f635997f49c625178d1a0cb32a80ed33abe6", + "https://git.kernel.org/stable/c/ca0b44e20a6f3032224599f02e7c8fb49525c894", + "https://git.kernel.org/stable/c/d73cb8862e4d6760ccc94d3b57b9ef6271400607" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Implement a limit on UMAD receive List\n\nThe existing behavior of ib_umad, which maintains received MAD\npackets in an unbounded list, poses a risk of uncontrolled growth.\nAs user-space applications extract packets from this list, the rate\nof extraction may not match the rate of incoming packets, leading\nto potential list overflow.\n\nTo address this, we introduce a limit to the size of the list. After\nconsidering typical scenarios, such as OpenSM processing, which can\nhandle approximately 100k packets per second, and the 1-second retry\ntimeout for most packets, we set the list size limit to 200k. Packets\nreceived beyond this limit are dropped, assuming they are likely timed\nout by the time they are handled by user-space.\n\nNotably, packets queued on the receive list due to reasons like\ntimed-out sends are preserved even when the list is full.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42145" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42146", + "dataSource": "https://ubuntu.com/security/CVE-2024-42146", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42146" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42146", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42146", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0888d15ea45ba8ef4508edd1123ea5ad95b58994", + "https://git.kernel.org/stable/c/f9116f658a6217b101e3b4e89f845775b6fb05d9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf\n\nAny kunit doing any memory access should get their own runtime_pm\nouter references since they don't use the standard driver API\nentries. In special this dma_buf from the same driver.\n\nFound by pre-merge CI on adding WARN calls for unprotected\ninner callers:\n\n<6> [318.639739] # xe_dma_buf_kunit: running xe_test_dmabuf_import_same_driver\n<4> [318.639957] ------------[ cut here ]------------\n<4> [318.639967] xe 0000:4d:00.0: Missing outer runtime PM protection\n<4> [318.640049] WARNING: CPU: 117 PID: 3832 at drivers/gpu/drm/xe/xe_pm.c:533 xe_pm_runtime_get_noresume+0x48/0x60 [xe]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42146" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42147", + "dataSource": "https://ubuntu.com/security/CVE-2024-42147", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42147" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42147", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42147", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7fc8d9a525b5c3f8dfa5ed50901e764d8ede7e1e", + "https://git.kernel.org/stable/c/8be0913389718e8d27c4f1d4537b5e1b99ed7739", + "https://git.kernel.org/stable/c/e0a2d2df9ba7bd6bd7e0a9b6a5e3894f7e8445b3", + "https://git.kernel.org/stable/c/eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/debugfs - Fix debugfs uninit process issue\n\nDuring the zip probe process, the debugfs failure does not stop\nthe probe. When debugfs initialization fails, jumping to the\nerror branch will also release regs, in addition to its own\nrollback operation.\n\nAs a result, it may be released repeatedly during the regs\nuninit process. Therefore, the null check needs to be added to\nthe regs uninit process.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42147" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42148", + "dataSource": "https://ubuntu.com/security/CVE-2024-42148", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42148" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42148", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42148", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b", + "https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7", + "https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f", + "https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce", + "https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d", + "https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f", + "https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e", + "https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnx2x: Fix multiple UBSAN array-index-out-of-bounds\n\nFix UBSAN warnings that occur when using a system with 32 physical\ncpu cores or more, or when the user defines a number of Ethernet\nqueues greater than or equal to FP_SB_MAX_E1x using the num_queues\nmodule parameter.\n\nCurrently there is a read/write out of bounds that occurs on the array\n\"struct stats_query_entry query\" present inside the \"bnx2x_fw_stats_req\"\nstruct in \"drivers/net/ethernet/broadcom/bnx2x/bnx2x.h\".\nLooking at the definition of the \"struct stats_query_entry query\" array:\n\nstruct stats_query_entry query[FP_SB_MAX_E1x+\n BNX2X_FIRST_QUEUE_QUERY_IDX];\n\nFP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and\nhas a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3\nmeaning the array has a total size of 19.\nSince accesses to \"struct stats_query_entry query\" are offset-ted by\nBNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet\nqueues should not exceed FP_SB_MAX_E1x (16). However one of these queues\nis reserved for FCOE and thus the number of Ethernet queues should be set\nto [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if\nit is not.\n\nThis is also described in a comment in the source code in\ndrivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition\nof FP_SB_MAX_E1x. Below is the part of this explanation that it important\nfor this patch\n\n/*\n * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is\n * control by the number of fast-path status blocks supported by the\n * device (HW/FW). Each fast-path status block (FP-SB) aka non-default\n * status block represents an independent interrupts context that can\n * serve a regular L2 networking queue. However special L2 queues such\n * as the FCoE queue do not require a FP-SB and other components like\n * the CNIC may consume FP-SB reducing the number of possible L2 queues\n *\n * If the maximum number of FP-SB available is X then:\n * a. If CNIC is supported it consumes 1 FP-SB thus the max number of\n * regular L2 queues is Y=X-1\n * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)\n * c. If the FCoE L2 queue is supported the actual number of L2 queues\n * is Y+1\n * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for\n * slow-path interrupts) or Y+2 if CNIC is supported (one additional\n * FP interrupt context for the CNIC).\n * e. The number of HW context (CID count) is always X or X+1 if FCoE\n * L2 queue is supported. The cid for the FCoE L2 queue is always X.\n */\n\nHowever this driver also supports NICs that use the E2 controller which can\nhandle more queues due to having more FP-SB represented by FP_SB_MAX_E2.\nLooking at the commits when the E2 support was added, it was originally\nusing the E1x parameters: commit f2e0899f0f27 (\"bnx2x: Add 57712 support\").\nBack then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver\nwas later updated to take full advantage of the E2 instead of having it be\nlimited to the capabilities of the E1x. But as far as we can tell, the\narray \"stats_query_entry query\" was still limited to using the FP-SB\navailable to the E1x cards as part of an oversignt when the driver was\nupdated to take full advantage of the E2, and now with the driver being\naware of the greater queue size supported by E2 NICs, it causes the UBSAN\nwarnings seen in the stack traces below.\n\nThis patch increases the size of the \"stats_query_entry query\" array by\nreplacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle\nboth types of NICs.\n\nStack traces:\n\nUBSAN: array-index-out-of-bounds in\n drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11\nindex 20 is out of range for type 'stats_query_entry [19]'\nCPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic\n\t #202405052133\nHardware name: HP ProLiant DL360 Gen9/ProLiant DL360 \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42148" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42151", + "dataSource": "https://ubuntu.com/security/CVE-2024-42151", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42151" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42151", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42151", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1479eaff1f16983d8fda7c5a08a586c21891087d", + "https://git.kernel.org/stable/c/7f79097b0de97a486b137b750d7dd7b20b519d23" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable\n\nTest case dummy_st_ops/dummy_init_ret_value passes NULL as the first\nparameter of the test_1() function. Mark this parameter as nullable to\nmake verifier aware of such possibility.\nOtherwise, NULL check in the test_1() code:\n\n SEC(\"struct_ops/test_1\")\n int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)\n {\n if (!state)\n return ...;\n\n ... access state ...\n }\n\nMight be removed by verifier, thus triggering NULL pointer dereference\nunder certain conditions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42151" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42152", + "dataSource": "https://ubuntu.com/security/CVE-2024-42152", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42152" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42152", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42152", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa", + "https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1", + "https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33", + "https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da", + "https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5", + "https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a possible leak when destroy a ctrl during qp establishment\n\nIn nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we\nknow that a ctrl was allocated (in the admin connect request handler)\nand we need to release pending AERs, clear ctrl->sqs and sq->ctrl\n(for nvme-loop primarily), and drop the final reference on the ctrl.\n\nHowever, a small window is possible where nvmet_sq_destroy starts (as\na result of the client giving up and disconnecting) concurrently with\nthe nvme admin connect cmd (which may be in an early stage). But *before*\nkill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq\nlive reference). In this case, sq->ctrl was allocated however after it was\ncaptured in a local variable in nvmet_sq_destroy.\nThis prevented the final reference drop on the ctrl.\n\nSolve this by re-capturing the sq->ctrl after all inflight request has\ncompleted, where for sure sq->ctrl reference is final, and move forward\nbased on that.\n\nThis issue was observed in an environment with many hosts connecting\nmultiple ctrls simoutanuosly, creating a delay in allocating a ctrl\nleading up to this race window.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42152" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42153", + "dataSource": "https://ubuntu.com/security/CVE-2024-42153", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42153" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42153", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42153", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/27cd3873fa76ebeb9f948baae40cb9a6d8692289", + "https://git.kernel.org/stable/c/2849a1b747cf37aa5b684527104d3a53f1e296d2", + "https://git.kernel.org/stable/c/3503372d0bf7b324ec0bd6b90606703991426176", + "https://git.kernel.org/stable/c/3d32327f5cfc087ee3922a3bcdcc29880dcdb50f", + "https://git.kernel.org/stable/c/92e494a7568b60ae80d57fc0deafcaf3a4029ab3", + "https://git.kernel.org/stable/c/a349e5ab4dc9954746e836cd10b407ce48f9b2f6", + "https://git.kernel.org/stable/c/effe0500afda017a86c94482b1e36bc37586c9af", + "https://git.kernel.org/stable/c/f63b94be6942ba82c55343e196bd09b53227618e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr\n\nWhen del_timer_sync() is called in an interrupt context it throws a warning\nbecause of potential deadlock. The timer is used only to exit from\nwait_for_completion() after a timeout so replacing the call with\nwait_for_completion_timeout() allows to remove the problematic timer and\nits related functions altogether.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42153" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42154", + "dataSource": "https://ubuntu.com/security/CVE-2024-42154", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42154" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42154", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42154", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/19d997b59fa1fd7a02e770ee0881c0652b9c32c9", + "https://git.kernel.org/stable/c/2a2e79dbe2236a1289412d2044994f7ab419b44c", + "https://git.kernel.org/stable/c/31f03bb04146c1c6df6c03e9f45401f5f5a985d3", + "https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321", + "https://git.kernel.org/stable/c/66be40e622e177316ae81717aa30057ba9e61dff", + "https://git.kernel.org/stable/c/8c2debdd170e395934ac0e039748576dfde14e99", + "https://git.kernel.org/stable/c/cdffc358717e436bb67122bb82c1a2a26e050f98", + "https://git.kernel.org/stable/c/ef7c428b425beeb52b894e16f1c4b629d6cebfb6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_metrics: validate source addr length\n\nI don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4\nis at least 4 bytes long, and the policy doesn't have an entry\nfor this attribute at all (neither does it for IPv6 but v6 is\nmanually validated).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42154" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42155", + "dataSource": "https://ubuntu.com/security/CVE-2024-42155", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42155" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42155", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42155", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://git.kernel.org/stable/c/c746f7ced4ad88ee48d0b6c92710e4674403185b", + "https://git.kernel.org/stable/c/f2ebdadd85af4f4d0cae1e5d009c70eccc78c207" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe copies of protected- and secure-keys\n\nAlthough the clear-key of neither protected- nor secure-keys is\naccessible, this key material should only be visible to the calling\nprocess. So wipe all copies of protected- or secure-keys from stack,\neven in case of an error.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 1.9, + "exploitabilityScore": 0.5, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42155" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42156", + "dataSource": "https://ubuntu.com/security/CVE-2024-42156", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42156" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42156", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42156", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/7f6243edd901b75aaece326c90a1cc0dcb60cc3d", + "https://git.kernel.org/stable/c/d65d76a44ffe74c73298ada25b0f578680576073" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe copies of clear-key structures on failure\n\nWipe all sensitive data from stack for all IOCTLs, which convert a\nclear-key into a protected- or secure-key.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.1, + "exploitabilityScore": 0.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42156" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42157", + "dataSource": "https://ubuntu.com/security/CVE-2024-42157", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42157" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42157", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42157", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1d8c270de5eb74245d72325d285894a577a945d9", + "https://git.kernel.org/stable/c/4889f117755b2f18c23045a0f57977f3ec130581", + "https://git.kernel.org/stable/c/6e2e374403bf73140d0efc9541cb1b3bea55ac02", + "https://git.kernel.org/stable/c/90a01aefb84b09ccb6024d75d85bb8f620bd3487", + "https://git.kernel.org/stable/c/93c034c4314bc4c4450a3869cd5da298502346ad", + "https://git.kernel.org/stable/c/b5eb9176ebd4697bc248bf8d145e66d782cf5250", + "https://git.kernel.org/stable/c/c44a2151e5d21c66b070a056c26471f30719b575", + "https://git.kernel.org/stable/c/c51795885c801b6b7e976717e0d6d45b1e5be0f0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe sensitive data on failure\n\nWipe sensitive data from stack also if the copy_to_user() fails.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.1, + "exploitabilityScore": 0.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42157" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42158", + "dataSource": "https://ubuntu.com/security/CVE-2024-42158", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42158" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42158", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42158", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/22e6824622e8a8889df0f8fc4ed5aea0e702a694", + "https://git.kernel.org/stable/c/62151a0acde90823bdfa991d598c85cf4b1d387d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Use kfree_sensitive() to fix Coccinelle warnings\n\nReplace memzero_explicit() and kfree() with kfree_sensitive() to fix\nwarnings reported by Coccinelle:\n\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506)\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643)\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.1, + "exploitabilityScore": 0.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42158" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42160", + "dataSource": "https://ubuntu.com/security/CVE-2024-42160", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42160" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42160", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42160", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/44958ca9e400f57bd0478115519ffc350fcee61e", + "https://git.kernel.org/stable/c/4ed886b187f47447ad559619c48c086f432d2b77", + "https://git.kernel.org/stable/c/bc84dd2c33e0c10fd90d60f0cfc0bfb504d4692d", + "https://git.kernel.org/stable/c/ecb641f424d6d1f055d149a15b892edcc92c504b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: check validation of fault attrs in f2fs_build_fault_attr()\n\n- It missed to check validation of fault attrs in parse_options(),\nlet's fix to add check condition in f2fs_build_fault_attr().\n- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42160" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42161", + "dataSource": "https://ubuntu.com/security/CVE-2024-42161", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42161" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42161", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42161", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/009367099eb61a4fc2af44d4eb06b6b4de7de6db", + "https://git.kernel.org/stable/c/3364c2ed1c241989847f19cf83e3db903ce689e3", + "https://git.kernel.org/stable/c/7e5471b5efebc30dd0bc035cda86693a5c73d45f", + "https://git.kernel.org/stable/c/a21d76bd0b0d39518e9a4c19f6cf7c042a974aff", + "https://git.kernel.org/stable/c/b694989bb13ed5f166e633faa1eb0f21c6d261a6", + "https://git.kernel.org/stable/c/ff941a8449e712eaf7efca1a13bfb9afd3d99fc2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD\n\n[Changes from V1:\n - Use a default branch in the switch statement to initialize `val'.]\n\nGCC warns that `val' may be used uninitialized in the\nBPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as:\n\n\t[...]\n\tunsigned long long val;\t\t\t\t\t\t \\\n\t[...]\t\t\t\t\t\t\t\t \\\n\tswitch (__CORE_RELO(s, field, BYTE_SIZE)) {\t\t\t \\\n\tcase 1: val = *(const unsigned char *)p; break;\t\t\t \\\n\tcase 2: val = *(const unsigned short *)p; break;\t\t \\\n\tcase 4: val = *(const unsigned int *)p; break;\t\t\t \\\n\tcase 8: val = *(const unsigned long long *)p; break;\t\t \\\n } \t\t\t\t\t\t\t \\\n\t[...]\n\tval;\t\t\t\t\t\t\t\t \\\n\t}\t\t\t\t\t\t\t\t \\\n\nThis patch adds a default entry in the switch statement that sets\n`val' to zero in order to avoid the warning, and random values to be\nused in case __builtin_preserve_field_info returns unexpected values\nfor BPF_FIELD_BYTE_SIZE.\n\nTested in bpf-next master.\nNo regressions.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42161" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42223", + "dataSource": "https://ubuntu.com/security/CVE-2024-42223", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42223" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42223", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42223", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1121d8a5c6ed6b8fad492e43b63b386cb6a3a9d8", + "https://git.kernel.org/stable/c/1663e2474e4d777187d749a5c90ae83232db32bd", + "https://git.kernel.org/stable/c/1aa1329a67cc214c3b7bd2a14d1301a795760b07", + "https://git.kernel.org/stable/c/5c72587d024f087aecec0221eaff2fe850d856ce", + "https://git.kernel.org/stable/c/8167e4d7dc086d4f7ca7897dcff3827e4d22c99a", + "https://git.kernel.org/stable/c/8ac224e9371dc3c4eb666033e6b42d05cf5184a1", + "https://git.kernel.org/stable/c/bd5620439959a7e02012588c724c6ff5143b80af", + "https://git.kernel.org/stable/c/e1ba22618758e95e09c9fd30c69ccce38edf94c0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: tda10048: Fix integer overflow\n\nstate->xtal_hz can be up to 16M, so it can overflow a 32 bit integer\nwhen multiplied by pll_mfactor.\n\nCreate a new 64 bit variable to hold the calculations.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42223" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42224", + "dataSource": "https://ubuntu.com/security/CVE-2024-42224", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42224" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42224", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42224", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2a2fe25a103cef73cde356e6d09da10f607e93f5", + "https://git.kernel.org/stable/c/3bf8d70e1455f87856640c3433b3660a31001618", + "https://git.kernel.org/stable/c/3f25b5f1635449036692a44b771f39f772190c1d", + "https://git.kernel.org/stable/c/47d28dde172696031c880c5778633cdca30394ee", + "https://git.kernel.org/stable/c/4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b", + "https://git.kernel.org/stable/c/8c2c3cca816d074c75a2801d1ca0dea7b0148114", + "https://git.kernel.org/stable/c/aa03f591ef31ba603a4a99d05d25a0f21ab1cd89", + "https://git.kernel.org/stable/c/f75625db838ade28f032dacd0f0c8baca42ecde4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: Correct check for empty list\n\nSince commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO\nbusses\") mv88e6xxx_default_mdio_bus() has checked that the\nreturn value of list_first_entry() is non-NULL.\n\nThis appears to be intended to guard against the list chip->mdios being\nempty. However, it is not the correct check as the implementation of\nlist_first_entry is not designed to return NULL for empty lists.\n\nInstead, use list_first_entry_or_null() which does return NULL if the\nlist is empty.\n\nFlagged by Smatch.\nCompile tested only.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42224" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42225", + "dataSource": "https://ubuntu.com/security/CVE-2024-42225", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42225" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42225", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42225", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/22ea2a7f0b64d323625950414a4496520fb33657", + "https://git.kernel.org/stable/c/64f86337ccfe77fe3be5a9356b0dabde23fbb074", + "https://git.kernel.org/stable/c/7f819a2f4fbc510e088b49c79addcf1734503578", + "https://git.kernel.org/stable/c/dc7f14d00d0c4c21898f3504607f4a31079065a2", + "https://git.kernel.org/stable/c/ff6b26be13032c5fbd6b6a0b24358f8eaac4f3af" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: replace skb_put with skb_put_zero\n\nAvoid potentially reusing uninitialized data", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.6, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42225" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42226", + "dataSource": "https://ubuntu.com/security/CVE-2024-42226", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42226" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42226", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42226", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42226" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42228", + "dataSource": "https://ubuntu.com/security/CVE-2024-42228", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42228" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42228", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42228", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/855ae72c20310e5402b2317fc537d911e87537ef", + "https://git.kernel.org/stable/c/88a9a467c548d0b3c7761b4fd54a68e70f9c0944", + "https://git.kernel.org/stable/c/f8f120b3de48b8b6bdf8988a9b334c2d61c17440" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc\n\nInitialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.\nV2: To really improve the handling we would actually\n need to have a separate value of 0xffffffff.(Christian)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42228" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42229", + "dataSource": "https://ubuntu.com/security/CVE-2024-42229", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42229" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42229", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42229", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/23e4099bdc3c8381992f9eb975c79196d6755210", + "https://git.kernel.org/stable/c/28c8d274848feba552e95c5c2a7e3cfe8f15c534", + "https://git.kernel.org/stable/c/71dd428615375e36523f4d4f7685ddd54113646d", + "https://git.kernel.org/stable/c/9db8c299a521813630fcb4154298cb60c37f3133", + "https://git.kernel.org/stable/c/b502d4a08875ea2b4ea5d5b28dc7c991c8b90cfb", + "https://git.kernel.org/stable/c/f58679996a831754a356974376f248aa0af2eb8e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aead,cipher - zeroize key buffer after use\n\nI.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding\ncryptographic information should be zeroized once they are no longer\nneeded. Accomplish this by using kfree_sensitive for buffers that\npreviously held the private key.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.1, + "exploitabilityScore": 0.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42229" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42230", + "dataSource": "https://ubuntu.com/security/CVE-2024-42230", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42230" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42230", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42230", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/21a741eb75f80397e5f7d3739e24d7d75e619011", + "https://git.kernel.org/stable/c/8c6506616386ce37e59b2745fc481c6713fae4f3", + "https://git.kernel.org/stable/c/c550679d604798d9fed8a5b2bb5693448a25407c", + "https://git.kernel.org/stable/c/d10e3c39001e9194b9a1bfd6979bd3fa19dccdc5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix scv instruction crash with kexec\n\nkexec on pseries disables AIL (reloc_on_exc), required for scv\ninstruction support, before other CPUs have been shut down. This means\nthey can execute scv instructions after AIL is disabled, which causes an\ninterrupt at an unexpected entry location that crashes the kernel.\n\nChange the kexec sequence to disable AIL after other CPUs have been\nbrought down.\n\nAs a refresher, the real-mode scv interrupt vector is 0x17000, and the\nfixed-location head code probably couldn't easily deal with implementing\nsuch high addresses so it was just decided not to support that interrupt\nat all.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42230" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42232", + "dataSource": "https://ubuntu.com/security/CVE-2024-42232", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42232" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42232", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42232", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf", + "https://git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7", + "https://git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a", + "https://git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e", + "https://git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c", + "https://git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea", + "https://git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883", + "https://git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix race between delayed_work() and ceph_monc_stop()\n\nThe way the delayed work is handled in ceph_monc_stop() is prone to\nraces with mon_fault() and possibly also finish_hunting(). Both of\nthese can requeue the delayed work which wouldn't be canceled by any of\nthe following code in case that happens after cancel_delayed_work_sync()\nruns -- __close_session() doesn't mess with the delayed work in order\nto avoid interfering with the hunting interval logic. This part was\nmissed in commit b5d91704f53e (\"libceph: behave in mon_fault() if\ncur_mon < 0\") and use-after-free can still ensue on monc and objects\nthat hang off of it, with monc->auth and monc->monmap being\nparticularly susceptible to quickly being reused.\n\nTo fix this:\n\n- clear monc->cur_mon and monc->hunting as part of closing the session\n in ceph_monc_stop()\n- bail from delayed_work() if monc->cur_mon is cleared, similar to how\n it's done in mon_fault() and finish_hunting() (based on monc->hunting)\n- call cancel_delayed_work_sync() after the session is closed", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42232" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42236", + "dataSource": "https://ubuntu.com/security/CVE-2024-42236", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42236" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42236", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42236", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2d16f63d8030903e5031853e79d731ee5d474e70", + "https://git.kernel.org/stable/c/6d3c721e686ea6c59e18289b400cc95c76e927e0", + "https://git.kernel.org/stable/c/72b8ee0d9826e8ed00e0bdfce3e46b98419b37ce", + "https://git.kernel.org/stable/c/a444c3fc264119801575ab086e03fb4952f23fd0", + "https://git.kernel.org/stable/c/c95fbdde87e39e5e0ae27f28bf6711edfb985caa", + "https://git.kernel.org/stable/c/d1205033e912f9332c1dbefa812e6ceb0575ce0a", + "https://git.kernel.org/stable/c/e8474a10c535e6a2024c3b06e37e4a3a23beb490", + "https://git.kernel.org/stable/c/eecfefad0953b2f31aaefa058f7f348ff39c4bba" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: configfs: Prevent OOB read/write in usb_string_copy()\n\nUserspace provided string 's' could trivially have the length zero. Left\nunchecked this will firstly result in an OOB read in the form\n`if (str[0 - 1] == '\\n') followed closely by an OOB write in the form\n`str[0 - 1] = '\\0'`.\n\nThere is already a validating check to catch strings that are too long.\nLet's supply an additional check for invalid strings that are too short.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42236" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42239", + "dataSource": "https://ubuntu.com/security/CVE-2024-42239", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42239" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42239", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42239", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3e4e8178a8666c56813bd167b848fca0f4c9af0a", + "https://git.kernel.org/stable/c/9369830518688ecd5b08ffc08ab3302ce2b5d0f7", + "https://git.kernel.org/stable/c/d4523831f07a267a943f0dde844bf8ead7495f13" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail bpf_timer_cancel when callback is being cancelled\n\nGiven a schedule:\n\ntimer1 cb\t\t\ttimer2 cb\n\nbpf_timer_cancel(timer2);\tbpf_timer_cancel(timer1);\n\nBoth bpf_timer_cancel calls would wait for the other callback to finish\nexecuting, introducing a lockup.\n\nAdd an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps\ntrack of all in-flight cancellation requests for a given BPF timer.\nWhenever cancelling a BPF timer, we must check if we have outstanding\ncancellation requests, and if so, we must fail the operation with an\nerror (-EDEADLK) since cancellation is synchronous and waits for the\ncallback to finish executing. This implies that we can enter a deadlock\nsituation involving two or more timer callbacks executing in parallel\nand attempting to cancel one another.\n\nNote that we avoid incrementing the cancelling counter for the target\ntimer (the one being cancelled) if bpf_timer_cancel is not invoked from\na callback, to avoid spurious errors. The whole point of detecting\ncur->cancelling and returning -EDEADLK is to not enter a busy wait loop\n(which may or may not lead to a lockup). This does not apply in case the\ncaller is in a non-callback context, the other side can continue to\ncancel as it sees fit without running into errors.\n\nBackground on prior attempts:\n\nEarlier versions of this patch used a bool 'cancelling' bit and used the\nfollowing pattern under timer->lock to publish cancellation status.\n\nlock(t->lock);\nt->cancelling = true;\nmb();\nif (cur->cancelling)\n\treturn -EDEADLK;\nunlock(t->lock);\nhrtimer_cancel(t->timer);\nt->cancelling = false;\n\nThe store outside the critical section could overwrite a parallel\nrequests t->cancelling assignment to true, to ensure the parallely\nexecuting callback observes its cancellation status.\n\nIt would be necessary to clear this cancelling bit once hrtimer_cancel\nis done, but lack of serialization introduced races. Another option was\nexplored where bpf_timer_start would clear the bit when (re)starting the\ntimer under timer->lock. This would ensure serialized access to the\ncancelling bit, but may allow it to be cleared before in-flight\nhrtimer_cancel has finished executing, such that lockups can occur\nagain.\n\nThus, we choose an atomic counter to keep track of all outstanding\ncancellation requests and use it to prevent lockups in case callbacks\nattempt to cancel each other while executing in parallel.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42239" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42240", + "dataSource": "https://ubuntu.com/security/CVE-2024-42240", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42240" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42240", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42240", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/08518d48e5b744620524f0acd7c26c19bda7f513", + "https://git.kernel.org/stable/c/a765679defe1dc1b8fa01928a6ad6361e72a1364", + "https://git.kernel.org/stable/c/ac8b270b61d48fcc61f052097777e3b5e11591e0", + "https://git.kernel.org/stable/c/dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf", + "https://git.kernel.org/stable/c/db56615e96c439e13783d7715330e824b4fd4b84" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/bhi: Avoid warning in #DB handler due to BHI mitigation\n\nWhen BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set\nthen entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the\nclear_bhb_loop() before the TF flag is cleared. This causes the #DB handler\n(exc_debug_kernel()) to issue a warning because single-step is used outside the\nentry_SYSENTER_compat() function.\n\nTo address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY\nafter making sure the TF flag is cleared.\n\nThe problem can be reproduced with the following sequence:\n\n $ cat sysenter_step.c\n int main()\n { asm(\"pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter\"); }\n\n $ gcc -o sysenter_step sysenter_step.c\n\n $ ./sysenter_step\n Segmentation fault (core dumped)\n\nThe program is expected to crash, and the #DB handler will issue a warning.\n\nKernel log:\n\n WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160\n ...\n RIP: 0010:exc_debug_kernel+0xd2/0x160\n ...\n Call Trace:\n <#DB>\n ? show_regs+0x68/0x80\n ? __warn+0x8c/0x140\n ? exc_debug_kernel+0xd2/0x160\n ? report_bug+0x175/0x1a0\n ? handle_bug+0x44/0x90\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? exc_debug_kernel+0xd2/0x160\n exc_debug+0x43/0x50\n asm_exc_debug+0x1e/0x40\n RIP: 0010:clear_bhb_loop+0x0/0xb0\n ...\n \n \n ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d\n \n\n [ bp: Massage commit message. ]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42240" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42243", + "dataSource": "https://ubuntu.com/security/CVE-2024-42243", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42243" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42243", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42243", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/099d90642a711caae377f53309abfe27e8724a8b", + "https://git.kernel.org/stable/c/333c5539a31f48828456aa9997ec2808f06a699a", + "https://git.kernel.org/stable/c/a0c42ddd0969fdc760a85e20e267776028a7ca4e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\n\nPatch series \"mm/filemap: Limit page cache size to that supported by\nxarray\", v2.\n\nCurrently, xarray can't support arbitrary page cache size. More details\ncan be found from the WARN_ON() statement in xas_split_alloc(). In our\ntest whose code is attached below, we hit the WARN_ON() on ARM64 system\nwhere the base page size is 64KB and huge page size is 512MB. The issue\nwas reported long time ago and some discussions on it can be found here\n[1].\n\n[1] https://www.spinics.net/lists/linux-xfs/msg75404.html\n\nIn order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one\nsupported by xarray and avoid PMD-sized page cache if needed. The code\nchanges are suggested by David Hildenbrand.\n\nPATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray\nPATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path\nPATCH[4] avoids PMD-sized page cache for shmem files if needed\n\nTest program\n============\n# cat test.c\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#define TEST_XFS_FILENAME\t\"/tmp/data\"\n#define TEST_SHMEM_FILENAME\t\"/dev/shm/data\"\n#define TEST_MEM_SIZE\t\t0x20000000\n\nint main(int argc, char **argv)\n{\n\tconst char *filename;\n\tint fd = 0;\n\tvoid *buf = (void *)-1, *p;\n\tint pgsize = getpagesize();\n\tint ret;\n\n\tif (pgsize != 0x10000) {\n\t\tfprintf(stderr, \"64KB base page size is required\\n\");\n\t\treturn -EPERM;\n\t}\n\n\tsystem(\"echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled\");\n\tsystem(\"rm -fr /tmp/data\");\n\tsystem(\"rm -fr /dev/shm/data\");\n\tsystem(\"echo 1 > /proc/sys/vm/drop_caches\");\n\n\t/* Open xfs or shmem file */\n\tfilename = TEST_XFS_FILENAME;\n\tif (argc > 1 && !strcmp(argv[1], \"shmem\"))\n\t\tfilename = TEST_SHMEM_FILENAME;\n\n\tfd = open(filename, O_CREAT | O_RDWR | O_TRUNC);\n\tif (fd < 0) {\n\t\tfprintf(stderr, \"Unable to open <%s>\\n\", filename);\n\t\treturn -EIO;\n\t}\n\n\t/* Extend file size */\n\tret = ftruncate(fd, TEST_MEM_SIZE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to ftruncate()\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Create VMA */\n\tbuf = mmap(NULL, TEST_MEM_SIZE,\n\t\t PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n\tif (buf == (void *)-1) {\n\t\tfprintf(stderr, \"Unable to mmap <%s>\\n\", filename);\n\t\tgoto cleanup;\n\t}\n\n\tfprintf(stdout, \"mapped buffer at 0x%p\\n\", buf);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\n if (ret) {\n\t\tfprintf(stderr, \"Unable to madvise(MADV_HUGEPAGE)\\n\");\n\t\tgoto cleanup;\n\t}\n\n\t/* Populate VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to madvise(MADV_POPULATE_WRITE)\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Punch the file to enforce xarray split */\n\tret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\n \t\tTEST_MEM_SIZE - pgsize, pgsize);\n\tif (ret)\n\t\tfprintf(stderr, \"Error %d to fallocate()\\n\", ret);\n\ncleanup:\n\tif (buf != (void *)-1)\n\t\tmunmap(buf, TEST_MEM_SIZE);\n\tif (fd > 0)\n\t\tclose(fd);\n\n\treturn 0;\n}\n\n# gcc test.c -o test\n# cat /proc/1/smaps | grep KernelPageSize | head -n 1\nKernelPageSize: 64 kB\n# ./test shmem\n :\n------------[ cut here ]------------\nWARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon \\\ndrm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\nvirtio_net sha1_ce net_failover failover virtio_console virtio_blk \\\ndimlib virtio_mmio\nCPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TC\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42243" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42244", + "dataSource": "https://ubuntu.com/security/CVE-2024-42244", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42244" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42244", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42244", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1094ed500987e67a9d18b0f95e1812f1cc720856", + "https://git.kernel.org/stable/c/553e67dec846323b5575e78a776cf594c13f98c4", + "https://git.kernel.org/stable/c/5ae6a64f18211851c8df6b4221381c438b9a7348", + "https://git.kernel.org/stable/c/932a86a711c722b45ed47ba2103adca34d225b33", + "https://git.kernel.org/stable/c/b14aa5673e0a8077ff4b74f0bb260735e7d5e6a4", + "https://git.kernel.org/stable/c/c15a688e49987385baa8804bf65d570e362f8576" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: mos7840: fix crash on resume\n\nSince commit c49cfa917025 (\"USB: serial: use generic method if no\nalternative is provided in usb serial layer\"), USB serial core calls the\ngeneric resume implementation when the driver has not provided one.\n\nThis can trigger a crash on resume with mos7840 since support for\nmultiple read URBs was added back in 2011. Specifically, both port read\nURBs are now submitted on resume for open ports, but the context pointer\nof the second URB is left set to the core rather than mos7840 port\nstructure.\n\nFix this by implementing dedicated suspend and resume functions for\nmos7840.\n\nTested with Delock 87414 USB 2.0 to 4x serial adapter.\n\n[ johan: analyse crash and rewrite commit message; set busy flag on\n resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42244" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42246", + "dataSource": "https://ubuntu.com/security/CVE-2024-42246", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42246" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42246", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42246", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/626dfed5fa3bfb41e0dffd796032b555b69f9cde", + "https://git.kernel.org/stable/c/d6c686c01c5f12ff8f7264e0ddf71df6cb0d4414", + "https://git.kernel.org/stable/c/f2431e7db0fe0daccb2f06bb0d23740affcd2fa6", + "https://git.kernel.org/stable/c/f388cfd913a2b96c05339a335f365795db1b36b6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket\n\nWhen using a BPF program on kernel_connect(), the call can return -EPERM. This\ncauses xs_tcp_setup_socket() to loop forever, filling up the syslog and causing\nthe kernel to potentially freeze up.\n\nNeil suggested:\n\n This will propagate -EPERM up into other layers which might not be ready\n to handle it. It might be safer to map EPERM to an error we would be more\n likely to expect from the network system - such as ECONNREFUSED or ENETDOWN.\n\nECONNREFUSED as error seems reasonable. For programs setting a different error\ncan be out of reach (see handling in 4fbac77d2d09) in particular on kernels\nwhich do not have f10d05966196 (\"bpf: Make BPF_PROG_RUN_ARRAY return -err\ninstead of allow boolean\"), thus given that it is better to simply remap for\nconsistent behavior. UDP does handle EPERM in xs_udp_send_request().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42246" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42247", + "dataSource": "https://ubuntu.com/security/CVE-2024-42247", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42247" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42247", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42247", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/217978a29c6ceca76d3c640bf94bdf50c268d801", + "https://git.kernel.org/stable/c/2fb34bf76431e831f9863cd59adc0bd1f67b0fbf", + "https://git.kernel.org/stable/c/6638a203abad35fa636d59ac47bdbc4bc100fd74", + "https://git.kernel.org/stable/c/948f991c62a4018fb81d85804eeab3029c6209f8", + "https://git.kernel.org/stable/c/ae630de24efb123d7199a43256396d7758f4cb75", + "https://git.kernel.org/stable/c/b4764f0ad3d68de8a0b847c05f427afb86dd54e6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: allowedips: avoid unaligned 64-bit memory accesses\n\nOn the parisc platform, the kernel issues kernel warnings because\nswap_endian() tries to load a 128-bit IPv6 address from an unaligned\nmemory location:\n\n Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df)\n Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc)\n\nAvoid such unaligned memory accesses by instead using the\nget_unaligned_be64() helper macro.\n\n[Jason: replace src[8] in original patch with src+8]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42247" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42252", + "dataSource": "https://ubuntu.com/security/CVE-2024-42252", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42252" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42252", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42252", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/339b84ab6b1d66900c27bd999271cb2ae40ce812", + "https://git.kernel.org/stable/c/5d85f2ab79d5918a66539ebf046c099f7448db8d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclosures: Change BUG_ON() to WARN_ON()\n\nIf a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON()\n\nFor reference, this has popped up once in the CI, and we'll need more\ninfo to debug it:\n\n03240 ------------[ cut here ]------------\n03240 kernel BUG at lib/closure.c:21!\n03240 kernel BUG at lib/closure.c:21!\n03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n03240 Modules linked in:\n03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570\n03240 Hardware name: linux,dummy-virt (DT)\n03240 Workqueue: btree_update btree_interior_update_work\n03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\n03240 pc : closure_put+0x224/0x2a0\n03240 lr : closure_put+0x24/0x2a0\n03240 sp : ffff0000d12071c0\n03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360\n03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040\n03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168\n03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001\n03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974\n03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d\n03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e\n03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b\n03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954\n03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000\n03240 Call trace:\n03240 closure_put+0x224/0x2a0\n03240 bch2_check_for_deadlock+0x910/0x1028\n03240 bch2_six_check_for_deadlock+0x1c/0x30\n03240 six_lock_slowpath.isra.0+0x29c/0xed0\n03240 six_lock_ip_waiter+0xa8/0xf8\n03240 __bch2_btree_node_lock_write+0x14c/0x298\n03240 bch2_trans_lock_write+0x6d4/0xb10\n03240 __bch2_trans_commit+0x135c/0x5520\n03240 btree_interior_update_work+0x1248/0x1c10\n03240 process_scheduled_works+0x53c/0xd90\n03240 worker_thread+0x370/0x8c8\n03240 kthread+0x258/0x2e8\n03240 ret_from_fork+0x10/0x20\n03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000)\n03240 ---[ end trace 0000000000000000 ]---\n03240 Kernel panic - not syncing: Oops - BUG: Fatal exception\n03240 SMP: stopping secondary CPUs\n03241 SMP: failed to stop secondary CPUs 13,15\n03241 Kernel Offset: disabled\n03241 CPU features: 0x00,00000003,80000008,4240500b\n03241 Memory Limit: none\n03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]---\n03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42252" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42253", + "dataSource": "https://ubuntu.com/security/CVE-2024-42253", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42253" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42253", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42253", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/58a5c93bd1a6e949267400080f07e57ffe05ec34", + "https://git.kernel.org/stable/c/bfc6444b57dc7186b6acc964705d7516cbaf3904", + "https://git.kernel.org/stable/c/de7cffa53149c7b48bd1bb29b02390c9f05b7f41", + "https://git.kernel.org/stable/c/e2ecdddca80dd845df42376e4b0197fe97018ba2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: pca953x: fix pca953x_irq_bus_sync_unlock race\n\nEnsure that `i2c_lock' is held when setting interrupt latch and mask in\npca953x_irq_bus_sync_unlock() in order to avoid races.\n\nThe other (non-probe) call site pca953x_gpio_set_multiple() ensures the\nlock is held before calling pca953x_write_regs().\n\nThe problem occurred when a request raced against irq_bus_sync_unlock()\napproximately once per thousand reboots on an i.MX8MP based system.\n\n * Normal case\n\n 0-0022: write register AI|3a {03,02,00,00,01} Input latch P0\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\n\n * Race case\n\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\n 0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register ***\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42253" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42259", + "dataSource": "https://ubuntu.com/security/CVE-2024-42259", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42259" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42259", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42259", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3e06073d24807f04b4694108a8474decb7b99e60", + "https://git.kernel.org/stable/c/4b09513ce93b3dcb590baaaff2ce96f2d098312d", + "https://git.kernel.org/stable/c/50111a8098fb9ade621eeff82228a997d42732ab", + "https://git.kernel.org/stable/c/8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3", + "https://git.kernel.org/stable/c/911f8055f175c82775d0fd8cedcd0b75413f4ba7", + "https://git.kernel.org/stable/c/a256d019eaf044864c7e50312f0a65b323c24f39", + "https://git.kernel.org/stable/c/e8a68aa842d3f8dd04a46b9d632e5f67fde1da9b", + "https://git.kernel.org/stable/c/ead9289a51ea82eb5b27029fcf4c34b2dd60cf06" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Fix Virtual Memory mapping boundaries calculation\n\nCalculating the size of the mapped area as the lesser value\nbetween the requested size and the actual size does not consider\nthe partial mapping offset. This can cause page fault access.\n\nFix the calculation of the starting and ending addresses, the\ntotal size is now deduced from the difference between the end and\nstart addresses.\n\nAdditionally, the calculations have been rewritten in a clearer\nand more understandable form.\n\n[Joonas: Add Requires: tag]\nRequires: 60a2066c5005 (\"drm/i915/gem: Adjust vma offset for framebuffer mmap offset\")\n(cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42259" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42267", + "dataSource": "https://ubuntu.com/security/CVE-2024-42267", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42267" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42267", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42267", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c710050c47d45eb77b28c271cddefc5c785cb40", + "https://git.kernel.org/stable/c/20dbdebc5580cd472a310d56a6e252275ee4c864", + "https://git.kernel.org/stable/c/59be4a167782d68e21068a761b90b01fadc09146", + "https://git.kernel.org/stable/c/917f598209f3f5e4ab175d5079d8aeb523e58b1f", + "https://git.kernel.org/stable/c/d4e7db757e2d7f4c407a007e92c98477eab215d2", + "https://git.kernel.org/stable/c/d7ccf2ca772bfe33e2c53ef80fa20d2d87eb6144" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()\n\nHandle VM_FAULT_SIGSEGV in the page fault path so that we correctly\nkill the process and we don't BUG() the kernel.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42267" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42269", + "dataSource": "https://ubuntu.com/security/CVE-2024-42269", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42269" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42269", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42269", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/419ee6274c5153b89c4393c1946faa4c3cad4f9e", + "https://git.kernel.org/stable/c/87dba44e9471b79b255d0736858a897332db9226", + "https://git.kernel.org/stable/c/91b6df6611b7edb28676c4f63f90c56c30d3e601", + "https://git.kernel.org/stable/c/c22921df777de5606f1047b1345b8d22ef1c0b34", + "https://git.kernel.org/stable/c/e85b9b6a87be4cb3710082038b677e97f2389003" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().\n\nip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id],\nbut the function is exposed to user space before the entry is allocated\nvia register_pernet_subsys().\n\nLet's call register_pernet_subsys() before xt_register_template().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42269" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42270", + "dataSource": "https://ubuntu.com/security/CVE-2024-42270", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42270" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42270", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42270", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/08ed888b69a22647153fe2bec55b7cd0a46102cc", + "https://git.kernel.org/stable/c/5830aa863981d43560748aa93589c0695191d95d", + "https://git.kernel.org/stable/c/70014b73d7539fcbb6b4ff5f37368d7241d8e626", + "https://git.kernel.org/stable/c/95590a4929027769af35b153645c0ab6fd22b29b", + "https://git.kernel.org/stable/c/b98ddb65fa1674b0e6b52de8af9103b63f51b643" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().\n\nWe had a report that iptables-restore sometimes triggered null-ptr-deref\nat boot time. [0]\n\nThe problem is that iptable_nat_table_init() is exposed to user space\nbefore the kernel fully initialises netns.\n\nIn the small race window, a user could call iptable_nat_table_init()\nthat accesses net_generic(net, iptable_nat_net_id), which is available\nonly after registering iptable_nat_net_ops.\n\nLet's call register_pernet_subsys() before xt_register_template().\n\n[0]:\nbpfilter: Loaded bpfilter_umh pid 11702\nStarted bpfilter\nBUG: kernel NULL pointer dereference, address: 0000000000000013\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 0 P4D 0\nPREEMPT SMP NOPTI\nCPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1\nHardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017\nRIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\nCode: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c\nRSP: 0018:ffffbef902843cd0 EFLAGS: 00010246\nRAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80\nRDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0\nRBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240\nR10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000\nR13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004\nFS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? xt_find_table_lock (net/netfilter/x_tables.c:1259)\n ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)\n ? page_fault_oops (arch/x86/mm/fault.c:727)\n ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)\n ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)\n ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\n xt_find_table_lock (net/netfilter/x_tables.c:1259)\n xt_request_find_table_lock (net/netfilter/x_tables.c:1287)\n get_info (net/ipv4/netfilter/ip_tables.c:965)\n ? security_capable (security/security.c:809 (discriminator 13))\n ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)\n ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)\n ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter\n nf_getsockopt (net/netfilter/nf_sockopt.c:116)\n ip_getsockopt (net/ipv4/ip_sockglue.c:1827)\n __sys_getsockopt (net/socket.c:2327)\n __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)\n do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)\nRIP: 0033:0x7f62844685ee\nCode: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09\nRSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037\nRAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0\nR10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2\nR13: 00007f6284\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42270" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42271", + "dataSource": "https://ubuntu.com/security/CVE-2024-42271", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42271" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42271", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42271", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/01437282fd3904810603f3dc98d2cac6b8b6fc84", + "https://git.kernel.org/stable/c/37652fbef9809411cea55ea5fa1a170e299efcd0", + "https://git.kernel.org/stable/c/69620522c48ce8215e5eb55ffbab8cafee8f407d", + "https://git.kernel.org/stable/c/84f40b46787ecb67c7ad08a5bb1376141fa10c01", + "https://git.kernel.org/stable/c/8b424c9e44111c5a76f41c6b741f8d4c4179d876", + "https://git.kernel.org/stable/c/ac758e1f663fe9bc64f6b47212a2aa18697524f5", + "https://git.kernel.org/stable/c/c65f72eec60a34ace031426e04e9aff8e5f04895", + "https://git.kernel.org/stable/c/f558120cd709682b739207b48cf7479fd9568431" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: fix use after free in iucv_sock_close()\n\niucv_sever_path() is called from process context and from bh context.\niucv->path is used as indicator whether somebody else is taking care of\nsevering the path (or it is already removed / never existed).\nThis needs to be done with atomic compare and swap, otherwise there is a\nsmall window where iucv_sock_close() will try to work with a path that has\nalready been severed and freed by iucv_callback_connrej() called by\niucv_tasklet_fn().\n\nExample:\n[452744.123844] Call Trace:\n[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)\n[452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138\n[452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]\n[452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]\n[452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]\n[452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8\n[452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48\n[452744.124820] [<00000000d5421642>] __fput+0xba/0x268\n[452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0\n[452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90\n[452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8\n[452744.125319] Last Breaking-Event-Address:\n[452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138\n[452744.125324]\n[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt\n\nNote that bh_lock_sock() is not serializing the tasklet context against\nprocess context, because the check for sock_owned_by_user() and\ncorresponding handling is missing.\n\nIdeas for a future clean-up patch:\nA) Correct usage of bh_lock_sock() in tasklet context, as described in\nRe-enqueue, if needed. This may require adding return values to the\ntasklet functions and thus changes to all users of iucv.\n\nB) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42271" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42272", + "dataSource": "https://ubuntu.com/security/CVE-2024-42272", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42272" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42272", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42272", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2191a54f63225b548fd8346be3611c3219a24738", + "https://git.kernel.org/stable/c/3a5b68869dbe14f1157c6a24ac71923db060eeab", + "https://git.kernel.org/stable/c/3ddefcb8f75e312535e2e7d5fef9932019ba60f2", + "https://git.kernel.org/stable/c/7c03ab555eb1ba26c77fd7c25bdf44a0ac23edee", + "https://git.kernel.org/stable/c/d06daf0ad645d9225a3ff6958dd82e1f3988fa64", + "https://git.kernel.org/stable/c/d7cc186d0973afce0e1237c37f7512c01981fb79" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: act_ct: take care of padding in struct zones_ht_key\n\nBlamed commit increased lookup key size from 2 bytes to 16 bytes,\nbecause zones_ht_key got a struct net pointer.\n\nMake sure rhashtable_lookup() is not using the padding bytes\nwhich are not initialized.\n\n BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408\n tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425\n tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488\n tcf_action_add net/sched/act_api.c:2061 [inline]\n tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118\n rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665\n netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\n netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357\n netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2597\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651\n __sys_sendmsg net/socket.c:2680 [inline]\n __do_sys_sendmsg net/socket.c:2689 [inline]\n __se_sys_sendmsg net/socket.c:2687 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687\n x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable key created at:\n tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42272" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42273", + "dataSource": "https://ubuntu.com/security/CVE-2024-42273", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42273" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42273", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42273", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0cd106612396656d6f1ca17ef192c6759bb60791", + "https://git.kernel.org/stable/c/4239571c5db46a42f723b8fa8394039187c34439", + "https://git.kernel.org/stable/c/5fd057160ab240dd816ae09b625395d54c297de1", + "https://git.kernel.org/stable/c/8cb1f4080dd91c6e6b01dbea013a3f42341cb6a1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid\n\nmkdir /mnt/test/comp\nf2fs_io setflags compression /mnt/test/comp\ndd if=/dev/zero of=/mnt/test/comp/testfile bs=16k count=1\ntruncate --size 13 /mnt/test/comp/testfile\n\nIn the above scenario, we can get a BUG_ON.\n kernel BUG at fs/f2fs/segment.c:3589!\n Call Trace:\n do_write_page+0x78/0x390 [f2fs]\n f2fs_outplace_write_data+0x62/0xb0 [f2fs]\n f2fs_do_write_data_page+0x275/0x740 [f2fs]\n f2fs_write_single_data_page+0x1dc/0x8f0 [f2fs]\n f2fs_write_multi_pages+0x1e5/0xae0 [f2fs]\n f2fs_write_cache_pages+0xab1/0xc60 [f2fs]\n f2fs_write_data_pages+0x2d8/0x330 [f2fs]\n do_writepages+0xcf/0x270\n __writeback_single_inode+0x44/0x350\n writeback_sb_inodes+0x242/0x530\n __writeback_inodes_wb+0x54/0xf0\n wb_writeback+0x192/0x310\n wb_workfn+0x30d/0x400\n\nThe reason is we gave CURSEG_ALL_DATA_ATGC to COMPR_ADDR where the\npage was set the gcing flag by set_cluster_dirty().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42273" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42274", + "dataSource": "https://ubuntu.com/security/CVE-2024-42274", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42274" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42274", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42274", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/36c255db5a25edd42d1aca48e38b8e95ee5fd9ef", + "https://git.kernel.org/stable/c/3dab73ab925a51ab05543b491bf17463a48ca323", + "https://git.kernel.org/stable/c/7c07220cf634002f93a87ca2252a32766850f2d1", + "https://git.kernel.org/stable/c/b239a37d68e8bc59f9516444da222841e3b13ba9", + "https://git.kernel.org/stable/c/f5043e69aeb2786f32e84132817a007a6430aa7d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"ALSA: firewire-lib: operate for period elapse event in process context\"\n\nCommit 7ba5ca32fe6e (\"ALSA: firewire-lib: operate for period elapse event\nin process context\") removed the process context workqueue from\namdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove\nits overhead.\n\nWith RME Fireface 800, this lead to a regression since\nKernels 5.14.0, causing an AB/BA deadlock competition for the\nsubstream lock with eventual system freeze under ALSA operation:\n\nthread 0:\n * (lock A) acquire substream lock by\n\tsnd_pcm_stream_lock_irq() in\n\tsnd_pcm_status64()\n * (lock B) wait for tasklet to finish by calling\n \ttasklet_unlock_spin_wait() in\n\ttasklet_disable_in_atomic() in\n\tohci_flush_iso_completions() of ohci.c\n\nthread 1:\n * (lock B) enter tasklet\n * (lock A) attempt to acquire substream lock,\n \twaiting for it to be released:\n\tsnd_pcm_stream_lock_irqsave() in\n \tsnd_pcm_period_elapsed() in\n\tupdate_pcm_pointers() in\n\tprocess_ctx_payloads() in\n\tprocess_rx_packets() of amdtp-stream.c\n\n? tasklet_unlock_spin_wait\n \n \nohci_flush_iso_completions firewire_ohci\namdtp_domain_stream_pcm_pointer snd_firewire_lib\nsnd_pcm_update_hw_ptr0 snd_pcm\nsnd_pcm_status64 snd_pcm\n\n? native_queued_spin_lock_slowpath\n \n \n_raw_spin_lock_irqsave\nsnd_pcm_period_elapsed snd_pcm\nprocess_rx_packets snd_firewire_lib\nirq_target_callback snd_firewire_lib\nhandle_it_packet firewire_ohci\ncontext_tasklet firewire_ohci\n\nRestore the process context work queue to prevent deadlock\nAB/BA deadlock competition for ALSA substream lock of\nsnd_pcm_stream_lock_irq() in snd_pcm_status64()\nand snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed().\n\nrevert commit 7ba5ca32fe6e (\"ALSA: firewire-lib: operate for period\nelapse event in process context\")\n\nReplace inline description to prevent future deadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42274" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42276", + "dataSource": "https://ubuntu.com/security/CVE-2024-42276", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42276" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42276", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42276", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3f8ec1d6b0ebd8268307d52be8301973fa5a01ec", + "https://git.kernel.org/stable/c/70100fe721840bf6d8e5abd25b8bffe4d2e049b7", + "https://git.kernel.org/stable/c/77848b379e9f85a08048a2c8b3b4a7e8396f5f83", + "https://git.kernel.org/stable/c/7cc1f4cd90a00b6191cb8cda2d1302fdce59361c", + "https://git.kernel.org/stable/c/be23ae63080e0bf9e246ab20207200bca6585eba", + "https://git.kernel.org/stable/c/c31fad1470389666ac7169fe43aa65bf5b7e2cfd", + "https://git.kernel.org/stable/c/d135c3352f7c947a922da93c8e763ee6bc208b64" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: add missing condition check for existence of mapped data\n\nnvme_map_data() is called when request has physical segments, hence\nthe nvme_unmap_data() should have same condition to avoid dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42276" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42277", + "dataSource": "https://ubuntu.com/security/CVE-2024-42277", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42277" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42277", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42277", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/630482ee0653decf9e2482ac6181897eb6cde5b8", + "https://git.kernel.org/stable/c/8c79ceb4ecf823e6ec10fee6febb0fca3de79922", + "https://git.kernel.org/stable/c/b62841e49a2b7938f6fdeaaf93fb57e4eb880bdb", + "https://git.kernel.org/stable/c/d5fe884ce28c5005f8582c35333c195a168f841c", + "https://git.kernel.org/stable/c/dfe90030a0cfa26dca4cb6510de28920e5ad22fb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: sprd: Avoid NULL deref in sprd_iommu_hw_en\n\nIn sprd_iommu_cleanup() before calling function sprd_iommu_hw_en()\ndom->sdev is equal to NULL, which leads to null dereference.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42277" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42280", + "dataSource": "https://ubuntu.com/security/CVE-2024-42280", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42280" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42280", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42280", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4d8b642985ae24f4b3656438eb8489834a17bb80", + "https://git.kernel.org/stable/c/61ab751451f5ebd0b98e02276a44e23a10110402", + "https://git.kernel.org/stable/c/70db2c84631f50e02e6b32b543700699dd395803", + "https://git.kernel.org/stable/c/7e4a539bca7d8d20f2c5d93c18cce8ef77cd78e0", + "https://git.kernel.org/stable/c/8f4030277dfb9dbe04fd78566b19931097c9d629", + "https://git.kernel.org/stable/c/9460ac3dd1ae033bc2b021a458fb535a0c36ddb2", + "https://git.kernel.org/stable/c/d3e4d4a98c5629ccdcb762a0ff6c82ba9738a0c3", + "https://git.kernel.org/stable/c/ddc79556641ee070d36be0de4a1f0a16a71f1fc7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: Fix a use after free in hfcmulti_tx()\n\nDon't dereference *sp after calling dev_kfree_skb(*sp).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42280" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42281", + "dataSource": "https://ubuntu.com/security/CVE-2024-42281", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42281" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42281", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42281", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/11ec79f5c7f74261874744039bc1551023edd6b2", + "https://git.kernel.org/stable/c/a689f5eb13a90f892a088865478b3cd39f53d5dc", + "https://git.kernel.org/stable/c/c3496314c53e7e82ddb544c825defc3e8c0e45cf", + "https://git.kernel.org/stable/c/dda518dea60d556a2d171c0122ca7d9fdb7d473a", + "https://git.kernel.org/stable/c/ec4eea14d75f7b0491194dd413f540dd19b8c733", + "https://git.kernel.org/stable/c/f6bb8c90cab97a3e03f8d30e3069efe6a742e0be", + "https://git.kernel.org/stable/c/fa5ef655615a01533035c6139248c5b33aa27028" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a segment issue when downgrading gso_size\n\nLinearize the skb when downgrading gso_size because it may trigger a\nBUG_ON() later when the skb is segmented as described in [1,2].", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42281" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42283", + "dataSource": "https://ubuntu.com/security/CVE-2024-42283", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42283" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42283", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42283", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1377de719652d868f5317ba8398b7e74c5f0430b", + "https://git.kernel.org/stable/c/5cc4d71dda2dd4f1520f40e634a527022e48ccd8", + "https://git.kernel.org/stable/c/6d745cd0e9720282cd291d36b9db528aea18add2", + "https://git.kernel.org/stable/c/7704460acd7f5d35eb07c52500987dc9b95313fb", + "https://git.kernel.org/stable/c/9e8f558a3afe99ce51a642ce0d3637ddc2b5d5d0", + "https://git.kernel.org/stable/c/a13d3864b76ac87085ec530b2ff8e37482a63a96", + "https://git.kernel.org/stable/c/fd06cb4a5fc7bda3dea31712618a62af72a1c6cb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nexthop: Initialize all fields in dumped nexthops\n\nstruct nexthop_grp contains two reserved fields that are not initialized by\nnla_put_nh_group(), and carry garbage. This can be observed e.g. with\nstrace (edited for clarity):\n\n # ip nexthop add id 1 dev lo\n # ip nexthop add id 101 group 1\n # strace -e recvmsg ip nexthop get id 101\n ...\n recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},\n [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52\n\nThe fields are reserved and therefore not currently used. But as they are, they\nleak kernel memory, and the fact they are not just zero complicates repurposing\nof the fields for new ends. Initialize the full structure.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42283" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42284", + "dataSource": "https://ubuntu.com/security/CVE-2024-42284", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42284" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42284", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42284", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/253405541be2f15ffebdeac2f4cf4b7e9144d12f", + "https://git.kernel.org/stable/c/2abe350db1aa599eeebc6892237d0bce0f1de62a", + "https://git.kernel.org/stable/c/5eea127675450583680c8170358bcba43227bd69", + "https://git.kernel.org/stable/c/728734352743a78b4c5a7285b282127696a4a813", + "https://git.kernel.org/stable/c/76ddf84a52f0d8ec3f5db6ccce08faf202a17d28", + "https://git.kernel.org/stable/c/7ec3335dd89c8d169e9650e4bac64fde71fdf15b", + "https://git.kernel.org/stable/c/aa38bf74899de07cf70b50cd17f8ad45fb6654c8", + "https://git.kernel.org/stable/c/fa96c6baef1b5385e2f0c0677b32b3839e716076" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Return non-zero value from tipc_udp_addr2str() on error\n\ntipc_udp_addr2str() should return non-zero value if the UDP media\naddress is invalid. Otherwise, a buffer overflow access can occur in\ntipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP\nmedia address.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42284" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42285", + "dataSource": "https://ubuntu.com/security/CVE-2024-42285", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42285" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42285", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42285", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/557d035fe88d78dd51664f4dc0e1896c04c97cf6", + "https://git.kernel.org/stable/c/7f25f296fc9bd0435be14e89bf657cd615a23574", + "https://git.kernel.org/stable/c/94ee7ff99b87435ec63211f632918dc7f44dac79", + "https://git.kernel.org/stable/c/aee2424246f9f1dadc33faa78990c1e2eb7826e4", + "https://git.kernel.org/stable/c/d91d253c87fd1efece521ff2612078a35af673c6", + "https://git.kernel.org/stable/c/dc8074b8901caabb97c2d353abd6b4e7fa5a59a5", + "https://git.kernel.org/stable/c/ee39384ee787e86e9db4efb843818ef0ea9cb8ae", + "https://git.kernel.org/stable/c/ff5bbbdee08287d75d72e65b72a2b76d9637892a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix a use-after-free related to destroying CM IDs\n\niw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with\nan existing struct iw_cm_id (cm_id) as follows:\n\n conn_id->cm_id.iw = cm_id;\n cm_id->context = conn_id;\n cm_id->cm_handler = cma_iw_handler;\n\nrdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make\nsure that cm_work_handler() does not trigger a use-after-free by only\nfreeing of the struct rdma_id_private after all pending work has finished.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42285" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42286", + "dataSource": "https://ubuntu.com/security/CVE-2024-42286", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42286" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42286", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42286", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3eac973eb5cb2b874b3918f924798afc5affd46b", + "https://git.kernel.org/stable/c/549aac9655320c9b245a24271b204668c5d40430", + "https://git.kernel.org/stable/c/7cec2c3bfe84539c415f5e16f989228eba1d2f1e", + "https://git.kernel.org/stable/c/a3ab508a4853a9f5ae25a7816a4889f09938f63c", + "https://git.kernel.org/stable/c/cde43031df533751b4ead37d173922feee2f550f", + "https://git.kernel.org/stable/c/e1f010844443c389bc552884ac5cfa47de34d54c", + "https://git.kernel.org/stable/c/eb1d4ce2609584eeb7694866f34d4b213caa3af9", + "https://git.kernel.org/stable/c/f6be298cc1042f24d521197af29c7c4eb95af4d5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: validate nvme_local_port correctly\n\nThe driver load failed with error message,\n\nqla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef\n\nand with a kernel crash,\n\n\tBUG: unable to handle kernel NULL pointer dereference at 0000000000000070\n\tWorkqueue: events_unbound qla_register_fcport_fn [qla2xxx]\n\tRIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc]\n\tRSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282\n\tRAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000\n\tRDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000\n\tRBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030\n\tR10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4\n\tR13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8\n\tFS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000\n\tCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0\n\tCall Trace:\n\tqla_nvme_register_remote+0xeb/0x1f0 [qla2xxx]\n\t? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx]\n\tqla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx]\n\tqla_register_fcport_fn+0x54/0xc0 [qla2xxx]\n\nExit the qla_nvme_register_remote() function when qla_nvme_register_hba()\nfails and correctly validate nvme_local_port.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42286" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42287", + "dataSource": "https://ubuntu.com/security/CVE-2024-42287", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42287" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42287", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42287", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/314efe3f87949a568f512f05df20bf47b81cf232", + "https://git.kernel.org/stable/c/36fdc5319c4d0ec8b8938ec4769764098a246bfb", + "https://git.kernel.org/stable/c/4475afa2646d3fec176fc4d011d3879b26cb26e3", + "https://git.kernel.org/stable/c/57ba7563712227647f82a92547e82c96cd350553", + "https://git.kernel.org/stable/c/814f4a53cc86f7ea8b501bfb1723f24fd29ef5ee", + "https://git.kernel.org/stable/c/9117337b04d789bd08fdd9854a40bec2815cd3f6", + "https://git.kernel.org/stable/c/af46649304b0c9cede4ccfc2be2561ce8ed6a2ea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Complete command early within lock\n\nA crash was observed while performing NPIV and FW reset,\n\n BUG: kernel NULL pointer dereference, address: 000000000000001c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 1 PREEMPT_RT SMP NOPTI\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\n RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0\n RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034\n R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000\n R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000\n FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n \n ? __die_body+0x1a/0x60\n ? page_fault_oops+0x16f/0x4a0\n ? do_user_addr_fault+0x174/0x7f0\n ? exc_page_fault+0x69/0x1a0\n ? asm_exc_page_fault+0x22/0x30\n ? dma_direct_unmap_sg+0x51/0x1e0\n ? preempt_count_sub+0x96/0xe0\n qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx]\n qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx]\n __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx]\n\nThe command completion was done early while aborting the commands in driver\nunload path but outside lock to avoid the WARN_ON condition of performing\ndma_free_attr within the lock. However this caused race condition while\ncommand completion via multiple paths causing system crash.\n\nHence complete the command early in unload path but within the lock to\navoid race condition.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42287" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42288", + "dataSource": "https://ubuntu.com/security/CVE-2024-42288", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42288" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42288", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42288", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2a15b59a2c5afac89696e44acf5bbfc0599c6c5e", + "https://git.kernel.org/stable/c/571d7f2a08836698c2fb0d792236424575b9829b", + "https://git.kernel.org/stable/c/8192c533e89d9fb69b2490398939236b78cda79b", + "https://git.kernel.org/stable/c/87db8d7b7520e99de71791260989f06f9c94953d", + "https://git.kernel.org/stable/c/b0302ffc74123b6a99d7d1896fcd9b2e4072d9ce", + "https://git.kernel.org/stable/c/c03d740152f78e86945a75b2ad541bf972fab92a", + "https://git.kernel.org/stable/c/dae67169cb35a37ecccf60cfcd6bf93a1f4f5efb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix for possible memory corruption\n\nInit Control Block is dereferenced incorrectly. Correctly dereference ICB", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42288" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42289", + "dataSource": "https://ubuntu.com/security/CVE-2024-42289", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42289" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42289", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42289", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/086489256696eb774654a5410e86381c346356fe", + "https://git.kernel.org/stable/c/171ac4b495f9473bc134356a00095b47e6409e52", + "https://git.kernel.org/stable/c/76f480d7c717368f29a3870f7d64471ce0ff8fb2", + "https://git.kernel.org/stable/c/87c25fcb95aafabb6a4914239f4ab41b07a4f9b7", + "https://git.kernel.org/stable/c/b12c54e51ba83c1fbc619d35083d7872e42ecdef", + "https://git.kernel.org/stable/c/b35d6d5a2f38605cddea7d5c64cded894fbe8ede", + "https://git.kernel.org/stable/c/d28a2075bb530489715a3b011e1dd8765ba20313", + "https://git.kernel.org/stable/c/e5ed6a26ffdec0c91cf0b6138afbd675c00ad5fc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: During vport delete send async logout explicitly\n\nDuring vport delete, it is observed that during unload we hit a crash\nbecause of stale entries in outstanding command array. For all these stale\nI/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but\nI/Os could not complete while vport delete is in process of deleting.\n\n BUG: kernel NULL pointer dereference, address: 000000000000001c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n Workqueue: qla2xxx_wq qla_do_work [qla2xxx]\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\n RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0\n RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8\n R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000\n R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0\n Call Trace:\n \n qla2xxx_qpair_sp_free_dma+0x417/0x4e0\n ? qla2xxx_qpair_sp_compl+0x10d/0x1a0\n ? qla2x00_status_entry+0x768/0x2830\n ? newidle_balance+0x2f0/0x430\n ? dequeue_entity+0x100/0x3c0\n ? qla24xx_process_response_queue+0x6a1/0x19e0\n ? __schedule+0x2d5/0x1140\n ? qla_do_work+0x47/0x60\n ? process_one_work+0x267/0x440\n ? process_one_work+0x440/0x440\n ? worker_thread+0x2d/0x3d0\n ? process_one_work+0x440/0x440\n ? kthread+0x156/0x180\n ? set_kthread_struct+0x50/0x50\n ? ret_from_fork+0x22/0x30\n \n\nSend out async logout explicitly for all the ports during vport delete.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42289" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42290", + "dataSource": "https://ubuntu.com/security/CVE-2024-42290", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42290" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42290", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42290", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21bd3f9e7f924cd2fc892a484e7a50c7e1847565", + "https://git.kernel.org/stable/c/33b1c47d1fc0b5f06a393bb915db85baacba18ea", + "https://git.kernel.org/stable/c/3a2884a44e5cda192df1b28e9925661f79f599a1", + "https://git.kernel.org/stable/c/58c56735facb225a5c46fa4b8bbbe7f31d1cb894", + "https://git.kernel.org/stable/c/a590e8dea3df2639921f874d763be961dd74e8f9", + "https://git.kernel.org/stable/c/f8ae38f1dfe652779c7c613facbc257cec00ac44", + "https://git.kernel.org/stable/c/fa1803401e1c360efe6342fb41d161cc51748a11" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/imx-irqsteer: Handle runtime power management correctly\n\nThe power domain is automatically activated from clk_prepare(). However, on\ncertain platforms like i.MX8QM and i.MX8QXP, the power-on handling invokes\nsleeping functions, which triggers the 'scheduling while atomic' bug in the\ncontext switch path during device probing:\n\n BUG: scheduling while atomic: kworker/u13:1/48/0x00000002\n Call trace:\n __schedule_bug+0x54/0x6c\n __schedule+0x7f0/0xa94\n schedule+0x5c/0xc4\n schedule_preempt_disabled+0x24/0x40\n __mutex_lock.constprop.0+0x2c0/0x540\n __mutex_lock_slowpath+0x14/0x20\n mutex_lock+0x48/0x54\n clk_prepare_lock+0x44/0xa0\n clk_prepare+0x20/0x44\n imx_irqsteer_resume+0x28/0xe0\n pm_generic_runtime_resume+0x2c/0x44\n __genpd_runtime_resume+0x30/0x80\n genpd_runtime_resume+0xc8/0x2c0\n __rpm_callback+0x48/0x1d8\n rpm_callback+0x6c/0x78\n rpm_resume+0x490/0x6b4\n __pm_runtime_resume+0x50/0x94\n irq_chip_pm_get+0x2c/0xa0\n __irq_do_set_handler+0x178/0x24c\n irq_set_chained_handler_and_data+0x60/0xa4\n mxc_gpio_probe+0x160/0x4b0\n\nCure this by implementing the irq_bus_lock/sync_unlock() interrupt chip\ncallbacks and handle power management in them as they are invoked from\nnon-atomic context.\n\n[ tglx: Rewrote change log, added Fixes tag ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42290" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42291", + "dataSource": "https://ubuntu.com/security/CVE-2024-42291", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42291" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42291", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42291", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/292081c4e7f575a79017d5cbe1a0ec042783976f", + "https://git.kernel.org/stable/c/6ebbe97a488179f5dc85f2f1e0c89b486e99ee97", + "https://git.kernel.org/stable/c/8e02cd98a6e24389d476e28436d41e620ed8e559", + "https://git.kernel.org/stable/c/d62389073a5b937413e2d1bc1da06ccff5103c0c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Add a per-VF limit on number of FDIR filters\n\nWhile the iavf driver adds a s/w limit (128) on the number of FDIR\nfilters that the VF can request, a malicious VF driver can request more\nthan that and exhaust the resources for other VFs.\n\nAdd a similar limit in ice.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42291" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42292", + "dataSource": "https://ubuntu.com/security/CVE-2024-42292", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42292" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42292", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42292", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/57fe01d3d04276875c7e3a6dc763517fc05b8762", + "https://git.kernel.org/stable/c/648d5490460d38436640da0812bf7f6351c150d2", + "https://git.kernel.org/stable/c/68d63ace80b76395e7935687ecdb86421adc2168", + "https://git.kernel.org/stable/c/81a15d28f32af01493ae8c5457e0d55314a4167d", + "https://git.kernel.org/stable/c/b59a5e86a3934f1b6a5bd1368902dbc79bdecc90", + "https://git.kernel.org/stable/c/c5ee8adc8d98a49703320d13878ba2b923b142f5", + "https://git.kernel.org/stable/c/d4663536754defff75ff1eca0aaebc41da165a8d", + "https://git.kernel.org/stable/c/dd6e9894b451e7c85cceb8e9dc5432679a70e7dc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkobject_uevent: Fix OOB access within zap_modalias_env()\n\nzap_modalias_env() wrongly calculates size of memory block to move, so\nwill cause OOB memory access issue if variable MODALIAS is not the last\none within its @env parameter, fixed by correcting size to memmove.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42292" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42294", + "dataSource": "https://ubuntu.com/security/CVE-2024-42294", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42294" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42294", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42294", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/5a5625a83eac91fdff1d5f0202ecfc45a31983c9", + "https://git.kernel.org/stable/c/7e04da2dc7013af50ed3a2beb698d5168d1e594b", + "https://git.kernel.org/stable/c/f5418f48a93b69ed9e6a2281eee06b412f14a544" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix deadlock between sd_remove & sd_release\n\nOur test report the following hung task:\n\n[ 2538.459400] INFO: task \"kworker/0:0\":7 blocked for more than 188 seconds.\n[ 2538.459427] Call trace:\n[ 2538.459430] __switch_to+0x174/0x338\n[ 2538.459436] __schedule+0x628/0x9c4\n[ 2538.459442] schedule+0x7c/0xe8\n[ 2538.459447] schedule_preempt_disabled+0x24/0x40\n[ 2538.459453] __mutex_lock+0x3ec/0xf04\n[ 2538.459456] __mutex_lock_slowpath+0x14/0x24\n[ 2538.459459] mutex_lock+0x30/0xd8\n[ 2538.459462] del_gendisk+0xdc/0x350\n[ 2538.459466] sd_remove+0x30/0x60\n[ 2538.459470] device_release_driver_internal+0x1c4/0x2c4\n[ 2538.459474] device_release_driver+0x18/0x28\n[ 2538.459478] bus_remove_device+0x15c/0x174\n[ 2538.459483] device_del+0x1d0/0x358\n[ 2538.459488] __scsi_remove_device+0xa8/0x198\n[ 2538.459493] scsi_forget_host+0x50/0x70\n[ 2538.459497] scsi_remove_host+0x80/0x180\n[ 2538.459502] usb_stor_disconnect+0x68/0xf4\n[ 2538.459506] usb_unbind_interface+0xd4/0x280\n[ 2538.459510] device_release_driver_internal+0x1c4/0x2c4\n[ 2538.459514] device_release_driver+0x18/0x28\n[ 2538.459518] bus_remove_device+0x15c/0x174\n[ 2538.459523] device_del+0x1d0/0x358\n[ 2538.459528] usb_disable_device+0x84/0x194\n[ 2538.459532] usb_disconnect+0xec/0x300\n[ 2538.459537] hub_event+0xb80/0x1870\n[ 2538.459541] process_scheduled_works+0x248/0x4dc\n[ 2538.459545] worker_thread+0x244/0x334\n[ 2538.459549] kthread+0x114/0x1bc\n\n[ 2538.461001] INFO: task \"fsck.\":15415 blocked for more than 188 seconds.\n[ 2538.461014] Call trace:\n[ 2538.461016] __switch_to+0x174/0x338\n[ 2538.461021] __schedule+0x628/0x9c4\n[ 2538.461025] schedule+0x7c/0xe8\n[ 2538.461030] blk_queue_enter+0xc4/0x160\n[ 2538.461034] blk_mq_alloc_request+0x120/0x1d4\n[ 2538.461037] scsi_execute_cmd+0x7c/0x23c\n[ 2538.461040] ioctl_internal_command+0x5c/0x164\n[ 2538.461046] scsi_set_medium_removal+0x5c/0xb0\n[ 2538.461051] sd_release+0x50/0x94\n[ 2538.461054] blkdev_put+0x190/0x28c\n[ 2538.461058] blkdev_release+0x28/0x40\n[ 2538.461063] __fput+0xf8/0x2a8\n[ 2538.461066] __fput_sync+0x28/0x5c\n[ 2538.461070] __arm64_sys_close+0x84/0xe8\n[ 2538.461073] invoke_syscall+0x58/0x114\n[ 2538.461078] el0_svc_common+0xac/0xe0\n[ 2538.461082] do_el0_svc+0x1c/0x28\n[ 2538.461087] el0_svc+0x38/0x68\n[ 2538.461090] el0t_64_sync_handler+0x68/0xbc\n[ 2538.461093] el0t_64_sync+0x1a8/0x1ac\n\n T1:\t\t\t\tT2:\n sd_remove\n del_gendisk\n __blk_mark_disk_dead\n blk_freeze_queue_start\n ++q->mq_freeze_depth\n \t\t\t\tbdev_release\n \t\t\t\tmutex_lock(&disk->open_mutex)\n \t\t\t\tsd_release\n \t\t\t\tscsi_execute_cmd\n \t\t\t\tblk_queue_enter\n \t\t\t\twait_event(!q->mq_freeze_depth)\n mutex_lock(&disk->open_mutex)\n\nSCSI does not set GD_OWNS_QUEUE, so QUEUE_FLAG_DYING is not set in\nthis scenario. This is a classic ABBA deadlock. To fix the deadlock,\nmake sure we don't try to acquire disk->open_mutex after freezing\nthe queue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42294" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42295", + "dataSource": "https://ubuntu.com/security/CVE-2024-42295", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42295" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42295", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42295", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/012be828a118bf496e666ef1fc47fc0e7358ada2", + "https://git.kernel.org/stable/c/02b87e6334a38c65eef49848d3f1ac422f0b2a44", + "https://git.kernel.org/stable/c/19cce46238ffe3546e44b9c74057103ff8b24c62", + "https://git.kernel.org/stable/c/366c3f688dd0288cbe38af1d3a886b5c62372e4a", + "https://git.kernel.org/stable/c/4811f7af6090e8f5a398fbdd766f903ef6c0d787", + "https://git.kernel.org/stable/c/5f0a6800b8aec1b453c7fe4c44fcaac5ffe9d52e", + "https://git.kernel.org/stable/c/be56dfc9be0604291267c07b0e27a69a6bda4899", + "https://git.kernel.org/stable/c/e34191cce3ee63dfa5fb241904aaf2a042d5b6d8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: handle inconsistent state in nilfs_btnode_create_block()\n\nSyzbot reported that a buffer state inconsistency was detected in\nnilfs_btnode_create_block(), triggering a kernel bug.\n\nIt is not appropriate to treat this inconsistency as a bug; it can occur\nif the argument block address (the buffer index of the newly created\nblock) is a virtual block number and has been reallocated due to\ncorruption of the bitmap used to manage its allocation state.\n\nSo, modify nilfs_btnode_create_block() and its callers to treat it as a\npossible filesystem error, rather than triggering a kernel bug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42295" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42296", + "dataSource": "https://ubuntu.com/security/CVE-2024-42296", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42296" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42296", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42296", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/077f0e24b27c4b44841593c7edbd1993be9eecb5", + "https://git.kernel.org/stable/c/1e7725814361c8c008d131db195cef8274ff26b8", + "https://git.kernel.org/stable/c/47a8ddcdcaccd9b891db4574795e46a33a121ac2", + "https://git.kernel.org/stable/c/70f5ef5f33c333cfb286116fa3af74ac9bc84f1b", + "https://git.kernel.org/stable/c/a8eb3de28e7a365690c61161e7a07a4fc7c60bbf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix return value of f2fs_convert_inline_inode()\n\nIf device is readonly, make f2fs_convert_inline_inode()\nreturn EROFS instead of zero, otherwise it may trigger\npanic during writeback of inline inode's dirty page as\nbelow:\n\n f2fs_write_single_data_page+0xbb6/0x1e90 fs/f2fs/data.c:2888\n f2fs_write_cache_pages fs/f2fs/data.c:3187 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3342 [inline]\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3369\n do_writepages+0x359/0x870 mm/page-writeback.c:2634\n filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397\n __filemap_fdatawrite_range mm/filemap.c:430 [inline]\n file_write_and_wait_range+0x1aa/0x290 mm/filemap.c:788\n f2fs_do_sync_file+0x68a/0x1ae0 fs/f2fs/file.c:276\n generic_write_sync include/linux/fs.h:2806 [inline]\n f2fs_file_write_iter+0x7bd/0x24e0 fs/f2fs/file.c:4977\n call_write_iter include/linux/fs.h:2114 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xa72/0xc90 fs/read_write.c:590\n ksys_write+0x1a0/0x2c0 fs/read_write.c:643\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42296" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42297", + "dataSource": "https://ubuntu.com/security/CVE-2024-42297", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42297" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42297", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42297", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/192b8fb8d1c8ca3c87366ebbef599fa80bb626b8", + "https://git.kernel.org/stable/c/2434344559f6743efb3ac15d11af9a0db9543bd3", + "https://git.kernel.org/stable/c/2d2916516577f2239b3377d9e8d12da5e6ccdfcf", + "https://git.kernel.org/stable/c/54162974aea37a8cae00742470a78c7f6bd6f915", + "https://git.kernel.org/stable/c/54bc4e88447e385c4d4ffa85d93e0dce628fcfa6", + "https://git.kernel.org/stable/c/9ce8135accf103f7333af472709125878704fdd4", + "https://git.kernel.org/stable/c/e62ff092a42f4a1bae3b310cf46673b4f3aac3b5", + "https://git.kernel.org/stable/c/ec56571b4b146a1cfbedab49d5fcaf19fe8bf4f1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to don't dirty inode for readonly filesystem\n\nsyzbot reports f2fs bug as below:\n\nkernel BUG at fs/f2fs/inode.c:933!\nRIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933\nCall Trace:\n evict+0x2a4/0x620 fs/inode.c:664\n dispose_list fs/inode.c:697 [inline]\n evict_inodes+0x5f8/0x690 fs/inode.c:747\n generic_shutdown_super+0x9d/0x2c0 fs/super.c:675\n kill_block_super+0x44/0x90 fs/super.c:1667\n kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894\n deactivate_locked_super+0xc1/0x130 fs/super.c:484\n cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256\n task_work_run+0x24a/0x300 kernel/task_work.c:180\n ptrace_notify+0x2cd/0x380 kernel/signal.c:2399\n ptrace_report_syscall include/linux/ptrace.h:411 [inline]\n ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]\n syscall_exit_work kernel/entry/common.c:251 [inline]\n syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]\n syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296\n do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nThe root cause is:\n- do_sys_open\n - f2fs_lookup\n - __f2fs_find_entry\n - f2fs_i_depth_write\n - f2fs_mark_inode_dirty_sync\n - f2fs_dirty_inode\n - set_inode_flag(inode, FI_DIRTY_INODE)\n\n- umount\n - kill_f2fs_super\n - kill_block_super\n - generic_shutdown_super\n - sync_filesystem\n : sb is readonly, skip sync_filesystem()\n - evict_inodes\n - iput\n - f2fs_evict_inode\n - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE))\n : trigger kernel panic\n\nWhen we try to repair i_current_depth in readonly filesystem, let's\nskip dirty inode to avoid panic in later f2fs_evict_inode().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42297" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42299", + "dataSource": "https://ubuntu.com/security/CVE-2024-42299", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42299" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42299", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42299", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0484adcb5fbcadd9ba0fd4485c42630f72e97da9", + "https://git.kernel.org/stable/c/0a4ae2644e2a3b3b219aad9639fb2b0691d08420", + "https://git.kernel.org/stable/c/2cac0df3324b5e287d8020bc0708f7d2dec88a6f", + "https://git.kernel.org/stable/c/2fef55d8f78383c8e6d6d4c014b9597375132696", + "https://git.kernel.org/stable/c/b90ceffdc975502bc085ce8e79c6adeff05f9521" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Update log->page_{mask,bits} if log->page_size changed\n\nIf an NTFS file system is mounted to another system with different\nPAGE_SIZE from the original system, log->page_size will change in\nlog_replay(), but log->page_{mask,bits} don't change correspondingly.\nThis will cause a panic because \"u32 bytes = log->page_size - page_off\"\nwill get a negative value in the later read_log_page().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42299" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42301", + "dataSource": "https://ubuntu.com/security/CVE-2024-42301", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42301" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42301", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42301", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/166a0bddcc27de41fe13f861c8348e8e53e988c8", + "https://git.kernel.org/stable/c/47b3dce100778001cd76f7e9188944b5cb27a76d", + "https://git.kernel.org/stable/c/7789a1d6792af410aa9b39a1eb237ed24fa2170a", + "https://git.kernel.org/stable/c/7f4da759092a1a6ce35fb085182d02de8cc4cc84", + "https://git.kernel.org/stable/c/a44f88f7576bc1916d8d6293f5c62fbe7cbe03e0", + "https://git.kernel.org/stable/c/ab11dac93d2d568d151b1918d7b84c2d02bacbd5", + "https://git.kernel.org/stable/c/b579ea3516c371ecf59d073772bc45dfd28c8a0e", + "https://git.kernel.org/stable/c/c719b393374d3763e64900ee19aaed767d5a08d6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndev/parport: fix the array out-of-bounds risk\n\nFixed array out-of-bounds issues caused by sprintf\nby replacing it with snprintf for safer data copying,\nensuring the destination buffer is not overflowed.\n\nBelow is the stack trace I encountered during the actual issue:\n\n[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector:\nKernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]\n[ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm:\nQThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2\n[ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp\n[ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun\nPGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024\n[ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace:\n[ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0\n[ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20\n[ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c\n[ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc\n[ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38\n[ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42301" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42302", + "dataSource": "https://ubuntu.com/security/CVE-2024-42302", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42302" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42302", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42302", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed", + "https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7", + "https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f", + "https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62", + "https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d", + "https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/DPC: Fix use-after-free on concurrent DPC and hot-removal\n\nKeith reports a use-after-free when a DPC event occurs concurrently to\nhot-removal of the same portion of the hierarchy:\n\nThe dpc_handler() awaits readiness of the secondary bus below the\nDownstream Port where the DPC event occurred. To do so, it polls the\nconfig space of the first child device on the secondary bus. If that\nchild device is concurrently removed, accesses to its struct pci_dev\ncause the kernel to oops.\n\nThat's because pci_bridge_wait_for_secondary_bus() neglects to hold a\nreference on the child device. Before v6.3, the function was only\ncalled on resume from system sleep or on runtime resume. Holding a\nreference wasn't necessary back then because the pciehp IRQ thread\ncould never run concurrently. (On resume from system sleep, IRQs are\nnot enabled until after the resume_noirq phase. And runtime resume is\nalways awaited before a PCI device is removed.)\n\nHowever starting with v6.3, pci_bridge_wait_for_secondary_bus() is also\ncalled on a DPC event. Commit 53b54ad074de (\"PCI/DPC: Await readiness\nof secondary bus after reset\"), which introduced that, failed to\nappreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a\nreference on the child device because dpc_handler() and pciehp may\nindeed run concurrently. The commit was backported to v5.10+ stable\nkernels, so that's the oldest one affected.\n\nAdd the missing reference acquisition.\n\nAbridged stack trace:\n\n BUG: unable to handle page fault for address: 00000000091400c0\n CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0\n RIP: pci_bus_read_config_dword+0x17/0x50\n pci_dev_wait()\n pci_bridge_wait_for_secondary_bus()\n dpc_reset_link()\n pcie_do_recovery()\n dpc_handler()", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42302" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42304", + "dataSource": "https://ubuntu.com/security/CVE-2024-42304", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42304" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42304", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42304", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/299bc6ffa57e04e74c6cce866d6c0741fb4897a1", + "https://git.kernel.org/stable/c/9771e3d8365ae1dd5e8846a204cb9af14e3e656a", + "https://git.kernel.org/stable/c/b609753cbbd38f8c0affd4956c0af178348523ac", + "https://git.kernel.org/stable/c/c3893d9de8ee153baac56d127d844103488133b5", + "https://git.kernel.org/stable/c/d81d7e347d1f1f48a5634607d39eb90c161c8afe", + "https://git.kernel.org/stable/c/de2a011a13a46468a6e8259db58b1b62071fe136", + "https://git.kernel.org/stable/c/e02f9941e8c011aa3eafa799def6a134ce06bcfa", + "https://git.kernel.org/stable/c/f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: make sure the first directory block is not a hole\n\nThe syzbot constructs a directory that has no dirblock but is non-inline,\ni.e. the first directory block is a hole. And no errors are reported when\ncreating files in this directory in the following flow.\n\n ext4_mknod\n ...\n ext4_add_entry\n // Read block 0\n ext4_read_dirblock(dir, block, DIRENT)\n bh = ext4_bread(NULL, inode, block, 0)\n if (!bh && (type == INDEX || type == DIRENT_HTREE))\n // The first directory block is a hole\n // But type == DIRENT, so no error is reported.\n\nAfter that, we get a directory block without '.' and '..' but with a valid\ndentry. This may cause some code that relies on dot or dotdot (such as\nmake_indexed_dir()) to crash.\n\nTherefore when ext4_read_dirblock() finds that the first directory block\nis a hole report that the filesystem is corrupted and return an error to\navoid loading corrupted data from disk causing something bad.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42304" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42305", + "dataSource": "https://ubuntu.com/security/CVE-2024-42305", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42305" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42305", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42305", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8", + "https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa", + "https://git.kernel.org/stable/c/50ea741def587a64e08879ce6c6a30131f7111e7", + "https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a", + "https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2", + "https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c", + "https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db", + "https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d2397d378c5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: check dot and dotdot of dx_root before making dir indexed\n\nSyzbot reports a issue as follows:\n============================================\nBUG: unable to handle page fault for address: ffffed11022e24fe\nPGD 23ffee067 P4D 23ffee067 PUD 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0\nCall Trace:\n \n make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451\n ext4_rename fs/ext4/namei.c:3936 [inline]\n ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214\n[...]\n============================================\n\nThe immediate cause of this problem is that there is only one valid dentry\nfor the block to be split during do_split, so split==0 results in out of\nbounds accesses to the map triggering the issue.\n\n do_split\n unsigned split\n dx_make_map\n count = 1\n split = count/2 = 0;\n continued = hash2 == map[split - 1].hash;\n ---> map[4294967295]\n\nThe maximum length of a filename is 255 and the minimum block size is 1024,\nso it is always guaranteed that the number of entries is greater than or\nequal to 2 when do_split() is called.\n\nBut syzbot's crafted image has no dot and dotdot in dir, and the dentry\ndistribution in dirblock is as follows:\n\n bus dentry1 hole dentry2 free\n|xx--|xx-------------|...............|xx-------------|...............|\n0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024\n\nSo when renaming dentry1 increases its name_len length by 1, neither hole\nnor free is sufficient to hold the new dentry, and make_indexed_dir() is\ncalled.\n\nIn make_indexed_dir() it is assumed that the first two entries of the\ndirblock must be dot and dotdot, so bus and dentry1 are left in dx_root\nbecause they are treated as dot and dotdot, and only dentry2 is moved\nto the new leaf block. That's why count is equal to 1.\n\nTherefore add the ext4_check_dx_root() helper function to add more sanity\nchecks to dot and dotdot before starting the conversion to avoid the above\nissue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42305" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42306", + "dataSource": "https://ubuntu.com/security/CVE-2024-42306", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42306" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42306", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42306", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2199e157a465aaf98294d3932797ecd7fce942d5", + "https://git.kernel.org/stable/c/271cab2ca00652bc984e269cf1208699a1e09cdd", + "https://git.kernel.org/stable/c/57053b3bcf3403b80db6f65aba284d7dfe7326af", + "https://git.kernel.org/stable/c/6a43e3c210df6c5f00570f4be49a897677dbcb64", + "https://git.kernel.org/stable/c/8ca170c39eca7cad6e0cfeb24e351d8f8eddcd65", + "https://git.kernel.org/stable/c/a90d4471146de21745980cba51ce88e7926bcc4f", + "https://git.kernel.org/stable/c/cae9e59cc41683408b70b9ab569f8654866ba914" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Avoid using corrupted block bitmap buffer\n\nWhen the filesystem block bitmap is corrupted, we detect the corruption\nwhile loading the bitmap and fail the allocation with error. However the\nnext allocation from the same bitmap will notice the bitmap buffer is\nalready loaded and tries to allocate from the bitmap with mixed results\n(depending on the exact nature of the bitmap corruption). Fix the\nproblem by using BH_verified bit to indicate whether the bitmap is valid\nor not.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42306" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42308", + "dataSource": "https://ubuntu.com/security/CVE-2024-42308", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42308" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42308", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42308", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/185616085b12e651cdfd11ef00d1449f54552d89", + "https://git.kernel.org/stable/c/4ab68e168ae1695f7c04fae98930740aaf7c50fa", + "https://git.kernel.org/stable/c/4ccd37085976ea5d3c499b1e6d0b3f4deaf2cd5a", + "https://git.kernel.org/stable/c/6b5ed0648213e9355cc78f4a264d9afe8536d692", + "https://git.kernel.org/stable/c/71dbf95359347c2ecc5a6dfc02783fcfccb2e9fb", + "https://git.kernel.org/stable/c/9ce89824ff04d261fc855e0ca6e6025251d9fa40", + "https://git.kernel.org/stable/c/f068494430d15b5fc551ac928de9dac7e5e27602" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check for NULL pointer\n\n[why & how]\nNeed to make sure plane_state is initialized\nbefore accessing its members.\n\n(cherry picked from commit 295d91cbc700651782a60572f83c24861607b648)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42308" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42309", + "dataSource": "https://ubuntu.com/security/CVE-2024-42309", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42309" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42309", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42309", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/13b5f3ee94bdbdc4b5f40582aab62977905aedee", + "https://git.kernel.org/stable/c/2df7aac81070987b0f052985856aa325a38debf6", + "https://git.kernel.org/stable/c/46d2ef272957879cbe30a884574320e7f7d78692", + "https://git.kernel.org/stable/c/475a5b3b7c8edf6e583a9eb59cf28ea770602e14", + "https://git.kernel.org/stable/c/6735d02ead7dd3adf74eb8b70aebd09e0ce78ec9", + "https://git.kernel.org/stable/c/7e52c62ff029f95005915c0a11863b5fb5185c8c", + "https://git.kernel.org/stable/c/d6ad202f73f8edba0cbc0065aa57a79ffe8fdcdc", + "https://git.kernel.org/stable/c/f70ffeca546452d1acd3a70ada56ecb2f3e7f811" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes\n\nIn psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42309" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42310", + "dataSource": "https://ubuntu.com/security/CVE-2024-42310", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42310" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42310", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42310", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/08f45102c81ad8bc9f85f7a25e9f64e128edb87d", + "https://git.kernel.org/stable/c/2d209b2f862f6b8bff549ede541590a8d119da23", + "https://git.kernel.org/stable/c/977ee4fe895e1729cd36cc26916bbb10084713d6", + "https://git.kernel.org/stable/c/a658ae2173ab74667c009e2550455e6de5b33ddc", + "https://git.kernel.org/stable/c/b6ac46a00188cde50ffba233e6efb366354a1de5", + "https://git.kernel.org/stable/c/cb520c3f366c77e8d69e4e2e2781a8ce48d98e79", + "https://git.kernel.org/stable/c/e74eb5e8089427c8c49e0dd5067e5f39ce3a4d56", + "https://git.kernel.org/stable/c/f392c36cebf4c1d6997a4cc2c0f205254acef42a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes\n\nIn cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42310" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42311", + "dataSource": "https://ubuntu.com/security/CVE-2024-42311", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42311" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42311", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42311", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10f7163bfb5f8b4e0c9c05a939f20b8540e33c65", + "https://git.kernel.org/stable/c/26a2ed107929a855155429b11e1293b83e6b2a8b", + "https://git.kernel.org/stable/c/4a52861cd76e79f1a593beb23d096523eb9732c2", + "https://git.kernel.org/stable/c/58d83fc160505a7009c39dec64effaac5129b971", + "https://git.kernel.org/stable/c/9c4e40b9b731220f9464975e49da75496e3865c4", + "https://git.kernel.org/stable/c/d3493d6f0dfb1ab5225b62faa77732983f2187a1", + "https://git.kernel.org/stable/c/d55aae5c1730d6b70d5d8eaff00113cd34772ea3", + "https://git.kernel.org/stable/c/f7316b2b2f11cf0c6de917beee8d3de728be24db" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()\n\nSyzbot reports uninitialized value access issue as below:\n\nloop0: detected capacity change from 0 to 64\n=====================================================\nBUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\n hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\n d_revalidate fs/namei.c:862 [inline]\n lookup_fast+0x89e/0x8e0 fs/namei.c:1649\n walk_component fs/namei.c:2001 [inline]\n link_path_walk+0x817/0x1480 fs/namei.c:2332\n path_lookupat+0xd9/0x6f0 fs/namei.c:2485\n filename_lookup+0x22e/0x740 fs/namei.c:2515\n user_path_at_empty+0x8b/0x390 fs/namei.c:2924\n user_path_at include/linux/namei.h:57 [inline]\n do_mount fs/namespace.c:3689 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x66b/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nBUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\nBUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\n hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\n hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\n block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271\n hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39\n filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426\n do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553\n do_read_cache_page mm/filemap.c:3595 [inline]\n read_cache_page+0xfb/0x2f0 mm/filemap.c:3604\n read_mapping_page include/linux/pagemap.h:755 [inline]\n hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78\n hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204\n hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406\n mount_bdev+0x628/0x920 fs/super.c:1359\n hfs_mount+0xcd/0xe0 fs/hfs/super.c:456\n legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610\n vfs_get_tree+0xdc/0x5d0 fs/super.c:1489\n do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145\n path_mount+0xf98/0x26a0 fs/namespace.c:3475\n do_mount fs/namespace.c:3488 [inline]\n __do_sys_mount fs/namespace.c:3697 [inline]\n __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674\n __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nUninit was created at:\n __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2190 [inline]\n allocate_slab mm/slub.c:2354 [inline]\n new_slab+0x2d7/0x1400 mm/slub.c:2407\n ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540\n __slab_alloc mm/slub.c:3625 [inline]\n __slab_alloc_node mm/slub.c:3678 [inline]\n slab_alloc_node mm/slub.c:3850 [inline]\n kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879\n alloc_inode_sb include/linux/fs.h:3018 [inline]\n hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165\n alloc_inode+0x83/0x440 fs/inode.c:260\n new_inode_pseudo fs/inode.c:1005 [inline]\n new_inode+0x38/0x4f0 fs/inode.c:1031\n hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186\n hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228\n vfs_mkdir+0x49a/0x700 fs/namei.c:4126\n do_mkdirat+0x529/0x810 fs/namei.c:4149\n __do_sys_mkdirat fs/namei.c:4164 [inline]\n __se_sys_mkdirat fs/namei.c:4162 [inline]\n __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nIt missed to initialize .tz_secondswest, .cached_start and .cached_blocks\nfields in struct hfs_inode_info after hfs_alloc_inode(), fix it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42311" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42312", + "dataSource": "https://ubuntu.com/security/CVE-2024-42312", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42312" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42312", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42312", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1deae34db9f4f8e0e03f891be2e2e15c15c8ac05", + "https://git.kernel.org/stable/c/34a86adea1f2b3c3f9d864c8cce09dca644601ab", + "https://git.kernel.org/stable/c/98ca62ba9e2be5863c7d069f84f7166b45a5b2f4", + "https://git.kernel.org/stable/c/b2591c89a6e2858796111138c38fcb6851aa1955", + "https://git.kernel.org/stable/c/c7e2f43d182f5dde473389dbb39f16c9f0d64536", + "https://git.kernel.org/stable/c/ffde3af4b29bf97d62d82e1d45275587e10a991a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: always initialize i_uid/i_gid\n\nAlways initialize i_uid/i_gid inside the sysfs core so set_ownership()\ncan safely skip setting them.\n\nCommit 5ec27ec735ba (\"fs/proc/proc_sysctl.c: fix the default values of\ni_uid/i_gid on /proc/sys inodes.\") added defaults for i_uid/i_gid when\nset_ownership() was not implemented. It also missed adjusting\nnet_ctl_set_ownership() to use the same default values in case the\ncomputation of a better value failed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42312" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42313", + "dataSource": "https://ubuntu.com/security/CVE-2024-42313", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42313" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42313", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42313", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/4c9d235630d35db762b85a4149bbb0be9d504c36", + "https://git.kernel.org/stable/c/66fa52edd32cdbb675f0803b3c4da10ea19b6635", + "https://git.kernel.org/stable/c/6a96041659e834dc0b172dda4b2df512d63920c2", + "https://git.kernel.org/stable/c/72aff311194c8ceda934f24fd6f250b8827d7567", + "https://git.kernel.org/stable/c/a0157b5aa34eb43ec4c5510f9c260bbb03be937e", + "https://git.kernel.org/stable/c/ad8cf035baf29467158e0550c7a42b7bb43d1db6", + "https://git.kernel.org/stable/c/da55685247f409bf7f976cc66ba2104df75d8dad", + "https://git.kernel.org/stable/c/f8e9a63b982a8345470c225679af4ba86e4a7282" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: fix use after free in vdec_close\n\nThere appears to be a possible use after free with vdec_close().\nThe firmware will add buffer release work to the work queue through\nHFI callbacks as a normal part of decoding. Randomly closing the\ndecoder device from userspace during normal decoding can incur\na read after free for inst.\n\nFix it by cancelling the work in vdec_close.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42313" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42315", + "dataSource": "https://ubuntu.com/security/CVE-2024-42315", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42315" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42315", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42315", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1d1970493c289e3f44b9ec847ed26a5dbdf56a62", + "https://git.kernel.org/stable/c/89fc548767a2155231128cb98726d6d2ea1256c9", + "https://git.kernel.org/stable/c/a7ac198f8dba791e3144c4da48a5a9b95773ee4b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix potential deadlock on __exfat_get_dentry_set\n\nWhen accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array\nis allocated in __exfat_get_entry_set. The problem is that the bh-array is\nallocated with GFP_KERNEL. It does not make sense. In the following cases,\na deadlock for sbi->s_lock between the two processes may occur.\n\n CPU0 CPU1\n ---- ----\n kswapd\n balance_pgdat\n lock(fs_reclaim)\n exfat_iterate\n lock(&sbi->s_lock)\n exfat_readdir\n exfat_get_uniname_from_ext_entry\n exfat_get_dentry_set\n __exfat_get_dentry_set\n kmalloc_array\n ...\n lock(fs_reclaim)\n ...\n evict\n exfat_evict_inode\n lock(&sbi->s_lock)\n\nTo fix this, let's allocate bh-array with GFP_NOFS.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42315" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42318", + "dataSource": "https://ubuntu.com/security/CVE-2024-42318", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42318" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42318", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42318", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://bugs.chromium.org/p/project-zero/issues/detail?id=2566", + "https://git.kernel.org/stable/c/0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c", + "https://git.kernel.org/stable/c/16896914bace82d7811c62f3b6d5320132384f49", + "https://git.kernel.org/stable/c/39705a6c29f8a2b93cf5b99528a55366c50014d1", + "https://git.kernel.org/stable/c/916c648323fa53b89eedb34a0988ddaf01406117", + "https://git.kernel.org/stable/c/b14cc2cf313bd29056fadbc8ecd7f957cf5791ff", + "https://lore.kernel.org/all/20240817.shahka3Ee1iy@digikod.net/", + "https://www.openwall.com/lists/oss-security/2024/08/17/2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Don't lose track of restrictions on cred_transfer\n\nWhen a process' cred struct is replaced, this _almost_ always invokes\nthe cred_prepare LSM hook; but in one special case (when\nKEYCTL_SESSION_TO_PARENT updates the parent's credentials), the\ncred_transfer LSM hook is used instead. Landlock only implements the\ncred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes\nall information on Landlock restrictions to be lost.\n\nThis basically means that a process with the ability to use the fork()\nand keyctl() syscalls can get rid of all Landlock restrictions on\nitself.\n\nFix it by adding a cred_transfer hook that does the same thing as the\nexisting cred_prepare hook. (Implemented by having hook_cred_prepare()\ncall hook_cred_transfer() so that the two functions are less likely to\naccidentally diverge in the future.)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42318" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42319", + "dataSource": "https://ubuntu.com/security/CVE-2024-42319", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42319" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42319", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42319", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/11fa625b45faf0649118b9deaf2d31c86ac41911", + "https://git.kernel.org/stable/c/a8bd68e4329f9a0ad1b878733e0f80be6a971649" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()\n\nWhen mtk-cmdq unbinds, a WARN_ON message with condition\npm_runtime_get_sync() < 0 occurs.\n\nAccording to the call tracei below:\n cmdq_mbox_shutdown\n mbox_free_channel\n mbox_controller_unregister\n __devm_mbox_controller_unregister\n ...\n\nThe root cause can be deduced to be calling pm_runtime_get_sync() after\ncalling pm_runtime_disable() as observed below:\n1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe()\n to bind the cmdq device to the mbox_controller, so\n devm_mbox_controller_unregister() will automatically unregister\n the device bound to the mailbox controller when the device-managed\n resource is removed. That means devm_mbox_controller_unregister()\n and cmdq_mbox_shoutdown() will be called after cmdq_remove().\n2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after\n devm_mbox_controller_register(), so that devm_pm_runtime_disable()\n will be called after cmdq_remove(), but before\n devm_mbox_controller_unregister().\n\nTo fix this problem, cmdq_probe() needs to move\ndevm_mbox_controller_register() after devm_pm_runtime_enable() to make\ndevm_pm_runtime_disable() be called after\ndevm_mbox_controller_unregister().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42319" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42320", + "dataSource": "https://ubuntu.com/security/CVE-2024-42320", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42320" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42320", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42320", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/68d4c3722290ad300c295fb3435e835d200d5cb2", + "https://git.kernel.org/stable/c/8e64d2356cbc800b4cd0e3e614797f76bcf0cdb8", + "https://git.kernel.org/stable/c/cc8b7284d5076722e0b8062373b68d8e47c3bace", + "https://git.kernel.org/stable/c/e511167e65d332d07b3c7a3d5a741ee9c19a8c27" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix error checks in dasd_copy_pair_store()\n\ndasd_add_busid() can return an error via ERR_PTR() if an allocation\nfails. However, two callsites in dasd_copy_pair_store() do not check\nthe result, potentially resulting in a NULL pointer dereference. Fix\nthis by checking the result with IS_ERR() and returning the error up\nthe stack.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42320" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42321", + "dataSource": "https://ubuntu.com/security/CVE-2024-42321", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42321" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42321", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42321", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/120f1c857a73e52132e473dee89b340440cb692b", + "https://git.kernel.org/stable/c/4afbac11f2f629d1e62817c4e210bdfaa7521107", + "https://git.kernel.org/stable/c/c5d21aabf1b31a79f228508af33aee83456bc1b0", + "https://git.kernel.org/stable/c/eb03d9826aa646577342a952d658d4598381c035" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: flow_dissector: use DEBUG_NET_WARN_ON_ONCE\n\nThe following splat is easy to reproduce upstream as well as in -stable\nkernels. Florian Westphal provided the following commit:\n\n d1dab4f71d37 (\"net: add and use __skb_get_hash_symmetric_net\")\n\nbut this complementary fix has been also suggested by Willem de Bruijn\nand it can be easily backported to -stable kernel which consists in\nusing DEBUG_NET_WARN_ON_ONCE instead to silence the following splat\ngiven __skb_get_hash() is used by the nftables tracing infrastructure to\nto identify packets in traces.\n\n[69133.561393] ------------[ cut here ]------------\n[69133.561404] WARNING: CPU: 0 PID: 43576 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x134f/\n[...]\n[69133.561944] CPU: 0 PID: 43576 Comm: socat Not tainted 6.10.0-rc7+ #379\n[69133.561959] RIP: 0010:__skb_flow_dissect+0x134f/0x2ad0\n[69133.561970] Code: 83 f9 04 0f 84 b3 00 00 00 45 85 c9 0f 84 aa 00 00 00 41 83 f9 02 0f 84 81 fc ff\nff 44 0f b7 b4 24 80 00 00 00 e9 8b f9 ff ff <0f> 0b e9 20 f3 ff ff 41 f6 c6 20 0f 84 e4 ef ff ff 48 8d 7b 12 e8\n[69133.561979] RSP: 0018:ffffc90000006fc0 EFLAGS: 00010246\n[69133.561988] RAX: 0000000000000000 RBX: ffffffff82f33e20 RCX: ffffffff81ab7e19\n[69133.561994] RDX: dffffc0000000000 RSI: ffffc90000007388 RDI: ffff888103a1b418\n[69133.562001] RBP: ffffc90000007310 R08: 0000000000000000 R09: 0000000000000000\n[69133.562007] R10: ffffc90000007388 R11: ffffffff810cface R12: ffff888103a1b400\n[69133.562013] R13: 0000000000000000 R14: ffffffff82f33e2a R15: ffffffff82f33e28\n[69133.562020] FS: 00007f40f7131740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[69133.562027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[69133.562033] CR2: 00007f40f7346ee0 CR3: 000000015d200001 CR4: 00000000001706f0\n[69133.562040] Call Trace:\n[69133.562044] \n[69133.562049] ? __warn+0x9f/0x1a0\n[ 1211.841384] ? __skb_flow_dissect+0x107e/0x2860\n[...]\n[ 1211.841496] ? bpf_flow_dissect+0x160/0x160\n[ 1211.841753] __skb_get_hash+0x97/0x280\n[ 1211.841765] ? __skb_get_hash_symmetric+0x230/0x230\n[ 1211.841776] ? mod_find+0xbf/0xe0\n[ 1211.841786] ? get_stack_info_noinstr+0x12/0xe0\n[ 1211.841798] ? bpf_ksym_find+0x56/0xe0\n[ 1211.841807] ? __rcu_read_unlock+0x2a/0x70\n[ 1211.841819] nft_trace_init+0x1b9/0x1c0 [nf_tables]\n[ 1211.841895] ? nft_trace_notify+0x830/0x830 [nf_tables]\n[ 1211.841964] ? get_stack_info+0x2b/0x80\n[ 1211.841975] ? nft_do_chain_arp+0x80/0x80 [nf_tables]\n[ 1211.842044] nft_do_chain+0x79c/0x850 [nf_tables]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42321" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42322", + "dataSource": "https://ubuntu.com/security/CVE-2024-42322", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42322" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42322", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42322", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3dd428039e06e1967ce294e2cd6342825aaaad77", + "https://git.kernel.org/stable/c/c420cd5d5bc6797f3a8824e7d74f38f0c286fca5", + "https://git.kernel.org/stable/c/cbd070a4ae62f119058973f6d2c984e325bce6e7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: properly dereference pe in ip_vs_add_service\n\nUse pe directly to resolve sparse warning:\n\n net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42322" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43817", + "dataSource": "https://ubuntu.com/security/CVE-2024-43817", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43817" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43817", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/27874ca77bd2b05a3779c7b3a5c75d8dd7f0b40f", + "https://git.kernel.org/stable/c/5b1997487a3f3373b0f580c8a20b56c1b64b0775", + "https://git.kernel.org/stable/c/90d41ebe0cd4635f6410471efc1dd71b33e894cf", + "https://git.kernel.org/stable/c/e269d79c7d35aa3808b1f3c1737d63dab504ddc8", + "https://git.kernel.org/stable/c/e9164903b8b303c34723177b02fe91e49e3c4cd7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: missing check virtio\n\nTwo missing check in virtio_net_hdr_to_skb() allowed syzbot\nto crash kernels again\n\n1. After the skb_segment function the buffer may become non-linear\n(nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere\nthe __skb_linearize function will not be executed, then the buffer will\nremain non-linear. Then the condition (offset >= skb_headlen(skb))\nbecomes true, which causes WARN_ON_ONCE in skb_checksum_help.\n\n2. The struct sk_buff and struct virtio_net_hdr members must be\nmathematically related.\n(gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.\n(remainder) must be greater than (needed) otherwise WARN_ON_ONCE.\n(remainder) may be 0 if division is without remainder.\n\noffset+2 (4191) > skb_headlen() (1116)\nWARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\nModules linked in:\nCPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\nCode: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef\nRSP: 0018:ffffc90003a9f338 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209\nRDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001\nRBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c\nR13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d\nFS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777\n ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584\n ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]\n __ip_finish_output net/ipv4/ip_output.c:308 [inline]\n __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433\n dst_output include/net/dst.h:451 [inline]\n ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]\n sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3545 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x257/0x380 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\n __sys_sendto+0x255/0x340 net/socket.c:2190\n __do_sys_sendto net/socket.c:2202 [inline]\n __se_sys_sendto net/socket.c:2198 [inline]\n __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43817" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43819", + "dataSource": "https://ubuntu.com/security/CVE-2024-43819", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43819" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43819", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43819", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/49c9945c054df4c22008e2bf87ca74d3e2507aa6", + "https://git.kernel.org/stable/c/7816e58967d0e6cadce05c8540b47ed027dc2499" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: s390: Reject memory region operations for ucontrol VMs\n\nThis change rejects the KVM_SET_USER_MEMORY_REGION and\nKVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM.\nThis is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and\nwould thus result in a null pointer dereference further in.\nMemory management needs to be performed in userspace and using the\nioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP.\n\nAlso improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION\nand KVM_SET_USER_MEMORY_REGION2.\n\n[frankja@linux.ibm.com: commit message spelling fix, subject prefix fix]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43819" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43823", + "dataSource": "https://ubuntu.com/security/CVE-2024-43823", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43823" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43823", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43823", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a6f1b5fe8ef8268aaa069035639968ceeea0a23", + "https://git.kernel.org/stable/c/a231707a91f323af1e5d9f1722055ec2fc1c7775", + "https://git.kernel.org/stable/c/bbba48ad67c53feea05936ea1e029dcca8057506", + "https://git.kernel.org/stable/c/dbcdd1863ba2ec9b76ec131df25d797709e05597" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()\n\nIf IORESOURCE_MEM is not provided in Device Tree due to\nany error, resource_list_first_type() will return NULL and\npci_parse_request_of_pci_ranges() will just emit a warning.\n\nThis will cause a NULL pointer dereference. Fix this bug by adding NULL\nreturn check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43823" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43824", + "dataSource": "https://ubuntu.com/security/CVE-2024-43824", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43824" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43824", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43824", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5a5095a8bd1bd349cce1c879e5e44407a34dda8a", + "https://git.kernel.org/stable/c/af4ad016abb1632ff7ee598a6037952b495e5b80" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init()\n\nInstead of getting the epc_features from pci_epc_get_features() API, use\nthe cached pci_epf_test::epc_features value to avoid the NULL check. Since\nthe NULL check is already performed in pci_epf_test_bind(), having one more\ncheck in pci_epf_test_core_init() is redundant and it is not possible to\nhit the NULL pointer dereference.\n\nAlso with commit a01e7214bef9 (\"PCI: endpoint: Remove \"core_init_notifier\"\nflag\"), 'epc_features' got dereferenced without the NULL check, leading to\nthe following false positive Smatch warning:\n\n drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747)\n\nThus, remove the redundant NULL check and also use the epc_features::\n{msix_capable/msi_capable} flags directly to avoid local variables.\n\n[kwilczynski: commit log]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43824" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43828", + "dataSource": "https://ubuntu.com/security/CVE-2024-43828", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43828" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43828", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43828", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0619f7750f2b178a1309808832ab20d85e0ad121", + "https://git.kernel.org/stable/c/181e63cd595c688194e07332f9944b3a63193de2", + "https://git.kernel.org/stable/c/5ed0496e383cb6de120e56991385dce70bbb87c1", + "https://git.kernel.org/stable/c/81f819c537d29932e4b9267f02411cbc8b355178", + "https://git.kernel.org/stable/c/907c3fe532253a6ef4eb9c4d67efb71fab58c706", + "https://git.kernel.org/stable/c/c6e67df64783e99a657ef2b8c834ba2bf54c539c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix infinite loop when replaying fast_commit\n\nWhen doing fast_commit replay an infinite loop may occur due to an\nuninitialized extent_status struct. ext4_ext_determine_insert_hole() does\nnot detect the replay and calls ext4_es_find_extent_range(), which will\nreturn immediately without initializing the 'es' variable.\n\nBecause 'es' contains garbage, an integer overflow may happen causing an\ninfinite loop in this function, easily reproducible using fstest generic/039.\n\nThis commit fixes this issue by unconditionally initializing the structure\nin function ext4_es_find_extent_range().\n\nThanks to Zhang Yi, for figuring out the real problem!", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43828" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43829", + "dataSource": "https://ubuntu.com/security/CVE-2024-43829", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43829" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43829", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3efe34f95b1ac8c138a46b14ce75956db0d6ee7c", + "https://git.kernel.org/stable/c/4b1f303bdeceac049e56e4b20eb5280bd9e02f4f", + "https://git.kernel.org/stable/c/4e87f592a46bb804d8f833da6ce702ae4b55053f", + "https://git.kernel.org/stable/c/62ef8d7816c8e4a6088275553818b9afc0ffaa03", + "https://git.kernel.org/stable/c/7bd09a2db0f617377027a2bb0b9179e6959edff3", + "https://git.kernel.org/stable/c/d4c57354a06cb4a77998ff8aa40af89eee30e07b", + "https://git.kernel.org/stable/c/f28b353c0c6c7831a70ccca881bf2db5e6785cdd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/qxl: Add check for drm_cvt_mode\n\nAdd check for the return value of drm_cvt_mode() and return the error if\nit fails in order to avoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43829" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43830", + "dataSource": "https://ubuntu.com/security/CVE-2024-43830", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43830" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43830", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43830", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0788a6f3523d3686a9eed5ea1e6fcce6841277b2", + "https://git.kernel.org/stable/c/09c1583f0e10c918855d6e7540a79461a353e5d6", + "https://git.kernel.org/stable/c/3fb6a9d67cfd812a547ac73ec02e1077c26c640d", + "https://git.kernel.org/stable/c/734ba6437e80dfc780e9ee9d95f912392d12b5ea", + "https://git.kernel.org/stable/c/c0dc9adf9474ecb7106e60e5472577375aedaed3", + "https://git.kernel.org/stable/c/c3b7a650c8717aa89df318364609c86cbc040156", + "https://git.kernel.org/stable/c/cb8aa9d2a4c8a15d6a43ccf901ef3d094aa60374", + "https://git.kernel.org/stable/c/d1415125b701ef13370e2761f691ec632a5eb93a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: trigger: Unregister sysfs attributes before calling deactivate()\n\nTriggers which have trigger specific sysfs attributes typically store\nrelated data in trigger-data allocated by the activate() callback and\nfreed by the deactivate() callback.\n\nCalling device_remove_groups() after calling deactivate() leaves a window\nwhere the sysfs attributes show/store functions could be called after\ndeactivation and then operate on the just freed trigger-data.\n\nMove the device_remove_groups() call to before deactivate() to close\nthis race window.\n\nThis also makes the deactivation path properly do things in reverse order\nof the activation path which calls the activate() callback before calling\ndevice_add_groups().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43830" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43831", + "dataSource": "https://ubuntu.com/security/CVE-2024-43831", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43831" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43831", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43831", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c109f23b271a02b9bb195c173fab41e3285a8db", + "https://git.kernel.org/stable/c/59d438f8e02ca641c58d77e1feffa000ff809e9f", + "https://git.kernel.org/stable/c/cdf05ae76198c513836bde4eb55f099c44773280" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Handle invalid decoder vsi\n\nHandle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi\nis valid for future use.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43831" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43832", + "dataSource": "https://ubuntu.com/security/CVE-2024-43832", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43832" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43832", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43832", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a1eb2f3fc453dcd52726d13e863938561489cb7", + "https://git.kernel.org/stable/c/3f29f6537f54d74e64bac0a390fb2e26da25800d", + "https://git.kernel.org/stable/c/8736604ef53359a718c246087cd21dcec232d2fb", + "https://git.kernel.org/stable/c/b21aba72aadd94bdac275deab021fc84d6c72b16" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/uv: Don't call folio_wait_writeback() without a folio reference\n\nfolio_wait_writeback() requires that no spinlocks are held and that\na folio reference is held, as documented. After we dropped the PTL, the\nfolio could get freed concurrently. So grab a temporary reference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43832" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43834", + "dataSource": "https://ubuntu.com/security/CVE-2024-43834", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43834" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43834", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43834", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/12144069209eec7f2090ce9afa15acdcc2c2a537", + "https://git.kernel.org/stable/c/3fc1be360b99baeea15cdee3cf94252cd3a72d26", + "https://git.kernel.org/stable/c/59a931c5b732ca5fc2ca727f5a72aeabaafa85ec", + "https://git.kernel.org/stable/c/6c390ef198aa69795427a5cb5fd7cb4bc7e6cd7a", + "https://git.kernel.org/stable/c/be9d08ff102df3ac4f66e826ea935cf3af63a4bd", + "https://git.kernel.org/stable/c/bf0ce5aa5f2525ed1b921ba36de96e458e77f482" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: fix invalid wait context of page_pool_destroy()\n\nIf the driver uses a page pool, it creates a page pool with\npage_pool_create().\nThe reference count of page pool is 1 as default.\nA page pool will be destroyed only when a reference count reaches 0.\npage_pool_destroy() is used to destroy page pool, it decreases a\nreference count.\nWhen a page pool is destroyed, ->disconnect() is called, which is\nmem_allocator_disconnect().\nThis function internally acquires mutex_lock().\n\nIf the driver uses XDP, it registers a memory model with\nxdp_rxq_info_reg_mem_model().\nThe xdp_rxq_info_reg_mem_model() internally increases a page pool\nreference count if a memory model is a page pool.\nNow the reference count is 2.\n\nTo destroy a page pool, the driver should call both page_pool_destroy()\nand xdp_unreg_mem_model().\nThe xdp_unreg_mem_model() internally calls page_pool_destroy().\nOnly page_pool_destroy() decreases a reference count.\n\nIf a driver calls page_pool_destroy() then xdp_unreg_mem_model(), we\nwill face an invalid wait context warning.\nBecause xdp_unreg_mem_model() calls page_pool_destroy() with\nrcu_read_lock().\nThe page_pool_destroy() internally acquires mutex_lock().\n\nSplat looks like:\n=============================\n[ BUG: Invalid wait context ]\n6.10.0-rc6+ #4 Tainted: G W\n-----------------------------\nethtool/1806 is trying to lock:\nffffffff90387b90 (mem_id_lock){+.+.}-{4:4}, at: mem_allocator_disconnect+0x73/0x150\nother info that might help us debug this:\ncontext-{5:5}\n3 locks held by ethtool/1806:\nstack backtrace:\nCPU: 0 PID: 1806 Comm: ethtool Tainted: G W 6.10.0-rc6+ #4 f916f41f172891c800f2fed\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nCall Trace:\n\ndump_stack_lvl+0x7e/0xc0\n__lock_acquire+0x1681/0x4de0\n? _printk+0x64/0xe0\n? __pfx_mark_lock.part.0+0x10/0x10\n? __pfx___lock_acquire+0x10/0x10\nlock_acquire+0x1b3/0x580\n? mem_allocator_disconnect+0x73/0x150\n? __wake_up_klogd.part.0+0x16/0xc0\n? __pfx_lock_acquire+0x10/0x10\n? dump_stack_lvl+0x91/0xc0\n__mutex_lock+0x15c/0x1690\n? mem_allocator_disconnect+0x73/0x150\n? __pfx_prb_read_valid+0x10/0x10\n? mem_allocator_disconnect+0x73/0x150\n? __pfx_llist_add_batch+0x10/0x10\n? console_unlock+0x193/0x1b0\n? lockdep_hardirqs_on+0xbe/0x140\n? __pfx___mutex_lock+0x10/0x10\n? tick_nohz_tick_stopped+0x16/0x90\n? __irq_work_queue_local+0x1e5/0x330\n? irq_work_queue+0x39/0x50\n? __wake_up_klogd.part.0+0x79/0xc0\n? mem_allocator_disconnect+0x73/0x150\nmem_allocator_disconnect+0x73/0x150\n? __pfx_mem_allocator_disconnect+0x10/0x10\n? mark_held_locks+0xa5/0xf0\n? rcu_is_watching+0x11/0xb0\npage_pool_release+0x36e/0x6d0\npage_pool_destroy+0xd7/0x440\nxdp_unreg_mem_model+0x1a7/0x2a0\n? __pfx_xdp_unreg_mem_model+0x10/0x10\n? kfree+0x125/0x370\n? bnxt_free_ring.isra.0+0x2eb/0x500\n? bnxt_free_mem+0x5ac/0x2500\nxdp_rxq_info_unreg+0x4a/0xd0\nbnxt_free_mem+0x1356/0x2500\nbnxt_close_nic+0xf0/0x3b0\n? __pfx_bnxt_close_nic+0x10/0x10\n? ethnl_parse_bit+0x2c6/0x6d0\n? __pfx___nla_validate_parse+0x10/0x10\n? __pfx_ethnl_parse_bit+0x10/0x10\nbnxt_set_features+0x2a8/0x3e0\n__netdev_update_features+0x4dc/0x1370\n? ethnl_parse_bitset+0x4ff/0x750\n? __pfx_ethnl_parse_bitset+0x10/0x10\n? __pfx___netdev_update_features+0x10/0x10\n? mark_held_locks+0xa5/0xf0\n? _raw_spin_unlock_irqrestore+0x42/0x70\n? __pm_runtime_resume+0x7d/0x110\nethnl_set_features+0x32d/0xa20\n\nTo fix this problem, it uses rhashtable_lookup_fast() instead of\nrhashtable_lookup() with rcu_read_lock().\nUsing xa without rcu_read_lock() here is safe.\nxa is freed by __xdp_mem_allocator_rcu_free() and this is called by\ncall_rcu() of mem_xa_remove().\nThe mem_xa_remove() is called by page_pool_destroy() if a reference\ncount reaches 0.\nThe xa is already protected by the reference count mechanism well in the\ncontrol plane.\nSo removing rcu_read_lock() for page_pool_destroy() is safe.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43834" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43835", + "dataSource": "https://ubuntu.com/security/CVE-2024-43835", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43835" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43835", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43835", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/468a729b78895893d0e580ceea49bed8ada2a2bd", + "https://git.kernel.org/stable/c/f8321fa75102246d7415a6af441872f6637c93ab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix napi_skb_cache_put warning\n\nAfter the commit bdacf3e34945 (\"net: Use nested-BH locking for\nnapi_alloc_cache.\") was merged, the following warning began to appear:\n\n\t WARNING: CPU: 5 PID: 1 at net/core/skbuff.c:1451 napi_skb_cache_put+0x82/0x4b0\n\n\t __warn+0x12f/0x340\n\t napi_skb_cache_put+0x82/0x4b0\n\t napi_skb_cache_put+0x82/0x4b0\n\t report_bug+0x165/0x370\n\t handle_bug+0x3d/0x80\n\t exc_invalid_op+0x1a/0x50\n\t asm_exc_invalid_op+0x1a/0x20\n\t __free_old_xmit+0x1c8/0x510\n\t napi_skb_cache_put+0x82/0x4b0\n\t __free_old_xmit+0x1c8/0x510\n\t __free_old_xmit+0x1c8/0x510\n\t __pfx___free_old_xmit+0x10/0x10\n\nThe issue arises because virtio is assuming it's running in NAPI context\neven when it's not, such as in the netpoll case.\n\nTo resolve this, modify virtnet_poll_tx() to only set NAPI when budget\nis available. Same for virtnet_poll_cleantx(), which always assumed that\nit was in a NAPI context.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43835" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43839", + "dataSource": "https://ubuntu.com/security/CVE-2024-43839", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43839" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43839", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43839", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6ce46045f9b90d952602e2c0b8886cfadf860bf1", + "https://git.kernel.org/stable/c/6d20c4044ab4d0e6a99aa35853e66f0aed5589e3", + "https://git.kernel.org/stable/c/ab748dd10d8742561f2980fea08ffb4f0cacfdef", + "https://git.kernel.org/stable/c/b0ff0cd0847b03c0a0abe20cfa900eabcfcb9e43", + "https://git.kernel.org/stable/c/c90b1cd7758fd4839909e838ae195d19f8065d76", + "https://git.kernel.org/stable/c/c9741a03dc8e491e57b95fba0058ab46b7e506da", + "https://git.kernel.org/stable/c/e0f48f51d55fb187400e9787192eda09fa200ff5", + "https://git.kernel.org/stable/c/f121740f69eda4da2de9a20a6687a13593e72540" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbna: adjust 'name' buf size of bna_tcb and bna_ccb structures\n\nTo have enough space to write all possible sprintf() args. Currently\n'name' size is 16, but the first '%s' specifier may already need at\nleast 16 characters, since 'bnad->netdev->name' is used there.\n\nFor '%d' specifiers, assume that they require:\n * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8\n * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX\n is 16\n\nAnd replace sprintf with snprintf.\n\nDetected using the static analysis tool - Svace.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43839" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43841", + "dataSource": "https://ubuntu.com/security/CVE-2024-43841", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43841" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43841", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43841", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/05c4488a0e446c6ccde9f22b573950665e1cd414", + "https://git.kernel.org/stable/c/36e92b5edc8e0daa18e9325674313802ce3fbc29", + "https://git.kernel.org/stable/c/416d3c1538df005195721a200b0371d39636e05d", + "https://git.kernel.org/stable/c/93e898a264b4e0a475552ba9f99a016eb43ef942", + "https://git.kernel.org/stable/c/994fc2164a03200c3bf42fb45b3d49d9d6d33a4d", + "https://git.kernel.org/stable/c/b5d14b0c6716fad7f0c94ac6e1d6f60a49f985c7", + "https://git.kernel.org/stable/c/d3cc85a10abc8eae48988336cdd3689ab92581b3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: virt_wifi: avoid reporting connection success with wrong SSID\n\nWhen user issues a connection with a different SSID than the one\nvirt_wifi has advertised, the __cfg80211_connect_result() will\ntrigger the warning: WARN_ON(bss_not_found).\n\nThe issue is because the connection code in virt_wifi does not\ncheck the SSID from user space (it only checks the BSSID), and\nvirt_wifi will call cfg80211_connect_result() with WLAN_STATUS_SUCCESS\neven if the SSID is different from the one virt_wifi has advertised.\nEventually cfg80211 won't be able to find the cfg80211_bss and generate\nthe warning.\n\nFixed it by checking the SSID (from user space) in the connection code.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43841" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43842", + "dataSource": "https://ubuntu.com/security/CVE-2024-43842", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43842" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43842", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43842", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7a0edc3d83aff3a48813d78c9cad9daf38decc74", + "https://git.kernel.org/stable/c/85099c7ce4f9e64c66aa397cd9a37473637ab891", + "https://git.kernel.org/stable/c/96ae4de5bc4c8ba39fd072369398f59495b73f58", + "https://git.kernel.org/stable/c/a2a095c08b95372d6d0c5819b77f071af5e75366" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()\n\nIn rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.\nBut then 'rate->he_gi' is used as array index instead of 'status->he_gi'.\nThis can lead to go beyond array boundaries in case of 'rate->he_gi' is\nnot equal to 'status->he_gi' and is bigger than array size. Looks like\n\"copy-paste\" mistake.\n\nFix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43842" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43844", + "dataSource": "https://ubuntu.com/security/CVE-2024-43844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43844", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/dda364c345913fe03ddbe4d5ae14a2754c100296", + "https://git.kernel.org/stable/c/ef0d9d2f0dc1133db3d3a1c5167190c6627146b2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: wow: fix GTK offload H2C skbuff issue\n\nWe mistakenly put skb too large and that may exceed skb->end.\nTherefore, we fix it.\n\nskbuff: skb_over_panic: text:ffffffffc09e9a9d len:416 put:204 head:ffff8fba04eca780 data:ffff8fba04eca7e0 tail:0x200 end:0x140 dev:\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:192!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 4747 Comm: kworker/u4:44 Tainted: G O 6.6.30-02659-gc18865c4dfbd #1 86547039b47e46935493f615ee31d0b2d711d35e\nHardware name: HP Meep/Meep, BIOS Google_Meep.11297.262.0 03/18/2021\nWorkqueue: events_unbound async_run_entry_fn\nRIP: 0010:skb_panic+0x5d/0x60\nCode: c6 63 8b 8f bb 4c 0f 45 f6 48 c7 c7 4d 89 8b bb 48 89 ce 44 89 d1 41 56 53 41 53 ff b0 c8 00 00 00 e8 27 5f 23 00 48 83 c4 20 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44\nRSP: 0018:ffffaa700144bad0 EFLAGS: 00010282\nRAX: 0000000000000089 RBX: 0000000000000140 RCX: 14432c5aad26c900\nRDX: 0000000000000000 RSI: 00000000ffffdfff RDI: 0000000000000001\nRBP: ffffaa700144bae0 R08: 0000000000000000 R09: ffffaa700144b920\nR10: 00000000ffffdfff R11: ffffffffbc28fbc0 R12: ffff8fba4e57a010\nR13: 0000000000000000 R14: ffffffffbb8f8b63 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8fba7bd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007999c4ad1000 CR3: 000000015503a000 CR4: 0000000000350ee0\nCall Trace:\n \n ? __die_body+0x1f/0x70\n ? die+0x3d/0x60\n ? do_trap+0xa4/0x110\n ? skb_panic+0x5d/0x60\n ? do_error_trap+0x6d/0x90\n ? skb_panic+0x5d/0x60\n ? handle_invalid_op+0x30/0x40\n ? skb_panic+0x5d/0x60\n ? exc_invalid_op+0x3c/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? skb_panic+0x5d/0x60\n skb_put+0x49/0x50\n rtw89_fw_h2c_wow_gtk_ofld+0xbd/0x220 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n rtw89_wow_resume+0x31f/0x540 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n rtw89_ops_resume+0x2b/0xa0 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n ieee80211_reconfig+0x84/0x13e0 [mac80211 818a894e3b77da6298269c59ed7cdff065a4ed52]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n ? dev_printk_emit+0x51/0x70\n ? _dev_info+0x6e/0x90\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n wiphy_resume+0x89/0x180 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n dpm_run_callback+0x3c/0x140\n device_resume+0x1f9/0x3c0\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x29/0xd0\n process_scheduled_works+0x1d8/0x3d0\n worker_thread+0x1fc/0x2f0\n kthread+0xed/0x110\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x38/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \nModules linked in: ccm 8021q r8153_ecm cdc_ether usbnet r8152 mii dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc uinput rfcomm cmac algif_hash rtw89_8922ae(O) algif_skcipher rtw89_8922a(O) af_alg rtw89_pci(O) rtw89_core(O) btusb(O) snd_soc_sst_bxt_da7219_max98357a btbcm(O) snd_soc_hdac_hdmi btintel(O) snd_soc_intel_hda_dsp_common snd_sof_probes btrtl(O) btmtk(O) snd_hda_codec_hdmi snd_soc_dmic uvcvideo videobuf2_vmalloc uvc videobuf2_memops videobuf2_v4l2 videobuf2_common snd_sof_pci_intel_apl snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_intel_hda soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_pci snd_sof_xtensa_dsp mac80211 snd_soc_acpi_intel_match snd_soc_acpi snd_sof snd_sof_utils soundwire_bus snd_soc_max98357a snd_soc_avs snd_soc_hda_codec snd_hda_ext_core snd_intel_dspcfg snd_intel_sdw_acpi snd_soc_da7219 snd_hda_codec snd_hwdep snd_hda_core veth ip6table_nat xt_MASQUERADE xt_cgroup fuse bluetooth ecdh_generic\n cfg80211 ecc\ngsmi: Log Shutdown \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43844" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43846", + "dataSource": "https://ubuntu.com/security/CVE-2024-43846", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43846" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43846", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43846", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1936fa05a180834c3b52e0439a6bddc07814d3eb", + "https://git.kernel.org/stable/c/22ae17a267f4812861f0c644186c3421ff97dbfc", + "https://git.kernel.org/stable/c/499f742fed42e74f1321f4b12ca196a66a2b49fc", + "https://git.kernel.org/stable/c/565213e005557eb6cc4e42189d26eb300e02f170", + "https://git.kernel.org/stable/c/5adc61d29bbb461d7f7c2b48dceaa90ecd182eb7", + "https://git.kernel.org/stable/c/8161263362154cbebfbf4808097b956a6a8cb98a", + "https://git.kernel.org/stable/c/b4a3a89fffcdf09702b1f161b914e52abca1894d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib: objagg: Fix general protection fault\n\nThe library supports aggregation of objects into other objects only if\nthe parent object does not have a parent itself. That is, nesting is not\nsupported.\n\nAggregation happens in two cases: Without and with hints, where hints\nare a pre-computed recommendation on how to aggregate the provided\nobjects.\n\nNesting is not possible in the first case due to a check that prevents\nit, but in the second case there is no check because the assumption is\nthat nesting cannot happen when creating objects based on hints. The\nviolation of this assumption leads to various warnings and eventually to\na general protection fault [1].\n\nBefore fixing the root cause, error out when nesting happens and warn.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdead000000000d90: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 1083 Comm: kworker/1:9 Tainted: G W 6.9.0-rc6-custom-gd9b4f1cca7fb #7\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_erp_bf_insert+0x25/0x80\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_entry_add+0x256/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43846" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43849", + "dataSource": "https://ubuntu.com/security/CVE-2024-43849", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43849" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43849", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43849", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/107924c14e3ddd85119ca43c26a4ee1056fa9b84", + "https://git.kernel.org/stable/c/3e815626d73e05152a8142f6e44aecc4133e6e08", + "https://git.kernel.org/stable/c/475a77fb3f0e1d527f56c60b79f5879661df5b80", + "https://git.kernel.org/stable/c/8543269567e2fb3d976a8255c5e348aed14f98bc", + "https://git.kernel.org/stable/c/d0870c4847e77a49c2f91bb2a8e0fa3c1f8dea5c", + "https://git.kernel.org/stable/c/eab05737ee22216250fe20d27f5a596da5ea6eb7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pdr: protect locator_addr with the main mutex\n\nIf the service locator server is restarted fast enough, the PDR can\nrewrite locator_addr fields concurrently. Protect them by placing\nmodification of those fields under the main pdr->lock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43849" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43853", + "dataSource": "https://ubuntu.com/security/CVE-2024-43853", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43853" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43853", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43853", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1be59c97c83ccd67a519d8a49486b3a8a73ca28a", + "https://git.kernel.org/stable/c/29a8d4e02fd4840028c38ceb1536cc8f82a257d4", + "https://git.kernel.org/stable/c/29ac1d238b3bf126af36037df80d7ecc4822341e", + "https://git.kernel.org/stable/c/96226fbed566f3f686f53a489a29846f2d538080" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/cpuset: Prevent UAF in proc_cpuset_show()\n\nAn UAF can happen when /proc/cpuset is read as reported in [1].\n\nThis can be reproduced by the following methods:\n1.add an mdelay(1000) before acquiring the cgroup_lock In the\n cgroup_path_ns function.\n2.$cat /proc//cpuset repeatly.\n3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/\n$umount /sys/fs/cgroup/cpuset/ repeatly.\n\nThe race that cause this bug can be shown as below:\n\n(umount)\t\t|\t(cat /proc//cpuset)\ncss_release\t\t|\tproc_cpuset_show\ncss_release_work_fn\t|\tcss = task_get_css(tsk, cpuset_cgrp_id);\ncss_free_rwork_fn\t|\tcgroup_path_ns(css->cgroup, ...);\ncgroup_destroy_root\t|\tmutex_lock(&cgroup_mutex);\nrebind_subsystems\t|\ncgroup_free_root \t|\n\t\t\t|\t// cgrp was freed, UAF\n\t\t\t|\tcgroup_path_ns_locked(cgrp,..);\n\nWhen the cpuset is initialized, the root node top_cpuset.css.cgrp\nwill point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will\nallocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated\n&cgroup_root.cgrp. When the umount operation is executed,\ntop_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.\n\nThe problem is that when rebinding to cgrp_dfl_root, there are cases\nwhere the cgroup_root allocated by setting up the root for cgroup v1\nis cached. This could lead to a Use-After-Free (UAF) if it is\nsubsequently freed. The descendant cgroups of cgroup v1 can only be\nfreed after the css is released. However, the css of the root will never\nbe released, yet the cgroup_root should be freed when it is unmounted.\nThis means that obtaining a reference to the css of the root does\nnot guarantee that css.cgrp->root will not be freed.\n\nFix this problem by using rcu_read_lock in proc_cpuset_show().\nAs cgroup_root is kfree_rcu after commit d23b5c577715\n(\"cgroup: Make operations on the cgroup root_list RCU safe\"),\ncss->cgroup won't be freed during the critical section.\nTo call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to\nreplace task_get_css with task_css.\n\n[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43853" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43854", + "dataSource": "https://ubuntu.com/security/CVE-2024-43854", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43854" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43854", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43854", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/23a19655fb56f241e592041156dfb1c6d04da644", + "https://git.kernel.org/stable/c/899ee2c3829c5ac14bfc7d3c4a5846c0b709b78f", + "https://git.kernel.org/stable/c/cf6b45ea7a8df0f61bded1dc4a8561ac6ad143d2", + "https://git.kernel.org/stable/c/d418313bd8f55c079a7da12651951b489a638ac1", + "https://git.kernel.org/stable/c/ebc0e91ba76dc6544fff9f5b66408b1982806a00" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: initialize integrity buffer to zero before writing it to media\n\nMetadata added by bio_integrity_prep is using plain kmalloc, which leads\nto random kernel memory being written media. For PI metadata this is\nlimited to the app tag that isn't used by kernel generated metadata,\nbut for non-PI metadata the entire buffer leaks kernel memory.\n\nFix this by adding the __GFP_ZERO flag to allocations for writes.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43854" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43856", + "dataSource": "https://ubuntu.com/security/CVE-2024-43856", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43856" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43856", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43856", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1fe97f68fce1ba24bf823bfb0eb0956003473130", + "https://git.kernel.org/stable/c/22094f5f52e7bc16c5bf9613365049383650b02e", + "https://git.kernel.org/stable/c/257193083e8f43907e99ea633820fc2b3bcd24c7", + "https://git.kernel.org/stable/c/28e8b7406d3a1f5329a03aa25a43aa28e087cb20", + "https://git.kernel.org/stable/c/2f7bbdc744f2e7051d1cb47c8e082162df1923c9", + "https://git.kernel.org/stable/c/87b34c8c94e29fa01d744e5147697f592998d954", + "https://git.kernel.org/stable/c/f993a4baf6b622232e4c190d34c220179e5d61eb", + "https://git.kernel.org/stable/c/fe2d246080f035e0af5793cb79067ba125e4fb63" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: fix call order in dmam_free_coherent\n\ndmam_free_coherent() frees a DMA allocation, which makes the\nfreed vaddr available for reuse, then calls devres_destroy()\nto remove and free the data structure used to track the DMA\nallocation. Between the two calls, it is possible for a\nconcurrent task to make an allocation with the same vaddr\nand add it to the devres list.\n\nIf this happens, there will be two entries in the devres list\nwith the same vaddr and devres_destroy() can free the wrong\nentry, triggering the WARN_ON() in dmam_match.\n\nFix by destroying the devres entry before freeing the DMA\nallocation.\n\n kokonut //net/encryption\n http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43856" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43858", + "dataSource": "https://ubuntu.com/security/CVE-2024-43858", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43858" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43858", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43858", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/538a27c8048f081a5ddd286f886eb986fbbc7f80", + "https://git.kernel.org/stable/c/55b732c8b09b41148eaab2fa8e31b0af47671e00", + "https://git.kernel.org/stable/c/63f7fdf733add82f126ea00e2e48f6eba15ac4b9", + "https://git.kernel.org/stable/c/6aa6892a90a5a7fabffe5692ab9f06a7a46c6e42", + "https://git.kernel.org/stable/c/8d8f9a477de0d7962342eedf2a599215b7c63d28", + "https://git.kernel.org/stable/c/9b3a4345957f5372041bc4f59de322f62653e862", + "https://git.kernel.org/stable/c/f73f969b2eb39ad8056f6c7f3a295fa2f85e313a", + "https://git.kernel.org/stable/c/ff14eadc278663cac69d57d3ca7fb2f394e1f8a7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix array-index-out-of-bounds in diFree", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43858" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43860", + "dataSource": "https://ubuntu.com/security/CVE-2024-43860", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43860" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43860", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43860", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2fa26ca8b786888673689ccc9da6094150939982", + "https://git.kernel.org/stable/c/4e13b7c23988c0a13fdca92e94296a3bc2ff9f21", + "https://git.kernel.org/stable/c/6884fd0283e0831be153fb8d82d9eda8a55acaaa", + "https://git.kernel.org/stable/c/6b50462b473fdccdc0dfad73001147e40ff19a66", + "https://git.kernel.org/stable/c/6c9ea3547fad252fe9ae5d3ed7e066e2085bf3a2", + "https://git.kernel.org/stable/c/84beb7738459cac0ff9f8a7c4654b8ff82a702c0", + "https://git.kernel.org/stable/c/9a17cf8b2ce483fa75258bc2cdcf628f24bcf5f8", + "https://git.kernel.org/stable/c/c877a5f5268d4ab8224b9c9fbce3d746e4e72bc9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_rproc: Skip over memory region when node value is NULL\n\nIn imx_rproc_addr_init() \"nph = of_count_phandle_with_args()\" just counts\nnumber of phandles. But phandles may be empty. So of_parse_phandle() in\nthe parsing loop (0 < a < nph) may return NULL which is later dereferenced.\nAdjust this issue by adding NULL-return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[Fixed title to fit within the prescribed 70-75 charcters]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43860" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43861", + "dataSource": "https://ubuntu.com/security/CVE-2024-43861", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43861" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43861", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43861", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/37c093449704017870604994ba9b813cdb9475a4", + "https://git.kernel.org/stable/c/3c90a69533b5bba73401ef884d033ea49ee99662", + "https://git.kernel.org/stable/c/7ab107544b777c3bd7feb9fe447367d8edd5b202", + "https://git.kernel.org/stable/c/c4251a3deccad852b27e60625f31fba6cc14372f", + "https://git.kernel.org/stable/c/c6c5b91424fafc0f83852d961c10c7e43a001882", + "https://git.kernel.org/stable/c/da518cc9b64df391795d9952aed551e0f782e446", + "https://git.kernel.org/stable/c/e87f52225e04a7001bf55bbd7a330fa4252327b5", + "https://git.kernel.org/stable/c/f2c353227de14b0289298ffc3ba92058c4768384" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: qmi_wwan: fix memory leak for not ip packets\n\nFree the unused skb when not ip packets arrive.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43861" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43863", + "dataSource": "https://ubuntu.com/security/CVE-2024-43863", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43863" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43863", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43863", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b933b16c996af8adb6bc1b5748a63dfb41a82bc", + "https://git.kernel.org/stable/c/9e20d028d8d1deb1e7fed18f22ffc01669cf3237", + "https://git.kernel.org/stable/c/a8943969f9ead2fd3044fc826140a21622ef830e", + "https://git.kernel.org/stable/c/c98ab18b9f315ff977c2c65d7c71298ef98be8e3", + "https://git.kernel.org/stable/c/e58337100721f3cc0c7424a18730e4f39844934f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a deadlock in dma buf fence polling\n\nIntroduce a version of the fence ops that on release doesn't remove\nthe fence from the pending list, and thus doesn't require a lock to\nfix poll->fence wait->fence unref deadlocks.\n\nvmwgfx overwrites the wait callback to iterate over the list of all\nfences and update their status, to do that it holds a lock to prevent\nthe list modifcations from other threads. The fence destroy callback\nboth deletes the fence and removes it from the list of pending\nfences, for which it holds a lock.\n\ndma buf polling cb unrefs a fence after it's been signaled: so the poll\ncalls the wait, which signals the fences, which are being destroyed.\nThe destruction tries to acquire the lock on the pending fences list\nwhich it can never get because it's held by the wait from which it\nwas called.\n\nOld bug, but not a lot of userspace apps were using dma-buf polling\ninterfaces. Fix those, in particular this fixes KDE stalls/deadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43863" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43866", + "dataSource": "https://ubuntu.com/security/CVE-2024-43866", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43866" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43866", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43866", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b75da22ed1e6171e261bc9265370162553d5393", + "https://git.kernel.org/stable/c/6048dec754554a1303d632be6042d3feb3295285", + "https://git.kernel.org/stable/c/6b6c2ebd83f2bf97e8f221479372aaca97a4a9b2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always drain health in shutdown callback\n\nThere is no point in recovery during device shutdown. if health\nwork started need to wait for it to avoid races and NULL pointer\naccess.\n\nHence, drain health WQ on shutdown callback.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43866" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43867", + "dataSource": "https://ubuntu.com/security/CVE-2024-43867", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43867" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43867", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43867", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16998763c62bb465ebc409d0373b9cdcef1a61a6", + "https://git.kernel.org/stable/c/2a1b327d57a8ac080977633a18999f032d7e9e3f", + "https://git.kernel.org/stable/c/3bcb8bba72ce89667fa863054956267c450c47ef", + "https://git.kernel.org/stable/c/906372e753c5027a1dc88743843b6aa2ad1aaecf", + "https://git.kernel.org/stable/c/a9bf3efc33f1fbf88787a277f7349459283c9b95", + "https://git.kernel.org/stable/c/ebebba4d357b6c67f96776a48ddbaf0060fa4c10", + "https://git.kernel.org/stable/c/f23cd66933fe76b84d8e282e5606b4d99068c320" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: prime: fix refcount underflow\n\nCalling nouveau_bo_ref() on a nouveau_bo without initializing it (and\nhence the backing ttm_bo) leads to a refcount underflow.\n\nInstead of calling nouveau_bo_ref() in the unwind path of\ndrm_gem_object_init(), clean things up manually.\n\n(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43867" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43869", + "dataSource": "https://ubuntu.com/security/CVE-2024-43869", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43869" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43869", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43869", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4", + "https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840", + "https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0", + "https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99", + "https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn't even require a weak IRQ work\nimplementation to trigger:\n\nschedule()\n prepare_task_switch()\n=======> \n perf_event_overflow()\n event->pending_sigtrap = ...\n irq_work_queue(&event->pending_irq)\n<======= \n perf_event_task_sched_out()\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n task_work_add(&event->pending_task)\n finish_lock_switch()\n=======> \n perf_pending_irq()\n //do nothing, rely on pending task work\n<======= \n\nbegin_new_exec()\n perf_event_exit_task()\n perf_event_exit_event()\n // If is child event\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // event is leaked\n\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\n\nFix this with synchonizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever beeing\nfreed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43869" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43870", + "dataSource": "https://ubuntu.com/security/CVE-2024-43870", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43870" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43870", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43870", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51", + "https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b", + "https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a", + "https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7", + "https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exit\n\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\nto the target task upon resume to userspace via task_work.\n\nHowever failures while adding an event's callback to the task_work\nengine are ignored. And since the last call for events exit happen\nafter task work is eventually closed, there is a small window during\nwhich pending sigtrap can be queued though ignored, leaking the event\nrefcount addition such as in the following scenario:\n\n TASK A\n -----\n\n do_exit()\n exit_task_work(tsk);\n\n \n perf_event_overflow()\n event->pending_sigtrap = pending_id;\n irq_work_queue(&event->pending_irq);\n \n =========> PREEMPTION: TASK A -> TASK B\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n // FAILS: task work has exited\n task_work_add(&event->pending_task)\n [...]\n \n perf_pending_irq()\n // early return: event->oncpu = -1\n \n [...]\n =========> TASK B -> TASK A\n perf_event_exit_task(tsk)\n perf_event_exit_event()\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // leak event due to unexpected refcount == 2\n\nAs a result the event is never released while the task exits.\n\nFix this with appropriate task_work_add()'s error handling.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43870" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43871", + "dataSource": "https://ubuntu.com/security/CVE-2024-43871", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43871" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43871", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43871", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3047f99caec240a88ccd06197af2868da1af6a96", + "https://git.kernel.org/stable/c/3dcd0673e47664bc6c719ad47dadac6d55d5950d", + "https://git.kernel.org/stable/c/700e8abd65b10792b2f179ce4e858f2ca2880f85", + "https://git.kernel.org/stable/c/95065edb8ebb27771d5f1e898eef6ab43dc6c87c", + "https://git.kernel.org/stable/c/b044588a16a978cd891cb3d665dd7ae06850d5bf", + "https://git.kernel.org/stable/c/b67552d7c61f52f1271031adfa7834545ae99701", + "https://git.kernel.org/stable/c/bd50a974097bb82d52a458bd3ee39fb723129a0c", + "https://git.kernel.org/stable/c/ef56dcdca8f2a53abc3a83d388b8336447533d85" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevres: Fix memory leakage caused by driver API devm_free_percpu()\n\nIt will cause memory leakage when use driver API devm_free_percpu()\nto free memory allocated by devm_alloc_percpu(), fixed by using\ndevres_release() instead of devres_destroy() within devm_free_percpu().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43871" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43872", + "dataSource": "https://ubuntu.com/security/CVE-2024-43872", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43872" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43872", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43872", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06580b33c183c9f98e2a2ca96a86137179032c08", + "https://git.kernel.org/stable/c/2fdf34038369c0a27811e7b4680662a14ada1d6b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix soft lockup under heavy CEQE load\n\nCEQEs are handled in interrupt handler currently. This may cause the\nCPU core staying in interrupt context too long and lead to soft lockup\nunder heavy load.\n\nHandle CEQEs in BH workqueue and set an upper limit for the number of\nCEQE handled by a single call of work handler.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43872" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43873", + "dataSource": "https://ubuntu.com/security/CVE-2024-43873", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43873" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43873", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43873", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e1fdcbdde3b7663e5d8faeb2245b9b151417d22", + "https://git.kernel.org/stable/c/3062cb100787a9ddf45de30004b962035cd497fb", + "https://git.kernel.org/stable/c/30bd4593669443ac58515e23557dc8cef70d8582", + "https://git.kernel.org/stable/c/ea558f10fb05a6503c6e655a1b7d81fdf8e5924c", + "https://git.kernel.org/stable/c/eab96e8716cbfc2834b54f71cc9501ad4eec963b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost/vsock: always initialize seqpacket_allow\n\nThere are two issues around seqpacket_allow:\n1. seqpacket_allow is not initialized when socket is\n created. Thus if features are never set, it will be\n read uninitialized.\n2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,\n then seqpacket_allow will not be cleared appropriately\n (existing apps I know about don't usually do this but\n it's legal and there's no way to be sure no one relies\n on this).\n\nTo fix:\n\t- initialize seqpacket_allow after allocation\n\t- set it unconditionally in set_features", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43873" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43875", + "dataSource": "https://ubuntu.com/security/CVE-2024-43875", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43875" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43875", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43875", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e27e2e8697b8ce96cdef43f135426525d9d1f8f", + "https://git.kernel.org/stable/c/24414c842a24d0fd498f9db6d2a762a8dddf1832", + "https://git.kernel.org/stable/c/7d368de78b60088ec9031c60c88976c0063ea4c0", + "https://git.kernel.org/stable/c/8e0f5a96c534f781e8c57ca30459448b3bfe5429", + "https://git.kernel.org/stable/c/b9e8695246bcfc028341470cbf92630cdc1ba36b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Clean up error handling in vpci_scan_bus()\n\nSmatch complains about inconsistent NULL checking in vpci_scan_bus():\n\n drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021)\n\nInstead of printing an error message and then crashing we should return\nan error code and clean up.\n\nAlso the NULL check is reversed so it prints an error for success\ninstead of failure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43875" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43879", + "dataSource": "https://ubuntu.com/security/CVE-2024-43879", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43879" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43879", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43879", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16ad67e73309db0c20cc2a651992bd01c05e6b27", + "https://git.kernel.org/stable/c/19eaf4f2f5a981f55a265242ada2bf92b0c742dd", + "https://git.kernel.org/stable/c/2e201b3d162c6c49417c438ffb30b58c9f85769f", + "https://git.kernel.org/stable/c/45d20a1c54be4f3173862c7b950d4468447814c9", + "https://git.kernel.org/stable/c/576c64622649f3ec07e97bac8fec8b8a2ef4d086", + "https://git.kernel.org/stable/c/67b5f1054197e4f5553047759c15c1d67d4c8142", + "https://git.kernel.org/stable/c/b289ebb0516526cb4abae081b7ec29fd4fa1209d", + "https://git.kernel.org/stable/c/bcbd771cd5d68c0c52567556097d75f9fc4e7cd6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()\n\nCurrently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in\ncfg80211_calculate_bitrate_he(), leading to below warning:\n\nkernel: invalid HE MCS: bw:6, ru:6\nkernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211]\n\nFix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43879" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43880", + "dataSource": "https://ubuntu.com/security/CVE-2024-43880", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43880" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43880", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43880", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e59c2d22853266704e127915653598f7f104037", + "https://git.kernel.org/stable/c/25c6fd9648ad05da493a5d30881896a78a08b624", + "https://git.kernel.org/stable/c/36a9996e020dd5aa325e0ecc55eb2328288ea6bb", + "https://git.kernel.org/stable/c/4dc09f6f260db3c4565a4ec52ba369393598f2fb", + "https://git.kernel.org/stable/c/97d833ceb27dc19f8777d63f90be4a27b5daeedf", + "https://git.kernel.org/stable/c/9a5261a984bba4f583d966c550fa72c33ff3714e", + "https://git.kernel.org/stable/c/fb5d4fc578e655d113f09565f6f047e15f7ab578" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_erp: Fix object nesting warning\n\nACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM\n(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can\ncontain more ACLs (i.e., tc filters), but the number of masks in each\nregion (i.e., tc chain) is limited.\n\nIn order to mitigate the effects of the above limitation, the device\nallows filters to share a single mask if their masks only differ in up\nto 8 consecutive bits. For example, dst_ip/25 can be represented using\ndst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the\nnumber of masks being used (and therefore does not support mask\naggregation), but can contain a limited number of filters.\n\nThe driver uses the \"objagg\" library to perform the mask aggregation by\npassing it objects that consist of the filter's mask and whether the\nfilter is to be inserted into the A-TCAM or the C-TCAM since filters in\ndifferent TCAMs cannot share a mask.\n\nThe set of created objects is dependent on the insertion order of the\nfilters and is not necessarily optimal. Therefore, the driver will\nperiodically ask the library to compute a more optimal set (\"hints\") by\nlooking at all the existing objects.\n\nWhen the library asks the driver whether two objects can be aggregated\nthe driver only compares the provided masks and ignores the A-TCAM /\nC-TCAM indication. This is the right thing to do since the goal is to\nmove as many filters as possible to the A-TCAM. The driver also forbids\ntwo identical masks from being aggregated since this can only happen if\none was intentionally put in the C-TCAM to avoid a conflict in the\nA-TCAM.\n\nThe above can result in the following set of hints:\n\nH1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta\nH3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta\n\nAfter getting the hints from the library the driver will start migrating\nfilters from one region to another while consulting the computed hints\nand instructing the device to perform a lookup in both regions during\nthe transition.\n\nAssuming a filter with mask X is being migrated into the A-TCAM in the\nnew region, the hints lookup will return H1. Since H2 is the parent of\nH1, the library will try to find the object associated with it and\ncreate it if necessary in which case another hints lookup (recursive)\nwill be performed. This hints lookup for {mask Y, A-TCAM} will either\nreturn H2 or H3 since the driver passes the library an object comparison\nfunction that ignores the A-TCAM / C-TCAM indication.\n\nThis can eventually lead to nested objects which are not supported by\nthe library [1].\n\nFix by removing the object comparison function from both the driver and\nthe library as the driver was the only user. That way the lookup will\nonly return exact matches.\n\nI do not have a reliable reproducer that can reproduce the issue in a\ntimely manner, but before the fix the issue would reproduce in several\nminutes and with the fix it does not reproduce in over an hour.\n\nNote that the current usefulness of the hints is limited because they\ninclude the C-TCAM indication and represent aggregation that cannot\nactually happen. This will be addressed in net-next.\n\n[1]\nWARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0\nModules linked in:\nCPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42\nHardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:objagg_obj_parent_assign+0xb5/0xd0\n[...]\nCall Trace:\n \n __objagg_obj_get+0x2bb/0x580\n objagg_obj_get+0xe/0x80\n mlxsw_sp_acl_erp_mask_get+0xb5/0xf0\n mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43880" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43882", + "dataSource": "https://ubuntu.com/security/CVE-2024-43882", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43882" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43882", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43882", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/15469d46ba34559bfe7e3de6659115778c624759", + "https://git.kernel.org/stable/c/368f6985d46657b8b466a421dddcacd4051f7ada", + "https://git.kernel.org/stable/c/90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e", + "https://git.kernel.org/stable/c/9b424c5d4130d56312e2a3be17efb0928fec4d64", + "https://git.kernel.org/stable/c/d2a2a4714d80d09b0f8eb6438ab4224690b7121e", + "https://git.kernel.org/stable/c/d5c3c7e26275a2d83b894d30f7582a42853a958f", + "https://git.kernel.org/stable/c/f50733b45d865f91db90919f8311e2127ce5a0cb", + "https://git.kernel.org/stable/c/f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nexec: Fix ToCToU between perm check and set-uid/gid usage\n\nWhen opening a file for exec via do_filp_open(), permission checking is\ndone against the file's metadata at that moment, and on success, a file\npointer is passed back. Much later in the execve() code path, the file\nmetadata (specifically mode, uid, and gid) is used to determine if/how\nto set the uid and gid. However, those values may have changed since the\npermissions check, meaning the execution may gain unintended privileges.\n\nFor example, if a file could change permissions from executable and not\nset-id:\n\n---------x 1 root root 16048 Aug 7 13:16 target\n\nto set-id and non-executable:\n\n---S------ 1 root root 16048 Aug 7 13:16 target\n\nit is possible to gain root privileges when execution should have been\ndisallowed.\n\nWhile this race condition is rare in real-world scenarios, it has been\nobserved (and proven exploitable) when package managers are updating\nthe setuid bits of installed programs. Such files start with being\nworld-executable but then are adjusted to be group-exec with a set-uid\nbit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only\nby uid \"root\" and gid \"cdrom\", while also becoming setuid-root:\n\n-rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target\n\nbecomes:\n\n-rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target\n\nBut racing the chmod means users without group \"cdrom\" membership can\nget the permission to execute \"target\" just before the chmod, and when\nthe chmod finishes, the exec reaches brpm_fill_uid(), and performs the\nsetuid to root, violating the expressed authorization of \"only cdrom\ngroup members can setuid to root\".\n\nRe-check that we still have execute permissions in case the metadata\nhas changed. It would be better to keep a copy from the perm-check time,\nbut until we can do that refactoring, the least-bad option is to do a\nfull inode_permission() call (under inode lock). It is understood that\nthis is safe against dead-locks, but hardly optimal.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43882" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43883", + "dataSource": "https://ubuntu.com/security/CVE-2024-43883", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43883" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43883", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43883", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/128e82e41cf7d74a562726c1587d9d2ede1a0a37", + "https://git.kernel.org/stable/c/4dacdb9720aaab10b6be121eae55820174d97174", + "https://git.kernel.org/stable/c/585e6bc7d0a9bf73a8be3d3fb34e86b90cc61a14", + "https://git.kernel.org/stable/c/5a3c473b28ae1c1f7c4dc129e30cb19ae6e96f89", + "https://git.kernel.org/stable/c/9c3746ce8d8fcb3a2405644fc0eec7fc5312de80", + "https://git.kernel.org/stable/c/afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a", + "https://git.kernel.org/stable/c/c3d0857b7fc2c49f68f89128a5440176089a8f54", + "https://git.kernel.org/stable/c/e8c1e606dab8c56cf074b43b98d0805de7322ba2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: vhci-hcd: Do not drop references before new references are gained\n\nAt a few places the driver carries stale pointers\nto references that can still be used. Make sure that does not happen.\nThis strictly speaking closes ZDI-CAN-22273, though there may be\nsimilar races in the driver.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43883" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43884", + "dataSource": "https://ubuntu.com/security/CVE-2024-43884", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43884" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43884", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43884", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/538fd3921afac97158d4177139a0ad39f056dbb2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Add error handling to pair_device()\n\nhci_conn_params_add() never checks for a NULL value and could lead to a NULL\npointer dereference causing a crash.\n\nFixed by adding error handling in the function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43884" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43886", + "dataSource": "https://ubuntu.com/security/CVE-2024-43886", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43886" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43886", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43886", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/899d92fd26fe780aad711322aa671f68058207a6", + "https://git.kernel.org/stable/c/c36e922a36bdf69765c340a0857ca74092003bee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check in resource_log_pipe_topology_update\n\n[WHY]\nWhen switching from \"Extend\" to \"Second Display Only\" we sometimes\ncall resource_get_otg_master_for_stream on a stream for the eDP,\nwhich is disconnected. This leads to a null pointer dereference.\n\n[HOW]\nAdded a null check in dc_resource.c/resource_log_pipe_topology_update.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43886" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43889", + "dataSource": "https://ubuntu.com/security/CVE-2024-43889", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43889" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43889", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43889", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/6d45e1c948a8b7ed6ceddb14319af69424db730c", + "https://git.kernel.org/stable/c/8f5ffd2af7274853ff91d6cd62541191d9fbd10d", + "https://git.kernel.org/stable/c/924f788c906dccaca30acab86c7124371e1d6f2c", + "https://git.kernel.org/stable/c/a29cfcb848c31f22b4de6a531c3e1d68c9bfe09f", + "https://git.kernel.org/stable/c/ab8b397d5997d8c37610252528edc54bebf9f6d3", + "https://git.kernel.org/stable/c/da0ffe84fcc1627a7dff82c80b823b94236af905" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix possible divide-by-0 panic in padata_mt_helper()\n\nWe are hit with a not easily reproducible divide-by-0 panic in padata.c at\nbootup time.\n\n [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI\n [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1\n [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021\n [ 10.017908] Workqueue: events_unbound padata_mt_helper\n [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0\n :\n [ 10.017963] Call Trace:\n [ 10.017968] \n [ 10.018004] ? padata_mt_helper+0x39/0xb0\n [ 10.018084] process_one_work+0x174/0x330\n [ 10.018093] worker_thread+0x266/0x3a0\n [ 10.018111] kthread+0xcf/0x100\n [ 10.018124] ret_from_fork+0x31/0x50\n [ 10.018138] ret_from_fork_asm+0x1a/0x30\n [ 10.018147] \n\nLooking at the padata_mt_helper() function, the only way a divide-by-0\npanic can happen is when ps->chunk_size is 0. The way that chunk_size is\ninitialized in padata_do_multithreaded(), chunk_size can be 0 when the\nmin_chunk in the passed-in padata_mt_job structure is 0.\n\nFix this divide-by-0 panic by making sure that chunk_size will be at least\n1 no matter what the input parameters are.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43889" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43890", + "dataSource": "https://ubuntu.com/security/CVE-2024-43890", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43890" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43890", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43890", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/236bb4690773ab6869b40bedc7bc8d889e36f9d6", + "https://git.kernel.org/stable/c/302ceb625d7b990db205a15e371f9a71238de91c", + "https://git.kernel.org/stable/c/788ea62499b3c18541fd6d621964d8fafbc4aec5", + "https://git.kernel.org/stable/c/a172c7b22bc2feaf489cfc6d6865f7237134fdf8", + "https://git.kernel.org/stable/c/bcf86c01ca4676316557dd482c8416ece8c2e143", + "https://git.kernel.org/stable/c/cd10d186a5409a1fe6e976df82858e9773a698da", + "https://git.kernel.org/stable/c/d3e4dbc2858fe85d1dbd2e72a9fc5dea988b5c18", + "https://git.kernel.org/stable/c/eb223bf01e688dfe37e813c8988ee11c8c9f8d0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix overflow in get_free_elt()\n\n\"tracing_map->next_elt\" in get_free_elt() is at risk of overflowing.\n\nOnce it overflows, new elements can still be inserted into the tracing_map\neven though the maximum number of elements (`max_elts`) has been reached.\nContinuing to insert elements after the overflow could result in the\ntracing_map containing \"tracing_map->max_size\" elements, leaving no empty\nentries.\nIf any attempt is made to insert an element into a full tracing_map using\n`__tracing_map_insert()`, it will cause an infinite loop with preemption\ndisabled, leading to a CPU hang problem.\n\nFix this by preventing any further increments to \"tracing_map->next_elt\"\nonce it reaches \"tracing_map->max_elt\".", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43890" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43892", + "dataSource": "https://ubuntu.com/security/CVE-2024-43892", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43892" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43892", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43892", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/37a060b64ae83b76600d187d76591ce488ab836b", + "https://git.kernel.org/stable/c/51c0b1bb7541f8893ec1accba59eb04361a70946", + "https://git.kernel.org/stable/c/9972605a238339b85bd16b084eed5f18414d22db" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg: protect concurrent access to mem_cgroup_idr\n\nCommit 73f576c04b94 (\"mm: memcontrol: fix cgroup creation failure after\nmany small jobs\") decoupled the memcg IDs from the CSS ID space to fix the\ncgroup creation failures. It introduced IDR to maintain the memcg ID\nspace. The IDR depends on external synchronization mechanisms for\nmodifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace()\nhappen within css callback and thus are protected through cgroup_mutex\nfrom concurrent modifications. However idr_remove() for mem_cgroup_idr\nwas not protected against concurrency and can be run concurrently for\ndifferent memcgs when they hit their refcnt to zero. Fix that.\n\nWe have been seeing list_lru based kernel crashes at a low frequency in\nour fleet for a long time. These crashes were in different part of\nlist_lru code including list_lru_add(), list_lru_del() and reparenting\ncode. Upon further inspection, it looked like for a given object (dentry\nand inode), the super_block's list_lru didn't have list_lru_one for the\nmemcg of that object. The initial suspicions were either the object is\nnot allocated through kmem_cache_alloc_lru() or somehow\nmemcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but\nreturned success. No evidence were found for these cases.\n\nLooking more deeply, we started seeing situations where valid memcg's id\nis not present in mem_cgroup_idr and in some cases multiple valid memcgs\nhave same id and mem_cgroup_idr is pointing to one of them. So, the most\nreasonable explanation is that these situations can happen due to race\nbetween multiple idr_remove() calls or race between\nidr_alloc()/idr_replace() and idr_remove(). These races are causing\nmultiple memcgs to acquire the same ID and then offlining of one of them\nwould cleanup list_lrus on the system for all of them. Later access from\nother memcgs to the list_lru cause crashes due to missing list_lru_one.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43892" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43893", + "dataSource": "https://ubuntu.com/security/CVE-2024-43893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43893" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43893", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3bbd90fca824e6fd61fb20f6dd2b0fa5f8b14bba", + "https://git.kernel.org/stable/c/52b138f1021113e593ee6ad258ce08fe90693a9e", + "https://git.kernel.org/stable/c/55b2a5d331a6ceb1c4372945fdb77181265ba24f", + "https://git.kernel.org/stable/c/68dc02f319b9ee54dc23caba742a5c754d1cccc8", + "https://git.kernel.org/stable/c/6eabce6608d6f3440f4c03aa3d3ef50a47a3d193", + "https://git.kernel.org/stable/c/9196e42a3b8eeff1707e6ef769112b4b6096be49", + "https://git.kernel.org/stable/c/e13ba3fe5ee070f8a9dab60029d52b1f61da5051", + "https://git.kernel.org/stable/c/e3ad503876283ac3fcca922a1bf243ef9eb0b0e2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: check uartclk for zero to avoid divide by zero\n\nCalling ioctl TIOCSSERIAL with an invalid baud_base can\nresult in uartclk being zero, which will result in a\ndivide by zero error in uart_get_divisor(). The check for\nuartclk being zero in uart_set_info() needs to be done\nbefore other settings are made as subsequent calls to\nioctl TIOCSSERIAL for the same port would be impacted if\nthe uartclk check was done where uartclk gets set.\n\nOops: divide error: 0000 PREEMPT SMP KASAN PTI\nRIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580)\nCall Trace:\n \nserial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576\n drivers/tty/serial/8250/8250_port.c:2589)\nserial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502\n drivers/tty/serial/8250/8250_port.c:2741)\nserial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862)\nuart_change_line_settings (./include/linux/spinlock.h:376\n ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222)\nuart_port_startup (drivers/tty/serial/serial_core.c:342)\nuart_startup (drivers/tty/serial/serial_core.c:368)\nuart_set_info (drivers/tty/serial/serial_core.c:1034)\nuart_set_info_user (drivers/tty/serial/serial_core.c:1059)\ntty_set_serial (drivers/tty/tty_io.c:2637)\ntty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791)\n__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907\n fs/ioctl.c:893 fs/ioctl.c:893)\ndo_syscall_64 (arch/x86/entry/common.c:52\n (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nRule: add", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43894", + "dataSource": "https://ubuntu.com/security/CVE-2024-43894", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43894" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43894", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43894", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/113fd6372a5bb3689aba8ef5b8a265ed1529a78f", + "https://git.kernel.org/stable/c/24ddda932c43ffe156c7f3c568bed85131c63ae6", + "https://git.kernel.org/stable/c/5291d4f73452c91e8a11f71207617e3e234d418e", + "https://git.kernel.org/stable/c/612cae53e99ce32a58cb821b3b67199eb6e92dff", + "https://git.kernel.org/stable/c/c763dfe09425152b6bb0e348900a637c62c2ce52", + "https://git.kernel.org/stable/c/d64847c383100423aecb6ac5f18be5f4316d9d62", + "https://git.kernel.org/stable/c/d64fc94f7bb24fc2be0d6bd5df8df926da461a6d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: fix null pointer dereference in drm_client_modeset_probe\n\nIn drm_client_modeset_probe(), the return value of drm_mode_duplicate() is\nassigned to modeset->mode, which will lead to a possible NULL pointer\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43894" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43895", + "dataSource": "https://ubuntu.com/security/CVE-2024-43895", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43895" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43895", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43895", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/282f0a482ee61d5e863512f3c4fcec90216c20d9", + "https://git.kernel.org/stable/c/50e376f1fe3bf571d0645ddf48ad37eb58323919", + "https://git.kernel.org/stable/c/70275bb960c71d313254473d38c14e7101cee5ad", + "https://git.kernel.org/stable/c/718d83f66fb07b2cab89a1fc984613a00e3db18f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip Recompute DSC Params if no Stream on Link\n\n[why]\nEncounter NULL pointer dereference uner mst + dsc setup.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\n Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\n RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\n Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\n RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\n RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\n RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\n R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\n R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\n FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\n Call Trace:\n\n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n\n[how]\ndsc recompute should be skipped if no mode change detected on the new\nrequest. If detected, keep checking whether the stream is already on\ncurrent state or not.\n\n(cherry picked from commit 8151a6c13111b465dbabe07c19f572f7cbd16fef)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43895" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43898", + "dataSource": "https://ubuntu.com/security/CVE-2024-43898", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43898" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43898", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43898", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e", + "https://git.kernel.org/stable/c/83f4414b8f84249d538905825b088ff3ae555652", + "https://git.kernel.org/stable/c/f619876ccbfd329ae785fe5d3289b9dcd6eb5901" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: sanity check for NULL pointer after ext4_force_shutdown\n\nTest case: 2 threads write short inline data to a file.\nIn ext4_page_mkwrite the resulting inline data is converted.\nHandling ext4_grp_locked_error with description \"block bitmap\nand bg descriptor inconsistent: X vs Y free clusters\" calls\next4_force_shutdown. The conversion clears\nEXT4_STATE_MAY_INLINE_DATA but fails for\next4_destroy_inline_data_nolock and ext4_mark_iloc_dirty due\nto ext4_forced_shutdown. The restoration of inline data fails\nfor the same reason not setting EXT4_STATE_MAY_INLINE_DATA.\nWithout the flag set a regular process path in ext4_da_write_end\nfollows trying to dereference page folio private pointer that has\nnot been set. The fix calls early return with -EIO error shall the\npointer to private be NULL.\n\nSample crash report:\n\nUnable to handle kernel paging request at virtual address dfff800000000004\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nMem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[dfff800000000004] address between user and kernel address ranges\nInternal error: Oops: 0000000096000005 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 20274 Comm: syz-executor185 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\nlr : __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160\nsp : ffff8000a1957600\nx29: ffff8000a1957610 x28: dfff800000000000 x27: ffff0000e30e34b0\nx26: 0000000000000000 x25: dfff800000000000 x24: dfff800000000000\nx23: fffffdffc397c9e0 x22: 0000000000000020 x21: 0000000000000020\nx20: 0000000000000040 x19: fffffdffc397c9c0 x18: 1fffe000367bd196\nx17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0\nx14: 1fffe0001cbe4e04 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000004 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : fffffdffc397c9c0 x4 : 0000000000000020 x3 : 0000000000000020\nx2 : 0000000000000040 x1 : 0000000000000020 x0 : fffffdffc397c9c0\nCall trace:\n __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\n block_write_end+0xb4/0x104 fs/buffer.c:2253\n ext4_da_do_write_end fs/ext4/inode.c:2955 [inline]\n ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028\n generic_perform_write+0x394/0x588 mm/filemap.c:3985\n ext4_buffered_write_iter+0x2c0/0x4ec fs/ext4/file.c:299\n ext4_file_write_iter+0x188/0x1780\n call_write_iter include/linux/fs.h:2110 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x968/0xc3c fs/read_write.c:590\n ksys_write+0x15c/0x26c fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:652\n __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\nCode: 97f85911 f94002da 91008356 d343fec8 (38796908)\n---[ end trace 0000000000000000 ]---\n----------------\nCode disassembly (best guess):\n 0:\t97f85911 \tbl\t0xffffffffffe16444\n 4:\tf94002da \tldr\tx26, [x22]\n 8:\t91008356 \tadd\tx22, x26, #0x20\n c:\td343fec8 \tlsr\tx8, x22, #3\n* 10:\t38796908 \tldrb\tw8, [x8, x25] <-- trapping instruction", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43898" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43899", + "dataSource": "https://ubuntu.com/security/CVE-2024-43899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43899", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/974fccd61758599a9716c4b909d9226749efe37e", + "https://git.kernel.org/stable/c/ecbf60782662f0a388493685b85a645a0ba1613c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix null pointer deref in dcn20_resource.c\n\nFixes a hang thats triggered when MPV is run on a DCN401 dGPU:\n\nmpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all\n\nand then enabling fullscreen playback (double click on the video)\n\nThe following calltrace will be seen:\n\n[ 181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 181.843997] #PF: supervisor instruction fetch in kernel mode\n[ 181.844003] #PF: error_code(0x0010) - not-present page\n[ 181.844009] PGD 0 P4D 0\n[ 181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ 181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu\n[ 181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018\n[ 181.844044] RIP: 0010:0x0\n[ 181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[ 181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246\n[ 181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004\n[ 181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400\n[ 181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c\n[ 181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8\n[ 181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005\n[ 181.844121] FS: 00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000\n[ 181.844128] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0\n[ 181.844141] Call Trace:\n[ 181.844146] \n[ 181.844153] ? show_regs+0x6d/0x80\n[ 181.844167] ? __die+0x24/0x80\n[ 181.844179] ? page_fault_oops+0x99/0x1b0\n[ 181.844192] ? do_user_addr_fault+0x31d/0x6b0\n[ 181.844204] ? exc_page_fault+0x83/0x1b0\n[ 181.844216] ? asm_exc_page_fault+0x27/0x30\n[ 181.844237] dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu]\n[ 181.845115] amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu]\n[ 181.845985] amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu]\n[ 181.846848] fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu]\n[ 181.847734] fill_dc_plane_attributes+0x162/0x350 [amdgpu]\n[ 181.848748] dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\n[ 181.849791] ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\n[ 181.850840] amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43900", + "dataSource": "https://ubuntu.com/security/CVE-2024-43900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43900" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43900", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/208deb6d8c3cb8c3acb1f41eb31cf68ea08726d5", + "https://git.kernel.org/stable/c/68594cec291ff9523b9feb3f43fd853dcddd1f60", + "https://git.kernel.org/stable/c/850304152d367f104d21c77cfbcc05806504218b", + "https://git.kernel.org/stable/c/ef517bdfc01818419f7bd426969a0c86b14f3e0e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: xc2028: avoid use-after-free in load_firmware_cb()\n\nsyzkaller reported use-after-free in load_firmware_cb() [1].\nThe reason is because the module allocated a struct tuner in tuner_probe(),\nand then the module initialization failed, the struct tuner was released.\nA worker which created during module initialization accesses this struct\ntuner later, it caused use-after-free.\n\nThe process is as follows:\n\ntask-6504 worker_thread\ntuner_probe <= alloc dvb_frontend [2]\n...\nrequest_firmware_nowait <= create a worker\n...\ntuner_remove <= free dvb_frontend\n...\n request_firmware_work_func <= the firmware is ready\n load_firmware_cb <= but now the dvb_frontend has been freed\n\nTo fix the issue, check the dvd_frontend in load_firmware_cb(), if it is\nnull, report a warning and just return.\n\n[1]:\n ==================================================================\n BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0\n Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504\n\n Call trace:\n load_firmware_cb+0x1310/0x17a0\n request_firmware_work_func+0x128/0x220\n process_one_work+0x770/0x1824\n worker_thread+0x488/0xea0\n kthread+0x300/0x430\n ret_from_fork+0x10/0x20\n\n Allocated by task 6504:\n kzalloc\n tuner_probe+0xb0/0x1430\n i2c_device_probe+0x92c/0xaf0\n really_probe+0x678/0xcd0\n driver_probe_device+0x280/0x370\n __device_attach_driver+0x220/0x330\n bus_for_each_drv+0x134/0x1c0\n __device_attach+0x1f4/0x410\n device_initial_probe+0x20/0x30\n bus_probe_device+0x184/0x200\n device_add+0x924/0x12c0\n device_register+0x24/0x30\n i2c_new_device+0x4e0/0xc44\n v4l2_i2c_new_subdev_board+0xbc/0x290\n v4l2_i2c_new_subdev+0xc8/0x104\n em28xx_v4l2_init+0x1dd0/0x3770\n\n Freed by task 6504:\n kfree+0x238/0x4e4\n tuner_remove+0x144/0x1c0\n i2c_device_remove+0xc8/0x290\n __device_release_driver+0x314/0x5fc\n device_release_driver+0x30/0x44\n bus_remove_device+0x244/0x490\n device_del+0x350/0x900\n device_unregister+0x28/0xd0\n i2c_unregister_device+0x174/0x1d0\n v4l2_device_unregister+0x224/0x380\n em28xx_v4l2_init+0x1d90/0x3770\n\n The buggy address belongs to the object at ffff8000d7ca2000\n which belongs to the cache kmalloc-2k of size 2048\n The buggy address is located 776 bytes inside of\n 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)\n The buggy address belongs to the page:\n page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0\n flags: 0x7ff800000000100(slab)\n raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000\n raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\n[2]\n Actually, it is allocated for struct tuner, and dvb_frontend is inside.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43901", + "dataSource": "https://ubuntu.com/security/CVE-2024-43901", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43901" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43901", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43901", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351", + "https://git.kernel.org/stable/c/5af757124792817f8eb1bd0c80ad60fab519586b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\n\nWhen users run the command:\n\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\n\nThe following NULL pointer dereference happens:\n\n[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL\n[ +0.000005] #PF: supervisor instruction fetch in kernel mode\n[ +0.000002] #PF: error_code(0x0010) - not-present page\n[ +0.000002] PGD 0 P4D 0\n[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ +0.000003] RIP: 0010:0x0\n[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[...]\n[ +0.000002] PKRU: 55555554\n[ +0.000002] Call Trace:\n[ +0.000002] \n[ +0.000003] ? show_regs+0x65/0x70\n[ +0.000006] ? __die+0x24/0x70\n[ +0.000004] ? page_fault_oops+0x160/0x470\n[ +0.000006] ? do_user_addr_fault+0x2b5/0x690\n[ +0.000003] ? prb_read_valid+0x1c/0x30\n[ +0.000005] ? exc_page_fault+0x8c/0x1a0\n[ +0.000005] ? asm_exc_page_fault+0x27/0x30\n[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]\n[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? vsnprintf+0x2fb/0x600\n[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\n[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170\n[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? debug_smp_processor_id+0x17/0x20\n[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? set_ptes.isra.0+0x2b/0x90\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? _raw_spin_unlock+0x19/0x40\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? do_anonymous_page+0x337/0x700\n[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]\n[ +0.000207] full_proxy_read+0x66/0x90\n[ +0.000007] vfs_read+0xb0/0x340\n[ +0.000005] ? __count_memcg_events+0x79/0xe0\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40\n[ +0.000003] ? handle_mm_fault+0xb2/0x370\n[ +0.000003] ksys_read+0x6b/0xf0\n[ +0.000004] __x64_sys_read+0x19/0x20\n[ +0.000003] do_syscall_64+0x60/0x130\n[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ +0.000003] RIP: 0033:0x7fdf32f147e2\n[...]\n\nThis error happens when the color log tries to read the gamut remap\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\nwhich leads to a null pointer dereference. This commit addresses this\nissue by adding a proper guard to access the gamut_remap callback in\ncase the specific ASIC did not implement this function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43901" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43902", + "dataSource": "https://ubuntu.com/security/CVE-2024-43902", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43902" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43902", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43902", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1686675405d07f35eae7ff3d13a530034b899df2", + "https://git.kernel.org/stable/c/4cc2a94d96caeb3c975acdae7351c2f997c32175", + "https://git.kernel.org/stable/c/8092aa3ab8f7b737a34b71f91492c676a843043a", + "https://git.kernel.org/stable/c/83c7f509ef087041604e9572938f82e18b724c9d", + "https://git.kernel.org/stable/c/d0b8b23b9c2ebec693a36fea518d8f13493ad655" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null checker before passing variables\n\nChecks null pointer before passing variables to functions.\n\nThis fixes 3 NULL_RETURNS issues reported by Coverity.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43902" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43903", + "dataSource": "https://ubuntu.com/security/CVE-2024-43903", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43903" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43903", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43903", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/31a679a880102dee6e10985a7b1789af8dc328cc", + "https://git.kernel.org/stable/c/38e6f715b02b572f74677eb2f29d3b4bc6f1ddff", + "https://git.kernel.org/stable/c/94220b35aeba2b68da81deeefbb784d94eeb5c04", + "https://git.kernel.org/stable/c/ce5d090af683137cb779ed7e3683839f9c778b35" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update\n\nThis commit adds a null check for the 'afb' variable in the\namdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was\nassumed to be null, but was used later in the code without a null check.\nThis could potentially lead to a null pointer dereference.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43903" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43904", + "dataSource": "https://ubuntu.com/security/CVE-2024-43904", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43904" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43904", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43904", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/15c2990e0f0108b9c3752d7072a97d45d4283aea", + "https://git.kernel.org/stable/c/16a8a2a839d19c4cf7253642b493ffb8eee1d857" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing\n\nThis commit adds null checks for the 'stream' and 'plane' variables in\nthe dcn30_apply_idle_power_optimizations function. These variables were\npreviously assumed to be null at line 922, but they were used later in\nthe code without checking if they were null. This could potentially lead\nto a null pointer dereference, which would cause a crash.\n\nThe null checks ensure that 'stream' and 'plane' are not null before\nthey are used, preventing potential crashes.\n\nFixes the below static smatch checker:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922)\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43904" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43905", + "dataSource": "https://ubuntu.com/security/CVE-2024-43905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43905" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43905", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2e538944996d0dd497faf8ee81f8bfcd3aca7d80", + "https://git.kernel.org/stable/c/50151b7f1c79a09117837eb95b76c2de76841dab", + "https://git.kernel.org/stable/c/69a441473fec2fc2aa2cf56122d6c42c4266a239", + "https://git.kernel.org/stable/c/c2629daf218a325f4d69754452cd42fe8451c15b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Fix the null pointer dereference for vega10_hwmgr\n\nCheck return value and conduct null pointer handling to avoid null pointer dereference.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43906", + "dataSource": "https://ubuntu.com/security/CVE-2024-43906", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43906" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43906", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43906", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/030ffd4d43b433bc6671d9ec34fc12c59220b95d", + "https://git.kernel.org/stable/c/4fd52f7c2c11d330571c6bde06e5ea508ec25c9d", + "https://git.kernel.org/stable/c/641dac64178ccdb9e45c92b67120316896294d05" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/admgpu: fix dereferencing null pointer context\n\nWhen user space sets an invalid ta type, the pointer context will be empty.\nSo it need to check the pointer context before using it", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43906" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43907", + "dataSource": "https://ubuntu.com/security/CVE-2024-43907", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43907" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43907", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43907", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0c065e50445aea2e0a1815f12e97ee49e02cbaac", + "https://git.kernel.org/stable/c/13937a40aae4efe64592ba48c057ac3c72f7fe82", + "https://git.kernel.org/stable/c/3a01bf2ca9f860fdc88c358567b8fa3033efcf30", + "https://git.kernel.org/stable/c/c1749313f35b98e2e655479f037db37f19756622", + "https://git.kernel.org/stable/c/d19fb10085a49b77578314f69fff21562f7cd054", + "https://git.kernel.org/stable/c/e04d18c29954441aa1054af649f957ffad90a201" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules\n\nCheck the pointer value to fix potential null pointer\ndereference", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43907" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43908", + "dataSource": "https://ubuntu.com/security/CVE-2024-43908", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43908" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43908", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43908", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/033187a70ba9743c73a810a006816e5553d1e7d4", + "https://git.kernel.org/stable/c/48cada0ac79e4775236d642e9ec5998a7c7fb7a4", + "https://git.kernel.org/stable/c/4c11d30c95576937c6c35e6f29884761f2dddb43", + "https://git.kernel.org/stable/c/56e848034ccabe44e8f22ffcf49db771c17b0d0a", + "https://git.kernel.org/stable/c/b89616333979114bb0da5fa40fb6e4a2f5294ca2", + "https://git.kernel.org/stable/c/d81c1eeb333d84b3012a91c0500189dc1d71e46c", + "https://git.kernel.org/stable/c/ff5c4eb71ee8951c789b079f6e948f86708b04ed" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix the null pointer dereference to ras_manager\n\nCheck ras_manager before using it", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43908" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43909", + "dataSource": "https://ubuntu.com/security/CVE-2024-43909", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43909" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43909", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43909", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/09544cd95c688d3041328a4253bd7514972399bb", + "https://git.kernel.org/stable/c/1b8aa82b80bd947b68a8ab051d960a0c7935e22d", + "https://git.kernel.org/stable/c/37b9df457cbcf095963d18f17d6cb7dfa0a03fce", + "https://git.kernel.org/stable/c/7f56f050f02c27ed89cce1ea0c04b34abce32751", + "https://git.kernel.org/stable/c/c02c1960c93eede587576625a1221205a68a904f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix the null pointer dereference for smu7\n\noptimize the code to avoid pass a null pointer (hwmgr->backend)\nto function smu7_update_edc_leakage_table.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43909" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43910", + "dataSource": "https://ubuntu.com/security/CVE-2024-43910", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43910" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43910", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43910", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13663a7c644bf1dedaf461d07252db5d76c8759a", + "https://git.kernel.org/stable/c/ec2b9a5e11e51fea1bb04c1e7e471952e887e874" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses\n\nCurrently, it's possible to pass in a modified CONST_PTR_TO_DYNPTR to\na global function as an argument. The adverse effects of this is that\nBPF helpers can continue to make use of this modified\nCONST_PTR_TO_DYNPTR from within the context of the global function,\nwhich can unintentionally result in out-of-bounds memory accesses and\ntherefore compromise overall system stability i.e.\n\n[ 244.157771] BUG: KASAN: slab-out-of-bounds in bpf_dynptr_data+0x137/0x140\n[ 244.161345] Read of size 8 at addr ffff88810914be68 by task test_progs/302\n[ 244.167151] CPU: 0 PID: 302 Comm: test_progs Tainted: G O E 6.10.0-rc3-00131-g66b586715063 #533\n[ 244.174318] Call Trace:\n[ 244.175787] \n[ 244.177356] dump_stack_lvl+0x66/0xa0\n[ 244.179531] print_report+0xce/0x670\n[ 244.182314] ? __virt_addr_valid+0x200/0x3e0\n[ 244.184908] kasan_report+0xd7/0x110\n[ 244.187408] ? bpf_dynptr_data+0x137/0x140\n[ 244.189714] ? bpf_dynptr_data+0x137/0x140\n[ 244.192020] bpf_dynptr_data+0x137/0x140\n[ 244.194264] bpf_prog_b02a02fdd2bdc5fa_global_call_bpf_dynptr_data+0x22/0x26\n[ 244.198044] bpf_prog_b0fe7b9d7dc3abde_callback_adjust_bpf_dynptr_reg_off+0x1f/0x23\n[ 244.202136] bpf_user_ringbuf_drain+0x2c7/0x570\n[ 244.204744] ? 0xffffffffc0009e58\n[ 244.206593] ? __pfx_bpf_user_ringbuf_drain+0x10/0x10\n[ 244.209795] bpf_prog_33ab33f6a804ba2d_user_ringbuf_callback_const_ptr_to_dynptr_reg_off+0x47/0x4b\n[ 244.215922] bpf_trampoline_6442502480+0x43/0xe3\n[ 244.218691] __x64_sys_prlimit64+0x9/0xf0\n[ 244.220912] do_syscall_64+0xc1/0x1d0\n[ 244.223043] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 244.226458] RIP: 0033:0x7ffa3eb8f059\n[ 244.228582] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48\n[ 244.241307] RSP: 002b:00007ffa3e9c6eb8 EFLAGS: 00000206 ORIG_RAX: 000000000000012e\n[ 244.246474] RAX: ffffffffffffffda RBX: 00007ffa3e9c7cdc RCX: 00007ffa3eb8f059\n[ 244.250478] RDX: 00007ffa3eb162b4 RSI: 0000000000000000 RDI: 00007ffa3e9c7fb0\n[ 244.255396] RBP: 00007ffa3e9c6ed0 R08: 00007ffa3e9c76c0 R09: 0000000000000000\n[ 244.260195] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffff80\n[ 244.264201] R13: 000000000000001c R14: 00007ffc5d6b4260 R15: 00007ffa3e1c7000\n[ 244.268303] \n\nAdd a check_func_arg_reg_off() to the path in which the BPF verifier\nverifies the arguments of global function arguments, specifically\nthose which take an argument of type ARG_PTR_TO_DYNPTR |\nMEM_RDONLY. Also, process_dynptr_func() doesn't appear to perform any\nexplicit and strict type matching on the supplied register type, so\nlet's also enforce that a register either type PTR_TO_STACK or\nCONST_PTR_TO_DYNPTR is by the caller.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43910" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43911", + "dataSource": "https://ubuntu.com/security/CVE-2024-43911", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43911" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43911", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43911", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/021d53a3d87eeb9dbba524ac515651242a2a7e3b", + "https://git.kernel.org/stable/c/a5594c1e03b0df3908b1e1202a1ba34422eed0f6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\n\nIn MLD connection, link_data/link_conf are dynamically allocated. They\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\nht_supported/vht_supported/has_he/has_eht on sta deflink.\n\nCrash log (with rtw89 version under MLO development):\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 9890.526102] #PF: supervisor read access in kernel mode\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\n[ 9890.526109] PGD 0 P4D 0\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\nAll code\n========\n 0:\tf7 e8 \timul %eax\n 2:\td5 \t(bad)\n 3:\t93 \txchg %eax,%ebx\n 4:\t3e ea \tds (bad)\n 6:\t48 83 c4 28 \tadd $0x28,%rsp\n a:\t89 d8 \tmov %ebx,%eax\n c:\t5b \tpop %rbx\n d:\t41 5c \tpop %r12\n f:\t41 5d \tpop %r13\n 11:\t41 5e \tpop %r14\n 13:\t41 5f \tpop %r15\n 15:\t5d \tpop %rbp\n 16:\tc3 \tretq\n 17:\tcc \tint3\n 18:\tcc \tint3\n 19:\tcc \tint3\n 1a:\tcc \tint3\n 1b:\t49 8b 84 24 e0 f1 ff \tmov -0xe20(%r12),%rax\n 22:\tff\n 23:\t48 8b 80 90 1b 00 00 \tmov 0x1b90(%rax),%rax\n 2a:*\t83 38 03 \tcmpl $0x3,(%rax)\t\t<-- trapping instruction\n 2d:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe6a\n 33:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n 38:\teb cc \tjmp 0x6\n 3a:\t49 \trex.WB\n 3b:\t8b \t.byte 0x8b\n 3c:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 3f:\tf3 \trepz\n\nCode starting with the faulting instruction\n===========================================\n 0:\t83 38 03 \tcmpl $0x3,(%rax)\n 3:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe40\n 9:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n e:\teb cc \tjmp 0xffffffffffffffdc\n 10:\t49 \trex.WB\n 11:\t8b \t.byte 0x8b\n 12:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 15:\tf3 \trepz\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\n[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\n[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\n[ 9890.526321] Call Trace:\n[ 9890.526324] \n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43911" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43912", + "dataSource": "https://ubuntu.com/security/CVE-2024-43912", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43912" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43912", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43912", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/23daf1b4c91db9b26f8425cc7039cf96d22ccbfe", + "https://git.kernel.org/stable/c/3d42f2125f6c89e1e71c87b9f23412afddbba45e", + "https://git.kernel.org/stable/c/ac3bf6e47fd8da9bfe8027e1acfe0282a91584fc", + "https://git.kernel.org/stable/c/c6ea738e3feb407a3283197d9a25d0788f4f3cee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: disallow setting special AP channel widths\n\nSetting the AP channel width is meant for use with the normal\n20/40/... MHz channel width progression, and switching around\nin S1G or narrow channels isn't supported. Disallow that.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43912" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43913", + "dataSource": "https://ubuntu.com/security/CVE-2024-43913", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43913" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43913", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43913", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/b9ecbfa45516182cd062fecd286db7907ba84210", + "https://git.kernel.org/stable/c/d59c4d0eb6adc24c2201f153ccb7fd0a335b0d3d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: apple: fix device reference counting\n\nDrivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl.\nSplit the allocation side out to make the error handling boundary easier\nto navigate. The apple driver had been doing this wrong, leaking the\ncontroller device memory on a tagset failure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43913" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43914", + "dataSource": "https://ubuntu.com/security/CVE-2024-43914", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43914" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43914", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43914", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c92f8c1c456d556f15cbf51667b385026b2e6a0", + "https://git.kernel.org/stable/c/305a5170dc5cf3d395bb4c4e9239bca6d0b54b49", + "https://git.kernel.org/stable/c/3b33740c1750a39e046339ff9240e954f0156707", + "https://git.kernel.org/stable/c/4811d6e5d9f4090c3e0ff9890eb24077108046ab", + "https://git.kernel.org/stable/c/6b33c468d543f6a83de2d61f09fec74b27e19fd2", + "https://git.kernel.org/stable/c/775a9ba16c9ffe98fe54ebf14e55d5660f2bf600", + "https://git.kernel.org/stable/c/bf0ff69a42a3d2d46876d0514ecf13dffc516666", + "https://git.kernel.org/stable/c/c384dd4f1fb3b14a2fd199360701cc163ea88705" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: avoid BUG_ON() while continue reshape after reassembling\n\nCurrently, mdadm support --revert-reshape to abort the reshape while\nreassembling, as the test 07revert-grow. However, following BUG_ON()\ncan be triggerred by the test:\n\nkernel BUG at drivers/md/raid5.c:6278!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nirq event stamp: 158985\nCPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94\nRIP: 0010:reshape_request+0x3f1/0xe60\nCall Trace:\n \n raid5_sync_request+0x43d/0x550\n md_do_sync+0xb7a/0x2110\n md_thread+0x294/0x2b0\n kthread+0x147/0x1c0\n ret_from_fork+0x59/0x70\n ret_from_fork_asm+0x1a/0x30\n \n\nRoot cause is that --revert-reshape update the raid_disks from 5 to 4,\nwhile reshape position is still set, and after reassembling the array,\nreshape position will be read from super block, then during reshape the\nchecking of 'writepos' that is caculated by old reshape position will\nfail.\n\nFix this panic the easy way first, by converting the BUG_ON() to\nWARN_ON(), and stop the reshape if checkings fail.\n\nNoted that mdadm must fix --revert-shape as well, and probably md/raid\nshould enhance metadata validation as well, however this means\nreassemble will fail and there must be user tools to fix the wrong\nmetadata.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43914" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44931", + "dataSource": "https://ubuntu.com/security/CVE-2024-44931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44931" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44931", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b955f786a4bcde8c0ccb2b7d519def2acb6f3cc", + "https://git.kernel.org/stable/c/d776c0486b03a5c4afca65b8ff44573592bf93bb", + "https://git.kernel.org/stable/c/d795848ecce24a75dfd46481aee066ae6fe39775" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: prevent potential speculation leaks in gpio_device_get_desc()\n\nUserspace may trigger a speculative read of an address outside the gpio\ndescriptor array.\nUsers can do that by calling gpio_ioctl() with an offset out of range.\nOffset is copied from user and then used as an array index to get\nthe gpio descriptor without sanitization in gpio_device_get_desc().\n\nThis change ensures that the offset is sanitized by using\narray_index_nospec() to mitigate any possibility of speculative\ninformation leaks.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44934", + "dataSource": "https://ubuntu.com/security/CVE-2024-44934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44934" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44934", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f", + "https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f", + "https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078", + "https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658", + "https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mcast: wait for previous gc cycles when removing port\n\nsyzbot hit a use-after-free[1] which is caused because the bridge doesn't\nmake sure that all previous garbage has been collected when removing a\nport. What happens is:\n CPU 1 CPU 2\n start gc cycle remove port\n acquire gc lock first\n wait for lock\n call br_multicasg_gc() directly\n acquire lock now but free port\n the port can be freed\n while grp timers still\n running\n\nMake sure all previous gc cycles have finished by using flush_work before\nfreeing the port.\n\n[1]\n BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699\n\n CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n Call Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792\n expire_timers kernel/time/timer.c:1843 [inline]\n __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417\n __run_timer_base kernel/time/timer.c:2428 [inline]\n __run_timer_base kernel/time/timer.c:2421 [inline]\n run_timer_base+0x111/0x190 kernel/time/timer.c:2437", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44935", + "dataSource": "https://ubuntu.com/security/CVE-2024-44935", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44935" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44935", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44935", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/05e4a0fa248240efd99a539853e844f0f0a9e6a5", + "https://git.kernel.org/stable/c/1407be30fc17eff918a98e0a990c0e988f11dc84", + "https://git.kernel.org/stable/c/52319d9d2f522ed939af31af70f8c3a0f0f67e6c", + "https://git.kernel.org/stable/c/54b303d8f9702b8ab618c5032fae886b16356928", + "https://git.kernel.org/stable/c/9ab0faa7f9ffe31296dbb9bbe6f76c72c14eea18", + "https://git.kernel.org/stable/c/c9b3fc4f157867e858734e31022ebee8a24f0de7", + "https://git.kernel.org/stable/c/e809a84c802377ef61525a298a1ec1728759b913" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix null-ptr-deref in reuseport_add_sock().\n\nsyzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in\nreuseport_add_sock(). [0]\n\nThe repro first creates a listener with SO_REUSEPORT. Then, it creates\nanother listener on the same port and concurrently closes the first\nlistener.\n\nThe second listen() calls reuseport_add_sock() with the first listener as\nsk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently,\nbut the close() does clear it by reuseport_detach_sock().\n\nThe problem is SCTP does not properly synchronise reuseport_alloc(),\nreuseport_add_sock(), and reuseport_detach_sock().\n\nThe caller of reuseport_alloc() and reuseport_{add,detach}_sock() must\nprovide synchronisation for sockets that are classified into the same\nreuseport group.\n\nOtherwise, such sockets form multiple identical reuseport groups, and\nall groups except one would be silently dead.\n\n 1. Two sockets call listen() concurrently\n 2. No socket in the same group found in sctp_ep_hashtable[]\n 3. Two sockets call reuseport_alloc() and form two reuseport groups\n 4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives\n incoming packets\n\nAlso, the reported null-ptr-deref could occur.\n\nTCP/UDP guarantees that would not happen by holding the hash bucket lock.\n\nLet's apply the locking strategy to __sctp_hash_endpoint() and\n__sctp_unhash_endpoint().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024\nRIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350\nCode: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14\nRSP: 0018:ffffc9000b947c98 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012\nRBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385\nR10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0\nR13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n __sctp_hash_endpoint net/sctp/input.c:762 [inline]\n sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790\n sctp_listen_start net/sctp/socket.c:8570 [inline]\n sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625\n __sys_listen_socket net/socket.c:1883 [inline]\n __sys_listen+0x1b7/0x230 net/socket.c:1894\n __do_sys_listen net/socket.c:1902 [inline]\n __se_sys_listen net/socket.c:1900 [inline]\n __x64_sys_listen+0x5a/0x70 net/socket.c:1900\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f24e46039b9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032\nRAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9\nRDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004\nRBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0\nR10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c\nR13:\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44935" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44938", + "dataSource": "https://ubuntu.com/security/CVE-2024-44938", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44938" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44938", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44938", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/234e6ea0855cdb5673d54ecaf7dc5c78f3e84630", + "https://git.kernel.org/stable/c/7063b80268e2593e58bee8a8d709c2f3ff93e2f2", + "https://git.kernel.org/stable/c/f650148b43949ca9e37e820804bb6026fff404f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix shift-out-of-bounds in dbDiscardAG\n\nWhen searching for the next smaller log2 block, BLKSTOL2() returned 0,\ncausing shift exponent -1 to be negative.\n\nThis patch fixes the issue by exiting the loop directly when negative\nshift is found.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44938" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44939", + "dataSource": "https://ubuntu.com/security/CVE-2024-44939", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44939" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44939", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44939", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6ea10dbb1e6c58384136e9adfd75f81951e423f6", + "https://git.kernel.org/stable/c/9c2ac38530d1a3ee558834dfa16c85a40fd0e702", + "https://git.kernel.org/stable/c/ce6dede912f064a855acf6f04a04cbb2c25b8c8c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix null ptr deref in dtInsertEntry\n\n[syzbot reported]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713\n...\n[Analyze]\nIn dtInsertEntry(), when the pointer h has the same value as p, after writing\nname in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the\npreviously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing\nthe name operation, this leads to entering an incorrect branch and accessing the\nuninitialized object ih when judging this condition for the second time.\n\n[Fix]\nAfter got the page, check freelist first, if freelist == 0 then exit dtInsert()\nand return -EINVAL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44939" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44940", + "dataSource": "https://ubuntu.com/security/CVE-2024-44940", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44940" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44940", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44940", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3db4395332e7050ef9ddeb3052e6b5019f2a2a59", + "https://git.kernel.org/stable/c/440ab7f97261bc28501636a13998e1b1946d2e79", + "https://git.kernel.org/stable/c/dd89a81d850fa9a65f67b4527c0e420d15bf836c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: remove warn in gue_gro_receive on unsupported protocol\n\nDrop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is\nnot known or does not have a GRO handler.\n\nSuch a packet is easily constructed. Syzbot generates them and sets\noff this warning.\n\nRemove the warning as it is expected and not actionable.\n\nThe warning was previously reduced from WARN_ON to WARN_ON_ONCE in\ncommit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad\nproto callbacks\").", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44940" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44941", + "dataSource": "https://ubuntu.com/security/CVE-2024-44941", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44941" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44941", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44941", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/263df78166d3a9609b97d28c34029bd01874cbb8", + "https://git.kernel.org/stable/c/323ef20b5558b9d9fd10c1224327af6f11a8177d", + "https://git.kernel.org/stable/c/d7409b05a64f212735f0d33f5f1602051a886eab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to cover read extent cache access with lock\n\nsyzbot reports a f2fs bug as below:\n\nBUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\nRead of size 4 at addr ffff8880739ab220 by task syz-executor200/5097\n\nCPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\n do_read_inode fs/f2fs/inode.c:509 [inline]\n f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560\n f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237\n generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413\n exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444\n exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584\n do_handle_to_path fs/fhandle.c:155 [inline]\n handle_to_path fs/fhandle.c:210 [inline]\n do_handle_open+0x495/0x650 fs/fhandle.c:226\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWe missed to cover sanity_check_extent_cache() w/ extent cache lock,\nso, below race case may happen, result in use after free issue.\n\n- f2fs_iget\n - do_read_inode\n - f2fs_init_read_extent_tree\n : add largest extent entry in to cache\n\t\t\t\t\t- shrink\n\t\t\t\t\t - f2fs_shrink_read_extent_tree\n\t\t\t\t\t - __shrink_extent_tree\n\t\t\t\t\t - __detach_extent_node\n\t\t\t\t\t : drop largest extent entry\n - sanity_check_extent_cache\n : access et->largest w/o lock\n\nlet's refactor sanity_check_extent_cache() to avoid extent cache access\nand call it before f2fs_init_read_extent_tree() to fix this issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44941" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44942", + "dataSource": "https://ubuntu.com/security/CVE-2024-44942", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44942" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44942", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44942", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/26c07775fb5dc74351d1c3a2bc3cdf609b03e49f", + "https://git.kernel.org/stable/c/ae00e6536a2dd54b64b39e9a39548870cf835745", + "https://git.kernel.org/stable/c/fc01008c92f40015aeeced94750855a7111b6929" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC\n\nsyzbot reports a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/inline.c:258!\nCPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0\nRIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258\nCall Trace:\n f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834\n f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline]\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315\n do_writepages+0x35b/0x870 mm/page-writeback.c:2612\n __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650\n writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941\n wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117\n wb_do_writeback fs/fs-writeback.c:2264 [inline]\n wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335\n worker_thread+0x86d/0xd70 kernel/workqueue.c:3416\n kthread+0x2f2/0x390 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nThe root cause is: inline_data inode can be fuzzed, so that there may\nbe valid blkaddr in its direct node, once f2fs triggers background GC\nto migrate the block, it will hit f2fs_bug_on() during dirty page\nwriteback.\n\nLet's add sanity check on F2FS_INLINE_DATA flag in inode during GC,\nso that, it can forbid migrating inline_data inode's data block for\nfixing.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44942" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + } + ], + "source": { + "type": "image", + "target": { + "userInput": "tensorflow/tensorflow:latest", + "imageID": "sha256:8f6e945a1a52d428908c6b70f2741376279500f92c5381afbac9a790aa18c5b9", + "manifestDigest": "sha256:5ec32574bc7f466b5b8f7343e300e1368574a1a89a54735d332cf0f7b78aedf7", + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "tags": [ + "tensorflow/tensorflow:latest" + ], + "imageSize": 1860450104, + "layers": [ + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf", + "size": 77859294 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:a1524f41bf32513efcd516bf2723891fa950c27dda174c21c34b42ae39292593", + "size": 1376 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:f161369a614659452b4992afcd119f46d58f303a542c25378f3b4e76850c1cb9", + "size": 1180 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:5cdc2ec5b3289e4d7a3ef8060161ac8416d19b38f7fb768d5b501ec63d7932f6", + "size": 65 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b", + "size": 64771625 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869", + "size": 366157730 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:ff26aa7f5c0c9aff1a659c954c125ba055397ad2d1ca3f6142a8d557ede26601", + "size": 1790 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:a9612271ae2cb80b4a72958aa0fad654bd0d8754abdd5735d7d42c4382c18209", + "size": 11 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86", + "size": 98899165 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:bc30661351c21630b4168db5f461fa0b46cc7399810bcd5f948ad7aea3695db6", + "size": 1252754034 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:7fc2cfd8ae5906162386489d52ebaca5012a18be55aba6f9a9d423d3b5e6f48a", + "size": 1917 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:bc9a32fd42951f1f87400fafa710eaa2e2db8586960ede6120b4e4050585062f", + "size": 1917 + } + ], + "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo0NTMyLCJkaWdlc3QiOiJzaGEyNTY6OGY2ZTk0NWExYTUyZDQyODkwOGM2YjcwZjI3NDEzNzYyNzk1MDBmOTJjNTM4MWFmYmFjOWE3OTBhYTE4YzViOSJ9LCJsYXllcnMiOlt7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjo4MDQxMjY3MiwiZGlnZXN0Ijoic2hhMjU2OjkzMWI3ZmYwY2I2ZjQ5NGIyN2QzMWE0Y2JlYzNlZmU2MmFjNTQ2NzZhZGQ5Yzc0Njk1NjAzMDJmMTU0MWVjYWYifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjozMDcyLCJkaWdlc3QiOiJzaGEyNTY6YTE1MjRmNDFiZjMyNTEzZWZjZDUxNmJmMjcyMzg5MWZhOTUwYzI3ZGRhMTc0YzIxYzM0YjQyYWUzOTI5MjU5MyJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjMwNzIsImRpZ2VzdCI6InNoYTI1NjpmMTYxMzY5YTYxNDY1OTQ1MmI0OTkyYWZjZDExOWY0NmQ1OGYzMDNhNTQyYzI1Mzc4ZjNiNGU3Njg1MGMxY2I5In0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjA0OCwiZGlnZXN0Ijoic2hhMjU2OjVjZGMyZWM1YjMyODllNGQ3YTNlZjgwNjAxNjFhYzg0MTZkMTliMzhmN2ZiNzY4ZDViNTAxZWM2M2Q3OTMyZjYifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjo2NTM3MzE4NCwiZGlnZXN0Ijoic2hhMjU2OjM4N2EzNDgwMjJiZGY4OWZiM2Y1MTQyZTMxNzZjNGI2YWEwNzU2N2RjNjYwZTFlMWRiNDZkNmRiNTA3MjNhNWIifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjozNzMzNTA0MDAsImRpZ2VzdCI6InNoYTI1NjowYmJmM2U2NGM4YjA3NjYwOWNlMGEwYjQ5YTM5ZTMzOTI5OTJiODJkZWE1N2ZiYTUxZjBhYTEzMDRlODIxODY5In0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MzU4NCwiZGlnZXN0Ijoic2hhMjU2OmZmMjZhYTdmNWMwYzlhZmYxYTY1OWM5NTRjMTI1YmEwNTUzOTdhZDJkMWNhM2Y2MTQyYThkNTU3ZWRlMjY2MDEifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjoyMDQ4LCJkaWdlc3QiOiJzaGEyNTY6YTk2MTIyNzFhZTJjYjgwYjRhNzI5NThhYTBmYWQ2NTRiZDBkODc1NGFiZGQ1NzM1ZDdkNDJjNDM4MmMxODIwOSJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjEwMTc0MzEwNCwiZGlnZXN0Ijoic2hhMjU2OjhiNGM3YTkwZTVlZGI4ODc3NDM1MWYzZmQ1YzY2MWEzZmEwZjhmZWRjZjY4ZjY5Njk4MWQzYTVmZGFlODVkODYifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjoxMjY3NTAxMDU2LCJkaWdlc3QiOiJzaGEyNTY6YmMzMDY2MTM1MWMyMTYzMGI0MTY4ZGI1ZjQ2MWZhMGI0NmNjNzM5OTgxMGJjZDVmOTQ4YWQ3YWVhMzY5NWRiNiJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjQwOTYsImRpZ2VzdCI6InNoYTI1Njo3ZmMyY2ZkOGFlNTkwNjE2MjM4NjQ4OWQ1MmViYWNhNTAxMmExOGJlNTVhYmE2ZjlhOWQ0MjNkM2I1ZTZmNDhhIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2OmJjOWEzMmZkNDI5NTFmMWY4NzQwMGZhZmE3MTBlYWEyZTJkYjg1ODY5NjBlZGU2MTIwYjRlNDA1MDU4NTA2MmYifV19", + "config": "eyJhcmNoaXRlY3R1cmUiOiJhbWQ2NCIsImNvbmZpZyI6eyJFbnYiOlsiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iLCJERUJJQU5fRlJPTlRFTkQ9bm9uaW50ZXJhY3RpdmUiLCJMQU5HPUMuVVRGLTgiXSwiQ21kIjpbIi9iaW4vYmFzaCJdLCJMYWJlbHMiOnsib3JnLm9wZW5jb250YWluZXJzLmltYWdlLnJlZi5uYW1lIjoidWJ1bnR1Iiwib3JnLm9wZW5jb250YWluZXJzLmltYWdlLnZlcnNpb24iOiIyMi4wNCJ9fSwiY3JlYXRlZCI6IjIwMjQtMDctMTJUMTI6NDU6MjMuMTM4NDQ2NjkyWiIsImhpc3RvcnkiOlt7ImNyZWF0ZWQiOiIyMDI0LTA2LTI3VDIwOjEwOjEwLjUyODExMDYxNFoiLCJjcmVhdGVkX2J5IjoiL2Jpbi9zaCAtYyAjKG5vcCkgIEFSRyBSRUxFQVNFIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjQtMDYtMjdUMjA6MTA6MTAuNTY2MzAwNjI1WiIsImNyZWF0ZWRfYnkiOiIvYmluL3NoIC1jICMobm9wKSAgQVJHIExBVU5DSFBBRF9CVUlMRF9BUkNIIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjQtMDYtMjdUMjA6MTA6MTAuNjA2NzM3MDI5WiIsImNyZWF0ZWRfYnkiOiIvYmluL3NoIC1jICMobm9wKSAgTEFCRUwgb3JnLm9wZW5jb250YWluZXJzLmltYWdlLnJlZi5uYW1lPXVidW50dSIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDI0LTA2LTI3VDIwOjEwOjEwLjYzODkxNTQ2N1oiLCJjcmVhdGVkX2J5IjoiL2Jpbi9zaCAtYyAjKG5vcCkgIExBQkVMIG9yZy5vcGVuY29udGFpbmVycy5pbWFnZS52ZXJzaW9uPTIyLjA0IiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjQtMDYtMjdUMjA6MTA6MTIuNDgxOTgwNTM5WiIsImNyZWF0ZWRfYnkiOiIvYmluL3NoIC1jICMobm9wKSBBREQgZmlsZTpkNWRhOTIxOTk3MjZlNDJkYTA5YTZmNzVhNzc4YmVmYjYwN2ZlM2Y3OWU0YWZhZjdlZjUxODgzMjliMjZiMzg2IGluIC8gIn0seyJjcmVhdGVkIjoiMjAyNC0wNi0yN1QyMDoxMDoxMi43MDM1MTkyMThaIiwiY3JlYXRlZF9ieSI6Ii9iaW4vc2ggLWMgIyhub3ApICBDTUQgW1wiL2Jpbi9iYXNoXCJdIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTJUMTI6MzY6MTAuOTM5NzY0ODI3WiIsImNyZWF0ZWRfYnkiOiJFTlYgREVCSUFOX0ZST05URU5EPW5vbmludGVyYWN0aXZlIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyNC0wNy0xMlQxMjozNjoxMC45Mzk3NjQ4MjdaIiwiY3JlYXRlZF9ieSI6IkVOViBMQU5HPUMuVVRGLTgiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTEyVDEyOjM2OjEwLjkzOTc2NDgyN1oiLCJjcmVhdGVkX2J5IjoiQ09QWSBzZXR1cC5zb3VyY2VzLnNoIC9zZXR1cC5zb3VyY2VzLnNoICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTJUMTI6MzY6MTAuOTY1MTA0ODAzWiIsImNyZWF0ZWRfYnkiOiJDT1BZIHNldHVwLnBhY2thZ2VzLnNoIC9zZXR1cC5wYWNrYWdlcy5zaCAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTEyVDEyOjM2OjEwLjk5MDg0MzYwMVoiLCJjcmVhdGVkX2J5IjoiQ09QWSBjcHUucGFja2FnZXMudHh0IC9jcHUucGFja2FnZXMudHh0ICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTJUMTI6MzY6MjAuOTgxNDQ0NjY1WiIsImNyZWF0ZWRfYnkiOiJSVU4gL2Jpbi9zaCAtYyAvc2V0dXAuc291cmNlcy5zaCAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTEyVDEyOjM2OjQyLjkwOTQyMjAzN1oiLCJjcmVhdGVkX2J5IjoiUlVOIC9iaW4vc2ggLWMgL3NldHVwLnBhY2thZ2VzLnNoIC9jcHUucGFja2FnZXMudHh0ICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTJUMTI6MzY6NDIuOTA5NDIyMDM3WiIsImNyZWF0ZWRfYnkiOiJBUkcgUFlUSE9OX1ZFUlNJT049cHl0aG9uMy4xMSIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTJUMTI6MzY6NDIuOTA5NDIyMDM3WiIsImNyZWF0ZWRfYnkiOiJBUkcgVEVOU09SRkxPV19QQUNLQUdFPXRlbnNvcmZsb3ctY3B1PT0yLjE3LjAiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTEyVDEyOjM2OjQyLjkzNDQ4NzI0M1oiLCJjcmVhdGVkX2J5IjoiQ09QWSBzZXR1cC5weXRob24uc2ggL3NldHVwLnB5dGhvbi5zaCAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTEyVDEyOjM2OjQyLjk2MDIwNDE5NloiLCJjcmVhdGVkX2J5IjoiQ09QWSBjcHUucmVxdWlyZW1lbnRzLnR4dCAvY3B1LnJlcXVpcmVtZW50cy50eHQgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn0seyJjcmVhdGVkIjoiMjAyNC0wNy0xMlQxMjo0NDo1MC43NjY3NzEyNTVaIiwiY3JlYXRlZF9ieSI6IlJVTiB8MiBQWVRIT05fVkVSU0lPTj1weXRob24zLjExIFRFTlNPUkZMT1dfUEFDS0FHRT10ZW5zb3JmbG93LWNwdT09Mi4xNy4wIC9iaW4vc2ggLWMgL3NldHVwLnB5dGhvbi5zaCAkUFlUSE9OX1ZFUlNJT04gL2NwdS5yZXF1aXJlbWVudHMudHh0ICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjQtMDctMTJUMTI6NDU6MjIuODg2Mzg0MDEyWiIsImNyZWF0ZWRfYnkiOiJSVU4gfDIgUFlUSE9OX1ZFUlNJT049cHl0aG9uMy4xMSBURU5TT1JGTE9XX1BBQ0tBR0U9dGVuc29yZmxvdy1jcHU9PTIuMTcuMCAvYmluL3NoIC1jIHBpcCBpbnN0YWxsIC0tbm8tY2FjaGUtZGlyICR7VEVOU09SRkxPV19QQUNLQUdFfSAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDI0LTA3LTEyVDEyOjQ1OjIyLjkwOTIwNTRaIiwiY3JlYXRlZF9ieSI6IkNPUFkgYmFzaHJjIC9ldGMvYmFzaC5iYXNocmMgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn0seyJjcmVhdGVkIjoiMjAyNC0wNy0xMlQxMjo0NToyMy4xMzg0NDY2OTJaIiwiY3JlYXRlZF9ieSI6IlJVTiB8MiBQWVRIT05fVkVSU0lPTj1weXRob24zLjExIFRFTlNPUkZMT1dfUEFDS0FHRT10ZW5zb3JmbG93LWNwdT09Mi4xNy4wIC9iaW4vc2ggLWMgY2htb2QgYStyd3ggL2V0Yy9iYXNoLmJhc2hyYyAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifV0sIm9zIjoibGludXgiLCJyb290ZnMiOnsidHlwZSI6ImxheWVycyIsImRpZmZfaWRzIjpbInNoYTI1Njo5MzFiN2ZmMGNiNmY0OTRiMjdkMzFhNGNiZWMzZWZlNjJhYzU0Njc2YWRkOWM3NDY5NTYwMzAyZjE1NDFlY2FmIiwic2hhMjU2OmExNTI0ZjQxYmYzMjUxM2VmY2Q1MTZiZjI3MjM4OTFmYTk1MGMyN2RkYTE3NGMyMWMzNGI0MmFlMzkyOTI1OTMiLCJzaGEyNTY6ZjE2MTM2OWE2MTQ2NTk0NTJiNDk5MmFmY2QxMTlmNDZkNThmMzAzYTU0MmMyNTM3OGYzYjRlNzY4NTBjMWNiOSIsInNoYTI1Njo1Y2RjMmVjNWIzMjg5ZTRkN2EzZWY4MDYwMTYxYWM4NDE2ZDE5YjM4ZjdmYjc2OGQ1YjUwMWVjNjNkNzkzMmY2Iiwic2hhMjU2OjM4N2EzNDgwMjJiZGY4OWZiM2Y1MTQyZTMxNzZjNGI2YWEwNzU2N2RjNjYwZTFlMWRiNDZkNmRiNTA3MjNhNWIiLCJzaGEyNTY6MGJiZjNlNjRjOGIwNzY2MDljZTBhMGI0OWEzOWUzMzkyOTkyYjgyZGVhNTdmYmE1MWYwYWExMzA0ZTgyMTg2OSIsInNoYTI1NjpmZjI2YWE3ZjVjMGM5YWZmMWE2NTljOTU0YzEyNWJhMDU1Mzk3YWQyZDFjYTNmNjE0MmE4ZDU1N2VkZTI2NjAxIiwic2hhMjU2OmE5NjEyMjcxYWUyY2I4MGI0YTcyOTU4YWEwZmFkNjU0YmQwZDg3NTRhYmRkNTczNWQ3ZDQyYzQzODJjMTgyMDkiLCJzaGEyNTY6OGI0YzdhOTBlNWVkYjg4Nzc0MzUxZjNmZDVjNjYxYTNmYTBmOGZlZGNmNjhmNjk2OTgxZDNhNWZkYWU4NWQ4NiIsInNoYTI1NjpiYzMwNjYxMzUxYzIxNjMwYjQxNjhkYjVmNDYxZmEwYjQ2Y2M3Mzk5ODEwYmNkNWY5NDhhZDdhZWEzNjk1ZGI2Iiwic2hhMjU2OjdmYzJjZmQ4YWU1OTA2MTYyMzg2NDg5ZDUyZWJhY2E1MDEyYTE4YmU1NWFiYTZmOWE5ZDQyM2QzYjVlNmY0OGEiLCJzaGEyNTY6YmM5YTMyZmQ0Mjk1MWYxZjg3NDAwZmFmYTcxMGVhYTJlMmRiODU4Njk2MGVkZTYxMjBiNGU0MDUwNTg1MDYyZiJdfX0=", + "repoDigests": [ + "tensorflow/tensorflow@sha256:821b11952acfa67764c1f433a0629747ee49e30a69291811a2dcbef77b67cf33" + ], + "architecture": "amd64", + "os": "linux", + "labels": { + "org.opencontainers.image.ref.name": "ubuntu", + "org.opencontainers.image.version": "22.04" + } + } + }, + "distro": { + "name": "ubuntu", + "version": "22.04", + "idLike": [ + "debian" + ] + }, + "descriptor": { + "name": "grype", + "version": "0.79.3", + "configuration": { + "output": [ + "json" + ], + "file": "", + "distro": "", + "add-cpes-if-none": false, + "output-template-file": "", + "check-for-app-update": true, + "only-fixed": false, + "only-notfixed": false, + "ignore-wontfix": "", + "platform": "", + "search": { + "scope": "squashed", + "unindexed-archives": false, + "indexed-archives": true + }, + "ignore": [ + { + "vulnerability": "", + "reason": "", + "namespace": "", + "fix-state": "", + "package": { + "name": "kernel-headers", + "version": "", + "language": "", + "type": "rpm", + "location": "", + "upstream-name": "kernel" + }, + "vex-status": "", + "vex-justification": "", + "match-type": "exact-indirect-match" + }, + { + "vulnerability": "", + "reason": "", + "namespace": "", + "fix-state": "", + "package": { + "name": "linux-headers-.*", + "version": "", + "language": "", + "type": "deb", + "location": "", + "upstream-name": "linux" + }, + "vex-status": "", + "vex-justification": "", + "match-type": "exact-indirect-match" + }, + { + "vulnerability": "", + "reason": "", + "namespace": "", + "fix-state": "", + "package": { + "name": "linux-libc-dev", + "version": "", + "language": "", + "type": "deb", + "location": "", + "upstream-name": "linux" + }, + "vex-status": "", + "vex-justification": "", + "match-type": "exact-indirect-match" + } + ], + "exclude": [], + "db": { + "cache-dir": "/Users/atang/Library/Caches/grype/db", + "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json", + "ca-cert": "", + "auto-update": true, + "validate-by-hash-on-start": false, + "validate-age": true, + "max-allowed-built-age": 432000000000000, + "update-available-timeout": 30000000000, + "update-download-timeout": 120000000000 + }, + "externalSources": { + "enable": false, + "maven": { + "searchUpstreamBySha1": true, + "baseUrl": "https://search.maven.org/solrsearch/select" + } + }, + "match": { + "java": { + "using-cpes": false + }, + "dotnet": { + "using-cpes": false + }, + "golang": { + "using-cpes": false, + "always-use-cpe-for-stdlib": true, + "allow-main-module-pseudo-version-comparison": false + }, + "javascript": { + "using-cpes": false + }, + "python": { + "using-cpes": false + }, + "ruby": { + "using-cpes": false + }, + "rust": { + "using-cpes": false + }, + "stock": { + "using-cpes": true + } + }, + "fail-on-severity": "", + "registry": { + "insecure-skip-tls-verify": false, + "insecure-use-http": false, + "auth": null, + "ca-cert": "" + }, + "show-suppressed": false, + "by-cve": false, + "name": "", + "default-image-pull-source": "", + "vex-documents": [], + "vex-add": [], + "match-upstream-kernel-headers": false + }, + "db": { + "built": "2024-08-29T01:31:52Z", + "schemaVersion": 5, + "location": "/Users/atang/Library/Caches/grype/db/5", + "checksum": "sha256:755b4c6811bb129d58b2f2a7ff01473c8cbcd08f1916cc6a250144601a7d1d39", + "error": null + }, + "timestamp": "2024-08-29T13:31:15.474449-04:00" + } + } \ No newline at end of file diff --git a/test/sample_data/anchoregrype/tensorflow-grype-hdf.json b/test/sample_data/anchoregrype/tensorflow-grype-hdf.json new file mode 100644 index 000000000..bf4b45e20 --- /dev/null +++ b/test/sample_data/anchoregrype/tensorflow-grype-hdf.json @@ -0,0 +1,77126 @@ +{ + "platform": { + "name": "Heimdall Tools", + "release": "2.10.15", + "target_id": null + }, + "version": "2.10.15", + "statistics": { + "duration": null + }, + "profiles": [ + { + "name": "Anchore - Grype", + "title": "Anchore Grype Matches", + "version": "0.79.3", + "maintainer": null, + "summary": null, + "license": null, + "copyright": null, + "copyright_email": null, + "supports": [], + "attributes": [], + "depends": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-27943", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-27943" + }, + { + "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-27943 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-27943", + "desc": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-27943\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-27943\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-27943\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-27943\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-27943\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/\",\n \"https://sourceware.org/bugzilla/show_bug.cgi?id=28995\"\n ],\n \"description\": \"libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"2baa616d4a39d455\",\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"63fdcfa2d3d7f050\",\n \"name\": \"binutils-common\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-common:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"f1c65ff7effb20c8\",\n \"name\": \"binutils-x86-64-linux-gnu\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"c933f77f391da70f\",\n \"name\": \"cpp\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"ec8dc9fd7bb4eba9\",\n \"name\": \"cpp-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"991685e1bc259ed8\",\n \"name\": \"g++\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"4b5cc3dda3447fc9\",\n \"name\": \"g++-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"343d7434c8c334f5\",\n \"name\": \"gcc\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"b15bbd3cb5f12603\",\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"21bb5fd2d1b64d58\",\n \"name\": \"gcc-11-base\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11-base:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"0d7332e43f485d8d\",\n \"name\": \"gcc-12-base\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-12-base:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-12-base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12-base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12_base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12_base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"56ea2975ec405acb\",\n \"name\": \"libasan6\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libasan6:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"816f5e3fe2b8694c\",\n \"name\": \"libatomic1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libatomic1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libatomic1:libatomic1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libatomic1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"e1318293ffeacaf0\",\n \"name\": \"libbinutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libbinutils:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"a69323dca274b473\",\n \"name\": \"libcc1-0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libcc1-0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcc1-0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1-0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1_0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1_0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libcc1-0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"f60f0b441039170a\",\n \"name\": \"libctf-nobfd0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libctf-nobfd0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"090aac7e6312e1a4\",\n \"name\": \"libctf0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"851df3c34e377555\",\n \"name\": \"libgcc-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"e06d1fc320a8a1ac\",\n \"name\": \"libgcc-s1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-s1:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"c8cf906bd8b6dcd3\",\n \"name\": \"libgomp1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgomp1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgomp1:libgomp1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgomp1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"3df6bfc8ac5188d7\",\n \"name\": \"libitm1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libitm1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libitm1:libitm1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libitm1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"e41baeef893dc672\",\n \"name\": \"liblsan0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/liblsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:liblsan0:liblsan0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/liblsan0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"851fee7a303de1b7\",\n \"name\": \"libquadmath0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libquadmath0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libquadmath0:libquadmath0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libquadmath0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"5c5dbe65627d4087\",\n \"name\": \"libstdc++-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"4ddc88716174352d\",\n \"name\": \"libstdc++6\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++6:libstdc++6:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"f12aede72a6ee01b\",\n \"name\": \"libtsan0\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"0bd42c1a89f86d7c\",\n \"name\": \"libubsan1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libubsan1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libubsan1:libubsan1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libubsan1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-1010204", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-1010204" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20190822-0001/" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=23765" + }, + { + "url": "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-1010204 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2019-1010204", + "desc": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-1010204\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-1010204\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-1010204\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-1010204\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-1010204\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://security.netapp.com/advisory/ntap-20190822-0001/\",\n \"https://sourceware.org/bugzilla/show_bug.cgi?id=23765\",\n \"https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS\"\n ],\n \"description\": \"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"2baa616d4a39d455\",\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"63fdcfa2d3d7f050\",\n \"name\": \"binutils-common\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-common:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"f1c65ff7effb20c8\",\n \"name\": \"binutils-x86-64-linux-gnu\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"e1318293ffeacaf0\",\n \"name\": \"libbinutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libbinutils:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"f60f0b441039170a\",\n \"name\": \"libctf-nobfd0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libctf-nobfd0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"090aac7e6312e1a4\",\n \"name\": \"libctf0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-13716", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-13716" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-13716 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2017-13716", + "desc": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-13716\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-13716\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-13716\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-13716\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-13716\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://sourceware.org/bugzilla/show_bug.cgi?id=22009\"\n ],\n \"description\": \"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"2baa616d4a39d455\",\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"63fdcfa2d3d7f050\",\n \"name\": \"binutils-common\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-common:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"f1c65ff7effb20c8\",\n \"name\": \"binutils-x86-64-linux-gnu\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"e1318293ffeacaf0\",\n \"name\": \"libbinutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libbinutils:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"f60f0b441039170a\",\n \"name\": \"libctf-nobfd0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libctf-nobfd0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"090aac7e6312e1a4\",\n \"name\": \"libctf0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48064", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48064" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231006-0008/" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=29922" + }, + { + "url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48064 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-48064", + "desc": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48064\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48064\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48064\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48064\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48064\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/\",\n \"https://security.netapp.com/advisory/ntap-20231006-0008/\",\n \"https://sourceware.org/bugzilla/show_bug.cgi?id=29922\",\n \"https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931\"\n ],\n \"description\": \"GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"2baa616d4a39d455\",\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"63fdcfa2d3d7f050\",\n \"name\": \"binutils-common\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-common:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"f1c65ff7effb20c8\",\n \"name\": \"binutils-x86-64-linux-gnu\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"e1318293ffeacaf0\",\n \"name\": \"libbinutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libbinutils:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"f60f0b441039170a\",\n \"name\": \"libctf-nobfd0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libctf-nobfd0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"090aac7e6312e1a4\",\n \"name\": \"libctf0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-20657", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-20657" + }, + { + "url": "http://www.securityfocus.com/bid/106444" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3352" + }, + { + "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539" + }, + { + "url": "https://support.f5.com/csp/article/K62602089" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-20657 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2018-20657", + "desc": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-20657\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-20657\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-20657\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-20657\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-20657\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/106444\",\n \"https://access.redhat.com/errata/RHSA-2019:3352\",\n \"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539\",\n \"https://support.f5.com/csp/article/K62602089\"\n ],\n \"description\": \"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"2baa616d4a39d455\",\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"63fdcfa2d3d7f050\",\n \"name\": \"binutils-common\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-common:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"f1c65ff7effb20c8\",\n \"name\": \"binutils-x86-64-linux-gnu\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"e1318293ffeacaf0\",\n \"name\": \"libbinutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libbinutils:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"f60f0b441039170a\",\n \"name\": \"libctf-nobfd0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libctf-nobfd0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"090aac7e6312e1a4\",\n \"name\": \"libctf0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2016-2781", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2016-2781" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2016/02/28/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2016/02/28/3" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2016-2781 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2016-2781", + "desc": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2016-2781\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2016-2781\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2016-2781\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2016-2781\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-2781\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2016/02/28/2\",\n \"http://www.openwall.com/lists/oss-security/2016/02/28/3\",\n \"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E\"\n ],\n \"description\": \"chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"coreutils\",\n \"version\": \"8.32-4.1ubuntu1.2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2781\"\n }\n }\n]", + "message": "{\n \"id\": \"ba31f56208da56da\",\n \"name\": \"coreutils\",\n \"version\": \"8.32-4.1ubuntu1.2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/coreutils/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/coreutils.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-3\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:coreutils:coreutils:8.32-4.1ubuntu1.2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1.2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-4039", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-4039" + }, + { + "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64" + }, + { + "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-4039 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-4039", + "desc": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-4039\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-4039\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-4039\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-4039\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-4039\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64\",\n \"https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf\"\n ],\n \"description\": \"\\n\\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \\nthat target AArch64 allows an attacker to exploit an existing buffer \\noverflow in dynamically-sized local variables in your application \\nwithout this being detected. This stack-protector failure only applies \\nto C99-style dynamically-sized local variables or those created using \\nalloca(). The stack-protector operates as intended for statically-sized \\nlocal variables.\\n\\nThe default behavior when the stack-protector \\ndetects an overflow is to terminate your application, resulting in \\ncontrolled loss of availability. An attacker who can exploit a buffer \\noverflow without triggering the stack-protector might be able to change \\nprogram flow control to cause an uncontrolled loss of availability or to\\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\\n\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 4.8,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"arm-security@arm.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 4.8,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"c933f77f391da70f\",\n \"name\": \"cpp\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"ec8dc9fd7bb4eba9\",\n \"name\": \"cpp-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"991685e1bc259ed8\",\n \"name\": \"g++\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"4b5cc3dda3447fc9\",\n \"name\": \"g++-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"343d7434c8c334f5\",\n \"name\": \"gcc\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"b15bbd3cb5f12603\",\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"21bb5fd2d1b64d58\",\n \"name\": \"gcc-11-base\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11-base:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"0d7332e43f485d8d\",\n \"name\": \"gcc-12-base\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-12-base:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-12-base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12-base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12_base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12_base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"56ea2975ec405acb\",\n \"name\": \"libasan6\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libasan6:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"816f5e3fe2b8694c\",\n \"name\": \"libatomic1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libatomic1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libatomic1:libatomic1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libatomic1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"a69323dca274b473\",\n \"name\": \"libcc1-0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libcc1-0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcc1-0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1-0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1_0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1_0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libcc1-0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"851df3c34e377555\",\n \"name\": \"libgcc-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"e06d1fc320a8a1ac\",\n \"name\": \"libgcc-s1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-s1:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"c8cf906bd8b6dcd3\",\n \"name\": \"libgomp1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgomp1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgomp1:libgomp1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgomp1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"3df6bfc8ac5188d7\",\n \"name\": \"libitm1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libitm1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libitm1:libitm1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libitm1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"e41baeef893dc672\",\n \"name\": \"liblsan0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/liblsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:liblsan0:liblsan0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/liblsan0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"851fee7a303de1b7\",\n \"name\": \"libquadmath0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libquadmath0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libquadmath0:libquadmath0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libquadmath0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"5c5dbe65627d4087\",\n \"name\": \"libstdc++-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"4ddc88716174352d\",\n \"name\": \"libstdc++6\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++6:libstdc++6:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"f12aede72a6ee01b\",\n \"name\": \"libtsan0\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"0bd42c1a89f86d7c\",\n \"name\": \"libubsan1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libubsan1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libubsan1:libubsan1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libubsan1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-13844", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-13844" + }, + { + "url": "http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html" + }, + { + "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability" + }, + { + "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation" + }, + { + "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions" + }, + { + "url": "https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-13844 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2020-13844", + "desc": "Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \"straight-line speculation.\"", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-13844\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-13844\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-13844\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-13844\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-13844\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html\",\n \"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html\",\n \"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html\",\n \"https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability\",\n \"https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation\",\n \"https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions\",\n \"https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html\"\n ],\n \"description\": \"Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \\\"straight-line speculation.\\\"\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-13844\"\n }\n }\n]", + "message": "{\n \"id\": \"c933f77f391da70f\",\n \"name\": \"cpp\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-13844\"\n }\n }\n]", + "message": "{\n \"id\": \"991685e1bc259ed8\",\n \"name\": \"g++\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-13844\"\n }\n }\n]", + "message": "{\n \"id\": \"343d7434c8c334f5\",\n \"name\": \"gcc\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-15847", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-15847" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html" + }, + { + "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-15847 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2019-15847", + "desc": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-15847\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-15847\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-15847\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-15847\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-15847\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html\",\n \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html\",\n \"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html\",\n \"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481\"\n ],\n \"description\": \"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-15847\"\n }\n }\n]", + "message": "{\n \"id\": \"c933f77f391da70f\",\n \"name\": \"cpp\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-15847\"\n }\n }\n]", + "message": "{\n \"id\": \"991685e1bc259ed8\",\n \"name\": \"g++\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-15847\"\n }\n }\n]", + "message": "{\n \"id\": \"343d7434c8c334f5\",\n \"name\": \"gcc\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-46195", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-46195" + }, + { + "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-46195 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-46195", + "desc": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-46195\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-46195\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-46195\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-46195\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-46195\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841\"\n ],\n \"description\": \"GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"ec8dc9fd7bb4eba9\",\n \"name\": \"cpp-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"4b5cc3dda3447fc9\",\n \"name\": \"g++-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"b15bbd3cb5f12603\",\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"21bb5fd2d1b64d58\",\n \"name\": \"gcc-11-base\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11-base:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"56ea2975ec405acb\",\n \"name\": \"libasan6\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libasan6:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"851df3c34e377555\",\n \"name\": \"libgcc-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"5c5dbe65627d4087\",\n \"name\": \"libstdc++-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"f12aede72a6ee01b\",\n \"name\": \"libtsan0\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3826", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-3826" + }, + { + "url": "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505" + }, + { + "url": "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3826 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-3826", + "desc": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3826\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-3826\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-3826\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3826\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3826\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505\",\n \"https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/\"\n ],\n \"description\": \"Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"ec8dc9fd7bb4eba9\",\n \"name\": \"cpp-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"4b5cc3dda3447fc9\",\n \"name\": \"g++-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"b15bbd3cb5f12603\",\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"21bb5fd2d1b64d58\",\n \"name\": \"gcc-11-base\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11-base:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"56ea2975ec405acb\",\n \"name\": \"libasan6\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libasan6:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"851df3c34e377555\",\n \"name\": \"libgcc-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"5c5dbe65627d4087\",\n \"name\": \"libstdc++-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"f12aede72a6ee01b\",\n \"name\": \"libtsan0\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-7264", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 7.81.0-1ubuntu1.17", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-7264" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/07/31/1" + }, + { + "url": "https://curl.se/docs/CVE-2024-7264.html" + }, + { + "url": "https://curl.se/docs/CVE-2024-7264.json" + }, + { + "url": "https://hackerone.com/reports/2629968" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-7264 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-7264", + "desc": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-7264\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-7264\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-7264\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"7.81.0-1ubuntu1.17\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-7264\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-7264\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/07/31/1\",\n \"https://curl.se/docs/CVE-2024-7264.html\",\n \"https://curl.se/docs/CVE-2024-7264.json\",\n \"https://hackerone.com/reports/2629968\"\n ],\n \"description\": \"libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\\nparser might end up using -1 for the length of the *time fraction*, leading to\\na `strlen()` getting performed on a pointer to a heap buffer area that is not\\n(purposely) null terminated.\\n\\nThis flaw most likely leads to a crash, but can also lead to heap contents\\ngetting returned to the application when\\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"curl\",\n \"version\": \"7.81.0-1ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 7.81.0-1ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7264\"\n }\n }\n]", + "message": "{\n \"id\": \"324465965a47402a\",\n \"name\": \"curl\",\n \"version\": \"7.81.0-1ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/curl/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/curl.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-Clause\",\n \"BSD-4-Clause\",\n \"ISC\",\n \"curl\",\n \"other\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:curl:curl:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"curl\",\n \"version\": \"7.81.0-1ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 7.81.0-1ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7264\"\n }\n }\n]", + "message": "{\n \"id\": \"b4d74f55020f24c9\",\n \"name\": \"libcurl3-gnutls\",\n \"version\": \"7.81.0-1ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libcurl3-gnutls/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libcurl3-gnutls:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-Clause\",\n \"BSD-4-Clause\",\n \"ISC\",\n \"curl\",\n \"other\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcurl3-gnutls:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcurl3-gnutls:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcurl3_gnutls:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcurl3_gnutls:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcurl3:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcurl3:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libcurl3-gnutls@7.81.0-1ubuntu1.16?arch=amd64&upstream=curl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"curl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"curl\",\n \"version\": \"7.81.0-1ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 7.81.0-1ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7264\"\n }\n }\n]", + "message": "{\n \"id\": \"52b4ac2b67a9ecd2\",\n \"name\": \"libcurl4\",\n \"version\": \"7.81.0-1ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libcurl4/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libcurl4:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-Clause\",\n \"BSD-4-Clause\",\n \"ISC\",\n \"curl\",\n \"other\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcurl4:libcurl4:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libcurl4@7.81.0-1ubuntu1.16?arch=amd64&upstream=curl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"curl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-34969", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-34969" + }, + { + "url": "https://gitlab.freedesktop.org/dbus/dbus/-/issues/457" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231208-0007/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-34969 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-34969", + "desc": "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-34969\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-34969\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-34969\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-34969\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-34969\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://gitlab.freedesktop.org/dbus/dbus/-/issues/457\",\n \"https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/\",\n \"https://security.netapp.com/advisory/ntap-20231208-0007/\"\n ],\n \"description\": \"D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"dbus\",\n \"version\": \"1.12.20-2ubuntu4.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-34969\"\n }\n }\n]", + "message": "{\n \"id\": \"60da06608335c6e9\",\n \"name\": \"dbus\",\n \"version\": \"1.12.20-2ubuntu4.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/dbus/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/dbus.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/dbus.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"AFL-2.1\",\n \"BSD-3-clause\",\n \"BSD-3-clause-generic\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"Tcl-BSDish\",\n \"g10-permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:dbus:dbus:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/dbus@1.12.20-2ubuntu4.1?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"dbus\",\n \"version\": \"1.12.20-2ubuntu4.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-34969\"\n }\n }\n]", + "message": "{\n \"id\": \"0c67a21e65bd16ee\",\n \"name\": \"libdbus-1-3\",\n \"version\": \"1.12.20-2ubuntu4.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libdbus-1-3/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libdbus-1-3:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"AFL-2.1\",\n \"BSD-3-clause\",\n \"BSD-3-clause-generic\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"Tcl-BSDish\",\n \"g10-permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libdbus-1-3:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus-1-3:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus_1_3:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus_1_3:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus-1:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus-1:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus_1:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus_1:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libdbus-1-3@1.12.20-2ubuntu4.1?arch=amd64&upstream=dbus&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"dbus\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-3219", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-3219" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-3219" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127010" + }, + { + "url": "https://dev.gnupg.org/D556" + }, + { + "url": "https://dev.gnupg.org/T5993" + }, + { + "url": "https://marc.info/?l=oss-security&m=165696590211434&w=4" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230324-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-3219 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-3219", + "desc": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-3219\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-3219\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-3219\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-3219\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3219\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-3219\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2127010\",\n \"https://dev.gnupg.org/D556\",\n \"https://dev.gnupg.org/T5993\",\n \"https://marc.info/?l=oss-security&m=165696590211434&w=4\",\n \"https://security.netapp.com/advisory/ntap-20230324-0001/\"\n ],\n \"description\": \"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"efa651c03e29c607\",\n \"name\": \"dirmngr\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/dirmngr/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/dirmngr.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:dirmngr:dirmngr:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/dirmngr@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"1d53afeb1b2bed73\",\n \"name\": \"gnupg\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gnupg/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gnupg.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gnupg:gnupg:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gnupg@2.2.27-3ubuntu2.1?arch=all&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"50e44f27e2b0c800\",\n \"name\": \"gnupg-l10n\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gnupg-l10n/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gnupg-l10n.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gnupg-l10n:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg-l10n:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg_l10n:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg_l10n:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gnupg-l10n@2.2.27-3ubuntu2.1?arch=all&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"1d0ecf2cdf605099\",\n \"name\": \"gnupg-utils\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gnupg-utils/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gnupg-utils.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gnupg-utils:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg-utils:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg_utils:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg_utils:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gnupg-utils@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"22ea11b15ccb9d9a\",\n \"name\": \"gpg\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpg/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpg.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpg:gpg:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpg@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"6b1172046efd6589\",\n \"name\": \"gpg-agent\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpg-agent/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpg-agent.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpg-agent.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpg-agent:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-agent:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_agent:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_agent:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpg-agent@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"165b537d3990d094\",\n \"name\": \"gpg-wks-client\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpg-wks-client/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpg-wks-client.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpg-wks-client:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks-client:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks_client:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks_client:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpg-wks-client@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"89c2406ff86aa601\",\n \"name\": \"gpg-wks-server\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpg-wks-server/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpg-wks-server.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpg-wks-server:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks-server:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks_server:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks_server:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpg-wks-server@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"775f261341147b3c\",\n \"name\": \"gpgconf\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpgconf/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpgconf.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpgconf:gpgconf:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpgconf@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"5e764c44f36dd32a\",\n \"name\": \"gpgsm\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpgsm/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpgsm.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpgsm:gpgsm:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpgsm@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"9b32ff71df8828aa\",\n \"name\": \"gpgv\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpgv/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpgv.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpgv:gpgv:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0217", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-0217" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0217" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256624" + }, + { + "url": "https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0217 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-0217", + "desc": "A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0217\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-0217\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-0217\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-0217\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0217\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2024-0217\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2256624\",\n \"https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79\"\n ],\n \"description\": \"A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0217\"\n }\n }\n]", + "message": "{\n \"id\": \"3e0695ea8a15e043\",\n \"name\": \"gir1.2-packagekitglib-1.0\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gir1.2-packagekitglib-1.0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gir1.2-packagekitglib-1.0.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gir1.2-packagekitglib-1.0@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"packagekit\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0217\"\n }\n }\n]", + "message": "{\n \"id\": \"4e2ed93a3f00508b\",\n \"name\": \"libpackagekit-glib2-18\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpackagekit-glib2-18/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpackagekit-glib2-18:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpackagekit-glib2-18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2-18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2_18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2_18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpackagekit-glib2-18@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"packagekit\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0217\"\n }\n }\n]", + "message": "{\n \"id\": \"cb13b67d8759b594\",\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/packagekit/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/packagekit.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/packagekit.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:packagekit:packagekit:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/packagekit@1.2.5-2ubuntu2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0987", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-0987" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064315" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0987 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-0987", + "desc": "A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0987\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-0987\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-0987\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-0987\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0987\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2064315\"\n ],\n \"description\": \"A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0987\"\n }\n }\n]", + "message": "{\n \"id\": \"3e0695ea8a15e043\",\n \"name\": \"gir1.2-packagekitglib-1.0\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gir1.2-packagekitglib-1.0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gir1.2-packagekitglib-1.0.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gir1.2-packagekitglib-1.0@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"packagekit\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0987\"\n }\n }\n]", + "message": "{\n \"id\": \"4e2ed93a3f00508b\",\n \"name\": \"libpackagekit-glib2-18\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpackagekit-glib2-18/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpackagekit-glib2-18:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpackagekit-glib2-18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2-18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2_18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2_18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpackagekit-glib2-18@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"packagekit\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0987\"\n }\n }\n]", + "message": "{\n \"id\": \"cb13b67d8759b594\",\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/packagekit/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/packagekit.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/packagekit.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:packagekit:packagekit:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/packagekit@1.2.5-2ubuntu2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2016-1585", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2016-1585" + }, + { + "url": "https://bugs.launchpad.net/apparmor/+bug/1597017" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2016-1585 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2016-1585", + "desc": "In all versions of AppArmor mount rules are accidentally widened when compiled.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2016-1585\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2016-1585\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2016-1585\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2016-1585\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1585\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://bugs.launchpad.net/apparmor/+bug/1597017\",\n \"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E\"\n ],\n \"description\": \"In all versions of AppArmor mount rules are accidentally widened when compiled.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@ubuntu.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L\",\n \"metrics\": {\n \"baseScore\": 3.9,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"apparmor\",\n \"version\": \"3.0.4-2ubuntu2.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-1585\"\n }\n }\n]", + "message": "{\n \"id\": \"20b7d6a703b1cdb0\",\n \"name\": \"libapparmor1\",\n \"version\": \"3.0.4-2ubuntu2.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libapparmor1/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libapparmor1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libapparmor1:libapparmor1:3.0.4-2ubuntu2.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libapparmor1@3.0.4-2ubuntu2.3?arch=amd64&upstream=apparmor&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"apparmor\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2016-20013", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2016-20013" + }, + { + "url": "https://akkadia.org/drepper/SHA-crypt.txt" + }, + { + "url": "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/" + }, + { + "url": "https://twitter.com/solardiz/status/795601240151457793" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2016-20013 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2016-20013", + "desc": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2016-20013\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2016-20013\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2016-20013\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2016-20013\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-20013\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://akkadia.org/drepper/SHA-crypt.txt\",\n \"https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/\",\n \"https://twitter.com/solardiz/status/795601240151457793\"\n ],\n \"description\": \"sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"glibc\",\n \"version\": \"2.35-0ubuntu3.8\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-20013\"\n }\n }\n]", + "message": "{\n \"id\": \"534613922e3db6d7\",\n \"name\": \"libc-bin\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libc-bin/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc-bin.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc-bin.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.3\",\n \"GPL-2\",\n \"LGPL-2.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libc-bin:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc-bin:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_bin:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_bin:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"glibc\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"glibc\",\n \"version\": \"2.35-0ubuntu3.8\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-20013\"\n }\n }\n]", + "message": "{\n \"id\": \"57746bb623c8ca26\",\n \"name\": \"libc-dev-bin\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libc-dev-bin/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc-dev-bin.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.3\",\n \"GPL-2\",\n \"LGPL-2.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libc-dev-bin:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc-dev-bin:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_dev_bin:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_dev_bin:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc-dev:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc-dev:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_dev:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_dev:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libc-dev-bin@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"glibc\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"glibc\",\n \"version\": \"2.35-0ubuntu3.8\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-20013\"\n }\n }\n]", + "message": "{\n \"id\": \"cde0d63aef474648\",\n \"name\": \"libc6\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libc6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc6:amd64.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.3\",\n \"GPL-2\",\n \"LGPL-2.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libc6:libc6:2.35-0ubuntu3.8:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libc6@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"glibc\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"glibc\",\n \"version\": \"2.35-0ubuntu3.8\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-20013\"\n }\n }\n]", + "message": "{\n \"id\": \"ce5bb87ce346e38b\",\n \"name\": \"libc6-dev\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libc6-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc6-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.3\",\n \"GPL-2\",\n \"LGPL-2.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libc6-dev:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc6-dev:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc6_dev:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc6_dev:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc6:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc6:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libc6-dev@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"glibc\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25260", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25260" + }, + { + "url": "https://github.com/schsiung/fuzzer_issues/issues/1" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31058" + }, + { + "url": "https://sourceware.org/elfutils/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25260 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-25260", + "desc": "elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25260\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25260\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25260\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25260\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25260\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/schsiung/fuzzer_issues/issues/1\",\n \"https://sourceware.org/bugzilla/show_bug.cgi?id=31058\",\n \"https://sourceware.org/elfutils/\"\n ],\n \"description\": \"elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"elfutils\",\n \"version\": \"0.186-1build1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25260\"\n }\n }\n]", + "message": "{\n \"id\": \"84f06d819a7d441b\",\n \"name\": \"libdw1\",\n \"version\": \"0.186-1build1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libdw1/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libdw1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL-3\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libdw1:libdw1:0.186-1build1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libdw1@0.186-1build1?arch=amd64&upstream=elfutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"elfutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"elfutils\",\n \"version\": \"0.186-1build1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25260\"\n }\n }\n]", + "message": "{\n \"id\": \"db43cdc9ed146fdf\",\n \"name\": \"libelf1\",\n \"version\": \"0.186-1build1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libelf1/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libelf1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL-3\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libelf1:libelf1:0.186-1build1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libelf1@0.186-1build1?arch=amd64&upstream=elfutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"elfutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-2236", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-2236" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-2236" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245218" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268268" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-2236 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-2236", + "desc": "A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-2236\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-2236\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-2236\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-2236\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-2236\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2024-2236\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2245218\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2268268\"\n ],\n \"description\": \"A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.\",\n \"cvss\": [\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libgcrypt20\",\n \"version\": \"1.9.4-3ubuntu3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-2236\"\n }\n }\n]", + "message": "{\n \"id\": \"8bd34a8029c4772d\",\n \"name\": \"libgcrypt20\",\n \"version\": \"1.9.4-3ubuntu3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgcrypt20/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcrypt20:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcrypt20:libgcrypt20:1.9.4-3ubuntu3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37371", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.19.2-2ubuntu0.4", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37371" + }, + { + "url": "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" + }, + { + "url": "https://web.mit.edu/kerberos/www/advisories/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37371 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-37371", + "desc": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37371\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37371\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37371\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.19.2-2ubuntu0.4\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37371\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37371\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef\",\n \"https://web.mit.edu/kerberos/www/advisories/\"\n ],\n \"description\": \"In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37371\"\n }\n }\n]", + "message": "{\n \"id\": \"9ca0af3dda6de8e1\",\n \"name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgssapi-krb5-2/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37371\"\n }\n }\n]", + "message": "{\n \"id\": \"5b4458fd2a0b50fd\",\n \"name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libk5crypto3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libk5crypto3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37371\"\n }\n }\n]", + "message": "{\n \"id\": \"2b04489baa0c5a85\",\n \"name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5-3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5-3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37371\"\n }\n }\n]", + "message": "{\n \"id\": \"3ead40926c2b5d5c\",\n \"name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5support0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5support0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37370", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.19.2-2ubuntu0.4", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37370" + }, + { + "url": "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" + }, + { + "url": "https://web.mit.edu/kerberos/www/advisories/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37370 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-37370", + "desc": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37370\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37370\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37370\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.19.2-2ubuntu0.4\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37370\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37370\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef\",\n \"https://web.mit.edu/kerberos/www/advisories/\"\n ],\n \"description\": \"In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37370\"\n }\n }\n]", + "message": "{\n \"id\": \"9ca0af3dda6de8e1\",\n \"name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgssapi-krb5-2/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37370\"\n }\n }\n]", + "message": "{\n \"id\": \"5b4458fd2a0b50fd\",\n \"name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libk5crypto3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libk5crypto3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37370\"\n }\n }\n]", + "message": "{\n \"id\": \"2b04489baa0c5a85\",\n \"name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5-3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5-3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37370\"\n }\n }\n]", + "message": "{\n \"id\": \"3ead40926c2b5d5c\",\n \"name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5support0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5support0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26462", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26462" + }, + { + "url": "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0012/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26462 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-26462", + "desc": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26462\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26462\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26462\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26462\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26462\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md\",\n \"https://security.netapp.com/advisory/ntap-20240415-0012/\"\n ],\n \"description\": \"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26462\"\n }\n }\n]", + "message": "{\n \"id\": \"9ca0af3dda6de8e1\",\n \"name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgssapi-krb5-2/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26462\"\n }\n }\n]", + "message": "{\n \"id\": \"5b4458fd2a0b50fd\",\n \"name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libk5crypto3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libk5crypto3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26462\"\n }\n }\n]", + "message": "{\n \"id\": \"2b04489baa0c5a85\",\n \"name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5-3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5-3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26462\"\n }\n }\n]", + "message": "{\n \"id\": \"3ead40926c2b5d5c\",\n \"name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5support0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5support0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26461", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26461" + }, + { + "url": "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0011/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26461 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-26461", + "desc": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26461\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26461\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26461\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26461\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26461\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md\",\n \"https://security.netapp.com/advisory/ntap-20240415-0011/\"\n ],\n \"description\": \"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26461\"\n }\n }\n]", + "message": "{\n \"id\": \"9ca0af3dda6de8e1\",\n \"name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgssapi-krb5-2/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26461\"\n }\n }\n]", + "message": "{\n \"id\": \"5b4458fd2a0b50fd\",\n \"name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libk5crypto3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libk5crypto3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26461\"\n }\n }\n]", + "message": "{\n \"id\": \"2b04489baa0c5a85\",\n \"name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5-3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5-3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26461\"\n }\n }\n]", + "message": "{\n \"id\": \"3ead40926c2b5d5c\",\n \"name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5support0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5support0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26458", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26458" + }, + { + "url": "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0010/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26458 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-26458", + "desc": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26458\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26458\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26458\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26458\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26458\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md\",\n \"https://security.netapp.com/advisory/ntap-20240415-0010/\"\n ],\n \"description\": \"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26458\"\n }\n }\n]", + "message": "{\n \"id\": \"9ca0af3dda6de8e1\",\n \"name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgssapi-krb5-2/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26458\"\n }\n }\n]", + "message": "{\n \"id\": \"5b4458fd2a0b50fd\",\n \"name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libk5crypto3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libk5crypto3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26458\"\n }\n }\n]", + "message": "{\n \"id\": \"2b04489baa0c5a85\",\n \"name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5-3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5-3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26458\"\n }\n }\n]", + "message": "{\n \"id\": \"3ead40926c2b5d5c\",\n \"name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5support0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5support0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-0347", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-0347" + }, + { + "url": "https://source.android.com/security/bulletin/android-11" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-0347 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2020-0347", + "desc": "In iptables, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-136658008", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-0347\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-0347\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-0347\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-0347\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-0347\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://source.android.com/security/bulletin/android-11\"\n ],\n \"description\": \"In iptables, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-136658008\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.7,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"iptables\",\n \"version\": \"1.8.7-1ubuntu5.2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-0347\"\n }\n }\n]", + "message": "{\n \"id\": \"6e9c18c8e88097db\",\n \"name\": \"libip4tc2\",\n \"version\": \"1.8.7-1ubuntu5.2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libip4tc2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libip4tc2:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GPL-2\",\n \"GPL-2+\",\n \"custom\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libip4tc2:libip4tc2:1.8.7-1ubuntu5.2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libip4tc2@1.8.7-1ubuntu5.2?arch=amd64&upstream=iptables&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"iptables\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-50495", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-50495" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240119-0008/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-50495 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-50495", + "desc": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-50495\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-50495\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-50495\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-50495\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-50495\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/\",\n \"https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html\",\n \"https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html\",\n \"https://security.netapp.com/advisory/ntap-20240119-0008/\"\n ],\n \"description\": \"NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-50495\"\n }\n }\n]", + "message": "{\n \"id\": \"9d631babdfb8df3e\",\n \"name\": \"libncurses6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libncurses6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libncurses6:libncurses6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-50495\"\n }\n }\n]", + "message": "{\n \"id\": \"0532d09628a2ff0b\",\n \"name\": \"libncursesw6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libncursesw6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libncursesw6:libncursesw6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-50495\"\n }\n }\n]", + "message": "{\n \"id\": \"e392e94b182b72b9\",\n \"name\": \"libtinfo6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtinfo6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtinfo6:libtinfo6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-50495\"\n }\n }\n]", + "message": "{\n \"id\": \"3760343f92af5dba\",\n \"name\": \"ncurses-base\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/ncurses-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-base.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-base.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ncurses-base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses-base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-50495\"\n }\n }\n]", + "message": "{\n \"id\": \"38ed2d1a224f9399\",\n \"name\": \"ncurses-bin\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/ncurses-bin/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-bin.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ncurses-bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses-bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-45918", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-45918" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240315-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-45918 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-45918", + "desc": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-45918\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-45918\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-45918\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-45918\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-45918\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html\",\n \"https://security.netapp.com/advisory/ntap-20240315-0006/\"\n ],\n \"description\": \"ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-45918\"\n }\n }\n]", + "message": "{\n \"id\": \"9d631babdfb8df3e\",\n \"name\": \"libncurses6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libncurses6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libncurses6:libncurses6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-45918\"\n }\n }\n]", + "message": "{\n \"id\": \"0532d09628a2ff0b\",\n \"name\": \"libncursesw6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libncursesw6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libncursesw6:libncursesw6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-45918\"\n }\n }\n]", + "message": "{\n \"id\": \"e392e94b182b72b9\",\n \"name\": \"libtinfo6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtinfo6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtinfo6:libtinfo6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-45918\"\n }\n }\n]", + "message": "{\n \"id\": \"3760343f92af5dba\",\n \"name\": \"ncurses-base\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/ncurses-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-base.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-base.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ncurses-base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses-base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-45918\"\n }\n }\n]", + "message": "{\n \"id\": \"38ed2d1a224f9399\",\n \"name\": \"ncurses-bin\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/ncurses-bin/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-bin.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ncurses-bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses-bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-7008", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-7008" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2463" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3203" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-7008" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222261" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222672" + }, + { + "url": "https://github.com/systemd/systemd/issues/25676" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-7008 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-7008", + "desc": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-7008\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-7008\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-7008\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-7008\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-7008\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:2463\",\n \"https://access.redhat.com/errata/RHSA-2024:3203\",\n \"https://access.redhat.com/security/cve/CVE-2023-7008\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2222261\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2222672\",\n \"https://github.com/systemd/systemd/issues/25676\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/\"\n ],\n \"description\": \"A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-7008\"\n }\n }\n]", + "message": "{\n \"id\": \"4d802af324d0c968\",\n \"name\": \"libpam-systemd\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpam-systemd/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpam-systemd:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpam-systemd:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpam-systemd:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpam_systemd:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpam_systemd:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpam:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpam:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpam-systemd@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"systemd\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-7008\"\n }\n }\n]", + "message": "{\n \"id\": \"837dfa89fb7aecbb\",\n \"name\": \"libsystemd0\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libsystemd0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libsystemd0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libsystemd0:libsystemd0:249.11-0ubuntu3.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"systemd\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-7008\"\n }\n }\n]", + "message": "{\n \"id\": \"dfcf0201a1ab32bf\",\n \"name\": \"libudev1\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libudev1/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libudev1:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libudev1:libudev1:249.11-0ubuntu3.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"systemd\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-7008\"\n }\n }\n]", + "message": "{\n \"id\": \"08e5107537f6b389\",\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/systemd/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/systemd.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/systemd.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:systemd:systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/systemd@249.11-0ubuntu3.12?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-7008\"\n }\n }\n]", + "message": "{\n \"id\": \"6a9688725c2c3e10\",\n \"name\": \"systemd-sysv\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/systemd-sysv/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/systemd-sysv.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:systemd-sysv:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:systemd-sysv:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:systemd_sysv:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:systemd_sysv:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:systemd:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:systemd:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/systemd-sysv@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"systemd\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-41409", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-41409" + }, + { + "url": "https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35" + }, + { + "url": "https://github.com/PCRE2Project/pcre2/issues/141" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-41409 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-41409", + "desc": "Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-41409\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-41409\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-41409\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-41409\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41409\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35\",\n \"https://github.com/PCRE2Project/pcre2/issues/141\"\n ],\n \"description\": \"Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"pcre2\",\n \"version\": \"10.39-3ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-41409\"\n }\n }\n]", + "message": "{\n \"id\": \"b83e437a170b2b4b\",\n \"name\": \"libpcre2-8-0\",\n \"version\": \"10.39-3ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpcre2-8-0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpcre2-8-0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:libpcre2-8-0:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2-8-0:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2_8_0:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2_8_0:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2-8:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2-8:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2_8:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2_8:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&upstream=pcre2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"pcre2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-11164", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-11164" + }, + { + "url": "http://openwall.com/lists/oss-security/2017/07/11/3" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/04/11/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/04/12/1" + }, + { + "url": "http://www.securityfocus.com/bid/99575" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-11164 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2017-11164", + "desc": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-11164\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-11164\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-11164\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-11164\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-11164\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://openwall.com/lists/oss-security/2017/07/11/3\",\n \"http://www.openwall.com/lists/oss-security/2023/04/11/1\",\n \"http://www.openwall.com/lists/oss-security/2023/04/12/1\",\n \"http://www.securityfocus.com/bid/99575\",\n \"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E\"\n ],\n \"description\": \"In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 10,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"pcre3\",\n \"version\": \"2:8.39-13ubuntu0.22.04.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-11164\"\n }\n }\n]", + "message": "{\n \"id\": \"c17e17a6c3b778e9\",\n \"name\": \"libpcre3\",\n \"version\": \"2:8.39-13ubuntu0.22.04.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpcre3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpcre3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:libpcre3:libpcre3:2:8.39-13ubuntu0.22.04.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpcre3@2:8.39-13ubuntu0.22.04.1?arch=amd64&upstream=pcre3&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"pcre3\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2016-2568", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2016-2568" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2016/02/26/3" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2016-2568" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1300746" + }, + { + "url": "https://ubuntu.com/security/CVE-2016-2568" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2016-2568 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2016-2568", + "desc": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2016-2568\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2016-2568\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2016-2568\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2016-2568\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-2568\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2016/02/26/3\",\n \"https://access.redhat.com/security/cve/cve-2016-2568\",\n \"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=1300746\",\n \"https://ubuntu.com/security/CVE-2016-2568\"\n ],\n \"description\": \"pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 3.4,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.1,\n \"impactScore\": 6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2568\"\n }\n }\n]", + "message": "{\n \"id\": \"75f309e7896cc7d5\",\n \"name\": \"libpolkit-agent-1-0\",\n \"version\": \"0.105-33\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpolkit-agent-1-0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpolkit-agent-1-0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"LGPL-2\",\n \"LGPL-2.0+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpolkit-agent-1-0:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-agent-1-0:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent_1_0:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent_1_0:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-agent-1:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-agent-1:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent_1:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent_1:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-agent:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-agent:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpolkit-agent-1-0@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"policykit-1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2568\"\n }\n }\n]", + "message": "{\n \"id\": \"ff118ec3fae758b1\",\n \"name\": \"libpolkit-gobject-1-0\",\n \"version\": \"0.105-33\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpolkit-gobject-1-0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpolkit-gobject-1-0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"LGPL-2\",\n \"LGPL-2.0+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpolkit-gobject-1-0:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-gobject-1-0:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject_1_0:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject_1_0:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-gobject-1:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-gobject-1:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject_1:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject_1:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-gobject:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-gobject:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpolkit-gobject-1-0@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"policykit-1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2568\"\n }\n }\n]", + "message": "{\n \"id\": \"d55289a43c85d6a4\",\n \"name\": \"pkexec\",\n \"version\": \"0.105-33\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/pkexec/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/pkexec.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"LGPL-2\",\n \"LGPL-2.0+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:pkexec:pkexec:0.105-33:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/pkexec@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"policykit-1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2568\"\n }\n }\n]", + "message": "{\n \"id\": \"d757443f44e8916c\",\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/policykit-1/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/policykit-1.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"LGPL-2\",\n \"LGPL-2.0+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:policykit-1:policykit-1:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:policykit-1:policykit_1:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:policykit_1:policykit-1:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:policykit_1:policykit_1:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:policykit:policykit-1:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:policykit:policykit_1:0.105-33:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/policykit-1@0.105-33?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2568\"\n }\n }\n]", + "message": "{\n \"id\": \"6ace8efb10979881\",\n \"name\": \"polkitd\",\n \"version\": \"0.105-33\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/polkitd/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/polkitd.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/polkitd.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"LGPL-2\",\n \"LGPL-2.0+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:polkitd:polkitd:0.105-33:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/polkitd@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"policykit-1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-8088", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-8088" + }, + { + "url": "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e" + }, + { + "url": "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64" + }, + { + "url": "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea" + }, + { + "url": "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db" + }, + { + "url": "https://github.com/python/cpython/issues/122905" + }, + { + "url": "https://github.com/python/cpython/issues/123270" + }, + { + "url": "https://github.com/python/cpython/pull/122906" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-8088 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-8088", + "desc": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-8088\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-8088\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-8088\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-8088\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-8088\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e\",\n \"https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64\",\n \"https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea\",\n \"https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db\",\n \"https://github.com/python/cpython/issues/122905\",\n \"https://github.com/python/cpython/issues/123270\",\n \"https://github.com/python/cpython/pull/122906\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/\"\n ],\n \"description\": \"There is a HIGH severity vulnerability affecting the CPython \\\"zipfile\\\"\\nmodule affecting \\\"zipfile.Path\\\". Note that the more common API \\\"zipfile.ZipFile\\\" class is unaffected.\\n\\n\\n\\n\\n\\nWhen iterating over names of entries in a zip archive (for example, methods\\nof \\\"zipfile.Path\\\" like \\\"namelist()\\\", \\\"iterdir()\\\", etc)\\nthe process can be put into an infinite loop with a maliciously crafted\\nzip archive. This defect applies when reading only metadata or extracting\\nthe contents of the zip archive. Programs that are not handling\\nuser-controlled zip archives are not affected.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-7592", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-7592" + }, + { + "url": "https://github.com/python/cpython/issues/123067" + }, + { + "url": "https://github.com/python/cpython/pull/123075" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-7592 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-7592", + "desc": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-7592\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-7592\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-7592\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-7592\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-7592\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/issues/123067\",\n \"https://github.com/python/cpython/pull/123075\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/\"\n ],\n \"description\": \"There is a LOW severity vulnerability affecting CPython, specifically the\\n'http.cookies' standard library module.\\n\\n\\nWhen parsing cookies that contained backslashes for quoted characters in\\nthe cookie value, the parser would use an algorithm with quadratic\\ncomplexity, resulting in excess CPU resources being used while parsing the\\nvalue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-6923", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-6923" + }, + { + "url": "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7" + }, + { + "url": "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0" + }, + { + "url": "https://github.com/python/cpython/issues/121650" + }, + { + "url": "https://github.com/python/cpython/pull/122233" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-6923 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-6923", + "desc": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-6923\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-6923\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-6923\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-6923\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-6923\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7\",\n \"https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0\",\n \"https://github.com/python/cpython/issues/121650\",\n \"https://github.com/python/cpython/pull/122233\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/\"\n ],\n \"description\": \"There is a MEDIUM severity vulnerability affecting CPython.\\n\\nThe \\nemail module didn’t properly quote newlines for email headers when \\nserializing an email message allowing for header injection when an email\\n is serialized.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 2.1,\n \"impactScore\": 3.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0397", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.10.12-1~22.04.5", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-0397" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/17/2" + }, + { + "url": "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d" + }, + { + "url": "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524" + }, + { + "url": "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e" + }, + { + "url": "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286" + }, + { + "url": "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa" + }, + { + "url": "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab" + }, + { + "url": "https://github.com/python/cpython/issues/114572" + }, + { + "url": "https://github.com/python/cpython/pull/114573" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0397 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-0397", + "desc": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0397\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-0397\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-0397\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.10.12-1~22.04.5\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-0397\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0397\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/17/2\",\n \"https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d\",\n \"https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524\",\n \"https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e\",\n \"https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286\",\n \"https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa\",\n \"https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab\",\n \"https://github.com/python/cpython/issues/114572\",\n \"https://github.com/python/cpython/pull/114573\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/\"\n ],\n \"description\": \"A defect was discovered in the Python “ssl” module where there is a memory\\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\\n“get_ca_certs()”. The race condition can be triggered if the methods are\\ncalled at the same time as certificates are loaded into the SSLContext,\\nsuch as during the TLS handshake with a certificate directory configured.\\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-27043", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-27043" + }, + { + "url": "http://python.org" + }, + { + "url": "https://github.com/python/cpython/issues/102988" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/" + }, + { + "url": "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230601-0003/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-27043 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-27043", + "desc": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-27043\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-27043\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-27043\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-27043\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-27043\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://python.org\",\n \"https://github.com/python/cpython/issues/102988\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/\",\n \"https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html\",\n \"https://security.netapp.com/advisory/ntap-20230601-0003/\"\n ],\n \"description\": \"The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-4032", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.10.12-1~22.04.5", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-4032" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/17/3" + }, + { + "url": "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8" + }, + { + "url": "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f" + }, + { + "url": "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3" + }, + { + "url": "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb" + }, + { + "url": "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906" + }, + { + "url": "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3" + }, + { + "url": "https://github.com/python/cpython/issues/113171" + }, + { + "url": "https://github.com/python/cpython/pull/113179" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240726-0004/" + }, + { + "url": "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + }, + { + "url": "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-4032 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-4032", + "desc": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-4032\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-4032\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-4032\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.10.12-1~22.04.5\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-4032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-4032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/17/3\",\n \"https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8\",\n \"https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f\",\n \"https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3\",\n \"https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb\",\n \"https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906\",\n \"https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3\",\n \"https://github.com/python/cpython/issues/113171\",\n \"https://github.com/python/cpython/pull/113179\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/\",\n \"https://security.netapp.com/advisory/ntap-20240726-0004/\",\n \"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\n \"https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml\"\n ],\n \"description\": \"The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\\n\\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-42919", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-42919" + }, + { + "url": "https://github.com/python/cpython/compare/v3.10.8...v3.10.9" + }, + { + "url": "https://github.com/python/cpython/compare/v3.9.15...v3.9.16" + }, + { + "url": "https://github.com/python/cpython/issues/97514" + }, + { + "url": "https://github.com/python/cpython/issues/97514#issuecomment-1310277840" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/" + }, + { + "url": "https://security.gentoo.org/glsa/202305-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20221209-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-42919 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-42919", + "desc": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-42919\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-42919\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-42919\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-42919\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-42919\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/compare/v3.10.8...v3.10.9\",\n \"https://github.com/python/cpython/compare/v3.9.15...v3.9.16\",\n \"https://github.com/python/cpython/issues/97514\",\n \"https://github.com/python/cpython/issues/97514#issuecomment-1310277840\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/\",\n \"https://security.gentoo.org/glsa/202305-02\",\n \"https://security.netapp.com/advisory/ntap-20221209-0006/\"\n ],\n \"description\": \"Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0450", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-0450" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/20/5" + }, + { + "url": "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85" + }, + { + "url": "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba" + }, + { + "url": "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675" + }, + { + "url": "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51" + }, + { + "url": "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549" + }, + { + "url": "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183" + }, + { + "url": "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b" + }, + { + "url": "https://github.com/python/cpython/issues/109858" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/" + }, + { + "url": "https://www.bamsoftware.com/hacks/zipbomb/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0450 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-0450", + "desc": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0450\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-0450\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-0450\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-0450\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0450\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/03/20/5\",\n \"https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85\",\n \"https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba\",\n \"https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675\",\n \"https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51\",\n \"https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549\",\n \"https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183\",\n \"https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b\",\n \"https://github.com/python/cpython/issues/109858\",\n \"https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/\",\n \"https://www.bamsoftware.com/hacks/zipbomb/\"\n ],\n \"description\": \"An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\\n\\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"cna@python.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6597", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6597" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/20/5" + }, + { + "url": "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a" + }, + { + "url": "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25" + }, + { + "url": "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5" + }, + { + "url": "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d" + }, + { + "url": "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82" + }, + { + "url": "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b" + }, + { + "url": "https://github.com/python/cpython/issues/91133" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6597 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-6597", + "desc": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6597\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6597\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6597\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6597\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6597\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/03/20/5\",\n \"https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a\",\n \"https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25\",\n \"https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5\",\n \"https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d\",\n \"https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82\",\n \"https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b\",\n \"https://github.com/python/cpython/issues/91133\",\n \"https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/\"\n ],\n \"description\": \"An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\\n\\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\\n\",\n \"cvss\": [\n {\n \"source\": \"cna@python.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.4,\n \"impactScore\": 5.8\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-41105", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-41105" + }, + { + "url": "https://github.com/python/cpython/issues/106242" + }, + { + "url": "https://github.com/python/cpython/pull/107981" + }, + { + "url": "https://github.com/python/cpython/pull/107982" + }, + { + "url": "https://github.com/python/cpython/pull/107983" + }, + { + "url": "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231006-0015/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-41105 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-41105", + "desc": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-41105\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-41105\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-41105\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-41105\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-41105\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/issues/106242\",\n \"https://github.com/python/cpython/pull/107981\",\n \"https://github.com/python/cpython/pull/107982\",\n \"https://github.com/python/cpython/pull/107983\",\n \"https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/\",\n \"https://security.netapp.com/advisory/ntap-20231006-0015/\"\n ],\n \"description\": \"An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-40217", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-40217" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html" + }, + { + "url": "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231006-0014/" + }, + { + "url": "https://www.python.org/dev/security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-40217 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-40217", + "desc": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-40217\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-40217\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-40217\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-40217\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-40217\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html\",\n \"https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html\",\n \"https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/\",\n \"https://security.netapp.com/advisory/ntap-20231006-0014/\",\n \"https://www.python.org/dev/security/\"\n ],\n \"description\": \"An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \\\"not connected\\\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-24329", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-24329" + }, + { + "url": "https://github.com/python/cpython/issues/102153" + }, + { + "url": "https://github.com/python/cpython/pull/99421" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/" + }, + { + "url": "https://pointernull.com/security/python-url-parse-problem.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230324-0004/" + }, + { + "url": "https://www.kb.cert.org/vuls/id/127587" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-24329 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-24329", + "desc": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-24329\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-24329\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-24329\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-24329\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-24329\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/issues/102153\",\n \"https://github.com/python/cpython/pull/99421\",\n \"https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/\",\n \"https://pointernull.com/security/python-url-parse-problem.html\",\n \"https://security.netapp.com/advisory/ntap-20230324-0004/\",\n \"https://www.kb.cert.org/vuls/id/127587\"\n ],\n \"description\": \"An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-45061", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-45061" + }, + { + "url": "https://github.com/python/cpython/issues/98433" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/" + }, + { + "url": "https://security.gentoo.org/glsa/202305-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20221209-0007/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-45061 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-45061", + "desc": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-45061\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-45061\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-45061\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-45061\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45061\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/issues/98433\",\n \"https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/\",\n \"https://security.gentoo.org/glsa/202305-02\",\n \"https://security.netapp.com/advisory/ntap-20221209-0007/\"\n ],\n \"description\": \"An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41996", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41996" + }, + { + "url": "https://dheatattack.gitlab.io/details/" + }, + { + "url": "https://dheatattack.gitlab.io/faq/" + }, + { + "url": "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41996 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-41996", + "desc": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41996\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41996\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41996\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41996\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41996\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://dheatattack.gitlab.io/details/\",\n \"https://dheatattack.gitlab.io/faq/\",\n \"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1\"\n ],\n \"description\": \"Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41996\"\n }\n }\n]", + "message": "{\n \"id\": \"44b973ec93703d21\",\n \"name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libssl3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41996\"\n }\n }\n]", + "message": "{\n \"id\": \"fed47764300c311f\",\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-5535", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.0.2-0ubuntu1.17", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-5535" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/27/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4" + }, + { + "url": "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37" + }, + { + "url": "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e" + }, + { + "url": "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c" + }, + { + "url": "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240712-0005/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240627.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-5535 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-5535", + "desc": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-5535\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-5535\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-5535\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.0.2-0ubuntu1.17\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-5535\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-5535\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/27/1\",\n \"http://www.openwall.com/lists/oss-security/2024/06/28/4\",\n \"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37\",\n \"https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e\",\n \"https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c\",\n \"https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87\",\n \"https://security.netapp.com/advisory/ntap-20240712-0005/\",\n \"https://www.openssl.org/news/secadv/20240627.txt\"\n ],\n \"description\": \"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\\nempty supported client protocols buffer may cause a crash or memory contents to\\nbe sent to the peer.\\n\\nImpact summary: A buffer overread can have a range of potential consequences\\nsuch as unexpected application beahviour or a crash. In particular this issue\\ncould result in up to 255 bytes of arbitrary private data from memory being sent\\nto the peer leading to a loss of confidentiality. However, only applications\\nthat directly call the SSL_select_next_proto function with a 0 length list of\\nsupported client protocols are affected by this issue. This would normally never\\nbe a valid scenario and is typically not under attacker control but may occur by\\naccident in the case of a configuration or programming error in the calling\\napplication.\\n\\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\\n(Next Protocol Negotiation). NPN is older, was never standardised and\\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\\nprotocols from the server and a list of protocols from the client and returns\\nthe first protocol that appears in the server list that also appears in the\\nclient list. In the case of no overlap between the two lists it returns the\\nfirst item in the client list. In either case it will signal whether an overlap\\nbetween the two lists was found. In the case where SSL_select_next_proto is\\ncalled with a zero length client list it fails to notice this condition and\\nreturns the memory immediately following the client list pointer (and reports\\nthat there was no overlap in the lists).\\n\\nThis function is typically called from a server side application callback for\\nALPN or a client side application callback for NPN. In the case of ALPN the list\\nof protocols supplied by the client is guaranteed by libssl to never be zero in\\nlength. The list of server protocols comes from the application and should never\\nnormally be expected to be of zero length. In this case if the\\nSSL_select_next_proto function has been called as expected (with the list\\nsupplied by the client passed in the client/client_len parameters), then the\\napplication will not be vulnerable to this issue. If the application has\\naccidentally been configured with a zero length server list, and has\\naccidentally passed that zero length server list in the client/client_len\\nparameters, and has additionally failed to correctly handle a \\\"no overlap\\\"\\nresponse (which would normally result in a handshake failure in ALPN) then it\\nwill be vulnerable to this problem.\\n\\nIn the case of NPN, the protocol permits the client to opportunistically select\\na protocol when there is no overlap. OpenSSL returns the first client protocol\\nin the no overlap case in support of this. The list of client protocols comes\\nfrom the application and should never normally be expected to be of zero length.\\nHowever if the SSL_select_next_proto function is accidentally called with a\\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\\napplication uses this output as the opportunistic protocol then the loss of\\nconfidentiality will occur.\\n\\nThis issue has been assessed as Low severity because applications are most\\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\\nwidely used. It also requires an application configuration or programming error.\\nFinally, this issue would not typically be under attacker control making active\\nexploitation unlikely.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\\n\\nDue to the low severity of this issue we are not issuing new releases of\\nOpenSSL at this time. The fix will be included in the next releases when they\\nbecome available.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-5535\"\n }\n }\n]", + "message": "{\n \"id\": \"44b973ec93703d21\",\n \"name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libssl3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-5535\"\n }\n }\n]", + "message": "{\n \"id\": \"fed47764300c311f\",\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-4741", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.0.2-0ubuntu1.17", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-4741" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-4741 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-4741", + "desc": "no description found", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-4741\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-4741\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-4741\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.0.2-0ubuntu1.17\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4741\"\n }\n }\n]", + "message": "{\n \"id\": \"44b973ec93703d21\",\n \"name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libssl3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4741\"\n }\n }\n]", + "message": "{\n \"id\": \"fed47764300c311f\",\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-4603", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.0.2-0ubuntu1.17", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-4603" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/16/2" + }, + { + "url": "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397" + }, + { + "url": "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e" + }, + { + "url": "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d" + }, + { + "url": "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0001/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240516.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-4603 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-4603", + "desc": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-4603\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-4603\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-4603\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.0.2-0ubuntu1.17\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-4603\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-4603\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/16/2\",\n \"https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397\",\n \"https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e\",\n \"https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d\",\n \"https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740\",\n \"https://security.netapp.com/advisory/ntap-20240621-0001/\",\n \"https://www.openssl.org/news/secadv/20240516.txt\"\n ],\n \"description\": \"Issue summary: Checking excessively long DSA keys or parameters may be very\\nslow.\\n\\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\\nexperience long delays. Where the key or parameters that are being checked\\nhave been obtained from an untrusted source this may lead to a Denial of\\nService.\\n\\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\\nvarious checks on DSA parameters. Some of those computations take a long time\\nif the modulus (`p` parameter) is too large.\\n\\nTrying to use a very large modulus is slow and OpenSSL will not allow using\\npublic keys with a modulus which is over 10,000 bits in length for signature\\nverification. However the key and parameter check functions do not limit\\nthe modulus size when performing the checks.\\n\\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\\nand supplies a key or parameters obtained from an untrusted source could be\\nvulnerable to a Denial of Service attack.\\n\\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\\nonly applications that directly call these functions may be vulnerable.\\n\\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\\nwhen using the `-check` option.\\n\\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\\n\\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4603\"\n }\n }\n]", + "message": "{\n \"id\": \"44b973ec93703d21\",\n \"name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libssl3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4603\"\n }\n }\n]", + "message": "{\n \"id\": \"fed47764300c311f\",\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-2511", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.0.2-0ubuntu1.17", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-2511" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/04/08/5" + }, + { + "url": "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce" + }, + { + "url": "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d" + }, + { + "url": "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240503-0013/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240408.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-2511 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-2511", + "desc": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-2511\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-2511\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-2511\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.0.2-0ubuntu1.17\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-2511\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-2511\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/04/08/5\",\n \"https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce\",\n \"https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d\",\n \"https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08\",\n \"https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640\",\n \"https://security.netapp.com/advisory/ntap-20240503-0013/\",\n \"https://www.openssl.org/news/secadv/20240408.txt\"\n ],\n \"description\": \"Issue summary: Some non-default TLS server configurations can cause unbounded\\nmemory growth when processing TLSv1.3 sessions\\n\\nImpact summary: An attacker may exploit certain server configurations to trigger\\nunbounded memory growth that would lead to a Denial of Service\\n\\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\\nbeing used (but not if early_data support is also configured and the default\\nanti-replay protection is in use). In this case, under certain conditions, the\\nsession cache can get into an incorrect state and it will fail to flush properly\\nas it fills. The session cache will continue to grow in an unbounded manner. A\\nmalicious client could deliberately create the scenario for this failure to\\nforce a Denial of Service. It may also happen by accident in normal operation.\\n\\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\\nclients.\\n\\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\\n1.0.2 is also not affected by this issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-2511\"\n }\n }\n]", + "message": "{\n \"id\": \"44b973ec93703d21\",\n \"name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libssl3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-2511\"\n }\n }\n]", + "message": "{\n \"id\": \"fed47764300c311f\",\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-46848", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-46848" + }, + { + "url": "https://bugs.gentoo.org/866237" + }, + { + "url": "https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5" + }, + { + "url": "https://gitlab.com/gnutls/libtasn1/-/issues/32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00003.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV4SHDJF2XLB4CUPTBPQQ6CLGZ5LKXPZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECM2ELTVRYV4BZ5L5GMIRQE27RFHPAQ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGO7XST4EIJGX4B2ITZCYSWM24534BSU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V5LWOGF7QRMNFRUCZY6TDYQJVFI6MOQ2/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20221118-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-46848 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-46848", + "desc": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-46848\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-46848\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-46848\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-46848\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-46848\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://bugs.gentoo.org/866237\",\n \"https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5\",\n \"https://gitlab.com/gnutls/libtasn1/-/issues/32\",\n \"https://lists.debian.org/debian-lts-announce/2023/01/msg00003.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV4SHDJF2XLB4CUPTBPQQ6CLGZ5LKXPZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECM2ELTVRYV4BZ5L5GMIRQE27RFHPAQ6/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGO7XST4EIJGX4B2ITZCYSWM24534BSU/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V5LWOGF7QRMNFRUCZY6TDYQJVFI6MOQ2/\",\n \"https://security.netapp.com/advisory/ntap-20221118-0006/\"\n ],\n \"description\": \"GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libtasn1-6\",\n \"version\": \"4.18.0-4build1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46848\"\n }\n }\n]", + "message": "{\n \"id\": \"48034bac058cf4d8\",\n \"name\": \"libtasn1-6\",\n \"version\": \"4.18.0-4build1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtasn1-6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtasn1-6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.3\",\n \"GPL-3\",\n \"LGPL\",\n \"LGPL-2.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtasn1-6:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libtasn1-6:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libtasn1_6:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libtasn1_6:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libtasn1:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libtasn1:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-34459", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-34459" + }, + { + "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720" + }, + { + "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8" + }, + { + "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-34459 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-34459", + "desc": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-34459\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-34459\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-34459\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-34459\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-34459\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://gitlab.gnome.org/GNOME/libxml2/-/issues/720\",\n \"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8\",\n \"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/\"\n ],\n \"description\": \"An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libxml2\",\n \"version\": \"2.9.13+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-34459\"\n }\n }\n]", + "message": "{\n \"id\": \"2c561f4e739dd13a\",\n \"name\": \"libxml2\",\n \"version\": \"2.9.13+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libxml2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libxml2:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"ISC\",\n \"MIT-1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libxml2:libxml2:2.9.13+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libxml2@2.9.13%2Bdfsg-1ubuntu0.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35328", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35328" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35328 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-35328", + "desc": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35328\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35328\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35328\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35328\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35328\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libyaml\",\n \"version\": \"0.2.2-1build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35328\"\n }\n }\n]", + "message": "{\n \"id\": \"df8d710de57d7548\",\n \"name\": \"libyaml-0-2\",\n \"version\": \"0.2.2-1build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libyaml-0-2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Expat\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"libyaml\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35326", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35326" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35326 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-35326", + "desc": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35326\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35326\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35326\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35326\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35326\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libyaml\",\n \"version\": \"0.2.2-1build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35326\"\n }\n }\n]", + "message": "{\n \"id\": \"df8d710de57d7548\",\n \"name\": \"libyaml-0-2\",\n \"version\": \"0.2.2-1build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libyaml-0-2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Expat\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"libyaml\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35325", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35325" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35325 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-35325", + "desc": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35325\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35325\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35325\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35325\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35325\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libyaml\",\n \"version\": \"0.2.2-1build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35325\"\n }\n }\n]", + "message": "{\n \"id\": \"df8d710de57d7548\",\n \"name\": \"libyaml-0-2\",\n \"version\": \"0.2.2-1build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libyaml-0-2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Expat\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"libyaml\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-4899", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-4899" + }, + { + "url": "https://github.com/facebook/zstd/issues/3200" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230725-0005/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-4899 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-4899", + "desc": "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-4899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-4899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-4899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-4899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-4899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/facebook/zstd/issues/3200\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/\",\n \"https://security.netapp.com/advisory/ntap-20230725-0005/\"\n ],\n \"description\": \"A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libzstd\",\n \"version\": \"1.4.8+dfsg-3build1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-4899\"\n }\n }\n]", + "message": "{\n \"id\": \"db01fe463729db55\",\n \"name\": \"libzstd1\",\n \"version\": \"1.4.8+dfsg-3build1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libzstd1/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libzstd1:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"Expat\",\n \"GPL-2\",\n \"zlib\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libzstd1:libzstd1:1.4.8+dfsg-3build1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&upstream=libzstd&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"libzstd\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-29383", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-29383" + }, + { + "url": "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d" + }, + { + "url": "https://github.com/shadow-maint/shadow/pull/687" + }, + { + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/" + }, + { + "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-29383 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-29383", + "desc": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-29383\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-29383\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-29383\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-29383\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-29383\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d\",\n \"https://github.com/shadow-maint/shadow/pull/687\",\n \"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/\",\n \"https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797\"\n ],\n \"description\": \"In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\\\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\\\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \\\"cat /etc/passwd\\\" shows a rogue user account.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"shadow\",\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-29383\"\n }\n }\n]", + "message": "{\n \"id\": \"c25e61c8104d045b\",\n \"name\": \"login\",\n \"version\": \"1:4.8.1-2ubuntu2.2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/login/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/login.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/login.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:login:login:1:4.8.1-2ubuntu2.2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/login@1:4.8.1-2ubuntu2.2?arch=amd64&upstream=shadow&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"shadow\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"shadow\",\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-29383\"\n }\n }\n]", + "message": "{\n \"id\": \"fdb7dd2a267a46c4\",\n \"name\": \"passwd\",\n \"version\": \"1:4.8.1-2ubuntu2.2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/passwd/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/passwd.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/passwd.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:passwd:passwd:1:4.8.1-2ubuntu2.2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/passwd@1:4.8.1-2ubuntu2.2?arch=amd64&upstream=shadow&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"shadow\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-45261", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-45261" + }, + { + "url": "https://savannah.gnu.org/bugs/?61685" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-45261 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-45261", + "desc": "An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-45261\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-45261\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-45261\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-45261\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-45261\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://savannah.gnu.org/bugs/?61685\"\n ],\n \"description\": \"An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-45261\"\n }\n }\n]", + "message": "{\n \"id\": \"ee1d527e22791580\",\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/patch/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/patch.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-20633", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-20633" + }, + { + "url": "https://savannah.gnu.org/bugs/index.php?56683" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-20633 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2019-20633", + "desc": "GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-20633\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-20633\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-20633\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-20633\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-20633\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://savannah.gnu.org/bugs/index.php?56683\"\n ],\n \"description\": \"GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-20633\"\n }\n }\n]", + "message": "{\n \"id\": \"ee1d527e22791580\",\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/patch/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/patch.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-6952", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-6952" + }, + { + "url": "http://www.securityfocus.com/bid/103047" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2033" + }, + { + "url": "https://savannah.gnu.org/bugs/index.php?53133" + }, + { + "url": "https://security.gentoo.org/glsa/201904-17" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-6952 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2018-6952", + "desc": "A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-6952\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-6952\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-6952\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-6952\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-6952\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/103047\",\n \"https://access.redhat.com/errata/RHSA-2019:2033\",\n \"https://savannah.gnu.org/bugs/index.php?53133\",\n \"https://security.gentoo.org/glsa/201904-17\"\n ],\n \"description\": \"A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-6952\"\n }\n }\n]", + "message": "{\n \"id\": \"ee1d527e22791580\",\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/patch/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/patch.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-21240", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-21240" + }, + { + "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc" + }, + { + "url": "https://github.com/httplib2/httplib2/pull/182" + }, + { + "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m" + }, + { + "url": "https://pypi.org/project/httplib2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-21240 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-21240", + "desc": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-21240\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-21240\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-21240\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-21240\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-21240\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc\",\n \"https://github.com/httplib2/httplib2/pull/182\",\n \"https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m\",\n \"https://pypi.org/project/httplib2\"\n ],\n \"description\": \"httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \\\"\\\\xa0\\\" characters in the \\\"www-authenticate\\\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-httplib2\",\n \"version\": \"0.20.2-2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-21240\"\n }\n }\n]", + "message": "{\n \"id\": \"9a3b917c64001b05\",\n \"name\": \"python3-httplib2\",\n \"version\": \"0.20.2-2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-httplib2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-httplib2.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-1.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-httplib2:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-httplib2:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_httplib2:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_httplib2:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-httplib2@0.20.2-2?arch=all&upstream=python-httplib2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-httplib2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-6345", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-6345" + }, + { + "url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0" + }, + { + "url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-6345 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-6345", + "desc": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-6345\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-6345\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-6345\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-6345\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-6345\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0\",\n \"https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5\"\n ],\n \"description\": \"A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.\",\n \"cvss\": [\n {\n \"source\": \"security@huntr.dev\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6345\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"setuptools\",\n \"version\": \"59.6.0-1.2ubuntu0.22.04.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6345\"\n }\n }\n]", + "message": "{\n \"id\": \"96186ba8ec8bad45\",\n \"name\": \"python3-pkg-resources\",\n \"version\": \"59.6.0-1.2ubuntu0.22.04.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pkg-resources/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pkg-resources.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-3-clause\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pkg-resources:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pkg-resources:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pkg_resources:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pkg_resources:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pkg:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pkg:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pkg:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pkg:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pkg-resources@59.6.0-1.2ubuntu0.22.04.1?arch=all&upstream=setuptools&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"setuptools\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"setuptools\",\n \"version\": \"59.6.0-1.2ubuntu0.22.04.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6345\"\n }\n }\n]", + "message": "{\n \"id\": \"2806aa205839c7c6\",\n \"name\": \"python3-setuptools-whl\",\n \"version\": \"59.6.0-1.2ubuntu0.22.04.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-setuptools-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-setuptools-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-3-clause\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-setuptools-whl:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-setuptools-whl:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_setuptools_whl:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_setuptools_whl:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-setuptools:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-setuptools:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_setuptools:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_setuptools:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-setuptools-whl@59.6.0-1.2ubuntu0.22.04.1?arch=all&upstream=setuptools&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"setuptools\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-3651", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-3651" + }, + { + "url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d" + }, + { + "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-3651 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-3651", + "desc": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-3651\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-3651\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-3651\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-3651\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-3651\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d\",\n \"https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb\"\n ],\n \"description\": \"A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.\",\n \"cvss\": [\n {\n \"source\": \"security@huntr.dev\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-3651\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35195", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35195" + }, + { + "url": "https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac" + }, + { + "url": "https://github.com/psf/requests/pull/6655" + }, + { + "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35195 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-35195", + "desc": "Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35195\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35195\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35195\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35195\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35195\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac\",\n \"https://github.com/psf/requests/pull/6655\",\n \"https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ/\"\n ],\n \"description\": \"Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.\",\n \"cvss\": [\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.6,\n \"exploitabilityScore\": 0.3,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35195\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-5752", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-5752" + }, + { + "url": "https://github.com/pypa/pip/pull/12306" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-5752 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-5752", + "desc": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-5752\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-5752\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-5752\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-5752\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-5752\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://github.com/pypa/pip/pull/12306\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/\"\n ],\n \"description\": \"When installing a package from a Mercurial VCS URL (ie \\\"pip install \\nhg+...\\\") with pip prior to v23.3, the specified Mercurial revision could\\n be used to inject arbitrary configuration options to the \\\"hg clone\\\" \\ncall (ie \\\"--config\\\"). Controlling the Mercurial configuration can modify\\n how and which repository is installed. This vulnerability does not \\naffect users who aren't installing from Mercurial.\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"cna@python.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-5752\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-32681", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-32681" + }, + { + "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" + }, + { + "url": "https://github.com/psf/requests/releases/tag/v2.31.0" + }, + { + "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/" + }, + { + "url": "https://security.gentoo.org/glsa/202309-08" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-32681 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-32681", + "desc": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-32681\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-32681\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-32681\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-32681\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-32681\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5\",\n \"https://github.com/psf/requests/releases/tag/v2.31.0\",\n \"https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/\",\n \"https://security.gentoo.org/glsa/202309-08\"\n ],\n \"description\": \"Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 6.1,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 6.1,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-32681\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37891", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37891" + }, + { + "url": "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e" + }, + { + "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37891 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-37891", + "desc": " urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37891\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37891\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37891\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37891\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37891\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e\",\n \"https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf\"\n ],\n \"description\": \" urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.\",\n \"cvss\": [\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.7,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37891\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-5569", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.0.0-3ubuntu0.1", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-5569" + }, + { + "url": "https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd" + }, + { + "url": "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-5569 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-5569", + "desc": "A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-5569\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-5569\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-5569\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.0.0-3ubuntu0.1\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-5569\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-5569\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd\",\n \"https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae\"\n ],\n \"description\": \"A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.\",\n \"cvss\": [\n {\n \"source\": \"security@huntr.dev\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-zipp\",\n \"version\": \"1.0.0-3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.0.0-3ubuntu0.1 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-5569\"\n }\n }\n]", + "message": "{\n \"id\": \"e3bc49624ab198ff\",\n \"name\": \"python3-zipp\",\n \"version\": \"1.0.0-3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-zipp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-zipp.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Expat\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-zipp:python3-zipp:1.0.0-3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-zipp:python3_zipp:1.0.0-3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_zipp:python3-zipp:1.0.0-3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_zipp:python3_zipp:1.0.0-3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-zipp:1.0.0-3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_zipp:1.0.0-3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-zipp@1.0.0-3?arch=all&upstream=python-zipp&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-zipp\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-31879", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-31879" + }, + { + "url": "https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210618-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-31879 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-31879", + "desc": "GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-31879\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-31879\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-31879\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-31879\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-31879\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html\",\n \"https://security.netapp.com/advisory/ntap-20210618-0002/\"\n ],\n \"description\": \"GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 5.8,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 6.1,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 2.7\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"wget\",\n \"version\": \"1.21.2-2ubuntu1.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-31879\"\n }\n }\n]", + "message": "{\n \"id\": \"313cc77842f860d3\",\n \"name\": \"wget\",\n \"version\": \"1.21.2-2ubuntu1.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/wget/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/wget.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/wget.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.2\",\n \"GPL-3\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:wget:wget:1.21.2-2ubuntu1.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/wget@1.21.2-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2012-4542", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2012-4542" + }, + { + "url": "http://marc.info/?l=linux-kernel&m=135903967015813&w=2" + }, + { + "url": "http://marc.info/?l=linux-kernel&m=135904012416042&w=2" + }, + { + "url": "http://rhn.redhat.com/errata/RHSA-2013-0496.html" + }, + { + "url": "http://rhn.redhat.com/errata/RHSA-2013-0579.html" + }, + { + "url": "http://rhn.redhat.com/errata/RHSA-2013-0882.html" + }, + { + "url": "http://rhn.redhat.com/errata/RHSA-2013-0928.html" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=875360" + }, + { + "url": "https://oss.oracle.com/git/?p=redpatch.git%3Ba=commit%3Bh=76a274e17114abf1a77de6b651424648ce9e10c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2012-4542 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2012-4542", + "desc": "block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2012-4542\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2012-4542\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2012-4542\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2012-4542\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2012-4542\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://marc.info/?l=linux-kernel&m=135903967015813&w=2\",\n \"http://marc.info/?l=linux-kernel&m=135904012416042&w=2\",\n \"http://rhn.redhat.com/errata/RHSA-2013-0496.html\",\n \"http://rhn.redhat.com/errata/RHSA-2013-0579.html\",\n \"http://rhn.redhat.com/errata/RHSA-2013-0882.html\",\n \"http://rhn.redhat.com/errata/RHSA-2013-0928.html\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=875360\",\n \"https://oss.oracle.com/git/?p=redpatch.git%3Ba=commit%3Bh=76a274e17114abf1a77de6b651424648ce9e10c8\"\n ],\n \"description\": \"block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2012-4542\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2013-7445", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2013-7445" + }, + { + "url": "https://bugzilla.kernel.org/show_bug.cgi?id=60533" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2013-7445 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2013-7445", + "desc": "The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2013-7445\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2013-7445\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2013-7445\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2013-7445\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2013-7445\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.kernel.org/show_bug.cgi?id=60533\"\n ],\n \"description\": \"The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 10,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2013-7445\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2015-8553", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2015-8553" + }, + { + "url": "http://xenbits.xen.org/xsa/advisory-120.html" + }, + { + "url": "https://seclists.org/bugtraq/2019/Aug/18" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4497" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2015-8553 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2015-8553", + "desc": "Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2015-8553\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2015-8553\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2015-8553\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2015-8553\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-8553\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://xenbits.xen.org/xsa/advisory-120.html\",\n \"https://seclists.org/bugtraq/2019/Aug/18\",\n \"https://www.debian.org/security/2019/dsa-4497\"\n ],\n \"description\": \"Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2015-8553\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2016-8660", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2016-8660" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2016/10/13/8" + }, + { + "url": "http://www.securityfocus.com/bid/93558" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1384851" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2016-8660 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2016-8660", + "desc": "The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a \"page lock order bug in the XFS seek hole/data implementation.\"", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2016-8660\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2016-8660\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2016-8660\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2016-8660\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-8660\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2016/10/13/8\",\n \"http://www.securityfocus.com/bid/93558\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=1384851\"\n ],\n \"description\": \"The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a \\\"page lock order bug in the XFS seek hole/data implementation.\\\"\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-8660\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-0537", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-0537" + }, + { + "url": "http://www.securityfocus.com/bid/96831" + }, + { + "url": "http://www.securitytracker.com/id/1037968" + }, + { + "url": "https://source.android.com/security/bulletin/2017-03-01" + }, + { + "url": "https://source.android.com/security/bulletin/2017-03-01.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-0537 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2017-0537", + "desc": "An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-31614969.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-0537\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-0537\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-0537\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-0537\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-0537\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/96831\",\n \"http://www.securitytracker.com/id/1037968\",\n \"https://source.android.com/security/bulletin/2017-03-01\",\n \"https://source.android.com/security/bulletin/2017-03-01.html\"\n ],\n \"description\": \"An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-31614969.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:H/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.6,\n \"exploitabilityScore\": 4.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-0537\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-13165", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-13165" + }, + { + "url": "https://source.android.com/security/bulletin/pixel/2017-12-01" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-13165 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2017-13165", + "desc": "An elevation of privilege vulnerability in the kernel file system. Product: Android. Versions: Android kernel. Android ID A-31269937.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-13165\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-13165\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-13165\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-13165\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-13165\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://source.android.com/security/bulletin/pixel/2017-12-01\"\n ],\n \"description\": \"An elevation of privilege vulnerability in the kernel file system. Product: Android. Versions: Android kernel. Android ID A-31269937.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13165\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-13693", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-13693" + }, + { + "url": "http://www.securityfocus.com/bid/100502" + }, + { + "url": "https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732" + }, + { + "url": "https://patchwork.kernel.org/patch/9919053/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-13693 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2017-13693", + "desc": "The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-13693\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-13693\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-13693\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-13693\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-13693\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/100502\",\n \"https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732\",\n \"https://patchwork.kernel.org/patch/9919053/\"\n ],\n \"description\": \"The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:C/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13693\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-13694", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-13694" + }, + { + "url": "http://www.securityfocus.com/bid/100500" + }, + { + "url": "https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0" + }, + { + "url": "https://patchwork.kernel.org/patch/9806085/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-13694 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2017-13694", + "desc": "The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-13694\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-13694\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-13694\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-13694\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-13694\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/100500\",\n \"https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0\",\n \"https://patchwork.kernel.org/patch/9806085/\"\n ],\n \"description\": \"The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13694\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-1121", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-1121" + }, + { + "url": "http://seclists.org/oss-sec/2018/q2/122" + }, + { + "url": "http://www.securityfocus.com/bid/104214" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121" + }, + { + "url": "https://www.exploit-db.com/exploits/44806/" + }, + { + "url": "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-1121 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-1121", + "desc": "procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-1121\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-1121\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-1121\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-1121\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1121\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://seclists.org/oss-sec/2018/q2/122\",\n \"http://www.securityfocus.com/bid/104214\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121\",\n \"https://www.exploit-db.com/exploits/44806/\",\n \"https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt\"\n ],\n \"description\": \"procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L\",\n \"metrics\": {\n \"baseScore\": 3.9,\n \"exploitabilityScore\": 1.3,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-1121\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-12928", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-12928" + }, + { + "url": "http://www.securityfocus.com/bid/104593" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763384" + }, + { + "url": "https://marc.info/?l=linux-fsdevel&m=152407263325766&w=2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-12928 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-12928", + "desc": "In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-12928\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-12928\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-12928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-12928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/104593\",\n \"https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763384\",\n \"https://marc.info/?l=linux-fsdevel&m=152407263325766&w=2\"\n ],\n \"description\": \"In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-12928\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-12929", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-12929" + }, + { + "url": "http://www.securityfocus.com/bid/104588" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0641" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403" + }, + { + "url": "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-12929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-12929", + "desc": "ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-12929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-12929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-12929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-12929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/104588\",\n \"https://access.redhat.com/errata/RHSA-2019:0641\",\n \"https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403\",\n \"https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2\"\n ],\n \"description\": \"ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-12929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-12930", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-12930" + }, + { + "url": "http://www.securityfocus.com/bid/104588" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0641" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403" + }, + { + "url": "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-12930 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-12930", + "desc": "ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-12930\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-12930\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-12930\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-12930\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12930\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/104588\",\n \"https://access.redhat.com/errata/RHSA-2019:0641\",\n \"https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403\",\n \"https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2\"\n ],\n \"description\": \"ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-12930\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-12931", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-12931" + }, + { + "url": "http://www.securityfocus.com/bid/104588" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0641" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403" + }, + { + "url": "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-12931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-12931", + "desc": "ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-12931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-12931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-12931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-12931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/104588\",\n \"https://access.redhat.com/errata/RHSA-2019:0641\",\n \"https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403\",\n \"https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2\"\n ],\n \"description\": \"ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-12931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-17977", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-17977" + }, + { + "url": "http://www.securityfocus.com/bid/105539" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2018/10/05/5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-17977 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-17977", + "desc": "The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-17977\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-17977\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-17977\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-17977\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-17977\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/105539\",\n \"https://www.openwall.com/lists/oss-security/2018/10/05/5\"\n ],\n \"description\": \"The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-17977\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-14899", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-14899" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/Dec/32" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/Jul/23" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/Jul/24" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/Jul/25" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/Nov/20" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2020/08/13/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2020/10/07/3" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/07/05/1" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14899" + }, + { + "url": "https://openvpn.net/security-advisory/no-flaws-found-in-openvpn-software/" + }, + { + "url": "https://support.apple.com/kb/HT211288" + }, + { + "url": "https://support.apple.com/kb/HT211289" + }, + { + "url": "https://support.apple.com/kb/HT211290" + }, + { + "url": "https://support.apple.com/kb/HT211850" + }, + { + "url": "https://support.apple.com/kb/HT211931" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-14899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2019-14899", + "desc": "A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-14899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-14899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-14899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-14899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-14899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://seclists.org/fulldisclosure/2020/Dec/32\",\n \"http://seclists.org/fulldisclosure/2020/Jul/23\",\n \"http://seclists.org/fulldisclosure/2020/Jul/24\",\n \"http://seclists.org/fulldisclosure/2020/Jul/25\",\n \"http://seclists.org/fulldisclosure/2020/Nov/20\",\n \"http://www.openwall.com/lists/oss-security/2020/08/13/2\",\n \"http://www.openwall.com/lists/oss-security/2020/10/07/3\",\n \"http://www.openwall.com/lists/oss-security/2021/07/05/1\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14899\",\n \"https://openvpn.net/security-advisory/no-flaws-found-in-openvpn-software/\",\n \"https://support.apple.com/kb/HT211288\",\n \"https://support.apple.com/kb/HT211289\",\n \"https://support.apple.com/kb/HT211290\",\n \"https://support.apple.com/kb/HT211850\",\n \"https://support.apple.com/kb/HT211931\"\n ],\n \"description\": \"A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:M/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 4.4,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 1.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 1.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-14899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-15213", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-15213" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2019/08/20/2" + }, + { + "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.3" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6cf97230cd5f36b7665099083272595c55d72be7" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20190905-0002/" + }, + { + "url": "https://syzkaller.appspot.com/bug?id=a53c9c9dd2981bfdbfbcbc1ddbd35595eda8bced" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-15213 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2019-15213", + "desc": "An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-15213\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-15213\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-15213\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-15213\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-15213\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html\",\n \"http://www.openwall.com/lists/oss-security/2019/08/20/2\",\n \"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.3\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6cf97230cd5f36b7665099083272595c55d72be7\",\n \"https://security.netapp.com/advisory/ntap-20190905-0002/\",\n \"https://syzkaller.appspot.com/bug?id=a53c9c9dd2981bfdbfbcbc1ddbd35595eda8bced\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-15213\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-19378", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-19378" + }, + { + "url": "https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19378" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200103-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-19378 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2019-19378", + "desc": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-19378\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-19378\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-19378\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-19378\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-19378\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19378\",\n \"https://security.netapp.com/advisory/ntap-20200103-0001/\"\n ],\n \"description\": \"In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.8,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-19378\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-19814", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-19814" + }, + { + "url": "https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19814" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200103-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-19814 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2019-19814", + "desc": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-19814\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-19814\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-19814\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-19814\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-19814\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19814\",\n \"https://security.netapp.com/advisory/ntap-20200103-0001/\"\n ],\n \"description\": \"In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 9.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-19814\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-20794", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-20794" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2020/08/24/1" + }, + { + "url": "https://github.com/sargun/fuse-example" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200608-0001/" + }, + { + "url": "https://sourceforge.net/p/fuse/mailman/message/36598753/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-20794 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2019-20794", + "desc": "An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-20794\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-20794\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-20794\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-20794\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-20794\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2020/08/24/1\",\n \"https://github.com/sargun/fuse-example\",\n \"https://security.netapp.com/advisory/ntap-20200608-0001/\",\n \"https://sourceforge.net/p/fuse/mailman/message/36598753/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:M/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 3.4,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-20794\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-11935", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-11935" + }, + { + "url": "https://bugs.launchpad.net/bugs/1873074" + }, + { + "url": "https://ubuntu.com/security/CVE-2020-11935" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-11935 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-11935", + "desc": "It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-11935\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-11935\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-11935\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-11935\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-11935\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugs.launchpad.net/bugs/1873074\",\n \"https://ubuntu.com/security/CVE-2020-11935\"\n ],\n \"description\": \"It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@ubuntu.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-11935\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-14304", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-14304" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960702" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14304" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-14304 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-14304", + "desc": "A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-14304\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-14304\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-14304\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-14304\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-14304\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960702\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14304\"\n ],\n \"description\": \"A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-14304\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-15802", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-15802" + }, + { + "url": "https://gizmodo.com/bluetooth-unveils-its-latest-security-issue-with-no-se-1845013709" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/" + }, + { + "url": "https://www.kb.cert.org/vuls/id/589825" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-15802 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-15802", + "desc": "Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-15802\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-15802\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-15802\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-15802\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-15802\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://gizmodo.com/bluetooth-unveils-its-latest-security-issue-with-no-se-1845013709\",\n \"https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/\",\n \"https://www.kb.cert.org/vuls/id/589825\"\n ],\n \"description\": \"Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-15802\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26140", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26140" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/05/11/12" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf" + }, + { + "url": "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu" + }, + { + "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63" + }, + { + "url": "https://www.fragattacks.com" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26140 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26140", + "desc": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26140\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26140\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26140\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26140\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26140\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/05/11/12\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf\",\n \"https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu\",\n \"https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63\",\n \"https://www.fragattacks.com\"\n ],\n \"description\": \"An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:L/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 6.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26140\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26142", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26142" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/05/11/12" + }, + { + "url": "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu" + }, + { + "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63" + }, + { + "url": "https://www.fragattacks.com" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26142 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26142", + "desc": "An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26142\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26142\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26142\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26142\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26142\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/05/11/12\",\n \"https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu\",\n \"https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63\",\n \"https://www.fragattacks.com\"\n ],\n \"description\": \"An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:H/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 2.6,\n \"exploitabilityScore\": 4.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26142\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26143", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26143" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/05/11/12" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf" + }, + { + "url": "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu" + }, + { + "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63" + }, + { + "url": "https://www.fragattacks.com" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26143 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26143", + "desc": "An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26143\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26143\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26143\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26143\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26143\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/05/11/12\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf\",\n \"https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu\",\n \"https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63\",\n \"https://www.fragattacks.com\"\n ],\n \"description\": \"An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:L/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 6.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26143\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26146", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26146" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/05/11/12" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf" + }, + { + "url": "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu" + }, + { + "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63" + }, + { + "url": "https://www.fragattacks.com" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26146 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26146", + "desc": "An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26146\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26146\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26146\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26146\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26146\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/05/11/12\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf\",\n \"https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu\",\n \"https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63\",\n \"https://www.fragattacks.com\"\n ],\n \"description\": \"An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:M/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 2.9,\n \"exploitabilityScore\": 5.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26146\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26556", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26556" + }, + { + "url": "https://kb.cert.org/vuls/id/799380" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + }, + { + "url": "https://www.kb.cert.org/vuls/id/799380" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26556 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26556", + "desc": "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26556\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26556\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26556\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26556\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26556\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://kb.cert.org/vuls/id/799380\",\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\",\n \"https://www.kb.cert.org/vuls/id/799380\"\n ],\n \"description\": \"Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:M/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.9,\n \"exploitabilityScore\": 5.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26556\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26557", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26557" + }, + { + "url": "https://kb.cert.org/vuls/id/799380" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26557 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26557", + "desc": "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26557\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26557\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26557\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26557\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26557\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://kb.cert.org/vuls/id/799380\",\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\"\n ],\n \"description\": \"Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:M/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.9,\n \"exploitabilityScore\": 5.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26557\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26559", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26559" + }, + { + "url": "https://kb.cert.org/vuls/id/799380" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26559 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26559", + "desc": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26559\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26559\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26559\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26559\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26559\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://kb.cert.org/vuls/id/799380\",\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\"\n ],\n \"description\": \"Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 5.8,\n \"exploitabilityScore\": 6.5,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26559\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26560", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26560" + }, + { + "url": "https://kb.cert.org/vuls/id/799380" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26560 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26560", + "desc": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26560\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26560\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26560\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26560\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26560\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://kb.cert.org/vuls/id/799380\",\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\"\n ],\n \"description\": \"Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:L/Au:N/C:P/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 4.8,\n \"exploitabilityScore\": 6.5,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 8.1,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26560\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-35501", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-35501" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1908577" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-35501 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-35501", + "desc": "A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-35501\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-35501\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-35501\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-35501\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35501\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=1908577\"\n ],\n \"description\": \"A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 3.6,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-35501\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-26934", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-26934" + }, + { + "url": "http://xenbits.xen.org/xsa/advisory-363.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GELN5E6MDR5KQBJF5M5COUUED3YFZTD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOAJBVAVR6RSCUCHNXPVSNRPSFM7INMP/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210326-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-26934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-26934", + "desc": "An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-26934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-26934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-26934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-26934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-26934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://xenbits.xen.org/xsa/advisory-363.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GELN5E6MDR5KQBJF5M5COUUED3YFZTD/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOAJBVAVR6RSCUCHNXPVSNRPSFM7INMP/\",\n \"https://security.netapp.com/advisory/ntap-20210326-0001/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-26934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-31615", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-31615" + }, + { + "url": "https://bluetooth.com" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/injectable/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-31615 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-31615", + "desc": "Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 may permit an adjacent device to inject a crafted packet during the receive window of the listening device before the transmitting device initiates its packet transmission to achieve full MITM status without terminating the link. When applied against devices establishing or using encrypted links, crafted packets may be used to terminate an existing link, but will not compromise the confidentiality or integrity of the link.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-31615\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-31615\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-31615\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-31615\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-31615\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bluetooth.com\",\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/injectable/\"\n ],\n \"description\": \"Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 may permit an adjacent device to inject a crafted packet during the receive window of the listening device before the transmitting device initiates its packet transmission to achieve full MITM status without terminating the link. When applied against devices establishing or using encrypted links, crafted packets may be used to terminate an existing link, but will not compromise the confidentiality or integrity of the link.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 2.9,\n \"exploitabilityScore\": 5.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-31615\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-33096", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-33096" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220210-0010/" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00571.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-33096 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-33096", + "desc": "Improper isolation of shared resources in network on chip for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-33096\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-33096\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-33096\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-33096\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-33096\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://security.netapp.com/advisory/ntap-20220210-0010/\",\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00571.html\"\n ],\n \"description\": \"Improper isolation of shared resources in network on chip for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-33096\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3714", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-3714" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2021-3714" + }, + { + "url": "https://arxiv.org/abs/2111.08553" + }, + { + "url": "https://arxiv.org/pdf/2111.08553.pdf" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1931327" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3714 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-3714", + "desc": "A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3714\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-3714\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-3714\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3714\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3714\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2021-3714\",\n \"https://arxiv.org/abs/2111.08553\",\n \"https://arxiv.org/pdf/2111.08553.pdf\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=1931327\"\n ],\n \"description\": \"A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3714\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3773", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-3773" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004949" + }, + { + "url": "https://citizenlab.ca/2024/07/vulnerabilities-in-vpns-paper-presented-at-the-privacy-enhancing-technologies-symposium-2024/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3773 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-3773", + "desc": "A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3773\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-3773\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-3773\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3773\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3773\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2004949\",\n \"https://citizenlab.ca/2024/07/vulnerabilities-in-vpns-paper-presented-at-the-privacy-enhancing-technologies-symposium-2024/\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n ],\n \"description\": \"A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3773\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3864", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-3864" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2021-3864" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015046" + }, + { + "url": "https://lore.kernel.org/all/20211221021744.864115-1-longman%40redhat.com/" + }, + { + "url": "https://lore.kernel.org/all/20211226150310.GA992%401wt.eu/" + }, + { + "url": "https://lore.kernel.org/lkml/20211228170910.623156-1-wander%40redhat.com/" + }, + { + "url": "https://security-tracker.debian.org/tracker/CVE-2021-3864" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2021/10/20/2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3864 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-3864", + "desc": "A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3864\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-3864\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-3864\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3864\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3864\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2021-3864\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2015046\",\n \"https://lore.kernel.org/all/20211221021744.864115-1-longman%40redhat.com/\",\n \"https://lore.kernel.org/all/20211226150310.GA992%401wt.eu/\",\n \"https://lore.kernel.org/lkml/20211228170910.623156-1-wander%40redhat.com/\",\n \"https://security-tracker.debian.org/tracker/CVE-2021-3864\",\n \"https://www.openwall.com/lists/oss-security/2021/10/20/2\"\n ],\n \"description\": \"A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3864\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-4095", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-4095" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/1" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031194" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIOQN7JJNN6ABIDGRSTVZA65MHRLMH2Q/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT6573CGKVK3DU2632VVO5BVM4IU7SBV/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-4095 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-4095", + "desc": "A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl. This flaw affects Linux kernel versions prior to 5.17-rc1.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-4095\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-4095\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-4095\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-4095\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-4095\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2022/01/17/1\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2031194\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIOQN7JJNN6ABIDGRSTVZA65MHRLMH2Q/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT6573CGKVK3DU2632VVO5BVM4IU7SBV/\"\n ],\n \"description\": \"A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl. This flaw affects Linux kernel versions prior to 5.17-rc1.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 1.9,\n \"exploitabilityScore\": 3.4,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-4095\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-46928", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-46928" + }, + { + "url": "https://git.kernel.org/stable/c/484730e5862f6b872dca13840bed40fd7c60fa26" + }, + { + "url": "https://git.kernel.org/stable/c/d01e9ce1af6116f812491d3d3873d204f10ae0b8" + }, + { + "url": "https://git.kernel.org/stable/c/e96373f0a5f484bc1e193f9951dcb3adf24bf3f7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-46928 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-46928", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Clear stale IIR value on instruction access rights trap\n\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\ncouldn't execute an instruction due to missing execute permissions on\nthe memory region. In this case it seems the CPU didn't even fetched\nthe instruction from memory and thus did not store it in the cr19 (IIR)\nregister before calling the trap handler. So, the trap handler will find\nsome random old stale value in cr19.\n\nThis patch simply overwrites the stale IIR value with a constant magic\n\"bad food\" value (0xbaadf00d), in the hope people don't start to try to\nunderstand the various random IIR values in trap 7 dumps.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-46928\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-46928\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-46928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-46928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-46928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/484730e5862f6b872dca13840bed40fd7c60fa26\",\n \"https://git.kernel.org/stable/c/d01e9ce1af6116f812491d3d3873d204f10ae0b8\",\n \"https://git.kernel.org/stable/c/e96373f0a5f484bc1e193f9951dcb3adf24bf3f7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nparisc: Clear stale IIR value on instruction access rights trap\\n\\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\\ncouldn't execute an instruction due to missing execute permissions on\\nthe memory region. In this case it seems the CPU didn't even fetched\\nthe instruction from memory and thus did not store it in the cr19 (IIR)\\nregister before calling the trap handler. So, the trap handler will find\\nsome random old stale value in cr19.\\n\\nThis patch simply overwrites the stale IIR value with a constant magic\\n\\\"bad food\\\" value (0xbaadf00d), in the hope people don't start to try to\\nunderstand the various random IIR values in trap 7 dumps.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46928\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-47432", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-47432" + }, + { + "url": "https://git.kernel.org/stable/c/784d01f9bbc282abb0c5ade5beb98a87f50343ac" + }, + { + "url": "https://git.kernel.org/stable/c/9492261ff2460252cf2d8de89cdf854c7e2b28a0" + }, + { + "url": "https://git.kernel.org/stable/c/aa7f1827953100cdde0795289a80c6c077bfe437" + }, + { + "url": "https://git.kernel.org/stable/c/ec298b958cb0c40d70c68079da933c8f31c5134c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-47432 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-47432", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/generic-radix-tree.c: Don't overflow in peek()\n\nWhen we started spreading new inode numbers throughout most of the 64\nbit inode space, that triggered some corner case bugs, in particular\nsome integer overflows related to the radix tree code. Oops.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-47432\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-47432\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-47432\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-47432\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-47432\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/784d01f9bbc282abb0c5ade5beb98a87f50343ac\",\n \"https://git.kernel.org/stable/c/9492261ff2460252cf2d8de89cdf854c7e2b28a0\",\n \"https://git.kernel.org/stable/c/aa7f1827953100cdde0795289a80c6c077bfe437\",\n \"https://git.kernel.org/stable/c/ec298b958cb0c40d70c68079da933c8f31c5134c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlib/generic-radix-tree.c: Don't overflow in peek()\\n\\nWhen we started spreading new inode numbers throughout most of the 64\\nbit inode space, that triggered some corner case bugs, in particular\\nsome integer overflows related to the radix tree code. Oops.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-47432\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-47472", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-47472" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-47472 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-47472", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-47472\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-47472\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-47472\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-47472\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-47472\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-47472\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-47599", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-47599" + }, + { + "url": "https://git.kernel.org/stable/c/6605fd2f394bba0a0059df2b6cfc87b0b6d393a2" + }, + { + "url": "https://git.kernel.org/stable/c/e342c2558016ead462f376b6c6c2ac5efc17f3b1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-47599 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-47599", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: use latest_dev in btrfs_show_devname\n\nThe test case btrfs/238 reports the warning below:\n\n WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]\n CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72\n Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n Call trace:\n btrfs_show_devname+0x108/0x1b4 [btrfs]\n show_mountinfo+0x234/0x2c4\n m_show+0x28/0x34\n seq_read_iter+0x12c/0x3c4\n vfs_read+0x29c/0x2c8\n ksys_read+0x80/0xec\n __arm64_sys_read+0x28/0x34\n invoke_syscall+0x50/0xf8\n do_el0_svc+0x88/0x138\n el0_svc+0x2c/0x8c\n el0t_64_sync_handler+0x84/0xe4\n el0t_64_sync+0x198/0x19c\n\nReason:\nWhile btrfs_prepare_sprout() moves the fs_devices::devices into\nfs_devices::seed_list, the btrfs_show_devname() searches for the devices\nand found none, leading to the warning as in above.\n\nFix:\nlatest_dev is updated according to the changes to the device list.\nThat means we could use the latest_dev->name to show the device name in\n/proc/self/mounts, the pointer will be always valid as it's assigned\nbefore the device is deleted from the list in remove or replace.\nThe RCU protection is sufficient as the device structure is freed after\nsynchronization.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-47599\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-47599\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-47599\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-47599\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-47599\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6605fd2f394bba0a0059df2b6cfc87b0b6d393a2\",\n \"https://git.kernel.org/stable/c/e342c2558016ead462f376b6c6c2ac5efc17f3b1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: use latest_dev in btrfs_show_devname\\n\\nThe test case btrfs/238 reports the warning below:\\n\\n WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]\\n CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72\\n Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\\n Call trace:\\n btrfs_show_devname+0x108/0x1b4 [btrfs]\\n show_mountinfo+0x234/0x2c4\\n m_show+0x28/0x34\\n seq_read_iter+0x12c/0x3c4\\n vfs_read+0x29c/0x2c8\\n ksys_read+0x80/0xec\\n __arm64_sys_read+0x28/0x34\\n invoke_syscall+0x50/0xf8\\n do_el0_svc+0x88/0x138\\n el0_svc+0x2c/0x8c\\n el0t_64_sync_handler+0x84/0xe4\\n el0t_64_sync+0x198/0x19c\\n\\nReason:\\nWhile btrfs_prepare_sprout() moves the fs_devices::devices into\\nfs_devices::seed_list, the btrfs_show_devname() searches for the devices\\nand found none, leading to the warning as in above.\\n\\nFix:\\nlatest_dev is updated according to the changes to the device list.\\nThat means we could use the latest_dev->name to show the device name in\\n/proc/self/mounts, the pointer will be always valid as it's assigned\\nbefore the device is deleted from the list in remove or replace.\\nThe RCU protection is sufficient as the device structure is freed after\\nsynchronization.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-47599\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-47615", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-47615" + }, + { + "url": "https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9" + }, + { + "url": "https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701" + }, + { + "url": "https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-47615 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-47615", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix releasing unallocated memory in dereg MR flow\n\nFor the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though\nit is a user MR. This causes function mlx5_free_priv_descs() to think that\nit is a kernel MR, leading to wrongly accessing mr->descs that will get\nwrong values in the union which leads to attempt to release resources that\nwere not allocated in the first place.\n\nFor example:\n DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]\n WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0\n RIP: 0010:check_unmap+0x54f/0x8b0\n Call Trace:\n debug_dma_unmap_page+0x57/0x60\n mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]\n mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]\n ib_dereg_mr_user+0x60/0x140 [ib_core]\n uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]\n uobj_destroy+0x3f/0x80 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]\n ? uverbs_finalize_object+0x50/0x50 [ib_uverbs]\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquired+0x12/0x380\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquire+0xc4/0x2e0\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n ? lock_release+0x28a/0x400\n ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n __x64_sys_ioctl+0x7f/0xb0\n do_syscall_64+0x38/0x90\n\nFix it by reorganizing the dereg flow and mlx5_ib_mr structure:\n - Move the ib_umem field into the user MRs structure in the union as it's\n applicable only there.\n - Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only\n in case there isn't udata, which indicates that this isn't a user MR.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-47615\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-47615\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-47615\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-47615\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-47615\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9\",\n \"https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701\",\n \"https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/mlx5: Fix releasing unallocated memory in dereg MR flow\\n\\nFor the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though\\nit is a user MR. This causes function mlx5_free_priv_descs() to think that\\nit is a kernel MR, leading to wrongly accessing mr->descs that will get\\nwrong values in the union which leads to attempt to release resources that\\nwere not allocated in the first place.\\n\\nFor example:\\n DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]\\n WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0\\n RIP: 0010:check_unmap+0x54f/0x8b0\\n Call Trace:\\n debug_dma_unmap_page+0x57/0x60\\n mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]\\n mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]\\n ib_dereg_mr_user+0x60/0x140 [ib_core]\\n uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]\\n uobj_destroy+0x3f/0x80 [ib_uverbs]\\n ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]\\n ? uverbs_finalize_object+0x50/0x50 [ib_uverbs]\\n ? lock_acquire+0xc4/0x2e0\\n ? lock_acquired+0x12/0x380\\n ? lock_acquire+0xc4/0x2e0\\n ? lock_acquire+0xc4/0x2e0\\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\\n ? lock_release+0x28a/0x400\\n ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]\\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\\n __x64_sys_ioctl+0x7f/0xb0\\n do_syscall_64+0x38/0x90\\n\\nFix it by reorganizing the dereg flow and mlx5_ib_mr structure:\\n - Move the ib_umem field into the user MRs structure in the union as it's\\n applicable only there.\\n - Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only\\n in case there isn't udata, which indicates that this isn't a user MR.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-47615\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0400", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-0400" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-0400" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040604" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044575" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0400 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-0400", + "desc": "An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0400\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-0400\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-0400\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-0400\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0400\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-0400\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2040604\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2044575\"\n ],\n \"description\": \"An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0400\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0480", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-0480" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-0480" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2049700" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0f12156dff2862ac54235fc72703f18770769042" + }, + { + "url": "https://github.com/kata-containers/kata-containers/issues/3373" + }, + { + "url": "https://lore.kernel.org/linux-mm/20210902215519.AWcuVc3li%25akpm%40linux-foundation.org/" + }, + { + "url": "https://ubuntu.com/security/CVE-2022-0480" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0480 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-0480", + "desc": "A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0480\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-0480\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-0480\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-0480\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0480\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-0480\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2049700\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0f12156dff2862ac54235fc72703f18770769042\",\n \"https://github.com/kata-containers/kata-containers/issues/3373\",\n \"https://lore.kernel.org/linux-mm/20210902215519.AWcuVc3li%25akpm%40linux-foundation.org/\",\n \"https://ubuntu.com/security/CVE-2022-0480\"\n ],\n \"description\": \"A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0480\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0854", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-0854" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8&id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5161" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5173" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0854 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-0854", + "desc": "A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0854\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-0854\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-0854\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-0854\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0854\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8&id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13\",\n \"https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html\",\n \"https://www.debian.org/security/2022/dsa-5161\",\n \"https://www.debian.org/security/2022/dsa-5173\"\n ],\n \"description\": \"A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0854\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0995", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-0995" + }, + { + "url": "http://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html" + }, + { + "url": "http://packetstormsecurity.com/files/166815/Watch-Queue-Out-Of-Bounds-Write.html" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063786" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220429-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0995 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-0995", + "desc": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0995\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-0995\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-0995\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-0995\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0995\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html\",\n \"http://packetstormsecurity.com/files/166815/Watch-Queue-Out-Of-Bounds-Write.html\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2063786\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb\",\n \"https://security.netapp.com/advisory/ntap-20220429-0001/\"\n ],\n \"description\": \"An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0995\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-1205", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-1205" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-1205" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2071047" + }, + { + "url": "https://github.com/torvalds/linux/commit/82e31755e55fbcea6a9dfaae5fe4860ade17cbc0" + }, + { + "url": "https://github.com/torvalds/linux/commit/fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/04/02/4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-1205 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-1205", + "desc": "A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-1205\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-1205\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-1205\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-1205\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-1205\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-1205\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2071047\",\n \"https://github.com/torvalds/linux/commit/82e31755e55fbcea6a9dfaae5fe4860ade17cbc0\",\n \"https://github.com/torvalds/linux/commit/fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009\",\n \"https://www.openwall.com/lists/oss-security/2022/04/02/4\"\n ],\n \"description\": \"A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-1205\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-1247", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-1247" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-1247" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066799" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-1247 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-1247", + "desc": "An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-1247\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-1247\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-1247\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-1247\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-1247\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-1247\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2066799\"\n ],\n \"description\": \"An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-1247\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-23825", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-23825" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/11/08/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/11/10/2" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSRW4LLTAT3CZMOYVNTC7YIYGX3KLED/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/" + }, + { + "url": "https://security.gentoo.org/glsa/202402-07" + }, + { + "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5184" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-23825 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-23825", + "desc": "Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-23825\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-23825\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-23825\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-23825\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-23825\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2022/11/08/1\",\n \"http://www.openwall.com/lists/oss-security/2022/11/10/2\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSRW4LLTAT3CZMOYVNTC7YIYGX3KLED/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/\",\n \"https://security.gentoo.org/glsa/202402-07\",\n \"https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037\",\n \"https://www.debian.org/security/2022/dsa-5184\"\n ],\n \"description\": \"Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-23825\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-25265", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-25265" + }, + { + "url": "https://github.com/torvalds/linux/blob/1c33bb0507508af24fd754dd7123bd8e997fab2f/arch/x86/include/asm/elf.h#L281-L294" + }, + { + "url": "https://github.com/x0reaxeax/exec-prot-bypass" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220318-0005/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-25265 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-25265", + "desc": "In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-25265\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-25265\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-25265\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-25265\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25265\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/torvalds/linux/blob/1c33bb0507508af24fd754dd7123bd8e997fab2f/arch/x86/include/asm/elf.h#L281-L294\",\n \"https://github.com/x0reaxeax/exec-prot-bypass\",\n \"https://security.netapp.com/advisory/ntap-20220318-0005/\"\n ],\n \"description\": \"In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 3.4,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-25265\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-25836", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-25836" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-25836 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-25836", + "desc": "Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4.0 through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when the MITM negotiates Legacy Passkey Pairing with the pairing Initiator and Secure Connections Passkey Pairing with the pairing Responder and brute forces the Passkey entered by the user into the Initiator. The MITM attacker can use the identified Passkey value to complete authentication with the Responder via Bluetooth pairing method confusion.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-25836\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-25836\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-25836\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-25836\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25836\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\"\n ],\n \"description\": \"Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4.0 through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when the MITM negotiates Legacy Passkey Pairing with the pairing Initiator and Secure Connections Passkey Pairing with the pairing Responder and brute forces the Passkey entered by the user into the Initiator. The MITM attacker can use the identified Passkey value to complete authentication with the Responder via Bluetooth pairing method confusion.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.8\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-25836\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-25837", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-25837" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-25837 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-25837", + "desc": "Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when at least one device supports BR/EDR Secure Connections pairing and the other BR/EDR Legacy PIN code pairing if the MITM negotiates BR/EDR Secure Simple Pairing in Secure Connections mode using the Passkey association model with the pairing Initiator and BR/EDR Legacy PIN code pairing with the pairing Responder and brute forces the Passkey entered by the user into the Responder as a 6-digit PIN code. The MITM attacker can use the identified PIN code value as the Passkey value to complete authentication with the Initiator via Bluetooth pairing method confusion.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-25837\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-25837\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-25837\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-25837\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25837\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\"\n ],\n \"description\": \"Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when at least one device supports BR/EDR Secure Connections pairing and the other BR/EDR Legacy PIN code pairing if the MITM negotiates BR/EDR Secure Simple Pairing in Secure Connections mode using the Passkey association model with the pairing Initiator and BR/EDR Legacy PIN code pairing with the pairing Responder and brute forces the Passkey entered by the user into the Responder as a 6-digit PIN code. The MITM attacker can use the identified PIN code value as the Passkey value to complete authentication with the Initiator via Bluetooth pairing method confusion.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.8\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-25837\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-26047", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-26047" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00699.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-26047 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-26047", + "desc": "Improper input validation for some Intel(R) PROSet/Wireless WiFi, Intel vPro(R) CSME WiFi and Killer(TM) WiFi products may allow unauthenticated user to potentially enable denial of service via local access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-26047\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-26047\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-26047\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-26047\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-26047\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00699.html\"\n ],\n \"description\": \"Improper input validation for some Intel(R) PROSet/Wireless WiFi, Intel vPro(R) CSME WiFi and Killer(TM) WiFi products may allow unauthenticated user to potentially enable denial of service via local access.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secure@intel.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-26047\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-28667", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-28667" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00687.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-28667 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-28667", + "desc": "Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi software before version 22.140 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-28667\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-28667\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-28667\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-28667\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-28667\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00687.html\"\n ],\n \"description\": \"Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi software before version 22.140 may allow an unauthenticated user to potentially enable denial of service via adjacent access.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secure@intel.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-28667\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-28693", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-28693" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-28693 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-28693", + "desc": "no description found", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-28693\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-28693\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-28693\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-28693\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-2961", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-2961" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-2961" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230214-0004/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-2961 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-2961", + "desc": "A use-after-free flaw was found in the Linux kernel’s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-2961\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-2961\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-2961\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-2961\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-2961\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-2961\",\n \"https://security.netapp.com/advisory/ntap-20230214-0004/\"\n ],\n \"description\": \"A use-after-free flaw was found in the Linux kernel’s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-2961\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-3114", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-3114" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153054" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.19-rc2&id=ed713e2bc093239ccd380c2ce8ae9e4162f5c037" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-3114 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-3114", + "desc": "An issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-3114\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-3114\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-3114\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-3114\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3114\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2153054\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.19-rc2&id=ed713e2bc093239ccd380c2ce8ae9e4162f5c037\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3114\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-3238", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-3238" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127927" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-3238 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-3238", + "desc": "A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-3238\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-3238\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-3238\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-3238\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3238\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2127927\"\n ],\n \"description\": \"A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3238\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-3523", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-3523" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16ce101db85db694a91380aa4c89b25530871d33" + }, + { + "url": "https://vuldb.com/?id.211020" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-3523 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-3523", + "desc": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211020.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-3523\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-3523\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-3523\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-3523\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3523\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16ce101db85db694a91380aa4c89b25530871d33\",\n \"https://vuldb.com/?id.211020\"\n ],\n \"description\": \"A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211020.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"cna@vuldb.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3523\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-38096", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-38096" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-38096 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-38096", + "desc": "A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-38096\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-38096\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-38096\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-38096\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-38096\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=2073\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 6.3,\n \"exploitabilityScore\": 2.1,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2022-38096\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-38457", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-38457" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2074" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-38457 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-38457", + "desc": "A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-38457\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-38457\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-38457\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-38457\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-38457\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=2074\"\n ],\n \"description\": \"A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 6.3,\n \"exploitabilityScore\": 2.1,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-38457\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-40133", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-40133" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2075" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-40133 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-40133", + "desc": "A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-40133\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-40133\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-40133\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-40133\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-40133\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=2075\"\n ],\n \"description\": \"A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 6.3,\n \"exploitabilityScore\": 2.1,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-40133\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-41848", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-41848" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/char/pcmcia/synclink_cs.c" + }, + { + "url": "https://lore.kernel.org/lkml/20220919040251.GA302541%40ubuntu/T/#rc85e751f467b3e6f9ccef92cfa7fb8a6cc50c270" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-41848 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-41848", + "desc": "drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-41848\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-41848\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-41848\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-41848\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41848\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/char/pcmcia/synclink_cs.c\",\n \"https://lore.kernel.org/lkml/20220919040251.GA302541%40ubuntu/T/#rc85e751f467b3e6f9ccef92cfa7fb8a6cc50c270\"\n ],\n \"description\": \"drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.2,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-41848\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-44032", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-44032" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15" + }, + { + "url": "https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/" + }, + { + "url": "https://lore.kernel.org/lkml/20220919040701.GA302806%40ubuntu/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-44032 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-44032", + "desc": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-44032\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-44032\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-44032\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-44032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-44032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15\",\n \"https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/\",\n \"https://lore.kernel.org/lkml/20220919040701.GA302806%40ubuntu/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-44032\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-44033", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-44033" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15" + }, + { + "url": "https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/" + }, + { + "url": "https://lore.kernel.org/lkml/20220919040457.GA302681%40ubuntu/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-44033 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-44033", + "desc": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-44033\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-44033\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-44033\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-44033\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-44033\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15\",\n \"https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/\",\n \"https://lore.kernel.org/lkml/20220919040457.GA302681%40ubuntu/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-44033\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-44034", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-44034" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15" + }, + { + "url": "https://lore.kernel.org/lkml/20220916050333.GA188358%40ubuntu/" + }, + { + "url": "https://lore.kernel.org/lkml/20220919101825.GA313940%40ubuntu/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-44034 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-44034", + "desc": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-44034\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-44034\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-44034\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-44034\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-44034\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15\",\n \"https://lore.kernel.org/lkml/20220916050333.GA188358%40ubuntu/\",\n \"https://lore.kernel.org/lkml/20220919101825.GA313940%40ubuntu/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-44034\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-4543", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-4543" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/12/16/3" + }, + { + "url": "https://www.willsroot.io/2022/12/entrybleed.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-4543 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-4543", + "desc": "A flaw named \"EntryBleed\" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-4543\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-4543\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-4543\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-4543\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-4543\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.openwall.com/lists/oss-security/2022/12/16/3\",\n \"https://www.willsroot.io/2022/12/entrybleed.html\"\n ],\n \"description\": \"A flaw named \\\"EntryBleed\\\" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-4543\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-45884", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-45884" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=627bb528b086b4136315c25d6a447a98ea9448d3" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-4-imv4bel%40gmail.com/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230113-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-45884 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-45884", + "desc": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-45884\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-45884\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-45884\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-45884\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45884\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=627bb528b086b4136315c25d6a447a98ea9448d3\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-4-imv4bel%40gmail.com/\",\n \"https://security.netapp.com/advisory/ntap-20230113-0006/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45884\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-45885", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-45885" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6769a0b7ee0c3b31e1b22c3fadff2bfb642de23f" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-2-imv4bel%40gmail.com/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230113-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-45885 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-45885", + "desc": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-45885\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-45885\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-45885\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-45885\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45885\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6769a0b7ee0c3b31e1b22c3fadff2bfb642de23f\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-2-imv4bel%40gmail.com/\",\n \"https://security.netapp.com/advisory/ntap-20230113-0006/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45885\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-45887", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-45887" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=517a281338322ff8293f988771c98aaa7205e457" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-5-imv4bel%40gmail.com/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230113-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-45887 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-45887", + "desc": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-45887\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-45887\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-45887\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-45887\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45887\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=517a281338322ff8293f988771c98aaa7205e457\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-5-imv4bel%40gmail.com/\",\n \"https://security.netapp.com/advisory/ntap-20230113-0006/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45887\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-45888", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-45888" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=282a4b71816b6076029017a7bab3a9dcee12a920" + }, + { + "url": "https://lore.kernel.org/all/20221022175404.GA375335%40ubuntu/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230113-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-45888 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-45888", + "desc": "An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-45888\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-45888\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-45888\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-45888\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45888\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=282a4b71816b6076029017a7bab3a9dcee12a920\",\n \"https://lore.kernel.org/all/20221022175404.GA375335%40ubuntu/\",\n \"https://security.netapp.com/advisory/ntap-20230113-0006/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45888\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48628", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48628" + }, + { + "url": "https://git.kernel.org/stable/c/47f82395f04a976d4fa97de7f2acffa1c1096571" + }, + { + "url": "https://git.kernel.org/stable/c/89744b64914426cbabceb3d8a149176b5dafdfb5" + }, + { + "url": "https://git.kernel.org/stable/c/e3dfcab2080dc1f9a4b09cc1327361bc2845bfcd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48628 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48628", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: drop messages from MDS when unmounting\n\nWhen unmounting all the dirty buffers will be flushed and after\nthe last osd request is finished the last reference of the i_count\nwill be released. Then it will flush the dirty cap/snap to MDSs,\nand the unmounting won't wait the possible acks, which will ihold\nthe inodes when updating the metadata locally but makes no sense\nany more, of this. This will make the evict_inodes() to skip these\ninodes.\n\nIf encrypt is enabled the kernel generate a warning when removing\nthe encrypt keys when the skipped inodes still hold the keyring:\n\nWARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0\nCPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1\nHardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015\nRIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0\nRSP: 0018:ffffc9000b277e28 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00\nRDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000\nRBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000\nR10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40\nR13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000\nFS: 00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\ngeneric_shutdown_super+0x47/0x120\nkill_anon_super+0x14/0x30\nceph_kill_sb+0x36/0x90 [ceph]\ndeactivate_locked_super+0x29/0x60\ncleanup_mnt+0xb8/0x140\ntask_work_run+0x67/0xb0\nexit_to_user_mode_prepare+0x23d/0x240\nsyscall_exit_to_user_mode+0x25/0x60\ndo_syscall_64+0x40/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fd83dc39e9b\n\nLater the kernel will crash when iput() the inodes and dereferencing\nthe \"sb->s_master_keys\", which has been released by the\ngeneric_shutdown_super().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48628\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48628\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48628\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48628\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48628\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/47f82395f04a976d4fa97de7f2acffa1c1096571\",\n \"https://git.kernel.org/stable/c/89744b64914426cbabceb3d8a149176b5dafdfb5\",\n \"https://git.kernel.org/stable/c/e3dfcab2080dc1f9a4b09cc1327361bc2845bfcd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nceph: drop messages from MDS when unmounting\\n\\nWhen unmounting all the dirty buffers will be flushed and after\\nthe last osd request is finished the last reference of the i_count\\nwill be released. Then it will flush the dirty cap/snap to MDSs,\\nand the unmounting won't wait the possible acks, which will ihold\\nthe inodes when updating the metadata locally but makes no sense\\nany more, of this. This will make the evict_inodes() to skip these\\ninodes.\\n\\nIf encrypt is enabled the kernel generate a warning when removing\\nthe encrypt keys when the skipped inodes still hold the keyring:\\n\\nWARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0\\nCPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1\\nHardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015\\nRIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0\\nRSP: 0018:ffffc9000b277e28 EFLAGS: 00010202\\nRAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00\\nRDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000\\nRBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000\\nR10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40\\nR13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000\\nFS: 00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n\\ngeneric_shutdown_super+0x47/0x120\\nkill_anon_super+0x14/0x30\\nceph_kill_sb+0x36/0x90 [ceph]\\ndeactivate_locked_super+0x29/0x60\\ncleanup_mnt+0xb8/0x140\\ntask_work_run+0x67/0xb0\\nexit_to_user_mode_prepare+0x23d/0x240\\nsyscall_exit_to_user_mode+0x25/0x60\\ndo_syscall_64+0x40/0x80\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\\nRIP: 0033:0x7fd83dc39e9b\\n\\nLater the kernel will crash when iput() the inodes and dereferencing\\nthe \\\"sb->s_master_keys\\\", which has been released by the\\ngeneric_shutdown_super().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48628\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48631", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48631" + }, + { + "url": "https://git.kernel.org/stable/c/29a5b8a137ac8eb410cc823653a29ac0e7b7e1b0" + }, + { + "url": "https://git.kernel.org/stable/c/2f5e9de15e4f55fbf56f22d4a2ce406246cc462d" + }, + { + "url": "https://git.kernel.org/stable/c/958b0ee23f5ac106e7cc11472b71aa2ea9a033bc" + }, + { + "url": "https://git.kernel.org/stable/c/bb7eb3ca4b3b0d2c7872cf1a41c30f5e5bd65df0" + }, + { + "url": "https://git.kernel.org/stable/c/be4df018c0be5ebecf1ca510feacc23be415cefc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48631 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48631", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0\n\nWhen walking through an inode extents, the ext4_ext_binsearch_idx() function\nassumes that the extent header has been previously validated. However, there\nare no checks that verify that the number of entries (eh->eh_entries) is\nnon-zero when depth is > 0. And this will lead to problems because the\nEXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this:\n\n[ 135.245946] ------------[ cut here ]------------\n[ 135.247579] kernel BUG at fs/ext4/extents.c:2258!\n[ 135.249045] invalid opcode: 0000 [#1] PREEMPT SMP\n[ 135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4\n[ 135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\n[ 135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0\n[ 135.256475] Code:\n[ 135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246\n[ 135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023\n[ 135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c\n[ 135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c\n[ 135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024\n[ 135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000\n[ 135.272394] FS: 00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n[ 135.274510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0\n[ 135.277952] Call Trace:\n[ 135.278635] \n[ 135.279247] ? preempt_count_add+0x6d/0xa0\n[ 135.280358] ? percpu_counter_add_batch+0x55/0xb0\n[ 135.281612] ? _raw_read_unlock+0x18/0x30\n[ 135.282704] ext4_map_blocks+0x294/0x5a0\n[ 135.283745] ? xa_load+0x6f/0xa0\n[ 135.284562] ext4_mpage_readpages+0x3d6/0x770\n[ 135.285646] read_pages+0x67/0x1d0\n[ 135.286492] ? folio_add_lru+0x51/0x80\n[ 135.287441] page_cache_ra_unbounded+0x124/0x170\n[ 135.288510] filemap_get_pages+0x23d/0x5a0\n[ 135.289457] ? path_openat+0xa72/0xdd0\n[ 135.290332] filemap_read+0xbf/0x300\n[ 135.291158] ? _raw_spin_lock_irqsave+0x17/0x40\n[ 135.292192] new_sync_read+0x103/0x170\n[ 135.293014] vfs_read+0x15d/0x180\n[ 135.293745] ksys_read+0xa1/0xe0\n[ 135.294461] do_syscall_64+0x3c/0x80\n[ 135.295284] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis patch simply adds an extra check in __ext4_ext_check(), verifying that\neh_entries is not 0 when eh_depth is > 0.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48631\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48631\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48631\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48631\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48631\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29a5b8a137ac8eb410cc823653a29ac0e7b7e1b0\",\n \"https://git.kernel.org/stable/c/2f5e9de15e4f55fbf56f22d4a2ce406246cc462d\",\n \"https://git.kernel.org/stable/c/958b0ee23f5ac106e7cc11472b71aa2ea9a033bc\",\n \"https://git.kernel.org/stable/c/bb7eb3ca4b3b0d2c7872cf1a41c30f5e5bd65df0\",\n \"https://git.kernel.org/stable/c/be4df018c0be5ebecf1ca510feacc23be415cefc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0\\n\\nWhen walking through an inode extents, the ext4_ext_binsearch_idx() function\\nassumes that the extent header has been previously validated. However, there\\nare no checks that verify that the number of entries (eh->eh_entries) is\\nnon-zero when depth is > 0. And this will lead to problems because the\\nEXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this:\\n\\n[ 135.245946] ------------[ cut here ]------------\\n[ 135.247579] kernel BUG at fs/ext4/extents.c:2258!\\n[ 135.249045] invalid opcode: 0000 [#1] PREEMPT SMP\\n[ 135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4\\n[ 135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\\n[ 135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0\\n[ 135.256475] Code:\\n[ 135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246\\n[ 135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023\\n[ 135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c\\n[ 135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c\\n[ 135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024\\n[ 135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000\\n[ 135.272394] FS: 00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\\n[ 135.274510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0\\n[ 135.277952] Call Trace:\\n[ 135.278635] \\n[ 135.279247] ? preempt_count_add+0x6d/0xa0\\n[ 135.280358] ? percpu_counter_add_batch+0x55/0xb0\\n[ 135.281612] ? _raw_read_unlock+0x18/0x30\\n[ 135.282704] ext4_map_blocks+0x294/0x5a0\\n[ 135.283745] ? xa_load+0x6f/0xa0\\n[ 135.284562] ext4_mpage_readpages+0x3d6/0x770\\n[ 135.285646] read_pages+0x67/0x1d0\\n[ 135.286492] ? folio_add_lru+0x51/0x80\\n[ 135.287441] page_cache_ra_unbounded+0x124/0x170\\n[ 135.288510] filemap_get_pages+0x23d/0x5a0\\n[ 135.289457] ? path_openat+0xa72/0xdd0\\n[ 135.290332] filemap_read+0xbf/0x300\\n[ 135.291158] ? _raw_spin_lock_irqsave+0x17/0x40\\n[ 135.292192] new_sync_read+0x103/0x170\\n[ 135.293014] vfs_read+0x15d/0x180\\n[ 135.293745] ksys_read+0xa1/0xe0\\n[ 135.294461] do_syscall_64+0x3c/0x80\\n[ 135.295284] entry_SYSCALL_64_after_hwframe+0x46/0xb0\\n\\nThis patch simply adds an extra check in __ext4_ext_check(), verifying that\\neh_entries is not 0 when eh_depth is > 0.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48631\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48632", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48632" + }, + { + "url": "https://git.kernel.org/stable/c/3b5ab5fbe69ebbee5692c72b05071a43fc0655d8" + }, + { + "url": "https://git.kernel.org/stable/c/48ee0a864d1af02eea98fc825cc230d61517a71e" + }, + { + "url": "https://git.kernel.org/stable/c/dc2a0c587006f29b724069740c48654b9dcaebd2" + }, + { + "url": "https://git.kernel.org/stable/c/de24aceb07d426b6f1c59f33889d6a964770547b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48632 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48632", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()\n\nmemcpy() is called in a loop while 'operation->length' upper bound\nis not checked and 'data_idx' also increments.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48632\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48632\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48632\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48632\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48632\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b5ab5fbe69ebbee5692c72b05071a43fc0655d8\",\n \"https://git.kernel.org/stable/c/48ee0a864d1af02eea98fc825cc230d61517a71e\",\n \"https://git.kernel.org/stable/c/dc2a0c587006f29b724069740c48654b9dcaebd2\",\n \"https://git.kernel.org/stable/c/de24aceb07d426b6f1c59f33889d6a964770547b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()\\n\\nmemcpy() is called in a loop while 'operation->length' upper bound\\nis not checked and 'data_idx' also increments.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48632\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48633", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48633" + }, + { + "url": "https://git.kernel.org/stable/c/55c077d97fa67e9f19952bb24122a8316b089474" + }, + { + "url": "https://git.kernel.org/stable/c/b6f25c3b94f2aadbf5cbef954db4073614943d74" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48633 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48633", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix WARN_ON(lock->magic != lock) error\n\npsb_gem_unpin() calls dma_resv_lock() but the underlying ww_mutex\ngets destroyed by drm_gem_object_release() move the\ndrm_gem_object_release() call in psb_gem_free_object() to after\nthe unpin to fix the below warning:\n\n[ 79.693962] ------------[ cut here ]------------\n[ 79.693992] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n[ 79.694015] WARNING: CPU: 0 PID: 240 at kernel/locking/mutex.c:582 __ww_mutex_lock.constprop.0+0x569/0xfb0\n[ 79.694052] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer qrtr bnep ath9k ath9k_common ath9k_hw snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel ath3k snd_intel_dspcfg mac80211 snd_intel_sdw_acpi btusb snd_hda_codec btrtl btbcm btintel btmtk bluetooth at24 snd_hda_core snd_hwdep uvcvideo snd_seq libarc4 videobuf2_vmalloc ath videobuf2_memops videobuf2_v4l2 videobuf2_common snd_seq_device videodev acer_wmi intel_powerclamp coretemp mc snd_pcm joydev sparse_keymap ecdh_generic pcspkr wmi_bmof cfg80211 i2c_i801 i2c_smbus snd_timer snd r8169 rfkill lpc_ich soundcore acpi_cpufreq zram rtsx_pci_sdmmc mmc_core serio_raw rtsx_pci gma500_gfx(E) video wmi ip6_tables ip_tables i2c_dev fuse\n[ 79.694436] CPU: 0 PID: 240 Comm: plymouthd Tainted: G W E 6.0.0-rc3+ #490\n[ 79.694457] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[ 79.694469] RIP: 0010:__ww_mutex_lock.constprop.0+0x569/0xfb0\n[ 79.694496] Code: ff 85 c0 0f 84 15 fb ff ff 8b 05 ca 3c 11 01 85 c0 0f 85 07 fb ff ff 48 c7 c6 30 cb 84 aa 48 c7 c7 a3 e1 82 aa e8 ac 29 f8 ff <0f> 0b e9 ed fa ff ff e8 5b 83 8a ff 85 c0 74 10 44 8b 0d 98 3c 11\n[ 79.694513] RSP: 0018:ffffad1dc048bbe0 EFLAGS: 00010282\n[ 79.694623] RAX: 0000000000000028 RBX: 0000000000000000 RCX: 0000000000000000\n[ 79.694636] RDX: 0000000000000001 RSI: ffffffffaa8b0ffc RDI: 00000000ffffffff\n[ 79.694650] RBP: ffffad1dc048bc80 R08: 0000000000000000 R09: ffffad1dc048ba90\n[ 79.694662] R10: 0000000000000003 R11: ffffffffaad62fe8 R12: ffff9ff302103138\n[ 79.694675] R13: ffff9ff306ec8000 R14: ffff9ff307779078 R15: ffff9ff3014c0270\n[ 79.694690] FS: 00007ff1cccf1740(0000) GS:ffff9ff3bc200000(0000) knlGS:0000000000000000\n[ 79.694705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 79.694719] CR2: 0000559ecbcb4420 CR3: 0000000013210000 CR4: 00000000000006f0\n[ 79.694734] Call Trace:\n[ 79.694749] \n[ 79.694761] ? __schedule+0x47f/0x1670\n[ 79.694796] ? psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\n[ 79.694830] ? lock_is_held_type+0xe3/0x140\n[ 79.694864] ? ww_mutex_lock+0x38/0xa0\n[ 79.694885] ? __cond_resched+0x1c/0x30\n[ 79.694902] ww_mutex_lock+0x38/0xa0\n[ 79.694925] psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\n[ 79.694964] psb_gem_unpin+0x199/0x1a0 [gma500_gfx]\n[ 79.694996] drm_gem_object_release_handle+0x50/0x60\n[ 79.695020] ? drm_gem_object_handle_put_unlocked+0xf0/0xf0\n[ 79.695042] idr_for_each+0x4b/0xb0\n[ 79.695066] ? _raw_spin_unlock_irqrestore+0x30/0x60\n[ 79.695095] drm_gem_release+0x1c/0x30\n[ 79.695118] drm_file_free.part.0+0x1ea/0x260\n[ 79.695150] drm_release+0x6a/0x120\n[ 79.695175] __fput+0x9f/0x260\n[ 79.695203] task_work_run+0x59/0xa0\n[ 79.695227] do_exit+0x387/0xbe0\n[ 79.695250] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90\n[ 79.695275] ? lockdep_hardirqs_on+0x7d/0x100\n[ 79.695304] do_group_exit+0x33/0xb0\n[ 79.695331] __x64_sys_exit_group+0x14/0x20\n[ 79.695353] do_syscall_64+0x58/0x80\n[ 79.695376] ? up_read+0x17/0x20\n[ 79.695401] ? lock_is_held_type+0xe3/0x140\n[ 79.695429] ? asm_exc_page_fault+0x22/0x30\n[ 79.695450] ? lockdep_hardirqs_on+0x7d/0x100\n[ 79.695473] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 79.695493] RIP: 0033:0x7ff1ccefe3f1\n[ 79.695516] Code: Unable to access opcode bytes at RIP 0x7ff1ccefe3c7.\n[ 79.695607] RSP: 002b:00007ffed4413378 EFLAGS: \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48633\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48633\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48633\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48633\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48633\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/55c077d97fa67e9f19952bb24122a8316b089474\",\n \"https://git.kernel.org/stable/c/b6f25c3b94f2aadbf5cbef954db4073614943d74\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/gma500: Fix WARN_ON(lock->magic != lock) error\\n\\npsb_gem_unpin() calls dma_resv_lock() but the underlying ww_mutex\\ngets destroyed by drm_gem_object_release() move the\\ndrm_gem_object_release() call in psb_gem_free_object() to after\\nthe unpin to fix the below warning:\\n\\n[ 79.693962] ------------[ cut here ]------------\\n[ 79.693992] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\\n[ 79.694015] WARNING: CPU: 0 PID: 240 at kernel/locking/mutex.c:582 __ww_mutex_lock.constprop.0+0x569/0xfb0\\n[ 79.694052] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer qrtr bnep ath9k ath9k_common ath9k_hw snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel ath3k snd_intel_dspcfg mac80211 snd_intel_sdw_acpi btusb snd_hda_codec btrtl btbcm btintel btmtk bluetooth at24 snd_hda_core snd_hwdep uvcvideo snd_seq libarc4 videobuf2_vmalloc ath videobuf2_memops videobuf2_v4l2 videobuf2_common snd_seq_device videodev acer_wmi intel_powerclamp coretemp mc snd_pcm joydev sparse_keymap ecdh_generic pcspkr wmi_bmof cfg80211 i2c_i801 i2c_smbus snd_timer snd r8169 rfkill lpc_ich soundcore acpi_cpufreq zram rtsx_pci_sdmmc mmc_core serio_raw rtsx_pci gma500_gfx(E) video wmi ip6_tables ip_tables i2c_dev fuse\\n[ 79.694436] CPU: 0 PID: 240 Comm: plymouthd Tainted: G W E 6.0.0-rc3+ #490\\n[ 79.694457] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\\n[ 79.694469] RIP: 0010:__ww_mutex_lock.constprop.0+0x569/0xfb0\\n[ 79.694496] Code: ff 85 c0 0f 84 15 fb ff ff 8b 05 ca 3c 11 01 85 c0 0f 85 07 fb ff ff 48 c7 c6 30 cb 84 aa 48 c7 c7 a3 e1 82 aa e8 ac 29 f8 ff <0f> 0b e9 ed fa ff ff e8 5b 83 8a ff 85 c0 74 10 44 8b 0d 98 3c 11\\n[ 79.694513] RSP: 0018:ffffad1dc048bbe0 EFLAGS: 00010282\\n[ 79.694623] RAX: 0000000000000028 RBX: 0000000000000000 RCX: 0000000000000000\\n[ 79.694636] RDX: 0000000000000001 RSI: ffffffffaa8b0ffc RDI: 00000000ffffffff\\n[ 79.694650] RBP: ffffad1dc048bc80 R08: 0000000000000000 R09: ffffad1dc048ba90\\n[ 79.694662] R10: 0000000000000003 R11: ffffffffaad62fe8 R12: ffff9ff302103138\\n[ 79.694675] R13: ffff9ff306ec8000 R14: ffff9ff307779078 R15: ffff9ff3014c0270\\n[ 79.694690] FS: 00007ff1cccf1740(0000) GS:ffff9ff3bc200000(0000) knlGS:0000000000000000\\n[ 79.694705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 79.694719] CR2: 0000559ecbcb4420 CR3: 0000000013210000 CR4: 00000000000006f0\\n[ 79.694734] Call Trace:\\n[ 79.694749] \\n[ 79.694761] ? __schedule+0x47f/0x1670\\n[ 79.694796] ? psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\\n[ 79.694830] ? lock_is_held_type+0xe3/0x140\\n[ 79.694864] ? ww_mutex_lock+0x38/0xa0\\n[ 79.694885] ? __cond_resched+0x1c/0x30\\n[ 79.694902] ww_mutex_lock+0x38/0xa0\\n[ 79.694925] psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\\n[ 79.694964] psb_gem_unpin+0x199/0x1a0 [gma500_gfx]\\n[ 79.694996] drm_gem_object_release_handle+0x50/0x60\\n[ 79.695020] ? drm_gem_object_handle_put_unlocked+0xf0/0xf0\\n[ 79.695042] idr_for_each+0x4b/0xb0\\n[ 79.695066] ? _raw_spin_unlock_irqrestore+0x30/0x60\\n[ 79.695095] drm_gem_release+0x1c/0x30\\n[ 79.695118] drm_file_free.part.0+0x1ea/0x260\\n[ 79.695150] drm_release+0x6a/0x120\\n[ 79.695175] __fput+0x9f/0x260\\n[ 79.695203] task_work_run+0x59/0xa0\\n[ 79.695227] do_exit+0x387/0xbe0\\n[ 79.695250] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90\\n[ 79.695275] ? lockdep_hardirqs_on+0x7d/0x100\\n[ 79.695304] do_group_exit+0x33/0xb0\\n[ 79.695331] __x64_sys_exit_group+0x14/0x20\\n[ 79.695353] do_syscall_64+0x58/0x80\\n[ 79.695376] ? up_read+0x17/0x20\\n[ 79.695401] ? lock_is_held_type+0xe3/0x140\\n[ 79.695429] ? asm_exc_page_fault+0x22/0x30\\n[ 79.695450] ? lockdep_hardirqs_on+0x7d/0x100\\n[ 79.695473] entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n[ 79.695493] RIP: 0033:0x7ff1ccefe3f1\\n[ 79.695516] Code: Unable to access opcode bytes at RIP 0x7ff1ccefe3c7.\\n[ 79.695607] RSP: 002b:00007ffed4413378 EFLAGS: \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48633\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48634", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48634" + }, + { + "url": "https://git.kernel.org/stable/c/63e37a79f7bd939314997e29c2f5a9f0ef184281" + }, + { + "url": "https://git.kernel.org/stable/c/a6ed7624bf4d0a32f2631e74828bca7b7bf15afd" + }, + { + "url": "https://git.kernel.org/stable/c/c5812807e416618477d1bb0049727ce8bb8292fd" + }, + { + "url": "https://git.kernel.org/stable/c/e5ae504c8623476e13032670f1a6d6344d53ec9b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48634 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48634", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix BUG: sleeping function called from invalid context errors\n\ngma_crtc_page_flip() was holding the event_lock spinlock while calling\ncrtc_funcs->mode_set_base() which takes ww_mutex.\n\nThe only reason to hold event_lock is to clear gma_crtc->page_flip_event\non mode_set_base() errors.\n\nInstead unlock it after setting gma_crtc->page_flip_event and on\nerrors re-take the lock and clear gma_crtc->page_flip_event it\nit is still set.\n\nThis fixes the following WARN/stacktrace:\n\n[ 512.122953] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:870\n[ 512.123004] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1253, name: gnome-shell\n[ 512.123031] preempt_count: 1, expected: 0\n[ 512.123048] RCU nest depth: 0, expected: 0\n[ 512.123066] INFO: lockdep is turned off.\n[ 512.123080] irq event stamp: 0\n[ 512.123094] hardirqs last enabled at (0): [<0000000000000000>] 0x0\n[ 512.123134] hardirqs last disabled at (0): [] copy_process+0x9fc/0x1de0\n[ 512.123176] softirqs last enabled at (0): [] copy_process+0x9fc/0x1de0\n[ 512.123207] softirqs last disabled at (0): [<0000000000000000>] 0x0\n[ 512.123233] Preemption disabled at:\n[ 512.123241] [<0000000000000000>] 0x0\n[ 512.123275] CPU: 3 PID: 1253 Comm: gnome-shell Tainted: G W 5.19.0+ #1\n[ 512.123304] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[ 512.123323] Call Trace:\n[ 512.123346] \n[ 512.123370] dump_stack_lvl+0x5b/0x77\n[ 512.123412] __might_resched.cold+0xff/0x13a\n[ 512.123458] ww_mutex_lock+0x1e/0xa0\n[ 512.123495] psb_gem_pin+0x2c/0x150 [gma500_gfx]\n[ 512.123601] gma_pipe_set_base+0x76/0x240 [gma500_gfx]\n[ 512.123708] gma_crtc_page_flip+0x95/0x130 [gma500_gfx]\n[ 512.123808] drm_mode_page_flip_ioctl+0x57d/0x5d0\n[ 512.123897] ? drm_mode_cursor2_ioctl+0x10/0x10\n[ 512.123936] drm_ioctl_kernel+0xa1/0x150\n[ 512.123984] drm_ioctl+0x21f/0x420\n[ 512.124025] ? drm_mode_cursor2_ioctl+0x10/0x10\n[ 512.124070] ? rcu_read_lock_bh_held+0xb/0x60\n[ 512.124104] ? lock_release+0x1ef/0x2d0\n[ 512.124161] __x64_sys_ioctl+0x8d/0xd0\n[ 512.124203] do_syscall_64+0x58/0x80\n[ 512.124239] ? do_syscall_64+0x67/0x80\n[ 512.124267] ? trace_hardirqs_on_prepare+0x55/0xe0\n[ 512.124300] ? do_syscall_64+0x67/0x80\n[ 512.124340] ? rcu_read_lock_sched_held+0x10/0x80\n[ 512.124377] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 512.124411] RIP: 0033:0x7fcc4a70740f\n[ 512.124442] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00\n[ 512.124470] RSP: 002b:00007ffda73f5390 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 512.124503] RAX: ffffffffffffffda RBX: 000055cc9e474500 RCX: 00007fcc4a70740f\n[ 512.124524] RDX: 00007ffda73f5420 RSI: 00000000c01864b0 RDI: 0000000000000009\n[ 512.124544] RBP: 00007ffda73f5420 R08: 000055cc9c0b0cb0 R09: 0000000000000034\n[ 512.124564] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c01864b0\n[ 512.124584] R13: 0000000000000009 R14: 000055cc9df484d0 R15: 000055cc9af5d0c0\n[ 512.124647] ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48634\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48634\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48634\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48634\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48634\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/63e37a79f7bd939314997e29c2f5a9f0ef184281\",\n \"https://git.kernel.org/stable/c/a6ed7624bf4d0a32f2631e74828bca7b7bf15afd\",\n \"https://git.kernel.org/stable/c/c5812807e416618477d1bb0049727ce8bb8292fd\",\n \"https://git.kernel.org/stable/c/e5ae504c8623476e13032670f1a6d6344d53ec9b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/gma500: Fix BUG: sleeping function called from invalid context errors\\n\\ngma_crtc_page_flip() was holding the event_lock spinlock while calling\\ncrtc_funcs->mode_set_base() which takes ww_mutex.\\n\\nThe only reason to hold event_lock is to clear gma_crtc->page_flip_event\\non mode_set_base() errors.\\n\\nInstead unlock it after setting gma_crtc->page_flip_event and on\\nerrors re-take the lock and clear gma_crtc->page_flip_event it\\nit is still set.\\n\\nThis fixes the following WARN/stacktrace:\\n\\n[ 512.122953] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:870\\n[ 512.123004] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1253, name: gnome-shell\\n[ 512.123031] preempt_count: 1, expected: 0\\n[ 512.123048] RCU nest depth: 0, expected: 0\\n[ 512.123066] INFO: lockdep is turned off.\\n[ 512.123080] irq event stamp: 0\\n[ 512.123094] hardirqs last enabled at (0): [<0000000000000000>] 0x0\\n[ 512.123134] hardirqs last disabled at (0): [] copy_process+0x9fc/0x1de0\\n[ 512.123176] softirqs last enabled at (0): [] copy_process+0x9fc/0x1de0\\n[ 512.123207] softirqs last disabled at (0): [<0000000000000000>] 0x0\\n[ 512.123233] Preemption disabled at:\\n[ 512.123241] [<0000000000000000>] 0x0\\n[ 512.123275] CPU: 3 PID: 1253 Comm: gnome-shell Tainted: G W 5.19.0+ #1\\n[ 512.123304] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\\n[ 512.123323] Call Trace:\\n[ 512.123346] \\n[ 512.123370] dump_stack_lvl+0x5b/0x77\\n[ 512.123412] __might_resched.cold+0xff/0x13a\\n[ 512.123458] ww_mutex_lock+0x1e/0xa0\\n[ 512.123495] psb_gem_pin+0x2c/0x150 [gma500_gfx]\\n[ 512.123601] gma_pipe_set_base+0x76/0x240 [gma500_gfx]\\n[ 512.123708] gma_crtc_page_flip+0x95/0x130 [gma500_gfx]\\n[ 512.123808] drm_mode_page_flip_ioctl+0x57d/0x5d0\\n[ 512.123897] ? drm_mode_cursor2_ioctl+0x10/0x10\\n[ 512.123936] drm_ioctl_kernel+0xa1/0x150\\n[ 512.123984] drm_ioctl+0x21f/0x420\\n[ 512.124025] ? drm_mode_cursor2_ioctl+0x10/0x10\\n[ 512.124070] ? rcu_read_lock_bh_held+0xb/0x60\\n[ 512.124104] ? lock_release+0x1ef/0x2d0\\n[ 512.124161] __x64_sys_ioctl+0x8d/0xd0\\n[ 512.124203] do_syscall_64+0x58/0x80\\n[ 512.124239] ? do_syscall_64+0x67/0x80\\n[ 512.124267] ? trace_hardirqs_on_prepare+0x55/0xe0\\n[ 512.124300] ? do_syscall_64+0x67/0x80\\n[ 512.124340] ? rcu_read_lock_sched_held+0x10/0x80\\n[ 512.124377] entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n[ 512.124411] RIP: 0033:0x7fcc4a70740f\\n[ 512.124442] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00\\n[ 512.124470] RSP: 002b:00007ffda73f5390 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\n[ 512.124503] RAX: ffffffffffffffda RBX: 000055cc9e474500 RCX: 00007fcc4a70740f\\n[ 512.124524] RDX: 00007ffda73f5420 RSI: 00000000c01864b0 RDI: 0000000000000009\\n[ 512.124544] RBP: 00007ffda73f5420 R08: 000055cc9c0b0cb0 R09: 0000000000000034\\n[ 512.124564] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c01864b0\\n[ 512.124584] R13: 0000000000000009 R14: 000055cc9df484d0 R15: 000055cc9af5d0c0\\n[ 512.124647] \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48634\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48635", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48635" + }, + { + "url": "https://git.kernel.org/stable/c/17d9c15c9b9e7fb285f7ac5367dfb5f00ff575e3" + }, + { + "url": "https://git.kernel.org/stable/c/60644dffac87b1bb47bdb393aa29d5f2ffcf41a0" + }, + { + "url": "https://git.kernel.org/stable/c/929ef155e1da41c06f4d8ca86ae12b851a83a744" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48635 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48635", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsdax: Fix infinite loop in dax_iomap_rw()\n\nI got an infinite loop and a WARNING report when executing a tail command\nin virtiofs.\n\n WARNING: CPU: 10 PID: 964 at fs/iomap/iter.c:34 iomap_iter+0x3a2/0x3d0\n Modules linked in:\n CPU: 10 PID: 964 Comm: tail Not tainted 5.19.0-rc7\n Call Trace:\n \n dax_iomap_rw+0xea/0x620\n ? __this_cpu_preempt_check+0x13/0x20\n fuse_dax_read_iter+0x47/0x80\n fuse_file_read_iter+0xae/0xd0\n new_sync_read+0xfe/0x180\n ? 0xffffffff81000000\n vfs_read+0x14d/0x1a0\n ksys_read+0x6d/0xf0\n __x64_sys_read+0x1a/0x20\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe tail command will call read() with a count of 0. In this case,\niomap_iter() will report this WARNING, and always return 1 which casuing\nthe infinite loop in dax_iomap_rw().\n\nFixing by checking count whether is 0 in dax_iomap_rw().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48635\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48635\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48635\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48635\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48635\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17d9c15c9b9e7fb285f7ac5367dfb5f00ff575e3\",\n \"https://git.kernel.org/stable/c/60644dffac87b1bb47bdb393aa29d5f2ffcf41a0\",\n \"https://git.kernel.org/stable/c/929ef155e1da41c06f4d8ca86ae12b851a83a744\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfsdax: Fix infinite loop in dax_iomap_rw()\\n\\nI got an infinite loop and a WARNING report when executing a tail command\\nin virtiofs.\\n\\n WARNING: CPU: 10 PID: 964 at fs/iomap/iter.c:34 iomap_iter+0x3a2/0x3d0\\n Modules linked in:\\n CPU: 10 PID: 964 Comm: tail Not tainted 5.19.0-rc7\\n Call Trace:\\n \\n dax_iomap_rw+0xea/0x620\\n ? __this_cpu_preempt_check+0x13/0x20\\n fuse_dax_read_iter+0x47/0x80\\n fuse_file_read_iter+0xae/0xd0\\n new_sync_read+0xfe/0x180\\n ? 0xffffffff81000000\\n vfs_read+0x14d/0x1a0\\n ksys_read+0x6d/0xf0\\n __x64_sys_read+0x1a/0x20\\n do_syscall_64+0x3b/0x90\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nThe tail command will call read() with a count of 0. In this case,\\niomap_iter() will report this WARNING, and always return 1 which casuing\\nthe infinite loop in dax_iomap_rw().\\n\\nFixing by checking count whether is 0 in dax_iomap_rw().\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48635\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48636", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48636" + }, + { + "url": "https://git.kernel.org/stable/c/2e473351400e3dd66f0b71eddcef82ee45a584c1" + }, + { + "url": "https://git.kernel.org/stable/c/49f401a98b318761ca2e15d4c7869a20043fbed4" + }, + { + "url": "https://git.kernel.org/stable/c/650a2e79d176db753654d3dde88e53a2033036ac" + }, + { + "url": "https://git.kernel.org/stable/c/aaba5ff2742043705bc4c02fd0b2b246e2e16da1" + }, + { + "url": "https://git.kernel.org/stable/c/d3a67c21b18f33c79382084af556557c442f12a6" + }, + { + "url": "https://git.kernel.org/stable/c/d86b4267834e6d4af62e3073e48166e349ab1b70" + }, + { + "url": "https://git.kernel.org/stable/c/db7ba07108a48c0f95b74fabbfd5d63e924f992d" + }, + { + "url": "https://git.kernel.org/stable/c/f5fcc9d6d71d9ff7fdbdd4b89074e6e24fffc20b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48636 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48636", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup\n\nFix Oops in dasd_alias_get_start_dev() function caused by the pavgroup\npointer being NULL.\n\nThe pavgroup pointer is checked on the entrance of the function but\nwithout the lcu->lock being held. Therefore there is a race window\nbetween dasd_alias_get_start_dev() and _lcu_update() which sets\npavgroup to NULL with the lcu->lock held.\n\nFix by checking the pavgroup pointer with lcu->lock held.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48636\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48636\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48636\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48636\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48636\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e473351400e3dd66f0b71eddcef82ee45a584c1\",\n \"https://git.kernel.org/stable/c/49f401a98b318761ca2e15d4c7869a20043fbed4\",\n \"https://git.kernel.org/stable/c/650a2e79d176db753654d3dde88e53a2033036ac\",\n \"https://git.kernel.org/stable/c/aaba5ff2742043705bc4c02fd0b2b246e2e16da1\",\n \"https://git.kernel.org/stable/c/d3a67c21b18f33c79382084af556557c442f12a6\",\n \"https://git.kernel.org/stable/c/d86b4267834e6d4af62e3073e48166e349ab1b70\",\n \"https://git.kernel.org/stable/c/db7ba07108a48c0f95b74fabbfd5d63e924f992d\",\n \"https://git.kernel.org/stable/c/f5fcc9d6d71d9ff7fdbdd4b89074e6e24fffc20b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup\\n\\nFix Oops in dasd_alias_get_start_dev() function caused by the pavgroup\\npointer being NULL.\\n\\nThe pavgroup pointer is checked on the entrance of the function but\\nwithout the lcu->lock being held. Therefore there is a race window\\nbetween dasd_alias_get_start_dev() and _lcu_update() which sets\\npavgroup to NULL with the lcu->lock held.\\n\\nFix by checking the pavgroup pointer with lcu->lock held.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48636\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48637", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48637" + }, + { + "url": "https://git.kernel.org/stable/c/08483e4c0c83b221b8891434a04cec405dee94a6" + }, + { + "url": "https://git.kernel.org/stable/c/32afa1f23e42cc635ccf4c39f24514d03d1e8338" + }, + { + "url": "https://git.kernel.org/stable/c/c31f26c8f69f776759cbbdfb38e40ea91aa0dd65" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48637 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48637", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: prevent skb UAF after handing over to PTP worker\n\nWhen reading the timestamp is required bnxt_tx_int() hands\nover the ownership of the completed skb to the PTP worker.\nThe skb should not be used afterwards, as the worker may\nrun before the rest of our code and free the skb, leading\nto a use-after-free.\n\nSince dev_kfree_skb_any() accepts NULL make the loss of\nownership more obvious and set skb to NULL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48637\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48637\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48637\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48637\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48637\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08483e4c0c83b221b8891434a04cec405dee94a6\",\n \"https://git.kernel.org/stable/c/32afa1f23e42cc635ccf4c39f24514d03d1e8338\",\n \"https://git.kernel.org/stable/c/c31f26c8f69f776759cbbdfb38e40ea91aa0dd65\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbnxt: prevent skb UAF after handing over to PTP worker\\n\\nWhen reading the timestamp is required bnxt_tx_int() hands\\nover the ownership of the completed skb to the PTP worker.\\nThe skb should not be used afterwards, as the worker may\\nrun before the rest of our code and free the skb, leading\\nto a use-after-free.\\n\\nSince dev_kfree_skb_any() accepts NULL make the loss of\\nownership more obvious and set skb to NULL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48637\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48638", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48638" + }, + { + "url": "https://git.kernel.org/stable/c/1e9571887f97b17cf3ffe9aa4da89090ea60988b" + }, + { + "url": "https://git.kernel.org/stable/c/8484a356cee8ce3d6a8e6266ff99be326e9273ad" + }, + { + "url": "https://git.kernel.org/stable/c/df02452f3df069a59bc9e69c84435bf115cb6e37" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48638 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48638", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: cgroup_get_from_id() must check the looked-up kn is a directory\n\ncgroup has to be one kernfs dir, otherwise kernel panic is caused,\nespecially cgroup id is provide from userspace.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48638\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48638\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48638\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48638\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48638\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e9571887f97b17cf3ffe9aa4da89090ea60988b\",\n \"https://git.kernel.org/stable/c/8484a356cee8ce3d6a8e6266ff99be326e9273ad\",\n \"https://git.kernel.org/stable/c/df02452f3df069a59bc9e69c84435bf115cb6e37\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncgroup: cgroup_get_from_id() must check the looked-up kn is a directory\\n\\ncgroup has to be one kernfs dir, otherwise kernel panic is caused,\\nespecially cgroup id is provide from userspace.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48638\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48639", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48639" + }, + { + "url": "https://git.kernel.org/stable/c/0559d91ee3a2cd81b15ad5cd507539d6da867f88" + }, + { + "url": "https://git.kernel.org/stable/c/8844c750eeb03452e2b3319c27a526f447b82596" + }, + { + "url": "https://git.kernel.org/stable/c/903f7d322c17d8e306d766404b4604e81653902a" + }, + { + "url": "https://git.kernel.org/stable/c/c2e1cfefcac35e0eea229e148c8284088ce437b5" + }, + { + "url": "https://git.kernel.org/stable/c/f8162aed962be8fa07445b2b5928e84ab40dd8d7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48639 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48639", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix possible refcount leak in tc_new_tfilter()\n\ntfilter_put need to be called to put the refount got by tp->ops->get to\navoid possible refcount leak when chain->tmplt_ops != NULL and\nchain->tmplt_ops != tp->ops.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48639\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48639\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48639\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48639\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48639\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0559d91ee3a2cd81b15ad5cd507539d6da867f88\",\n \"https://git.kernel.org/stable/c/8844c750eeb03452e2b3319c27a526f447b82596\",\n \"https://git.kernel.org/stable/c/903f7d322c17d8e306d766404b4604e81653902a\",\n \"https://git.kernel.org/stable/c/c2e1cfefcac35e0eea229e148c8284088ce437b5\",\n \"https://git.kernel.org/stable/c/f8162aed962be8fa07445b2b5928e84ab40dd8d7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: sched: fix possible refcount leak in tc_new_tfilter()\\n\\ntfilter_put need to be called to put the refount got by tp->ops->get to\\navoid possible refcount leak when chain->tmplt_ops != NULL and\\nchain->tmplt_ops != tp->ops.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48639\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48640", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48640" + }, + { + "url": "https://git.kernel.org/stable/c/0e400d602f46360752e4b32ce842dba3808e15e6" + }, + { + "url": "https://git.kernel.org/stable/c/2c8e8ab53acfc78da0b4a65f30cb5d306e7d78f7" + }, + { + "url": "https://git.kernel.org/stable/c/ec3a6f4ffe556a28f6f5028bf7c4412557e7051b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48640 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48640", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix NULL deref in bond_rr_gen_slave_id\n\nFix a NULL dereference of the struct bonding.rr_tx_counter member because\nif a bond is initially created with an initial mode != zero (Round Robin)\nthe memory required for the counter is never created and when the mode is\nchanged there is never any attempt to verify the memory is allocated upon\nswitching modes.\n\nThis causes the following Oops on an aarch64 machine:\n [ 334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000\n [ 334.694703] Mem abort info:\n [ 334.697486] ESR = 0x0000000096000004\n [ 334.701234] EC = 0x25: DABT (current EL), IL = 32 bits\n [ 334.706536] SET = 0, FnV = 0\n [ 334.709579] EA = 0, S1PTW = 0\n [ 334.712719] FSC = 0x04: level 0 translation fault\n [ 334.717586] Data abort info:\n [ 334.720454] ISV = 0, ISS = 0x00000004\n [ 334.724288] CM = 0, WnR = 0\n [ 334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000\n [ 334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000\n [ 334.740734] Internal error: Oops: 96000004 [#1] SMP\n [ 334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon\n [ 334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4\n [ 334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021\n [ 334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n [ 334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]\n [ 334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n [ 334.807962] sp : ffff8000221733e0\n [ 334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c\n [ 334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000\n [ 334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0\n [ 334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014\n [ 334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62\n [ 334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000\n [ 334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec\n [ 334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742\n [ 334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400\n [ 334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0\n [ 334.882532] Call trace:\n [ 334.884967] bond_rr_gen_slave_id+0x40/0x124 [bonding]\n [ 334.890109] bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n [ 334.896033] __bond_start_xmit+0x128/0x3a0 [bonding]\n [ 334.901001] bond_start_xmit+0x54/0xb0 [bonding]\n [ 334.905622] dev_hard_start_xmit+0xb4/0x220\n [ 334.909798] __dev_queue_xmit+0x1a0/0x720\n [ 334.913799] arp_xmit+0x3c/0xbc\n [ 334.916932] arp_send_dst+0x98/0xd0\n [ 334.920410] arp_solicit+0xe8/0x230\n [ 334.923888] neigh_probe+0x60/0xb0\n [ 334.927279] __neigh_event_send+0x3b0/0x470\n [ 334.931453] neigh_resolve_output+0x70/0x90\n [ 334.935626] ip_finish_output2+0x158/0x514\n [ 334.939714] __ip_finish_output+0xac/0x1a4\n [ 334.943800] ip_finish_output+0x40/0xfc\n [ 334.947626] ip_output+0xf8/0x1a4\n [ 334.950931] ip_send_skb+0x5c/0x100\n [ 334.954410] ip_push_pending_frames+0x3c/0x60\n [ 334.958758] raw_sendmsg+0x458/0x6d0\n [ 334.962325] inet_sendmsg+0x50/0x80\n [ 334.965805] sock_sendmsg+0x60/0x6c\n [ 334.969286] __sys_sendto+0xc8/0x134\n [ 334.972853] __arm64_sys_sendto+0x34/0x4c\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48640\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48640\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48640\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48640\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48640\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e400d602f46360752e4b32ce842dba3808e15e6\",\n \"https://git.kernel.org/stable/c/2c8e8ab53acfc78da0b4a65f30cb5d306e7d78f7\",\n \"https://git.kernel.org/stable/c/ec3a6f4ffe556a28f6f5028bf7c4412557e7051b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbonding: fix NULL deref in bond_rr_gen_slave_id\\n\\nFix a NULL dereference of the struct bonding.rr_tx_counter member because\\nif a bond is initially created with an initial mode != zero (Round Robin)\\nthe memory required for the counter is never created and when the mode is\\nchanged there is never any attempt to verify the memory is allocated upon\\nswitching modes.\\n\\nThis causes the following Oops on an aarch64 machine:\\n [ 334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000\\n [ 334.694703] Mem abort info:\\n [ 334.697486] ESR = 0x0000000096000004\\n [ 334.701234] EC = 0x25: DABT (current EL), IL = 32 bits\\n [ 334.706536] SET = 0, FnV = 0\\n [ 334.709579] EA = 0, S1PTW = 0\\n [ 334.712719] FSC = 0x04: level 0 translation fault\\n [ 334.717586] Data abort info:\\n [ 334.720454] ISV = 0, ISS = 0x00000004\\n [ 334.724288] CM = 0, WnR = 0\\n [ 334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000\\n [ 334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000\\n [ 334.740734] Internal error: Oops: 96000004 [#1] SMP\\n [ 334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon\\n [ 334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4\\n [ 334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021\\n [ 334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n [ 334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]\\n [ 334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\\n [ 334.807962] sp : ffff8000221733e0\\n [ 334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c\\n [ 334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000\\n [ 334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0\\n [ 334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014\\n [ 334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62\\n [ 334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000\\n [ 334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec\\n [ 334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742\\n [ 334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400\\n [ 334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0\\n [ 334.882532] Call trace:\\n [ 334.884967] bond_rr_gen_slave_id+0x40/0x124 [bonding]\\n [ 334.890109] bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\\n [ 334.896033] __bond_start_xmit+0x128/0x3a0 [bonding]\\n [ 334.901001] bond_start_xmit+0x54/0xb0 [bonding]\\n [ 334.905622] dev_hard_start_xmit+0xb4/0x220\\n [ 334.909798] __dev_queue_xmit+0x1a0/0x720\\n [ 334.913799] arp_xmit+0x3c/0xbc\\n [ 334.916932] arp_send_dst+0x98/0xd0\\n [ 334.920410] arp_solicit+0xe8/0x230\\n [ 334.923888] neigh_probe+0x60/0xb0\\n [ 334.927279] __neigh_event_send+0x3b0/0x470\\n [ 334.931453] neigh_resolve_output+0x70/0x90\\n [ 334.935626] ip_finish_output2+0x158/0x514\\n [ 334.939714] __ip_finish_output+0xac/0x1a4\\n [ 334.943800] ip_finish_output+0x40/0xfc\\n [ 334.947626] ip_output+0xf8/0x1a4\\n [ 334.950931] ip_send_skb+0x5c/0x100\\n [ 334.954410] ip_push_pending_frames+0x3c/0x60\\n [ 334.958758] raw_sendmsg+0x458/0x6d0\\n [ 334.962325] inet_sendmsg+0x50/0x80\\n [ 334.965805] sock_sendmsg+0x60/0x6c\\n [ 334.969286] __sys_sendto+0xc8/0x134\\n [ 334.972853] __arm64_sys_sendto+0x34/0x4c\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48640\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48641", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48641" + }, + { + "url": "https://git.kernel.org/stable/c/11ebf32fde46572b0aaf3c2bdd97d923ef5a03ab" + }, + { + "url": "https://git.kernel.org/stable/c/1e98318af2f163eadaff815abcef38d27ca92c1e" + }, + { + "url": "https://git.kernel.org/stable/c/38cf372b17f0a5f35c1b716a100532d539f0eb33" + }, + { + "url": "https://git.kernel.org/stable/c/62ce44c4fff947eebdf10bb582267e686e6835c9" + }, + { + "url": "https://git.kernel.org/stable/c/754e8b74281dd54a324698803483f47cf3355ae1" + }, + { + "url": "https://git.kernel.org/stable/c/d5917b7af7cae0e2804f9d127a03268035098b7f" + }, + { + "url": "https://git.kernel.org/stable/c/ebd97dbe3c55d68346b9c5fb00634a7f5b10bbee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48641 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48641", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix memory leak when blob is malformed\n\nThe bug fix was incomplete, it \"replaced\" crash with a memory leak.\nThe old code had an assignment to \"ret\" embedded into the conditional,\nrestore this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48641\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48641\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48641\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48641\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48641\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11ebf32fde46572b0aaf3c2bdd97d923ef5a03ab\",\n \"https://git.kernel.org/stable/c/1e98318af2f163eadaff815abcef38d27ca92c1e\",\n \"https://git.kernel.org/stable/c/38cf372b17f0a5f35c1b716a100532d539f0eb33\",\n \"https://git.kernel.org/stable/c/62ce44c4fff947eebdf10bb582267e686e6835c9\",\n \"https://git.kernel.org/stable/c/754e8b74281dd54a324698803483f47cf3355ae1\",\n \"https://git.kernel.org/stable/c/d5917b7af7cae0e2804f9d127a03268035098b7f\",\n \"https://git.kernel.org/stable/c/ebd97dbe3c55d68346b9c5fb00634a7f5b10bbee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: ebtables: fix memory leak when blob is malformed\\n\\nThe bug fix was incomplete, it \\\"replaced\\\" crash with a memory leak.\\nThe old code had an assignment to \\\"ret\\\" embedded into the conditional,\\nrestore this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48641\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48642", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48642" + }, + { + "url": "https://git.kernel.org/stable/c/08d7524f366a886b99b1630a24a27dd6e0d7f852" + }, + { + "url": "https://git.kernel.org/stable/c/985b031667c3177b9e7fb9787b989628e4271714" + }, + { + "url": "https://git.kernel.org/stable/c/9a4d6dd554b86e65581ef6b6638a39ae079b17ac" + }, + { + "url": "https://git.kernel.org/stable/c/b043a525a3f5520abb676a7cd8f6328fdf959e88" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48642 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48642", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix percpu memory leak at nf_tables_addchain()\n\nIt seems to me that percpu memory for chain stats started leaking since\ncommit 3bc158f8d0330f0a (\"netfilter: nf_tables: map basechain priority to\nhardware priority\") when nft_chain_offload_priority() returned an error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48642\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48642\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48642\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48642\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48642\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08d7524f366a886b99b1630a24a27dd6e0d7f852\",\n \"https://git.kernel.org/stable/c/985b031667c3177b9e7fb9787b989628e4271714\",\n \"https://git.kernel.org/stable/c/9a4d6dd554b86e65581ef6b6638a39ae079b17ac\",\n \"https://git.kernel.org/stable/c/b043a525a3f5520abb676a7cd8f6328fdf959e88\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: fix percpu memory leak at nf_tables_addchain()\\n\\nIt seems to me that percpu memory for chain stats started leaking since\\ncommit 3bc158f8d0330f0a (\\\"netfilter: nf_tables: map basechain priority to\\nhardware priority\\\") when nft_chain_offload_priority() returned an error.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48642\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48643", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48643" + }, + { + "url": "https://git.kernel.org/stable/c/710e3f526bd23a0d33435dedc52c3144de284378" + }, + { + "url": "https://git.kernel.org/stable/c/8bcad2a931313aeba076b76922d5813ef97d0a91" + }, + { + "url": "https://git.kernel.org/stable/c/91aa52652f4b37089aff3cb53e83049d826fef6d" + }, + { + "url": "https://git.kernel.org/stable/c/921ebde3c0d22c8cba74ce8eb3cc4626abff1ccd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48643 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48643", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix nft_counters_enabled underflow at nf_tables_addchain()\n\nsyzbot is reporting underflow of nft_counters_enabled counter at\nnf_tables_addchain() [1], for commit 43eb8949cfdffa76 (\"netfilter:\nnf_tables: do not leave chain stats enabled on error\") missed that\nnf_tables_chain_destroy() after nft_basechain_init() in the error path of\nnf_tables_addchain() decrements the counter because nft_basechain_init()\nmakes nft_is_base_chain() return true by setting NFT_CHAIN_BASE flag.\n\nIncrement the counter immediately after returning from\nnft_basechain_init().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48643\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48643\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48643\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48643\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48643\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/710e3f526bd23a0d33435dedc52c3144de284378\",\n \"https://git.kernel.org/stable/c/8bcad2a931313aeba076b76922d5813ef97d0a91\",\n \"https://git.kernel.org/stable/c/91aa52652f4b37089aff3cb53e83049d826fef6d\",\n \"https://git.kernel.org/stable/c/921ebde3c0d22c8cba74ce8eb3cc4626abff1ccd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: fix nft_counters_enabled underflow at nf_tables_addchain()\\n\\nsyzbot is reporting underflow of nft_counters_enabled counter at\\nnf_tables_addchain() [1], for commit 43eb8949cfdffa76 (\\\"netfilter:\\nnf_tables: do not leave chain stats enabled on error\\\") missed that\\nnf_tables_chain_destroy() after nft_basechain_init() in the error path of\\nnf_tables_addchain() decrements the counter because nft_basechain_init()\\nmakes nft_is_base_chain() return true by setting NFT_CHAIN_BASE flag.\\n\\nIncrement the counter immediately after returning from\\nnft_basechain_init().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48643\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48644", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48644" + }, + { + "url": "https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb" + }, + { + "url": "https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323" + }, + { + "url": "https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76" + }, + { + "url": "https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92" + }, + { + "url": "https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48644 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48644", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: avoid disabling offload when it was never enabled\n\nIn an incredibly strange API design decision, qdisc->destroy() gets\ncalled even if qdisc->init() never succeeded, not exclusively since\ncommit 87b60cfacf9f (\"net_sched: fix error recovery at qdisc creation\"),\nbut apparently also earlier (in the case of qdisc_create_dflt()).\n\nThe taprio qdisc does not fully acknowledge this when it attempts full\noffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in\ntaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS\nparsed from netlink (in taprio_change(), tail called from taprio_init()).\n\nBut in taprio_destroy(), we call taprio_disable_offload(), and this\ndetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).\n\nBut looking at the implementation of FULL_OFFLOAD_IS_ENABLED()\n(a bitwise check of bit 1 in q->flags), it is invalid to call this macro\non q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set\nto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on\nan invalid set of flags.\n\nAs a result, it is possible to crash the kernel if user space forces an\nerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling\nof taprio_enable_offload(). This is because drivers do not expect the\noffload to be disabled when it was never enabled.\n\nThe error that we force here is to attach taprio as a non-root qdisc,\nbut instead as child of an mqprio root qdisc:\n\n$ tc qdisc add dev swp0 root handle 1: \\\n\tmqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc qdisc replace dev swp0 parent 1:1 \\\n\ttaprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 990000 sched-entry S 0x80 100000 \\\n\tflags 0x0 clockid CLOCK_TAI\nUnable to handle kernel paging request at virtual address fffffffffffffff8\n[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCall trace:\n taprio_dump+0x27c/0x310\n vsc9959_port_setup_tc+0x1f4/0x460\n felix_port_setup_tc+0x24/0x3c\n dsa_slave_setup_tc+0x54/0x27c\n taprio_disable_offload.isra.0+0x58/0xe0\n taprio_destroy+0x80/0x104\n qdisc_create+0x240/0x470\n tc_modify_qdisc+0x1fc/0x6b0\n rtnetlink_rcv_msg+0x12c/0x390\n netlink_rcv_skb+0x5c/0x130\n rtnetlink_rcv+0x1c/0x2c\n\nFix this by keeping track of the operations we made, and undo the\noffload only if we actually did it.\n\nI've added \"bool offloaded\" inside a 4 byte hole between \"int clockid\"\nand \"atomic64_t picos_per_byte\". Now the first cache line looks like\nbelow:\n\n$ pahole -C taprio_sched net/sched/sch_taprio.o\nstruct taprio_sched {\n struct Qdisc * * qdiscs; /* 0 8 */\n struct Qdisc * root; /* 8 8 */\n u32 flags; /* 16 4 */\n enum tk_offsets tk_offset; /* 20 4 */\n int clockid; /* 24 4 */\n bool offloaded; /* 28 1 */\n\n /* XXX 3 bytes hole, try to pack */\n\n atomic64_t picos_per_byte; /* 32 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n spinlock_t current_entry_lock; /* 40 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n struct sched_entry * current_entry; /* 48 8 */\n struct sched_gate_list * oper_sched; /* 56 8 */\n /* --- cacheline 1 boundary (64 bytes) --- */", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48644\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48644\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48644\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48644\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48644\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb\",\n \"https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323\",\n \"https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76\",\n \"https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92\",\n \"https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: taprio: avoid disabling offload when it was never enabled\\n\\nIn an incredibly strange API design decision, qdisc->destroy() gets\\ncalled even if qdisc->init() never succeeded, not exclusively since\\ncommit 87b60cfacf9f (\\\"net_sched: fix error recovery at qdisc creation\\\"),\\nbut apparently also earlier (in the case of qdisc_create_dflt()).\\n\\nThe taprio qdisc does not fully acknowledge this when it attempts full\\noffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in\\ntaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS\\nparsed from netlink (in taprio_change(), tail called from taprio_init()).\\n\\nBut in taprio_destroy(), we call taprio_disable_offload(), and this\\ndetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).\\n\\nBut looking at the implementation of FULL_OFFLOAD_IS_ENABLED()\\n(a bitwise check of bit 1 in q->flags), it is invalid to call this macro\\non q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set\\nto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on\\nan invalid set of flags.\\n\\nAs a result, it is possible to crash the kernel if user space forces an\\nerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling\\nof taprio_enable_offload(). This is because drivers do not expect the\\noffload to be disabled when it was never enabled.\\n\\nThe error that we force here is to attach taprio as a non-root qdisc,\\nbut instead as child of an mqprio root qdisc:\\n\\n$ tc qdisc add dev swp0 root handle 1: \\\\\\n\\tmqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\\\\n\\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\\n$ tc qdisc replace dev swp0 parent 1:1 \\\\\\n\\ttaprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\\\\n\\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\\\\n\\tsched-entry S 0x7f 990000 sched-entry S 0x80 100000 \\\\\\n\\tflags 0x0 clockid CLOCK_TAI\\nUnable to handle kernel paging request at virtual address fffffffffffffff8\\n[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000\\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\\nCall trace:\\n taprio_dump+0x27c/0x310\\n vsc9959_port_setup_tc+0x1f4/0x460\\n felix_port_setup_tc+0x24/0x3c\\n dsa_slave_setup_tc+0x54/0x27c\\n taprio_disable_offload.isra.0+0x58/0xe0\\n taprio_destroy+0x80/0x104\\n qdisc_create+0x240/0x470\\n tc_modify_qdisc+0x1fc/0x6b0\\n rtnetlink_rcv_msg+0x12c/0x390\\n netlink_rcv_skb+0x5c/0x130\\n rtnetlink_rcv+0x1c/0x2c\\n\\nFix this by keeping track of the operations we made, and undo the\\noffload only if we actually did it.\\n\\nI've added \\\"bool offloaded\\\" inside a 4 byte hole between \\\"int clockid\\\"\\nand \\\"atomic64_t picos_per_byte\\\". Now the first cache line looks like\\nbelow:\\n\\n$ pahole -C taprio_sched net/sched/sch_taprio.o\\nstruct taprio_sched {\\n struct Qdisc * * qdiscs; /* 0 8 */\\n struct Qdisc * root; /* 8 8 */\\n u32 flags; /* 16 4 */\\n enum tk_offsets tk_offset; /* 20 4 */\\n int clockid; /* 24 4 */\\n bool offloaded; /* 28 1 */\\n\\n /* XXX 3 bytes hole, try to pack */\\n\\n atomic64_t picos_per_byte; /* 32 0 */\\n\\n /* XXX 8 bytes hole, try to pack */\\n\\n spinlock_t current_entry_lock; /* 40 0 */\\n\\n /* XXX 8 bytes hole, try to pack */\\n\\n struct sched_entry * current_entry; /* 48 8 */\\n struct sched_gate_list * oper_sched; /* 56 8 */\\n /* --- cacheline 1 boundary (64 bytes) --- */\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48644\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48645", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48645" + }, + { + "url": "https://git.kernel.org/stable/c/23022b74b1a23bed044f6bc96cf92f6ca5f3e75f" + }, + { + "url": "https://git.kernel.org/stable/c/510e703e4ed0e011db860bc21228aff48fc9eea7" + }, + { + "url": "https://git.kernel.org/stable/c/5641c751fe2f92d3d9e8a8e03c1263ac8caa0b42" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48645 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48645", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: deny offload of tc-based TSN features on VF interfaces\n\nTSN features on the ENETC (taprio, cbs, gate, police) are configured\nthrough a mix of command BD ring messages and port registers:\nenetc_port_rd(), enetc_port_wr().\n\nPort registers are a region of the ENETC memory map which are only\naccessible from the PCIe Physical Function. They are not accessible from\nthe Virtual Functions.\n\nMoreover, attempting to access these registers crashes the kernel:\n\n$ echo 1 > /sys/bus/pci/devices/0000\\:00\\:00.0/sriov_numvfs\npci 0000:00:01.0: [1957:ef00] type 00 class 0x020001\nfsl_enetc_vf 0000:00:01.0: Adding to iommu group 15\nfsl_enetc_vf 0000:00:01.0: enabling device (0000 -> 0002)\nfsl_enetc_vf 0000:00:01.0 eno0vf0: renamed from eth0\n$ tc qdisc replace dev eno0vf0 root taprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 900000 sched-entry S 0x80 100000 flags 0x2\nUnable to handle kernel paging request at virtual address ffff800009551a08\nInternal error: Oops: 96000007 [#1] PREEMPT SMP\npc : enetc_setup_tc_taprio+0x170/0x47c\nlr : enetc_setup_tc_taprio+0x16c/0x47c\nCall trace:\n enetc_setup_tc_taprio+0x170/0x47c\n enetc_setup_tc+0x38/0x2dc\n taprio_change+0x43c/0x970\n taprio_init+0x188/0x1e0\n qdisc_create+0x114/0x470\n tc_modify_qdisc+0x1fc/0x6c0\n rtnetlink_rcv_msg+0x12c/0x390\n\nSplit enetc_setup_tc() into separate functions for the PF and for the\nVF drivers. Also remove enetc_qos.o from being included into\nenetc-vf.ko, since it serves absolutely no purpose there.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48645\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48645\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48645\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48645\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48645\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23022b74b1a23bed044f6bc96cf92f6ca5f3e75f\",\n \"https://git.kernel.org/stable/c/510e703e4ed0e011db860bc21228aff48fc9eea7\",\n \"https://git.kernel.org/stable/c/5641c751fe2f92d3d9e8a8e03c1263ac8caa0b42\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: enetc: deny offload of tc-based TSN features on VF interfaces\\n\\nTSN features on the ENETC (taprio, cbs, gate, police) are configured\\nthrough a mix of command BD ring messages and port registers:\\nenetc_port_rd(), enetc_port_wr().\\n\\nPort registers are a region of the ENETC memory map which are only\\naccessible from the PCIe Physical Function. They are not accessible from\\nthe Virtual Functions.\\n\\nMoreover, attempting to access these registers crashes the kernel:\\n\\n$ echo 1 > /sys/bus/pci/devices/0000\\\\:00\\\\:00.0/sriov_numvfs\\npci 0000:00:01.0: [1957:ef00] type 00 class 0x020001\\nfsl_enetc_vf 0000:00:01.0: Adding to iommu group 15\\nfsl_enetc_vf 0000:00:01.0: enabling device (0000 -> 0002)\\nfsl_enetc_vf 0000:00:01.0 eno0vf0: renamed from eth0\\n$ tc qdisc replace dev eno0vf0 root taprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\\\\n\\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\\\\n\\tsched-entry S 0x7f 900000 sched-entry S 0x80 100000 flags 0x2\\nUnable to handle kernel paging request at virtual address ffff800009551a08\\nInternal error: Oops: 96000007 [#1] PREEMPT SMP\\npc : enetc_setup_tc_taprio+0x170/0x47c\\nlr : enetc_setup_tc_taprio+0x16c/0x47c\\nCall trace:\\n enetc_setup_tc_taprio+0x170/0x47c\\n enetc_setup_tc+0x38/0x2dc\\n taprio_change+0x43c/0x970\\n taprio_init+0x188/0x1e0\\n qdisc_create+0x114/0x470\\n tc_modify_qdisc+0x1fc/0x6c0\\n rtnetlink_rcv_msg+0x12c/0x390\\n\\nSplit enetc_setup_tc() into separate functions for the PF and for the\\nVF drivers. Also remove enetc_qos.o from being included into\\nenetc-vf.ko, since it serves absolutely no purpose there.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48645\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48646", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48646" + }, + { + "url": "https://git.kernel.org/stable/c/589c6eded10c77a12b7b2cf235b6b19a2bdb91fa" + }, + { + "url": "https://git.kernel.org/stable/c/a4eadca702dff0768dd01be6789bbec2a18e5b0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48646 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48646", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc/siena: fix null pointer dereference in efx_hard_start_xmit\n\nLike in previous patch for sfc, prevent potential (but unlikely) NULL\npointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48646\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48646\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48646\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48646\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48646\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/589c6eded10c77a12b7b2cf235b6b19a2bdb91fa\",\n \"https://git.kernel.org/stable/c/a4eadca702dff0768dd01be6789bbec2a18e5b0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsfc/siena: fix null pointer dereference in efx_hard_start_xmit\\n\\nLike in previous patch for sfc, prevent potential (but unlikely) NULL\\npointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48646\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48647", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48647" + }, + { + "url": "https://git.kernel.org/stable/c/360910b88d1466a90644a4e0533803b594344a2b" + }, + { + "url": "https://git.kernel.org/stable/c/5f623a77cfc2d501d72bcb4f9ee71721e6c766ff" + }, + { + "url": "https://git.kernel.org/stable/c/b4afd3878f961d3517f27b3213730fceef77945c" + }, + { + "url": "https://git.kernel.org/stable/c/f232af4295653afa4ade3230462b3be15ad16419" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48647 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48647", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix TX channel offset when using legacy interrupts\n\nIn legacy interrupt mode the tx_channel_offset was hardcoded to 1, but\nthat's not correct if efx_sepparate_tx_channels is false. In that case,\nthe offset is 0 because the tx queues are in the single existing channel\nat index 0, together with the rx queue.\n\nWithout this fix, as soon as you try to send any traffic, it tries to\nget the tx queues from an uninitialized channel getting these errors:\n WARNING: CPU: 1 PID: 0 at drivers/net/ethernet/sfc/tx.c:540 efx_hard_start_xmit+0x12e/0x170 [sfc]\n [...]\n RIP: 0010:efx_hard_start_xmit+0x12e/0x170 [sfc]\n [...]\n Call Trace:\n \n dev_hard_start_xmit+0xd7/0x230\n sch_direct_xmit+0x9f/0x360\n __dev_queue_xmit+0x890/0xa40\n [...]\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n [...]\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]\n [...]\n Call Trace:\n \n dev_hard_start_xmit+0xd7/0x230\n sch_direct_xmit+0x9f/0x360\n __dev_queue_xmit+0x890/0xa40\n [...]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48647\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48647\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48647\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48647\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48647\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/360910b88d1466a90644a4e0533803b594344a2b\",\n \"https://git.kernel.org/stable/c/5f623a77cfc2d501d72bcb4f9ee71721e6c766ff\",\n \"https://git.kernel.org/stable/c/b4afd3878f961d3517f27b3213730fceef77945c\",\n \"https://git.kernel.org/stable/c/f232af4295653afa4ade3230462b3be15ad16419\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsfc: fix TX channel offset when using legacy interrupts\\n\\nIn legacy interrupt mode the tx_channel_offset was hardcoded to 1, but\\nthat's not correct if efx_sepparate_tx_channels is false. In that case,\\nthe offset is 0 because the tx queues are in the single existing channel\\nat index 0, together with the rx queue.\\n\\nWithout this fix, as soon as you try to send any traffic, it tries to\\nget the tx queues from an uninitialized channel getting these errors:\\n WARNING: CPU: 1 PID: 0 at drivers/net/ethernet/sfc/tx.c:540 efx_hard_start_xmit+0x12e/0x170 [sfc]\\n [...]\\n RIP: 0010:efx_hard_start_xmit+0x12e/0x170 [sfc]\\n [...]\\n Call Trace:\\n \\n dev_hard_start_xmit+0xd7/0x230\\n sch_direct_xmit+0x9f/0x360\\n __dev_queue_xmit+0x890/0xa40\\n [...]\\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\\n [...]\\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]\\n [...]\\n Call Trace:\\n \\n dev_hard_start_xmit+0xd7/0x230\\n sch_direct_xmit+0x9f/0x360\\n __dev_queue_xmit+0x890/0xa40\\n [...]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48647\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48648", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48648" + }, + { + "url": "https://git.kernel.org/stable/c/0a242eb2913a4aa3d6fbdb86559f27628e9466f3" + }, + { + "url": "https://git.kernel.org/stable/c/8547c7bfc0617e7184e4da65b9b96681fcfe9998" + }, + { + "url": "https://git.kernel.org/stable/c/b3b41d4d95d3822b2e459ecbc80d030ea6aec5e7" + }, + { + "url": "https://git.kernel.org/stable/c/b3b952168ee1f220ba729fa100fd9d5aa752eb03" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48648 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48648", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix null pointer dereference in efx_hard_start_xmit\n\nTrying to get the channel from the tx_queue variable here is wrong\nbecause we can only be here if tx_queue is NULL, so we shouldn't\ndereference it. As the above comment in the code says, this is very\nunlikely to happen, but it's wrong anyway so let's fix it.\n\nI hit this issue because of a different bug that caused tx_queue to be\nNULL. If that happens, this is the error message that we get here:\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n [...]\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48648\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48648\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48648\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48648\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48648\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a242eb2913a4aa3d6fbdb86559f27628e9466f3\",\n \"https://git.kernel.org/stable/c/8547c7bfc0617e7184e4da65b9b96681fcfe9998\",\n \"https://git.kernel.org/stable/c/b3b41d4d95d3822b2e459ecbc80d030ea6aec5e7\",\n \"https://git.kernel.org/stable/c/b3b952168ee1f220ba729fa100fd9d5aa752eb03\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsfc: fix null pointer dereference in efx_hard_start_xmit\\n\\nTrying to get the channel from the tx_queue variable here is wrong\\nbecause we can only be here if tx_queue is NULL, so we shouldn't\\ndereference it. As the above comment in the code says, this is very\\nunlikely to happen, but it's wrong anyway so let's fix it.\\n\\nI hit this issue because of a different bug that caused tx_queue to be\\nNULL. If that happens, this is the error message that we get here:\\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\\n [...]\\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48648\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48650", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48650" + }, + { + "url": "https://git.kernel.org/stable/c/601be20fc6a1b762044d2398befffd6bf236cebf" + }, + { + "url": "https://git.kernel.org/stable/c/6a4236ed47f5b0a57eb6b8fb1c351b15b3d341d7" + }, + { + "url": "https://git.kernel.org/stable/c/89df49e561b4a8948521fc3f8a013012eaa08f82" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48650 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48650", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()\n\nCommit 8f394da36a36 (\"scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG\")\nmade the __qlt_24xx_handle_abts() function return early if\ntcm_qla2xxx_find_cmd_by_tag() didn't find a command, but it missed to clean\nup the allocated memory for the management command.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48650\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48650\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48650\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48650\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48650\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/601be20fc6a1b762044d2398befffd6bf236cebf\",\n \"https://git.kernel.org/stable/c/6a4236ed47f5b0a57eb6b8fb1c351b15b3d341d7\",\n \"https://git.kernel.org/stable/c/89df49e561b4a8948521fc3f8a013012eaa08f82\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()\\n\\nCommit 8f394da36a36 (\\\"scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG\\\")\\nmade the __qlt_24xx_handle_abts() function return early if\\ntcm_qla2xxx_find_cmd_by_tag() didn't find a command, but it missed to clean\\nup the allocated memory for the management command.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48650\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48651", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48651" + }, + { + "url": "https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca" + }, + { + "url": "https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be" + }, + { + "url": "https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4" + }, + { + "url": "https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7" + }, + { + "url": "https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638" + }, + { + "url": "https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241" + }, + { + "url": "https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef" + }, + { + "url": "https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48651 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48651", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Fix out-of-bound bugs caused by unset skb->mac_header\n\nIf an AF_PACKET socket is used to send packets through ipvlan and the\ndefault xmit function of the AF_PACKET socket is changed from\ndev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option\nname of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and\nremains as the initial value of 65535, this may trigger slab-out-of-bounds\nbugs as following:\n\n=================================================================\nUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6\nardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33\nall Trace:\nprint_address_description.constprop.0+0x1d/0x160\nprint_report.cold+0x4f/0x112\nkasan_report+0xa3/0x130\nipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nipvlan_start_xmit+0x29/0xa0 [ipvlan]\n__dev_direct_xmit+0x2e2/0x380\npacket_direct_xmit+0x22/0x60\npacket_snd+0x7c9/0xc40\nsock_sendmsg+0x9a/0xa0\n__sys_sendto+0x18a/0x230\n__x64_sys_sendto+0x74/0x90\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is:\n 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW\n and skb->protocol is not specified as in packet_parse_headers()\n\n 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()\n\nIn this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is\ncalled. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which\nuse \"skb->head + skb->mac_header\", out-of-bound access occurs.\n\nThis patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()\nand reset mac header in multicast to solve this out-of-bound bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48651\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48651\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48651\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48651\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48651\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca\",\n \"https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be\",\n \"https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4\",\n \"https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7\",\n \"https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638\",\n \"https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241\",\n \"https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef\",\n \"https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipvlan: Fix out-of-bound bugs caused by unset skb->mac_header\\n\\nIf an AF_PACKET socket is used to send packets through ipvlan and the\\ndefault xmit function of the AF_PACKET socket is changed from\\ndev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option\\nname of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and\\nremains as the initial value of 65535, this may trigger slab-out-of-bounds\\nbugs as following:\\n\\n=================================================================\\nUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\\nPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6\\nardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33\\nall Trace:\\nprint_address_description.constprop.0+0x1d/0x160\\nprint_report.cold+0x4f/0x112\\nkasan_report+0xa3/0x130\\nipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\\nipvlan_start_xmit+0x29/0xa0 [ipvlan]\\n__dev_direct_xmit+0x2e2/0x380\\npacket_direct_xmit+0x22/0x60\\npacket_snd+0x7c9/0xc40\\nsock_sendmsg+0x9a/0xa0\\n__sys_sendto+0x18a/0x230\\n__x64_sys_sendto+0x74/0x90\\ndo_syscall_64+0x3b/0x90\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nThe root cause is:\\n 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW\\n and skb->protocol is not specified as in packet_parse_headers()\\n\\n 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()\\n\\nIn this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is\\ncalled. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which\\nuse \\\"skb->head + skb->mac_header\\\", out-of-bound access occurs.\\n\\nThis patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()\\nand reset mac header in multicast to solve this out-of-bound bug.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.7,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48651\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48653", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48653" + }, + { + "url": "https://git.kernel.org/stable/c/149979e87eb7a365d3d0b259bed79d84ff585a93" + }, + { + "url": "https://git.kernel.org/stable/c/23c619190318376769ad7b61504c2ea0703fb783" + }, + { + "url": "https://git.kernel.org/stable/c/34447d64b8d28e4d6a73d73f07c879959d68fbfe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48653 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48653", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't double unplug aux on peer initiated reset\n\nIn the IDC callback that is accessed when the aux drivers request a reset,\nthe function to unplug the aux devices is called. This function is also\ncalled in the ice_prepare_for_reset function. This double call is causing\na \"scheduling while atomic\" BUG.\n\n[ 662.676430] ice 0000:4c:00.0 rocep76s0: cqp opcode = 0x1 maj_err_code = 0xffff min_err_code = 0x8003\n\n[ 662.676609] ice 0000:4c:00.0 rocep76s0: [Modify QP Cmd Error][op_code=8] status=-29 waiting=1 completion_err=1 maj=0xffff min=0x8003\n\n[ 662.815006] ice 0000:4c:00.0 rocep76s0: ICE OICR event notification: oicr = 0x10000003\n\n[ 662.815014] ice 0000:4c:00.0 rocep76s0: critical PE Error, GLPE_CRITERR=0x00011424\n\n[ 662.815017] ice 0000:4c:00.0 rocep76s0: Requesting a reset\n\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\n\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\n[ 662.815477] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill 8021q garp mrp stp llc vfat fat rpcrdma intel_rapl_msr intel_rapl_common sunrpc i10nm_edac rdma_ucm nfit ib_srpt libnvdimm ib_isert iscsi_target_mod x86_pkg_temp_thermal intel_powerclamp coretemp target_core_mod snd_hda_intel ib_iser snd_intel_dspcfg libiscsi snd_intel_sdw_acpi scsi_transport_iscsi kvm_intel iTCO_wdt rdma_cm snd_hda_codec kvm iw_cm ipmi_ssif iTCO_vendor_support snd_hda_core irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hwdep snd_seq snd_seq_device rapl snd_pcm snd_timer isst_if_mbox_pci pcspkr isst_if_mmio irdma intel_uncore idxd acpi_ipmi joydev isst_if_common snd mei_me idxd_bus ipmi_si soundcore i2c_i801 mei ipmi_devintf i2c_smbus i2c_ismt ipmi_msghandler acpi_power_meter acpi_pad rv(OE) ib_uverbs ib_cm ib_core xfs libcrc32c ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm_ttm_helpe\n r ttm\n[ 662.815546] nvme nvme_core ice drm crc32c_intel i40e t10_pi wmi pinctrl_emmitsburg dm_mirror dm_region_hash dm_log dm_mod fuse\n[ 662.815557] Preemption disabled at:\n[ 662.815558] [<0000000000000000>] 0x0\n[ 662.815563] CPU: 37 PID: 0 Comm: swapper/37 Kdump: loaded Tainted: G S OE 5.17.1 #2\n[ 662.815566] Hardware name: Intel Corporation D50DNP/D50DNP, BIOS SE5C6301.86B.6624.D18.2111021741 11/02/2021\n[ 662.815568] Call Trace:\n[ 662.815572] \n[ 662.815574] dump_stack_lvl+0x33/0x42\n[ 662.815581] __schedule_bug.cold.147+0x7d/0x8a\n[ 662.815588] __schedule+0x798/0x990\n[ 662.815595] schedule+0x44/0xc0\n[ 662.815597] schedule_preempt_disabled+0x14/0x20\n[ 662.815600] __mutex_lock.isra.11+0x46c/0x490\n[ 662.815603] ? __ibdev_printk+0x76/0xc0 [ib_core]\n[ 662.815633] device_del+0x37/0x3d0\n[ 662.815639] ice_unplug_aux_dev+0x1a/0x40 [ice]\n[ 662.815674] ice_schedule_reset+0x3c/0xd0 [ice]\n[ 662.815693] irdma_iidc_event_handler.cold.7+0xb6/0xd3 [irdma]\n[ 662.815712] ? bitmap_find_next_zero_area_off+0x45/0xa0\n[ 662.815719] ice_send_event_to_aux+0x54/0x70 [ice]\n[ 662.815741] ice_misc_intr+0x21d/0x2d0 [ice]\n[ 662.815756] __handle_irq_event_percpu+0x4c/0x180\n[ 662.815762] handle_irq_event_percpu+0xf/0x40\n[ 662.815764] handle_irq_event+0x34/0x60\n[ 662.815766] handle_edge_irq+0x9a/0x1c0\n[ 662.815770] __common_interrupt+0x62/0x100\n[ 662.815774] common_interrupt+0xb4/0xd0\n[ 662.815779] \n[ 662.815780] \n[ 662.815780] asm_common_interrupt+0x1e/0x40\n[ 662.815785] RIP: 0010:cpuidle_enter_state+0xd6/0x380\n[ 662.815789] Code: 49 89 c4 0f 1f 44 00 00 31 ff e8 65 d7 95 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 64 02 00 00 31 ff e8 ae c5 9c ff fb 45 85 f6 <0f> 88 12 01 00 00 49 63 d6 4c 2b 24 24 48 8d 04 52 48 8d 04 82 49\n[ 662.815791] RSP: 0018:ff2c2c4f18edbe80 EFLAGS: 00000202\n[ 662.815793] RAX: ff280805df140000 RBX: 0000000000000002 RCX: 000000000000001f\n[ 662.815795] RDX: 0000009a52da2d08 R\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48653\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48653\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48653\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48653\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48653\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/149979e87eb7a365d3d0b259bed79d84ff585a93\",\n \"https://git.kernel.org/stable/c/23c619190318376769ad7b61504c2ea0703fb783\",\n \"https://git.kernel.org/stable/c/34447d64b8d28e4d6a73d73f07c879959d68fbfe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: Don't double unplug aux on peer initiated reset\\n\\nIn the IDC callback that is accessed when the aux drivers request a reset,\\nthe function to unplug the aux devices is called. This function is also\\ncalled in the ice_prepare_for_reset function. This double call is causing\\na \\\"scheduling while atomic\\\" BUG.\\n\\n[ 662.676430] ice 0000:4c:00.0 rocep76s0: cqp opcode = 0x1 maj_err_code = 0xffff min_err_code = 0x8003\\n\\n[ 662.676609] ice 0000:4c:00.0 rocep76s0: [Modify QP Cmd Error][op_code=8] status=-29 waiting=1 completion_err=1 maj=0xffff min=0x8003\\n\\n[ 662.815006] ice 0000:4c:00.0 rocep76s0: ICE OICR event notification: oicr = 0x10000003\\n\\n[ 662.815014] ice 0000:4c:00.0 rocep76s0: critical PE Error, GLPE_CRITERR=0x00011424\\n\\n[ 662.815017] ice 0000:4c:00.0 rocep76s0: Requesting a reset\\n\\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\\n\\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\\n[ 662.815477] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill 8021q garp mrp stp llc vfat fat rpcrdma intel_rapl_msr intel_rapl_common sunrpc i10nm_edac rdma_ucm nfit ib_srpt libnvdimm ib_isert iscsi_target_mod x86_pkg_temp_thermal intel_powerclamp coretemp target_core_mod snd_hda_intel ib_iser snd_intel_dspcfg libiscsi snd_intel_sdw_acpi scsi_transport_iscsi kvm_intel iTCO_wdt rdma_cm snd_hda_codec kvm iw_cm ipmi_ssif iTCO_vendor_support snd_hda_core irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hwdep snd_seq snd_seq_device rapl snd_pcm snd_timer isst_if_mbox_pci pcspkr isst_if_mmio irdma intel_uncore idxd acpi_ipmi joydev isst_if_common snd mei_me idxd_bus ipmi_si soundcore i2c_i801 mei ipmi_devintf i2c_smbus i2c_ismt ipmi_msghandler acpi_power_meter acpi_pad rv(OE) ib_uverbs ib_cm ib_core xfs libcrc32c ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm_ttm_helpe\\n r ttm\\n[ 662.815546] nvme nvme_core ice drm crc32c_intel i40e t10_pi wmi pinctrl_emmitsburg dm_mirror dm_region_hash dm_log dm_mod fuse\\n[ 662.815557] Preemption disabled at:\\n[ 662.815558] [<0000000000000000>] 0x0\\n[ 662.815563] CPU: 37 PID: 0 Comm: swapper/37 Kdump: loaded Tainted: G S OE 5.17.1 #2\\n[ 662.815566] Hardware name: Intel Corporation D50DNP/D50DNP, BIOS SE5C6301.86B.6624.D18.2111021741 11/02/2021\\n[ 662.815568] Call Trace:\\n[ 662.815572] \\n[ 662.815574] dump_stack_lvl+0x33/0x42\\n[ 662.815581] __schedule_bug.cold.147+0x7d/0x8a\\n[ 662.815588] __schedule+0x798/0x990\\n[ 662.815595] schedule+0x44/0xc0\\n[ 662.815597] schedule_preempt_disabled+0x14/0x20\\n[ 662.815600] __mutex_lock.isra.11+0x46c/0x490\\n[ 662.815603] ? __ibdev_printk+0x76/0xc0 [ib_core]\\n[ 662.815633] device_del+0x37/0x3d0\\n[ 662.815639] ice_unplug_aux_dev+0x1a/0x40 [ice]\\n[ 662.815674] ice_schedule_reset+0x3c/0xd0 [ice]\\n[ 662.815693] irdma_iidc_event_handler.cold.7+0xb6/0xd3 [irdma]\\n[ 662.815712] ? bitmap_find_next_zero_area_off+0x45/0xa0\\n[ 662.815719] ice_send_event_to_aux+0x54/0x70 [ice]\\n[ 662.815741] ice_misc_intr+0x21d/0x2d0 [ice]\\n[ 662.815756] __handle_irq_event_percpu+0x4c/0x180\\n[ 662.815762] handle_irq_event_percpu+0xf/0x40\\n[ 662.815764] handle_irq_event+0x34/0x60\\n[ 662.815766] handle_edge_irq+0x9a/0x1c0\\n[ 662.815770] __common_interrupt+0x62/0x100\\n[ 662.815774] common_interrupt+0xb4/0xd0\\n[ 662.815779] \\n[ 662.815780] \\n[ 662.815780] asm_common_interrupt+0x1e/0x40\\n[ 662.815785] RIP: 0010:cpuidle_enter_state+0xd6/0x380\\n[ 662.815789] Code: 49 89 c4 0f 1f 44 00 00 31 ff e8 65 d7 95 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 64 02 00 00 31 ff e8 ae c5 9c ff fb 45 85 f6 <0f> 88 12 01 00 00 49 63 d6 4c 2b 24 24 48 8d 04 52 48 8d 04 82 49\\n[ 662.815791] RSP: 0018:ff2c2c4f18edbe80 EFLAGS: 00000202\\n[ 662.815793] RAX: ff280805df140000 RBX: 0000000000000002 RCX: 000000000000001f\\n[ 662.815795] RDX: 0000009a52da2d08 R\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48653\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48654", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48654" + }, + { + "url": "https://git.kernel.org/stable/c/559c36c5a8d730c49ef805a72b213d3bba155cc8" + }, + { + "url": "https://git.kernel.org/stable/c/5d75fef3e61e797fab5c3fbba88caa74ab92ad47" + }, + { + "url": "https://git.kernel.org/stable/c/633c81c0449663f57d4138326d036dc6cfad674e" + }, + { + "url": "https://git.kernel.org/stable/c/721ea8ac063d70c2078c4e762212705de6151764" + }, + { + "url": "https://git.kernel.org/stable/c/816eab147e5c6f6621922b8515ad9010ceb1735e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48654 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48654", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()\n\nnf_osf_find() incorrectly returns true on mismatch, this leads to\ncopying uninitialized memory area in nft_osf which can be used to leak\nstale kernel stack data to userspace.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48654\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48654\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48654\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48654\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48654\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/559c36c5a8d730c49ef805a72b213d3bba155cc8\",\n \"https://git.kernel.org/stable/c/5d75fef3e61e797fab5c3fbba88caa74ab92ad47\",\n \"https://git.kernel.org/stable/c/633c81c0449663f57d4138326d036dc6cfad674e\",\n \"https://git.kernel.org/stable/c/721ea8ac063d70c2078c4e762212705de6151764\",\n \"https://git.kernel.org/stable/c/816eab147e5c6f6621922b8515ad9010ceb1735e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()\\n\\nnf_osf_find() incorrectly returns true on mismatch, this leads to\\ncopying uninitialized memory area in nft_osf which can be used to leak\\nstale kernel stack data to userspace.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48654\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48656", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48656" + }, + { + "url": "https://git.kernel.org/stable/c/a17df55bf6d536712da6902a83db82b82e67d5a2" + }, + { + "url": "https://git.kernel.org/stable/c/aa11dae059a439af82bae541b134f8f53ac177b5" + }, + { + "url": "https://git.kernel.org/stable/c/dd5a6c5a08752b613e83ad2cb5133e72a64b876d" + }, + { + "url": "https://git.kernel.org/stable/c/f9fdb0b86f087c2b7f6c6168dd0985a3c1eda87e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48656 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48656", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get()\n\nWe should call of_node_put() for the reference returned by\nof_parse_phandle() in fail path or when it is not used anymore.\nHere we only need to move the of_node_put() before the check.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48656\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48656\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48656\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48656\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48656\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/a17df55bf6d536712da6902a83db82b82e67d5a2\",\n \"https://git.kernel.org/stable/c/aa11dae059a439af82bae541b134f8f53ac177b5\",\n \"https://git.kernel.org/stable/c/dd5a6c5a08752b613e83ad2cb5133e72a64b876d\",\n \"https://git.kernel.org/stable/c/f9fdb0b86f087c2b7f6c6168dd0985a3c1eda87e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get()\\n\\nWe should call of_node_put() for the reference returned by\\nof_parse_phandle() in fail path or when it is not used anymore.\\nHere we only need to move the of_node_put() before the check.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48656\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48658", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48658" + }, + { + "url": "https://git.kernel.org/stable/c/61703b248be993eb4997b00ae5d3318e6d8f3c5b" + }, + { + "url": "https://git.kernel.org/stable/c/df6cb39335cf5a1b918e8dbd8ba7cd9f1d00e45a" + }, + { + "url": "https://git.kernel.org/stable/c/e45cc288724f0cfd497bb5920bcfa60caa335729" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48658 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48658", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.\n\nCommit 5a836bf6b09f (\"mm: slub: move flush_cpu_slab() invocations\n__free_slab() invocations out of IRQ context\") moved all flush_cpu_slab()\ninvocations to the global workqueue to avoid a problem related\nwith deactivate_slab()/__free_slab() being called from an IRQ context\non PREEMPT_RT kernels.\n\nWhen the flush_all_cpu_locked() function is called from a task context\nit may happen that a workqueue with WQ_MEM_RECLAIM bit set ends up\nflushing the global workqueue, this will cause a dependency issue.\n\n workqueue: WQ_MEM_RECLAIM nvme-delete-wq:nvme_delete_ctrl_work [nvme_core]\n is flushing !WQ_MEM_RECLAIM events:flush_cpu_slab\n WARNING: CPU: 37 PID: 410 at kernel/workqueue.c:2637\n check_flush_dependency+0x10a/0x120\n Workqueue: nvme-delete-wq nvme_delete_ctrl_work [nvme_core]\n RIP: 0010:check_flush_dependency+0x10a/0x120[ 453.262125] Call Trace:\n __flush_work.isra.0+0xbf/0x220\n ? __queue_work+0x1dc/0x420\n flush_all_cpus_locked+0xfb/0x120\n __kmem_cache_shutdown+0x2b/0x320\n kmem_cache_destroy+0x49/0x100\n bioset_exit+0x143/0x190\n blk_release_queue+0xb9/0x100\n kobject_cleanup+0x37/0x130\n nvme_fc_ctrl_free+0xc6/0x150 [nvme_fc]\n nvme_free_ctrl+0x1ac/0x2b0 [nvme_core]\n\nFix this bug by creating a workqueue for the flush operation with\nthe WQ_MEM_RECLAIM bit set.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48658\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48658\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48658\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48658\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48658\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/61703b248be993eb4997b00ae5d3318e6d8f3c5b\",\n \"https://git.kernel.org/stable/c/df6cb39335cf5a1b918e8dbd8ba7cd9f1d00e45a\",\n \"https://git.kernel.org/stable/c/e45cc288724f0cfd497bb5920bcfa60caa335729\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.\\n\\nCommit 5a836bf6b09f (\\\"mm: slub: move flush_cpu_slab() invocations\\n__free_slab() invocations out of IRQ context\\\") moved all flush_cpu_slab()\\ninvocations to the global workqueue to avoid a problem related\\nwith deactivate_slab()/__free_slab() being called from an IRQ context\\non PREEMPT_RT kernels.\\n\\nWhen the flush_all_cpu_locked() function is called from a task context\\nit may happen that a workqueue with WQ_MEM_RECLAIM bit set ends up\\nflushing the global workqueue, this will cause a dependency issue.\\n\\n workqueue: WQ_MEM_RECLAIM nvme-delete-wq:nvme_delete_ctrl_work [nvme_core]\\n is flushing !WQ_MEM_RECLAIM events:flush_cpu_slab\\n WARNING: CPU: 37 PID: 410 at kernel/workqueue.c:2637\\n check_flush_dependency+0x10a/0x120\\n Workqueue: nvme-delete-wq nvme_delete_ctrl_work [nvme_core]\\n RIP: 0010:check_flush_dependency+0x10a/0x120[ 453.262125] Call Trace:\\n __flush_work.isra.0+0xbf/0x220\\n ? __queue_work+0x1dc/0x420\\n flush_all_cpus_locked+0xfb/0x120\\n __kmem_cache_shutdown+0x2b/0x320\\n kmem_cache_destroy+0x49/0x100\\n bioset_exit+0x143/0x190\\n blk_release_queue+0xb9/0x100\\n kobject_cleanup+0x37/0x130\\n nvme_fc_ctrl_free+0xc6/0x150 [nvme_fc]\\n nvme_free_ctrl+0x1ac/0x2b0 [nvme_core]\\n\\nFix this bug by creating a workqueue for the flush operation with\\nthe WQ_MEM_RECLAIM bit set.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48658\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48659", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48659" + }, + { + "url": "https://git.kernel.org/stable/c/016b150992eebc32c4a18f783cf2bb6e2545a3d9" + }, + { + "url": "https://git.kernel.org/stable/c/02bcd951aa3c2cea95fb241c20802e9501940296" + }, + { + "url": "https://git.kernel.org/stable/c/2d6e55e0c03804e1e227b80a5746e086d6c6696c" + }, + { + "url": "https://git.kernel.org/stable/c/379ac7905ff3f0a6a4e507d3e9f710ec4fab9124" + }, + { + "url": "https://git.kernel.org/stable/c/7e9c323c52b379d261a72dc7bd38120a761a93cd" + }, + { + "url": "https://git.kernel.org/stable/c/a1d83a19cec3bfeb2b3547a1f7631e432a766d1c" + }, + { + "url": "https://git.kernel.org/stable/c/e9219fa63c5c25804af82c7aa54d1ec770ebe457" + }, + { + "url": "https://git.kernel.org/stable/c/e996821717c5cf8aa1e1abdb6b3d900a231e3755" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48659 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48659", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: fix to return errno if kmalloc() fails\n\nIn create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to\nout-of-memory, if it fails, return errno correctly rather than\ntriggering panic via BUG_ON();\n\nkernel BUG at mm/slub.c:5893!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\n\nCall trace:\n sysfs_slab_add+0x258/0x260 mm/slub.c:5973\n __kmem_cache_create+0x60/0x118 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335\n kmem_cache_create+0x1c/0x28 mm/slab_common.c:390\n f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]\n f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808\n f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149\n mount_bdev+0x1b8/0x210 fs/super.c:1400\n f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512\n legacy_get_tree+0x30/0x74 fs/fs_context.c:610\n vfs_get_tree+0x40/0x140 fs/super.c:1530\n do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040\n path_mount+0x358/0x914 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48659\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48659\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48659\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48659\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48659\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/016b150992eebc32c4a18f783cf2bb6e2545a3d9\",\n \"https://git.kernel.org/stable/c/02bcd951aa3c2cea95fb241c20802e9501940296\",\n \"https://git.kernel.org/stable/c/2d6e55e0c03804e1e227b80a5746e086d6c6696c\",\n \"https://git.kernel.org/stable/c/379ac7905ff3f0a6a4e507d3e9f710ec4fab9124\",\n \"https://git.kernel.org/stable/c/7e9c323c52b379d261a72dc7bd38120a761a93cd\",\n \"https://git.kernel.org/stable/c/a1d83a19cec3bfeb2b3547a1f7631e432a766d1c\",\n \"https://git.kernel.org/stable/c/e9219fa63c5c25804af82c7aa54d1ec770ebe457\",\n \"https://git.kernel.org/stable/c/e996821717c5cf8aa1e1abdb6b3d900a231e3755\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/slub: fix to return errno if kmalloc() fails\\n\\nIn create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to\\nout-of-memory, if it fails, return errno correctly rather than\\ntriggering panic via BUG_ON();\\n\\nkernel BUG at mm/slub.c:5893!\\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\\n\\nCall trace:\\n sysfs_slab_add+0x258/0x260 mm/slub.c:5973\\n __kmem_cache_create+0x60/0x118 mm/slub.c:4899\\n create_cache mm/slab_common.c:229 [inline]\\n kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335\\n kmem_cache_create+0x1c/0x28 mm/slab_common.c:390\\n f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]\\n f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808\\n f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149\\n mount_bdev+0x1b8/0x210 fs/super.c:1400\\n f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512\\n legacy_get_tree+0x30/0x74 fs/fs_context.c:610\\n vfs_get_tree+0x40/0x140 fs/super.c:1530\\n do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040\\n path_mount+0x358/0x914 fs/namespace.c:3370\\n do_mount fs/namespace.c:3383 [inline]\\n __do_sys_mount fs/namespace.c:3591 [inline]\\n __se_sys_mount fs/namespace.c:3568 [inline]\\n __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48659\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48660", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48660" + }, + { + "url": "https://git.kernel.org/stable/c/657803b918e097e47d99d1489da83a603c36bcdd" + }, + { + "url": "https://git.kernel.org/stable/c/69bef19d6b9700e96285f4b4e28691cda3dcd0d1" + }, + { + "url": "https://git.kernel.org/stable/c/97da736cd11ae73bdf2f5e21e24446b8349e0168" + }, + { + "url": "https://git.kernel.org/stable/c/b1489043d3b9004dd8d5a0357b08b5f0e6691c43" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48660 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48660", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Set lineevent_state::irq after IRQ register successfully\n\nWhen running gpio test on nxp-ls1028 platform with below command\ngpiomon --num-events=3 --rising-edge gpiochip1 25\nThere will be a warning trace as below:\nCall trace:\nfree_irq+0x204/0x360\nlineevent_free+0x64/0x70\ngpio_ioctl+0x598/0x6a0\n__arm64_sys_ioctl+0xb4/0x100\ninvoke_syscall+0x5c/0x130\n......\nel0t_64_sync+0x1a0/0x1a4\nThe reason of this issue is that calling request_threaded_irq()\nfunction failed, and then lineevent_free() is invoked to release\nthe resource. Since the lineevent_state::irq was already set, so\nthe subsequent invocation of free_irq() would trigger the above\nwarning call trace. To fix this issue, set the lineevent_state::irq\nafter the IRQ register successfully.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48660\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48660\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48660\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48660\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48660\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/657803b918e097e47d99d1489da83a603c36bcdd\",\n \"https://git.kernel.org/stable/c/69bef19d6b9700e96285f4b4e28691cda3dcd0d1\",\n \"https://git.kernel.org/stable/c/97da736cd11ae73bdf2f5e21e24446b8349e0168\",\n \"https://git.kernel.org/stable/c/b1489043d3b9004dd8d5a0357b08b5f0e6691c43\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpiolib: cdev: Set lineevent_state::irq after IRQ register successfully\\n\\nWhen running gpio test on nxp-ls1028 platform with below command\\ngpiomon --num-events=3 --rising-edge gpiochip1 25\\nThere will be a warning trace as below:\\nCall trace:\\nfree_irq+0x204/0x360\\nlineevent_free+0x64/0x70\\ngpio_ioctl+0x598/0x6a0\\n__arm64_sys_ioctl+0xb4/0x100\\ninvoke_syscall+0x5c/0x130\\n......\\nel0t_64_sync+0x1a0/0x1a4\\nThe reason of this issue is that calling request_threaded_irq()\\nfunction failed, and then lineevent_free() is invoked to release\\nthe resource. Since the lineevent_state::irq was already set, so\\nthe subsequent invocation of free_irq() would trigger the above\\nwarning call trace. To fix this issue, set the lineevent_state::irq\\nafter the IRQ register successfully.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48660\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48661", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48661" + }, + { + "url": "https://git.kernel.org/stable/c/02743c4091ccfb246f5cdbbe3f44b152d5d12933" + }, + { + "url": "https://git.kernel.org/stable/c/41f857033c44442a27f591fda8d986e7c9e42872" + }, + { + "url": "https://git.kernel.org/stable/c/9b26723e058faaf11b532fb4aa16d6849d581790" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48661 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48661", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mockup: Fix potential resource leakage when register a chip\n\nIf creation of software node fails, the locally allocated string\narray is left unfreed. Free it on error path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48661\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48661\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48661\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48661\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48661\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02743c4091ccfb246f5cdbbe3f44b152d5d12933\",\n \"https://git.kernel.org/stable/c/41f857033c44442a27f591fda8d986e7c9e42872\",\n \"https://git.kernel.org/stable/c/9b26723e058faaf11b532fb4aa16d6849d581790\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpio: mockup: Fix potential resource leakage when register a chip\\n\\nIf creation of software node fails, the locally allocated string\\narray is left unfreed. Free it on error path.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48661\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48664", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48664" + }, + { + "url": "https://git.kernel.org/stable/c/6ac5b52e3f352f9cb270c89e6e1d4dadb564ddb8" + }, + { + "url": "https://git.kernel.org/stable/c/a362bb864b8db4861977d00bd2c3222503ccc34b" + }, + { + "url": "https://git.kernel.org/stable/c/c338bea1fec5504290dc0acf026c9e7dba25004b" + }, + { + "url": "https://git.kernel.org/stable/c/d8a76a2e514fbbb315a6dfff2d342de2de833994" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48664 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48664", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix hang during unmount when stopping a space reclaim worker\n\nOften when running generic/562 from fstests we can hang during unmount,\nresulting in a trace like this:\n\n Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00\n Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.\n Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1\n Sep 07 11:55:32 debian9 kernel: \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000\n Sep 07 11:55:32 debian9 kernel: Call Trace:\n Sep 07 11:55:32 debian9 kernel: \n Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0\n Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70\n Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0\n Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130\n Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0\n Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420\n Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0\n Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200\n Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0\n Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530\n Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140\n Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30\n Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0\n Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]\n Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170\n Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]\n Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0\n Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120\n Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30\n Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]\n Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0\n Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160\n Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0\n Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0\n Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40\n Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90\n Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd\n Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7\n Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7\n Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0\n Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570\n Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000\n Sep 07 11:55:32 debian9 kernel: \n\nWhat happens is the following:\n\n1) The cleaner kthread tries to start a transaction to delete an unused\n block group, but the metadata reservation can not be satisfied right\n away, so a reservation ticket is created and it starts the async\n metadata reclaim task (fs_info->async_reclaim_work);\n\n2) Writeback for all the filler inodes with an i_size of 2K starts\n (generic/562 creates a lot of 2K files with the goal of filling\n metadata space). We try to create an inline extent for them, but we\n fail when trying to insert the inline extent with -ENOSPC (at\n cow_file_range_inline()) - since this is not critical, we fallback\n to non-inline mode (back to cow_file_range()), reserve extents\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48664\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48664\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48664\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48664\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48664\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6ac5b52e3f352f9cb270c89e6e1d4dadb564ddb8\",\n \"https://git.kernel.org/stable/c/a362bb864b8db4861977d00bd2c3222503ccc34b\",\n \"https://git.kernel.org/stable/c/c338bea1fec5504290dc0acf026c9e7dba25004b\",\n \"https://git.kernel.org/stable/c/d8a76a2e514fbbb315a6dfff2d342de2de833994\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix hang during unmount when stopping a space reclaim worker\\n\\nOften when running generic/562 from fstests we can hang during unmount,\\nresulting in a trace like this:\\n\\n Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00\\n Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.\\n Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1\\n Sep 07 11:55:32 debian9 kernel: \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000\\n Sep 07 11:55:32 debian9 kernel: Call Trace:\\n Sep 07 11:55:32 debian9 kernel: \\n Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0\\n Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70\\n Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0\\n Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130\\n Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0\\n Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420\\n Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0\\n Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200\\n Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0\\n Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530\\n Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140\\n Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30\\n Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0\\n Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]\\n Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170\\n Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]\\n Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0\\n Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120\\n Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30\\n Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]\\n Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0\\n Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160\\n Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0\\n Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0\\n Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40\\n Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90\\n Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7\\n Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\\n Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7\\n Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0\\n Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570\\n Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\\n Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000\\n Sep 07 11:55:32 debian9 kernel: \\n\\nWhat happens is the following:\\n\\n1) The cleaner kthread tries to start a transaction to delete an unused\\n block group, but the metadata reservation can not be satisfied right\\n away, so a reservation ticket is created and it starts the async\\n metadata reclaim task (fs_info->async_reclaim_work);\\n\\n2) Writeback for all the filler inodes with an i_size of 2K starts\\n (generic/562 creates a lot of 2K files with the goal of filling\\n metadata space). We try to create an inline extent for them, but we\\n fail when trying to insert the inline extent with -ENOSPC (at\\n cow_file_range_inline()) - since this is not critical, we fallback\\n to non-inline mode (back to cow_file_range()), reserve extents\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48664\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48666", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48666" + }, + { + "url": "https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a" + }, + { + "url": "https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f" + }, + { + "url": "https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506" + }, + { + "url": "https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48666 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48666", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix a use-after-free\n\nThere are two .exit_cmd_priv implementations. Both implementations use\nresources associated with the SCSI host. Make sure that these resources are\nstill available when .exit_cmd_priv is called by waiting inside\nscsi_remove_host() until the tag set has been freed.\n\nThis commit fixes the following use-after-free:\n\n==================================================================\nBUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\nRead of size 8 at addr ffff888100337000 by task multipathd/16727\nCall Trace:\n \n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n kasan_report+0xab/0x120\n srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\n scsi_mq_exit_request+0x4d/0x70\n blk_mq_free_rqs+0x143/0x410\n __blk_mq_free_map_and_rqs+0x6e/0x100\n blk_mq_free_tag_set+0x2b/0x160\n scsi_host_dev_release+0xf3/0x1a0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_device_dev_release_usercontext+0x4c1/0x4e0\n execute_in_process_context+0x23/0x90\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_disk_release+0x3f/0x50\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n disk_release+0x17f/0x1b0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n dm_put_table_device+0xa3/0x160 [dm_mod]\n dm_put_device+0xd0/0x140 [dm_mod]\n free_priority_group+0xd8/0x110 [dm_multipath]\n free_multipath+0x94/0xe0 [dm_multipath]\n dm_table_destroy+0xa2/0x1e0 [dm_mod]\n __dm_destroy+0x196/0x350 [dm_mod]\n dev_remove+0x10c/0x160 [dm_mod]\n ctl_ioctl+0x2c2/0x590 [dm_mod]\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48666\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48666\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48666\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48666\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48666\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a\",\n \"https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f\",\n \"https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506\",\n \"https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: core: Fix a use-after-free\\n\\nThere are two .exit_cmd_priv implementations. Both implementations use\\nresources associated with the SCSI host. Make sure that these resources are\\nstill available when .exit_cmd_priv is called by waiting inside\\nscsi_remove_host() until the tag set has been freed.\\n\\nThis commit fixes the following use-after-free:\\n\\n==================================================================\\nBUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\\nRead of size 8 at addr ffff888100337000 by task multipathd/16727\\nCall Trace:\\n \\n dump_stack_lvl+0x34/0x44\\n print_report.cold+0x5e/0x5db\\n kasan_report+0xab/0x120\\n srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\\n scsi_mq_exit_request+0x4d/0x70\\n blk_mq_free_rqs+0x143/0x410\\n __blk_mq_free_map_and_rqs+0x6e/0x100\\n blk_mq_free_tag_set+0x2b/0x160\\n scsi_host_dev_release+0xf3/0x1a0\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n scsi_device_dev_release_usercontext+0x4c1/0x4e0\\n execute_in_process_context+0x23/0x90\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n scsi_disk_release+0x3f/0x50\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n disk_release+0x17f/0x1b0\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n dm_put_table_device+0xa3/0x160 [dm_mod]\\n dm_put_device+0xd0/0x140 [dm_mod]\\n free_priority_group+0xd8/0x110 [dm_multipath]\\n free_multipath+0x94/0xe0 [dm_multipath]\\n dm_table_destroy+0xa2/0x1e0 [dm_mod]\\n __dm_destroy+0x196/0x350 [dm_mod]\\n dev_remove+0x10c/0x160 [dm_mod]\\n ctl_ioctl+0x2c2/0x590 [dm_mod]\\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\\n __x64_sys_ioctl+0xb4/0xf0\\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\\n __x64_sys_ioctl+0xb4/0xf0\\n do_syscall_64+0x3b/0x90\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 1.4,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48666\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48667", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48667" + }, + { + "url": "https://git.kernel.org/stable/c/0cdde8460c304283d4ebe3f767a70215d1ab9d4e" + }, + { + "url": "https://git.kernel.org/stable/c/9c8b7a293f50253e694f19161c045817a938e551" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48667 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48667", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix temporary data corruption in insert range\n\ninsert range doesn't discard the affected cached region\nso can risk temporarily corrupting file data.\n\nAlso includes some minor cleanup (avoiding rereading\ninode size repeatedly unnecessarily) to make it clearer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48667\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48667\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48667\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48667\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48667\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0cdde8460c304283d4ebe3f767a70215d1ab9d4e\",\n \"https://git.kernel.org/stable/c/9c8b7a293f50253e694f19161c045817a938e551\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb3: fix temporary data corruption in insert range\\n\\ninsert range doesn't discard the affected cached region\\nso can risk temporarily corrupting file data.\\n\\nAlso includes some minor cleanup (avoiding rereading\\ninode size repeatedly unnecessarily) to make it clearer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48667\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48668", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48668" + }, + { + "url": "https://git.kernel.org/stable/c/49523a4732204bdacbf3941a016503ddb4ddb3b9" + }, + { + "url": "https://git.kernel.org/stable/c/fa30a81f255a56cccd89552cd6ce7ea6e8d8acc4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48668 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48668", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix temporary data corruption in collapse range\n\ncollapse range doesn't discard the affected cached region\nso can risk temporarily corrupting the file data. This\nfixes xfstest generic/031\n\nI also decided to merge a minor cleanup to this into the same patch\n(avoiding rereading inode size repeatedly unnecessarily) to make it\nclearer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48668\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48668\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48668\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48668\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48668\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/49523a4732204bdacbf3941a016503ddb4ddb3b9\",\n \"https://git.kernel.org/stable/c/fa30a81f255a56cccd89552cd6ce7ea6e8d8acc4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb3: fix temporary data corruption in collapse range\\n\\ncollapse range doesn't discard the affected cached region\\nso can risk temporarily corrupting the file data. This\\nfixes xfstest generic/031\\n\\nI also decided to merge a minor cleanup to this into the same patch\\n(avoiding rereading inode size repeatedly unnecessarily) to make it\\nclearer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48668\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48672", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48672" + }, + { + "url": "https://git.kernel.org/stable/c/2133f451311671c7c42b5640d2b999326b39aa0e" + }, + { + "url": "https://git.kernel.org/stable/c/2566706ac6393386a4e7c4ce23fe17f4c98d9aa0" + }, + { + "url": "https://git.kernel.org/stable/c/2f945a792f67815abca26fa8a5e863ccf3fa1181" + }, + { + "url": "https://git.kernel.org/stable/c/ba6b9f7cc1108bad6e2c53b1d6e0156379188db7" + }, + { + "url": "https://git.kernel.org/stable/c/cbdda20ce363356698835185801a58a28f644853" + }, + { + "url": "https://git.kernel.org/stable/c/e0e88c25f88b9805572263c9ed20f1d88742feaf" + }, + { + "url": "https://git.kernel.org/stable/c/ee4369260e77821602102dcc7d792de39a56365c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48672 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48672", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: fdt: fix off-by-one error in unflatten_dt_nodes()\n\nCommit 78c44d910d3e (\"drivers/of: Fix depth when unflattening devicetree\")\nforgot to fix up the depth check in the loop body in unflatten_dt_nodes()\nwhich makes it possible to overflow the nps[] buffer...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48672\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48672\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48672\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48672\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48672\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2133f451311671c7c42b5640d2b999326b39aa0e\",\n \"https://git.kernel.org/stable/c/2566706ac6393386a4e7c4ce23fe17f4c98d9aa0\",\n \"https://git.kernel.org/stable/c/2f945a792f67815abca26fa8a5e863ccf3fa1181\",\n \"https://git.kernel.org/stable/c/ba6b9f7cc1108bad6e2c53b1d6e0156379188db7\",\n \"https://git.kernel.org/stable/c/cbdda20ce363356698835185801a58a28f644853\",\n \"https://git.kernel.org/stable/c/e0e88c25f88b9805572263c9ed20f1d88742feaf\",\n \"https://git.kernel.org/stable/c/ee4369260e77821602102dcc7d792de39a56365c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nof: fdt: fix off-by-one error in unflatten_dt_nodes()\\n\\nCommit 78c44d910d3e (\\\"drivers/of: Fix depth when unflattening devicetree\\\")\\nforgot to fix up the depth check in the loop body in unflatten_dt_nodes()\\nwhich makes it possible to overflow the nps[] buffer...\\n\\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\\nanalysis tool.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48672\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48673", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48673" + }, + { + "url": "https://git.kernel.org/stable/c/89fcb70f1acd6b0bbf2f7bfbf45d7aa75a9bdcde" + }, + { + "url": "https://git.kernel.org/stable/c/e9b1a4f867ae9c1dbd1d71cd09cbdb3239fb4968" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48673 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48673", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix possible access to freed memory in link clear\n\nAfter modifying the QP to the Error state, all RX WR would be completed\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\nwait for it is done, but destroy the QP and free the link group directly.\nSo there is a risk that accessing the freed memory in tasklet context.\n\nHere is a crash example:\n\n BUG: unable to handle page fault for address: ffffffff8f220860\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\n Oops: 0002 [#1] SMP PTI\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\n FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n _raw_spin_lock_irqsave+0x30/0x40\n mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\n smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\n tasklet_action_common.isra.21+0x66/0x100\n __do_softirq+0xd5/0x29c\n asm_call_irq_on_stack+0x12/0x20\n \n do_softirq_own_stack+0x37/0x40\n irq_exit_rcu+0x9d/0xa0\n sysvec_call_function_single+0x34/0x80\n asm_sysvec_call_function_single+0x12/0x20", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48673\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48673\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48673\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48673\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48673\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/89fcb70f1acd6b0bbf2f7bfbf45d7aa75a9bdcde\",\n \"https://git.kernel.org/stable/c/e9b1a4f867ae9c1dbd1d71cd09cbdb3239fb4968\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/smc: Fix possible access to freed memory in link clear\\n\\nAfter modifying the QP to the Error state, all RX WR would be completed\\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\\nwait for it is done, but destroy the QP and free the link group directly.\\nSo there is a risk that accessing the freed memory in tasklet context.\\n\\nHere is a crash example:\\n\\n BUG: unable to handle page fault for address: ffffffff8f220860\\n #PF: supervisor write access in kernel mode\\n #PF: error_code(0x0002) - not-present page\\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\\n Oops: 0002 [#1] SMP PTI\\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23\\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\\n FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n Call Trace:\\n \\n _raw_spin_lock_irqsave+0x30/0x40\\n mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\\n smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\\n tasklet_action_common.isra.21+0x66/0x100\\n __do_softirq+0xd5/0x29c\\n asm_call_irq_on_stack+0x12/0x20\\n \\n do_softirq_own_stack+0x37/0x40\\n irq_exit_rcu+0x9d/0xa0\\n sysvec_call_function_single+0x34/0x80\\n asm_sysvec_call_function_single+0x12/0x20\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48673\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48675", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48675" + }, + { + "url": "https://git.kernel.org/stable/c/819110054b14d7272b4188db997a3d80f75ab785" + }, + { + "url": "https://git.kernel.org/stable/c/83c43fd872e32c8071d5582eb7c40f573a8342f3" + }, + { + "url": "https://git.kernel.org/stable/c/85eaeb5058f0f04dffb124c97c86b4f18db0b833" + }, + { + "url": "https://git.kernel.org/stable/c/e8de6cb5755eae7b793d8c00c8696c8667d44a7f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48675 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48675", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Fix a nested dead lock as part of ODP flow\n\nFix a nested dead lock as part of ODP flow by using mmput_async().\n\nFrom the below call trace [1] can see that calling mmput() once we have\nthe umem_odp->umem_mutex locked as required by\nib_umem_odp_map_dma_and_lock() might trigger in the same task the\nexit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which\nmay dead lock when trying to lock the same mutex.\n\nMoving to use mmput_async() will solve the problem as the above\nexit_mmap() flow will be called in other task and will be executed once\nthe lock will be available.\n\n[1]\n[64843.077665] task:kworker/u133:2 state:D stack: 0 pid:80906 ppid:\n2 flags:0x00004000\n[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]\n[64843.077719] Call Trace:\n[64843.077722] \n[64843.077724] __schedule+0x23d/0x590\n[64843.077729] schedule+0x4e/0xb0\n[64843.077735] schedule_preempt_disabled+0xe/0x10\n[64843.077740] __mutex_lock.constprop.0+0x263/0x490\n[64843.077747] __mutex_lock_slowpath+0x13/0x20\n[64843.077752] mutex_lock+0x34/0x40\n[64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib]\n[64843.077808] __mmu_notifier_release+0x1a4/0x200\n[64843.077816] exit_mmap+0x1bc/0x200\n[64843.077822] ? walk_page_range+0x9c/0x120\n[64843.077828] ? __cond_resched+0x1a/0x50\n[64843.077833] ? mutex_lock+0x13/0x40\n[64843.077839] ? uprobe_clear_state+0xac/0x120\n[64843.077860] mmput+0x5f/0x140\n[64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core]\n[64843.077931] pagefault_real_mr+0x9a/0x140 [mlx5_ib]\n[64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib]\n[64843.077992] pagefault_single_data_segment.constprop.0+0x2ac/0x560\n[mlx5_ib]\n[64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib]\n[64843.078051] process_one_work+0x22b/0x3d0\n[64843.078059] worker_thread+0x53/0x410\n[64843.078065] ? process_one_work+0x3d0/0x3d0\n[64843.078073] kthread+0x12a/0x150\n[64843.078079] ? set_kthread_struct+0x50/0x50\n[64843.078085] ret_from_fork+0x22/0x30\n[64843.078093] ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48675\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48675\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48675\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48675\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48675\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/819110054b14d7272b4188db997a3d80f75ab785\",\n \"https://git.kernel.org/stable/c/83c43fd872e32c8071d5582eb7c40f573a8342f3\",\n \"https://git.kernel.org/stable/c/85eaeb5058f0f04dffb124c97c86b4f18db0b833\",\n \"https://git.kernel.org/stable/c/e8de6cb5755eae7b793d8c00c8696c8667d44a7f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/core: Fix a nested dead lock as part of ODP flow\\n\\nFix a nested dead lock as part of ODP flow by using mmput_async().\\n\\nFrom the below call trace [1] can see that calling mmput() once we have\\nthe umem_odp->umem_mutex locked as required by\\nib_umem_odp_map_dma_and_lock() might trigger in the same task the\\nexit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which\\nmay dead lock when trying to lock the same mutex.\\n\\nMoving to use mmput_async() will solve the problem as the above\\nexit_mmap() flow will be called in other task and will be executed once\\nthe lock will be available.\\n\\n[1]\\n[64843.077665] task:kworker/u133:2 state:D stack: 0 pid:80906 ppid:\\n2 flags:0x00004000\\n[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]\\n[64843.077719] Call Trace:\\n[64843.077722] \\n[64843.077724] __schedule+0x23d/0x590\\n[64843.077729] schedule+0x4e/0xb0\\n[64843.077735] schedule_preempt_disabled+0xe/0x10\\n[64843.077740] __mutex_lock.constprop.0+0x263/0x490\\n[64843.077747] __mutex_lock_slowpath+0x13/0x20\\n[64843.077752] mutex_lock+0x34/0x40\\n[64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib]\\n[64843.077808] __mmu_notifier_release+0x1a4/0x200\\n[64843.077816] exit_mmap+0x1bc/0x200\\n[64843.077822] ? walk_page_range+0x9c/0x120\\n[64843.077828] ? __cond_resched+0x1a/0x50\\n[64843.077833] ? mutex_lock+0x13/0x40\\n[64843.077839] ? uprobe_clear_state+0xac/0x120\\n[64843.077860] mmput+0x5f/0x140\\n[64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core]\\n[64843.077931] pagefault_real_mr+0x9a/0x140 [mlx5_ib]\\n[64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib]\\n[64843.077992] pagefault_single_data_segment.constprop.0+0x2ac/0x560\\n[mlx5_ib]\\n[64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib]\\n[64843.078051] process_one_work+0x22b/0x3d0\\n[64843.078059] worker_thread+0x53/0x410\\n[64843.078065] ? process_one_work+0x3d0/0x3d0\\n[64843.078073] kthread+0x12a/0x150\\n[64843.078079] ? set_kthread_struct+0x50/0x50\\n[64843.078085] ret_from_fork+0x22/0x30\\n[64843.078093] \",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48675\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48686", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48686" + }, + { + "url": "https://git.kernel.org/stable/c/13c80a6c112467bab5e44d090767930555fc17a5" + }, + { + "url": "https://git.kernel.org/stable/c/160f3549a907a50e51a8518678ba2dcf2541abea" + }, + { + "url": "https://git.kernel.org/stable/c/19816a0214684f70b49b25075ff8c402fdd611d3" + }, + { + "url": "https://git.kernel.org/stable/c/5914fa32ef1b7766fea933f9eed94ac5c00aa7ff" + }, + { + "url": "https://git.kernel.org/stable/c/c3eb461aa56e6fa94fb80442ba2586bd223a8886" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48686 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48686", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix UAF when detecting digest errors\n\nWe should also bail from the io_work loop when we set rd_enabled to true,\nso we don't attempt to read data from the socket when the TCP stream is\nalready out-of-sync or corrupted.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48686\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48686\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48686\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48686\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48686\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13c80a6c112467bab5e44d090767930555fc17a5\",\n \"https://git.kernel.org/stable/c/160f3549a907a50e51a8518678ba2dcf2541abea\",\n \"https://git.kernel.org/stable/c/19816a0214684f70b49b25075ff8c402fdd611d3\",\n \"https://git.kernel.org/stable/c/5914fa32ef1b7766fea933f9eed94ac5c00aa7ff\",\n \"https://git.kernel.org/stable/c/c3eb461aa56e6fa94fb80442ba2586bd223a8886\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme-tcp: fix UAF when detecting digest errors\\n\\nWe should also bail from the io_work loop when we set rd_enabled to true,\\nso we don't attempt to read data from the socket when the TCP stream is\\nalready out-of-sync or corrupted.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48686\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48687", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48687" + }, + { + "url": "https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa" + }, + { + "url": "https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c" + }, + { + "url": "https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093" + }, + { + "url": "https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3" + }, + { + "url": "https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35" + }, + { + "url": "https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864" + }, + { + "url": "https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48687 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48687", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix out-of-bounds read when setting HMAC data.\n\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\nSegment Routing Headers. This configuration is realised via netlink through\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\nlength of the SECRET attribute, it is possible to provide invalid combinations\n(e.g., secret = \"\", secretlen = 64). This case is not checked in the code and\nwith an appropriately crafted netlink message, an out-of-bounds read of up\nto 64 bytes (max secret length) can occur past the skb end pointer and into\nskb_shared_info:\n\nBreakpoint 1, seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\n208\t\tmemcpy(hinfo->secret, secret, slen);\n(gdb) bt\n #0 seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\n #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\n extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=,\n family=) at net/netlink/genetlink.c:731\n #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\n family=0xffffffff82fef6c0 ) at net/netlink/genetlink.c:775\n #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\n #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 )\n at net/netlink/af_netlink.c:2501\n #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\n #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\n at net/netlink/af_netlink.c:1319\n #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=)\n at net/netlink/af_netlink.c:1345\n #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=, msg=0xffffc90000ba7e48, len=) at net/netlink/af_netlink.c:1921\n...\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end\n$1 = 0xffff88800b1b76c0\n(gdb) p/x secret\n$2 = 0xffff88800b1b76c0\n(gdb) p slen\n$3 = 64 '@'\n\nThe OOB data can then be read back from userspace by dumping HMAC state. This\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\nSECRET.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48687\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48687\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48687\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48687\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48687\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa\",\n \"https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c\",\n \"https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093\",\n \"https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3\",\n \"https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35\",\n \"https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864\",\n \"https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: sr: fix out-of-bounds read when setting HMAC data.\\n\\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\\nSegment Routing Headers. This configuration is realised via netlink through\\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\\nlength of the SECRET attribute, it is possible to provide invalid combinations\\n(e.g., secret = \\\"\\\", secretlen = 64). This case is not checked in the code and\\nwith an appropriately crafted netlink message, an out-of-bounds read of up\\nto 64 bytes (max secret length) can occur past the skb end pointer and into\\nskb_shared_info:\\n\\nBreakpoint 1, seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\\n208\\t\\tmemcpy(hinfo->secret, secret, slen);\\n(gdb) bt\\n #0 seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\\n #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\\n extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=,\\n family=) at net/netlink/genetlink.c:731\\n #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\\n family=0xffffffff82fef6c0 ) at net/netlink/genetlink.c:775\\n #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\\n #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 )\\n at net/netlink/af_netlink.c:2501\\n #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\\n #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\\n at net/netlink/af_netlink.c:1319\\n #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=)\\n at net/netlink/af_netlink.c:1345\\n #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=, msg=0xffffc90000ba7e48, len=) at net/netlink/af_netlink.c:1921\\n...\\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end\\n$1 = 0xffff88800b1b76c0\\n(gdb) p/x secret\\n$2 = 0xffff88800b1b76c0\\n(gdb) p slen\\n$3 = 64 '@'\\n\\nThe OOB data can then be read back from userspace by dumping HMAC state. This\\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\\nSECRET.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48687\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48688", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48688" + }, + { + "url": "https://git.kernel.org/stable/c/2ed94383f3a2693dbf5bc47c514b42524bd8f9ae" + }, + { + "url": "https://git.kernel.org/stable/c/342d77769a6cceb3df7720a1e18baa4339eee3fc" + }, + { + "url": "https://git.kernel.org/stable/c/38af35bec59a8431a1eb29da994a0a45cba275d9" + }, + { + "url": "https://git.kernel.org/stable/c/5332a094514852d5e58c278cf4193adb937337fc" + }, + { + "url": "https://git.kernel.org/stable/c/c49f320e2492738d478bc427dcd54ccfe0cba746" + }, + { + "url": "https://git.kernel.org/stable/c/fb8396aeda5872369a8ed6d2301e2c86e303c520" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48688 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48688", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during module removal\n\nThe driver incorrectly frees client instance and subsequent\ni40e module removal leads to kernel crash.\n\nReproducer:\n1. Do ethtool offline test followed immediately by another one\nhost# ethtool -t eth0 offline; ethtool -t eth0 offline\n2. Remove recursively irdma module that also removes i40e module\nhost# modprobe -r irdma\n\nResult:\n[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110\n[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2\n[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01\n[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1\n[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[ 8687.768755] #PF: supervisor read access in kernel mode\n[ 8687.773895] #PF: error_code(0x0000) - not-present page\n[ 8687.779034] PGD 0 P4D 0\n[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2\n[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019\n[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e]\n[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b\n[ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202\n[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000\n[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000\n[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000\n[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0\n[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008\n[ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000\n[ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0\n[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8687.905572] PKRU: 55555554\n[ 8687.908286] Call Trace:\n[ 8687.910737] \n[ 8687.912843] i40e_remove+0x2c0/0x330 [i40e]\n[ 8687.917040] pci_device_remove+0x33/0xa0\n[ 8687.920962] device_release_driver_internal+0x1aa/0x230\n[ 8687.926188] driver_detach+0x44/0x90\n[ 8687.929770] bus_remove_driver+0x55/0xe0\n[ 8687.933693] pci_unregister_driver+0x2a/0xb0\n[ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e]\n\nTwo offline tests cause IRDMA driver failure (ETIMEDOUT) and this\nfailure is indicated back to i40e_client_subtask() that calls\ni40e_client_del_instance() to free client instance referenced\nby pf->cinst and sets this pointer to NULL. During the module\nremoval i40e_remove() calls i40e_lan_del_device() that dereferences\npf->cinst that is NULL -> crash.\nDo not remove client instance when client open callbacks fails and\njust clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs\nto take care about this situation (when netdev is up and client\nis NOT opened) in i40e_notify_client_of_netdev_close() and\ncalls client close callback only when __I40E_CLIENT_INSTANCE_OPENED\nis set.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48688\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48688\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48688\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48688\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48688\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ed94383f3a2693dbf5bc47c514b42524bd8f9ae\",\n \"https://git.kernel.org/stable/c/342d77769a6cceb3df7720a1e18baa4339eee3fc\",\n \"https://git.kernel.org/stable/c/38af35bec59a8431a1eb29da994a0a45cba275d9\",\n \"https://git.kernel.org/stable/c/5332a094514852d5e58c278cf4193adb937337fc\",\n \"https://git.kernel.org/stable/c/c49f320e2492738d478bc427dcd54ccfe0cba746\",\n \"https://git.kernel.org/stable/c/fb8396aeda5872369a8ed6d2301e2c86e303c520\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni40e: Fix kernel crash during module removal\\n\\nThe driver incorrectly frees client instance and subsequent\\ni40e module removal leads to kernel crash.\\n\\nReproducer:\\n1. Do ethtool offline test followed immediately by another one\\nhost# ethtool -t eth0 offline; ethtool -t eth0 offline\\n2. Remove recursively irdma module that also removes i40e module\\nhost# modprobe -r irdma\\n\\nResult:\\n[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting\\n[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished\\n[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting\\n[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished\\n[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110\\n[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2\\n[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01\\n[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1\\n[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030\\n[ 8687.768755] #PF: supervisor read access in kernel mode\\n[ 8687.773895] #PF: error_code(0x0000) - not-present page\\n[ 8687.779034] PGD 0 P4D 0\\n[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI\\n[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2\\n[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019\\n[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e]\\n[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b\\n[ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202\\n[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000\\n[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000\\n[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000\\n[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0\\n[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008\\n[ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000\\n[ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0\\n[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 8687.905572] PKRU: 55555554\\n[ 8687.908286] Call Trace:\\n[ 8687.910737] \\n[ 8687.912843] i40e_remove+0x2c0/0x330 [i40e]\\n[ 8687.917040] pci_device_remove+0x33/0xa0\\n[ 8687.920962] device_release_driver_internal+0x1aa/0x230\\n[ 8687.926188] driver_detach+0x44/0x90\\n[ 8687.929770] bus_remove_driver+0x55/0xe0\\n[ 8687.933693] pci_unregister_driver+0x2a/0xb0\\n[ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e]\\n\\nTwo offline tests cause IRDMA driver failure (ETIMEDOUT) and this\\nfailure is indicated back to i40e_client_subtask() that calls\\ni40e_client_del_instance() to free client instance referenced\\nby pf->cinst and sets this pointer to NULL. During the module\\nremoval i40e_remove() calls i40e_lan_del_device() that dereferences\\npf->cinst that is NULL -> crash.\\nDo not remove client instance when client open callbacks fails and\\njust clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs\\nto take care about this situation (when netdev is up and client\\nis NOT opened) in i40e_notify_client_of_netdev_close() and\\ncalls client close callback only when __I40E_CLIENT_INSTANCE_OPENED\\nis set.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48688\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48689", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48689" + }, + { + "url": "https://git.kernel.org/stable/c/3261400639463a853ba2b3be8bd009c2a8089775" + }, + { + "url": "https://git.kernel.org/stable/c/6730c48ed6b0cd939fc9b30b2d621ce0b89bea83" + }, + { + "url": "https://git.kernel.org/stable/c/8527c9a6bf8e54fef0a8d3d7d8874a48c725c915" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48689 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48689", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: TX zerocopy should not sense pfmemalloc status\n\nWe got a recent syzbot report [1] showing a possible misuse\nof pfmemalloc page status in TCP zerocopy paths.\n\nIndeed, for pages coming from user space or other layers,\nusing page_is_pfmemalloc() is moot, and possibly could give\nfalse positives.\n\nThere has been attempts to make page_is_pfmemalloc() more robust,\nbut not using it in the first place in this context is probably better,\nremoving cpu cycles.\n\nNote to stable teams :\n\nYou need to backport 84ce071e38a6 (\"net: introduce\n__skb_fill_page_desc_noacc\") as a prereq.\n\nRace is more probable after commit c07aea3ef4d4\n(\"mm: add a signature in struct page\") because page_is_pfmemalloc()\nis now using low order bit from page->lru.next, which can change\nmore often than page->index.\n\nLow order bit should never be set for lru.next (when used as an anchor\nin LRU list), so KCSAN report is mostly a false positive.\n\nBackporting to older kernel versions seems not necessary.\n\n[1]\nBUG: KCSAN: data-race in lru_add_fn / tcp_build_frag\n\nwrite to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:\n__list_add include/linux/list.h:73 [inline]\nlist_add include/linux/list.h:88 [inline]\nlruvec_add_folio include/linux/mm_inline.h:105 [inline]\nlru_add_fn+0x440/0x520 mm/swap.c:228\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\nfolio_batch_add_and_move mm/swap.c:263 [inline]\nfolio_add_lru+0xf1/0x140 mm/swap.c:490\nfilemap_add_folio+0xf8/0x150 mm/filemap.c:948\n__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981\npagecache_get_page+0x26/0x190 mm/folio-compat.c:104\ngrab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116\next4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988\ngeneric_perform_write+0x1d4/0x3f0 mm/filemap.c:3738\next4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270\next4_file_write_iter+0x2e3/0x1210\ncall_write_iter include/linux/fs.h:2187 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x468/0x760 fs/read_write.c:578\nksys_write+0xe8/0x1a0 fs/read_write.c:631\n__do_sys_write fs/read_write.c:643 [inline]\n__se_sys_write fs/read_write.c:640 [inline]\n__x64_sys_write+0x3e/0x50 fs/read_write.c:640\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:\npage_is_pfmemalloc include/linux/mm.h:1740 [inline]\n__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]\nskb_fill_page_desc include/linux/skbuff.h:2443 [inline]\ntcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018\ndo_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075\ntcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]\ntcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150\ninet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833\nkernel_sendpage+0x184/0x300 net/socket.c:3561\nsock_sendpage+0x5a/0x70 net/socket.c:1054\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\nsplice_from_pipe_feed fs/splice.c:415 [inline]\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\nsplice_from_pipe fs/splice.c:594 [inline]\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\ndo_splice_from fs/splice.c:764 [inline]\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1249\n__do_sys_sendfile64 fs/read_write.c:1317 [inline]\n__se_sys_sendfile64 fs/read_write.c:1303 [inline]\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x0000000000000000 -> 0xffffea0004a1d288\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48689\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48689\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48689\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48689\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48689\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3261400639463a853ba2b3be8bd009c2a8089775\",\n \"https://git.kernel.org/stable/c/6730c48ed6b0cd939fc9b30b2d621ce0b89bea83\",\n \"https://git.kernel.org/stable/c/8527c9a6bf8e54fef0a8d3d7d8874a48c725c915\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: TX zerocopy should not sense pfmemalloc status\\n\\nWe got a recent syzbot report [1] showing a possible misuse\\nof pfmemalloc page status in TCP zerocopy paths.\\n\\nIndeed, for pages coming from user space or other layers,\\nusing page_is_pfmemalloc() is moot, and possibly could give\\nfalse positives.\\n\\nThere has been attempts to make page_is_pfmemalloc() more robust,\\nbut not using it in the first place in this context is probably better,\\nremoving cpu cycles.\\n\\nNote to stable teams :\\n\\nYou need to backport 84ce071e38a6 (\\\"net: introduce\\n__skb_fill_page_desc_noacc\\\") as a prereq.\\n\\nRace is more probable after commit c07aea3ef4d4\\n(\\\"mm: add a signature in struct page\\\") because page_is_pfmemalloc()\\nis now using low order bit from page->lru.next, which can change\\nmore often than page->index.\\n\\nLow order bit should never be set for lru.next (when used as an anchor\\nin LRU list), so KCSAN report is mostly a false positive.\\n\\nBackporting to older kernel versions seems not necessary.\\n\\n[1]\\nBUG: KCSAN: data-race in lru_add_fn / tcp_build_frag\\n\\nwrite to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:\\n__list_add include/linux/list.h:73 [inline]\\nlist_add include/linux/list.h:88 [inline]\\nlruvec_add_folio include/linux/mm_inline.h:105 [inline]\\nlru_add_fn+0x440/0x520 mm/swap.c:228\\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\\nfolio_batch_add_and_move mm/swap.c:263 [inline]\\nfolio_add_lru+0xf1/0x140 mm/swap.c:490\\nfilemap_add_folio+0xf8/0x150 mm/filemap.c:948\\n__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981\\npagecache_get_page+0x26/0x190 mm/folio-compat.c:104\\ngrab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116\\next4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988\\ngeneric_perform_write+0x1d4/0x3f0 mm/filemap.c:3738\\next4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270\\next4_file_write_iter+0x2e3/0x1210\\ncall_write_iter include/linux/fs.h:2187 [inline]\\nnew_sync_write fs/read_write.c:491 [inline]\\nvfs_write+0x468/0x760 fs/read_write.c:578\\nksys_write+0xe8/0x1a0 fs/read_write.c:631\\n__do_sys_write fs/read_write.c:643 [inline]\\n__se_sys_write fs/read_write.c:640 [inline]\\n__x64_sys_write+0x3e/0x50 fs/read_write.c:640\\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nread to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:\\npage_is_pfmemalloc include/linux/mm.h:1740 [inline]\\n__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]\\nskb_fill_page_desc include/linux/skbuff.h:2443 [inline]\\ntcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018\\ndo_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075\\ntcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]\\ntcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150\\ninet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833\\nkernel_sendpage+0x184/0x300 net/socket.c:3561\\nsock_sendpage+0x5a/0x70 net/socket.c:1054\\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\\nsplice_from_pipe_feed fs/splice.c:415 [inline]\\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\\nsplice_from_pipe fs/splice.c:594 [inline]\\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\\ndo_splice_from fs/splice.c:764 [inline]\\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1249\\n__do_sys_sendfile64 fs/read_write.c:1317 [inline]\\n__se_sys_sendfile64 fs/read_write.c:1303 [inline]\\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303\\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nvalue changed: 0x0000000000000000 -> 0xffffea0004a1d288\\n\\nReported by Kernel Concurrency Sanitizer on:\\nCPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48689\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48691", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48691" + }, + { + "url": "https://git.kernel.org/stable/c/1ce55ec5cb7c573c983dffbe290b8d17caf1f157" + }, + { + "url": "https://git.kernel.org/stable/c/77972a36ecc4db7fc7c68f0e80714263c5f03f65" + }, + { + "url": "https://git.kernel.org/stable/c/910891a2a44cdc49efcc4fe7459c1085ba00d0f4" + }, + { + "url": "https://git.kernel.org/stable/c/94ed8eeb8d9aeb00e4f4e19b83a2e28b6442fbc5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48691 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48691", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: clean up hook list when offload flags check fails\n\nsplice back the hook list so nft_chain_release_hook() has a chance to\nrelease the hooks.\n\nBUG: memory leak\nunreferenced object 0xffff88810180b100 (size 96):\n comm \"syz-executor133\", pid 3619, jiffies 4294945714 (age 12.690s)\n hex dump (first 32 bytes):\n 28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff (d#.....(d#.....\n 90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff ................\n backtrace:\n [] kmalloc include/linux/slab.h:600 [inline]\n [] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901\n [] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline]\n [] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073\n [] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218\n [] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593\n [] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517\n [] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline]\n [] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656\n [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n [] sock_sendmsg_nosec net/socket.c:714 [inline]\n [] sock_sendmsg+0x56/0x80 net/socket.c:734\n [] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482\n [] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\n [] __sys_sendmsg+0x88/0x100 net/socket.c:2565\n [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [] entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48691\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48691\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48691\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48691\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48691\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ce55ec5cb7c573c983dffbe290b8d17caf1f157\",\n \"https://git.kernel.org/stable/c/77972a36ecc4db7fc7c68f0e80714263c5f03f65\",\n \"https://git.kernel.org/stable/c/910891a2a44cdc49efcc4fe7459c1085ba00d0f4\",\n \"https://git.kernel.org/stable/c/94ed8eeb8d9aeb00e4f4e19b83a2e28b6442fbc5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: clean up hook list when offload flags check fails\\n\\nsplice back the hook list so nft_chain_release_hook() has a chance to\\nrelease the hooks.\\n\\nBUG: memory leak\\nunreferenced object 0xffff88810180b100 (size 96):\\n comm \\\"syz-executor133\\\", pid 3619, jiffies 4294945714 (age 12.690s)\\n hex dump (first 32 bytes):\\n 28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff (d#.....(d#.....\\n 90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff ................\\n backtrace:\\n [] kmalloc include/linux/slab.h:600 [inline]\\n [] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901\\n [] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline]\\n [] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073\\n [] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218\\n [] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593\\n [] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517\\n [] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline]\\n [] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656\\n [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\\n [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\\n [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\\n [] sock_sendmsg_nosec net/socket.c:714 [inline]\\n [] sock_sendmsg+0x56/0x80 net/socket.c:734\\n [] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482\\n [] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\\n [] __sys_sendmsg+0x88/0x100 net/socket.c:2565\\n [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\\n [] entry_SYSCALL_64_after_hwframe+0x63/0xcd\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48691\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48692", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48692" + }, + { + "url": "https://git.kernel.org/stable/c/12f35199a2c0551187edbf8eb01379f0598659fa" + }, + { + "url": "https://git.kernel.org/stable/c/a8edd49c94b4b08019ed7d6dd794fca8078a4deb" + }, + { + "url": "https://git.kernel.org/stable/c/f022576aa03c2385ea7f2b27ee5b331e43abf624" + }, + { + "url": "https://git.kernel.org/stable/c/f2c70f56f762e5dc3b0d7dc438fbb137cb116413" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48692 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48692", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Set scmnd->result only when scmnd is not NULL\n\nThis change fixes the following kernel NULL pointer dereference\nwhich is reproduced by blktests srp/007 occasionally.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000170\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014\nWorkqueue: 0x0 (kblockd)\nRIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]\nCode: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9\nRSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282\nRAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000\nRDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff\nRBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001\nR10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000\nR13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0\nCall Trace:\n \n __ib_process_cq+0xb7/0x280 [ib_core]\n ib_poll_handler+0x2b/0x130 [ib_core]\n irq_poll_softirq+0x93/0x150\n __do_softirq+0xee/0x4b8\n irq_exit_rcu+0xf7/0x130\n sysvec_apic_timer_interrupt+0x8e/0xc0\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48692\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48692\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48692\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48692\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48692\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12f35199a2c0551187edbf8eb01379f0598659fa\",\n \"https://git.kernel.org/stable/c/a8edd49c94b4b08019ed7d6dd794fca8078a4deb\",\n \"https://git.kernel.org/stable/c/f022576aa03c2385ea7f2b27ee5b331e43abf624\",\n \"https://git.kernel.org/stable/c/f2c70f56f762e5dc3b0d7dc438fbb137cb116413\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/srp: Set scmnd->result only when scmnd is not NULL\\n\\nThis change fixes the following kernel NULL pointer dereference\\nwhich is reproduced by blktests srp/007 occasionally.\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000170\\nPGD 0 P4D 0\\nOops: 0002 [#1] PREEMPT SMP NOPTI\\nCPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014\\nWorkqueue: 0x0 (kblockd)\\nRIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]\\nCode: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9\\nRSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282\\nRAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000\\nRDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff\\nRBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001\\nR10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000\\nR13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000\\nFS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0\\nCall Trace:\\n \\n __ib_process_cq+0xb7/0x280 [ib_core]\\n ib_poll_handler+0x2b/0x130 [ib_core]\\n irq_poll_softirq+0x93/0x150\\n __do_softirq+0xee/0x4b8\\n irq_exit_rcu+0xf7/0x130\\n sysvec_apic_timer_interrupt+0x8e/0xc0\\n \",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48692\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48693", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48693" + }, + { + "url": "https://git.kernel.org/stable/c/0284b4e6dec6088a41607aa3f42bf51edff01883" + }, + { + "url": "https://git.kernel.org/stable/c/1085f5080647f0c9f357c270a537869191f7f2a1" + }, + { + "url": "https://git.kernel.org/stable/c/43245c77d9efd8c9eb91bf225d07954dcf32204d" + }, + { + "url": "https://git.kernel.org/stable/c/57b2897ec3ffe4cbe018446be6d04432919dca6b" + }, + { + "url": "https://git.kernel.org/stable/c/653500b400d5576940b7429690f7197199ddcc82" + }, + { + "url": "https://git.kernel.org/stable/c/6dc0251638a4a1a998506dbd4627f8317e907558" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48693 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48693", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\n\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\n\n(1) we need to add of_node_put() when for_each__matching_node() breaks\n(2) we need to add iounmap() for each iomap in fail path", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48693\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48693\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48693\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48693\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48693\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0284b4e6dec6088a41607aa3f42bf51edff01883\",\n \"https://git.kernel.org/stable/c/1085f5080647f0c9f357c270a537869191f7f2a1\",\n \"https://git.kernel.org/stable/c/43245c77d9efd8c9eb91bf225d07954dcf32204d\",\n \"https://git.kernel.org/stable/c/57b2897ec3ffe4cbe018446be6d04432919dca6b\",\n \"https://git.kernel.org/stable/c/653500b400d5576940b7429690f7197199ddcc82\",\n \"https://git.kernel.org/stable/c/6dc0251638a4a1a998506dbd4627f8317e907558\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\\n\\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\\n\\n(1) we need to add of_node_put() when for_each__matching_node() breaks\\n(2) we need to add iounmap() for each iomap in fail path\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48693\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48695", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48695" + }, + { + "url": "https://git.kernel.org/stable/c/41acb064c4e013808bc7d5fc1b506fa449425b0b" + }, + { + "url": "https://git.kernel.org/stable/c/5682c94644fde72f72bded6580c38189ffc856b5" + }, + { + "url": "https://git.kernel.org/stable/c/6229fa494a5949be209bc73afbc5d0a749c2e3c7" + }, + { + "url": "https://git.kernel.org/stable/c/82efb917eeb27454dc4c6fe26432fc8f6c75bc16" + }, + { + "url": "https://git.kernel.org/stable/c/991df3dd5144f2e6b1c38b8d20ed3d4d21e20b34" + }, + { + "url": "https://git.kernel.org/stable/c/b8fc9e91b931215110ba824d1a2983c5f60b6f82" + }, + { + "url": "https://git.kernel.org/stable/c/d4959d09b76eb7a4146f5133962b88d3bddb63d6" + }, + { + "url": "https://git.kernel.org/stable/c/ea10a652ad2ae2cf3eced6f632a5c98f26727057" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48695 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48695", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use-after-free warning\n\nFix the following use-after-free warning which is observed during\ncontroller reset:\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48695\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48695\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48695\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48695\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48695\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/41acb064c4e013808bc7d5fc1b506fa449425b0b\",\n \"https://git.kernel.org/stable/c/5682c94644fde72f72bded6580c38189ffc856b5\",\n \"https://git.kernel.org/stable/c/6229fa494a5949be209bc73afbc5d0a749c2e3c7\",\n \"https://git.kernel.org/stable/c/82efb917eeb27454dc4c6fe26432fc8f6c75bc16\",\n \"https://git.kernel.org/stable/c/991df3dd5144f2e6b1c38b8d20ed3d4d21e20b34\",\n \"https://git.kernel.org/stable/c/b8fc9e91b931215110ba824d1a2983c5f60b6f82\",\n \"https://git.kernel.org/stable/c/d4959d09b76eb7a4146f5133962b88d3bddb63d6\",\n \"https://git.kernel.org/stable/c/ea10a652ad2ae2cf3eced6f632a5c98f26727057\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: mpt3sas: Fix use-after-free warning\\n\\nFix the following use-after-free warning which is observed during\\ncontroller reset:\\n\\nrefcount_t: underflow; use-after-free.\\nWARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48695\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48697", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48697" + }, + { + "url": "https://git.kernel.org/stable/c/17f121ca3ec6be0fb32d77c7f65362934a38cc8e" + }, + { + "url": "https://git.kernel.org/stable/c/4484ce97a78171668c402e0c45db7f760aea8060" + }, + { + "url": "https://git.kernel.org/stable/c/6a02a61e81c231cc5c680c5dbf8665275147ac52" + }, + { + "url": "https://git.kernel.org/stable/c/8d66989b5f7bb28bba2f8e1e2ffc8bfef4a10717" + }, + { + "url": "https://git.kernel.org/stable/c/be01f1c988757b95f11f090a9f491365670a522b" + }, + { + "url": "https://git.kernel.org/stable/c/ebf46da50beb78066674354ad650606a467e33fa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48697 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48697", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a use-after-free\n\nFix the following use-after-free complaint triggered by blktests nvme/004:\n\nBUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350\nRead of size 4 at addr 0000607bd1835943 by task kworker/13:1/460\nWorkqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\nCall Trace:\n show_stack+0x52/0x58\n dump_stack_lvl+0x49/0x5e\n print_report.cold+0x36/0x1e2\n kasan_report+0xb9/0xf0\n __asan_load4+0x6b/0x80\n blk_mq_complete_request_remote+0xac/0x350\n nvme_loop_queue_response+0x1df/0x275 [nvme_loop]\n __nvmet_req_complete+0x132/0x4f0 [nvmet]\n nvmet_req_complete+0x15/0x40 [nvmet]\n nvmet_execute_io_connect+0x18a/0x1f0 [nvmet]\n nvme_loop_execute_work+0x20/0x30 [nvme_loop]\n process_one_work+0x56e/0xa70\n worker_thread+0x2d1/0x640\n kthread+0x183/0x1c0\n ret_from_fork+0x1f/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48697\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48697\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48697\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48697\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48697\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17f121ca3ec6be0fb32d77c7f65362934a38cc8e\",\n \"https://git.kernel.org/stable/c/4484ce97a78171668c402e0c45db7f760aea8060\",\n \"https://git.kernel.org/stable/c/6a02a61e81c231cc5c680c5dbf8665275147ac52\",\n \"https://git.kernel.org/stable/c/8d66989b5f7bb28bba2f8e1e2ffc8bfef4a10717\",\n \"https://git.kernel.org/stable/c/be01f1c988757b95f11f090a9f491365670a522b\",\n \"https://git.kernel.org/stable/c/ebf46da50beb78066674354ad650606a467e33fa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvmet: fix a use-after-free\\n\\nFix the following use-after-free complaint triggered by blktests nvme/004:\\n\\nBUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350\\nRead of size 4 at addr 0000607bd1835943 by task kworker/13:1/460\\nWorkqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\\nCall Trace:\\n show_stack+0x52/0x58\\n dump_stack_lvl+0x49/0x5e\\n print_report.cold+0x36/0x1e2\\n kasan_report+0xb9/0xf0\\n __asan_load4+0x6b/0x80\\n blk_mq_complete_request_remote+0xac/0x350\\n nvme_loop_queue_response+0x1df/0x275 [nvme_loop]\\n __nvmet_req_complete+0x132/0x4f0 [nvmet]\\n nvmet_req_complete+0x15/0x40 [nvmet]\\n nvmet_execute_io_connect+0x18a/0x1f0 [nvmet]\\n nvme_loop_execute_work+0x20/0x30 [nvme_loop]\\n process_one_work+0x56e/0xa70\\n worker_thread+0x2d1/0x640\\n kthread+0x183/0x1c0\\n ret_from_fork+0x1f/0x30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48697\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48698", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48698" + }, + { + "url": "https://git.kernel.org/stable/c/3a6279d243cb035eaaff1450980b40cf19748f05" + }, + { + "url": "https://git.kernel.org/stable/c/58acd2ebae034db3bacf38708f508fbd12ae2e54" + }, + { + "url": "https://git.kernel.org/stable/c/cbfac7fa491651c57926c99edeb7495c6c1aeac2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48698 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48698", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix memory leak when using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. Fix this up by properly\ncalling dput().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48698\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48698\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48698\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48698\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48698\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3a6279d243cb035eaaff1450980b40cf19748f05\",\n \"https://git.kernel.org/stable/c/58acd2ebae034db3bacf38708f508fbd12ae2e54\",\n \"https://git.kernel.org/stable/c/cbfac7fa491651c57926c99edeb7495c6c1aeac2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: fix memory leak when using debugfs_lookup()\\n\\nWhen calling debugfs_lookup() the result must have dput() called on it,\\notherwise the memory will leak over time. Fix this up by properly\\ncalling dput().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48698\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48699", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48699" + }, + { + "url": "https://git.kernel.org/stable/c/0c32a93963e03c03e561d5a066eedad211880ba3" + }, + { + "url": "https://git.kernel.org/stable/c/26e9a1ded8923510e5529fbb28390b22228700c2" + }, + { + "url": "https://git.kernel.org/stable/c/c2e406596571659451f4b95e37ddfd5a8ef1d0dc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48699 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48699", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/debug: fix dentry leak in update_sched_domain_debugfs\n\nKuyo reports that the pattern of using debugfs_remove(debugfs_lookup())\nleaks a dentry and with a hotplug stress test, the machine eventually\nruns out of memory.\n\nFix this up by using the newly created debugfs_lookup_and_remove() call\ninstead which properly handles the dentry reference counting logic.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48699\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48699\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48699\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48699\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48699\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c32a93963e03c03e561d5a066eedad211880ba3\",\n \"https://git.kernel.org/stable/c/26e9a1ded8923510e5529fbb28390b22228700c2\",\n \"https://git.kernel.org/stable/c/c2e406596571659451f4b95e37ddfd5a8ef1d0dc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/debug: fix dentry leak in update_sched_domain_debugfs\\n\\nKuyo reports that the pattern of using debugfs_remove(debugfs_lookup())\\nleaks a dentry and with a hotplug stress test, the machine eventually\\nruns out of memory.\\n\\nFix this up by using the newly created debugfs_lookup_and_remove() call\\ninstead which properly handles the dentry reference counting logic.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48699\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48700", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48700" + }, + { + "url": "https://git.kernel.org/stable/c/5321908ef74fb593e0dbc8737d25038fc86c9986" + }, + { + "url": "https://git.kernel.org/stable/c/578d644edc7d2c1ff53f7e4d0a25da473deb4a03" + }, + { + "url": "https://git.kernel.org/stable/c/5d721bf222936f5cf3ee15ced53cc483ecef7e46" + }, + { + "url": "https://git.kernel.org/stable/c/873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48700 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48700", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: Unpin zero pages\n\nThere's currently a reference count leak on the zero page. We increment\nthe reference via pin_user_pages_remote(), but the page is later handled\nas an invalid/reserved page, therefore it's not accounted against the\nuser and not unpinned by our put_pfn().\n\nIntroducing special zero page handling in put_pfn() would resolve the\nleak, but without accounting of the zero page, a single user could\nstill create enough mappings to generate a reference count overflow.\n\nThe zero page is always resident, so for our purposes there's no reason\nto keep it pinned. Therefore, add a loop to walk pages returned from\npin_user_pages_remote() and unpin any zero pages.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48700\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48700\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48700\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48700\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48700\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5321908ef74fb593e0dbc8737d25038fc86c9986\",\n \"https://git.kernel.org/stable/c/578d644edc7d2c1ff53f7e4d0a25da473deb4a03\",\n \"https://git.kernel.org/stable/c/5d721bf222936f5cf3ee15ced53cc483ecef7e46\",\n \"https://git.kernel.org/stable/c/873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/type1: Unpin zero pages\\n\\nThere's currently a reference count leak on the zero page. We increment\\nthe reference via pin_user_pages_remote(), but the page is later handled\\nas an invalid/reserved page, therefore it's not accounted against the\\nuser and not unpinned by our put_pfn().\\n\\nIntroducing special zero page handling in put_pfn() would resolve the\\nleak, but without accounting of the zero page, a single user could\\nstill create enough mappings to generate a reference count overflow.\\n\\nThe zero page is always resident, so for our purposes there's no reason\\nto keep it pinned. Therefore, add a loop to walk pages returned from\\npin_user_pages_remote() and unpin any zero pages.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48700\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48701", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48701" + }, + { + "url": "https://git.kernel.org/stable/c/0492798bf8dfcc09c9337a1ba065da1d1ca68712" + }, + { + "url": "https://git.kernel.org/stable/c/2a308e415d247a23d4d64c964c02e782eede2936" + }, + { + "url": "https://git.kernel.org/stable/c/6123bec8480d23369e2ee0b2208611619f269faf" + }, + { + "url": "https://git.kernel.org/stable/c/8293e61bbf908b18ff9935238d4fc2ad359e3fe0" + }, + { + "url": "https://git.kernel.org/stable/c/91904870370fd986c29719846ed76d559de43251" + }, + { + "url": "https://git.kernel.org/stable/c/98e8e67395cc6d0cdf3a771f86ea42d0ee6e59dd" + }, + { + "url": "https://git.kernel.org/stable/c/b970518014f2f0f6c493fb86c1e092b936899061" + }, + { + "url": "https://git.kernel.org/stable/c/e53f47f6c1a56d2af728909f1cb894da6b43d9bf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48701 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48701", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()\n\nThere may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and\nthe number of it's interfaces less than 4, an out-of-bounds read bug occurs\nwhen parsing the interface descriptor for this device.\n\nFix this by checking the number of interfaces.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48701\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48701\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48701\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48701\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48701\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0492798bf8dfcc09c9337a1ba065da1d1ca68712\",\n \"https://git.kernel.org/stable/c/2a308e415d247a23d4d64c964c02e782eede2936\",\n \"https://git.kernel.org/stable/c/6123bec8480d23369e2ee0b2208611619f269faf\",\n \"https://git.kernel.org/stable/c/8293e61bbf908b18ff9935238d4fc2ad359e3fe0\",\n \"https://git.kernel.org/stable/c/91904870370fd986c29719846ed76d559de43251\",\n \"https://git.kernel.org/stable/c/98e8e67395cc6d0cdf3a771f86ea42d0ee6e59dd\",\n \"https://git.kernel.org/stable/c/b970518014f2f0f6c493fb86c1e092b936899061\",\n \"https://git.kernel.org/stable/c/e53f47f6c1a56d2af728909f1cb894da6b43d9bf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()\\n\\nThere may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and\\nthe number of it's interfaces less than 4, an out-of-bounds read bug occurs\\nwhen parsing the interface descriptor for this device.\\n\\nFix this by checking the number of interfaces.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48701\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48702", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48702" + }, + { + "url": "https://git.kernel.org/stable/c/39a90720f3abe96625d1224e7a7463410875de4c" + }, + { + "url": "https://git.kernel.org/stable/c/4204a01ffce97cae1d59edc5848f02be5b2b9178" + }, + { + "url": "https://git.kernel.org/stable/c/45321a7d02b7cf9b3f97e3987fc1e4d649b82da2" + }, + { + "url": "https://git.kernel.org/stable/c/45814a53514e10a8014906c882e0d0d38df39cc1" + }, + { + "url": "https://git.kernel.org/stable/c/637c5310acb48fffcc5657568db3f3e9bc719bfa" + }, + { + "url": "https://git.kernel.org/stable/c/6b0e260ac3cf289e38446552461caa65e6dab275" + }, + { + "url": "https://git.kernel.org/stable/c/88aac6684cf8bc885cca15463cb4407e91f28ff7" + }, + { + "url": "https://git.kernel.org/stable/c/d29f59051d3a07b81281b2df2b8c9dfe4716067f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48702 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48702", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()\n\nThe voice allocator sometimes begins allocating from near the end of the\narray and then wraps around, however snd_emu10k1_pcm_channel_alloc()\naccesses the newly allocated voices as if it never wrapped around.\n\nThis results in out of bounds access if the first voice has a high enough\nindex so that first_voice + requested_voice_count > NUM_G (64).\nThe more voices are requested, the more likely it is for this to occur.\n\nThis was initially discovered using PipeWire, however it can be reproduced\nby calling aplay multiple times with 16 channels:\naplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero\n\nUBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40\nindex 65 is out of range for type 'snd_emu10k1_voice [64]'\nCPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7\nHardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010\nCall Trace:\n\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\nubsan_epilogue+0x9/0x3f\n__ubsan_handle_out_of_bounds.cold+0x44/0x49\nsnd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]\nsnd_pcm_hw_params+0x29f/0x600 [snd_pcm]\nsnd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]\n? exit_to_user_mode_prepare+0x35/0x170\n? do_syscall_64+0x69/0x90\n? syscall_exit_to_user_mode+0x26/0x50\n? do_syscall_64+0x69/0x90\n? exit_to_user_mode_prepare+0x35/0x170\nsnd_pcm_ioctl+0x27/0x40 [snd_pcm]\n__x64_sys_ioctl+0x95/0xd0\ndo_syscall_64+0x5c/0x90\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48702\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48702\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48702\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48702\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48702\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39a90720f3abe96625d1224e7a7463410875de4c\",\n \"https://git.kernel.org/stable/c/4204a01ffce97cae1d59edc5848f02be5b2b9178\",\n \"https://git.kernel.org/stable/c/45321a7d02b7cf9b3f97e3987fc1e4d649b82da2\",\n \"https://git.kernel.org/stable/c/45814a53514e10a8014906c882e0d0d38df39cc1\",\n \"https://git.kernel.org/stable/c/637c5310acb48fffcc5657568db3f3e9bc719bfa\",\n \"https://git.kernel.org/stable/c/6b0e260ac3cf289e38446552461caa65e6dab275\",\n \"https://git.kernel.org/stable/c/88aac6684cf8bc885cca15463cb4407e91f28ff7\",\n \"https://git.kernel.org/stable/c/d29f59051d3a07b81281b2df2b8c9dfe4716067f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()\\n\\nThe voice allocator sometimes begins allocating from near the end of the\\narray and then wraps around, however snd_emu10k1_pcm_channel_alloc()\\naccesses the newly allocated voices as if it never wrapped around.\\n\\nThis results in out of bounds access if the first voice has a high enough\\nindex so that first_voice + requested_voice_count > NUM_G (64).\\nThe more voices are requested, the more likely it is for this to occur.\\n\\nThis was initially discovered using PipeWire, however it can be reproduced\\nby calling aplay multiple times with 16 channels:\\naplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero\\n\\nUBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40\\nindex 65 is out of range for type 'snd_emu10k1_voice [64]'\\nCPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7\\nHardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010\\nCall Trace:\\n\\ndump_stack_lvl+0x49/0x63\\ndump_stack+0x10/0x16\\nubsan_epilogue+0x9/0x3f\\n__ubsan_handle_out_of_bounds.cold+0x44/0x49\\nsnd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]\\nsnd_pcm_hw_params+0x29f/0x600 [snd_pcm]\\nsnd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]\\n? exit_to_user_mode_prepare+0x35/0x170\\n? do_syscall_64+0x69/0x90\\n? syscall_exit_to_user_mode+0x26/0x50\\n? do_syscall_64+0x69/0x90\\n? exit_to_user_mode_prepare+0x35/0x170\\nsnd_pcm_ioctl+0x27/0x40 [snd_pcm]\\n__x64_sys_ioctl+0x95/0xd0\\ndo_syscall_64+0x5c/0x90\\n? do_syscall_64+0x69/0x90\\n? do_syscall_64+0x69/0x90\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48702\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48703", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48703" + }, + { + "url": "https://git.kernel.org/stable/c/7931e28098a4c1a2a6802510b0cbe57546d2049d" + }, + { + "url": "https://git.kernel.org/stable/c/dae42083b045a4ddf71c57cf350cb2412b5915c2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48703 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48703", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR\n\nIn some case, the GDDV returns a package with a buffer which has\nzero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10).\n\nThen the data_vault_read() got NULL point dereference problem when\naccessing the 0x10 value in data_vault.\n\n[ 71.024560] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n\nThis patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or\nNULL value in data_vault.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48703\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48703\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48703\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48703\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48703\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7931e28098a4c1a2a6802510b0cbe57546d2049d\",\n \"https://git.kernel.org/stable/c/dae42083b045a4ddf71c57cf350cb2412b5915c2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR\\n\\nIn some case, the GDDV returns a package with a buffer which has\\nzero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10).\\n\\nThen the data_vault_read() got NULL point dereference problem when\\naccessing the 0x10 value in data_vault.\\n\\n[ 71.024560] BUG: kernel NULL pointer dereference, address:\\n0000000000000010\\n\\nThis patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or\\nNULL value in data_vault.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48703\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48704", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48704" + }, + { + "url": "https://git.kernel.org/stable/c/16cb367daa446923d82e332537f446a4cc784b40" + }, + { + "url": "https://git.kernel.org/stable/c/4e25e8f27fdbdc6fd55cc572a9939bf24500b9e8" + }, + { + "url": "https://git.kernel.org/stable/c/5a7a5b2edac4b05abd744eeaebda46d9dacd952d" + }, + { + "url": "https://git.kernel.org/stable/c/826b46fd5974113515abe9e4fc8178009a8ce18c" + }, + { + "url": "https://git.kernel.org/stable/c/b878da58df2c40b08914d3960e2224040fd1fbfe" + }, + { + "url": "https://git.kernel.org/stable/c/c0a45f41fde4a0f2c900f719817493ee5c4a5aa3" + }, + { + "url": "https://git.kernel.org/stable/c/c72d97146fc5a4dff381b1737f6167e89860430d" + }, + { + "url": "https://git.kernel.org/stable/c/f461950fdc374a3ada5a63c669d997de4600dffe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48704 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48704", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: add a force flush to delay work when radeon\n\nAlthough radeon card fence and wait for gpu to finish processing current batch rings,\nthere is still a corner case that radeon lockup work queue may not be fully flushed,\nand meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to\nput device in D3hot state.\nPer PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.\n> Configuration and Message requests are the only TLPs accepted by a Function in\n> the D3hot state. All other received Requests must be handled as Unsupported Requests,\n> and all received Completions may optionally be handled as Unexpected Completions.\nThis issue will happen in following logs:\nUnable to handle kernel paging request at virtual address 00008800e0008010\nCPU 0 kworker/0:3(131): Oops 0\npc = [] ra = [] ps = 0000 Tainted: G W\npc is at si_gpu_check_soft_reset+0x3c/0x240\nra is at si_dma_is_lockup+0x34/0xd0\nv0 = 0000000000000000 t0 = fff08800e0008010 t1 = 0000000000010000\nt2 = 0000000000008010 t3 = fff00007e3c00000 t4 = fff00007e3c00258\nt5 = 000000000000ffff t6 = 0000000000000001 t7 = fff00007ef078000\ns0 = fff00007e3c016e8 s1 = fff00007e3c00000 s2 = fff00007e3c00018\ns3 = fff00007e3c00000 s4 = fff00007fff59d80 s5 = 0000000000000000\ns6 = fff00007ef07bd98\na0 = fff00007e3c00000 a1 = fff00007e3c016e8 a2 = 0000000000000008\na3 = 0000000000000001 a4 = 8f5c28f5c28f5c29 a5 = ffffffff810f4338\nt8 = 0000000000000275 t9 = ffffffff809b66f8 t10 = ff6769c5d964b800\nt11= 000000000000b886 pv = ffffffff811bea20 at = 0000000000000000\ngp = ffffffff81d89690 sp = 00000000aa814126\nDisabling lock debugging due to kernel taint\nTrace:\n[] si_dma_is_lockup+0x34/0xd0\n[] radeon_fence_check_lockup+0xd0/0x290\n[] process_one_work+0x280/0x550\n[] worker_thread+0x70/0x7c0\n[] worker_thread+0x130/0x7c0\n[] kthread+0x200/0x210\n[] worker_thread+0x0/0x7c0\n[] kthread+0x14c/0x210\n[] ret_from_kernel_thread+0x18/0x20\n[] kthread+0x0/0x210\n Code: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101\n <88210000> 4821ed21\nSo force lockup work queue flush to fix this problem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48704\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48704\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48704\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48704\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48704\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16cb367daa446923d82e332537f446a4cc784b40\",\n \"https://git.kernel.org/stable/c/4e25e8f27fdbdc6fd55cc572a9939bf24500b9e8\",\n \"https://git.kernel.org/stable/c/5a7a5b2edac4b05abd744eeaebda46d9dacd952d\",\n \"https://git.kernel.org/stable/c/826b46fd5974113515abe9e4fc8178009a8ce18c\",\n \"https://git.kernel.org/stable/c/b878da58df2c40b08914d3960e2224040fd1fbfe\",\n \"https://git.kernel.org/stable/c/c0a45f41fde4a0f2c900f719817493ee5c4a5aa3\",\n \"https://git.kernel.org/stable/c/c72d97146fc5a4dff381b1737f6167e89860430d\",\n \"https://git.kernel.org/stable/c/f461950fdc374a3ada5a63c669d997de4600dffe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/radeon: add a force flush to delay work when radeon\\n\\nAlthough radeon card fence and wait for gpu to finish processing current batch rings,\\nthere is still a corner case that radeon lockup work queue may not be fully flushed,\\nand meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to\\nput device in D3hot state.\\nPer PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.\\n> Configuration and Message requests are the only TLPs accepted by a Function in\\n> the D3hot state. All other received Requests must be handled as Unsupported Requests,\\n> and all received Completions may optionally be handled as Unexpected Completions.\\nThis issue will happen in following logs:\\nUnable to handle kernel paging request at virtual address 00008800e0008010\\nCPU 0 kworker/0:3(131): Oops 0\\npc = [] ra = [] ps = 0000 Tainted: G W\\npc is at si_gpu_check_soft_reset+0x3c/0x240\\nra is at si_dma_is_lockup+0x34/0xd0\\nv0 = 0000000000000000 t0 = fff08800e0008010 t1 = 0000000000010000\\nt2 = 0000000000008010 t3 = fff00007e3c00000 t4 = fff00007e3c00258\\nt5 = 000000000000ffff t6 = 0000000000000001 t7 = fff00007ef078000\\ns0 = fff00007e3c016e8 s1 = fff00007e3c00000 s2 = fff00007e3c00018\\ns3 = fff00007e3c00000 s4 = fff00007fff59d80 s5 = 0000000000000000\\ns6 = fff00007ef07bd98\\na0 = fff00007e3c00000 a1 = fff00007e3c016e8 a2 = 0000000000000008\\na3 = 0000000000000001 a4 = 8f5c28f5c28f5c29 a5 = ffffffff810f4338\\nt8 = 0000000000000275 t9 = ffffffff809b66f8 t10 = ff6769c5d964b800\\nt11= 000000000000b886 pv = ffffffff811bea20 at = 0000000000000000\\ngp = ffffffff81d89690 sp = 00000000aa814126\\nDisabling lock debugging due to kernel taint\\nTrace:\\n[] si_dma_is_lockup+0x34/0xd0\\n[] radeon_fence_check_lockup+0xd0/0x290\\n[] process_one_work+0x280/0x550\\n[] worker_thread+0x70/0x7c0\\n[] worker_thread+0x130/0x7c0\\n[] kthread+0x200/0x210\\n[] worker_thread+0x0/0x7c0\\n[] kthread+0x14c/0x210\\n[] ret_from_kernel_thread+0x18/0x20\\n[] kthread+0x0/0x210\\n Code: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101\\n <88210000> 4821ed21\\nSo force lockup work queue flush to fix this problem.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48704\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48706", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48706" + }, + { + "url": "https://git.kernel.org/stable/c/5d2cc32c1c10bd889125d2adc16a6bc3338dcd3e" + }, + { + "url": "https://git.kernel.org/stable/c/6b04456e248761cf68f562f2fd7c04e591fcac94" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48706 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48706", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: ifcvf: Do proper cleanup if IFCVF init fails\n\nifcvf_mgmt_dev leaks memory if it is not freed before\nreturning. Call is made to correct return statement\nso memory does not leak. ifcvf_init_hw does not take\ncare of this so it is needed to do it here.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48706\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48706\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48706\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48706\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48706\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5d2cc32c1c10bd889125d2adc16a6bc3338dcd3e\",\n \"https://git.kernel.org/stable/c/6b04456e248761cf68f562f2fd7c04e591fcac94\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvdpa: ifcvf: Do proper cleanup if IFCVF init fails\\n\\nifcvf_mgmt_dev leaks memory if it is not freed before\\nreturning. Call is made to correct return statement\\nso memory does not leak. ifcvf_init_hw does not take\\ncare of this so it is needed to do it here.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48706\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48708", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48708" + }, + { + "url": "https://git.kernel.org/stable/c/1177bdafe87cbe543a2dc48a9bbac265aa5864db" + }, + { + "url": "https://git.kernel.org/stable/c/2b763f7de108cb1a5ad5ed08e617d677341947cb" + }, + { + "url": "https://git.kernel.org/stable/c/6e2a0521e4e84a2698f2da3950fb5c5496a4d208" + }, + { + "url": "https://git.kernel.org/stable/c/71668706fbe7d20e6f172fa3287fa8aac1b56c26" + }, + { + "url": "https://git.kernel.org/stable/c/bcc487001a15f71f103d102cba4ac8145d7a68f2" + }, + { + "url": "https://git.kernel.org/stable/c/d2d73e6d4822140445ad4a7b1c6091e0f5fe703b" + }, + { + "url": "https://git.kernel.org/stable/c/e671e63587c92b3fd767cf82e73129f6d5feeb33" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48708 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48708", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: single: fix potential NULL dereference\n\nAdded checking of pointer \"function\" in pcs_set_mux().\npinmux_generic_get_function() can return NULL and the pointer\n\"function\" was dereferenced without checking against NULL.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48708\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48708\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48708\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48708\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48708\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1177bdafe87cbe543a2dc48a9bbac265aa5864db\",\n \"https://git.kernel.org/stable/c/2b763f7de108cb1a5ad5ed08e617d677341947cb\",\n \"https://git.kernel.org/stable/c/6e2a0521e4e84a2698f2da3950fb5c5496a4d208\",\n \"https://git.kernel.org/stable/c/71668706fbe7d20e6f172fa3287fa8aac1b56c26\",\n \"https://git.kernel.org/stable/c/bcc487001a15f71f103d102cba4ac8145d7a68f2\",\n \"https://git.kernel.org/stable/c/d2d73e6d4822140445ad4a7b1c6091e0f5fe703b\",\n \"https://git.kernel.org/stable/c/e671e63587c92b3fd767cf82e73129f6d5feeb33\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npinctrl: single: fix potential NULL dereference\\n\\nAdded checking of pointer \\\"function\\\" in pcs_set_mux().\\npinmux_generic_get_function() can return NULL and the pointer\\n\\\"function\\\" was dereferenced without checking against NULL.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48708\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48710", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48710" + }, + { + "url": "https://git.kernel.org/stable/c/140d9807b96e1303f6f2675a7ae8710a2094bd17" + }, + { + "url": "https://git.kernel.org/stable/c/16a0f0b63c4c7eb46fc4c3f00bf2836e6ee46a9f" + }, + { + "url": "https://git.kernel.org/stable/c/28fd384c78d7d8ed8af0d086d778c3e438ba7f60" + }, + { + "url": "https://git.kernel.org/stable/c/7b7fba107b2c4ec7673d0f45bdbb9d1af697d9b9" + }, + { + "url": "https://git.kernel.org/stable/c/8a89bfeef9abe93371e3ea8796377f2d132eee29" + }, + { + "url": "https://git.kernel.org/stable/c/a2b28708b645c5632dc93669ab06e97874c8244f" + }, + { + "url": "https://git.kernel.org/stable/c/b33f7d99c9226892c7794dc2500fae35966020c9" + }, + { + "url": "https://git.kernel.org/stable/c/e938d24f0b7392e142b8aa434f18590d99dbe479" + }, + { + "url": "https://git.kernel.org/stable/c/fee8ae0a0bb66eb7730c22f44fbd7203f63c2eab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48710 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48710", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix a possible null pointer dereference\n\nIn radeon_fp_native_mode(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.\n\nThe failure status of drm_cvt_mode() on the other path is checked too.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48710\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48710\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48710\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48710\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48710\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/140d9807b96e1303f6f2675a7ae8710a2094bd17\",\n \"https://git.kernel.org/stable/c/16a0f0b63c4c7eb46fc4c3f00bf2836e6ee46a9f\",\n \"https://git.kernel.org/stable/c/28fd384c78d7d8ed8af0d086d778c3e438ba7f60\",\n \"https://git.kernel.org/stable/c/7b7fba107b2c4ec7673d0f45bdbb9d1af697d9b9\",\n \"https://git.kernel.org/stable/c/8a89bfeef9abe93371e3ea8796377f2d132eee29\",\n \"https://git.kernel.org/stable/c/a2b28708b645c5632dc93669ab06e97874c8244f\",\n \"https://git.kernel.org/stable/c/b33f7d99c9226892c7794dc2500fae35966020c9\",\n \"https://git.kernel.org/stable/c/e938d24f0b7392e142b8aa434f18590d99dbe479\",\n \"https://git.kernel.org/stable/c/fee8ae0a0bb66eb7730c22f44fbd7203f63c2eab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/radeon: fix a possible null pointer dereference\\n\\nIn radeon_fp_native_mode(), the return value of drm_mode_duplicate()\\nis assigned to mode, which will lead to a NULL pointer dereference\\non failure of drm_mode_duplicate(). Add a check to avoid npd.\\n\\nThe failure status of drm_cvt_mode() on the other path is checked too.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48710\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48744", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48744" + }, + { + "url": "https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e" + }, + { + "url": "https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48744 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48744", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid field-overflowing memcpy()\n\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\n\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\n\nWe were doing:\n\n\t#define ETH_HLEN 14\n\t#define VLAN_HLEN 4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n struct mlx5_wqe_eth_seg *eseg = &wqe->eth;\n struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\n\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\n\nstruct mlx5e_tx_wqe {\n struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */\n struct mlx5_wqe_eth_seg eth; /* 16 16 */\n struct mlx5_wqe_data_seg data[]; /* 32 0 */\n\n /* size: 32, cachelines: 1, members: 3 */\n /* last cacheline: 32 bytes */\n};\n\nstruct mlx5_wqe_eth_seg {\n u8 swp_outer_l4_offset; /* 0 1 */\n u8 swp_outer_l3_offset; /* 1 1 */\n u8 swp_inner_l4_offset; /* 2 1 */\n u8 swp_inner_l3_offset; /* 3 1 */\n u8 cs_flags; /* 4 1 */\n u8 swp_flags; /* 5 1 */\n __be16 mss; /* 6 2 */\n __be32 flow_table_metadata; /* 8 4 */\n union {\n struct {\n __be16 sz; /* 12 2 */\n u8 start[2]; /* 14 2 */\n } inline_hdr; /* 12 4 */\n struct {\n __be16 type; /* 12 2 */\n __be16 vlan_tci; /* 14 2 */\n } insert; /* 12 4 */\n __be32 trailer; /* 12 4 */\n }; /* 12 4 */\n\n /* size: 16, cachelines: 1, members: 9 */\n /* last cacheline: 16 bytes */\n};\n\nstruct mlx5_wqe_data_seg {\n __be32 byte_count; /* 0 4 */\n __be32 lkey; /* 4 4 */\n __be64 addr; /* 8 8 */\n\n /* size: 16, cachelines: 1, members: 3 */\n /* last cacheline: 16 bytes */\n};\n\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\n\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48744\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48744\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48744\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48744\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48744\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e\",\n \"https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: Avoid field-overflowing memcpy()\\n\\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\\nintentionally writing across neighboring fields.\\n\\nUse flexible arrays instead of zero-element arrays (which look like they\\nare always overflowing) and split the cross-field memcpy() into two halves\\nthat can be appropriately bounds-checked by the compiler.\\n\\nWe were doing:\\n\\n\\t#define ETH_HLEN 14\\n\\t#define VLAN_HLEN 4\\n\\t...\\n\\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\\n\\t...\\n struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);\\n\\t...\\n struct mlx5_wqe_eth_seg *eseg = &wqe->eth;\\n struct mlx5_wqe_data_seg *dseg = wqe->data;\\n\\t...\\n\\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\\n\\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\\n2 bytes in size), but copying 18, intending to write across start\\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\\n(8 bytes).\\n\\nstruct mlx5e_tx_wqe {\\n struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */\\n struct mlx5_wqe_eth_seg eth; /* 16 16 */\\n struct mlx5_wqe_data_seg data[]; /* 32 0 */\\n\\n /* size: 32, cachelines: 1, members: 3 */\\n /* last cacheline: 32 bytes */\\n};\\n\\nstruct mlx5_wqe_eth_seg {\\n u8 swp_outer_l4_offset; /* 0 1 */\\n u8 swp_outer_l3_offset; /* 1 1 */\\n u8 swp_inner_l4_offset; /* 2 1 */\\n u8 swp_inner_l3_offset; /* 3 1 */\\n u8 cs_flags; /* 4 1 */\\n u8 swp_flags; /* 5 1 */\\n __be16 mss; /* 6 2 */\\n __be32 flow_table_metadata; /* 8 4 */\\n union {\\n struct {\\n __be16 sz; /* 12 2 */\\n u8 start[2]; /* 14 2 */\\n } inline_hdr; /* 12 4 */\\n struct {\\n __be16 type; /* 12 2 */\\n __be16 vlan_tci; /* 14 2 */\\n } insert; /* 12 4 */\\n __be32 trailer; /* 12 4 */\\n }; /* 12 4 */\\n\\n /* size: 16, cachelines: 1, members: 9 */\\n /* last cacheline: 16 bytes */\\n};\\n\\nstruct mlx5_wqe_data_seg {\\n __be32 byte_count; /* 0 4 */\\n __be32 lkey; /* 4 4 */\\n __be64 addr; /* 8 8 */\\n\\n /* size: 16, cachelines: 1, members: 3 */\\n /* last cacheline: 16 bytes */\\n};\\n\\nSo, split the memcpy() so the compiler can reason about the buffer\\nsizes.\\n\\n\\\"pahole\\\" shows no size nor member offset changes to struct mlx5e_tx_wqe\\nnor struct mlx5e_umr_wqe. \\\"objdump -d\\\" shows no meaningful object\\ncode changes (i.e. only source line number induced differences and\\noptimizations).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48744\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48766", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48766" + }, + { + "url": "https://git.kernel.org/stable/c/25f1488bdbba63415239ff301fe61a8546140d9f" + }, + { + "url": "https://git.kernel.org/stable/c/456ba2433844a6483cc4c933aa8f43d24575e341" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48766 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48766", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wrap dcn301_calculate_wm_and_dlg for FPU.\n\nMirrors the logic for dcn30. Cue lots of WARNs and some\nkernel panics without this fix.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48766\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48766\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48766\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48766\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48766\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25f1488bdbba63415239ff301fe61a8546140d9f\",\n \"https://git.kernel.org/stable/c/456ba2433844a6483cc4c933aa8f43d24575e341\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Wrap dcn301_calculate_wm_and_dlg for FPU.\\n\\nMirrors the logic for dcn30. Cue lots of WARNs and some\\nkernel panics without this fix.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48766\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48771", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48771" + }, + { + "url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d" + }, + { + "url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565" + }, + { + "url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c" + }, + { + "url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82" + }, + { + "url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c" + }, + { + "url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414" + }, + { + "url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48771 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48771", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48771\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48771\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48771\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48771\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48771\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d\",\n \"https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565\",\n \"https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c\",\n \"https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82\",\n \"https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c\",\n \"https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414\",\n \"https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\\n\\nA failing usercopy of the fence_rep object will lead to a stale entry in\\nthe file descriptor table as put_unused_fd() won't release it. This\\nenables userland to refer to a dangling 'file' object through that still\\nvalid file descriptor, leading to all kinds of use-after-free\\nexploitation scenarios.\\n\\nFix this by deferring the call to fd_install() until after the usercopy\\nhas succeeded.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48771\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48772", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48772" + }, + { + "url": "https://git.kernel.org/stable/c/526238d32c3acc3d597fd8c9a34652bfe9086cea" + }, + { + "url": "https://git.kernel.org/stable/c/7d12e918f2994c883f41f22552a61b9310fa1e87" + }, + { + "url": "https://git.kernel.org/stable/c/8915dcd29a82096acacf54364a8425363782aea0" + }, + { + "url": "https://git.kernel.org/stable/c/8e1e00718d0d9dd83337300572561e30b9c0d115" + }, + { + "url": "https://git.kernel.org/stable/c/b479fd59a1f4a342b69fce34f222d93bf791dca4" + }, + { + "url": "https://git.kernel.org/stable/c/c1115ddbda9c930fba0fdd062e7a8873ebaf898d" + }, + { + "url": "https://git.kernel.org/stable/c/d082757b8359201c3864323cea4b91ea30a1e676" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48772 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48772", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: lgdt3306a: Add a check against null-pointer-def\n\nThe driver should check whether the client provides the platform_data.\n\nThe following log reveals it:\n\n[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[ 29.612820] Call Trace:\n[ 29.613030] \n[ 29.613201] dump_stack_lvl+0x56/0x6f\n[ 29.613496] ? kmemdup+0x30/0x40\n[ 29.613754] print_report.cold+0x494/0x6b7\n[ 29.614082] ? kmemdup+0x30/0x40\n[ 29.614340] kasan_report+0x8a/0x190\n[ 29.614628] ? kmemdup+0x30/0x40\n[ 29.614888] kasan_check_range+0x14d/0x1d0\n[ 29.615213] memcpy+0x20/0x60\n[ 29.615454] kmemdup+0x30/0x40\n[ 29.615700] lgdt3306a_probe+0x52/0x310\n[ 29.616339] i2c_device_probe+0x951/0xa90", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48772\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48772\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48772\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48772\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48772\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/526238d32c3acc3d597fd8c9a34652bfe9086cea\",\n \"https://git.kernel.org/stable/c/7d12e918f2994c883f41f22552a61b9310fa1e87\",\n \"https://git.kernel.org/stable/c/8915dcd29a82096acacf54364a8425363782aea0\",\n \"https://git.kernel.org/stable/c/8e1e00718d0d9dd83337300572561e30b9c0d115\",\n \"https://git.kernel.org/stable/c/b479fd59a1f4a342b69fce34f222d93bf791dca4\",\n \"https://git.kernel.org/stable/c/c1115ddbda9c930fba0fdd062e7a8873ebaf898d\",\n \"https://git.kernel.org/stable/c/d082757b8359201c3864323cea4b91ea30a1e676\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: lgdt3306a: Add a check against null-pointer-def\\n\\nThe driver should check whether the client provides the platform_data.\\n\\nThe following log reveals it:\\n\\n[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\\n[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\\n[ 29.612820] Call Trace:\\n[ 29.613030] \\n[ 29.613201] dump_stack_lvl+0x56/0x6f\\n[ 29.613496] ? kmemdup+0x30/0x40\\n[ 29.613754] print_report.cold+0x494/0x6b7\\n[ 29.614082] ? kmemdup+0x30/0x40\\n[ 29.614340] kasan_report+0x8a/0x190\\n[ 29.614628] ? kmemdup+0x30/0x40\\n[ 29.614888] kasan_check_range+0x14d/0x1d0\\n[ 29.615213] memcpy+0x20/0x60\\n[ 29.615454] kmemdup+0x30/0x40\\n[ 29.615700] lgdt3306a_probe+0x52/0x310\\n[ 29.616339] i2c_device_probe+0x951/0xa90\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48772\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48781", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48781" + }, + { + "url": "https://git.kernel.org/stable/c/25206111512de994dfc914f5b2972a22aa904ef3" + }, + { + "url": "https://git.kernel.org/stable/c/9d06f489b9e901580159e21fdc29f73df7ed08dc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48781 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48781", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - get rid of alg_memory_allocated\n\nalg_memory_allocated does not seem to be really used.\n\nalg_proto does have a .memory_allocated field, but no\ncorresponding .sysctl_mem.\n\nThis means sk_has_account() returns true, but all sk_prot_mem_limits()\nusers will trigger a NULL dereference [1].\n\nTHis was not a problem until SO_RESERVE_MEM addition.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 3591 Comm: syz-executor153 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n sock_setsockopt+0x14a9/0x3a30 net/core/sock.c:1446\n __sys_setsockopt+0x5af/0x980 net/socket.c:2176\n __do_sys_setsockopt net/socket.c:2191 [inline]\n __se_sys_setsockopt net/socket.c:2188 [inline]\n __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2188\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fc7440fddc9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe98f07968 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7440fddc9\nRDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000004 R09: 00007ffe98f07990\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe98f0798c\nR13: 00007ffe98f079a0 R14: 00007ffe98f079e0 R15: 0000000000000000\n \nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48781\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48781\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48781\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48781\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48781\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25206111512de994dfc914f5b2972a22aa904ef3\",\n \"https://git.kernel.org/stable/c/9d06f489b9e901580159e21fdc29f73df7ed08dc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: af_alg - get rid of alg_memory_allocated\\n\\nalg_memory_allocated does not seem to be really used.\\n\\nalg_proto does have a .memory_allocated field, but no\\ncorresponding .sysctl_mem.\\n\\nThis means sk_has_account() returns true, but all sk_prot_mem_limits()\\nusers will trigger a NULL dereference [1].\\n\\nTHis was not a problem until SO_RESERVE_MEM addition.\\n\\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN\\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\\nCPU: 1 PID: 3591 Comm: syz-executor153 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n sock_setsockopt+0x14a9/0x3a30 net/core/sock.c:1446\\n __sys_setsockopt+0x5af/0x980 net/socket.c:2176\\n __do_sys_setsockopt net/socket.c:2191 [inline]\\n __se_sys_setsockopt net/socket.c:2188 [inline]\\n __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2188\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x44/0xae\\nRIP: 0033:0x7fc7440fddc9\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007ffe98f07968 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7440fddc9\\nRDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000004\\nRBP: 0000000000000000 R08: 0000000000000004 R09: 00007ffe98f07990\\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe98f0798c\\nR13: 00007ffe98f079a0 R14: 00007ffe98f079e0 R15: 0000000000000000\\n \\nModules linked in:\\n---[ end trace 0000000000000000 ]---\\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48781\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48808", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48808" + }, + { + "url": "https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7" + }, + { + "url": "https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae" + }, + { + "url": "https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48808 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48808", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix panic when DSA master device unbinds on shutdown\n\nRafael reports that on a system with LX2160A and Marvell DSA switches,\nif a reboot occurs while the DSA master (dpaa2-eth) is up, the following\npanic can be seen:\n\nsystemd-shutdown[1]: Rebooting.\nUnable to handle kernel paging request at virtual address 00a0000800000041\n[00a0000800000041] address between user and kernel address ranges\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32\npc : dsa_slave_netdevice_event+0x130/0x3e4\nlr : raw_notifier_call_chain+0x50/0x6c\nCall trace:\n dsa_slave_netdevice_event+0x130/0x3e4\n raw_notifier_call_chain+0x50/0x6c\n call_netdevice_notifiers_info+0x54/0xa0\n __dev_close_many+0x50/0x130\n dev_close_many+0x84/0x120\n unregister_netdevice_many+0x130/0x710\n unregister_netdevice_queue+0x8c/0xd0\n unregister_netdev+0x20/0x30\n dpaa2_eth_remove+0x68/0x190\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x94/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_device_remove+0x24/0x40\n __fsl_mc_device_remove+0xc/0x20\n device_for_each_child+0x58/0xa0\n dprc_remove+0x90/0xb0\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_bus_remove+0x80/0x100\n fsl_mc_bus_shutdown+0xc/0x1c\n platform_shutdown+0x20/0x30\n device_shutdown+0x154/0x330\n __do_sys_reboot+0x1cc/0x250\n __arm64_sys_reboot+0x20/0x30\n invoke_syscall.constprop.0+0x4c/0xe0\n do_el0_svc+0x4c/0x150\n el0_svc+0x24/0xb0\n el0t_64_sync_handler+0xa8/0xb0\n el0t_64_sync+0x178/0x17c\n\nIt can be seen from the stack trace that the problem is that the\nderegistration of the master causes a dev_close(), which gets notified\nas NETDEV_GOING_DOWN to dsa_slave_netdevice_event().\nBut dsa_switch_shutdown() has already run, and this has unregistered the\nDSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to\ncall dev_close_many() on those slave interfaces, leading to the problem.\n\nThe previous attempt to avoid the NETDEV_GOING_DOWN on the master after\ndsa_switch_shutdown() was called seems improper. Unregistering the slave\ninterfaces is unnecessary and unhelpful. Instead, after the slaves have\nstopped being uppers of the DSA master, we can now reset to NULL the\nmaster->dsa_ptr pointer, which will make DSA start ignoring all future\nnotifier events on the master.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48808\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48808\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48808\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48808\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48808\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7\",\n \"https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae\",\n \"https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: fix panic when DSA master device unbinds on shutdown\\n\\nRafael reports that on a system with LX2160A and Marvell DSA switches,\\nif a reboot occurs while the DSA master (dpaa2-eth) is up, the following\\npanic can be seen:\\n\\nsystemd-shutdown[1]: Rebooting.\\nUnable to handle kernel paging request at virtual address 00a0000800000041\\n[00a0000800000041] address between user and kernel address ranges\\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\\nCPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32\\npc : dsa_slave_netdevice_event+0x130/0x3e4\\nlr : raw_notifier_call_chain+0x50/0x6c\\nCall trace:\\n dsa_slave_netdevice_event+0x130/0x3e4\\n raw_notifier_call_chain+0x50/0x6c\\n call_netdevice_notifiers_info+0x54/0xa0\\n __dev_close_many+0x50/0x130\\n dev_close_many+0x84/0x120\\n unregister_netdevice_many+0x130/0x710\\n unregister_netdevice_queue+0x8c/0xd0\\n unregister_netdev+0x20/0x30\\n dpaa2_eth_remove+0x68/0x190\\n fsl_mc_driver_remove+0x20/0x5c\\n __device_release_driver+0x21c/0x220\\n device_release_driver_internal+0xac/0xb0\\n device_links_unbind_consumers+0xd4/0x100\\n __device_release_driver+0x94/0x220\\n device_release_driver+0x28/0x40\\n bus_remove_device+0x118/0x124\\n device_del+0x174/0x420\\n fsl_mc_device_remove+0x24/0x40\\n __fsl_mc_device_remove+0xc/0x20\\n device_for_each_child+0x58/0xa0\\n dprc_remove+0x90/0xb0\\n fsl_mc_driver_remove+0x20/0x5c\\n __device_release_driver+0x21c/0x220\\n device_release_driver+0x28/0x40\\n bus_remove_device+0x118/0x124\\n device_del+0x174/0x420\\n fsl_mc_bus_remove+0x80/0x100\\n fsl_mc_bus_shutdown+0xc/0x1c\\n platform_shutdown+0x20/0x30\\n device_shutdown+0x154/0x330\\n __do_sys_reboot+0x1cc/0x250\\n __arm64_sys_reboot+0x20/0x30\\n invoke_syscall.constprop.0+0x4c/0xe0\\n do_el0_svc+0x4c/0x150\\n el0_svc+0x24/0xb0\\n el0t_64_sync_handler+0xa8/0xb0\\n el0t_64_sync+0x178/0x17c\\n\\nIt can be seen from the stack trace that the problem is that the\\nderegistration of the master causes a dev_close(), which gets notified\\nas NETDEV_GOING_DOWN to dsa_slave_netdevice_event().\\nBut dsa_switch_shutdown() has already run, and this has unregistered the\\nDSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to\\ncall dev_close_many() on those slave interfaces, leading to the problem.\\n\\nThe previous attempt to avoid the NETDEV_GOING_DOWN on the master after\\ndsa_switch_shutdown() was called seems improper. Unregistering the slave\\ninterfaces is unnecessary and unhelpful. Instead, after the slaves have\\nstopped being uppers of the DSA master, we can now reset to NULL the\\nmaster->dsa_ptr pointer, which will make DSA start ignoring all future\\nnotifier events on the master.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48808\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48816", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48816" + }, + { + "url": "https://git.kernel.org/stable/c/9482ab4540f5bcc869b44c067ae99b5fca16bd07" + }, + { + "url": "https://git.kernel.org/stable/c/b49ea673e119f59c71645e2f65b3ccad857c90ee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48816 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48816", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: lock against ->sock changing during sysfs read\n\n->sock can be set to NULL asynchronously unless ->recv_mutex is held.\nSo it is important to hold that mutex. Otherwise a sysfs read can\ntrigger an oops.\nCommit 17f09d3f619a (\"SUNRPC: Check if the xprt is connected before\nhandling sysfs reads\") appears to attempt to fix this problem, but it\nonly narrows the race window.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48816\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48816\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48816\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48816\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48816\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/9482ab4540f5bcc869b44c067ae99b5fca16bd07\",\n \"https://git.kernel.org/stable/c/b49ea673e119f59c71645e2f65b3ccad857c90ee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSUNRPC: lock against ->sock changing during sysfs read\\n\\n->sock can be set to NULL asynchronously unless ->recv_mutex is held.\\nSo it is important to hold that mutex. Otherwise a sysfs read can\\ntrigger an oops.\\nCommit 17f09d3f619a (\\\"SUNRPC: Check if the xprt is connected before\\nhandling sysfs reads\\\") appears to attempt to fix this problem, but it\\nonly narrows the race window.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48816\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48833", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48833" + }, + { + "url": "https://git.kernel.org/stable/c/40cdc509877bacb438213b83c7541c5e24a1d9ec" + }, + { + "url": "https://git.kernel.org/stable/c/44557a8f539a822c91238c1f95a95f98a5093d82" + }, + { + "url": "https://git.kernel.org/stable/c/4c5d94990fa2fd609360ecd0f7e183212a7d115c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48833 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48833", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: skip reserved bytes warning on unmount after log cleanup failure\n\nAfter the recent changes made by commit c2e39305299f01 (\"btrfs: clear\nextent buffer uptodate when we fail to write it\") and its followup fix,\ncommit 651740a5024117 (\"btrfs: check WRITE_ERR when trying to read an\nextent buffer\"), we can now end up not cleaning up space reservations of\nlog tree extent buffers after a transaction abort happens, as well as not\ncleaning up still dirty extent buffers.\n\nThis happens because if writeback for a log tree extent buffer failed,\nthen we have cleared the bit EXTENT_BUFFER_UPTODATE from the extent buffer\nand we have also set the bit EXTENT_BUFFER_WRITE_ERR on it. Later on,\nwhen trying to free the log tree with free_log_tree(), which iterates\nover the tree, we can end up getting an -EIO error when trying to read\na node or a leaf, since read_extent_buffer_pages() returns -EIO if an\nextent buffer does not have EXTENT_BUFFER_UPTODATE set and has the\nEXTENT_BUFFER_WRITE_ERR bit set. Getting that -EIO means that we return\nimmediately as we can not iterate over the entire tree.\n\nIn that case we never update the reserved space for an extent buffer in\nthe respective block group and space_info object.\n\nWhen this happens we get the following traces when unmounting the fs:\n\n[174957.284509] BTRFS: error (device dm-0) in cleanup_transaction:1913: errno=-5 IO failure\n[174957.286497] BTRFS: error (device dm-0) in free_log_tree:3420: errno=-5 IO failure\n[174957.399379] ------------[ cut here ]------------\n[174957.402497] WARNING: CPU: 2 PID: 3206883 at fs/btrfs/block-group.c:127 btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.407523] Modules linked in: btrfs overlay dm_zero (...)\n[174957.424917] CPU: 2 PID: 3206883 Comm: umount Tainted: G W 5.16.0-rc5-btrfs-next-109 #1\n[174957.426689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[174957.428716] RIP: 0010:btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.429717] Code: 21 48 8b bd (...)\n[174957.432867] RSP: 0018:ffffb70d41cffdd0 EFLAGS: 00010206\n[174957.433632] RAX: 0000000000000001 RBX: ffff8b09c3848000 RCX: ffff8b0758edd1c8\n[174957.434689] RDX: 0000000000000001 RSI: ffffffffc0b467e7 RDI: ffff8b0758edd000\n[174957.436068] RBP: ffff8b0758edd000 R08: 0000000000000000 R09: 0000000000000000\n[174957.437114] R10: 0000000000000246 R11: 0000000000000000 R12: ffff8b09c3848148\n[174957.438140] R13: ffff8b09c3848198 R14: ffff8b0758edd188 R15: dead000000000100\n[174957.439317] FS: 00007f328fb82800(0000) GS:ffff8b0a2d200000(0000) knlGS:0000000000000000\n[174957.440402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[174957.441164] CR2: 00007fff13563e98 CR3: 0000000404f4e005 CR4: 0000000000370ee0\n[174957.442117] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[174957.443076] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[174957.443948] Call Trace:\n[174957.444264] \n[174957.444538] btrfs_free_block_groups+0x255/0x3c0 [btrfs]\n[174957.445238] close_ctree+0x301/0x357 [btrfs]\n[174957.445803] ? call_rcu+0x16c/0x290\n[174957.446250] generic_shutdown_super+0x74/0x120\n[174957.446832] kill_anon_super+0x14/0x30\n[174957.447305] btrfs_kill_super+0x12/0x20 [btrfs]\n[174957.447890] deactivate_locked_super+0x31/0xa0\n[174957.448440] cleanup_mnt+0x147/0x1c0\n[174957.448888] task_work_run+0x5c/0xa0\n[174957.449336] exit_to_user_mode_prepare+0x1e5/0x1f0\n[174957.449934] syscall_exit_to_user_mode+0x16/0x40\n[174957.450512] do_syscall_64+0x48/0xc0\n[174957.450980] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[174957.451605] RIP: 0033:0x7f328fdc4a97\n[174957.452059] Code: 03 0c 00 f7 (...)\n[174957.454320] RSP: 002b:00007fff13564ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n[174957.455262] RAX: 0000000000000000 RBX: 00007f328feea264 RCX: 00007f328fdc4a97\n[174957.456131] RDX: 0000000000000000 RSI: 00000000000000\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48833\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48833\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48833\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48833\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48833\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/40cdc509877bacb438213b83c7541c5e24a1d9ec\",\n \"https://git.kernel.org/stable/c/44557a8f539a822c91238c1f95a95f98a5093d82\",\n \"https://git.kernel.org/stable/c/4c5d94990fa2fd609360ecd0f7e183212a7d115c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: skip reserved bytes warning on unmount after log cleanup failure\\n\\nAfter the recent changes made by commit c2e39305299f01 (\\\"btrfs: clear\\nextent buffer uptodate when we fail to write it\\\") and its followup fix,\\ncommit 651740a5024117 (\\\"btrfs: check WRITE_ERR when trying to read an\\nextent buffer\\\"), we can now end up not cleaning up space reservations of\\nlog tree extent buffers after a transaction abort happens, as well as not\\ncleaning up still dirty extent buffers.\\n\\nThis happens because if writeback for a log tree extent buffer failed,\\nthen we have cleared the bit EXTENT_BUFFER_UPTODATE from the extent buffer\\nand we have also set the bit EXTENT_BUFFER_WRITE_ERR on it. Later on,\\nwhen trying to free the log tree with free_log_tree(), which iterates\\nover the tree, we can end up getting an -EIO error when trying to read\\na node or a leaf, since read_extent_buffer_pages() returns -EIO if an\\nextent buffer does not have EXTENT_BUFFER_UPTODATE set and has the\\nEXTENT_BUFFER_WRITE_ERR bit set. Getting that -EIO means that we return\\nimmediately as we can not iterate over the entire tree.\\n\\nIn that case we never update the reserved space for an extent buffer in\\nthe respective block group and space_info object.\\n\\nWhen this happens we get the following traces when unmounting the fs:\\n\\n[174957.284509] BTRFS: error (device dm-0) in cleanup_transaction:1913: errno=-5 IO failure\\n[174957.286497] BTRFS: error (device dm-0) in free_log_tree:3420: errno=-5 IO failure\\n[174957.399379] ------------[ cut here ]------------\\n[174957.402497] WARNING: CPU: 2 PID: 3206883 at fs/btrfs/block-group.c:127 btrfs_put_block_group+0x77/0xb0 [btrfs]\\n[174957.407523] Modules linked in: btrfs overlay dm_zero (...)\\n[174957.424917] CPU: 2 PID: 3206883 Comm: umount Tainted: G W 5.16.0-rc5-btrfs-next-109 #1\\n[174957.426689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\n[174957.428716] RIP: 0010:btrfs_put_block_group+0x77/0xb0 [btrfs]\\n[174957.429717] Code: 21 48 8b bd (...)\\n[174957.432867] RSP: 0018:ffffb70d41cffdd0 EFLAGS: 00010206\\n[174957.433632] RAX: 0000000000000001 RBX: ffff8b09c3848000 RCX: ffff8b0758edd1c8\\n[174957.434689] RDX: 0000000000000001 RSI: ffffffffc0b467e7 RDI: ffff8b0758edd000\\n[174957.436068] RBP: ffff8b0758edd000 R08: 0000000000000000 R09: 0000000000000000\\n[174957.437114] R10: 0000000000000246 R11: 0000000000000000 R12: ffff8b09c3848148\\n[174957.438140] R13: ffff8b09c3848198 R14: ffff8b0758edd188 R15: dead000000000100\\n[174957.439317] FS: 00007f328fb82800(0000) GS:ffff8b0a2d200000(0000) knlGS:0000000000000000\\n[174957.440402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[174957.441164] CR2: 00007fff13563e98 CR3: 0000000404f4e005 CR4: 0000000000370ee0\\n[174957.442117] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[174957.443076] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[174957.443948] Call Trace:\\n[174957.444264] \\n[174957.444538] btrfs_free_block_groups+0x255/0x3c0 [btrfs]\\n[174957.445238] close_ctree+0x301/0x357 [btrfs]\\n[174957.445803] ? call_rcu+0x16c/0x290\\n[174957.446250] generic_shutdown_super+0x74/0x120\\n[174957.446832] kill_anon_super+0x14/0x30\\n[174957.447305] btrfs_kill_super+0x12/0x20 [btrfs]\\n[174957.447890] deactivate_locked_super+0x31/0xa0\\n[174957.448440] cleanup_mnt+0x147/0x1c0\\n[174957.448888] task_work_run+0x5c/0xa0\\n[174957.449336] exit_to_user_mode_prepare+0x1e5/0x1f0\\n[174957.449934] syscall_exit_to_user_mode+0x16/0x40\\n[174957.450512] do_syscall_64+0x48/0xc0\\n[174957.450980] entry_SYSCALL_64_after_hwframe+0x44/0xae\\n[174957.451605] RIP: 0033:0x7f328fdc4a97\\n[174957.452059] Code: 03 0c 00 f7 (...)\\n[174957.454320] RSP: 002b:00007fff13564ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\\n[174957.455262] RAX: 0000000000000000 RBX: 00007f328feea264 RCX: 00007f328fdc4a97\\n[174957.456131] RDX: 0000000000000000 RSI: 00000000000000\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48833\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48834", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48834" + }, + { + "url": "https://git.kernel.org/stable/c/10a805334a11acd547602d6c4cf540a0f6ab5c6e" + }, + { + "url": "https://git.kernel.org/stable/c/5f6a2d63c68c12cf61259df7c3527a0e05dce952" + }, + { + "url": "https://git.kernel.org/stable/c/700a0715854c1e79a73341724ce4f5bb01abc016" + }, + { + "url": "https://git.kernel.org/stable/c/c69aef9db878ab277068a8cc1b4bf0cf309dc2b7" + }, + { + "url": "https://git.kernel.org/stable/c/e9b667a82cdcfe21d590344447d65daed52b353b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48834 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48834", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbtmc: Fix bug in pipe direction for control transfers\n\nThe syzbot fuzzer reported a minor bug in the usbtmc driver:\n\nusb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0\nWARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412\nusb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410\nModules linked in:\nCPU: 0 PID: 3813 Comm: syz-executor122 Not tainted\n5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\n...\nCall Trace:\n \n usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153\n usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]\n\nThe problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for\nall of its transfers, whether they are in or out. It's easy to fix.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48834\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48834\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48834\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48834\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48834\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10a805334a11acd547602d6c4cf540a0f6ab5c6e\",\n \"https://git.kernel.org/stable/c/5f6a2d63c68c12cf61259df7c3527a0e05dce952\",\n \"https://git.kernel.org/stable/c/700a0715854c1e79a73341724ce4f5bb01abc016\",\n \"https://git.kernel.org/stable/c/c69aef9db878ab277068a8cc1b4bf0cf309dc2b7\",\n \"https://git.kernel.org/stable/c/e9b667a82cdcfe21d590344447d65daed52b353b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: usbtmc: Fix bug in pipe direction for control transfers\\n\\nThe syzbot fuzzer reported a minor bug in the usbtmc driver:\\n\\nusb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0\\nWARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412\\nusb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410\\nModules linked in:\\nCPU: 0 PID: 3813 Comm: syz-executor122 Not tainted\\n5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\\n...\\nCall Trace:\\n \\n usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58\\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\\n usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153\\n usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]\\n\\nThe problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for\\nall of its transfers, whether they are in or out. It's easy to fix.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48834\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48835", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48835" + }, + { + "url": "https://git.kernel.org/stable/c/0cd2dd4bcf4abc812148c4943f966a3c8dccb00f" + }, + { + "url": "https://git.kernel.org/stable/c/3916e33b917581e2b2086e856c291cb86ea98a05" + }, + { + "url": "https://git.kernel.org/stable/c/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3" + }, + { + "url": "https://git.kernel.org/stable/c/98e7a654a5bebaf1a28e987af5e44c002544a413" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48835 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48835", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Page fault in reply q processing\n\nA page fault was encountered in mpt3sas on a LUN reset error path:\n\n[ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)\n[ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)\n[ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)\n[ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00\n[ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)\n[ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)\n[ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)\n[ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d\n[ 149.885617] #PF: supervisor read access in kernel mode\n[ 149.894346] #PF: error_code(0x0000) - not-present page\n[ 149.903123] PGD 0 P4D 0\n[ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1\n[ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021\n[ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]\n[ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee\n[ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246\n[ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071\n[ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8\n[ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff\n[ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000\n[ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80\n[ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000\n[ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0\n[ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 150.108323] PKRU: 55555554\n[ 150.114690] Call Trace:\n[ 150.120497] ? printk+0x48/0x4a\n[ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]\n[ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]\n[ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas]\n[ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]\n[ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod]\n[ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60\n[ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod]\n[ 150.203206] ? __schedule+0x1e9/0x610\n[ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]\n[ 150.217924] kthread+0x12e/0x150\n[ 150.224041] ? kthread_worker_fn+0x130/0x130\n[ 150.231206] ret_from_fork+0x1f/0x30\n\nThis is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q\npointer outside of the list_for_each_entry() loop. At the end of the full\nlist traversal the pointer is invalid.\n\nMove the _base_process_reply_queue() call inside of the loop.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48835\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48835\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48835\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48835\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48835\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0cd2dd4bcf4abc812148c4943f966a3c8dccb00f\",\n \"https://git.kernel.org/stable/c/3916e33b917581e2b2086e856c291cb86ea98a05\",\n \"https://git.kernel.org/stable/c/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3\",\n \"https://git.kernel.org/stable/c/98e7a654a5bebaf1a28e987af5e44c002544a413\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: mpt3sas: Page fault in reply q processing\\n\\nA page fault was encountered in mpt3sas on a LUN reset error path:\\n\\n[ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)\\n[ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)\\n[ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)\\n[ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00\\n[ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)\\n[ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)\\n[ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)\\n[ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d\\n[ 149.885617] #PF: supervisor read access in kernel mode\\n[ 149.894346] #PF: error_code(0x0000) - not-present page\\n[ 149.903123] PGD 0 P4D 0\\n[ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI\\n[ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1\\n[ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021\\n[ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]\\n[ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee\\n[ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246\\n[ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071\\n[ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8\\n[ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff\\n[ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000\\n[ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80\\n[ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000\\n[ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0\\n[ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 150.108323] PKRU: 55555554\\n[ 150.114690] Call Trace:\\n[ 150.120497] ? printk+0x48/0x4a\\n[ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]\\n[ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]\\n[ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas]\\n[ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]\\n[ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod]\\n[ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\\n[ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60\\n[ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\\n[ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod]\\n[ 150.203206] ? __schedule+0x1e9/0x610\\n[ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]\\n[ 150.217924] kthread+0x12e/0x150\\n[ 150.224041] ? kthread_worker_fn+0x130/0x130\\n[ 150.231206] ret_from_fork+0x1f/0x30\\n\\nThis is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q\\npointer outside of the list_for_each_entry() loop. At the end of the full\\nlist traversal the pointer is invalid.\\n\\nMove the _base_process_reply_queue() call inside of the loop.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48835\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48836", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48836" + }, + { + "url": "https://git.kernel.org/stable/c/35069e654bcab567ff8b9f0e68e1caf82c15dcd7" + }, + { + "url": "https://git.kernel.org/stable/c/5600f6986628dde8881734090588474f54a540a8" + }, + { + "url": "https://git.kernel.org/stable/c/57277a8b5d881e02051ba9d7f6cb3f915c229821" + }, + { + "url": "https://git.kernel.org/stable/c/6de20111cd0bb7da9b2294073ba00c7d2a6c1c4f" + }, + { + "url": "https://git.kernel.org/stable/c/e732b0412f8c603d1e998f3bff41b5e7d5c3914c" + }, + { + "url": "https://git.kernel.org/stable/c/e762f57ff255af28236cd02ca9fc5c7e5a089d31" + }, + { + "url": "https://git.kernel.org/stable/c/f0d43d22d24182b94d7eb78a2bf6ae7e2b33204a" + }, + { + "url": "https://git.kernel.org/stable/c/fc8033a55e2796d21e370260a784ac9fbb8305a6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48836 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48836", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: aiptek - properly check endpoint type\n\nSyzbot reported warning in usb_submit_urb() which is caused by wrong\nendpoint type. There was a check for the number of endpoints, but not\nfor the type of endpoint.\n\nFix it by replacing old desc.bNumEndpoints check with\nusb_find_common_endpoints() helper for finding endpoints\n\nFail log:\n\nusb 5-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nWorkqueue: usb_hub_wq hub_event\n...\nCall Trace:\n \n aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830\n input_open_device+0x1bb/0x320 drivers/input/input.c:629\n kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48836\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48836\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48836\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48836\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48836\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/35069e654bcab567ff8b9f0e68e1caf82c15dcd7\",\n \"https://git.kernel.org/stable/c/5600f6986628dde8881734090588474f54a540a8\",\n \"https://git.kernel.org/stable/c/57277a8b5d881e02051ba9d7f6cb3f915c229821\",\n \"https://git.kernel.org/stable/c/6de20111cd0bb7da9b2294073ba00c7d2a6c1c4f\",\n \"https://git.kernel.org/stable/c/e732b0412f8c603d1e998f3bff41b5e7d5c3914c\",\n \"https://git.kernel.org/stable/c/e762f57ff255af28236cd02ca9fc5c7e5a089d31\",\n \"https://git.kernel.org/stable/c/f0d43d22d24182b94d7eb78a2bf6ae7e2b33204a\",\n \"https://git.kernel.org/stable/c/fc8033a55e2796d21e370260a784ac9fbb8305a6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nInput: aiptek - properly check endpoint type\\n\\nSyzbot reported warning in usb_submit_urb() which is caused by wrong\\nendpoint type. There was a check for the number of endpoints, but not\\nfor the type of endpoint.\\n\\nFix it by replacing old desc.bNumEndpoints check with\\nusb_find_common_endpoints() helper for finding endpoints\\n\\nFail log:\\n\\nusb 5-1: BOGUS urb xfer, pipe 1 != type 3\\nWARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\\nModules linked in:\\nCPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\\nWorkqueue: usb_hub_wq hub_event\\n...\\nCall Trace:\\n \\n aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830\\n input_open_device+0x1bb/0x320 drivers/input/input.c:629\\n kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48836\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48837", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48837" + }, + { + "url": "https://git.kernel.org/stable/c/138d4f739b35dfb40438a0d5d7054965763bfbe7" + }, + { + "url": "https://git.kernel.org/stable/c/21829376268397f9fd2c35cfa9135937b6aa3a1e" + }, + { + "url": "https://git.kernel.org/stable/c/28bc0267399f42f987916a7174e2e32f0833cc65" + }, + { + "url": "https://git.kernel.org/stable/c/56b38e3ca4064041d93c1ca18828c8cedad2e16c" + }, + { + "url": "https://git.kernel.org/stable/c/65f3324f4b6fed78b8761c3b74615ecf0ffa81fa" + }, + { + "url": "https://git.kernel.org/stable/c/8b3e4d26bc9cd0f6373d0095b9ffd99e7da8006b" + }, + { + "url": "https://git.kernel.org/stable/c/c7953cf03a26876d676145ce5d2ae6d8c9630b90" + }, + { + "url": "https://git.kernel.org/stable/c/df7e088d51cdf78b1a0bf1f3d405c2593295c7b0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48837 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48837", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: prevent integer overflow in rndis_set_response()\n\nIf \"BufOffset\" is very large the \"BufOffset + 8\" operation can have an\ninteger overflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48837\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48837\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48837\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48837\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48837\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/138d4f739b35dfb40438a0d5d7054965763bfbe7\",\n \"https://git.kernel.org/stable/c/21829376268397f9fd2c35cfa9135937b6aa3a1e\",\n \"https://git.kernel.org/stable/c/28bc0267399f42f987916a7174e2e32f0833cc65\",\n \"https://git.kernel.org/stable/c/56b38e3ca4064041d93c1ca18828c8cedad2e16c\",\n \"https://git.kernel.org/stable/c/65f3324f4b6fed78b8761c3b74615ecf0ffa81fa\",\n \"https://git.kernel.org/stable/c/8b3e4d26bc9cd0f6373d0095b9ffd99e7da8006b\",\n \"https://git.kernel.org/stable/c/c7953cf03a26876d676145ce5d2ae6d8c9630b90\",\n \"https://git.kernel.org/stable/c/df7e088d51cdf78b1a0bf1f3d405c2593295c7b0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: rndis: prevent integer overflow in rndis_set_response()\\n\\nIf \\\"BufOffset\\\" is very large the \\\"BufOffset + 8\\\" operation can have an\\ninteger overflow.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48837\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48838", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48838" + }, + { + "url": "https://git.kernel.org/stable/c/00bdd9bf1ac6d401ad926d3d8df41b9f1399f646" + }, + { + "url": "https://git.kernel.org/stable/c/16b1941eac2bd499f065a6739a40ce0011a3d740" + }, + { + "url": "https://git.kernel.org/stable/c/2015c23610cd0efadaeca4d3a8d1dae9a45aa35a" + }, + { + "url": "https://git.kernel.org/stable/c/2282a6eb6d4e118e294e43dcc421e0e0fe4040b5" + }, + { + "url": "https://git.kernel.org/stable/c/27d64436984fb8835a8b7e95993193cc478b162e" + }, + { + "url": "https://git.kernel.org/stable/c/4325124dde6726267813c736fee61226f1d38f0b" + }, + { + "url": "https://git.kernel.org/stable/c/609a7119bffe3ddd7c93f2fa65be8917e02a0b7e" + }, + { + "url": "https://git.kernel.org/stable/c/e2d3a7009e505e120805f449c832942660f3f7f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48838 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48838", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: Fix use-after-free bug by not setting udc->dev.driver\n\nThe syzbot fuzzer found a use-after-free bug:\n\nBUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320\nRead of size 8 at addr ffff88802b934098 by task udevd/3689\n\nCPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n dev_uevent+0x712/0x780 drivers/base/core.c:2320\n uevent_show+0x1b8/0x380 drivers/base/core.c:2391\n dev_attr_show+0x4b/0x90 drivers/base/core.c:2094\n\nAlthough the bug manifested in the driver core, the real cause was a\nrace with the gadget core. dev_uevent() does:\n\n\tif (dev->driver)\n\t\tadd_uevent_var(env, \"DRIVER=%s\", dev->driver->name);\n\nand between the test and the dereference of dev->driver, the gadget\ncore sets dev->driver to NULL.\n\nThe race wouldn't occur if the gadget core registered its devices on\na real bus, using the standard synchronization techniques of the\ndriver core. However, it's not necessary to make such a large change\nin order to fix this bug; all we need to do is make sure that\nudc->dev.driver is always NULL.\n\nIn fact, there is no reason for udc->dev.driver ever to be set to\nanything, let alone to the value it currently gets: the address of the\ngadget's driver. After all, a gadget driver only knows how to manage\na gadget, not how to manage a UDC.\n\nThis patch simply removes the statements in the gadget core that touch\nudc->dev.driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48838\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48838\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48838\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48838\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48838\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00bdd9bf1ac6d401ad926d3d8df41b9f1399f646\",\n \"https://git.kernel.org/stable/c/16b1941eac2bd499f065a6739a40ce0011a3d740\",\n \"https://git.kernel.org/stable/c/2015c23610cd0efadaeca4d3a8d1dae9a45aa35a\",\n \"https://git.kernel.org/stable/c/2282a6eb6d4e118e294e43dcc421e0e0fe4040b5\",\n \"https://git.kernel.org/stable/c/27d64436984fb8835a8b7e95993193cc478b162e\",\n \"https://git.kernel.org/stable/c/4325124dde6726267813c736fee61226f1d38f0b\",\n \"https://git.kernel.org/stable/c/609a7119bffe3ddd7c93f2fa65be8917e02a0b7e\",\n \"https://git.kernel.org/stable/c/e2d3a7009e505e120805f449c832942660f3f7f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: Fix use-after-free bug by not setting udc->dev.driver\\n\\nThe syzbot fuzzer found a use-after-free bug:\\n\\nBUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320\\nRead of size 8 at addr ffff88802b934098 by task udevd/3689\\n\\nCPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\\n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255\\n __kasan_report mm/kasan/report.c:442 [inline]\\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\\n dev_uevent+0x712/0x780 drivers/base/core.c:2320\\n uevent_show+0x1b8/0x380 drivers/base/core.c:2391\\n dev_attr_show+0x4b/0x90 drivers/base/core.c:2094\\n\\nAlthough the bug manifested in the driver core, the real cause was a\\nrace with the gadget core. dev_uevent() does:\\n\\n\\tif (dev->driver)\\n\\t\\tadd_uevent_var(env, \\\"DRIVER=%s\\\", dev->driver->name);\\n\\nand between the test and the dereference of dev->driver, the gadget\\ncore sets dev->driver to NULL.\\n\\nThe race wouldn't occur if the gadget core registered its devices on\\na real bus, using the standard synchronization techniques of the\\ndriver core. However, it's not necessary to make such a large change\\nin order to fix this bug; all we need to do is make sure that\\nudc->dev.driver is always NULL.\\n\\nIn fact, there is no reason for udc->dev.driver ever to be set to\\nanything, let alone to the value it currently gets: the address of the\\ngadget's driver. After all, a gadget driver only knows how to manage\\na gadget, not how to manage a UDC.\\n\\nThis patch simply removes the statements in the gadget core that touch\\nudc->dev.driver.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48838\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48839", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48839" + }, + { + "url": "https://git.kernel.org/stable/c/268dcf1f7b3193bc446ec3d14e08a240e9561e4d" + }, + { + "url": "https://git.kernel.org/stable/c/70b7b3c055fd4a464da8da55ff4c1f84269f9b02" + }, + { + "url": "https://git.kernel.org/stable/c/a055f5f2841f7522b44a2b1eccb1951b4b03d51a" + }, + { + "url": "https://git.kernel.org/stable/c/a33dd1e6693f80d805155b3f69c18c2f642915da" + }, + { + "url": "https://git.kernel.org/stable/c/b1e27cda1e3c12b705875bb7e247a97168580e33" + }, + { + "url": "https://git.kernel.org/stable/c/b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0" + }, + { + "url": "https://git.kernel.org/stable/c/c700525fcc06b05adfea78039de02628af79e07a" + }, + { + "url": "https://git.kernel.org/stable/c/ef591b35176029fdefea38e8388ffa371e18f4b2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48839 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48839", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix slab-out-of-bounds access in packet_recvmsg()\n\nsyzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH\nand mmap operations, tpacket_rcv() is queueing skbs with\ngarbage in skb->cb[], triggering a too big copy [1]\n\nPresumably, users of af_packet using mmap() already gets correct\nmetadata from the mapped buffer, we can simply make sure\nto clear 12 bytes that might be copied to user space later.\n\nBUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]\nBUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\nWrite of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631\n\nCPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189\n memcpy+0x39/0x60 mm/kasan/shadow.c:66\n memcpy include/linux/fortify-string.h:225 [inline]\n packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\n sock_recvmsg_nosec net/socket.c:948 [inline]\n sock_recvmsg net/socket.c:966 [inline]\n sock_recvmsg net/socket.c:962 [inline]\n ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632\n ___sys_recvmsg+0x127/0x200 net/socket.c:2674\n __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fdfd5954c29\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60\nR13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54\n \n\naddr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:\n ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246\n\nthis frame has 1 object:\n [32, 160) 'addr'\n\nMemory state around the buggy address:\n ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00\n ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00\n>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3\n ^\n ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1\n ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00\n==================================================================", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48839\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48839\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48839\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48839\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48839\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/268dcf1f7b3193bc446ec3d14e08a240e9561e4d\",\n \"https://git.kernel.org/stable/c/70b7b3c055fd4a464da8da55ff4c1f84269f9b02\",\n \"https://git.kernel.org/stable/c/a055f5f2841f7522b44a2b1eccb1951b4b03d51a\",\n \"https://git.kernel.org/stable/c/a33dd1e6693f80d805155b3f69c18c2f642915da\",\n \"https://git.kernel.org/stable/c/b1e27cda1e3c12b705875bb7e247a97168580e33\",\n \"https://git.kernel.org/stable/c/b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0\",\n \"https://git.kernel.org/stable/c/c700525fcc06b05adfea78039de02628af79e07a\",\n \"https://git.kernel.org/stable/c/ef591b35176029fdefea38e8388ffa371e18f4b2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/packet: fix slab-out-of-bounds access in packet_recvmsg()\\n\\nsyzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH\\nand mmap operations, tpacket_rcv() is queueing skbs with\\ngarbage in skb->cb[], triggering a too big copy [1]\\n\\nPresumably, users of af_packet using mmap() already gets correct\\nmetadata from the mapped buffer, we can simply make sure\\nto clear 12 bytes that might be copied to user space later.\\n\\nBUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]\\nBUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\\nWrite of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631\\n\\nCPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\\n print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255\\n __kasan_report mm/kasan/report.c:442 [inline]\\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\\n check_region_inline mm/kasan/generic.c:183 [inline]\\n kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189\\n memcpy+0x39/0x60 mm/kasan/shadow.c:66\\n memcpy include/linux/fortify-string.h:225 [inline]\\n packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\\n sock_recvmsg_nosec net/socket.c:948 [inline]\\n sock_recvmsg net/socket.c:966 [inline]\\n sock_recvmsg net/socket.c:962 [inline]\\n ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632\\n ___sys_recvmsg+0x127/0x200 net/socket.c:2674\\n __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x44/0xae\\nRIP: 0033:0x7fdfd5954c29\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29\\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005\\nRBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d\\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60\\nR13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54\\n \\n\\naddr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:\\n ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246\\n\\nthis frame has 1 object:\\n [32, 160) 'addr'\\n\\nMemory state around the buggy address:\\n ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00\\n ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00\\n>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3\\n ^\\n ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1\\n ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00\\n==================================================================\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48839\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48840", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48840" + }, + { + "url": "https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57" + }, + { + "url": "https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813" + }, + { + "url": "https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48840 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48840", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix hang during reboot/shutdown\n\nRecent commit 974578017fc1 (\"iavf: Add waiting so the port is\ninitialized in remove\") adds a wait-loop at the beginning of\niavf_remove() to ensure that port initialization is finished\nprior unregistering net device. This causes a regression\nin reboot/shutdown scenario because in this case callback\niavf_shutdown() is called and this callback detaches the device,\nmakes it down if it is running and sets its state to __IAVF_REMOVE.\nLater shutdown callback of associated PF driver (e.g. ice_shutdown)\nis called. That callback calls among other things sriov_disable()\nthat calls indirectly iavf_remove() (see stack trace below).\nAs the adapter state is already __IAVF_REMOVE then the mentioned\nloop is end-less and shutdown process hangs.\n\nThe patch fixes this by checking adapter's state at the beginning\nof iavf_remove() and skips the rest of the function if the adapter\nis already in remove state (shutdown is in progress).\n\nReproducer:\n1. Create VF on PF driven by ice or i40e driver\n2. Ensure that the VF is bound to iavf driver\n3. Reboot\n\n[52625.981294] sysrq: SysRq : Show Blocked State\n[52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2\n[52625.996732] Call Trace:\n[52625.999187] __schedule+0x2d1/0x830\n[52626.007400] schedule+0x35/0xa0\n[52626.010545] schedule_hrtimeout_range_clock+0x83/0x100\n[52626.020046] usleep_range+0x5b/0x80\n[52626.023540] iavf_remove+0x63/0x5b0 [iavf]\n[52626.027645] pci_device_remove+0x3b/0xc0\n[52626.031572] device_release_driver_internal+0x103/0x1f0\n[52626.036805] pci_stop_bus_device+0x72/0xa0\n[52626.040904] pci_stop_and_remove_bus_device+0xe/0x20\n[52626.045870] pci_iov_remove_virtfn+0xba/0x120\n[52626.050232] sriov_disable+0x2f/0xe0\n[52626.053813] ice_free_vfs+0x7c/0x340 [ice]\n[52626.057946] ice_remove+0x220/0x240 [ice]\n[52626.061967] ice_shutdown+0x16/0x50 [ice]\n[52626.065987] pci_device_shutdown+0x34/0x60\n[52626.070086] device_shutdown+0x165/0x1c5\n[52626.074011] kernel_restart+0xe/0x30\n[52626.077593] __do_sys_reboot+0x1d2/0x210\n[52626.093815] do_syscall_64+0x5b/0x1a0\n[52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48840\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48840\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48840\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48840\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48840\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57\",\n \"https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813\",\n \"https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niavf: Fix hang during reboot/shutdown\\n\\nRecent commit 974578017fc1 (\\\"iavf: Add waiting so the port is\\ninitialized in remove\\\") adds a wait-loop at the beginning of\\niavf_remove() to ensure that port initialization is finished\\nprior unregistering net device. This causes a regression\\nin reboot/shutdown scenario because in this case callback\\niavf_shutdown() is called and this callback detaches the device,\\nmakes it down if it is running and sets its state to __IAVF_REMOVE.\\nLater shutdown callback of associated PF driver (e.g. ice_shutdown)\\nis called. That callback calls among other things sriov_disable()\\nthat calls indirectly iavf_remove() (see stack trace below).\\nAs the adapter state is already __IAVF_REMOVE then the mentioned\\nloop is end-less and shutdown process hangs.\\n\\nThe patch fixes this by checking adapter's state at the beginning\\nof iavf_remove() and skips the rest of the function if the adapter\\nis already in remove state (shutdown is in progress).\\n\\nReproducer:\\n1. Create VF on PF driven by ice or i40e driver\\n2. Ensure that the VF is bound to iavf driver\\n3. Reboot\\n\\n[52625.981294] sysrq: SysRq : Show Blocked State\\n[52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2\\n[52625.996732] Call Trace:\\n[52625.999187] __schedule+0x2d1/0x830\\n[52626.007400] schedule+0x35/0xa0\\n[52626.010545] schedule_hrtimeout_range_clock+0x83/0x100\\n[52626.020046] usleep_range+0x5b/0x80\\n[52626.023540] iavf_remove+0x63/0x5b0 [iavf]\\n[52626.027645] pci_device_remove+0x3b/0xc0\\n[52626.031572] device_release_driver_internal+0x103/0x1f0\\n[52626.036805] pci_stop_bus_device+0x72/0xa0\\n[52626.040904] pci_stop_and_remove_bus_device+0xe/0x20\\n[52626.045870] pci_iov_remove_virtfn+0xba/0x120\\n[52626.050232] sriov_disable+0x2f/0xe0\\n[52626.053813] ice_free_vfs+0x7c/0x340 [ice]\\n[52626.057946] ice_remove+0x220/0x240 [ice]\\n[52626.061967] ice_shutdown+0x16/0x50 [ice]\\n[52626.065987] pci_device_shutdown+0x34/0x60\\n[52626.070086] device_shutdown+0x165/0x1c5\\n[52626.074011] kernel_restart+0xe/0x30\\n[52626.077593] __do_sys_reboot+0x1d2/0x210\\n[52626.093815] do_syscall_64+0x5b/0x1a0\\n[52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48840\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48846", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48846" + }, + { + "url": "https://git.kernel.org/stable/c/60c2c8e2ef3a3ec79de8cbc80a06ca0c21df8c29" + }, + { + "url": "https://git.kernel.org/stable/c/d4ad8736ac982111bb0be8306bf19c8207f6600e" + }, + { + "url": "https://git.kernel.org/stable/c/daaca3522a8e67c46e39ef09c1d542e866f85f3b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48846 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48846", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: release rq qos structures for queue without disk\n\nblkcg_init_queue() may add rq qos structures to request queue, previously\nblk_cleanup_queue() calls rq_qos_exit() to release them, but commit\n8e141f9eb803 (\"block: drain file system I/O on del_gendisk\")\nmoves rq_qos_exit() into del_gendisk(), so memory leak is caused\nbecause queues may not have disk, such as un-present scsi luns, nvme\nadmin queue, ...\n\nFixes the issue by adding rq_qos_exit() to blk_cleanup_queue() back.\n\nBTW, v5.18 won't need this patch any more since we move\nblkcg_init_queue()/blkcg_exit_queue() into disk allocation/release\nhandler, and patches have been in for-5.18/block.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48846\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48846\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48846\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48846\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48846\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/60c2c8e2ef3a3ec79de8cbc80a06ca0c21df8c29\",\n \"https://git.kernel.org/stable/c/d4ad8736ac982111bb0be8306bf19c8207f6600e\",\n \"https://git.kernel.org/stable/c/daaca3522a8e67c46e39ef09c1d542e866f85f3b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: release rq qos structures for queue without disk\\n\\nblkcg_init_queue() may add rq qos structures to request queue, previously\\nblk_cleanup_queue() calls rq_qos_exit() to release them, but commit\\n8e141f9eb803 (\\\"block: drain file system I/O on del_gendisk\\\")\\nmoves rq_qos_exit() into del_gendisk(), so memory leak is caused\\nbecause queues may not have disk, such as un-present scsi luns, nvme\\nadmin queue, ...\\n\\nFixes the issue by adding rq_qos_exit() to blk_cleanup_queue() back.\\n\\nBTW, v5.18 won't need this patch any more since we move\\nblkcg_init_queue()/blkcg_exit_queue() into disk allocation/release\\nhandler, and patches have been in for-5.18/block.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48846\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48868", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48868" + }, + { + "url": "https://git.kernel.org/stable/c/0f150134dd795ffcd60b798a85ab737d8d010fb7" + }, + { + "url": "https://git.kernel.org/stable/c/99dc4520b74e7ca8e9dc9abe37a0b10b49467960" + }, + { + "url": "https://git.kernel.org/stable/c/b51b75f0604f17c0f6f3b6f68f1a521a5cc6b04f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48868 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48868", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Let probe fail when workqueue cannot be enabled\n\nThe workqueue is enabled when the appropriate driver is loaded and\ndisabled when the driver is removed. When the driver is removed it\nassumes that the workqueue was enabled successfully and proceeds to\nfree allocations made during workqueue enabling.\n\nFailure during workqueue enabling does not prevent the driver from\nbeing loaded. This is because the error path within drv_enable_wq()\nreturns success unless a second failure is encountered\nduring the error path. By returning success it is possible to load\nthe driver even if the workqueue cannot be enabled and\nallocations that do not exist are attempted to be freed during\ndriver remove.\n\nSome examples of problematic flows:\n(a)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_unmap_portal() is called on error exit path, but\n drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The\n driver is thus loaded successfully.\n\n idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal()\n Above flow on driver unload triggers the WARN in devm_iounmap() because\n the device resource has already been removed during error path of\n drv_enable_wq().\n\n(b)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_init_percpu_ref() is never called to initialize the percpu\n counter, yet the driver loads successfully because drv_enable_wq()\n returns 0.\n\n idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill():\n Above flow on driver unload triggers a BUG when attempting to drop the\n initial ref of the uninitialized percpu ref:\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n\nFix the drv_enable_wq() error path by returning the original error that\nindicates failure of workqueue enabling. This ensures that the probe\nfails when an error is encountered and the driver remove paths are only\nattempted when the workqueue was enabled successfully.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48868\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48868\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48868\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48868\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48868\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f150134dd795ffcd60b798a85ab737d8d010fb7\",\n \"https://git.kernel.org/stable/c/99dc4520b74e7ca8e9dc9abe37a0b10b49467960\",\n \"https://git.kernel.org/stable/c/b51b75f0604f17c0f6f3b6f68f1a521a5cc6b04f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: idxd: Let probe fail when workqueue cannot be enabled\\n\\nThe workqueue is enabled when the appropriate driver is loaded and\\ndisabled when the driver is removed. When the driver is removed it\\nassumes that the workqueue was enabled successfully and proceeds to\\nfree allocations made during workqueue enabling.\\n\\nFailure during workqueue enabling does not prevent the driver from\\nbeing loaded. This is because the error path within drv_enable_wq()\\nreturns success unless a second failure is encountered\\nduring the error path. By returning success it is possible to load\\nthe driver even if the workqueue cannot be enabled and\\nallocations that do not exist are attempted to be freed during\\ndriver remove.\\n\\nSome examples of problematic flows:\\n(a)\\n\\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\\n In above flow, if idxd_wq_request_irq() fails then\\n idxd_wq_unmap_portal() is called on error exit path, but\\n drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The\\n driver is thus loaded successfully.\\n\\n idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal()\\n Above flow on driver unload triggers the WARN in devm_iounmap() because\\n the device resource has already been removed during error path of\\n drv_enable_wq().\\n\\n(b)\\n\\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\\n In above flow, if idxd_wq_request_irq() fails then\\n idxd_wq_init_percpu_ref() is never called to initialize the percpu\\n counter, yet the driver loads successfully because drv_enable_wq()\\n returns 0.\\n\\n idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill():\\n Above flow on driver unload triggers a BUG when attempting to drop the\\n initial ref of the uninitialized percpu ref:\\n BUG: kernel NULL pointer dereference, address: 0000000000000010\\n\\nFix the drv_enable_wq() error path by returning the original error that\\nindicates failure of workqueue enabling. This ensures that the probe\\nfails when an error is encountered and the driver remove paths are only\\nattempted when the workqueue was enabled successfully.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48868\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48869", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48869" + }, + { + "url": "https://git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3" + }, + { + "url": "https://git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4" + }, + { + "url": "https://git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466ae" + }, + { + "url": "https://git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9" + }, + { + "url": "https://git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48869 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48869", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadgetfs: Fix race between mounting and unmounting\n\nThe syzbot fuzzer and Gerald Lee have identified a use-after-free bug\nin the gadgetfs driver, involving processes concurrently mounting and\nunmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super()\ncan race with gadgetfs_kill_sb(), causing the latter to deallocate\nthe_device while the former is using it. The output from KASAN says,\nin part:\n\nBUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]\nBUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\nBUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]\nBUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]\nBUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]\nBUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\nBUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\nWrite of size 4 at addr ffff8880276d7840 by task syz-executor126/18689\n\nCPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n \n...\n atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\n __refcount_sub_and_test include/linux/refcount.h:272 [inline]\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\n put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\n gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n vfs_get_super fs/super.c:1190 [inline]\n get_tree_single+0xd0/0x160 fs/super.c:1207\n vfs_get_tree+0x88/0x270 fs/super.c:1531\n vfs_fsconfig_locked fs/fsopen.c:232 [inline]\n\nThe simplest solution is to ensure that gadgetfs_fill_super() and\ngadgetfs_kill_sb() are serialized by making them both acquire a new\nmutex.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48869\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48869\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48869\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48869\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48869\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3\",\n \"https://git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4\",\n \"https://git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466ae\",\n \"https://git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9\",\n \"https://git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: gadgetfs: Fix race between mounting and unmounting\\n\\nThe syzbot fuzzer and Gerald Lee have identified a use-after-free bug\\nin the gadgetfs driver, involving processes concurrently mounting and\\nunmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super()\\ncan race with gadgetfs_kill_sb(), causing the latter to deallocate\\nthe_device while the former is using it. The output from KASAN says,\\nin part:\\n\\nBUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]\\nBUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\\nBUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]\\nBUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]\\nBUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]\\nBUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\\nBUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\\nWrite of size 4 at addr ffff8880276d7840 by task syz-executor126/18689\\n\\nCPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\\nCall Trace:\\n \\n...\\n atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\\n __refcount_sub_and_test include/linux/refcount.h:272 [inline]\\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\\n put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\\n gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\\n vfs_get_super fs/super.c:1190 [inline]\\n get_tree_single+0xd0/0x160 fs/super.c:1207\\n vfs_get_tree+0x88/0x270 fs/super.c:1531\\n vfs_fsconfig_locked fs/fsopen.c:232 [inline]\\n\\nThe simplest solution is to ensure that gadgetfs_fill_super() and\\ngadgetfs_kill_sb() are serialized by making them both acquire a new\\nmutex.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48869\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48870", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48870" + }, + { + "url": "https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f" + }, + { + "url": "https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5" + }, + { + "url": "https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48870 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48870", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix possible null-ptr-defer in spk_ttyio_release\n\nRun the following tests on the qemu platform:\n\nsyzkaller:~# modprobe speakup_audptr\n input: Speakup as /devices/virtual/input/input4\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\n speakup 3.1.6: initialized\n synth name on entry is: (null)\n synth probe\n\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\nproblem, as follow:\n\nsyzkaller:~# modprobe -r speakup_audptr\n releasing synth audptr\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\n RIP: 0010:mutex_lock+0x14/0x30\n Call Trace:\n \n spk_ttyio_release+0x19/0x70 [speakup]\n synth_release.part.6+0xac/0xc0 [speakup]\n synth_remove+0x56/0x60 [speakup]\n __x64_sys_delete_module+0x156/0x250\n ? fpregs_assert_state_consistent+0x1d/0x50\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \n Modules linked in: speakup_audptr(-) speakup\n Dumping ftrace buffer:\n\nin_synth->dev was not initialized during modprobe, so we add check\nfor in_synth->dev to fix this bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48870\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48870\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48870\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48870\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48870\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f\",\n \"https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5\",\n \"https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: fix possible null-ptr-defer in spk_ttyio_release\\n\\nRun the following tests on the qemu platform:\\n\\nsyzkaller:~# modprobe speakup_audptr\\n input: Speakup as /devices/virtual/input/input4\\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\\n speakup 3.1.6: initialized\\n synth name on entry is: (null)\\n synth probe\\n\\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\\nproblem, as follow:\\n\\nsyzkaller:~# modprobe -r speakup_audptr\\n releasing synth audptr\\n BUG: kernel NULL pointer dereference, address: 0000000000000080\\n #PF: supervisor write access in kernel mode\\n #PF: error_code(0x0002) - not-present page\\n PGD 0 P4D 0\\n Oops: 0002 [#1] PREEMPT SMP PTI\\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\\n RIP: 0010:mutex_lock+0x14/0x30\\n Call Trace:\\n \\n spk_ttyio_release+0x19/0x70 [speakup]\\n synth_release.part.6+0xac/0xc0 [speakup]\\n synth_remove+0x56/0x60 [speakup]\\n __x64_sys_delete_module+0x156/0x250\\n ? fpregs_assert_state_consistent+0x1d/0x50\\n do_syscall_64+0x37/0x90\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n \\n Modules linked in: speakup_audptr(-) speakup\\n Dumping ftrace buffer:\\n\\nin_synth->dev was not initialized during modprobe, so we add check\\nfor in_synth->dev to fix this bug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48870\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48871", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48871" + }, + { + "url": "https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a" + }, + { + "url": "https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2" + }, + { + "url": "https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a" + }, + { + "url": "https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48871 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48871", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer\n\nDriver's probe allocates memory for RX FIFO (port->rx_fifo) based on\ndefault RX FIFO depth, e.g. 16. Later during serial startup the\nqcom_geni_serial_port_setup() updates the RX FIFO depth\n(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.\n\nThe RX UART handle code will read \"port->rx_fifo_depth\" number of words\ninto \"port->rx_fifo\" buffer, thus exceeding the bounds. This can be\nobserved in certain configurations with Qualcomm Bluetooth HCI UART\ndevice and KASAN:\n\n Bluetooth: hci0: QCA Product ID :0x00000010\n Bluetooth: hci0: QCA SOC Version :0x400a0200\n Bluetooth: hci0: QCA ROM Version :0x00000200\n Bluetooth: hci0: QCA Patch Version:0x00000d2b\n Bluetooth: hci0: QCA controller version 0x02000200\n Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv\n bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2\n Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)\n Bluetooth: hci0: QCA Failed to download patch (-2)\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c\n Write of size 4 at addr ffff279347d578c0 by task swapper/0/0\n\n CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n dump_backtrace.part.0+0xe0/0xf0\n show_stack+0x18/0x40\n dump_stack_lvl+0x8c/0xb8\n print_report+0x188/0x488\n kasan_report+0xb4/0x100\n __asan_store4+0x80/0xa4\n handle_rx_uart+0xa8/0x18c\n qcom_geni_serial_handle_rx+0x84/0x9c\n qcom_geni_serial_isr+0x24c/0x760\n __handle_irq_event_percpu+0x108/0x500\n handle_irq_event+0x6c/0x110\n handle_fasteoi_irq+0x138/0x2cc\n generic_handle_domain_irq+0x48/0x64\n\nIf the RX FIFO depth changes after probe, be sure to resize the buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48871\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48871\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48871\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48871\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48871\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a\",\n \"https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2\",\n \"https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a\",\n \"https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer\\n\\nDriver's probe allocates memory for RX FIFO (port->rx_fifo) based on\\ndefault RX FIFO depth, e.g. 16. Later during serial startup the\\nqcom_geni_serial_port_setup() updates the RX FIFO depth\\n(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.\\n\\nThe RX UART handle code will read \\\"port->rx_fifo_depth\\\" number of words\\ninto \\\"port->rx_fifo\\\" buffer, thus exceeding the bounds. This can be\\nobserved in certain configurations with Qualcomm Bluetooth HCI UART\\ndevice and KASAN:\\n\\n Bluetooth: hci0: QCA Product ID :0x00000010\\n Bluetooth: hci0: QCA SOC Version :0x400a0200\\n Bluetooth: hci0: QCA ROM Version :0x00000200\\n Bluetooth: hci0: QCA Patch Version:0x00000d2b\\n Bluetooth: hci0: QCA controller version 0x02000200\\n Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv\\n bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2\\n Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)\\n Bluetooth: hci0: QCA Failed to download patch (-2)\\n ==================================================================\\n BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c\\n Write of size 4 at addr ffff279347d578c0 by task swapper/0/0\\n\\n CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26\\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\\n Call trace:\\n dump_backtrace.part.0+0xe0/0xf0\\n show_stack+0x18/0x40\\n dump_stack_lvl+0x8c/0xb8\\n print_report+0x188/0x488\\n kasan_report+0xb4/0x100\\n __asan_store4+0x80/0xa4\\n handle_rx_uart+0xa8/0x18c\\n qcom_geni_serial_handle_rx+0x84/0x9c\\n qcom_geni_serial_isr+0x24c/0x760\\n __handle_irq_event_percpu+0x108/0x500\\n handle_irq_event+0x6c/0x110\\n handle_fasteoi_irq+0x138/0x2cc\\n generic_handle_domain_irq+0x48/0x64\\n\\nIf the RX FIFO depth changes after probe, be sure to resize the buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48871\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48872", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48872" + }, + { + "url": "https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907" + }, + { + "url": "https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4" + }, + { + "url": "https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1" + }, + { + "url": "https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb" + }, + { + "url": "https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48872 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48872", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix use-after-free race condition for maps\n\nIt is possible that in between calling fastrpc_map_get() until\nmap->fl->lock is taken in fastrpc_free_map(), another thread can call\nfastrpc_map_lookup() and get a reference to a map that is about to be\ndeleted.\n\nRewrite fastrpc_map_get() to only increase the reference count of a map\nif it's non-zero. Propagate this to callers so they can know if a map is\nabout to be deleted.\n\nFixes this warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate\n...\nCall trace:\n refcount_warn_saturate\n [fastrpc_map_get inlined]\n [fastrpc_map_lookup inlined]\n fastrpc_map_create\n fastrpc_internal_invoke\n fastrpc_device_ioctl\n __arm64_sys_ioctl\n invoke_syscall", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48872\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48872\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48872\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48872\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48872\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907\",\n \"https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4\",\n \"https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1\",\n \"https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb\",\n \"https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmisc: fastrpc: Fix use-after-free race condition for maps\\n\\nIt is possible that in between calling fastrpc_map_get() until\\nmap->fl->lock is taken in fastrpc_free_map(), another thread can call\\nfastrpc_map_lookup() and get a reference to a map that is about to be\\ndeleted.\\n\\nRewrite fastrpc_map_get() to only increase the reference count of a map\\nif it's non-zero. Propagate this to callers so they can know if a map is\\nabout to be deleted.\\n\\nFixes this warning:\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate\\n...\\nCall trace:\\n refcount_warn_saturate\\n [fastrpc_map_get inlined]\\n [fastrpc_map_lookup inlined]\\n fastrpc_map_create\\n fastrpc_internal_invoke\\n fastrpc_device_ioctl\\n __arm64_sys_ioctl\\n invoke_syscall\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48872\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48873", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48873" + }, + { + "url": "https://git.kernel.org/stable/c/193cd853145b63e670bd73740250983af1475330" + }, + { + "url": "https://git.kernel.org/stable/c/1b7b7bb400dd13dcb03fc6e591bb7ca4664bbec8" + }, + { + "url": "https://git.kernel.org/stable/c/35ddd482345c43d9eec1f3406c0f20a95ed4054b" + }, + { + "url": "https://git.kernel.org/stable/c/4b5c44e924a571d0ad07054de549624fbc04e4d7" + }, + { + "url": "https://git.kernel.org/stable/c/5bb96c8f9268e2fdb0e5321cbc358ee5941efc15" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48873 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48873", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Don't remove map on creater_process and device_release\n\nDo not remove the map from the list on error path in\nfastrpc_init_create_process, instead call fastrpc_map_put, to avoid\nuse-after-free. Do not remove it on fastrpc_device_release either,\ncall fastrpc_map_put instead.\n\nThe fastrpc_free_map is the only proper place to remove the map.\nThis is called only after the reference count is 0.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48873\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48873\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48873\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48873\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48873\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/193cd853145b63e670bd73740250983af1475330\",\n \"https://git.kernel.org/stable/c/1b7b7bb400dd13dcb03fc6e591bb7ca4664bbec8\",\n \"https://git.kernel.org/stable/c/35ddd482345c43d9eec1f3406c0f20a95ed4054b\",\n \"https://git.kernel.org/stable/c/4b5c44e924a571d0ad07054de549624fbc04e4d7\",\n \"https://git.kernel.org/stable/c/5bb96c8f9268e2fdb0e5321cbc358ee5941efc15\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmisc: fastrpc: Don't remove map on creater_process and device_release\\n\\nDo not remove the map from the list on error path in\\nfastrpc_init_create_process, instead call fastrpc_map_put, to avoid\\nuse-after-free. Do not remove it on fastrpc_device_release either,\\ncall fastrpc_map_put instead.\\n\\nThe fastrpc_free_map is the only proper place to remove the map.\\nThis is called only after the reference count is 0.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48873\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48875", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48875" + }, + { + "url": "https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef" + }, + { + "url": "https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df" + }, + { + "url": "https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e" + }, + { + "url": "https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48875 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48875", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: sdata can be NULL during AMPDU start\n\nieee80211_tx_ba_session_handle_start() may get NULL for sdata when a\ndeauthentication is ongoing.\n\nHere a trace triggering the race with the hostapd test\nmulti_ap_fronthaul_on_ap:\n\n(gdb) list *drv_ampdu_action+0x46\n0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).\n391 int ret = -EOPNOTSUPP;\n392\n393 might_sleep();\n394\n395 sdata = get_bss_sdata(sdata);\n396 if (!check_sdata_in_driver(sdata))\n397 return -EIO;\n398\n399 trace_drv_ampdu_action(local, sdata, params);\n400\n\nwlan0: moving STA 02:00:00:00:03:00 to state 3\nwlan0: associated\nwlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)\nwlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0\nwlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)\nwlan0: moving STA 02:00:00:00:03:00 to state 2\nwlan0: moving STA 02:00:00:00:03:00 to state 1\nwlan0: Removed STA 02:00:00:00:03:00\nwlan0: Destroyed STA 02:00:00:00:03:00\nBUG: unable to handle page fault for address: fffffffffffffb48\nPGD 11814067 P4D 11814067 PUD 11816067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\nWorkqueue: phy3 ieee80211_ba_session_work [mac80211]\nRIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]\nCode: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85\nRSP: 0018:ffffc900025ebd20 EFLAGS: 00010287\nRAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240\nRDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40\nRBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0\nR13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8\nFS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0\nCall Trace:\n \n ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]\n ieee80211_ba_session_work+0xff/0x2e0 [mac80211]\n process_one_work+0x29f/0x620\n worker_thread+0x4d/0x3d0\n ? process_one_work+0x620/0x620\n kthread+0xfb/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48875\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48875\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48875\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48875\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48875\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef\",\n \"https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df\",\n \"https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e\",\n \"https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: sdata can be NULL during AMPDU start\\n\\nieee80211_tx_ba_session_handle_start() may get NULL for sdata when a\\ndeauthentication is ongoing.\\n\\nHere a trace triggering the race with the hostapd test\\nmulti_ap_fronthaul_on_ap:\\n\\n(gdb) list *drv_ampdu_action+0x46\\n0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).\\n391 int ret = -EOPNOTSUPP;\\n392\\n393 might_sleep();\\n394\\n395 sdata = get_bss_sdata(sdata);\\n396 if (!check_sdata_in_driver(sdata))\\n397 return -EIO;\\n398\\n399 trace_drv_ampdu_action(local, sdata, params);\\n400\\n\\nwlan0: moving STA 02:00:00:00:03:00 to state 3\\nwlan0: associated\\nwlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)\\nwlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0\\nwlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)\\nwlan0: moving STA 02:00:00:00:03:00 to state 2\\nwlan0: moving STA 02:00:00:00:03:00 to state 1\\nwlan0: Removed STA 02:00:00:00:03:00\\nwlan0: Destroyed STA 02:00:00:00:03:00\\nBUG: unable to handle page fault for address: fffffffffffffb48\\nPGD 11814067 P4D 11814067 PUD 11816067 PMD 0\\nOops: 0000 [#1] PREEMPT SMP PTI\\nCPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\\nWorkqueue: phy3 ieee80211_ba_session_work [mac80211]\\nRIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]\\nCode: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85\\nRSP: 0018:ffffc900025ebd20 EFLAGS: 00010287\\nRAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240\\nRDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40\\nRBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001\\nR10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0\\nR13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8\\nFS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0\\nCall Trace:\\n \\n ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]\\n ieee80211_ba_session_work+0xff/0x2e0 [mac80211]\\n process_one_work+0x29f/0x620\\n worker_thread+0x4d/0x3d0\\n ? process_one_work+0x620/0x620\\n kthread+0xfb/0x120\\n ? kthread_complete_and_exit+0x20/0x20\\n ret_from_fork+0x22/0x30\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48875\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48877", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48877" + }, + { + "url": "https://git.kernel.org/stable/c/1c38cdc747f00daf7394535eae5afc4c503c59bb" + }, + { + "url": "https://git.kernel.org/stable/c/2c129e868992621a739bdd57a5bffa3985ef1b91" + }, + { + "url": "https://git.kernel.org/stable/c/557e85ff9afef6d45020b6f09357111d38033c31" + }, + { + "url": "https://git.kernel.org/stable/c/72009139a661ade5cb1da4239734ed02fa1cfff0" + }, + { + "url": "https://git.kernel.org/stable/c/dd83a9763e29ed7a21c8a43f7a62cd0a6bf74692" + }, + { + "url": "https://git.kernel.org/stable/c/df9d44b645b83fffccfb4e28c1f93376585fdec8" + }, + { + "url": "https://git.kernel.org/stable/c/ff85a1dbd90d29f73033177ff8d8de4a27d9721c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48877 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48877", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: let's avoid panic if extent_tree is not created\n\nThis patch avoids the below panic.\n\npc : __lookup_extent_tree+0xd8/0x760\nlr : f2fs_do_write_data_page+0x104/0x87c\nsp : ffffffc010cbb3c0\nx29: ffffffc010cbb3e0 x28: 0000000000000000\nx27: ffffff8803e7f020 x26: ffffff8803e7ed40\nx25: ffffff8803e7f020 x24: ffffffc010cbb460\nx23: ffffffc010cbb480 x22: 0000000000000000\nx21: 0000000000000000 x20: ffffffff22e90900\nx19: 0000000000000000 x18: ffffffc010c5d080\nx17: 0000000000000000 x16: 0000000000000020\nx15: ffffffdb1acdbb88 x14: ffffff888759e2b0\nx13: 0000000000000000 x12: ffffff802da49000\nx11: 000000000a001200 x10: ffffff8803e7ed40\nx9 : ffffff8023195800 x8 : ffffff802da49078\nx7 : 0000000000000001 x6 : 0000000000000000\nx5 : 0000000000000006 x4 : ffffffc010cbba28\nx3 : 0000000000000000 x2 : ffffffc010cbb480\nx1 : 0000000000000000 x0 : ffffff8803e7ed40\nCall trace:\n __lookup_extent_tree+0xd8/0x760\n f2fs_do_write_data_page+0x104/0x87c\n f2fs_write_single_data_page+0x420/0xb60\n f2fs_write_cache_pages+0x418/0xb1c\n __f2fs_write_data_pages+0x428/0x58c\n f2fs_write_data_pages+0x30/0x40\n do_writepages+0x88/0x190\n __writeback_single_inode+0x48/0x448\n writeback_sb_inodes+0x468/0x9e8\n __writeback_inodes_wb+0xb8/0x2a4\n wb_writeback+0x33c/0x740\n wb_do_writeback+0x2b4/0x400\n wb_workfn+0xe4/0x34c\n process_one_work+0x24c/0x5bc\n worker_thread+0x3e8/0xa50\n kthread+0x150/0x1b4", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48877\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48877\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48877\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48877\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48877\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c38cdc747f00daf7394535eae5afc4c503c59bb\",\n \"https://git.kernel.org/stable/c/2c129e868992621a739bdd57a5bffa3985ef1b91\",\n \"https://git.kernel.org/stable/c/557e85ff9afef6d45020b6f09357111d38033c31\",\n \"https://git.kernel.org/stable/c/72009139a661ade5cb1da4239734ed02fa1cfff0\",\n \"https://git.kernel.org/stable/c/dd83a9763e29ed7a21c8a43f7a62cd0a6bf74692\",\n \"https://git.kernel.org/stable/c/df9d44b645b83fffccfb4e28c1f93376585fdec8\",\n \"https://git.kernel.org/stable/c/ff85a1dbd90d29f73033177ff8d8de4a27d9721c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: let's avoid panic if extent_tree is not created\\n\\nThis patch avoids the below panic.\\n\\npc : __lookup_extent_tree+0xd8/0x760\\nlr : f2fs_do_write_data_page+0x104/0x87c\\nsp : ffffffc010cbb3c0\\nx29: ffffffc010cbb3e0 x28: 0000000000000000\\nx27: ffffff8803e7f020 x26: ffffff8803e7ed40\\nx25: ffffff8803e7f020 x24: ffffffc010cbb460\\nx23: ffffffc010cbb480 x22: 0000000000000000\\nx21: 0000000000000000 x20: ffffffff22e90900\\nx19: 0000000000000000 x18: ffffffc010c5d080\\nx17: 0000000000000000 x16: 0000000000000020\\nx15: ffffffdb1acdbb88 x14: ffffff888759e2b0\\nx13: 0000000000000000 x12: ffffff802da49000\\nx11: 000000000a001200 x10: ffffff8803e7ed40\\nx9 : ffffff8023195800 x8 : ffffff802da49078\\nx7 : 0000000000000001 x6 : 0000000000000000\\nx5 : 0000000000000006 x4 : ffffffc010cbba28\\nx3 : 0000000000000000 x2 : ffffffc010cbb480\\nx1 : 0000000000000000 x0 : ffffff8803e7ed40\\nCall trace:\\n __lookup_extent_tree+0xd8/0x760\\n f2fs_do_write_data_page+0x104/0x87c\\n f2fs_write_single_data_page+0x420/0xb60\\n f2fs_write_cache_pages+0x418/0xb1c\\n __f2fs_write_data_pages+0x428/0x58c\\n f2fs_write_data_pages+0x30/0x40\\n do_writepages+0x88/0x190\\n __writeback_single_inode+0x48/0x448\\n writeback_sb_inodes+0x468/0x9e8\\n __writeback_inodes_wb+0xb8/0x2a4\\n wb_writeback+0x33c/0x740\\n wb_do_writeback+0x2b4/0x400\\n wb_workfn+0xe4/0x34c\\n process_one_work+0x24c/0x5bc\\n worker_thread+0x3e8/0xa50\\n kthread+0x150/0x1b4\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48877\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48878", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48878" + }, + { + "url": "https://git.kernel.org/stable/c/272970be3dabd24cbe50e393ffee8f04aec3b9a8" + }, + { + "url": "https://git.kernel.org/stable/c/908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3" + }, + { + "url": "https://git.kernel.org/stable/c/e84ec6e25df9bb0968599e92eacedaf3a0a5b587" + }, + { + "url": "https://git.kernel.org/stable/c/ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48878 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48878", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_qca: Fix driver shutdown on closed serdev\n\nThe driver shutdown callback (which sends EDL_SOC_RESET to the device\nover serdev) should not be invoked when HCI device is not open (e.g. if\nhci_dev_open_sync() failed), because the serdev and its TTY are not open\neither. Also skip this step if device is powered off\n(qca_power_shutdown()).\n\nThe shutdown callback causes use-after-free during system reboot with\nQualcomm Atheros Bluetooth:\n\n Unable to handle kernel paging request at virtual address\n 0072662f67726fd7\n ...\n CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W\n 6.1.0-rt5-00325-g8a5f56bcfcca #8\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n tty_driver_flush_buffer+0x4/0x30\n serdev_device_write_flush+0x24/0x34\n qca_serdev_shutdown+0x80/0x130 [hci_uart]\n device_shutdown+0x15c/0x260\n kernel_restart+0x48/0xac\n\nKASAN report:\n\n BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50\n Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1\n\n CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted\n 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n dump_backtrace.part.0+0xdc/0xf0\n show_stack+0x18/0x30\n dump_stack_lvl+0x68/0x84\n print_report+0x188/0x488\n kasan_report+0xa4/0xf0\n __asan_load8+0x80/0xac\n tty_driver_flush_buffer+0x1c/0x50\n ttyport_write_flush+0x34/0x44\n serdev_device_write_flush+0x48/0x60\n qca_serdev_shutdown+0x124/0x274\n device_shutdown+0x1e8/0x350\n kernel_restart+0x48/0xb0\n __do_sys_reboot+0x244/0x2d0\n __arm64_sys_reboot+0x54/0x70\n invoke_syscall+0x60/0x190\n el0_svc_common.constprop.0+0x7c/0x160\n do_el0_svc+0x44/0xf0\n el0_svc+0x2c/0x6c\n el0t_64_sync_handler+0xbc/0x140\n el0t_64_sync+0x190/0x194", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48878\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48878\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48878\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48878\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48878\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/272970be3dabd24cbe50e393ffee8f04aec3b9a8\",\n \"https://git.kernel.org/stable/c/908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3\",\n \"https://git.kernel.org/stable/c/e84ec6e25df9bb0968599e92eacedaf3a0a5b587\",\n \"https://git.kernel.org/stable/c/ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: hci_qca: Fix driver shutdown on closed serdev\\n\\nThe driver shutdown callback (which sends EDL_SOC_RESET to the device\\nover serdev) should not be invoked when HCI device is not open (e.g. if\\nhci_dev_open_sync() failed), because the serdev and its TTY are not open\\neither. Also skip this step if device is powered off\\n(qca_power_shutdown()).\\n\\nThe shutdown callback causes use-after-free during system reboot with\\nQualcomm Atheros Bluetooth:\\n\\n Unable to handle kernel paging request at virtual address\\n 0072662f67726fd7\\n ...\\n CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W\\n 6.1.0-rt5-00325-g8a5f56bcfcca #8\\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\\n Call trace:\\n tty_driver_flush_buffer+0x4/0x30\\n serdev_device_write_flush+0x24/0x34\\n qca_serdev_shutdown+0x80/0x130 [hci_uart]\\n device_shutdown+0x15c/0x260\\n kernel_restart+0x48/0xac\\n\\nKASAN report:\\n\\n BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50\\n Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1\\n\\n CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted\\n 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28\\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\\n Call trace:\\n dump_backtrace.part.0+0xdc/0xf0\\n show_stack+0x18/0x30\\n dump_stack_lvl+0x68/0x84\\n print_report+0x188/0x488\\n kasan_report+0xa4/0xf0\\n __asan_load8+0x80/0xac\\n tty_driver_flush_buffer+0x1c/0x50\\n ttyport_write_flush+0x34/0x44\\n serdev_device_write_flush+0x48/0x60\\n qca_serdev_shutdown+0x124/0x274\\n device_shutdown+0x1e8/0x350\\n kernel_restart+0x48/0xb0\\n __do_sys_reboot+0x244/0x2d0\\n __arm64_sys_reboot+0x54/0x70\\n invoke_syscall+0x60/0x190\\n el0_svc_common.constprop.0+0x7c/0x160\\n do_el0_svc+0x44/0xf0\\n el0_svc+0x2c/0x6c\\n el0t_64_sync_handler+0xbc/0x140\\n el0t_64_sync+0x190/0x194\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48878\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48879", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48879" + }, + { + "url": "https://git.kernel.org/stable/c/4ca71bc0e1995d15486cd7b60845602a28399cb5" + }, + { + "url": "https://git.kernel.org/stable/c/585a0b2b3ae7903c6abee3087d09c69e955a7794" + }, + { + "url": "https://git.kernel.org/stable/c/5fcf75a8a4c3e7ee9122d143684083c9faf20452" + }, + { + "url": "https://git.kernel.org/stable/c/703c13fe3c9af557d312f5895ed6a5fda2711104" + }, + { + "url": "https://git.kernel.org/stable/c/adc96d30f6503d30dc68670c013716f1d9fcc747" + }, + { + "url": "https://git.kernel.org/stable/c/e2ea55564229e4bea1474af15b111b3a3043b76f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48879 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48879", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix NULL-deref in init error path\n\nIn cases where runtime services are not supported or have been disabled,\nthe runtime services workqueue will never have been allocated.\n\nDo not try to destroy the workqueue unconditionally in the unlikely\nevent that EFI initialisation fails to avoid dereferencing a NULL\npointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48879\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48879\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48879\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48879\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48879\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4ca71bc0e1995d15486cd7b60845602a28399cb5\",\n \"https://git.kernel.org/stable/c/585a0b2b3ae7903c6abee3087d09c69e955a7794\",\n \"https://git.kernel.org/stable/c/5fcf75a8a4c3e7ee9122d143684083c9faf20452\",\n \"https://git.kernel.org/stable/c/703c13fe3c9af557d312f5895ed6a5fda2711104\",\n \"https://git.kernel.org/stable/c/adc96d30f6503d30dc68670c013716f1d9fcc747\",\n \"https://git.kernel.org/stable/c/e2ea55564229e4bea1474af15b111b3a3043b76f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nefi: fix NULL-deref in init error path\\n\\nIn cases where runtime services are not supported or have been disabled,\\nthe runtime services workqueue will never have been allocated.\\n\\nDo not try to destroy the workqueue unconditionally in the unlikely\\nevent that EFI initialisation fails to avoid dereferencing a NULL\\npointer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48879\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48880", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48880" + }, + { + "url": "https://git.kernel.org/stable/c/50b3cdf8239b11545f311c4f7b89e0092e4feedb" + }, + { + "url": "https://git.kernel.org/stable/c/c965daac370f08a9b71d573a71d13cda76f2a884" + }, + { + "url": "https://git.kernel.org/stable/c/d2dc110deabe7142b60ebeed689e67f92795ee24" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48880 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48880", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/surface: aggregator: Add missing call to ssam_request_sync_free()\n\nAlthough rare, ssam_request_sync_init() can fail. In that case, the\nrequest should be freed via ssam_request_sync_free(). Currently it is\nleaked instead. Fix this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48880\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48880\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48880\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48880\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48880\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/50b3cdf8239b11545f311c4f7b89e0092e4feedb\",\n \"https://git.kernel.org/stable/c/c965daac370f08a9b71d573a71d13cda76f2a884\",\n \"https://git.kernel.org/stable/c/d2dc110deabe7142b60ebeed689e67f92795ee24\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nplatform/surface: aggregator: Add missing call to ssam_request_sync_free()\\n\\nAlthough rare, ssam_request_sync_init() can fail. In that case, the\\nrequest should be freed via ssam_request_sync_free(). Currently it is\\nleaked instead. Fix this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48880\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48887", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48887" + }, + { + "url": "https://git.kernel.org/stable/c/7ac9578e45b20e3f3c0c8eb71f5417a499a7226a" + }, + { + "url": "https://git.kernel.org/stable/c/a309c7194e8a2f8bd4539b9449917913f6c2cd50" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48887 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48887", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Remove rcu locks from user resources\n\nUser resource lookups used rcu to avoid two extra atomics. Unfortunately\nthe rcu paths were buggy and it was easy to make the driver crash by\nsubmitting command buffers from two different threads. Because the\nlookups never show up in performance profiles replace them with a\nregular spin lock which fixes the races in accesses to those shared\nresources.\n\nFixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and\nseen crashes with apps using shared resources.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48887\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48887\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48887\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48887\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48887\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7ac9578e45b20e3f3c0c8eb71f5417a499a7226a\",\n \"https://git.kernel.org/stable/c/a309c7194e8a2f8bd4539b9449917913f6c2cd50\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vmwgfx: Remove rcu locks from user resources\\n\\nUser resource lookups used rcu to avoid two extra atomics. Unfortunately\\nthe rcu paths were buggy and it was easy to make the driver crash by\\nsubmitting command buffers from two different threads. Because the\\nlookups never show up in performance profiles replace them with a\\nregular spin lock which fixes the races in accesses to those shared\\nresources.\\n\\nFixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and\\nseen crashes with apps using shared resources.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48887\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48891", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48891" + }, + { + "url": "https://git.kernel.org/stable/c/02228f6aa6a64d588bc31e3267d05ff184d772eb" + }, + { + "url": "https://git.kernel.org/stable/c/1c1afcb8839b91c09d211ea304faa269763b1f91" + }, + { + "url": "https://git.kernel.org/stable/c/470f6a9175f13a53810734658c35cc5bba33be01" + }, + { + "url": "https://git.kernel.org/stable/c/ad1336274f733a7cb1f87b5c5908165a2c14df53" + }, + { + "url": "https://git.kernel.org/stable/c/d443308edbfb6e9e757b478af908515110d1efd5" + }, + { + "url": "https://git.kernel.org/stable/c/d4aa749e046435f054e94ebf50cad143d6229fae" + }, + { + "url": "https://git.kernel.org/stable/c/f75cde714e0a67f73ef169aa50d4ed77d04f7236" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48891 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48891", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9211: Use irq handler when ready\n\nIf the system does not come from reset (like when it is kexec()), the\nregulator might have an IRQ waiting for us.\n\nIf we enable the IRQ handler before its structures are ready, we crash.\n\nThis patch fixes:\n\n[ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078\n[ 1.316096] Call trace:\n[ 1.316101] blocking_notifier_call_chain+0x20/0xa8\n[ 1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests\n[ 1.327823] regulator_notifier_call_chain+0x1c/0x2c\n[ 1.327825] da9211_irq_handler+0x68/0xf8\n[ 1.327829] irq_thread+0x11c/0x234\n[ 1.327833] kthread+0x13c/0x154", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48891\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48891\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48891\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48891\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48891\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02228f6aa6a64d588bc31e3267d05ff184d772eb\",\n \"https://git.kernel.org/stable/c/1c1afcb8839b91c09d211ea304faa269763b1f91\",\n \"https://git.kernel.org/stable/c/470f6a9175f13a53810734658c35cc5bba33be01\",\n \"https://git.kernel.org/stable/c/ad1336274f733a7cb1f87b5c5908165a2c14df53\",\n \"https://git.kernel.org/stable/c/d443308edbfb6e9e757b478af908515110d1efd5\",\n \"https://git.kernel.org/stable/c/d4aa749e046435f054e94ebf50cad143d6229fae\",\n \"https://git.kernel.org/stable/c/f75cde714e0a67f73ef169aa50d4ed77d04f7236\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nregulator: da9211: Use irq handler when ready\\n\\nIf the system does not come from reset (like when it is kexec()), the\\nregulator might have an IRQ waiting for us.\\n\\nIf we enable the IRQ handler before its structures are ready, we crash.\\n\\nThis patch fixes:\\n\\n[ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078\\n[ 1.316096] Call trace:\\n[ 1.316101] blocking_notifier_call_chain+0x20/0xa8\\n[ 1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests\\n[ 1.327823] regulator_notifier_call_chain+0x1c/0x2c\\n[ 1.327825] da9211_irq_handler+0x68/0xf8\\n[ 1.327829] irq_thread+0x11c/0x234\\n[ 1.327833] kthread+0x13c/0x154\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48891\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48892", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48892" + }, + { + "url": "https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc" + }, + { + "url": "https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8" + }, + { + "url": "https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48892 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48892", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Fix use-after-free bug in dup_user_cpus_ptr()\n\nSince commit 07ec77a1d4e8 (\"sched: Allow task CPU affinity to be\nrestricted on asymmetric systems\"), the setting and clearing of\nuser_cpus_ptr are done under pi_lock for arm64 architecture. However,\ndup_user_cpus_ptr() accesses user_cpus_ptr without any lock\nprotection. Since sched_setaffinity() can be invoked from another\nprocess, the process being modified may be undergoing fork() at\nthe same time. When racing with the clearing of user_cpus_ptr in\n__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and\npossibly double-free in arm64 kernel.\n\nCommit 8f9ea86fdf99 (\"sched: Always preserve the user requested\ncpumask\") fixes this problem as user_cpus_ptr, once set, will never\nbe cleared in a task's lifetime. However, this bug was re-introduced\nin commit 851a723e45d1 (\"sched: Always clear user_cpus_ptr in\ndo_set_cpus_allowed()\") which allows the clearing of user_cpus_ptr in\ndo_set_cpus_allowed(). This time, it will affect all arches.\n\nFix this bug by always clearing the user_cpus_ptr of the newly\ncloned/forked task before the copying process starts and check the\nuser_cpus_ptr state of the source task under pi_lock.\n\nNote to stable, this patch won't be applicable to stable releases.\nJust copy the new dup_user_cpus_ptr() function over.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48892\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48892\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48892\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48892\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48892\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc\",\n \"https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8\",\n \"https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/core: Fix use-after-free bug in dup_user_cpus_ptr()\\n\\nSince commit 07ec77a1d4e8 (\\\"sched: Allow task CPU affinity to be\\nrestricted on asymmetric systems\\\"), the setting and clearing of\\nuser_cpus_ptr are done under pi_lock for arm64 architecture. However,\\ndup_user_cpus_ptr() accesses user_cpus_ptr without any lock\\nprotection. Since sched_setaffinity() can be invoked from another\\nprocess, the process being modified may be undergoing fork() at\\nthe same time. When racing with the clearing of user_cpus_ptr in\\n__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and\\npossibly double-free in arm64 kernel.\\n\\nCommit 8f9ea86fdf99 (\\\"sched: Always preserve the user requested\\ncpumask\\\") fixes this problem as user_cpus_ptr, once set, will never\\nbe cleared in a task's lifetime. However, this bug was re-introduced\\nin commit 851a723e45d1 (\\\"sched: Always clear user_cpus_ptr in\\ndo_set_cpus_allowed()\\\") which allows the clearing of user_cpus_ptr in\\ndo_set_cpus_allowed(). This time, it will affect all arches.\\n\\nFix this bug by always clearing the user_cpus_ptr of the newly\\ncloned/forked task before the copying process starts and check the\\nuser_cpus_ptr state of the source task under pi_lock.\\n\\nNote to stable, this patch won't be applicable to stable releases.\\nJust copy the new dup_user_cpus_ptr() function over.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48892\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48893" + }, + { + "url": "https://git.kernel.org/stable/c/5c855bcc730656c4b7d30aaddcd0eafc7003e112" + }, + { + "url": "https://git.kernel.org/stable/c/78a033433a5ae4fee85511ee075bc9a48312c79e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Cleanup partial engine discovery failures\n\nIf we abort driver initialisation in the middle of gt/engine discovery,\nsome engines will be fully setup and some not. Those incompletely setup\nengines only have 'engine->release == NULL' and so will leak any of the\ncommon objects allocated.\n\nv2:\n - Drop the destroy_pinned_context() helper for now. It's not really\n worth it with just a single callsite at the moment. (Janusz)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5c855bcc730656c4b7d30aaddcd0eafc7003e112\",\n \"https://git.kernel.org/stable/c/78a033433a5ae4fee85511ee075bc9a48312c79e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/gt: Cleanup partial engine discovery failures\\n\\nIf we abort driver initialisation in the middle of gt/engine discovery,\\nsome engines will be fully setup and some not. Those incompletely setup\\nengines only have 'engine->release == NULL' and so will leak any of the\\ncommon objects allocated.\\n\\nv2:\\n - Drop the destroy_pinned_context() helper for now. It's not really\\n worth it with just a single callsite at the moment. (Janusz)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48895", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48895" + }, + { + "url": "https://git.kernel.org/stable/c/a1b9c7b1978aacf4b2f33e34bde1e2bb80b8497a" + }, + { + "url": "https://git.kernel.org/stable/c/ce31e6ca68bd7639bd3e5ef97be215031842bbab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48895 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48895", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Don't unregister on shutdown\n\nMichael Walle says he noticed the following stack trace while performing\na shutdown with \"reboot -f\". He suggests he got \"lucky\" and just hit the\ncorrect spot for the reboot while there was a packet transmission in\nflight.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000098\nCPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930\nHardware name: Kontron KBox A-230-LS (DT)\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_map_page+0x9c/0x254\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_map_page_attrs+0x1ec/0x250\n enetc_start_xmit+0x14c/0x10b0\n enetc_xmit+0x60/0xdc\n dev_hard_start_xmit+0xb8/0x210\n sch_direct_xmit+0x11c/0x420\n __dev_queue_xmit+0x354/0xb20\n ip6_finish_output2+0x280/0x5b0\n __ip6_finish_output+0x15c/0x270\n ip6_output+0x78/0x15c\n NF_HOOK.constprop.0+0x50/0xd0\n mld_sendpack+0x1bc/0x320\n mld_ifc_work+0x1d8/0x4dc\n process_one_work+0x1e8/0x460\n worker_thread+0x178/0x534\n kthread+0xe0/0xe4\n ret_from_fork+0x10/0x20\nCode: d503201f f9416800 d503233f d50323bf (f9404c00)\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\n\nThis appears to be reproducible when the board has a fixed IP address,\nis ping flooded from another host, and \"reboot -f\" is used.\n\nThe following is one more manifestation of the issue:\n\n$ reboot -f\nkvm: exiting hardware virtualization\ncfg80211: failed to load regulatory.db\narm-smmu 5000000.iommu: disabling translation\nsdhci-esdhc 2140000.mmc: Removing from iommu group 11\nsdhci-esdhc 2150000.mmc: Removing from iommu group 12\nfsl-edma 22c0000.dma-controller: Removing from iommu group 17\ndwc3 3100000.usb: Removing from iommu group 9\ndwc3 3110000.usb: Removing from iommu group 10\nahci-qoriq 3200000.sata: Removing from iommu group 2\nfsl-qdma 8380000.dma-controller: Removing from iommu group 20\nplatform f080000.display: Removing from iommu group 0\netnaviv-gpu f0c0000.gpu: Removing from iommu group 1\netnaviv etnaviv: Removing from iommu group 1\ncaam_jr 8010000.jr: Removing from iommu group 13\ncaam_jr 8020000.jr: Removing from iommu group 14\ncaam_jr 8030000.jr: Removing from iommu group 15\ncaam_jr 8040000.jr: Removing from iommu group 16\nfsl_enetc 0000:00:00.0: Removing from iommu group 4\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.1: Removing from iommu group 5\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.2: Removing from iommu group 6\nfsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8\nmscc_felix 0000:00:00.5: Removing from iommu group 3\nfsl_enetc 0000:00:00.6: Removing from iommu group 7\npcieport 0001:00:00.0: Removing from iommu group 18\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\npcieport 0002:00:00.0: Removing from iommu group 19\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_unmap_page+0x38/0xe0\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_unmap_page_attrs+0x38/0x1d0\n en\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48895\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48895\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48895\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48895\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48895\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/a1b9c7b1978aacf4b2f33e34bde1e2bb80b8497a\",\n \"https://git.kernel.org/stable/c/ce31e6ca68bd7639bd3e5ef97be215031842bbab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu/arm-smmu: Don't unregister on shutdown\\n\\nMichael Walle says he noticed the following stack trace while performing\\na shutdown with \\\"reboot -f\\\". He suggests he got \\\"lucky\\\" and just hit the\\ncorrect spot for the reboot while there was a packet transmission in\\nflight.\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000098\\nCPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930\\nHardware name: Kontron KBox A-230-LS (DT)\\npc : iommu_get_dma_domain+0x14/0x20\\nlr : iommu_dma_map_page+0x9c/0x254\\nCall trace:\\n iommu_get_dma_domain+0x14/0x20\\n dma_map_page_attrs+0x1ec/0x250\\n enetc_start_xmit+0x14c/0x10b0\\n enetc_xmit+0x60/0xdc\\n dev_hard_start_xmit+0xb8/0x210\\n sch_direct_xmit+0x11c/0x420\\n __dev_queue_xmit+0x354/0xb20\\n ip6_finish_output2+0x280/0x5b0\\n __ip6_finish_output+0x15c/0x270\\n ip6_output+0x78/0x15c\\n NF_HOOK.constprop.0+0x50/0xd0\\n mld_sendpack+0x1bc/0x320\\n mld_ifc_work+0x1d8/0x4dc\\n process_one_work+0x1e8/0x460\\n worker_thread+0x178/0x534\\n kthread+0xe0/0xe4\\n ret_from_fork+0x10/0x20\\nCode: d503201f f9416800 d503233f d50323bf (f9404c00)\\n---[ end trace 0000000000000000 ]---\\nKernel panic - not syncing: Oops: Fatal exception in interrupt\\n\\nThis appears to be reproducible when the board has a fixed IP address,\\nis ping flooded from another host, and \\\"reboot -f\\\" is used.\\n\\nThe following is one more manifestation of the issue:\\n\\n$ reboot -f\\nkvm: exiting hardware virtualization\\ncfg80211: failed to load regulatory.db\\narm-smmu 5000000.iommu: disabling translation\\nsdhci-esdhc 2140000.mmc: Removing from iommu group 11\\nsdhci-esdhc 2150000.mmc: Removing from iommu group 12\\nfsl-edma 22c0000.dma-controller: Removing from iommu group 17\\ndwc3 3100000.usb: Removing from iommu group 9\\ndwc3 3110000.usb: Removing from iommu group 10\\nahci-qoriq 3200000.sata: Removing from iommu group 2\\nfsl-qdma 8380000.dma-controller: Removing from iommu group 20\\nplatform f080000.display: Removing from iommu group 0\\netnaviv-gpu f0c0000.gpu: Removing from iommu group 1\\netnaviv etnaviv: Removing from iommu group 1\\ncaam_jr 8010000.jr: Removing from iommu group 13\\ncaam_jr 8020000.jr: Removing from iommu group 14\\ncaam_jr 8030000.jr: Removing from iommu group 15\\ncaam_jr 8040000.jr: Removing from iommu group 16\\nfsl_enetc 0000:00:00.0: Removing from iommu group 4\\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \\\"arm-smmu.disable_bypass=0\\\" to allow, but this may have security implications\\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\\nfsl_enetc 0000:00:00.1: Removing from iommu group 5\\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \\\"arm-smmu.disable_bypass=0\\\" to allow, but this may have security implications\\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \\\"arm-smmu.disable_bypass=0\\\" to allow, but this may have security implications\\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\\nfsl_enetc 0000:00:00.2: Removing from iommu group 6\\nfsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8\\nmscc_felix 0000:00:00.5: Removing from iommu group 3\\nfsl_enetc 0000:00:00.6: Removing from iommu group 7\\npcieport 0001:00:00.0: Removing from iommu group 18\\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \\\"arm-smmu.disable_bypass=0\\\" to allow, but this may have security implications\\narm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\\npcieport 0002:00:00.0: Removing from iommu group 19\\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\\npc : iommu_get_dma_domain+0x14/0x20\\nlr : iommu_dma_unmap_page+0x38/0xe0\\nCall trace:\\n iommu_get_dma_domain+0x14/0x20\\n dma_unmap_page_attrs+0x38/0x1d0\\n en\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48895\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48896", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48896" + }, + { + "url": "https://git.kernel.org/stable/c/112df4cd2b09acd64bcd18f5ef83ba5d07b34bf0" + }, + { + "url": "https://git.kernel.org/stable/c/4c93422a54cd6a349988f42e1c6bf082cf4ea9d8" + }, + { + "url": "https://git.kernel.org/stable/c/53cefa802f070d46c0c518f4865be2c749818a18" + }, + { + "url": "https://git.kernel.org/stable/c/b93fb4405fcb5112c5739c5349afb52ec7f15c07" + }, + { + "url": "https://git.kernel.org/stable/c/c49996c6aa03590e4ef5add8772cb6068d99fd59" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48896 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48896", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix pci device refcount leak\n\nAs the comment of pci_get_domain_bus_and_slot() says, it\nreturns a PCI device with refcount incremented, when finish\nusing it, the caller must decrement the reference count by\ncalling pci_dev_put().\n\nIn ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(),\npci_dev_put() is called to avoid leak.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48896\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48896\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48896\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48896\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48896\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/112df4cd2b09acd64bcd18f5ef83ba5d07b34bf0\",\n \"https://git.kernel.org/stable/c/4c93422a54cd6a349988f42e1c6bf082cf4ea9d8\",\n \"https://git.kernel.org/stable/c/53cefa802f070d46c0c518f4865be2c749818a18\",\n \"https://git.kernel.org/stable/c/b93fb4405fcb5112c5739c5349afb52ec7f15c07\",\n \"https://git.kernel.org/stable/c/c49996c6aa03590e4ef5add8772cb6068d99fd59\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nixgbe: fix pci device refcount leak\\n\\nAs the comment of pci_get_domain_bus_and_slot() says, it\\nreturns a PCI device with refcount incremented, when finish\\nusing it, the caller must decrement the reference count by\\ncalling pci_dev_put().\\n\\nIn ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(),\\npci_dev_put() is called to avoid leak.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48896\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48898", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48898" + }, + { + "url": "https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169" + }, + { + "url": "https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1" + }, + { + "url": "https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a" + }, + { + "url": "https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48898 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48898", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer\n\nThere are 3 possible interrupt sources are handled by DP controller,\nHPDstatus, Controller state changes and Aux read/write transaction.\nAt every irq, DP controller have to check isr status of every interrupt\nsources and service the interrupt if its isr status bits shows interrupts\nare pending. There is potential race condition may happen at current aux\nisr handler implementation since it is always complete dp_aux_cmd_fifo_tx()\neven irq is not for aux read or write transaction. This may cause aux read\ntransaction return premature if host aux data read is in the middle of\nwaiting for sink to complete transferring data to host while irq happen.\nThis will cause host's receiving buffer contains unexpected data. This\npatch fixes this problem by checking aux isr and return immediately at\naux isr handler if there are no any isr status bits set.\n\nCurrent there is a bug report regrading eDP edid corruption happen during\nsystem booting up. After lengthy debugging to found that VIDEO_READY\ninterrupt was continuously firing during system booting up which cause\ndp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data\nfrom aux hardware buffer which is not yet contains complete data transfer\nfrom sink. This cause edid corruption.\n\nFollows are the signature at kernel logs when problem happen,\nEDID has corrupt header\npanel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID\n\nChanges in v2:\n-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()\n-- add more commit text\n\nChanges in v3:\n-- add Stephen suggested\n-- dp_aux_isr() return IRQ_XXX back to caller\n-- dp_ctrl_isr() return IRQ_XXX back to caller\n\nChanges in v4:\n-- split into two patches\n\nChanges in v5:\n-- delete empty line between tags\n\nChanges in v6:\n-- remove extra \"that\" and fixed line more than 75 char at commit text\n\nPatchwork: https://patchwork.freedesktop.org/patch/516121/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48898\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48898\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48898\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48898\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48898\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169\",\n \"https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1\",\n \"https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a\",\n \"https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer\\n\\nThere are 3 possible interrupt sources are handled by DP controller,\\nHPDstatus, Controller state changes and Aux read/write transaction.\\nAt every irq, DP controller have to check isr status of every interrupt\\nsources and service the interrupt if its isr status bits shows interrupts\\nare pending. There is potential race condition may happen at current aux\\nisr handler implementation since it is always complete dp_aux_cmd_fifo_tx()\\neven irq is not for aux read or write transaction. This may cause aux read\\ntransaction return premature if host aux data read is in the middle of\\nwaiting for sink to complete transferring data to host while irq happen.\\nThis will cause host's receiving buffer contains unexpected data. This\\npatch fixes this problem by checking aux isr and return immediately at\\naux isr handler if there are no any isr status bits set.\\n\\nCurrent there is a bug report regrading eDP edid corruption happen during\\nsystem booting up. After lengthy debugging to found that VIDEO_READY\\ninterrupt was continuously firing during system booting up which cause\\ndp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data\\nfrom aux hardware buffer which is not yet contains complete data transfer\\nfrom sink. This cause edid corruption.\\n\\nFollows are the signature at kernel logs when problem happen,\\nEDID has corrupt header\\npanel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID\\n\\nChanges in v2:\\n-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()\\n-- add more commit text\\n\\nChanges in v3:\\n-- add Stephen suggested\\n-- dp_aux_isr() return IRQ_XXX back to caller\\n-- dp_ctrl_isr() return IRQ_XXX back to caller\\n\\nChanges in v4:\\n-- split into two patches\\n\\nChanges in v5:\\n-- delete empty line between tags\\n\\nChanges in v6:\\n-- remove extra \\\"that\\\" and fixed line more than 75 char at commit text\\n\\nPatchwork: https://patchwork.freedesktop.org/patch/516121/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48898\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48899" + }, + { + "url": "https://git.kernel.org/stable/c/011ecdbcd520c90c344b872ca6b4821f7783b2f8" + }, + { + "url": "https://git.kernel.org/stable/c/19ec87d06acfab2313ee82b2a689bf0c154e57ea" + }, + { + "url": "https://git.kernel.org/stable/c/52531258318ed59a2dc5a43df2eaf0eb1d65438e" + }, + { + "url": "https://git.kernel.org/stable/c/68bcd063857075d2f9edfed6024387ac377923e2" + }, + { + "url": "https://git.kernel.org/stable/c/adc48e5e408afbb01d261bd303fd9fbbbaa3e317" + }, + { + "url": "https://git.kernel.org/stable/c/d01d6d2b06c0d8390adf8f3ba08aa60b5642ef73" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Fix GEM handle creation UAF\n\nUserspace can guess the handle value and try to race GEM object creation\nwith handle close, resulting in a use-after-free if we dereference the\nobject after dropping the handle's reference. For that reason, dropping\nthe handle's reference must be done *after* we are done dereferencing\nthe object.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/011ecdbcd520c90c344b872ca6b4821f7783b2f8\",\n \"https://git.kernel.org/stable/c/19ec87d06acfab2313ee82b2a689bf0c154e57ea\",\n \"https://git.kernel.org/stable/c/52531258318ed59a2dc5a43df2eaf0eb1d65438e\",\n \"https://git.kernel.org/stable/c/68bcd063857075d2f9edfed6024387ac377923e2\",\n \"https://git.kernel.org/stable/c/adc48e5e408afbb01d261bd303fd9fbbbaa3e317\",\n \"https://git.kernel.org/stable/c/d01d6d2b06c0d8390adf8f3ba08aa60b5642ef73\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/virtio: Fix GEM handle creation UAF\\n\\nUserspace can guess the handle value and try to race GEM object creation\\nwith handle close, resulting in a use-after-free if we dereference the\\nobject after dropping the handle's reference. For that reason, dropping\\nthe handle's reference must be done *after* we are done dereferencing\\nthe object.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48900" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48900", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48929", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48929" + }, + { + "url": "https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1" + }, + { + "url": "https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae" + }, + { + "url": "https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48929", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to out of bounds access into reg2btf_ids.\n\nWhen commit e6ac2450d6de (\"bpf: Support bpf program calling kernel function\") added\nkfunc support, it defined reg2btf_ids as a cheap way to translate the verifier\nreg type to the appropriate btf_vmlinux BTF ID, however\ncommit c25b2ae13603 (\"bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL\")\nmoved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after\nthe base register types, and defined other variants using type flag\ncomposition. However, now, the direct usage of reg->type to index into\nreg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to\nout of bounds access and kernel crash on dereference of bad pointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1\",\n \"https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae\",\n \"https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix crash due to out of bounds access into reg2btf_ids.\\n\\nWhen commit e6ac2450d6de (\\\"bpf: Support bpf program calling kernel function\\\") added\\nkfunc support, it defined reg2btf_ids as a cheap way to translate the verifier\\nreg type to the appropriate btf_vmlinux BTF ID, however\\ncommit c25b2ae13603 (\\\"bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL\\\")\\nmoved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after\\nthe base register types, and defined other variants using type flag\\ncomposition. However, now, the direct usage of reg->type to index into\\nreg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to\\nout of bounds access and kernel crash on dereference of bad pointer.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0030", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-0030" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2157270" + }, + { + "url": "https://github.com/torvalds/linux/commit/729eba3355674f2d9524629b73683ba1d1cd3f10" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230413-0010/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0030 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-0030", + "desc": "A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0030\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-0030\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-0030\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-0030\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0030\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2157270\",\n \"https://github.com/torvalds/linux/commit/729eba3355674f2d9524629b73683ba1d1cd3f10\",\n \"https://security.netapp.com/advisory/ntap-20230413-0010/\"\n ],\n \"description\": \"A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-0030\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0160", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-0160" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0160" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159764" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed17aa92dc56" + }, + { + "url": "https://lore.kernel.org/all/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0160 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-0160", + "desc": "A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0160\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-0160\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-0160\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-0160\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0160\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2023-0160\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2159764\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed17aa92dc56\",\n \"https://lore.kernel.org/all/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/\"\n ],\n \"description\": \"A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-0160\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-1193", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-1193" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-1193" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2154177" + }, + { + "url": "https://lkml.kernel.org/linux-cifs/20230401084951.6085-2-linkinjeon@kernel.org/T/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-1193 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-1193", + "desc": "A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-1193\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-1193\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-1193\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-1193\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-1193\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2023-1193\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2154177\",\n \"https://lkml.kernel.org/linux-cifs/20230401084951.6085-2-linkinjeon@kernel.org/T/\"\n ],\n \"description\": \"A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-1193\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-1872", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-1872" + }, + { + "url": "http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=08681391b84da27133deefaaddefd0acfa90c2be" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=da24142b1ef9fd5d36b76e36bab328a5b27523e8" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230601-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-1872 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-1872", + "desc": "A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\n\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\n\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-1872\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-1872\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-1872\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-1872\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-1872\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=08681391b84da27133deefaaddefd0acfa90c2be\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=da24142b1ef9fd5d36b76e36bab328a5b27523e8\",\n \"https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html\",\n \"https://security.netapp.com/advisory/ntap-20230601-0002/\"\n ],\n \"description\": \"A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\\n\\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\\n\\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"cve-coordination@google.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-1872\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-1989", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-1989" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=f132c2d13088" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230601-0004/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5492" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-1989 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-1989", + "desc": "A use-after-free flaw was found in btsdio_remove in drivers\\bluetooth\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-1989\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-1989\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-1989\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-1989\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-1989\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=f132c2d13088\",\n \"https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html\",\n \"https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html\",\n \"https://security.netapp.com/advisory/ntap-20230601-0004/\",\n \"https://www.debian.org/security/2023/dsa-5492\"\n ],\n \"description\": \"A use-after-free flaw was found in btsdio_remove in drivers\\\\bluetooth\\\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-1989\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-2007", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-2007" + }, + { + "url": "https://github.com/torvalds/linux/commit/b04e75a4a8a81887386a0d2dbf605a48e779d2a0" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240119-0011/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5480" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-2007 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-2007", + "desc": "The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-2007\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-2007\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-2007\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-2007\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-2007\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/torvalds/linux/commit/b04e75a4a8a81887386a0d2dbf605a48e779d2a0\",\n \"https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html\",\n \"https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html\",\n \"https://security.netapp.com/advisory/ntap-20240119-0011/\",\n \"https://www.debian.org/security/2023/dsa-5480\"\n ],\n \"description\": \"The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-2007\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-20569", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-20569" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/08/08/4" + }, + { + "url": "http://xenbits.xen.org/xsa/advisory-434.html" + }, + { + "url": "https://comsec.ethz.ch/research/microarch/inception/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00013.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HKKYIK2EASDNUV4I7EFJKNBVO3KCKGRR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4E4TZNMLYL2KETY23IPA43QXFAVJ46V/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKK3IA63LSKM4EC3TN4UM6DDEIOWEQIG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7WO5JM74YJSYAE5RBV4DC6A4YLEKWLF/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240605-0006/" + }, + { + "url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-7005" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5475" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-20569 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-20569", + "desc": "\n\n\nA side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-20569\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-20569\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-20569\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-20569\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-20569\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2023/08/08/4\",\n \"http://xenbits.xen.org/xsa/advisory-434.html\",\n \"https://comsec.ethz.ch/research/microarch/inception/\",\n \"https://lists.debian.org/debian-lts-announce/2023/08/msg00013.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HKKYIK2EASDNUV4I7EFJKNBVO3KCKGRR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4E4TZNMLYL2KETY23IPA43QXFAVJ46V/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKK3IA63LSKM4EC3TN4UM6DDEIOWEQIG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7WO5JM74YJSYAE5RBV4DC6A4YLEKWLF/\",\n \"https://security.netapp.com/advisory/ntap-20240605-0006/\",\n \"https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-7005\",\n \"https://www.debian.org/security/2023/dsa-5475\"\n ],\n \"description\": \"\\n\\n\\nA side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-20569\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-26242", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-26242" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1208518" + }, + { + "url": "https://patchwork.kernel.org/project/linux-fpga/patch/20230206054326.89323-1-k1rh4.lee%40gmail.com" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230406-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-26242 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-26242", + "desc": "afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-26242\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-26242\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-26242\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-26242\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-26242\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.suse.com/show_bug.cgi?id=1208518\",\n \"https://patchwork.kernel.org/project/linux-fpga/patch/20230206054326.89323-1-k1rh4.lee%40gmail.com\",\n \"https://security.netapp.com/advisory/ntap-20230406-0002/\"\n ],\n \"description\": \"afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-26242\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-28327", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-28327" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177382" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-28327 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-28327", + "desc": "A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-28327\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-28327\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-28327\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-28327\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-28327\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2177382\"\n ],\n \"description\": \"A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-28327\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-31082", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-31082" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1210781" + }, + { + "url": "https://lore.kernel.org/all/CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ_7MNqhh483P5yN8A%40mail.gmail.com/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230929-0003/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-31082 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-31082", + "desc": "An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-31082\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-31082\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-31082\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-31082\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-31082\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.suse.com/show_bug.cgi?id=1210781\",\n \"https://lore.kernel.org/all/CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ_7MNqhh483P5yN8A%40mail.gmail.com/\",\n \"https://security.netapp.com/advisory/ntap-20230929-0003/\"\n ],\n \"description\": \"An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-31082\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-33053", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-33053" + }, + { + "url": "https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-33053 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-33053", + "desc": "Memory corruption in Kernel while parsing metadata.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-33053\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-33053\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-33053\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-33053\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-33053\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin\"\n ],\n \"description\": \"Memory corruption in Kernel while parsing metadata.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"product-security@qualcomm.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-33053\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-3397", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-3397" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-3397" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217271" + }, + { + "url": "https://www.spinics.net/lists/kernel/msg4788636.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-3397 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-3397", + "desc": "A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-3397\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-3397\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-3397\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-3397\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-3397\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2023-3397\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2217271\",\n \"https://www.spinics.net/lists/kernel/msg4788636.html\"\n ],\n \"description\": \"A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.3,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-3397\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-3640", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-3640" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-3640" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217523" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-3640 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-3640", + "desc": "A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-3640\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-3640\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-3640\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-3640\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-3640\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2023-3640\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2217523\"\n ],\n \"description\": \"A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-3640\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-38417", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-38417" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-38417 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-38417", + "desc": "Improper input validation for some Intel(R) PROSet/Wireless WiFi software before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-38417\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-38417\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-38417\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-38417\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-38417\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html\"\n ],\n \"description\": \"Improper input validation for some Intel(R) PROSet/Wireless WiFi software before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.\",\n \"cvss\": [\n {\n \"source\": \"secure@intel.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-38417\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-4010", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-4010" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4010" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2227726" + }, + { + "url": "https://github.com/wanrenmi/a-usb-kernel-bug" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-4010 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-4010", + "desc": "A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-4010\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-4010\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-4010\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-4010\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-4010\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2023-4010\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2227726\",\n \"https://github.com/wanrenmi/a-usb-kernel-bug\"\n ],\n \"description\": \"A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4010\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-4133", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-4133" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2950" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3138" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4133" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221702" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-4133 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-4133", + "desc": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-4133\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-4133\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-4133\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-4133\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-4133\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:2394\",\n \"https://access.redhat.com/errata/RHSA-2024:2950\",\n \"https://access.redhat.com/errata/RHSA-2024:3138\",\n \"https://access.redhat.com/security/cve/CVE-2023-4133\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2221702\"\n ],\n \"description\": \"A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4133\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-44452", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-44452" + }, + { + "url": "https://github.com/linuxmint/xreader/commit/cd678889ecfe4e84a5cbcf3a0489e15a5e2e3736" + }, + { + "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1836/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-44452 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-44452", + "desc": "Linux Mint Xreader CBT File Parsing Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22132.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-44452\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-44452\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-44452\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-44452\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-44452\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/linuxmint/xreader/commit/cd678889ecfe4e84a5cbcf3a0489e15a5e2e3736\",\n \"https://www.zerodayinitiative.com/advisories/ZDI-23-1836/\"\n ],\n \"description\": \"Linux Mint Xreader CBT File Parsing Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\\n\\nThe specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22132.\",\n \"cvss\": [\n {\n \"source\": \"zdi-disclosures@trendmicro.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-44452\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-47210", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-47210" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-47210 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-47210", + "desc": "Improper input validation for some Intel(R) PROSet/Wireless WiFi software for linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-47210\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-47210\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-47210\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-47210\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-47210\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html\"\n ],\n \"description\": \"Improper input validation for some Intel(R) PROSet/Wireless WiFi software for linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.\",\n \"cvss\": [\n {\n \"source\": \"secure@intel.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-47210\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52438", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52438" + }, + { + "url": "https://git.kernel.org/stable/c/3f489c2067c5824528212b0fc18b28d51332d906" + }, + { + "url": "https://git.kernel.org/stable/c/8ad4d580e8aff8de2a4d57c5930fcc29f1ffd4a6" + }, + { + "url": "https://git.kernel.org/stable/c/9fa04c93f24138747807fe75b5591bb680098f56" + }, + { + "url": "https://git.kernel.org/stable/c/a49087ab93508b60d9b8add91707a22dda832869" + }, + { + "url": "https://git.kernel.org/stable/c/a53e15e592b4dcc91c3a3b8514e484a0bdbc53a3" + }, + { + "url": "https://git.kernel.org/stable/c/c8c1158ffb007197f31f9d9170cf13e4f34cbb5c" + }, + { + "url": "https://git.kernel.org/stable/c/e074686e993ff1be5f21b085a3b1b4275ccd5727" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52438 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52438", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in shinker's callback\n\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\n\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n Read of size 8 at addr ffff356ed50e50f0 by task bash/478\n\n CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n zap_page_range_single+0x470/0x4b8\n binder_alloc_free_page+0x608/0xadc\n __list_lru_walk_one+0x130/0x3b0\n list_lru_walk_node+0xc4/0x22c\n binder_shrink_scan+0x108/0x1dc\n shrinker_debugfs_scan_write+0x2b4/0x500\n full_proxy_write+0xd4/0x140\n vfs_write+0x1ac/0x758\n ksys_write+0xf0/0x1dc\n __arm64_sys_write+0x6c/0x9c\n\n Allocated by task 492:\n kmem_cache_alloc+0x130/0x368\n vm_area_alloc+0x2c/0x190\n mmap_region+0x258/0x18bc\n do_mmap+0x694/0xa60\n vm_mmap_pgoff+0x170/0x29c\n ksys_mmap_pgoff+0x290/0x3a0\n __arm64_sys_mmap+0xcc/0x144\n\n Freed by task 491:\n kmem_cache_free+0x17c/0x3c8\n vm_area_free_rcu_cb+0x74/0x98\n rcu_core+0xa38/0x26d4\n rcu_core_si+0x10/0x1c\n __do_softirq+0x2fc/0xd24\n\n Last potentially related work creation:\n __call_rcu_common.constprop.0+0x6c/0xba0\n call_rcu+0x10/0x1c\n vm_area_free+0x18/0x24\n remove_vma+0xe4/0x118\n do_vmi_align_munmap.isra.0+0x718/0xb5c\n do_vmi_munmap+0xdc/0x1fc\n __vm_munmap+0x10c/0x278\n __arm64_sys_munmap+0x58/0x7c\n\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52438\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52438\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52438\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52438\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52438\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f489c2067c5824528212b0fc18b28d51332d906\",\n \"https://git.kernel.org/stable/c/8ad4d580e8aff8de2a4d57c5930fcc29f1ffd4a6\",\n \"https://git.kernel.org/stable/c/9fa04c93f24138747807fe75b5591bb680098f56\",\n \"https://git.kernel.org/stable/c/a49087ab93508b60d9b8add91707a22dda832869\",\n \"https://git.kernel.org/stable/c/a53e15e592b4dcc91c3a3b8514e484a0bdbc53a3\",\n \"https://git.kernel.org/stable/c/c8c1158ffb007197f31f9d9170cf13e4f34cbb5c\",\n \"https://git.kernel.org/stable/c/e074686e993ff1be5f21b085a3b1b4275ccd5727\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbinder: fix use-after-free in shinker's callback\\n\\nThe mmap read lock is used during the shrinker's callback, which means\\nthat using alloc->vma pointer isn't safe as it can race with munmap().\\nAs of commit dd2283f2605e (\\\"mm: mmap: zap pages with read mmap_sem in\\nmunmap\\\") the mmap lock is downgraded after the vma has been isolated.\\n\\nI was able to reproduce this issue by manually adding some delays and\\ntriggering page reclaiming through the shrinker's debug sysfs. The\\nfollowing KASAN report confirms the UAF:\\n\\n ==================================================================\\n BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\\n Read of size 8 at addr ffff356ed50e50f0 by task bash/478\\n\\n CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\\n Hardware name: linux,dummy-virt (DT)\\n Call trace:\\n zap_page_range_single+0x470/0x4b8\\n binder_alloc_free_page+0x608/0xadc\\n __list_lru_walk_one+0x130/0x3b0\\n list_lru_walk_node+0xc4/0x22c\\n binder_shrink_scan+0x108/0x1dc\\n shrinker_debugfs_scan_write+0x2b4/0x500\\n full_proxy_write+0xd4/0x140\\n vfs_write+0x1ac/0x758\\n ksys_write+0xf0/0x1dc\\n __arm64_sys_write+0x6c/0x9c\\n\\n Allocated by task 492:\\n kmem_cache_alloc+0x130/0x368\\n vm_area_alloc+0x2c/0x190\\n mmap_region+0x258/0x18bc\\n do_mmap+0x694/0xa60\\n vm_mmap_pgoff+0x170/0x29c\\n ksys_mmap_pgoff+0x290/0x3a0\\n __arm64_sys_mmap+0xcc/0x144\\n\\n Freed by task 491:\\n kmem_cache_free+0x17c/0x3c8\\n vm_area_free_rcu_cb+0x74/0x98\\n rcu_core+0xa38/0x26d4\\n rcu_core_si+0x10/0x1c\\n __do_softirq+0x2fc/0xd24\\n\\n Last potentially related work creation:\\n __call_rcu_common.constprop.0+0x6c/0xba0\\n call_rcu+0x10/0x1c\\n vm_area_free+0x18/0x24\\n remove_vma+0xe4/0x118\\n do_vmi_align_munmap.isra.0+0x718/0xb5c\\n do_vmi_munmap+0xdc/0x1fc\\n __vm_munmap+0x10c/0x278\\n __arm64_sys_munmap+0x58/0x7c\\n\\nFix this issue by performing instead a vma_lookup() which will fail to\\nfind the vma that was isolated before the mmap lock downgrade. Note that\\nthis option has better performance than upgrading to a mmap write lock\\nwhich would increase contention. Plus, mmap_write_trylock() has been\\nrecently removed anyway.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52438\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52439", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52439" + }, + { + "url": "https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2" + }, + { + "url": "https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea" + }, + { + "url": "https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c" + }, + { + "url": "https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad" + }, + { + "url": "https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7" + }, + { + "url": "https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570" + }, + { + "url": "https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41" + }, + { + "url": "https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52439 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52439", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: Fix use-after-free in uio_open\n\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\n\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n freed.\n\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52439\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52439\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52439\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52439\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52439\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2\",\n \"https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea\",\n \"https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c\",\n \"https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad\",\n \"https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7\",\n \"https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570\",\n \"https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41\",\n \"https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nuio: Fix use-after-free in uio_open\\n\\ncore-1\\t\\t\\t\\tcore-2\\n-------------------------------------------------------\\nuio_unregister_device\\t\\tuio_open\\n\\t\\t\\t\\tidev = idr_find()\\ndevice_unregister(&idev->dev)\\nput_device(&idev->dev)\\nuio_device_release\\n\\t\\t\\t\\tget_device(&idev->dev)\\nkfree(idev)\\nuio_free_minor(minor)\\n\\t\\t\\t\\tuio_release\\n\\t\\t\\t\\tput_device(&idev->dev)\\n\\t\\t\\t\\tkfree(idev)\\n-------------------------------------------------------\\n\\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\\nidev when the idev->dev kobject ref is 1. But after core-1\\ndevice_unregister, put_device and before doing kfree, the core-2 may\\nget_device. Then:\\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\\n2. When core-2 do uio_release and put_device, the idev will be double\\n freed.\\n\\nTo address this issue, we can get idev atomic & inc idev reference with\\nminor_lock.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52439\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52452", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52452" + }, + { + "url": "https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19" + }, + { + "url": "https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529" + }, + { + "url": "https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52452 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52452", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52452\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52452\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52452\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52452\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52452\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19\",\n \"https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529\",\n \"https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix accesses to uninit stack slots\\n\\nPrivileged programs are supposed to be able to read uninitialized stack\\nmemory (ever since 6715df8d5) but, before this patch, these accesses\\nwere permitted inconsistently. In particular, accesses were permitted\\nabove state->allocated_stack, but not below it. In other words, if the\\nstack was already \\\"large enough\\\", the access was permitted, but\\notherwise the access was rejected instead of being allowed to \\\"grow the\\nstack\\\". This undesired rejection was happening in two places:\\n- in check_stack_slot_within_bounds()\\n- in check_stack_range_initialized()\\nThis patch arranges for these accesses to be permitted. A bunch of tests\\nthat were relying on the old rejection had to change; all of them were\\nchanged to add also run unprivileged, in which case the old behavior\\npersists. One tests couldn't be updated - global_func16 - because it\\ncan't run unprivileged for other reasons.\\n\\nThis patch also fixes the tracking of the stack size for variable-offset\\nreads. This second fix is bundled in the same commit as the first one\\nbecause they're inter-related. Before this patch, writes to the stack\\nusing registers containing a variable offset (as opposed to registers\\nwith fixed, known values) were not properly contributing to the\\nfunction's needed stack size. As a result, it was possible for a program\\nto verify, but then to attempt to read out-of-bounds data at runtime\\nbecause a too small stack had been allocated for it.\\n\\nEach function tracks the size of the stack it needs in\\nbpf_subprog_info.stack_depth, which is maintained by\\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\\nwas calling update_state_depth() but it was passing in only the fixed\\npart of the offset register, ignoring the variable offset. This was\\nincorrect; the minimum possible value of that register should be used\\ninstead.\\n\\nThis tracking is now fixed by centralizing the tracking of stack size in\\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\\nnow simpler and more convincingly tracks the correct maximum stack size.\\ncheck_stack_range_initialized() can now rely on enough stack having been\\nallocated for the access; this helps with the fix for the first issue.\\n\\nA few tests were changed to also check the stack depth computation. The\\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52452\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52475", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52475" + }, + { + "url": "https://git.kernel.org/stable/c/2efe67c581a2a6122b328d4bb6f21b3f36f40d46" + }, + { + "url": "https://git.kernel.org/stable/c/5aa514100aaf59868d745196258269a16737c7bd" + }, + { + "url": "https://git.kernel.org/stable/c/5c15c60e7be615f05a45cd905093a54b11f461bc" + }, + { + "url": "https://git.kernel.org/stable/c/67cace72606baf1758fd60feb358f4c6be92e1cc" + }, + { + "url": "https://git.kernel.org/stable/c/6a4a396386404e62fb59bc3bde48871a64a82b4f" + }, + { + "url": "https://git.kernel.org/stable/c/8677575c4f39d65bf0d719b5d20e8042e550ccb9" + }, + { + "url": "https://git.kernel.org/stable/c/cd2fbfd8b922b7fdd50732e47d797754ab59cb06" + }, + { + "url": "https://git.kernel.org/stable/c/e528b1b9d60743e0b26224e3fe7aa74c24b8b2f8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52475 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52475", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: powermate - fix use-after-free in powermate_config_complete\n\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct. When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\n\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\n\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52475\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52475\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52475\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52475\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52475\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2efe67c581a2a6122b328d4bb6f21b3f36f40d46\",\n \"https://git.kernel.org/stable/c/5aa514100aaf59868d745196258269a16737c7bd\",\n \"https://git.kernel.org/stable/c/5c15c60e7be615f05a45cd905093a54b11f461bc\",\n \"https://git.kernel.org/stable/c/67cace72606baf1758fd60feb358f4c6be92e1cc\",\n \"https://git.kernel.org/stable/c/6a4a396386404e62fb59bc3bde48871a64a82b4f\",\n \"https://git.kernel.org/stable/c/8677575c4f39d65bf0d719b5d20e8042e550ccb9\",\n \"https://git.kernel.org/stable/c/cd2fbfd8b922b7fdd50732e47d797754ab59cb06\",\n \"https://git.kernel.org/stable/c/e528b1b9d60743e0b26224e3fe7aa74c24b8b2f8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nInput: powermate - fix use-after-free in powermate_config_complete\\n\\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\\nhappens when the device is disconnected, which leads to a memory free from\\nthe powermate_device struct. When an asynchronous control message\\ncompletes after the kfree and its callback is invoked, the lock does not\\nexist anymore and hence the bug.\\n\\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\\ndevice disconnection.\\n\\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52475\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52476", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52476" + }, + { + "url": "https://git.kernel.org/stable/c/3863989497652488a50f00e96de4331e5efabc6c" + }, + { + "url": "https://git.kernel.org/stable/c/403d201d1fd144cb249836dafb222f6375871c6c" + }, + { + "url": "https://git.kernel.org/stable/c/e53899771a02f798d436655efbd9d4b46c0f9265" + }, + { + "url": "https://git.kernel.org/stable/c/f71edacbd4f99c0e12fe4a4007ab4d687d0688db" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52476 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52476", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/lbr: Filter vsyscall addresses\n\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\n\n __insn_get_emulate_prefix()\n insn_get_emulate_prefix()\n insn_get_prefixes()\n insn_get_opcode()\n decode_branch_type()\n get_branch_type()\n intel_pmu_lbr_filter()\n intel_pmu_handle_irq()\n perf_event_nmi_handler()\n\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\n\n peek_nbyte_next(insn_byte_t, insn, i)\n\nWithin this macro, this dereference occurs:\n\n (insn)->next_byte\n\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\n\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52476\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52476\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52476\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52476\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52476\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3863989497652488a50f00e96de4331e5efabc6c\",\n \"https://git.kernel.org/stable/c/403d201d1fd144cb249836dafb222f6375871c6c\",\n \"https://git.kernel.org/stable/c/e53899771a02f798d436655efbd9d4b46c0f9265\",\n \"https://git.kernel.org/stable/c/f71edacbd4f99c0e12fe4a4007ab4d687d0688db\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf/x86/lbr: Filter vsyscall addresses\\n\\nWe found that a panic can occur when a vsyscall is made while LBR sampling\\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\\ncall sequence can occur (most recent at top):\\n\\n __insn_get_emulate_prefix()\\n insn_get_emulate_prefix()\\n insn_get_prefixes()\\n insn_get_opcode()\\n decode_branch_type()\\n get_branch_type()\\n intel_pmu_lbr_filter()\\n intel_pmu_handle_irq()\\n perf_event_nmi_handler()\\n\\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\\n\\n peek_nbyte_next(insn_byte_t, insn, i)\\n\\nWithin this macro, this dereference occurs:\\n\\n (insn)->next_byte\\n\\nInspecting registers at this point, the value of the next_byte field is the\\naddress of the vsyscall made, for example the location of the vsyscall\\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\\nin the vsyscall region will trigger an oops due to an unhandled page fault.\\n\\nTo fix the bug, filtering for vsyscalls can be done when\\ndetermining the branch type. This patch will return\\na \\\"none\\\" branch if a kernel address if found to lie in the\\nvsyscall region.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52476\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52477", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52477" + }, + { + "url": "https://git.kernel.org/stable/c/136f69a04e71ba3458d137aec3bb2ce1232c0289" + }, + { + "url": "https://git.kernel.org/stable/c/241f230324337ed5eae3846a554fb6d15169872c" + }, + { + "url": "https://git.kernel.org/stable/c/528f0ba9f7a4bc1b61c9b6eb591ff97ca37cac6b" + }, + { + "url": "https://git.kernel.org/stable/c/6ad3e9fd3632106696692232bf7ff88b9f7e1bc3" + }, + { + "url": "https://git.kernel.org/stable/c/8e7346bfea56453e31b7421c1c17ca2fb9ed613d" + }, + { + "url": "https://git.kernel.org/stable/c/c64e4dca9aefd232b17ac4c779b608b286654e81" + }, + { + "url": "https://git.kernel.org/stable/c/f74a7afc224acd5e922c7a2e52244d891bbe44ee" + }, + { + "url": "https://git.kernel.org/stable/c/fb9895ab9533534335fa83d70344b397ac862c81" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52477 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52477", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: hub: Guard against accesses to uninitialized BOS descriptors\n\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 \nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\n\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52477\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52477\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52477\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52477\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52477\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/136f69a04e71ba3458d137aec3bb2ce1232c0289\",\n \"https://git.kernel.org/stable/c/241f230324337ed5eae3846a554fb6d15169872c\",\n \"https://git.kernel.org/stable/c/528f0ba9f7a4bc1b61c9b6eb591ff97ca37cac6b\",\n \"https://git.kernel.org/stable/c/6ad3e9fd3632106696692232bf7ff88b9f7e1bc3\",\n \"https://git.kernel.org/stable/c/8e7346bfea56453e31b7421c1c17ca2fb9ed613d\",\n \"https://git.kernel.org/stable/c/c64e4dca9aefd232b17ac4c779b608b286654e81\",\n \"https://git.kernel.org/stable/c/f74a7afc224acd5e922c7a2e52244d891bbe44ee\",\n \"https://git.kernel.org/stable/c/fb9895ab9533534335fa83d70344b397ac862c81\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: hub: Guard against accesses to uninitialized BOS descriptors\\n\\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\\naccess fields inside udev->bos without checking if it was allocated and\\ninitialized. If usb_get_bos_descriptor() fails for whatever\\nreason, udev->bos will be NULL and those accesses will result in a\\ncrash:\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000018\\nPGD 0 P4D 0\\nOops: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 \\nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\\nWorkqueue: usb_hub_wq hub_event\\nRIP: 0010:hub_port_reset+0x193/0x788\\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\\nCall Trace:\\nhub_event+0x73f/0x156e\\n? hub_activate+0x5b7/0x68f\\nprocess_one_work+0x1a2/0x487\\nworker_thread+0x11a/0x288\\nkthread+0x13a/0x152\\n? process_one_work+0x487/0x487\\n? kthread_associate_blkcg+0x70/0x70\\nret_from_fork+0x1f/0x30\\n\\nFall back to a default behavior if the BOS descriptor isn't accessible\\nand skip all the functionalities that depend on it: LPM support checks,\\nSuper Speed capabilitiy checks, U1/U2 states setup.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52477\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52478", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52478" + }, + { + "url": "https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1" + }, + { + "url": "https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528" + }, + { + "url": "https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c" + }, + { + "url": "https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5" + }, + { + "url": "https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b" + }, + { + "url": "https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452" + }, + { + "url": "https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e" + }, + { + "url": "https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52478 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52478", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\n\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\n\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\n\nThis opens the following races (note the below code is simplified):\n\n1. Retrieving + printing the protocol (harmless race):\n\n\tif (!hidpp->protocol_major) {\n\t\thidpp_root_get_protocol_version()\n\t\thidpp->protocol_major = response.rap.params[0];\n\t}\n\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n\nTesting with extra logging added has shown that after this the 2 threads\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n\n2. Updating the name to the HIDPP name (harmless race):\n\n\tif (hidpp->name == hdev->name) {\n\t\t...\n\t\thidpp->name = new_name;\n\t}\n\n3. Initializing the power_supply class for the battery (problematic!):\n\nhidpp_initialize_battery()\n{\n if (hidpp->battery.ps)\n return 0;\n\n\tprobe_battery(); /* Blocks, threads take turns executing this */\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n}\n\n4. Creating delayed input_device (potentially problematic):\n\n\tif (hidpp->delayed_input)\n\t\treturn;\n\n\thidpp->delayed_input = hidpp_allocate_input(hdev);\n\nThe really big problem here is 3. Hitting the race leads to the following\nsequence:\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n\n\t...\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace's pov but this is not even\nthe really big problem.\n\nNotice how:\n\n1. This is all devm-maganaged\n2. The hidpp->battery.desc struct is shared between the 2 power supplies\n3. hidpp->battery.desc.properties points to the result from the second\n devm_kmemdup()\n\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\n hidpp->battery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\n this involves sending a remove uevent to userspace which invokes\n power_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp->battery.desc.properties which\n now points to freed memory leading to backtraces like this one:\n\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel: \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52478\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52478\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52478\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52478\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52478\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1\",\n \"https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528\",\n \"https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c\",\n \"https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5\",\n \"https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b\",\n \"https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452\",\n \"https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e\",\n \"https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\\n\\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\\nraces when it races with itself.\\n\\nhidpp_connect_event() primarily runs from a workqueue but it also runs\\non probe() and if a \\\"device-connected\\\" packet is received by the hw\\nwhen the thread running hidpp_connect_event() from probe() is waiting on\\nthe hw, then a second thread running hidpp_connect_event() will be\\nstarted from the workqueue.\\n\\nThis opens the following races (note the below code is simplified):\\n\\n1. Retrieving + printing the protocol (harmless race):\\n\\n\\tif (!hidpp->protocol_major) {\\n\\t\\thidpp_root_get_protocol_version()\\n\\t\\thidpp->protocol_major = response.rap.params[0];\\n\\t}\\n\\nWe can actually see this race hit in the dmesg in the abrt output\\nattached to rhbz#2227968:\\n\\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\\n\\nTesting with extra logging added has shown that after this the 2 threads\\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\\nthrough all the other TOCTOU cases managing to hit all of them:\\n\\n2. Updating the name to the HIDPP name (harmless race):\\n\\n\\tif (hidpp->name == hdev->name) {\\n\\t\\t...\\n\\t\\thidpp->name = new_name;\\n\\t}\\n\\n3. Initializing the power_supply class for the battery (problematic!):\\n\\nhidpp_initialize_battery()\\n{\\n if (hidpp->battery.ps)\\n return 0;\\n\\n\\tprobe_battery(); /* Blocks, threads take turns executing this */\\n\\n\\thidpp->battery.desc.properties =\\n\\t\\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\\n\\n\\thidpp->battery.ps =\\n\\t\\tdevm_power_supply_register(&hidpp->hid_dev->dev,\\n\\t\\t\\t\\t\\t &hidpp->battery.desc, cfg);\\n}\\n\\n4. Creating delayed input_device (potentially problematic):\\n\\n\\tif (hidpp->delayed_input)\\n\\t\\treturn;\\n\\n\\thidpp->delayed_input = hidpp_allocate_input(hdev);\\n\\nThe really big problem here is 3. Hitting the race leads to the following\\nsequence:\\n\\n\\thidpp->battery.desc.properties =\\n\\t\\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\\n\\n\\thidpp->battery.ps =\\n\\t\\tdevm_power_supply_register(&hidpp->hid_dev->dev,\\n\\t\\t\\t\\t\\t &hidpp->battery.desc, cfg);\\n\\n\\t...\\n\\n\\thidpp->battery.desc.properties =\\n\\t\\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\\n\\n\\thidpp->battery.ps =\\n\\t\\tdevm_power_supply_register(&hidpp->hid_dev->dev,\\n\\t\\t\\t\\t\\t &hidpp->battery.desc, cfg);\\n\\nSo now we have registered 2 power supplies for the same battery,\\nwhich looks a bit weird from userspace's pov but this is not even\\nthe really big problem.\\n\\nNotice how:\\n\\n1. This is all devm-maganaged\\n2. The hidpp->battery.desc struct is shared between the 2 power supplies\\n3. hidpp->battery.desc.properties points to the result from the second\\n devm_kmemdup()\\n\\nThis causes a use after free scenario on USB disconnect of the receiver:\\n1. The last registered power supply class device gets unregistered\\n2. The memory from the last devm_kmemdup() call gets freed,\\n hidpp->battery.desc.properties now points to freed memory\\n3. The first registered power supply class device gets unregistered,\\n this involves sending a remove uevent to userspace which invokes\\n power_supply_uevent() to fill the uevent data\\n4. power_supply_uevent() uses hidpp->battery.desc.properties which\\n now points to freed memory leading to backtraces like this one:\\n\\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\\n...\\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\\n...\\nSep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30\\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0\\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0\\nSep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0\\nSep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680\\nSep 22 20:01:35 eric kernel: \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52478\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52479", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52479" + }, + { + "url": "https://git.kernel.org/stable/c/694e13732e830cbbfedb562e57f28644927c33fd" + }, + { + "url": "https://git.kernel.org/stable/c/8226ffc759ea59f10067b9acdf7f94bae1c69930" + }, + { + "url": "https://git.kernel.org/stable/c/c69813471a1ec081a0b9bf0c6bd7e8afd818afce" + }, + { + "url": "https://git.kernel.org/stable/c/d5b0e9d3563e7e314a850e81f42b2ef6f39882f9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52479 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52479", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix uaf in smb20_oplock_break_ack\n\ndrop reference after use opinfo.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52479\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52479\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52479\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52479\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52479\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/694e13732e830cbbfedb562e57f28644927c33fd\",\n \"https://git.kernel.org/stable/c/8226ffc759ea59f10067b9acdf7f94bae1c69930\",\n \"https://git.kernel.org/stable/c/c69813471a1ec081a0b9bf0c6bd7e8afd818afce\",\n \"https://git.kernel.org/stable/c/d5b0e9d3563e7e314a850e81f42b2ef6f39882f9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: fix uaf in smb20_oplock_break_ack\\n\\ndrop reference after use opinfo.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52479\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52481", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52481" + }, + { + "url": "https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25" + }, + { + "url": "https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513" + }, + { + "url": "https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52481 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52481", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\n\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\naffected Cortex-A520 core, a speculatively executed unprivileged load\nmight leak data from a privileged load via a cache side channel. The\nissue only exists for loads within a translation regime with the same\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\nthe return to EL0.\n\nThe workaround is to execute a TLBI before returning to EL0 after all\nloads of privileged data. A non-shareable TLBI to any address is\nsufficient.\n\nThe workaround isn't necessary if page table isolation (KPTI) is\nenabled, but for simplicity it will be. Page table isolation should\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\nand the E0PD feature (used when KASLR is enabled).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52481\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52481\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52481\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52481\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52481\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25\",\n \"https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513\",\n \"https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\\n\\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\\naffected Cortex-A520 core, a speculatively executed unprivileged load\\nmight leak data from a privileged load via a cache side channel. The\\nissue only exists for loads within a translation regime with the same\\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\\nthe return to EL0.\\n\\nThe workaround is to execute a TLBI before returning to EL0 after all\\nloads of privileged data. A non-shareable TLBI to any address is\\nsufficient.\\n\\nThe workaround isn't necessary if page table isolation (KPTI) is\\nenabled, but for simplicity it will be. Page table isolation should\\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\\nand the E0PD feature (used when KASLR is enabled).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52481\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52482", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52482" + }, + { + "url": "https://git.kernel.org/stable/c/6ce2f297a7168274547d0b5aea6c7c16268b8a96" + }, + { + "url": "https://git.kernel.org/stable/c/a5ef7d68cea1344cf524f04981c2b3f80bedbb0d" + }, + { + "url": "https://git.kernel.org/stable/c/cf43b304b6952b549d58feabc342807b334f03d4" + }, + { + "url": "https://git.kernel.org/stable/c/e7ea043bc3f19473561c08565047b3f1671bf35d" + }, + { + "url": "https://git.kernel.org/stable/c/f090a8b4d2e3ec6f318d6fdab243a2edc5a8cc37" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52482 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52482", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/srso: Add SRSO mitigation for Hygon processors\n\nAdd mitigation for the speculative return stack overflow vulnerability\nwhich exists on Hygon processors too.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52482\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52482\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52482\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52482\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52482\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6ce2f297a7168274547d0b5aea6c7c16268b8a96\",\n \"https://git.kernel.org/stable/c/a5ef7d68cea1344cf524f04981c2b3f80bedbb0d\",\n \"https://git.kernel.org/stable/c/cf43b304b6952b549d58feabc342807b334f03d4\",\n \"https://git.kernel.org/stable/c/e7ea043bc3f19473561c08565047b3f1671bf35d\",\n \"https://git.kernel.org/stable/c/f090a8b4d2e3ec6f318d6fdab243a2edc5a8cc37\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/srso: Add SRSO mitigation for Hygon processors\\n\\nAdd mitigation for the speculative return stack overflow vulnerability\\nwhich exists on Hygon processors too.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52482\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52483", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52483" + }, + { + "url": "https://git.kernel.org/stable/c/1db0724a01b558feb1ecae551782add1951a114a" + }, + { + "url": "https://git.kernel.org/stable/c/2405f64a95a7a094eb24cba9bcfaffd1ea264de4" + }, + { + "url": "https://git.kernel.org/stable/c/5093bbfc10ab6636b32728e35813cbd79feb063c" + }, + { + "url": "https://git.kernel.org/stable/c/6c52b12159049046483fdb0c411a0a1869c41a67" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52483 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52483", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: perform route lookups under a RCU read-side lock\n\nOur current route lookups (mctp_route_lookup and mctp_route_lookup_null)\ntraverse the net's route list without the RCU read lock held. This means\nthe route lookup is subject to preemption, resulting in an potential\ngrace period expiry, and so an eventual kfree() while we still have the\nroute pointer.\n\nAdd the proper read-side critical section locks around the route\nlookups, preventing premption and a possible parallel kfree.\n\nThe remaining net->mctp.routes accesses are already under a\nrcu_read_lock, or protected by the RTNL for updates.\n\nBased on an analysis from Sili Luo , where\nintroducing a delay in the route lookup could cause a UAF on\nsimultaneous sendmsg() and route deletion.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52483\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52483\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52483\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52483\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52483\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1db0724a01b558feb1ecae551782add1951a114a\",\n \"https://git.kernel.org/stable/c/2405f64a95a7a094eb24cba9bcfaffd1ea264de4\",\n \"https://git.kernel.org/stable/c/5093bbfc10ab6636b32728e35813cbd79feb063c\",\n \"https://git.kernel.org/stable/c/6c52b12159049046483fdb0c411a0a1869c41a67\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmctp: perform route lookups under a RCU read-side lock\\n\\nOur current route lookups (mctp_route_lookup and mctp_route_lookup_null)\\ntraverse the net's route list without the RCU read lock held. This means\\nthe route lookup is subject to preemption, resulting in an potential\\ngrace period expiry, and so an eventual kfree() while we still have the\\nroute pointer.\\n\\nAdd the proper read-side critical section locks around the route\\nlookups, preventing premption and a possible parallel kfree.\\n\\nThe remaining net->mctp.routes accesses are already under a\\nrcu_read_lock, or protected by the RTNL for updates.\\n\\nBased on an analysis from Sili Luo , where\\nintroducing a delay in the route lookup could cause a UAF on\\nsimultaneous sendmsg() and route deletion.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52483\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52484", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52484" + }, + { + "url": "https://git.kernel.org/stable/c/3283a1bce9bbc978059f790b84f3c10c32492429" + }, + { + "url": "https://git.kernel.org/stable/c/d5afb4b47e13161b3f33904d45110f9e6463bad6" + }, + { + "url": "https://git.kernel.org/stable/c/f5a604757aa8e37ea9c7011dc9da54fa1b30f29b" + }, + { + "url": "https://git.kernel.org/stable/c/f90f4c562003ac3d3b135c5a40a5383313f27264" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52484 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52484", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\n\nWhen running an SVA case, the following soft lockup is triggered:\n--------------------------------------------------------------------\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\nsp : ffff8000d83ef290\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\nx26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\n __arm_smmu_tlb_inv_range+0x118/0x254\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\n arm_smmu_mm_invalidate_range+0xa0/0xa4\n __mmu_notifier_invalidate_range_end+0x88/0x120\n unmap_vmas+0x194/0x1e0\n unmap_region+0xb4/0x144\n do_mas_align_munmap+0x290/0x490\n do_mas_munmap+0xbc/0x124\n __vm_munmap+0xa8/0x19c\n __arm64_sys_munmap+0x28/0x50\n invoke_syscall+0x78/0x11c\n el0_svc_common.constprop.0+0x58/0x1c0\n do_el0_svc+0x34/0x60\n el0_svc+0x2c/0xd4\n el0t_64_sync_handler+0x114/0x140\n el0t_64_sync+0x1a4/0x1a8\n--------------------------------------------------------------------\n\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\nto \"arm_smmu_mm_arch_invalidate_secondary_tlbs\", yet the problem remains.\n\nThe commit 06ff87bae8d3 (\"arm64: mm: remove unused functions and variable\nprotoypes\") fixed a similar lockup on the CPU MMU side. Yet, it can occur\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\ntypically next to MMU tlb flush function, e.g.\n\ttlb_flush_mmu_tlbonly {\n\t\ttlb_flush {\n\t\t\t__flush_tlb_range {\n\t\t\t\t// check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t\tmmu_notifier_arch_invalidate_secondary_tlbs {\n\t\t\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\n\t\t\t\t// does not check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t}\n\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\nTLBI command, if the request size hits this threshold.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52484\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52484\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52484\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52484\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52484\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3283a1bce9bbc978059f790b84f3c10c32492429\",\n \"https://git.kernel.org/stable/c/d5afb4b47e13161b3f33904d45110f9e6463bad6\",\n \"https://git.kernel.org/stable/c/f5a604757aa8e37ea9c7011dc9da54fa1b30f29b\",\n \"https://git.kernel.org/stable/c/f90f4c562003ac3d3b135c5a40a5383313f27264\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\\n\\nWhen running an SVA case, the following soft lockup is triggered:\\n--------------------------------------------------------------------\\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\\nsp : ffff8000d83ef290\\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\\nx26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\\nCall trace:\\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\\n __arm_smmu_tlb_inv_range+0x118/0x254\\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\\n arm_smmu_mm_invalidate_range+0xa0/0xa4\\n __mmu_notifier_invalidate_range_end+0x88/0x120\\n unmap_vmas+0x194/0x1e0\\n unmap_region+0xb4/0x144\\n do_mas_align_munmap+0x290/0x490\\n do_mas_munmap+0xbc/0x124\\n __vm_munmap+0xa8/0x19c\\n __arm64_sys_munmap+0x28/0x50\\n invoke_syscall+0x78/0x11c\\n el0_svc_common.constprop.0+0x58/0x1c0\\n do_el0_svc+0x34/0x60\\n el0_svc+0x2c/0xd4\\n el0t_64_sync_handler+0x114/0x140\\n el0t_64_sync+0x1a4/0x1a8\\n--------------------------------------------------------------------\\n\\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\\nto \\\"arm_smmu_mm_arch_invalidate_secondary_tlbs\\\", yet the problem remains.\\n\\nThe commit 06ff87bae8d3 (\\\"arm64: mm: remove unused functions and variable\\nprotoypes\\\") fixed a similar lockup on the CPU MMU side. Yet, it can occur\\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\\ntypically next to MMU tlb flush function, e.g.\\n\\ttlb_flush_mmu_tlbonly {\\n\\t\\ttlb_flush {\\n\\t\\t\\t__flush_tlb_range {\\n\\t\\t\\t\\t// check MAX_TLBI_OPS\\n\\t\\t\\t}\\n\\t\\t}\\n\\t\\tmmu_notifier_arch_invalidate_secondary_tlbs {\\n\\t\\t\\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\\n\\t\\t\\t\\t// does not check MAX_TLBI_OPS\\n\\t\\t\\t}\\n\\t\\t}\\n\\t}\\n\\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\\nTLBI command, if the request size hits this threshold.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52484\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52485", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52485" + }, + { + "url": "https://git.kernel.org/stable/c/303197775a97416b62d4da69280d0c120a20e009" + }, + { + "url": "https://git.kernel.org/stable/c/8892780834ae294bc3697c7d0e056d7743900b39" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52485 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52485", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before sending a command\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nFor functions that execute within a DC context or DC lock we can\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\nexits idle power optimizations and reallows once we're done with\nthe command submission on success.\n\nFor DM direct submissions the DM will need to manage the enter/exit\nsequencing manually.\n\nWe cannot invoke a DMCUB command directly within the DM execution\nhelper or we can deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52485\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52485\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52485\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52485\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52485\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/303197775a97416b62d4da69280d0c120a20e009\",\n \"https://git.kernel.org/stable/c/8892780834ae294bc3697c7d0e056d7743900b39\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Wake DMCUB before sending a command\\n\\n[Why]\\nWe can hang in place trying to send commands when the DMCUB isn't\\npowered on.\\n\\n[How]\\nFor functions that execute within a DC context or DC lock we can\\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\\nexits idle power optimizations and reallows once we're done with\\nthe command submission on success.\\n\\nFor DM direct submissions the DM will need to manage the enter/exit\\nsequencing manually.\\n\\nWe cannot invoke a DMCUB command directly within the DM execution\\nhelper or we can deadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52485\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52488", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52488" + }, + { + "url": "https://git.kernel.org/stable/c/084c24e788d9cf29c55564de368bf5284f2bb5db" + }, + { + "url": "https://git.kernel.org/stable/c/416b10d2817c94db86829fb92ad43ce7d002c573" + }, + { + "url": "https://git.kernel.org/stable/c/4e37416e4ee1b1bc17364a68973e0c63be89e611" + }, + { + "url": "https://git.kernel.org/stable/c/aa7cb4787698add9367b19f7afc667662c9bdb23" + }, + { + "url": "https://git.kernel.org/stable/c/dbf4ab821804df071c8b566d9813083125e6d97b" + }, + { + "url": "https://git.kernel.org/stable/c/e635f652696ef6f1230621cfd89c350cb5ec6169" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52488 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52488", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO\n\nThe SC16IS7XX IC supports a burst mode to access the FIFOs where the\ninitial register address is sent ($00), followed by all the FIFO data\nwithout having to resend the register address each time. In this mode, the\nIC doesn't increment the register address for each R/W byte.\n\nThe regmap_raw_read() and regmap_raw_write() are functions which can\nperform IO over multiple registers. They are currently used to read/write\nfrom/to the FIFO, and although they operate correctly in this burst mode on\nthe SPI bus, they would corrupt the regmap cache if it was not disabled\nmanually. The reason is that when the R/W size is more than 1 byte, these\nfunctions assume that the register address is incremented and handle the\ncache accordingly.\n\nConvert FIFO R/W functions to use the regmap _noinc_ versions in order to\nremove the manual cache control which was a workaround when using the\n_raw_ versions. FIFO registers are properly declared as volatile so\ncache will not be used/updated for FIFO accesses.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52488\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52488\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52488\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52488\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52488\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/084c24e788d9cf29c55564de368bf5284f2bb5db\",\n \"https://git.kernel.org/stable/c/416b10d2817c94db86829fb92ad43ce7d002c573\",\n \"https://git.kernel.org/stable/c/4e37416e4ee1b1bc17364a68973e0c63be89e611\",\n \"https://git.kernel.org/stable/c/aa7cb4787698add9367b19f7afc667662c9bdb23\",\n \"https://git.kernel.org/stable/c/dbf4ab821804df071c8b566d9813083125e6d97b\",\n \"https://git.kernel.org/stable/c/e635f652696ef6f1230621cfd89c350cb5ec6169\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO\\n\\nThe SC16IS7XX IC supports a burst mode to access the FIFOs where the\\ninitial register address is sent ($00), followed by all the FIFO data\\nwithout having to resend the register address each time. In this mode, the\\nIC doesn't increment the register address for each R/W byte.\\n\\nThe regmap_raw_read() and regmap_raw_write() are functions which can\\nperform IO over multiple registers. They are currently used to read/write\\nfrom/to the FIFO, and although they operate correctly in this burst mode on\\nthe SPI bus, they would corrupt the regmap cache if it was not disabled\\nmanually. The reason is that when the R/W size is more than 1 byte, these\\nfunctions assume that the register address is incremented and handle the\\ncache accordingly.\\n\\nConvert FIFO R/W functions to use the regmap _noinc_ versions in order to\\nremove the manual cache control which was a workaround when using the\\n_raw_ versions. FIFO registers are properly declared as volatile so\\ncache will not be used/updated for FIFO accesses.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52488\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52499", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52499" + }, + { + "url": "https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820" + }, + { + "url": "https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746" + }, + { + "url": "https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3" + }, + { + "url": "https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52499 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52499", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/47x: Fix 47x syscall return crash\n\nEddie reported that newer kernels were crashing during boot on his 476\nFSP2 system:\n\n kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)\n BUG: Unable to handle kernel instruction fetch\n Faulting instruction address: 0xb7ee2000\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K FSP-2\n Modules linked in:\n CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1\n Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2\n NIP: b7ee2000 LR: 8c008000 CTR: 00000000\n REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fs p2)\n MSR: 00000030 CR: 00001000 XER: 20000000\n GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000\n GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000\n GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0\n GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0\n NIP [b7ee2000] 0xb7ee2000\n LR [8c008000] 0x8c008000\n Call Trace:\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n ---[ end trace 0000000000000000 ]---\n\nThe problem is in ret_from_syscall where the check for\nicache_44x_need_flush is done. When the flush is needed the code jumps\nout-of-line to do the flush, and then intends to jump back to continue\nthe syscall return.\n\nHowever the branch back to label 1b doesn't return to the correct\nlocation, instead branching back just prior to the return to userspace,\ncausing bogus register values to be used by the rfi.\n\nThe breakage was introduced by commit 6f76a01173cc\n(\"powerpc/syscall: implement system call entry/exit logic in C for PPC32\") which\ninadvertently removed the \"1\" label and reused it elsewhere.\n\nFix it by adding named local labels in the correct locations. Note that\nthe return label needs to be outside the ifdef so that CONFIG_PPC_47x=n\ncompiles.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52499\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52499\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52499\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52499\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52499\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820\",\n \"https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746\",\n \"https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3\",\n \"https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/47x: Fix 47x syscall return crash\\n\\nEddie reported that newer kernels were crashing during boot on his 476\\nFSP2 system:\\n\\n kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)\\n BUG: Unable to handle kernel instruction fetch\\n Faulting instruction address: 0xb7ee2000\\n Oops: Kernel access of bad area, sig: 11 [#1]\\n BE PAGE_SIZE=4K FSP-2\\n Modules linked in:\\n CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1\\n Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2\\n NIP: b7ee2000 LR: 8c008000 CTR: 00000000\\n REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fs p2)\\n MSR: 00000030 CR: 00001000 XER: 20000000\\n GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000\\n GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000\\n GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0\\n GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0\\n NIP [b7ee2000] 0xb7ee2000\\n LR [8c008000] 0x8c008000\\n Call Trace:\\n Instruction dump:\\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\\n ---[ end trace 0000000000000000 ]---\\n\\nThe problem is in ret_from_syscall where the check for\\nicache_44x_need_flush is done. When the flush is needed the code jumps\\nout-of-line to do the flush, and then intends to jump back to continue\\nthe syscall return.\\n\\nHowever the branch back to label 1b doesn't return to the correct\\nlocation, instead branching back just prior to the return to userspace,\\ncausing bogus register values to be used by the rfi.\\n\\nThe breakage was introduced by commit 6f76a01173cc\\n(\\\"powerpc/syscall: implement system call entry/exit logic in C for PPC32\\\") which\\ninadvertently removed the \\\"1\\\" label and reused it elsewhere.\\n\\nFix it by adding named local labels in the correct locations. Note that\\nthe return label needs to be outside the ifdef so that CONFIG_PPC_47x=n\\ncompiles.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52499\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52500", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52500" + }, + { + "url": "https://git.kernel.org/stable/c/2259e1901b2d8c0e8538fc99e77de443b939e749" + }, + { + "url": "https://git.kernel.org/stable/c/22e6d783a33015bcdf0979015e4eac603912bea7" + }, + { + "url": "https://git.kernel.org/stable/c/2afd8fcee0c4d65a482e30c3ad2a92c25e5e92d4" + }, + { + "url": "https://git.kernel.org/stable/c/c13e7331745852d0dd7c35eabbe181cbd5b01172" + }, + { + "url": "https://git.kernel.org/stable/c/d540a4370aba378fbedf349ba0bb68e96e24243d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52500 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52500", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\n\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52500\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52500\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52500\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52500\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52500\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2259e1901b2d8c0e8538fc99e77de443b939e749\",\n \"https://git.kernel.org/stable/c/22e6d783a33015bcdf0979015e4eac603912bea7\",\n \"https://git.kernel.org/stable/c/2afd8fcee0c4d65a482e30c3ad2a92c25e5e92d4\",\n \"https://git.kernel.org/stable/c/c13e7331745852d0dd7c35eabbe181cbd5b01172\",\n \"https://git.kernel.org/stable/c/d540a4370aba378fbedf349ba0bb68e96e24243d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\\n\\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\\nwhen we receive the response.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52500\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52501", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52501" + }, + { + "url": "https://git.kernel.org/stable/c/344f2f3e61a90f0150c754796ec9a17fcaeec03d" + }, + { + "url": "https://git.kernel.org/stable/c/75fc9e99b3a71006720ad1e029db11a4b5c32d4a" + }, + { + "url": "https://git.kernel.org/stable/c/95a404bd60af6c4d9d8db01ad14fe8957ece31ca" + }, + { + "url": "https://git.kernel.org/stable/c/b08a4938229dbb530a35c41b83002a1457c6ff49" + }, + { + "url": "https://git.kernel.org/stable/c/cee5151c5410e868826b8afecfb356f3799ebea3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52501 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52501", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not attempt to read past \"commit\"\n\nWhen iterating over the ring buffer while the ring buffer is active, the\nwriter can corrupt the reader. There's barriers to help detect this and\nhandle it, but that code missed the case where the last event was at the\nvery end of the page and has only 4 bytes left.\n\nThe checks to detect the corruption by the writer to reads needs to see the\nlength of the event. If the length in the first 4 bytes is zero then the\nlength is stored in the second 4 bytes. But if the writer is in the process\nof updating that code, there's a small window where the length in the first\n4 bytes could be zero even though the length is only 4 bytes. That will\ncause rb_event_length() to read the next 4 bytes which could happen to be off the\nallocated page.\n\nTo protect against this, fail immediately if the next event pointer is\nless than 8 bytes from the end of the commit (last byte of data), as all\nevents must be a minimum of 8 bytes anyway.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52501\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52501\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52501\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52501\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52501\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/344f2f3e61a90f0150c754796ec9a17fcaeec03d\",\n \"https://git.kernel.org/stable/c/75fc9e99b3a71006720ad1e029db11a4b5c32d4a\",\n \"https://git.kernel.org/stable/c/95a404bd60af6c4d9d8db01ad14fe8957ece31ca\",\n \"https://git.kernel.org/stable/c/b08a4938229dbb530a35c41b83002a1457c6ff49\",\n \"https://git.kernel.org/stable/c/cee5151c5410e868826b8afecfb356f3799ebea3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nring-buffer: Do not attempt to read past \\\"commit\\\"\\n\\nWhen iterating over the ring buffer while the ring buffer is active, the\\nwriter can corrupt the reader. There's barriers to help detect this and\\nhandle it, but that code missed the case where the last event was at the\\nvery end of the page and has only 4 bytes left.\\n\\nThe checks to detect the corruption by the writer to reads needs to see the\\nlength of the event. If the length in the first 4 bytes is zero then the\\nlength is stored in the second 4 bytes. But if the writer is in the process\\nof updating that code, there's a small window where the length in the first\\n4 bytes could be zero even though the length is only 4 bytes. That will\\ncause rb_event_length() to read the next 4 bytes which could happen to be off the\\nallocated page.\\n\\nTo protect against this, fail immediately if the next event pointer is\\nless than 8 bytes from the end of the commit (last byte of data), as all\\nevents must be a minimum of 8 bytes anyway.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52501\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52502", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52502" + }, + { + "url": "https://git.kernel.org/stable/c/31c07dffafce914c1d1543c135382a11ff058d93" + }, + { + "url": "https://git.kernel.org/stable/c/6ac22ecdaad2ecc662048f8c6b0ceb1ca0699ef9" + }, + { + "url": "https://git.kernel.org/stable/c/7adcf014bda16cdbf804af5c164d94d5d025db2d" + }, + { + "url": "https://git.kernel.org/stable/c/d1af8a39cf839d93c8967fdd858f6bbdc3e4a15c" + }, + { + "url": "https://git.kernel.org/stable/c/d888d3f70b0de32b4f51534175f039ddab15eef8" + }, + { + "url": "https://git.kernel.org/stable/c/e4f2611f07c87b3ddb57c4b9e8efcd1e330fc3dc" + }, + { + "url": "https://git.kernel.org/stable/c/e863f5720a5680e50c4cecf12424d7cc31b3eb0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52502 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52502", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\n\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\n\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\n\nnfc_llcp_sock_get_sn() has a similar problem.\n\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52502\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52502\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52502\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52502\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52502\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/31c07dffafce914c1d1543c135382a11ff058d93\",\n \"https://git.kernel.org/stable/c/6ac22ecdaad2ecc662048f8c6b0ceb1ca0699ef9\",\n \"https://git.kernel.org/stable/c/7adcf014bda16cdbf804af5c164d94d5d025db2d\",\n \"https://git.kernel.org/stable/c/d1af8a39cf839d93c8967fdd858f6bbdc3e4a15c\",\n \"https://git.kernel.org/stable/c/d888d3f70b0de32b4f51534175f039ddab15eef8\",\n \"https://git.kernel.org/stable/c/e4f2611f07c87b3ddb57c4b9e8efcd1e330fc3dc\",\n \"https://git.kernel.org/stable/c/e863f5720a5680e50c4cecf12424d7cc31b3eb0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\\n\\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\\n\\nGetting a reference on the socket found in a lookup while\\nholding a lock should happen before releasing the lock.\\n\\nnfc_llcp_sock_get_sn() has a similar problem.\\n\\nFinally nfc_llcp_recv_snl() needs to make sure the socket\\nfound by nfc_llcp_sock_from_sn() does not disappear.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52502\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52503", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52503" + }, + { + "url": "https://git.kernel.org/stable/c/1680c82929bc14d706065f123dab77f2f1293116" + }, + { + "url": "https://git.kernel.org/stable/c/1c95574350cd63bc3c5c2fa06658010768f2a0ce" + }, + { + "url": "https://git.kernel.org/stable/c/60c3e7a00db954947c265b55099c21b216f2a05c" + }, + { + "url": "https://git.kernel.org/stable/c/da7ce52a2f6c468946195b116615297d3d113a27" + }, + { + "url": "https://git.kernel.org/stable/c/f4384b3e54ea813868bb81a861bf5b2406e15d8f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52503 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52503", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\n\nThere is a potential race condition in amdtee_close_session that may\ncause use-after-free in amdtee_open_session. For instance, if a session\nhas refcount == 1, and one thread tries to free this session via:\n\n kref_put(&sess->refcount, destroy_session);\n\nthe reference count will get decremented, and the next step would be to\ncall destroy_session(). However, if in another thread,\namdtee_open_session() is called before destroy_session() has completed\nexecution, alloc_session() may return 'sess' that will be freed up\nlater in destroy_session() leading to use-after-free in\namdtee_open_session.\n\nTo fix this issue, treat decrement of sess->refcount and removal of\n'sess' from session list in destroy_session() as a critical section, so\nthat it is executed atomically.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52503\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52503\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52503\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52503\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52503\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1680c82929bc14d706065f123dab77f2f1293116\",\n \"https://git.kernel.org/stable/c/1c95574350cd63bc3c5c2fa06658010768f2a0ce\",\n \"https://git.kernel.org/stable/c/60c3e7a00db954947c265b55099c21b216f2a05c\",\n \"https://git.kernel.org/stable/c/da7ce52a2f6c468946195b116615297d3d113a27\",\n \"https://git.kernel.org/stable/c/f4384b3e54ea813868bb81a861bf5b2406e15d8f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\\n\\nThere is a potential race condition in amdtee_close_session that may\\ncause use-after-free in amdtee_open_session. For instance, if a session\\nhas refcount == 1, and one thread tries to free this session via:\\n\\n kref_put(&sess->refcount, destroy_session);\\n\\nthe reference count will get decremented, and the next step would be to\\ncall destroy_session(). However, if in another thread,\\namdtee_open_session() is called before destroy_session() has completed\\nexecution, alloc_session() may return 'sess' that will be freed up\\nlater in destroy_session() leading to use-after-free in\\namdtee_open_session.\\n\\nTo fix this issue, treat decrement of sess->refcount and removal of\\n'sess' from session list in destroy_session() as a critical section, so\\nthat it is executed atomically.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52503\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52504", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52504" + }, + { + "url": "https://git.kernel.org/stable/c/3719d3c36aa853d5a2401af9f8d6b116c91ad5ae" + }, + { + "url": "https://git.kernel.org/stable/c/3770c38cd6a60494da29ac2da73ff8156440a2d1" + }, + { + "url": "https://git.kernel.org/stable/c/5b784489c8158518bf7a466bb3cc045b0fb66b4b" + }, + { + "url": "https://git.kernel.org/stable/c/6788b10620ca6e98575d1e06e72a8974aad7657e" + }, + { + "url": "https://git.kernel.org/stable/c/cd287cc208dfe6bd6da98e7f88e723209242c9b4" + }, + { + "url": "https://git.kernel.org/stable/c/d35652a5fc9944784f6f50a5c979518ff8dacf61" + }, + { + "url": "https://git.kernel.org/stable/c/ecba5afe86f30605eb9dfb7f265a8de0218d4cfc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52504 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52504", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/alternatives: Disable KASAN in apply_alternatives()\n\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\n\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\n\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\n\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\n\nFix it for real by disabling KASAN while the kernel is patching alternatives.\n\n[ mingo: updated the changelog ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52504\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52504\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52504\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52504\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52504\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3719d3c36aa853d5a2401af9f8d6b116c91ad5ae\",\n \"https://git.kernel.org/stable/c/3770c38cd6a60494da29ac2da73ff8156440a2d1\",\n \"https://git.kernel.org/stable/c/5b784489c8158518bf7a466bb3cc045b0fb66b4b\",\n \"https://git.kernel.org/stable/c/6788b10620ca6e98575d1e06e72a8974aad7657e\",\n \"https://git.kernel.org/stable/c/cd287cc208dfe6bd6da98e7f88e723209242c9b4\",\n \"https://git.kernel.org/stable/c/d35652a5fc9944784f6f50a5c979518ff8dacf61\",\n \"https://git.kernel.org/stable/c/ecba5afe86f30605eb9dfb7f265a8de0218d4cfc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/alternatives: Disable KASAN in apply_alternatives()\\n\\nFei has reported that KASAN triggers during apply_alternatives() on\\na 5-level paging machine:\\n\\n\\tBUG: KASAN: out-of-bounds in rcu_is_watching()\\n\\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\\n\\t...\\n\\t__asan_load4()\\n\\trcu_is_watching()\\n\\ttrace_hardirqs_on()\\n\\ttext_poke_early()\\n\\tapply_alternatives()\\n\\t...\\n\\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\\n\\nKASAN gets confused when apply_alternatives() patches the\\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\\n\\nFix it for real by disabling KASAN while the kernel is patching alternatives.\\n\\n[ mingo: updated the changelog ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52504\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52507", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52507" + }, + { + "url": "https://git.kernel.org/stable/c/25dd54b95abfdca423b65a4ee620a774777d8213" + }, + { + "url": "https://git.kernel.org/stable/c/2c231a247a1d1628e41fa1eefd1a5307c41c5f53" + }, + { + "url": "https://git.kernel.org/stable/c/354a6e707e29cb0c007176ee5b8db8be7bd2dee0" + }, + { + "url": "https://git.kernel.org/stable/c/6584eba7688dcf999542778b07f63828c21521da" + }, + { + "url": "https://git.kernel.org/stable/c/853dda54ba59ea70d5580a298b7ede4707826848" + }, + { + "url": "https://git.kernel.org/stable/c/95733ea130e35ef9ec5949a5908dde3feaba92cb" + }, + { + "url": "https://git.kernel.org/stable/c/a424807d860ba816aaafc3064b46b456361c0802" + }, + { + "url": "https://git.kernel.org/stable/c/a686f84101680b8442181a8846fbd3c934653729" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52507 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52507", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: assert requested protocol is valid\n\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52507\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52507\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52507\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52507\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52507\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25dd54b95abfdca423b65a4ee620a774777d8213\",\n \"https://git.kernel.org/stable/c/2c231a247a1d1628e41fa1eefd1a5307c41c5f53\",\n \"https://git.kernel.org/stable/c/354a6e707e29cb0c007176ee5b8db8be7bd2dee0\",\n \"https://git.kernel.org/stable/c/6584eba7688dcf999542778b07f63828c21521da\",\n \"https://git.kernel.org/stable/c/853dda54ba59ea70d5580a298b7ede4707826848\",\n \"https://git.kernel.org/stable/c/95733ea130e35ef9ec5949a5908dde3feaba92cb\",\n \"https://git.kernel.org/stable/c/a424807d860ba816aaafc3064b46b456361c0802\",\n \"https://git.kernel.org/stable/c/a686f84101680b8442181a8846fbd3c934653729\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc: nci: assert requested protocol is valid\\n\\nThe protocol is used in a bit mask to determine if the protocol is\\nsupported. Assert the provided protocol is less than the maximum\\ndefined so it doesn't potentially perform a shift-out-of-bounds and\\nprovide a clearer error for undefined protocols vs unsupported ones.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52507\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52508", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52508" + }, + { + "url": "https://git.kernel.org/stable/c/8ae5b3a685dc59a8cf7ccfe0e850999ba9727a3c" + }, + { + "url": "https://git.kernel.org/stable/c/be90c9e29dd59b7d19a73297a1590ff3ec1d22ea" + }, + { + "url": "https://git.kernel.org/stable/c/dd46b3ac7322baf3772b33b29726e94f98289db7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52508 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52508", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()\n\nThe nvme_fc_fcp_op structure describing an AEN operation is initialized with a\nnull request structure pointer. An FC LLDD may make a call to\nnvme_fc_io_getuuid passing a pointer to an nvmefc_fcp_req for an AEN operation.\n\nAdd validation of the request structure pointer before dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52508\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52508\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52508\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52508\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52508\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8ae5b3a685dc59a8cf7ccfe0e850999ba9727a3c\",\n \"https://git.kernel.org/stable/c/be90c9e29dd59b7d19a73297a1590ff3ec1d22ea\",\n \"https://git.kernel.org/stable/c/dd46b3ac7322baf3772b33b29726e94f98289db7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()\\n\\nThe nvme_fc_fcp_op structure describing an AEN operation is initialized with a\\nnull request structure pointer. An FC LLDD may make a call to\\nnvme_fc_io_getuuid passing a pointer to an nvmefc_fcp_req for an AEN operation.\\n\\nAdd validation of the request structure pointer before dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52508\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52509", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52509" + }, + { + "url": "https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705" + }, + { + "url": "https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89" + }, + { + "url": "https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6" + }, + { + "url": "https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5" + }, + { + "url": "https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965" + }, + { + "url": "https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52509 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52509", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\n\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\n\nCPU0\t\t\tCPU1\n\t\t\travb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\n\t\t\travb_tx_timeout_work()\n\t\t\t// use priv\n\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. So that .ndo_tx_timeout() will not be called\nafter phy_stop().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52509\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52509\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52509\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52509\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52509\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705\",\n \"https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89\",\n \"https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6\",\n \"https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5\",\n \"https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965\",\n \"https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\\n\\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\\nravb_tx_timeout_work() is possible to use the freed priv after\\nravb_remove() was called like below:\\n\\nCPU0\\t\\t\\tCPU1\\n\\t\\t\\travb_tx_timeout()\\nravb_remove()\\nunregister_netdev()\\nfree_netdev(ndev)\\n// free priv\\n\\t\\t\\travb_tx_timeout_work()\\n\\t\\t\\t// use priv\\n\\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\\ncalled. And, after phy_stop() is called, netif_carrier_off()\\nis also called. So that .ndo_tx_timeout() will not be called\\nafter phy_stop().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52509\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52510", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52510" + }, + { + "url": "https://git.kernel.org/stable/c/217efe32a45249eb07dcd7197e8403de98345e66" + }, + { + "url": "https://git.kernel.org/stable/c/28b68cba378e3e50a4082b65f262bc4f2c7c2add" + }, + { + "url": "https://git.kernel.org/stable/c/55e06850c7894f00d41b767c5f5665459f83f58f" + }, + { + "url": "https://git.kernel.org/stable/c/84c6aa0ae5c4dc121f9996bb8fed46c80909d80e" + }, + { + "url": "https://git.kernel.org/stable/c/85c2857ef90041f567ce98722c1c342c4d31f4bc" + }, + { + "url": "https://git.kernel.org/stable/c/becf5c147198f4345243c5df0c4f035415491640" + }, + { + "url": "https://git.kernel.org/stable/c/cdb46be93c1f7bbf2c4649e9fc5fb147cfb5245d" + }, + { + "url": "https://git.kernel.org/stable/c/f990874b1c98fe8e57ee9385669f501822979258" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52510 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52510", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\n\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\n\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52510\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52510\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52510\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52510\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52510\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/217efe32a45249eb07dcd7197e8403de98345e66\",\n \"https://git.kernel.org/stable/c/28b68cba378e3e50a4082b65f262bc4f2c7c2add\",\n \"https://git.kernel.org/stable/c/55e06850c7894f00d41b767c5f5665459f83f58f\",\n \"https://git.kernel.org/stable/c/84c6aa0ae5c4dc121f9996bb8fed46c80909d80e\",\n \"https://git.kernel.org/stable/c/85c2857ef90041f567ce98722c1c342c4d31f4bc\",\n \"https://git.kernel.org/stable/c/becf5c147198f4345243c5df0c4f035415491640\",\n \"https://git.kernel.org/stable/c/cdb46be93c1f7bbf2c4649e9fc5fb147cfb5245d\",\n \"https://git.kernel.org/stable/c/f990874b1c98fe8e57ee9385669f501822979258\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\\n\\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\\nit calls clk_unregister() to release priv->clk and returns an\\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\\nthis case, a use-after-free may happen in the second time we call\\nclk_unregister().\\n\\nFix this by removing the first clk_unregister(). Also, priv->clk could\\nbe an error code on failure of clk_register_fixed_rate(). Use\\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52510\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52511", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52511" + }, + { + "url": "https://git.kernel.org/stable/c/171f8a49f212e87a8b04087568e1b3d132e36a18" + }, + { + "url": "https://git.kernel.org/stable/c/b3c21c9c7289692f4019f163c3b06d8bdf78b355" + }, + { + "url": "https://git.kernel.org/stable/c/e15bb292b24630ee832bfc7fd616bd72c7682bbb" + }, + { + "url": "https://git.kernel.org/stable/c/ff05ed4ae214011464a0156f05cac1b0b46b5fbc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52511 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52511", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: reduce DMA RX transfer width to single byte\n\nThrough empirical testing it has been determined that sometimes RX SPI\ntransfers with DMA enabled return corrupted data. This is down to single\nor even multiple bytes lost during DMA transfer from SPI peripheral to\nmemory. It seems the RX FIFO within the SPI peripheral can become\nconfused when performing bus read accesses wider than a single byte to it\nduring an active SPI transfer.\n\nThis patch reduces the width of individual DMA read accesses to the\nRX FIFO to a single byte to mitigate that issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52511\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52511\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52511\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52511\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52511\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/171f8a49f212e87a8b04087568e1b3d132e36a18\",\n \"https://git.kernel.org/stable/c/b3c21c9c7289692f4019f163c3b06d8bdf78b355\",\n \"https://git.kernel.org/stable/c/e15bb292b24630ee832bfc7fd616bd72c7682bbb\",\n \"https://git.kernel.org/stable/c/ff05ed4ae214011464a0156f05cac1b0b46b5fbc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspi: sun6i: reduce DMA RX transfer width to single byte\\n\\nThrough empirical testing it has been determined that sometimes RX SPI\\ntransfers with DMA enabled return corrupted data. This is down to single\\nor even multiple bytes lost during DMA transfer from SPI peripheral to\\nmemory. It seems the RX FIFO within the SPI peripheral can become\\nconfused when performing bus read accesses wider than a single byte to it\\nduring an active SPI transfer.\\n\\nThis patch reduces the width of individual DMA read accesses to the\\nRX FIFO to a single byte to mitigate that issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52511\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52516", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52516" + }, + { + "url": "https://git.kernel.org/stable/c/ac0d068099349cbca3d93f2e3b15bb329364b08c" + }, + { + "url": "https://git.kernel.org/stable/c/be8f49029eca3efbad0d74dbff3cb9129994ffab" + }, + { + "url": "https://git.kernel.org/stable/c/c79300599923daaa30f417c75555d5566b3d31ae" + }, + { + "url": "https://git.kernel.org/stable/c/fb5a4315591dae307a65fc246ca80b5159d296e1" + }, + { + "url": "https://git.kernel.org/stable/c/fe2b811a02c3244ebf6059039e4a9e715e26a9e3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52516 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52516", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock\n\n__dma_entry_alloc_check_leak() calls into printk -> serial console\noutput (qcom geni) and grabs port->lock under free_entries_lock\nspin lock, which is a reverse locking dependency chain as qcom_geni\nIRQ handler can call into dma-debug code and grab free_entries_lock\nunder port->lock.\n\nMove __dma_entry_alloc_check_leak() call out of free_entries_lock\nscope so that we don't acquire serial console's port->lock under it.\n\nTrimmed-down lockdep splat:\n\n The existing dependency chain (in reverse order) is:\n\n -> #2 (free_entries_lock){-.-.}-{2:2}:\n _raw_spin_lock_irqsave+0x60/0x80\n dma_entry_alloc+0x38/0x110\n debug_dma_map_page+0x60/0xf8\n dma_map_page_attrs+0x1e0/0x230\n dma_map_single_attrs.constprop.0+0x6c/0xc8\n geni_se_rx_dma_prep+0x40/0xcc\n qcom_geni_serial_isr+0x310/0x510\n __handle_irq_event_percpu+0x110/0x244\n handle_irq_event_percpu+0x20/0x54\n handle_irq_event+0x50/0x88\n handle_fasteoi_irq+0xa4/0xcc\n handle_irq_desc+0x28/0x40\n generic_handle_domain_irq+0x24/0x30\n gic_handle_irq+0xc4/0x148\n do_interrupt_handler+0xa4/0xb0\n el1_interrupt+0x34/0x64\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x64/0x68\n arch_local_irq_enable+0x4/0x8\n ____do_softirq+0x18/0x24\n ...\n\n -> #1 (&port_lock_key){-.-.}-{2:2}:\n _raw_spin_lock_irqsave+0x60/0x80\n qcom_geni_serial_console_write+0x184/0x1dc\n console_flush_all+0x344/0x454\n console_unlock+0x94/0xf0\n vprintk_emit+0x238/0x24c\n vprintk_default+0x3c/0x48\n vprintk+0xb4/0xbc\n _printk+0x68/0x90\n register_console+0x230/0x38c\n uart_add_one_port+0x338/0x494\n qcom_geni_serial_probe+0x390/0x424\n platform_probe+0x70/0xc0\n really_probe+0x148/0x280\n __driver_probe_device+0xfc/0x114\n driver_probe_device+0x44/0x100\n __device_attach_driver+0x64/0xdc\n bus_for_each_drv+0xb0/0xd8\n __device_attach+0xe4/0x140\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x44/0xb0\n device_add+0x538/0x668\n of_device_add+0x44/0x50\n of_platform_device_create_pdata+0x94/0xc8\n of_platform_bus_create+0x270/0x304\n of_platform_populate+0xac/0xc4\n devm_of_platform_populate+0x60/0xac\n geni_se_probe+0x154/0x160\n platform_probe+0x70/0xc0\n ...\n\n -> #0 (console_owner){-...}-{0:0}:\n __lock_acquire+0xdf8/0x109c\n lock_acquire+0x234/0x284\n console_flush_all+0x330/0x454\n console_unlock+0x94/0xf0\n vprintk_emit+0x238/0x24c\n vprintk_default+0x3c/0x48\n vprintk+0xb4/0xbc\n _printk+0x68/0x90\n dma_entry_alloc+0xb4/0x110\n debug_dma_map_sg+0xdc/0x2f8\n __dma_map_sg_attrs+0xac/0xe4\n dma_map_sgtable+0x30/0x4c\n get_pages+0x1d4/0x1e4 [msm]\n msm_gem_pin_pages_locked+0x38/0xac [msm]\n msm_gem_pin_vma_locked+0x58/0x88 [msm]\n msm_ioctl_gem_submit+0xde4/0x13ac [msm]\n drm_ioctl_kernel+0xe0/0x15c\n drm_ioctl+0x2e8/0x3f4\n vfs_ioctl+0x30/0x50\n ...\n\n Chain exists of:\n console_owner --> &port_lock_key --> free_entries_lock\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(free_entries_lock);\n lock(&port_lock_key);\n lock(free_entries_lock);\n lock(console_owner);\n\n *** DEADLOCK ***\n\n Call trace:\n dump_backtrace+0xb4/0xf0\n show_stack+0x20/0x30\n dump_stack_lvl+0x60/0x84\n dump_stack+0x18/0x24\n print_circular_bug+0x1cc/0x234\n check_noncircular+0x78/0xac\n __lock_acquire+0xdf8/0x109c\n lock_acquire+0x234/0x284\n console_flush_all+0x330/0x454\n consol\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52516\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52516\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52516\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52516\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52516\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/ac0d068099349cbca3d93f2e3b15bb329364b08c\",\n \"https://git.kernel.org/stable/c/be8f49029eca3efbad0d74dbff3cb9129994ffab\",\n \"https://git.kernel.org/stable/c/c79300599923daaa30f417c75555d5566b3d31ae\",\n \"https://git.kernel.org/stable/c/fb5a4315591dae307a65fc246ca80b5159d296e1\",\n \"https://git.kernel.org/stable/c/fe2b811a02c3244ebf6059039e4a9e715e26a9e3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock\\n\\n__dma_entry_alloc_check_leak() calls into printk -> serial console\\noutput (qcom geni) and grabs port->lock under free_entries_lock\\nspin lock, which is a reverse locking dependency chain as qcom_geni\\nIRQ handler can call into dma-debug code and grab free_entries_lock\\nunder port->lock.\\n\\nMove __dma_entry_alloc_check_leak() call out of free_entries_lock\\nscope so that we don't acquire serial console's port->lock under it.\\n\\nTrimmed-down lockdep splat:\\n\\n The existing dependency chain (in reverse order) is:\\n\\n -> #2 (free_entries_lock){-.-.}-{2:2}:\\n _raw_spin_lock_irqsave+0x60/0x80\\n dma_entry_alloc+0x38/0x110\\n debug_dma_map_page+0x60/0xf8\\n dma_map_page_attrs+0x1e0/0x230\\n dma_map_single_attrs.constprop.0+0x6c/0xc8\\n geni_se_rx_dma_prep+0x40/0xcc\\n qcom_geni_serial_isr+0x310/0x510\\n __handle_irq_event_percpu+0x110/0x244\\n handle_irq_event_percpu+0x20/0x54\\n handle_irq_event+0x50/0x88\\n handle_fasteoi_irq+0xa4/0xcc\\n handle_irq_desc+0x28/0x40\\n generic_handle_domain_irq+0x24/0x30\\n gic_handle_irq+0xc4/0x148\\n do_interrupt_handler+0xa4/0xb0\\n el1_interrupt+0x34/0x64\\n el1h_64_irq_handler+0x18/0x24\\n el1h_64_irq+0x64/0x68\\n arch_local_irq_enable+0x4/0x8\\n ____do_softirq+0x18/0x24\\n ...\\n\\n -> #1 (&port_lock_key){-.-.}-{2:2}:\\n _raw_spin_lock_irqsave+0x60/0x80\\n qcom_geni_serial_console_write+0x184/0x1dc\\n console_flush_all+0x344/0x454\\n console_unlock+0x94/0xf0\\n vprintk_emit+0x238/0x24c\\n vprintk_default+0x3c/0x48\\n vprintk+0xb4/0xbc\\n _printk+0x68/0x90\\n register_console+0x230/0x38c\\n uart_add_one_port+0x338/0x494\\n qcom_geni_serial_probe+0x390/0x424\\n platform_probe+0x70/0xc0\\n really_probe+0x148/0x280\\n __driver_probe_device+0xfc/0x114\\n driver_probe_device+0x44/0x100\\n __device_attach_driver+0x64/0xdc\\n bus_for_each_drv+0xb0/0xd8\\n __device_attach+0xe4/0x140\\n device_initial_probe+0x1c/0x28\\n bus_probe_device+0x44/0xb0\\n device_add+0x538/0x668\\n of_device_add+0x44/0x50\\n of_platform_device_create_pdata+0x94/0xc8\\n of_platform_bus_create+0x270/0x304\\n of_platform_populate+0xac/0xc4\\n devm_of_platform_populate+0x60/0xac\\n geni_se_probe+0x154/0x160\\n platform_probe+0x70/0xc0\\n ...\\n\\n -> #0 (console_owner){-...}-{0:0}:\\n __lock_acquire+0xdf8/0x109c\\n lock_acquire+0x234/0x284\\n console_flush_all+0x330/0x454\\n console_unlock+0x94/0xf0\\n vprintk_emit+0x238/0x24c\\n vprintk_default+0x3c/0x48\\n vprintk+0xb4/0xbc\\n _printk+0x68/0x90\\n dma_entry_alloc+0xb4/0x110\\n debug_dma_map_sg+0xdc/0x2f8\\n __dma_map_sg_attrs+0xac/0xe4\\n dma_map_sgtable+0x30/0x4c\\n get_pages+0x1d4/0x1e4 [msm]\\n msm_gem_pin_pages_locked+0x38/0xac [msm]\\n msm_gem_pin_vma_locked+0x58/0x88 [msm]\\n msm_ioctl_gem_submit+0xde4/0x13ac [msm]\\n drm_ioctl_kernel+0xe0/0x15c\\n drm_ioctl+0x2e8/0x3f4\\n vfs_ioctl+0x30/0x50\\n ...\\n\\n Chain exists of:\\n console_owner --> &port_lock_key --> free_entries_lock\\n\\n Possible unsafe locking scenario:\\n\\n CPU0 CPU1\\n ---- ----\\n lock(free_entries_lock);\\n lock(&port_lock_key);\\n lock(free_entries_lock);\\n lock(console_owner);\\n\\n *** DEADLOCK ***\\n\\n Call trace:\\n dump_backtrace+0xb4/0xf0\\n show_stack+0x20/0x30\\n dump_stack_lvl+0x60/0x84\\n dump_stack+0x18/0x24\\n print_circular_bug+0x1cc/0x234\\n check_noncircular+0x78/0xac\\n __lock_acquire+0xdf8/0x109c\\n lock_acquire+0x234/0x284\\n console_flush_all+0x330/0x454\\n consol\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52516\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52517", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52517" + }, + { + "url": "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d" + }, + { + "url": "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209" + }, + { + "url": "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097" + }, + { + "url": "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52517 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52517", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\n\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\nread any data remaining in FIFO to the RX buffer. This behaviour is\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\ntransfer complete interrupt still fires as soon as all bytes to be\ntransferred have been stored in the FIFO. At that point data in the FIFO\nstill needs to be picked up by the DMA engine. Thus the drain procedure\nand DMA engine end up racing to read from RX FIFO, corrupting any data\nread. Additionally the RX buffer pointer is never adjusted according to\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\nmode is a bug.\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\nAlso wait for completion of RX DMA when in DMA mode before returning to\nensure all data has been copied to the supplied memory buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52517\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52517\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52517\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52517\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52517\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d\",\n \"https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209\",\n \"https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097\",\n \"https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\\n\\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\\nread any data remaining in FIFO to the RX buffer. This behaviour is\\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\\ntransfer complete interrupt still fires as soon as all bytes to be\\ntransferred have been stored in the FIFO. At that point data in the FIFO\\nstill needs to be picked up by the DMA engine. Thus the drain procedure\\nand DMA engine end up racing to read from RX FIFO, corrupting any data\\nread. Additionally the RX buffer pointer is never adjusted according to\\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\\nmode is a bug.\\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\\nAlso wait for completion of RX DMA when in DMA mode before returning to\\nensure all data has been copied to the supplied memory buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52517\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52522", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52522" + }, + { + "url": "https://git.kernel.org/stable/c/147d89ee41434b97043c2dcb17a97dc151859baa" + }, + { + "url": "https://git.kernel.org/stable/c/25563b581ba3a1f263a00e8c9a97f5e7363be6fd" + }, + { + "url": "https://git.kernel.org/stable/c/2ea52a2fb8e87067e26bbab4efb8872639240eb0" + }, + { + "url": "https://git.kernel.org/stable/c/95eabb075a5902f4c0834ab1fb12dc35730c05af" + }, + { + "url": "https://git.kernel.org/stable/c/a75152d233370362eebedb2643592e7c883cc9fc" + }, + { + "url": "https://git.kernel.org/stable/c/f82aac8162871e87027692b36af335a2375d4580" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52522 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52522", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix possible store tearing in neigh_periodic_work()\n\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\n\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\n\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52522\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52522\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52522\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52522\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52522\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/147d89ee41434b97043c2dcb17a97dc151859baa\",\n \"https://git.kernel.org/stable/c/25563b581ba3a1f263a00e8c9a97f5e7363be6fd\",\n \"https://git.kernel.org/stable/c/2ea52a2fb8e87067e26bbab4efb8872639240eb0\",\n \"https://git.kernel.org/stable/c/95eabb075a5902f4c0834ab1fb12dc35730c05af\",\n \"https://git.kernel.org/stable/c/a75152d233370362eebedb2643592e7c883cc9fc\",\n \"https://git.kernel.org/stable/c/f82aac8162871e87027692b36af335a2375d4580\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: fix possible store tearing in neigh_periodic_work()\\n\\nWhile looking at a related syzbot report involving neigh_periodic_work(),\\nI found that I forgot to add an annotation when deleting an\\nRCU protected item from a list.\\n\\nReaders use rcu_deference(*np), we need to use either\\nrcu_assign_pointer() or WRITE_ONCE() on writer side\\nto prevent store tearing.\\n\\nI use rcu_assign_pointer() to have lockdep support,\\nthis was the choice made in neigh_flush_dev().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52522\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52524", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52524" + }, + { + "url": "https://git.kernel.org/stable/c/191d87a19cf1005ecf41e1ae08d74e17379e8391" + }, + { + "url": "https://git.kernel.org/stable/c/29c16c2bf5866326d5fbc4a537b3997fcac23391" + }, + { + "url": "https://git.kernel.org/stable/c/4837a192f6d06d5bb2f3f47d6ce5353ab69bf86b" + }, + { + "url": "https://git.kernel.org/stable/c/7562780e32b84196731d57dd24563546fcf6d082" + }, + { + "url": "https://git.kernel.org/stable/c/dba849cc98113b145c6e720122942c00b8012bdb" + }, + { + "url": "https://git.kernel.org/stable/c/dfc7f7a988dad34c3bf4c053124fb26aa6c5f916" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52524 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52524", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: llcp: Add lock when modifying device list\n\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52524\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52524\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52524\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52524\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52524\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/191d87a19cf1005ecf41e1ae08d74e17379e8391\",\n \"https://git.kernel.org/stable/c/29c16c2bf5866326d5fbc4a537b3997fcac23391\",\n \"https://git.kernel.org/stable/c/4837a192f6d06d5bb2f3f47d6ce5353ab69bf86b\",\n \"https://git.kernel.org/stable/c/7562780e32b84196731d57dd24563546fcf6d082\",\n \"https://git.kernel.org/stable/c/dba849cc98113b145c6e720122942c00b8012bdb\",\n \"https://git.kernel.org/stable/c/dfc7f7a988dad34c3bf4c053124fb26aa6c5f916\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: nfc: llcp: Add lock when modifying device list\\n\\nThe device list needs its associated lock held when modifying it, or the\\nlist could become corrupted, as syzbot discovered.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52524\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52527", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52527" + }, + { + "url": "https://git.kernel.org/stable/c/1fc793d68d50dee4782ef2e808913d5dd880bcc6" + }, + { + "url": "https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59" + }, + { + "url": "https://git.kernel.org/stable/c/7626b9fed53092aa2147978070e610ecb61af844" + }, + { + "url": "https://git.kernel.org/stable/c/96b2e1090397217839fcd6c9b6d8f5d439e705ed" + }, + { + "url": "https://git.kernel.org/stable/c/9d4c75800f61e5d75c1659ba201b6c0c7ead3070" + }, + { + "url": "https://git.kernel.org/stable/c/cd1189956393bf850b2e275e37411855d3bd86bb" + }, + { + "url": "https://git.kernel.org/stable/c/f6a7182179c0ed788e3755ee2ed18c888ddcc33f" + }, + { + "url": "https://git.kernel.org/stable/c/fe80658c08e3001c80c5533cd41abfbb0e0e28fd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52527 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52527", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()\n\nIncluding the transhdrlen in length is a problem when the packet is\npartially filled (e.g. something like send(MSG_MORE) happened previously)\nwhen appending to an IPv4 or IPv6 packet as we don't want to repeat the\ntransport header or account for it twice. This can happen under some\ncircumstances, such as splicing into an L2TP socket.\n\nThe symptom observed is a warning in __ip6_append_data():\n\n WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800\n\nthat occurs when MSG_SPLICE_PAGES is used to append more data to an already\npartially occupied skbuff. The warning occurs when 'copy' is larger than\nthe amount of data in the message iterator. This is because the requested\nlength includes the transport header length when it shouldn't. This can be\ntriggered by, for example:\n\n sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);\n bind(sfd, ...); // ::1\n connect(sfd, ...); // ::1 port 7\n send(sfd, buffer, 4100, MSG_MORE);\n sendfile(sfd, dfd, NULL, 1024);\n\nFix this by only adding transhdrlen into the length if the write queue is\nempty in l2tp_ip6_sendmsg(), analogously to how UDP does things.\n\nl2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds\nthe UDP packet itself.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52527\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52527\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52527\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52527\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52527\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fc793d68d50dee4782ef2e808913d5dd880bcc6\",\n \"https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59\",\n \"https://git.kernel.org/stable/c/7626b9fed53092aa2147978070e610ecb61af844\",\n \"https://git.kernel.org/stable/c/96b2e1090397217839fcd6c9b6d8f5d439e705ed\",\n \"https://git.kernel.org/stable/c/9d4c75800f61e5d75c1659ba201b6c0c7ead3070\",\n \"https://git.kernel.org/stable/c/cd1189956393bf850b2e275e37411855d3bd86bb\",\n \"https://git.kernel.org/stable/c/f6a7182179c0ed788e3755ee2ed18c888ddcc33f\",\n \"https://git.kernel.org/stable/c/fe80658c08e3001c80c5533cd41abfbb0e0e28fd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()\\n\\nIncluding the transhdrlen in length is a problem when the packet is\\npartially filled (e.g. something like send(MSG_MORE) happened previously)\\nwhen appending to an IPv4 or IPv6 packet as we don't want to repeat the\\ntransport header or account for it twice. This can happen under some\\ncircumstances, such as splicing into an L2TP socket.\\n\\nThe symptom observed is a warning in __ip6_append_data():\\n\\n WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800\\n\\nthat occurs when MSG_SPLICE_PAGES is used to append more data to an already\\npartially occupied skbuff. The warning occurs when 'copy' is larger than\\nthe amount of data in the message iterator. This is because the requested\\nlength includes the transport header length when it shouldn't. This can be\\ntriggered by, for example:\\n\\n sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);\\n bind(sfd, ...); // ::1\\n connect(sfd, ...); // ::1 port 7\\n send(sfd, buffer, 4100, MSG_MORE);\\n sendfile(sfd, dfd, NULL, 1024);\\n\\nFix this by only adding transhdrlen into the length if the write queue is\\nempty in l2tp_ip6_sendmsg(), analogously to how UDP does things.\\n\\nl2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds\\nthe UDP packet itself.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52527\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52528", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52528" + }, + { + "url": "https://git.kernel.org/stable/c/2a36d9e2995c8c3c3f179aab1215a69cff06cbed" + }, + { + "url": "https://git.kernel.org/stable/c/30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5" + }, + { + "url": "https://git.kernel.org/stable/c/310f1c92f65ad905b7e81fe14de82d979ebbd825" + }, + { + "url": "https://git.kernel.org/stable/c/3e0af6eec1789fd11934164a7f4dbcad979855a4" + }, + { + "url": "https://git.kernel.org/stable/c/4931e80da9463b03bfe42be54a9a19f213b0f76d" + }, + { + "url": "https://git.kernel.org/stable/c/9ffc5018020fe646795a8dc1203224b8f776dc09" + }, + { + "url": "https://git.kernel.org/stable/c/cda10784a176d7192f08ecb518f777a4e9575812" + }, + { + "url": "https://git.kernel.org/stable/c/e9c65989920f7c28775ec4e0c11b483910fb67b8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52528 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52528", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\n\nsyzbot reported the following uninit-value access issue:\n\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\n\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\n\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52528\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52528\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52528\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52528\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52528\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a36d9e2995c8c3c3f179aab1215a69cff06cbed\",\n \"https://git.kernel.org/stable/c/30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5\",\n \"https://git.kernel.org/stable/c/310f1c92f65ad905b7e81fe14de82d979ebbd825\",\n \"https://git.kernel.org/stable/c/3e0af6eec1789fd11934164a7f4dbcad979855a4\",\n \"https://git.kernel.org/stable/c/4931e80da9463b03bfe42be54a9a19f213b0f76d\",\n \"https://git.kernel.org/stable/c/9ffc5018020fe646795a8dc1203224b8f776dc09\",\n \"https://git.kernel.org/stable/c/cda10784a176d7192f08ecb518f777a4e9575812\",\n \"https://git.kernel.org/stable/c/e9c65989920f7c28775ec4e0c11b483910fb67b8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\\n\\nsyzbot reported the following uninit-value access issue:\\n\\n=====================================================\\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\\nWorkqueue: usb_hub_wq hub_event\\nCall Trace:\\n __dump_stack lib/dump_stack.c:77 [inline]\\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\\n port_event drivers/usb/core/hub.c:5494 [inline]\\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\\n kthread+0x551/0x590 kernel/kthread.c:292\\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\\n\\nLocal variable ----buf.i87@smsc75xx_bind created at:\\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\\n\\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\\n\\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\\nless bytes than requested.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52528\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52531", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52531" + }, + { + "url": "https://git.kernel.org/stable/c/6b3223449c959a8be94a1f042288059e40fcccb0" + }, + { + "url": "https://git.kernel.org/stable/c/7c8faa31080342aec4903c9acb20caf82fcca1ef" + }, + { + "url": "https://git.kernel.org/stable/c/8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d" + }, + { + "url": "https://git.kernel.org/stable/c/f06cdd8d4ba5252986f51f80cc30263636397128" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52531 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52531", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: Fix a memory corruption issue\n\nA few lines above, space is kzalloc()'ed for:\n\tsizeof(struct iwl_nvm_data) +\n\tsizeof(struct ieee80211_channel) +\n\tsizeof(struct ieee80211_rate)\n\n'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.\n\nAt the end of this structure, there is the 'channels' flex array.\nEach element is of type 'struct ieee80211_channel'.\nSo only 1 element is allocated in this array.\n\nWhen doing:\n mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;\nWe point at the first element of the 'channels' flex array.\nSo this is fine.\n\nHowever, when doing:\n mvm->nvm_data->bands[0].bitrates =\n\t\t\t(void *)((u8 *)mvm->nvm_data->channels + 1);\nbecause of the \"(u8 *)\" cast, we add only 1 to the address of the beginning\nof the flex array.\n\nIt is likely that we want point at the 'struct ieee80211_rate' allocated\njust after.\n\nRemove the spurious casting so that the pointer arithmetic works as\nexpected.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52531\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52531\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52531\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52531\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52531\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6b3223449c959a8be94a1f042288059e40fcccb0\",\n \"https://git.kernel.org/stable/c/7c8faa31080342aec4903c9acb20caf82fcca1ef\",\n \"https://git.kernel.org/stable/c/8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d\",\n \"https://git.kernel.org/stable/c/f06cdd8d4ba5252986f51f80cc30263636397128\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: Fix a memory corruption issue\\n\\nA few lines above, space is kzalloc()'ed for:\\n\\tsizeof(struct iwl_nvm_data) +\\n\\tsizeof(struct ieee80211_channel) +\\n\\tsizeof(struct ieee80211_rate)\\n\\n'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.\\n\\nAt the end of this structure, there is the 'channels' flex array.\\nEach element is of type 'struct ieee80211_channel'.\\nSo only 1 element is allocated in this array.\\n\\nWhen doing:\\n mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;\\nWe point at the first element of the 'channels' flex array.\\nSo this is fine.\\n\\nHowever, when doing:\\n mvm->nvm_data->bands[0].bitrates =\\n\\t\\t\\t(void *)((u8 *)mvm->nvm_data->channels + 1);\\nbecause of the \\\"(u8 *)\\\" cast, we add only 1 to the address of the beginning\\nof the flex array.\\n\\nIt is likely that we want point at the 'struct ieee80211_rate' allocated\\njust after.\\n\\nRemove the spurious casting so that the pointer arithmetic works as\\nexpected.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52531\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52532", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52532" + }, + { + "url": "https://git.kernel.org/stable/c/a910e0f6304726da30a212feecec65cb97ff7a80" + }, + { + "url": "https://git.kernel.org/stable/c/b2b000069a4c307b09548dc2243f31f3ca0eac9c" + }, + { + "url": "https://git.kernel.org/stable/c/b67d7b1bfc46d05c1a58b172516454698e8d5004" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52532 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52532", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix TX CQE error handling\n\nFor an unknown TX CQE error type (probably from a newer hardware),\nstill free the SKB, update the queue tail, etc., otherwise the\naccounting will be wrong.\n\nAlso, TX errors can be triggered by injecting corrupted packets, so\nreplace the WARN_ONCE to ratelimited error logging.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52532\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52532\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52532\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52532\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52532\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/a910e0f6304726da30a212feecec65cb97ff7a80\",\n \"https://git.kernel.org/stable/c/b2b000069a4c307b09548dc2243f31f3ca0eac9c\",\n \"https://git.kernel.org/stable/c/b67d7b1bfc46d05c1a58b172516454698e8d5004\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: mana: Fix TX CQE error handling\\n\\nFor an unknown TX CQE error type (probably from a newer hardware),\\nstill free the SKB, update the queue tail, etc., otherwise the\\naccounting will be wrong.\\n\\nAlso, TX errors can be triggered by injecting corrupted packets, so\\nreplace the WARN_ONCE to ratelimited error logging.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52532\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52559", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52559" + }, + { + "url": "https://git.kernel.org/stable/c/29298c85a81abdc512e87537515ed4b1a9601d0e" + }, + { + "url": "https://git.kernel.org/stable/c/496c591f0b389eb782f36d9d4c2564b9a865eed0" + }, + { + "url": "https://git.kernel.org/stable/c/59df44bfb0ca4c3ee1f1c3c5d0ee8e314844799e" + }, + { + "url": "https://git.kernel.org/stable/c/c12ef025add77ca3a0902e8719d552b6d47b4282" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52559 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52559", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Avoid memory allocation in iommu_suspend()\n\nThe iommu_suspend() syscore suspend callback is invoked with IRQ disabled.\nAllocating memory with the GFP_KERNEL flag may re-enable IRQs during\nthe suspend callback, which can cause intermittent suspend/hibernation\nproblems with the following kernel traces:\n\nCalling iommu_suspend+0x0/0x1d0\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 15 at kernel/time/timekeeping.c:868 ktime_get+0x9b/0xb0\n...\nCPU: 0 PID: 15 Comm: rcu_preempt Tainted: G U E 6.3-intel #r1\nRIP: 0010:ktime_get+0x9b/0xb0\n...\nCall Trace:\n \n tick_sched_timer+0x22/0x90\n ? __pfx_tick_sched_timer+0x10/0x10\n __hrtimer_run_queues+0x111/0x2b0\n hrtimer_interrupt+0xfa/0x230\n __sysvec_apic_timer_interrupt+0x63/0x140\n sysvec_apic_timer_interrupt+0x7b/0xa0\n \n \n asm_sysvec_apic_timer_interrupt+0x1f/0x30\n...\n------------[ cut here ]------------\nInterrupts enabled after iommu_suspend+0x0/0x1d0\nWARNING: CPU: 0 PID: 27420 at drivers/base/syscore.c:68 syscore_suspend+0x147/0x270\nCPU: 0 PID: 27420 Comm: rtcwake Tainted: G U W E 6.3-intel #r1\nRIP: 0010:syscore_suspend+0x147/0x270\n...\nCall Trace:\n \n hibernation_snapshot+0x25b/0x670\n hibernate+0xcd/0x390\n state_store+0xcf/0xe0\n kobj_attr_store+0x13/0x30\n sysfs_kf_write+0x3f/0x50\n kernfs_fop_write_iter+0x128/0x200\n vfs_write+0x1fd/0x3c0\n ksys_write+0x6f/0xf0\n __x64_sys_write+0x1d/0x30\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nGiven that only 4 words memory is needed, avoid the memory allocation in\niommu_suspend().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52559\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52559\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52559\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52559\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52559\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29298c85a81abdc512e87537515ed4b1a9601d0e\",\n \"https://git.kernel.org/stable/c/496c591f0b389eb782f36d9d4c2564b9a865eed0\",\n \"https://git.kernel.org/stable/c/59df44bfb0ca4c3ee1f1c3c5d0ee8e314844799e\",\n \"https://git.kernel.org/stable/c/c12ef025add77ca3a0902e8719d552b6d47b4282\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu/vt-d: Avoid memory allocation in iommu_suspend()\\n\\nThe iommu_suspend() syscore suspend callback is invoked with IRQ disabled.\\nAllocating memory with the GFP_KERNEL flag may re-enable IRQs during\\nthe suspend callback, which can cause intermittent suspend/hibernation\\nproblems with the following kernel traces:\\n\\nCalling iommu_suspend+0x0/0x1d0\\n------------[ cut here ]------------\\nWARNING: CPU: 0 PID: 15 at kernel/time/timekeeping.c:868 ktime_get+0x9b/0xb0\\n...\\nCPU: 0 PID: 15 Comm: rcu_preempt Tainted: G U E 6.3-intel #r1\\nRIP: 0010:ktime_get+0x9b/0xb0\\n...\\nCall Trace:\\n \\n tick_sched_timer+0x22/0x90\\n ? __pfx_tick_sched_timer+0x10/0x10\\n __hrtimer_run_queues+0x111/0x2b0\\n hrtimer_interrupt+0xfa/0x230\\n __sysvec_apic_timer_interrupt+0x63/0x140\\n sysvec_apic_timer_interrupt+0x7b/0xa0\\n \\n \\n asm_sysvec_apic_timer_interrupt+0x1f/0x30\\n...\\n------------[ cut here ]------------\\nInterrupts enabled after iommu_suspend+0x0/0x1d0\\nWARNING: CPU: 0 PID: 27420 at drivers/base/syscore.c:68 syscore_suspend+0x147/0x270\\nCPU: 0 PID: 27420 Comm: rtcwake Tainted: G U W E 6.3-intel #r1\\nRIP: 0010:syscore_suspend+0x147/0x270\\n...\\nCall Trace:\\n \\n hibernation_snapshot+0x25b/0x670\\n hibernate+0xcd/0x390\\n state_store+0xcf/0xe0\\n kobj_attr_store+0x13/0x30\\n sysfs_kf_write+0x3f/0x50\\n kernfs_fop_write_iter+0x128/0x200\\n vfs_write+0x1fd/0x3c0\\n ksys_write+0x6f/0xf0\\n __x64_sys_write+0x1d/0x30\\n do_syscall_64+0x3b/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\n\\nGiven that only 4 words memory is needed, avoid the memory allocation in\\niommu_suspend().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52559\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52561", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52561" + }, + { + "url": "https://git.kernel.org/stable/c/110e70fccce4f22b53986ae797d665ffb1950aa6" + }, + { + "url": "https://git.kernel.org/stable/c/82dacd0ca0d9640723824026d6fdf773c02de1d2" + }, + { + "url": "https://git.kernel.org/stable/c/dc1ab6577475b0460ba4261cd9caec37bd62ca0b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52561 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52561", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\n\nAdding a reserved memory region for the framebuffer memory\n(the splash memory region set up by the bootloader).\n\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\nat this particular memory region) reported on DB845c running\nv5.10.y.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52561\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52561\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52561\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52561\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52561\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/110e70fccce4f22b53986ae797d665ffb1950aa6\",\n \"https://git.kernel.org/stable/c/82dacd0ca0d9640723824026d6fdf773c02de1d2\",\n \"https://git.kernel.org/stable/c/dc1ab6577475b0460ba4261cd9caec37bd62ca0b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\\n\\nAdding a reserved memory region for the framebuffer memory\\n(the splash memory region set up by the bootloader).\\n\\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\\nat this particular memory region) reported on DB845c running\\nv5.10.y.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52561\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52566", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52566" + }, + { + "url": "https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33" + }, + { + "url": "https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2" + }, + { + "url": "https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8" + }, + { + "url": "https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7" + }, + { + "url": "https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc" + }, + { + "url": "https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c" + }, + { + "url": "https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b" + }, + { + "url": "https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52566 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52566", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\n\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails. If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed. However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug. This patch moves the release\noperation after unlocking and putting the page.\n\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted. However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\n\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52566\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52566\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52566\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52566\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52566\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33\",\n \"https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2\",\n \"https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8\",\n \"https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7\",\n \"https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc\",\n \"https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c\",\n \"https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b\",\n \"https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\\n\\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\\nreference count of bh when the call to nilfs_dat_translate() fails. If\\nthe reference count hits 0 and its owner page gets unlocked, bh may be\\nfreed. However, bh->b_page is dereferenced to put the page after that,\\nwhich may result in a use-after-free bug. This patch moves the release\\noperation after unlocking and putting the page.\\n\\nNOTE: The function in question is only called in GC, and in combination\\nwith current userland tools, address translation using DAT does not occur\\nin that function, so the code path that causes this issue will not be\\nexecuted. However, it is possible to run that code path by intentionally\\nmodifying the userland GC library or by calling the GC ioctl directly.\\n\\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52566\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52569", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52569" + }, + { + "url": "https://git.kernel.org/stable/c/2c58c3931ede7cd08cbecf1f1a4acaf0a04a41a9" + }, + { + "url": "https://git.kernel.org/stable/c/39c4a9522db0072570d602e9b365119e17fb9f4f" + }, + { + "url": "https://git.kernel.org/stable/c/d10fd53393cc5de4b9cf1a4b8f9984f0a037aa51" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52569 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52569", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: remove BUG() after failure to insert delayed dir index item\n\nInstead of calling BUG() when we fail to insert a delayed dir index item\ninto the delayed node's tree, we can just release all the resources we\nhave allocated/acquired before and return the error to the caller. This is\nfine because all existing call chains undo anything they have done before\ncalling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending\nsnapshots in the transaction commit path).\n\nSo remove the BUG() call and do proper error handling.\n\nThis relates to a syzbot report linked below, but does not fix it because\nit only prevents hitting a BUG(), it does not fix the issue where somehow\nwe attempt to use twice the same index number for different index items.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52569\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52569\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52569\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52569\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52569\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c58c3931ede7cd08cbecf1f1a4acaf0a04a41a9\",\n \"https://git.kernel.org/stable/c/39c4a9522db0072570d602e9b365119e17fb9f4f\",\n \"https://git.kernel.org/stable/c/d10fd53393cc5de4b9cf1a4b8f9984f0a037aa51\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: remove BUG() after failure to insert delayed dir index item\\n\\nInstead of calling BUG() when we fail to insert a delayed dir index item\\ninto the delayed node's tree, we can just release all the resources we\\nhave allocated/acquired before and return the error to the caller. This is\\nfine because all existing call chains undo anything they have done before\\ncalling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending\\nsnapshots in the transaction commit path).\\n\\nSo remove the BUG() call and do proper error handling.\\n\\nThis relates to a syzbot report linked below, but does not fix it because\\nit only prevents hitting a BUG(), it does not fix the issue where somehow\\nwe attempt to use twice the same index number for different index items.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52569\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52572", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52572" + }, + { + "url": "https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a" + }, + { + "url": "https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3" + }, + { + "url": "https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52572 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52572", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix UAF in cifs_demultiplex_thread()\n\nThere is a UAF when xfstests on cifs:\n\n BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160\n Read of size 4 at addr ffff88810103fc08 by task cifsd/923\n\n CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45\n ...\n Call Trace:\n \n dump_stack_lvl+0x34/0x44\n print_report+0x171/0x472\n kasan_report+0xad/0x130\n kasan_check_range+0x145/0x1a0\n smb2_is_network_name_deleted+0x27/0x160\n cifs_demultiplex_thread.cold+0x172/0x5a4\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n \n\n Allocated by task 923:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_slab_alloc+0x54/0x60\n kmem_cache_alloc+0x147/0x320\n mempool_alloc+0xe1/0x260\n cifs_small_buf_get+0x24/0x60\n allocate_buffers+0xa1/0x1c0\n cifs_demultiplex_thread+0x199/0x10d0\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n\n Freed by task 921:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x40\n ____kasan_slab_free+0x143/0x1b0\n kmem_cache_free+0xe3/0x4d0\n cifs_small_buf_release+0x29/0x90\n SMB2_negotiate+0x8b7/0x1c60\n smb2_negotiate+0x51/0x70\n cifs_negotiate_protocol+0xf0/0x160\n cifs_get_smb_ses+0x5fa/0x13c0\n mount_get_conns+0x7a/0x750\n cifs_mount+0x103/0xd00\n cifs_smb3_do_mount+0x1dd/0xcb0\n smb3_get_tree+0x1d5/0x300\n vfs_get_tree+0x41/0xf0\n path_mount+0x9b3/0xdd0\n __x64_sys_mount+0x190/0x1d0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe UAF is because:\n\n mount(pid: 921) | cifsd(pid: 923)\n-------------------------------|-------------------------------\n | cifs_demultiplex_thread\nSMB2_negotiate |\n cifs_send_recv |\n compound_send_recv |\n smb_send_rqst |\n wait_for_response |\n wait_event_state [1] |\n | standard_receive3\n | cifs_handle_standard\n | handle_mid\n | mid->resp_buf = buf; [2]\n | dequeue_mid [3]\n KILL the process [4] |\n resp_iov[i].iov_base = buf |\n free_rsp_buf [5] |\n | is_network_name_deleted [6]\n | callback\n\n1. After send request to server, wait the response until\n mid->mid_state != SUBMITTED;\n2. Receive response from server, and set it to mid;\n3. Set the mid state to RECEIVED;\n4. Kill the process, the mid state already RECEIVED, get 0;\n5. Handle and release the negotiate response;\n6. UAF.\n\nIt can be easily reproduce with add some delay in [3] - [6].\n\nOnly sync call has the problem since async call's callback is\nexecuted in cifsd process.\n\nAdd an extra state to mark the mid state to READY before wakeup the\nwaitter, then it can get the resp safely.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52572\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52572\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52572\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52572\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52572\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a\",\n \"https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3\",\n \"https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncifs: Fix UAF in cifs_demultiplex_thread()\\n\\nThere is a UAF when xfstests on cifs:\\n\\n BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160\\n Read of size 4 at addr ffff88810103fc08 by task cifsd/923\\n\\n CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45\\n ...\\n Call Trace:\\n \\n dump_stack_lvl+0x34/0x44\\n print_report+0x171/0x472\\n kasan_report+0xad/0x130\\n kasan_check_range+0x145/0x1a0\\n smb2_is_network_name_deleted+0x27/0x160\\n cifs_demultiplex_thread.cold+0x172/0x5a4\\n kthread+0x165/0x1a0\\n ret_from_fork+0x1f/0x30\\n \\n\\n Allocated by task 923:\\n kasan_save_stack+0x1e/0x40\\n kasan_set_track+0x21/0x30\\n __kasan_slab_alloc+0x54/0x60\\n kmem_cache_alloc+0x147/0x320\\n mempool_alloc+0xe1/0x260\\n cifs_small_buf_get+0x24/0x60\\n allocate_buffers+0xa1/0x1c0\\n cifs_demultiplex_thread+0x199/0x10d0\\n kthread+0x165/0x1a0\\n ret_from_fork+0x1f/0x30\\n\\n Freed by task 921:\\n kasan_save_stack+0x1e/0x40\\n kasan_set_track+0x21/0x30\\n kasan_save_free_info+0x2a/0x40\\n ____kasan_slab_free+0x143/0x1b0\\n kmem_cache_free+0xe3/0x4d0\\n cifs_small_buf_release+0x29/0x90\\n SMB2_negotiate+0x8b7/0x1c60\\n smb2_negotiate+0x51/0x70\\n cifs_negotiate_protocol+0xf0/0x160\\n cifs_get_smb_ses+0x5fa/0x13c0\\n mount_get_conns+0x7a/0x750\\n cifs_mount+0x103/0xd00\\n cifs_smb3_do_mount+0x1dd/0xcb0\\n smb3_get_tree+0x1d5/0x300\\n vfs_get_tree+0x41/0xf0\\n path_mount+0x9b3/0xdd0\\n __x64_sys_mount+0x190/0x1d0\\n do_syscall_64+0x35/0x80\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\\n\\nThe UAF is because:\\n\\n mount(pid: 921) | cifsd(pid: 923)\\n-------------------------------|-------------------------------\\n | cifs_demultiplex_thread\\nSMB2_negotiate |\\n cifs_send_recv |\\n compound_send_recv |\\n smb_send_rqst |\\n wait_for_response |\\n wait_event_state [1] |\\n | standard_receive3\\n | cifs_handle_standard\\n | handle_mid\\n | mid->resp_buf = buf; [2]\\n | dequeue_mid [3]\\n KILL the process [4] |\\n resp_iov[i].iov_base = buf |\\n free_rsp_buf [5] |\\n | is_network_name_deleted [6]\\n | callback\\n\\n1. After send request to server, wait the response until\\n mid->mid_state != SUBMITTED;\\n2. Receive response from server, and set it to mid;\\n3. Set the mid state to RECEIVED;\\n4. Kill the process, the mid state already RECEIVED, get 0;\\n5. Handle and release the negotiate response;\\n6. UAF.\\n\\nIt can be easily reproduce with add some delay in [3] - [6].\\n\\nOnly sync call has the problem since async call's callback is\\nexecuted in cifsd process.\\n\\nAdd an extra state to mark the mid state to READY before wakeup the\\nwaitter, then it can get the resp safely.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52572\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52574", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52574" + }, + { + "url": "https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457" + }, + { + "url": "https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58" + }, + { + "url": "https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd" + }, + { + "url": "https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7" + }, + { + "url": "https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7" + }, + { + "url": "https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d" + }, + { + "url": "https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d" + }, + { + "url": "https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52574 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52574", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix null-ptr-deref when team device type is changed\n\nGet a null-ptr-deref bug as follows with reproducer [1].\n\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n \n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n\n[1]\n$ teamd -t team0 -d -c '{\"runner\": {\"name\": \"loadbalance\"}}'\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\n\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\na vlan device.\n\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52574\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52574\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52574\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52574\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52574\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457\",\n \"https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58\",\n \"https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd\",\n \"https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7\",\n \"https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7\",\n \"https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d\",\n \"https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d\",\n \"https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nteam: fix null-ptr-deref when team device type is changed\\n\\nGet a null-ptr-deref bug as follows with reproducer [1].\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000228\\n...\\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\\n...\\nCall Trace:\\n \\n ? __die+0x24/0x70\\n ? page_fault_oops+0x82/0x150\\n ? exc_page_fault+0x69/0x150\\n ? asm_exc_page_fault+0x26/0x30\\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\\n neigh_connected_output+0xb2/0x100\\n ip6_finish_output2+0x1cb/0x520\\n ? nf_hook_slow+0x43/0xc0\\n ? ip6_mtu+0x46/0x80\\n ip6_finish_output+0x2a/0xb0\\n mld_sendpack+0x18f/0x250\\n mld_ifc_work+0x39/0x160\\n process_one_work+0x1e6/0x3f0\\n worker_thread+0x4d/0x2f0\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xe5/0x120\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x34/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n\\n[1]\\n$ teamd -t team0 -d -c '{\\\"runner\\\": {\\\"name\\\": \\\"loadbalance\\\"}}'\\n$ ip link add name t-dummy type dummy\\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\\n$ ip link add name t-nlmon type nlmon\\n$ ip link set t-nlmon master team0\\n$ ip link set t-nlmon nomaster\\n$ ip link set t-dummy up\\n$ ip link set team0 up\\n$ ip link set t-dummy.100 down\\n$ ip link set t-dummy.100 master team0\\n\\nWhen enslave a vlan device to team device and team device type is changed\\nfrom non-ether to ether, header_ops of team device is changed to\\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\\na vlan device.\\n\\nCache eth_header_ops in team_setup(), then assign cached header_ops to\\nheader_ops of team net device when its type is changed from non-ether\\nto ether to fix the bug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52574\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52576", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52576" + }, + { + "url": "https://git.kernel.org/stable/c/34cf99c250d5cd2530b93a57b0de31d3aaf8685b" + }, + { + "url": "https://git.kernel.org/stable/c/d2dfbc0e3b7a04c2d941421a958dc31c897fb204" + }, + { + "url": "https://git.kernel.org/stable/c/eef16bfdb212da60f5144689f2967fb25b051a2b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52576 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52576", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()\n\nThe code calling ima_free_kexec_buffer() runs long after the memblock\nallocator has already been torn down, potentially resulting in a use\nafter free in memblock_isolate_range().\n\nWith KASAN or KFENCE, this use after free will result in a BUG\nfrom the idle task, and a subsequent kernel panic.\n\nSwitch ima_free_kexec_buffer() over to memblock_free_late() to avoid\nthat bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52576\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52576\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52576\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52576\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52576\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/34cf99c250d5cd2530b93a57b0de31d3aaf8685b\",\n \"https://git.kernel.org/stable/c/d2dfbc0e3b7a04c2d941421a958dc31c897fb204\",\n \"https://git.kernel.org/stable/c/eef16bfdb212da60f5144689f2967fb25b051a2b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()\\n\\nThe code calling ima_free_kexec_buffer() runs long after the memblock\\nallocator has already been torn down, potentially resulting in a use\\nafter free in memblock_isolate_range().\\n\\nWith KASAN or KFENCE, this use after free will result in a BUG\\nfrom the idle task, and a subsequent kernel panic.\\n\\nSwitch ima_free_kexec_buffer() over to memblock_free_late() to avoid\\nthat bug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52576\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52578", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52578" + }, + { + "url": "https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd" + }, + { + "url": "https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4" + }, + { + "url": "https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2" + }, + { + "url": "https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394" + }, + { + "url": "https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5" + }, + { + "url": "https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839" + }, + { + "url": "https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52578 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52578", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: use DEV_STATS_INC()\n\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\n\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\n\nHandles updates to dev->stats.tx_dropped while we are at it.\n\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52578\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52578\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52578\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52578\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52578\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd\",\n \"https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4\",\n \"https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2\",\n \"https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394\",\n \"https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5\",\n \"https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839\",\n \"https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: bridge: use DEV_STATS_INC()\\n\\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\\nThis function can run from multiple cpus without mutual exclusion.\\n\\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\\n\\nHandles updates to dev->stats.tx_dropped while we are at it.\\n\\n[1]\\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\\n\\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\\nbr_nf_hook_thresh+0x1ed/0x220\\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\\nNF_HOOK include/linux/netfilter.h:304 [inline]\\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\\nnapi_poll net/core/dev.c:6594 [inline]\\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\\nkthread+0x1d7/0x210 kernel/kthread.c:388\\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\\n\\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\\nbr_nf_hook_thresh+0x1ed/0x220\\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\\nNF_HOOK include/linux/netfilter.h:304 [inline]\\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\\nnapi_poll net/core/dev.c:6594 [inline]\\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\\nprocess_one_work kernel/workqueue.c:2630 [inline]\\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\\nkthread+0x1d7/0x210 kernel/kthread.c:388\\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\\n\\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\\n\\nReported by Kernel Concurrency Sanitizer on:\\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52578\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52582", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52582" + }, + { + "url": "https://git.kernel.org/stable/c/d9f5537479d4ec97ea92ff24e81a517d5772581a" + }, + { + "url": "https://git.kernel.org/stable/c/df1c357f25d808e30b216188330e708e09e1a412" + }, + { + "url": "https://git.kernel.org/stable/c/df9950d37df113db59495fa09d060754366a2b7c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52582 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52582", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Only call folio_start_fscache() one time for each folio\n\nIf a network filesystem using netfs implements a clamp_length()\nfunction, it can set subrequest lengths smaller than a page size.\n\nWhen we loop through the folios in netfs_rreq_unlock_folios() to\nset any folios to be written back, we need to make sure we only\ncall folio_start_fscache() once for each folio.\n\nOtherwise, this simple testcase:\n\n mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs\n dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1\n 1+0 records in\n 1+0 records out\n 4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s\n echo 3 > /proc/sys/vm/drop_caches\n cat /mnt/nfs/file.bin > /dev/null\n\nwill trigger an oops similar to the following:\n\n page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))\n ------------[ cut here ]------------\n kernel BUG at include/linux/netfs.h:44!\n ...\n CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5\n ...\n RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]\n ...\n Call Trace:\n netfs_rreq_assess+0x497/0x660 [netfs]\n netfs_subreq_terminated+0x32b/0x610 [netfs]\n nfs_netfs_read_completion+0x14e/0x1a0 [nfs]\n nfs_read_completion+0x2f9/0x330 [nfs]\n rpc_free_task+0x72/0xa0 [sunrpc]\n rpc_async_release+0x46/0x70 [sunrpc]\n process_one_work+0x3bd/0x710\n worker_thread+0x89/0x610\n kthread+0x181/0x1c0\n ret_from_fork+0x29/0x50", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52582\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52582\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52582\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52582\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52582\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/d9f5537479d4ec97ea92ff24e81a517d5772581a\",\n \"https://git.kernel.org/stable/c/df1c357f25d808e30b216188330e708e09e1a412\",\n \"https://git.kernel.org/stable/c/df9950d37df113db59495fa09d060754366a2b7c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfs: Only call folio_start_fscache() one time for each folio\\n\\nIf a network filesystem using netfs implements a clamp_length()\\nfunction, it can set subrequest lengths smaller than a page size.\\n\\nWhen we loop through the folios in netfs_rreq_unlock_folios() to\\nset any folios to be written back, we need to make sure we only\\ncall folio_start_fscache() once for each folio.\\n\\nOtherwise, this simple testcase:\\n\\n mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs\\n dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1\\n 1+0 records in\\n 1+0 records out\\n 4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s\\n echo 3 > /proc/sys/vm/drop_caches\\n cat /mnt/nfs/file.bin > /dev/null\\n\\nwill trigger an oops similar to the following:\\n\\n page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))\\n ------------[ cut here ]------------\\n kernel BUG at include/linux/netfs.h:44!\\n ...\\n CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5\\n ...\\n RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]\\n ...\\n Call Trace:\\n netfs_rreq_assess+0x497/0x660 [netfs]\\n netfs_subreq_terminated+0x32b/0x610 [netfs]\\n nfs_netfs_read_completion+0x14e/0x1a0 [nfs]\\n nfs_read_completion+0x2f9/0x330 [nfs]\\n rpc_free_task+0x72/0xa0 [sunrpc]\\n rpc_async_release+0x46/0x70 [sunrpc]\\n process_one_work+0x3bd/0x710\\n worker_thread+0x89/0x610\\n kthread+0x181/0x1c0\\n ret_from_fork+0x29/0x50\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52582\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52584", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52584" + }, + { + "url": "https://git.kernel.org/stable/c/521f28eedd6b14228c46e3b81e3bf9b90c2818d8" + }, + { + "url": "https://git.kernel.org/stable/c/9a3881b1f07db1bb55cb0108e6f05cfd027eaf2e" + }, + { + "url": "https://git.kernel.org/stable/c/e821d50ab5b956ed0effa49faaf29912fd4106d9" + }, + { + "url": "https://git.kernel.org/stable/c/f8dcafcb54632536684336161da8bdd52120f95e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52584 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52584", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: mediatek: Fix UAF on device remove\n\nThe pmif driver data that contains the clocks is allocated along with\nspmi_controller.\nOn device remove, spmi_controller will be freed first, and then devres\n, including the clocks, will be cleanup.\nThis leads to UAF because putting the clocks will access the clocks in\nthe pmif driver data, which is already freed along with spmi_controller.\n\nThis can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and\nbuilding the kernel with KASAN.\n\nFix the UAF issue by using unmanaged clk_bulk_get() and putting the\nclocks before freeing spmi_controller.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52584\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52584\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52584\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52584\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52584\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/521f28eedd6b14228c46e3b81e3bf9b90c2818d8\",\n \"https://git.kernel.org/stable/c/9a3881b1f07db1bb55cb0108e6f05cfd027eaf2e\",\n \"https://git.kernel.org/stable/c/e821d50ab5b956ed0effa49faaf29912fd4106d9\",\n \"https://git.kernel.org/stable/c/f8dcafcb54632536684336161da8bdd52120f95e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspmi: mediatek: Fix UAF on device remove\\n\\nThe pmif driver data that contains the clocks is allocated along with\\nspmi_controller.\\nOn device remove, spmi_controller will be freed first, and then devres\\n, including the clocks, will be cleanup.\\nThis leads to UAF because putting the clocks will access the clocks in\\nthe pmif driver data, which is already freed along with spmi_controller.\\n\\nThis can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and\\nbuilding the kernel with KASAN.\\n\\nFix the UAF issue by using unmanaged clk_bulk_get() and putting the\\nclocks before freeing spmi_controller.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.8,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52584\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52585", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52585" + }, + { + "url": "https://git.kernel.org/stable/c/0eb296233f86750102aa43b97879b8d8311f249a" + }, + { + "url": "https://git.kernel.org/stable/c/195a6289282e039024ad30ba66e6f94a4d0fbe49" + }, + { + "url": "https://git.kernel.org/stable/c/467139546f3fb93913de064461b1a43a212d7626" + }, + { + "url": "https://git.kernel.org/stable/c/7e6d6f27522bcd037856234b720ff607b9c4a09b" + }, + { + "url": "https://git.kernel.org/stable/c/92cb363d16ac1e41c9764cdb513d0e89a6ff4915" + }, + { + "url": "https://git.kernel.org/stable/c/b8d55a90fd55b767c25687747e2b24abd1ef8680" + }, + { + "url": "https://git.kernel.org/stable/c/c364e7a34c85c2154fb2e47561965d5b5a0b69b1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52585 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52585", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()\n\nReturn invalid error code -EINVAL for invalid block id.\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52585\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52585\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52585\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52585\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52585\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0eb296233f86750102aa43b97879b8d8311f249a\",\n \"https://git.kernel.org/stable/c/195a6289282e039024ad30ba66e6f94a4d0fbe49\",\n \"https://git.kernel.org/stable/c/467139546f3fb93913de064461b1a43a212d7626\",\n \"https://git.kernel.org/stable/c/7e6d6f27522bcd037856234b720ff607b9c4a09b\",\n \"https://git.kernel.org/stable/c/92cb363d16ac1e41c9764cdb513d0e89a6ff4915\",\n \"https://git.kernel.org/stable/c/b8d55a90fd55b767c25687747e2b24abd1ef8680\",\n \"https://git.kernel.org/stable/c/c364e7a34c85c2154fb2e47561965d5b5a0b69b1\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()\\n\\nReturn invalid error code -EINVAL for invalid block id.\\n\\nFixes the below:\\n\\ndrivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52585\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52586", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52586" + }, + { + "url": "https://git.kernel.org/stable/c/14f109bf74dd67e1d0469fed859c8e506b0df53f" + }, + { + "url": "https://git.kernel.org/stable/c/45284ff733e4caf6c118aae5131eb7e7cf3eea5a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52586 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52586", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add mutex lock in control vblank irq\n\nAdd a mutex lock to control vblank irq to synchronize vblank\nenable/disable operations happening from different threads to prevent\nrace conditions while registering/unregistering the vblank irq callback.\n\nv4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a\n parameter of dpu_encoder_phys.\n -Switch from atomic refcnt to a simple int counter as mutex has\n now been added\nv3: Mistakenly did not change wording in last version. It is done now.\nv2: Slightly changed wording of commit message\n\nPatchwork: https://patchwork.freedesktop.org/patch/571854/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52586\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52586\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52586\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52586\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52586\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14f109bf74dd67e1d0469fed859c8e506b0df53f\",\n \"https://git.kernel.org/stable/c/45284ff733e4caf6c118aae5131eb7e7cf3eea5a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/msm/dpu: Add mutex lock in control vblank irq\\n\\nAdd a mutex lock to control vblank irq to synchronize vblank\\nenable/disable operations happening from different threads to prevent\\nrace conditions while registering/unregistering the vblank irq callback.\\n\\nv4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a\\n parameter of dpu_encoder_phys.\\n -Switch from atomic refcnt to a simple int counter as mutex has\\n now been added\\nv3: Mistakenly did not change wording in last version. It is done now.\\nv2: Slightly changed wording of commit message\\n\\nPatchwork: https://patchwork.freedesktop.org/patch/571854/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52586\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52589", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52589" + }, + { + "url": "https://git.kernel.org/stable/c/7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7" + }, + { + "url": "https://git.kernel.org/stable/c/870565f063a58576e8a4529f122cac4325c6b395" + }, + { + "url": "https://git.kernel.org/stable/c/bf808f58681cab64c81cd814551814fd34e540fe" + }, + { + "url": "https://git.kernel.org/stable/c/fab483438342984f2a315fe13c882a80f0f7e545" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52589 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52589", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ disable race issue\n\nIn rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the\ninterrupts and then apparently assumes that the interrupt handler won't\nbe running, and proceeds in the stop procedure. This is not the case, as\nthe interrupt handler can already be running, which would lead to the\nISP being disabled while the interrupt handler handling a captured\nframe.\n\nThis brings up two issues: 1) the ISP could be powered off while the\ninterrupt handler is still running and accessing registers, leading to\nboard lockup, and 2) the interrupt handler code and the code that\ndisables the streaming might do things that conflict.\n\nIt is not clear to me if 2) causes a real issue, but 1) can be seen with\na suitable delay (or printk in my case) in the interrupt handler,\nleading to board lockup.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52589\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52589\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52589\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52589\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52589\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7\",\n \"https://git.kernel.org/stable/c/870565f063a58576e8a4529f122cac4325c6b395\",\n \"https://git.kernel.org/stable/c/bf808f58681cab64c81cd814551814fd34e540fe\",\n \"https://git.kernel.org/stable/c/fab483438342984f2a315fe13c882a80f0f7e545\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: rkisp1: Fix IRQ disable race issue\\n\\nIn rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the\\ninterrupts and then apparently assumes that the interrupt handler won't\\nbe running, and proceeds in the stop procedure. This is not the case, as\\nthe interrupt handler can already be running, which would lead to the\\nISP being disabled while the interrupt handler handling a captured\\nframe.\\n\\nThis brings up two issues: 1) the ISP could be powered off while the\\ninterrupt handler is still running and accessing registers, leading to\\nboard lockup, and 2) the interrupt handler code and the code that\\ndisables the streaming might do things that conflict.\\n\\nIt is not clear to me if 2) causes a real issue, but 1) can be seen with\\na suitable delay (or printk in my case) in the interrupt handler,\\nleading to board lockup.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52589\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52590", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52590" + }, + { + "url": "https://git.kernel.org/stable/c/9d618d19b29c2943527e3a43da0a35aea91062fc" + }, + { + "url": "https://git.kernel.org/stable/c/de940cede3c41624e2de27f805b490999f419df9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52590 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52590", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change ocfs2 rename code to avoid touching renamed directory if\nits parent does not change as without locking that can corrupt the\nfilesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52590\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52590\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52590\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52590\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52590\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/9d618d19b29c2943527e3a43da0a35aea91062fc\",\n \"https://git.kernel.org/stable/c/de940cede3c41624e2de27f805b490999f419df9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: Avoid touching renamed directory if parent does not change\\n\\nThe VFS will not be locking moved directory if its parent does not\\nchange. Change ocfs2 rename code to avoid touching renamed directory if\\nits parent does not change as without locking that can corrupt the\\nfilesystem.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52590\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52591", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52591" + }, + { + "url": "https://git.kernel.org/stable/c/17e1361cb91dc1325834da95d2ab532959d2debc" + }, + { + "url": "https://git.kernel.org/stable/c/49db9b1b86a82448dfaf3fcfefcf678dee56c8ed" + }, + { + "url": "https://git.kernel.org/stable/c/c04c162f82ac403917780eb6d1654694455d4e7c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52591 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52591", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nreiserfs: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change reiserfs rename code to avoid touching renamed directory\nif its parent does not change as without locking that can corrupt the\nfilesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52591\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52591\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52591\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52591\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52591\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17e1361cb91dc1325834da95d2ab532959d2debc\",\n \"https://git.kernel.org/stable/c/49db9b1b86a82448dfaf3fcfefcf678dee56c8ed\",\n \"https://git.kernel.org/stable/c/c04c162f82ac403917780eb6d1654694455d4e7c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nreiserfs: Avoid touching renamed directory if parent does not change\\n\\nThe VFS will not be locking moved directory if its parent does not\\nchange. Change reiserfs rename code to avoid touching renamed directory\\nif its parent does not change as without locking that can corrupt the\\nfilesystem.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52591\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52593", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52593" + }, + { + "url": "https://git.kernel.org/stable/c/3739121443f5114c6bcf6d841a5124deb006b878" + }, + { + "url": "https://git.kernel.org/stable/c/574dcd3126aa2eed75437137843f254b1190dd03" + }, + { + "url": "https://git.kernel.org/stable/c/9ab224744a47363f74ea29c6894c405e3bcf5132" + }, + { + "url": "https://git.kernel.org/stable/c/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52593 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52593", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\n\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. Compile tested only.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52593\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52593\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52593\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52593\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52593\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3739121443f5114c6bcf6d841a5124deb006b878\",\n \"https://git.kernel.org/stable/c/574dcd3126aa2eed75437137843f254b1190dd03\",\n \"https://git.kernel.org/stable/c/9ab224744a47363f74ea29c6894c405e3bcf5132\",\n \"https://git.kernel.org/stable/c/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\\n\\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\\nshould check the return value before examining skb data. So convert\\nthe latter to return an appropriate error code and propagate it to\\nreturn from 'wfx_start_ap()' as well. Compile tested only.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52593\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52596", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52596" + }, + { + "url": "https://git.kernel.org/stable/c/15893975e9e382f8294ea8d926f08dc2d8d39ede" + }, + { + "url": "https://git.kernel.org/stable/c/2ae7081bc10123b187e36a4f3a8e53768de31489" + }, + { + "url": "https://git.kernel.org/stable/c/315552310c7de92baea4e570967066569937a843" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52596 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52596", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix out of bounds access for empty sysctl registers\n\nWhen registering tables to the sysctl subsystem there is a check to see\nif header is a permanently empty directory (used for mounts). This check\nevaluates the first element of the ctl_table. This results in an out of\nbounds evaluation when registering empty directories.\n\nThe function register_sysctl_mount_point now passes a ctl_table of size\n1 instead of size 0. It now relies solely on the type to identify\na permanently empty register.\n\nMake sure that the ctl_table has at least one element before testing for\npermanent emptiness.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52596\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52596\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52596\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52596\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52596\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15893975e9e382f8294ea8d926f08dc2d8d39ede\",\n \"https://git.kernel.org/stable/c/2ae7081bc10123b187e36a4f3a8e53768de31489\",\n \"https://git.kernel.org/stable/c/315552310c7de92baea4e570967066569937a843\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsysctl: Fix out of bounds access for empty sysctl registers\\n\\nWhen registering tables to the sysctl subsystem there is a check to see\\nif header is a permanently empty directory (used for mounts). This check\\nevaluates the first element of the ctl_table. This results in an out of\\nbounds evaluation when registering empty directories.\\n\\nThe function register_sysctl_mount_point now passes a ctl_table of size\\n1 instead of size 0. It now relies solely on the type to identify\\na permanently empty register.\\n\\nMake sure that the ctl_table has at least one element before testing for\\npermanent emptiness.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52596\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52621", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52621" + }, + { + "url": "https://git.kernel.org/stable/c/169410eba271afc9f0fb476d996795aa26770c6d" + }, + { + "url": "https://git.kernel.org/stable/c/483cb92334cd7f1d5387dccc0ab5d595d27a669d" + }, + { + "url": "https://git.kernel.org/stable/c/c7f1b6146f4a46d727c0d046284c28b6882c6304" + }, + { + "url": "https://git.kernel.org/stable/c/d6d6fe4bb105595118f12abeed4a7bdd450853f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52621 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52621", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\n\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\n\n WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n ......\n Call Trace:\n \n ? __warn+0xa5/0x240\n ? bpf_map_lookup_elem+0x54/0x60\n ? report_bug+0x1ba/0x1f0\n ? handle_bug+0x40/0x80\n ? exc_invalid_op+0x18/0x50\n ? asm_exc_invalid_op+0x1b/0x20\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ? rcu_lockdep_current_cpu_online+0x65/0xb0\n ? rcu_is_watching+0x23/0x50\n ? bpf_map_lookup_elem+0x54/0x60\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ___bpf_prog_run+0x513/0x3b70\n __bpf_prog_run32+0x9d/0xd0\n ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n bpf_trampoline_6442580665+0x4d/0x1000\n __x64_sys_getpgid+0x5/0x30\n ? do_syscall_64+0x36/0xb0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52621\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52621\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52621\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52621\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52621\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/169410eba271afc9f0fb476d996795aa26770c6d\",\n \"https://git.kernel.org/stable/c/483cb92334cd7f1d5387dccc0ab5d595d27a669d\",\n \"https://git.kernel.org/stable/c/c7f1b6146f4a46d727c0d046284c28b6882c6304\",\n \"https://git.kernel.org/stable/c/d6d6fe4bb105595118f12abeed4a7bdd450853f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\\n\\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\\navailable for sleepable bpf program, so add the corresponding lock\\nassertion for sleepable bpf program, otherwise the following warning\\nwill be reported when a sleepable bpf program manipulates bpf map under\\ninterpreter mode (aka bpf_jit_enable=0):\\n\\n WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\\n CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\\n RIP: 0010:bpf_map_lookup_elem+0x54/0x60\\n ......\\n Call Trace:\\n \\n ? __warn+0xa5/0x240\\n ? bpf_map_lookup_elem+0x54/0x60\\n ? report_bug+0x1ba/0x1f0\\n ? handle_bug+0x40/0x80\\n ? exc_invalid_op+0x18/0x50\\n ? asm_exc_invalid_op+0x1b/0x20\\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\\n ? rcu_lockdep_current_cpu_online+0x65/0xb0\\n ? rcu_is_watching+0x23/0x50\\n ? bpf_map_lookup_elem+0x54/0x60\\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\\n ___bpf_prog_run+0x513/0x3b70\\n __bpf_prog_run32+0x9d/0xd0\\n ? __bpf_prog_enter_sleepable_recur+0xad/0x120\\n ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\\n bpf_trampoline_6442580665+0x4d/0x1000\\n __x64_sys_getpgid+0x5/0x30\\n ? do_syscall_64+0x36/0xb0\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52621\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52624", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52624" + }, + { + "url": "https://git.kernel.org/stable/c/2ef98c6d753a744e333b7e34b9cf687040fba57d" + }, + { + "url": "https://git.kernel.org/stable/c/e5ffd1263dd5b44929c676171802e7b6af483f21" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52624 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52624", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before executing GPINT commands\n\n[Why]\nDMCUB can be in idle when we attempt to interface with the HW through\nthe GPINT mailbox resulting in a system hang.\n\n[How]\nAdd dc_wake_and_execute_gpint() to wrap the wake, execute, sleep\nsequence.\n\nIf the GPINT executes successfully then DMCUB will be put back into\nsleep after the optional response is returned.\n\nIt functions similar to the inbox command interface.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52624\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52624\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52624\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52624\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52624\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ef98c6d753a744e333b7e34b9cf687040fba57d\",\n \"https://git.kernel.org/stable/c/e5ffd1263dd5b44929c676171802e7b6af483f21\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Wake DMCUB before executing GPINT commands\\n\\n[Why]\\nDMCUB can be in idle when we attempt to interface with the HW through\\nthe GPINT mailbox resulting in a system hang.\\n\\n[How]\\nAdd dc_wake_and_execute_gpint() to wrap the wake, execute, sleep\\nsequence.\\n\\nIf the GPINT executes successfully then DMCUB will be put back into\\nsleep after the optional response is returned.\\n\\nIt functions similar to the inbox command interface.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52624\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52625", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52625" + }, + { + "url": "https://git.kernel.org/stable/c/820c3870c491946a78950cdf961bf40e28c1025f" + }, + { + "url": "https://git.kernel.org/stable/c/8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52625 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52625", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Refactor DMCUB enter/exit idle interface\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nWe need to exit out of the idle state prior to sending a command,\nbut the process that performs the exit also invokes a command itself.\n\nFixing this issue involves the following:\n\n1. Using a software state to track whether or not we need to start\n the process to exit idle or notify idle.\n\nIt's possible for the hardware to have exited an idle state without\ndriver knowledge, but entering one is always restricted to a driver\nallow - which makes the SW state vs HW state mismatch issue purely one\nof optimization, which should seldomly be hit, if at all.\n\n2. Refactor any instances of exit/notify idle to use a single wrapper\n that maintains this SW state.\n\nThis works simialr to dc_allow_idle_optimizations, but works at the\nDMCUB level and makes sure the state is marked prior to any notify/exit\nidle so we don't enter an infinite loop.\n\n3. Make sure we exit out of idle prior to sending any commands or\n waiting for DMCUB idle.\n\nThis patch takes care of 1/2. A future patch will take care of wrapping\nDMCUB command submission with calls to this new interface.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52625\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52625\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52625\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52625\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52625\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/820c3870c491946a78950cdf961bf40e28c1025f\",\n \"https://git.kernel.org/stable/c/8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Refactor DMCUB enter/exit idle interface\\n\\n[Why]\\nWe can hang in place trying to send commands when the DMCUB isn't\\npowered on.\\n\\n[How]\\nWe need to exit out of the idle state prior to sending a command,\\nbut the process that performs the exit also invokes a command itself.\\n\\nFixing this issue involves the following:\\n\\n1. Using a software state to track whether or not we need to start\\n the process to exit idle or notify idle.\\n\\nIt's possible for the hardware to have exited an idle state without\\ndriver knowledge, but entering one is always restricted to a driver\\nallow - which makes the SW state vs HW state mismatch issue purely one\\nof optimization, which should seldomly be hit, if at all.\\n\\n2. Refactor any instances of exit/notify idle to use a single wrapper\\n that maintains this SW state.\\n\\nThis works simialr to dc_allow_idle_optimizations, but works at the\\nDMCUB level and makes sure the state is marked prior to any notify/exit\\nidle so we don't enter an infinite loop.\\n\\n3. Make sure we exit out of idle prior to sending any commands or\\n waiting for DMCUB idle.\\n\\nThis patch takes care of 1/2. A future patch will take care of wrapping\\nDMCUB command submission with calls to this new interface.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52625\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52629", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52629" + }, + { + "url": "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65" + }, + { + "url": "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52629 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52629", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n (cpu 0) | (cpu 1)\nswitch_drv_remove() |\n flush_work() |\n ... | switch_timer // timer\n | schedule_work(&psw->work)\n timer_shutdown_sync() |\n ... | switch_work_handler // worker\n kfree(psw) // free |\n | psw->state = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52629\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52629\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52629\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52629\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52629\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65\",\n \"https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\\n\\nThe original code puts flush_work() before timer_shutdown_sync()\\nin switch_drv_remove(). Although we use flush_work() to stop\\nthe worker, it could be rescheduled in switch_timer(). As a result,\\na use-after-free bug can occur. The details are shown below:\\n\\n (cpu 0) | (cpu 1)\\nswitch_drv_remove() |\\n flush_work() |\\n ... | switch_timer // timer\\n | schedule_work(&psw->work)\\n timer_shutdown_sync() |\\n ... | switch_work_handler // worker\\n kfree(psw) // free |\\n | psw->state = 0 // use\\n\\nThis patch puts timer_shutdown_sync() before flush_work() to\\nmitigate the bugs. As a result, the worker and timer will be\\nstopped safely before the deallocate operations.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52629\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52632", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52632" + }, + { + "url": "https://git.kernel.org/stable/c/1556c242e64cdffe58736aa650b0b395854fe4d4" + }, + { + "url": "https://git.kernel.org/stable/c/2a9de42e8d3c82c6990d226198602be44f43f340" + }, + { + "url": "https://git.kernel.org/stable/c/752312f6a79440086ac0f9b08d7776870037323c" + }, + { + "url": "https://git.kernel.org/stable/c/b602f098f716723fa5c6c96a486e0afba83b7b94" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52632 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52632", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix lock dependency warning with srcu\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.5.0-kfd-yangp #2289 Not tainted\n------------------------------------------------------\nkworker/0:2/996 is trying to acquire lock:\n (srcu){.+.+}-{0:0}, at: __synchronize_srcu+0x5/0x1a0\n\nbut task is already holding lock:\n ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}, at:\n\tprocess_one_work+0x211/0x560\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n svm_range_list_lock_and_flush_work+0x3d/0x110 [amdgpu]\n svm_range_set_attr+0xd6/0x14c0 [amdgpu]\n kfd_ioctl+0x1d1/0x630 [amdgpu]\n __x64_sys_ioctl+0x88/0xc0\n\n-> #2 (&info->lock#2){+.+.}-{3:3}:\n __mutex_lock+0x99/0xc70\n amdgpu_amdkfd_gpuvm_restore_process_bos+0x54/0x740 [amdgpu]\n restore_process_helper+0x22/0x80 [amdgpu]\n restore_process_worker+0x2d/0xa0 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\n-> #1 ((work_completion)(&(&process->restore_work)->work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n __cancel_work_timer+0x12c/0x1c0\n kfd_process_notifier_release_internal+0x37/0x1f0 [amdgpu]\n __mmu_notifier_release+0xad/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n do_exit+0x322/0xb90\n do_group_exit+0x37/0xa0\n __x64_sys_exit_group+0x18/0x20\n do_syscall_64+0x38/0x80\n\n-> #0 (srcu){.+.+}-{0:0}:\n __lock_acquire+0x1521/0x2510\n lock_sync+0x5f/0x90\n __synchronize_srcu+0x4f/0x1a0\n __mmu_notifier_release+0x128/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n svm_range_deferred_list_work+0x19f/0x350 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\nother info that might help us debug this:\nChain exists of:\n srcu --> &info->lock#2 --> (work_completion)(&svms->deferred_list_work)\n\nPossible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock((work_completion)(&svms->deferred_list_work));\n lock(&info->lock#2);\n\t\t\tlock((work_completion)(&svms->deferred_list_work));\n sync(srcu);", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52632\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52632\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52632\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52632\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52632\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1556c242e64cdffe58736aa650b0b395854fe4d4\",\n \"https://git.kernel.org/stable/c/2a9de42e8d3c82c6990d226198602be44f43f340\",\n \"https://git.kernel.org/stable/c/752312f6a79440086ac0f9b08d7776870037323c\",\n \"https://git.kernel.org/stable/c/b602f098f716723fa5c6c96a486e0afba83b7b94\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdkfd: Fix lock dependency warning with srcu\\n\\n======================================================\\nWARNING: possible circular locking dependency detected\\n6.5.0-kfd-yangp #2289 Not tainted\\n------------------------------------------------------\\nkworker/0:2/996 is trying to acquire lock:\\n (srcu){.+.+}-{0:0}, at: __synchronize_srcu+0x5/0x1a0\\n\\nbut task is already holding lock:\\n ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}, at:\\n\\tprocess_one_work+0x211/0x560\\n\\nwhich lock already depends on the new lock.\\n\\nthe existing dependency chain (in reverse order) is:\\n\\n-> #3 ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}:\\n __flush_work+0x88/0x4f0\\n svm_range_list_lock_and_flush_work+0x3d/0x110 [amdgpu]\\n svm_range_set_attr+0xd6/0x14c0 [amdgpu]\\n kfd_ioctl+0x1d1/0x630 [amdgpu]\\n __x64_sys_ioctl+0x88/0xc0\\n\\n-> #2 (&info->lock#2){+.+.}-{3:3}:\\n __mutex_lock+0x99/0xc70\\n amdgpu_amdkfd_gpuvm_restore_process_bos+0x54/0x740 [amdgpu]\\n restore_process_helper+0x22/0x80 [amdgpu]\\n restore_process_worker+0x2d/0xa0 [amdgpu]\\n process_one_work+0x29b/0x560\\n worker_thread+0x3d/0x3d0\\n\\n-> #1 ((work_completion)(&(&process->restore_work)->work)){+.+.}-{0:0}:\\n __flush_work+0x88/0x4f0\\n __cancel_work_timer+0x12c/0x1c0\\n kfd_process_notifier_release_internal+0x37/0x1f0 [amdgpu]\\n __mmu_notifier_release+0xad/0x240\\n exit_mmap+0x6a/0x3a0\\n mmput+0x6a/0x120\\n do_exit+0x322/0xb90\\n do_group_exit+0x37/0xa0\\n __x64_sys_exit_group+0x18/0x20\\n do_syscall_64+0x38/0x80\\n\\n-> #0 (srcu){.+.+}-{0:0}:\\n __lock_acquire+0x1521/0x2510\\n lock_sync+0x5f/0x90\\n __synchronize_srcu+0x4f/0x1a0\\n __mmu_notifier_release+0x128/0x240\\n exit_mmap+0x6a/0x3a0\\n mmput+0x6a/0x120\\n svm_range_deferred_list_work+0x19f/0x350 [amdgpu]\\n process_one_work+0x29b/0x560\\n worker_thread+0x3d/0x3d0\\n\\nother info that might help us debug this:\\nChain exists of:\\n srcu --> &info->lock#2 --> (work_completion)(&svms->deferred_list_work)\\n\\nPossible unsafe locking scenario:\\n\\n CPU0 CPU1\\n ---- ----\\n lock((work_completion)(&svms->deferred_list_work));\\n lock(&info->lock#2);\\n\\t\\t\\tlock((work_completion)(&svms->deferred_list_work));\\n sync(srcu);\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52632\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52634", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52634" + }, + { + "url": "https://git.kernel.org/stable/c/2ce156482a6fef349d2eba98e5070c412d3af662" + }, + { + "url": "https://git.kernel.org/stable/c/ce29728ef6485a367934cc100249c66dd3cde5b6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52634 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52634", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix disable_otg_wa logic\n\n[Why]\nWhen switching to another HDMI mode, we are unnecesarilly\ndisabling/enabling FIFO causing both HPO and DIG registers to be set at\nthe same time when only HPO is supposed to be set.\n\nThis can lead to a system hang the next time we change refresh rates as\nthere are cases when we don't disable OTG/FIFO but FIFO is enabled when\nit isn't supposed to be.\n\n[How]\nRemoving the enable/disable FIFO entirely.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52634\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52634\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52634\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52634\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52634\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ce156482a6fef349d2eba98e5070c412d3af662\",\n \"https://git.kernel.org/stable/c/ce29728ef6485a367934cc100249c66dd3cde5b6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix disable_otg_wa logic\\n\\n[Why]\\nWhen switching to another HDMI mode, we are unnecesarilly\\ndisabling/enabling FIFO causing both HPO and DIG registers to be set at\\nthe same time when only HPO is supposed to be set.\\n\\nThis can lead to a system hang the next time we change refresh rates as\\nthere are cases when we don't disable OTG/FIFO but FIFO is enabled when\\nit isn't supposed to be.\\n\\n[How]\\nRemoving the enable/disable FIFO entirely.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52634\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52639", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52639" + }, + { + "url": "https://git.kernel.org/stable/c/28bb27824f25f36e5f80229a358d66ee09244082" + }, + { + "url": "https://git.kernel.org/stable/c/5df3b81a567eb565029563f26f374ae3803a1dfc" + }, + { + "url": "https://git.kernel.org/stable/c/f5572c0323cf8b4f1f0618178648a25b8fb8a380" + }, + { + "url": "https://git.kernel.org/stable/c/fe752331d4b361d43cfd0b89534b4b2176057c32" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52639 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52639", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: vsie: fix race during shadow creation\n\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the\nfact that we add gmap->private == kvm after creation:\n\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n struct vsie_page *vsie_page)\n{\n[...]\n gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n if (IS_ERR(gmap))\n return PTR_ERR(gmap);\n gmap->private = vcpu->kvm;\n\nLet children inherit the private field of the parent.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52639\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52639\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52639\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52639\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52639\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/28bb27824f25f36e5f80229a358d66ee09244082\",\n \"https://git.kernel.org/stable/c/5df3b81a567eb565029563f26f374ae3803a1dfc\",\n \"https://git.kernel.org/stable/c/f5572c0323cf8b4f1f0618178648a25b8fb8a380\",\n \"https://git.kernel.org/stable/c/fe752331d4b361d43cfd0b89534b4b2176057c32\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: s390: vsie: fix race during shadow creation\\n\\nRight now it is possible to see gmap->private being zero in\\nkvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the\\nfact that we add gmap->private == kvm after creation:\\n\\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\\n struct vsie_page *vsie_page)\\n{\\n[...]\\n gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\\n if (IS_ERR(gmap))\\n return PTR_ERR(gmap);\\n gmap->private = vcpu->kvm;\\n\\nLet children inherit the private field of the parent.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52639\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52646", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52646" + }, + { + "url": "https://git.kernel.org/stable/c/178993157e8c50aef7f35d7d6d3b44bb428199e1" + }, + { + "url": "https://git.kernel.org/stable/c/4326d0080f7e84fba775da41d158f46cf9d3f1c2" + }, + { + "url": "https://git.kernel.org/stable/c/808f1e4b5723ae4eda724d2ad6f6638905eefd95" + }, + { + "url": "https://git.kernel.org/stable/c/81e9d6f8647650a7bead74c5f926e29970e834d1" + }, + { + "url": "https://git.kernel.org/stable/c/af126acf01a12bdb04986fd26fc2eb3b40249e0d" + }, + { + "url": "https://git.kernel.org/stable/c/c261f798f7baa8080cf0214081d43d5f86bb073f" + }, + { + "url": "https://git.kernel.org/stable/c/d8dca1bfe9adcae38b35add64977818c0c13dd22" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52646 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52646", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naio: fix mremap after fork null-deref\n\nCommit e4a0d3e720e7 (\"aio: Make it possible to remap aio ring\") introduced\na null-deref if mremap is called on an old aio mapping after fork as\nmm->ioctx_table will be set to NULL.\n\n[jmoyer@redhat.com: fix 80 column issue]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52646\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52646\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52646\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52646\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52646\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/178993157e8c50aef7f35d7d6d3b44bb428199e1\",\n \"https://git.kernel.org/stable/c/4326d0080f7e84fba775da41d158f46cf9d3f1c2\",\n \"https://git.kernel.org/stable/c/808f1e4b5723ae4eda724d2ad6f6638905eefd95\",\n \"https://git.kernel.org/stable/c/81e9d6f8647650a7bead74c5f926e29970e834d1\",\n \"https://git.kernel.org/stable/c/af126acf01a12bdb04986fd26fc2eb3b40249e0d\",\n \"https://git.kernel.org/stable/c/c261f798f7baa8080cf0214081d43d5f86bb073f\",\n \"https://git.kernel.org/stable/c/d8dca1bfe9adcae38b35add64977818c0c13dd22\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naio: fix mremap after fork null-deref\\n\\nCommit e4a0d3e720e7 (\\\"aio: Make it possible to remap aio ring\\\") introduced\\na null-deref if mremap is called on an old aio mapping after fork as\\nmm->ioctx_table will be set to NULL.\\n\\n[jmoyer@redhat.com: fix 80 column issue]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52646\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52648", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52648" + }, + { + "url": "https://git.kernel.org/stable/c/0a23f95af7f28dae7c0f7c82578ca5e1a239d461" + }, + { + "url": "https://git.kernel.org/stable/c/105f72cc48c4c93f4578fcc61e06276471858e92" + }, + { + "url": "https://git.kernel.org/stable/c/27571c64f1855881753e6f33c3186573afbab7ba" + }, + { + "url": "https://git.kernel.org/stable/c/75baad63c033b3b900d822bffbc96c9d3649bc75" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52648 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52648", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Unmap the surface before resetting it on a plane state\n\nSwitch to a new plane state requires unreferencing of all held surfaces.\nIn the work required for mob cursors the mapped surfaces started being\ncached but the variable indicating whether the surface is currently\nmapped was not being reset. This leads to crashes as the duplicated\nstate, incorrectly, indicates the that surface is mapped even when\nno surface is present. That's because after unreferencing the surface\nit's perfectly possible for the plane to be backed by a bo instead of a\nsurface.\n\nReset the surface mapped flag when unreferencing the plane state surface\nto fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland:\n\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920\nR10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000\nR13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00\nFS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\n drm_atomic_helper_cleanup_planes+0x9b/0xc0\n commit_tail+0xd1/0x130\n drm_atomic_helper_commit+0x11a/0x140\n drm_atomic_commit+0x97/0xd0\n ? __pfx___drm_printfn_info+0x10/0x10\n drm_atomic_helper_update_plane+0xf5/0x160\n drm_mode_cursor_universal+0x10e/0x270\n drm_mode_cursor_common+0x102/0x230\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n drm_ioctl_kernel+0xb2/0x110\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n ? __pfx_drm_ioctl+0x10/0x10\n vmw_generic_ioctl+0xa4/0x110 [vmwgfx]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x61/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? exc_page_fault+0x7f/0x180\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\nRIP: 0033:0x7f1e93f279ed\nCode: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f>\nRSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed\nRDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015\nRBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007\nR10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0\nR13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790\n \nModules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine>\nCR2: 0000000000000028\n---[ end trace 0000000000000000 ]---\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52648\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52648\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52648\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52648\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52648\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a23f95af7f28dae7c0f7c82578ca5e1a239d461\",\n \"https://git.kernel.org/stable/c/105f72cc48c4c93f4578fcc61e06276471858e92\",\n \"https://git.kernel.org/stable/c/27571c64f1855881753e6f33c3186573afbab7ba\",\n \"https://git.kernel.org/stable/c/75baad63c033b3b900d822bffbc96c9d3649bc75\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vmwgfx: Unmap the surface before resetting it on a plane state\\n\\nSwitch to a new plane state requires unreferencing of all held surfaces.\\nIn the work required for mob cursors the mapped surfaces started being\\ncached but the variable indicating whether the surface is currently\\nmapped was not being reset. This leads to crashes as the duplicated\\nstate, incorrectly, indicates the that surface is mapped even when\\nno surface is present. That's because after unreferencing the surface\\nit's perfectly possible for the plane to be backed by a bo instead of a\\nsurface.\\n\\nReset the surface mapped flag when unreferencing the plane state surface\\nto fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland:\\n\\nOops: 0000 [#1] PREEMPT SMP PTI\\nCPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2\\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\\nRBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920\\nR10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000\\nR13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00\\nFS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0\\nCall Trace:\\n \\n ? __die+0x23/0x70\\n ? page_fault_oops+0x171/0x4e0\\n ? exc_page_fault+0x7f/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\\n drm_atomic_helper_cleanup_planes+0x9b/0xc0\\n commit_tail+0xd1/0x130\\n drm_atomic_helper_commit+0x11a/0x140\\n drm_atomic_commit+0x97/0xd0\\n ? __pfx___drm_printfn_info+0x10/0x10\\n drm_atomic_helper_update_plane+0xf5/0x160\\n drm_mode_cursor_universal+0x10e/0x270\\n drm_mode_cursor_common+0x102/0x230\\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\\n drm_ioctl_kernel+0xb2/0x110\\n drm_ioctl+0x26d/0x4b0\\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\\n ? __pfx_drm_ioctl+0x10/0x10\\n vmw_generic_ioctl+0xa4/0x110 [vmwgfx]\\n __x64_sys_ioctl+0x94/0xd0\\n do_syscall_64+0x61/0xe0\\n ? __x64_sys_ioctl+0xaf/0xd0\\n ? syscall_exit_to_user_mode+0x2b/0x40\\n ? do_syscall_64+0x70/0xe0\\n ? __x64_sys_ioctl+0xaf/0xd0\\n ? syscall_exit_to_user_mode+0x2b/0x40\\n ? do_syscall_64+0x70/0xe0\\n ? exc_page_fault+0x7f/0x180\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\nRIP: 0033:0x7f1e93f279ed\\nCode: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f>\\nRSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\nRAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed\\nRDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015\\nRBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007\\nR10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0\\nR13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790\\n \\nModules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine>\\nCR2: 0000000000000028\\n---[ end trace 0000000000000000 ]---\\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\\nRBP: ffff969d4143\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52648\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52653", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52653" + }, + { + "url": "https://git.kernel.org/stable/c/47ac11db93e74ac49cd6c3fc69bcbc5964c4a8b4" + }, + { + "url": "https://git.kernel.org/stable/c/99044c01ed5329e73651c054d8a4baacdbb1a27c" + }, + { + "url": "https://git.kernel.org/stable/c/d111e30d9cd846bb368faf3637dc0f71fcbcf822" + }, + { + "url": "https://git.kernel.org/stable/c/e67b652d8e8591d3b1e569dbcdfcee15993e91fa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52653 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52653", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix a memleak in gss_import_v2_context\n\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\nwhich frees ctx on error.\n\nThus, this patch reform the last call of gss_import_v2_context to the\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\nformation.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52653\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52653\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52653\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52653\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52653\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/47ac11db93e74ac49cd6c3fc69bcbc5964c4a8b4\",\n \"https://git.kernel.org/stable/c/99044c01ed5329e73651c054d8a4baacdbb1a27c\",\n \"https://git.kernel.org/stable/c/d111e30d9cd846bb368faf3637dc0f71fcbcf822\",\n \"https://git.kernel.org/stable/c/e67b652d8e8591d3b1e569dbcdfcee15993e91fa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSUNRPC: fix a memleak in gss_import_v2_context\\n\\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\\nwhich frees ctx on error.\\n\\nThus, this patch reform the last call of gss_import_v2_context to the\\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\\nformation.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52653\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52655", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52655" + }, + { + "url": "https://git.kernel.org/stable/c/2ebf775f0541ae0d474836fa0cf3220e502f8e3e" + }, + { + "url": "https://git.kernel.org/stable/c/46412b2fb1f9cc895d6d4036bf24f640b5d86dab" + }, + { + "url": "https://git.kernel.org/stable/c/82c386d73689a45d5ee8c1290827bce64056dddd" + }, + { + "url": "https://git.kernel.org/stable/c/84f2e5b3e70f08fce3cb1ff73414631c5e490204" + }, + { + "url": "https://git.kernel.org/stable/c/ccab434e674ca95d483788b1895a70c21b7f016a" + }, + { + "url": "https://git.kernel.org/stable/c/d69581c17608d81824dd497d9a54b6a5b6139975" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52655 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52655", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: aqc111: check packet for fixup for true limit\n\nIf a device sends a packet that is inbetween 0\nand sizeof(u64) the value passed to skb_trim()\nas length will wrap around ending up as some very\nlarge value.\n\nThe driver will then proceed to parse the header\nlocated at that position, which will either oops or\nprocess some random value.\n\nThe fix is to check against sizeof(u64) rather than\n0, which the driver currently does. The issue exists\nsince the introduction of the driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52655\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52655\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52655\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52655\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52655\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ebf775f0541ae0d474836fa0cf3220e502f8e3e\",\n \"https://git.kernel.org/stable/c/46412b2fb1f9cc895d6d4036bf24f640b5d86dab\",\n \"https://git.kernel.org/stable/c/82c386d73689a45d5ee8c1290827bce64056dddd\",\n \"https://git.kernel.org/stable/c/84f2e5b3e70f08fce3cb1ff73414631c5e490204\",\n \"https://git.kernel.org/stable/c/ccab434e674ca95d483788b1895a70c21b7f016a\",\n \"https://git.kernel.org/stable/c/d69581c17608d81824dd497d9a54b6a5b6139975\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: aqc111: check packet for fixup for true limit\\n\\nIf a device sends a packet that is inbetween 0\\nand sizeof(u64) the value passed to skb_trim()\\nas length will wrap around ending up as some very\\nlarge value.\\n\\nThe driver will then proceed to parse the header\\nlocated at that position, which will either oops or\\nprocess some random value.\\n\\nThe fix is to check against sizeof(u64) rather than\\n0, which the driver currently does. The issue exists\\nsince the introduction of the driver.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52655\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52657", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52657" + }, + { + "url": "https://git.kernel.org/stable/c/2e443ed55fe3ffb08327b331a9f45e9382413c94" + }, + { + "url": "https://git.kernel.org/stable/c/955558030954b9637b41c97b730f9b38c92ac488" + }, + { + "url": "https://git.kernel.org/stable/c/baac292852c0e347626fb5436916947188e5838f" + }, + { + "url": "https://git.kernel.org/stable/c/c51468ac328d3922747be55507c117e47da813e6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52657 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52657", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd/pm: resolve reboot exception for si oland\"\n\nThis reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86.\n\nThis causes hangs on SI when DC is enabled and errors on driver\nreboot and power off cycles.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52657\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52657\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52657\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52657\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52657\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e443ed55fe3ffb08327b331a9f45e9382413c94\",\n \"https://git.kernel.org/stable/c/955558030954b9637b41c97b730f9b38c92ac488\",\n \"https://git.kernel.org/stable/c/baac292852c0e347626fb5436916947188e5838f\",\n \"https://git.kernel.org/stable/c/c51468ac328d3922747be55507c117e47da813e6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRevert \\\"drm/amd/pm: resolve reboot exception for si oland\\\"\\n\\nThis reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86.\\n\\nThis causes hangs on SI when DC is enabled and errors on driver\\nreboot and power off cycles.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52657\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52660", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52660" + }, + { + "url": "https://git.kernel.org/stable/c/abd34206f396d3ae50cddbd5aa840b8cd7f68c63" + }, + { + "url": "https://git.kernel.org/stable/c/b39b4d207d4f236a74e20d291f6356f2231fd9ee" + }, + { + "url": "https://git.kernel.org/stable/c/edcf92bc66d8361c51dff953a55210e5cfd95587" + }, + { + "url": "https://git.kernel.org/stable/c/ffb635bb398fc07cb38f8a7b4a82cbe5f412f08e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52660 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52660", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ handling due to shared interrupts\n\nThe driver requests the interrupts as IRQF_SHARED, so the interrupt\nhandlers can be called at any time. If such a call happens while the ISP\nis powered down, the SoC will hang as the driver tries to access the\nISP registers.\n\nThis can be reproduced even without the platform sharing the IRQ line:\nEnable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will\nhang.\n\nFix this by adding a new field, 'irqs_enabled', which is used to bail\nout from the interrupt handler when the ISP is not operational.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52660\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52660\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52660\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52660\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52660\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/abd34206f396d3ae50cddbd5aa840b8cd7f68c63\",\n \"https://git.kernel.org/stable/c/b39b4d207d4f236a74e20d291f6356f2231fd9ee\",\n \"https://git.kernel.org/stable/c/edcf92bc66d8361c51dff953a55210e5cfd95587\",\n \"https://git.kernel.org/stable/c/ffb635bb398fc07cb38f8a7b4a82cbe5f412f08e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: rkisp1: Fix IRQ handling due to shared interrupts\\n\\nThe driver requests the interrupts as IRQF_SHARED, so the interrupt\\nhandlers can be called at any time. If such a call happens while the ISP\\nis powered down, the SoC will hang as the driver tries to access the\\nISP registers.\\n\\nThis can be reproduced even without the platform sharing the IRQ line:\\nEnable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will\\nhang.\\n\\nFix this by adding a new field, 'irqs_enabled', which is used to bail\\nout from the interrupt handler when the ISP is not operational.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52660\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52664", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52664" + }, + { + "url": "https://git.kernel.org/stable/c/0edb3ae8bfa31cd544b0c195bdec00e036002b5d" + }, + { + "url": "https://git.kernel.org/stable/c/b3cb7a830a24527877b0bc900b9bd74a96aea928" + }, + { + "url": "https://git.kernel.org/stable/c/c11a870a73a3bc4cc7df6dd877a45b181795fcbf" + }, + { + "url": "https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49cce285107a7a43c3030878d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52664 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52664", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: eliminate double free in error handling logic\n\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\n\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\n\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52664\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52664\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52664\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52664\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52664\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0edb3ae8bfa31cd544b0c195bdec00e036002b5d\",\n \"https://git.kernel.org/stable/c/b3cb7a830a24527877b0bc900b9bd74a96aea928\",\n \"https://git.kernel.org/stable/c/c11a870a73a3bc4cc7df6dd877a45b181795fcbf\",\n \"https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49cce285107a7a43c3030878d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: atlantic: eliminate double free in error handling logic\\n\\nDriver has a logic leak in ring data allocation/free,\\nwhere aq_ring_free could be called multiple times on same ring,\\nif system is under stress and got memory allocation error.\\n\\nRing pointer was used as an indicator of failure, but this is\\nnot correct since only ring data is allocated/deallocated.\\nRing itself is an array member.\\n\\nChanging ring allocation functions to return error code directly.\\nThis simplifies error handling and eliminates aq_ring_free\\non higher layer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52664\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52666", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52666" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52666 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52666", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52666\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52666\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52666\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52666\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52666\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52666\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52667", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52667" + }, + { + "url": "https://git.kernel.org/stable/c/2897c981ee63e1be5e530b1042484626a10b26d8" + }, + { + "url": "https://git.kernel.org/stable/c/65a4ade8a6d205979292e88beeb6a626ddbd4779" + }, + { + "url": "https://git.kernel.org/stable/c/72a729868592752b5a294d27453da264106983b1" + }, + { + "url": "https://git.kernel.org/stable/c/aef855df7e1bbd5aa4484851561211500b22707e" + }, + { + "url": "https://git.kernel.org/stable/c/b2fa86b2aceb4bc9ada51cea90f61546d7512cbe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52667 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52667", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a potential double-free in fs_any_create_groups\n\nWhen kcalloc() for ft->g succeeds but kvzalloc() for in fails,\nfs_any_create_groups() will free ft->g. However, its caller\nfs_any_create_table() will free ft->g again through calling\nmlx5e_destroy_flow_table(), which will lead to a double-free.\nFix this by setting ft->g to NULL in fs_any_create_groups().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52667\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52667\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52667\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52667\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52667\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2897c981ee63e1be5e530b1042484626a10b26d8\",\n \"https://git.kernel.org/stable/c/65a4ade8a6d205979292e88beeb6a626ddbd4779\",\n \"https://git.kernel.org/stable/c/72a729868592752b5a294d27453da264106983b1\",\n \"https://git.kernel.org/stable/c/aef855df7e1bbd5aa4484851561211500b22707e\",\n \"https://git.kernel.org/stable/c/b2fa86b2aceb4bc9ada51cea90f61546d7512cbe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: fix a potential double-free in fs_any_create_groups\\n\\nWhen kcalloc() for ft->g succeeds but kvzalloc() for in fails,\\nfs_any_create_groups() will free ft->g. However, its caller\\nfs_any_create_table() will free ft->g again through calling\\nmlx5e_destroy_flow_table(), which will lead to a double-free.\\nFix this by setting ft->g to NULL in fs_any_create_groups().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52667\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52669", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52669" + }, + { + "url": "https://git.kernel.org/stable/c/a7f580cdb42ec3d53bbb7c4e4335a98423703285" + }, + { + "url": "https://git.kernel.org/stable/c/cd51e26a3b89706beec64f2d8296cfb1c34e0c79" + }, + { + "url": "https://git.kernel.org/stable/c/d07f951903fa9922c375b8ab1ce81b18a0034e3b" + }, + { + "url": "https://git.kernel.org/stable/c/d68ac38895e84446848b7647ab9458d54cacba3e" + }, + { + "url": "https://git.kernel.org/stable/c/dbc9a791a70ea47be9f2acf251700fe254a2ab23" + }, + { + "url": "https://git.kernel.org/stable/c/e78f1a43e72daf77705ad5b9946de66fc708b874" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52669 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52669", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: s390/aes - Fix buffer overread in CTR mode\n\nWhen processing the last block, the s390 ctr code will always read\na whole block, even if there isn't a whole block of data left. Fix\nthis by using the actual length left and copy it into a buffer first\nfor processing.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52669\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52669\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52669\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52669\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52669\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/a7f580cdb42ec3d53bbb7c4e4335a98423703285\",\n \"https://git.kernel.org/stable/c/cd51e26a3b89706beec64f2d8296cfb1c34e0c79\",\n \"https://git.kernel.org/stable/c/d07f951903fa9922c375b8ab1ce81b18a0034e3b\",\n \"https://git.kernel.org/stable/c/d68ac38895e84446848b7647ab9458d54cacba3e\",\n \"https://git.kernel.org/stable/c/dbc9a791a70ea47be9f2acf251700fe254a2ab23\",\n \"https://git.kernel.org/stable/c/e78f1a43e72daf77705ad5b9946de66fc708b874\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: s390/aes - Fix buffer overread in CTR mode\\n\\nWhen processing the last block, the s390 ctr code will always read\\na whole block, even if there isn't a whole block of data left. Fix\\nthis by using the actual length left and copy it into a buffer first\\nfor processing.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52669\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52670", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52670" + }, + { + "url": "https://git.kernel.org/stable/c/229ce47cbfdc7d3a9415eb676abbfb77d676cb08" + }, + { + "url": "https://git.kernel.org/stable/c/2d27a7b19cb354c6d04bcdc9239e261ff29858d6" + }, + { + "url": "https://git.kernel.org/stable/c/4e6cef3fae5c164968118a13f3fe293700adc81a" + }, + { + "url": "https://git.kernel.org/stable/c/69ca89d80f2c8a1f5af429b955637beea7eead30" + }, + { + "url": "https://git.kernel.org/stable/c/9a416d624e5fb7246ea97c11fbfea7e0e27abf43" + }, + { + "url": "https://git.kernel.org/stable/c/d5362c37e1f8a40096452fc201c30e705750e687" + }, + { + "url": "https://git.kernel.org/stable/c/dd50fe18c234bd5ff22f658f4d414e8fa8cd6a5d" + }, + { + "url": "https://git.kernel.org/stable/c/f4bb1d5daf77b1a95a43277268adf0d1430c2346" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52670 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52670", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: virtio: Free driver_override when rpmsg_remove()\n\nFree driver_override when rpmsg_remove(), otherwise\nthe following memory leak will occur:\n\nunreferenced object 0xffff0000d55d7080 (size 128):\n comm \"kworker/u8:2\", pid 56, jiffies 4294893188 (age 214.272s)\n hex dump (first 32 bytes):\n 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\n [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\n [<00000000228a60c3>] kstrndup+0x4c/0x90\n [<0000000077158695>] driver_set_override+0xd0/0x164\n [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\n [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\n [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\n [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\n [<00000000443331cc>] really_probe+0xbc/0x2dc\n [<00000000391064b1>] __driver_probe_device+0x78/0xe0\n [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\n [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\n [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\n [<000000003b929a36>] __device_attach+0x9c/0x19c\n [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\n [<000000003c999637>] bus_probe_device+0xa0/0xac", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52670\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52670\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52670\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52670\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52670\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/229ce47cbfdc7d3a9415eb676abbfb77d676cb08\",\n \"https://git.kernel.org/stable/c/2d27a7b19cb354c6d04bcdc9239e261ff29858d6\",\n \"https://git.kernel.org/stable/c/4e6cef3fae5c164968118a13f3fe293700adc81a\",\n \"https://git.kernel.org/stable/c/69ca89d80f2c8a1f5af429b955637beea7eead30\",\n \"https://git.kernel.org/stable/c/9a416d624e5fb7246ea97c11fbfea7e0e27abf43\",\n \"https://git.kernel.org/stable/c/d5362c37e1f8a40096452fc201c30e705750e687\",\n \"https://git.kernel.org/stable/c/dd50fe18c234bd5ff22f658f4d414e8fa8cd6a5d\",\n \"https://git.kernel.org/stable/c/f4bb1d5daf77b1a95a43277268adf0d1430c2346\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrpmsg: virtio: Free driver_override when rpmsg_remove()\\n\\nFree driver_override when rpmsg_remove(), otherwise\\nthe following memory leak will occur:\\n\\nunreferenced object 0xffff0000d55d7080 (size 128):\\n comm \\\"kworker/u8:2\\\", pid 56, jiffies 4294893188 (age 214.272s)\\n hex dump (first 32 bytes):\\n 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n backtrace:\\n [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\\n [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\\n [<00000000228a60c3>] kstrndup+0x4c/0x90\\n [<0000000077158695>] driver_set_override+0xd0/0x164\\n [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\\n [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\\n [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\\n [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\\n [<00000000443331cc>] really_probe+0xbc/0x2dc\\n [<00000000391064b1>] __driver_probe_device+0x78/0xe0\\n [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\\n [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\\n [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\\n [<000000003b929a36>] __device_attach+0x9c/0x19c\\n [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\\n [<000000003c999637>] bus_probe_device+0xa0/0xac\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.6,\n \"exploitabilityScore\": 0.7,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52670\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52671", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52671" + }, + { + "url": "https://git.kernel.org/stable/c/4b6b479b2da6badff099b2e3abf0248936eefbf5" + }, + { + "url": "https://git.kernel.org/stable/c/ae62f1dde66a6f0eee98defc4c7a346bd5acd239" + }, + { + "url": "https://git.kernel.org/stable/c/e7b2b108cdeab76a7e7324459e50b0c1214c0386" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52671 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52671", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix hang/underflow when transitioning to ODM4:1\n\n[Why]\nUnder some circumstances, disabling an OPTC and attempting to reclaim\nits OPP(s) for a different OPTC could cause a hang/underflow due to OPPs\nnot being properly disconnected from the disabled OPTC.\n\n[How]\nEnsure that all OPPs are unassigned from an OPTC when it gets disabled.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52671\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52671\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52671\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52671\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52671\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b6b479b2da6badff099b2e3abf0248936eefbf5\",\n \"https://git.kernel.org/stable/c/ae62f1dde66a6f0eee98defc4c7a346bd5acd239\",\n \"https://git.kernel.org/stable/c/e7b2b108cdeab76a7e7324459e50b0c1214c0386\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix hang/underflow when transitioning to ODM4:1\\n\\n[Why]\\nUnder some circumstances, disabling an OPTC and attempting to reclaim\\nits OPP(s) for a different OPTC could cause a hang/underflow due to OPPs\\nnot being properly disconnected from the disabled OPTC.\\n\\n[How]\\nEnsure that all OPPs are unassigned from an OPTC when it gets disabled.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52671\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52672", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52672" + }, + { + "url": "https://git.kernel.org/stable/c/162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8" + }, + { + "url": "https://git.kernel.org/stable/c/3efbd114b91525bb095b8ae046382197d92126b9" + }, + { + "url": "https://git.kernel.org/stable/c/68e51bdb1194f11d3452525b99c98aff6f837b24" + }, + { + "url": "https://git.kernel.org/stable/c/6fb70694f8d1ac34e45246b0ac988f025e1e5b55" + }, + { + "url": "https://git.kernel.org/stable/c/b87a1229d8668fbc78ebd9ca0fc797a76001c60f" + }, + { + "url": "https://git.kernel.org/stable/c/e95aada4cb93d42e25c30a0ef9eb2923d9711d4a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52672 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52672", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npipe: wakeup wr_wait after setting max_usage\n\nCommit c73be61cede5 (\"pipe: Add general notification queue support\") a\nregression was introduced that would lock up resized pipes under certain\nconditions. See the reproducer in [1].\n\nThe commit resizing the pipe ring size was moved to a different\nfunction, doing that moved the wakeup for pipe->wr_wait before actually\nraising pipe->max_usage. If a pipe was full before the resize occured it\nwould result in the wakeup never actually triggering pipe_write.\n\nSet @max_usage and @nr_accounted before waking writers if this isn't a\nwatch queue.\n\n[Christian Brauner : rewrite to account for watch queues]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52672\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52672\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52672\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52672\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52672\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8\",\n \"https://git.kernel.org/stable/c/3efbd114b91525bb095b8ae046382197d92126b9\",\n \"https://git.kernel.org/stable/c/68e51bdb1194f11d3452525b99c98aff6f837b24\",\n \"https://git.kernel.org/stable/c/6fb70694f8d1ac34e45246b0ac988f025e1e5b55\",\n \"https://git.kernel.org/stable/c/b87a1229d8668fbc78ebd9ca0fc797a76001c60f\",\n \"https://git.kernel.org/stable/c/e95aada4cb93d42e25c30a0ef9eb2923d9711d4a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npipe: wakeup wr_wait after setting max_usage\\n\\nCommit c73be61cede5 (\\\"pipe: Add general notification queue support\\\") a\\nregression was introduced that would lock up resized pipes under certain\\nconditions. See the reproducer in [1].\\n\\nThe commit resizing the pipe ring size was moved to a different\\nfunction, doing that moved the wakeup for pipe->wr_wait before actually\\nraising pipe->max_usage. If a pipe was full before the resize occured it\\nwould result in the wakeup never actually triggering pipe_write.\\n\\nSet @max_usage and @nr_accounted before waking writers if this isn't a\\nwatch queue.\\n\\n[Christian Brauner : rewrite to account for watch queues]\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52672\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52673", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52673" + }, + { + "url": "https://git.kernel.org/stable/c/43235db21fc23559f50a62f8f273002eeb506f5a" + }, + { + "url": "https://git.kernel.org/stable/c/efb91fea652a42fcc037d2a9ef4ecd1ffc5ff4b7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52673 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52673", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a debugfs null pointer error\n\n[WHY & HOW]\nCheck whether get_subvp_en() callback exists before calling it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52673\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52673\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52673\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52673\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52673\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/43235db21fc23559f50a62f8f273002eeb506f5a\",\n \"https://git.kernel.org/stable/c/efb91fea652a42fcc037d2a9ef4ecd1ffc5ff4b7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix a debugfs null pointer error\\n\\n[WHY & HOW]\\nCheck whether get_subvp_en() callback exists before calling it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52673\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52674", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52674" + }, + { + "url": "https://git.kernel.org/stable/c/03035872e17897ba89866940bbc9cefca601e572" + }, + { + "url": "https://git.kernel.org/stable/c/04f8f053252b86c7583895c962d66747ecdc61b7" + }, + { + "url": "https://git.kernel.org/stable/c/ad945ea8d47dd4454c271510bea24850119847c2" + }, + { + "url": "https://git.kernel.org/stable/c/d8d8897d65061cbe36bf2909057338303a904810" + }, + { + "url": "https://git.kernel.org/stable/c/e517645ead5ea22c69d2a44694baa23fe1ce7c2b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52674 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52674", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()\n\nEnsure the value passed to scarlett2_mixer_ctl_put() is between 0 and\nSCARLETT2_MIXER_MAX_VALUE so we don't attempt to access outside\nscarlett2_mixer_values[].", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52674\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52674\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52674\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52674\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52674\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03035872e17897ba89866940bbc9cefca601e572\",\n \"https://git.kernel.org/stable/c/04f8f053252b86c7583895c962d66747ecdc61b7\",\n \"https://git.kernel.org/stable/c/ad945ea8d47dd4454c271510bea24850119847c2\",\n \"https://git.kernel.org/stable/c/d8d8897d65061cbe36bf2909057338303a904810\",\n \"https://git.kernel.org/stable/c/e517645ead5ea22c69d2a44694baa23fe1ce7c2b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()\\n\\nEnsure the value passed to scarlett2_mixer_ctl_put() is between 0 and\\nSCARLETT2_MIXER_MAX_VALUE so we don't attempt to access outside\\nscarlett2_mixer_values[].\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52674\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52675", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52675" + }, + { + "url": "https://git.kernel.org/stable/c/024352f7928b28f53609660663329d8c0f4ad032" + }, + { + "url": "https://git.kernel.org/stable/c/0a233867a39078ebb0f575e2948593bbff5826b3" + }, + { + "url": "https://git.kernel.org/stable/c/1e80aa25d186a7aa212df5acd8c75f55ac8dae34" + }, + { + "url": "https://git.kernel.org/stable/c/5a669f3511d273c8c1ab1c1d268fbcdf53fc7a05" + }, + { + "url": "https://git.kernel.org/stable/c/75fc599bcdcb1de093c9ced2e3cccc832f3787f3" + }, + { + "url": "https://git.kernel.org/stable/c/a2da3f9b1a1019c887ee1d164475a8fcdb0a3fec" + }, + { + "url": "https://git.kernel.org/stable/c/c7d828e12b326ea50fb80c369d7aa87519ed14c6" + }, + { + "url": "https://git.kernel.org/stable/c/f105c263009839d80fad6998324a4e1b3511cba0" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52675 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52675", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52675\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52675\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52675\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52675\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52675\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/024352f7928b28f53609660663329d8c0f4ad032\",\n \"https://git.kernel.org/stable/c/0a233867a39078ebb0f575e2948593bbff5826b3\",\n \"https://git.kernel.org/stable/c/1e80aa25d186a7aa212df5acd8c75f55ac8dae34\",\n \"https://git.kernel.org/stable/c/5a669f3511d273c8c1ab1c1d268fbcdf53fc7a05\",\n \"https://git.kernel.org/stable/c/75fc599bcdcb1de093c9ced2e3cccc832f3787f3\",\n \"https://git.kernel.org/stable/c/a2da3f9b1a1019c887ee1d164475a8fcdb0a3fec\",\n \"https://git.kernel.org/stable/c/c7d828e12b326ea50fb80c369d7aa87519ed14c6\",\n \"https://git.kernel.org/stable/c/f105c263009839d80fad6998324a4e1b3511cba0\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\\n\\nkasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52675\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52676", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52676" + }, + { + "url": "https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760" + }, + { + "url": "https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2" + }, + { + "url": "https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52676 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52676", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Guard stack limits against 32bit overflow\n\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\n\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52676\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52676\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52676\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52676\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52676\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760\",\n \"https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2\",\n \"https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Guard stack limits against 32bit overflow\\n\\nThis patch promotes the arithmetic around checking stack bounds to be\\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\\nimplies adding together a 64-bit register with a int offset. The\\nregister was checked to be below 1<<29 when it was variable, but not\\nwhen it was fixed. The offset either comes from an instruction (in which\\ncase it is 16 bit), from another register (in which case the caller\\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\\nkfunc (in which case it can be a u32 [2]). Between the register being\\ninconsistently checked to be below 1<<29, and the offset being up to an\\nu32, it appears that we were open to overflowing the `int`s which were\\ncurrently used for arithmetic.\\n\\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52676\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52677", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52677" + }, + { + "url": "https://git.kernel.org/stable/c/1d7a03052846f34d624d0ab41a879adf5e85c85f" + }, + { + "url": "https://git.kernel.org/stable/c/420370f3ae3d3b883813fd3051a38805160b2b9f" + }, + { + "url": "https://git.kernel.org/stable/c/890cfe5337e0aaf03ece1429db04d23c88da72e7" + }, + { + "url": "https://git.kernel.org/stable/c/8db56df4a954b774bdc68917046a685a9fa2e4bc" + }, + { + "url": "https://git.kernel.org/stable/c/938f70d14618ec72e10d6fcf8a546134136d7c13" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52677 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52677", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Check if the code to patch lies in the exit section\n\nOtherwise we fall through to vmalloc_to_page() which panics since the\naddress does not lie in the vmalloc region.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52677\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52677\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52677\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52677\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52677\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d7a03052846f34d624d0ab41a879adf5e85c85f\",\n \"https://git.kernel.org/stable/c/420370f3ae3d3b883813fd3051a38805160b2b9f\",\n \"https://git.kernel.org/stable/c/890cfe5337e0aaf03ece1429db04d23c88da72e7\",\n \"https://git.kernel.org/stable/c/8db56df4a954b774bdc68917046a685a9fa2e4bc\",\n \"https://git.kernel.org/stable/c/938f70d14618ec72e10d6fcf8a546134136d7c13\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: Check if the code to patch lies in the exit section\\n\\nOtherwise we fall through to vmalloc_to_page() which panics since the\\naddress does not lie in the vmalloc region.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52677\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52679", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52679" + }, + { + "url": "https://git.kernel.org/stable/c/26b4d702c44f9e5cf3c5c001ae619a4a001889db" + }, + { + "url": "https://git.kernel.org/stable/c/4541004084527ce9e95a818ebbc4e6b293ffca21" + }, + { + "url": "https://git.kernel.org/stable/c/4dde83569832f9377362e50f7748463340c5db6b" + }, + { + "url": "https://git.kernel.org/stable/c/a0a061151a6200c13149dbcdb6c065203c8425d2" + }, + { + "url": "https://git.kernel.org/stable/c/b64d09a4e8596f76d27f4b4a90a1cf6baf6a82f8" + }, + { + "url": "https://git.kernel.org/stable/c/b9d760dae5b10e73369b769073525acd7b3be2bd" + }, + { + "url": "https://git.kernel.org/stable/c/cafa992134124e785609a406da4ff2b54052aff7" + }, + { + "url": "https://git.kernel.org/stable/c/d5f490343c77e6708b6c4aa7dbbfbcbb9546adea" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52679 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52679", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: Fix double free in of_parse_phandle_with_args_map\n\nIn of_parse_phandle_with_args_map() the inner loop that\niterates through the map entries calls of_node_put(new)\nto free the reference acquired by the previous iteration\nof the inner loop. This assumes that the value of \"new\" is\nNULL on the first iteration of the inner loop.\n\nMake sure that this is true in all iterations of the outer\nloop by setting \"new\" to NULL after its value is assigned to \"cur\".\n\nExtend the unittest to detect the double free and add an additional\ntest case that actually triggers this path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52679\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52679\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52679\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52679\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52679\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/26b4d702c44f9e5cf3c5c001ae619a4a001889db\",\n \"https://git.kernel.org/stable/c/4541004084527ce9e95a818ebbc4e6b293ffca21\",\n \"https://git.kernel.org/stable/c/4dde83569832f9377362e50f7748463340c5db6b\",\n \"https://git.kernel.org/stable/c/a0a061151a6200c13149dbcdb6c065203c8425d2\",\n \"https://git.kernel.org/stable/c/b64d09a4e8596f76d27f4b4a90a1cf6baf6a82f8\",\n \"https://git.kernel.org/stable/c/b9d760dae5b10e73369b769073525acd7b3be2bd\",\n \"https://git.kernel.org/stable/c/cafa992134124e785609a406da4ff2b54052aff7\",\n \"https://git.kernel.org/stable/c/d5f490343c77e6708b6c4aa7dbbfbcbb9546adea\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nof: Fix double free in of_parse_phandle_with_args_map\\n\\nIn of_parse_phandle_with_args_map() the inner loop that\\niterates through the map entries calls of_node_put(new)\\nto free the reference acquired by the previous iteration\\nof the inner loop. This assumes that the value of \\\"new\\\" is\\nNULL on the first iteration of the inner loop.\\n\\nMake sure that this is true in all iterations of the outer\\nloop by setting \\\"new\\\" to NULL after its value is assigned to \\\"cur\\\".\\n\\nExtend the unittest to detect the double free and add an additional\\ntest case that actually triggers this path.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52679\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52680", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52680" + }, + { + "url": "https://git.kernel.org/stable/c/3a09488f4f67f7ade59b8ac62a6c7fb29439cf51" + }, + { + "url": "https://git.kernel.org/stable/c/50603a67daef161c78c814580d57f7f0be57167e" + }, + { + "url": "https://git.kernel.org/stable/c/773e38f73461ef2134a0d33a08f1668edde9b7c3" + }, + { + "url": "https://git.kernel.org/stable/c/821fbaeaaae23d483d3df799fe91ec8045973ec3" + }, + { + "url": "https://git.kernel.org/stable/c/cda7762bea857e6951315a2f7d0632ea1850ed43" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52680 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52680", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error checks to *_ctl_get()\n\nThe *_ctl_get() functions which call scarlett2_update_*() were not\nchecking the return value. Fix to check the return value and pass to\nthe caller.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52680\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52680\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52680\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52680\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52680\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3a09488f4f67f7ade59b8ac62a6c7fb29439cf51\",\n \"https://git.kernel.org/stable/c/50603a67daef161c78c814580d57f7f0be57167e\",\n \"https://git.kernel.org/stable/c/773e38f73461ef2134a0d33a08f1668edde9b7c3\",\n \"https://git.kernel.org/stable/c/821fbaeaaae23d483d3df799fe91ec8045973ec3\",\n \"https://git.kernel.org/stable/c/cda7762bea857e6951315a2f7d0632ea1850ed43\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: scarlett2: Add missing error checks to *_ctl_get()\\n\\nThe *_ctl_get() functions which call scarlett2_update_*() were not\\nchecking the return value. Fix to check the return value and pass to\\nthe caller.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52680\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52682", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52682" + }, + { + "url": "https://git.kernel.org/stable/c/4535be48780431753505e74e1b1ad4836a189bc2" + }, + { + "url": "https://git.kernel.org/stable/c/55fdc1c24a1d6229fe0ecf31335fb9a2eceaaa00" + }, + { + "url": "https://git.kernel.org/stable/c/9bfd5ea71521d0e522ba581c6ccc5db93759c0c3" + }, + { + "url": "https://git.kernel.org/stable/c/f904c156d8011d8291ffd5b6b398f3747e294986" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52682 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52682", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to wait on block writeback for post_read case\n\nIf inode is compressed, but not encrypted, it missed to call\nf2fs_wait_on_block_writeback() to wait for GCed page writeback\nin IPU write path.\n\nThread A\t\t\t\tGC-Thread\n\t\t\t\t\t- f2fs_gc\n\t\t\t\t\t - do_garbage_collect\n\t\t\t\t\t - gc_data_segment\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t - f2fs_submit_page_write\n\t\t\t\t\t migrate normal cluster's block via\n\t\t\t\t\t meta_inode's page cache\n- f2fs_write_single_data_page\n - f2fs_do_write_data_page\n - f2fs_inplace_write_data\n - f2fs_submit_page_bio\n\nIRQ\n- f2fs_read_end_io\n\t\t\t\t\tIRQ\n\t\t\t\t\told data overrides new data due to\n\t\t\t\t\tout-of-order GC and common IO.\n\t\t\t\t\t- f2fs_read_end_io", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52682\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52682\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52682\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52682\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52682\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4535be48780431753505e74e1b1ad4836a189bc2\",\n \"https://git.kernel.org/stable/c/55fdc1c24a1d6229fe0ecf31335fb9a2eceaaa00\",\n \"https://git.kernel.org/stable/c/9bfd5ea71521d0e522ba581c6ccc5db93759c0c3\",\n \"https://git.kernel.org/stable/c/f904c156d8011d8291ffd5b6b398f3747e294986\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to wait on block writeback for post_read case\\n\\nIf inode is compressed, but not encrypted, it missed to call\\nf2fs_wait_on_block_writeback() to wait for GCed page writeback\\nin IPU write path.\\n\\nThread A\\t\\t\\t\\tGC-Thread\\n\\t\\t\\t\\t\\t- f2fs_gc\\n\\t\\t\\t\\t\\t - do_garbage_collect\\n\\t\\t\\t\\t\\t - gc_data_segment\\n\\t\\t\\t\\t\\t - move_data_block\\n\\t\\t\\t\\t\\t - f2fs_submit_page_write\\n\\t\\t\\t\\t\\t migrate normal cluster's block via\\n\\t\\t\\t\\t\\t meta_inode's page cache\\n- f2fs_write_single_data_page\\n - f2fs_do_write_data_page\\n - f2fs_inplace_write_data\\n - f2fs_submit_page_bio\\n\\nIRQ\\n- f2fs_read_end_io\\n\\t\\t\\t\\t\\tIRQ\\n\\t\\t\\t\\t\\told data overrides new data due to\\n\\t\\t\\t\\t\\tout-of-order GC and common IO.\\n\\t\\t\\t\\t\\t- f2fs_read_end_io\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52682\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52683", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52683" + }, + { + "url": "https://git.kernel.org/stable/c/56d2eeda87995245300836ee4dbd13b002311782" + }, + { + "url": "https://git.kernel.org/stable/c/647d1d50c31e60ef9ccb9756a8fdf863329f7aee" + }, + { + "url": "https://git.kernel.org/stable/c/6c38e791bde07d6ca2a0a619ff9b6837e0d5f9ad" + }, + { + "url": "https://git.kernel.org/stable/c/72222dfd76a79d9666ab3117fcdd44ca8cd0c4de" + }, + { + "url": "https://git.kernel.org/stable/c/b7aab9d906e2e252a7783f872406033ec49b6dae" + }, + { + "url": "https://git.kernel.org/stable/c/c1814a4ffd016ce5392c6767d22ef3aa2f0d4bd1" + }, + { + "url": "https://git.kernel.org/stable/c/d1ac288b2742aa4af746c5613bac71760fadd1c4" + }, + { + "url": "https://git.kernel.org/stable/c/f39c3d578c7d09a18ceaf56750fc7f20b02ada63" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52683 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52683", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: LPIT: Avoid u32 multiplication overflow\n\nIn lpit_update_residency() there is a possibility of overflow\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\n\nChange multiplication to mul_u32_u32().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52683\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52683\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52683\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52683\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52683\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/56d2eeda87995245300836ee4dbd13b002311782\",\n \"https://git.kernel.org/stable/c/647d1d50c31e60ef9ccb9756a8fdf863329f7aee\",\n \"https://git.kernel.org/stable/c/6c38e791bde07d6ca2a0a619ff9b6837e0d5f9ad\",\n \"https://git.kernel.org/stable/c/72222dfd76a79d9666ab3117fcdd44ca8cd0c4de\",\n \"https://git.kernel.org/stable/c/b7aab9d906e2e252a7783f872406033ec49b6dae\",\n \"https://git.kernel.org/stable/c/c1814a4ffd016ce5392c6767d22ef3aa2f0d4bd1\",\n \"https://git.kernel.org/stable/c/d1ac288b2742aa4af746c5613bac71760fadd1c4\",\n \"https://git.kernel.org/stable/c/f39c3d578c7d09a18ceaf56750fc7f20b02ada63\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nACPI: LPIT: Avoid u32 multiplication overflow\\n\\nIn lpit_update_residency() there is a possibility of overflow\\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\\n\\nChange multiplication to mul_u32_u32().\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52683\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52685", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52685" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52685 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52685", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52685\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52685\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52685\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52685\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52685\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52685\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52686", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52686" + }, + { + "url": "https://git.kernel.org/stable/c/8422d179cf46889c15ceff9ede48c5bfa4e7f0b4" + }, + { + "url": "https://git.kernel.org/stable/c/8649829a1dd25199bbf557b2621cedb4bf9b3050" + }, + { + "url": "https://git.kernel.org/stable/c/9a523e1da6d88c2034f946adfa4f74b236c95ca9" + }, + { + "url": "https://git.kernel.org/stable/c/a14c55eb461d630b836f80591d8caf1f74e62877" + }, + { + "url": "https://git.kernel.org/stable/c/c0b111ea786ddcc8be0682612830796ece9436c7" + }, + { + "url": "https://git.kernel.org/stable/c/e08c2e275fa1874de945b87093f925997722ee42" + }, + { + "url": "https://git.kernel.org/stable/c/e6ad05e3ae9c84c5a71d7bb2d44dc845ae7990cf" + }, + { + "url": "https://git.kernel.org/stable/c/e93d7cf4c1ddbcd846739e7ad849f955a4f18031" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52686 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52686", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_event_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52686\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52686\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52686\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52686\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52686\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8422d179cf46889c15ceff9ede48c5bfa4e7f0b4\",\n \"https://git.kernel.org/stable/c/8649829a1dd25199bbf557b2621cedb4bf9b3050\",\n \"https://git.kernel.org/stable/c/9a523e1da6d88c2034f946adfa4f74b236c95ca9\",\n \"https://git.kernel.org/stable/c/a14c55eb461d630b836f80591d8caf1f74e62877\",\n \"https://git.kernel.org/stable/c/c0b111ea786ddcc8be0682612830796ece9436c7\",\n \"https://git.kernel.org/stable/c/e08c2e275fa1874de945b87093f925997722ee42\",\n \"https://git.kernel.org/stable/c/e6ad05e3ae9c84c5a71d7bb2d44dc845ae7990cf\",\n \"https://git.kernel.org/stable/c/e93d7cf4c1ddbcd846739e7ad849f955a4f18031\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/powernv: Add a null pointer check in opal_event_init()\\n\\nkasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52686\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52690", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52690" + }, + { + "url": "https://git.kernel.org/stable/c/1eefa93faf69188540b08b024794fa90b1d82e8b" + }, + { + "url": "https://git.kernel.org/stable/c/2a82c4439b903639e0a1f21990cd399fb0a49c19" + }, + { + "url": "https://git.kernel.org/stable/c/9a260f2dd827bbc82cc60eb4f4d8c22707d80742" + }, + { + "url": "https://git.kernel.org/stable/c/a9c05cbb6644a2103c75b6906e9dafb9981ebd13" + }, + { + "url": "https://git.kernel.org/stable/c/dd8422ff271c22058560832fc3006324ded895a9" + }, + { + "url": "https://git.kernel.org/stable/c/ed8d023cfa97b559db58c0e1afdd2eec7a83d8f2" + }, + { + "url": "https://git.kernel.org/stable/c/f84c1446daa552e9699da8d1f8375eac0f65edc7" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52690 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52690", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.\nAdd a null pointer check, and release 'ent' to avoid memory leaks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52690\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52690\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52690\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52690\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52690\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1eefa93faf69188540b08b024794fa90b1d82e8b\",\n \"https://git.kernel.org/stable/c/2a82c4439b903639e0a1f21990cd399fb0a49c19\",\n \"https://git.kernel.org/stable/c/9a260f2dd827bbc82cc60eb4f4d8c22707d80742\",\n \"https://git.kernel.org/stable/c/a9c05cbb6644a2103c75b6906e9dafb9981ebd13\",\n \"https://git.kernel.org/stable/c/dd8422ff271c22058560832fc3006324ded895a9\",\n \"https://git.kernel.org/stable/c/ed8d023cfa97b559db58c0e1afdd2eec7a83d8f2\",\n \"https://git.kernel.org/stable/c/f84c1446daa552e9699da8d1f8375eac0f65edc7\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\\n\\nkasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure.\\nAdd a null pointer check, and release 'ent' to avoid memory leaks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52690\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52691", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52691" + }, + { + "url": "https://git.kernel.org/stable/c/06d95c99d5a4f5accdb79464076efe62e668c706" + }, + { + "url": "https://git.kernel.org/stable/c/2bf47c89bbaca2bae16581ef1b28aaec0ade0334" + }, + { + "url": "https://git.kernel.org/stable/c/ac16667237a82e2597e329eb9bc520d1cf9dff30" + }, + { + "url": "https://git.kernel.org/stable/c/aeed2b4e4a70c7568d4a5eecd6a109713c0dfbf4" + }, + { + "url": "https://git.kernel.org/stable/c/afe9f5b871f86d58ecdc45b217b662227d7890d0" + }, + { + "url": "https://git.kernel.org/stable/c/ca8e2e251c65e5a712f6025e27bd9b26d16e6f4a" + }, + { + "url": "https://git.kernel.org/stable/c/f957a1be647f7fc65926cbf572992ec2747a93f2" + }, + { + "url": "https://git.kernel.org/stable/c/fb1936cb587262cd539e84b34541abb06e42b2f9" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52691 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52691", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix a double-free in si_dpm_init\n\nWhen the allocation of\nadev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,\namdgpu_free_extended_power_table is called to free some fields of adev.\nHowever, when the control flow returns to si_dpm_sw_init, it goes to\nlabel dpm_failed and calls si_dpm_fini, which calls\namdgpu_free_extended_power_table again and free those fields again. Thus\na double-free is triggered.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52691\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52691\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52691\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52691\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52691\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06d95c99d5a4f5accdb79464076efe62e668c706\",\n \"https://git.kernel.org/stable/c/2bf47c89bbaca2bae16581ef1b28aaec0ade0334\",\n \"https://git.kernel.org/stable/c/ac16667237a82e2597e329eb9bc520d1cf9dff30\",\n \"https://git.kernel.org/stable/c/aeed2b4e4a70c7568d4a5eecd6a109713c0dfbf4\",\n \"https://git.kernel.org/stable/c/afe9f5b871f86d58ecdc45b217b662227d7890d0\",\n \"https://git.kernel.org/stable/c/ca8e2e251c65e5a712f6025e27bd9b26d16e6f4a\",\n \"https://git.kernel.org/stable/c/f957a1be647f7fc65926cbf572992ec2747a93f2\",\n \"https://git.kernel.org/stable/c/fb1936cb587262cd539e84b34541abb06e42b2f9\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/pm: fix a double-free in si_dpm_init\\n\\nWhen the allocation of\\nadev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,\\namdgpu_free_extended_power_table is called to free some fields of adev.\\nHowever, when the control flow returns to si_dpm_sw_init, it goes to\\nlabel dpm_failed and calls si_dpm_fini, which calls\\namdgpu_free_extended_power_table again and free those fields again. Thus\\na double-free is triggered.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52691\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52692", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52692" + }, + { + "url": "https://git.kernel.org/stable/c/145c5aa51486171025ab47f35cff34bff8d0cea3" + }, + { + "url": "https://git.kernel.org/stable/c/51d5697e1c0380d482c3eab002bfc8d0be177e99" + }, + { + "url": "https://git.kernel.org/stable/c/996fde492ad9b9563ee483b363af40d7696a8467" + }, + { + "url": "https://git.kernel.org/stable/c/be96acd3eaa790d10a5b33e65267f52d02f6ad88" + }, + { + "url": "https://git.kernel.org/stable/c/ca459dfa7d4ed9098fcf13e410963be6ae9b6bf3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52692 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52692", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()\n\nscarlett2_usb_set_config() calls scarlett2_usb_get() but was not\nchecking the result. Return the error if it fails rather than\ncontinuing with an invalid value.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52692\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52692\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52692\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52692\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52692\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/145c5aa51486171025ab47f35cff34bff8d0cea3\",\n \"https://git.kernel.org/stable/c/51d5697e1c0380d482c3eab002bfc8d0be177e99\",\n \"https://git.kernel.org/stable/c/996fde492ad9b9563ee483b363af40d7696a8467\",\n \"https://git.kernel.org/stable/c/be96acd3eaa790d10a5b33e65267f52d02f6ad88\",\n \"https://git.kernel.org/stable/c/ca459dfa7d4ed9098fcf13e410963be6ae9b6bf3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()\\n\\nscarlett2_usb_set_config() calls scarlett2_usb_get() but was not\\nchecking the result. Return the error if it fails rather than\\ncontinuing with an invalid value.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52692\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52693", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52693" + }, + { + "url": "https://git.kernel.org/stable/c/1e3a2b9b4039bb4d136dca59fb31e06465e056f3" + }, + { + "url": "https://git.kernel.org/stable/c/2124c5bc22948fc4d09a23db4a8acdccc7d21e95" + }, + { + "url": "https://git.kernel.org/stable/c/39af144b6d01d9b40f52e5d773e653957e6c379c" + }, + { + "url": "https://git.kernel.org/stable/c/3a370502a5681986f9828e43be75ce26c6ab24af" + }, + { + "url": "https://git.kernel.org/stable/c/556f02699d33c1f40b1b31bd25828ce08fa165d8" + }, + { + "url": "https://git.kernel.org/stable/c/72884ce4e10417b1233b614bf134da852df0f15f" + }, + { + "url": "https://git.kernel.org/stable/c/c4e1a0ef0b4782854c9b77a333ca912b392bed2f" + }, + { + "url": "https://git.kernel.org/stable/c/ccd45faf4973746c4f30ea41eec864e5cf191099" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52693 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52693", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: check for error while searching for backlight device parent\n\nIf acpi_get_parent() called in acpi_video_dev_register_backlight()\nfails, for example, because acpi_ut_acquire_mutex() fails inside\nacpi_get_parent), this can lead to incorrect (uninitialized)\nacpi_parent handle being passed to acpi_get_pci_dev() for detecting\nthe parent pci device.\n\nCheck acpi_get_parent() result and set parent device only in case of success.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52693\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52693\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52693\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52693\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52693\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e3a2b9b4039bb4d136dca59fb31e06465e056f3\",\n \"https://git.kernel.org/stable/c/2124c5bc22948fc4d09a23db4a8acdccc7d21e95\",\n \"https://git.kernel.org/stable/c/39af144b6d01d9b40f52e5d773e653957e6c379c\",\n \"https://git.kernel.org/stable/c/3a370502a5681986f9828e43be75ce26c6ab24af\",\n \"https://git.kernel.org/stable/c/556f02699d33c1f40b1b31bd25828ce08fa165d8\",\n \"https://git.kernel.org/stable/c/72884ce4e10417b1233b614bf134da852df0f15f\",\n \"https://git.kernel.org/stable/c/c4e1a0ef0b4782854c9b77a333ca912b392bed2f\",\n \"https://git.kernel.org/stable/c/ccd45faf4973746c4f30ea41eec864e5cf191099\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nACPI: video: check for error while searching for backlight device parent\\n\\nIf acpi_get_parent() called in acpi_video_dev_register_backlight()\\nfails, for example, because acpi_ut_acquire_mutex() fails inside\\nacpi_get_parent), this can lead to incorrect (uninitialized)\\nacpi_parent handle being passed to acpi_get_pci_dev() for detecting\\nthe parent pci device.\\n\\nCheck acpi_get_parent() result and set parent device only in case of success.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52693\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52694", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52694" + }, + { + "url": "https://git.kernel.org/stable/c/08ccff6ece35f08e8107e975903c370d849089e5" + }, + { + "url": "https://git.kernel.org/stable/c/53926e2a39629702f7f809d614b3ca89c2478205" + }, + { + "url": "https://git.kernel.org/stable/c/81f1bd85960b7a089a91e679ff7cd2524390bbf1" + }, + { + "url": "https://git.kernel.org/stable/c/a8657406e12aa10412134622c58977ac657f16d2" + }, + { + "url": "https://git.kernel.org/stable/c/ce3e112e7ae854249d8755906acc5f27e1542114" + }, + { + "url": "https://git.kernel.org/stable/c/e00ec5901954d85b39b5f10f94e60ab9af463eb1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52694 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52694", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\n\nWith tpd12s015_remove() marked with __exit this function is discarded\nwhen the driver is compiled as a built-in. The result is that when the\ndriver unbinds there is no cleanup done which results in resource\nleakage or worse.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52694\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52694\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52694\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52694\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52694\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08ccff6ece35f08e8107e975903c370d849089e5\",\n \"https://git.kernel.org/stable/c/53926e2a39629702f7f809d614b3ca89c2478205\",\n \"https://git.kernel.org/stable/c/81f1bd85960b7a089a91e679ff7cd2524390bbf1\",\n \"https://git.kernel.org/stable/c/a8657406e12aa10412134622c58977ac657f16d2\",\n \"https://git.kernel.org/stable/c/ce3e112e7ae854249d8755906acc5f27e1542114\",\n \"https://git.kernel.org/stable/c/e00ec5901954d85b39b5f10f94e60ab9af463eb1\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\\n\\nWith tpd12s015_remove() marked with __exit this function is discarded\\nwhen the driver is compiled as a built-in. The result is that when the\\ndriver unbinds there is no cleanup done which results in resource\\nleakage or worse.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52694\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52696", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52696" + }, + { + "url": "https://git.kernel.org/stable/c/69f95c5e9220f77ce7c540686b056c2b49e9a664" + }, + { + "url": "https://git.kernel.org/stable/c/6b58d16037217d0c64a2a09b655f370403ec7219" + }, + { + "url": "https://git.kernel.org/stable/c/9da4a56dd3772570512ca58aa8832b052ae910dc" + }, + { + "url": "https://git.kernel.org/stable/c/a67a04ad05acb56640798625e73fa54d6d41cce1" + }, + { + "url": "https://git.kernel.org/stable/c/b02ecc35d01a76b4235e008d2dd292895b28ecab" + }, + { + "url": "https://git.kernel.org/stable/c/e123015c0ba859cf48aa7f89c5016cc6e98e018d" + }, + { + "url": "https://git.kernel.org/stable/c/f152a6bfd187f67afeffc9fd68cbe46f51439be0" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52696 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52696", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_powercap_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52696\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52696\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52696\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52696\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52696\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/69f95c5e9220f77ce7c540686b056c2b49e9a664\",\n \"https://git.kernel.org/stable/c/6b58d16037217d0c64a2a09b655f370403ec7219\",\n \"https://git.kernel.org/stable/c/9da4a56dd3772570512ca58aa8832b052ae910dc\",\n \"https://git.kernel.org/stable/c/a67a04ad05acb56640798625e73fa54d6d41cce1\",\n \"https://git.kernel.org/stable/c/b02ecc35d01a76b4235e008d2dd292895b28ecab\",\n \"https://git.kernel.org/stable/c/e123015c0ba859cf48aa7f89c5016cc6e98e018d\",\n \"https://git.kernel.org/stable/c/f152a6bfd187f67afeffc9fd68cbe46f51439be0\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/powernv: Add a null pointer check in opal_powercap_init()\\n\\nkasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52696\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52698", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52698" + }, + { + "url": "https://git.kernel.org/stable/c/321b3a5592c8a9d6b654c7c64833ea67dbb33149" + }, + { + "url": "https://git.kernel.org/stable/c/36e19f84634aaa94f543fedc0a07588949638d53" + }, + { + "url": "https://git.kernel.org/stable/c/408bbd1e1746fe33e51f4c81c2febd7d3841d031" + }, + { + "url": "https://git.kernel.org/stable/c/44a88650ba55e6a7f2ec485d2c2413ba7e216f01" + }, + { + "url": "https://git.kernel.org/stable/c/9a8f811a146aa2a0230f8edb2e9f4b6609aab8da" + }, + { + "url": "https://git.kernel.org/stable/c/a4529a08d3704c17ea9c7277d180e46b99250ded" + }, + { + "url": "https://git.kernel.org/stable/c/ec4e9d630a64df500641892f4e259e8149594a99" + }, + { + "url": "https://git.kernel.org/stable/c/f14d36e6e97fe935a20e0ceb159c100f90b6627c" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52698 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52698", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncalipso: fix memory leak in netlbl_calipso_add_pass()\n\nIf IPv6 support is disabled at boot (ipv6.disable=1),\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\nand the netlbl_calipso_ops_get() function always returns NULL.\nIn this case, the netlbl_calipso_add_pass() function allocates memory\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\n\nBUG: memory leak\nunreferenced object 0xffff888011d68180 (size 64):\n comm \"syz-executor.1\", pid 10746, jiffies 4295410986 (age 17.928s)\n hex dump (first 32 bytes):\n 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<...>] kmalloc include/linux/slab.h:552 [inline]\n [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\n [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\n [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\n [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\n [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\n [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\n [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\n [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\n [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\n [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\n [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller\n\n[PM: merged via the LSM tree at Jakub Kicinski request]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52698\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52698\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52698\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52698\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52698\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/321b3a5592c8a9d6b654c7c64833ea67dbb33149\",\n \"https://git.kernel.org/stable/c/36e19f84634aaa94f543fedc0a07588949638d53\",\n \"https://git.kernel.org/stable/c/408bbd1e1746fe33e51f4c81c2febd7d3841d031\",\n \"https://git.kernel.org/stable/c/44a88650ba55e6a7f2ec485d2c2413ba7e216f01\",\n \"https://git.kernel.org/stable/c/9a8f811a146aa2a0230f8edb2e9f4b6609aab8da\",\n \"https://git.kernel.org/stable/c/a4529a08d3704c17ea9c7277d180e46b99250ded\",\n \"https://git.kernel.org/stable/c/ec4e9d630a64df500641892f4e259e8149594a99\",\n \"https://git.kernel.org/stable/c/f14d36e6e97fe935a20e0ceb159c100f90b6627c\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncalipso: fix memory leak in netlbl_calipso_add_pass()\\n\\nIf IPv6 support is disabled at boot (ipv6.disable=1),\\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\\nand the netlbl_calipso_ops_get() function always returns NULL.\\nIn this case, the netlbl_calipso_add_pass() function allocates memory\\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\\n\\nBUG: memory leak\\nunreferenced object 0xffff888011d68180 (size 64):\\n comm \\\"syz-executor.1\\\", pid 10746, jiffies 4295410986 (age 17.928s)\\n hex dump (first 32 bytes):\\n 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n backtrace:\\n [<...>] kmalloc include/linux/slab.h:552 [inline]\\n [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\\n [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\\n [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\\n [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\\n [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\\n [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\\n [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\\n [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\\n [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\\n [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\\n [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\\n [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\\n [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\\n [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\\n [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\\n [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\\n [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\\n\\nFound by InfoTeCS on behalf of Linux Verification Center\\n(linuxtesting.org) with Syzkaller\\n\\n[PM: merged via the LSM tree at Jakub Kicinski request]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52698\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52699", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52699" + }, + { + "url": "https://git.kernel.org/stable/c/13b33feb2ebddc2b1aa607f553566b18a4af1d76" + }, + { + "url": "https://git.kernel.org/stable/c/1b4fe801b5bedec2b622ddb18e5c9bf26c63d79f" + }, + { + "url": "https://git.kernel.org/stable/c/53cb1e52c9db618c08335984d1ca80db220ccf09" + }, + { + "url": "https://git.kernel.org/stable/c/674c1c4229e743070e09db63a23442950ff000d1" + }, + { + "url": "https://git.kernel.org/stable/c/89e8524135a3902e7563a5a59b7b5ec1bf4904ac" + }, + { + "url": "https://git.kernel.org/stable/c/a69224223746ab96d43e5db9d22d136827b7e2d3" + }, + { + "url": "https://git.kernel.org/stable/c/f123dc86388cb669c3d6322702dc441abc35c31e" + }, + { + "url": "https://git.kernel.org/stable/c/fd203d2c671bdee9ab77090ff394d3b71b627927" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52699 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52699", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysv: don't call sb_bread() with pointers_lock held\n\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\nsb_bread() is called with rw_spinlock held.\n\nA \"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\" bug\nand a \"sb_bread() with write_lock(&pointers_lock)\" bug were introduced by\n\"Replace BKL for chain locking with sysvfs-private rwlock\" in Linux 2.5.12.\n\nThen, \"[PATCH] err1-40: sysvfs locking fix\" in Linux 2.6.8 fixed the\nformer bug by moving pointers_lock lock to the callers, but instead\nintroduced a \"sb_bread() with read_lock(&pointers_lock)\" bug (which made\nthis problem easier to hit).\n\nAl Viro suggested that why not to do like get_branch()/get_block()/\nfind_shared() in Minix filesystem does. And doing like that is almost a\nrevert of \"[PATCH] err1-40: sysvfs locking fix\" except that get_branch()\n from with find_shared() is called without write_lock(&pointers_lock).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52699\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52699\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52699\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52699\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52699\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13b33feb2ebddc2b1aa607f553566b18a4af1d76\",\n \"https://git.kernel.org/stable/c/1b4fe801b5bedec2b622ddb18e5c9bf26c63d79f\",\n \"https://git.kernel.org/stable/c/53cb1e52c9db618c08335984d1ca80db220ccf09\",\n \"https://git.kernel.org/stable/c/674c1c4229e743070e09db63a23442950ff000d1\",\n \"https://git.kernel.org/stable/c/89e8524135a3902e7563a5a59b7b5ec1bf4904ac\",\n \"https://git.kernel.org/stable/c/a69224223746ab96d43e5db9d22d136827b7e2d3\",\n \"https://git.kernel.org/stable/c/f123dc86388cb669c3d6322702dc441abc35c31e\",\n \"https://git.kernel.org/stable/c/fd203d2c671bdee9ab77090ff394d3b71b627927\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsysv: don't call sb_bread() with pointers_lock held\\n\\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\\nsb_bread() is called with rw_spinlock held.\\n\\nA \\\"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\\\" bug\\nand a \\\"sb_bread() with write_lock(&pointers_lock)\\\" bug were introduced by\\n\\\"Replace BKL for chain locking with sysvfs-private rwlock\\\" in Linux 2.5.12.\\n\\nThen, \\\"[PATCH] err1-40: sysvfs locking fix\\\" in Linux 2.6.8 fixed the\\nformer bug by moving pointers_lock lock to the callers, but instead\\nintroduced a \\\"sb_bread() with read_lock(&pointers_lock)\\\" bug (which made\\nthis problem easier to hit).\\n\\nAl Viro suggested that why not to do like get_branch()/get_block()/\\nfind_shared() in Minix filesystem does. And doing like that is almost a\\nrevert of \\\"[PATCH] err1-40: sysvfs locking fix\\\" except that get_branch()\\n from with find_shared() is called without write_lock(&pointers_lock).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52699\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52700", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52700" + }, + { + "url": "https://git.kernel.org/stable/c/11a4d6f67cf55883dc78e31c247d1903ed7feccc" + }, + { + "url": "https://git.kernel.org/stable/c/54b6082aec178f16ad6d193b4ecdc9c4823d9a32" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52700 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52700", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix kernel warning when sending SYN message\n\nWhen sending a SYN message, this kernel stack trace is observed:\n\n...\n[ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550\n...\n[ 13.398494] Call Trace:\n[ 13.398630] \n[ 13.398630] ? __alloc_skb+0xed/0x1a0\n[ 13.398630] tipc_msg_build+0x12c/0x670 [tipc]\n[ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290\n[ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc]\n[ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc]\n[ 13.398630] ? __local_bh_enable_ip+0x37/0x80\n[ 13.398630] tipc_connect+0x1d9/0x230 [tipc]\n[ 13.398630] ? __sys_connect+0x9f/0xd0\n[ 13.398630] __sys_connect+0x9f/0xd0\n[ 13.398630] ? preempt_count_add+0x4d/0xa0\n[ 13.398630] ? fpregs_assert_state_consistent+0x22/0x50\n[ 13.398630] __x64_sys_connect+0x16/0x20\n[ 13.398630] do_syscall_64+0x42/0x90\n[ 13.398630] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIt is because commit a41dad905e5a (\"iov_iter: saner checks for attempt\nto copy to/from iterator\") has introduced sanity check for copying\nfrom/to iov iterator. Lacking of copy direction from the iterator\nviewpoint would lead to kernel stack trace like above.\n\nThis commit fixes this issue by initializing the iov iterator with\nthe correct copy direction when sending SYN or ACK without data.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52700\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52700\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52700\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52700\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52700\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11a4d6f67cf55883dc78e31c247d1903ed7feccc\",\n \"https://git.kernel.org/stable/c/54b6082aec178f16ad6d193b4ecdc9c4823d9a32\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: fix kernel warning when sending SYN message\\n\\nWhen sending a SYN message, this kernel stack trace is observed:\\n\\n...\\n[ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550\\n...\\n[ 13.398494] Call Trace:\\n[ 13.398630] \\n[ 13.398630] ? __alloc_skb+0xed/0x1a0\\n[ 13.398630] tipc_msg_build+0x12c/0x670 [tipc]\\n[ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290\\n[ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc]\\n[ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc]\\n[ 13.398630] ? __local_bh_enable_ip+0x37/0x80\\n[ 13.398630] tipc_connect+0x1d9/0x230 [tipc]\\n[ 13.398630] ? __sys_connect+0x9f/0xd0\\n[ 13.398630] __sys_connect+0x9f/0xd0\\n[ 13.398630] ? preempt_count_add+0x4d/0xa0\\n[ 13.398630] ? fpregs_assert_state_consistent+0x22/0x50\\n[ 13.398630] __x64_sys_connect+0x16/0x20\\n[ 13.398630] do_syscall_64+0x42/0x90\\n[ 13.398630] entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nIt is because commit a41dad905e5a (\\\"iov_iter: saner checks for attempt\\nto copy to/from iterator\\\") has introduced sanity check for copying\\nfrom/to iov iterator. Lacking of copy direction from the iterator\\nviewpoint would lead to kernel stack trace like above.\\n\\nThis commit fixes this issue by initializing the iov iterator with\\nthe correct copy direction when sending SYN or ACK without data.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52700\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52701", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52701" + }, + { + "url": "https://git.kernel.org/stable/c/2558b8039d059342197610498c8749ad294adee5" + }, + { + "url": "https://git.kernel.org/stable/c/863a7de987f02a901bf215509276a7de0370e0f9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52701 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52701", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use a bounce buffer for copying skb->mark\n\nsyzbot found arm64 builds would crash in sock_recv_mark()\nwhen CONFIG_HARDENED_USERCOPY=y\n\nx86 and powerpc are not detecting the issue because\nthey define user_access_begin.\nThis will be handled in a different patch,\nbecause a check_object_size() is missing.\n\nOnly data from skb->cb[] can be copied directly to/from user space,\nas explained in commit 79a8a642bf05 (\"net: Whitelist\nthe skbuff_head_cache \"cb\" field\")\n\nsyzbot report was:\nusercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)!\n------------[ cut here ]------------\nkernel BUG at mm/usercopy.c:102 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : usercopy_abort+0x90/0x94 mm/usercopy.c:90\nlr : usercopy_abort+0x90/0x94 mm/usercopy.c:90\nsp : ffff80000fb9b9a0\nx29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00\nx26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000\nx23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8\nx20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000\nx17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118\nx14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400\nx11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00\nx8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c\nCall trace:\nusercopy_abort+0x90/0x94 mm/usercopy.c:90\n__check_heap_object+0xa8/0x100 mm/slub.c:4761\ncheck_heap_object mm/usercopy.c:196 [inline]\n__check_object_size+0x208/0x6b8 mm/usercopy.c:251\ncheck_object_size include/linux/thread_info.h:199 [inline]\n__copy_to_user include/linux/uaccess.h:115 [inline]\nput_cmsg+0x408/0x464 net/core/scm.c:238\nsock_recv_mark net/socket.c:975 [inline]\n__sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984\nsock_recv_cmsgs include/net/sock.h:2728 [inline]\npacket_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482\n____sys_recvmsg+0x110/0x3a0\n___sys_recvmsg net/socket.c:2737 [inline]\n__sys_recvmsg+0x194/0x210 net/socket.c:2767\n__do_sys_recvmsg net/socket.c:2777 [inline]\n__se_sys_recvmsg net/socket.c:2774 [inline]\n__arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774\n__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\ninvoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52\nel0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142\ndo_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193\nel0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637\nel0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591\nCode: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52701\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52701\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52701\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52701\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52701\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2558b8039d059342197610498c8749ad294adee5\",\n \"https://git.kernel.org/stable/c/863a7de987f02a901bf215509276a7de0370e0f9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: use a bounce buffer for copying skb->mark\\n\\nsyzbot found arm64 builds would crash in sock_recv_mark()\\nwhen CONFIG_HARDENED_USERCOPY=y\\n\\nx86 and powerpc are not detecting the issue because\\nthey define user_access_begin.\\nThis will be handled in a different patch,\\nbecause a check_object_size() is missing.\\n\\nOnly data from skb->cb[] can be copied directly to/from user space,\\nas explained in commit 79a8a642bf05 (\\\"net: Whitelist\\nthe skbuff_head_cache \\\"cb\\\" field\\\")\\n\\nsyzbot report was:\\nusercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)!\\n------------[ cut here ]------------\\nkernel BUG at mm/usercopy.c:102 !\\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\\nModules linked in:\\nCPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023\\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : usercopy_abort+0x90/0x94 mm/usercopy.c:90\\nlr : usercopy_abort+0x90/0x94 mm/usercopy.c:90\\nsp : ffff80000fb9b9a0\\nx29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00\\nx26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000\\nx23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8\\nx20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000\\nx17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118\\nx14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400\\nx11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00\\nx8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000\\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\\nx2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c\\nCall trace:\\nusercopy_abort+0x90/0x94 mm/usercopy.c:90\\n__check_heap_object+0xa8/0x100 mm/slub.c:4761\\ncheck_heap_object mm/usercopy.c:196 [inline]\\n__check_object_size+0x208/0x6b8 mm/usercopy.c:251\\ncheck_object_size include/linux/thread_info.h:199 [inline]\\n__copy_to_user include/linux/uaccess.h:115 [inline]\\nput_cmsg+0x408/0x464 net/core/scm.c:238\\nsock_recv_mark net/socket.c:975 [inline]\\n__sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984\\nsock_recv_cmsgs include/net/sock.h:2728 [inline]\\npacket_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482\\n____sys_recvmsg+0x110/0x3a0\\n___sys_recvmsg net/socket.c:2737 [inline]\\n__sys_recvmsg+0x194/0x210 net/socket.c:2767\\n__do_sys_recvmsg net/socket.c:2777 [inline]\\n__se_sys_recvmsg net/socket.c:2774 [inline]\\n__arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774\\n__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\\ninvoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52\\nel0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142\\ndo_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193\\nel0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637\\nel0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655\\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591\\nCode: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52701\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52702", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52702" + }, + { + "url": "https://git.kernel.org/stable/c/1563e998a938f095548054ef09e277b562b79536" + }, + { + "url": "https://git.kernel.org/stable/c/2fa28f5c6fcbfc794340684f36d2581b4f2d20b5" + }, + { + "url": "https://git.kernel.org/stable/c/c0f65ee0a3329eb4b94beaef0268633696e2d0c6" + }, + { + "url": "https://git.kernel.org/stable/c/e336a9e08618203a456fb5367f1387b14554f55e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52702 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52702", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix possible memory leak in ovs_meter_cmd_set()\n\nold_meter needs to be free after it is detached regardless of whether\nthe new meter is successfully attached.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52702\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52702\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52702\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52702\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52702\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1563e998a938f095548054ef09e277b562b79536\",\n \"https://git.kernel.org/stable/c/2fa28f5c6fcbfc794340684f36d2581b4f2d20b5\",\n \"https://git.kernel.org/stable/c/c0f65ee0a3329eb4b94beaef0268633696e2d0c6\",\n \"https://git.kernel.org/stable/c/e336a9e08618203a456fb5367f1387b14554f55e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: openvswitch: fix possible memory leak in ovs_meter_cmd_set()\\n\\nold_meter needs to be free after it is detached regardless of whether\\nthe new meter is successfully attached.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52702\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52703", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52703" + }, + { + "url": "https://git.kernel.org/stable/c/02df3170c04a8356cd571ab9155a42f030190abc" + }, + { + "url": "https://git.kernel.org/stable/c/1b5de7d44890b78519acbcc80d8d1f23ff2872e5" + }, + { + "url": "https://git.kernel.org/stable/c/338f826d3afead6e4df521f7972a4bef04a72efb" + }, + { + "url": "https://git.kernel.org/stable/c/525bdcb0838d19d918c7786151ee14661967a030" + }, + { + "url": "https://git.kernel.org/stable/c/723ef7b66f37c0841f5a451ccbce47ee1641e081" + }, + { + "url": "https://git.kernel.org/stable/c/a753352622b4f3c0219e0e9c73114b2848ae6042" + }, + { + "url": "https://git.kernel.org/stable/c/c68f345b7c425b38656e1791a0486769a8797016" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52703 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52703", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/usb: kalmia: Don't pass act_len in usb_bulk_msg error path\n\nsyzbot reported that act_len in kalmia_send_init_packet() is\nuninitialized when passing it to the first usb_bulk_msg error path. Jiri\nPirko noted that it's pointless to pass it in the error path, and that\nthe value that would be printed in the second error path would be the\nvalue of act_len from the first call to usb_bulk_msg.[1]\n\nWith this in mind, let's just not pass act_len to the usb_bulk_msg error\npaths.\n\n1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52703\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52703\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52703\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52703\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52703\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02df3170c04a8356cd571ab9155a42f030190abc\",\n \"https://git.kernel.org/stable/c/1b5de7d44890b78519acbcc80d8d1f23ff2872e5\",\n \"https://git.kernel.org/stable/c/338f826d3afead6e4df521f7972a4bef04a72efb\",\n \"https://git.kernel.org/stable/c/525bdcb0838d19d918c7786151ee14661967a030\",\n \"https://git.kernel.org/stable/c/723ef7b66f37c0841f5a451ccbce47ee1641e081\",\n \"https://git.kernel.org/stable/c/a753352622b4f3c0219e0e9c73114b2848ae6042\",\n \"https://git.kernel.org/stable/c/c68f345b7c425b38656e1791a0486769a8797016\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/usb: kalmia: Don't pass act_len in usb_bulk_msg error path\\n\\nsyzbot reported that act_len in kalmia_send_init_packet() is\\nuninitialized when passing it to the first usb_bulk_msg error path. Jiri\\nPirko noted that it's pointless to pass it in the error path, and that\\nthe value that would be printed in the second error path would be the\\nvalue of act_len from the first call to usb_bulk_msg.[1]\\n\\nWith this in mind, let's just not pass act_len to the usb_bulk_msg error\\npaths.\\n\\n1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52703\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52705", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52705" + }, + { + "url": "https://git.kernel.org/stable/c/0ee5ed0126a2211f7174492da2ca2c29f43755c5" + }, + { + "url": "https://git.kernel.org/stable/c/2f7a1135b202977b82457adde7db6c390056863b" + }, + { + "url": "https://git.kernel.org/stable/c/52844d8382cd9166d708032def8905ffc3ae550f" + }, + { + "url": "https://git.kernel.org/stable/c/99b9402a36f0799f25feee4465bfa4b8dfa74b4d" + }, + { + "url": "https://git.kernel.org/stable/c/a158782b56b070485d54d25fc9aaf2c8f3752205" + }, + { + "url": "https://git.kernel.org/stable/c/a8ef5109f93cea9933bbac0455d8c18757b3fcb4" + }, + { + "url": "https://git.kernel.org/stable/c/b96591e2c35c8b47db0ec816b5fc6cb8868000ff" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52705 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52705", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix underflow in second superblock position calculations\n\nMacro NILFS_SB2_OFFSET_BYTES, which computes the position of the second\nsuperblock, underflows when the argument device size is less than 4096\nbytes. Therefore, when using this macro, it is necessary to check in\nadvance that the device size is not less than a lower limit, or at least\nthat underflow does not occur.\n\nThe current nilfs2 implementation lacks this check, causing out-of-bound\nblock access when mounting devices smaller than 4096 bytes:\n\n I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0\n phys_seg 1 prio class 2\n NILFS (loop0): unable to read secondary superblock (blocksize = 1024)\n\nIn addition, when trying to resize the filesystem to a size below 4096\nbytes, this underflow occurs in nilfs_resize_fs(), passing a huge number\nof segments to nilfs_sufile_resize(), corrupting parameters such as the\nnumber of segments in superblocks. This causes excessive loop iterations\nin nilfs_sufile_resize() during a subsequent resize ioctl, causing\nsemaphore ns_segctor_sem to block for a long time and hang the writer\nthread:\n\n INFO: task segctord:5067 blocked for more than 143 seconds.\n Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:segctord state:D stack:23456 pid:5067 ppid:2\n flags:0x00004000\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x1409/0x43f0 kernel/sched/core.c:6606\n schedule+0xc3/0x190 kernel/sched/core.c:6682\n rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190\n nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357\n nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]\n nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570\n kthread+0x270/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n ...\n Call Trace:\n \n folio_mark_accessed+0x51c/0xf00 mm/swap.c:515\n __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]\n nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61\n nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121\n nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176\n nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251\n nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]\n nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]\n nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777\n nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422\n nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]\n nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301\n ...\n\nThis fixes these issues by inserting appropriate minimum device size\nchecks or anti-underflow checks, depending on where the macro is used.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52705\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52705\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52705\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52705\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52705\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ee5ed0126a2211f7174492da2ca2c29f43755c5\",\n \"https://git.kernel.org/stable/c/2f7a1135b202977b82457adde7db6c390056863b\",\n \"https://git.kernel.org/stable/c/52844d8382cd9166d708032def8905ffc3ae550f\",\n \"https://git.kernel.org/stable/c/99b9402a36f0799f25feee4465bfa4b8dfa74b4d\",\n \"https://git.kernel.org/stable/c/a158782b56b070485d54d25fc9aaf2c8f3752205\",\n \"https://git.kernel.org/stable/c/a8ef5109f93cea9933bbac0455d8c18757b3fcb4\",\n \"https://git.kernel.org/stable/c/b96591e2c35c8b47db0ec816b5fc6cb8868000ff\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix underflow in second superblock position calculations\\n\\nMacro NILFS_SB2_OFFSET_BYTES, which computes the position of the second\\nsuperblock, underflows when the argument device size is less than 4096\\nbytes. Therefore, when using this macro, it is necessary to check in\\nadvance that the device size is not less than a lower limit, or at least\\nthat underflow does not occur.\\n\\nThe current nilfs2 implementation lacks this check, causing out-of-bound\\nblock access when mounting devices smaller than 4096 bytes:\\n\\n I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0\\n phys_seg 1 prio class 2\\n NILFS (loop0): unable to read secondary superblock (blocksize = 1024)\\n\\nIn addition, when trying to resize the filesystem to a size below 4096\\nbytes, this underflow occurs in nilfs_resize_fs(), passing a huge number\\nof segments to nilfs_sufile_resize(), corrupting parameters such as the\\nnumber of segments in superblocks. This causes excessive loop iterations\\nin nilfs_sufile_resize() during a subsequent resize ioctl, causing\\nsemaphore ns_segctor_sem to block for a long time and hang the writer\\nthread:\\n\\n INFO: task segctord:5067 blocked for more than 143 seconds.\\n Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0\\n \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n task:segctord state:D stack:23456 pid:5067 ppid:2\\n flags:0x00004000\\n Call Trace:\\n \\n context_switch kernel/sched/core.c:5293 [inline]\\n __schedule+0x1409/0x43f0 kernel/sched/core.c:6606\\n schedule+0xc3/0x190 kernel/sched/core.c:6682\\n rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190\\n nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357\\n nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]\\n nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570\\n kthread+0x270/0x300 kernel/kthread.c:376\\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\\n \\n ...\\n Call Trace:\\n \\n folio_mark_accessed+0x51c/0xf00 mm/swap.c:515\\n __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]\\n nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61\\n nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121\\n nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176\\n nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251\\n nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]\\n nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]\\n nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777\\n nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422\\n nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]\\n nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301\\n ...\\n\\nThis fixes these issues by inserting appropriate minimum device size\\nchecks or anti-underflow checks, depending on where the macro is used.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52705\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52707", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52707" + }, + { + "url": "https://git.kernel.org/stable/c/7caeb5457bd01ccba0df1d6f4872f20d28e50b38" + }, + { + "url": "https://git.kernel.org/stable/c/c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe" + }, + { + "url": "https://git.kernel.org/stable/c/c6879a4dcefe92d870ab68cabaa9caeda4f2af5a" + }, + { + "url": "https://git.kernel.org/stable/c/cca2b3feb70170ef6f0fbc4b4d91eea235a2b73a" + }, + { + "url": "https://git.kernel.org/stable/c/ec9c7aa08819f976b2492fa63c41b5712d2924b5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52707 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52707", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: Fix use-after-free in ep_remove_wait_queue()\n\nIf a non-root cgroup gets removed when there is a thread that registered\ntrigger and is polling on a pressure file within the cgroup, the polling\nwaitqueue gets freed in the following path:\n\n do_rmdir\n cgroup_rmdir\n kernfs_drain_open_files\n cgroup_file_release\n cgroup_pressure_release\n psi_trigger_destroy\n\nHowever, the polling thread still has a reference to the pressure file and\nwill access the freed waitqueue when the file is closed or upon exit:\n\n fput\n ep_eventpoll_release\n ep_free\n ep_remove_wait_queue\n remove_wait_queue\n\nThis results in use-after-free as pasted below.\n\nThe fundamental problem here is that cgroup_file_release() (and\nconsequently waitqueue's lifetime) is not tied to the file's real lifetime.\nUsing wake_up_pollfree() here might be less than ideal, but it is in line\nwith the comment at commit 42288cb44c4b (\"wait: add wake_up_pollfree()\")\nsince the waitqueue's lifetime is not tied to file's one and can be\nconsidered as another special case. While this would be fixable by somehow\nmaking cgroup_file_release() be tied to the fput(), it would require\nsizable refactoring at cgroups or higher layer which might be more\njustifiable if we identify more cases like this.\n\n BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0\n Write of size 4 at addr ffff88810e625328 by task a.out/4404\n\n\tCPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38\n\tHardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017\n\tCall Trace:\n\t\n\tdump_stack_lvl+0x73/0xa0\n\tprint_report+0x16c/0x4e0\n\tkasan_report+0xc3/0xf0\n\tkasan_check_range+0x2d2/0x310\n\t_raw_spin_lock_irqsave+0x60/0xc0\n\tremove_wait_queue+0x1a/0xa0\n\tep_free+0x12c/0x170\n\tep_eventpoll_release+0x26/0x30\n\t__fput+0x202/0x400\n\ttask_work_run+0x11d/0x170\n\tdo_exit+0x495/0x1130\n\tdo_group_exit+0x100/0x100\n\tget_signal+0xd67/0xde0\n\tarch_do_signal_or_restart+0x2a/0x2b0\n\texit_to_user_mode_prepare+0x94/0x100\n\tsyscall_exit_to_user_mode+0x20/0x40\n\tdo_syscall_64+0x52/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\t\n\n Allocated by task 4404:\n\n\tkasan_set_track+0x3d/0x60\n\t__kasan_kmalloc+0x85/0x90\n\tpsi_trigger_create+0x113/0x3e0\n\tpressure_write+0x146/0x2e0\n\tcgroup_file_write+0x11c/0x250\n\tkernfs_fop_write_iter+0x186/0x220\n\tvfs_write+0x3d8/0x5c0\n\tksys_write+0x90/0x110\n\tdo_syscall_64+0x43/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n Freed by task 4407:\n\n\tkasan_set_track+0x3d/0x60\n\tkasan_save_free_info+0x27/0x40\n\t____kasan_slab_free+0x11d/0x170\n\tslab_free_freelist_hook+0x87/0x150\n\t__kmem_cache_free+0xcb/0x180\n\tpsi_trigger_destroy+0x2e8/0x310\n\tcgroup_file_release+0x4f/0xb0\n\tkernfs_drain_open_files+0x165/0x1f0\n\tkernfs_drain+0x162/0x1a0\n\t__kernfs_remove+0x1fb/0x310\n\tkernfs_remove_by_name_ns+0x95/0xe0\n\tcgroup_addrm_files+0x67f/0x700\n\tcgroup_destroy_locked+0x283/0x3c0\n\tcgroup_rmdir+0x29/0x100\n\tkernfs_iop_rmdir+0xd1/0x140\n\tvfs_rmdir+0xfe/0x240\n\tdo_rmdir+0x13d/0x280\n\t__x64_sys_rmdir+0x2c/0x30\n\tdo_syscall_64+0x43/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52707\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52707\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52707\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52707\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52707\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7caeb5457bd01ccba0df1d6f4872f20d28e50b38\",\n \"https://git.kernel.org/stable/c/c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe\",\n \"https://git.kernel.org/stable/c/c6879a4dcefe92d870ab68cabaa9caeda4f2af5a\",\n \"https://git.kernel.org/stable/c/cca2b3feb70170ef6f0fbc4b4d91eea235a2b73a\",\n \"https://git.kernel.org/stable/c/ec9c7aa08819f976b2492fa63c41b5712d2924b5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/psi: Fix use-after-free in ep_remove_wait_queue()\\n\\nIf a non-root cgroup gets removed when there is a thread that registered\\ntrigger and is polling on a pressure file within the cgroup, the polling\\nwaitqueue gets freed in the following path:\\n\\n do_rmdir\\n cgroup_rmdir\\n kernfs_drain_open_files\\n cgroup_file_release\\n cgroup_pressure_release\\n psi_trigger_destroy\\n\\nHowever, the polling thread still has a reference to the pressure file and\\nwill access the freed waitqueue when the file is closed or upon exit:\\n\\n fput\\n ep_eventpoll_release\\n ep_free\\n ep_remove_wait_queue\\n remove_wait_queue\\n\\nThis results in use-after-free as pasted below.\\n\\nThe fundamental problem here is that cgroup_file_release() (and\\nconsequently waitqueue's lifetime) is not tied to the file's real lifetime.\\nUsing wake_up_pollfree() here might be less than ideal, but it is in line\\nwith the comment at commit 42288cb44c4b (\\\"wait: add wake_up_pollfree()\\\")\\nsince the waitqueue's lifetime is not tied to file's one and can be\\nconsidered as another special case. While this would be fixable by somehow\\nmaking cgroup_file_release() be tied to the fput(), it would require\\nsizable refactoring at cgroups or higher layer which might be more\\njustifiable if we identify more cases like this.\\n\\n BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0\\n Write of size 4 at addr ffff88810e625328 by task a.out/4404\\n\\n\\tCPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38\\n\\tHardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017\\n\\tCall Trace:\\n\\t\\n\\tdump_stack_lvl+0x73/0xa0\\n\\tprint_report+0x16c/0x4e0\\n\\tkasan_report+0xc3/0xf0\\n\\tkasan_check_range+0x2d2/0x310\\n\\t_raw_spin_lock_irqsave+0x60/0xc0\\n\\tremove_wait_queue+0x1a/0xa0\\n\\tep_free+0x12c/0x170\\n\\tep_eventpoll_release+0x26/0x30\\n\\t__fput+0x202/0x400\\n\\ttask_work_run+0x11d/0x170\\n\\tdo_exit+0x495/0x1130\\n\\tdo_group_exit+0x100/0x100\\n\\tget_signal+0xd67/0xde0\\n\\tarch_do_signal_or_restart+0x2a/0x2b0\\n\\texit_to_user_mode_prepare+0x94/0x100\\n\\tsyscall_exit_to_user_mode+0x20/0x40\\n\\tdo_syscall_64+0x52/0x90\\n\\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\t\\n\\n Allocated by task 4404:\\n\\n\\tkasan_set_track+0x3d/0x60\\n\\t__kasan_kmalloc+0x85/0x90\\n\\tpsi_trigger_create+0x113/0x3e0\\n\\tpressure_write+0x146/0x2e0\\n\\tcgroup_file_write+0x11c/0x250\\n\\tkernfs_fop_write_iter+0x186/0x220\\n\\tvfs_write+0x3d8/0x5c0\\n\\tksys_write+0x90/0x110\\n\\tdo_syscall_64+0x43/0x90\\n\\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\n Freed by task 4407:\\n\\n\\tkasan_set_track+0x3d/0x60\\n\\tkasan_save_free_info+0x27/0x40\\n\\t____kasan_slab_free+0x11d/0x170\\n\\tslab_free_freelist_hook+0x87/0x150\\n\\t__kmem_cache_free+0xcb/0x180\\n\\tpsi_trigger_destroy+0x2e8/0x310\\n\\tcgroup_file_release+0x4f/0xb0\\n\\tkernfs_drain_open_files+0x165/0x1f0\\n\\tkernfs_drain+0x162/0x1a0\\n\\t__kernfs_remove+0x1fb/0x310\\n\\tkernfs_remove_by_name_ns+0x95/0xe0\\n\\tcgroup_addrm_files+0x67f/0x700\\n\\tcgroup_destroy_locked+0x283/0x3c0\\n\\tcgroup_rmdir+0x29/0x100\\n\\tkernfs_iop_rmdir+0xd1/0x140\\n\\tvfs_rmdir+0xfe/0x240\\n\\tdo_rmdir+0x13d/0x280\\n\\t__x64_sys_rmdir+0x2c/0x30\\n\\tdo_syscall_64+0x43/0x90\\n\\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52707\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52708", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52708" + }, + { + "url": "https://git.kernel.org/stable/c/0b3edcb24bd81b3b2e3dac89f4733bfd47d283be" + }, + { + "url": "https://git.kernel.org/stable/c/82645bf4ed02abe930a659c5fe16d593a6dbd93f" + }, + { + "url": "https://git.kernel.org/stable/c/cf4c9d2ac1e42c7d18b921bec39486896645b714" + }, + { + "url": "https://git.kernel.org/stable/c/e9b488d60f51ae312006e224e03a30a151c28bdd" + }, + { + "url": "https://git.kernel.org/stable/c/ecad2fafd424ffdc203b2748ded0b37e4bbecef3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52708 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52708", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmc_spi: fix error handling in mmc_spi_probe()\n\nIf mmc_add_host() fails, it doesn't need to call mmc_remove_host(),\nor it will cause null-ptr-deref, because of deleting a not added\ndevice in mmc_remove_host().\n\nTo fix this, goto label 'fail_glue_init', if mmc_add_host() fails,\nand change the label 'fail_add_host' to 'fail_gpiod_request'.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52708\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52708\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52708\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52708\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52708\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b3edcb24bd81b3b2e3dac89f4733bfd47d283be\",\n \"https://git.kernel.org/stable/c/82645bf4ed02abe930a659c5fe16d593a6dbd93f\",\n \"https://git.kernel.org/stable/c/cf4c9d2ac1e42c7d18b921bec39486896645b714\",\n \"https://git.kernel.org/stable/c/e9b488d60f51ae312006e224e03a30a151c28bdd\",\n \"https://git.kernel.org/stable/c/ecad2fafd424ffdc203b2748ded0b37e4bbecef3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmmc: mmc_spi: fix error handling in mmc_spi_probe()\\n\\nIf mmc_add_host() fails, it doesn't need to call mmc_remove_host(),\\nor it will cause null-ptr-deref, because of deleting a not added\\ndevice in mmc_remove_host().\\n\\nTo fix this, goto label 'fail_glue_init', if mmc_add_host() fails,\\nand change the label 'fail_add_host' to 'fail_gpiod_request'.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52708\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52730", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52730" + }, + { + "url": "https://git.kernel.org/stable/c/1e06cf04239e202248c8fa356bf11449dc73cfbd" + }, + { + "url": "https://git.kernel.org/stable/c/30716d9f0fa1766e522cf24c8a456244e4fc9931" + }, + { + "url": "https://git.kernel.org/stable/c/5c7858adada31dbed042448cff6997dd6efc472a" + }, + { + "url": "https://git.kernel.org/stable/c/605d9fb9556f8f5fb4566f4df1480f280f308ded" + }, + { + "url": "https://git.kernel.org/stable/c/761db46b29b496946046d8cb33c7ea6de6bef36e" + }, + { + "url": "https://git.kernel.org/stable/c/92ff03c2563c9b57a027c744750f3b7d2f261c58" + }, + { + "url": "https://git.kernel.org/stable/c/f855d31bb38d663c3ba672345d7cce9324ba3b72" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52730 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52730", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdio: fix possible resource leaks in some error paths\n\nIf sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can\nnot release the resources, because the sdio function is not presented\nin these two cases, it won't call of_node_put() or put_device().\n\nTo fix these leaks, make sdio_func_present() only control whether\ndevice_del() needs to be called or not, then always call of_node_put()\nand put_device().\n\nIn error case in sdio_init_func(), the reference of 'card->dev' is\nnot get, to avoid redundant put in sdio_free_func_cis(), move the\nget_device() to sdio_alloc_func() and put_device() to sdio_release_func(),\nit can keep the get/put function be balanced.\n\nWithout this patch, while doing fault inject test, it can get the\nfollowing leak reports, after this fix, the leak is gone.\n\nunreferenced object 0xffff888112514000 (size 2048):\n comm \"kworker/3:2\", pid 65, jiffies 4294741614 (age 124.774s)\n hex dump (first 32 bytes):\n 00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X......\n 10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q.....\n backtrace:\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\n [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]\n [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]\n [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\n\nunreferenced object 0xffff888112511000 (size 2048):\n comm \"kworker/3:2\", pid 65, jiffies 4294741623 (age 124.766s)\n hex dump (first 32 bytes):\n 00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X......\n 10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q.....\n backtrace:\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\n [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]\n [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52730\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52730\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52730\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52730\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52730\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e06cf04239e202248c8fa356bf11449dc73cfbd\",\n \"https://git.kernel.org/stable/c/30716d9f0fa1766e522cf24c8a456244e4fc9931\",\n \"https://git.kernel.org/stable/c/5c7858adada31dbed042448cff6997dd6efc472a\",\n \"https://git.kernel.org/stable/c/605d9fb9556f8f5fb4566f4df1480f280f308ded\",\n \"https://git.kernel.org/stable/c/761db46b29b496946046d8cb33c7ea6de6bef36e\",\n \"https://git.kernel.org/stable/c/92ff03c2563c9b57a027c744750f3b7d2f261c58\",\n \"https://git.kernel.org/stable/c/f855d31bb38d663c3ba672345d7cce9324ba3b72\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmmc: sdio: fix possible resource leaks in some error paths\\n\\nIf sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can\\nnot release the resources, because the sdio function is not presented\\nin these two cases, it won't call of_node_put() or put_device().\\n\\nTo fix these leaks, make sdio_func_present() only control whether\\ndevice_del() needs to be called or not, then always call of_node_put()\\nand put_device().\\n\\nIn error case in sdio_init_func(), the reference of 'card->dev' is\\nnot get, to avoid redundant put in sdio_free_func_cis(), move the\\nget_device() to sdio_alloc_func() and put_device() to sdio_release_func(),\\nit can keep the get/put function be balanced.\\n\\nWithout this patch, while doing fault inject test, it can get the\\nfollowing leak reports, after this fix, the leak is gone.\\n\\nunreferenced object 0xffff888112514000 (size 2048):\\n comm \\\"kworker/3:2\\\", pid 65, jiffies 4294741614 (age 124.774s)\\n hex dump (first 32 bytes):\\n 00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X......\\n 10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q.....\\n backtrace:\\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\\n [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]\\n [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]\\n [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]\\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\\n\\nunreferenced object 0xffff888112511000 (size 2048):\\n comm \\\"kworker/3:2\\\", pid 65, jiffies 4294741623 (age 124.766s)\\n hex dump (first 32 bytes):\\n 00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X......\\n 10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q.....\\n backtrace:\\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\\n [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]\\n [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]\\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52730\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52732", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52732" + }, + { + "url": "https://git.kernel.org/stable/c/66ec619e4591f8350f99c5269a7ce160cccc7a7c" + }, + { + "url": "https://git.kernel.org/stable/c/a68e564adcaa69b0930809fb64d9d5f7d9c32ba9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52732 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52732", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: blocklist the kclient when receiving corrupted snap trace\n\nWhen received corrupted snap trace we don't know what exactly has\nhappened in MDS side. And we shouldn't continue IOs and metadatas\naccess to MDS, which may corrupt or get incorrect contents.\n\nThis patch will just block all the further IO/MDS requests\nimmediately and then evict the kclient itself.\n\nThe reason why we still need to evict the kclient just after\nblocking all the further IOs is that the MDS could revoke the caps\nfaster.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52732\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52732\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52732\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52732\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52732\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/66ec619e4591f8350f99c5269a7ce160cccc7a7c\",\n \"https://git.kernel.org/stable/c/a68e564adcaa69b0930809fb64d9d5f7d9c32ba9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nceph: blocklist the kclient when receiving corrupted snap trace\\n\\nWhen received corrupted snap trace we don't know what exactly has\\nhappened in MDS side. And we shouldn't continue IOs and metadatas\\naccess to MDS, which may corrupt or get incorrect contents.\\n\\nThis patch will just block all the further IO/MDS requests\\nimmediately and then evict the kclient itself.\\n\\nThe reason why we still need to evict the kclient just after\\nblocking all the further IOs is that the MDS could revoke the caps\\nfaster.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52732\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52733", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52733" + }, + { + "url": "https://git.kernel.org/stable/c/16409f7d9ca5bb8220e1049ea9aae0d3c94d2dfb" + }, + { + "url": "https://git.kernel.org/stable/c/55dbd6f4ea954751340f4f73d5dcd7c8f12208b2" + }, + { + "url": "https://git.kernel.org/stable/c/7ab41c2c08a32132ba8c14624910e2fe8ce4ba4b" + }, + { + "url": "https://git.kernel.org/stable/c/9ed522143f959630f8b7782ddc212900d8f609a9" + }, + { + "url": "https://git.kernel.org/stable/c/f1eb22d0ff064ad458b3b1a1eaa84ac3996206c2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52733 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52733", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/decompressor: specify __decompress() buf len to avoid overflow\n\nHistorically calls to __decompress() didn't specify \"out_len\" parameter\non many architectures including s390, expecting that no writes beyond\nuncompressed kernel image are performed. This has changed since commit\n2aa14b1ab2c4 (\"zstd: import usptream v1.5.2\") which includes zstd library\ncommit 6a7ede3dfccb (\"Reduce size of dctx by reutilizing dst buffer\n(#2751)\"). Now zstd decompression code might store literal buffer in\nthe unwritten portion of the destination buffer. Since \"out_len\" is\nnot set, it is considered to be unlimited and hence free to use for\noptimization needs. On s390 this might corrupt initrd or ipl report\nwhich are often placed right after the decompressor buffer. Luckily the\nsize of uncompressed kernel image is already known to the decompressor,\nso to avoid the problem simply specify it in the \"out_len\" parameter.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52733\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52733\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52733\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52733\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52733\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16409f7d9ca5bb8220e1049ea9aae0d3c94d2dfb\",\n \"https://git.kernel.org/stable/c/55dbd6f4ea954751340f4f73d5dcd7c8f12208b2\",\n \"https://git.kernel.org/stable/c/7ab41c2c08a32132ba8c14624910e2fe8ce4ba4b\",\n \"https://git.kernel.org/stable/c/9ed522143f959630f8b7782ddc212900d8f609a9\",\n \"https://git.kernel.org/stable/c/f1eb22d0ff064ad458b3b1a1eaa84ac3996206c2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/decompressor: specify __decompress() buf len to avoid overflow\\n\\nHistorically calls to __decompress() didn't specify \\\"out_len\\\" parameter\\non many architectures including s390, expecting that no writes beyond\\nuncompressed kernel image are performed. This has changed since commit\\n2aa14b1ab2c4 (\\\"zstd: import usptream v1.5.2\\\") which includes zstd library\\ncommit 6a7ede3dfccb (\\\"Reduce size of dctx by reutilizing dst buffer\\n(#2751)\\\"). Now zstd decompression code might store literal buffer in\\nthe unwritten portion of the destination buffer. Since \\\"out_len\\\" is\\nnot set, it is considered to be unlimited and hence free to use for\\noptimization needs. On s390 this might corrupt initrd or ipl report\\nwhich are often placed right after the decompressor buffer. Luckily the\\nsize of uncompressed kernel image is already known to the decompressor,\\nso to avoid the problem simply specify it in the \\\"out_len\\\" parameter.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52733\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52734", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52734" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52734 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52734", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52734\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52734\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52734\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52734\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52734\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52734\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52735", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52735" + }, + { + "url": "https://git.kernel.org/stable/c/5b4a79ba65a1ab479903fff2e604865d229b70a9" + }, + { + "url": "https://git.kernel.org/stable/c/7499859881488da97589f3c79cc66fa75748ad49" + }, + { + "url": "https://git.kernel.org/stable/c/f312367f5246e04df564d341044286e9e37a97ba" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52735 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52735", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself\n\nsock_map proto callbacks should never call themselves by design. Protect\nagainst bugs like [1] and break out of the recursive loop to avoid a stack\noverflow in favor of a resource leak.\n\n[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52735\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52735\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52735\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52735\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52735\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5b4a79ba65a1ab479903fff2e604865d229b70a9\",\n \"https://git.kernel.org/stable/c/7499859881488da97589f3c79cc66fa75748ad49\",\n \"https://git.kernel.org/stable/c/f312367f5246e04df564d341044286e9e37a97ba\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself\\n\\nsock_map proto callbacks should never call themselves by design. Protect\\nagainst bugs like [1] and break out of the recursive loop to avoid a stack\\noverflow in favor of a resource leak.\\n\\n[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52735\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52736", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52736" + }, + { + "url": "https://git.kernel.org/stable/c/427ca2530da8dc61a42620d7113b05e187b6c2c0" + }, + { + "url": "https://git.kernel.org/stable/c/7fc4e7191eae9d9325511e03deadfdb2224914f8" + }, + { + "url": "https://git.kernel.org/stable/c/87978e6ad45a16835cc58234451111091be3c59a" + }, + { + "url": "https://git.kernel.org/stable/c/e909f5f2aa55a8f9aa6919cce08015cb0e8d4668" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52736 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52736", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Do not unset preset when cleaning up codec\n\nSeveral functions that take part in codec's initialization and removal\nare re-used by ASoC codec drivers implementations. Drivers mimic the\nbehavior of hda_codec_driver_probe/remove() found in\nsound/pci/hda/hda_bind.c with their component->probe/remove() instead.\n\nOne of the reasons for that is the expectation of\nsnd_hda_codec_device_new() to receive a valid pointer to an instance of\nstruct snd_card. This expectation can be met only once sound card\ncomponents probing commences.\n\nAs ASoC sound card may be unbound without codec device being actually\nremoved from the system, unsetting ->preset in\nsnd_hda_codec_cleanup_for_unbind() interferes with module unload -> load\nscenario causing null-ptr-deref. Preset is assigned only once, during\ndevice/driver matching whereas ASoC codec driver's module reloading may\noccur several times throughout the lifetime of an audio stack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52736\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52736\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52736\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52736\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52736\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/427ca2530da8dc61a42620d7113b05e187b6c2c0\",\n \"https://git.kernel.org/stable/c/7fc4e7191eae9d9325511e03deadfdb2224914f8\",\n \"https://git.kernel.org/stable/c/87978e6ad45a16835cc58234451111091be3c59a\",\n \"https://git.kernel.org/stable/c/e909f5f2aa55a8f9aa6919cce08015cb0e8d4668\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: hda: Do not unset preset when cleaning up codec\\n\\nSeveral functions that take part in codec's initialization and removal\\nare re-used by ASoC codec drivers implementations. Drivers mimic the\\nbehavior of hda_codec_driver_probe/remove() found in\\nsound/pci/hda/hda_bind.c with their component->probe/remove() instead.\\n\\nOne of the reasons for that is the expectation of\\nsnd_hda_codec_device_new() to receive a valid pointer to an instance of\\nstruct snd_card. This expectation can be met only once sound card\\ncomponents probing commences.\\n\\nAs ASoC sound card may be unbound without codec device being actually\\nremoved from the system, unsetting ->preset in\\nsnd_hda_codec_cleanup_for_unbind() interferes with module unload -> load\\nscenario causing null-ptr-deref. Preset is assigned only once, during\\ndevice/driver matching whereas ASoC codec driver's module reloading may\\noccur several times throughout the lifetime of an audio stack.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52736\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52737", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52737" + }, + { + "url": "https://git.kernel.org/stable/c/519b7e13b5ae8dd38da1e52275705343be6bb508" + }, + { + "url": "https://git.kernel.org/stable/c/d8c594da79bc0244e610a70594e824a401802be1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52737 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52737", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: lock the inode in shared mode before starting fiemap\n\nCurrently fiemap does not take the inode's lock (VFS lock), it only locks\na file range in the inode's io tree. This however can lead to a deadlock\nif we have a concurrent fsync on the file and fiemap code triggers a fault\nwhen accessing the user space buffer with fiemap_fill_next_extent(). The\ndeadlock happens on the inode's i_mmap_lock semaphore, which is taken both\nby fsync and btrfs_page_mkwrite(). This deadlock was recently reported by\nsyzbot and triggers a trace like the following:\n\n task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\n schedule+0xcb/0x190 kernel/sched/core.c:6682\n wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]\n wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751\n lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742\n find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488\n writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863\n __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174\n extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091\n extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211\n do_writepages+0x3c3/0x680 mm/page-writeback.c:2581\n filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388\n __filemap_fdatawrite_range mm/filemap.c:421 [inline]\n filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439\n btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline]\n start_ordered_ops fs/btrfs/file.c:1737 [inline]\n btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839\n generic_write_sync include/linux/fs.h:2885 [inline]\n btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684\n call_write_iter include/linux/fs.h:2189 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x7f7d4054e9b9\n RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9\n RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006\n RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69\n R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8\n \n INFO: task syz-executor361:5697 blocked for more than 145 seconds.\n Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\n schedule+0xcb/0x190 kernel/sched/core.c:6682\n rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095\n __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260\n btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526\n do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947\n wp_page_shared+0x15e/0x380 mm/memory.c:3295\n handle_pte_fault mm/memory.c:4949 [inline]\n __handle_mm_fault mm/memory.c:5073 [inline]\n handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219\n do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428\n handle_page_fault arch/x86/mm/fault.c:1519 [inline]\n exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575\n asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570\n RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233\n Code: 74 0a 89 (...)\n RSP: 0018:ffffc9000570f330 EFLAGS: 000502\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52737\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52737\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52737\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52737\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52737\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/519b7e13b5ae8dd38da1e52275705343be6bb508\",\n \"https://git.kernel.org/stable/c/d8c594da79bc0244e610a70594e824a401802be1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: lock the inode in shared mode before starting fiemap\\n\\nCurrently fiemap does not take the inode's lock (VFS lock), it only locks\\na file range in the inode's io tree. This however can lead to a deadlock\\nif we have a concurrent fsync on the file and fiemap code triggers a fault\\nwhen accessing the user space buffer with fiemap_fill_next_extent(). The\\ndeadlock happens on the inode's i_mmap_lock semaphore, which is taken both\\nby fsync and btrfs_page_mkwrite(). This deadlock was recently reported by\\nsyzbot and triggers a trace like the following:\\n\\n task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004\\n Call Trace:\\n \\n context_switch kernel/sched/core.c:5293 [inline]\\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\\n schedule+0xcb/0x190 kernel/sched/core.c:6682\\n wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]\\n wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751\\n lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742\\n find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488\\n writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863\\n __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174\\n extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091\\n extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211\\n do_writepages+0x3c3/0x680 mm/page-writeback.c:2581\\n filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388\\n __filemap_fdatawrite_range mm/filemap.c:421 [inline]\\n filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439\\n btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline]\\n start_ordered_ops fs/btrfs/file.c:1737 [inline]\\n btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839\\n generic_write_sync include/linux/fs.h:2885 [inline]\\n btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684\\n call_write_iter include/linux/fs.h:2189 [inline]\\n new_sync_write fs/read_write.c:491 [inline]\\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\\n ksys_write+0x177/0x2a0 fs/read_write.c:637\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n RIP: 0033:0x7f7d4054e9b9\\n RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\n RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9\\n RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006\\n RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000\\n R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69\\n R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8\\n \\n INFO: task syz-executor361:5697 blocked for more than 145 seconds.\\n Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0\\n \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004\\n Call Trace:\\n \\n context_switch kernel/sched/core.c:5293 [inline]\\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\\n schedule+0xcb/0x190 kernel/sched/core.c:6682\\n rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095\\n __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260\\n btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526\\n do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947\\n wp_page_shared+0x15e/0x380 mm/memory.c:3295\\n handle_pte_fault mm/memory.c:4949 [inline]\\n __handle_mm_fault mm/memory.c:5073 [inline]\\n handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219\\n do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428\\n handle_page_fault arch/x86/mm/fault.c:1519 [inline]\\n exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575\\n asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570\\n RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233\\n Code: 74 0a 89 (...)\\n RSP: 0018:ffffc9000570f330 EFLAGS: 000502\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52737\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52738", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52738" + }, + { + "url": "https://git.kernel.org/stable/c/2bcbbef9cace772f5b7128b11401c515982de34b" + }, + { + "url": "https://git.kernel.org/stable/c/2e557c8ca2c585bdef591b8503ba83b85f5d0afd" + }, + { + "url": "https://git.kernel.org/stable/c/5ad7bbf3dba5c4a684338df1f285080f2588b535" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52738 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52738", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini\n\nCurrently amdgpu calls drm_sched_fini() from the fence driver sw fini\nroutine - such function is expected to be called only after the\nrespective init function - drm_sched_init() - was executed successfully.\n\nHappens that we faced a driver probe failure in the Steam Deck\nrecently, and the function drm_sched_fini() was called even without\nits counter-part had been previously called, causing the following oops:\n\namdgpu: probe of 0000:04:00.0 failed with error -110\nBUG: kernel NULL pointer dereference, address: 0000000000000090\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338\nHardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022\nRIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched]\n[...]\nCall Trace:\n \n amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu]\n amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu]\n amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\n devm_drm_dev_init_release+0x49/0x70\n [...]\n\nTo prevent that, check if the drm_sched was properly initialized for a\ngiven ring before calling its fini counter-part.\n\nNotice ideally we'd use sched.ready for that; such field is set as the latest\nthing on drm_sched_init(). But amdgpu seems to \"override\" the meaning of such\nfield - in the above oops for example, it was a GFX ring causing the crash, and\nthe sched.ready field was set to true in the ring init routine, regardless of\nthe state of the DRM scheduler. Hence, we ended-up using sched.ops as per\nChristian's suggestion [0], and also removed the no_scheduler check [1].\n\n[0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/\n[1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52738\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52738\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52738\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52738\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52738\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2bcbbef9cace772f5b7128b11401c515982de34b\",\n \"https://git.kernel.org/stable/c/2e557c8ca2c585bdef591b8503ba83b85f5d0afd\",\n \"https://git.kernel.org/stable/c/5ad7bbf3dba5c4a684338df1f285080f2588b535\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini\\n\\nCurrently amdgpu calls drm_sched_fini() from the fence driver sw fini\\nroutine - such function is expected to be called only after the\\nrespective init function - drm_sched_init() - was executed successfully.\\n\\nHappens that we faced a driver probe failure in the Steam Deck\\nrecently, and the function drm_sched_fini() was called even without\\nits counter-part had been previously called, causing the following oops:\\n\\namdgpu: probe of 0000:04:00.0 failed with error -110\\nBUG: kernel NULL pointer dereference, address: 0000000000000090\\nPGD 0 P4D 0\\nOops: 0002 [#1] PREEMPT SMP NOPTI\\nCPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338\\nHardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022\\nRIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched]\\n[...]\\nCall Trace:\\n \\n amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu]\\n amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu]\\n amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\\n devm_drm_dev_init_release+0x49/0x70\\n [...]\\n\\nTo prevent that, check if the drm_sched was properly initialized for a\\ngiven ring before calling its fini counter-part.\\n\\nNotice ideally we'd use sched.ready for that; such field is set as the latest\\nthing on drm_sched_init(). But amdgpu seems to \\\"override\\\" the meaning of such\\nfield - in the above oops for example, it was a GFX ring causing the crash, and\\nthe sched.ready field was set to true in the ring init routine, regardless of\\nthe state of the DRM scheduler. Hence, we ended-up using sched.ops as per\\nChristian's suggestion [0], and also removed the no_scheduler check [1].\\n\\n[0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/\\n[1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52738\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52739", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52739" + }, + { + "url": "https://git.kernel.org/stable/c/0a626e27f984dfbe96bd8e4fd08f20a2ede3ea23" + }, + { + "url": "https://git.kernel.org/stable/c/3af734f3eac6f70ef8e272a80da40544b9d0f2b5" + }, + { + "url": "https://git.kernel.org/stable/c/3b4c045a98f53a8890a94bb5846a390c8e39e673" + }, + { + "url": "https://git.kernel.org/stable/c/462a8e08e0e6287e5ce13187257edbf24213ed03" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52739 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52739", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix page corruption caused by racy check in __free_pages\n\nWhen we upgraded our kernel, we started seeing some page corruption like\nthe following consistently:\n\n BUG: Bad page state in process ganesha.nfsd pfn:1304ca\n page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca\n flags: 0x17ffffc0000000()\n raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000\n raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000\n page dumped because: nonzero mapcount\n CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P B O 5.10.158-1.nutanix.20221209.el7.x86_64 #1\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016\n Call Trace:\n dump_stack+0x74/0x96\n bad_page.cold+0x63/0x94\n check_new_page_bad+0x6d/0x80\n rmqueue+0x46e/0x970\n get_page_from_freelist+0xcb/0x3f0\n ? _cond_resched+0x19/0x40\n __alloc_pages_nodemask+0x164/0x300\n alloc_pages_current+0x87/0xf0\n skb_page_frag_refill+0x84/0x110\n ...\n\nSometimes, it would also show up as corruption in the free list pointer\nand cause crashes.\n\nAfter bisecting the issue, we found the issue started from commit\ne320d3012d25 (\"mm/page_alloc.c: fix freeing non-compound pages\"):\n\n\tif (put_page_testzero(page))\n\t\tfree_the_page(page, order);\n\telse if (!PageHead(page))\n\t\twhile (order-- > 0)\n\t\t\tfree_the_page(page + (1 << order), order);\n\nSo the problem is the check PageHead is racy because at this point we\nalready dropped our reference to the page. So even if we came in with\ncompound page, the page can already be freed and PageHead can return\nfalse and we will end up freeing all the tail pages causing double free.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52739\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52739\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52739\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52739\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52739\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a626e27f984dfbe96bd8e4fd08f20a2ede3ea23\",\n \"https://git.kernel.org/stable/c/3af734f3eac6f70ef8e272a80da40544b9d0f2b5\",\n \"https://git.kernel.org/stable/c/3b4c045a98f53a8890a94bb5846a390c8e39e673\",\n \"https://git.kernel.org/stable/c/462a8e08e0e6287e5ce13187257edbf24213ed03\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nFix page corruption caused by racy check in __free_pages\\n\\nWhen we upgraded our kernel, we started seeing some page corruption like\\nthe following consistently:\\n\\n BUG: Bad page state in process ganesha.nfsd pfn:1304ca\\n page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca\\n flags: 0x17ffffc0000000()\\n raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000\\n raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000\\n page dumped because: nonzero mapcount\\n CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P B O 5.10.158-1.nutanix.20221209.el7.x86_64 #1\\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016\\n Call Trace:\\n dump_stack+0x74/0x96\\n bad_page.cold+0x63/0x94\\n check_new_page_bad+0x6d/0x80\\n rmqueue+0x46e/0x970\\n get_page_from_freelist+0xcb/0x3f0\\n ? _cond_resched+0x19/0x40\\n __alloc_pages_nodemask+0x164/0x300\\n alloc_pages_current+0x87/0xf0\\n skb_page_frag_refill+0x84/0x110\\n ...\\n\\nSometimes, it would also show up as corruption in the free list pointer\\nand cause crashes.\\n\\nAfter bisecting the issue, we found the issue started from commit\\ne320d3012d25 (\\\"mm/page_alloc.c: fix freeing non-compound pages\\\"):\\n\\n\\tif (put_page_testzero(page))\\n\\t\\tfree_the_page(page, order);\\n\\telse if (!PageHead(page))\\n\\t\\twhile (order-- > 0)\\n\\t\\t\\tfree_the_page(page + (1 << order), order);\\n\\nSo the problem is the check PageHead is racy because at this point we\\nalready dropped our reference to the page. So even if we came in with\\ncompound page, the page can already be freed and PageHead can return\\nfalse and we will end up freeing all the tail pages causing double free.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52739\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52740", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52740" + }, + { + "url": "https://git.kernel.org/stable/c/2ea31e2e62bbc4d11c411eeb36f1b02841dbcab1" + }, + { + "url": "https://git.kernel.org/stable/c/6f097c24815e67909a1fcc2c605586d02babd673" + }, + { + "url": "https://git.kernel.org/stable/c/86f7e423933608d536015a0f2eb9e0338c1227e0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52740 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52740", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch\n\nThe RFI and STF security mitigation options can flip the\ninterrupt_exit_not_reentrant static branch condition concurrently with\nthe interrupt exit code which tests that branch.\n\nInterrupt exit tests this condition to set MSR[EE|RI] for exit, then\nagain in the case a soft-masked interrupt is found pending, to recover\nthe MSR so the interrupt can be replayed before attempting to exit\nagain. If the condition changes between these two tests, the MSR and irq\nsoft-mask state will become corrupted, leading to warnings and possible\ncrashes. For example, if the branch is initially true then false,\nMSR[EE] will be 0 but PACA_IRQ_HARD_DIS clear and EE may not get\nenabled, leading to warnings in irq_64.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52740\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52740\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52740\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52740\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52740\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ea31e2e62bbc4d11c411eeb36f1b02841dbcab1\",\n \"https://git.kernel.org/stable/c/6f097c24815e67909a1fcc2c605586d02babd673\",\n \"https://git.kernel.org/stable/c/86f7e423933608d536015a0f2eb9e0338c1227e0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch\\n\\nThe RFI and STF security mitigation options can flip the\\ninterrupt_exit_not_reentrant static branch condition concurrently with\\nthe interrupt exit code which tests that branch.\\n\\nInterrupt exit tests this condition to set MSR[EE|RI] for exit, then\\nagain in the case a soft-masked interrupt is found pending, to recover\\nthe MSR so the interrupt can be replayed before attempting to exit\\nagain. If the condition changes between these two tests, the MSR and irq\\nsoft-mask state will become corrupted, leading to warnings and possible\\ncrashes. For example, if the branch is initially true then false,\\nMSR[EE] will be 0 but PACA_IRQ_HARD_DIS clear and EE may not get\\nenabled, leading to warnings in irq_64.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52740\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52741", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52741" + }, + { + "url": "https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0" + }, + { + "url": "https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e" + }, + { + "url": "https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211" + }, + { + "url": "https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52741 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52741", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix use-after-free in rdata->read_into_pages()\n\nWhen the network status is unstable, use-after-free may occur when\nread data from the server.\n\n BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0\n\n Call Trace:\n \n dump_stack_lvl+0x38/0x4c\n print_report+0x16f/0x4a6\n kasan_report+0xb7/0x130\n readpages_fill_pages+0x14c/0x7e0\n cifs_readv_receive+0x46d/0xa40\n cifs_demultiplex_thread+0x121c/0x1490\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n \n\n Allocated by task 2535:\n kasan_save_stack+0x22/0x50\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x82/0x90\n cifs_readdata_direct_alloc+0x2c/0x110\n cifs_readdata_alloc+0x2d/0x60\n cifs_readahead+0x393/0xfe0\n read_pages+0x12f/0x470\n page_cache_ra_unbounded+0x1b1/0x240\n filemap_get_pages+0x1c8/0x9a0\n filemap_read+0x1c0/0x540\n cifs_strict_readv+0x21b/0x240\n vfs_read+0x395/0x4b0\n ksys_read+0xb8/0x150\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\n Freed by task 79:\n kasan_save_stack+0x22/0x50\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2e/0x50\n __kasan_slab_free+0x10e/0x1a0\n __kmem_cache_free+0x7a/0x1a0\n cifs_readdata_release+0x49/0x60\n process_one_work+0x46c/0x760\n worker_thread+0x2a4/0x6f0\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n\n Last potentially related work creation:\n kasan_save_stack+0x22/0x50\n __kasan_record_aux_stack+0x95/0xb0\n insert_work+0x2b/0x130\n __queue_work+0x1fe/0x660\n queue_work_on+0x4b/0x60\n smb2_readv_callback+0x396/0x800\n cifs_abort_connection+0x474/0x6a0\n cifs_reconnect+0x5cb/0xa50\n cifs_readv_from_socket.cold+0x22/0x6c\n cifs_read_page_from_socket+0xc1/0x100\n readpages_fill_pages.cold+0x2f/0x46\n cifs_readv_receive+0x46d/0xa40\n cifs_demultiplex_thread+0x121c/0x1490\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n\nThe following function calls will cause UAF of the rdata pointer.\n\nreadpages_fill_pages\n cifs_read_page_from_socket\n cifs_readv_from_socket\n cifs_reconnect\n __cifs_reconnect\n cifs_abort_connection\n mid->callback() --> smb2_readv_callback\n queue_work(&rdata->work) # if the worker completes first,\n # the rdata is freed\n cifs_readv_complete\n kref_put\n cifs_readdata_release\n kfree(rdata)\n return rdata->... # UAF in readpages_fill_pages()\n\nSimilarly, this problem also occurs in the uncache_fill_pages().\n\nFix this by adjusts the order of condition judgment in the return\nstatement.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52741\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52741\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52741\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52741\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52741\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0\",\n \"https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e\",\n \"https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211\",\n \"https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncifs: Fix use-after-free in rdata->read_into_pages()\\n\\nWhen the network status is unstable, use-after-free may occur when\\nread data from the server.\\n\\n BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0\\n\\n Call Trace:\\n \\n dump_stack_lvl+0x38/0x4c\\n print_report+0x16f/0x4a6\\n kasan_report+0xb7/0x130\\n readpages_fill_pages+0x14c/0x7e0\\n cifs_readv_receive+0x46d/0xa40\\n cifs_demultiplex_thread+0x121c/0x1490\\n kthread+0x16b/0x1a0\\n ret_from_fork+0x2c/0x50\\n \\n\\n Allocated by task 2535:\\n kasan_save_stack+0x22/0x50\\n kasan_set_track+0x25/0x30\\n __kasan_kmalloc+0x82/0x90\\n cifs_readdata_direct_alloc+0x2c/0x110\\n cifs_readdata_alloc+0x2d/0x60\\n cifs_readahead+0x393/0xfe0\\n read_pages+0x12f/0x470\\n page_cache_ra_unbounded+0x1b1/0x240\\n filemap_get_pages+0x1c8/0x9a0\\n filemap_read+0x1c0/0x540\\n cifs_strict_readv+0x21b/0x240\\n vfs_read+0x395/0x4b0\\n ksys_read+0xb8/0x150\\n do_syscall_64+0x3f/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\n\\n Freed by task 79:\\n kasan_save_stack+0x22/0x50\\n kasan_set_track+0x25/0x30\\n kasan_save_free_info+0x2e/0x50\\n __kasan_slab_free+0x10e/0x1a0\\n __kmem_cache_free+0x7a/0x1a0\\n cifs_readdata_release+0x49/0x60\\n process_one_work+0x46c/0x760\\n worker_thread+0x2a4/0x6f0\\n kthread+0x16b/0x1a0\\n ret_from_fork+0x2c/0x50\\n\\n Last potentially related work creation:\\n kasan_save_stack+0x22/0x50\\n __kasan_record_aux_stack+0x95/0xb0\\n insert_work+0x2b/0x130\\n __queue_work+0x1fe/0x660\\n queue_work_on+0x4b/0x60\\n smb2_readv_callback+0x396/0x800\\n cifs_abort_connection+0x474/0x6a0\\n cifs_reconnect+0x5cb/0xa50\\n cifs_readv_from_socket.cold+0x22/0x6c\\n cifs_read_page_from_socket+0xc1/0x100\\n readpages_fill_pages.cold+0x2f/0x46\\n cifs_readv_receive+0x46d/0xa40\\n cifs_demultiplex_thread+0x121c/0x1490\\n kthread+0x16b/0x1a0\\n ret_from_fork+0x2c/0x50\\n\\nThe following function calls will cause UAF of the rdata pointer.\\n\\nreadpages_fill_pages\\n cifs_read_page_from_socket\\n cifs_readv_from_socket\\n cifs_reconnect\\n __cifs_reconnect\\n cifs_abort_connection\\n mid->callback() --> smb2_readv_callback\\n queue_work(&rdata->work) # if the worker completes first,\\n # the rdata is freed\\n cifs_readv_complete\\n kref_put\\n cifs_readdata_release\\n kfree(rdata)\\n return rdata->... # UAF in readpages_fill_pages()\\n\\nSimilarly, this problem also occurs in the uncache_fill_pages().\\n\\nFix this by adjusts the order of condition judgment in the return\\nstatement.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52741\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52742", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52742" + }, + { + "url": "https://git.kernel.org/stable/c/0d2cf3fae701646061e295815bb7588d2f3671cc" + }, + { + "url": "https://git.kernel.org/stable/c/1be271c52bf3554edcb8d124d1f8c7f777ee5727" + }, + { + "url": "https://git.kernel.org/stable/c/25141fb4119112f4ebf8f00cf52014abbc8020b1" + }, + { + "url": "https://git.kernel.org/stable/c/43379fcacea2dcee35d02efc9c8fe97807a503c9" + }, + { + "url": "https://git.kernel.org/stable/c/6f69307f625904feed189008381fd83bd1a35b63" + }, + { + "url": "https://git.kernel.org/stable/c/811d581194f7412eda97acc03d17fc77824b561f" + }, + { + "url": "https://git.kernel.org/stable/c/f0ad46ef772438c0596df370450d8bdc8a12dbfb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52742 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52742", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: USB: Fix wrong-direction WARNING in plusb.c\n\nThe syzbot fuzzer detected a bug in the plusb network driver: A\nzero-length control-OUT transfer was treated as a read instead of a\nwrite. In modern kernels this error provokes a WARNING:\n\nusb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0\nWARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411\nusb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nModules linked in:\nCPU: 1 PID: 4645 Comm: dhcpcd Not tainted\n6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n01/12/2023\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\n...\nCall Trace:\n \n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\n __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010\n usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068\n pl_vendor_req drivers/net/usb/plusb.c:60 [inline]\n pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline]\n pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85\n usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889\n __dev_open+0x297/0x4d0 net/core/dev.c:1417\n __dev_change_flags+0x587/0x750 net/core/dev.c:8530\n dev_change_flags+0x97/0x170 net/core/dev.c:8602\n devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147\n inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979\n sock_do_ioctl+0xcc/0x230 net/socket.c:1169\n sock_ioctl+0x1f8/0x680 net/socket.c:1286\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and\nremove the USB_DIR_IN flag.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52742\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52742\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52742\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52742\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52742\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d2cf3fae701646061e295815bb7588d2f3671cc\",\n \"https://git.kernel.org/stable/c/1be271c52bf3554edcb8d124d1f8c7f777ee5727\",\n \"https://git.kernel.org/stable/c/25141fb4119112f4ebf8f00cf52014abbc8020b1\",\n \"https://git.kernel.org/stable/c/43379fcacea2dcee35d02efc9c8fe97807a503c9\",\n \"https://git.kernel.org/stable/c/6f69307f625904feed189008381fd83bd1a35b63\",\n \"https://git.kernel.org/stable/c/811d581194f7412eda97acc03d17fc77824b561f\",\n \"https://git.kernel.org/stable/c/f0ad46ef772438c0596df370450d8bdc8a12dbfb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: USB: Fix wrong-direction WARNING in plusb.c\\n\\nThe syzbot fuzzer detected a bug in the plusb network driver: A\\nzero-length control-OUT transfer was treated as a read instead of a\\nwrite. In modern kernels this error provokes a WARNING:\\n\\nusb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0\\nWARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411\\nusb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\\nModules linked in:\\nCPU: 1 PID: 4645 Comm: dhcpcd Not tainted\\n6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\\n01/12/2023\\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\\n...\\nCall Trace:\\n \\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\\n __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010\\n usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068\\n pl_vendor_req drivers/net/usb/plusb.c:60 [inline]\\n pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline]\\n pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85\\n usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889\\n __dev_open+0x297/0x4d0 net/core/dev.c:1417\\n __dev_change_flags+0x587/0x750 net/core/dev.c:8530\\n dev_change_flags+0x97/0x170 net/core/dev.c:8602\\n devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147\\n inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979\\n sock_do_ioctl+0xcc/0x230 net/socket.c:1169\\n sock_ioctl+0x1f8/0x680 net/socket.c:1286\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:870 [inline]\\n __se_sys_ioctl fs/ioctl.c:856 [inline]\\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nThe fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and\\nremove the USB_DIR_IN flag.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52742\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52743", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52743" + }, + { + "url": "https://git.kernel.org/stable/c/1ad4112c9fcf0bc08222b2b1614fba52ffd12255" + }, + { + "url": "https://git.kernel.org/stable/c/4d159f7884f78b1aacb99b4fc37d1e3cb1194e39" + }, + { + "url": "https://git.kernel.org/stable/c/87a5e3fc8416106e290c448fc8a6dd50ab24c634" + }, + { + "url": "https://git.kernel.org/stable/c/ca834a017851c50464c25a85f3cb2daefff7bede" + }, + { + "url": "https://git.kernel.org/stable/c/df59e05401450973c8c7e96fd74b49e24442dc1f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52743 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52743", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nWhen both ice and the irdma driver are loaded, a warning in\ncheck_flush_dependency is being triggered. This is due to ice driver\nworkqueue being allocated with the WQ_MEM_RECLAIM flag and the irdma one\nis not.\n\nAccording to kernel documentation, this flag should be set if the\nworkqueue will be involved in the kernel's memory reclamation flow.\nSince it is not, there is no need for the ice driver's WQ to have this\nflag set so remove it.\n\nExample trace:\n\n[ +0.000004] workqueue: WQ_MEM_RECLAIM ice:ice_service_task [ice] is flushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000139] WARNING: CPU: 0 PID: 728 at kernel/workqueue.c:2632 check_flush_dependency+0x178/0x1a0\n[ +0.000011] Modules linked in: bonding tls xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_cha\nin_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rfkill vfat fat intel_rapl_msr intel\n_rapl_common isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct1\n0dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_\ncore_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_cm iw_cm iTCO_wdt iTCO_vendor_support ipmi_ssif irdma mei_me ib_uverbs\nib_core intel_uncore joydev pcspkr i2c_i801 acpi_ipmi mei lpc_ich i2c_smbus intel_pch_thermal ioatdma ipmi_si acpi_power_meter\nacpi_pad xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ahci ixgbe libahci ice i40e igb crc32c_intel mdio i2c_algo_bit liba\nta dca wmi dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ +0.000161] [last unloaded: bonding]\n[ +0.000006] CPU: 0 PID: 728 Comm: kworker/0:2 Tainted: G S 6.2.0-rc2_next-queue-13jan-00458-gc20aabd57164 #1\n[ +0.000006] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020\n[ +0.000003] Workqueue: ice ice_service_task [ice]\n[ +0.000127] RIP: 0010:check_flush_dependency+0x178/0x1a0\n[ +0.000005] Code: 89 8e 02 01 e8 49 3d 40 00 49 8b 55 18 48 8d 8d d0 00 00 00 48 8d b3 d0 00 00 00 4d 89 e0 48 c7 c7 e0 3b 08\n9f e8 bb d3 07 01 <0f> 0b e9 be fe ff ff 80 3d 24 89 8e 02 00 0f 85 6b ff ff ff e9 06\n[ +0.000004] RSP: 0018:ffff88810a39f990 EFLAGS: 00010282\n[ +0.000005] RAX: 0000000000000000 RBX: ffff888141bc2400 RCX: 0000000000000000\n[ +0.000004] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffa1213a80\n[ +0.000003] RBP: ffff888194bf3400 R08: ffffed117b306112 R09: ffffed117b306112\n[ +0.000003] R10: ffff888bd983088b R11: ffffed117b306111 R12: 0000000000000000\n[ +0.000003] R13: ffff888111f84d00 R14: ffff88810a3943ac R15: ffff888194bf3400\n[ +0.000004] FS: 0000000000000000(0000) GS:ffff888bd9800000(0000) knlGS:0000000000000000\n[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000003] CR2: 000056035b208b60 CR3: 000000017795e005 CR4: 00000000007706f0\n[ +0.000003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ +0.000003] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ +0.000002] PKRU: 55555554\n[ +0.000003] Call Trace:\n[ +0.000002] \n[ +0.000003] __flush_workqueue+0x203/0x840\n[ +0.000006] ? mutex_unlock+0x84/0xd0\n[ +0.000008] ? __pfx_mutex_unlock+0x10/0x10\n[ +0.000004] ? __pfx___flush_workqueue+0x10/0x10\n[ +0.000006] ? mutex_lock+0xa3/0xf0\n[ +0.000005] ib_cache_cleanup_one+0x39/0x190 [ib_core]\n[ +0.000174] __ib_unregister_device+0x84/0xf0 [ib_core]\n[ +0.000094] ib_unregister_device+0x25/0x30 [ib_core]\n[ +0.000093] irdma_ib_unregister_device+0x97/0xc0 [irdma]\n[ +0.000064] ? __pfx_irdma_ib_unregister_device+0x10/0x10 [irdma]\n[ +0.000059] ? up_write+0x5c/0x90\n[ +0.000005] irdma_remove+0x36/0x90 [irdma]\n[ +0.000062] auxiliary_bus_remove+0x32/0x50\n[ +0.000007] device_r\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52743\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52743\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52743\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52743\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52743\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ad4112c9fcf0bc08222b2b1614fba52ffd12255\",\n \"https://git.kernel.org/stable/c/4d159f7884f78b1aacb99b4fc37d1e3cb1194e39\",\n \"https://git.kernel.org/stable/c/87a5e3fc8416106e290c448fc8a6dd50ab24c634\",\n \"https://git.kernel.org/stable/c/ca834a017851c50464c25a85f3cb2daefff7bede\",\n \"https://git.kernel.org/stable/c/df59e05401450973c8c7e96fd74b49e24442dc1f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: Do not use WQ_MEM_RECLAIM flag for workqueue\\n\\nWhen both ice and the irdma driver are loaded, a warning in\\ncheck_flush_dependency is being triggered. This is due to ice driver\\nworkqueue being allocated with the WQ_MEM_RECLAIM flag and the irdma one\\nis not.\\n\\nAccording to kernel documentation, this flag should be set if the\\nworkqueue will be involved in the kernel's memory reclamation flow.\\nSince it is not, there is no need for the ice driver's WQ to have this\\nflag set so remove it.\\n\\nExample trace:\\n\\n[ +0.000004] workqueue: WQ_MEM_RECLAIM ice:ice_service_task [ice] is flushing !WQ_MEM_RECLAIM infiniband:0x0\\n[ +0.000139] WARNING: CPU: 0 PID: 728 at kernel/workqueue.c:2632 check_flush_dependency+0x178/0x1a0\\n[ +0.000011] Modules linked in: bonding tls xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_cha\\nin_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rfkill vfat fat intel_rapl_msr intel\\n_rapl_common isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct1\\n0dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_\\ncore_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_cm iw_cm iTCO_wdt iTCO_vendor_support ipmi_ssif irdma mei_me ib_uverbs\\nib_core intel_uncore joydev pcspkr i2c_i801 acpi_ipmi mei lpc_ich i2c_smbus intel_pch_thermal ioatdma ipmi_si acpi_power_meter\\nacpi_pad xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ahci ixgbe libahci ice i40e igb crc32c_intel mdio i2c_algo_bit liba\\nta dca wmi dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\\n[ +0.000161] [last unloaded: bonding]\\n[ +0.000006] CPU: 0 PID: 728 Comm: kworker/0:2 Tainted: G S 6.2.0-rc2_next-queue-13jan-00458-gc20aabd57164 #1\\n[ +0.000006] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020\\n[ +0.000003] Workqueue: ice ice_service_task [ice]\\n[ +0.000127] RIP: 0010:check_flush_dependency+0x178/0x1a0\\n[ +0.000005] Code: 89 8e 02 01 e8 49 3d 40 00 49 8b 55 18 48 8d 8d d0 00 00 00 48 8d b3 d0 00 00 00 4d 89 e0 48 c7 c7 e0 3b 08\\n9f e8 bb d3 07 01 <0f> 0b e9 be fe ff ff 80 3d 24 89 8e 02 00 0f 85 6b ff ff ff e9 06\\n[ +0.000004] RSP: 0018:ffff88810a39f990 EFLAGS: 00010282\\n[ +0.000005] RAX: 0000000000000000 RBX: ffff888141bc2400 RCX: 0000000000000000\\n[ +0.000004] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffa1213a80\\n[ +0.000003] RBP: ffff888194bf3400 R08: ffffed117b306112 R09: ffffed117b306112\\n[ +0.000003] R10: ffff888bd983088b R11: ffffed117b306111 R12: 0000000000000000\\n[ +0.000003] R13: ffff888111f84d00 R14: ffff88810a3943ac R15: ffff888194bf3400\\n[ +0.000004] FS: 0000000000000000(0000) GS:ffff888bd9800000(0000) knlGS:0000000000000000\\n[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ +0.000003] CR2: 000056035b208b60 CR3: 000000017795e005 CR4: 00000000007706f0\\n[ +0.000003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ +0.000003] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ +0.000002] PKRU: 55555554\\n[ +0.000003] Call Trace:\\n[ +0.000002] \\n[ +0.000003] __flush_workqueue+0x203/0x840\\n[ +0.000006] ? mutex_unlock+0x84/0xd0\\n[ +0.000008] ? __pfx_mutex_unlock+0x10/0x10\\n[ +0.000004] ? __pfx___flush_workqueue+0x10/0x10\\n[ +0.000006] ? mutex_lock+0xa3/0xf0\\n[ +0.000005] ib_cache_cleanup_one+0x39/0x190 [ib_core]\\n[ +0.000174] __ib_unregister_device+0x84/0xf0 [ib_core]\\n[ +0.000094] ib_unregister_device+0x25/0x30 [ib_core]\\n[ +0.000093] irdma_ib_unregister_device+0x97/0xc0 [irdma]\\n[ +0.000064] ? __pfx_irdma_ib_unregister_device+0x10/0x10 [irdma]\\n[ +0.000059] ? up_write+0x5c/0x90\\n[ +0.000005] irdma_remove+0x36/0x90 [irdma]\\n[ +0.000062] auxiliary_bus_remove+0x32/0x50\\n[ +0.000007] device_r\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52743\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52744", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52744" + }, + { + "url": "https://git.kernel.org/stable/c/360682fe7df262d94fae54f737c487bec0f9190d" + }, + { + "url": "https://git.kernel.org/stable/c/5d9745cead1f121974322b94ceadfb4d1e67960e" + }, + { + "url": "https://git.kernel.org/stable/c/8f5fe1cd8e6a97f94840b55f59ed08cbc397086f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52744 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52744", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix potential NULL-ptr-dereference\n\nin_dev_get() can return NULL which will cause a failure once idev is\ndereferenced in in_dev_for_each_ifa_rtnl(). This patch adds a\ncheck for NULL value in idev beforehand.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52744\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52744\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52744\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52744\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52744\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/360682fe7df262d94fae54f737c487bec0f9190d\",\n \"https://git.kernel.org/stable/c/5d9745cead1f121974322b94ceadfb4d1e67960e\",\n \"https://git.kernel.org/stable/c/8f5fe1cd8e6a97f94840b55f59ed08cbc397086f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/irdma: Fix potential NULL-ptr-dereference\\n\\nin_dev_get() can return NULL which will cause a failure once idev is\\ndereferenced in in_dev_for_each_ifa_rtnl(). This patch adds a\\ncheck for NULL value in idev beforehand.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52744\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52745", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52745" + }, + { + "url": "https://git.kernel.org/stable/c/1b4ef90cbcfa603b3bb536fbd6f261197012b6f6" + }, + { + "url": "https://git.kernel.org/stable/c/4a779187db39b2f32d048a752573e56e4e77807f" + }, + { + "url": "https://git.kernel.org/stable/c/7197460dcd43ff0e4a502ba855dd82d37c2848cc" + }, + { + "url": "https://git.kernel.org/stable/c/b1afb666c32931667c15ad1b58e7203f0119dcaf" + }, + { + "url": "https://git.kernel.org/stable/c/e632291a2dbce45a24cddeb5fe28fe71d724ba43" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52745 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52745", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/IPoIB: Fix legacy IPoIB due to wrong number of queues\n\nThe cited commit creates child PKEY interfaces over netlink will\nmultiple tx and rx queues, but some devices doesn't support more than 1\ntx and 1 rx queues. This causes to a crash when traffic is sent over the\nPKEY interface due to the parent having a single queue but the child\nhaving multiple queues.\n\nThis patch fixes the number of queues to 1 for legacy IPoIB at the\nearliest possible point in time.\n\nBUG: kernel NULL pointer dereference, address: 000000000000036b\nPGD 0 P4D 0\nOops: 0000 [#1] SMP\nCPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:kmem_cache_alloc+0xcb/0x450\nCode: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a\n01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b\nRSP: 0018:ffff88822acbbab8 EFLAGS: 00010202\nRAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae\nRDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00\nRBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40\nR10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000\nR13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000\nFS: 00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n skb_clone+0x55/0xd0\n ip6_finish_output2+0x3fe/0x690\n ip6_finish_output+0xfa/0x310\n ip6_send_skb+0x1e/0x60\n udp_v6_send_skb+0x1e5/0x420\n udpv6_sendmsg+0xb3c/0xe60\n ? ip_mc_finish_output+0x180/0x180\n ? __switch_to_asm+0x3a/0x60\n ? __switch_to_asm+0x34/0x60\n sock_sendmsg+0x33/0x40\n __sys_sendto+0x103/0x160\n ? _copy_to_user+0x21/0x30\n ? kvm_clock_get_cycles+0xd/0x10\n ? ktime_get_ts64+0x49/0xe0\n __x64_sys_sendto+0x25/0x30\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f9374f1ed14\nCode: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b\n7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b\nRSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14\nRDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030\nRBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\nR13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52745\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52745\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52745\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52745\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52745\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b4ef90cbcfa603b3bb536fbd6f261197012b6f6\",\n \"https://git.kernel.org/stable/c/4a779187db39b2f32d048a752573e56e4e77807f\",\n \"https://git.kernel.org/stable/c/7197460dcd43ff0e4a502ba855dd82d37c2848cc\",\n \"https://git.kernel.org/stable/c/b1afb666c32931667c15ad1b58e7203f0119dcaf\",\n \"https://git.kernel.org/stable/c/e632291a2dbce45a24cddeb5fe28fe71d724ba43\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/IPoIB: Fix legacy IPoIB due to wrong number of queues\\n\\nThe cited commit creates child PKEY interfaces over netlink will\\nmultiple tx and rx queues, but some devices doesn't support more than 1\\ntx and 1 rx queues. This causes to a crash when traffic is sent over the\\nPKEY interface due to the parent having a single queue but the child\\nhaving multiple queues.\\n\\nThis patch fixes the number of queues to 1 for legacy IPoIB at the\\nearliest possible point in time.\\n\\nBUG: kernel NULL pointer dereference, address: 000000000000036b\\nPGD 0 P4D 0\\nOops: 0000 [#1] SMP\\nCPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\nRIP: 0010:kmem_cache_alloc+0xcb/0x450\\nCode: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a\\n01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b\\nRSP: 0018:ffff88822acbbab8 EFLAGS: 00010202\\nRAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae\\nRDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00\\nRBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40\\nR10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000\\nR13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000\\nFS: 00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n skb_clone+0x55/0xd0\\n ip6_finish_output2+0x3fe/0x690\\n ip6_finish_output+0xfa/0x310\\n ip6_send_skb+0x1e/0x60\\n udp_v6_send_skb+0x1e5/0x420\\n udpv6_sendmsg+0xb3c/0xe60\\n ? ip_mc_finish_output+0x180/0x180\\n ? __switch_to_asm+0x3a/0x60\\n ? __switch_to_asm+0x34/0x60\\n sock_sendmsg+0x33/0x40\\n __sys_sendto+0x103/0x160\\n ? _copy_to_user+0x21/0x30\\n ? kvm_clock_get_cycles+0xd/0x10\\n ? ktime_get_ts64+0x49/0xe0\\n __x64_sys_sendto+0x25/0x30\\n do_syscall_64+0x3d/0x90\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\\nRIP: 0033:0x7f9374f1ed14\\nCode: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b\\n7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b\\nRSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\\nRAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14\\nRDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030\\nRBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c\\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\\nR13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52745\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52746", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52746" + }, + { + "url": "https://git.kernel.org/stable/c/419674224390fca298020fc0751a20812f84b12d" + }, + { + "url": "https://git.kernel.org/stable/c/5dc688fae6b7be9dbbf5304a3d2520d038e06db5" + }, + { + "url": "https://git.kernel.org/stable/c/a893cc644812728e86e9aff517fd5698812ecef0" + }, + { + "url": "https://git.kernel.org/stable/c/b6ee896385380aa621102e8ea402ba12db1cabff" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52746 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52746", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()\n\n int type = nla_type(nla);\n\n if (type > XFRMA_MAX) {\n return -EOPNOTSUPP;\n }\n\n@type is then used as an array index and can be used\nas a Spectre v1 gadget.\n\n if (nla_len(nla) < compat_policy[type].len) {\n\narray_index_nospec() can be used to prevent leaking\ncontent of kernel memory to malicious users.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52746\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52746\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52746\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52746\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52746\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/419674224390fca298020fc0751a20812f84b12d\",\n \"https://git.kernel.org/stable/c/5dc688fae6b7be9dbbf5304a3d2520d038e06db5\",\n \"https://git.kernel.org/stable/c/a893cc644812728e86e9aff517fd5698812ecef0\",\n \"https://git.kernel.org/stable/c/b6ee896385380aa621102e8ea402ba12db1cabff\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()\\n\\n int type = nla_type(nla);\\n\\n if (type > XFRMA_MAX) {\\n return -EOPNOTSUPP;\\n }\\n\\n@type is then used as an array index and can be used\\nas a Spectre v1 gadget.\\n\\n if (nla_len(nla) < compat_policy[type].len) {\\n\\narray_index_nospec() can be used to prevent leaking\\ncontent of kernel memory to malicious users.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52746\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52747", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52747" + }, + { + "url": "https://git.kernel.org/stable/c/00d9e212b8a39e6ffcf31b9d2e503d2bf6009d45" + }, + { + "url": "https://git.kernel.org/stable/c/0a4f811f2e5d07bbd0c9226f4afb0a1270a831ae" + }, + { + "url": "https://git.kernel.org/stable/c/6601fc0d15ffc20654e39486f9bef35567106d68" + }, + { + "url": "https://git.kernel.org/stable/c/7896accedf5bf1277d2f305718e36dc8bac7e321" + }, + { + "url": "https://git.kernel.org/stable/c/79b595d9591426156a9e0635a5b5115508a36fef" + }, + { + "url": "https://git.kernel.org/stable/c/9bae58d58b6bb73b572356b31a62d2afc7378d12" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52747 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52747", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Restore allocated resources on failed copyout\n\nFix a resource leak if an error occurs.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52747\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52747\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52747\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52747\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52747\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00d9e212b8a39e6ffcf31b9d2e503d2bf6009d45\",\n \"https://git.kernel.org/stable/c/0a4f811f2e5d07bbd0c9226f4afb0a1270a831ae\",\n \"https://git.kernel.org/stable/c/6601fc0d15ffc20654e39486f9bef35567106d68\",\n \"https://git.kernel.org/stable/c/7896accedf5bf1277d2f305718e36dc8bac7e321\",\n \"https://git.kernel.org/stable/c/79b595d9591426156a9e0635a5b5115508a36fef\",\n \"https://git.kernel.org/stable/c/9bae58d58b6bb73b572356b31a62d2afc7378d12\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/hfi1: Restore allocated resources on failed copyout\\n\\nFix a resource leak if an error occurs.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52747\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52748", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52748" + }, + { + "url": "https://git.kernel.org/stable/c/3eebe636cac53886bd5d1cdd55e082ec9e84983f" + }, + { + "url": "https://git.kernel.org/stable/c/526dd7540a09ecf87b5f54f3ab4e0a2528f25a79" + }, + { + "url": "https://git.kernel.org/stable/c/6fca08fd3085253b48fcb1bd243a0a5e18821a00" + }, + { + "url": "https://git.kernel.org/stable/c/c041f5ddef00c731c541e00bc8ae97b8c84c682f" + }, + { + "url": "https://git.kernel.org/stable/c/e0d4e8acb3789c5a8651061fbab62ca24a45c063" + }, + { + "url": "https://git.kernel.org/stable/c/e4088d7d8f1123006d46a42edf51b8c960a58ef9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52748 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52748", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: avoid format-overflow warning\n\nWith gcc and W=1 option, there's a warning like this:\n\nfs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:\nfs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between\n1 and 7 bytes into a region of size between 5 and 8\n[-Werror=format-overflow=]\n 1984 | sprintf(slab_name, \"f2fs_page_array_entry-%u:%u\", MAJOR(dev),\n\t\tMINOR(dev));\n | ^~\n\nString \"f2fs_page_array_entry-%u:%u\" can up to 35. The first \"%u\" can up\nto 4 and the second \"%u\" can up to 7, so total size is \"24 + 4 + 7 = 35\".\nslab_name's size should be 35 rather than 32.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52748\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52748\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52748\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52748\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52748\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3eebe636cac53886bd5d1cdd55e082ec9e84983f\",\n \"https://git.kernel.org/stable/c/526dd7540a09ecf87b5f54f3ab4e0a2528f25a79\",\n \"https://git.kernel.org/stable/c/6fca08fd3085253b48fcb1bd243a0a5e18821a00\",\n \"https://git.kernel.org/stable/c/c041f5ddef00c731c541e00bc8ae97b8c84c682f\",\n \"https://git.kernel.org/stable/c/e0d4e8acb3789c5a8651061fbab62ca24a45c063\",\n \"https://git.kernel.org/stable/c/e4088d7d8f1123006d46a42edf51b8c960a58ef9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: avoid format-overflow warning\\n\\nWith gcc and W=1 option, there's a warning like this:\\n\\nfs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:\\nfs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between\\n1 and 7 bytes into a region of size between 5 and 8\\n[-Werror=format-overflow=]\\n 1984 | sprintf(slab_name, \\\"f2fs_page_array_entry-%u:%u\\\", MAJOR(dev),\\n\\t\\tMINOR(dev));\\n | ^~\\n\\nString \\\"f2fs_page_array_entry-%u:%u\\\" can up to 35. The first \\\"%u\\\" can up\\nto 4 and the second \\\"%u\\\" can up to 7, so total size is \\\"24 + 4 + 7 = 35\\\".\\nslab_name's size should be 35 rather than 32.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52748\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52749", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52749" + }, + { + "url": "https://git.kernel.org/stable/c/4ec4508db97502a12daee88c74782e8d35ced068" + }, + { + "url": "https://git.kernel.org/stable/c/96474ea47dc67b0704392d59192b233c8197db0e" + }, + { + "url": "https://git.kernel.org/stable/c/bef4a48f4ef798c4feddf045d49e53c8a97d5e37" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52749 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52749", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix null dereference on suspend\n\nA race condition exists where a synchronous (noqueue) transfer can be\nactive during a system suspend. This can cause a null pointer\ndereference exception to occur when the system resumes.\n\nExample order of events leading to the exception:\n1. spi_sync() calls __spi_transfer_message_noqueue() which sets\n ctlr->cur_msg\n2. Spi transfer begins via spi_transfer_one_message()\n3. System is suspended interrupting the transfer context\n4. System is resumed\n6. spi_controller_resume() calls spi_start_queue() which resets cur_msg\n to NULL\n7. Spi transfer context resumes and spi_finalize_current_message() is\n called which dereferences cur_msg (which is now NULL)\n\nWait for synchronous transfers to complete before suspending by\nacquiring the bus mutex and setting/checking a suspend flag.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52749\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52749\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52749\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52749\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52749\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4ec4508db97502a12daee88c74782e8d35ced068\",\n \"https://git.kernel.org/stable/c/96474ea47dc67b0704392d59192b233c8197db0e\",\n \"https://git.kernel.org/stable/c/bef4a48f4ef798c4feddf045d49e53c8a97d5e37\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspi: Fix null dereference on suspend\\n\\nA race condition exists where a synchronous (noqueue) transfer can be\\nactive during a system suspend. This can cause a null pointer\\ndereference exception to occur when the system resumes.\\n\\nExample order of events leading to the exception:\\n1. spi_sync() calls __spi_transfer_message_noqueue() which sets\\n ctlr->cur_msg\\n2. Spi transfer begins via spi_transfer_one_message()\\n3. System is suspended interrupting the transfer context\\n4. System is resumed\\n6. spi_controller_resume() calls spi_start_queue() which resets cur_msg\\n to NULL\\n7. Spi transfer context resumes and spi_finalize_current_message() is\\n called which dereferences cur_msg (which is now NULL)\\n\\nWait for synchronous transfers to complete before suspending by\\nacquiring the bus mutex and setting/checking a suspend flag.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52749\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52750", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52750" + }, + { + "url": "https://git.kernel.org/stable/c/146a15b873353f8ac28dc281c139ff611a3c4848" + }, + { + "url": "https://git.kernel.org/stable/c/69e619d2fd056fe1f5d0adf01584f2da669e0d28" + }, + { + "url": "https://git.kernel.org/stable/c/936c9c10efaefaf1ab3ef020e1f8aaaaff1ad2f9" + }, + { + "url": "https://git.kernel.org/stable/c/bd31e534721ab95ef237020fe6995c899ffdf21a" + }, + { + "url": "https://git.kernel.org/stable/c/d08a1e75253b4e19ae290b1c35349f12cfcebc0a" + }, + { + "url": "https://git.kernel.org/stable/c/ef0224ee5399ea8a46bc07dc6c6494961ed5fdd2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52750 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52750", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer\n\nPrior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly\nbyte-swap NOP when compiling for big-endian, and the resulting series of\nbytes happened to match the encoding of FNMADD S21, S30, S0, S0.\n\nThis went unnoticed until commit:\n\n 34f66c4c4d5518c1 (\"arm64: Use a positive cpucap for FP/SIMD\")\n\nPrior to that commit, the kernel would always enable the use of FPSIMD\nearly in boot when __cpu_setup() initialized CPACR_EL1, and so usage of\nFNMADD within the kernel was not detected, but could result in the\ncorruption of user or kernel FPSIMD state.\n\nAfter that commit, the instructions happen to trap during boot prior to\nFPSIMD being detected and enabled, e.g.\n\n| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : __pi_strcmp+0x1c/0x150\n| lr : populate_properties+0xe4/0x254\n| sp : ffffd014173d3ad0\n| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000\n| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008\n| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044\n| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005\n| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000\n| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000\n| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000\n| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000\n| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a\n| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8\n| Kernel panic - not syncing: Unhandled exception\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| Call trace:\n| dump_backtrace+0xec/0x108\n| show_stack+0x18/0x2c\n| dump_stack_lvl+0x50/0x68\n| dump_stack+0x18/0x24\n| panic+0x13c/0x340\n| el1t_64_irq_handler+0x0/0x1c\n| el1_abort+0x0/0x5c\n| el1h_64_sync+0x64/0x68\n| __pi_strcmp+0x1c/0x150\n| unflatten_dt_nodes+0x1e8/0x2d8\n| __unflatten_device_tree+0x5c/0x15c\n| unflatten_device_tree+0x38/0x50\n| setup_arch+0x164/0x1e0\n| start_kernel+0x64/0x38c\n| __primary_switched+0xbc/0xc4\n\nRestrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is\neither GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked\ncommit.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52750\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52750\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52750\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52750\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52750\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/146a15b873353f8ac28dc281c139ff611a3c4848\",\n \"https://git.kernel.org/stable/c/69e619d2fd056fe1f5d0adf01584f2da669e0d28\",\n \"https://git.kernel.org/stable/c/936c9c10efaefaf1ab3ef020e1f8aaaaff1ad2f9\",\n \"https://git.kernel.org/stable/c/bd31e534721ab95ef237020fe6995c899ffdf21a\",\n \"https://git.kernel.org/stable/c/d08a1e75253b4e19ae290b1c35349f12cfcebc0a\",\n \"https://git.kernel.org/stable/c/ef0224ee5399ea8a46bc07dc6c6494961ed5fdd2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer\\n\\nPrior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly\\nbyte-swap NOP when compiling for big-endian, and the resulting series of\\nbytes happened to match the encoding of FNMADD S21, S30, S0, S0.\\n\\nThis went unnoticed until commit:\\n\\n 34f66c4c4d5518c1 (\\\"arm64: Use a positive cpucap for FP/SIMD\\\")\\n\\nPrior to that commit, the kernel would always enable the use of FPSIMD\\nearly in boot when __cpu_setup() initialized CPACR_EL1, and so usage of\\nFNMADD within the kernel was not detected, but could result in the\\ncorruption of user or kernel FPSIMD state.\\n\\nAfter that commit, the instructions happen to trap during boot prior to\\nFPSIMD being detected and enabled, e.g.\\n\\n| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD\\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\\n| Hardware name: linux,dummy-virt (DT)\\n| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n| pc : __pi_strcmp+0x1c/0x150\\n| lr : populate_properties+0xe4/0x254\\n| sp : ffffd014173d3ad0\\n| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000\\n| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008\\n| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044\\n| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005\\n| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000\\n| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000\\n| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000\\n| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000\\n| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a\\n| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8\\n| Kernel panic - not syncing: Unhandled exception\\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\\n| Hardware name: linux,dummy-virt (DT)\\n| Call trace:\\n| dump_backtrace+0xec/0x108\\n| show_stack+0x18/0x2c\\n| dump_stack_lvl+0x50/0x68\\n| dump_stack+0x18/0x24\\n| panic+0x13c/0x340\\n| el1t_64_irq_handler+0x0/0x1c\\n| el1_abort+0x0/0x5c\\n| el1h_64_sync+0x64/0x68\\n| __pi_strcmp+0x1c/0x150\\n| unflatten_dt_nodes+0x1e8/0x2d8\\n| __unflatten_device_tree+0x5c/0x15c\\n| unflatten_device_tree+0x38/0x50\\n| setup_arch+0x164/0x1e0\\n| start_kernel+0x64/0x38c\\n| __primary_switched+0xbc/0xc4\\n\\nRestrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is\\neither GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked\\ncommit.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52750\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52751", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52751" + }, + { + "url": "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b" + }, + { + "url": "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9" + }, + { + "url": "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52751 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52751", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in smb2_query_info_compound()\n\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\n\n BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\n Read of size 8 at addr ffff888014941048 by task xfs_io/27534\n\n CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x4a/0x80\n print_report+0xcf/0x650\n ? srso_alias_return_thunk+0x5/0x7f\n ? srso_alias_return_thunk+0x5/0x7f\n ? __phys_addr+0x46/0x90\n kasan_report+0xda/0x110\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __stack_depot_save+0x39/0x480\n ? kasan_save_stack+0x33/0x60\n ? kasan_set_track+0x25/0x30\n ? ____kasan_slab_free+0x126/0x170\n smb2_queryfs+0xc2/0x2c0 [cifs]\n ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n smb311_queryfs+0x210/0x220 [cifs]\n ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __lock_acquire+0x480/0x26c0\n ? lock_release+0x1ed/0x640\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_raw_spin_unlock+0x9b/0x100\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n ? __pfx___do_sys_fstatfs+0x10/0x10\n ? srso_alias_return_thunk+0x5/0x7f\n ? lockdep_hardirqs_on_prepare+0x136/0x200\n ? srso_alias_return_thunk+0x5/0x7f\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x8f/0xa0\n open_cached_dir+0x71b/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n smb311_queryfs+0x210/0x220 [cifs]\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2b/0x50\n ____kasan_slab_free+0x126/0x170\n slab_free_freelist_hook+0xd0/0x1e0\n __kmem_cache_free+0x9d/0x1b0\n open_cached_dir+0xff5/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it. And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\n\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\n\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\n CIFS: VFS: Dump pending requests:\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n ...\n\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid. And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52751\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52751\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52751\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52751\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52751\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b\",\n \"https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9\",\n \"https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix use-after-free in smb2_query_info_compound()\\n\\nThe following UAF was triggered when running fstests generic/072 with\\nKASAN enabled against Windows Server 2022 and mount options\\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\\n\\n BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\\n Read of size 8 at addr ffff888014941048 by task xfs_io/27534\\n\\n CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\\n Call Trace:\\n dump_stack_lvl+0x4a/0x80\\n print_report+0xcf/0x650\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? __phys_addr+0x46/0x90\\n kasan_report+0xda/0x110\\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\\n smb2_query_info_compound+0x423/0x6d0 [cifs]\\n ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? __stack_depot_save+0x39/0x480\\n ? kasan_save_stack+0x33/0x60\\n ? kasan_set_track+0x25/0x30\\n ? ____kasan_slab_free+0x126/0x170\\n smb2_queryfs+0xc2/0x2c0 [cifs]\\n ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\\n ? __pfx___lock_acquire+0x10/0x10\\n smb311_queryfs+0x210/0x220 [cifs]\\n ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? __lock_acquire+0x480/0x26c0\\n ? lock_release+0x1ed/0x640\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? do_raw_spin_unlock+0x9b/0x100\\n cifs_statfs+0x18c/0x4b0 [cifs]\\n statfs_by_dentry+0x9b/0xf0\\n fd_statfs+0x4e/0xb0\\n __do_sys_fstatfs+0x7f/0xe0\\n ? __pfx___do_sys_fstatfs+0x10/0x10\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? lockdep_hardirqs_on_prepare+0x136/0x200\\n ? srso_alias_return_thunk+0x5/0x7f\\n do_syscall_64+0x3f/0x90\\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\\n\\n Allocated by task 27534:\\n kasan_save_stack+0x33/0x60\\n kasan_set_track+0x25/0x30\\n __kasan_kmalloc+0x8f/0xa0\\n open_cached_dir+0x71b/0x1240 [cifs]\\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\\n smb2_queryfs+0xc2/0x2c0 [cifs]\\n smb311_queryfs+0x210/0x220 [cifs]\\n cifs_statfs+0x18c/0x4b0 [cifs]\\n statfs_by_dentry+0x9b/0xf0\\n fd_statfs+0x4e/0xb0\\n __do_sys_fstatfs+0x7f/0xe0\\n do_syscall_64+0x3f/0x90\\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\\n\\n Freed by task 27534:\\n kasan_save_stack+0x33/0x60\\n kasan_set_track+0x25/0x30\\n kasan_save_free_info+0x2b/0x50\\n ____kasan_slab_free+0x126/0x170\\n slab_free_freelist_hook+0xd0/0x1e0\\n __kmem_cache_free+0x9d/0x1b0\\n open_cached_dir+0xff5/0x1240 [cifs]\\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\\n smb2_queryfs+0xc2/0x2c0 [cifs]\\n\\nThis is a race between open_cached_dir() and cached_dir_lease_break()\\nwhere the cache entry for the open directory handle receives a lease\\nbreak while creating it. And before returning from open_cached_dir(),\\nwe put the last reference of the new @cfid because of\\n!@cfid->has_lease.\\n\\nBesides the UAF, while running xfstests a lot of missed lease breaks\\nhave been noticed in tests that run several concurrent statfs(2) calls\\non those cached fids\\n\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test No task to wake, unknown frame...\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\\n CIFS: VFS: Dump pending requests:\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test No task to wake, unknown frame...\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\\n ...\\n\\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\\nright before sending out compounded request so that any potential\\nlease break will be get processed by demultiplex thread while we're\\nstill caching @cfid. And, if open failed for some reason, re-check\\n@cfid->has_lease to decide whether or not put lease reference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52751\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52752", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52752" + }, + { + "url": "https://git.kernel.org/stable/c/0ab6f842452ce2cae04209d4671ac6289d0aef8a" + }, + { + "url": "https://git.kernel.org/stable/c/558817597d5fbd7af31f891b67b0fd20f0d047b7" + }, + { + "url": "https://git.kernel.org/stable/c/89929ea46f9cc11ba66d2c64713aa5d5dc723b09" + }, + { + "url": "https://git.kernel.org/stable/c/d328c09ee9f15ee5a26431f5aad7c9239fa85e62" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52752 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52752", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free bug in cifs_debug_data_proc_show()\n\nSkip SMB sessions that are being teared down\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\nto avoid use-after-free in @ses.\n\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\nwhile mounting and umounting\n\n [ 816.251274] general protection fault, probably for non-canonical\n address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\n ...\n [ 816.260138] Call Trace:\n [ 816.260329] \n [ 816.260499] ? die_addr+0x36/0x90\n [ 816.260762] ? exc_general_protection+0x1b3/0x410\n [ 816.261126] ? asm_exc_general_protection+0x26/0x30\n [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs]\n [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs]\n [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\n [ 816.262689] ? seq_read_iter+0x379/0x470\n [ 816.262995] seq_read_iter+0x118/0x470\n [ 816.263291] proc_reg_read_iter+0x53/0x90\n [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f\n [ 816.263945] vfs_read+0x201/0x350\n [ 816.264211] ksys_read+0x75/0x100\n [ 816.264472] do_syscall_64+0x3f/0x90\n [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n [ 816.265135] RIP: 0033:0x7fd5e669d381", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52752\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52752\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52752\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52752\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52752\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ab6f842452ce2cae04209d4671ac6289d0aef8a\",\n \"https://git.kernel.org/stable/c/558817597d5fbd7af31f891b67b0fd20f0d047b7\",\n \"https://git.kernel.org/stable/c/89929ea46f9cc11ba66d2c64713aa5d5dc723b09\",\n \"https://git.kernel.org/stable/c/d328c09ee9f15ee5a26431f5aad7c9239fa85e62\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix use-after-free bug in cifs_debug_data_proc_show()\\n\\nSkip SMB sessions that are being teared down\\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\\nto avoid use-after-free in @ses.\\n\\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\\nwhile mounting and umounting\\n\\n [ 816.251274] general protection fault, probably for non-canonical\\n address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\\n ...\\n [ 816.260138] Call Trace:\\n [ 816.260329] \\n [ 816.260499] ? die_addr+0x36/0x90\\n [ 816.260762] ? exc_general_protection+0x1b3/0x410\\n [ 816.261126] ? asm_exc_general_protection+0x26/0x30\\n [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs]\\n [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs]\\n [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\\n [ 816.262689] ? seq_read_iter+0x379/0x470\\n [ 816.262995] seq_read_iter+0x118/0x470\\n [ 816.263291] proc_reg_read_iter+0x53/0x90\\n [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f\\n [ 816.263945] vfs_read+0x201/0x350\\n [ 816.264211] ksys_read+0x75/0x100\\n [ 816.264472] do_syscall_64+0x3f/0x90\\n [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\\n [ 816.265135] RIP: 0033:0x7fd5e669d381\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52752\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52753", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52753" + }, + { + "url": "https://git.kernel.org/stable/c/09909f515032fa80b921fd3118efe66b185d10fd" + }, + { + "url": "https://git.kernel.org/stable/c/4e497f1acd99075b13605b2e7fa0cba721a2cfd9" + }, + { + "url": "https://git.kernel.org/stable/c/6d8653b1a7a8dc938b566ae8c4f373b36e792c68" + }, + { + "url": "https://git.kernel.org/stable/c/79b6a90f4f2433312154cd68452b0ba501fa74db" + }, + { + "url": "https://git.kernel.org/stable/c/8a06894666e0b462c9316b26ab615cefdd0d676c" + }, + { + "url": "https://git.kernel.org/stable/c/b1904ed480cee3f9f4036ea0e36d139cb5fee2d6" + }, + { + "url": "https://git.kernel.org/stable/c/df8bc953eed72371e43ca407bd063507f760cf89" + }, + { + "url": "https://git.kernel.org/stable/c/eac3e4760aa12159f7f5475d55a67b7933abc195" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52753 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52753", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid NULL dereference of timing generator\n\n[Why & How]\nCheck whether assigned timing generator is NULL or not before\naccessing its funcs to prevent NULL dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52753\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52753\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52753\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52753\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52753\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09909f515032fa80b921fd3118efe66b185d10fd\",\n \"https://git.kernel.org/stable/c/4e497f1acd99075b13605b2e7fa0cba721a2cfd9\",\n \"https://git.kernel.org/stable/c/6d8653b1a7a8dc938b566ae8c4f373b36e792c68\",\n \"https://git.kernel.org/stable/c/79b6a90f4f2433312154cd68452b0ba501fa74db\",\n \"https://git.kernel.org/stable/c/8a06894666e0b462c9316b26ab615cefdd0d676c\",\n \"https://git.kernel.org/stable/c/b1904ed480cee3f9f4036ea0e36d139cb5fee2d6\",\n \"https://git.kernel.org/stable/c/df8bc953eed72371e43ca407bd063507f760cf89\",\n \"https://git.kernel.org/stable/c/eac3e4760aa12159f7f5475d55a67b7933abc195\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Avoid NULL dereference of timing generator\\n\\n[Why & How]\\nCheck whether assigned timing generator is NULL or not before\\naccessing its funcs to prevent NULL dereference.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52753\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52754", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52754" + }, + { + "url": "https://git.kernel.org/stable/c/0f5068519f89d928d6c51100e4b274479123829f" + }, + { + "url": "https://git.kernel.org/stable/c/10ec5a97f8f5a772a1a42b4eb27196b447cd3aa9" + }, + { + "url": "https://git.kernel.org/stable/c/2a493a34bd6e496c55fabedd82b957193ace178f" + }, + { + "url": "https://git.kernel.org/stable/c/5e0b788fb96be36d1baf1a5c88d09c7c82a0452a" + }, + { + "url": "https://git.kernel.org/stable/c/a1766a4fd83befa0b34d932d532e7ebb7fab1fa7" + }, + { + "url": "https://git.kernel.org/stable/c/b083aaf5db2eeca9e362723258e5d8698f7dd84e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52754 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52754", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imon: fix access to invalid resource for the second interface\n\nimon driver probes two USB interfaces, and at the probe of the second\ninterface, the driver assumes blindly that the first interface got\nbound with the same imon driver. It's usually true, but it's still\npossible that the first interface is bound with another driver via a\nmalformed descriptor. Then it may lead to a memory corruption, as\nspotted by syzkaller; imon driver accesses the data from drvdata as\nstruct imon_context object although it's a completely different one\nthat was assigned by another driver.\n\nThis patch adds a sanity check -- whether the first interface is\nreally bound with the imon driver or not -- for avoiding the problem\nabove at the probe time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52754\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52754\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52754\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52754\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52754\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f5068519f89d928d6c51100e4b274479123829f\",\n \"https://git.kernel.org/stable/c/10ec5a97f8f5a772a1a42b4eb27196b447cd3aa9\",\n \"https://git.kernel.org/stable/c/2a493a34bd6e496c55fabedd82b957193ace178f\",\n \"https://git.kernel.org/stable/c/5e0b788fb96be36d1baf1a5c88d09c7c82a0452a\",\n \"https://git.kernel.org/stable/c/a1766a4fd83befa0b34d932d532e7ebb7fab1fa7\",\n \"https://git.kernel.org/stable/c/b083aaf5db2eeca9e362723258e5d8698f7dd84e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: imon: fix access to invalid resource for the second interface\\n\\nimon driver probes two USB interfaces, and at the probe of the second\\ninterface, the driver assumes blindly that the first interface got\\nbound with the same imon driver. It's usually true, but it's still\\npossible that the first interface is bound with another driver via a\\nmalformed descriptor. Then it may lead to a memory corruption, as\\nspotted by syzkaller; imon driver accesses the data from drvdata as\\nstruct imon_context object although it's a completely different one\\nthat was assigned by another driver.\\n\\nThis patch adds a sanity check -- whether the first interface is\\nreally bound with the imon driver or not -- for avoiding the problem\\nabove at the probe time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52754\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52755", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52755" + }, + { + "url": "https://git.kernel.org/stable/c/09d9d8b40a3338193619c14ed4dc040f4f119e70" + }, + { + "url": "https://git.kernel.org/stable/c/712e01f32e577e7e48ab0adb5fe550646a3d93cb" + }, + { + "url": "https://git.kernel.org/stable/c/8387c94d73ec66eb597c7a23a8d9eadf64bfbafa" + }, + { + "url": "https://git.kernel.org/stable/c/aaf0a07d60887d6c36fc46a24de0083744f07819" + }, + { + "url": "https://git.kernel.org/stable/c/eebff19acaa35820cb09ce2ccb3d21bee2156ffb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52755 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52755", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab out of bounds write in smb_inherit_dacl()\n\nslab out-of-bounds write is caused by that offsets is bigger than pntsd\nallocation size. This patch add the check to validate 3 offsets using\nallocation size.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52755\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52755\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52755\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52755\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52755\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09d9d8b40a3338193619c14ed4dc040f4f119e70\",\n \"https://git.kernel.org/stable/c/712e01f32e577e7e48ab0adb5fe550646a3d93cb\",\n \"https://git.kernel.org/stable/c/8387c94d73ec66eb597c7a23a8d9eadf64bfbafa\",\n \"https://git.kernel.org/stable/c/aaf0a07d60887d6c36fc46a24de0083744f07819\",\n \"https://git.kernel.org/stable/c/eebff19acaa35820cb09ce2ccb3d21bee2156ffb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: fix slab out of bounds write in smb_inherit_dacl()\\n\\nslab out-of-bounds write is caused by that offsets is bigger than pntsd\\nallocation size. This patch add the check to validate 3 offsets using\\nallocation size.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52755\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52756", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52756" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52756 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52756", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52756\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52756\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52756\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52756\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52756\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52756\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52757", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52757" + }, + { + "url": "https://git.kernel.org/stable/c/9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29" + }, + { + "url": "https://git.kernel.org/stable/c/b9bb9607b1fc12fca51f5632da25b36975f599bf" + }, + { + "url": "https://git.kernel.org/stable/c/c1a5962f1462b64fe7b69f20a4b6af8067bc2d26" + }, + { + "url": "https://git.kernel.org/stable/c/e6322fd177c6885a21dd4609dc5e5c973d1a2eb7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52757 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52757", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential deadlock when releasing mids\n\nAll release_mid() callers seem to hold a reference of @mid so there is\nno need to call kref_put(&mid->refcount, __release_mid) under\n@server->mid_lock spinlock. If they don't, then an use-after-free bug\nwould have occurred anyways.\n\nBy getting rid of such spinlock also fixes a potential deadlock as\nshown below\n\nCPU 0 CPU 1\n------------------------------------------------------------------\ncifs_demultiplex_thread() cifs_debug_data_proc_show()\n release_mid()\n spin_lock(&server->mid_lock);\n spin_lock(&cifs_tcp_ses_lock)\n\t\t\t\t spin_lock(&server->mid_lock)\n __release_mid()\n smb2_find_smb_tcon()\n spin_lock(&cifs_tcp_ses_lock) *deadlock*", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52757\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52757\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52757\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52757\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52757\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29\",\n \"https://git.kernel.org/stable/c/b9bb9607b1fc12fca51f5632da25b36975f599bf\",\n \"https://git.kernel.org/stable/c/c1a5962f1462b64fe7b69f20a4b6af8067bc2d26\",\n \"https://git.kernel.org/stable/c/e6322fd177c6885a21dd4609dc5e5c973d1a2eb7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential deadlock when releasing mids\\n\\nAll release_mid() callers seem to hold a reference of @mid so there is\\nno need to call kref_put(&mid->refcount, __release_mid) under\\n@server->mid_lock spinlock. If they don't, then an use-after-free bug\\nwould have occurred anyways.\\n\\nBy getting rid of such spinlock also fixes a potential deadlock as\\nshown below\\n\\nCPU 0 CPU 1\\n------------------------------------------------------------------\\ncifs_demultiplex_thread() cifs_debug_data_proc_show()\\n release_mid()\\n spin_lock(&server->mid_lock);\\n spin_lock(&cifs_tcp_ses_lock)\\n\\t\\t\\t\\t spin_lock(&server->mid_lock)\\n __release_mid()\\n smb2_find_smb_tcon()\\n spin_lock(&cifs_tcp_ses_lock) *deadlock*\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52757\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52759", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52759" + }, + { + "url": "https://git.kernel.org/stable/c/119565e566f91ff3588ffcd5812f0c8061586c6b" + }, + { + "url": "https://git.kernel.org/stable/c/1c28dace66015b675a343b89b0c87abbfda05ff4" + }, + { + "url": "https://git.kernel.org/stable/c/212f112fe5e90e98eb8d48585682880dae139f4c" + }, + { + "url": "https://git.kernel.org/stable/c/2a054b87a1b799b391e578597a42ee6e57a987ae" + }, + { + "url": "https://git.kernel.org/stable/c/2bb42a27a92ff3984c9fa5fbe128eced3ea693f2" + }, + { + "url": "https://git.kernel.org/stable/c/4c6a08125f2249531ec01783a5f4317d7342add5" + }, + { + "url": "https://git.kernel.org/stable/c/53fc16c1ad84f5467ec24341670b63aa759335d3" + }, + { + "url": "https://git.kernel.org/stable/c/5bfda356e903633d16ae1bac1ee38364e12628a3" + }, + { + "url": "https://git.kernel.org/stable/c/b4deec69fe32b58dc5fb4ace52456ece85b75561" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52759 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52759", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: ignore negated quota changes\n\nWhen lots of quota changes are made, there may be cases in which an\ninode's quota information is increased and then decreased, such as when\nblocks are added to a file, then deleted from it. If the timing is\nright, function do_qc can add pending quota changes to a transaction,\nthen later, another call to do_qc can negate those changes, resulting\nin a net gain of 0. The quota_change information is recorded in the qc\nbuffer (and qd element of the inode as well). The buffer is added to the\ntransaction by the first call to do_qc, but a subsequent call changes\nthe value from non-zero back to zero. At that point it's too late to\nremove the buffer_head from the transaction. Later, when the quota sync\ncode is called, the zero-change qd element is discovered and flagged as\nan assert warning. If the fs is mounted with errors=panic, the kernel\nwill panic.\n\nThis is usually seen when files are truncated and the quota changes are\nnegated by punch_hole/truncate which uses gfs2_quota_hold and\ngfs2_quota_unhold rather than block allocations that use gfs2_quota_lock\nand gfs2_quota_unlock which automatically do quota sync.\n\nThis patch solves the problem by adding a check to qd_check_sync such\nthat net-zero quota changes already added to the transaction are no\nlonger deemed necessary to be synced, and skipped.\n\nIn this case references are taken for the qd and the slot from do_qc\nso those need to be put. The normal sequence of events for a normal\nnon-zero quota change is as follows:\n\ngfs2_quota_change\n do_qc\n qd_hold\n slot_hold\n\nLater, when the changes are to be synced:\n\ngfs2_quota_sync\n qd_fish\n qd_check_sync\n gets qd ref via lockref_get_not_dead\n do_sync\n do_qc(QC_SYNC)\n qd_put\n\t lockref_put_or_lock\n qd_unlock\n qd_put\n lockref_put_or_lock\n\nIn the net-zero change case, we add a check to qd_check_sync so it puts\nthe qd and slot references acquired in gfs2_quota_change and skip the\nunneeded sync.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52759\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52759\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52759\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52759\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52759\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/119565e566f91ff3588ffcd5812f0c8061586c6b\",\n \"https://git.kernel.org/stable/c/1c28dace66015b675a343b89b0c87abbfda05ff4\",\n \"https://git.kernel.org/stable/c/212f112fe5e90e98eb8d48585682880dae139f4c\",\n \"https://git.kernel.org/stable/c/2a054b87a1b799b391e578597a42ee6e57a987ae\",\n \"https://git.kernel.org/stable/c/2bb42a27a92ff3984c9fa5fbe128eced3ea693f2\",\n \"https://git.kernel.org/stable/c/4c6a08125f2249531ec01783a5f4317d7342add5\",\n \"https://git.kernel.org/stable/c/53fc16c1ad84f5467ec24341670b63aa759335d3\",\n \"https://git.kernel.org/stable/c/5bfda356e903633d16ae1bac1ee38364e12628a3\",\n \"https://git.kernel.org/stable/c/b4deec69fe32b58dc5fb4ace52456ece85b75561\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngfs2: ignore negated quota changes\\n\\nWhen lots of quota changes are made, there may be cases in which an\\ninode's quota information is increased and then decreased, such as when\\nblocks are added to a file, then deleted from it. If the timing is\\nright, function do_qc can add pending quota changes to a transaction,\\nthen later, another call to do_qc can negate those changes, resulting\\nin a net gain of 0. The quota_change information is recorded in the qc\\nbuffer (and qd element of the inode as well). The buffer is added to the\\ntransaction by the first call to do_qc, but a subsequent call changes\\nthe value from non-zero back to zero. At that point it's too late to\\nremove the buffer_head from the transaction. Later, when the quota sync\\ncode is called, the zero-change qd element is discovered and flagged as\\nan assert warning. If the fs is mounted with errors=panic, the kernel\\nwill panic.\\n\\nThis is usually seen when files are truncated and the quota changes are\\nnegated by punch_hole/truncate which uses gfs2_quota_hold and\\ngfs2_quota_unhold rather than block allocations that use gfs2_quota_lock\\nand gfs2_quota_unlock which automatically do quota sync.\\n\\nThis patch solves the problem by adding a check to qd_check_sync such\\nthat net-zero quota changes already added to the transaction are no\\nlonger deemed necessary to be synced, and skipped.\\n\\nIn this case references are taken for the qd and the slot from do_qc\\nso those need to be put. The normal sequence of events for a normal\\nnon-zero quota change is as follows:\\n\\ngfs2_quota_change\\n do_qc\\n qd_hold\\n slot_hold\\n\\nLater, when the changes are to be synced:\\n\\ngfs2_quota_sync\\n qd_fish\\n qd_check_sync\\n gets qd ref via lockref_get_not_dead\\n do_sync\\n do_qc(QC_SYNC)\\n qd_put\\n\\t lockref_put_or_lock\\n qd_unlock\\n qd_put\\n lockref_put_or_lock\\n\\nIn the net-zero change case, we add a check to qd_check_sync so it puts\\nthe qd and slot references acquired in gfs2_quota_change and skip the\\nunneeded sync.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52759\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52760", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52760" + }, + { + "url": "https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81" + }, + { + "url": "https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba" + }, + { + "url": "https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52760 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52760", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\n\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\n\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\n\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52760\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52760\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52760\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52760\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52760\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81\",\n \"https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba\",\n \"https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\\n\\nIn gfs2_put_super(), whether withdrawn or not, the quota should\\nbe cleaned up by gfs2_quota_cleanup().\\n\\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\\ncallback) has run for all gfs2_quota_data objects, resulting in\\nuse-after-free.\\n\\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\\ngfs2_make_fs_ro(), there is no need to call them again.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52760\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52761", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52761" + }, + { + "url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788" + }, + { + "url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76" + }, + { + "url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52761 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52761", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n located using per-cpu asm macro. Computing per-cpu symbol requires\n a temporary register. x31 is saved away into CSR_SCRATCH\n (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [] dump_backtrace+0x30/0x38\n [] show_stack+0x40/0x4c\n [] dump_stack_lvl+0x44/0x5c\n [] dump_stack+0x18/0x20\n [] panic+0x126/0x2fe\n [] walk_stackframe+0x0/0xf0\n [] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52761\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52761\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52761\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52761\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52761\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788\",\n \"https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76\",\n \"https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: VMAP_STACK overflow detection thread-safe\\n\\ncommit 31da94c25aea (\\\"riscv: add VMAP_STACK overflow detection\\\") added\\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\\n`shadow_stack` temporarily before switching finally to per-cpu\\n`overflow_stack`.\\n\\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\\nor both will end up corrupting each other state because `shadow_stack` is\\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\\n\\nFollowing are the changes in this patch\\n\\n - Defines an asm macro to obtain per-cpu symbols in destination\\n register.\\n - In entry.S, when overflow is detected, per-cpu overflow stack is\\n located using per-cpu asm macro. Computing per-cpu symbol requires\\n a temporary register. x31 is saved away into CSR_SCRATCH\\n (CSR_SCRATCH is anyways zero since we're in kernel).\\n\\nPlease see Links for additional relevant disccussion and alternative\\nsolution.\\n\\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\\nKernel crash log below\\n\\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\\n Hardware name: riscv-virtio,qemu (DT)\\n epc : __memset+0x60/0xfc\\n ra : recursive_loop+0x48/0xc6 [lkdtm]\\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\\n Kernel panic - not syncing: Kernel stack overflow\\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\\n Hardware name: riscv-virtio,qemu (DT)\\n Call Trace:\\n [] dump_backtrace+0x30/0x38\\n [] show_stack+0x40/0x4c\\n [] dump_stack_lvl+0x44/0x5c\\n [] dump_stack+0x18/0x20\\n [] panic+0x126/0x2fe\\n [] walk_stackframe+0x0/0xf0\\n [] recursive_loop+0x48/0xc6 [lkdtm]\\n SMP: stopping secondary CPUs\\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52761\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52762", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52762" + }, + { + "url": "https://git.kernel.org/stable/c/017278f141141367f7d14b203e930b45b6ffffb9" + }, + { + "url": "https://git.kernel.org/stable/c/472bd4787406bef2e8b41ee4c74d960a06a49a48" + }, + { + "url": "https://git.kernel.org/stable/c/72775cad7f572bb2501f9ea609e1d20e68f0b38b" + }, + { + "url": "https://git.kernel.org/stable/c/d667fe301dcbcb12d1d6494fc4b8abee2cb75d90" + }, + { + "url": "https://git.kernel.org/stable/c/fafb51a67fb883eb2dde352539df939a251851be" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52762 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52762", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: fix implicit overflow on virtio_max_dma_size\n\nThe following codes have an implicit conversion from size_t to u32:\n(u32)max_size = (size_t)virtio_max_dma_size(vdev);\n\nThis may lead overflow, Ex (size_t)4G -> (u32)0. Once\nvirtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX\ninstead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52762\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52762\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52762\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52762\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52762\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/017278f141141367f7d14b203e930b45b6ffffb9\",\n \"https://git.kernel.org/stable/c/472bd4787406bef2e8b41ee4c74d960a06a49a48\",\n \"https://git.kernel.org/stable/c/72775cad7f572bb2501f9ea609e1d20e68f0b38b\",\n \"https://git.kernel.org/stable/c/d667fe301dcbcb12d1d6494fc4b8abee2cb75d90\",\n \"https://git.kernel.org/stable/c/fafb51a67fb883eb2dde352539df939a251851be\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvirtio-blk: fix implicit overflow on virtio_max_dma_size\\n\\nThe following codes have an implicit conversion from size_t to u32:\\n(u32)max_size = (size_t)virtio_max_dma_size(vdev);\\n\\nThis may lead overflow, Ex (size_t)4G -> (u32)0. Once\\nvirtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX\\ninstead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52762\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52763", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52763" + }, + { + "url": "https://git.kernel.org/stable/c/39c71357e68e2f03766f9321b9f4882e49ff1442" + }, + { + "url": "https://git.kernel.org/stable/c/3cb79a365e7cce8f121bba91312e2ddd206b9781" + }, + { + "url": "https://git.kernel.org/stable/c/b53e9758a31c683fc8615df930262192ed5f034b" + }, + { + "url": "https://git.kernel.org/stable/c/e64d23dc65810be4e3395d72df0c398f60c991f9" + }, + { + "url": "https://git.kernel.org/stable/c/eed74230435c61eeb58abaa275b1820e6a4b7f02" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52763 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52763", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.\n\nThe `i3c_master_bus_init` function may attach the I2C devices before the\nI3C bus initialization. In this flow, the DAT `alloc_entry`` will be used\nbefore the DAT `init`. Additionally, if the `i3c_master_bus_init` fails,\nthe DAT `cleanup` will execute before the device is detached, which will\nexecue DAT `free_entry` function. The above scenario can cause the driver\nto use DAT_data when it is NULL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52763\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52763\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52763\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52763\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52763\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39c71357e68e2f03766f9321b9f4882e49ff1442\",\n \"https://git.kernel.org/stable/c/3cb79a365e7cce8f121bba91312e2ddd206b9781\",\n \"https://git.kernel.org/stable/c/b53e9758a31c683fc8615df930262192ed5f034b\",\n \"https://git.kernel.org/stable/c/e64d23dc65810be4e3395d72df0c398f60c991f9\",\n \"https://git.kernel.org/stable/c/eed74230435c61eeb58abaa275b1820e6a4b7f02\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.\\n\\nThe `i3c_master_bus_init` function may attach the I2C devices before the\\nI3C bus initialization. In this flow, the DAT `alloc_entry`` will be used\\nbefore the DAT `init`. Additionally, if the `i3c_master_bus_init` fails,\\nthe DAT `cleanup` will execute before the device is detached, which will\\nexecue DAT `free_entry` function. The above scenario can cause the driver\\nto use DAT_data when it is NULL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52763\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52764", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52764" + }, + { + "url": "https://git.kernel.org/stable/c/099be1822d1f095433f4b08af9cc9d6308ec1953" + }, + { + "url": "https://git.kernel.org/stable/c/09cd8b561aa9796903710a1046957f2b112c8f26" + }, + { + "url": "https://git.kernel.org/stable/c/2eee8edfff90e22980a6b22079d238c3c9d323bb" + }, + { + "url": "https://git.kernel.org/stable/c/69bba62600bd91d6b7c1e8ca181faf8ac64f7060" + }, + { + "url": "https://git.kernel.org/stable/c/8f83c85ee88225319c52680792320c02158c2a9b" + }, + { + "url": "https://git.kernel.org/stable/c/93bddd6529f187f510eec759f37d0569243c9809" + }, + { + "url": "https://git.kernel.org/stable/c/a647f27a7426d2fe1b40da7c8fa2b81354a51177" + }, + { + "url": "https://git.kernel.org/stable/c/c6b6b8692218da73b33b310d7c1df90f115bdd9a" + }, + { + "url": "https://git.kernel.org/stable/c/e2d7149b913d14352c82624e723ce1c211ca06d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52764 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52764", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: gspca: cpia1: shift-out-of-bounds in set_flicker\n\nSyzkaller reported the following issue:\nUBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27\nshift exponent 245 is too large for 32-bit type 'int'\n\nWhen the value of the variable \"sd->params.exposure.gain\" exceeds the\nnumber of bits in an integer, a shift-out-of-bounds error is reported. It\nis triggered because the variable \"currentexp\" cannot be left-shifted by\nmore than the number of bits in an integer. In order to avoid invalid\nrange during left-shift, the conditional expression is added.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52764\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52764\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52764\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52764\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52764\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/099be1822d1f095433f4b08af9cc9d6308ec1953\",\n \"https://git.kernel.org/stable/c/09cd8b561aa9796903710a1046957f2b112c8f26\",\n \"https://git.kernel.org/stable/c/2eee8edfff90e22980a6b22079d238c3c9d323bb\",\n \"https://git.kernel.org/stable/c/69bba62600bd91d6b7c1e8ca181faf8ac64f7060\",\n \"https://git.kernel.org/stable/c/8f83c85ee88225319c52680792320c02158c2a9b\",\n \"https://git.kernel.org/stable/c/93bddd6529f187f510eec759f37d0569243c9809\",\n \"https://git.kernel.org/stable/c/a647f27a7426d2fe1b40da7c8fa2b81354a51177\",\n \"https://git.kernel.org/stable/c/c6b6b8692218da73b33b310d7c1df90f115bdd9a\",\n \"https://git.kernel.org/stable/c/e2d7149b913d14352c82624e723ce1c211ca06d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: gspca: cpia1: shift-out-of-bounds in set_flicker\\n\\nSyzkaller reported the following issue:\\nUBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27\\nshift exponent 245 is too large for 32-bit type 'int'\\n\\nWhen the value of the variable \\\"sd->params.exposure.gain\\\" exceeds the\\nnumber of bits in an integer, a shift-out-of-bounds error is reported. It\\nis triggered because the variable \\\"currentexp\\\" cannot be left-shifted by\\nmore than the number of bits in an integer. In order to avoid invalid\\nrange during left-shift, the conditional expression is added.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52764\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52766", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52766" + }, + { + "url": "https://git.kernel.org/stable/c/45a832f989e520095429589d5b01b0c65da9b574" + }, + { + "url": "https://git.kernel.org/stable/c/4c86cb2321bd9c72d3b945ce7f747961beda8e65" + }, + { + "url": "https://git.kernel.org/stable/c/7c2b91b30d74d7c407118ad72502d4ca28af1af6" + }, + { + "url": "https://git.kernel.org/stable/c/8be39f66915b40d26ea2c18ba84b5c3d5da6809b" + }, + { + "url": "https://git.kernel.org/stable/c/d23ad76f240c0f597b7a9eb79905d246f27d40df" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52766 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52766", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler\n\nDo not loop over ring headers in hci_dma_irq_handler() that are not\nallocated and enabled in hci_dma_init(). Otherwise out of bounds access\nwill occur from rings->headers[i] access when i >= number of allocated\nring headers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52766\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52766\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52766\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52766\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52766\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/45a832f989e520095429589d5b01b0c65da9b574\",\n \"https://git.kernel.org/stable/c/4c86cb2321bd9c72d3b945ce7f747961beda8e65\",\n \"https://git.kernel.org/stable/c/7c2b91b30d74d7c407118ad72502d4ca28af1af6\",\n \"https://git.kernel.org/stable/c/8be39f66915b40d26ea2c18ba84b5c3d5da6809b\",\n \"https://git.kernel.org/stable/c/d23ad76f240c0f597b7a9eb79905d246f27d40df\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler\\n\\nDo not loop over ring headers in hci_dma_irq_handler() that are not\\nallocated and enabled in hci_dma_init(). Otherwise out of bounds access\\nwill occur from rings->headers[i] access when i >= number of allocated\\nring headers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52766\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52768", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52768" + }, + { + "url": "https://git.kernel.org/stable/c/05ac1a198a63ad66bf5ae8b7321407c102d40ef3" + }, + { + "url": "https://git.kernel.org/stable/c/3ce1c2c3999b232258f7aabab311d47dda75605c" + }, + { + "url": "https://git.kernel.org/stable/c/4b0d6ddb6466d10df878a7787f175a0e4adc3e27" + }, + { + "url": "https://git.kernel.org/stable/c/541b3757fd443a68ed8d25968eae511a8275e7c8" + }, + { + "url": "https://git.kernel.org/stable/c/6aaf7cd8bdfe245d3c9a8b48fe70c2011965948e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52768 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52768", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: use vmm_table as array in wilc struct\n\nEnabling KASAN and running some iperf tests raises some memory issues with\nvmm_table:\n\nBUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4\nWrite of size 4 at addr c3a61540 by task wlan0-tx/95\n\nKASAN detects that we are writing data beyond range allocated to vmm_table.\nThere is indeed a mismatch between the size passed to allocator in\nwilc_wlan_init, and the range of possible indexes used later: allocation\nsize is missing a multiplication by sizeof(u32)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52768\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52768\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52768\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52768\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52768\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05ac1a198a63ad66bf5ae8b7321407c102d40ef3\",\n \"https://git.kernel.org/stable/c/3ce1c2c3999b232258f7aabab311d47dda75605c\",\n \"https://git.kernel.org/stable/c/4b0d6ddb6466d10df878a7787f175a0e4adc3e27\",\n \"https://git.kernel.org/stable/c/541b3757fd443a68ed8d25968eae511a8275e7c8\",\n \"https://git.kernel.org/stable/c/6aaf7cd8bdfe245d3c9a8b48fe70c2011965948e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: wilc1000: use vmm_table as array in wilc struct\\n\\nEnabling KASAN and running some iperf tests raises some memory issues with\\nvmm_table:\\n\\nBUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4\\nWrite of size 4 at addr c3a61540 by task wlan0-tx/95\\n\\nKASAN detects that we are writing data beyond range allocated to vmm_table.\\nThere is indeed a mismatch between the size passed to allocator in\\nwilc_wlan_init, and the range of possible indexes used later: allocation\\nsize is missing a multiplication by sizeof(u32)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52768\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52772", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52772" + }, + { + "url": "https://git.kernel.org/stable/c/069a3ec329ff43e7869a3d94c62cd03203016bce" + }, + { + "url": "https://git.kernel.org/stable/c/4b7b492615cf3017190f55444f7016812b66611d" + }, + { + "url": "https://git.kernel.org/stable/c/75bcfc188abf4fae9c1d5f5dc0a03540be602eef" + }, + { + "url": "https://git.kernel.org/stable/c/d179189eec426fe4801e4b91efa1889faed12700" + }, + { + "url": "https://git.kernel.org/stable/c/eae0b295ce16d8c8b4114c3037993191b4bb92f0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52772 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52772", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: fix use-after-free in unix_stream_read_actor()\n\nsyzbot reported the following crash [1]\n\nAfter releasing unix socket lock, u->oob_skb can be changed\nby another thread. We must temporarily increase skb refcount\nto make sure this other thread will not free the skb under us.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nRead of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297\n\nCPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:364 [inline]\nprint_report+0xc4/0x620 mm/kasan/report.c:475\nkasan_report+0xda/0x110 mm/kasan/report.c:588\nunix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nunix_stream_recv_urg net/unix/af_unix.c:2587 [inline]\nunix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666\nunix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903\nsock_recvmsg_nosec net/socket.c:1044 [inline]\nsock_recvmsg+0xe2/0x170 net/socket.c:1066\n____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803\n___sys_recvmsg+0x115/0x1a0 net/socket.c:2845\n__sys_recvmsg+0x114/0x1e0 net/socket.c:2875\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fc67492c559\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559\nRDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004\nRBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340\nR13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388\n\n\nAllocated by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328\nkasan_slab_alloc include/linux/kasan.h:188 [inline]\nslab_post_alloc_hook mm/slab.h:763 [inline]\nslab_alloc_node mm/slub.c:3478 [inline]\nkmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523\n__alloc_skb+0x287/0x330 net/core/skbuff.c:641\nalloc_skb include/linux/skbuff.h:1286 [inline]\nalloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331\nsock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780\nsock_alloc_send_skb include/net/sock.h:1884 [inline]\nqueue_oob net/unix/af_unix.c:2147 [inline]\nunix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n__sys_sendmsg+0x117/0x1e0 net/socket.c:2667\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFreed by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200\nkasan_slab_free include/linux/kasan.h:164 [inline]\nslab_free_hook mm/slub.c:1800 [inline]\nslab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826\nslab_free mm/slub.c:3809 [inline]\nkmem_cache_free+0xf8/0x340 mm/slub.c:3831\nkfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015\n__kfree_skb net/core/skbuff.c:1073 [inline]\nconsume_skb net/core/skbuff.c:1288 [inline]\nconsume_skb+0xdf/0x170 net/core/skbuff.c:1282\nqueue_oob net/unix/af_unix.c:2178 [inline]\nu\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52772\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52772\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52772\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52772\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52772\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/069a3ec329ff43e7869a3d94c62cd03203016bce\",\n \"https://git.kernel.org/stable/c/4b7b492615cf3017190f55444f7016812b66611d\",\n \"https://git.kernel.org/stable/c/75bcfc188abf4fae9c1d5f5dc0a03540be602eef\",\n \"https://git.kernel.org/stable/c/d179189eec426fe4801e4b91efa1889faed12700\",\n \"https://git.kernel.org/stable/c/eae0b295ce16d8c8b4114c3037993191b4bb92f0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: fix use-after-free in unix_stream_read_actor()\\n\\nsyzbot reported the following crash [1]\\n\\nAfter releasing unix socket lock, u->oob_skb can be changed\\nby another thread. We must temporarily increase skb refcount\\nto make sure this other thread will not free the skb under us.\\n\\n[1]\\n\\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\\nRead of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297\\n\\nCPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\\nCall Trace:\\n\\n__dump_stack lib/dump_stack.c:88 [inline]\\ndump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\\nprint_address_description mm/kasan/report.c:364 [inline]\\nprint_report+0xc4/0x620 mm/kasan/report.c:475\\nkasan_report+0xda/0x110 mm/kasan/report.c:588\\nunix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\\nunix_stream_recv_urg net/unix/af_unix.c:2587 [inline]\\nunix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666\\nunix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903\\nsock_recvmsg_nosec net/socket.c:1044 [inline]\\nsock_recvmsg+0xe2/0x170 net/socket.c:1066\\n____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803\\n___sys_recvmsg+0x115/0x1a0 net/socket.c:2845\\n__sys_recvmsg+0x114/0x1e0 net/socket.c:2875\\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\\nRIP: 0033:0x7fc67492c559\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\\nRAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559\\nRDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004\\nRBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0\\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340\\nR13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388\\n\\n\\nAllocated by task 5295:\\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\\n__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328\\nkasan_slab_alloc include/linux/kasan.h:188 [inline]\\nslab_post_alloc_hook mm/slab.h:763 [inline]\\nslab_alloc_node mm/slub.c:3478 [inline]\\nkmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523\\n__alloc_skb+0x287/0x330 net/core/skbuff.c:641\\nalloc_skb include/linux/skbuff.h:1286 [inline]\\nalloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331\\nsock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780\\nsock_alloc_send_skb include/net/sock.h:1884 [inline]\\nqueue_oob net/unix/af_unix.c:2147 [inline]\\nunix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301\\nsock_sendmsg_nosec net/socket.c:730 [inline]\\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\\n____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\\n___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\\n__sys_sendmsg+0x117/0x1e0 net/socket.c:2667\\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nFreed by task 5295:\\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\\nkasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522\\n____kasan_slab_free mm/kasan/common.c:236 [inline]\\n____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200\\nkasan_slab_free include/linux/kasan.h:164 [inline]\\nslab_free_hook mm/slub.c:1800 [inline]\\nslab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826\\nslab_free mm/slub.c:3809 [inline]\\nkmem_cache_free+0xf8/0x340 mm/slub.c:3831\\nkfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015\\n__kfree_skb net/core/skbuff.c:1073 [inline]\\nconsume_skb net/core/skbuff.c:1288 [inline]\\nconsume_skb+0xdf/0x170 net/core/skbuff.c:1282\\nqueue_oob net/unix/af_unix.c:2178 [inline]\\nu\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52772\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52774", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52774" + }, + { + "url": "https://git.kernel.org/stable/c/6062c527d0403cef27c54b91ac8390c3a497b250" + }, + { + "url": "https://git.kernel.org/stable/c/9372aab5d0ff621ea203c8c603e7e5f75e888240" + }, + { + "url": "https://git.kernel.org/stable/c/c841de6247e94e07566d57163d3c0d8b29278f7a" + }, + { + "url": "https://git.kernel.org/stable/c/db46cd1e0426f52999d50fa72cfa97fa39952885" + }, + { + "url": "https://git.kernel.org/stable/c/dc96fde8fcb2b896fd6c64802a7f4ece2e69b0be" + }, + { + "url": "https://git.kernel.org/stable/c/ebdc569a07a3e8dbe66b4184922ad6f88ac0b96f" + }, + { + "url": "https://git.kernel.org/stable/c/f1ac7789406e2ca9ac51c41ad2daa597f47bdd4d" + }, + { + "url": "https://git.kernel.org/stable/c/f75617cc8df4155374132f0b500b0b3ebb967458" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52774 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52774", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: protect device queue against concurrent access\n\nIn dasd_profile_start() the amount of requests on the device queue are\ncounted. The access to the device queue is unprotected against\nconcurrent access. With a lot of parallel I/O, especially with alias\ndevices enabled, the device queue can change while dasd_profile_start()\nis accessing the queue. In the worst case this leads to a kernel panic\ndue to incorrect pointer accesses.\n\nFix this by taking the device lock before accessing the queue and\ncounting the requests. Additionally the check for a valid profile data\npointer can be done earlier to avoid unnecessary locking in a hot path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52774\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52774\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52774\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52774\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52774\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6062c527d0403cef27c54b91ac8390c3a497b250\",\n \"https://git.kernel.org/stable/c/9372aab5d0ff621ea203c8c603e7e5f75e888240\",\n \"https://git.kernel.org/stable/c/c841de6247e94e07566d57163d3c0d8b29278f7a\",\n \"https://git.kernel.org/stable/c/db46cd1e0426f52999d50fa72cfa97fa39952885\",\n \"https://git.kernel.org/stable/c/dc96fde8fcb2b896fd6c64802a7f4ece2e69b0be\",\n \"https://git.kernel.org/stable/c/ebdc569a07a3e8dbe66b4184922ad6f88ac0b96f\",\n \"https://git.kernel.org/stable/c/f1ac7789406e2ca9ac51c41ad2daa597f47bdd4d\",\n \"https://git.kernel.org/stable/c/f75617cc8df4155374132f0b500b0b3ebb967458\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/dasd: protect device queue against concurrent access\\n\\nIn dasd_profile_start() the amount of requests on the device queue are\\ncounted. The access to the device queue is unprotected against\\nconcurrent access. With a lot of parallel I/O, especially with alias\\ndevices enabled, the device queue can change while dasd_profile_start()\\nis accessing the queue. In the worst case this leads to a kernel panic\\ndue to incorrect pointer accesses.\\n\\nFix this by taking the device lock before accessing the queue and\\ncounting the requests. Additionally the check for a valid profile data\\npointer can be done earlier to avoid unnecessary locking in a hot path.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52774\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52775", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52775" + }, + { + "url": "https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c" + }, + { + "url": "https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1" + }, + { + "url": "https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c" + }, + { + "url": "https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add" + }, + { + "url": "https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52775 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52775", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: avoid data corruption caused by decline\n\nWe found a data corruption issue during testing of SMC-R on Redis\napplications.\n\nThe benchmark has a low probability of reporting a strange error as\nshown below.\n\n\"Error: Protocol error, got \"\\xe2\" as reply type byte\"\n\nFinally, we found that the retrieved error data was as follows:\n\n0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C\n0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00\n0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2\n\nIt is quite obvious that this is a SMC DECLINE message, which means that\nthe applications received SMC protocol message.\nWe found that this was caused by the following situations:\n\nclient server\n ¦ clc proposal\n ------------->\n ¦ clc accept\n <-------------\n ¦ clc confirm\n ------------->\nwait llc confirm\n\t\t\tsend llc confirm\n ¦failed llc confirm\n ¦ x------\n(after 2s)timeout\n wait llc confirm rsp\n\nwait decline\n\n(after 1s) timeout\n (after 2s) timeout\n ¦ decline\n -------------->\n ¦ decline\n <--------------\n\nAs a result, a decline message was sent in the implementation, and this\nmessage was read from TCP by the already-fallback connection.\n\nThis patch double the client timeout as 2x of the server value,\nWith this simple change, the Decline messages should never cross or\ncollide (during Confirm link timeout).\n\nThis issue requires an immediate solution, since the protocol updates\ninvolve a more long-term solution.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52775\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52775\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52775\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52775\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52775\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c\",\n \"https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1\",\n \"https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c\",\n \"https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add\",\n \"https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/smc: avoid data corruption caused by decline\\n\\nWe found a data corruption issue during testing of SMC-R on Redis\\napplications.\\n\\nThe benchmark has a low probability of reporting a strange error as\\nshown below.\\n\\n\\\"Error: Protocol error, got \\\"\\\\xe2\\\" as reply type byte\\\"\\n\\nFinally, we found that the retrieved error data was as follows:\\n\\n0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C\\n0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00\\n0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2\\n\\nIt is quite obvious that this is a SMC DECLINE message, which means that\\nthe applications received SMC protocol message.\\nWe found that this was caused by the following situations:\\n\\nclient server\\n ¦ clc proposal\\n ------------->\\n ¦ clc accept\\n <-------------\\n ¦ clc confirm\\n ------------->\\nwait llc confirm\\n\\t\\t\\tsend llc confirm\\n ¦failed llc confirm\\n ¦ x------\\n(after 2s)timeout\\n wait llc confirm rsp\\n\\nwait decline\\n\\n(after 1s) timeout\\n (after 2s) timeout\\n ¦ decline\\n -------------->\\n ¦ decline\\n <--------------\\n\\nAs a result, a decline message was sent in the implementation, and this\\nmessage was read from TCP by the already-fallback connection.\\n\\nThis patch double the client timeout as 2x of the server value,\\nWith this simple change, the Decline messages should never cross or\\ncollide (during Confirm link timeout).\\n\\nThis issue requires an immediate solution, since the protocol updates\\ninvolve a more long-term solution.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52775\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52781", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52781" + }, + { + "url": "https://git.kernel.org/stable/c/64c27b7b2357ddb38b6afebaf46d5bff4d250702" + }, + { + "url": "https://git.kernel.org/stable/c/7c0244cc311a4038505b73682b7c8ceaa5c7a8c8" + }, + { + "url": "https://git.kernel.org/stable/c/974bba5c118f4c2baf00de0356e3e4f7928b4cbc" + }, + { + "url": "https://git.kernel.org/stable/c/9ef94ec8e52eaf7b9abc5b5f8f5b911751112223" + }, + { + "url": "https://git.kernel.org/stable/c/f89fef7710b2ba0f7a1e46594e530dcf2f77be91" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52781 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52781", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: config: fix iteration issue in 'usb_get_bos_descriptor()'\n\nThe BOS descriptor defines a root descriptor and is the base descriptor for\naccessing a family of related descriptors.\n\nFunction 'usb_get_bos_descriptor()' encounters an iteration issue when\nskipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in\nthe same descriptor being read repeatedly.\n\nTo address this issue, a 'goto' statement is introduced to ensure that the\npointer and the amount read is updated correctly. This ensures that the\nfunction iterates to the next descriptor instead of reading the same\ndescriptor repeatedly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52781\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52781\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52781\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52781\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52781\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/64c27b7b2357ddb38b6afebaf46d5bff4d250702\",\n \"https://git.kernel.org/stable/c/7c0244cc311a4038505b73682b7c8ceaa5c7a8c8\",\n \"https://git.kernel.org/stable/c/974bba5c118f4c2baf00de0356e3e4f7928b4cbc\",\n \"https://git.kernel.org/stable/c/9ef94ec8e52eaf7b9abc5b5f8f5b911751112223\",\n \"https://git.kernel.org/stable/c/f89fef7710b2ba0f7a1e46594e530dcf2f77be91\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: config: fix iteration issue in 'usb_get_bos_descriptor()'\\n\\nThe BOS descriptor defines a root descriptor and is the base descriptor for\\naccessing a family of related descriptors.\\n\\nFunction 'usb_get_bos_descriptor()' encounters an iteration issue when\\nskipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in\\nthe same descriptor being read repeatedly.\\n\\nTo address this issue, a 'goto' statement is introduced to ensure that the\\npointer and the amount read is updated correctly. This ensures that the\\nfunction iterates to the next descriptor instead of reading the same\\ndescriptor repeatedly.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52781\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52784", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52784" + }, + { + "url": "https://git.kernel.org/stable/c/19554aa901b5833787df4417a05ccdebf351b7f4" + }, + { + "url": "https://git.kernel.org/stable/c/396baca6683f415b5bc2b380289387bef1406edc" + }, + { + "url": "https://git.kernel.org/stable/c/3cffa2ddc4d3fcf70cde361236f5a614f81a09b2" + }, + { + "url": "https://git.kernel.org/stable/c/53064e8239dd2ecfefc5634e991f1025abc2ee0c" + }, + { + "url": "https://git.kernel.org/stable/c/87c49806a37f88eddde3f537c162fd0c2834170c" + }, + { + "url": "https://git.kernel.org/stable/c/b4f0e605a508f6d7cda6df2f03a0c676b778b1fe" + }, + { + "url": "https://git.kernel.org/stable/c/d98c91215a5748a0f536e7ccea26027005196859" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52784 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52784", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: stop the device in bond_setup_by_slave()\n\nCommit 9eed321cde22 (\"net: lapbether: only support ethernet devices\")\nhas been able to keep syzbot away from net/lapb, until today.\n\nIn the following splat [1], the issue is that a lapbether device has\nbeen created on a bonding device without members. Then adding a non\nARPHRD_ETHER member forced the bonding master to change its type.\n\nThe fix is to make sure we call dev_close() in bond_setup_by_slave()\nso that the potential linked lapbether devices (or any other devices\nhaving assumptions on the physical device) are removed.\n\nA similar bug has been addressed in commit 40baec225765\n(\"bonding: fix panic on non-ARPHRD_ETHER enslave failure\")\n\n[1]\nskbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0\nkernel BUG at net/core/skbuff.c:192 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : skb_panic net/core/skbuff.c:188 [inline]\npc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nlr : skb_panic net/core/skbuff.c:188 [inline]\nlr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nsp : ffff800096a06aa0\nx29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000\nx26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea\nx23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140\nx20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100\nx17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001\nx14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00\nx8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001\nx5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c\nx2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086\nCall trace:\nskb_panic net/core/skbuff.c:188 [inline]\nskb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nskb_push+0xf0/0x108 net/core/skbuff.c:2446\nip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384\ndev_hard_header include/linux/netdevice.h:3136 [inline]\nlapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257\nlapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447\nlapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149\nlapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251\n__lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326\nlapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\ndev_close+0x174/0x250 net/core/dev.c:1585\nlapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\ndev_close+0x174/0x250 net/core/dev.c:1585\nbond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332\nbond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539\ndev_ifsioc+0x754/0x9ac\ndev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786\nsock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217\nsock_ioctl+0x4e8/0x834 net/socket.c:1322\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52784\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52784\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52784\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52784\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52784\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19554aa901b5833787df4417a05ccdebf351b7f4\",\n \"https://git.kernel.org/stable/c/396baca6683f415b5bc2b380289387bef1406edc\",\n \"https://git.kernel.org/stable/c/3cffa2ddc4d3fcf70cde361236f5a614f81a09b2\",\n \"https://git.kernel.org/stable/c/53064e8239dd2ecfefc5634e991f1025abc2ee0c\",\n \"https://git.kernel.org/stable/c/87c49806a37f88eddde3f537c162fd0c2834170c\",\n \"https://git.kernel.org/stable/c/b4f0e605a508f6d7cda6df2f03a0c676b778b1fe\",\n \"https://git.kernel.org/stable/c/d98c91215a5748a0f536e7ccea26027005196859\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbonding: stop the device in bond_setup_by_slave()\\n\\nCommit 9eed321cde22 (\\\"net: lapbether: only support ethernet devices\\\")\\nhas been able to keep syzbot away from net/lapb, until today.\\n\\nIn the following splat [1], the issue is that a lapbether device has\\nbeen created on a bonding device without members. Then adding a non\\nARPHRD_ETHER member forced the bonding master to change its type.\\n\\nThe fix is to make sure we call dev_close() in bond_setup_by_slave()\\nso that the potential linked lapbether devices (or any other devices\\nhaving assumptions on the physical device) are removed.\\n\\nA similar bug has been addressed in commit 40baec225765\\n(\\\"bonding: fix panic on non-ARPHRD_ETHER enslave failure\\\")\\n\\n[1]\\nskbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0\\nkernel BUG at net/core/skbuff.c:192 !\\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\\nModules linked in:\\nCPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : skb_panic net/core/skbuff.c:188 [inline]\\npc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\\nlr : skb_panic net/core/skbuff.c:188 [inline]\\nlr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\\nsp : ffff800096a06aa0\\nx29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000\\nx26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea\\nx23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140\\nx20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100\\nx17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001\\nx14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000\\nx11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00\\nx8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001\\nx5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c\\nx2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086\\nCall trace:\\nskb_panic net/core/skbuff.c:188 [inline]\\nskb_under_panic+0x13c/0x140 net/core/skbuff.c:202\\nskb_push+0xf0/0x108 net/core/skbuff.c:2446\\nip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384\\ndev_hard_header include/linux/netdevice.h:3136 [inline]\\nlapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257\\nlapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447\\nlapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149\\nlapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251\\n__lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326\\nlapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492\\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\\ndev_close+0x174/0x250 net/core/dev.c:1585\\nlapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466\\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\\ndev_close+0x174/0x250 net/core/dev.c:1585\\nbond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332\\nbond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539\\ndev_ifsioc+0x754/0x9ac\\ndev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786\\nsock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217\\nsock_ioctl+0x4e8/0x834 net/socket.c:1322\\nvfs_ioctl fs/ioctl.c:51 [inline]\\n__do_\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52784\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52788", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52788" + }, + { + "url": "https://git.kernel.org/stable/c/10f49cdfd5fb342a1a9641930dc040c570694e98" + }, + { + "url": "https://git.kernel.org/stable/c/1566e8be73fd5fa424e88d2a4cffdc34f970f0e1" + }, + { + "url": "https://git.kernel.org/stable/c/471aa951bf1206d3c10d0daa67005b8e4db4ff83" + }, + { + "url": "https://git.kernel.org/stable/c/55db76caa782baa4a1bf02296e2773c38a524a3e" + }, + { + "url": "https://git.kernel.org/stable/c/bf8e105030083e7b71591cdf437e464bcd8a0c09" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52788 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52788", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni915/perf: Fix NULL deref bugs with drm_dbg() calls\n\nWhen i915 perf interface is not available dereferencing it will lead to\nNULL dereferences.\n\nAs returning -ENOTSUPP is pretty clear return when perf interface is not\navailable.\n\n[tursulin: added stable tag]\n(cherry picked from commit 36f27350ff745bd228ab04d7845dfbffc177a889)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52788\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52788\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52788\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52788\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52788\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10f49cdfd5fb342a1a9641930dc040c570694e98\",\n \"https://git.kernel.org/stable/c/1566e8be73fd5fa424e88d2a4cffdc34f970f0e1\",\n \"https://git.kernel.org/stable/c/471aa951bf1206d3c10d0daa67005b8e4db4ff83\",\n \"https://git.kernel.org/stable/c/55db76caa782baa4a1bf02296e2773c38a524a3e\",\n \"https://git.kernel.org/stable/c/bf8e105030083e7b71591cdf437e464bcd8a0c09\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni915/perf: Fix NULL deref bugs with drm_dbg() calls\\n\\nWhen i915 perf interface is not available dereferencing it will lead to\\nNULL dereferences.\\n\\nAs returning -ENOTSUPP is pretty clear return when perf interface is not\\navailable.\\n\\n[tursulin: added stable tag]\\n(cherry picked from commit 36f27350ff745bd228ab04d7845dfbffc177a889)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52788\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52789", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52789" + }, + { + "url": "https://git.kernel.org/stable/c/38cd56fc9de78bf3c878790785e8c231116ef9d3" + }, + { + "url": "https://git.kernel.org/stable/c/460284dfb10b207980c6f3f7046e33446ceb38ac" + }, + { + "url": "https://git.kernel.org/stable/c/4a24a31826246b15477399febd13292b0c9f0ee9" + }, + { + "url": "https://git.kernel.org/stable/c/4ef41a7f33ffe1a335e7db7e1564ddc6afad47cc" + }, + { + "url": "https://git.kernel.org/stable/c/6c80f48912b5bd4965352d1a9a989e21743a4a06" + }, + { + "url": "https://git.kernel.org/stable/c/7cebc86481bf16049e266f6774d90f2fd4f8d5d2" + }, + { + "url": "https://git.kernel.org/stable/c/8f8771757b130383732195497e47fba2aba76d3a" + }, + { + "url": "https://git.kernel.org/stable/c/909963e0c16778cec28efb1affc21558825f4200" + }, + { + "url": "https://git.kernel.org/stable/c/d81ffb87aaa75f842cd7aa57091810353755b3e6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52789 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52789", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: vcc: Add check for kstrdup() in vcc_probe()\n\nAdd check for the return value of kstrdup() and return the error, if it\nfails in order to avoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52789\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52789\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52789\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52789\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52789\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/38cd56fc9de78bf3c878790785e8c231116ef9d3\",\n \"https://git.kernel.org/stable/c/460284dfb10b207980c6f3f7046e33446ceb38ac\",\n \"https://git.kernel.org/stable/c/4a24a31826246b15477399febd13292b0c9f0ee9\",\n \"https://git.kernel.org/stable/c/4ef41a7f33ffe1a335e7db7e1564ddc6afad47cc\",\n \"https://git.kernel.org/stable/c/6c80f48912b5bd4965352d1a9a989e21743a4a06\",\n \"https://git.kernel.org/stable/c/7cebc86481bf16049e266f6774d90f2fd4f8d5d2\",\n \"https://git.kernel.org/stable/c/8f8771757b130383732195497e47fba2aba76d3a\",\n \"https://git.kernel.org/stable/c/909963e0c16778cec28efb1affc21558825f4200\",\n \"https://git.kernel.org/stable/c/d81ffb87aaa75f842cd7aa57091810353755b3e6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: vcc: Add check for kstrdup() in vcc_probe()\\n\\nAdd check for the return value of kstrdup() and return the error, if it\\nfails in order to avoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52789\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52791", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52791" + }, + { + "url": "https://git.kernel.org/stable/c/185f3617adc8fe45e40489b458f03911f0dec46c" + }, + { + "url": "https://git.kernel.org/stable/c/25284c46b657f48c0f3880a2e0706c70d81182c0" + }, + { + "url": "https://git.kernel.org/stable/c/25eb381a736e7ae39a4245ef5c96484eb1073809" + }, + { + "url": "https://git.kernel.org/stable/c/3473cf43b9068b9dfef2f545f833f33c6a544b91" + }, + { + "url": "https://git.kernel.org/stable/c/8c3fa52a46ff4d208cefb1a462ec94e0043a91e1" + }, + { + "url": "https://git.kernel.org/stable/c/aa49c90894d06e18a1ee7c095edbd2f37c232d02" + }, + { + "url": "https://git.kernel.org/stable/c/f6237afabc349c1c7909db00e15d2816519e0d2b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52791 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52791", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: core: Run atomic i2c xfer when !preemptible\n\nSince bae1d3a05a8b, i2c transfers are non-atomic if preemption is\ndisabled. However, non-atomic i2c transfers require preemption (e.g. in\nwait_for_completion() while waiting for the DMA).\n\npanic() calls preempt_disable_notrace() before calling\nemergency_restart(). Therefore, if an i2c device is used for the\nrestart, the xfer should be atomic. This avoids warnings like:\n\n[ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0\n[ 12.676926] Voluntary context switch within RCU read-side critical section!\n...\n[ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114\n[ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70\n...\n[ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58\n[ 13.001050] machine_restart from panic+0x2a8/0x32c\n\nUse !preemptible() instead, which is basically the same check as\npre-v5.2.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52791\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52791\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52791\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52791\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52791\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/185f3617adc8fe45e40489b458f03911f0dec46c\",\n \"https://git.kernel.org/stable/c/25284c46b657f48c0f3880a2e0706c70d81182c0\",\n \"https://git.kernel.org/stable/c/25eb381a736e7ae39a4245ef5c96484eb1073809\",\n \"https://git.kernel.org/stable/c/3473cf43b9068b9dfef2f545f833f33c6a544b91\",\n \"https://git.kernel.org/stable/c/8c3fa52a46ff4d208cefb1a462ec94e0043a91e1\",\n \"https://git.kernel.org/stable/c/aa49c90894d06e18a1ee7c095edbd2f37c232d02\",\n \"https://git.kernel.org/stable/c/f6237afabc349c1c7909db00e15d2816519e0d2b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: core: Run atomic i2c xfer when !preemptible\\n\\nSince bae1d3a05a8b, i2c transfers are non-atomic if preemption is\\ndisabled. However, non-atomic i2c transfers require preemption (e.g. in\\nwait_for_completion() while waiting for the DMA).\\n\\npanic() calls preempt_disable_notrace() before calling\\nemergency_restart(). Therefore, if an i2c device is used for the\\nrestart, the xfer should be atomic. This avoids warnings like:\\n\\n[ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0\\n[ 12.676926] Voluntary context switch within RCU read-side critical section!\\n...\\n[ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114\\n[ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70\\n...\\n[ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58\\n[ 13.001050] machine_restart from panic+0x2a8/0x32c\\n\\nUse !preemptible() instead, which is basically the same check as\\npre-v5.2.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52791\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52796", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52796" + }, + { + "url": "https://git.kernel.org/stable/c/03cddc4df8c6be47fd27c8f8b87e5f9a989e1458" + }, + { + "url": "https://git.kernel.org/stable/c/18f039428c7df183b09c69ebf10ffd4e521035d2" + }, + { + "url": "https://git.kernel.org/stable/c/1f64cad3ac38ac5978b53c40e6c5e6fd3477c68f" + }, + { + "url": "https://git.kernel.org/stable/c/43b781e7cb5cd0b435de276111953bf2bacd1f02" + }, + { + "url": "https://git.kernel.org/stable/c/4d2d30f0792b47908af64c4d02ed1ee25ff50542" + }, + { + "url": "https://git.kernel.org/stable/c/4f7f850611aa27aaaf1bf5687702ad2240ae442a" + }, + { + "url": "https://git.kernel.org/stable/c/732a67ca436887b594ebc43bb5a04ffb0971a760" + }, + { + "url": "https://git.kernel.org/stable/c/8872dc638c24bb774cd2224a69d72a7f661a4d56" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52796 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52796", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: add ipvlan_route_v6_outbound() helper\n\nInspired by syzbot reports using a stack of multiple ipvlan devices.\n\nReduce stack size needed in ipvlan_process_v6_outbound() by moving\nthe flowi6 struct used for the route lookup in an non inlined\nhelper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,\nimmediately reclaimed.\n\nAlso make sure ipvlan_process_v4_outbound() is not inlined.\n\nWe might also have to lower MAX_NEST_DEV, because only syzbot uses\nsetups with more than four stacked devices.\n\nBUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)\nstack guard page: 0000 [#1] SMP KASAN\nCPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nRIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188\nCode: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89\nRSP: 0018:ffffc9000e804000 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2\nRDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568\nRBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c\nR13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000\nFS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<#DF>\n\n\n[] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31\n[] instrument_atomic_read include/linux/instrumented.h:72 [inline]\n[] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n[] cpumask_test_cpu include/linux/cpumask.h:506 [inline]\n[] cpu_online include/linux/cpumask.h:1092 [inline]\n[] trace_lock_acquire include/trace/events/lock.h:24 [inline]\n[] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632\n[] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306\n[] rcu_read_lock include/linux/rcupdate.h:747 [inline]\n[] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221\n[] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606\n[] pol_lookup_func include/net/ip6_fib.h:584 [inline]\n[] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116\n[] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638\n[] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651\n[] ip6_route_output include/net/ip6_route.h:100 [inline]\n[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]\n[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\n[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n[] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\n[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]\n[] xmit_one net/core/dev.c:3644 [inline]\n[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\n[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\n[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]\n[] neigh_hh_output include/net/neighbour.h:529 [inline]\n[ 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89\\nRSP: 0018:ffffc9000e804000 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2\\nRDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568\\nRBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c\\nR13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000\\nFS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n<#DF>\\n\\n\\n[] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31\\n[] instrument_atomic_read include/linux/instrumented.h:72 [inline]\\n[] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\\n[] cpumask_test_cpu include/linux/cpumask.h:506 [inline]\\n[] cpu_online include/linux/cpumask.h:1092 [inline]\\n[] trace_lock_acquire include/trace/events/lock.h:24 [inline]\\n[] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632\\n[] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306\\n[] rcu_read_lock include/linux/rcupdate.h:747 [inline]\\n[] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221\\n[] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606\\n[] pol_lookup_func include/net/ip6_fib.h:584 [inline]\\n[] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116\\n[] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638\\n[] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651\\n[] ip6_route_output include/net/ip6_route.h:100 [inline]\\n[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]\\n[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\\n[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\\n[] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\\n[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\\n[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]\\n[] xmit_one net/core/dev.c:3644 [inline]\\n[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\\n[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\\n[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]\\n[] neigh_hh_output include/net/neighbour.h:529 [inline]\\n[dm_stree. To add\nthe required check for out of bound we first need to determine the type\nof dmtree. Thus added an extra parameter to dbFindLeaf so that the type\nof tree can be determined and the required check can be applied.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52799\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52799\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52799\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52799\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52799\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/20f9310a18e3e99fc031e036fcbed67105ae1859\",\n \"https://git.kernel.org/stable/c/22cad8bc1d36547cdae0eef316c47d917ce3147c\",\n \"https://git.kernel.org/stable/c/81aa58cd8495b8c3b527f58ccbe19478d8087f61\",\n \"https://git.kernel.org/stable/c/86df90f3fea7c5591f05c8a0010871d435e83046\",\n \"https://git.kernel.org/stable/c/87c681ab49e99039ff2dd3e71852417381b13878\",\n \"https://git.kernel.org/stable/c/88b7894a8f8705bf4e7ea90b10229376abf14514\",\n \"https://git.kernel.org/stable/c/a50b796d36719757526ee094c703378895ab5e67\",\n \"https://git.kernel.org/stable/c/da3da5e1e6f71c21d8e6149d7076d936ef5d4cb9\",\n \"https://git.kernel.org/stable/c/ecfb47f13b08b02cf28b7b50d4941eefa21954d2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: fix array-index-out-of-bounds in dbFindLeaf\\n\\nCurrently while searching for dmtree_t for sufficient free blocks there\\nis an array out of bounds while getting element in tp->dm_stree. To add\\nthe required check for out of bound we first need to determine the type\\nof dmtree. Thus added an extra parameter to dbFindLeaf so that the type\\nof tree can be determined and the required check can be applied.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52799\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52800", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52800" + }, + { + "url": "https://git.kernel.org/stable/c/03ed26935bebf6b6fd8a656490bf3dcc71b72679" + }, + { + "url": "https://git.kernel.org/stable/c/3a51e6b4da71fdfa43ec006d6abc020f3e22d14e" + }, + { + "url": "https://git.kernel.org/stable/c/3f77c7d605b29df277d77e9ee75d96e7ad145d2d" + }, + { + "url": "https://git.kernel.org/stable/c/423762f021825b5e57c3d6f01ff96a9ff19cdcd8" + }, + { + "url": "https://git.kernel.org/stable/c/69cede2a5a5f60e3f5602b901b52cb64edd2ea6c" + }, + { + "url": "https://git.kernel.org/stable/c/e3199b3fac65c9f103055390b6fd07c5cffa5961" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52800 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52800", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix htt pktlog locking\n\nThe ath11k active pdevs are protected by RCU but the htt pktlog handling\ncode calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\nread-side critical section.\n\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\n\nCompile tested only.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52800\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52800\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52800\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52800\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52800\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03ed26935bebf6b6fd8a656490bf3dcc71b72679\",\n \"https://git.kernel.org/stable/c/3a51e6b4da71fdfa43ec006d6abc020f3e22d14e\",\n \"https://git.kernel.org/stable/c/3f77c7d605b29df277d77e9ee75d96e7ad145d2d\",\n \"https://git.kernel.org/stable/c/423762f021825b5e57c3d6f01ff96a9ff19cdcd8\",\n \"https://git.kernel.org/stable/c/69cede2a5a5f60e3f5602b901b52cb64edd2ea6c\",\n \"https://git.kernel.org/stable/c/e3199b3fac65c9f103055390b6fd07c5cffa5961\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath11k: fix htt pktlog locking\\n\\nThe ath11k active pdevs are protected by RCU but the htt pktlog handling\\ncode calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\\nread-side critical section.\\n\\nMark the code in question as an RCU read-side critical section to avoid\\nany potential use-after-free issues.\\n\\nCompile tested only.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52800\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52802", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52802" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52802 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52802", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52802\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52802\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52802\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52802\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52802\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52802\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52803", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52803" + }, + { + "url": "https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a" + }, + { + "url": "https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df" + }, + { + "url": "https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618" + }, + { + "url": "https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680" + }, + { + "url": "https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5" + }, + { + "url": "https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264" + }, + { + "url": "https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a" + }, + { + "url": "https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52803 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52803", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\n\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\nworkqueue,which takes care about pipefs superblock locking.\nIn some special scenarios, when kernel frees the pipefs sb of the\ncurrent client and immediately alloctes a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\n\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\n\nThis error can be catched by KASAN:\n=========================================================\n[ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[ 250.500549] Workqueue: events rpc_free_client_work\n[ 250.501001] Call Trace:\n[ 250.502880] kasan_report+0xb6/0xf0\n[ 250.503209] ? dget_parent+0x195/0x200\n[ 250.503561] dget_parent+0x195/0x200\n[ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[ 250.504384] rpc_rmdir_depopulate+0x1b/0x90\n[ 250.504781] rpc_remove_client_dir+0xf5/0x150\n[ 250.505195] rpc_free_client_work+0xe4/0x230\n[ 250.505598] process_one_work+0x8ee/0x13b0\n...\n[ 22.039056] Allocated by task 244:\n[ 22.039390] kasan_save_stack+0x22/0x50\n[ 22.039758] kasan_set_track+0x25/0x30\n[ 22.040109] __kasan_slab_alloc+0x59/0x70\n[ 22.040487] kmem_cache_alloc_lru+0xf0/0x240\n[ 22.040889] __d_alloc+0x31/0x8e0\n[ 22.041207] d_alloc+0x44/0x1f0\n[ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140\n[ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110\n[ 22.042459] rpc_create_client_dir+0x34/0x150\n[ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0\n[ 22.043284] rpc_client_register+0x136/0x4e0\n[ 22.043689] rpc_new_client+0x911/0x1020\n[ 22.044057] rpc_create_xprt+0xcb/0x370\n[ 22.044417] rpc_create+0x36b/0x6c0\n...\n[ 22.049524] Freed by task 0:\n[ 22.049803] kasan_save_stack+0x22/0x50\n[ 22.050165] kasan_set_track+0x25/0x30\n[ 22.050520] kasan_save_free_info+0x2b/0x50\n[ 22.050921] __kasan_slab_free+0x10e/0x1a0\n[ 22.051306] kmem_cache_free+0xa5/0x390\n[ 22.051667] rcu_core+0x62c/0x1930\n[ 22.051995] __do_softirq+0x165/0x52a\n[ 22.052347]\n[ 22.052503] Last potentially related work creation:\n[ 22.052952] kasan_save_stack+0x22/0x50\n[ 22.053313] __kasan_record_aux_stack+0x8e/0xa0\n[ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0\n[ 22.054209] dentry_free+0xb2/0x140\n[ 22.054540] __dentry_kill+0x3be/0x540\n[ 22.054900] shrink_dentry_list+0x199/0x510\n[ 22.055293] shrink_dcache_parent+0x190/0x240\n[ 22.055703] do_one_tree+0x11/0x40\n[ 22.056028] shrink_dcache_for_umount+0x61/0x140\n[ 22.056461] generic_shutdown_super+0x70/0x590\n[ 22.056879] kill_anon_super+0x3a/0x60\n[ 22.057234] rpc_kill_sb+0x121/0x200", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52803\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52803\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52803\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52803\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52803\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a\",\n \"https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df\",\n \"https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618\",\n \"https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680\",\n \"https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5\",\n \"https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264\",\n \"https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a\",\n \"https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\\n\\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\\nworkqueue,which takes care about pipefs superblock locking.\\nIn some special scenarios, when kernel frees the pipefs sb of the\\ncurrent client and immediately alloctes a new pipefs sb,\\nrpc_remove_pipedir function would misjudge the existence of pipefs\\nsb which is not the one it used to hold. As a result,\\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\\n\\nTo fix this issue, rpc_remove_pipedir should check whether the\\ncurrent pipefs sb is consistent with the original pipefs sb.\\n\\nThis error can be catched by KASAN:\\n=========================================================\\n[ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\\n[ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\\n[ 250.500549] Workqueue: events rpc_free_client_work\\n[ 250.501001] Call Trace:\\n[ 250.502880] kasan_report+0xb6/0xf0\\n[ 250.503209] ? dget_parent+0x195/0x200\\n[ 250.503561] dget_parent+0x195/0x200\\n[ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10\\n[ 250.504384] rpc_rmdir_depopulate+0x1b/0x90\\n[ 250.504781] rpc_remove_client_dir+0xf5/0x150\\n[ 250.505195] rpc_free_client_work+0xe4/0x230\\n[ 250.505598] process_one_work+0x8ee/0x13b0\\n...\\n[ 22.039056] Allocated by task 244:\\n[ 22.039390] kasan_save_stack+0x22/0x50\\n[ 22.039758] kasan_set_track+0x25/0x30\\n[ 22.040109] __kasan_slab_alloc+0x59/0x70\\n[ 22.040487] kmem_cache_alloc_lru+0xf0/0x240\\n[ 22.040889] __d_alloc+0x31/0x8e0\\n[ 22.041207] d_alloc+0x44/0x1f0\\n[ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140\\n[ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110\\n[ 22.042459] rpc_create_client_dir+0x34/0x150\\n[ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0\\n[ 22.043284] rpc_client_register+0x136/0x4e0\\n[ 22.043689] rpc_new_client+0x911/0x1020\\n[ 22.044057] rpc_create_xprt+0xcb/0x370\\n[ 22.044417] rpc_create+0x36b/0x6c0\\n...\\n[ 22.049524] Freed by task 0:\\n[ 22.049803] kasan_save_stack+0x22/0x50\\n[ 22.050165] kasan_set_track+0x25/0x30\\n[ 22.050520] kasan_save_free_info+0x2b/0x50\\n[ 22.050921] __kasan_slab_free+0x10e/0x1a0\\n[ 22.051306] kmem_cache_free+0xa5/0x390\\n[ 22.051667] rcu_core+0x62c/0x1930\\n[ 22.051995] __do_softirq+0x165/0x52a\\n[ 22.052347]\\n[ 22.052503] Last potentially related work creation:\\n[ 22.052952] kasan_save_stack+0x22/0x50\\n[ 22.053313] __kasan_record_aux_stack+0x8e/0xa0\\n[ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0\\n[ 22.054209] dentry_free+0xb2/0x140\\n[ 22.054540] __dentry_kill+0x3be/0x540\\n[ 22.054900] shrink_dentry_list+0x199/0x510\\n[ 22.055293] shrink_dcache_parent+0x190/0x240\\n[ 22.055703] do_one_tree+0x11/0x40\\n[ 22.056028] shrink_dcache_for_umount+0x61/0x140\\n[ 22.056461] generic_shutdown_super+0x70/0x590\\n[ 22.056879] kill_anon_super+0x3a/0x60\\n[ 22.057234] rpc_kill_sb+0x121/0x200\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52803\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52804", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52804" + }, + { + "url": "https://git.kernel.org/stable/c/1f74d336990f37703a8eee77153463d65b67f70e" + }, + { + "url": "https://git.kernel.org/stable/c/2323de34a3ae61a9f9b544c18583f71cea86721f" + }, + { + "url": "https://git.kernel.org/stable/c/32bd8f1cbcf8b663e29dd1f908ba3a129541a11b" + }, + { + "url": "https://git.kernel.org/stable/c/5013f8269887642cca784adc8db9b5f0b771533f" + }, + { + "url": "https://git.kernel.org/stable/c/64933ab7b04881c6c18b21ff206c12278341c72e" + }, + { + "url": "https://git.kernel.org/stable/c/a0649e2dd4a3595b5595a29d0064d047c2fae2fb" + }, + { + "url": "https://git.kernel.org/stable/c/c6c8863fb3f57700ab583d875adda04caaf2278a" + }, + { + "url": "https://git.kernel.org/stable/c/ce15b0f1a431168f07b1cc6c9f71206a2db5c809" + }, + { + "url": "https://git.kernel.org/stable/c/dca403bb035a565bb98ecc1dda5d30f676feda40" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52804 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52804", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Add validity check for db_maxag and db_agpref\n\nBoth db_maxag and db_agpref are used as the index of the\ndb_agfree array, but there is currently no validity check for\ndb_maxag and db_agpref, which can lead to errors.\n\nThe following is related bug reported by Syzbot:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20\nindex 7936 is out of range for type 'atomic_t[128]'\n\nAdd checking that the values of db_maxag and db_agpref are valid\nindexes for the db_agfree array.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52804\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52804\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52804\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52804\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52804\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1f74d336990f37703a8eee77153463d65b67f70e\",\n \"https://git.kernel.org/stable/c/2323de34a3ae61a9f9b544c18583f71cea86721f\",\n \"https://git.kernel.org/stable/c/32bd8f1cbcf8b663e29dd1f908ba3a129541a11b\",\n \"https://git.kernel.org/stable/c/5013f8269887642cca784adc8db9b5f0b771533f\",\n \"https://git.kernel.org/stable/c/64933ab7b04881c6c18b21ff206c12278341c72e\",\n \"https://git.kernel.org/stable/c/a0649e2dd4a3595b5595a29d0064d047c2fae2fb\",\n \"https://git.kernel.org/stable/c/c6c8863fb3f57700ab583d875adda04caaf2278a\",\n \"https://git.kernel.org/stable/c/ce15b0f1a431168f07b1cc6c9f71206a2db5c809\",\n \"https://git.kernel.org/stable/c/dca403bb035a565bb98ecc1dda5d30f676feda40\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/jfs: Add validity check for db_maxag and db_agpref\\n\\nBoth db_maxag and db_agpref are used as the index of the\\ndb_agfree array, but there is currently no validity check for\\ndb_maxag and db_agpref, which can lead to errors.\\n\\nThe following is related bug reported by Syzbot:\\n\\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20\\nindex 7936 is out of range for type 'atomic_t[128]'\\n\\nAdd checking that the values of db_maxag and db_agpref are valid\\nindexes for the db_agfree array.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52804\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52805", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52805" + }, + { + "url": "https://git.kernel.org/stable/c/05d9ea1ceb62a55af6727a69269a4fd310edf483" + }, + { + "url": "https://git.kernel.org/stable/c/1708d0a9917fea579cc9da3d87b154285abd2cd8" + }, + { + "url": "https://git.kernel.org/stable/c/1ba7df5457dc1c1071c5f92ac11323533a6430e1" + }, + { + "url": "https://git.kernel.org/stable/c/2308d0fb0dc32446b4e6ca37cd09c30374bb64e9" + }, + { + "url": "https://git.kernel.org/stable/c/64f062baf202b82f54987a3f614a6c8f3e466641" + }, + { + "url": "https://git.kernel.org/stable/c/665b44e55c2767a4f899c3b18f49e9e1c9983777" + }, + { + "url": "https://git.kernel.org/stable/c/7467ca10a5ff09b0e87edf6c4d2a4bfdee69cf2c" + }, + { + "url": "https://git.kernel.org/stable/c/8c68af2af697ba2ba3b138be0c6d72e2ce3a3d6d" + }, + { + "url": "https://git.kernel.org/stable/c/cf7e3e84df36a9953796c737f080712f631d7083" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52805 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52805", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in diAlloc\n\nCurrently there is not check against the agno of the iag while\nallocating new inodes to avoid fragmentation problem. Added the check\nwhich is required.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52805\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52805\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52805\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52805\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52805\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05d9ea1ceb62a55af6727a69269a4fd310edf483\",\n \"https://git.kernel.org/stable/c/1708d0a9917fea579cc9da3d87b154285abd2cd8\",\n \"https://git.kernel.org/stable/c/1ba7df5457dc1c1071c5f92ac11323533a6430e1\",\n \"https://git.kernel.org/stable/c/2308d0fb0dc32446b4e6ca37cd09c30374bb64e9\",\n \"https://git.kernel.org/stable/c/64f062baf202b82f54987a3f614a6c8f3e466641\",\n \"https://git.kernel.org/stable/c/665b44e55c2767a4f899c3b18f49e9e1c9983777\",\n \"https://git.kernel.org/stable/c/7467ca10a5ff09b0e87edf6c4d2a4bfdee69cf2c\",\n \"https://git.kernel.org/stable/c/8c68af2af697ba2ba3b138be0c6d72e2ce3a3d6d\",\n \"https://git.kernel.org/stable/c/cf7e3e84df36a9953796c737f080712f631d7083\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: fix array-index-out-of-bounds in diAlloc\\n\\nCurrently there is not check against the agno of the iag while\\nallocating new inodes to avoid fragmentation problem. Added the check\\nwhich is required.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52805\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52806", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52806" + }, + { + "url": "https://git.kernel.org/stable/c/2527775616f3638f4fd54649eba8c7b84d5e4250" + }, + { + "url": "https://git.kernel.org/stable/c/25354bae4fc310c3928e8a42fda2d486f67745d7" + }, + { + "url": "https://git.kernel.org/stable/c/43b91df291c8802268ab3cfd8fccfdf135800ed4" + }, + { + "url": "https://git.kernel.org/stable/c/4a320da7f7cbdab2098b103c47f45d5061f42edd" + }, + { + "url": "https://git.kernel.org/stable/c/631a96e9eb4228ff75fce7e72d133ca81194797e" + }, + { + "url": "https://git.kernel.org/stable/c/758c7733cb821041f5fd403b7b97c0b95d319323" + }, + { + "url": "https://git.kernel.org/stable/c/7de25112de8222fd20564769e6c99dc9f9738a0b" + }, + { + "url": "https://git.kernel.org/stable/c/f93dc90c2e8ed664985e366aa6459ac83cdab236" + }, + { + "url": "https://git.kernel.org/stable/c/fe7c1a0c2b25c82807cb46fc3aadbf2664a682b0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52806 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52806", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Fix possible null-ptr-deref when assigning a stream\n\nWhile AudioDSP drivers assign streams exclusively of HOST or LINK type,\nnothing blocks a user to attempt to assign a COUPLED stream. As\nsupplied substream instance may be a stub, what is the case when\ncode-loading, such scenario ends with null-ptr-deref.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52806\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52806\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52806\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52806\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52806\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2527775616f3638f4fd54649eba8c7b84d5e4250\",\n \"https://git.kernel.org/stable/c/25354bae4fc310c3928e8a42fda2d486f67745d7\",\n \"https://git.kernel.org/stable/c/43b91df291c8802268ab3cfd8fccfdf135800ed4\",\n \"https://git.kernel.org/stable/c/4a320da7f7cbdab2098b103c47f45d5061f42edd\",\n \"https://git.kernel.org/stable/c/631a96e9eb4228ff75fce7e72d133ca81194797e\",\n \"https://git.kernel.org/stable/c/758c7733cb821041f5fd403b7b97c0b95d319323\",\n \"https://git.kernel.org/stable/c/7de25112de8222fd20564769e6c99dc9f9738a0b\",\n \"https://git.kernel.org/stable/c/f93dc90c2e8ed664985e366aa6459ac83cdab236\",\n \"https://git.kernel.org/stable/c/fe7c1a0c2b25c82807cb46fc3aadbf2664a682b0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: hda: Fix possible null-ptr-deref when assigning a stream\\n\\nWhile AudioDSP drivers assign streams exclusively of HOST or LINK type,\\nnothing blocks a user to attempt to assign a COUPLED stream. As\\nsupplied substream instance may be a stub, what is the case when\\ncode-loading, such scenario ends with null-ptr-deref.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52806\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52808", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52808" + }, + { + "url": "https://git.kernel.org/stable/c/33331b265aac9441ac0c1a5442e3f05d038240ec" + }, + { + "url": "https://git.kernel.org/stable/c/6de426f9276c448e2db7238911c97fb157cb23be" + }, + { + "url": "https://git.kernel.org/stable/c/75a2656260fe8c7eeabda6ff4600b29e183f48db" + }, + { + "url": "https://git.kernel.org/stable/c/b4465009e7d60c6111946db4c8f1e50d401ed7be" + }, + { + "url": "https://git.kernel.org/stable/c/f0bfc8a5561fb0b2c48183dcbfe00bdd6d973bd3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52808 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52808", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs\n\nIf init debugfs failed during device registration due to memory allocation\nfailure, debugfs_remove_recursive() is called, after which debugfs_dir is\nnot set to NULL. debugfs_remove_recursive() will be called again during\ndevice removal. As a result, illegal pointer is accessed.\n\n[ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs!\n...\n[ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[ 1669.872669] pc : down_write+0x24/0x70\n[ 1669.876315] lr : down_write+0x1c/0x70\n[ 1669.879961] sp : ffff000036f53a30\n[ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8\n[ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000\n[ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270\n[ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8\n[ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310\n[ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10\n[ 1669.914982] x17: 0000000000000000 x16: 0000000000000000\n[ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870\n[ 1669.925555] x13: 0000000000000040 x12: 0000000000000228\n[ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0\n[ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10\n[ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff\n[ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00\n[ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000\n[ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001\n[ 1669.962563] Call trace:\n[ 1669.965000] down_write+0x24/0x70\n[ 1669.968301] debugfs_remove_recursive+0x5c/0x1b0\n[ 1669.972905] hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main]\n[ 1669.978541] hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw]\n[ 1669.984175] pci_device_remove+0x48/0xd8\n[ 1669.988082] device_release_driver_internal+0x1b4/0x250\n[ 1669.993282] device_release_driver+0x28/0x38\n[ 1669.997534] pci_stop_bus_device+0x84/0xb8\n[ 1670.001611] pci_stop_and_remove_bus_device_locked+0x24/0x40\n[ 1670.007244] remove_store+0xfc/0x140\n[ 1670.010802] dev_attr_store+0x44/0x60\n[ 1670.014448] sysfs_kf_write+0x58/0x80\n[ 1670.018095] kernfs_fop_write+0xe8/0x1f0\n[ 1670.022000] __vfs_write+0x60/0x190\n[ 1670.025472] vfs_write+0xac/0x1c0\n[ 1670.028771] ksys_write+0x6c/0xd8\n[ 1670.032071] __arm64_sys_write+0x24/0x30\n[ 1670.035977] el0_svc_common+0x78/0x130\n[ 1670.039710] el0_svc_handler+0x38/0x78\n[ 1670.043442] el0_svc+0x8/0xc\n\nTo fix this, set debugfs_dir to NULL after debugfs_remove_recursive().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52808\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52808\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52808\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52808\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52808\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/33331b265aac9441ac0c1a5442e3f05d038240ec\",\n \"https://git.kernel.org/stable/c/6de426f9276c448e2db7238911c97fb157cb23be\",\n \"https://git.kernel.org/stable/c/75a2656260fe8c7eeabda6ff4600b29e183f48db\",\n \"https://git.kernel.org/stable/c/b4465009e7d60c6111946db4c8f1e50d401ed7be\",\n \"https://git.kernel.org/stable/c/f0bfc8a5561fb0b2c48183dcbfe00bdd6d973bd3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs\\n\\nIf init debugfs failed during device registration due to memory allocation\\nfailure, debugfs_remove_recursive() is called, after which debugfs_dir is\\nnot set to NULL. debugfs_remove_recursive() will be called again during\\ndevice removal. As a result, illegal pointer is accessed.\\n\\n[ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs!\\n...\\n[ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\\n[ 1669.872669] pc : down_write+0x24/0x70\\n[ 1669.876315] lr : down_write+0x1c/0x70\\n[ 1669.879961] sp : ffff000036f53a30\\n[ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8\\n[ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000\\n[ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270\\n[ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8\\n[ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310\\n[ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10\\n[ 1669.914982] x17: 0000000000000000 x16: 0000000000000000\\n[ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870\\n[ 1669.925555] x13: 0000000000000040 x12: 0000000000000228\\n[ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0\\n[ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10\\n[ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff\\n[ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00\\n[ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000\\n[ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001\\n[ 1669.962563] Call trace:\\n[ 1669.965000] down_write+0x24/0x70\\n[ 1669.968301] debugfs_remove_recursive+0x5c/0x1b0\\n[ 1669.972905] hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main]\\n[ 1669.978541] hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw]\\n[ 1669.984175] pci_device_remove+0x48/0xd8\\n[ 1669.988082] device_release_driver_internal+0x1b4/0x250\\n[ 1669.993282] device_release_driver+0x28/0x38\\n[ 1669.997534] pci_stop_bus_device+0x84/0xb8\\n[ 1670.001611] pci_stop_and_remove_bus_device_locked+0x24/0x40\\n[ 1670.007244] remove_store+0xfc/0x140\\n[ 1670.010802] dev_attr_store+0x44/0x60\\n[ 1670.014448] sysfs_kf_write+0x58/0x80\\n[ 1670.018095] kernfs_fop_write+0xe8/0x1f0\\n[ 1670.022000] __vfs_write+0x60/0x190\\n[ 1670.025472] vfs_write+0xac/0x1c0\\n[ 1670.028771] ksys_write+0x6c/0xd8\\n[ 1670.032071] __arm64_sys_write+0x24/0x30\\n[ 1670.035977] el0_svc_common+0x78/0x130\\n[ 1670.039710] el0_svc_handler+0x38/0x78\\n[ 1670.043442] el0_svc+0x8/0xc\\n\\nTo fix this, set debugfs_dir to NULL after debugfs_remove_recursive().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52808\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52809", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52809" + }, + { + "url": "https://git.kernel.org/stable/c/442fd24d7b6b29e4a9cd9225afba4142d5f522ba" + }, + { + "url": "https://git.kernel.org/stable/c/4df105f0ce9f6f30cda4e99f577150d23f0c9c5f" + }, + { + "url": "https://git.kernel.org/stable/c/56d78b5495ebecbb9395101f3be177cd0a52450b" + }, + { + "url": "https://git.kernel.org/stable/c/6b9ecf4e1032e645873933e5b43cbb84cac19106" + }, + { + "url": "https://git.kernel.org/stable/c/77072ec41d6ab3718c3fc639bc149b8037caedfa" + }, + { + "url": "https://git.kernel.org/stable/c/930f0aaba4820d6362de4e6ed569eaf444f1ea4e" + }, + { + "url": "https://git.kernel.org/stable/c/b549acf999824d4f751ca57965700372f2f3ad00" + }, + { + "url": "https://git.kernel.org/stable/c/bb83f79f90e92f46466adcfd4fd264a7ae0f0f01" + }, + { + "url": "https://git.kernel.org/stable/c/f6fe7261b92b21109678747f36df9fdab1e30c34" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52809 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52809", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()\n\nfc_lport_ptp_setup() did not check the return value of fc_rport_create()\nwhich can return NULL and would cause a NULL pointer dereference. Address\nthis issue by checking return value of fc_rport_create() and log error\nmessage on fc_rport_create() failed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52809\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52809\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52809\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52809\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52809\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/442fd24d7b6b29e4a9cd9225afba4142d5f522ba\",\n \"https://git.kernel.org/stable/c/4df105f0ce9f6f30cda4e99f577150d23f0c9c5f\",\n \"https://git.kernel.org/stable/c/56d78b5495ebecbb9395101f3be177cd0a52450b\",\n \"https://git.kernel.org/stable/c/6b9ecf4e1032e645873933e5b43cbb84cac19106\",\n \"https://git.kernel.org/stable/c/77072ec41d6ab3718c3fc639bc149b8037caedfa\",\n \"https://git.kernel.org/stable/c/930f0aaba4820d6362de4e6ed569eaf444f1ea4e\",\n \"https://git.kernel.org/stable/c/b549acf999824d4f751ca57965700372f2f3ad00\",\n \"https://git.kernel.org/stable/c/bb83f79f90e92f46466adcfd4fd264a7ae0f0f01\",\n \"https://git.kernel.org/stable/c/f6fe7261b92b21109678747f36df9fdab1e30c34\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()\\n\\nfc_lport_ptp_setup() did not check the return value of fc_rport_create()\\nwhich can return NULL and would cause a NULL pointer dereference. Address\\nthis issue by checking return value of fc_rport_create() and log error\\nmessage on fc_rport_create() failed.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52809\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52810", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52810" + }, + { + "url": "https://git.kernel.org/stable/c/0cb567e727339a192f9fd0db00781d73a91d15a6" + }, + { + "url": "https://git.kernel.org/stable/c/1a7c53fdea1d189087544d9a606d249e93c4934b" + }, + { + "url": "https://git.kernel.org/stable/c/491085258185ffc4fb91555b0dba895fe7656a45" + }, + { + "url": "https://git.kernel.org/stable/c/524b4f203afcf87accfe387e846f33f916f0c907" + }, + { + "url": "https://git.kernel.org/stable/c/525b861a008143048535011f3816d407940f4bfa" + }, + { + "url": "https://git.kernel.org/stable/c/5f148b16972e5f4592629b244d5109b15135f53f" + }, + { + "url": "https://git.kernel.org/stable/c/8f2964df6bfce9d92d81ca552010b8677af8d9dc" + }, + { + "url": "https://git.kernel.org/stable/c/a81a56b4cbe3142cc99f6b98e8f9b3a631c768e1" + }, + { + "url": "https://git.kernel.org/stable/c/cc61fcf7d1c99f148fe8ddfb5c6ed0bb75861f01" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52810 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52810", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Add check for negative db_l2nbperpage\n\nl2nbperpage is log2(number of blks per page), and the minimum legal\nvalue should be 0, not negative.\n\nIn the case of l2nbperpage being negative, an error will occur\nwhen subsequently used as shift exponent.\n\nSyzbot reported this bug:\n\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12\nshift exponent -16777216 is negative", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52810\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52810\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52810\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52810\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52810\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0cb567e727339a192f9fd0db00781d73a91d15a6\",\n \"https://git.kernel.org/stable/c/1a7c53fdea1d189087544d9a606d249e93c4934b\",\n \"https://git.kernel.org/stable/c/491085258185ffc4fb91555b0dba895fe7656a45\",\n \"https://git.kernel.org/stable/c/524b4f203afcf87accfe387e846f33f916f0c907\",\n \"https://git.kernel.org/stable/c/525b861a008143048535011f3816d407940f4bfa\",\n \"https://git.kernel.org/stable/c/5f148b16972e5f4592629b244d5109b15135f53f\",\n \"https://git.kernel.org/stable/c/8f2964df6bfce9d92d81ca552010b8677af8d9dc\",\n \"https://git.kernel.org/stable/c/a81a56b4cbe3142cc99f6b98e8f9b3a631c768e1\",\n \"https://git.kernel.org/stable/c/cc61fcf7d1c99f148fe8ddfb5c6ed0bb75861f01\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/jfs: Add check for negative db_l2nbperpage\\n\\nl2nbperpage is log2(number of blks per page), and the minimum legal\\nvalue should be 0, not negative.\\n\\nIn the case of l2nbperpage being negative, an error will occur\\nwhen subsequently used as shift exponent.\\n\\nSyzbot reported this bug:\\n\\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12\\nshift exponent -16777216 is negative\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52810\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52811", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52811" + }, + { + "url": "https://git.kernel.org/stable/c/88984ec4792766df5a9de7a2ff2b5f281f94c7d4" + }, + { + "url": "https://git.kernel.org/stable/c/8bbe784c2ff28d56ca0c548aaf3e584edc77052d" + }, + { + "url": "https://git.kernel.org/stable/c/b39f2d10b86d0af353ea339e5815820026bca48f" + }, + { + "url": "https://git.kernel.org/stable/c/d2af4ef80601224b90630c1ddc7cd2c7c8ab4dd8" + }, + { + "url": "https://git.kernel.org/stable/c/e1d1f79b1929dce470a5dc9281c574cd58e8c6c0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52811 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52811", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Remove BUG_ON in the case of an empty event pool\n\nIn practice the driver should never send more commands than are allocated\nto a queue's event pool. In the unlikely event that this happens, the code\nasserts a BUG_ON, and in the case that the kernel is not configured to\ncrash on panic returns a junk event pointer from the empty event list\ncausing things to spiral from there. This BUG_ON is a historical artifact\nof the ibmvfc driver first being upstreamed, and it is well known now that\nthe use of BUG_ON is bad practice except in the most unrecoverable\nscenario. There is nothing about this scenario that prevents the driver\nfrom recovering and carrying on.\n\nRemove the BUG_ON in question from ibmvfc_get_event() and return a NULL\npointer in the case of an empty event pool. Update all call sites to\nibmvfc_get_event() to check for a NULL pointer and perfrom the appropriate\nfailure or recovery action.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52811\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52811\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52811\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52811\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52811\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/88984ec4792766df5a9de7a2ff2b5f281f94c7d4\",\n \"https://git.kernel.org/stable/c/8bbe784c2ff28d56ca0c548aaf3e584edc77052d\",\n \"https://git.kernel.org/stable/c/b39f2d10b86d0af353ea339e5815820026bca48f\",\n \"https://git.kernel.org/stable/c/d2af4ef80601224b90630c1ddc7cd2c7c8ab4dd8\",\n \"https://git.kernel.org/stable/c/e1d1f79b1929dce470a5dc9281c574cd58e8c6c0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: ibmvfc: Remove BUG_ON in the case of an empty event pool\\n\\nIn practice the driver should never send more commands than are allocated\\nto a queue's event pool. In the unlikely event that this happens, the code\\nasserts a BUG_ON, and in the case that the kernel is not configured to\\ncrash on panic returns a junk event pointer from the empty event list\\ncausing things to spiral from there. This BUG_ON is a historical artifact\\nof the ibmvfc driver first being upstreamed, and it is well known now that\\nthe use of BUG_ON is bad practice except in the most unrecoverable\\nscenario. There is nothing about this scenario that prevents the driver\\nfrom recovering and carrying on.\\n\\nRemove the BUG_ON in question from ibmvfc_get_event() and return a NULL\\npointer in the case of an empty event pool. Update all call sites to\\nibmvfc_get_event() to check for a NULL pointer and perfrom the appropriate\\nfailure or recovery action.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52811\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52812", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52812" + }, + { + "url": "https://git.kernel.org/stable/c/09f617219fe9ccd8d7b65dc3e879b5889f663b5a" + }, + { + "url": "https://git.kernel.org/stable/c/406e8845356d18bdf3d3a23b347faf67706472ec" + }, + { + "url": "https://git.kernel.org/stable/c/5b4574b663d0a1a0a62d5232429b7db9ae6d0670" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52812 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52812", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: check num of link levels when update pcie param\n\nIn SR-IOV environment, the value of pcie_table->num_of_link_levels will\nbe 0, and num_of_levels - 1 will cause array index out of bounds", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52812\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52812\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52812\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52812\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52812\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09f617219fe9ccd8d7b65dc3e879b5889f663b5a\",\n \"https://git.kernel.org/stable/c/406e8845356d18bdf3d3a23b347faf67706472ec\",\n \"https://git.kernel.org/stable/c/5b4574b663d0a1a0a62d5232429b7db9ae6d0670\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd: check num of link levels when update pcie param\\n\\nIn SR-IOV environment, the value of pcie_table->num_of_link_levels will\\nbe 0, and num_of_levels - 1 will cause array index out of bounds\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52812\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52813", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52813" + }, + { + "url": "https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0" + }, + { + "url": "https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28" + }, + { + "url": "https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316" + }, + { + "url": "https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523" + }, + { + "url": "https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e" + }, + { + "url": "https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7" + }, + { + "url": "https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf" + }, + { + "url": "https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d" + }, + { + "url": "https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52813 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52813", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\n\nWe found a hungtask bug in test_aead_vec_cfg as follows:\n\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nCall trace:\n __switch_to+0x98/0xe0\n __schedule+0x6c4/0xf40\n schedule+0xd8/0x1b4\n schedule_timeout+0x474/0x560\n wait_for_common+0x368/0x4e0\n wait_for_completion+0x20/0x30\n wait_for_completion+0x20/0x30\n test_aead_vec_cfg+0xab4/0xd50\n test_aead+0x144/0x1f0\n alg_test_aead+0xd8/0x1e0\n alg_test+0x634/0x890\n cryptomgr_test+0x40/0x70\n kthread+0x1e0/0x220\n ret_from_fork+0x10/0x18\n Kernel panic - not syncing: hung_task: blocked tasks\n\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\nwait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\nreturn err is 0 for padata_do_parallel. But, when pinst->flags is\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\nwon't call aead_request_complete(). Therefore, test_aead_vec_cfg will\nhung at wait_for_completion(&wait->completion), which will cause\nhungtask.\n\nThe problem comes as following:\n(padata_do_parallel) |\n rcu_read_lock_bh(); |\n err = -EINVAL; | (padata_replace)\n | pinst->flags |= PADATA_RESET;\n err = -EBUSY |\n if (pinst->flags & PADATA_RESET) |\n rcu_read_unlock_bh() |\n return err\n\nIn order to resolve the problem, we replace the return err -EBUSY with\n-EAGAIN, which means parallel_data is changing, and the caller should call\nit again.\n\nv3:\nremove retry and just change the return err.\nv2:\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\npcrypt_aead_decrypt to solve the hungtask.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52813\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52813\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52813\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52813\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52813\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0\",\n \"https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28\",\n \"https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316\",\n \"https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523\",\n \"https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e\",\n \"https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7\",\n \"https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf\",\n \"https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d\",\n \"https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\\n\\nWe found a hungtask bug in test_aead_vec_cfg as follows:\\n\\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\\n\\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\nCall trace:\\n __switch_to+0x98/0xe0\\n __schedule+0x6c4/0xf40\\n schedule+0xd8/0x1b4\\n schedule_timeout+0x474/0x560\\n wait_for_common+0x368/0x4e0\\n wait_for_completion+0x20/0x30\\n wait_for_completion+0x20/0x30\\n test_aead_vec_cfg+0xab4/0xd50\\n test_aead+0x144/0x1f0\\n alg_test_aead+0xd8/0x1e0\\n alg_test+0x634/0x890\\n cryptomgr_test+0x40/0x70\\n kthread+0x1e0/0x220\\n ret_from_fork+0x10/0x18\\n Kernel panic - not syncing: hung_task: blocked tasks\\n\\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\\nwait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal\\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\\nreturn err is 0 for padata_do_parallel. But, when pinst->flags is\\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\\nwon't call aead_request_complete(). Therefore, test_aead_vec_cfg will\\nhung at wait_for_completion(&wait->completion), which will cause\\nhungtask.\\n\\nThe problem comes as following:\\n(padata_do_parallel) |\\n rcu_read_lock_bh(); |\\n err = -EINVAL; | (padata_replace)\\n | pinst->flags |= PADATA_RESET;\\n err = -EBUSY |\\n if (pinst->flags & PADATA_RESET) |\\n rcu_read_unlock_bh() |\\n return err\\n\\nIn order to resolve the problem, we replace the return err -EBUSY with\\n-EAGAIN, which means parallel_data is changing, and the caller should call\\nit again.\\n\\nv3:\\nremove retry and just change the return err.\\nv2:\\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\\npcrypt_aead_decrypt to solve the hungtask.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52813\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52815", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52815" + }, + { + "url": "https://git.kernel.org/stable/c/33fb1a555354bd593f785935ddcb5d9dd4d3847f" + }, + { + "url": "https://git.kernel.org/stable/c/70f831f21155c692bb336c434936fd6f24f3f81a" + }, + { + "url": "https://git.kernel.org/stable/c/8c6c85a073768df68c1a3fea143d013a38c66d34" + }, + { + "url": "https://git.kernel.org/stable/c/cd90511557fdfb394bb4ac4c3b539b007383914c" + }, + { + "url": "https://git.kernel.org/stable/c/eaa03ea366c85ae3cb69c8d4bbc67c8bc2167a27" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52815 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52815", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vkms: fix a possible null pointer dereference\n\nIn amdgpu_vkms_conn_get_modes(), the return value of drm_cvt_mode()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_cvt_mode(). Add a check to avoid null pointer\ndereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52815\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52815\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52815\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52815\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52815\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/33fb1a555354bd593f785935ddcb5d9dd4d3847f\",\n \"https://git.kernel.org/stable/c/70f831f21155c692bb336c434936fd6f24f3f81a\",\n \"https://git.kernel.org/stable/c/8c6c85a073768df68c1a3fea143d013a38c66d34\",\n \"https://git.kernel.org/stable/c/cd90511557fdfb394bb4ac4c3b539b007383914c\",\n \"https://git.kernel.org/stable/c/eaa03ea366c85ae3cb69c8d4bbc67c8bc2167a27\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu/vkms: fix a possible null pointer dereference\\n\\nIn amdgpu_vkms_conn_get_modes(), the return value of drm_cvt_mode()\\nis assigned to mode, which will lead to a NULL pointer dereference\\non failure of drm_cvt_mode(). Add a check to avoid null pointer\\ndereference.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52815\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52816", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52816" + }, + { + "url": "https://git.kernel.org/stable/c/2806f880379232e789957c2078d612669eb7a69c" + }, + { + "url": "https://git.kernel.org/stable/c/282c1d793076c2edac6c3db51b7e8ed2b41d60a5" + }, + { + "url": "https://git.kernel.org/stable/c/3f7a400d5e80f99581e3e8a9843e1f6118bf454f" + }, + { + "url": "https://git.kernel.org/stable/c/56649c43d40ce0147465a2d5756d300e87f9ee1c" + }, + { + "url": "https://git.kernel.org/stable/c/d33a35b13cbfec3238043f196fa87a6384f9d087" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52816 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52816", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix shift out-of-bounds issue\n\n[ 567.613292] shift exponent 255 is too large for 64-bit type 'long unsigned int'\n[ 567.614498] CPU: 5 PID: 238 Comm: kworker/5:1 Tainted: G OE 6.2.0-34-generic #34~22.04.1-Ubuntu\n[ 567.614502] Hardware name: AMD Splinter/Splinter-RPL, BIOS WS43927N_871 09/25/2023\n[ 567.614504] Workqueue: events send_exception_work_handler [amdgpu]\n[ 567.614748] Call Trace:\n[ 567.614750] \n[ 567.614753] dump_stack_lvl+0x48/0x70\n[ 567.614761] dump_stack+0x10/0x20\n[ 567.614763] __ubsan_handle_shift_out_of_bounds+0x156/0x310\n[ 567.614769] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.614773] ? update_sd_lb_stats.constprop.0+0xf2/0x3c0\n[ 567.614780] svm_range_split_by_granularity.cold+0x2b/0x34 [amdgpu]\n[ 567.615047] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.615052] svm_migrate_to_ram+0x185/0x4d0 [amdgpu]\n[ 567.615286] do_swap_page+0x7b6/0xa30\n[ 567.615291] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.615294] ? __free_pages+0x119/0x130\n[ 567.615299] handle_pte_fault+0x227/0x280\n[ 567.615303] __handle_mm_fault+0x3c0/0x720\n[ 567.615311] handle_mm_fault+0x119/0x330\n[ 567.615314] ? lock_mm_and_find_vma+0x44/0x250\n[ 567.615318] do_user_addr_fault+0x1a9/0x640\n[ 567.615323] exc_page_fault+0x81/0x1b0\n[ 567.615328] asm_exc_page_fault+0x27/0x30\n[ 567.615332] RIP: 0010:__get_user_8+0x1c/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52816\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52816\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52816\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52816\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52816\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2806f880379232e789957c2078d612669eb7a69c\",\n \"https://git.kernel.org/stable/c/282c1d793076c2edac6c3db51b7e8ed2b41d60a5\",\n \"https://git.kernel.org/stable/c/3f7a400d5e80f99581e3e8a9843e1f6118bf454f\",\n \"https://git.kernel.org/stable/c/56649c43d40ce0147465a2d5756d300e87f9ee1c\",\n \"https://git.kernel.org/stable/c/d33a35b13cbfec3238043f196fa87a6384f9d087\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdkfd: Fix shift out-of-bounds issue\\n\\n[ 567.613292] shift exponent 255 is too large for 64-bit type 'long unsigned int'\\n[ 567.614498] CPU: 5 PID: 238 Comm: kworker/5:1 Tainted: G OE 6.2.0-34-generic #34~22.04.1-Ubuntu\\n[ 567.614502] Hardware name: AMD Splinter/Splinter-RPL, BIOS WS43927N_871 09/25/2023\\n[ 567.614504] Workqueue: events send_exception_work_handler [amdgpu]\\n[ 567.614748] Call Trace:\\n[ 567.614750] \\n[ 567.614753] dump_stack_lvl+0x48/0x70\\n[ 567.614761] dump_stack+0x10/0x20\\n[ 567.614763] __ubsan_handle_shift_out_of_bounds+0x156/0x310\\n[ 567.614769] ? srso_alias_return_thunk+0x5/0x7f\\n[ 567.614773] ? update_sd_lb_stats.constprop.0+0xf2/0x3c0\\n[ 567.614780] svm_range_split_by_granularity.cold+0x2b/0x34 [amdgpu]\\n[ 567.615047] ? srso_alias_return_thunk+0x5/0x7f\\n[ 567.615052] svm_migrate_to_ram+0x185/0x4d0 [amdgpu]\\n[ 567.615286] do_swap_page+0x7b6/0xa30\\n[ 567.615291] ? srso_alias_return_thunk+0x5/0x7f\\n[ 567.615294] ? __free_pages+0x119/0x130\\n[ 567.615299] handle_pte_fault+0x227/0x280\\n[ 567.615303] __handle_mm_fault+0x3c0/0x720\\n[ 567.615311] handle_mm_fault+0x119/0x330\\n[ 567.615314] ? lock_mm_and_find_vma+0x44/0x250\\n[ 567.615318] do_user_addr_fault+0x1a9/0x640\\n[ 567.615323] exc_page_fault+0x81/0x1b0\\n[ 567.615328] asm_exc_page_fault+0x27/0x30\\n[ 567.615332] RIP: 0010:__get_user_8+0x1c/0x30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52816\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52817", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52817" + }, + { + "url": "https://git.kernel.org/stable/c/174f62a0aa15c211e60208b41ee9e7cdfb73d455" + }, + { + "url": "https://git.kernel.org/stable/c/437e0fa907ba39b4d7eda863c03ea9cf48bd93a9" + }, + { + "url": "https://git.kernel.org/stable/c/5104fdf50d326db2c1a994f8b35dcd46e63ae4ad" + }, + { + "url": "https://git.kernel.org/stable/c/6c1b3d89a2dda79881726bb6e37af19c0936d736" + }, + { + "url": "https://git.kernel.org/stable/c/820daf9ffe2b0afb804567b10983fb38bc5ae288" + }, + { + "url": "https://git.kernel.org/stable/c/ba3c0796d292de84f2932cc5bbb0f771fc720996" + }, + { + "url": "https://git.kernel.org/stable/c/bf2d51eedf03bd61e3556e35d74d49e2e6112398" + }, + { + "url": "https://git.kernel.org/stable/c/f475d5502f33a6c5b149b0afe96316ad1962a64a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52817 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52817", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\n\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\n\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log::\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636] \n[4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002] full_proxy_read+0x5c/0x80\n[4005007.703011] vfs_read+0x9f/0x1a0\n[4005007.703019] ksys_read+0x67/0xe0\n[4005007.703023] __x64_sys_read+0x19/0x20\n[4005007.703028] do_syscall_64+0x5c/0xc0\n[4005007.703034] ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052] ? irqentry_exit+0x19/0x30\n[4005007.703057] ? exc_page_fault+0x89/0x160\n[4005007.703062] ? asm_exc_page_fault+0x8/0x30\n[4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105] \n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52817\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52817\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52817\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52817\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52817\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/174f62a0aa15c211e60208b41ee9e7cdfb73d455\",\n \"https://git.kernel.org/stable/c/437e0fa907ba39b4d7eda863c03ea9cf48bd93a9\",\n \"https://git.kernel.org/stable/c/5104fdf50d326db2c1a994f8b35dcd46e63ae4ad\",\n \"https://git.kernel.org/stable/c/6c1b3d89a2dda79881726bb6e37af19c0936d736\",\n \"https://git.kernel.org/stable/c/820daf9ffe2b0afb804567b10983fb38bc5ae288\",\n \"https://git.kernel.org/stable/c/ba3c0796d292de84f2932cc5bbb0f771fc720996\",\n \"https://git.kernel.org/stable/c/bf2d51eedf03bd61e3556e35d74d49e2e6112398\",\n \"https://git.kernel.org/stable/c/f475d5502f33a6c5b149b0afe96316ad1962a64a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\\n\\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\\n\\n1. Navigate to the directory: /sys/kernel/debug/dri/0\\n2. Execute command: cat amdgpu_regs_smc\\n3. Exception Log::\\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\\n[4005007.702567] #PF: error_code(0x0010) - not-present page\\n[4005007.702570] PGD 0 P4D 0\\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u\\n[4005007.702590] RIP: 0010:0x0\\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\\n[4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\\n[4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\\n[4005007.702633] Call Trace:\\n[4005007.702636] \\n[4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\\n[4005007.703002] full_proxy_read+0x5c/0x80\\n[4005007.703011] vfs_read+0x9f/0x1a0\\n[4005007.703019] ksys_read+0x67/0xe0\\n[4005007.703023] __x64_sys_read+0x19/0x20\\n[4005007.703028] do_syscall_64+0x5c/0xc0\\n[4005007.703034] ? do_user_addr_fault+0x1e3/0x670\\n[4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0\\n[4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20\\n[4005007.703052] ? irqentry_exit+0x19/0x30\\n[4005007.703057] ? exc_page_fault+0x89/0x160\\n[4005007.703062] ? asm_exc_page_fault+0x8/0x30\\n[4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae\\n[4005007.703075] RIP: 0033:0x7f5e07672992\\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24\\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\\n[4005007.703105] \\n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\\n[4005007.703184] CR2: 0000000000000000\\n[4005007.703188] ---[ en\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52817\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52818", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52818" + }, + { + "url": "https://git.kernel.org/stable/c/6dffdddfca818c02a42b6caa1d9845995f0a1f94" + }, + { + "url": "https://git.kernel.org/stable/c/760efbca74a405dc439a013a5efaa9fadc95a8c3" + }, + { + "url": "https://git.kernel.org/stable/c/8af28ae3acb736ada4ce3457662fa446cc913bb4" + }, + { + "url": "https://git.kernel.org/stable/c/92a775e7c9707aed28782bafe636bf87675f5a97" + }, + { + "url": "https://git.kernel.org/stable/c/acdb6830de02cf2873aeaccdf2d9bca4aee50e47" + }, + { + "url": "https://git.kernel.org/stable/c/c847379a5d00078ad6fcb1c24230e72c5609342f" + }, + { + "url": "https://git.kernel.org/stable/c/cfd8cd907fd94538561479a43aea455f5cf16928" + }, + { + "url": "https://git.kernel.org/stable/c/e52e324a21341c97350d5f11de14721c1c609498" + }, + { + "url": "https://git.kernel.org/stable/c/fc9ac0e8e0bcb3740c6eaad3a1a50c20016d422b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52818 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52818", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\n\nFor pptable structs that use flexible array sizes, use flexible arrays.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52818\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52818\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52818\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52818\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52818\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6dffdddfca818c02a42b6caa1d9845995f0a1f94\",\n \"https://git.kernel.org/stable/c/760efbca74a405dc439a013a5efaa9fadc95a8c3\",\n \"https://git.kernel.org/stable/c/8af28ae3acb736ada4ce3457662fa446cc913bb4\",\n \"https://git.kernel.org/stable/c/92a775e7c9707aed28782bafe636bf87675f5a97\",\n \"https://git.kernel.org/stable/c/acdb6830de02cf2873aeaccdf2d9bca4aee50e47\",\n \"https://git.kernel.org/stable/c/c847379a5d00078ad6fcb1c24230e72c5609342f\",\n \"https://git.kernel.org/stable/c/cfd8cd907fd94538561479a43aea455f5cf16928\",\n \"https://git.kernel.org/stable/c/e52e324a21341c97350d5f11de14721c1c609498\",\n \"https://git.kernel.org/stable/c/fc9ac0e8e0bcb3740c6eaad3a1a50c20016d422b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\\n\\nFor pptable structs that use flexible array sizes, use flexible arrays.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52818\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52819", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52819" + }, + { + "url": "https://git.kernel.org/stable/c/0f0e59075b5c22f1e871fbd508d6e4f495048356" + }, + { + "url": "https://git.kernel.org/stable/c/60a00dfc7c5deafd1dd393beaf53224f7256dad6" + }, + { + "url": "https://git.kernel.org/stable/c/7c68283f3166221af3df5791f0e13d3137a72216" + }, + { + "url": "https://git.kernel.org/stable/c/8c1dbddbfcb051e82cea0c197c620f9dcdc38e92" + }, + { + "url": "https://git.kernel.org/stable/c/a237675aa1e62bbfaa341c535331c8656a508fa1" + }, + { + "url": "https://git.kernel.org/stable/c/a63fd579e7b1c3a9ebd6e6c494d49b1b6cf5515e" + }, + { + "url": "https://git.kernel.org/stable/c/b3b8b7c040cf069da7afe11c5bd73b870b8f3d18" + }, + { + "url": "https://git.kernel.org/stable/c/d0725232da777840703f5f1e22f2e3081d712aa4" + }, + { + "url": "https://git.kernel.org/stable/c/d50a56749e5afdc63491b88f5153c1aae00d4679" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52819 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52819", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga\n\nFor pptable structs that use flexible array sizes, use flexible arrays.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52819\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52819\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52819\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52819\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52819\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f0e59075b5c22f1e871fbd508d6e4f495048356\",\n \"https://git.kernel.org/stable/c/60a00dfc7c5deafd1dd393beaf53224f7256dad6\",\n \"https://git.kernel.org/stable/c/7c68283f3166221af3df5791f0e13d3137a72216\",\n \"https://git.kernel.org/stable/c/8c1dbddbfcb051e82cea0c197c620f9dcdc38e92\",\n \"https://git.kernel.org/stable/c/a237675aa1e62bbfaa341c535331c8656a508fa1\",\n \"https://git.kernel.org/stable/c/a63fd579e7b1c3a9ebd6e6c494d49b1b6cf5515e\",\n \"https://git.kernel.org/stable/c/b3b8b7c040cf069da7afe11c5bd73b870b8f3d18\",\n \"https://git.kernel.org/stable/c/d0725232da777840703f5f1e22f2e3081d712aa4\",\n \"https://git.kernel.org/stable/c/d50a56749e5afdc63491b88f5153c1aae00d4679\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga\\n\\nFor pptable structs that use flexible array sizes, use flexible arrays.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52819\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52821", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52821" + }, + { + "url": "https://git.kernel.org/stable/c/2381f6b628b3214f07375e0adf5ce17093c31190" + }, + { + "url": "https://git.kernel.org/stable/c/4fa930ba046d20fc1899770396ee11e905fa96e4" + }, + { + "url": "https://git.kernel.org/stable/c/79813cd59398015867d51e6d7dcc14d287d4c402" + }, + { + "url": "https://git.kernel.org/stable/c/8a9dd36fcb4f3906982b82593393578db4479992" + }, + { + "url": "https://git.kernel.org/stable/c/924e5814d1f84e6fa5cb19c6eceb69f066225229" + }, + { + "url": "https://git.kernel.org/stable/c/c7dc0aca5962fb37dbea9769dd26ec37813faae1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52821 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52821", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: fix a possible null pointer dereference\n\nIn versatile_panel_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52821\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52821\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52821\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52821\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52821\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2381f6b628b3214f07375e0adf5ce17093c31190\",\n \"https://git.kernel.org/stable/c/4fa930ba046d20fc1899770396ee11e905fa96e4\",\n \"https://git.kernel.org/stable/c/79813cd59398015867d51e6d7dcc14d287d4c402\",\n \"https://git.kernel.org/stable/c/8a9dd36fcb4f3906982b82593393578db4479992\",\n \"https://git.kernel.org/stable/c/924e5814d1f84e6fa5cb19c6eceb69f066225229\",\n \"https://git.kernel.org/stable/c/c7dc0aca5962fb37dbea9769dd26ec37813faae1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/panel: fix a possible null pointer dereference\\n\\nIn versatile_panel_get_modes(), the return value of drm_mode_duplicate()\\nis assigned to mode, which will lead to a NULL pointer dereference\\non failure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52821\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52825", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52825" + }, + { + "url": "https://git.kernel.org/stable/c/50f35a907c4f9ed431fd3dbb8b871ef1cbb0718e" + }, + { + "url": "https://git.kernel.org/stable/c/709c348261618da7ed89d6c303e2ceb9e453ba74" + }, + { + "url": "https://git.kernel.org/stable/c/7d43cdd22cd81a2b079e864c4321b9aba4c6af34" + }, + { + "url": "https://git.kernel.org/stable/c/c772eacbd6d0845fc922af8716bb9d29ae27b8cf" + }, + { + "url": "https://git.kernel.org/stable/c/fc0210720127cc6302e6d6f3de48f49c3fcf5659" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52825 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52825", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix a race condition of vram buffer unref in svm code\n\nprange->svm_bo unref can happen in both mmu callback and a callback after\nmigrate to system ram. Both are async call in different tasks. Sync svm_bo\nunref operation to avoid random \"use-after-free\".", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52825\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52825\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52825\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52825\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52825\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/50f35a907c4f9ed431fd3dbb8b871ef1cbb0718e\",\n \"https://git.kernel.org/stable/c/709c348261618da7ed89d6c303e2ceb9e453ba74\",\n \"https://git.kernel.org/stable/c/7d43cdd22cd81a2b079e864c4321b9aba4c6af34\",\n \"https://git.kernel.org/stable/c/c772eacbd6d0845fc922af8716bb9d29ae27b8cf\",\n \"https://git.kernel.org/stable/c/fc0210720127cc6302e6d6f3de48f49c3fcf5659\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdkfd: Fix a race condition of vram buffer unref in svm code\\n\\nprange->svm_bo unref can happen in both mmu callback and a callback after\\nmigrate to system ram. Both are async call in different tasks. Sync svm_bo\\nunref operation to avoid random \\\"use-after-free\\\".\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52825\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52826", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52826" + }, + { + "url": "https://git.kernel.org/stable/c/84c923d898905187ebfd4c0ef38cd1450af7e0ea" + }, + { + "url": "https://git.kernel.org/stable/c/9268bfd76bebc85ff221691b61498cc16d75451c" + }, + { + "url": "https://git.kernel.org/stable/c/9acc2bc00135e9ecd13a70ce1140e2673e504cdc" + }, + { + "url": "https://git.kernel.org/stable/c/d0bc9ab0a161a9745273f5bf723733a8e6c57aca" + }, + { + "url": "https://git.kernel.org/stable/c/eaede6900c0961b072669d6bd97fe8f90ed1900f" + }, + { + "url": "https://git.kernel.org/stable/c/f22def5970c423ea7f87d5247bd0ef91416b0658" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52826 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52826", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel/panel-tpo-tpg110: fix a possible null pointer dereference\n\nIn tpg110_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52826\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52826\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52826\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52826\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52826\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/84c923d898905187ebfd4c0ef38cd1450af7e0ea\",\n \"https://git.kernel.org/stable/c/9268bfd76bebc85ff221691b61498cc16d75451c\",\n \"https://git.kernel.org/stable/c/9acc2bc00135e9ecd13a70ce1140e2673e504cdc\",\n \"https://git.kernel.org/stable/c/d0bc9ab0a161a9745273f5bf723733a8e6c57aca\",\n \"https://git.kernel.org/stable/c/eaede6900c0961b072669d6bd97fe8f90ed1900f\",\n \"https://git.kernel.org/stable/c/f22def5970c423ea7f87d5247bd0ef91416b0658\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/panel/panel-tpo-tpg110: fix a possible null pointer dereference\\n\\nIn tpg110_get_modes(), the return value of drm_mode_duplicate() is\\nassigned to mode, which will lead to a NULL pointer dereference on\\nfailure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52826\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52828", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52828" + }, + { + "url": "https://git.kernel.org/stable/c/327b92e8cb527ae097961ffd1610c720481947f5" + }, + { + "url": "https://git.kernel.org/stable/c/6058e4829696412457729a00734969acc6fd1d18" + }, + { + "url": "https://git.kernel.org/stable/c/66d9111f3517f85ef2af0337ece02683ce0faf21" + }, + { + "url": "https://git.kernel.org/stable/c/821a7e4143af115b840ec199eb179537e18af922" + }, + { + "url": "https://git.kernel.org/stable/c/aa42a7cb92647786719fe9608685da345883878f" + }, + { + "url": "https://git.kernel.org/stable/c/cf353904a82873e952633fcac4385c2fcd3a46e1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52828 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52828", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Detect IP == ksym.end as part of BPF program\n\nNow that bpf_throw kfunc is the first such call instruction that has\nnoreturn semantics within the verifier, this also kicks in dead code\nelimination in unprecedented ways. For one, any instruction following\na bpf_throw call will never be marked as seen. Moreover, if a callchain\nends up throwing, any instructions after the call instruction to the\neventually throwing subprog in callers will also never be marked as\nseen.\n\nThe tempting way to fix this would be to emit extra 'int3' instructions\nwhich bump the jited_len of a program, and ensure that during runtime\nwhen a program throws, we can discover its boundaries even if the call\ninstruction to bpf_throw (or to subprogs that always throw) is emitted\nas the final instruction in the program.\n\nAn example of such a program would be this:\n\ndo_something():\n\t...\n\tr0 = 0\n\texit\n\nfoo():\n\tr1 = 0\n\tcall bpf_throw\n\tr0 = 0\n\texit\n\nbar(cond):\n\tif r1 != 0 goto pc+2\n\tcall do_something\n\texit\n\tcall foo\n\tr0 = 0 // Never seen by verifier\n\texit\t//\n\nmain(ctx):\n\tr1 = ...\n\tcall bar\n\tr0 = 0\n\texit\n\nHere, if we do end up throwing, the stacktrace would be the following:\n\nbpf_throw\nfoo\nbar\nmain\n\nIn bar, the final instruction emitted will be the call to foo, as such,\nthe return address will be the subsequent instruction (which the JIT\nemits as int3 on x86). This will end up lying outside the jited_len of\nthe program, thus, when unwinding, we will fail to discover the return\naddress as belonging to any program and end up in a panic due to the\nunreliable stack unwinding of BPF programs that we never expect.\n\nTo remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as\npart of the BPF program, so that is_bpf_text_address returns true when\nsuch a case occurs, and we are able to unwind reliably when the final\ninstruction ends up being a call instruction.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52828\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52828\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52828\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52828\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52828\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/327b92e8cb527ae097961ffd1610c720481947f5\",\n \"https://git.kernel.org/stable/c/6058e4829696412457729a00734969acc6fd1d18\",\n \"https://git.kernel.org/stable/c/66d9111f3517f85ef2af0337ece02683ce0faf21\",\n \"https://git.kernel.org/stable/c/821a7e4143af115b840ec199eb179537e18af922\",\n \"https://git.kernel.org/stable/c/aa42a7cb92647786719fe9608685da345883878f\",\n \"https://git.kernel.org/stable/c/cf353904a82873e952633fcac4385c2fcd3a46e1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Detect IP == ksym.end as part of BPF program\\n\\nNow that bpf_throw kfunc is the first such call instruction that has\\nnoreturn semantics within the verifier, this also kicks in dead code\\nelimination in unprecedented ways. For one, any instruction following\\na bpf_throw call will never be marked as seen. Moreover, if a callchain\\nends up throwing, any instructions after the call instruction to the\\neventually throwing subprog in callers will also never be marked as\\nseen.\\n\\nThe tempting way to fix this would be to emit extra 'int3' instructions\\nwhich bump the jited_len of a program, and ensure that during runtime\\nwhen a program throws, we can discover its boundaries even if the call\\ninstruction to bpf_throw (or to subprogs that always throw) is emitted\\nas the final instruction in the program.\\n\\nAn example of such a program would be this:\\n\\ndo_something():\\n\\t...\\n\\tr0 = 0\\n\\texit\\n\\nfoo():\\n\\tr1 = 0\\n\\tcall bpf_throw\\n\\tr0 = 0\\n\\texit\\n\\nbar(cond):\\n\\tif r1 != 0 goto pc+2\\n\\tcall do_something\\n\\texit\\n\\tcall foo\\n\\tr0 = 0 // Never seen by verifier\\n\\texit\\t//\\n\\nmain(ctx):\\n\\tr1 = ...\\n\\tcall bar\\n\\tr0 = 0\\n\\texit\\n\\nHere, if we do end up throwing, the stacktrace would be the following:\\n\\nbpf_throw\\nfoo\\nbar\\nmain\\n\\nIn bar, the final instruction emitted will be the call to foo, as such,\\nthe return address will be the subsequent instruction (which the JIT\\nemits as int3 on x86). This will end up lying outside the jited_len of\\nthe program, thus, when unwinding, we will fail to discover the return\\naddress as belonging to any program and end up in a panic due to the\\nunreliable stack unwinding of BPF programs that we never expect.\\n\\nTo remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as\\npart of the BPF program, so that is_bpf_text_address returns true when\\nsuch a case occurs, and we are able to unwind reliably when the final\\ninstruction ends up being a call instruction.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52828\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52829", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52829" + }, + { + "url": "https://git.kernel.org/stable/c/4dd0547e8b45faf6f95373be5436b66cde326c0e" + }, + { + "url": "https://git.kernel.org/stable/c/b302dce3d9edea5b93d1902a541684a967f3c63c" + }, + { + "url": "https://git.kernel.org/stable/c/dfe13eaab043130f90dd3d57c7d88577c04adc97" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52829 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52829", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()\n\nreg_cap.phy_id is extracted from WMI event and could be an unexpected value\nin case some errors happen. As a result out-of-bound write may occur to\nsoc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.\n\nThis is found during code review.\n\nCompile tested only.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52829\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52829\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52829\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52829\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52829\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4dd0547e8b45faf6f95373be5436b66cde326c0e\",\n \"https://git.kernel.org/stable/c/b302dce3d9edea5b93d1902a541684a967f3c63c\",\n \"https://git.kernel.org/stable/c/dfe13eaab043130f90dd3d57c7d88577c04adc97\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()\\n\\nreg_cap.phy_id is extracted from WMI event and could be an unexpected value\\nin case some errors happen. As a result out-of-bound write may occur to\\nsoc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.\\n\\nThis is found during code review.\\n\\nCompile tested only.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52829\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52831", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52831" + }, + { + "url": "https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63" + }, + { + "url": "https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13" + }, + { + "url": "https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908" + }, + { + "url": "https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52831 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52831", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpu/hotplug: Don't offline the last non-isolated CPU\n\nIf a system has isolated CPUs via the \"isolcpus=\" command line parameter,\nthen an attempt to offline the last housekeeping CPU will result in a\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\nto and unhandled empty CPU mas in partition_sched_domains_locked().\n\ncpuset_hotplug_workfn()\n rebuild_sched_domains_locked()\n ndoms = generate_sched_domains(&doms, &attr);\n cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\n\nThus results in an empty CPU mask which triggers the warning and then the\nsubsequent crash:\n\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\nCall trace:\n build_sched_domains+0x120c/0x1408\n partition_sched_domains_locked+0x234/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n rebuild_sched_domains+0x30/0x58\n cpuset_hotplug_workfn+0x2a8/0x930\n\nUnable to handle kernel paging request at virtual address fffe80027ab37080\n partition_sched_domains_locked+0x318/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n\nAside of the resulting crash, it does not make any sense to offline the last\nlast housekeeping CPU.\n\nPrevent this by masking out the non-housekeeping CPUs when selecting a\ntarget CPU for initiating the CPU unplug operation via the work queue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52831\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52831\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52831\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52831\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52831\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63\",\n \"https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13\",\n \"https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908\",\n \"https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncpu/hotplug: Don't offline the last non-isolated CPU\\n\\nIf a system has isolated CPUs via the \\\"isolcpus=\\\" command line parameter,\\nthen an attempt to offline the last housekeeping CPU will result in a\\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\\nto and unhandled empty CPU mas in partition_sched_domains_locked().\\n\\ncpuset_hotplug_workfn()\\n rebuild_sched_domains_locked()\\n ndoms = generate_sched_domains(&doms, &attr);\\n cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\\n\\nThus results in an empty CPU mask which triggers the warning and then the\\nsubsequent crash:\\n\\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\\nCall trace:\\n build_sched_domains+0x120c/0x1408\\n partition_sched_domains_locked+0x234/0x880\\n rebuild_sched_domains_locked+0x37c/0x798\\n rebuild_sched_domains+0x30/0x58\\n cpuset_hotplug_workfn+0x2a8/0x930\\n\\nUnable to handle kernel paging request at virtual address fffe80027ab37080\\n partition_sched_domains_locked+0x318/0x880\\n rebuild_sched_domains_locked+0x37c/0x798\\n\\nAside of the resulting crash, it does not make any sense to offline the last\\nlast housekeeping CPU.\\n\\nPrevent this by masking out the non-housekeeping CPUs when selecting a\\ntarget CPU for initiating the CPU unplug operation via the work queue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52831\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52832", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52832" + }, + { + "url": "https://git.kernel.org/stable/c/1571120c44dbe5757aee1612c5b6097cdc42710f" + }, + { + "url": "https://git.kernel.org/stable/c/21a0f310a9f3bfd2b4cf4f382430e638607db846" + }, + { + "url": "https://git.kernel.org/stable/c/298e767362cade639b7121ecb3cc5345b6529f62" + }, + { + "url": "https://git.kernel.org/stable/c/2be24c47ac19bf639c48c082486c08888bd603c6" + }, + { + "url": "https://git.kernel.org/stable/c/5a94cffe90e20e8fade0b9abd4370bd671fe87c7" + }, + { + "url": "https://git.kernel.org/stable/c/717de20abdcd1d4993fa450e28b8086a352620ea" + }, + { + "url": "https://git.kernel.org/stable/c/adc2474d823fe81d8da759207f4f1d3691aa775a" + }, + { + "url": "https://git.kernel.org/stable/c/e160ab85166e77347d0cbe5149045cb25e83937f" + }, + { + "url": "https://git.kernel.org/stable/c/efeae5f4972f75d50002bc50eb112ab9e7069b18" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52832 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52832", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don't return unset power in ieee80211_get_tx_power()\n\nWe can get a UBSAN warning if ieee80211_get_tx_power() returns the\nINT_MIN value mac80211 internally uses for \"unset power level\".\n\n UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5\n -2147483648 * 100 cannot be represented in type 'int'\n CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE\n Call Trace:\n dump_stack+0x74/0x92\n ubsan_epilogue+0x9/0x50\n handle_overflow+0x8d/0xd0\n __ubsan_handle_mul_overflow+0xe/0x10\n nl80211_send_iface+0x688/0x6b0 [cfg80211]\n [...]\n cfg80211_register_wdev+0x78/0xb0 [cfg80211]\n cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]\n [...]\n ieee80211_if_add+0x60e/0x8f0 [mac80211]\n ieee80211_register_hw+0xda5/0x1170 [mac80211]\n\nIn this case, simply return an error instead, to indicate\nthat no data is available.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52832\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52832\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52832\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52832\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52832\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1571120c44dbe5757aee1612c5b6097cdc42710f\",\n \"https://git.kernel.org/stable/c/21a0f310a9f3bfd2b4cf4f382430e638607db846\",\n \"https://git.kernel.org/stable/c/298e767362cade639b7121ecb3cc5345b6529f62\",\n \"https://git.kernel.org/stable/c/2be24c47ac19bf639c48c082486c08888bd603c6\",\n \"https://git.kernel.org/stable/c/5a94cffe90e20e8fade0b9abd4370bd671fe87c7\",\n \"https://git.kernel.org/stable/c/717de20abdcd1d4993fa450e28b8086a352620ea\",\n \"https://git.kernel.org/stable/c/adc2474d823fe81d8da759207f4f1d3691aa775a\",\n \"https://git.kernel.org/stable/c/e160ab85166e77347d0cbe5149045cb25e83937f\",\n \"https://git.kernel.org/stable/c/efeae5f4972f75d50002bc50eb112ab9e7069b18\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: don't return unset power in ieee80211_get_tx_power()\\n\\nWe can get a UBSAN warning if ieee80211_get_tx_power() returns the\\nINT_MIN value mac80211 internally uses for \\\"unset power level\\\".\\n\\n UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5\\n -2147483648 * 100 cannot be represented in type 'int'\\n CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE\\n Call Trace:\\n dump_stack+0x74/0x92\\n ubsan_epilogue+0x9/0x50\\n handle_overflow+0x8d/0xd0\\n __ubsan_handle_mul_overflow+0xe/0x10\\n nl80211_send_iface+0x688/0x6b0 [cfg80211]\\n [...]\\n cfg80211_register_wdev+0x78/0xb0 [cfg80211]\\n cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]\\n [...]\\n ieee80211_if_add+0x60e/0x8f0 [mac80211]\\n ieee80211_register_hw+0xda5/0x1170 [mac80211]\\n\\nIn this case, simply return an error instead, to indicate\\nthat no data is available.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52832\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52833", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52833" + }, + { + "url": "https://git.kernel.org/stable/c/0048ddf045bddc4dacb3e783fd869a2f8fb5be30" + }, + { + "url": "https://git.kernel.org/stable/c/13b1ebad4c175e6a9b0748acbf133c21a15d282a" + }, + { + "url": "https://git.kernel.org/stable/c/624820f7c8826dd010e8b1963303c145f99816e9" + }, + { + "url": "https://git.kernel.org/stable/c/9f8e4d1a4ca1179aaeb43f91f3e2a386e7e616b3" + }, + { + "url": "https://git.kernel.org/stable/c/a556f2ef556a04790f67f2fa272f1a77336d15a0" + }, + { + "url": "https://git.kernel.org/stable/c/f9de14bde56dcbb0765284c6dfc35842b021733c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52833 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52833", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: Add date->evt_skb is NULL check\n\nfix crash because of null pointers\n\n[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[ 6104.969667] #PF: supervisor read access in kernel mode\n[ 6104.969668] #PF: error_code(0x0000) - not-present page\n[ 6104.969670] PGD 0 P4D 0\n[ 6104.969673] Oops: 0000 [#1] SMP NOPTI\n[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]\n[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246\n[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006\n[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000\n[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001\n[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0\n[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90\n[ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000\n[ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0\n[ 6104.969701] PKRU: 55555554\n[ 6104.969702] Call Trace:\n[ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb]\n[ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth]\n[ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth]\n[ 6104.969753] rfkill_set_block+0x92/0x160\n[ 6104.969755] rfkill_fop_write+0x136/0x1e0\n[ 6104.969759] __vfs_write+0x18/0x40\n[ 6104.969761] vfs_write+0xdf/0x1c0\n[ 6104.969763] ksys_write+0xb1/0xe0\n[ 6104.969765] __x64_sys_write+0x1a/0x20\n[ 6104.969769] do_syscall_64+0x51/0x180\n[ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[ 6104.969773] RIP: 0033:0x7f5a21f18fef\n[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef\n[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012\n[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017\n[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002\n[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52833\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52833\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52833\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52833\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52833\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0048ddf045bddc4dacb3e783fd869a2f8fb5be30\",\n \"https://git.kernel.org/stable/c/13b1ebad4c175e6a9b0748acbf133c21a15d282a\",\n \"https://git.kernel.org/stable/c/624820f7c8826dd010e8b1963303c145f99816e9\",\n \"https://git.kernel.org/stable/c/9f8e4d1a4ca1179aaeb43f91f3e2a386e7e616b3\",\n \"https://git.kernel.org/stable/c/a556f2ef556a04790f67f2fa272f1a77336d15a0\",\n \"https://git.kernel.org/stable/c/f9de14bde56dcbb0765284c6dfc35842b021733c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: btusb: Add date->evt_skb is NULL check\\n\\nfix crash because of null pointers\\n\\n[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8\\n[ 6104.969667] #PF: supervisor read access in kernel mode\\n[ 6104.969668] #PF: error_code(0x0000) - not-present page\\n[ 6104.969670] PGD 0 P4D 0\\n[ 6104.969673] Oops: 0000 [#1] SMP NOPTI\\n[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]\\n[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246\\n[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006\\n[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000\\n[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001\\n[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0\\n[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90\\n[ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000\\n[ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0\\n[ 6104.969701] PKRU: 55555554\\n[ 6104.969702] Call Trace:\\n[ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb]\\n[ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth]\\n[ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth]\\n[ 6104.969753] rfkill_set_block+0x92/0x160\\n[ 6104.969755] rfkill_fop_write+0x136/0x1e0\\n[ 6104.969759] __vfs_write+0x18/0x40\\n[ 6104.969761] vfs_write+0xdf/0x1c0\\n[ 6104.969763] ksys_write+0xb1/0xe0\\n[ 6104.969765] __x64_sys_write+0x1a/0x20\\n[ 6104.969769] do_syscall_64+0x51/0x180\\n[ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9\\n[ 6104.969773] RIP: 0033:0x7f5a21f18fef\\n[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\\n[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef\\n[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012\\n[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017\\n[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002\\n[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52833\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52834", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52834" + }, + { + "url": "https://git.kernel.org/stable/c/32f08b7b430ee01ec47d730f961a3306c1c7b6fb" + }, + { + "url": "https://git.kernel.org/stable/c/54a6152da4993ec8e4b53dc3cf577f5a2c829afa" + }, + { + "url": "https://git.kernel.org/stable/c/57e44ff9c2c9747b2b1a53556810b0e5192655d6" + }, + { + "url": "https://git.kernel.org/stable/c/86565682e9053e5deb128193ea9e88531bbae9cf" + }, + { + "url": "https://git.kernel.org/stable/c/c29a89b23f67ee592f4dee61f9d7efbf86d60315" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52834 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52834", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\natl1c: Work around the DMA RX overflow issue\n\nThis is based on alx driver commit 881d0327db37 (\"net: alx: Work around\nthe DMA RX overflow issue\").\n\nThe alx and atl1c drivers had RX overflow error which was why a custom\nallocator was created to avoid certain addresses. The simpler workaround\nthen created for alx driver, but not for atl1c due to lack of tester.\n\nInstead of using a custom allocator, check the allocated skb address and\nuse skb_reserve() to move away from problematic 0x...fc0 address.\n\nTested on AR8131 on Acer 4540.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52834\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52834\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52834\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52834\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52834\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32f08b7b430ee01ec47d730f961a3306c1c7b6fb\",\n \"https://git.kernel.org/stable/c/54a6152da4993ec8e4b53dc3cf577f5a2c829afa\",\n \"https://git.kernel.org/stable/c/57e44ff9c2c9747b2b1a53556810b0e5192655d6\",\n \"https://git.kernel.org/stable/c/86565682e9053e5deb128193ea9e88531bbae9cf\",\n \"https://git.kernel.org/stable/c/c29a89b23f67ee592f4dee61f9d7efbf86d60315\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\natl1c: Work around the DMA RX overflow issue\\n\\nThis is based on alx driver commit 881d0327db37 (\\\"net: alx: Work around\\nthe DMA RX overflow issue\\\").\\n\\nThe alx and atl1c drivers had RX overflow error which was why a custom\\nallocator was created to avoid certain addresses. The simpler workaround\\nthen created for alx driver, but not for atl1c due to lack of tester.\\n\\nInstead of using a custom allocator, check the allocated skb address and\\nuse skb_reserve() to move away from problematic 0x...fc0 address.\\n\\nTested on AR8131 on Acer 4540.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52834\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52835", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52835" + }, + { + "url": "https://git.kernel.org/stable/c/1a2a4202c60fcdffbf04f259002ce9bff39edece" + }, + { + "url": "https://git.kernel.org/stable/c/2424410f94a94d91230ced094062d859714c984a" + }, + { + "url": "https://git.kernel.org/stable/c/2e905e608e38cf7f8dcddcf8a6036e91a78444cb" + }, + { + "url": "https://git.kernel.org/stable/c/54aee5f15b83437f23b2b2469bcf21bdd9823916" + }, + { + "url": "https://git.kernel.org/stable/c/788c0b3442ead737008934947730a6d1ff703734" + }, + { + "url": "https://git.kernel.org/stable/c/8c504f615d7ed60ae035c51d0c789137ced6797f" + }, + { + "url": "https://git.kernel.org/stable/c/9ce4e87a8efd37c85766ec08b15e885cab08553a" + }, + { + "url": "https://git.kernel.org/stable/c/fd0df3f8719201dbe61a4d39083d5aecd705399a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52835 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52835", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Bail out early if the request AUX area is out of bound\n\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\n\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n failed to mmap with 12 (Cannot allocate memory)\n\nand it reveals a WARNING with __alloc_pages():\n\n\t------------[ cut here ]------------\n\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\n\tCall trace:\n\t __alloc_pages+0x1ec/0x248\n\t __kmalloc_large_node+0xc0/0x1f8\n\t __kmalloc_node+0x134/0x1e8\n\t rb_alloc_aux+0xe0/0x298\n\t perf_mmap+0x440/0x660\n\t mmap_region+0x308/0x8a8\n\t do_mmap+0x3c0/0x528\n\t vm_mmap_pgoff+0xf4/0x1b8\n\t ksys_mmap_pgoff+0x18c/0x218\n\t __arm64_sys_mmap+0x38/0x58\n\t invoke_syscall+0x50/0x128\n\t el0_svc_common.constprop.0+0x58/0x188\n\t do_el0_svc+0x34/0x50\n\t el0_svc+0x34/0x108\n\t el0t_64_sync_handler+0xb8/0xc0\n\t el0t_64_sync+0x1a4/0x1a8\n\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\nmaintains AUX trace pages. The allocated page for this array is physically\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\nWARNING.\n\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\ne.g.:\n\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n failed to mmap with 12 (Cannot allocate memory)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52835\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52835\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52835\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52835\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52835\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a2a4202c60fcdffbf04f259002ce9bff39edece\",\n \"https://git.kernel.org/stable/c/2424410f94a94d91230ced094062d859714c984a\",\n \"https://git.kernel.org/stable/c/2e905e608e38cf7f8dcddcf8a6036e91a78444cb\",\n \"https://git.kernel.org/stable/c/54aee5f15b83437f23b2b2469bcf21bdd9823916\",\n \"https://git.kernel.org/stable/c/788c0b3442ead737008934947730a6d1ff703734\",\n \"https://git.kernel.org/stable/c/8c504f615d7ed60ae035c51d0c789137ced6797f\",\n \"https://git.kernel.org/stable/c/9ce4e87a8efd37c85766ec08b15e885cab08553a\",\n \"https://git.kernel.org/stable/c/fd0df3f8719201dbe61a4d39083d5aecd705399a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf/core: Bail out early if the request AUX area is out of bound\\n\\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\\n\\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\\n failed to mmap with 12 (Cannot allocate memory)\\n\\nand it reveals a WARNING with __alloc_pages():\\n\\n\\t------------[ cut here ]------------\\n\\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\\n\\tCall trace:\\n\\t __alloc_pages+0x1ec/0x248\\n\\t __kmalloc_large_node+0xc0/0x1f8\\n\\t __kmalloc_node+0x134/0x1e8\\n\\t rb_alloc_aux+0xe0/0x298\\n\\t perf_mmap+0x440/0x660\\n\\t mmap_region+0x308/0x8a8\\n\\t do_mmap+0x3c0/0x528\\n\\t vm_mmap_pgoff+0xf4/0x1b8\\n\\t ksys_mmap_pgoff+0x18c/0x218\\n\\t __arm64_sys_mmap+0x38/0x58\\n\\t invoke_syscall+0x50/0x128\\n\\t el0_svc_common.constprop.0+0x58/0x188\\n\\t do_el0_svc+0x34/0x50\\n\\t el0_svc+0x34/0x108\\n\\t el0t_64_sync_handler+0xb8/0xc0\\n\\t el0t_64_sync+0x1a4/0x1a8\\n\\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\\nmaintains AUX trace pages. The allocated page for this array is physically\\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\\nWARNING.\\n\\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\\ne.g.:\\n\\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\\n failed to mmap with 12 (Cannot allocate memory)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52835\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52836", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52836" + }, + { + "url": "https://git.kernel.org/stable/c/304a2c4aad0fff887ce493e4197bf9cbaf394479" + }, + { + "url": "https://git.kernel.org/stable/c/9ed2d68b3925145f5f51c46559484881d6082f75" + }, + { + "url": "https://git.kernel.org/stable/c/bccdd808902f8c677317cec47c306e42b93b849e" + }, + { + "url": "https://git.kernel.org/stable/c/c56df79d68677cf062da1b6e3b33e74299a92dfc" + }, + { + "url": "https://git.kernel.org/stable/c/d4d37c9e6a4dbcca958dabd99216550525c7e389" + }, + { + "url": "https://git.kernel.org/stable/c/d8267cabbe1bed15ccf8b0e684c528bf8eeef715" + }, + { + "url": "https://git.kernel.org/stable/c/dcd85e3c929368076a7592b27f541e0da8b427f5" + }, + { + "url": "https://git.kernel.org/stable/c/e36407713163363e65566e7af0abe207d5f59a0c" + }, + { + "url": "https://git.kernel.org/stable/c/e89d0ed45a419c485bae999426ecf92697cbdda3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52836 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52836", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/ww_mutex/test: Fix potential workqueue corruption\n\nIn some cases running with the test-ww_mutex code, I was seeing\nodd behavior where sometimes it seemed flush_workqueue was\nreturning before all the work threads were finished.\n\nOften this would cause strange crashes as the mutexes would be\nfreed while they were being used.\n\nLooking at the code, there is a lifetime problem as the\ncontrolling thread that spawns the work allocates the\n\"struct stress\" structures that are passed to the workqueue\nthreads. Then when the workqueue threads are finished,\nthey free the stress struct that was passed to them.\n\nUnfortunately the workqueue work_struct node is in the stress\nstruct. Which means the work_struct is freed before the work\nthread returns and while flush_workqueue is waiting.\n\nIt seems like a better idea to have the controlling thread\nboth allocate and free the stress structures, so that we can\nbe sure we don't corrupt the workqueue by freeing the structure\nprematurely.\n\nSo this patch reworks the test to do so, and with this change\nI no longer see the early flush_workqueue returns.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52836\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52836\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52836\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52836\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52836\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/304a2c4aad0fff887ce493e4197bf9cbaf394479\",\n \"https://git.kernel.org/stable/c/9ed2d68b3925145f5f51c46559484881d6082f75\",\n \"https://git.kernel.org/stable/c/bccdd808902f8c677317cec47c306e42b93b849e\",\n \"https://git.kernel.org/stable/c/c56df79d68677cf062da1b6e3b33e74299a92dfc\",\n \"https://git.kernel.org/stable/c/d4d37c9e6a4dbcca958dabd99216550525c7e389\",\n \"https://git.kernel.org/stable/c/d8267cabbe1bed15ccf8b0e684c528bf8eeef715\",\n \"https://git.kernel.org/stable/c/dcd85e3c929368076a7592b27f541e0da8b427f5\",\n \"https://git.kernel.org/stable/c/e36407713163363e65566e7af0abe207d5f59a0c\",\n \"https://git.kernel.org/stable/c/e89d0ed45a419c485bae999426ecf92697cbdda3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlocking/ww_mutex/test: Fix potential workqueue corruption\\n\\nIn some cases running with the test-ww_mutex code, I was seeing\\nodd behavior where sometimes it seemed flush_workqueue was\\nreturning before all the work threads were finished.\\n\\nOften this would cause strange crashes as the mutexes would be\\nfreed while they were being used.\\n\\nLooking at the code, there is a lifetime problem as the\\ncontrolling thread that spawns the work allocates the\\n\\\"struct stress\\\" structures that are passed to the workqueue\\nthreads. Then when the workqueue threads are finished,\\nthey free the stress struct that was passed to them.\\n\\nUnfortunately the workqueue work_struct node is in the stress\\nstruct. Which means the work_struct is freed before the work\\nthread returns and while flush_workqueue is waiting.\\n\\nIt seems like a better idea to have the controlling thread\\nboth allocate and free the stress structures, so that we can\\nbe sure we don't corrupt the workqueue by freeing the structure\\nprematurely.\\n\\nSo this patch reworks the test to do so, and with this change\\nI no longer see the early flush_workqueue returns.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52836\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52837", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52837" + }, + { + "url": "https://git.kernel.org/stable/c/327462725b0f759f093788dfbcb2f1fd132f956b" + }, + { + "url": "https://git.kernel.org/stable/c/4e9b3ec84dc97909876641dad14e0a2300d6c2a3" + }, + { + "url": "https://git.kernel.org/stable/c/56bd7901b5e9dbc9112036ea615ebcba1565fafe" + }, + { + "url": "https://git.kernel.org/stable/c/879947f4180bc6e83af64eb0515e0cf57fce15db" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52837 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52837", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix uaf in nbd_open\n\nCommit 4af5f2e03013 (\"nbd: use blk_mq_alloc_disk and\nblk_cleanup_disk\") cleans up disk by blk_cleanup_disk() and it won't set\ndisk->private_data as NULL as before. UAF may be triggered in nbd_open()\nif someone tries to open nbd device right after nbd_put() since nbd has\nbeen free in nbd_dev_remove().\n\nFix this by implementing ->free_disk and free private data in it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52837\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52837\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52837\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52837\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52837\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/327462725b0f759f093788dfbcb2f1fd132f956b\",\n \"https://git.kernel.org/stable/c/4e9b3ec84dc97909876641dad14e0a2300d6c2a3\",\n \"https://git.kernel.org/stable/c/56bd7901b5e9dbc9112036ea615ebcba1565fafe\",\n \"https://git.kernel.org/stable/c/879947f4180bc6e83af64eb0515e0cf57fce15db\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnbd: fix uaf in nbd_open\\n\\nCommit 4af5f2e03013 (\\\"nbd: use blk_mq_alloc_disk and\\nblk_cleanup_disk\\\") cleans up disk by blk_cleanup_disk() and it won't set\\ndisk->private_data as NULL as before. UAF may be triggered in nbd_open()\\nif someone tries to open nbd device right after nbd_put() since nbd has\\nbeen free in nbd_dev_remove().\\n\\nFix this by implementing ->free_disk and free private data in it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52837\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52838", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52838" + }, + { + "url": "https://git.kernel.org/stable/c/18d26f9baca7d0d309303e3074a2252b8310884a" + }, + { + "url": "https://git.kernel.org/stable/c/382e1931e0c9cd58a5a8519cdc6cd9dc4d82b485" + }, + { + "url": "https://git.kernel.org/stable/c/6c66d737b2726ac7784269ddf32a31634f8f269d" + }, + { + "url": "https://git.kernel.org/stable/c/7bc7b82fb2191b0d50a80ee4e27030918767dd1d" + }, + { + "url": "https://git.kernel.org/stable/c/8e4b510fe91782522b7ca0ca881b663b5d35e513" + }, + { + "url": "https://git.kernel.org/stable/c/a4dfebec32ec6d420a5506dd56a7834c91be28e4" + }, + { + "url": "https://git.kernel.org/stable/c/aba6ab57a910ad4b940c2024d15f2cdbf5b7f76b" + }, + { + "url": "https://git.kernel.org/stable/c/b346a531159d08c564a312a9eaeea691704f3c00" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52838 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52838", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: imsttfb: fix a resource leak in probe\n\nI've re-written the error handling but the bug is that if init_imstt()\nfails we need to call iounmap(par->cmap_regs).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52838\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52838\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52838\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52838\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52838\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/18d26f9baca7d0d309303e3074a2252b8310884a\",\n \"https://git.kernel.org/stable/c/382e1931e0c9cd58a5a8519cdc6cd9dc4d82b485\",\n \"https://git.kernel.org/stable/c/6c66d737b2726ac7784269ddf32a31634f8f269d\",\n \"https://git.kernel.org/stable/c/7bc7b82fb2191b0d50a80ee4e27030918767dd1d\",\n \"https://git.kernel.org/stable/c/8e4b510fe91782522b7ca0ca881b663b5d35e513\",\n \"https://git.kernel.org/stable/c/a4dfebec32ec6d420a5506dd56a7834c91be28e4\",\n \"https://git.kernel.org/stable/c/aba6ab57a910ad4b940c2024d15f2cdbf5b7f76b\",\n \"https://git.kernel.org/stable/c/b346a531159d08c564a312a9eaeea691704f3c00\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfbdev: imsttfb: fix a resource leak in probe\\n\\nI've re-written the error handling but the bug is that if init_imstt()\\nfails we need to call iounmap(par->cmap_regs).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52838\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52840", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52840" + }, + { + "url": "https://git.kernel.org/stable/c/2f236d8638f5b43e0c72919a6a27fe286c32053f" + }, + { + "url": "https://git.kernel.org/stable/c/303766bb92c5c225cf40f9bbbe7e29749406e2f2" + }, + { + "url": "https://git.kernel.org/stable/c/50d12253666195a14c6cd2b81c376e2dbeedbdff" + }, + { + "url": "https://git.kernel.org/stable/c/6c71e065befb2fae8f1461559b940c04e1071bd5" + }, + { + "url": "https://git.kernel.org/stable/c/7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f" + }, + { + "url": "https://git.kernel.org/stable/c/c8e639f5743cf4b01f8c65e0df075fe4d782b585" + }, + { + "url": "https://git.kernel.org/stable/c/cc56c4d17721dcb10ad4e9c9266e449be1462683" + }, + { + "url": "https://git.kernel.org/stable/c/eb988e46da2e4eae89f5337e047ce372fe33d5b1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52840 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52840", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: synaptics-rmi4 - fix use after free in rmi_unregister_function()\n\nThe put_device() calls rmi_release_function() which frees \"fn\" so the\ndereference on the next line \"fn->num_of_irqs\" is a use after free.\nMove the put_device() to the end to fix this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52840\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52840\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52840\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52840\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52840\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f236d8638f5b43e0c72919a6a27fe286c32053f\",\n \"https://git.kernel.org/stable/c/303766bb92c5c225cf40f9bbbe7e29749406e2f2\",\n \"https://git.kernel.org/stable/c/50d12253666195a14c6cd2b81c376e2dbeedbdff\",\n \"https://git.kernel.org/stable/c/6c71e065befb2fae8f1461559b940c04e1071bd5\",\n \"https://git.kernel.org/stable/c/7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f\",\n \"https://git.kernel.org/stable/c/c8e639f5743cf4b01f8c65e0df075fe4d782b585\",\n \"https://git.kernel.org/stable/c/cc56c4d17721dcb10ad4e9c9266e449be1462683\",\n \"https://git.kernel.org/stable/c/eb988e46da2e4eae89f5337e047ce372fe33d5b1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nInput: synaptics-rmi4 - fix use after free in rmi_unregister_function()\\n\\nThe put_device() calls rmi_release_function() which frees \\\"fn\\\" so the\\ndereference on the next line \\\"fn->num_of_irqs\\\" is a use after free.\\nMove the put_device() to the end to fix this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52840\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52841", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52841" + }, + { + "url": "https://git.kernel.org/stable/c/1fd6eb12642e0c32692924ff359c07de4b781d78" + }, + { + "url": "https://git.kernel.org/stable/c/64863ba8e6b7651d994c6e6d506cc8aa2ac45edb" + }, + { + "url": "https://git.kernel.org/stable/c/980be4c3b0d51c0f873fd750117774561c66cf68" + }, + { + "url": "https://git.kernel.org/stable/c/a254ee1ddc592ae1efcce96b8c014e1bd2d5a2b4" + }, + { + "url": "https://git.kernel.org/stable/c/aae7598aff291d4d140be1355aa20930af948785" + }, + { + "url": "https://git.kernel.org/stable/c/cb13001411999adb158b39e76d94705eb2da100d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52841 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52841", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: mux: Add check and kfree for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.\nMoreover, use kfree() in the later error handling in order to avoid\nmemory leak.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52841\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52841\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52841\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52841\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52841\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fd6eb12642e0c32692924ff359c07de4b781d78\",\n \"https://git.kernel.org/stable/c/64863ba8e6b7651d994c6e6d506cc8aa2ac45edb\",\n \"https://git.kernel.org/stable/c/980be4c3b0d51c0f873fd750117774561c66cf68\",\n \"https://git.kernel.org/stable/c/a254ee1ddc592ae1efcce96b8c014e1bd2d5a2b4\",\n \"https://git.kernel.org/stable/c/aae7598aff291d4d140be1355aa20930af948785\",\n \"https://git.kernel.org/stable/c/cb13001411999adb158b39e76d94705eb2da100d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: vidtv: mux: Add check and kfree for kstrdup\\n\\nAdd check for the return value of kstrdup() and return the error\\nif it fails in order to avoid NULL pointer dereference.\\nMoreover, use kfree() in the later error handling in order to avoid\\nmemory leak.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52841\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52843", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52843" + }, + { + "url": "https://git.kernel.org/stable/c/0a720d0259ad3521ec6c9e4199f9f6fc75bac77a" + }, + { + "url": "https://git.kernel.org/stable/c/352887b3edd007cf9b0abc30fe9d98622acd859b" + }, + { + "url": "https://git.kernel.org/stable/c/3a2653828ffc6101aef80bf58d5b77484239f779" + }, + { + "url": "https://git.kernel.org/stable/c/7b3ba18703a63f6fd487183b9262b08e5632da1b" + }, + { + "url": "https://git.kernel.org/stable/c/900a4418e3f66a32db6baaf23f92b99c20ae6535" + }, + { + "url": "https://git.kernel.org/stable/c/9a3f9054a5227d7567cba1fb821df48ccecad10c" + }, + { + "url": "https://git.kernel.org/stable/c/cbdcdf42d15dac74c7287679fb2a9d955f8feb1f" + }, + { + "url": "https://git.kernel.org/stable/c/f980e9a57dfb9530f1f4ee41a2420f2a256d7b29" + }, + { + "url": "https://git.kernel.org/stable/c/ff5cb6a4f0c6d7fbdc84858323fb4b7af32cfd79" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52843 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52843", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: verify mac len before reading mac header\n\nLLC reads the mac header with eth_hdr without verifying that the skb\nhas an Ethernet header.\n\nSyzbot was able to enter llc_rcv on a tun device. Tun can insert\npackets without mac len and with user configurable skb->protocol\n(passing a tun_pi header when not configuring IFF_NO_PI).\n\n BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218\n __netif_receive_skb_one_core net/core/dev.c:5523 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\n netif_receive_skb_internal net/core/dev.c:5723 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5782\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002\n\nAdd a mac_len test before all three eth_hdr(skb) calls under net/llc.\n\nThere are further uses in include/net/llc_pdu.h. All these are\nprotected by a test skb->protocol == ETH_P_802_2. Which does not\nprotect against this tun scenario.\n\nBut the mac_len test added in this patch in llc_fixup_skb will\nindirectly protect those too. That is called from llc_rcv before any\nother LLC code.\n\nIt is tempting to just add a blanket mac_len check in llc_rcv, but\nnot sure whether that could break valid LLC paths that do not assume\nan Ethernet header. 802.2 LLC may be used on top of non-802.3\nprotocols in principle. The below referenced commit shows that used\nto, on top of Token Ring.\n\nAt least one of the three eth_hdr uses goes back to before the start\nof git history. But the one that syzbot exercises is introduced in\nthis commit. That commit is old enough (2008), that effectively all\nstable kernels should receive this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52843\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52843\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52843\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52843\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52843\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a720d0259ad3521ec6c9e4199f9f6fc75bac77a\",\n \"https://git.kernel.org/stable/c/352887b3edd007cf9b0abc30fe9d98622acd859b\",\n \"https://git.kernel.org/stable/c/3a2653828ffc6101aef80bf58d5b77484239f779\",\n \"https://git.kernel.org/stable/c/7b3ba18703a63f6fd487183b9262b08e5632da1b\",\n \"https://git.kernel.org/stable/c/900a4418e3f66a32db6baaf23f92b99c20ae6535\",\n \"https://git.kernel.org/stable/c/9a3f9054a5227d7567cba1fb821df48ccecad10c\",\n \"https://git.kernel.org/stable/c/cbdcdf42d15dac74c7287679fb2a9d955f8feb1f\",\n \"https://git.kernel.org/stable/c/f980e9a57dfb9530f1f4ee41a2420f2a256d7b29\",\n \"https://git.kernel.org/stable/c/ff5cb6a4f0c6d7fbdc84858323fb4b7af32cfd79\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nllc: verify mac len before reading mac header\\n\\nLLC reads the mac header with eth_hdr without verifying that the skb\\nhas an Ethernet header.\\n\\nSyzbot was able to enter llc_rcv on a tun device. Tun can insert\\npackets without mac len and with user configurable skb->protocol\\n(passing a tun_pi header when not configuring IFF_NO_PI).\\n\\n BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\\n BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\\n llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\\n llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\\n llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218\\n __netif_receive_skb_one_core net/core/dev.c:5523 [inline]\\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\\n netif_receive_skb_internal net/core/dev.c:5723 [inline]\\n netif_receive_skb+0x58/0x660 net/core/dev.c:5782\\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\\n tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002\\n\\nAdd a mac_len test before all three eth_hdr(skb) calls under net/llc.\\n\\nThere are further uses in include/net/llc_pdu.h. All these are\\nprotected by a test skb->protocol == ETH_P_802_2. Which does not\\nprotect against this tun scenario.\\n\\nBut the mac_len test added in this patch in llc_fixup_skb will\\nindirectly protect those too. That is called from llc_rcv before any\\nother LLC code.\\n\\nIt is tempting to just add a blanket mac_len check in llc_rcv, but\\nnot sure whether that could break valid LLC paths that do not assume\\nan Ethernet header. 802.2 LLC may be used on top of non-802.3\\nprotocols in principle. The below referenced commit shows that used\\nto, on top of Token Ring.\\n\\nAt least one of the three eth_hdr uses goes back to before the start\\nof git history. But the one that syzbot exercises is introduced in\\nthis commit. That commit is old enough (2008), that effectively all\\nstable kernels should receive this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52843\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52844", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52844" + }, + { + "url": "https://git.kernel.org/stable/c/3387490c89b10aeb4e71d78b65dbc9ba4b2385b9" + }, + { + "url": "https://git.kernel.org/stable/c/5c26aae3723965c291c65dd2ecad6a3240d422b0" + }, + { + "url": "https://git.kernel.org/stable/c/5cfcc8de7d733a1137b86954cc28ce99972311ad" + }, + { + "url": "https://git.kernel.org/stable/c/76a2c5df6ca8bd8ada45e953b8c72b746f42918d" + }, + { + "url": "https://git.kernel.org/stable/c/a51335704a3f90eaf23a6864faefca34b382490a" + }, + { + "url": "https://git.kernel.org/stable/c/d17269fb9161995303985ab2fe6f16cfb72152f9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52844 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52844", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: psi: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52844\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52844\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52844\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52844\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52844\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3387490c89b10aeb4e71d78b65dbc9ba4b2385b9\",\n \"https://git.kernel.org/stable/c/5c26aae3723965c291c65dd2ecad6a3240d422b0\",\n \"https://git.kernel.org/stable/c/5cfcc8de7d733a1137b86954cc28ce99972311ad\",\n \"https://git.kernel.org/stable/c/76a2c5df6ca8bd8ada45e953b8c72b746f42918d\",\n \"https://git.kernel.org/stable/c/a51335704a3f90eaf23a6864faefca34b382490a\",\n \"https://git.kernel.org/stable/c/d17269fb9161995303985ab2fe6f16cfb72152f9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: vidtv: psi: Add check for kstrdup\\n\\nAdd check for the return value of kstrdup() and return the error\\nif it fails in order to avoid NULL pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52844\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52845", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52845" + }, + { + "url": "https://git.kernel.org/stable/c/19b3f72a41a8751e26bffc093bb7e1cef29ad579" + }, + { + "url": "https://git.kernel.org/stable/c/2199260c42e6fbc5af8adae3bf78e623407c91b0" + }, + { + "url": "https://git.kernel.org/stable/c/2426425d686b43adbc4f2f4a367b494f06f159d6" + }, + { + "url": "https://git.kernel.org/stable/c/3907b89cd17fcc23e9a80789c36856f00ece0ba8" + }, + { + "url": "https://git.kernel.org/stable/c/4c731e98fe4d678e87ba3e4d45d3cf0a5a193dc4" + }, + { + "url": "https://git.kernel.org/stable/c/560992f41c0cea44b7603bc9e6c73bffbf6b5709" + }, + { + "url": "https://git.kernel.org/stable/c/6744008c354bca2e4686a5b6056ee6b535d9f67d" + }, + { + "url": "https://git.kernel.org/stable/c/abc1582119e8c4af14cedb0db6541fd603f45a04" + }, + { + "url": "https://git.kernel.org/stable/c/b33d130f07f1decd756b849ab03c23d11d4dd294" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52845 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52845", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Change nla_policy for bearer-related names to NLA_NUL_STRING\n\nsyzbot reported the following uninit-value access issue [1]:\n\n=====================================================\nBUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]\nBUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756\n strlen lib/string.c:418 [inline]\n strstr+0xb8/0x2f0 lib/string.c:756\n tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595\n genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]\n genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066\n netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\n netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n __alloc_skb+0x318/0x740 net/core/skbuff.c:650\n alloc_skb include/linux/skbuff.h:1286 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]\n netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTIPC bearer-related names including link names must be null-terminated\nstrings. If a link name which is not null-terminated is passed through\nnetlink, strstr() and similar functions can cause buffer overrun. This\ncauses the above issue.\n\nThis patch changes the nla_policy for bearer-related names from NLA_STRING\nto NLA_NUL_STRING. This resolves the issue by ensuring that only\nnull-terminated strings are accepted as bearer-related names.\n\nsyzbot reported similar uninit-value issue related to bearer names [2]. The\nroot cause of this issue is that a non-null-terminated bearer name was\npassed. This patch also resolved this issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52845\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52845\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52845\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52845\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52845\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19b3f72a41a8751e26bffc093bb7e1cef29ad579\",\n \"https://git.kernel.org/stable/c/2199260c42e6fbc5af8adae3bf78e623407c91b0\",\n \"https://git.kernel.org/stable/c/2426425d686b43adbc4f2f4a367b494f06f159d6\",\n \"https://git.kernel.org/stable/c/3907b89cd17fcc23e9a80789c36856f00ece0ba8\",\n \"https://git.kernel.org/stable/c/4c731e98fe4d678e87ba3e4d45d3cf0a5a193dc4\",\n \"https://git.kernel.org/stable/c/560992f41c0cea44b7603bc9e6c73bffbf6b5709\",\n \"https://git.kernel.org/stable/c/6744008c354bca2e4686a5b6056ee6b535d9f67d\",\n \"https://git.kernel.org/stable/c/abc1582119e8c4af14cedb0db6541fd603f45a04\",\n \"https://git.kernel.org/stable/c/b33d130f07f1decd756b849ab03c23d11d4dd294\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: Change nla_policy for bearer-related names to NLA_NUL_STRING\\n\\nsyzbot reported the following uninit-value access issue [1]:\\n\\n=====================================================\\nBUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]\\nBUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756\\n strlen lib/string.c:418 [inline]\\n strstr+0xb8/0x2f0 lib/string.c:756\\n tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595\\n genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]\\n genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]\\n genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066\\n netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545\\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075\\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\\n netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368\\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n sock_sendmsg net/socket.c:753 [inline]\\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\\n __sys_sendmsg net/socket.c:2624 [inline]\\n __do_sys_sendmsg net/socket.c:2633 [inline]\\n __se_sys_sendmsg net/socket.c:2631 [inline]\\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nUninit was created at:\\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\\n slab_alloc_node mm/slub.c:3478 [inline]\\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\\n __alloc_skb+0x318/0x740 net/core/skbuff.c:650\\n alloc_skb include/linux/skbuff.h:1286 [inline]\\n netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]\\n netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n sock_sendmsg net/socket.c:753 [inline]\\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\\n __sys_sendmsg net/socket.c:2624 [inline]\\n __do_sys_sendmsg net/socket.c:2633 [inline]\\n __se_sys_sendmsg net/socket.c:2631 [inline]\\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nTIPC bearer-related names including link names must be null-terminated\\nstrings. If a link name which is not null-terminated is passed through\\nnetlink, strstr() and similar functions can cause buffer overrun. This\\ncauses the above issue.\\n\\nThis patch changes the nla_policy for bearer-related names from NLA_STRING\\nto NLA_NUL_STRING. This resolves the issue by ensuring that only\\nnull-terminated strings are accepted as bearer-related names.\\n\\nsyzbot reported similar uninit-value issue related to bearer names [2]. The\\nroot cause of this issue is that a non-null-terminated bearer name was\\npassed. This patch also resolved this issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52845\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52846", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52846" + }, + { + "url": "https://git.kernel.org/stable/c/1787b9f0729d318d67cf7c5a95f0c3dba9a7cc18" + }, + { + "url": "https://git.kernel.org/stable/c/6086258bd5ea7b5c706ff62da42b8e271b2401db" + }, + { + "url": "https://git.kernel.org/stable/c/876f8ab52363f649bcc74072157dfd7adfbabc0d" + }, + { + "url": "https://git.kernel.org/stable/c/a1a485e45d24b1cd8fe834fd6f1b06e2903827da" + }, + { + "url": "https://git.kernel.org/stable/c/d103fb6726904e353b4773188ee3d3acb4078363" + }, + { + "url": "https://git.kernel.org/stable/c/ddf4e04e946aaa6c458b8b6829617cc44af2bffd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52846 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52846", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Prevent use after free in prp_create_tagged_frame()\n\nThe prp_fill_rct() function can fail. In that situation, it frees the\nskb and returns NULL. Meanwhile on the success path, it returns the\noriginal skb. So it's straight forward to fix bug by using the returned\nvalue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52846\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52846\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52846\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52846\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52846\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1787b9f0729d318d67cf7c5a95f0c3dba9a7cc18\",\n \"https://git.kernel.org/stable/c/6086258bd5ea7b5c706ff62da42b8e271b2401db\",\n \"https://git.kernel.org/stable/c/876f8ab52363f649bcc74072157dfd7adfbabc0d\",\n \"https://git.kernel.org/stable/c/a1a485e45d24b1cd8fe834fd6f1b06e2903827da\",\n \"https://git.kernel.org/stable/c/d103fb6726904e353b4773188ee3d3acb4078363\",\n \"https://git.kernel.org/stable/c/ddf4e04e946aaa6c458b8b6829617cc44af2bffd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhsr: Prevent use after free in prp_create_tagged_frame()\\n\\nThe prp_fill_rct() function can fail. In that situation, it frees the\\nskb and returns NULL. Meanwhile on the success path, it returns the\\noriginal skb. So it's straight forward to fix bug by using the returned\\nvalue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52846\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52847", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52847" + }, + { + "url": "https://git.kernel.org/stable/c/1871014d6ef4812ad11ef7d838d73ce09d632267" + }, + { + "url": "https://git.kernel.org/stable/c/20568d06f6069cb835e05eed432edf962645d226" + }, + { + "url": "https://git.kernel.org/stable/c/2f3d9198cdae1cb079ec8652f4defacd481eab2b" + }, + { + "url": "https://git.kernel.org/stable/c/51c94256a83fe4e17406c66ff3e1ad7d242d8574" + }, + { + "url": "https://git.kernel.org/stable/c/847599fffa528b2cdec4e21b6bf7586dad982132" + }, + { + "url": "https://git.kernel.org/stable/c/b35fdade92c5058a5e727e233fe263b828de2c9a" + }, + { + "url": "https://git.kernel.org/stable/c/bbc3b8dd2cb7817e703f112d988e4f4728f0f2a9" + }, + { + "url": "https://git.kernel.org/stable/c/bd5b50b329e850d467e7bcc07b2b6bde3752fbda" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52847 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52847", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: bttv: fix use after free error due to btv->timeout timer\n\nThere may be some a race condition between timer function\nbttv_irq_timeout and bttv_remove. The timer is setup in\nprobe and there is no timer_delete operation in remove\nfunction. When it hit kfree btv, the function might still be\ninvoked, which will cause use after free bug.\n\nThis bug is found by static analysis, it may be false positive.\n\nFix it by adding del_timer_sync invoking to the remove function.\n\ncpu0 cpu1\n bttv_probe\n ->timer_setup\n ->bttv_set_dma\n ->mod_timer;\nbttv_remove\n ->kfree(btv);\n ->bttv_irq_timeout\n ->USE btv", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52847\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52847\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52847\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52847\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52847\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1871014d6ef4812ad11ef7d838d73ce09d632267\",\n \"https://git.kernel.org/stable/c/20568d06f6069cb835e05eed432edf962645d226\",\n \"https://git.kernel.org/stable/c/2f3d9198cdae1cb079ec8652f4defacd481eab2b\",\n \"https://git.kernel.org/stable/c/51c94256a83fe4e17406c66ff3e1ad7d242d8574\",\n \"https://git.kernel.org/stable/c/847599fffa528b2cdec4e21b6bf7586dad982132\",\n \"https://git.kernel.org/stable/c/b35fdade92c5058a5e727e233fe263b828de2c9a\",\n \"https://git.kernel.org/stable/c/bbc3b8dd2cb7817e703f112d988e4f4728f0f2a9\",\n \"https://git.kernel.org/stable/c/bd5b50b329e850d467e7bcc07b2b6bde3752fbda\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: bttv: fix use after free error due to btv->timeout timer\\n\\nThere may be some a race condition between timer function\\nbttv_irq_timeout and bttv_remove. The timer is setup in\\nprobe and there is no timer_delete operation in remove\\nfunction. When it hit kfree btv, the function might still be\\ninvoked, which will cause use after free bug.\\n\\nThis bug is found by static analysis, it may be false positive.\\n\\nFix it by adding del_timer_sync invoking to the remove function.\\n\\ncpu0 cpu1\\n bttv_probe\\n ->timer_setup\\n ->bttv_set_dma\\n ->mod_timer;\\nbttv_remove\\n ->kfree(btv);\\n ->bttv_irq_timeout\\n ->USE btv\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52847\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52849", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52849" + }, + { + "url": "https://git.kernel.org/stable/c/0ca074f7d788627a4e0b047ca5fbdb5fc567220c" + }, + { + "url": "https://git.kernel.org/stable/c/20bd0198bebdd706bd4614b3933ef70d7c19618f" + }, + { + "url": "https://git.kernel.org/stable/c/7c7371b41a14e86f53e7dbe5baa7b1d3e0ab324b" + }, + { + "url": "https://git.kernel.org/stable/c/88d3917f82ed4215a2154432c26de1480a61b209" + }, + { + "url": "https://git.kernel.org/stable/c/cad22a757029c3a1985c221a2d4a6491ad4035ae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52849 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52849", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mem: Fix shutdown order\n\nIra reports that removing cxl_mock_mem causes a crash with the following\ntrace:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000044\n [..]\n RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core]\n [..]\n Call Trace:\n \n cxl_region_detach+0xe8/0x210 [cxl_core]\n cxl_decoder_kill_region+0x27/0x40 [cxl_core]\n cxld_unregister+0x29/0x40 [cxl_core]\n devres_release_all+0xb8/0x110\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1d2/0x210\n bus_remove_device+0xd7/0x150\n device_del+0x155/0x3e0\n device_unregister+0x13/0x60\n devm_release_action+0x4d/0x90\n ? __pfx_unregister_port+0x10/0x10 [cxl_core]\n delete_endpoint+0x121/0x130 [cxl_core]\n devres_release_all+0xb8/0x110\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1d2/0x210\n bus_remove_device+0xd7/0x150\n device_del+0x155/0x3e0\n ? lock_release+0x142/0x290\n cdev_device_del+0x15/0x50\n cxl_memdev_unregister+0x54/0x70 [cxl_core]\n\nThis crash is due to the clearing out the cxl_memdev's driver context\n(@cxlds) before the subsystem is done with it. This is ultimately due to\nthe region(s), that this memdev is a member, being torn down and expecting\nto be able to de-reference @cxlds, like here:\n\nstatic int cxl_region_decode_reset(struct cxl_region *cxlr, int count)\n...\n if (cxlds->rcd)\n goto endpoint_reset;\n...\n\nFix it by keeping the driver context valid until memdev-device\nunregistration, and subsequently the entire stack of related\ndependencies, unwinds.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52849\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52849\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52849\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52849\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52849\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ca074f7d788627a4e0b047ca5fbdb5fc567220c\",\n \"https://git.kernel.org/stable/c/20bd0198bebdd706bd4614b3933ef70d7c19618f\",\n \"https://git.kernel.org/stable/c/7c7371b41a14e86f53e7dbe5baa7b1d3e0ab324b\",\n \"https://git.kernel.org/stable/c/88d3917f82ed4215a2154432c26de1480a61b209\",\n \"https://git.kernel.org/stable/c/cad22a757029c3a1985c221a2d4a6491ad4035ae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncxl/mem: Fix shutdown order\\n\\nIra reports that removing cxl_mock_mem causes a crash with the following\\ntrace:\\n\\n BUG: kernel NULL pointer dereference, address: 0000000000000044\\n [..]\\n RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core]\\n [..]\\n Call Trace:\\n \\n cxl_region_detach+0xe8/0x210 [cxl_core]\\n cxl_decoder_kill_region+0x27/0x40 [cxl_core]\\n cxld_unregister+0x29/0x40 [cxl_core]\\n devres_release_all+0xb8/0x110\\n device_unbind_cleanup+0xe/0x70\\n device_release_driver_internal+0x1d2/0x210\\n bus_remove_device+0xd7/0x150\\n device_del+0x155/0x3e0\\n device_unregister+0x13/0x60\\n devm_release_action+0x4d/0x90\\n ? __pfx_unregister_port+0x10/0x10 [cxl_core]\\n delete_endpoint+0x121/0x130 [cxl_core]\\n devres_release_all+0xb8/0x110\\n device_unbind_cleanup+0xe/0x70\\n device_release_driver_internal+0x1d2/0x210\\n bus_remove_device+0xd7/0x150\\n device_del+0x155/0x3e0\\n ? lock_release+0x142/0x290\\n cdev_device_del+0x15/0x50\\n cxl_memdev_unregister+0x54/0x70 [cxl_core]\\n\\nThis crash is due to the clearing out the cxl_memdev's driver context\\n(@cxlds) before the subsystem is done with it. This is ultimately due to\\nthe region(s), that this memdev is a member, being torn down and expecting\\nto be able to de-reference @cxlds, like here:\\n\\nstatic int cxl_region_decode_reset(struct cxl_region *cxlr, int count)\\n...\\n if (cxlds->rcd)\\n goto endpoint_reset;\\n...\\n\\nFix it by keeping the driver context valid until memdev-device\\nunregistration, and subsequently the entire stack of related\\ndependencies, unwinds.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52849\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52852", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52852" + }, + { + "url": "https://git.kernel.org/stable/c/8c4504cc0c64862740a6acb301e0cfa59580dbc5" + }, + { + "url": "https://git.kernel.org/stable/c/932ddb5c29e884cc6fac20417ece72ba4a35c401" + }, + { + "url": "https://git.kernel.org/stable/c/9375ea7f269093d7c884857ae1f47633a91f429c" + }, + { + "url": "https://git.kernel.org/stable/c/9d065aa52b6ee1b06f9c4eca881c9b4425a12ba2" + }, + { + "url": "https://git.kernel.org/stable/c/b0327c84e91a0f4f0abced8cb83ec86a7083f086" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52852 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52852", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to avoid use-after-free on dic\n\nCall trace:\n __memcpy+0x128/0x250\n f2fs_read_multi_pages+0x940/0xf7c\n f2fs_mpage_readpages+0x5a8/0x624\n f2fs_readahead+0x5c/0x110\n page_cache_ra_unbounded+0x1b8/0x590\n do_sync_mmap_readahead+0x1dc/0x2e4\n filemap_fault+0x254/0xa8c\n f2fs_filemap_fault+0x2c/0x104\n __do_fault+0x7c/0x238\n do_handle_mm_fault+0x11bc/0x2d14\n do_mem_abort+0x3a8/0x1004\n el0_da+0x3c/0xa0\n el0t_64_sync_handler+0xc4/0xec\n el0t_64_sync+0x1b4/0x1b8\n\nIn f2fs_read_multi_pages(), once f2fs_decompress_cluster() was called if\nwe hit cached page in compress_inode's cache, dic may be released, it needs\nbreak the loop rather than continuing it, in order to avoid accessing\ninvalid dic pointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52852\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52852\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52852\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52852\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52852\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8c4504cc0c64862740a6acb301e0cfa59580dbc5\",\n \"https://git.kernel.org/stable/c/932ddb5c29e884cc6fac20417ece72ba4a35c401\",\n \"https://git.kernel.org/stable/c/9375ea7f269093d7c884857ae1f47633a91f429c\",\n \"https://git.kernel.org/stable/c/9d065aa52b6ee1b06f9c4eca881c9b4425a12ba2\",\n \"https://git.kernel.org/stable/c/b0327c84e91a0f4f0abced8cb83ec86a7083f086\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: compress: fix to avoid use-after-free on dic\\n\\nCall trace:\\n __memcpy+0x128/0x250\\n f2fs_read_multi_pages+0x940/0xf7c\\n f2fs_mpage_readpages+0x5a8/0x624\\n f2fs_readahead+0x5c/0x110\\n page_cache_ra_unbounded+0x1b8/0x590\\n do_sync_mmap_readahead+0x1dc/0x2e4\\n filemap_fault+0x254/0xa8c\\n f2fs_filemap_fault+0x2c/0x104\\n __do_fault+0x7c/0x238\\n do_handle_mm_fault+0x11bc/0x2d14\\n do_mem_abort+0x3a8/0x1004\\n el0_da+0x3c/0xa0\\n el0t_64_sync_handler+0xc4/0xec\\n el0t_64_sync+0x1b4/0x1b8\\n\\nIn f2fs_read_multi_pages(), once f2fs_decompress_cluster() was called if\\nwe hit cached page in compress_inode's cache, dic may be released, it needs\\nbreak the loop rather than continuing it, in order to avoid accessing\\ninvalid dic pointer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52852\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52853", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52853" + }, + { + "url": "https://git.kernel.org/stable/c/012d0c66f9392a99232ac28217229f32dd3a70cf" + }, + { + "url": "https://git.kernel.org/stable/c/3d959406c8fff2334d83d0c352d54fd6f5b2e7cd" + }, + { + "url": "https://git.kernel.org/stable/c/727203e6e7e7020e1246fc1628cbdb8d90177819" + }, + { + "url": "https://git.kernel.org/stable/c/bafb12b629b7c3ad59812dd1ac1b0618062e0e38" + }, + { + "url": "https://git.kernel.org/stable/c/df0daac2709473531d6a3472997cc65301ac06d6" + }, + { + "url": "https://git.kernel.org/stable/c/e3c2d2d144c082dd71596953193adf9891491f42" + }, + { + "url": "https://git.kernel.org/stable/c/eb1121fac7986b30915ba20c5a04cc01fdcf160c" + }, + { + "url": "https://git.kernel.org/stable/c/fb5718bc67337dde1528661f419ffcf275757592" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52853 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52853", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhid: cp2112: Fix duplicate workqueue initialization\n\nPreviously the cp2112 driver called INIT_DELAYED_WORK within\ncp2112_gpio_irq_startup, resulting in duplicate initilizations of the\nworkqueue on subsequent IRQ startups following an initial request. This\nresulted in a warning in set_work_data in workqueue.c, as well as a rare\nNULL dereference within process_one_work in workqueue.c.\n\nInitialize the workqueue within _probe instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52853\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52853\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52853\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52853\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52853\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/012d0c66f9392a99232ac28217229f32dd3a70cf\",\n \"https://git.kernel.org/stable/c/3d959406c8fff2334d83d0c352d54fd6f5b2e7cd\",\n \"https://git.kernel.org/stable/c/727203e6e7e7020e1246fc1628cbdb8d90177819\",\n \"https://git.kernel.org/stable/c/bafb12b629b7c3ad59812dd1ac1b0618062e0e38\",\n \"https://git.kernel.org/stable/c/df0daac2709473531d6a3472997cc65301ac06d6\",\n \"https://git.kernel.org/stable/c/e3c2d2d144c082dd71596953193adf9891491f42\",\n \"https://git.kernel.org/stable/c/eb1121fac7986b30915ba20c5a04cc01fdcf160c\",\n \"https://git.kernel.org/stable/c/fb5718bc67337dde1528661f419ffcf275757592\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhid: cp2112: Fix duplicate workqueue initialization\\n\\nPreviously the cp2112 driver called INIT_DELAYED_WORK within\\ncp2112_gpio_irq_startup, resulting in duplicate initilizations of the\\nworkqueue on subsequent IRQ startups following an initial request. This\\nresulted in a warning in set_work_data in workqueue.c, as well as a rare\\nNULL dereference within process_one_work in workqueue.c.\\n\\nInitialize the workqueue within _probe instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52853\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52854", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52854" + }, + { + "url": "https://git.kernel.org/stable/c/0dd34a7ad395dbcf6ae60e48e9786050e25b9bc5" + }, + { + "url": "https://git.kernel.org/stable/c/1734a79e951914f1db2c65e635012a35db1c674b" + }, + { + "url": "https://git.kernel.org/stable/c/1e901bcb8af19416b65f5063a4af7996e5a51d7f" + }, + { + "url": "https://git.kernel.org/stable/c/41aad9d6953984d134fc50f631f24ef476875d4d" + }, + { + "url": "https://git.kernel.org/stable/c/7ddc21e317b360c3444de3023bcc83b85fabae2f" + }, + { + "url": "https://git.kernel.org/stable/c/c7c26d0ef5d20f00dbb2ae3befcabbe0efa77275" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52854 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52854", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix refcnt handling in padata_free_shell()\n\nIn a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead\nto system UAF (Use-After-Free) issues. Due to the lengthy analysis of\nthe pcrypt_aead01 function call, I'll describe the problem scenario\nusing a simplified model:\n\nSuppose there's a user of padata named `user_function` that adheres to\nthe padata requirement of calling `padata_free_shell` after `serial()`\nhas been invoked, as demonstrated in the following code:\n\n```c\nstruct request {\n struct padata_priv padata;\n struct completion *done;\n};\n\nvoid parallel(struct padata_priv *padata) {\n do_something();\n}\n\nvoid serial(struct padata_priv *padata) {\n struct request *request = container_of(padata,\n \t\t\t\tstruct request,\n\t\t\t\tpadata);\n complete(request->done);\n}\n\nvoid user_function() {\n DECLARE_COMPLETION(done)\n padata->parallel = parallel;\n padata->serial = serial;\n padata_do_parallel();\n wait_for_completion(&done);\n padata_free_shell();\n}\n```\n\nIn the corresponding padata.c file, there's the following code:\n\n```c\nstatic void padata_serial_worker(struct work_struct *serial_work) {\n ...\n cnt = 0;\n\n while (!list_empty(&local_list)) {\n ...\n padata->serial(padata);\n cnt++;\n }\n\n local_bh_enable();\n\n if (refcount_sub_and_test(cnt, &pd->refcnt))\n padata_free_pd(pd);\n}\n```\n\nBecause of the high system load and the accumulation of unexecuted\nsoftirq at this moment, `local_bh_enable()` in padata takes longer\nto execute than usual. Subsequently, when accessing `pd->refcnt`,\n`pd` has already been released by `padata_free_shell()`, resulting\nin a UAF issue with `pd->refcnt`.\n\nThe fix is straightforward: add `refcount_dec_and_test` before calling\n`padata_free_pd` in `padata_free_shell`.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52854\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52854\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52854\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52854\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52854\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0dd34a7ad395dbcf6ae60e48e9786050e25b9bc5\",\n \"https://git.kernel.org/stable/c/1734a79e951914f1db2c65e635012a35db1c674b\",\n \"https://git.kernel.org/stable/c/1e901bcb8af19416b65f5063a4af7996e5a51d7f\",\n \"https://git.kernel.org/stable/c/41aad9d6953984d134fc50f631f24ef476875d4d\",\n \"https://git.kernel.org/stable/c/7ddc21e317b360c3444de3023bcc83b85fabae2f\",\n \"https://git.kernel.org/stable/c/c7c26d0ef5d20f00dbb2ae3befcabbe0efa77275\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npadata: Fix refcnt handling in padata_free_shell()\\n\\nIn a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead\\nto system UAF (Use-After-Free) issues. Due to the lengthy analysis of\\nthe pcrypt_aead01 function call, I'll describe the problem scenario\\nusing a simplified model:\\n\\nSuppose there's a user of padata named `user_function` that adheres to\\nthe padata requirement of calling `padata_free_shell` after `serial()`\\nhas been invoked, as demonstrated in the following code:\\n\\n```c\\nstruct request {\\n struct padata_priv padata;\\n struct completion *done;\\n};\\n\\nvoid parallel(struct padata_priv *padata) {\\n do_something();\\n}\\n\\nvoid serial(struct padata_priv *padata) {\\n struct request *request = container_of(padata,\\n \\t\\t\\t\\tstruct request,\\n\\t\\t\\t\\tpadata);\\n complete(request->done);\\n}\\n\\nvoid user_function() {\\n DECLARE_COMPLETION(done)\\n padata->parallel = parallel;\\n padata->serial = serial;\\n padata_do_parallel();\\n wait_for_completion(&done);\\n padata_free_shell();\\n}\\n```\\n\\nIn the corresponding padata.c file, there's the following code:\\n\\n```c\\nstatic void padata_serial_worker(struct work_struct *serial_work) {\\n ...\\n cnt = 0;\\n\\n while (!list_empty(&local_list)) {\\n ...\\n padata->serial(padata);\\n cnt++;\\n }\\n\\n local_bh_enable();\\n\\n if (refcount_sub_and_test(cnt, &pd->refcnt))\\n padata_free_pd(pd);\\n}\\n```\\n\\nBecause of the high system load and the accumulation of unexecuted\\nsoftirq at this moment, `local_bh_enable()` in padata takes longer\\nto execute than usual. Subsequently, when accessing `pd->refcnt`,\\n`pd` has already been released by `padata_free_shell()`, resulting\\nin a UAF issue with `pd->refcnt`.\\n\\nThe fix is straightforward: add `refcount_dec_and_test` before calling\\n`padata_free_pd` in `padata_free_shell`.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52854\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52855", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52855" + }, + { + "url": "https://git.kernel.org/stable/c/14c9ec34e8118fbffd7f5431814d767726323e72" + }, + { + "url": "https://git.kernel.org/stable/c/3e851a77a13ce944d703721793f49ee82622986d" + }, + { + "url": "https://git.kernel.org/stable/c/64c47749fc7507ed732e155c958253968c1d275e" + }, + { + "url": "https://git.kernel.org/stable/c/6b21a22728852d020a6658d39cd7bb7e14b07790" + }, + { + "url": "https://git.kernel.org/stable/c/a7bee9598afb38004841a41dd8fe68c1faff4e90" + }, + { + "url": "https://git.kernel.org/stable/c/bdb3dd4096302d6b87441fdc528439f171b04be6" + }, + { + "url": "https://git.kernel.org/stable/c/ef307bc6ef04e8c1ea843231db58e3afaafa9fa6" + }, + { + "url": "https://git.kernel.org/stable/c/fcaafb574fc88a52dce817f039f7ff2f9da38001" + }, + { + "url": "https://git.kernel.org/stable/c/fed492aa6493a91a77ebd51da6fb939c98d94a0d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52855 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52855", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: fix possible NULL pointer dereference caused by driver concurrency\n\nIn _dwc2_hcd_urb_enqueue(), \"urb->hcpriv = NULL\" is executed without\nholding the lock \"hsotg->lock\". In _dwc2_hcd_urb_dequeue():\n\n spin_lock_irqsave(&hsotg->lock, flags);\n ...\n\tif (!urb->hcpriv) {\n\t\tdev_dbg(hsotg->dev, \"## urb->hcpriv is NULL ##\\n\");\n\t\tgoto out;\n\t}\n rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv\n ...\nout:\n spin_unlock_irqrestore(&hsotg->lock, flags);\n\nWhen _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are\nconcurrently executed, the NULL check of \"urb->hcpriv\" can be executed\nbefore \"urb->hcpriv = NULL\". After urb->hcpriv is NULL, it can be used\nin the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL\npointer dereference.\n\nThis possible bug is found by an experimental static analysis tool\ndeveloped by myself. This tool analyzes the locking APIs to extract\nfunction pairs that can be concurrently executed, and then analyzes the\ninstructions in the paired functions to identify possible concurrency\nbugs including data races and atomicity violations. The above possible\nbug is reported, when my tool analyzes the source code of Linux 6.5.\n\nTo fix this possible bug, \"urb->hcpriv = NULL\" should be executed with\nholding the lock \"hsotg->lock\". After using this patch, my tool never\nreports the possible bug, with the kernelconfiguration allyesconfig for\nx86_64. Because I have no associated hardware, I cannot test the patch\nin runtime testing, and just verify it according to the code logic.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52855\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52855\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52855\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52855\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52855\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14c9ec34e8118fbffd7f5431814d767726323e72\",\n \"https://git.kernel.org/stable/c/3e851a77a13ce944d703721793f49ee82622986d\",\n \"https://git.kernel.org/stable/c/64c47749fc7507ed732e155c958253968c1d275e\",\n \"https://git.kernel.org/stable/c/6b21a22728852d020a6658d39cd7bb7e14b07790\",\n \"https://git.kernel.org/stable/c/a7bee9598afb38004841a41dd8fe68c1faff4e90\",\n \"https://git.kernel.org/stable/c/bdb3dd4096302d6b87441fdc528439f171b04be6\",\n \"https://git.kernel.org/stable/c/ef307bc6ef04e8c1ea843231db58e3afaafa9fa6\",\n \"https://git.kernel.org/stable/c/fcaafb574fc88a52dce817f039f7ff2f9da38001\",\n \"https://git.kernel.org/stable/c/fed492aa6493a91a77ebd51da6fb939c98d94a0d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: dwc2: fix possible NULL pointer dereference caused by driver concurrency\\n\\nIn _dwc2_hcd_urb_enqueue(), \\\"urb->hcpriv = NULL\\\" is executed without\\nholding the lock \\\"hsotg->lock\\\". In _dwc2_hcd_urb_dequeue():\\n\\n spin_lock_irqsave(&hsotg->lock, flags);\\n ...\\n\\tif (!urb->hcpriv) {\\n\\t\\tdev_dbg(hsotg->dev, \\\"## urb->hcpriv is NULL ##\\\\n\\\");\\n\\t\\tgoto out;\\n\\t}\\n rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv\\n ...\\nout:\\n spin_unlock_irqrestore(&hsotg->lock, flags);\\n\\nWhen _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are\\nconcurrently executed, the NULL check of \\\"urb->hcpriv\\\" can be executed\\nbefore \\\"urb->hcpriv = NULL\\\". After urb->hcpriv is NULL, it can be used\\nin the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL\\npointer dereference.\\n\\nThis possible bug is found by an experimental static analysis tool\\ndeveloped by myself. This tool analyzes the locking APIs to extract\\nfunction pairs that can be concurrently executed, and then analyzes the\\ninstructions in the paired functions to identify possible concurrency\\nbugs including data races and atomicity violations. The above possible\\nbug is reported, when my tool analyzes the source code of Linux 6.5.\\n\\nTo fix this possible bug, \\\"urb->hcpriv = NULL\\\" should be executed with\\nholding the lock \\\"hsotg->lock\\\". After using this patch, my tool never\\nreports the possible bug, with the kernelconfiguration allyesconfig for\\nx86_64. Because I have no associated hardware, I cannot test the patch\\nin runtime testing, and just verify it according to the code logic.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52855\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52856", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52856" + }, + { + "url": "https://git.kernel.org/stable/c/42071feab712ba2a139b8928f7e0f8d3a6fc719e" + }, + { + "url": "https://git.kernel.org/stable/c/44283993144a03af9df31934d6c32bbd42d1a347" + }, + { + "url": "https://git.kernel.org/stable/c/7bf0cb8f40280a85034990dfe42be8ca8f80f37a" + }, + { + "url": "https://git.kernel.org/stable/c/b65e3249f3ca96e3c736af889461d80d675feab6" + }, + { + "url": "https://git.kernel.org/stable/c/fcd9895e365474709844eeb31cfe53d912c3596e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52856 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52856", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: lt8912b: Fix crash on bridge detach\n\nThe lt8912b driver, in its bridge detach function, calls\ndrm_connector_unregister() and drm_connector_cleanup().\n\ndrm_connector_unregister() should be called only for connectors\nexplicitly registered with drm_connector_register(), which is not the\ncase in lt8912b.\n\nThe driver's drm_connector_funcs.destroy hook is set to\ndrm_connector_cleanup().\n\nThus the driver should not call either drm_connector_unregister() nor\ndrm_connector_cleanup() in its lt8912_bridge_detach(), as they cause a\ncrash on bridge detach:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\nMem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000\n[0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\nModules linked in: tidss(-) display_connector lontium_lt8912b tc358768 panel_lvds panel_simple drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks\nCPU: 3 PID: 462 Comm: rmmod Tainted: G W 6.5.0-rc2+ #2\nHardware name: Toradex Verdin AM62 on Verdin Development Board (DT)\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : drm_connector_cleanup+0x78/0x2d4 [drm]\nlr : lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\nsp : ffff800082ed3a90\nx29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000\nx26: 0000000000000000 x25: dead000000000122 x24: dead000000000122\nx23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000\nx20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8\nx17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038\nx14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e\nx11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48\nx8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n drm_connector_cleanup+0x78/0x2d4 [drm]\n lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\n drm_bridge_detach+0x44/0x84 [drm]\n drm_encoder_cleanup+0x40/0xb8 [drm]\n drmm_encoder_alloc_release+0x1c/0x30 [drm]\n drm_managed_release+0xac/0x148 [drm]\n drm_dev_put.part.0+0x88/0xb8 [drm]\n devm_drm_dev_init_release+0x14/0x24 [drm]\n devm_action_release+0x14/0x20\n release_nodes+0x5c/0x90\n devres_release_all+0x8c/0xe0\n device_unbind_cleanup+0x18/0x68\n device_release_driver_internal+0x208/0x23c\n driver_detach+0x4c/0x94\n bus_remove_driver+0x70/0xf4\n driver_unregister+0x30/0x60\n platform_driver_unregister+0x14/0x20\n tidss_platform_driver_exit+0x18/0xb2c [tidss]\n __arm64_sys_delete_module+0x1a0/0x2b4\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0x60/0x10c\n do_el0_svc_compat+0x1c/0x40\n el0_svc_compat+0x40/0xac\n el0t_32_sync_handler+0xb0/0x138\n el0t_32_sync+0x194/0x198\nCode: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52856\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52856\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52856\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52856\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52856\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/42071feab712ba2a139b8928f7e0f8d3a6fc719e\",\n \"https://git.kernel.org/stable/c/44283993144a03af9df31934d6c32bbd42d1a347\",\n \"https://git.kernel.org/stable/c/7bf0cb8f40280a85034990dfe42be8ca8f80f37a\",\n \"https://git.kernel.org/stable/c/b65e3249f3ca96e3c736af889461d80d675feab6\",\n \"https://git.kernel.org/stable/c/fcd9895e365474709844eeb31cfe53d912c3596e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/bridge: lt8912b: Fix crash on bridge detach\\n\\nThe lt8912b driver, in its bridge detach function, calls\\ndrm_connector_unregister() and drm_connector_cleanup().\\n\\ndrm_connector_unregister() should be called only for connectors\\nexplicitly registered with drm_connector_register(), which is not the\\ncase in lt8912b.\\n\\nThe driver's drm_connector_funcs.destroy hook is set to\\ndrm_connector_cleanup().\\n\\nThus the driver should not call either drm_connector_unregister() nor\\ndrm_connector_cleanup() in its lt8912_bridge_detach(), as they cause a\\ncrash on bridge detach:\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\\nMem abort info:\\n ESR = 0x0000000096000006\\n EC = 0x25: DABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x06: level 2 translation fault\\nData abort info:\\n ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\nuser pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000\\n[0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000\\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\\nModules linked in: tidss(-) display_connector lontium_lt8912b tc358768 panel_lvds panel_simple drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks\\nCPU: 3 PID: 462 Comm: rmmod Tainted: G W 6.5.0-rc2+ #2\\nHardware name: Toradex Verdin AM62 on Verdin Development Board (DT)\\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : drm_connector_cleanup+0x78/0x2d4 [drm]\\nlr : lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\\nsp : ffff800082ed3a90\\nx29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000\\nx26: 0000000000000000 x25: dead000000000122 x24: dead000000000122\\nx23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000\\nx20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8\\nx17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038\\nx14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e\\nx11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48\\nx8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0\\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008\\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\\nCall trace:\\n drm_connector_cleanup+0x78/0x2d4 [drm]\\n lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\\n drm_bridge_detach+0x44/0x84 [drm]\\n drm_encoder_cleanup+0x40/0xb8 [drm]\\n drmm_encoder_alloc_release+0x1c/0x30 [drm]\\n drm_managed_release+0xac/0x148 [drm]\\n drm_dev_put.part.0+0x88/0xb8 [drm]\\n devm_drm_dev_init_release+0x14/0x24 [drm]\\n devm_action_release+0x14/0x20\\n release_nodes+0x5c/0x90\\n devres_release_all+0x8c/0xe0\\n device_unbind_cleanup+0x18/0x68\\n device_release_driver_internal+0x208/0x23c\\n driver_detach+0x4c/0x94\\n bus_remove_driver+0x70/0xf4\\n driver_unregister+0x30/0x60\\n platform_driver_unregister+0x14/0x20\\n tidss_platform_driver_exit+0x18/0xb2c [tidss]\\n __arm64_sys_delete_module+0x1a0/0x2b4\\n invoke_syscall+0x48/0x110\\n el0_svc_common.constprop.0+0x60/0x10c\\n do_el0_svc_compat+0x1c/0x40\\n el0_svc_compat+0x40/0xac\\n el0t_32_sync_handler+0xb0/0x138\\n el0t_32_sync+0x194/0x198\\nCode: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52856\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52857", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52857" + }, + { + "url": "https://git.kernel.org/stable/c/0d8a1df39d3fc34560e2cc663b5c340d06a25396" + }, + { + "url": "https://git.kernel.org/stable/c/96312a251d4dcee5d36e32edba3002bfde0ddd9c" + }, + { + "url": "https://git.kernel.org/stable/c/b0b0d811eac6b4c52cb9ad632fa6384cf48869e7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52857 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52857", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix coverity issue with unintentional integer overflow\n\n1. Instead of multiplying 2 variable of different types. Change to\nassign a value of one variable and then multiply the other variable.\n\n2. Add a int variable for multiplier calculation instead of calculating\ndifferent types multiplier with dma_addr_t variable directly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52857\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52857\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52857\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52857\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52857\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d8a1df39d3fc34560e2cc663b5c340d06a25396\",\n \"https://git.kernel.org/stable/c/96312a251d4dcee5d36e32edba3002bfde0ddd9c\",\n \"https://git.kernel.org/stable/c/b0b0d811eac6b4c52cb9ad632fa6384cf48869e7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/mediatek: Fix coverity issue with unintentional integer overflow\\n\\n1. Instead of multiplying 2 variable of different types. Change to\\nassign a value of one variable and then multiply the other variable.\\n\\n2. Add a int variable for multiplier calculation instead of calculating\\ndifferent types multiplier with dma_addr_t variable directly.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52857\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52858", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52858" + }, + { + "url": "https://git.kernel.org/stable/c/1d89430fc3158f872d492f1b88d07262f48290c0" + }, + { + "url": "https://git.kernel.org/stable/c/2befa515c1bb6cdd33c262b909d93d1973a219aa" + }, + { + "url": "https://git.kernel.org/stable/c/4f861b63945e076f9f003a5fad958174096df1ee" + }, + { + "url": "https://git.kernel.org/stable/c/5fbea47eebff5daeca7d918c99289bcd3ae4dc8d" + }, + { + "url": "https://git.kernel.org/stable/c/a836efc21ef04608333d6d05753e558ebd1f85d0" + }, + { + "url": "https://git.kernel.org/stable/c/e8ae4b49dd9cfde69d8de8c0c0cd7cf1b004482e" + }, + { + "url": "https://git.kernel.org/stable/c/e964d21dc034b650d719c4ea39564bec72b42f94" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52858 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52858", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52858\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52858\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52858\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52858\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52858\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d89430fc3158f872d492f1b88d07262f48290c0\",\n \"https://git.kernel.org/stable/c/2befa515c1bb6cdd33c262b909d93d1973a219aa\",\n \"https://git.kernel.org/stable/c/4f861b63945e076f9f003a5fad958174096df1ee\",\n \"https://git.kernel.org/stable/c/5fbea47eebff5daeca7d918c99289bcd3ae4dc8d\",\n \"https://git.kernel.org/stable/c/a836efc21ef04608333d6d05753e558ebd1f85d0\",\n \"https://git.kernel.org/stable/c/e8ae4b49dd9cfde69d8de8c0c0cd7cf1b004482e\",\n \"https://git.kernel.org/stable/c/e964d21dc034b650d719c4ea39564bec72b42f94\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52858\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52859", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52859" + }, + { + "url": "https://git.kernel.org/stable/c/0e1e88bba286621b886218363de07b319d6208b2" + }, + { + "url": "https://git.kernel.org/stable/c/3405f364f82d4f5407a8b4c519dc15d24b847fda" + }, + { + "url": "https://git.kernel.org/stable/c/75bab28ffd05ec8879c197890b1bd1dfec8d3f63" + }, + { + "url": "https://git.kernel.org/stable/c/b660420f449d094b1fabfa504889810b3a63cdd5" + }, + { + "url": "https://git.kernel.org/stable/c/b805cafc604bfdb671fae7347a57f51154afa735" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52859 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52859", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: hisi: Fix use-after-free when register pmu fails\n\nWhen we fail to register the uncore pmu, the pmu context may not been\nallocated. The error handing will call cpuhp_state_remove_instance()\nto call uncore pmu offline callback, which migrate the pmu context.\nSince that's liable to lead to some kind of use-after-free.\n\nUse cpuhp_state_remove_instance_nocalls() instead of\ncpuhp_state_remove_instance() so that the notifiers don't execute after\nthe PMU device has been failed to register.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52859\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52859\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52859\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52859\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52859\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e1e88bba286621b886218363de07b319d6208b2\",\n \"https://git.kernel.org/stable/c/3405f364f82d4f5407a8b4c519dc15d24b847fda\",\n \"https://git.kernel.org/stable/c/75bab28ffd05ec8879c197890b1bd1dfec8d3f63\",\n \"https://git.kernel.org/stable/c/b660420f449d094b1fabfa504889810b3a63cdd5\",\n \"https://git.kernel.org/stable/c/b805cafc604bfdb671fae7347a57f51154afa735\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf: hisi: Fix use-after-free when register pmu fails\\n\\nWhen we fail to register the uncore pmu, the pmu context may not been\\nallocated. The error handing will call cpuhp_state_remove_instance()\\nto call uncore pmu offline callback, which migrate the pmu context.\\nSince that's liable to lead to some kind of use-after-free.\\n\\nUse cpuhp_state_remove_instance_nocalls() instead of\\ncpuhp_state_remove_instance() so that the notifiers don't execute after\\nthe PMU device has been failed to register.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52859\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52863", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52863" + }, + { + "url": "https://git.kernel.org/stable/c/2a5b3370a1d9750eca325292e291c8c7cb8cf2e0" + }, + { + "url": "https://git.kernel.org/stable/c/33de53a2706066d526173dc743faf43d92c62105" + }, + { + "url": "https://git.kernel.org/stable/c/7d870088db4863c514a7f8751cd593751983029a" + }, + { + "url": "https://git.kernel.org/stable/c/b3e7eb23a6e97642ff3190431c06475d9ca1e062" + }, + { + "url": "https://git.kernel.org/stable/c/c49f14cc1bb12c625a1c572e8a95b6adefd4d8eb" + }, + { + "url": "https://git.kernel.org/stable/c/f62b8969847850ba7596cb145cc47c65ea57dae0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52863 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52863", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (axi-fan-control) Fix possible NULL pointer dereference\n\naxi_fan_control_irq_handler(), dependent on the private\naxi_fan_control_data structure, might be called before the hwmon\ndevice is registered. That will cause an \"Unable to handle kernel\nNULL pointer dereference\" error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52863\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52863\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52863\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52863\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52863\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a5b3370a1d9750eca325292e291c8c7cb8cf2e0\",\n \"https://git.kernel.org/stable/c/33de53a2706066d526173dc743faf43d92c62105\",\n \"https://git.kernel.org/stable/c/7d870088db4863c514a7f8751cd593751983029a\",\n \"https://git.kernel.org/stable/c/b3e7eb23a6e97642ff3190431c06475d9ca1e062\",\n \"https://git.kernel.org/stable/c/c49f14cc1bb12c625a1c572e8a95b6adefd4d8eb\",\n \"https://git.kernel.org/stable/c/f62b8969847850ba7596cb145cc47c65ea57dae0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhwmon: (axi-fan-control) Fix possible NULL pointer dereference\\n\\naxi_fan_control_irq_handler(), dependent on the private\\naxi_fan_control_data structure, might be called before the hwmon\\ndevice is registered. That will cause an \\\"Unable to handle kernel\\nNULL pointer dereference\\\" error.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52863\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52864", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52864" + }, + { + "url": "https://git.kernel.org/stable/c/36d85fa7ae0d6be651c1a745191fa7ef055db43e" + }, + { + "url": "https://git.kernel.org/stable/c/44a96796d25809502c75771d40ee693c2e44724e" + }, + { + "url": "https://git.kernel.org/stable/c/9fb0eed09e1470cd4021ff52b2b9dfcbcee4c203" + }, + { + "url": "https://git.kernel.org/stable/c/cf098e937dd125c0317a0d6f261ac2a950a233d6" + }, + { + "url": "https://git.kernel.org/stable/c/d426a2955e45a95b2282764105fcfb110a540453" + }, + { + "url": "https://git.kernel.org/stable/c/e0bf076b734a2fab92d8fddc2b8b03462eee7097" + }, + { + "url": "https://git.kernel.org/stable/c/eba9ac7abab91c8f6d351460239108bef5e7a0b6" + }, + { + "url": "https://git.kernel.org/stable/c/fb7b06b59c6887659c6ed0ecd3110835eecbb6a3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52864 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52864", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: wmi: Fix opening of char device\n\nSince commit fa1f68db6ca7 (\"drivers: misc: pass miscdevice pointer via\nfile private data\"), the miscdevice stores a pointer to itself inside\nfilp->private_data, which means that private_data will not be NULL when\nwmi_char_open() is called. This might cause memory corruption should\nwmi_char_open() be unable to find its driver, something which can\nhappen when the associated WMI device is deleted in wmi_free_devices().\n\nFix the problem by using the miscdevice pointer to retrieve the WMI\ndevice data associated with a char device using container_of(). This\nalso avoids wmi_char_open() picking a wrong WMI device bound to a\ndriver with the same name as the original driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52864\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52864\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52864\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52864\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52864\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36d85fa7ae0d6be651c1a745191fa7ef055db43e\",\n \"https://git.kernel.org/stable/c/44a96796d25809502c75771d40ee693c2e44724e\",\n \"https://git.kernel.org/stable/c/9fb0eed09e1470cd4021ff52b2b9dfcbcee4c203\",\n \"https://git.kernel.org/stable/c/cf098e937dd125c0317a0d6f261ac2a950a233d6\",\n \"https://git.kernel.org/stable/c/d426a2955e45a95b2282764105fcfb110a540453\",\n \"https://git.kernel.org/stable/c/e0bf076b734a2fab92d8fddc2b8b03462eee7097\",\n \"https://git.kernel.org/stable/c/eba9ac7abab91c8f6d351460239108bef5e7a0b6\",\n \"https://git.kernel.org/stable/c/fb7b06b59c6887659c6ed0ecd3110835eecbb6a3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nplatform/x86: wmi: Fix opening of char device\\n\\nSince commit fa1f68db6ca7 (\\\"drivers: misc: pass miscdevice pointer via\\nfile private data\\\"), the miscdevice stores a pointer to itself inside\\nfilp->private_data, which means that private_data will not be NULL when\\nwmi_char_open() is called. This might cause memory corruption should\\nwmi_char_open() be unable to find its driver, something which can\\nhappen when the associated WMI device is deleted in wmi_free_devices().\\n\\nFix the problem by using the miscdevice pointer to retrieve the WMI\\ndevice data associated with a char device using container_of(). This\\nalso avoids wmi_char_open() picking a wrong WMI device bound to a\\ndriver with the same name as the original driver.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52864\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52865", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52865" + }, + { + "url": "https://git.kernel.org/stable/c/122ac6496e4975ddd7ec1edba4f6fc1e15e39478" + }, + { + "url": "https://git.kernel.org/stable/c/2705c5b97f504e831ae1935c05f0e44f80dfa6b3" + }, + { + "url": "https://git.kernel.org/stable/c/357df1c2f6ace96defd557fad709ed1f9f70e16c" + }, + { + "url": "https://git.kernel.org/stable/c/3aefc6fcfbada57fac27f470602d5565e5b76cb4" + }, + { + "url": "https://git.kernel.org/stable/c/4c79cbfb8e9e2311be77182893fda5ea4068c836" + }, + { + "url": "https://git.kernel.org/stable/c/606f6366a35a3329545e38129804d65ef26ed7d2" + }, + { + "url": "https://git.kernel.org/stable/c/81b16286110728674dcf81137be0687c5055e7bf" + }, + { + "url": "https://git.kernel.org/stable/c/be3f12f16038a558f08fa93cc32fa715746a5235" + }, + { + "url": "https://git.kernel.org/stable/c/c26feedbc561f2a3cee1a4f717e61bdbdfb4fa92" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52865 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52865", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52865\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52865\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52865\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52865\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52865\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/122ac6496e4975ddd7ec1edba4f6fc1e15e39478\",\n \"https://git.kernel.org/stable/c/2705c5b97f504e831ae1935c05f0e44f80dfa6b3\",\n \"https://git.kernel.org/stable/c/357df1c2f6ace96defd557fad709ed1f9f70e16c\",\n \"https://git.kernel.org/stable/c/3aefc6fcfbada57fac27f470602d5565e5b76cb4\",\n \"https://git.kernel.org/stable/c/4c79cbfb8e9e2311be77182893fda5ea4068c836\",\n \"https://git.kernel.org/stable/c/606f6366a35a3329545e38129804d65ef26ed7d2\",\n \"https://git.kernel.org/stable/c/81b16286110728674dcf81137be0687c5055e7bf\",\n \"https://git.kernel.org/stable/c/be3f12f16038a558f08fa93cc32fa715746a5235\",\n \"https://git.kernel.org/stable/c/c26feedbc561f2a3cee1a4f717e61bdbdfb4fa92\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52865\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52867", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52867" + }, + { + "url": "https://git.kernel.org/stable/c/112d4b02d94bf9fa4f1d3376587878400dd74783" + }, + { + "url": "https://git.kernel.org/stable/c/19534a7a225f1bf2da70a9a90d41d0215f8f6b45" + }, + { + "url": "https://git.kernel.org/stable/c/341e79f8aec6af6b0061b8171d77b085835c6a58" + }, + { + "url": "https://git.kernel.org/stable/c/347f025a02b3a5d715a0b471fc3b1439c338ad94" + }, + { + "url": "https://git.kernel.org/stable/c/7b063c93bece827fde237fae1c101bceeee4e896" + }, + { + "url": "https://git.kernel.org/stable/c/caaa74541459c4c9e2c10046cf66ad2890483d0f" + }, + { + "url": "https://git.kernel.org/stable/c/d9b4fa249deaae1145d6fc2b64dae718e5c7a855" + }, + { + "url": "https://git.kernel.org/stable/c/dd05484f99d16715a88eedfca363828ef9a4c2d4" + }, + { + "url": "https://git.kernel.org/stable/c/ddc42881f170f1f518496f5a70447501335fc783" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52867 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52867", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: possible buffer overflow\n\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\nchecked after access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52867\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52867\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52867\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52867\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52867\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/112d4b02d94bf9fa4f1d3376587878400dd74783\",\n \"https://git.kernel.org/stable/c/19534a7a225f1bf2da70a9a90d41d0215f8f6b45\",\n \"https://git.kernel.org/stable/c/341e79f8aec6af6b0061b8171d77b085835c6a58\",\n \"https://git.kernel.org/stable/c/347f025a02b3a5d715a0b471fc3b1439c338ad94\",\n \"https://git.kernel.org/stable/c/7b063c93bece827fde237fae1c101bceeee4e896\",\n \"https://git.kernel.org/stable/c/caaa74541459c4c9e2c10046cf66ad2890483d0f\",\n \"https://git.kernel.org/stable/c/d9b4fa249deaae1145d6fc2b64dae718e5c7a855\",\n \"https://git.kernel.org/stable/c/dd05484f99d16715a88eedfca363828ef9a4c2d4\",\n \"https://git.kernel.org/stable/c/ddc42881f170f1f518496f5a70447501335fc783\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/radeon: possible buffer overflow\\n\\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\\nchecked after access.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52867\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52868", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52868" + }, + { + "url": "https://git.kernel.org/stable/c/0f6b3be28c4d62ef6498133959c72266629bea97" + }, + { + "url": "https://git.kernel.org/stable/c/3091ab943dfc7b2578599b0fe203350286fab5bb" + }, + { + "url": "https://git.kernel.org/stable/c/3a8f4e58e1ee707b4f46a1000b40b86ea3dd509c" + }, + { + "url": "https://git.kernel.org/stable/c/3f795fb35c2d8a637efe76b4518216c9319b998c" + }, + { + "url": "https://git.kernel.org/stable/c/6ad1bf47fbe5750c4d5d8e41337665e193e2c521" + }, + { + "url": "https://git.kernel.org/stable/c/77ff34a56b695e228e6daf30ee30be747973d6e8" + }, + { + "url": "https://git.kernel.org/stable/c/b55f0a9f865be75ca1019aad331f3225f7b50ce8" + }, + { + "url": "https://git.kernel.org/stable/c/c99626092efca3061b387043d4a7399bf75fbdd5" + }, + { + "url": "https://git.kernel.org/stable/c/edbd6bbe40ac524a8f2273ffacc53edf14f3c686" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52868 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52868", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: prevent potential string overflow\n\nThe dev->id value comes from ida_alloc() so it's a number between zero\nand INT_MAX. If it's too high then these sprintf()s will overflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52868\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52868\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52868\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52868\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52868\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f6b3be28c4d62ef6498133959c72266629bea97\",\n \"https://git.kernel.org/stable/c/3091ab943dfc7b2578599b0fe203350286fab5bb\",\n \"https://git.kernel.org/stable/c/3a8f4e58e1ee707b4f46a1000b40b86ea3dd509c\",\n \"https://git.kernel.org/stable/c/3f795fb35c2d8a637efe76b4518216c9319b998c\",\n \"https://git.kernel.org/stable/c/6ad1bf47fbe5750c4d5d8e41337665e193e2c521\",\n \"https://git.kernel.org/stable/c/77ff34a56b695e228e6daf30ee30be747973d6e8\",\n \"https://git.kernel.org/stable/c/b55f0a9f865be75ca1019aad331f3225f7b50ce8\",\n \"https://git.kernel.org/stable/c/c99626092efca3061b387043d4a7399bf75fbdd5\",\n \"https://git.kernel.org/stable/c/edbd6bbe40ac524a8f2273ffacc53edf14f3c686\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthermal: core: prevent potential string overflow\\n\\nThe dev->id value comes from ida_alloc() so it's a number between zero\\nand INT_MAX. If it's too high then these sprintf()s will overflow.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52868\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52869", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52869" + }, + { + "url": "https://git.kernel.org/stable/c/1c426da79f9fc7b761021b5eb44185ba119cd44a" + }, + { + "url": "https://git.kernel.org/stable/c/379b120e4f27fd1cf636a5f85570c4d240a3f688" + }, + { + "url": "https://git.kernel.org/stable/c/63f637309baadf81a095f2653e3b807d4b5814b9" + }, + { + "url": "https://git.kernel.org/stable/c/a19d48f7c5d57c0f0405a7d4334d1d38fe9d3c1c" + }, + { + "url": "https://git.kernel.org/stable/c/ad5cb6deb41417ef41b9d6ff54f789212108606f" + }, + { + "url": "https://git.kernel.org/stable/c/bb166bdae1a7d7db30e9be7e6ccaba606debc05f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52869 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52869", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/platform: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52869\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52869\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52869\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52869\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52869\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c426da79f9fc7b761021b5eb44185ba119cd44a\",\n \"https://git.kernel.org/stable/c/379b120e4f27fd1cf636a5f85570c4d240a3f688\",\n \"https://git.kernel.org/stable/c/63f637309baadf81a095f2653e3b807d4b5814b9\",\n \"https://git.kernel.org/stable/c/a19d48f7c5d57c0f0405a7d4334d1d38fe9d3c1c\",\n \"https://git.kernel.org/stable/c/ad5cb6deb41417ef41b9d6ff54f789212108606f\",\n \"https://git.kernel.org/stable/c/bb166bdae1a7d7db30e9be7e6ccaba606debc05f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npstore/platform: Add check for kstrdup\\n\\nAdd check for the return value of kstrdup() and return the error\\nif it fails in order to avoid NULL pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52869\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52870", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52870" + }, + { + "url": "https://git.kernel.org/stable/c/10cc81124407d862f0f747db4baa9c006510b480" + }, + { + "url": "https://git.kernel.org/stable/c/2617aa8ceaf30e41d3eb7f5fef3445542bef193a" + }, + { + "url": "https://git.kernel.org/stable/c/533ca5153ad6c7b7d47ae0114b14d0333964b946" + }, + { + "url": "https://git.kernel.org/stable/c/b5ff3e89b4e7f46ad2aa0de7e08d18e6f87d71bc" + }, + { + "url": "https://git.kernel.org/stable/c/b82681042724924ae3ba0f2f2eeec217fa31e830" + }, + { + "url": "https://git.kernel.org/stable/c/dd1f30d68fa98eb672c0a259297b761656a9025f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52870 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52870", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52870\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52870\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52870\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52870\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52870\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10cc81124407d862f0f747db4baa9c006510b480\",\n \"https://git.kernel.org/stable/c/2617aa8ceaf30e41d3eb7f5fef3445542bef193a\",\n \"https://git.kernel.org/stable/c/533ca5153ad6c7b7d47ae0114b14d0333964b946\",\n \"https://git.kernel.org/stable/c/b5ff3e89b4e7f46ad2aa0de7e08d18e6f87d71bc\",\n \"https://git.kernel.org/stable/c/b82681042724924ae3ba0f2f2eeec217fa31e830\",\n \"https://git.kernel.org/stable/c/dd1f30d68fa98eb672c0a259297b761656a9025f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52870\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52871", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52871" + }, + { + "url": "https://git.kernel.org/stable/c/1143bfb9b055897975aeaea254da148e19524493" + }, + { + "url": "https://git.kernel.org/stable/c/3565684309e54fa998ea27f37028d67cc3e1dff2" + }, + { + "url": "https://git.kernel.org/stable/c/5e5b85ea0f4bc484bfe4cc73ead51fa48d2366a0" + }, + { + "url": "https://git.kernel.org/stable/c/995ee1e84e8db7fa5dcdde7dfe0bd7bb6f9bbb8c" + }, + { + "url": "https://git.kernel.org/stable/c/cc1a1dcb411fe224f48553cfdcdfe6e61395b69c" + }, + { + "url": "https://git.kernel.org/stable/c/f0ef883cae309bc5e8cdfcdbc1b4822732ce20a8" + }, + { + "url": "https://git.kernel.org/stable/c/f1a1bc8775b26345aba2be278118999e7f661d3d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52871 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52871", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: llcc: Handle a second device without data corruption\n\nUsually there is only one llcc device. But if there were a second, even\na failed probe call would modify the global drv_data pointer. So check\nif drv_data is valid before overwriting it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52871\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52871\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52871\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52871\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52871\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1143bfb9b055897975aeaea254da148e19524493\",\n \"https://git.kernel.org/stable/c/3565684309e54fa998ea27f37028d67cc3e1dff2\",\n \"https://git.kernel.org/stable/c/5e5b85ea0f4bc484bfe4cc73ead51fa48d2366a0\",\n \"https://git.kernel.org/stable/c/995ee1e84e8db7fa5dcdde7dfe0bd7bb6f9bbb8c\",\n \"https://git.kernel.org/stable/c/cc1a1dcb411fe224f48553cfdcdfe6e61395b69c\",\n \"https://git.kernel.org/stable/c/f0ef883cae309bc5e8cdfcdbc1b4822732ce20a8\",\n \"https://git.kernel.org/stable/c/f1a1bc8775b26345aba2be278118999e7f661d3d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: qcom: llcc: Handle a second device without data corruption\\n\\nUsually there is only one llcc device. But if there were a second, even\\na failed probe call would modify the global drv_data pointer. So check\\nif drv_data is valid before overwriting it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52871\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52872", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52872" + }, + { + "url": "https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890" + }, + { + "url": "https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243" + }, + { + "url": "https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444" + }, + { + "url": "https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a" + }, + { + "url": "https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52872 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52872", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix race condition in status line change on dead connections\n\ngsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all\ntimers, removing the virtual tty devices and clearing the data queues.\nThis procedure, however, may cause subsequent changes of the virtual modem\nstatus lines of a DLCI. More data is being added the outgoing data queue\nand the deleted kick timer is restarted to handle this. At this point many\nresources have already been removed by the cleanup procedure. Thus, a\nkernel panic occurs.\n\nFix this by proving in gsm_modem_update() that the cleanup procedure has\nnot been started and the mux is still alive.\n\nNote that writing to a virtual tty is already protected by checks against\nthe DLCI specific connection state.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52872\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52872\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52872\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52872\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52872\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890\",\n \"https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243\",\n \"https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444\",\n \"https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a\",\n \"https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: n_gsm: fix race condition in status line change on dead connections\\n\\ngsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all\\ntimers, removing the virtual tty devices and clearing the data queues.\\nThis procedure, however, may cause subsequent changes of the virtual modem\\nstatus lines of a DLCI. More data is being added the outgoing data queue\\nand the deleted kick timer is restarted to handle this. At this point many\\nresources have already been removed by the cleanup procedure. Thus, a\\nkernel panic occurs.\\n\\nFix this by proving in gsm_modem_update() that the cleanup procedure has\\nnot been started and the mux is still alive.\\n\\nNote that writing to a virtual tty is already protected by checks against\\nthe DLCI specific connection state.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52872\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52873", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52873" + }, + { + "url": "https://git.kernel.org/stable/c/1f57f78fbacf630430bf954e5a84caafdfea30c0" + }, + { + "url": "https://git.kernel.org/stable/c/3994387ba3564976731179c4d4a6d7850ddda71a" + }, + { + "url": "https://git.kernel.org/stable/c/a90239551abc181687f8c0ba60b276f7d75c141e" + }, + { + "url": "https://git.kernel.org/stable/c/ca6d565a2319d69d9766e6ecbb5af827fc4afb2b" + }, + { + "url": "https://git.kernel.org/stable/c/df1c4a9efa3f5b6fb5e0ae63890230dbe2190b7e" + }, + { + "url": "https://git.kernel.org/stable/c/f6a7c51cf07a399ec067d39f0a22f1817c5c7d2b" + }, + { + "url": "https://git.kernel.org/stable/c/fbe466f06d4ea18745da0d57540539b7b36936ae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52873 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52873", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52873\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52873\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52873\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52873\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52873\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1f57f78fbacf630430bf954e5a84caafdfea30c0\",\n \"https://git.kernel.org/stable/c/3994387ba3564976731179c4d4a6d7850ddda71a\",\n \"https://git.kernel.org/stable/c/a90239551abc181687f8c0ba60b276f7d75c141e\",\n \"https://git.kernel.org/stable/c/ca6d565a2319d69d9766e6ecbb5af827fc4afb2b\",\n \"https://git.kernel.org/stable/c/df1c4a9efa3f5b6fb5e0ae63890230dbe2190b7e\",\n \"https://git.kernel.org/stable/c/f6a7c51cf07a399ec067d39f0a22f1817c5c7d2b\",\n \"https://git.kernel.org/stable/c/fbe466f06d4ea18745da0d57540539b7b36936ae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52873\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52875", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52875" + }, + { + "url": "https://git.kernel.org/stable/c/001e5def774fa1a8f2b29567c0b0cd3e3a859a96" + }, + { + "url": "https://git.kernel.org/stable/c/0d6e24b422a2166a9297a8286ff2e6ab9a5e8cd3" + }, + { + "url": "https://git.kernel.org/stable/c/1953e62366da5460dc712e045f94fb0d8918999d" + }, + { + "url": "https://git.kernel.org/stable/c/1bf9c204aef4cc55ce46a7ff2d4dc7e5f86551a7" + }, + { + "url": "https://git.kernel.org/stable/c/2a18dd653284550900b02107c3c7b3ac5e0eb802" + }, + { + "url": "https://git.kernel.org/stable/c/6fccee2af400edaed9cf349d506c5971d4762739" + }, + { + "url": "https://git.kernel.org/stable/c/d1175cf4bd2b4c5f7c43f677ea1ce9ad2c18d055" + }, + { + "url": "https://git.kernel.org/stable/c/d1461f0c9ca0827c03730fe9652ebbf6316a2a95" + }, + { + "url": "https://git.kernel.org/stable/c/e61934720af4a58ffd43a63ffdd6f3a0bd7d7b47" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52875 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52875", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52875\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52875\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52875\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52875\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52875\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/001e5def774fa1a8f2b29567c0b0cd3e3a859a96\",\n \"https://git.kernel.org/stable/c/0d6e24b422a2166a9297a8286ff2e6ab9a5e8cd3\",\n \"https://git.kernel.org/stable/c/1953e62366da5460dc712e045f94fb0d8918999d\",\n \"https://git.kernel.org/stable/c/1bf9c204aef4cc55ce46a7ff2d4dc7e5f86551a7\",\n \"https://git.kernel.org/stable/c/2a18dd653284550900b02107c3c7b3ac5e0eb802\",\n \"https://git.kernel.org/stable/c/6fccee2af400edaed9cf349d506c5971d4762739\",\n \"https://git.kernel.org/stable/c/d1175cf4bd2b4c5f7c43f677ea1ce9ad2c18d055\",\n \"https://git.kernel.org/stable/c/d1461f0c9ca0827c03730fe9652ebbf6316a2a95\",\n \"https://git.kernel.org/stable/c/e61934720af4a58ffd43a63ffdd6f3a0bd7d7b47\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52875\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52876", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52876" + }, + { + "url": "https://git.kernel.org/stable/c/0884393c63cc9a1772f7121a6645ba7bd76feeb9" + }, + { + "url": "https://git.kernel.org/stable/c/1639072f6260babd017556e9f236ca2ad589d1e7" + }, + { + "url": "https://git.kernel.org/stable/c/96e9544a0c4faca616b3f9f4034dcd83a14e7f22" + }, + { + "url": "https://git.kernel.org/stable/c/a540ca0aeae83c2f3964bcb4e383f64ce2ec1783" + }, + { + "url": "https://git.kernel.org/stable/c/b20cfe007a46f8c165d42a05c50a8d3d893e6592" + }, + { + "url": "https://git.kernel.org/stable/c/c4070ada5d5155c8d4d17ea64bd246949889f25b" + }, + { + "url": "https://git.kernel.org/stable/c/cfa68e0ac5dcde43577adadf6f0f26f3b365ad68" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52876 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52876", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52876\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52876\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52876\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52876\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52876\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0884393c63cc9a1772f7121a6645ba7bd76feeb9\",\n \"https://git.kernel.org/stable/c/1639072f6260babd017556e9f236ca2ad589d1e7\",\n \"https://git.kernel.org/stable/c/96e9544a0c4faca616b3f9f4034dcd83a14e7f22\",\n \"https://git.kernel.org/stable/c/a540ca0aeae83c2f3964bcb4e383f64ce2ec1783\",\n \"https://git.kernel.org/stable/c/b20cfe007a46f8c165d42a05c50a8d3d893e6592\",\n \"https://git.kernel.org/stable/c/c4070ada5d5155c8d4d17ea64bd246949889f25b\",\n \"https://git.kernel.org/stable/c/cfa68e0ac5dcde43577adadf6f0f26f3b365ad68\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52876\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52877", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52877" + }, + { + "url": "https://git.kernel.org/stable/c/4987daf86c152ff882d51572d154ad12e4ff3a4b" + }, + { + "url": "https://git.kernel.org/stable/c/9ee038590d808a95d16adf92818dcd4752273c08" + }, + { + "url": "https://git.kernel.org/stable/c/b37a168c0137156042a0ca9626651b5a789e822b" + }, + { + "url": "https://git.kernel.org/stable/c/e5f53a68a596e04df3fde3099273435a30b6fdac" + }, + { + "url": "https://git.kernel.org/stable/c/e7a802447c491903aa7cb45967aa2a934a4e63fc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52877 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52877", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()\n\nIt is possible that typec_register_partner() returns ERR_PTR on failure.\nWhen port->partner is an error, a NULL pointer dereference may occur as\nshown below.\n\n[91222.095236][ T319] typec port0: failed to register partner (-17)\n...\n[91225.061491][ T319] Unable to handle kernel NULL pointer dereference\nat virtual address 000000000000039f\n[91225.274642][ T319] pc : tcpm_pd_data_request+0x310/0x13fc\n[91225.274646][ T319] lr : tcpm_pd_data_request+0x298/0x13fc\n[91225.308067][ T319] Call trace:\n[91225.308070][ T319] tcpm_pd_data_request+0x310/0x13fc\n[91225.308073][ T319] tcpm_pd_rx_handler+0x100/0x9e8\n[91225.355900][ T319] kthread_worker_fn+0x178/0x58c\n[91225.355902][ T319] kthread+0x150/0x200\n[91225.355905][ T319] ret_from_fork+0x10/0x30\n\nAdd a check for port->partner to avoid dereferencing a NULL pointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52877\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52877\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52877\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52877\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52877\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4987daf86c152ff882d51572d154ad12e4ff3a4b\",\n \"https://git.kernel.org/stable/c/9ee038590d808a95d16adf92818dcd4752273c08\",\n \"https://git.kernel.org/stable/c/b37a168c0137156042a0ca9626651b5a789e822b\",\n \"https://git.kernel.org/stable/c/e5f53a68a596e04df3fde3099273435a30b6fdac\",\n \"https://git.kernel.org/stable/c/e7a802447c491903aa7cb45967aa2a934a4e63fc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()\\n\\nIt is possible that typec_register_partner() returns ERR_PTR on failure.\\nWhen port->partner is an error, a NULL pointer dereference may occur as\\nshown below.\\n\\n[91222.095236][ T319] typec port0: failed to register partner (-17)\\n...\\n[91225.061491][ T319] Unable to handle kernel NULL pointer dereference\\nat virtual address 000000000000039f\\n[91225.274642][ T319] pc : tcpm_pd_data_request+0x310/0x13fc\\n[91225.274646][ T319] lr : tcpm_pd_data_request+0x298/0x13fc\\n[91225.308067][ T319] Call trace:\\n[91225.308070][ T319] tcpm_pd_data_request+0x310/0x13fc\\n[91225.308073][ T319] tcpm_pd_rx_handler+0x100/0x9e8\\n[91225.355900][ T319] kthread_worker_fn+0x178/0x58c\\n[91225.355902][ T319] kthread+0x150/0x200\\n[91225.355905][ T319] ret_from_fork+0x10/0x30\\n\\nAdd a check for port->partner to avoid dereferencing a NULL pointer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52877\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52878", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52878" + }, + { + "url": "https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4" + }, + { + "url": "https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc" + }, + { + "url": "https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057" + }, + { + "url": "https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444" + }, + { + "url": "https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52878 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52878", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds\n\nIf the \"struct can_priv::echoo_skb\" is accessed out of bounds, this\nwould cause a kernel crash. Instead, issue a meaningful warning\nmessage and return with an error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52878\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52878\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52878\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52878\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52878\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4\",\n \"https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc\",\n \"https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057\",\n \"https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444\",\n \"https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncan: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds\\n\\nIf the \\\"struct can_priv::echoo_skb\\\" is accessed out of bounds, this\\nwould cause a kernel crash. Instead, issue a meaningful warning\\nmessage and return with an error.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52878\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52879", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52879" + }, + { + "url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706" + }, + { + "url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976" + }, + { + "url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d" + }, + { + "url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e" + }, + { + "url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f" + }, + { + "url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4" + }, + { + "url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52879 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52879", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have trace_event_file have ref counters\n\nThe following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\n\nThe above commands:\n\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\n\nThe above causes a crash!\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\n\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\n\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\n\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52879\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52879\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52879\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52879\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52879\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706\",\n \"https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976\",\n \"https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d\",\n \"https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e\",\n \"https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f\",\n \"https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4\",\n \"https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Have trace_event_file have ref counters\\n\\nThe following can crash the kernel:\\n\\n # cd /sys/kernel/tracing\\n # echo 'p:sched schedule' > kprobe_events\\n # exec 5>>events/kprobes/sched/enable\\n # > kprobe_events\\n # exec 5>&-\\n\\nThe above commands:\\n\\n 1. Change directory to the tracefs directory\\n 2. Create a kprobe event (doesn't matter what one)\\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\\n 4. Delete the kprobe event (removes the files too)\\n 5. Close the bash file descriptor 5\\n\\nThe above causes a crash!\\n\\n BUG: kernel NULL pointer dereference, address: 0000000000000028\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 [#1] PREEMPT SMP PTI\\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\\n RIP: 0010:tracing_release_file_tr+0xc/0x50\\n\\nWhat happens here is that the kprobe event creates a trace_event_file\\n\\\"file\\\" descriptor that represents the file in tracefs to the event. It\\nmaintains state of the event (is it enabled for the given instance?).\\nOpening the \\\"enable\\\" file gets a reference to the event \\\"file\\\" descriptor\\nvia the open file descriptor. When the kprobe event is deleted, the file is\\nalso deleted from the tracefs system which also frees the event \\\"file\\\"\\ndescriptor.\\n\\nBut as the tracefs file is still opened by user space, it will not be\\ntotally removed until the final dput() is called on it. But this is not\\ntrue with the event \\\"file\\\" descriptor that is already freed. If the user\\ndoes a write to or simply closes the file descriptor it will reference the\\nevent \\\"file\\\" descriptor that was just freed, causing a use-after-free bug.\\n\\nTo solve this, add a ref count to the event \\\"file\\\" descriptor as well as a\\nnew flag called \\\"FREED\\\". The \\\"file\\\" will not be freed until the last\\nreference is released. But the FREE flag will be set when the event is\\nremoved to prevent any more modifications to that event from happening,\\neven if there's still a reference to the event \\\"file\\\" descriptor.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52879\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52880", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52880" + }, + { + "url": "https://git.kernel.org/stable/c/2b85977977cbd120591b23c2450e90a5806a7167" + }, + { + "url": "https://git.kernel.org/stable/c/2d154a54c58f9c8375bfbea9f7e51ba3bfb2e43a" + }, + { + "url": "https://git.kernel.org/stable/c/67c37756898a5a6b2941a13ae7260c89b54e0d88" + }, + { + "url": "https://git.kernel.org/stable/c/7a529c9023a197ab3bf09bb95df32a3813f7ba58" + }, + { + "url": "https://git.kernel.org/stable/c/7d303dee473ba3529d75b63491e9963342107bed" + }, + { + "url": "https://git.kernel.org/stable/c/ada28eb4b9561aab93942f3224a2e41d76fe57fa" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52880 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52880", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\n\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\nCAP_NET_ADMIN to create a GSM network anyway.\n\nRequire initial namespace CAP_NET_ADMIN to do that.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52880\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52880\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52880\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52880\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52880\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b85977977cbd120591b23c2450e90a5806a7167\",\n \"https://git.kernel.org/stable/c/2d154a54c58f9c8375bfbea9f7e51ba3bfb2e43a\",\n \"https://git.kernel.org/stable/c/67c37756898a5a6b2941a13ae7260c89b54e0d88\",\n \"https://git.kernel.org/stable/c/7a529c9023a197ab3bf09bb95df32a3813f7ba58\",\n \"https://git.kernel.org/stable/c/7d303dee473ba3529d75b63491e9963342107bed\",\n \"https://git.kernel.org/stable/c/ada28eb4b9561aab93942f3224a2e41d76fe57fa\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\\n\\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\\nCAP_NET_ADMIN to create a GSM network anyway.\\n\\nRequire initial namespace CAP_NET_ADMIN to do that.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52880\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52881", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52881" + }, + { + "url": "https://git.kernel.org/stable/c/008b807fe487e0b15a3a6c39add4eb477f73e440" + }, + { + "url": "https://git.kernel.org/stable/c/0d4e0afdd6658cd21dd5be61880411a2553fd1fc" + }, + { + "url": "https://git.kernel.org/stable/c/2087d53a66e97a5eb5d1bf558d5bef9e5f891757" + }, + { + "url": "https://git.kernel.org/stable/c/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27" + }, + { + "url": "https://git.kernel.org/stable/c/458f07ffeccd17f99942311e09ef574ddf4a414a" + }, + { + "url": "https://git.kernel.org/stable/c/69eae75ca5255e876628ac5cee9eaab31f644b57" + }, + { + "url": "https://git.kernel.org/stable/c/7ffff0cc929fdfc62a74b384c4903d6496c910f0" + }, + { + "url": "https://git.kernel.org/stable/c/b17a886ed29f3b70b78ccf632dad03e0c69e3c1a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52881 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52881", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: do not accept ACK of bytes we never sent\n\nThis patch is based on a detailed report and ideas from Yepeng Pan\nand Christian Rossow.\n\nACK seq validation is currently following RFC 5961 5.2 guidelines:\n\n The ACK value is considered acceptable only if\n it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=\n SND.NXT). All incoming segments whose ACK value doesn't satisfy the\n above condition MUST be discarded and an ACK sent back. It needs to\n be noted that RFC 793 on page 72 (fifth check) says: \"If the ACK is a\n duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK\n acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an\n ACK, drop the segment, and return\". The \"ignored\" above implies that\n the processing of the incoming data segment continues, which means\n the ACK value is treated as acceptable. This mitigation makes the\n ACK check more stringent since any ACK < SND.UNA wouldn't be\n accepted, instead only ACKs that are in the range ((SND.UNA -\n MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.\n\nThis can be refined for new (and possibly spoofed) flows,\nby not accepting ACK for bytes that were never sent.\n\nThis greatly improves TCP security at a little cost.\n\nI added a Fixes: tag to make sure this patch will reach stable trees,\neven if the 'blamed' patch was adhering to the RFC.\n\ntp->bytes_acked was added in linux-4.2\n\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\nthe issue at hand:\n\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\n+0 bind(3, ..., ...) = 0\n+0 listen(3, 1024) = 0\n\n// ---------------- Handshake ------------------- //\n\n// when window scale is set to 14 the window size can be extended to\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\n// ,though this ack number acknowledges some data never\n// sent by the server.\n\n+0 < S 0:0(0) win 65535 \n+0 > S. 0:0(0) ack 1 <...>\n+0 < . 1:1(0) ack 1 win 65535\n+0 accept(3, ..., ...) = 4\n\n// For the established connection, we send an ACK packet,\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\n// where 2^32 is used to wrap around.\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\n// edge cases.\n// 1 - 1073725300 + 2^32 = 3221241997\n\n// Oops, old kernels happily accept this packet.\n+0 < . 1:1001(1000) ack 3221241997 win 65535\n\n// After the kernel fix the following will be replaced by a challenge ACK,\n// and prior malicious frame would be dropped.\n+0 > . 1:1(0) ack 1001", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52881\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52881\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52881\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52881\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52881\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/008b807fe487e0b15a3a6c39add4eb477f73e440\",\n \"https://git.kernel.org/stable/c/0d4e0afdd6658cd21dd5be61880411a2553fd1fc\",\n \"https://git.kernel.org/stable/c/2087d53a66e97a5eb5d1bf558d5bef9e5f891757\",\n \"https://git.kernel.org/stable/c/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27\",\n \"https://git.kernel.org/stable/c/458f07ffeccd17f99942311e09ef574ddf4a414a\",\n \"https://git.kernel.org/stable/c/69eae75ca5255e876628ac5cee9eaab31f644b57\",\n \"https://git.kernel.org/stable/c/7ffff0cc929fdfc62a74b384c4903d6496c910f0\",\n \"https://git.kernel.org/stable/c/b17a886ed29f3b70b78ccf632dad03e0c69e3c1a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: do not accept ACK of bytes we never sent\\n\\nThis patch is based on a detailed report and ideas from Yepeng Pan\\nand Christian Rossow.\\n\\nACK seq validation is currently following RFC 5961 5.2 guidelines:\\n\\n The ACK value is considered acceptable only if\\n it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=\\n SND.NXT). All incoming segments whose ACK value doesn't satisfy the\\n above condition MUST be discarded and an ACK sent back. It needs to\\n be noted that RFC 793 on page 72 (fifth check) says: \\\"If the ACK is a\\n duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK\\n acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an\\n ACK, drop the segment, and return\\\". The \\\"ignored\\\" above implies that\\n the processing of the incoming data segment continues, which means\\n the ACK value is treated as acceptable. This mitigation makes the\\n ACK check more stringent since any ACK < SND.UNA wouldn't be\\n accepted, instead only ACKs that are in the range ((SND.UNA -\\n MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.\\n\\nThis can be refined for new (and possibly spoofed) flows,\\nby not accepting ACK for bytes that were never sent.\\n\\nThis greatly improves TCP security at a little cost.\\n\\nI added a Fixes: tag to make sure this patch will reach stable trees,\\neven if the 'blamed' patch was adhering to the RFC.\\n\\ntp->bytes_acked was added in linux-4.2\\n\\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\\nthe issue at hand:\\n\\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\\n+0 bind(3, ..., ...) = 0\\n+0 listen(3, 1024) = 0\\n\\n// ---------------- Handshake ------------------- //\\n\\n// when window scale is set to 14 the window size can be extended to\\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\\n// ,though this ack number acknowledges some data never\\n// sent by the server.\\n\\n+0 < S 0:0(0) win 65535 \\n+0 > S. 0:0(0) ack 1 <...>\\n+0 < . 1:1(0) ack 1 win 65535\\n+0 accept(3, ..., ...) = 4\\n\\n// For the established connection, we send an ACK packet,\\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\\n// where 2^32 is used to wrap around.\\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\\n// edge cases.\\n// 1 - 1073725300 + 2^32 = 3221241997\\n\\n// Oops, old kernels happily accept this packet.\\n+0 < . 1:1001(1000) ack 3221241997 win 65535\\n\\n// After the kernel fix the following will be replaced by a challenge ACK,\\n// and prior malicious frame would be dropped.\\n+0 > . 1:1(0) ack 1001\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52881\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52882", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52882" + }, + { + "url": "https://git.kernel.org/stable/c/0b82eb134d2942ecc669e2ab2be3f0a58d79428a" + }, + { + "url": "https://git.kernel.org/stable/c/70f64cb29014e4c4f1fabd3265feebd80590d069" + }, + { + "url": "https://git.kernel.org/stable/c/7e91ed763dc07437777bd012af7a2bd4493731ff" + }, + { + "url": "https://git.kernel.org/stable/c/9708e5081cfc4f085690294163389bcf82655f90" + }, + { + "url": "https://git.kernel.org/stable/c/bfc78b4628497eb6df09a6b5bba9dd31616ee175" + }, + { + "url": "https://git.kernel.org/stable/c/f1fa9a9816204ac4b118b2e613d3a7c981355019" + }, + { + "url": "https://git.kernel.org/stable/c/fe11826ffa200e1a7a826e745163cb2f47875f66" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52882 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52882", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\n\nWhile PLL CPUX clock rate change when CPU is running from it works in\nvast majority of cases, now and then it causes instability. This leads\nto system crashes and other undefined behaviour. After a lot of testing\n(30+ hours) while also doing a lot of frequency switches, we can't\nobserve any instability issues anymore when doing reparenting to stable\nclock like 24 MHz oscillator.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52882\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52882\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52882\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52882\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52882\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b82eb134d2942ecc669e2ab2be3f0a58d79428a\",\n \"https://git.kernel.org/stable/c/70f64cb29014e4c4f1fabd3265feebd80590d069\",\n \"https://git.kernel.org/stable/c/7e91ed763dc07437777bd012af7a2bd4493731ff\",\n \"https://git.kernel.org/stable/c/9708e5081cfc4f085690294163389bcf82655f90\",\n \"https://git.kernel.org/stable/c/bfc78b4628497eb6df09a6b5bba9dd31616ee175\",\n \"https://git.kernel.org/stable/c/f1fa9a9816204ac4b118b2e613d3a7c981355019\",\n \"https://git.kernel.org/stable/c/fe11826ffa200e1a7a826e745163cb2f47875f66\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\\n\\nWhile PLL CPUX clock rate change when CPU is running from it works in\\nvast majority of cases, now and then it causes instability. This leads\\nto system crashes and other undefined behaviour. After a lot of testing\\n(30+ hours) while also doing a lot of frequency switches, we can't\\nobserve any instability issues anymore when doing reparenting to stable\\nclock like 24 MHz oscillator.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52882\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52884", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52884" + }, + { + "url": "https://git.kernel.org/stable/c/7b4e0b39182cf5e677c1fc092a3ec40e621c25b6" + }, + { + "url": "https://git.kernel.org/stable/c/9400caf566f65c703e99d95f87b00c4b445627a7" + }, + { + "url": "https://git.kernel.org/stable/c/a4c638ab25786bd5aab5978fe51b2b9be16a4ebd" + }, + { + "url": "https://git.kernel.org/stable/c/a5fc298fa8f67cf1f0e1fc126eab70578cd40adc" + }, + { + "url": "https://git.kernel.org/stable/c/f99809fdeb50d65bcbc1661ef391af94eebb8a75" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52884 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52884", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cyapa - add missing input core locking to suspend/resume functions\n\nGrab input->mutex during suspend/resume functions like it is done in\nother input drivers. This fixes the following warning during system\nsuspend/resume cycle on Samsung Exynos5250-based Snow Chromebook:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---\n...\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52884\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52884\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52884\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52884\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52884\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7b4e0b39182cf5e677c1fc092a3ec40e621c25b6\",\n \"https://git.kernel.org/stable/c/9400caf566f65c703e99d95f87b00c4b445627a7\",\n \"https://git.kernel.org/stable/c/a4c638ab25786bd5aab5978fe51b2b9be16a4ebd\",\n \"https://git.kernel.org/stable/c/a5fc298fa8f67cf1f0e1fc126eab70578cd40adc\",\n \"https://git.kernel.org/stable/c/f99809fdeb50d65bcbc1661ef391af94eebb8a75\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nInput: cyapa - add missing input core locking to suspend/resume functions\\n\\nGrab input->mutex during suspend/resume functions like it is done in\\nother input drivers. This fixes the following warning during system\\nsuspend/resume cycle on Samsung Exynos5250-based Snow Chromebook:\\n\\n------------[ cut here ]------------\\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\\nModules linked in: ...\\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\\nHardware name: Samsung Exynos (Flattened Device Tree)\\nWorkqueue: events_unbound async_run_entry_fn\\n unwind_backtrace from show_stack+0x10/0x14\\n show_stack from dump_stack_lvl+0x58/0x70\\n dump_stack_lvl from __warn+0x1a8/0x1cc\\n __warn from warn_slowpath_fmt+0x18c/0x1b4\\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\\n cyapa_reinitialize from cyapa_resume+0x48/0x98\\n cyapa_resume from dpm_run_callback+0x90/0x298\\n dpm_run_callback from device_resume+0xb4/0x258\\n device_resume from async_resume+0x20/0x64\\n async_resume from async_run_entry_fn+0x40/0x15c\\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\\n process_scheduled_works from worker_thread+0x188/0x454\\n worker_thread from kthread+0x108/0x140\\n kthread from ret_from_fork+0x14/0x28\\nException stack(0xf1625fb0 to 0xf1625ff8)\\n...\\n---[ end trace 0000000000000000 ]---\\n...\\n------------[ cut here ]------------\\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\\nModules linked in: ...\\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\\nHardware name: Samsung Exynos (Flattened Device Tree)\\nWorkqueue: events_unbound async_run_entry_fn\\n unwind_backtrace from show_stack+0x10/0x14\\n show_stack from dump_stack_lvl+0x58/0x70\\n dump_stack_lvl from __warn+0x1a8/0x1cc\\n __warn from warn_slowpath_fmt+0x18c/0x1b4\\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\\n cyapa_reinitialize from cyapa_resume+0x48/0x98\\n cyapa_resume from dpm_run_callback+0x90/0x298\\n dpm_run_callback from device_resume+0xb4/0x258\\n device_resume from async_resume+0x20/0x64\\n async_resume from async_run_entry_fn+0x40/0x15c\\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\\n process_scheduled_works from worker_thread+0x188/0x454\\n worker_thread from kthread+0x108/0x140\\n kthread from ret_from_fork+0x14/0x28\\nException stack(0xf1625fb0 to 0xf1625ff8)\\n...\\n---[ end trace 0000000000000000 ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52884\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52885", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52885" + }, + { + "url": "https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b" + }, + { + "url": "https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f" + }, + { + "url": "https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428" + }, + { + "url": "https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065" + }, + { + "url": "https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254" + }, + { + "url": "https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e" + }, + { + "url": "https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee" + }, + { + "url": "https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52885 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52885", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix UAF in svc_tcp_listen_data_ready()\n\nAfter the listener svc_sock is freed, and before invoking svc_tcp_accept()\nfor the established child sock, there is a window that the newsock\nretaining a freed listener svc_sock in sk_user_data which cloning from\nparent. In the race window, if data is received on the newsock, we will\nobserve use-after-free report in svc_tcp_listen_data_ready().\n\nReproduce by two tasks:\n\n1. while :; do rpc.nfsd 0 ; rpc.nfsd; done\n2. while :; do echo \"\" | ncat -4 127.0.0.1 2049 ; done\n\nKASAN report:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n Read of size 8 at addr ffff888139d96228 by task nc/102553\n CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n Call Trace:\n \n dump_stack_lvl+0x33/0x50\n print_address_description.constprop.0+0x27/0x310\n print_report+0x3e/0x70\n kasan_report+0xae/0xe0\n svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n tcp_data_queue+0x9f4/0x20e0\n tcp_rcv_established+0x666/0x1f60\n tcp_v4_do_rcv+0x51c/0x850\n tcp_v4_rcv+0x23fc/0x2e80\n ip_protocol_deliver_rcu+0x62/0x300\n ip_local_deliver_finish+0x267/0x350\n ip_local_deliver+0x18b/0x2d0\n ip_rcv+0x2fb/0x370\n __netif_receive_skb_one_core+0x166/0x1b0\n process_backlog+0x24c/0x5e0\n __napi_poll+0xa2/0x500\n net_rx_action+0x854/0xc90\n __do_softirq+0x1bb/0x5de\n do_softirq+0xcb/0x100\n \n \n ...\n \n\n Allocated by task 102371:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_kmalloc+0x7b/0x90\n svc_setup_socket+0x52/0x4f0 [sunrpc]\n svc_addsock+0x20d/0x400 [sunrpc]\n __write_ports_addfd+0x209/0x390 [nfsd]\n write_ports+0x239/0x2c0 [nfsd]\n nfsctl_transaction_write+0xac/0x110 [nfsd]\n vfs_write+0x1c3/0xae0\n ksys_write+0xed/0x1c0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\n Freed by task 102551:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x50\n __kasan_slab_free+0x106/0x190\n __kmem_cache_free+0x133/0x270\n svc_xprt_free+0x1e2/0x350 [sunrpc]\n svc_xprt_destroy_all+0x25a/0x440 [sunrpc]\n nfsd_put+0x125/0x240 [nfsd]\n nfsd_svc+0x2cb/0x3c0 [nfsd]\n write_threads+0x1ac/0x2a0 [nfsd]\n nfsctl_transaction_write+0xac/0x110 [nfsd]\n vfs_write+0x1c3/0xae0\n ksys_write+0xed/0x1c0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nFix the UAF by simply doing nothing in svc_tcp_listen_data_ready()\nif state != TCP_LISTEN, that will avoid dereferencing svsk for all\nchild socket.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52885\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52885\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52885\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52885\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52885\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b\",\n \"https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f\",\n \"https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428\",\n \"https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065\",\n \"https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254\",\n \"https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e\",\n \"https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee\",\n \"https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSUNRPC: Fix UAF in svc_tcp_listen_data_ready()\\n\\nAfter the listener svc_sock is freed, and before invoking svc_tcp_accept()\\nfor the established child sock, there is a window that the newsock\\nretaining a freed listener svc_sock in sk_user_data which cloning from\\nparent. In the race window, if data is received on the newsock, we will\\nobserve use-after-free report in svc_tcp_listen_data_ready().\\n\\nReproduce by two tasks:\\n\\n1. while :; do rpc.nfsd 0 ; rpc.nfsd; done\\n2. while :; do echo \\\"\\\" | ncat -4 127.0.0.1 2049 ; done\\n\\nKASAN report:\\n\\n ==================================================================\\n BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\\n Read of size 8 at addr ffff888139d96228 by task nc/102553\\n CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18\\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\\n Call Trace:\\n \\n dump_stack_lvl+0x33/0x50\\n print_address_description.constprop.0+0x27/0x310\\n print_report+0x3e/0x70\\n kasan_report+0xae/0xe0\\n svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\\n tcp_data_queue+0x9f4/0x20e0\\n tcp_rcv_established+0x666/0x1f60\\n tcp_v4_do_rcv+0x51c/0x850\\n tcp_v4_rcv+0x23fc/0x2e80\\n ip_protocol_deliver_rcu+0x62/0x300\\n ip_local_deliver_finish+0x267/0x350\\n ip_local_deliver+0x18b/0x2d0\\n ip_rcv+0x2fb/0x370\\n __netif_receive_skb_one_core+0x166/0x1b0\\n process_backlog+0x24c/0x5e0\\n __napi_poll+0xa2/0x500\\n net_rx_action+0x854/0xc90\\n __do_softirq+0x1bb/0x5de\\n do_softirq+0xcb/0x100\\n \\n \\n ...\\n \\n\\n Allocated by task 102371:\\n kasan_save_stack+0x1e/0x40\\n kasan_set_track+0x21/0x30\\n __kasan_kmalloc+0x7b/0x90\\n svc_setup_socket+0x52/0x4f0 [sunrpc]\\n svc_addsock+0x20d/0x400 [sunrpc]\\n __write_ports_addfd+0x209/0x390 [nfsd]\\n write_ports+0x239/0x2c0 [nfsd]\\n nfsctl_transaction_write+0xac/0x110 [nfsd]\\n vfs_write+0x1c3/0xae0\\n ksys_write+0xed/0x1c0\\n do_syscall_64+0x38/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\n\\n Freed by task 102551:\\n kasan_save_stack+0x1e/0x40\\n kasan_set_track+0x21/0x30\\n kasan_save_free_info+0x2a/0x50\\n __kasan_slab_free+0x106/0x190\\n __kmem_cache_free+0x133/0x270\\n svc_xprt_free+0x1e2/0x350 [sunrpc]\\n svc_xprt_destroy_all+0x25a/0x440 [sunrpc]\\n nfsd_put+0x125/0x240 [nfsd]\\n nfsd_svc+0x2cb/0x3c0 [nfsd]\\n write_threads+0x1ac/0x2a0 [nfsd]\\n nfsctl_transaction_write+0xac/0x110 [nfsd]\\n vfs_write+0x1c3/0xae0\\n ksys_write+0xed/0x1c0\\n do_syscall_64+0x38/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\n\\nFix the UAF by simply doing nothing in svc_tcp_listen_data_ready()\\nif state != TCP_LISTEN, that will avoid dereferencing svsk for all\\nchild socket.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52885\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52886", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52886" + }, + { + "url": "https://git.kernel.org/stable/c/7fe9d87996062f5eb0ca476ad0257f79bf43aaf5" + }, + { + "url": "https://git.kernel.org/stable/c/8186596a663506b1124bede9fde6f243ef9f37ee" + }, + { + "url": "https://git.kernel.org/stable/c/9d241c5d9a9b7ad95c90c6520272fe404d5ac88f" + }, + { + "url": "https://git.kernel.org/stable/c/b4a074b1fb222164ed7d5c0b8c922dc4a0840848" + }, + { + "url": "https://git.kernel.org/stable/c/b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5" + }, + { + "url": "https://git.kernel.org/stable/c/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52886 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52886", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix race by not overwriting udev->descriptor in hub_port_init()\n\nSyzbot reported an out-of-bounds read in sysfs.c:read_descriptors():\n\nBUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\nRead of size 8 at addr ffff88801e78b8c8 by task udevd/5011\n\nCPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\n print_report mm/kasan/report.c:462 [inline]\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\n read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\n...\nAllocated by task 758:\n...\n __do_kmalloc_node mm/slab_common.c:966 [inline]\n __kmalloc+0x5e/0x190 mm/slab_common.c:979\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:680 [inline]\n usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887\n usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]\n usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545\n\nAs analyzed by Khazhy Kumykov, the cause of this bug is a race between\nread_descriptors() and hub_port_init(): The first routine uses a field\nin udev->descriptor, not expecting it to change, while the second\noverwrites it.\n\nPrior to commit 45bf39f8df7f (\"USB: core: Don't hold device lock while\nreading the \"descriptors\" sysfs file\") this race couldn't occur,\nbecause the routines were mutually exclusive thanks to the device\nlocking. Removing that locking from read_descriptors() exposed it to\nthe race.\n\nThe best way to fix the bug is to keep hub_port_init() from changing\nudev->descriptor once udev has been initialized and registered.\nDrivers expect the descriptors stored in the kernel to be immutable;\nwe should not undermine this expectation. In fact, this change should\nhave been made long ago.\n\nSo now hub_port_init() will take an additional argument, specifying a\nbuffer in which to store the device descriptor it reads. (If udev has\nnot yet been initialized, the buffer pointer will be NULL and then\nhub_port_init() will store the device descriptor in udev as before.)\nThis eliminates the data race responsible for the out-of-bounds read.\n\nThe changes to hub_port_init() appear more extensive than they really\nare, because of indentation changes resulting from an attempt to avoid\nwriting to other parts of the usb_device structure after it has been\ninitialized. Similar changes should be made to the code that reads\nthe BOS descriptor, but that can be handled in a separate patch later\non. This patch is sufficient to fix the bug found by syzbot.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52886\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52886\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52886\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52886\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52886\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7fe9d87996062f5eb0ca476ad0257f79bf43aaf5\",\n \"https://git.kernel.org/stable/c/8186596a663506b1124bede9fde6f243ef9f37ee\",\n \"https://git.kernel.org/stable/c/9d241c5d9a9b7ad95c90c6520272fe404d5ac88f\",\n \"https://git.kernel.org/stable/c/b4a074b1fb222164ed7d5c0b8c922dc4a0840848\",\n \"https://git.kernel.org/stable/c/b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5\",\n \"https://git.kernel.org/stable/c/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: core: Fix race by not overwriting udev->descriptor in hub_port_init()\\n\\nSyzbot reported an out-of-bounds read in sysfs.c:read_descriptors():\\n\\nBUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\\nRead of size 8 at addr ffff88801e78b8c8 by task udevd/5011\\n\\nCPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\\n print_report mm/kasan/report.c:462 [inline]\\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\\n read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\\n...\\nAllocated by task 758:\\n...\\n __do_kmalloc_node mm/slab_common.c:966 [inline]\\n __kmalloc+0x5e/0x190 mm/slab_common.c:979\\n kmalloc include/linux/slab.h:563 [inline]\\n kzalloc include/linux/slab.h:680 [inline]\\n usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887\\n usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]\\n usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545\\n\\nAs analyzed by Khazhy Kumykov, the cause of this bug is a race between\\nread_descriptors() and hub_port_init(): The first routine uses a field\\nin udev->descriptor, not expecting it to change, while the second\\noverwrites it.\\n\\nPrior to commit 45bf39f8df7f (\\\"USB: core: Don't hold device lock while\\nreading the \\\"descriptors\\\" sysfs file\\\") this race couldn't occur,\\nbecause the routines were mutually exclusive thanks to the device\\nlocking. Removing that locking from read_descriptors() exposed it to\\nthe race.\\n\\nThe best way to fix the bug is to keep hub_port_init() from changing\\nudev->descriptor once udev has been initialized and registered.\\nDrivers expect the descriptors stored in the kernel to be immutable;\\nwe should not undermine this expectation. In fact, this change should\\nhave been made long ago.\\n\\nSo now hub_port_init() will take an additional argument, specifying a\\nbuffer in which to store the device descriptor it reads. (If udev has\\nnot yet been initialized, the buffer pointer will be NULL and then\\nhub_port_init() will store the device descriptor in udev as before.)\\nThis eliminates the data race responsible for the out-of-bounds read.\\n\\nThe changes to hub_port_init() appear more extensive than they really\\nare, because of indentation changes resulting from an attempt to avoid\\nwriting to other parts of the usb_device structure after it has been\\ninitialized. Similar changes should be made to the code that reads\\nthe BOS descriptor, but that can be handled in a separate patch later\\non. This patch is sufficient to fix the bug found by syzbot.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52886\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52887", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52887" + }, + { + "url": "https://git.kernel.org/stable/c/0bc0a7416ea73f79f915c9a05ac0858dff65cfed" + }, + { + "url": "https://git.kernel.org/stable/c/1762ca80c2b72dd1b5821c5e347713ae696276ea" + }, + { + "url": "https://git.kernel.org/stable/c/177e33b655d35d72866b50aec84307119dc5f3d4" + }, + { + "url": "https://git.kernel.org/stable/c/26b18dd30e63d4fd777be429148e8e4ed66f60b2" + }, + { + "url": "https://git.kernel.org/stable/c/d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb" + }, + { + "url": "https://git.kernel.org/stable/c/ed581989d7ea9df6f8646beba2341e32cd49a1f9" + }, + { + "url": "https://git.kernel.org/stable/c/f6c839e717901dbd6b1c1ca807b6210222eb70f6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52887 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52887", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new\n\nThis patch enhances error handling in scenarios with RTS (Request to\nSend) messages arriving closely. It replaces the less informative WARN_ON_ONCE\nbacktraces with a new error handling method. This provides clearer error\nmessages and allows for the early termination of problematic sessions.\nPreviously, sessions were only released at the end of j1939_xtp_rx_rts().\n\nPotentially this could be reproduced with something like:\ntestj1939 -r vcan0:0x80 &\nwhile true; do\n\t# send first RTS\n\tcansend vcan0 18EC8090#1014000303002301;\n\t# send second RTS\n\tcansend vcan0 18EC8090#1014000303002301;\n\t# send abort\n\tcansend vcan0 18EC8090#ff00000000002301;\ndone", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52887\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52887\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52887\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52887\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52887\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0bc0a7416ea73f79f915c9a05ac0858dff65cfed\",\n \"https://git.kernel.org/stable/c/1762ca80c2b72dd1b5821c5e347713ae696276ea\",\n \"https://git.kernel.org/stable/c/177e33b655d35d72866b50aec84307119dc5f3d4\",\n \"https://git.kernel.org/stable/c/26b18dd30e63d4fd777be429148e8e4ed66f60b2\",\n \"https://git.kernel.org/stable/c/d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb\",\n \"https://git.kernel.org/stable/c/ed581989d7ea9df6f8646beba2341e32cd49a1f9\",\n \"https://git.kernel.org/stable/c/f6c839e717901dbd6b1c1ca807b6210222eb70f6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new\\n\\nThis patch enhances error handling in scenarios with RTS (Request to\\nSend) messages arriving closely. It replaces the less informative WARN_ON_ONCE\\nbacktraces with a new error handling method. This provides clearer error\\nmessages and allows for the early termination of problematic sessions.\\nPreviously, sessions were only released at the end of j1939_xtp_rx_rts().\\n\\nPotentially this could be reproduced with something like:\\ntestj1939 -r vcan0:0x80 &\\nwhile true; do\\n\\t# send first RTS\\n\\tcansend vcan0 18EC8090#1014000303002301;\\n\\t# send second RTS\\n\\tcansend vcan0 18EC8090#1014000303002301;\\n\\t# send abort\\n\\tcansend vcan0 18EC8090#ff00000000002301;\\ndone\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52887\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52888", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52888" + }, + { + "url": "https://git.kernel.org/stable/c/303d01082edaf817ee2df53a40dca9da637a2c04" + }, + { + "url": "https://git.kernel.org/stable/c/5c217253c76c94f76d1df31d0bbdcb88dc07be91" + }, + { + "url": "https://git.kernel.org/stable/c/eb005c801ec70ff4307727bd3bd6e8280169ef32" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52888 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52888", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Only free buffer VA that is not NULL\n\nIn the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly\ncalled only when the buffer to free exists, there are some instances\nthat didn't do the check and triggered warnings in practice.\n\nWe believe those checks were forgotten unintentionally. Add the checks\nback to fix the warnings.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52888\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52888\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52888\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52888\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52888\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/303d01082edaf817ee2df53a40dca9da637a2c04\",\n \"https://git.kernel.org/stable/c/5c217253c76c94f76d1df31d0bbdcb88dc07be91\",\n \"https://git.kernel.org/stable/c/eb005c801ec70ff4307727bd3bd6e8280169ef32\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: mediatek: vcodec: Only free buffer VA that is not NULL\\n\\nIn the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly\\ncalled only when the buffer to free exists, there are some instances\\nthat didn't do the check and triggered warnings in practice.\\n\\nWe believe those checks were forgotten unintentionally. Add the checks\\nback to fix the warnings.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52888\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52889", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52889" + }, + { + "url": "https://git.kernel.org/stable/c/0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1" + }, + { + "url": "https://git.kernel.org/stable/c/290a6b88e8c19b6636ed1acc733d1458206f7697" + }, + { + "url": "https://git.kernel.org/stable/c/347dcb84a4874b5fb375092c08d8cc4069b94f81" + }, + { + "url": "https://git.kernel.org/stable/c/46c17ead5b7389e22e7dc9903fd0ba865d05bda2" + }, + { + "url": "https://git.kernel.org/stable/c/6c920754f62cefc63fccdc38a062c7c3452e2961" + }, + { + "url": "https://git.kernel.org/stable/c/ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2" + }, + { + "url": "https://git.kernel.org/stable/c/fce09ea314505a52f2436397608fa0a5d0934fb1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52889 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52889", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix null pointer deref when receiving skb during sock creation\n\nThe panic below is observed when receiving ICMP packets with secmark set\nwhile an ICMP raw socket is being created. SK_CTX(sk)->label is updated\nin apparmor_socket_post_create(), but the packet is delivered to the\nsocket before that, causing the null pointer dereference.\nDrop the packet if label context is not set.\n\n BUG: kernel NULL pointer dereference, address: 000000000000004c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020\n RIP: 0010:aa_label_next_confined+0xb/0x40\n Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2\n RSP: 0018:ffffa92940003b08 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e\n RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002\n R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000\n FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0\n PKRU: 55555554\n Call Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? aa_label_next_confined+0xb/0x40\n apparmor_secmark_check+0xec/0x330\n security_sock_rcv_skb+0x35/0x50\n sk_filter_trim_cap+0x47/0x250\n sock_queue_rcv_skb_reason+0x20/0x60\n raw_rcv+0x13c/0x210\n raw_local_deliver+0x1f3/0x250\n ip_protocol_deliver_rcu+0x4f/0x2f0\n ip_local_deliver_finish+0x76/0xa0\n __netif_receive_skb_one_core+0x89/0xa0\n netif_receive_skb+0x119/0x170\n ? __netdev_alloc_skb+0x3d/0x140\n vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n __napi_poll+0x28/0x1b0\n net_rx_action+0x2a4/0x380\n __do_softirq+0xd1/0x2c8\n __irq_exit_rcu+0xbb/0xf0\n common_interrupt+0x86/0xa0\n \n \n asm_common_interrupt+0x26/0x40\n RIP: 0010:apparmor_socket_post_create+0xb/0x200\n Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48\n RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286\n RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001\n RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740\n RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003\n R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748\n ? __pfx_apparmor_socket_post_create+0x10/0x10\n security_socket_post_create+0x4b/0x80\n __sock_create+0x176/0x1f0\n __sys_socket+0x89/0x100\n __x64_sys_socket+0x17/0x20\n do_syscall_64+0x5d/0x90\n ? do_syscall_64+0x6c/0x90\n ? do_syscall_64+0x6c/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52889\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52889\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52889\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52889\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52889\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1\",\n \"https://git.kernel.org/stable/c/290a6b88e8c19b6636ed1acc733d1458206f7697\",\n \"https://git.kernel.org/stable/c/347dcb84a4874b5fb375092c08d8cc4069b94f81\",\n \"https://git.kernel.org/stable/c/46c17ead5b7389e22e7dc9903fd0ba865d05bda2\",\n \"https://git.kernel.org/stable/c/6c920754f62cefc63fccdc38a062c7c3452e2961\",\n \"https://git.kernel.org/stable/c/ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2\",\n \"https://git.kernel.org/stable/c/fce09ea314505a52f2436397608fa0a5d0934fb1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\napparmor: Fix null pointer deref when receiving skb during sock creation\\n\\nThe panic below is observed when receiving ICMP packets with secmark set\\nwhile an ICMP raw socket is being created. SK_CTX(sk)->label is updated\\nin apparmor_socket_post_create(), but the packet is delivered to the\\nsocket before that, causing the null pointer dereference.\\nDrop the packet if label context is not set.\\n\\n BUG: kernel NULL pointer dereference, address: 000000000000004c\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 [#1] PREEMPT SMP NOPTI\\n CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df\\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020\\n RIP: 0010:aa_label_next_confined+0xb/0x40\\n Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2\\n RSP: 0018:ffffa92940003b08 EFLAGS: 00010246\\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e\\n RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000\\n RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002\\n R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400\\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000\\n FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0\\n PKRU: 55555554\\n Call Trace:\\n \\n ? __die+0x23/0x70\\n ? page_fault_oops+0x171/0x4e0\\n ? exc_page_fault+0x7f/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? aa_label_next_confined+0xb/0x40\\n apparmor_secmark_check+0xec/0x330\\n security_sock_rcv_skb+0x35/0x50\\n sk_filter_trim_cap+0x47/0x250\\n sock_queue_rcv_skb_reason+0x20/0x60\\n raw_rcv+0x13c/0x210\\n raw_local_deliver+0x1f3/0x250\\n ip_protocol_deliver_rcu+0x4f/0x2f0\\n ip_local_deliver_finish+0x76/0xa0\\n __netif_receive_skb_one_core+0x89/0xa0\\n netif_receive_skb+0x119/0x170\\n ? __netdev_alloc_skb+0x3d/0x140\\n vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\\n vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\\n __napi_poll+0x28/0x1b0\\n net_rx_action+0x2a4/0x380\\n __do_softirq+0xd1/0x2c8\\n __irq_exit_rcu+0xbb/0xf0\\n common_interrupt+0x86/0xa0\\n \\n \\n asm_common_interrupt+0x26/0x40\\n RIP: 0010:apparmor_socket_post_create+0xb/0x200\\n Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48\\n RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286\\n RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001\\n RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740\\n RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\\n R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003\\n R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748\\n ? __pfx_apparmor_socket_post_create+0x10/0x10\\n security_socket_post_create+0x4b/0x80\\n __sock_create+0x176/0x1f0\\n __sys_socket+0x89/0x100\\n __x64_sys_socket+0x17/0x20\\n do_syscall_64+0x5d/0x90\\n ? do_syscall_64+0x6c/0x90\\n ? do_syscall_64+0x6c/0x90\\n ? do_syscall_64+0x6c/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52889\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52893" + }, + { + "url": "https://git.kernel.org/stable/c/32313c11bdc8a02c577abaf865be3664ab30410a" + }, + { + "url": "https://git.kernel.org/stable/c/6646d769fdb0ce4318ef9afd127f8526d1ca8393" + }, + { + "url": "https://git.kernel.org/stable/c/a769b05eeed7accc4019a1ed9799dd72067f1ce8" + }, + { + "url": "https://git.kernel.org/stable/c/ae2a9dcc8caa60b1e14671294e5ec902ea5d1dfd" + }, + { + "url": "https://git.kernel.org/stable/c/eb0421d90f916dffe96b4c049ddf01c0c50620d2" + }, + { + "url": "https://git.kernel.org/stable/c/ee5763ef829bd923033510de6d1df7c73f085e4b" + }, + { + "url": "https://git.kernel.org/stable/c/ffef77794fb5f1245c3249b86342bad2299accb5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngsmi: fix null-deref in gsmi_get_variable\n\nWe can get EFI variables without fetching the attribute, so we must\nallow for that in gsmi.\n\ncommit 859748255b43 (\"efi: pstore: Omit efivars caching EFI varstore\naccess layer\") added a new get_variable call with attr=NULL, which\ntriggers panic in gsmi.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32313c11bdc8a02c577abaf865be3664ab30410a\",\n \"https://git.kernel.org/stable/c/6646d769fdb0ce4318ef9afd127f8526d1ca8393\",\n \"https://git.kernel.org/stable/c/a769b05eeed7accc4019a1ed9799dd72067f1ce8\",\n \"https://git.kernel.org/stable/c/ae2a9dcc8caa60b1e14671294e5ec902ea5d1dfd\",\n \"https://git.kernel.org/stable/c/eb0421d90f916dffe96b4c049ddf01c0c50620d2\",\n \"https://git.kernel.org/stable/c/ee5763ef829bd923033510de6d1df7c73f085e4b\",\n \"https://git.kernel.org/stable/c/ffef77794fb5f1245c3249b86342bad2299accb5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngsmi: fix null-deref in gsmi_get_variable\\n\\nWe can get EFI variables without fetching the attribute, so we must\\nallow for that in gsmi.\\n\\ncommit 859748255b43 (\\\"efi: pstore: Omit efivars caching EFI varstore\\naccess layer\\\") added a new get_variable call with attr=NULL, which\\ntriggers panic in gsmi.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52894", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52894" + }, + { + "url": "https://git.kernel.org/stable/c/09e4507ec8ef2d44da6ba4092b8ee2d81f216497" + }, + { + "url": "https://git.kernel.org/stable/c/63d161f29cd39c050e8873aa36e0c9fc013bb763" + }, + { + "url": "https://git.kernel.org/stable/c/a21da7f7aae618c785f7e4a275d43c06dc8412b6" + }, + { + "url": "https://git.kernel.org/stable/c/a69c8dfb85b44be9cc223be07d35cc3a9baefbea" + }, + { + "url": "https://git.kernel.org/stable/c/c6ec929595c7443250b2a4faea988c62019d5cd2" + }, + { + "url": "https://git.kernel.org/stable/c/e92c70059178da751e5af7de02384b7dfadb5ec7" + }, + { + "url": "https://git.kernel.org/stable/c/fef6b29671b66dfb71f17e337c1ad14b5a2cedae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52894 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52894", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()\n\nIn Google internal bug 265639009 we've received an (as yet) unreproducible\ncrash report from an aarch64 GKI 5.10.149-android13 running device.\n\nAFAICT the source code is at:\n https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10\n\nThe call stack is:\n ncm_close() -> ncm_notify() -> ncm_do_notify()\nwith the crash at:\n ncm_do_notify+0x98/0x270\nCode: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)\n\nWhich I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):\n\n // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)\n 0B 0D 00 79 strh w11, [x8, #6]\n\n // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)\n 6C 0A 00 B9 str w12, [x19, #8]\n\n // x10 (NULL) was read here from offset 0 of valid pointer x9\n // IMHO we're reading 'cdev->gadget' and getting NULL\n // gadget is indeed at offset 0 of struct usb_composite_dev\n 2A 01 40 F9 ldr x10, [x9]\n\n // loading req->buf pointer, which is at offset 0 of struct usb_request\n 69 02 40 F9 ldr x9, [x19]\n\n // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed\n 4B 5D 40 B9 ldr w11, [x10, #0x5c]\n\nwhich seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:\n\n event->wLength = cpu_to_le16(8);\n req->length = NCM_STATUS_BYTECOUNT;\n\n /* SPEED_CHANGE data is up/down speeds in bits/sec */\n data = req->buf + sizeof *event;\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\n\nMy analysis of registers and NULL ptr deref crash offset\n (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)\nheavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\nwhich calls:\n ncm_bitrate(NULL)\nwhich then calls:\n gadget_is_superspeed(NULL)\nwhich reads\n ((struct usb_gadget *)NULL)->max_speed\nand hits a panic.\n\nAFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.\n(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)\n\nIt's not at all clear to me how this is all supposed to work...\nbut returning 0 seems much better than panic-ing...", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52894\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52894\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52894\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52894\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52894\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09e4507ec8ef2d44da6ba4092b8ee2d81f216497\",\n \"https://git.kernel.org/stable/c/63d161f29cd39c050e8873aa36e0c9fc013bb763\",\n \"https://git.kernel.org/stable/c/a21da7f7aae618c785f7e4a275d43c06dc8412b6\",\n \"https://git.kernel.org/stable/c/a69c8dfb85b44be9cc223be07d35cc3a9baefbea\",\n \"https://git.kernel.org/stable/c/c6ec929595c7443250b2a4faea988c62019d5cd2\",\n \"https://git.kernel.org/stable/c/e92c70059178da751e5af7de02384b7dfadb5ec7\",\n \"https://git.kernel.org/stable/c/fef6b29671b66dfb71f17e337c1ad14b5a2cedae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()\\n\\nIn Google internal bug 265639009 we've received an (as yet) unreproducible\\ncrash report from an aarch64 GKI 5.10.149-android13 running device.\\n\\nAFAICT the source code is at:\\n https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10\\n\\nThe call stack is:\\n ncm_close() -> ncm_notify() -> ncm_do_notify()\\nwith the crash at:\\n ncm_do_notify+0x98/0x270\\nCode: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)\\n\\nWhich I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):\\n\\n // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)\\n 0B 0D 00 79 strh w11, [x8, #6]\\n\\n // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)\\n 6C 0A 00 B9 str w12, [x19, #8]\\n\\n // x10 (NULL) was read here from offset 0 of valid pointer x9\\n // IMHO we're reading 'cdev->gadget' and getting NULL\\n // gadget is indeed at offset 0 of struct usb_composite_dev\\n 2A 01 40 F9 ldr x10, [x9]\\n\\n // loading req->buf pointer, which is at offset 0 of struct usb_request\\n 69 02 40 F9 ldr x9, [x19]\\n\\n // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed\\n 4B 5D 40 B9 ldr w11, [x10, #0x5c]\\n\\nwhich seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:\\n\\n event->wLength = cpu_to_le16(8);\\n req->length = NCM_STATUS_BYTECOUNT;\\n\\n /* SPEED_CHANGE data is up/down speeds in bits/sec */\\n data = req->buf + sizeof *event;\\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\\n\\nMy analysis of registers and NULL ptr deref crash offset\\n (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)\\nheavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:\\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\\nwhich calls:\\n ncm_bitrate(NULL)\\nwhich then calls:\\n gadget_is_superspeed(NULL)\\nwhich reads\\n ((struct usb_gadget *)NULL)->max_speed\\nand hits a panic.\\n\\nAFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.\\n(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)\\n\\nIt's not at all clear to me how this is all supposed to work...\\nbut returning 0 seems much better than panic-ing...\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52894\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52896", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52896" + }, + { + "url": "https://git.kernel.org/stable/c/1004fc90f0d79a4b7d9e3d432729914f472f9ad1" + }, + { + "url": "https://git.kernel.org/stable/c/3bd43374857103ba3cac751d6d4afa8d83b5d92a" + }, + { + "url": "https://git.kernel.org/stable/c/64287cd456a22373053998c1fccf14b651e9cbbd" + }, + { + "url": "https://git.kernel.org/stable/c/89ac597e3e807b91e2ebd6a7c36fec7b97290233" + }, + { + "url": "https://git.kernel.org/stable/c/b7adbf9ada3513d2092362c8eac5cddc5b651f5c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52896 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52896", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between quota rescan and disable leading to NULL pointer deref\n\nIf we have one task trying to start the quota rescan worker while another\none is trying to disable quotas, we can end up hitting a race that results\nin the quota rescan worker doing a NULL pointer dereference. The steps for\nthis are the following:\n\n1) Quotas are enabled;\n\n2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().\n It calls qgroup_rescan_init() which returns 0 (success) and then joins a\n transaction and commits it;\n\n3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().\n It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls\n btrfs_qgroup_wait_for_completion(), which returns immediately since the\n rescan worker is not yet running.\n Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;\n\n4) Task A queues the rescan worker, by calling btrfs_queue_work();\n\n5) The rescan worker starts, and calls rescan_should_stop() at the start\n of its while loop, which results in 0 iterations of the loop, since\n the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by\n task B at step 3);\n\n6) Task B sets fs_info->quota_root to NULL;\n\n7) The rescan worker tries to start a transaction and uses\n fs_info->quota_root as the root argument for btrfs_start_transaction().\n This results in a NULL pointer dereference down the call chain of\n btrfs_start_transaction(). The stack trace is something like the one\n reported in Link tag below:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Workqueue: btrfs-qgroup-rescan btrfs_work_helper\n RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564\n Code: 48 89 fb 48 (...)\n RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206\n RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\n RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d\n R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003\n FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402\n btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280\n process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\n worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\n kthread+0x266/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n Modules linked in:\n\nSo fix this by having the rescan worker function not attempt to start a\ntransaction if it didn't do any rescan work.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52896\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52896\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52896\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52896\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52896\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1004fc90f0d79a4b7d9e3d432729914f472f9ad1\",\n \"https://git.kernel.org/stable/c/3bd43374857103ba3cac751d6d4afa8d83b5d92a\",\n \"https://git.kernel.org/stable/c/64287cd456a22373053998c1fccf14b651e9cbbd\",\n \"https://git.kernel.org/stable/c/89ac597e3e807b91e2ebd6a7c36fec7b97290233\",\n \"https://git.kernel.org/stable/c/b7adbf9ada3513d2092362c8eac5cddc5b651f5c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix race between quota rescan and disable leading to NULL pointer deref\\n\\nIf we have one task trying to start the quota rescan worker while another\\none is trying to disable quotas, we can end up hitting a race that results\\nin the quota rescan worker doing a NULL pointer dereference. The steps for\\nthis are the following:\\n\\n1) Quotas are enabled;\\n\\n2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().\\n It calls qgroup_rescan_init() which returns 0 (success) and then joins a\\n transaction and commits it;\\n\\n3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().\\n It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls\\n btrfs_qgroup_wait_for_completion(), which returns immediately since the\\n rescan worker is not yet running.\\n Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;\\n\\n4) Task A queues the rescan worker, by calling btrfs_queue_work();\\n\\n5) The rescan worker starts, and calls rescan_should_stop() at the start\\n of its while loop, which results in 0 iterations of the loop, since\\n the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by\\n task B at step 3);\\n\\n6) Task B sets fs_info->quota_root to NULL;\\n\\n7) The rescan worker tries to start a transaction and uses\\n fs_info->quota_root as the root argument for btrfs_start_transaction().\\n This results in a NULL pointer dereference down the call chain of\\n btrfs_start_transaction(). The stack trace is something like the one\\n reported in Link tag below:\\n\\n general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN\\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\\n CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0\\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\\n Workqueue: btrfs-qgroup-rescan btrfs_work_helper\\n RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564\\n Code: 48 89 fb 48 (...)\\n RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206\\n RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80\\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\\n RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d\\n R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000\\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003\\n FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n Call Trace:\\n \\n btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402\\n btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280\\n process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\\n worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\\n kthread+0x266/0x300 kernel/kthread.c:376\\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\\n \\n Modules linked in:\\n\\nSo fix this by having the rescan worker function not attempt to start a\\ntransaction if it didn't do any rescan work.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52896\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52898", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52898" + }, + { + "url": "https://git.kernel.org/stable/c/081105213ff6f661c114781d469233c7d0e09c2e" + }, + { + "url": "https://git.kernel.org/stable/c/133b902378e4acbd824c29dd0d48570ad596e368" + }, + { + "url": "https://git.kernel.org/stable/c/6fac4b5cecb3928a0a81069aaa815a2edc8dd5a1" + }, + { + "url": "https://git.kernel.org/stable/c/a2bc47c43e70cf904b1af49f76d572326c08bca7" + }, + { + "url": "https://git.kernel.org/stable/c/c462ac871f49753eca86bb960f573b993976a5ea" + }, + { + "url": "https://git.kernel.org/stable/c/ea2ee5e9991caf74e0604f994c1831a5867055b2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52898 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52898", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix null pointer dereference when host dies\n\nMake sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race\nand cause null pointer dereference when host suddenly dies.\n\nUsb core may call xhci_free_dev() which frees the xhci->devs[slot_id]\nvirt device at the same time that xhci_kill_endpoint_urbs() tries to\nloop through all the device's endpoints, checking if there are any\ncancelled urbs left to give back.\n\nhold the xhci spinlock while freeing the virt device", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52898\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52898\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52898\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52898\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52898\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/081105213ff6f661c114781d469233c7d0e09c2e\",\n \"https://git.kernel.org/stable/c/133b902378e4acbd824c29dd0d48570ad596e368\",\n \"https://git.kernel.org/stable/c/6fac4b5cecb3928a0a81069aaa815a2edc8dd5a1\",\n \"https://git.kernel.org/stable/c/a2bc47c43e70cf904b1af49f76d572326c08bca7\",\n \"https://git.kernel.org/stable/c/c462ac871f49753eca86bb960f573b993976a5ea\",\n \"https://git.kernel.org/stable/c/ea2ee5e9991caf74e0604f994c1831a5867055b2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxhci: Fix null pointer dereference when host dies\\n\\nMake sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race\\nand cause null pointer dereference when host suddenly dies.\\n\\nUsb core may call xhci_free_dev() which frees the xhci->devs[slot_id]\\nvirt device at the same time that xhci_kill_endpoint_urbs() tries to\\nloop through all the device's endpoints, checking if there are any\\ncancelled urbs left to give back.\\n\\nhold the xhci spinlock while freeing the virt device\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52898\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52899" + }, + { + "url": "https://git.kernel.org/stable/c/20d0a6d17e85a8a816a64fa7d7cae616f1617833" + }, + { + "url": "https://git.kernel.org/stable/c/5054d001ffaf76155637c5e5b922c11016cd6a5d" + }, + { + "url": "https://git.kernel.org/stable/c/51a7ad5b60efac65691729d10745c28fa1016b96" + }, + { + "url": "https://git.kernel.org/stable/c/53dd833fd0a2d8f0118d01ea063a70652689d31e" + }, + { + "url": "https://git.kernel.org/stable/c/57054fe516d59d03a7bcf1888e82479ccc244f87" + }, + { + "url": "https://git.kernel.org/stable/c/f534dc438828cc3f1f8c6895b8bdfbef079521fb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nAdd exception protection processing for vd in axi_chan_handle_err function\n\nSince there is no protection for vd, a kernel panic will be\ntriggered here in exceptional cases.\n\nYou can refer to the processing of axi_chan_block_xfer_complete function\n\nThe triggered kernel panic is as follows:\n\n[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n[ 67.848447] Mem abort info:\n[ 67.848449] ESR = 0x96000004\n[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 67.848454] SET = 0, FnV = 0\n[ 67.848456] EA = 0, S1PTW = 0\n[ 67.848458] Data abort info:\n[ 67.848460] ISV = 0, ISS = 0x00000004\n[ 67.848462] CM = 0, WnR = 0\n[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000\n[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000\n[ 67.848472] Internal error: Oops: 96000004 [#1] SMP\n[ 67.848475] Modules linked in: dmatest\n[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11\n[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)\n[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230\n[ 67.848491] lr : axi_chan_handle_err+0x30/0x230\n[ 67.848493] sp : ffff0803fe55ae50\n[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200\n[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080\n[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850\n[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000\n[ 67.848512] x21: 0000000000000080 x20: 0000000000002000\n[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000\n[ 67.848521] x17: 0000000000000000 x16: 0000000000000000\n[ 67.848525] x15: 0000000000000000 x14: 0000000000000000\n[ 67.848529] x13: 0000000000000000 x12: 0000000000000040\n[ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a\n[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270\n[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0\n[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480\n[ 67.848550] x3 : dead000000000100 x2 : dead000000000122\n[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168\n[ 67.848559] Call trace:\n[ 67.848562] axi_chan_handle_err+0xc4/0x230\n[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590\n[ 67.848569] __handle_irq_event_percpu+0x60/0x220\n[ 67.848573] handle_irq_event+0x64/0x120\n[ 67.848576] handle_fasteoi_irq+0xc4/0x220\n[ 67.848580] __handle_domain_irq+0x80/0xe0\n[ 67.848583] gic_handle_irq+0xc0/0x138\n[ 67.848585] el1_irq+0xc8/0x180\n[ 67.848588] arch_cpu_idle+0x14/0x2c\n[ 67.848591] default_idle_call+0x40/0x16c\n[ 67.848594] do_idle+0x1f0/0x250\n[ 67.848597] cpu_startup_entry+0x2c/0x60\n[ 67.848600] rest_init+0xc0/0xcc\n[ 67.848603] arch_call_rest_init+0x14/0x1c\n[ 67.848606] start_kernel+0x4cc/0x500\n[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)\n[ 67.848613] ---[ end trace 585a97036f88203a ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/20d0a6d17e85a8a816a64fa7d7cae616f1617833\",\n \"https://git.kernel.org/stable/c/5054d001ffaf76155637c5e5b922c11016cd6a5d\",\n \"https://git.kernel.org/stable/c/51a7ad5b60efac65691729d10745c28fa1016b96\",\n \"https://git.kernel.org/stable/c/53dd833fd0a2d8f0118d01ea063a70652689d31e\",\n \"https://git.kernel.org/stable/c/57054fe516d59d03a7bcf1888e82479ccc244f87\",\n \"https://git.kernel.org/stable/c/f534dc438828cc3f1f8c6895b8bdfbef079521fb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nAdd exception protection processing for vd in axi_chan_handle_err function\\n\\nSince there is no protection for vd, a kernel panic will be\\ntriggered here in exceptional cases.\\n\\nYou can refer to the processing of axi_chan_block_xfer_complete function\\n\\nThe triggered kernel panic is as follows:\\n\\n[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\\n[ 67.848447] Mem abort info:\\n[ 67.848449] ESR = 0x96000004\\n[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits\\n[ 67.848454] SET = 0, FnV = 0\\n[ 67.848456] EA = 0, S1PTW = 0\\n[ 67.848458] Data abort info:\\n[ 67.848460] ISV = 0, ISS = 0x00000004\\n[ 67.848462] CM = 0, WnR = 0\\n[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000\\n[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000\\n[ 67.848472] Internal error: Oops: 96000004 [#1] SMP\\n[ 67.848475] Modules linked in: dmatest\\n[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11\\n[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)\\n[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230\\n[ 67.848491] lr : axi_chan_handle_err+0x30/0x230\\n[ 67.848493] sp : ffff0803fe55ae50\\n[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200\\n[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080\\n[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850\\n[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000\\n[ 67.848512] x21: 0000000000000080 x20: 0000000000002000\\n[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000\\n[ 67.848521] x17: 0000000000000000 x16: 0000000000000000\\n[ 67.848525] x15: 0000000000000000 x14: 0000000000000000\\n[ 67.848529] x13: 0000000000000000 x12: 0000000000000040\\n[ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a\\n[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270\\n[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0\\n[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480\\n[ 67.848550] x3 : dead000000000100 x2 : dead000000000122\\n[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168\\n[ 67.848559] Call trace:\\n[ 67.848562] axi_chan_handle_err+0xc4/0x230\\n[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590\\n[ 67.848569] __handle_irq_event_percpu+0x60/0x220\\n[ 67.848573] handle_irq_event+0x64/0x120\\n[ 67.848576] handle_fasteoi_irq+0xc4/0x220\\n[ 67.848580] __handle_domain_irq+0x80/0xe0\\n[ 67.848583] gic_handle_irq+0xc0/0x138\\n[ 67.848585] el1_irq+0xc8/0x180\\n[ 67.848588] arch_cpu_idle+0x14/0x2c\\n[ 67.848591] default_idle_call+0x40/0x16c\\n[ 67.848594] do_idle+0x1f0/0x250\\n[ 67.848597] cpu_startup_entry+0x2c/0x60\\n[ 67.848600] rest_init+0xc0/0xcc\\n[ 67.848603] arch_call_rest_init+0x14/0x1c\\n[ 67.848606] start_kernel+0x4cc/0x500\\n[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)\\n[ 67.848613] ---[ end trace 585a97036f88203a ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52900" + }, + { + "url": "https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04" + }, + { + "url": "https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545" + }, + { + "url": "https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062" + }, + { + "url": "https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243" + }, + { + "url": "https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051" + }, + { + "url": "https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d" + }, + { + "url": "https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix general protection fault in nilfs_btree_insert()\n\nIf nilfs2 reads a corrupted disk image and tries to reads a b-tree node\nblock by calling __nilfs_btree_get_block() against an invalid virtual\nblock address, it returns -ENOENT because conversion of the virtual block\naddress to a disk block address fails. However, this return value is the\nsame as the internal code that b-tree lookup routines return to indicate\nthat the block being searched does not exist, so functions that operate on\nthat b-tree may misbehave.\n\nWhen nilfs_btree_insert() receives this spurious 'not found' code from\nnilfs_btree_do_lookup(), it misunderstands that the 'not found' check was\nsuccessful and continues the insert operation using incomplete lookup path\ndata, causing the following crash:\n\n general protection fault, probably for non-canonical address\n 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n ...\n RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]\n RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]\n RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238\n Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89\n ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c\n 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02\n ...\n Call Trace:\n \n nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]\n nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147\n nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101\n __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991\n __block_write_begin fs/buffer.c:2041 [inline]\n block_write_begin+0x93/0x1e0 fs/buffer.c:2102\n nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\n __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900\n generic_file_write_iter+0xab/0x310 mm/filemap.c:3932\n call_write_iter include/linux/fs.h:2186 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n ...\n \n\nThis patch fixes the root cause of this problem by replacing the error\ncode that __nilfs_btree_get_block() returns on block address conversion\nfailure from -ENOENT to another internal code -EINVAL which means that the\nb-tree metadata is corrupted.\n\nBy returning -EINVAL, it propagates without glitches, and for all relevant\nb-tree operations, functions in the upper bmap layer output an error\nmessage indicating corrupted b-tree metadata via\nnilfs_bmap_convert_error(), and code -EIO will be eventually returned as\nit should be.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04\",\n \"https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545\",\n \"https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062\",\n \"https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243\",\n \"https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051\",\n \"https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d\",\n \"https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix general protection fault in nilfs_btree_insert()\\n\\nIf nilfs2 reads a corrupted disk image and tries to reads a b-tree node\\nblock by calling __nilfs_btree_get_block() against an invalid virtual\\nblock address, it returns -ENOENT because conversion of the virtual block\\naddress to a disk block address fails. However, this return value is the\\nsame as the internal code that b-tree lookup routines return to indicate\\nthat the block being searched does not exist, so functions that operate on\\nthat b-tree may misbehave.\\n\\nWhen nilfs_btree_insert() receives this spurious 'not found' code from\\nnilfs_btree_do_lookup(), it misunderstands that the 'not found' check was\\nsuccessful and continues the insert operation using incomplete lookup path\\ndata, causing the following crash:\\n\\n general protection fault, probably for non-canonical address\\n 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\\n ...\\n RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]\\n RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]\\n RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238\\n Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89\\n ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c\\n 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02\\n ...\\n Call Trace:\\n \\n nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]\\n nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147\\n nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101\\n __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991\\n __block_write_begin fs/buffer.c:2041 [inline]\\n block_write_begin+0x93/0x1e0 fs/buffer.c:2102\\n nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261\\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\\n __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900\\n generic_file_write_iter+0xab/0x310 mm/filemap.c:3932\\n call_write_iter include/linux/fs.h:2186 [inline]\\n new_sync_write fs/read_write.c:491 [inline]\\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\\n ksys_write+0x177/0x2a0 fs/read_write.c:637\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n ...\\n \\n\\nThis patch fixes the root cause of this problem by replacing the error\\ncode that __nilfs_btree_get_block() returns on block address conversion\\nfailure from -ENOENT to another internal code -EINVAL which means that the\\nb-tree metadata is corrupted.\\n\\nBy returning -EINVAL, it propagates without glitches, and for all relevant\\nb-tree operations, functions in the upper bmap layer output an error\\nmessage indicating corrupted b-tree metadata via\\nnilfs_bmap_convert_error(), and code -EIO will be eventually returned as\\nit should be.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52901", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52901" + }, + { + "url": "https://git.kernel.org/stable/c/08864dc14a6803f0377ca77b9740b26db30c020f" + }, + { + "url": "https://git.kernel.org/stable/c/2d2820d5f375563690c96e60676855205abfb7f5" + }, + { + "url": "https://git.kernel.org/stable/c/375be2dd61a072f7b1cac9b17eea59e07b58db3a" + }, + { + "url": "https://git.kernel.org/stable/c/66fc1600855c05c4ba4e997184c91cf298e0405c" + }, + { + "url": "https://git.kernel.org/stable/c/9891e5c73cab3fd9ed532dc50e9799e55e974766" + }, + { + "url": "https://git.kernel.org/stable/c/e8fb5bc76eb86437ab87002d4a36d6da02165654" + }, + { + "url": "https://git.kernel.org/stable/c/f39c813af0b64f44af94e435c07bfa1ddc2575f5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52901 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52901", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Check endpoint is valid before dereferencing it\n\nWhen the host controller is not responding, all URBs queued to all\nendpoints need to be killed. This can cause a kernel panic if we\ndereference an invalid endpoint.\n\nFix this by using xhci_get_virt_ep() helper to find the endpoint and\nchecking if the endpoint is valid before dereferencing it.\n\n[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead\n[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8\n\n[233311.853964] pc : xhci_hc_died+0x10c/0x270\n[233311.853971] lr : xhci_hc_died+0x1ac/0x270\n\n[233311.854077] Call trace:\n[233311.854085] xhci_hc_died+0x10c/0x270\n[233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4\n[233311.854105] call_timer_fn+0x50/0x2d4\n[233311.854112] expire_timers+0xac/0x2e4\n[233311.854118] run_timer_softirq+0x300/0xabc\n[233311.854127] __do_softirq+0x148/0x528\n[233311.854135] irq_exit+0x194/0x1a8\n[233311.854143] __handle_domain_irq+0x164/0x1d0\n[233311.854149] gic_handle_irq.22273+0x10c/0x188\n[233311.854156] el1_irq+0xfc/0x1a8\n[233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm]\n[233311.854185] cpuidle_enter_state+0x1f0/0x764\n[233311.854194] do_idle+0x594/0x6ac\n[233311.854201] cpu_startup_entry+0x7c/0x80\n[233311.854209] secondary_start_kernel+0x170/0x198", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52901\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52901\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52901\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52901\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52901\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08864dc14a6803f0377ca77b9740b26db30c020f\",\n \"https://git.kernel.org/stable/c/2d2820d5f375563690c96e60676855205abfb7f5\",\n \"https://git.kernel.org/stable/c/375be2dd61a072f7b1cac9b17eea59e07b58db3a\",\n \"https://git.kernel.org/stable/c/66fc1600855c05c4ba4e997184c91cf298e0405c\",\n \"https://git.kernel.org/stable/c/9891e5c73cab3fd9ed532dc50e9799e55e974766\",\n \"https://git.kernel.org/stable/c/e8fb5bc76eb86437ab87002d4a36d6da02165654\",\n \"https://git.kernel.org/stable/c/f39c813af0b64f44af94e435c07bfa1ddc2575f5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: xhci: Check endpoint is valid before dereferencing it\\n\\nWhen the host controller is not responding, all URBs queued to all\\nendpoints need to be killed. This can cause a kernel panic if we\\ndereference an invalid endpoint.\\n\\nFix this by using xhci_get_virt_ep() helper to find the endpoint and\\nchecking if the endpoint is valid before dereferencing it.\\n\\n[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead\\n[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8\\n\\n[233311.853964] pc : xhci_hc_died+0x10c/0x270\\n[233311.853971] lr : xhci_hc_died+0x1ac/0x270\\n\\n[233311.854077] Call trace:\\n[233311.854085] xhci_hc_died+0x10c/0x270\\n[233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4\\n[233311.854105] call_timer_fn+0x50/0x2d4\\n[233311.854112] expire_timers+0xac/0x2e4\\n[233311.854118] run_timer_softirq+0x300/0xabc\\n[233311.854127] __do_softirq+0x148/0x528\\n[233311.854135] irq_exit+0x194/0x1a8\\n[233311.854143] __handle_domain_irq+0x164/0x1d0\\n[233311.854149] gic_handle_irq.22273+0x10c/0x188\\n[233311.854156] el1_irq+0xfc/0x1a8\\n[233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm]\\n[233311.854185] cpuidle_enter_state+0x1f0/0x764\\n[233311.854194] do_idle+0x594/0x6ac\\n[233311.854201] cpu_startup_entry+0x7c/0x80\\n[233311.854209] secondary_start_kernel+0x170/0x198\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52901\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52903", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52903" + }, + { + "url": "https://git.kernel.org/stable/c/544d163d659d45a206d8929370d5a2984e546cb7" + }, + { + "url": "https://git.kernel.org/stable/c/7fc3990dad04a677606337ebc61964094d6cb41b" + }, + { + "url": "https://git.kernel.org/stable/c/de77faee280163ff03b7ab64af6c9d779a43d4c4" + }, + { + "url": "https://git.kernel.org/stable/c/ed4629d1e968359fbb91d0a3780b1e86a2c08845" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52903 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52903", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: lock overflowing for IOPOLL\n\nsyzbot reports an issue with overflow filling for IOPOLL:\n\nWARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\nCPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0\nWorkqueue: events_unbound io_ring_exit_work\nCall trace:\n io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\n io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773\n io_fill_cqe_req io_uring/io_uring.h:168 [inline]\n io_do_iopoll+0x474/0x62c io_uring/rw.c:1065\n io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513\n io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056\n io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869\n process_one_work+0x2d8/0x504 kernel/workqueue.c:2289\n worker_thread+0x340/0x610 kernel/workqueue.c:2436\n kthread+0x12c/0x158 kernel/kthread.c:376\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863\n\nThere is no real problem for normal IOPOLL as flush is also called with\nuring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,\nfor which __io_cqring_overflow_flush() happens from the CQ waiting path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52903\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52903\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52903\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52903\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52903\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/544d163d659d45a206d8929370d5a2984e546cb7\",\n \"https://git.kernel.org/stable/c/7fc3990dad04a677606337ebc61964094d6cb41b\",\n \"https://git.kernel.org/stable/c/de77faee280163ff03b7ab64af6c9d779a43d4c4\",\n \"https://git.kernel.org/stable/c/ed4629d1e968359fbb91d0a3780b1e86a2c08845\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring: lock overflowing for IOPOLL\\n\\nsyzbot reports an issue with overflow filling for IOPOLL:\\n\\nWARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\\nCPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0\\nWorkqueue: events_unbound io_ring_exit_work\\nCall trace:\\n io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\\n io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773\\n io_fill_cqe_req io_uring/io_uring.h:168 [inline]\\n io_do_iopoll+0x474/0x62c io_uring/rw.c:1065\\n io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513\\n io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056\\n io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869\\n process_one_work+0x2d8/0x504 kernel/workqueue.c:2289\\n worker_thread+0x340/0x610 kernel/workqueue.c:2436\\n kthread+0x12c/0x158 kernel/kthread.c:376\\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863\\n\\nThere is no real problem for normal IOPOLL as flush is also called with\\nuring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,\\nfor which __io_cqring_overflow_flush() happens from the CQ waiting path.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52903\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52904", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52904" + }, + { + "url": "https://git.kernel.org/stable/c/92a9c0ad86d47ff4cce899012e355c400f02cfb8" + }, + { + "url": "https://git.kernel.org/stable/c/a474d4ad59cd4642d1b7e3a6c08cef9eca0992c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52904 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52904", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()\n\nThe subs function argument may be NULL, so do not use it before the NULL check.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52904\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52904\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52904\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52904\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52904\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/92a9c0ad86d47ff4cce899012e355c400f02cfb8\",\n \"https://git.kernel.org/stable/c/a474d4ad59cd4642d1b7e3a6c08cef9eca0992c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()\\n\\nThe subs function argument may be NULL, so do not use it before the NULL check.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52904\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52905" + }, + { + "url": "https://git.kernel.org/stable/c/53da7aec32982f5ee775b69dce06d63992ce4af3" + }, + { + "url": "https://git.kernel.org/stable/c/c8ca0ad10df08ea36bcac1288062d567d22604c9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52905", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix resource leakage in VF driver unbind\n\nresources allocated like mcam entries to support the Ntuple feature\nand hash tables for the tc feature are not getting freed in driver\nunbind. This patch fixes the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/53da7aec32982f5ee775b69dce06d63992ce4af3\",\n \"https://git.kernel.org/stable/c/c8ca0ad10df08ea36bcac1288062d567d22604c9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocteontx2-pf: Fix resource leakage in VF driver unbind\\n\\nresources allocated like mcam entries to support the Ntuple feature\\nand hash tables for the tc feature are not getting freed in driver\\nunbind. This patch fixes the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52906", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52906" + }, + { + "url": "https://git.kernel.org/stable/c/2b157c3c5d6b8ddca48d53c9e662032f65af8d61" + }, + { + "url": "https://git.kernel.org/stable/c/453277feb41c2235cf2c0de9209eef962c401457" + }, + { + "url": "https://git.kernel.org/stable/c/8a97b544b98e44f596219ebb290fd2ba2fd5d644" + }, + { + "url": "https://git.kernel.org/stable/c/9e17f99220d111ea031b44153fdfe364b0024ff2" + }, + { + "url": "https://git.kernel.org/stable/c/9e2c38827cdc6fdd3bb375c8607fc04d289756f9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52906 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52906", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mpls: Fix warning during failed attribute validation\n\nThe 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a\nvalidation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid\ncombination according to the comment above 'struct nla_policy':\n\n\"\nMeaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:\n NLA_BINARY Validation function called for the attribute.\n All other Unused - but note that it's a union\n\"\n\nThis can trigger the warning [1] in nla_get_range_unsigned() when\nvalidation of the attribute fails. Despite being of 'NLA_U32' type, the\nassociated 'min'/'max' fields in the policy are negative as they are\naliased by the 'validate' field.\n\nFix by changing the attribute type to 'NLA_BINARY' which is consistent\nwith the above comment and all other users of NLA_POLICY_VALIDATE_FN().\nAs a result, move the length validation to the validation function.\n\nNo regressions in MPLS tests:\n\n # ./tdc.py -f tc-tests/actions/mpls.json\n [...]\n # echo $?\n 0\n\n[1]\nWARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118\nnla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\nModules linked in:\nCPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\n[...]\nCall Trace:\n \n __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310\n netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411\n netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]\n netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506\n netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546\n rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2482\n ___sys_sendmsg net/socket.c:2536 [inline]\n __sys_sendmsg+0x197/0x230 net/socket.c:2565\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52906\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52906\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52906\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52906\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52906\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b157c3c5d6b8ddca48d53c9e662032f65af8d61\",\n \"https://git.kernel.org/stable/c/453277feb41c2235cf2c0de9209eef962c401457\",\n \"https://git.kernel.org/stable/c/8a97b544b98e44f596219ebb290fd2ba2fd5d644\",\n \"https://git.kernel.org/stable/c/9e17f99220d111ea031b44153fdfe364b0024ff2\",\n \"https://git.kernel.org/stable/c/9e2c38827cdc6fdd3bb375c8607fc04d289756f9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_mpls: Fix warning during failed attribute validation\\n\\nThe 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a\\nvalidation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid\\ncombination according to the comment above 'struct nla_policy':\\n\\n\\\"\\nMeaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:\\n NLA_BINARY Validation function called for the attribute.\\n All other Unused - but note that it's a union\\n\\\"\\n\\nThis can trigger the warning [1] in nla_get_range_unsigned() when\\nvalidation of the attribute fails. Despite being of 'NLA_U32' type, the\\nassociated 'min'/'max' fields in the policy are negative as they are\\naliased by the 'validate' field.\\n\\nFix by changing the attribute type to 'NLA_BINARY' which is consistent\\nwith the above comment and all other users of NLA_POLICY_VALIDATE_FN().\\nAs a result, move the length validation to the validation function.\\n\\nNo regressions in MPLS tests:\\n\\n # ./tdc.py -f tc-tests/actions/mpls.json\\n [...]\\n # echo $?\\n 0\\n\\n[1]\\nWARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118\\nnla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\\nModules linked in:\\nCPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\\nRIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\\n[...]\\nCall Trace:\\n \\n __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310\\n netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411\\n netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]\\n netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506\\n netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546\\n rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109\\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345\\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921\\n sock_sendmsg_nosec net/socket.c:714 [inline]\\n sock_sendmsg net/socket.c:734 [inline]\\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2482\\n ___sys_sendmsg net/socket.c:2536 [inline]\\n __sys_sendmsg+0x197/0x230 net/socket.c:2565\\n __do_sys_sendmsg net/socket.c:2574 [inline]\\n __se_sys_sendmsg net/socket.c:2572 [inline]\\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52906\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52907", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52907" + }, + { + "url": "https://git.kernel.org/stable/c/0ca78c99656f5c448567db1e148367aa3b01c80a" + }, + { + "url": "https://git.kernel.org/stable/c/321db5131c92983dac4f3338e8fbb6df214238c0" + }, + { + "url": "https://git.kernel.org/stable/c/35529d6b827eedb6bf7e81130e4b7e0aba9e58d2" + }, + { + "url": "https://git.kernel.org/stable/c/39ae73e581112cfe27ba50aecb1c891ce57cecb1" + }, + { + "url": "https://git.kernel.org/stable/c/8998db5021a28ad67aa8d627bdb4226e4046ccc4" + }, + { + "url": "https://git.kernel.org/stable/c/9424d2205fe94a095fb9365ec0c6137f0b394a2b" + }, + { + "url": "https://git.kernel.org/stable/c/9dab880d675b9d0dd56c6428e4e8352a3339371d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52907 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52907", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()\n\nFix a use-after-free that occurs in hcd when in_urb sent from\npn533_usb_send_frame() is completed earlier than out_urb. Its callback\nfrees the skb data in pn533_send_async_complete() that is used as a\ntransfer buffer of out_urb. Wait before sending in_urb until the\ncallback of out_urb is called. To modify the callback of out_urb alone,\nseparate the complete function of out_urb and ack_urb.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: use-after-free in dummy_timer\nCall Trace:\n memcpy (mm/kasan/shadow.c:65)\n dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)\n transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)\n dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)\n arch_static_branch (arch/x86/include/asm/jump_label.h:27)\n static_key_false (include/linux/jump_label.h:207)\n timer_expire_exit (include/trace/events/timer.h:127)\n call_timer_fn (kernel/time/timer.c:1475)\n expire_timers (kernel/time/timer.c:1519)\n __run_timers (kernel/time/timer.c:1790)\n run_timer_softirq (kernel/time/timer.c:1803)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52907\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52907\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52907\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52907\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52907\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ca78c99656f5c448567db1e148367aa3b01c80a\",\n \"https://git.kernel.org/stable/c/321db5131c92983dac4f3338e8fbb6df214238c0\",\n \"https://git.kernel.org/stable/c/35529d6b827eedb6bf7e81130e4b7e0aba9e58d2\",\n \"https://git.kernel.org/stable/c/39ae73e581112cfe27ba50aecb1c891ce57cecb1\",\n \"https://git.kernel.org/stable/c/8998db5021a28ad67aa8d627bdb4226e4046ccc4\",\n \"https://git.kernel.org/stable/c/9424d2205fe94a095fb9365ec0c6137f0b394a2b\",\n \"https://git.kernel.org/stable/c/9dab880d675b9d0dd56c6428e4e8352a3339371d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()\\n\\nFix a use-after-free that occurs in hcd when in_urb sent from\\npn533_usb_send_frame() is completed earlier than out_urb. Its callback\\nfrees the skb data in pn533_send_async_complete() that is used as a\\ntransfer buffer of out_urb. Wait before sending in_urb until the\\ncallback of out_urb is called. To modify the callback of out_urb alone,\\nseparate the complete function of out_urb and ack_urb.\\n\\nFound by a modified version of syzkaller.\\n\\nBUG: KASAN: use-after-free in dummy_timer\\nCall Trace:\\n memcpy (mm/kasan/shadow.c:65)\\n dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)\\n transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)\\n dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)\\n arch_static_branch (arch/x86/include/asm/jump_label.h:27)\\n static_key_false (include/linux/jump_label.h:207)\\n timer_expire_exit (include/trace/events/timer.h:127)\\n call_timer_fn (kernel/time/timer.c:1475)\\n expire_timers (kernel/time/timer.c:1519)\\n __run_timers (kernel/time/timer.c:1790)\\n run_timer_softirq (kernel/time/timer.c:1803)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52907\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52910", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52910" + }, + { + "url": "https://git.kernel.org/stable/c/61cbf790e7329ed78877560be7136f0b911bba7f" + }, + { + "url": "https://git.kernel.org/stable/c/c929a230c84441e400c32e7b7b4ab763711fb63e" + }, + { + "url": "https://git.kernel.org/stable/c/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52910 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52910", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/iova: Fix alloc iova overflows issue\n\nIn __alloc_and_insert_iova_range, there is an issue that retry_pfn\noverflows. The value of iovad->anchor.pfn_hi is ~0UL, then when\niovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will\noverflow. As a result, if the retry logic is executed, low_pfn is\nupdated to 0, and then new_pfn < low_pfn returns false to make the\nallocation successful.\n\nThis issue occurs in the following two situations:\n1. The first iova size exceeds the domain size. When initializing\niova domain, iovad->cached_node is assigned as iovad->anchor. For\nexample, the iova domain size is 10M, start_pfn is 0x1_F000_0000,\nand the iova size allocated for the first time is 11M. The\nfollowing is the log information, new->pfn_lo is smaller than\niovad->cached_node.\n\nExample log as follows:\n[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nstart_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00\n[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nsuccess start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff\n\n2. The node with the largest iova->pfn_lo value in the iova domain\nis deleted, iovad->cached_node will be updated to iovad->anchor,\nand then the alloc iova size exceeds the maximum iova size that can\nbe allocated in the domain.\n\nAfter judging that retry_pfn is less than limit_pfn, call retry_pfn+1\nto fix the overflow issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52910\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52910\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52910\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52910\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52910\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/61cbf790e7329ed78877560be7136f0b911bba7f\",\n \"https://git.kernel.org/stable/c/c929a230c84441e400c32e7b7b4ab763711fb63e\",\n \"https://git.kernel.org/stable/c/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu/iova: Fix alloc iova overflows issue\\n\\nIn __alloc_and_insert_iova_range, there is an issue that retry_pfn\\noverflows. The value of iovad->anchor.pfn_hi is ~0UL, then when\\niovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will\\noverflow. As a result, if the retry logic is executed, low_pfn is\\nupdated to 0, and then new_pfn < low_pfn returns false to make the\\nallocation successful.\\n\\nThis issue occurs in the following two situations:\\n1. The first iova size exceeds the domain size. When initializing\\niova domain, iovad->cached_node is assigned as iovad->anchor. For\\nexample, the iova domain size is 10M, start_pfn is 0x1_F000_0000,\\nand the iova size allocated for the first time is 11M. The\\nfollowing is the log information, new->pfn_lo is smaller than\\niovad->cached_node.\\n\\nExample log as follows:\\n[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\\nstart_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00\\n[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\\nsuccess start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff\\n\\n2. The node with the largest iova->pfn_lo value in the iova domain\\nis deleted, iovad->cached_node will be updated to iovad->anchor,\\nand then the alloc iova size exceeds the maximum iova size that can\\nbe allocated in the domain.\\n\\nAfter judging that retry_pfn is less than limit_pfn, call retry_pfn+1\\nto fix the overflow issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52910\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52911", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52911" + }, + { + "url": "https://git.kernel.org/stable/c/00dd060ab3cf95ca6ede7853bc14397014971b5e" + }, + { + "url": "https://git.kernel.org/stable/c/b107b08c41b3076a508113fbaaffe15ce1fe7f65" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52911 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52911", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: another fix for the headless Adreno GPU\n\nFix another oops reproducible when rebooting the board with the Adreno\nGPU working in the headless mode (e.g. iMX platforms).\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\n[00000000] *pgd=74936831, *pte=00000000, *ppte=00000000\nInternal error: Oops: 17 [#1] ARM\nCPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11\nHardware name: Freescale i.MX53 (Device Tree Support)\nPC is at msm_atomic_commit_tail+0x50/0x970\nLR is at commit_tail+0x9c/0x188\npc : [] lr : [] psr: 600e0013\nsp : e0851d30 ip : ee4eb7eb fp : 00090acc\nr10: 00000058 r9 : c2193014 r8 : c4310000\nr7 : c4759380 r6 : 07bef61d r5 : 00000000 r4 : 00000000\nr3 : c44cc440 r2 : 00000000 r1 : 00000000 r0 : 00000000\nFlags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none\nControl: 10c5387d Table: 74910019 DAC: 00000051\nRegister r0 information: NULL pointer\nRegister r1 information: NULL pointer\nRegister r2 information: NULL pointer\nRegister r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024\nRegister r4 information: NULL pointer\nRegister r5 information: NULL pointer\nRegister r6 information: non-paged memory\nRegister r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128\nRegister r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048\nRegister r9 information: non-slab/vmalloc memory\nRegister r10 information: non-paged memory\nRegister r11 information: non-paged memory\nRegister r12 information: non-paged memory\nProcess reboot (pid: 51, stack limit = 0xc80046d9)\nStack: (0xe0851d30 to 0xe0852000)\n1d20: c4759380 fbd77200 000005ff 002b9c70\n1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058\n1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c\n1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468\n1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810\n1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00\n1de0: c4759380 c067ad20 c4310000 00000000 c44cc810 c27f8718 c44cc854 c067adb8\n1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854\n1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000\n1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60\n1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4\n1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000\n1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058\n1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028\n1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc\n1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000\n msm_atomic_commit_tail from commit_tail+0x9c/0x188\n commit_tail from drm_atomic_helper_commit+0x160/0x188\n drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0\n drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0\n drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140\n drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240\n device_shutdown from kernel_restart+0x38/0x90\n kernel_restart from __do_sys_reboot+0x\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52911\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52911\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52911\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52911\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52911\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00dd060ab3cf95ca6ede7853bc14397014971b5e\",\n \"https://git.kernel.org/stable/c/b107b08c41b3076a508113fbaaffe15ce1fe7f65\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/msm: another fix for the headless Adreno GPU\\n\\nFix another oops reproducible when rebooting the board with the Adreno\\nGPU working in the headless mode (e.g. iMX platforms).\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\\n[00000000] *pgd=74936831, *pte=00000000, *ppte=00000000\\nInternal error: Oops: 17 [#1] ARM\\nCPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11\\nHardware name: Freescale i.MX53 (Device Tree Support)\\nPC is at msm_atomic_commit_tail+0x50/0x970\\nLR is at commit_tail+0x9c/0x188\\npc : [] lr : [] psr: 600e0013\\nsp : e0851d30 ip : ee4eb7eb fp : 00090acc\\nr10: 00000058 r9 : c2193014 r8 : c4310000\\nr7 : c4759380 r6 : 07bef61d r5 : 00000000 r4 : 00000000\\nr3 : c44cc440 r2 : 00000000 r1 : 00000000 r0 : 00000000\\nFlags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none\\nControl: 10c5387d Table: 74910019 DAC: 00000051\\nRegister r0 information: NULL pointer\\nRegister r1 information: NULL pointer\\nRegister r2 information: NULL pointer\\nRegister r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024\\nRegister r4 information: NULL pointer\\nRegister r5 information: NULL pointer\\nRegister r6 information: non-paged memory\\nRegister r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128\\nRegister r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048\\nRegister r9 information: non-slab/vmalloc memory\\nRegister r10 information: non-paged memory\\nRegister r11 information: non-paged memory\\nRegister r12 information: non-paged memory\\nProcess reboot (pid: 51, stack limit = 0xc80046d9)\\nStack: (0xe0851d30 to 0xe0852000)\\n1d20: c4759380 fbd77200 000005ff 002b9c70\\n1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058\\n1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c\\n1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468\\n1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810\\n1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00\\n1de0: c4759380 c067ad20 c4310000 00000000 c44cc810 c27f8718 c44cc854 c067adb8\\n1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854\\n1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000\\n1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60\\n1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4\\n1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000\\n1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058\\n1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028\\n1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc\\n1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000\\n msm_atomic_commit_tail from commit_tail+0x9c/0x188\\n commit_tail from drm_atomic_helper_commit+0x160/0x188\\n drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0\\n drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0\\n drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140\\n drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240\\n device_shutdown from kernel_restart+0x38/0x90\\n kernel_restart from __do_sys_reboot+0x\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52911\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52912", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52912" + }, + { + "url": "https://git.kernel.org/stable/c/9196eb7c52e55749a332974f0081f77d53d60199" + }, + { + "url": "https://git.kernel.org/stable/c/99f1a36c90a7524972be5a028424c57fa17753ee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52912 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52912", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fixed bug on error when unloading amdgpu\n\nFixed bug on error when unloading amdgpu.\n\nThe error message is as follows:\n[ 377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!\n[ 377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G IOE 6.0.0-thomas #1\n[ 377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021\n[ 377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]\n[ 377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53\n[ 377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287\n[ 377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000\n[ 377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70\n[ 377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001\n[ 377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70\n[ 377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70\n[ 377.706325] FS: 00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000\n[ 377.706334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0\n[ 377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 377.706361] Call Trace:\n[ 377.706365] \n[ 377.706369] drm_buddy_free_list+0x2a/0x60 [drm_buddy]\n[ 377.706376] amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]\n[ 377.706572] amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]\n[ 377.706650] amdgpu_bo_fini+0x22/0x90 [amdgpu]\n[ 377.706727] gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]\n[ 377.706821] amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]\n[ 377.706897] amdgpu_driver_release_kms+0x12/0x30 [amdgpu]\n[ 377.706975] drm_dev_release+0x20/0x40 [drm]\n[ 377.707006] release_nodes+0x35/0xb0\n[ 377.707014] devres_release_all+0x8b/0xc0\n[ 377.707020] device_unbind_cleanup+0xe/0x70\n[ 377.707027] device_release_driver_internal+0xee/0x160\n[ 377.707033] driver_detach+0x44/0x90\n[ 377.707039] bus_remove_driver+0x55/0xe0\n[ 377.707045] pci_unregister_driver+0x3b/0x90\n[ 377.707052] amdgpu_exit+0x11/0x6c [amdgpu]\n[ 377.707194] __x64_sys_delete_module+0x142/0x2b0\n[ 377.707201] ? fpregs_assert_state_consistent+0x22/0x50\n[ 377.707208] ? exit_to_user_mode_prepare+0x3e/0x190\n[ 377.707215] do_syscall_64+0x38/0x90\n[ 377.707221] entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52912\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52912\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52912\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52912\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52912\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/9196eb7c52e55749a332974f0081f77d53d60199\",\n \"https://git.kernel.org/stable/c/99f1a36c90a7524972be5a028424c57fa17753ee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fixed bug on error when unloading amdgpu\\n\\nFixed bug on error when unloading amdgpu.\\n\\nThe error message is as follows:\\n[ 377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!\\n[ 377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n[ 377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G IOE 6.0.0-thomas #1\\n[ 377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021\\n[ 377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]\\n[ 377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53\\n[ 377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287\\n[ 377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000\\n[ 377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70\\n[ 377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001\\n[ 377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70\\n[ 377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70\\n[ 377.706325] FS: 00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000\\n[ 377.706334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0\\n[ 377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 377.706361] Call Trace:\\n[ 377.706365] \\n[ 377.706369] drm_buddy_free_list+0x2a/0x60 [drm_buddy]\\n[ 377.706376] amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]\\n[ 377.706572] amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]\\n[ 377.706650] amdgpu_bo_fini+0x22/0x90 [amdgpu]\\n[ 377.706727] gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]\\n[ 377.706821] amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]\\n[ 377.706897] amdgpu_driver_release_kms+0x12/0x30 [amdgpu]\\n[ 377.706975] drm_dev_release+0x20/0x40 [drm]\\n[ 377.707006] release_nodes+0x35/0xb0\\n[ 377.707014] devres_release_all+0x8b/0xc0\\n[ 377.707020] device_unbind_cleanup+0xe/0x70\\n[ 377.707027] device_release_driver_internal+0xee/0x160\\n[ 377.707033] driver_detach+0x44/0x90\\n[ 377.707039] bus_remove_driver+0x55/0xe0\\n[ 377.707045] pci_unregister_driver+0x3b/0x90\\n[ 377.707052] amdgpu_exit+0x11/0x6c [amdgpu]\\n[ 377.707194] __x64_sys_delete_module+0x142/0x2b0\\n[ 377.707201] ? fpregs_assert_state_consistent+0x22/0x50\\n[ 377.707208] ? exit_to_user_mode_prepare+0x3e/0x190\\n[ 377.707215] do_syscall_64+0x38/0x90\\n[ 377.707221] entry_SYSCALL_64_after_hwframe+0x63/0xcd\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52912\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52913", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52913" + }, + { + "url": "https://git.kernel.org/stable/c/afce71ff6daa9c0f852df0727fe32c6fb107f0fa" + }, + { + "url": "https://git.kernel.org/stable/c/b696c627b3f56e173f7f70b8487d66da8ff22506" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52913 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52913", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential context UAFs\n\ngem_context_register() makes the context visible to userspace, and which\npoint a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.\nSo we need to ensure that nothing uses the ctx ptr after this. And we\nneed to ensure that adding the ctx to the xarray is the *last* thing\nthat gem_context_register() does with the ctx pointer.\n\n[tursulin: Stable and fixes tags add/tidy.]\n(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52913\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52913\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52913\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52913\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52913\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/afce71ff6daa9c0f852df0727fe32c6fb107f0fa\",\n \"https://git.kernel.org/stable/c/b696c627b3f56e173f7f70b8487d66da8ff22506\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915: Fix potential context UAFs\\n\\ngem_context_register() makes the context visible to userspace, and which\\npoint a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.\\nSo we need to ensure that nothing uses the ctx ptr after this. And we\\nneed to ensure that adding the ctx to the xarray is the *last* thing\\nthat gem_context_register() does with the ctx pointer.\\n\\n[tursulin: Stable and fixes tags add/tidy.]\\n(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52913\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6240", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6240" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1882" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2758" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3414" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3421" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3618" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3627" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6240" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250843" + }, + { + "url": "https://people.redhat.com/~hkario/marvin/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240628-0002/" + }, + { + "url": "https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6240 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6240", + "desc": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6240\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6240\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6240\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6240\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6240\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:1881\",\n \"https://access.redhat.com/errata/RHSA-2024:1882\",\n \"https://access.redhat.com/errata/RHSA-2024:2758\",\n \"https://access.redhat.com/errata/RHSA-2024:3414\",\n \"https://access.redhat.com/errata/RHSA-2024:3421\",\n \"https://access.redhat.com/errata/RHSA-2024:3618\",\n \"https://access.redhat.com/errata/RHSA-2024:3627\",\n \"https://access.redhat.com/security/cve/CVE-2023-6240\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2250843\",\n \"https://people.redhat.com/~hkario/marvin/\",\n \"https://security.netapp.com/advisory/ntap-20240628-0002/\",\n \"https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself/\"\n ],\n \"description\": \"A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6240\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6356", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6356" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0897" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1248" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2094" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3810" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6356" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254054" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6356 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6356", + "desc": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6356\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6356\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6356\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6356\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6356\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:0723\",\n \"https://access.redhat.com/errata/RHSA-2024:0724\",\n \"https://access.redhat.com/errata/RHSA-2024:0725\",\n \"https://access.redhat.com/errata/RHSA-2024:0881\",\n \"https://access.redhat.com/errata/RHSA-2024:0897\",\n \"https://access.redhat.com/errata/RHSA-2024:1248\",\n \"https://access.redhat.com/errata/RHSA-2024:2094\",\n \"https://access.redhat.com/errata/RHSA-2024:3810\",\n \"https://access.redhat.com/security/cve/CVE-2023-6356\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2254054\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://security.netapp.com/advisory/ntap-20240415-0002/\"\n ],\n \"description\": \"A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6356\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6535", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6535" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0897" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1248" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2094" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3810" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6535" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254053" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0003/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6535 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6535", + "desc": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6535\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6535\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6535\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6535\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6535\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:0723\",\n \"https://access.redhat.com/errata/RHSA-2024:0724\",\n \"https://access.redhat.com/errata/RHSA-2024:0725\",\n \"https://access.redhat.com/errata/RHSA-2024:0881\",\n \"https://access.redhat.com/errata/RHSA-2024:0897\",\n \"https://access.redhat.com/errata/RHSA-2024:1248\",\n \"https://access.redhat.com/errata/RHSA-2024:2094\",\n \"https://access.redhat.com/errata/RHSA-2024:3810\",\n \"https://access.redhat.com/security/cve/CVE-2023-6535\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2254053\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://security.netapp.com/advisory/ntap-20240415-0003/\"\n ],\n \"description\": \"A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6535\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6536", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6536" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0897" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1248" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2094" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3810" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6536" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254052" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6536 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6536", + "desc": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6536\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6536\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6536\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6536\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6536\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:0723\",\n \"https://access.redhat.com/errata/RHSA-2024:0724\",\n \"https://access.redhat.com/errata/RHSA-2024:0725\",\n \"https://access.redhat.com/errata/RHSA-2024:0881\",\n \"https://access.redhat.com/errata/RHSA-2024:0897\",\n \"https://access.redhat.com/errata/RHSA-2024:1248\",\n \"https://access.redhat.com/errata/RHSA-2024:2094\",\n \"https://access.redhat.com/errata/RHSA-2024:3810\",\n \"https://access.redhat.com/security/cve/CVE-2023-6536\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2254052\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://security.netapp.com/advisory/ntap-20240415-0001/\"\n ],\n \"description\": \"A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6536\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6610", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6610" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0897" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1248" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1404" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2094" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6610" + }, + { + "url": "https://bugzilla.kernel.org/show_bug.cgi?id=218219" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253614" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6610 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6610", + "desc": "An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6610\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6610\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6610\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6610\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6610\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:0723\",\n \"https://access.redhat.com/errata/RHSA-2024:0724\",\n \"https://access.redhat.com/errata/RHSA-2024:0725\",\n \"https://access.redhat.com/errata/RHSA-2024:0881\",\n \"https://access.redhat.com/errata/RHSA-2024:0897\",\n \"https://access.redhat.com/errata/RHSA-2024:1248\",\n \"https://access.redhat.com/errata/RHSA-2024:1404\",\n \"https://access.redhat.com/errata/RHSA-2024:2094\",\n \"https://access.redhat.com/security/cve/CVE-2023-6610\",\n \"https://bugzilla.kernel.org/show_bug.cgi?id=218219\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2253614\"\n ],\n \"description\": \"An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6610\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6915", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6915" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2950" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3138" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6915" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254982" + }, + { + "url": "https://github.com/torvalds/linux/commit/af73483f4e8b6f5c68c9aa63257bdd929a9c194a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6915 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6915", + "desc": "A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6915\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6915\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6915\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6915\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6915\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:2394\",\n \"https://access.redhat.com/errata/RHSA-2024:2950\",\n \"https://access.redhat.com/errata/RHSA-2024:3138\",\n \"https://access.redhat.com/security/cve/CVE-2023-6915\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2254982\",\n \"https://github.com/torvalds/linux/commit/af73483f4e8b6f5c68c9aa63257bdd929a9c194a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6915\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0564", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-0564" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0564" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258514" + }, + { + "url": "https://link.springer.com/conference/wisa" + }, + { + "url": "https://wisa.or.kr/accepted" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0564 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-0564", + "desc": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". Through these operations, the attacker can leak the victim's page.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0564\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-0564\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-0564\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-0564\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0564\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2024-0564\",\n \"https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2258514\",\n \"https://link.springer.com/conference/wisa\",\n \"https://wisa.or.kr/accepted\"\n ],\n \"description\": \"A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \\\"max page sharing=256\\\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \\\"max page share\\\". Through these operations, the attacker can leak the victim's page.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0564\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-21803", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-21803" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8081" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-21803 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-21803", + "desc": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-21803\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-21803\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-21803\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-21803\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-21803\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8081\"\n ],\n \"description\": \"Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\\n\\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 3.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-21803\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-21823", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-21823" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/15/1" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-21823 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-21823", + "desc": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable escalation of privilege local access", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-21823\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-21823\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-21823\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-21823\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-21823\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/15/1\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\",\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html\"\n ],\n \"description\": \"Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable escalation of privilege local access\",\n \"cvss\": [\n {\n \"source\": \"secure@intel.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.1,\n \"impactScore\": 5.8\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-21823\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-2193", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-2193" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/12/14" + }, + { + "url": "https://download.vusec.net/papers/ghostrace_sec24.pdf" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=944d5fe50f3f03daacfea16300e656a1691c4a23" + }, + { + "url": "https://ibm.github.io/system-security-research-updates/2024/03/12/ghostrace" + }, + { + "url": "https://kb.cert.org/vuls/id/488902" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/" + }, + { + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html" + }, + { + "url": "https://www.kb.cert.org/vuls/id/488902" + }, + { + "url": "https://www.vusec.net/projects/ghostrace/" + }, + { + "url": "https://xenbits.xen.org/xsa/advisory-453.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-2193 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-2193", + "desc": "A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-2193\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-2193\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-2193\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-2193\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-2193\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/03/12/14\",\n \"https://download.vusec.net/papers/ghostrace_sec24.pdf\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=944d5fe50f3f03daacfea16300e656a1691c4a23\",\n \"https://ibm.github.io/system-security-research-updates/2024/03/12/ghostrace\",\n \"https://kb.cert.org/vuls/id/488902\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/\",\n \"https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html\",\n \"https://www.kb.cert.org/vuls/id/488902\",\n \"https://www.vusec.net/projects/ghostrace/\",\n \"https://xenbits.xen.org/xsa/advisory-453.html\"\n ],\n \"description\": \"A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-2193\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-22386", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-22386" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8147" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-22386 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-22386", + "desc": "A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-22386\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-22386\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-22386\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-22386\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-22386\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8147\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-22386\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-23307", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-23307" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=7975" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-23307 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-23307", + "desc": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-23307\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-23307\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-23307\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-23307\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-23307\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=7975\"\n ],\n \"description\": \"Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.7,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-23307\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-23848", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-23848" + }, + { + "url": "https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5%40xs4all.nl/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-23848 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-23848", + "desc": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-23848\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-23848\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-23848\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-23848\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-23848\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5%40xs4all.nl/\"\n ],\n \"description\": \"In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-23848\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24856", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24856" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8764" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24856 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24856", + "desc": "The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a\nsuccessful allocation, but the subsequent code directly dereferences the\npointer that receives it, which may lead to null pointer dereference.\n\nTo fix this issue, a null pointer check should be added. If it is null, \nreturn exception code AE_NO_MEMORY.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24856\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24856\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24856\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24856\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24856\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8764\"\n ],\n \"description\": \"The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a\\nsuccessful allocation, but the subsequent code directly dereferences the\\npointer that receives it, which may lead to null pointer dereference.\\n\\nTo fix this issue, a null pointer check should be added. If it is null, \\nreturn exception code AE_NO_MEMORY.\",\n \"cvss\": [\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24856\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24857", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24857" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8155" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24857 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24857", + "desc": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24857\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24857\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24857\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24857\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24857\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8155\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.8,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.4,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24857\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24858", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24858" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8154" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24858 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24858", + "desc": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24858\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24858\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24858\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24858\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24858\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8154\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.4,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24858\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24859", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24859" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8153" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24859 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24859", + "desc": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\n\n\n\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24859\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24859\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24859\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24859\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24859\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8153\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\\n\\n\\n\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.8,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.4,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24859\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24861", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24861" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8150" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24861 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24861", + "desc": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24861\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24861\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24861\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24861\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24861\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8150\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.3,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24861\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24862", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24862" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24862 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24862", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24862\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24862\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24862\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24862\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24862\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24862\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24863", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24863" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24863 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24863", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\nCVE-2024-24863 has been replaced by CVE-2024-36014.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24863\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24863\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24863\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24863\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24863\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\\nCVE-2024-24863 has been replaced by CVE-2024-36014.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24863\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24864", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24864" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8178" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24864 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24864", + "desc": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24864\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24864\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24864\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24864\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24864\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8178\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24864\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25739", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25739" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=68a24aba7c593eafa8fd00f2f76407b9b32b47a9" + }, + { + "url": "https://groups.google.com/g/syzkaller/c/Xl97YcQA4hg" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + }, + { + "url": "https://www.spinics.net/lists/kernel/msg5074816.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25739 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25739", + "desc": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25739\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25739\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25739\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25739\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25739\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=68a24aba7c593eafa8fd00f2f76407b9b32b47a9\",\n \"https://groups.google.com/g/syzkaller/c/Xl97YcQA4hg\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\n \"https://www.spinics.net/lists/kernel/msg5074816.html\"\n ],\n \"description\": \"create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25739\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25740", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25740" + }, + { + "url": "https://lore.kernel.org/lkml/0171b6cc-95ee-3538-913b-65a391a446b3%40huawei.com/T/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25740 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25740", + "desc": "A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25740\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25740\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25740\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25740\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25740\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://lore.kernel.org/lkml/0171b6cc-95ee-3538-913b-65a391a446b3%40huawei.com/T/\"\n ],\n \"description\": \"A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25740\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25741", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25741" + }, + { + "url": "https://www.spinics.net/lists/linux-usb/msg252167.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25741 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25741", + "desc": "printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25741\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25741\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25741\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25741\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25741\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://www.spinics.net/lists/linux-usb/msg252167.html\"\n ],\n \"description\": \"printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25741\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25742", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25742" + }, + { + "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.9" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f" + }, + { + "url": "https://github.com/torvalds/linux/commit/e3ef461af35a8c74f2f4ce6616491ddb355a208f" + }, + { + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25742 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25742", + "desc": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25742\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25742\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25742\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25742\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25742\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.9\",\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f\",\n \"https://github.com/torvalds/linux/commit/e3ef461af35a8c74f2f4ce6616491ddb355a208f\",\n \"https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html\"\n ],\n \"description\": \"In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25742\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25743", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25743" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270836" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1223307" + }, + { + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25743 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25743", + "desc": "In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25743\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25743\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25743\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25743\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25743\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2270836\",\n \"https://bugzilla.suse.com/show_bug.cgi?id=1223307\",\n \"https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html\"\n ],\n \"description\": \"In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25743\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25744", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25744" + }, + { + "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.7" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b82a8dbd3d2f4563156f7150c6f2ecab6e960b30" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25744 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25744", + "desc": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25744\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25744\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25744\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25744\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25744\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.7\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b82a8dbd3d2f4563156f7150c6f2ecab6e960b30\"\n ],\n \"description\": \"In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25744\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26595", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26595" + }, + { + "url": "https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39" + }, + { + "url": "https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f" + }, + { + "url": "https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26595 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26595", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\n\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\n\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26595\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26595\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26595\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26595\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26595\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39\",\n \"https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f\",\n \"https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\\n\\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\\nfailing to attach the region to an ACL group, we hit a NULL pointer\\ndereference upon 'region->group->tcam' [1].\\n\\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\\n\\n[1]\\nBUG: kernel NULL pointer dereference, address: 0000000000000000\\n[...]\\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\\n[...]\\nCall Trace:\\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\\n mlxsw_sp_acl_rule_add+0x47/0x240\\n mlxsw_sp_flower_replace+0x1a9/0x1d0\\n tc_setup_cb_add+0xdc/0x1c0\\n fl_hw_replace_filter+0x146/0x1f0\\n fl_change+0xc17/0x1360\\n tc_new_tfilter+0x472/0xb90\\n rtnetlink_rcv_msg+0x313/0x3b0\\n netlink_rcv_skb+0x58/0x100\\n netlink_unicast+0x244/0x390\\n netlink_sendmsg+0x1e4/0x440\\n ____sys_sendmsg+0x164/0x260\\n ___sys_sendmsg+0x9a/0xe0\\n __sys_sendmsg+0x7a/0xc0\\n do_syscall_64+0x40/0xe0\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26595\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26605", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26605" + }, + { + "url": "https://git.kernel.org/stable/c/0f7908a016c092cfdaa16d785fa5099d867bc1a3" + }, + { + "url": "https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a1805515a20" + }, + { + "url": "https://git.kernel.org/stable/c/b0f4478838be1f1d330061201898fef65bf8fd7c" + }, + { + "url": "https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26605 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26605", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix deadlock when enabling ASPM\n\nA last minute revert in 6.7-final introduced a potential deadlock when\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\nlockdep:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.7.0 #40 Not tainted\n --------------------------------------------\n kworker/u16:5/90 is trying to acquire lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\n\n but task is already holding lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(pci_bus_sem);\n lock(pci_bus_sem);\n\n *** DEADLOCK ***\n\n Call trace:\n print_deadlock_bug+0x25c/0x348\n __lock_acquire+0x10a4/0x2064\n lock_acquire+0x1e8/0x318\n down_read+0x60/0x184\n pcie_aspm_pm_state_change+0x58/0xdc\n pci_set_full_power_state+0xa8/0x114\n pci_set_power_state+0xc4/0x120\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\n pci_walk_bus+0x64/0xbc\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\n\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\nX13s by adding a delay to increase the race window during asynchronous\nprobe where another thread can take a write lock.\n\nAdd a new pci_set_power_state_locked() and associated helper functions that\ncan be called with the PCI bus semaphore held to avoid taking the read lock\ntwice.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26605\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26605\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26605\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26605\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26605\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f7908a016c092cfdaa16d785fa5099d867bc1a3\",\n \"https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a1805515a20\",\n \"https://git.kernel.org/stable/c/b0f4478838be1f1d330061201898fef65bf8fd7c\",\n \"https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI/ASPM: Fix deadlock when enabling ASPM\\n\\nA last minute revert in 6.7-final introduced a potential deadlock when\\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\\nlockdep:\\n\\n ============================================\\n WARNING: possible recursive locking detected\\n 6.7.0 #40 Not tainted\\n --------------------------------------------\\n kworker/u16:5/90 is trying to acquire lock:\\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\\n\\n but task is already holding lock:\\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\\n\\n other info that might help us debug this:\\n Possible unsafe locking scenario:\\n\\n CPU0\\n ----\\n lock(pci_bus_sem);\\n lock(pci_bus_sem);\\n\\n *** DEADLOCK ***\\n\\n Call trace:\\n print_deadlock_bug+0x25c/0x348\\n __lock_acquire+0x10a4/0x2064\\n lock_acquire+0x1e8/0x318\\n down_read+0x60/0x184\\n pcie_aspm_pm_state_change+0x58/0xdc\\n pci_set_full_power_state+0xa8/0x114\\n pci_set_power_state+0xc4/0x120\\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\\n pci_walk_bus+0x64/0xbc\\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\\n\\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\\nX13s by adding a delay to increase the race window during asynchronous\\nprobe where another thread can take a write lock.\\n\\nAdd a new pci_set_power_state_locked() and associated helper functions that\\ncan be called with the PCI bus semaphore held to avoid taking the read lock\\ntwice.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26605\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26607", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26607" + }, + { + "url": "https://git.kernel.org/stable/c/08ac6f132dd77e40f786d8af51140c96c6d739c9" + }, + { + "url": "https://git.kernel.org/stable/c/2a4c6af7934a7b4c304542c38fee35e09cc1770c" + }, + { + "url": "https://git.kernel.org/stable/c/56f96cf6eb11a1c2d594367c3becbfb06a855ec1" + }, + { + "url": "https://git.kernel.org/stable/c/e0f83c234ea7a3dec1f84e5d02caa1c51664a076" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26607 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26607", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: sii902x: Fix probing race issue\n\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\n\n[ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x]\n[ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm]\n[ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[ 53.326401] drm_client_register+0x5c/0xa0 [drm]\n[ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[ 53.336881] tidss_probe+0x128/0x264 [tidss]\n[ 53.341174] platform_probe+0x68/0xc4\n[ 53.344841] really_probe+0x188/0x3c4\n[ 53.348501] __driver_probe_device+0x7c/0x16c\n[ 53.352854] driver_probe_device+0x3c/0x10c\n[ 53.357033] __device_attach_driver+0xbc/0x158\n[ 53.361472] bus_for_each_drv+0x88/0xe8\n[ 53.365303] __device_attach+0xa0/0x1b4\n[ 53.369135] device_initial_probe+0x14/0x20\n[ 53.373314] bus_probe_device+0xb0/0xb4\n[ 53.377145] deferred_probe_work_func+0xcc/0x124\n[ 53.381757] process_one_work+0x1f0/0x518\n[ 53.385770] worker_thread+0x1e8/0x3dc\n[ 53.389519] kthread+0x11c/0x120\n[ 53.392750] ret_from_fork+0x10/0x20\n\nThe issue here is as follows:\n\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\n DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n However, the sii902x driver has not set up the i2c part yet, leading\n to the crash.\n\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26607\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26607\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26607\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26607\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26607\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08ac6f132dd77e40f786d8af51140c96c6d739c9\",\n \"https://git.kernel.org/stable/c/2a4c6af7934a7b4c304542c38fee35e09cc1770c\",\n \"https://git.kernel.org/stable/c/56f96cf6eb11a1c2d594367c3becbfb06a855ec1\",\n \"https://git.kernel.org/stable/c/e0f83c234ea7a3dec1f84e5d02caa1c51664a076\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/bridge: sii902x: Fix probing race issue\\n\\nA null pointer dereference crash has been observed rarely on TI\\nplatforms using sii9022 bridge:\\n\\n[ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x]\\n[ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x]\\n[ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm]\\n[ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\\n[ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\\n[ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm]\\n[ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\\n[ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\\n[ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\\n[ 53.326401] drm_client_register+0x5c/0xa0 [drm]\\n[ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\\n[ 53.336881] tidss_probe+0x128/0x264 [tidss]\\n[ 53.341174] platform_probe+0x68/0xc4\\n[ 53.344841] really_probe+0x188/0x3c4\\n[ 53.348501] __driver_probe_device+0x7c/0x16c\\n[ 53.352854] driver_probe_device+0x3c/0x10c\\n[ 53.357033] __device_attach_driver+0xbc/0x158\\n[ 53.361472] bus_for_each_drv+0x88/0xe8\\n[ 53.365303] __device_attach+0xa0/0x1b4\\n[ 53.369135] device_initial_probe+0x14/0x20\\n[ 53.373314] bus_probe_device+0xb0/0xb4\\n[ 53.377145] deferred_probe_work_func+0xcc/0x124\\n[ 53.381757] process_one_work+0x1f0/0x518\\n[ 53.385770] worker_thread+0x1e8/0x3dc\\n[ 53.389519] kthread+0x11c/0x120\\n[ 53.392750] ret_from_fork+0x10/0x20\\n\\nThe issue here is as follows:\\n\\n- tidss probes, but is deferred as sii902x is still missing.\\n- sii902x starts probing and enters sii902x_init().\\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\\n DRM's perspective.\\n- sii902x calls sii902x_audio_codec_init() and\\n platform_device_register_data()\\n- The registration of the audio platform device causes probing of the\\n deferred devices.\\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\\n called.\\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\\n However, the sii902x driver has not set up the i2c part yet, leading\\n to the crash.\\n\\nFix this by moving the drm_bridge_add() to the end of the\\nsii902x_init(), which is also at the very end of sii902x_probe().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26607\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26629", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26629" + }, + { + "url": "https://git.kernel.org/stable/c/8f5b860de87039b007e84a28a5eefc888154e098" + }, + { + "url": "https://git.kernel.org/stable/c/99fb654d01dc3f08b5905c663ad6c89a9d83302f" + }, + { + "url": "https://git.kernel.org/stable/c/b7d2eee1f53899b53f069bba3a59a419fc3d331b" + }, + { + "url": "https://git.kernel.org/stable/c/c6f8b3fcc62725e4129f2c0fd550d022d4a7685a" + }, + { + "url": "https://git.kernel.org/stable/c/e4cf8941664cae2f89f0189c29fe2ce8c6be0d03" + }, + { + "url": "https://git.kernel.org/stable/c/edcf9725150e42beeca42d085149f4c88fa97afd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26629 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26629", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix RELEASE_LOCKOWNER\n\nThe test on so_count in nfsd4_release_lockowner() is nonsense and\nharmful. Revert to using check_for_locks(), changing that to not sleep.\n\nFirst: harmful.\nAs is documented in the kdoc comment for nfsd4_release_lockowner(), the\ntest on so_count can transiently return a false positive resulting in a\nreturn of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is\nclearly a protocol violation and with the Linux NFS client it can cause\nincorrect behaviour.\n\nIf RELEASE_LOCKOWNER is sent while some other thread is still\nprocessing a LOCK request which failed because, at the time that request\nwas received, the given owner held a conflicting lock, then the nfsd\nthread processing that LOCK request can hold a reference (conflock) to\nthe lock owner that causes nfsd4_release_lockowner() to return an\nincorrect error.\n\nThe Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it\nnever sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so\nit knows that the error is impossible. It assumes the lock owner was in\nfact released so it feels free to use the same lock owner identifier in\nsome later locking request.\n\nWhen it does reuse a lock owner identifier for which a previous RELEASE\nfailed, it will naturally use a lock_seqid of zero. However the server,\nwhich didn't release the lock owner, will expect a larger lock_seqid and\nso will respond with NFS4ERR_BAD_SEQID.\n\nSo clearly it is harmful to allow a false positive, which testing\nso_count allows.\n\nThe test is nonsense because ... well... it doesn't mean anything.\n\nso_count is the sum of three different counts.\n1/ the set of states listed on so_stateids\n2/ the set of active vfs locks owned by any of those states\n3/ various transient counts such as for conflicting locks.\n\nWhen it is tested against '2' it is clear that one of these is the\ntransient reference obtained by find_lockowner_str_locked(). It is not\nclear what the other one is expected to be.\n\nIn practice, the count is often 2 because there is precisely one state\non so_stateids. If there were more, this would fail.\n\nIn my testing I see two circumstances when RELEASE_LOCKOWNER is called.\nIn one case, CLOSE is called before RELEASE_LOCKOWNER. That results in\nall the lock states being removed, and so the lockowner being discarded\n(it is removed when there are no more references which usually happens\nwhen the lock state is discarded). When nfsd4_release_lockowner() finds\nthat the lock owner doesn't exist, it returns success.\n\nThe other case shows an so_count of '2' and precisely one state listed\nin so_stateid. It appears that the Linux client uses a separate lock\nowner for each file resulting in one lock state per lock owner, so this\ntest on '2' is safe. For another client it might not be safe.\n\nSo this patch changes check_for_locks() to use the (newish)\nfind_any_file_locked() so that it doesn't take a reference on the\nnfs4_file and so never calls nfsd_file_put(), and so never sleeps. With\nthis check is it safe to restore the use of check_for_locks() rather\nthan testing so_count against the mysterious '2'.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26629\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26629\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26629\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26629\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26629\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8f5b860de87039b007e84a28a5eefc888154e098\",\n \"https://git.kernel.org/stable/c/99fb654d01dc3f08b5905c663ad6c89a9d83302f\",\n \"https://git.kernel.org/stable/c/b7d2eee1f53899b53f069bba3a59a419fc3d331b\",\n \"https://git.kernel.org/stable/c/c6f8b3fcc62725e4129f2c0fd550d022d4a7685a\",\n \"https://git.kernel.org/stable/c/e4cf8941664cae2f89f0189c29fe2ce8c6be0d03\",\n \"https://git.kernel.org/stable/c/edcf9725150e42beeca42d085149f4c88fa97afd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfsd: fix RELEASE_LOCKOWNER\\n\\nThe test on so_count in nfsd4_release_lockowner() is nonsense and\\nharmful. Revert to using check_for_locks(), changing that to not sleep.\\n\\nFirst: harmful.\\nAs is documented in the kdoc comment for nfsd4_release_lockowner(), the\\ntest on so_count can transiently return a false positive resulting in a\\nreturn of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is\\nclearly a protocol violation and with the Linux NFS client it can cause\\nincorrect behaviour.\\n\\nIf RELEASE_LOCKOWNER is sent while some other thread is still\\nprocessing a LOCK request which failed because, at the time that request\\nwas received, the given owner held a conflicting lock, then the nfsd\\nthread processing that LOCK request can hold a reference (conflock) to\\nthe lock owner that causes nfsd4_release_lockowner() to return an\\nincorrect error.\\n\\nThe Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it\\nnever sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so\\nit knows that the error is impossible. It assumes the lock owner was in\\nfact released so it feels free to use the same lock owner identifier in\\nsome later locking request.\\n\\nWhen it does reuse a lock owner identifier for which a previous RELEASE\\nfailed, it will naturally use a lock_seqid of zero. However the server,\\nwhich didn't release the lock owner, will expect a larger lock_seqid and\\nso will respond with NFS4ERR_BAD_SEQID.\\n\\nSo clearly it is harmful to allow a false positive, which testing\\nso_count allows.\\n\\nThe test is nonsense because ... well... it doesn't mean anything.\\n\\nso_count is the sum of three different counts.\\n1/ the set of states listed on so_stateids\\n2/ the set of active vfs locks owned by any of those states\\n3/ various transient counts such as for conflicting locks.\\n\\nWhen it is tested against '2' it is clear that one of these is the\\ntransient reference obtained by find_lockowner_str_locked(). It is not\\nclear what the other one is expected to be.\\n\\nIn practice, the count is often 2 because there is precisely one state\\non so_stateids. If there were more, this would fail.\\n\\nIn my testing I see two circumstances when RELEASE_LOCKOWNER is called.\\nIn one case, CLOSE is called before RELEASE_LOCKOWNER. That results in\\nall the lock states being removed, and so the lockowner being discarded\\n(it is removed when there are no more references which usually happens\\nwhen the lock state is discarded). When nfsd4_release_lockowner() finds\\nthat the lock owner doesn't exist, it returns success.\\n\\nThe other case shows an so_count of '2' and precisely one state listed\\nin so_stateid. It appears that the Linux client uses a separate lock\\nowner for each file resulting in one lock state per lock owner, so this\\ntest on '2' is safe. For another client it might not be safe.\\n\\nSo this patch changes check_for_locks() to use the (newish)\\nfind_any_file_locked() so that it doesn't take a reference on the\\nnfs4_file and so never calls nfsd_file_put(), and so never sleeps. With\\nthis check is it safe to restore the use of check_for_locks() rather\\nthan testing so_count against the mysterious '2'.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26629\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26639", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26639" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26639 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26639", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26639\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26639\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26639\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26639\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26639\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26639\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26642", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26642" + }, + { + "url": "https://git.kernel.org/stable/c/16603605b667b70da974bea8216c93e7db043bf1" + }, + { + "url": "https://git.kernel.org/stable/c/72c1efe3f247a581667b7d368fff3bd9a03cd57a" + }, + { + "url": "https://git.kernel.org/stable/c/7cdc1be24cc1bcd56a3e89ac4aef20e31ad09199" + }, + { + "url": "https://git.kernel.org/stable/c/8e07c16695583a66e81f67ce4c46e94dece47ba7" + }, + { + "url": "https://git.kernel.org/stable/c/c0c2176d1814b92ea4c8e7eb7c9cd94cd99c1b12" + }, + { + "url": "https://git.kernel.org/stable/c/e4988d8415bd0294d6f9f4a1e7095f8b50a97ca9" + }, + { + "url": "https://git.kernel.org/stable/c/e9a0d3f376eb356d54ffce36e7cc37514cbfbd6f" + }, + { + "url": "https://git.kernel.org/stable/c/fe40ffbca19dc70d7c6b1e3c77b9ccb404c57351" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26642 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26642", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow anonymous set with timeout flag\n\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26642\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26642\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26642\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26642\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26642\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16603605b667b70da974bea8216c93e7db043bf1\",\n \"https://git.kernel.org/stable/c/72c1efe3f247a581667b7d368fff3bd9a03cd57a\",\n \"https://git.kernel.org/stable/c/7cdc1be24cc1bcd56a3e89ac4aef20e31ad09199\",\n \"https://git.kernel.org/stable/c/8e07c16695583a66e81f67ce4c46e94dece47ba7\",\n \"https://git.kernel.org/stable/c/c0c2176d1814b92ea4c8e7eb7c9cd94cd99c1b12\",\n \"https://git.kernel.org/stable/c/e4988d8415bd0294d6f9f4a1e7095f8b50a97ca9\",\n \"https://git.kernel.org/stable/c/e9a0d3f376eb356d54ffce36e7cc37514cbfbd6f\",\n \"https://git.kernel.org/stable/c/fe40ffbca19dc70d7c6b1e3c77b9ccb404c57351\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: disallow anonymous set with timeout flag\\n\\nAnonymous sets are never used with timeout from userspace, reject this.\\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26642\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26647", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26647" + }, + { + "url": "https://git.kernel.org/stable/c/3bb9b1f958c3d986ed90a3ff009f1e77e9553207" + }, + { + "url": "https://git.kernel.org/stable/c/6aa5ede6665122f4c8abce3c6eba06b49e54d25c" + }, + { + "url": "https://git.kernel.org/stable/c/cf656fc7276e5b3709a81bc9d9639459be2b2647" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26647 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26647", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()'\n\nIn link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc'\nwas dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc'\nNULL pointer check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/link_dpms.c:905 link_set_dsc_pps_packet() warn: variable dereferenced before check 'dsc' (see line 903)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26647\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26647\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26647\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26647\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26647\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3bb9b1f958c3d986ed90a3ff009f1e77e9553207\",\n \"https://git.kernel.org/stable/c/6aa5ede6665122f4c8abce3c6eba06b49e54d25c\",\n \"https://git.kernel.org/stable/c/cf656fc7276e5b3709a81bc9d9639459be2b2647\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()'\\n\\nIn link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc'\\nwas dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc'\\nNULL pointer check.\\n\\nFixes the below:\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/link_dpms.c:905 link_set_dsc_pps_packet() warn: variable dereferenced before check 'dsc' (see line 903)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26647\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26648", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26648" + }, + { + "url": "https://git.kernel.org/stable/c/22ae604aea14756954e1c00ae653e34d2afd2935" + }, + { + "url": "https://git.kernel.org/stable/c/7073934f5d73f8b53308963cee36f0d389ea857c" + }, + { + "url": "https://git.kernel.org/stable/c/c02d257c654191ecda1dc1af6875d527e85310e7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26648 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26648", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()\n\nIn edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay'\nwas dereferenced before the pointer 'link' & 'replay' NULL check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26648\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26648\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26648\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26648\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26648\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22ae604aea14756954e1c00ae653e34d2afd2935\",\n \"https://git.kernel.org/stable/c/7073934f5d73f8b53308963cee36f0d389ea857c\",\n \"https://git.kernel.org/stable/c/c02d257c654191ecda1dc1af6875d527e85310e7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()\\n\\nIn edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay'\\nwas dereferenced before the pointer 'link' & 'replay' NULL check.\\n\\nFixes the below:\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26648\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26654", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26654" + }, + { + "url": "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457" + }, + { + "url": "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04" + }, + { + "url": "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2" + }, + { + "url": "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901" + }, + { + "url": "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5" + }, + { + "url": "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046" + }, + { + "url": "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845" + }, + { + "url": "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3" + }, + { + "url": "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26654 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26654", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n (Thread 1) | (Thread 2)\nsnd_aicapcm_pcm_close() |\n ... | run_spu_dma() //worker\n | mod_timer()\n flush_work() |\n del_timer() | aica_period_elapsed() //timer\n kfree(dreamcastcard->channel) | schedule_work()\n | run_spu_dma() //worker\n ... | dreamcastcard->channel-> //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26654\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26654\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26654\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26654\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26654\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457\",\n \"https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04\",\n \"https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2\",\n \"https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901\",\n \"https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5\",\n \"https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046\",\n \"https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845\",\n \"https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3\",\n \"https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\\n\\nThe dreamcastcard->timer could schedule the spu_dma_work and the\\nspu_dma_work could also arm the dreamcastcard->timer.\\n\\nWhen the snd_pcm_substream is closing, the aica_channel will be\\ndeallocated. But it could still be dereferenced in the worker\\nthread. The reason is that del_timer() will return directly\\nregardless of whether the timer handler is running or not and\\nthe worker could be rescheduled in the timer handler. As a result,\\nthe UAF bug will happen. The racy situation is shown below:\\n\\n (Thread 1) | (Thread 2)\\nsnd_aicapcm_pcm_close() |\\n ... | run_spu_dma() //worker\\n | mod_timer()\\n flush_work() |\\n del_timer() | aica_period_elapsed() //timer\\n kfree(dreamcastcard->channel) | schedule_work()\\n | run_spu_dma() //worker\\n ... | dreamcastcard->channel-> //USE\\n\\nIn order to mitigate this bug and other possible corner cases,\\ncall mod_timer() conditionally in run_spu_dma(), then implement\\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\\nop will be called from PCM core appropriately when needed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26654\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26656", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26656" + }, + { + "url": "https://git.kernel.org/stable/c/22207fd5c80177b860279653d017474b2812af5e" + }, + { + "url": "https://git.kernel.org/stable/c/22f665ecfd1225afa1309ace623157d12bb9bb0c" + }, + { + "url": "https://git.kernel.org/stable/c/af054a5fb24a144f99895afce9519d709891894c" + }, + { + "url": "https://git.kernel.org/stable/c/e87e08c94c9541b4e18c4c13f2f605935f512605" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26656 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26656", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free bug\n\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung .\nFor example the following code:\n\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\n\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\n\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\n\n[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[ +0.000010] Call Trace:\n[ +0.000006] \n[ +0.000007] ? show_regs+0x6a/0x80\n[ +0.000018] ? __warn+0xa5/0x1b0\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000018] ? report_bug+0x24a/0x290\n[ +0.000022] ? handle_bug+0x46/0x90\n[ +0.000015] ? exc_invalid_op+0x19/0x50\n[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20\n[ +0.000017] ? kasan_save_stack+0x26/0x50\n[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? __kasan_check_read+0x11/0x20\n[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[ +0.004291] ? do_syscall_64+0x5f/0xe0\n[ +0.000023] ? srso_return_thunk+0x5/0x5f\n[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]\n[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004270] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20\n[ +0.000015] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0\n[ +0.000020] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]\n[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26656\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26656\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26656\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26656\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26656\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22207fd5c80177b860279653d017474b2812af5e\",\n \"https://git.kernel.org/stable/c/22f665ecfd1225afa1309ace623157d12bb9bb0c\",\n \"https://git.kernel.org/stable/c/af054a5fb24a144f99895afce9519d709891894c\",\n \"https://git.kernel.org/stable/c/e87e08c94c9541b4e18c4c13f2f605935f512605\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: fix use-after-free bug\\n\\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\\nThe bug was reported by Joonkyo Jung .\\nFor example the following code:\\n\\nstatic void Syzkaller1(int fd)\\n{\\n\\tstruct drm_amdgpu_gem_userptr arg;\\n\\tint ret;\\n\\n\\targ.addr = 0xffffffffffff0000;\\n\\targ.size = 0x80000000; /*2 Gb*/\\n\\targ.flags = 0x7;\\n\\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\\n}\\n\\nDue to the address and size are not valid there is a failure in\\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\\namdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.\\nThe following stack is below when the issue is reproduced when Kazan is enabled:\\n\\n[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\\n[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\\n[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\\n[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\\n[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\\n[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\\n[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\\n[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\\n[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\\n[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\\n[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\\n[ +0.000010] Call Trace:\\n[ +0.000006] \\n[ +0.000007] ? show_regs+0x6a/0x80\\n[ +0.000018] ? __warn+0xa5/0x1b0\\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\\n[ +0.000018] ? report_bug+0x24a/0x290\\n[ +0.000022] ? handle_bug+0x46/0x90\\n[ +0.000015] ? exc_invalid_op+0x19/0x50\\n[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20\\n[ +0.000017] ? kasan_save_stack+0x26/0x50\\n[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340\\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\\n[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340\\n[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10\\n[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30\\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\\n[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0\\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\\n[ +0.000013] ? __kasan_check_read+0x11/0x20\\n[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\\n[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\\n[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\\n[ +0.004291] ? do_syscall_64+0x5f/0xe0\\n[ +0.000023] ? srso_return_thunk+0x5/0x5f\\n[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]\\n[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\\n[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\\n[ +0.004270] ? srso_return_thunk+0x5/0x5f\\n[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20\\n[ +0.000015] ? srso_return_thunk+0x5/0x5f\\n[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0\\n[ +0.000020] ? srso_return_thunk+0x5/0x5f\\n[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\\n[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\\n[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\\n[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]\\n[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]\\n[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\\n[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26656\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26658", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26658" + }, + { + "url": "https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec" + }, + { + "url": "https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26658 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26658", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: grab s_umount only if snapshotting\n\nWhen I was testing mongodb over bcachefs with compression,\nthere is a lockdep warning when snapshotting mongodb data volume.\n\n$ cat test.sh\nprog=bcachefs\n\n$prog subvolume create /mnt/data\n$prog subvolume create /mnt/data/snapshots\n\nwhile true;do\n $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\n sleep 1s\ndone\n\n$ cat /etc/mongodb.conf\nsystemLog:\n destination: file\n logAppend: true\n path: /mnt/data/mongod.log\n\nstorage:\n dbPath: /mnt/data/\n\nlockdep reports:\n[ 3437.452330] ======================================================\n[ 3437.452750] WARNING: possible circular locking dependency detected\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G E\n[ 3437.453562] ------------------------------------------------------\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\n[ 3437.454875]\n but task is already holding lock:\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.456009]\n which lock already depends on the new lock.\n\n[ 3437.456553]\n the existing dependency chain (in reverse order) is:\n[ 3437.457054]\n -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\n[ 3437.457507] down_read+0x3e/0x170\n[ 3437.457772] bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.458206] __x64_sys_ioctl+0x93/0xd0\n[ 3437.458498] do_syscall_64+0x42/0xf0\n[ 3437.458779] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.459155]\n -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\n[ 3437.459615] down_read+0x3e/0x170\n[ 3437.459878] bch2_truncate+0x82/0x110 [bcachefs]\n[ 3437.460276] bchfs_truncate+0x254/0x3c0 [bcachefs]\n[ 3437.460686] notify_change+0x1f1/0x4a0\n[ 3437.461283] do_truncate+0x7f/0xd0\n[ 3437.461555] path_openat+0xa57/0xce0\n[ 3437.461836] do_filp_open+0xb4/0x160\n[ 3437.462116] do_sys_openat2+0x91/0xc0\n[ 3437.462402] __x64_sys_openat+0x53/0xa0\n[ 3437.462701] do_syscall_64+0x42/0xf0\n[ 3437.462982] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.463359]\n -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\n[ 3437.463843] down_write+0x3b/0xc0\n[ 3437.464223] bch2_write_iter+0x5b/0xcc0 [bcachefs]\n[ 3437.464493] vfs_write+0x21b/0x4c0\n[ 3437.464653] ksys_write+0x69/0xf0\n[ 3437.464839] do_syscall_64+0x42/0xf0\n[ 3437.465009] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.465231]\n -> #0 (sb_writers#10){.+.+}-{0:0}:\n[ 3437.465471] __lock_acquire+0x1455/0x21b0\n[ 3437.465656] lock_acquire+0xc6/0x2b0\n[ 3437.465822] mnt_want_write+0x46/0x1a0\n[ 3437.465996] filename_create+0x62/0x190\n[ 3437.466175] user_path_create+0x2d/0x50\n[ 3437.466352] bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\n[ 3437.466617] __x64_sys_ioctl+0x93/0xd0\n[ 3437.466791] do_syscall_64+0x42/0xf0\n[ 3437.466957] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.467180]\n other info that might help us debug this:\n\n[ 3437.469670] 2 locks held by bcachefs/35533:\n other info that might help us debug this:\n\n[ 3437.467507] Chain exists of:\n sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\n\n[ 3437.467979] Possible unsafe locking scenario:\n\n[ 3437.468223] CPU0 CPU1\n[ 3437.468405] ---- ----\n[ 3437.468585] rlock(&type->s_umount_key#48);\n[ 3437.468758] lock(&c->snapshot_create_lock);\n[ 3437.469030] lock(&type->s_umount_key#48);\n[ 3437.469291] rlock(sb_writers#10);\n[ 3437.469434]\n *** DEADLOCK ***\n\n[ 3437.469\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26658\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26658\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26658\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26658\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26658\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec\",\n \"https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbcachefs: grab s_umount only if snapshotting\\n\\nWhen I was testing mongodb over bcachefs with compression,\\nthere is a lockdep warning when snapshotting mongodb data volume.\\n\\n$ cat test.sh\\nprog=bcachefs\\n\\n$prog subvolume create /mnt/data\\n$prog subvolume create /mnt/data/snapshots\\n\\nwhile true;do\\n $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\\n sleep 1s\\ndone\\n\\n$ cat /etc/mongodb.conf\\nsystemLog:\\n destination: file\\n logAppend: true\\n path: /mnt/data/mongod.log\\n\\nstorage:\\n dbPath: /mnt/data/\\n\\nlockdep reports:\\n[ 3437.452330] ======================================================\\n[ 3437.452750] WARNING: possible circular locking dependency detected\\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G E\\n[ 3437.453562] ------------------------------------------------------\\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\\n[ 3437.454875]\\n but task is already holding lock:\\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\\n[ 3437.456009]\\n which lock already depends on the new lock.\\n\\n[ 3437.456553]\\n the existing dependency chain (in reverse order) is:\\n[ 3437.457054]\\n -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\\n[ 3437.457507] down_read+0x3e/0x170\\n[ 3437.457772] bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\\n[ 3437.458206] __x64_sys_ioctl+0x93/0xd0\\n[ 3437.458498] do_syscall_64+0x42/0xf0\\n[ 3437.458779] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ 3437.459155]\\n -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\\n[ 3437.459615] down_read+0x3e/0x170\\n[ 3437.459878] bch2_truncate+0x82/0x110 [bcachefs]\\n[ 3437.460276] bchfs_truncate+0x254/0x3c0 [bcachefs]\\n[ 3437.460686] notify_change+0x1f1/0x4a0\\n[ 3437.461283] do_truncate+0x7f/0xd0\\n[ 3437.461555] path_openat+0xa57/0xce0\\n[ 3437.461836] do_filp_open+0xb4/0x160\\n[ 3437.462116] do_sys_openat2+0x91/0xc0\\n[ 3437.462402] __x64_sys_openat+0x53/0xa0\\n[ 3437.462701] do_syscall_64+0x42/0xf0\\n[ 3437.462982] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ 3437.463359]\\n -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\\n[ 3437.463843] down_write+0x3b/0xc0\\n[ 3437.464223] bch2_write_iter+0x5b/0xcc0 [bcachefs]\\n[ 3437.464493] vfs_write+0x21b/0x4c0\\n[ 3437.464653] ksys_write+0x69/0xf0\\n[ 3437.464839] do_syscall_64+0x42/0xf0\\n[ 3437.465009] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ 3437.465231]\\n -> #0 (sb_writers#10){.+.+}-{0:0}:\\n[ 3437.465471] __lock_acquire+0x1455/0x21b0\\n[ 3437.465656] lock_acquire+0xc6/0x2b0\\n[ 3437.465822] mnt_want_write+0x46/0x1a0\\n[ 3437.465996] filename_create+0x62/0x190\\n[ 3437.466175] user_path_create+0x2d/0x50\\n[ 3437.466352] bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\\n[ 3437.466617] __x64_sys_ioctl+0x93/0xd0\\n[ 3437.466791] do_syscall_64+0x42/0xf0\\n[ 3437.466957] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ 3437.467180]\\n other info that might help us debug this:\\n\\n[ 3437.469670] 2 locks held by bcachefs/35533:\\n other info that might help us debug this:\\n\\n[ 3437.467507] Chain exists of:\\n sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\\n\\n[ 3437.467979] Possible unsafe locking scenario:\\n\\n[ 3437.468223] CPU0 CPU1\\n[ 3437.468405] ---- ----\\n[ 3437.468585] rlock(&type->s_umount_key#48);\\n[ 3437.468758] lock(&c->snapshot_create_lock);\\n[ 3437.469030] lock(&type->s_umount_key#48);\\n[ 3437.469291] rlock(sb_writers#10);\\n[ 3437.469434]\\n *** DEADLOCK ***\\n\\n[ 3437.469\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26658\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26661", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26661" + }, + { + "url": "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a" + }, + { + "url": "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667" + }, + { + "url": "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26661 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26661", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\n\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26661\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26661\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26661\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26661\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26661\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a\",\n \"https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667\",\n \"https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\\n\\nIn \\\"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\\\"\\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\\nensure the tg is not NULL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26661\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26662", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26662" + }, + { + "url": "https://git.kernel.org/stable/c/0c863cab0e9173f8b6c7bc328bee3b8625f131b5" + }, + { + "url": "https://git.kernel.org/stable/c/2e150ccea13129eb048679114808eb9770443e4d" + }, + { + "url": "https://git.kernel.org/stable/c/e96fddb32931d007db12b1fce9b5e8e4c080401b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26662 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26662", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'\n\n'panel_cntl' structure used to control the display panel could be null,\ndereferencing it could lead to a null pointer access.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26662\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26662\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26662\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26662\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26662\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c863cab0e9173f8b6c7bc328bee3b8625f131b5\",\n \"https://git.kernel.org/stable/c/2e150ccea13129eb048679114808eb9770443e4d\",\n \"https://git.kernel.org/stable/c/e96fddb32931d007db12b1fce9b5e8e4c080401b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'\\n\\n'panel_cntl' structure used to control the display panel could be null,\\ndereferencing it could lead to a null pointer access.\\n\\nFixes the below:\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26662\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26669", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26669" + }, + { + "url": "https://git.kernel.org/stable/c/32f2a0afa95fae0d1ceec2ff06e0e816939964b8" + }, + { + "url": "https://git.kernel.org/stable/c/9ed46144cff3598a5cf79955630e795ff9af5b97" + }, + { + "url": "https://git.kernel.org/stable/c/c04709b2cc99ae31c346f79f0211752d7b74df01" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26669 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26669", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: Fix chain template offload\n\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\n\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\n\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\n\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\n\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[......\n 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc+0x4e/0x90\n [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n [] ___sys_sendmsg+0x13a/0x1e0\n [] __sys_sendmsg+0x11c/0x1f0\n [] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8.....\n 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m....\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc_node+0x51/0x90\n [] kvmalloc_node+0xa6/0x1f0\n [] bucket_table_alloc.isra.0+0x83/0x460\n [] rhashtable_init+0x43b/0x7c0\n [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26669\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26669\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26669\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26669\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26669\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32f2a0afa95fae0d1ceec2ff06e0e816939964b8\",\n \"https://git.kernel.org/stable/c/9ed46144cff3598a5cf79955630e795ff9af5b97\",\n \"https://git.kernel.org/stable/c/c04709b2cc99ae31c346f79f0211752d7b74df01\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: flower: Fix chain template offload\\n\\nWhen a qdisc is deleted from a net device the stack instructs the\\nunderlying driver to remove its flow offload callback from the\\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\\nthen continues to replay the removal of the filters in the block for\\nthis driver by iterating over the chains in the block and invoking the\\n'reoffload' operation of the classifier being used. In turn, the\\nclassifier in its 'reoffload' operation prepares and emits a\\n'FLOW_CLS_DESTROY' command for each filter.\\n\\nHowever, the stack does not do the same for chain templates and the\\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\\na qdisc is deleted. This results in a memory leak [1] which can be\\nreproduced using [2].\\n\\nFix by introducing a 'tmplt_reoffload' operation and have the stack\\ninvoke it with the appropriate arguments as part of the replay.\\nImplement the operation in the sole classifier that supports chain\\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\\ncommand based on whether a flow offload callback is being bound to a\\nfilter block or being unbound from one.\\n\\nAs far as I can tell, the issue happens since cited commit which\\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\\nin __tcf_block_put(). The order cannot be reversed as the filter block\\nis expected to be freed after flushing all the chains.\\n\\n[1]\\nunreferenced object 0xffff888107e28800 (size 2048):\\n comm \\\"tc\\\", pid 1079, jiffies 4294958525 (age 3074.287s)\\n hex dump (first 32 bytes):\\n b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[......\\n 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................\\n backtrace:\\n [] __kmem_cache_alloc_node+0x1e8/0x320\\n [] __kmalloc+0x4e/0x90\\n [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\\n [] tc_setup_cb_call+0x183/0x340\\n [] fl_tmplt_create+0x3da/0x4c0\\n [] tc_ctl_chain+0xa15/0x1170\\n [] rtnetlink_rcv_msg+0x3cc/0xed0\\n [] netlink_rcv_skb+0x170/0x440\\n [] netlink_unicast+0x540/0x820\\n [] netlink_sendmsg+0x8d8/0xda0\\n [] ____sys_sendmsg+0x30f/0xa80\\n [] ___sys_sendmsg+0x13a/0x1e0\\n [] __sys_sendmsg+0x11c/0x1f0\\n [] do_syscall_64+0x40/0xe0\\nunreferenced object 0xffff88816d2c0400 (size 1024):\\n comm \\\"tc\\\", pid 1079, jiffies 4294958525 (age 3074.287s)\\n hex dump (first 32 bytes):\\n 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8.....\\n 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m....\\n backtrace:\\n [] __kmem_cache_alloc_node+0x1e8/0x320\\n [] __kmalloc_node+0x51/0x90\\n [] kvmalloc_node+0xa6/0x1f0\\n [] bucket_table_alloc.isra.0+0x83/0x460\\n [] rhashtable_init+0x43b/0x7c0\\n [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\\n [] tc_setup_cb_call+0x183/0x340\\n [] fl_tmplt_create+0x3da/0x4c0\\n [] tc_ctl_chain+0xa15/0x1170\\n [] rtnetlink_rcv_msg+0x3cc/0xed0\\n [] netlink_rcv_skb+0x170/0x440\\n [] netlink_unicast+0x540/0x820\\n [] netlink_sendmsg+0x8d8/0xda0\\n [] ____sys_sendmsg+0x30f/0xa80\\n\\n[2]\\n # tc qdisc add dev swp1 clsact\\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\\n # tc qdisc del dev\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26669\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26672", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26672" + }, + { + "url": "https://git.kernel.org/stable/c/4f32504a2f85a7b40fe149436881381f48e9c0c0" + }, + { + "url": "https://git.kernel.org/stable/c/7b5d58c07024516c0e81b95e98f37710cf402c53" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26672 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26672", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368)\n\n357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev,\n\t\t\t\t enum amdgpu_mca_error_type type,\n358 int idx, struct mca_bank_entry *entry)\n359 {\n360 const struct amdgpu_mca_smu_funcs *mca_funcs =\n\t\t\t\t\t\tadev->mca.mca_funcs;\n361 int count;\n362\n363 switch (type) {\n364 case AMDGPU_MCA_ERROR_TYPE_UE:\n365 count = mca_funcs->max_ue_count;\n\nmca_funcs is dereferenced here.\n\n366 break;\n367 case AMDGPU_MCA_ERROR_TYPE_CE:\n368 count = mca_funcs->max_ce_count;\n\nmca_funcs is dereferenced here.\n\n369 break;\n370 default:\n371 return -EINVAL;\n372 }\n373\n374 if (idx >= count)\n375 return -EINVAL;\n376\n377 if (mca_funcs && mca_funcs->mca_get_mca_entry)\n\t ^^^^^^^^^\n\nChecked too late!", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26672\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26672\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26672\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26672\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26672\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4f32504a2f85a7b40fe149436881381f48e9c0c0\",\n \"https://git.kernel.org/stable/c/7b5d58c07024516c0e81b95e98f37710cf402c53\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'\\n\\nFixes the below:\\n\\ndrivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368)\\n\\n357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev,\\n\\t\\t\\t\\t enum amdgpu_mca_error_type type,\\n358 int idx, struct mca_bank_entry *entry)\\n359 {\\n360 const struct amdgpu_mca_smu_funcs *mca_funcs =\\n\\t\\t\\t\\t\\t\\tadev->mca.mca_funcs;\\n361 int count;\\n362\\n363 switch (type) {\\n364 case AMDGPU_MCA_ERROR_TYPE_UE:\\n365 count = mca_funcs->max_ue_count;\\n\\nmca_funcs is dereferenced here.\\n\\n366 break;\\n367 case AMDGPU_MCA_ERROR_TYPE_CE:\\n368 count = mca_funcs->max_ce_count;\\n\\nmca_funcs is dereferenced here.\\n\\n369 break;\\n370 default:\\n371 return -EINVAL;\\n372 }\\n373\\n374 if (idx >= count)\\n375 return -EINVAL;\\n376\\n377 if (mca_funcs && mca_funcs->mca_get_mca_entry)\\n\\t ^^^^^^^^^\\n\\nChecked too late!\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26672\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26677", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26677" + }, + { + "url": "https://git.kernel.org/stable/c/200cb50b9e154434470c8969d32474d38475acc2" + }, + { + "url": "https://git.kernel.org/stable/c/63719f490e6a89896e9a463d2b45e8203eab23ae" + }, + { + "url": "https://git.kernel.org/stable/c/e7870cf13d20f56bfc19f9c3e89707c69cf104ef" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26677 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26677", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix delayed ACKs to not set the reference serial number\n\nFix the construction of delayed ACKs to not set the reference serial number\nas they can't be used as an RTT reference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26677\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26677\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26677\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26677\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26677\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/200cb50b9e154434470c8969d32474d38475acc2\",\n \"https://git.kernel.org/stable/c/63719f490e6a89896e9a463d2b45e8203eab23ae\",\n \"https://git.kernel.org/stable/c/e7870cf13d20f56bfc19f9c3e89707c69cf104ef\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrxrpc: Fix delayed ACKs to not set the reference serial number\\n\\nFix the construction of delayed ACKs to not set the reference serial number\\nas they can't be used as an RTT reference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26677\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26680", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26680" + }, + { + "url": "https://git.kernel.org/stable/c/004fe5b7f59286a926a45e0cafc7870e9cdddd56" + }, + { + "url": "https://git.kernel.org/stable/c/2e7d3b67630dfd8f178c41fa2217aa00e79a5887" + }, + { + "url": "https://git.kernel.org/stable/c/466ceebe48cbba3f4506f165fca7111f9eb8bb12" + }, + { + "url": "https://git.kernel.org/stable/c/e42e334c645575be5432adee224975d4f536fdb1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26680 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26680", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: Fix DMA mapping for PTP hwts ring\n\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\n\nTrace:\n[ 215.351607] ------------[ cut here ]------------\n[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[ 215.581176] Call Trace:\n[ 215.583632] \n[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.594497] ? debug_dma_free_coherent+0x196/0x210\n[ 215.599305] ? check_unmap+0xa6f/0x2360\n[ 215.603147] ? __warn+0xca/0x1d0\n[ 215.606391] ? check_unmap+0xa6f/0x2360\n[ 215.610237] ? report_bug+0x1ef/0x370\n[ 215.613921] ? handle_bug+0x3c/0x70\n[ 215.617423] ? exc_invalid_op+0x14/0x50\n[ 215.621269] ? asm_exc_invalid_op+0x16/0x20\n[ 215.625480] ? check_unmap+0xa6f/0x2360\n[ 215.629331] ? mark_lock.part.0+0xca/0xa40\n[ 215.633445] debug_dma_free_coherent+0x196/0x210\n[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10\n[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0\n[ 215.648060] dma_free_attrs+0x6d/0x130\n[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]\n[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[ 216.127540] ---[ end trace 6467e5964dd2640b ]---\n[ 216.132160] DMA-API: Mapped at:\n[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0\n[ 216.132165] dma_alloc_attrs+0xf5/0x1b0\n[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26680\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26680\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26680\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26680\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26680\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/004fe5b7f59286a926a45e0cafc7870e9cdddd56\",\n \"https://git.kernel.org/stable/c/2e7d3b67630dfd8f178c41fa2217aa00e79a5887\",\n \"https://git.kernel.org/stable/c/466ceebe48cbba3f4506f165fca7111f9eb8bb12\",\n \"https://git.kernel.org/stable/c/e42e334c645575be5432adee224975d4f536fdb1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: atlantic: Fix DMA mapping for PTP hwts ring\\n\\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\\ninto account.\\nCreate and use a specific function to free HWTS ring to fix this\\nissue.\\n\\nTrace:\\n[ 215.351607] ------------[ cut here ]------------\\n[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\\n[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\\n...\\n[ 215.581176] Call Trace:\\n[ 215.583632] \\n[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df\\n[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df\\n[ 215.594497] ? debug_dma_free_coherent+0x196/0x210\\n[ 215.599305] ? check_unmap+0xa6f/0x2360\\n[ 215.603147] ? __warn+0xca/0x1d0\\n[ 215.606391] ? check_unmap+0xa6f/0x2360\\n[ 215.610237] ? report_bug+0x1ef/0x370\\n[ 215.613921] ? handle_bug+0x3c/0x70\\n[ 215.617423] ? exc_invalid_op+0x14/0x50\\n[ 215.621269] ? asm_exc_invalid_op+0x16/0x20\\n[ 215.625480] ? check_unmap+0xa6f/0x2360\\n[ 215.629331] ? mark_lock.part.0+0xca/0xa40\\n[ 215.633445] debug_dma_free_coherent+0x196/0x210\\n[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10\\n[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0\\n[ 215.648060] dma_free_attrs+0x6d/0x130\\n[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]\\n[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]\\n...\\n[ 216.127540] ---[ end trace 6467e5964dd2640b ]---\\n[ 216.132160] DMA-API: Mapped at:\\n[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0\\n[ 216.132165] dma_alloc_attrs+0xf5/0x1b0\\n[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\\n[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\\n[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26680\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26686", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26686" + }, + { + "url": "https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071" + }, + { + "url": "https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305" + }, + { + "url": "https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26686 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26686", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\n\nlock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\n\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26686\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26686\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26686\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26686\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26686\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071\",\n \"https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305\",\n \"https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\\n\\nlock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call\\ndo_task_stat() at the same time and the process has NR_THREADS, it will\\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\\n\\nChange do_task_stat() to use sig->stats_lock to gather the statistics\\noutside of ->siglock protected section, in the likely case this code will\\nrun lockless.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26686\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26687", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26687" + }, + { + "url": "https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd" + }, + { + "url": "https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4" + }, + { + "url": "https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5" + }, + { + "url": "https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44" + }, + { + "url": "https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b" + }, + { + "url": "https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3" + }, + { + "url": "https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26687 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26687", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: close evtchn after mapping cleanup\n\nshutdown_pirq and startup_pirq are not taking the\nirq_mapping_update_lock because they can't due to lock inversion. Both\nare called with the irq_desc->lock being taking. The lock order,\nhowever, is first irq_mapping_update_lock and then irq_desc->lock.\n\nThis opens multiple races:\n- shutdown_pirq can be interrupted by a function that allocates an event\n channel:\n\n CPU0 CPU1\n shutdown_pirq {\n xen_evtchn_close(e)\n __startup_pirq {\n EVTCHNOP_bind_pirq\n -> returns just freed evtchn e\n set_evtchn_to_irq(e, irq)\n }\n xen_irq_info_cleanup() {\n set_evtchn_to_irq(e, -1)\n }\n }\n\n Assume here event channel e refers here to the same event channel\n number.\n After this race the evtchn_to_irq mapping for e is invalid (-1).\n\n- __startup_pirq races with __unbind_from_irq in a similar way. Because\n __startup_pirq doesn't take irq_mapping_update_lock it can grab the\n evtchn that __unbind_from_irq is currently freeing and cleaning up. In\n this case even though the event channel is allocated, its mapping can\n be unset in evtchn_to_irq.\n\nThe fix is to first cleanup the mappings and then close the event\nchannel. In this way, when an event channel gets allocated it's\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\nThis is also the reverse order of the allocation where first the event\nchannel is allocated and then the mappings are setup.\n\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\"xen/events: modify internal\n[un]bind interfaces\"), we hit a BUG like the following during probing of NVMe\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\nis called for every device which results in a call to shutdown_pirq.\nWith many nvme devices it's therefore likely to hit this race during\nboot because there will be multiple calls to shutdown_pirq and\nstartup_pirq are running potentially in parallel.\n\n ------------[ cut here ]------------\n blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\n kernel BUG at drivers/xen/events/events_base.c:499!\n invalid opcode: 0000 [#1] SMP PTI\n CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\n Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\n Workqueue: nvme-reset-wq nvme_reset_work\n RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\n Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\n RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\n RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\n RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\n FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? set_affinity_irq+0xdc/0x1c0\n ? __die_body.cold+0x8/0xd\n ? die+0x2b/0x50\n ? do_trap+0x90/0x110\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? do_error_trap+0x65/0x80\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? exc_invalid_op+0x4e/0x70\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? asm_exc_invalid_op+0x12/0x20\n ? bind_evtchn_to_cpu+0xdf/0x\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26687\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26687\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26687\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26687\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26687\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd\",\n \"https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4\",\n \"https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5\",\n \"https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44\",\n \"https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b\",\n \"https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3\",\n \"https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxen/events: close evtchn after mapping cleanup\\n\\nshutdown_pirq and startup_pirq are not taking the\\nirq_mapping_update_lock because they can't due to lock inversion. Both\\nare called with the irq_desc->lock being taking. The lock order,\\nhowever, is first irq_mapping_update_lock and then irq_desc->lock.\\n\\nThis opens multiple races:\\n- shutdown_pirq can be interrupted by a function that allocates an event\\n channel:\\n\\n CPU0 CPU1\\n shutdown_pirq {\\n xen_evtchn_close(e)\\n __startup_pirq {\\n EVTCHNOP_bind_pirq\\n -> returns just freed evtchn e\\n set_evtchn_to_irq(e, irq)\\n }\\n xen_irq_info_cleanup() {\\n set_evtchn_to_irq(e, -1)\\n }\\n }\\n\\n Assume here event channel e refers here to the same event channel\\n number.\\n After this race the evtchn_to_irq mapping for e is invalid (-1).\\n\\n- __startup_pirq races with __unbind_from_irq in a similar way. Because\\n __startup_pirq doesn't take irq_mapping_update_lock it can grab the\\n evtchn that __unbind_from_irq is currently freeing and cleaning up. In\\n this case even though the event channel is allocated, its mapping can\\n be unset in evtchn_to_irq.\\n\\nThe fix is to first cleanup the mappings and then close the event\\nchannel. In this way, when an event channel gets allocated it's\\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\\nThis is also the reverse order of the allocation where first the event\\nchannel is allocated and then the mappings are setup.\\n\\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\\\"xen/events: modify internal\\n[un]bind interfaces\\\"), we hit a BUG like the following during probing of NVMe\\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\\nis called for every device which results in a call to shutdown_pirq.\\nWith many nvme devices it's therefore likely to hit this race during\\nboot because there will be multiple calls to shutdown_pirq and\\nstartup_pirq are running potentially in parallel.\\n\\n ------------[ cut here ]------------\\n blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\\n kernel BUG at drivers/xen/events/events_base.c:499!\\n invalid opcode: 0000 [#1] SMP PTI\\n CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\\n Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\\n Workqueue: nvme-reset-wq nvme_reset_work\\n RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\\n Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\\n RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\\n RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\\n RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00\\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\\n FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n Call Trace:\\n ? show_trace_log_lvl+0x1c1/0x2d9\\n ? show_trace_log_lvl+0x1c1/0x2d9\\n ? set_affinity_irq+0xdc/0x1c0\\n ? __die_body.cold+0x8/0xd\\n ? die+0x2b/0x50\\n ? do_trap+0x90/0x110\\n ? bind_evtchn_to_cpu+0xdf/0xf0\\n ? do_error_trap+0x65/0x80\\n ? bind_evtchn_to_cpu+0xdf/0xf0\\n ? exc_invalid_op+0x4e/0x70\\n ? bind_evtchn_to_cpu+0xdf/0xf0\\n ? asm_exc_invalid_op+0x12/0x20\\n ? bind_evtchn_to_cpu+0xdf/0x\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26687\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26691", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26691" + }, + { + "url": "https://git.kernel.org/stable/c/10c02aad111df02088d1a81792a709f6a7eca6cc" + }, + { + "url": "https://git.kernel.org/stable/c/3ab1c40a1e915e350d9181a4603af393141970cc" + }, + { + "url": "https://git.kernel.org/stable/c/3d16cebf01127f459dcfeb79ed77bd68b124c228" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26691 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26691", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix circular locking dependency\n\nThe rule inside kvm enforces that the vcpu->mutex is taken *inside*\nkvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires\nthe kvm->lock while already holding the vcpu->mutex lock from\nkvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by\nprotecting the hyp vm handle with the config_lock, much like we already\ndo for other forms of VM-scoped data.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26691\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26691\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26691\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26691\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26691\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10c02aad111df02088d1a81792a709f6a7eca6cc\",\n \"https://git.kernel.org/stable/c/3ab1c40a1e915e350d9181a4603af393141970cc\",\n \"https://git.kernel.org/stable/c/3d16cebf01127f459dcfeb79ed77bd68b124c228\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: arm64: Fix circular locking dependency\\n\\nThe rule inside kvm enforces that the vcpu->mutex is taken *inside*\\nkvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires\\nthe kvm->lock while already holding the vcpu->mutex lock from\\nkvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by\\nprotecting the hyp vm handle with the config_lock, much like we already\\ndo for other forms of VM-scoped data.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26691\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26699", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26699" + }, + { + "url": "https://git.kernel.org/stable/c/46806e59a87790760870d216f54951a5b4d545bc" + }, + { + "url": "https://git.kernel.org/stable/c/ca400d8e0c1c9d79c08dfb6b7f966e26c8cae7fb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26699 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26699", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr\n\n[Why]\nThere is a potential memory access violation while\niterating through array of dcn35 clks.\n\n[How]\nLimit iteration per array size.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26699\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26699\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26699\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26699\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26699\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/46806e59a87790760870d216f54951a5b4d545bc\",\n \"https://git.kernel.org/stable/c/ca400d8e0c1c9d79c08dfb6b7f966e26c8cae7fb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr\\n\\n[Why]\\nThere is a potential memory access violation while\\niterating through array of dcn35 clks.\\n\\n[How]\\nLimit iteration per array size.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26699\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26700", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26700" + }, + { + "url": "https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238" + }, + { + "url": "https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f" + }, + { + "url": "https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5" + }, + { + "url": "https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26700 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26700", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix MST Null Ptr for RV\n\nThe change try to fix below error specific to RV platform:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\nHardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n ? _copy_to_user+0x25/0x30\n ? drm_ioctl+0x296/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n drm_ioctl_kernel+0xcd/0x170\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x60/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4dad17f76f\nCode: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>\nRSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f\nRDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b\nRBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc\nR13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0\n \nModules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >\n typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>\nCR2: 0000000000000008\n---[ end trace 0000000000000000 ]---\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26700\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26700\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26700\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26700\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26700\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238\",\n \"https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f\",\n \"https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5\",\n \"https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix MST Null Ptr for RV\\n\\nThe change try to fix below error specific to RV platform:\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000008\\nPGD 0 P4D 0\\nOops: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\\nHardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\\nCall Trace:\\n \\n ? __die+0x23/0x70\\n ? page_fault_oops+0x171/0x4e0\\n ? plist_add+0xbe/0x100\\n ? exc_page_fault+0x7c/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n drm_atomic_check_only+0x5c5/0xa40\\n drm_mode_atomic_ioctl+0x76e/0xbc0\\n ? _copy_to_user+0x25/0x30\\n ? drm_ioctl+0x296/0x4b0\\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\\n drm_ioctl_kernel+0xcd/0x170\\n drm_ioctl+0x26d/0x4b0\\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\\n amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n __x64_sys_ioctl+0x94/0xd0\\n do_syscall_64+0x60/0x90\\n ? do_syscall_64+0x6c/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\nRIP: 0033:0x7f4dad17f76f\\nCode: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>\\nRSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\nRAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f\\nRDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b\\nRBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003\\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc\\nR13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0\\n \\nModules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >\\n typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>\\nCR2: 0000000000000008\\n---[ end trace 0000000000000000 ]---\\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26700\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26714", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26714" + }, + { + "url": "https://git.kernel.org/stable/c/6616d3c4f8284a7b3ef978c916566bd240cea1c7" + }, + { + "url": "https://git.kernel.org/stable/c/7a3a70dd08e4b7dffc2f86f2c68fc3812804b9d0" + }, + { + "url": "https://git.kernel.org/stable/c/85e985a4f46e462a37f1875cb74ed380e7c0c2e0" + }, + { + "url": "https://git.kernel.org/stable/c/d8e36ff40cf9dadb135f3a97341c02c9a7afcc43" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26714 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26714", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: sc8180x: Mark CO0 BCM keepalive\n\nThe CO0 BCM needs to be up at all times, otherwise some hardware (like\nthe UFS controller) loses its connection to the rest of the SoC,\nresulting in a hang of the platform, accompanied by a spectacular\nlogspam.\n\nMark it as keepalive to prevent such cases.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26714\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26714\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26714\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26714\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26714\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6616d3c4f8284a7b3ef978c916566bd240cea1c7\",\n \"https://git.kernel.org/stable/c/7a3a70dd08e4b7dffc2f86f2c68fc3812804b9d0\",\n \"https://git.kernel.org/stable/c/85e985a4f46e462a37f1875cb74ed380e7c0c2e0\",\n \"https://git.kernel.org/stable/c/d8e36ff40cf9dadb135f3a97341c02c9a7afcc43\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninterconnect: qcom: sc8180x: Mark CO0 BCM keepalive\\n\\nThe CO0 BCM needs to be up at all times, otherwise some hardware (like\\nthe UFS controller) loses its connection to the rest of the SoC,\\nresulting in a hang of the platform, accompanied by a spectacular\\nlogspam.\\n\\nMark it as keepalive to prevent such cases.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26714\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26718", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26718" + }, + { + "url": "https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189" + }, + { + "url": "https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257" + }, + { + "url": "https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94" + }, + { + "url": "https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26718 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26718", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt, dm-verity: disable tasklets\n\nTasklets have an inherent problem with memory corruption. The function\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\nthe structure that contains the tasklet or if it calls some code that may\nfree it, tasklet_unlock will write into free memory.\n\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\nit is not a sufficient fix and the data corruption can still happen [1].\nThere is no fix for dm-verity and dm-verity will write into free memory\nwith every tasklet-processed bio.\n\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. They\nwill have better interface and they will not suffer from the memory\ncorruption problem.\n\nBut we need something that stops the memory corruption now and that can be\nbackported to the stable kernels. So, I'm proposing this commit that\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn't\nremove the tasklet support, because the tasklet code will be reused when\natomic workqueues will be implemented.\n\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26718\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26718\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26718\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26718\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26718\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189\",\n \"https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257\",\n \"https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94\",\n \"https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndm-crypt, dm-verity: disable tasklets\\n\\nTasklets have an inherent problem with memory corruption. The function\\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\\nthe structure that contains the tasklet or if it calls some code that may\\nfree it, tasklet_unlock will write into free memory.\\n\\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\\nit is not a sufficient fix and the data corruption can still happen [1].\\nThere is no fix for dm-verity and dm-verity will write into free memory\\nwith every tasklet-processed bio.\\n\\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. They\\nwill have better interface and they will not suffer from the memory\\ncorruption problem.\\n\\nBut we need something that stops the memory corruption now and that can be\\nbackported to the stable kernels. So, I'm proposing this commit that\\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn't\\nremove the tasklet support, because the tasklet code will be reused when\\natomic workqueues will be implemented.\\n\\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26718\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26719", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26719" + }, + { + "url": "https://git.kernel.org/stable/c/39126abc5e20611579602f03b66627d7cd1422f0" + }, + { + "url": "https://git.kernel.org/stable/c/985d053f7633d8b539ab1531738d538efac678a9" + }, + { + "url": "https://git.kernel.org/stable/c/cc0037fa592d56e4abb9c7d1c52c4d2dc25cd906" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26719 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26719", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: offload fence uevents work to workqueue\n\nThis should break the deadlock between the fctx lock and the irq lock.\n\nThis offloads the processing off the work from the irq into a workqueue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26719\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26719\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26719\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26719\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26719\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39126abc5e20611579602f03b66627d7cd1422f0\",\n \"https://git.kernel.org/stable/c/985d053f7633d8b539ab1531738d538efac678a9\",\n \"https://git.kernel.org/stable/c/cc0037fa592d56e4abb9c7d1c52c4d2dc25cd906\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnouveau: offload fence uevents work to workqueue\\n\\nThis should break the deadlock between the fctx lock and the irq lock.\\n\\nThis offloads the processing off the work from the irq into a workqueue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26719\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26726", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26726" + }, + { + "url": "https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555" + }, + { + "url": "https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade" + }, + { + "url": "https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7" + }, + { + "url": "https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26726 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26726", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't drop extent_map for free space inode on write error\n\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\n\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n \n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again. However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping. Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\n\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping. This is\nnormal for normal files, but the free space cache inode is special. We\nalways expect the extent map to be correct. Thus the second time\nthrough we end up with a bogus extent map.\n\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\n\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce. With this patch in place we no longer panic\nwith my error injection test.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26726\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26726\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26726\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26726\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26726\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555\",\n \"https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade\",\n \"https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7\",\n \"https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: don't drop extent_map for free space inode on write error\\n\\nWhile running the CI for an unrelated change I hit the following panic\\nwith generic/648 on btrfs_holes_spacecache.\\n\\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\\n------------[ cut here ]------------\\nkernel BUG at fs/btrfs/extent_io.c:1385!\\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1\\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\\nCall Trace:\\n \\n extent_write_cache_pages+0x2ac/0x8f0\\n extent_writepages+0x87/0x110\\n do_writepages+0xd5/0x1f0\\n filemap_fdatawrite_wbc+0x63/0x90\\n __filemap_fdatawrite_range+0x5c/0x80\\n btrfs_fdatawrite_range+0x1f/0x50\\n btrfs_write_out_cache+0x507/0x560\\n btrfs_write_dirty_block_groups+0x32a/0x420\\n commit_cowonly_roots+0x21b/0x290\\n btrfs_commit_transaction+0x813/0x1360\\n btrfs_sync_file+0x51a/0x640\\n __x64_sys_fdatasync+0x52/0x90\\n do_syscall_64+0x9c/0x190\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\nThis happens because we fail to write out the free space cache in one\\ninstance, come back around and attempt to write it again. However on\\nthe second pass through we go to call btrfs_get_extent() on the inode to\\nget the extent mapping. Because this is a new block group, and with the\\nfree space inode we always search the commit root to avoid deadlocking\\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\\nrequested range.\\n\\nThis happens because the first time we try to write the space cache out\\nwe hit an error, and on an error we drop the extent mapping. This is\\nnormal for normal files, but the free space cache inode is special. We\\nalways expect the extent map to be correct. Thus the second time\\nthrough we end up with a bogus extent map.\\n\\nSince we're deprecating this feature, the most straightforward way to\\nfix this is to simply skip dropping the extent map range for this failed\\nrange.\\n\\nI shortened the test by using error injection to stress the area to make\\nit easier to reproduce. With this patch in place we no longer panic\\nwith my error injection test.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26726\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26727", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26727" + }, + { + "url": "https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f" + }, + { + "url": "https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468" + }, + { + "url": "https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d" + }, + { + "url": "https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430" + }, + { + "url": "https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb" + }, + { + "url": "https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26727 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26727", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not ASSERT() if the newly created subvolume already got read\n\n[BUG]\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\ncreation:\n\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/disk-io.c:1319!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\n \n btrfs_get_new_fs_root+0xd3/0xf0\n create_subvol+0xd02/0x1650\n btrfs_mksubvol+0xe95/0x12b0\n __btrfs_ioctl_snap_create+0x2f9/0x4f0\n btrfs_ioctl_snap_create+0x16b/0x200\n btrfs_ioctl+0x35f0/0x5cf0\n __x64_sys_ioctl+0x19d/0x210\n do_syscall_64+0x3f/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nDuring create_subvol(), after inserting root item for the newly created\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\nbtrfs_root of that subvolume.\n\nThe idea here is, we have preallocated an anonymous device number for\nthe subvolume, thus we can assign it to the new subvolume.\n\nBut there is really nothing preventing things like backref walk to read\nthe new subvolume.\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\nwould be read out, with a new anonymous device number assigned already.\n\nIn that case, we would trigger ASSERT(), as we really expect no one to\nread out that subvolume (which is not yet accessible from the fs).\nBut things like backref walk is still possible to trigger the read on\nthe subvolume.\n\nThus our assumption on the ASSERT() is not correct in the first place.\n\n[FIX]\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\nto 0, and continue.\n\nIf the subvolume tree is read out by something else, it should have\nalready get a new anon_dev assigned thus we only need to free the\npreallocated one.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26727\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26727\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26727\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26727\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26727\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f\",\n \"https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468\",\n \"https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d\",\n \"https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430\",\n \"https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb\",\n \"https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: do not ASSERT() if the newly created subvolume already got read\\n\\n[BUG]\\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\\ncreation:\\n\\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\\n ------------[ cut here ]------------\\n kernel BUG at fs/btrfs/disk-io.c:1319!\\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\\n \\n btrfs_get_new_fs_root+0xd3/0xf0\\n create_subvol+0xd02/0x1650\\n btrfs_mksubvol+0xe95/0x12b0\\n __btrfs_ioctl_snap_create+0x2f9/0x4f0\\n btrfs_ioctl_snap_create+0x16b/0x200\\n btrfs_ioctl+0x35f0/0x5cf0\\n __x64_sys_ioctl+0x19d/0x210\\n do_syscall_64+0x3f/0xe0\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n ---[ end trace 0000000000000000 ]---\\n\\n[CAUSE]\\nDuring create_subvol(), after inserting root item for the newly created\\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\\nbtrfs_root of that subvolume.\\n\\nThe idea here is, we have preallocated an anonymous device number for\\nthe subvolume, thus we can assign it to the new subvolume.\\n\\nBut there is really nothing preventing things like backref walk to read\\nthe new subvolume.\\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\\nwould be read out, with a new anonymous device number assigned already.\\n\\nIn that case, we would trigger ASSERT(), as we really expect no one to\\nread out that subvolume (which is not yet accessible from the fs).\\nBut things like backref walk is still possible to trigger the read on\\nthe subvolume.\\n\\nThus our assumption on the ASSERT() is not correct in the first place.\\n\\n[FIX]\\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\\nto 0, and continue.\\n\\nIf the subvolume tree is read out by something else, it should have\\nalready get a new anon_dev assigned thus we only need to free the\\npreallocated one.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26727\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26739", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26739" + }, + { + "url": "https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210" + }, + { + "url": "https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d" + }, + { + "url": "https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26739 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26739", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: don't override retval if we already lost the skb\n\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\n\nMove the retval override to the error path which actually need it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26739\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26739\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26739\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26739\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26739\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210\",\n \"https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d\",\n \"https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_mirred: don't override retval if we already lost the skb\\n\\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\\nyet, we need to tell the core to drop the skb by setting the retcode\\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\\nis out of our hands and returning SHOT will lead to UaF.\\n\\nMove the retval override to the error path which actually need it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26739\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26740", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26740" + }, + { + "url": "https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17" + }, + { + "url": "https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be" + }, + { + "url": "https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26740 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26740", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: use the backlog for mirred ingress\n\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\n\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\n\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26740\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26740\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26740\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26740\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26740\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17\",\n \"https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be\",\n \"https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_mirred: use the backlog for mirred ingress\\n\\nThe test Davide added in commit ca22da2fbd69 (\\\"act_mirred: use the backlog\\nfor nested calls to mirred ingress\\\") hangs our testing VMs every 10 or so\\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\\nlockdep.\\n\\nThe problem as previously described by Davide (see Link) is that\\nif we reverse flow of traffic with the redirect (egress -> ingress)\\nwe may reach the same socket which generated the packet. And we may\\nstill be holding its socket lock. The common solution to such deadlocks\\nis to put the packet in the Rx backlog, rather than run the Rx path\\ninline. Do that for all egress -> ingress reversals, not just once\\nwe started to nest mirred calls.\\n\\nIn the past there was a concern that the backlog indirection will\\nlead to loss of error reporting / less accurate stats. But the current\\nworkaround does not seem to address the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26740\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26742", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26742" + }, + { + "url": "https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe" + }, + { + "url": "https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df" + }, + { + "url": "https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a" + }, + { + "url": "https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26742 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26742", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix disable_managed_interrupts\n\nCorrect blk-mq registration issue with module parameter\ndisable_managed_interrupts enabled.\n\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\nundefined behavior.\n\nStack Trace:\n[ 7.860089] scsi host2: smartpqi\n[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\n[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\n[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\n[ 7.963026] Workqueue: events work_for_cpu_fn\n[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\n[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\n[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\n[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\n[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\n[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00\n[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\n[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\n[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\n[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\n[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8.172818] PKRU: 55555554\n[ 8.172819] Call Trace:\n[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310\n[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245\n[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]\n[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.323286] local_pci_probe+0x42/0x80\n[ 8.337855] work_for_cpu_fn+0x16/0x20\n[ 8.351193] process_one_work+0x1a7/0x360\n[ 8.364462] ? create_worker+0x1a0/0x1a0\n[ 8.379252] worker_thread+0x1ce/0x390\n[ 8.392623] ? create_worker+0x1a0/0x1a0\n[ 8.406295] kthread+0x10a/0x120\n[ 8.418428] ? set_kthread_struct+0x50/0x50\n[ 8.431532] ret_from_fork+0x1f/0x40\n[ 8.444137] ---[ end trace 1bf0173d39354506 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26742\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26742\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26742\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26742\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26742\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe\",\n \"https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df\",\n \"https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a\",\n \"https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: smartpqi: Fix disable_managed_interrupts\\n\\nCorrect blk-mq registration issue with module parameter\\ndisable_managed_interrupts enabled.\\n\\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\\nundefined behavior.\\n\\nStack Trace:\\n[ 7.860089] scsi host2: smartpqi\\n[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\\n[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\\n[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\\n[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\\n[ 7.963026] Workqueue: events work_for_cpu_fn\\n[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\\n[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\\n[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\\n[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\\n[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\\n[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00\\n[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\\n[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\\n[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\\n[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\\n[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 8.172818] PKRU: 55555554\\n[ 8.172819] Call Trace:\\n[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310\\n[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245\\n[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]\\n[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\\n[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]\\n[ 8.323286] local_pci_probe+0x42/0x80\\n[ 8.337855] work_for_cpu_fn+0x16/0x20\\n[ 8.351193] process_one_work+0x1a7/0x360\\n[ 8.364462] ? create_worker+0x1a0/0x1a0\\n[ 8.379252] worker_thread+0x1ce/0x390\\n[ 8.392623] ? create_worker+0x1a0/0x1a0\\n[ 8.406295] kthread+0x10a/0x120\\n[ 8.418428] ? set_kthread_struct+0x50/0x50\\n[ 8.431532] ret_from_fork+0x1f/0x40\\n[ 8.444137] ---[ end trace 1bf0173d39354506 ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26742\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26756", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26756" + }, + { + "url": "https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417" + }, + { + "url": "https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26756 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26756", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't register sync_thread for reshape directly\n\nCurrently, if reshape is interrupted, then reassemble the array will\nregister sync_thread directly from pers->run(), in this case\n'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\nbecause 'MD_RECOVERY_RUNNING' can't be cleared.\n\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\nhowever, following hang can still be triggered by dm-raid test\nshell/lvconvert-raid-reshape.sh occasionally:\n\n[root@fedora ~]# cat /proc/1982/stack\n[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]\n[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\n[<0>] raid_presuspend+0x1e/0x70 [dm_raid]\n[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\n[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]\n[<0>] dm_destroy+0x16/0x30 [dm_mod]\n[<0>] dev_remove+0x165/0x290 [dm_mod]\n[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\n[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]\n[<0>] vfs_ioctl+0x21/0x60\n[<0>] __x64_sys_ioctl+0xb9/0xe0\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nMeanwhile mddev->recovery is:\nMD_RECOVERY_RUNNING |\nMD_RECOVERY_INTR |\nMD_RECOVERY_RESHAPE |\nMD_RECOVERY_FROZEN\n\nFix this problem by remove the code to register sync_thread directly\nfrom raid10 and raid5. And let md_check_recovery() to register\nsync_thread.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26756\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26756\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26756\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26756\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26756\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417\",\n \"https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd: Don't register sync_thread for reshape directly\\n\\nCurrently, if reshape is interrupted, then reassemble the array will\\nregister sync_thread directly from pers->run(), in this case\\n'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee\\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\\nbecause 'MD_RECOVERY_RUNNING' can't be cleared.\\n\\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\\nhowever, following hang can still be triggered by dm-raid test\\nshell/lvconvert-raid-reshape.sh occasionally:\\n\\n[root@fedora ~]# cat /proc/1982/stack\\n[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]\\n[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\\n[<0>] raid_presuspend+0x1e/0x70 [dm_raid]\\n[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\\n[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]\\n[<0>] dm_destroy+0x16/0x30 [dm_mod]\\n[<0>] dev_remove+0x165/0x290 [dm_mod]\\n[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\\n[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]\\n[<0>] vfs_ioctl+0x21/0x60\\n[<0>] __x64_sys_ioctl+0xb9/0xe0\\n[<0>] do_syscall_64+0xc6/0x230\\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\\n\\nMeanwhile mddev->recovery is:\\nMD_RECOVERY_RUNNING |\\nMD_RECOVERY_INTR |\\nMD_RECOVERY_RESHAPE |\\nMD_RECOVERY_FROZEN\\n\\nFix this problem by remove the code to register sync_thread directly\\nfrom raid10 and raid5. And let md_check_recovery() to register\\nsync_thread.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26756\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26757", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26757" + }, + { + "url": "https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3" + }, + { + "url": "https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26757 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26757", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore read-only array in md_check_recovery()\n\nUsually if the array is not read-write, md_check_recovery() won't\nregister new sync_thread in the first place. And if the array is\nread-write and sync_thread is registered, md_set_readonly() will\nunregister sync_thread before setting the array read-only. md/raid\nfollow this behavior hence there is no problem.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) array is read-only. dm-raid update super block:\nrs_update_sbs\n ro = mddev->ro\n mddev->ro = 0\n -> set array read-write\n md_update_sb\n\n2) register new sync thread concurrently.\n\n3) dm-raid set array back to read-only:\nrs_update_sbs\n mddev->ro = ro\n\n4) stop the array:\nraid_dtr\n md_stop\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n5) sync thread done:\n md_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n6) daemon thread can't unregister sync thread:\n md_check_recovery\n if (!md_is_rdwr(mddev) &&\n !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))\n return;\n -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;\n\nThe root cause is that dm-raid manipulate 'mddev->ro' by itself,\nhowever, dm-raid really should stop sync thread before setting the\narray read-only. Unfortunately, I need to read more code before I\ncan refacter the handler of 'mddev->ro' in dm-raid, hence let's fix\nthe problem the easy way for now to prevent dm-raid regression.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26757\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26757\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26757\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26757\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26757\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3\",\n \"https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd: Don't ignore read-only array in md_check_recovery()\\n\\nUsually if the array is not read-write, md_check_recovery() won't\\nregister new sync_thread in the first place. And if the array is\\nread-write and sync_thread is registered, md_set_readonly() will\\nunregister sync_thread before setting the array read-only. md/raid\\nfollow this behavior hence there is no problem.\\n\\nAfter commit f52f5c71f3d4 (\\\"md: fix stopping sync thread\\\"), following\\nhang can be triggered by test shell/integrity-caching.sh:\\n\\n1) array is read-only. dm-raid update super block:\\nrs_update_sbs\\n ro = mddev->ro\\n mddev->ro = 0\\n -> set array read-write\\n md_update_sb\\n\\n2) register new sync thread concurrently.\\n\\n3) dm-raid set array back to read-only:\\nrs_update_sbs\\n mddev->ro = ro\\n\\n4) stop the array:\\nraid_dtr\\n md_stop\\n stop_sync_thread\\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\\n md_wakeup_thread_directly(mddev->sync_thread);\\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\\n\\n5) sync thread done:\\n md_do_sync\\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\\n md_wakeup_thread(mddev->thread);\\n\\n6) daemon thread can't unregister sync thread:\\n md_check_recovery\\n if (!md_is_rdwr(mddev) &&\\n !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))\\n return;\\n -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;\\n\\nThe root cause is that dm-raid manipulate 'mddev->ro' by itself,\\nhowever, dm-raid really should stop sync thread before setting the\\narray read-only. Unfortunately, I need to read more code before I\\ncan refacter the handler of 'mddev->ro' in dm-raid, hence let's fix\\nthe problem the easy way for now to prevent dm-raid regression.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26757\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26758", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26758" + }, + { + "url": "https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757" + }, + { + "url": "https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26758 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26758", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore suspended array in md_check_recovery()\n\nmddev_suspend() never stop sync_thread, hence it doesn't make sense to\nignore suspended array in md_check_recovery(), which might cause\nsync_thread can't be unregistered.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) suspend the array:\nraid_postsuspend\n mddev_suspend\n\n2) stop the array:\nraid_dtr\n md_stop\n __md_stop_writes\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n3) sync thread done:\nmd_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n4) daemon thread can't unregister sync thread:\nmd_check_recovery\n if (mddev->suspended)\n return; -> return directly\n md_read_sync_thread\n clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);\n -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;\n\nThis problem is not just related to dm-raid, fix it by ignoring\nsuspended array in md_check_recovery(). And follow up patches will\nimprove dm-raid better to frozen sync thread during suspend.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26758\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26758\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26758\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26758\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26758\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757\",\n \"https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd: Don't ignore suspended array in md_check_recovery()\\n\\nmddev_suspend() never stop sync_thread, hence it doesn't make sense to\\nignore suspended array in md_check_recovery(), which might cause\\nsync_thread can't be unregistered.\\n\\nAfter commit f52f5c71f3d4 (\\\"md: fix stopping sync thread\\\"), following\\nhang can be triggered by test shell/integrity-caching.sh:\\n\\n1) suspend the array:\\nraid_postsuspend\\n mddev_suspend\\n\\n2) stop the array:\\nraid_dtr\\n md_stop\\n __md_stop_writes\\n stop_sync_thread\\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\\n md_wakeup_thread_directly(mddev->sync_thread);\\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\\n\\n3) sync thread done:\\nmd_do_sync\\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\\n md_wakeup_thread(mddev->thread);\\n\\n4) daemon thread can't unregister sync thread:\\nmd_check_recovery\\n if (mddev->suspended)\\n return; -> return directly\\n md_read_sync_thread\\n clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);\\n -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;\\n\\nThis problem is not just related to dm-raid, fix it by ignoring\\nsuspended array in md_check_recovery(). And follow up patches will\\nimprove dm-raid better to frozen sync thread during suspend.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26758\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26759", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26759" + }, + { + "url": "https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458" + }, + { + "url": "https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95" + }, + { + "url": "https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a" + }, + { + "url": "https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26759 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26759", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix race when skipping swapcache\n\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\nswapin the same entry at the same time, they get different pages (A, B). \nBefore one thread (T0) finishes the swapin and installs page (A) to the\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\nentry, then swap out the possibly modified page reusing the same entry. \nIt breaks the pte_same check in (T0) because PTE value is unchanged,\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\nPTE and cause data corruption.\n\nOne possible callstack is like this:\n\nCPU0 CPU1\n---- ----\ndo_swap_page() do_swap_page() with same entry\n \n \nswap_read_folio() <- read to page A swap_read_folio() <- read to page B\n \n... set_pte_at()\n swap_free() <- entry is free\n \n \npte_same() <- Check pass, PTE seems\n unchanged, but page A\n is stalled!\nswap_free() <- page B content lost!\nset_pte_at() <- staled page A installed!\n\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\nentry content, so even if page (B) is not modified, if swap_read_folio()\non CPU0 happens later than swap_free() on CPU1, it may also cause data\nloss.\n\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\nthe cache flag, and allow only one thread to swap it in, also prevent any\nparallel code from putting the entry in the cache. Release the pin after\nPT unlocked.\n\nRacers just loop and wait since it's a rare and very short event. A\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\nfaults wasting too much CPU, causing livelock or adding too much noise to\nperf statistics. A similar livelock issue was described in commit\n029c4628b2eb (\"mm: swap: get rid of livelock in swapin readahead\")\n\nReproducer:\n\nThis race issue can be triggered easily using a well constructed\nreproducer and patched brd (with a delay in read path) [1]:\n\nWith latest 6.8 mainline, race caused data loss can be observed easily:\n$ gcc -g -lpthread test-thread-swap-race.c && ./a.out\n Polulating 32MB of memory region...\n Keep swapping out...\n Starting round 0...\n Spawning 65536 workers...\n 32746 workers spawned, wait for done...\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\n Round 0 Failed, 15 data loss!\n\nThis reproducer spawns multiple threads sharing the same memory region\nusing a small swap device. Every two threads updates mapped pages one by\none in opposite direction trying to create a race, with one dedicated\nthread keep swapping out the data out using madvise.\n\nThe reproducer created a reproduce rate of about once every 5 minutes, so\nthe race should be totally possible in production.\n\nAfter this patch, I ran the reproducer for over a few hundred rounds and\nno data loss observed.\n\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\nzram:\n\nBefore: 10934698 us\nAfter: 11157121 us\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\n\n[kasong@tencent.com: v4]\n Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26759\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26759\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26759\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26759\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26759\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458\",\n \"https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95\",\n \"https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a\",\n \"https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/swap: fix race when skipping swapcache\\n\\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\\nswapin the same entry at the same time, they get different pages (A, B). \\nBefore one thread (T0) finishes the swapin and installs page (A) to the\\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\\nentry, then swap out the possibly modified page reusing the same entry. \\nIt breaks the pte_same check in (T0) because PTE value is unchanged,\\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\\nPTE and cause data corruption.\\n\\nOne possible callstack is like this:\\n\\nCPU0 CPU1\\n---- ----\\ndo_swap_page() do_swap_page() with same entry\\n \\n \\nswap_read_folio() <- read to page A swap_read_folio() <- read to page B\\n \\n... set_pte_at()\\n swap_free() <- entry is free\\n \\n \\npte_same() <- Check pass, PTE seems\\n unchanged, but page A\\n is stalled!\\nswap_free() <- page B content lost!\\nset_pte_at() <- staled page A installed!\\n\\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\\nentry content, so even if page (B) is not modified, if swap_read_folio()\\non CPU0 happens later than swap_free() on CPU1, it may also cause data\\nloss.\\n\\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\\nthe cache flag, and allow only one thread to swap it in, also prevent any\\nparallel code from putting the entry in the cache. Release the pin after\\nPT unlocked.\\n\\nRacers just loop and wait since it's a rare and very short event. A\\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\\nfaults wasting too much CPU, causing livelock or adding too much noise to\\nperf statistics. A similar livelock issue was described in commit\\n029c4628b2eb (\\\"mm: swap: get rid of livelock in swapin readahead\\\")\\n\\nReproducer:\\n\\nThis race issue can be triggered easily using a well constructed\\nreproducer and patched brd (with a delay in read path) [1]:\\n\\nWith latest 6.8 mainline, race caused data loss can be observed easily:\\n$ gcc -g -lpthread test-thread-swap-race.c && ./a.out\\n Polulating 32MB of memory region...\\n Keep swapping out...\\n Starting round 0...\\n Spawning 65536 workers...\\n 32746 workers spawned, wait for done...\\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\\n Round 0 Failed, 15 data loss!\\n\\nThis reproducer spawns multiple threads sharing the same memory region\\nusing a small swap device. Every two threads updates mapped pages one by\\none in opposite direction trying to create a race, with one dedicated\\nthread keep swapping out the data out using madvise.\\n\\nThe reproducer created a reproduce rate of about once every 5 minutes, so\\nthe race should be totally possible in production.\\n\\nAfter this patch, I ran the reproducer for over a few hundred rounds and\\nno data loss observed.\\n\\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\\nzram:\\n\\nBefore: 10934698 us\\nAfter: 11157121 us\\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\\n\\n[kasong@tencent.com: v4]\\n Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26759\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26767", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26767" + }, + { + "url": "https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738" + }, + { + "url": "https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375" + }, + { + "url": "https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26767 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26767", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fixed integer types and null check locations\n\n[why]:\nissues fixed:\n- comparison with wider integer type in loop condition which can cause\ninfinite loops\n- pointer dereference before null check", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26767\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26767\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26767\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26767\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26767\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738\",\n \"https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375\",\n \"https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: fixed integer types and null check locations\\n\\n[why]:\\nissues fixed:\\n- comparison with wider integer type in loop condition which can cause\\ninfinite loops\\n- pointer dereference before null check\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26767\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26770", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26770" + }, + { + "url": "https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100" + }, + { + "url": "https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183" + }, + { + "url": "https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26770 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26770", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.\n\n[jkosina@suse.com: tweak changelog a bit]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26770\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26770\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26770\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26770\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26770\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100\",\n \"https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183\",\n \"https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\\n\\ndevm_kasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure. Ensure the allocation was successful\\nby checking the pointer validity.\\n\\n[jkosina@suse.com: tweak changelog a bit]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26770\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26775", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26775" + }, + { + "url": "https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77" + }, + { + "url": "https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26" + }, + { + "url": "https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c" + }, + { + "url": "https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26775 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26775", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: avoid potential deadlock at set_capacity\n\nMove set_capacity() outside of the section procected by (&d->lock).\nTo avoid possible interrupt unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n[1] lock(&bdev->bd_size_lock);\n local_irq_disable();\n [2] lock(&d->lock);\n [3] lock(&bdev->bd_size_lock);\n \n[4] lock(&d->lock);\n\n *** DEADLOCK ***\n\nWhere [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().\n[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\nis trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.\nIn this situation an attempt to acquire [4]lock(&d->lock) from\naoecmd_cfg_rsp() will lead to deadlock.\n\nSo the simplest solution is breaking lock dependency\n[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()\noutside.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26775\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26775\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26775\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26775\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26775\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77\",\n \"https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26\",\n \"https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c\",\n \"https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naoe: avoid potential deadlock at set_capacity\\n\\nMove set_capacity() outside of the section procected by (&d->lock).\\nTo avoid possible interrupt unsafe locking scenario:\\n\\n CPU0 CPU1\\n ---- ----\\n[1] lock(&bdev->bd_size_lock);\\n local_irq_disable();\\n [2] lock(&d->lock);\\n [3] lock(&bdev->bd_size_lock);\\n \\n[4] lock(&d->lock);\\n\\n *** DEADLOCK ***\\n\\nWhere [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().\\n[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\\nis trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.\\nIn this situation an attempt to acquire [4]lock(&d->lock) from\\naoecmd_cfg_rsp() will lead to deadlock.\\n\\nSo the simplest solution is breaking lock dependency\\n[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()\\noutside.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26775\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26800", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26800" + }, + { + "url": "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0" + }, + { + "url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1" + }, + { + "url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe" + }, + { + "url": "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26800 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26800", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26800\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26800\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26800\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26800\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26800\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0\",\n \"https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1\",\n \"https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe\",\n \"https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntls: fix use-after-free on failed backlog decryption\\n\\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\\nreturns -EBUSY, tls_do_decryption will wait until all async\\ndecryptions have completed. If one of them fails, tls_do_decryption\\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\\nreleasing all the pages. But the pages have been passed to the async\\ncallback, and have already been released by tls_decrypt_done.\\n\\nThe only true async case is when crypto_aead_decrypt returns\\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\\ntls_sw_recvmsg that the data is available for immediate copy, but we\\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\\nmemory has already been released.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26800\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26807", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26807" + }, + { + "url": "https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61" + }, + { + "url": "https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc" + }, + { + "url": "https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26807 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26807", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBoth cadence-quadspi ->runtime_suspend() and ->runtime_resume()\nimplementations start with:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nThis obviously cannot be correct, unless \"struct cqspi_st\" is the\nfirst member of \" struct spi_controller\", or the other way around, but\nit is not the case. \"struct spi_controller\" is allocated by\ndevm_spi_alloc_host(), which allocates an extra amount of memory for\nprivate data, used to store \"struct cqspi_st\".\n\nThe ->probe() function of the cadence-quadspi driver then sets the\ndevice drvdata to store the address of the \"struct cqspi_st\"\nstructure. Therefore:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\nis correct, but:\n\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nis not, as it makes \"host\" point not to a \"struct spi_controller\" but\nto the same \"struct cqspi_st\" structure as above.\n\nThis obviously leads to bad things (memory corruption, kernel crashes)\ndirectly during ->probe(), as ->probe() enables the device using PM\nruntime, leading the ->runtime_resume() hook being called, which in\nturns calls spi_controller_resume() with the wrong pointer.\n\nThis has at least been reported [0] to cause a kernel crash, but the\nexact behavior will depend on the memory contents.\n\n[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/\n\nThis issue potentially affects all platforms that are currently using\nthe cadence-quadspi driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26807\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26807\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26807\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26807\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26807\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61\",\n \"https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc\",\n \"https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBoth cadence-quadspi ->runtime_suspend() and ->runtime_resume()\\nimplementations start with:\\n\\n\\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\\n\\tstruct spi_controller *host = dev_get_drvdata(dev);\\n\\nThis obviously cannot be correct, unless \\\"struct cqspi_st\\\" is the\\nfirst member of \\\" struct spi_controller\\\", or the other way around, but\\nit is not the case. \\\"struct spi_controller\\\" is allocated by\\ndevm_spi_alloc_host(), which allocates an extra amount of memory for\\nprivate data, used to store \\\"struct cqspi_st\\\".\\n\\nThe ->probe() function of the cadence-quadspi driver then sets the\\ndevice drvdata to store the address of the \\\"struct cqspi_st\\\"\\nstructure. Therefore:\\n\\n\\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\\n\\nis correct, but:\\n\\n\\tstruct spi_controller *host = dev_get_drvdata(dev);\\n\\nis not, as it makes \\\"host\\\" point not to a \\\"struct spi_controller\\\" but\\nto the same \\\"struct cqspi_st\\\" structure as above.\\n\\nThis obviously leads to bad things (memory corruption, kernel crashes)\\ndirectly during ->probe(), as ->probe() enables the device using PM\\nruntime, leading the ->runtime_resume() hook being called, which in\\nturns calls spi_controller_resume() with the wrong pointer.\\n\\nThis has at least been reported [0] to cause a kernel crash, but the\\nexact behavior will depend on the memory contents.\\n\\n[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/\\n\\nThis issue potentially affects all platforms that are currently using\\nthe cadence-quadspi driver.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26807\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26810", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26810" + }, + { + "url": "https://git.kernel.org/stable/c/03505e3344b0576fd619416793a31eae9c5b73bf" + }, + { + "url": "https://git.kernel.org/stable/c/04a4a017b9ffd7b0f427b8c376688d14cb614651" + }, + { + "url": "https://git.kernel.org/stable/c/1e71b6449d55179170efc8dee8664510bb813b42" + }, + { + "url": "https://git.kernel.org/stable/c/3dd9be6cb55e0f47544e7cdda486413f7134e3b3" + }, + { + "url": "https://git.kernel.org/stable/c/3fe0ac10bd117df847c93408a9d428a453cd60e5" + }, + { + "url": "https://git.kernel.org/stable/c/6fe478d855b20ac1eb5da724afe16af5a2aaaa40" + }, + { + "url": "https://git.kernel.org/stable/c/810cd4bb53456d0503cc4e7934e063835152c1b7" + }, + { + "url": "https://git.kernel.org/stable/c/ec73e079729258a05452356cf6d098bf1504d5a6" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26810 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26810", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Lock external INTx masking ops\n\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl. Create wrappers that add locking for\npaths outside of the core interrupt code.\n\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate. For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\n\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured. A subsequent patch introduces synchronization for\nthe latter flows.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26810\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26810\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26810\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26810\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26810\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03505e3344b0576fd619416793a31eae9c5b73bf\",\n \"https://git.kernel.org/stable/c/04a4a017b9ffd7b0f427b8c376688d14cb614651\",\n \"https://git.kernel.org/stable/c/1e71b6449d55179170efc8dee8664510bb813b42\",\n \"https://git.kernel.org/stable/c/3dd9be6cb55e0f47544e7cdda486413f7134e3b3\",\n \"https://git.kernel.org/stable/c/3fe0ac10bd117df847c93408a9d428a453cd60e5\",\n \"https://git.kernel.org/stable/c/6fe478d855b20ac1eb5da724afe16af5a2aaaa40\",\n \"https://git.kernel.org/stable/c/810cd4bb53456d0503cc4e7934e063835152c1b7\",\n \"https://git.kernel.org/stable/c/ec73e079729258a05452356cf6d098bf1504d5a6\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/pci: Lock external INTx masking ops\\n\\nMask operations through config space changes to DisINTx may race INTx\\nconfiguration changes via ioctl. Create wrappers that add locking for\\npaths outside of the core interrupt code.\\n\\nIn particular, irq_type is updated holding igate, therefore testing\\nis_intx() requires holding igate. For example clearing DisINTx from\\nconfig space can otherwise race changes of the interrupt configuration.\\n\\nThis aligns interfaces which may trigger the INTx eventfd into two\\ncamps, one side serialized by igate and the other only enabled while\\nINTx is configured. A subsequent patch introduces synchronization for\\nthe latter flows.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26810\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26811", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26811" + }, + { + "url": "https://git.kernel.org/stable/c/51a6c2af9d20203ddeeaf73314ba8854b38d01bd" + }, + { + "url": "https://git.kernel.org/stable/c/76af689a45aa44714b46d1a7de4ffdf851ded896" + }, + { + "url": "https://git.kernel.org/stable/c/88b7f1143b15b29cccb8392b4f38e75b7bb3e300" + }, + { + "url": "https://git.kernel.org/stable/c/a637fabac554270a851033f5ab402ecb90bc479c" + }, + { + "url": "https://git.kernel.org/stable/c/a677ebd8ca2f2632ccdecbad7b87641274e15aac" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26811 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26811", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate payload size in ipc response\n\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\nresponse to ksmbd kernel server. ksmbd should validate payload size of\nipc response from ksmbd.mountd to avoid memory overrun or\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26811\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26811\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26811\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26811\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26811\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/51a6c2af9d20203ddeeaf73314ba8854b38d01bd\",\n \"https://git.kernel.org/stable/c/76af689a45aa44714b46d1a7de4ffdf851ded896\",\n \"https://git.kernel.org/stable/c/88b7f1143b15b29cccb8392b4f38e75b7bb3e300\",\n \"https://git.kernel.org/stable/c/a637fabac554270a851033f5ab402ecb90bc479c\",\n \"https://git.kernel.org/stable/c/a677ebd8ca2f2632ccdecbad7b87641274e15aac\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: validate payload size in ipc response\\n\\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\\nresponse to ksmbd kernel server. ksmbd should validate payload size of\\nipc response from ksmbd.mountd to avoid memory overrun or\\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26811\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26812", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26812" + }, + { + "url": "https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034" + }, + { + "url": "https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d" + }, + { + "url": "https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897" + }, + { + "url": "https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834" + }, + { + "url": "https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c" + }, + { + "url": "https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e" + }, + { + "url": "https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3" + }, + { + "url": "https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26812 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26812", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those. The igate mutex cannot be acquired from the\natomic context of the eventfd wake function. Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd. Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26812\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26812\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26812\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26812\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26812\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034\",\n \"https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d\",\n \"https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897\",\n \"https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834\",\n \"https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c\",\n \"https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e\",\n \"https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3\",\n \"https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/pci: Create persistent INTx handler\\n\\nA vulnerability exists where the eventfd for INTx signaling can be\\ndeconfigured, which unregisters the IRQ handler but still allows\\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\\nor through unmask irqfd if the device interrupt is pending.\\n\\nIdeally this could be solved with some additional locking; the igate\\nmutex serializes the ioctl and config space accesses, and the interrupt\\nhandler is unregistered relative to the trigger, but the irqfd path\\nruns asynchronous to those. The igate mutex cannot be acquired from the\\natomic context of the eventfd wake function. Disabling the irqfd\\nrelative to the eventfd registration is potentially incompatible with\\nexisting userspace.\\n\\nAs a result, the solution implemented here moves configuration of the\\nINTx interrupt handler to track the lifetime of the INTx context object\\nand irq_type configuration, rather than registration of a particular\\ntrigger eventfd. Synchronization is added between the ioctl path and\\neventfd_signal() wrapper such that the eventfd trigger can be\\ndynamically updated relative to in-flight interrupts or irqfd callbacks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26812\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26813", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26813" + }, + { + "url": "https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e" + }, + { + "url": "https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5" + }, + { + "url": "https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29" + }, + { + "url": "https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086" + }, + { + "url": "https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375" + }, + { + "url": "https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362" + }, + { + "url": "https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a" + }, + { + "url": "https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26813 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26813", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path. This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal. This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it's guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26813\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26813\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26813\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26813\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26813\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e\",\n \"https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5\",\n \"https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29\",\n \"https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086\",\n \"https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375\",\n \"https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362\",\n \"https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a\",\n \"https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/platform: Create persistent IRQ handlers\\n\\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\\nan interrupt before a signaling eventfd has been configured by the user,\\nwhich thereby allows a NULL pointer dereference.\\n\\nRather than register the IRQ relative to a valid trigger, register all\\nIRQs in a disabled state in the device open path. This allows mask\\noperations on the IRQ to nest within the overall enable state governed\\nby a valid eventfd signal. This decouples @masked, protected by the\\n@locked spinlock from @trigger, protected via the @igate mutex.\\n\\nIn doing so, it's guaranteed that changes to @trigger cannot race the\\nIRQ handlers because the IRQ handler is synchronously disabled before\\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\\nsafe due to serialization with trigger changes via igate.\\n\\nFor compatibility, request_irq() failures are maintained to be local to\\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\\nThis allows, for example, a userspace driver with polling mode support\\nto continue to work regardless of moving the request_irq() call site.\\nThis necessarily blocks all SET_IRQS access to the failed index.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26813\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26814", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26814" + }, + { + "url": "https://git.kernel.org/stable/c/083e750c9f5f4c3bf61161330fb84d7c8e8bb417" + }, + { + "url": "https://git.kernel.org/stable/c/250219c6a556f8c69c5910fca05a59037e24147d" + }, + { + "url": "https://git.kernel.org/stable/c/6ec0d88166dac43f29e96801c0927d514f17add9" + }, + { + "url": "https://git.kernel.org/stable/c/7447d911af699a15f8d050dfcb7c680a86f87012" + }, + { + "url": "https://git.kernel.org/stable/c/a563fc18583ca4f42e2fdd0c70c7c618288e7ede" + }, + { + "url": "https://git.kernel.org/stable/c/de87511fb0404d23b6da5f4660383b6ed095e28d" + }, + { + "url": "https://git.kernel.org/stable/c/ee0bd4ad780dfbb60355b99f25063357ab488267" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26814 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26814", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/fsl-mc: Block calling interrupt handler without trigger\n\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the user sets the trigger\neventfd to -1. The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger. The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\n\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26814\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26814\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26814\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26814\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26814\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/083e750c9f5f4c3bf61161330fb84d7c8e8bb417\",\n \"https://git.kernel.org/stable/c/250219c6a556f8c69c5910fca05a59037e24147d\",\n \"https://git.kernel.org/stable/c/6ec0d88166dac43f29e96801c0927d514f17add9\",\n \"https://git.kernel.org/stable/c/7447d911af699a15f8d050dfcb7c680a86f87012\",\n \"https://git.kernel.org/stable/c/a563fc18583ca4f42e2fdd0c70c7c618288e7ede\",\n \"https://git.kernel.org/stable/c/de87511fb0404d23b6da5f4660383b6ed095e28d\",\n \"https://git.kernel.org/stable/c/ee0bd4ad780dfbb60355b99f25063357ab488267\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/fsl-mc: Block calling interrupt handler without trigger\\n\\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\\ninitially NULL and may become NULL if the user sets the trigger\\neventfd to -1. The interrupt handler itself is guaranteed that\\ntrigger is always valid between request_irq() and free_irq(), but\\nthe loopback testing mechanisms to invoke the handler function\\nneed to test the trigger. The triggering and setting ioctl paths\\nboth make use of igate and are therefore mutually exclusive.\\n\\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\\nsupport any sort of masking operations, therefore unlike vfio-pci\\nand vfio-platform, the flow can remain essentially unchanged.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26814\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26817", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26817" + }, + { + "url": "https://git.kernel.org/stable/c/0c33d11153949310d76631d8f4a4736519eacd3a" + }, + { + "url": "https://git.kernel.org/stable/c/315eb3c2df7e4cb18e3eacfa18a53a46f2bf0ef7" + }, + { + "url": "https://git.kernel.org/stable/c/3b0daecfeac0103aba8b293df07a0cbaf8b43f29" + }, + { + "url": "https://git.kernel.org/stable/c/8b0564704255c6b3c6a7188e86939f754e1577c0" + }, + { + "url": "https://git.kernel.org/stable/c/cbac7de1d9901521e78cdc34e15451df3611f2ad" + }, + { + "url": "https://git.kernel.org/stable/c/e6721ea845fcb93a764a92bd40f1afc0d6c69751" + }, + { + "url": "https://git.kernel.org/stable/c/e6768c6737f4c02cba193a3339f0cc2907f0b86a" + }, + { + "url": "https://git.kernel.org/stable/c/fcbd99b3c73309107e3be71f20dff9414df64f91" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26817 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26817", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\namdkfd: use calloc instead of kzalloc to avoid integer overflow\n\nThis uses calloc instead of doing the multiplication which might\noverflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26817\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26817\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26817\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26817\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26817\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c33d11153949310d76631d8f4a4736519eacd3a\",\n \"https://git.kernel.org/stable/c/315eb3c2df7e4cb18e3eacfa18a53a46f2bf0ef7\",\n \"https://git.kernel.org/stable/c/3b0daecfeac0103aba8b293df07a0cbaf8b43f29\",\n \"https://git.kernel.org/stable/c/8b0564704255c6b3c6a7188e86939f754e1577c0\",\n \"https://git.kernel.org/stable/c/cbac7de1d9901521e78cdc34e15451df3611f2ad\",\n \"https://git.kernel.org/stable/c/e6721ea845fcb93a764a92bd40f1afc0d6c69751\",\n \"https://git.kernel.org/stable/c/e6768c6737f4c02cba193a3339f0cc2907f0b86a\",\n \"https://git.kernel.org/stable/c/fcbd99b3c73309107e3be71f20dff9414df64f91\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\namdkfd: use calloc instead of kzalloc to avoid integer overflow\\n\\nThis uses calloc instead of doing the multiplication which might\\noverflow.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26817\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26822", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26822" + }, + { + "url": "https://git.kernel.org/stable/c/4508ec17357094e2075f334948393ddedbb75157" + }, + { + "url": "https://git.kernel.org/stable/c/7590ba9057c6d74c66f3b909a383ec47cd2f27fb" + }, + { + "url": "https://git.kernel.org/stable/c/c2aa2718cda2d56b4a551cb40043e9abc9684626" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26822 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26822", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: set correct id, uid and cruid for multiuser automounts\n\nWhen uid, gid and cruid are not specified, we need to dynamically\nset them into the filesystem context used for automounting otherwise\nthey'll end up reusing the values from the parent mount.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26822\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26822\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26822\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26822\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26822\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4508ec17357094e2075f334948393ddedbb75157\",\n \"https://git.kernel.org/stable/c/7590ba9057c6d74c66f3b909a383ec47cd2f27fb\",\n \"https://git.kernel.org/stable/c/c2aa2718cda2d56b4a551cb40043e9abc9684626\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: set correct id, uid and cruid for multiuser automounts\\n\\nWhen uid, gid and cruid are not specified, we need to dynamically\\nset them into the filesystem context used for automounting otherwise\\nthey'll end up reusing the values from the parent mount.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26822\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26828", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26828" + }, + { + "url": "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512" + }, + { + "url": "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204" + }, + { + "url": "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301" + }, + { + "url": "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26828 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26828", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need. However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t. That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26828\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26828\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26828\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26828\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26828\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512\",\n \"https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204\",\n \"https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301\",\n \"https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncifs: fix underflow in parse_server_interfaces()\\n\\nIn this loop, we step through the buffer and after each item we check\\nif the size_left is greater than the minimum size we need. However,\\nthe problem is that \\\"bytes_left\\\" is type ssize_t while sizeof() is type\\nsize_t. That means that because of type promotion, the comparison is\\ndone as an unsigned and if we have negative bytes left the loop\\ncontinues instead of ending.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26828\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26830", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26830" + }, + { + "url": "https://git.kernel.org/stable/c/1c981792e4ccbc134b468797acdd7781959e6893" + }, + { + "url": "https://git.kernel.org/stable/c/73d9629e1c8c1982f13688c4d1019c3994647ccc" + }, + { + "url": "https://git.kernel.org/stable/c/be147926140ac48022c9605d7ab0a67387e4b404" + }, + { + "url": "https://git.kernel.org/stable/c/d250a81ba813a93563be68072c563aa1e346346d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26830 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26830", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not allow untrusted VF to remove administratively set MAC\n\nCurrently when PF administratively sets VF's MAC address and the VF\nis put down (VF tries to delete all MACs) then the MAC is removed\nfrom MAC filters and primary VF MAC is zeroed.\n\nDo not allow untrusted VF to remove primary MAC when it was set\nadministratively by PF.\n\nReproducer:\n1) Create VF\n2) Set VF interface up\n3) Administratively set the VF's MAC\n4) Put VF interface down\n\n[root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs\n[root@host ~]# ip link set enp2s0f0v0 up\n[root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\n[root@host ~]# ip link set enp2s0f0v0 down\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26830\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26830\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26830\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26830\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26830\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c981792e4ccbc134b468797acdd7781959e6893\",\n \"https://git.kernel.org/stable/c/73d9629e1c8c1982f13688c4d1019c3994647ccc\",\n \"https://git.kernel.org/stable/c/be147926140ac48022c9605d7ab0a67387e4b404\",\n \"https://git.kernel.org/stable/c/d250a81ba813a93563be68072c563aa1e346346d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni40e: Do not allow untrusted VF to remove administratively set MAC\\n\\nCurrently when PF administratively sets VF's MAC address and the VF\\nis put down (VF tries to delete all MACs) then the MAC is removed\\nfrom MAC filters and primary VF MAC is zeroed.\\n\\nDo not allow untrusted VF to remove primary MAC when it was set\\nadministratively by PF.\\n\\nReproducer:\\n1) Create VF\\n2) Set VF interface up\\n3) Administratively set the VF's MAC\\n4) Put VF interface down\\n\\n[root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs\\n[root@host ~]# ip link set enp2s0f0v0 up\\n[root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d\\n[root@host ~]# ip link show enp2s0f0\\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\\n vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\\n[root@host ~]# ip link set enp2s0f0v0 down\\n[root@host ~]# ip link show enp2s0f0\\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\\n vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26830\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26837", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26837" + }, + { + "url": "https://git.kernel.org/stable/c/2d5b4b3376fa146a23917b8577064906d643925f" + }, + { + "url": "https://git.kernel.org/stable/c/603be95437e7fd85ba694e75918067fb9e7754db" + }, + { + "url": "https://git.kernel.org/stable/c/dc489f86257cab5056e747344f17a164f63bff4b" + }, + { + "url": "https://git.kernel.org/stable/c/e0b4c5b1d760008f1dd18c07c35af0442e54f9c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26837 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26837", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: switchdev: Skip MDB replays of deferred events on offload\n\nBefore this change, generation of the list of MDB events to replay\nwould race against the creation of new group memberships, either from\nthe IGMP/MLD snooping logic or from user configuration.\n\nWhile new memberships are immediately visible to walkers of\nbr->mdb_list, the notification of their existence to switchdev event\nsubscribers is deferred until a later point in time. So if a replay\nlist was generated during a time that overlapped with such a window,\nit would also contain a replay of the not-yet-delivered event.\n\nThe driver would thus receive two copies of what the bridge internally\nconsidered to be one single event. On destruction of the bridge, only\na single membership deletion event was therefore sent. As a\nconsequence of this, drivers which reference count memberships (at\nleast DSA), would be left with orphan groups in their hardware\ndatabase when the bridge was destroyed.\n\nThis is only an issue when replaying additions. While deletion events\nmay still be pending on the deferred queue, they will already have\nbeen removed from br->mdb_list, so no duplicates can be generated in\nthat scenario.\n\nTo a user this meant that old group memberships, from a bridge in\nwhich a port was previously attached, could be reanimated (in\nhardware) when the port joined a new bridge, without the new bridge's\nknowledge.\n\nFor example, on an mv88e6xxx system, create a snooping bridge and\nimmediately add a port to it:\n\n root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\\n > ip link set dev x3 up master br0\n\nAnd then destroy the bridge:\n\n root@infix-06-0b-00:~$ ip link del dev br0\n root@infix-06-0b-00:~$ mvls atu\n ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a\n DEV:0 Marvell 88E6393X\n 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . .\n 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . .\n ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a\n root@infix-06-0b-00:~$\n\nThe two IPv6 groups remain in the hardware database because the\nport (x3) is notified of the host's membership twice: once via the\noriginal event and once via a replay. Since only a single delete\nnotification is sent, the count remains at 1 when the bridge is\ndestroyed.\n\nThen add the same port (or another port belonging to the same hardware\ndomain) to a new bridge, this time with snooping disabled:\n\n root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\\n > ip link set dev x3 up master br1\n\nAll multicast, including the two IPv6 groups from br0, should now be\nflooded, according to the policy of br1. But instead the old\nmemberships are still active in the hardware database, causing the\nswitch to only forward traffic to those groups towards the CPU (port\n0).\n\nEliminate the race in two steps:\n\n1. Grab the write-side lock of the MDB while generating the replay\n list.\n\nThis prevents new memberships from showing up while we are generating\nthe replay list. But it leaves the scenario in which a deferred event\nwas already generated, but not delivered, before we grabbed the\nlock. Therefore:\n\n2. Make sure that no deferred version of a replay event is already\n enqueued to the switchdev deferred queue, before adding it to the\n replay list, when replaying additions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26837\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26837\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26837\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26837\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26837\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d5b4b3376fa146a23917b8577064906d643925f\",\n \"https://git.kernel.org/stable/c/603be95437e7fd85ba694e75918067fb9e7754db\",\n \"https://git.kernel.org/stable/c/dc489f86257cab5056e747344f17a164f63bff4b\",\n \"https://git.kernel.org/stable/c/e0b4c5b1d760008f1dd18c07c35af0442e54f9c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: bridge: switchdev: Skip MDB replays of deferred events on offload\\n\\nBefore this change, generation of the list of MDB events to replay\\nwould race against the creation of new group memberships, either from\\nthe IGMP/MLD snooping logic or from user configuration.\\n\\nWhile new memberships are immediately visible to walkers of\\nbr->mdb_list, the notification of their existence to switchdev event\\nsubscribers is deferred until a later point in time. So if a replay\\nlist was generated during a time that overlapped with such a window,\\nit would also contain a replay of the not-yet-delivered event.\\n\\nThe driver would thus receive two copies of what the bridge internally\\nconsidered to be one single event. On destruction of the bridge, only\\na single membership deletion event was therefore sent. As a\\nconsequence of this, drivers which reference count memberships (at\\nleast DSA), would be left with orphan groups in their hardware\\ndatabase when the bridge was destroyed.\\n\\nThis is only an issue when replaying additions. While deletion events\\nmay still be pending on the deferred queue, they will already have\\nbeen removed from br->mdb_list, so no duplicates can be generated in\\nthat scenario.\\n\\nTo a user this meant that old group memberships, from a bridge in\\nwhich a port was previously attached, could be reanimated (in\\nhardware) when the port joined a new bridge, without the new bridge's\\nknowledge.\\n\\nFor example, on an mv88e6xxx system, create a snooping bridge and\\nimmediately add a port to it:\\n\\n root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\\\\\n > ip link set dev x3 up master br0\\n\\nAnd then destroy the bridge:\\n\\n root@infix-06-0b-00:~$ ip link del dev br0\\n root@infix-06-0b-00:~$ mvls atu\\n ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a\\n DEV:0 Marvell 88E6393X\\n 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . .\\n 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . .\\n ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a\\n root@infix-06-0b-00:~$\\n\\nThe two IPv6 groups remain in the hardware database because the\\nport (x3) is notified of the host's membership twice: once via the\\noriginal event and once via a replay. Since only a single delete\\nnotification is sent, the count remains at 1 when the bridge is\\ndestroyed.\\n\\nThen add the same port (or another port belonging to the same hardware\\ndomain) to a new bridge, this time with snooping disabled:\\n\\n root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\\\\\n > ip link set dev x3 up master br1\\n\\nAll multicast, including the two IPv6 groups from br0, should now be\\nflooded, according to the policy of br1. But instead the old\\nmemberships are still active in the hardware database, causing the\\nswitch to only forward traffic to those groups towards the CPU (port\\n0).\\n\\nEliminate the race in two steps:\\n\\n1. Grab the write-side lock of the MDB while generating the replay\\n list.\\n\\nThis prevents new memberships from showing up while we are generating\\nthe replay list. But it leaves the scenario in which a deferred event\\nwas already generated, but not delivered, before we grabbed the\\nlock. Therefore:\\n\\n2. Make sure that no deferred version of a replay event is already\\n enqueued to the switchdev deferred queue, before adding it to the\\n replay list, when replaying additions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26837\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26842", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26842" + }, + { + "url": "https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe" + }, + { + "url": "https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb" + }, + { + "url": "https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26842 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26842", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()\n\nWhen task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<\ntask_tag will out of bounds for a u32 mask. Fix this up to prevent\nSHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).\n\n[name:debug_monitors&]Unexpected kernel BRK exception at EL1\n[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP\n[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done\n[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000\n[name:mrdump&]PHYS_OFFSET: 0x80000000\n[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)\n[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288\n[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n[name:mrdump&]sp : ffffffc0081471b0\n\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler\nCall trace:\n dump_backtrace+0xf8/0x144\n show_stack+0x18/0x24\n dump_stack_lvl+0x78/0x9c\n dump_stack+0x18/0x44\n mrdump_common_die+0x254/0x480 [mrdump]\n ipanic_die+0x20/0x30 [mrdump]\n notify_die+0x15c/0x204\n die+0x10c/0x5f8\n arm64_notify_die+0x74/0x13c\n do_debug_exception+0x164/0x26c\n el1_dbg+0x64/0x80\n el1h_64_sync_handler+0x3c/0x90\n el1h_64_sync+0x68/0x6c\n ufshcd_clear_cmd+0x280/0x288\n ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n ufshcd_exec_dev_cmd+0x5bc/0x9ac\n ufshcd_verify_dev_init+0x84/0x1c8\n ufshcd_probe_hba+0x724/0x1ce0\n ufshcd_host_reset_and_restore+0x260/0x574\n ufshcd_reset_and_restore+0x138/0xbd0\n ufshcd_err_handler+0x1218/0x2f28\n process_one_work+0x5fc/0x1140\n worker_thread+0x7d8/0xe20\n kthread+0x25c/0x468\n ret_from_fork+0x10/0x20", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26842\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26842\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26842\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26842\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26842\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe\",\n \"https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb\",\n \"https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()\\n\\nWhen task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<\\ntask_tag will out of bounds for a u32 mask. Fix this up to prevent\\nSHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).\\n\\n[name:debug_monitors&]Unexpected kernel BRK exception at EL1\\n[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP\\n[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done\\n[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000\\n[name:mrdump&]PHYS_OFFSET: 0x80000000\\n[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)\\n[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288\\n[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c\\n[name:mrdump&]sp : ffffffc0081471b0\\n\\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler\\nCall trace:\\n dump_backtrace+0xf8/0x144\\n show_stack+0x18/0x24\\n dump_stack_lvl+0x78/0x9c\\n dump_stack+0x18/0x44\\n mrdump_common_die+0x254/0x480 [mrdump]\\n ipanic_die+0x20/0x30 [mrdump]\\n notify_die+0x15c/0x204\\n die+0x10c/0x5f8\\n arm64_notify_die+0x74/0x13c\\n do_debug_exception+0x164/0x26c\\n el1_dbg+0x64/0x80\\n el1h_64_sync_handler+0x3c/0x90\\n el1h_64_sync+0x68/0x6c\\n ufshcd_clear_cmd+0x280/0x288\\n ufshcd_wait_for_dev_cmd+0x3e4/0x82c\\n ufshcd_exec_dev_cmd+0x5bc/0x9ac\\n ufshcd_verify_dev_init+0x84/0x1c8\\n ufshcd_probe_hba+0x724/0x1ce0\\n ufshcd_host_reset_and_restore+0x260/0x574\\n ufshcd_reset_and_restore+0x138/0xbd0\\n ufshcd_err_handler+0x1218/0x2f28\\n process_one_work+0x5fc/0x1140\\n worker_thread+0x7d8/0xe20\\n kthread+0x25c/0x468\\n ret_from_fork+0x10/0x20\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26842\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26844", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26844" + }, + { + "url": "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956" + }, + { + "url": "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6" + }, + { + "url": "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b" + }, + { + "url": "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26844 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26844", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix WARNING in _copy_from_iter\n\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzcaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\n\nThus the iovec is used in both directions.\n\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26844\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26844\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26844\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26844\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26844\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956\",\n \"https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6\",\n \"https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b\",\n \"https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: Fix WARNING in _copy_from_iter\\n\\nSyzkaller reports a warning in _copy_from_iter because an\\niov_iter is supposedly used in the wrong direction. The reason\\nis that syzcaller managed to generate a request with\\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\\nthe kernel to copy user buffers into the kernel, read into\\nthe copied buffers and then copy the data back to user space.\\n\\nThus the iovec is used in both directions.\\n\\nDetect this situation in the block layer and construct a new\\niterator with the correct direction for the copy-in.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26844\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26848", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26848" + }, + { + "url": "https://git.kernel.org/stable/c/058ed71e0f7aa3b6694ca357e23d084e5d3f2470" + }, + { + "url": "https://git.kernel.org/stable/c/106e14ca55a0acb3236ee98813a1d243f8aa2d05" + }, + { + "url": "https://git.kernel.org/stable/c/2afdd0cb02329464d77f3ec59468395c791a51a4" + }, + { + "url": "https://git.kernel.org/stable/c/5c78be006ed9cb735ac2abf4fd64f3f4ea26da31" + }, + { + "url": "https://git.kernel.org/stable/c/5f7a07646655fb4108da527565dcdc80124b14c4" + }, + { + "url": "https://git.kernel.org/stable/c/76426abf9b980b46983f97de8e5b25047b4c9863" + }, + { + "url": "https://git.kernel.org/stable/c/80b15346492bdba677bbb0adefc611910e505f7b" + }, + { + "url": "https://git.kernel.org/stable/c/854ebf45a4ddd4cadeffb6644e88d19020634e1a" + }, + { + "url": "https://git.kernel.org/stable/c/96370ba395c572ef496fd2c7afc4a1ab3dedd3f0" + }, + { + "url": "https://git.kernel.org/stable/c/9c41f4935625218a2053a2dce1423c3054169809" + }, + { + "url": "https://git.kernel.org/stable/c/a6ffae61ad9ebf2fdcb943135b2f30c85f49cd27" + }, + { + "url": "https://git.kernel.org/stable/c/b94f434fe977689da4291dc21717790b9bd1c064" + }, + { + "url": "https://git.kernel.org/stable/c/f67898867b6b0f4542cddc7fe57997978b948a7a" + }, + { + "url": "https://git.kernel.org/stable/c/fe02316e4933befc621fa125efb8f8b4d04cceec" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26848 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26848", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix endless loop in directory parsing\n\nIf a directory has a block with only \".__afsXXXX\" files in it (from\nuncompleted silly-rename), these .__afsXXXX files are skipped but without\nadvancing the file position in the dir_context. This leads to\nafs_dir_iterate() repeating the block again and again.\n\nFix this by making the code that skips the .__afsXXXX file also manually\nadvance the file position.\n\nThe symptoms are a soft lookup:\n\n watchdog: BUG: soft lockup - CPU#3 stuck for 52s! [check:5737]\n ...\n RIP: 0010:afs_dir_iterate_block+0x39/0x1fd\n ...\n ? watchdog_timer_fn+0x1a6/0x213\n ...\n ? asm_sysvec_apic_timer_interrupt+0x16/0x20\n ? afs_dir_iterate_block+0x39/0x1fd\n afs_dir_iterate+0x10a/0x148\n afs_readdir+0x30/0x4a\n iterate_dir+0x93/0xd3\n __do_sys_getdents64+0x6b/0xd4\n\nThis is almost certainly the actual fix for:\n\n https://bugzilla.kernel.org/show_bug.cgi?id=218496", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26848\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26848\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26848\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26848\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26848\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/058ed71e0f7aa3b6694ca357e23d084e5d3f2470\",\n \"https://git.kernel.org/stable/c/106e14ca55a0acb3236ee98813a1d243f8aa2d05\",\n \"https://git.kernel.org/stable/c/2afdd0cb02329464d77f3ec59468395c791a51a4\",\n \"https://git.kernel.org/stable/c/5c78be006ed9cb735ac2abf4fd64f3f4ea26da31\",\n \"https://git.kernel.org/stable/c/5f7a07646655fb4108da527565dcdc80124b14c4\",\n \"https://git.kernel.org/stable/c/76426abf9b980b46983f97de8e5b25047b4c9863\",\n \"https://git.kernel.org/stable/c/80b15346492bdba677bbb0adefc611910e505f7b\",\n \"https://git.kernel.org/stable/c/854ebf45a4ddd4cadeffb6644e88d19020634e1a\",\n \"https://git.kernel.org/stable/c/96370ba395c572ef496fd2c7afc4a1ab3dedd3f0\",\n \"https://git.kernel.org/stable/c/9c41f4935625218a2053a2dce1423c3054169809\",\n \"https://git.kernel.org/stable/c/a6ffae61ad9ebf2fdcb943135b2f30c85f49cd27\",\n \"https://git.kernel.org/stable/c/b94f434fe977689da4291dc21717790b9bd1c064\",\n \"https://git.kernel.org/stable/c/f67898867b6b0f4542cddc7fe57997978b948a7a\",\n \"https://git.kernel.org/stable/c/fe02316e4933befc621fa125efb8f8b4d04cceec\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nafs: Fix endless loop in directory parsing\\n\\nIf a directory has a block with only \\\".__afsXXXX\\\" files in it (from\\nuncompleted silly-rename), these .__afsXXXX files are skipped but without\\nadvancing the file position in the dir_context. This leads to\\nafs_dir_iterate() repeating the block again and again.\\n\\nFix this by making the code that skips the .__afsXXXX file also manually\\nadvance the file position.\\n\\nThe symptoms are a soft lookup:\\n\\n watchdog: BUG: soft lockup - CPU#3 stuck for 52s! [check:5737]\\n ...\\n RIP: 0010:afs_dir_iterate_block+0x39/0x1fd\\n ...\\n ? watchdog_timer_fn+0x1a6/0x213\\n ...\\n ? asm_sysvec_apic_timer_interrupt+0x16/0x20\\n ? afs_dir_iterate_block+0x39/0x1fd\\n afs_dir_iterate+0x10a/0x148\\n afs_readdir+0x30/0x4a\\n iterate_dir+0x93/0xd3\\n __do_sys_getdents64+0x6b/0xd4\\n\\nThis is almost certainly the actual fix for:\\n\\n https://bugzilla.kernel.org/show_bug.cgi?id=218496\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26848\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26853", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26853" + }, + { + "url": "https://git.kernel.org/stable/c/1b3b8231386a572bac8cd5b6fd7e944b84f9bb1f" + }, + { + "url": "https://git.kernel.org/stable/c/63a3c1f3c9ecc654d851e7906d05334cd0c236e2" + }, + { + "url": "https://git.kernel.org/stable/c/8df393af9e7e8dfd62e9c41dbaa4d2ff53bf794a" + }, + { + "url": "https://git.kernel.org/stable/c/ef27f655b438bed4c83680e4f01e1cde2739854b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26853 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26853", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: avoid returning frame twice in XDP_REDIRECT\n\nWhen a frame can not be transmitted in XDP_REDIRECT\n(e.g. due to a full queue), it is necessary to free\nit by calling xdp_return_frame_rx_napi.\n\nHowever, this is the responsibility of the caller of\nthe ndo_xdp_xmit (see for example bq_xmit_all in\nkernel/bpf/devmap.c) and thus calling it inside\nigc_xdp_xmit (which is the ndo_xdp_xmit of the igc\ndriver) as well will lead to memory corruption.\n\nIn fact, bq_xmit_all expects that it can return all\nframes after the last successfully transmitted one.\nTherefore, break for the first not transmitted frame,\nbut do not call xdp_return_frame_rx_napi in igc_xdp_xmit.\nThis is equally implemented in other Intel drivers\nsuch as the igb.\n\nThere are two alternatives to this that were rejected:\n1. Return num_frames as all the frames would have been\n transmitted and release them inside igc_xdp_xmit.\n While it might work technically, it is not what\n the return value is meant to represent (i.e. the\n number of SUCCESSFULLY transmitted packets).\n2. Rework kernel/bpf/devmap.c and all drivers to\n support non-consecutively dropped packets.\n Besides being complex, it likely has a negative\n performance impact without a significant gain\n since it is anyway unlikely that the next frame\n can be transmitted if the previous one was dropped.\n\nThe memory corruption can be reproduced with\nthe following script which leads to a kernel panic\nafter a few seconds. It basically generates more\ntraffic than a i225 NIC can transmit and pushes it\nvia XDP_REDIRECT from a virtual interface to the\nphysical interface where frames get dropped.\n\n #!/bin/bash\n INTERFACE=enp4s0\n INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`\n\n sudo ip link add dev veth1 type veth peer name veth2\n sudo ip link set up $INTERFACE\n sudo ip link set up veth1\n sudo ip link set up veth2\n\n cat << EOF > redirect.bpf.c\n\n SEC(\"prog\")\n int redirect(struct xdp_md *ctx)\n {\n return bpf_redirect($INTERFACE_IDX, 0);\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o\n sudo ip link set veth2 xdp obj redirect.bpf.o\n\n cat << EOF > pass.bpf.c\n\n SEC(\"prog\")\n int pass(struct xdp_md *ctx)\n {\n return XDP_PASS;\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o\n sudo ip link set $INTERFACE xdp obj pass.bpf.o\n\n cat << EOF > trafgen.cfg\n\n {\n /* Ethernet Header */\n 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,\n 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,\n const16(ETH_P_IP),\n\n /* IPv4 Header */\n 0b01000101, 0, # IPv4 version, IHL, TOS\n const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header))\n const16(2), # IPv4 ident\n 0b01000000, 0, # IPv4 flags, fragmentation off\n 64, # IPv4 TTL\n 17, # Protocol UDP\n csumip(14, 33), # IPv4 checksum\n\n /* UDP Header */\n 10, 0, 1, 1, # IP Src - adapt as needed\n 10, 0, 1, 2, # IP Dest - adapt as needed\n const16(6666), # UDP Src Port\n const16(6666), # UDP Dest Port\n const16(1008), # UDP length (UDP header 8 bytes + payload length)\n csumudp(14, 34), # UDP checksum\n\n /* Payload */\n fill('W', 1000),\n }\n EOF\n\n sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26853\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26853\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26853\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26853\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26853\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b3b8231386a572bac8cd5b6fd7e944b84f9bb1f\",\n \"https://git.kernel.org/stable/c/63a3c1f3c9ecc654d851e7906d05334cd0c236e2\",\n \"https://git.kernel.org/stable/c/8df393af9e7e8dfd62e9c41dbaa4d2ff53bf794a\",\n \"https://git.kernel.org/stable/c/ef27f655b438bed4c83680e4f01e1cde2739854b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nigc: avoid returning frame twice in XDP_REDIRECT\\n\\nWhen a frame can not be transmitted in XDP_REDIRECT\\n(e.g. due to a full queue), it is necessary to free\\nit by calling xdp_return_frame_rx_napi.\\n\\nHowever, this is the responsibility of the caller of\\nthe ndo_xdp_xmit (see for example bq_xmit_all in\\nkernel/bpf/devmap.c) and thus calling it inside\\nigc_xdp_xmit (which is the ndo_xdp_xmit of the igc\\ndriver) as well will lead to memory corruption.\\n\\nIn fact, bq_xmit_all expects that it can return all\\nframes after the last successfully transmitted one.\\nTherefore, break for the first not transmitted frame,\\nbut do not call xdp_return_frame_rx_napi in igc_xdp_xmit.\\nThis is equally implemented in other Intel drivers\\nsuch as the igb.\\n\\nThere are two alternatives to this that were rejected:\\n1. Return num_frames as all the frames would have been\\n transmitted and release them inside igc_xdp_xmit.\\n While it might work technically, it is not what\\n the return value is meant to represent (i.e. the\\n number of SUCCESSFULLY transmitted packets).\\n2. Rework kernel/bpf/devmap.c and all drivers to\\n support non-consecutively dropped packets.\\n Besides being complex, it likely has a negative\\n performance impact without a significant gain\\n since it is anyway unlikely that the next frame\\n can be transmitted if the previous one was dropped.\\n\\nThe memory corruption can be reproduced with\\nthe following script which leads to a kernel panic\\nafter a few seconds. It basically generates more\\ntraffic than a i225 NIC can transmit and pushes it\\nvia XDP_REDIRECT from a virtual interface to the\\nphysical interface where frames get dropped.\\n\\n #!/bin/bash\\n INTERFACE=enp4s0\\n INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`\\n\\n sudo ip link add dev veth1 type veth peer name veth2\\n sudo ip link set up $INTERFACE\\n sudo ip link set up veth1\\n sudo ip link set up veth2\\n\\n cat << EOF > redirect.bpf.c\\n\\n SEC(\\\"prog\\\")\\n int redirect(struct xdp_md *ctx)\\n {\\n return bpf_redirect($INTERFACE_IDX, 0);\\n }\\n\\n char _license[] SEC(\\\"license\\\") = \\\"GPL\\\";\\n EOF\\n clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o\\n sudo ip link set veth2 xdp obj redirect.bpf.o\\n\\n cat << EOF > pass.bpf.c\\n\\n SEC(\\\"prog\\\")\\n int pass(struct xdp_md *ctx)\\n {\\n return XDP_PASS;\\n }\\n\\n char _license[] SEC(\\\"license\\\") = \\\"GPL\\\";\\n EOF\\n clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o\\n sudo ip link set $INTERFACE xdp obj pass.bpf.o\\n\\n cat << EOF > trafgen.cfg\\n\\n {\\n /* Ethernet Header */\\n 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,\\n 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,\\n const16(ETH_P_IP),\\n\\n /* IPv4 Header */\\n 0b01000101, 0, # IPv4 version, IHL, TOS\\n const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header))\\n const16(2), # IPv4 ident\\n 0b01000000, 0, # IPv4 flags, fragmentation off\\n 64, # IPv4 TTL\\n 17, # Protocol UDP\\n csumip(14, 33), # IPv4 checksum\\n\\n /* UDP Header */\\n 10, 0, 1, 1, # IP Src - adapt as needed\\n 10, 0, 1, 2, # IP Dest - adapt as needed\\n const16(6666), # UDP Src Port\\n const16(6666), # UDP Dest Port\\n const16(1008), # UDP length (UDP header 8 bytes + payload length)\\n csumudp(14, 34), # UDP checksum\\n\\n /* Payload */\\n fill('W', 1000),\\n }\\n EOF\\n\\n sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26853\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26866", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26866" + }, + { + "url": "https://git.kernel.org/stable/c/1543418e82789cc383cd36d41469983c64e3fc7f" + }, + { + "url": "https://git.kernel.org/stable/c/2ae0ab0143fcc06190713ed81a6486ed0ad3c861" + }, + { + "url": "https://git.kernel.org/stable/c/996ce839606afd0fef91355627868022aa73eb68" + }, + { + "url": "https://git.kernel.org/stable/c/da83ed350e4604b976e94239b08d8e2e7eaee7ea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26866 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26866", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: lpspi: Avoid potential use-after-free in probe()\n\nfsl_lpspi_probe() is allocating/disposing memory manually with\nspi_alloc_host()/spi_alloc_target(), but uses\ndevm_spi_register_controller(). In case of error after the latter call the\nmemory will be explicitly freed in the probe function by\nspi_controller_put() call, but used afterwards by \"devm\" management outside\nprobe() (spi_unregister_controller() <- devm_spi_unregister() below).\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\n...\nCall trace:\n kernfs_find_ns\n kernfs_find_and_get_ns\n sysfs_remove_group\n sysfs_remove_groups\n device_remove_attrs\n device_del\n spi_unregister_controller\n devm_spi_unregister\n release_nodes\n devres_release_all\n really_probe\n driver_probe_device\n __device_attach_driver\n bus_for_each_drv\n __device_attach\n device_initial_probe\n bus_probe_device\n deferred_probe_work_func\n process_one_work\n worker_thread\n kthread\n ret_from_fork", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26866\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26866\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26866\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26866\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26866\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1543418e82789cc383cd36d41469983c64e3fc7f\",\n \"https://git.kernel.org/stable/c/2ae0ab0143fcc06190713ed81a6486ed0ad3c861\",\n \"https://git.kernel.org/stable/c/996ce839606afd0fef91355627868022aa73eb68\",\n \"https://git.kernel.org/stable/c/da83ed350e4604b976e94239b08d8e2e7eaee7ea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspi: lpspi: Avoid potential use-after-free in probe()\\n\\nfsl_lpspi_probe() is allocating/disposing memory manually with\\nspi_alloc_host()/spi_alloc_target(), but uses\\ndevm_spi_register_controller(). In case of error after the latter call the\\nmemory will be explicitly freed in the probe function by\\nspi_controller_put() call, but used afterwards by \\\"devm\\\" management outside\\nprobe() (spi_unregister_controller() <- devm_spi_unregister() below).\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\\n...\\nCall trace:\\n kernfs_find_ns\\n kernfs_find_and_get_ns\\n sysfs_remove_group\\n sysfs_remove_groups\\n device_remove_attrs\\n device_del\\n spi_unregister_controller\\n devm_spi_unregister\\n release_nodes\\n devres_release_all\\n really_probe\\n driver_probe_device\\n __device_attach_driver\\n bus_for_each_drv\\n __device_attach\\n device_initial_probe\\n bus_probe_device\\n deferred_probe_work_func\\n process_one_work\\n worker_thread\\n kthread\\n ret_from_fork\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26866\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26869", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26869" + }, + { + "url": "https://git.kernel.org/stable/c/04226d8e3c4028dc451e9d8777356ec0f7919253" + }, + { + "url": "https://git.kernel.org/stable/c/77bfdb89cc222fc7bfe198eda77bdc427d5ac189" + }, + { + "url": "https://git.kernel.org/stable/c/9f0c4a46be1fe9b97dbe66d49204c1371e3ece65" + }, + { + "url": "https://git.kernel.org/stable/c/c92f2927df860a60ba815d3ee610a944b92a8694" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26869 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26869", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate meta inode pages forcely\n\nBelow race case can cause data corruption:\n\nThread A\t\t\t\tGC thread\n\t\t\t\t\t- gc_data_segment\n\t\t\t\t\t - ra_data_block\n\t\t\t\t\t - locked meta_inode page\n- f2fs_inplace_write_data\n - invalidate_mapping_pages\n : fail to invalidate meta_inode page\n due to lock failure or dirty|writeback\n status\n - f2fs_submit_page_bio\n : write last dirty data to old blkaddr\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t - load old data from meta_inode page\n\t\t\t\t\t - f2fs_submit_page_write\n\t\t\t\t\t : write old data to new blkaddr\n\nBecause invalidate_mapping_pages() will skip invalidating page which\nhas unclear status including locked, dirty, writeback and so on, so\nwe need to use truncate_inode_pages_range() instead of\ninvalidate_mapping_pages() to make sure meta_inode page will be dropped.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26869\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26869\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26869\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26869\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26869\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04226d8e3c4028dc451e9d8777356ec0f7919253\",\n \"https://git.kernel.org/stable/c/77bfdb89cc222fc7bfe198eda77bdc427d5ac189\",\n \"https://git.kernel.org/stable/c/9f0c4a46be1fe9b97dbe66d49204c1371e3ece65\",\n \"https://git.kernel.org/stable/c/c92f2927df860a60ba815d3ee610a944b92a8694\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to truncate meta inode pages forcely\\n\\nBelow race case can cause data corruption:\\n\\nThread A\\t\\t\\t\\tGC thread\\n\\t\\t\\t\\t\\t- gc_data_segment\\n\\t\\t\\t\\t\\t - ra_data_block\\n\\t\\t\\t\\t\\t - locked meta_inode page\\n- f2fs_inplace_write_data\\n - invalidate_mapping_pages\\n : fail to invalidate meta_inode page\\n due to lock failure or dirty|writeback\\n status\\n - f2fs_submit_page_bio\\n : write last dirty data to old blkaddr\\n\\t\\t\\t\\t\\t - move_data_block\\n\\t\\t\\t\\t\\t - load old data from meta_inode page\\n\\t\\t\\t\\t\\t - f2fs_submit_page_write\\n\\t\\t\\t\\t\\t : write old data to new blkaddr\\n\\nBecause invalidate_mapping_pages() will skip invalidating page which\\nhas unclear status including locked, dirty, writeback and so on, so\\nwe need to use truncate_inode_pages_range() instead of\\ninvalidate_mapping_pages() to make sure meta_inode page will be dropped.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26869\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26876", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26876" + }, + { + "url": "https://git.kernel.org/stable/c/28a94271bd50e4cf498df0381f776f8ea40a289e" + }, + { + "url": "https://git.kernel.org/stable/c/955c1252930677762e0db2b6b9e36938c887445c" + }, + { + "url": "https://git.kernel.org/stable/c/aeedaee5ef5468caf59e2bb1265c2116e0c9a924" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26876 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26876", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: adv7511: fix crash on irq during probe\n\nMoved IRQ registration down to end of adv7511_probe().\n\nIf an IRQ already is pending during adv7511_probe\n(before adv7511_cec_init) then cec_received_msg_ts\ncould crash using uninitialized data:\n\n Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5\n Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP\n Call trace:\n cec_received_msg_ts+0x48/0x990 [cec]\n adv7511_cec_irq_process+0x1cc/0x308 [adv7511]\n adv7511_irq_process+0xd8/0x120 [adv7511]\n adv7511_irq_handler+0x1c/0x30 [adv7511]\n irq_thread_fn+0x30/0xa0\n irq_thread+0x14c/0x238\n kthread+0x190/0x1a8", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26876\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26876\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26876\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26876\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26876\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/28a94271bd50e4cf498df0381f776f8ea40a289e\",\n \"https://git.kernel.org/stable/c/955c1252930677762e0db2b6b9e36938c887445c\",\n \"https://git.kernel.org/stable/c/aeedaee5ef5468caf59e2bb1265c2116e0c9a924\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/bridge: adv7511: fix crash on irq during probe\\n\\nMoved IRQ registration down to end of adv7511_probe().\\n\\nIf an IRQ already is pending during adv7511_probe\\n(before adv7511_cec_init) then cec_received_msg_ts\\ncould crash using uninitialized data:\\n\\n Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5\\n Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP\\n Call trace:\\n cec_received_msg_ts+0x48/0x990 [cec]\\n adv7511_cec_irq_process+0x1cc/0x308 [adv7511]\\n adv7511_irq_process+0xd8/0x120 [adv7511]\\n adv7511_irq_handler+0x1c/0x30 [adv7511]\\n irq_thread_fn+0x30/0xa0\\n irq_thread+0x14c/0x238\\n kthread+0x190/0x1a8\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26876\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26886", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26886" + }, + { + "url": "https://git.kernel.org/stable/c/2c9e2df022ef8b9d7fac58a04a2ef4ed25288955" + }, + { + "url": "https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c" + }, + { + "url": "https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e205a01f7" + }, + { + "url": "https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae" + }, + { + "url": "https://git.kernel.org/stable/c/f7b94bdc1ec107c92262716b073b3e816d4784fb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26886 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26886", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: af_bluetooth: Fix deadlock\n\nAttemting to do sock_lock on .recvmsg may cause a deadlock as shown\nbellow, so instead of using sock_sock this uses sk_receive_queue.lock\non bt_sock_ioctl to avoid the UAF:\n\nINFO: task kworker/u9:1:121 blocked for more than 30 seconds.\n Not tainted 6.7.6-lemon #183\nWorkqueue: hci0 hci_rx_work\nCall Trace:\n \n __schedule+0x37d/0xa00\n schedule+0x32/0xe0\n __lock_sock+0x68/0xa0\n ? __pfx_autoremove_wake_function+0x10/0x10\n lock_sock_nested+0x43/0x50\n l2cap_sock_recv_cb+0x21/0xa0\n l2cap_recv_frame+0x55b/0x30a0\n ? psi_task_switch+0xeb/0x270\n ? finish_task_switch.isra.0+0x93/0x2a0\n hci_rx_work+0x33a/0x3f0\n process_one_work+0x13a/0x2f0\n worker_thread+0x2f0/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe0/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26886\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26886\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26886\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26886\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26886\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c9e2df022ef8b9d7fac58a04a2ef4ed25288955\",\n \"https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c\",\n \"https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e205a01f7\",\n \"https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae\",\n \"https://git.kernel.org/stable/c/f7b94bdc1ec107c92262716b073b3e816d4784fb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: af_bluetooth: Fix deadlock\\n\\nAttemting to do sock_lock on .recvmsg may cause a deadlock as shown\\nbellow, so instead of using sock_sock this uses sk_receive_queue.lock\\non bt_sock_ioctl to avoid the UAF:\\n\\nINFO: task kworker/u9:1:121 blocked for more than 30 seconds.\\n Not tainted 6.7.6-lemon #183\\nWorkqueue: hci0 hci_rx_work\\nCall Trace:\\n \\n __schedule+0x37d/0xa00\\n schedule+0x32/0xe0\\n __lock_sock+0x68/0xa0\\n ? __pfx_autoremove_wake_function+0x10/0x10\\n lock_sock_nested+0x43/0x50\\n l2cap_sock_recv_cb+0x21/0xa0\\n l2cap_recv_frame+0x55b/0x30a0\\n ? psi_task_switch+0xeb/0x270\\n ? finish_task_switch.isra.0+0x93/0x2a0\\n hci_rx_work+0x33a/0x3f0\\n process_one_work+0x13a/0x2f0\\n worker_thread+0x2f0/0x410\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xe0/0x110\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x2c/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26886\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26893" + }, + { + "url": "https://git.kernel.org/stable/c/0d276d9f335f41d6524258d58c0c0241ef9a83a4" + }, + { + "url": "https://git.kernel.org/stable/c/857f56db8c3a71f9871922b6984ff74ad588cb2c" + }, + { + "url": "https://git.kernel.org/stable/c/8ffaa17ccb1eb1b65cf85db63225a3581c303773" + }, + { + "url": "https://git.kernel.org/stable/c/ead445dd3d681020af333649a27306160eee761d" + }, + { + "url": "https://git.kernel.org/stable/c/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\n\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\n\n | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n | arm-scmi firmware:scmi: unable to communicate with SCMI\n | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n | Mem abort info:\n | ESR = 0x0000000096000004\n | EC = 0x25: DABT (current EL), IL = 32 bits\n | SET = 0, FnV = 0\n | EA = 0, S1PTW = 0\n | FSC = 0x04: level 0 translation fault\n | Data abort info:\n | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n | CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n | Modules linked in:\n | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n | Hardware name: FVP Base RevC (DT)\n | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n | pc : smc_chan_free+0x3c/0x6c\n | lr : smc_chan_free+0x3c/0x6c\n | Call trace:\n | smc_chan_free+0x3c/0x6c\n | idr_for_each+0x68/0xf8\n | scmi_cleanup_channels.isra.0+0x2c/0x58\n | scmi_probe+0x434/0x734\n | platform_probe+0x68/0xd8\n | really_probe+0x110/0x27c\n | __driver_probe_device+0x78/0x12c\n | driver_probe_device+0x3c/0x118\n | __driver_attach+0x74/0x128\n | bus_for_each_dev+0x78/0xe0\n | driver_attach+0x24/0x30\n | bus_add_driver+0xe4/0x1e8\n | driver_register+0x60/0x128\n | __platform_driver_register+0x28/0x34\n | scmi_driver_init+0x84/0xc0\n | do_one_initcall+0x78/0x33c\n | kernel_init_freeable+0x2b8/0x51c\n | kernel_init+0x24/0x130\n | ret_from_fork+0x10/0x20\n | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n | ---[ end trace 0000000000000000 ]---\n\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\n\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d276d9f335f41d6524258d58c0c0241ef9a83a4\",\n \"https://git.kernel.org/stable/c/857f56db8c3a71f9871922b6984ff74ad588cb2c\",\n \"https://git.kernel.org/stable/c/8ffaa17ccb1eb1b65cf85db63225a3581c303773\",\n \"https://git.kernel.org/stable/c/ead445dd3d681020af333649a27306160eee761d\",\n \"https://git.kernel.org/stable/c/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\\n\\nWhen the generic SCMI code tears down a channel, it calls the chan_free\\ncallback function, defined by each transport. Since multiple protocols\\nmight share the same transport_info member, chan_free() might want to\\nclean up the same member multiple times within the given SCMI transport\\nimplementation. In this case, it is SMC transport. This will lead to a NULL\\npointer dereference at the second time:\\n\\n | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\\n | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\\n | arm-scmi firmware:scmi: unable to communicate with SCMI\\n | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\\n | Mem abort info:\\n | ESR = 0x0000000096000004\\n | EC = 0x25: DABT (current EL), IL = 32 bits\\n | SET = 0, FnV = 0\\n | EA = 0, S1PTW = 0\\n | FSC = 0x04: level 0 translation fault\\n | Data abort info:\\n | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\\n | CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\\n | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\\n | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\\n | Modules linked in:\\n | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\\n | Hardware name: FVP Base RevC (DT)\\n | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\\n | pc : smc_chan_free+0x3c/0x6c\\n | lr : smc_chan_free+0x3c/0x6c\\n | Call trace:\\n | smc_chan_free+0x3c/0x6c\\n | idr_for_each+0x68/0xf8\\n | scmi_cleanup_channels.isra.0+0x2c/0x58\\n | scmi_probe+0x434/0x734\\n | platform_probe+0x68/0xd8\\n | really_probe+0x110/0x27c\\n | __driver_probe_device+0x78/0x12c\\n | driver_probe_device+0x3c/0x118\\n | __driver_attach+0x74/0x128\\n | bus_for_each_dev+0x78/0xe0\\n | driver_attach+0x24/0x30\\n | bus_add_driver+0xe4/0x1e8\\n | driver_register+0x60/0x128\\n | __platform_driver_register+0x28/0x34\\n | scmi_driver_init+0x84/0xc0\\n | do_one_initcall+0x78/0x33c\\n | kernel_init_freeable+0x2b8/0x51c\\n | kernel_init+0x24/0x130\\n | ret_from_fork+0x10/0x20\\n | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\\n | ---[ end trace 0000000000000000 ]---\\n\\nSimply check for the struct pointer being NULL before trying to access\\nits members, to avoid this situation.\\n\\nThis was found when a transport doesn't really work (for instance no SMC\\nservice), the probe routines then tries to clean up, and triggers a crash.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26896", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26896" + }, + { + "url": "https://git.kernel.org/stable/c/12f00a367b2b62756e0396f14b54c2c15524e1c3" + }, + { + "url": "https://git.kernel.org/stable/c/3a71ec74e5e3478d202a1874f085ca3ef40be49b" + }, + { + "url": "https://git.kernel.org/stable/c/a1f57a0127b89a6b6620514564aa7eaec16d9af3" + }, + { + "url": "https://git.kernel.org/stable/c/b8cfb7c819dd39965136a66fe3a7fde688d976fc" + }, + { + "url": "https://git.kernel.org/stable/c/dadbb5d29d6c5f571a50272fce8c1505a9559487" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26896 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26896", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix memory leak when starting AP\n\nKmemleak reported this error:\n\n unreferenced object 0xd73d1180 (size 184):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.245s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 1e 00 01 00 00 00 00 00 ................\n backtrace:\n [<5ca11420>] kmem_cache_alloc+0x20c/0x5ac\n [<127bdd74>] __alloc_skb+0x144/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n [<69954f45>] __sys_sendmsg+0x64/0xa8\n unreferenced object 0xce087000 (size 1024):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.246s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 10 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............\n backtrace:\n [<9a993714>] __kmalloc_track_caller+0x230/0x600\n [] kmalloc_reserve.constprop.0+0x30/0x74\n [] __alloc_skb+0xa0/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n\nHowever, since the kernel is build optimized, it seems the stack is not\naccurate. It appears the issue is related to wfx_set_mfp_ap(). The issue\nis obvious in this function: memory allocated by ieee80211_beacon_get()\nis never released. Fixing this leak makes kmemleak happy.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26896\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26896\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26896\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26896\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26896\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12f00a367b2b62756e0396f14b54c2c15524e1c3\",\n \"https://git.kernel.org/stable/c/3a71ec74e5e3478d202a1874f085ca3ef40be49b\",\n \"https://git.kernel.org/stable/c/a1f57a0127b89a6b6620514564aa7eaec16d9af3\",\n \"https://git.kernel.org/stable/c/b8cfb7c819dd39965136a66fe3a7fde688d976fc\",\n \"https://git.kernel.org/stable/c/dadbb5d29d6c5f571a50272fce8c1505a9559487\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: wfx: fix memory leak when starting AP\\n\\nKmemleak reported this error:\\n\\n unreferenced object 0xd73d1180 (size 184):\\n comm \\\"wpa_supplicant\\\", pid 1559, jiffies 13006305 (age 964.245s)\\n hex dump (first 32 bytes):\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n 00 00 00 00 00 00 00 00 1e 00 01 00 00 00 00 00 ................\\n backtrace:\\n [<5ca11420>] kmem_cache_alloc+0x20c/0x5ac\\n [<127bdd74>] __alloc_skb+0x144/0x170\\n [] __netdev_alloc_skb+0x50/0x180\\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\\n [<6b7c977a>] genl_rcv+0x34/0x44\\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\\n [] netlink_sendmsg+0x1e8/0x428\\n [] ____sys_sendmsg+0x1e0/0x274\\n [] ___sys_sendmsg+0x80/0xb4\\n [<69954f45>] __sys_sendmsg+0x64/0xa8\\n unreferenced object 0xce087000 (size 1024):\\n comm \\\"wpa_supplicant\\\", pid 1559, jiffies 13006305 (age 964.246s)\\n hex dump (first 32 bytes):\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n 10 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............\\n backtrace:\\n [<9a993714>] __kmalloc_track_caller+0x230/0x600\\n [] kmalloc_reserve.constprop.0+0x30/0x74\\n [] __alloc_skb+0xa0/0x170\\n [] __netdev_alloc_skb+0x50/0x180\\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\\n [<6b7c977a>] genl_rcv+0x34/0x44\\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\\n [] netlink_sendmsg+0x1e8/0x428\\n [] ____sys_sendmsg+0x1e0/0x274\\n [] ___sys_sendmsg+0x80/0xb4\\n\\nHowever, since the kernel is build optimized, it seems the stack is not\\naccurate. It appears the issue is related to wfx_set_mfp_ap(). The issue\\nis obvious in this function: memory allocated by ieee80211_beacon_get()\\nis never released. Fixing this leak makes kmemleak happy.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26896\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26900" + }, + { + "url": "https://git.kernel.org/stable/c/4c1021ce46fc2fb6115f7e79d353941e6dcad366" + }, + { + "url": "https://git.kernel.org/stable/c/6cf350658736681b9d6b0b6e58c5c76b235bb4c4" + }, + { + "url": "https://git.kernel.org/stable/c/6d32c832a88513f65c2c2c9c75954ee8b387adea" + }, + { + "url": "https://git.kernel.org/stable/c/9fd0198f7ef06ae0d6636fb0578560857dead995" + }, + { + "url": "https://git.kernel.org/stable/c/beaf11969fd5cbe6f09cefaa34df1ce8578e8dd9" + }, + { + "url": "https://git.kernel.org/stable/c/f3a1787dc48213f6caea5ba7d47e0222e7fa34a9" + }, + { + "url": "https://git.kernel.org/stable/c/fb5b347efd1bda989846ffc74679d181222fb123" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix kmemleak of rdev->serial\n\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\n\nunreferenced object 0xffff88815a350000 (size 49152):\n comm \"mdadm\", pid 789, jiffies 4294716910\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc f773277a):\n [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n [<0000000085086a11>] vfs_ioctl+0x22/0x60\n [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n [<00000000e54e675e>] do_syscall_64+0x71/0x150\n [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c1021ce46fc2fb6115f7e79d353941e6dcad366\",\n \"https://git.kernel.org/stable/c/6cf350658736681b9d6b0b6e58c5c76b235bb4c4\",\n \"https://git.kernel.org/stable/c/6d32c832a88513f65c2c2c9c75954ee8b387adea\",\n \"https://git.kernel.org/stable/c/9fd0198f7ef06ae0d6636fb0578560857dead995\",\n \"https://git.kernel.org/stable/c/beaf11969fd5cbe6f09cefaa34df1ce8578e8dd9\",\n \"https://git.kernel.org/stable/c/f3a1787dc48213f6caea5ba7d47e0222e7fa34a9\",\n \"https://git.kernel.org/stable/c/fb5b347efd1bda989846ffc74679d181222fb123\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd: fix kmemleak of rdev->serial\\n\\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\\nalloc not be freed, and kmemleak occurs.\\n\\nunreferenced object 0xffff88815a350000 (size 49152):\\n comm \\\"mdadm\\\", pid 789, jiffies 4294716910\\n hex dump (first 32 bytes):\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n backtrace (crc f773277a):\\n [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\\n [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\\n [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\\n [<00000000f206d60a>] kvmalloc_node+0x74/0x150\\n [<0000000034bf3363>] rdev_init_serial+0x67/0x170\\n [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\\n [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\\n [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\\n [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\\n [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\\n [<0000000085086a11>] vfs_ioctl+0x22/0x60\\n [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\\n [<00000000e54e675e>] do_syscall_64+0x71/0x150\\n [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26905" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26905", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26917", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26917" + }, + { + "url": "https://git.kernel.org/stable/c/2209fc6e3d7727d787dc6ef9baa1e9eae6b1295b" + }, + { + "url": "https://git.kernel.org/stable/c/25675159040bffc7992d5163f3f33ba7d0142f21" + }, + { + "url": "https://git.kernel.org/stable/c/2996c7e97ea7cf4c1838a1b1dbc0885934113783" + }, + { + "url": "https://git.kernel.org/stable/c/5b8f473c4de95c056c1c767b1ad48c191544f6a5" + }, + { + "url": "https://git.kernel.org/stable/c/6bb22ac1d11d7d20f91e7fd2e657a9e5f6db65e0" + }, + { + "url": "https://git.kernel.org/stable/c/7d4e19f7ff644c5b79e8271df8ac2e549b436a5b" + }, + { + "url": "https://git.kernel.org/stable/c/94a600226b6d0ef065ee84024b450b566c5a87d6" + }, + { + "url": "https://git.kernel.org/stable/c/977fe773dcc7098d8eaf4ee6382cb51e13e784cb" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26917 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26917", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"\n\nThis reverts commit 1a1975551943f681772720f639ff42fbaa746212.\n\nThis commit causes interrupts to be lost for FCoE devices, since it changed\nsping locks from \"bh\" to \"irqsave\".\n\nInstead, a work queue should be used, and will be addressed in a separate\ncommit.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26917\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26917\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26917\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26917\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26917\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2209fc6e3d7727d787dc6ef9baa1e9eae6b1295b\",\n \"https://git.kernel.org/stable/c/25675159040bffc7992d5163f3f33ba7d0142f21\",\n \"https://git.kernel.org/stable/c/2996c7e97ea7cf4c1838a1b1dbc0885934113783\",\n \"https://git.kernel.org/stable/c/5b8f473c4de95c056c1c767b1ad48c191544f6a5\",\n \"https://git.kernel.org/stable/c/6bb22ac1d11d7d20f91e7fd2e657a9e5f6db65e0\",\n \"https://git.kernel.org/stable/c/7d4e19f7ff644c5b79e8271df8ac2e549b436a5b\",\n \"https://git.kernel.org/stable/c/94a600226b6d0ef065ee84024b450b566c5a87d6\",\n \"https://git.kernel.org/stable/c/977fe773dcc7098d8eaf4ee6382cb51e13e784cb\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: Revert \\\"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\\\"\\n\\nThis reverts commit 1a1975551943f681772720f639ff42fbaa746212.\\n\\nThis commit causes interrupts to be lost for FCoE devices, since it changed\\nsping locks from \\\"bh\\\" to \\\"irqsave\\\".\\n\\nInstead, a work queue should be used, and will be addressed in a separate\\ncommit.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26917\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26921", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26921" + }, + { + "url": "https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272" + }, + { + "url": "https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325" + }, + { + "url": "https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981" + }, + { + "url": "https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26921 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26921", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: inet_defrag: prevent sk release while still in use\n\nip_local_out() and other functions can pass skb->sk as function argument.\n\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\n\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\n\nEric Dumazet made an initial analysis of this bug. Quoting Eric:\n Calling ip_defrag() in output path is also implying skb_orphan(),\n which is buggy because output path relies on sk not disappearing.\n\n A relevant old patch about the issue was :\n 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\n\n [..]\n\n net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\n inet socket, not an arbitrary one.\n\n If we orphan the packet in ipvlan, then downstream things like FQ\n packet scheduler will not work properly.\n\n We need to change ip_defrag() to only use skb_orphan() when really\n needed, ie whenever frag_list is going to be used.\n\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\n\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\n\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\n\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\n\nIn the former case, things work as before, skb is orphaned. This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\n\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26921\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26921\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26921\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26921\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26921\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272\",\n \"https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325\",\n \"https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981\",\n \"https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninet: inet_defrag: prevent sk release while still in use\\n\\nip_local_out() and other functions can pass skb->sk as function argument.\\n\\nIf the skb is a fragment and reassembly happens before such function call\\nreturns, the sk must not be released.\\n\\nThis affects skb fragments reassembled via netfilter or similar\\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\\n\\nEric Dumazet made an initial analysis of this bug. Quoting Eric:\\n Calling ip_defrag() in output path is also implying skb_orphan(),\\n which is buggy because output path relies on sk not disappearing.\\n\\n A relevant old patch about the issue was :\\n 8282f27449bf (\\\"inet: frag: Always orphan skbs inside ip_defrag()\\\")\\n\\n [..]\\n\\n net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\\n inet socket, not an arbitrary one.\\n\\n If we orphan the packet in ipvlan, then downstream things like FQ\\n packet scheduler will not work properly.\\n\\n We need to change ip_defrag() to only use skb_orphan() when really\\n needed, ie whenever frag_list is going to be used.\\n\\nEric suggested to stash sk in fragment queue and made an initial patch.\\nHowever there is a problem with this:\\n\\nIf skb is refragmented again right after, ip_do_fragment() will copy\\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\\nfully reassembled skb, else wmem will underflow.\\n\\nThis change moves the orphan down into the core, to last possible moment.\\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\\noffset into the FRAG_CB, else skb->sk gets clobbered.\\n\\nThis allows to delay the orphaning long enough to learn if the skb has\\nto be queued or if the skb is completing the reasm queue.\\n\\nIn the former case, things work as before, skb is orphaned. This is\\nsafe because skb gets queued/stolen and won't continue past reasm engine.\\n\\nIn the latter case, we will steal the skb->sk reference, reattach it to\\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26921\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26922", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26922" + }, + { + "url": "https://git.kernel.org/stable/c/1fd7db5c16028dc07b2ceec190f2e895dddb532d" + }, + { + "url": "https://git.kernel.org/stable/c/212e3baccdb1939606420d88f7f52d346b49a284" + }, + { + "url": "https://git.kernel.org/stable/c/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75" + }, + { + "url": "https://git.kernel.org/stable/c/8b12fc7b032633539acdf7864888b0ebd49e90f2" + }, + { + "url": "https://git.kernel.org/stable/c/b1f04b9b1c5317f562a455384c5f7473e46bdbaa" + }, + { + "url": "https://git.kernel.org/stable/c/d4da6b084f1c5625937d49bb6722c5b4aef11b8d" + }, + { + "url": "https://git.kernel.org/stable/c/ef13eeca7c79136bc38e21eb67322c1cbd5c40ee" + }, + { + "url": "https://git.kernel.org/stable/c/f68039375d4d6d67303674c0ab2d06b7295c0ec9" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26922 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26922", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\n\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26922\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26922\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26922\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26922\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26922\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fd7db5c16028dc07b2ceec190f2e895dddb532d\",\n \"https://git.kernel.org/stable/c/212e3baccdb1939606420d88f7f52d346b49a284\",\n \"https://git.kernel.org/stable/c/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75\",\n \"https://git.kernel.org/stable/c/8b12fc7b032633539acdf7864888b0ebd49e90f2\",\n \"https://git.kernel.org/stable/c/b1f04b9b1c5317f562a455384c5f7473e46bdbaa\",\n \"https://git.kernel.org/stable/c/d4da6b084f1c5625937d49bb6722c5b4aef11b8d\",\n \"https://git.kernel.org/stable/c/ef13eeca7c79136bc38e21eb67322c1cbd5c40ee\",\n \"https://git.kernel.org/stable/c/f68039375d4d6d67303674c0ab2d06b7295c0ec9\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\\n\\nVerify the parameters of\\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26922\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26923", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26923" + }, + { + "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3" + }, + { + "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f" + }, + { + "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51" + }, + { + "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9" + }, + { + "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423" + }, + { + "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c" + }, + { + "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009" + }, + { + "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26923 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26923", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t if (total_refs == inflight_refs)\n\t\t\t\t\t\t add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t if (u.inflight)\n\t\t\t\t\t\t scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26923\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26923\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26923\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26923\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26923\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3\",\n \"https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f\",\n \"https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51\",\n \"https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9\",\n \"https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423\",\n \"https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c\",\n \"https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009\",\n \"https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Fix garbage collector racing against connect()\\n\\nGarbage collector does not take into account the risk of embryo getting\\nenqueued during the garbage collection. If such embryo has a peer that\\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\\ndifferent set of children. Leading to an incorrectly elevated inflight\\ncount, and then a dangling pointer within the gc_inflight_list.\\n\\nsockets are AF_UNIX/SOCK_STREAM\\nS is an unconnected socket\\nL is a listening in-flight socket bound to addr, not in fdtable\\nV's fd will be passed via sendmsg(), gets inflight count bumped\\n\\nconnect(S, addr)\\tsendmsg(S, [V]); close(V)\\t__unix_gc()\\n----------------\\t-------------------------\\t-----------\\n\\nNS = unix_create1()\\nskb1 = sock_wmalloc(NS)\\nL = unix_find_other(addr)\\nunix_state_lock(L)\\nunix_peer(S) = NS\\n\\t\\t\\t// V count=1 inflight=0\\n\\n \\t\\t\\tNS = unix_peer(S)\\n \\t\\t\\tskb2 = sock_alloc()\\n\\t\\t\\tskb_queue_tail(NS, skb2[V])\\n\\n\\t\\t\\t// V became in-flight\\n\\t\\t\\t// V count=2 inflight=1\\n\\n\\t\\t\\tclose(V)\\n\\n\\t\\t\\t// V count=1 inflight=1\\n\\t\\t\\t// GC candidate condition met\\n\\n\\t\\t\\t\\t\\t\\tfor u in gc_inflight_list:\\n\\t\\t\\t\\t\\t\\t if (total_refs == inflight_refs)\\n\\t\\t\\t\\t\\t\\t add u to gc_candidates\\n\\n\\t\\t\\t\\t\\t\\t// gc_candidates={L, V}\\n\\n\\t\\t\\t\\t\\t\\tfor u in gc_candidates:\\n\\t\\t\\t\\t\\t\\t scan_children(u, dec_inflight)\\n\\n\\t\\t\\t\\t\\t\\t// embryo (skb1) was not\\n\\t\\t\\t\\t\\t\\t// reachable from L yet, so V's\\n\\t\\t\\t\\t\\t\\t// inflight remains unchanged\\n__skb_queue_tail(L, skb1)\\nunix_state_unlock(L)\\n\\t\\t\\t\\t\\t\\tfor u in gc_candidates:\\n\\t\\t\\t\\t\\t\\t if (u.inflight)\\n\\t\\t\\t\\t\\t\\t scan_children(u, inc_inflight_move_tail)\\n\\n\\t\\t\\t\\t\\t\\t// V count=1 inflight=2 (!)\\n\\nIf there is a GC-candidate listening socket, lock/unlock its state. This\\nmakes GC wait until the end of any ongoing connect() to that socket. After\\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\\nthis point, unix_inflight() can not happen because unix_gc_lock is already\\ntaken. Inflight graph remains unaffected.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26923\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26925", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26925" + }, + { + "url": "https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27" + }, + { + "url": "https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494" + }, + { + "url": "https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428" + }, + { + "url": "https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30" + }, + { + "url": "https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae" + }, + { + "url": "https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1" + }, + { + "url": "https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26925 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26925", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\n\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get the released commit lock\nwithin the same GC sequence.\n\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26925\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26925\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26925\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26925\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26925\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27\",\n \"https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494\",\n \"https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428\",\n \"https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30\",\n \"https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae\",\n \"https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1\",\n \"https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\\n\\nThe commit mutex should not be released during the critical section\\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\\nworker could collect expired objects and get the released commit lock\\nwithin the same GC sequence.\\n\\nnf_tables_module_autoload() temporarily releases the mutex to load\\nmodule dependencies, then it goes back to replay the transaction again.\\nMove it at the end of the abort phase after nft_gc_seq_end() is called.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26925\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26926", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26926" + }, + { + "url": "https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc" + }, + { + "url": "https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc" + }, + { + "url": "https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12" + }, + { + "url": "https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c" + }, + { + "url": "https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76" + }, + { + "url": "https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40" + }, + { + "url": "https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26926 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26926", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: check offset alignment in binder_get_object()\n\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\n\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\n\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26926\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26926\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26926\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26926\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26926\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc\",\n \"https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc\",\n \"https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12\",\n \"https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c\",\n \"https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76\",\n \"https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40\",\n \"https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbinder: check offset alignment in binder_get_object()\\n\\nCommit 6d98eb95b450 (\\\"binder: avoid potential data leakage when copying\\ntxn\\\") introduced changes to how binder objects are copied. In doing so,\\nit unintentionally removed an offset alignment check done through calls\\nto binder_alloc_copy_from_buffer() -> check_buffer().\\n\\nThese calls were replaced in binder_get_object() with copy_from_user(),\\nso now an explicit offset alignment check is needed here. This avoids\\nlater complications when unwinding the objects gets harder.\\n\\nIt is worth noting this check existed prior to commit 7a67a39320df\\n(\\\"binder: add function to copy binder object from buffer\\\"), likely\\nremoved due to redundancy at the time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26926\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26928", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26928" + }, + { + "url": "https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88" + }, + { + "url": "https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1" + }, + { + "url": "https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d" + }, + { + "url": "https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26928 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26928", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_debug_files_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26928\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26928\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88\",\n \"https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1\",\n \"https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d\",\n \"https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in cifs_debug_files_proc_show()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26928\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26929", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26929" + }, + { + "url": "https://git.kernel.org/stable/c/282877633b25d67021a34169c5b5519b1d4ef65e" + }, + { + "url": "https://git.kernel.org/stable/c/82f522ae0d97119a43da53e0f729275691b9c525" + }, + { + "url": "https://git.kernel.org/stable/c/846fb9f112f618ec6ae181d8dae7961652574774" + }, + { + "url": "https://git.kernel.org/stable/c/9b43d2884b54d415caab48878b526dfe2ae9921b" + }, + { + "url": "https://git.kernel.org/stable/c/b03e626bd6d3f0684f56ee1890d70fc9ca991c04" + }, + { + "url": "https://git.kernel.org/stable/c/f85af9f1aa5e2f53694a6cbe72010f754b5ff862" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26929", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of fcport\n\nThe server was crashing after LOGO because fcport was getting freed twice.\n\n -----------[ cut here ]-----------\n kernel BUG at mm/slub.c:371!\n invalid opcode: 0000 1 SMP PTI\n CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n RIP: 0010:set_freepointer.part.57+0x0/0x10\n RSP: 0018:ffffb07107027d90 EFLAGS: 00010246\n RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400\n RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500\n RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009\n R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500\n R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58\n FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n kfree+0x238/0x250\n qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]\n ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]\n qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? kernfs_fop_write+0x11e/0x1a0\n\nRemove one of the free calls and add check for valid fcport. Also use\nfunction qla2x00_free_fcport() instead of kfree().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/282877633b25d67021a34169c5b5519b1d4ef65e\",\n \"https://git.kernel.org/stable/c/82f522ae0d97119a43da53e0f729275691b9c525\",\n \"https://git.kernel.org/stable/c/846fb9f112f618ec6ae181d8dae7961652574774\",\n \"https://git.kernel.org/stable/c/9b43d2884b54d415caab48878b526dfe2ae9921b\",\n \"https://git.kernel.org/stable/c/b03e626bd6d3f0684f56ee1890d70fc9ca991c04\",\n \"https://git.kernel.org/stable/c/f85af9f1aa5e2f53694a6cbe72010f754b5ff862\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Fix double free of fcport\\n\\nThe server was crashing after LOGO because fcport was getting freed twice.\\n\\n -----------[ cut here ]-----------\\n kernel BUG at mm/slub.c:371!\\n invalid opcode: 0000 1 SMP PTI\\n CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1\\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\\n RIP: 0010:set_freepointer.part.57+0x0/0x10\\n RSP: 0018:ffffb07107027d90 EFLAGS: 00010246\\n RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400\\n RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500\\n RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009\\n R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500\\n R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58\\n FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n PKRU: 55555554\\n Call Trace:\\n kfree+0x238/0x250\\n qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]\\n ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]\\n qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\\n ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\\n ? kernfs_fop_write+0x11e/0x1a0\\n\\nRemove one of the free calls and add check for valid fcport. Also use\\nfunction qla2x00_free_fcport() instead of kfree().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.7,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26931", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26931" + }, + { + "url": "https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211" + }, + { + "url": "https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac" + }, + { + "url": "https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d" + }, + { + "url": "https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d" + }, + { + "url": "https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1" + }, + { + "url": "https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a" + }, + { + "url": "https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a" + }, + { + "url": "https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9" + }, + { + "url": "https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26931", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix command flush on cable pull\n\nSystem crash due to command failed to flush back to SCSI layer.\n\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\n RIP: 0010:__wake_up_common+0x4c/0x190\n Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n __wake_up_common_lock+0x7c/0xc0\n qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.\n ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0\n ? __switch_to+0x10c/0x450\n ? process_one_work+0x1a7/0x360\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.\n ? worker_thread+0x1ce/0x390\n ? create_worker+0x1a0/0x1a0\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70\n ? kthread+0x10a/0x120\n qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8\n ? set_kthread_struct+0x40/0x40\n qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.\n ? ret_from_fork+0x1f/0x40\n qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout\n\nThe system was under memory stress where driver was not able to allocate an\nSRB to carry out error recovery of cable pull. The failure to flush causes\nupper layer to start modifying scsi_cmnd. When the system frees up some\nmemory, the subsequent cable pull trigger another command flush. At this\npoint the driver access a null pointer when attempting to DMA unmap the\nSGL.\n\nAdd a check to make sure commands are flush back on session tear down to\nprevent the null pointer access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211\",\n \"https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac\",\n \"https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d\",\n \"https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d\",\n \"https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1\",\n \"https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a\",\n \"https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a\",\n \"https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9\",\n \"https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Fix command flush on cable pull\\n\\nSystem crash due to command failed to flush back to SCSI layer.\\n\\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\\n PGD 0 P4D 0\\n Oops: 0000 [#1] SMP NOPTI\\n CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1\\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\\n RIP: 0010:__wake_up_common+0x4c/0x190\\n Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75\\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\\n FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n PKRU: 55555554\\n Call Trace:\\n __wake_up_common_lock+0x7c/0xc0\\n qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0\\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.\\n ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1\\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0\\n ? __switch_to+0x10c/0x450\\n ? process_one_work+0x1a7/0x360\\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.\\n ? worker_thread+0x1ce/0x390\\n ? create_worker+0x1a0/0x1a0\\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70\\n ? kthread+0x10a/0x120\\n qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8\\n ? set_kthread_struct+0x40/0x40\\n qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.\\n ? ret_from_fork+0x1f/0x40\\n qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout\\n\\nThe system was under memory stress where driver was not able to allocate an\\nSRB to carry out error recovery of cable pull. The failure to flush causes\\nupper layer to start modifying scsi_cmnd. When the system frees up some\\nmemory, the subsequent cable pull trigger another command flush. At this\\npoint the driver access a null pointer when attempting to DMA unmap the\\nSGL.\\n\\nAdd a check to make sure commands are flush back on session tear down to\\nprevent the null pointer access.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26934", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26934" + }, + { + "url": "https://git.kernel.org/stable/c/07acf979da33c721357ff27129edf74c23c036c6" + }, + { + "url": "https://git.kernel.org/stable/c/122a06f1068bf5e39089863f4f60b1f5d4273384" + }, + { + "url": "https://git.kernel.org/stable/c/12d6a5681a0a5cecc2af7860f0a1613fa7c6e947" + }, + { + "url": "https://git.kernel.org/stable/c/1b175bc579f46520b11ecda443bcd2ee4904f66a" + }, + { + "url": "https://git.kernel.org/stable/c/80ba43e9f799cbdd83842fc27db667289b3150f5" + }, + { + "url": "https://git.kernel.org/stable/c/8cbdd324b41528994027128207fae8100dff094f" + }, + { + "url": "https://git.kernel.org/stable/c/ab062fa3dc69aea88fe62162c5881ba14b50ecc5" + }, + { + "url": "https://git.kernel.org/stable/c/dbdf66250d2d33e8b27352fcb901de79f3521057" + }, + { + "url": "https://git.kernel.org/stable/c/e451709573f8be904a8a72d0775bf114d7c291d9" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26934", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in usb_deauthorize_interface()\n\nAmong the attribute file callback routines in\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\nthe only one which acquires a device lock on an ancestor device: It\ncalls usb_deauthorize_interface(), which locks the interface's parent\nUSB device.\n\nThe will lead to deadlock if another process already owns that lock\nand tries to remove the interface, whether through a configuration\nchange or because the device has been disconnected. As part of the\nremoval procedure, device_del() waits for all ongoing sysfs attribute\ncallbacks to complete. But usb_deauthorize_interface() can't complete\nuntil the device lock has been released, and the lock won't be\nreleased until the removal has finished.\n\nThe mechanism provided by sysfs to prevent this kind of deadlock is\nto use the sysfs_break_active_protection() function, which tells sysfs\nnot to wait for the attribute callback.\n\nReported-and-tested by: Yue Sun \nReported by: xingwei lee ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07acf979da33c721357ff27129edf74c23c036c6\",\n \"https://git.kernel.org/stable/c/122a06f1068bf5e39089863f4f60b1f5d4273384\",\n \"https://git.kernel.org/stable/c/12d6a5681a0a5cecc2af7860f0a1613fa7c6e947\",\n \"https://git.kernel.org/stable/c/1b175bc579f46520b11ecda443bcd2ee4904f66a\",\n \"https://git.kernel.org/stable/c/80ba43e9f799cbdd83842fc27db667289b3150f5\",\n \"https://git.kernel.org/stable/c/8cbdd324b41528994027128207fae8100dff094f\",\n \"https://git.kernel.org/stable/c/ab062fa3dc69aea88fe62162c5881ba14b50ecc5\",\n \"https://git.kernel.org/stable/c/dbdf66250d2d33e8b27352fcb901de79f3521057\",\n \"https://git.kernel.org/stable/c/e451709573f8be904a8a72d0775bf114d7c291d9\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: core: Fix deadlock in usb_deauthorize_interface()\\n\\nAmong the attribute file callback routines in\\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\\nthe only one which acquires a device lock on an ancestor device: It\\ncalls usb_deauthorize_interface(), which locks the interface's parent\\nUSB device.\\n\\nThe will lead to deadlock if another process already owns that lock\\nand tries to remove the interface, whether through a configuration\\nchange or because the device has been disconnected. As part of the\\nremoval procedure, device_del() waits for all ongoing sysfs attribute\\ncallbacks to complete. But usb_deauthorize_interface() can't complete\\nuntil the device lock has been released, and the lock won't be\\nreleased until the removal has finished.\\n\\nThe mechanism provided by sysfs to prevent this kind of deadlock is\\nto use the sysfs_break_active_protection() function, which tells sysfs\\nnot to wait for the attribute callback.\\n\\nReported-and-tested by: Yue Sun \\nReported by: xingwei lee \",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26935", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26935" + }, + { + "url": "https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac" + }, + { + "url": "https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889" + }, + { + "url": "https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1" + }, + { + "url": "https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee" + }, + { + "url": "https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c" + }, + { + "url": "https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320" + }, + { + "url": "https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84" + }, + { + "url": "https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26935 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26935", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26935\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26935\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26935\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26935\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26935\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac\",\n \"https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889\",\n \"https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1\",\n \"https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee\",\n \"https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c\",\n \"https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320\",\n \"https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84\",\n \"https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: core: Fix unremoved procfs host directory regression\\n\\nCommit fc663711b944 (\\\"scsi: core: Remove the /proc/scsi/${proc_name}\\ndirectory earlier\\\") fixed a bug related to modules loading/unloading, by\\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\\nto a potential duplicate call to the hostdir_rm() routine, since it's also\\ncalled from scsi_host_dev_release(). That triggered a regression report,\\nwhich was then fixed by commit be03df3d4bfe (\\\"scsi: core: Fix a procfs host\\ndirectory removal regression\\\"). The fix just dropped the hostdir_rm() call\\nfrom dev_release().\\n\\nBut it happens that this proc directory is created on scsi_host_alloc(),\\nand that function \\\"pairs\\\" with scsi_host_dev_release(), while\\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\\nreason for removing the proc directory on dev_release() was meant to cover\\ncases in which a SCSI host structure was allocated, but the call to\\nscsi_add_host() didn't happen. And that pattern happens to exist in some\\nerror paths, for example.\\n\\nSyzkaller causes that by using USB raw gadget device, error'ing on\\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\\nallocation, but there's no call to scsi_add_host() in such path. That leads\\nto messages like this in dmesg (and a leak of the SCSI host proc\\nstructure):\\n\\nusb-storage 4-1:87.51: USB Mass Storage device detected\\nproc_dir_entry 'scsi/usb-storage' already registered\\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\\n\\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\\nbut guard that with the state check for SHOST_CREATED; there is even a\\ncomment in scsi_host_dev_release() detailing that: such conditional is\\nmeant for cases where the SCSI host was allocated but there was no calls to\\n{add,remove}_host(), like the usb-storage case.\\n\\nThis is what we propose here and with that, the error path of usb-storage\\ndoes not trigger the warning anymore.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26935\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26936", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26936" + }, + { + "url": "https://git.kernel.org/stable/c/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a" + }, + { + "url": "https://git.kernel.org/stable/c/21ff9d7d223c5c19cb4334009e4c0c83a2f4d674" + }, + { + "url": "https://git.kernel.org/stable/c/2c27a64a2bc47d9bfc7c3cf8be14be53b1ee7cb6" + }, + { + "url": "https://git.kernel.org/stable/c/5c20b242d4fed73a93591e48bfd9772e2322fb11" + }, + { + "url": "https://git.kernel.org/stable/c/8f3d0bf1d0c62b539d54c5b9108a845cff619b99" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26936 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26936", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\n\nThe response buffer should be allocated in smb2_allocate_rsp_buf\nbefore validating request. But the fields in payload as well as smb2 header\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\nvalidation to avoid potencial out-of-bounds in request buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26936\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26936\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26936\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26936\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26936\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a\",\n \"https://git.kernel.org/stable/c/21ff9d7d223c5c19cb4334009e4c0c83a2f4d674\",\n \"https://git.kernel.org/stable/c/2c27a64a2bc47d9bfc7c3cf8be14be53b1ee7cb6\",\n \"https://git.kernel.org/stable/c/5c20b242d4fed73a93591e48bfd9772e2322fb11\",\n \"https://git.kernel.org/stable/c/8f3d0bf1d0c62b539d54c5b9108a845cff619b99\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\\n\\nThe response buffer should be allocated in smb2_allocate_rsp_buf\\nbefore validating request. But the fields in payload as well as smb2 header\\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\\nvalidation to avoid potencial out-of-bounds in request buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26936\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26937", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26937" + }, + { + "url": "https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325" + }, + { + "url": "https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895" + }, + { + "url": "https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a" + }, + { + "url": "https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62" + }, + { + "url": "https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c" + }, + { + "url": "https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f" + }, + { + "url": "https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703" + }, + { + "url": "https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26937 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26937", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Reset queue_priority_hint on parking\n\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\n\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\n\n<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 166.210781] Dumping ftrace buffer:\n<0>[ 166.210795] ---------------------------------\n...\n<0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n<0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n<0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n<0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n<0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n<0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n<0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n<0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n<0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n<0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n<0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n<0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n<0>[ 167.303534] -0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n<0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n<0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 167.303811] ---------------------------------\n<4>[ 167.304722] ------------[ cut here ]------------\n<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n<4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n<4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n<4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n<4>[ 16\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26937\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26937\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26937\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26937\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26937\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325\",\n \"https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895\",\n \"https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a\",\n \"https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62\",\n \"https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c\",\n \"https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f\",\n \"https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703\",\n \"https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/gt: Reset queue_priority_hint on parking\\n\\nOriginally, with strict in order execution, we could complete execution\\nonly when the queue was empty. Preempt-to-busy allows replacement of an\\nactive request that may complete before the preemption is processed by\\nHW. If that happens, the request is retired from the queue, but the\\nqueue_priority_hint remains set, preventing direct submission until\\nafter the next CS interrupt is processed.\\n\\nThis preempt-to-busy race can be triggered by the heartbeat, which will\\nalso act as the power-management barrier and upon completion allow us to\\nidle the HW. We may process the completion of the heartbeat, and begin\\nparking the engine before the CS event that restores the\\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\\n\\n<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\\n<0>[ 166.210781] Dumping ftrace buffer:\\n<0>[ 166.210795] ---------------------------------\\n...\\n<0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\\n<0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\\n<0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\\n<0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\\n<0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\\n<0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\\n<0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\\n<0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\\n<0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\\n<0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\\n<0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\\n<0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\\n<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\\n<0>[ 167.303534] -0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\\n<0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\\n<0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\\n<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\\n<0>[ 167.303811] ---------------------------------\\n<4>[ 167.304722] ------------[ cut here ]------------\\n<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\\n<4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n<4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\\n<4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\\n<4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]\\n<4>[ 16\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26937\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26938", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26938" + }, + { + "url": "https://git.kernel.org/stable/c/32e39bab59934bfd3f37097d4dd85ac5eb0fd549" + }, + { + "url": "https://git.kernel.org/stable/c/72e4d3fb72e9f0f016946158a7d95304832768e6" + }, + { + "url": "https://git.kernel.org/stable/c/94cf2fb6feccd625e5b4e23e1b70f39a206f82ac" + }, + { + "url": "https://git.kernel.org/stable/c/a891add409e3bc381f4f68c2ce9d953f1865cb1f" + }, + { + "url": "https://git.kernel.org/stable/c/f4bbac954d8f9ab214ea1d4f385de4fa6bd92dd0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26938 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26938", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()\n\nIf we have no VBT, or the VBT didn't declare the encoder\nin question, we won't have the 'devdata' for the encoder.\nInstead of oopsing just bail early.\n\nWe won't be able to tell whether the port is DP++ or not,\nbut so be it.\n\n(cherry picked from commit 26410896206342c8a80d2b027923e9ee7d33b733)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26938\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26938\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26938\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26938\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26938\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32e39bab59934bfd3f37097d4dd85ac5eb0fd549\",\n \"https://git.kernel.org/stable/c/72e4d3fb72e9f0f016946158a7d95304832768e6\",\n \"https://git.kernel.org/stable/c/94cf2fb6feccd625e5b4e23e1b70f39a206f82ac\",\n \"https://git.kernel.org/stable/c/a891add409e3bc381f4f68c2ce9d953f1865cb1f\",\n \"https://git.kernel.org/stable/c/f4bbac954d8f9ab214ea1d4f385de4fa6bd92dd0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()\\n\\nIf we have no VBT, or the VBT didn't declare the encoder\\nin question, we won't have the 'devdata' for the encoder.\\nInstead of oopsing just bail early.\\n\\nWe won't be able to tell whether the port is DP++ or not,\\nbut so be it.\\n\\n(cherry picked from commit 26410896206342c8a80d2b027923e9ee7d33b733)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26938\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26944", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26944" + }, + { + "url": "https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302" + }, + { + "url": "https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26944 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26944", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free in do_zone_finish()\n\nShinichiro reported the following use-after-free triggered by the device\nreplace operation in fstests btrfs/070.\n\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\n ==================================================================\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\n\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n Call Trace:\n \n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0x200/0x3e0\n kasan_report+0xd8/0x110\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n do_zone_finish+0x91a/0xb90 [btrfs]\n btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\n ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\n ? btrfs_put_root+0x2d/0x220 [btrfs]\n ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\n cleaner_kthread+0x21e/0x380 [btrfs]\n ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\n kthread+0x2e3/0x3c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\n Allocated by task 3493983:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n btrfs_alloc_device+0xb3/0x4e0 [btrfs]\n device_list_add.constprop.0+0x993/0x1630 [btrfs]\n btrfs_scan_one_device+0x219/0x3d0 [btrfs]\n btrfs_control_ioctl+0x26e/0x310 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 3494056:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3f/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x32/0x70\n kfree+0x11b/0x320\n btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\n btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\n btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\n btrfs_ioctl+0xb27/0x57d0 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n The buggy address belongs to the object at ffff8881543c8000\n which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 96 bytes inside of\n freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\n\n The buggy address belongs to the physical page:\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThis UAF happens because we're accessing stale zone information of a\nalready removed btrfs_device in do_zone_finish().\n\nThe sequence of events is as follows:\n\nbtrfs_dev_replace_start\n btrfs_scrub_dev\n btrfs_dev_replace_finishing\n btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced\n btrfs_rm_dev_replace_free_srcdev\n btrfs_free_device <-- device freed\n\ncleaner_kthread\n btrfs_delete_unused_bgs\n btrfs_zone_finish\n do_zone_finish <-- refers the freed device\n\nThe reason for this is that we're using a\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26944\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26944\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26944\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26944\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26944\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302\",\n \"https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: zoned: fix use-after-free in do_zone_finish()\\n\\nShinichiro reported the following use-after-free triggered by the device\\nreplace operation in fstests btrfs/070.\\n\\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\\n ==================================================================\\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\\n\\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1\\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\\n Call Trace:\\n \\n dump_stack_lvl+0x5b/0x90\\n print_report+0xcf/0x670\\n ? __virt_addr_valid+0x200/0x3e0\\n kasan_report+0xd8/0x110\\n ? do_zone_finish+0x91a/0xb90 [btrfs]\\n ? do_zone_finish+0x91a/0xb90 [btrfs]\\n do_zone_finish+0x91a/0xb90 [btrfs]\\n btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\\n ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\\n ? btrfs_put_root+0x2d/0x220 [btrfs]\\n ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\\n cleaner_kthread+0x21e/0x380 [btrfs]\\n ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\\n kthread+0x2e3/0x3c0\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x31/0x70\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \\n\\n Allocated by task 3493983:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n __kasan_kmalloc+0xaa/0xb0\\n btrfs_alloc_device+0xb3/0x4e0 [btrfs]\\n device_list_add.constprop.0+0x993/0x1630 [btrfs]\\n btrfs_scan_one_device+0x219/0x3d0 [btrfs]\\n btrfs_control_ioctl+0x26e/0x310 [btrfs]\\n __x64_sys_ioctl+0x134/0x1b0\\n do_syscall_64+0x99/0x190\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\n Freed by task 3494056:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n kasan_save_free_info+0x3f/0x60\\n poison_slab_object+0x102/0x170\\n __kasan_slab_free+0x32/0x70\\n kfree+0x11b/0x320\\n btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\\n btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\\n btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\\n btrfs_ioctl+0xb27/0x57d0 [btrfs]\\n __x64_sys_ioctl+0x134/0x1b0\\n do_syscall_64+0x99/0x190\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\n The buggy address belongs to the object at ffff8881543c8000\\n which belongs to the cache kmalloc-1k of size 1024\\n The buggy address is located 96 bytes inside of\\n freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\\n\\n The buggy address belongs to the physical page:\\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\\n page_type: 0xffffffff()\\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\\n page dumped because: kasan: bad access detected\\n\\n Memory state around the buggy address:\\n ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ^\\n ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n\\nThis UAF happens because we're accessing stale zone information of a\\nalready removed btrfs_device in do_zone_finish().\\n\\nThe sequence of events is as follows:\\n\\nbtrfs_dev_replace_start\\n btrfs_scrub_dev\\n btrfs_dev_replace_finishing\\n btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced\\n btrfs_rm_dev_replace_free_srcdev\\n btrfs_free_device <-- device freed\\n\\ncleaner_kthread\\n btrfs_delete_unused_bgs\\n btrfs_zone_finish\\n do_zone_finish <-- refers the freed device\\n\\nThe reason for this is that we're using a\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26944\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26945", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26945" + }, + { + "url": "https://git.kernel.org/stable/c/5a7e89d3315d1be86aff8a8bf849023cda6547f7" + }, + { + "url": "https://git.kernel.org/stable/c/a5ca1be7f9817de4e93085778b3ee2219bdc2664" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26945 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26945", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix nr_cpus < nr_iaa case\n\nIf nr_cpus < nr_iaa, the calculated cpus_per_iaa will be 0, which\ncauses a divide-by-0 in rebalance_wq_table().\n\nMake sure cpus_per_iaa is 1 in that case, and also in the nr_iaa == 0\ncase, even though cpus_per_iaa is never used if nr_iaa == 0, for\nparanoia.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26945\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26945\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26945\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26945\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26945\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5a7e89d3315d1be86aff8a8bf849023cda6547f7\",\n \"https://git.kernel.org/stable/c/a5ca1be7f9817de4e93085778b3ee2219bdc2664\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: iaa - Fix nr_cpus < nr_iaa case\\n\\nIf nr_cpus < nr_iaa, the calculated cpus_per_iaa will be 0, which\\ncauses a divide-by-0 in rebalance_wq_table().\\n\\nMake sure cpus_per_iaa is 1 in that case, and also in the nr_iaa == 0\\ncase, even though cpus_per_iaa is never used if nr_iaa == 0, for\\nparanoia.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26945\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26947", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26947" + }, + { + "url": "https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff" + }, + { + "url": "https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc" + }, + { + "url": "https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7" + }, + { + "url": "https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26947 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26947", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\n\nSince commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account\nfreed memory map alignment\") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\n\n node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node 0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is:0xc0900000, 0x100000\n\nthe crash backtrace like:\n\n Unable to handle kernel paging request at virtual address bff00000\n [...]\n CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1\n Hardware name: Generic DT based system\n PC is at b15_flush_kern_dcache_area+0x24/0x3c\n LR is at __sync_icache_dcache+0x6c/0x98\n [...]\n (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n (__do_mmap_mm) from (do_mmap+0x50/0x58)\n (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n ---[ end trace 09cf0734c3805d52 ]---\n Kernel panic - not syncing: Fatal exception\n\nSo check if PG_reserved was set to solve this issue.\n\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26947\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26947\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26947\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26947\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26947\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff\",\n \"https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc\",\n \"https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7\",\n \"https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\\n\\nSince commit a4d5613c4dc6 (\\\"arm: extend pfn_valid to take into account\\nfreed memory map alignment\\\") changes the semantics of pfn_valid() to check\\npresence of the memory map for a PFN. A valid page for an address which\\nis reserved but not mapped by the kernel[1], the system crashed during\\nsome uio test with the following memory layout:\\n\\n node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\\n node 0: [mem 0x00000000d0000000-0x00000000da1fffff]\\n the uio layout is:0xc0900000, 0x100000\\n\\nthe crash backtrace like:\\n\\n Unable to handle kernel paging request at virtual address bff00000\\n [...]\\n CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1\\n Hardware name: Generic DT based system\\n PC is at b15_flush_kern_dcache_area+0x24/0x3c\\n LR is at __sync_icache_dcache+0x6c/0x98\\n [...]\\n (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\\n (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\\n (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\\n (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\\n (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\\n (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\\n (__do_mmap_mm) from (do_mmap+0x50/0x58)\\n (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\\n (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\\n (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\\n Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\\n ---[ end trace 09cf0734c3805d52 ]---\\n Kernel panic - not syncing: Fatal exception\\n\\nSo check if PG_reserved was set to solve this issue.\\n\\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26947\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26948", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26948" + }, + { + "url": "https://git.kernel.org/stable/c/334b56cea5d9df5989be6cf1a5898114fa70ad98" + }, + { + "url": "https://git.kernel.org/stable/c/d37a08f840485995e3fb91dad95e441b9d28a269" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26948 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26948", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add a dc_state NULL check in dc_state_release\n\n[How]\nCheck wheather state is NULL before releasing it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26948\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26948\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26948\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26948\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26948\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/334b56cea5d9df5989be6cf1a5898114fa70ad98\",\n \"https://git.kernel.org/stable/c/d37a08f840485995e3fb91dad95e441b9d28a269\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add a dc_state NULL check in dc_state_release\\n\\n[How]\\nCheck wheather state is NULL before releasing it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26948\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26950", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26950" + }, + { + "url": "https://git.kernel.org/stable/c/09c3fa70f65175861ca948cb2f0f791e666c90e5" + }, + { + "url": "https://git.kernel.org/stable/c/493aa6bdcffd90a4f82aa614fe4f4db0641b4068" + }, + { + "url": "https://git.kernel.org/stable/c/4be453271a882c8ebc28df3dbf9e4d95e6ac42f5" + }, + { + "url": "https://git.kernel.org/stable/c/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f" + }, + { + "url": "https://git.kernel.org/stable/c/93bcc1752c69bb309f4d8cfaf960ef1faeb34996" + }, + { + "url": "https://git.kernel.org/stable/c/c991567e6c638079304cc15dff28748e4a3c4a37" + }, + { + "url": "https://git.kernel.org/stable/c/d44bd323d8bb8031eef4bdc44547925998a11e47" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26950 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26950", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: access device through ctx instead of peer\n\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26950\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26950\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26950\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26950\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26950\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09c3fa70f65175861ca948cb2f0f791e666c90e5\",\n \"https://git.kernel.org/stable/c/493aa6bdcffd90a4f82aa614fe4f4db0641b4068\",\n \"https://git.kernel.org/stable/c/4be453271a882c8ebc28df3dbf9e4d95e6ac42f5\",\n \"https://git.kernel.org/stable/c/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f\",\n \"https://git.kernel.org/stable/c/93bcc1752c69bb309f4d8cfaf960ef1faeb34996\",\n \"https://git.kernel.org/stable/c/c991567e6c638079304cc15dff28748e4a3c4a37\",\n \"https://git.kernel.org/stable/c/d44bd323d8bb8031eef4bdc44547925998a11e47\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwireguard: netlink: access device through ctx instead of peer\\n\\nThe previous commit fixed a bug that led to a NULL peer->device being\\ndereferenced. It's actually easier and faster performance-wise to\\ninstead get the device from ctx->wg. This semantically makes more sense\\ntoo, since ctx->wg->peer_allowedips.seq is compared with\\nctx->allowedips_seq, basing them both in ctx. This also acts as a\\ndefence in depth provision against freed peers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26950\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26951", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26951" + }, + { + "url": "https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04" + }, + { + "url": "https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d" + }, + { + "url": "https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4" + }, + { + "url": "https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87" + }, + { + "url": "https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b" + }, + { + "url": "https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac" + }, + { + "url": "https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26951 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26951", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\n\nIf all peers are removed via wg_peer_remove_all(), rather than setting\npeer_list to empty, the peer is added to a temporary list with a head on\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\ncursored peer is one that has been removed via wg_peer_remove_all(), it\nwill iterate from that peer and then attempt to dump freed peers.\n\nFix this by instead checking peer->is_dead, which was explictly created\nfor this purpose. Also move up the device_update_lock lockdep assertion,\nsince reading is_dead relies on that.\n\nIt can be reproduced by a small script like:\n\n echo \"Setting config...\"\n ip link add dev wg0 type wireguard\n wg setconf wg0 /big-config\n (\n while true; do\n echo \"Showing config...\"\n wg showconf wg0 > /dev/null\n done\n ) &\n sleep 4\n wg setconf wg0 <(printf \"[Peer]\\nPublicKey=$(wg genkey)\\n\")\n\nResulting in:\n\n BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\n Read of size 8 at addr ffff88811956ec70 by task wg/59\n CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\n Call Trace:\n \n dump_stack_lvl+0x47/0x70\n print_address_description.constprop.0+0x2c/0x380\n print_report+0xab/0x250\n kasan_report+0xba/0xf0\n __lock_acquire+0x182a/0x1b20\n lock_acquire+0x191/0x4b0\n down_read+0x80/0x440\n get_peer+0x140/0xcb0\n wg_get_device_dump+0x471/0x1130", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26951\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26951\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26951\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26951\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26951\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04\",\n \"https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d\",\n \"https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4\",\n \"https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87\",\n \"https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b\",\n \"https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac\",\n \"https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\\n\\nIf all peers are removed via wg_peer_remove_all(), rather than setting\\npeer_list to empty, the peer is added to a temporary list with a head on\\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\\ncursored peer is one that has been removed via wg_peer_remove_all(), it\\nwill iterate from that peer and then attempt to dump freed peers.\\n\\nFix this by instead checking peer->is_dead, which was explictly created\\nfor this purpose. Also move up the device_update_lock lockdep assertion,\\nsince reading is_dead relies on that.\\n\\nIt can be reproduced by a small script like:\\n\\n echo \\\"Setting config...\\\"\\n ip link add dev wg0 type wireguard\\n wg setconf wg0 /big-config\\n (\\n while true; do\\n echo \\\"Showing config...\\\"\\n wg showconf wg0 > /dev/null\\n done\\n ) &\\n sleep 4\\n wg setconf wg0 <(printf \\\"[Peer]\\\\nPublicKey=$(wg genkey)\\\\n\\\")\\n\\nResulting in:\\n\\n BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\\n Read of size 8 at addr ffff88811956ec70 by task wg/59\\n CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\\n Call Trace:\\n \\n dump_stack_lvl+0x47/0x70\\n print_address_description.constprop.0+0x2c/0x380\\n print_report+0xab/0x250\\n kasan_report+0xba/0xf0\\n __lock_acquire+0x182a/0x1b20\\n lock_acquire+0x191/0x4b0\\n down_read+0x80/0x440\\n get_peer+0x140/0xcb0\\n wg_get_device_dump+0x471/0x1130\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26951\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26952", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26952" + }, + { + "url": "https://git.kernel.org/stable/c/0c5541b4c980626fa3cab16ba1a451757778bbb5" + }, + { + "url": "https://git.kernel.org/stable/c/2dcda336b6e80b72d58d30d40f2fad9724e5fe63" + }, + { + "url": "https://git.kernel.org/stable/c/39bdc4197acf2ed13269167ccf093ee28cfa2a4e" + }, + { + "url": "https://git.kernel.org/stable/c/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26952 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26952", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potencial out-of-bounds when buffer offset is invalid\n\nI found potencial out-of-bounds when buffer offset fields of a few requests\nis invalid. This patch set the minimum value of buffer offset field to\n->Buffer offset to validate buffer length.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26952\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26952\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26952\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26952\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26952\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c5541b4c980626fa3cab16ba1a451757778bbb5\",\n \"https://git.kernel.org/stable/c/2dcda336b6e80b72d58d30d40f2fad9724e5fe63\",\n \"https://git.kernel.org/stable/c/39bdc4197acf2ed13269167ccf093ee28cfa2a4e\",\n \"https://git.kernel.org/stable/c/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: fix potencial out-of-bounds when buffer offset is invalid\\n\\nI found potencial out-of-bounds when buffer offset fields of a few requests\\nis invalid. This patch set the minimum value of buffer offset field to\\n->Buffer offset to validate buffer length.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.1,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26952\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26953", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26953" + }, + { + "url": "https://git.kernel.org/stable/c/1abb20a5f4b02fb3020f88456fc1e6069b3cdc45" + }, + { + "url": "https://git.kernel.org/stable/c/8291b4eac429c480386669444c6377573f5d8664" + }, + { + "url": "https://git.kernel.org/stable/c/c3198822c6cb9fb588e446540485669cc81c5d34" + }, + { + "url": "https://git.kernel.org/stable/c/f278ff9db67264715d0d50e3e75044f8b78990f4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26953 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26953", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: esp: fix bad handling of pages from page_pool\n\nWhen the skb is reorganized during esp_output (!esp->inline), the pages\ncoming from the original skb fragments are supposed to be released back\nto the system through put_page. But if the skb fragment pages are\noriginating from a page_pool, calling put_page on them will trigger a\npage_pool leak which will eventually result in a crash.\n\nThis leak can be easily observed when using CONFIG_DEBUG_VM and doing\nipsec + gre (non offloaded) forwarding:\n\n BUG: Bad page state in process ksoftirqd/16 pfn:1451b6\n page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6\n flags: 0x200000000000000(node=0|zone=2)\n page_type: 0xffffffff()\n raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000\n raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000\n page dumped because: page_pool leak\n Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]\n CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n \n dump_stack_lvl+0x36/0x50\n bad_page+0x70/0xf0\n free_unref_page_prepare+0x27a/0x460\n free_unref_page+0x38/0x120\n esp_ssg_unref.isra.0+0x15f/0x200\n esp_output_tail+0x66d/0x780\n esp_xmit+0x2c5/0x360\n validate_xmit_xfrm+0x313/0x370\n ? validate_xmit_skb+0x1d/0x330\n validate_xmit_skb_list+0x4c/0x70\n sch_direct_xmit+0x23e/0x350\n __dev_queue_xmit+0x337/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x25e/0x580\n iptunnel_xmit+0x19b/0x240\n ip_tunnel_xmit+0x5fb/0xb60\n ipgre_xmit+0x14d/0x280 [ip_gre]\n dev_hard_start_xmit+0xc3/0x1c0\n __dev_queue_xmit+0x208/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x1ca/0x580\n ip_sublist_rcv_finish+0x32/0x40\n ip_sublist_rcv+0x1b2/0x1f0\n ? ip_rcv_finish_core.constprop.0+0x460/0x460\n ip_list_rcv+0x103/0x130\n __netif_receive_skb_list_core+0x181/0x1e0\n netif_receive_skb_list_internal+0x1b3/0x2c0\n napi_gro_receive+0xc8/0x200\n gro_cell_poll+0x52/0x90\n __napi_poll+0x25/0x1a0\n net_rx_action+0x28e/0x300\n __do_softirq+0xc3/0x276\n ? sort_range+0x20/0x20\n run_ksoftirqd+0x1e/0x30\n smpboot_thread_fn+0xa6/0x130\n kthread+0xcd/0x100\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x31/0x50\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork_asm+0x11/0x20\n \n\nThe suggested fix is to introduce a new wrapper (skb_page_unref) that\ncovers page refcounting for page_pool pages as well.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26953\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26953\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26953\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26953\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26953\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1abb20a5f4b02fb3020f88456fc1e6069b3cdc45\",\n \"https://git.kernel.org/stable/c/8291b4eac429c480386669444c6377573f5d8664\",\n \"https://git.kernel.org/stable/c/c3198822c6cb9fb588e446540485669cc81c5d34\",\n \"https://git.kernel.org/stable/c/f278ff9db67264715d0d50e3e75044f8b78990f4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: esp: fix bad handling of pages from page_pool\\n\\nWhen the skb is reorganized during esp_output (!esp->inline), the pages\\ncoming from the original skb fragments are supposed to be released back\\nto the system through put_page. But if the skb fragment pages are\\noriginating from a page_pool, calling put_page on them will trigger a\\npage_pool leak which will eventually result in a crash.\\n\\nThis leak can be easily observed when using CONFIG_DEBUG_VM and doing\\nipsec + gre (non offloaded) forwarding:\\n\\n BUG: Bad page state in process ksoftirqd/16 pfn:1451b6\\n page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6\\n flags: 0x200000000000000(node=0|zone=2)\\n page_type: 0xffffffff()\\n raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000\\n raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000\\n page dumped because: page_pool leak\\n Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]\\n CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n Call Trace:\\n \\n dump_stack_lvl+0x36/0x50\\n bad_page+0x70/0xf0\\n free_unref_page_prepare+0x27a/0x460\\n free_unref_page+0x38/0x120\\n esp_ssg_unref.isra.0+0x15f/0x200\\n esp_output_tail+0x66d/0x780\\n esp_xmit+0x2c5/0x360\\n validate_xmit_xfrm+0x313/0x370\\n ? validate_xmit_skb+0x1d/0x330\\n validate_xmit_skb_list+0x4c/0x70\\n sch_direct_xmit+0x23e/0x350\\n __dev_queue_xmit+0x337/0xba0\\n ? nf_hook_slow+0x3f/0xd0\\n ip_finish_output2+0x25e/0x580\\n iptunnel_xmit+0x19b/0x240\\n ip_tunnel_xmit+0x5fb/0xb60\\n ipgre_xmit+0x14d/0x280 [ip_gre]\\n dev_hard_start_xmit+0xc3/0x1c0\\n __dev_queue_xmit+0x208/0xba0\\n ? nf_hook_slow+0x3f/0xd0\\n ip_finish_output2+0x1ca/0x580\\n ip_sublist_rcv_finish+0x32/0x40\\n ip_sublist_rcv+0x1b2/0x1f0\\n ? ip_rcv_finish_core.constprop.0+0x460/0x460\\n ip_list_rcv+0x103/0x130\\n __netif_receive_skb_list_core+0x181/0x1e0\\n netif_receive_skb_list_internal+0x1b3/0x2c0\\n napi_gro_receive+0xc8/0x200\\n gro_cell_poll+0x52/0x90\\n __napi_poll+0x25/0x1a0\\n net_rx_action+0x28e/0x300\\n __do_softirq+0xc3/0x276\\n ? sort_range+0x20/0x20\\n run_ksoftirqd+0x1e/0x30\\n smpboot_thread_fn+0xa6/0x130\\n kthread+0xcd/0x100\\n ? kthread_complete_and_exit+0x20/0x20\\n ret_from_fork+0x31/0x50\\n ? kthread_complete_and_exit+0x20/0x20\\n ret_from_fork_asm+0x11/0x20\\n \\n\\nThe suggested fix is to introduce a new wrapper (skb_page_unref) that\\ncovers page refcounting for page_pool pages as well.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26953\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26954", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26954" + }, + { + "url": "https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57" + }, + { + "url": "https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178" + }, + { + "url": "https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26954 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26954", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\n\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26954\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26954\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26954\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26954\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26954\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57\",\n \"https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178\",\n \"https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\\n\\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\\nThis patch set the minimum value of the name offset to the buffer offset\\nto validate name length of smb2_create_req().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26954\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26955", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26955" + }, + { + "url": "https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c" + }, + { + "url": "https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5" + }, + { + "url": "https://git.kernel.org/stable/c/269cdf353b5bdd15f1a079671b0f889113865f20" + }, + { + "url": "https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07" + }, + { + "url": "https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414ef02e39" + }, + { + "url": "https://git.kernel.org/stable/c/76ffbe911e2798c7296968f5fd72f7bf67207a8d" + }, + { + "url": "https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183" + }, + { + "url": "https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c" + }, + { + "url": "https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26955 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26955", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: prevent kernel bug at submit_bh_wbc()\n\nFix a bug where nilfs_get_block() returns a successful status when\nsearching and inserting the specified block both fail inconsistently. If\nthis inconsistent behavior is not due to a previously fixed bug, then an\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\n\nThis prevents callers such as __block_write_begin_int() from requesting a\nread into a buffer that is not mapped, which would cause the BUG_ON check\nfor the BH_Mapped flag in submit_bh_wbc() to fail.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26955\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26955\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26955\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26955\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26955\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c\",\n \"https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5\",\n \"https://git.kernel.org/stable/c/269cdf353b5bdd15f1a079671b0f889113865f20\",\n \"https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07\",\n \"https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414ef02e39\",\n \"https://git.kernel.org/stable/c/76ffbe911e2798c7296968f5fd72f7bf67207a8d\",\n \"https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183\",\n \"https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c\",\n \"https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: prevent kernel bug at submit_bh_wbc()\\n\\nFix a bug where nilfs_get_block() returns a successful status when\\nsearching and inserting the specified block both fail inconsistently. If\\nthis inconsistent behavior is not due to a previously fixed bug, then an\\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\\n\\nThis prevents callers such as __block_write_begin_int() from requesting a\\nread into a buffer that is not mapped, which would cause the BUG_ON check\\nfor the BH_Mapped flag in submit_bh_wbc() to fail.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26955\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26956", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26956" + }, + { + "url": "https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84" + }, + { + "url": "https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7" + }, + { + "url": "https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4" + }, + { + "url": "https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e" + }, + { + "url": "https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713" + }, + { + "url": "https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35" + }, + { + "url": "https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb" + }, + { + "url": "https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba" + }, + { + "url": "https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26956 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26956", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\n\nPatch series \"nilfs2: fix kernel bug at submit_bh_wbc()\".\n\nThis resolves a kernel BUG reported by syzbot. Since there are two\nflaws involved, I've made each one a separate patch.\n\nThe first patch alone resolves the syzbot-reported bug, but I think\nboth fixes should be sent to stable, so I've tagged them as such.\n\n\nThis patch (of 2):\n\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\nto a nilfs2 file system whose metadata is corrupted.\n\nThere are two flaws involved in this issue.\n\nThe first flaw is that when nilfs_get_block() locates a data block using\nbtree or direct mapping, if the disk address translation routine\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\ncorruption, it can be passed back to nilfs_get_block(). This causes\nnilfs_get_block() to misidentify an existing block as non-existent,\ncausing both data block lookup and insertion to fail inconsistently.\n\nThe second flaw is that nilfs_get_block() returns a successful status in\nthis inconsistent state. This causes the caller __block_write_begin_int()\nor others to request a read even though the buffer is not mapped,\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\nfailing.\n\nThis fixes the first issue by changing the return value to code -EINVAL\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\nconflicting condition that leads to the kernel bug described above. Here,\ncode -EINVAL indicates that metadata corruption was detected during the\nblock lookup, which will be properly handled as a file system error and\nconverted to -EIO when passing through the nilfs2 bmap layer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26956\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26956\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26956\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26956\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26956\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84\",\n \"https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7\",\n \"https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4\",\n \"https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e\",\n \"https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713\",\n \"https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35\",\n \"https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb\",\n \"https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba\",\n \"https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\\n\\nPatch series \\\"nilfs2: fix kernel bug at submit_bh_wbc()\\\".\\n\\nThis resolves a kernel BUG reported by syzbot. Since there are two\\nflaws involved, I've made each one a separate patch.\\n\\nThe first patch alone resolves the syzbot-reported bug, but I think\\nboth fixes should be sent to stable, so I've tagged them as such.\\n\\n\\nThis patch (of 2):\\n\\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\\nto a nilfs2 file system whose metadata is corrupted.\\n\\nThere are two flaws involved in this issue.\\n\\nThe first flaw is that when nilfs_get_block() locates a data block using\\nbtree or direct mapping, if the disk address translation routine\\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\\ncorruption, it can be passed back to nilfs_get_block(). This causes\\nnilfs_get_block() to misidentify an existing block as non-existent,\\ncausing both data block lookup and insertion to fail inconsistently.\\n\\nThe second flaw is that nilfs_get_block() returns a successful status in\\nthis inconsistent state. This causes the caller __block_write_begin_int()\\nor others to request a read even though the buffer is not mapped,\\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\\nfailing.\\n\\nThis fixes the first issue by changing the return value to code -EINVAL\\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\\nconflicting condition that leads to the kernel bug described above. Here,\\ncode -EINVAL indicates that metadata corruption was detected during the\\nblock lookup, which will be properly handled as a file system error and\\nconverted to -EIO when passing through the nilfs2 bmap layer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26956\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26957", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26957" + }, + { + "url": "https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484" + }, + { + "url": "https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c" + }, + { + "url": "https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd" + }, + { + "url": "https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058" + }, + { + "url": "https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55" + }, + { + "url": "https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6" + }, + { + "url": "https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca" + }, + { + "url": "https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d" + }, + { + "url": "https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26957 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26957", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n kernel: kmalloc_trace+0x3f2/0x470\n kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]\n kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n kernel: ap_device_probe+0x15c/0x290\n kernel: really_probe+0xd2/0x468\n kernel: driver_probe_device+0x40/0xf0\n kernel: __device_attach_driver+0xc0/0x140\n kernel: bus_for_each_drv+0x8c/0xd0\n kernel: __device_attach+0x114/0x198\n kernel: bus_probe_device+0xb4/0xc8\n kernel: device_add+0x4d2/0x6e0\n kernel: ap_scan_adapter+0x3d0/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n kernel: kfree+0x37e/0x418\n kernel: zcrypt_card_put+0x54/0x80 [zcrypt]\n kernel: ap_device_remove+0x4c/0xe0\n kernel: device_release_driver_internal+0x1c4/0x270\n kernel: bus_remove_device+0x100/0x188\n kernel: device_del+0x164/0x3c0\n kernel: device_unregister+0x30/0x90\n kernel: ap_scan_adapter+0xc8/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: kthread+0x150/0x168\n kernel: __ret_from_fork+0x3c/0x58\n kernel: ret_from_fork+0xa/0x30\n kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........\n kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk.\n kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........\n kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ\n kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n kernel: Call Trace:\n kernel: [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n kernel: [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n kernel: [<00000000c99d53cc>] check_object+0x334/0x3f8\n kernel: [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n kernel: [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n kernel: [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n kernel: [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n kernel: [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n kernel: [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n kernel: [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n kernel: \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26957\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26957\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26957\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26957\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26957\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484\",\n \"https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c\",\n \"https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd\",\n \"https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058\",\n \"https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55\",\n \"https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6\",\n \"https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca\",\n \"https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d\",\n \"https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/zcrypt: fix reference counting on zcrypt card objects\\n\\nTests with hot-plugging crytpo cards on KVM guests with debug\\nkernel build revealed an use after free for the load field of\\nthe struct zcrypt_card. The reason was an incorrect reference\\nhandling of the zcrypt card object which could lead to a free\\nof the zcrypt card object while it was still in use.\\n\\nThis is an example of the slab message:\\n\\n kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\\n kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\\n kernel: kmalloc_trace+0x3f2/0x470\\n kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]\\n kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\\n kernel: ap_device_probe+0x15c/0x290\\n kernel: really_probe+0xd2/0x468\\n kernel: driver_probe_device+0x40/0xf0\\n kernel: __device_attach_driver+0xc0/0x140\\n kernel: bus_for_each_drv+0x8c/0xd0\\n kernel: __device_attach+0x114/0x198\\n kernel: bus_probe_device+0xb4/0xc8\\n kernel: device_add+0x4d2/0x6e0\\n kernel: ap_scan_adapter+0x3d0/0x7c0\\n kernel: ap_scan_bus+0x5a/0x3b0\\n kernel: ap_scan_bus_wq_callback+0x40/0x60\\n kernel: process_one_work+0x26e/0x620\\n kernel: worker_thread+0x21c/0x440\\n kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\\n kernel: kfree+0x37e/0x418\\n kernel: zcrypt_card_put+0x54/0x80 [zcrypt]\\n kernel: ap_device_remove+0x4c/0xe0\\n kernel: device_release_driver_internal+0x1c4/0x270\\n kernel: bus_remove_device+0x100/0x188\\n kernel: device_del+0x164/0x3c0\\n kernel: device_unregister+0x30/0x90\\n kernel: ap_scan_adapter+0xc8/0x7c0\\n kernel: ap_scan_bus+0x5a/0x3b0\\n kernel: ap_scan_bus_wq_callback+0x40/0x60\\n kernel: process_one_work+0x26e/0x620\\n kernel: worker_thread+0x21c/0x440\\n kernel: kthread+0x150/0x168\\n kernel: __ret_from_fork+0x3c/0x58\\n kernel: ret_from_fork+0xa/0x30\\n kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\\n kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\\n kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........\\n kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\\n kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\\n kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\\n kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\\n kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\\n kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk.\\n kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........\\n kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ\\n kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\\n kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\\n kernel: Call Trace:\\n kernel: [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\\n kernel: [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\\n kernel: [<00000000c99d53cc>] check_object+0x334/0x3f8\\n kernel: [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\\n kernel: [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\\n kernel: [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\\n kernel: [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\\n kernel: [<00000000c99dc8dc>] __kmalloc+0x434/0x590\\n kernel: [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\\n kernel: [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\\n kernel: \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26957\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26958", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26958" + }, + { + "url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af" + }, + { + "url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab" + }, + { + "url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3" + }, + { + "url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5" + }, + { + "url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f" + }, + { + "url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95" + }, + { + "url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26958 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26958", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n \n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we're completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26958\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26958\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26958\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26958\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26958\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af\",\n \"https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab\",\n \"https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3\",\n \"https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5\",\n \"https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f\",\n \"https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95\",\n \"https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfs: fix UAF in direct writes\\n\\nIn production we have been hitting the following warning consistently\\n\\n------------[ cut here ]------------\\nrefcount_t: underflow; use-after-free.\\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? __warn+0x9f/0x130\\n ? refcount_warn_saturate+0x9c/0xe0\\n ? report_bug+0xcc/0x150\\n ? handle_bug+0x3d/0x70\\n ? exc_invalid_op+0x16/0x40\\n ? asm_exc_invalid_op+0x16/0x20\\n ? refcount_warn_saturate+0x9c/0xe0\\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\\n process_one_work+0x12f/0x4a0\\n worker_thread+0x14e/0x3b0\\n ? ZSTD_getCParams_internal+0x220/0x220\\n kthread+0xdc/0x120\\n ? __btf_name_valid+0xa0/0xa0\\n ret_from_fork+0x1f/0x30\\n\\nThis is because we're completing the nfs_direct_request twice in a row.\\n\\nThe source of this is when we have our commit requests to submit, we\\nprocess them and send them off, and then in the completion path for the\\ncommit requests we have\\n\\nif (nfs_commit_end(cinfo.mds))\\n\\tnfs_direct_write_complete(dreq);\\n\\nHowever since we're submitting asynchronous requests we sometimes have\\none that completes before we submit the next one, so we end up calling\\ncomplete on the nfs_direct_request twice.\\n\\nThe only other place we use nfs_generic_commit_list() is in\\n__nfs_commit_inode, which wraps this call in a\\n\\nnfs_commit_begin();\\nnfs_commit_end();\\n\\nWhich is a common pattern for this style of completion handling, one\\nthat is also repeated in the direct code with get_dreq()/put_dreq()\\ncalls around where we process events as well as in the completion paths.\\n\\nFix this by using the same pattern for the commit requests.\\n\\nBefore with my 200 node rocksdb stress running this warning would pop\\nevery 10ish minutes. With my patch the stress test has been running for\\nseveral hours without popping.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26958\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26960", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26960" + }, + { + "url": "https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a" + }, + { + "url": "https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a" + }, + { + "url": "https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e" + }, + { + "url": "https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b" + }, + { + "url": "https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39" + }, + { + "url": "https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e" + }, + { + "url": "https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26960 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26960", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread. This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case. But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff(). There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free. This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff. So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26960\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26960\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26960\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26960\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26960\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a\",\n \"https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a\",\n \"https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e\",\n \"https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b\",\n \"https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39\",\n \"https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e\",\n \"https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: swap: fix race between free_swap_and_cache() and swapoff()\\n\\nThere was previously a theoretical window where swapoff() could run and\\nteardown a swap_info_struct while a call to free_swap_and_cache() was\\nrunning in another thread. This could cause, amongst other bad\\npossibilities, swap_page_trans_huge_swapped() (called by\\nfree_swap_and_cache()) to access the freed memory for swap_map.\\n\\nThis is a theoretical problem and I haven't been able to provoke it from a\\ntest case. But there has been agreement based on code review that this is\\npossible (see link below).\\n\\nFix it by using get_swap_device()/put_swap_device(), which will stall\\nswapoff(). There was an extra check in _swap_info_get() to confirm that\\nthe swap entry was not free. This isn't present in get_swap_device()\\nbecause it doesn't make sense in general due to the race between getting\\nthe reference and swapoff. So I've added an equivalent check directly in\\nfree_swap_and_cache().\\n\\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\\nfor deriving this):\\n\\n--8<-----\\n\\n__swap_entry_free() might be the last user and result in\\n\\\"count == SWAP_HAS_CACHE\\\".\\n\\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\\n\\nSo the question is: could someone reclaim the folio and turn\\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\\n\\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\\nstill references by swap entries.\\n\\nProcess 1 still references subpage 0 via swap entry.\\nProcess 2 still references subpage 1 via swap entry.\\n\\nProcess 1 quits. Calls free_swap_and_cache().\\n-> count == SWAP_HAS_CACHE\\n[then, preempted in the hypervisor etc.]\\n\\nProcess 2 quits. Calls free_swap_and_cache().\\n-> count == SWAP_HAS_CACHE\\n\\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\\n__try_to_reclaim_swap().\\n\\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\\nswap_entry_free()->swap_range_free()->\\n...\\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\\n\\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\\n\\n--8<-----\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26960\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26961", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26961" + }, + { + "url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531" + }, + { + "url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d" + }, + { + "url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1" + }, + { + "url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88" + }, + { + "url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821" + }, + { + "url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f" + }, + { + "url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26961 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26961", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n \n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n hex dump (first 32 bytes):\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\".......\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e2/0x2d0\n [] kmalloc_trace+0x25/0xc0\n [] mac802154_llsec_key_add+0xac9/0xcf0\n [] ieee802154_add_llsec_key+0x5a/0x80\n [] nl802154_add_llsec_key+0x426/0x5b0\n [] genl_family_rcv_msg_doit+0x1fe/0x2f0\n [] genl_rcv_msg+0x531/0x7d0\n [] netlink_rcv_skb+0x169/0x440\n [] genl_rcv+0x28/0x40\n [] netlink_unicast+0x53c/0x820\n [] netlink_sendmsg+0x93b/0xe60\n [] ____sys_sendmsg+0xac5/0xca0\n [] ___sys_sendmsg+0x11d/0x1c0\n [] __sys_sendmsg+0xfa/0x1d0\n [] do_syscall_64+0x45/0xf0\n [] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26961\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26961\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26961\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26961\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26961\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531\",\n \"https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d\",\n \"https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1\",\n \"https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88\",\n \"https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821\",\n \"https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f\",\n \"https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\\n\\nmac802154_llsec_key_del() can free resources of a key directly without\\nfollowing the RCU rules for waiting before the end of a grace period. This\\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\\nlist of keys in parallel with a key deletion:\\n\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\\nModules linked in:\\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\\nCall Trace:\\n \\n llsec_lookup_key.isra.0+0x890/0x9e0\\n mac802154_llsec_encrypt+0x30c/0x9c0\\n ieee802154_subif_start_xmit+0x24/0x1e0\\n dev_hard_start_xmit+0x13e/0x690\\n sch_direct_xmit+0x2ae/0xbc0\\n __dev_queue_xmit+0x11dd/0x3c20\\n dgram_sendmsg+0x90b/0xd60\\n __sys_sendto+0x466/0x4c0\\n __x64_sys_sendto+0xe0/0x1c0\\n do_syscall_64+0x45/0xf0\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\nAlso, ieee802154_llsec_key_entry structures are not freed by\\nmac802154_llsec_key_del():\\n\\nunreferenced object 0xffff8880613b6980 (size 64):\\n comm \\\"iwpan\\\", pid 2176, jiffies 4294761134 (age 60.475s)\\n hex dump (first 32 bytes):\\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\\\".......\\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\\n backtrace:\\n [] __kmem_cache_alloc_node+0x1e2/0x2d0\\n [] kmalloc_trace+0x25/0xc0\\n [] mac802154_llsec_key_add+0xac9/0xcf0\\n [] ieee802154_add_llsec_key+0x5a/0x80\\n [] nl802154_add_llsec_key+0x426/0x5b0\\n [] genl_family_rcv_msg_doit+0x1fe/0x2f0\\n [] genl_rcv_msg+0x531/0x7d0\\n [] netlink_rcv_skb+0x169/0x440\\n [] genl_rcv+0x28/0x40\\n [] netlink_unicast+0x53c/0x820\\n [] netlink_sendmsg+0x93b/0xe60\\n [] ____sys_sendmsg+0xac5/0xca0\\n [] ___sys_sendmsg+0x11d/0x1c0\\n [] __sys_sendmsg+0xfa/0x1d0\\n [] do_syscall_64+0x45/0xf0\\n [] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\nHandle the proper resource release in the RCU callback function\\nmac802154_llsec_key_del_rcu().\\n\\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\\nllsec_key_get() and locally copies key id from key_entry (which is a\\nlist element). So it's safe to call llsec_key_put() and free the list\\nentry after the RCU grace period elapses.\\n\\nFound by Linux Verification Center (linuxtesting.org).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26961\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26962", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26962" + }, + { + "url": "https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677" + }, + { + "url": "https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1" + }, + { + "url": "https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26962 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26962", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape\n\nFor raid456, if reshape is still in progress, then IO across reshape\nposition will wait for reshape to make progress. However, for dm-raid,\nin following cases reshape will never make progress hence IO will hang:\n\n1) the array is read-only;\n2) MD_RECOVERY_WAIT is set;\n3) MD_RECOVERY_FROZEN is set;\n\nAfter commit c467e97f079f (\"md/raid6: use valid sector values to determine\nif an I/O should wait on the reshape\") fix the problem that IO across\nreshape position doesn't wait for reshape, the dm-raid test\nshell/lvconvert-raid-reshape.sh start to hang:\n\n[root@fedora ~]# cat /proc/979/stack\n[<0>] wait_woken+0x7d/0x90\n[<0>] raid5_make_request+0x929/0x1d70 [raid456]\n[<0>] md_handle_request+0xc2/0x3b0 [md_mod]\n[<0>] raid_map+0x2c/0x50 [dm_raid]\n[<0>] __map_bio+0x251/0x380 [dm_mod]\n[<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]\n[<0>] __submit_bio+0xc2/0x1c0\n[<0>] submit_bio_noacct_nocheck+0x17f/0x450\n[<0>] submit_bio_noacct+0x2bc/0x780\n[<0>] submit_bio+0x70/0xc0\n[<0>] mpage_readahead+0x169/0x1f0\n[<0>] blkdev_readahead+0x18/0x30\n[<0>] read_pages+0x7c/0x3b0\n[<0>] page_cache_ra_unbounded+0x1ab/0x280\n[<0>] force_page_cache_ra+0x9e/0x130\n[<0>] page_cache_sync_ra+0x3b/0x110\n[<0>] filemap_get_pages+0x143/0xa30\n[<0>] filemap_read+0xdc/0x4b0\n[<0>] blkdev_read_iter+0x75/0x200\n[<0>] vfs_read+0x272/0x460\n[<0>] ksys_read+0x7a/0x170\n[<0>] __x64_sys_read+0x1c/0x30\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nThis is because reshape can't make progress.\n\nFor md/raid, the problem doesn't exist because register new sync_thread\ndoesn't rely on the IO to be done any more:\n\n1) If array is read-only, it can switch to read-write by ioctl/sysfs;\n2) md/raid never set MD_RECOVERY_WAIT;\n3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold\n 'reconfig_mutex', hence it can be cleared and reshape can continue by\n sysfs api 'sync_action'.\n\nHowever, I'm not sure yet how to avoid the problem in dm-raid yet. This\npatch on the one hand make sure raid_message() can't change\nsync_thread() through raid_message() after presuspend(), on the other\nhand detect the above 3 cases before wait for IO do be done in\ndm_suspend(), and let dm-raid requeue those IO.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26962\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26962\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26962\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26962\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26962\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677\",\n \"https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1\",\n \"https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape\\n\\nFor raid456, if reshape is still in progress, then IO across reshape\\nposition will wait for reshape to make progress. However, for dm-raid,\\nin following cases reshape will never make progress hence IO will hang:\\n\\n1) the array is read-only;\\n2) MD_RECOVERY_WAIT is set;\\n3) MD_RECOVERY_FROZEN is set;\\n\\nAfter commit c467e97f079f (\\\"md/raid6: use valid sector values to determine\\nif an I/O should wait on the reshape\\\") fix the problem that IO across\\nreshape position doesn't wait for reshape, the dm-raid test\\nshell/lvconvert-raid-reshape.sh start to hang:\\n\\n[root@fedora ~]# cat /proc/979/stack\\n[<0>] wait_woken+0x7d/0x90\\n[<0>] raid5_make_request+0x929/0x1d70 [raid456]\\n[<0>] md_handle_request+0xc2/0x3b0 [md_mod]\\n[<0>] raid_map+0x2c/0x50 [dm_raid]\\n[<0>] __map_bio+0x251/0x380 [dm_mod]\\n[<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]\\n[<0>] __submit_bio+0xc2/0x1c0\\n[<0>] submit_bio_noacct_nocheck+0x17f/0x450\\n[<0>] submit_bio_noacct+0x2bc/0x780\\n[<0>] submit_bio+0x70/0xc0\\n[<0>] mpage_readahead+0x169/0x1f0\\n[<0>] blkdev_readahead+0x18/0x30\\n[<0>] read_pages+0x7c/0x3b0\\n[<0>] page_cache_ra_unbounded+0x1ab/0x280\\n[<0>] force_page_cache_ra+0x9e/0x130\\n[<0>] page_cache_sync_ra+0x3b/0x110\\n[<0>] filemap_get_pages+0x143/0xa30\\n[<0>] filemap_read+0xdc/0x4b0\\n[<0>] blkdev_read_iter+0x75/0x200\\n[<0>] vfs_read+0x272/0x460\\n[<0>] ksys_read+0x7a/0x170\\n[<0>] __x64_sys_read+0x1c/0x30\\n[<0>] do_syscall_64+0xc6/0x230\\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\\n\\nThis is because reshape can't make progress.\\n\\nFor md/raid, the problem doesn't exist because register new sync_thread\\ndoesn't rely on the IO to be done any more:\\n\\n1) If array is read-only, it can switch to read-write by ioctl/sysfs;\\n2) md/raid never set MD_RECOVERY_WAIT;\\n3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold\\n 'reconfig_mutex', hence it can be cleared and reshape can continue by\\n sysfs api 'sync_action'.\\n\\nHowever, I'm not sure yet how to avoid the problem in dm-raid yet. This\\npatch on the one hand make sure raid_message() can't change\\nsync_thread() through raid_message() after presuspend(), on the other\\nhand detect the above 3 cases before wait for IO do be done in\\ndm_suspend(), and let dm-raid requeue those IO.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26962\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26964", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26964" + }, + { + "url": "https://git.kernel.org/stable/c/4a49d24fdec0a802aa686a567a3989a9fdf4e5dd" + }, + { + "url": "https://git.kernel.org/stable/c/620b6cf2f1a270f48d38e6b8ce199c1acb3e90f4" + }, + { + "url": "https://git.kernel.org/stable/c/7b6cc33593d7ccfc3011b290849cfa899db46757" + }, + { + "url": "https://git.kernel.org/stable/c/962300a360d24c5be5a188cda48da58a37e4304d" + }, + { + "url": "https://git.kernel.org/stable/c/b2c898469dfc388f619c6c972a28466cbb1442ea" + }, + { + "url": "https://git.kernel.org/stable/c/be95cc6d71dfd0cba66e3621c65413321b398052" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26964 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26964", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Add error handling in xhci_map_urb_for_dma\n\nCurrently xhci_map_urb_for_dma() creates a temporary buffer and copies\nthe SG list to the new linear buffer. But if the kzalloc_node() fails,\nthen the following sg_pcopy_to_buffer() can lead to crash since it\ntries to memcpy to NULL pointer.\n\nSo return -ENOMEM if kzalloc returns null pointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26964\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26964\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26964\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26964\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26964\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4a49d24fdec0a802aa686a567a3989a9fdf4e5dd\",\n \"https://git.kernel.org/stable/c/620b6cf2f1a270f48d38e6b8ce199c1acb3e90f4\",\n \"https://git.kernel.org/stable/c/7b6cc33593d7ccfc3011b290849cfa899db46757\",\n \"https://git.kernel.org/stable/c/962300a360d24c5be5a188cda48da58a37e4304d\",\n \"https://git.kernel.org/stable/c/b2c898469dfc388f619c6c972a28466cbb1442ea\",\n \"https://git.kernel.org/stable/c/be95cc6d71dfd0cba66e3621c65413321b398052\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: xhci: Add error handling in xhci_map_urb_for_dma\\n\\nCurrently xhci_map_urb_for_dma() creates a temporary buffer and copies\\nthe SG list to the new linear buffer. But if the kzalloc_node() fails,\\nthen the following sg_pcopy_to_buffer() can lead to crash since it\\ntries to memcpy to NULL pointer.\\n\\nSo return -ENOMEM if kzalloc returns null pointer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26964\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26965", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26965" + }, + { + "url": "https://git.kernel.org/stable/c/3ff4a0f6a8f0ad4b4ee9e908bdfc3cacb7be4060" + }, + { + "url": "https://git.kernel.org/stable/c/537040c257ab4cd0673fbae048f3940c8ea2e589" + }, + { + "url": "https://git.kernel.org/stable/c/7e9926fef71e514b4a8ea9d11d5a84d52b181362" + }, + { + "url": "https://git.kernel.org/stable/c/86bf75d9158f511db7530bc82a84b19a5134d089" + }, + { + "url": "https://git.kernel.org/stable/c/8f562f3b25177c2055b20fd8cf000496f6fa9194" + }, + { + "url": "https://git.kernel.org/stable/c/99740c4791dc8019b0d758c5389ca6d1c0604d95" + }, + { + "url": "https://git.kernel.org/stable/c/ae99e199037c580b7350bfa3596f447a53bcf01f" + }, + { + "url": "https://git.kernel.org/stable/c/ca2cf98d46748373e830a13d85d215d64a2d9bf2" + }, + { + "url": "https://git.kernel.org/stable/c/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26965 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26965", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26965\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26965\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26965\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26965\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26965\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3ff4a0f6a8f0ad4b4ee9e908bdfc3cacb7be4060\",\n \"https://git.kernel.org/stable/c/537040c257ab4cd0673fbae048f3940c8ea2e589\",\n \"https://git.kernel.org/stable/c/7e9926fef71e514b4a8ea9d11d5a84d52b181362\",\n \"https://git.kernel.org/stable/c/86bf75d9158f511db7530bc82a84b19a5134d089\",\n \"https://git.kernel.org/stable/c/8f562f3b25177c2055b20fd8cf000496f6fa9194\",\n \"https://git.kernel.org/stable/c/99740c4791dc8019b0d758c5389ca6d1c0604d95\",\n \"https://git.kernel.org/stable/c/ae99e199037c580b7350bfa3596f447a53bcf01f\",\n \"https://git.kernel.org/stable/c/ca2cf98d46748373e830a13d85d215d64a2d9bf2\",\n \"https://git.kernel.org/stable/c/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\\n\\nThe frequency table arrays are supposed to be terminated with an\\nempty element. Add such entry to the end of the arrays where it\\nis missing in order to avoid possible out-of-bound access when\\nthe table is traversed by functions like qcom_find_freq() or\\nqcom_find_freq_floor().\\n\\nOnly compile tested.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26965\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26966", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26966" + }, + { + "url": "https://git.kernel.org/stable/c/185de0b7cdeaad8b89ebd4c8a258ff2f21adba99" + }, + { + "url": "https://git.kernel.org/stable/c/3aedcf3755c74dafc187eb76acb04e3e6348b1a9" + }, + { + "url": "https://git.kernel.org/stable/c/5533686e99b04994d7c4877dc0e4282adc9444a2" + }, + { + "url": "https://git.kernel.org/stable/c/5638330150db2cc30b53eed04e481062faa3ece8" + }, + { + "url": "https://git.kernel.org/stable/c/7e5432401536117c316d7f3b21d46b64c1514f38" + }, + { + "url": "https://git.kernel.org/stable/c/9b4c4546dd61950e80ffdca1bf6925f42b665b03" + }, + { + "url": "https://git.kernel.org/stable/c/a09aecb6cb482de88301c43bf00a6c8726c4d34f" + }, + { + "url": "https://git.kernel.org/stable/c/a903cfd38d8dee7e754fb89fd1bebed99e28003d" + }, + { + "url": "https://git.kernel.org/stable/c/b2dfb216f32627c2f6a8041f2d9d56d102ab87c0" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26966 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26966", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26966\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26966\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26966\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26966\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26966\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/185de0b7cdeaad8b89ebd4c8a258ff2f21adba99\",\n \"https://git.kernel.org/stable/c/3aedcf3755c74dafc187eb76acb04e3e6348b1a9\",\n \"https://git.kernel.org/stable/c/5533686e99b04994d7c4877dc0e4282adc9444a2\",\n \"https://git.kernel.org/stable/c/5638330150db2cc30b53eed04e481062faa3ece8\",\n \"https://git.kernel.org/stable/c/7e5432401536117c316d7f3b21d46b64c1514f38\",\n \"https://git.kernel.org/stable/c/9b4c4546dd61950e80ffdca1bf6925f42b665b03\",\n \"https://git.kernel.org/stable/c/a09aecb6cb482de88301c43bf00a6c8726c4d34f\",\n \"https://git.kernel.org/stable/c/a903cfd38d8dee7e754fb89fd1bebed99e28003d\",\n \"https://git.kernel.org/stable/c/b2dfb216f32627c2f6a8041f2d9d56d102ab87c0\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\\n\\nThe frequency table arrays are supposed to be terminated with an\\nempty element. Add such entry to the end of the arrays where it\\nis missing in order to avoid possible out-of-bound access when\\nthe table is traversed by functions like qcom_find_freq() or\\nqcom_find_freq_floor().\\n\\nOnly compile tested.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26966\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26969", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26969" + }, + { + "url": "https://git.kernel.org/stable/c/1040ef5ed95d6fd2628bad387d78a61633e09429" + }, + { + "url": "https://git.kernel.org/stable/c/83fe1bbd9e259ad109827ccfbfc2488e0dea8e94" + }, + { + "url": "https://git.kernel.org/stable/c/851cc19bdb02556fb13629b3e4fef6f2bdb038fe" + }, + { + "url": "https://git.kernel.org/stable/c/9de184d4e557d550fb0b7b833b676bda4f269e4f" + }, + { + "url": "https://git.kernel.org/stable/c/b6b31b4c67ea6bd9222e5b73b330554c57f2f90d" + }, + { + "url": "https://git.kernel.org/stable/c/be9e2752d823eca1d5af67014a1844a9176ff566" + }, + { + "url": "https://git.kernel.org/stable/c/dd92b159c506804ac57adf3742d9728298bb1255" + }, + { + "url": "https://git.kernel.org/stable/c/e117c6e2d1617520f5f7d7f6f6b395f01d8b5a27" + }, + { + "url": "https://git.kernel.org/stable/c/fc3ac2fcd0a7fad63eba1b359490a4b81720d0f9" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26969 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26969", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26969\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26969\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26969\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26969\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26969\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1040ef5ed95d6fd2628bad387d78a61633e09429\",\n \"https://git.kernel.org/stable/c/83fe1bbd9e259ad109827ccfbfc2488e0dea8e94\",\n \"https://git.kernel.org/stable/c/851cc19bdb02556fb13629b3e4fef6f2bdb038fe\",\n \"https://git.kernel.org/stable/c/9de184d4e557d550fb0b7b833b676bda4f269e4f\",\n \"https://git.kernel.org/stable/c/b6b31b4c67ea6bd9222e5b73b330554c57f2f90d\",\n \"https://git.kernel.org/stable/c/be9e2752d823eca1d5af67014a1844a9176ff566\",\n \"https://git.kernel.org/stable/c/dd92b159c506804ac57adf3742d9728298bb1255\",\n \"https://git.kernel.org/stable/c/e117c6e2d1617520f5f7d7f6f6b395f01d8b5a27\",\n \"https://git.kernel.org/stable/c/fc3ac2fcd0a7fad63eba1b359490a4b81720d0f9\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\\n\\nThe frequency table arrays are supposed to be terminated with an\\nempty element. Add such entry to the end of the arrays where it\\nis missing in order to avoid possible out-of-bound access when\\nthe table is traversed by functions like qcom_find_freq() or\\nqcom_find_freq_floor().\\n\\nOnly compile tested.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26969\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26970", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26970" + }, + { + "url": "https://git.kernel.org/stable/c/421b135aceace99789c982f6a77ce9476564fb52" + }, + { + "url": "https://git.kernel.org/stable/c/852db52b45ea96dac2720f108e7c7331cd3738bb" + }, + { + "url": "https://git.kernel.org/stable/c/ae60e3342296f766f88911d39199f77b05f657a6" + }, + { + "url": "https://git.kernel.org/stable/c/b4527ee3de365a742215773d20f07db3e2c06f3b" + }, + { + "url": "https://git.kernel.org/stable/c/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d" + }, + { + "url": "https://git.kernel.org/stable/c/db4066e3ab6b3d918ae2b92734a89c04fe82cc1d" + }, + { + "url": "https://git.kernel.org/stable/c/dcb13b5c9ae8743f99a96f392186527c3df89198" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26970 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26970", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq6018: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26970\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26970\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26970\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26970\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26970\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/421b135aceace99789c982f6a77ce9476564fb52\",\n \"https://git.kernel.org/stable/c/852db52b45ea96dac2720f108e7c7331cd3738bb\",\n \"https://git.kernel.org/stable/c/ae60e3342296f766f88911d39199f77b05f657a6\",\n \"https://git.kernel.org/stable/c/b4527ee3de365a742215773d20f07db3e2c06f3b\",\n \"https://git.kernel.org/stable/c/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d\",\n \"https://git.kernel.org/stable/c/db4066e3ab6b3d918ae2b92734a89c04fe82cc1d\",\n \"https://git.kernel.org/stable/c/dcb13b5c9ae8743f99a96f392186527c3df89198\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: qcom: gcc-ipq6018: fix terminating of frequency table arrays\\n\\nThe frequency table arrays are supposed to be terminated with an\\nempty element. Add such entry to the end of the arrays where it\\nis missing in order to avoid possible out-of-bound access when\\nthe table is traversed by functions like qcom_find_freq() or\\nqcom_find_freq_floor().\\n\\nOnly compile tested.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26970\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26972", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26972" + }, + { + "url": "https://git.kernel.org/stable/c/62b5ae00c2b835639002ce898ccb5d82c51073ae" + }, + { + "url": "https://git.kernel.org/stable/c/6379b44cdcd67f5f5d986b73953e99700591edfa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26972 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26972", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: ubifs_symlink: Fix memleak of inode->i_link in error path\n\nFor error handling path in ubifs_symlink(), inode will be marked as\nbad first, then iput() is invoked. If inode->i_link is initialized by\nfscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't\nbe freed by callchain ubifs_free_inode -> fscrypt_free_inode in error\nhandling path, because make_bad_inode() has changed 'inode->i_mode' as\n'S_IFREG'.\nFollowing kmemleak is easy to be reproduced by injecting error in\nubifs_jnl_update() when doing symlink in encryption scenario:\n unreferenced object 0xffff888103da3d98 (size 8):\n comm \"ln\", pid 1692, jiffies 4294914701 (age 12.045s)\n backtrace:\n kmemdup+0x32/0x70\n __fscrypt_encrypt_symlink+0xed/0x1c0\n ubifs_symlink+0x210/0x300 [ubifs]\n vfs_symlink+0x216/0x360\n do_symlinkat+0x11a/0x190\n do_syscall_64+0x3b/0xe0\nThere are two ways fixing it:\n 1. Remove make_bad_inode() in error handling path. We can do that\n because ubifs_evict_inode() will do same processes for good\n symlink inode and bad symlink inode, for inode->i_nlink checking\n is before is_bad_inode().\n 2. Free inode->i_link before marking inode bad.\nMethod 2 is picked, it has less influence, personally, I think.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26972\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26972\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26972\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26972\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26972\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/62b5ae00c2b835639002ce898ccb5d82c51073ae\",\n \"https://git.kernel.org/stable/c/6379b44cdcd67f5f5d986b73953e99700591edfa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nubifs: ubifs_symlink: Fix memleak of inode->i_link in error path\\n\\nFor error handling path in ubifs_symlink(), inode will be marked as\\nbad first, then iput() is invoked. If inode->i_link is initialized by\\nfscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't\\nbe freed by callchain ubifs_free_inode -> fscrypt_free_inode in error\\nhandling path, because make_bad_inode() has changed 'inode->i_mode' as\\n'S_IFREG'.\\nFollowing kmemleak is easy to be reproduced by injecting error in\\nubifs_jnl_update() when doing symlink in encryption scenario:\\n unreferenced object 0xffff888103da3d98 (size 8):\\n comm \\\"ln\\\", pid 1692, jiffies 4294914701 (age 12.045s)\\n backtrace:\\n kmemdup+0x32/0x70\\n __fscrypt_encrypt_symlink+0xed/0x1c0\\n ubifs_symlink+0x210/0x300 [ubifs]\\n vfs_symlink+0x216/0x360\\n do_symlinkat+0x11a/0x190\\n do_syscall_64+0x3b/0xe0\\nThere are two ways fixing it:\\n 1. Remove make_bad_inode() in error handling path. We can do that\\n because ubifs_evict_inode() will do same processes for good\\n symlink inode and bad symlink inode, for inode->i_nlink checking\\n is before is_bad_inode().\\n 2. Free inode->i_link before marking inode bad.\\nMethod 2 is picked, it has less influence, personally, I think.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26972\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26973", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26973" + }, + { + "url": "https://git.kernel.org/stable/c/03a7e3f2ba3ca25f1da1d3898709a08db14c1abb" + }, + { + "url": "https://git.kernel.org/stable/c/74f852654b8b7866f15323685f1e178d3386c688" + }, + { + "url": "https://git.kernel.org/stable/c/9840d1897e28f8733cc1e38f97e044f987dc0a63" + }, + { + "url": "https://git.kernel.org/stable/c/a276c595c3a629170b0f052a3724f755d7c6adc6" + }, + { + "url": "https://git.kernel.org/stable/c/b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee" + }, + { + "url": "https://git.kernel.org/stable/c/c8cc05de8e6b5612b6e9f92c385c1a064b0db375" + }, + { + "url": "https://git.kernel.org/stable/c/cdd33d54e789d229d6d5007cbf3f53965ca1a5c6" + }, + { + "url": "https://git.kernel.org/stable/c/f52d7663a10a1266a2d3871a6dd8fd111edc549f" + }, + { + "url": "https://git.kernel.org/stable/c/fde2497d2bc3a063d8af88b258dbadc86bd7b57c" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26973 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26973", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfat: fix uninitialized field in nostale filehandles\n\nWhen fat_encode_fh_nostale() encodes file handle without a parent it\nstores only first 10 bytes of the file handle. However the length of the\nfile handle must be a multiple of 4 so the file handle is actually 12\nbytes long and the last two bytes remain uninitialized. This is not\ngreat at we potentially leak uninitialized information with the handle\nto userspace. Properly initialize the full handle length.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26973\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26973\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26973\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26973\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26973\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03a7e3f2ba3ca25f1da1d3898709a08db14c1abb\",\n \"https://git.kernel.org/stable/c/74f852654b8b7866f15323685f1e178d3386c688\",\n \"https://git.kernel.org/stable/c/9840d1897e28f8733cc1e38f97e044f987dc0a63\",\n \"https://git.kernel.org/stable/c/a276c595c3a629170b0f052a3724f755d7c6adc6\",\n \"https://git.kernel.org/stable/c/b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee\",\n \"https://git.kernel.org/stable/c/c8cc05de8e6b5612b6e9f92c385c1a064b0db375\",\n \"https://git.kernel.org/stable/c/cdd33d54e789d229d6d5007cbf3f53965ca1a5c6\",\n \"https://git.kernel.org/stable/c/f52d7663a10a1266a2d3871a6dd8fd111edc549f\",\n \"https://git.kernel.org/stable/c/fde2497d2bc3a063d8af88b258dbadc86bd7b57c\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfat: fix uninitialized field in nostale filehandles\\n\\nWhen fat_encode_fh_nostale() encodes file handle without a parent it\\nstores only first 10 bytes of the file handle. However the length of the\\nfile handle must be a multiple of 4 so the file handle is actually 12\\nbytes long and the last two bytes remain uninitialized. This is not\\ngreat at we potentially leak uninitialized information with the handle\\nto userspace. Properly initialize the full handle length.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26973\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26974", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26974" + }, + { + "url": "https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be" + }, + { + "url": "https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7" + }, + { + "url": "https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f" + }, + { + "url": "https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c" + }, + { + "url": "https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc" + }, + { + "url": "https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81" + }, + { + "url": "https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828" + }, + { + "url": "https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71" + }, + { + "url": "https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26974 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26974", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - resolve race condition during AER recovery\n\nDuring the PCI AER system's error recovery process, the kernel driver\nmay encounter a race condition with freeing the reset_data structure's\nmemory. If the device restart will take more than 10 seconds the function\nscheduling that restart will exit due to a timeout, and the reset_data\nstructure will be freed. However, this data structure is used for\ncompletion notification after the restart is completed, which leads\nto a UAF bug.\n\nThis results in a KFENCE bug notice.\n\n BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\n Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\n adf_device_reset_worker+0x38/0xa0 [intel_qat]\n process_one_work+0x173/0x340\n\nTo resolve this race condition, the memory associated to the container\nof the work_struct is freed on the worker if the timeout expired,\notherwise on the function that schedules the worker.\nThe timeout detection can be done by checking if the caller is\nstill waiting for completion or not by using completion_done() function.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26974\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26974\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26974\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26974\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26974\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be\",\n \"https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7\",\n \"https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f\",\n \"https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c\",\n \"https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc\",\n \"https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81\",\n \"https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828\",\n \"https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71\",\n \"https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: qat - resolve race condition during AER recovery\\n\\nDuring the PCI AER system's error recovery process, the kernel driver\\nmay encounter a race condition with freeing the reset_data structure's\\nmemory. If the device restart will take more than 10 seconds the function\\nscheduling that restart will exit due to a timeout, and the reset_data\\nstructure will be freed. However, this data structure is used for\\ncompletion notification after the restart is completed, which leads\\nto a UAF bug.\\n\\nThis results in a KFENCE bug notice.\\n\\n BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\\n Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\\n adf_device_reset_worker+0x38/0xa0 [intel_qat]\\n process_one_work+0x173/0x340\\n\\nTo resolve this race condition, the memory associated to the container\\nof the work_struct is freed on the worker if the timeout expired,\\notherwise on the function that schedules the worker.\\nThe timeout detection can be done by checking if the caller is\\nstill waiting for completion or not by using completion_done() function.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26974\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26976", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26976" + }, + { + "url": "https://git.kernel.org/stable/c/3d75b8aa5c29058a512db29da7cbee8052724157" + }, + { + "url": "https://git.kernel.org/stable/c/4f3a3bce428fb439c66a578adc447afce7b4a750" + }, + { + "url": "https://git.kernel.org/stable/c/82e25cc1c2e93c3023da98be282322fc08b61ffb" + }, + { + "url": "https://git.kernel.org/stable/c/83d3c5e309611ef593e2fcb78444fc8ceedf9bac" + }, + { + "url": "https://git.kernel.org/stable/c/a75afe480d4349c524d9c659b1a5a544dbc39a98" + }, + { + "url": "https://git.kernel.org/stable/c/ab2c2f5d9576112ad22cfd3798071cb74693b1f5" + }, + { + "url": "https://git.kernel.org/stable/c/b54478d20375874aeee257744dedfd3e413432ff" + }, + { + "url": "https://git.kernel.org/stable/c/caa9af2e27c275e089d702cfbaaece3b42bca31b" + }, + { + "url": "https://git.kernel.org/stable/c/f8730d6335e5f43d09151fca1f0f41922209a264" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26976 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26976", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\n\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put. Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\n\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock. async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\n\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n \n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n \n __schedule+0x33f/0xa40\n schedule+0x53/0xc0\n schedule_timeout+0x12a/0x140\n __wait_for_common+0x8d/0x1d0\n __flush_work.isra.0+0x19f/0x2c0\n kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n kvm_put_kvm+0x1c1/0x320 [kvm]\n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed. And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\n\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue(). Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay. kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\n\n trace_kvm_async_pf_completed(addr, cr2_or_gpa);\n\n __kvm_vcpu_wake_up(vcpu);\n\n mmput(mm);\n\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\n\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue. Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\n\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26976\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26976\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26976\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26976\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26976\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3d75b8aa5c29058a512db29da7cbee8052724157\",\n \"https://git.kernel.org/stable/c/4f3a3bce428fb439c66a578adc447afce7b4a750\",\n \"https://git.kernel.org/stable/c/82e25cc1c2e93c3023da98be282322fc08b61ffb\",\n \"https://git.kernel.org/stable/c/83d3c5e309611ef593e2fcb78444fc8ceedf9bac\",\n \"https://git.kernel.org/stable/c/a75afe480d4349c524d9c659b1a5a544dbc39a98\",\n \"https://git.kernel.org/stable/c/ab2c2f5d9576112ad22cfd3798071cb74693b1f5\",\n \"https://git.kernel.org/stable/c/b54478d20375874aeee257744dedfd3e413432ff\",\n \"https://git.kernel.org/stable/c/caa9af2e27c275e089d702cfbaaece3b42bca31b\",\n \"https://git.kernel.org/stable/c/f8730d6335e5f43d09151fca1f0f41922209a264\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\\n\\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\\nKVM must ensure that none of its workqueue callbacks is running when the\\nlast reference to the KVM _module_ is put. Gifting a reference to the\\nassociated VM prevents the workqueue callback from dereferencing freed\\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\\nbefore the callback completes.\\n\\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\\nresult in deadlock. async_pf_execute() can't return until kvm_put_kvm()\\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\\n\\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\\n Workqueue: events async_pf_execute [kvm]\\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\\n Call Trace:\\n \\n async_pf_execute+0x198/0x260 [kvm]\\n process_one_work+0x145/0x2d0\\n worker_thread+0x27e/0x3a0\\n kthread+0xba/0xe0\\n ret_from_fork+0x2d/0x50\\n ret_from_fork_asm+0x11/0x20\\n \\n ---[ end trace 0000000000000000 ]---\\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\\n Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\\n \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000\\n Workqueue: events async_pf_execute [kvm]\\n Call Trace:\\n \\n __schedule+0x33f/0xa40\\n schedule+0x53/0xc0\\n schedule_timeout+0x12a/0x140\\n __wait_for_common+0x8d/0x1d0\\n __flush_work.isra.0+0x19f/0x2c0\\n kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\\n kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\\n kvm_put_kvm+0x1c1/0x320 [kvm]\\n async_pf_execute+0x198/0x260 [kvm]\\n process_one_work+0x145/0x2d0\\n worker_thread+0x27e/0x3a0\\n kthread+0xba/0xe0\\n ret_from_fork+0x2d/0x50\\n ret_from_fork_asm+0x11/0x20\\n \\n\\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\\nthen there's no need to gift async_pf_execute() a reference because all\\ninvocations of async_pf_execute() will be forced to complete before the\\nvCPU and its VM are destroyed/freed. And that in turn fixes the module\\nunloading bug as __fput() won't do module_put() on the last vCPU reference\\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\\nlast reference to the KVM module.\\n\\nNote that kvm_check_async_pf_completion() may also take the work item off\\nthe completion queue and so also needs to flush the work queue, as the\\nwork will not be seen by kvm_clear_async_pf_completion_queue(). Waiting\\non the workqueue could theoretically delay a vCPU due to waiting for the\\nwork to complete, but that's a very, very small chance, and likely a very\\nsmall delay. kvm_arch_async_page_present_queued() unconditionally makes a\\nnew request, i.e. will effectively delay entering the guest, so the\\nremaining work is really just:\\n\\n trace_kvm_async_pf_completed(addr, cr2_or_gpa);\\n\\n __kvm_vcpu_wake_up(vcpu);\\n\\n mmput(mm);\\n\\nand mmput() can't drop the last reference to the page tables if the vCPU is\\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\\n\\nAdd a helper to do the flushing, specifically to deal with \\\"wakeup all\\\"\\nwork items, as they aren't actually work items, i.e. are never placed in a\\nworkqueue. Trying to flush a bogus workqueue entry rightly makes\\n__flush_work() complain (kudos to whoever added that sanity check).\\n\\nNote, commit 5f6de5cbebee (\\\"KVM: Prevent module exit until al\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26976\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26977", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26977" + }, + { + "url": "https://git.kernel.org/stable/c/5e4b23e7a7b33a1e56bfa3e5598138a2234d55b6" + }, + { + "url": "https://git.kernel.org/stable/c/6d21d0356aa44157a62e39c0d1a13d4c69a8d0c8" + }, + { + "url": "https://git.kernel.org/stable/c/7626913652cc786c238e2dd7d8740b17d41b2637" + }, + { + "url": "https://git.kernel.org/stable/c/af280e137e273935f2e09f4d73169998298792ed" + }, + { + "url": "https://git.kernel.org/stable/c/b5d40f02e7222da032c2042aebcf2a07de9b342f" + }, + { + "url": "https://git.kernel.org/stable/c/f3749345a9b7295dd071d0ed589634cb46364f77" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26977 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26977", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npci_iounmap(): Fix MMIO mapping leak\n\nThe #ifdef ARCH_HAS_GENERIC_IOPORT_MAP accidentally also guards iounmap(),\nwhich means MMIO mappings are leaked.\n\nMove the guard so we call iounmap() for MMIO mappings.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26977\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26977\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26977\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26977\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26977\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5e4b23e7a7b33a1e56bfa3e5598138a2234d55b6\",\n \"https://git.kernel.org/stable/c/6d21d0356aa44157a62e39c0d1a13d4c69a8d0c8\",\n \"https://git.kernel.org/stable/c/7626913652cc786c238e2dd7d8740b17d41b2637\",\n \"https://git.kernel.org/stable/c/af280e137e273935f2e09f4d73169998298792ed\",\n \"https://git.kernel.org/stable/c/b5d40f02e7222da032c2042aebcf2a07de9b342f\",\n \"https://git.kernel.org/stable/c/f3749345a9b7295dd071d0ed589634cb46364f77\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npci_iounmap(): Fix MMIO mapping leak\\n\\nThe #ifdef ARCH_HAS_GENERIC_IOPORT_MAP accidentally also guards iounmap(),\\nwhich means MMIO mappings are leaked.\\n\\nMove the guard so we call iounmap() for MMIO mappings.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26977\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26979", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26979" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26979 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26979", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26979\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26979\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26979\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26979\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26979\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26979\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26980", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26980" + }, + { + "url": "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085" + }, + { + "url": "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1" + }, + { + "url": "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248" + }, + { + "url": "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20" + }, + { + "url": "https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26980 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26980", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\n\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. if request size is smaller than\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\ndecrypting transform request. smb3_decrypt_req() will validate transform\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26980\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26980\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26980\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26980\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26980\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085\",\n \"https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1\",\n \"https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248\",\n \"https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20\",\n \"https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\\n\\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\\nvalidation could be skipped. if request size is smaller than\\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\\ndecrypting transform request. smb3_decrypt_req() will validate transform\\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26980\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26981", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26981" + }, + { + "url": "https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243" + }, + { + "url": "https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9" + }, + { + "url": "https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1" + }, + { + "url": "https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611" + }, + { + "url": "https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f" + }, + { + "url": "https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8" + }, + { + "url": "https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0" + }, + { + "url": "https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26981 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26981", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix OOB in nilfs_set_de_type\n\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\ndefined as \"S_IFMT >> S_SHIFT\", but the nilfs_set_de_type() function,\nwhich uses this array, specifies the index to read from the array in the\nsame way as \"(mode & S_IFMT) >> S_SHIFT\".\n\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\n *inode)\n{\n\tumode_t mode = inode->i_mode;\n\n\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\n}\n\nHowever, when the index is determined this way, an out-of-bounds (OOB)\nerror occurs by referring to an index that is 1 larger than the array size\nwhen the condition \"mode & S_IFMT == S_IFMT\" is satisfied. Therefore, a\npatch to resize the nilfs_type_by_mode array should be applied to prevent\nOOB errors.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26981\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26981\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26981\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26981\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26981\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243\",\n \"https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9\",\n \"https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1\",\n \"https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611\",\n \"https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f\",\n \"https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8\",\n \"https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0\",\n \"https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix OOB in nilfs_set_de_type\\n\\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\\ndefined as \\\"S_IFMT >> S_SHIFT\\\", but the nilfs_set_de_type() function,\\nwhich uses this array, specifies the index to read from the array in the\\nsame way as \\\"(mode & S_IFMT) >> S_SHIFT\\\".\\n\\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\\n *inode)\\n{\\n\\tumode_t mode = inode->i_mode;\\n\\n\\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\\n}\\n\\nHowever, when the index is determined this way, an out-of-bounds (OOB)\\nerror occurs by referring to an index that is 1 larger than the array size\\nwhen the condition \\\"mode & S_IFMT == S_IFMT\\\" is satisfied. Therefore, a\\npatch to resize the nilfs_type_by_mode array should be applied to prevent\\nOOB errors.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26981\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26982", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26982" + }, + { + "url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5" + }, + { + "url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395" + }, + { + "url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26982 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26982", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n and fill a metadata index. It however suffers a data read error\n and aborts, invalidating the newly returned empty metadata index.\n It does this by setting the inode number of the index to zero,\n which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n read operation, locate_meta_index() returns the previous index\n because it matches the inode number of 0. Because this index\n has been returned it is expected to have been filled, and because\n it hasn't been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26982\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26982\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26982\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26982\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26982\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5\",\n \"https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395\",\n \"https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSquashfs: check the inode number is not the invalid value of zero\\n\\nSyskiller has produced an out of bounds access in fill_meta_index().\\n\\nThat out of bounds access is ultimately caused because the inode\\nhas an inode number with the invalid value of zero, which was not checked.\\n\\nThe reason this causes the out of bounds access is due to following\\nsequence of events:\\n\\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\\n and fill a metadata index. It however suffers a data read error\\n and aborts, invalidating the newly returned empty metadata index.\\n It does this by setting the inode number of the index to zero,\\n which means unused (zero is not a valid inode number).\\n\\n2. When fill_meta_index() is subsequently called again on another\\n read operation, locate_meta_index() returns the previous index\\n because it matches the inode number of 0. Because this index\\n has been returned it is expected to have been filled, and because\\n it hasn't been, an out of bounds access is performed.\\n\\nThis patch adds a sanity check which checks that the inode number\\nis not zero when the inode is created and returns -EINVAL if it is.\\n\\n[phillip@squashfs.org.uk: whitespace fix]\\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26982\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26983", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26983" + }, + { + "url": "https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918" + }, + { + "url": "https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35" + }, + { + "url": "https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0" + }, + { + "url": "https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26983 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26983", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbootconfig: use memblock_free_late to free xbc memory to buddy\n\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\nover memory to buddy allocator. So it doesn't make sense to free memory\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\nFollowing KASAN logs shows this case.\n\nThis patch fixes the xbc memory free problem by calling memblock_free()\nin early xbc init error rewind path and calling memblock_free_late() in\nxbc exit path to free memory to buddy allocator.\n\n[ 9.410890] ==================================================================\n[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\n[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\n\n[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5\n[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\n[ 9.460789] Call Trace:\n[ 9.463518] \n[ 9.465859] dump_stack_lvl+0x53/0x70\n[ 9.469949] print_report+0xce/0x610\n[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0\n[ 9.478619] ? memblock_isolate_range+0x12d/0x260\n[ 9.483877] kasan_report+0xc6/0x100\n[ 9.487870] ? memblock_isolate_range+0x12d/0x260\n[ 9.493125] memblock_isolate_range+0x12d/0x260\n[ 9.498187] memblock_phys_free+0xb4/0x160\n[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10\n[ 9.508021] ? mutex_unlock+0x7e/0xd0\n[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10\n[ 9.516786] ? kernel_init_freeable+0x2d4/0x430\n[ 9.521850] ? __pfx_kernel_init+0x10/0x10\n[ 9.526426] xbc_exit+0x17/0x70\n[ 9.529935] kernel_init+0x38/0x1e0\n[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30\n[ 9.538601] ret_from_fork+0x2c/0x50\n[ 9.542596] ? __pfx_kernel_init+0x10/0x10\n[ 9.547170] ret_from_fork_asm+0x1a/0x30\n[ 9.551552] \n\n[ 9.555649] The buggy address belongs to the physical page:\n[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\n[ 9.570821] flags: 0x200000000000000(node=0|zone=2)\n[ 9.576271] page_type: 0xffffffff()\n[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\n[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\n[ 9.597476] page dumped because: kasan: bad access detected\n\n[ 9.605362] Memory state around the buggy address:\n[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.634930] ^\n[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.654675] ==================================================================", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26983\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26983\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26983\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26983\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26983\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918\",\n \"https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35\",\n \"https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0\",\n \"https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbootconfig: use memblock_free_late to free xbc memory to buddy\\n\\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\\nover memory to buddy allocator. So it doesn't make sense to free memory\\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\\nFollowing KASAN logs shows this case.\\n\\nThis patch fixes the xbc memory free problem by calling memblock_free()\\nin early xbc init error rewind path and calling memblock_free_late() in\\nxbc exit path to free memory to buddy allocator.\\n\\n[ 9.410890] ==================================================================\\n[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\\n[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\\n\\n[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5\\n[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\\n[ 9.460789] Call Trace:\\n[ 9.463518] \\n[ 9.465859] dump_stack_lvl+0x53/0x70\\n[ 9.469949] print_report+0xce/0x610\\n[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0\\n[ 9.478619] ? memblock_isolate_range+0x12d/0x260\\n[ 9.483877] kasan_report+0xc6/0x100\\n[ 9.487870] ? memblock_isolate_range+0x12d/0x260\\n[ 9.493125] memblock_isolate_range+0x12d/0x260\\n[ 9.498187] memblock_phys_free+0xb4/0x160\\n[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10\\n[ 9.508021] ? mutex_unlock+0x7e/0xd0\\n[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10\\n[ 9.516786] ? kernel_init_freeable+0x2d4/0x430\\n[ 9.521850] ? __pfx_kernel_init+0x10/0x10\\n[ 9.526426] xbc_exit+0x17/0x70\\n[ 9.529935] kernel_init+0x38/0x1e0\\n[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30\\n[ 9.538601] ret_from_fork+0x2c/0x50\\n[ 9.542596] ? __pfx_kernel_init+0x10/0x10\\n[ 9.547170] ret_from_fork_asm+0x1a/0x30\\n[ 9.551552] \\n\\n[ 9.555649] The buggy address belongs to the physical page:\\n[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\\n[ 9.570821] flags: 0x200000000000000(node=0|zone=2)\\n[ 9.576271] page_type: 0xffffffff()\\n[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\\n[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\\n[ 9.597476] page dumped because: kasan: bad access detected\\n\\n[ 9.605362] Memory state around the buggy address:\\n[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[ 9.634930] ^\\n[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[ 9.654675] ==================================================================\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26983\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26984", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26984" + }, + { + "url": "https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716" + }, + { + "url": "https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7" + }, + { + "url": "https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52" + }, + { + "url": "https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572" + }, + { + "url": "https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525" + }, + { + "url": "https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039" + }, + { + "url": "https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9" + }, + { + "url": "https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26984 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26984", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: fix instmem race condition around ptr stores\n\nRunning a lot of VK CTS in parallel against nouveau, once every\nfew hours you might see something like this crash.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\nFS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n...\n\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __lock_acquire+0x3ed/0x2170\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\n\nAdding any sort of useful debug usually makes it go away, so I hand\nwrote the function in a line, and debugged the asm.\n\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\nthe nv50_instobj_acquire called from nvkm_kmap.\n\nIf Thread A and Thread B both get to nv50_instobj_acquire around\nthe same time, and Thread A hits the refcount_set line, and in\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\nchance the ptrs value won't have been stored since refcount_set\nis unordered. Force a memory barrier here, I picked smp_mb, since\nwe want it on all CPUs and it's write followed by a read.\n\nv2: use paired smp_rmb/smp_wmb.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26984\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26984\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26984\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26984\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26984\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716\",\n \"https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7\",\n \"https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52\",\n \"https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572\",\n \"https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525\",\n \"https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039\",\n \"https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9\",\n \"https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnouveau: fix instmem race condition around ptr stores\\n\\nRunning a lot of VK CTS in parallel against nouveau, once every\\nfew hours you might see something like this crash.\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000008\\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\\nOops: 0000 [#1] PREEMPT SMP PTI\\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\\nFS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n\\n...\\n\\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\\n ? __lock_acquire+0x3ed/0x2170\\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\\n\\nAdding any sort of useful debug usually makes it go away, so I hand\\nwrote the function in a line, and debugged the asm.\\n\\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\\nthe nv50_instobj_acquire called from nvkm_kmap.\\n\\nIf Thread A and Thread B both get to nv50_instobj_acquire around\\nthe same time, and Thread A hits the refcount_set line, and in\\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\\nchance the ptrs value won't have been stored since refcount_set\\nis unordered. Force a memory barrier here, I picked smp_mb, since\\nwe want it on all CPUs and it's write followed by a read.\\n\\nv2: use paired smp_rmb/smp_wmb.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26984\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26988", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26988" + }, + { + "url": "https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4" + }, + { + "url": "https://git.kernel.org/stable/c/2ef607ea103616aec0289f1b65d103d499fa903a" + }, + { + "url": "https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9" + }, + { + "url": "https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea" + }, + { + "url": "https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8" + }, + { + "url": "https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26988 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26988", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ninit/main.c: Fix potential static_command_line memory overflow\n\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\nstatic_command_line, but the strings copied into static_command_line are\nextra_command_line and command_line, rather than extra_command_line and\nboot_command_line.\n\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\nwill overflow.\n\nThis patch just recovers strlen(command_line) which was miss-consolidated\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\"init/main: add\nchecks for the return value of memblock_alloc*()\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26988\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26988\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26988\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26988\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26988\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4\",\n \"https://git.kernel.org/stable/c/2ef607ea103616aec0289f1b65d103d499fa903a\",\n \"https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9\",\n \"https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea\",\n \"https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8\",\n \"https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninit/main.c: Fix potential static_command_line memory overflow\\n\\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\\nstatic_command_line, but the strings copied into static_command_line are\\nextra_command_line and command_line, rather than extra_command_line and\\nboot_command_line.\\n\\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\\nwill overflow.\\n\\nThis patch just recovers strlen(command_line) which was miss-consolidated\\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\\\"init/main: add\\nchecks for the return value of memblock_alloc*()\\\")\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26988\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26989", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26989" + }, + { + "url": "https://git.kernel.org/stable/c/022b19ebc31cce369c407617041a3db810db23b3" + }, + { + "url": "https://git.kernel.org/stable/c/31f815cb436082e72d34ed2e8a182140a73ebdf4" + }, + { + "url": "https://git.kernel.org/stable/c/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457" + }, + { + "url": "https://git.kernel.org/stable/c/813f5213f2c612dc800054859aaa396ec8ad7069" + }, + { + "url": "https://git.kernel.org/stable/c/f7e71a7cf399f53ff9fc314ca3836dc913b05bd6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26989 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26989", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: hibernate: Fix level3 translation fault in swsusp_save()\n\nOn arm64 machines, swsusp_save() faults if it attempts to access\nMEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI\nwhen booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:\n\n Unable to handle kernel paging request at virtual address ffffff8000000000\n Mem abort info:\n ESR = 0x0000000096000007\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x07: level 3 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000\n [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000\n Internal error: Oops: 0000000096000007 [#1] SMP\n Internal error: Oops: 0000000096000007 [#1] SMP\n Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm\n CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76\n Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0\n Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021\n pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : swsusp_save+0x280/0x538\n lr : swsusp_save+0x280/0x538\n sp : ffffffa034a3fa40\n x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000\n x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000\n x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2\n x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000\n x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666\n x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea\n x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0\n x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001\n x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e\n Call trace:\n swsusp_save+0x280/0x538\n swsusp_arch_suspend+0x148/0x190\n hibernation_snapshot+0x240/0x39c\n hibernate+0xc4/0x378\n state_store+0xf0/0x10c\n kobj_attr_store+0x14/0x24\n\nThe reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()\n-> kernel_page_present() assuming that a page is always present when\ncan_set_direct_map() is false (all of rodata_full,\ndebug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),\nirrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions\nshould not be saved during hibernation.\n\nThis problem was introduced by changes to the pfn_valid() logic in\ncommit a7d9f306ba70 (\"arm64: drop pfn_valid_within() and simplify\npfn_valid()\").\n\nSimilar to other architectures, drop the !can_set_direct_map() check in\nkernel_page_present() so that page_is_savable() skips such pages.\n\n[catalin.marinas@arm.com: rework commit message]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26989\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26989\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26989\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26989\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26989\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/022b19ebc31cce369c407617041a3db810db23b3\",\n \"https://git.kernel.org/stable/c/31f815cb436082e72d34ed2e8a182140a73ebdf4\",\n \"https://git.kernel.org/stable/c/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457\",\n \"https://git.kernel.org/stable/c/813f5213f2c612dc800054859aaa396ec8ad7069\",\n \"https://git.kernel.org/stable/c/f7e71a7cf399f53ff9fc314ca3836dc913b05bd6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: hibernate: Fix level3 translation fault in swsusp_save()\\n\\nOn arm64 machines, swsusp_save() faults if it attempts to access\\nMEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI\\nwhen booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:\\n\\n Unable to handle kernel paging request at virtual address ffffff8000000000\\n Mem abort info:\\n ESR = 0x0000000096000007\\n EC = 0x25: DABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x07: level 3 translation fault\\n Data abort info:\\n ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000\\n [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000\\n Internal error: Oops: 0000000096000007 [#1] SMP\\n Internal error: Oops: 0000000096000007 [#1] SMP\\n Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm\\n CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76\\n Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0\\n Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021\\n pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : swsusp_save+0x280/0x538\\n lr : swsusp_save+0x280/0x538\\n sp : ffffffa034a3fa40\\n x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000\\n x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000\\n x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2\\n x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000\\n x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666\\n x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea\\n x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0\\n x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001\\n x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027\\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e\\n Call trace:\\n swsusp_save+0x280/0x538\\n swsusp_arch_suspend+0x148/0x190\\n hibernation_snapshot+0x240/0x39c\\n hibernate+0xc4/0x378\\n state_store+0xf0/0x10c\\n kobj_attr_store+0x14/0x24\\n\\nThe reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()\\n-> kernel_page_present() assuming that a page is always present when\\ncan_set_direct_map() is false (all of rodata_full,\\ndebug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),\\nirrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions\\nshould not be saved during hibernation.\\n\\nThis problem was introduced by changes to the pfn_valid() logic in\\ncommit a7d9f306ba70 (\\\"arm64: drop pfn_valid_within() and simplify\\npfn_valid()\\\").\\n\\nSimilar to other architectures, drop the !can_set_direct_map() check in\\nkernel_page_present() so that page_is_savable() skips such pages.\\n\\n[catalin.marinas@arm.com: rework commit message]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26989\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26993", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26993" + }, + { + "url": "https://git.kernel.org/stable/c/43f00210cb257bcb0387e8caeb4b46375d67f30c" + }, + { + "url": "https://git.kernel.org/stable/c/57baab0f376bec8f54b0fe6beb8f77a57c228063" + }, + { + "url": "https://git.kernel.org/stable/c/5d43e072285e81b0b63cee7189b3357c7768a43b" + }, + { + "url": "https://git.kernel.org/stable/c/84bd4c2ae9c3d0a7d3a5c032ea7efff17af17e17" + }, + { + "url": "https://git.kernel.org/stable/c/a4c99b57d43bab45225ba92d574a8683f9edc8e4" + }, + { + "url": "https://git.kernel.org/stable/c/a90bca2228c0646fc29a72689d308e5fe03e6d78" + }, + { + "url": "https://git.kernel.org/stable/c/ac107356aabc362aaeb77463e814fc067a5d3957" + }, + { + "url": "https://git.kernel.org/stable/c/f28bba37fe244889b81bb5c508d3f6e5c6e342c5" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26993 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26993", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\n\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path. If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called). As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\n\nFix the leak by adding an explicit kobject_put() call when kn is NULL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26993\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26993\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26993\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26993\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26993\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/43f00210cb257bcb0387e8caeb4b46375d67f30c\",\n \"https://git.kernel.org/stable/c/57baab0f376bec8f54b0fe6beb8f77a57c228063\",\n \"https://git.kernel.org/stable/c/5d43e072285e81b0b63cee7189b3357c7768a43b\",\n \"https://git.kernel.org/stable/c/84bd4c2ae9c3d0a7d3a5c032ea7efff17af17e17\",\n \"https://git.kernel.org/stable/c/a4c99b57d43bab45225ba92d574a8683f9edc8e4\",\n \"https://git.kernel.org/stable/c/a90bca2228c0646fc29a72689d308e5fe03e6d78\",\n \"https://git.kernel.org/stable/c/ac107356aabc362aaeb77463e814fc067a5d3957\",\n \"https://git.kernel.org/stable/c/f28bba37fe244889b81bb5c508d3f6e5c6e342c5\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\\n\\nThe sysfs_break_active_protection() routine has an obvious reference\\nleak in its error path. If the call to kernfs_find_and_get() fails then\\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\\nroutine won't get called (and would only cause an access violation by\\ntrying to dereference kn->parent if it was called). As a result, the\\nreference to kobj acquired at the start of the function will never be\\nreleased.\\n\\nFix the leak by adding an explicit kobject_put() call when kn is NULL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26993\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26994", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26994" + }, + { + "url": "https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8" + }, + { + "url": "https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76" + }, + { + "url": "https://git.kernel.org/stable/c/6401038acfa24cba9c28cce410b7505efadd0222" + }, + { + "url": "https://git.kernel.org/stable/c/756c5cb7c09e537b87b5d3acafcb101b2ccf394f" + }, + { + "url": "https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595" + }, + { + "url": "https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f" + }, + { + "url": "https://git.kernel.org/stable/c/8f6b62125befe1675446923e4171eac2c012959c" + }, + { + "url": "https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26994 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26994", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Avoid crash on very long word\n\nIn case a console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26994\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26994\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26994\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26994\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26994\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8\",\n \"https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76\",\n \"https://git.kernel.org/stable/c/6401038acfa24cba9c28cce410b7505efadd0222\",\n \"https://git.kernel.org/stable/c/756c5cb7c09e537b87b5d3acafcb101b2ccf394f\",\n \"https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595\",\n \"https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f\",\n \"https://git.kernel.org/stable/c/8f6b62125befe1675446923e4171eac2c012959c\",\n \"https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspeakup: Avoid crash on very long word\\n\\nIn case a console is set up really large and contains a really long word\\n(> 256 characters), we have to stop before the length of the word buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26994\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26996", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26996" + }, + { + "url": "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93" + }, + { + "url": "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e" + }, + { + "url": "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7" + }, + { + "url": "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca" + }, + { + "url": "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26996 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26996", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n usb0: eth_stop dev->port_usb=ffffff9b179c3200\n --> error happens in usb_ep_enable().\n NCM: ncm_disable: ncm=ffffff9b179c3200\n --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm\n\n[function link via configfs]\n NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm\n usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n eth_start_xmit()\n --> dev->wrap()\n Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\nbut the gether connection might be established.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26996\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26996\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26996\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26996\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26996\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93\",\n \"https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e\",\n \"https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7\",\n \"https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca\",\n \"https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\\n\\nWhen ncm function is working and then stop usb0 interface for link down,\\neth_stop() is called. At this piont, accidentally if usb transport error\\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\\n\\nAfter that, ncm_disable() is called to disable for ncm unbind\\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\\n\\nAs the result, ncm object is released in ncm unbind\\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\\n\\nAnd when ncm bind again to recover netdev, ncm object is reallocated\\nbut usb0 interface is already associated to previous released ncm object.\\n\\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\\n\\n[function unlink via configfs]\\n usb0: eth_stop dev->port_usb=ffffff9b179c3200\\n --> error happens in usb_ep_enable().\\n NCM: ncm_disable: ncm=ffffff9b179c3200\\n --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\\n NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\\n NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm\\n\\n[function link via configfs]\\n NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\\n NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\\n NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\\n usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm\\n usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\\n eth_start_xmit()\\n --> dev->wrap()\\n Unable to handle kernel paging request at virtual address dead00000000014f\\n\\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\\nbut the gether connection might be established.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26996\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26999", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26999" + }, + { + "url": "https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907" + }, + { + "url": "https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7" + }, + { + "url": "https://git.kernel.org/stable/c/69a02273e288011b521ee7c1f3ab2c23fda633ce" + }, + { + "url": "https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef" + }, + { + "url": "https://git.kernel.org/stable/c/ab86cf6f8d24e63e9aca23da5108af1aa5483928" + }, + { + "url": "https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f" + }, + { + "url": "https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729" + }, + { + "url": "https://git.kernel.org/stable/c/d679c816929d62af51c8e6d7fc0e165c9412d2f3" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26999 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26999", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\n\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\n\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\n\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\n\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\n\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26999\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26999\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26999\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26999\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26999\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907\",\n \"https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7\",\n \"https://git.kernel.org/stable/c/69a02273e288011b521ee7c1f3ab2c23fda633ce\",\n \"https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef\",\n \"https://git.kernel.org/stable/c/ab86cf6f8d24e63e9aca23da5108af1aa5483928\",\n \"https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f\",\n \"https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729\",\n \"https://git.kernel.org/stable/c/d679c816929d62af51c8e6d7fc0e165c9412d2f3\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\\n\\nThe mitigation was intended to stop the irq completely. That may be\\nbetter than a hard lock-up but it turns out that you get a crash anyway\\nif you're using pmac_zilog as a serial console:\\n\\nttyPZ0: pmz: rx irq flood !\\nBUG: spinlock recursion on CPU#0, swapper/0\\n\\nThat's because the pr_err() call in pmz_receive_chars() results in\\npmz_console_write() attempting to lock a spinlock already locked in\\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\\nBUG splat. The spinlock in question is the one in struct uart_port.\\n\\nEven when it's not fatal, the serial port rx function ceases to work.\\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\\nseen in the bug report linked below.\\n\\nA web search for other reports of the error message \\\"pmz: rx irq flood\\\"\\ndidn't produce anything. So I don't think this code is needed any more.\\nRemove it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26999\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27000", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27000" + }, + { + "url": "https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37" + }, + { + "url": "https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a" + }, + { + "url": "https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270" + }, + { + "url": "https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495" + }, + { + "url": "https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026" + }, + { + "url": "https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad" + }, + { + "url": "https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37" + }, + { + "url": "https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27000 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27000", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mxs-auart: add spinlock around changing cts state\n\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\n\n [ 85.119255] ------------[ cut here ]------------\n [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n [ 85.151396] Hardware name: Freescale MXS (Device Tree)\n [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n (...)\n [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n (...)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27000\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27000\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27000\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27000\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27000\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37\",\n \"https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a\",\n \"https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270\",\n \"https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495\",\n \"https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026\",\n \"https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad\",\n \"https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37\",\n \"https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: mxs-auart: add spinlock around changing cts state\\n\\nThe uart_handle_cts_change() function in serial_core expects the caller\\nto hold uport->lock. For example, I have seen the below kernel splat,\\nwhen the Bluetooth driver is loaded on an i.MX28 board.\\n\\n [ 85.119255] ------------[ cut here ]------------\\n [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\\n [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\\n [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\\n [ 85.151396] Hardware name: Freescale MXS (Device Tree)\\n [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]\\n (...)\\n [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\\n [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\\n (...)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27000\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27001", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27001" + }, + { + "url": "https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9" + }, + { + "url": "https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696" + }, + { + "url": "https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2" + }, + { + "url": "https://git.kernel.org/stable/c/a3b8ae7e9297dd453f2977b011c5bc75eb20e71b" + }, + { + "url": "https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b" + }, + { + "url": "https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f" + }, + { + "url": "https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8" + }, + { + "url": "https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27001 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27001", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix incomplete endpoint checking\n\nWhile vmk80xx does have endpoint checking implemented, some things\ncan fall through the cracks. Depending on the hardware model,\nURBs can have either bulk or interrupt type, and current version\nof vmk80xx_find_usb_endpoints() function does not take that fully\ninto account. While this warning does not seem to be too harmful,\nat the very least it will crash systems with 'panic_on_warn' set on\nthem.\n\nFix the issue found by Syzkaller [1] by somewhat simplifying the\nendpoint checking process with usb_find_common_endpoints() and\nensuring that only expected endpoint types are present.\n\nThis patch has not been tested on real hardware.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n \n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\n...\n\nSimilar issue also found by Syzkaller:", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27001\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27001\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27001\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27001\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27001\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9\",\n \"https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696\",\n \"https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2\",\n \"https://git.kernel.org/stable/c/a3b8ae7e9297dd453f2977b011c5bc75eb20e71b\",\n \"https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b\",\n \"https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f\",\n \"https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8\",\n \"https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncomedi: vmk80xx: fix incomplete endpoint checking\\n\\nWhile vmk80xx does have endpoint checking implemented, some things\\ncan fall through the cracks. Depending on the hardware model,\\nURBs can have either bulk or interrupt type, and current version\\nof vmk80xx_find_usb_endpoints() function does not take that fully\\ninto account. While this warning does not seem to be too harmful,\\nat the very least it will crash systems with 'panic_on_warn' set on\\nthem.\\n\\nFix the issue found by Syzkaller [1] by somewhat simplifying the\\nendpoint checking process with usb_find_common_endpoints() and\\nensuring that only expected endpoint types are present.\\n\\nThis patch has not been tested on real hardware.\\n\\n[1] Syzkaller report:\\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\\n...\\nCall Trace:\\n \\n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\\n...\\n\\nSimilar issue also found by Syzkaller:\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27001\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27002", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27002" + }, + { + "url": "https://git.kernel.org/stable/c/165d226472575b213dd90dfda19d1605dd7c19a8" + }, + { + "url": "https://git.kernel.org/stable/c/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3" + }, + { + "url": "https://git.kernel.org/stable/c/b62ed25feb342eab052822eff0c554873799a4f5" + }, + { + "url": "https://git.kernel.org/stable/c/c0dcd5c072e2a3fff886f673e6a5d9bf8090c4cc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27002 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27002", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: Do a runtime PM get on controllers during probe\n\nmt8183-mfgcfg has a mutual dependency with genpd during the probing\nstage, which leads to a deadlock in the following call stack:\n\nCPU0: genpd_lock --> clk_prepare_lock\ngenpd_power_off_work_fn()\n genpd_lock()\n generic_pm_domain::power_off()\n clk_unprepare()\n clk_prepare_lock()\n\nCPU1: clk_prepare_lock --> genpd_lock\nclk_register()\n __clk_core_init()\n clk_prepare_lock()\n clk_pm_runtime_get()\n genpd_lock()\n\nDo a runtime PM get at the probe function to make sure clk_register()\nwon't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg,\ndo this on all mediatek clock controller probings because we don't\nbelieve this would cause any regression.\n\nVerified on MT8183 and MT8192 Chromebooks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27002\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27002\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27002\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27002\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27002\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/165d226472575b213dd90dfda19d1605dd7c19a8\",\n \"https://git.kernel.org/stable/c/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3\",\n \"https://git.kernel.org/stable/c/b62ed25feb342eab052822eff0c554873799a4f5\",\n \"https://git.kernel.org/stable/c/c0dcd5c072e2a3fff886f673e6a5d9bf8090c4cc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: Do a runtime PM get on controllers during probe\\n\\nmt8183-mfgcfg has a mutual dependency with genpd during the probing\\nstage, which leads to a deadlock in the following call stack:\\n\\nCPU0: genpd_lock --> clk_prepare_lock\\ngenpd_power_off_work_fn()\\n genpd_lock()\\n generic_pm_domain::power_off()\\n clk_unprepare()\\n clk_prepare_lock()\\n\\nCPU1: clk_prepare_lock --> genpd_lock\\nclk_register()\\n __clk_core_init()\\n clk_prepare_lock()\\n clk_pm_runtime_get()\\n genpd_lock()\\n\\nDo a runtime PM get at the probe function to make sure clk_register()\\nwon't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg,\\ndo this on all mediatek clock controller probings because we don't\\nbelieve this would cause any regression.\\n\\nVerified on MT8183 and MT8192 Chromebooks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27002\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27004", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27004" + }, + { + "url": "https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c" + }, + { + "url": "https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba" + }, + { + "url": "https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123" + }, + { + "url": "https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5" + }, + { + "url": "https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034" + }, + { + "url": "https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc" + }, + { + "url": "https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27004 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27004", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree during disable_unused\n\nDoug reported [1] the following hung task:\n\n INFO: task swapper/0:1 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n rpm_resume+0xe0/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n clk_pm_runtime_get+0x30/0xb0\n clk_disable_unused_subtree+0x58/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused+0x4c/0xe4\n do_one_initcall+0xcc/0x2d8\n do_initcall_level+0xa4/0x148\n do_initcalls+0x5c/0x9c\n do_basic_setup+0x24/0x30\n kernel_init_freeable+0xec/0x164\n kernel_init+0x28/0x120\n ret_from_fork+0x10/0x20\n INFO: task kworker/u16:0:9 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n schedule_preempt_disabled+0x2c/0x48\n __mutex_lock+0x238/0x488\n __mutex_lock_slowpath+0x1c/0x28\n mutex_lock+0x50/0x74\n clk_prepare_lock+0x7c/0x9c\n clk_core_prepare_lock+0x20/0x44\n clk_prepare+0x24/0x30\n clk_bulk_prepare+0x40/0xb0\n mdss_runtime_resume+0x54/0x1c8\n pm_generic_runtime_resume+0x30/0x44\n __genpd_runtime_resume+0x68/0x7c\n genpd_runtime_resume+0x108/0x1f4\n __rpm_callback+0x84/0x144\n rpm_callback+0x30/0x88\n rpm_resume+0x1f4/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n __device_attach+0xe0/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n device_add+0x644/0x814\n mipi_dsi_device_register_full+0xe4/0x170\n devm_mipi_dsi_device_register_full+0x28/0x70\n ti_sn_bridge_probe+0x1dc/0x2c0\n auxiliary_bus_probe+0x4c/0x94\n really_probe+0xcc/0x2c8\n __driver_probe_device+0xa8/0x130\n driver_probe_device+0x48/0x110\n __device_attach_driver+0xa4/0xcc\n bus_for_each_drv+0x8c/0xd8\n __device_attach+0xf8/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n deferred_probe_work_func+0x9c/0xd8\n process_one_work+0x148/0x518\n worker_thread+0x138/0x350\n kthread+0x138/0x1e0\n ret_from_fork+0x10/0x20\n\nThe first thread is walking the clk tree and calling\nclk_pm_runtime_get() to power on devices required to read the clk\nhardware via struct clk_ops::is_enabled(). This thread holds the clk\nprepare_lock, and is trying to runtime PM resume a device, when it finds\nthat the device is in the process of resuming so the thread schedule()s\naway waiting for the device to finish resuming before continuing. The\nsecond thread is runtime PM resuming the same device, but the runtime\nresume callback is calling clk_prepare(), trying to grab the\nprepare_lock waiting on the first thread.\n\nThis is a classic ABBA deadlock. To properly fix the deadlock, we must\nnever runtime PM resume or suspend a device with the clk prepare_lock\nheld. Actually doing that is near impossible today because the global\nprepare_lock would have to be dropped in the middle of the tree, the\ndevice runtime PM resumed/suspended, and then the prepare_lock grabbed\nagain to ensure consistency of the clk tree topology. If anything\nchanges with the clk tree in the meantime, we've lost and will need to\nstart the operation all over again.\n\nLuckily, most of the time we're simply incrementing or decrementing the\nruntime PM count on an active device, so we don't have the chance to\nschedule away with the prepare_lock held. Let's fix this immediate\nproblem that can be\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27004\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27004\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27004\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27004\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27004\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c\",\n \"https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba\",\n \"https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123\",\n \"https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5\",\n \"https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034\",\n \"https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc\",\n \"https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: Get runtime PM before walking tree during disable_unused\\n\\nDoug reported [1] the following hung task:\\n\\n INFO: task swapper/0:1 blocked for more than 122 seconds.\\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\\n \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008\\n Call trace:\\n __switch_to+0xf4/0x1f4\\n __schedule+0x418/0xb80\\n schedule+0x5c/0x10c\\n rpm_resume+0xe0/0x52c\\n rpm_resume+0x178/0x52c\\n __pm_runtime_resume+0x58/0x98\\n clk_pm_runtime_get+0x30/0xb0\\n clk_disable_unused_subtree+0x58/0x208\\n clk_disable_unused_subtree+0x38/0x208\\n clk_disable_unused_subtree+0x38/0x208\\n clk_disable_unused_subtree+0x38/0x208\\n clk_disable_unused_subtree+0x38/0x208\\n clk_disable_unused+0x4c/0xe4\\n do_one_initcall+0xcc/0x2d8\\n do_initcall_level+0xa4/0x148\\n do_initcalls+0x5c/0x9c\\n do_basic_setup+0x24/0x30\\n kernel_init_freeable+0xec/0x164\\n kernel_init+0x28/0x120\\n ret_from_fork+0x10/0x20\\n INFO: task kworker/u16:0:9 blocked for more than 122 seconds.\\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\\n \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008\\n Workqueue: events_unbound deferred_probe_work_func\\n Call trace:\\n __switch_to+0xf4/0x1f4\\n __schedule+0x418/0xb80\\n schedule+0x5c/0x10c\\n schedule_preempt_disabled+0x2c/0x48\\n __mutex_lock+0x238/0x488\\n __mutex_lock_slowpath+0x1c/0x28\\n mutex_lock+0x50/0x74\\n clk_prepare_lock+0x7c/0x9c\\n clk_core_prepare_lock+0x20/0x44\\n clk_prepare+0x24/0x30\\n clk_bulk_prepare+0x40/0xb0\\n mdss_runtime_resume+0x54/0x1c8\\n pm_generic_runtime_resume+0x30/0x44\\n __genpd_runtime_resume+0x68/0x7c\\n genpd_runtime_resume+0x108/0x1f4\\n __rpm_callback+0x84/0x144\\n rpm_callback+0x30/0x88\\n rpm_resume+0x1f4/0x52c\\n rpm_resume+0x178/0x52c\\n __pm_runtime_resume+0x58/0x98\\n __device_attach+0xe0/0x170\\n device_initial_probe+0x1c/0x28\\n bus_probe_device+0x3c/0x9c\\n device_add+0x644/0x814\\n mipi_dsi_device_register_full+0xe4/0x170\\n devm_mipi_dsi_device_register_full+0x28/0x70\\n ti_sn_bridge_probe+0x1dc/0x2c0\\n auxiliary_bus_probe+0x4c/0x94\\n really_probe+0xcc/0x2c8\\n __driver_probe_device+0xa8/0x130\\n driver_probe_device+0x48/0x110\\n __device_attach_driver+0xa4/0xcc\\n bus_for_each_drv+0x8c/0xd8\\n __device_attach+0xf8/0x170\\n device_initial_probe+0x1c/0x28\\n bus_probe_device+0x3c/0x9c\\n deferred_probe_work_func+0x9c/0xd8\\n process_one_work+0x148/0x518\\n worker_thread+0x138/0x350\\n kthread+0x138/0x1e0\\n ret_from_fork+0x10/0x20\\n\\nThe first thread is walking the clk tree and calling\\nclk_pm_runtime_get() to power on devices required to read the clk\\nhardware via struct clk_ops::is_enabled(). This thread holds the clk\\nprepare_lock, and is trying to runtime PM resume a device, when it finds\\nthat the device is in the process of resuming so the thread schedule()s\\naway waiting for the device to finish resuming before continuing. The\\nsecond thread is runtime PM resuming the same device, but the runtime\\nresume callback is calling clk_prepare(), trying to grab the\\nprepare_lock waiting on the first thread.\\n\\nThis is a classic ABBA deadlock. To properly fix the deadlock, we must\\nnever runtime PM resume or suspend a device with the clk prepare_lock\\nheld. Actually doing that is near impossible today because the global\\nprepare_lock would have to be dropped in the middle of the tree, the\\ndevice runtime PM resumed/suspended, and then the prepare_lock grabbed\\nagain to ensure consistency of the clk tree topology. If anything\\nchanges with the clk tree in the meantime, we've lost and will need to\\nstart the operation all over again.\\n\\nLuckily, most of the time we're simply incrementing or decrementing the\\nruntime PM count on an active device, so we don't have the chance to\\nschedule away with the prepare_lock held. Let's fix this immediate\\nproblem that can be\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27004\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27005", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27005" + }, + { + "url": "https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6" + }, + { + "url": "https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42" + }, + { + "url": "https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27005 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27005", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: Don't access req_list while it's being manipulated\n\nThe icc_lock mutex was split into separate icc_lock and icc_bw_lock\nmutexes in [1] to avoid lockdep splats. However, this didn't adequately\nprotect access to icc_node::req_list.\n\nThe icc_set_bw() function will eventually iterate over req_list while\nonly holding icc_bw_lock, but req_list can be modified while only\nholding icc_lock. This causes races between icc_set_bw(), of_icc_get(),\nand icc_put().\n\nExample A:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n icc_put(path_b)\n mutex_lock(&icc_lock);\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_del(...\n \n\nExample B:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n path_b = of_icc_get()\n of_icc_get_by_index()\n mutex_lock(&icc_lock);\n path_find()\n path_init()\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_add_head(...\n \n\nFix this by ensuring icc_bw_lock is always held before manipulating\nicc_node::req_list. The additional places icc_bw_lock is held don't\nperform any memory allocations, so we should still be safe from the\noriginal lockdep splats that motivated the separate locks.\n\n[1] commit af42269c3523 (\"interconnect: Fix locking for runpm vs reclaim\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27005\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27005\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27005\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27005\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27005\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6\",\n \"https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42\",\n \"https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninterconnect: Don't access req_list while it's being manipulated\\n\\nThe icc_lock mutex was split into separate icc_lock and icc_bw_lock\\nmutexes in [1] to avoid lockdep splats. However, this didn't adequately\\nprotect access to icc_node::req_list.\\n\\nThe icc_set_bw() function will eventually iterate over req_list while\\nonly holding icc_bw_lock, but req_list can be modified while only\\nholding icc_lock. This causes races between icc_set_bw(), of_icc_get(),\\nand icc_put().\\n\\nExample A:\\n\\n CPU0 CPU1\\n ---- ----\\n icc_set_bw(path_a)\\n mutex_lock(&icc_bw_lock);\\n icc_put(path_b)\\n mutex_lock(&icc_lock);\\n aggregate_requests()\\n hlist_for_each_entry(r, ...\\n hlist_del(...\\n \\n\\nExample B:\\n\\n CPU0 CPU1\\n ---- ----\\n icc_set_bw(path_a)\\n mutex_lock(&icc_bw_lock);\\n path_b = of_icc_get()\\n of_icc_get_by_index()\\n mutex_lock(&icc_lock);\\n path_find()\\n path_init()\\n aggregate_requests()\\n hlist_for_each_entry(r, ...\\n hlist_add_head(...\\n \\n\\nFix this by ensuring icc_bw_lock is always held before manipulating\\nicc_node::req_list. The additional places icc_bw_lock is held don't\\nperform any memory allocations, so we should still be safe from the\\noriginal lockdep splats that motivated the separate locks.\\n\\n[1] commit af42269c3523 (\\\"interconnect: Fix locking for runpm vs reclaim\\\")\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27005\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27008", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27008" + }, + { + "url": "https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062" + }, + { + "url": "https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5" + }, + { + "url": "https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1" + }, + { + "url": "https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face" + }, + { + "url": "https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042" + }, + { + "url": "https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb" + }, + { + "url": "https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e" + }, + { + "url": "https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27008 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27008", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: nv04: Fix out of bounds access\n\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\n\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27008\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27008\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27008\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27008\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27008\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062\",\n \"https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5\",\n \"https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1\",\n \"https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face\",\n \"https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042\",\n \"https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb\",\n \"https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e\",\n \"https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm: nv04: Fix out of bounds access\\n\\nWhen Output Resource (dcb->or) value is assigned in\\nfabricate_dcb_output(), there may be out of bounds access to\\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\\nused as index there.\\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\\nnumber of bit to set, not value.\\n\\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27008\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27009", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27009" + }, + { + "url": "https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48" + }, + { + "url": "https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49" + }, + { + "url": "https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538" + }, + { + "url": "https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e" + }, + { + "url": "https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27009 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27009", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: fix race condition during online processing\n\nA race condition exists in ccw_device_set_online() that can cause the\nonline process to fail, leaving the affected device in an inconsistent\nstate. As a result, subsequent attempts to set that device online fail\nwith return code ENODEV.\n\nThe problem occurs when a path verification request arrives after\na wait for final device state completed, but before the result state\nis evaluated.\n\nFix this by ensuring that the CCW-device lock is held between\ndetermining final state and checking result state.\n\nNote that since:\n\ncommit 2297791c92d0 (\"s390/cio: dont unregister subchannel from child-drivers\")\n\npath verification requests are much more likely to occur during boot,\nresulting in an increased chance of this race condition occurring.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27009\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27009\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27009\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27009\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27009\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48\",\n \"https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49\",\n \"https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538\",\n \"https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e\",\n \"https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/cio: fix race condition during online processing\\n\\nA race condition exists in ccw_device_set_online() that can cause the\\nonline process to fail, leaving the affected device in an inconsistent\\nstate. As a result, subsequent attempts to set that device online fail\\nwith return code ENODEV.\\n\\nThe problem occurs when a path verification request arrives after\\na wait for final device state completed, but before the result state\\nis evaluated.\\n\\nFix this by ensuring that the CCW-device lock is held between\\ndetermining final state and checking result state.\\n\\nNote that since:\\n\\ncommit 2297791c92d0 (\\\"s390/cio: dont unregister subchannel from child-drivers\\\")\\n\\npath verification requests are much more likely to occur during boot,\\nresulting in an increased chance of this race condition occurring.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27009\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27010", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27010" + }, + { + "url": "https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11" + }, + { + "url": "https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27010 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27010", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix mirred deadlock on device recursion\n\nWhen the mirred action is used on a classful egress qdisc and a packet is\nmirrored or redirected to self we hit a qdisc lock deadlock.\nSee trace below.\n\n[..... other info removed for brevity....]\n[ 82.890906]\n[ 82.890906] ============================================\n[ 82.890906] WARNING: possible recursive locking detected\n[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W\n[ 82.890906] --------------------------------------------\n[ 82.890906] ping/418 is trying to acquire lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] but task is already holding lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] other info that might help us debug this:\n[ 82.890906] Possible unsafe locking scenario:\n[ 82.890906]\n[ 82.890906] CPU0\n[ 82.890906] ----\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906]\n[ 82.890906] *** DEADLOCK ***\n[ 82.890906]\n[..... other info removed for brevity....]\n\nExample setup (eth0->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nAnother example(eth0->eth1->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth1\n\ntc qdisc add dev eth1 root handle 1: htb default 30\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\nroot qdisc is entered. When the softirq enters it a second time, if the\nqdisc owner is the same CPU, the packet is dropped to break the loop.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27010\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27010\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27010\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27010\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27010\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11\",\n \"https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: Fix mirred deadlock on device recursion\\n\\nWhen the mirred action is used on a classful egress qdisc and a packet is\\nmirrored or redirected to self we hit a qdisc lock deadlock.\\nSee trace below.\\n\\n[..... other info removed for brevity....]\\n[ 82.890906]\\n[ 82.890906] ============================================\\n[ 82.890906] WARNING: possible recursive locking detected\\n[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W\\n[ 82.890906] --------------------------------------------\\n[ 82.890906] ping/418 is trying to acquire lock:\\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\\n__dev_queue_xmit+0x1778/0x3550\\n[ 82.890906]\\n[ 82.890906] but task is already holding lock:\\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\\n__dev_queue_xmit+0x1778/0x3550\\n[ 82.890906]\\n[ 82.890906] other info that might help us debug this:\\n[ 82.890906] Possible unsafe locking scenario:\\n[ 82.890906]\\n[ 82.890906] CPU0\\n[ 82.890906] ----\\n[ 82.890906] lock(&sch->q.lock);\\n[ 82.890906] lock(&sch->q.lock);\\n[ 82.890906]\\n[ 82.890906] *** DEADLOCK ***\\n[ 82.890906]\\n[..... other info removed for brevity....]\\n\\nExample setup (eth0->eth0) to recreate\\ntc qdisc add dev eth0 root handle 1: htb default 30\\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\\\\n action mirred egress redirect dev eth0\\n\\nAnother example(eth0->eth1->eth0) to recreate\\ntc qdisc add dev eth0 root handle 1: htb default 30\\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\\\\n action mirred egress redirect dev eth1\\n\\ntc qdisc add dev eth1 root handle 1: htb default 30\\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\\\\n action mirred egress redirect dev eth0\\n\\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\\nroot qdisc is entered. When the softirq enters it a second time, if the\\nqdisc owner is the same CPU, the packet is dropped to break the loop.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27010\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27011", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27011" + }, + { + "url": "https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6" + }, + { + "url": "https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27011 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27011", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memleak in map from abort path\n\nThe delete set command does not rely on the transaction object for\nelement removal, therefore, a combination of delete element + delete set\nfrom the abort path could result in restoring twice the refcount of the\nmapping.\n\nCheck for inactive element in the next generation for the delete element\ncommand in the abort path, skip restoring state if next generation bit\nhas been already cleared. This is similar to the activate logic using\nthe set walk iterator.\n\n[ 6170.286929] ------------[ cut here ]------------\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287071] Modules linked in: [...]\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\n[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\n[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\n[ 6170.287962] Call Trace:\n[ 6170.287967] \n[ 6170.287973] ? __warn+0x9f/0x1a0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.288104] ? handle_bug+0x3c/0x70\n[ 6170.288112] ? exc_invalid_op+0x17/0x40\n[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20\n[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27011\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27011\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27011\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27011\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27011\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6\",\n \"https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: fix memleak in map from abort path\\n\\nThe delete set command does not rely on the transaction object for\\nelement removal, therefore, a combination of delete element + delete set\\nfrom the abort path could result in restoring twice the refcount of the\\nmapping.\\n\\nCheck for inactive element in the next generation for the delete element\\ncommand in the abort path, skip restoring state if next generation bit\\nhas been already cleared. This is similar to the activate logic using\\nthe set walk iterator.\\n\\n[ 6170.286929] ------------[ cut here ]------------\\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\\n[ 6170.287071] Modules linked in: [...]\\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\\n[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\\n[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\\n[ 6170.287962] Call Trace:\\n[ 6170.287967] \\n[ 6170.287973] ? __warn+0x9f/0x1a0\\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\\n[ 6170.288104] ? handle_bug+0x3c/0x70\\n[ 6170.288112] ? exc_invalid_op+0x17/0x40\\n[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20\\n[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\\n[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\\n[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\\n[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27011\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27012", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27012" + }, + { + "url": "https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637" + }, + { + "url": "https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27012 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27012", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: restore set elements when delete set fails\n\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\nthe original state. Currently, it uses the set->ops->walk() to iterate\nover these set elements. The existing set iterator skips inactive\nelements in the next generation, this does not work from the abort path\nto restore the original state since it has to skip active elements\ninstead (not inactive ones).\n\nThis patch moves the check for inactive elements to the set iterator\ncallback, then it reverses the logic for the .activate case which\nneeds to skip active elements.\n\nToggle next generation bit for elements when delete set command is\ninvoked and call nft_clear() from .activate (abort) path to restore the\nnext generation bit.\n\nThe splat below shows an object in mappings memleak:\n\n[43929.457523] ------------[ cut here ]------------\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[...]\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\n[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\n[43929.458114] Call Trace:\n[43929.458118] \n[43929.458121] ? __warn+0x9f/0x1a0\n[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458188] ? report_bug+0x1b1/0x1e0\n[43929.458196] ? handle_bug+0x3c/0x70\n[43929.458200] ? exc_invalid_op+0x17/0x40\n[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\n[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]\n[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]\n[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\n[43929.458512] ? rb_insert_color+0x2e/0x280\n[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]\n[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\n[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\n[43929.458701] ? __rcu_read_unlock+0x46/0x70\n[43929.458709] nft_delset+0xff/0x110 [nf_tables]\n[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]\n[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27012\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27012\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27012\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27012\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27012\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637\",\n \"https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: restore set elements when delete set fails\\n\\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\\nthe original state. Currently, it uses the set->ops->walk() to iterate\\nover these set elements. The existing set iterator skips inactive\\nelements in the next generation, this does not work from the abort path\\nto restore the original state since it has to skip active elements\\ninstead (not inactive ones).\\n\\nThis patch moves the check for inactive elements to the set iterator\\ncallback, then it reverses the logic for the .activate case which\\nneeds to skip active elements.\\n\\nToggle next generation bit for elements when delete set command is\\ninvoked and call nft_clear() from .activate (abort) path to restore the\\nnext generation bit.\\n\\nThe splat below shows an object in mappings memleak:\\n\\n[43929.457523] ------------[ cut here ]------------\\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\\n[...]\\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\\n[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\\n[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\\n[43929.458114] Call Trace:\\n[43929.458118] \\n[43929.458121] ? __warn+0x9f/0x1a0\\n[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\\n[43929.458188] ? report_bug+0x1b1/0x1e0\\n[43929.458196] ? handle_bug+0x3c/0x70\\n[43929.458200] ? exc_invalid_op+0x17/0x40\\n[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\\n[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\\n[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]\\n[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]\\n[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\\n[43929.458512] ? rb_insert_color+0x2e/0x280\\n[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]\\n[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\\n[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\\n[43929.458701] ? __rcu_read_unlock+0x46/0x70\\n[43929.458709] nft_delset+0xff/0x110 [nf_tables]\\n[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]\\n[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27012\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27013", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27013" + }, + { + "url": "https://git.kernel.org/stable/c/14cdb43dbc827e18ac7d5b30c5b4c676219f1421" + }, + { + "url": "https://git.kernel.org/stable/c/40f4ced305c6c47487d3cd8da54676e2acc1a6ad" + }, + { + "url": "https://git.kernel.org/stable/c/4b0dcae5c4797bf31c63011ed62917210d3fdac3" + }, + { + "url": "https://git.kernel.org/stable/c/52854101180beccdb9dc2077a3bea31b6ad48dfa" + }, + { + "url": "https://git.kernel.org/stable/c/62e27ef18eb4f0d33bbae8e9ef56b99696a74713" + }, + { + "url": "https://git.kernel.org/stable/c/68459b8e3ee554ce71878af9eb69659b9462c588" + }, + { + "url": "https://git.kernel.org/stable/c/a50dbeca28acf7051dfa92786b85f704c75db6eb" + }, + { + "url": "https://git.kernel.org/stable/c/f8bbc07ac535593139c875ffa19af924b1084540" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27013 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27013", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: limit printing rate when illegal packet received by tun dev\n\nvhost_worker will call tun call backs to receive packets. If too many\nillegal packets arrives, tun_do_read will keep dumping packet contents.\nWhen console is enabled, it will costs much more cpu time to dump\npacket and soft lockup will be detected.\n\nnet_ratelimit mechanism can be used to limit the dumping rate.\n\nPID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: \"vhost-32980\"\n #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253\n #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3\n #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e\n #3 [fffffe00003fced0] do_nmi at ffffffff8922660d\n #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663\n [exception RIP: io_serial_in+20]\n RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002\n RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000\n RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0\n RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f\n R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020\n R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #5 [ffffa655314979e8] io_serial_in at ffffffff89792594\n #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470\n #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6\n #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605\n #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558\n #10 [ffffa65531497ac8] console_unlock at ffffffff89316124\n #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07\n #12 [ffffa65531497b68] printk at ffffffff89318306\n #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765\n #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]\n #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]\n #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]\n #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]\n #18 [ffffa65531497f10] kthread at ffffffff892d2e72\n #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27013\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27013\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27013\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27013\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27013\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14cdb43dbc827e18ac7d5b30c5b4c676219f1421\",\n \"https://git.kernel.org/stable/c/40f4ced305c6c47487d3cd8da54676e2acc1a6ad\",\n \"https://git.kernel.org/stable/c/4b0dcae5c4797bf31c63011ed62917210d3fdac3\",\n \"https://git.kernel.org/stable/c/52854101180beccdb9dc2077a3bea31b6ad48dfa\",\n \"https://git.kernel.org/stable/c/62e27ef18eb4f0d33bbae8e9ef56b99696a74713\",\n \"https://git.kernel.org/stable/c/68459b8e3ee554ce71878af9eb69659b9462c588\",\n \"https://git.kernel.org/stable/c/a50dbeca28acf7051dfa92786b85f704c75db6eb\",\n \"https://git.kernel.org/stable/c/f8bbc07ac535593139c875ffa19af924b1084540\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntun: limit printing rate when illegal packet received by tun dev\\n\\nvhost_worker will call tun call backs to receive packets. If too many\\nillegal packets arrives, tun_do_read will keep dumping packet contents.\\nWhen console is enabled, it will costs much more cpu time to dump\\npacket and soft lockup will be detected.\\n\\nnet_ratelimit mechanism can be used to limit the dumping rate.\\n\\nPID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: \\\"vhost-32980\\\"\\n #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253\\n #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3\\n #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e\\n #3 [fffffe00003fced0] do_nmi at ffffffff8922660d\\n #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663\\n [exception RIP: io_serial_in+20]\\n RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002\\n RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000\\n RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0\\n RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f\\n R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020\\n R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000\\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\\n #5 [ffffa655314979e8] io_serial_in at ffffffff89792594\\n #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470\\n #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6\\n #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605\\n #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558\\n #10 [ffffa65531497ac8] console_unlock at ffffffff89316124\\n #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07\\n #12 [ffffa65531497b68] printk at ffffffff89318306\\n #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765\\n #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]\\n #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]\\n #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]\\n #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]\\n #18 [ffffa65531497f10] kthread at ffffffff892d2e72\\n #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27013\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27014", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27014" + }, + { + "url": "https://git.kernel.org/stable/c/0080bf99499468030248ebd25dd645e487dcecdc" + }, + { + "url": "https://git.kernel.org/stable/c/46efa4d5930cf3c2af8c01f75e0a47e4fc045e3b" + }, + { + "url": "https://git.kernel.org/stable/c/48c4bb81df19402d4346032353d0795260255e3b" + }, + { + "url": "https://git.kernel.org/stable/c/fef965764cf562f28afb997b626fc7c3cec99693" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27014 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27014", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent deadlock while disabling aRFS\n\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\n\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\n\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\n\nKernel log:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\n\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n __mutex_lock+0x80/0xc90\n arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n process_one_work+0x1dc/0x4a0\n worker_thread+0x1bf/0x3c0\n kthread+0xd7/0x100\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n __flush_work+0x7a/0x4e0\n __cancel_work_timer+0x131/0x1c0\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1a1/0x270\n netlink_sendmsg+0x214/0x460\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x113/0x170\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n\n *** DEADLOCK ***\n\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27014\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27014\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27014\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27014\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27014\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0080bf99499468030248ebd25dd645e487dcecdc\",\n \"https://git.kernel.org/stable/c/46efa4d5930cf3c2af8c01f75e0a47e4fc045e3b\",\n \"https://git.kernel.org/stable/c/48c4bb81df19402d4346032353d0795260255e3b\",\n \"https://git.kernel.org/stable/c/fef965764cf562f28afb997b626fc7c3cec99693\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: Prevent deadlock while disabling aRFS\\n\\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\\naRFS works are canceled using the `cancel_work_sync` function,\\nwhich waits for the work to end if it has already started.\\nHowever, while waiting for the work handler, the handler will\\ntry to acquire the `state_lock` which is already acquired.\\n\\nThe worker acquires the lock to delete the rules if the state\\nis down, which is not the worker's responsibility since\\ndisabling aRFS deletes the rules.\\n\\nAdd an aRFS state variable, which indicates whether the aRFS is\\nenabled and prevent adding rules when the aRFS is disabled.\\n\\nKernel log:\\n\\n======================================================\\nWARNING: possible circular locking dependency detected\\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I\\n------------------------------------------------------\\nethtool/386089 is trying to acquire lock:\\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\\n\\nbut task is already holding lock:\\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\\n\\nwhich lock already depends on the new lock.\\n\\nthe existing dependency chain (in reverse order) is:\\n\\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\\n __mutex_lock+0x80/0xc90\\n arfs_handle_work+0x4b/0x3b0 [mlx5_core]\\n process_one_work+0x1dc/0x4a0\\n worker_thread+0x1bf/0x3c0\\n kthread+0xd7/0x100\\n ret_from_fork+0x2d/0x50\\n ret_from_fork_asm+0x11/0x20\\n\\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\\n __lock_acquire+0x17b4/0x2c80\\n lock_acquire+0xd0/0x2b0\\n __flush_work+0x7a/0x4e0\\n __cancel_work_timer+0x131/0x1c0\\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\\n ethnl_set_channels+0x28f/0x3b0\\n ethnl_default_set_doit+0xec/0x240\\n genl_family_rcv_msg_doit+0xd0/0x120\\n genl_rcv_msg+0x188/0x2c0\\n netlink_rcv_skb+0x54/0x100\\n genl_rcv+0x24/0x40\\n netlink_unicast+0x1a1/0x270\\n netlink_sendmsg+0x214/0x460\\n __sock_sendmsg+0x38/0x60\\n __sys_sendto+0x113/0x170\\n __x64_sys_sendto+0x20/0x30\\n do_syscall_64+0x40/0xe0\\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\\n\\nother info that might help us debug this:\\n\\n Possible unsafe locking scenario:\\n\\n CPU0 CPU1\\n ---- ----\\n lock(&priv->state_lock);\\n lock((work_completion)(&rule->arfs_work));\\n lock(&priv->state_lock);\\n lock((work_completion)(&rule->arfs_work));\\n\\n *** DEADLOCK ***\\n\\n3 locks held by ethtool/386089:\\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\\n\\nstack backtrace:\\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\nCall Trace:\\n \\n dump_stack_lvl+0x60/0xa0\\n check_noncircular+0x144/0x160\\n __lock_acquire+0x17b4/0x2c80\\n lock_acquire+0xd0/0x2b0\\n ? __flush_work+0x74/0x4e0\\n ? save_trace+0x3e/0x360\\n ? __flush_work+0x74/0x4e0\\n __flush_work+0x7a/0x4e0\\n ? __flush_work+0x74/0x4e0\\n ? __lock_acquire+0xa78/0x2c80\\n ? lock_acquire+0xd0/0x2b0\\n ? mark_held_locks+0x49/0x70\\n __cancel_work_timer+0x131/0x1c0\\n ? mark_held_locks+0x49/0x70\\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\\n ethnl_set_channels+0x28f/0x3b0\\n ethnl_default_set_doit+0xec/0x240\\n genl_family_rcv_msg_doit+0xd0/0x120\\n genl_rcv_msg+0x188/0x2c0\\n ? ethn\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27014\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27015", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27015" + }, + { + "url": "https://git.kernel.org/stable/c/4ed82dd368ad883dc4284292937b882f044e625d" + }, + { + "url": "https://git.kernel.org/stable/c/6db5dc7b351b9569940cd1cf445e237c42cd6d27" + }, + { + "url": "https://git.kernel.org/stable/c/e3f078103421642fcd5f05c5e70777feb10f000d" + }, + { + "url": "https://git.kernel.org/stable/c/e719b52d0c56989b0f3475a03a6d64f182c85b56" + }, + { + "url": "https://git.kernel.org/stable/c/f1c3c61701a0b12f4906152c1626a5de580ea3d2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27015 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27015", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: incorrect pppoe tuple\n\npppoe traffic reaching ingress path does not match the flowtable entry\nbecause the pppoe header is expected to be at the network header offset.\nThis bug causes a mismatch in the flow table lookup, so pppoe packets\nenter the classical forwarding path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27015\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27015\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27015\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27015\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27015\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4ed82dd368ad883dc4284292937b882f044e625d\",\n \"https://git.kernel.org/stable/c/6db5dc7b351b9569940cd1cf445e237c42cd6d27\",\n \"https://git.kernel.org/stable/c/e3f078103421642fcd5f05c5e70777feb10f000d\",\n \"https://git.kernel.org/stable/c/e719b52d0c56989b0f3475a03a6d64f182c85b56\",\n \"https://git.kernel.org/stable/c/f1c3c61701a0b12f4906152c1626a5de580ea3d2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: flowtable: incorrect pppoe tuple\\n\\npppoe traffic reaching ingress path does not match the flowtable entry\\nbecause the pppoe header is expected to be at the network header offset.\\nThis bug causes a mismatch in the flow table lookup, so pppoe packets\\nenter the classical forwarding path.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27015\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27016", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27016" + }, + { + "url": "https://git.kernel.org/stable/c/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf" + }, + { + "url": "https://git.kernel.org/stable/c/8bf7c76a2a207ca2b4cfda0a279192adf27678d7" + }, + { + "url": "https://git.kernel.org/stable/c/a2471d271042ea18e8a6babc132a8716bb2f08b9" + }, + { + "url": "https://git.kernel.org/stable/c/cf366ee3bc1b7d1c76a882640ba3b3f8f1039163" + }, + { + "url": "https://git.kernel.org/stable/c/d06977b9a4109f8738bb276125eb6a0b772bc433" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27016 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27016", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: validate pppoe header\n\nEnsure there is sufficient room to access the protocol field of the\nPPPoe header. Validate it once before the flowtable lookup, then use a\nhelper function to access protocol field.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27016\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27016\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27016\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27016\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27016\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf\",\n \"https://git.kernel.org/stable/c/8bf7c76a2a207ca2b4cfda0a279192adf27678d7\",\n \"https://git.kernel.org/stable/c/a2471d271042ea18e8a6babc132a8716bb2f08b9\",\n \"https://git.kernel.org/stable/c/cf366ee3bc1b7d1c76a882640ba3b3f8f1039163\",\n \"https://git.kernel.org/stable/c/d06977b9a4109f8738bb276125eb6a0b772bc433\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: flowtable: validate pppoe header\\n\\nEnsure there is sufficient room to access the protocol field of the\\nPPPoe header. Validate it once before the flowtable lookup, then use a\\nhelper function to access protocol field.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27016\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27017", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27017" + }, + { + "url": "https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73" + }, + { + "url": "https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27017 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27017", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\n\nThe generation mask can be updated while netlink dump is in progress.\nThe pipapo set backend walk iterator cannot rely on it to infer what\nview of the datastructure is to be used. Add notation to specify if user\nwants to read/update the set.\n\nBased on patch from Florian Westphal.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27017\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27017\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27017\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27017\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27017\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73\",\n \"https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\\n\\nThe generation mask can be updated while netlink dump is in progress.\\nThe pipapo set backend walk iterator cannot rely on it to infer what\\nview of the datastructure is to be used. Add notation to specify if user\\nwants to read/update the set.\\n\\nBased on patch from Florian Westphal.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27017\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27018", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27018" + }, + { + "url": "https://git.kernel.org/stable/c/3f59ac29dea0921637053908fe99268d157bbb9d" + }, + { + "url": "https://git.kernel.org/stable/c/43193174510ea4f3ce09b796e559a2fd9f148615" + }, + { + "url": "https://git.kernel.org/stable/c/751de2012eafa4d46d8081056761fa0e9cc8a178" + }, + { + "url": "https://git.kernel.org/stable/c/b13db0d16bc7b2a52abcf5cb71334f63faa5dbd6" + }, + { + "url": "https://git.kernel.org/stable/c/dceb683ab87ca3666a9bb5c0158528b646faedc4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27018 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27018", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: skip conntrack input hook for promisc packets\n\nFor historical reasons, when bridge device is in promisc mode, packets\nthat are directed to the taps follow bridge input hook path. This patch\nadds a workaround to reset conntrack for these packets.\n\nJianbo Liu reports warning splats in their test infrastructure where\ncloned packets reach the br_netfilter input hook to confirm the\nconntrack object.\n\nScratch one bit from BR_INPUT_SKB_CB to annotate that this packet has\nreached the input hook because it is passed up to the bridge device to\nreach the taps.\n\n[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core\n[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19\n[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1\n[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202\n[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000\n[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000\n[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003\n[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000\n[ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800\n[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000\n[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0\n[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ 57.585440] Call Trace:\n[ 57.585721] \n[ 57.585976] ? __warn+0x7d/0x130\n[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.586811] ? report_bug+0xf1/0x1c0\n[ 57.587177] ? handle_bug+0x3f/0x70\n[ 57.587539] ? exc_invalid_op+0x13/0x60\n[ 57.587929] ? asm_exc_invalid_op+0x16/0x20\n[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.588825] nf_hook_slow+0x3d/0xd0\n[ 57.589188] ? br_handle_vlan+0x4b/0x110\n[ 57.589579] br_pass_frame_up+0xfc/0x150\n[ 57.589970] ? br_port_flags_change+0x40/0x40\n[ 57.590396] br_handle_frame_finish+0x346/0x5e0\n[ 57.590837] ? ipt_do_table+0x32e/0x430\n[ 57.591221] ? br_handle_local_finish+0x20/0x20\n[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]\n[ 57.592286] ? br_handle_local_finish+0x20/0x20\n[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]\n[ 57.593348] ? br_handle_local_finish+0x20/0x20\n[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]\n[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]\n[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]\n[ 57.595280] br_handle_frame+0x1f3/0x3d0\n[ 57.595676] ? br_handle_local_finish+0x20/0x20\n[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0\n[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0\n[ 57.597017] ? __napi_build_skb+0x37/0x40\n[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27018\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27018\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27018\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27018\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27018\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f59ac29dea0921637053908fe99268d157bbb9d\",\n \"https://git.kernel.org/stable/c/43193174510ea4f3ce09b796e559a2fd9f148615\",\n \"https://git.kernel.org/stable/c/751de2012eafa4d46d8081056761fa0e9cc8a178\",\n \"https://git.kernel.org/stable/c/b13db0d16bc7b2a52abcf5cb71334f63faa5dbd6\",\n \"https://git.kernel.org/stable/c/dceb683ab87ca3666a9bb5c0158528b646faedc4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: br_netfilter: skip conntrack input hook for promisc packets\\n\\nFor historical reasons, when bridge device is in promisc mode, packets\\nthat are directed to the taps follow bridge input hook path. This patch\\nadds a workaround to reset conntrack for these packets.\\n\\nJianbo Liu reports warning splats in their test infrastructure where\\ncloned packets reach the br_netfilter input hook to confirm the\\nconntrack object.\\n\\nScratch one bit from BR_INPUT_SKB_CB to annotate that this packet has\\nreached the input hook because it is passed up to the bridge device to\\nreach the taps.\\n\\n[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]\\n[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core\\n[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19\\n[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]\\n[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1\\n[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202\\n[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000\\n[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000\\n[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003\\n[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000\\n[ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800\\n[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000\\n[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0\\n[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\\n0000000000000000\\n[ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\\n0000000000000400\\n[ 57.585440] Call Trace:\\n[ 57.585721] \\n[ 57.585976] ? __warn+0x7d/0x130\\n[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]\\n[ 57.586811] ? report_bug+0xf1/0x1c0\\n[ 57.587177] ? handle_bug+0x3f/0x70\\n[ 57.587539] ? exc_invalid_op+0x13/0x60\\n[ 57.587929] ? asm_exc_invalid_op+0x16/0x20\\n[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]\\n[ 57.588825] nf_hook_slow+0x3d/0xd0\\n[ 57.589188] ? br_handle_vlan+0x4b/0x110\\n[ 57.589579] br_pass_frame_up+0xfc/0x150\\n[ 57.589970] ? br_port_flags_change+0x40/0x40\\n[ 57.590396] br_handle_frame_finish+0x346/0x5e0\\n[ 57.590837] ? ipt_do_table+0x32e/0x430\\n[ 57.591221] ? br_handle_local_finish+0x20/0x20\\n[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]\\n[ 57.592286] ? br_handle_local_finish+0x20/0x20\\n[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]\\n[ 57.593348] ? br_handle_local_finish+0x20/0x20\\n[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]\\n[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]\\n[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]\\n[ 57.595280] br_handle_frame+0x1f3/0x3d0\\n[ 57.595676] ? br_handle_local_finish+0x20/0x20\\n[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0\\n[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0\\n[ 57.597017] ? __napi_build_skb+0x37/0x40\\n[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27018\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27019", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27019" + }, + { + "url": "https://git.kernel.org/stable/c/379bf7257bc5f2a1b1ca8514e08a871b7bf6d920" + }, + { + "url": "https://git.kernel.org/stable/c/4ca946b19caf655a08d5e2266d4d5526025ebb73" + }, + { + "url": "https://git.kernel.org/stable/c/ad333578f736d56920e090d7db1f8dec891d815e" + }, + { + "url": "https://git.kernel.org/stable/c/cade34279c2249eafe528564bd2e203e4ff15f88" + }, + { + "url": "https://git.kernel.org/stable/c/d78d867dcea69c328db30df665be5be7d0148484" + }, + { + "url": "https://git.kernel.org/stable/c/df7c0fb8c2b9f9cac65659332581b19682a71349" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27019 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27019", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\n\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27019\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27019\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27019\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27019\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27019\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/379bf7257bc5f2a1b1ca8514e08a871b7bf6d920\",\n \"https://git.kernel.org/stable/c/4ca946b19caf655a08d5e2266d4d5526025ebb73\",\n \"https://git.kernel.org/stable/c/ad333578f736d56920e090d7db1f8dec891d815e\",\n \"https://git.kernel.org/stable/c/cade34279c2249eafe528564bd2e203e4ff15f88\",\n \"https://git.kernel.org/stable/c/d78d867dcea69c328db30df665be5be7d0148484\",\n \"https://git.kernel.org/stable/c/df7c0fb8c2b9f9cac65659332581b19682a71349\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\\n\\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\\nand there is not any protection when iterate over nf_tables_objects\\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\\nof nf_tables_objects list entry.\\n\\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\\nnft_obj_type_get() to protect the entire type query process.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27019\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27020", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27020" + }, + { + "url": "https://git.kernel.org/stable/c/01f1a678b05ade4b1248019c2dcca773aebbeb7f" + }, + { + "url": "https://git.kernel.org/stable/c/0b6de00206adbbfc6373b3ae38d2a6f197987907" + }, + { + "url": "https://git.kernel.org/stable/c/8d56bad42ac4c43c6c72ddd6a654a2628bf839c5" + }, + { + "url": "https://git.kernel.org/stable/c/934e66e231cff2b18faa2c8aad0b8cec13957e05" + }, + { + "url": "https://git.kernel.org/stable/c/939109c0a8e2a006a6cc8209e262d25065f4403a" + }, + { + "url": "https://git.kernel.org/stable/c/a9ebf340d123ae12582210407f879d6a5a1bc25b" + }, + { + "url": "https://git.kernel.org/stable/c/b38a133d37fa421c8447b383d788c9cc6f5cb34c" + }, + { + "url": "https://git.kernel.org/stable/c/f969eb84ce482331a991079ab7a5c4dc3b7f89bf" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27020 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27020", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\n\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27020\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27020\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27020\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27020\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27020\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01f1a678b05ade4b1248019c2dcca773aebbeb7f\",\n \"https://git.kernel.org/stable/c/0b6de00206adbbfc6373b3ae38d2a6f197987907\",\n \"https://git.kernel.org/stable/c/8d56bad42ac4c43c6c72ddd6a654a2628bf839c5\",\n \"https://git.kernel.org/stable/c/934e66e231cff2b18faa2c8aad0b8cec13957e05\",\n \"https://git.kernel.org/stable/c/939109c0a8e2a006a6cc8209e262d25065f4403a\",\n \"https://git.kernel.org/stable/c/a9ebf340d123ae12582210407f879d6a5a1bc25b\",\n \"https://git.kernel.org/stable/c/b38a133d37fa421c8447b383d788c9cc6f5cb34c\",\n \"https://git.kernel.org/stable/c/f969eb84ce482331a991079ab7a5c4dc3b7f89bf\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\\n\\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\\nand there is not any protection when iterate over nf_tables_expressions\\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\\nof nf_tables_expressions list entry.\\n\\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\\nnft_expr_type_get() to protect the entire type query process.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27020\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27025", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27025" + }, + { + "url": "https://git.kernel.org/stable/c/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d" + }, + { + "url": "https://git.kernel.org/stable/c/44214d744be32a4769faebba764510888f1eb19e" + }, + { + "url": "https://git.kernel.org/stable/c/4af837db0fd3679fabc7b7758397090b0c06dced" + }, + { + "url": "https://git.kernel.org/stable/c/96436365e5d80d0106ea785a4f80a58e7c9edff8" + }, + { + "url": "https://git.kernel.org/stable/c/98e60b538e66c90b9a856828c71d4e975ebfa797" + }, + { + "url": "https://git.kernel.org/stable/c/b7f5aed55829f376e4f7e5ea5b80ccdcb023e983" + }, + { + "url": "https://git.kernel.org/stable/c/ba6a9970ce9e284cbc04099361c58731e308596a" + }, + { + "url": "https://git.kernel.org/stable/c/e803040b368d046434fbc8a91945c690332c4fcf" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27025 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27025", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: null check for nla_nest_start\n\nnla_nest_start() may fail and return NULL. Insert a check and set errno\nbased on other call sites within the same source code.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27025\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27025\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27025\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27025\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27025\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d\",\n \"https://git.kernel.org/stable/c/44214d744be32a4769faebba764510888f1eb19e\",\n \"https://git.kernel.org/stable/c/4af837db0fd3679fabc7b7758397090b0c06dced\",\n \"https://git.kernel.org/stable/c/96436365e5d80d0106ea785a4f80a58e7c9edff8\",\n \"https://git.kernel.org/stable/c/98e60b538e66c90b9a856828c71d4e975ebfa797\",\n \"https://git.kernel.org/stable/c/b7f5aed55829f376e4f7e5ea5b80ccdcb023e983\",\n \"https://git.kernel.org/stable/c/ba6a9970ce9e284cbc04099361c58731e308596a\",\n \"https://git.kernel.org/stable/c/e803040b368d046434fbc8a91945c690332c4fcf\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnbd: null check for nla_nest_start\\n\\nnla_nest_start() may fail and return NULL. Insert a check and set errno\\nbased on other call sites within the same source code.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27025\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27032", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27032" + }, + { + "url": "https://git.kernel.org/stable/c/21ec68234826b1b54ab980a8df6e33c74cfbee58" + }, + { + "url": "https://git.kernel.org/stable/c/8844b2f8a3f0c428b74672f9726f9950b1a7764c" + }, + { + "url": "https://git.kernel.org/stable/c/d034810d02a5af8eb74debe29877dcaf5f00fdd1" + }, + { + "url": "https://git.kernel.org/stable/c/f26091a981318b5b7451d61f99bc073a6af8db67" + }, + { + "url": "https://git.kernel.org/stable/c/fe4de493572a4263554903bf9c3afc5c196e15f0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27032 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27032", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential panic during recovery\n\nDuring recovery, if FAULT_BLOCK is on, it is possible that\nf2fs_reserve_new_block() will return -ENOSPC during recovery,\nthen it may trigger panic.\n\nAlso, if fault injection rate is 1 and only FAULT_BLOCK fault\ntype is on, it may encounter deadloop in loop of block reservation.\n\nLet's change as below to fix these issues:\n- remove bug_on() to avoid panic.\n- limit the loop count of block reservation to avoid potential\ndeadloop.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27032\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27032\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27032\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21ec68234826b1b54ab980a8df6e33c74cfbee58\",\n \"https://git.kernel.org/stable/c/8844b2f8a3f0c428b74672f9726f9950b1a7764c\",\n \"https://git.kernel.org/stable/c/d034810d02a5af8eb74debe29877dcaf5f00fdd1\",\n \"https://git.kernel.org/stable/c/f26091a981318b5b7451d61f99bc073a6af8db67\",\n \"https://git.kernel.org/stable/c/fe4de493572a4263554903bf9c3afc5c196e15f0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to avoid potential panic during recovery\\n\\nDuring recovery, if FAULT_BLOCK is on, it is possible that\\nf2fs_reserve_new_block() will return -ENOSPC during recovery,\\nthen it may trigger panic.\\n\\nAlso, if fault injection rate is 1 and only FAULT_BLOCK fault\\ntype is on, it may encounter deadloop in loop of block reservation.\\n\\nLet's change as below to fix these issues:\\n- remove bug_on() to avoid panic.\\n- limit the loop count of block reservation to avoid potential\\ndeadloop.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27032\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27035", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27035" + }, + { + "url": "https://git.kernel.org/stable/c/57e8b17d0522c8f4daf0c4d9969b4d7358033532" + }, + { + "url": "https://git.kernel.org/stable/c/82704e598d7b33c7e45526e34d3c585426319bed" + }, + { + "url": "https://git.kernel.org/stable/c/8a430dd49e9cb021372b0ad91e60aeef9c6ced00" + }, + { + "url": "https://git.kernel.org/stable/c/c3311694b9bcced233548574d414c91d39214684" + }, + { + "url": "https://git.kernel.org/stable/c/e54cce8137258a550b49cae45d09e024821fb28d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27035 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27035", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to guarantee persisting compressed blocks by CP\n\nIf data block in compressed cluster is not persisted with metadata\nduring checkpoint, after SPOR, the data may be corrupted, let's\nguarantee to write compressed page by checkpoint.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27035\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27035\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27035\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27035\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27035\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/57e8b17d0522c8f4daf0c4d9969b4d7358033532\",\n \"https://git.kernel.org/stable/c/82704e598d7b33c7e45526e34d3c585426319bed\",\n \"https://git.kernel.org/stable/c/8a430dd49e9cb021372b0ad91e60aeef9c6ced00\",\n \"https://git.kernel.org/stable/c/c3311694b9bcced233548574d414c91d39214684\",\n \"https://git.kernel.org/stable/c/e54cce8137258a550b49cae45d09e024821fb28d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: compress: fix to guarantee persisting compressed blocks by CP\\n\\nIf data block in compressed cluster is not persisted with metadata\\nduring checkpoint, after SPOR, the data may be corrupted, let's\\nguarantee to write compressed page by checkpoint.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27035\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27041", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27041" + }, + { + "url": "https://git.kernel.org/stable/c/1c62697e4086de988b31124fb8c79c244ea05f2b" + }, + { + "url": "https://git.kernel.org/stable/c/2a3cfb9a24a28da9cc13d2c525a76548865e182c" + }, + { + "url": "https://git.kernel.org/stable/c/ca2eb375db76fd50f31afdd67d6ca4f833254957" + }, + { + "url": "https://git.kernel.org/stable/c/e040f1fbe9abae91b12b074cfc3bbb5367b79811" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27041 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27041", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()\n\nSince 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL\nbefore the call to dc_enable_dmub_notifications(), check\nbeforehand to ensure there will not be a possible NULL-ptr-deref\nthere.\n\nAlso, since commit 1e88eb1b2c25 (\"drm/amd/display: Drop\nCONFIG_DRM_AMD_DC_HDCP\") there are two separate checks for NULL in\n'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy().\nClean up by combining them all under one 'if'.\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27041\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27041\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27041\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27041\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27041\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c62697e4086de988b31124fb8c79c244ea05f2b\",\n \"https://git.kernel.org/stable/c/2a3cfb9a24a28da9cc13d2c525a76548865e182c\",\n \"https://git.kernel.org/stable/c/ca2eb375db76fd50f31afdd67d6ca4f833254957\",\n \"https://git.kernel.org/stable/c/e040f1fbe9abae91b12b074cfc3bbb5367b79811\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()\\n\\nSince 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL\\nbefore the call to dc_enable_dmub_notifications(), check\\nbeforehand to ensure there will not be a possible NULL-ptr-deref\\nthere.\\n\\nAlso, since commit 1e88eb1b2c25 (\\\"drm/amd/display: Drop\\nCONFIG_DRM_AMD_DC_HDCP\\\") there are two separate checks for NULL in\\n'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy().\\nClean up by combining them all under one 'if'.\\n\\nFound by Linux Verification Center (linuxtesting.org) with static\\nanalysis tool SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27041\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27056", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27056" + }, + { + "url": "https://git.kernel.org/stable/c/78f65fbf421a61894c14a1b91fe2fb4437b3fe5f" + }, + { + "url": "https://git.kernel.org/stable/c/ed35a509390ef4011ea2226da5dd6f62b73873b5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27056 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27056", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: ensure offloading TID queue exists\n\nThe resume code path assumes that the TX queue for the offloading TID\nhas been configured. At resume time it then tries to sync the write\npointer as it may have been updated by the firmware.\n\nIn the unusual event that no packets have been send on TID 0, the queue\nwill not have been allocated and this causes a crash. Fix this by\nensuring the queue exist at suspend time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27056\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27056\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27056\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27056\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27056\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/78f65fbf421a61894c14a1b91fe2fb4437b3fe5f\",\n \"https://git.kernel.org/stable/c/ed35a509390ef4011ea2226da5dd6f62b73873b5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: ensure offloading TID queue exists\\n\\nThe resume code path assumes that the TX queue for the offloading TID\\nhas been configured. At resume time it then tries to sync the write\\npointer as it may have been updated by the firmware.\\n\\nIn the unusual event that no packets have been send on TID 0, the queue\\nwill not have been allocated and this causes a crash. Fix this by\\nensuring the queue exist at suspend time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27056\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27057", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27057" + }, + { + "url": "https://git.kernel.org/stable/c/3cac6eebea9b4bc5f041e157e45c76e212ad6759" + }, + { + "url": "https://git.kernel.org/stable/c/c40aad7c81e5fba34b70123ed7ce3397fa62a4d2" + }, + { + "url": "https://git.kernel.org/stable/c/d153e8b154f9746ac969c85a4e6474760453647c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27057 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27057", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend\n\nWhen the system is suspended while audio is active, the\nsof_ipc4_pcm_hw_free() is invoked to reset the pipelines since during\nsuspend the DSP is turned off, streams will be re-started after resume.\n\nIf the firmware crashes during while audio is running (or when we reset\nthe stream before suspend) then the sof_ipc4_set_multi_pipeline_state()\nwill fail with IPC error and the state change is interrupted.\nThis will cause misalignment between the kernel and firmware state on next\nDSP boot resulting errors returned by firmware for IPC messages, eventually\nfailing the audio resume.\nOn stream close the errors are ignored so the kernel state will be\ncorrected on the next DSP boot, so the second boot after the DSP panic.\n\nIf sof_ipc4_trigger_pipelines() is called from sof_ipc4_pcm_hw_free() then\nstate parameter is SOF_IPC4_PIPE_RESET and only in this case.\n\nTreat a forced pipeline reset similarly to how we treat a pcm_free by\nignoring error on state sending to allow the kernel's state to be\nconsistent with the state the firmware will have after the next boot.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27057\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27057\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27057\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27057\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27057\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3cac6eebea9b4bc5f041e157e45c76e212ad6759\",\n \"https://git.kernel.org/stable/c/c40aad7c81e5fba34b70123ed7ce3397fa62a4d2\",\n \"https://git.kernel.org/stable/c/d153e8b154f9746ac969c85a4e6474760453647c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend\\n\\nWhen the system is suspended while audio is active, the\\nsof_ipc4_pcm_hw_free() is invoked to reset the pipelines since during\\nsuspend the DSP is turned off, streams will be re-started after resume.\\n\\nIf the firmware crashes during while audio is running (or when we reset\\nthe stream before suspend) then the sof_ipc4_set_multi_pipeline_state()\\nwill fail with IPC error and the state change is interrupted.\\nThis will cause misalignment between the kernel and firmware state on next\\nDSP boot resulting errors returned by firmware for IPC messages, eventually\\nfailing the audio resume.\\nOn stream close the errors are ignored so the kernel state will be\\ncorrected on the next DSP boot, so the second boot after the DSP panic.\\n\\nIf sof_ipc4_trigger_pipelines() is called from sof_ipc4_pcm_hw_free() then\\nstate parameter is SOF_IPC4_PIPE_RESET and only in this case.\\n\\nTreat a forced pipeline reset similarly to how we treat a pcm_free by\\nignoring error on state sending to allow the kernel's state to be\\nconsistent with the state the firmware will have after the next boot.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27057\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27059", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27059" + }, + { + "url": "https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49" + }, + { + "url": "https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133" + }, + { + "url": "https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636" + }, + { + "url": "https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964" + }, + { + "url": "https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325" + }, + { + "url": "https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34" + }, + { + "url": "https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f" + }, + { + "url": "https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27059 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27059", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\n\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands. The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0. While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\n\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0. This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27059\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27059\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27059\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27059\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27059\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49\",\n \"https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133\",\n \"https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636\",\n \"https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964\",\n \"https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325\",\n \"https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34\",\n \"https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f\",\n \"https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\\n\\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\\nin the ATA ID information to calculate cylinder and head values when\\ncreating a CDB for READ or WRITE commands. The calculation involves\\ndivision and modulus operations, which will cause a crash if either of\\nthese values is 0. While this never happens with a genuine device, it\\ncould happen with a flawed or subversive emulation, as reported by the\\nsyzbot fuzzer.\\n\\nProtect against this possibility by refusing to bind to the device if\\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\\ninformation is 0. This requires isd200_Initialization() to return a\\nnegative error code when initialization fails; currently it always\\nreturns 0 (even when there is an error).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27059\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27062", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27062" + }, + { + "url": "https://git.kernel.org/stable/c/6887314f5356389fc219b8152e951ac084a10ef7" + }, + { + "url": "https://git.kernel.org/stable/c/96c8751844171af4b3898fee3857ee180586f589" + }, + { + "url": "https://git.kernel.org/stable/c/b7cc4ff787a572edf2c55caeffaa88cd801eb135" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27062 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27062", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: lock the client object tree.\n\nIt appears the client object tree has no locking unless I've missed\nsomething else. Fix races around adding/removing client objects,\nmostly vram bar mappings.\n\n 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI\n[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\n[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\n[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe\n[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206\n[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58\n[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400\n[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000\n[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0\n[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007\n[ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000\n[ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0\n[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4562.099544] Call Trace:\n[ 4562.099555] \n[ 4562.099573] ? die_addr+0x36/0x90\n[ 4562.099583] ? exc_general_protection+0x246/0x4a0\n[ 4562.099593] ? asm_exc_general_protection+0x26/0x30\n[ 4562.099600] ? nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099730] nvkm_ioctl+0xa1/0x250 [nouveau]\n[ 4562.099861] nvif_object_map_handle+0xc8/0x180 [nouveau]\n[ 4562.099986] nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]\n[ 4562.100156] ? dma_resv_test_signaled+0x26/0xb0\n[ 4562.100163] ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]\n[ 4562.100182] ? __mutex_unlock_slowpath+0x2a/0x270\n[ 4562.100189] nouveau_ttm_fault+0x69/0xb0 [nouveau]\n[ 4562.100356] __do_fault+0x32/0x150\n[ 4562.100362] do_fault+0x7c/0x560\n[ 4562.100369] __handle_mm_fault+0x800/0xc10\n[ 4562.100382] handle_mm_fault+0x17c/0x3e0\n[ 4562.100388] do_user_addr_fault+0x208/0x860\n[ 4562.100395] exc_page_fault+0x7f/0x200\n[ 4562.100402] asm_exc_page_fault+0x26/0x30\n[ 4562.100412] RIP: 0033:0x9b9870\n[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7\n[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246\n[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000\n[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066\n[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000\n[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff\n[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 4562.100446] \n[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27062\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27062\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27062\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27062\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27062\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6887314f5356389fc219b8152e951ac084a10ef7\",\n \"https://git.kernel.org/stable/c/96c8751844171af4b3898fee3857ee180586f589\",\n \"https://git.kernel.org/stable/c/b7cc4ff787a572edf2c55caeffaa88cd801eb135\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnouveau: lock the client object tree.\\n\\nIt appears the client object tree has no locking unless I've missed\\nsomething else. Fix races around adding/removing client objects,\\nmostly vram bar mappings.\\n\\n 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI\\n[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\\n[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\\n[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]\\n[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe\\n[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206\\n[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58\\n[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400\\n[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000\\n[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0\\n[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007\\n[ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000\\n[ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0\\n[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 4562.099544] Call Trace:\\n[ 4562.099555] \\n[ 4562.099573] ? die_addr+0x36/0x90\\n[ 4562.099583] ? exc_general_protection+0x246/0x4a0\\n[ 4562.099593] ? asm_exc_general_protection+0x26/0x30\\n[ 4562.099600] ? nvkm_object_search+0x1d/0x70 [nouveau]\\n[ 4562.099730] nvkm_ioctl+0xa1/0x250 [nouveau]\\n[ 4562.099861] nvif_object_map_handle+0xc8/0x180 [nouveau]\\n[ 4562.099986] nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]\\n[ 4562.100156] ? dma_resv_test_signaled+0x26/0xb0\\n[ 4562.100163] ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]\\n[ 4562.100182] ? __mutex_unlock_slowpath+0x2a/0x270\\n[ 4562.100189] nouveau_ttm_fault+0x69/0xb0 [nouveau]\\n[ 4562.100356] __do_fault+0x32/0x150\\n[ 4562.100362] do_fault+0x7c/0x560\\n[ 4562.100369] __handle_mm_fault+0x800/0xc10\\n[ 4562.100382] handle_mm_fault+0x17c/0x3e0\\n[ 4562.100388] do_user_addr_fault+0x208/0x860\\n[ 4562.100395] exc_page_fault+0x7f/0x200\\n[ 4562.100402] asm_exc_page_fault+0x26/0x30\\n[ 4562.100412] RIP: 0033:0x9b9870\\n[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7\\n[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246\\n[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000\\n[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066\\n[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000\\n[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff\\n[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\\n[ 4562.100446] \\n[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27062\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27072", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27072" + }, + { + "url": "https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2" + }, + { + "url": "https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27072 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27072", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Remove useless locks in usbtv_video_free()\n\nRemove locks calls in usbtv_video_free() because\nare useless and may led to a deadlock as reported here:\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\nAlso remove usbtv_stop() call since it will be called when\nunregistering the device.\n\nBefore 'c838530d230b' this issue would only be noticed if you\ndisconnect while streaming and now it is noticeable even when\ndisconnecting while not streaming.\n\n\n[hverkuil: fix minor spelling mistake in log message]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27072\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27072\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27072\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27072\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27072\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2\",\n \"https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: usbtv: Remove useless locks in usbtv_video_free()\\n\\nRemove locks calls in usbtv_video_free() because\\nare useless and may led to a deadlock as reported here:\\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\\nAlso remove usbtv_stop() call since it will be called when\\nunregistering the device.\\n\\nBefore 'c838530d230b' this issue would only be noticed if you\\ndisconnect while streaming and now it is noticeable even when\\ndisconnecting while not streaming.\\n\\n\\n[hverkuil: fix minor spelling mistake in log message]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27072\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27389", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27389" + }, + { + "url": "https://git.kernel.org/stable/c/340682ed1932b8e3bd0bfc6c31a0c6354eb57cc6" + }, + { + "url": "https://git.kernel.org/stable/c/4cdf9006fc095af71da80e9b5f48a32e991b9ed3" + }, + { + "url": "https://git.kernel.org/stable/c/a43e0fc5e9134a46515de2f2f8d4100b74e50de3" + }, + { + "url": "https://git.kernel.org/stable/c/cb9e802e49c24eeb3af35e9e8c04d526f35f112a" + }, + { + "url": "https://git.kernel.org/stable/c/db6e5e16f1ee9e3b01d2f71c7f0ba945f4bf0f4e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27389 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27389", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: inode: Only d_invalidate() is needed\n\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\n\n WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\n\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\n\n---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27389\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27389\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27389\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27389\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27389\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/340682ed1932b8e3bd0bfc6c31a0c6354eb57cc6\",\n \"https://git.kernel.org/stable/c/4cdf9006fc095af71da80e9b5f48a32e991b9ed3\",\n \"https://git.kernel.org/stable/c/a43e0fc5e9134a46515de2f2f8d4100b74e50de3\",\n \"https://git.kernel.org/stable/c/cb9e802e49c24eeb3af35e9e8c04d526f35f112a\",\n \"https://git.kernel.org/stable/c/db6e5e16f1ee9e3b01d2f71c7f0ba945f4bf0f4e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npstore: inode: Only d_invalidate() is needed\\n\\nUnloading a modular pstore backend with records in pstorefs would\\ntrigger the dput() double-drop warning:\\n\\n WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\\n\\nUsing the combo of d_drop()/dput() (as mentioned in\\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\\nleads to the reference counting problem seen above. Use d_invalidate()\\nand update the code to not bother checking for error codes that can\\nnever happen.\\n\\n---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27389\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27393", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27393" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/08/4" + }, + { + "url": "http://xenbits.xen.org/xsa/advisory-457.html" + }, + { + "url": "https://git.kernel.org/stable/c/037965402a010898d34f4e35327d22c0a95cd51f" + }, + { + "url": "https://git.kernel.org/stable/c/27aa3e4b3088426b7e34584274ad45b5afaf7629" + }, + { + "url": "https://git.kernel.org/stable/c/4143b9479caa29bb2380f3620dcbe16ea84eb3b1" + }, + { + "url": "https://git.kernel.org/stable/c/7c1250796b6c262b505a46192f4716b8c6a6a8c6" + }, + { + "url": "https://git.kernel.org/stable/c/c8b7b2f158d9d4fb89cd2f68244af154f7549bb4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27393 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27393", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: Add missing skb_mark_for_recycle\n\nNotice that skb_mark_for_recycle() is introduced later than fixes tag in\ncommit 6a5bcd84e886 (\"page_pool: Allow drivers to hint on SKB recycling\").\n\nIt is believed that fixes tag were missing a call to page_pool_release_page()\nbetween v5.9 to v5.14, after which is should have used skb_mark_for_recycle().\nSince v6.6 the call page_pool_release_page() were removed (in\ncommit 535b9c61bdef (\"net: page_pool: hide page_pool_release_page()\")\nand remaining callers converted (in commit 6bfef2ec0172 (\"Merge branch\n'net-page_pool-remove-page_pool_release_page'\")).\n\nThis leak became visible in v6.8 via commit dba1b8a7ab68 (\"mm/page_pool: catch\npage_pool memory leaks\").", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27393\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27393\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27393\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27393\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27393\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/08/4\",\n \"http://xenbits.xen.org/xsa/advisory-457.html\",\n \"https://git.kernel.org/stable/c/037965402a010898d34f4e35327d22c0a95cd51f\",\n \"https://git.kernel.org/stable/c/27aa3e4b3088426b7e34584274ad45b5afaf7629\",\n \"https://git.kernel.org/stable/c/4143b9479caa29bb2380f3620dcbe16ea84eb3b1\",\n \"https://git.kernel.org/stable/c/7c1250796b6c262b505a46192f4716b8c6a6a8c6\",\n \"https://git.kernel.org/stable/c/c8b7b2f158d9d4fb89cd2f68244af154f7549bb4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxen-netfront: Add missing skb_mark_for_recycle\\n\\nNotice that skb_mark_for_recycle() is introduced later than fixes tag in\\ncommit 6a5bcd84e886 (\\\"page_pool: Allow drivers to hint on SKB recycling\\\").\\n\\nIt is believed that fixes tag were missing a call to page_pool_release_page()\\nbetween v5.9 to v5.14, after which is should have used skb_mark_for_recycle().\\nSince v6.6 the call page_pool_release_page() were removed (in\\ncommit 535b9c61bdef (\\\"net: page_pool: hide page_pool_release_page()\\\")\\nand remaining callers converted (in commit 6bfef2ec0172 (\\\"Merge branch\\n'net-page_pool-remove-page_pool_release_page'\\\")).\\n\\nThis leak became visible in v6.8 via commit dba1b8a7ab68 (\\\"mm/page_pool: catch\\npage_pool memory leaks\\\").\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27393\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27395", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27395" + }, + { + "url": "https://git.kernel.org/stable/c/2db9a8c0a01fa1c762c1e61a13c212c492752994" + }, + { + "url": "https://git.kernel.org/stable/c/35880c3fa6f8fe281a19975d2992644588ca33d3" + }, + { + "url": "https://git.kernel.org/stable/c/589523cf0b384164e445dd5db8d5b1bf97982424" + }, + { + "url": "https://git.kernel.org/stable/c/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2" + }, + { + "url": "https://git.kernel.org/stable/c/9048616553c65e750d43846f225843ed745ec0d4" + }, + { + "url": "https://git.kernel.org/stable/c/bca6fa2d9a9f560e6b89fd5190b05cc2f5d422c1" + }, + { + "url": "https://git.kernel.org/stable/c/eaa5e164a2110d2fb9e16c8a29e4501882235137" + }, + { + "url": "https://git.kernel.org/stable/c/edee0758747d7c219e29db9ed1d4eb33e8d32865" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27395 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27395", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\n\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27395\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27395\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27395\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27395\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27395\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2db9a8c0a01fa1c762c1e61a13c212c492752994\",\n \"https://git.kernel.org/stable/c/35880c3fa6f8fe281a19975d2992644588ca33d3\",\n \"https://git.kernel.org/stable/c/589523cf0b384164e445dd5db8d5b1bf97982424\",\n \"https://git.kernel.org/stable/c/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2\",\n \"https://git.kernel.org/stable/c/9048616553c65e750d43846f225843ed745ec0d4\",\n \"https://git.kernel.org/stable/c/bca6fa2d9a9f560e6b89fd5190b05cc2f5d422c1\",\n \"https://git.kernel.org/stable/c/eaa5e164a2110d2fb9e16c8a29e4501882235137\",\n \"https://git.kernel.org/stable/c/edee0758747d7c219e29db9ed1d4eb33e8d32865\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\\n\\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\\nis possible that the RCU grace period will pass during the traversal and\\nthe key will be free.\\n\\nTo prevent this, it should be changed to hlist_for_each_entry_safe.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27395\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27396", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27396" + }, + { + "url": "https://git.kernel.org/stable/c/07b20d0a3dc13fb1adff10b60021a4924498da58" + }, + { + "url": "https://git.kernel.org/stable/c/0caff3e6390f840666b8dc1ecebf985c2ef3f1dd" + }, + { + "url": "https://git.kernel.org/stable/c/25a1c2d4b1fcf938356a9688a96a6456abd44b29" + }, + { + "url": "https://git.kernel.org/stable/c/2aacd4de45477582993f8a8abb9505a06426bfb6" + }, + { + "url": "https://git.kernel.org/stable/c/2e74b3fd6bf542349758f283676dff3660327c07" + }, + { + "url": "https://git.kernel.org/stable/c/718df1bc226c383dd803397d7f5d95557eb81ac7" + }, + { + "url": "https://git.kernel.org/stable/c/cd957d1716ec979d8f5bf38fc659aeb9fdaa2474" + }, + { + "url": "https://git.kernel.org/stable/c/f2a904107ee2b647bb7794a1a82b67740d7c8a64" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27396 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27396", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gtp: Fix Use-After-Free in gtp_dellink\n\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27396\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27396\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27396\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27396\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27396\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07b20d0a3dc13fb1adff10b60021a4924498da58\",\n \"https://git.kernel.org/stable/c/0caff3e6390f840666b8dc1ecebf985c2ef3f1dd\",\n \"https://git.kernel.org/stable/c/25a1c2d4b1fcf938356a9688a96a6456abd44b29\",\n \"https://git.kernel.org/stable/c/2aacd4de45477582993f8a8abb9505a06426bfb6\",\n \"https://git.kernel.org/stable/c/2e74b3fd6bf542349758f283676dff3660327c07\",\n \"https://git.kernel.org/stable/c/718df1bc226c383dd803397d7f5d95557eb81ac7\",\n \"https://git.kernel.org/stable/c/cd957d1716ec979d8f5bf38fc659aeb9fdaa2474\",\n \"https://git.kernel.org/stable/c/f2a904107ee2b647bb7794a1a82b67740d7c8a64\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: gtp: Fix Use-After-Free in gtp_dellink\\n\\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\\nof gtp_dellink, is not part of the RCU read critical section, it\\nis possible that the RCU grace period will pass during the traversal and\\nthe key will be free.\\n\\nTo prevent this, it should be changed to hlist_for_each_entry_safe.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27396\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27397", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27397" + }, + { + "url": "https://git.kernel.org/stable/c/0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d" + }, + { + "url": "https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3" + }, + { + "url": "https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15" + }, + { + "url": "https://git.kernel.org/stable/c/7b17de2a71e56c10335b565cc7ad238e6d984379" + }, + { + "url": "https://git.kernel.org/stable/c/b45176b869673417ace338b87cf9cdb66e2eeb01" + }, + { + "url": "https://git.kernel.org/stable/c/eaf1a29ea5d7dba8e84e9e9f3b3f47d0cd540bfe" + }, + { + "url": "https://git.kernel.org/stable/c/f8dfda798650241c1692058713ca4fef8e429061" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27397 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27397", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: use timestamp to check for set element timeout\n\nAdd a timestamp field at the beginning of the transaction, store it\nin the nftables per-netns area.\n\nUpdate set backend .insert, .deactivate and sync gc path to use the\ntimestamp, this avoids that an element expires while control plane\ntransaction is still unfinished.\n\n.lookup and .update, which are used from packet path, still use the\ncurrent time to check if the element has expired. And .get path and dump\nalso since this runs lockless under rcu read size lock. Then, there is\nasync gc which also needs to check the current time since it runs\nasynchronously from a workqueue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27397\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27397\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27397\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27397\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27397\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d\",\n \"https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3\",\n \"https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15\",\n \"https://git.kernel.org/stable/c/7b17de2a71e56c10335b565cc7ad238e6d984379\",\n \"https://git.kernel.org/stable/c/b45176b869673417ace338b87cf9cdb66e2eeb01\",\n \"https://git.kernel.org/stable/c/eaf1a29ea5d7dba8e84e9e9f3b3f47d0cd540bfe\",\n \"https://git.kernel.org/stable/c/f8dfda798650241c1692058713ca4fef8e429061\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: use timestamp to check for set element timeout\\n\\nAdd a timestamp field at the beginning of the transaction, store it\\nin the nftables per-netns area.\\n\\nUpdate set backend .insert, .deactivate and sync gc path to use the\\ntimestamp, this avoids that an element expires while control plane\\ntransaction is still unfinished.\\n\\n.lookup and .update, which are used from packet path, still use the\\ncurrent time to check if the element has expired. And .get path and dump\\nalso since this runs lockless under rcu read size lock. Then, there is\\nasync gc which also needs to check the current time since it runs\\nasynchronously from a workqueue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27397\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27398", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27398" + }, + { + "url": "https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2" + }, + { + "url": "https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249" + }, + { + "url": "https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014" + }, + { + "url": "https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53" + }, + { + "url": "https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546" + }, + { + "url": "https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178" + }, + { + "url": "https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5" + }, + { + "url": "https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27398 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27398", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\n\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\n\n Cleanup Thread | Worker Thread\nsco_sock_release |\n sco_sock_close |\n __sco_sock_close |\n sco_sock_set_timer |\n schedule_delayed_work |\n sco_sock_kill | (wait a time)\n sock_put(sk) //FREE | sco_sock_timeout\n | sock_hold(sk) //USE\n\nThe KASAN report triggered by POC is shown below:\n\n[ 95.890016] ==================================================================\n[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[ 95.890755] Workqueue: events sco_sock_timeout\n[ 95.890755] Call Trace:\n[ 95.890755] \n[ 95.890755] dump_stack_lvl+0x45/0x110\n[ 95.890755] print_address_description+0x78/0x390\n[ 95.890755] print_report+0x11b/0x250\n[ 95.890755] ? __virt_addr_valid+0xbe/0xf0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_report+0x139/0x170\n[ 95.890755] ? update_load_avg+0xe5/0x9f0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_check_range+0x2c3/0x2e0\n[ 95.890755] sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] process_one_work+0x561/0xc50\n[ 95.890755] worker_thread+0xab2/0x13c0\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] kthread+0x279/0x300\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork+0x34/0x60\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork_asm+0x11/0x20\n[ 95.890755] \n[ 95.890755]\n[ 95.890755] Allocated by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] __kasan_kmalloc+0x86/0x90\n[ 95.890755] __kmalloc+0x17f/0x360\n[ 95.890755] sk_prot_alloc+0xe1/0x1a0\n[ 95.890755] sk_alloc+0x31/0x4e0\n[ 95.890755] bt_sock_alloc+0x2b/0x2a0\n[ 95.890755] sco_sock_create+0xad/0x320\n[ 95.890755] bt_sock_create+0x145/0x320\n[ 95.890755] __sock_create+0x2e1/0x650\n[ 95.890755] __sys_socket+0xd0/0x280\n[ 95.890755] __x64_sys_socket+0x75/0x80\n[ 95.890755] do_syscall_64+0xc4/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] Freed by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] kasan_save_free_info+0x40/0x50\n[ 95.890755] poison_slab_object+0x118/0x180\n[ 95.890755] __kasan_slab_free+0x12/0x30\n[ 95.890755] kfree+0xb2/0x240\n[ 95.890755] __sk_destruct+0x317/0x410\n[ 95.890755] sco_sock_release+0x232/0x280\n[ 95.890755] sock_close+0xb2/0x210\n[ 95.890755] __fput+0x37f/0x770\n[ 95.890755] task_work_run+0x1ae/0x210\n[ 95.890755] get_signal+0xe17/0xf70\n[ 95.890755] arch_do_signal_or_restart+0x3f/0x520\n[ 95.890755] syscall_exit_to_user_mode+0x55/0x120\n[ 95.890755] do_syscall_64+0xd1/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the object at ffff88800c388000\n[ 95.890755] which belongs to the cache kmalloc-1k of size 1024\n[ 95.890755] The buggy address is located 128 bytes inside of\n[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the physical page:\n[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 95.890755] ano\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27398\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27398\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27398\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27398\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27398\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2\",\n \"https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249\",\n \"https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014\",\n \"https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53\",\n \"https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546\",\n \"https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178\",\n \"https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5\",\n \"https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\\n\\nWhen the sco connection is established and then, the sco socket\\nis releasing, timeout_work will be scheduled to judge whether\\nthe sco disconnection is timeout. The sock will be deallocated\\nlater, but it is dereferenced again in sco_sock_timeout. As a\\nresult, the use-after-free bugs will happen. The root cause is\\nshown below:\\n\\n Cleanup Thread | Worker Thread\\nsco_sock_release |\\n sco_sock_close |\\n __sco_sock_close |\\n sco_sock_set_timer |\\n schedule_delayed_work |\\n sco_sock_kill | (wait a time)\\n sock_put(sk) //FREE | sco_sock_timeout\\n | sock_hold(sk) //USE\\n\\nThe KASAN report triggered by POC is shown below:\\n\\n[ 95.890016] ==================================================================\\n[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\\n[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\\n...\\n[ 95.890755] Workqueue: events sco_sock_timeout\\n[ 95.890755] Call Trace:\\n[ 95.890755] \\n[ 95.890755] dump_stack_lvl+0x45/0x110\\n[ 95.890755] print_address_description+0x78/0x390\\n[ 95.890755] print_report+0x11b/0x250\\n[ 95.890755] ? __virt_addr_valid+0xbe/0xf0\\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\\n[ 95.890755] kasan_report+0x139/0x170\\n[ 95.890755] ? update_load_avg+0xe5/0x9f0\\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\\n[ 95.890755] kasan_check_range+0x2c3/0x2e0\\n[ 95.890755] sco_sock_timeout+0x5e/0x1c0\\n[ 95.890755] process_one_work+0x561/0xc50\\n[ 95.890755] worker_thread+0xab2/0x13c0\\n[ 95.890755] ? pr_cont_work+0x490/0x490\\n[ 95.890755] kthread+0x279/0x300\\n[ 95.890755] ? pr_cont_work+0x490/0x490\\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\\n[ 95.890755] ret_from_fork+0x34/0x60\\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\\n[ 95.890755] ret_from_fork_asm+0x11/0x20\\n[ 95.890755] \\n[ 95.890755]\\n[ 95.890755] Allocated by task 506:\\n[ 95.890755] kasan_save_track+0x3f/0x70\\n[ 95.890755] __kasan_kmalloc+0x86/0x90\\n[ 95.890755] __kmalloc+0x17f/0x360\\n[ 95.890755] sk_prot_alloc+0xe1/0x1a0\\n[ 95.890755] sk_alloc+0x31/0x4e0\\n[ 95.890755] bt_sock_alloc+0x2b/0x2a0\\n[ 95.890755] sco_sock_create+0xad/0x320\\n[ 95.890755] bt_sock_create+0x145/0x320\\n[ 95.890755] __sock_create+0x2e1/0x650\\n[ 95.890755] __sys_socket+0xd0/0x280\\n[ 95.890755] __x64_sys_socket+0x75/0x80\\n[ 95.890755] do_syscall_64+0xc4/0x1b0\\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n[ 95.890755]\\n[ 95.890755] Freed by task 506:\\n[ 95.890755] kasan_save_track+0x3f/0x70\\n[ 95.890755] kasan_save_free_info+0x40/0x50\\n[ 95.890755] poison_slab_object+0x118/0x180\\n[ 95.890755] __kasan_slab_free+0x12/0x30\\n[ 95.890755] kfree+0xb2/0x240\\n[ 95.890755] __sk_destruct+0x317/0x410\\n[ 95.890755] sco_sock_release+0x232/0x280\\n[ 95.890755] sock_close+0xb2/0x210\\n[ 95.890755] __fput+0x37f/0x770\\n[ 95.890755] task_work_run+0x1ae/0x210\\n[ 95.890755] get_signal+0xe17/0xf70\\n[ 95.890755] arch_do_signal_or_restart+0x3f/0x520\\n[ 95.890755] syscall_exit_to_user_mode+0x55/0x120\\n[ 95.890755] do_syscall_64+0xd1/0x1b0\\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n[ 95.890755]\\n[ 95.890755] The buggy address belongs to the object at ffff88800c388000\\n[ 95.890755] which belongs to the cache kmalloc-1k of size 1024\\n[ 95.890755] The buggy address is located 128 bytes inside of\\n[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)\\n[ 95.890755]\\n[ 95.890755] The buggy address belongs to the physical page:\\n[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\\n[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\\n[ 95.890755] ano\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27398\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27399", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27399" + }, + { + "url": "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c" + }, + { + "url": "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9" + }, + { + "url": "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33" + }, + { + "url": "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0" + }, + { + "url": "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c" + }, + { + "url": "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae" + }, + { + "url": "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79" + }, + { + "url": "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27399 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27399", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\n\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan->conn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\n\n[ 472.074580] ==================================================================\n[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[ 472.075308]\n[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.075308] Workqueue: events l2cap_chan_timeout\n[ 472.075308] Call Trace:\n[ 472.075308] \n[ 472.075308] dump_stack_lvl+0x137/0x1a0\n[ 472.075308] print_report+0x101/0x250\n[ 472.075308] ? __virt_addr_valid+0x77/0x160\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_report+0x139/0x170\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_check_range+0x2c3/0x2e0\n[ 472.075308] mutex_lock+0x68/0xc0\n[ 472.075308] l2cap_chan_timeout+0x181/0x300\n[ 472.075308] process_one_work+0x5d2/0xe00\n[ 472.075308] worker_thread+0xe1d/0x1660\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] kthread+0x2b7/0x350\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork+0x4d/0x80\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork_asm+0x11/0x20\n[ 472.075308] \n[ 472.075308] ==================================================================\n[ 472.094860] Disabling lock debugging due to kernel taint\n[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[ 472.096136] #PF: supervisor write access in kernel mode\n[ 472.096136] #PF: error_code(0x0002) - not-present page\n[ 472.096136] PGD 0 P4D 0\n[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.096136] Workqueue: events l2cap_chan_timeout\n[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[ 472.096136] Call Trace:\n[ 472.096136] \n[ 472.096136] ? __die_body+0x8d/0xe0\n[ 472.096136] ? page_fault_oops+0x6b8/0x9a0\n[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[ 472.096136] ? do_user_addr_fault+0x1027/0x1340\n[ 472.096136] ? _printk+0x7a/0xa0\n[ 472.096136] ? mutex_lock+0x68/0xc0\n[ 472.096136] ? add_taint+0x42/0xd0\n[ 472.096136] ? exc_page_fault+0x6a/0x1b0\n[ 472.096136] ? asm_exc_page_fault+0x26/0x30\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] ? mutex_lock+0x88/0xc0\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] l2cap_chan_timeo\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27399\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27399\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27399\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27399\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27399\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c\",\n \"https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9\",\n \"https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33\",\n \"https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0\",\n \"https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c\",\n \"https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae\",\n \"https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79\",\n \"https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\\n\\nThere is a race condition between l2cap_chan_timeout() and\\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\\nchannel, the chan->conn will be set to null. But the conn could\\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\\nAs a result the null pointer dereference bug will happen. The\\nKASAN report triggered by POC is shown below:\\n\\n[ 472.074580] ==================================================================\\n[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\\n[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\\n[ 472.075308]\\n[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\\n[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\\n[ 472.075308] Workqueue: events l2cap_chan_timeout\\n[ 472.075308] Call Trace:\\n[ 472.075308] \\n[ 472.075308] dump_stack_lvl+0x137/0x1a0\\n[ 472.075308] print_report+0x101/0x250\\n[ 472.075308] ? __virt_addr_valid+0x77/0x160\\n[ 472.075308] ? mutex_lock+0x68/0xc0\\n[ 472.075308] kasan_report+0x139/0x170\\n[ 472.075308] ? mutex_lock+0x68/0xc0\\n[ 472.075308] kasan_check_range+0x2c3/0x2e0\\n[ 472.075308] mutex_lock+0x68/0xc0\\n[ 472.075308] l2cap_chan_timeout+0x181/0x300\\n[ 472.075308] process_one_work+0x5d2/0xe00\\n[ 472.075308] worker_thread+0xe1d/0x1660\\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\\n[ 472.075308] kthread+0x2b7/0x350\\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\\n[ 472.075308] ret_from_fork+0x4d/0x80\\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\\n[ 472.075308] ret_from_fork_asm+0x11/0x20\\n[ 472.075308] \\n[ 472.075308] ==================================================================\\n[ 472.094860] Disabling lock debugging due to kernel taint\\n[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\\n[ 472.096136] #PF: supervisor write access in kernel mode\\n[ 472.096136] #PF: error_code(0x0002) - not-present page\\n[ 472.096136] PGD 0 P4D 0\\n[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\\n[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36\\n[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\\n[ 472.096136] Workqueue: events l2cap_chan_timeout\\n[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0\\n[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\\n[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\\n[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\\n[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\\n[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\\n[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\\n[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\\n[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\\n[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\\n[ 472.096136] Call Trace:\\n[ 472.096136] \\n[ 472.096136] ? __die_body+0x8d/0xe0\\n[ 472.096136] ? page_fault_oops+0x6b8/0x9a0\\n[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0\\n[ 472.096136] ? do_user_addr_fault+0x1027/0x1340\\n[ 472.096136] ? _printk+0x7a/0xa0\\n[ 472.096136] ? mutex_lock+0x68/0xc0\\n[ 472.096136] ? add_taint+0x42/0xd0\\n[ 472.096136] ? exc_page_fault+0x6a/0x1b0\\n[ 472.096136] ? asm_exc_page_fault+0x26/0x30\\n[ 472.096136] ? mutex_lock+0x75/0xc0\\n[ 472.096136] ? mutex_lock+0x88/0xc0\\n[ 472.096136] ? mutex_lock+0x75/0xc0\\n[ 472.096136] l2cap_chan_timeo\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27399\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27400", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27400" + }, + { + "url": "https://git.kernel.org/stable/c/0c7ed3ed35eec9138b88d42217b5a6b9a62bda4d" + }, + { + "url": "https://git.kernel.org/stable/c/5c25b169f9a0b34ee410891a96bc9d7b9ed6f9be" + }, + { + "url": "https://git.kernel.org/stable/c/9a4f6e138720b6e9adf7b82a71d0292f3f276480" + }, + { + "url": "https://git.kernel.org/stable/c/d3a9331a6591e9df64791e076f6591f440af51c3" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27400 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27400", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2\n\nThis reverts drm/amdgpu: fix ftrace event amdgpu_bo_move always move\non same heap. The basic problem here is that after the move the old\nlocation is simply not available any more.\n\nSome fixes were suggested, but essentially we should call the move\nnotification before actually moving things because only this way we have\nthe correct order for DMA-buf and VM move notifications as well.\n\nAlso rework the statistic handling so that we don't update the eviction\ncounter before the move.\n\nv2: add missing NULL check", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27400\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27400\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27400\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27400\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27400\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c7ed3ed35eec9138b88d42217b5a6b9a62bda4d\",\n \"https://git.kernel.org/stable/c/5c25b169f9a0b34ee410891a96bc9d7b9ed6f9be\",\n \"https://git.kernel.org/stable/c/9a4f6e138720b6e9adf7b82a71d0292f3f276480\",\n \"https://git.kernel.org/stable/c/d3a9331a6591e9df64791e076f6591f440af51c3\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2\\n\\nThis reverts drm/amdgpu: fix ftrace event amdgpu_bo_move always move\\non same heap. The basic problem here is that after the move the old\\nlocation is simply not available any more.\\n\\nSome fixes were suggested, but essentially we should call the move\\nnotification before actually moving things because only this way we have\\nthe correct order for DMA-buf and VM move notifications as well.\\n\\nAlso rework the statistic handling so that we don't update the eviction\\ncounter before the move.\\n\\nv2: add missing NULL check\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27400\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27401", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27401" + }, + { + "url": "https://git.kernel.org/stable/c/1fe60ee709436550f8cfbab01295936b868d5baa" + }, + { + "url": "https://git.kernel.org/stable/c/38762a0763c10c24a4915feee722d7aa6e73eb98" + }, + { + "url": "https://git.kernel.org/stable/c/4ee0941da10e8fdcdb34756b877efd3282594c1f" + }, + { + "url": "https://git.kernel.org/stable/c/539d51ac48bcfcfa1b3d4a85f8df92fa22c1d41c" + }, + { + "url": "https://git.kernel.org/stable/c/67f34f093c0f7bf33f5b4ae64d3d695a3b978285" + }, + { + "url": "https://git.kernel.org/stable/c/79f988d3ffc1aa778fc5181bdfab312e57956c6b" + }, + { + "url": "https://git.kernel.org/stable/c/7b8c7bd2296e95b38a6ff346242356a2e7190239" + }, + { + "url": "https://git.kernel.org/stable/c/cca330c59c54207567a648357835f59df9a286bb" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27401 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27401", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\n\nEnsure that packet_buffer_get respects the user_length provided. If\nthe length of the head packet exceeds the user_length, packet_buffer_get\nwill now return 0 to signify to the user that no data were read\nand a larger buffer size is required. Helps prevent user space overflows.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27401\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27401\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27401\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27401\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27401\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fe60ee709436550f8cfbab01295936b868d5baa\",\n \"https://git.kernel.org/stable/c/38762a0763c10c24a4915feee722d7aa6e73eb98\",\n \"https://git.kernel.org/stable/c/4ee0941da10e8fdcdb34756b877efd3282594c1f\",\n \"https://git.kernel.org/stable/c/539d51ac48bcfcfa1b3d4a85f8df92fa22c1d41c\",\n \"https://git.kernel.org/stable/c/67f34f093c0f7bf33f5b4ae64d3d695a3b978285\",\n \"https://git.kernel.org/stable/c/79f988d3ffc1aa778fc5181bdfab312e57956c6b\",\n \"https://git.kernel.org/stable/c/7b8c7bd2296e95b38a6ff346242356a2e7190239\",\n \"https://git.kernel.org/stable/c/cca330c59c54207567a648357835f59df9a286bb\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\\n\\nEnsure that packet_buffer_get respects the user_length provided. If\\nthe length of the head packet exceeds the user_length, packet_buffer_get\\nwill now return 0 to signify to the user that no data were read\\nand a larger buffer size is required. Helps prevent user space overflows.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27401\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27402", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27402" + }, + { + "url": "https://git.kernel.org/stable/c/0a9f558c72c47472c38c05fcb72c70abb9104277" + }, + { + "url": "https://git.kernel.org/stable/c/7d2a894d7f487dcb894df023e9d3014cf5b93fe5" + }, + { + "url": "https://git.kernel.org/stable/c/8ef4fcc7014b9f93619851d6b78d6cc2789a4c88" + }, + { + "url": "https://git.kernel.org/stable/c/9d5523e065b568e79dfaa2ea1085a5bcf74baf78" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27402 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27402", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet/pep: fix racy skb_queue_empty() use\n\nThe receive queues are protected by their respective spin-lock, not\nthe socket lock. This could lead to skb_peek() unexpectedly\nreturning NULL or a pointer to an already dequeued socket buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27402\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27402\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27402\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27402\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27402\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a9f558c72c47472c38c05fcb72c70abb9104277\",\n \"https://git.kernel.org/stable/c/7d2a894d7f487dcb894df023e9d3014cf5b93fe5\",\n \"https://git.kernel.org/stable/c/8ef4fcc7014b9f93619851d6b78d6cc2789a4c88\",\n \"https://git.kernel.org/stable/c/9d5523e065b568e79dfaa2ea1085a5bcf74baf78\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nphonet/pep: fix racy skb_queue_empty() use\\n\\nThe receive queues are protected by their respective spin-lock, not\\nthe socket lock. This could lead to skb_peek() unexpectedly\\nreturning NULL or a pointer to an already dequeued socket buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27402\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27407", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27407" + }, + { + "url": "https://git.kernel.org/stable/c/1c0a95d99b1b2b5d842e5abc7ef7eed1193b60d7" + }, + { + "url": "https://git.kernel.org/stable/c/652cfeb43d6b9aba5c7c4902bed7a7340df131fb" + }, + { + "url": "https://git.kernel.org/stable/c/8c77398c72618101d66480b94b34fe9087ee3d08" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27407 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27407", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fixed overflow check in mi_enum_attr()", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27407\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27407\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27407\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27407\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27407\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c0a95d99b1b2b5d842e5abc7ef7eed1193b60d7\",\n \"https://git.kernel.org/stable/c/652cfeb43d6b9aba5c7c4902bed7a7340df131fb\",\n \"https://git.kernel.org/stable/c/8c77398c72618101d66480b94b34fe9087ee3d08\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Fixed overflow check in mi_enum_attr()\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27407\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27408", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27408" + }, + { + "url": "https://git.kernel.org/stable/c/bbcc1c83f343e580c3aa1f2a8593343bf7b55bba" + }, + { + "url": "https://git.kernel.org/stable/c/d24fe6d5a1cfdddb7a9ef56736ec501c4d0a5fd3" + }, + { + "url": "https://git.kernel.org/stable/c/f396b4df27cfe01a99f4b41f584c49e56477be3a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27408 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27408", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup\n\nThe Linked list element and pointer are not stored in the same memory as\nthe eDMA controller register. If the doorbell register is toggled before\nthe full write of the linked list a race condition error will occur.\nIn remote setup we can only use a readl to the memory to assure the full\nwrite has occurred.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27408\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27408\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27408\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27408\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27408\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/bbcc1c83f343e580c3aa1f2a8593343bf7b55bba\",\n \"https://git.kernel.org/stable/c/d24fe6d5a1cfdddb7a9ef56736ec501c4d0a5fd3\",\n \"https://git.kernel.org/stable/c/f396b4df27cfe01a99f4b41f584c49e56477be3a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup\\n\\nThe Linked list element and pointer are not stored in the same memory as\\nthe eDMA controller register. If the doorbell register is toggled before\\nthe full write of the linked list a race condition error will occur.\\nIn remote setup we can only use a readl to the memory to assure the full\\nwrite has occurred.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27408\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27418", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27418" + }, + { + "url": "https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3" + }, + { + "url": "https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd" + }, + { + "url": "https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b" + }, + { + "url": "https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27418 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27418", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: take ownership of skb in mctp_local_output\n\nCurrently, mctp_local_output only takes ownership of skb on success, and\nwe may leak an skb if mctp_local_output fails in specific states; the\nskb ownership isn't transferred until the actual output routing occurs.\n\nInstead, make mctp_local_output free the skb on all error paths up to\nthe route action, so it always consumes the passed skb.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27418\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27418\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27418\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27418\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27418\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3\",\n \"https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd\",\n \"https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b\",\n \"https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: mctp: take ownership of skb in mctp_local_output\\n\\nCurrently, mctp_local_output only takes ownership of skb on success, and\\nwe may leak an skb if mctp_local_output fails in specific states; the\\nskb ownership isn't transferred until the actual output routing occurs.\\n\\nInstead, make mctp_local_output free the skb on all error paths up to\\nthe route action, so it always consumes the passed skb.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27418\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27435", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27435" + }, + { + "url": "https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8" + }, + { + "url": "https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818" + }, + { + "url": "https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96" + }, + { + "url": "https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1d" + }, + { + "url": "https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27435 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27435", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix reconnection fail due to reserved tag allocation\n\nWe found a issue on production environment while using NVMe over RDMA,\nadmin_q reconnect failed forever while remote target and network is ok.\nAfter dig into it, we found it may caused by a ABBA deadlock due to tag\nallocation. In my case, the tag was hold by a keep alive request\nwaiting inside admin_q, as we quiesced admin_q while reset ctrl, so the\nrequest maked as idle and will not process before reset success. As\nfabric_q shares tagset with admin_q, while reconnect remote target, we\nneed a tag for connect command, but the only one reserved tag was held\nby keep alive command which waiting inside admin_q. As a result, we\nfailed to reconnect admin_q forever. In order to fix this issue, I\nthink we should keep two reserved tags for admin queue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27435\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27435\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27435\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27435\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27435\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8\",\n \"https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818\",\n \"https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96\",\n \"https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1d\",\n \"https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme: fix reconnection fail due to reserved tag allocation\\n\\nWe found a issue on production environment while using NVMe over RDMA,\\nadmin_q reconnect failed forever while remote target and network is ok.\\nAfter dig into it, we found it may caused by a ABBA deadlock due to tag\\nallocation. In my case, the tag was hold by a keep alive request\\nwaiting inside admin_q, as we quiesced admin_q while reset ctrl, so the\\nrequest maked as idle and will not process before reset success. As\\nfabric_q shares tagset with admin_q, while reconnect remote target, we\\nneed a tag for connect command, but the only one reserved tag was held\\nby keep alive command which waiting inside admin_q. As a result, we\\nfailed to reconnect admin_q forever. In order to fix this issue, I\\nthink we should keep two reserved tags for admin queue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27435\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27437", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27437" + }, + { + "url": "https://git.kernel.org/stable/c/139dfcc4d723ab13469881200c7d80f49d776060" + }, + { + "url": "https://git.kernel.org/stable/c/26389925d6c2126fb777821a0a983adca7ee6351" + }, + { + "url": "https://git.kernel.org/stable/c/2a4a666c45107206605b7b5bc20545f8aabc4fa2" + }, + { + "url": "https://git.kernel.org/stable/c/3b3491ad0f80d913e7d255941d4470f4a4d9bfda" + }, + { + "url": "https://git.kernel.org/stable/c/561d5e1998d58b54ce2bbbb3e843b669aa0b3db5" + }, + { + "url": "https://git.kernel.org/stable/c/b7a2f0955ffceffadfe098b40b50307431f45438" + }, + { + "url": "https://git.kernel.org/stable/c/bf0bc84a20e6109ab07d5dc072067bd01eb931ec" + }, + { + "url": "https://git.kernel.org/stable/c/fe9a7082684eb059b925c535682e68c34d487d43" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27437 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27437", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\n\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag. This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\n\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27437\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27437\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27437\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27437\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27437\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/139dfcc4d723ab13469881200c7d80f49d776060\",\n \"https://git.kernel.org/stable/c/26389925d6c2126fb777821a0a983adca7ee6351\",\n \"https://git.kernel.org/stable/c/2a4a666c45107206605b7b5bc20545f8aabc4fa2\",\n \"https://git.kernel.org/stable/c/3b3491ad0f80d913e7d255941d4470f4a4d9bfda\",\n \"https://git.kernel.org/stable/c/561d5e1998d58b54ce2bbbb3e843b669aa0b3db5\",\n \"https://git.kernel.org/stable/c/b7a2f0955ffceffadfe098b40b50307431f45438\",\n \"https://git.kernel.org/stable/c/bf0bc84a20e6109ab07d5dc072067bd01eb931ec\",\n \"https://git.kernel.org/stable/c/fe9a7082684eb059b925c535682e68c34d487d43\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\\n\\nCurrently for devices requiring masking at the irqchip for INTx, ie.\\ndevices without DisINTx support, the IRQ is enabled in request_irq()\\nand subsequently disabled as necessary to align with the masked status\\nflag. This presents a window where the interrupt could fire between\\nthese events, resulting in the IRQ incrementing the disable depth twice.\\nThis would be unrecoverable for a user since the masked flag prevents\\nnested enables through vfio.\\n\\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\\nis never auto-enabled, then unmask as required.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27437\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-31076", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-31076" + }, + { + "url": "https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f" + }, + { + "url": "https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76" + }, + { + "url": "https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420" + }, + { + "url": "https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8" + }, + { + "url": "https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32" + }, + { + "url": "https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30" + }, + { + "url": "https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1" + }, + { + "url": "https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-31076 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-31076", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\n\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\n\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\n\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\n\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\n\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\n\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\n\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\n\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-31076\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-31076\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-31076\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-31076\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-31076\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f\",\n \"https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76\",\n \"https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420\",\n \"https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8\",\n \"https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32\",\n \"https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30\",\n \"https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1\",\n \"https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\\n\\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\\ninterrupt affinity reconfiguration via procfs. Instead, the change is\\ndeferred until the next instance of the interrupt being triggered on the\\noriginal CPU.\\n\\nWhen the interrupt next triggers on the original CPU, the new affinity is\\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\\nbut the old vector on the original CPU remains and is not immediately\\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\\nprocess is delayed until the next trigger of the interrupt on the new CPU.\\n\\nUpon the subsequent triggering of the interrupt on the new CPU,\\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\\nremains online. Subsequently, the timer on the old CPU iterates over its\\nvector_cleanup list, reclaiming old vectors.\\n\\nHowever, a rare scenario arises if the old CPU is outgoing before the\\ninterrupt triggers again on the new CPU.\\n\\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\\nthough __vector_schedule_cleanup() is later called on the new CPU, it\\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\\napicd->move_in_progress and apicd->prev_vector to 0.\\n\\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\\nCPU vector leak.\\n\\nTo address this issue, move the invocation of irq_force_complete_move()\\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\\ninterrupt is currently or used to be affine to the outgoing CPU.\\n\\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\\nfollowing a warning message, although theoretically it should never see\\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-31076\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-33621", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-33621" + }, + { + "url": "https://git.kernel.org/stable/c/0049a623dfbbb49888de7f0c2f33a582b5ead989" + }, + { + "url": "https://git.kernel.org/stable/c/13c4543db34e0da5a7d2f550b6262d860f248381" + }, + { + "url": "https://git.kernel.org/stable/c/183c4b416454b9983dc1b8aa0022b748911adc48" + }, + { + "url": "https://git.kernel.org/stable/c/1abbf079da59ef559d0ab4219d2a0302f7970761" + }, + { + "url": "https://git.kernel.org/stable/c/54213c09801e0bd2549ac42961093be36f65a7d0" + }, + { + "url": "https://git.kernel.org/stable/c/54768bacfde60e8e4757968d79f8726711dd2cf5" + }, + { + "url": "https://git.kernel.org/stable/c/b3dc6e8003b500861fa307e9a3400c52e78e4d3a" + }, + { + "url": "https://git.kernel.org/stable/c/cb53706a3403ba67f4040b2a82d9cf79e11b1a48" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-33621 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-33621", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound\n\nRaw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will\nhit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.\n\nWARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70\nModules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper\nCPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:sk_mc_loop+0x2d/0x70\nCode: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c\nRSP: 0018:ffffa9584015cd78 EFLAGS: 00010212\nRAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001\nRDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000\nRBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00\nR10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000\nR13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000\nFS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n ? __warn (kernel/panic.c:693)\n ? sk_mc_loop (net/core/sock.c:760)\n ? report_bug (lib/bug.c:201 lib/bug.c:219)\n ? handle_bug (arch/x86/kernel/traps.c:239)\n ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\n ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\n ? sk_mc_loop (net/core/sock.c:760)\n ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))\n ? nf_hook_slow (net/netfilter/core.c:626)\n ip6_finish_output (net/ipv6/ip6_output.c:222)\n ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)\n ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan\n ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan\n dev_hard_start_xmit (net/core/dev.c:3594)\n sch_direct_xmit (net/sched/sch_generic.c:343)\n __qdisc_run (net/sched/sch_generic.c:416)\n net_tx_action (net/core/dev.c:5286)\n handle_softirqs (kernel/softirq.c:555)\n __irq_exit_rcu (kernel/softirq.c:589)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)\n\nThe warning triggers as this:\npacket_sendmsg\n packet_snd //skb->sk is packet sk\n __dev_queue_xmit\n __dev_xmit_skb //q->enqueue is not NULL\n __qdisc_run\n sch_direct_xmit\n dev_hard_start_xmit\n ipvlan_start_xmit\n ipvlan_xmit_mode_l3 //l3 mode\n ipvlan_process_outbound //vepa flag\n ipvlan_process_v6_outbound\n ip6_local_out\n __ip6_finish_output\n ip6_finish_output2 //multicast packet\n sk_mc_loop //sk->sk_family is AF_PACKET\n\nCall ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-33621\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-33621\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-33621\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-33621\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-33621\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0049a623dfbbb49888de7f0c2f33a582b5ead989\",\n \"https://git.kernel.org/stable/c/13c4543db34e0da5a7d2f550b6262d860f248381\",\n \"https://git.kernel.org/stable/c/183c4b416454b9983dc1b8aa0022b748911adc48\",\n \"https://git.kernel.org/stable/c/1abbf079da59ef559d0ab4219d2a0302f7970761\",\n \"https://git.kernel.org/stable/c/54213c09801e0bd2549ac42961093be36f65a7d0\",\n \"https://git.kernel.org/stable/c/54768bacfde60e8e4757968d79f8726711dd2cf5\",\n \"https://git.kernel.org/stable/c/b3dc6e8003b500861fa307e9a3400c52e78e4d3a\",\n \"https://git.kernel.org/stable/c/cb53706a3403ba67f4040b2a82d9cf79e11b1a48\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound\\n\\nRaw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will\\nhit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.\\n\\nWARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70\\nModules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper\\nCPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nRIP: 0010:sk_mc_loop+0x2d/0x70\\nCode: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c\\nRSP: 0018:ffffa9584015cd78 EFLAGS: 00010212\\nRAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001\\nRDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000\\nRBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00\\nR10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000\\nR13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000\\nFS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n\\n ? __warn (kernel/panic.c:693)\\n ? sk_mc_loop (net/core/sock.c:760)\\n ? report_bug (lib/bug.c:201 lib/bug.c:219)\\n ? handle_bug (arch/x86/kernel/traps.c:239)\\n ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\\n ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\\n ? sk_mc_loop (net/core/sock.c:760)\\n ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))\\n ? nf_hook_slow (net/netfilter/core.c:626)\\n ip6_finish_output (net/ipv6/ip6_output.c:222)\\n ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)\\n ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan\\n ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan\\n dev_hard_start_xmit (net/core/dev.c:3594)\\n sch_direct_xmit (net/sched/sch_generic.c:343)\\n __qdisc_run (net/sched/sch_generic.c:416)\\n net_tx_action (net/core/dev.c:5286)\\n handle_softirqs (kernel/softirq.c:555)\\n __irq_exit_rcu (kernel/softirq.c:589)\\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)\\n\\nThe warning triggers as this:\\npacket_sendmsg\\n packet_snd //skb->sk is packet sk\\n __dev_queue_xmit\\n __dev_xmit_skb //q->enqueue is not NULL\\n __qdisc_run\\n sch_direct_xmit\\n dev_hard_start_xmit\\n ipvlan_start_xmit\\n ipvlan_xmit_mode_l3 //l3 mode\\n ipvlan_process_outbound //vepa flag\\n ipvlan_process_v6_outbound\\n ip6_local_out\\n __ip6_finish_output\\n ip6_finish_output2 //multicast packet\\n sk_mc_loop //sk->sk_family is AF_PACKET\\n\\nCall ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-33621\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-33847", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-33847" + }, + { + "url": "https://git.kernel.org/stable/c/29ed2b5dd521ce7c5d8466cd70bf0cc9d07afeee" + }, + { + "url": "https://git.kernel.org/stable/c/3ccf5210dc941a7aa0180596ac021568be4d35ec" + }, + { + "url": "https://git.kernel.org/stable/c/5268241b41b1c5d0acca75e9b97d4fd719251c8c" + }, + { + "url": "https://git.kernel.org/stable/c/8acae047215024d1ac499b3c8337ef1b952f160b" + }, + { + "url": "https://git.kernel.org/stable/c/9f9341064a9b5246a32a7fe56b9f80c6f7f3c62d" + }, + { + "url": "https://git.kernel.org/stable/c/b8962cf98595d1ec62f40f23667de830567ec8bc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-33847 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-33847", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: don't allow unaligned truncation on released compress inode\n\nf2fs image may be corrupted after below testcase:\n- mkfs.f2fs -O extra_attr,compression -f /dev/vdb\n- mount /dev/vdb /mnt/f2fs\n- touch /mnt/f2fs/file\n- f2fs_io setflags compression /mnt/f2fs/file\n- dd if=/dev/zero of=/mnt/f2fs/file bs=4k count=4\n- f2fs_io release_cblocks /mnt/f2fs/file\n- truncate -s 8192 /mnt/f2fs/file\n- umount /mnt/f2fs\n- fsck.f2fs /dev/vdb\n\n[ASSERT] (fsck_chk_inode_blk:1256) --> ino: 0x5 has i_blocks: 0x00000002, but has 0x3 blocks\n[FSCK] valid_block_count matching with CP [Fail] [0x4, 0x5]\n[FSCK] other corrupted bugs [Fail]\n\nThe reason is: partial truncation assume compressed inode has reserved\nblocks, after partial truncation, valid block count may change w/o\n.i_blocks and .total_valid_block_count update, result in corruption.\n\nThis patch only allow cluster size aligned truncation on released\ncompress inode for fixing.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-33847\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-33847\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-33847\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-33847\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-33847\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29ed2b5dd521ce7c5d8466cd70bf0cc9d07afeee\",\n \"https://git.kernel.org/stable/c/3ccf5210dc941a7aa0180596ac021568be4d35ec\",\n \"https://git.kernel.org/stable/c/5268241b41b1c5d0acca75e9b97d4fd719251c8c\",\n \"https://git.kernel.org/stable/c/8acae047215024d1ac499b3c8337ef1b952f160b\",\n \"https://git.kernel.org/stable/c/9f9341064a9b5246a32a7fe56b9f80c6f7f3c62d\",\n \"https://git.kernel.org/stable/c/b8962cf98595d1ec62f40f23667de830567ec8bc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: compress: don't allow unaligned truncation on released compress inode\\n\\nf2fs image may be corrupted after below testcase:\\n- mkfs.f2fs -O extra_attr,compression -f /dev/vdb\\n- mount /dev/vdb /mnt/f2fs\\n- touch /mnt/f2fs/file\\n- f2fs_io setflags compression /mnt/f2fs/file\\n- dd if=/dev/zero of=/mnt/f2fs/file bs=4k count=4\\n- f2fs_io release_cblocks /mnt/f2fs/file\\n- truncate -s 8192 /mnt/f2fs/file\\n- umount /mnt/f2fs\\n- fsck.f2fs /dev/vdb\\n\\n[ASSERT] (fsck_chk_inode_blk:1256) --> ino: 0x5 has i_blocks: 0x00000002, but has 0x3 blocks\\n[FSCK] valid_block_count matching with CP [Fail] [0x4, 0x5]\\n[FSCK] other corrupted bugs [Fail]\\n\\nThe reason is: partial truncation assume compressed inode has reserved\\nblocks, after partial truncation, valid block count may change w/o\\n.i_blocks and .total_valid_block_count update, result in corruption.\\n\\nThis patch only allow cluster size aligned truncation on released\\ncompress inode for fixing.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-33847\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-34027", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-34027" + }, + { + "url": "https://git.kernel.org/stable/c/0a4ed2d97cb6d044196cc3e726b6699222b41019" + }, + { + "url": "https://git.kernel.org/stable/c/329edb7c9e3b6ca27e6ca67ab1cdda1740fb3a2b" + }, + { + "url": "https://git.kernel.org/stable/c/5d47d63883735718825ca2efc4fca6915469774f" + }, + { + "url": "https://git.kernel.org/stable/c/69136304fd144144a4828c7b7b149d0f80321ba4" + }, + { + "url": "https://git.kernel.org/stable/c/a6e1f7744e9b84f86a629a76024bba8468aa153b" + }, + { + "url": "https://git.kernel.org/stable/c/b5bac43875aa27ec032dbbb86173baae6dce6182" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-34027 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-34027", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\n\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\nto avoid racing with checkpoint, otherwise, filesystem metadata including\nblkaddr in dnode, inode fields and .total_valid_block_count may be\ncorrupted after SPO case.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-34027\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-34027\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-34027\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-34027\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-34027\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a4ed2d97cb6d044196cc3e726b6699222b41019\",\n \"https://git.kernel.org/stable/c/329edb7c9e3b6ca27e6ca67ab1cdda1740fb3a2b\",\n \"https://git.kernel.org/stable/c/5d47d63883735718825ca2efc4fca6915469774f\",\n \"https://git.kernel.org/stable/c/69136304fd144144a4828c7b7b149d0f80321ba4\",\n \"https://git.kernel.org/stable/c/a6e1f7744e9b84f86a629a76024bba8468aa153b\",\n \"https://git.kernel.org/stable/c/b5bac43875aa27ec032dbbb86173baae6dce6182\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\\n\\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\\nto avoid racing with checkpoint, otherwise, filesystem metadata including\\nblkaddr in dnode, inode fields and .total_valid_block_count may be\\ncorrupted after SPO case.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-34027\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-34777", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-34777" + }, + { + "url": "https://git.kernel.org/stable/c/1ff05e723f7ca30644b8ec3fb093f16312e408ad" + }, + { + "url": "https://git.kernel.org/stable/c/34a816d8735f3924b74be8e5bf766ade1f3bd10b" + }, + { + "url": "https://git.kernel.org/stable/c/35d31c8bd4722b107f5a2f5ddddce839de04b936" + }, + { + "url": "https://git.kernel.org/stable/c/63e7e05a48a35308aeddd7ecccb68363a5988e87" + }, + { + "url": "https://git.kernel.org/stable/c/c57874265a3c5206d7aece3793bb2fc9abcd7570" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-34777 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-34777", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: fix node id validation\n\nWhile validating node ids in map_benchmark_ioctl(), node_possible() may\nbe provided with invalid argument outside of [0,MAX_NUMNODES-1] range\nleading to:\n\nBUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nRead of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971\nCPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117)\nkasan_report (mm/kasan/report.c:603)\nkasan_check_range (mm/kasan/generic.c:189)\nvariable_test_bit (arch/x86/include/asm/bitops.h:227) [inline]\narch_test_bit (arch/x86/include/asm/bitops.h:239) [inline]\n_test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline]\nnode_state (include/linux/nodemask.h:423) [inline]\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nCompare node ids with sane bounds first. NUMA_NO_NODE is considered a\nspecial valid case meaning that benchmarking kthreads won't be bound to a\ncpuset of a given node.\n\nFound by Linux Verification Center (linuxtesting.org).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-34777\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-34777\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-34777\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-34777\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-34777\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ff05e723f7ca30644b8ec3fb093f16312e408ad\",\n \"https://git.kernel.org/stable/c/34a816d8735f3924b74be8e5bf766ade1f3bd10b\",\n \"https://git.kernel.org/stable/c/35d31c8bd4722b107f5a2f5ddddce839de04b936\",\n \"https://git.kernel.org/stable/c/63e7e05a48a35308aeddd7ecccb68363a5988e87\",\n \"https://git.kernel.org/stable/c/c57874265a3c5206d7aece3793bb2fc9abcd7570\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma-mapping: benchmark: fix node id validation\\n\\nWhile validating node ids in map_benchmark_ioctl(), node_possible() may\\nbe provided with invalid argument outside of [0,MAX_NUMNODES-1] range\\nleading to:\\n\\nBUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\\nRead of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971\\nCPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\\nCall Trace:\\n \\ndump_stack_lvl (lib/dump_stack.c:117)\\nkasan_report (mm/kasan/report.c:603)\\nkasan_check_range (mm/kasan/generic.c:189)\\nvariable_test_bit (arch/x86/include/asm/bitops.h:227) [inline]\\narch_test_bit (arch/x86/include/asm/bitops.h:239) [inline]\\n_test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline]\\nnode_state (include/linux/nodemask.h:423) [inline]\\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\\n__x64_sys_ioctl (fs/ioctl.c:890)\\ndo_syscall_64 (arch/x86/entry/common.c:83)\\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\nCompare node ids with sane bounds first. NUMA_NO_NODE is considered a\\nspecial valid case meaning that benchmarking kthreads won't be bound to a\\ncpuset of a given node.\\n\\nFound by Linux Verification Center (linuxtesting.org).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-34777\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35247", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35247" + }, + { + "url": "https://git.kernel.org/stable/c/2279c09c36165ccded4d506d11a7714e13b56019" + }, + { + "url": "https://git.kernel.org/stable/c/26e6e25d742e29885cf44274fcf6b744366c4702" + }, + { + "url": "https://git.kernel.org/stable/c/4d7d12b643c00e7eea51b49a60a2ead182633ec8" + }, + { + "url": "https://git.kernel.org/stable/c/75a001914a8d2ccdcbe4b8cc7e94ac71d0e66093" + }, + { + "url": "https://git.kernel.org/stable/c/9b4eee8572dcf82b2ed17d9a328c7fb87df2f0e8" + }, + { + "url": "https://git.kernel.org/stable/c/b7c0e1ecee403a43abc89eb3e75672b01ff2ece9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35247 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35247", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: region: add owner module and take its refcount\n\nThe current implementation of the fpga region assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the region\nduring programming if the parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_region\nstruct and use it to take the module's refcount. Modify the functions for\nregistering a region to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the region as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a region without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga region.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35247\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35247\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35247\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35247\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35247\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2279c09c36165ccded4d506d11a7714e13b56019\",\n \"https://git.kernel.org/stable/c/26e6e25d742e29885cf44274fcf6b744366c4702\",\n \"https://git.kernel.org/stable/c/4d7d12b643c00e7eea51b49a60a2ead182633ec8\",\n \"https://git.kernel.org/stable/c/75a001914a8d2ccdcbe4b8cc7e94ac71d0e66093\",\n \"https://git.kernel.org/stable/c/9b4eee8572dcf82b2ed17d9a328c7fb87df2f0e8\",\n \"https://git.kernel.org/stable/c/b7c0e1ecee403a43abc89eb3e75672b01ff2ece9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfpga: region: add owner module and take its refcount\\n\\nThe current implementation of the fpga region assumes that the low-level\\nmodule registers a driver for the parent device and uses its owner pointer\\nto take the module's refcount. This approach is problematic since it can\\nlead to a null pointer dereference while attempting to get the region\\nduring programming if the parent device does not have a driver.\\n\\nTo address this problem, add a module owner pointer to the fpga_region\\nstruct and use it to take the module's refcount. Modify the functions for\\nregistering a region to take an additional owner module parameter and\\nrename them to avoid conflicts. Use the old function names for helper\\nmacros that automatically set the module that registers the region as the\\nowner. This ensures compatibility with existing low-level control modules\\nand reduces the chances of registering a region without setting the owner.\\n\\nAlso, update the documentation to keep it consistent with the new interface\\nfor registering an fpga region.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35247\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35784", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35784" + }, + { + "url": "https://git.kernel.org/stable/c/89bca7fe6382d61e88c67a0b0e7bce315986fb8b" + }, + { + "url": "https://git.kernel.org/stable/c/b0ad381fa7690244802aed119b478b4bdafc31dd" + }, + { + "url": "https://git.kernel.org/stable/c/ded566b4637f1b6b4c9ba74e7d0b8493e93f19cf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35784 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35784", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock with fiemap and extent locking\n\nWhile working on the patchset to remove extent locking I got a lockdep\nsplat with fiemap and pagefaulting with my new extent lock replacement\nlock.\n\nThis deadlock exists with our normal code, we just don't have lockdep\nannotations with the extent locking so we've never noticed it.\n\nSince we're copying the fiemap extent to user space on every iteration\nwe have the chance of pagefaulting. Because we hold the extent lock for\nthe entire range we could mkwrite into a range in the file that we have\nmmap'ed. This would deadlock with the following stack trace\n\n[<0>] lock_extent+0x28d/0x2f0\n[<0>] btrfs_page_mkwrite+0x273/0x8a0\n[<0>] do_page_mkwrite+0x50/0xb0\n[<0>] do_fault+0xc1/0x7b0\n[<0>] __handle_mm_fault+0x2fa/0x460\n[<0>] handle_mm_fault+0xa4/0x330\n[<0>] do_user_addr_fault+0x1f4/0x800\n[<0>] exc_page_fault+0x7c/0x1e0\n[<0>] asm_exc_page_fault+0x26/0x30\n[<0>] rep_movs_alternative+0x33/0x70\n[<0>] _copy_to_user+0x49/0x70\n[<0>] fiemap_fill_next_extent+0xc8/0x120\n[<0>] emit_fiemap_extent+0x4d/0xa0\n[<0>] extent_fiemap+0x7f8/0xad0\n[<0>] btrfs_fiemap+0x49/0x80\n[<0>] __x64_sys_ioctl+0x3e1/0xb50\n[<0>] do_syscall_64+0x94/0x1a0\n[<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nI wrote an fstest to reproduce this deadlock without my replacement lock\nand verified that the deadlock exists with our existing locking.\n\nTo fix this simply don't take the extent lock for the entire duration of\nthe fiemap. This is safe in general because we keep track of where we\nare when we're searching the tree, so if an ordered extent updates in\nthe middle of our fiemap call we'll still emit the correct extents\nbecause we know what offset we were on before.\n\nThe only place we maintain the lock is searching delalloc. Since the\ndelalloc stuff can change during writeback we want to lock the extent\nrange so we have a consistent view of delalloc at the time we're\nchecking to see if we need to set the delalloc flag.\n\nWith this patch applied we no longer deadlock with my testcase.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35784\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35784\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35784\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35784\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35784\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/89bca7fe6382d61e88c67a0b0e7bce315986fb8b\",\n \"https://git.kernel.org/stable/c/b0ad381fa7690244802aed119b478b4bdafc31dd\",\n \"https://git.kernel.org/stable/c/ded566b4637f1b6b4c9ba74e7d0b8493e93f19cf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix deadlock with fiemap and extent locking\\n\\nWhile working on the patchset to remove extent locking I got a lockdep\\nsplat with fiemap and pagefaulting with my new extent lock replacement\\nlock.\\n\\nThis deadlock exists with our normal code, we just don't have lockdep\\nannotations with the extent locking so we've never noticed it.\\n\\nSince we're copying the fiemap extent to user space on every iteration\\nwe have the chance of pagefaulting. Because we hold the extent lock for\\nthe entire range we could mkwrite into a range in the file that we have\\nmmap'ed. This would deadlock with the following stack trace\\n\\n[<0>] lock_extent+0x28d/0x2f0\\n[<0>] btrfs_page_mkwrite+0x273/0x8a0\\n[<0>] do_page_mkwrite+0x50/0xb0\\n[<0>] do_fault+0xc1/0x7b0\\n[<0>] __handle_mm_fault+0x2fa/0x460\\n[<0>] handle_mm_fault+0xa4/0x330\\n[<0>] do_user_addr_fault+0x1f4/0x800\\n[<0>] exc_page_fault+0x7c/0x1e0\\n[<0>] asm_exc_page_fault+0x26/0x30\\n[<0>] rep_movs_alternative+0x33/0x70\\n[<0>] _copy_to_user+0x49/0x70\\n[<0>] fiemap_fill_next_extent+0xc8/0x120\\n[<0>] emit_fiemap_extent+0x4d/0xa0\\n[<0>] extent_fiemap+0x7f8/0xad0\\n[<0>] btrfs_fiemap+0x49/0x80\\n[<0>] __x64_sys_ioctl+0x3e1/0xb50\\n[<0>] do_syscall_64+0x94/0x1a0\\n[<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\nI wrote an fstest to reproduce this deadlock without my replacement lock\\nand verified that the deadlock exists with our existing locking.\\n\\nTo fix this simply don't take the extent lock for the entire duration of\\nthe fiemap. This is safe in general because we keep track of where we\\nare when we're searching the tree, so if an ordered extent updates in\\nthe middle of our fiemap call we'll still emit the correct extents\\nbecause we know what offset we were on before.\\n\\nThe only place we maintain the lock is searching delalloc. Since the\\ndelalloc stuff can change during writeback we want to lock the extent\\nrange so we have a consistent view of delalloc at the time we're\\nchecking to see if we need to set the delalloc flag.\\n\\nWith this patch applied we no longer deadlock with my testcase.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35784\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35785", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35785" + }, + { + "url": "https://git.kernel.org/stable/c/4b12ff5edd141926d49c9ace4791adf3a4902fe7" + }, + { + "url": "https://git.kernel.org/stable/c/520f79c110ff712b391b3d87fcacf03c74bc56ee" + }, + { + "url": "https://git.kernel.org/stable/c/95915ba4b987cf2b222b0f251280228a1ff977ac" + }, + { + "url": "https://git.kernel.org/stable/c/bc40ded92af55760d12bec8222d4108de725dbe4" + }, + { + "url": "https://git.kernel.org/stable/c/bfa344afbe472a9be08f78551fa2190c1a07d7d3" + }, + { + "url": "https://git.kernel.org/stable/c/e5b5948c769aa1ebf962dddfb972f87d8f166f95" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35785 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35785", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix kernel panic caused by incorrect error handling\n\nThe error path while failing to register devices on the TEE bus has a\nbug leading to kernel panic as follows:\n\n[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c\n[ 15.406913] Mem abort info:\n[ 15.409722] ESR = 0x0000000096000005\n[ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 15.418814] SET = 0, FnV = 0\n[ 15.421878] EA = 0, S1PTW = 0\n[ 15.425031] FSC = 0x05: level 1 translation fault\n[ 15.429922] Data abort info:\n[ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000\n[ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000\n[ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n\nCommit 7269cba53d90 (\"tee: optee: Fix supplicant based device enumeration\")\nlead to the introduction of this bug. So fix it appropriately.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35785\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35785\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35785\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35785\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35785\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b12ff5edd141926d49c9ace4791adf3a4902fe7\",\n \"https://git.kernel.org/stable/c/520f79c110ff712b391b3d87fcacf03c74bc56ee\",\n \"https://git.kernel.org/stable/c/95915ba4b987cf2b222b0f251280228a1ff977ac\",\n \"https://git.kernel.org/stable/c/bc40ded92af55760d12bec8222d4108de725dbe4\",\n \"https://git.kernel.org/stable/c/bfa344afbe472a9be08f78551fa2190c1a07d7d3\",\n \"https://git.kernel.org/stable/c/e5b5948c769aa1ebf962dddfb972f87d8f166f95\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntee: optee: Fix kernel panic caused by incorrect error handling\\n\\nThe error path while failing to register devices on the TEE bus has a\\nbug leading to kernel panic as follows:\\n\\n[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c\\n[ 15.406913] Mem abort info:\\n[ 15.409722] ESR = 0x0000000096000005\\n[ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits\\n[ 15.418814] SET = 0, FnV = 0\\n[ 15.421878] EA = 0, S1PTW = 0\\n[ 15.425031] FSC = 0x05: level 1 translation fault\\n[ 15.429922] Data abort info:\\n[ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\\n[ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n[ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n[ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000\\n[ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000\\n[ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\\n\\nCommit 7269cba53d90 (\\\"tee: optee: Fix supplicant based device enumeration\\\")\\nlead to the introduction of this bug. So fix it appropriately.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35785\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35789", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35789" + }, + { + "url": "https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc" + }, + { + "url": "https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685" + }, + { + "url": "https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7" + }, + { + "url": "https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b" + }, + { + "url": "https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931" + }, + { + "url": "https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f" + }, + { + "url": "https://git.kernel.org/stable/c/e8678551c0243f799b4859448781cbec1bd6f1cb" + }, + { + "url": "https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e" + }, + { + "url": "https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35789 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35789", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\n\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\nafter the VLAN change.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35789\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35789\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35789\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35789\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35789\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc\",\n \"https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685\",\n \"https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7\",\n \"https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b\",\n \"https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931\",\n \"https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f\",\n \"https://git.kernel.org/stable/c/e8678551c0243f799b4859448781cbec1bd6f1cb\",\n \"https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e\",\n \"https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\\n\\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\\nafter the VLAN change.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35789\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35790", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35790" + }, + { + "url": "https://git.kernel.org/stable/c/0ad011776c057ce881b7fd6d8c79ecd459c087e9" + }, + { + "url": "https://git.kernel.org/stable/c/165376f6b23e9a779850e750fb2eb06622e5a531" + }, + { + "url": "https://git.kernel.org/stable/c/4a22aeac24d0d5f26ba741408e8b5a4be6dc5dc0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35790 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35790", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group\n\nThe DisplayPort driver's sysfs nodes may be present to the userspace before\ntypec_altmode_set_drvdata() completes in dp_altmode_probe. This means that\na sysfs read can trigger a NULL pointer error by deferencing dp->hpd in\nhpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns\nNULL in those cases.\n\nRemove manual sysfs node creation in favor of adding attribute group as\ndefault for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is\nnot used here otherwise the path to the sysfs nodes is no longer compliant\nwith the ABI.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35790\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35790\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35790\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35790\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35790\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ad011776c057ce881b7fd6d8c79ecd459c087e9\",\n \"https://git.kernel.org/stable/c/165376f6b23e9a779850e750fb2eb06622e5a531\",\n \"https://git.kernel.org/stable/c/4a22aeac24d0d5f26ba741408e8b5a4be6dc5dc0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group\\n\\nThe DisplayPort driver's sysfs nodes may be present to the userspace before\\ntypec_altmode_set_drvdata() completes in dp_altmode_probe. This means that\\na sysfs read can trigger a NULL pointer error by deferencing dp->hpd in\\nhpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns\\nNULL in those cases.\\n\\nRemove manual sysfs node creation in favor of adding attribute group as\\ndefault for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is\\nnot used here otherwise the path to the sysfs nodes is no longer compliant\\nwith the ABI.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35790\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35791", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35791" + }, + { + "url": "https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4" + }, + { + "url": "https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d" + }, + { + "url": "https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865" + }, + { + "url": "https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807" + }, + { + "url": "https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7" + }, + { + "url": "https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35791 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35791", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\n\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm->lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\n\nNote, the \"obvious\" alternative of using local variables doesn't fully\nresolve the bug, as region->pages is also dynamically allocated. I.e. the\nregion structure itself would be fine, but region->pages could be freed.\n\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35791\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35791\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35791\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35791\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35791\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4\",\n \"https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d\",\n \"https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865\",\n \"https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807\",\n \"https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7\",\n \"https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\\n\\nDo the cache flush of converted pages in svm_register_enc_region() before\\ndropping kvm->lock to fix use-after-free issues where region and/or its\\narray of pages could be freed by a different task, e.g. if userspace has\\n__unregister_enc_region_locked() already queued up for the region.\\n\\nNote, the \\\"obvious\\\" alternative of using local variables doesn't fully\\nresolve the bug, as region->pages is also dynamically allocated. I.e. the\\nregion structure itself would be fine, but region->pages could be freed.\\n\\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\\nflow is a rare slow path, and the manual flush is only needed on CPUs that\\nlack coherency for encrypted memory.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35791\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35794", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35794" + }, + { + "url": "https://git.kernel.org/stable/c/16c4770c75b1223998adbeb7286f9a15c65fba73" + }, + { + "url": "https://git.kernel.org/stable/c/af916cb66a80597f3523bc85812e790bcdcfd62b" + }, + { + "url": "https://git.kernel.org/stable/c/eaa8fc9b092837cf2c754bde1a15d784ce9a85ab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35794 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35794", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid: really frozen sync_thread during suspend\n\n1) commit f52f5c71f3d4 (\"md: fix stopping sync thread\") remove\n MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that\n dm-raid relies on __md_stop_writes() to frozen sync_thread\n indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in\n md_stop_writes(), and since stop_sync_thread() is only used for\n dm-raid in this case, also move stop_sync_thread() to\n md_stop_writes().\n2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen,\n it only prevent new sync_thread to start, and it can't stop the\n running sync thread; In order to frozen sync_thread, after seting the\n flag, stop_sync_thread() should be used.\n3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use\n it as condition for md_stop_writes() in raid_postsuspend() doesn't\n look correct. Consider that reentrant stop_sync_thread() do nothing,\n always call md_stop_writes() in raid_postsuspend().\n4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime,\n and if MD_RECOVERY_FROZEN is cleared while the array is suspended,\n new sync_thread can start unexpected. Fix this by disallow\n raid_message() to change sync_thread status during suspend.\n\nNote that after commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), the\ntest shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(),\nand with previous fixes, the test won't hang there anymore, however, the\ntest will still fail and complain that ext4 is corrupted. And with this\npatch, the test won't hang due to stop_sync_thread() or fail due to ext4\nis corrupted anymore. However, there is still a deadlock related to\ndm-raid456 that will be fixed in following patches.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35794\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35794\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35794\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35794\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35794\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16c4770c75b1223998adbeb7286f9a15c65fba73\",\n \"https://git.kernel.org/stable/c/af916cb66a80597f3523bc85812e790bcdcfd62b\",\n \"https://git.kernel.org/stable/c/eaa8fc9b092837cf2c754bde1a15d784ce9a85ab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndm-raid: really frozen sync_thread during suspend\\n\\n1) commit f52f5c71f3d4 (\\\"md: fix stopping sync thread\\\") remove\\n MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that\\n dm-raid relies on __md_stop_writes() to frozen sync_thread\\n indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in\\n md_stop_writes(), and since stop_sync_thread() is only used for\\n dm-raid in this case, also move stop_sync_thread() to\\n md_stop_writes().\\n2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen,\\n it only prevent new sync_thread to start, and it can't stop the\\n running sync thread; In order to frozen sync_thread, after seting the\\n flag, stop_sync_thread() should be used.\\n3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use\\n it as condition for md_stop_writes() in raid_postsuspend() doesn't\\n look correct. Consider that reentrant stop_sync_thread() do nothing,\\n always call md_stop_writes() in raid_postsuspend().\\n4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime,\\n and if MD_RECOVERY_FROZEN is cleared while the array is suspended,\\n new sync_thread can start unexpected. Fix this by disallow\\n raid_message() to change sync_thread status during suspend.\\n\\nNote that after commit f52f5c71f3d4 (\\\"md: fix stopping sync thread\\\"), the\\ntest shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(),\\nand with previous fixes, the test won't hang there anymore, however, the\\ntest will still fail and complain that ext4 is corrupted. And with this\\npatch, the test won't hang due to stop_sync_thread() or fail due to ext4\\nis corrupted anymore. However, there is still a deadlock related to\\ndm-raid456 that will be fixed in following patches.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35794\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35796", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35796" + }, + { + "url": "https://git.kernel.org/stable/c/3a38a829c8bc27d78552c28e582eb1d885d07d11" + }, + { + "url": "https://git.kernel.org/stable/c/46efbdbc95a30951c2579caf97b6df2ee2b3bef3" + }, + { + "url": "https://git.kernel.org/stable/c/476eed5f1c22034774902a980aa48dc4662cb39a" + }, + { + "url": "https://git.kernel.org/stable/c/553d294db94b5f139378022df480a9fb6c3ae39e" + }, + { + "url": "https://git.kernel.org/stable/c/6d9395ba7f85bdb7af0b93272e537484ecbeff48" + }, + { + "url": "https://git.kernel.org/stable/c/7e9edb569fd9f688d887e36db8170f6e22bafbc8" + }, + { + "url": "https://git.kernel.org/stable/c/92c0c29f667870f17c0b764544bdf22ce0e886a1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35796 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35796", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ll_temac: platform_get_resource replaced by wrong function\n\nThe function platform_get_resource was replaced with\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\n\nThis eventually ends up in platform_get_resource_byname in the call\nstack, where it causes a null pointer in strcmp.\n\n\tif (type == resource_type(r) && !strcmp(r->name, name))\n\nIt should have been replaced with devm_platform_ioremap_resource.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35796\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35796\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35796\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35796\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35796\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3a38a829c8bc27d78552c28e582eb1d885d07d11\",\n \"https://git.kernel.org/stable/c/46efbdbc95a30951c2579caf97b6df2ee2b3bef3\",\n \"https://git.kernel.org/stable/c/476eed5f1c22034774902a980aa48dc4662cb39a\",\n \"https://git.kernel.org/stable/c/553d294db94b5f139378022df480a9fb6c3ae39e\",\n \"https://git.kernel.org/stable/c/6d9395ba7f85bdb7af0b93272e537484ecbeff48\",\n \"https://git.kernel.org/stable/c/7e9edb569fd9f688d887e36db8170f6e22bafbc8\",\n \"https://git.kernel.org/stable/c/92c0c29f667870f17c0b764544bdf22ce0e886a1\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ll_temac: platform_get_resource replaced by wrong function\\n\\nThe function platform_get_resource was replaced with\\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\\n\\nThis eventually ends up in platform_get_resource_byname in the call\\nstack, where it causes a null pointer in strcmp.\\n\\n\\tif (type == resource_type(r) && !strcmp(r->name, name))\\n\\nIt should have been replaced with devm_platform_ioremap_resource.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35796\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35799", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35799" + }, + { + "url": "https://git.kernel.org/stable/c/2b17133a0a2e0e111803124dad09e803718d4a48" + }, + { + "url": "https://git.kernel.org/stable/c/4356a2c3f296503c8b420ae8adece053960a9f06" + }, + { + "url": "https://git.kernel.org/stable/c/59772327d439874095516673b4b30c48bd83ca38" + }, + { + "url": "https://git.kernel.org/stable/c/72d72e8fddbcd6c98e1b02d32cf6f2b04e10bd1c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35799 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35799", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Prevent crash when disable stream\n\n[Why]\nDisabling stream encoder invokes a function that no longer exists.\n\n[How]\nCheck if the function declaration is NULL in disable stream encoder.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35799\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35799\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35799\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35799\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35799\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b17133a0a2e0e111803124dad09e803718d4a48\",\n \"https://git.kernel.org/stable/c/4356a2c3f296503c8b420ae8adece053960a9f06\",\n \"https://git.kernel.org/stable/c/59772327d439874095516673b4b30c48bd83ca38\",\n \"https://git.kernel.org/stable/c/72d72e8fddbcd6c98e1b02d32cf6f2b04e10bd1c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Prevent crash when disable stream\\n\\n[Why]\\nDisabling stream encoder invokes a function that no longer exists.\\n\\n[How]\\nCheck if the function declaration is NULL in disable stream encoder.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35799\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35801", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35801" + }, + { + "url": "https://git.kernel.org/stable/c/10e4b5166df9ff7a2d5316138ca668b42d004422" + }, + { + "url": "https://git.kernel.org/stable/c/1acbca933313aa866e39996904c9aca4d435c4cd" + }, + { + "url": "https://git.kernel.org/stable/c/21c7c00dae55cb0e3810d5f9506b58f68475d41d" + }, + { + "url": "https://git.kernel.org/stable/c/92b0f04e937665bde5768f3fcc622dcce44413d8" + }, + { + "url": "https://git.kernel.org/stable/c/b61e3b7055ac6edee4be071c52f48c26472d2624" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35801 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35801", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\n\nCommit 672365477ae8 (\"x86/fpu: Update XFD state where required\") and\ncommit 8bf26758ca96 (\"x86/fpu: Add XFD state to fpstate\") introduced a\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\norder to avoid unnecessary writes to the MSR.\n\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\nwipes out any stale state. But the per CPU cached xfd value is not\nreset, which brings them out of sync.\n\nAs a consequence a subsequent xfd_update_state() might fail to update\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\nspace, which crashes the kernel.\n\nTo fix this, introduce xfd_set_state() to write xfd_state together\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35801\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35801\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35801\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35801\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35801\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10e4b5166df9ff7a2d5316138ca668b42d004422\",\n \"https://git.kernel.org/stable/c/1acbca933313aa866e39996904c9aca4d435c4cd\",\n \"https://git.kernel.org/stable/c/21c7c00dae55cb0e3810d5f9506b58f68475d41d\",\n \"https://git.kernel.org/stable/c/92b0f04e937665bde5768f3fcc622dcce44413d8\",\n \"https://git.kernel.org/stable/c/b61e3b7055ac6edee4be071c52f48c26472d2624\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\\n\\nCommit 672365477ae8 (\\\"x86/fpu: Update XFD state where required\\\") and\\ncommit 8bf26758ca96 (\\\"x86/fpu: Add XFD state to fpstate\\\") introduced a\\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\\norder to avoid unnecessary writes to the MSR.\\n\\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\\nwipes out any stale state. But the per CPU cached xfd value is not\\nreset, which brings them out of sync.\\n\\nAs a consequence a subsequent xfd_update_state() might fail to update\\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\\nspace, which crashes the kernel.\\n\\nTo fix this, introduce xfd_set_state() to write xfd_state together\\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35801\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35803", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35803" + }, + { + "url": "https://git.kernel.org/stable/c/2149f8a56e2ed345c7a4d022a79f6b8fc53ae926" + }, + { + "url": "https://git.kernel.org/stable/c/725351c036452b7db5771a7bed783564bc4b99cc" + }, + { + "url": "https://git.kernel.org/stable/c/930775060ca348b8665f60eef14b204172d14f31" + }, + { + "url": "https://git.kernel.org/stable/c/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02" + }, + { + "url": "https://git.kernel.org/stable/c/fba7ee7187581b5bc222003e73e2592b398bb06d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35803 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35803", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/efistub: Call mixed mode boot services on the firmware's stack\n\nNormally, the EFI stub calls into the EFI boot services using the stack\nthat was live when the stub was entered. According to the UEFI spec,\nthis stack needs to be at least 128k in size - this might seem large but\nall asynchronous processing and event handling in EFI runs from the same\nstack and so quite a lot of space may be used in practice.\n\nIn mixed mode, the situation is a bit different: the bootloader calls\nthe 32-bit EFI stub entry point, which calls the decompressor's 32-bit\nentry point, where the boot stack is set up, using a fixed allocation\nof 16k. This stack is still in use when the EFI stub is started in\n64-bit mode, and so all calls back into the EFI firmware will be using\nthe decompressor's limited boot stack.\n\nDue to the placement of the boot stack right after the boot heap, any\nstack overruns have gone unnoticed. However, commit\n\n 5c4feadb0011983b (\"x86/decompressor: Move global symbol references to C code\")\n\nmoved the definition of the boot heap into C code, and now the boot\nstack is placed right at the base of BSS, where any overruns will\ncorrupt the end of the .data section.\n\nWhile it would be possible to work around this by increasing the size of\nthe boot stack, doing so would affect all x86 systems, and mixed mode\nsystems are a tiny (and shrinking) fraction of the x86 installed base.\n\nSo instead, record the firmware stack pointer value when entering from\nthe 32-bit firmware, and switch to this stack every time a EFI boot\nservice call is made.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35803\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35803\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35803\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35803\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35803\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2149f8a56e2ed345c7a4d022a79f6b8fc53ae926\",\n \"https://git.kernel.org/stable/c/725351c036452b7db5771a7bed783564bc4b99cc\",\n \"https://git.kernel.org/stable/c/930775060ca348b8665f60eef14b204172d14f31\",\n \"https://git.kernel.org/stable/c/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02\",\n \"https://git.kernel.org/stable/c/fba7ee7187581b5bc222003e73e2592b398bb06d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/efistub: Call mixed mode boot services on the firmware's stack\\n\\nNormally, the EFI stub calls into the EFI boot services using the stack\\nthat was live when the stub was entered. According to the UEFI spec,\\nthis stack needs to be at least 128k in size - this might seem large but\\nall asynchronous processing and event handling in EFI runs from the same\\nstack and so quite a lot of space may be used in practice.\\n\\nIn mixed mode, the situation is a bit different: the bootloader calls\\nthe 32-bit EFI stub entry point, which calls the decompressor's 32-bit\\nentry point, where the boot stack is set up, using a fixed allocation\\nof 16k. This stack is still in use when the EFI stub is started in\\n64-bit mode, and so all calls back into the EFI firmware will be using\\nthe decompressor's limited boot stack.\\n\\nDue to the placement of the boot stack right after the boot heap, any\\nstack overruns have gone unnoticed. However, commit\\n\\n 5c4feadb0011983b (\\\"x86/decompressor: Move global symbol references to C code\\\")\\n\\nmoved the definition of the boot heap into C code, and now the boot\\nstack is placed right at the base of BSS, where any overruns will\\ncorrupt the end of the .data section.\\n\\nWhile it would be possible to work around this by increasing the size of\\nthe boot stack, doing so would affect all x86 systems, and mixed mode\\nsystems are a tiny (and shrinking) fraction of the x86 installed base.\\n\\nSo instead, record the firmware stack pointer value when entering from\\nthe 32-bit firmware, and switch to this stack every time a EFI boot\\nservice call is made.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35803\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35804", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35804" + }, + { + "url": "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71" + }, + { + "url": "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06" + }, + { + "url": "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902" + }, + { + "url": "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551" + }, + { + "url": "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35804 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35804", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\n\nWhen emulating an atomic access on behalf of the guest, mark the target\ngfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This\nfixes a bug where KVM effectively corrupts guest memory during live\nmigration by writing to guest memory without informing userspace that the\npage is dirty.\n\nMarking the page dirty got unintentionally dropped when KVM's emulated\nCMPXCHG was converted to do a user access. Before that, KVM explicitly\nmapped the guest page into kernel memory, and marked the page dirty during\nthe unmap phase.\n\nMark the page dirty even if the CMPXCHG fails, as the old data is written\nback on failure, i.e. the page is still written. The value written is\nguaranteed to be the same because the operation is atomic, but KVM's ABI\nis that all writes are dirty logged regardless of the value written. And\nmore importantly, that's what KVM did before the buggy commit.\n\nHuge kudos to the folks on the Cc list (and many others), who did all the\nactual work of triaging and debugging.\n\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35804\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35804\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35804\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35804\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35804\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71\",\n \"https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06\",\n \"https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902\",\n \"https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551\",\n \"https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\\n\\nWhen emulating an atomic access on behalf of the guest, mark the target\\ngfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This\\nfixes a bug where KVM effectively corrupts guest memory during live\\nmigration by writing to guest memory without informing userspace that the\\npage is dirty.\\n\\nMarking the page dirty got unintentionally dropped when KVM's emulated\\nCMPXCHG was converted to do a user access. Before that, KVM explicitly\\nmapped the guest page into kernel memory, and marked the page dirty during\\nthe unmap phase.\\n\\nMark the page dirty even if the CMPXCHG fails, as the old data is written\\nback on failure, i.e. the page is still written. The value written is\\nguaranteed to be the same because the operation is atomic, but KVM's ABI\\nis that all writes are dirty logged regardless of the value written. And\\nmore importantly, that's what KVM did before the buggy commit.\\n\\nHuge kudos to the folks on the Cc list (and many others), who did all the\\nactual work of triaging and debugging.\\n\\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35804\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35805", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35805" + }, + { + "url": "https://git.kernel.org/stable/c/116562e804ffc9dc600adab6326dde31d72262c7" + }, + { + "url": "https://git.kernel.org/stable/c/3d47eb405781cc5127deca9a14e24b27696087a1" + }, + { + "url": "https://git.kernel.org/stable/c/5f4ad4d0b0943296287313db60b3f84df4aad683" + }, + { + "url": "https://git.kernel.org/stable/c/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc" + }, + { + "url": "https://git.kernel.org/stable/c/9759ff196e7d248bcf8386a7451d6ff8537a7d9c" + }, + { + "url": "https://git.kernel.org/stable/c/e50f83061ac250f90710757a3e51b70a200835e2" + }, + { + "url": "https://git.kernel.org/stable/c/e7d4cff57c3c43fdd72342c78d4138f509c7416e" + }, + { + "url": "https://git.kernel.org/stable/c/fa5c055800a7fd49a36bbb52593aca4ea986a366" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35805 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35805", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm snapshot: fix lockup in dm_exception_table_exit\n\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35805\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35805\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35805\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35805\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35805\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/116562e804ffc9dc600adab6326dde31d72262c7\",\n \"https://git.kernel.org/stable/c/3d47eb405781cc5127deca9a14e24b27696087a1\",\n \"https://git.kernel.org/stable/c/5f4ad4d0b0943296287313db60b3f84df4aad683\",\n \"https://git.kernel.org/stable/c/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc\",\n \"https://git.kernel.org/stable/c/9759ff196e7d248bcf8386a7451d6ff8537a7d9c\",\n \"https://git.kernel.org/stable/c/e50f83061ac250f90710757a3e51b70a200835e2\",\n \"https://git.kernel.org/stable/c/e7d4cff57c3c43fdd72342c78d4138f509c7416e\",\n \"https://git.kernel.org/stable/c/fa5c055800a7fd49a36bbb52593aca4ea986a366\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndm snapshot: fix lockup in dm_exception_table_exit\\n\\nThere was reported lockup when we exit a snapshot with many exceptions.\\nFix this by adding \\\"cond_resched\\\" to the loop that frees the exceptions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35805\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35806", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35806" + }, + { + "url": "https://git.kernel.org/stable/c/0e6521b0f93ff350434ed4ae61a250907e65d397" + }, + { + "url": "https://git.kernel.org/stable/c/276af8efb05c8e47acf2738a5609dd72acfc703f" + }, + { + "url": "https://git.kernel.org/stable/c/584c2a9184a33a40fceee838f856de3cffa19be3" + }, + { + "url": "https://git.kernel.org/stable/c/62c3ecd2833cff0eff4a82af4082c44ca8d2518a" + }, + { + "url": "https://git.kernel.org/stable/c/a62168653774c36398d65846a98034436ee66d03" + }, + { + "url": "https://git.kernel.org/stable/c/af25c5180b2b1796342798f6c56fcfd12f5035bd" + }, + { + "url": "https://git.kernel.org/stable/c/b56a793f267679945d1fdb9a280013bd2d0ed7f9" + }, + { + "url": "https://git.kernel.org/stable/c/dd199e5b759ffe349622a4b8fbcafc51fc51b1ec" + }, + { + "url": "https://git.kernel.org/stable/c/e6378314bb920acb39013051fa65d8f9f8030430" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35806 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35806", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\n\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35806\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35806\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35806\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35806\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35806\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e6521b0f93ff350434ed4ae61a250907e65d397\",\n \"https://git.kernel.org/stable/c/276af8efb05c8e47acf2738a5609dd72acfc703f\",\n \"https://git.kernel.org/stable/c/584c2a9184a33a40fceee838f856de3cffa19be3\",\n \"https://git.kernel.org/stable/c/62c3ecd2833cff0eff4a82af4082c44ca8d2518a\",\n \"https://git.kernel.org/stable/c/a62168653774c36398d65846a98034436ee66d03\",\n \"https://git.kernel.org/stable/c/af25c5180b2b1796342798f6c56fcfd12f5035bd\",\n \"https://git.kernel.org/stable/c/b56a793f267679945d1fdb9a280013bd2d0ed7f9\",\n \"https://git.kernel.org/stable/c/dd199e5b759ffe349622a4b8fbcafc51fc51b1ec\",\n \"https://git.kernel.org/stable/c/e6378314bb920acb39013051fa65d8f9f8030430\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\\n\\nsmp_call_function_single disables IRQs when executing the callback. To\\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\\nother lockers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35806\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35807", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35807" + }, + { + "url": "https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6" + }, + { + "url": "https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5" + }, + { + "url": "https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd" + }, + { + "url": "https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1" + }, + { + "url": "https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc" + }, + { + "url": "https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c" + }, + { + "url": "https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a" + }, + { + "url": "https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c" + }, + { + "url": "https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35807 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35807", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n dev=/dev/ # should be >= 16 GiB\n mkdir -p /corruption\n /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n mount -t ext4 $dev /corruption\n\n dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n sha1sum /corruption/test\n # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test\n\n /sbin/resize2fs $dev $((2*2**21))\n # drop page cache to force reload the block from disk\n echo 1 > /proc/sys/vm/drop_caches\n\n sha1sum /corruption/test\n # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubstracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35807\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35807\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35807\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35807\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35807\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6\",\n \"https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5\",\n \"https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd\",\n \"https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1\",\n \"https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc\",\n \"https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c\",\n \"https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a\",\n \"https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c\",\n \"https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix corruption during on-line resize\\n\\nWe observed a corruption during on-line resize of a file system that is\\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\\nresize_inode is turned off by default by mke2fs. The issue can be\\nreproduced on a smaller file system for convenience by explicitly\\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\\nsize of a meta block group in this setup) then leads to a corruption:\\n\\n dev=/dev/ # should be >= 16 GiB\\n mkdir -p /corruption\\n /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\\n mount -t ext4 $dev /corruption\\n\\n dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\\n sha1sum /corruption/test\\n # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test\\n\\n /sbin/resize2fs $dev $((2*2**21))\\n # drop page cache to force reload the block from disk\\n echo 1 > /proc/sys/vm/drop_caches\\n\\n sha1sum /corruption/test\\n # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test\\n\\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\\nblock group and 2^6 are the number of block groups that make a meta\\nblock group.\\n\\nThe last checksum might be different depending on how the file is laid\\nout across the physical blocks. The actual corruption occurs at physical\\nblock 63*2^15 = 2064384 which would be the location of the backup of the\\nmeta block group's block descriptor. During the on-line resize the file\\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\\n2 in the example - meaning all block groups after 16 GiB. However, in\\next4_flex_group_add we might add block groups that are not part of the\\nfirst meta block group yet. In the reproducer we achieved this by\\nsubstracting the size of a whole block group from the point where the\\nmeta block group would start. This must be considered when updating the\\nbackup block group descriptors to follow the non-meta_bg layout. The fix\\nis to add a test whether the group to add is already part of the meta\\nblock group or not.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35807\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35808", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35808" + }, + { + "url": "https://git.kernel.org/stable/c/347dcdc15a1706f61aa545ae498ededdf31aeebc" + }, + { + "url": "https://git.kernel.org/stable/c/9e59b8d76ff511505eb0dd1478329f09e0f04669" + }, + { + "url": "https://git.kernel.org/stable/c/cd32b27a66db8776d8b8e82ec7d7dde97a8693b0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35808 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35808", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/dm-raid: don't call md_reap_sync_thread() directly\n\nCurrently md_reap_sync_thread() is called from raid_message() directly\nwithout holding 'reconfig_mutex', this is definitely unsafe because\nmd_reap_sync_thread() can change many fields that is protected by\n'reconfig_mutex'.\n\nHowever, hold 'reconfig_mutex' here is still problematic because this\nwill cause deadlock, for example, commit 130443d60b1b (\"md: refactor\nidle/frozen_sync_thread() to fix deadlock\").\n\nFix this problem by using stop_sync_thread() to unregister sync_thread,\nlike md/raid did.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35808\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35808\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35808\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35808\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35808\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/347dcdc15a1706f61aa545ae498ededdf31aeebc\",\n \"https://git.kernel.org/stable/c/9e59b8d76ff511505eb0dd1478329f09e0f04669\",\n \"https://git.kernel.org/stable/c/cd32b27a66db8776d8b8e82ec7d7dde97a8693b0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd/dm-raid: don't call md_reap_sync_thread() directly\\n\\nCurrently md_reap_sync_thread() is called from raid_message() directly\\nwithout holding 'reconfig_mutex', this is definitely unsafe because\\nmd_reap_sync_thread() can change many fields that is protected by\\n'reconfig_mutex'.\\n\\nHowever, hold 'reconfig_mutex' here is still problematic because this\\nwill cause deadlock, for example, commit 130443d60b1b (\\\"md: refactor\\nidle/frozen_sync_thread() to fix deadlock\\\").\\n\\nFix this problem by using stop_sync_thread() to unregister sync_thread,\\nlike md/raid did.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35808\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35809", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35809" + }, + { + "url": "https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1" + }, + { + "url": "https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970" + }, + { + "url": "https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674" + }, + { + "url": "https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b" + }, + { + "url": "https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6" + }, + { + "url": "https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf" + }, + { + "url": "https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491" + }, + { + "url": "https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5" + }, + { + "url": "https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35809 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35809", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/PM: Drain runtime-idle callbacks before driver removal\n\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\n\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that. It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\n\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete. In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\n\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync(). [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\n\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point. A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35809\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35809\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35809\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35809\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35809\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1\",\n \"https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970\",\n \"https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674\",\n \"https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b\",\n \"https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6\",\n \"https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf\",\n \"https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491\",\n \"https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5\",\n \"https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI/PM: Drain runtime-idle callbacks before driver removal\\n\\nA race condition between the .runtime_idle() callback and the .remove()\\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\\nunhandled page fault [1].\\n\\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\\nguarantee that. It only guarantees that the suspend and resume callbacks\\nwill not be running when it returns.\\n\\nHowever, if a .runtime_idle() callback is already running when\\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\\nstatus of the device is RPM_ACTIVE and it will return right away without\\nwaiting for the former to complete. In fact, it cannot wait for\\n.runtime_idle() to complete because it may be called from that callback (it\\narguably does not make much sense to do that, but it is not strictly\\nprohibited).\\n\\nThus in general, whoever is providing a .runtime_idle() callback needs\\nto protect it from running in parallel with whatever code runs after\\npm_runtime_get_sync(). [Note that .runtime_idle() will not start after\\npm_runtime_get_sync() has returned, but it may continue running then if it\\nhas started earlier.]\\n\\nOne way to address that race condition is to call pm_runtime_barrier()\\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\\nbeing invoked) to wait for the .runtime_idle() callback to complete should\\nit be running at that point. A suitable place for doing that is in\\npci_device_remove() which calls pm_runtime_get_sync() before removing the\\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\\nwill prevent the race in question from occurring, not just in the rtsx_pcr\\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35809\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35811", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35811" + }, + { + "url": "https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb" + }, + { + "url": "https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744" + }, + { + "url": "https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78" + }, + { + "url": "https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a" + }, + { + "url": "https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169" + }, + { + "url": "https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a" + }, + { + "url": "https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731" + }, + { + "url": "https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1" + }, + { + "url": "https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35811 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35811", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver,it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n ->brcmf_usb_probe_cb\n ->brcmf_attach\n ->brcmf_bus_started\n ->brcmf_cfg80211_attach\n ->wl_init_priv\n ->brcmf_init_escan\n ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n ->brcmf_usb_disconnect_cb\n ->brcmf_detach\n ->brcmf_cfg80211_detach\n ->kfree(cfg);\n\nWhile the timeout woker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35811\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35811\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35811\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35811\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35811\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb\",\n \"https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744\",\n \"https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78\",\n \"https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a\",\n \"https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169\",\n \"https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a\",\n \"https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731\",\n \"https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1\",\n \"https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\\n\\nThis is the candidate patch of CVE-2023-47233 :\\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\\n\\nIn brcm80211 driver,it starts with the following invoking chain\\nto start init a timeout worker:\\n\\n->brcmf_usb_probe\\n ->brcmf_usb_probe_cb\\n ->brcmf_attach\\n ->brcmf_bus_started\\n ->brcmf_cfg80211_attach\\n ->wl_init_priv\\n ->brcmf_init_escan\\n ->INIT_WORK(&cfg->escan_timeout_work,\\n\\t\\t brcmf_cfg80211_escan_timeout_worker);\\n\\nIf we disconnect the USB by hotplug, it will call\\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\\n\\nbrcmf_usb_disconnect\\n ->brcmf_usb_disconnect_cb\\n ->brcmf_detach\\n ->brcmf_cfg80211_detach\\n ->kfree(cfg);\\n\\nWhile the timeout woker may still be running. This will cause\\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\\n\\nFix it by deleting the timer and canceling the worker in\\nbrcmf_cfg80211_detach.\\n\\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35811\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35813", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35813" + }, + { + "url": "https://git.kernel.org/stable/c/064db53f9023a2d5877a2d12de6bc27995f6ca56" + }, + { + "url": "https://git.kernel.org/stable/c/2b539c88940e22494da80a93ee1c5a28bbad10f6" + }, + { + "url": "https://git.kernel.org/stable/c/4466677dcabe2d70de6aa3d4bd4a4fafa94a71f2" + }, + { + "url": "https://git.kernel.org/stable/c/7d0e8a6147550aa058fa6ade8583ad252aa61304" + }, + { + "url": "https://git.kernel.org/stable/c/81b8645feca08a54c7c4bf36e7b176f4983b2f28" + }, + { + "url": "https://git.kernel.org/stable/c/ad9cc5e9e53ab94aa0c7ac65d43be7eb208dcb55" + }, + { + "url": "https://git.kernel.org/stable/c/b9a7339ae403035ffe7fc37cb034b36947910f68" + }, + { + "url": "https://git.kernel.org/stable/c/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35813 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35813", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Avoid negative index with array access\n\nCommit 4d0c8d0aef63 (\"mmc: core: Use mrq.sbc in close-ended ffu\") assigns\nprev_idata = idatas[i - 1], but doesn't check that the iterator i is\ngreater than zero. Let's fix this by adding a check.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35813\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35813\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35813\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35813\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35813\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/064db53f9023a2d5877a2d12de6bc27995f6ca56\",\n \"https://git.kernel.org/stable/c/2b539c88940e22494da80a93ee1c5a28bbad10f6\",\n \"https://git.kernel.org/stable/c/4466677dcabe2d70de6aa3d4bd4a4fafa94a71f2\",\n \"https://git.kernel.org/stable/c/7d0e8a6147550aa058fa6ade8583ad252aa61304\",\n \"https://git.kernel.org/stable/c/81b8645feca08a54c7c4bf36e7b176f4983b2f28\",\n \"https://git.kernel.org/stable/c/ad9cc5e9e53ab94aa0c7ac65d43be7eb208dcb55\",\n \"https://git.kernel.org/stable/c/b9a7339ae403035ffe7fc37cb034b36947910f68\",\n \"https://git.kernel.org/stable/c/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmmc: core: Avoid negative index with array access\\n\\nCommit 4d0c8d0aef63 (\\\"mmc: core: Use mrq.sbc in close-ended ffu\\\") assigns\\nprev_idata = idatas[i - 1], but doesn't check that the iterator i is\\ngreater than zero. Let's fix this by adding a check.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35813\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35815", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35815" + }, + { + "url": "https://git.kernel.org/stable/c/10ca82aff58434e122c7c757cf0497c335f993f3" + }, + { + "url": "https://git.kernel.org/stable/c/18d5fc3c16cc317bd0e5f5dabe0660df415cadb7" + }, + { + "url": "https://git.kernel.org/stable/c/396dbbc18963648e9d1a4edbb55cfe08fa374d50" + }, + { + "url": "https://git.kernel.org/stable/c/5c43d0041e3a05c6c41c318b759fff16d2384596" + }, + { + "url": "https://git.kernel.org/stable/c/94eb0293703ced580f05dfbe5a57da5931e9aee2" + }, + { + "url": "https://git.kernel.org/stable/c/961ebd120565cb60cebe21cb634fbc456022db4a" + }, + { + "url": "https://git.kernel.org/stable/c/a71cba07783abc76b547568b6452cd1dd9981410" + }, + { + "url": "https://git.kernel.org/stable/c/c01ed748847fe8b810d86efc229b9e6c7fafa01e" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35815 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35815", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\n\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35815\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35815\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35815\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35815\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35815\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10ca82aff58434e122c7c757cf0497c335f993f3\",\n \"https://git.kernel.org/stable/c/18d5fc3c16cc317bd0e5f5dabe0660df415cadb7\",\n \"https://git.kernel.org/stable/c/396dbbc18963648e9d1a4edbb55cfe08fa374d50\",\n \"https://git.kernel.org/stable/c/5c43d0041e3a05c6c41c318b759fff16d2384596\",\n \"https://git.kernel.org/stable/c/94eb0293703ced580f05dfbe5a57da5931e9aee2\",\n \"https://git.kernel.org/stable/c/961ebd120565cb60cebe21cb634fbc456022db4a\",\n \"https://git.kernel.org/stable/c/a71cba07783abc76b547568b6452cd1dd9981410\",\n \"https://git.kernel.org/stable/c/c01ed748847fe8b810d86efc229b9e6c7fafa01e\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\\n\\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\\nthat is not embedded inside struct aio_kiocb. With the current code,\\ndepending on the compiler, the req->ki_ctx read happens either before\\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\\nthat it is guaranteed that the IOCB_AIO_RW test happens first.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35815\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35817", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35817" + }, + { + "url": "https://git.kernel.org/stable/c/589c414138a1bed98e652c905937d8f790804efe" + }, + { + "url": "https://git.kernel.org/stable/c/5cdce3dda3b3dacde902f63a8ee72c2b7f91912d" + }, + { + "url": "https://git.kernel.org/stable/c/5d5f1a7f3b1039925f79c7894f153c2a905201fb" + }, + { + "url": "https://git.kernel.org/stable/c/6c6064cbe58b43533e3451ad6a8ba9736c109ac3" + }, + { + "url": "https://git.kernel.org/stable/c/6fcd12cb90888ef2d8af8d4c04e913252eee4ef3" + }, + { + "url": "https://git.kernel.org/stable/c/e8d27caef2c829a306e1f762fb95f06e8ec676f6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35817 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35817", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag\n\nOtherwise after the GTT bo is released, the GTT and gart space is freed\nbut amdgpu_ttm_backend_unbind will not clear the gart page table entry\nand leave valid mapping entry pointing to the stale system page. Then\nif GPU access the gart address mistakely, it will read undefined value\ninstead page fault, harder to debug and reproduce the real issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35817\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35817\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35817\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35817\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35817\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/589c414138a1bed98e652c905937d8f790804efe\",\n \"https://git.kernel.org/stable/c/5cdce3dda3b3dacde902f63a8ee72c2b7f91912d\",\n \"https://git.kernel.org/stable/c/5d5f1a7f3b1039925f79c7894f153c2a905201fb\",\n \"https://git.kernel.org/stable/c/6c6064cbe58b43533e3451ad6a8ba9736c109ac3\",\n \"https://git.kernel.org/stable/c/6fcd12cb90888ef2d8af8d4c04e913252eee4ef3\",\n \"https://git.kernel.org/stable/c/e8d27caef2c829a306e1f762fb95f06e8ec676f6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag\\n\\nOtherwise after the GTT bo is released, the GTT and gart space is freed\\nbut amdgpu_ttm_backend_unbind will not clear the gart page table entry\\nand leave valid mapping entry pointing to the stale system page. Then\\nif GPU access the gart address mistakely, it will read undefined value\\ninstead page fault, harder to debug and reproduce the real issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35817\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35819", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35819" + }, + { + "url": "https://git.kernel.org/stable/c/2b3fede8225133671ce837c0d284804aa3bc7a02" + }, + { + "url": "https://git.kernel.org/stable/c/32edca2f03a6cc42c650ddc3ad83d086e3f365d1" + }, + { + "url": "https://git.kernel.org/stable/c/54d26adf64c04f186098b39dba86b86037084baa" + }, + { + "url": "https://git.kernel.org/stable/c/9a3ca8292ce9fdcce122706c28c3f07bc857fe5e" + }, + { + "url": "https://git.kernel.org/stable/c/cd53a8ae5aacb4ecd25088486dea1cd02e74b506" + }, + { + "url": "https://git.kernel.org/stable/c/d6b5aac451c9cc12e43ab7308e0e2ddc52c62c14" + }, + { + "url": "https://git.kernel.org/stable/c/f39d36b7540cf0088ed7ce2de2794f2aa237f6df" + }, + { + "url": "https://git.kernel.org/stable/c/fbec4e7fed89b579f2483041fabf9650fb0dd6bc" + }, + { + "url": "https://git.kernel.org/stable/c/ff50716b7d5b7985979a5b21163cd79fb3d21d59" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35819 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35819", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\n\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\n\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35819\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35819\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35819\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35819\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35819\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b3fede8225133671ce837c0d284804aa3bc7a02\",\n \"https://git.kernel.org/stable/c/32edca2f03a6cc42c650ddc3ad83d086e3f365d1\",\n \"https://git.kernel.org/stable/c/54d26adf64c04f186098b39dba86b86037084baa\",\n \"https://git.kernel.org/stable/c/9a3ca8292ce9fdcce122706c28c3f07bc857fe5e\",\n \"https://git.kernel.org/stable/c/cd53a8ae5aacb4ecd25088486dea1cd02e74b506\",\n \"https://git.kernel.org/stable/c/d6b5aac451c9cc12e43ab7308e0e2ddc52c62c14\",\n \"https://git.kernel.org/stable/c/f39d36b7540cf0088ed7ce2de2794f2aa237f6df\",\n \"https://git.kernel.org/stable/c/fbec4e7fed89b579f2483041fabf9650fb0dd6bc\",\n \"https://git.kernel.org/stable/c/ff50716b7d5b7985979a5b21163cd79fb3d21d59\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\\n\\nsmp_call_function always runs its callback in hard IRQ context, even on\\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\\n\\nAlthough this bug has existed for a while, it was not apparent until\\ncommit ef2a8d5478b9 (\\\"net: dpaa: Adjust queue depth on rate change\\\")\\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\\ntime a link goes up or down.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35819\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35821", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35821" + }, + { + "url": "https://git.kernel.org/stable/c/142d87c958d9454c3cffa625fab56f3016e8f9f3" + }, + { + "url": "https://git.kernel.org/stable/c/17772bbe9cfa972ea1ff827319f6e1340de76566" + }, + { + "url": "https://git.kernel.org/stable/c/4aa554832b9dc9e66249df75b8f447d87853e12e" + }, + { + "url": "https://git.kernel.org/stable/c/4b7c4fc60d6a46350fbe54f5dc937aeaa02e675e" + }, + { + "url": "https://git.kernel.org/stable/c/723012cab779eee8228376754e22c6594229bf8f" + }, + { + "url": "https://git.kernel.org/stable/c/778c6ad40256f1c03244fc06d7cdf71f6b5e7310" + }, + { + "url": "https://git.kernel.org/stable/c/8f599ab6fabbca4c741107eade70722a98adfd9f" + }, + { + "url": "https://git.kernel.org/stable/c/f19b1023a3758f40791ec166038d6411c8894ae3" + }, + { + "url": "https://git.kernel.org/stable/c/fc99f4e2d2f1ce766c14e98463c2839194ae964f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35821 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35821", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Set page uptodate in the correct place\n\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data. Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35821\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35821\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35821\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35821\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35821\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/142d87c958d9454c3cffa625fab56f3016e8f9f3\",\n \"https://git.kernel.org/stable/c/17772bbe9cfa972ea1ff827319f6e1340de76566\",\n \"https://git.kernel.org/stable/c/4aa554832b9dc9e66249df75b8f447d87853e12e\",\n \"https://git.kernel.org/stable/c/4b7c4fc60d6a46350fbe54f5dc937aeaa02e675e\",\n \"https://git.kernel.org/stable/c/723012cab779eee8228376754e22c6594229bf8f\",\n \"https://git.kernel.org/stable/c/778c6ad40256f1c03244fc06d7cdf71f6b5e7310\",\n \"https://git.kernel.org/stable/c/8f599ab6fabbca4c741107eade70722a98adfd9f\",\n \"https://git.kernel.org/stable/c/f19b1023a3758f40791ec166038d6411c8894ae3\",\n \"https://git.kernel.org/stable/c/fc99f4e2d2f1ce766c14e98463c2839194ae964f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nubifs: Set page uptodate in the correct place\\n\\nPage cache reads are lockless, so setting the freshly allocated page\\nuptodate before we've overwritten it with the data it's supposed to have\\nin it will allow a simultaneous reader to see old data. Move the call\\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\\nnew data into the page.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35821\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35822", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35822" + }, + { + "url": "https://git.kernel.org/stable/c/2a587a035214fa1b5ef598aea0b81848c5b72e5e" + }, + { + "url": "https://git.kernel.org/stable/c/2b002c308e184feeaeb72987bca3f1b11e5f70b8" + }, + { + "url": "https://git.kernel.org/stable/c/30511676eb54d480d014352bf784f02577a10252" + }, + { + "url": "https://git.kernel.org/stable/c/36177c2595df12225b95ce74eb1ac77b43d5a58c" + }, + { + "url": "https://git.kernel.org/stable/c/3e944ddc17c042945d983e006df7860687a8849a" + }, + { + "url": "https://git.kernel.org/stable/c/68d951880d0c52c7f13dcefb5501b69b8605ce8c" + }, + { + "url": "https://git.kernel.org/stable/c/99731076722eb7ed26b0c87c879da7bb71d24290" + }, + { + "url": "https://git.kernel.org/stable/c/df5cbb908f1687e8ab97e222a16b7890d5501acf" + }, + { + "url": "https://git.kernel.org/stable/c/f74c5e0b54b02706d9a862ac6cddade30ac86bcf" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35822 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35822", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: udc: remove warning when queue disabled ep\n\nIt is possible trigger below warning message from mass storage function,\n\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\n\nRoot cause is mass storage function try to queue request from main thread,\nbut other thread may already disable ep when function disable.\n\nAs there is no function failure in the driver, in order to avoid effort\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35822\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35822\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35822\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35822\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35822\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a587a035214fa1b5ef598aea0b81848c5b72e5e\",\n \"https://git.kernel.org/stable/c/2b002c308e184feeaeb72987bca3f1b11e5f70b8\",\n \"https://git.kernel.org/stable/c/30511676eb54d480d014352bf784f02577a10252\",\n \"https://git.kernel.org/stable/c/36177c2595df12225b95ce74eb1ac77b43d5a58c\",\n \"https://git.kernel.org/stable/c/3e944ddc17c042945d983e006df7860687a8849a\",\n \"https://git.kernel.org/stable/c/68d951880d0c52c7f13dcefb5501b69b8605ce8c\",\n \"https://git.kernel.org/stable/c/99731076722eb7ed26b0c87c879da7bb71d24290\",\n \"https://git.kernel.org/stable/c/df5cbb908f1687e8ab97e222a16b7890d5501acf\",\n \"https://git.kernel.org/stable/c/f74c5e0b54b02706d9a862ac6cddade30ac86bcf\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: udc: remove warning when queue disabled ep\\n\\nIt is possible trigger below warning message from mass storage function,\\n\\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\\npc : usb_ep_queue+0x7c/0x104\\nlr : fsg_main_thread+0x494/0x1b3c\\n\\nRoot cause is mass storage function try to queue request from main thread,\\nbut other thread may already disable ep when function disable.\\n\\nAs there is no function failure in the driver, in order to avoid effort\\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35822\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35823", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35823" + }, + { + "url": "https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f" + }, + { + "url": "https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d" + }, + { + "url": "https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90" + }, + { + "url": "https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1" + }, + { + "url": "https://git.kernel.org/stable/c/7529cbd8b5f6697b369803fe1533612c039cabda" + }, + { + "url": "https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51" + }, + { + "url": "https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d" + }, + { + "url": "https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35823 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35823", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix unicode buffer corruption when deleting characters\n\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlaping buffers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35823\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35823\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35823\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35823\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35823\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f\",\n \"https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d\",\n \"https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90\",\n \"https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1\",\n \"https://git.kernel.org/stable/c/7529cbd8b5f6697b369803fe1533612c039cabda\",\n \"https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51\",\n \"https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d\",\n \"https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvt: fix unicode buffer corruption when deleting characters\\n\\nThis is the same issue that was fixed for the VGA text buffer in commit\\n39cdb68c64d8 (\\\"vt: fix memory overlapping when deleting chars in the\\nbuffer\\\"). The cure is also the same i.e. replace memcpy() with memmove()\\ndue to the overlaping buffers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35823\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35825", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35825" + }, + { + "url": "https://git.kernel.org/stable/c/6b2c73111a252263807b7598682663dc33aa4b4c" + }, + { + "url": "https://git.kernel.org/stable/c/7664ee8bd80309b90d53488b619764f0a057f2b7" + }, + { + "url": "https://git.kernel.org/stable/c/92b051b87658df7649ffcdef522593f21a2b296b" + }, + { + "url": "https://git.kernel.org/stable/c/a0f77b5d6067285b8eca0ee3bd1e448a6258026f" + }, + { + "url": "https://git.kernel.org/stable/c/a766761d206e7c36d7526e0ae749949d17ca582c" + }, + { + "url": "https://git.kernel.org/stable/c/e2dbfea520e60d58e0c498ba41bde10452257779" + }, + { + "url": "https://git.kernel.org/stable/c/ef846cdbd100f7f9dc045e8bcd7fe4b3a3713c03" + }, + { + "url": "https://git.kernel.org/stable/c/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35825 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35825", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Fix handling of zero block length packets\n\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\nset to 65536, it has been observed that we receive short packets,\nwhich come at interval of 5-10 seconds sometimes and have block\nlength zero but still contain 1-2 valid datagrams present.\n\nAccording to the NCM spec:\n\n\"If wBlockLength = 0x0000, the block is terminated by a\nshort packet. In this case, the USB transfer must still\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\nand the size is a multiple of wMaxPacketSize for the\ngiven pipe, then no ZLP shall be sent.\n\nwBlockLength= 0x0000 must be used with extreme care, because\nof the possibility that the host and device may get out of\nsync, and because of test issues.\n\nwBlockLength = 0x0000 allows the sender to reduce latency by\nstarting to send a very large NTB, and then shortening it when\nthe sender discovers that there’s not sufficient data to justify\nsending a large NTB\"\n\nHowever, there is a potential issue with the current implementation,\nas it checks for the occurrence of multiple NTBs in a single\ngiveback by verifying if the leftover bytes to be processed is zero\nor not. If the block length reads zero, we would process the same\nNTB infintely because the leftover bytes is never zero and it leads\nto a crash. Fix this by bailing out if block length reads zero.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35825\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35825\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35825\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35825\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35825\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6b2c73111a252263807b7598682663dc33aa4b4c\",\n \"https://git.kernel.org/stable/c/7664ee8bd80309b90d53488b619764f0a057f2b7\",\n \"https://git.kernel.org/stable/c/92b051b87658df7649ffcdef522593f21a2b296b\",\n \"https://git.kernel.org/stable/c/a0f77b5d6067285b8eca0ee3bd1e448a6258026f\",\n \"https://git.kernel.org/stable/c/a766761d206e7c36d7526e0ae749949d17ca582c\",\n \"https://git.kernel.org/stable/c/e2dbfea520e60d58e0c498ba41bde10452257779\",\n \"https://git.kernel.org/stable/c/ef846cdbd100f7f9dc045e8bcd7fe4b3a3713c03\",\n \"https://git.kernel.org/stable/c/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: ncm: Fix handling of zero block length packets\\n\\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\\nset to 65536, it has been observed that we receive short packets,\\nwhich come at interval of 5-10 seconds sometimes and have block\\nlength zero but still contain 1-2 valid datagrams present.\\n\\nAccording to the NCM spec:\\n\\n\\\"If wBlockLength = 0x0000, the block is terminated by a\\nshort packet. In this case, the USB transfer must still\\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\\nand the size is a multiple of wMaxPacketSize for the\\ngiven pipe, then no ZLP shall be sent.\\n\\nwBlockLength= 0x0000 must be used with extreme care, because\\nof the possibility that the host and device may get out of\\nsync, and because of test issues.\\n\\nwBlockLength = 0x0000 allows the sender to reduce latency by\\nstarting to send a very large NTB, and then shortening it when\\nthe sender discovers that there’s not sufficient data to justify\\nsending a large NTB\\\"\\n\\nHowever, there is a potential issue with the current implementation,\\nas it checks for the occurrence of multiple NTBs in a single\\ngiveback by verifying if the leftover bytes to be processed is zero\\nor not. If the block length reads zero, we would process the same\\nNTB infintely because the leftover bytes is never zero and it leads\\nto a crash. Fix this by bailing out if block length reads zero.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35825\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35826", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35826" + }, + { + "url": "https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367" + }, + { + "url": "https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6" + }, + { + "url": "https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65" + }, + { + "url": "https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2" + }, + { + "url": "https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35826 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35826", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix page refcounts for unaligned buffers in __bio_release_pages()\n\nFix an incorrect number of pages being released for buffers that do not\nstart at the beginning of a page.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35826\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35826\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35826\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35826\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35826\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367\",\n \"https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6\",\n \"https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65\",\n \"https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2\",\n \"https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: Fix page refcounts for unaligned buffers in __bio_release_pages()\\n\\nFix an incorrect number of pages being released for buffers that do not\\nstart at the beginning of a page.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35826\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35832", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35832" + }, + { + "url": "https://git.kernel.org/stable/c/369acf97d6fd5da620d053d0f1878ffe32eff555" + }, + { + "url": "https://git.kernel.org/stable/c/56590678791119b9a655202e49898edfb9307271" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35832 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35832", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit\n\nbch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut.\nIt should be freed by kvfree not kfree.\nOr umount will triger:\n\n[ 406.829178 ] BUG: unable to handle page fault for address: ffffe7b487148008\n[ 406.830676 ] #PF: supervisor read access in kernel mode\n[ 406.831643 ] #PF: error_code(0x0000) - not-present page\n[ 406.832487 ] PGD 0 P4D 0\n[ 406.832898 ] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 406.833512 ] CPU: 2 PID: 1754 Comm: umount Kdump: loaded Tainted: G OE 6.7.0-rc7-custom+ #90\n[ 406.834746 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n[ 406.835796 ] RIP: 0010:kfree+0x62/0x140\n[ 406.836197 ] Code: 80 48 01 d8 0f 82 e9 00 00 00 48 c7 c2 00 00 00 80 48 2b 15 78 9f 1f 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 56 9f 1f 01 <48> 8b 50 08 48 89 c7 f6 c2 01 0f 85 b0 00 00 00 66 90 48 8b 07 f6\n[ 406.837810 ] RSP: 0018:ffffb9d641607e48 EFLAGS: 00010286\n[ 406.838213 ] RAX: ffffe7b487148000 RBX: ffffb9d645200000 RCX: ffffb9d641607dc4\n[ 406.838738 ] RDX: 000065bb00000000 RSI: ffffffffc0d88b84 RDI: ffffb9d645200000\n[ 406.839217 ] RBP: ffff9a4625d00068 R08: 0000000000000001 R09: 0000000000000001\n[ 406.839650 ] R10: 0000000000000001 R11: 000000000000001f R12: ffff9a4625d4da80\n[ 406.840055 ] R13: ffff9a4625d00000 R14: ffffffffc0e2eb20 R15: 0000000000000000\n[ 406.840451 ] FS: 00007f0a264ffb80(0000) GS:ffff9a4e2d500000(0000) knlGS:0000000000000000\n[ 406.840851 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 406.841125 ] CR2: ffffe7b487148008 CR3: 000000018c4d2000 CR4: 00000000000006f0\n[ 406.841464 ] Call Trace:\n[ 406.841583 ] \n[ 406.841682 ] ? __die+0x1f/0x70\n[ 406.841828 ] ? page_fault_oops+0x159/0x470\n[ 406.842014 ] ? fixup_exception+0x22/0x310\n[ 406.842198 ] ? exc_page_fault+0x1ed/0x200\n[ 406.842382 ] ? asm_exc_page_fault+0x22/0x30\n[ 406.842574 ] ? bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.842842 ] ? kfree+0x62/0x140\n[ 406.842988 ] ? kfree+0x104/0x140\n[ 406.843138 ] bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.843390 ] kobject_put+0xb7/0x170\n[ 406.843552 ] deactivate_locked_super+0x2f/0xa0\n[ 406.843756 ] cleanup_mnt+0xba/0x150\n[ 406.843917 ] task_work_run+0x59/0xa0\n[ 406.844083 ] exit_to_user_mode_prepare+0x197/0x1a0\n[ 406.844302 ] syscall_exit_to_user_mode+0x16/0x40\n[ 406.844510 ] do_syscall_64+0x4e/0xf0\n[ 406.844675 ] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 406.844907 ] RIP: 0033:0x7f0a2664e4fb", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35832\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35832\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35832\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35832\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35832\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/369acf97d6fd5da620d053d0f1878ffe32eff555\",\n \"https://git.kernel.org/stable/c/56590678791119b9a655202e49898edfb9307271\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit\\n\\nbch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut.\\nIt should be freed by kvfree not kfree.\\nOr umount will triger:\\n\\n[ 406.829178 ] BUG: unable to handle page fault for address: ffffe7b487148008\\n[ 406.830676 ] #PF: supervisor read access in kernel mode\\n[ 406.831643 ] #PF: error_code(0x0000) - not-present page\\n[ 406.832487 ] PGD 0 P4D 0\\n[ 406.832898 ] Oops: 0000 [#1] PREEMPT SMP PTI\\n[ 406.833512 ] CPU: 2 PID: 1754 Comm: umount Kdump: loaded Tainted: G OE 6.7.0-rc7-custom+ #90\\n[ 406.834746 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\\n[ 406.835796 ] RIP: 0010:kfree+0x62/0x140\\n[ 406.836197 ] Code: 80 48 01 d8 0f 82 e9 00 00 00 48 c7 c2 00 00 00 80 48 2b 15 78 9f 1f 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 56 9f 1f 01 <48> 8b 50 08 48 89 c7 f6 c2 01 0f 85 b0 00 00 00 66 90 48 8b 07 f6\\n[ 406.837810 ] RSP: 0018:ffffb9d641607e48 EFLAGS: 00010286\\n[ 406.838213 ] RAX: ffffe7b487148000 RBX: ffffb9d645200000 RCX: ffffb9d641607dc4\\n[ 406.838738 ] RDX: 000065bb00000000 RSI: ffffffffc0d88b84 RDI: ffffb9d645200000\\n[ 406.839217 ] RBP: ffff9a4625d00068 R08: 0000000000000001 R09: 0000000000000001\\n[ 406.839650 ] R10: 0000000000000001 R11: 000000000000001f R12: ffff9a4625d4da80\\n[ 406.840055 ] R13: ffff9a4625d00000 R14: ffffffffc0e2eb20 R15: 0000000000000000\\n[ 406.840451 ] FS: 00007f0a264ffb80(0000) GS:ffff9a4e2d500000(0000) knlGS:0000000000000000\\n[ 406.840851 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 406.841125 ] CR2: ffffe7b487148008 CR3: 000000018c4d2000 CR4: 00000000000006f0\\n[ 406.841464 ] Call Trace:\\n[ 406.841583 ] \\n[ 406.841682 ] ? __die+0x1f/0x70\\n[ 406.841828 ] ? page_fault_oops+0x159/0x470\\n[ 406.842014 ] ? fixup_exception+0x22/0x310\\n[ 406.842198 ] ? exc_page_fault+0x1ed/0x200\\n[ 406.842382 ] ? asm_exc_page_fault+0x22/0x30\\n[ 406.842574 ] ? bch2_fs_release+0x54/0x280 [bcachefs]\\n[ 406.842842 ] ? kfree+0x62/0x140\\n[ 406.842988 ] ? kfree+0x104/0x140\\n[ 406.843138 ] bch2_fs_release+0x54/0x280 [bcachefs]\\n[ 406.843390 ] kobject_put+0xb7/0x170\\n[ 406.843552 ] deactivate_locked_super+0x2f/0xa0\\n[ 406.843756 ] cleanup_mnt+0xba/0x150\\n[ 406.843917 ] task_work_run+0x59/0xa0\\n[ 406.844083 ] exit_to_user_mode_prepare+0x197/0x1a0\\n[ 406.844302 ] syscall_exit_to_user_mode+0x16/0x40\\n[ 406.844510 ] do_syscall_64+0x4e/0xf0\\n[ 406.844675 ] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ 406.844907 ] RIP: 0033:0x7f0a2664e4fb\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35832\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35833", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35833" + }, + { + "url": "https://git.kernel.org/stable/c/15eb996d7d13cb72a16389231945ada8f0fef2c3" + }, + { + "url": "https://git.kernel.org/stable/c/198270de9d8eb3b5d5f030825ea303ef95285d24" + }, + { + "url": "https://git.kernel.org/stable/c/1c75fe450b5200c78f4a102a0eb8e15d8f1ccda8" + }, + { + "url": "https://git.kernel.org/stable/c/25ab4d72eb7cbfa0f3d97a139a9b2bfcaa72dd59" + }, + { + "url": "https://git.kernel.org/stable/c/3aa58cb51318e329d203857f7a191678e60bb714" + }, + { + "url": "https://git.kernel.org/stable/c/5cd8a51517ce15edbdcea4fc74c4c127ddaa1bd6" + }, + { + "url": "https://git.kernel.org/stable/c/ae6769ba51417c1c86fb645812d5bff455eee802" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35833 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35833", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA\n\nThis dma_alloc_coherent() is undone neither in the remove function, nor in\nthe error handling path of fsl_qdma_probe().\n\nSwitch to the managed version to fix both issues.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35833\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35833\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35833\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35833\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35833\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15eb996d7d13cb72a16389231945ada8f0fef2c3\",\n \"https://git.kernel.org/stable/c/198270de9d8eb3b5d5f030825ea303ef95285d24\",\n \"https://git.kernel.org/stable/c/1c75fe450b5200c78f4a102a0eb8e15d8f1ccda8\",\n \"https://git.kernel.org/stable/c/25ab4d72eb7cbfa0f3d97a139a9b2bfcaa72dd59\",\n \"https://git.kernel.org/stable/c/3aa58cb51318e329d203857f7a191678e60bb714\",\n \"https://git.kernel.org/stable/c/5cd8a51517ce15edbdcea4fc74c4c127ddaa1bd6\",\n \"https://git.kernel.org/stable/c/ae6769ba51417c1c86fb645812d5bff455eee802\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA\\n\\nThis dma_alloc_coherent() is undone neither in the remove function, nor in\\nthe error handling path of fsl_qdma_probe().\\n\\nSwitch to the managed version to fix both issues.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35833\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35835", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35835" + }, + { + "url": "https://git.kernel.org/stable/c/2501afe6c4c9829d03abe9a368b83d9ea1b611b7" + }, + { + "url": "https://git.kernel.org/stable/c/3c6d5189246f590e4e1f167991558bdb72a4738b" + }, + { + "url": "https://git.kernel.org/stable/c/42876db001bbea7558e8676d1019f08f9390addb" + }, + { + "url": "https://git.kernel.org/stable/c/66cc521a739ccd5da057a1cb3d6346c6d0e7619b" + }, + { + "url": "https://git.kernel.org/stable/c/b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7" + }, + { + "url": "https://git.kernel.org/stable/c/c57ca114eb00e03274dd38108d07a3750fa3c056" + }, + { + "url": "https://git.kernel.org/stable/c/cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5" + }, + { + "url": "https://git.kernel.org/stable/c/e3d3ed8c152971dbe64c92c9ecb98fdb52abb629" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35835 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35835", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a double-free in arfs_create_groups\n\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft->g and return an error. However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call to\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35835\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35835\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35835\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35835\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35835\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2501afe6c4c9829d03abe9a368b83d9ea1b611b7\",\n \"https://git.kernel.org/stable/c/3c6d5189246f590e4e1f167991558bdb72a4738b\",\n \"https://git.kernel.org/stable/c/42876db001bbea7558e8676d1019f08f9390addb\",\n \"https://git.kernel.org/stable/c/66cc521a739ccd5da057a1cb3d6346c6d0e7619b\",\n \"https://git.kernel.org/stable/c/b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7\",\n \"https://git.kernel.org/stable/c/c57ca114eb00e03274dd38108d07a3750fa3c056\",\n \"https://git.kernel.org/stable/c/cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5\",\n \"https://git.kernel.org/stable/c/e3d3ed8c152971dbe64c92c9ecb98fdb52abb629\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: fix a double-free in arfs_create_groups\\n\\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\\nft->g and return an error. However, arfs_create_table, the only caller of\\narfs_create_groups, will hold this error and call to\\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35835\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35837", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35837" + }, + { + "url": "https://git.kernel.org/stable/c/83f99138bf3b396f761600ab488054396fb5768f" + }, + { + "url": "https://git.kernel.org/stable/c/938729484cfa535e9987ed0f86f29a2ae3a8188b" + }, + { + "url": "https://git.kernel.org/stable/c/9f538b415db862e74b8c5d3abbccfc1b2b6caa38" + }, + { + "url": "https://git.kernel.org/stable/c/af47faa6d3328406038b731794e7cf508c71affa" + }, + { + "url": "https://git.kernel.org/stable/c/cec65f09c47d8c2d67f2bcad6cf05c490628d1ec" + }, + { + "url": "https://git.kernel.org/stable/c/dc77f6ab5c3759df60ff87ed24f4d45df0f3b4c4" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35837 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35837", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: clear BM pool before initialization\n\nRegister value persist after booting the kernel using\nkexec which results in kernel panic. Thus clear the\nBM pool registers before initialisation to fix the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35837\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35837\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35837\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35837\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35837\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/83f99138bf3b396f761600ab488054396fb5768f\",\n \"https://git.kernel.org/stable/c/938729484cfa535e9987ed0f86f29a2ae3a8188b\",\n \"https://git.kernel.org/stable/c/9f538b415db862e74b8c5d3abbccfc1b2b6caa38\",\n \"https://git.kernel.org/stable/c/af47faa6d3328406038b731794e7cf508c71affa\",\n \"https://git.kernel.org/stable/c/cec65f09c47d8c2d67f2bcad6cf05c490628d1ec\",\n \"https://git.kernel.org/stable/c/dc77f6ab5c3759df60ff87ed24f4d45df0f3b4c4\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: mvpp2: clear BM pool before initialization\\n\\nRegister value persist after booting the kernel using\\nkexec which results in kernel panic. Thus clear the\\nBM pool registers before initialisation to fix the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35837\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35839", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35839" + }, + { + "url": "https://git.kernel.org/stable/c/544add1f1cfb78c3dfa3e6edcf4668f6be5e730c" + }, + { + "url": "https://git.kernel.org/stable/c/7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b" + }, + { + "url": "https://git.kernel.org/stable/c/9325e3188a9cf3f69fc6f32af59844bbc5b90547" + }, + { + "url": "https://git.kernel.org/stable/c/9874808878d9eed407e3977fd11fee49de1e1d86" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35839 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35839", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\n\nAn skb can be added to a neigh->arp_queue while waiting for an arp\nreply. Where original skb's skb->dev can be different to neigh's\nneigh->dev. For instance in case of bridging dnated skb from one veth to\nanother, the skb would be added to a neigh->arp_queue of the bridge.\n\nAs skb->dev can be reset back to nf_bridge->physindev and used, and as\nthere is no explicit mechanism that prevents this physindev from been\nfreed under us (for instance neigh_flush_dev doesn't cleanup skbs from\ndifferent device's neigh queue) we can crash on e.g. this stack:\n\narp_process\n neigh_update\n skb = __skb_dequeue(&neigh->arp_queue)\n neigh_resolve_output(..., skb)\n ...\n br_nf_dev_xmit\n br_nf_pre_routing_finish_bridge_slow\n skb->dev = nf_bridge->physindev\n br_handle_frame_finish\n\nLet's use plain ifindex instead of net_device link. To peek into the\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\nget device and are safe to use it or we don't get it and drop skb.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35839\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35839\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35839\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35839\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35839\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/544add1f1cfb78c3dfa3e6edcf4668f6be5e730c\",\n \"https://git.kernel.org/stable/c/7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b\",\n \"https://git.kernel.org/stable/c/9325e3188a9cf3f69fc6f32af59844bbc5b90547\",\n \"https://git.kernel.org/stable/c/9874808878d9eed407e3977fd11fee49de1e1d86\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\\n\\nAn skb can be added to a neigh->arp_queue while waiting for an arp\\nreply. Where original skb's skb->dev can be different to neigh's\\nneigh->dev. For instance in case of bridging dnated skb from one veth to\\nanother, the skb would be added to a neigh->arp_queue of the bridge.\\n\\nAs skb->dev can be reset back to nf_bridge->physindev and used, and as\\nthere is no explicit mechanism that prevents this physindev from been\\nfreed under us (for instance neigh_flush_dev doesn't cleanup skbs from\\ndifferent device's neigh queue) we can crash on e.g. this stack:\\n\\narp_process\\n neigh_update\\n skb = __skb_dequeue(&neigh->arp_queue)\\n neigh_resolve_output(..., skb)\\n ...\\n br_nf_dev_xmit\\n br_nf_pre_routing_finish_bridge_slow\\n skb->dev = nf_bridge->physindev\\n br_handle_frame_finish\\n\\nLet's use plain ifindex instead of net_device link. To peek into the\\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\\nget device and are safe to use it or we don't get it and drop skb.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35839\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35840", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35840" + }, + { + "url": "https://git.kernel.org/stable/c/413b913507326972135d2977975dbff8b7f2c453" + }, + { + "url": "https://git.kernel.org/stable/c/51e4cb032d49ce094605f27e45eabebc0408893c" + }, + { + "url": "https://git.kernel.org/stable/c/76e8de7273a22a00d27e9b8b7d4d043d6433416a" + }, + { + "url": "https://git.kernel.org/stable/c/ad3e8f5c3d5c53841046ef7a947c04ad45a20721" + }, + { + "url": "https://git.kernel.org/stable/c/be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35840 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35840", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\n\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\nin mptcp_parse_option()", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35840\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35840\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35840\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35840\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35840\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/413b913507326972135d2977975dbff8b7f2c453\",\n \"https://git.kernel.org/stable/c/51e4cb032d49ce094605f27e45eabebc0408893c\",\n \"https://git.kernel.org/stable/c/76e8de7273a22a00d27e9b8b7d4d043d6433416a\",\n \"https://git.kernel.org/stable/c/ad3e8f5c3d5c53841046ef7a947c04ad45a20721\",\n \"https://git.kernel.org/stable/c/be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\\n\\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\\nin mptcp_parse_option()\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35840\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35843", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35843" + }, + { + "url": "https://git.kernel.org/stable/c/3d39238991e745c5df85785604f037f35d9d1b15" + }, + { + "url": "https://git.kernel.org/stable/c/def054b01a867822254e1dda13d587f5c7a99e2a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35843 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35843", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Use device rbtree in iopf reporting path\n\nThe existing I/O page fault handler currently locates the PCI device by\ncalling pci_get_domain_bus_and_slot(). This function searches the list\nof all PCI devices until the desired device is found. To improve lookup\nefficiency, replace it with device_rbtree_find() to search the device\nwithin the probed device rbtree.\n\nThe I/O page fault is initiated by the device, which does not have any\nsynchronization mechanism with the software to ensure that the device\nstays in the probed device tree. Theoretically, a device could be released\nby the IOMMU subsystem after device_rbtree_find() and before\niopf_get_dev_fault_param(), which would cause a use-after-free problem.\n\nAdd a mutex to synchronize the I/O page fault reporting path and the IOMMU\nrelease device path. This lock doesn't introduce any performance overhead,\nas the conflict between I/O page fault reporting and device releasing is\nvery rare.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35843\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35843\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35843\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35843\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35843\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3d39238991e745c5df85785604f037f35d9d1b15\",\n \"https://git.kernel.org/stable/c/def054b01a867822254e1dda13d587f5c7a99e2a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu/vt-d: Use device rbtree in iopf reporting path\\n\\nThe existing I/O page fault handler currently locates the PCI device by\\ncalling pci_get_domain_bus_and_slot(). This function searches the list\\nof all PCI devices until the desired device is found. To improve lookup\\nefficiency, replace it with device_rbtree_find() to search the device\\nwithin the probed device rbtree.\\n\\nThe I/O page fault is initiated by the device, which does not have any\\nsynchronization mechanism with the software to ensure that the device\\nstays in the probed device tree. Theoretically, a device could be released\\nby the IOMMU subsystem after device_rbtree_find() and before\\niopf_get_dev_fault_param(), which would cause a use-after-free problem.\\n\\nAdd a mutex to synchronize the I/O page fault reporting path and the IOMMU\\nrelease device path. This lock doesn't introduce any performance overhead,\\nas the conflict between I/O page fault reporting and device releasing is\\nvery rare.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.8,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35843\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35847", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35847" + }, + { + "url": "https://git.kernel.org/stable/c/03170e657f62c26834172742492a8cb8077ef792" + }, + { + "url": "https://git.kernel.org/stable/c/5b012f77abde89bf0be8a0547636184fea618137" + }, + { + "url": "https://git.kernel.org/stable/c/5dbdbe1133911ca7d8466bb86885adec32ad9438" + }, + { + "url": "https://git.kernel.org/stable/c/aa44d21574751a7d6bca892eb8e0e9ac68372e52" + }, + { + "url": "https://git.kernel.org/stable/c/b72d2b1448b682844f995e660b77f2a1fabc1662" + }, + { + "url": "https://git.kernel.org/stable/c/c26591afd33adce296c022e3480dea4282b7ef91" + }, + { + "url": "https://git.kernel.org/stable/c/dd681710ab77c8beafe2e263064cb1bd0e2d6ca9" + }, + { + "url": "https://git.kernel.org/stable/c/f5417ff561b8ac9a7e53c747b8627a7ab58378ae" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35847 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35847", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Prevent double free on error\n\nThe error handling path in its_vpe_irq_domain_alloc() causes a double free\nwhen its_vpe_init() fails after successfully allocating at least one\ninterrupt. This happens because its_vpe_irq_domain_free() frees the\ninterrupts along with the area bitmap and the vprop_page and\nits_vpe_irq_domain_alloc() subsequently frees the area bitmap and the\nvprop_page again.\n\nFix this by unconditionally invoking its_vpe_irq_domain_free() which\nhandles all cases correctly and by removing the bitmap/vprop_page freeing\nfrom its_vpe_irq_domain_alloc().\n\n[ tglx: Massaged change log ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35847\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35847\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35847\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35847\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35847\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03170e657f62c26834172742492a8cb8077ef792\",\n \"https://git.kernel.org/stable/c/5b012f77abde89bf0be8a0547636184fea618137\",\n \"https://git.kernel.org/stable/c/5dbdbe1133911ca7d8466bb86885adec32ad9438\",\n \"https://git.kernel.org/stable/c/aa44d21574751a7d6bca892eb8e0e9ac68372e52\",\n \"https://git.kernel.org/stable/c/b72d2b1448b682844f995e660b77f2a1fabc1662\",\n \"https://git.kernel.org/stable/c/c26591afd33adce296c022e3480dea4282b7ef91\",\n \"https://git.kernel.org/stable/c/dd681710ab77c8beafe2e263064cb1bd0e2d6ca9\",\n \"https://git.kernel.org/stable/c/f5417ff561b8ac9a7e53c747b8627a7ab58378ae\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nirqchip/gic-v3-its: Prevent double free on error\\n\\nThe error handling path in its_vpe_irq_domain_alloc() causes a double free\\nwhen its_vpe_init() fails after successfully allocating at least one\\ninterrupt. This happens because its_vpe_irq_domain_free() frees the\\ninterrupts along with the area bitmap and the vprop_page and\\nits_vpe_irq_domain_alloc() subsequently frees the area bitmap and the\\nvprop_page again.\\n\\nFix this by unconditionally invoking its_vpe_irq_domain_free() which\\nhandles all cases correctly and by removing the bitmap/vprop_page freeing\\nfrom its_vpe_irq_domain_alloc().\\n\\n[ tglx: Massaged change log ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35847\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35848", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35848" + }, + { + "url": "https://git.kernel.org/stable/c/26d32bec4c6d255a03762f33c637bfa3718be15a" + }, + { + "url": "https://git.kernel.org/stable/c/2af84c46b9b8f2d6c0f88d09ee5c849ae1734676" + }, + { + "url": "https://git.kernel.org/stable/c/6d8b56ec0c8f30d5657382f47344a32569f7a9bc" + }, + { + "url": "https://git.kernel.org/stable/c/c43e5028f5a35331eb25017f5ff6cc21735005c6" + }, + { + "url": "https://git.kernel.org/stable/c/c850f71fca09ea41800ed55905980063d17e01da" + }, + { + "url": "https://git.kernel.org/stable/c/f42c97027fb75776e2e9358d16bf4a99aeb04cf2" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35848 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35848", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: at24: fix memory corruption race condition\n\nIf the eeprom is not accessible, an nvmem device will be registered, the\nread will fail, and the device will be torn down. If another driver\naccesses the nvmem device after the teardown, it will reference\ninvalid memory.\n\nMove the failure point before registering the nvmem device.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35848\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35848\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35848\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35848\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35848\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/26d32bec4c6d255a03762f33c637bfa3718be15a\",\n \"https://git.kernel.org/stable/c/2af84c46b9b8f2d6c0f88d09ee5c849ae1734676\",\n \"https://git.kernel.org/stable/c/6d8b56ec0c8f30d5657382f47344a32569f7a9bc\",\n \"https://git.kernel.org/stable/c/c43e5028f5a35331eb25017f5ff6cc21735005c6\",\n \"https://git.kernel.org/stable/c/c850f71fca09ea41800ed55905980063d17e01da\",\n \"https://git.kernel.org/stable/c/f42c97027fb75776e2e9358d16bf4a99aeb04cf2\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\neeprom: at24: fix memory corruption race condition\\n\\nIf the eeprom is not accessible, an nvmem device will be registered, the\\nread will fail, and the device will be torn down. If another driver\\naccesses the nvmem device after the teardown, it will reference\\ninvalid memory.\\n\\nMove the failure point before registering the nvmem device.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35848\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35849", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35849" + }, + { + "url": "https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf" + }, + { + "url": "https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6" + }, + { + "url": "https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc" + }, + { + "url": "https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772" + }, + { + "url": "https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86" + }, + { + "url": "https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6" + }, + { + "url": "https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d" + }, + { + "url": "https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35849 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35849", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\n\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Uninit was created at:\n __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n __do_kmalloc_node mm/slub.c:3954 [inline]\n __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n kmalloc_node include/linux/slab.h:648 [inline]\n kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n kvmalloc include/linux/slab.h:766 [inline]\n init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Bytes 40-65535 of 65536 are uninitialized\n Memory access of size 65536 starts at ffff888045a40000\n\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\n\nFix this by using kvzalloc() which zeroes out the memory on allocation.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35849\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35849\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35849\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35849\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35849\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf\",\n \"https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6\",\n \"https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc\",\n \"https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772\",\n \"https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86\",\n \"https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6\",\n \"https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d\",\n \"https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\\n\\nSyzbot reported the following information leak for in\\nbtrfs_ioctl_logical_to_ino():\\n\\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n _copy_to_user+0xbc/0x110 lib/usercopy.c:40\\n copy_to_user include/linux/uaccess.h:191 [inline]\\n btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\\n btrfs_ioctl+0x714/0x1260\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:904 [inline]\\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\n Uninit was created at:\\n __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\\n __do_kmalloc_node mm/slub.c:3954 [inline]\\n __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\\n kmalloc_node include/linux/slab.h:648 [inline]\\n kvmalloc_node+0xc0/0x2d0 mm/util.c:634\\n kvmalloc include/linux/slab.h:766 [inline]\\n init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\\n btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\\n btrfs_ioctl+0x714/0x1260\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:904 [inline]\\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\n Bytes 40-65535 of 65536 are uninitialized\\n Memory access of size 65536 starts at ffff888045a40000\\n\\nThis happens, because we're copying a 'struct btrfs_data_container' back\\nto user-space. This btrfs_data_container is allocated in\\n'init_data_container()' via kvmalloc(), which does not zero-fill the\\nmemory.\\n\\nFix this by using kvzalloc() which zeroes out the memory on allocation.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35849\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35851", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35851" + }, + { + "url": "https://git.kernel.org/stable/c/52f9041deaca3fc5c40ef3b9cb943993ec7d2489" + }, + { + "url": "https://git.kernel.org/stable/c/6b47cdeb786c38e4174319218db3fa6d7b4bba88" + }, + { + "url": "https://git.kernel.org/stable/c/73e87c0a49fda31d7b589edccf4c72e924411371" + }, + { + "url": "https://git.kernel.org/stable/c/b64092d2f108f0cd1d7fd7e176f5fb2a67a2f189" + }, + { + "url": "https://git.kernel.org/stable/c/e60502b907be350c518819297b565007a94c706d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35851 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35851", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix NULL-deref on non-serdev suspend\n\nQualcomm ROME controllers can be registered from the Bluetooth line\ndiscipline and in this case the HCI UART serdev pointer is NULL.\n\nAdd the missing sanity check to prevent a NULL-pointer dereference when\nwakeup() is called for a non-serdev controller during suspend.\n\nJust return true for now to restore the original behaviour and address\nthe crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657\n(\"Bluetooth: hci_qca: only assign wakeup with serial port support\") that\ncauses the crash to happen already at setup() time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35851\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35851\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35851\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35851\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35851\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/52f9041deaca3fc5c40ef3b9cb943993ec7d2489\",\n \"https://git.kernel.org/stable/c/6b47cdeb786c38e4174319218db3fa6d7b4bba88\",\n \"https://git.kernel.org/stable/c/73e87c0a49fda31d7b589edccf4c72e924411371\",\n \"https://git.kernel.org/stable/c/b64092d2f108f0cd1d7fd7e176f5fb2a67a2f189\",\n \"https://git.kernel.org/stable/c/e60502b907be350c518819297b565007a94c706d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: qca: fix NULL-deref on non-serdev suspend\\n\\nQualcomm ROME controllers can be registered from the Bluetooth line\\ndiscipline and in this case the HCI UART serdev pointer is NULL.\\n\\nAdd the missing sanity check to prevent a NULL-pointer dereference when\\nwakeup() is called for a non-serdev controller during suspend.\\n\\nJust return true for now to restore the original behaviour and address\\nthe crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657\\n(\\\"Bluetooth: hci_qca: only assign wakeup with serial port support\\\") that\\ncauses the crash to happen already at setup() time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35851\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35852", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35852" + }, + { + "url": "https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758" + }, + { + "url": "https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04" + }, + { + "url": "https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f" + }, + { + "url": "https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d" + }, + { + "url": "https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d" + }, + { + "url": "https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab" + }, + { + "url": "https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35852 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35852", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work\n\nThe rehash delayed work is rescheduled with a delay if the number of\ncredits at end of the work is not negative as supposedly it means that\nthe migration ended. Otherwise, it is rescheduled immediately.\n\nAfter \"mlxsw: spectrum_acl_tcam: Fix possible use-after-free during\nrehash\" the above is no longer accurate as a non-negative number of\ncredits is no longer indicative of the migration being done. It can also\nhappen if the work encountered an error in which case the migration will\nresume the next time the work is scheduled.\n\nThe significance of the above is that it is possible for the work to be\npending and associated with hints that were allocated when the migration\nstarted. This leads to the hints being leaked [1] when the work is\ncanceled while pending as part of ACL region dismantle.\n\nFix by freeing the hints if hints are associated with a work that was\ncanceled while pending.\n\nBlame the original commit since the reliance on not having a pending\nwork associated with hints is fragile.\n\n[1]\nunreferenced object 0xffff88810e7c3000 (size 256):\n comm \"kworker/0:16\", pid 176, jiffies 4295460353\n hex dump (first 32 bytes):\n 00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......\n 00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........\n backtrace (crc 2544ddb9):\n [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0\n [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390\n [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400\n [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\n [<00000000e81fd734>] process_one_work+0x59c/0xf20\n [<00000000ceee9e81>] worker_thread+0x799/0x12c0\n [<00000000bda6fe39>] kthread+0x246/0x300\n [<0000000070056d23>] ret_from_fork+0x34/0x70\n [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35852\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35852\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35852\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35852\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35852\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758\",\n \"https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04\",\n \"https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f\",\n \"https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d\",\n \"https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d\",\n \"https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab\",\n \"https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work\\n\\nThe rehash delayed work is rescheduled with a delay if the number of\\ncredits at end of the work is not negative as supposedly it means that\\nthe migration ended. Otherwise, it is rescheduled immediately.\\n\\nAfter \\\"mlxsw: spectrum_acl_tcam: Fix possible use-after-free during\\nrehash\\\" the above is no longer accurate as a non-negative number of\\ncredits is no longer indicative of the migration being done. It can also\\nhappen if the work encountered an error in which case the migration will\\nresume the next time the work is scheduled.\\n\\nThe significance of the above is that it is possible for the work to be\\npending and associated with hints that were allocated when the migration\\nstarted. This leads to the hints being leaked [1] when the work is\\ncanceled while pending as part of ACL region dismantle.\\n\\nFix by freeing the hints if hints are associated with a work that was\\ncanceled while pending.\\n\\nBlame the original commit since the reliance on not having a pending\\nwork associated with hints is fragile.\\n\\n[1]\\nunreferenced object 0xffff88810e7c3000 (size 256):\\n comm \\\"kworker/0:16\\\", pid 176, jiffies 4295460353\\n hex dump (first 32 bytes):\\n 00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......\\n 00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........\\n backtrace (crc 2544ddb9):\\n [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0\\n [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390\\n [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400\\n [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\\n [<00000000e81fd734>] process_one_work+0x59c/0xf20\\n [<00000000ceee9e81>] worker_thread+0x799/0x12c0\\n [<00000000bda6fe39>] kthread+0x246/0x300\\n [<0000000070056d23>] ret_from_fork+0x34/0x70\\n [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35852\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35853", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35853" + }, + { + "url": "https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf" + }, + { + "url": "https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e" + }, + { + "url": "https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1" + }, + { + "url": "https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977" + }, + { + "url": "https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d" + }, + { + "url": "https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76" + }, + { + "url": "https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35853 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35853", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\n\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk iterating over all the\nfilters.\n\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\n\nEach virtual chunk references two chunks: The currently used one\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\n\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\n\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\n\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35853\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35853\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35853\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35853\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35853\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf\",\n \"https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e\",\n \"https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1\",\n \"https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977\",\n \"https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d\",\n \"https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76\",\n \"https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\\n\\nThe rehash delayed work migrates filters from one region to another.\\nThis is done by iterating over all chunks (all the filters with the same\\npriority) in the region and in each chunk iterating over all the\\nfilters.\\n\\nIf the migration fails, the code tries to migrate the filters back to\\nthe old region. However, the rollback itself can also fail in which case\\nanother migration will be erroneously performed. Besides the fact that\\nthis ping pong is not a very good idea, it also creates a problem.\\n\\nEach virtual chunk references two chunks: The currently used one\\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\\nfirst holds the chunk we want to migrate filters to and the second holds\\nthe chunk we are migrating filters from.\\n\\nThe code currently assumes - but does not verify - that the backup chunk\\ndoes not exist (NULL) if the currently used chunk does not reference the\\ntarget region. This assumption breaks when we are trying to rollback a\\nrollback, resulting in the backup chunk being overwritten and leaked\\n[1].\\n\\nFix by not rolling back a failed rollback and add a warning to avoid\\nfuture cases.\\n\\n[1]\\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\\nModules linked in:\\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:parman_destroy+0x17/0x20\\n[...]\\nCall Trace:\\n \\n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\\n process_one_work+0x151/0x370\\n worker_thread+0x2cb/0x3e0\\n kthread+0xd0/0x100\\n ret_from_fork+0x34/0x50\\n ret_from_fork_asm+0x1a/0x30\\n \",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 4.7\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35853\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35854", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35854" + }, + { + "url": "https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049" + }, + { + "url": "https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121" + }, + { + "url": "https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519" + }, + { + "url": "https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887" + }, + { + "url": "https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1" + }, + { + "url": "https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1" + }, + { + "url": "https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35854 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35854", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\n\nThe rehash delayed work migrates filters from one region to another\naccording to the number of available credits.\n\nThe migrated from region is destroyed at the end of the work if the\nnumber of credits is non-negative as the assumption is that this is\nindicative of migration being complete. This assumption is incorrect as\na non-negative number of credits can also be the result of a failed\nmigration.\n\nThe destruction of a region that still has filters referencing it can\nresult in a use-after-free [1].\n\nFix by not destroying the region if migration failed.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\n\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 174:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 7:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35854\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35854\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35854\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35854\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35854\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049\",\n \"https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121\",\n \"https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519\",\n \"https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887\",\n \"https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1\",\n \"https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1\",\n \"https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\\n\\nThe rehash delayed work migrates filters from one region to another\\naccording to the number of available credits.\\n\\nThe migrated from region is destroyed at the end of the work if the\\nnumber of credits is non-negative as the assumption is that this is\\nindicative of migration being complete. This assumption is incorrect as\\na non-negative number of credits can also be the result of a failed\\nmigration.\\n\\nThe destruction of a region that still has filters referencing it can\\nresult in a use-after-free [1].\\n\\nFix by not destroying the region if migration failed.\\n\\n[1]\\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\\n\\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nCall Trace:\\n \\n dump_stack_lvl+0xc6/0x120\\n print_report+0xce/0x670\\n kasan_report+0xd7/0x110\\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\\n \\n\\nAllocated by task 174:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n __kasan_kmalloc+0x8f/0xa0\\n __kmalloc+0x19c/0x360\\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\\n\\nFreed by task 7:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n kasan_save_free_info+0x3b/0x60\\n poison_slab_object+0x102/0x170\\n __kasan_slab_free+0x14/0x30\\n kfree+0xc1/0x290\\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35854\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35855", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35855" + }, + { + "url": "https://git.kernel.org/stable/c/1b73f6e4ea770410a937a8db98f77e52594d23a0" + }, + { + "url": "https://git.kernel.org/stable/c/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4" + }, + { + "url": "https://git.kernel.org/stable/c/b183b915beef818a25e3154d719ca015a1ae0770" + }, + { + "url": "https://git.kernel.org/stable/c/b996e8699da810e4c915841d6aaef761007f933a" + }, + { + "url": "https://git.kernel.org/stable/c/c17976b42d546ee118ca300db559630ee96fb758" + }, + { + "url": "https://git.kernel.org/stable/c/e24d2487424779c02760ff50cd9021b8676e19ef" + }, + { + "url": "https://git.kernel.org/stable/c/feabdac2057e863d0e140a2adf3d232eb4882db4" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35855 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35855", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\n\nThe rule activity update delayed work periodically traverses the list of\nconfigured rules and queries their activity from the device.\n\nAs part of this task it accesses the entry pointed by 'ventry->entry',\nbut this entry can be changed concurrently by the rehash delayed work,\nleading to a use-after-free [1].\n\nFix by closing the race and perform the activity query under the\n'vregion->lock' mutex.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\n\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35855\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35855\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35855\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35855\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35855\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b73f6e4ea770410a937a8db98f77e52594d23a0\",\n \"https://git.kernel.org/stable/c/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4\",\n \"https://git.kernel.org/stable/c/b183b915beef818a25e3154d719ca015a1ae0770\",\n \"https://git.kernel.org/stable/c/b996e8699da810e4c915841d6aaef761007f933a\",\n \"https://git.kernel.org/stable/c/c17976b42d546ee118ca300db559630ee96fb758\",\n \"https://git.kernel.org/stable/c/e24d2487424779c02760ff50cd9021b8676e19ef\",\n \"https://git.kernel.org/stable/c/feabdac2057e863d0e140a2adf3d232eb4882db4\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\\n\\nThe rule activity update delayed work periodically traverses the list of\\nconfigured rules and queries their activity from the device.\\n\\nAs part of this task it accesses the entry pointed by 'ventry->entry',\\nbut this entry can be changed concurrently by the rehash delayed work,\\nleading to a use-after-free [1].\\n\\nFix by closing the race and perform the activity query under the\\n'vregion->lock' mutex.\\n\\n[1]\\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\\n\\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\\nCall Trace:\\n \\n dump_stack_lvl+0xc6/0x120\\n print_report+0xce/0x670\\n kasan_report+0xd7/0x110\\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\\n \\n\\nAllocated by task 1039:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n __kasan_kmalloc+0x8f/0xa0\\n __kmalloc+0x19c/0x360\\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\\n\\nFreed by task 1039:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n kasan_save_free_info+0x3b/0x60\\n poison_slab_object+0x102/0x170\\n __kasan_slab_free+0x14/0x30\\n kfree+0xc1/0x290\\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35855\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35857", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35857" + }, + { + "url": "https://git.kernel.org/stable/c/23b7ee4a8d559bf38eac7ce5bb2f6ebf76f9c401" + }, + { + "url": "https://git.kernel.org/stable/c/3e2979bf080c40da4f7c93aff8575ab8bc62b767" + }, + { + "url": "https://git.kernel.org/stable/c/599c9ad5e1d43f5c12d869f5fd406ba5d8c55270" + }, + { + "url": "https://git.kernel.org/stable/c/c58e88d49097bd12dfcfef4f075b43f5d5830941" + }, + { + "url": "https://git.kernel.org/stable/c/d68dc711d84fdcf698e5d45308c3ddeede586350" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35857 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35857", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: prevent possible NULL dereferences from icmp_build_probe()\n\nFirst problem is a double call to __in_dev_get_rcu(), because\nthe second one could return NULL.\n\nif (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)\n\nSecond problem is a read from dev->ip6_ptr with no NULL check:\n\nif (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))\n\nUse the correct RCU API to fix these.\n\nv2: add missing include ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35857\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35857\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35857\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35857\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35857\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23b7ee4a8d559bf38eac7ce5bb2f6ebf76f9c401\",\n \"https://git.kernel.org/stable/c/3e2979bf080c40da4f7c93aff8575ab8bc62b767\",\n \"https://git.kernel.org/stable/c/599c9ad5e1d43f5c12d869f5fd406ba5d8c55270\",\n \"https://git.kernel.org/stable/c/c58e88d49097bd12dfcfef4f075b43f5d5830941\",\n \"https://git.kernel.org/stable/c/d68dc711d84fdcf698e5d45308c3ddeede586350\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nicmp: prevent possible NULL dereferences from icmp_build_probe()\\n\\nFirst problem is a double call to __in_dev_get_rcu(), because\\nthe second one could return NULL.\\n\\nif (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)\\n\\nSecond problem is a read from dev->ip6_ptr with no NULL check:\\n\\nif (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))\\n\\nUse the correct RCU API to fix these.\\n\\nv2: add missing include \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35857\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35861", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35861" + }, + { + "url": "https://git.kernel.org/stable/c/2cfff21732132e363b4cc275d63ea98f1af726c1" + }, + { + "url": "https://git.kernel.org/stable/c/7e8360ac8774e19b0b25f44fff84a105bb2417e4" + }, + { + "url": "https://git.kernel.org/stable/c/e0e50401cc3921c9eaf1b0e667db174519ea939f" + }, + { + "url": "https://git.kernel.org/stable/c/f9a96a7ad1e8d25dc6662bc7552e0752de74a20d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35861 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35861", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35861\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35861\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35861\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35861\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35861\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2cfff21732132e363b4cc275d63ea98f1af726c1\",\n \"https://git.kernel.org/stable/c/7e8360ac8774e19b0b25f44fff84a105bb2417e4\",\n \"https://git.kernel.org/stable/c/e0e50401cc3921c9eaf1b0e667db174519ea939f\",\n \"https://git.kernel.org/stable/c/f9a96a7ad1e8d25dc6662bc7552e0752de74a20d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35861\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35862", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35862" + }, + { + "url": "https://git.kernel.org/stable/c/63981561ffd2d4987807df4126f96a11e18b0c1d" + }, + { + "url": "https://git.kernel.org/stable/c/aa582b33f94453fdeaff1e7d0aa252c505975e01" + }, + { + "url": "https://git.kernel.org/stable/c/d919b6ea15ffa56fbafef4a1d92f47aeda9af645" + }, + { + "url": "https://git.kernel.org/stable/c/f9414004798d9742c1af23a1d839fe6a9503751c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35862 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35862", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_network_name_deleted()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35862\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35862\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35862\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35862\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35862\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/63981561ffd2d4987807df4126f96a11e18b0c1d\",\n \"https://git.kernel.org/stable/c/aa582b33f94453fdeaff1e7d0aa252c505975e01\",\n \"https://git.kernel.org/stable/c/d919b6ea15ffa56fbafef4a1d92f47aeda9af645\",\n \"https://git.kernel.org/stable/c/f9414004798d9742c1af23a1d839fe6a9503751c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in smb2_is_network_name_deleted()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35862\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35863", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35863" + }, + { + "url": "https://git.kernel.org/stable/c/0a15ba88a32fa7a516aff7ffd27befed5334dff2" + }, + { + "url": "https://git.kernel.org/stable/c/16d58c6a7db5050b9638669084b63fc05f951825" + }, + { + "url": "https://git.kernel.org/stable/c/494c91e1e9413b407d12166a61b84200d4d54fac" + }, + { + "url": "https://git.kernel.org/stable/c/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35863 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35863", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35863\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35863\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35863\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35863\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35863\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a15ba88a32fa7a516aff7ffd27befed5334dff2\",\n \"https://git.kernel.org/stable/c/16d58c6a7db5050b9638669084b63fc05f951825\",\n \"https://git.kernel.org/stable/c/494c91e1e9413b407d12166a61b84200d4d54fac\",\n \"https://git.kernel.org/stable/c/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in is_valid_oplock_break()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35863\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35864", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35864" + }, + { + "url": "https://git.kernel.org/stable/c/705c76fbf726c7a2f6ff9143d4013b18daaaebf1" + }, + { + "url": "https://git.kernel.org/stable/c/a8344e2b69bde63f713b0aa796d70dbeadffddfb" + }, + { + "url": "https://git.kernel.org/stable/c/c868cabdf6fdd61bea54532271f4708254e57fc5" + }, + { + "url": "https://git.kernel.org/stable/c/f92739fdd4522c4291277136399353d7c341fae4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35864 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35864", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_lease_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35864\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35864\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35864\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35864\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35864\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/705c76fbf726c7a2f6ff9143d4013b18daaaebf1\",\n \"https://git.kernel.org/stable/c/a8344e2b69bde63f713b0aa796d70dbeadffddfb\",\n \"https://git.kernel.org/stable/c/c868cabdf6fdd61bea54532271f4708254e57fc5\",\n \"https://git.kernel.org/stable/c/f92739fdd4522c4291277136399353d7c341fae4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in smb2_is_valid_lease_break()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35864\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35865", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35865" + }, + { + "url": "https://git.kernel.org/stable/c/21fed37d2bdcde33453faf61d3d4d96c355f04bd" + }, + { + "url": "https://git.kernel.org/stable/c/22863485a4626ec6ecf297f4cc0aef709bc862e4" + }, + { + "url": "https://git.kernel.org/stable/c/3dba0e5276f131e36d6d8043191d856f49238628" + }, + { + "url": "https://git.kernel.org/stable/c/84488466b7a69570bdbf76dd9576847ab97d54e7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35865 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35865", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35865\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35865\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35865\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35865\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35865\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21fed37d2bdcde33453faf61d3d4d96c355f04bd\",\n \"https://git.kernel.org/stable/c/22863485a4626ec6ecf297f4cc0aef709bc862e4\",\n \"https://git.kernel.org/stable/c/3dba0e5276f131e36d6d8043191d856f49238628\",\n \"https://git.kernel.org/stable/c/84488466b7a69570bdbf76dd9576847ab97d54e7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in smb2_is_valid_oplock_break()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35865\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35866", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35866" + }, + { + "url": "https://git.kernel.org/stable/c/10e17ca4000ec34737bde002a13435c38ace2682" + }, + { + "url": "https://git.kernel.org/stable/c/3103163ccd3be4adcfa37e15608fb497be044113" + }, + { + "url": "https://git.kernel.org/stable/c/58acd1f497162e7d282077f816faa519487be045" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35866 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35866", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_dump_full_key()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35866\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35866\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35866\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35866\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35866\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10e17ca4000ec34737bde002a13435c38ace2682\",\n \"https://git.kernel.org/stable/c/3103163ccd3be4adcfa37e15608fb497be044113\",\n \"https://git.kernel.org/stable/c/58acd1f497162e7d282077f816faa519487be045\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in cifs_dump_full_key()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35866\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35867", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35867" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/29/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65" + }, + { + "url": "https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49" + }, + { + "url": "https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7" + }, + { + "url": "https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35867 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35867", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35867\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35867\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35867\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35867\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35867\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/29/2\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65\",\n \"https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49\",\n \"https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7\",\n \"https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in cifs_stats_proc_show()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35867\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35868", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35868" + }, + { + "url": "https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b" + }, + { + "url": "https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72" + }, + { + "url": "https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7" + }, + { + "url": "https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35868 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35868", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_write()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35868\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35868\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35868\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35868\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35868\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b\",\n \"https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72\",\n \"https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7\",\n \"https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in cifs_stats_proc_write()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35868\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35869", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35869" + }, + { + "url": "https://git.kernel.org/stable/c/062a7f0ff46eb57aff526897bd2bebfdb1d3046a" + }, + { + "url": "https://git.kernel.org/stable/c/645f332c6b63499cc76197f9b6bffcc659ba64cc" + }, + { + "url": "https://git.kernel.org/stable/c/e1db9ae87b7148c021daee1fcc4bc71b2ac58a79" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35869 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35869", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: guarantee refcounted children from parent session\n\nAvoid potential use-after-free bugs when walking DFS referrals,\nmounting and performing DFS failover by ensuring that all children\nfrom parent @tcon->ses are also refcounted. They're all needed across\nthe entire DFS mount. Get rid of @tcon->dfs_ses_list while we're at\nit, too.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35869\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35869\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35869\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35869\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35869\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/062a7f0ff46eb57aff526897bd2bebfdb1d3046a\",\n \"https://git.kernel.org/stable/c/645f332c6b63499cc76197f9b6bffcc659ba64cc\",\n \"https://git.kernel.org/stable/c/e1db9ae87b7148c021daee1fcc4bc71b2ac58a79\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: guarantee refcounted children from parent session\\n\\nAvoid potential use-after-free bugs when walking DFS referrals,\\nmounting and performing DFS failover by ensuring that all children\\nfrom parent @tcon->ses are also refcounted. They're all needed across\\nthe entire DFS mount. Get rid of @tcon->dfs_ses_list while we're at\\nit, too.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35869\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35870", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35870" + }, + { + "url": "https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa" + }, + { + "url": "https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5" + }, + { + "url": "https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35870 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35870", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in smb2_reconnect_server()\n\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\nis already being teared down by another thread that is executing\n__cifs_put_smb_ses(). This can happen when (a) the client has\nconnection to the server but no session or (b) another thread ends up\nsetting @ses->ses_status again to something different than\nSES_EXITING.\n\nTo fix this, we need to make sure to unconditionally set\n@ses->ses_status to SES_EXITING and prevent any other threads from\nsetting a new status while we're still tearing it down.\n\nThe following can be reproduced by adding some delay to right after\nthe ipc is freed in __cifs_put_smb_ses() - which will give\nsmb2_reconnect_server() worker a chance to run and then accessing\n@ses->ipc:\n\nkinit ...\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\n[disconnect srv]\nls /mnt/1 &>/dev/null\nsleep 30\nkdestroy\n[reconnect srv]\nsleep 10\numount /mnt/1\n...\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\ngeneral protection fault, probably for non-canonical address\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? die_addr+0x36/0x90\n ? exc_general_protection+0x1c1/0x3f0\n ? asm_exc_general_protection+0x26/0x30\n ? __list_del_entry_valid_or_report+0x33/0xf0\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\n smb2_reconnect_server+0x4ed/0x710 [cifs]\n process_one_work+0x205/0x6b0\n worker_thread+0x191/0x360\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe2/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35870\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35870\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35870\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35870\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35870\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa\",\n \"https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5\",\n \"https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix UAF in smb2_reconnect_server()\\n\\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\\nis already being teared down by another thread that is executing\\n__cifs_put_smb_ses(). This can happen when (a) the client has\\nconnection to the server but no session or (b) another thread ends up\\nsetting @ses->ses_status again to something different than\\nSES_EXITING.\\n\\nTo fix this, we need to make sure to unconditionally set\\n@ses->ses_status to SES_EXITING and prevent any other threads from\\nsetting a new status while we're still tearing it down.\\n\\nThe following can be reproduced by adding some delay to right after\\nthe ipc is freed in __cifs_put_smb_ses() - which will give\\nsmb2_reconnect_server() worker a chance to run and then accessing\\n@ses->ipc:\\n\\nkinit ...\\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\\n[disconnect srv]\\nls /mnt/1 &>/dev/null\\nsleep 30\\nkdestroy\\n[reconnect srv]\\nsleep 10\\numount /mnt/1\\n...\\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\\nCIFS: VFS: \\\\\\\\srv Send error in SessSetup = -126\\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\\nCIFS: VFS: \\\\\\\\srv Send error in SessSetup = -126\\ngeneral protection fault, probably for non-canonical address\\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\\n04/01/2014\\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\\nknlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? die_addr+0x36/0x90\\n ? exc_general_protection+0x1c1/0x3f0\\n ? asm_exc_general_protection+0x26/0x30\\n ? __list_del_entry_valid_or_report+0x33/0xf0\\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\\n smb2_reconnect_server+0x4ed/0x710 [cifs]\\n process_one_work+0x205/0x6b0\\n worker_thread+0x191/0x360\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xe2/0x110\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x34/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1a/0x30\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35870\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35871", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35871" + }, + { + "url": "https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4" + }, + { + "url": "https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5" + }, + { + "url": "https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8" + }, + { + "url": "https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9" + }, + { + "url": "https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef" + }, + { + "url": "https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35871 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35871", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: process: Fix kernel gp leakage\n\nchildregs represents the registers which are active for the new thread\nin user context. For a kernel thread, childregs->gp is never used since\nthe kernel gp is not touched by switch_to. For a user mode helper, the\ngp value can be observed in user space after execve or possibly by other\nmeans.\n\n[From the email thread]\n\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\n\nchildregs is the *user* context during syscall execution and it is observable\nfrom userspace in at least five ways:\n\n1. kernel_execve does not currently clear integer registers, so the starting\n register state for PID 1 and other user processes started by the kernel has\n sp = user stack, gp = kernel __global_pointer$, all other integer registers\n zeroed by the memset in the patch comment.\n\n This is a bug in its own right, but I'm unwilling to bet that it is the only\n way to exploit the issue addressed by this patch.\n\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\n before it execs, but ptrace requires SIGSTOP to be delivered which can only\n happen at user/kernel boundaries.\n\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\n user_mode_helpers before the exec completes, but gp is not one of the\n registers it returns.\n\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\n addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\n are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\n LOCKDOWN_PERF. I have not attempted to write exploit code.\n\n5. Much of the tracing infrastructure allows access to user registers. I have\n not attempted to determine which forms of tracing allow access to user\n registers without already allowing access to kernel registers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35871\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35871\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35871\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35871\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35871\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4\",\n \"https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5\",\n \"https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8\",\n \"https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9\",\n \"https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef\",\n \"https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: process: Fix kernel gp leakage\\n\\nchildregs represents the registers which are active for the new thread\\nin user context. For a kernel thread, childregs->gp is never used since\\nthe kernel gp is not touched by switch_to. For a user mode helper, the\\ngp value can be observed in user space after execve or possibly by other\\nmeans.\\n\\n[From the email thread]\\n\\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\\n\\nchildregs is the *user* context during syscall execution and it is observable\\nfrom userspace in at least five ways:\\n\\n1. kernel_execve does not currently clear integer registers, so the starting\\n register state for PID 1 and other user processes started by the kernel has\\n sp = user stack, gp = kernel __global_pointer$, all other integer registers\\n zeroed by the memset in the patch comment.\\n\\n This is a bug in its own right, but I'm unwilling to bet that it is the only\\n way to exploit the issue addressed by this patch.\\n\\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\\n before it execs, but ptrace requires SIGSTOP to be delivered which can only\\n happen at user/kernel boundaries.\\n\\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\\n user_mode_helpers before the exec completes, but gp is not one of the\\n registers it returns.\\n\\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\\n addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\\n are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\\n LOCKDOWN_PERF. I have not attempted to write exploit code.\\n\\n5. Much of the tracing infrastructure allows access to user registers. I have\\n not attempted to determine which forms of tracing allow access to user\\n registers without already allowing access to kernel registers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35871\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35872", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35872" + }, + { + "url": "https://git.kernel.org/stable/c/201e4aaf405dfd1308da54448654053004c579b5" + }, + { + "url": "https://git.kernel.org/stable/c/43fad1d0284de30159661d0badfc3cbaf7e6f8f8" + }, + { + "url": "https://git.kernel.org/stable/c/65291dcfcf8936e1b23cfd7718fdfde7cfaf7706" + }, + { + "url": "https://git.kernel.org/stable/c/6564b014af92b677c1f07c44d7f5b595d589cf6e" + }, + { + "url": "https://git.kernel.org/stable/c/9c2b4b657739ecda38e3b383354a29566955ac48" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35872 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35872", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix GUP-fast succeeding on secretmem folios\n\nfolio_is_secretmem() currently relies on secretmem folios being LRU\nfolios, to save some cycles.\n\nHowever, folios might reside in a folio batch without the LRU flag set, or\ntemporarily have their LRU flag cleared. Consequently, the LRU flag is\nunreliable for this purpose.\n\nIn particular, this is the case when secretmem_fault() allocates a fresh\npage and calls filemap_add_folio()->folio_add_lru(). The folio might be\nadded to the per-cpu folio batch and won't get the LRU flag set until the\nbatch was drained using e.g., lru_add_drain().\n\nConsequently, folio_is_secretmem() might not detect secretmem folios and\nGUP-fast can succeed in grabbing a secretmem folio, crashing the kernel\nwhen we would later try reading/writing to the folio, because the folio\nhas been unmapped from the directmap.\n\nFix it by removing that unreliable check.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35872\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35872\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35872\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35872\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35872\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/201e4aaf405dfd1308da54448654053004c579b5\",\n \"https://git.kernel.org/stable/c/43fad1d0284de30159661d0badfc3cbaf7e6f8f8\",\n \"https://git.kernel.org/stable/c/65291dcfcf8936e1b23cfd7718fdfde7cfaf7706\",\n \"https://git.kernel.org/stable/c/6564b014af92b677c1f07c44d7f5b595d589cf6e\",\n \"https://git.kernel.org/stable/c/9c2b4b657739ecda38e3b383354a29566955ac48\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/secretmem: fix GUP-fast succeeding on secretmem folios\\n\\nfolio_is_secretmem() currently relies on secretmem folios being LRU\\nfolios, to save some cycles.\\n\\nHowever, folios might reside in a folio batch without the LRU flag set, or\\ntemporarily have their LRU flag cleared. Consequently, the LRU flag is\\nunreliable for this purpose.\\n\\nIn particular, this is the case when secretmem_fault() allocates a fresh\\npage and calls filemap_add_folio()->folio_add_lru(). The folio might be\\nadded to the per-cpu folio batch and won't get the LRU flag set until the\\nbatch was drained using e.g., lru_add_drain().\\n\\nConsequently, folio_is_secretmem() might not detect secretmem folios and\\nGUP-fast can succeed in grabbing a secretmem folio, crashing the kernel\\nwhen we would later try reading/writing to the folio, because the folio\\nhas been unmapped from the directmap.\\n\\nFix it by removing that unreliable check.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35872\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35875", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35875" + }, + { + "url": "https://git.kernel.org/stable/c/08044b08b37528b82f70a87576c692b4e4b7716e" + }, + { + "url": "https://git.kernel.org/stable/c/22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374" + }, + { + "url": "https://git.kernel.org/stable/c/453b5f2dec276c1bb4ea078bf8c0da57ee4627e5" + }, + { + "url": "https://git.kernel.org/stable/c/99485c4c026f024e7cb82da84c7951dbe3deb584" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35875 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35875", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/coco: Require seeding RNG with RDRAND on CoCo systems\n\nThere are few uses of CoCo that don't rely on working cryptography and\nhence a working RNG. Unfortunately, the CoCo threat model means that the\nVM host cannot be trusted and may actively work against guests to\nextract secrets or manipulate computation. Since a malicious host can\nmodify or observe nearly all inputs to guests, the only remaining source\nof entropy for CoCo guests is RDRAND.\n\nIf RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole\nis meant to gracefully continue on gathering entropy from other sources,\nbut since there aren't other sources on CoCo, this is catastrophic.\nThis is mostly a concern at boot time when initially seeding the RNG, as\nafter that the consequences of a broken RDRAND are much more\ntheoretical.\n\nSo, try at boot to seed the RNG using 256 bits of RDRAND output. If this\nfails, panic(). This will also trigger if the system is booted without\nRDRAND, as RDRAND is essential for a safe CoCo boot.\n\nAdd this deliberately to be \"just a CoCo x86 driver feature\" and not\npart of the RNG itself. Many device drivers and platforms have some\ndesire to contribute something to the RNG, and add_device_randomness()\nis specifically meant for this purpose.\n\nAny driver can call it with seed data of any quality, or even garbage\nquality, and it can only possibly make the quality of the RNG better or\nhave no effect, but can never make it worse.\n\nRather than trying to build something into the core of the RNG, consider\nthe particular CoCo issue just a CoCo issue, and therefore separate it\nall out into driver (well, arch/platform) code.\n\n [ bp: Massage commit message. ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35875\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35875\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35875\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35875\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35875\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08044b08b37528b82f70a87576c692b4e4b7716e\",\n \"https://git.kernel.org/stable/c/22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374\",\n \"https://git.kernel.org/stable/c/453b5f2dec276c1bb4ea078bf8c0da57ee4627e5\",\n \"https://git.kernel.org/stable/c/99485c4c026f024e7cb82da84c7951dbe3deb584\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/coco: Require seeding RNG with RDRAND on CoCo systems\\n\\nThere are few uses of CoCo that don't rely on working cryptography and\\nhence a working RNG. Unfortunately, the CoCo threat model means that the\\nVM host cannot be trusted and may actively work against guests to\\nextract secrets or manipulate computation. Since a malicious host can\\nmodify or observe nearly all inputs to guests, the only remaining source\\nof entropy for CoCo guests is RDRAND.\\n\\nIf RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole\\nis meant to gracefully continue on gathering entropy from other sources,\\nbut since there aren't other sources on CoCo, this is catastrophic.\\nThis is mostly a concern at boot time when initially seeding the RNG, as\\nafter that the consequences of a broken RDRAND are much more\\ntheoretical.\\n\\nSo, try at boot to seed the RNG using 256 bits of RDRAND output. If this\\nfails, panic(). This will also trigger if the system is booted without\\nRDRAND, as RDRAND is essential for a safe CoCo boot.\\n\\nAdd this deliberately to be \\\"just a CoCo x86 driver feature\\\" and not\\npart of the RNG itself. Many device drivers and platforms have some\\ndesire to contribute something to the RNG, and add_device_randomness()\\nis specifically meant for this purpose.\\n\\nAny driver can call it with seed data of any quality, or even garbage\\nquality, and it can only possibly make the quality of the RNG better or\\nhave no effect, but can never make it worse.\\n\\nRather than trying to build something into the core of the RNG, consider\\nthe particular CoCo issue just a CoCo issue, and therefore separate it\\nall out into driver (well, arch/platform) code.\\n\\n [ bp: Massage commit message. ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35875\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35877", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35877" + }, + { + "url": "https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221" + }, + { + "url": "https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173" + }, + { + "url": "https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6" + }, + { + "url": "https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec" + }, + { + "url": "https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a" + }, + { + "url": "https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f" + }, + { + "url": "https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4" + }, + { + "url": "https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35877 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35877", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: fix VM_PAT handling in COW mappings\n\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios. Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\n\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\n\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\n\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\n\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode. We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\n\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\n\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\n\n<--- C reproducer --->\n #include \n #include \n #include \n #include \n\n int main(void)\n {\n struct io_uring_params p = {};\n int ring_fd;\n size_t size;\n char *map;\n\n ring_fd = io_uring_setup(1, &p);\n if (ring_fd < 0) {\n perror(\"io_uring_setup\");\n return 1;\n }\n size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\n\n /* Map the submission queue ring MAP_PRIVATE */\n map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n ring_fd, IORING_OFF_SQ_RING);\n if (map == MAP_FAILED) {\n perror(\"mmap\");\n return 1;\n }\n\n /* We have at least one page. Let's COW it. */\n *map = 0;\n pause();\n return 0;\n }\n<--- C reproducer --->\n\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[ 301.552930] ------------[ cut here ]------------\n[ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[ 301.565725] PKRU: 55555554\n[ 301.565944] Call Trace:\n[ 301.566148] \n[ 301.566325] ? untrack_pfn+0xf4/0x100\n[ 301.566618] ? __warn+0x81/0x130\n[ 301.566876] ? untrack_pfn+0xf4/0x100\n[ 3\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35877\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35877\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35877\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35877\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35877\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221\",\n \"https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173\",\n \"https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6\",\n \"https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec\",\n \"https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a\",\n \"https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f\",\n \"https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4\",\n \"https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/mm/pat: fix VM_PAT handling in COW mappings\\n\\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\\nin fact, all PTEs) can be replaced during write faults to point at anon\\nfolios. Reliably recovering the correct PFN and cachemode using\\nfollow_phys() from PTEs will not work in COW mappings.\\n\\nUsing follow_phys(), we might just get the address+protection of the anon\\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\\ntrack_pfn_copy(), not properly calling free_pfn_range().\\n\\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\\nit with the wrong range, possibly leaking memory.\\n\\nTo fix that, let's update follow_phys() to refuse returning anon folios,\\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\\nif we run into that.\\n\\nWe will now properly handle untrack_pfn() with COW mappings, where we\\ndon't need the cachemode. We'll have to fail fork()->track_pfn_copy() if\\nthe first page was replaced by an anon folio, though: we'd have to store\\nthe cachemode in the VMA to make this work, likely growing the VMA size.\\n\\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\\ncase: it would have failed in the past with swap/nonswap entries already,\\nand it would have done the wrong thing with anon folios.\\n\\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\\n\\n<--- C reproducer --->\\n #include \\n #include \\n #include \\n #include \\n\\n int main(void)\\n {\\n struct io_uring_params p = {};\\n int ring_fd;\\n size_t size;\\n char *map;\\n\\n ring_fd = io_uring_setup(1, &p);\\n if (ring_fd < 0) {\\n perror(\\\"io_uring_setup\\\");\\n return 1;\\n }\\n size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\\n\\n /* Map the submission queue ring MAP_PRIVATE */\\n map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\\n ring_fd, IORING_OFF_SQ_RING);\\n if (map == MAP_FAILED) {\\n perror(\\\"mmap\\\");\\n return 1;\\n }\\n\\n /* We have at least one page. Let's COW it. */\\n *map = 0;\\n pause();\\n return 0;\\n }\\n<--- C reproducer --->\\n\\nOn a system with 16 GiB RAM and swap configured:\\n # ./iouring &\\n # memhog 16G\\n # killall iouring\\n[ 301.552930] ------------[ cut here ]------------\\n[ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\\n[ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\\n[ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\\n[ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\\n[ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\\n[ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\\n[ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\\n[ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\\n[ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\\n[ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\\n[ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\\n[ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\\n[ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\\n[ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\\n[ 301.565725] PKRU: 55555554\\n[ 301.565944] Call Trace:\\n[ 301.566148] \\n[ 301.566325] ? untrack_pfn+0xf4/0x100\\n[ 301.566618] ? __warn+0x81/0x130\\n[ 301.566876] ? untrack_pfn+0xf4/0x100\\n[ 3\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35877\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35878", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35878" + }, + { + "url": "https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898" + }, + { + "url": "https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987" + }, + { + "url": "https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35878 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35878", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: prevent NULL pointer dereference in vsnprintf()\n\nIn of_modalias(), we can get passed the str and len parameters which would\ncause a kernel oops in vsnprintf() since it only allows passing a NULL ptr\nwhen the length is also 0. Also, we need to filter out the negative values\nof the len parameter as these will result in a really huge buffer since\nsnprintf() takes size_t parameter while ours is ssize_t...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35878\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35878\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35878\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35878\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35878\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898\",\n \"https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987\",\n \"https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nof: module: prevent NULL pointer dereference in vsnprintf()\\n\\nIn of_modalias(), we can get passed the str and len parameters which would\\ncause a kernel oops in vsnprintf() since it only allows passing a NULL ptr\\nwhen the length is also 0. Also, we need to filter out the negative values\\nof the len parameter as these will result in a really huge buffer since\\nsnprintf() takes size_t parameter while ours is ssize_t...\\n\\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\\nanalysis tool.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35878\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35879", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35879" + }, + { + "url": "https://git.kernel.org/stable/c/3127b2ee50c424a96eb3559fbb7b43cf0b111c7a" + }, + { + "url": "https://git.kernel.org/stable/c/3ee2424107546d882e1ddd75333ca9c32879908c" + }, + { + "url": "https://git.kernel.org/stable/c/7b6df050c45a1ea158fd50bc32a8e1447dd1e951" + }, + { + "url": "https://git.kernel.org/stable/c/801c8b8ec5bfb3519566dff16a5ecd48302fca82" + }, + { + "url": "https://git.kernel.org/stable/c/8917e7385346bd6584890ed362985c219fe6ae84" + }, + { + "url": "https://git.kernel.org/stable/c/ae6d76e4f06c37a623e357e79d49b17411db6f5c" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35879 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35879", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\n\nIn the following sequence:\n 1) of_platform_depopulate()\n 2) of_overlay_remove()\n\nDuring the step 1, devices are destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n ERROR: memory leak, expected refcount 1 instead of 2 ...\n\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\n\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35879\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35879\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35879\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35879\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35879\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3127b2ee50c424a96eb3559fbb7b43cf0b111c7a\",\n \"https://git.kernel.org/stable/c/3ee2424107546d882e1ddd75333ca9c32879908c\",\n \"https://git.kernel.org/stable/c/7b6df050c45a1ea158fd50bc32a8e1447dd1e951\",\n \"https://git.kernel.org/stable/c/801c8b8ec5bfb3519566dff16a5ecd48302fca82\",\n \"https://git.kernel.org/stable/c/8917e7385346bd6584890ed362985c219fe6ae84\",\n \"https://git.kernel.org/stable/c/ae6d76e4f06c37a623e357e79d49b17411db6f5c\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\\n\\nIn the following sequence:\\n 1) of_platform_depopulate()\\n 2) of_overlay_remove()\\n\\nDuring the step 1, devices are destroyed and devlinks are removed.\\nDuring the step 2, OF nodes are destroyed but\\n__of_changeset_entry_destroy() can raise warnings related to missing\\nof_node_put():\\n ERROR: memory leak, expected refcount 1 instead of 2 ...\\n\\nIndeed, during the devlink removals performed at step 1, the removal\\nitself releasing the device (and the attached of_node) is done by a job\\nqueued in a workqueue and so, it is done asynchronously with respect to\\nfunction calls.\\nWhen the warning is present, of_node_put() will be called but wrongly\\ntoo late from the workqueue job.\\n\\nIn order to be sure that any ongoing devlink removals are done before\\nthe of_node destruction, synchronize the of_changeset_destroy() with the\\ndevlink removals.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35879\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35884", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35884" + }, + { + "url": "https://git.kernel.org/stable/c/3001e7aa43d6691db2a878b0745b854bf12ddd19" + }, + { + "url": "https://git.kernel.org/stable/c/3391b157780bbedf8ef9f202cbf10ee90bf6b0f8" + }, + { + "url": "https://git.kernel.org/stable/c/35fe0e0b5c00bef7dde74842a2564c43856fbce4" + }, + { + "url": "https://git.kernel.org/stable/c/3d010c8031e39f5fa1e8b13ada77e0321091011f" + }, + { + "url": "https://git.kernel.org/stable/c/d12245080cb259d82b34699f6cd4ec11bdb688bd" + }, + { + "url": "https://git.kernel.org/stable/c/d49ae15a5767d4e9ef8bbb79e42df1bfebc94670" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35884 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35884", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: do not accept non-tunnel GSO skbs landing in a tunnel\n\nWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed when\nbeing forwarded. If such packets might land in a tunnel this can cause\nvarious issues and udp_gro_receive makes sure this isn't the case by\nlooking for a matching socket. This is performed in\nudp4/6_gro_lookup_skb but only in the current netns. This is an issue\nwith tunneled packets when the endpoint is in another netns. In such\ncases the packets will be GROed at the UDP level, which leads to various\nissues later on. The same thing can happen with rx-gro-list.\n\nWe saw this with geneve packets being GROed at the UDP level. In such\ncase gso_size is set; later the packet goes through the geneve rx path,\nthe geneve header is pulled, the offset are adjusted and frag_list skbs\nare not adjusted with regard to geneve. When those skbs hit\nskb_fragment, it will misbehave. Different outcomes are possible\ndepending on what the GROed skbs look like; from corrupted packets to\nkernel crashes.\n\nOne example is a BUG_ON[1] triggered in skb_segment while processing the\nfrag_list. Because gso_size is wrong (geneve header was pulled)\nskb_segment thinks there is \"geneve header size\" of data in frag_list,\nalthough it's in fact the next packet. The BUG_ON itself has nothing to\ndo with the issue. This is only one of the potential issues.\n\nLooking up for a matching socket in udp_gro_receive is fragile: the\nlookup could be extended to all netns (not speaking about performances)\nbut nothing prevents those packets from being modified in between and we\ncould still not find a matching socket. It's OK to keep the current\nlogic there as it should cover most cases but we also need to make sure\nwe handle tunnel packets being GROed too early.\n\nThis is done by extending the checks in udp_unexpected_gso: GSO packets\nlacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must\nbe segmented.\n\n[1] kernel BUG at net/core/skbuff.c:4408!\n RIP: 0010:skb_segment+0xd2a/0xf70\n __udp_gso_segment+0xaa/0x560", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35884\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35884\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35884\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35884\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35884\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3001e7aa43d6691db2a878b0745b854bf12ddd19\",\n \"https://git.kernel.org/stable/c/3391b157780bbedf8ef9f202cbf10ee90bf6b0f8\",\n \"https://git.kernel.org/stable/c/35fe0e0b5c00bef7dde74842a2564c43856fbce4\",\n \"https://git.kernel.org/stable/c/3d010c8031e39f5fa1e8b13ada77e0321091011f\",\n \"https://git.kernel.org/stable/c/d12245080cb259d82b34699f6cd4ec11bdb688bd\",\n \"https://git.kernel.org/stable/c/d49ae15a5767d4e9ef8bbb79e42df1bfebc94670\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nudp: do not accept non-tunnel GSO skbs landing in a tunnel\\n\\nWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed when\\nbeing forwarded. If such packets might land in a tunnel this can cause\\nvarious issues and udp_gro_receive makes sure this isn't the case by\\nlooking for a matching socket. This is performed in\\nudp4/6_gro_lookup_skb but only in the current netns. This is an issue\\nwith tunneled packets when the endpoint is in another netns. In such\\ncases the packets will be GROed at the UDP level, which leads to various\\nissues later on. The same thing can happen with rx-gro-list.\\n\\nWe saw this with geneve packets being GROed at the UDP level. In such\\ncase gso_size is set; later the packet goes through the geneve rx path,\\nthe geneve header is pulled, the offset are adjusted and frag_list skbs\\nare not adjusted with regard to geneve. When those skbs hit\\nskb_fragment, it will misbehave. Different outcomes are possible\\ndepending on what the GROed skbs look like; from corrupted packets to\\nkernel crashes.\\n\\nOne example is a BUG_ON[1] triggered in skb_segment while processing the\\nfrag_list. Because gso_size is wrong (geneve header was pulled)\\nskb_segment thinks there is \\\"geneve header size\\\" of data in frag_list,\\nalthough it's in fact the next packet. The BUG_ON itself has nothing to\\ndo with the issue. This is only one of the potential issues.\\n\\nLooking up for a matching socket in udp_gro_receive is fragile: the\\nlookup could be extended to all netns (not speaking about performances)\\nbut nothing prevents those packets from being modified in between and we\\ncould still not find a matching socket. It's OK to keep the current\\nlogic there as it should cover most cases but we also need to make sure\\nwe handle tunnel packets being GROed too early.\\n\\nThis is done by extending the checks in udp_unexpected_gso: GSO packets\\nlacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must\\nbe segmented.\\n\\n[1] kernel BUG at net/core/skbuff.c:4408!\\n RIP: 0010:skb_segment+0xd2a/0xf70\\n __udp_gso_segment+0xaa/0x560\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35884\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35885", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35885" + }, + { + "url": "https://git.kernel.org/stable/c/09ba28e1cd3cf715daab1fca6e1623e22fd754a6" + }, + { + "url": "https://git.kernel.org/stable/c/36a1cb0371aa6f0698910ee70cb4ed3c349f4fa4" + }, + { + "url": "https://git.kernel.org/stable/c/63a10b530e22cc923008b5925821c26872f37971" + }, + { + "url": "https://git.kernel.org/stable/c/80247e0eca14ff177d565f58ecd3010f6b7910a4" + }, + { + "url": "https://git.kernel.org/stable/c/9783b3b0e71d704949214a8f76468f591a31f3f5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35885 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35885", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: stop interface during shutdown\n\nThe mlxbf_gige driver intermittantly encounters a NULL pointer\nexception while the system is shutting down via \"reboot\" command.\nThe mlxbf_driver will experience an exception right after executing\nits shutdown() method. One example of this exception is:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\nMem abort info:\n ESR = 0x0000000096000004\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000004\n CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000\n[0000000000000070] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] SMP\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S OE 5.15.0-bf.6.gef6992a #1\nHardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\nlr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\nsp : ffff8000080d3c10\nx29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58\nx26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008\nx23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128\nx20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff\nx17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7\nx14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101\nx11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404\nx8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080\nx5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\n mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\n __napi_poll+0x40/0x1c8\n net_rx_action+0x314/0x3a0\n __do_softirq+0x128/0x334\n run_ksoftirqd+0x54/0x6c\n smpboot_thread_fn+0x14c/0x190\n kthread+0x10c/0x110\n ret_from_fork+0x10/0x20\nCode: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)\n---[ end trace 7cc3941aa0d8e6a4 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\nKernel Offset: 0x4ce722520000 from 0xffff800008000000\nPHYS_OFFSET: 0x80000000\nCPU features: 0x000005c1,a3330e5a\nMemory Limit: none\n---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nDuring system shutdown, the mlxbf_gige driver's shutdown() is always executed.\nHowever, the driver's stop() method will only execute if networking interface\nconfiguration logic within the Linux distribution has been setup to do so.\n\nIf shutdown() executes but stop() does not execute, NAPI remains enabled\nand this can lead to an exception if NAPI is scheduled while the hardware\ninterface has only been partially deinitialized.\n\nThe networking interface managed by the mlxbf_gige driver must be properly\nstopped during system shutdown so that IFF_UP is cleared, the hardware\ninterface is put into a clean state, and NAPI is fully deinitialized.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35885\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35885\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35885\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35885\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35885\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09ba28e1cd3cf715daab1fca6e1623e22fd754a6\",\n \"https://git.kernel.org/stable/c/36a1cb0371aa6f0698910ee70cb4ed3c349f4fa4\",\n \"https://git.kernel.org/stable/c/63a10b530e22cc923008b5925821c26872f37971\",\n \"https://git.kernel.org/stable/c/80247e0eca14ff177d565f58ecd3010f6b7910a4\",\n \"https://git.kernel.org/stable/c/9783b3b0e71d704949214a8f76468f591a31f3f5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxbf_gige: stop interface during shutdown\\n\\nThe mlxbf_gige driver intermittantly encounters a NULL pointer\\nexception while the system is shutting down via \\\"reboot\\\" command.\\nThe mlxbf_driver will experience an exception right after executing\\nits shutdown() method. One example of this exception is:\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\\nMem abort info:\\n ESR = 0x0000000096000004\\n EC = 0x25: DABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x04: level 0 translation fault\\nData abort info:\\n ISV = 0, ISS = 0x00000004\\n CM = 0, WnR = 0\\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000\\n[0000000000000070] pgd=0000000000000000, p4d=0000000000000000\\nInternal error: Oops: 96000004 [#1] SMP\\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S OE 5.15.0-bf.6.gef6992a #1\\nHardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023\\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\\nlr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\\nsp : ffff8000080d3c10\\nx29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58\\nx26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008\\nx23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128\\nx20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff\\nx17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7\\nx14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101\\nx11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404\\nx8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080\\nx5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001\\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\\nCall trace:\\n mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\\n mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\\n __napi_poll+0x40/0x1c8\\n net_rx_action+0x314/0x3a0\\n __do_softirq+0x128/0x334\\n run_ksoftirqd+0x54/0x6c\\n smpboot_thread_fn+0x14c/0x190\\n kthread+0x10c/0x110\\n ret_from_fork+0x10/0x20\\nCode: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)\\n---[ end trace 7cc3941aa0d8e6a4 ]---\\nKernel panic - not syncing: Oops: Fatal exception in interrupt\\nKernel Offset: 0x4ce722520000 from 0xffff800008000000\\nPHYS_OFFSET: 0x80000000\\nCPU features: 0x000005c1,a3330e5a\\nMemory Limit: none\\n---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\\n\\nDuring system shutdown, the mlxbf_gige driver's shutdown() is always executed.\\nHowever, the driver's stop() method will only execute if networking interface\\nconfiguration logic within the Linux distribution has been setup to do so.\\n\\nIf shutdown() executes but stop() does not execute, NAPI remains enabled\\nand this can lead to an exception if NAPI is scheduled while the hardware\\ninterface has only been partially deinitialized.\\n\\nThe networking interface managed by the mlxbf_gige driver must be properly\\nstopped during system shutdown so that IFF_UP is cleared, the hardware\\ninterface is put into a clean state, and NAPI is fully deinitialized.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35885\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35886", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35886" + }, + { + "url": "https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2" + }, + { + "url": "https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778" + }, + { + "url": "https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061" + }, + { + "url": "https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe" + }, + { + "url": "https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985" + }, + { + "url": "https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae" + }, + { + "url": "https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776" + }, + { + "url": "https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35886 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35886", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix infinite recursion in fib6_dump_done().\n\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction. [1]\n\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated. The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection. [0]\n\n 12:01:34 executing program 3:\n r0 = socket$nl_route(0x10, 0x3, 0x0)\n sendmsg$nl_route(r0, ... snip ...)\n recvmmsg(r0, ... snip ...) (fail_nth: 8)\n\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\n\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\n\nTo avoid the issue, let's set the destructor after kzalloc().\n\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\n\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n \n \n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35886\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35886\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35886\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35886\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35886\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2\",\n \"https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778\",\n \"https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061\",\n \"https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe\",\n \"https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985\",\n \"https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae\",\n \"https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776\",\n \"https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: Fix infinite recursion in fib6_dump_done().\\n\\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\\nnetlink socket destruction. [1]\\n\\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\\nthe response was generated. The following recvmmsg() resumed the dump\\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\\nto the fault injection. [0]\\n\\n 12:01:34 executing program 3:\\n r0 = socket$nl_route(0x10, 0x3, 0x0)\\n sendmsg$nl_route(r0, ... snip ...)\\n recvmmsg(r0, ... snip ...) (fail_nth: 8)\\n\\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped\\nreceiving the response halfway through, and finally netlink_sock_destruct()\\ncalled nlk_sk(sk)->cb.done().\\n\\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\\nis still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\\nitself recursively and hitting the stack guard page.\\n\\nTo avoid the issue, let's set the destructor after kzalloc().\\n\\n[0]:\\nFAULT_INJECTION: forcing a failure.\\nname failslab, interval 1, probability 0, space 0, times 0\\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\nCall Trace:\\n \\n dump_stack_lvl (lib/dump_stack.c:117)\\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\\n should_failslab (mm/slub.c:3733)\\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\\n rtnl_dump_all (net/core/rtnetlink.c:4029)\\n netlink_dump (net/netlink/af_netlink.c:2269)\\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\\n ___sys_recvmsg (net/socket.c:2846)\\n do_recvmmsg (net/socket.c:2943)\\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\\n\\n[1]:\\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\nWorkqueue: events netlink_sock_destruct_work\\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\\nFS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\\nPKRU: 55555554\\nCall Trace:\\n <#DF>\\n \\n \\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\\n ...\\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\\n sk_destruct (net/core/sock.c:2224)\\n __sk_free (net/core/sock.c:2235)\\n sk_free (net/core/sock.c:2246)\\n process_one_work (kernel/workqueue.c:3259)\\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35886\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35887", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35887" + }, + { + "url": "https://git.kernel.org/stable/c/74204bf9050f7627aead9875fe4e07ba125cb19b" + }, + { + "url": "https://git.kernel.org/stable/c/c6a368f9c7af4c14b14d390c2543af8001c9bdb9" + }, + { + "url": "https://git.kernel.org/stable/c/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35887 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35887", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\n\nWhen the ax25 device is detaching, the ax25_dev_device_down()\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\nthe timer handler is running, the ax25_ds_del_timer() that\ncalls del_timer() in it will return directly. As a result,\nthe use-after-free bugs could happen, one of the scenarios\nis shown below:\n\n (Thread 1) | (Thread 2)\n | ax25_ds_timeout()\nax25_dev_device_down() |\n ax25_ds_del_timer() |\n del_timer() |\n ax25_dev_put() //FREE |\n | ax25_dev-> //USE\n\nIn order to mitigate bugs, when the device is detaching, use\ntimer_shutdown_sync() to stop the timer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35887\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35887\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35887\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35887\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35887\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/74204bf9050f7627aead9875fe4e07ba125cb19b\",\n \"https://git.kernel.org/stable/c/c6a368f9c7af4c14b14d390c2543af8001c9bdb9\",\n \"https://git.kernel.org/stable/c/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\\n\\nWhen the ax25 device is detaching, the ax25_dev_device_down()\\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\\nthe timer handler is running, the ax25_ds_del_timer() that\\ncalls del_timer() in it will return directly. As a result,\\nthe use-after-free bugs could happen, one of the scenarios\\nis shown below:\\n\\n (Thread 1) | (Thread 2)\\n | ax25_ds_timeout()\\nax25_dev_device_down() |\\n ax25_ds_del_timer() |\\n del_timer() |\\n ax25_dev_put() //FREE |\\n | ax25_dev-> //USE\\n\\nIn order to mitigate bugs, when the device is detaching, use\\ntimer_shutdown_sync() to stop the timer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35887\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35888", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35888" + }, + { + "url": "https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac" + }, + { + "url": "https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446" + }, + { + "url": "https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0" + }, + { + "url": "https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d" + }, + { + "url": "https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d" + }, + { + "url": "https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85" + }, + { + "url": "https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5" + }, + { + "url": "https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35888 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35888", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: make sure erspan_base_hdr is present in skb->head\n\nsyzbot reported a problem in ip6erspan_rcv() [1]\n\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb->head)\nbefore getting @ver field from it.\n\nAdd the missing pskb_may_pull() calls.\n\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n because skb->head might have changed.\n\n[1]\n\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n pskb_may_pull include/linux/skbuff.h:2756 [inline]\n ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n dst_input include/net/dst.h:460 [inline]\n ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n netif_receive_skb_internal net/core/dev.c:5738 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n tun_alloc_skb drivers/net/tun.c:1525 [inline]\n tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35888\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35888\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35888\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35888\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35888\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac\",\n \"https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446\",\n \"https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0\",\n \"https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d\",\n \"https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d\",\n \"https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85\",\n \"https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5\",\n \"https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nerspan: make sure erspan_base_hdr is present in skb->head\\n\\nsyzbot reported a problem in ip6erspan_rcv() [1]\\n\\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\\nsure erspan_base_hdr is present in skb linear part (skb->head)\\nbefore getting @ver field from it.\\n\\nAdd the missing pskb_may_pull() calls.\\n\\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\\n because skb->head might have changed.\\n\\n[1]\\n\\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\\n pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\\n pskb_may_pull include/linux/skbuff.h:2756 [inline]\\n ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\\n gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\\n ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\\n NF_HOOK include/linux/netfilter.h:314 [inline]\\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\\n dst_input include/net/dst.h:460 [inline]\\n ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\\n NF_HOOK include/linux/netfilter.h:314 [inline]\\n ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\\n __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\\n __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\\n netif_receive_skb_internal net/core/dev.c:5738 [inline]\\n netif_receive_skb+0x58/0x660 net/core/dev.c:5798\\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\\n tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\\n call_write_iter include/linux/fs.h:2108 [inline]\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0xb63/0x1520 fs/read_write.c:590\\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\\n __do_sys_write fs/read_write.c:655 [inline]\\n __se_sys_write fs/read_write.c:652 [inline]\\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3804 [inline]\\n slab_alloc_node mm/slub.c:3845 [inline]\\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\\n alloc_skb include/linux/skbuff.h:1318 [inline]\\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\\n tun_alloc_skb drivers/net/tun.c:1525 [inline]\\n tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\\n call_write_iter include/linux/fs.h:2108 [inline]\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0xb63/0x1520 fs/read_write.c:590\\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\\n __do_sys_write fs/read_write.c:655 [inline]\\n __se_sys_write fs/read_write.c:652 [inline]\\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35888\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35890", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35890" + }, + { + "url": "https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad" + }, + { + "url": "https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f" + }, + { + "url": "https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f" + }, + { + "url": "https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486" + }, + { + "url": "https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35890 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35890", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngro: fix ownership transfer\n\nIf packets are GROed with fraglist they might be segmented later on and\ncontinue their journey in the stack. In skb_segment_list those skbs can\nbe reused as-is. This is an issue as their destructor was removed in\nskb_gro_receive_list but not the reference to their socket, and then\nthey can't be orphaned. Fix this by also removing the reference to the\nsocket.\n\nFor example this could be observed,\n\n kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)\n RIP: 0010:ip6_rcv_core+0x11bc/0x19a0\n Call Trace:\n ipv6_list_rcv+0x250/0x3f0\n __netif_receive_skb_list_core+0x49d/0x8f0\n netif_receive_skb_list_internal+0x634/0xd40\n napi_complete_done+0x1d2/0x7d0\n gro_cell_poll+0x118/0x1f0\n\nA similar construction is found in skb_gro_receive, apply the same\nchange there.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35890\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35890\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35890\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35890\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35890\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad\",\n \"https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f\",\n \"https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f\",\n \"https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486\",\n \"https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngro: fix ownership transfer\\n\\nIf packets are GROed with fraglist they might be segmented later on and\\ncontinue their journey in the stack. In skb_segment_list those skbs can\\nbe reused as-is. This is an issue as their destructor was removed in\\nskb_gro_receive_list but not the reference to their socket, and then\\nthey can't be orphaned. Fix this by also removing the reference to the\\nsocket.\\n\\nFor example this could be observed,\\n\\n kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)\\n RIP: 0010:ip6_rcv_core+0x11bc/0x19a0\\n Call Trace:\\n ipv6_list_rcv+0x250/0x3f0\\n __netif_receive_skb_list_core+0x49d/0x8f0\\n netif_receive_skb_list_internal+0x634/0xd40\\n napi_complete_done+0x1d2/0x7d0\\n gro_cell_poll+0x118/0x1f0\\n\\nA similar construction is found in skb_gro_receive, apply the same\\nchange there.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35890\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35892", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35892" + }, + { + "url": "https://git.kernel.org/stable/c/07696415526bee0607e495017369c7303a4792e1" + }, + { + "url": "https://git.kernel.org/stable/c/7eb322360b0266481e560d1807ee79e0cef5742b" + }, + { + "url": "https://git.kernel.org/stable/c/b7d1ce2cc7192e8a037faa3f5d3ba72c25976460" + }, + { + "url": "https://git.kernel.org/stable/c/c040b99461a5bfc14c2d0cbb1780fcc3a4706c7e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35892 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35892", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix lockdep splat in qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() is called with the qdisc lock held,\nnot RTNL.\n\nWe must use qdisc_lookup_rcu() instead of qdisc_lookup()\n\nsyzbot reported:\n\nWARNING: suspicious RCU usage\n6.1.74-syzkaller #0 Not tainted\n-----------------------------\nnet/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n3 locks held by udevd/1142:\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792\n\nstack backtrace:\nCPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n \n [] __dump_stack lib/dump_stack.c:88 [inline]\n [] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106\n [] dump_stack+0x15/0x1e lib/dump_stack.c:113\n [] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592\n [] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305\n [] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811\n [] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51\n [] qdisc_enqueue include/net/sch_generic.h:833 [inline]\n [] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723\n [] dequeue_skb net/sched/sch_generic.c:292 [inline]\n [] qdisc_restart net/sched/sch_generic.c:397 [inline]\n [] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415\n [] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\n [] net_tx_action+0x7c9/0x970 net/core/dev.c:5313\n [] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616\n [] invoke_softirq kernel/softirq.c:447 [inline]\n [] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700\n [] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712\n [] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107\n [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35892\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35892\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35892\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35892\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35892\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07696415526bee0607e495017369c7303a4792e1\",\n \"https://git.kernel.org/stable/c/7eb322360b0266481e560d1807ee79e0cef5742b\",\n \"https://git.kernel.org/stable/c/b7d1ce2cc7192e8a037faa3f5d3ba72c25976460\",\n \"https://git.kernel.org/stable/c/c040b99461a5bfc14c2d0cbb1780fcc3a4706c7e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: fix lockdep splat in qdisc_tree_reduce_backlog()\\n\\nqdisc_tree_reduce_backlog() is called with the qdisc lock held,\\nnot RTNL.\\n\\nWe must use qdisc_lookup_rcu() instead of qdisc_lookup()\\n\\nsyzbot reported:\\n\\nWARNING: suspicious RCU usage\\n6.1.74-syzkaller #0 Not tainted\\n-----------------------------\\nnet/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!\\n\\nother info that might help us debug this:\\n\\nrcu_scheduler_active = 2, debug_locks = 1\\n3 locks held by udevd/1142:\\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282\\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]\\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297\\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792\\n\\nstack backtrace:\\nCPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\\nCall Trace:\\n \\n [] __dump_stack lib/dump_stack.c:88 [inline]\\n [] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106\\n [] dump_stack+0x15/0x1e lib/dump_stack.c:113\\n [] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592\\n [] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305\\n [] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811\\n [] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51\\n [] qdisc_enqueue include/net/sch_generic.h:833 [inline]\\n [] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723\\n [] dequeue_skb net/sched/sch_generic.c:292 [inline]\\n [] qdisc_restart net/sched/sch_generic.c:397 [inline]\\n [] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415\\n [] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\\n [] net_tx_action+0x7c9/0x970 net/core/dev.c:5313\\n [] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616\\n [] invoke_softirq kernel/softirq.c:447 [inline]\\n [] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700\\n [] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712\\n [] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107\\n [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35892\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35893" + }, + { + "url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366" + }, + { + "url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5" + }, + { + "url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924" + }, + { + "url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c" + }, + { + "url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14" + }, + { + "url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd" + }, + { + "url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec" + }, + { + "url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366\",\n \"https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5\",\n \"https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924\",\n \"https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c\",\n \"https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14\",\n \"https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd\",\n \"https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec\",\n \"https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_skbmod: prevent kernel-infoleak\\n\\nsyzbot found that tcf_skbmod_dump() was copying four bytes\\nfrom kernel stack to user space [1].\\n\\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\\n\\nWe need to clear the structure before filling fields.\\n\\n[1]\\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n copy_to_user_iter lib/iov_iter.c:24 [inline]\\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\\n copy_to_iter include/linux/uio.h:196 [inline]\\n simple_copy_to_iter net/core/datagram.c:532 [inline]\\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\\n sock_recvmsg_nosec net/socket.c:1046 [inline]\\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\\n __do_sys_recvfrom net/socket.c:2260 [inline]\\n __se_sys_recvfrom net/socket.c:2256 [inline]\\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was stored to memory at:\\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\\n nlmsg_unicast include/net/netlink.h:1144 [inline]\\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\\n tcf_add_notify net/sched/act_api.c:2048 [inline]\\n tcf_action_add net/sched/act_api.c:2071 [inline]\\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\\n __sys_sendmsg net/socket.c:2667 [inline]\\n __do_sys_sendmsg net/socket.c:2676 [inline]\\n __se_sys_sendmsg net/socket.c:2674 [inline]\\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was stored to memory at:\\n __nla_put lib/nlattr.c:1041 [inline]\\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\\n tcf_add_notify net/sched/act_api.c:2042 [inline]\\n tcf_action_add net/sched/act_api.c:2071 [inline]\\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35895", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35895" + }, + { + "url": "https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86" + }, + { + "url": "https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd" + }, + { + "url": "https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5" + }, + { + "url": "https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec" + }, + { + "url": "https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75" + }, + { + "url": "https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058" + }, + { + "url": "https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35895 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35895", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\n\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\n\n CPU0 CPU1\n ---- ----\n lock(&htab->buckets[i].lock);\n local_irq_disable();\n lock(&host->lock);\n lock(&htab->buckets[i].lock);\n \n lock(&host->lock);\n\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\n\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\n\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program today.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35895\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35895\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35895\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35895\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35895\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86\",\n \"https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd\",\n \"https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5\",\n \"https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec\",\n \"https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75\",\n \"https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058\",\n \"https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\\n\\nsyzkaller started using corpuses where a BPF tracing program deletes\\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\\ninvoked from any interrupt context, locks taken during a map_delete_elem\\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\\nis possible, as reported by lockdep:\\n\\n CPU0 CPU1\\n ---- ----\\n lock(&htab->buckets[i].lock);\\n local_irq_disable();\\n lock(&host->lock);\\n lock(&htab->buckets[i].lock);\\n \\n lock(&host->lock);\\n\\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\\nenabled, or in softirq context.\\n\\nDetect when map_delete_elem operation is invoked from a context which is\\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\\nerror.\\n\\nNote that map updates are not affected by this issue. BPF verifier does not\\nallow updating sockmap/sockhash from a BPF tracing program today.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35895\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35896", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35896" + }, + { + "url": "https://git.kernel.org/stable/c/0c83842df40f86e529db6842231154772c20edcc" + }, + { + "url": "https://git.kernel.org/stable/c/0f038242b77ddfc505bf4163d4904c1abd2e74d6" + }, + { + "url": "https://git.kernel.org/stable/c/18aae2cb87e5faa9c5bd865260ceadac60d5a6c5" + }, + { + "url": "https://git.kernel.org/stable/c/440e948cf0eff32cfe322dcbca3f2525354b159b" + }, + { + "url": "https://git.kernel.org/stable/c/58f2bfb789e6bd3bc24a2c9c1580f3c67aec3018" + }, + { + "url": "https://git.kernel.org/stable/c/81d51b9b7c95e791ba3c1a2dd77920a9d3b3f525" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35896 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35896", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: validate user input for expected length\n\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\n\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\n\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\n nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n \n\nAllocated by task 7238:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:4069 [inline]\n __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\n kmalloc_noprof include/linux/slab.h:664 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\n\nThe buggy address belongs to the object at ffff88802cd73da0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35896\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35896\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35896\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35896\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35896\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c83842df40f86e529db6842231154772c20edcc\",\n \"https://git.kernel.org/stable/c/0f038242b77ddfc505bf4163d4904c1abd2e74d6\",\n \"https://git.kernel.org/stable/c/18aae2cb87e5faa9c5bd865260ceadac60d5a6c5\",\n \"https://git.kernel.org/stable/c/440e948cf0eff32cfe322dcbca3f2525354b159b\",\n \"https://git.kernel.org/stable/c/58f2bfb789e6bd3bc24a2c9c1580f3c67aec3018\",\n \"https://git.kernel.org/stable/c/81d51b9b7c95e791ba3c1a2dd77920a9d3b3f525\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: validate user input for expected length\\n\\nI got multiple syzbot reports showing old bugs exposed\\nby BPF after commit 20f2505fb436 (\\\"bpf: Try to avoid kzalloc\\nin cgroup/{s,g}etsockopt\\\")\\n\\nsetsockopt() @optlen argument should be taken into account\\nbefore copying data.\\n\\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\\n\\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\\n do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\\n nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\\n __do_sys_setsockopt net/socket.c:2343 [inline]\\n __se_sys_setsockopt net/socket.c:2340 [inline]\\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\\n do_syscall_64+0xfb/0x240\\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\\nRIP: 0033:0x7fd22067dde9\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\\n \\n\\nAllocated by task 7238:\\n kasan_save_stack mm/kasan/common.c:47 [inline]\\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\\n kasan_kmalloc include/linux/kasan.h:211 [inline]\\n __do_kmalloc_node mm/slub.c:4069 [inline]\\n __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\\n kmalloc_noprof include/linux/slab.h:664 [inline]\\n __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\\n __do_sys_setsockopt net/socket.c:2343 [inline]\\n __se_sys_setsockopt net/socket.c:2340 [inline]\\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\\n do_syscall_64+0xfb/0x240\\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\\n\\nThe buggy address belongs to the object at ffff88802cd73da0\\n which belongs to the cache kmalloc-8 of size 8\\nThe buggy address is located 0 bytes inside of\\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\\n\\nThe buggy address belongs to the physical page:\\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\\npage_type: 0xffffefff(slab)\\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35896\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35897", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35897" + }, + { + "url": "https://git.kernel.org/stable/c/1bc83a019bbe268be3526406245ec28c2458a518" + }, + { + "url": "https://git.kernel.org/stable/c/2aeb805a1bcd5f27c8c0d1a9d4d653f16d1506f4" + }, + { + "url": "https://git.kernel.org/stable/c/6cbbe1ba76ee7e674a86abd43009b083a45838cb" + }, + { + "url": "https://git.kernel.org/stable/c/7f609f630951b624348373cef99991ce08831927" + }, + { + "url": "https://git.kernel.org/stable/c/9627fd0c6ea1c446741a33e67bc5709c59923827" + }, + { + "url": "https://git.kernel.org/stable/c/9a3b90904d8a072287480eed4c3ece4b99d64f78" + }, + { + "url": "https://git.kernel.org/stable/c/b58d0ac35f6d75ec1db8650a29dfd6f292c11362" + }, + { + "url": "https://git.kernel.org/stable/c/e75faf01e22ec7dc671640fa0e0968964fafd2fc" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35897 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35897", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: discard table flag update with pending basechain deletion\n\nHook unregistration is deferred to the commit phase, same occurs with\nhook updates triggered by the table dormant flag. When both commands are\ncombined, this results in deleting a basechain while leaving its hook\nstill registered in the core.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35897\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35897\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35897\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35897\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35897\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1bc83a019bbe268be3526406245ec28c2458a518\",\n \"https://git.kernel.org/stable/c/2aeb805a1bcd5f27c8c0d1a9d4d653f16d1506f4\",\n \"https://git.kernel.org/stable/c/6cbbe1ba76ee7e674a86abd43009b083a45838cb\",\n \"https://git.kernel.org/stable/c/7f609f630951b624348373cef99991ce08831927\",\n \"https://git.kernel.org/stable/c/9627fd0c6ea1c446741a33e67bc5709c59923827\",\n \"https://git.kernel.org/stable/c/9a3b90904d8a072287480eed4c3ece4b99d64f78\",\n \"https://git.kernel.org/stable/c/b58d0ac35f6d75ec1db8650a29dfd6f292c11362\",\n \"https://git.kernel.org/stable/c/e75faf01e22ec7dc671640fa0e0968964fafd2fc\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: discard table flag update with pending basechain deletion\\n\\nHook unregistration is deferred to the commit phase, same occurs with\\nhook updates triggered by the table dormant flag. When both commands are\\ncombined, this results in deleting a basechain while leaving its hook\\nstill registered in the core.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35897\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35898", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35898" + }, + { + "url": "https://git.kernel.org/stable/c/24225011d81b471acc0e1e315b7d9905459a6304" + }, + { + "url": "https://git.kernel.org/stable/c/2485bcfe05ee3cf9ca8923a94fa2e456924c79c8" + }, + { + "url": "https://git.kernel.org/stable/c/69d1fe14a680042ec913f22196b58e2c8ff1b007" + }, + { + "url": "https://git.kernel.org/stable/c/8b891153b2e4dc0ca9d9dab8f619d49c740813df" + }, + { + "url": "https://git.kernel.org/stable/c/940d41caa71f0d3a52df2fde5fada524a993e331" + }, + { + "url": "https://git.kernel.org/stable/c/9b5b7708ec2be21dd7ef8ca0e3abe4ae9f3b083b" + }, + { + "url": "https://git.kernel.org/stable/c/a347bc8e6251eaee4b619da28020641eb5b0dd77" + }, + { + "url": "https://git.kernel.org/stable/c/e684b1674fd1ca4361812a491242ae871d6b2859" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35898 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35898", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\n\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35898\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35898\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35898\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35898\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35898\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24225011d81b471acc0e1e315b7d9905459a6304\",\n \"https://git.kernel.org/stable/c/2485bcfe05ee3cf9ca8923a94fa2e456924c79c8\",\n \"https://git.kernel.org/stable/c/69d1fe14a680042ec913f22196b58e2c8ff1b007\",\n \"https://git.kernel.org/stable/c/8b891153b2e4dc0ca9d9dab8f619d49c740813df\",\n \"https://git.kernel.org/stable/c/940d41caa71f0d3a52df2fde5fada524a993e331\",\n \"https://git.kernel.org/stable/c/9b5b7708ec2be21dd7ef8ca0e3abe4ae9f3b083b\",\n \"https://git.kernel.org/stable/c/a347bc8e6251eaee4b619da28020641eb5b0dd77\",\n \"https://git.kernel.org/stable/c/e684b1674fd1ca4361812a491242ae871d6b2859\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\\n\\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\\nAnd thhere is not any protection when iterate over nf_tables_flowtables\\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\\ndata-race of nf_tables_flowtables list entry.\\n\\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\\nnft_flowtable_type_get() to protect the entire type query process.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35898\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35899" + }, + { + "url": "https://git.kernel.org/stable/c/24cea9677025e0de419989ecb692acd4bb34cac2" + }, + { + "url": "https://git.kernel.org/stable/c/333b5085522cf1898d5a0d92616046b414f631a7" + }, + { + "url": "https://git.kernel.org/stable/c/46c4481938e2ca62343b16ea83ab28f4c1733d31" + }, + { + "url": "https://git.kernel.org/stable/c/4e8447a9a3d367b5065a0b7abe101da6e0037b6e" + }, + { + "url": "https://git.kernel.org/stable/c/d2c9eb19fc3b11caebafde4c30a76a49203d18a6" + }, + { + "url": "https://git.kernel.org/stable/c/f4e14695fe805eb0f0cb36e0ad6a560b9f985e86" + }, + { + "url": "https://git.kernel.org/stable/c/f7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: flush pending destroy work before exit_net release\n\nSimilar to 2c9f0293280e (\"netfilter: nf_tables: flush pending destroy\nwork before netlink notifier\") to address a race between exit_net and\nthe destroy workqueue.\n\nThe trace below shows an element to be released via destroy workqueue\nwhile exit_net path (triggered via module removal) has already released\nthe set that is used in such transaction.\n\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\n[ 1360.547984] Call Trace:\n[ 1360.547991] \n[ 1360.547998] dump_stack_lvl+0x53/0x70\n[ 1360.548014] print_report+0xc4/0x610\n[ 1360.548026] ? __virt_addr_valid+0xba/0x160\n[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548176] kasan_report+0xae/0xe0\n[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\n[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30\n[ 1360.548591] process_one_work+0x2f1/0x670\n[ 1360.548610] worker_thread+0x4d3/0x760\n[ 1360.548627] ? __pfx_worker_thread+0x10/0x10\n[ 1360.548640] kthread+0x16b/0x1b0\n[ 1360.548653] ? __pfx_kthread+0x10/0x10\n[ 1360.548665] ret_from_fork+0x2f/0x50\n[ 1360.548679] ? __pfx_kthread+0x10/0x10\n[ 1360.548690] ret_from_fork_asm+0x1a/0x30\n[ 1360.548707] \n\n[ 1360.548719] Allocated by task 192061:\n[ 1360.548726] kasan_save_stack+0x20/0x40\n[ 1360.548739] kasan_save_track+0x14/0x30\n[ 1360.548750] __kasan_kmalloc+0x8f/0xa0\n[ 1360.548760] __kmalloc_node+0x1f1/0x450\n[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables]\n[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\n[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\n[ 1360.548927] netlink_unicast+0x367/0x4f0\n[ 1360.548935] netlink_sendmsg+0x34b/0x610\n[ 1360.548944] ____sys_sendmsg+0x4d4/0x510\n[ 1360.548953] ___sys_sendmsg+0xc9/0x120\n[ 1360.548961] __sys_sendmsg+0xbe/0x140\n[ 1360.548971] do_syscall_64+0x55/0x120\n[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n[ 1360.548994] Freed by task 192222:\n[ 1360.548999] kasan_save_stack+0x20/0x40\n[ 1360.549009] kasan_save_track+0x14/0x30\n[ 1360.549019] kasan_save_free_info+0x3b/0x60\n[ 1360.549028] poison_slab_object+0x100/0x180\n[ 1360.549036] __kasan_slab_free+0x14/0x30\n[ 1360.549042] kfree+0xb6/0x260\n[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables]\n[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables]\n[ 1360.549221] ops_exit_list+0x50/0xa0\n[ 1360.549229] free_exit_list+0x101/0x140\n[ 1360.549236] unregister_pernet_operations+0x107/0x160\n[ 1360.549245] unregister_pernet_subsys+0x1c/0x30\n[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables]\n[ 1360.549345] __do_sys_delete_module+0x253/0x370\n[ 1360.549352] do_syscall_64+0x55/0x120\n[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n(gdb) list *__nft_release_table+0x473\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\n11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\n11350 list_del(&flowtable->list);\n11351 nft_use_dec(&table->use);\n11352 nf_tables_flowtable_destroy(flowtable);\n11353 }\n11354 list_for_each_entry_safe(set, ns, &table->sets, list) {\n11355 list_del(&set->list);\n11356 nft_use_dec(&table->use);\n11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\n11358 nft_map_deactivat\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24cea9677025e0de419989ecb692acd4bb34cac2\",\n \"https://git.kernel.org/stable/c/333b5085522cf1898d5a0d92616046b414f631a7\",\n \"https://git.kernel.org/stable/c/46c4481938e2ca62343b16ea83ab28f4c1733d31\",\n \"https://git.kernel.org/stable/c/4e8447a9a3d367b5065a0b7abe101da6e0037b6e\",\n \"https://git.kernel.org/stable/c/d2c9eb19fc3b11caebafde4c30a76a49203d18a6\",\n \"https://git.kernel.org/stable/c/f4e14695fe805eb0f0cb36e0ad6a560b9f985e86\",\n \"https://git.kernel.org/stable/c/f7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: flush pending destroy work before exit_net release\\n\\nSimilar to 2c9f0293280e (\\\"netfilter: nf_tables: flush pending destroy\\nwork before netlink notifier\\\") to address a race between exit_net and\\nthe destroy workqueue.\\n\\nThe trace below shows an element to be released via destroy workqueue\\nwhile exit_net path (triggered via module removal) has already released\\nthe set that is used in such transaction.\\n\\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\\n[ 1360.547984] Call Trace:\\n[ 1360.547991] \\n[ 1360.547998] dump_stack_lvl+0x53/0x70\\n[ 1360.548014] print_report+0xc4/0x610\\n[ 1360.548026] ? __virt_addr_valid+0xba/0x160\\n[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\\n[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\\n[ 1360.548176] kasan_report+0xae/0xe0\\n[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\\n[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\\n[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\\n[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30\\n[ 1360.548591] process_one_work+0x2f1/0x670\\n[ 1360.548610] worker_thread+0x4d3/0x760\\n[ 1360.548627] ? __pfx_worker_thread+0x10/0x10\\n[ 1360.548640] kthread+0x16b/0x1b0\\n[ 1360.548653] ? __pfx_kthread+0x10/0x10\\n[ 1360.548665] ret_from_fork+0x2f/0x50\\n[ 1360.548679] ? __pfx_kthread+0x10/0x10\\n[ 1360.548690] ret_from_fork_asm+0x1a/0x30\\n[ 1360.548707] \\n\\n[ 1360.548719] Allocated by task 192061:\\n[ 1360.548726] kasan_save_stack+0x20/0x40\\n[ 1360.548739] kasan_save_track+0x14/0x30\\n[ 1360.548750] __kasan_kmalloc+0x8f/0xa0\\n[ 1360.548760] __kmalloc_node+0x1f1/0x450\\n[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables]\\n[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\\n[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\\n[ 1360.548927] netlink_unicast+0x367/0x4f0\\n[ 1360.548935] netlink_sendmsg+0x34b/0x610\\n[ 1360.548944] ____sys_sendmsg+0x4d4/0x510\\n[ 1360.548953] ___sys_sendmsg+0xc9/0x120\\n[ 1360.548961] __sys_sendmsg+0xbe/0x140\\n[ 1360.548971] do_syscall_64+0x55/0x120\\n[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d\\n\\n[ 1360.548994] Freed by task 192222:\\n[ 1360.548999] kasan_save_stack+0x20/0x40\\n[ 1360.549009] kasan_save_track+0x14/0x30\\n[ 1360.549019] kasan_save_free_info+0x3b/0x60\\n[ 1360.549028] poison_slab_object+0x100/0x180\\n[ 1360.549036] __kasan_slab_free+0x14/0x30\\n[ 1360.549042] kfree+0xb6/0x260\\n[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables]\\n[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables]\\n[ 1360.549221] ops_exit_list+0x50/0xa0\\n[ 1360.549229] free_exit_list+0x101/0x140\\n[ 1360.549236] unregister_pernet_operations+0x107/0x160\\n[ 1360.549245] unregister_pernet_subsys+0x1c/0x30\\n[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables]\\n[ 1360.549345] __do_sys_delete_module+0x253/0x370\\n[ 1360.549352] do_syscall_64+0x55/0x120\\n[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d\\n\\n(gdb) list *__nft_release_table+0x473\\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\\n11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\\n11350 list_del(&flowtable->list);\\n11351 nft_use_dec(&table->use);\\n11352 nf_tables_flowtable_destroy(flowtable);\\n11353 }\\n11354 list_for_each_entry_safe(set, ns, &table->sets, list) {\\n11355 list_del(&set->list);\\n11356 nft_use_dec(&table->use);\\n11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\\n11358 nft_map_deactivat\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.1,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35900" + }, + { + "url": "https://git.kernel.org/stable/c/41bad13c0e8a5a2b47a7472cced922555372daab" + }, + { + "url": "https://git.kernel.org/stable/c/420132bee3d0136b7fba253a597b098fe15493a7" + }, + { + "url": "https://git.kernel.org/stable/c/6d12f21f8bbe23fde25b77c2bf5973c136b8bef8" + }, + { + "url": "https://git.kernel.org/stable/c/745cf6a843896cdac8766c74379300ed73c78830" + }, + { + "url": "https://git.kernel.org/stable/c/7b6fba6918714afee3e17796113ccab636255c7b" + }, + { + "url": "https://git.kernel.org/stable/c/8ba81dca416adf82fc5a2a23abc1a8cc02ad32fb" + }, + { + "url": "https://git.kernel.org/stable/c/994209ddf4f430946f6247616b2e33d179243769" + }, + { + "url": "https://git.kernel.org/stable/c/e95bb4cba94c018be24b11f017d1c55dd6cda31a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject new basechain after table flag update\n\nWhen dormant flag is toggled, hooks are disabled in the commit phase by\niterating over current chains in table (existing and new).\n\nThe following configuration allows for an inconsistent state:\n\n add table x\n add chain x y { type filter hook input priority 0; }\n add table x { flags dormant; }\n add chain x w { type filter hook input priority 1; }\n\nwhich triggers the following warning when trying to unregister chain w\nwhich is already unregistered.\n\n[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[ 127.322519] Call Trace:\n[ 127.322521] \n[ 127.322524] ? __warn+0x9f/0x1a0\n[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322537] ? report_bug+0x1b1/0x1e0\n[ 127.322545] ? handle_bug+0x3c/0x70\n[ 127.322552] ? exc_invalid_op+0x17/0x40\n[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20\n[ 127.322563] ? kasan_save_free_info+0x3b/0x60\n[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]\n[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]\n[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/41bad13c0e8a5a2b47a7472cced922555372daab\",\n \"https://git.kernel.org/stable/c/420132bee3d0136b7fba253a597b098fe15493a7\",\n \"https://git.kernel.org/stable/c/6d12f21f8bbe23fde25b77c2bf5973c136b8bef8\",\n \"https://git.kernel.org/stable/c/745cf6a843896cdac8766c74379300ed73c78830\",\n \"https://git.kernel.org/stable/c/7b6fba6918714afee3e17796113ccab636255c7b\",\n \"https://git.kernel.org/stable/c/8ba81dca416adf82fc5a2a23abc1a8cc02ad32fb\",\n \"https://git.kernel.org/stable/c/994209ddf4f430946f6247616b2e33d179243769\",\n \"https://git.kernel.org/stable/c/e95bb4cba94c018be24b11f017d1c55dd6cda31a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: reject new basechain after table flag update\\n\\nWhen dormant flag is toggled, hooks are disabled in the commit phase by\\niterating over current chains in table (existing and new).\\n\\nThe following configuration allows for an inconsistent state:\\n\\n add table x\\n add chain x y { type filter hook input priority 0; }\\n add table x { flags dormant; }\\n add chain x w { type filter hook input priority 1; }\\n\\nwhich triggers the following warning when trying to unregister chain w\\nwhich is already unregistered.\\n\\n[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260\\n[...]\\n[ 127.322519] Call Trace:\\n[ 127.322521] \\n[ 127.322524] ? __warn+0x9f/0x1a0\\n[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260\\n[ 127.322537] ? report_bug+0x1b1/0x1e0\\n[ 127.322545] ? handle_bug+0x3c/0x70\\n[ 127.322552] ? exc_invalid_op+0x17/0x40\\n[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20\\n[ 127.322563] ? kasan_save_free_info+0x3b/0x60\\n[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260\\n[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260\\n[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260\\n[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]\\n[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]\\n[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35902", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35902" + }, + { + "url": "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b" + }, + { + "url": "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a" + }, + { + "url": "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d" + }, + { + "url": "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9" + }, + { + "url": "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196" + }, + { + "url": "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14" + }, + { + "url": "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c" + }, + { + "url": "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35902 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35902", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp->cp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n - rds_get_mr()\n - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n where trans_private is assigned as per the previous point in this analysis.\n\n The only implementation of get_mr that I could locate is rds_ib_get_mr()\n which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n this patch does seem to address a possible bug", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35902\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35902\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35902\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35902\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35902\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b\",\n \"https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a\",\n \"https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d\",\n \"https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9\",\n \"https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196\",\n \"https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14\",\n \"https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c\",\n \"https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/rds: fix possible cp null dereference\\n\\ncp might be null, calling cp->cp_conn would produce null dereference\\n\\n[Simon Horman adds:]\\n\\nAnalysis:\\n\\n* cp is a parameter of __rds_rdma_map and is not reassigned.\\n\\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\\n\\n - rds_get_mr()\\n - rds_get_mr_for_dest\\n\\n* Prior to the code above, the following assumes that cp may be NULL\\n (which is indicative, but could itself be unnecessary)\\n\\n\\ttrans_private = rs->rs_transport->get_mr(\\n\\t\\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\\n\\t\\targs->vec.addr, args->vec.bytes,\\n\\t\\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\\n\\n* The code modified by this patch is guarded by IS_ERR(trans_private),\\n where trans_private is assigned as per the previous point in this analysis.\\n\\n The only implementation of get_mr that I could locate is rds_ib_get_mr()\\n which can return an ERR_PTR if the conn (4th) argument is NULL.\\n\\n* ret is set to PTR_ERR(trans_private).\\n rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\\n Thus ret may be -ENODEV in which case the code in question will execute.\\n\\nConclusion:\\n* cp may be NULL at the point where this patch adds a check;\\n this patch does seem to address a possible bug\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35902\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35904", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35904" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/37801a36b4d68892ce807264f784d818f8d0d39b" + }, + { + "url": "https://git.kernel.org/stable/c/477ed6789eb9f3f4d3568bb977f90c863c12724e" + }, + { + "url": "https://git.kernel.org/stable/c/68784a5d01b8868ff85a7926676b6729715fff3c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35904 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35904", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: avoid dereference of garbage after mount failure\n\nIn case kern_mount() fails and returns an error pointer return in the\nerror branch instead of continuing and dereferencing the error pointer.\n\nWhile on it drop the never read static variable selinuxfs_mount.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35904\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35904\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35904\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35904\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35904\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/37801a36b4d68892ce807264f784d818f8d0d39b\",\n \"https://git.kernel.org/stable/c/477ed6789eb9f3f4d3568bb977f90c863c12724e\",\n \"https://git.kernel.org/stable/c/68784a5d01b8868ff85a7926676b6729715fff3c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nselinux: avoid dereference of garbage after mount failure\\n\\nIn case kern_mount() fails and returns an error pointer return in the\\nerror branch instead of continuing and dereferencing the error pointer.\\n\\nWhile on it drop the never read static variable selinuxfs_mount.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35904\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35905" + }, + { + "url": "https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103" + }, + { + "url": "https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69" + }, + { + "url": "https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69" + }, + { + "url": "https://git.kernel.org/stable/c/98cdac206b112bec63852e94802791e316acc2c1" + }, + { + "url": "https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d" + }, + { + "url": "https://git.kernel.org/stable/c/ecc6a2101840177e57c925c102d2d29f260d37c8" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35905", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Protect against int overflow for stack access size\n\nThis patch re-introduces protection against the size of access to stack\nmemory being negative; the access size can appear negative as a result\nof overflowing its signed int representation. This should not actually\nhappen, as there are other protections along the way, but we should\nprotect against it anyway. One code path was missing such protections\n(fixed in the previous patch in the series), causing out-of-bounds array\naccesses in check_stack_range_initialized(). This patch causes the\nverification of a program with such a non-sensical access size to fail.\n\nThis check used to exist in a more indirect way, but was inadvertendly\nremoved in a833a17aeac7.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103\",\n \"https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69\",\n \"https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69\",\n \"https://git.kernel.org/stable/c/98cdac206b112bec63852e94802791e316acc2c1\",\n \"https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d\",\n \"https://git.kernel.org/stable/c/ecc6a2101840177e57c925c102d2d29f260d37c8\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Protect against int overflow for stack access size\\n\\nThis patch re-introduces protection against the size of access to stack\\nmemory being negative; the access size can appear negative as a result\\nof overflowing its signed int representation. This should not actually\\nhappen, as there are other protections along the way, but we should\\nprotect against it anyway. One code path was missing such protections\\n(fixed in the previous patch in the series), causing out-of-bounds array\\naccesses in check_stack_range_initialized(). This patch causes the\\nverification of a program with such a non-sensical access size to fail.\\n\\nThis check used to exist in a more indirect way, but was inadvertendly\\nremoved in a833a17aeac7.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35907", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35907" + }, + { + "url": "https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab" + }, + { + "url": "https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e" + }, + { + "url": "https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52" + }, + { + "url": "https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3" + }, + { + "url": "https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35907 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35907", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: call request_irq() after NAPI initialized\n\nThe mlxbf_gige driver encounters a NULL pointer exception in\nmlxbf_gige_open() when kdump is enabled. The sequence to reproduce\nthe exception is as follows:\na) enable kdump\nb) trigger kdump via \"echo c > /proc/sysrq-trigger\"\nc) kdump kernel executes\nd) kdump kernel loads mlxbf_gige module\ne) the mlxbf_gige module runs its open() as the\n the \"oob_net0\" interface is brought up\nf) mlxbf_gige module will experience an exception\n during its open(), something like:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000086000004\n EC = 0x21: IABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\n [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000086000004 [#1] SMP\n CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : 0x0\n lr : __napi_poll+0x40/0x230\n sp : ffff800008003e00\n x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\n x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\n x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\n x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\n x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\n x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\n x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\n x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\n x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\n Call trace:\n 0x0\n net_rx_action+0x178/0x360\n __do_softirq+0x15c/0x428\n __irq_exit_rcu+0xac/0xec\n irq_exit+0x18/0x2c\n handle_domain_irq+0x6c/0xa0\n gic_handle_irq+0xec/0x1b0\n call_on_irq_stack+0x20/0x2c\n do_interrupt_handler+0x5c/0x70\n el1_interrupt+0x30/0x50\n el1h_64_irq_handler+0x18/0x2c\n el1h_64_irq+0x7c/0x80\n __setup_irq+0x4c0/0x950\n request_threaded_irq+0xf4/0x1bc\n mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\n mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\n __dev_open+0x100/0x220\n __dev_change_flags+0x16c/0x1f0\n dev_change_flags+0x2c/0x70\n do_setlink+0x220/0xa40\n __rtnl_newlink+0x56c/0x8a0\n rtnl_newlink+0x58/0x84\n rtnetlink_rcv_msg+0x138/0x3c4\n netlink_rcv_skb+0x64/0x130\n rtnetlink_rcv+0x20/0x30\n netlink_unicast+0x2ec/0x360\n netlink_sendmsg+0x278/0x490\n __sock_sendmsg+0x5c/0x6c\n ____sys_sendmsg+0x290/0x2d4\n ___sys_sendmsg+0x84/0xd0\n __sys_sendmsg+0x70/0xd0\n __arm64_sys_sendmsg+0x2c/0x40\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x54/0x184\n do_el0_svc+0x30/0xac\n el0_svc+0x48/0x160\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n Code: bad PC value\n ---[ end trace 7d1c3f3bf9d81885 ]---\n Kernel panic - not syncing: Oops: Fatal exception in interrupt\n Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\n PHYS_OFFSET: 0x80000000\n CPU features: 0x0,000005c1,a3332a5a\n Memory Limit: none\n ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThe exception happens because there is a pending RX interrupt before the\ncall to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires\nimmediately after this request_irq() completes. The\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35907\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35907\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35907\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35907\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35907\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab\",\n \"https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e\",\n \"https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52\",\n \"https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3\",\n \"https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxbf_gige: call request_irq() after NAPI initialized\\n\\nThe mlxbf_gige driver encounters a NULL pointer exception in\\nmlxbf_gige_open() when kdump is enabled. The sequence to reproduce\\nthe exception is as follows:\\na) enable kdump\\nb) trigger kdump via \\\"echo c > /proc/sysrq-trigger\\\"\\nc) kdump kernel executes\\nd) kdump kernel loads mlxbf_gige module\\ne) the mlxbf_gige module runs its open() as the\\n the \\\"oob_net0\\\" interface is brought up\\nf) mlxbf_gige module will experience an exception\\n during its open(), something like:\\n\\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\\n Mem abort info:\\n ESR = 0x0000000086000004\\n EC = 0x21: IABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x04: level 0 translation fault\\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\\n [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\\n Internal error: Oops: 0000000086000004 [#1] SMP\\n CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu\\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : 0x0\\n lr : __napi_poll+0x40/0x230\\n sp : ffff800008003e00\\n x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\\n x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\\n x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\\n x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\\n x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\\n x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\\n x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\\n x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\\n x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\\n Call trace:\\n 0x0\\n net_rx_action+0x178/0x360\\n __do_softirq+0x15c/0x428\\n __irq_exit_rcu+0xac/0xec\\n irq_exit+0x18/0x2c\\n handle_domain_irq+0x6c/0xa0\\n gic_handle_irq+0xec/0x1b0\\n call_on_irq_stack+0x20/0x2c\\n do_interrupt_handler+0x5c/0x70\\n el1_interrupt+0x30/0x50\\n el1h_64_irq_handler+0x18/0x2c\\n el1h_64_irq+0x7c/0x80\\n __setup_irq+0x4c0/0x950\\n request_threaded_irq+0xf4/0x1bc\\n mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\\n mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\\n __dev_open+0x100/0x220\\n __dev_change_flags+0x16c/0x1f0\\n dev_change_flags+0x2c/0x70\\n do_setlink+0x220/0xa40\\n __rtnl_newlink+0x56c/0x8a0\\n rtnl_newlink+0x58/0x84\\n rtnetlink_rcv_msg+0x138/0x3c4\\n netlink_rcv_skb+0x64/0x130\\n rtnetlink_rcv+0x20/0x30\\n netlink_unicast+0x2ec/0x360\\n netlink_sendmsg+0x278/0x490\\n __sock_sendmsg+0x5c/0x6c\\n ____sys_sendmsg+0x290/0x2d4\\n ___sys_sendmsg+0x84/0xd0\\n __sys_sendmsg+0x70/0xd0\\n __arm64_sys_sendmsg+0x2c/0x40\\n invoke_syscall+0x78/0x100\\n el0_svc_common.constprop.0+0x54/0x184\\n do_el0_svc+0x30/0xac\\n el0_svc+0x48/0x160\\n el0t_64_sync_handler+0xa4/0x12c\\n el0t_64_sync+0x1a4/0x1a8\\n Code: bad PC value\\n ---[ end trace 7d1c3f3bf9d81885 ]---\\n Kernel panic - not syncing: Oops: Fatal exception in interrupt\\n Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\\n PHYS_OFFSET: 0x80000000\\n CPU features: 0x0,000005c1,a3332a5a\\n Memory Limit: none\\n ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\\n\\nThe exception happens because there is a pending RX interrupt before the\\ncall to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires\\nimmediately after this request_irq() completes. The\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35907\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35908", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35908" + }, + { + "url": "https://git.kernel.org/stable/c/30fabe50a7ace3e9d57cf7f9288f33ea408491c8" + }, + { + "url": "https://git.kernel.org/stable/c/417e91e856099e9b8a42a2520e2255e6afe024be" + }, + { + "url": "https://git.kernel.org/stable/c/b565d294e3d5aa809566a4d819835da11997d8b3" + }, + { + "url": "https://git.kernel.org/stable/c/f1b7f14130d782433bc98c1e1e41ce6b4d4c3096" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35908 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35908", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: get psock ref after taking rxlock to avoid leak\n\nAt the start of tls_sw_recvmsg, we take a reference on the psock, and\nthen call tls_rx_reader_lock. If that fails, we return directly\nwithout releasing the reference.\n\nInstead of adding a new label, just take the reference after locking\nhas succeeded, since we don't need it before.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35908\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35908\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35908\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35908\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35908\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/30fabe50a7ace3e9d57cf7f9288f33ea408491c8\",\n \"https://git.kernel.org/stable/c/417e91e856099e9b8a42a2520e2255e6afe024be\",\n \"https://git.kernel.org/stable/c/b565d294e3d5aa809566a4d819835da11997d8b3\",\n \"https://git.kernel.org/stable/c/f1b7f14130d782433bc98c1e1e41ce6b4d4c3096\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntls: get psock ref after taking rxlock to avoid leak\\n\\nAt the start of tls_sw_recvmsg, we take a reference on the psock, and\\nthen call tls_rx_reader_lock. If that fails, we return directly\\nwithout releasing the reference.\\n\\nInstead of adding a new label, just take the reference after locking\\nhas succeeded, since we don't need it before.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35908\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35910", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35910" + }, + { + "url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada" + }, + { + "url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4" + }, + { + "url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f" + }, + { + "url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a" + }, + { + "url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de" + }, + { + "url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50" + }, + { + "url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87" + }, + { + "url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35910 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35910", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35910\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35910\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35910\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35910\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35910\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada\",\n \"https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4\",\n \"https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f\",\n \"https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a\",\n \"https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de\",\n \"https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50\",\n \"https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87\",\n \"https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: properly terminate timers for kernel sockets\\n\\nWe had various syzbot reports about tcp timers firing after\\nthe corresponding netns has been dismantled.\\n\\nFortunately Josef Bacik could trigger the issue more often,\\nand could test a patch I wrote two years ago.\\n\\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\\nto 'stop' the timers.\\n\\ninet_csk_clear_xmit_timers() can be called from any context,\\nincluding when socket lock is held.\\nThis is the reason it uses sk_stop_timer(), aka del_timer().\\nThis means that ongoing timers might finish much later.\\n\\nFor user sockets, this is fine because each running timer\\nholds a reference on the socket, and the user socket holds\\na reference on the netns.\\n\\nFor kernel sockets, we risk that the netns is freed before\\ntimer can complete, because kernel sockets do not hold\\nreference on the netns.\\n\\nThis patch adds inet_csk_clear_xmit_timers_sync() function\\nthat using sk_stop_timer_sync() to make sure all timers\\nare terminated before the kernel socket is released.\\nModules using kernel sockets close them in their netns exit()\\nhandler.\\n\\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\\nwhile socket lock is held.\\n\\nIt is very possible we can revert in the future commit\\n3a58f13a881e (\\\"net: rds: acquire refcount on TCP sockets\\\")\\nwhich attempted to solve the issue in rds only.\\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\\n\\nWe probably can remove the check_net() tests from\\ntcp_out_of_resources() and __tcp_close() in the future.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35910\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35912", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35912" + }, + { + "url": "https://git.kernel.org/stable/c/06a093807eb7b5c5b29b6cff49f8174a4e702341" + }, + { + "url": "https://git.kernel.org/stable/c/28db0ae86cb91a4ab0e855cff779daead936b7d5" + }, + { + "url": "https://git.kernel.org/stable/c/99a75d75007421d8e08ba139e24f77395cd08f62" + }, + { + "url": "https://git.kernel.org/stable/c/c0a40f2f8eba07416f695ffe2011bf3f8b0b6dc8" + }, + { + "url": "https://git.kernel.org/stable/c/f7f0e784894dfcb265f0f9fa499103b0ca7eabde" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35912 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35912", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: rfi: fix potential response leaks\n\nIf the rx payload length check fails, or if kmemdup() fails,\nwe still need to free the command response. Fix that.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35912\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35912\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35912\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35912\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35912\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06a093807eb7b5c5b29b6cff49f8174a4e702341\",\n \"https://git.kernel.org/stable/c/28db0ae86cb91a4ab0e855cff779daead936b7d5\",\n \"https://git.kernel.org/stable/c/99a75d75007421d8e08ba139e24f77395cd08f62\",\n \"https://git.kernel.org/stable/c/c0a40f2f8eba07416f695ffe2011bf3f8b0b6dc8\",\n \"https://git.kernel.org/stable/c/f7f0e784894dfcb265f0f9fa499103b0ca7eabde\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: rfi: fix potential response leaks\\n\\nIf the rx payload length check fails, or if kmemdup() fails,\\nwe still need to free the command response. Fix that.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35912\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35915", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35915" + }, + { + "url": "https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff" + }, + { + "url": "https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240" + }, + { + "url": "https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c" + }, + { + "url": "https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a" + }, + { + "url": "https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a" + }, + { + "url": "https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16" + }, + { + "url": "https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7" + }, + { + "url": "https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35915 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35915", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\n\nsyzbot reported the following uninit-value access issue [1][2]:\n\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\n\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35915\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35915\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35915\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35915\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35915\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff\",\n \"https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240\",\n \"https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c\",\n \"https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a\",\n \"https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a\",\n \"https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16\",\n \"https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7\",\n \"https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\\n\\nsyzbot reported the following uninit-value access issue [1][2]:\\n\\nnci_rx_work() parses and processes received packet. When the payload\\nlength is zero, each message type handler reads uninitialized payload\\nand KMSAN detects this issue. The receipt of a packet with a zero-size\\npayload is considered unexpected, and therefore, such packets should be\\nsilently discarded.\\n\\nThis patch resolved this issue by checking payload size before calling\\neach message type handler codes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35915\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35918", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35918" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35918 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35918", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35918\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35918\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35918\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35918\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35918\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35918\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35920", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35920" + }, + { + "url": "https://git.kernel.org/stable/c/0a2dc707aa42214f9c4827bd57e344e29a0841d6" + }, + { + "url": "https://git.kernel.org/stable/c/23aaf824121055ba81b55f75444355bd83c8eb38" + }, + { + "url": "https://git.kernel.org/stable/c/6467cda18c9f9b5f2f9a0aa1e2861c653e41f382" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35920 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35920", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: adding lock to protect decoder context list\n\nAdd a lock for the ctx_list, to avoid accessing a NULL pointer\nwithin the 'vpu_dec_ipi_handler' function when the ctx_list has\nbeen deleted due to an unexpected behavior on the SCP IP block.\n\nHardware name: Google juniper sku16 board (DT)\npstate: 20400005 (nzCv daif +PAN -UAO -TCO BTYPE=--)\npc : vpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec]\nlr : scp_ipi_handler+0xd0/0x194 [mtk_scp]\nsp : ffffffc0131dbbd0\nx29: ffffffc0131dbbd0 x28: 0000000000000000\nx27: ffffff9bb277f348 x26: ffffff9bb242ad00\nx25: ffffffd2d440d3b8 x24: ffffffd2a13ff1d4\nx23: ffffff9bb7fe85a0 x22: ffffffc0133fbdb0\nx21: 0000000000000010 x20: ffffff9b050ea328\nx19: ffffffc0131dbc08 x18: 0000000000001000\nx17: 0000000000000000 x16: ffffffd2d461c6e0\nx15: 0000000000000242 x14: 000000000000018f\nx13: 000000000000004d x12: 0000000000000000\nx11: 0000000000000001 x10: fffffffffffffff0\nx9 : ffffff9bb6e793a8 x8 : 0000000000000000\nx7 : 0000000000000000 x6 : 000000000000003f\nx5 : 0000000000000040 x4 : fffffffffffffff0\nx3 : 0000000000000020 x2 : ffffff9bb6e79080\nx1 : 0000000000000010 x0 : ffffffc0131dbc08\nCall trace:\nvpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec (HASH:6c3f 2)]\nscp_ipi_handler+0xd0/0x194 [mtk_scp (HASH:7046 3)]\nmt8183_scp_irq_handler+0x44/0x88 [mtk_scp (HASH:7046 3)]\nscp_irq_handler+0x48/0x90 [mtk_scp (HASH:7046 3)]\nirq_thread_fn+0x38/0x94\nirq_thread+0x100/0x1c0\nkthread+0x140/0x1fc\nret_from_fork+0x10/0x30\nCode: 54000088 f94ca50a eb14015f 54000060 (f9400108)\n---[ end trace ace43ce36cbd5c93 ]---\nKernel panic - not syncing: Oops: Fatal exception\nSMP: stopping secondary CPUs\nKernel Offset: 0x12c4000000 from 0xffffffc010000000\nPHYS_OFFSET: 0xffffffe580000000\nCPU features: 0x08240002,2188200c\nMemory Limit: none", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35920\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35920\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35920\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35920\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35920\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a2dc707aa42214f9c4827bd57e344e29a0841d6\",\n \"https://git.kernel.org/stable/c/23aaf824121055ba81b55f75444355bd83c8eb38\",\n \"https://git.kernel.org/stable/c/6467cda18c9f9b5f2f9a0aa1e2861c653e41f382\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: mediatek: vcodec: adding lock to protect decoder context list\\n\\nAdd a lock for the ctx_list, to avoid accessing a NULL pointer\\nwithin the 'vpu_dec_ipi_handler' function when the ctx_list has\\nbeen deleted due to an unexpected behavior on the SCP IP block.\\n\\nHardware name: Google juniper sku16 board (DT)\\npstate: 20400005 (nzCv daif +PAN -UAO -TCO BTYPE=--)\\npc : vpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec]\\nlr : scp_ipi_handler+0xd0/0x194 [mtk_scp]\\nsp : ffffffc0131dbbd0\\nx29: ffffffc0131dbbd0 x28: 0000000000000000\\nx27: ffffff9bb277f348 x26: ffffff9bb242ad00\\nx25: ffffffd2d440d3b8 x24: ffffffd2a13ff1d4\\nx23: ffffff9bb7fe85a0 x22: ffffffc0133fbdb0\\nx21: 0000000000000010 x20: ffffff9b050ea328\\nx19: ffffffc0131dbc08 x18: 0000000000001000\\nx17: 0000000000000000 x16: ffffffd2d461c6e0\\nx15: 0000000000000242 x14: 000000000000018f\\nx13: 000000000000004d x12: 0000000000000000\\nx11: 0000000000000001 x10: fffffffffffffff0\\nx9 : ffffff9bb6e793a8 x8 : 0000000000000000\\nx7 : 0000000000000000 x6 : 000000000000003f\\nx5 : 0000000000000040 x4 : fffffffffffffff0\\nx3 : 0000000000000020 x2 : ffffff9bb6e79080\\nx1 : 0000000000000010 x0 : ffffffc0131dbc08\\nCall trace:\\nvpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec (HASH:6c3f 2)]\\nscp_ipi_handler+0xd0/0x194 [mtk_scp (HASH:7046 3)]\\nmt8183_scp_irq_handler+0x44/0x88 [mtk_scp (HASH:7046 3)]\\nscp_irq_handler+0x48/0x90 [mtk_scp (HASH:7046 3)]\\nirq_thread_fn+0x38/0x94\\nirq_thread+0x100/0x1c0\\nkthread+0x140/0x1fc\\nret_from_fork+0x10/0x30\\nCode: 54000088 f94ca50a eb14015f 54000060 (f9400108)\\n---[ end trace ace43ce36cbd5c93 ]---\\nKernel panic - not syncing: Oops: Fatal exception\\nSMP: stopping secondary CPUs\\nKernel Offset: 0x12c4000000 from 0xffffffc010000000\\nPHYS_OFFSET: 0xffffffe580000000\\nCPU features: 0x08240002,2188200c\\nMemory Limit: none\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35920\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35922", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35922" + }, + { + "url": "https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4" + }, + { + "url": "https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f" + }, + { + "url": "https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33" + }, + { + "url": "https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029" + }, + { + "url": "https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971" + }, + { + "url": "https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270" + }, + { + "url": "https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0" + }, + { + "url": "https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd9bd4126" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35922 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35922", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbmon: prevent division by zero in fb_videomode_from_videomode()\n\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35922\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35922\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35922\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35922\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35922\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4\",\n \"https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f\",\n \"https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33\",\n \"https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029\",\n \"https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971\",\n \"https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270\",\n \"https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0\",\n \"https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd9bd4126\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfbmon: prevent division by zero in fb_videomode_from_videomode()\\n\\nThe expression htotal * vtotal can have a zero value on\\noverflow. It is necessary to prevent division by zero like in\\nfb_var_to_videomode().\\n\\nFound by Linux Verification Center (linuxtesting.org) with Svace.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35922\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35924", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35924" + }, + { + "url": "https://git.kernel.org/stable/c/0defcaa09d3b21e8387829ee3a652c43fa91e13f" + }, + { + "url": "https://git.kernel.org/stable/c/266f403ec47573046dee4bcebda82777ce702c40" + }, + { + "url": "https://git.kernel.org/stable/c/b3db266fb031fba88c423d4bb8983a73a3db6527" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35924 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35924", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Limit read size on v1.2\n\nBetween UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was\nincreased from 16 to 256. In order to avoid overflowing reads for older\nsystems, add a mechanism to use the read UCSI version to truncate read\nsizes on UCSI v1.2.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35924\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35924\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35924\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35924\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35924\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0defcaa09d3b21e8387829ee3a652c43fa91e13f\",\n \"https://git.kernel.org/stable/c/266f403ec47573046dee4bcebda82777ce702c40\",\n \"https://git.kernel.org/stable/c/b3db266fb031fba88c423d4bb8983a73a3db6527\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: typec: ucsi: Limit read size on v1.2\\n\\nBetween UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was\\nincreased from 16 to 256. In order to avoid overflowing reads for older\\nsystems, add a mechanism to use the read UCSI version to truncate read\\nsizes on UCSI v1.2.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35924\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35925", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35925" + }, + { + "url": "https://git.kernel.org/stable/c/21e7d72d0cfcbae6042d498ea2e6f395311767f8" + }, + { + "url": "https://git.kernel.org/stable/c/512a01da7134bac8f8b373506011e8aaa3283854" + }, + { + "url": "https://git.kernel.org/stable/c/5f7fd6aa4c4877d77133ea86c14cf256f390b2fe" + }, + { + "url": "https://git.kernel.org/stable/c/6a55dab4ac956deb23690eedd74e70b892a378e7" + }, + { + "url": "https://git.kernel.org/stable/c/93f52fbeaf4b676b21acfe42a5152620e6770d02" + }, + { + "url": "https://git.kernel.org/stable/c/98ddf2604ade2d954bf5ec193600d5274a43fd68" + }, + { + "url": "https://git.kernel.org/stable/c/b0cb5564c3e8e0ee0a2d28c86fa7f02e82d64c3c" + }, + { + "url": "https://git.kernel.org/stable/c/edd073c78d2bf48c5b8bf435bbc3d61d6e7c6c14" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35925 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35925", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: prevent division by zero in blk_rq_stat_sum()\n\nThe expression dst->nr_samples + src->nr_samples may\nhave zero value on overflow. It is necessary to add\na check to avoid division by zero.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35925\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35925\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35925\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35925\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35925\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21e7d72d0cfcbae6042d498ea2e6f395311767f8\",\n \"https://git.kernel.org/stable/c/512a01da7134bac8f8b373506011e8aaa3283854\",\n \"https://git.kernel.org/stable/c/5f7fd6aa4c4877d77133ea86c14cf256f390b2fe\",\n \"https://git.kernel.org/stable/c/6a55dab4ac956deb23690eedd74e70b892a378e7\",\n \"https://git.kernel.org/stable/c/93f52fbeaf4b676b21acfe42a5152620e6770d02\",\n \"https://git.kernel.org/stable/c/98ddf2604ade2d954bf5ec193600d5274a43fd68\",\n \"https://git.kernel.org/stable/c/b0cb5564c3e8e0ee0a2d28c86fa7f02e82d64c3c\",\n \"https://git.kernel.org/stable/c/edd073c78d2bf48c5b8bf435bbc3d61d6e7c6c14\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: prevent division by zero in blk_rq_stat_sum()\\n\\nThe expression dst->nr_samples + src->nr_samples may\\nhave zero value on overflow. It is necessary to add\\na check to avoid division by zero.\\n\\nFound by Linux Verification Center (linuxtesting.org) with Svace.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35925\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35926", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35926" + }, + { + "url": "https://git.kernel.org/stable/c/262534ddc88dfea7474ed18adfecf856e4fbe054" + }, + { + "url": "https://git.kernel.org/stable/c/d994f7d77aaded05dc05af58a2720fd4f4b72a83" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35926 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35926", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix async_disable descriptor leak\n\nThe disable_async paths of iaa_compress/decompress() don't free idxd\ndescriptors in the async_disable case. Currently this only happens in\nthe testcases where req->dst is set to null. Add a test to free them\nin those paths.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35926\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35926\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35926\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35926\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35926\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/262534ddc88dfea7474ed18adfecf856e4fbe054\",\n \"https://git.kernel.org/stable/c/d994f7d77aaded05dc05af58a2720fd4f4b72a83\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: iaa - Fix async_disable descriptor leak\\n\\nThe disable_async paths of iaa_compress/decompress() don't free idxd\\ndescriptors in the async_disable case. Currently this only happens in\\nthe testcases where req->dst is set to null. Add a test to free them\\nin those paths.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35926\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35927", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35927" + }, + { + "url": "https://git.kernel.org/stable/c/18451798f4a4e7418b9fad7e7dd313fe84b1f545" + }, + { + "url": "https://git.kernel.org/stable/c/3d1b47e3a935abd4f258a945db87e7267ff4079c" + }, + { + "url": "https://git.kernel.org/stable/c/4ad8d57d902fbc7c82507cfc1b031f3a07c3de6e" + }, + { + "url": "https://git.kernel.org/stable/c/5abffb66d12bcac84bf7b66389c571b8bb6e82bd" + }, + { + "url": "https://git.kernel.org/stable/c/786c27982a39d79cc753f84229eb5977ac8ef1c1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35927 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35927", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Check output polling initialized before disabling\n\nIn drm_kms_helper_poll_disable() check if output polling\nsupport is initialized before disabling polling. If not flag\nthis as a warning.\nAdditionally in drm_mode_config_helper_suspend() and\ndrm_mode_config_helper_resume() calls, that re the callers of these\nfunctions, avoid invoking them if polling is not initialized.\nFor drivers like hyperv-drm, that do not initialize connector\npolling, if suspend is called without this check, it leads to\nsuspend failure with following stack\n[ 770.719392] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.\n[ 770.720592] printk: Suspending console(s) (use no_console_suspend to debug)\n[ 770.948823] ------------[ cut here ]------------\n[ 770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230\n[ 770.948831] Modules linked in: rfkill nft_counter xt_conntrack xt_owner udf nft_compat crc_itu_t nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink vfat fat mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common kvm_amd ccp mlxfw kvm psample hyperv_drm tls drm_shmem_helper drm_kms_helper irqbypass pcspkr syscopyarea sysfillrect sysimgblt hv_balloon hv_utils joydev drm fuse xfs libcrc32c pci_hyperv pci_hyperv_intf sr_mod sd_mod cdrom t10_pi sg hv_storvsc scsi_transport_fc hv_netvsc serio_raw hyperv_keyboard hid_hyperv crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod\n[ 770.948863] CPU: 1 PID: 17197 Comm: systemd-sleep Not tainted 5.14.0-362.2.1.el9_3.x86_64 #1\n[ 770.948865] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022\n[ 770.948866] RIP: 0010:__flush_work.isra.0+0x212/0x230\n[ 770.948869] Code: 8b 4d 00 4c 8b 45 08 89 ca 48 c1 e9 04 83 e2 08 83 e1 0f 83 ca 02 89 c8 48 0f ba 6d 00 03 e9 25 ff ff ff 0f 0b e9 4e ff ff ff <0f> 0b 45 31 ed e9 44 ff ff ff e8 8f 89 b2 00 66 66 2e 0f 1f 84 00\n[ 770.948870] RSP: 0018:ffffaf4ac213fb10 EFLAGS: 00010246\n[ 770.948871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8c992857\n[ 770.948872] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9aad82b00330\n[ 770.948873] RBP: ffff9aad82b00330 R08: 0000000000000000 R09: ffff9aad87ee3d10\n[ 770.948874] R10: 0000000000000200 R11: 0000000000000000 R12: ffff9aad82b00330\n[ 770.948874] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n[ 770.948875] FS: 00007ff1b2f6bb40(0000) GS:ffff9aaf37d00000(0000) knlGS:0000000000000000\n[ 770.948878] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 770.948878] CR2: 0000555f345cb666 CR3: 00000001462dc005 CR4: 0000000000370ee0\n[ 770.948879] Call Trace:\n[ 770.948880] \n[ 770.948881] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948884] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948886] ? __cancel_work_timer+0x103/0x190\n[ 770.948887] ? __flush_work.isra.0+0x212/0x230\n[ 770.948889] ? __warn+0x81/0x110\n[ 770.948891] ? __flush_work.isra.0+0x212/0x230\n[ 770.948892] ? report_bug+0x10a/0x140\n[ 770.948895] ? handle_bug+0x3c/0x70\n[ 770.948898] ? exc_invalid_op+0x14/0x70\n[ 770.948899] ? asm_exc_invalid_op+0x16/0x20\n[ 770.948903] ? __flush_work.isra.0+0x212/0x230\n[ 770.948905] __cancel_work_timer+0x103/0x190\n[ 770.948907] ? _raw_spin_unlock_irqrestore+0xa/0x30\n[ 770.948910] drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper]\n[ 770.948923] drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper]\n[ 770.948933] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948942] hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm]\n[ 770.948944] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948951] dpm_run_callback+0x4c/0x140\n[ 770.948954] __device_suspend_noir\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35927\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35927\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35927\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35927\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35927\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/18451798f4a4e7418b9fad7e7dd313fe84b1f545\",\n \"https://git.kernel.org/stable/c/3d1b47e3a935abd4f258a945db87e7267ff4079c\",\n \"https://git.kernel.org/stable/c/4ad8d57d902fbc7c82507cfc1b031f3a07c3de6e\",\n \"https://git.kernel.org/stable/c/5abffb66d12bcac84bf7b66389c571b8bb6e82bd\",\n \"https://git.kernel.org/stable/c/786c27982a39d79cc753f84229eb5977ac8ef1c1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm: Check output polling initialized before disabling\\n\\nIn drm_kms_helper_poll_disable() check if output polling\\nsupport is initialized before disabling polling. If not flag\\nthis as a warning.\\nAdditionally in drm_mode_config_helper_suspend() and\\ndrm_mode_config_helper_resume() calls, that re the callers of these\\nfunctions, avoid invoking them if polling is not initialized.\\nFor drivers like hyperv-drm, that do not initialize connector\\npolling, if suspend is called without this check, it leads to\\nsuspend failure with following stack\\n[ 770.719392] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.\\n[ 770.720592] printk: Suspending console(s) (use no_console_suspend to debug)\\n[ 770.948823] ------------[ cut here ]------------\\n[ 770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230\\n[ 770.948831] Modules linked in: rfkill nft_counter xt_conntrack xt_owner udf nft_compat crc_itu_t nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink vfat fat mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common kvm_amd ccp mlxfw kvm psample hyperv_drm tls drm_shmem_helper drm_kms_helper irqbypass pcspkr syscopyarea sysfillrect sysimgblt hv_balloon hv_utils joydev drm fuse xfs libcrc32c pci_hyperv pci_hyperv_intf sr_mod sd_mod cdrom t10_pi sg hv_storvsc scsi_transport_fc hv_netvsc serio_raw hyperv_keyboard hid_hyperv crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod\\n[ 770.948863] CPU: 1 PID: 17197 Comm: systemd-sleep Not tainted 5.14.0-362.2.1.el9_3.x86_64 #1\\n[ 770.948865] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022\\n[ 770.948866] RIP: 0010:__flush_work.isra.0+0x212/0x230\\n[ 770.948869] Code: 8b 4d 00 4c 8b 45 08 89 ca 48 c1 e9 04 83 e2 08 83 e1 0f 83 ca 02 89 c8 48 0f ba 6d 00 03 e9 25 ff ff ff 0f 0b e9 4e ff ff ff <0f> 0b 45 31 ed e9 44 ff ff ff e8 8f 89 b2 00 66 66 2e 0f 1f 84 00\\n[ 770.948870] RSP: 0018:ffffaf4ac213fb10 EFLAGS: 00010246\\n[ 770.948871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8c992857\\n[ 770.948872] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9aad82b00330\\n[ 770.948873] RBP: ffff9aad82b00330 R08: 0000000000000000 R09: ffff9aad87ee3d10\\n[ 770.948874] R10: 0000000000000200 R11: 0000000000000000 R12: ffff9aad82b00330\\n[ 770.948874] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\\n[ 770.948875] FS: 00007ff1b2f6bb40(0000) GS:ffff9aaf37d00000(0000) knlGS:0000000000000000\\n[ 770.948878] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 770.948878] CR2: 0000555f345cb666 CR3: 00000001462dc005 CR4: 0000000000370ee0\\n[ 770.948879] Call Trace:\\n[ 770.948880] \\n[ 770.948881] ? show_trace_log_lvl+0x1c4/0x2df\\n[ 770.948884] ? show_trace_log_lvl+0x1c4/0x2df\\n[ 770.948886] ? __cancel_work_timer+0x103/0x190\\n[ 770.948887] ? __flush_work.isra.0+0x212/0x230\\n[ 770.948889] ? __warn+0x81/0x110\\n[ 770.948891] ? __flush_work.isra.0+0x212/0x230\\n[ 770.948892] ? report_bug+0x10a/0x140\\n[ 770.948895] ? handle_bug+0x3c/0x70\\n[ 770.948898] ? exc_invalid_op+0x14/0x70\\n[ 770.948899] ? asm_exc_invalid_op+0x16/0x20\\n[ 770.948903] ? __flush_work.isra.0+0x212/0x230\\n[ 770.948905] __cancel_work_timer+0x103/0x190\\n[ 770.948907] ? _raw_spin_unlock_irqrestore+0xa/0x30\\n[ 770.948910] drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper]\\n[ 770.948923] drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper]\\n[ 770.948933] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\\n[ 770.948942] hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm]\\n[ 770.948944] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\\n[ 770.948951] dpm_run_callback+0x4c/0x140\\n[ 770.948954] __device_suspend_noir\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35927\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35928", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35928" + }, + { + "url": "https://git.kernel.org/stable/c/14ac934db851642ea8cd1bd4121c788a8899ef69" + }, + { + "url": "https://git.kernel.org/stable/c/aa665c3a2aca2ffe31b9645bda278e96dfc3b55c" + }, + { + "url": "https://git.kernel.org/stable/c/c5f9fe2c1e5023fa096189a8bfba6420aa035587" + }, + { + "url": "https://git.kernel.org/stable/c/eb4f139888f636614dab3bcce97ff61cefc4b3a7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35928 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35928", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()\n\nThis ensures that the memory mapped by ioremap for adev->rmmio, is\nproperly handled in amdgpu_device_init(). If the function exits early\ndue to an error, the memory is unmapped. If the function completes\nsuccessfully, the memory remains mapped.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_device.c:4337 amdgpu_device_init() warn: 'adev->rmmio' from ioremap() not released on lines: 4035,4045,4051,4058,4068,4337", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35928\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35928\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14ac934db851642ea8cd1bd4121c788a8899ef69\",\n \"https://git.kernel.org/stable/c/aa665c3a2aca2ffe31b9645bda278e96dfc3b55c\",\n \"https://git.kernel.org/stable/c/c5f9fe2c1e5023fa096189a8bfba6420aa035587\",\n \"https://git.kernel.org/stable/c/eb4f139888f636614dab3bcce97ff61cefc4b3a7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()\\n\\nThis ensures that the memory mapped by ioremap for adev->rmmio, is\\nproperly handled in amdgpu_device_init(). If the function exits early\\ndue to an error, the memory is unmapped. If the function completes\\nsuccessfully, the memory remains mapped.\\n\\nReported by smatch:\\ndrivers/gpu/drm/amd/amdgpu/amdgpu_device.c:4337 amdgpu_device_init() warn: 'adev->rmmio' from ioremap() not released on lines: 4035,4045,4051,4058,4068,4337\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35928\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35929", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35929" + }, + { + "url": "https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc" + }, + { + "url": "https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a" + }, + { + "url": "https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35929", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()\n\nFor the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and\nCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()\nin the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:\n\n CPU2 CPU11\nkthread\nrcu_nocb_cb_kthread ksys_write\nrcu_do_batch vfs_write\nrcu_torture_timer_cb proc_sys_write\n__kmem_cache_free proc_sys_call_handler\nkmemleak_free drop_caches_sysctl_handler\ndelete_object_full drop_slab\n__delete_object shrink_slab\nput_object lazy_rcu_shrink_scan\ncall_rcu rcu_nocb_flush_bypass\n__call_rcu_commn rcu_nocb_bypass_lock\n raw_spin_trylock(&rdp->nocb_bypass_lock) fail\n atomic_inc(&rdp->nocb_lock_contended);\nrcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu);\n WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) |\n |_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __|\n\nReproduce this bug with \"echo 3 > /proc/sys/vm/drop_caches\".\n\nThis commit therefore uses rcu_nocb_try_flush_bypass() instead of\nrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass\nqueue is being flushed, then rcu_nocb_try_flush_bypass will return\ndirectly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc\",\n \"https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a\",\n \"https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()\\n\\nFor the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and\\nCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()\\nin the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:\\n\\n CPU2 CPU11\\nkthread\\nrcu_nocb_cb_kthread ksys_write\\nrcu_do_batch vfs_write\\nrcu_torture_timer_cb proc_sys_write\\n__kmem_cache_free proc_sys_call_handler\\nkmemleak_free drop_caches_sysctl_handler\\ndelete_object_full drop_slab\\n__delete_object shrink_slab\\nput_object lazy_rcu_shrink_scan\\ncall_rcu rcu_nocb_flush_bypass\\n__call_rcu_commn rcu_nocb_bypass_lock\\n raw_spin_trylock(&rdp->nocb_bypass_lock) fail\\n atomic_inc(&rdp->nocb_lock_contended);\\nrcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu);\\n WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) |\\n |_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __|\\n\\nReproduce this bug with \\\"echo 3 > /proc/sys/vm/drop_caches\\\".\\n\\nThis commit therefore uses rcu_nocb_try_flush_bypass() instead of\\nrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass\\nqueue is being flushed, then rcu_nocb_try_flush_bypass will return\\ndirectly.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35930", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35930" + }, + { + "url": "https://git.kernel.org/stable/c/07a2aa674fca679316b8ac51440adb895b53a7cf" + }, + { + "url": "https://git.kernel.org/stable/c/2ae917d4bcab80ab304b774d492e2fcd6c52c06b" + }, + { + "url": "https://git.kernel.org/stable/c/3320126ed3afbc11934502319b340f91a4d61c8f" + }, + { + "url": "https://git.kernel.org/stable/c/7849e6f8410da96384e3d1f6b6d730f095142dc7" + }, + { + "url": "https://git.kernel.org/stable/c/c473288f27d15014447de5a891bdf22a0695847a" + }, + { + "url": "https://git.kernel.org/stable/c/e2cd32435b1dff3d63759476a3abc878e02fb6c8" + }, + { + "url": "https://git.kernel.org/stable/c/edf82aa7e9eb864a09229392054d131b34a5c9e8" + }, + { + "url": "https://git.kernel.org/stable/c/ee0b5f96b6d66a1e6698228dcb41df11ec7f352f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35930 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35930", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\n\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status. In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\n\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35930\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35930\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35930\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35930\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35930\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07a2aa674fca679316b8ac51440adb895b53a7cf\",\n \"https://git.kernel.org/stable/c/2ae917d4bcab80ab304b774d492e2fcd6c52c06b\",\n \"https://git.kernel.org/stable/c/3320126ed3afbc11934502319b340f91a4d61c8f\",\n \"https://git.kernel.org/stable/c/7849e6f8410da96384e3d1f6b6d730f095142dc7\",\n \"https://git.kernel.org/stable/c/c473288f27d15014447de5a891bdf22a0695847a\",\n \"https://git.kernel.org/stable/c/e2cd32435b1dff3d63759476a3abc878e02fb6c8\",\n \"https://git.kernel.org/stable/c/edf82aa7e9eb864a09229392054d131b34a5c9e8\",\n \"https://git.kernel.org/stable/c/ee0b5f96b6d66a1e6698228dcb41df11ec7f352f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\\n\\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\\nunsuccessful status. In such cases, the elsiocb is not issued, the\\ncompletion is not called, and thus the elsiocb resource is leaked.\\n\\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\\nrelease the elsiocb resource.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35930\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35931", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35931" + }, + { + "url": "https://git.kernel.org/stable/c/395ca1031acf89d8ecb26127c544a71688d96f35" + }, + { + "url": "https://git.kernel.org/stable/c/601429cca96b4af3be44172c3b64e4228515dbe1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35931", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Skip do PCI error slot reset during RAS recovery\n\nWhy:\n The PCI error slot reset maybe triggered after inject ue to UMC multi times, this\n caused system hang.\n [ 557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, trying to resume\n [ 557.373718] [drm] PCIE GART of 512M enabled.\n [ 557.373722] [drm] PTB located at 0x0000031FED700000\n [ 557.373788] [drm] VRAM is lost due to GPU reset!\n [ 557.373789] [drm] PSP is resuming...\n [ 557.547012] mlx5_core 0000:55:00.0: mlx5_pci_err_detected Device state = 1 pci_status: 0. Exit, result = 3, need reset\n [ 557.547067] [drm] PCI error: detected callback, state(1)!!\n [ 557.547069] [drm] No support for XGMI hive yet...\n [ 557.548125] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 0. Enter\n [ 557.607763] mlx5_core 0000:55:00.0: wait vital counter value 0x16b5b after 1 iterations\n [ 557.607777] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 1. Exit, err = 0, result = 5, recovered\n [ 557.610492] [drm] PCI error: slot reset callback!!\n ...\n [ 560.689382] amdgpu 0000:3f:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689546] amdgpu 0000:5a:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689562] general protection fault, probably for non-canonical address 0x5f080b54534f611f: 0000 [#1] SMP NOPTI\n [ 560.701008] CPU: 16 PID: 2361 Comm: kworker/u448:9 Tainted: G OE 5.15.0-91-generic #101-Ubuntu\n [ 560.712057] Hardware name: Microsoft C278A/C278A, BIOS C2789.5.BS.1C11.AG.1 11/08/2023\n [ 560.720959] Workqueue: amdgpu-reset-hive amdgpu_ras_do_recovery [amdgpu]\n [ 560.728887] RIP: 0010:amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.736891] Code: ff 41 89 c6 e9 1b ff ff ff 44 0f b6 45 b0 e9 4f ff ff ff be 01 00 00 00 4c 89 e7 e8 76 c9 8b ff 44 0f b6 45 b0 e9 3c fd ff ff <48> 83 ba 18 02 00 00 00 0f 84 6a f8 ff ff 48 8d 7a 78 be 01 00 00\n [ 560.757967] RSP: 0018:ffa0000032e53d80 EFLAGS: 00010202\n [ 560.763848] RAX: ffa00000001dfd10 RBX: ffa0000000197090 RCX: ffa0000032e53db0\n [ 560.771856] RDX: 5f080b54534f5f07 RSI: 0000000000000000 RDI: ff11000128100010\n [ 560.779867] RBP: ffa0000032e53df0 R08: 0000000000000000 R09: ffffffffffe77f08\n [ 560.787879] R10: 0000000000ffff0a R11: 0000000000000001 R12: 0000000000000000\n [ 560.795889] R13: ffa0000032e53e00 R14: 0000000000000000 R15: 0000000000000000\n [ 560.803889] FS: 0000000000000000(0000) GS:ff11007e7e800000(0000) knlGS:0000000000000000\n [ 560.812973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 560.819422] CR2: 000055a04c118e68 CR3: 0000000007410005 CR4: 0000000000771ee0\n [ 560.827433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [ 560.835433] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n [ 560.843444] PKRU: 55555554\n [ 560.846480] Call Trace:\n [ 560.849225] \n [ 560.851580] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.856488] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.861379] ? amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.867778] ? show_regs.part.0+0x23/0x29\n [ 560.872293] ? __die_body.cold+0x8/0xd\n [ 560.876502] ? die_addr+0x3e/0x60\n [ 560.880238] ? exc_general_protection+0x1c5/0x410\n [ 560.885532] ? asm_exc_general_protection+0x27/0x30\n [ 560.891025] ? amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.898323] amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.904520] process_one_work+0x228/0x3d0\nHow:\n In RAS recovery, mode-1 reset is issued from RAS fatal error handling and expected\n all the nodes in a hive to be reset. no need to issue another mode-1 during this procedure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/395ca1031acf89d8ecb26127c544a71688d96f35\",\n \"https://git.kernel.org/stable/c/601429cca96b4af3be44172c3b64e4228515dbe1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Skip do PCI error slot reset during RAS recovery\\n\\nWhy:\\n The PCI error slot reset maybe triggered after inject ue to UMC multi times, this\\n caused system hang.\\n [ 557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, trying to resume\\n [ 557.373718] [drm] PCIE GART of 512M enabled.\\n [ 557.373722] [drm] PTB located at 0x0000031FED700000\\n [ 557.373788] [drm] VRAM is lost due to GPU reset!\\n [ 557.373789] [drm] PSP is resuming...\\n [ 557.547012] mlx5_core 0000:55:00.0: mlx5_pci_err_detected Device state = 1 pci_status: 0. Exit, result = 3, need reset\\n [ 557.547067] [drm] PCI error: detected callback, state(1)!!\\n [ 557.547069] [drm] No support for XGMI hive yet...\\n [ 557.548125] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 0. Enter\\n [ 557.607763] mlx5_core 0000:55:00.0: wait vital counter value 0x16b5b after 1 iterations\\n [ 557.607777] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 1. Exit, err = 0, result = 5, recovered\\n [ 557.610492] [drm] PCI error: slot reset callback!!\\n ...\\n [ 560.689382] amdgpu 0000:3f:00.0: amdgpu: GPU reset(2) succeeded!\\n [ 560.689546] amdgpu 0000:5a:00.0: amdgpu: GPU reset(2) succeeded!\\n [ 560.689562] general protection fault, probably for non-canonical address 0x5f080b54534f611f: 0000 [#1] SMP NOPTI\\n [ 560.701008] CPU: 16 PID: 2361 Comm: kworker/u448:9 Tainted: G OE 5.15.0-91-generic #101-Ubuntu\\n [ 560.712057] Hardware name: Microsoft C278A/C278A, BIOS C2789.5.BS.1C11.AG.1 11/08/2023\\n [ 560.720959] Workqueue: amdgpu-reset-hive amdgpu_ras_do_recovery [amdgpu]\\n [ 560.728887] RIP: 0010:amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\\n [ 560.736891] Code: ff 41 89 c6 e9 1b ff ff ff 44 0f b6 45 b0 e9 4f ff ff ff be 01 00 00 00 4c 89 e7 e8 76 c9 8b ff 44 0f b6 45 b0 e9 3c fd ff ff <48> 83 ba 18 02 00 00 00 0f 84 6a f8 ff ff 48 8d 7a 78 be 01 00 00\\n [ 560.757967] RSP: 0018:ffa0000032e53d80 EFLAGS: 00010202\\n [ 560.763848] RAX: ffa00000001dfd10 RBX: ffa0000000197090 RCX: ffa0000032e53db0\\n [ 560.771856] RDX: 5f080b54534f5f07 RSI: 0000000000000000 RDI: ff11000128100010\\n [ 560.779867] RBP: ffa0000032e53df0 R08: 0000000000000000 R09: ffffffffffe77f08\\n [ 560.787879] R10: 0000000000ffff0a R11: 0000000000000001 R12: 0000000000000000\\n [ 560.795889] R13: ffa0000032e53e00 R14: 0000000000000000 R15: 0000000000000000\\n [ 560.803889] FS: 0000000000000000(0000) GS:ff11007e7e800000(0000) knlGS:0000000000000000\\n [ 560.812973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n [ 560.819422] CR2: 000055a04c118e68 CR3: 0000000007410005 CR4: 0000000000771ee0\\n [ 560.827433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n [ 560.835433] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\\n [ 560.843444] PKRU: 55555554\\n [ 560.846480] Call Trace:\\n [ 560.849225] \\n [ 560.851580] ? show_trace_log_lvl+0x1d6/0x2ea\\n [ 560.856488] ? show_trace_log_lvl+0x1d6/0x2ea\\n [ 560.861379] ? amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\\n [ 560.867778] ? show_regs.part.0+0x23/0x29\\n [ 560.872293] ? __die_body.cold+0x8/0xd\\n [ 560.876502] ? die_addr+0x3e/0x60\\n [ 560.880238] ? exc_general_protection+0x1c5/0x410\\n [ 560.885532] ? asm_exc_general_protection+0x27/0x30\\n [ 560.891025] ? amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\\n [ 560.898323] amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\\n [ 560.904520] process_one_work+0x228/0x3d0\\nHow:\\n In RAS recovery, mode-1 reset is issued from RAS fatal error handling and expected\\n all the nodes in a hive to be reset. no need to issue another mode-1 during this procedure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35932", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35932" + }, + { + "url": "https://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40" + }, + { + "url": "https://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd" + }, + { + "url": "https://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9" + }, + { + "url": "https://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35932 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35932", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: don't check if plane->state->fb == state->fb\n\nCurrently, when using non-blocking commits, we can see the following\nkernel warning:\n\n[ 110.908514] ------------[ cut here ]------------\n[ 110.908529] refcount_t: underflow; use-after-free.\n[ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\n[ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32\n[ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0\n[ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0\n[ 110.909170] sp : ffffffc00913b9c0\n[ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\n[ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\n[ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\n[ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\n[ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\n[ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\n[ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\n[ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\n[ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\n[ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\n[ 110.909434] Call trace:\n[ 110.909441] refcount_dec_not_one+0xb8/0xc0\n[ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\n[ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4]\n[ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\n[ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4]\n[ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper]\n[ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\n[ 110.911716] drm_atomic_commit+0xb0/0xdc [drm]\n[ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\n[ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm]\n[ 110.914091] drm_ioctl+0x24c/0x3b0 [drm]\n[ 110.914850] __arm64_sys_ioctl+0x9c/0xd4\n[ 110.914873] invoke_syscall+0x4c/0x114\n[ 110.914897] el0_svc_common+0xd0/0x118\n[ 110.914917] do_el0_svc+0x38/0xd0\n[ 110.914936] el0_svc+0x30/0x8c\n[ 110.914958] el0t_64_sync_handler+0x84/0xf0\n[ 110.914979] el0t_64_sync+0x18c/0x190\n[ 110.914996] ---[ end trace 0000000000000000 ]---\n\nThis happens because, although `prepare_fb` and `cleanup_fb` are\nperfectly balanced, we cannot guarantee consistency in the check\nplane->state->fb == state->fb. This means that sometimes we can increase\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\nopposite can also be true.\n\nIn fact, the struct drm_plane .state shouldn't be accessed directly\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\nbe used. So, we could stick to this check, but using\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35932\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35932\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35932\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35932\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35932\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40\",\n \"https://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd\",\n \"https://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9\",\n \"https://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vc4: don't check if plane->state->fb == state->fb\\n\\nCurrently, when using non-blocking commits, we can see the following\\nkernel warning:\\n\\n[ 110.908514] ------------[ cut here ]------------\\n[ 110.908529] refcount_t: underflow; use-after-free.\\n[ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\\n[ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\\n[ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32\\n[ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\\n[ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0\\n[ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0\\n[ 110.909170] sp : ffffffc00913b9c0\\n[ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\\n[ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\\n[ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\\n[ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\\n[ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\\n[ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\\n[ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\\n[ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\\n[ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\\n[ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\\n[ 110.909434] Call trace:\\n[ 110.909441] refcount_dec_not_one+0xb8/0xc0\\n[ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\\n[ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4]\\n[ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\\n[ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4]\\n[ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper]\\n[ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\\n[ 110.911716] drm_atomic_commit+0xb0/0xdc [drm]\\n[ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\\n[ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm]\\n[ 110.914091] drm_ioctl+0x24c/0x3b0 [drm]\\n[ 110.914850] __arm64_sys_ioctl+0x9c/0xd4\\n[ 110.914873] invoke_syscall+0x4c/0x114\\n[ 110.914897] el0_svc_common+0xd0/0x118\\n[ 110.914917] do_el0_svc+0x38/0xd0\\n[ 110.914936] el0_svc+0x30/0x8c\\n[ 110.914958] el0t_64_sync_handler+0x84/0xf0\\n[ 110.914979] el0t_64_sync+0x18c/0x190\\n[ 110.914996] ---[ end trace 0000000000000000 ]---\\n\\nThis happens because, although `prepare_fb` and `cleanup_fb` are\\nperfectly balanced, we cannot guarantee consistency in the check\\nplane->state->fb == state->fb. This means that sometimes we can increase\\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\\nopposite can also be true.\\n\\nIn fact, the struct drm_plane .state shouldn't be accessed directly\\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\\nbe used. So, we could stick to this check, but using\\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35932\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35933", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35933" + }, + { + "url": "https://git.kernel.org/stable/c/006936ecb4edfc3102464044f75858c714e34d28" + }, + { + "url": "https://git.kernel.org/stable/c/22d3053ef05f0b5045e45bd91e7473846261d65e" + }, + { + "url": "https://git.kernel.org/stable/c/68a69bb2ecafaacdb998a87783068fb51736f43b" + }, + { + "url": "https://git.kernel.org/stable/c/86e9b47e8a75c74b1bd83a479979b425c5dc8bd9" + }, + { + "url": "https://git.kernel.org/stable/c/b19fe5eea619d54eea59bb8a37c0f8d00ef0e912" + }, + { + "url": "https://git.kernel.org/stable/c/b79e040910101b020931ba0c9a6b77e81ab7f645" + }, + { + "url": "https://git.kernel.org/stable/c/ec2049fb2b8be3e108fe2ef1f1040f91e72c9990" + }, + { + "url": "https://git.kernel.org/stable/c/ffdca0a62abaf8c41d8d9ea132000fd808de329b" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35933 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35933", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Fix null ptr deref in btintel_read_version\n\nIf hci_cmd_sync_complete() is triggered and skb is NULL, then\nhdev->req_skb is NULL, which will cause this issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35933\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35933\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35933\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35933\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35933\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/006936ecb4edfc3102464044f75858c714e34d28\",\n \"https://git.kernel.org/stable/c/22d3053ef05f0b5045e45bd91e7473846261d65e\",\n \"https://git.kernel.org/stable/c/68a69bb2ecafaacdb998a87783068fb51736f43b\",\n \"https://git.kernel.org/stable/c/86e9b47e8a75c74b1bd83a479979b425c5dc8bd9\",\n \"https://git.kernel.org/stable/c/b19fe5eea619d54eea59bb8a37c0f8d00ef0e912\",\n \"https://git.kernel.org/stable/c/b79e040910101b020931ba0c9a6b77e81ab7f645\",\n \"https://git.kernel.org/stable/c/ec2049fb2b8be3e108fe2ef1f1040f91e72c9990\",\n \"https://git.kernel.org/stable/c/ffdca0a62abaf8c41d8d9ea132000fd808de329b\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: btintel: Fix null ptr deref in btintel_read_version\\n\\nIf hci_cmd_sync_complete() is triggered and skb is NULL, then\\nhdev->req_skb is NULL, which will cause this issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35933\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35934", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35934" + }, + { + "url": "https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0" + }, + { + "url": "https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7" + }, + { + "url": "https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec" + }, + { + "url": "https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4" + }, + { + "url": "https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2" + }, + { + "url": "https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35934", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()\n\nMany syzbot reports show extreme rtnl pressure, and many of them hint\nthat smc acquires rtnl in netns creation for no good reason [1]\n\nThis patch returns early from smc_pnet_net_init()\nif there is no netdevice yet.\n\nI am not even sure why smc_pnet_create_pnetids_list() even exists,\nbecause smc_pnet_netdev_event() is also calling\nsmc_pnet_add_base_pnetid() when handling NETDEV_UP event.\n\n[1] extract of typical syzbot reports\n\n2 locks held by syz-executor.3/12252:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12253:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12257:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12261:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.0/12265:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.3/12268:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12271:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12274:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12280:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0\",\n \"https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7\",\n \"https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec\",\n \"https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4\",\n \"https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2\",\n \"https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()\\n\\nMany syzbot reports show extreme rtnl pressure, and many of them hint\\nthat smc acquires rtnl in netns creation for no good reason [1]\\n\\nThis patch returns early from smc_pnet_net_init()\\nif there is no netdevice yet.\\n\\nI am not even sure why smc_pnet_create_pnetids_list() even exists,\\nbecause smc_pnet_netdev_event() is also calling\\nsmc_pnet_add_base_pnetid() when handling NETDEV_UP event.\\n\\n[1] extract of typical syzbot reports\\n\\n2 locks held by syz-executor.3/12252:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.4/12253:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.1/12257:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.2/12261:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.0/12265:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.3/12268:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.4/12271:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.1/12274:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.2/12280:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35935", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35935" + }, + { + "url": "https://git.kernel.org/stable/c/024529c27c8b4b273325a169e078337c8279e229" + }, + { + "url": "https://git.kernel.org/stable/c/03938619a1e718b6168ae4528e1b0f979293f1a5" + }, + { + "url": "https://git.kernel.org/stable/c/2f6174fd4ccf403b42b3d5f0d1b6b496a0e5330a" + }, + { + "url": "https://git.kernel.org/stable/c/3c6ee34c6f9cd12802326da26631232a61743501" + }, + { + "url": "https://git.kernel.org/stable/c/4720d590c4cb5d9ffa0060b89743651cc7e995f9" + }, + { + "url": "https://git.kernel.org/stable/c/9ae356c627b493323e1433dcb27a26917668c07c" + }, + { + "url": "https://git.kernel.org/stable/c/be2b6bcc936ae17f42fff6494106a5660b35d8d3" + }, + { + "url": "https://git.kernel.org/stable/c/c1363ed8867b81ea169fba2ccc14af96a85ed183" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35935 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35935", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\n\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don't accidentally leak kernel\naddresses.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35935\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35935\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35935\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35935\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35935\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/024529c27c8b4b273325a169e078337c8279e229\",\n \"https://git.kernel.org/stable/c/03938619a1e718b6168ae4528e1b0f979293f1a5\",\n \"https://git.kernel.org/stable/c/2f6174fd4ccf403b42b3d5f0d1b6b496a0e5330a\",\n \"https://git.kernel.org/stable/c/3c6ee34c6f9cd12802326da26631232a61743501\",\n \"https://git.kernel.org/stable/c/4720d590c4cb5d9ffa0060b89743651cc7e995f9\",\n \"https://git.kernel.org/stable/c/9ae356c627b493323e1433dcb27a26917668c07c\",\n \"https://git.kernel.org/stable/c/be2b6bcc936ae17f42fff6494106a5660b35d8d3\",\n \"https://git.kernel.org/stable/c/c1363ed8867b81ea169fba2ccc14af96a85ed183\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\\n\\nChange BUG_ON to proper error handling if building the path buffer\\nfails. The pointers are not printed so we don't accidentally leak kernel\\naddresses.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35935\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35936", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35936" + }, + { + "url": "https://git.kernel.org/stable/c/0d23b34c68c46cd225b55868bc8a269e3134816d" + }, + { + "url": "https://git.kernel.org/stable/c/1f9212cdbd005bc55f2b7422e7b560d9c02bd1da" + }, + { + "url": "https://git.kernel.org/stable/c/36c2a2863bc3896243eb724dc3fd4cf9aea633f2" + }, + { + "url": "https://git.kernel.org/stable/c/576164bd01bd795f8b09fb194b493103506b33c9" + }, + { + "url": "https://git.kernel.org/stable/c/7411055db5ce64f836aaffd422396af0075fdc99" + }, + { + "url": "https://git.kernel.org/stable/c/87299cdaae757f3f41212146cfb5b3af416b8385" + }, + { + "url": "https://git.kernel.org/stable/c/bebd9e0ff90034875c5dfe4bd514fd7055fc7a89" + }, + { + "url": "https://git.kernel.org/stable/c/d1ffa4ae2d591fdd40471074e79954ec45f147f7" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35936 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35936", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\n\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\n\n- at first the search key is set up to look for a chunk tree item, with\n offset -1, this is an inexact search and the key->offset will contain\n the correct offset upon a successful search, a valid chunk tree item\n cannot have an offset -1\n\n- after first successful search, the found_key corresponds to a chunk\n item, the offset is decremented by 1 before the next loop, it's\n impossible to find a chunk item there due to alignment and size\n constraints", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35936\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35936\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35936\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35936\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35936\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d23b34c68c46cd225b55868bc8a269e3134816d\",\n \"https://git.kernel.org/stable/c/1f9212cdbd005bc55f2b7422e7b560d9c02bd1da\",\n \"https://git.kernel.org/stable/c/36c2a2863bc3896243eb724dc3fd4cf9aea633f2\",\n \"https://git.kernel.org/stable/c/576164bd01bd795f8b09fb194b493103506b33c9\",\n \"https://git.kernel.org/stable/c/7411055db5ce64f836aaffd422396af0075fdc99\",\n \"https://git.kernel.org/stable/c/87299cdaae757f3f41212146cfb5b3af416b8385\",\n \"https://git.kernel.org/stable/c/bebd9e0ff90034875c5dfe4bd514fd7055fc7a89\",\n \"https://git.kernel.org/stable/c/d1ffa4ae2d591fdd40471074e79954ec45f147f7\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\\n\\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\\nas it could be caused only by two impossible conditions:\\n\\n- at first the search key is set up to look for a chunk tree item, with\\n offset -1, this is an inexact search and the key->offset will contain\\n the correct offset upon a successful search, a valid chunk tree item\\n cannot have an offset -1\\n\\n- after first successful search, the found_key corresponds to a chunk\\n item, the offset is decremented by 1 before the next loop, it's\\n impossible to find a chunk item there due to alignment and size\\n constraints\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35936\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35937", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35937" + }, + { + "url": "https://git.kernel.org/stable/c/16da1e1dac23be45ef6e23c41b1508c400e6c544" + }, + { + "url": "https://git.kernel.org/stable/c/5d7a8585fbb31e88fb2a0f581b70667d3300d1e9" + }, + { + "url": "https://git.kernel.org/stable/c/9ad7974856926129f190ffbe3beea78460b3b7cc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35937 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35937", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: check A-MSDU format more carefully\n\nIf it looks like there's another subframe in the A-MSDU\nbut the header isn't fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35937\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35937\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35937\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35937\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35937\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16da1e1dac23be45ef6e23c41b1508c400e6c544\",\n \"https://git.kernel.org/stable/c/5d7a8585fbb31e88fb2a0f581b70667d3300d1e9\",\n \"https://git.kernel.org/stable/c/9ad7974856926129f190ffbe3beea78460b3b7cc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: cfg80211: check A-MSDU format more carefully\\n\\nIf it looks like there's another subframe in the A-MSDU\\nbut the header isn't fully there, we can end up reading\\ndata out of bounds, only to discard later. Make this a\\nbit more careful and check if the subframe header can\\neven be present.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35937\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35938", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35938" + }, + { + "url": "https://git.kernel.org/stable/c/138fdeac75fb7512a7f9f1c3b236cd2e754af793" + }, + { + "url": "https://git.kernel.org/stable/c/1cca1bddf9ef080503c15378cecf4877f7510015" + }, + { + "url": "https://git.kernel.org/stable/c/6597a6687af54e2cb58371cf8f6ee4dd85c537de" + }, + { + "url": "https://git.kernel.org/stable/c/805a1cdde82fec00c7471a393f4bb437b2741559" + }, + { + "url": "https://git.kernel.org/stable/c/ae5876b3b7b2243d874e2afa099e7926122087a1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35938 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35938", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: decrease MHI channel buffer length to 8KB\n\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\nwith 0, making MHI use a default size, 64KB, to allocate channel\nbuffers. This is likely to fail in some scenarios where system\nmemory is highly fragmented and memory compaction or reclaim is\nnot allowed.\n\nThere is a fail report which is caused by it:\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\nWorkqueue: events_unbound async_run_entry_fn\nCall Trace:\n \n dump_stack_lvl+0x47/0x60\n warn_alloc+0x13a/0x1b0\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __alloc_pages_direct_compact+0xab/0x210\n __alloc_pages_slowpath.constprop.0+0xd3e/0xda0\n __alloc_pages+0x32d/0x350\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __kmalloc_large_node+0x72/0x110\n __kmalloc+0x37c/0x480\n ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n device_for_each_child+0x5c/0xa0\n ? __pfx_pci_pm_resume+0x10/0x10\n ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\n ? srso_alias_return_thunk+0x5/0xfbef5\n dpm_run_callback+0x8c/0x1e0\n device_resume+0x104/0x340\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x32/0x120\n process_one_work+0x168/0x330\n worker_thread+0x2f5/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe8/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nActually those buffers are used only by QMI target -> host communication.\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\nthan 6KB. So change buf_len field to 8KB, which results in order 1\nallocation if page size is 4KB. In this way, we can at least save some\nmemory, and as well as decrease the possibility of allocation failure\nin those scenarios.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35938\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35938\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35938\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35938\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35938\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/138fdeac75fb7512a7f9f1c3b236cd2e754af793\",\n \"https://git.kernel.org/stable/c/1cca1bddf9ef080503c15378cecf4877f7510015\",\n \"https://git.kernel.org/stable/c/6597a6687af54e2cb58371cf8f6ee4dd85c537de\",\n \"https://git.kernel.org/stable/c/805a1cdde82fec00c7471a393f4bb437b2741559\",\n \"https://git.kernel.org/stable/c/ae5876b3b7b2243d874e2afa099e7926122087a1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath11k: decrease MHI channel buffer length to 8KB\\n\\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\\nwith 0, making MHI use a default size, 64KB, to allocate channel\\nbuffers. This is likely to fail in some scenarios where system\\nmemory is highly fragmented and memory compaction or reclaim is\\nnot allowed.\\n\\nThere is a fail report which is caused by it:\\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\\nWorkqueue: events_unbound async_run_entry_fn\\nCall Trace:\\n \\n dump_stack_lvl+0x47/0x60\\n warn_alloc+0x13a/0x1b0\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? __alloc_pages_direct_compact+0xab/0x210\\n __alloc_pages_slowpath.constprop.0+0xd3e/0xda0\\n __alloc_pages+0x32d/0x350\\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n __kmalloc_large_node+0x72/0x110\\n __kmalloc+0x37c/0x480\\n ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n device_for_each_child+0x5c/0xa0\\n ? __pfx_pci_pm_resume+0x10/0x10\\n ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n dpm_run_callback+0x8c/0x1e0\\n device_resume+0x104/0x340\\n ? __pfx_dpm_watchdog_handler+0x10/0x10\\n async_resume+0x1d/0x30\\n async_run_entry_fn+0x32/0x120\\n process_one_work+0x168/0x330\\n worker_thread+0x2f5/0x410\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xe8/0x120\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x34/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \\n\\nActually those buffers are used only by QMI target -> host communication.\\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\\nthan 6KB. So change buf_len field to 8KB, which results in order 1\\nallocation if page size is 4KB. In this way, we can at least save some\\nmemory, and as well as decrease the possibility of allocation failure\\nin those scenarios.\\n\\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35938\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35939", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35939" + }, + { + "url": "https://git.kernel.org/stable/c/4031b72ca747a1e6e9ae4fa729e765b43363d66a" + }, + { + "url": "https://git.kernel.org/stable/c/4e0cfb25d49da2e6261ad582f58ffa5b5dd8c8e9" + }, + { + "url": "https://git.kernel.org/stable/c/b57326c96b7bc7638aa8c44e12afa2defe0c934c" + }, + { + "url": "https://git.kernel.org/stable/c/b9fa16949d18e06bdf728a560f5c8af56d2bdcaf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35939 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35939", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-direct: Leak pages on dma_set_decrypted() failure\n\nOn TDX it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nDMA could free decrypted/shared pages if dma_set_decrypted() fails. This\nshould be a rare case. Just leak the pages in this case instead of\nfreeing them.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35939\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35939\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35939\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35939\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35939\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4031b72ca747a1e6e9ae4fa729e765b43363d66a\",\n \"https://git.kernel.org/stable/c/4e0cfb25d49da2e6261ad582f58ffa5b5dd8c8e9\",\n \"https://git.kernel.org/stable/c/b57326c96b7bc7638aa8c44e12afa2defe0c934c\",\n \"https://git.kernel.org/stable/c/b9fa16949d18e06bdf728a560f5c8af56d2bdcaf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma-direct: Leak pages on dma_set_decrypted() failure\\n\\nOn TDX it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nDMA could free decrypted/shared pages if dma_set_decrypted() fails. This\\nshould be a rare case. Just leak the pages in this case instead of\\nfreeing them.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35939\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35940", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35940" + }, + { + "url": "https://git.kernel.org/stable/c/0ff96ec22a84d80a18d7ae8ca7eb111c34ee33bb" + }, + { + "url": "https://git.kernel.org/stable/c/635594cca59f9d7a8e96187600c34facb8bc0682" + }, + { + "url": "https://git.kernel.org/stable/c/6f9f2e498eae7897ba5d3e33908917f68ff4abcc" + }, + { + "url": "https://git.kernel.org/stable/c/98bc7e26e14fbb26a6abf97603d59532475e97f8" + }, + { + "url": "https://git.kernel.org/stable/c/98e2b97acb875d65bdfc75fc408e67975cef3041" + }, + { + "url": "https://git.kernel.org/stable/c/ec7256887d072f98c42cdbef4dcc80ddf84c7a70" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35940 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35940", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/zone: Add a null pointer check to the psz_kmsg_read\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35940\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35940\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35940\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35940\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35940\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ff96ec22a84d80a18d7ae8ca7eb111c34ee33bb\",\n \"https://git.kernel.org/stable/c/635594cca59f9d7a8e96187600c34facb8bc0682\",\n \"https://git.kernel.org/stable/c/6f9f2e498eae7897ba5d3e33908917f68ff4abcc\",\n \"https://git.kernel.org/stable/c/98bc7e26e14fbb26a6abf97603d59532475e97f8\",\n \"https://git.kernel.org/stable/c/98e2b97acb875d65bdfc75fc408e67975cef3041\",\n \"https://git.kernel.org/stable/c/ec7256887d072f98c42cdbef4dcc80ddf84c7a70\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npstore/zone: Add a null pointer check to the psz_kmsg_read\\n\\nkasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure. Ensure the allocation was successful\\nby checking the pointer validity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35940\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35941", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35941" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35941 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35941", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35941\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35941\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35941\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35941\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35941\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35941\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35942", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35942" + }, + { + "url": "https://git.kernel.org/stable/c/697624ee8ad557ab5417f985d2c804241a7ad30d" + }, + { + "url": "https://git.kernel.org/stable/c/9d3f959b426635c4da50dfc7b1306afd84d23e7c" + }, + { + "url": "https://git.kernel.org/stable/c/b13c0d871cd878ff53d25507ca535f59ed1f6a2a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35942 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35942", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain\n\nAccording to i.MX8MP RM and HDMI ADD, the fdcc clock is part of\nhdmi rx verification IP that should not enable for HDMI TX.\nBut actually if the clock is disabled before HDMI/LCDIF probe,\nLCDIF will not get pixel clock from HDMI PHY and print the error\nlogs:\n\n[CRTC:39:crtc-2] vblank wait timed out\nWARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260\n\nAdd fdcc clock to LCDIF and HDMI TX power domains to fix the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35942\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35942\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35942\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35942\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35942\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/697624ee8ad557ab5417f985d2c804241a7ad30d\",\n \"https://git.kernel.org/stable/c/9d3f959b426635c4da50dfc7b1306afd84d23e7c\",\n \"https://git.kernel.org/stable/c/b13c0d871cd878ff53d25507ca535f59ed1f6a2a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain\\n\\nAccording to i.MX8MP RM and HDMI ADD, the fdcc clock is part of\\nhdmi rx verification IP that should not enable for HDMI TX.\\nBut actually if the clock is disabled before HDMI/LCDIF probe,\\nLCDIF will not get pixel clock from HDMI PHY and print the error\\nlogs:\\n\\n[CRTC:39:crtc-2] vblank wait timed out\\nWARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260\\n\\nAdd fdcc clock to LCDIF and HDMI TX power domains to fix the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35942\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35943", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35943" + }, + { + "url": "https://git.kernel.org/stable/c/04f23510daa40f9010fadf309507564a34ad956f" + }, + { + "url": "https://git.kernel.org/stable/c/5d7f58ee08434a33340f75ac7ac5071eea9673b3" + }, + { + "url": "https://git.kernel.org/stable/c/ce666cecc09c0f92d5f86d89d8068ecfcf723a7e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35943 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35943", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35943\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35943\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35943\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35943\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35943\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04f23510daa40f9010fadf309507564a34ad956f\",\n \"https://git.kernel.org/stable/c/5d7f58ee08434a33340f75ac7ac5071eea9673b3\",\n \"https://git.kernel.org/stable/c/ce666cecc09c0f92d5f86d89d8068ecfcf723a7e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\\n\\ndevm_kasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure. Ensure the allocation was successful\\nby checking the pointer validity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35943\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35944", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35944" + }, + { + "url": "https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74" + }, + { + "url": "https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec" + }, + { + "url": "https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f" + }, + { + "url": "https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100" + }, + { + "url": "https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73" + }, + { + "url": "https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051" + }, + { + "url": "https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b" + }, + { + "url": "https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35944 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35944", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()\n\nSyzkaller hit 'WARNING in dg_dispatch_as_host' bug.\n\nmemcpy: detected field-spanning write (size 56) of single field \"&dg_info->msg\"\nat drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)\n\nWARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237\ndg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237\n\nSome code commentry, based on my understanding:\n\n544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)\n/// This is 24 + payload_size\n\nmemcpy(&dg_info->msg, dg, dg_size);\n\tDestination = dg_info->msg ---> this is a 24 byte\n\t\t\t\t\tstructure(struct vmci_datagram)\n\tSource = dg --> this is a 24 byte structure (struct vmci_datagram)\n\tSize = dg_size = 24 + payload_size\n\n{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.\n\n 35 struct delayed_datagram_info {\n 36 struct datagram_entry *entry;\n 37 struct work_struct work;\n 38 bool in_dg_host_queue;\n 39 /* msg and msg_payload must be together. */\n 40 struct vmci_datagram msg;\n 41 u8 msg_payload[];\n 42 };\n\nSo those extra bytes of payload are copied into msg_payload[], a run time\nwarning is seen while fuzzing with Syzkaller.\n\nOne possible way to fix the warning is to split the memcpy() into\ntwo parts -- one -- direct assignment of msg and second taking care of payload.\n\nGustavo quoted:\n\"Under FORTIFY_SOURCE we should not copy data across multiple members\nin a structure.\"", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35944\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35944\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35944\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35944\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35944\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74\",\n \"https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec\",\n \"https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f\",\n \"https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100\",\n \"https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73\",\n \"https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051\",\n \"https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b\",\n \"https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nVMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()\\n\\nSyzkaller hit 'WARNING in dg_dispatch_as_host' bug.\\n\\nmemcpy: detected field-spanning write (size 56) of single field \\\"&dg_info->msg\\\"\\nat drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)\\n\\nWARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237\\ndg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237\\n\\nSome code commentry, based on my understanding:\\n\\n544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)\\n/// This is 24 + payload_size\\n\\nmemcpy(&dg_info->msg, dg, dg_size);\\n\\tDestination = dg_info->msg ---> this is a 24 byte\\n\\t\\t\\t\\t\\tstructure(struct vmci_datagram)\\n\\tSource = dg --> this is a 24 byte structure (struct vmci_datagram)\\n\\tSize = dg_size = 24 + payload_size\\n\\n{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.\\n\\n 35 struct delayed_datagram_info {\\n 36 struct datagram_entry *entry;\\n 37 struct work_struct work;\\n 38 bool in_dg_host_queue;\\n 39 /* msg and msg_payload must be together. */\\n 40 struct vmci_datagram msg;\\n 41 u8 msg_payload[];\\n 42 };\\n\\nSo those extra bytes of payload are copied into msg_payload[], a run time\\nwarning is seen while fuzzing with Syzkaller.\\n\\nOne possible way to fix the warning is to split the memcpy() into\\ntwo parts -- one -- direct assignment of msg and second taking care of payload.\\n\\nGustavo quoted:\\n\\\"Under FORTIFY_SOURCE we should not copy data across multiple members\\nin a structure.\\\"\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35944\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35945", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35945" + }, + { + "url": "https://git.kernel.org/stable/c/3419ee39e3d3162ab2ec9942bb537613ed5b6311" + }, + { + "url": "https://git.kernel.org/stable/c/61c81872815f46006982bb80460c0c80a949b35b" + }, + { + "url": "https://git.kernel.org/stable/c/7a71f61ebf95cedd3f245db6da397822971d8db5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35945 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35945", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: phy_device: Prevent nullptr exceptions on ISR\n\nIf phydev->irq is set unconditionally, check\nfor valid interrupt handler or fall back to polling mode to prevent\nnullptr exceptions in interrupt service routine.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35945\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35945\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35945\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35945\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35945\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3419ee39e3d3162ab2ec9942bb537613ed5b6311\",\n \"https://git.kernel.org/stable/c/61c81872815f46006982bb80460c0c80a949b35b\",\n \"https://git.kernel.org/stable/c/7a71f61ebf95cedd3f245db6da397822971d8db5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: phy: phy_device: Prevent nullptr exceptions on ISR\\n\\nIf phydev->irq is set unconditionally, check\\nfor valid interrupt handler or fall back to polling mode to prevent\\nnullptr exceptions in interrupt service routine.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35945\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35946", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35946" + }, + { + "url": "https://git.kernel.org/stable/c/4f11c741908dab7dd48fa5a986b210d4fc74ca8d" + }, + { + "url": "https://git.kernel.org/stable/c/7e11a2966f51695c0af0b1f976a32d64dee243b2" + }, + { + "url": "https://git.kernel.org/stable/c/b34d64e9aa5505e3c84570aed5c757f1839573e8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35946 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35946", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix null pointer access when abort scan\n\nDuring cancel scan we might use vif that weren't scanning.\nFix this by using the actual scanning vif.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35946\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35946\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35946\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35946\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35946\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4f11c741908dab7dd48fa5a986b210d4fc74ca8d\",\n \"https://git.kernel.org/stable/c/7e11a2966f51695c0af0b1f976a32d64dee243b2\",\n \"https://git.kernel.org/stable/c/b34d64e9aa5505e3c84570aed5c757f1839573e8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: rtw89: fix null pointer access when abort scan\\n\\nDuring cancel scan we might use vif that weren't scanning.\\nFix this by using the actual scanning vif.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35946\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35947", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35947" + }, + { + "url": "https://git.kernel.org/stable/c/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c" + }, + { + "url": "https://git.kernel.org/stable/c/343081c21e56bd6690d342e2f5ae8c00183bf081" + }, + { + "url": "https://git.kernel.org/stable/c/3c718bddddca9cbef177ac475b94c5c91147fb38" + }, + { + "url": "https://git.kernel.org/stable/c/41d8ac238ab1cab01a8c71798d61903304f4e79b" + }, + { + "url": "https://git.kernel.org/stable/c/529e1852785599160415e964ca322ee7add7aef0" + }, + { + "url": "https://git.kernel.org/stable/c/a66c869b17c4c4dcf81d273b02cb0efe88e127ab" + }, + { + "url": "https://git.kernel.org/stable/c/a69e1bdd777ce51061111dc419801e8a2fd241cc" + }, + { + "url": "https://git.kernel.org/stable/c/ba3c118cff7bcb0fe6aa84ae1f9080d50e31c561" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35947 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35947", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndyndbg: fix old BUG_ON in >control parser\n\nFix a BUG_ON from 2009. Even if it looks \"unreachable\" (I didn't\nreally look), lets make sure by removing it, doing pr_err and return\n-EINVAL instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35947\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35947\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35947\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35947\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35947\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c\",\n \"https://git.kernel.org/stable/c/343081c21e56bd6690d342e2f5ae8c00183bf081\",\n \"https://git.kernel.org/stable/c/3c718bddddca9cbef177ac475b94c5c91147fb38\",\n \"https://git.kernel.org/stable/c/41d8ac238ab1cab01a8c71798d61903304f4e79b\",\n \"https://git.kernel.org/stable/c/529e1852785599160415e964ca322ee7add7aef0\",\n \"https://git.kernel.org/stable/c/a66c869b17c4c4dcf81d273b02cb0efe88e127ab\",\n \"https://git.kernel.org/stable/c/a69e1bdd777ce51061111dc419801e8a2fd241cc\",\n \"https://git.kernel.org/stable/c/ba3c118cff7bcb0fe6aa84ae1f9080d50e31c561\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndyndbg: fix old BUG_ON in >control parser\\n\\nFix a BUG_ON from 2009. Even if it looks \\\"unreachable\\\" (I didn't\\nreally look), lets make sure by removing it, doing pr_err and return\\n-EINVAL instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35947\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35948", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35948" + }, + { + "url": "https://git.kernel.org/stable/c/fcdbc1d7a4b638e5d5668de461f320386f3002aa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35948 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35948", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: Check for journal entries overruning end of sb clean section\n\nFix a missing bounds check in superblock validation.\n\nNote that we don't yet have repair code for this case - repair code for\nindividual items is generally low priority, since the whole superblock\nis checksummed, validated prior to write, and we have backups.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35948\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35948\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35948\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35948\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35948\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/fcdbc1d7a4b638e5d5668de461f320386f3002aa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbcachefs: Check for journal entries overruning end of sb clean section\\n\\nFix a missing bounds check in superblock validation.\\n\\nNote that we don't yet have repair code for this case - repair code for\\nindividual items is generally low priority, since the whole superblock\\nis checksummed, validated prior to write, and we have backups.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35948\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35949", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35949" + }, + { + "url": "https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273" + }, + { + "url": "https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35949 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35949", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make sure that WRITTEN is set on all metadata blocks\n\nWe previously would call btrfs_check_leaf() if we had the check\nintegrity code enabled, which meant that we could only run the extended\nleaf checks if we had WRITTEN set on the header flags.\n\nThis leaves a gap in our checking, because we could end up with\ncorruption on disk where WRITTEN isn't set on the leaf, and then the\nextended leaf checks don't get run which we rely on to validate all of\nthe item pointers to make sure we don't access memory outside of the\nextent buffer.\n\nHowever, since 732fab95abe2 (\"btrfs: check-integrity: remove\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\") we no longer call\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\never call it on blocks that are being written out, and thus have WRITTEN\nset, or that are being read in, which should have WRITTEN set.\n\nAdd checks to make sure we have WRITTEN set appropriately, and then make\nsure __btrfs_check_leaf() always does the item checking. This will\nprotect us from file systems that have been corrupted and no longer have\nWRITTEN set on some of the blocks.\n\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\nKASAN as out-of-bound access in the eb accessors. The example is a dir\nitem at the end of an eb.\n\n [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\n [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\n [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\n [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\n [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\n [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\n [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\n [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\n [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\n [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\n [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\n [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\n [2.621] Call Trace:\n [2.621] \n [2.621] ? show_regs+0x74/0x80\n [2.621] ? die_addr+0x46/0xc0\n [2.621] ? exc_general_protection+0x161/0x2a0\n [2.621] ? asm_exc_general_protection+0x26/0x30\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? btrfs_get_16+0x34b/0x6d0\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? __pfx_btrfs_get_16+0x10/0x10\n [2.621] ? __pfx_mutex_unlock+0x10/0x10\n [2.621] btrfs_match_dir_item_name+0x101/0x1a0\n [2.621] btrfs_lookup_dir_item+0x1f3/0x280\n [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10\n [2.621] btrfs_get_tree+0xd25/0x1910\n\n[ copy more details from report ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35949\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35949\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35949\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35949\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35949\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273\",\n \"https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: make sure that WRITTEN is set on all metadata blocks\\n\\nWe previously would call btrfs_check_leaf() if we had the check\\nintegrity code enabled, which meant that we could only run the extended\\nleaf checks if we had WRITTEN set on the header flags.\\n\\nThis leaves a gap in our checking, because we could end up with\\ncorruption on disk where WRITTEN isn't set on the leaf, and then the\\nextended leaf checks don't get run which we rely on to validate all of\\nthe item pointers to make sure we don't access memory outside of the\\nextent buffer.\\n\\nHowever, since 732fab95abe2 (\\\"btrfs: check-integrity: remove\\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\\\") we no longer call\\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\\never call it on blocks that are being written out, and thus have WRITTEN\\nset, or that are being read in, which should have WRITTEN set.\\n\\nAdd checks to make sure we have WRITTEN set appropriately, and then make\\nsure __btrfs_check_leaf() always does the item checking. This will\\nprotect us from file systems that have been corrupted and no longer have\\nWRITTEN set on some of the blocks.\\n\\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\\nKASAN as out-of-bound access in the eb accessors. The example is a dir\\nitem at the end of an eb.\\n\\n [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\\n [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\\n [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\\n [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\\n [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\n [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\\n [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\\n [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\\n [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\\n [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\\n [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\\n [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\\n [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\\n [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\\n [2.621] Call Trace:\\n [2.621] \\n [2.621] ? show_regs+0x74/0x80\\n [2.621] ? die_addr+0x46/0xc0\\n [2.621] ? exc_general_protection+0x161/0x2a0\\n [2.621] ? asm_exc_general_protection+0x26/0x30\\n [2.621] ? btrfs_get_16+0x33a/0x6d0\\n [2.621] ? btrfs_get_16+0x34b/0x6d0\\n [2.621] ? btrfs_get_16+0x33a/0x6d0\\n [2.621] ? __pfx_btrfs_get_16+0x10/0x10\\n [2.621] ? __pfx_mutex_unlock+0x10/0x10\\n [2.621] btrfs_match_dir_item_name+0x101/0x1a0\\n [2.621] btrfs_lookup_dir_item+0x1f3/0x280\\n [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10\\n [2.621] btrfs_get_tree+0xd25/0x1910\\n\\n[ copy more details from report ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35949\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35950", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35950" + }, + { + "url": "https://git.kernel.org/stable/c/04e018bd913d3d3336ab7d21c2ad31a9175fe984" + }, + { + "url": "https://git.kernel.org/stable/c/18c8cc6680ce938d0458859b6a08b4d34f7d8055" + }, + { + "url": "https://git.kernel.org/stable/c/3eadd887dbac1df8f25f701e5d404d1b90fd0fea" + }, + { + "url": "https://git.kernel.org/stable/c/41586487769eede64ab1aa6c65c74cbf76c12ef0" + }, + { + "url": "https://git.kernel.org/stable/c/5a2f957e3c4553bbb100504a1acfeaeb33f4ca4e" + }, + { + "url": "https://git.kernel.org/stable/c/8ceb873d816786a7c8058f50d903574aff8d3764" + }, + { + "url": "https://git.kernel.org/stable/c/d2dc6600d4e3e1453e3b1fb233e9f97e2a1ae949" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35950 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35950", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\n\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it the elements may already be pointing to\nfreed/reused memory.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35950\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35950\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35950\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35950\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35950\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04e018bd913d3d3336ab7d21c2ad31a9175fe984\",\n \"https://git.kernel.org/stable/c/18c8cc6680ce938d0458859b6a08b4d34f7d8055\",\n \"https://git.kernel.org/stable/c/3eadd887dbac1df8f25f701e5d404d1b90fd0fea\",\n \"https://git.kernel.org/stable/c/41586487769eede64ab1aa6c65c74cbf76c12ef0\",\n \"https://git.kernel.org/stable/c/5a2f957e3c4553bbb100504a1acfeaeb33f4ca4e\",\n \"https://git.kernel.org/stable/c/8ceb873d816786a7c8058f50d903574aff8d3764\",\n \"https://git.kernel.org/stable/c/d2dc6600d4e3e1453e3b1fb233e9f97e2a1ae949\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\\n\\nThe modes[] array contains pointers to modes on the connectors'\\nmode lists, which are protected by dev->mode_config.mutex.\\nThus we need to extend modes[] the same protection or by the\\ntime we use it the elements may already be pointing to\\nfreed/reused memory.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35950\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35951", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35951" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/1fc9af813b25e146d3607669247d0f970f5a87c3" + }, + { + "url": "https://git.kernel.org/stable/c/31806711e8a4b75e09b1c43652f2a6420e6e1002" + }, + { + "url": "https://git.kernel.org/stable/c/e18070c622c63f0cab170348e320454728c277aa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35951 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35951", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\n\nSubject: [PATCH] drm/panfrost: Fix the error path in\n panfrost_mmu_map_fault_addr()\n\nIf some the pages or sgt allocation failed, we shouldn't release the\npages ref we got earlier, otherwise we will end up with unbalanced\nget/put_pages() calls. We should instead leave everything in place\nand let the BO release function deal with extra cleanup when the object\nis destroyed, or let the fault handler try again next time it's called.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35951\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35951\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35951\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35951\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35951\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/1fc9af813b25e146d3607669247d0f970f5a87c3\",\n \"https://git.kernel.org/stable/c/31806711e8a4b75e09b1c43652f2a6420e6e1002\",\n \"https://git.kernel.org/stable/c/e18070c622c63f0cab170348e320454728c277aa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\\n\\nSubject: [PATCH] drm/panfrost: Fix the error path in\\n panfrost_mmu_map_fault_addr()\\n\\nIf some the pages or sgt allocation failed, we shouldn't release the\\npages ref we got earlier, otherwise we will end up with unbalanced\\nget/put_pages() calls. We should instead leave everything in place\\nand let the BO release function deal with extra cleanup when the object\\nis destroyed, or let the fault handler try again next time it's called.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35951\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35955", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35955" + }, + { + "url": "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e" + }, + { + "url": "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8" + }, + { + "url": "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0" + }, + { + "url": "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d" + }, + { + "url": "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808" + }, + { + "url": "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412" + }, + { + "url": "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33" + }, + { + "url": "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35955 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35955", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\n\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35955\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35955\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35955\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35955\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35955\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e\",\n \"https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8\",\n \"https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0\",\n \"https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d\",\n \"https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808\",\n \"https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412\",\n \"https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33\",\n \"https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkprobes: Fix possible use-after-free issue on kprobe registration\\n\\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\\na time. `is_module_text_address()` and `__module_text_address()`\\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\\nIf we use `is_module_text_address()` and `__module_text_address()`\\nseparately, there is a chance that the first one is succeeded but the\\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\\nbetween those operations.\\n\\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\\nis failed, that is ignored because it expected a kernel_text address.\\nBut it may have failed simply because module->state has been changed\\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\\nnon-exist module text address (use-after-free).\\n\\nTo fix this problem, we should not use separated `is_module_text_address()`\\nand `__module_text_address()`, but use only `__module_text_address()`\\nonce and do `try_module_get(module)` which is only available with\\nMODULE_STATE_LIVE.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35955\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35956", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35956" + }, + { + "url": "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9" + }, + { + "url": "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c" + }, + { + "url": "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35956 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35956", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\n\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\n\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\n\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n\n1. any failure before record_root_in_trans is called successfully\n results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n transaction owns freeing the reservation.\n\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35956\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35956\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35956\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35956\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35956\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9\",\n \"https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c\",\n \"https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\\n\\nCreate subvolume, create snapshot and delete subvolume all use\\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\\ndone to the parent subvolume's fs tree, which cannot be mediated in the\\nnormal way via start_transaction. When quota groups (squota or qgroups)\\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\\noperation is associated to a transaction, we convert PREALLOC to\\nPERTRANS, which gets cleared in bulk at the end of the transaction.\\n\\nHowever, the error paths of these three operations were not implementing\\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\\nPERTRANS in a generic cleanup step regardless of errors or whether the\\noperation was fully associated to a transaction or not. This resulted in\\nerror paths occasionally converting this rsv to PERTRANS without calling\\nrecord_root_in_trans successfully, which meant that unless that root got\\nrecorded in the transaction by some other thread, the end of the\\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\\nfor the leaked reservation.\\n\\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\\nfollowing properties:\\n\\n1. any failure before record_root_in_trans is called successfully\\n results in freeing the PREALLOC reservation.\\n2. after record_root_in_trans, we convert to PERTRANS, and now the\\n transaction owns freeing the reservation.\\n\\nThis patch enforces those properties on the three operations. Without\\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\\nruns on my system. With this patch, it ran successfully 1000 times in a\\nrow.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35956\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35958", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35958" + }, + { + "url": "https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1" + }, + { + "url": "https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7" + }, + { + "url": "https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0" + }, + { + "url": "https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde" + }, + { + "url": "https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d" + }, + { + "url": "https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35958 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35958", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Fix incorrect descriptor free behavior\n\nENA has two types of TX queues:\n- queues which only process TX packets arriving from the network stack\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\n or XDP_TX instructions\n\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\nand unmaps + frees every descriptor that hasn't been acknowledged yet\nby the device (uncompleted TX transactions).\nThe function assumes that the processed TX queue is necessarily from\nthe first category listed above and ends up using napi_consume_skb()\nfor descriptors belonging to an XDP specific queue.\n\nThis patch solves a bug in which, in case of a VF reset, the\ndescriptors aren't freed correctly, leading to crashes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35958\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35958\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35958\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35958\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35958\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1\",\n \"https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7\",\n \"https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0\",\n \"https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde\",\n \"https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d\",\n \"https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ena: Fix incorrect descriptor free behavior\\n\\nENA has two types of TX queues:\\n- queues which only process TX packets arriving from the network stack\\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\\n or XDP_TX instructions\\n\\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\\nand unmaps + frees every descriptor that hasn't been acknowledged yet\\nby the device (uncompleted TX transactions).\\nThe function assumes that the processed TX queue is necessarily from\\nthe first category listed above and ends up using napi_consume_skb()\\nfor descriptors belonging to an XDP specific queue.\\n\\nThis patch solves a bug in which, in case of a VF reset, the\\ndescriptors aren't freed correctly, leading to crashes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35958\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35959", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35959" + }, + { + "url": "https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7" + }, + { + "url": "https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76" + }, + { + "url": "https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519" + }, + { + "url": "https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35959 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35959", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\n\nWhen mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which\ncalls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using\nlockdep_is_held().\n\nAcquire the state_lock in mlx5e_selq_cleanup().\n\nKernel log:\n=============================\nWARNING: suspicious RCU usage\n6.8.0-rc3_net_next_841a9b5 #1 Not tainted\n-----------------------------\ndrivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by systemd-modules/293:\n #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]\n #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]\n\nstack backtrace:\nCPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x8a/0xa0\n lockdep_rcu_suspicious+0x154/0x1a0\n mlx5e_selq_apply+0x94/0xa0 [mlx5_core]\n mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]\n mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]\n mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]\n rdma_init_netdev+0x4e/0x80 [ib_core]\n ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]\n ipoib_intf_init+0x64/0x550 [ib_ipoib]\n ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]\n ipoib_add_one+0xb0/0x360 [ib_ipoib]\n add_client_context+0x112/0x1c0 [ib_core]\n ib_register_client+0x166/0x1b0 [ib_core]\n ? 0xffffffffa0573000\n ipoib_init_module+0xeb/0x1a0 [ib_ipoib]\n do_one_initcall+0x61/0x250\n do_init_module+0x8a/0x270\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x17d/0x230\n __x64_sys_finit_module+0x61/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35959\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35959\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35959\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35959\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35959\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7\",\n \"https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76\",\n \"https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519\",\n \"https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\\n\\nWhen mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which\\ncalls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using\\nlockdep_is_held().\\n\\nAcquire the state_lock in mlx5e_selq_cleanup().\\n\\nKernel log:\\n=============================\\nWARNING: suspicious RCU usage\\n6.8.0-rc3_net_next_841a9b5 #1 Not tainted\\n-----------------------------\\ndrivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!\\n\\nother info that might help us debug this:\\n\\nrcu_scheduler_active = 2, debug_locks = 1\\n2 locks held by systemd-modules/293:\\n #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]\\n #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]\\n\\nstack backtrace:\\nCPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\nCall Trace:\\n \\n dump_stack_lvl+0x8a/0xa0\\n lockdep_rcu_suspicious+0x154/0x1a0\\n mlx5e_selq_apply+0x94/0xa0 [mlx5_core]\\n mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]\\n mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]\\n mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]\\n rdma_init_netdev+0x4e/0x80 [ib_core]\\n ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]\\n ipoib_intf_init+0x64/0x550 [ib_ipoib]\\n ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]\\n ipoib_add_one+0xb0/0x360 [ib_ipoib]\\n add_client_context+0x112/0x1c0 [ib_core]\\n ib_register_client+0x166/0x1b0 [ib_core]\\n ? 0xffffffffa0573000\\n ipoib_init_module+0xeb/0x1a0 [ib_ipoib]\\n do_one_initcall+0x61/0x250\\n do_init_module+0x8a/0x270\\n init_module_from_file+0x8b/0xd0\\n idempotent_init_module+0x17d/0x230\\n __x64_sys_finit_module+0x61/0xb0\\n do_syscall_64+0x71/0x140\\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35959\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35960", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35960" + }, + { + "url": "https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423" + }, + { + "url": "https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f" + }, + { + "url": "https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801" + }, + { + "url": "https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0" + }, + { + "url": "https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64" + }, + { + "url": "https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453" + }, + { + "url": "https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d" + }, + { + "url": "https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35960 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35960", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Properly link new fs rules into the tree\n\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\n\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node->parent is != NULL.\n\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which lead to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\n\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35960\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35960\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35960\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35960\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35960\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423\",\n \"https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f\",\n \"https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801\",\n \"https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0\",\n \"https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64\",\n \"https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453\",\n \"https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d\",\n \"https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Properly link new fs rules into the tree\\n\\nPreviously, add_rule_fg would only add newly created rules from the\\nhandle into the tree when they had a refcount of 1. On the other hand,\\ncreate_flow_handle tries hard to find and reference already existing\\nidentical rules instead of creating new ones.\\n\\nThese two behaviors can result in a situation where create_flow_handle\\n1) creates a new rule and references it, then\\n2) in a subsequent step during the same handle creation references it\\n again,\\nresulting in a rule with a refcount of 2 that is not linked into the\\ntree, will have a NULL parent and root and will result in a crash when\\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\\ndeletion, assumes node->parent is != NULL.\\n\\nThis happened in the wild, due to another bug related to incorrect\\nhandling of duplicate pkt_reformat ids, which lead to the code in\\ncreate_flow_handle incorrectly referencing a just-added rule in the same\\nflow handle, resulting in the problem described above. Full details are\\nat [1].\\n\\nThis patch changes add_rule_fg to add new rules without parents into\\nthe tree, properly initializing them and avoiding the crash. This makes\\nit more consistent with how rules are added to an FTE in\\ncreate_flow_handle.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35960\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35965", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35965" + }, + { + "url": "https://git.kernel.org/stable/c/4f3951242ace5efc7131932e2e01e6ac6baed846" + }, + { + "url": "https://git.kernel.org/stable/c/8ee0c132a61df9723813c40e742dc5321824daa9" + }, + { + "url": "https://git.kernel.org/stable/c/9d42f373391211c7c8af66a3a316533a32b8a607" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35965 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35965", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix not validating setsockopt user input\n\nCheck user input length before copying data.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35965\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35965\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35965\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35965\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35965\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4f3951242ace5efc7131932e2e01e6ac6baed846\",\n \"https://git.kernel.org/stable/c/8ee0c132a61df9723813c40e742dc5321824daa9\",\n \"https://git.kernel.org/stable/c/9d42f373391211c7c8af66a3a316533a32b8a607\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: L2CAP: Fix not validating setsockopt user input\\n\\nCheck user input length before copying data.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35965\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35966", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35966" + }, + { + "url": "https://git.kernel.org/stable/c/4ea65e2095e9bd151d0469328dd7fc2858feb546" + }, + { + "url": "https://git.kernel.org/stable/c/a97de7bff13b1cc825c1b1344eaed8d6c2d3e695" + }, + { + "url": "https://git.kernel.org/stable/c/c3f787a3eafe519c93df9abbb0ca5145861c8d0f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35966 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35966", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: Fix not validating setsockopt user input\n\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\nnet/bluetooth/rfcomm/sock.c:632 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\nnet/bluetooth/rfcomm/sock.c:673\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35966\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35966\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35966\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35966\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35966\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4ea65e2095e9bd151d0469328dd7fc2858feb546\",\n \"https://git.kernel.org/stable/c/a97de7bff13b1cc825c1b1344eaed8d6c2d3e695\",\n \"https://git.kernel.org/stable/c/c3f787a3eafe519c93df9abbb0ca5145861c8d0f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: RFCOMM: Fix not validating setsockopt user input\\n\\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\\nchecking user input length.\\n\\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\\ninclude/linux/sockptr.h:49 [inline]\\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\\ninclude/linux/sockptr.h:55 [inline]\\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\\nnet/bluetooth/rfcomm/sock.c:632 [inline]\\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\\nnet/bluetooth/rfcomm/sock.c:673\\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35966\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35967", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35967" + }, + { + "url": "https://git.kernel.org/stable/c/419a0ffca7010216f0fc265b08558d7394fa0ba7" + }, + { + "url": "https://git.kernel.org/stable/c/51eda36d33e43201e7a4fd35232e069b2c850b01" + }, + { + "url": "https://git.kernel.org/stable/c/72473db90900da970a16ee50ad23c2c38d107d8c" + }, + { + "url": "https://git.kernel.org/stable/c/7bc65d23ba20dcd7ecc094a12c181e594e5eb315" + }, + { + "url": "https://git.kernel.org/stable/c/b0e30c37695b614bee69187f86eaf250e36606ce" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35967 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35967", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix not validating setsockopt user input\n\nsyzbot reported sco_sock_setsockopt() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\nnet/bluetooth/sco.c:893\nRead of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35967\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35967\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35967\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35967\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35967\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/419a0ffca7010216f0fc265b08558d7394fa0ba7\",\n \"https://git.kernel.org/stable/c/51eda36d33e43201e7a4fd35232e069b2c850b01\",\n \"https://git.kernel.org/stable/c/72473db90900da970a16ee50ad23c2c38d107d8c\",\n \"https://git.kernel.org/stable/c/7bc65d23ba20dcd7ecc094a12c181e594e5eb315\",\n \"https://git.kernel.org/stable/c/b0e30c37695b614bee69187f86eaf250e36606ce\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: SCO: Fix not validating setsockopt user input\\n\\nsyzbot reported sco_sock_setsockopt() is copying data without\\nchecking user input length.\\n\\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\\ninclude/linux/sockptr.h:49 [inline]\\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\\ninclude/linux/sockptr.h:55 [inline]\\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\\nnet/bluetooth/sco.c:893\\nRead of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35967\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35969", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35969" + }, + { + "url": "https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652" + }, + { + "url": "https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70" + }, + { + "url": "https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb" + }, + { + "url": "https://git.kernel.org/stable/c/6cdb20c342cd0193d3e956e3d83981d0f438bb83" + }, + { + "url": "https://git.kernel.org/stable/c/7633c4da919ad51164acbf1aa322cc1a3ead6129" + }, + { + "url": "https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1" + }, + { + "url": "https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903" + }, + { + "url": "https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35969 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35969", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\n\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\n\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\n\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\n\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n reference count drops to zero and kfree_rcu is scheduled.\n\n3. ipv6_get_ifaddr continues and tries to increments the reference count\n (in6_ifa_hold).\n\n4. The rcu is unlocked and the entry is freed.\n\n5. The freed entry is returned.\n\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\n\n[ 41.506330] refcount_t: addition on 0; use-after-free.\n[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[ 41.507413] Modules linked in: veth bridge stp llc\n[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 41.516799] Call Trace:\n[ 41.517037] \n[ 41.517249] ? __warn+0x7b/0x120\n[ 41.517535] ? refcount_warn_saturate+0xa5/0x130\n[ 41.517923] ? report_bug+0x164/0x190\n[ 41.518240] ? handle_bug+0x3d/0x70\n[ 41.518541] ? exc_invalid_op+0x17/0x70\n[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20\n[ 41.521325] ? refcount_warn_saturate+0xa5/0x130\n[ 41.521708] ipv6_get_ifaddr+0xda/0xe0\n[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0\n[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0\n[ 41.523102] ? netlink_unicast+0x30f/0x390\n[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 41.523832] netlink_rcv_skb+0x53/0x100\n[ 41.524157] netlink_unicast+0x23b/0x390\n[ 41.524484] netlink_sendmsg+0x1f2/0x440\n[ 41.524826] __sys_sendto+0x1d8/0x1f0\n[ 41.525145] __x64_sys_sendto+0x1f/0x30\n[ 41.525467] do_syscall_64+0xa5/0x1b0\n[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[ 41.526213] RIP: 0033:0x7fbc4cfcea9a\n[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[ 41.527942] RSP: 002b:00007f\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35969\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35969\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35969\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35969\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35969\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652\",\n \"https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70\",\n \"https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb\",\n \"https://git.kernel.org/stable/c/6cdb20c342cd0193d3e956e3d83981d0f438bb83\",\n \"https://git.kernel.org/stable/c/7633c4da919ad51164acbf1aa322cc1a3ead6129\",\n \"https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1\",\n \"https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903\",\n \"https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\\n\\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\\nstill means hlist_for_each_entry_rcu can return an item that got removed\\nfrom the list. The memory itself of such item is not freed thanks to RCU\\nbut nothing guarantees the actual content of the memory is sane.\\n\\nIn particular, the reference count can be zero. This can happen if\\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\\ntiming, this can happen:\\n\\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\\n\\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\\n reference count drops to zero and kfree_rcu is scheduled.\\n\\n3. ipv6_get_ifaddr continues and tries to increments the reference count\\n (in6_ifa_hold).\\n\\n4. The rcu is unlocked and the entry is freed.\\n\\n5. The freed entry is returned.\\n\\nPrevent increasing of the reference count in such case. The name\\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\\n\\n[ 41.506330] refcount_t: addition on 0; use-after-free.\\n[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\\n[ 41.507413] Modules linked in: veth bridge stp llc\\n[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\\n[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\\n[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\\n[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\\n[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\\n[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\\n[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\\n[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\\n[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\\n[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\\n[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\\n[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\\n[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 41.516799] Call Trace:\\n[ 41.517037] \\n[ 41.517249] ? __warn+0x7b/0x120\\n[ 41.517535] ? refcount_warn_saturate+0xa5/0x130\\n[ 41.517923] ? report_bug+0x164/0x190\\n[ 41.518240] ? handle_bug+0x3d/0x70\\n[ 41.518541] ? exc_invalid_op+0x17/0x70\\n[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20\\n[ 41.521325] ? refcount_warn_saturate+0xa5/0x130\\n[ 41.521708] ipv6_get_ifaddr+0xda/0xe0\\n[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0\\n[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10\\n[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0\\n[ 41.523102] ? netlink_unicast+0x30f/0x390\\n[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\\n[ 41.523832] netlink_rcv_skb+0x53/0x100\\n[ 41.524157] netlink_unicast+0x23b/0x390\\n[ 41.524484] netlink_sendmsg+0x1f2/0x440\\n[ 41.524826] __sys_sendto+0x1d8/0x1f0\\n[ 41.525145] __x64_sys_sendto+0x1f/0x30\\n[ 41.525467] do_syscall_64+0xa5/0x1b0\\n[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a\\n[ 41.526213] RIP: 0033:0x7fbc4cfcea9a\\n[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\\n[ 41.527942] RSP: 002b:00007f\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35969\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35970", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35970" + }, + { + "url": "https://git.kernel.org/stable/c/601a89ea24d05089debfa2dc896ea9f5937ac7a6" + }, + { + "url": "https://git.kernel.org/stable/c/698a95ade1a00e6494482046902b986dfffd1caf" + }, + { + "url": "https://git.kernel.org/stable/c/84a352b7eba1142a95441380058985ff19f25ec9" + }, + { + "url": "https://git.kernel.org/stable/c/b46f4eaa4f0ec38909fb0072eea3aeddb32f954e" + }, + { + "url": "https://git.kernel.org/stable/c/b4bc99d04c689b5652665394ae8d3e02fb754153" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35970 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35970", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Clear stale u->oob_skb.\n\nsyzkaller started to report deadlock of unix_gc_lock after commit\n4090fa373f0e (\"af_unix: Replace garbage collection algorithm.\"), but\nit just uncovers the bug that has been there since commit 314001f0bf92\n(\"af_unix: Add OOB support\").\n\nThe repro basically does the following.\n\n from socket import *\n from array import array\n\n c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)\n c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array(\"i\", [c2.fileno()]))], MSG_OOB)\n c2.recv(1) # blocked as no normal data in recv queue\n\n c2.close() # done async and unblock recv()\n c1.close() # done async and trigger GC\n\nA socket sends its file descriptor to itself as OOB data and tries to\nreceive normal data, but finally recv() fails due to async close().\n\nThe problem here is wrong handling of OOB skb in manage_oob(). When\nrecvmsg() is called without MSG_OOB, manage_oob() is called to check\nif the peeked skb is OOB skb. In such a case, manage_oob() pops it\nout of the receive queue but does not clear unix_sock(sk)->oob_skb.\nThis is wrong in terms of uAPI.\n\nLet's say we send \"hello\" with MSG_OOB, and \"world\" without MSG_OOB.\nThe 'o' is handled as OOB data. When recv() is called twice without\nMSG_OOB, the OOB data should be lost.\n\n >>> from socket import *\n >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0)\n >>> c1.send(b'hello', MSG_OOB) # 'o' is OOB data\n 5\n >>> c1.send(b'world')\n 5\n >>> c2.recv(5) # OOB data is not received\n b'hell'\n >>> c2.recv(5) # OOB date is skipped\n b'world'\n >>> c2.recv(5, MSG_OOB) # This should return an error\n b'o'\n\nIn the same situation, TCP actually returns -EINVAL for the last\nrecv().\n\nAlso, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always set\nEPOLLPRI even though the data has passed through by previous recv().\n\nTo avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing\nit from recv queue.\n\nThe reason why the old GC did not trigger the deadlock is because the\nold GC relied on the receive queue to detect the loop.\n\nWhen it is triggered, the socket with OOB data is marked as GC candidate\nbecause file refcount == inflight count (1). However, after traversing\nall inflight sockets, the socket still has a positive inflight count (1),\nthus the socket is excluded from candidates. Then, the old GC lose the\nchance to garbage-collect the socket.\n\nWith the old GC, the repro continues to create true garbage that will\nnever be freed nor detected by kmemleak as it's linked to the global\ninflight list. That's why we couldn't even notice the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35970\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35970\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35970\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35970\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35970\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/601a89ea24d05089debfa2dc896ea9f5937ac7a6\",\n \"https://git.kernel.org/stable/c/698a95ade1a00e6494482046902b986dfffd1caf\",\n \"https://git.kernel.org/stable/c/84a352b7eba1142a95441380058985ff19f25ec9\",\n \"https://git.kernel.org/stable/c/b46f4eaa4f0ec38909fb0072eea3aeddb32f954e\",\n \"https://git.kernel.org/stable/c/b4bc99d04c689b5652665394ae8d3e02fb754153\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Clear stale u->oob_skb.\\n\\nsyzkaller started to report deadlock of unix_gc_lock after commit\\n4090fa373f0e (\\\"af_unix: Replace garbage collection algorithm.\\\"), but\\nit just uncovers the bug that has been there since commit 314001f0bf92\\n(\\\"af_unix: Add OOB support\\\").\\n\\nThe repro basically does the following.\\n\\n from socket import *\\n from array import array\\n\\n c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)\\n c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array(\\\"i\\\", [c2.fileno()]))], MSG_OOB)\\n c2.recv(1) # blocked as no normal data in recv queue\\n\\n c2.close() # done async and unblock recv()\\n c1.close() # done async and trigger GC\\n\\nA socket sends its file descriptor to itself as OOB data and tries to\\nreceive normal data, but finally recv() fails due to async close().\\n\\nThe problem here is wrong handling of OOB skb in manage_oob(). When\\nrecvmsg() is called without MSG_OOB, manage_oob() is called to check\\nif the peeked skb is OOB skb. In such a case, manage_oob() pops it\\nout of the receive queue but does not clear unix_sock(sk)->oob_skb.\\nThis is wrong in terms of uAPI.\\n\\nLet's say we send \\\"hello\\\" with MSG_OOB, and \\\"world\\\" without MSG_OOB.\\nThe 'o' is handled as OOB data. When recv() is called twice without\\nMSG_OOB, the OOB data should be lost.\\n\\n >>> from socket import *\\n >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0)\\n >>> c1.send(b'hello', MSG_OOB) # 'o' is OOB data\\n 5\\n >>> c1.send(b'world')\\n 5\\n >>> c2.recv(5) # OOB data is not received\\n b'hell'\\n >>> c2.recv(5) # OOB date is skipped\\n b'world'\\n >>> c2.recv(5, MSG_OOB) # This should return an error\\n b'o'\\n\\nIn the same situation, TCP actually returns -EINVAL for the last\\nrecv().\\n\\nAlso, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always set\\nEPOLLPRI even though the data has passed through by previous recv().\\n\\nTo avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing\\nit from recv queue.\\n\\nThe reason why the old GC did not trigger the deadlock is because the\\nold GC relied on the receive queue to detect the loop.\\n\\nWhen it is triggered, the socket with OOB data is marked as GC candidate\\nbecause file refcount == inflight count (1). However, after traversing\\nall inflight sockets, the socket still has a positive inflight count (1),\\nthus the socket is excluded from candidates. Then, the old GC lose the\\nchance to garbage-collect the socket.\\n\\nWith the old GC, the repro continues to create true garbage that will\\nnever be freed nor detected by kmemleak as it's linked to the global\\ninflight list. That's why we couldn't even notice the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35970\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35971", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35971" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540" + }, + { + "url": "https://git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b" + }, + { + "url": "https://git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f" + }, + { + "url": "https://git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35971 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35971", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Handle softirqs at the end of IRQ thread to fix hang\n\nThe ks8851_irq() thread may call ks8851_rx_pkts() in case there are\nany packets in the MAC FIFO, which calls netif_rx(). This netif_rx()\nimplementation is guarded by local_bh_disable() and local_bh_enable().\nThe local_bh_enable() may call do_softirq() to run softirqs in case\nany are pending. One of the softirqs is net_rx_action, which ultimately\nreaches the driver .start_xmit callback. If that happens, the system\nhangs. The entire call chain is below:\n\nks8851_start_xmit_par from netdev_start_xmit\nnetdev_start_xmit from dev_hard_start_xmit\ndev_hard_start_xmit from sch_direct_xmit\nsch_direct_xmit from __dev_queue_xmit\n__dev_queue_xmit from __neigh_update\n__neigh_update from neigh_update\nneigh_update from arp_process.constprop.0\narp_process.constprop.0 from __netif_receive_skb_one_core\n__netif_receive_skb_one_core from process_backlog\nprocess_backlog from __napi_poll.constprop.0\n__napi_poll.constprop.0 from net_rx_action\nnet_rx_action from __do_softirq\n__do_softirq from call_with_stack\ncall_with_stack from do_softirq\ndo_softirq from __local_bh_enable_ip\n__local_bh_enable_ip from netif_rx\nnetif_rx from ks8851_irq\nks8851_irq from irq_thread_fn\nirq_thread_fn from irq_thread\nirq_thread from kthread\nkthread from ret_from_fork\n\nThe hang happens because ks8851_irq() first locks a spinlock in\nks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)\nand with that spinlock locked, calls netif_rx(). Once the execution\nreaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again\nwhich attempts to claim the already locked spinlock again, and the\nhang happens.\n\nMove the do_softirq() call outside of the spinlock protected section\nof ks8851_irq() by disabling BHs around the entire spinlock protected\nsection of ks8851_irq() handler. Place local_bh_enable() outside of\nthe spinlock protected section, so that it can trigger do_softirq()\nwithout the ks8851_par.c ks8851_lock_par() spinlock being held, and\nsafely call ks8851_start_xmit_par() without attempting to lock the\nalready locked spinlock.\n\nSince ks8851_irq() is protected by local_bh_disable()/local_bh_enable()\nnow, replace netif_rx() with __netif_rx() which is not duplicating the\nlocal_bh_disable()/local_bh_enable() calls.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35971\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35971\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35971\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35971\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35971\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540\",\n \"https://git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b\",\n \"https://git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f\",\n \"https://git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ks8851: Handle softirqs at the end of IRQ thread to fix hang\\n\\nThe ks8851_irq() thread may call ks8851_rx_pkts() in case there are\\nany packets in the MAC FIFO, which calls netif_rx(). This netif_rx()\\nimplementation is guarded by local_bh_disable() and local_bh_enable().\\nThe local_bh_enable() may call do_softirq() to run softirqs in case\\nany are pending. One of the softirqs is net_rx_action, which ultimately\\nreaches the driver .start_xmit callback. If that happens, the system\\nhangs. The entire call chain is below:\\n\\nks8851_start_xmit_par from netdev_start_xmit\\nnetdev_start_xmit from dev_hard_start_xmit\\ndev_hard_start_xmit from sch_direct_xmit\\nsch_direct_xmit from __dev_queue_xmit\\n__dev_queue_xmit from __neigh_update\\n__neigh_update from neigh_update\\nneigh_update from arp_process.constprop.0\\narp_process.constprop.0 from __netif_receive_skb_one_core\\n__netif_receive_skb_one_core from process_backlog\\nprocess_backlog from __napi_poll.constprop.0\\n__napi_poll.constprop.0 from net_rx_action\\nnet_rx_action from __do_softirq\\n__do_softirq from call_with_stack\\ncall_with_stack from do_softirq\\ndo_softirq from __local_bh_enable_ip\\n__local_bh_enable_ip from netif_rx\\nnetif_rx from ks8851_irq\\nks8851_irq from irq_thread_fn\\nirq_thread_fn from irq_thread\\nirq_thread from kthread\\nkthread from ret_from_fork\\n\\nThe hang happens because ks8851_irq() first locks a spinlock in\\nks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)\\nand with that spinlock locked, calls netif_rx(). Once the execution\\nreaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again\\nwhich attempts to claim the already locked spinlock again, and the\\nhang happens.\\n\\nMove the do_softirq() call outside of the spinlock protected section\\nof ks8851_irq() by disabling BHs around the entire spinlock protected\\nsection of ks8851_irq() handler. Place local_bh_enable() outside of\\nthe spinlock protected section, so that it can trigger do_softirq()\\nwithout the ks8851_par.c ks8851_lock_par() spinlock being held, and\\nsafely call ks8851_start_xmit_par() without attempting to lock the\\nalready locked spinlock.\\n\\nSince ks8851_irq() is protected by local_bh_disable()/local_bh_enable()\\nnow, replace netif_rx() with __netif_rx() which is not duplicating the\\nlocal_bh_disable()/local_bh_enable() calls.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35971\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35973", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35973" + }, + { + "url": "https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915" + }, + { + "url": "https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e" + }, + { + "url": "https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852" + }, + { + "url": "https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79" + }, + { + "url": "https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536" + }, + { + "url": "https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670" + }, + { + "url": "https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c" + }, + { + "url": "https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35973 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35973", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n packet_snd net/packet/af_packet.c:3024 [inline]\n packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35973\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35973\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35973\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35973\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35973\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915\",\n \"https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e\",\n \"https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852\",\n \"https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79\",\n \"https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536\",\n \"https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670\",\n \"https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c\",\n \"https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngeneve: fix header validation in geneve[6]_xmit_skb\\n\\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\\n\\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\\nskb->protocol.\\n\\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\\npskb_inet_may_pull() does nothing at all.\\n\\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\\nthe network header might not point to the correct location, and skb\\nlinear part could be smaller than expected.\\n\\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\\n\\nUse this in geneve for the moment, I suspect we need to adopt this\\nmore broadly.\\n\\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\\n - Only call __vlan_get_protocol() for vlan types.\\n\\nv2,v3 - Addressed Sabrina comments on v1 and v2\\n\\n[1]\\n\\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\\n geneve_xmit_skb drivers/net/geneve.c:910 [inline]\\n geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\\n xmit_one net/core/dev.c:3531 [inline]\\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\\n __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\\n packet_snd net/packet/af_packet.c:3081 [inline]\\n packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\\n __sys_sendto+0x685/0x830 net/socket.c:2191\\n __do_sys_sendto net/socket.c:2203 [inline]\\n __se_sys_sendto net/socket.c:2199 [inline]\\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3804 [inline]\\n slab_alloc_node mm/slub.c:3845 [inline]\\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\\n alloc_skb include/linux/skbuff.h:1318 [inline]\\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\\n packet_alloc_skb net/packet/af_packet.c:2930 [inline]\\n packet_snd net/packet/af_packet.c:3024 [inline]\\n packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\\n __sys_sendto+0x685/0x830 net/socket.c:2191\\n __do_sys_sendto net/socket.c:2203 [inline]\\n __se_sys_sendto net/socket.c:2199 [inline]\\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35973\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35976", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35976" + }, + { + "url": "https://git.kernel.org/stable/c/0b45c25d60e38f5c2cb6823f886773a34323306d" + }, + { + "url": "https://git.kernel.org/stable/c/237f3cf13b20db183d3706d997eedc3c49eacd44" + }, + { + "url": "https://git.kernel.org/stable/c/2a523f14a3f53b46ff0e1fafd215b0bc5f6783aa" + }, + { + "url": "https://git.kernel.org/stable/c/2eb979fbb2479bcd7e049f2f9978b6590dd8a0e6" + }, + { + "url": "https://git.kernel.org/stable/c/a82984b3c6a7e8c7937dba6e857ddf829d149417" + }, + { + "url": "https://git.kernel.org/stable/c/b143e19dc28c3211f050f7848d87d9b0a170e10c" + }, + { + "url": "https://git.kernel.org/stable/c/beb99266830520e15fbc6ca8cc5a5240d76851fd" + }, + { + "url": "https://git.kernel.org/stable/c/f0a068de65d5b7358e9aff792716afa9333f3922" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35976 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35976", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\n\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\n\nMake sure to validate setsockopt() @optlen parameter.\n\n[1]\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\n\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n \n\nAllocated by task 7549:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:3966 [inline]\n __kmalloc+0x233/0x4a0 mm/slub.c:3979\n kmalloc include/linux/slab.h:632 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\n\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n set_page_owner include/linux/page_owner.h:31 [inline]\n post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n prep_new_page mm/page_alloc.c:\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35976\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35976\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35976\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35976\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35976\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b45c25d60e38f5c2cb6823f886773a34323306d\",\n \"https://git.kernel.org/stable/c/237f3cf13b20db183d3706d997eedc3c49eacd44\",\n \"https://git.kernel.org/stable/c/2a523f14a3f53b46ff0e1fafd215b0bc5f6783aa\",\n \"https://git.kernel.org/stable/c/2eb979fbb2479bcd7e049f2f9978b6590dd8a0e6\",\n \"https://git.kernel.org/stable/c/a82984b3c6a7e8c7937dba6e857ddf829d149417\",\n \"https://git.kernel.org/stable/c/b143e19dc28c3211f050f7848d87d9b0a170e10c\",\n \"https://git.kernel.org/stable/c/beb99266830520e15fbc6ca8cc5a5240d76851fd\",\n \"https://git.kernel.org/stable/c/f0a068de65d5b7358e9aff792716afa9333f3922\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\\n\\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\\n\\nMake sure to validate setsockopt() @optlen parameter.\\n\\n[1]\\n\\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\\n\\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\\n __do_sys_setsockopt net/socket.c:2343 [inline]\\n __se_sys_setsockopt net/socket.c:2340 [inline]\\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\\n do_syscall_64+0xfb/0x240\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\nRIP: 0033:0x7fb40587de69\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\\n \\n\\nAllocated by task 7549:\\n kasan_save_stack mm/kasan/common.c:47 [inline]\\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\\n kasan_kmalloc include/linux/kasan.h:211 [inline]\\n __do_kmalloc_node mm/slub.c:3966 [inline]\\n __kmalloc+0x233/0x4a0 mm/slub.c:3979\\n kmalloc include/linux/slab.h:632 [inline]\\n __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\\n __do_sys_setsockopt net/socket.c:2343 [inline]\\n __se_sys_setsockopt net/socket.c:2340 [inline]\\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\\n do_syscall_64+0xfb/0x240\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nThe buggy address belongs to the object at ffff888028c6cde0\\n which belongs to the cache kmalloc-8 of size 8\\nThe buggy address is located 1 bytes to the right of\\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\\n\\nThe buggy address belongs to the physical page:\\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\\npage_type: 0xffffffff()\\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\\npage dumped because: kasan: bad access detected\\npage_owner tracks the page as allocated\\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\\n set_page_owner include/linux/page_owner.h:31 [inline]\\n post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\\n prep_new_page mm/page_alloc.c:\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 6.7,\n \"exploitabilityScore\": 1.4,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35976\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35978", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35978" + }, + { + "url": "https://git.kernel.org/stable/c/45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810" + }, + { + "url": "https://git.kernel.org/stable/c/4beab84fbb50df3be1d8f8a976e6fe882ca65cb2" + }, + { + "url": "https://git.kernel.org/stable/c/66fab1e120b39f8f47a94186ddee36006fc02ca8" + }, + { + "url": "https://git.kernel.org/stable/c/75193678cce993aa959e7764b6df2f599886dd06" + }, + { + "url": "https://git.kernel.org/stable/c/8478394f76c748862ef179a16f651f752bdafaf0" + }, + { + "url": "https://git.kernel.org/stable/c/89a32741f4217856066c198a4a7267bcdd1edd67" + }, + { + "url": "https://git.kernel.org/stable/c/9ab5e44b9bac946bd49fd63264a08cd1ea494e76" + }, + { + "url": "https://git.kernel.org/stable/c/e4cb8382fff6706436b66eafd9c0ee857ff0a9f5" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35978 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35978", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix memory leak in hci_req_sync_complete()\n\nIn 'hci_req_sync_complete()', always free the previous sync\nrequest state before assigning reference to a new one.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35978\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35978\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35978\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35978\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35978\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810\",\n \"https://git.kernel.org/stable/c/4beab84fbb50df3be1d8f8a976e6fe882ca65cb2\",\n \"https://git.kernel.org/stable/c/66fab1e120b39f8f47a94186ddee36006fc02ca8\",\n \"https://git.kernel.org/stable/c/75193678cce993aa959e7764b6df2f599886dd06\",\n \"https://git.kernel.org/stable/c/8478394f76c748862ef179a16f651f752bdafaf0\",\n \"https://git.kernel.org/stable/c/89a32741f4217856066c198a4a7267bcdd1edd67\",\n \"https://git.kernel.org/stable/c/9ab5e44b9bac946bd49fd63264a08cd1ea494e76\",\n \"https://git.kernel.org/stable/c/e4cb8382fff6706436b66eafd9c0ee857ff0a9f5\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: Fix memory leak in hci_req_sync_complete()\\n\\nIn 'hci_req_sync_complete()', always free the previous sync\\nrequest state before assigning reference to a new one.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35978\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35979", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35979" + }, + { + "url": "https://git.kernel.org/stable/c/3f28d49a328fe20926995d5fbdc92da665596268" + }, + { + "url": "https://git.kernel.org/stable/c/f423f41b7679c09abb26d2bd54be5cbef23c9446" + }, + { + "url": "https://git.kernel.org/stable/c/fcf3f7e2fc8a53a6140beee46ec782a4c88e4744" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35979 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35979", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nraid1: fix use-after-free for original bio in raid1_write_request()\n\nr1_bio->bios[] is used to record new bios that will be issued to\nunderlying disks, however, in raid1_write_request(), r1_bio->bios[]\nwill set to the original bio temporarily. Meanwhile, if blocked rdev\nis set, free_r1bio() will be called causing that all r1_bio->bios[]\nto be freed:\n\nraid1_write_request()\n r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL\n for (i = 0; i < disks; i++) -> for each rdev in conf\n // first rdev is normal\n r1_bio->bios[0] = bio; -> set to original bio\n // second rdev is blocked\n if (test_bit(Blocked, &rdev->flags))\n break\n\n if (blocked_rdev)\n free_r1bio()\n put_all_bios()\n bio_put(r1_bio->bios[0]) -> original bio is freed\n\nTest scripts:\n\nmdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean\nfio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \\\n -iodepth=128 -name=test -direct=1\necho blocked > /sys/block/md0/md/rd2/state\n\nTest result:\n\nBUG bio-264 (Not tainted): Object already free\n-----------------------------------------------------------------------------\n\nAllocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869\n kmem_cache_alloc+0x324/0x480\n mempool_alloc_slab+0x24/0x50\n mempool_alloc+0x6e/0x220\n bio_alloc_bioset+0x1af/0x4d0\n blkdev_direct_IO+0x164/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n io_submit_one+0x5ca/0xb70\n __do_sys_io_submit+0x86/0x270\n __x64_sys_io_submit+0x22/0x30\n do_syscall_64+0xb1/0x210\n entry_SYSCALL_64_after_hwframe+0x6c/0x74\nFreed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869\n kmem_cache_free+0x28c/0x550\n mempool_free_slab+0x1f/0x30\n mempool_free+0x40/0x100\n bio_free+0x59/0x80\n bio_put+0xf0/0x220\n free_r1bio+0x74/0xb0\n raid1_make_request+0xadf/0x1150\n md_handle_request+0xc7/0x3b0\n md_submit_bio+0x76/0x130\n __submit_bio+0xd8/0x1d0\n submit_bio_noacct_nocheck+0x1eb/0x5c0\n submit_bio_noacct+0x169/0xd40\n submit_bio+0xee/0x1d0\n blkdev_direct_IO+0x322/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n\nSince that bios for underlying disks are not allocated yet, fix this\nproblem by using mempool_free() directly to free the r1_bio.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35979\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35979\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35979\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35979\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35979\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f28d49a328fe20926995d5fbdc92da665596268\",\n \"https://git.kernel.org/stable/c/f423f41b7679c09abb26d2bd54be5cbef23c9446\",\n \"https://git.kernel.org/stable/c/fcf3f7e2fc8a53a6140beee46ec782a4c88e4744\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nraid1: fix use-after-free for original bio in raid1_write_request()\\n\\nr1_bio->bios[] is used to record new bios that will be issued to\\nunderlying disks, however, in raid1_write_request(), r1_bio->bios[]\\nwill set to the original bio temporarily. Meanwhile, if blocked rdev\\nis set, free_r1bio() will be called causing that all r1_bio->bios[]\\nto be freed:\\n\\nraid1_write_request()\\n r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL\\n for (i = 0; i < disks; i++) -> for each rdev in conf\\n // first rdev is normal\\n r1_bio->bios[0] = bio; -> set to original bio\\n // second rdev is blocked\\n if (test_bit(Blocked, &rdev->flags))\\n break\\n\\n if (blocked_rdev)\\n free_r1bio()\\n put_all_bios()\\n bio_put(r1_bio->bios[0]) -> original bio is freed\\n\\nTest scripts:\\n\\nmdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean\\nfio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \\\\\\n -iodepth=128 -name=test -direct=1\\necho blocked > /sys/block/md0/md/rd2/state\\n\\nTest result:\\n\\nBUG bio-264 (Not tainted): Object already free\\n-----------------------------------------------------------------------------\\n\\nAllocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869\\n kmem_cache_alloc+0x324/0x480\\n mempool_alloc_slab+0x24/0x50\\n mempool_alloc+0x6e/0x220\\n bio_alloc_bioset+0x1af/0x4d0\\n blkdev_direct_IO+0x164/0x8a0\\n blkdev_write_iter+0x309/0x440\\n aio_write+0x139/0x2f0\\n io_submit_one+0x5ca/0xb70\\n __do_sys_io_submit+0x86/0x270\\n __x64_sys_io_submit+0x22/0x30\\n do_syscall_64+0xb1/0x210\\n entry_SYSCALL_64_after_hwframe+0x6c/0x74\\nFreed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869\\n kmem_cache_free+0x28c/0x550\\n mempool_free_slab+0x1f/0x30\\n mempool_free+0x40/0x100\\n bio_free+0x59/0x80\\n bio_put+0xf0/0x220\\n free_r1bio+0x74/0xb0\\n raid1_make_request+0xadf/0x1150\\n md_handle_request+0xc7/0x3b0\\n md_submit_bio+0x76/0x130\\n __submit_bio+0xd8/0x1d0\\n submit_bio_noacct_nocheck+0x1eb/0x5c0\\n submit_bio_noacct+0x169/0xd40\\n submit_bio+0xee/0x1d0\\n blkdev_direct_IO+0x322/0x8a0\\n blkdev_write_iter+0x309/0x440\\n aio_write+0x139/0x2f0\\n\\nSince that bios for underlying disks are not allocated yet, fix this\\nproblem by using mempool_free() directly to free the r1_bio.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35979\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35982", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35982" + }, + { + "url": "https://git.kernel.org/stable/c/04720ea2e6c64459a90ca28570ea78335eccd924" + }, + { + "url": "https://git.kernel.org/stable/c/3fe79b2c83461edbbf86ed8a6f3924820ff89259" + }, + { + "url": "https://git.kernel.org/stable/c/4ca2a5fb54ea2cc43edea614207fcede562d91c2" + }, + { + "url": "https://git.kernel.org/stable/c/70a8be9dc2fb65d67f8c1e0c88c587e08e2e575d" + }, + { + "url": "https://git.kernel.org/stable/c/87b6af1a7683e021710c08fc0551fc078346032f" + }, + { + "url": "https://git.kernel.org/stable/c/b1f532a3b1e6d2e5559c7ace49322922637a28aa" + }, + { + "url": "https://git.kernel.org/stable/c/b3ddf6904073990492454b1dd1c10a24be8c74c6" + }, + { + "url": "https://git.kernel.org/stable/c/ca54e2671548616ad34885f90d4f26f7adb088f0" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35982 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35982", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Avoid infinite loop trying to resize local TT\n\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\n\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\n\n batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\n\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\n\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\n\nWhile this should be handled proactively when:\n\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n attached interfaces)\n\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35982\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35982\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35982\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35982\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35982\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04720ea2e6c64459a90ca28570ea78335eccd924\",\n \"https://git.kernel.org/stable/c/3fe79b2c83461edbbf86ed8a6f3924820ff89259\",\n \"https://git.kernel.org/stable/c/4ca2a5fb54ea2cc43edea614207fcede562d91c2\",\n \"https://git.kernel.org/stable/c/70a8be9dc2fb65d67f8c1e0c88c587e08e2e575d\",\n \"https://git.kernel.org/stable/c/87b6af1a7683e021710c08fc0551fc078346032f\",\n \"https://git.kernel.org/stable/c/b1f532a3b1e6d2e5559c7ace49322922637a28aa\",\n \"https://git.kernel.org/stable/c/b3ddf6904073990492454b1dd1c10a24be8c74c6\",\n \"https://git.kernel.org/stable/c/ca54e2671548616ad34885f90d4f26f7adb088f0\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbatman-adv: Avoid infinite loop trying to resize local TT\\n\\nIf the MTU of one of an attached interface becomes too small to transmit\\nthe local translation table then it must be resized to fit inside all\\nfragments (when enabled) or a single packet.\\n\\nBut if the MTU becomes too low to transmit even the header + the VLAN\\nspecific part then the resizing of the local TT will never succeed. This\\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\\non top of batman-adv. In this case, at least 116 byte would be needed.\\nThere will just be an endless spam of\\n\\n batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\\n\\nin the log but the function will never finish. Problem here is that the\\ntimeout will be halved all the time and will then stagnate at 0 and\\ntherefore never be able to reduce the table even more.\\n\\nThere are other scenarios possible with a similar result. The number of\\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\\nhigh to fit inside a packet. Such a scenario can therefore happen also with\\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\\nbytes.\\n\\nWhile this should be handled proactively when:\\n\\n* interface with too low MTU is added\\n* VLAN is added\\n* non-purgeable local mac is added\\n* MTU of an attached interface is reduced\\n* fragmentation setting gets disabled (which most likely requires dropping\\n attached interfaces)\\n\\nnot all of these scenarios can be prevented because batman-adv is only\\nconsuming events without the the possibility to prevent these actions\\n(non-purgable MAC address added, MTU of an attached interface is reduced).\\nIt is therefore necessary to also make sure that the code is able to handle\\nalso the situations when there were already incompatible system\\nconfiguration are present.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.1,\n \"exploitabilityScore\": 1.4,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35982\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35984", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35984" + }, + { + "url": "https://git.kernel.org/stable/c/357c64ef1ef39b1e7cd91ab6bdd304d043702c83" + }, + { + "url": "https://git.kernel.org/stable/c/40f1d79f07b49c8a64a861706e5163f2db4bd95d" + }, + { + "url": "https://git.kernel.org/stable/c/4e75e222d397c6752b229ed72fc4644c8c36ecde" + }, + { + "url": "https://git.kernel.org/stable/c/5a09eae9a7db597fe0c1fc91636205b4a25d2620" + }, + { + "url": "https://git.kernel.org/stable/c/5fd72404587d7db4acb2d241fd8c387afb0a7aec" + }, + { + "url": "https://git.kernel.org/stable/c/91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f" + }, + { + "url": "https://git.kernel.org/stable/c/ad3c3ac7a03be3697114f781193dd3e9d97e6e23" + }, + { + "url": "https://git.kernel.org/stable/c/e3425674ff68dc521c57c6eabad0cbd20a027d85" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35984 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35984", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: smbus: fix NULL function pointer dereference\n\nBaruch reported an OOPS when using the designware controller as target\nonly. Target-only modes break the assumption of one transfer function\nalways being available. Fix this by always checking the pointer in\n__i2c_transfer.\n\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35984\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35984\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35984\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35984\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35984\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/357c64ef1ef39b1e7cd91ab6bdd304d043702c83\",\n \"https://git.kernel.org/stable/c/40f1d79f07b49c8a64a861706e5163f2db4bd95d\",\n \"https://git.kernel.org/stable/c/4e75e222d397c6752b229ed72fc4644c8c36ecde\",\n \"https://git.kernel.org/stable/c/5a09eae9a7db597fe0c1fc91636205b4a25d2620\",\n \"https://git.kernel.org/stable/c/5fd72404587d7db4acb2d241fd8c387afb0a7aec\",\n \"https://git.kernel.org/stable/c/91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f\",\n \"https://git.kernel.org/stable/c/ad3c3ac7a03be3697114f781193dd3e9d97e6e23\",\n \"https://git.kernel.org/stable/c/e3425674ff68dc521c57c6eabad0cbd20a027d85\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: smbus: fix NULL function pointer dereference\\n\\nBaruch reported an OOPS when using the designware controller as target\\nonly. Target-only modes break the assumption of one transfer function\\nalways being available. Fix this by always checking the pointer in\\n__i2c_transfer.\\n\\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35984\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35988", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35988" + }, + { + "url": "https://git.kernel.org/stable/c/04bf2e5f95c1a52e28a7567a507f926efe31c3b6" + }, + { + "url": "https://git.kernel.org/stable/c/4201b8c8f2c32af321fb50867e68ac6c1cbed4be" + }, + { + "url": "https://git.kernel.org/stable/c/52e8a42b11078d2aad4b9ba96503d77c7299168b" + }, + { + "url": "https://git.kernel.org/stable/c/6065e736f82c817c9a597a31ee67f0ce4628e948" + }, + { + "url": "https://git.kernel.org/stable/c/a0f0dbbb1bc49fa0de18e92c36492ff6d804cdaa" + }, + { + "url": "https://git.kernel.org/stable/c/efdcfa554b6eb228943ef1dd4d023c606be647d2" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35988 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35988", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix TASK_SIZE on 64-bit NOMMU\n\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35988\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35988\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35988\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35988\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35988\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04bf2e5f95c1a52e28a7567a507f926efe31c3b6\",\n \"https://git.kernel.org/stable/c/4201b8c8f2c32af321fb50867e68ac6c1cbed4be\",\n \"https://git.kernel.org/stable/c/52e8a42b11078d2aad4b9ba96503d77c7299168b\",\n \"https://git.kernel.org/stable/c/6065e736f82c817c9a597a31ee67f0ce4628e948\",\n \"https://git.kernel.org/stable/c/a0f0dbbb1bc49fa0de18e92c36492ff6d804cdaa\",\n \"https://git.kernel.org/stable/c/efdcfa554b6eb228943ef1dd4d023c606be647d2\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: Fix TASK_SIZE on 64-bit NOMMU\\n\\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\\ncausing spurious failures in the userspace access routines.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35988\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35989", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35989" + }, + { + "url": "https://git.kernel.org/stable/c/023b6390a15a98f9c3aa5e7da78d485d5384a08e" + }, + { + "url": "https://git.kernel.org/stable/c/47533176fdcef17b114a6f688bc872901c1ec6bb" + }, + { + "url": "https://git.kernel.org/stable/c/9edd3aa34d50f27b97be30b2ba4a6af0945ff56b" + }, + { + "url": "https://git.kernel.org/stable/c/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be" + }, + { + "url": "https://git.kernel.org/stable/c/f976eca36cdf94e32fa4f865db0e7c427c9aa33c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35989 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35989", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\n\nDuring the removal of the idxd driver, registered offline callback is\ninvoked as part of the clean up process. However, on systems with only\none CPU online, no valid target is available to migrate the\nperf context, resulting in a kernel oops:\n\n BUG: unable to handle page fault for address: 000000000002a2b8\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1470e1067 P4D 0\n Oops: 0002 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\n Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n RIP: 0010:mutex_lock+0x2e/0x50\n ...\n Call Trace:\n \n __die+0x24/0x70\n page_fault_oops+0x82/0x160\n do_user_addr_fault+0x65/0x6b0\n __pfx___rdmsr_safe_on_cpu+0x10/0x10\n exc_page_fault+0x7d/0x170\n asm_exc_page_fault+0x26/0x30\n mutex_lock+0x2e/0x50\n mutex_lock+0x1e/0x50\n perf_pmu_migrate_context+0x87/0x1f0\n perf_event_cpu_offline+0x76/0x90 [idxd]\n cpuhp_invoke_callback+0xa2/0x4f0\n __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\n cpuhp_thread_fun+0x98/0x150\n smpboot_thread_fn+0x27/0x260\n smpboot_thread_fn+0x1af/0x260\n __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0x103/0x140\n __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nFix the issue by preventing the migration of the perf context to an\ninvalid target.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35989\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35989\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35989\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35989\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35989\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/023b6390a15a98f9c3aa5e7da78d485d5384a08e\",\n \"https://git.kernel.org/stable/c/47533176fdcef17b114a6f688bc872901c1ec6bb\",\n \"https://git.kernel.org/stable/c/9edd3aa34d50f27b97be30b2ba4a6af0945ff56b\",\n \"https://git.kernel.org/stable/c/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be\",\n \"https://git.kernel.org/stable/c/f976eca36cdf94e32fa4f865db0e7c427c9aa33c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\\n\\nDuring the removal of the idxd driver, registered offline callback is\\ninvoked as part of the clean up process. However, on systems with only\\none CPU online, no valid target is available to migrate the\\nperf context, resulting in a kernel oops:\\n\\n BUG: unable to handle page fault for address: 000000000002a2b8\\n #PF: supervisor write access in kernel mode\\n #PF: error_code(0x0002) - not-present page\\n PGD 1470e1067 P4D 0\\n Oops: 0002 [#1] PREEMPT SMP NOPTI\\n CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\\n Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\\n RIP: 0010:mutex_lock+0x2e/0x50\\n ...\\n Call Trace:\\n \\n __die+0x24/0x70\\n page_fault_oops+0x82/0x160\\n do_user_addr_fault+0x65/0x6b0\\n __pfx___rdmsr_safe_on_cpu+0x10/0x10\\n exc_page_fault+0x7d/0x170\\n asm_exc_page_fault+0x26/0x30\\n mutex_lock+0x2e/0x50\\n mutex_lock+0x1e/0x50\\n perf_pmu_migrate_context+0x87/0x1f0\\n perf_event_cpu_offline+0x76/0x90 [idxd]\\n cpuhp_invoke_callback+0xa2/0x4f0\\n __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\\n cpuhp_thread_fun+0x98/0x150\\n smpboot_thread_fn+0x27/0x260\\n smpboot_thread_fn+0x1af/0x260\\n __pfx_smpboot_thread_fn+0x10/0x10\\n kthread+0x103/0x140\\n __pfx_kthread+0x10/0x10\\n ret_from_fork+0x31/0x50\\n __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \\n\\nFix the issue by preventing the migration of the perf context to an\\ninvalid target.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35989\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35990", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35990" + }, + { + "url": "https://git.kernel.org/stable/c/0ccac964520a6f19e355652c8ca38af2a7f27076" + }, + { + "url": "https://git.kernel.org/stable/c/244296cc3a155199a8b080d19e645d7d49081a38" + }, + { + "url": "https://git.kernel.org/stable/c/8bf574183282d219cfa991f7df37aad491d74c11" + }, + { + "url": "https://git.kernel.org/stable/c/8e3c94767cad5150198e4337c8b91f3bb068e14b" + }, + { + "url": "https://git.kernel.org/stable/c/c660be571609e03e7d5972343536a736fcb31557" + }, + { + "url": "https://git.kernel.org/stable/c/fcdd5bb4a8c81c64c1334d7e0aba41a8829a24de" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35990 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35990", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: xilinx_dpdma: Fix locking\n\nThere are several places where either chan->lock or chan->vchan.lock was\nnot held. Add appropriate locking. This fixes lockdep warnings like\n\n[ 31.077578] ------------[ cut here ]------------\n[ 31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.077953] Modules linked in:\n[ 31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98\n[ 31.078102] Hardware name: xlnx,zynqmp (DT)\n[ 31.078169] Workqueue: events_unbound deferred_probe_work_func\n[ 31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0\n[ 31.078550] sp : ffffffc083bb2e10\n[ 31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168\n[ 31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480\n[ 31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000\n[ 31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000\n[ 31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001\n[ 31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def\n[ 31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516\n[ 31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff\n[ 31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000\n[ 31.080307] Call trace:\n[ 31.080340] xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.080518] xilinx_dpdma_issue_pending+0x11c/0x120\n[ 31.080595] zynqmp_disp_layer_update+0x180/0x3ac\n[ 31.080712] zynqmp_dpsub_plane_atomic_update+0x11c/0x21c\n[ 31.080825] drm_atomic_helper_commit_planes+0x20c/0x684\n[ 31.080951] drm_atomic_helper_commit_tail+0x5c/0xb0\n[ 31.081139] commit_tail+0x234/0x294\n[ 31.081246] drm_atomic_helper_commit+0x1f8/0x210\n[ 31.081363] drm_atomic_commit+0x100/0x140\n[ 31.081477] drm_client_modeset_commit_atomic+0x318/0x384\n[ 31.081634] drm_client_modeset_commit_locked+0x8c/0x24c\n[ 31.081725] drm_client_modeset_commit+0x34/0x5c\n[ 31.081812] __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168\n[ 31.081899] drm_fb_helper_set_par+0x50/0x70\n[ 31.081971] fbcon_init+0x538/0xc48\n[ 31.082047] visual_init+0x16c/0x23c\n[ 31.082207] do_bind_con_driver.isra.0+0x2d0/0x634\n[ 31.082320] do_take_over_console+0x24c/0x33c\n[ 31.082429] do_fbcon_takeover+0xbc/0x1b0\n[ 31.082503] fbcon_fb_registered+0x2d0/0x34c\n[ 31.082663] register_framebuffer+0x27c/0x38c\n[ 31.082767] __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c\n[ 31.082939] drm_fb_helper_initial_config+0x50/0x74\n[ 31.083012] drm_fbdev_dma_client_hotplug+0xb8/0x108\n[ 31.083115] drm_client_register+0xa0/0xf4\n[ 31.083195] drm_fbdev_dma_setup+0xb0/0x1cc\n[ 31.083293] zynqmp_dpsub_drm_init+0x45c/0x4e0\n[ 31.083431] zynqmp_dpsub_probe+0x444/0x5e0\n[ 31.083616] platform_probe+0x8c/0x13c\n[ 31.083713] really_probe+0x258/0x59c\n[ 31.083793] __driver_probe_device+0xc4/0x224\n[ 31.083878] driver_probe_device+0x70/0x1c0\n[ 31.083961] __device_attach_driver+0x108/0x1e0\n[ 31.084052] bus_for_each_drv+0x9c/0x100\n[ 31.084125] __device_attach+0x100/0x298\n[ 31.084207] device_initial_probe+0x14/0x20\n[ 31.084292] bus_probe_device+0xd8/0xdc\n[ 31.084368] deferred_probe_work_func+0x11c/0x180\n[ 31.084451] process_one_work+0x3ac/0x988\n[ 31.084643] worker_thread+0x398/0x694\n[ 31.084752] kthread+0x1bc/0x1c0\n[ 31.084848] ret_from_fork+0x10/0x20\n[ 31.084932] irq event stamp: 64549\n[ 31.084970] hardirqs last enabled at (64548): [] _raw_spin_unlock_irqrestore+0x80/0x90\n[ 31.085157]\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35990\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35990\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35990\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35990\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35990\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ccac964520a6f19e355652c8ca38af2a7f27076\",\n \"https://git.kernel.org/stable/c/244296cc3a155199a8b080d19e645d7d49081a38\",\n \"https://git.kernel.org/stable/c/8bf574183282d219cfa991f7df37aad491d74c11\",\n \"https://git.kernel.org/stable/c/8e3c94767cad5150198e4337c8b91f3bb068e14b\",\n \"https://git.kernel.org/stable/c/c660be571609e03e7d5972343536a736fcb31557\",\n \"https://git.kernel.org/stable/c/fcdd5bb4a8c81c64c1334d7e0aba41a8829a24de\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma: xilinx_dpdma: Fix locking\\n\\nThere are several places where either chan->lock or chan->vchan.lock was\\nnot held. Add appropriate locking. This fixes lockdep warnings like\\n\\n[ 31.077578] ------------[ cut here ]------------\\n[ 31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\\n[ 31.077953] Modules linked in:\\n[ 31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98\\n[ 31.078102] Hardware name: xlnx,zynqmp (DT)\\n[ 31.078169] Workqueue: events_unbound deferred_probe_work_func\\n[ 31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[ 31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\\n[ 31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0\\n[ 31.078550] sp : ffffffc083bb2e10\\n[ 31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168\\n[ 31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480\\n[ 31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000\\n[ 31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000\\n[ 31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\\n[ 31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001\\n[ 31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def\\n[ 31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516\\n[ 31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff\\n[ 31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000\\n[ 31.080307] Call trace:\\n[ 31.080340] xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\\n[ 31.080518] xilinx_dpdma_issue_pending+0x11c/0x120\\n[ 31.080595] zynqmp_disp_layer_update+0x180/0x3ac\\n[ 31.080712] zynqmp_dpsub_plane_atomic_update+0x11c/0x21c\\n[ 31.080825] drm_atomic_helper_commit_planes+0x20c/0x684\\n[ 31.080951] drm_atomic_helper_commit_tail+0x5c/0xb0\\n[ 31.081139] commit_tail+0x234/0x294\\n[ 31.081246] drm_atomic_helper_commit+0x1f8/0x210\\n[ 31.081363] drm_atomic_commit+0x100/0x140\\n[ 31.081477] drm_client_modeset_commit_atomic+0x318/0x384\\n[ 31.081634] drm_client_modeset_commit_locked+0x8c/0x24c\\n[ 31.081725] drm_client_modeset_commit+0x34/0x5c\\n[ 31.081812] __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168\\n[ 31.081899] drm_fb_helper_set_par+0x50/0x70\\n[ 31.081971] fbcon_init+0x538/0xc48\\n[ 31.082047] visual_init+0x16c/0x23c\\n[ 31.082207] do_bind_con_driver.isra.0+0x2d0/0x634\\n[ 31.082320] do_take_over_console+0x24c/0x33c\\n[ 31.082429] do_fbcon_takeover+0xbc/0x1b0\\n[ 31.082503] fbcon_fb_registered+0x2d0/0x34c\\n[ 31.082663] register_framebuffer+0x27c/0x38c\\n[ 31.082767] __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c\\n[ 31.082939] drm_fb_helper_initial_config+0x50/0x74\\n[ 31.083012] drm_fbdev_dma_client_hotplug+0xb8/0x108\\n[ 31.083115] drm_client_register+0xa0/0xf4\\n[ 31.083195] drm_fbdev_dma_setup+0xb0/0x1cc\\n[ 31.083293] zynqmp_dpsub_drm_init+0x45c/0x4e0\\n[ 31.083431] zynqmp_dpsub_probe+0x444/0x5e0\\n[ 31.083616] platform_probe+0x8c/0x13c\\n[ 31.083713] really_probe+0x258/0x59c\\n[ 31.083793] __driver_probe_device+0xc4/0x224\\n[ 31.083878] driver_probe_device+0x70/0x1c0\\n[ 31.083961] __device_attach_driver+0x108/0x1e0\\n[ 31.084052] bus_for_each_drv+0x9c/0x100\\n[ 31.084125] __device_attach+0x100/0x298\\n[ 31.084207] device_initial_probe+0x14/0x20\\n[ 31.084292] bus_probe_device+0xd8/0xdc\\n[ 31.084368] deferred_probe_work_func+0x11c/0x180\\n[ 31.084451] process_one_work+0x3ac/0x988\\n[ 31.084643] worker_thread+0x398/0x694\\n[ 31.084752] kthread+0x1bc/0x1c0\\n[ 31.084848] ret_from_fork+0x10/0x20\\n[ 31.084932] irq event stamp: 64549\\n[ 31.084970] hardirqs last enabled at (64548): [] _raw_spin_unlock_irqrestore+0x80/0x90\\n[ 31.085157]\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35990\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35995", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35995" + }, + { + "url": "https://git.kernel.org/stable/c/01fc53be672acae37e611c80cc0b4f3939584de3" + }, + { + "url": "https://git.kernel.org/stable/c/1b890ae474d19800a6be1696df7fb4d9a41676e4" + }, + { + "url": "https://git.kernel.org/stable/c/2f4a4d63a193be6fd530d180bb13c3592052904c" + }, + { + "url": "https://git.kernel.org/stable/c/4949affd5288b867cdf115f5b08d6166b2027f87" + }, + { + "url": "https://git.kernel.org/stable/c/6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1" + }, + { + "url": "https://git.kernel.org/stable/c/6dfd79ed04c578f1d9a9a41ba5b2015cf9f03fc3" + }, + { + "url": "https://git.kernel.org/stable/c/b54c4632946ae42f2b39ed38abd909bbf78cbcc2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35995 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35995", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Use access_width over bit_width for system memory accesses\n\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\ncannot be depended on to be always on a clean 8b boundary. This was\nuncovered on the Cobalt 100 platform.\n\nSError Interrupt on CPU26, code 0xbe000011 -- SError\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n pc : cppc_get_perf_caps+0xec/0x410\n lr : cppc_get_perf_caps+0xe8/0x410\n sp : ffff8000155ab730\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\n Kernel panic - not syncing: Asynchronous SError Interrupt\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\n5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n Call trace:\n dump_backtrace+0x0/0x1e0\n show_stack+0x24/0x30\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n panic+0x16c/0x384\n add_taint+0x0/0xc0\n arm64_serror_panic+0x7c/0x90\n arm64_is_fatal_ras_serror+0x34/0xa4\n do_serror+0x50/0x6c\n el1h_64_error_handler+0x40/0x74\n el1h_64_error+0x7c/0x80\n cppc_get_perf_caps+0xec/0x410\n cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\n cpufreq_online+0x2dc/0xa30\n cpufreq_add_dev+0xc0/0xd4\n subsys_interface_register+0x134/0x14c\n cpufreq_register_driver+0x1b0/0x354\n cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\n do_one_initcall+0x50/0x250\n do_init_module+0x60/0x27c\n load_module+0x2300/0x2570\n __do_sys_finit_module+0xa8/0x114\n __arm64_sys_finit_module+0x2c/0x3c\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x180/0x1a0\n do_el0_svc+0x84/0xa0\n el0_svc+0x2c/0xc0\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n\nInstead, use access_width to determine the size and use the offset and\nwidth to shift and mask the bits to read/write out. Make sure to add a\ncheck for system memory since pcc redefines the access_width to\nsubspace id.\n\nIf access_width is not set, then fall back to using bit_width.\n\n[ rjw: Subject and changelog edits, comment adjustments ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35995\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35995\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35995\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35995\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35995\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01fc53be672acae37e611c80cc0b4f3939584de3\",\n \"https://git.kernel.org/stable/c/1b890ae474d19800a6be1696df7fb4d9a41676e4\",\n \"https://git.kernel.org/stable/c/2f4a4d63a193be6fd530d180bb13c3592052904c\",\n \"https://git.kernel.org/stable/c/4949affd5288b867cdf115f5b08d6166b2027f87\",\n \"https://git.kernel.org/stable/c/6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1\",\n \"https://git.kernel.org/stable/c/6dfd79ed04c578f1d9a9a41ba5b2015cf9f03fc3\",\n \"https://git.kernel.org/stable/c/b54c4632946ae42f2b39ed38abd909bbf78cbcc2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nACPI: CPPC: Use access_width over bit_width for system memory accesses\\n\\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\\ncannot be depended on to be always on a clean 8b boundary. This was\\nuncovered on the Cobalt 100 platform.\\n\\nSError Interrupt on CPU26, code 0xbe000011 -- SError\\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\\n pc : cppc_get_perf_caps+0xec/0x410\\n lr : cppc_get_perf_caps+0xe8/0x410\\n sp : ffff8000155ab730\\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\\n Kernel panic - not syncing: Asynchronous SError Interrupt\\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\\n5.15.2.1-13 #1\\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\\n Call trace:\\n dump_backtrace+0x0/0x1e0\\n show_stack+0x24/0x30\\n dump_stack_lvl+0x8c/0xb8\\n dump_stack+0x18/0x34\\n panic+0x16c/0x384\\n add_taint+0x0/0xc0\\n arm64_serror_panic+0x7c/0x90\\n arm64_is_fatal_ras_serror+0x34/0xa4\\n do_serror+0x50/0x6c\\n el1h_64_error_handler+0x40/0x74\\n el1h_64_error+0x7c/0x80\\n cppc_get_perf_caps+0xec/0x410\\n cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\\n cpufreq_online+0x2dc/0xa30\\n cpufreq_add_dev+0xc0/0xd4\\n subsys_interface_register+0x134/0x14c\\n cpufreq_register_driver+0x1b0/0x354\\n cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\\n do_one_initcall+0x50/0x250\\n do_init_module+0x60/0x27c\\n load_module+0x2300/0x2570\\n __do_sys_finit_module+0xa8/0x114\\n __arm64_sys_finit_module+0x2c/0x3c\\n invoke_syscall+0x78/0x100\\n el0_svc_common.constprop.0+0x180/0x1a0\\n do_el0_svc+0x84/0xa0\\n el0_svc+0x2c/0xc0\\n el0t_64_sync_handler+0xa4/0x12c\\n el0t_64_sync+0x1a4/0x1a8\\n\\nInstead, use access_width to determine the size and use the offset and\\nwidth to shift and mask the bits to read/write out. Make sure to add a\\ncheck for system memory since pcc redefines the access_width to\\nsubspace id.\\n\\nIf access_width is not set, then fall back to using bit_width.\\n\\n[ rjw: Subject and changelog edits, comment adjustments ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35995\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35997", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35997" + }, + { + "url": "https://git.kernel.org/stable/c/0561b65fbd53d3e788c5b0222d9112ca016fd6a1" + }, + { + "url": "https://git.kernel.org/stable/c/21bfca822cfc1e71796124e93b46e0d9fa584401" + }, + { + "url": "https://git.kernel.org/stable/c/29e94f295bad5be59cf4271a93e22cdcf5536722" + }, + { + "url": "https://git.kernel.org/stable/c/418c5575d56410c6e186ab727bf32ae32447d497" + }, + { + "url": "https://git.kernel.org/stable/c/5095b93021b899f54c9355bebf36d78854c33a22" + }, + { + "url": "https://git.kernel.org/stable/c/9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e" + }, + { + "url": "https://git.kernel.org/stable/c/b65fb50e04a95eec34a9d1bc138454a98a5578d8" + }, + { + "url": "https://git.kernel.org/stable/c/c448a9fd50f77e8fb9156ff64848aa4295eb3003" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35997 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35997", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\n\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\n\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\n\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\n\nDelete this unnecessary flag.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35997\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35997\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35997\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35997\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35997\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0561b65fbd53d3e788c5b0222d9112ca016fd6a1\",\n \"https://git.kernel.org/stable/c/21bfca822cfc1e71796124e93b46e0d9fa584401\",\n \"https://git.kernel.org/stable/c/29e94f295bad5be59cf4271a93e22cdcf5536722\",\n \"https://git.kernel.org/stable/c/418c5575d56410c6e186ab727bf32ae32447d497\",\n \"https://git.kernel.org/stable/c/5095b93021b899f54c9355bebf36d78854c33a22\",\n \"https://git.kernel.org/stable/c/9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e\",\n \"https://git.kernel.org/stable/c/b65fb50e04a95eec34a9d1bc138454a98a5578d8\",\n \"https://git.kernel.org/stable/c/c448a9fd50f77e8fb9156ff64848aa4295eb3003\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\\n\\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\\nHowever, this is not necessary, because I2C core already has its own\\nlocking for that.\\n\\nMore importantly, this flag can cause a lock-up: if the flag is set in\\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\\n(i2c_hid_irq) will check this flag and return immediately without doing\\nanything, then the interrupt handler will be invoked again in an\\ninfinite loop.\\n\\nSince interrupt handler is an RT task, it takes over the CPU and the\\nflag-clearing task never gets scheduled, thus we have a lock-up.\\n\\nDelete this unnecessary flag.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35997\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35998", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35998" + }, + { + "url": "https://git.kernel.org/stable/c/699f8958dece132709c0bff6a9700999a2a63b75" + }, + { + "url": "https://git.kernel.org/stable/c/8248224ab5b8ca7559b671917c224296a4d671fc" + }, + { + "url": "https://git.kernel.org/stable/c/8861fd5180476f45f9e8853db154600469a0284f" + }, + { + "url": "https://git.kernel.org/stable/c/c7a4bca289e50bb4b2650f845c41bb3e453f4c66" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35998 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35998", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix lock ordering potential deadlock in cifs_sync_mid_result\n\nCoverity spotted that the cifs_sync_mid_result function could deadlock\n\n\"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires\nlock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock\"\n\nAddresses-Coverity: 1590401 (\"Thread deadlock (ORDER_REVERSAL)\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35998\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35998\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35998\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35998\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35998\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/699f8958dece132709c0bff6a9700999a2a63b75\",\n \"https://git.kernel.org/stable/c/8248224ab5b8ca7559b671917c224296a4d671fc\",\n \"https://git.kernel.org/stable/c/8861fd5180476f45f9e8853db154600469a0284f\",\n \"https://git.kernel.org/stable/c/c7a4bca289e50bb4b2650f845c41bb3e453f4c66\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb3: fix lock ordering potential deadlock in cifs_sync_mid_result\\n\\nCoverity spotted that the cifs_sync_mid_result function could deadlock\\n\\n\\\"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires\\nlock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock\\\"\\n\\nAddresses-Coverity: 1590401 (\\\"Thread deadlock (ORDER_REVERSAL)\\\")\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35998\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35999", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35999" + }, + { + "url": "https://git.kernel.org/stable/c/0fcf7e219448e937681216353c9a58abae6d3c2e" + }, + { + "url": "https://git.kernel.org/stable/c/60ab245292280905603bc0d3654f4cf8fceccb00" + }, + { + "url": "https://git.kernel.org/stable/c/8094a600245e9b28eb36a13036f202ad67c1f887" + }, + { + "url": "https://git.kernel.org/stable/c/98c7ed29cd754ae7475dc7cb3f33399fda902729" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35999 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35999", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: missing lock when picking channel\n\nCoverity spotted a place where we should have been holding the\nchannel lock when accessing the ses channel index.\n\nAddresses-Coverity: 1582039 (\"Data race condition (MISSING_LOCK)\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35999\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35999\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35999\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35999\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35999\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0fcf7e219448e937681216353c9a58abae6d3c2e\",\n \"https://git.kernel.org/stable/c/60ab245292280905603bc0d3654f4cf8fceccb00\",\n \"https://git.kernel.org/stable/c/8094a600245e9b28eb36a13036f202ad67c1f887\",\n \"https://git.kernel.org/stable/c/98c7ed29cd754ae7475dc7cb3f33399fda902729\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb3: missing lock when picking channel\\n\\nCoverity spotted a place where we should have been holding the\\nchannel lock when accessing the ses channel index.\\n\\nAddresses-Coverity: 1582039 (\\\"Data race condition (MISSING_LOCK)\\\")\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35999\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36000", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36000" + }, + { + "url": "https://git.kernel.org/stable/c/4c806333efea1000a2a9620926f560ad2e1ca7cc" + }, + { + "url": "https://git.kernel.org/stable/c/538faabf31e9c53d8c870d114846fda958a0de10" + }, + { + "url": "https://git.kernel.org/stable/c/b76b46902c2d0395488c8412e1116c2486cdfcb2" + }, + { + "url": "https://git.kernel.org/stable/c/f6c5d21db16a0910152ec8aa9d5a7aed72694505" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36000 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36000", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix missing hugetlb_lock for resv uncharge\n\nThere is a recent report on UFFDIO_COPY over hugetlb:\n\nhttps://lore.kernel.org/all/000000000000ee06de0616177560@google.com/\n\n350:\tlockdep_assert_held(&hugetlb_lock);\n\nShould be an issue in hugetlb but triggered in an userfault context, where\nit goes into the unlikely path where two threads modifying the resv map\ntogether. Mike has a fix in that path for resv uncharge but it looks like\nthe locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()\nwill update the cgroup pointer, so it requires to be called with the lock\nheld.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36000\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36000\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36000\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36000\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36000\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c806333efea1000a2a9620926f560ad2e1ca7cc\",\n \"https://git.kernel.org/stable/c/538faabf31e9c53d8c870d114846fda958a0de10\",\n \"https://git.kernel.org/stable/c/b76b46902c2d0395488c8412e1116c2486cdfcb2\",\n \"https://git.kernel.org/stable/c/f6c5d21db16a0910152ec8aa9d5a7aed72694505\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/hugetlb: fix missing hugetlb_lock for resv uncharge\\n\\nThere is a recent report on UFFDIO_COPY over hugetlb:\\n\\nhttps://lore.kernel.org/all/000000000000ee06de0616177560@google.com/\\n\\n350:\\tlockdep_assert_held(&hugetlb_lock);\\n\\nShould be an issue in hugetlb but triggered in an userfault context, where\\nit goes into the unlikely path where two threads modifying the resv map\\ntogether. Mike has a fix in that path for resv uncharge but it looks like\\nthe locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()\\nwill update the cgroup pointer, so it requires to be called with the lock\\nheld.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36000\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36003", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36003" + }, + { + "url": "https://git.kernel.org/stable/c/740717774dc37338404d10726967d582414f638c" + }, + { + "url": "https://git.kernel.org/stable/c/96fdd1f6b4ed72a741fb0eb705c0e13049b8721f" + }, + { + "url": "https://git.kernel.org/stable/c/de8631d8c9df08440268630200e64b623a5f69e6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36003 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36003", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix LAG and VF lock dependency in ice_reset_vf()\n\n9f74a3dfcf83 (\"ice: Fix VF Reset paths when interface in a failed over\naggregate\"), the ice driver has acquired the LAG mutex in ice_reset_vf().\nThe commit placed this lock acquisition just prior to the acquisition of\nthe VF configuration lock.\n\nIf ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK\nflag, this could deadlock with ice_vc_cfg_qs_msg() because it always\nacquires the locks in the order of the VF configuration lock and then the\nLAG mutex.\n\nLockdep reports this violation almost immediately on creating and then\nremoving 2 VF:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-rc6 #54 Tainted: G W O\n------------------------------------------------------\nkworker/60:3/6771 is trying to acquire lock:\nff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice]\n\nbut task is already holding lock:\nff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&pf->lag_mutex){+.+.}-{3:3}:\n __lock_acquire+0x4f8/0xb40\n lock_acquire+0xd4/0x2d0\n __mutex_lock+0x9b/0xbf0\n ice_vc_cfg_qs_msg+0x45/0x690 [ice]\n ice_vc_process_vf_msg+0x4f5/0x870 [ice]\n __ice_clean_ctrlq+0x2b5/0x600 [ice]\n ice_service_task+0x2c9/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n kthread+0x104/0x140\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1b/0x30\n\n-> #0 (&vf->cfg_lock){+.+.}-{3:3}:\n check_prev_add+0xe2/0xc50\n validate_chain+0x558/0x800\n __lock_acquire+0x4f8/0xb40\n lock_acquire+0xd4/0x2d0\n __mutex_lock+0x9b/0xbf0\n ice_reset_vf+0x22f/0x4d0 [ice]\n ice_process_vflr_event+0x98/0xd0 [ice]\n ice_service_task+0x1cc/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n kthread+0x104/0x140\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1b/0x30\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n CPU0 CPU1\n ---- ----\n lock(&pf->lag_mutex);\n lock(&vf->cfg_lock);\n lock(&pf->lag_mutex);\n lock(&vf->cfg_lock);\n\n *** DEADLOCK ***\n4 locks held by kworker/60:3/6771:\n #0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n #1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n #2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice]\n #3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\n\nstack backtrace:\nCPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G W O 6.8.0-rc6 #54\nHardware name:\nWorkqueue: ice ice_service_task [ice]\nCall Trace:\n \n dump_stack_lvl+0x4a/0x80\n check_noncircular+0x12d/0x150\n check_prev_add+0xe2/0xc50\n ? save_trace+0x59/0x230\n ? add_chain_cache+0x109/0x450\n validate_chain+0x558/0x800\n __lock_acquire+0x4f8/0xb40\n ? lockdep_hardirqs_on+0x7d/0x100\n lock_acquire+0xd4/0x2d0\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? lock_is_held_type+0xc7/0x120\n __mutex_lock+0x9b/0xbf0\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? rcu_is_watching+0x11/0x50\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ice_reset_vf+0x22f/0x4d0 [ice]\n ? process_one_work+0x176/0x4d0\n ice_process_vflr_event+0x98/0xd0 [ice]\n ice_service_task+0x1cc/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x104/0x140\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nTo avoid deadlock, we must acquire the LAG \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36003\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36003\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36003\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36003\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36003\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/740717774dc37338404d10726967d582414f638c\",\n \"https://git.kernel.org/stable/c/96fdd1f6b4ed72a741fb0eb705c0e13049b8721f\",\n \"https://git.kernel.org/stable/c/de8631d8c9df08440268630200e64b623a5f69e6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: fix LAG and VF lock dependency in ice_reset_vf()\\n\\n9f74a3dfcf83 (\\\"ice: Fix VF Reset paths when interface in a failed over\\naggregate\\\"), the ice driver has acquired the LAG mutex in ice_reset_vf().\\nThe commit placed this lock acquisition just prior to the acquisition of\\nthe VF configuration lock.\\n\\nIf ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK\\nflag, this could deadlock with ice_vc_cfg_qs_msg() because it always\\nacquires the locks in the order of the VF configuration lock and then the\\nLAG mutex.\\n\\nLockdep reports this violation almost immediately on creating and then\\nremoving 2 VF:\\n\\n======================================================\\nWARNING: possible circular locking dependency detected\\n6.8.0-rc6 #54 Tainted: G W O\\n------------------------------------------------------\\nkworker/60:3/6771 is trying to acquire lock:\\nff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice]\\n\\nbut task is already holding lock:\\nff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\\n\\nwhich lock already depends on the new lock.\\n\\nthe existing dependency chain (in reverse order) is:\\n\\n-> #1 (&pf->lag_mutex){+.+.}-{3:3}:\\n __lock_acquire+0x4f8/0xb40\\n lock_acquire+0xd4/0x2d0\\n __mutex_lock+0x9b/0xbf0\\n ice_vc_cfg_qs_msg+0x45/0x690 [ice]\\n ice_vc_process_vf_msg+0x4f5/0x870 [ice]\\n __ice_clean_ctrlq+0x2b5/0x600 [ice]\\n ice_service_task+0x2c9/0x480 [ice]\\n process_one_work+0x1e9/0x4d0\\n worker_thread+0x1e1/0x3d0\\n kthread+0x104/0x140\\n ret_from_fork+0x31/0x50\\n ret_from_fork_asm+0x1b/0x30\\n\\n-> #0 (&vf->cfg_lock){+.+.}-{3:3}:\\n check_prev_add+0xe2/0xc50\\n validate_chain+0x558/0x800\\n __lock_acquire+0x4f8/0xb40\\n lock_acquire+0xd4/0x2d0\\n __mutex_lock+0x9b/0xbf0\\n ice_reset_vf+0x22f/0x4d0 [ice]\\n ice_process_vflr_event+0x98/0xd0 [ice]\\n ice_service_task+0x1cc/0x480 [ice]\\n process_one_work+0x1e9/0x4d0\\n worker_thread+0x1e1/0x3d0\\n kthread+0x104/0x140\\n ret_from_fork+0x31/0x50\\n ret_from_fork_asm+0x1b/0x30\\n\\nother info that might help us debug this:\\n Possible unsafe locking scenario:\\n CPU0 CPU1\\n ---- ----\\n lock(&pf->lag_mutex);\\n lock(&vf->cfg_lock);\\n lock(&pf->lag_mutex);\\n lock(&vf->cfg_lock);\\n\\n *** DEADLOCK ***\\n4 locks held by kworker/60:3/6771:\\n #0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\\n #1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\\n #2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice]\\n #3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\\n\\nstack backtrace:\\nCPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G W O 6.8.0-rc6 #54\\nHardware name:\\nWorkqueue: ice ice_service_task [ice]\\nCall Trace:\\n \\n dump_stack_lvl+0x4a/0x80\\n check_noncircular+0x12d/0x150\\n check_prev_add+0xe2/0xc50\\n ? save_trace+0x59/0x230\\n ? add_chain_cache+0x109/0x450\\n validate_chain+0x558/0x800\\n __lock_acquire+0x4f8/0xb40\\n ? lockdep_hardirqs_on+0x7d/0x100\\n lock_acquire+0xd4/0x2d0\\n ? ice_reset_vf+0x22f/0x4d0 [ice]\\n ? lock_is_held_type+0xc7/0x120\\n __mutex_lock+0x9b/0xbf0\\n ? ice_reset_vf+0x22f/0x4d0 [ice]\\n ? ice_reset_vf+0x22f/0x4d0 [ice]\\n ? rcu_is_watching+0x11/0x50\\n ? ice_reset_vf+0x22f/0x4d0 [ice]\\n ice_reset_vf+0x22f/0x4d0 [ice]\\n ? process_one_work+0x176/0x4d0\\n ice_process_vflr_event+0x98/0xd0 [ice]\\n ice_service_task+0x1cc/0x480 [ice]\\n process_one_work+0x1e9/0x4d0\\n worker_thread+0x1e1/0x3d0\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0x104/0x140\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x31/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \\n\\nTo avoid deadlock, we must acquire the LAG \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36003\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36004", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36004" + }, + { + "url": "https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c" + }, + { + "url": "https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939" + }, + { + "url": "https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e" + }, + { + "url": "https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c" + }, + { + "url": "https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd" + }, + { + "url": "https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0" + }, + { + "url": "https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22" + }, + { + "url": "https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36004 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36004", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nIssue reported by customer during SRIOV testing, call trace:\nWhen both i40e and the i40iw driver are loaded, a warning\nin check_flush_dependency is being triggered. This seems\nto be because of the i40e driver workqueue is allocated with\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\n\nSimilar error was encountered on ice too and it was fixed by\nremoving the flag. Do the same for i40e too.\n\n[Feb 9 09:08] ------------[ cut here ]------------\n[ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\nflushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\ncheck_flush_dependency+0x10b/0x120\n[ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\ndm_region_hash dm_log dm_mod fuse\n[ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\n[ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\n[ +0.000001] Workqueue: i40e i40e_service_task [i40e]\n[ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\n[ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\n[ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\n[ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\n0000000000000027\n[ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\nffff94d47f620bc0\n[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\n00000000ffff7fff\n[ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\nffff94c5451ea180\n[ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\nffff94c5f1330ab0\n[ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000)\nknlGS:0000000000000000\n[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\n00000000007706f0\n[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ +0.000001] PKRU: 55555554\n[ +0.000001] Call Trace:\n[ +0.000001] \n[ +0.000002] ? __warn+0x80/0x130\n[ +0.000003] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? report_bug+0x195/0x1a0\n[ +0.000005] ? handle_bug+0x3c/0x70\n[ +0.000003] ? exc_invalid_op+0x14/0x70\n[ +0.000002] ? asm_exc_invalid_op+0x16/0x20\n[ +0.000006] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] __flush_workqueue+0x126/0x3f0\n[ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\n[ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core]\n[ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core]\n[ +0.000020] i40iw_close+0x4b/0x90 [irdma]\n[ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\n[ +0.000035] i40e_service_task+0x126/0x190 [i40e]\n[ +0.000024] process_one_work+0x174/0x340\n[ +0.000003] worker_th\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36004\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36004\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36004\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36004\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36004\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c\",\n \"https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939\",\n \"https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e\",\n \"https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c\",\n \"https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd\",\n \"https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0\",\n \"https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22\",\n \"https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\\n\\nIssue reported by customer during SRIOV testing, call trace:\\nWhen both i40e and the i40iw driver are loaded, a warning\\nin check_flush_dependency is being triggered. This seems\\nto be because of the i40e driver workqueue is allocated with\\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\\n\\nSimilar error was encountered on ice too and it was fixed by\\nremoving the flag. Do the same for i40e too.\\n\\n[Feb 9 09:08] ------------[ cut here ]------------\\n[ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\\nflushing !WQ_MEM_RECLAIM infiniband:0x0\\n[ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\\ncheck_flush_dependency+0x10b/0x120\\n[ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\\ndm_region_hash dm_log dm_mod fuse\\n[ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\\n[ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\\n[ +0.000001] Workqueue: i40e i40e_service_task [i40e]\\n[ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\\n[ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\\n[ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\\n[ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\\n0000000000000027\\n[ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\\nffff94d47f620bc0\\n[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\\n00000000ffff7fff\\n[ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\\nffff94c5451ea180\\n[ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\\nffff94c5f1330ab0\\n[ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000)\\nknlGS:0000000000000000\\n[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\\n00000000007706f0\\n[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\\n0000000000000000\\n[ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\\n0000000000000400\\n[ +0.000001] PKRU: 55555554\\n[ +0.000001] Call Trace:\\n[ +0.000001] \\n[ +0.000002] ? __warn+0x80/0x130\\n[ +0.000003] ? check_flush_dependency+0x10b/0x120\\n[ +0.000002] ? report_bug+0x195/0x1a0\\n[ +0.000005] ? handle_bug+0x3c/0x70\\n[ +0.000003] ? exc_invalid_op+0x14/0x70\\n[ +0.000002] ? asm_exc_invalid_op+0x16/0x20\\n[ +0.000006] ? check_flush_dependency+0x10b/0x120\\n[ +0.000002] ? check_flush_dependency+0x10b/0x120\\n[ +0.000002] __flush_workqueue+0x126/0x3f0\\n[ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\\n[ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core]\\n[ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core]\\n[ +0.000020] i40iw_close+0x4b/0x90 [irdma]\\n[ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\\n[ +0.000035] i40e_service_task+0x126/0x190 [i40e]\\n[ +0.000024] process_one_work+0x174/0x340\\n[ +0.000003] worker_th\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36004\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36005", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36005" + }, + { + "url": "https://git.kernel.org/stable/c/13ba94f6cc820fdea15efeaa17d4c722874eebf9" + }, + { + "url": "https://git.kernel.org/stable/c/5c45feb3c288cf44a529e2657b36c259d86497d2" + }, + { + "url": "https://git.kernel.org/stable/c/8260c980aee7d8d8a3db39faf19c391d2f898816" + }, + { + "url": "https://git.kernel.org/stable/c/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2" + }, + { + "url": "https://git.kernel.org/stable/c/ca34c40d1c22c555fa7f4a21a1c807fea7290a0a" + }, + { + "url": "https://git.kernel.org/stable/c/e4bb6da24de336a7899033a65490ed2d892efa5b" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36005 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36005", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: honor table dormant flag from netdev release event path\n\nCheck for table dormant flag otherwise netdev release event path tries\nto unregister an already unregistered hook.\n\n[524854.857999] ------------[ cut here ]------------\n[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\n[524854.858869] Workqueue: netns cleanup_net\n[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260\n[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41\n[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246\n[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a\n[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438\n[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34\n[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005\n[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00\n[524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0\n[524854.859000] Call Trace:\n[524854.859006] \n[524854.859013] ? __warn+0x9f/0x1a0\n[524854.859027] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859044] ? report_bug+0x1b1/0x1e0\n[524854.859060] ? handle_bug+0x3c/0x70\n[524854.859071] ? exc_invalid_op+0x17/0x40\n[524854.859083] ? asm_exc_invalid_op+0x1a/0x20\n[524854.859100] ? __nf_unregister_net_hook+0x6a/0x260\n[524854.859116] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables]\n[524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859461] ? packet_notifier+0xb3/0x360\n[524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40\n[524854.859489] ? dcbnl_netdevice_event+0x35/0x140\n[524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859661] notifier_call_chain+0x7d/0x140\n[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36005\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36005\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36005\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36005\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36005\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13ba94f6cc820fdea15efeaa17d4c722874eebf9\",\n \"https://git.kernel.org/stable/c/5c45feb3c288cf44a529e2657b36c259d86497d2\",\n \"https://git.kernel.org/stable/c/8260c980aee7d8d8a3db39faf19c391d2f898816\",\n \"https://git.kernel.org/stable/c/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2\",\n \"https://git.kernel.org/stable/c/ca34c40d1c22c555fa7f4a21a1c807fea7290a0a\",\n \"https://git.kernel.org/stable/c/e4bb6da24de336a7899033a65490ed2d892efa5b\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: honor table dormant flag from netdev release event path\\n\\nCheck for table dormant flag otherwise netdev release event path tries\\nto unregister an already unregistered hook.\\n\\n[524854.857999] ------------[ cut here ]------------\\n[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\\n[...]\\n[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\\n[524854.858869] Workqueue: netns cleanup_net\\n[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260\\n[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41\\n[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246\\n[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a\\n[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438\\n[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34\\n[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005\\n[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00\\n[524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\\n[524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0\\n[524854.859000] Call Trace:\\n[524854.859006] \\n[524854.859013] ? __warn+0x9f/0x1a0\\n[524854.859027] ? __nf_unregister_net_hook+0x21a/0x260\\n[524854.859044] ? report_bug+0x1b1/0x1e0\\n[524854.859060] ? handle_bug+0x3c/0x70\\n[524854.859071] ? exc_invalid_op+0x17/0x40\\n[524854.859083] ? asm_exc_invalid_op+0x1a/0x20\\n[524854.859100] ? __nf_unregister_net_hook+0x6a/0x260\\n[524854.859116] ? __nf_unregister_net_hook+0x21a/0x260\\n[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables]\\n[524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\\n[524854.859461] ? packet_notifier+0xb3/0x360\\n[524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40\\n[524854.859489] ? dcbnl_netdevice_event+0x35/0x140\\n[524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\\n[524854.859661] notifier_call_chain+0x7d/0x140\\n[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36005\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36006", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36006" + }, + { + "url": "https://git.kernel.org/stable/c/09846c2309b150b8ce4e0ce96f058197598fc530" + }, + { + "url": "https://git.kernel.org/stable/c/0b2c13b670b168e324e1cf109e67056a20fd610a" + }, + { + "url": "https://git.kernel.org/stable/c/4526a56e02da3725db979358964df9cd9c567154" + }, + { + "url": "https://git.kernel.org/stable/c/64435b64e43d8ee60faa46c0cd04e323e8b2a7b0" + }, + { + "url": "https://git.kernel.org/stable/c/ab4ecfb627338e440ae11def004c524a00d93e40" + }, + { + "url": "https://git.kernel.org/stable/c/af8b593c3dd9df82cb199be65863af004b09fd97" + }, + { + "url": "https://git.kernel.org/stable/c/b377add0f0117409c418ddd6504bd682ebe0bf79" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36006 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36006", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\n\nBoth the function that migrates all the chunks within a region and the\nfunction that migrates all the entries within a chunk call\nlist_first_entry() on the respective lists without checking that the\nlists are not empty. This is incorrect usage of the API, which leads to\nthe following warning [1].\n\nFix by returning if the lists are empty as there is nothing to migrate\nin this case.\n\n[1]\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\nModules linked in:\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36006\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36006\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36006\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36006\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36006\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09846c2309b150b8ce4e0ce96f058197598fc530\",\n \"https://git.kernel.org/stable/c/0b2c13b670b168e324e1cf109e67056a20fd610a\",\n \"https://git.kernel.org/stable/c/4526a56e02da3725db979358964df9cd9c567154\",\n \"https://git.kernel.org/stable/c/64435b64e43d8ee60faa46c0cd04e323e8b2a7b0\",\n \"https://git.kernel.org/stable/c/ab4ecfb627338e440ae11def004c524a00d93e40\",\n \"https://git.kernel.org/stable/c/af8b593c3dd9df82cb199be65863af004b09fd97\",\n \"https://git.kernel.org/stable/c/b377add0f0117409c418ddd6504bd682ebe0bf79\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\\n\\nBoth the function that migrates all the chunks within a region and the\\nfunction that migrates all the entries within a chunk call\\nlist_first_entry() on the respective lists without checking that the\\nlists are not empty. This is incorrect usage of the API, which leads to\\nthe following warning [1].\\n\\nFix by returning if the lists are empty as there is nothing to migrate\\nin this case.\\n\\n[1]\\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\\nModules linked in:\\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\\n[...]\\nCall Trace:\\n \\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\\n process_one_work+0x151/0x370\\n worker_thread+0x2cb/0x3e0\\n kthread+0xd0/0x100\\n ret_from_fork+0x34/0x50\\n ret_from_fork_asm+0x1a/0x30\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36006\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36007", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36007" + }, + { + "url": "https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573" + }, + { + "url": "https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596" + }, + { + "url": "https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d" + }, + { + "url": "https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952" + }, + { + "url": "https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b" + }, + { + "url": "https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916" + }, + { + "url": "https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36007 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36007", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\n\nAs previously explained, the rehash delayed work migrates filters from\none region to another. This is done by iterating over all chunks (all\nthe filters with the same priority) in the region and in each chunk\niterating over all the filters.\n\nWhen the work runs out of credits it stores the current chunk and entry\nas markers in the per-work context so that it would know where to resume\nthe migration from the next time the work is scheduled.\n\nUpon error, the chunk marker is reset to NULL, but without resetting the\nentry markers despite being relative to it. This can result in migration\nbeing resumed from an entry that does not belong to the chunk being\nmigrated. In turn, this will eventually lead to a chunk being iterated\nover as if it is an entry. Because of how the two structures happen to\nbe defined, this does not lead to KASAN splats, but to warnings such as\n[1].\n\nFix by creating a helper that resets all the markers and call it from\nall the places the currently only reset the chunk marker. For good\nmeasures also call it when starting a completely new rehash. Add a\nwarning to avoid future cases.\n\n[1]\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\nModules linked in:\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36007\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36007\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36007\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36007\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36007\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573\",\n \"https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596\",\n \"https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d\",\n \"https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952\",\n \"https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b\",\n \"https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916\",\n \"https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\\n\\nAs previously explained, the rehash delayed work migrates filters from\\none region to another. This is done by iterating over all chunks (all\\nthe filters with the same priority) in the region and in each chunk\\niterating over all the filters.\\n\\nWhen the work runs out of credits it stores the current chunk and entry\\nas markers in the per-work context so that it would know where to resume\\nthe migration from the next time the work is scheduled.\\n\\nUpon error, the chunk marker is reset to NULL, but without resetting the\\nentry markers despite being relative to it. This can result in migration\\nbeing resumed from an entry that does not belong to the chunk being\\nmigrated. In turn, this will eventually lead to a chunk being iterated\\nover as if it is an entry. Because of how the two structures happen to\\nbe defined, this does not lead to KASAN splats, but to warnings such as\\n[1].\\n\\nFix by creating a helper that resets all the markers and call it from\\nall the places the currently only reset the chunk marker. For good\\nmeasures also call it when starting a completely new rehash. Add a\\nwarning to avoid future cases.\\n\\n[1]\\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\\nModules linked in:\\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\\n[...]\\nCall Trace:\\n \\n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\\n process_one_work+0x151/0x370\\n worker_thread+0x2cb/0x3e0\\n kthread+0xd0/0x100\\n ret_from_fork+0x34/0x50\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36007\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36008", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36008" + }, + { + "url": "https://git.kernel.org/stable/c/03b5a9b2b526862b21bcc31976e393a6e63785d1" + }, + { + "url": "https://git.kernel.org/stable/c/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1" + }, + { + "url": "https://git.kernel.org/stable/c/7a25bfd12733a8f38f8ca47c581f876c3d481ac0" + }, + { + "url": "https://git.kernel.org/stable/c/7da0f91681c4902bc5c210356fdd963b04d5d1d4" + }, + { + "url": "https://git.kernel.org/stable/c/8240c7308c941db4d9a0a91b54eca843c616a655" + }, + { + "url": "https://git.kernel.org/stable/c/c71ea3534ec0936fc57e6fb271c7cc6a2f68c295" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36008 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36008", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: check for NULL idev in ip_route_use_hint()\n\nsyzbot was able to trigger a NULL deref in fib_validate_source()\nin an old tree [1].\n\nIt appears the bug exists in latest trees.\n\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\nFS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\n ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\n ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\n ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\n ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\n __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\n __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\n __netif_receive_skb_list net/core/dev.c:5672 [inline]\n netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\n netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\n xdp_recv_frames net/bpf/test_run.c:257 [inline]\n xdp_test_run_batch net/bpf/test_run.c:335 [inline]\n bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\n bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\n bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\n __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\n __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36008\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36008\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36008\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36008\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36008\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03b5a9b2b526862b21bcc31976e393a6e63785d1\",\n \"https://git.kernel.org/stable/c/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1\",\n \"https://git.kernel.org/stable/c/7a25bfd12733a8f38f8ca47c581f876c3d481ac0\",\n \"https://git.kernel.org/stable/c/7da0f91681c4902bc5c210356fdd963b04d5d1d4\",\n \"https://git.kernel.org/stable/c/8240c7308c941db4d9a0a91b54eca843c616a655\",\n \"https://git.kernel.org/stable/c/c71ea3534ec0936fc57e6fb271c7cc6a2f68c295\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv4: check for NULL idev in ip_route_use_hint()\\n\\nsyzbot was able to trigger a NULL deref in fib_validate_source()\\nin an old tree [1].\\n\\nIt appears the bug exists in latest trees.\\n\\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\\n\\n[1]\\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\\nFS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\\n ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\\n ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\\n ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\\n ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\\n __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\\n __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\\n __netif_receive_skb_list net/core/dev.c:5672 [inline]\\n netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\\n netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\\n xdp_recv_frames net/bpf/test_run.c:257 [inline]\\n xdp_test_run_batch net/bpf/test_run.c:335 [inline]\\n bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\\n bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\\n bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\\n __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\\n __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\\n __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36008\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36009", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36009" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/0d14f104027e30720582448706c7d6b43065c851" + }, + { + "url": "https://git.kernel.org/stable/c/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b" + }, + { + "url": "https://git.kernel.org/stable/c/4fee8fa86a15d7790268eea458b1aec69c695530" + }, + { + "url": "https://git.kernel.org/stable/c/c42b073d9af4a5329b25b17390c63ab3847f30e8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36009 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36009", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix netdev refcount issue\n\nThe dev_tracker is added to ax25_cb in ax25_bind(). When the\nax25 device is detaching, the dev_tracker of ax25_cb should be\ndeallocated in ax25_kill_by_device() instead of the dev_tracker\nof ax25_dev. The log reported by ref_tracker is shown below:\n\n[ 80.884935] ref_tracker: reference already released.\n[ 80.885150] ref_tracker: allocated in:\n[ 80.885349] ax25_dev_device_up+0x105/0x540\n[ 80.885730] ax25_device_event+0xa4/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] __dev_notify_flags+0x138/0x280\n[ 80.885730] dev_change_flags+0xd7/0x180\n[ 80.885730] dev_ifsioc+0x6a9/0xa30\n[ 80.885730] dev_ioctl+0x4d8/0xd90\n[ 80.885730] sock_do_ioctl+0x1c2/0x2d0\n[ 80.885730] sock_ioctl+0x38b/0x4f0\n[ 80.885730] __se_sys_ioctl+0xad/0xf0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.885730] ref_tracker: freed in:\n[ 80.885730] ax25_device_event+0x272/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] dev_close_many+0x272/0x370\n[ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180\n[ 80.885730] unregister_netdev+0xcf/0x120\n[ 80.885730] sixpack_close+0x11f/0x1b0\n[ 80.885730] tty_ldisc_kill+0xcb/0x190\n[ 80.885730] tty_ldisc_hangup+0x338/0x3d0\n[ 80.885730] __tty_hangup+0x504/0x740\n[ 80.885730] tty_release+0x46e/0xd80\n[ 80.885730] __fput+0x37f/0x770\n[ 80.885730] __x64_sys_close+0x7b/0xb0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.893739] ------------[ cut here ]------------\n[ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0\n[ 80.894297] Modules linked in:\n[ 80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11\n[ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4\n[ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0\n[ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9\n[ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286\n[ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000\n[ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518\n[ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a\n[ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4\n[ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518\n[ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000\n[ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0\n...\n[ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at\n[ 80.935774] ax25_bind+0x424/0x4e0\n[ 80.935774] __sys_bind+0x1d9/0x270\n[ 80.935774] __x64_sys_bind+0x75/0x80\n[ 80.935774] do_syscall_64+0xc4/0x1b0\n[ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n\nChange ax25_dev->dev_tracker to the dev_tracker of ax25_cb\nin order to mitigate the bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36009\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36009\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36009\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36009\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36009\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/0d14f104027e30720582448706c7d6b43065c851\",\n \"https://git.kernel.org/stable/c/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b\",\n \"https://git.kernel.org/stable/c/4fee8fa86a15d7790268eea458b1aec69c695530\",\n \"https://git.kernel.org/stable/c/c42b073d9af4a5329b25b17390c63ab3847f30e8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nax25: Fix netdev refcount issue\\n\\nThe dev_tracker is added to ax25_cb in ax25_bind(). When the\\nax25 device is detaching, the dev_tracker of ax25_cb should be\\ndeallocated in ax25_kill_by_device() instead of the dev_tracker\\nof ax25_dev. The log reported by ref_tracker is shown below:\\n\\n[ 80.884935] ref_tracker: reference already released.\\n[ 80.885150] ref_tracker: allocated in:\\n[ 80.885349] ax25_dev_device_up+0x105/0x540\\n[ 80.885730] ax25_device_event+0xa4/0x420\\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\\n[ 80.885730] __dev_notify_flags+0x138/0x280\\n[ 80.885730] dev_change_flags+0xd7/0x180\\n[ 80.885730] dev_ifsioc+0x6a9/0xa30\\n[ 80.885730] dev_ioctl+0x4d8/0xd90\\n[ 80.885730] sock_do_ioctl+0x1c2/0x2d0\\n[ 80.885730] sock_ioctl+0x38b/0x4f0\\n[ 80.885730] __se_sys_ioctl+0xad/0xf0\\n[ 80.885730] do_syscall_64+0xc4/0x1b0\\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n[ 80.885730] ref_tracker: freed in:\\n[ 80.885730] ax25_device_event+0x272/0x420\\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\\n[ 80.885730] dev_close_many+0x272/0x370\\n[ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180\\n[ 80.885730] unregister_netdev+0xcf/0x120\\n[ 80.885730] sixpack_close+0x11f/0x1b0\\n[ 80.885730] tty_ldisc_kill+0xcb/0x190\\n[ 80.885730] tty_ldisc_hangup+0x338/0x3d0\\n[ 80.885730] __tty_hangup+0x504/0x740\\n[ 80.885730] tty_release+0x46e/0xd80\\n[ 80.885730] __fput+0x37f/0x770\\n[ 80.885730] __x64_sys_close+0x7b/0xb0\\n[ 80.885730] do_syscall_64+0xc4/0x1b0\\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n[ 80.893739] ------------[ cut here ]------------\\n[ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0\\n[ 80.894297] Modules linked in:\\n[ 80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11\\n[ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4\\n[ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0\\n[ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9\\n[ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286\\n[ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000\\n[ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518\\n[ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a\\n[ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4\\n[ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518\\n[ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000\\n[ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0\\n...\\n[ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at\\n[ 80.935774] ax25_bind+0x424/0x4e0\\n[ 80.935774] __sys_bind+0x1d9/0x270\\n[ 80.935774] __x64_sys_bind+0x75/0x80\\n[ 80.935774] do_syscall_64+0xc4/0x1b0\\n[ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n\\nChange ax25_dev->dev_tracker to the dev_tracker of ax25_cb\\nin order to mitigate the bug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36009\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36012", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36012" + }, + { + "url": "https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac" + }, + { + "url": "https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56" + }, + { + "url": "https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940" + }, + { + "url": "https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36012 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36012", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: msft: fix slab-use-after-free in msft_do_close()\n\nTying the msft->data lifetime to hdev by freeing it in\nhci_release_dev() to fix the following case:\n\n[use]\nmsft_do_close()\n msft = hdev->msft_data;\n if (!msft) ...(1) <- passed.\n return;\n mutex_lock(&msft->filter_lock); ...(4) <- used after freed.\n\n[free]\nmsft_unregister()\n msft = hdev->msft_data;\n hdev->msft_data = NULL; ...(2)\n kfree(msft); ...(3) <- msft is freed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30\nkernel/locking/mutex.c:752\nRead of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36012\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36012\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36012\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36012\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36012\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac\",\n \"https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56\",\n \"https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940\",\n \"https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: msft: fix slab-use-after-free in msft_do_close()\\n\\nTying the msft->data lifetime to hdev by freeing it in\\nhci_release_dev() to fix the following case:\\n\\n[use]\\nmsft_do_close()\\n msft = hdev->msft_data;\\n if (!msft) ...(1) <- passed.\\n return;\\n mutex_lock(&msft->filter_lock); ...(4) <- used after freed.\\n\\n[free]\\nmsft_unregister()\\n msft = hdev->msft_data;\\n hdev->msft_data = NULL; ...(2)\\n kfree(msft); ...(3) <- msft is freed.\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in __mutex_lock_common\\nkernel/locking/mutex.c:587 [inline]\\nBUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30\\nkernel/locking/mutex.c:752\\nRead of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36012\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36013", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36013" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658" + }, + { + "url": "https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6" + }, + { + "url": "https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36013 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36013", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()\n\nExtend a critical section to prevent chan from early freeing.\nAlso make the l2cap_connect() return type void. Nothing is using the\nreturned value but it is ugly to return a potentially freed pointer.\nMaking it void will help with backports because earlier kernels did use\nthe return value. Now the compile will break for kernels where this\npatch is not a complete fix.\n\nCall stack summary:\n\n[use]\nl2cap_bredr_sig_cmd\n l2cap_connect\n ┌ mutex_lock(&conn->chan_lock);\n │ chan = pchan->ops->new_connection(pchan); <- alloc chan\n │ __l2cap_chan_add(conn, chan);\n │ l2cap_chan_hold(chan);\n │ list_add(&chan->list, &conn->chan_l); ... (1)\n └ mutex_unlock(&conn->chan_lock);\n chan->conf_state ... (4) <- use after free\n\n[free]\nl2cap_conn_del\n┌ mutex_lock(&conn->chan_lock);\n│ foreach chan in conn->chan_l: ... (2)\n│ l2cap_chan_put(chan);\n│ l2cap_chan_destroy\n│ kfree(chan) ... (3) <- chan freed\n└ mutex_unlock(&conn->chan_lock);\n\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read\ninclude/linux/instrumented.h:68 [inline]\nBUG: KASAN: slab-use-after-free in _test_bit\ninclude/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0\nnet/bluetooth/l2cap_core.c:4260\nRead of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36013\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36013\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36013\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36013\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36013\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658\",\n \"https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6\",\n \"https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()\\n\\nExtend a critical section to prevent chan from early freeing.\\nAlso make the l2cap_connect() return type void. Nothing is using the\\nreturned value but it is ugly to return a potentially freed pointer.\\nMaking it void will help with backports because earlier kernels did use\\nthe return value. Now the compile will break for kernels where this\\npatch is not a complete fix.\\n\\nCall stack summary:\\n\\n[use]\\nl2cap_bredr_sig_cmd\\n l2cap_connect\\n ┌ mutex_lock(&conn->chan_lock);\\n │ chan = pchan->ops->new_connection(pchan); <- alloc chan\\n │ __l2cap_chan_add(conn, chan);\\n │ l2cap_chan_hold(chan);\\n │ list_add(&chan->list, &conn->chan_l); ... (1)\\n └ mutex_unlock(&conn->chan_lock);\\n chan->conf_state ... (4) <- use after free\\n\\n[free]\\nl2cap_conn_del\\n┌ mutex_lock(&conn->chan_lock);\\n│ foreach chan in conn->chan_l: ... (2)\\n│ l2cap_chan_put(chan);\\n│ l2cap_chan_destroy\\n│ kfree(chan) ... (3) <- chan freed\\n└ mutex_unlock(&conn->chan_lock);\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in instrument_atomic_read\\ninclude/linux/instrumented.h:68 [inline]\\nBUG: KASAN: slab-use-after-free in _test_bit\\ninclude/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\\nBUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0\\nnet/bluetooth/l2cap_core.c:4260\\nRead of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.8,\n \"exploitabilityScore\": 0.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36013\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36014", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36014" + }, + { + "url": "https://git.kernel.org/stable/c/335cc45ef2b81b68be63c698b4f867a530bdf7a5" + }, + { + "url": "https://git.kernel.org/stable/c/3e54d4e95120641216dfe91a6c49f116a9f68490" + }, + { + "url": "https://git.kernel.org/stable/c/565d9ad7e5a18eb69ed8b66a9e9bb3f45346520c" + }, + { + "url": "https://git.kernel.org/stable/c/93f76ec1eddce60dbb5885cbc0d7df54adee4639" + }, + { + "url": "https://git.kernel.org/stable/c/a1f95aede6285dba6dd036d907196f35ae3a11ea" + }, + { + "url": "https://git.kernel.org/stable/c/a5fa5b40a278a3ca978fed64707bd27614adb1eb" + }, + { + "url": "https://git.kernel.org/stable/c/b6cc5dd06336ed8bb3a7a1fc5aaf7d5e88bc0818" + }, + { + "url": "https://git.kernel.org/stable/c/b77620730f614059db2470e8ebab3e725280fc6d" + }, + { + "url": "https://git.kernel.org/stable/c/e4b52d49383306ef73fd1bd9102538beebb0fe07" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36014 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36014", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/arm/malidp: fix a possible null pointer dereference\n\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36014\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36014\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36014\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36014\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36014\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/335cc45ef2b81b68be63c698b4f867a530bdf7a5\",\n \"https://git.kernel.org/stable/c/3e54d4e95120641216dfe91a6c49f116a9f68490\",\n \"https://git.kernel.org/stable/c/565d9ad7e5a18eb69ed8b66a9e9bb3f45346520c\",\n \"https://git.kernel.org/stable/c/93f76ec1eddce60dbb5885cbc0d7df54adee4639\",\n \"https://git.kernel.org/stable/c/a1f95aede6285dba6dd036d907196f35ae3a11ea\",\n \"https://git.kernel.org/stable/c/a5fa5b40a278a3ca978fed64707bd27614adb1eb\",\n \"https://git.kernel.org/stable/c/b6cc5dd06336ed8bb3a7a1fc5aaf7d5e88bc0818\",\n \"https://git.kernel.org/stable/c/b77620730f614059db2470e8ebab3e725280fc6d\",\n \"https://git.kernel.org/stable/c/e4b52d49383306ef73fd1bd9102538beebb0fe07\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/arm/malidp: fix a possible null pointer dereference\\n\\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\\nno check is performed. In order to prevent null pointer dereferencing,\\nensure that mw_state is checked before calling\\n__drm_atomic_helper_connector_reset.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36014\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36015", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36015" + }, + { + "url": "https://git.kernel.org/stable/c/5d5b24edad1107a2ffa99058f20f6aeeafeb5d39" + }, + { + "url": "https://git.kernel.org/stable/c/65cd017d43f4319a56747d38308b0a24cf57299e" + }, + { + "url": "https://git.kernel.org/stable/c/b65d0410b879af0295d22438a4a32012786d152a" + }, + { + "url": "https://git.kernel.org/stable/c/b8c6b83cc3adff3ddf403c8c7063fe6d08b2b9d9" + }, + { + "url": "https://git.kernel.org/stable/c/d32caf51379a4d71db03d3d4d7c22d27cdf7f68b" + }, + { + "url": "https://git.kernel.org/stable/c/df9329247dbbf00f6057e002139ab3fa529ad828" + }, + { + "url": "https://git.kernel.org/stable/c/ec3468221efec6660ff656e9ebe51ced3520fc57" + }, + { + "url": "https://git.kernel.org/stable/c/fbf740aeb86a4fe82ad158d26d711f2f3be79b3e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36015 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36015", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nppdev: Add an error check in register_device\n\nIn register_device, the return value of ida_simple_get is unchecked,\nin witch ida_simple_get will use an invalid index value.\n\nTo address this issue, index should be checked after ida_simple_get. When\nthe index value is abnormal, a warning message should be printed, the port\nshould be dropped, and the value should be recorded.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36015\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36015\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36015\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36015\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36015\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5d5b24edad1107a2ffa99058f20f6aeeafeb5d39\",\n \"https://git.kernel.org/stable/c/65cd017d43f4319a56747d38308b0a24cf57299e\",\n \"https://git.kernel.org/stable/c/b65d0410b879af0295d22438a4a32012786d152a\",\n \"https://git.kernel.org/stable/c/b8c6b83cc3adff3ddf403c8c7063fe6d08b2b9d9\",\n \"https://git.kernel.org/stable/c/d32caf51379a4d71db03d3d4d7c22d27cdf7f68b\",\n \"https://git.kernel.org/stable/c/df9329247dbbf00f6057e002139ab3fa529ad828\",\n \"https://git.kernel.org/stable/c/ec3468221efec6660ff656e9ebe51ced3520fc57\",\n \"https://git.kernel.org/stable/c/fbf740aeb86a4fe82ad158d26d711f2f3be79b3e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nppdev: Add an error check in register_device\\n\\nIn register_device, the return value of ida_simple_get is unchecked,\\nin witch ida_simple_get will use an invalid index value.\\n\\nTo address this issue, index should be checked after ida_simple_get. When\\nthe index value is abnormal, a warning message should be printed, the port\\nshould be dropped, and the value should be recorded.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36015\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36016", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36016" + }, + { + "url": "https://git.kernel.org/stable/c/0fb736c9931e02dbc7d9a75044c8e1c039e50f04" + }, + { + "url": "https://git.kernel.org/stable/c/46f52c89a7e7d2691b97a9728e4591d071ca8abc" + }, + { + "url": "https://git.kernel.org/stable/c/47388e807f85948eefc403a8a5fdc5b406a65d5a" + }, + { + "url": "https://git.kernel.org/stable/c/4c267110fc110390704cc065edb9817fdd10ff54" + }, + { + "url": "https://git.kernel.org/stable/c/774d83b008eccb1c48c14dc5486e7aa255731350" + }, + { + "url": "https://git.kernel.org/stable/c/9513d4148950b05bc99fa7314dc883cc0e1605e5" + }, + { + "url": "https://git.kernel.org/stable/c/b229bc6c6ea9fe459fc3fa94fd0a27a2f32aca56" + }, + { + "url": "https://git.kernel.org/stable/c/b890d45aaf02b564e6cae2d2a590f9649330857d" + }, + { + "url": "https://git.kernel.org/stable/c/f126ce7305fe88f49cdabc6db4168b9318898ea3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36016 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36016", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\n\nAssuming the following:\n- side A configures the n_gsm in basic option mode\n- side B sends the header of a basic option mode frame with data length 1\n- side A switches to advanced option mode\n- side B sends 2 data bytes which exceeds gsm->len\n Reason: gsm->len is not used in advanced option mode.\n- side A switches to basic option mode\n- side B keeps sending until gsm0_receive() writes past gsm->buf\n Reason: Neither gsm->state nor gsm->len have been reset after\n reconfiguration.\n\nFix this by changing gsm->count to gsm->len comparison from equal to less\nthan. Also add upper limit checks against the constant MAX_MRU in\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\ngsm->len and gsm->mru.\n\nAll other checks remain as we still need to limit the data according to the\nuser configuration and actual payload size.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36016\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36016\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36016\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36016\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36016\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0fb736c9931e02dbc7d9a75044c8e1c039e50f04\",\n \"https://git.kernel.org/stable/c/46f52c89a7e7d2691b97a9728e4591d071ca8abc\",\n \"https://git.kernel.org/stable/c/47388e807f85948eefc403a8a5fdc5b406a65d5a\",\n \"https://git.kernel.org/stable/c/4c267110fc110390704cc065edb9817fdd10ff54\",\n \"https://git.kernel.org/stable/c/774d83b008eccb1c48c14dc5486e7aa255731350\",\n \"https://git.kernel.org/stable/c/9513d4148950b05bc99fa7314dc883cc0e1605e5\",\n \"https://git.kernel.org/stable/c/b229bc6c6ea9fe459fc3fa94fd0a27a2f32aca56\",\n \"https://git.kernel.org/stable/c/b890d45aaf02b564e6cae2d2a590f9649330857d\",\n \"https://git.kernel.org/stable/c/f126ce7305fe88f49cdabc6db4168b9318898ea3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\\n\\nAssuming the following:\\n- side A configures the n_gsm in basic option mode\\n- side B sends the header of a basic option mode frame with data length 1\\n- side A switches to advanced option mode\\n- side B sends 2 data bytes which exceeds gsm->len\\n Reason: gsm->len is not used in advanced option mode.\\n- side A switches to basic option mode\\n- side B keeps sending until gsm0_receive() writes past gsm->buf\\n Reason: Neither gsm->state nor gsm->len have been reset after\\n reconfiguration.\\n\\nFix this by changing gsm->count to gsm->len comparison from equal to less\\nthan. Also add upper limit checks against the constant MAX_MRU in\\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\\ngsm->len and gsm->mru.\\n\\nAll other checks remain as we still need to limit the data according to the\\nuser configuration and actual payload size.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.7,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36016\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36017", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36017" + }, + { + "url": "https://git.kernel.org/stable/c/1aec77b2bb2ed1db0f5efc61c4c1ca3813307489" + }, + { + "url": "https://git.kernel.org/stable/c/206003c748b88890a910ef7142d18f77be57550b" + }, + { + "url": "https://git.kernel.org/stable/c/4a4b9757789a1551d2df130df23bfb3545bfa7e8" + }, + { + "url": "https://git.kernel.org/stable/c/5e7ef2d88666a0212db8c38e6703864b9ce70169" + }, + { + "url": "https://git.kernel.org/stable/c/6c8f44b02500c7d14b5e6618fe4ef9a0da47b3de" + }, + { + "url": "https://git.kernel.org/stable/c/6e4c7193954f4faab92f6e8d88bc5565317b44e7" + }, + { + "url": "https://git.kernel.org/stable/c/8ac69ff2d0d5be9734c4402de932aa3dc8549c1a" + }, + { + "url": "https://git.kernel.org/stable/c/f3c1bf3054f96ddeab0621d920445bada769b40e" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36017 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36017", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\n\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\nis not enough and a too small attribute might be cast to a\nstruct ifla_vf_vlan_info, this might result in an out of bands\nread access when accessing the saved (casted) entry in ivvl.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36017\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36017\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36017\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36017\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36017\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1aec77b2bb2ed1db0f5efc61c4c1ca3813307489\",\n \"https://git.kernel.org/stable/c/206003c748b88890a910ef7142d18f77be57550b\",\n \"https://git.kernel.org/stable/c/4a4b9757789a1551d2df130df23bfb3545bfa7e8\",\n \"https://git.kernel.org/stable/c/5e7ef2d88666a0212db8c38e6703864b9ce70169\",\n \"https://git.kernel.org/stable/c/6c8f44b02500c7d14b5e6618fe4ef9a0da47b3de\",\n \"https://git.kernel.org/stable/c/6e4c7193954f4faab92f6e8d88bc5565317b44e7\",\n \"https://git.kernel.org/stable/c/8ac69ff2d0d5be9734c4402de932aa3dc8549c1a\",\n \"https://git.kernel.org/stable/c/f3c1bf3054f96ddeab0621d920445bada769b40e\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\\n\\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\\nis not enough and a too small attribute might be cast to a\\nstruct ifla_vf_vlan_info, this might result in an out of bands\\nread access when accessing the saved (casted) entry in ivvl.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36017\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36020", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36020" + }, + { + "url": "https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6" + }, + { + "url": "https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0" + }, + { + "url": "https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba" + }, + { + "url": "https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31" + }, + { + "url": "https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a" + }, + { + "url": "https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c" + }, + { + "url": "https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d" + }, + { + "url": "https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36020 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36020", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix vf may be used uninitialized in this function warning\n\nTo fix the regression introduced by commit 52424f974bc5, which causes\nservers hang in very hard to reproduce conditions with resets races.\nUsing two sources for the information is the root cause.\nIn this function before the fix bumping v didn't mean bumping vf\npointer. But the code used this variables interchangeably, so stale vf\ncould point to different/not intended vf.\n\nRemove redundant \"v\" variable and iterate via single VF pointer across\nwhole function instead to guarantee VF pointer validity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36020\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36020\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36020\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36020\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36020\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6\",\n \"https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0\",\n \"https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba\",\n \"https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31\",\n \"https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a\",\n \"https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c\",\n \"https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d\",\n \"https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni40e: fix vf may be used uninitialized in this function warning\\n\\nTo fix the regression introduced by commit 52424f974bc5, which causes\\nservers hang in very hard to reproduce conditions with resets races.\\nUsing two sources for the information is the root cause.\\nIn this function before the fix bumping v didn't mean bumping vf\\npointer. But the code used this variables interchangeably, so stale vf\\ncould point to different/not intended vf.\\n\\nRemove redundant \\\"v\\\" variable and iterate via single VF pointer across\\nwhole function instead to guarantee VF pointer validity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36020\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36021", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36021" + }, + { + "url": "https://git.kernel.org/stable/c/1b550dae55901c2cc9075d6a7155a71b4f516e86" + }, + { + "url": "https://git.kernel.org/stable/c/50b69054f455dcdb34bd6b22764c7579b270eef3" + }, + { + "url": "https://git.kernel.org/stable/c/7ca0f73e5e2da3c129935b97f3a0877cce8ebdf5" + }, + { + "url": "https://git.kernel.org/stable/c/93305b77ffcb042f1538ecc383505e87d95aa05a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36021 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36021", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when devlink reload during pf initialization\n\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash. This patch fixes this by taking devl_lock during initialization.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36021\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36021\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36021\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36021\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36021\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b550dae55901c2cc9075d6a7155a71b4f516e86\",\n \"https://git.kernel.org/stable/c/50b69054f455dcdb34bd6b22764c7579b270eef3\",\n \"https://git.kernel.org/stable/c/7ca0f73e5e2da3c129935b97f3a0877cce8ebdf5\",\n \"https://git.kernel.org/stable/c/93305b77ffcb042f1538ecc383505e87d95aa05a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: hns3: fix kernel crash when devlink reload during pf initialization\\n\\nThe devlink reload process will access the hardware resources,\\nbut the register operation is done before the hardware is initialized.\\nSo, processing the devlink reload during initialization may lead to kernel\\ncrash. This patch fixes this by taking devl_lock during initialization.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36021\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36022", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36022" + }, + { + "url": "https://git.kernel.org/stable/c/4f8154f775197d0021b690c2945d6a4d8094c8f6" + }, + { + "url": "https://git.kernel.org/stable/c/f679fd6057fbf5ab34aaee28d58b7f81af0cbf48" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36022 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36022", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Init zone device and drm client after mode-1 reset on reload\n\nIn passthrough environment, when amdgpu is reloaded after unload, mode-1\nis triggered after initializing the necessary IPs, That init does not\ninclude KFD, and KFD init waits until the reset is completed. KFD init\nis called in the reset handler, but in this case, the zone device and\ndrm client is not initialized, causing app to create kernel panic.\n\nv2: Removing the init KFD condition from amdgpu_amdkfd_drm_client_create.\nAs the previous version has the potential of creating DRM client twice.\n\nv3: v2 patch results in SDMA engine hung as DRM open causes VM clear to SDMA\nbefore SDMA init. Adding the condition to in drm client creation, on top of v1,\nto guard against drm client creation call multiple times.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36022\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36022\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36022\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36022\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36022\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4f8154f775197d0021b690c2945d6a4d8094c8f6\",\n \"https://git.kernel.org/stable/c/f679fd6057fbf5ab34aaee28d58b7f81af0cbf48\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Init zone device and drm client after mode-1 reset on reload\\n\\nIn passthrough environment, when amdgpu is reloaded after unload, mode-1\\nis triggered after initializing the necessary IPs, That init does not\\ninclude KFD, and KFD init waits until the reset is completed. KFD init\\nis called in the reset handler, but in this case, the zone device and\\ndrm client is not initialized, causing app to create kernel panic.\\n\\nv2: Removing the init KFD condition from amdgpu_amdkfd_drm_client_create.\\nAs the previous version has the potential of creating DRM client twice.\\n\\nv3: v2 patch results in SDMA engine hung as DRM open causes VM clear to SDMA\\nbefore SDMA init. Adding the condition to in drm client creation, on top of v1,\\nto guard against drm client creation call multiple times.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36022\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36024", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36024" + }, + { + "url": "https://git.kernel.org/stable/c/2aac387445610d6dfd681f5214388e86f5677ef7" + }, + { + "url": "https://git.kernel.org/stable/c/6226a5aa77370329e01ee8abe50a95e60618ce97" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36024 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36024", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Disable idle reallow as part of command/gpint execution\n\n[Why]\nWorkaroud for a race condition where DMCUB is in the process of\ncommitting to IPS1 during the handshake causing us to miss the\ntransition into IPS2 and touch the INBOX1 RPTR causing a HW hang.\n\n[How]\nDisable the reallow to ensure that we have enough of a gap between entry\nand exit and we're not seeing back-to-back wake_and_executes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36024\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36024\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36024\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36024\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36024\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2aac387445610d6dfd681f5214388e86f5677ef7\",\n \"https://git.kernel.org/stable/c/6226a5aa77370329e01ee8abe50a95e60618ce97\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Disable idle reallow as part of command/gpint execution\\n\\n[Why]\\nWorkaroud for a race condition where DMCUB is in the process of\\ncommitting to IPS1 during the handshake causing us to miss the\\ntransition into IPS2 and touch the INBOX1 RPTR causing a HW hang.\\n\\n[How]\\nDisable the reallow to ensure that we have enough of a gap between entry\\nand exit and we're not seeing back-to-back wake_and_executes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36024\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36025", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36025" + }, + { + "url": "https://git.kernel.org/stable/c/4406e4176f47177f5e51b4cc7e6a7a2ff3dbfbbd" + }, + { + "url": "https://git.kernel.org/stable/c/60b87b5ecbe07d70897d35947b0bb3e76ccd1b3a" + }, + { + "url": "https://git.kernel.org/stable/c/8c820f7c8e9b46238d277c575392fe9930207aab" + }, + { + "url": "https://git.kernel.org/stable/c/9fc74e367be4247a5ac39bb8ec41eaa73fade510" + }, + { + "url": "https://git.kernel.org/stable/c/ea8ac95c22c93acecb710209a7fd10b851afe817" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36025 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36025", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix off by one in qla_edif_app_getstats()\n\nThe app_reply->elem[] array is allocated earlier in this function and it\nhas app_req.num_ports elements. Thus this > comparison needs to be >= to\nprevent memory corruption.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36025\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36025\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36025\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36025\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36025\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4406e4176f47177f5e51b4cc7e6a7a2ff3dbfbbd\",\n \"https://git.kernel.org/stable/c/60b87b5ecbe07d70897d35947b0bb3e76ccd1b3a\",\n \"https://git.kernel.org/stable/c/8c820f7c8e9b46238d277c575392fe9930207aab\",\n \"https://git.kernel.org/stable/c/9fc74e367be4247a5ac39bb8ec41eaa73fade510\",\n \"https://git.kernel.org/stable/c/ea8ac95c22c93acecb710209a7fd10b851afe817\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Fix off by one in qla_edif_app_getstats()\\n\\nThe app_reply->elem[] array is allocated earlier in this function and it\\nhas app_req.num_ports elements. Thus this > comparison needs to be >= to\\nprevent memory corruption.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36025\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36026", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36026" + }, + { + "url": "https://git.kernel.org/stable/c/1e3b8874d55c0c28378beb9007494a7a9269a5f5" + }, + { + "url": "https://git.kernel.org/stable/c/31729e8c21ecfd671458e02b6511eb68c2225113" + }, + { + "url": "https://git.kernel.org/stable/c/7521329e54931ede9e042bbf5f4f812b5bc4a01d" + }, + { + "url": "https://git.kernel.org/stable/c/bd9b94055c3deb2398ee4490c1dfdf03f53efb8f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36026 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36026", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11\n\nWhile doing multiple S4 stress tests, GC/RLC/PMFW get into\nan invalid state resulting into hard hangs.\n\nAdding a GFX reset as workaround just before sending the\nMP1_UNLOAD message avoids this failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36026\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36026\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36026\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36026\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36026\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e3b8874d55c0c28378beb9007494a7a9269a5f5\",\n \"https://git.kernel.org/stable/c/31729e8c21ecfd671458e02b6511eb68c2225113\",\n \"https://git.kernel.org/stable/c/7521329e54931ede9e042bbf5f4f812b5bc4a01d\",\n \"https://git.kernel.org/stable/c/bd9b94055c3deb2398ee4490c1dfdf03f53efb8f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11\\n\\nWhile doing multiple S4 stress tests, GC/RLC/PMFW get into\\nan invalid state resulting into hard hangs.\\n\\nAdding a GFX reset as workaround just before sending the\\nMP1_UNLOAD message avoids this failure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36026\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36029", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36029" + }, + { + "url": "https://git.kernel.org/stable/c/1200481cd6069d16ce20133bcd86f5825e26a045" + }, + { + "url": "https://git.kernel.org/stable/c/56b99a52229d7f8cd1f53d899f57aa7eb4b199af" + }, + { + "url": "https://git.kernel.org/stable/c/a957ea5aa3d3518067a1ba32c6127322ad348d20" + }, + { + "url": "https://git.kernel.org/stable/c/f653b04a818c490b045c97834d559911479aa1c5" + }, + { + "url": "https://git.kernel.org/stable/c/f8def10f73a516b771051a2f70f2f0446902cb4f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36029 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36029", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-msm: pervent access to suspended controller\n\nGeneric sdhci code registers LED device and uses host->runtime_suspended\nflag to protect access to it. The sdhci-msm driver doesn't set this flag,\nwhich causes a crash when LED is accessed while controller is runtime\nsuspended. Fix this by setting the flag correctly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36029\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36029\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36029\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36029\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36029\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1200481cd6069d16ce20133bcd86f5825e26a045\",\n \"https://git.kernel.org/stable/c/56b99a52229d7f8cd1f53d899f57aa7eb4b199af\",\n \"https://git.kernel.org/stable/c/a957ea5aa3d3518067a1ba32c6127322ad348d20\",\n \"https://git.kernel.org/stable/c/f653b04a818c490b045c97834d559911479aa1c5\",\n \"https://git.kernel.org/stable/c/f8def10f73a516b771051a2f70f2f0446902cb4f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmmc: sdhci-msm: pervent access to suspended controller\\n\\nGeneric sdhci code registers LED device and uses host->runtime_suspended\\nflag to protect access to it. The sdhci-msm driver doesn't set this flag,\\nwhich causes a crash when LED is accessed while controller is runtime\\nsuspended. Fix this by setting the flag correctly.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36029\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36031", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36031" + }, + { + "url": "https://git.kernel.org/stable/c/25777f3f4e1f371d16a594925f31e37ce07b6ec7" + }, + { + "url": "https://git.kernel.org/stable/c/939a08bcd4334bad4b201e60bd0ae1f278d71d41" + }, + { + "url": "https://git.kernel.org/stable/c/9da27fb65a14c18efd4473e2e82b76b53ba60252" + }, + { + "url": "https://git.kernel.org/stable/c/ad2011ea787928b2accb5134f1e423b11fe80a8a" + }, + { + "url": "https://git.kernel.org/stable/c/cc219cb8afbc40ec100c0de941047bb29373126a" + }, + { + "url": "https://git.kernel.org/stable/c/e4519a016650e952ad9eb27937f8c447d5a4e06d" + }, + { + "url": "https://git.kernel.org/stable/c/ed79b93f725cd0da39a265dc23d77add1527b9be" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36031 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36031", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nkeys: Fix overwrite of key expiration on instantiation\n\nThe expiry time of a key is unconditionally overwritten during\ninstantiation, defaulting to turn it permanent. This causes a problem\nfor DNS resolution as the expiration set by user-space is overwritten to\nTIME64_MAX, disabling further DNS updates. Fix this by restoring the\ncondition that key_set_expiry is only called when the pre-parser sets a\nspecific expiry.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36031\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36031\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36031\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36031\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36031\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25777f3f4e1f371d16a594925f31e37ce07b6ec7\",\n \"https://git.kernel.org/stable/c/939a08bcd4334bad4b201e60bd0ae1f278d71d41\",\n \"https://git.kernel.org/stable/c/9da27fb65a14c18efd4473e2e82b76b53ba60252\",\n \"https://git.kernel.org/stable/c/ad2011ea787928b2accb5134f1e423b11fe80a8a\",\n \"https://git.kernel.org/stable/c/cc219cb8afbc40ec100c0de941047bb29373126a\",\n \"https://git.kernel.org/stable/c/e4519a016650e952ad9eb27937f8c447d5a4e06d\",\n \"https://git.kernel.org/stable/c/ed79b93f725cd0da39a265dc23d77add1527b9be\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkeys: Fix overwrite of key expiration on instantiation\\n\\nThe expiry time of a key is unconditionally overwritten during\\ninstantiation, defaulting to turn it permanent. This causes a problem\\nfor DNS resolution as the expiration set by user-space is overwritten to\\nTIME64_MAX, disabling further DNS updates. Fix this by restoring the\\ncondition that key_set_expiry is only called when the pre-parser sets a\\nspecific expiry.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36031\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36032", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36032" + }, + { + "url": "https://git.kernel.org/stable/c/57062aa13e87b1a78a4a8f6cb5fab6ba24f5f488" + }, + { + "url": "https://git.kernel.org/stable/c/62d5550ab62042dcceaf18844d0feadbb962cffe" + }, + { + "url": "https://git.kernel.org/stable/c/6b63e0ef4d3ce0080395e5091fba2023f246c45a" + }, + { + "url": "https://git.kernel.org/stable/c/a571044cc0a0c944e7c12237b6768aeedd7480e1" + }, + { + "url": "https://git.kernel.org/stable/c/cda0d6a198e2a7ec6f176c36173a57bdd8af7af2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36032 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36032", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix info leak when fetching fw build id\n\nAdd the missing sanity checks and move the 255-byte build-id buffer off\nthe stack to avoid leaking stack data through debugfs in case the\nbuild-info reply is malformed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36032\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36032\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36032\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/57062aa13e87b1a78a4a8f6cb5fab6ba24f5f488\",\n \"https://git.kernel.org/stable/c/62d5550ab62042dcceaf18844d0feadbb962cffe\",\n \"https://git.kernel.org/stable/c/6b63e0ef4d3ce0080395e5091fba2023f246c45a\",\n \"https://git.kernel.org/stable/c/a571044cc0a0c944e7c12237b6768aeedd7480e1\",\n \"https://git.kernel.org/stable/c/cda0d6a198e2a7ec6f176c36173a57bdd8af7af2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: qca: fix info leak when fetching fw build id\\n\\nAdd the missing sanity checks and move the 255-byte build-id buffer off\\nthe stack to avoid leaking stack data through debugfs in case the\\nbuild-info reply is malformed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36032\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36244", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36244" + }, + { + "url": "https://git.kernel.org/stable/c/91f249b01fe490fce11fbb4307952ca8cce78724" + }, + { + "url": "https://git.kernel.org/stable/c/b939d1e04a90248b4cdf417b0969c270ceb992b2" + }, + { + "url": "https://git.kernel.org/stable/c/fb66df20a7201e60f2b13d7f95d031b31a8831d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36244 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36244", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: extend minimum interval restriction to entire cycle too\n\nIt is possible for syzbot to side-step the restriction imposed by the\nblamed commit in the Fixes: tag, because the taprio UAPI permits a\ncycle-time different from (and potentially shorter than) the sum of\nentry intervals.\n\nWe need one more restriction, which is that the cycle time itself must\nbe larger than N * ETH_ZLEN bit times, where N is the number of schedule\nentries. This restriction needs to apply regardless of whether the cycle\ntime came from the user or was the implicit, auto-calculated value, so\nwe move the existing \"cycle == 0\" check outside the \"if \"(!new->cycle_time)\"\nbranch. This way covers both conditions and scenarios.\n\nAdd a selftest which illustrates the issue triggered by syzbot.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36244\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36244\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36244\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36244\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36244\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/91f249b01fe490fce11fbb4307952ca8cce78724\",\n \"https://git.kernel.org/stable/c/b939d1e04a90248b4cdf417b0969c270ceb992b2\",\n \"https://git.kernel.org/stable/c/fb66df20a7201e60f2b13d7f95d031b31a8831d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: taprio: extend minimum interval restriction to entire cycle too\\n\\nIt is possible for syzbot to side-step the restriction imposed by the\\nblamed commit in the Fixes: tag, because the taprio UAPI permits a\\ncycle-time different from (and potentially shorter than) the sum of\\nentry intervals.\\n\\nWe need one more restriction, which is that the cycle time itself must\\nbe larger than N * ETH_ZLEN bit times, where N is the number of schedule\\nentries. This restriction needs to apply regardless of whether the cycle\\ntime came from the user or was the implicit, auto-calculated value, so\\nwe move the existing \\\"cycle == 0\\\" check outside the \\\"if \\\"(!new->cycle_time)\\\"\\nbranch. This way covers both conditions and scenarios.\\n\\nAdd a selftest which illustrates the issue triggered by syzbot.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36244\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36270", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36270" + }, + { + "url": "https://git.kernel.org/stable/c/07eeedafc59c45fe5de43958128542be3784764c" + }, + { + "url": "https://git.kernel.org/stable/c/10f0af5234dafd03d2b75233428ec3f11cf7e43d" + }, + { + "url": "https://git.kernel.org/stable/c/21a673bddc8fd4873c370caf9ae70ffc6d47e8d3" + }, + { + "url": "https://git.kernel.org/stable/c/570b4c52096e62fda562448f5760fd0ff06110f0" + }, + { + "url": "https://git.kernel.org/stable/c/6fe5af4ff06db3d4d80e07a19356640428159f03" + }, + { + "url": "https://git.kernel.org/stable/c/819bfeca16eb9ad647ddcae25e7e12c30612147c" + }, + { + "url": "https://git.kernel.org/stable/c/caf3a8afb5ea00db6d5398adf148d5534615fd80" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36270 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36270", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: tproxy: bail out if IP has been disabled on the device\n\nsyzbot reports:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n[..]\nRIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62\nCall Trace:\n nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]\n nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168\n\n__in_dev_get_rcu() can return NULL, so check for this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36270\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36270\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36270\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36270\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36270\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07eeedafc59c45fe5de43958128542be3784764c\",\n \"https://git.kernel.org/stable/c/10f0af5234dafd03d2b75233428ec3f11cf7e43d\",\n \"https://git.kernel.org/stable/c/21a673bddc8fd4873c370caf9ae70ffc6d47e8d3\",\n \"https://git.kernel.org/stable/c/570b4c52096e62fda562448f5760fd0ff06110f0\",\n \"https://git.kernel.org/stable/c/6fe5af4ff06db3d4d80e07a19356640428159f03\",\n \"https://git.kernel.org/stable/c/819bfeca16eb9ad647ddcae25e7e12c30612147c\",\n \"https://git.kernel.org/stable/c/caf3a8afb5ea00db6d5398adf148d5534615fd80\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: tproxy: bail out if IP has been disabled on the device\\n\\nsyzbot reports:\\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\\n[..]\\nRIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62\\nCall Trace:\\n nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]\\n nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168\\n\\n__in_dev_get_rcu() can return NULL, so check for this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36270\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36286", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36286" + }, + { + "url": "https://git.kernel.org/stable/c/215df6490e208bfdd5b3012f5075e7f8736f3e7a" + }, + { + "url": "https://git.kernel.org/stable/c/25ea5377e3d2921a0f96ae2551f5ab1b36825dd4" + }, + { + "url": "https://git.kernel.org/stable/c/3989b817857f4890fab9379221a9d3f52bf5c256" + }, + { + "url": "https://git.kernel.org/stable/c/68f40354a3851df46c27be96b84f11ae193e36c5" + }, + { + "url": "https://git.kernel.org/stable/c/8658bd777cbfcb0c13df23d0ea120e70517761b9" + }, + { + "url": "https://git.kernel.org/stable/c/8f365564af898819a523f1a8cf5c6ce053e9f718" + }, + { + "url": "https://git.kernel.org/stable/c/dc21c6cc3d6986d938efbf95de62473982c98dec" + }, + { + "url": "https://git.kernel.org/stable/c/e01065b339e323b3dfa1be217fd89e9b3208b0ab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36286 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36286", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()\n\nsyzbot reported that nf_reinject() could be called without rcu_read_lock() :\n\nWARNING: suspicious RCU usage\n6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted\n\nnet/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by syz-executor.4/13427:\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172\n\nstack backtrace:\nCPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]\n nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397\n nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]\n instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172\n rcu_do_batch kernel/rcu/tree.c:2196 [inline]\n rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471\n handle_softirqs+0x2d6/0x990 kernel/softirq.c:554\n __do_softirq kernel/softirq.c:588 [inline]\n invoke_softirq kernel/softirq.c:428 [inline]\n __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:649\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n \n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36286\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36286\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36286\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36286\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36286\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/215df6490e208bfdd5b3012f5075e7f8736f3e7a\",\n \"https://git.kernel.org/stable/c/25ea5377e3d2921a0f96ae2551f5ab1b36825dd4\",\n \"https://git.kernel.org/stable/c/3989b817857f4890fab9379221a9d3f52bf5c256\",\n \"https://git.kernel.org/stable/c/68f40354a3851df46c27be96b84f11ae193e36c5\",\n \"https://git.kernel.org/stable/c/8658bd777cbfcb0c13df23d0ea120e70517761b9\",\n \"https://git.kernel.org/stable/c/8f365564af898819a523f1a8cf5c6ce053e9f718\",\n \"https://git.kernel.org/stable/c/dc21c6cc3d6986d938efbf95de62473982c98dec\",\n \"https://git.kernel.org/stable/c/e01065b339e323b3dfa1be217fd89e9b3208b0ab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()\\n\\nsyzbot reported that nf_reinject() could be called without rcu_read_lock() :\\n\\nWARNING: suspicious RCU usage\\n6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted\\n\\nnet/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!\\n\\nother info that might help us debug this:\\n\\nrcu_scheduler_active = 2, debug_locks = 1\\n2 locks held by syz-executor.4/13427:\\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]\\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]\\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471\\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]\\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172\\n\\nstack backtrace:\\nCPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\\n nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]\\n nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397\\n nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]\\n instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172\\n rcu_do_batch kernel/rcu/tree.c:2196 [inline]\\n rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471\\n handle_softirqs+0x2d6/0x990 kernel/softirq.c:554\\n __do_softirq kernel/softirq.c:588 [inline]\\n invoke_softirq kernel/softirq.c:428 [inline]\\n __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637\\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:649\\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\\n \\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36286\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36478", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36478" + }, + { + "url": "https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47" + }, + { + "url": "https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36478 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36478", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\n\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\n\nTest script:\n\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\n\nTest result:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n \n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\n\nThis is because del_gendisk() can concurrent with\nblk_mq_update_nr_hw_queues():\n\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t if (!dev->nullb)\n\t\t\t\t // still set while gendisk is deleted\n\t\t\t\t return 0\n\t\t\t\t blk_mq_update_nr_hw_queues\n dev->nullb = NULL\n\nFix this problem by resuing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36478\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36478\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36478\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36478\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36478\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47\",\n \"https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\\n\\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\\npanic:\\n\\nTest script:\\n\\nmodprobe null_blk nr_devices=0\\nmkdir -p /sys/kernel/config/nullb/nullb0\\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\\nwhile true; do echo 1 > power; echo 0 > power; done\\n\\nTest result:\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000148\\nOops: 0000 [#1] PREEMPT SMP\\nRIP: 0010:__lock_acquire+0x41d/0x28f0\\nCall Trace:\\n \\n lock_acquire+0x121/0x450\\n down_write+0x5f/0x1d0\\n simple_recursive_removal+0x12f/0x5c0\\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\\n blk_mq_update_nr_hw_queues+0x4a3/0x720\\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\\n configfs_write_iter+0x119/0x1e0\\n vfs_write+0x326/0x730\\n ksys_write+0x74/0x150\\n\\nThis is because del_gendisk() can concurrent with\\nblk_mq_update_nr_hw_queues():\\n\\nnullb_device_power_store\\tnullb_apply_submit_queues\\n null_del_dev\\n del_gendisk\\n\\t\\t\\t\\t nullb_update_nr_hw_queues\\n\\t\\t\\t\\t if (!dev->nullb)\\n\\t\\t\\t\\t // still set while gendisk is deleted\\n\\t\\t\\t\\t return 0\\n\\t\\t\\t\\t blk_mq_update_nr_hw_queues\\n dev->nullb = NULL\\n\\nFix this problem by resuing the global mutex to protect\\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36478\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36479", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36479" + }, + { + "url": "https://git.kernel.org/stable/c/1da11f822042eb6ef4b6064dc048f157a7852529" + }, + { + "url": "https://git.kernel.org/stable/c/6896b6b2e2d9ec4e1b0acb4c1698a75a4b34d125" + }, + { + "url": "https://git.kernel.org/stable/c/d7c4081c54a1d4068de9440957303a76f9e5c95b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36479 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36479", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: bridge: add owner module and take its refcount\n\nThe current implementation of the fpga bridge assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the bridge if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_bridge\nstruct and use it to take the module's refcount. Modify the function for\nregistering a bridge to take an additional owner module parameter and\nrename it to avoid conflicts. Use the old function name for a helper macro\nthat automatically sets the module that registers the bridge as the owner.\nThis ensures compatibility with existing low-level control modules and\nreduces the chances of registering a bridge without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga bridge.\n\nOther changes: opportunistically move put_device() from __fpga_bridge_get()\nto fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity since\nthe bridge device is taken in these functions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36479\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36479\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36479\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36479\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36479\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1da11f822042eb6ef4b6064dc048f157a7852529\",\n \"https://git.kernel.org/stable/c/6896b6b2e2d9ec4e1b0acb4c1698a75a4b34d125\",\n \"https://git.kernel.org/stable/c/d7c4081c54a1d4068de9440957303a76f9e5c95b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfpga: bridge: add owner module and take its refcount\\n\\nThe current implementation of the fpga bridge assumes that the low-level\\nmodule registers a driver for the parent device and uses its owner pointer\\nto take the module's refcount. This approach is problematic since it can\\nlead to a null pointer dereference while attempting to get the bridge if\\nthe parent device does not have a driver.\\n\\nTo address this problem, add a module owner pointer to the fpga_bridge\\nstruct and use it to take the module's refcount. Modify the function for\\nregistering a bridge to take an additional owner module parameter and\\nrename it to avoid conflicts. Use the old function name for a helper macro\\nthat automatically sets the module that registers the bridge as the owner.\\nThis ensures compatibility with existing low-level control modules and\\nreduces the chances of registering a bridge without setting the owner.\\n\\nAlso, update the documentation to keep it consistent with the new interface\\nfor registering an fpga bridge.\\n\\nOther changes: opportunistically move put_device() from __fpga_bridge_get()\\nto fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity since\\nthe bridge device is taken in these functions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36479\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36484", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36484" + }, + { + "url": "https://git.kernel.org/stable/c/21c14c556cccd0cb54b71ec5e901e64ba84c7165" + }, + { + "url": "https://git.kernel.org/stable/c/26afda78cda3da974fd4c287962c169e9462c495" + }, + { + "url": "https://git.kernel.org/stable/c/59801e88c99f7c3f44a4d20af6ba6417aa359b5d" + }, + { + "url": "https://git.kernel.org/stable/c/5f9a04a94fd1894d7009055ab8e5832a0242dba3" + }, + { + "url": "https://git.kernel.org/stable/c/6e03006548c66b979f4e5e9fc797aac4dad82822" + }, + { + "url": "https://git.kernel.org/stable/c/7de00adc9bd035d861ba4177848ca0bfa5ed1e04" + }, + { + "url": "https://git.kernel.org/stable/c/87bdc9f6f58b4417362d6932b49b828e319f97dc" + }, + { + "url": "https://git.kernel.org/stable/c/c09ddc605893df542c6cf8dde6a57a93f7cf0adb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36484 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36484", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: relax socket state check at accept time.\n\nChristoph reported the following splat:\n\nWARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0\nModules linked in:\nCPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nRIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759\nCode: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80\nRSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293\nRAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64\nR10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000\nR13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800\nFS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786\n do_accept+0x435/0x620 net/socket.c:1929\n __sys_accept4_file net/socket.c:1969 [inline]\n __sys_accept4+0x9b/0x110 net/socket.c:1999\n __do_sys_accept net/socket.c:2016 [inline]\n __se_sys_accept net/socket.c:2013 [inline]\n __x64_sys_accept+0x7d/0x90 net/socket.c:2013\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x4315f9\nCode: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b\nRAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300\nR10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055\n \n\nThe reproducer invokes shutdown() before entering the listener status.\nAfter commit 94062790aedb (\"tcp: defer shutdown(SEND_SHUTDOWN) for\nTCP_SYN_RECV sockets\"), the above causes the child to reach the accept\nsyscall in FIN_WAIT1 status.\n\nEric noted we can relax the existing assertion in __inet_accept()", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36484\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36484\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36484\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36484\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36484\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21c14c556cccd0cb54b71ec5e901e64ba84c7165\",\n \"https://git.kernel.org/stable/c/26afda78cda3da974fd4c287962c169e9462c495\",\n \"https://git.kernel.org/stable/c/59801e88c99f7c3f44a4d20af6ba6417aa359b5d\",\n \"https://git.kernel.org/stable/c/5f9a04a94fd1894d7009055ab8e5832a0242dba3\",\n \"https://git.kernel.org/stable/c/6e03006548c66b979f4e5e9fc797aac4dad82822\",\n \"https://git.kernel.org/stable/c/7de00adc9bd035d861ba4177848ca0bfa5ed1e04\",\n \"https://git.kernel.org/stable/c/87bdc9f6f58b4417362d6932b49b828e319f97dc\",\n \"https://git.kernel.org/stable/c/c09ddc605893df542c6cf8dde6a57a93f7cf0adb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: relax socket state check at accept time.\\n\\nChristoph reported the following splat:\\n\\nWARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0\\nModules linked in:\\nCPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\\nRIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759\\nCode: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80\\nRSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293\\nRAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000\\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\\nRBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64\\nR10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000\\nR13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800\\nFS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nPKRU: 55555554\\nCall Trace:\\n \\n inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786\\n do_accept+0x435/0x620 net/socket.c:1929\\n __sys_accept4_file net/socket.c:1969 [inline]\\n __sys_accept4+0x9b/0x110 net/socket.c:1999\\n __do_sys_accept net/socket.c:2016 [inline]\\n __se_sys_accept net/socket.c:2013 [inline]\\n __x64_sys_accept+0x7d/0x90 net/socket.c:2013\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\nRIP: 0033:0x4315f9\\nCode: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00\\nRSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b\\nRAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9\\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004\\nRBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300\\nR10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000\\nR13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055\\n \\n\\nThe reproducer invokes shutdown() before entering the listener status.\\nAfter commit 94062790aedb (\\\"tcp: defer shutdown(SEND_SHUTDOWN) for\\nTCP_SYN_RECV sockets\\\"), the above causes the child to reach the accept\\nsyscall in FIN_WAIT1 status.\\n\\nEric noted we can relax the existing assertion in __inet_accept()\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36484\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36489", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36489" + }, + { + "url": "https://git.kernel.org/stable/c/2c260a24cf1c4d30ea3646124f766ee46169280b" + }, + { + "url": "https://git.kernel.org/stable/c/335c8f1566d8e44c384d16b450a18554896d4e8b" + }, + { + "url": "https://git.kernel.org/stable/c/91e61dd7a0af660408e87372d8330ceb218be302" + }, + { + "url": "https://git.kernel.org/stable/c/ab67c2fd3d070a21914d0c31319d3858ab4e199c" + }, + { + "url": "https://git.kernel.org/stable/c/d72e126e9a36d3d33889829df8fc90100bb0e071" + }, + { + "url": "https://git.kernel.org/stable/c/ef21007a7b581c7fe64d5a10c320880a033c837b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36489 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36489", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix missing memory barrier in tls_init\n\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\n\nCPU0 CPU1\n----- -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\n\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots) -(2)\n\n // In sock_common_setsockopt()\n READ_ONCE(sk->sk_prot)->setsockopt()\n\n // In tls_{setsockopt,getsockopt}()\n ctx->sk_proto->setsockopt() -(3)\n\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\n\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36489\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36489\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36489\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36489\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36489\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c260a24cf1c4d30ea3646124f766ee46169280b\",\n \"https://git.kernel.org/stable/c/335c8f1566d8e44c384d16b450a18554896d4e8b\",\n \"https://git.kernel.org/stable/c/91e61dd7a0af660408e87372d8330ceb218be302\",\n \"https://git.kernel.org/stable/c/ab67c2fd3d070a21914d0c31319d3858ab4e199c\",\n \"https://git.kernel.org/stable/c/d72e126e9a36d3d33889829df8fc90100bb0e071\",\n \"https://git.kernel.org/stable/c/ef21007a7b581c7fe64d5a10c320880a033c837b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntls: fix missing memory barrier in tls_init\\n\\nIn tls_init(), a write memory barrier is missing, and store-store\\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\\n\\nCPU0 CPU1\\n----- -----\\n// In tls_init()\\n// In tls_ctx_create()\\nctx = kzalloc()\\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\\n\\n// In update_sk_prot()\\nWRITE_ONCE(sk->sk_prot, tls_prots) -(2)\\n\\n // In sock_common_setsockopt()\\n READ_ONCE(sk->sk_prot)->setsockopt()\\n\\n // In tls_{setsockopt,getsockopt}()\\n ctx->sk_proto->setsockopt() -(3)\\n\\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\\nthe NULL value of ctx->sk_proto, causing NULL dereference.\\n\\nTo fix it, we rely on rcu_assign_pointer() which implies the release\\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\\ninitialized, we can ensure that ctx->sk_proto are visible when\\nchanging sk->sk_prot.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36489\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36880", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36880" + }, + { + "url": "https://git.kernel.org/stable/c/02f05ed44b71152d5e11d29be28aed91c0489b4e" + }, + { + "url": "https://git.kernel.org/stable/c/1caceadfb50432dbf6d808796cb6c34ebb6d662c" + }, + { + "url": "https://git.kernel.org/stable/c/2e4edfa1e2bd821a317e7d006517dcf2f3fac68d" + }, + { + "url": "https://git.kernel.org/stable/c/427281f9498ed614f9aabc80e46ec077c487da6d" + }, + { + "url": "https://git.kernel.org/stable/c/ed53949cc92e28aaa3463d246942bda1fbb7f307" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36880 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36880", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: add missing firmware sanity checks\n\nAdd the missing sanity checks when parsing the firmware files before\ndownloading them to avoid accessing and corrupting memory beyond the\nvmalloced buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36880\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36880\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36880\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36880\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36880\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02f05ed44b71152d5e11d29be28aed91c0489b4e\",\n \"https://git.kernel.org/stable/c/1caceadfb50432dbf6d808796cb6c34ebb6d662c\",\n \"https://git.kernel.org/stable/c/2e4edfa1e2bd821a317e7d006517dcf2f3fac68d\",\n \"https://git.kernel.org/stable/c/427281f9498ed614f9aabc80e46ec077c487da6d\",\n \"https://git.kernel.org/stable/c/ed53949cc92e28aaa3463d246942bda1fbb7f307\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: qca: add missing firmware sanity checks\\n\\nAdd the missing sanity checks when parsing the firmware files before\\ndownloading them to avoid accessing and corrupting memory beyond the\\nvmalloced buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36880\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36883", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36883" + }, + { + "url": "https://git.kernel.org/stable/c/0c3248bc708a7797be573214065cf908ff1f54c7" + }, + { + "url": "https://git.kernel.org/stable/c/2d60ff5874aefd006717ca5e22ac1e25eac29c42" + }, + { + "url": "https://git.kernel.org/stable/c/3cdc34d76c4f777579e28ad373979d36c030cfd3" + }, + { + "url": "https://git.kernel.org/stable/c/7b0e64583eab8c1d896b47e5dd0bf2e7d86ec41f" + }, + { + "url": "https://git.kernel.org/stable/c/9518b79bfd2fbf99fa9b7e8e36bcb1825e7ba030" + }, + { + "url": "https://git.kernel.org/stable/c/a26ff37e624d12e28077e5b24d2b264f62764ad6" + }, + { + "url": "https://git.kernel.org/stable/c/b6dbfd5bcc267a95a0bf1bf96af46243f96ec6cd" + }, + { + "url": "https://git.kernel.org/stable/c/f4f94587e1bf87cb40ec33955a9d90148dd026ab" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36883 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36883", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix out-of-bounds access in ops_init\n\nnet_alloc_generic is called by net_alloc, which is called without any\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\nis read twice, first to allocate an array, then to set s.len, which is\nlater used to limit the bounds of the array access.\n\nIt is possible that the array is allocated and another thread is\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\nto set s.len with a larger than allocated length for the variable array.\n\nFix it by reading max_gen_ptrs only once in net_alloc_generic. If\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36883\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36883\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36883\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36883\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36883\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c3248bc708a7797be573214065cf908ff1f54c7\",\n \"https://git.kernel.org/stable/c/2d60ff5874aefd006717ca5e22ac1e25eac29c42\",\n \"https://git.kernel.org/stable/c/3cdc34d76c4f777579e28ad373979d36c030cfd3\",\n \"https://git.kernel.org/stable/c/7b0e64583eab8c1d896b47e5dd0bf2e7d86ec41f\",\n \"https://git.kernel.org/stable/c/9518b79bfd2fbf99fa9b7e8e36bcb1825e7ba030\",\n \"https://git.kernel.org/stable/c/a26ff37e624d12e28077e5b24d2b264f62764ad6\",\n \"https://git.kernel.org/stable/c/b6dbfd5bcc267a95a0bf1bf96af46243f96ec6cd\",\n \"https://git.kernel.org/stable/c/f4f94587e1bf87cb40ec33955a9d90148dd026ab\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: fix out-of-bounds access in ops_init\\n\\nnet_alloc_generic is called by net_alloc, which is called without any\\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\\nis read twice, first to allocate an array, then to set s.len, which is\\nlater used to limit the bounds of the array access.\\n\\nIt is possible that the array is allocated and another thread is\\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\\nto set s.len with a larger than allocated length for the variable array.\\n\\nFix it by reading max_gen_ptrs only once in net_alloc_generic. If\\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36883\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36885", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36885" + }, + { + "url": "https://git.kernel.org/stable/c/1a88c18da464db0ba8ea25196d0a06490f65322e" + }, + { + "url": "https://git.kernel.org/stable/c/52a6947bf576b97ff8e14bb0a31c5eaf2d0d96e2" + }, + { + "url": "https://git.kernel.org/stable/c/e05af009302893f39b072811a68fa4a196284c75" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36885 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36885", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor()\n\nCurrently, enabling SG_DEBUG in the kernel will cause nouveau to hit a\nBUG() on startup:\n\n kernel BUG at include/linux/scatterlist.h:187!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30\n Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019\n RIP: 0010:sg_init_one+0x85/0xa0\n Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54\n 24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b\n 0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00\n RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b\n RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000\n RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508\n R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018\n FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0\n Call Trace:\n \n ? die+0x36/0x90\n ? do_trap+0xdd/0x100\n ? sg_init_one+0x85/0xa0\n ? do_error_trap+0x65/0x80\n ? sg_init_one+0x85/0xa0\n ? exc_invalid_op+0x50/0x70\n ? sg_init_one+0x85/0xa0\n ? asm_exc_invalid_op+0x1a/0x20\n ? sg_init_one+0x85/0xa0\n nvkm_firmware_ctor+0x14a/0x250 [nouveau]\n nvkm_falcon_fw_ctor+0x42/0x70 [nouveau]\n ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau]\n r535_gsp_oneinit+0xb3/0x15f0 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? nvkm_udevice_new+0x95/0x140 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? ktime_get+0x47/0xb0\n ? srso_return_thunk+0x5/0x5f\n nvkm_subdev_oneinit_+0x4f/0x120 [nouveau]\n nvkm_subdev_init_+0x39/0x140 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n nvkm_subdev_init+0x44/0x90 [nouveau]\n nvkm_device_init+0x166/0x2e0 [nouveau]\n nvkm_udevice_init+0x47/0x70 [nouveau]\n nvkm_object_init+0x41/0x1c0 [nouveau]\n nvkm_ioctl_new+0x16a/0x290 [nouveau]\n ? __pfx_nvkm_client_child_new+0x10/0x10 [nouveau]\n ? __pfx_nvkm_udevice_new+0x10/0x10 [nouveau]\n nvkm_ioctl+0x126/0x290 [nouveau]\n nvif_object_ctor+0x112/0x190 [nouveau]\n nvif_device_ctor+0x23/0x60 [nouveau]\n nouveau_cli_init+0x164/0x640 [nouveau]\n nouveau_drm_device_init+0x97/0x9e0 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? pci_update_current_state+0x72/0xb0\n ? srso_return_thunk+0x5/0x5f\n nouveau_drm_probe+0x12c/0x280 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n local_pci_probe+0x45/0xa0\n pci_device_probe+0xc7/0x270\n really_probe+0xe6/0x3a0\n __driver_probe_device+0x87/0x160\n driver_probe_device+0x1f/0xc0\n __driver_attach+0xec/0x1f0\n ? __pfx___driver_attach+0x10/0x10\n bus_for_each_dev+0x88/0xd0\n bus_add_driver+0x116/0x220\n driver_register+0x59/0x100\n ? __pfx_nouveau_drm_init+0x10/0x10 [nouveau]\n do_one_initcall+0x5b/0x320\n do_init_module+0x60/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x120/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x83/0x160\n ? srso_return_thunk+0x5/0x5f\n entry_SYSCALL_64_after_hwframe+0x71/0x79\n RIP: 0033:0x7feeb5cc20cd\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0\n ff ff 73 01 c3 48 8b 0d 1b cd 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffcf220b2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 000055fdd2916aa0 RCX: 00007feeb5cc20cd\n RDX: 0000000000000000 RSI: 000055fdd29161e0 RDI: 0000000000000035\n RBP: 00007ffcf220b380 R08: 00007feeb5d8fb20 R09: 00007ffcf220b310\n R10: 000055fdd2909dc0 R11: 0000000000000246 R12: 000055\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36885\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36885\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36885\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36885\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36885\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a88c18da464db0ba8ea25196d0a06490f65322e\",\n \"https://git.kernel.org/stable/c/52a6947bf576b97ff8e14bb0a31c5eaf2d0d96e2\",\n \"https://git.kernel.org/stable/c/e05af009302893f39b072811a68fa4a196284c75\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor()\\n\\nCurrently, enabling SG_DEBUG in the kernel will cause nouveau to hit a\\nBUG() on startup:\\n\\n kernel BUG at include/linux/scatterlist.h:187!\\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30\\n Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019\\n RIP: 0010:sg_init_one+0x85/0xa0\\n Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54\\n 24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b\\n 0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00\\n RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246\\n RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b\\n RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000\\n RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000\\n R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508\\n R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018\\n FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0\\n Call Trace:\\n \\n ? die+0x36/0x90\\n ? do_trap+0xdd/0x100\\n ? sg_init_one+0x85/0xa0\\n ? do_error_trap+0x65/0x80\\n ? sg_init_one+0x85/0xa0\\n ? exc_invalid_op+0x50/0x70\\n ? sg_init_one+0x85/0xa0\\n ? asm_exc_invalid_op+0x1a/0x20\\n ? sg_init_one+0x85/0xa0\\n nvkm_firmware_ctor+0x14a/0x250 [nouveau]\\n nvkm_falcon_fw_ctor+0x42/0x70 [nouveau]\\n ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau]\\n r535_gsp_oneinit+0xb3/0x15f0 [nouveau]\\n ? srso_return_thunk+0x5/0x5f\\n ? srso_return_thunk+0x5/0x5f\\n ? nvkm_udevice_new+0x95/0x140 [nouveau]\\n ? srso_return_thunk+0x5/0x5f\\n ? srso_return_thunk+0x5/0x5f\\n ? ktime_get+0x47/0xb0\\n ? srso_return_thunk+0x5/0x5f\\n nvkm_subdev_oneinit_+0x4f/0x120 [nouveau]\\n nvkm_subdev_init_+0x39/0x140 [nouveau]\\n ? srso_return_thunk+0x5/0x5f\\n nvkm_subdev_init+0x44/0x90 [nouveau]\\n nvkm_device_init+0x166/0x2e0 [nouveau]\\n nvkm_udevice_init+0x47/0x70 [nouveau]\\n nvkm_object_init+0x41/0x1c0 [nouveau]\\n nvkm_ioctl_new+0x16a/0x290 [nouveau]\\n ? __pfx_nvkm_client_child_new+0x10/0x10 [nouveau]\\n ? __pfx_nvkm_udevice_new+0x10/0x10 [nouveau]\\n nvkm_ioctl+0x126/0x290 [nouveau]\\n nvif_object_ctor+0x112/0x190 [nouveau]\\n nvif_device_ctor+0x23/0x60 [nouveau]\\n nouveau_cli_init+0x164/0x640 [nouveau]\\n nouveau_drm_device_init+0x97/0x9e0 [nouveau]\\n ? srso_return_thunk+0x5/0x5f\\n ? pci_update_current_state+0x72/0xb0\\n ? srso_return_thunk+0x5/0x5f\\n nouveau_drm_probe+0x12c/0x280 [nouveau]\\n ? srso_return_thunk+0x5/0x5f\\n local_pci_probe+0x45/0xa0\\n pci_device_probe+0xc7/0x270\\n really_probe+0xe6/0x3a0\\n __driver_probe_device+0x87/0x160\\n driver_probe_device+0x1f/0xc0\\n __driver_attach+0xec/0x1f0\\n ? __pfx___driver_attach+0x10/0x10\\n bus_for_each_dev+0x88/0xd0\\n bus_add_driver+0x116/0x220\\n driver_register+0x59/0x100\\n ? __pfx_nouveau_drm_init+0x10/0x10 [nouveau]\\n do_one_initcall+0x5b/0x320\\n do_init_module+0x60/0x250\\n init_module_from_file+0x86/0xc0\\n idempotent_init_module+0x120/0x2b0\\n __x64_sys_finit_module+0x5e/0xb0\\n do_syscall_64+0x83/0x160\\n ? srso_return_thunk+0x5/0x5f\\n entry_SYSCALL_64_after_hwframe+0x71/0x79\\n RIP: 0033:0x7feeb5cc20cd\\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89\\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0\\n ff ff 73 01 c3 48 8b 0d 1b cd 0c 00 f7 d8 64 89 01 48\\n RSP: 002b:00007ffcf220b2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\\n RAX: ffffffffffffffda RBX: 000055fdd2916aa0 RCX: 00007feeb5cc20cd\\n RDX: 0000000000000000 RSI: 000055fdd29161e0 RDI: 0000000000000035\\n RBP: 00007ffcf220b380 R08: 00007feeb5d8fb20 R09: 00007ffcf220b310\\n R10: 000055fdd2909dc0 R11: 0000000000000246 R12: 000055\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36885\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36886", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36886" + }, + { + "url": "https://git.kernel.org/stable/c/080cbb890286cd794f1ee788bbc5463e2deb7c2b" + }, + { + "url": "https://git.kernel.org/stable/c/21ea04aad8a0839b4ec27ef1691ca480620e8e14" + }, + { + "url": "https://git.kernel.org/stable/c/367766ff9e407f8a68409b7ce4dc4d5a72afeab1" + }, + { + "url": "https://git.kernel.org/stable/c/66116556076f0b96bc1aa9844008c743c8c67684" + }, + { + "url": "https://git.kernel.org/stable/c/93bc2d6d16f2c3178736ba6b845b30475856dc40" + }, + { + "url": "https://git.kernel.org/stable/c/a0fbb26f8247e326a320e2cb4395bfb234332c90" + }, + { + "url": "https://git.kernel.org/stable/c/e19ec8ab0e25bc4803d7cc91c84e84532e2781bd" + }, + { + "url": "https://git.kernel.org/stable/c/ffd4917c1edb3c3ff334fce3704fbe9c39f35682" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36886 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36886", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix UAF in error path\n\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\na UAF in the tipc_buf_append() error path:\n\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\nlinux/net/core/skbuff.c:1183\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\n\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.0-debian-1.16.0-5 04/01/2014\nCall Trace:\n \n __dump_stack linux/lib/dump_stack.c:88\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\n print_address_description linux/mm/kasan/report.c:377\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\n skb_release_all linux/net/core/skbuff.c:1094\n __kfree_skb linux/net/core/skbuff.c:1108\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\n kfree_skb linux/./include/linux/skbuff.h:1244\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\n dst_input linux/./include/net/dst.h:461\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\n napi_poll linux/net/core/dev.c:6645\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\n do_softirq linux/kernel/softirq.c:454\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\n \n \n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\n local_bh_enable linux/./include/linux/bottom_half.h:33\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\n neigh_hh_output linux/./include/net/neighbour.h:526\n neigh_output linux/./include/net/neighbour.h:540\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\n __ip_finish_output linux/net/ipv4/ip_output.c:313\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\n dst_output linux/./include/net/dst.h:451\n ip_local_out linux/net/ipv4/ip_output.c:129\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\n sock_sendmsg_nosec linux/net/socket.c:730\n __sock_sendmsg linux/net/socket.c:745\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\n __do_sys_sendto linux/net/socket.c:2203\n __se_sys_sendto linux/net/socket.c:2199\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\n do_syscall_x64 linux/arch/x86/entry/common.c:52\n do_syscall_\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36886\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36886\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36886\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36886\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36886\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/080cbb890286cd794f1ee788bbc5463e2deb7c2b\",\n \"https://git.kernel.org/stable/c/21ea04aad8a0839b4ec27ef1691ca480620e8e14\",\n \"https://git.kernel.org/stable/c/367766ff9e407f8a68409b7ce4dc4d5a72afeab1\",\n \"https://git.kernel.org/stable/c/66116556076f0b96bc1aa9844008c743c8c67684\",\n \"https://git.kernel.org/stable/c/93bc2d6d16f2c3178736ba6b845b30475856dc40\",\n \"https://git.kernel.org/stable/c/a0fbb26f8247e326a320e2cb4395bfb234332c90\",\n \"https://git.kernel.org/stable/c/e19ec8ab0e25bc4803d7cc91c84e84532e2781bd\",\n \"https://git.kernel.org/stable/c/ffd4917c1edb3c3ff334fce3704fbe9c39f35682\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: fix UAF in error path\\n\\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\\na UAF in the tipc_buf_append() error path:\\n\\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\\nlinux/net/core/skbuff.c:1183\\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\\n\\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\\n1.16.0-debian-1.16.0-5 04/01/2014\\nCall Trace:\\n \\n __dump_stack linux/lib/dump_stack.c:88\\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\\n print_address_description linux/mm/kasan/report.c:377\\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\\n skb_release_all linux/net/core/skbuff.c:1094\\n __kfree_skb linux/net/core/skbuff.c:1108\\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\\n kfree_skb linux/./include/linux/skbuff.h:1244\\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\\n NF_HOOK linux/./include/linux/netfilter.h:314\\n NF_HOOK linux/./include/linux/netfilter.h:308\\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\\n dst_input linux/./include/net/dst.h:461\\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\\n NF_HOOK linux/./include/linux/netfilter.h:314\\n NF_HOOK linux/./include/linux/netfilter.h:308\\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\\n napi_poll linux/net/core/dev.c:6645\\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\\n do_softirq linux/kernel/softirq.c:454\\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\\n \\n \\n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\\n local_bh_enable linux/./include/linux/bottom_half.h:33\\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\\n neigh_hh_output linux/./include/net/neighbour.h:526\\n neigh_output linux/./include/net/neighbour.h:540\\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\\n __ip_finish_output linux/net/ipv4/ip_output.c:313\\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\\n dst_output linux/./include/net/dst.h:451\\n ip_local_out linux/net/ipv4/ip_output.c:129\\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\\n sock_sendmsg_nosec linux/net/socket.c:730\\n __sock_sendmsg linux/net/socket.c:745\\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\\n __do_sys_sendto linux/net/socket.c:2203\\n __se_sys_sendto linux/net/socket.c:2199\\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\\n do_syscall_x64 linux/arch/x86/entry/common.c:52\\n do_syscall_\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.1,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36886\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36889", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36889" + }, + { + "url": "https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012" + }, + { + "url": "https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe" + }, + { + "url": "https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4" + }, + { + "url": "https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f" + }, + { + "url": "https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193" + }, + { + "url": "https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36889 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36889", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_nxt is properly initialized on connect\n\nChristoph reported a splat hinting at a corrupted snd_una:\n\n WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n Modules linked in:\n CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n Workqueue: events mptcp_worker\n RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\n \t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\n \t<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\n RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\n RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\n R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\n FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\n Call Trace:\n \n __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\n mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\n __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\n mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\n process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\n process_scheduled_works kernel/workqueue.c:3335 [inline]\n worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\n kthread+0x121/0x170 kernel/kthread.c:388\n ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n \n\nWhen fallback to TCP happens early on a client socket, snd_nxt\nis not yet initialized and any incoming ack will copy such value\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\nre-injection after such ack, that would unconditionally trigger a send\nbuffer cleanup using 'bad' snd_una values.\n\nWe could easily disable re-injection for fallback sockets, but such\ndumb behavior already helped catching a few subtle issues and a very\nlow to zero impact in practice.\n\nInstead address the issue always initializing snd_nxt (and write_seq,\nfor consistency) at connect time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36889\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36889\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36889\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36889\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36889\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012\",\n \"https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe\",\n \"https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4\",\n \"https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f\",\n \"https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193\",\n \"https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: ensure snd_nxt is properly initialized on connect\\n\\nChristoph reported a splat hinting at a corrupted snd_una:\\n\\n WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\\n Modules linked in:\\n CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\\n Workqueue: events mptcp_worker\\n RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\\n Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\\n \\t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\\n \\t<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\\n RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\\n RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\\n RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\\n R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\\n R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\\n FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\\n Call Trace:\\n \\n __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\\n mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\\n __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\\n mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\\n process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\\n process_scheduled_works kernel/workqueue.c:3335 [inline]\\n worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\\n kthread+0x121/0x170 kernel/kthread.c:388\\n ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\\n \\n\\nWhen fallback to TCP happens early on a client socket, snd_nxt\\nis not yet initialized and any incoming ack will copy such value\\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\\nre-injection after such ack, that would unconditionally trigger a send\\nbuffer cleanup using 'bad' snd_una values.\\n\\nWe could easily disable re-injection for fallback sockets, but such\\ndumb behavior already helped catching a few subtle issues and a very\\nlow to zero impact in practice.\\n\\nInstead address the issue always initializing snd_nxt (and write_seq,\\nfor consistency) at connect time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36889\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36893" + }, + { + "url": "https://git.kernel.org/stable/c/789326cafbd1f67f424436b6bc8bdb887a364637" + }, + { + "url": "https://git.kernel.org/stable/c/ae11f04b452b5205536e1c02d31f8045eba249dd" + }, + { + "url": "https://git.kernel.org/stable/c/d56d2ca03cc22123fd7626967d096d8661324e57" + }, + { + "url": "https://git.kernel.org/stable/c/fc2b655cb6dd2b381f1f284989721002e39b6b77" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Check for port partner validity before consuming it\n\ntypec_register_partner() does not guarantee partner registration\nto always succeed. In the event of failure, port->partner is set\nto the error value or NULL. Given that port->partner validity is\nnot checked, this results in the following crash:\n\nUnable to handle kernel NULL pointer dereference at virtual address xx\n pc : run_state_machine+0x1bc8/0x1c08\n lr : run_state_machine+0x1b90/0x1c08\n..\n Call trace:\n run_state_machine+0x1bc8/0x1c08\n tcpm_state_machine_work+0x94/0xe4\n kthread_worker_fn+0x118/0x328\n kthread+0x1d0/0x23c\n ret_from_fork+0x10/0x20\n\nTo prevent the crash, check for port->partner validity before\nderefencing it in all the call sites.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/789326cafbd1f67f424436b6bc8bdb887a364637\",\n \"https://git.kernel.org/stable/c/ae11f04b452b5205536e1c02d31f8045eba249dd\",\n \"https://git.kernel.org/stable/c/d56d2ca03cc22123fd7626967d096d8661324e57\",\n \"https://git.kernel.org/stable/c/fc2b655cb6dd2b381f1f284989721002e39b6b77\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: typec: tcpm: Check for port partner validity before consuming it\\n\\ntypec_register_partner() does not guarantee partner registration\\nto always succeed. In the event of failure, port->partner is set\\nto the error value or NULL. Given that port->partner validity is\\nnot checked, this results in the following crash:\\n\\nUnable to handle kernel NULL pointer dereference at virtual address xx\\n pc : run_state_machine+0x1bc8/0x1c08\\n lr : run_state_machine+0x1b90/0x1c08\\n..\\n Call trace:\\n run_state_machine+0x1bc8/0x1c08\\n tcpm_state_machine_work+0x94/0xe4\\n kthread_worker_fn+0x118/0x328\\n kthread+0x1d0/0x23c\\n ret_from_fork+0x10/0x20\\n\\nTo prevent the crash, check for port->partner validity before\\nderefencing it in all the call sites.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36894", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36894" + }, + { + "url": "https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19" + }, + { + "url": "https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a" + }, + { + "url": "https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb" + }, + { + "url": "https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867" + }, + { + "url": "https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14" + }, + { + "url": "https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4" + }, + { + "url": "https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd" + }, + { + "url": "https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36894 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36894", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\n\nFFS based applications can utilize the aio_cancel() callback to dequeue\npending USB requests submitted to the UDC. There is a scenario where the\nFFS application issues an AIO cancel call, while the UDC is handling a\nsoft disconnect. For a DWC3 based implementation, the callstack looks\nlike the following:\n\n DWC3 Gadget FFS Application\ndwc3_gadget_soft_disconnect() ...\n --> dwc3_stop_active_transfers()\n --> dwc3_gadget_giveback(-ESHUTDOWN)\n --> ffs_epfile_async_io_complete() ffs_aio_cancel()\n --> usb_ep_free_request() --> usb_ep_dequeue()\n\nThere is currently no locking implemented between the AIO completion\nhandler and AIO cancel, so the issue occurs if the completion routine is\nrunning in parallel to an AIO cancel call coming from the FFS application.\nAs the completion call frees the USB request (io_data->req) the FFS\napplication is also referencing it for the usb_ep_dequeue() call. This can\nlead to accessing a stale/hanging pointer.\n\ncommit b566d38857fc (\"usb: gadget: f_fs: use io_data->status consistently\")\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\nHowever, in order to properly implement locking to mitigate this issue, the\nspinlock can't be added to ffs_epfile_async_io_complete(), as\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\nfunction driver's completion handler in the same context. Hence, leading\ninto a deadlock.\n\nFix this issue by moving the usb_ep_free_request() back to\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\nto NULL after freeing it within the ffs->eps_lock. This resolves the race\ncondition above, as the ffs_aio_cancel() routine will not continue\nattempting to dequeue a request that has already been freed, or the\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\ndone referencing it.\n\nThis fix depends on\n commit b566d38857fc (\"usb: gadget: f_fs: use io_data->status\n consistently\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36894\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36894\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36894\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36894\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36894\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19\",\n \"https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a\",\n \"https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb\",\n \"https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867\",\n \"https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14\",\n \"https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4\",\n \"https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd\",\n \"https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\\n\\nFFS based applications can utilize the aio_cancel() callback to dequeue\\npending USB requests submitted to the UDC. There is a scenario where the\\nFFS application issues an AIO cancel call, while the UDC is handling a\\nsoft disconnect. For a DWC3 based implementation, the callstack looks\\nlike the following:\\n\\n DWC3 Gadget FFS Application\\ndwc3_gadget_soft_disconnect() ...\\n --> dwc3_stop_active_transfers()\\n --> dwc3_gadget_giveback(-ESHUTDOWN)\\n --> ffs_epfile_async_io_complete() ffs_aio_cancel()\\n --> usb_ep_free_request() --> usb_ep_dequeue()\\n\\nThere is currently no locking implemented between the AIO completion\\nhandler and AIO cancel, so the issue occurs if the completion routine is\\nrunning in parallel to an AIO cancel call coming from the FFS application.\\nAs the completion call frees the USB request (io_data->req) the FFS\\napplication is also referencing it for the usb_ep_dequeue() call. This can\\nlead to accessing a stale/hanging pointer.\\n\\ncommit b566d38857fc (\\\"usb: gadget: f_fs: use io_data->status consistently\\\")\\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\\nHowever, in order to properly implement locking to mitigate this issue, the\\nspinlock can't be added to ffs_epfile_async_io_complete(), as\\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\\nfunction driver's completion handler in the same context. Hence, leading\\ninto a deadlock.\\n\\nFix this issue by moving the usb_ep_free_request() back to\\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\\nto NULL after freeing it within the ffs->eps_lock. This resolves the race\\ncondition above, as the ffs_aio_cancel() routine will not continue\\nattempting to dequeue a request that has already been freed, or the\\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\\ndone referencing it.\\n\\nThis fix depends on\\n commit b566d38857fc (\\\"usb: gadget: f_fs: use io_data->status\\n consistently\\\")\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.6,\n \"exploitabilityScore\": 0.4,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36894\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36898", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36898" + }, + { + "url": "https://git.kernel.org/stable/c/1a51e24404d77bb3307c1e39eee0d8e86febb1a5" + }, + { + "url": "https://git.kernel.org/stable/c/883e4bbf06eb5fb7482679e4edb201093e9f55a2" + }, + { + "url": "https://git.kernel.org/stable/c/bd7139a70ee8d8ea872b223e043730cf6f5e2b0e" + }, + { + "url": "https://git.kernel.org/stable/c/ee0166b637a5e376118e9659e5b4148080f1d27e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36898 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36898", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: fix uninitialised kfifo\n\nIf a line is requested with debounce, and that results in debouncing\nin software, and the line is subsequently reconfigured to enable edge\ndetection then the allocation of the kfifo to contain edge events is\noverlooked. This results in events being written to and read from an\nuninitialised kfifo. Read events are returned to userspace.\n\nInitialise the kfifo in the case where the software debounce is\nalready active.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36898\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36898\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36898\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36898\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36898\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a51e24404d77bb3307c1e39eee0d8e86febb1a5\",\n \"https://git.kernel.org/stable/c/883e4bbf06eb5fb7482679e4edb201093e9f55a2\",\n \"https://git.kernel.org/stable/c/bd7139a70ee8d8ea872b223e043730cf6f5e2b0e\",\n \"https://git.kernel.org/stable/c/ee0166b637a5e376118e9659e5b4148080f1d27e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpiolib: cdev: fix uninitialised kfifo\\n\\nIf a line is requested with debounce, and that results in debouncing\\nin software, and the line is subsequently reconfigured to enable edge\\ndetection then the allocation of the kfifo to contain edge events is\\noverlooked. This results in events being written to and read from an\\nuninitialised kfifo. Read events are returned to userspace.\\n\\nInitialise the kfifo in the case where the software debounce is\\nalready active.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36898\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36899" + }, + { + "url": "https://git.kernel.org/stable/c/02f6b0e1ec7e0e7d059dddc893645816552039da" + }, + { + "url": "https://git.kernel.org/stable/c/95ca7c90eaf5ea8a8460536535101e3e81160e2a" + }, + { + "url": "https://git.kernel.org/stable/c/ca710b5f40b8b16fdcad50bebd47f50e4c62d239" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Fix use after free in lineinfo_changed_notify\n\nThe use-after-free issue occurs as follows: when the GPIO chip device file\nis being closed by invoking gpio_chrdev_release(), watched_lines is freed\nby bitmap_free(), but the unregistration of lineinfo_changed_nb notifier\nchain failed due to waiting write rwsem. Additionally, one of the GPIO\nchip's lines is also in the release process and holds the notifier chain's\nread rwsem. Consequently, a race condition leads to the use-after-free of\nwatched_lines.\n\nHere is the typical stack when issue happened:\n\n[free]\ngpio_chrdev_release()\n --> bitmap_free(cdev->watched_lines) <-- freed\n --> blocking_notifier_chain_unregister()\n --> down_write(&nh->rwsem) <-- waiting rwsem\n --> __down_write_common()\n --> rwsem_down_write_slowpath()\n --> schedule_preempt_disabled()\n --> schedule()\n\n[use]\nst54spi_gpio_dev_release()\n --> gpio_free()\n --> gpiod_free()\n --> gpiod_free_commit()\n --> gpiod_line_state_notify()\n --> blocking_notifier_call_chain()\n --> down_read(&nh->rwsem); <-- held rwsem\n --> notifier_call_chain()\n --> lineinfo_changed_notify()\n --> test_bit(xxxx, cdev->watched_lines) <-- use after free\n\nThe side effect of the use-after-free issue is that a GPIO line event is\nbeing generated for userspace where it shouldn't. However, since the chrdev\nis being closed, userspace won't have the chance to read that event anyway.\n\nTo fix the issue, call the bitmap_free() function after the unregistration\nof lineinfo_changed_nb notifier chain.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02f6b0e1ec7e0e7d059dddc893645816552039da\",\n \"https://git.kernel.org/stable/c/95ca7c90eaf5ea8a8460536535101e3e81160e2a\",\n \"https://git.kernel.org/stable/c/ca710b5f40b8b16fdcad50bebd47f50e4c62d239\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpiolib: cdev: Fix use after free in lineinfo_changed_notify\\n\\nThe use-after-free issue occurs as follows: when the GPIO chip device file\\nis being closed by invoking gpio_chrdev_release(), watched_lines is freed\\nby bitmap_free(), but the unregistration of lineinfo_changed_nb notifier\\nchain failed due to waiting write rwsem. Additionally, one of the GPIO\\nchip's lines is also in the release process and holds the notifier chain's\\nread rwsem. Consequently, a race condition leads to the use-after-free of\\nwatched_lines.\\n\\nHere is the typical stack when issue happened:\\n\\n[free]\\ngpio_chrdev_release()\\n --> bitmap_free(cdev->watched_lines) <-- freed\\n --> blocking_notifier_chain_unregister()\\n --> down_write(&nh->rwsem) <-- waiting rwsem\\n --> __down_write_common()\\n --> rwsem_down_write_slowpath()\\n --> schedule_preempt_disabled()\\n --> schedule()\\n\\n[use]\\nst54spi_gpio_dev_release()\\n --> gpio_free()\\n --> gpiod_free()\\n --> gpiod_free_commit()\\n --> gpiod_line_state_notify()\\n --> blocking_notifier_call_chain()\\n --> down_read(&nh->rwsem); <-- held rwsem\\n --> notifier_call_chain()\\n --> lineinfo_changed_notify()\\n --> test_bit(xxxx, cdev->watched_lines) <-- use after free\\n\\nThe side effect of the use-after-free issue is that a GPIO line event is\\nbeing generated for userspace where it shouldn't. However, since the chrdev\\nis being closed, userspace won't have the chance to read that event anyway.\\n\\nTo fix the issue, call the bitmap_free() function after the unregistration\\nof lineinfo_changed_nb notifier chain.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36900" + }, + { + "url": "https://git.kernel.org/stable/c/35d92abfbad88cf947c010baf34b075e40566095" + }, + { + "url": "https://git.kernel.org/stable/c/5c623fe0534806b627054da09b6f51b7b2f7b9cd" + }, + { + "url": "https://git.kernel.org/stable/c/72ede790f5a03c3957487400a1b72ebce293a2e7" + }, + { + "url": "https://git.kernel.org/stable/c/c98bc78ce0909ccc92005e2cb6609ec6c7942f69" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when devlink reload during initialization\n\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash.\n\nThis patch fixes this by registering the devlink after\nhardware initialization.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/35d92abfbad88cf947c010baf34b075e40566095\",\n \"https://git.kernel.org/stable/c/5c623fe0534806b627054da09b6f51b7b2f7b9cd\",\n \"https://git.kernel.org/stable/c/72ede790f5a03c3957487400a1b72ebce293a2e7\",\n \"https://git.kernel.org/stable/c/c98bc78ce0909ccc92005e2cb6609ec6c7942f69\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: hns3: fix kernel crash when devlink reload during initialization\\n\\nThe devlink reload process will access the hardware resources,\\nbut the register operation is done before the hardware is initialized.\\nSo, processing the devlink reload during initialization may lead to kernel\\ncrash.\\n\\nThis patch fixes this by registering the devlink after\\nhardware initialization.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36901", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36901" + }, + { + "url": "https://git.kernel.org/stable/c/2272e2db38f2e85929278146d7c770f22f528579" + }, + { + "url": "https://git.kernel.org/stable/c/4db783d68b9b39a411a96096c10828ff5dfada7a" + }, + { + "url": "https://git.kernel.org/stable/c/55f7eb4001ef2a3b48cf039cf263f9ed0ec5a488" + }, + { + "url": "https://git.kernel.org/stable/c/9df3b2474a627994433a87cbf325a562555b17de" + }, + { + "url": "https://git.kernel.org/stable/c/e31b25cc2066d3f2b6c38579253882008d4469b0" + }, + { + "url": "https://git.kernel.org/stable/c/ea0cb87402f774b0e1214ffba0f57028b27cf155" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36901 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36901", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent NULL dereference in ip6_output()\n\nAccording to syzbot, there is a chance that ip6_dst_idev()\nreturns NULL in ip6_output(). Most places in IPv6 stack\ndeal with a NULL idev just fine, but not here.\n\nsyzbot reported:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\nFS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\n sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\n sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\n sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\n sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\n sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\n sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\n __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\n sctp_connect net/sctp/socket.c:4819 [inline]\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36901\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36901\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36901\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36901\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36901\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2272e2db38f2e85929278146d7c770f22f528579\",\n \"https://git.kernel.org/stable/c/4db783d68b9b39a411a96096c10828ff5dfada7a\",\n \"https://git.kernel.org/stable/c/55f7eb4001ef2a3b48cf039cf263f9ed0ec5a488\",\n \"https://git.kernel.org/stable/c/9df3b2474a627994433a87cbf325a562555b17de\",\n \"https://git.kernel.org/stable/c/e31b25cc2066d3f2b6c38579253882008d4469b0\",\n \"https://git.kernel.org/stable/c/ea0cb87402f774b0e1214ffba0f57028b27cf155\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: prevent NULL dereference in ip6_output()\\n\\nAccording to syzbot, there is a chance that ip6_dst_idev()\\nreturns NULL in ip6_output(). Most places in IPv6 stack\\ndeal with a NULL idev just fine, but not here.\\n\\nsyzbot reported:\\n\\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\\nFS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n NF_HOOK include/linux/netfilter.h:314 [inline]\\n ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\\n sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\\n sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\\n sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\\n sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\\n sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\\n sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\\n sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\\n __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\\n sctp_connect net/sctp/socket.c:4819 [inline]\\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\\n __sys_connect_file net/socket.c:2048 [inline]\\n __sys_connect+0x2df/0x310 net/socket.c:2065\\n __do_sys_connect net/socket.c:2075 [inline]\\n __se_sys_connect net/socket.c:2072 [inline]\\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36901\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36902", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36902" + }, + { + "url": "https://git.kernel.org/stable/c/1876881c9a49613b5249fb400cbf53412d90cb09" + }, + { + "url": "https://git.kernel.org/stable/c/35297fc68de36826087e976f86a5b1f94fd0bf95" + }, + { + "url": "https://git.kernel.org/stable/c/4a5a573387da6a6b23a4cc62147453ff1bc32afa" + }, + { + "url": "https://git.kernel.org/stable/c/674c951ab8a23f7aff9b4c3f2f865901bc76a290" + }, + { + "url": "https://git.kernel.org/stable/c/7e3242c139c38e60844638e394c2877b16b396b0" + }, + { + "url": "https://git.kernel.org/stable/c/8745a8d74ba17dafe72b6ab461fa6c007d879747" + }, + { + "url": "https://git.kernel.org/stable/c/d101291b2681e5ab938554e3e323f7a7ee33e3aa" + }, + { + "url": "https://git.kernel.org/stable/c/ddec23f206a944c73bcc2724358b85388837daff" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36902 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36902", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\n\nsyzbot is able to trigger the following crash [1],\ncaused by unsafe ip6_dst_idev() use.\n\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\nFS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\n fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\n ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\n ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\n ip6_route_output include/net/ip6_route.h:93 [inline]\n ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\n ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\n sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\n sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\n sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\n sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\n __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\n sctp_connect net/sctp/socket.c:4819 [inline]\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36902\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36902\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36902\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36902\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36902\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1876881c9a49613b5249fb400cbf53412d90cb09\",\n \"https://git.kernel.org/stable/c/35297fc68de36826087e976f86a5b1f94fd0bf95\",\n \"https://git.kernel.org/stable/c/4a5a573387da6a6b23a4cc62147453ff1bc32afa\",\n \"https://git.kernel.org/stable/c/674c951ab8a23f7aff9b4c3f2f865901bc76a290\",\n \"https://git.kernel.org/stable/c/7e3242c139c38e60844638e394c2877b16b396b0\",\n \"https://git.kernel.org/stable/c/8745a8d74ba17dafe72b6ab461fa6c007d879747\",\n \"https://git.kernel.org/stable/c/d101291b2681e5ab938554e3e323f7a7ee33e3aa\",\n \"https://git.kernel.org/stable/c/ddec23f206a944c73bcc2724358b85388837daff\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\\n\\nsyzbot is able to trigger the following crash [1],\\ncaused by unsafe ip6_dst_idev() use.\\n\\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\\n\\n[1]\\n\\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\\nFS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\\n fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\\n ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\\n ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\\n ip6_route_output include/net/ip6_route.h:93 [inline]\\n ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\\n ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\\n sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\\n sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\\n sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\\n sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\\n __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\\n sctp_connect net/sctp/socket.c:4819 [inline]\\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\\n __sys_connect_file net/socket.c:2048 [inline]\\n __sys_connect+0x2df/0x310 net/socket.c:2065\\n __do_sys_connect net/socket.c:2075 [inline]\\n __se_sys_connect net/socket.c:2072 [inline]\\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36902\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36903", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36903" + }, + { + "url": "https://git.kernel.org/stable/c/2367bf254f3a27ecc6e229afd7a8b0a1395f7be3" + }, + { + "url": "https://git.kernel.org/stable/c/4e13d3a9c25b7080f8a619f961e943fe08c2672c" + }, + { + "url": "https://git.kernel.org/stable/c/68c8ba16ab712eb709c6bab80ff151079d11d97a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36903 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36903", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix potential uninit-value access in __ip6_make_skb()\n\nAs it was done in commit fc1092f51567 (\"ipv4: Fix uninit-value access in\n__ip_make_skb()\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags\ninstead of testing HDRINCL on the socket to avoid a race condition which\ncauses uninit-value access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36903\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36903\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36903\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36903\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36903\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2367bf254f3a27ecc6e229afd7a8b0a1395f7be3\",\n \"https://git.kernel.org/stable/c/4e13d3a9c25b7080f8a619f961e943fe08c2672c\",\n \"https://git.kernel.org/stable/c/68c8ba16ab712eb709c6bab80ff151079d11d97a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: Fix potential uninit-value access in __ip6_make_skb()\\n\\nAs it was done in commit fc1092f51567 (\\\"ipv4: Fix uninit-value access in\\n__ip_make_skb()\\\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags\\ninstead of testing HDRINCL on the socket to avoid a race condition which\\ncauses uninit-value access.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36903\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36904", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36904" + }, + { + "url": "https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446" + }, + { + "url": "https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3" + }, + { + "url": "https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34" + }, + { + "url": "https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8" + }, + { + "url": "https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc" + }, + { + "url": "https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc" + }, + { + "url": "https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9" + }, + { + "url": "https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36904 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36904", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\n\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\n\nSince commit ec94c2696f0b (\"tcp/dccp: avoid one atomic operation for\ntimewait hashdance\"), inet_twsk_hashdance() sets TIME-WAIT socket's\nsk_refcnt after putting it into ehash and releasing the bucket lock.\n\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\n\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\n\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\n\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n \n ? refcount_warn_saturate+0xe5/0x110\n ? __warn+0x81/0x130\n ? refcount_warn_saturate+0xe5/0x110\n ? report_bug+0x171/0x1a0\n ? refcount_warn_saturate+0xe5/0x110\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? refcount_warn_saturate+0xe5/0x110\n tcp_twsk_unique+0x186/0x190\n __inet_check_established+0x176/0x2d0\n __inet_hash_connect+0x74/0x7d0\n ? __pfx___inet_check_established+0x10/0x10\n tcp_v4_connect+0x278/0x530\n __inet_stream_connect+0x10f/0x3d0\n inet_stream_connect+0x3a/0x60\n __sys_connect+0xa8/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0x83/0x170\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36904\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36904\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36904\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36904\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36904\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446\",\n \"https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3\",\n \"https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34\",\n \"https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8\",\n \"https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc\",\n \"https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc\",\n \"https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9\",\n \"https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\\n\\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\\nwith nice analysis.\\n\\nSince commit ec94c2696f0b (\\\"tcp/dccp: avoid one atomic operation for\\ntimewait hashdance\\\"), inet_twsk_hashdance() sets TIME-WAIT socket's\\nsk_refcnt after putting it into ehash and releasing the bucket lock.\\n\\nThus, there is a small race window where other threads could try to\\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\\nfor the TIME-WAIT socket with zero refcnt.\\n\\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\\nand sock_put() will cause underflow, triggering a real use-after-free\\nsomewhere else.\\n\\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\\ntcp_twsk_unique() and give up on reusing the port if it returns false.\\n\\n[0]:\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? refcount_warn_saturate+0xe5/0x110\\n ? __warn+0x81/0x130\\n ? refcount_warn_saturate+0xe5/0x110\\n ? report_bug+0x171/0x1a0\\n ? refcount_warn_saturate+0xe5/0x110\\n ? handle_bug+0x3c/0x80\\n ? exc_invalid_op+0x17/0x70\\n ? asm_exc_invalid_op+0x1a/0x20\\n ? refcount_warn_saturate+0xe5/0x110\\n tcp_twsk_unique+0x186/0x190\\n __inet_check_established+0x176/0x2d0\\n __inet_hash_connect+0x74/0x7d0\\n ? __pfx___inet_check_established+0x10/0x10\\n tcp_v4_connect+0x278/0x530\\n __inet_stream_connect+0x10f/0x3d0\\n inet_stream_connect+0x3a/0x60\\n __sys_connect+0xa8/0xd0\\n __x64_sys_connect+0x18/0x20\\n do_syscall_64+0x83/0x170\\n entry_SYSCALL_64_after_hwframe+0x78/0x80\\nRIP: 0033:0x7f62c11a885d\\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36904\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36905" + }, + { + "url": "https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4" + }, + { + "url": "https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270" + }, + { + "url": "https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1" + }, + { + "url": "https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485" + }, + { + "url": "https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f" + }, + { + "url": "https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf" + }, + { + "url": "https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214" + }, + { + "url": "https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36905", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\n\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\n\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\n\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\n\n TCP_CLOSE\nconnect()\n TCP_SYN_SENT\n TCP_SYN_RECV\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\n TCP_FIN_WAIT1\n\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\n\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\n\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\n\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n \n tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x109/0x280 net/socket.c:1068\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n ___sys_recvmsg net/socket.c:2845 [inline]\n do_recvmmsg+0x474/0xae0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4\",\n \"https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270\",\n \"https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1\",\n \"https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485\",\n \"https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f\",\n \"https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf\",\n \"https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214\",\n \"https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\\n\\nTCP_SYN_RECV state is really special, it is only used by\\ncross-syn connections, mostly used by fuzzers.\\n\\nIn the following crash [1], syzbot managed to trigger a divide\\nby zero in tcp_rcv_space_adjust()\\n\\nA socket makes the following state transitions,\\nwithout ever calling tcp_init_transfer(),\\nmeaning tcp_init_buffer_space() is also not called.\\n\\n TCP_CLOSE\\nconnect()\\n TCP_SYN_SENT\\n TCP_SYN_RECV\\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\\n TCP_FIN_WAIT1\\n\\nTo fix this issue, change tcp_shutdown() to not\\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\\nwhich makes no sense anyway.\\n\\nWhen tcp_rcv_state_process() later changes socket state\\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\\nand send a FIN packet from a sane socket state.\\n\\nThis means tcp_send_fin() can now be called from BH\\ncontext, and must use GFP_ATOMIC allocations.\\n\\n[1]\\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\\nFS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\\nCall Trace:\\n \\n tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\\n tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\\n inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\\n sock_recvmsg_nosec net/socket.c:1046 [inline]\\n sock_recvmsg+0x109/0x280 net/socket.c:1068\\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\\n ___sys_recvmsg net/socket.c:2845 [inline]\\n do_recvmmsg+0x474/0xae0 net/socket.c:2939\\n __sys_recvmmsg net/socket.c:3018 [inline]\\n __do_sys_recvmmsg net/socket.c:3041 [inline]\\n __se_sys_recvmmsg net/socket.c:3034 [inline]\\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7faeb6363db9\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36906", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36906" + }, + { + "url": "https://git.kernel.org/stable/c/20ac71bee028ffbae4fc14ed679b23b4d3e95726" + }, + { + "url": "https://git.kernel.org/stable/c/ad702338fe423cb1e79745787090317256a98dab" + }, + { + "url": "https://git.kernel.org/stable/c/b26f353786d365e658cebc9a9ace88e04fc2325e" + }, + { + "url": "https://git.kernel.org/stable/c/c4238686f9093b98bd6245a348bcf059cdce23af" + }, + { + "url": "https://git.kernel.org/stable/c/ee0ce7573e5083031960faf602c9db693ab5b477" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36906 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36906", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9381/1: kasan: clear stale stack poison\n\nWe found below OOB crash:\n\n[ 33.452494] ==================================================================\n[ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[ 33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0\n[ 33.455515]\n[ 33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.1.25-mainline #1\n[ 33.456880] Hardware name: Generic DT based system\n[ 33.457555] unwind_backtrace from show_stack+0x18/0x1c\n[ 33.458326] show_stack from dump_stack_lvl+0x40/0x4c\n[ 33.459072] dump_stack_lvl from print_report+0x158/0x4a4\n[ 33.459863] print_report from kasan_report+0x9c/0x148\n[ 33.460616] kasan_report from kasan_check_range+0x94/0x1a0\n[ 33.461424] kasan_check_range from memset+0x20/0x3c\n[ 33.462157] memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[ 33.463064] refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c\n[ 33.464181] tick_nohz_idle_stop_tick from do_idle+0x264/0x354\n[ 33.465029] do_idle from cpu_startup_entry+0x20/0x24\n[ 33.465769] cpu_startup_entry from rest_init+0xf0/0xf4\n[ 33.466528] rest_init from arch_post_acpi_subsys_init+0x0/0x18\n[ 33.467397]\n[ 33.467644] The buggy address belongs to stack of task swapper/0/0\n[ 33.468493] and is located at offset 112 in frame:\n[ 33.469172] refresh_cpu_vm_stats.constprop.0+0x0/0x2ec\n[ 33.469917]\n[ 33.470165] This frame has 2 objects:\n[ 33.470696] [32, 76) 'global_zone_diff'\n[ 33.470729] [112, 276) 'global_node_diff'\n[ 33.471294]\n[ 33.472095] The buggy address belongs to the physical page:\n[ 33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03\n[ 33.473944] flags: 0x1000(reserved|zone=0)\n[ 33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001\n[ 33.475656] raw: 00000000\n[ 33.476050] page dumped because: kasan: bad access detected\n[ 33.476816]\n[ 33.477061] Memory state around the buggy address:\n[ 33.477732] c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 33.478630] c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00\n[ 33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1\n[ 33.480415] ^\n[ 33.481195] c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3\n[ 33.482088] c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n[ 33.482978] ==================================================================\n\nWe find the root cause of this OOB is that arm does not clear stale stack\npoison in the case of cpuidle.\n\nThis patch refer to arch/arm64/kernel/sleep.S to resolve this issue.\n\nFrom cited commit [1] that explain the problem\n\nFunctions which the compiler has instrumented for KASAN place poison on\nthe stack shadow upon entry and remove this poison prior to returning.\n\nIn the case of cpuidle, CPUs exit the kernel a number of levels deep in\nC code. Any instrumented functions on this critical path will leave\nportions of the stack shadow poisoned.\n\nIf CPUs lose context and return to the kernel via a cold path, we\nrestore a prior context saved in __cpu_suspend_enter are forgotten, and\nwe never remove the poison they placed in the stack shadow area by\nfunctions calls between this and the actual exit of the kernel.\n\nThus, (depending on stackframe layout) subsequent calls to instrumented\nfunctions may hit this stale poison, resulting in (spurious) KASAN\nsplats to the console.\n\nTo avoid this, clear any stale poison from the idle thread for a CPU\nprior to bringing a CPU online.\n\nFrom cited commit [2]\n\nExtend to check for CONFIG_KASAN_STACK\n\n[1] commit 0d97e6d8024c (\"arm64: kasan: clear stale stack poison\")\n[2] commit d56a9ef84bd0 (\"kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36906\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36906\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36906\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36906\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36906\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/20ac71bee028ffbae4fc14ed679b23b4d3e95726\",\n \"https://git.kernel.org/stable/c/ad702338fe423cb1e79745787090317256a98dab\",\n \"https://git.kernel.org/stable/c/b26f353786d365e658cebc9a9ace88e04fc2325e\",\n \"https://git.kernel.org/stable/c/c4238686f9093b98bd6245a348bcf059cdce23af\",\n \"https://git.kernel.org/stable/c/ee0ce7573e5083031960faf602c9db693ab5b477\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nARM: 9381/1: kasan: clear stale stack poison\\n\\nWe found below OOB crash:\\n\\n[ 33.452494] ==================================================================\\n[ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\\n[ 33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0\\n[ 33.455515]\\n[ 33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.1.25-mainline #1\\n[ 33.456880] Hardware name: Generic DT based system\\n[ 33.457555] unwind_backtrace from show_stack+0x18/0x1c\\n[ 33.458326] show_stack from dump_stack_lvl+0x40/0x4c\\n[ 33.459072] dump_stack_lvl from print_report+0x158/0x4a4\\n[ 33.459863] print_report from kasan_report+0x9c/0x148\\n[ 33.460616] kasan_report from kasan_check_range+0x94/0x1a0\\n[ 33.461424] kasan_check_range from memset+0x20/0x3c\\n[ 33.462157] memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\\n[ 33.463064] refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c\\n[ 33.464181] tick_nohz_idle_stop_tick from do_idle+0x264/0x354\\n[ 33.465029] do_idle from cpu_startup_entry+0x20/0x24\\n[ 33.465769] cpu_startup_entry from rest_init+0xf0/0xf4\\n[ 33.466528] rest_init from arch_post_acpi_subsys_init+0x0/0x18\\n[ 33.467397]\\n[ 33.467644] The buggy address belongs to stack of task swapper/0/0\\n[ 33.468493] and is located at offset 112 in frame:\\n[ 33.469172] refresh_cpu_vm_stats.constprop.0+0x0/0x2ec\\n[ 33.469917]\\n[ 33.470165] This frame has 2 objects:\\n[ 33.470696] [32, 76) 'global_zone_diff'\\n[ 33.470729] [112, 276) 'global_node_diff'\\n[ 33.471294]\\n[ 33.472095] The buggy address belongs to the physical page:\\n[ 33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03\\n[ 33.473944] flags: 0x1000(reserved|zone=0)\\n[ 33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001\\n[ 33.475656] raw: 00000000\\n[ 33.476050] page dumped because: kasan: bad access detected\\n[ 33.476816]\\n[ 33.477061] Memory state around the buggy address:\\n[ 33.477732] c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n[ 33.478630] c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00\\n[ 33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1\\n[ 33.480415] ^\\n[ 33.481195] c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3\\n[ 33.482088] c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\\n[ 33.482978] ==================================================================\\n\\nWe find the root cause of this OOB is that arm does not clear stale stack\\npoison in the case of cpuidle.\\n\\nThis patch refer to arch/arm64/kernel/sleep.S to resolve this issue.\\n\\nFrom cited commit [1] that explain the problem\\n\\nFunctions which the compiler has instrumented for KASAN place poison on\\nthe stack shadow upon entry and remove this poison prior to returning.\\n\\nIn the case of cpuidle, CPUs exit the kernel a number of levels deep in\\nC code. Any instrumented functions on this critical path will leave\\nportions of the stack shadow poisoned.\\n\\nIf CPUs lose context and return to the kernel via a cold path, we\\nrestore a prior context saved in __cpu_suspend_enter are forgotten, and\\nwe never remove the poison they placed in the stack shadow area by\\nfunctions calls between this and the actual exit of the kernel.\\n\\nThus, (depending on stackframe layout) subsequent calls to instrumented\\nfunctions may hit this stale poison, resulting in (spurious) KASAN\\nsplats to the console.\\n\\nTo avoid this, clear any stale poison from the idle thread for a CPU\\nprior to bringing a CPU online.\\n\\nFrom cited commit [2]\\n\\nExtend to check for CONFIG_KASAN_STACK\\n\\n[1] commit 0d97e6d8024c (\\\"arm64: kasan: clear stale stack poison\\\")\\n[2] commit d56a9ef84bd0 (\\\"kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK\\\")\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36906\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36907", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36907" + }, + { + "url": "https://git.kernel.org/stable/c/024f7744bd09cb2a47a0a96b9c8ad08109de99cc" + }, + { + "url": "https://git.kernel.org/stable/c/8e088a20dbe33919695a8082c0b32deb62d23b4a" + }, + { + "url": "https://git.kernel.org/stable/c/9b332c72299f2ac284ab3d7c0301969b933e4ca1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36907 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36907", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: add a missing rpc_stat for TCP TLS\n\nCommit 1548036ef120 (\"nfs: make the rpc_stat per net namespace\") added\nfunctionality to specify rpc_stats function but missed adding it to the\nTCP TLS functionality. As the result, mounting with xprtsec=tls lead to\nthe following kernel oops.\n\n[ 128.984192] Unable to handle kernel NULL pointer dereference at\nvirtual address 000000000000001c\n[ 128.985058] Mem abort info:\n[ 128.985372] ESR = 0x0000000096000004\n[ 128.985709] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 128.986176] SET = 0, FnV = 0\n[ 128.986521] EA = 0, S1PTW = 0\n[ 128.986804] FSC = 0x04: level 0 translation fault\n[ 128.987229] Data abort info:\n[ 128.987597] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 128.988169] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 128.988811] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 128.989302] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106c84000\n[ 128.990048] [000000000000001c] pgd=0000000000000000, p4d=0000000000000000\n[ 128.990736] Internal error: Oops: 0000000096000004 [#1] SMP\n[ 128.991168] Modules linked in: nfs_layout_nfsv41_files\nrpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace netfs\nuinput dm_mod nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill\nip_set nf_tables nfnetlink qrtr vsock_loopback\nvmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock\nsunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc\nvideobuf2_v4l2 videodev videobuf2_common mc vmw_vmci xfs libcrc32c\ne1000e crct10dif_ce ghash_ce sha2_ce vmwgfx nvme sha256_arm64\nnvme_core sr_mod cdrom sha1_ce drm_ttm_helper ttm drm_kms_helper drm\nsg fuse\n[ 128.996466] CPU: 0 PID: 179 Comm: kworker/u4:26 Kdump: loaded Not\ntainted 6.8.0-rc6+ #12\n[ 128.997226] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS\nVMW201.00V.21805430.BA64.2305221830 05/22/2023\n[ 128.998084] Workqueue: xprtiod xs_tcp_tls_setup_socket [sunrpc]\n[ 128.998701] pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 128.999384] pc : call_start+0x74/0x138 [sunrpc]\n[ 128.999809] lr : __rpc_execute+0xb8/0x3e0 [sunrpc]\n[ 129.000244] sp : ffff8000832b3a00\n[ 129.000508] x29: ffff8000832b3a00 x28: ffff800081ac79c0 x27: ffff800081ac7000\n[ 129.001111] x26: 0000000004248060 x25: 0000000000000000 x24: ffff800081596008\n[ 129.001757] x23: ffff80007b087240 x22: ffff00009a509d30 x21: 0000000000000000\n[ 129.002345] x20: ffff000090075600 x19: ffff00009a509d00 x18: ffffffffffffffff\n[ 129.002912] x17: 733d4d4554535953 x16: 42555300312d746e x15: ffff8000832b3a88\n[ 129.003464] x14: ffffffffffffffff x13: ffff8000832b3a7d x12: 0000000000000008\n[ 129.004021] x11: 0101010101010101 x10: ffff8000150cb560 x9 : ffff80007b087c00\n[ 129.004577] x8 : ffff00009a509de0 x7 : 0000000000000000 x6 : 00000000be8c4ee3\n[ 129.005026] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff000094d56680\n[ 129.005425] x2 : ffff80007b0637f8 x1 : ffff000090075600 x0 : ffff00009a509d00\n[ 129.005824] Call trace:\n[ 129.005967] call_start+0x74/0x138 [sunrpc]\n[ 129.006233] __rpc_execute+0xb8/0x3e0 [sunrpc]\n[ 129.006506] rpc_execute+0x160/0x1d8 [sunrpc]\n[ 129.006778] rpc_run_task+0x148/0x1f8 [sunrpc]\n[ 129.007204] tls_probe+0x80/0xd0 [sunrpc]\n[ 129.007460] rpc_ping+0x28/0x80 [sunrpc]\n[ 129.007715] rpc_create_xprt+0x134/0x1a0 [sunrpc]\n[ 129.007999] rpc_create+0x128/0x2a0 [sunrpc]\n[ 129.008264] xs_tcp_tls_setup_socket+0xdc/0x508 [sunrpc]\n[ 129.008583] process_one_work+0x174/0x3c8\n[ 129.008813] worker_thread+0x2c8/0x3e0\n[ 129.009033] kthread+0x100/0x110\n[ 129.009225] ret_from_fork+0x10/0x20\n[ 129.009432] Code: f0ffffc2 911fe042 aa1403e1 aa1303e0 (b9401c83)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36907\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36907\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36907\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36907\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36907\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/024f7744bd09cb2a47a0a96b9c8ad08109de99cc\",\n \"https://git.kernel.org/stable/c/8e088a20dbe33919695a8082c0b32deb62d23b4a\",\n \"https://git.kernel.org/stable/c/9b332c72299f2ac284ab3d7c0301969b933e4ca1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSUNRPC: add a missing rpc_stat for TCP TLS\\n\\nCommit 1548036ef120 (\\\"nfs: make the rpc_stat per net namespace\\\") added\\nfunctionality to specify rpc_stats function but missed adding it to the\\nTCP TLS functionality. As the result, mounting with xprtsec=tls lead to\\nthe following kernel oops.\\n\\n[ 128.984192] Unable to handle kernel NULL pointer dereference at\\nvirtual address 000000000000001c\\n[ 128.985058] Mem abort info:\\n[ 128.985372] ESR = 0x0000000096000004\\n[ 128.985709] EC = 0x25: DABT (current EL), IL = 32 bits\\n[ 128.986176] SET = 0, FnV = 0\\n[ 128.986521] EA = 0, S1PTW = 0\\n[ 128.986804] FSC = 0x04: level 0 translation fault\\n[ 128.987229] Data abort info:\\n[ 128.987597] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\\n[ 128.988169] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n[ 128.988811] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n[ 128.989302] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106c84000\\n[ 128.990048] [000000000000001c] pgd=0000000000000000, p4d=0000000000000000\\n[ 128.990736] Internal error: Oops: 0000000096000004 [#1] SMP\\n[ 128.991168] Modules linked in: nfs_layout_nfsv41_files\\nrpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace netfs\\nuinput dm_mod nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill\\nip_set nf_tables nfnetlink qrtr vsock_loopback\\nvmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock\\nsunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc\\nvideobuf2_v4l2 videodev videobuf2_common mc vmw_vmci xfs libcrc32c\\ne1000e crct10dif_ce ghash_ce sha2_ce vmwgfx nvme sha256_arm64\\nnvme_core sr_mod cdrom sha1_ce drm_ttm_helper ttm drm_kms_helper drm\\nsg fuse\\n[ 128.996466] CPU: 0 PID: 179 Comm: kworker/u4:26 Kdump: loaded Not\\ntainted 6.8.0-rc6+ #12\\n[ 128.997226] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS\\nVMW201.00V.21805430.BA64.2305221830 05/22/2023\\n[ 128.998084] Workqueue: xprtiod xs_tcp_tls_setup_socket [sunrpc]\\n[ 128.998701] pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\\n[ 128.999384] pc : call_start+0x74/0x138 [sunrpc]\\n[ 128.999809] lr : __rpc_execute+0xb8/0x3e0 [sunrpc]\\n[ 129.000244] sp : ffff8000832b3a00\\n[ 129.000508] x29: ffff8000832b3a00 x28: ffff800081ac79c0 x27: ffff800081ac7000\\n[ 129.001111] x26: 0000000004248060 x25: 0000000000000000 x24: ffff800081596008\\n[ 129.001757] x23: ffff80007b087240 x22: ffff00009a509d30 x21: 0000000000000000\\n[ 129.002345] x20: ffff000090075600 x19: ffff00009a509d00 x18: ffffffffffffffff\\n[ 129.002912] x17: 733d4d4554535953 x16: 42555300312d746e x15: ffff8000832b3a88\\n[ 129.003464] x14: ffffffffffffffff x13: ffff8000832b3a7d x12: 0000000000000008\\n[ 129.004021] x11: 0101010101010101 x10: ffff8000150cb560 x9 : ffff80007b087c00\\n[ 129.004577] x8 : ffff00009a509de0 x7 : 0000000000000000 x6 : 00000000be8c4ee3\\n[ 129.005026] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff000094d56680\\n[ 129.005425] x2 : ffff80007b0637f8 x1 : ffff000090075600 x0 : ffff00009a509d00\\n[ 129.005824] Call trace:\\n[ 129.005967] call_start+0x74/0x138 [sunrpc]\\n[ 129.006233] __rpc_execute+0xb8/0x3e0 [sunrpc]\\n[ 129.006506] rpc_execute+0x160/0x1d8 [sunrpc]\\n[ 129.006778] rpc_run_task+0x148/0x1f8 [sunrpc]\\n[ 129.007204] tls_probe+0x80/0xd0 [sunrpc]\\n[ 129.007460] rpc_ping+0x28/0x80 [sunrpc]\\n[ 129.007715] rpc_create_xprt+0x134/0x1a0 [sunrpc]\\n[ 129.007999] rpc_create+0x128/0x2a0 [sunrpc]\\n[ 129.008264] xs_tcp_tls_setup_socket+0xdc/0x508 [sunrpc]\\n[ 129.008583] process_one_work+0x174/0x3c8\\n[ 129.008813] worker_thread+0x2c8/0x3e0\\n[ 129.009033] kthread+0x100/0x110\\n[ 129.009225] ret_from_fork+0x10/0x20\\n[ 129.009432] Code: f0ffffc2 911fe042 aa1403e1 aa1303e0 (b9401c83)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36907\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36908", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36908" + }, + { + "url": "https://git.kernel.org/stable/c/01bc4fda9ea0a6b52f12326486f07a4910666cf6" + }, + { + "url": "https://git.kernel.org/stable/c/14b3275f93d4a0d8ddc02195bc4e9869b7a3700e" + }, + { + "url": "https://git.kernel.org/stable/c/1c172ac7afe4442964f4153b2c78fe4e005d9d67" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36908 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36908", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: do not WARN if iocg was already offlined\n\nIn iocg_pay_debt(), warn is triggered if 'active_list' is empty, which\nis intended to confirm iocg is active when it has debt. However, warn\ncan be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn()\nis run at that time:\n\n WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190\n Call trace:\n iocg_pay_debt+0x14c/0x190\n iocg_kick_waitq+0x438/0x4c0\n iocg_waitq_timer_fn+0xd8/0x130\n __run_hrtimer+0x144/0x45c\n __hrtimer_run_queues+0x16c/0x244\n hrtimer_interrupt+0x2cc/0x7b0\n\nThe warn in this situation is meaningless. Since this iocg is being\nremoved, the state of the 'active_list' is irrelevant, and 'waitq_timer'\nis canceled after removing 'active_list' in ioc_pd_free(), which ensures\niocg is freed after iocg_waitq_timer_fn() returns.\n\nTherefore, add the check if iocg was already offlined to avoid warn\nwhen removing a blkcg or disk.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36908\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36908\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36908\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36908\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36908\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01bc4fda9ea0a6b52f12326486f07a4910666cf6\",\n \"https://git.kernel.org/stable/c/14b3275f93d4a0d8ddc02195bc4e9869b7a3700e\",\n \"https://git.kernel.org/stable/c/1c172ac7afe4442964f4153b2c78fe4e005d9d67\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblk-iocost: do not WARN if iocg was already offlined\\n\\nIn iocg_pay_debt(), warn is triggered if 'active_list' is empty, which\\nis intended to confirm iocg is active when it has debt. However, warn\\ncan be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn()\\nis run at that time:\\n\\n WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190\\n Call trace:\\n iocg_pay_debt+0x14c/0x190\\n iocg_kick_waitq+0x438/0x4c0\\n iocg_waitq_timer_fn+0xd8/0x130\\n __run_hrtimer+0x144/0x45c\\n __hrtimer_run_queues+0x16c/0x244\\n hrtimer_interrupt+0x2cc/0x7b0\\n\\nThe warn in this situation is meaningless. Since this iocg is being\\nremoved, the state of the 'active_list' is irrelevant, and 'waitq_timer'\\nis canceled after removing 'active_list' in ioc_pd_free(), which ensures\\niocg is freed after iocg_waitq_timer_fn() returns.\\n\\nTherefore, add the check if iocg was already offlined to avoid warn\\nwhen removing a blkcg or disk.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36908\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36909", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36909" + }, + { + "url": "https://git.kernel.org/stable/c/2f622008bf784a9f5dd17baa19223cc2ac30a039" + }, + { + "url": "https://git.kernel.org/stable/c/30d18df6567be09c1433e81993e35e3da573ac48" + }, + { + "url": "https://git.kernel.org/stable/c/82f9e213b124a7d2bb5b16ea35d570260ef467e0" + }, + { + "url": "https://git.kernel.org/stable/c/a9212a4e2963a7fbe3864ba33dc551d4ad8d0abb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36909 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36909", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe VMBus ring buffer code could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the struct\nvmbus_gpadl for the ring buffers to decide whether to free the memory.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36909\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36909\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36909\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36909\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36909\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f622008bf784a9f5dd17baa19223cc2ac30a039\",\n \"https://git.kernel.org/stable/c/30d18df6567be09c1433e81993e35e3da573ac48\",\n \"https://git.kernel.org/stable/c/82f9e213b124a7d2bb5b16ea35d570260ef467e0\",\n \"https://git.kernel.org/stable/c/a9212a4e2963a7fbe3864ba33dc551d4ad8d0abb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nDrivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted\\n\\nIn CoCo VMs it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nThe VMBus ring buffer code could free decrypted/shared pages if\\nset_memory_decrypted() fails. Check the decrypted field in the struct\\nvmbus_gpadl for the ring buffers to decide whether to free the memory.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36909\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36910", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36910" + }, + { + "url": "https://git.kernel.org/stable/c/3d788b2fbe6a1a1a9e3db09742b90809d51638b7" + }, + { + "url": "https://git.kernel.org/stable/c/6466a0f6d235c8a18c602cb587160d7e49876db9" + }, + { + "url": "https://git.kernel.org/stable/c/dabf12bf994318d939f70d47cfda30e47abb2c54" + }, + { + "url": "https://git.kernel.org/stable/c/fe2c58602354fbd60680dc42ac3a0b772cda7d23" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36910 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36910", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Don't free decrypted memory\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe VMBus device UIO driver could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\nto decide whether to free the memory.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36910\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36910\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36910\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36910\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36910\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3d788b2fbe6a1a1a9e3db09742b90809d51638b7\",\n \"https://git.kernel.org/stable/c/6466a0f6d235c8a18c602cb587160d7e49876db9\",\n \"https://git.kernel.org/stable/c/dabf12bf994318d939f70d47cfda30e47abb2c54\",\n \"https://git.kernel.org/stable/c/fe2c58602354fbd60680dc42ac3a0b772cda7d23\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nuio_hv_generic: Don't free decrypted memory\\n\\nIn CoCo VMs it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nThe VMBus device UIO driver could free decrypted/shared pages if\\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\\nto decide whether to free the memory.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36910\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36911", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36911" + }, + { + "url": "https://git.kernel.org/stable/c/4aaed9dbe8acd2b6114458f0498a617283d6275b" + }, + { + "url": "https://git.kernel.org/stable/c/a56fe611326332bf6b7126e5559590c57dcebad4" + }, + { + "url": "https://git.kernel.org/stable/c/bbf9ac34677b57506a13682b31a2a718934c0e31" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36911 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36911", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Don't free decrypted memory\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe netvsc driver could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\nto decide whether to free the memory.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36911\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36911\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36911\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36911\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36911\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4aaed9dbe8acd2b6114458f0498a617283d6275b\",\n \"https://git.kernel.org/stable/c/a56fe611326332bf6b7126e5559590c57dcebad4\",\n \"https://git.kernel.org/stable/c/bbf9ac34677b57506a13682b31a2a718934c0e31\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhv_netvsc: Don't free decrypted memory\\n\\nIn CoCo VMs it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nThe netvsc driver could free decrypted/shared pages if\\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\\nto decide whether to free the memory.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36911\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36912", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36912" + }, + { + "url": "https://git.kernel.org/stable/c/1999644d95194d4a58d3e80ad04ce19220a01a81" + }, + { + "url": "https://git.kernel.org/stable/c/211f514ebf1ef5de37b1cf6df9d28a56cfd242ca" + }, + { + "url": "https://git.kernel.org/stable/c/8e62341f5c45b27519b7d193bcc32ada416ad9d8" + }, + { + "url": "https://git.kernel.org/stable/c/bfae56be077ba14311509e70706a13458f87ea99" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36912 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36912", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Track decrypted status in vmbus_gpadl\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nIn order to make sure callers of vmbus_establish_gpadl() and\nvmbus_teardown_gpadl() don't return decrypted/shared pages to\nallocators, add a field in struct vmbus_gpadl to keep track of the\ndecryption status of the buffers. This will allow the callers to\nknow if they should free or leak the pages.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36912\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36912\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36912\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36912\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36912\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1999644d95194d4a58d3e80ad04ce19220a01a81\",\n \"https://git.kernel.org/stable/c/211f514ebf1ef5de37b1cf6df9d28a56cfd242ca\",\n \"https://git.kernel.org/stable/c/8e62341f5c45b27519b7d193bcc32ada416ad9d8\",\n \"https://git.kernel.org/stable/c/bfae56be077ba14311509e70706a13458f87ea99\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nDrivers: hv: vmbus: Track decrypted status in vmbus_gpadl\\n\\nIn CoCo VMs it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nIn order to make sure callers of vmbus_establish_gpadl() and\\nvmbus_teardown_gpadl() don't return decrypted/shared pages to\\nallocators, add a field in struct vmbus_gpadl to keep track of the\\ndecryption status of the buffers. This will allow the callers to\\nknow if they should free or leak the pages.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.1,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36912\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36913", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36913" + }, + { + "url": "https://git.kernel.org/stable/c/03f5a999adba062456c8c818a683beb1b498983a" + }, + { + "url": "https://git.kernel.org/stable/c/6123a4e8e25bd40cf44db14694abac00e6b664e6" + }, + { + "url": "https://git.kernel.org/stable/c/e813a0fc2e597146e9cebea61ced9c796d4e308f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36913 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36913", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Leak pages if set_memory_encrypted() fails\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nVMBus code could free decrypted pages if set_memory_encrypted()/decrypted()\nfails. Leak the pages if this happens.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36913\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36913\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36913\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36913\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36913\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03f5a999adba062456c8c818a683beb1b498983a\",\n \"https://git.kernel.org/stable/c/6123a4e8e25bd40cf44db14694abac00e6b664e6\",\n \"https://git.kernel.org/stable/c/e813a0fc2e597146e9cebea61ced9c796d4e308f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nDrivers: hv: vmbus: Leak pages if set_memory_encrypted() fails\\n\\nIn CoCo VMs it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nVMBus code could free decrypted pages if set_memory_encrypted()/decrypted()\\nfails. Leak the pages if this happens.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.1,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36913\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36914", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36914" + }, + { + "url": "https://git.kernel.org/stable/c/951a498fa993c5501994ec2df97c9297b02488c7" + }, + { + "url": "https://git.kernel.org/stable/c/e9baa7110e9f3756bd5a812af376c288d9be894d" + }, + { + "url": "https://git.kernel.org/stable/c/ecedd99a9369fb5cde601ae9abd58bca2739f1ae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36914 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36914", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip on writeback when it's not applicable\n\n[WHY]\ndynamic memory safety error detector (KASAN) catches and generates error\nmessages \"BUG: KASAN: slab-out-of-bounds\" as writeback connector does not\nsupport certain features which are not initialized.\n\n[HOW]\nSkip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36914\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36914\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36914\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36914\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36914\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/951a498fa993c5501994ec2df97c9297b02488c7\",\n \"https://git.kernel.org/stable/c/e9baa7110e9f3756bd5a812af376c288d9be894d\",\n \"https://git.kernel.org/stable/c/ecedd99a9369fb5cde601ae9abd58bca2739f1ae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Skip on writeback when it's not applicable\\n\\n[WHY]\\ndynamic memory safety error detector (KASAN) catches and generates error\\nmessages \\\"BUG: KASAN: slab-out-of-bounds\\\" as writeback connector does not\\nsupport certain features which are not initialized.\\n\\n[HOW]\\nSkip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36914\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36915", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36915" + }, + { + "url": "https://git.kernel.org/stable/c/0f106133203021533cb753e80d75896f4ad222f8" + }, + { + "url": "https://git.kernel.org/stable/c/29dc0ea979d433dd3c26abc8fa971550bdc05107" + }, + { + "url": "https://git.kernel.org/stable/c/7a87441c9651ba37842f4809224aca13a554a26f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36915 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36915", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: fix nfc_llcp_setsockopt() unsafe copies\n\nsyzbot reported unsafe calls to copy_from_sockptr() [1]\n\nUse copy_safe_from_sockptr() instead.\n\n[1]\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\nRead of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078\n\nCPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\n do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfd/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7f7fac07fd89\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89\nRDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36915\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36915\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36915\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36915\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36915\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f106133203021533cb753e80d75896f4ad222f8\",\n \"https://git.kernel.org/stable/c/29dc0ea979d433dd3c26abc8fa971550bdc05107\",\n \"https://git.kernel.org/stable/c/7a87441c9651ba37842f4809224aca13a554a26f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc: llcp: fix nfc_llcp_setsockopt() unsafe copies\\n\\nsyzbot reported unsafe calls to copy_from_sockptr() [1]\\n\\nUse copy_safe_from_sockptr() instead.\\n\\n[1]\\n\\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\\nRead of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078\\n\\nCPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\\n do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311\\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\\n __do_sys_setsockopt net/socket.c:2343 [inline]\\n __se_sys_setsockopt net/socket.c:2340 [inline]\\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\\n do_syscall_64+0xfd/0x240\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\nRIP: 0033:0x7f7fac07fd89\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89\\nRDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004\\nRBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000\\nR10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000\\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36915\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36916", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36916" + }, + { + "url": "https://git.kernel.org/stable/c/488dc6808cb8369685f18cee81e88e7052ac153b" + }, + { + "url": "https://git.kernel.org/stable/c/62accf6c1d7b433752cb3591bba8967b7a801ad5" + }, + { + "url": "https://git.kernel.org/stable/c/844fc023e9f14a4fb1de5ae1eaefafd6d69c5fa1" + }, + { + "url": "https://git.kernel.org/stable/c/beaa51b36012fad5a4d3c18b88a617aea7a9b96d" + }, + { + "url": "https://git.kernel.org/stable/c/ce0e99cae00e3131872936713b7f55eefd53ab86" + }, + { + "url": "https://git.kernel.org/stable/c/f6add0a6f78dc6360b822ca4b6f9f2f14174c8ca" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36916 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36916", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: avoid out of bounds shift\n\nUBSAN catches undefined behavior in blk-iocost, where sometimes\niocg->delay is shifted right by a number that is too large,\nresulting in undefined behavior on some architectures.\n\n[ 186.556576] ------------[ cut here ]------------\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23\nshift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')\nCPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1\nHardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020\nCall Trace:\n \n dump_stack_lvl+0x8f/0xe0\n __ubsan_handle_shift_out_of_bounds+0x22c/0x280\n iocg_kick_delay+0x30b/0x310\n ioc_timer_fn+0x2fb/0x1f80\n __run_timer_base+0x1b6/0x250\n...\n\nAvoid that undefined behavior by simply taking the\n\"delay = 0\" branch if the shift is too large.\n\nI am not sure what the symptoms of an undefined value\ndelay will be, but I suspect it could be more than a\nlittle annoying to debug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36916\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36916\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36916\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36916\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36916\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/488dc6808cb8369685f18cee81e88e7052ac153b\",\n \"https://git.kernel.org/stable/c/62accf6c1d7b433752cb3591bba8967b7a801ad5\",\n \"https://git.kernel.org/stable/c/844fc023e9f14a4fb1de5ae1eaefafd6d69c5fa1\",\n \"https://git.kernel.org/stable/c/beaa51b36012fad5a4d3c18b88a617aea7a9b96d\",\n \"https://git.kernel.org/stable/c/ce0e99cae00e3131872936713b7f55eefd53ab86\",\n \"https://git.kernel.org/stable/c/f6add0a6f78dc6360b822ca4b6f9f2f14174c8ca\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblk-iocost: avoid out of bounds shift\\n\\nUBSAN catches undefined behavior in blk-iocost, where sometimes\\niocg->delay is shifted right by a number that is too large,\\nresulting in undefined behavior on some architectures.\\n\\n[ 186.556576] ------------[ cut here ]------------\\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23\\nshift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')\\nCPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1\\nHardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020\\nCall Trace:\\n \\n dump_stack_lvl+0x8f/0xe0\\n __ubsan_handle_shift_out_of_bounds+0x22c/0x280\\n iocg_kick_delay+0x30b/0x310\\n ioc_timer_fn+0x2fb/0x1f80\\n __run_timer_base+0x1b6/0x250\\n...\\n\\nAvoid that undefined behavior by simply taking the\\n\\\"delay = 0\\\" branch if the shift is too large.\\n\\nI am not sure what the symptoms of an undefined value\\ndelay will be, but I suspect it could be more than a\\nlittle annoying to debug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36916\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36917", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36917" + }, + { + "url": "https://git.kernel.org/stable/c/22d24a544b0d49bbcbd61c8c0eaf77d3c9297155" + }, + { + "url": "https://git.kernel.org/stable/c/507d526a98c355e6f3fb2c47aacad44a69784bee" + }, + { + "url": "https://git.kernel.org/stable/c/8a26198186e97ee5fc4b42fde82629cff8c75cd6" + }, + { + "url": "https://git.kernel.org/stable/c/e1d38cde2b7b0fbd1c48082e7a98c37d750af59b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36917 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36917", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix overflow in blk_ioctl_discard()\n\nThere is no check for overflow of 'start + len' in blk_ioctl_discard().\nHung task occurs if submit an discard ioctl with the following param:\n start = 0x80000000000ff000, len = 0x8000000000fff000;\nAdd the overflow validation now.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36917\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36917\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36917\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36917\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36917\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22d24a544b0d49bbcbd61c8c0eaf77d3c9297155\",\n \"https://git.kernel.org/stable/c/507d526a98c355e6f3fb2c47aacad44a69784bee\",\n \"https://git.kernel.org/stable/c/8a26198186e97ee5fc4b42fde82629cff8c75cd6\",\n \"https://git.kernel.org/stable/c/e1d38cde2b7b0fbd1c48082e7a98c37d750af59b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: fix overflow in blk_ioctl_discard()\\n\\nThere is no check for overflow of 'start + len' in blk_ioctl_discard().\\nHung task occurs if submit an discard ioctl with the following param:\\n start = 0x80000000000ff000, len = 0x8000000000fff000;\\nAdd the overflow validation now.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36917\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36918", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36918" + }, + { + "url": "https://git.kernel.org/stable/c/608e13706c8b6c658a0646f09ebced74ec367f7c" + }, + { + "url": "https://git.kernel.org/stable/c/a8d89feba7e54e691ca7c4efc2a6264fa83f3687" + }, + { + "url": "https://git.kernel.org/stable/c/c418afb9bf23e2f2b76cb819601e4a5d9dbab42d" + }, + { + "url": "https://git.kernel.org/stable/c/fa6995eeb62e74b5a1480c73fb7b420c270784d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36918 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36918", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check bloom filter map value size\n\nThis patch adds a missing check to bloom filter creating, rejecting\nvalues above KMALLOC_MAX_SIZE. This brings the bloom map in line with\nmany other map types.\n\nThe lack of this protection can cause kernel crashes for value sizes\nthat overflow int's. Such a crash was caught by syzkaller. The next\npatch adds more guard-rails at a lower level.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36918\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36918\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36918\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36918\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36918\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/608e13706c8b6c658a0646f09ebced74ec367f7c\",\n \"https://git.kernel.org/stable/c/a8d89feba7e54e691ca7c4efc2a6264fa83f3687\",\n \"https://git.kernel.org/stable/c/c418afb9bf23e2f2b76cb819601e4a5d9dbab42d\",\n \"https://git.kernel.org/stable/c/fa6995eeb62e74b5a1480c73fb7b420c270784d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Check bloom filter map value size\\n\\nThis patch adds a missing check to bloom filter creating, rejecting\\nvalues above KMALLOC_MAX_SIZE. This brings the bloom map in line with\\nmany other map types.\\n\\nThe lack of this protection can cause kernel crashes for value sizes\\nthat overflow int's. Such a crash was caught by syzkaller. The next\\npatch adds more guard-rails at a lower level.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36918\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36919", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36919" + }, + { + "url": "https://git.kernel.org/stable/c/1150606d47d711d5bfdf329a1a96ed7027085936" + }, + { + "url": "https://git.kernel.org/stable/c/468f3e3c15076338367b0945b041105b67cf31e3" + }, + { + "url": "https://git.kernel.org/stable/c/93aa5ccc44781bdfef1bf0bc4c2c292d45251312" + }, + { + "url": "https://git.kernel.org/stable/c/acd370c1fb86b7302c1cbb354a7c1cd9953768eb" + }, + { + "url": "https://git.kernel.org/stable/c/ad498539dda0816aadef384ec117bfea304c75c3" + }, + { + "url": "https://git.kernel.org/stable/c/c214ed2a4dda35b308b0b28eed804d7ae66401f9" + }, + { + "url": "https://git.kernel.org/stable/c/c885ab23206b1f1ba0731ffe7c9455c6a91db256" + }, + { + "url": "https://git.kernel.org/stable/c/ea50941cd8c9f0b12f38b73d3b1bfeca660dd342" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36919 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36919", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\n\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won't be used any longer. The offload and upload\ncalls are sequential, hence lock is not required.\n\nThis will suppress following BUG_ON():\n\n[ 449.843143] ------------[ cut here ]------------\n[ 449.848302] kernel BUG at mm/vmalloc.c:2727!\n[ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[ 449.882910] RIP: 0010:vunmap+0x2e/0x30\n[ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 449.993028] Call Trace:\n[ 449.995756] __iommu_dma_free+0x96/0x100\n[ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[ 450.018136] fc_rport_work+0x103/0x5b0 [libfc]\n[ 450.023103] process_one_work+0x1e8/0x3c0\n[ 450.027581] worker_thread+0x50/0x3b0\n[ 450.031669] ? rescuer_thread+0x370/0x370\n[ 450.036143] kthread+0x149/0x170\n[ 450.039744] ? set_kthread_struct+0x40/0x40\n[ 450.044411] ret_from_fork+0x22/0x30\n[ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[ 450.159753] ---[ end trace 712de2c57c64abc8 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36919\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36919\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36919\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36919\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36919\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1150606d47d711d5bfdf329a1a96ed7027085936\",\n \"https://git.kernel.org/stable/c/468f3e3c15076338367b0945b041105b67cf31e3\",\n \"https://git.kernel.org/stable/c/93aa5ccc44781bdfef1bf0bc4c2c292d45251312\",\n \"https://git.kernel.org/stable/c/acd370c1fb86b7302c1cbb354a7c1cd9953768eb\",\n \"https://git.kernel.org/stable/c/ad498539dda0816aadef384ec117bfea304c75c3\",\n \"https://git.kernel.org/stable/c/c214ed2a4dda35b308b0b28eed804d7ae66401f9\",\n \"https://git.kernel.org/stable/c/c885ab23206b1f1ba0731ffe7c9455c6a91db256\",\n \"https://git.kernel.org/stable/c/ea50941cd8c9f0b12f38b73d3b1bfeca660dd342\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\\n\\nThe session resources are used by FW and driver when session is offloaded,\\nonce session is uploaded these resources are not used. The lock is not\\nrequired as these fields won't be used any longer. The offload and upload\\ncalls are sequential, hence lock is not required.\\n\\nThis will suppress following BUG_ON():\\n\\n[ 449.843143] ------------[ cut here ]------------\\n[ 449.848302] kernel BUG at mm/vmalloc.c:2727!\\n[ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\\n[ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\\nRebooting.\\n[ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\\n[ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\\n[ 449.882910] RIP: 0010:vunmap+0x2e/0x30\\n[ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\\n[ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\\n[ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\\n[ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\\n[ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\\n[ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\\n[ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\\n[ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\\n[ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\\n[ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 449.993028] Call Trace:\\n[ 449.995756] __iommu_dma_free+0x96/0x100\\n[ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\\n[ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc]\\n[ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\\n[ 450.018136] fc_rport_work+0x103/0x5b0 [libfc]\\n[ 450.023103] process_one_work+0x1e8/0x3c0\\n[ 450.027581] worker_thread+0x50/0x3b0\\n[ 450.031669] ? rescuer_thread+0x370/0x370\\n[ 450.036143] kthread+0x149/0x170\\n[ 450.039744] ? set_kthread_struct+0x40/0x40\\n[ 450.044411] ret_from_fork+0x22/0x30\\n[ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\\n[ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\\n[ 450.159753] ---[ end trace 712de2c57c64abc8 ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36919\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36920", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36920" + }, + { + "url": "https://git.kernel.org/stable/c/429846b4b6ce9853e0d803a2357bb2e55083adf0" + }, + { + "url": "https://git.kernel.org/stable/c/4d2772324f43cf5674ac3dbe3f74a7e656396716" + }, + { + "url": "https://git.kernel.org/stable/c/5f0266044dc611563539705bff0b3e1545fbb6aa" + }, + { + "url": "https://git.kernel.org/stable/c/f09318244c6cafd10aca741b9c01e0a2c362d43a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36920 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36920", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Avoid memcpy field-spanning write WARNING\n\nWhen the \"storcli2 show\" command is executed for eHBA-9600, mpi3mr driver\nprints this WARNING message:\n\n memcpy: detected field-spanning write (size 128) of single field \"bsg_reply_buf->reply_buf\" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1)\n WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]\n\nThe cause of the WARN is 128 bytes memcpy to the 1 byte size array \"__u8\nreplay_buf[1]\" in the struct mpi3mr_bsg_in_reply_buf. The array is intended\nto be a flexible length array, so the WARN is a false positive.\n\nTo suppress the WARN, remove the constant number '1' from the array\ndeclaration and clarify that it has flexible length. Also, adjust the\nmemory allocation size to match the change.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36920\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36920\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36920\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36920\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36920\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/429846b4b6ce9853e0d803a2357bb2e55083adf0\",\n \"https://git.kernel.org/stable/c/4d2772324f43cf5674ac3dbe3f74a7e656396716\",\n \"https://git.kernel.org/stable/c/5f0266044dc611563539705bff0b3e1545fbb6aa\",\n \"https://git.kernel.org/stable/c/f09318244c6cafd10aca741b9c01e0a2c362d43a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: mpi3mr: Avoid memcpy field-spanning write WARNING\\n\\nWhen the \\\"storcli2 show\\\" command is executed for eHBA-9600, mpi3mr driver\\nprints this WARNING message:\\n\\n memcpy: detected field-spanning write (size 128) of single field \\\"bsg_reply_buf->reply_buf\\\" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1)\\n WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]\\n\\nThe cause of the WARN is 128 bytes memcpy to the 1 byte size array \\\"__u8\\nreplay_buf[1]\\\" in the struct mpi3mr_bsg_in_reply_buf. The array is intended\\nto be a flexible length array, so the WARN is a false positive.\\n\\nTo suppress the WARN, remove the constant number '1' from the array\\ndeclaration and clarify that it has flexible length. Also, adjust the\\nmemory allocation size to match the change.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36920\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36921", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36921" + }, + { + "url": "https://git.kernel.org/stable/c/17f64517bf5c26af56b6c3566273aad6646c3c4f" + }, + { + "url": "https://git.kernel.org/stable/c/94f80a8ec15e238b78521f20f8afaed60521a294" + }, + { + "url": "https://git.kernel.org/stable/c/fab21d220017daa5fd8a3d788ff25ccfecfaae2f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36921 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36921", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: guard against invalid STA ID on removal\n\nGuard against invalid station IDs in iwl_mvm_mld_rm_sta_id as that would\nresult in out-of-bounds array accesses. This prevents issues should the\ndriver get into a bad state during error handling.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36921\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36921\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36921\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36921\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36921\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17f64517bf5c26af56b6c3566273aad6646c3c4f\",\n \"https://git.kernel.org/stable/c/94f80a8ec15e238b78521f20f8afaed60521a294\",\n \"https://git.kernel.org/stable/c/fab21d220017daa5fd8a3d788ff25ccfecfaae2f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: guard against invalid STA ID on removal\\n\\nGuard against invalid station IDs in iwl_mvm_mld_rm_sta_id as that would\\nresult in out-of-bounds array accesses. This prevents issues should the\\ndriver get into a bad state during error handling.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36921\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36922", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36922" + }, + { + "url": "https://git.kernel.org/stable/c/43d07103df670484cdd26f9588eabef80f69db89" + }, + { + "url": "https://git.kernel.org/stable/c/b83db8e756dec68a950ed2f056248b1704b3deaa" + }, + { + "url": "https://git.kernel.org/stable/c/c2ace6300600c634553657785dfe5ea0ed688ac2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36922 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36922", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: read txq->read_ptr under lock\n\nIf we read txq->read_ptr without lock, we can read the same\nvalue twice, then obtain the lock, and reclaim from there\nto two different places, but crucially reclaim the same\nentry twice, resulting in the WARN_ONCE() a little later.\nFix that by reading txq->read_ptr under lock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36922\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36922\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36922\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36922\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36922\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/43d07103df670484cdd26f9588eabef80f69db89\",\n \"https://git.kernel.org/stable/c/b83db8e756dec68a950ed2f056248b1704b3deaa\",\n \"https://git.kernel.org/stable/c/c2ace6300600c634553657785dfe5ea0ed688ac2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: read txq->read_ptr under lock\\n\\nIf we read txq->read_ptr without lock, we can read the same\\nvalue twice, then obtain the lock, and reclaim from there\\nto two different places, but crucially reclaim the same\\nentry twice, resulting in the WARN_ONCE() a little later.\\nFix that by reading txq->read_ptr under lock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36922\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36923", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36923" + }, + { + "url": "https://git.kernel.org/stable/c/1b4cb6e91f19b81217ad98142ee53a1ab25893fd" + }, + { + "url": "https://git.kernel.org/stable/c/6630036b7c228f57c7893ee0403e92c2db2cd21d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36923 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36923", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: fix uninitialized values during inode evict\n\nIf an iget fails due to not being able to retrieve information\nfrom the server then the inode structure is only partially\ninitialized. When the inode gets evicted, references to\nuninitialized structures (like fscache cookies) were being\nmade.\n\nThis patch checks for a bad_inode before doing anything other\nthan clearing the inode from the cache. Since the inode is\nbad, it shouldn't have any state associated with it that needs\nto be written back (and there really isn't a way to complete\nthose anyways).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36923\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36923\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36923\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36923\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36923\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b4cb6e91f19b81217ad98142ee53a1ab25893fd\",\n \"https://git.kernel.org/stable/c/6630036b7c228f57c7893ee0403e92c2db2cd21d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/9p: fix uninitialized values during inode evict\\n\\nIf an iget fails due to not being able to retrieve information\\nfrom the server then the inode structure is only partially\\ninitialized. When the inode gets evicted, references to\\nuninitialized structures (like fscache cookies) were being\\nmade.\\n\\nThis patch checks for a bad_inode before doing anything other\\nthan clearing the inode from the cache. Since the inode is\\nbad, it shouldn't have any state associated with it that needs\\nto be written back (and there really isn't a way to complete\\nthose anyways).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36923\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36924", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36924" + }, + { + "url": "https://git.kernel.org/stable/c/6503c39398506cadda9f4c81695a9655ca5fb4fd" + }, + { + "url": "https://git.kernel.org/stable/c/ded20192dff31c91cef2a04f7e20e60e9bb887d3" + }, + { + "url": "https://git.kernel.org/stable/c/e8bf2c05e8ad68e90f9d5889a9e4ef3f6fe00683" + }, + { + "url": "https://git.kernel.org/stable/c/ee833d7e62de2b84ed1332d501b67f12e7e5678f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36924 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36924", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\n\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\nhbalock. Thus, lpfc_worker_wake_up() should not be called while holding the\nhbalock to avoid potential deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36924\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36924\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36924\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36924\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36924\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6503c39398506cadda9f4c81695a9655ca5fb4fd\",\n \"https://git.kernel.org/stable/c/ded20192dff31c91cef2a04f7e20e60e9bb887d3\",\n \"https://git.kernel.org/stable/c/e8bf2c05e8ad68e90f9d5889a9e4ef3f6fe00683\",\n \"https://git.kernel.org/stable/c/ee833d7e62de2b84ed1332d501b67f12e7e5678f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\\n\\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\\nhbalock. Thus, lpfc_worker_wake_up() should not be called while holding the\\nhbalock to avoid potential deadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36924\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36927", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36927" + }, + { + "url": "https://git.kernel.org/stable/c/5db08343ddb1b239320612036c398e4e1bb52818" + }, + { + "url": "https://git.kernel.org/stable/c/f5c603ad4e6fcf42f84053e882ebe20184bb309e" + }, + { + "url": "https://git.kernel.org/stable/c/fc1092f51567277509563800a3c56732070b6aa4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36927 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36927", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix uninit-value access in __ip_make_skb()\n\nKMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()\ntests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a\nrace condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL\nwhile __ip_make_skb() is running, the function will access icmphdr in the\nskb even if it is not included. This causes the issue reported by KMSAN.\n\nCheck FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL\non the socket.\n\nAlso, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These\nare union in struct flowi4 and are implicitly initialized by\nflowi4_init_output(), but we should not rely on specific union layout.\n\nInitialize these explicitly in raw_sendmsg().\n\n[1]\nBUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n ip_finish_skb include/net/ip.h:243 [inline]\n ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508\n raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128\n ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365\n raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36927\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36927\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36927\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36927\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36927\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5db08343ddb1b239320612036c398e4e1bb52818\",\n \"https://git.kernel.org/stable/c/f5c603ad4e6fcf42f84053e882ebe20184bb309e\",\n \"https://git.kernel.org/stable/c/fc1092f51567277509563800a3c56732070b6aa4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv4: Fix uninit-value access in __ip_make_skb()\\n\\nKMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()\\ntests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a\\nrace condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL\\nwhile __ip_make_skb() is running, the function will access icmphdr in the\\nskb even if it is not included. This causes the issue reported by KMSAN.\\n\\nCheck FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL\\non the socket.\\n\\nAlso, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These\\nare union in struct flowi4 and are implicitly initialized by\\nflowi4_init_output(), but we should not rely on specific union layout.\\n\\nInitialize these explicitly in raw_sendmsg().\\n\\n[1]\\nBUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\\n __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\\n ip_finish_skb include/net/ip.h:243 [inline]\\n ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508\\n raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654\\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\\n __do_sys_sendto net/socket.c:2203 [inline]\\n __se_sys_sendto net/socket.c:2199 [inline]\\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3804 [inline]\\n slab_alloc_node mm/slub.c:3845 [inline]\\n kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888\\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577\\n __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668\\n alloc_skb include/linux/skbuff.h:1318 [inline]\\n __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128\\n ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365\\n raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648\\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\\n __do_sys_sendto net/socket.c:2203 [inline]\\n __se_sys_sendto net/socket.c:2199 [inline]\\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nCPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36927\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36928", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36928" + }, + { + "url": "https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6" + }, + { + "url": "https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524" + }, + { + "url": "https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494" + }, + { + "url": "https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3" + }, + { + "url": "https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36928 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36928", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: Fix kernel panic after setting hsuid\n\nSymptom:\nWhen the hsuid attribute is set for the first time on an IQD Layer3\ndevice while the corresponding network interface is already UP,\nthe kernel will try to execute a napi function pointer that is NULL.\n\nExample:\n---------------------------------------------------------------------------\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\n qdio ccwgroup pkey zcrypt\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\n[ 2057.572748] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\n[ 2057.572754] 00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\n[ 2057.572756] 000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\n[ 2057.572758] 00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\n[ 2057.572762] Krnl Code:#0000000000000000: 0000 illegal\n >0000000000000002: 0000 illegal\n 0000000000000004: 0000 illegal\n 0000000000000006: 0000 illegal\n 0000000000000008: 0000 illegal\n 000000000000000a: 0000 illegal\n 000000000000000c: 0000 illegal\n 000000000000000e: 0000 illegal\n[ 2057.572800] Call Trace:\n[ 2057.572801] ([<00000000ec639700>] 0xec639700)\n[ 2057.572803] [<00000000913183e2>] net_rx_action+0x2ba/0x398\n[ 2057.572809] [<0000000091515f76>] __do_softirq+0x11e/0x3a0\n[ 2057.572813] [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58\n[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)\n[ 2057.572822] [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98\n[ 2057.572825] [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70\n[ 2057.572827] [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]\n[ 2057.572830] [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]\n[ 2057.572833] [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]\n[ 2057.572835] [<00000000912e7e90>] __sys_connect+0xa0/0xd8\n[ 2057.572839] [<00000000912e9580>] sys_socketcall+0x228/0x348\n[ 2057.572841] [<0000000091514e1a>] system_call+0x2a6/0x2c8\n[ 2057.572843] Last Breaking-Event-Address:\n[ 2057.572844] [<0000000091317e44>] __napi_poll+0x4c/0x1d8\n[ 2057.572846]\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\n-------------------------------------------------------------------------------------------\n\nAnalysis:\nThere is one napi structure per out_q: card->qdio.out_qs[i].napi\nThe napi.poll functions are set during qeth_open().\n\nSince\ncommit 1cfef80d4c2b (\"s390/qeth: Don't call dev_close/dev_open (DOWN/UP)\")\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\ndev_open(). So if qeth_free_qdio_queues() cleared\ncard->qdio.out_qs[i].napi.poll while the network interface was UP and the\ncard was offline, they are not set again.\n\nReproduction:\nchzdev -e $devno layer2=0\nip link set dev $network_interface up\necho 0 > /sys/bus/ccw\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36928\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36928\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6\",\n \"https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524\",\n \"https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494\",\n \"https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3\",\n \"https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/qeth: Fix kernel panic after setting hsuid\\n\\nSymptom:\\nWhen the hsuid attribute is set for the first time on an IQD Layer3\\ndevice while the corresponding network interface is already UP,\\nthe kernel will try to execute a napi function pointer that is NULL.\\n\\nExample:\\n---------------------------------------------------------------------------\\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\\n qdio ccwgroup pkey zcrypt\\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\\n[ 2057.572748] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\\n[ 2057.572754] 00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\\n[ 2057.572756] 000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\\n[ 2057.572758] 00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\\n[ 2057.572762] Krnl Code:#0000000000000000: 0000 illegal\\n >0000000000000002: 0000 illegal\\n 0000000000000004: 0000 illegal\\n 0000000000000006: 0000 illegal\\n 0000000000000008: 0000 illegal\\n 000000000000000a: 0000 illegal\\n 000000000000000c: 0000 illegal\\n 000000000000000e: 0000 illegal\\n[ 2057.572800] Call Trace:\\n[ 2057.572801] ([<00000000ec639700>] 0xec639700)\\n[ 2057.572803] [<00000000913183e2>] net_rx_action+0x2ba/0x398\\n[ 2057.572809] [<0000000091515f76>] __do_softirq+0x11e/0x3a0\\n[ 2057.572813] [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58\\n[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)\\n[ 2057.572822] [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98\\n[ 2057.572825] [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70\\n[ 2057.572827] [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]\\n[ 2057.572830] [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]\\n[ 2057.572833] [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]\\n[ 2057.572835] [<00000000912e7e90>] __sys_connect+0xa0/0xd8\\n[ 2057.572839] [<00000000912e9580>] sys_socketcall+0x228/0x348\\n[ 2057.572841] [<0000000091514e1a>] system_call+0x2a6/0x2c8\\n[ 2057.572843] Last Breaking-Event-Address:\\n[ 2057.572844] [<0000000091317e44>] __napi_poll+0x4c/0x1d8\\n[ 2057.572846]\\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\\n-------------------------------------------------------------------------------------------\\n\\nAnalysis:\\nThere is one napi structure per out_q: card->qdio.out_qs[i].napi\\nThe napi.poll functions are set during qeth_open().\\n\\nSince\\ncommit 1cfef80d4c2b (\\\"s390/qeth: Don't call dev_close/dev_open (DOWN/UP)\\\")\\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\\ndev_open(). So if qeth_free_qdio_queues() cleared\\ncard->qdio.out_qs[i].napi.poll while the network interface was UP and the\\ncard was offline, they are not set again.\\n\\nReproduction:\\nchzdev -e $devno layer2=0\\nip link set dev $network_interface up\\necho 0 > /sys/bus/ccw\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36928\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36929", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36929" + }, + { + "url": "https://git.kernel.org/stable/c/989bf6fd1e1d058e73a364dce1a0c53d33373f62" + }, + { + "url": "https://git.kernel.org/stable/c/aea5e2669c2863fdd8679c40ee310b3bcaa85aec" + }, + { + "url": "https://git.kernel.org/stable/c/c7af99cc21923a9650533c9d77265c8dd683a533" + }, + { + "url": "https://git.kernel.org/stable/c/cfe34d86ef9765c388f145039006bb79b6c81ac6" + }, + { + "url": "https://git.kernel.org/stable/c/d091e579b864fa790dd6a0cd537a22c383126681" + }, + { + "url": "https://git.kernel.org/stable/c/faa83a7797f06cefed86731ba4baa3b4dfdc06c1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36929", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\n\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\ninvalid. Return NULL if such an skb is passed to skb_copy or\nskb_copy_expand, in order to prevent a crash on a potential later\ncall to skb_gso_segment.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/989bf6fd1e1d058e73a364dce1a0c53d33373f62\",\n \"https://git.kernel.org/stable/c/aea5e2669c2863fdd8679c40ee310b3bcaa85aec\",\n \"https://git.kernel.org/stable/c/c7af99cc21923a9650533c9d77265c8dd683a533\",\n \"https://git.kernel.org/stable/c/cfe34d86ef9765c388f145039006bb79b6c81ac6\",\n \"https://git.kernel.org/stable/c/d091e579b864fa790dd6a0cd537a22c383126681\",\n \"https://git.kernel.org/stable/c/faa83a7797f06cefed86731ba4baa3b4dfdc06c1\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\\n\\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\\ninvalid. Return NULL if such an skb is passed to skb_copy or\\nskb_copy_expand, in order to prevent a crash on a potential later\\ncall to skb_gso_segment.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36931", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36931" + }, + { + "url": "https://git.kernel.org/stable/c/06759ebaf75c19c87b2453a5e130e9e61e9b5d65" + }, + { + "url": "https://git.kernel.org/stable/c/10452edd175fcc4fd0f5ac782ed2a002e3e5d65c" + }, + { + "url": "https://git.kernel.org/stable/c/84b38f48836662c4bfae646c014f4e981e16a2b2" + }, + { + "url": "https://git.kernel.org/stable/c/c9d48ce163305595ae20aee27774192476d5e6a5" + }, + { + "url": "https://git.kernel.org/stable/c/da7c622cddd4fe36be69ca61e8c42e43cde94784" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36931", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a lbuf-sized kernel buffer and copy lbuf from\nuserspace to that buffer. Later, we use scanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using scanf. Fix this issue by using memdup_user_nul instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06759ebaf75c19c87b2453a5e130e9e61e9b5d65\",\n \"https://git.kernel.org/stable/c/10452edd175fcc4fd0f5ac782ed2a002e3e5d65c\",\n \"https://git.kernel.org/stable/c/84b38f48836662c4bfae646c014f4e981e16a2b2\",\n \"https://git.kernel.org/stable/c/c9d48ce163305595ae20aee27774192476d5e6a5\",\n \"https://git.kernel.org/stable/c/da7c622cddd4fe36be69ca61e8c42e43cde94784\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/cio: Ensure the copied buf is NUL terminated\\n\\nCurrently, we allocate a lbuf-sized kernel buffer and copy lbuf from\\nuserspace to that buffer. Later, we use scanf on this buffer but we don't\\nensure that the string is terminated inside the buffer, this can lead to\\nOOB read when using scanf. Fix this issue by using memdup_user_nul instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36933", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36933" + }, + { + "url": "https://git.kernel.org/stable/c/29a07f2ee4d273760c2acbfc756e29eccd82470a" + }, + { + "url": "https://git.kernel.org/stable/c/37ed6f244ec5bda2e90b085084e322ea55d0aaa2" + }, + { + "url": "https://git.kernel.org/stable/c/46134031c20fd313d03b90169d64b2e05ca6b65c" + }, + { + "url": "https://git.kernel.org/stable/c/4b911a9690d72641879ea6d13cce1de31d346d79" + }, + { + "url": "https://git.kernel.org/stable/c/5a4603fbc285752d19e4b415466db18ef3617e4a" + }, + { + "url": "https://git.kernel.org/stable/c/696d18bb59727a2e0526c0802a812620be1c9340" + }, + { + "url": "https://git.kernel.org/stable/c/a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9" + }, + { + "url": "https://git.kernel.org/stable/c/bbccf0caef2fa917d6d0692385a06ce3c262a216" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36933 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36933", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().\n\nsyzbot triggered various splats (see [0] and links) by a crafted GSO\npacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:\n\n ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP\n\nNSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner\nprotocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls\nskb_mac_gso_segment() to invoke inner protocol GSO handlers.\n\nnsh_gso_segment() does the following for the original skb before\ncalling skb_mac_gso_segment()\n\n 1. reset skb->network_header\n 2. save the original skb->{mac_heaeder,mac_len} in a local variable\n 3. pull the NSH header\n 4. resets skb->mac_header\n 5. set up skb->mac_len and skb->protocol for the inner protocol.\n\nand does the following for the segmented skb\n\n 6. set ntohs(ETH_P_NSH) to skb->protocol\n 7. push the NSH header\n 8. restore skb->mac_header\n 9. set skb->mac_header + mac_len to skb->network_header\n 10. restore skb->mac_len\n\nThere are two problems in 6-7 and 8-9.\n\n (a)\n After 6 & 7, skb->data points to the NSH header, so the outer header\n (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.\n\n Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),\n skb_pull() in the first nsh_gso_segment() will make skb->data point\n to the middle of the outer NSH or Ethernet header because the Ethernet\n header is not pulled by the second nsh_gso_segment().\n\n (b)\n While restoring skb->{mac_header,network_header} in 8 & 9,\n nsh_gso_segment() does not assume that the data in the linear\n buffer is shifted.\n\n However, udp6_ufo_fragment() could shift the data and change\n skb->mac_header accordingly as demonstrated by syzbot.\n\n If this happens, even the restored skb->mac_header points to\n the middle of the outer header.\n\nIt seems nsh_gso_segment() has never worked with outer headers so far.\n\nAt the end of nsh_gso_segment(), the outer header must be restored for\nthe segmented skb, instead of the NSH header.\n\nTo do that, let's calculate the outer header position relatively from\nthe inner header and set skb->{data,mac_header,protocol} properly.\n\n[0]:\nBUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\nBUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\nBUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222\n __netdev_start_xmit include/linux/netdevice.h:4989 [inline]\n netdev_start_xmit include/linux/netdevice.h:5003 [inline]\n xmit_one net/core/dev.c:3547 [inline]\n dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563\n __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3819 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n __do_kmalloc_node mm/slub.c:3980 [inline]\n __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001\n kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\n __\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36933\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36933\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36933\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36933\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36933\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29a07f2ee4d273760c2acbfc756e29eccd82470a\",\n \"https://git.kernel.org/stable/c/37ed6f244ec5bda2e90b085084e322ea55d0aaa2\",\n \"https://git.kernel.org/stable/c/46134031c20fd313d03b90169d64b2e05ca6b65c\",\n \"https://git.kernel.org/stable/c/4b911a9690d72641879ea6d13cce1de31d346d79\",\n \"https://git.kernel.org/stable/c/5a4603fbc285752d19e4b415466db18ef3617e4a\",\n \"https://git.kernel.org/stable/c/696d18bb59727a2e0526c0802a812620be1c9340\",\n \"https://git.kernel.org/stable/c/a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9\",\n \"https://git.kernel.org/stable/c/bbccf0caef2fa917d6d0692385a06ce3c262a216\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().\\n\\nsyzbot triggered various splats (see [0] and links) by a crafted GSO\\npacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:\\n\\n ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP\\n\\nNSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner\\nprotocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls\\nskb_mac_gso_segment() to invoke inner protocol GSO handlers.\\n\\nnsh_gso_segment() does the following for the original skb before\\ncalling skb_mac_gso_segment()\\n\\n 1. reset skb->network_header\\n 2. save the original skb->{mac_heaeder,mac_len} in a local variable\\n 3. pull the NSH header\\n 4. resets skb->mac_header\\n 5. set up skb->mac_len and skb->protocol for the inner protocol.\\n\\nand does the following for the segmented skb\\n\\n 6. set ntohs(ETH_P_NSH) to skb->protocol\\n 7. push the NSH header\\n 8. restore skb->mac_header\\n 9. set skb->mac_header + mac_len to skb->network_header\\n 10. restore skb->mac_len\\n\\nThere are two problems in 6-7 and 8-9.\\n\\n (a)\\n After 6 & 7, skb->data points to the NSH header, so the outer header\\n (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.\\n\\n Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),\\n skb_pull() in the first nsh_gso_segment() will make skb->data point\\n to the middle of the outer NSH or Ethernet header because the Ethernet\\n header is not pulled by the second nsh_gso_segment().\\n\\n (b)\\n While restoring skb->{mac_header,network_header} in 8 & 9,\\n nsh_gso_segment() does not assume that the data in the linear\\n buffer is shifted.\\n\\n However, udp6_ufo_fragment() could shift the data and change\\n skb->mac_header accordingly as demonstrated by syzbot.\\n\\n If this happens, even the restored skb->mac_header points to\\n the middle of the outer header.\\n\\nIt seems nsh_gso_segment() has never worked with outer headers so far.\\n\\nAt the end of nsh_gso_segment(), the outer header must be restored for\\nthe segmented skb, instead of the NSH header.\\n\\nTo do that, let's calculate the outer header position relatively from\\nthe inner header and set skb->{data,mac_header,protocol} properly.\\n\\n[0]:\\nBUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\\nBUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\\nBUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\\n ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\\n ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222\\n __netdev_start_xmit include/linux/netdevice.h:4989 [inline]\\n netdev_start_xmit include/linux/netdevice.h:5003 [inline]\\n xmit_one net/core/dev.c:3547 [inline]\\n dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563\\n __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351\\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\\n packet_snd net/packet/af_packet.c:3081 [inline]\\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg net/socket.c:745 [inline]\\n __sys_sendto+0x735/0xa10 net/socket.c:2191\\n __do_sys_sendto net/socket.c:2203 [inline]\\n __se_sys_sendto net/socket.c:2199 [inline]\\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3819 [inline]\\n slab_alloc_node mm/slub.c:3860 [inline]\\n __do_kmalloc_node mm/slub.c:3980 [inline]\\n __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001\\n kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\\n __\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36933\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36934", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36934" + }, + { + "url": "https://git.kernel.org/stable/c/06cb37e2ba6441888f24566a997481d4197b4e32" + }, + { + "url": "https://git.kernel.org/stable/c/0f560240b4cc25d3de527deb257cdf072c0102a9" + }, + { + "url": "https://git.kernel.org/stable/c/1518b2b498a0109eb6b15755169d3b6607356b35" + }, + { + "url": "https://git.kernel.org/stable/c/6f0f19b79c085cc891c418b768f26f7004bd51a4" + }, + { + "url": "https://git.kernel.org/stable/c/80578ec10335bc15ac35fd1703c22aab34e39fdd" + }, + { + "url": "https://git.kernel.org/stable/c/8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f" + }, + { + "url": "https://git.kernel.org/stable/c/bd502ba81cd1d515deddad7dbc6b812b14b97147" + }, + { + "url": "https://git.kernel.org/stable/c/e19478763154674c084defc62ae0d64d79657f91" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36934", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbna: ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul\ninstead of memdup_user.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06cb37e2ba6441888f24566a997481d4197b4e32\",\n \"https://git.kernel.org/stable/c/0f560240b4cc25d3de527deb257cdf072c0102a9\",\n \"https://git.kernel.org/stable/c/1518b2b498a0109eb6b15755169d3b6607356b35\",\n \"https://git.kernel.org/stable/c/6f0f19b79c085cc891c418b768f26f7004bd51a4\",\n \"https://git.kernel.org/stable/c/80578ec10335bc15ac35fd1703c22aab34e39fdd\",\n \"https://git.kernel.org/stable/c/8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f\",\n \"https://git.kernel.org/stable/c/bd502ba81cd1d515deddad7dbc6b812b14b97147\",\n \"https://git.kernel.org/stable/c/e19478763154674c084defc62ae0d64d79657f91\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbna: ensure the copied buf is NUL terminated\\n\\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\\nensure that the string is terminated inside the buffer, this can lead to\\nOOB read when using sscanf. Fix this issue by using memdup_user_nul\\ninstead of memdup_user.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36937", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36937" + }, + { + "url": "https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e" + }, + { + "url": "https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc" + }, + { + "url": "https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c" + }, + { + "url": "https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553" + }, + { + "url": "https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36937 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36937", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: use flags field to disambiguate broadcast redirect\n\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\nup the redirect destination information in struct bpf_redirect_info (using\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\nfunction will read this information after the XDP program returns and pass\nthe frame on to the right redirect destination.\n\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\nbpf_redirect_info to point to the destination map to be broadcast. And\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\nit's dealing with a broadcast or a single-value redirect. However, if the\ndestination map is being destroyed before xdp_do_redirect() is called, the\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\nto think that the redirect was to a single target, but the target pointer\nis also NULL (since broadcast redirects don't have a single target), so\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\n\nTo fix this, change xdp_do_redirect() to react directly to the presence of\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\nto disambiguate between a single-target and a broadcast redirect. And only\nread the 'map' pointer if the broadcast flag is set, aborting if that has\nbeen cleared out in the meantime. This prevents the crash, while keeping\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\nadding any more checks in the non-broadcast fast path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36937\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36937\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36937\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36937\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36937\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e\",\n \"https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc\",\n \"https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c\",\n \"https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553\",\n \"https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxdp: use flags field to disambiguate broadcast redirect\\n\\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\\nup the redirect destination information in struct bpf_redirect_info (using\\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\\nfunction will read this information after the XDP program returns and pass\\nthe frame on to the right redirect destination.\\n\\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\\nbpf_redirect_info to point to the destination map to be broadcast. And\\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\\nit's dealing with a broadcast or a single-value redirect. However, if the\\ndestination map is being destroyed before xdp_do_redirect() is called, the\\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\\nto think that the redirect was to a single target, but the target pointer\\nis also NULL (since broadcast redirects don't have a single target), so\\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\\n\\nTo fix this, change xdp_do_redirect() to react directly to the presence of\\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\\nto disambiguate between a single-target and a broadcast redirect. And only\\nread the 'map' pointer if the broadcast flag is set, aborting if that has\\nbeen cleared out in the meantime. This prevents the crash, while keeping\\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\\nadding any more checks in the non-broadcast fast path.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36937\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36938", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36938" + }, + { + "url": "https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27" + }, + { + "url": "https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d" + }, + { + "url": "https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365" + }, + { + "url": "https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80" + }, + { + "url": "https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87" + }, + { + "url": "https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36938 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36938", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\n\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\nsyzbot reported [1].\n\n[1]\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\n\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\n sk_psock_put include/linux/skmsg.h:459 [inline]\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0x68/0x150 net/socket.c:1421\n __fput+0x2c1/0x660 fs/file_table.c:422\n __fput_sync+0x44/0x60 fs/file_table.c:507\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\n unix_read_skb net/unix/af_unix.c:2546 [inline]\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x140/0x180 net/socket.c:745\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nvalue changed: 0xffffffff83d7feb0 -> 0x0000000000000000\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\n\nPrior to this, commit 4cd12c6065df (\"bpf, sockmap: Fix NULL pointer\ndereference in sk_psock_verdict_data_ready()\") fixed one NULL pointer\nsimilarly due to no protection of saved_data_ready. Here is another\ndifferent caller causing the same issue because of the same reason. So\nwe should protect it with sk_callback_lock read lock because the writer\nside in the sk_psock_drop() uses \"write_lock_bh(&sk->sk_callback_lock);\".\n\nTo avoid errors that could happen in future, I move those two pairs of\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36938\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36938\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36938\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36938\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36938\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27\",\n \"https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d\",\n \"https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365\",\n \"https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80\",\n \"https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87\",\n \"https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\\n\\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\\nsyzbot reported [1].\\n\\n[1]\\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\\n\\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\\n sk_psock_put include/linux/skmsg.h:459 [inline]\\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\\n __sock_release net/socket.c:659 [inline]\\n sock_close+0x68/0x150 net/socket.c:1421\\n __fput+0x2c1/0x660 fs/file_table.c:422\\n __fput_sync+0x44/0x60 fs/file_table.c:507\\n __do_sys_close fs/open.c:1556 [inline]\\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\\n do_syscall_64+0xd3/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\\n unix_read_skb net/unix/af_unix.c:2546 [inline]\\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x140/0x180 net/socket.c:745\\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\\n ___sys_sendmsg net/socket.c:2638 [inline]\\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\\n __do_sys_sendmsg net/socket.c:2676 [inline]\\n __se_sys_sendmsg net/socket.c:2674 [inline]\\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\\n do_syscall_64+0xd3/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nvalue changed: 0xffffffff83d7feb0 -> 0x0000000000000000\\n\\nReported by Kernel Concurrency Sanitizer on:\\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\\n\\nPrior to this, commit 4cd12c6065df (\\\"bpf, sockmap: Fix NULL pointer\\ndereference in sk_psock_verdict_data_ready()\\\") fixed one NULL pointer\\nsimilarly due to no protection of saved_data_ready. Here is another\\ndifferent caller causing the same issue because of the same reason. So\\nwe should protect it with sk_callback_lock read lock because the writer\\nside in the sk_psock_drop() uses \\\"write_lock_bh(&sk->sk_callback_lock);\\\".\\n\\nTo avoid errors that could happen in future, I move those two pairs of\\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36938\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36939", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36939" + }, + { + "url": "https://git.kernel.org/stable/c/24457f1be29f1e7042e50a7749f5c2dde8c433c8" + }, + { + "url": "https://git.kernel.org/stable/c/8a1f89c98dcc542dd6d287e573523714702e0f9c" + }, + { + "url": "https://git.kernel.org/stable/c/8ae63bd858691bee0e2a92571f2fbb36a4d86d65" + }, + { + "url": "https://git.kernel.org/stable/c/9909dde2e53a19585212c32fe3eda482b5faaaa3" + }, + { + "url": "https://git.kernel.org/stable/c/b33ca18c3a1190208dfd569c4fa8a2f93084709f" + }, + { + "url": "https://git.kernel.org/stable/c/d4891d817350c67392d4731536945f3809a2a0ba" + }, + { + "url": "https://git.kernel.org/stable/c/ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36939 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36939", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: Handle error of rpc_proc_register() in nfs_net_init().\n\nsyzkaller reported a warning [0] triggered while destroying immature\nnetns.\n\nrpc_proc_register() was called in init_nfs_fs(), but its error\nhas been ignored since at least the initial commit 1da177e4c3f4\n(\"Linux-2.6.12-rc2\").\n\nRecently, commit d47151b79e32 (\"nfs: expose /proc/net/sunrpc/nfs\nin net namespaces\") converted the procfs to per-netns and made\nthe problem more visible.\n\nEven when rpc_proc_register() fails, nfs_net_init() could succeed,\nand thus nfs_net_exit() will be called while destroying the netns.\n\nThen, remove_proc_entry() will be called for non-existing proc\ndirectory and trigger the warning below.\n\nLet's handle the error of rpc_proc_register() properly in nfs_net_init().\n\n[0]:\nname 'nfs'\nWARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nModules linked in:\nCPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nCode: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb\nRSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c\nRDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc\nR13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8\nFS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310\n nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438\n ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170\n setup_net+0x46c/0x660 net/core/net_namespace.c:372\n copy_net_ns+0x244/0x590 net/core/net_namespace.c:505\n create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228\n ksys_unshare+0x342/0x760 kernel/fork.c:3322\n __do_sys_unshare kernel/fork.c:3393 [inline]\n __se_sys_unshare kernel/fork.c:3391 [inline]\n __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x7f30d0febe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002\nR13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36939\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36939\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36939\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36939\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36939\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24457f1be29f1e7042e50a7749f5c2dde8c433c8\",\n \"https://git.kernel.org/stable/c/8a1f89c98dcc542dd6d287e573523714702e0f9c\",\n \"https://git.kernel.org/stable/c/8ae63bd858691bee0e2a92571f2fbb36a4d86d65\",\n \"https://git.kernel.org/stable/c/9909dde2e53a19585212c32fe3eda482b5faaaa3\",\n \"https://git.kernel.org/stable/c/b33ca18c3a1190208dfd569c4fa8a2f93084709f\",\n \"https://git.kernel.org/stable/c/d4891d817350c67392d4731536945f3809a2a0ba\",\n \"https://git.kernel.org/stable/c/ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfs: Handle error of rpc_proc_register() in nfs_net_init().\\n\\nsyzkaller reported a warning [0] triggered while destroying immature\\nnetns.\\n\\nrpc_proc_register() was called in init_nfs_fs(), but its error\\nhas been ignored since at least the initial commit 1da177e4c3f4\\n(\\\"Linux-2.6.12-rc2\\\").\\n\\nRecently, commit d47151b79e32 (\\\"nfs: expose /proc/net/sunrpc/nfs\\nin net namespaces\\\") converted the procfs to per-netns and made\\nthe problem more visible.\\n\\nEven when rpc_proc_register() fails, nfs_net_init() could succeed,\\nand thus nfs_net_exit() will be called while destroying the netns.\\n\\nThen, remove_proc_entry() will be called for non-existing proc\\ndirectory and trigger the warning below.\\n\\nLet's handle the error of rpc_proc_register() properly in nfs_net_init().\\n\\n[0]:\\nname 'nfs'\\nWARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\\nModules linked in:\\nCPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\nRIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\\nCode: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb\\nRSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286\\nRAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c\\nRDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001\\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc\\nR13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8\\nFS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nPKRU: 55555554\\nCall Trace:\\n \\n rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310\\n nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438\\n ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170\\n setup_net+0x46c/0x660 net/core/net_namespace.c:372\\n copy_net_ns+0x244/0x590 net/core/net_namespace.c:505\\n create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110\\n unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228\\n ksys_unshare+0x342/0x760 kernel/fork.c:3322\\n __do_sys_unshare kernel/fork.c:3393 [inline]\\n __se_sys_unshare kernel/fork.c:3391 [inline]\\n __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\\nRIP: 0033:0x7f30d0febe5d\\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\\nRSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d\\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600\\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002\\nR13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36939\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36940", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36940" + }, + { + "url": "https://git.kernel.org/stable/c/288bc4aa75f150d6f1ee82dd43c6da1b438b6068" + }, + { + "url": "https://git.kernel.org/stable/c/41f88ef8ba387a12f4a2b8c400b6c9e8e54b2cca" + }, + { + "url": "https://git.kernel.org/stable/c/5038a66dad0199de60e5671603ea6623eb9e5c79" + }, + { + "url": "https://git.kernel.org/stable/c/558c8039fdf596a584a92c171cbf3298919c448c" + }, + { + "url": "https://git.kernel.org/stable/c/735f4c6b6771eafe336404c157ca683ad72a040d" + }, + { + "url": "https://git.kernel.org/stable/c/ac7d65795827dc0cf7662384ed27caf4066bd72e" + }, + { + "url": "https://git.kernel.org/stable/c/cdaa171473d98962ae86f2a663d398fda2fbeefd" + }, + { + "url": "https://git.kernel.org/stable/c/f9f1e321d53e4c5b666b66e5b43da29841fb55ba" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36940 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36940", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: core: delete incorrect free in pinctrl_enable()\n\nThe \"pctldev\" struct is allocated in devm_pinctrl_register_and_init().\nIt's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),\nso freeing it in pinctrl_enable() will lead to a double free.\n\nThe devm_pinctrl_dev_release() function frees the pindescs and destroys\nthe mutex as well.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36940\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36940\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36940\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36940\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36940\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/288bc4aa75f150d6f1ee82dd43c6da1b438b6068\",\n \"https://git.kernel.org/stable/c/41f88ef8ba387a12f4a2b8c400b6c9e8e54b2cca\",\n \"https://git.kernel.org/stable/c/5038a66dad0199de60e5671603ea6623eb9e5c79\",\n \"https://git.kernel.org/stable/c/558c8039fdf596a584a92c171cbf3298919c448c\",\n \"https://git.kernel.org/stable/c/735f4c6b6771eafe336404c157ca683ad72a040d\",\n \"https://git.kernel.org/stable/c/ac7d65795827dc0cf7662384ed27caf4066bd72e\",\n \"https://git.kernel.org/stable/c/cdaa171473d98962ae86f2a663d398fda2fbeefd\",\n \"https://git.kernel.org/stable/c/f9f1e321d53e4c5b666b66e5b43da29841fb55ba\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npinctrl: core: delete incorrect free in pinctrl_enable()\\n\\nThe \\\"pctldev\\\" struct is allocated in devm_pinctrl_register_and_init().\\nIt's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),\\nso freeing it in pinctrl_enable() will lead to a double free.\\n\\nThe devm_pinctrl_dev_release() function frees the pindescs and destroys\\nthe mutex as well.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36940\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36941", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36941" + }, + { + "url": "https://git.kernel.org/stable/c/244822c09b4f9aedfb5977f03c0deeb39da8ec7d" + }, + { + "url": "https://git.kernel.org/stable/c/327382dc0f16b268950b96e0052595efd80f7b0a" + }, + { + "url": "https://git.kernel.org/stable/c/5a730a161ac2290d46d49be76b2b1aee8d2eb307" + }, + { + "url": "https://git.kernel.org/stable/c/801ea33ae82d6a9d954074fbcf8ea9d18f1543a7" + }, + { + "url": "https://git.kernel.org/stable/c/97792d0611ae2e6fe3ccefb0a94a1d802317c457" + }, + { + "url": "https://git.kernel.org/stable/c/ad12c74e953b68ad85c78adc6408ed8435c64af4" + }, + { + "url": "https://git.kernel.org/stable/c/b0db4caa10f2e4e811cf88744fbf0d074b67ec1f" + }, + { + "url": "https://git.kernel.org/stable/c/f92772a642485394db5c9a17bd0ee73fc6902383" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36941 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36941", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: don't free NULL coalescing rule\n\nIf the parsing fails, we can dereference a NULL pointer here.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36941\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36941\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36941\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36941\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36941\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/244822c09b4f9aedfb5977f03c0deeb39da8ec7d\",\n \"https://git.kernel.org/stable/c/327382dc0f16b268950b96e0052595efd80f7b0a\",\n \"https://git.kernel.org/stable/c/5a730a161ac2290d46d49be76b2b1aee8d2eb307\",\n \"https://git.kernel.org/stable/c/801ea33ae82d6a9d954074fbcf8ea9d18f1543a7\",\n \"https://git.kernel.org/stable/c/97792d0611ae2e6fe3ccefb0a94a1d802317c457\",\n \"https://git.kernel.org/stable/c/ad12c74e953b68ad85c78adc6408ed8435c64af4\",\n \"https://git.kernel.org/stable/c/b0db4caa10f2e4e811cf88744fbf0d074b67ec1f\",\n \"https://git.kernel.org/stable/c/f92772a642485394db5c9a17bd0ee73fc6902383\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: nl80211: don't free NULL coalescing rule\\n\\nIf the parsing fails, we can dereference a NULL pointer here.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36941\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36944", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36944" + }, + { + "url": "https://git.kernel.org/stable/c/148ed8b4d64f94ab079c8f0d88c3f444db97ba97" + }, + { + "url": "https://git.kernel.org/stable/c/3628e0383dd349f02f882e612ab6184e4bb3dc10" + }, + { + "url": "https://git.kernel.org/stable/c/3dfe35d8683daf9ba69278643efbabe40000bbf6" + }, + { + "url": "https://git.kernel.org/stable/c/4a89ac4b0921c4ea21eb1b4cf3a469a91bacfcea" + }, + { + "url": "https://git.kernel.org/stable/c/b548c53bc3ab83dc6fc86c8e840f013b2032267a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36944 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36944", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nReapply \"drm/qxl: simplify qxl_fence_wait\"\n\nThis reverts commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea.\n\nStephen Rostedt reports:\n \"I went to run my tests on my VMs and the tests hung on boot up.\n Unfortunately, the most I ever got out was:\n\n [ 93.607888] Testing event system initcall: OK\n [ 93.667730] Running tests on all trace events:\n [ 93.669757] Testing all events: OK\n [ 95.631064] ------------[ cut here ]------------\n Timed out after 60 seconds\"\n\nand further debugging points to a possible circular locking dependency\nbetween the console_owner locking and the worker pool locking.\n\nReverting the commit allows Steve's VM to boot to completion again.\n\n[ This may obviously result in the \"[TTM] Buffer eviction failed\"\n messages again, which was the reason for that original revert. But at\n this point this seems preferable to a non-booting system... ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36944\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36944\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36944\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36944\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36944\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/148ed8b4d64f94ab079c8f0d88c3f444db97ba97\",\n \"https://git.kernel.org/stable/c/3628e0383dd349f02f882e612ab6184e4bb3dc10\",\n \"https://git.kernel.org/stable/c/3dfe35d8683daf9ba69278643efbabe40000bbf6\",\n \"https://git.kernel.org/stable/c/4a89ac4b0921c4ea21eb1b4cf3a469a91bacfcea\",\n \"https://git.kernel.org/stable/c/b548c53bc3ab83dc6fc86c8e840f013b2032267a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nReapply \\\"drm/qxl: simplify qxl_fence_wait\\\"\\n\\nThis reverts commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea.\\n\\nStephen Rostedt reports:\\n \\\"I went to run my tests on my VMs and the tests hung on boot up.\\n Unfortunately, the most I ever got out was:\\n\\n [ 93.607888] Testing event system initcall: OK\\n [ 93.667730] Running tests on all trace events:\\n [ 93.669757] Testing all events: OK\\n [ 95.631064] ------------[ cut here ]------------\\n Timed out after 60 seconds\\\"\\n\\nand further debugging points to a possible circular locking dependency\\nbetween the console_owner locking and the worker pool locking.\\n\\nReverting the commit allows Steve's VM to boot to completion again.\\n\\n[ This may obviously result in the \\\"[TTM] Buffer eviction failed\\\"\\n messages again, which was the reason for that original revert. But at\\n this point this seems preferable to a non-booting system... ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36944\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36945", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36945" + }, + { + "url": "https://git.kernel.org/stable/c/2ddc0dd7fec86ee53b8928a5cca5fbddd4fc7c06" + }, + { + "url": "https://git.kernel.org/stable/c/5df93c029a907b0ff5a4eeadd77ba06ff0a277d2" + }, + { + "url": "https://git.kernel.org/stable/c/d5a466ab6e78d6f2e0f64435f1e17246c8e941ff" + }, + { + "url": "https://git.kernel.org/stable/c/da91e447d06dc649fcf46e59122e7bf8f0b2e0db" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36945 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36945", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix neighbour and rtable leak in smc_ib_find_route()\n\nIn smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable\nresolved by ip_route_output_flow() are not released or put before return.\nIt may cause the refcount leak, so fix it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36945\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36945\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36945\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36945\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36945\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ddc0dd7fec86ee53b8928a5cca5fbddd4fc7c06\",\n \"https://git.kernel.org/stable/c/5df93c029a907b0ff5a4eeadd77ba06ff0a277d2\",\n \"https://git.kernel.org/stable/c/d5a466ab6e78d6f2e0f64435f1e17246c8e941ff\",\n \"https://git.kernel.org/stable/c/da91e447d06dc649fcf46e59122e7bf8f0b2e0db\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/smc: fix neighbour and rtable leak in smc_ib_find_route()\\n\\nIn smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable\\nresolved by ip_route_output_flow() are not released or put before return.\\nIt may cause the refcount leak, so fix it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36945\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36946", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36946" + }, + { + "url": "https://git.kernel.org/stable/c/4ff334cade9dae50e4be387f71e94fae634aa9b4" + }, + { + "url": "https://git.kernel.org/stable/c/728a83160f98ee6b60df0d890141b9b7240182fe" + }, + { + "url": "https://git.kernel.org/stable/c/9a77226440008cf04ba68faf641a2d50f4998137" + }, + { + "url": "https://git.kernel.org/stable/c/d8cac8568618dcb8a51af3db1103e8d4cc4aeea7" + }, + { + "url": "https://git.kernel.org/stable/c/dc6beac059f0331de97155a89d84058d4a9e49c7" + }, + { + "url": "https://git.kernel.org/stable/c/ec1f71c05caeba0f814df77e0f511d8b4618623a" + }, + { + "url": "https://git.kernel.org/stable/c/ee9e39a6cb3ca2a3d35b4ae25547ee3526a44d00" + }, + { + "url": "https://git.kernel.org/stable/c/f085e02f0a32f6dfcfabc6535c9c4a1707cef86b" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36946 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36946", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet: fix rtm_phonet_notify() skb allocation\n\nfill_route() stores three components in the skb:\n\n- struct rtmsg\n- RTA_DST (u8)\n- RTA_OIF (u32)\n\nTherefore, rtm_phonet_notify() should use\n\nNLMSG_ALIGN(sizeof(struct rtmsg)) +\nnla_total_size(1) +\nnla_total_size(4)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36946\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36946\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36946\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36946\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36946\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4ff334cade9dae50e4be387f71e94fae634aa9b4\",\n \"https://git.kernel.org/stable/c/728a83160f98ee6b60df0d890141b9b7240182fe\",\n \"https://git.kernel.org/stable/c/9a77226440008cf04ba68faf641a2d50f4998137\",\n \"https://git.kernel.org/stable/c/d8cac8568618dcb8a51af3db1103e8d4cc4aeea7\",\n \"https://git.kernel.org/stable/c/dc6beac059f0331de97155a89d84058d4a9e49c7\",\n \"https://git.kernel.org/stable/c/ec1f71c05caeba0f814df77e0f511d8b4618623a\",\n \"https://git.kernel.org/stable/c/ee9e39a6cb3ca2a3d35b4ae25547ee3526a44d00\",\n \"https://git.kernel.org/stable/c/f085e02f0a32f6dfcfabc6535c9c4a1707cef86b\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nphonet: fix rtm_phonet_notify() skb allocation\\n\\nfill_route() stores three components in the skb:\\n\\n- struct rtmsg\\n- RTA_DST (u8)\\n- RTA_OIF (u32)\\n\\nTherefore, rtm_phonet_notify() should use\\n\\nNLMSG_ALIGN(sizeof(struct rtmsg)) +\\nnla_total_size(1) +\\nnla_total_size(4)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36946\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36947", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36947" + }, + { + "url": "https://git.kernel.org/stable/c/02ee394a5d899d9bd2f0759382e9481cab6166f8" + }, + { + "url": "https://git.kernel.org/stable/c/24dd9b08df718f20ccf2dd1519909fefd8c233ee" + }, + { + "url": "https://git.kernel.org/stable/c/aa23317d0268b309bb3f0801ddd0d61813ff5afb" + }, + { + "url": "https://git.kernel.org/stable/c/bd8f78c71defbcb7a9ed331e7f287507df972b00" + }, + { + "url": "https://git.kernel.org/stable/c/db71ca93259dd1078bcfea3afafde2143cfc2da7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36947 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36947", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nqibfs: fix dentry leak\n\nsimple_recursive_removal() drops the pinning references to all positives\nin subtree. For the cases when its argument has been kept alive by\nthe pinning alone that's exactly the right thing to do, but here\nthe argument comes from dcache lookup, that needs to be balanced by\nexplicit dput().\n\nFucked-up-by: Al Viro ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36947\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36947\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36947\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36947\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36947\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02ee394a5d899d9bd2f0759382e9481cab6166f8\",\n \"https://git.kernel.org/stable/c/24dd9b08df718f20ccf2dd1519909fefd8c233ee\",\n \"https://git.kernel.org/stable/c/aa23317d0268b309bb3f0801ddd0d61813ff5afb\",\n \"https://git.kernel.org/stable/c/bd8f78c71defbcb7a9ed331e7f287507df972b00\",\n \"https://git.kernel.org/stable/c/db71ca93259dd1078bcfea3afafde2143cfc2da7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nqibfs: fix dentry leak\\n\\nsimple_recursive_removal() drops the pinning references to all positives\\nin subtree. For the cases when its argument has been kept alive by\\nthe pinning alone that's exactly the right thing to do, but here\\nthe argument comes from dcache lookup, that needs to be balanced by\\nexplicit dput().\\n\\nFucked-up-by: Al Viro \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36947\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36948", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36948" + }, + { + "url": "https://git.kernel.org/stable/c/9cb46b31f3d08ed3fce86349e8c12f96d7c88717" + }, + { + "url": "https://git.kernel.org/stable/c/e23a904dfeb5a9e3d4ec527a365e962478cccf05" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36948 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36948", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/xe_migrate: Cast to output precision before multiplying operands\n\nAddressing potential overflow in result of multiplication of two lower\nprecision (u32) operands before widening it to higher precision\n(u64).\n\n-v2\nFix commit message and description. (Rodrigo)\n\n(cherry picked from commit 34820967ae7b45411f8f4f737c2d63b0c608e0d7)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36948\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36948\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36948\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36948\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36948\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/9cb46b31f3d08ed3fce86349e8c12f96d7c88717\",\n \"https://git.kernel.org/stable/c/e23a904dfeb5a9e3d4ec527a365e962478cccf05\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/xe/xe_migrate: Cast to output precision before multiplying operands\\n\\nAddressing potential overflow in result of multiplication of two lower\\nprecision (u32) operands before widening it to higher precision\\n(u64).\\n\\n-v2\\nFix commit message and description. (Rodrigo)\\n\\n(cherry picked from commit 34820967ae7b45411f8f4f737c2d63b0c608e0d7)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36948\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36949", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36949" + }, + { + "url": "https://git.kernel.org/stable/c/b6f6626528fe724b512c34f3fb5946c36a135f58" + }, + { + "url": "https://git.kernel.org/stable/c/d06af584be5a769d124b7302b32a033e9559761d" + }, + { + "url": "https://git.kernel.org/stable/c/ed28ef3840bbf93a64376ea7814ce39f86352e14" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36949 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36949", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: sync all devices to wait all processes being evicted\n\nIf there are more than one device doing reset in parallel, the first\ndevice will call kfd_suspend_all_processes() to evict all processes\non all devices, this call takes time to finish. other device will\nstart reset and recover without waiting. if the process has not been\nevicted before doing recover, it will be restored, then caused page\nfault.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36949\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36949\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36949\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36949\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36949\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/b6f6626528fe724b512c34f3fb5946c36a135f58\",\n \"https://git.kernel.org/stable/c/d06af584be5a769d124b7302b32a033e9559761d\",\n \"https://git.kernel.org/stable/c/ed28ef3840bbf93a64376ea7814ce39f86352e14\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\namd/amdkfd: sync all devices to wait all processes being evicted\\n\\nIf there are more than one device doing reset in parallel, the first\\ndevice will call kfd_suspend_all_processes() to evict all processes\\non all devices, this call takes time to finish. other device will\\nstart reset and recover without waiting. if the process has not been\\nevicted before doing recover, it will be restored, then caused page\\nfault.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36949\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36950", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36950" + }, + { + "url": "https://git.kernel.org/stable/c/31279bbca40d2f40cb3bbb6d538ec9620a645dec" + }, + { + "url": "https://git.kernel.org/stable/c/4f9cc355c328fc4f41cbd9c4cd58b235184fa420" + }, + { + "url": "https://git.kernel.org/stable/c/5982887de60c1b84f9c0ca07c835814d07fd1da0" + }, + { + "url": "https://git.kernel.org/stable/c/6fafe3661712b143d9c69a7322294bd53f559d5d" + }, + { + "url": "https://git.kernel.org/stable/c/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9" + }, + { + "url": "https://git.kernel.org/stable/c/8643332aac0576581cfdf01798ea3e4e0d624b61" + }, + { + "url": "https://git.kernel.org/stable/c/b3948c69d60279fce5b2eeda92a07d66296c8130" + }, + { + "url": "https://git.kernel.org/stable/c/fa273f312334246c909475c5868e6daab889cc8c" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36950 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36950", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: ohci: mask bus reset interrupts between ISR and bottom half\n\nIn the FireWire OHCI interrupt handler, if a bus reset interrupt has\noccurred, mask bus reset interrupts until bus_reset_work has serviced and\ncleared the interrupt.\n\nNormally, we always leave bus reset interrupts masked. We infer the bus\nreset from the self-ID interrupt that happens shortly thereafter. A\nscenario where we unmask bus reset interrupts was introduced in 2008 in\na007bb857e0b26f5d8b73c2ff90782d9c0972620: If\nOHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we\nwill unmask bus reset interrupts so we can log them.\n\nirq_handler logs the bus reset interrupt. However, we can't clear the bus\nreset event flag in irq_handler, because we won't service the event until\nlater. irq_handler exits with the event flag still set. If the\ncorresponding interrupt is still unmasked, the first bus reset will\nusually freeze the system due to irq_handler being called again each\ntime it exits. This freeze can be reproduced by loading firewire_ohci\nwith \"modprobe firewire_ohci debug=-1\" (to enable all debugging output).\nApparently there are also some cases where bus_reset_work will get called\nsoon enough to clear the event, and operation will continue normally.\n\nThis freeze was first reported a few months after a007bb85 was committed,\nbut until now it was never fixed. The debug level could safely be set\nto -1 through sysfs after the module was loaded, but this would be\nineffectual in logging bus reset interrupts since they were only\nunmasked during initialization.\n\nirq_handler will now leave the event flag set but mask bus reset\ninterrupts, so irq_handler won't be called again and there will be no\nfreeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will\nunmask the interrupt after servicing the event, so future interrupts\nwill be caught as desired.\n\nAs a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be\nenabled through sysfs in addition to during initial module loading.\nHowever, when enabled through sysfs, logging of bus reset interrupts will\nbe effective only starting with the second bus reset, after\nbus_reset_work has executed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36950\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36950\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36950\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36950\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36950\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/31279bbca40d2f40cb3bbb6d538ec9620a645dec\",\n \"https://git.kernel.org/stable/c/4f9cc355c328fc4f41cbd9c4cd58b235184fa420\",\n \"https://git.kernel.org/stable/c/5982887de60c1b84f9c0ca07c835814d07fd1da0\",\n \"https://git.kernel.org/stable/c/6fafe3661712b143d9c69a7322294bd53f559d5d\",\n \"https://git.kernel.org/stable/c/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9\",\n \"https://git.kernel.org/stable/c/8643332aac0576581cfdf01798ea3e4e0d624b61\",\n \"https://git.kernel.org/stable/c/b3948c69d60279fce5b2eeda92a07d66296c8130\",\n \"https://git.kernel.org/stable/c/fa273f312334246c909475c5868e6daab889cc8c\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfirewire: ohci: mask bus reset interrupts between ISR and bottom half\\n\\nIn the FireWire OHCI interrupt handler, if a bus reset interrupt has\\noccurred, mask bus reset interrupts until bus_reset_work has serviced and\\ncleared the interrupt.\\n\\nNormally, we always leave bus reset interrupts masked. We infer the bus\\nreset from the self-ID interrupt that happens shortly thereafter. A\\nscenario where we unmask bus reset interrupts was introduced in 2008 in\\na007bb857e0b26f5d8b73c2ff90782d9c0972620: If\\nOHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we\\nwill unmask bus reset interrupts so we can log them.\\n\\nirq_handler logs the bus reset interrupt. However, we can't clear the bus\\nreset event flag in irq_handler, because we won't service the event until\\nlater. irq_handler exits with the event flag still set. If the\\ncorresponding interrupt is still unmasked, the first bus reset will\\nusually freeze the system due to irq_handler being called again each\\ntime it exits. This freeze can be reproduced by loading firewire_ohci\\nwith \\\"modprobe firewire_ohci debug=-1\\\" (to enable all debugging output).\\nApparently there are also some cases where bus_reset_work will get called\\nsoon enough to clear the event, and operation will continue normally.\\n\\nThis freeze was first reported a few months after a007bb85 was committed,\\nbut until now it was never fixed. The debug level could safely be set\\nto -1 through sysfs after the module was loaded, but this would be\\nineffectual in logging bus reset interrupts since they were only\\nunmasked during initialization.\\n\\nirq_handler will now leave the event flag set but mask bus reset\\ninterrupts, so irq_handler won't be called again and there will be no\\nfreeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will\\nunmask the interrupt after servicing the event, so future interrupts\\nwill be caught as desired.\\n\\nAs a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be\\nenabled through sysfs in addition to during initial module loading.\\nHowever, when enabled through sysfs, logging of bus reset interrupts will\\nbe effective only starting with the second bus reset, after\\nbus_reset_work has executed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36950\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36951", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36951" + }, + { + "url": "https://git.kernel.org/stable/c/0cac183b98d8a8c692c98e8dba37df15a9e9210d" + }, + { + "url": "https://git.kernel.org/stable/c/41dc6791596656dd41100b85647ed489e1d5c2f2" + }, + { + "url": "https://git.kernel.org/stable/c/b6735bfe941486c5dfc9c3085d2d75d4923f9449" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36951 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36951", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: range check cp bad op exception interrupts\n\nDue to a CP interrupt bug, bad packet garbage exception codes are raised.\nDo a range check so that the debugger and runtime do not receive garbage\ncodes.\nUpdate the user api to guard exception code type checking as well.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36951\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36951\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36951\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36951\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36951\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0cac183b98d8a8c692c98e8dba37df15a9e9210d\",\n \"https://git.kernel.org/stable/c/41dc6791596656dd41100b85647ed489e1d5c2f2\",\n \"https://git.kernel.org/stable/c/b6735bfe941486c5dfc9c3085d2d75d4923f9449\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdkfd: range check cp bad op exception interrupts\\n\\nDue to a CP interrupt bug, bad packet garbage exception codes are raised.\\nDo a range check so that the debugger and runtime do not receive garbage\\ncodes.\\nUpdate the user api to guard exception code type checking as well.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36951\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36952", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36952" + }, + { + "url": "https://git.kernel.org/stable/c/0936809d968ecf81e0726fbd02ff2a5732d960c3" + }, + { + "url": "https://git.kernel.org/stable/c/4ddf01f2f1504fa08b766e8cfeec558e9f8eef6c" + }, + { + "url": "https://git.kernel.org/stable/c/718602cd15f4c5710850090ea3066a89eeb46278" + }, + { + "url": "https://git.kernel.org/stable/c/76337eb8daee32bcc67742efab3168ed4ca299d0" + }, + { + "url": "https://git.kernel.org/stable/c/f2c7f029051edc4b394bb48edbe2297575abefe0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36952 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36952", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\n\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric. This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\n\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject. This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\n\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36952\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36952\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36952\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36952\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36952\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0936809d968ecf81e0726fbd02ff2a5732d960c3\",\n \"https://git.kernel.org/stable/c/4ddf01f2f1504fa08b766e8cfeec558e9f8eef6c\",\n \"https://git.kernel.org/stable/c/718602cd15f4c5710850090ea3066a89eeb46278\",\n \"https://git.kernel.org/stable/c/76337eb8daee32bcc67742efab3168ed4ca299d0\",\n \"https://git.kernel.org/stable/c/f2c7f029051edc4b394bb48edbe2297575abefe0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\\n\\nThere are cases after NPIV deletion where the fabric switch still believes\\nthe NPIV is logged into the fabric. This occurs when a vport is\\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\\nfabric.\\n\\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\\nobject. This sometimes causes the race condition where the final DA_ID and\\nLOGO are skipped from being sent to the fabric switch.\\n\\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\\nand LOGO are sent.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36952\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36953", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36953" + }, + { + "url": "https://git.kernel.org/stable/c/01981276d64e542c177b243f7c979fee855d5487" + }, + { + "url": "https://git.kernel.org/stable/c/17db92da8be5dd3bf63c01f4109fe47db64fc66f" + }, + { + "url": "https://git.kernel.org/stable/c/3a5b0378ac6776c7c31b18e0f3c1389bd6005e80" + }, + { + "url": "https://git.kernel.org/stable/c/4404465a1bee3607ad90a4c5f9e16dfd75b85728" + }, + { + "url": "https://git.kernel.org/stable/c/6ddb4f372fc63210034b903d96ebbeb3c7195adb" + }, + { + "url": "https://git.kernel.org/stable/c/8d6a1c8e3de36cb0f5e866f1a582b00939e23104" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36953 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36953", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()\n\nvgic_v2_parse_attr() is responsible for finding the vCPU that matches\nthe user-provided CPUID, which (of course) may not be valid. If the ID\nis invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled\ngracefully.\n\nSimilar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id()\nactually returns something and fail the ioctl if not.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36953\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36953\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36953\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36953\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36953\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01981276d64e542c177b243f7c979fee855d5487\",\n \"https://git.kernel.org/stable/c/17db92da8be5dd3bf63c01f4109fe47db64fc66f\",\n \"https://git.kernel.org/stable/c/3a5b0378ac6776c7c31b18e0f3c1389bd6005e80\",\n \"https://git.kernel.org/stable/c/4404465a1bee3607ad90a4c5f9e16dfd75b85728\",\n \"https://git.kernel.org/stable/c/6ddb4f372fc63210034b903d96ebbeb3c7195adb\",\n \"https://git.kernel.org/stable/c/8d6a1c8e3de36cb0f5e866f1a582b00939e23104\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()\\n\\nvgic_v2_parse_attr() is responsible for finding the vCPU that matches\\nthe user-provided CPUID, which (of course) may not be valid. If the ID\\nis invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled\\ngracefully.\\n\\nSimilar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id()\\nactually returns something and fail the ioctl if not.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36953\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36954", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36954" + }, + { + "url": "https://git.kernel.org/stable/c/01cd1b7b685751ee422d00d050292a3d277652d6" + }, + { + "url": "https://git.kernel.org/stable/c/2f87fd9476cf9725d774e6dcb7d17859c6a6d1ae" + }, + { + "url": "https://git.kernel.org/stable/c/3210d34fda4caff212cb53729e6bd46de604d565" + }, + { + "url": "https://git.kernel.org/stable/c/42c8471b0566c7539e7dd584b4d0ebd3cec8cb2c" + }, + { + "url": "https://git.kernel.org/stable/c/614c5a5ae45a921595952117b2e2bd4d4bf9b574" + }, + { + "url": "https://git.kernel.org/stable/c/97bf6f81b29a8efaf5d0983251a7450e5794370d" + }, + { + "url": "https://git.kernel.org/stable/c/adbce6d20da6254c86425a8d4359b221b5ccbccd" + }, + { + "url": "https://git.kernel.org/stable/c/d03a82f4f8144befdc10518e732e2a60b34c870e" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36954 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36954", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix a possible memleak in tipc_buf_append\n\n__skb_linearize() doesn't free the skb when it fails, so move\n'*buf = NULL' after __skb_linearize(), so that the skb can be\nfreed on the err path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36954\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36954\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36954\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36954\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36954\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01cd1b7b685751ee422d00d050292a3d277652d6\",\n \"https://git.kernel.org/stable/c/2f87fd9476cf9725d774e6dcb7d17859c6a6d1ae\",\n \"https://git.kernel.org/stable/c/3210d34fda4caff212cb53729e6bd46de604d565\",\n \"https://git.kernel.org/stable/c/42c8471b0566c7539e7dd584b4d0ebd3cec8cb2c\",\n \"https://git.kernel.org/stable/c/614c5a5ae45a921595952117b2e2bd4d4bf9b574\",\n \"https://git.kernel.org/stable/c/97bf6f81b29a8efaf5d0983251a7450e5794370d\",\n \"https://git.kernel.org/stable/c/adbce6d20da6254c86425a8d4359b221b5ccbccd\",\n \"https://git.kernel.org/stable/c/d03a82f4f8144befdc10518e732e2a60b34c870e\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: fix a possible memleak in tipc_buf_append\\n\\n__skb_linearize() doesn't free the skb when it fails, so move\\n'*buf = NULL' after __skb_linearize(), so that the skb can be\\nfreed on the err path.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36954\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36955", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36955" + }, + { + "url": "https://git.kernel.org/stable/c/722d33c442e66e4aabd3e778958d696ff3a2777e" + }, + { + "url": "https://git.kernel.org/stable/c/7db626d2730d3d80fd31638169054b1e507f07bf" + }, + { + "url": "https://git.kernel.org/stable/c/7ef6ecf98ce309b1f4e5a25cddd5965d01feea07" + }, + { + "url": "https://git.kernel.org/stable/c/bd2d9641a39e6b5244230c4b41c4aca83b54b377" + }, + { + "url": "https://git.kernel.org/stable/c/c158cf914713efc3bcdc25680c7156c48c12ef6a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36955 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36955", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()\n\nThe documentation for device_get_named_child_node() mentions this\nimportant point:\n\n\"\nThe caller is responsible for calling fwnode_handle_put() on the\nreturned fwnode pointer.\n\"\n\nAdd fwnode_handle_put() to avoid a leaked reference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36955\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36955\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36955\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36955\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36955\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/722d33c442e66e4aabd3e778958d696ff3a2777e\",\n \"https://git.kernel.org/stable/c/7db626d2730d3d80fd31638169054b1e507f07bf\",\n \"https://git.kernel.org/stable/c/7ef6ecf98ce309b1f4e5a25cddd5965d01feea07\",\n \"https://git.kernel.org/stable/c/bd2d9641a39e6b5244230c4b41c4aca83b54b377\",\n \"https://git.kernel.org/stable/c/c158cf914713efc3bcdc25680c7156c48c12ef6a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()\\n\\nThe documentation for device_get_named_child_node() mentions this\\nimportant point:\\n\\n\\\"\\nThe caller is responsible for calling fwnode_handle_put() on the\\nreturned fwnode pointer.\\n\\\"\\n\\nAdd fwnode_handle_put() to avoid a leaked reference.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.7,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36955\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36957", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36957" + }, + { + "url": "https://git.kernel.org/stable/c/0a0285cee11c7dcc2657bcd456e469958a5009e7" + }, + { + "url": "https://git.kernel.org/stable/c/8f11fe3ea3fc261640cfc8a5addd838000407c67" + }, + { + "url": "https://git.kernel.org/stable/c/bcdac70adceb44373da204c3c297f2a98e13216e" + }, + { + "url": "https://git.kernel.org/stable/c/ec697fbd38cbe2eef0948b58673b146caa95402f" + }, + { + "url": "https://git.kernel.org/stable/c/f299ee709fb45036454ca11e90cb2810fe771878" + }, + { + "url": "https://git.kernel.org/stable/c/fc3e0076c1f82fe981d321e3a7bad4cbee542c19" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36957 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36957", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: avoid off-by-one read from userspace\n\nWe try to access count + 1 byte from userspace with memdup_user(buffer,\ncount + 1). However, the userspace only provides buffer of count bytes and\nonly these count bytes are verified to be okay to access. To ensure the\ncopied buffer is NUL terminated, we use memdup_user_nul instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36957\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36957\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36957\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36957\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36957\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a0285cee11c7dcc2657bcd456e469958a5009e7\",\n \"https://git.kernel.org/stable/c/8f11fe3ea3fc261640cfc8a5addd838000407c67\",\n \"https://git.kernel.org/stable/c/bcdac70adceb44373da204c3c297f2a98e13216e\",\n \"https://git.kernel.org/stable/c/ec697fbd38cbe2eef0948b58673b146caa95402f\",\n \"https://git.kernel.org/stable/c/f299ee709fb45036454ca11e90cb2810fe771878\",\n \"https://git.kernel.org/stable/c/fc3e0076c1f82fe981d321e3a7bad4cbee542c19\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocteontx2-af: avoid off-by-one read from userspace\\n\\nWe try to access count + 1 byte from userspace with memdup_user(buffer,\\ncount + 1). However, the userspace only provides buffer of count bytes and\\nonly these count bytes are verified to be okay to access. To ensure the\\ncopied buffer is NUL terminated, we use memdup_user_nul instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36957\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36959", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36959" + }, + { + "url": "https://git.kernel.org/stable/c/026e24cf31733dbd97f41cc9bc5273ace428eeec" + }, + { + "url": "https://git.kernel.org/stable/c/06780473cb8a858d1d6cab2673e021b072a852d1" + }, + { + "url": "https://git.kernel.org/stable/c/35ab679e8bb5a81a4f922d3efbd43e32bce69274" + }, + { + "url": "https://git.kernel.org/stable/c/47d253c485491caaf70d8cd8c0248ae26e42581f" + }, + { + "url": "https://git.kernel.org/stable/c/518d5ddafeb084d6d9b1773ed85164300037d0e6" + }, + { + "url": "https://git.kernel.org/stable/c/76aa2440deb9a35507590f2c981a69a57ecd305d" + }, + { + "url": "https://git.kernel.org/stable/c/a0cedbcc8852d6c77b00634b81e41f17f29d9404" + }, + { + "url": "https://git.kernel.org/stable/c/c7e02ccc9fdc496fe51e440e3e66ac36509ca049" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36959 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36959", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()\n\nIf we fail to allocate propname buffer, we need to drop the reference\ncount we just took. Because the pinctrl_dt_free_maps() includes the\ndroping operation, here we call it directly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36959\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36959\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36959\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36959\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36959\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/026e24cf31733dbd97f41cc9bc5273ace428eeec\",\n \"https://git.kernel.org/stable/c/06780473cb8a858d1d6cab2673e021b072a852d1\",\n \"https://git.kernel.org/stable/c/35ab679e8bb5a81a4f922d3efbd43e32bce69274\",\n \"https://git.kernel.org/stable/c/47d253c485491caaf70d8cd8c0248ae26e42581f\",\n \"https://git.kernel.org/stable/c/518d5ddafeb084d6d9b1773ed85164300037d0e6\",\n \"https://git.kernel.org/stable/c/76aa2440deb9a35507590f2c981a69a57ecd305d\",\n \"https://git.kernel.org/stable/c/a0cedbcc8852d6c77b00634b81e41f17f29d9404\",\n \"https://git.kernel.org/stable/c/c7e02ccc9fdc496fe51e440e3e66ac36509ca049\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()\\n\\nIf we fail to allocate propname buffer, we need to drop the reference\\ncount we just took. Because the pinctrl_dt_free_maps() includes the\\ndroping operation, here we call it directly.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36959\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36960", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36960" + }, + { + "url": "https://git.kernel.org/stable/c/0dbfc73670b357456196130551e586345ca48e1b" + }, + { + "url": "https://git.kernel.org/stable/c/2f527e3efd37c7c5e85e8aa86308856b619fa59f" + }, + { + "url": "https://git.kernel.org/stable/c/3cd682357c6167f636aec8ac0efaa8ba61144d36" + }, + { + "url": "https://git.kernel.org/stable/c/7b5fd3af4a250dd0a2a558e07b43478748eb5d22" + }, + { + "url": "https://git.kernel.org/stable/c/a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c" + }, + { + "url": "https://git.kernel.org/stable/c/b7bab33c4623c66e3398d5253870d4e88c52dfc0" + }, + { + "url": "https://git.kernel.org/stable/c/cef0962f2d3e5fd0660c8efb72321083a1b531a9" + }, + { + "url": "https://git.kernel.org/stable/c/deab66596dfad14f1c54eeefdb72428340d72a77" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36960 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36960", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix invalid reads in fence signaled events\n\nCorrectly set the length of the drm_event to the size of the structure\nthat's actually used.\n\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. drm_read\nuses the length parameter to copy the event to the user space thus\nresuling in oob reads.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36960\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36960\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36960\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36960\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36960\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0dbfc73670b357456196130551e586345ca48e1b\",\n \"https://git.kernel.org/stable/c/2f527e3efd37c7c5e85e8aa86308856b619fa59f\",\n \"https://git.kernel.org/stable/c/3cd682357c6167f636aec8ac0efaa8ba61144d36\",\n \"https://git.kernel.org/stable/c/7b5fd3af4a250dd0a2a558e07b43478748eb5d22\",\n \"https://git.kernel.org/stable/c/a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c\",\n \"https://git.kernel.org/stable/c/b7bab33c4623c66e3398d5253870d4e88c52dfc0\",\n \"https://git.kernel.org/stable/c/cef0962f2d3e5fd0660c8efb72321083a1b531a9\",\n \"https://git.kernel.org/stable/c/deab66596dfad14f1c54eeefdb72428340d72a77\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vmwgfx: Fix invalid reads in fence signaled events\\n\\nCorrectly set the length of the drm_event to the size of the structure\\nthat's actually used.\\n\\nThe length of the drm_event was set to the parent structure instead of\\nto the drm_vmw_event_fence which is supposed to be read. drm_read\\nuses the length parameter to copy the event to the user space thus\\nresuling in oob reads.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36960\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36964", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36964" + }, + { + "url": "https://git.kernel.org/stable/c/157d468e34fdd3cb1ddc07c2be32fb3b02826b02" + }, + { + "url": "https://git.kernel.org/stable/c/5a605930e19f451294bd838754f7d66c976a8a2c" + }, + { + "url": "https://git.kernel.org/stable/c/ad4f65328661392de74e3608bb736fedf3b67e32" + }, + { + "url": "https://git.kernel.org/stable/c/ca9b5c81f0c918c63d73d962ed8a8e231f840bc8" + }, + { + "url": "https://git.kernel.org/stable/c/cd25e15e57e68a6b18dc9323047fe9c68b99290b" + }, + { + "url": "https://git.kernel.org/stable/c/df1962a199783ecd66734d563caf0fedecf08f96" + }, + { + "url": "https://git.kernel.org/stable/c/e55c601af3b1223a84f9f27f9cdbd2af5e203bf3" + }, + { + "url": "https://git.kernel.org/stable/c/e90bc596a74bb905e0a45bf346038c3f9d1e868d" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36964 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36964", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: only translate RWX permissions for plain 9P2000\n\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\nto be able to set (among others) the suid bit. This was presumably not\nthe intent since the unix extended bits are handled explicitly and\nconditionally on .u.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36964\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36964\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36964\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36964\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36964\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/157d468e34fdd3cb1ddc07c2be32fb3b02826b02\",\n \"https://git.kernel.org/stable/c/5a605930e19f451294bd838754f7d66c976a8a2c\",\n \"https://git.kernel.org/stable/c/ad4f65328661392de74e3608bb736fedf3b67e32\",\n \"https://git.kernel.org/stable/c/ca9b5c81f0c918c63d73d962ed8a8e231f840bc8\",\n \"https://git.kernel.org/stable/c/cd25e15e57e68a6b18dc9323047fe9c68b99290b\",\n \"https://git.kernel.org/stable/c/df1962a199783ecd66734d563caf0fedecf08f96\",\n \"https://git.kernel.org/stable/c/e55c601af3b1223a84f9f27f9cdbd2af5e203bf3\",\n \"https://git.kernel.org/stable/c/e90bc596a74bb905e0a45bf346038c3f9d1e868d\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/9p: only translate RWX permissions for plain 9P2000\\n\\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\\nto be able to set (among others) the suid bit. This was presumably not\\nthe intent since the unix extended bits are handled explicitly and\\nconditionally on .u.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36964\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36965", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36965" + }, + { + "url": "https://git.kernel.org/stable/c/00548ac6b14428719c970ef90adae2b3b48c0cdf" + }, + { + "url": "https://git.kernel.org/stable/c/1d9e2de24533daca36cbf09e8d8596bf72b526b2" + }, + { + "url": "https://git.kernel.org/stable/c/26c6d7dc8c6a9fde9d362ab2eef6390efeff145e" + }, + { + "url": "https://git.kernel.org/stable/c/331f91d86f71d0bb89a44217cc0b2a22810bbd42" + }, + { + "url": "https://git.kernel.org/stable/c/36c79eb4845551e9f6d28c663b38ce0ab03b84a9" + }, + { + "url": "https://git.kernel.org/stable/c/838b49e211d59fa827ff9df062d4020917cffbdf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36965 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36965", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: mediatek: Make sure IPI buffer fits in L2TCM\n\nThe IPI buffer location is read from the firmware that we load to the\nSystem Companion Processor, and it's not granted that both the SRAM\n(L2TCM) size that is defined in the devicetree node is large enough\nfor that, and while this is especially true for multi-core SCP, it's\nstill useful to check on single-core variants as well.\n\nFailing to perform this check may make this driver perform R/W\noperations out of the L2TCM boundary, resulting (at best) in a\nkernel panic.\n\nTo fix that, check that the IPI buffer fits, otherwise return a\nfailure and refuse to boot the relevant SCP core (or the SCP at\nall, if this is single core).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36965\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36965\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36965\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36965\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36965\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00548ac6b14428719c970ef90adae2b3b48c0cdf\",\n \"https://git.kernel.org/stable/c/1d9e2de24533daca36cbf09e8d8596bf72b526b2\",\n \"https://git.kernel.org/stable/c/26c6d7dc8c6a9fde9d362ab2eef6390efeff145e\",\n \"https://git.kernel.org/stable/c/331f91d86f71d0bb89a44217cc0b2a22810bbd42\",\n \"https://git.kernel.org/stable/c/36c79eb4845551e9f6d28c663b38ce0ab03b84a9\",\n \"https://git.kernel.org/stable/c/838b49e211d59fa827ff9df062d4020917cffbdf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nremoteproc: mediatek: Make sure IPI buffer fits in L2TCM\\n\\nThe IPI buffer location is read from the firmware that we load to the\\nSystem Companion Processor, and it's not granted that both the SRAM\\n(L2TCM) size that is defined in the devicetree node is large enough\\nfor that, and while this is especially true for multi-core SCP, it's\\nstill useful to check on single-core variants as well.\\n\\nFailing to perform this check may make this driver perform R/W\\noperations out of the L2TCM boundary, resulting (at best) in a\\nkernel panic.\\n\\nTo fix that, check that the IPI buffer fits, otherwise return a\\nfailure and refuse to boot the relevant SCP core (or the SCP at\\nall, if this is single core).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36965\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36966", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36966" + }, + { + "url": "https://git.kernel.org/stable/c/7af2ae1b1531feab5d38ec9c8f472dc6cceb4606" + }, + { + "url": "https://git.kernel.org/stable/c/dcdd49701e429c55b3644fd70fc58d85745f8cfe" + }, + { + "url": "https://git.kernel.org/stable/c/f9b877a7ee312ec8ce17598a7ef85cb820d7c371" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36966 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36966", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: reliably distinguish block based and fscache mode\n\nWhen erofs_kill_sb() is called in block dev based mode, s_bdev may not\nhave been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled,\nit will be mistaken for fscache mode, and then attempt to free an anon_dev\nthat has never been allocated, triggering the following warning:\n\n============================================\nida_free called for id=0 which is not allocated.\nWARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140\nModules linked in:\nCPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630\nRIP: 0010:ida_free+0x134/0x140\nCall Trace:\n \n erofs_kill_sb+0x81/0x90\n deactivate_locked_super+0x35/0x80\n get_tree_bdev+0x136/0x1e0\n vfs_get_tree+0x2c/0xf0\n do_new_mount+0x190/0x2f0\n [...]\n============================================\n\nNow when erofs_kill_sb() is called, erofs_sb_info must have been\ninitialised, so use sbi->fsid to distinguish between the two modes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36966\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36966\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36966\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36966\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36966\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7af2ae1b1531feab5d38ec9c8f472dc6cceb4606\",\n \"https://git.kernel.org/stable/c/dcdd49701e429c55b3644fd70fc58d85745f8cfe\",\n \"https://git.kernel.org/stable/c/f9b877a7ee312ec8ce17598a7ef85cb820d7c371\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nerofs: reliably distinguish block based and fscache mode\\n\\nWhen erofs_kill_sb() is called in block dev based mode, s_bdev may not\\nhave been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled,\\nit will be mistaken for fscache mode, and then attempt to free an anon_dev\\nthat has never been allocated, triggering the following warning:\\n\\n============================================\\nida_free called for id=0 which is not allocated.\\nWARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140\\nModules linked in:\\nCPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630\\nRIP: 0010:ida_free+0x134/0x140\\nCall Trace:\\n \\n erofs_kill_sb+0x81/0x90\\n deactivate_locked_super+0x35/0x80\\n get_tree_bdev+0x136/0x1e0\\n vfs_get_tree+0x2c/0xf0\\n do_new_mount+0x190/0x2f0\\n [...]\\n============================================\\n\\nNow when erofs_kill_sb() is called, erofs_sb_info must have been\\ninitialised, so use sbi->fsid to distinguish between the two modes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36966\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36967", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36967" + }, + { + "url": "https://git.kernel.org/stable/c/189c768932d435045b1fae12bf63e53866f06a28" + }, + { + "url": "https://git.kernel.org/stable/c/1e6914fa8e7798bcf3ce4a5b96ea4ac1d5571cdf" + }, + { + "url": "https://git.kernel.org/stable/c/5d91238b590bd883c86ba7707c5c9096469c08b7" + }, + { + "url": "https://git.kernel.org/stable/c/cf26a92f560eed5d6ddc3d441cc645950cbabc56" + }, + { + "url": "https://git.kernel.org/stable/c/e62835264d0352be6086975f18fdfed2b5520b13" + }, + { + "url": "https://git.kernel.org/stable/c/ffcaa2172cc1a85ddb8b783de96d38ca8855e248" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36967 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36967", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix memory leak in tpm2_key_encode()\n\n'scratch' is never freed. Fix this by calling kfree() in the success, and\nin the error case.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36967\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36967\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36967\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36967\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36967\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/189c768932d435045b1fae12bf63e53866f06a28\",\n \"https://git.kernel.org/stable/c/1e6914fa8e7798bcf3ce4a5b96ea4ac1d5571cdf\",\n \"https://git.kernel.org/stable/c/5d91238b590bd883c86ba7707c5c9096469c08b7\",\n \"https://git.kernel.org/stable/c/cf26a92f560eed5d6ddc3d441cc645950cbabc56\",\n \"https://git.kernel.org/stable/c/e62835264d0352be6086975f18fdfed2b5520b13\",\n \"https://git.kernel.org/stable/c/ffcaa2172cc1a85ddb8b783de96d38ca8855e248\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKEYS: trusted: Fix memory leak in tpm2_key_encode()\\n\\n'scratch' is never freed. Fix this by calling kfree() in the success, and\\nin the error case.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36967\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36968", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36968" + }, + { + "url": "https://git.kernel.org/stable/c/4d3dbaa252257d20611c3647290e6171f1bbd6c8" + }, + { + "url": "https://git.kernel.org/stable/c/a5b862c6a221459d54e494e88965b48dcfa6cc44" + }, + { + "url": "https://git.kernel.org/stable/c/ad3f7986c5a0f82b8b66a0afe1cc1f5421e1d674" + }, + { + "url": "https://git.kernel.org/stable/c/d2b2f7d3936dc5990549bc36ab7ac7ac37f22c30" + }, + { + "url": "https://git.kernel.org/stable/c/dfece2b4e3759759b2bdfac2cd6d0ee9fbf055f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36968 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36968", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\n\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\noverflow since hdev->le_mtu may not fall in the valid range.\n\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\nprocess earlier if MTU is invalid.\nAlso, add a missing validation in read_buffer_size() and make it return\nan error value if the validation fails.\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\nkzalloc failure and invalid MTU value.\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci0 hci_rx_work\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\nFS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n \n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\n kthread+0x2e3/0x380 kernel/kthread.c:388\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \nModules linked in:\n---[ end trace 0000000000000000 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36968\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36968\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36968\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36968\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36968\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4d3dbaa252257d20611c3647290e6171f1bbd6c8\",\n \"https://git.kernel.org/stable/c/a5b862c6a221459d54e494e88965b48dcfa6cc44\",\n \"https://git.kernel.org/stable/c/ad3f7986c5a0f82b8b66a0afe1cc1f5421e1d674\",\n \"https://git.kernel.org/stable/c/d2b2f7d3936dc5990549bc36ab7ac7ac37f22c30\",\n \"https://git.kernel.org/stable/c/dfece2b4e3759759b2bdfac2cd6d0ee9fbf055f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\\n\\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\\noverflow since hdev->le_mtu may not fall in the valid range.\\n\\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\\nprocess earlier if MTU is invalid.\\nAlso, add a missing validation in read_buffer_size() and make it return\\nan error value if the validation fails.\\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\\nkzalloc failure and invalid MTU value.\\n\\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nWorkqueue: hci0 hci_rx_work\\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\\nFS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\\nPKRU: 55555554\\nCall Trace:\\n \\n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\\n process_one_work kernel/workqueue.c:3254 [inline]\\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\\n kthread+0x2e3/0x380 kernel/kthread.c:388\\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n \\nModules linked in:\\n---[ end trace 0000000000000000 ]---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36968\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36969", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36969" + }, + { + "url": "https://git.kernel.org/stable/c/130afc8a886183a94cf6eab7d24f300014ff87ba" + }, + { + "url": "https://git.kernel.org/stable/c/308de6be0c9c7ba36915c0d398e771725c0ea911" + }, + { + "url": "https://git.kernel.org/stable/c/7e4f50dfc98c49b3dc6875a35c3112522fb25639" + }, + { + "url": "https://git.kernel.org/stable/c/91402e0e5de9124a3108db7a14163fcf9a6d322f" + }, + { + "url": "https://git.kernel.org/stable/c/a32c8f951c8a456c1c251e1dcdf21787f8066445" + }, + { + "url": "https://git.kernel.org/stable/c/f187fcbbb8f8bf10c6687f0beae22509369f7563" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36969 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36969", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix division by zero in setup_dsc_config\n\nWhen slice_height is 0, the division by slice_height in the calculation\nof the number of slices will cause a division by zero driver crash. This\nleaves the kernel in a state that requires a reboot. This patch adds a\ncheck to avoid the division by zero.\n\nThe stack trace below is for the 6.8.4 Kernel. I reproduced the issue on\na Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor\nconnected via Thunderbolt. The amdgpu driver crashed with this exception\nwhen I rebooted the system with the monitor connected.\n\nkernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)\nkernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2))\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu\n\nAfter applying this patch, the driver no longer crashes when the monitor\nis connected and the system is rebooted. I believe this is the same\nissue reported for 3113.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36969\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36969\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36969\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36969\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36969\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/130afc8a886183a94cf6eab7d24f300014ff87ba\",\n \"https://git.kernel.org/stable/c/308de6be0c9c7ba36915c0d398e771725c0ea911\",\n \"https://git.kernel.org/stable/c/7e4f50dfc98c49b3dc6875a35c3112522fb25639\",\n \"https://git.kernel.org/stable/c/91402e0e5de9124a3108db7a14163fcf9a6d322f\",\n \"https://git.kernel.org/stable/c/a32c8f951c8a456c1c251e1dcdf21787f8066445\",\n \"https://git.kernel.org/stable/c/f187fcbbb8f8bf10c6687f0beae22509369f7563\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix division by zero in setup_dsc_config\\n\\nWhen slice_height is 0, the division by slice_height in the calculation\\nof the number of slices will cause a division by zero driver crash. This\\nleaves the kernel in a state that requires a reboot. This patch adds a\\ncheck to avoid the division by zero.\\n\\nThe stack trace below is for the 6.8.4 Kernel. I reproduced the issue on\\na Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor\\nconnected via Thunderbolt. The amdgpu driver crashed with this exception\\nwhen I rebooted the system with the monitor connected.\\n\\nkernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)\\nkernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154)\\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\\nkernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175)\\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\\nkernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2))\\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\\nkernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548)\\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\\nkernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu\\n\\nAfter applying this patch, the driver no longer crashes when the monitor\\nis connected and the system is rebooted. I believe this is the same\\nissue reported for 3113.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36969\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36970", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36970" + }, + { + "url": "https://git.kernel.org/stable/c/3d913719df14c28c4d3819e7e6d150760222bda4" + }, + { + "url": "https://git.kernel.org/stable/c/d20013259539e2fde2deeac85354851097afdf9e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36970 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36970", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: Use request_module_nowait\n\nThis appears to work around a deadlock regression that came in\nwith the LED merge in 6.9.\n\nThe deadlock happens on my system with 24 iwlwifi radios, so maybe\nit something like all worker threads are busy and some work that needs\nto complete cannot complete.\n\n[also remove unnecessary \"load_module\" var and now-wrong comment]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36970\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36970\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36970\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36970\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36970\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3d913719df14c28c4d3819e7e6d150760222bda4\",\n \"https://git.kernel.org/stable/c/d20013259539e2fde2deeac85354851097afdf9e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: Use request_module_nowait\\n\\nThis appears to work around a deadlock regression that came in\\nwith the LED merge in 6.9.\\n\\nThe deadlock happens on my system with 24 iwlwifi radios, so maybe\\nit something like all worker threads are busy and some work that needs\\nto complete cannot complete.\\n\\n[also remove unnecessary \\\"load_module\\\" var and now-wrong comment]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36970\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36971", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36971" + }, + { + "url": "https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13" + }, + { + "url": "https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6" + }, + { + "url": "https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508" + }, + { + "url": "https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4" + }, + { + "url": "https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e" + }, + { + "url": "https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fc" + }, + { + "url": "https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72" + }, + { + "url": "https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36971 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36971", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix __dst_negative_advice() race\n\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\n\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\n\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\n\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\n\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\n\nMany thanks to Clement Lecigne for tracking this issue.\n\nThis old bug became visible after the blamed commit, using UDP sockets.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36971\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36971\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36971\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36971\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36971\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13\",\n \"https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6\",\n \"https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508\",\n \"https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4\",\n \"https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e\",\n \"https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fc\",\n \"https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72\",\n \"https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: fix __dst_negative_advice() race\\n\\n__dst_negative_advice() does not enforce proper RCU rules when\\nsk->dst_cache must be cleared, leading to possible UAF.\\n\\nRCU rules are that we must first clear sk->sk_dst_cache,\\nthen call dst_release(old_dst).\\n\\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\\nwhile __dst_negative_advice() uses the wrong order.\\n\\nGiven that ip6_negative_advice() has special logic\\nagainst RTF_CACHE, this means each of the three ->negative_advice()\\nexisting methods must perform the sk_dst_reset() themselves.\\n\\nNote the check against NULL dst is centralized in\\n__dst_negative_advice(), there is no need to duplicate\\nit in various callbacks.\\n\\nMany thanks to Clement Lecigne for tracking this issue.\\n\\nThis old bug became visible after the blamed commit, using UDP sockets.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36971\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36972", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36972" + }, + { + "url": "https://git.kernel.org/stable/c/4708f49add84a57ce0ccc7bf9a6269845c631cc3" + }, + { + "url": "https://git.kernel.org/stable/c/4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1" + }, + { + "url": "https://git.kernel.org/stable/c/518a994aa0b87d96f1bc6678a7035df5d1fcd7a1" + }, + { + "url": "https://git.kernel.org/stable/c/9841991a446c87f90f66f4b9fee6fe934c1336a2" + }, + { + "url": "https://git.kernel.org/stable/c/d59ae9314b97e01c76a4171472441e55721ba636" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36972 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36972", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.\n\nBilly Jheng Bing-Jhong reported a race between __unix_gc() and\nqueue_oob().\n\n__unix_gc() tries to garbage-collect close()d inflight sockets,\nand then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC\nwill drop the reference and set NULL to it locklessly.\n\nHowever, the peer socket still can send MSG_OOB message and\nqueue_oob() can update unix_sk(sk)->oob_skb concurrently, leading\nNULL pointer dereference. [0]\n\nTo fix the issue, let's update unix_sk(sk)->oob_skb under the\nsk_receive_queue's lock and take it everywhere we touch oob_skb.\n\nNote that we defer kfree_skb() in manage_oob() to silence lockdep\nfalse-positive (See [1]).\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0\nOops: 0002 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events delayed_fput\nRIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)\nCode: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc\nRSP: 0018:ffffc900001bfd48 EFLAGS: 00000002\nRAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9\nRDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00\nRBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001\nR10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00\nR13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80\nFS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \n unix_release_sock (net/unix/af_unix.c:654)\n unix_release (net/unix/af_unix.c:1050)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:423)\n delayed_fput (fs/file_table.c:444 (discriminator 3))\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)\n kthread (kernel/kthread.c:388)\n ret_from_fork (arch/x86/kernel/process.c:153)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:257)\n \nModules linked in:\nCR2: 0000000000000008", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36972\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36972\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36972\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36972\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36972\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4708f49add84a57ce0ccc7bf9a6269845c631cc3\",\n \"https://git.kernel.org/stable/c/4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1\",\n \"https://git.kernel.org/stable/c/518a994aa0b87d96f1bc6678a7035df5d1fcd7a1\",\n \"https://git.kernel.org/stable/c/9841991a446c87f90f66f4b9fee6fe934c1336a2\",\n \"https://git.kernel.org/stable/c/d59ae9314b97e01c76a4171472441e55721ba636\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.\\n\\nBilly Jheng Bing-Jhong reported a race between __unix_gc() and\\nqueue_oob().\\n\\n__unix_gc() tries to garbage-collect close()d inflight sockets,\\nand then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC\\nwill drop the reference and set NULL to it locklessly.\\n\\nHowever, the peer socket still can send MSG_OOB message and\\nqueue_oob() can update unix_sk(sk)->oob_skb concurrently, leading\\nNULL pointer dereference. [0]\\n\\nTo fix the issue, let's update unix_sk(sk)->oob_skb under the\\nsk_receive_queue's lock and take it everywhere we touch oob_skb.\\n\\nNote that we defer kfree_skb() in manage_oob() to silence lockdep\\nfalse-positive (See [1]).\\n\\n[0]:\\nBUG: kernel NULL pointer dereference, address: 0000000000000008\\n PF: supervisor write access in kernel mode\\n PF: error_code(0x0002) - not-present page\\nPGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0\\nOops: 0002 [#1] PREEMPT SMP PTI\\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\nWorkqueue: events delayed_fput\\nRIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)\\nCode: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc\\nRSP: 0018:ffffc900001bfd48 EFLAGS: 00000002\\nRAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9\\nRDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00\\nRBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001\\nR10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00\\nR13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80\\nFS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0\\nPKRU: 55555554\\nCall Trace:\\n \\n unix_release_sock (net/unix/af_unix.c:654)\\n unix_release (net/unix/af_unix.c:1050)\\n __sock_release (net/socket.c:660)\\n sock_close (net/socket.c:1423)\\n __fput (fs/file_table.c:423)\\n delayed_fput (fs/file_table.c:444 (discriminator 3))\\n process_one_work (kernel/workqueue.c:3259)\\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)\\n kthread (kernel/kthread.c:388)\\n ret_from_fork (arch/x86/kernel/process.c:153)\\n ret_from_fork_asm (arch/x86/entry/entry_64.S:257)\\n \\nModules linked in:\\nCR2: 0000000000000008\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36972\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36974", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36974" + }, + { + "url": "https://git.kernel.org/stable/c/0bf6cc96612bd396048f57d63f1ad454a846e39c" + }, + { + "url": "https://git.kernel.org/stable/c/6db4af09987cc5d5f0136bd46148b0e0460dae5b" + }, + { + "url": "https://git.kernel.org/stable/c/724050ae4b76e4fae05a923cb54101d792cf4404" + }, + { + "url": "https://git.kernel.org/stable/c/c37a27a35eadb59286c9092c49c241270c802ae2" + }, + { + "url": "https://git.kernel.org/stable/c/c6041e7124464ce7e896ee3f912897ce88a0c4ec" + }, + { + "url": "https://git.kernel.org/stable/c/d3dde4c217f0c31ab0621912e682b57e677dd923" + }, + { + "url": "https://git.kernel.org/stable/c/f921a58ae20852d188f70842431ce6519c4fdc36" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36974 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36974", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP\n\nIf one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,\ntaprio_parse_mqprio_opt() must validate it, or userspace\ncan inject arbitrary data to the kernel, the second time\ntaprio_change() is called.\n\nFirst call (with valid attributes) sets dev->num_tc\nto a non zero value.\n\nSecond call (with arbitrary mqprio attributes)\nreturns early from taprio_parse_mqprio_opt()\nand bad things can happen.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36974\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36974\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36974\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36974\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36974\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0bf6cc96612bd396048f57d63f1ad454a846e39c\",\n \"https://git.kernel.org/stable/c/6db4af09987cc5d5f0136bd46148b0e0460dae5b\",\n \"https://git.kernel.org/stable/c/724050ae4b76e4fae05a923cb54101d792cf4404\",\n \"https://git.kernel.org/stable/c/c37a27a35eadb59286c9092c49c241270c802ae2\",\n \"https://git.kernel.org/stable/c/c6041e7124464ce7e896ee3f912897ce88a0c4ec\",\n \"https://git.kernel.org/stable/c/d3dde4c217f0c31ab0621912e682b57e677dd923\",\n \"https://git.kernel.org/stable/c/f921a58ae20852d188f70842431ce6519c4fdc36\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP\\n\\nIf one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,\\ntaprio_parse_mqprio_opt() must validate it, or userspace\\ncan inject arbitrary data to the kernel, the second time\\ntaprio_change() is called.\\n\\nFirst call (with valid attributes) sets dev->num_tc\\nto a non zero value.\\n\\nSecond call (with arbitrary mqprio attributes)\\nreturns early from taprio_parse_mqprio_opt()\\nand bad things can happen.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36974\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36975", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36975" + }, + { + "url": "https://git.kernel.org/stable/c/050bf3c793a07f96bd1e2fd62e1447f731ed733b" + }, + { + "url": "https://git.kernel.org/stable/c/1c652e1e10676f942149052d9329b8bf2703529a" + }, + { + "url": "https://git.kernel.org/stable/c/681935009fec3fc22af97ee312d4a24ccf3cf087" + }, + { + "url": "https://git.kernel.org/stable/c/96f650995c70237b061b497c66755e32908f8972" + }, + { + "url": "https://git.kernel.org/stable/c/d32c6e09f7c4bec3ebc4941323f0aa6366bc1487" + }, + { + "url": "https://git.kernel.org/stable/c/ff91cc12faf798f573dab2abc976c1d5b1862fea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36975 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36975", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Do not use WARN when encode fails\n\nWhen asn1_encode_sequence() fails, WARN is not the correct solution.\n\n1. asn1_encode_sequence() is not an internal function (located\n in lib/asn1_encode.c).\n2. Location is known, which makes the stack trace useless.\n3. Results a crash if panic_on_warn is set.\n\nIt is also noteworthy that the use of WARN is undocumented, and it\nshould be avoided unless there is a carefully considered rationale to\nuse it.\n\nReplace WARN with pr_err, and print the return value instead, which is\nonly useful piece of information.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36975\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36975\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36975\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36975\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36975\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/050bf3c793a07f96bd1e2fd62e1447f731ed733b\",\n \"https://git.kernel.org/stable/c/1c652e1e10676f942149052d9329b8bf2703529a\",\n \"https://git.kernel.org/stable/c/681935009fec3fc22af97ee312d4a24ccf3cf087\",\n \"https://git.kernel.org/stable/c/96f650995c70237b061b497c66755e32908f8972\",\n \"https://git.kernel.org/stable/c/d32c6e09f7c4bec3ebc4941323f0aa6366bc1487\",\n \"https://git.kernel.org/stable/c/ff91cc12faf798f573dab2abc976c1d5b1862fea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKEYS: trusted: Do not use WARN when encode fails\\n\\nWhen asn1_encode_sequence() fails, WARN is not the correct solution.\\n\\n1. asn1_encode_sequence() is not an internal function (located\\n in lib/asn1_encode.c).\\n2. Location is known, which makes the stack trace useless.\\n3. Results a crash if panic_on_warn is set.\\n\\nIt is also noteworthy that the use of WARN is undocumented, and it\\nshould be avoided unless there is a carefully considered rationale to\\nuse it.\\n\\nReplace WARN with pr_err, and print the return value instead, which is\\nonly useful piece of information.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36975\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36978", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36978" + }, + { + "url": "https://git.kernel.org/stable/c/0f208fad86631e005754606c3ec80c0d44a11882" + }, + { + "url": "https://git.kernel.org/stable/c/52b1aa07cda6a199cd6754d3798c7759023bc70f" + }, + { + "url": "https://git.kernel.org/stable/c/54c2c171c11a798fe887b3ff72922aa9d1411c1e" + }, + { + "url": "https://git.kernel.org/stable/c/598572c64287aee0b75bbba4e2881496878860f3" + }, + { + "url": "https://git.kernel.org/stable/c/affc18fdc694190ca7575b9a86632a73b9fe043d" + }, + { + "url": "https://git.kernel.org/stable/c/d5d9d241786f49ae7cbc08e7fc95a115e9d80f3d" + }, + { + "url": "https://git.kernel.org/stable/c/d6fb5110e8722bc00748f22caeb650fe4672f129" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36978 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36978", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\n\nq->bands will be assigned to qopt->bands to execute subsequent code logic\nafter kmalloc. So the old q->bands should not be used in kmalloc.\nOtherwise, an out-of-bounds write will occur.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36978\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36978\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36978\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36978\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36978\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f208fad86631e005754606c3ec80c0d44a11882\",\n \"https://git.kernel.org/stable/c/52b1aa07cda6a199cd6754d3798c7759023bc70f\",\n \"https://git.kernel.org/stable/c/54c2c171c11a798fe887b3ff72922aa9d1411c1e\",\n \"https://git.kernel.org/stable/c/598572c64287aee0b75bbba4e2881496878860f3\",\n \"https://git.kernel.org/stable/c/affc18fdc694190ca7575b9a86632a73b9fe043d\",\n \"https://git.kernel.org/stable/c/d5d9d241786f49ae7cbc08e7fc95a115e9d80f3d\",\n \"https://git.kernel.org/stable/c/d6fb5110e8722bc00748f22caeb650fe4672f129\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\\n\\nq->bands will be assigned to qopt->bands to execute subsequent code logic\\nafter kmalloc. So the old q->bands should not be used in kmalloc.\\nOtherwise, an out-of-bounds write will occur.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36978\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37021", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37021" + }, + { + "url": "https://git.kernel.org/stable/c/2da62a139a6221a345db4eb9f4f1c4b0937c89ad" + }, + { + "url": "https://git.kernel.org/stable/c/4d4d2d4346857bf778fafaa97d6f76bb1663e3c9" + }, + { + "url": "https://git.kernel.org/stable/c/62ac496a01c9337a11362cea427038ba621ca9eb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37021 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-37021", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: manager: add owner module and take its refcount\n\nThe current implementation of the fpga manager assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the manager if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_manager\nstruct and use it to take the module's refcount. Modify the functions for\nregistering the manager to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the manager as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a manager without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga manager.\n\nOther changes: opportunistically move put_device() from __fpga_mgr_get() to\nfpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since the\nmanager device is taken in these functions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37021\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37021\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37021\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37021\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37021\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2da62a139a6221a345db4eb9f4f1c4b0937c89ad\",\n \"https://git.kernel.org/stable/c/4d4d2d4346857bf778fafaa97d6f76bb1663e3c9\",\n \"https://git.kernel.org/stable/c/62ac496a01c9337a11362cea427038ba621ca9eb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfpga: manager: add owner module and take its refcount\\n\\nThe current implementation of the fpga manager assumes that the low-level\\nmodule registers a driver for the parent device and uses its owner pointer\\nto take the module's refcount. This approach is problematic since it can\\nlead to a null pointer dereference while attempting to get the manager if\\nthe parent device does not have a driver.\\n\\nTo address this problem, add a module owner pointer to the fpga_manager\\nstruct and use it to take the module's refcount. Modify the functions for\\nregistering the manager to take an additional owner module parameter and\\nrename them to avoid conflicts. Use the old function names for helper\\nmacros that automatically set the module that registers the manager as the\\nowner. This ensures compatibility with existing low-level control modules\\nand reduces the chances of registering a manager without setting the owner.\\n\\nAlso, update the documentation to keep it consistent with the new interface\\nfor registering an fpga manager.\\n\\nOther changes: opportunistically move put_device() from __fpga_mgr_get() to\\nfpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since the\\nmanager device is taken in these functions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37021\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37078", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37078" + }, + { + "url": "https://git.kernel.org/stable/c/0ecfe3a92869a59668d27228dabbd7965e83567f" + }, + { + "url": "https://git.kernel.org/stable/c/1f3bff69f1214fe03a02bc650d5bbfaa6e65ae7d" + }, + { + "url": "https://git.kernel.org/stable/c/271dcd977ccda8c7a26e360425ae7b4db7d2ecc0" + }, + { + "url": "https://git.kernel.org/stable/c/33900d7eae616647e179eee1c66ebe654ee39627" + }, + { + "url": "https://git.kernel.org/stable/c/614d397be0cf43412b3f94a0f6460eddced8ce92" + }, + { + "url": "https://git.kernel.org/stable/c/95f6f81e50d858a7c9aa7c795ec14a0ac3819118" + }, + { + "url": "https://git.kernel.org/stable/c/a4ca369ca221bb7e06c725792ac107f0e48e82e7" + }, + { + "url": "https://git.kernel.org/stable/c/a75b8f493dfc48aa38c518430bd9e03b53bffebe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37078 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-37078", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential kernel bug due to lack of writeback flag waiting\n\nDestructive writes to a block device on which nilfs2 is mounted can cause\na kernel bug in the folio/page writeback start routine or writeback end\nroutine (__folio_start_writeback in the log below):\n\n kernel BUG at mm/page-writeback.c:3070!\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\n ...\n RIP: 0010:__folio_start_writeback+0xbaa/0x10e0\n Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff\n e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>\n 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00\n ...\n Call Trace:\n \n nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]\n nilfs_segctor_construct+0x181/0x6b0 [nilfs2]\n nilfs_segctor_thread+0x548/0x11c0 [nilfs2]\n kthread+0x2f0/0x390\n ret_from_fork+0x4b/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nThis is because when the log writer starts a writeback for segment summary\nblocks or a super root block that use the backing device's page cache, it\ndoes not wait for the ongoing folio/page writeback, resulting in an\ninconsistent writeback state.\n\nFix this issue by waiting for ongoing writebacks when putting\nfolios/pages on the backing device into writeback state.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37078\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37078\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37078\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37078\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37078\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ecfe3a92869a59668d27228dabbd7965e83567f\",\n \"https://git.kernel.org/stable/c/1f3bff69f1214fe03a02bc650d5bbfaa6e65ae7d\",\n \"https://git.kernel.org/stable/c/271dcd977ccda8c7a26e360425ae7b4db7d2ecc0\",\n \"https://git.kernel.org/stable/c/33900d7eae616647e179eee1c66ebe654ee39627\",\n \"https://git.kernel.org/stable/c/614d397be0cf43412b3f94a0f6460eddced8ce92\",\n \"https://git.kernel.org/stable/c/95f6f81e50d858a7c9aa7c795ec14a0ac3819118\",\n \"https://git.kernel.org/stable/c/a4ca369ca221bb7e06c725792ac107f0e48e82e7\",\n \"https://git.kernel.org/stable/c/a75b8f493dfc48aa38c518430bd9e03b53bffebe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix potential kernel bug due to lack of writeback flag waiting\\n\\nDestructive writes to a block device on which nilfs2 is mounted can cause\\na kernel bug in the folio/page writeback start routine or writeback end\\nroutine (__folio_start_writeback in the log below):\\n\\n kernel BUG at mm/page-writeback.c:3070!\\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\\n ...\\n RIP: 0010:__folio_start_writeback+0xbaa/0x10e0\\n Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff\\n e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>\\n 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00\\n ...\\n Call Trace:\\n \\n nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]\\n nilfs_segctor_construct+0x181/0x6b0 [nilfs2]\\n nilfs_segctor_thread+0x548/0x11c0 [nilfs2]\\n kthread+0x2f0/0x390\\n ret_from_fork+0x4b/0x80\\n ret_from_fork_asm+0x1a/0x30\\n \\n\\nThis is because when the log writer starts a writeback for segment summary\\nblocks or a super root block that use the backing device's page cache, it\\ndoes not wait for the ongoing folio/page writeback, resulting in an\\ninconsistent writeback state.\\n\\nFix this issue by waiting for ongoing writebacks when putting\\nfolios/pages on the backing device into writeback state.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37078\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37353", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37353" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37353 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-37353", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37353\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37353\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37353\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37353\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37353\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37353\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37354", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37354" + }, + { + "url": "https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428" + }, + { + "url": "https://git.kernel.org/stable/c/3d08c52ba1887a1ff9c179d4b6a18b427bcb2097" + }, + { + "url": "https://git.kernel.org/stable/c/9d274c19a71b3a276949933859610721a453946b" + }, + { + "url": "https://git.kernel.org/stable/c/f4e5ed974876c14d3623e04dc43d3e3281bc6011" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37354 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-37354", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\n\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\n\n BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2620!\n invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\n\nWith the following stack trace:\n\n #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)\n #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)\n #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)\n #8 vfs_fsync_range (fs/sync.c:188:9)\n #9 vfs_fsync (fs/sync.c:202:9)\n #10 do_fsync (fs/sync.c:212:9)\n #11 __do_sys_fdatasync (fs/sync.c:225:9)\n #12 __se_sys_fdatasync (fs/sync.c:223:1)\n #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\n\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\n\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\n\n >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n leaf 33439744 flags 0x100000000000000\n fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n generation 7 transid 9 size 8192 nbytes 8473563889606862198\n block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n sequence 204 flags 0x10(PREALLOC)\n atime 1716417703.220000000 (2024-05-22 15:41:43)\n ctime 1716417704.983333333 (2024-05-22 15:41:44)\n mtime 1716417704.983333333 (2024-05-22 15:41:44)\n otime 17592186044416.000000000 (559444-03-08 01:40:16)\n item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n index 195 namelen 3 name: 193\n item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n location key (0 UNKNOWN.0 0) type XATTR\n transid 7 data_len 1 name_len 6\n name: user.a\n data a\n item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n generation 9 type 1 (regular)\n extent data disk byte 303144960 nr 12288\n extent data offset 0 nr 4096 ram 12288\n extent compression 0 (none)\n item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 4096 nr 8192\n item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 8192 nr 4096\n ...\n\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\n\nHere is the state of \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37354\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37354\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37354\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37354\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37354\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428\",\n \"https://git.kernel.org/stable/c/3d08c52ba1887a1ff9c179d4b6a18b427bcb2097\",\n \"https://git.kernel.org/stable/c/9d274c19a71b3a276949933859610721a453946b\",\n \"https://git.kernel.org/stable/c/f4e5ed974876c14d3623e04dc43d3e3281bc6011\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\\n\\nWe have been seeing crashes on duplicate keys in\\nbtrfs_set_item_key_safe():\\n\\n BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\\n ------------[ cut here ]------------\\n kernel BUG at fs/btrfs/ctree.c:2620!\\n invalid opcode: 0000 [#1] PREEMPT SMP PTI\\n CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\\n RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\\n\\nWith the following stack trace:\\n\\n #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\\n #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)\\n #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)\\n #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\\n #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\\n #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\\n #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\\n #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)\\n #8 vfs_fsync_range (fs/sync.c:188:9)\\n #9 vfs_fsync (fs/sync.c:202:9)\\n #10 do_fsync (fs/sync.c:212:9)\\n #11 __do_sys_fdatasync (fs/sync.c:225:9)\\n #12 __se_sys_fdatasync (fs/sync.c:223:1)\\n #13 __x64_sys_fdatasync (fs/sync.c:223:1)\\n #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\\n #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\\n #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\\n\\nSo we're logging a changed extent from fsync, which is splitting an\\nextent in the log tree. But this split part already exists in the tree,\\ntriggering the BUG().\\n\\nThis is the state of the log tree at the time of the crash, dumped with\\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\\nto get more details than btrfs_print_leaf() gives us:\\n\\n >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\\\"eb\\\"])\\n leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\\n leaf 33439744 flags 0x100000000000000\\n fs uuid e5bd3946-400c-4223-8923-190ef1f18677\\n chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\\n item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\\n generation 7 transid 9 size 8192 nbytes 8473563889606862198\\n block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\\n sequence 204 flags 0x10(PREALLOC)\\n atime 1716417703.220000000 (2024-05-22 15:41:43)\\n ctime 1716417704.983333333 (2024-05-22 15:41:44)\\n mtime 1716417704.983333333 (2024-05-22 15:41:44)\\n otime 17592186044416.000000000 (559444-03-08 01:40:16)\\n item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\\n index 195 namelen 3 name: 193\\n item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\\n location key (0 UNKNOWN.0 0) type XATTR\\n transid 7 data_len 1 name_len 6\\n name: user.a\\n data a\\n item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\\n generation 9 type 1 (regular)\\n extent data disk byte 303144960 nr 12288\\n extent data offset 0 nr 4096 ram 12288\\n extent compression 0 (none)\\n item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\\n generation 9 type 2 (prealloc)\\n prealloc data disk byte 303144960 nr 12288\\n prealloc data offset 4096 nr 8192\\n item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\\n generation 9 type 2 (prealloc)\\n prealloc data disk byte 303144960 nr 12288\\n prealloc data offset 8192 nr 4096\\n ...\\n\\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\\nitem 5 starts at i_size.\\n\\nHere is the state of \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37354\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37356", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37356" + }, + { + "url": "https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c" + }, + { + "url": "https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6" + }, + { + "url": "https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd" + }, + { + "url": "https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66" + }, + { + "url": "https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf" + }, + { + "url": "https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a" + }, + { + "url": "https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be" + }, + { + "url": "https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37356 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-37356", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\n\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\n\n alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n ...\n delivered_ce <<= (10 - dctcp_shift_g);\n\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\n\n memcpy((void*)0x20000080,\n \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n /*flags=*/2ul, /*mode=*/0ul);\n memcpy((void*)0x20000000, \"100\\000\", 4);\n syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\n\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\n\nWith this patch:\n\n # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n 10\n # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n -bash: echo: write error: Invalid argument\n\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37356\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37356\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37356\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37356\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37356\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c\",\n \"https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6\",\n \"https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd\",\n \"https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66\",\n \"https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf\",\n \"https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a\",\n \"https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be\",\n \"https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\\n\\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\\nas follows:\\n\\n alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\\n ...\\n delivered_ce <<= (10 - dctcp_shift_g);\\n\\nIt seems syzkaller started fuzzing module parameters and triggered\\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\\n\\n memcpy((void*)0x20000080,\\n \\\"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\\\000\\\", 47);\\n res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\\n /*flags=*/2ul, /*mode=*/0ul);\\n memcpy((void*)0x20000000, \\\"100\\\\000\\\", 4);\\n syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\\n\\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\\n\\nWith this patch:\\n\\n # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\\n # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\\n 10\\n # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\\n -bash: echo: write error: Invalid argument\\n\\n[0]:\\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\\n1.13.0-1ubuntu1.1 04/01/2014\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\\n ubsan_epilogue lib/ubsan.c:231 [inline]\\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\\n sk_backlog_rcv include/net/sock.h:1106 [inline]\\n __release_sock+0x20f/0x350 net/core/sock.c:2983\\n release_sock+0x61/0x1f0 net/core/sock.c:3549\\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\\n __sock_release net/socket.c:659 [inline]\\n sock_close+0xc0/0x240 net/socket.c:1421\\n __fput+0x41b/0x890 fs/file_table.c:422\\n task_work_run+0x23b/0x300 kernel/task_work.c:180\\n exit_task_work include/linux/task_work.h:38 [inline]\\n do_exit+0x9c8/0x2540 kernel/exit.c:878\\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\\n __do_sys_exit_group kernel/exit.c:1038 [inline]\\n __se_sys_exit_group kernel/exit.c:1036 [inline]\\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\\nRIP: 0033:0x7f6c2b5005b6\\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37356\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38306", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38306" + }, + { + "url": "https://git.kernel.org/stable/c/952f048eb901881a7cc6f7c1368b53cd386ead7b" + }, + { + "url": "https://git.kernel.org/stable/c/f3a5367c679d31473d3fbb391675055b4792c309" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38306 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38306", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: protect folio::private when attaching extent buffer folios\n\n[BUG]\nSince v6.8 there are rare kernel crashes reported by various people,\nthe common factor is bad page status error messages like this:\n\n BUG: Bad page state in process kswapd0 pfn:d6e840\n page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c\n pfn:0xd6e840\n aops:btree_aops ino:1\n flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)\n page_type: 0xffffffff()\n raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0\n raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: non-NULL mapping\n\n[CAUSE]\nCommit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") changes the sequence when allocating a new\nextent buffer.\n\nPreviously we always called grab_extent_buffer() under\nmapping->i_private_lock, to ensure the safety on modification on\nfolio::private (which is a pointer to extent buffer for regular\nsectorsize).\n\nThis can lead to the following race:\n\nThread A is trying to allocate an extent buffer at bytenr X, with 4\n4K pages, meanwhile thread B is trying to release the page at X + 4K\n(the second page of the extent buffer at X).\n\n Thread A | Thread B\n-----------------------------------+-------------------------------------\n | btree_release_folio()\n\t\t\t\t | | This is for the page at X + 4K,\n\t\t\t\t | | Not page X.\n\t\t\t\t | |\nalloc_extent_buffer() | |- release_extent_buffer()\n|- filemap_add_folio() for the | | |- atomic_dec_and_test(eb->refs)\n| page at bytenr X (the first | | |\n| page). | | |\n| Which returned -EEXIST. | | |\n| | | |\n|- filemap_lock_folio() | | |\n| Returned the first page locked. | | |\n| | | |\n|- grab_extent_buffer() | | |\n| |- atomic_inc_not_zero() | | |\n| | Returned false | | |\n| |- folio_detach_private() | | |- folio_detach_private() for X\n| |- folio_test_private() | | |- folio_test_private()\n | Returned true | | | Returned true\n |- folio_put() | |- folio_put()\n\nNow there are two puts on the same folio at folio X, leading to refcount\nunderflow of the folio X, and eventually causing the BUG_ON() on the\npage->mapping.\n\nThe condition is not that easy to hit:\n\n- The release must be triggered for the middle page of an eb\n If the release is on the same first page of an eb, page lock would kick\n in and prevent the race.\n\n- folio_detach_private() has a very small race window\n It's only between folio_test_private() and folio_clear_private().\n\nThat's exactly when mapping->i_private_lock is used to prevent such race,\nand commit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") screwed that up.\n\nAt that time, I thought the page lock would kick in as\nfilemap_release_folio() also requires the page to be locked, but forgot\nthe filemap_release_folio() only locks one page, not all pages of an\nextent buffer.\n\n[FIX]\nMove all the code requiring i_private_lock into\nattach_eb_folio_to_filemap(), so that everything is done with proper\nlock protection.\n\nFurthermore to prevent future problems, add an extra\nlockdep_assert_locked() to ensure we're holding the proper lock.\n\nTo reproducer that is able to hit the race (takes a few minutes with\ninstrumented code inserting delays to alloc_extent_buffer()):\n\n #!/bin/sh\n drop_caches () {\n\t while(true); do\n\t\t echo 3 > /proc/sys/vm/drop_caches\n\t\t echo 1 > /proc/sys/vm/compact_memory\n\t done\n }\n\n run_tar () {\n\t while(true); do\n\t\t for x in `seq 1 80` ; do\n\t\t\t tar cf /dev/zero /mnt > /dev/null &\n\t\t done\n\t\t wait\n\t done\n }\n\n mkfs.btrfs -f -d single -m single\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38306\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38306\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38306\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38306\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38306\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/952f048eb901881a7cc6f7c1368b53cd386ead7b\",\n \"https://git.kernel.org/stable/c/f3a5367c679d31473d3fbb391675055b4792c309\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: protect folio::private when attaching extent buffer folios\\n\\n[BUG]\\nSince v6.8 there are rare kernel crashes reported by various people,\\nthe common factor is bad page status error messages like this:\\n\\n BUG: Bad page state in process kswapd0 pfn:d6e840\\n page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c\\n pfn:0xd6e840\\n aops:btree_aops ino:1\\n flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)\\n page_type: 0xffffffff()\\n raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0\\n raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000\\n page dumped because: non-NULL mapping\\n\\n[CAUSE]\\nCommit 09e6cef19c9f (\\\"btrfs: refactor alloc_extent_buffer() to\\nallocate-then-attach method\\\") changes the sequence when allocating a new\\nextent buffer.\\n\\nPreviously we always called grab_extent_buffer() under\\nmapping->i_private_lock, to ensure the safety on modification on\\nfolio::private (which is a pointer to extent buffer for regular\\nsectorsize).\\n\\nThis can lead to the following race:\\n\\nThread A is trying to allocate an extent buffer at bytenr X, with 4\\n4K pages, meanwhile thread B is trying to release the page at X + 4K\\n(the second page of the extent buffer at X).\\n\\n Thread A | Thread B\\n-----------------------------------+-------------------------------------\\n | btree_release_folio()\\n\\t\\t\\t\\t | | This is for the page at X + 4K,\\n\\t\\t\\t\\t | | Not page X.\\n\\t\\t\\t\\t | |\\nalloc_extent_buffer() | |- release_extent_buffer()\\n|- filemap_add_folio() for the | | |- atomic_dec_and_test(eb->refs)\\n| page at bytenr X (the first | | |\\n| page). | | |\\n| Which returned -EEXIST. | | |\\n| | | |\\n|- filemap_lock_folio() | | |\\n| Returned the first page locked. | | |\\n| | | |\\n|- grab_extent_buffer() | | |\\n| |- atomic_inc_not_zero() | | |\\n| | Returned false | | |\\n| |- folio_detach_private() | | |- folio_detach_private() for X\\n| |- folio_test_private() | | |- folio_test_private()\\n | Returned true | | | Returned true\\n |- folio_put() | |- folio_put()\\n\\nNow there are two puts on the same folio at folio X, leading to refcount\\nunderflow of the folio X, and eventually causing the BUG_ON() on the\\npage->mapping.\\n\\nThe condition is not that easy to hit:\\n\\n- The release must be triggered for the middle page of an eb\\n If the release is on the same first page of an eb, page lock would kick\\n in and prevent the race.\\n\\n- folio_detach_private() has a very small race window\\n It's only between folio_test_private() and folio_clear_private().\\n\\nThat's exactly when mapping->i_private_lock is used to prevent such race,\\nand commit 09e6cef19c9f (\\\"btrfs: refactor alloc_extent_buffer() to\\nallocate-then-attach method\\\") screwed that up.\\n\\nAt that time, I thought the page lock would kick in as\\nfilemap_release_folio() also requires the page to be locked, but forgot\\nthe filemap_release_folio() only locks one page, not all pages of an\\nextent buffer.\\n\\n[FIX]\\nMove all the code requiring i_private_lock into\\nattach_eb_folio_to_filemap(), so that everything is done with proper\\nlock protection.\\n\\nFurthermore to prevent future problems, add an extra\\nlockdep_assert_locked() to ensure we're holding the proper lock.\\n\\nTo reproducer that is able to hit the race (takes a few minutes with\\ninstrumented code inserting delays to alloc_extent_buffer()):\\n\\n #!/bin/sh\\n drop_caches () {\\n\\t while(true); do\\n\\t\\t echo 3 > /proc/sys/vm/drop_caches\\n\\t\\t echo 1 > /proc/sys/vm/compact_memory\\n\\t done\\n }\\n\\n run_tar () {\\n\\t while(true); do\\n\\t\\t for x in `seq 1 80` ; do\\n\\t\\t\\t tar cf /dev/zero /mnt > /dev/null &\\n\\t\\t done\\n\\t\\t wait\\n\\t done\\n }\\n\\n mkfs.btrfs -f -d single -m single\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38306\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38381", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38381" + }, + { + "url": "https://git.kernel.org/stable/c/017ff397624930fd7ac7f1761f3c9d6a7100f68c" + }, + { + "url": "https://git.kernel.org/stable/c/406cfac9debd4a6d3dc5d9258ee086372a8c08b6" + }, + { + "url": "https://git.kernel.org/stable/c/485ded868ed62ceb2acb3a459d7843fd71472619" + }, + { + "url": "https://git.kernel.org/stable/c/ad4d196d2008c7f413167f0a693feb4f0439d7fe" + }, + { + "url": "https://git.kernel.org/stable/c/e4a87abf588536d1cdfb128595e6e680af5cf3ed" + }, + { + "url": "https://git.kernel.org/stable/c/e53a7f8afcbd2886f2a94c5d56757328109730ea" + }, + { + "url": "https://git.kernel.org/stable/c/e8c8e0d0d214c877fbad555df5b3ed558cd9b0c3" + }, + { + "url": "https://git.kernel.org/stable/c/f80b786ab0550d0020191a59077b2c7e069db2d1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38381 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38381", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_rx_work\n\nsyzbot reported the following uninit-value access issue [1]\n\nnci_rx_work() parses received packet from ndev->rx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38381\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38381\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38381\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38381\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38381\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/017ff397624930fd7ac7f1761f3c9d6a7100f68c\",\n \"https://git.kernel.org/stable/c/406cfac9debd4a6d3dc5d9258ee086372a8c08b6\",\n \"https://git.kernel.org/stable/c/485ded868ed62ceb2acb3a459d7843fd71472619\",\n \"https://git.kernel.org/stable/c/ad4d196d2008c7f413167f0a693feb4f0439d7fe\",\n \"https://git.kernel.org/stable/c/e4a87abf588536d1cdfb128595e6e680af5cf3ed\",\n \"https://git.kernel.org/stable/c/e53a7f8afcbd2886f2a94c5d56757328109730ea\",\n \"https://git.kernel.org/stable/c/e8c8e0d0d214c877fbad555df5b3ed558cd9b0c3\",\n \"https://git.kernel.org/stable/c/f80b786ab0550d0020191a59077b2c7e069db2d1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc: nci: Fix uninit-value in nci_rx_work\\n\\nsyzbot reported the following uninit-value access issue [1]\\n\\nnci_rx_work() parses received packet from ndev->rx_q. It should be\\nvalidated header size, payload size and total packet size before\\nprocessing the packet. If an invalid packet is detected, it should be\\nsilently discarded.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38381\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38538", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38538" + }, + { + "url": "https://git.kernel.org/stable/c/1abb371147905ba250b4cc0230c4be7e90bea4d5" + }, + { + "url": "https://git.kernel.org/stable/c/28126b83f86ab9cc7936029c2dff845d3dcedba2" + }, + { + "url": "https://git.kernel.org/stable/c/5b5d669f569807c7ab07546e73c0741845a2547a" + }, + { + "url": "https://git.kernel.org/stable/c/8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc" + }, + { + "url": "https://git.kernel.org/stable/c/f482fd4ce919836a49012b2d31b00fc36e2488f2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38538 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38538", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: xmit: make sure we have at least eth header len bytes\n\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\nwe can actually pull that amount instead of assuming.\n\nTested with dropwatch:\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\n origin: software\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\n protocol: 0x88a8\n length: 2\n original length: 2\n drop reason: PKT_TOO_SMALL\n\n[1]\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n __bpf_tx_skb net/core/filter.c:2136 [inline]\n __bpf_redirect_common net/core/filter.c:2180 [inline]\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\n __bpf_prog_run include/linux/filter.h:657 [inline]\n bpf_prog_run include/linux/filter.h:664 [inline]\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38538\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38538\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38538\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38538\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38538\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1abb371147905ba250b4cc0230c4be7e90bea4d5\",\n \"https://git.kernel.org/stable/c/28126b83f86ab9cc7936029c2dff845d3dcedba2\",\n \"https://git.kernel.org/stable/c/5b5d669f569807c7ab07546e73c0741845a2547a\",\n \"https://git.kernel.org/stable/c/8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc\",\n \"https://git.kernel.org/stable/c/f482fd4ce919836a49012b2d31b00fc36e2488f2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: bridge: xmit: make sure we have at least eth header len bytes\\n\\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\\nwe can actually pull that amount instead of assuming.\\n\\nTested with dropwatch:\\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\\n origin: software\\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\\n protocol: 0x88a8\\n length: 2\\n original length: 2\\n drop reason: PKT_TOO_SMALL\\n\\n[1]\\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\\n xmit_one net/core/dev.c:3531 [inline]\\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\\n __bpf_tx_skb net/core/filter.c:2136 [inline]\\n __bpf_redirect_common net/core/filter.c:2180 [inline]\\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\\n __bpf_prog_run include/linux/filter.h:657 [inline]\\n bpf_prog_run include/linux/filter.h:664 [inline]\\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38538\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38540", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38540" + }, + { + "url": "https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc" + }, + { + "url": "https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659" + }, + { + "url": "https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753" + }, + { + "url": "https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38540 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38540", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n shift exponent 64 is too large for 64-bit type 'long unsigned int'\n CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n Call Trace:\n \n dump_stack_lvl+0x5d/0x80\n ubsan_epilogue+0x5/0x30\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __kmalloc+0x1b6/0x4f0\n ? create_qp.part.0+0x128/0x1c0 [ib_core]\n ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n create_qp.part.0+0x128/0x1c0 [ib_core]\n ib_create_qp_kernel+0x50/0xd0 [ib_core]\n create_mad_qp+0x8e/0xe0 [ib_core]\n ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n ib_mad_init_device+0x2be/0x680 [ib_core]\n add_client_context+0x10d/0x1a0 [ib_core]\n enable_device_and_get+0xe0/0x1d0 [ib_core]\n ib_register_device+0x53c/0x630 [ib_core]\n ? srso_alias_return_thunk+0x5/0xfbef5\n bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n auxiliary_bus_probe+0x49/0x80\n ? driver_sysfs_add+0x57/0xc0\n really_probe+0xde/0x340\n ? pm_runtime_barrier+0x54/0x90\n ? __pfx___driver_attach+0x10/0x10\n __driver_probe_device+0x78/0x110\n driver_probe_device+0x1f/0xa0\n __driver_attach+0xba/0x1c0\n bus_for_each_dev+0x8f/0xe0\n bus_add_driver+0x146/0x220\n driver_register+0x72/0xd0\n __auxiliary_driver_register+0x6e/0xd0\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n do_one_initcall+0x5b/0x310\n do_init_module+0x90/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x121/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x82/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode_prepare+0x149/0x170\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode+0x75/0x230\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_syscall_64+0x8e/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __count_memcg_events+0x69/0x100\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? count_memcg_events.constprop.0+0x1a/0x30\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? handle_mm_fault+0x1f0/0x300\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_user_addr_fault+0x34e/0x640\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f4e5132821d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n \n ---[ end trace ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38540\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38540\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38540\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38540\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38540\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc\",\n \"https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659\",\n \"https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753\",\n \"https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\\n\\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\\nIn that case, \\\"roundup_pow_of_two(hwq_attr->aux_stride)\\\" gets called.\\nroundup_pow_of_two is documented as undefined for 0.\\n\\nFix it in the one caller that had this combination.\\n\\nThe undefined behavior was detected by UBSAN:\\n UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\\n shift exponent 64 is too large for 64-bit type 'long unsigned int'\\n CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\\n Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\\n Call Trace:\\n \\n dump_stack_lvl+0x5d/0x80\\n ubsan_epilogue+0x5/0x30\\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\\n __roundup_pow_of_two+0x25/0x35 [bnxt_re]\\n bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\\n bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\\n bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? __kmalloc+0x1b6/0x4f0\\n ? create_qp.part.0+0x128/0x1c0 [ib_core]\\n ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\\n create_qp.part.0+0x128/0x1c0 [ib_core]\\n ib_create_qp_kernel+0x50/0xd0 [ib_core]\\n create_mad_qp+0x8e/0xe0 [ib_core]\\n ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\\n ib_mad_init_device+0x2be/0x680 [ib_core]\\n add_client_context+0x10d/0x1a0 [ib_core]\\n enable_device_and_get+0xe0/0x1d0 [ib_core]\\n ib_register_device+0x53c/0x630 [ib_core]\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\\n ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\\n auxiliary_bus_probe+0x49/0x80\\n ? driver_sysfs_add+0x57/0xc0\\n really_probe+0xde/0x340\\n ? pm_runtime_barrier+0x54/0x90\\n ? __pfx___driver_attach+0x10/0x10\\n __driver_probe_device+0x78/0x110\\n driver_probe_device+0x1f/0xa0\\n __driver_attach+0xba/0x1c0\\n bus_for_each_dev+0x8f/0xe0\\n bus_add_driver+0x146/0x220\\n driver_register+0x72/0xd0\\n __auxiliary_driver_register+0x6e/0xd0\\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\\n bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\\n do_one_initcall+0x5b/0x310\\n do_init_module+0x90/0x250\\n init_module_from_file+0x86/0xc0\\n idempotent_init_module+0x121/0x2b0\\n __x64_sys_finit_module+0x5e/0xb0\\n do_syscall_64+0x82/0x160\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? syscall_exit_to_user_mode_prepare+0x149/0x170\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? syscall_exit_to_user_mode+0x75/0x230\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? do_syscall_64+0x8e/0x160\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? __count_memcg_events+0x69/0x100\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? count_memcg_events.constprop.0+0x1a/0x30\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? handle_mm_fault+0x1f0/0x300\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? do_user_addr_fault+0x34e/0x640\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n RIP: 0033:0x7f4e5132821d\\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\\n RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\\n RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\\n RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\\n RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\\n R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\\n R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\\n \\n ---[ end trace ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38540\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38541", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38541" + }, + { + "url": "https://git.kernel.org/stable/c/0b0d5701a8bf02f8fee037e81aacf6746558bfd6" + }, + { + "url": "https://git.kernel.org/stable/c/cf7385cb26ac4f0ee6c7385960525ad534323252" + }, + { + "url": "https://git.kernel.org/stable/c/e45b69360a63165377b30db4a1dfddd89ca18e9a" + }, + { + "url": "https://git.kernel.org/stable/c/ee332023adfd5882808f2dabf037b32d6ce36f9e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38541 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38541", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: add buffer overflow check in of_modalias()\n\nIn of_modalias(), if the buffer happens to be too small even for the 1st\nsnprintf() call, the len parameter will become negative and str parameter\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\noverflow check after the 1st snprintf() call and fix such check after the\nstrlen() call (accounting for the terminating NUL char).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38541\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38541\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38541\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38541\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38541\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b0d5701a8bf02f8fee037e81aacf6746558bfd6\",\n \"https://git.kernel.org/stable/c/cf7385cb26ac4f0ee6c7385960525ad534323252\",\n \"https://git.kernel.org/stable/c/e45b69360a63165377b30db4a1dfddd89ca18e9a\",\n \"https://git.kernel.org/stable/c/ee332023adfd5882808f2dabf037b32d6ce36f9e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nof: module: add buffer overflow check in of_modalias()\\n\\nIn of_modalias(), if the buffer happens to be too small even for the 1st\\nsnprintf() call, the len parameter will become negative and str parameter\\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\\noverflow check after the 1st snprintf() call and fix such check after the\\nstrlen() call (accounting for the terminating NUL char).\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38541\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38543", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38543" + }, + { + "url": "https://git.kernel.org/stable/c/1a21fdeea502658e315bd939409b755974f4fb64" + }, + { + "url": "https://git.kernel.org/stable/c/3b20d18f475bd17309db640dbe7d7c7ebb5bc2bc" + }, + { + "url": "https://git.kernel.org/stable/c/65e528a69cb3ed4a286c45b4afba57461c8b5b33" + }, + { + "url": "https://git.kernel.org/stable/c/c2af060d1c18beaec56351cf9c9bcbbc5af341a3" + }, + { + "url": "https://git.kernel.org/stable/c/ce47e8ead9a72834cc68431d53f8092ce69bebb7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38543 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38543", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/test_hmm.c: handle src_pfns and dst_pfns allocation failure\n\nThe kcalloc() in dmirror_device_evict_chunk() will return null if the\nphysical memory has run out. As a result, if src_pfns or dst_pfns is\ndereferenced, the null pointer dereference bug will happen.\n\nMoreover, the device is going away. If the kcalloc() fails, the pages\nmapping a chunk could not be evicted. So add a __GFP_NOFAIL flag in\nkcalloc().\n\nFinally, as there is no need to have physically contiguous memory, Switch\nkcalloc() to kvcalloc() in order to avoid failing allocations.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38543\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38543\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38543\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38543\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38543\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a21fdeea502658e315bd939409b755974f4fb64\",\n \"https://git.kernel.org/stable/c/3b20d18f475bd17309db640dbe7d7c7ebb5bc2bc\",\n \"https://git.kernel.org/stable/c/65e528a69cb3ed4a286c45b4afba57461c8b5b33\",\n \"https://git.kernel.org/stable/c/c2af060d1c18beaec56351cf9c9bcbbc5af341a3\",\n \"https://git.kernel.org/stable/c/ce47e8ead9a72834cc68431d53f8092ce69bebb7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlib/test_hmm.c: handle src_pfns and dst_pfns allocation failure\\n\\nThe kcalloc() in dmirror_device_evict_chunk() will return null if the\\nphysical memory has run out. As a result, if src_pfns or dst_pfns is\\ndereferenced, the null pointer dereference bug will happen.\\n\\nMoreover, the device is going away. If the kcalloc() fails, the pages\\nmapping a chunk could not be evicted. So add a __GFP_NOFAIL flag in\\nkcalloc().\\n\\nFinally, as there is no need to have physically contiguous memory, Switch\\nkcalloc() to kvcalloc() in order to avoid failing allocations.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38543\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38544", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38544" + }, + { + "url": "https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794" + }, + { + "url": "https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6" + }, + { + "url": "https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb" + }, + { + "url": "https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc" + }, + { + "url": "https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38544 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38544", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix seg fault in rxe_comp_queue_pkt\n\nIn rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the\nresp_pkts queue and then a decision is made whether to run the completer\ntask inline or schedule it. Finally the skb is dereferenced to bump a 'hw'\nperformance counter. This is wrong because if the completer task is\nalready running in a separate thread it may have already processed the skb\nand freed it which can cause a seg fault. This has been observed\ninfrequently in testing at high scale.\n\nThis patch fixes this by changing the order of enqueuing the packet until\nafter the counter is accessed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38544\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38544\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38544\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38544\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38544\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794\",\n \"https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6\",\n \"https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb\",\n \"https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc\",\n \"https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/rxe: Fix seg fault in rxe_comp_queue_pkt\\n\\nIn rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the\\nresp_pkts queue and then a decision is made whether to run the completer\\ntask inline or schedule it. Finally the skb is dereferenced to bump a 'hw'\\nperformance counter. This is wrong because if the completer task is\\nalready running in a separate thread it may have already processed the skb\\nand freed it which can cause a seg fault. This has been observed\\ninfrequently in testing at high scale.\\n\\nThis patch fixes this by changing the order of enqueuing the packet until\\nafter the counter is accessed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38544\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38545", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38545" + }, + { + "url": "https://git.kernel.org/stable/c/37a7559dc1358a8d300437e99ed8ecdab0671507" + }, + { + "url": "https://git.kernel.org/stable/c/39d26cf46306bdc7ae809ecfdbfeff5aa1098911" + }, + { + "url": "https://git.kernel.org/stable/c/63da190eeb5c9d849b71f457b15b308c94cbaf08" + }, + { + "url": "https://git.kernel.org/stable/c/763780ef0336a973e933e40e919339381732dcaf" + }, + { + "url": "https://git.kernel.org/stable/c/a942ec2745ca864cd8512142100e4027dc306a42" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38545 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38545", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix UAF for cq async event\n\nThe refcount of CQ is not protected by locks. When CQ asynchronous\nevents and CQ destruction are concurrent, CQ may have been released,\nwhich will cause UAF.\n\nUse the xa_lock() to protect the CQ refcount.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38545\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38545\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38545\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38545\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38545\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/37a7559dc1358a8d300437e99ed8ecdab0671507\",\n \"https://git.kernel.org/stable/c/39d26cf46306bdc7ae809ecfdbfeff5aa1098911\",\n \"https://git.kernel.org/stable/c/63da190eeb5c9d849b71f457b15b308c94cbaf08\",\n \"https://git.kernel.org/stable/c/763780ef0336a973e933e40e919339381732dcaf\",\n \"https://git.kernel.org/stable/c/a942ec2745ca864cd8512142100e4027dc306a42\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/hns: Fix UAF for cq async event\\n\\nThe refcount of CQ is not protected by locks. When CQ asynchronous\\nevents and CQ destruction are concurrent, CQ may have been released,\\nwhich will cause UAF.\\n\\nUse the xa_lock() to protect the CQ refcount.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38545\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38546", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38546" + }, + { + "url": "https://git.kernel.org/stable/c/2a345fe928c21de6f3c3c7230ff509d715153a31" + }, + { + "url": "https://git.kernel.org/stable/c/2d9adecc88ab678785b581ab021f039372c324cb" + }, + { + "url": "https://git.kernel.org/stable/c/42c22b63056cea259d5313bf138a834840af85a5" + }, + { + "url": "https://git.kernel.org/stable/c/6cf1874aec42058a5ad621a23b5b2f248def0e96" + }, + { + "url": "https://git.kernel.org/stable/c/80431ea3634efb47a3004305d76486db9dd8ed49" + }, + { + "url": "https://git.kernel.org/stable/c/bd7827d46d403f8cdb43d16744cb1114e4726b21" + }, + { + "url": "https://git.kernel.org/stable/c/c534b63bede6cb987c2946ed4d0b0013a52c5ba7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38546 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38546", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: vc4: Fix possible null pointer dereference\n\nIn vc4_hdmi_audio_init() of_get_address() may return\nNULL which is later dereferenced. Fix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38546\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38546\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38546\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38546\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38546\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a345fe928c21de6f3c3c7230ff509d715153a31\",\n \"https://git.kernel.org/stable/c/2d9adecc88ab678785b581ab021f039372c324cb\",\n \"https://git.kernel.org/stable/c/42c22b63056cea259d5313bf138a834840af85a5\",\n \"https://git.kernel.org/stable/c/6cf1874aec42058a5ad621a23b5b2f248def0e96\",\n \"https://git.kernel.org/stable/c/80431ea3634efb47a3004305d76486db9dd8ed49\",\n \"https://git.kernel.org/stable/c/bd7827d46d403f8cdb43d16744cb1114e4726b21\",\n \"https://git.kernel.org/stable/c/c534b63bede6cb987c2946ed4d0b0013a52c5ba7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm: vc4: Fix possible null pointer dereference\\n\\nIn vc4_hdmi_audio_init() of_get_address() may return\\nNULL which is later dereferenced. Fix this bug by adding NULL check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38546\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38547", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38547" + }, + { + "url": "https://git.kernel.org/stable/c/3b621e9e9e148c0928ab109ac3d4b81487469acb" + }, + { + "url": "https://git.kernel.org/stable/c/4b68b861b514a5c09220d622ac3784c0ebac6c80" + }, + { + "url": "https://git.kernel.org/stable/c/6482c433863b257b0b9b687c28ce80b89d5f89f0" + }, + { + "url": "https://git.kernel.org/stable/c/69b27ff82f87379afeaaea4b2f339032fdd8486e" + }, + { + "url": "https://git.kernel.org/stable/c/82c2c85aead3ea3cbceef4be077cf459c5df2272" + }, + { + "url": "https://git.kernel.org/stable/c/a1ab99dcc8604afe7e3bccb01b10da03bdd7ea35" + }, + { + "url": "https://git.kernel.org/stable/c/cc20c87b04db86c8e3e810bcdca686b406206069" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38547 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38547", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\n\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\nis followed with a dereference of mycs->yuv_scaler_binary after the\nfollowing call chain:\n\nsh_css_pipe_load_binaries()\n |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\n |\n |-> sh_css_pipe_unload_binaries()\n |-> unload_video_binaries()\n\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\ndereference is triggered.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38547\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38547\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38547\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38547\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38547\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b621e9e9e148c0928ab109ac3d4b81487469acb\",\n \"https://git.kernel.org/stable/c/4b68b861b514a5c09220d622ac3784c0ebac6c80\",\n \"https://git.kernel.org/stable/c/6482c433863b257b0b9b687c28ce80b89d5f89f0\",\n \"https://git.kernel.org/stable/c/69b27ff82f87379afeaaea4b2f339032fdd8486e\",\n \"https://git.kernel.org/stable/c/82c2c85aead3ea3cbceef4be077cf459c5df2272\",\n \"https://git.kernel.org/stable/c/a1ab99dcc8604afe7e3bccb01b10da03bdd7ea35\",\n \"https://git.kernel.org/stable/c/cc20c87b04db86c8e3e810bcdca686b406206069\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\\n\\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\\nis followed with a dereference of mycs->yuv_scaler_binary after the\\nfollowing call chain:\\n\\nsh_css_pipe_load_binaries()\\n |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\\n |\\n |-> sh_css_pipe_unload_binaries()\\n |-> unload_video_binaries()\\n\\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\\ndereference is triggered.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38547\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38548", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38548" + }, + { + "url": "https://git.kernel.org/stable/c/32fb2ef124c3301656ac6c789a2ef35ef69a66da" + }, + { + "url": "https://git.kernel.org/stable/c/47889711da20be9b43e1e136e5cb68df37cbcc79" + }, + { + "url": "https://git.kernel.org/stable/c/85d1a27402f81f2e04b0e67d20f749c2a14edbb3" + }, + { + "url": "https://git.kernel.org/stable/c/89788cd9824c28ffcdea40232c458233353d1896" + }, + { + "url": "https://git.kernel.org/stable/c/935a92a1c400285545198ca2800a4c6c519c650a" + }, + { + "url": "https://git.kernel.org/stable/c/ca53b7efd4ba6ae92fd2b3085cb099c745e96965" + }, + { + "url": "https://git.kernel.org/stable/c/dcf53e6103b26e7458be71491d0641f49fbd5840" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38548 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38548", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: cdns-mhdp8546: Fix possible null pointer dereference\n\nIn cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is\nassigned to mhdp_state->current_mode, and there is a dereference of it in\ndrm_mode_set_name(), which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate().\n\nFix this bug add a check of mhdp_state->current_mode.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38548\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38548\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38548\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38548\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38548\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32fb2ef124c3301656ac6c789a2ef35ef69a66da\",\n \"https://git.kernel.org/stable/c/47889711da20be9b43e1e136e5cb68df37cbcc79\",\n \"https://git.kernel.org/stable/c/85d1a27402f81f2e04b0e67d20f749c2a14edbb3\",\n \"https://git.kernel.org/stable/c/89788cd9824c28ffcdea40232c458233353d1896\",\n \"https://git.kernel.org/stable/c/935a92a1c400285545198ca2800a4c6c519c650a\",\n \"https://git.kernel.org/stable/c/ca53b7efd4ba6ae92fd2b3085cb099c745e96965\",\n \"https://git.kernel.org/stable/c/dcf53e6103b26e7458be71491d0641f49fbd5840\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm: bridge: cdns-mhdp8546: Fix possible null pointer dereference\\n\\nIn cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is\\nassigned to mhdp_state->current_mode, and there is a dereference of it in\\ndrm_mode_set_name(), which will lead to a NULL pointer dereference on\\nfailure of drm_mode_duplicate().\\n\\nFix this bug add a check of mhdp_state->current_mode.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38548\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38549", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38549" + }, + { + "url": "https://git.kernel.org/stable/c/0e3b6f9123726858cac299e1654e3d20424cabe4" + }, + { + "url": "https://git.kernel.org/stable/c/13562c2d48c9ee330de1077d00146742be368f05" + }, + { + "url": "https://git.kernel.org/stable/c/1e4350095e8ab2577ee05f8c3b044e661b5af9a0" + }, + { + "url": "https://git.kernel.org/stable/c/79078880795478d551a05acc41f957700030d364" + }, + { + "url": "https://git.kernel.org/stable/c/9489951e3ae505534c4013db4e76b1b5a3151ac7" + }, + { + "url": "https://git.kernel.org/stable/c/af26ea99019caee1500bf7e60c861136c0bf8594" + }, + { + "url": "https://git.kernel.org/stable/c/be34a1b351ea7faeb15dde8c44fe89de3980ae67" + }, + { + "url": "https://git.kernel.org/stable/c/d17b75ee9c2e44d3a3682c4ea5ab713ea6073350" + }, + { + "url": "https://git.kernel.org/stable/c/fb4aabdb1b48c25d9e1ee28f89440fd2ce556405" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38549 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38549", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\n\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\nof 0 bytes. Currently, no such check exists and the kernel will panic if\na userspace application attempts to allocate a 0x0 GBM buffer.\n\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\nverifying that we now return EINVAL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38549\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38549\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38549\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38549\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38549\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e3b6f9123726858cac299e1654e3d20424cabe4\",\n \"https://git.kernel.org/stable/c/13562c2d48c9ee330de1077d00146742be368f05\",\n \"https://git.kernel.org/stable/c/1e4350095e8ab2577ee05f8c3b044e661b5af9a0\",\n \"https://git.kernel.org/stable/c/79078880795478d551a05acc41f957700030d364\",\n \"https://git.kernel.org/stable/c/9489951e3ae505534c4013db4e76b1b5a3151ac7\",\n \"https://git.kernel.org/stable/c/af26ea99019caee1500bf7e60c861136c0bf8594\",\n \"https://git.kernel.org/stable/c/be34a1b351ea7faeb15dde8c44fe89de3980ae67\",\n \"https://git.kernel.org/stable/c/d17b75ee9c2e44d3a3682c4ea5ab713ea6073350\",\n \"https://git.kernel.org/stable/c/fb4aabdb1b48c25d9e1ee28f89440fd2ce556405\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\\n\\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\\nof 0 bytes. Currently, no such check exists and the kernel will panic if\\na userspace application attempts to allocate a 0x0 GBM buffer.\\n\\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\\nverifying that we now return EINVAL.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38549\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38550", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38550" + }, + { + "url": "https://git.kernel.org/stable/c/1a7254525ca7a6f3e37d7882d7f7ad97f6235f7c" + }, + { + "url": "https://git.kernel.org/stable/c/5bf5154739cd676b6d0958079070557c8d96afb6" + }, + { + "url": "https://git.kernel.org/stable/c/802b49e39da669b54bd9b77dc3c649999a446bf6" + }, + { + "url": "https://git.kernel.org/stable/c/d48d0c5fd733bd6d8d3ddb2ed553777ab4724169" + }, + { + "url": "https://git.kernel.org/stable/c/de9987cec6fde1dd41dfcb971433e05945852489" + }, + { + "url": "https://git.kernel.org/stable/c/ea60ab95723f5738e7737b56dda95e6feefa5b50" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38550 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38550", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: kirkwood: Fix potential NULL dereference\n\nIn kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if\nCONFIG_PLAT_ORION macro is not defined.\nFix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38550\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38550\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38550\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38550\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38550\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a7254525ca7a6f3e37d7882d7f7ad97f6235f7c\",\n \"https://git.kernel.org/stable/c/5bf5154739cd676b6d0958079070557c8d96afb6\",\n \"https://git.kernel.org/stable/c/802b49e39da669b54bd9b77dc3c649999a446bf6\",\n \"https://git.kernel.org/stable/c/d48d0c5fd733bd6d8d3ddb2ed553777ab4724169\",\n \"https://git.kernel.org/stable/c/de9987cec6fde1dd41dfcb971433e05945852489\",\n \"https://git.kernel.org/stable/c/ea60ab95723f5738e7737b56dda95e6feefa5b50\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nASoC: kirkwood: Fix potential NULL dereference\\n\\nIn kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if\\nCONFIG_PLAT_ORION macro is not defined.\\nFix this bug by adding NULL check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38550\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38552", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38552" + }, + { + "url": "https://git.kernel.org/stable/c/04bc4d1090c343025d69149ca669a27c5b9c34a7" + }, + { + "url": "https://git.kernel.org/stable/c/123edbae64f4d21984359b99c6e79fcde31c6123" + }, + { + "url": "https://git.kernel.org/stable/c/4e8c8b37ee84b3b19c448d2b8e4c916d2f5b9c86" + }, + { + "url": "https://git.kernel.org/stable/c/604c506ca43fce52bb882cff9c1fdf2ec3b4029c" + }, + { + "url": "https://git.kernel.org/stable/c/63ae548f1054a0b71678d0349c7dc9628ddd42ca" + }, + { + "url": "https://git.kernel.org/stable/c/7226ddf3311c5e5a7726ad7d4e7b079bb3cfbb29" + }, + { + "url": "https://git.kernel.org/stable/c/98b8a6bfd30d07a19cfacdf82b50f84bf3360869" + }, + { + "url": "https://git.kernel.org/stable/c/ced9c4e2289a786b8fa684d8893b7045ea53ef7e" + }, + { + "url": "https://git.kernel.org/stable/c/e280ab978c81443103d7c61bdd1d8d708cf6ed6d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38552 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38552", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential index out of bounds in color transformation function\n\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38552\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38552\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38552\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38552\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38552\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04bc4d1090c343025d69149ca669a27c5b9c34a7\",\n \"https://git.kernel.org/stable/c/123edbae64f4d21984359b99c6e79fcde31c6123\",\n \"https://git.kernel.org/stable/c/4e8c8b37ee84b3b19c448d2b8e4c916d2f5b9c86\",\n \"https://git.kernel.org/stable/c/604c506ca43fce52bb882cff9c1fdf2ec3b4029c\",\n \"https://git.kernel.org/stable/c/63ae548f1054a0b71678d0349c7dc9628ddd42ca\",\n \"https://git.kernel.org/stable/c/7226ddf3311c5e5a7726ad7d4e7b079bb3cfbb29\",\n \"https://git.kernel.org/stable/c/98b8a6bfd30d07a19cfacdf82b50f84bf3360869\",\n \"https://git.kernel.org/stable/c/ced9c4e2289a786b8fa684d8893b7045ea53ef7e\",\n \"https://git.kernel.org/stable/c/e280ab978c81443103d7c61bdd1d8d708cf6ed6d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix potential index out of bounds in color transformation function\\n\\nFixes index out of bounds issue in the color transformation function.\\nThe issue could occur when the index 'i' exceeds the number of transfer\\nfunction points (TRANSFER_FUNC_POINTS).\\n\\nThe fix adds a check to ensure 'i' is within bounds before accessing the\\ntransfer function points. If 'i' is out of bounds, an error message is\\nlogged and the function returns false to indicate an error.\\n\\nReported by smatch:\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38552\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38553", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38553" + }, + { + "url": "https://git.kernel.org/stable/c/87bcbc9b7e0b43a69d44efa5f32f11e32d08fa6f" + }, + { + "url": "https://git.kernel.org/stable/c/accdd6b912c4219b8e056d1f1ad2e85bc66ee243" + }, + { + "url": "https://git.kernel.org/stable/c/c2e0c58b25a0a0c37ec643255558c5af4450c9f5" + }, + { + "url": "https://git.kernel.org/stable/c/d38625f71950e79e254515c5fc585552dad4b33e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38553 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38553", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\n\nThere is a deadlock issue found in sungem driver, please refer to the\ncommit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid\ndeadlocks\"). The root cause of the issue is that netpoll is in atomic\ncontext and disable_irq() is called by .ndo_poll_controller interface\nof sungem driver, however, disable_irq() might sleep. After analyzing\nthe implementation of fec_poll_controller(), the fec driver should have\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\nso fec_poll_controller() can be safely removed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38553\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38553\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38553\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38553\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38553\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/87bcbc9b7e0b43a69d44efa5f32f11e32d08fa6f\",\n \"https://git.kernel.org/stable/c/accdd6b912c4219b8e056d1f1ad2e85bc66ee243\",\n \"https://git.kernel.org/stable/c/c2e0c58b25a0a0c37ec643255558c5af4450c9f5\",\n \"https://git.kernel.org/stable/c/d38625f71950e79e254515c5fc585552dad4b33e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\\n\\nThere is a deadlock issue found in sungem driver, please refer to the\\ncommit ac0a230f719b (\\\"eth: sungem: remove .ndo_poll_controller to avoid\\ndeadlocks\\\"). The root cause of the issue is that netpoll is in atomic\\ncontext and disable_irq() is called by .ndo_poll_controller interface\\nof sungem driver, however, disable_irq() might sleep. After analyzing\\nthe implementation of fec_poll_controller(), the fec driver should have\\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\\nso fec_poll_controller() can be safely removed.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38553\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38554", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38554" + }, + { + "url": "https://git.kernel.org/stable/c/36e56b1b002bb26440403053f19f9e1a8bc075b2" + }, + { + "url": "https://git.kernel.org/stable/c/3ec437f9bbae68e9b38115c4c91de995f73f6bad" + }, + { + "url": "https://git.kernel.org/stable/c/8bad3a20a27be8d935f2aae08d3c6e743754944a" + }, + { + "url": "https://git.kernel.org/stable/c/965d940fb7414b310a22666503d2af69459c981b" + }, + { + "url": "https://git.kernel.org/stable/c/eef95df9b752699bddecefa851f64858247246e9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38554 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38554", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issue of net_device\n\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\n\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38554\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38554\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38554\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38554\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38554\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36e56b1b002bb26440403053f19f9e1a8bc075b2\",\n \"https://git.kernel.org/stable/c/3ec437f9bbae68e9b38115c4c91de995f73f6bad\",\n \"https://git.kernel.org/stable/c/8bad3a20a27be8d935f2aae08d3c6e743754944a\",\n \"https://git.kernel.org/stable/c/965d940fb7414b310a22666503d2af69459c981b\",\n \"https://git.kernel.org/stable/c/eef95df9b752699bddecefa851f64858247246e9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nax25: Fix reference count leak issue of net_device\\n\\nThere is a reference count leak issue of the object \\\"net_device\\\" in\\nax25_dev_device_down(). When the ax25 device is shutting down, the\\nax25_dev_device_down() drops the reference count of net_device one\\nor zero times depending on if we goto unlock_put or not, which will\\ncause memory leak.\\n\\nIn order to solve the above issue, decrease the reference count of\\nnet_device after dev->ax25_ptr is set to null.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38554\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38555", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38555" + }, + { + "url": "https://git.kernel.org/stable/c/1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb" + }, + { + "url": "https://git.kernel.org/stable/c/1d5dce5e92a70274de67a59e1e674c3267f94cd7" + }, + { + "url": "https://git.kernel.org/stable/c/3cb92b0ad73d3f1734e812054e698d655e9581b0" + }, + { + "url": "https://git.kernel.org/stable/c/7ac4c69c34240c6de820492c0a28a0bd1494265a" + }, + { + "url": "https://git.kernel.org/stable/c/bf8aaf0ae01c27ae3c06aa8610caf91e50393396" + }, + { + "url": "https://git.kernel.org/stable/c/db9b31aa9bc56ff0d15b78f7e827d61c4a096e40" + }, + { + "url": "https://git.kernel.org/stable/c/f6fbb8535e990f844371086ab2c1221f71f993d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38555 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38555", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Discard command completions in internal error\n\nFix use after free when FW completion arrives while device is in\ninternal error state. Avoid calling completion handler in this case,\nsince the device will flush the command interface and trigger all\ncompletions manually.\n\nKernel log:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\n...\nCall Trace:\n\n? __warn+0x79/0x120\n? refcount_warn_saturate+0xd8/0xe0\n? report_bug+0x17c/0x190\n? handle_bug+0x3c/0x60\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0xd8/0xe0\ncmd_ent_put+0x13b/0x160 [mlx5_core]\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x4b/0x160\nhandle_irq_event+0x2e/0x80\nhandle_edge_irq+0x98/0x230\n__common_interrupt+0x3b/0xa0\ncommon_interrupt+0x7b/0xa0\n\n\nasm_common_interrupt+0x22/0x40", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38555\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38555\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38555\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38555\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38555\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb\",\n \"https://git.kernel.org/stable/c/1d5dce5e92a70274de67a59e1e674c3267f94cd7\",\n \"https://git.kernel.org/stable/c/3cb92b0ad73d3f1734e812054e698d655e9581b0\",\n \"https://git.kernel.org/stable/c/7ac4c69c34240c6de820492c0a28a0bd1494265a\",\n \"https://git.kernel.org/stable/c/bf8aaf0ae01c27ae3c06aa8610caf91e50393396\",\n \"https://git.kernel.org/stable/c/db9b31aa9bc56ff0d15b78f7e827d61c4a096e40\",\n \"https://git.kernel.org/stable/c/f6fbb8535e990f844371086ab2c1221f71f993d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Discard command completions in internal error\\n\\nFix use after free when FW completion arrives while device is in\\ninternal error state. Avoid calling completion handler in this case,\\nsince the device will flush the command interface and trigger all\\ncompletions manually.\\n\\nKernel log:\\n------------[ cut here ]------------\\nrefcount_t: underflow; use-after-free.\\n...\\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\\n...\\nCall Trace:\\n\\n? __warn+0x79/0x120\\n? refcount_warn_saturate+0xd8/0xe0\\n? report_bug+0x17c/0x190\\n? handle_bug+0x3c/0x60\\n? exc_invalid_op+0x14/0x70\\n? asm_exc_invalid_op+0x16/0x20\\n? refcount_warn_saturate+0xd8/0xe0\\ncmd_ent_put+0x13b/0x160 [mlx5_core]\\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\\nnotifier_call_chain+0x35/0xb0\\natomic_notifier_call_chain+0x16/0x20\\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\\nnotifier_call_chain+0x35/0xb0\\natomic_notifier_call_chain+0x16/0x20\\nirq_int_handler+0x19/0x30 [mlx5_core]\\n__handle_irq_event_percpu+0x4b/0x160\\nhandle_irq_event+0x2e/0x80\\nhandle_edge_irq+0x98/0x230\\n__common_interrupt+0x3b/0xa0\\ncommon_interrupt+0x7b/0xa0\\n\\n\\nasm_common_interrupt+0x22/0x40\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38555\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38556", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38556" + }, + { + "url": "https://git.kernel.org/stable/c/2d0962d05c93de391ce85f6e764df895f47c8918" + }, + { + "url": "https://git.kernel.org/stable/c/485d65e1357123a697c591a5aeb773994b247ad7" + }, + { + "url": "https://git.kernel.org/stable/c/4baae687a20ef2b82fde12de3c04461e6f2521d6" + }, + { + "url": "https://git.kernel.org/stable/c/94024332a129c6e4275569d85c0c1bfb2ae2d71b" + }, + { + "url": "https://git.kernel.org/stable/c/f9caccdd42e999b74303c9b0643300073ed5d319" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38556 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38556", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Add a timeout to acquire the command queue semaphore\n\nPrevent forced completion handling on an entry that has not yet been\nassigned an index, causing an out of bounds access on idx = -22.\nInstead of waiting indefinitely for the sem, blocking flow now waits for\nindex to be allocated or a sem acquisition timeout before beginning the\ntimer for FW completion.\n\nKernel log example:\nmlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38556\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38556\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38556\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38556\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38556\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d0962d05c93de391ce85f6e764df895f47c8918\",\n \"https://git.kernel.org/stable/c/485d65e1357123a697c591a5aeb773994b247ad7\",\n \"https://git.kernel.org/stable/c/4baae687a20ef2b82fde12de3c04461e6f2521d6\",\n \"https://git.kernel.org/stable/c/94024332a129c6e4275569d85c0c1bfb2ae2d71b\",\n \"https://git.kernel.org/stable/c/f9caccdd42e999b74303c9b0643300073ed5d319\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Add a timeout to acquire the command queue semaphore\\n\\nPrevent forced completion handling on an entry that has not yet been\\nassigned an index, causing an out of bounds access on idx = -22.\\nInstead of waiting indefinitely for the sem, blocking flow now waits for\\nindex to be allocated or a sem acquisition timeout before beginning the\\ntimer for FW completion.\\n\\nKernel log example:\\nmlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38556\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38557", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38557" + }, + { + "url": "https://git.kernel.org/stable/c/0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4" + }, + { + "url": "https://git.kernel.org/stable/c/0f320f28f54b1b269a755be2e3fb3695e0b80b07" + }, + { + "url": "https://git.kernel.org/stable/c/e93fc8d959e56092e2eca1e5511c2d2f0ad6807a" + }, + { + "url": "https://git.kernel.org/stable/c/f03c714a0fdd1f93101a929d0e727c28a66383fc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38557 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38557", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Reload only IB representors upon lag disable/enable\n\nOn lag disable, the bond IB device along with all of its\nrepresentors are destroyed, and then the slaves' representors get reloaded.\n\nIn case the slave IB representor load fails, the eswitch error flow\nunloads all representors, including ethernet representors, where the\nnetdevs get detached and removed from lag bond. Such flow is inaccurate\nas the lag driver is not responsible for loading/unloading ethernet\nrepresentors. Furthermore, the flow described above begins by holding\nlag lock to prevent bond changes during disable flow. However, when\nreaching the ethernet representors detachment from lag, the lag lock is\nrequired again, triggering the following deadlock:\n\nCall trace:\n__switch_to+0xf4/0x148\n__schedule+0x2c8/0x7d0\nschedule+0x50/0xe0\nschedule_preempt_disabled+0x18/0x28\n__mutex_lock.isra.13+0x2b8/0x570\n__mutex_lock_slowpath+0x1c/0x28\nmutex_lock+0x4c/0x68\nmlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]\nmlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]\nmlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]\nmlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]\nmlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]\nmlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]\nmlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]\nmlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]\nmlx5_disable_lag+0x130/0x138 [mlx5_core]\nmlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock\nmlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]\ndevlink_nl_cmd_eswitch_set_doit+0xdc/0x180\ngenl_family_rcv_msg_doit.isra.17+0xe8/0x138\ngenl_rcv_msg+0xe4/0x220\nnetlink_rcv_skb+0x44/0x108\ngenl_rcv+0x40/0x58\nnetlink_unicast+0x198/0x268\nnetlink_sendmsg+0x1d4/0x418\nsock_sendmsg+0x54/0x60\n__sys_sendto+0xf4/0x120\n__arm64_sys_sendto+0x30/0x40\nel0_svc_common+0x8c/0x120\ndo_el0_svc+0x30/0xa0\nel0_svc+0x20/0x30\nel0_sync_handler+0x90/0xb8\nel0_sync+0x160/0x180\n\nThus, upon lag enable/disable, load and unload only the IB representors\nof the slaves preventing the deadlock mentioned above.\n\nWhile at it, refactor the mlx5_esw_offloads_rep_load() function to have\na static helper method for its internal logic, in symmetry with the\nrepresentor unload design.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38557\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38557\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38557\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38557\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38557\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4\",\n \"https://git.kernel.org/stable/c/0f320f28f54b1b269a755be2e3fb3695e0b80b07\",\n \"https://git.kernel.org/stable/c/e93fc8d959e56092e2eca1e5511c2d2f0ad6807a\",\n \"https://git.kernel.org/stable/c/f03c714a0fdd1f93101a929d0e727c28a66383fc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Reload only IB representors upon lag disable/enable\\n\\nOn lag disable, the bond IB device along with all of its\\nrepresentors are destroyed, and then the slaves' representors get reloaded.\\n\\nIn case the slave IB representor load fails, the eswitch error flow\\nunloads all representors, including ethernet representors, where the\\nnetdevs get detached and removed from lag bond. Such flow is inaccurate\\nas the lag driver is not responsible for loading/unloading ethernet\\nrepresentors. Furthermore, the flow described above begins by holding\\nlag lock to prevent bond changes during disable flow. However, when\\nreaching the ethernet representors detachment from lag, the lag lock is\\nrequired again, triggering the following deadlock:\\n\\nCall trace:\\n__switch_to+0xf4/0x148\\n__schedule+0x2c8/0x7d0\\nschedule+0x50/0xe0\\nschedule_preempt_disabled+0x18/0x28\\n__mutex_lock.isra.13+0x2b8/0x570\\n__mutex_lock_slowpath+0x1c/0x28\\nmutex_lock+0x4c/0x68\\nmlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]\\nmlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]\\nmlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]\\nmlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]\\nmlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]\\nmlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]\\nmlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]\\nmlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]\\nmlx5_disable_lag+0x130/0x138 [mlx5_core]\\nmlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock\\nmlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]\\ndevlink_nl_cmd_eswitch_set_doit+0xdc/0x180\\ngenl_family_rcv_msg_doit.isra.17+0xe8/0x138\\ngenl_rcv_msg+0xe4/0x220\\nnetlink_rcv_skb+0x44/0x108\\ngenl_rcv+0x40/0x58\\nnetlink_unicast+0x198/0x268\\nnetlink_sendmsg+0x1d4/0x418\\nsock_sendmsg+0x54/0x60\\n__sys_sendto+0xf4/0x120\\n__arm64_sys_sendto+0x30/0x40\\nel0_svc_common+0x8c/0x120\\ndo_el0_svc+0x30/0xa0\\nel0_svc+0x20/0x30\\nel0_sync_handler+0x90/0xb8\\nel0_sync+0x160/0x180\\n\\nThus, upon lag enable/disable, load and unload only the IB representors\\nof the slaves preventing the deadlock mentioned above.\\n\\nWhile at it, refactor the mlx5_esw_offloads_rep_load() function to have\\na static helper method for its internal logic, in symmetry with the\\nrepresentor unload design.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38557\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38558", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38558" + }, + { + "url": "https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5" + }, + { + "url": "https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120" + }, + { + "url": "https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3" + }, + { + "url": "https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982" + }, + { + "url": "https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11" + }, + { + "url": "https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd" + }, + { + "url": "https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56" + }, + { + "url": "https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6" + }, + { + "url": "https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38558 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38558", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc. Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine. Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38558\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38558\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38558\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38558\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38558\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5\",\n \"https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120\",\n \"https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3\",\n \"https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982\",\n \"https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11\",\n \"https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd\",\n \"https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56\",\n \"https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6\",\n \"https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\\n\\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\\n\\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\\nwith the metadata like conntrack state, input port, recirculation id,\\netc. Then the packet itself gets parsed to populate the rest of the\\nkeys from the packet headers.\\n\\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\\ninformation even if it is not an ND packet.\\n\\nIt is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares\\nthe space between 'nd' and 'ct_orig' that holds the original tuple\\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\\n\\nND packets should not normally have conntrack state, so it's fine to\\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\\nICMPv6 can have the state attached and it should not be overwritten.\\n\\nThe issue results in all but the last 4 bytes of the destination\\naddress being wiped from the original conntrack tuple leading to\\nincorrect packet matching and potentially executing wrong actions\\nin case this packet recirculates within the datapath or goes back\\nto userspace.\\n\\nND fields should not be accessed in non-ND packets, so not clearing\\nthem should be fine. Executing memset() only for actual ND packets to\\navoid the issue.\\n\\nInitializing the whole thing before parsing is needed because ND packet\\nmay not contain all the options.\\n\\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\\naffect packets entering OVS datapath from network interfaces, because\\nin this case CT metadata is populated from skb after the packet is\\nalready parsed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38558\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38559", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38559" + }, + { + "url": "https://git.kernel.org/stable/c/177f43c6892e6055de6541fe9391a8a3d1f95fc9" + }, + { + "url": "https://git.kernel.org/stable/c/1f84a2744ad813be23fc4be99fb74bfb24aadb95" + }, + { + "url": "https://git.kernel.org/stable/c/4907f5ad246fa9b51093ed7dfc7da9ebbd3f20b8" + }, + { + "url": "https://git.kernel.org/stable/c/563e609275927c0b75fbfd0d90441543aa7b5e0d" + }, + { + "url": "https://git.kernel.org/stable/c/769b9fd2af02c069451fe9108dba73355d9a021c" + }, + { + "url": "https://git.kernel.org/stable/c/a75001678e1d38aa607d5b898ec7ff8ed0700d59" + }, + { + "url": "https://git.kernel.org/stable/c/d0184a375ee797eb657d74861ba0935b6e405c62" + }, + { + "url": "https://git.kernel.org/stable/c/d93318f19d1e1a6d5f04f5d965eaa9055bb7c613" + }, + { + "url": "https://git.kernel.org/stable/c/dccd97b39ab2f2b1b9a47a1394647a4d65815255" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38559 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38559", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a count-sized kernel buffer and copy count from\nuserspace to that buffer. Later, we use kstrtouint on this buffer but we\ndon't ensure that the string is terminated inside the buffer, this can\nlead to OOB read when using kstrtouint. Fix this issue by using\nmemdup_user_nul instead of memdup_user.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38559\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38559\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38559\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38559\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38559\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/177f43c6892e6055de6541fe9391a8a3d1f95fc9\",\n \"https://git.kernel.org/stable/c/1f84a2744ad813be23fc4be99fb74bfb24aadb95\",\n \"https://git.kernel.org/stable/c/4907f5ad246fa9b51093ed7dfc7da9ebbd3f20b8\",\n \"https://git.kernel.org/stable/c/563e609275927c0b75fbfd0d90441543aa7b5e0d\",\n \"https://git.kernel.org/stable/c/769b9fd2af02c069451fe9108dba73355d9a021c\",\n \"https://git.kernel.org/stable/c/a75001678e1d38aa607d5b898ec7ff8ed0700d59\",\n \"https://git.kernel.org/stable/c/d0184a375ee797eb657d74861ba0935b6e405c62\",\n \"https://git.kernel.org/stable/c/d93318f19d1e1a6d5f04f5d965eaa9055bb7c613\",\n \"https://git.kernel.org/stable/c/dccd97b39ab2f2b1b9a47a1394647a4d65815255\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qedf: Ensure the copied buf is NUL terminated\\n\\nCurrently, we allocate a count-sized kernel buffer and copy count from\\nuserspace to that buffer. Later, we use kstrtouint on this buffer but we\\ndon't ensure that the string is terminated inside the buffer, this can\\nlead to OOB read when using kstrtouint. Fix this issue by using\\nmemdup_user_nul instead of memdup_user.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38559\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38560", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38560" + }, + { + "url": "https://git.kernel.org/stable/c/00b425ff0891283207d7bad607a2412225274d7a" + }, + { + "url": "https://git.kernel.org/stable/c/13d0cecb4626fae67c00c84d3c7851f6b62f7df3" + }, + { + "url": "https://git.kernel.org/stable/c/1708e3cf2488788cba5489e4f913d227de757baf" + }, + { + "url": "https://git.kernel.org/stable/c/204714e68015d6946279719fd464ecaf57240f35" + }, + { + "url": "https://git.kernel.org/stable/c/481fc0c8617304a67649027c4a44723a139a0462" + }, + { + "url": "https://git.kernel.org/stable/c/595a6b98deec01b6dbb20139f71edcd5fb760ec2" + }, + { + "url": "https://git.kernel.org/stable/c/7510fab46b1cbd1680e2a096e779aec3334b4143" + }, + { + "url": "https://git.kernel.org/stable/c/7d3e694c4fe30f3aba9cd5ae86fb947a54c3db5c" + }, + { + "url": "https://git.kernel.org/stable/c/ecb76200f5557a2886888aaa53702da1ab9e6cdf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38560 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38560", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bfa: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul instead\nof memdup_user.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38560\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38560\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38560\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38560\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38560\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00b425ff0891283207d7bad607a2412225274d7a\",\n \"https://git.kernel.org/stable/c/13d0cecb4626fae67c00c84d3c7851f6b62f7df3\",\n \"https://git.kernel.org/stable/c/1708e3cf2488788cba5489e4f913d227de757baf\",\n \"https://git.kernel.org/stable/c/204714e68015d6946279719fd464ecaf57240f35\",\n \"https://git.kernel.org/stable/c/481fc0c8617304a67649027c4a44723a139a0462\",\n \"https://git.kernel.org/stable/c/595a6b98deec01b6dbb20139f71edcd5fb760ec2\",\n \"https://git.kernel.org/stable/c/7510fab46b1cbd1680e2a096e779aec3334b4143\",\n \"https://git.kernel.org/stable/c/7d3e694c4fe30f3aba9cd5ae86fb947a54c3db5c\",\n \"https://git.kernel.org/stable/c/ecb76200f5557a2886888aaa53702da1ab9e6cdf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: bfa: Ensure the copied buf is NUL terminated\\n\\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\\nensure that the string is terminated inside the buffer, this can lead to\\nOOB read when using sscanf. Fix this issue by using memdup_user_nul instead\\nof memdup_user.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38560\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38564", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38564" + }, + { + "url": "https://git.kernel.org/stable/c/543576ec15b17c0c93301ac8297333c7b6e84ac7" + }, + { + "url": "https://git.kernel.org/stable/c/6675c541f540a29487a802d3135280b69b9f568d" + }, + { + "url": "https://git.kernel.org/stable/c/67929e973f5a347f05fef064fea4ae79e7cdb5fd" + }, + { + "url": "https://git.kernel.org/stable/c/b34bbc76651065a5eafad8ddff1eb8d1f8473172" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38564 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38564", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\n\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\nto properly verify prog_type <> attach_type association.\n\nAdd missing attach_type enforcement for the link_create case.\nOtherwise, it's currently possible to attach cgroup_skb prog\ntypes to other cgroup hooks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38564\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38564\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38564\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38564\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38564\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/543576ec15b17c0c93301ac8297333c7b6e84ac7\",\n \"https://git.kernel.org/stable/c/6675c541f540a29487a802d3135280b69b9f568d\",\n \"https://git.kernel.org/stable/c/67929e973f5a347f05fef064fea4ae79e7cdb5fd\",\n \"https://git.kernel.org/stable/c/b34bbc76651065a5eafad8ddff1eb8d1f8473172\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\\n\\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\\nto properly verify prog_type <> attach_type association.\\n\\nAdd missing attach_type enforcement for the link_create case.\\nOtherwise, it's currently possible to attach cgroup_skb prog\\ntypes to other cgroup hooks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38564\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38565", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38565" + }, + { + "url": "https://git.kernel.org/stable/c/34f7ebff1b9699e0b89fa58b693bc098c2f5ec72" + }, + { + "url": "https://git.kernel.org/stable/c/68a5a00c5d38978a3f8460c6f182f7beec8688ff" + }, + { + "url": "https://git.kernel.org/stable/c/79ddf5f2020fd593d50f1363bb5131283d74f78f" + }, + { + "url": "https://git.kernel.org/stable/c/7bbf76c9bb2c58375e183074e44f9712483f0603" + }, + { + "url": "https://git.kernel.org/stable/c/b33a81e4ecfb022b028cae37d1c1ce28ac1b359d" + }, + { + "url": "https://git.kernel.org/stable/c/b4c24de37a6bb383394a6fef2b85a6db41d426f5" + }, + { + "url": "https://git.kernel.org/stable/c/beeed260b92af158592f5e8d2dab65dae45c6f70" + }, + { + "url": "https://git.kernel.org/stable/c/e120b6388d7d88635d67dcae6483f39c37111850" + }, + { + "url": "https://git.kernel.org/stable/c/ee25389df80138907bc9dcdf4a2be2067cde9a81" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38565 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38565", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ar5523: enable proper endpoint verification\n\nSyzkaller reports [1] hitting a warning about an endpoint in use\nnot having an expected type to it.\n\nFix the issue by checking for the existence of all proper\nendpoints with their according types intact.\n\nSadly, this patch has not been tested on real hardware.\n\n[1] Syzkaller report:\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n \n ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275\n ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline]\n ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline]\n ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655\n usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573\n hub_port_connect drivers/usb/core/hub.c:5353 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]\n port_event drivers/usb/core/hub.c:5653 [inline]\n hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38565\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38565\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38565\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38565\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38565\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/34f7ebff1b9699e0b89fa58b693bc098c2f5ec72\",\n \"https://git.kernel.org/stable/c/68a5a00c5d38978a3f8460c6f182f7beec8688ff\",\n \"https://git.kernel.org/stable/c/79ddf5f2020fd593d50f1363bb5131283d74f78f\",\n \"https://git.kernel.org/stable/c/7bbf76c9bb2c58375e183074e44f9712483f0603\",\n \"https://git.kernel.org/stable/c/b33a81e4ecfb022b028cae37d1c1ce28ac1b359d\",\n \"https://git.kernel.org/stable/c/b4c24de37a6bb383394a6fef2b85a6db41d426f5\",\n \"https://git.kernel.org/stable/c/beeed260b92af158592f5e8d2dab65dae45c6f70\",\n \"https://git.kernel.org/stable/c/e120b6388d7d88635d67dcae6483f39c37111850\",\n \"https://git.kernel.org/stable/c/ee25389df80138907bc9dcdf4a2be2067cde9a81\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ar5523: enable proper endpoint verification\\n\\nSyzkaller reports [1] hitting a warning about an endpoint in use\\nnot having an expected type to it.\\n\\nFix the issue by checking for the existence of all proper\\nendpoints with their according types intact.\\n\\nSadly, this patch has not been tested on real hardware.\\n\\n[1] Syzkaller report:\\n------------[ cut here ]------------\\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\\nWARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\\n...\\nCall Trace:\\n \\n ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275\\n ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline]\\n ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline]\\n ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655\\n usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396\\n call_driver_probe drivers/base/dd.c:560 [inline]\\n really_probe+0x249/0xb90 drivers/base/dd.c:639\\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\\n usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170\\n usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238\\n usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293\\n call_driver_probe drivers/base/dd.c:560 [inline]\\n really_probe+0x249/0xb90 drivers/base/dd.c:639\\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\\n usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573\\n hub_port_connect drivers/usb/core/hub.c:5353 [inline]\\n hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]\\n port_event drivers/usb/core/hub.c:5653 [inline]\\n hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735\\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38565\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38567", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38567" + }, + { + "url": "https://git.kernel.org/stable/c/03ddc74bdfd71b84a55c9f2185d8787f258422cd" + }, + { + "url": "https://git.kernel.org/stable/c/0fa08a55201ab9be72bacb8ea93cf752d338184f" + }, + { + "url": "https://git.kernel.org/stable/c/265c3cda471c26e0f25d0c755da94e1eb15d7a0c" + }, + { + "url": "https://git.kernel.org/stable/c/62eb07923f3693d55b0c2d9a5a4f1ad72cb6b8fd" + }, + { + "url": "https://git.kernel.org/stable/c/6a9892bf24c906b4d6b587f8759ca38bff672582" + }, + { + "url": "https://git.kernel.org/stable/c/8650725bb0a48b206d5a8ddad3a7488f9a5985b7" + }, + { + "url": "https://git.kernel.org/stable/c/ac3ed46a8741d464bc70ebdf7433c1d786cf329d" + }, + { + "url": "https://git.kernel.org/stable/c/b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0" + }, + { + "url": "https://git.kernel.org/stable/c/eb0f2fc3ff5806cc572cd9055ce7c52a01e97645" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38567 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38567", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: carl9170: add a proper sanity check for endpoints\n\nSyzkaller reports [1] hitting a warning which is caused by presence\nof a wrong endpoint type at the URB sumbitting stage. While there\nwas a check for a specific 4th endpoint, since it can switch types\nbetween bulk and interrupt, other endpoints are trusted implicitly.\nSimilar warning is triggered in a couple of other syzbot issues [2].\n\nFix the issue by doing a comprehensive check of all endpoints\ntaking into account difference between high- and full-speed\nconfiguration.\n\n[1] Syzkaller report:\n...\nWARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n \n carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504\n carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]\n carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]\n carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028\n request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n\n[2] Related syzkaller crashes:", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38567\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38567\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38567\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38567\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38567\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03ddc74bdfd71b84a55c9f2185d8787f258422cd\",\n \"https://git.kernel.org/stable/c/0fa08a55201ab9be72bacb8ea93cf752d338184f\",\n \"https://git.kernel.org/stable/c/265c3cda471c26e0f25d0c755da94e1eb15d7a0c\",\n \"https://git.kernel.org/stable/c/62eb07923f3693d55b0c2d9a5a4f1ad72cb6b8fd\",\n \"https://git.kernel.org/stable/c/6a9892bf24c906b4d6b587f8759ca38bff672582\",\n \"https://git.kernel.org/stable/c/8650725bb0a48b206d5a8ddad3a7488f9a5985b7\",\n \"https://git.kernel.org/stable/c/ac3ed46a8741d464bc70ebdf7433c1d786cf329d\",\n \"https://git.kernel.org/stable/c/b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0\",\n \"https://git.kernel.org/stable/c/eb0f2fc3ff5806cc572cd9055ce7c52a01e97645\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: carl9170: add a proper sanity check for endpoints\\n\\nSyzkaller reports [1] hitting a warning which is caused by presence\\nof a wrong endpoint type at the URB sumbitting stage. While there\\nwas a check for a specific 4th endpoint, since it can switch types\\nbetween bulk and interrupt, other endpoints are trusted implicitly.\\nSimilar warning is triggered in a couple of other syzbot issues [2].\\n\\nFix the issue by doing a comprehensive check of all endpoints\\ntaking into account difference between high- and full-speed\\nconfiguration.\\n\\n[1] Syzkaller report:\\n...\\nWARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\\n...\\nCall Trace:\\n \\n carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504\\n carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]\\n carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]\\n carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028\\n request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107\\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\\n \\n\\n[2] Related syzkaller crashes:\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38567\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38570", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38570" + }, + { + "url": "https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37" + }, + { + "url": "https://git.kernel.org/stable/c/501cd8fabf621d10bd4893e37f6ce6c20523c8ca" + }, + { + "url": "https://git.kernel.org/stable/c/d98779e687726d8f8860f1c54b5687eec5f63a73" + }, + { + "url": "https://git.kernel.org/stable/c/e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38570 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38570", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix potential glock use-after-free on unmount\n\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically. Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace. This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\n\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\n\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38570\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38570\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38570\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38570\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38570\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37\",\n \"https://git.kernel.org/stable/c/501cd8fabf621d10bd4893e37f6ce6c20523c8ca\",\n \"https://git.kernel.org/stable/c/d98779e687726d8f8860f1c54b5687eec5f63a73\",\n \"https://git.kernel.org/stable/c/e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngfs2: Fix potential glock use-after-free on unmount\\n\\nWhen a DLM lockspace is released and there ares still locks in that\\nlockspace, DLM will unlock those locks automatically. Commit\\nfb6791d100d1b started exploiting this behavior to speed up filesystem\\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\\nrelease the lockspace. This didn't take the bast callbacks for\\nasynchronous lock contention notifications into account, which remain\\nactive until until a lock is unlocked or its lockspace is released.\\n\\nTo prevent those callbacks from accessing deallocated objects, put the\\nglocks that should not be unlocked on the sd_dead_glocks list, release\\nthe lockspace, and only then free those glocks.\\n\\nAs an additional measure, ignore unexpected ast and bast callbacks if\\nthe receiving glock is dead.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38570\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38571", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38571" + }, + { + "url": "https://git.kernel.org/stable/c/06d17744b77bc6cb29a6c785f4fad8c4163ee653" + }, + { + "url": "https://git.kernel.org/stable/c/11c731386ed82053c2759b6fea1a82ae946e5e0f" + }, + { + "url": "https://git.kernel.org/stable/c/27600e0c5272a262b0903e35ae1df37d33c5c1ad" + }, + { + "url": "https://git.kernel.org/stable/c/2d5ca6e4a2872e92a32fdfd87e04dd7d3ced7278" + }, + { + "url": "https://git.kernel.org/stable/c/d998ddc86a27c92140b9f7984ff41e3d1d07a48f" + }, + { + "url": "https://git.kernel.org/stable/c/fcf5f1b5f308f2eb422f6aca55d295b25890906b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38571 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38571", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/tsens: Fix null pointer dereference\n\ncompute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)\nas compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null\npointer dereference (if DEBUG or DYNAMIC_DEBUG set).\nFix this bug by adding null pointer check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38571\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38571\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38571\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38571\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38571\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06d17744b77bc6cb29a6c785f4fad8c4163ee653\",\n \"https://git.kernel.org/stable/c/11c731386ed82053c2759b6fea1a82ae946e5e0f\",\n \"https://git.kernel.org/stable/c/27600e0c5272a262b0903e35ae1df37d33c5c1ad\",\n \"https://git.kernel.org/stable/c/2d5ca6e4a2872e92a32fdfd87e04dd7d3ced7278\",\n \"https://git.kernel.org/stable/c/d998ddc86a27c92140b9f7984ff41e3d1d07a48f\",\n \"https://git.kernel.org/stable/c/fcf5f1b5f308f2eb422f6aca55d295b25890906b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthermal/drivers/tsens: Fix null pointer dereference\\n\\ncompute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)\\nas compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null\\npointer dereference (if DEBUG or DYNAMIC_DEBUG set).\\nFix this bug by adding null pointer check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38571\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38573", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38573" + }, + { + "url": "https://git.kernel.org/stable/c/769c4f355b7962895205b86ad35617873feef9a5" + }, + { + "url": "https://git.kernel.org/stable/c/9a185cc5a79ba408e1c73375706630662304f618" + }, + { + "url": "https://git.kernel.org/stable/c/b18daa4ec727c0266de5bfc78e818d168cc4aedf" + }, + { + "url": "https://git.kernel.org/stable/c/cf7de25878a1f4508c69dc9f6819c21ba177dbfe" + }, + { + "url": "https://git.kernel.org/stable/c/dfec15222529d22b15e5b0d63572a9e39570cab4" + }, + { + "url": "https://git.kernel.org/stable/c/f84b9b25d045e67a7eee5e73f21278c8ab06713c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38573 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38573", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncppc_cpufreq: Fix possible null pointer dereference\n\ncppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from\ndifferent places with various parameters. So cpufreq_cpu_get() can return\nnull as 'policy' in some circumstances.\nFix this bug by adding null return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38573\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38573\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38573\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38573\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38573\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/769c4f355b7962895205b86ad35617873feef9a5\",\n \"https://git.kernel.org/stable/c/9a185cc5a79ba408e1c73375706630662304f618\",\n \"https://git.kernel.org/stable/c/b18daa4ec727c0266de5bfc78e818d168cc4aedf\",\n \"https://git.kernel.org/stable/c/cf7de25878a1f4508c69dc9f6819c21ba177dbfe\",\n \"https://git.kernel.org/stable/c/dfec15222529d22b15e5b0d63572a9e39570cab4\",\n \"https://git.kernel.org/stable/c/f84b9b25d045e67a7eee5e73f21278c8ab06713c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncppc_cpufreq: Fix possible null pointer dereference\\n\\ncppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from\\ndifferent places with various parameters. So cpufreq_cpu_get() can return\\nnull as 'policy' in some circumstances.\\nFix this bug by adding null return check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38573\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38577", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38577" + }, + { + "url": "https://git.kernel.org/stable/c/08186d0c5fb64a1cc4b43e009314ee6b173ed222" + }, + { + "url": "https://git.kernel.org/stable/c/1a240e138071b25944ded0f5b3e357aa99fabcb7" + }, + { + "url": "https://git.kernel.org/stable/c/32d988f48ed287e676a29a15ac30701c35849aec" + }, + { + "url": "https://git.kernel.org/stable/c/6593d857ce5b5b802fb73d8091ac9c84b92c1697" + }, + { + "url": "https://git.kernel.org/stable/c/cc5645fddb0ce28492b15520306d092730dffa48" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38577 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38577", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\n\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\n\nUse snprintf() with buffer size instead of sprintf().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38577\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38577\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38577\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38577\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38577\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08186d0c5fb64a1cc4b43e009314ee6b173ed222\",\n \"https://git.kernel.org/stable/c/1a240e138071b25944ded0f5b3e357aa99fabcb7\",\n \"https://git.kernel.org/stable/c/32d988f48ed287e676a29a15ac30701c35849aec\",\n \"https://git.kernel.org/stable/c/6593d857ce5b5b802fb73d8091ac9c84b92c1697\",\n \"https://git.kernel.org/stable/c/cc5645fddb0ce28492b15520306d092730dffa48\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\\n\\nThere is a possibility of buffer overflow in\\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\\nto sprintf() are huge. Counter numbers, needed for this\\nare unrealistically high, but buffer overflow is still\\npossible.\\n\\nUse snprintf() with buffer size instead of sprintf().\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38577\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38578", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38578" + }, + { + "url": "https://git.kernel.org/stable/c/0d0f8ba042af16519f1ef7dd10463a33b21b677c" + }, + { + "url": "https://git.kernel.org/stable/c/12db25a54ce6bb22b0af28010fff53ef9cb3fe93" + }, + { + "url": "https://git.kernel.org/stable/c/1c125b9287e58f364d82174efb167414b92b11f1" + }, + { + "url": "https://git.kernel.org/stable/c/235b85981051cd68fc215fd32a81c6f116bfc4df" + }, + { + "url": "https://git.kernel.org/stable/c/2ed750b7ae1b5dc72896d7dd114c419afd3d1910" + }, + { + "url": "https://git.kernel.org/stable/c/85a6a1aff08ec9f5b929d345d066e2830e8818e5" + }, + { + "url": "https://git.kernel.org/stable/c/a20f09452e2f58f761d11ad7b96b5c894c91030e" + }, + { + "url": "https://git.kernel.org/stable/c/edbfc42ab080e78c6907d40a42c9d10b69e445c1" + }, + { + "url": "https://git.kernel.org/stable/c/f6008487f1eeb8693f8d2a36a89c87d9122ddf74" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38578 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38578", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\necryptfs: Fix buffer size for tag 66 packet\n\nThe 'TAG 66 Packet Format' description is missing the cipher code and\nchecksum fields that are packed into the message packet. As a result,\nthe buffer allocated for the packet is 3 bytes too small and\nwrite_tag_66_packet() will write up to 3 bytes past the end of the\nbuffer.\n\nFix this by increasing the size of the allocation so the whole packet\nwill always fit in the buffer.\n\nThis fixes the below kasan slab-out-of-bounds bug:\n\n BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0\n Write of size 1 at addr ffff88800afbb2a5 by task touch/181\n\n CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014\n Call Trace:\n \n dump_stack_lvl+0x4c/0x70\n print_report+0xc5/0x610\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? kasan_complete_mode_report_info+0x44/0x210\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n kasan_report+0xc2/0x110\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n __asan_store1+0x62/0x80\n ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10\n ? __alloc_pages+0x2e2/0x540\n ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]\n ? dentry_open+0x8f/0xd0\n ecryptfs_write_metadata+0x30a/0x550\n ? __pfx_ecryptfs_write_metadata+0x10/0x10\n ? ecryptfs_get_lower_file+0x6b/0x190\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n ? __pfx_path_openat+0x10/0x10\n do_filp_open+0x15e/0x290\n ? __pfx_do_filp_open+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? _raw_spin_lock+0x86/0xf0\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? alloc_fd+0xf4/0x330\n do_sys_openat2+0x122/0x160\n ? __pfx_do_sys_openat2+0x10/0x10\n __x64_sys_openat+0xef/0x170\n ? __pfx___x64_sys_openat+0x10/0x10\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7f00a703fd67\n Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f\n RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\n RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67\n RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c\n RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000\n R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941\n R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040\n \n\n Allocated by task 181:\n kasan_save_stack+0x2f/0x60\n kasan_set_track+0x29/0x40\n kasan_save_alloc_info+0x25/0x40\n __kasan_kmalloc+0xc5/0xd0\n __kmalloc+0x66/0x160\n ecryptfs_generate_key_packet_set+0x6d2/0xde0\n ecryptfs_write_metadata+0x30a/0x550\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n do_filp_open+0x15e/0x290\n do_sys_openat2+0x122/0x160\n __x64_sys_openat+0xef/0x170\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38578\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38578\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38578\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38578\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38578\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d0f8ba042af16519f1ef7dd10463a33b21b677c\",\n \"https://git.kernel.org/stable/c/12db25a54ce6bb22b0af28010fff53ef9cb3fe93\",\n \"https://git.kernel.org/stable/c/1c125b9287e58f364d82174efb167414b92b11f1\",\n \"https://git.kernel.org/stable/c/235b85981051cd68fc215fd32a81c6f116bfc4df\",\n \"https://git.kernel.org/stable/c/2ed750b7ae1b5dc72896d7dd114c419afd3d1910\",\n \"https://git.kernel.org/stable/c/85a6a1aff08ec9f5b929d345d066e2830e8818e5\",\n \"https://git.kernel.org/stable/c/a20f09452e2f58f761d11ad7b96b5c894c91030e\",\n \"https://git.kernel.org/stable/c/edbfc42ab080e78c6907d40a42c9d10b69e445c1\",\n \"https://git.kernel.org/stable/c/f6008487f1eeb8693f8d2a36a89c87d9122ddf74\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\necryptfs: Fix buffer size for tag 66 packet\\n\\nThe 'TAG 66 Packet Format' description is missing the cipher code and\\nchecksum fields that are packed into the message packet. As a result,\\nthe buffer allocated for the packet is 3 bytes too small and\\nwrite_tag_66_packet() will write up to 3 bytes past the end of the\\nbuffer.\\n\\nFix this by increasing the size of the allocation so the whole packet\\nwill always fit in the buffer.\\n\\nThis fixes the below kasan slab-out-of-bounds bug:\\n\\n BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0\\n Write of size 1 at addr ffff88800afbb2a5 by task touch/181\\n\\n CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014\\n Call Trace:\\n \\n dump_stack_lvl+0x4c/0x70\\n print_report+0xc5/0x610\\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\\n ? kasan_complete_mode_report_info+0x44/0x210\\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\\n kasan_report+0xc2/0x110\\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\\n __asan_store1+0x62/0x80\\n ecryptfs_generate_key_packet_set+0x7d6/0xde0\\n ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10\\n ? __alloc_pages+0x2e2/0x540\\n ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]\\n ? dentry_open+0x8f/0xd0\\n ecryptfs_write_metadata+0x30a/0x550\\n ? __pfx_ecryptfs_write_metadata+0x10/0x10\\n ? ecryptfs_get_lower_file+0x6b/0x190\\n ecryptfs_initialize_file+0x77/0x150\\n ecryptfs_create+0x1c2/0x2f0\\n path_openat+0x17cf/0x1ba0\\n ? __pfx_path_openat+0x10/0x10\\n do_filp_open+0x15e/0x290\\n ? __pfx_do_filp_open+0x10/0x10\\n ? __kasan_check_write+0x18/0x30\\n ? _raw_spin_lock+0x86/0xf0\\n ? __pfx__raw_spin_lock+0x10/0x10\\n ? __kasan_check_write+0x18/0x30\\n ? alloc_fd+0xf4/0x330\\n do_sys_openat2+0x122/0x160\\n ? __pfx_do_sys_openat2+0x10/0x10\\n __x64_sys_openat+0xef/0x170\\n ? __pfx___x64_sys_openat+0x10/0x10\\n do_syscall_64+0x60/0xd0\\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\\n RIP: 0033:0x7f00a703fd67\\n Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f\\n RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\\n RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67\\n RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c\\n RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000\\n R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941\\n R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040\\n \\n\\n Allocated by task 181:\\n kasan_save_stack+0x2f/0x60\\n kasan_set_track+0x29/0x40\\n kasan_save_alloc_info+0x25/0x40\\n __kasan_kmalloc+0xc5/0xd0\\n __kmalloc+0x66/0x160\\n ecryptfs_generate_key_packet_set+0x6d2/0xde0\\n ecryptfs_write_metadata+0x30a/0x550\\n ecryptfs_initialize_file+0x77/0x150\\n ecryptfs_create+0x1c2/0x2f0\\n path_openat+0x17cf/0x1ba0\\n do_filp_open+0x15e/0x290\\n do_sys_openat2+0x122/0x160\\n __x64_sys_openat+0xef/0x170\\n do_syscall_64+0x60/0xd0\\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38578\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38579", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38579" + }, + { + "url": "https://git.kernel.org/stable/c/2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9" + }, + { + "url": "https://git.kernel.org/stable/c/3b7a40740f04e2f27114dfd6225c5e721dda9d57" + }, + { + "url": "https://git.kernel.org/stable/c/49833a8da6407e7e9b532cc4054fdbcaf78f5fdd" + }, + { + "url": "https://git.kernel.org/stable/c/c0082ee420639a97e40cae66778b02b341b005e5" + }, + { + "url": "https://git.kernel.org/stable/c/c256b616067bfd6d274c679c06986b78d2402434" + }, + { + "url": "https://git.kernel.org/stable/c/c69a1e4b419c2c466dd8c5602bdebadc353973dd" + }, + { + "url": "https://git.kernel.org/stable/c/d0f14ae223c2421b334c1f1a9e48f1e809aee3a0" + }, + { + "url": "https://git.kernel.org/stable/c/e719c8991c161977a67197775067ab456b518c7b" + }, + { + "url": "https://git.kernel.org/stable/c/ebed0d666fa709bae9e8cafa8ec6e7ebd1d318c6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38579 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38579", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: bcm - Fix pointer arithmetic\n\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38579\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38579\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38579\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38579\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38579\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9\",\n \"https://git.kernel.org/stable/c/3b7a40740f04e2f27114dfd6225c5e721dda9d57\",\n \"https://git.kernel.org/stable/c/49833a8da6407e7e9b532cc4054fdbcaf78f5fdd\",\n \"https://git.kernel.org/stable/c/c0082ee420639a97e40cae66778b02b341b005e5\",\n \"https://git.kernel.org/stable/c/c256b616067bfd6d274c679c06986b78d2402434\",\n \"https://git.kernel.org/stable/c/c69a1e4b419c2c466dd8c5602bdebadc353973dd\",\n \"https://git.kernel.org/stable/c/d0f14ae223c2421b334c1f1a9e48f1e809aee3a0\",\n \"https://git.kernel.org/stable/c/e719c8991c161977a67197775067ab456b518c7b\",\n \"https://git.kernel.org/stable/c/ebed0d666fa709bae9e8cafa8ec6e7ebd1d318c6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: bcm - Fix pointer arithmetic\\n\\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\\ninstead of hash_iv_len which could lead to going beyond the\\nbuffer boundaries.\\nFix this bug by changing ciph_key_len to hash_iv_len.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38579\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38580", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38580" + }, + { + "url": "https://git.kernel.org/stable/c/16e3182f6322575eb7c12e728ad3c7986a189d5d" + }, + { + "url": "https://git.kernel.org/stable/c/4efaa5acf0a1d2b5947f98abb3acf8bfd966422b" + }, + { + "url": "https://git.kernel.org/stable/c/4f65f4defe4e23659275ce5153541cd4f76ce2d2" + }, + { + "url": "https://git.kernel.org/stable/c/559214eb4e5c3d05e69428af2fae2691ba1eb784" + }, + { + "url": "https://git.kernel.org/stable/c/cbfd1088e24ec4c1199756a37cb8e4cd0a4b016e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38580 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38580", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nepoll: be better about file lifetimes\n\nepoll can call out to vfs_poll() with a file pointer that may race with\nthe last 'fput()'. That would make f_count go down to zero, and while\nthe ep->mtx locking means that the resulting file pointer tear-down will\nbe blocked until the poll returns, it means that f_count is already\ndead, and any use of it won't actually get a reference to the file any\nmore: it's dead regardless.\n\nMake sure we have a valid ref on the file pointer before we call down to\nvfs_poll() from the epoll routines.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38580\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38580\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38580\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38580\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38580\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16e3182f6322575eb7c12e728ad3c7986a189d5d\",\n \"https://git.kernel.org/stable/c/4efaa5acf0a1d2b5947f98abb3acf8bfd966422b\",\n \"https://git.kernel.org/stable/c/4f65f4defe4e23659275ce5153541cd4f76ce2d2\",\n \"https://git.kernel.org/stable/c/559214eb4e5c3d05e69428af2fae2691ba1eb784\",\n \"https://git.kernel.org/stable/c/cbfd1088e24ec4c1199756a37cb8e4cd0a4b016e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nepoll: be better about file lifetimes\\n\\nepoll can call out to vfs_poll() with a file pointer that may race with\\nthe last 'fput()'. That would make f_count go down to zero, and while\\nthe ep->mtx locking means that the resulting file pointer tear-down will\\nbe blocked until the poll returns, it means that f_count is already\\ndead, and any use of it won't actually get a reference to the file any\\nmore: it's dead regardless.\\n\\nMake sure we have a valid ref on the file pointer before we call down to\\nvfs_poll() from the epoll routines.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38580\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38582", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38582" + }, + { + "url": "https://git.kernel.org/stable/c/06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd" + }, + { + "url": "https://git.kernel.org/stable/c/1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0" + }, + { + "url": "https://git.kernel.org/stable/c/6e5c8e8e024e147b834f56f2115aad241433679b" + }, + { + "url": "https://git.kernel.org/stable/c/911d38be151921a5d152bb55e81fd752384c6830" + }, + { + "url": "https://git.kernel.org/stable/c/a8799662fed1f8747edae87a1937549288baca6a" + }, + { + "url": "https://git.kernel.org/stable/c/bc9cee50a4a4ca23bdc49f75ea8242d8a2193b3b" + }, + { + "url": "https://git.kernel.org/stable/c/c516db6ab9eabbedbc430b4f93b0d8728e9b427f" + }, + { + "url": "https://git.kernel.org/stable/c/eb85dace897c5986bc2f36b3c783c6abb8a4292e" + }, + { + "url": "https://git.kernel.org/stable/c/eff7cdf890b02596b8d73e910bdbdd489175dbdb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38582 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38582", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential hang in nilfs_detach_log_writer()\n\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\n\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\n\nnilfs_detach_log_writer\n nilfs_segctor_destroy\n nilfs_segctor_kill_thread --> Shut down log writer thread\n flush_work\n nilfs_iput_work_func\n nilfs_dispose_list\n iput\n nilfs_evict_inode\n nilfs_transaction_commit\n nilfs_construct_segment (if inode needs sync)\n nilfs_segctor_sync --> Attempt to synchronize with\n log writer thread\n *** DEADLOCK ***\n\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\n\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38582\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38582\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38582\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38582\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38582\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd\",\n \"https://git.kernel.org/stable/c/1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0\",\n \"https://git.kernel.org/stable/c/6e5c8e8e024e147b834f56f2115aad241433679b\",\n \"https://git.kernel.org/stable/c/911d38be151921a5d152bb55e81fd752384c6830\",\n \"https://git.kernel.org/stable/c/a8799662fed1f8747edae87a1937549288baca6a\",\n \"https://git.kernel.org/stable/c/bc9cee50a4a4ca23bdc49f75ea8242d8a2193b3b\",\n \"https://git.kernel.org/stable/c/c516db6ab9eabbedbc430b4f93b0d8728e9b427f\",\n \"https://git.kernel.org/stable/c/eb85dace897c5986bc2f36b3c783c6abb8a4292e\",\n \"https://git.kernel.org/stable/c/eff7cdf890b02596b8d73e910bdbdd489175dbdb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix potential hang in nilfs_detach_log_writer()\\n\\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\\nduring nilfs2 unmount.\\n\\nAnalysis revealed that this is because nilfs_segctor_sync(), which\\nsynchronizes with the log writer thread, can be called after\\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\\nbelow:\\n\\nnilfs_detach_log_writer\\n nilfs_segctor_destroy\\n nilfs_segctor_kill_thread --> Shut down log writer thread\\n flush_work\\n nilfs_iput_work_func\\n nilfs_dispose_list\\n iput\\n nilfs_evict_inode\\n nilfs_transaction_commit\\n nilfs_construct_segment (if inode needs sync)\\n nilfs_segctor_sync --> Attempt to synchronize with\\n log writer thread\\n *** DEADLOCK ***\\n\\nFix this issue by changing nilfs_segctor_sync() so that the log writer\\nthread returns normally without synchronizing after it terminates, and by\\nforcing tasks that are already waiting to complete once after the thread\\nterminates.\\n\\nThe skipped inode metadata flushout will then be processed together in the\\nsubsequent cleanup work in nilfs_segctor_destroy().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38582\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38583", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38583" + }, + { + "url": "https://git.kernel.org/stable/c/2f12b2c03c5dae1a0de0a9e5853177e3d6eee3c6" + }, + { + "url": "https://git.kernel.org/stable/c/67fa90d4a2ccd9ebb0e1e168c7d0b5d0cf3c7148" + }, + { + "url": "https://git.kernel.org/stable/c/68e738be5c518fc3c4e9146b66f67c8fee0135fb" + }, + { + "url": "https://git.kernel.org/stable/c/822ae5a8eac30478578a75f7e064f0584931bf2d" + }, + { + "url": "https://git.kernel.org/stable/c/82933c84f188dcfe89eb26b0b48ab5d1ca99d164" + }, + { + "url": "https://git.kernel.org/stable/c/86a30d6302deddb9fb97ba6fc4b04d0e870b582a" + }, + { + "url": "https://git.kernel.org/stable/c/e65ccf3a4de4f0c763d94789615b83e11f204438" + }, + { + "url": "https://git.kernel.org/stable/c/f5d4e04634c9cf68bdf23de08ada0bb92e8befe7" + }, + { + "url": "https://git.kernel.org/stable/c/f9186bba4ea282b07293c1c892441df3a5441cb0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38583 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38583", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of timer for log writer thread\n\nPatch series \"nilfs2: fix log writer related issues\".\n\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis. Details are described in each commit log.\n\n\nThis patch (of 3):\n\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\n\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\n\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38583\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38583\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38583\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38583\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38583\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f12b2c03c5dae1a0de0a9e5853177e3d6eee3c6\",\n \"https://git.kernel.org/stable/c/67fa90d4a2ccd9ebb0e1e168c7d0b5d0cf3c7148\",\n \"https://git.kernel.org/stable/c/68e738be5c518fc3c4e9146b66f67c8fee0135fb\",\n \"https://git.kernel.org/stable/c/822ae5a8eac30478578a75f7e064f0584931bf2d\",\n \"https://git.kernel.org/stable/c/82933c84f188dcfe89eb26b0b48ab5d1ca99d164\",\n \"https://git.kernel.org/stable/c/86a30d6302deddb9fb97ba6fc4b04d0e870b582a\",\n \"https://git.kernel.org/stable/c/e65ccf3a4de4f0c763d94789615b83e11f204438\",\n \"https://git.kernel.org/stable/c/f5d4e04634c9cf68bdf23de08ada0bb92e8befe7\",\n \"https://git.kernel.org/stable/c/f9186bba4ea282b07293c1c892441df3a5441cb0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix use-after-free of timer for log writer thread\\n\\nPatch series \\\"nilfs2: fix log writer related issues\\\".\\n\\nThis bug fix series covers three nilfs2 log writer-related issues,\\nincluding a timer use-after-free issue and potential deadlock issue on\\nunmount, and a potential freeze issue in event synchronization found\\nduring their analysis. Details are described in each commit log.\\n\\n\\nThis patch (of 3):\\n\\nA use-after-free issue has been reported regarding the timer sc_timer on\\nthe nilfs_sc_info structure.\\n\\nThe problem is that even though it is used to wake up a sleeping log\\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\\nis about to be freed, and is used regardless of the thread's lifetime.\\n\\nFix this issue by limiting the use of sc_timer only while the log writer\\nthread is alive.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38583\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38586", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38586" + }, + { + "url": "https://git.kernel.org/stable/c/078d5b7500d70af2de6b38e226b03f0b932026a6" + }, + { + "url": "https://git.kernel.org/stable/c/0c48185a95309556725f818b82120bb74e9c627d" + }, + { + "url": "https://git.kernel.org/stable/c/54e7a0d111240c92c0f02ceba6eb8f26bf6d6479" + }, + { + "url": "https://git.kernel.org/stable/c/61c1c98e2607120ce9c3fa1bf75e6da909712b27" + }, + { + "url": "https://git.kernel.org/stable/c/68222d7b4b72aa321135cd453dac37f00ec41fd1" + }, + { + "url": "https://git.kernel.org/stable/c/b6d21cf40de103d63ae78551098a7c06af8c98dd" + }, + { + "url": "https://git.kernel.org/stable/c/c71e3a5cffd5309d7f84444df03d5b72600cc417" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38586 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38586", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\n\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\n\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\n\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38586\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38586\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38586\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38586\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38586\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/078d5b7500d70af2de6b38e226b03f0b932026a6\",\n \"https://git.kernel.org/stable/c/0c48185a95309556725f818b82120bb74e9c627d\",\n \"https://git.kernel.org/stable/c/54e7a0d111240c92c0f02ceba6eb8f26bf6d6479\",\n \"https://git.kernel.org/stable/c/61c1c98e2607120ce9c3fa1bf75e6da909712b27\",\n \"https://git.kernel.org/stable/c/68222d7b4b72aa321135cd453dac37f00ec41fd1\",\n \"https://git.kernel.org/stable/c/b6d21cf40de103d63ae78551098a7c06af8c98dd\",\n \"https://git.kernel.org/stable/c/c71e3a5cffd5309d7f84444df03d5b72600cc417\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\\n\\nAn issue was found on the RTL8125b when transmitting small fragmented\\npackets, whereby invalid entries were inserted into the transmit ring\\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\\naddress.\\n\\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\\nwhich may occur when small packets are padded (to work around hardware\\nquirks) in rtl8169_tso_csum_v2().\\n\\nTo fix this, postpone inspecting nr_frags until after any padding has been\\napplied.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38586\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38587", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38587" + }, + { + "url": "https://git.kernel.org/stable/c/008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b" + }, + { + "url": "https://git.kernel.org/stable/c/07ef95cc7a579731198c93beed281e3a79a0e586" + }, + { + "url": "https://git.kernel.org/stable/c/3726f75a1ccc16cd335c0ccfad1d92ee08ecba5e" + }, + { + "url": "https://git.kernel.org/stable/c/42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358" + }, + { + "url": "https://git.kernel.org/stable/c/504178fb7d9f6cdb0496d5491efb05f45597e535" + }, + { + "url": "https://git.kernel.org/stable/c/c6e1650cf5df1bd6638eeee231a683ef30c7d4eb" + }, + { + "url": "https://git.kernel.org/stable/c/cd7f3978c2ec741aedd1d860b2adb227314cf996" + }, + { + "url": "https://git.kernel.org/stable/c/d52c04474feac8e305814a5228e622afe481b2ef" + }, + { + "url": "https://git.kernel.org/stable/c/eb1ea64328d4cc7d7a912c563f8523d5259716ef" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38587 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38587", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Fix sizeof() vs ARRAY_SIZE() bug\n\nThe \"buf\" pointer is an array of u16 values. This code should be\nusing ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),\notherwise it can the still got out of bounds.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38587\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38587\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38587\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38587\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38587\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b\",\n \"https://git.kernel.org/stable/c/07ef95cc7a579731198c93beed281e3a79a0e586\",\n \"https://git.kernel.org/stable/c/3726f75a1ccc16cd335c0ccfad1d92ee08ecba5e\",\n \"https://git.kernel.org/stable/c/42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358\",\n \"https://git.kernel.org/stable/c/504178fb7d9f6cdb0496d5491efb05f45597e535\",\n \"https://git.kernel.org/stable/c/c6e1650cf5df1bd6638eeee231a683ef30c7d4eb\",\n \"https://git.kernel.org/stable/c/cd7f3978c2ec741aedd1d860b2adb227314cf996\",\n \"https://git.kernel.org/stable/c/d52c04474feac8e305814a5228e622afe481b2ef\",\n \"https://git.kernel.org/stable/c/eb1ea64328d4cc7d7a912c563f8523d5259716ef\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspeakup: Fix sizeof() vs ARRAY_SIZE() bug\\n\\nThe \\\"buf\\\" pointer is an array of u16 values. This code should be\\nusing ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),\\notherwise it can the still got out of bounds.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38587\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38588", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38588" + }, + { + "url": "https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b" + }, + { + "url": "https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6" + }, + { + "url": "https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461" + }, + { + "url": "https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831" + }, + { + "url": "https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada" + }, + { + "url": "https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38588 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38588", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix possible use-after-free issue in ftrace_location()\n\nKASAN reports a bug:\n\n BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n Read of size 8 at addr ffff888141d40010 by task insmod/424\n CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+\n [...]\n Call Trace:\n \n dump_stack_lvl+0x68/0xa0\n print_report+0xcf/0x610\n kasan_report+0xb5/0xe0\n ftrace_location+0x90/0x120\n register_kprobe+0x14b/0xa40\n kprobe_init+0x2d/0xff0 [kprobe_example]\n do_one_initcall+0x8f/0x2d0\n do_init_module+0x13a/0x3c0\n load_module+0x3082/0x33d0\n init_module_from_file+0xd2/0x130\n __x64_sys_finit_module+0x306/0x440\n do_syscall_64+0x68/0x140\n entry_SYSCALL_64_after_hwframe+0x71/0x79\n\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\n\n CPU1 | CPU2\n register_kprobes() { | delete_module() {\n check_kprobe_address_safe() { |\n arch_check_ftrace_location() { |\n ftrace_location() { |\n lookup_rec() // USE! | ftrace_release_mod() // Free!\n\nTo fix this issue:\n 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n 2. Use ftrace_location_range() instead of lookup_rec() in\n ftrace_location();\n 3. Call synchronize_rcu() before freeing any ftrace pages both in\n ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38588\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38588\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38588\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38588\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38588\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b\",\n \"https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6\",\n \"https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461\",\n \"https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831\",\n \"https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada\",\n \"https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nftrace: Fix possible use-after-free issue in ftrace_location()\\n\\nKASAN reports a bug:\\n\\n BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\\n Read of size 8 at addr ffff888141d40010 by task insmod/424\\n CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+\\n [...]\\n Call Trace:\\n \\n dump_stack_lvl+0x68/0xa0\\n print_report+0xcf/0x610\\n kasan_report+0xb5/0xe0\\n ftrace_location+0x90/0x120\\n register_kprobe+0x14b/0xa40\\n kprobe_init+0x2d/0xff0 [kprobe_example]\\n do_one_initcall+0x8f/0x2d0\\n do_init_module+0x13a/0x3c0\\n load_module+0x3082/0x33d0\\n init_module_from_file+0xd2/0x130\\n __x64_sys_finit_module+0x306/0x440\\n do_syscall_64+0x68/0x140\\n entry_SYSCALL_64_after_hwframe+0x71/0x79\\n\\nThe root cause is that, in lookup_rec(), ftrace record of some address\\nis being searched in ftrace pages of some module, but those ftrace pages\\nat the same time is being freed in ftrace_release_mod() as the\\ncorresponding module is being deleted:\\n\\n CPU1 | CPU2\\n register_kprobes() { | delete_module() {\\n check_kprobe_address_safe() { |\\n arch_check_ftrace_location() { |\\n ftrace_location() { |\\n lookup_rec() // USE! | ftrace_release_mod() // Free!\\n\\nTo fix this issue:\\n 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\\n 2. Use ftrace_location_range() instead of lookup_rec() in\\n ftrace_location();\\n 3. Call synchronize_rcu() before freeing any ftrace pages both in\\n ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38588\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38589", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38589" + }, + { + "url": "https://git.kernel.org/stable/c/1fbfb483c1a290dce3f41f52d45cc46dd88b7691" + }, + { + "url": "https://git.kernel.org/stable/c/3db2fc45d1d2a6457f06ebdfd45b9820e5b5c2b7" + }, + { + "url": "https://git.kernel.org/stable/c/421c50fa81836775bf0fd6ce0e57a6eb27af24d5" + }, + { + "url": "https://git.kernel.org/stable/c/5bc50a705cfac8f64ce51c95611c3dd0554ef9c3" + }, + { + "url": "https://git.kernel.org/stable/c/5fb7e2a4335fc67d6952ad2a6613c46e0b05f7c5" + }, + { + "url": "https://git.kernel.org/stable/c/b117e5b4f27c2c9076561b6be450a9619f0b79de" + }, + { + "url": "https://git.kernel.org/stable/c/b9d663fbf74290cb68fbc66ae4367bd56837ad1d" + }, + { + "url": "https://git.kernel.org/stable/c/e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6" + }, + { + "url": "https://git.kernel.org/stable/c/f28bdc2ee5d9300cc77bd3d97b5b3cdd14960fd8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38589 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38589", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: fix possible dead-lock in nr_rt_ioctl()\n\nsyzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]\n\nMake sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)\n\n[1]\nWARNING: possible circular locking dependency detected\n6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted\n------------------------------------------------------\nsyz-executor350/5129 is trying to acquire lock:\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n\nbut task is already holding lock:\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (nr_node_list_lock){+...}-{2:2}:\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_remove_node net/netrom/nr_route.c:299 [inline]\n nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355\n nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n-> #0 (&nr_node->node_lock){+...}-{2:2}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_node_lock include/net/netrom.h:152 [inline]\n nr_dec_obs net/netrom/nr_route.c:464 [inline]\n nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(nr_node_list_lock);\n lock(&nr_node->node_lock);\n lock(nr_node_list_lock);\n lock(&nr_node->node_lock);\n\n *** DEADLOCK ***\n\n1 lock held by syz-executor350/5129:\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n #0: ffffffff8f70\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38589\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38589\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38589\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38589\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38589\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fbfb483c1a290dce3f41f52d45cc46dd88b7691\",\n \"https://git.kernel.org/stable/c/3db2fc45d1d2a6457f06ebdfd45b9820e5b5c2b7\",\n \"https://git.kernel.org/stable/c/421c50fa81836775bf0fd6ce0e57a6eb27af24d5\",\n \"https://git.kernel.org/stable/c/5bc50a705cfac8f64ce51c95611c3dd0554ef9c3\",\n \"https://git.kernel.org/stable/c/5fb7e2a4335fc67d6952ad2a6613c46e0b05f7c5\",\n \"https://git.kernel.org/stable/c/b117e5b4f27c2c9076561b6be450a9619f0b79de\",\n \"https://git.kernel.org/stable/c/b9d663fbf74290cb68fbc66ae4367bd56837ad1d\",\n \"https://git.kernel.org/stable/c/e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6\",\n \"https://git.kernel.org/stable/c/f28bdc2ee5d9300cc77bd3d97b5b3cdd14960fd8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetrom: fix possible dead-lock in nr_rt_ioctl()\\n\\nsyzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]\\n\\nMake sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)\\n\\n[1]\\nWARNING: possible circular locking dependency detected\\n6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted\\n------------------------------------------------------\\nsyz-executor350/5129 is trying to acquire lock:\\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]\\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]\\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\\n\\nbut task is already holding lock:\\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697\\n\\nwhich lock already depends on the new lock.\\n\\nthe existing dependency chain (in reverse order) is:\\n\\n-> #1 (nr_node_list_lock){+...}-{2:2}:\\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\\n spin_lock_bh include/linux/spinlock.h:356 [inline]\\n nr_remove_node net/netrom/nr_route.c:299 [inline]\\n nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355\\n nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683\\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:904 [inline]\\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\n-> #0 (&nr_node->node_lock){+...}-{2:2}:\\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\\n validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869\\n __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137\\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\\n spin_lock_bh include/linux/spinlock.h:356 [inline]\\n nr_node_lock include/net/netrom.h:152 [inline]\\n nr_dec_obs net/netrom/nr_route.c:464 [inline]\\n nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:904 [inline]\\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nother info that might help us debug this:\\n\\n Possible unsafe locking scenario:\\n\\n CPU0 CPU1\\n ---- ----\\n lock(nr_node_list_lock);\\n lock(&nr_node->node_lock);\\n lock(nr_node_list_lock);\\n lock(&nr_node->node_lock);\\n\\n *** DEADLOCK ***\\n\\n1 lock held by syz-executor350/5129:\\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\\n #0: ffffffff8f70\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38589\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38590", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38590" + }, + { + "url": "https://git.kernel.org/stable/c/06cf121346bbd3d83a5eea05bb87666c6b279990" + }, + { + "url": "https://git.kernel.org/stable/c/17f3741c65c4a042ae8ba094068b07a4b77e213c" + }, + { + "url": "https://git.kernel.org/stable/c/349e859952285ab9689779fb46de163f13f18f43" + }, + { + "url": "https://git.kernel.org/stable/c/45b31be4dd22827903df15c548b97b416790139b" + }, + { + "url": "https://git.kernel.org/stable/c/6f541a89ced8305da459e3ab0006e7528cf7da7b" + }, + { + "url": "https://git.kernel.org/stable/c/817a10a6df9354e67561922d2b7fce48dfbebc55" + }, + { + "url": "https://git.kernel.org/stable/c/cc699b7eb2bc963c12ffcd37f80f45330d2924bd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38590 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38590", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Modify the print level of CQE error\n\nToo much print may lead to a panic in kernel. Change ibdev_err() to\nibdev_err_ratelimited(), and change the printing level of cqe dump\nto debug level.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38590\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38590\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38590\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38590\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38590\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06cf121346bbd3d83a5eea05bb87666c6b279990\",\n \"https://git.kernel.org/stable/c/17f3741c65c4a042ae8ba094068b07a4b77e213c\",\n \"https://git.kernel.org/stable/c/349e859952285ab9689779fb46de163f13f18f43\",\n \"https://git.kernel.org/stable/c/45b31be4dd22827903df15c548b97b416790139b\",\n \"https://git.kernel.org/stable/c/6f541a89ced8305da459e3ab0006e7528cf7da7b\",\n \"https://git.kernel.org/stable/c/817a10a6df9354e67561922d2b7fce48dfbebc55\",\n \"https://git.kernel.org/stable/c/cc699b7eb2bc963c12ffcd37f80f45330d2924bd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/hns: Modify the print level of CQE error\\n\\nToo much print may lead to a panic in kernel. Change ibdev_err() to\\nibdev_err_ratelimited(), and change the printing level of cqe dump\\nto debug level.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38590\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38591", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38591" + }, + { + "url": "https://git.kernel.org/stable/c/22c915af31bd84ffaa46145e317f53333f94a868" + }, + { + "url": "https://git.kernel.org/stable/c/4a3be1a0ffe04c085dd7f79be97c91b0c786df3d" + }, + { + "url": "https://git.kernel.org/stable/c/72dc542f0d8977e7d41d610db6bb65c47cad43e9" + }, + { + "url": "https://git.kernel.org/stable/c/756ddbe665ea7f9416951bd76731b174d136eea0" + }, + { + "url": "https://git.kernel.org/stable/c/b46494b6f9c19f141114a57729e198698f40af37" + }, + { + "url": "https://git.kernel.org/stable/c/d271e66abac5c7eb8de345b9b44d89f777437a4c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38591 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38591", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix deadlock on SRQ async events.\n\nxa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/\nxa_erase_irq() to avoid deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38591\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38591\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38591\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38591\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38591\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22c915af31bd84ffaa46145e317f53333f94a868\",\n \"https://git.kernel.org/stable/c/4a3be1a0ffe04c085dd7f79be97c91b0c786df3d\",\n \"https://git.kernel.org/stable/c/72dc542f0d8977e7d41d610db6bb65c47cad43e9\",\n \"https://git.kernel.org/stable/c/756ddbe665ea7f9416951bd76731b174d136eea0\",\n \"https://git.kernel.org/stable/c/b46494b6f9c19f141114a57729e198698f40af37\",\n \"https://git.kernel.org/stable/c/d271e66abac5c7eb8de345b9b44d89f777437a4c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/hns: Fix deadlock on SRQ async events.\\n\\nxa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/\\nxa_erase_irq() to avoid deadlock.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38591\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38594", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38594" + }, + { + "url": "https://git.kernel.org/stable/c/36ac9e7f2e5786bd37c5cd91132e1f39c29b8197" + }, + { + "url": "https://git.kernel.org/stable/c/487f9030b1ef34bab123f2df2a4ccbe01ba84416" + }, + { + "url": "https://git.kernel.org/stable/c/6f476aff2d8da1a189621c4c16a76a6c534e4312" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38594 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38594", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: move the EST lock to struct stmmac_priv\n\nReinitialize the whole EST structure would also reset the mutex\nlock which is embedded in the EST structure, and then trigger\nthe following warning. To address this, move the lock to struct\nstmmac_priv. We also need to reacquire the mutex lock when doing\nthis initialization.\n\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\nWARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068\n Modules linked in:\n CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29\n Hardware name: NXP i.MX8MPlus EVK board (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __mutex_lock+0xd84/0x1068\n lr : __mutex_lock+0xd84/0x1068\n sp : ffffffc0864e3570\n x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003\n x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac\n x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000\n x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff\n x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000\n x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8\n x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698\n x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001\n x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n __mutex_lock+0xd84/0x1068\n mutex_lock_nested+0x28/0x34\n tc_setup_taprio+0x118/0x68c\n stmmac_setup_tc+0x50/0xf0\n taprio_change+0x868/0xc9c", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38594\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38594\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38594\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38594\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38594\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36ac9e7f2e5786bd37c5cd91132e1f39c29b8197\",\n \"https://git.kernel.org/stable/c/487f9030b1ef34bab123f2df2a4ccbe01ba84416\",\n \"https://git.kernel.org/stable/c/6f476aff2d8da1a189621c4c16a76a6c534e4312\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: stmmac: move the EST lock to struct stmmac_priv\\n\\nReinitialize the whole EST structure would also reset the mutex\\nlock which is embedded in the EST structure, and then trigger\\nthe following warning. To address this, move the lock to struct\\nstmmac_priv. We also need to reacquire the mutex lock when doing\\nthis initialization.\\n\\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\\nWARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068\\n Modules linked in:\\n CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29\\n Hardware name: NXP i.MX8MPlus EVK board (DT)\\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : __mutex_lock+0xd84/0x1068\\n lr : __mutex_lock+0xd84/0x1068\\n sp : ffffffc0864e3570\\n x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003\\n x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac\\n x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000\\n x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff\\n x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000\\n x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8\\n x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698\\n x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001\\n x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027\\n x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000\\n Call trace:\\n __mutex_lock+0xd84/0x1068\\n mutex_lock_nested+0x28/0x34\\n tc_setup_taprio+0x118/0x68c\\n stmmac_setup_tc+0x50/0xf0\\n taprio_change+0x868/0xc9c\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38594\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38596", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38596" + }, + { + "url": "https://git.kernel.org/stable/c/0688d4e499bee3f2749bca27329bd128686230cb" + }, + { + "url": "https://git.kernel.org/stable/c/4d51845d734a4c5d079e56e0916f936a55e15055" + }, + { + "url": "https://git.kernel.org/stable/c/540bf24fba16b88c1b3b9353927204b4f1074e25" + }, + { + "url": "https://git.kernel.org/stable/c/8299e4d778f664b31b67cf4cf3d5409de2ecb92c" + }, + { + "url": "https://git.kernel.org/stable/c/9aa8773abfa0e954136875b4cbf2df4cf638e8a5" + }, + { + "url": "https://git.kernel.org/stable/c/a4c88072abcaca593cefe70f90e9d3707526e8f9" + }, + { + "url": "https://git.kernel.org/stable/c/a52fa2addfcccc2c5a0217fd45562605088c018b" + }, + { + "url": "https://git.kernel.org/stable/c/de6641d213373fbde9bbdd7c4b552254bc9f82fe" + }, + { + "url": "https://git.kernel.org/stable/c/fca6072e1a7b1e709ada5604b951513b89b4bd0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38596 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38596", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\n\nA data-race condition has been identified in af_unix. In one data path,\nthe write function unix_release_sock() atomically writes to\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\nunix_stream_sendmsg() does not read it atomically. Consequently, this\nissue is causing the following KCSAN splat to occur:\n\n\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\n\n\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\n\tunix_release_sock (net/unix/af_unix.c:640)\n\tunix_release (net/unix/af_unix.c:1050)\n\tsock_close (net/socket.c:659 net/socket.c:1421)\n\t__fput (fs/file_table.c:422)\n\t__fput_sync (fs/file_table.c:508)\n\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\n\t__x64_sys_close (fs/open.c:1541)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\n\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\n\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\n\t____sys_sendmsg (net/socket.c:2584)\n\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\n\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tvalue changed: 0x01 -> 0x03\n\nThe line numbers are related to commit dd5a440a31fa (\"Linux 6.9-rc7\").\n\nCommit e1d09c2c2f57 (\"af_unix: Fix data races around sk->sk_shutdown.\")\naddressed a comparable issue in the past regarding sk->sk_shutdown.\nHowever, it overlooked resolving this particular data path.\nThis patch only offending unix_stream_sendmsg() function, since the\nother reads seem to be protected by unix_state_lock() as discussed in", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38596\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38596\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38596\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38596\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38596\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0688d4e499bee3f2749bca27329bd128686230cb\",\n \"https://git.kernel.org/stable/c/4d51845d734a4c5d079e56e0916f936a55e15055\",\n \"https://git.kernel.org/stable/c/540bf24fba16b88c1b3b9353927204b4f1074e25\",\n \"https://git.kernel.org/stable/c/8299e4d778f664b31b67cf4cf3d5409de2ecb92c\",\n \"https://git.kernel.org/stable/c/9aa8773abfa0e954136875b4cbf2df4cf638e8a5\",\n \"https://git.kernel.org/stable/c/a4c88072abcaca593cefe70f90e9d3707526e8f9\",\n \"https://git.kernel.org/stable/c/a52fa2addfcccc2c5a0217fd45562605088c018b\",\n \"https://git.kernel.org/stable/c/de6641d213373fbde9bbdd7c4b552254bc9f82fe\",\n \"https://git.kernel.org/stable/c/fca6072e1a7b1e709ada5604b951513b89b4bd0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\\n\\nA data-race condition has been identified in af_unix. In one data path,\\nthe write function unix_release_sock() atomically writes to\\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\\nunix_stream_sendmsg() does not read it atomically. Consequently, this\\nissue is causing the following KCSAN splat to occur:\\n\\n\\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\\n\\n\\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\\n\\tunix_release_sock (net/unix/af_unix.c:640)\\n\\tunix_release (net/unix/af_unix.c:1050)\\n\\tsock_close (net/socket.c:659 net/socket.c:1421)\\n\\t__fput (fs/file_table.c:422)\\n\\t__fput_sync (fs/file_table.c:508)\\n\\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\\n\\t__x64_sys_close (fs/open.c:1541)\\n\\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\\n\\tdo_syscall_64 (arch/x86/entry/common.c:?)\\n\\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\n\\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\\n\\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\\n\\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\\n\\t____sys_sendmsg (net/socket.c:2584)\\n\\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\\n\\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\\n\\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\\n\\tdo_syscall_64 (arch/x86/entry/common.c:?)\\n\\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\n\\tvalue changed: 0x01 -> 0x03\\n\\nThe line numbers are related to commit dd5a440a31fa (\\\"Linux 6.9-rc7\\\").\\n\\nCommit e1d09c2c2f57 (\\\"af_unix: Fix data races around sk->sk_shutdown.\\\")\\naddressed a comparable issue in the past regarding sk->sk_shutdown.\\nHowever, it overlooked resolving this particular data path.\\nThis patch only offending unix_stream_sendmsg() function, since the\\nother reads seem to be protected by unix_state_lock() as discussed in\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38596\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38597", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38597" + }, + { + "url": "https://git.kernel.org/stable/c/476adb3bbbd7886e8251d3b9ce2d3c3e680f35d6" + }, + { + "url": "https://git.kernel.org/stable/c/5de5aeb98f9a000adb0db184e32765e4815d860b" + }, + { + "url": "https://git.kernel.org/stable/c/6400d205fbbcbcf9b8510157e1f379c1d7e2e937" + }, + { + "url": "https://git.kernel.org/stable/c/ac0a230f719b02432d8c7eba7615ebd691da86f4" + }, + { + "url": "https://git.kernel.org/stable/c/e22b23f5888a065d084e87db1eec639c445e677f" + }, + { + "url": "https://git.kernel.org/stable/c/faf94f1eb8a34b2c31b2042051ef36f63420ecce" + }, + { + "url": "https://git.kernel.org/stable/c/fbeeb55dbb33d562149c57e794f06b7414e44289" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38597 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38597", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: sungem: remove .ndo_poll_controller to avoid deadlocks\n\nErhard reports netpoll warnings from sungem:\n\n netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398)\n WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c\n\ngem_poll_controller() disables interrupts, which may sleep.\nWe can't sleep in netpoll, it has interrupts disabled completely.\nStrangely, gem_poll_controller() doesn't even poll the completions,\nand instead acts as if an interrupt has fired so it just schedules\nNAPI and exits. None of this has been necessary for years, since\nnetpoll invokes NAPI directly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38597\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38597\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38597\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38597\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38597\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/476adb3bbbd7886e8251d3b9ce2d3c3e680f35d6\",\n \"https://git.kernel.org/stable/c/5de5aeb98f9a000adb0db184e32765e4815d860b\",\n \"https://git.kernel.org/stable/c/6400d205fbbcbcf9b8510157e1f379c1d7e2e937\",\n \"https://git.kernel.org/stable/c/ac0a230f719b02432d8c7eba7615ebd691da86f4\",\n \"https://git.kernel.org/stable/c/e22b23f5888a065d084e87db1eec639c445e677f\",\n \"https://git.kernel.org/stable/c/faf94f1eb8a34b2c31b2042051ef36f63420ecce\",\n \"https://git.kernel.org/stable/c/fbeeb55dbb33d562149c57e794f06b7414e44289\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\neth: sungem: remove .ndo_poll_controller to avoid deadlocks\\n\\nErhard reports netpoll warnings from sungem:\\n\\n netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398)\\n WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c\\n\\ngem_poll_controller() disables interrupts, which may sleep.\\nWe can't sleep in netpoll, it has interrupts disabled completely.\\nStrangely, gem_poll_controller() doesn't even poll the completions,\\nand instead acts as if an interrupt has fired so it just schedules\\nNAPI and exits. None of this has been necessary for years, since\\nnetpoll invokes NAPI directly.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38597\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38598", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38598" + }, + { + "url": "https://git.kernel.org/stable/c/3f5b73ef8fd6268cbc968b308d8eafe56fda97f3" + }, + { + "url": "https://git.kernel.org/stable/c/43771597feba89a839c5f893716df88ae5c237ce" + }, + { + "url": "https://git.kernel.org/stable/c/5817f43ae1a118855676f57ef7ab50e37eac7482" + }, + { + "url": "https://git.kernel.org/stable/c/69296914bfd508c85935bf5f711cad9b0fe78492" + }, + { + "url": "https://git.kernel.org/stable/c/71e8e4f288e74a896b6d9cd194f3bab12bd7a10f" + }, + { + "url": "https://git.kernel.org/stable/c/8bbc71315e0ae4bb7e37f8d43b915e1cb01a481b" + }, + { + "url": "https://git.kernel.org/stable/c/c9566b812c8f66160466cc1e29df6d3646add0b1" + }, + { + "url": "https://git.kernel.org/stable/c/d4b9c764d48fa41caa24cfb4275f3aa9fb4bd798" + }, + { + "url": "https://git.kernel.org/stable/c/f0e729af2eb6bee9eb58c4df1087f14ebaefe26b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38598 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38598", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix resync softlockup when bitmap size is less than array size\n\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\n\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n \n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\n\nAnd the detailed process is as follows:\n\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n sectors = raid10_sync_request(mddev, j, &skipped)\n if (!md_bitmap_start_sync(..., &sync_blocks))\n // md_bitmap_start_sync set sync_blocks to 0\n return sync_blocks + sectors_skippe;\n // sectors = 0;\n j += sectors;\n // j never change\n\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\n\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\n\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38598\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38598\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38598\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38598\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38598\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f5b73ef8fd6268cbc968b308d8eafe56fda97f3\",\n \"https://git.kernel.org/stable/c/43771597feba89a839c5f893716df88ae5c237ce\",\n \"https://git.kernel.org/stable/c/5817f43ae1a118855676f57ef7ab50e37eac7482\",\n \"https://git.kernel.org/stable/c/69296914bfd508c85935bf5f711cad9b0fe78492\",\n \"https://git.kernel.org/stable/c/71e8e4f288e74a896b6d9cd194f3bab12bd7a10f\",\n \"https://git.kernel.org/stable/c/8bbc71315e0ae4bb7e37f8d43b915e1cb01a481b\",\n \"https://git.kernel.org/stable/c/c9566b812c8f66160466cc1e29df6d3646add0b1\",\n \"https://git.kernel.org/stable/c/d4b9c764d48fa41caa24cfb4275f3aa9fb4bd798\",\n \"https://git.kernel.org/stable/c/f0e729af2eb6bee9eb58c4df1087f14ebaefe26b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd: fix resync softlockup when bitmap size is less than array size\\n\\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\\ntrigger following softlockup:\\n\\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\\nCall Trace:\\n \\n md_bitmap_start_sync+0x6b/0xf0\\n raid10_sync_request+0x25c/0x1b40 [raid10]\\n md_do_sync+0x64b/0x1020\\n md_thread+0xa7/0x170\\n kthread+0xcf/0x100\\n ret_from_fork+0x30/0x50\\n ret_from_fork_asm+0x1a/0x30\\n\\nAnd the detailed process is as follows:\\n\\nmd_do_sync\\n j = mddev->resync_min\\n while (j < max_sectors)\\n sectors = raid10_sync_request(mddev, j, &skipped)\\n if (!md_bitmap_start_sync(..., &sync_blocks))\\n // md_bitmap_start_sync set sync_blocks to 0\\n return sync_blocks + sectors_skippe;\\n // sectors = 0;\\n j += sectors;\\n // j never change\\n\\nRoot cause is that commit 301867b1c168 (\\\"md/raid10: check\\nslab-out-of-bounds in md_bitmap_get_counter\\\") return early from\\nmd_bitmap_get_counter(), without setting returned blocks.\\n\\nFix this problem by always set returned blocks from\\nmd_bitmap_get_counter\\\"(), as it used to be.\\n\\nNoted that this patch just fix the softlockup problem in kernel, the\\ncase that bitmap size doesn't match array size still need to be fixed.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38598\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38599", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38599" + }, + { + "url": "https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11" + }, + { + "url": "https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df" + }, + { + "url": "https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275" + }, + { + "url": "https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07" + }, + { + "url": "https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b" + }, + { + "url": "https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb" + }, + { + "url": "https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913" + }, + { + "url": "https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098" + }, + { + "url": "https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38599 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38599", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eraseblock\n\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\n\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\n\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\n\nThis breaks the filesystem and can lead to KASAN crashes such as:\n\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38599\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38599\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38599\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38599\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38599\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11\",\n \"https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df\",\n \"https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275\",\n \"https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07\",\n \"https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b\",\n \"https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb\",\n \"https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913\",\n \"https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098\",\n \"https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njffs2: prevent xattr node from overflowing the eraseblock\\n\\nAdd a check to make sure that the requested xattr node size is no larger\\nthan the eraseblock minus the cleanmarker.\\n\\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\\nand spread across multiple eraseblocks, which means that a xattr node\\nmust not occupy more than one eraseblock. If the requested xattr value is\\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\\nthe nodes and causing errors such as:\\n\\njffs2: argh. node added in wrong place at 0x0000b050(2)\\njffs2: nextblock 0x0000a000, expected at 0000b00c\\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\\nread=0xfc892c93, calc=0x000000\\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\\nend of the erase block\\njffs2: Perhaps the file system was created with the wrong erase size?\\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\\nat 0x00000010: 0x1044 instead\\n\\nThis breaks the filesystem and can lead to KASAN crashes such as:\\n\\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\\nRead of size 4 at addr ffff88802c31e914 by task repro/830\\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\\nCall Trace:\\n \\n dump_stack_lvl+0xc6/0x120\\n print_report+0xc4/0x620\\n ? __virt_addr_valid+0x308/0x5b0\\n kasan_report+0xc1/0xf0\\n ? jffs2_sum_add_kvec+0x125e/0x15d0\\n ? jffs2_sum_add_kvec+0x125e/0x15d0\\n jffs2_sum_add_kvec+0x125e/0x15d0\\n jffs2_flash_direct_writev+0xa8/0xd0\\n jffs2_flash_writev+0x9c9/0xef0\\n ? __x64_sys_setxattr+0xc4/0x160\\n ? do_syscall_64+0x69/0x140\\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n [...]\\n\\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38599\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38600", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38600" + }, + { + "url": "https://git.kernel.org/stable/c/2f103287ef7960854808930499d1181bd0145d68" + }, + { + "url": "https://git.kernel.org/stable/c/6b55e879e7bd023a03888fc6c8339edf82f576f4" + }, + { + "url": "https://git.kernel.org/stable/c/87988a534d8e12f2e6fc01fe63e6c1925dc5307c" + }, + { + "url": "https://git.kernel.org/stable/c/88ce3fe255d58a93624b467af036dc3519f309c7" + }, + { + "url": "https://git.kernel.org/stable/c/c2fb439f4f1425a961d20bec818fed2c2d9ef70a" + }, + { + "url": "https://git.kernel.org/stable/c/ff80185e7b7b547a0911fcfc8aefc61c3e8304d7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38600 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38600", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: Fix deadlocks with kctl removals at disconnection\n\nIn snd_card_disconnect(), we set card->shutdown flag at the beginning,\ncall callbacks and do sync for card->power_ref_sleep waiters at the\nend. The callback may delete a kctl element, and this can lead to a\ndeadlock when the device was in the suspended state. Namely:\n\n* A process waits for the power up at snd_power_ref_and_wait() in\n snd_ctl_info() or read/write() inside card->controls_rwsem.\n\n* The system gets disconnected meanwhile, and the driver tries to\n delete a kctl via snd_ctl_remove*(); it tries to take\n card->controls_rwsem again, but this is already locked by the\n above. Since the sleeper isn't woken up, this deadlocks.\n\nAn easy fix is to wake up sleepers before processing the driver\ndisconnect callbacks but right after setting the card->shutdown flag.\nThen all sleepers will abort immediately, and the code flows again.\n\nSo, basically this patch moves the wait_event() call at the right\ntiming. While we're at it, just to be sure, call wait_event_all()\ninstead of wait_event(), although we don't use exclusive events on\nthis queue for now.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38600\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38600\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38600\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38600\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38600\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f103287ef7960854808930499d1181bd0145d68\",\n \"https://git.kernel.org/stable/c/6b55e879e7bd023a03888fc6c8339edf82f576f4\",\n \"https://git.kernel.org/stable/c/87988a534d8e12f2e6fc01fe63e6c1925dc5307c\",\n \"https://git.kernel.org/stable/c/88ce3fe255d58a93624b467af036dc3519f309c7\",\n \"https://git.kernel.org/stable/c/c2fb439f4f1425a961d20bec818fed2c2d9ef70a\",\n \"https://git.kernel.org/stable/c/ff80185e7b7b547a0911fcfc8aefc61c3e8304d7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: Fix deadlocks with kctl removals at disconnection\\n\\nIn snd_card_disconnect(), we set card->shutdown flag at the beginning,\\ncall callbacks and do sync for card->power_ref_sleep waiters at the\\nend. The callback may delete a kctl element, and this can lead to a\\ndeadlock when the device was in the suspended state. Namely:\\n\\n* A process waits for the power up at snd_power_ref_and_wait() in\\n snd_ctl_info() or read/write() inside card->controls_rwsem.\\n\\n* The system gets disconnected meanwhile, and the driver tries to\\n delete a kctl via snd_ctl_remove*(); it tries to take\\n card->controls_rwsem again, but this is already locked by the\\n above. Since the sleeper isn't woken up, this deadlocks.\\n\\nAn easy fix is to wake up sleepers before processing the driver\\ndisconnect callbacks but right after setting the card->shutdown flag.\\nThen all sleepers will abort immediately, and the code flows again.\\n\\nSo, basically this patch moves the wait_event() call at the right\\ntiming. While we're at it, just to be sure, call wait_event_all()\\ninstead of wait_event(), although we don't use exclusive events on\\nthis queue for now.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38600\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38601", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38601" + }, + { + "url": "https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b" + }, + { + "url": "https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e" + }, + { + "url": "https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb" + }, + { + "url": "https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1" + }, + { + "url": "https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87" + }, + { + "url": "https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533" + }, + { + "url": "https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e" + }, + { + "url": "https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa" + }, + { + "url": "https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38601 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38601", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix a race between readers and resize checks\n\nThe reader code in rb_get_reader_page() swaps a new reader page into the\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\nnew page. Following that, if the operation is successful,\nold->list.next->prev gets updated too. This means the underlying\ndoubly-linked list is temporarily inconsistent, page->prev->next or\npage->next->prev might not be equal back to page for some page in the\nring buffer.\n\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\nIt calls rb_check_pages() which can detect the described inconsistency\nand stop further tracing:\n\n[ 190.271762] ------------[ cut here ]------------\n[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\n[ 190.271789] Modules linked in: [...]\n[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\n[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\n[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\n[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\n[ 190.272023] Code: [...]\n[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\n[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\n[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\n[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\n[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\n[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\n[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\n[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\n[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 190.272077] Call Trace:\n[ 190.272098] \n[ 190.272189] ring_buffer_resize+0x2ab/0x460\n[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0\n[ 190.272206] tracing_resize_ring_buffer+0x65/0x90\n[ 190.272216] tracing_entries_write+0x74/0xc0\n[ 190.272225] vfs_write+0xf5/0x420\n[ 190.272248] ksys_write+0x67/0xe0\n[ 190.272256] do_syscall_64+0x82/0x170\n[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 190.272373] RIP: 0033:0x7f1bd657d263\n[ 190.272381] Code: [...]\n[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\n[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\n[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\n[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\n[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\n[ 190.272412] \n[ 190.272414] ---[ end trace 0000000000000000 ]---\n\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\ntrace_buffer has recording disabled. Recent commit d78ab792705c\n(\"tracing: Stop current tracer when resizing buffer\") causes that it is\nnow always the case which makes it more likely to experience this issue.\n\nThe window to hit this race is nonetheless very small. To help\nreproducing it, one can add a delay loop in rb_get_reader_page():\n\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\n if (!ret)\n \tgoto spin;\n for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */\n \t__asm__ __volatile__ (\"\" : : : \"memory\");\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\n\n.. \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38601\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38601\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38601\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38601\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38601\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b\",\n \"https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e\",\n \"https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb\",\n \"https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1\",\n \"https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87\",\n \"https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533\",\n \"https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e\",\n \"https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa\",\n \"https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nring-buffer: Fix a race between readers and resize checks\\n\\nThe reader code in rb_get_reader_page() swaps a new reader page into the\\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\\nnew page. Following that, if the operation is successful,\\nold->list.next->prev gets updated too. This means the underlying\\ndoubly-linked list is temporarily inconsistent, page->prev->next or\\npage->next->prev might not be equal back to page for some page in the\\nring buffer.\\n\\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\\nIt calls rb_check_pages() which can detect the described inconsistency\\nand stop further tracing:\\n\\n[ 190.271762] ------------[ cut here ]------------\\n[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\\n[ 190.271789] Modules linked in: [...]\\n[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\\n[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\\n[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\\n[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\\n[ 190.272023] Code: [...]\\n[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\\n[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\\n[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\\n[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\\n[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\\n[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\\n[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\\n[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\\n[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 190.272077] Call Trace:\\n[ 190.272098] \\n[ 190.272189] ring_buffer_resize+0x2ab/0x460\\n[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0\\n[ 190.272206] tracing_resize_ring_buffer+0x65/0x90\\n[ 190.272216] tracing_entries_write+0x74/0xc0\\n[ 190.272225] vfs_write+0xf5/0x420\\n[ 190.272248] ksys_write+0x67/0xe0\\n[ 190.272256] do_syscall_64+0x82/0x170\\n[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n[ 190.272373] RIP: 0033:0x7f1bd657d263\\n[ 190.272381] Code: [...]\\n[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\n[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\\n[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\\n[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\\n[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\\n[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\\n[ 190.272412] \\n[ 190.272414] ---[ end trace 0000000000000000 ]---\\n\\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\\ntrace_buffer has recording disabled. Recent commit d78ab792705c\\n(\\\"tracing: Stop current tracer when resizing buffer\\\") causes that it is\\nnow always the case which makes it more likely to experience this issue.\\n\\nThe window to hit this race is nonetheless very small. To help\\nreproducing it, one can add a delay loop in rb_get_reader_page():\\n\\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\\n if (!ret)\\n \\tgoto spin;\\n for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */\\n \\t__asm__ __volatile__ (\\\"\\\" : : : \\\"memory\\\");\\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\\n\\n.. \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38601\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38602", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38602" + }, + { + "url": "https://git.kernel.org/stable/c/1ea02699c7557eeb35ccff2bd822de1b3e09d868" + }, + { + "url": "https://git.kernel.org/stable/c/38eb01edfdaa1562fa00429be2e33f45383b1b3a" + }, + { + "url": "https://git.kernel.org/stable/c/81d8240b0a243b3ddd8fa8aa172f1acc2f7cc8f3" + }, + { + "url": "https://git.kernel.org/stable/c/ae467750a3765dd1092eb29f58247950a2f9b60c" + }, + { + "url": "https://git.kernel.org/stable/c/b505e0319852b08a3a716b64620168eab21f4ced" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38602 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38602", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issues of ax25_dev\n\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\ncount leak issue of the object \"ax25_dev\".\n\nMemory leak issue in ax25_addr_ax25dev():\n\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\n\nMemory leak issues in ax25_dev_device_down():\n\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down. The ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause\nmemory leak.\n\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38602\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38602\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38602\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38602\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38602\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ea02699c7557eeb35ccff2bd822de1b3e09d868\",\n \"https://git.kernel.org/stable/c/38eb01edfdaa1562fa00429be2e33f45383b1b3a\",\n \"https://git.kernel.org/stable/c/81d8240b0a243b3ddd8fa8aa172f1acc2f7cc8f3\",\n \"https://git.kernel.org/stable/c/ae467750a3765dd1092eb29f58247950a2f9b60c\",\n \"https://git.kernel.org/stable/c/b505e0319852b08a3a716b64620168eab21f4ced\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nax25: Fix reference count leak issues of ax25_dev\\n\\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\\ncount leak issue of the object \\\"ax25_dev\\\".\\n\\nMemory leak issue in ax25_addr_ax25dev():\\n\\nThe reference count of the object \\\"ax25_dev\\\" can be increased multiple\\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\\n\\nMemory leak issues in ax25_dev_device_down():\\n\\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\\nAs a result, the reference count of ax25_dev is 2. But when the device is\\nshutting down. The ax25_dev_device_down() drops the reference count once\\nor twice depending on if we goto unlock_put or not, which will cause\\nmemory leak.\\n\\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\\nafter it is removed from the ax25_dev_list.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38602\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38605", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38605" + }, + { + "url": "https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e7351138a29c1" + }, + { + "url": "https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12" + }, + { + "url": "https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5" + }, + { + "url": "https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434" + }, + { + "url": "https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e" + }, + { + "url": "https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92" + }, + { + "url": "https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38605 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38605", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: core: Fix NULL module pointer assignment at card init\n\nThe commit 81033c6b584b (\"ALSA: core: Warn on empty module\")\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\nobject creation, and it also wraps the code around it with '#ifdef\nMODULE'. This works in most cases, but the devils are always in\ndetails. \"MODULE\" is defined when the target code (i.e. the sound\ncore) is built as a module; but this doesn't mean that the caller is\nalso built-in or not. Namely, when only the sound core is built-in\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\nthe passed module pointer is ignored even if it's non-NULL, and\ncard->module remains as NULL. This would result in the missing module\nreference up/down at the device open/close, leading to a race with the\ncode execution after the module removal.\n\nFor addressing the bug, move the assignment of card->module again out\nof ifdef. The WARN_ON() is still wrapped with ifdef because the\nmodule can be really NULL when all sound drivers are built-in.\n\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\nlead to a false-positive NULL module check. Admittedly it won't catch\nperfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no\nreal problem as it's only for debugging, and the condition is pretty\nrare.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38605\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38605\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38605\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38605\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38605\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e7351138a29c1\",\n \"https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12\",\n \"https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5\",\n \"https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434\",\n \"https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e\",\n \"https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92\",\n \"https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: core: Fix NULL module pointer assignment at card init\\n\\nThe commit 81033c6b584b (\\\"ALSA: core: Warn on empty module\\\")\\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\\nobject creation, and it also wraps the code around it with '#ifdef\\nMODULE'. This works in most cases, but the devils are always in\\ndetails. \\\"MODULE\\\" is defined when the target code (i.e. the sound\\ncore) is built as a module; but this doesn't mean that the caller is\\nalso built-in or not. Namely, when only the sound core is built-in\\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\\nthe passed module pointer is ignored even if it's non-NULL, and\\ncard->module remains as NULL. This would result in the missing module\\nreference up/down at the device open/close, leading to a race with the\\ncode execution after the module removal.\\n\\nFor addressing the bug, move the assignment of card->module again out\\nof ifdef. The WARN_ON() is still wrapped with ifdef because the\\nmodule can be really NULL when all sound drivers are built-in.\\n\\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\\nlead to a false-positive NULL module check. Admittedly it won't catch\\nperfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no\\nreal problem as it's only for debugging, and the condition is pretty\\nrare.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38605\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38607", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38607" + }, + { + "url": "https://git.kernel.org/stable/c/010d4cb19bb13f423e3e746b824f314a9bf3e9a9" + }, + { + "url": "https://git.kernel.org/stable/c/1e9c3f2caec548cfa7a65416ec4e6006e542f18e" + }, + { + "url": "https://git.kernel.org/stable/c/280619bbdeac186fb320fab3d61122d2a085def8" + }, + { + "url": "https://git.kernel.org/stable/c/2907d409ce5946390f513976f0454888d37d1058" + }, + { + "url": "https://git.kernel.org/stable/c/5900a88e897e6deb1bdce09ee34167a81c2da89d" + }, + { + "url": "https://git.kernel.org/stable/c/787fb79efc15b3b86442ecf079b8148f173376d7" + }, + { + "url": "https://git.kernel.org/stable/c/d301a71c76ee4c384b4e03cdc320a55f5cf1df05" + }, + { + "url": "https://git.kernel.org/stable/c/d43a8c7ec0841e0ff91a968770aeca83f0fd4c56" + }, + { + "url": "https://git.kernel.org/stable/c/e4ff8bcfb2841fe4e17e5901578b632adb89036d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38607 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38607", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/via-macii: Fix \"BUG: sleeping function called from invalid context\"\n\nThe via-macii ADB driver calls request_irq() after disabling hard\ninterrupts. But disabling interrupts isn't necessary here because the\nVIA shift register interrupt was masked during VIA1 initialization.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38607\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38607\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38607\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38607\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38607\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/010d4cb19bb13f423e3e746b824f314a9bf3e9a9\",\n \"https://git.kernel.org/stable/c/1e9c3f2caec548cfa7a65416ec4e6006e542f18e\",\n \"https://git.kernel.org/stable/c/280619bbdeac186fb320fab3d61122d2a085def8\",\n \"https://git.kernel.org/stable/c/2907d409ce5946390f513976f0454888d37d1058\",\n \"https://git.kernel.org/stable/c/5900a88e897e6deb1bdce09ee34167a81c2da89d\",\n \"https://git.kernel.org/stable/c/787fb79efc15b3b86442ecf079b8148f173376d7\",\n \"https://git.kernel.org/stable/c/d301a71c76ee4c384b4e03cdc320a55f5cf1df05\",\n \"https://git.kernel.org/stable/c/d43a8c7ec0841e0ff91a968770aeca83f0fd4c56\",\n \"https://git.kernel.org/stable/c/e4ff8bcfb2841fe4e17e5901578b632adb89036d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmacintosh/via-macii: Fix \\\"BUG: sleeping function called from invalid context\\\"\\n\\nThe via-macii ADB driver calls request_irq() after disabling hard\\ninterrupts. But disabling interrupts isn't necessary here because the\\nVIA shift register interrupt was masked during VIA1 initialization.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38607\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38608", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38608" + }, + { + "url": "https://git.kernel.org/stable/c/3d5918477f94e4c2f064567875c475468e264644" + }, + { + "url": "https://git.kernel.org/stable/c/f7e6cfb864a53af71c5cc904f1cc22215d68f5c6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38608 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38608", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix netif state handling\n\nmlx5e_suspend cleans resources only if netif_device_present() returns\ntrue. However, mlx5e_resume changes the state of netif, via\nmlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.\nIn the below case, the above leads to NULL-ptr Oops[1] and memory\nleaks:\n\nmlx5e_probe\n _mlx5e_resume\n mlx5e_attach_netdev\n mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach()\n register_netdev <-- failed for some reason.\nERROR_FLOW:\n _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(\n\nHence, clean resources in this case as well.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at0xffffffffffffffd6.\nRSP: 0018:ffff888178aaf758 EFLAGS: 00010246\nCall Trace:\n \n ? __die+0x20/0x60\n ? page_fault_oops+0x14c/0x3c0\n ? exc_page_fault+0x75/0x140\n ? asm_exc_page_fault+0x22/0x30\n notifier_call_chain+0x35/0xb0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]\n mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]\n mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\n mlx5r_probe+0xe1/0x210 [mlx5_ib]\n ? auxiliary_match_id+0x6a/0x90\n auxiliary_bus_probe+0x38/0x80\n ? driver_sysfs_add+0x51/0x80\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x637/0x840\n __auxiliary_device_add+0x3b/0xa0\n add_adev+0xc9/0x140 [mlx5_core]\n mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]\n mlx5_register_device+0x53/0xa0 [mlx5_core]\n mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]\n mlx5_init_one+0x3b/0x60 [mlx5_core]\n probe_one+0x44c/0x730 [mlx5_core]\n local_pci_probe+0x3e/0x90\n pci_device_probe+0xbf/0x210\n ? kernfs_create_link+0x5d/0xa0\n ? sysfs_do_create_link_sd+0x60/0xc0\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n pci_bus_add_device+0x54/0x80\n pci_iov_add_virtfn+0x2e6/0x320\n sriov_enable+0x208/0x420\n mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]\n sriov_numvfs_store+0xae/0x1a0\n kernfs_fop_write_iter+0x10c/0x1a0\n vfs_write+0x291/0x3c0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38608\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38608\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38608\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38608\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38608\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3d5918477f94e4c2f064567875c475468e264644\",\n \"https://git.kernel.org/stable/c/f7e6cfb864a53af71c5cc904f1cc22215d68f5c6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: Fix netif state handling\\n\\nmlx5e_suspend cleans resources only if netif_device_present() returns\\ntrue. However, mlx5e_resume changes the state of netif, via\\nmlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.\\nIn the below case, the above leads to NULL-ptr Oops[1] and memory\\nleaks:\\n\\nmlx5e_probe\\n _mlx5e_resume\\n mlx5e_attach_netdev\\n mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach()\\n register_netdev <-- failed for some reason.\\nERROR_FLOW:\\n _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(\\n\\nHence, clean resources in this case as well.\\n\\n[1]\\nBUG: kernel NULL pointer dereference, address: 0000000000000000\\nPGD 0 P4D 0\\nOops: 0010 [#1] SMP\\nCPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\nRIP: 0010:0x0\\nCode: Unable to access opcode bytes at0xffffffffffffffd6.\\nRSP: 0018:ffff888178aaf758 EFLAGS: 00010246\\nCall Trace:\\n \\n ? __die+0x20/0x60\\n ? page_fault_oops+0x14c/0x3c0\\n ? exc_page_fault+0x75/0x140\\n ? asm_exc_page_fault+0x22/0x30\\n notifier_call_chain+0x35/0xb0\\n blocking_notifier_call_chain+0x3d/0x60\\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\\n mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]\\n mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]\\n mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]\\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\\n mlx5r_probe+0xe1/0x210 [mlx5_ib]\\n ? auxiliary_match_id+0x6a/0x90\\n auxiliary_bus_probe+0x38/0x80\\n ? driver_sysfs_add+0x51/0x80\\n really_probe+0xc9/0x3e0\\n ? driver_probe_device+0x90/0x90\\n __driver_probe_device+0x80/0x160\\n driver_probe_device+0x1e/0x90\\n __device_attach_driver+0x7d/0x100\\n bus_for_each_drv+0x80/0xd0\\n __device_attach+0xbc/0x1f0\\n bus_probe_device+0x86/0xa0\\n device_add+0x637/0x840\\n __auxiliary_device_add+0x3b/0xa0\\n add_adev+0xc9/0x140 [mlx5_core]\\n mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]\\n mlx5_register_device+0x53/0xa0 [mlx5_core]\\n mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]\\n mlx5_init_one+0x3b/0x60 [mlx5_core]\\n probe_one+0x44c/0x730 [mlx5_core]\\n local_pci_probe+0x3e/0x90\\n pci_device_probe+0xbf/0x210\\n ? kernfs_create_link+0x5d/0xa0\\n ? sysfs_do_create_link_sd+0x60/0xc0\\n really_probe+0xc9/0x3e0\\n ? driver_probe_device+0x90/0x90\\n __driver_probe_device+0x80/0x160\\n driver_probe_device+0x1e/0x90\\n __device_attach_driver+0x7d/0x100\\n bus_for_each_drv+0x80/0xd0\\n __device_attach+0xbc/0x1f0\\n pci_bus_add_device+0x54/0x80\\n pci_iov_add_virtfn+0x2e6/0x320\\n sriov_enable+0x208/0x420\\n mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]\\n sriov_numvfs_store+0xae/0x1a0\\n kernfs_fop_write_iter+0x10c/0x1a0\\n vfs_write+0x291/0x3c0\\n ksys_write+0x5f/0xe0\\n do_syscall_64+0x3d/0x90\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\\n CR2: 0000000000000000\\n ---[ end trace 0000000000000000 ]---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38608\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38610", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38610" + }, + { + "url": "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb" + }, + { + "url": "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559" + }, + { + "url": "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4" + }, + { + "url": "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a" + }, + { + "url": "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32" + }, + { + "url": "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38610 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38610", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\ncompiles, that's all I know. I'll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation. Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We're not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We're not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38610\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38610\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38610\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38610\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38610\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb\",\n \"https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559\",\n \"https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4\",\n \"https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a\",\n \"https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32\",\n \"https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\\n\\nPatch series \\\"mm: follow_pte() improvements and acrn follow_pte() fixes\\\".\\n\\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\\ncompiles, that's all I know. I'll appreciate some review and testing from\\nacrn folks.\\n\\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\\nmore sanity checks, and improving the documentation. Gave it a quick test\\non x86-64 using VM_PAT that ends up using follow_pte().\\n\\n\\nThis patch (of 3):\\n\\nWe currently miss handling various cases, resulting in a dangerous\\nfollow_pte() (previously follow_pfn()) usage.\\n\\n(1) We're not checking PTE write permissions.\\n\\nMaybe we should simply always require pte_write() like we do for\\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\\nACRN_MEM_ACCESS_WRITE for now.\\n\\n(2) We're not rejecting refcounted pages.\\n\\nAs we are not using MMU notifiers, messing with refcounted pages is\\ndangerous and can result in use-after-free. Let's make sure to reject them.\\n\\n(3) We are only looking at the first PTE of a bigger range.\\n\\nWe only lookup a single PTE, but memmap->len may span a larger area.\\nLet's loop over all involved PTEs and make sure the PFN range is\\nactually contiguous. Reject everything else: it couldn't have worked\\neither way, and rather made use access PFNs we shouldn't be accessing.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38610\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38611", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38611" + }, + { + "url": "https://git.kernel.org/stable/c/43fff07e4b1956d0e5cf23717507e438278ea3d9" + }, + { + "url": "https://git.kernel.org/stable/c/545b215736c5c4b354e182d99c578a472ac9bfce" + }, + { + "url": "https://git.kernel.org/stable/c/904db2ba44ae60641b6378c5013254d09acf5e80" + }, + { + "url": "https://git.kernel.org/stable/c/c1a3803e5bb91c13e9ad582003e4288f67f06cd9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38611 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38611", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: et8ek8: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback\nbeing discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets\nunbound (e.g. using sysfs or hotplug), the driver is just removed\nwithout the cleanup being performed. This results in resource leaks. Fix\nit by compiling in the remove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\n\tWARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38611\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38611\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38611\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38611\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38611\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/43fff07e4b1956d0e5cf23717507e438278ea3d9\",\n \"https://git.kernel.org/stable/c/545b215736c5c4b354e182d99c578a472ac9bfce\",\n \"https://git.kernel.org/stable/c/904db2ba44ae60641b6378c5013254d09acf5e80\",\n \"https://git.kernel.org/stable/c/c1a3803e5bb91c13e9ad582003e4288f67f06cd9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: i2c: et8ek8: Don't strip remove function when driver is builtin\\n\\nUsing __exit for the remove function results in the remove callback\\nbeing discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets\\nunbound (e.g. using sysfs or hotplug), the driver is just removed\\nwithout the cleanup being performed. This results in resource leaks. Fix\\nit by compiling in the remove callback unconditionally.\\n\\nThis also fixes a W=1 modpost warning:\\n\\n\\tWARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38611\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38612", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38612" + }, + { + "url": "https://git.kernel.org/stable/c/00e6335329f23ac6cf3105931691674e28bc598c" + }, + { + "url": "https://git.kernel.org/stable/c/10610575a3ac2a702bf5c57aa931beaf847949c7" + }, + { + "url": "https://git.kernel.org/stable/c/160e9d2752181fcf18c662e74022d77d3164cd45" + }, + { + "url": "https://git.kernel.org/stable/c/1a63730fb315bb1bab97edd69ff58ad45e04bb01" + }, + { + "url": "https://git.kernel.org/stable/c/3398a40dccb88d3a7eef378247a023a78472db66" + }, + { + "url": "https://git.kernel.org/stable/c/646cd236c55e2cb5f146fc41bbe4034c4af5b2a4" + }, + { + "url": "https://git.kernel.org/stable/c/85a70ff1e572160f1eeb096ed48d09a1c9d4d89a" + }, + { + "url": "https://git.kernel.org/stable/c/c04d6a914e890ccea4a9d11233009a2ee7978bf4" + }, + { + "url": "https://git.kernel.org/stable/c/e77a3ec7ada84543e75722a1283785a6544de925" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38612 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38612", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix invalid unregister error path\n\nThe error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL\nis not defined. In that case if seg6_hmac_init() fails, the\ngenl_unregister_family() isn't called.\n\nThis issue exist since commit 46738b1317e1 (\"ipv6: sr: add option to control\nlwtunnel support\"), and commit 5559cea2d5aa (\"ipv6: sr: fix possible\nuse-after-free and null-ptr-deref\") replaced unregister_pernet_subsys()\nwith genl_unregister_family() in this error path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38612\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38612\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38612\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38612\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38612\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00e6335329f23ac6cf3105931691674e28bc598c\",\n \"https://git.kernel.org/stable/c/10610575a3ac2a702bf5c57aa931beaf847949c7\",\n \"https://git.kernel.org/stable/c/160e9d2752181fcf18c662e74022d77d3164cd45\",\n \"https://git.kernel.org/stable/c/1a63730fb315bb1bab97edd69ff58ad45e04bb01\",\n \"https://git.kernel.org/stable/c/3398a40dccb88d3a7eef378247a023a78472db66\",\n \"https://git.kernel.org/stable/c/646cd236c55e2cb5f146fc41bbe4034c4af5b2a4\",\n \"https://git.kernel.org/stable/c/85a70ff1e572160f1eeb096ed48d09a1c9d4d89a\",\n \"https://git.kernel.org/stable/c/c04d6a914e890ccea4a9d11233009a2ee7978bf4\",\n \"https://git.kernel.org/stable/c/e77a3ec7ada84543e75722a1283785a6544de925\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: sr: fix invalid unregister error path\\n\\nThe error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL\\nis not defined. In that case if seg6_hmac_init() fails, the\\ngenl_unregister_family() isn't called.\\n\\nThis issue exist since commit 46738b1317e1 (\\\"ipv6: sr: add option to control\\nlwtunnel support\\\"), and commit 5559cea2d5aa (\\\"ipv6: sr: fix possible\\nuse-after-free and null-ptr-deref\\\") replaced unregister_pernet_subsys()\\nwith genl_unregister_family() in this error path.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38612\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38613", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38613" + }, + { + "url": "https://git.kernel.org/stable/c/0d9ae1253535f6e85a016e09c25ecbe6f7f59ef0" + }, + { + "url": "https://git.kernel.org/stable/c/2a8d1d95302c7d52c6ac8fa5cb4a6948ae0d3a14" + }, + { + "url": "https://git.kernel.org/stable/c/4eeffecc8e3cce25bb559502c2fd94a948bcde82" + }, + { + "url": "https://git.kernel.org/stable/c/5213cc01d0464c011fdc09f318705603ed3a746b" + }, + { + "url": "https://git.kernel.org/stable/c/77b2b67a0f8bce260c53907e5749d61466d90c87" + }, + { + "url": "https://git.kernel.org/stable/c/95f00caf767b5968c2c51083957b38be4748a78a" + }, + { + "url": "https://git.kernel.org/stable/c/da89ce46f02470ef08f0f580755d14d547da59ed" + }, + { + "url": "https://git.kernel.org/stable/c/f1d4274a84c069be0f6098ab10c3443fc1f7134c" + }, + { + "url": "https://git.kernel.org/stable/c/f3baf0f4f92af32943ebf27b960e0552c6c082fd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38613 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38613", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nm68k: Fix spinlock race in kernel thread creation\n\nContext switching does take care to retain the correct lock owner across\nthe switch from 'prev' to 'next' tasks. This does rely on interrupts\nremaining disabled for the entire duration of the switch.\n\nThis condition is guaranteed for normal process creation and context\nswitching between already running processes, because both 'prev' and\n'next' already have interrupts disabled in their saved copies of the\nstatus register.\n\nThe situation is different for newly created kernel threads. The status\nregister is set to PS_S in copy_thread(), which does leave the IPL at 0.\nUpon restoring the 'next' thread's status register in switch_to() aka\nresume(), interrupts then become enabled prematurely. resume() then\nreturns via ret_from_kernel_thread() and schedule_tail() where run queue\nlock is released (see finish_task_switch() and finish_lock_switch()).\n\nA timer interrupt calling scheduler_tick() before the lock is released\nin finish_task_switch() will find the lock already taken, with the\ncurrent task as lock owner. This causes a spinlock recursion warning as\nreported by Guenter Roeck.\n\nAs far as I can ascertain, this race has been opened in commit\n533e6903bea0 (\"m68k: split ret_from_fork(), simplify kernel_thread()\")\nbut I haven't done a detailed study of kernel history so it may well\npredate that commit.\n\nInterrupts cannot be disabled in the saved status register copy for\nkernel threads (init will complain about interrupts disabled when\nfinally starting user space). Disable interrupts temporarily when\nswitching the tasks' register sets in resume().\n\nNote that a simple oriw 0x700,%sr after restoring sr is not enough here\n- this leaves enough of a race for the 'spinlock recursion' warning to\nstill be observed.\n\nTested on ARAnyM and qemu (Quadra 800 emulation).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38613\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38613\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38613\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38613\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38613\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d9ae1253535f6e85a016e09c25ecbe6f7f59ef0\",\n \"https://git.kernel.org/stable/c/2a8d1d95302c7d52c6ac8fa5cb4a6948ae0d3a14\",\n \"https://git.kernel.org/stable/c/4eeffecc8e3cce25bb559502c2fd94a948bcde82\",\n \"https://git.kernel.org/stable/c/5213cc01d0464c011fdc09f318705603ed3a746b\",\n \"https://git.kernel.org/stable/c/77b2b67a0f8bce260c53907e5749d61466d90c87\",\n \"https://git.kernel.org/stable/c/95f00caf767b5968c2c51083957b38be4748a78a\",\n \"https://git.kernel.org/stable/c/da89ce46f02470ef08f0f580755d14d547da59ed\",\n \"https://git.kernel.org/stable/c/f1d4274a84c069be0f6098ab10c3443fc1f7134c\",\n \"https://git.kernel.org/stable/c/f3baf0f4f92af32943ebf27b960e0552c6c082fd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nm68k: Fix spinlock race in kernel thread creation\\n\\nContext switching does take care to retain the correct lock owner across\\nthe switch from 'prev' to 'next' tasks. This does rely on interrupts\\nremaining disabled for the entire duration of the switch.\\n\\nThis condition is guaranteed for normal process creation and context\\nswitching between already running processes, because both 'prev' and\\n'next' already have interrupts disabled in their saved copies of the\\nstatus register.\\n\\nThe situation is different for newly created kernel threads. The status\\nregister is set to PS_S in copy_thread(), which does leave the IPL at 0.\\nUpon restoring the 'next' thread's status register in switch_to() aka\\nresume(), interrupts then become enabled prematurely. resume() then\\nreturns via ret_from_kernel_thread() and schedule_tail() where run queue\\nlock is released (see finish_task_switch() and finish_lock_switch()).\\n\\nA timer interrupt calling scheduler_tick() before the lock is released\\nin finish_task_switch() will find the lock already taken, with the\\ncurrent task as lock owner. This causes a spinlock recursion warning as\\nreported by Guenter Roeck.\\n\\nAs far as I can ascertain, this race has been opened in commit\\n533e6903bea0 (\\\"m68k: split ret_from_fork(), simplify kernel_thread()\\\")\\nbut I haven't done a detailed study of kernel history so it may well\\npredate that commit.\\n\\nInterrupts cannot be disabled in the saved status register copy for\\nkernel threads (init will complain about interrupts disabled when\\nfinally starting user space). Disable interrupts temporarily when\\nswitching the tasks' register sets in resume().\\n\\nNote that a simple oriw 0x700,%sr after restoring sr is not enough here\\n- this leaves enough of a race for the 'spinlock recursion' warning to\\nstill be observed.\\n\\nTested on ARAnyM and qemu (Quadra 800 emulation).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38613\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38615", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38615" + }, + { + "url": "https://git.kernel.org/stable/c/2d730b465e377396d2a09a53524b96b111f7ccb6" + }, + { + "url": "https://git.kernel.org/stable/c/35db5e76d5e9f752476df5fa0b9018a2398b0378" + }, + { + "url": "https://git.kernel.org/stable/c/3e99f060cfd2e36504d62c9132b453ade5027e1c" + }, + { + "url": "https://git.kernel.org/stable/c/8bc9546805e572ad101681437a49939f28777273" + }, + { + "url": "https://git.kernel.org/stable/c/a8204d1b6ff762d2171d365c2c8560285d0a233d" + }, + { + "url": "https://git.kernel.org/stable/c/ae37ebca325097d773d7bb6ec069123b30772872" + }, + { + "url": "https://git.kernel.org/stable/c/b8f85833c05730d631576008daaa34096bc7f3ce" + }, + { + "url": "https://git.kernel.org/stable/c/dfc56ff5ec9904c008e9376d90a6d7e2d2bec4d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38615 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38615", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: exit() callback is optional\n\nThe exit() callback is optional and shouldn't be called without checking\na valid pointer first.\n\nAlso, we must clear freq_table pointer even if the exit() callback isn't\npresent.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38615\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38615\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38615\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38615\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38615\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d730b465e377396d2a09a53524b96b111f7ccb6\",\n \"https://git.kernel.org/stable/c/35db5e76d5e9f752476df5fa0b9018a2398b0378\",\n \"https://git.kernel.org/stable/c/3e99f060cfd2e36504d62c9132b453ade5027e1c\",\n \"https://git.kernel.org/stable/c/8bc9546805e572ad101681437a49939f28777273\",\n \"https://git.kernel.org/stable/c/a8204d1b6ff762d2171d365c2c8560285d0a233d\",\n \"https://git.kernel.org/stable/c/ae37ebca325097d773d7bb6ec069123b30772872\",\n \"https://git.kernel.org/stable/c/b8f85833c05730d631576008daaa34096bc7f3ce\",\n \"https://git.kernel.org/stable/c/dfc56ff5ec9904c008e9376d90a6d7e2d2bec4d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncpufreq: exit() callback is optional\\n\\nThe exit() callback is optional and shouldn't be called without checking\\na valid pointer first.\\n\\nAlso, we must clear freq_table pointer even if the exit() callback isn't\\npresent.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38615\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38618", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38618" + }, + { + "url": "https://git.kernel.org/stable/c/2c95241ac5fc90c929d6c0c023e84bf0d30e84c3" + }, + { + "url": "https://git.kernel.org/stable/c/4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e" + }, + { + "url": "https://git.kernel.org/stable/c/68396c825c43664b20a3a1ba546844deb2b4e48f" + }, + { + "url": "https://git.kernel.org/stable/c/74bfb8d90f2601718ae203faf45a196844c01fa1" + }, + { + "url": "https://git.kernel.org/stable/c/83f0ba8592b9e258fd80ac6486510ab1dcd7ad6e" + }, + { + "url": "https://git.kernel.org/stable/c/abb1ad69d98cf1ff25bb14fff0e7c3f66239e1cd" + }, + { + "url": "https://git.kernel.org/stable/c/bdd0aa055b8ec7e24bbc19513f3231958741d0ab" + }, + { + "url": "https://git.kernel.org/stable/c/ceab795a67dd28dd942d0d8bba648c6c0f7a044b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38618 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38618", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Set lower bound of start tick time\n\nCurrently ALSA timer doesn't have the lower limit of the start tick\ntime, and it allows a very small size, e.g. 1 tick with 1ns resolution\nfor hrtimer. Such a situation may lead to an unexpected RCU stall,\nwhere the callback repeatedly queuing the expire update, as reported\nby fuzzer.\n\nThis patch introduces a sanity check of the timer start tick time, so\nthat the system returns an error when a too small start size is set.\nAs of this patch, the lower limit is hard-coded to 100us, which is\nsmall enough but can still work somehow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38618\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38618\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38618\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38618\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38618\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c95241ac5fc90c929d6c0c023e84bf0d30e84c3\",\n \"https://git.kernel.org/stable/c/4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e\",\n \"https://git.kernel.org/stable/c/68396c825c43664b20a3a1ba546844deb2b4e48f\",\n \"https://git.kernel.org/stable/c/74bfb8d90f2601718ae203faf45a196844c01fa1\",\n \"https://git.kernel.org/stable/c/83f0ba8592b9e258fd80ac6486510ab1dcd7ad6e\",\n \"https://git.kernel.org/stable/c/abb1ad69d98cf1ff25bb14fff0e7c3f66239e1cd\",\n \"https://git.kernel.org/stable/c/bdd0aa055b8ec7e24bbc19513f3231958741d0ab\",\n \"https://git.kernel.org/stable/c/ceab795a67dd28dd942d0d8bba648c6c0f7a044b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: timer: Set lower bound of start tick time\\n\\nCurrently ALSA timer doesn't have the lower limit of the start tick\\ntime, and it allows a very small size, e.g. 1 tick with 1ns resolution\\nfor hrtimer. Such a situation may lead to an unexpected RCU stall,\\nwhere the callback repeatedly queuing the expire update, as reported\\nby fuzzer.\\n\\nThis patch introduces a sanity check of the timer start tick time, so\\nthat the system returns an error when a too small start size is set.\\nAs of this patch, the lower limit is hard-coded to 100us, which is\\nsmall enough but can still work somehow.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38618\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38619", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38619" + }, + { + "url": "https://git.kernel.org/stable/c/16637fea001ab3c8df528a8995b3211906165a30" + }, + { + "url": "https://git.kernel.org/stable/c/24bff7f714bdff97c2a75a0ff6a368cdf8ad5af4" + }, + { + "url": "https://git.kernel.org/stable/c/2cc32639ec347e3365075b130f9953ef16cb13f1" + }, + { + "url": "https://git.kernel.org/stable/c/3eee13ab67f65606faa66e0c3c729e4f514838fd" + }, + { + "url": "https://git.kernel.org/stable/c/51fe16c058acb22f847e69bc598066ed0bcd5c15" + }, + { + "url": "https://git.kernel.org/stable/c/e0aab7b07a9375337847c9d74a5ec044071e01c8" + }, + { + "url": "https://git.kernel.org/stable/c/e0e2eec76920a133dd49a4fbe4656d83596a1361" + }, + { + "url": "https://git.kernel.org/stable/c/f68820f1256b21466ff094dd97f243b7e708f9c1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38619 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38619", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb-storage: alauda: Check whether the media is initialized\n\nThe member \"uzonesize\" of struct alauda_info will remain 0\nif alauda_init_media() fails, potentially causing divide errors\nin alauda_read_data() and alauda_write_lba().\n- Add a member \"media_initialized\" to struct alauda_info.\n- Change a condition in alauda_check_media() to ensure the\n first initialization.\n- Add an error check for the return value of alauda_init_media().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38619\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38619\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38619\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38619\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38619\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16637fea001ab3c8df528a8995b3211906165a30\",\n \"https://git.kernel.org/stable/c/24bff7f714bdff97c2a75a0ff6a368cdf8ad5af4\",\n \"https://git.kernel.org/stable/c/2cc32639ec347e3365075b130f9953ef16cb13f1\",\n \"https://git.kernel.org/stable/c/3eee13ab67f65606faa66e0c3c729e4f514838fd\",\n \"https://git.kernel.org/stable/c/51fe16c058acb22f847e69bc598066ed0bcd5c15\",\n \"https://git.kernel.org/stable/c/e0aab7b07a9375337847c9d74a5ec044071e01c8\",\n \"https://git.kernel.org/stable/c/e0e2eec76920a133dd49a4fbe4656d83596a1361\",\n \"https://git.kernel.org/stable/c/f68820f1256b21466ff094dd97f243b7e708f9c1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb-storage: alauda: Check whether the media is initialized\\n\\nThe member \\\"uzonesize\\\" of struct alauda_info will remain 0\\nif alauda_init_media() fails, potentially causing divide errors\\nin alauda_read_data() and alauda_write_lba().\\n- Add a member \\\"media_initialized\\\" to struct alauda_info.\\n- Change a condition in alauda_check_media() to ensure the\\n first initialization.\\n- Add an error check for the return value of alauda_init_media().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38619\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38621", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38621" + }, + { + "url": "https://git.kernel.org/stable/c/7532bcec0797adfa08791301c3bcae14141db3bd" + }, + { + "url": "https://git.kernel.org/stable/c/a08492832cc4cacc24e0612f483c86ca899b9261" + }, + { + "url": "https://git.kernel.org/stable/c/a16775828aaed1c54ff4e6fe83e8e4d5c6a50cb7" + }, + { + "url": "https://git.kernel.org/stable/c/b504518a397059e1d55c521ba0ea2b545a6c4b52" + }, + { + "url": "https://git.kernel.org/stable/c/d410017a7181cb55e4a5c810b32b75e4416c6808" + }, + { + "url": "https://git.kernel.org/stable/c/ecf4ddc3aee8ade504c4d36b7b4053ce6093e200" + }, + { + "url": "https://git.kernel.org/stable/c/f6a392266276730bea893b55d12940e32a25f56a" + }, + { + "url": "https://git.kernel.org/stable/c/faa4364bef2ec0060de381ff028d1d836600a381" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38621 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38621", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: stk1160: fix bounds checking in stk1160_copy_video()\n\nThe subtract in this condition is reversed. The ->length is the length\nof the buffer. The ->bytesused is how many bytes we have copied thus\nfar. When the condition is reversed that means the result of the\nsubtraction is always negative but since it's unsigned then the result\nis a very high positive value. That means the overflow check is never\ntrue.\n\nAdditionally, the ->bytesused doesn't actually work for this purpose\nbecause we're not writing to \"buf->mem + buf->bytesused\". Instead, the\nmath to calculate the destination where we are writing is a bit\ninvolved. You calculate the number of full lines already written,\nmultiply by two, skip a line if necessary so that we start on an odd\nnumbered line, and add the offset into the line.\n\nTo fix this buffer overflow, just take the actual destination where we\nare writing, if the offset is already out of bounds print an error and\nreturn. Otherwise, write up to buf->length bytes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38621\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38621\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38621\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38621\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38621\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7532bcec0797adfa08791301c3bcae14141db3bd\",\n \"https://git.kernel.org/stable/c/a08492832cc4cacc24e0612f483c86ca899b9261\",\n \"https://git.kernel.org/stable/c/a16775828aaed1c54ff4e6fe83e8e4d5c6a50cb7\",\n \"https://git.kernel.org/stable/c/b504518a397059e1d55c521ba0ea2b545a6c4b52\",\n \"https://git.kernel.org/stable/c/d410017a7181cb55e4a5c810b32b75e4416c6808\",\n \"https://git.kernel.org/stable/c/ecf4ddc3aee8ade504c4d36b7b4053ce6093e200\",\n \"https://git.kernel.org/stable/c/f6a392266276730bea893b55d12940e32a25f56a\",\n \"https://git.kernel.org/stable/c/faa4364bef2ec0060de381ff028d1d836600a381\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: stk1160: fix bounds checking in stk1160_copy_video()\\n\\nThe subtract in this condition is reversed. The ->length is the length\\nof the buffer. The ->bytesused is how many bytes we have copied thus\\nfar. When the condition is reversed that means the result of the\\nsubtraction is always negative but since it's unsigned then the result\\nis a very high positive value. That means the overflow check is never\\ntrue.\\n\\nAdditionally, the ->bytesused doesn't actually work for this purpose\\nbecause we're not writing to \\\"buf->mem + buf->bytesused\\\". Instead, the\\nmath to calculate the destination where we are writing is a bit\\ninvolved. You calculate the number of full lines already written,\\nmultiply by two, skip a line if necessary so that we start on an odd\\nnumbered line, and add the offset into the line.\\n\\nTo fix this buffer overflow, just take the actual destination where we\\nare writing, if the offset is already out of bounds print an error and\\nreturn. Otherwise, write up to buf->length bytes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38621\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38623", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38623" + }, + { + "url": "https://git.kernel.org/stable/c/1997cdc3e727526aa5d84b32f7cbb3f56459b7ef" + }, + { + "url": "https://git.kernel.org/stable/c/1fe1c9dc21ee52920629d2d9b9bd84358931a8d1" + }, + { + "url": "https://git.kernel.org/stable/c/3839a9b19a4b70eff6b6ad70446f639f7fd5a3d7" + }, + { + "url": "https://git.kernel.org/stable/c/a2de301d90b782ac5d7a5fe32995caaee9ab3a0f" + }, + { + "url": "https://git.kernel.org/stable/c/cceef44b34819c24bb6ed70dce5b524bd3e368d1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38623 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38623", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use variable length array instead of fixed size\n\nShould fix smatch warning:\n\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38623\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38623\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38623\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38623\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38623\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1997cdc3e727526aa5d84b32f7cbb3f56459b7ef\",\n \"https://git.kernel.org/stable/c/1fe1c9dc21ee52920629d2d9b9bd84358931a8d1\",\n \"https://git.kernel.org/stable/c/3839a9b19a4b70eff6b6ad70446f639f7fd5a3d7\",\n \"https://git.kernel.org/stable/c/a2de301d90b782ac5d7a5fe32995caaee9ab3a0f\",\n \"https://git.kernel.org/stable/c/cceef44b34819c24bb6ed70dce5b524bd3e368d1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Use variable length array instead of fixed size\\n\\nShould fix smatch warning:\\n\\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38623\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38624", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38624" + }, + { + "url": "https://git.kernel.org/stable/c/109d85a98345ee52d47c650405dc51bdd2bc7d40" + }, + { + "url": "https://git.kernel.org/stable/c/2d1ad595d15f36a925480199bf1d9ad72614210b" + }, + { + "url": "https://git.kernel.org/stable/c/847db4049f6189427ddaefcfc967d4d235b73c57" + }, + { + "url": "https://git.kernel.org/stable/c/98db3155b54d3684ef0ab5bfa0b856d13f65843d" + }, + { + "url": "https://git.kernel.org/stable/c/e931f6b630ffb22d66caab202a52aa8cbb10c649" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38624 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38624", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\n\nFor example, in the expression:\n\tvbo = 2 * vbo + skip", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38624\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38624\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38624\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38624\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38624\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/109d85a98345ee52d47c650405dc51bdd2bc7d40\",\n \"https://git.kernel.org/stable/c/2d1ad595d15f36a925480199bf1d9ad72614210b\",\n \"https://git.kernel.org/stable/c/847db4049f6189427ddaefcfc967d4d235b73c57\",\n \"https://git.kernel.org/stable/c/98db3155b54d3684ef0ab5bfa0b856d13f65843d\",\n \"https://git.kernel.org/stable/c/e931f6b630ffb22d66caab202a52aa8cbb10c649\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\\n\\nFor example, in the expression:\\n\\tvbo = 2 * vbo + skip\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38624\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38625", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38625" + }, + { + "url": "https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803" + }, + { + "url": "https://git.kernel.org/stable/c/6c8054d590668629bb2eb6fb4cbf22455d08ada8" + }, + { + "url": "https://git.kernel.org/stable/c/ff1068929459347f9e47f8d14c409dcf938c2641" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38625 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38625", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Check 'folio' pointer for NULL\n\nIt can be NULL if bmap is called.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38625\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38625\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38625\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38625\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38625\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803\",\n \"https://git.kernel.org/stable/c/6c8054d590668629bb2eb6fb4cbf22455d08ada8\",\n \"https://git.kernel.org/stable/c/ff1068929459347f9e47f8d14c409dcf938c2641\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Check 'folio' pointer for NULL\\n\\nIt can be NULL if bmap is called.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38625\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38627", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38627" + }, + { + "url": "https://git.kernel.org/stable/c/370c480410f60b90ba3e96abe73ead21ec827b20" + }, + { + "url": "https://git.kernel.org/stable/c/3df463865ba42b8f88a590326f4c9ea17a1ce459" + }, + { + "url": "https://git.kernel.org/stable/c/4bfd48bb6e62512b9c392c5002c11e1e3b18d247" + }, + { + "url": "https://git.kernel.org/stable/c/6cc30ef8eb6d8f8d6df43152264bbf8835d99931" + }, + { + "url": "https://git.kernel.org/stable/c/713fc00c571dde4af3db2dbd5d1b0eadc327817b" + }, + { + "url": "https://git.kernel.org/stable/c/7419df1acffbcc90037f6b5a2823e81389659b36" + }, + { + "url": "https://git.kernel.org/stable/c/a0450d3f38e7c6c0a7c0afd4182976ee15573695" + }, + { + "url": "https://git.kernel.org/stable/c/d782a2db8f7ac49c33b9ca3e835500a28667d1be" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38627 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38627", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nstm class: Fix a double free in stm_register_device()\n\nThe put_device(&stm->dev) call will trigger stm_device_release() which\nfrees \"stm\" so the vfree(stm) on the next line is a double free.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38627\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38627\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38627\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38627\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38627\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/370c480410f60b90ba3e96abe73ead21ec827b20\",\n \"https://git.kernel.org/stable/c/3df463865ba42b8f88a590326f4c9ea17a1ce459\",\n \"https://git.kernel.org/stable/c/4bfd48bb6e62512b9c392c5002c11e1e3b18d247\",\n \"https://git.kernel.org/stable/c/6cc30ef8eb6d8f8d6df43152264bbf8835d99931\",\n \"https://git.kernel.org/stable/c/713fc00c571dde4af3db2dbd5d1b0eadc327817b\",\n \"https://git.kernel.org/stable/c/7419df1acffbcc90037f6b5a2823e81389659b36\",\n \"https://git.kernel.org/stable/c/a0450d3f38e7c6c0a7c0afd4182976ee15573695\",\n \"https://git.kernel.org/stable/c/d782a2db8f7ac49c33b9ca3e835500a28667d1be\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nstm class: Fix a double free in stm_register_device()\\n\\nThe put_device(&stm->dev) call will trigger stm_device_release() which\\nfrees \\\"stm\\\" so the vfree(stm) on the next line is a double free.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38627\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38628", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38628" + }, + { + "url": "https://git.kernel.org/stable/c/1b739388aa3f8dfb63a9fca777e6dfa6912d0464" + }, + { + "url": "https://git.kernel.org/stable/c/453d3fa9266e53f85377b911c19b9a4563fa88c0" + }, + { + "url": "https://git.kernel.org/stable/c/89e66809684485590ea0b32c3178e42cba36ac09" + }, + { + "url": "https://git.kernel.org/stable/c/bea73b58ab67fe581037ad9cdb93c2557590c068" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38628 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38628", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.\n\nHang on to the control IDs instead of pointers since those are correctly\nhandled with locks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38628\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38628\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38628\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38628\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38628\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b739388aa3f8dfb63a9fca777e6dfa6912d0464\",\n \"https://git.kernel.org/stable/c/453d3fa9266e53f85377b911c19b9a4563fa88c0\",\n \"https://git.kernel.org/stable/c/89e66809684485590ea0b32c3178e42cba36ac09\",\n \"https://git.kernel.org/stable/c/bea73b58ab67fe581037ad9cdb93c2557590c068\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.\\n\\nHang on to the control IDs instead of pointers since those are correctly\\nhandled with locks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38628\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38630", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38630" + }, + { + "url": "https://git.kernel.org/stable/c/573601521277119f2e2ba5f28ae6e87fc594f4d4" + }, + { + "url": "https://git.kernel.org/stable/c/9b1c063ffc075abf56f63e55d70b9778ff534314" + }, + { + "url": "https://git.kernel.org/stable/c/f19686d616500cd0d47b30cee82392b53f7f784a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38630 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38630", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\n\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\n\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38630\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38630\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38630\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38630\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38630\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/573601521277119f2e2ba5f28ae6e87fc594f4d4\",\n \"https://git.kernel.org/stable/c/9b1c063ffc075abf56f63e55d70b9778ff534314\",\n \"https://git.kernel.org/stable/c/f19686d616500cd0d47b30cee82392b53f7f784a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\\n\\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\\nde-activate the timer. If the timer handler is running, del_timer() could\\nnot stop it and will return directly. If the port region is released by\\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\\nto write into the region that is released, the use-after-free bug will\\nhappen.\\n\\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\\ncould be finished before the port region is released.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38630\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38632", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38632" + }, + { + "url": "https://git.kernel.org/stable/c/0bd22a4966d55f1d2c127a53300d5c2b50152376" + }, + { + "url": "https://git.kernel.org/stable/c/35fef97c33f3d3ca0455f9a8e2a3f2c1f8cc9140" + }, + { + "url": "https://git.kernel.org/stable/c/82b951e6fbd31d85ae7f4feb5f00ddd4c5d256e2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38632 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38632", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix potential memory leak in vfio_intx_enable()\n\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38632\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38632\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38632\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38632\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38632\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0bd22a4966d55f1d2c127a53300d5c2b50152376\",\n \"https://git.kernel.org/stable/c/35fef97c33f3d3ca0455f9a8e2a3f2c1f8cc9140\",\n \"https://git.kernel.org/stable/c/82b951e6fbd31d85ae7f4feb5f00ddd4c5d256e2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/pci: fix potential memory leak in vfio_intx_enable()\\n\\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38632\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38633", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38633" + }, + { + "url": "https://git.kernel.org/stable/c/21a61a7fbcfdd3493cede43ebc7c4dfae2147a8b" + }, + { + "url": "https://git.kernel.org/stable/c/361a92c9038e8c8c3996f8eeaa14522a8ad90752" + }, + { + "url": "https://git.kernel.org/stable/c/712a1fcb38dc7cac6da63ee79a88708fbf9c45ec" + }, + { + "url": "https://git.kernel.org/stable/c/9db4222ed8cd3e50b81c8b910ae74c26427a4003" + }, + { + "url": "https://git.kernel.org/stable/c/b6eb7aff23e05f362e8c9b560f6ac5e727b70e00" + }, + { + "url": "https://git.kernel.org/stable/c/e8a10089eddba40d4b2080c9d3fc2d2b2488f762" + }, + { + "url": "https://git.kernel.org/stable/c/e8e2a4339decad7e59425b594a98613402652d72" + }, + { + "url": "https://git.kernel.org/stable/c/fa84ca78b048dfb00df0ef446f5c35e0a98ca6a0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38633 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38633", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Update uart_driver_registered on driver removal\n\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod — rmmod — insmod cycle the kernel\noopses:\n\n max3100 spi-PRP0001:01: max3100_probe: adding port 0\n BUG: kernel NULL pointer dereference, address: 0000000000000408\n ...\n RIP: 0010:serial_core_register_port+0xa0/0x840\n ...\n max3100_probe+0x1b6/0x280 [max3100]\n spi_probe+0x8d/0xb0\n\nUpdate the actual state so next time UART driver will be registered\nagain.\n\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38633\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38633\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38633\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38633\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38633\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21a61a7fbcfdd3493cede43ebc7c4dfae2147a8b\",\n \"https://git.kernel.org/stable/c/361a92c9038e8c8c3996f8eeaa14522a8ad90752\",\n \"https://git.kernel.org/stable/c/712a1fcb38dc7cac6da63ee79a88708fbf9c45ec\",\n \"https://git.kernel.org/stable/c/9db4222ed8cd3e50b81c8b910ae74c26427a4003\",\n \"https://git.kernel.org/stable/c/b6eb7aff23e05f362e8c9b560f6ac5e727b70e00\",\n \"https://git.kernel.org/stable/c/e8a10089eddba40d4b2080c9d3fc2d2b2488f762\",\n \"https://git.kernel.org/stable/c/e8e2a4339decad7e59425b594a98613402652d72\",\n \"https://git.kernel.org/stable/c/fa84ca78b048dfb00df0ef446f5c35e0a98ca6a0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: max3100: Update uart_driver_registered on driver removal\\n\\nThe removal of the last MAX3100 device triggers the removal of\\nthe driver. However, code doesn't update the respective global\\nvariable and after insmod — rmmod — insmod cycle the kernel\\noopses:\\n\\n max3100 spi-PRP0001:01: max3100_probe: adding port 0\\n BUG: kernel NULL pointer dereference, address: 0000000000000408\\n ...\\n RIP: 0010:serial_core_register_port+0xa0/0x840\\n ...\\n max3100_probe+0x1b6/0x280 [max3100]\\n spi_probe+0x8d/0xb0\\n\\nUpdate the actual state so next time UART driver will be registered\\nagain.\\n\\nHugo also noticed, that the error path in the probe also affected\\nby having the variable set, and not cleared. Instead of clearing it\\nmove the assignment after the successfull uart_register_driver() call.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38633\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38634", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38634" + }, + { + "url": "https://git.kernel.org/stable/c/44b38924135d2093e2ec1812969464845dd66dc9" + }, + { + "url": "https://git.kernel.org/stable/c/77ab53371a2066fdf9b895246505f5ef5a4b5d47" + }, + { + "url": "https://git.kernel.org/stable/c/78dbda51bb4241b88a52d71620f06231a341f9ba" + }, + { + "url": "https://git.kernel.org/stable/c/8296bb9e5925b6634259c5d4daee88f0cc0884ec" + }, + { + "url": "https://git.kernel.org/stable/c/865b30c8661924ee9145f442bf32cea549faa869" + }, + { + "url": "https://git.kernel.org/stable/c/93df2fba6c7dfa9a2f08546ea9a5ca4728758458" + }, + { + "url": "https://git.kernel.org/stable/c/cc121e3722a0a2c8f716ef991e5425b180a5fb94" + }, + { + "url": "https://git.kernel.org/stable/c/ea9b35372b58ac2931bfc1d5bc25e839d1221e30" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38634 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38634", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\n\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\n\n WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n ...\n Workqueue: max3100-0 max3100_work [max3100]\n RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n ...\n max3100_handlerx+0xc5/0x110 [max3100]\n max3100_work+0x12a/0x340 [max3100]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38634\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38634\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38634\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38634\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38634\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/44b38924135d2093e2ec1812969464845dd66dc9\",\n \"https://git.kernel.org/stable/c/77ab53371a2066fdf9b895246505f5ef5a4b5d47\",\n \"https://git.kernel.org/stable/c/78dbda51bb4241b88a52d71620f06231a341f9ba\",\n \"https://git.kernel.org/stable/c/8296bb9e5925b6634259c5d4daee88f0cc0884ec\",\n \"https://git.kernel.org/stable/c/865b30c8661924ee9145f442bf32cea549faa869\",\n \"https://git.kernel.org/stable/c/93df2fba6c7dfa9a2f08546ea9a5ca4728758458\",\n \"https://git.kernel.org/stable/c/cc121e3722a0a2c8f716ef991e5425b180a5fb94\",\n \"https://git.kernel.org/stable/c/ea9b35372b58ac2931bfc1d5bc25e839d1221e30\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\\n\\nuart_handle_cts_change() has to be called with port lock taken,\\nSince we run it in a separate work, the lock may not be taken at\\nthe time of running. Make sure that it's taken by explicitly doing\\nthat. Without it we got a splat:\\n\\n WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\\n ...\\n Workqueue: max3100-0 max3100_work [max3100]\\n RIP: 0010:uart_handle_cts_change+0xa6/0xb0\\n ...\\n max3100_handlerx+0xc5/0x110 [max3100]\\n max3100_work+0x12a/0x340 [max3100]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38634\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38635", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38635" + }, + { + "url": "https://git.kernel.org/stable/c/002364b2d594a9afc0385c09e00994c510b1d089" + }, + { + "url": "https://git.kernel.org/stable/c/2ebcaa0e5db9b6044bb487ae1cf41bc601761567" + }, + { + "url": "https://git.kernel.org/stable/c/4e99103f757cdf636c6ee860994a19a346a11785" + }, + { + "url": "https://git.kernel.org/stable/c/7eeef1e935d23db5265233d92395bd5c648a4021" + }, + { + "url": "https://git.kernel.org/stable/c/8ee1b439b1540ae543149b15a2a61b9dff937d91" + }, + { + "url": "https://git.kernel.org/stable/c/902f6d656441a511ac25c6cffce74496db10a078" + }, + { + "url": "https://git.kernel.org/stable/c/fd4bcb991ebaf0d1813d81d9983cfa99f9ef5328" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38635 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38635", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: cadence: fix invalid PDI offset\n\nFor some reason, we add an offset to the PDI, presumably to skip the\nPDI0 and PDI1 which are reserved for BPT.\n\nThis code is however completely wrong and leads to an out-of-bounds\naccess. We were just lucky so far since we used only a couple of PDIs\nand remained within the PDI array bounds.\n\nA Fixes: tag is not provided since there are no known platforms where\nthe out-of-bounds would be accessed, and the initial code had problems\nas well.\n\nA follow-up patch completely removes this useless offset.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38635\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38635\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38635\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38635\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38635\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/002364b2d594a9afc0385c09e00994c510b1d089\",\n \"https://git.kernel.org/stable/c/2ebcaa0e5db9b6044bb487ae1cf41bc601761567\",\n \"https://git.kernel.org/stable/c/4e99103f757cdf636c6ee860994a19a346a11785\",\n \"https://git.kernel.org/stable/c/7eeef1e935d23db5265233d92395bd5c648a4021\",\n \"https://git.kernel.org/stable/c/8ee1b439b1540ae543149b15a2a61b9dff937d91\",\n \"https://git.kernel.org/stable/c/902f6d656441a511ac25c6cffce74496db10a078\",\n \"https://git.kernel.org/stable/c/fd4bcb991ebaf0d1813d81d9983cfa99f9ef5328\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoundwire: cadence: fix invalid PDI offset\\n\\nFor some reason, we add an offset to the PDI, presumably to skip the\\nPDI0 and PDI1 which are reserved for BPT.\\n\\nThis code is however completely wrong and leads to an out-of-bounds\\naccess. We were just lucky so far since we used only a couple of PDIs\\nand remained within the PDI array bounds.\\n\\nA Fixes: tag is not provided since there are no known platforms where\\nthe out-of-bounds would be accessed, and the initial code had problems\\nas well.\\n\\nA follow-up patch completely removes this useless offset.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38635\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38637", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38637" + }, + { + "url": "https://git.kernel.org/stable/c/330f6bcdcef03f70f81db5f2ed6747af656a09f2" + }, + { + "url": "https://git.kernel.org/stable/c/518e2c46b5dbce40b1aa0100001d03c3ceaa7d38" + }, + { + "url": "https://git.kernel.org/stable/c/895cdd9aa9546523df839f9cc1488a0ecc1e0731" + }, + { + "url": "https://git.kernel.org/stable/c/8f4a76d477f0cc3c54d512f07f6f88c8e1c1e07b" + }, + { + "url": "https://git.kernel.org/stable/c/9b41a9b9c8be8c552f10633453fdb509e83b66f8" + }, + { + "url": "https://git.kernel.org/stable/c/a1ba19a1ae7cd1e324685ded4ab563e78fe68648" + }, + { + "url": "https://git.kernel.org/stable/c/e2c64246e5dc8c0d35ec41770b85e2b4cafdff21" + }, + { + "url": "https://git.kernel.org/stable/c/eac10cf3a97ffd4b4deb0a29f57c118225a42850" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38637 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38637", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: lights: check return of get_channel_from_mode\n\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\n\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38637\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38637\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38637\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38637\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38637\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/330f6bcdcef03f70f81db5f2ed6747af656a09f2\",\n \"https://git.kernel.org/stable/c/518e2c46b5dbce40b1aa0100001d03c3ceaa7d38\",\n \"https://git.kernel.org/stable/c/895cdd9aa9546523df839f9cc1488a0ecc1e0731\",\n \"https://git.kernel.org/stable/c/8f4a76d477f0cc3c54d512f07f6f88c8e1c1e07b\",\n \"https://git.kernel.org/stable/c/9b41a9b9c8be8c552f10633453fdb509e83b66f8\",\n \"https://git.kernel.org/stable/c/a1ba19a1ae7cd1e324685ded4ab563e78fe68648\",\n \"https://git.kernel.org/stable/c/e2c64246e5dc8c0d35ec41770b85e2b4cafdff21\",\n \"https://git.kernel.org/stable/c/eac10cf3a97ffd4b4deb0a29f57c118225a42850\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngreybus: lights: check return of get_channel_from_mode\\n\\nIf channel for the given node is not found we return null from\\nget_channel_from_mode. Make sure we validate the return pointer\\nbefore using it in two of the missing places.\\n\\nThis was originally reported in [0]:\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\\n\\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38637\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38659", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38659" + }, + { + "url": "https://git.kernel.org/stable/c/25571a12fbc8a1283bd8380d461267956fd426f7" + }, + { + "url": "https://git.kernel.org/stable/c/2b649d7e0cb42a660f0260ef25fd55fdc9c6c600" + }, + { + "url": "https://git.kernel.org/stable/c/3c0d36972edbe56fcf98899622d9b90ac9965227" + }, + { + "url": "https://git.kernel.org/stable/c/7077c22f84f41974a711604a42fd0e0684232ee5" + }, + { + "url": "https://git.kernel.org/stable/c/aee1955a1509a921c05c70dad5d6fc8563dfcb31" + }, + { + "url": "https://git.kernel.org/stable/c/ca63fb7af9d3e531aa25f7ae187bfc6c7166ec2d" + }, + { + "url": "https://git.kernel.org/stable/c/e8021b94b0412c37bcc79027c2e382086b6ce449" + }, + { + "url": "https://git.kernel.org/stable/c/f6638e955ca00c489894789492776842e102af9c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38659 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38659", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nenic: Validate length of nl attributes in enic_set_vf_port\n\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\nis of length PORT_PROFILE_MAX and that the nl attributes\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\nusing the policy is for the max size of the attributes and not on exact\nsize so the length of these attributes might be less than the sizes that\nenic_set_vf_port expects. This might cause an out of bands\nread access in the memcpys of the data of these\nattributes in enic_set_vf_port.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38659\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38659\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38659\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38659\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38659\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25571a12fbc8a1283bd8380d461267956fd426f7\",\n \"https://git.kernel.org/stable/c/2b649d7e0cb42a660f0260ef25fd55fdc9c6c600\",\n \"https://git.kernel.org/stable/c/3c0d36972edbe56fcf98899622d9b90ac9965227\",\n \"https://git.kernel.org/stable/c/7077c22f84f41974a711604a42fd0e0684232ee5\",\n \"https://git.kernel.org/stable/c/aee1955a1509a921c05c70dad5d6fc8563dfcb31\",\n \"https://git.kernel.org/stable/c/ca63fb7af9d3e531aa25f7ae187bfc6c7166ec2d\",\n \"https://git.kernel.org/stable/c/e8021b94b0412c37bcc79027c2e382086b6ce449\",\n \"https://git.kernel.org/stable/c/f6638e955ca00c489894789492776842e102af9c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nenic: Validate length of nl attributes in enic_set_vf_port\\n\\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\\nis of length PORT_PROFILE_MAX and that the nl attributes\\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\\nusing the policy is for the max size of the attributes and not on exact\\nsize so the length of these attributes might be less than the sizes that\\nenic_set_vf_port expects. This might cause an out of bands\\nread access in the memcpys of the data of these\\nattributes in enic_set_vf_port.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38659\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38661", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38661" + }, + { + "url": "https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558" + }, + { + "url": "https://git.kernel.org/stable/c/4c0bfb4e867c1ec6616a5049bd3618021e127056" + }, + { + "url": "https://git.kernel.org/stable/c/67011123453b91ec03671d40712fa213e94a01b9" + }, + { + "url": "https://git.kernel.org/stable/c/7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0" + }, + { + "url": "https://git.kernel.org/stable/c/7c72af16abf2ec7520407098360bbba312289e05" + }, + { + "url": "https://git.kernel.org/stable/c/7dabe54a016defe11bb2a278cd9f1ff6db3feba6" + }, + { + "url": "https://git.kernel.org/stable/c/8c5f5911c1b13170d3404eb992c6a0deaa8d81ad" + }, + { + "url": "https://git.kernel.org/stable/c/d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38661 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38661", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ap: Fix crash in AP internal function modify_bitmap()\n\nA system crash like this\n\n Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n Fault in home space mode while using kernel ASCE.\n AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n Oops: 0038 ilc:3 [#1] PREEMPT SMP\n Modules linked in: mlx5_ib ...\n CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n Hardware name: IBM 3931 A01 704 (LPAR)\n Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a\n 0000014b75e7b600: 18b2 lr %r11,%r2\n #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616\n >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)\n 0000014b75e7b60c: a7680001 lhi %r6,1\n 0000014b75e7b610: 187b lr %r7,%r11\n 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654\n 0000014b75e7b616: 18e9 lr %r14,%r9\n Call Trace:\n [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n [<0000014b75e7b758>] apmask_store+0x68/0x140\n [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n [<0000014b75598524>] vfs_write+0x1b4/0x448\n [<0000014b7559894c>] ksys_write+0x74/0x100\n [<0000014b7618a440>] __do_syscall+0x268/0x328\n [<0000014b761a3558>] system_call+0x70/0x98\n INFO: lockdep is turned off.\n Last Breaking-Event-Address:\n [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n Kernel panic - not syncing: Fatal exception: panic_on_oops\n\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\n\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38661\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38661\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38661\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38661\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38661\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558\",\n \"https://git.kernel.org/stable/c/4c0bfb4e867c1ec6616a5049bd3618021e127056\",\n \"https://git.kernel.org/stable/c/67011123453b91ec03671d40712fa213e94a01b9\",\n \"https://git.kernel.org/stable/c/7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0\",\n \"https://git.kernel.org/stable/c/7c72af16abf2ec7520407098360bbba312289e05\",\n \"https://git.kernel.org/stable/c/7dabe54a016defe11bb2a278cd9f1ff6db3feba6\",\n \"https://git.kernel.org/stable/c/8c5f5911c1b13170d3404eb992c6a0deaa8d81ad\",\n \"https://git.kernel.org/stable/c/d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/ap: Fix crash in AP internal function modify_bitmap()\\n\\nA system crash like this\\n\\n Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\\n Fault in home space mode while using kernel ASCE.\\n AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\\n Oops: 0038 ilc:3 [#1] PREEMPT SMP\\n Modules linked in: mlx5_ib ...\\n CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\\n Hardware name: IBM 3931 A01 704 (LPAR)\\n Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\\n R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\\n Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\\n 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\\n 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\\n 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\\n Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a\\n 0000014b75e7b600: 18b2 lr %r11,%r2\\n #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616\\n >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)\\n 0000014b75e7b60c: a7680001 lhi %r6,1\\n 0000014b75e7b610: 187b lr %r7,%r11\\n 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654\\n 0000014b75e7b616: 18e9 lr %r14,%r9\\n Call Trace:\\n [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\\n ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\\n [<0000014b75e7b758>] apmask_store+0x68/0x140\\n [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\\n [<0000014b75598524>] vfs_write+0x1b4/0x448\\n [<0000014b7559894c>] ksys_write+0x74/0x100\\n [<0000014b7618a440>] __do_syscall+0x268/0x328\\n [<0000014b761a3558>] system_call+0x70/0x98\\n INFO: lockdep is turned off.\\n Last Breaking-Event-Address:\\n [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\\n Kernel panic - not syncing: Fatal exception: panic_on_oops\\n\\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\\n\\nThe fix is simple: use unsigned long values for the internal variables. The\\ncorrect checks are already in place in the function but a simple int for\\nthe internal variables was used with the possibility to overflow.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38661\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38662", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38662" + }, + { + "url": "https://git.kernel.org/stable/c/000a65bf1dc04fb2b65e2abf116f0bc0fc2ee7b1" + }, + { + "url": "https://git.kernel.org/stable/c/11e8ecc5b86037fec43d07b1c162e233e131b1d9" + }, + { + "url": "https://git.kernel.org/stable/c/29467edc23818dc5a33042ffb4920b49b090e63d" + }, + { + "url": "https://git.kernel.org/stable/c/6693b172f008846811f48a099f33effc26068e1e" + }, + { + "url": "https://git.kernel.org/stable/c/98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d" + }, + { + "url": "https://git.kernel.org/stable/c/b81e1c5a3c70398cf76631ede63a03616ed1ba3c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38662 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38662", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Allow delete from sockmap/sockhash only if update is allowed\n\nWe have seen an influx of syzkaller reports where a BPF program attached to\na tracepoint triggers a locking rule violation by performing a map_delete\non a sockmap/sockhash.\n\nWe don't intend to support this artificial use scenario. Extend the\nexisting verifier allowed-program-type check for updating sockmap/sockhash\nto also cover deleting from a map.\n\nFrom now on only BPF programs which were previously allowed to update\nsockmap/sockhash can delete from these map types.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38662\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38662\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38662\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38662\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38662\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/000a65bf1dc04fb2b65e2abf116f0bc0fc2ee7b1\",\n \"https://git.kernel.org/stable/c/11e8ecc5b86037fec43d07b1c162e233e131b1d9\",\n \"https://git.kernel.org/stable/c/29467edc23818dc5a33042ffb4920b49b090e63d\",\n \"https://git.kernel.org/stable/c/6693b172f008846811f48a099f33effc26068e1e\",\n \"https://git.kernel.org/stable/c/98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d\",\n \"https://git.kernel.org/stable/c/b81e1c5a3c70398cf76631ede63a03616ed1ba3c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Allow delete from sockmap/sockhash only if update is allowed\\n\\nWe have seen an influx of syzkaller reports where a BPF program attached to\\na tracepoint triggers a locking rule violation by performing a map_delete\\non a sockmap/sockhash.\\n\\nWe don't intend to support this artificial use scenario. Extend the\\nexisting verifier allowed-program-type check for updating sockmap/sockhash\\nto also cover deleting from a map.\\n\\nFrom now on only BPF programs which were previously allowed to update\\nsockmap/sockhash can delete from these map types.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38662\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38667", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38667" + }, + { + "url": "https://git.kernel.org/stable/c/0c1f28c32a194303da630fca89481334b9547b80" + }, + { + "url": "https://git.kernel.org/stable/c/3090c06d50eaa91317f84bf3eac4c265e6cb8d44" + }, + { + "url": "https://git.kernel.org/stable/c/a638b0461b58aa3205cd9d5f14d6f703d795b4af" + }, + { + "url": "https://git.kernel.org/stable/c/ea22d4195cca13d5fdbc4d6555a2dfb8a7867a9e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38667 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38667", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: prevent pt_regs corruption for secondary idle threads\n\nTop of the kernel thread stack should be reserved for pt_regs. However\nthis is not the case for the idle threads of the secondary boot harts.\nTheir stacks overlap with their pt_regs, so both may get corrupted.\n\nSimilar issue has been fixed for the primary hart, see c7cdd96eca28\n(\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\").\nHowever that fix was not propagated to the secondary harts. The problem\nhas been noticed in some CPU hotplug tests with V enabled. The function\nsmp_callin stored several registers on stack, corrupting top of pt_regs\nstructure including status field. As a result, kernel attempted to save\nor restore inexistent V context.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38667\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38667\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38667\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38667\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38667\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c1f28c32a194303da630fca89481334b9547b80\",\n \"https://git.kernel.org/stable/c/3090c06d50eaa91317f84bf3eac4c265e6cb8d44\",\n \"https://git.kernel.org/stable/c/a638b0461b58aa3205cd9d5f14d6f703d795b4af\",\n \"https://git.kernel.org/stable/c/ea22d4195cca13d5fdbc4d6555a2dfb8a7867a9e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: prevent pt_regs corruption for secondary idle threads\\n\\nTop of the kernel thread stack should be reserved for pt_regs. However\\nthis is not the case for the idle threads of the secondary boot harts.\\nTheir stacks overlap with their pt_regs, so both may get corrupted.\\n\\nSimilar issue has been fixed for the primary hart, see c7cdd96eca28\\n(\\\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\\\").\\nHowever that fix was not propagated to the secondary harts. The problem\\nhas been noticed in some CPU hotplug tests with V enabled. The function\\nsmp_callin stored several registers on stack, corrupting top of pt_regs\\nstructure including status field. As a result, kernel attempted to save\\nor restore inexistent V context.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38667\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38780", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38780" + }, + { + "url": "https://git.kernel.org/stable/c/165b25e3ee9333f7b04f8db43895beacb51582ed" + }, + { + "url": "https://git.kernel.org/stable/c/1ff116f68560a25656933d5a18e7619cb6773d8a" + }, + { + "url": "https://git.kernel.org/stable/c/242b30466879e6defa521573c27e12018276c33a" + }, + { + "url": "https://git.kernel.org/stable/c/8a283cdfc8beeb14024387a925247b563d614e1e" + }, + { + "url": "https://git.kernel.org/stable/c/9d75fab2c14a25553a1664586ed122c316bd1878" + }, + { + "url": "https://git.kernel.org/stable/c/a4ee78244445ab73af22bfc5a5fc543963b25aef" + }, + { + "url": "https://git.kernel.org/stable/c/ae6fc4e6a3322f6d1c8ff59150d8469487a73dd8" + }, + { + "url": "https://git.kernel.org/stable/c/b794918961516f667b0c745aebdfebbb8a98df39" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38780 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38780", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\n\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\n\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38780\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38780\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38780\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38780\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38780\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/165b25e3ee9333f7b04f8db43895beacb51582ed\",\n \"https://git.kernel.org/stable/c/1ff116f68560a25656933d5a18e7619cb6773d8a\",\n \"https://git.kernel.org/stable/c/242b30466879e6defa521573c27e12018276c33a\",\n \"https://git.kernel.org/stable/c/8a283cdfc8beeb14024387a925247b563d614e1e\",\n \"https://git.kernel.org/stable/c/9d75fab2c14a25553a1664586ed122c316bd1878\",\n \"https://git.kernel.org/stable/c/a4ee78244445ab73af22bfc5a5fc543963b25aef\",\n \"https://git.kernel.org/stable/c/ae6fc4e6a3322f6d1c8ff59150d8469487a73dd8\",\n \"https://git.kernel.org/stable/c/b794918961516f667b0c745aebdfebbb8a98df39\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\\n\\nSince commit a6aa8fca4d79 (\\\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\\nknown context\\\") by error replaced spin_unlock_irqrestore() with\\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\\ninconsistent lock state warning.\\n\\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38780\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39276", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39276" + }, + { + "url": "https://git.kernel.org/stable/c/0c0b4a49d3e7f49690a6827a41faeffad5df7e21" + }, + { + "url": "https://git.kernel.org/stable/c/681ff9a09accd8a4379f8bd30b7a1641ee19bb3e" + }, + { + "url": "https://git.kernel.org/stable/c/76dc776153a47372719d664e0fc50d6355791abb" + }, + { + "url": "https://git.kernel.org/stable/c/896a7e7d0d555ad8b2b46af0c2fa7de7467f9483" + }, + { + "url": "https://git.kernel.org/stable/c/9ad75e78747b5a50dc5a52f0f8e92e920a653f16" + }, + { + "url": "https://git.kernel.org/stable/c/a95df6f04f2c37291adf26a74205cde0314d4577" + }, + { + "url": "https://git.kernel.org/stable/c/b37c0edef4e66fb21a2fbc211471195a383e5ab8" + }, + { + "url": "https://git.kernel.org/stable/c/e941b712e758f615d311946bf98216e79145ccd9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39276 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39276", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()\n\nSyzbot reports a warning as follows:\n\n============================================\nWARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290\nModules linked in:\nCPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7\nRIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419\nCall Trace:\n \n ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375\n generic_shutdown_super+0x136/0x2d0 fs/super.c:641\n kill_block_super+0x44/0x90 fs/super.c:1675\n ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327\n[...]\n============================================\n\nThis is because when finding an entry in ext4_xattr_block_cache_find(), if\next4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown\nin the __entry_find(), won't be put away, and eventually trigger the above\nissue in mb_cache_destroy() due to reference count leakage.\n\nSo call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39276\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39276\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39276\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39276\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39276\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c0b4a49d3e7f49690a6827a41faeffad5df7e21\",\n \"https://git.kernel.org/stable/c/681ff9a09accd8a4379f8bd30b7a1641ee19bb3e\",\n \"https://git.kernel.org/stable/c/76dc776153a47372719d664e0fc50d6355791abb\",\n \"https://git.kernel.org/stable/c/896a7e7d0d555ad8b2b46af0c2fa7de7467f9483\",\n \"https://git.kernel.org/stable/c/9ad75e78747b5a50dc5a52f0f8e92e920a653f16\",\n \"https://git.kernel.org/stable/c/a95df6f04f2c37291adf26a74205cde0314d4577\",\n \"https://git.kernel.org/stable/c/b37c0edef4e66fb21a2fbc211471195a383e5ab8\",\n \"https://git.kernel.org/stable/c/e941b712e758f615d311946bf98216e79145ccd9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()\\n\\nSyzbot reports a warning as follows:\\n\\n============================================\\nWARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290\\nModules linked in:\\nCPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7\\nRIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419\\nCall Trace:\\n \\n ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375\\n generic_shutdown_super+0x136/0x2d0 fs/super.c:641\\n kill_block_super+0x44/0x90 fs/super.c:1675\\n ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327\\n[...]\\n============================================\\n\\nThis is because when finding an entry in ext4_xattr_block_cache_find(), if\\next4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown\\nin the __entry_find(), won't be put away, and eventually trigger the above\\nissue in mb_cache_destroy() due to reference count leakage.\\n\\nSo call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39276\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39277", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39277" + }, + { + "url": "https://git.kernel.org/stable/c/50ee21bfc005e69f183d6b4b454e33f0c2571e1f" + }, + { + "url": "https://git.kernel.org/stable/c/5a91116b003175302f2e6ad94b76fb9b5a141a41" + }, + { + "url": "https://git.kernel.org/stable/c/8e1ba9df9a35e8dc64f657a64e523c79ba01e464" + }, + { + "url": "https://git.kernel.org/stable/c/b41b0018e8ca06e985e87220a618ec633988fd13" + }, + { + "url": "https://git.kernel.org/stable/c/e64746e74f717961250a155e14c156616fcd981f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39277 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39277", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: handle NUMA_NO_NODE correctly\n\ncpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()\nresulting in the following sanitizer report:\n\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\nindex -1 is out of range for type 'cpumask [64][1]'\nCPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117)\nubsan_epilogue (lib/ubsan.c:232)\n__ubsan_handle_out_of_bounds (lib/ubsan.c:429)\ncpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]\ndo_map_benchmark (kernel/dma/map_benchmark.c:104)\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:246)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nUse cpumask_of_node() in place when binding a kernel thread to a cpuset\nof a particular node.\n\nNote that the provided node id is checked inside map_benchmark_ioctl().\nIt's just a NUMA_NO_NODE case which is not handled properly later.\n\nFound by Linux Verification Center (linuxtesting.org).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39277\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39277\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39277\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39277\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39277\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/50ee21bfc005e69f183d6b4b454e33f0c2571e1f\",\n \"https://git.kernel.org/stable/c/5a91116b003175302f2e6ad94b76fb9b5a141a41\",\n \"https://git.kernel.org/stable/c/8e1ba9df9a35e8dc64f657a64e523c79ba01e464\",\n \"https://git.kernel.org/stable/c/b41b0018e8ca06e985e87220a618ec633988fd13\",\n \"https://git.kernel.org/stable/c/e64746e74f717961250a155e14c156616fcd981f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma-mapping: benchmark: handle NUMA_NO_NODE correctly\\n\\ncpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()\\nresulting in the following sanitizer report:\\n\\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\\nindex -1 is out of range for type 'cpumask [64][1]'\\nCPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\\nCall Trace:\\n \\ndump_stack_lvl (lib/dump_stack.c:117)\\nubsan_epilogue (lib/ubsan.c:232)\\n__ubsan_handle_out_of_bounds (lib/ubsan.c:429)\\ncpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]\\ndo_map_benchmark (kernel/dma/map_benchmark.c:104)\\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:246)\\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\\n__x64_sys_ioctl (fs/ioctl.c:890)\\ndo_syscall_64 (arch/x86/entry/common.c:83)\\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\nUse cpumask_of_node() in place when binding a kernel thread to a cpuset\\nof a particular node.\\n\\nNote that the provided node id is checked inside map_benchmark_ioctl().\\nIt's just a NUMA_NO_NODE case which is not handled properly later.\\n\\nFound by Linux Verification Center (linuxtesting.org).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39277\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39292", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39292" + }, + { + "url": "https://git.kernel.org/stable/c/0c02d425a2fbe52643a5859a779db0329e7dddd4" + }, + { + "url": "https://git.kernel.org/stable/c/31960d991e43c8d6dc07245f19fc13398e90ead2" + }, + { + "url": "https://git.kernel.org/stable/c/351d1a64544944b44732f6a64ed65573b00b9e14" + }, + { + "url": "https://git.kernel.org/stable/c/434a06c38ee1217a8baa0dd7c37cc85d50138fb0" + }, + { + "url": "https://git.kernel.org/stable/c/66ea9a7c6824821476914bed21a476cd20094f33" + }, + { + "url": "https://git.kernel.org/stable/c/73b8e21f76c7dda4905655d2e2c17dc5a73b87f1" + }, + { + "url": "https://git.kernel.org/stable/c/a0fbbd36c156b9f7b2276871d499c9943dfe5101" + }, + { + "url": "https://git.kernel.org/stable/c/dc1ff95602ee908fcd7d8acee7a0dadb61b1a0c0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39292 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39292", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\num: Add winch to winch_handlers before registering winch IRQ\n\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\nadded to the winch_handlers list.\n\nIf that happens, register_winch_irq() adds to that list a winch that is\nscheduled to be (or has already been) freed, causing a panic later in\nwinch_cleanup().\n\nAvoid the race by adding the winch to the winch_handlers list before\nregistering the IRQ, and rolling back if um_request_irq() fails.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39292\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39292\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39292\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39292\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39292\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c02d425a2fbe52643a5859a779db0329e7dddd4\",\n \"https://git.kernel.org/stable/c/31960d991e43c8d6dc07245f19fc13398e90ead2\",\n \"https://git.kernel.org/stable/c/351d1a64544944b44732f6a64ed65573b00b9e14\",\n \"https://git.kernel.org/stable/c/434a06c38ee1217a8baa0dd7c37cc85d50138fb0\",\n \"https://git.kernel.org/stable/c/66ea9a7c6824821476914bed21a476cd20094f33\",\n \"https://git.kernel.org/stable/c/73b8e21f76c7dda4905655d2e2c17dc5a73b87f1\",\n \"https://git.kernel.org/stable/c/a0fbbd36c156b9f7b2276871d499c9943dfe5101\",\n \"https://git.kernel.org/stable/c/dc1ff95602ee908fcd7d8acee7a0dadb61b1a0c0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\num: Add winch to winch_handlers before registering winch IRQ\\n\\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\\nadded to the winch_handlers list.\\n\\nIf that happens, register_winch_irq() adds to that list a winch that is\\nscheduled to be (or has already been) freed, causing a panic later in\\nwinch_cleanup().\\n\\nAvoid the race by adding the winch to the winch_handlers list before\\nregistering the IRQ, and rolling back if um_request_irq() fails.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39292\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39293", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39293" + }, + { + "url": "https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5" + }, + { + "url": "https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39293 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39293", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"xsk: Support redirect to any socket bound to the same umem\"\n\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\n\nThis patch introduced a potential kernel crash when multiple napi instances\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\npossible for multiple napi instances to access the Rx ring at the same time,\nwhich will result in a corrupted ring state which can lead to a crash when\nflushing the rings in __xsk_flush(). This can happen when the linked list of\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\nis not possible, so let us revert this for now.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39293\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39293\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39293\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39293\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39293\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5\",\n \"https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRevert \\\"xsk: Support redirect to any socket bound to the same umem\\\"\\n\\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\\n\\nThis patch introduced a potential kernel crash when multiple napi instances\\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\\npossible for multiple napi instances to access the Rx ring at the same time,\\nwhich will result in a corrupted ring state which can lead to a crash when\\nflushing the rings in __xsk_flush(). This can happen when the linked list of\\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\\nis not possible, so let us revert this for now.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39293\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39298", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39298" + }, + { + "url": "https://git.kernel.org/stable/c/00b0752c7f15dfdf129cacc6a27d61c54141182b" + }, + { + "url": "https://git.kernel.org/stable/c/41cd2de3c95020b7f86a3cb5fab42fbf454a63bd" + }, + { + "url": "https://git.kernel.org/stable/c/8cf360b9d6a840700e06864236a01a883b34bbad" + }, + { + "url": "https://git.kernel.org/stable/c/bb9bb13ce64cc7cae47f5e2ab9ce93b7bfa0117e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39298 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39298", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix handling of dissolved but not taken off from buddy pages\n\nWhen I did memory failure tests recently, below panic occurs:\n\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\nraw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000\npage dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))\n------------[ cut here ]------------\nkernel BUG at include/linux/page-flags.h:1009!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:__del_page_from_free_list+0x151/0x180\nRSP: 0018:ffffa49c90437998 EFLAGS: 00000046\nRAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0\nRBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69\nR10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80\nR13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009\nFS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0\nCall Trace:\n \n __rmqueue_pcplist+0x23b/0x520\n get_page_from_freelist+0x26b/0xe40\n __alloc_pages_noprof+0x113/0x1120\n __folio_alloc_noprof+0x11/0xb0\n alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130\n __alloc_fresh_hugetlb_folio+0xe7/0x140\n alloc_pool_huge_folio+0x68/0x100\n set_max_huge_pages+0x13d/0x340\n hugetlb_sysctl_handler_common+0xe8/0x110\n proc_sys_call_handler+0x194/0x280\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff916114887\nRSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887\nRDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003\nRBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0\nR10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004\nR13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00\n \nModules linked in: mce_inject hwpoison_inject\n---[ end trace 0000000000000000 ]---\n\nAnd before the panic, there had an warning about bad page state:\n\nBUG: Bad page state in process page-types pfn:8cee00\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\npage_type: 0xffffff7f(buddy)\nraw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000\npage dumped because: nonzero mapcount\nModules linked in: mce_inject hwpoison_inject\nCPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22\nCall Trace:\n \n dump_stack_lvl+0x83/0xa0\n bad_page+0x63/0xf0\n free_unref_page+0x36e/0x5c0\n unpoison_memory+0x50b/0x630\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xcd/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f189a514887\nRSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887\nRDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003\nRBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8\nR13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040\n \n\nThe root cause should be the below race:\n\n memory_failure\n try_memory_failure_hugetlb\n me_huge_page\n __page_handle_poison\n dissolve_free_hugetlb_folio\n drain_all_pages -- Buddy page can be isolated e.g. for compaction.\n take_page_off_buddy -- Failed as page is not in the \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39298\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39298\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39298\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39298\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39298\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00b0752c7f15dfdf129cacc6a27d61c54141182b\",\n \"https://git.kernel.org/stable/c/41cd2de3c95020b7f86a3cb5fab42fbf454a63bd\",\n \"https://git.kernel.org/stable/c/8cf360b9d6a840700e06864236a01a883b34bbad\",\n \"https://git.kernel.org/stable/c/bb9bb13ce64cc7cae47f5e2ab9ce93b7bfa0117e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/memory-failure: fix handling of dissolved but not taken off from buddy pages\\n\\nWhen I did memory failure tests recently, below panic occurs:\\n\\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\\nraw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000\\nraw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000\\npage dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))\\n------------[ cut here ]------------\\nkernel BUG at include/linux/page-flags.h:1009!\\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\nRIP: 0010:__del_page_from_free_list+0x151/0x180\\nRSP: 0018:ffffa49c90437998 EFLAGS: 00000046\\nRAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8\\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0\\nRBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69\\nR10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80\\nR13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009\\nFS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0\\nCall Trace:\\n \\n __rmqueue_pcplist+0x23b/0x520\\n get_page_from_freelist+0x26b/0xe40\\n __alloc_pages_noprof+0x113/0x1120\\n __folio_alloc_noprof+0x11/0xb0\\n alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130\\n __alloc_fresh_hugetlb_folio+0xe7/0x140\\n alloc_pool_huge_folio+0x68/0x100\\n set_max_huge_pages+0x13d/0x340\\n hugetlb_sysctl_handler_common+0xe8/0x110\\n proc_sys_call_handler+0x194/0x280\\n vfs_write+0x387/0x550\\n ksys_write+0x64/0xe0\\n do_syscall_64+0xc2/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7ff916114887\\nRSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\nRAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887\\nRDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003\\nRBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0\\nR10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004\\nR13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00\\n \\nModules linked in: mce_inject hwpoison_inject\\n---[ end trace 0000000000000000 ]---\\n\\nAnd before the panic, there had an warning about bad page state:\\n\\nBUG: Bad page state in process page-types pfn:8cee00\\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\\npage_type: 0xffffff7f(buddy)\\nraw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000\\nraw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000\\npage dumped because: nonzero mapcount\\nModules linked in: mce_inject hwpoison_inject\\nCPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22\\nCall Trace:\\n \\n dump_stack_lvl+0x83/0xa0\\n bad_page+0x63/0xf0\\n free_unref_page+0x36e/0x5c0\\n unpoison_memory+0x50b/0x630\\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\\n debugfs_attr_write+0x42/0x60\\n full_proxy_write+0x5b/0x80\\n vfs_write+0xcd/0x550\\n ksys_write+0x64/0xe0\\n do_syscall_64+0xc2/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7f189a514887\\nRSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887\\nRDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003\\nRBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2\\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8\\nR13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040\\n \\n\\nThe root cause should be the below race:\\n\\n memory_failure\\n try_memory_failure_hugetlb\\n me_huge_page\\n __page_handle_poison\\n dissolve_free_hugetlb_folio\\n drain_all_pages -- Buddy page can be isolated e.g. for compaction.\\n take_page_off_buddy -- Failed as page is not in the \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39298\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39301", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39301" + }, + { + "url": "https://git.kernel.org/stable/c/124947855564572713d705a13be7d0c9dae16a17" + }, + { + "url": "https://git.kernel.org/stable/c/2101901dd58c6da4924bc5efb217a1d83436290b" + }, + { + "url": "https://git.kernel.org/stable/c/25460d6f39024cc3b8241b14c7ccf0d6f11a736a" + }, + { + "url": "https://git.kernel.org/stable/c/6c1791130b781c843572fb6391c4a4c5d857ab17" + }, + { + "url": "https://git.kernel.org/stable/c/72c5d8e416ecc46af370a1340b3db5ff0b0cc867" + }, + { + "url": "https://git.kernel.org/stable/c/89969ffbeb948ffc159d19252e7469490103011b" + }, + { + "url": "https://git.kernel.org/stable/c/ca71f204711ad24113e8b344dc5bb8b0385f5672" + }, + { + "url": "https://git.kernel.org/stable/c/fe5c604053c36c62af24eee8a76407d026ea5163" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39301 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39301", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix uninit-value in p9_client_rpc()\n\nSyzbot with the help of KMSAN reported the following error:\n\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\n\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39301\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39301\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39301\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39301\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39301\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/124947855564572713d705a13be7d0c9dae16a17\",\n \"https://git.kernel.org/stable/c/2101901dd58c6da4924bc5efb217a1d83436290b\",\n \"https://git.kernel.org/stable/c/25460d6f39024cc3b8241b14c7ccf0d6f11a736a\",\n \"https://git.kernel.org/stable/c/6c1791130b781c843572fb6391c4a4c5d857ab17\",\n \"https://git.kernel.org/stable/c/72c5d8e416ecc46af370a1340b3db5ff0b0cc867\",\n \"https://git.kernel.org/stable/c/89969ffbeb948ffc159d19252e7469490103011b\",\n \"https://git.kernel.org/stable/c/ca71f204711ad24113e8b344dc5bb8b0385f5672\",\n \"https://git.kernel.org/stable/c/fe5c604053c36c62af24eee8a76407d026ea5163\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/9p: fix uninit-value in p9_client_rpc()\\n\\nSyzbot with the help of KMSAN reported the following error:\\n\\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\\n path_mount+0x742/0x1f20 fs/namespace.c:3679\\n do_mount fs/namespace.c:3692 [inline]\\n __do_sys_mount fs/namespace.c:3898 [inline]\\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was created at:\\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\\n __alloc_pages_node include/linux/gfp.h:238 [inline]\\n alloc_pages_node include/linux/gfp.h:261 [inline]\\n alloc_slab_page mm/slub.c:2175 [inline]\\n allocate_slab mm/slub.c:2338 [inline]\\n new_slab+0x2de/0x1400 mm/slub.c:2391\\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\\n __slab_alloc mm/slub.c:3610 [inline]\\n __slab_alloc_node mm/slub.c:3663 [inline]\\n slab_alloc_node mm/slub.c:3835 [inline]\\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\\n p9_tag_alloc net/9p/client.c:278 [inline]\\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\\n path_mount+0x742/0x1f20 fs/namespace.c:3679\\n do_mount fs/namespace.c:3692 [inline]\\n __do_sys_mount fs/namespace.c:3898 [inline]\\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\\nwill not be properly initialized. However, trace_9p_client_res()\\nends up trying to print it out anyway before p9_client_rpc()\\nfinishes.\\n\\nFix this issue by assigning default values to p9_fcall fields\\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\\nduring the tag allocation stage.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39301\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39362", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39362" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39362 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39362", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39362\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39362\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39362\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39362\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39362\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39362\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39463", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39463" + }, + { + "url": "https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409" + }, + { + "url": "https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456" + }, + { + "url": "https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5" + }, + { + "url": "https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39463 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39463", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: add missing locking around taking dentry fid list\n\nFix a use-after-free on dentry's d_fsdata fid list when a thread\nlooks up a fid through dentry while another thread unlinks it:\n\nUAF thread:\nrefcount_t: addition on 0; use-after-free.\n p9_fid_get linux/./include/net/9p/client.h:262\n v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129\n v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181\n v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314\n v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400\n vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248\n\nFreed by:\n p9_fid_destroy (inlined)\n p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456\n p9_fid_put linux/./include/net/9p/client.h:278\n v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55\n v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518\n vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335\n\nThe problem is that d_fsdata was not accessed under d_lock, because\nd_release() normally is only called once the dentry is otherwise no\nlonger accessible but since we also call it explicitly in v9fs_remove\nthat lock is required:\nmove the hlist out of the dentry under lock then unref its fids once\nthey are no longer accessible.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39463\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39463\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39463\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39463\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39463\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409\",\n \"https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456\",\n \"https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5\",\n \"https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\n9p: add missing locking around taking dentry fid list\\n\\nFix a use-after-free on dentry's d_fsdata fid list when a thread\\nlooks up a fid through dentry while another thread unlinks it:\\n\\nUAF thread:\\nrefcount_t: addition on 0; use-after-free.\\n p9_fid_get linux/./include/net/9p/client.h:262\\n v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129\\n v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181\\n v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314\\n v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400\\n vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248\\n\\nFreed by:\\n p9_fid_destroy (inlined)\\n p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456\\n p9_fid_put linux/./include/net/9p/client.h:278\\n v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55\\n v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518\\n vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335\\n\\nThe problem is that d_fsdata was not accessed under d_lock, because\\nd_release() normally is only called once the dentry is otherwise no\\nlonger accessible but since we also call it explicitly in v9fs_remove\\nthat lock is required:\\nmove the hlist out of the dentry under lock then unref its fids once\\nthey are no longer accessible.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39463\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39466", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39466" + }, + { + "url": "https://git.kernel.org/stable/c/0a47ba94ec3d8f782b33e3d970cfcb769b962464" + }, + { + "url": "https://git.kernel.org/stable/c/2226b145afa5e13cb60dbe77fb20fb0666a1caf3" + }, + { + "url": "https://git.kernel.org/stable/c/560d69c975072974c11434ca6953891e74c1a665" + }, + { + "url": "https://git.kernel.org/stable/c/aa1a0807b4a76b44fb6b58a7e9087cd4b18ab41b" + }, + { + "url": "https://git.kernel.org/stable/c/d9d3490c48df572edefc0b64655259eefdcbb9be" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39466 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39466", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/qcom/lmh: Check for SCM availability at probe\n\nUp until now, the necessary scm availability check has not been\nperformed, leading to possible null pointer dereferences (which did\nhappen for me on RB1).\n\nFix that.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39466\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39466\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39466\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39466\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39466\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a47ba94ec3d8f782b33e3d970cfcb769b962464\",\n \"https://git.kernel.org/stable/c/2226b145afa5e13cb60dbe77fb20fb0666a1caf3\",\n \"https://git.kernel.org/stable/c/560d69c975072974c11434ca6953891e74c1a665\",\n \"https://git.kernel.org/stable/c/aa1a0807b4a76b44fb6b58a7e9087cd4b18ab41b\",\n \"https://git.kernel.org/stable/c/d9d3490c48df572edefc0b64655259eefdcbb9be\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthermal/drivers/qcom/lmh: Check for SCM availability at probe\\n\\nUp until now, the necessary scm availability check has not been\\nperformed, leading to possible null pointer dereferences (which did\\nhappen for me on RB1).\\n\\nFix that.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39466\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39467", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39467" + }, + { + "url": "https://git.kernel.org/stable/c/1640dcf383cdba52be8b28d2a1a2aa7ef7a30c98" + }, + { + "url": "https://git.kernel.org/stable/c/20faaf30e55522bba2b56d9c46689233205d7717" + }, + { + "url": "https://git.kernel.org/stable/c/68e3cd4ecb8603936cccdc338929130045df2e57" + }, + { + "url": "https://git.kernel.org/stable/c/75c87e2ac6149abf44bdde0dd6d541763ddb0dff" + }, + { + "url": "https://git.kernel.org/stable/c/8c8aa473fe6eb46a4bf99f3ea2dbe52bf0c1a1f0" + }, + { + "url": "https://git.kernel.org/stable/c/be0155202e431f3007778568a72432c68f8946ba" + }, + { + "url": "https://git.kernel.org/stable/c/c559a8d840562fbfce9f318448dda2f7d3e6d8e8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39467 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39467", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\n\nsyzbot reports a kernel bug as below:\n\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\n\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39467\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39467\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39467\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39467\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39467\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1640dcf383cdba52be8b28d2a1a2aa7ef7a30c98\",\n \"https://git.kernel.org/stable/c/20faaf30e55522bba2b56d9c46689233205d7717\",\n \"https://git.kernel.org/stable/c/68e3cd4ecb8603936cccdc338929130045df2e57\",\n \"https://git.kernel.org/stable/c/75c87e2ac6149abf44bdde0dd6d541763ddb0dff\",\n \"https://git.kernel.org/stable/c/8c8aa473fe6eb46a4bf99f3ea2dbe52bf0c1a1f0\",\n \"https://git.kernel.org/stable/c/be0155202e431f3007778568a72432c68f8946ba\",\n \"https://git.kernel.org/stable/c/c559a8d840562fbfce9f318448dda2f7d3e6d8e8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\\n\\nsyzbot reports a kernel bug as below:\\n\\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\\n==================================================================\\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\\n\\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\\n current_nat_addr fs/f2fs/node.h:213 [inline]\\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\\n ioctl_fiemap fs/ioctl.c:220 [inline]\\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\\n __do_sys_ioctl fs/ioctl.c:902 [inline]\\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nThe root cause is we missed to do sanity check on i_xattr_nid during\\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\\nkasan bug report, fix it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39467\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39468", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39468" + }, + { + "url": "https://git.kernel.org/stable/c/02c418774f76a0a36a6195c9dbf8971eb4130a15" + }, + { + "url": "https://git.kernel.org/stable/c/21f5dd36e655d25a7b45b61c1e537198b671f720" + }, + { + "url": "https://git.kernel.org/stable/c/225de871ddf994f69a57f035709cad9c0ab8615a" + }, + { + "url": "https://git.kernel.org/stable/c/8d0f5f1ccf675454a833a573c53830a49b7d1a47" + }, + { + "url": "https://git.kernel.org/stable/c/b055752675cd1d1db4ac9c2750db3dc3e89ea261" + }, + { + "url": "https://git.kernel.org/stable/c/b09b556e48968317887a11243a5331a7bc00ece5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39468 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39468", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix deadlock in smb2_find_smb_tcon()\n\nUnlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such\ndeadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39468\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39468\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39468\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39468\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39468\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02c418774f76a0a36a6195c9dbf8971eb4130a15\",\n \"https://git.kernel.org/stable/c/21f5dd36e655d25a7b45b61c1e537198b671f720\",\n \"https://git.kernel.org/stable/c/225de871ddf994f69a57f035709cad9c0ab8615a\",\n \"https://git.kernel.org/stable/c/8d0f5f1ccf675454a833a573c53830a49b7d1a47\",\n \"https://git.kernel.org/stable/c/b055752675cd1d1db4ac9c2750db3dc3e89ea261\",\n \"https://git.kernel.org/stable/c/b09b556e48968317887a11243a5331a7bc00ece5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix deadlock in smb2_find_smb_tcon()\\n\\nUnlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such\\ndeadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39468\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39469", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39469" + }, + { + "url": "https://git.kernel.org/stable/c/11a2edb70356a2202dcb7c9c189c8356ab4752cd" + }, + { + "url": "https://git.kernel.org/stable/c/129dcd3e7d036218db3f59c82d82004b9539ed82" + }, + { + "url": "https://git.kernel.org/stable/c/2ac8a2fe22bdde9eecce2a42cf5cab79333fb428" + }, + { + "url": "https://git.kernel.org/stable/c/405b71f1251e5ae865f53bd27c45114e6c83bee3" + }, + { + "url": "https://git.kernel.org/stable/c/59f14875a96ef93f05b82ad3c980605f2cb444b5" + }, + { + "url": "https://git.kernel.org/stable/c/7373a51e7998b508af7136530f3a997b286ce81c" + }, + { + "url": "https://git.kernel.org/stable/c/c77ad608df6c091fe64ecb91f41ef7cb465587f1" + }, + { + "url": "https://git.kernel.org/stable/c/d18b05eda7fa77f02114f15b02c009f28ee42346" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39469 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39469", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors\n\nThe error handling in nilfs_empty_dir() when a directory folio/page read\nfails is incorrect, as in the old ext2 implementation, and if the\nfolio/page cannot be read or nilfs_check_folio() fails, it will falsely\ndetermine the directory as empty and corrupt the file system.\n\nIn addition, since nilfs_empty_dir() does not immediately return on a\nfailed folio/page read, but continues to loop, this can cause a long loop\nwith I/O if i_size of the directory's inode is also corrupted, causing the\nlog writer thread to wait and hang, as reported by syzbot.\n\nFix these issues by making nilfs_empty_dir() immediately return a false\nvalue (0) if it fails to get a directory folio/page.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39469\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39469\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39469\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39469\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39469\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11a2edb70356a2202dcb7c9c189c8356ab4752cd\",\n \"https://git.kernel.org/stable/c/129dcd3e7d036218db3f59c82d82004b9539ed82\",\n \"https://git.kernel.org/stable/c/2ac8a2fe22bdde9eecce2a42cf5cab79333fb428\",\n \"https://git.kernel.org/stable/c/405b71f1251e5ae865f53bd27c45114e6c83bee3\",\n \"https://git.kernel.org/stable/c/59f14875a96ef93f05b82ad3c980605f2cb444b5\",\n \"https://git.kernel.org/stable/c/7373a51e7998b508af7136530f3a997b286ce81c\",\n \"https://git.kernel.org/stable/c/c77ad608df6c091fe64ecb91f41ef7cb465587f1\",\n \"https://git.kernel.org/stable/c/d18b05eda7fa77f02114f15b02c009f28ee42346\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors\\n\\nThe error handling in nilfs_empty_dir() when a directory folio/page read\\nfails is incorrect, as in the old ext2 implementation, and if the\\nfolio/page cannot be read or nilfs_check_folio() fails, it will falsely\\ndetermine the directory as empty and corrupt the file system.\\n\\nIn addition, since nilfs_empty_dir() does not immediately return on a\\nfailed folio/page read, but continues to loop, this can cause a long loop\\nwith I/O if i_size of the directory's inode is also corrupted, causing the\\nlog writer thread to wait and hang, as reported by syzbot.\\n\\nFix these issues by making nilfs_empty_dir() immediately return a false\\nvalue (0) if it fails to get a directory folio/page.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39469\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39471", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39471" + }, + { + "url": "https://git.kernel.org/stable/c/011552f29f20842c9a7a21bffe1f6a2d6457ba46" + }, + { + "url": "https://git.kernel.org/stable/c/0964c84b93db7fbf74f357c1e20957850e092db3" + }, + { + "url": "https://git.kernel.org/stable/c/5594971e02764aa1c8210ffb838cb4e7897716e8" + }, + { + "url": "https://git.kernel.org/stable/c/5b0a3dc3e87821acb80e841b464d335aff242691" + }, + { + "url": "https://git.kernel.org/stable/c/8112fa72b7f139052843ff484130d6f97e9f052f" + }, + { + "url": "https://git.kernel.org/stable/c/8b2faf1a4f3b6c748c0da36cda865a226534d520" + }, + { + "url": "https://git.kernel.org/stable/c/ea906e9ac61e3152bef63597f2d9f4a812fc346a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39471 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39471", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add error handle to avoid out-of-bounds\n\nif the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should\nbe stop to avoid out-of-bounds read, so directly return -EINVAL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39471\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39471\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39471\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39471\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39471\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/011552f29f20842c9a7a21bffe1f6a2d6457ba46\",\n \"https://git.kernel.org/stable/c/0964c84b93db7fbf74f357c1e20957850e092db3\",\n \"https://git.kernel.org/stable/c/5594971e02764aa1c8210ffb838cb4e7897716e8\",\n \"https://git.kernel.org/stable/c/5b0a3dc3e87821acb80e841b464d335aff242691\",\n \"https://git.kernel.org/stable/c/8112fa72b7f139052843ff484130d6f97e9f052f\",\n \"https://git.kernel.org/stable/c/8b2faf1a4f3b6c748c0da36cda865a226534d520\",\n \"https://git.kernel.org/stable/c/ea906e9ac61e3152bef63597f2d9f4a812fc346a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: add error handle to avoid out-of-bounds\\n\\nif the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should\\nbe stop to avoid out-of-bounds read, so directly return -EINVAL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39471\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39472", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39472" + }, + { + "url": "https://git.kernel.org/stable/c/45cf976008ddef4a9c9a30310c9b4fb2a9a6602a" + }, + { + "url": "https://git.kernel.org/stable/c/57835c0e7152e36b03875dd6c56dfeed685c1b1f" + }, + { + "url": "https://git.kernel.org/stable/c/c2389c074973aa94e34992e7f66dac0de37595b5" + }, + { + "url": "https://git.kernel.org/stable/c/f754591b17d0ee91c2b45fe9509d0cdc420527cb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39472 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39472", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix log recovery buffer allocation for the legacy h_size fixup\n\nCommit a70f9fe52daa (\"xfs: detect and handle invalid iclog size set by\nmkfs\") added a fixup for incorrect h_size values used for the initial\numount record in old xfsprogs versions. Later commit 0c771b99d6c9\n(\"xfs: clean up calculation of LR header blocks\") cleaned up the log\nreover buffer calculation, but stoped using the fixed up h_size value\nto size the log recovery buffer, which can lead to an out of bounds\naccess when the incorrect h_size does not come from the old mkfs\ntool, but a fuzzer.\n\nFix this by open coding xlog_logrec_hblks and taking the fixed h_size\ninto account for this calculation.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39472\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39472\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39472\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39472\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39472\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/45cf976008ddef4a9c9a30310c9b4fb2a9a6602a\",\n \"https://git.kernel.org/stable/c/57835c0e7152e36b03875dd6c56dfeed685c1b1f\",\n \"https://git.kernel.org/stable/c/c2389c074973aa94e34992e7f66dac0de37595b5\",\n \"https://git.kernel.org/stable/c/f754591b17d0ee91c2b45fe9509d0cdc420527cb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfs: fix log recovery buffer allocation for the legacy h_size fixup\\n\\nCommit a70f9fe52daa (\\\"xfs: detect and handle invalid iclog size set by\\nmkfs\\\") added a fixup for incorrect h_size values used for the initial\\numount record in old xfsprogs versions. Later commit 0c771b99d6c9\\n(\\\"xfs: clean up calculation of LR header blocks\\\") cleaned up the log\\nreover buffer calculation, but stoped using the fixed up h_size value\\nto size the log recovery buffer, which can lead to an out of bounds\\naccess when the incorrect h_size does not come from the old mkfs\\ntool, but a fuzzer.\\n\\nFix this by open coding xlog_logrec_hblks and taking the fixed h_size\\ninto account for this calculation.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39472\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39475", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39475" + }, + { + "url": "https://git.kernel.org/stable/c/32f92b0078ebf79dbe4827288e0acb50d89d3d5b" + }, + { + "url": "https://git.kernel.org/stable/c/4b2c67e30b4e1d2ae19dba8b8e8f3b5fd3cf8089" + }, + { + "url": "https://git.kernel.org/stable/c/5f446859bfa46df0ffb34149499f48a2c2d8cd95" + }, + { + "url": "https://git.kernel.org/stable/c/6ad959b6703e2c4c5d7af03b4cfd5ff608036339" + }, + { + "url": "https://git.kernel.org/stable/c/86435f39c18967cdd937d7a49ba539cdea7fb547" + }, + { + "url": "https://git.kernel.org/stable/c/b8385ff814ca4cb7e63789841e6ec2a14c73e1e8" + }, + { + "url": "https://git.kernel.org/stable/c/be754cbd77eaf2932408a4e18532e4945274a5c7" + }, + { + "url": "https://git.kernel.org/stable/c/edaa57480b876e8203b51df7c3d14a51ea6b09e3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39475 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39475", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Handle err return when savagefb_check_var failed\n\nThe commit 04e5eac8f3ab(\"fbdev: savage: Error out if pixclock equals zero\")\nchecks the value of pixclock to avoid divide-by-zero error. However\nthe function savagefb_probe doesn't handle the error return of\nsavagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39475\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39475\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39475\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39475\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39475\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32f92b0078ebf79dbe4827288e0acb50d89d3d5b\",\n \"https://git.kernel.org/stable/c/4b2c67e30b4e1d2ae19dba8b8e8f3b5fd3cf8089\",\n \"https://git.kernel.org/stable/c/5f446859bfa46df0ffb34149499f48a2c2d8cd95\",\n \"https://git.kernel.org/stable/c/6ad959b6703e2c4c5d7af03b4cfd5ff608036339\",\n \"https://git.kernel.org/stable/c/86435f39c18967cdd937d7a49ba539cdea7fb547\",\n \"https://git.kernel.org/stable/c/b8385ff814ca4cb7e63789841e6ec2a14c73e1e8\",\n \"https://git.kernel.org/stable/c/be754cbd77eaf2932408a4e18532e4945274a5c7\",\n \"https://git.kernel.org/stable/c/edaa57480b876e8203b51df7c3d14a51ea6b09e3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfbdev: savage: Handle err return when savagefb_check_var failed\\n\\nThe commit 04e5eac8f3ab(\\\"fbdev: savage: Error out if pixclock equals zero\\\")\\nchecks the value of pixclock to avoid divide-by-zero error. However\\nthe function savagefb_probe doesn't handle the error return of\\nsavagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39475\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39476", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39476" + }, + { + "url": "https://git.kernel.org/stable/c/098d54934814dd876963abfe751c3b1cf7fbe56a" + }, + { + "url": "https://git.kernel.org/stable/c/151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa" + }, + { + "url": "https://git.kernel.org/stable/c/3f8d5e802d4cedd445f9a89be8c3fd2d0e99024b" + }, + { + "url": "https://git.kernel.org/stable/c/634ba3c97ec413cb10681c7b196db43ee461ecf4" + }, + { + "url": "https://git.kernel.org/stable/c/aa64464c8f4d2ab92f6d0b959a1e0767b829d787" + }, + { + "url": "https://git.kernel.org/stable/c/b32aa95843cac6b12c2c014d40fca18aef24a347" + }, + { + "url": "https://git.kernel.org/stable/c/cd2538e5af495b3c747e503db346470fc1ffc447" + }, + { + "url": "https://git.kernel.org/stable/c/e332a12f65d8fed8cf63bedb4e9317bb872b9ac7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39476 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39476", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING\n\nXiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with\nsmall possibility, the root cause is exactly the same as commit\nbed9e27baf52 (\"Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"\")\n\nHowever, Dan reported another hang after that, and junxiao investigated\nthe problem and found out that this is caused by plugged bio can't issue\nfrom raid5d().\n\nCurrent implementation in raid5d() has a weird dependence:\n\n1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear\n MD_SB_CHANGE_PENDING;\n2) raid5d() handles IO in a deadloop, until all IO are issued;\n3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;\n\nThis behaviour is introduce before v2.6, and for consequence, if other\ncontext hold 'reconfig_mutex', and md_check_recovery() can't update\nsuper_block, then raid5d() will waste one cpu 100% by the deadloop, until\n'reconfig_mutex' is released.\n\nRefer to the implementation from raid1 and raid10, fix this problem by\nskipping issue IO if MD_SB_CHANGE_PENDING is still set after\nmd_check_recovery(), daemon thread will be woken up when 'reconfig_mutex'\nis released. Meanwhile, the hang problem will be fixed as well.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39476\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39476\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39476\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39476\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39476\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/098d54934814dd876963abfe751c3b1cf7fbe56a\",\n \"https://git.kernel.org/stable/c/151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa\",\n \"https://git.kernel.org/stable/c/3f8d5e802d4cedd445f9a89be8c3fd2d0e99024b\",\n \"https://git.kernel.org/stable/c/634ba3c97ec413cb10681c7b196db43ee461ecf4\",\n \"https://git.kernel.org/stable/c/aa64464c8f4d2ab92f6d0b959a1e0767b829d787\",\n \"https://git.kernel.org/stable/c/b32aa95843cac6b12c2c014d40fca18aef24a347\",\n \"https://git.kernel.org/stable/c/cd2538e5af495b3c747e503db346470fc1ffc447\",\n \"https://git.kernel.org/stable/c/e332a12f65d8fed8cf63bedb4e9317bb872b9ac7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING\\n\\nXiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with\\nsmall possibility, the root cause is exactly the same as commit\\nbed9e27baf52 (\\\"Revert \\\"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\\\"\\\")\\n\\nHowever, Dan reported another hang after that, and junxiao investigated\\nthe problem and found out that this is caused by plugged bio can't issue\\nfrom raid5d().\\n\\nCurrent implementation in raid5d() has a weird dependence:\\n\\n1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear\\n MD_SB_CHANGE_PENDING;\\n2) raid5d() handles IO in a deadloop, until all IO are issued;\\n3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;\\n\\nThis behaviour is introduce before v2.6, and for consequence, if other\\ncontext hold 'reconfig_mutex', and md_check_recovery() can't update\\nsuper_block, then raid5d() will waste one cpu 100% by the deadloop, until\\n'reconfig_mutex' is released.\\n\\nRefer to the implementation from raid1 and raid10, fix this problem by\\nskipping issue IO if MD_SB_CHANGE_PENDING is still set after\\nmd_check_recovery(), daemon thread will be woken up when 'reconfig_mutex'\\nis released. Meanwhile, the hang problem will be fixed as well.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39476\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39480", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39480" + }, + { + "url": "https://git.kernel.org/stable/c/107e825cc448b7834b31e8b1b3cf0f57426d46d5" + }, + { + "url": "https://git.kernel.org/stable/c/33d9c814652b971461d1e30bead6792851c209e7" + }, + { + "url": "https://git.kernel.org/stable/c/cfdc2fa4db57503bc6d3817240547c8ddc55fa96" + }, + { + "url": "https://git.kernel.org/stable/c/ddd2972d8e2dee3b33e8121669d55def59f0be8a" + }, + { + "url": "https://git.kernel.org/stable/c/e9730744bf3af04cda23799029342aa3cddbc454" + }, + { + "url": "https://git.kernel.org/stable/c/f636a40834d22e5e3fc748f060211879c056cd33" + }, + { + "url": "https://git.kernel.org/stable/c/f694da720dcf795dc3eb97bf76d220213f76aaa7" + }, + { + "url": "https://git.kernel.org/stable/c/fb824a99e148ff272a53d71d84122728b5f00992" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39480 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39480", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nkdb: Fix buffer overflow during tab-complete\n\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\n\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39480\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39480\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39480\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39480\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39480\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/107e825cc448b7834b31e8b1b3cf0f57426d46d5\",\n \"https://git.kernel.org/stable/c/33d9c814652b971461d1e30bead6792851c209e7\",\n \"https://git.kernel.org/stable/c/cfdc2fa4db57503bc6d3817240547c8ddc55fa96\",\n \"https://git.kernel.org/stable/c/ddd2972d8e2dee3b33e8121669d55def59f0be8a\",\n \"https://git.kernel.org/stable/c/e9730744bf3af04cda23799029342aa3cddbc454\",\n \"https://git.kernel.org/stable/c/f636a40834d22e5e3fc748f060211879c056cd33\",\n \"https://git.kernel.org/stable/c/f694da720dcf795dc3eb97bf76d220213f76aaa7\",\n \"https://git.kernel.org/stable/c/fb824a99e148ff272a53d71d84122728b5f00992\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkdb: Fix buffer overflow during tab-complete\\n\\nCurrently, when the user attempts symbol completion with the Tab key, kdb\\nwill use strncpy() to insert the completed symbol into the command buffer.\\nUnfortunately it passes the size of the source buffer rather than the\\ndestination to strncpy() with predictably horrible results. Most obviously\\nif the command buffer is already full but cp, the cursor position, is in\\nthe middle of the buffer, then we will write past the end of the supplied\\nbuffer.\\n\\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\\ncalls plus explicit boundary checks to make sure we have enough space\\nbefore we start moving characters around.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39480\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39482", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39482" + }, + { + "url": "https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671" + }, + { + "url": "https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b" + }, + { + "url": "https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31" + }, + { + "url": "https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023" + }, + { + "url": "https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148" + }, + { + "url": "https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39482 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39482", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix variable length array abuse in btree_iter\n\nbtree_iter is used in two ways: either allocated on the stack with a\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\nspecific cache set. Previously, the struct had a fixed-length array of\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\niterators, which causes UBSAN to complain.\n\nThis patch uses the same approach as in bcachefs's sort_iter and splits\nthe iterator into a btree_iter with a flexible array member and a\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\ndata array.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39482\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39482\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39482\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39482\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39482\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671\",\n \"https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b\",\n \"https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31\",\n \"https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023\",\n \"https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148\",\n \"https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbcache: fix variable length array abuse in btree_iter\\n\\nbtree_iter is used in two ways: either allocated on the stack with a\\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\\nspecific cache set. Previously, the struct had a fixed-length array of\\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\\niterators, which causes UBSAN to complain.\\n\\nThis patch uses the same approach as in bcachefs's sort_iter and splits\\nthe iterator into a btree_iter with a flexible array member and a\\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\\ndata array.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39482\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39484", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39484" + }, + { + "url": "https://git.kernel.org/stable/c/1d5ed0efe51d36b9ae9b64f133bf41cdbf56f584" + }, + { + "url": "https://git.kernel.org/stable/c/55c421b364482b61c4c45313a535e61ed5ae4ea3" + }, + { + "url": "https://git.kernel.org/stable/c/5ee241f72edc6dce5051a5f100eab6cc019d873e" + }, + { + "url": "https://git.kernel.org/stable/c/6ff7cfa02baabec907f6f29ea76634e6256d2ec4" + }, + { + "url": "https://git.kernel.org/stable/c/7590da4c04dd4aa9c262da0231e978263861c6eb" + }, + { + "url": "https://git.kernel.org/stable/c/aea35157bb9b825faa0432bd0f7fbea37ff39aa1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39484 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39484", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: davinci: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback being\ndiscarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.\nusing sysfs or hotplug), the driver is just removed without the cleanup\nbeing performed. This results in resource leaks. Fix it by compiling in the\nremove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\nWARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in\nreference: davinci_mmcsd_driver+0x10 (section: .data) ->\ndavinci_mmcsd_remove (section: .exit.text)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39484\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39484\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39484\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39484\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39484\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d5ed0efe51d36b9ae9b64f133bf41cdbf56f584\",\n \"https://git.kernel.org/stable/c/55c421b364482b61c4c45313a535e61ed5ae4ea3\",\n \"https://git.kernel.org/stable/c/5ee241f72edc6dce5051a5f100eab6cc019d873e\",\n \"https://git.kernel.org/stable/c/6ff7cfa02baabec907f6f29ea76634e6256d2ec4\",\n \"https://git.kernel.org/stable/c/7590da4c04dd4aa9c262da0231e978263861c6eb\",\n \"https://git.kernel.org/stable/c/aea35157bb9b825faa0432bd0f7fbea37ff39aa1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmmc: davinci: Don't strip remove function when driver is builtin\\n\\nUsing __exit for the remove function results in the remove callback being\\ndiscarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.\\nusing sysfs or hotplug), the driver is just removed without the cleanup\\nbeing performed. This results in resource leaks. Fix it by compiling in the\\nremove callback unconditionally.\\n\\nThis also fixes a W=1 modpost warning:\\n\\nWARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in\\nreference: davinci_mmcsd_driver+0x10 (section: .data) ->\\ndavinci_mmcsd_remove (section: .exit.text)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39484\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39487", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39487" + }, + { + "url": "https://git.kernel.org/stable/c/6a8a4fd082c439e19fede027e80c79bc4c84bb8e" + }, + { + "url": "https://git.kernel.org/stable/c/6b21346b399fd1336fe59233a17eb5ce73041ee1" + }, + { + "url": "https://git.kernel.org/stable/c/707c85ba3527ad6aa25552033576b0f1ff835d7b" + }, + { + "url": "https://git.kernel.org/stable/c/9f835e48bd4c75fdf6a9cff3f0b806a7abde78da" + }, + { + "url": "https://git.kernel.org/stable/c/b75e33eae8667084bd4a63e67657c6a5a0f8d1e8" + }, + { + "url": "https://git.kernel.org/stable/c/bfd14e5915c2669f292a31d028e75dcd82f1e7e9" + }, + { + "url": "https://git.kernel.org/stable/c/c8eb8ab9a44ff0e73492d0a12a643c449f641a9f" + }, + { + "url": "https://git.kernel.org/stable/c/e271ff53807e8f2c628758290f0e499dbe51cb3d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39487 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39487", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\n\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\n\nFix it by adding a check of string length before using it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39487\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39487\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39487\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39487\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39487\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6a8a4fd082c439e19fede027e80c79bc4c84bb8e\",\n \"https://git.kernel.org/stable/c/6b21346b399fd1336fe59233a17eb5ce73041ee1\",\n \"https://git.kernel.org/stable/c/707c85ba3527ad6aa25552033576b0f1ff835d7b\",\n \"https://git.kernel.org/stable/c/9f835e48bd4c75fdf6a9cff3f0b806a7abde78da\",\n \"https://git.kernel.org/stable/c/b75e33eae8667084bd4a63e67657c6a5a0f8d1e8\",\n \"https://git.kernel.org/stable/c/bfd14e5915c2669f292a31d028e75dcd82f1e7e9\",\n \"https://git.kernel.org/stable/c/c8eb8ab9a44ff0e73492d0a12a643c449f641a9f\",\n \"https://git.kernel.org/stable/c/e271ff53807e8f2c628758290f0e499dbe51cb3d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\\n\\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\\nempty string, newval->string+1 will point to the byte after the\\nstring, causing an out-of-bound read.\\n\\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\\n print_address_description mm/kasan/report.c:364 [inline]\\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\\n strlen+0x7d/0xa0 lib/string.c:418\\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\\n bond_option_arp_ip_targets_set+0xc2/0x910\\ndrivers/net/bonding/bond_options.c:1201\\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\\n call_write_iter include/linux/fs.h:2020 [inline]\\n new_sync_write fs/read_write.c:491 [inline]\\n vfs_write+0x96a/0xd80 fs/read_write.c:584\\n ksys_write+0x122/0x250 fs/read_write.c:637\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n---[ end trace ]---\\n\\nFix it by adding a check of string length before using it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39487\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39488", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39488" + }, + { + "url": "https://git.kernel.org/stable/c/22469a0335a1a1a690349b58bcb55822457df81e" + }, + { + "url": "https://git.kernel.org/stable/c/3fd487ffaa697ddb05af78a75aaaddabe71c52b0" + }, + { + "url": "https://git.kernel.org/stable/c/461a760d578b2b2c2faac3040b6b7c77baf128f8" + }, + { + "url": "https://git.kernel.org/stable/c/9f2ad88f9b349554f64e4037ec185c84d7dd9c7d" + }, + { + "url": "https://git.kernel.org/stable/c/c1929c041a262a4a27265db8dce3619c92aa678c" + }, + { + "url": "https://git.kernel.org/stable/c/c27a2f7668e215c1ebbccd96fab27a220a93f1f7" + }, + { + "url": "https://git.kernel.org/stable/c/f221bd58db0f6ca087ac0392284f6bce21f4f8ea" + }, + { + "url": "https://git.kernel.org/stable/c/ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39488 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39488", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\n\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\n\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tsigned int file_disp;\t// 4 bytes\n\t\tunsigned short line;\t\t// 2 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t}\n\n... with 12 bytes total, requiring 4-byte alignment.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\n\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\n\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\n\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\n\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\n\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\n\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\n\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\n\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\n\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\n\nConsequently module_find_bug() will miss the last bug_entry when it does:\n\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\n\n... which can lead to a kenrel panic due to an unhandled bug.\n\nThis can be demonstrated with the following module:\n\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\n\n\tstatic void __exit bugexit(void)\n\t{\n\t}\n\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\n\n... which will trigger a kernel panic when loaded:\n\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39488\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39488\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39488\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39488\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39488\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22469a0335a1a1a690349b58bcb55822457df81e\",\n \"https://git.kernel.org/stable/c/3fd487ffaa697ddb05af78a75aaaddabe71c52b0\",\n \"https://git.kernel.org/stable/c/461a760d578b2b2c2faac3040b6b7c77baf128f8\",\n \"https://git.kernel.org/stable/c/9f2ad88f9b349554f64e4037ec185c84d7dd9c7d\",\n \"https://git.kernel.org/stable/c/c1929c041a262a4a27265db8dce3619c92aa678c\",\n \"https://git.kernel.org/stable/c/c27a2f7668e215c1ebbccd96fab27a220a93f1f7\",\n \"https://git.kernel.org/stable/c/f221bd58db0f6ca087ac0392284f6bce21f4f8ea\",\n \"https://git.kernel.org/stable/c/ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\\n\\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\\nto bug_table entries, and as a result the last entry in a bug table will\\nbe ignored, potentially leading to an unexpected panic(). All prior\\nentries in the table will be handled correctly.\\n\\nThe arm64 ABI requires that struct fields of up to 8 bytes are\\nnaturally-aligned, with padding added within a struct such that struct\\nare suitably aligned within arrays.\\n\\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\\n\\n\\tstruct bug_entry {\\n\\t\\tsigned int bug_addr_disp;\\t// 4 bytes\\n\\t\\tsigned int file_disp;\\t// 4 bytes\\n\\t\\tunsigned short line;\\t\\t// 2 bytes\\n\\t\\tunsigned short flags;\\t\\t// 2 bytes\\n\\t}\\n\\n... with 12 bytes total, requiring 4-byte alignment.\\n\\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\\n\\n\\tstruct bug_entry {\\n\\t\\tsigned int bug_addr_disp;\\t// 4 bytes\\n\\t\\tunsigned short flags;\\t\\t// 2 bytes\\n\\t\\t< implicit padding >\\t\\t// 2 bytes\\n\\t}\\n\\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\\npadding, requiring 4-byte alginment.\\n\\nWhen we create a bug_entry in assembly, we align the start of the entry\\nto 4 bytes, which implicitly handles padding for any prior entries.\\nHowever, we do not align the end of the entry, and so when\\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\\nbytes.\\n\\nFor the main kernel image this is not a problem as find_bug() doesn't\\ndepend on the trailing padding bytes when searching for entries:\\n\\n\\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\\n\\t\\tif (bugaddr == bug_addr(bug))\\n\\t\\t\\treturn bug;\\n\\nHowever for modules, module_bug_finalize() depends on the trailing\\nbytes when calculating the number of entries:\\n\\n\\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\\n\\n... and as the last bug_entry lacks the necessary padding bytes, this entry\\nwill not be counted, e.g. in the case of a single entry:\\n\\n\\tsechdrs[i].sh_size == 6\\n\\tsizeof(struct bug_entry) == 8;\\n\\n\\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\\n\\nConsequently module_find_bug() will miss the last bug_entry when it does:\\n\\n\\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\\n\\t\\tif (bugaddr == bug_addr(bug))\\n\\t\\t\\tgoto out;\\n\\n... which can lead to a kenrel panic due to an unhandled bug.\\n\\nThis can be demonstrated with the following module:\\n\\n\\tstatic int __init buginit(void)\\n\\t{\\n\\t\\tWARN(1, \\\"hello\\\\n\\\");\\n\\t\\treturn 0;\\n\\t}\\n\\n\\tstatic void __exit bugexit(void)\\n\\t{\\n\\t}\\n\\n\\tmodule_init(buginit);\\n\\tmodule_exit(bugexit);\\n\\tMODULE_LICENSE(\\\"GPL\\\");\\n\\n... which will trigger a kernel panic when loaded:\\n\\n\\t------------[ cut here ]------------\\n\\thello\\n\\tUnexpected kernel BRK exception at EL1\\n\\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\\n\\tModules linked in: hello(O+)\\n\\tCPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8\\n\\tHardware name: linux,dummy-virt (DT)\\n\\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n\\tpc : buginit+0x18/0x1000 [hello]\\n\\tlr : buginit+0x18/0x1000 [hello]\\n\\tsp : ffff800080533ae0\\n\\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\\n\\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\\n\\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\\n\\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\\n\\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\\n\\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\\n\\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\\n\\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\\n\\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\\n\\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\\n\\tCall trace:\\n\\t buginit+0x18/0x1000 [hello]\\n\\t do_one_initcall+0x80/0x1c8\\n\\t do_init_module+0x60/0x218\\n\\t load_module+0x1ba4/0x1d70\\n\\t __do_sys_init_module+0x198/0x1d0\\n\\t __arm64_sys_init_module+0x1c/0x28\\n\\t invoke_syscall+0x48/0x114\\n\\t el0_svc\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39488\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39489", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39489" + }, + { + "url": "https://git.kernel.org/stable/c/0e44d6cbe8de983470c3d2f978649783384fdcb6" + }, + { + "url": "https://git.kernel.org/stable/c/4a3fcf53725b70010d1cf869a2ba549fed6b8fb3" + }, + { + "url": "https://git.kernel.org/stable/c/599a5654215092ac22bfc453f4fd3959c55ea821" + }, + { + "url": "https://git.kernel.org/stable/c/61d31ac85b4572d11f8071855c0ccb4f32d76c0c" + }, + { + "url": "https://git.kernel.org/stable/c/afd5730969aec960a2fee4e5ee839a6014643976" + }, + { + "url": "https://git.kernel.org/stable/c/daf341e0a2318b813427d5a78788c86f4a7f02be" + }, + { + "url": "https://git.kernel.org/stable/c/efb9f4f19f8e37fde43dfecebc80292d179f56c6" + }, + { + "url": "https://git.kernel.org/stable/c/f6a99ef4e056c20a138a95cc51332b2b96c8f383" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39489 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39489", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix memleak in seg6_hmac_init_algo\n\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\n\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39489\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39489\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39489\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39489\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39489\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e44d6cbe8de983470c3d2f978649783384fdcb6\",\n \"https://git.kernel.org/stable/c/4a3fcf53725b70010d1cf869a2ba549fed6b8fb3\",\n \"https://git.kernel.org/stable/c/599a5654215092ac22bfc453f4fd3959c55ea821\",\n \"https://git.kernel.org/stable/c/61d31ac85b4572d11f8071855c0ccb4f32d76c0c\",\n \"https://git.kernel.org/stable/c/afd5730969aec960a2fee4e5ee839a6014643976\",\n \"https://git.kernel.org/stable/c/daf341e0a2318b813427d5a78788c86f4a7f02be\",\n \"https://git.kernel.org/stable/c/efb9f4f19f8e37fde43dfecebc80292d179f56c6\",\n \"https://git.kernel.org/stable/c/f6a99ef4e056c20a138a95cc51332b2b96c8f383\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: sr: fix memleak in seg6_hmac_init_algo\\n\\nseg6_hmac_init_algo returns without cleaning up the previous allocations\\nif one fails, so it's going to leak all that memory and the crypto tfms.\\n\\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\\nreuse the code directly.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39489\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39490", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39490" + }, + { + "url": "https://git.kernel.org/stable/c/5447f9708d9e4c17a647b16a9cb29e9e02820bd9" + }, + { + "url": "https://git.kernel.org/stable/c/8f1fc3b86eaea70be6abcae2e9aa7e7b99453864" + }, + { + "url": "https://git.kernel.org/stable/c/e8688218e38111ace457509d8f0cad75f79c1a7a" + }, + { + "url": "https://git.kernel.org/stable/c/f4df8c7670a73752201cbde215254598efdf6ce8" + }, + { + "url": "https://git.kernel.org/stable/c/f5fec1588642e415a3d72e02140160661b303940" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39490 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39490", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix missing sk_buff release in seg6_input_core\n\nThe seg6_input() function is responsible for adding the SRH into a\npacket, delegating the operation to the seg6_input_core(). This function\nuses the skb_cow_head() to ensure that there is sufficient headroom in\nthe sk_buff for accommodating the link-layer header.\nIn the event that the skb_cow_header() function fails, the\nseg6_input_core() catches the error but it does not release the sk_buff,\nwhich will result in a memory leak.\n\nThis issue was introduced in commit af3b5158b89d (\"ipv6: sr: fix BUG due\nto headroom too small after SRH push\") and persists even after commit\n7a3f5b0de364 (\"netfilter: add netfilter hooks to SRv6 data plane\"),\nwhere the entire seg6_input() code was refactored to deal with netfilter\nhooks.\n\nThe proposed patch addresses the identified memory leak by requiring the\nseg6_input_core() function to release the sk_buff in the event that\nskb_cow_head() fails.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39490\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39490\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39490\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39490\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39490\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5447f9708d9e4c17a647b16a9cb29e9e02820bd9\",\n \"https://git.kernel.org/stable/c/8f1fc3b86eaea70be6abcae2e9aa7e7b99453864\",\n \"https://git.kernel.org/stable/c/e8688218e38111ace457509d8f0cad75f79c1a7a\",\n \"https://git.kernel.org/stable/c/f4df8c7670a73752201cbde215254598efdf6ce8\",\n \"https://git.kernel.org/stable/c/f5fec1588642e415a3d72e02140160661b303940\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: sr: fix missing sk_buff release in seg6_input_core\\n\\nThe seg6_input() function is responsible for adding the SRH into a\\npacket, delegating the operation to the seg6_input_core(). This function\\nuses the skb_cow_head() to ensure that there is sufficient headroom in\\nthe sk_buff for accommodating the link-layer header.\\nIn the event that the skb_cow_header() function fails, the\\nseg6_input_core() catches the error but it does not release the sk_buff,\\nwhich will result in a memory leak.\\n\\nThis issue was introduced in commit af3b5158b89d (\\\"ipv6: sr: fix BUG due\\nto headroom too small after SRH push\\\") and persists even after commit\\n7a3f5b0de364 (\\\"netfilter: add netfilter hooks to SRv6 data plane\\\"),\\nwhere the entire seg6_input() code was refactored to deal with netfilter\\nhooks.\\n\\nThe proposed patch addresses the identified memory leak by requiring the\\nseg6_input_core() function to release the sk_buff in the event that\\nskb_cow_head() fails.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39490\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39493", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39493" + }, + { + "url": "https://git.kernel.org/stable/c/0ce5964b82f212f4df6a9813f09a0b5de15bd9c8" + }, + { + "url": "https://git.kernel.org/stable/c/3fb4601e0db10d4fe25e46f3fa308d40d37366bd" + }, + { + "url": "https://git.kernel.org/stable/c/6396b33e98c096bff9c253ed49c008247963492a" + }, + { + "url": "https://git.kernel.org/stable/c/a718b6d2a329e069b27d9049a71be5931e71d960" + }, + { + "url": "https://git.kernel.org/stable/c/c2d443aa1ae3175c13a665f3a24b8acd759ce9c3" + }, + { + "url": "https://git.kernel.org/stable/c/d0fd124972724cce0d48b9865ce3e273ef69e246" + }, + { + "url": "https://git.kernel.org/stable/c/d3b17c6d9dddc2db3670bc9be628b122416a3d26" + }, + { + "url": "https://git.kernel.org/stable/c/e7428e7e3fe94a5089dc12ffe5bc31574d2315ad" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39493 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39493", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - Fix ADF_DEV_RESET_SYNC memory leak\n\nUsing completion_done to determine whether the caller has gone\naway only works after a complete call. Furthermore it's still\npossible that the caller has not yet called wait_for_completion,\nresulting in another potential UAF.\n\nFix this by making the caller use cancel_work_sync and then freeing\nthe memory safely.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39493\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39493\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39493\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39493\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39493\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ce5964b82f212f4df6a9813f09a0b5de15bd9c8\",\n \"https://git.kernel.org/stable/c/3fb4601e0db10d4fe25e46f3fa308d40d37366bd\",\n \"https://git.kernel.org/stable/c/6396b33e98c096bff9c253ed49c008247963492a\",\n \"https://git.kernel.org/stable/c/a718b6d2a329e069b27d9049a71be5931e71d960\",\n \"https://git.kernel.org/stable/c/c2d443aa1ae3175c13a665f3a24b8acd759ce9c3\",\n \"https://git.kernel.org/stable/c/d0fd124972724cce0d48b9865ce3e273ef69e246\",\n \"https://git.kernel.org/stable/c/d3b17c6d9dddc2db3670bc9be628b122416a3d26\",\n \"https://git.kernel.org/stable/c/e7428e7e3fe94a5089dc12ffe5bc31574d2315ad\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: qat - Fix ADF_DEV_RESET_SYNC memory leak\\n\\nUsing completion_done to determine whether the caller has gone\\naway only works after a complete call. Furthermore it's still\\npossible that the caller has not yet called wait_for_completion,\\nresulting in another potential UAF.\\n\\nFix this by making the caller use cancel_work_sync and then freeing\\nthe memory safely.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39493\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39494", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39494" + }, + { + "url": "https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4" + }, + { + "url": "https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c" + }, + { + "url": "https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de" + }, + { + "url": "https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39494 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39494", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix use-after-free on a dentry's dname.name\n\n->d_name.name can change on rename and the earlier value can be freed;\nthere are conditions sufficient to stabilize it (->d_lock on dentry,\n->d_lock on its parent, ->i_rwsem exclusive on the parent's inode,\nrename_lock), but none of those are met at any of the sites. Take a stable\nsnapshot of the name instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39494\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39494\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39494\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39494\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39494\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4\",\n \"https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c\",\n \"https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de\",\n \"https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nima: Fix use-after-free on a dentry's dname.name\\n\\n->d_name.name can change on rename and the earlier value can be freed;\\nthere are conditions sufficient to stabilize it (->d_lock on dentry,\\n->d_lock on its parent, ->i_rwsem exclusive on the parent's inode,\\nrename_lock), but none of those are met at any of the sites. Take a stable\\nsnapshot of the name instead.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39494\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39495", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39495" + }, + { + "url": "https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445" + }, + { + "url": "https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea" + }, + { + "url": "https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83" + }, + { + "url": "https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce" + }, + { + "url": "https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201" + }, + { + "url": "https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc" + }, + { + "url": "https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39495 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39495", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: Fix use-after-free bug in gb_interface_release due to race condition.\n\nIn gb_interface_create, &intf->mode_switch_completion is bound with\ngb_interface_mode_switch_work. Then it will be started by\ngb_interface_request_mode_switch. Here is the relevant code.\nif (!queue_work(system_long_wq, &intf->mode_switch_work)) {\n\t...\n}\n\nIf we call gb_interface_release to make cleanup, there may be an\nunfinished work. This function will call kfree to free the object\n\"intf\". However, if gb_interface_mode_switch_work is scheduled to\nrun after kfree, it may cause use-after-free error as\ngb_interface_mode_switch_work will use the object \"intf\".\nThe possible execution flow that may lead to the issue is as follows:\n\nCPU0 CPU1\n\n | gb_interface_create\n | gb_interface_request_mode_switch\ngb_interface_release |\nkfree(intf) (free) |\n | gb_interface_mode_switch_work\n | mutex_lock(&intf->mutex) (use)\n\nFix it by canceling the work before kfree.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39495\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39495\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39495\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39495\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39495\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445\",\n \"https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea\",\n \"https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83\",\n \"https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce\",\n \"https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201\",\n \"https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc\",\n \"https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngreybus: Fix use-after-free bug in gb_interface_release due to race condition.\\n\\nIn gb_interface_create, &intf->mode_switch_completion is bound with\\ngb_interface_mode_switch_work. Then it will be started by\\ngb_interface_request_mode_switch. Here is the relevant code.\\nif (!queue_work(system_long_wq, &intf->mode_switch_work)) {\\n\\t...\\n}\\n\\nIf we call gb_interface_release to make cleanup, there may be an\\nunfinished work. This function will call kfree to free the object\\n\\\"intf\\\". However, if gb_interface_mode_switch_work is scheduled to\\nrun after kfree, it may cause use-after-free error as\\ngb_interface_mode_switch_work will use the object \\\"intf\\\".\\nThe possible execution flow that may lead to the issue is as follows:\\n\\nCPU0 CPU1\\n\\n | gb_interface_create\\n | gb_interface_request_mode_switch\\ngb_interface_release |\\nkfree(intf) (free) |\\n | gb_interface_mode_switch_work\\n | mutex_lock(&intf->mutex) (use)\\n\\nFix it by canceling the work before kfree.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39495\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39496", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39496" + }, + { + "url": "https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9" + }, + { + "url": "https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6" + }, + { + "url": "https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43" + }, + { + "url": "https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39496 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39496", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free due to race with dev replace\n\nWhile loading a zone's info during creation of a block group, we can race\nwith a device replace operation and then trigger a use-after-free on the\ndevice that was just replaced (source device of the replace operation).\n\nThis happens because at btrfs_load_zone_info() we extract a device from\nthe chunk map into a local variable and then use the device while not\nunder the protection of the device replace rwsem. So if there's a device\nreplace operation happening when we extract the device and that device\nis the source of the replace operation, we will trigger a use-after-free\nif before we finish using the device the replace operation finishes and\nfrees the device.\n\nFix this by enlarging the critical section under the protection of the\ndevice replace rwsem so that all uses of the device are done inside the\ncritical section.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39496\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39496\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39496\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39496\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39496\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9\",\n \"https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6\",\n \"https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43\",\n \"https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: zoned: fix use-after-free due to race with dev replace\\n\\nWhile loading a zone's info during creation of a block group, we can race\\nwith a device replace operation and then trigger a use-after-free on the\\ndevice that was just replaced (source device of the replace operation).\\n\\nThis happens because at btrfs_load_zone_info() we extract a device from\\nthe chunk map into a local variable and then use the device while not\\nunder the protection of the device replace rwsem. So if there's a device\\nreplace operation happening when we extract the device and that device\\nis the source of the replace operation, we will trigger a use-after-free\\nif before we finish using the device the replace operation finishes and\\nfrees the device.\\n\\nFix this by enlarging the critical section under the protection of the\\ndevice replace rwsem so that all uses of the device are done inside the\\ncritical section.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39496\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39497", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39497" + }, + { + "url": "https://git.kernel.org/stable/c/03c71c42809ef4b17f5d874cdb2d3bf40e847b86" + }, + { + "url": "https://git.kernel.org/stable/c/1b4a8b89bf6787090b56424d269bf84ba00c3263" + }, + { + "url": "https://git.kernel.org/stable/c/39bc27bd688066a63e56f7f64ad34fae03fbe3b8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39497 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39497", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)\n\nLack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap\nallows users to call mmap with PROT_WRITE and MAP_PRIVATE flag\ncausing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:\nBUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));\n\nReturn -EINVAL early if COW mapping is detected.\n\nThis bug affects all drm drivers using default shmem helpers.\nIt can be reproduced by this simple example:\nvoid *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);\nptr[0] = 0;", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39497\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39497\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39497\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39497\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39497\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03c71c42809ef4b17f5d874cdb2d3bf40e847b86\",\n \"https://git.kernel.org/stable/c/1b4a8b89bf6787090b56424d269bf84ba00c3263\",\n \"https://git.kernel.org/stable/c/39bc27bd688066a63e56f7f64ad34fae03fbe3b8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)\\n\\nLack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap\\nallows users to call mmap with PROT_WRITE and MAP_PRIVATE flag\\ncausing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:\\nBUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));\\n\\nReturn -EINVAL early if COW mapping is detected.\\n\\nThis bug affects all drm drivers using default shmem helpers.\\nIt can be reproduced by this simple example:\\nvoid *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);\\nptr[0] = 0;\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39497\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39499", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39499" + }, + { + "url": "https://git.kernel.org/stable/c/58730dfbd4ae01c1b022b0d234a8bf8c02cdfb81" + }, + { + "url": "https://git.kernel.org/stable/c/681967c4ff210e06380acf9b9a1b33ae06e77cbd" + }, + { + "url": "https://git.kernel.org/stable/c/757804e1c599af5d2a7f864c8e8b2842406ff4bb" + }, + { + "url": "https://git.kernel.org/stable/c/8003f00d895310d409b2bf9ef907c56b42a4e0f4" + }, + { + "url": "https://git.kernel.org/stable/c/95ac3e773a1f8da83c4710a720fbfe80055aafae" + }, + { + "url": "https://git.kernel.org/stable/c/95bac1c8bedb362374ea1937b1d3e833e01174ee" + }, + { + "url": "https://git.kernel.org/stable/c/e293c6b38ac9029d76ff0d2a6b2d74131709a9a8" + }, + { + "url": "https://git.kernel.org/stable/c/f70ff737346744633e7b655c1fb23e1578491ff3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39499 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39499", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci: prevent speculation leaks by sanitizing event in event_deliver()\n\nCoverity spotted that event_msg is controlled by user-space,\nevent_msg->event_data.event is passed to event_deliver() and used\nas an index without sanitization.\n\nThis change ensures that the event index is sanitized to mitigate any\npossibility of speculative information leaks.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.\n\nOnly compile tested, no access to HW.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39499\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39499\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39499\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39499\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39499\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/58730dfbd4ae01c1b022b0d234a8bf8c02cdfb81\",\n \"https://git.kernel.org/stable/c/681967c4ff210e06380acf9b9a1b33ae06e77cbd\",\n \"https://git.kernel.org/stable/c/757804e1c599af5d2a7f864c8e8b2842406ff4bb\",\n \"https://git.kernel.org/stable/c/8003f00d895310d409b2bf9ef907c56b42a4e0f4\",\n \"https://git.kernel.org/stable/c/95ac3e773a1f8da83c4710a720fbfe80055aafae\",\n \"https://git.kernel.org/stable/c/95bac1c8bedb362374ea1937b1d3e833e01174ee\",\n \"https://git.kernel.org/stable/c/e293c6b38ac9029d76ff0d2a6b2d74131709a9a8\",\n \"https://git.kernel.org/stable/c/f70ff737346744633e7b655c1fb23e1578491ff3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvmci: prevent speculation leaks by sanitizing event in event_deliver()\\n\\nCoverity spotted that event_msg is controlled by user-space,\\nevent_msg->event_data.event is passed to event_deliver() and used\\nas an index without sanitization.\\n\\nThis change ensures that the event index is sanitized to mitigate any\\npossibility of speculative information leaks.\\n\\nThis bug was discovered and resolved using Coverity Static Analysis\\nSecurity Testing (SAST) by Synopsys, Inc.\\n\\nOnly compile tested, no access to HW.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39499\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39500", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39500" + }, + { + "url": "https://git.kernel.org/stable/c/3627605de498639a3c586c8684d12c89cba11073" + }, + { + "url": "https://git.kernel.org/stable/c/4959ffc65a0e94f8acaac20deac49f89e6ded52d" + }, + { + "url": "https://git.kernel.org/stable/c/4b4647add7d3c8530493f7247d11e257ee425bf0" + }, + { + "url": "https://git.kernel.org/stable/c/5eabdf17fed2ad41b836bb4055ec36d95e512c50" + }, + { + "url": "https://git.kernel.org/stable/c/e946428439a0d2079959f5603256ac51b6047017" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39500 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39500", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: avoid race between sock_map_close and sk_psock_put\n\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\nwill happen when the last call of sk_psock_put is done. However,\nsk_psock_drop may not have finished yet, so the close callback will still\npoint to sock_map_close despite psock being NULL.\n\nThis can be reproduced with a thread deleting an element from the sock map,\nwhile the second one creates a socket, adds it to the map and closes it.\n\nThat will trigger the WARN_ON_ONCE:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nModules linked in:\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\nFS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\nCall Trace:\n \n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbe/0x240 net/socket.c:1421\n __fput+0x42b/0x8a0 fs/file_table.c:422\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close fs/open.c:1541 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb37d618070\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \n\nUse sk_psock, which will only check that the pointer is not been set to\nNULL yet, which should only happen after the callbacks are restored. If,\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\npsock->work.\n\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\nless convoluted.\n\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\nanymore.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39500\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39500\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39500\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39500\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39500\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3627605de498639a3c586c8684d12c89cba11073\",\n \"https://git.kernel.org/stable/c/4959ffc65a0e94f8acaac20deac49f89e6ded52d\",\n \"https://git.kernel.org/stable/c/4b4647add7d3c8530493f7247d11e257ee425bf0\",\n \"https://git.kernel.org/stable/c/5eabdf17fed2ad41b836bb4055ec36d95e512c50\",\n \"https://git.kernel.org/stable/c/e946428439a0d2079959f5603256ac51b6047017\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsock_map: avoid race between sock_map_close and sk_psock_put\\n\\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\\nwill happen when the last call of sk_psock_put is done. However,\\nsk_psock_drop may not have finished yet, so the close callback will still\\npoint to sock_map_close despite psock being NULL.\\n\\nThis can be reproduced with a thread deleting an element from the sock map,\\nwhile the second one creates a socket, adds it to the map and closes it.\\n\\nThat will trigger the WARN_ON_ONCE:\\n\\n------------[ cut here ]------------\\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\\nModules linked in:\\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\\nFS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\\nCall Trace:\\n \\n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\\n __sock_release net/socket.c:659 [inline]\\n sock_close+0xbe/0x240 net/socket.c:1421\\n __fput+0x42b/0x8a0 fs/file_table.c:422\\n __do_sys_close fs/open.c:1556 [inline]\\n __se_sys_close fs/open.c:1541 [inline]\\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7fb37d618070\\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\\n \\n\\nUse sk_psock, which will only check that the pointer is not been set to\\nNULL yet, which should only happen after the callbacks are restored. If,\\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\\npsock->work.\\n\\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\\nless convoluted.\\n\\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\\nanymore.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39500\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39501", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39501" + }, + { + "url": "https://git.kernel.org/stable/c/08891eeaa97c079b7f95d60b62dcf0e3ce034b69" + }, + { + "url": "https://git.kernel.org/stable/c/13d25e82b6d00d743c7961dcb260329f86bedf7c" + }, + { + "url": "https://git.kernel.org/stable/c/760603e30bf19d7b4c28e9d81f18b54fa3b745ad" + }, + { + "url": "https://git.kernel.org/stable/c/95d03d369ea647b89e950667f1c3363ea6f564e6" + }, + { + "url": "https://git.kernel.org/stable/c/a42b0060d6ff2f7e59290a26d5f162a3c6329b90" + }, + { + "url": "https://git.kernel.org/stable/c/bb3641a5831789d83a58a39ed4a928bcbece7080" + }, + { + "url": "https://git.kernel.org/stable/c/c0a40097f0bc81deafc15f9195d1fb54595cd6d0" + }, + { + "url": "https://git.kernel.org/stable/c/ec772ed7cb21b46fb132f89241682553efd0b721" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39501 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39501", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: core: synchronize really_probe() and dev_uevent()\n\nSynchronize the dev->driver usage in really_probe() and dev_uevent().\nThese can run in different threads, what can result in the following\nrace condition for dev->driver uninitialization:\n\nThread #1:\n==========\n\nreally_probe() {\n...\nprobe_failed:\n...\ndevice_unbind_cleanup(dev) {\n ...\n dev->driver = NULL; // <= Failed probe sets dev->driver to NULL\n ...\n }\n...\n}\n\nThread #2:\n==========\n\ndev_uevent() {\n...\nif (dev->driver)\n // If dev->driver is NULLed from really_probe() from here on,\n // after above check, the system crashes\n add_uevent_var(env, \"DRIVER=%s\", dev->driver->name);\n...\n}\n\nreally_probe() holds the lock, already. So nothing needs to be done\nthere. dev_uevent() is called with lock held, often, too. But not\nalways. What implies that we can't add any locking in dev_uevent()\nitself. So fix this race by adding the lock to the non-protected\npath. This is the path where above race is observed:\n\n dev_uevent+0x235/0x380\n uevent_show+0x10c/0x1f0 <= Add lock here\n dev_attr_show+0x3a/0xa0\n sysfs_kf_seq_show+0x17c/0x250\n kernfs_seq_show+0x7c/0x90\n seq_read_iter+0x2d7/0x940\n kernfs_fop_read_iter+0xc6/0x310\n vfs_read+0x5bc/0x6b0\n ksys_read+0xeb/0x1b0\n __x64_sys_read+0x42/0x50\n x64_sys_call+0x27ad/0x2d30\n do_syscall_64+0xcd/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nSimilar cases are reported by syzkaller in\n\nhttps://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a\n\nBut these are regarding the *initialization* of dev->driver\n\ndev->driver = drv;\n\nAs this switches dev->driver to non-NULL these reports can be considered\nto be false-positives (which should be \"fixed\" by this commit, as well,\nthough).\n\nThe same issue was reported and tried to be fixed back in 2015 in\n\nhttps://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/\n\nalready.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39501\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39501\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39501\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39501\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39501\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08891eeaa97c079b7f95d60b62dcf0e3ce034b69\",\n \"https://git.kernel.org/stable/c/13d25e82b6d00d743c7961dcb260329f86bedf7c\",\n \"https://git.kernel.org/stable/c/760603e30bf19d7b4c28e9d81f18b54fa3b745ad\",\n \"https://git.kernel.org/stable/c/95d03d369ea647b89e950667f1c3363ea6f564e6\",\n \"https://git.kernel.org/stable/c/a42b0060d6ff2f7e59290a26d5f162a3c6329b90\",\n \"https://git.kernel.org/stable/c/bb3641a5831789d83a58a39ed4a928bcbece7080\",\n \"https://git.kernel.org/stable/c/c0a40097f0bc81deafc15f9195d1fb54595cd6d0\",\n \"https://git.kernel.org/stable/c/ec772ed7cb21b46fb132f89241682553efd0b721\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrivers: core: synchronize really_probe() and dev_uevent()\\n\\nSynchronize the dev->driver usage in really_probe() and dev_uevent().\\nThese can run in different threads, what can result in the following\\nrace condition for dev->driver uninitialization:\\n\\nThread #1:\\n==========\\n\\nreally_probe() {\\n...\\nprobe_failed:\\n...\\ndevice_unbind_cleanup(dev) {\\n ...\\n dev->driver = NULL; // <= Failed probe sets dev->driver to NULL\\n ...\\n }\\n...\\n}\\n\\nThread #2:\\n==========\\n\\ndev_uevent() {\\n...\\nif (dev->driver)\\n // If dev->driver is NULLed from really_probe() from here on,\\n // after above check, the system crashes\\n add_uevent_var(env, \\\"DRIVER=%s\\\", dev->driver->name);\\n...\\n}\\n\\nreally_probe() holds the lock, already. So nothing needs to be done\\nthere. dev_uevent() is called with lock held, often, too. But not\\nalways. What implies that we can't add any locking in dev_uevent()\\nitself. So fix this race by adding the lock to the non-protected\\npath. This is the path where above race is observed:\\n\\n dev_uevent+0x235/0x380\\n uevent_show+0x10c/0x1f0 <= Add lock here\\n dev_attr_show+0x3a/0xa0\\n sysfs_kf_seq_show+0x17c/0x250\\n kernfs_seq_show+0x7c/0x90\\n seq_read_iter+0x2d7/0x940\\n kernfs_fop_read_iter+0xc6/0x310\\n vfs_read+0x5bc/0x6b0\\n ksys_read+0xeb/0x1b0\\n __x64_sys_read+0x42/0x50\\n x64_sys_call+0x27ad/0x2d30\\n do_syscall_64+0xcd/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nSimilar cases are reported by syzkaller in\\n\\nhttps://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a\\n\\nBut these are regarding the *initialization* of dev->driver\\n\\ndev->driver = drv;\\n\\nAs this switches dev->driver to non-NULL these reports can be considered\\nto be false-positives (which should be \\\"fixed\\\" by this commit, as well,\\nthough).\\n\\nThe same issue was reported and tried to be fixed back in 2015 in\\n\\nhttps://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/\\n\\nalready.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39501\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39502", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39502" + }, + { + "url": "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7" + }, + { + "url": "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5" + }, + { + "url": "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84" + }, + { + "url": "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13" + }, + { + "url": "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e" + }, + { + "url": "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e" + }, + { + "url": "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39502 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39502", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n ethtool -L rx 1 tx 1 combined 0\n ethtool -L rx 0 tx 0 combined 1\n ethtool -L rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39502\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39502\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39502\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39502\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39502\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7\",\n \"https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5\",\n \"https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84\",\n \"https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13\",\n \"https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e\",\n \"https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e\",\n \"https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nionic: fix use after netif_napi_del()\\n\\nWhen queues are started, netif_napi_add() and napi_enable() are called.\\nIf there are 4 queues and only 3 queues are used for the current\\nconfiguration, only 3 queues' napi should be registered and enabled.\\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\\nenabling only the using queue' napi. Unused queues' napi will not be\\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\\nBut it couldn't distinguish whether the napi was unregistered or not\\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\\nunregistered by netif_napi_del().\\n\\nReproducer:\\n ethtool -L rx 1 tx 1 combined 0\\n ethtool -L rx 0 tx 0 combined 1\\n ethtool -L rx 0 tx 0 combined 4\\n\\nSplat looks like:\\nkernel BUG at net/core/dev.c:6666!\\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\\nWorkqueue: events ionic_lif_deferred_work [ionic]\\nRIP: 0010:napi_enable+0x3b/0x40\\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? die+0x33/0x90\\n ? do_trap+0xd9/0x100\\n ? napi_enable+0x3b/0x40\\n ? do_error_trap+0x83/0xb0\\n ? napi_enable+0x3b/0x40\\n ? napi_enable+0x3b/0x40\\n ? exc_invalid_op+0x4e/0x70\\n ? napi_enable+0x3b/0x40\\n ? asm_exc_invalid_op+0x16/0x20\\n ? napi_enable+0x3b/0x40\\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\\n process_one_work+0x145/0x360\\n worker_thread+0x2bb/0x3d0\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xcc/0x100\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x2d/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1a/0x30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39502\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39503", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39503" + }, + { + "url": "https://git.kernel.org/stable/c/0f1bb77c6d837c9513943bc7c08f04c5cc5c6568" + }, + { + "url": "https://git.kernel.org/stable/c/2ba35b37f780c6410bb4bba9c3072596d8576702" + }, + { + "url": "https://git.kernel.org/stable/c/390b353d1a1da3e9c6c0fd14fe650d69063c95d6" + }, + { + "url": "https://git.kernel.org/stable/c/4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10" + }, + { + "url": "https://git.kernel.org/stable/c/90ae20d47de602198eb69e6cd7a3db3420abfc08" + }, + { + "url": "https://git.kernel.org/stable/c/93b53c202b51a69e42ca57f5a183f7e008e19f83" + }, + { + "url": "https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39503 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39503", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Fix race between namespace cleanup and gc in the list:set type\n\nLion Ackermann reported that there is a race condition between namespace cleanup\nin ipset and the garbage collection of the list:set type. The namespace\ncleanup can destroy the list:set type of sets while the gc of the set type is\nwaiting to run in rcu cleanup. The latter uses data from the destroyed set which\nthus leads use after free. The patch contains the following parts:\n\n- When destroying all sets, first remove the garbage collectors, then wait\n if needed and then destroy the sets.\n- Fix the badly ordered \"wait then remove gc\" for the destroy a single set\n case.\n- Fix the missing rcu locking in the list:set type in the userspace test\n case.\n- Use proper RCU list handlings in the list:set type.\n\nThe patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39503\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39503\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39503\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39503\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39503\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f1bb77c6d837c9513943bc7c08f04c5cc5c6568\",\n \"https://git.kernel.org/stable/c/2ba35b37f780c6410bb4bba9c3072596d8576702\",\n \"https://git.kernel.org/stable/c/390b353d1a1da3e9c6c0fd14fe650d69063c95d6\",\n \"https://git.kernel.org/stable/c/4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10\",\n \"https://git.kernel.org/stable/c/90ae20d47de602198eb69e6cd7a3db3420abfc08\",\n \"https://git.kernel.org/stable/c/93b53c202b51a69e42ca57f5a183f7e008e19f83\",\n \"https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: ipset: Fix race between namespace cleanup and gc in the list:set type\\n\\nLion Ackermann reported that there is a race condition between namespace cleanup\\nin ipset and the garbage collection of the list:set type. The namespace\\ncleanup can destroy the list:set type of sets while the gc of the set type is\\nwaiting to run in rcu cleanup. The latter uses data from the destroyed set which\\nthus leads use after free. The patch contains the following parts:\\n\\n- When destroying all sets, first remove the garbage collectors, then wait\\n if needed and then destroy the sets.\\n- Fix the badly ordered \\\"wait then remove gc\\\" for the destroy a single set\\n case.\\n- Fix the missing rcu locking in the list:set type in the userspace test\\n case.\\n- Use proper RCU list handlings in the list:set type.\\n\\nThe patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39503\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39505", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39505" + }, + { + "url": "https://git.kernel.org/stable/c/0674ed1e58e2fdcc155e7d944f8aad007a94ac69" + }, + { + "url": "https://git.kernel.org/stable/c/3b1cf943b029c147bfacfd53dc28ffa632c0a622" + }, + { + "url": "https://git.kernel.org/stable/c/86042e3d16b7e0686db835c9e7af0f9044dd3a56" + }, + { + "url": "https://git.kernel.org/stable/c/9460961d82134ceda7377b77a3e3e3531b625dfe" + }, + { + "url": "https://git.kernel.org/stable/c/99392c98b9be0523fe76944b2264b1847512ad23" + }, + { + "url": "https://git.kernel.org/stable/c/b880018edd3a577e50366338194dee9b899947e0" + }, + { + "url": "https://git.kernel.org/stable/c/bda7cdaeebf57e46c1a488ae7a15f6f264691f59" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39505 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39505", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/komeda: check for error-valued pointer\n\nkomeda_pipeline_get_state() may return an error-valued pointer, thus\ncheck the pointer for negative or null value before dereferencing.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39505\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39505\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39505\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39505\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39505\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0674ed1e58e2fdcc155e7d944f8aad007a94ac69\",\n \"https://git.kernel.org/stable/c/3b1cf943b029c147bfacfd53dc28ffa632c0a622\",\n \"https://git.kernel.org/stable/c/86042e3d16b7e0686db835c9e7af0f9044dd3a56\",\n \"https://git.kernel.org/stable/c/9460961d82134ceda7377b77a3e3e3531b625dfe\",\n \"https://git.kernel.org/stable/c/99392c98b9be0523fe76944b2264b1847512ad23\",\n \"https://git.kernel.org/stable/c/b880018edd3a577e50366338194dee9b899947e0\",\n \"https://git.kernel.org/stable/c/bda7cdaeebf57e46c1a488ae7a15f6f264691f59\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/komeda: check for error-valued pointer\\n\\nkomeda_pipeline_get_state() may return an error-valued pointer, thus\\ncheck the pointer for negative or null value before dereferencing.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39505\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39506", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39506" + }, + { + "url": "https://git.kernel.org/stable/c/87d6bdc006f0cbf297a3b2ad6e40ede4c3ee5dc2" + }, + { + "url": "https://git.kernel.org/stable/c/a6f4d0ec170a46b5f453cacf55dff5989b42bbfa" + }, + { + "url": "https://git.kernel.org/stable/c/a86490a3712cc513113440a606a0e77130abd47c" + }, + { + "url": "https://git.kernel.org/stable/c/c44711b78608c98a3e6b49ce91678cd0917d5349" + }, + { + "url": "https://git.kernel.org/stable/c/cbf18d8128a753cb632bef39470d19befd9c7347" + }, + { + "url": "https://git.kernel.org/stable/c/dcc7440f32c7a26b067aff6e7d931ec593024a79" + }, + { + "url": "https://git.kernel.org/stable/c/f1ab15a09492a5ae8ab1e2c35ba2cf9e150d25ee" + }, + { + "url": "https://git.kernel.org/stable/c/fd2b613bc4c508e55c1221c6595bb889812a4fea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39506 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39506", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nliquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet\n\nIn lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,\nbut then it is unconditionally passed to skb_add_rx_frag() which looks\nstrange and could lead to null pointer dereference.\n\nlio_vf_rep_copy_packet() call trace looks like:\n\tocteon_droq_process_packets\n\t octeon_droq_fast_process_packets\n\t octeon_droq_dispatch_pkt\n\t octeon_create_recv_info\n\t ...search in the dispatch_list...\n\t ->disp_fn(rdisp->rinfo, ...)\n\t lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)\nIn this path there is no code which sets pg_info->page to NULL.\nSo this check looks unneeded and doesn't solve potential problem.\nBut I guess the author had reason to add a check and I have no such card\nand can't do real test.\nIn addition, the code in the function liquidio_push_packet() in\nliquidio/lio_core.c does exactly the same.\n\nBased on this, I consider the most acceptable compromise solution to\nadjust this issue by moving skb_add_rx_frag() into conditional scope.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39506\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39506\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39506\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39506\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39506\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/87d6bdc006f0cbf297a3b2ad6e40ede4c3ee5dc2\",\n \"https://git.kernel.org/stable/c/a6f4d0ec170a46b5f453cacf55dff5989b42bbfa\",\n \"https://git.kernel.org/stable/c/a86490a3712cc513113440a606a0e77130abd47c\",\n \"https://git.kernel.org/stable/c/c44711b78608c98a3e6b49ce91678cd0917d5349\",\n \"https://git.kernel.org/stable/c/cbf18d8128a753cb632bef39470d19befd9c7347\",\n \"https://git.kernel.org/stable/c/dcc7440f32c7a26b067aff6e7d931ec593024a79\",\n \"https://git.kernel.org/stable/c/f1ab15a09492a5ae8ab1e2c35ba2cf9e150d25ee\",\n \"https://git.kernel.org/stable/c/fd2b613bc4c508e55c1221c6595bb889812a4fea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nliquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet\\n\\nIn lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,\\nbut then it is unconditionally passed to skb_add_rx_frag() which looks\\nstrange and could lead to null pointer dereference.\\n\\nlio_vf_rep_copy_packet() call trace looks like:\\n\\tocteon_droq_process_packets\\n\\t octeon_droq_fast_process_packets\\n\\t octeon_droq_dispatch_pkt\\n\\t octeon_create_recv_info\\n\\t ...search in the dispatch_list...\\n\\t ->disp_fn(rdisp->rinfo, ...)\\n\\t lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)\\nIn this path there is no code which sets pg_info->page to NULL.\\nSo this check looks unneeded and doesn't solve potential problem.\\nBut I guess the author had reason to add a check and I have no such card\\nand can't do real test.\\nIn addition, the code in the function liquidio_push_packet() in\\nliquidio/lio_core.c does exactly the same.\\n\\nBased on this, I consider the most acceptable compromise solution to\\nadjust this issue by moving skb_add_rx_frag() into conditional scope.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39506\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39507", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39507" + }, + { + "url": "https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4" + }, + { + "url": "https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48" + }, + { + "url": "https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa" + }, + { + "url": "https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63" + }, + { + "url": "https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39507 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39507", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash problem in concurrent scenario\n\nWhen link status change, the nic driver need to notify the roce\ndriver to handle this event, but at this time, the roce driver\nmay uninit, then cause kernel crash.\n\nTo fix the problem, when link status change, need to check\nwhether the roce registered, and when uninit, need to wait link\nupdate finish.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39507\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39507\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39507\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39507\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39507\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4\",\n \"https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48\",\n \"https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa\",\n \"https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63\",\n \"https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: hns3: fix kernel crash problem in concurrent scenario\\n\\nWhen link status change, the nic driver need to notify the roce\\ndriver to handle this event, but at this time, the roce driver\\nmay uninit, then cause kernel crash.\\n\\nTo fix the problem, when link status change, need to check\\nwhether the roce registered, and when uninit, need to wait link\\nupdate finish.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39507\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39508", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39508" + }, + { + "url": "https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf" + }, + { + "url": "https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab" + }, + { + "url": "https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39508 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39508", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: Use set_bit() and test_bit() at worker->flags\n\nUtilize set_bit() and test_bit() on worker->flags within io_uring/io-wq\nto address potential data races.\n\nThe structure io_worker->flags may be accessed through various data\npaths, leading to concurrency issues. When KCSAN is enabled, it reveals\ndata races occurring in io_worker_handle_work and\nio_wq_activate_free_worker functions.\n\n\t BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker\n\t write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28:\n\t io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569)\n\t io_wq_worker (io_uring/io-wq.c:?)\n\n\n\t read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5:\n\t io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285)\n\t io_wq_enqueue (io_uring/io-wq.c:947)\n\t io_queue_iowq (io_uring/io_uring.c:524)\n\t io_req_task_submit (io_uring/io_uring.c:1511)\n\t io_handle_tw_list (io_uring/io_uring.c:1198)\n\n\nLine numbers against commit 18daea77cca6 (\"Merge tag 'for-linus' of\ngit://git.kernel.org/pub/scm/virt/kvm/kvm\").\n\nThese races involve writes and reads to the same memory location by\ndifferent tasks running on different CPUs. To mitigate this, refactor\nthe code to use atomic operations such as set_bit(), test_bit(), and\nclear_bit() instead of basic \"and\" and \"or\" operations. This ensures\nthread-safe manipulation of worker flags.\n\nAlso, move `create_index` to avoid holes in the structure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39508\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39508\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39508\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39508\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39508\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf\",\n \"https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab\",\n \"https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring/io-wq: Use set_bit() and test_bit() at worker->flags\\n\\nUtilize set_bit() and test_bit() on worker->flags within io_uring/io-wq\\nto address potential data races.\\n\\nThe structure io_worker->flags may be accessed through various data\\npaths, leading to concurrency issues. When KCSAN is enabled, it reveals\\ndata races occurring in io_worker_handle_work and\\nio_wq_activate_free_worker functions.\\n\\n\\t BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker\\n\\t write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28:\\n\\t io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569)\\n\\t io_wq_worker (io_uring/io-wq.c:?)\\n\\n\\n\\t read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5:\\n\\t io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285)\\n\\t io_wq_enqueue (io_uring/io-wq.c:947)\\n\\t io_queue_iowq (io_uring/io_uring.c:524)\\n\\t io_req_task_submit (io_uring/io_uring.c:1511)\\n\\t io_handle_tw_list (io_uring/io_uring.c:1198)\\n\\n\\nLine numbers against commit 18daea77cca6 (\\\"Merge tag 'for-linus' of\\ngit://git.kernel.org/pub/scm/virt/kvm/kvm\\\").\\n\\nThese races involve writes and reads to the same memory location by\\ndifferent tasks running on different CPUs. To mitigate this, refactor\\nthe code to use atomic operations such as set_bit(), test_bit(), and\\nclear_bit() instead of basic \\\"and\\\" and \\\"or\\\" operations. This ensures\\nthread-safe manipulation of worker flags.\\n\\nAlso, move `create_index` to avoid holes in the structure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39508\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39509", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39509" + }, + { + "url": "https://git.kernel.org/stable/c/30f76bc468b9b2cbbd5d3eb482661e3e4798893f" + }, + { + "url": "https://git.kernel.org/stable/c/33f6832798dd3297317901cc1db556ac3ae80c24" + }, + { + "url": "https://git.kernel.org/stable/c/4aa2dcfbad538adf7becd0034a3754e1bd01b2b5" + }, + { + "url": "https://git.kernel.org/stable/c/655c6de2f215b61d0708db6b06305eee9bbfeba2" + }, + { + "url": "https://git.kernel.org/stable/c/8bac61934cd563b073cd30b8cf6d5c758ab5ab26" + }, + { + "url": "https://git.kernel.org/stable/c/955b3764671f3f157215194972d9c01a3a4bd316" + }, + { + "url": "https://git.kernel.org/stable/c/bfd546fc7fd76076f81bf41b85b51ceda30949fd" + }, + { + "url": "https://git.kernel.org/stable/c/f9db5fbeffb951cac3f0fb1c2eeffb79785399ca" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39509 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39509", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: remove unnecessary WARN_ON() in implement()\n\nSyzkaller hit a warning [1] in a call to implement() when trying\nto write a value into a field of smaller size in an output report.\n\nSince implement() already has a warn message printed out with the\nhelp of hid_warn() and value in question gets trimmed with:\n\t...\n\tvalue &= m;\n\t...\nWARN_ON may be considered superfluous. Remove it to suppress future\nsyzkaller triggers.\n\n[1]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\nModules linked in:\nCPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]\nRIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\n...\nCall Trace:\n \n __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]\n usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636\n hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39509\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39509\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39509\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39509\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39509\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/30f76bc468b9b2cbbd5d3eb482661e3e4798893f\",\n \"https://git.kernel.org/stable/c/33f6832798dd3297317901cc1db556ac3ae80c24\",\n \"https://git.kernel.org/stable/c/4aa2dcfbad538adf7becd0034a3754e1bd01b2b5\",\n \"https://git.kernel.org/stable/c/655c6de2f215b61d0708db6b06305eee9bbfeba2\",\n \"https://git.kernel.org/stable/c/8bac61934cd563b073cd30b8cf6d5c758ab5ab26\",\n \"https://git.kernel.org/stable/c/955b3764671f3f157215194972d9c01a3a4bd316\",\n \"https://git.kernel.org/stable/c/bfd546fc7fd76076f81bf41b85b51ceda30949fd\",\n \"https://git.kernel.org/stable/c/f9db5fbeffb951cac3f0fb1c2eeffb79785399ca\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: core: remove unnecessary WARN_ON() in implement()\\n\\nSyzkaller hit a warning [1] in a call to implement() when trying\\nto write a value into a field of smaller size in an output report.\\n\\nSince implement() already has a warn message printed out with the\\nhelp of hid_warn() and value in question gets trimmed with:\\n\\t...\\n\\tvalue &= m;\\n\\t...\\nWARN_ON may be considered superfluous. Remove it to suppress future\\nsyzkaller triggers.\\n\\n[1]\\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]\\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\\nModules linked in:\\nCPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\nRIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]\\nRIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\\n...\\nCall Trace:\\n \\n __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]\\n usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636\\n hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:904 [inline]\\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n...\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39509\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39510", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39510" + }, + { + "url": "https://git.kernel.org/stable/c/3958679c49152391209b32be3357193300a51abd" + }, + { + "url": "https://git.kernel.org/stable/c/93064676a2820420a2d37d7c8289f277fe20793d" + }, + { + "url": "https://git.kernel.org/stable/c/cb55625f8eb9d2de8be4da0c4580d48cbb32058e" + }, + { + "url": "https://git.kernel.org/stable/c/da4a827416066191aafeeccee50a8836a826ba10" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39510 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39510", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60\nRead of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963\n\nCPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564\nCall Trace:\n kasan_report+0x93/0xc0\n cachefiles_ondemand_daemon_read+0xb41/0xb60\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 116:\n kmem_cache_alloc+0x140/0x3a0\n cachefiles_lookup_cookie+0x140/0xcd0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 792:\n kmem_cache_free+0xfe/0x390\n cachefiles_put_object+0x241/0x480\n fscache_cookie_state_machine+0x5c8/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\ncachefiles_withdraw_cookie\n cachefiles_ondemand_clean_object(object)\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n msg->object_id = req->object->ondemand->ondemand_id\n ------ restore ------\n cachefiles_ondemand_restore\n xas_for_each(&xas, req, ULONG_MAX)\n xas_set_mark(&xas, CACHEFILES_REQ_NEW)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n copy_to_user(_buffer, msg, n)\n xa_erase(&cache->reqs, id)\n complete(&REQ_A->done)\n ------ close(fd) ------\n cachefiles_ondemand_fd_release\n cachefiles_put_object\n cachefiles_put_object\n kmem_cache_free(cachefiles_object_jar, object)\n REQ_A->object->ondemand->ondemand_id\n // object UAF !!!\n\nWhen we see the request within xa_lock, req->object must not have been\nfreed yet, so grab the reference count of object before xa_unlock to\navoid the above issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39510\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39510\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39510\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39510\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39510\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3958679c49152391209b32be3357193300a51abd\",\n \"https://git.kernel.org/stable/c/93064676a2820420a2d37d7c8289f277fe20793d\",\n \"https://git.kernel.org/stable/c/cb55625f8eb9d2de8be4da0c4580d48cbb32058e\",\n \"https://git.kernel.org/stable/c/da4a827416066191aafeeccee50a8836a826ba10\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()\\n\\nWe got the following issue in a fuzz test of randomly issuing the restore\\ncommand:\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60\\nRead of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963\\n\\nCPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564\\nCall Trace:\\n kasan_report+0x93/0xc0\\n cachefiles_ondemand_daemon_read+0xb41/0xb60\\n vfs_read+0x169/0xb50\\n ksys_read+0xf5/0x1e0\\n\\nAllocated by task 116:\\n kmem_cache_alloc+0x140/0x3a0\\n cachefiles_lookup_cookie+0x140/0xcd0\\n fscache_cookie_state_machine+0x43c/0x1230\\n [...]\\n\\nFreed by task 792:\\n kmem_cache_free+0xfe/0x390\\n cachefiles_put_object+0x241/0x480\\n fscache_cookie_state_machine+0x5c8/0x1230\\n [...]\\n==================================================================\\n\\nFollowing is the process that triggers the issue:\\n\\n mount | daemon_thread1 | daemon_thread2\\n------------------------------------------------------------\\ncachefiles_withdraw_cookie\\n cachefiles_ondemand_clean_object(object)\\n cachefiles_ondemand_send_req\\n REQ_A = kzalloc(sizeof(*req) + data_len)\\n wait_for_completion(&REQ_A->done)\\n\\n cachefiles_daemon_read\\n cachefiles_ondemand_daemon_read\\n REQ_A = cachefiles_ondemand_select_req\\n msg->object_id = req->object->ondemand->ondemand_id\\n ------ restore ------\\n cachefiles_ondemand_restore\\n xas_for_each(&xas, req, ULONG_MAX)\\n xas_set_mark(&xas, CACHEFILES_REQ_NEW)\\n\\n cachefiles_daemon_read\\n cachefiles_ondemand_daemon_read\\n REQ_A = cachefiles_ondemand_select_req\\n copy_to_user(_buffer, msg, n)\\n xa_erase(&cache->reqs, id)\\n complete(&REQ_A->done)\\n ------ close(fd) ------\\n cachefiles_ondemand_fd_release\\n cachefiles_put_object\\n cachefiles_put_object\\n kmem_cache_free(cachefiles_object_jar, object)\\n REQ_A->object->ondemand->ondemand_id\\n // object UAF !!!\\n\\nWhen we see the request within xa_lock, req->object must not have been\\nfreed yet, so grab the reference count of object before xa_unlock to\\navoid the above issue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39510\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40899" + }, + { + "url": "https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fc" + }, + { + "url": "https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62" + }, + { + "url": "https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0" + }, + { + "url": "https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0\nWrite of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962\n\nCPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542\nCall Trace:\n kasan_report+0x94/0xc0\n cachefiles_ondemand_daemon_read+0x609/0xab0\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 626:\n __kmalloc+0x1df/0x4b0\n cachefiles_ondemand_send_req+0x24d/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 626:\n kfree+0xf1/0x2c0\n cachefiles_ondemand_send_req+0x568/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n cachefiles_ondemand_get_fd\n copy_to_user(_buffer, msg, n)\n process_open_req(REQ_A)\n ------ restore ------\n cachefiles_ondemand_restore\n xas_for_each(&xas, req, ULONG_MAX)\n xas_set_mark(&xas, CACHEFILES_REQ_NEW);\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n\n write(devfd, (\"copen %u,%llu\", msg->msg_id, size));\n cachefiles_ondemand_copen\n xa_erase(&cache->reqs, id)\n complete(&REQ_A->done)\n kfree(REQ_A)\n cachefiles_ondemand_get_fd(REQ_A)\n fd = get_unused_fd_flags\n file = anon_inode_getfile\n fd_install(fd, file)\n load = (void *)REQ_A->msg.data;\n load->fd = fd;\n // load UAF !!!\n\nThis issue is caused by issuing a restore command when the daemon is still\nalive, which results in a request being processed multiple times thus\ntriggering a UAF. So to avoid this problem, add an additional reference\ncount to cachefiles_req, which is held while waiting and reading, and then\nreleased when the waiting and reading is over.\n\nNote that since there is only one reference count for waiting, we need to\navoid the same request being completed multiple times, so we can only\ncomplete the request if it is successfully removed from the xarray.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fc\",\n \"https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62\",\n \"https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0\",\n \"https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()\\n\\nWe got the following issue in a fuzz test of randomly issuing the restore\\ncommand:\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0\\nWrite of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962\\n\\nCPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542\\nCall Trace:\\n kasan_report+0x94/0xc0\\n cachefiles_ondemand_daemon_read+0x609/0xab0\\n vfs_read+0x169/0xb50\\n ksys_read+0xf5/0x1e0\\n\\nAllocated by task 626:\\n __kmalloc+0x1df/0x4b0\\n cachefiles_ondemand_send_req+0x24d/0x690\\n cachefiles_create_tmpfile+0x249/0xb30\\n cachefiles_create_file+0x6f/0x140\\n cachefiles_look_up_object+0x29c/0xa60\\n cachefiles_lookup_cookie+0x37d/0xca0\\n fscache_cookie_state_machine+0x43c/0x1230\\n [...]\\n\\nFreed by task 626:\\n kfree+0xf1/0x2c0\\n cachefiles_ondemand_send_req+0x568/0x690\\n cachefiles_create_tmpfile+0x249/0xb30\\n cachefiles_create_file+0x6f/0x140\\n cachefiles_look_up_object+0x29c/0xa60\\n cachefiles_lookup_cookie+0x37d/0xca0\\n fscache_cookie_state_machine+0x43c/0x1230\\n [...]\\n==================================================================\\n\\nFollowing is the process that triggers the issue:\\n\\n mount | daemon_thread1 | daemon_thread2\\n------------------------------------------------------------\\n cachefiles_ondemand_init_object\\n cachefiles_ondemand_send_req\\n REQ_A = kzalloc(sizeof(*req) + data_len)\\n wait_for_completion(&REQ_A->done)\\n\\n cachefiles_daemon_read\\n cachefiles_ondemand_daemon_read\\n REQ_A = cachefiles_ondemand_select_req\\n cachefiles_ondemand_get_fd\\n copy_to_user(_buffer, msg, n)\\n process_open_req(REQ_A)\\n ------ restore ------\\n cachefiles_ondemand_restore\\n xas_for_each(&xas, req, ULONG_MAX)\\n xas_set_mark(&xas, CACHEFILES_REQ_NEW);\\n\\n cachefiles_daemon_read\\n cachefiles_ondemand_daemon_read\\n REQ_A = cachefiles_ondemand_select_req\\n\\n write(devfd, (\\\"copen %u,%llu\\\", msg->msg_id, size));\\n cachefiles_ondemand_copen\\n xa_erase(&cache->reqs, id)\\n complete(&REQ_A->done)\\n kfree(REQ_A)\\n cachefiles_ondemand_get_fd(REQ_A)\\n fd = get_unused_fd_flags\\n file = anon_inode_getfile\\n fd_install(fd, file)\\n load = (void *)REQ_A->msg.data;\\n load->fd = fd;\\n // load UAF !!!\\n\\nThis issue is caused by issuing a restore command when the daemon is still\\nalive, which results in a request being processed multiple times thus\\ntriggering a UAF. So to avoid this problem, add an additional reference\\ncount to cachefiles_req, which is held while waiting and reading, and then\\nreleased when the waiting and reading is over.\\n\\nNote that since there is only one reference count for waiting, we need to\\navoid the same request being completed multiple times, so we can only\\ncomplete the request if it is successfully removed from the xarray.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40900" + }, + { + "url": "https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013" + }, + { + "url": "https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19" + }, + { + "url": "https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598" + }, + { + "url": "https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: remove requests from xarray during flushing requests\n\nEven with CACHEFILES_DEAD set, we can still read the requests, so in the\nfollowing concurrency the request may be used after it has been freed:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n // close dev fd\n cachefiles_flush_reqs\n complete(&REQ_A->done)\n kfree(REQ_A)\n xa_lock(&cache->reqs);\n cachefiles_ondemand_select_req\n req->msg.opcode != CACHEFILES_OP_READ\n // req use-after-free !!!\n xa_unlock(&cache->reqs);\n xa_destroy(&cache->reqs)\n\nHence remove requests from cache->reqs when flushing them to avoid\naccessing freed requests.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013\",\n \"https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19\",\n \"https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598\",\n \"https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: remove requests from xarray during flushing requests\\n\\nEven with CACHEFILES_DEAD set, we can still read the requests, so in the\\nfollowing concurrency the request may be used after it has been freed:\\n\\n mount | daemon_thread1 | daemon_thread2\\n------------------------------------------------------------\\n cachefiles_ondemand_init_object\\n cachefiles_ondemand_send_req\\n REQ_A = kzalloc(sizeof(*req) + data_len)\\n wait_for_completion(&REQ_A->done)\\n cachefiles_daemon_read\\n cachefiles_ondemand_daemon_read\\n // close dev fd\\n cachefiles_flush_reqs\\n complete(&REQ_A->done)\\n kfree(REQ_A)\\n xa_lock(&cache->reqs);\\n cachefiles_ondemand_select_req\\n req->msg.opcode != CACHEFILES_OP_READ\\n // req use-after-free !!!\\n xa_unlock(&cache->reqs);\\n xa_destroy(&cache->reqs)\\n\\nHence remove requests from cache->reqs when flushing them to avoid\\naccessing freed requests.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40901", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40901" + }, + { + "url": "https://git.kernel.org/stable/c/0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16" + }, + { + "url": "https://git.kernel.org/stable/c/18abb5db0aa9b2d48f7037a88b41af2eef821674" + }, + { + "url": "https://git.kernel.org/stable/c/19649e49a6df07cd2e03e0a11396fd3a99485ec2" + }, + { + "url": "https://git.kernel.org/stable/c/4254dfeda82f20844299dca6c38cbffcfd499f41" + }, + { + "url": "https://git.kernel.org/stable/c/46bab2bcd771e725ff5ca3a68ba68cfeac45676c" + }, + { + "url": "https://git.kernel.org/stable/c/521f333e644c4246ca04a4fc4772edc53dd2a801" + }, + { + "url": "https://git.kernel.org/stable/c/9079338c5a0d1f1fee34fb1c9e99b754efe414c5" + }, + { + "url": "https://git.kernel.org/stable/c/e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40901 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40901", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory\n\nThere is a potential out-of-bounds access when using test_bit() on a single\nword. The test_bit() and set_bit() functions operate on long values, and\nwhen testing or setting a single word, they can exceed the word\nboundary. KASAN detects this issue and produces a dump:\n\n\t BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas\n\n\t Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965\n\nFor full log, please look at [1].\n\nMake the allocation at least the size of sizeof(unsigned long) so that\nset_bit() and test_bit() have sufficient room for read/write operations\nwithout overwriting unallocated memory.\n\n[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40901\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40901\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40901\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40901\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40901\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16\",\n \"https://git.kernel.org/stable/c/18abb5db0aa9b2d48f7037a88b41af2eef821674\",\n \"https://git.kernel.org/stable/c/19649e49a6df07cd2e03e0a11396fd3a99485ec2\",\n \"https://git.kernel.org/stable/c/4254dfeda82f20844299dca6c38cbffcfd499f41\",\n \"https://git.kernel.org/stable/c/46bab2bcd771e725ff5ca3a68ba68cfeac45676c\",\n \"https://git.kernel.org/stable/c/521f333e644c4246ca04a4fc4772edc53dd2a801\",\n \"https://git.kernel.org/stable/c/9079338c5a0d1f1fee34fb1c9e99b754efe414c5\",\n \"https://git.kernel.org/stable/c/e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory\\n\\nThere is a potential out-of-bounds access when using test_bit() on a single\\nword. The test_bit() and set_bit() functions operate on long values, and\\nwhen testing or setting a single word, they can exceed the word\\nboundary. KASAN detects this issue and produces a dump:\\n\\n\\t BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas\\n\\n\\t Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965\\n\\nFor full log, please look at [1].\\n\\nMake the allocation at least the size of sizeof(unsigned long) so that\\nset_bit() and test_bit() have sufficient room for read/write operations\\nwithout overwriting unallocated memory.\\n\\n[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40901\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40902", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40902" + }, + { + "url": "https://git.kernel.org/stable/c/1e84c9b1838152a87cf453270a5fa75c5037e83a" + }, + { + "url": "https://git.kernel.org/stable/c/33aecc5799c93d3ee02f853cb94e201f9731f123" + }, + { + "url": "https://git.kernel.org/stable/c/4598233d9748fe4db4e13b9f473588aa25e87d69" + }, + { + "url": "https://git.kernel.org/stable/c/480e5bc21f2c42d90c2c16045d64d824dcdd5ec7" + }, + { + "url": "https://git.kernel.org/stable/c/7c55b78818cfb732680c4a72ab270cc2d2ee3d0f" + }, + { + "url": "https://git.kernel.org/stable/c/b537cb2f4c4a1357479716a9c339c0bda03d873f" + }, + { + "url": "https://git.kernel.org/stable/c/f0dedb5c511ed82cbaff4997a8decf2351ba549f" + }, + { + "url": "https://git.kernel.org/stable/c/fc745f6e83cb650f9a5f2c864158e3a5ea76dad0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40902 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40902", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: xattr: fix buffer overflow for invalid xattr\n\nWhen an xattr size is not what is expected, it is printed out to the\nkernel log in hex format as a form of debugging. But when that xattr\nsize is bigger than the expected size, printing it out can cause an\naccess off the end of the buffer.\n\nFix this all up by properly restricting the size of the debug hex dump\nin the kernel log.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40902\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40902\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40902\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40902\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40902\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e84c9b1838152a87cf453270a5fa75c5037e83a\",\n \"https://git.kernel.org/stable/c/33aecc5799c93d3ee02f853cb94e201f9731f123\",\n \"https://git.kernel.org/stable/c/4598233d9748fe4db4e13b9f473588aa25e87d69\",\n \"https://git.kernel.org/stable/c/480e5bc21f2c42d90c2c16045d64d824dcdd5ec7\",\n \"https://git.kernel.org/stable/c/7c55b78818cfb732680c4a72ab270cc2d2ee3d0f\",\n \"https://git.kernel.org/stable/c/b537cb2f4c4a1357479716a9c339c0bda03d873f\",\n \"https://git.kernel.org/stable/c/f0dedb5c511ed82cbaff4997a8decf2351ba549f\",\n \"https://git.kernel.org/stable/c/fc745f6e83cb650f9a5f2c864158e3a5ea76dad0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: xattr: fix buffer overflow for invalid xattr\\n\\nWhen an xattr size is not what is expected, it is printed out to the\\nkernel log in hex format as a form of debugging. But when that xattr\\nsize is bigger than the expected size, printing it out can cause an\\naccess off the end of the buffer.\\n\\nFix this all up by properly restricting the size of the debug hex dump\\nin the kernel log.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40902\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40904", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40904" + }, + { + "url": "https://git.kernel.org/stable/c/02a4c0499fc3a02e992b4c69a9809912af372d94" + }, + { + "url": "https://git.kernel.org/stable/c/05b2cd6d33f700597e6f081b53c668a226a96d28" + }, + { + "url": "https://git.kernel.org/stable/c/217d1f44fff560b3995a685a60aa66e55a7f0f56" + }, + { + "url": "https://git.kernel.org/stable/c/22f00812862564b314784167a89f27b444f82a46" + }, + { + "url": "https://git.kernel.org/stable/c/53250b54c92fe087fd4b0c48f85529efe1ebd879" + }, + { + "url": "https://git.kernel.org/stable/c/72a3fe36cf9f0d030865e571f45a40f9c1e07e8a" + }, + { + "url": "https://git.kernel.org/stable/c/82075aff7ffccb1e72b0ac8aa349e473624d857c" + }, + { + "url": "https://git.kernel.org/stable/c/c0747d76eb05542b5d49f67069b64ef5ff732c6c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40904 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40904", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages\n\nThe syzbot fuzzer found that the interrupt-URB completion callback in\nthe cdc-wdm driver was taking too long, and the driver's immediate\nresubmission of interrupt URBs with -EPROTO status combined with the\ndummy-hcd emulation to cause a CPU lockup:\n\ncdc_wdm 1-1:1.0: nonzero urb status received: -71\ncdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes\nwatchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]\nCPU#0 Utilization every 4s during lockup:\n\t#1: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#2: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#3: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#4: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#5: 98% system,\t 1% softirq,\t 3% hardirq,\t 0% idle\nModules linked in:\nirq event stamp: 73096\nhardirqs last enabled at (73095): [] console_emit_next_record kernel/printk/printk.c:2935 [inline]\nhardirqs last enabled at (73095): [] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994\nhardirqs last disabled at (73096): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\nhardirqs last disabled at (73096): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\nsoftirqs last enabled at (73048): [] softirq_handle_end kernel/softirq.c:400 [inline]\nsoftirqs last enabled at (73048): [] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582\nsoftirqs last disabled at (73043): [] __do_softirq+0x14/0x20 kernel/softirq.c:588\nCPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n\nTesting showed that the problem did not occur if the two error\nmessages -- the first two lines above -- were removed; apparently adding\nmaterial to the kernel log takes a surprisingly large amount of time.\n\nIn any case, the best approach for preventing these lockups and to\navoid spamming the log with thousands of error messages per second is\nto ratelimit the two dev_err() calls. Therefore we replace them with\ndev_err_ratelimited().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40904\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40904\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40904\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40904\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40904\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02a4c0499fc3a02e992b4c69a9809912af372d94\",\n \"https://git.kernel.org/stable/c/05b2cd6d33f700597e6f081b53c668a226a96d28\",\n \"https://git.kernel.org/stable/c/217d1f44fff560b3995a685a60aa66e55a7f0f56\",\n \"https://git.kernel.org/stable/c/22f00812862564b314784167a89f27b444f82a46\",\n \"https://git.kernel.org/stable/c/53250b54c92fe087fd4b0c48f85529efe1ebd879\",\n \"https://git.kernel.org/stable/c/72a3fe36cf9f0d030865e571f45a40f9c1e07e8a\",\n \"https://git.kernel.org/stable/c/82075aff7ffccb1e72b0ac8aa349e473624d857c\",\n \"https://git.kernel.org/stable/c/c0747d76eb05542b5d49f67069b64ef5ff732c6c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages\\n\\nThe syzbot fuzzer found that the interrupt-URB completion callback in\\nthe cdc-wdm driver was taking too long, and the driver's immediate\\nresubmission of interrupt URBs with -EPROTO status combined with the\\ndummy-hcd emulation to cause a CPU lockup:\\n\\ncdc_wdm 1-1:1.0: nonzero urb status received: -71\\ncdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes\\nwatchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]\\nCPU#0 Utilization every 4s during lockup:\\n\\t#1: 98% system,\\t 0% softirq,\\t 3% hardirq,\\t 0% idle\\n\\t#2: 98% system,\\t 0% softirq,\\t 3% hardirq,\\t 0% idle\\n\\t#3: 98% system,\\t 0% softirq,\\t 3% hardirq,\\t 0% idle\\n\\t#4: 98% system,\\t 0% softirq,\\t 3% hardirq,\\t 0% idle\\n\\t#5: 98% system,\\t 1% softirq,\\t 3% hardirq,\\t 0% idle\\nModules linked in:\\nirq event stamp: 73096\\nhardirqs last enabled at (73095): [] console_emit_next_record kernel/printk/printk.c:2935 [inline]\\nhardirqs last enabled at (73095): [] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994\\nhardirqs last disabled at (73096): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\\nhardirqs last disabled at (73096): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\\nsoftirqs last enabled at (73048): [] softirq_handle_end kernel/softirq.c:400 [inline]\\nsoftirqs last enabled at (73048): [] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582\\nsoftirqs last disabled at (73043): [] __do_softirq+0x14/0x20 kernel/softirq.c:588\\nCPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\n\\nTesting showed that the problem did not occur if the two error\\nmessages -- the first two lines above -- were removed; apparently adding\\nmaterial to the kernel log takes a surprisingly large amount of time.\\n\\nIn any case, the best approach for preventing these lockups and to\\navoid spamming the log with thousands of error messages per second is\\nto ratelimit the two dev_err() calls. Therefore we replace them with\\ndev_err_ratelimited().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40904\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40905" + }, + { + "url": "https://git.kernel.org/stable/c/09e5a5a80e205922151136069e440477d6816914" + }, + { + "url": "https://git.kernel.org/stable/c/2498960dac9b6fc49b6d1574f7cd1a4872744adf" + }, + { + "url": "https://git.kernel.org/stable/c/7e796c3fefa8b17b30e7252886ae8cffacd2b9ef" + }, + { + "url": "https://git.kernel.org/stable/c/a0bc020592b54a8f3fa2b7f244b6e39e526c2e12" + }, + { + "url": "https://git.kernel.org/stable/c/b01e1c030770ff3b4fe37fc7cc6bca03f594133f" + }, + { + "url": "https://git.kernel.org/stable/c/c693698787660c97950bc1f93a8dd19d8307153d" + }, + { + "url": "https://git.kernel.org/stable/c/c90af1cced2f669a7b2304584be4ada495eaa0e5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40905", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible race in __fib6_drop_pcpu_from()\n\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\n\nIf compiler reads more than once (*ppcpu_rt),\nsecond read could read NULL, if another cpu clears\nthe value in rt6_get_pcpu_route().\n\nAdd a READ_ONCE() to prevent this race.\n\nAlso add rcu_read_lock()/rcu_read_unlock() because\nwe rely on RCU protection while dereferencing pcpu_rt.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: netns cleanup_net\n RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\n fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\n fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\n fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\n fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\n fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205\n fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\n fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\n fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\n __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\n rt6_sync_down_dev net/ipv6/route.c:4906 [inline]\n rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\n addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\n addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\n notifier_call_chain+0xb9/0x410 kernel/notifier.c:93\n call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\n call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\n call_netdevice_notifiers net/core/dev.c:2044 [inline]\n dev_close_many+0x333/0x6a0 net/core/dev.c:1585\n unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\n unregister_netdevice_many net/core/dev.c:11276 [inline]\n default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\n ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\n cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09e5a5a80e205922151136069e440477d6816914\",\n \"https://git.kernel.org/stable/c/2498960dac9b6fc49b6d1574f7cd1a4872744adf\",\n \"https://git.kernel.org/stable/c/7e796c3fefa8b17b30e7252886ae8cffacd2b9ef\",\n \"https://git.kernel.org/stable/c/a0bc020592b54a8f3fa2b7f244b6e39e526c2e12\",\n \"https://git.kernel.org/stable/c/b01e1c030770ff3b4fe37fc7cc6bca03f594133f\",\n \"https://git.kernel.org/stable/c/c693698787660c97950bc1f93a8dd19d8307153d\",\n \"https://git.kernel.org/stable/c/c90af1cced2f669a7b2304584be4ada495eaa0e5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: fix possible race in __fib6_drop_pcpu_from()\\n\\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\\n\\nIf compiler reads more than once (*ppcpu_rt),\\nsecond read could read NULL, if another cpu clears\\nthe value in rt6_get_pcpu_route().\\n\\nAdd a READ_ONCE() to prevent this race.\\n\\nAlso add rcu_read_lock()/rcu_read_unlock() because\\nwe rely on RCU protection while dereferencing pcpu_rt.\\n\\n[1]\\n\\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\nWorkqueue: netns cleanup_net\\n RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\\nFS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\\n fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\\n fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\\n fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\\n fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\\n fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205\\n fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\\n fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\\n fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\\n __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\\n rt6_sync_down_dev net/ipv6/route.c:4906 [inline]\\n rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\\n addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\\n addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\\n notifier_call_chain+0xb9/0x410 kernel/notifier.c:93\\n call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\\n call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\\n call_netdevice_notifiers net/core/dev.c:2044 [inline]\\n dev_close_many+0x333/0x6a0 net/core/dev.c:1585\\n unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\\n unregister_netdevice_many net/core/dev.c:11276 [inline]\\n default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\\n ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\\n cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\\n process_scheduled_works kernel/workqueue.c:3312 [inline]\\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40906", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40906" + }, + { + "url": "https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a" + }, + { + "url": "https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f" + }, + { + "url": "https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8" + }, + { + "url": "https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40906 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40906", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always stop health timer during driver removal\n\nCurrently, if teardown_hca fails to execute during driver removal, mlx5\ndoes not stop the health timer. Afterwards, mlx5 continue with driver\nteardown. This may lead to a UAF bug, which results in page fault\nOops[1], since the health timer invokes after resources were freed.\n\nHence, stop the health monitor even if teardown_hca fails.\n\n[1]\nmlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: cleanup\nmlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource\nmlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup\nBUG: unable to handle page fault for address: ffffa26487064230\nPGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1\nHardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020\nRIP: 0010:ioread32be+0x34/0x60\nRSP: 0018:ffffa26480003e58 EFLAGS: 00010292\nRAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0\nRDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230\nRBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8\nR10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0\nR13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0\nFS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x175/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? ioread32be+0x34/0x60\n mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n poll_health+0x42/0x230 [mlx5_core]\n ? __next_timer_interrupt+0xbc/0x110\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n call_timer_fn+0x21/0x130\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n __run_timers+0x222/0x2c0\n run_timer_softirq+0x1d/0x40\n __do_softirq+0xc9/0x2c8\n __irq_exit_rcu+0xa6/0xc0\n sysvec_apic_timer_interrupt+0x72/0x90\n \n \n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:cpuidle_enter_state+0xcc/0x440\n ? cpuidle_enter_state+0xbd/0x440\n cpuidle_enter+0x2d/0x40\n do_idle+0x20d/0x270\n cpu_startup_entry+0x2a/0x30\n rest_init+0xd0/0xd0\n arch_call_rest_init+0xe/0x30\n start_kernel+0x709/0xa90\n x86_64_start_reservations+0x18/0x30\n x86_64_start_kernel+0x96/0xa0\n secondary_startup_64_no_verify+0x18f/0x19b\n---[ end trace 0000000000000000 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40906\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40906\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40906\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40906\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40906\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a\",\n \"https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f\",\n \"https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8\",\n \"https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Always stop health timer during driver removal\\n\\nCurrently, if teardown_hca fails to execute during driver removal, mlx5\\ndoes not stop the health timer. Afterwards, mlx5 continue with driver\\nteardown. This may lead to a UAF bug, which results in page fault\\nOops[1], since the health timer invokes after resources were freed.\\n\\nHence, stop the health monitor even if teardown_hca fails.\\n\\n[1]\\nmlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\\nmlx5_core 0000:18:00.0: E-Switch: cleanup\\nmlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource\\nmlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup\\nBUG: unable to handle page fault for address: ffffa26487064230\\nPGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0\\nOops: 0000 [#1] PREEMPT SMP PTI\\nCPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1\\nHardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020\\nRIP: 0010:ioread32be+0x34/0x60\\nRSP: 0018:ffffa26480003e58 EFLAGS: 00010292\\nRAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0\\nRDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230\\nRBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8\\nR10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0\\nR13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0\\nFS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nPKRU: 55555554\\nCall Trace:\\n \\n ? __die+0x23/0x70\\n ? page_fault_oops+0x171/0x4e0\\n ? exc_page_fault+0x175/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\\n ? ioread32be+0x34/0x60\\n mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]\\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\\n poll_health+0x42/0x230 [mlx5_core]\\n ? __next_timer_interrupt+0xbc/0x110\\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\\n call_timer_fn+0x21/0x130\\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\\n __run_timers+0x222/0x2c0\\n run_timer_softirq+0x1d/0x40\\n __do_softirq+0xc9/0x2c8\\n __irq_exit_rcu+0xa6/0xc0\\n sysvec_apic_timer_interrupt+0x72/0x90\\n \\n \\n asm_sysvec_apic_timer_interrupt+0x1a/0x20\\nRIP: 0010:cpuidle_enter_state+0xcc/0x440\\n ? cpuidle_enter_state+0xbd/0x440\\n cpuidle_enter+0x2d/0x40\\n do_idle+0x20d/0x270\\n cpu_startup_entry+0x2a/0x30\\n rest_init+0xd0/0xd0\\n arch_call_rest_init+0xe/0x30\\n start_kernel+0x709/0xa90\\n x86_64_start_reservations+0x18/0x30\\n x86_64_start_kernel+0x96/0xa0\\n secondary_startup_64_no_verify+0x18f/0x19b\\n---[ end trace 0000000000000000 ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40906\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40908", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40908" + }, + { + "url": "https://git.kernel.org/stable/c/3708b6c2546c9eb34aead8a34a17e8ae69004e4d" + }, + { + "url": "https://git.kernel.org/stable/c/789bd77c9342aa6125003871ae5c6034d0f6f9d2" + }, + { + "url": "https://git.kernel.org/stable/c/ae0ba0ab7475a129ef7d449966edf677367efeb4" + }, + { + "url": "https://git.kernel.org/stable/c/d0d1df8ba18abc57f28fb3bc053b2bf319367f2c" + }, + { + "url": "https://git.kernel.org/stable/c/d387805d4b4a46ee01e3dae133c81b6d80195e5b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40908 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40908", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Set run context for rawtp test_run callback\n\nsyzbot reported crash when rawtp program executed through the\ntest_run interface calls bpf_get_attach_cookie helper or any\nother helper that touches task->bpf_ctx pointer.\n\nSetting the run context (task->bpf_ctx pointer) for test_run\ncallback.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40908\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40908\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40908\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40908\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40908\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3708b6c2546c9eb34aead8a34a17e8ae69004e4d\",\n \"https://git.kernel.org/stable/c/789bd77c9342aa6125003871ae5c6034d0f6f9d2\",\n \"https://git.kernel.org/stable/c/ae0ba0ab7475a129ef7d449966edf677367efeb4\",\n \"https://git.kernel.org/stable/c/d0d1df8ba18abc57f28fb3bc053b2bf319367f2c\",\n \"https://git.kernel.org/stable/c/d387805d4b4a46ee01e3dae133c81b6d80195e5b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Set run context for rawtp test_run callback\\n\\nsyzbot reported crash when rawtp program executed through the\\ntest_run interface calls bpf_get_attach_cookie helper or any\\nother helper that touches task->bpf_ctx pointer.\\n\\nSetting the run context (task->bpf_ctx pointer) for test_run\\ncallback.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40908\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40910", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40910" + }, + { + "url": "https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774" + }, + { + "url": "https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3" + }, + { + "url": "https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964" + }, + { + "url": "https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40910 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40910", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix refcount imbalance on inbound connections\n\nWhen releasing a socket in ax25_release(), we call netdev_put() to\ndecrease the refcount on the associated ax.25 device. However, the\nexecution path for accepting an incoming connection never calls\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\nto kernel crashes.\n\nA typical call trace for the above situation will start with one of the\nfollowing errors:\n\n refcount_t: decrement hit 0; leaking memory.\n refcount_t: underflow; use-after-free.\n\nAnd will then have a trace like:\n\n Call Trace:\n \n ? show_regs+0x64/0x70\n ? __warn+0x83/0x120\n ? refcount_warn_saturate+0xb2/0x100\n ? report_bug+0x158/0x190\n ? prb_read_valid+0x20/0x30\n ? handle_bug+0x3e/0x70\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? refcount_warn_saturate+0xb2/0x100\n ? refcount_warn_saturate+0xb2/0x100\n ax25_release+0x2ad/0x360\n __sock_release+0x35/0xa0\n sock_close+0x19/0x20\n [...]\n\nOn reboot (or any attempt to remove the interface), the kernel gets\nstuck in an infinite loop:\n\n unregister_netdevice: waiting for ax0 to become free. Usage count = 0\n\nThis patch corrects these issues by ensuring that we call netdev_hold()\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\ncases we increment the refcount, which is ultimately decremented in\nax25_release().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40910\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40910\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40910\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40910\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40910\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774\",\n \"https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3\",\n \"https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964\",\n \"https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nax25: Fix refcount imbalance on inbound connections\\n\\nWhen releasing a socket in ax25_release(), we call netdev_put() to\\ndecrease the refcount on the associated ax.25 device. However, the\\nexecution path for accepting an incoming connection never calls\\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\\nto kernel crashes.\\n\\nA typical call trace for the above situation will start with one of the\\nfollowing errors:\\n\\n refcount_t: decrement hit 0; leaking memory.\\n refcount_t: underflow; use-after-free.\\n\\nAnd will then have a trace like:\\n\\n Call Trace:\\n \\n ? show_regs+0x64/0x70\\n ? __warn+0x83/0x120\\n ? refcount_warn_saturate+0xb2/0x100\\n ? report_bug+0x158/0x190\\n ? prb_read_valid+0x20/0x30\\n ? handle_bug+0x3e/0x70\\n ? exc_invalid_op+0x1c/0x70\\n ? asm_exc_invalid_op+0x1f/0x30\\n ? refcount_warn_saturate+0xb2/0x100\\n ? refcount_warn_saturate+0xb2/0x100\\n ax25_release+0x2ad/0x360\\n __sock_release+0x35/0xa0\\n sock_close+0x19/0x20\\n [...]\\n\\nOn reboot (or any attempt to remove the interface), the kernel gets\\nstuck in an infinite loop:\\n\\n unregister_netdevice: waiting for ax0 to become free. Usage count = 0\\n\\nThis patch corrects these issues by ensuring that we call netdev_hold()\\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\\ncases we increment the refcount, which is ultimately decremented in\\nax25_release().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40910\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40911", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40911" + }, + { + "url": "https://git.kernel.org/stable/c/0ccc63958d8373e15a69f4f8069f3e78f7f3898a" + }, + { + "url": "https://git.kernel.org/stable/c/43e1eefb0b2094e2281150d87d09e8bc872b9fba" + }, + { + "url": "https://git.kernel.org/stable/c/642f89daa34567d02f312d03e41523a894906dae" + }, + { + "url": "https://git.kernel.org/stable/c/6d540b0317901535275020bd4ac44fac6439ca76" + }, + { + "url": "https://git.kernel.org/stable/c/dfd84ce41663be9ca3f69bd657c45f49b69344d9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40911 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40911", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Lock wiphy in cfg80211_get_station\n\nWiphy should be locked before calling rdev_get_station() (see lockdep\nassert in ieee80211_get_station()).\n\nThis fixes the following kernel NULL dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n Mem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000006\n CM = 0, WnR = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000\n [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000\n Internal error: Oops: 0000000096000006 [#1] SMP\n Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath\n CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705\n Hardware name: RPT (r1) (DT)\n Workqueue: bat_events batadv_v_elp_throughput_metric_update\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n lr : sta_set_sinfo+0xcc/0xbd4\n sp : ffff000007b43ad0\n x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98\n x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000\n x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc\n x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000\n x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d\n x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e\n x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000\n x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000\n x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90\n x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000\n Call trace:\n ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n sta_set_sinfo+0xcc/0xbd4\n ieee80211_get_station+0x2c/0x44\n cfg80211_get_station+0x80/0x154\n batadv_v_elp_get_throughput+0x138/0x1fc\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\n process_one_work+0x1ec/0x414\n worker_thread+0x70/0x46c\n kthread+0xdc/0xe0\n ret_from_fork+0x10/0x20\n Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)\n\nThis happens because STA has time to disconnect and reconnect before\nbatadv_v_elp_throughput_metric_update() delayed work gets scheduled. In\nthis situation, ath10k_sta_state() can be in the middle of resetting\narsta data when the work queue get chance to be scheduled and ends up\naccessing it. Locking wiphy prevents that.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40911\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40911\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40911\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40911\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40911\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ccc63958d8373e15a69f4f8069f3e78f7f3898a\",\n \"https://git.kernel.org/stable/c/43e1eefb0b2094e2281150d87d09e8bc872b9fba\",\n \"https://git.kernel.org/stable/c/642f89daa34567d02f312d03e41523a894906dae\",\n \"https://git.kernel.org/stable/c/6d540b0317901535275020bd4ac44fac6439ca76\",\n \"https://git.kernel.org/stable/c/dfd84ce41663be9ca3f69bd657c45f49b69344d9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: cfg80211: Lock wiphy in cfg80211_get_station\\n\\nWiphy should be locked before calling rdev_get_station() (see lockdep\\nassert in ieee80211_get_station()).\\n\\nThis fixes the following kernel NULL dereference:\\n\\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\\n Mem abort info:\\n ESR = 0x0000000096000006\\n EC = 0x25: DABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x06: level 2 translation fault\\n Data abort info:\\n ISV = 0, ISS = 0x00000006\\n CM = 0, WnR = 0\\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000\\n [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000\\n Internal error: Oops: 0000000096000006 [#1] SMP\\n Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath\\n CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705\\n Hardware name: RPT (r1) (DT)\\n Workqueue: bat_events batadv_v_elp_throughput_metric_update\\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\\n lr : sta_set_sinfo+0xcc/0xbd4\\n sp : ffff000007b43ad0\\n x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98\\n x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000\\n x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc\\n x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000\\n x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d\\n x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e\\n x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000\\n x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000\\n x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90\\n x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000\\n Call trace:\\n ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\\n sta_set_sinfo+0xcc/0xbd4\\n ieee80211_get_station+0x2c/0x44\\n cfg80211_get_station+0x80/0x154\\n batadv_v_elp_get_throughput+0x138/0x1fc\\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\\n process_one_work+0x1ec/0x414\\n worker_thread+0x70/0x46c\\n kthread+0xdc/0xe0\\n ret_from_fork+0x10/0x20\\n Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)\\n\\nThis happens because STA has time to disconnect and reconnect before\\nbatadv_v_elp_throughput_metric_update() delayed work gets scheduled. In\\nthis situation, ath10k_sta_state() can be in the middle of resetting\\narsta data when the work queue get chance to be scheduled and ends up\\naccessing it. Locking wiphy prevents that.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40911\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40912", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40912" + }, + { + "url": "https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932" + }, + { + "url": "https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e" + }, + { + "url": "https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81" + }, + { + "url": "https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485" + }, + { + "url": "https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb" + }, + { + "url": "https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f" + }, + { + "url": "https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e" + }, + { + "url": "https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40912 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40912", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\n\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\n rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\n Hardware name: RPT (r1) (DT)\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : queued_spin_lock_slowpath+0x58/0x2d0\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\n sp : ffff00001ef64660\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\n Call trace:\n queued_spin_lock_slowpath+0x58/0x2d0\n ieee80211_tx+0x80/0x12c\n ieee80211_tx_pending+0x110/0x278\n tasklet_action_common.constprop.0+0x10c/0x144\n tasklet_action+0x20/0x28\n _stext+0x11c/0x284\n ____do_softirq+0xc/0x14\n call_on_irq_stack+0x24/0x34\n do_softirq_own_stack+0x18/0x20\n do_softirq+0x74/0x7c\n __local_bh_enable_ip+0xa0/0xa4\n _ieee80211_wake_txqs+0x3b0/0x4b8\n __ieee80211_wake_queue+0x12c/0x168\n ieee80211_add_pending_skbs+0xec/0x138\n ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\n ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\n ieee80211_mps_sta_status_update+0x18/0x24\n sta_apply_parameters+0x3bc/0x4c0\n ieee80211_change_station+0x1b8/0x2dc\n nl80211_set_station+0x444/0x49c\n genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\n genl_rcv_msg+0x1b0/0x244\n netlink_rcv_skb+0x38/0x10c\n genl_rcv+0x34/0x48\n netlink_unicast+0x254/0x2bc\n netlink_sendmsg+0x190/0x3b4\n ____sys_sendmsg+0x1e8/0x218\n ___sys_sendmsg+0x68/0x8c\n __sys_sendmsg+0x44/0x84\n __arm64_sys_sendmsg+0x20/0x28\n do_el0_svc+0x6c/0xe8\n el0_svc+0x14/0x48\n el0t_64_sync_handler+0xb0/0xb4\n el0t_64_sync+0x14c/0x150\n\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40912\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40912\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40912\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40912\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40912\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932\",\n \"https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e\",\n \"https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81\",\n \"https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485\",\n \"https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb\",\n \"https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f\",\n \"https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e\",\n \"https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\\n\\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\\ntake this same lock ending in deadlock. Below is an example of rcu stall\\nthat arises in such situation.\\n\\n rcu: INFO: rcu_sched self-detected stall on CPU\\n rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\\n rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\\n Hardware name: RPT (r1) (DT)\\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : queued_spin_lock_slowpath+0x58/0x2d0\\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\\n sp : ffff00001ef64660\\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\\n Call trace:\\n queued_spin_lock_slowpath+0x58/0x2d0\\n ieee80211_tx+0x80/0x12c\\n ieee80211_tx_pending+0x110/0x278\\n tasklet_action_common.constprop.0+0x10c/0x144\\n tasklet_action+0x20/0x28\\n _stext+0x11c/0x284\\n ____do_softirq+0xc/0x14\\n call_on_irq_stack+0x24/0x34\\n do_softirq_own_stack+0x18/0x20\\n do_softirq+0x74/0x7c\\n __local_bh_enable_ip+0xa0/0xa4\\n _ieee80211_wake_txqs+0x3b0/0x4b8\\n __ieee80211_wake_queue+0x12c/0x168\\n ieee80211_add_pending_skbs+0xec/0x138\\n ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\\n ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\\n ieee80211_mps_sta_status_update+0x18/0x24\\n sta_apply_parameters+0x3bc/0x4c0\\n ieee80211_change_station+0x1b8/0x2dc\\n nl80211_set_station+0x444/0x49c\\n genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\\n genl_rcv_msg+0x1b0/0x244\\n netlink_rcv_skb+0x38/0x10c\\n genl_rcv+0x34/0x48\\n netlink_unicast+0x254/0x2bc\\n netlink_sendmsg+0x190/0x3b4\\n ____sys_sendmsg+0x1e8/0x218\\n ___sys_sendmsg+0x68/0x8c\\n __sys_sendmsg+0x44/0x84\\n __arm64_sys_sendmsg+0x20/0x28\\n do_el0_svc+0x6c/0xe8\\n el0_svc+0x14/0x48\\n el0t_64_sync_handler+0xb0/0xb4\\n el0t_64_sync+0x14c/0x150\\n\\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\\non the same CPU that is holding the lock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40912\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40914", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40914" + }, + { + "url": "https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9" + }, + { + "url": "https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af" + }, + { + "url": "https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf" + }, + { + "url": "https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794" + }, + { + "url": "https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40914 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40914", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: don't unpoison huge_zero_folio\n\nWhen I did memory failure tests recently, below panic occurs:\n\n kernel BUG at include/linux/mm.h:1135!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n Call Trace:\n \n do_shrink_slab+0x14f/0x6a0\n shrink_slab+0xca/0x8c0\n shrink_node+0x2d0/0x7d0\n balance_pgdat+0x33a/0x720\n kswapd+0x1f3/0x410\n kthread+0xd5/0x100\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30\n \n Modules linked in: mce_inject hwpoison_inject\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n\nThe root cause is that HWPoison flag will be set for huge_zero_folio\nwithout increasing the folio refcnt. But then unpoison_memory() will\ndecrease the folio refcnt unexpectedly as it appears like a successfully\nhwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when\nreleasing huge_zero_folio.\n\nSkip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. \nWe're not prepared to unpoison huge_zero_folio yet.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40914\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40914\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40914\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40914\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40914\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9\",\n \"https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af\",\n \"https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf\",\n \"https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794\",\n \"https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/huge_memory: don't unpoison huge_zero_folio\\n\\nWhen I did memory failure tests recently, below panic occurs:\\n\\n kernel BUG at include/linux/mm.h:1135!\\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14\\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\\n Call Trace:\\n \\n do_shrink_slab+0x14f/0x6a0\\n shrink_slab+0xca/0x8c0\\n shrink_node+0x2d0/0x7d0\\n balance_pgdat+0x33a/0x720\\n kswapd+0x1f3/0x410\\n kthread+0xd5/0x100\\n ret_from_fork+0x2f/0x50\\n ret_from_fork_asm+0x1a/0x30\\n \\n Modules linked in: mce_inject hwpoison_inject\\n ---[ end trace 0000000000000000 ]---\\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\\n\\nThe root cause is that HWPoison flag will be set for huge_zero_folio\\nwithout increasing the folio refcnt. But then unpoison_memory() will\\ndecrease the folio refcnt unexpectedly as it appears like a successfully\\nhwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when\\nreleasing huge_zero_folio.\\n\\nSkip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. \\nWe're not prepared to unpoison huge_zero_folio yet.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40914\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40915", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40915" + }, + { + "url": "https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb" + }, + { + "url": "https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876" + }, + { + "url": "https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915" + }, + { + "url": "https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40915 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40915", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: rewrite __kernel_map_pages() to fix sleeping in invalid context\n\n__kernel_map_pages() is a debug function which clears the valid bit in page\ntable entry for deallocated pages to detect illegal memory accesses to\nfreed pages.\n\nThis function set/clear the valid bit using __set_memory(). __set_memory()\nacquires init_mm's semaphore, and this operation may sleep. This is\nproblematic, because __kernel_map_pages() can be called in atomic context,\nand thus is illegal to sleep. An example warning that this causes:\n\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\npreempt_count: 2, expected: 0\nCPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n[] dump_backtrace+0x1c/0x24\n[] show_stack+0x2c/0x38\n[] dump_stack_lvl+0x5a/0x72\n[] dump_stack+0x14/0x1c\n[] __might_resched+0x104/0x10e\n[] __might_sleep+0x3e/0x62\n[] down_write+0x20/0x72\n[] __set_memory+0x82/0x2fa\n[] __kernel_map_pages+0x5a/0xd4\n[] __alloc_pages_bulk+0x3b2/0x43a\n[] __vmalloc_node_range+0x196/0x6ba\n[] copy_process+0x72c/0x17ec\n[] kernel_clone+0x60/0x2fe\n[] kernel_thread+0x82/0xa0\n[] kthreadd+0x14a/0x1be\n[] ret_from_fork+0xe/0x1c\n\nRewrite this function with apply_to_existing_page_range(). It is fine to\nnot have any locking, because __kernel_map_pages() works with pages being\nallocated/deallocated and those pages are not changed by anyone else in the\nmeantime.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40915\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40915\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40915\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40915\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40915\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb\",\n \"https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876\",\n \"https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915\",\n \"https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: rewrite __kernel_map_pages() to fix sleeping in invalid context\\n\\n__kernel_map_pages() is a debug function which clears the valid bit in page\\ntable entry for deallocated pages to detect illegal memory accesses to\\nfreed pages.\\n\\nThis function set/clear the valid bit using __set_memory(). __set_memory()\\nacquires init_mm's semaphore, and this operation may sleep. This is\\nproblematic, because __kernel_map_pages() can be called in atomic context,\\nand thus is illegal to sleep. An example warning that this causes:\\n\\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578\\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\\npreempt_count: 2, expected: 0\\nCPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37\\nHardware name: riscv-virtio,qemu (DT)\\nCall Trace:\\n[] dump_backtrace+0x1c/0x24\\n[] show_stack+0x2c/0x38\\n[] dump_stack_lvl+0x5a/0x72\\n[] dump_stack+0x14/0x1c\\n[] __might_resched+0x104/0x10e\\n[] __might_sleep+0x3e/0x62\\n[] down_write+0x20/0x72\\n[] __set_memory+0x82/0x2fa\\n[] __kernel_map_pages+0x5a/0xd4\\n[] __alloc_pages_bulk+0x3b2/0x43a\\n[] __vmalloc_node_range+0x196/0x6ba\\n[] copy_process+0x72c/0x17ec\\n[] kernel_clone+0x60/0x2fe\\n[] kernel_thread+0x82/0xa0\\n[] kthreadd+0x14a/0x1be\\n[] ret_from_fork+0xe/0x1c\\n\\nRewrite this function with apply_to_existing_page_range(). It is fine to\\nnot have any locking, because __kernel_map_pages() works with pages being\\nallocated/deallocated and those pages are not changed by anyone else in the\\nmeantime.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40915\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40916", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40916" + }, + { + "url": "https://git.kernel.org/stable/c/35bcf16b4a28c10923ff391d14f6ed0ae471ee5f" + }, + { + "url": "https://git.kernel.org/stable/c/4dfffb50316c761c59386c9b002a10ac6d7bb6c9" + }, + { + "url": "https://git.kernel.org/stable/c/510a6c0dfa6ec61d07a4b64698d8dc60045bd632" + }, + { + "url": "https://git.kernel.org/stable/c/6d6bb258d886e124e5a5328e947b36fdcb3a6028" + }, + { + "url": "https://git.kernel.org/stable/c/799d4b392417ed6889030a5b2335ccb6dcf030ab" + }, + { + "url": "https://git.kernel.org/stable/c/c3ca24dfe9a2b3f4e8899af108829b0f4b4b15ec" + }, + { + "url": "https://git.kernel.org/stable/c/e23f2eaf51ecb6ab4ceb770e747d50c1db2eb222" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40916 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40916", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found\n\nWhen reading EDID fails and driver reports no modes available, the DRM\ncore adds an artificial 1024x786 mode to the connector. Unfortunately\nsome variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not\nable to drive such mode, so report a safe 640x480 mode instead of nothing\nin case of the EDID reading failure.\n\nThis fixes the following issue observed on Trats2 board since commit\n13d5b040363c (\"drm/exynos: do not return negative values from .get_modes()\"):\n\n[drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations\nexynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)\nexynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)\nexynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)\nexynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)\nexynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)\n[drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1\nexynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state\npanel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c\nexynos-mixer 12c10000.mixer: timeout waiting for VSYNC\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n[CRTC:70:crtc-1] vblank wait timed out\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x68/0x88\n dump_stack_lvl from __warn+0x7c/0x1c4\n __warn from warn_slowpath_fmt+0x11c/0x1a8\n warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c\n drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184\n commit_tail from drm_atomic_helper_commit+0x168/0x190\n drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0\n drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c\n drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc\n drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40\n drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4\n __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c\n drm_fb_helper_set_par from fbcon_init+0x3d8/0x550\n fbcon_init from visual_init+0xc0/0x108\n visual_init from do_bind_con_driver+0x1b8/0x3a4\n do_bind_con_driver from do_take_over_console+0x140/0x1ec\n do_take_over_console from do_fbcon_takeover+0x70/0xd0\n do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac\n fbcon_fb_registered from register_framebuffer+0x190/0x21c\n register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574\n __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0\n exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94\n drm_client_register from exynos_drm_bind+0x160/0x190\n exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8\n try_to_bring_up_aggregate_device from __component_add+0xb0/0x170\n __component_add from mixer_probe+0x74/0xcc\n mixer_probe from platform_probe+0x5c/0xb8\n platform_probe from really_probe+0xe0/0x3d8\n really_probe from __driver_probe_device+0x9c/0x1e4\n __driver_probe_device from driver_probe_device+0x30/0xc0\n driver_probe_device from __device_attach_driver+0xa8/0x120\n __device_attach_driver from bus_for_each_drv+0x80/0xcc\n bus_for_each_drv from __device_attach+0xac/0x1fc\n __device_attach from bus_probe_device+0x8c/0x90\n bus_probe_device from deferred_probe_work_func+0\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40916\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40916\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40916\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40916\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40916\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/35bcf16b4a28c10923ff391d14f6ed0ae471ee5f\",\n \"https://git.kernel.org/stable/c/4dfffb50316c761c59386c9b002a10ac6d7bb6c9\",\n \"https://git.kernel.org/stable/c/510a6c0dfa6ec61d07a4b64698d8dc60045bd632\",\n \"https://git.kernel.org/stable/c/6d6bb258d886e124e5a5328e947b36fdcb3a6028\",\n \"https://git.kernel.org/stable/c/799d4b392417ed6889030a5b2335ccb6dcf030ab\",\n \"https://git.kernel.org/stable/c/c3ca24dfe9a2b3f4e8899af108829b0f4b4b15ec\",\n \"https://git.kernel.org/stable/c/e23f2eaf51ecb6ab4ceb770e747d50c1db2eb222\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found\\n\\nWhen reading EDID fails and driver reports no modes available, the DRM\\ncore adds an artificial 1024x786 mode to the connector. Unfortunately\\nsome variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not\\nable to drive such mode, so report a safe 640x480 mode instead of nothing\\nin case of the EDID reading failure.\\n\\nThis fixes the following issue observed on Trats2 board since commit\\n13d5b040363c (\\\"drm/exynos: do not return negative values from .get_modes()\\\"):\\n\\n[drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations\\nexynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)\\nexynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)\\nexynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)\\nexynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)\\nexynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)\\n[drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1\\nexynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state\\npanel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c\\nexynos-mixer 12c10000.mixer: timeout waiting for VSYNC\\n------------[ cut here ]------------\\nWARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\\n[CRTC:70:crtc-1] vblank wait timed out\\nModules linked in:\\nCPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913\\nHardware name: Samsung Exynos (Flattened Device Tree)\\nWorkqueue: events_unbound deferred_probe_work_func\\nCall trace:\\n unwind_backtrace from show_stack+0x10/0x14\\n show_stack from dump_stack_lvl+0x68/0x88\\n dump_stack_lvl from __warn+0x7c/0x1c4\\n __warn from warn_slowpath_fmt+0x11c/0x1a8\\n warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\\n drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c\\n drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184\\n commit_tail from drm_atomic_helper_commit+0x168/0x190\\n drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0\\n drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c\\n drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc\\n drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40\\n drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4\\n __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c\\n drm_fb_helper_set_par from fbcon_init+0x3d8/0x550\\n fbcon_init from visual_init+0xc0/0x108\\n visual_init from do_bind_con_driver+0x1b8/0x3a4\\n do_bind_con_driver from do_take_over_console+0x140/0x1ec\\n do_take_over_console from do_fbcon_takeover+0x70/0xd0\\n do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac\\n fbcon_fb_registered from register_framebuffer+0x190/0x21c\\n register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574\\n __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0\\n exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94\\n drm_client_register from exynos_drm_bind+0x160/0x190\\n exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8\\n try_to_bring_up_aggregate_device from __component_add+0xb0/0x170\\n __component_add from mixer_probe+0x74/0xcc\\n mixer_probe from platform_probe+0x5c/0xb8\\n platform_probe from really_probe+0xe0/0x3d8\\n really_probe from __driver_probe_device+0x9c/0x1e4\\n __driver_probe_device from driver_probe_device+0x30/0xc0\\n driver_probe_device from __device_attach_driver+0xa8/0x120\\n __device_attach_driver from bus_for_each_drv+0x80/0xcc\\n bus_for_each_drv from __device_attach+0xac/0x1fc\\n __device_attach from bus_probe_device+0x8c/0x90\\n bus_probe_device from deferred_probe_work_func+0\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40916\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40918", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40918" + }, + { + "url": "https://git.kernel.org/stable/c/5bf196f1936bf93df31112fbdfb78c03537c07b0" + }, + { + "url": "https://git.kernel.org/stable/c/72d95924ee35c8cd16ef52f912483ee938a34d49" + }, + { + "url": "https://git.kernel.org/stable/c/d66f2607d89f760cdffed88b22f309c895a2af20" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40918 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40918", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Try to fix random segmentation faults in package builds\n\nPA-RISC systems with PA8800 and PA8900 processors have had problems\nwith random segmentation faults for many years. Systems with earlier\nprocessors are much more stable.\n\nSystems with PA8800 and PA8900 processors have a large L2 cache which\nneeds per page flushing for decent performance when a large range is\nflushed. The combined cache in these systems is also more sensitive to\nnon-equivalent aliases than the caches in earlier systems.\n\nThe majority of random segmentation faults that I have looked at\nappear to be memory corruption in memory allocated using mmap and\nmalloc.\n\nMy first attempt at fixing the random faults didn't work. On\nreviewing the cache code, I realized that there were two issues\nwhich the existing code didn't handle correctly. Both relate\nto cache move-in. Another issue is that the present bit in PTEs\nis racy.\n\n1) PA-RISC caches have a mind of their own and they can speculatively\nload data and instructions for a page as long as there is a entry in\nthe TLB for the page which allows move-in. TLBs are local to each\nCPU. Thus, the TLB entry for a page must be purged before flushing\nthe page. This is particularly important on SMP systems.\n\nIn some of the flush routines, the flush routine would be called\nand then the TLB entry would be purged. This was because the flush\nroutine needed the TLB entry to do the flush.\n\n2) My initial approach to trying the fix the random faults was to\ntry and use flush_cache_page_if_present for all flush operations.\nThis actually made things worse and led to a couple of hardware\nlockups. It finally dawned on me that some lines weren't being\nflushed because the pte check code was racy. This resulted in\nrandom inequivalent mappings to physical pages.\n\nThe __flush_cache_page tmpalias flush sets up its own TLB entry\nand it doesn't need the existing TLB entry. As long as we can find\nthe pte pointer for the vm page, we can get the pfn and physical\naddress of the page. We can also purge the TLB entry for the page\nbefore doing the flush. Further, __flush_cache_page uses a special\nTLB entry that inhibits cache move-in.\n\nWhen switching page mappings, we need to ensure that lines are\nremoved from the cache. It is not sufficient to just flush the\nlines to memory as they may come back.\n\nThis made it clear that we needed to implement all the required\nflush operations using tmpalias routines. This includes flushes\nfor user and kernel pages.\n\nAfter modifying the code to use tmpalias flushes, it became clear\nthat the random segmentation faults were not fully resolved. The\nfrequency of faults was worse on systems with a 64 MB L2 (PA8900)\nand systems with more CPUs (rp4440).\n\nThe warning that I added to flush_cache_page_if_present to detect\npages that couldn't be flushed triggered frequently on some systems.\n\nHelge and I looked at the pages that couldn't be flushed and found\nthat the PTE was either cleared or for a swap page. Ignoring pages\nthat were swapped out seemed okay but pages with cleared PTEs seemed\nproblematic.\n\nI looked at routines related to pte_clear and noticed ptep_clear_flush.\nThe default implementation just flushes the TLB entry. However, it was\nobvious that on parisc we need to flush the cache page as well. If\nwe don't flush the cache page, stale lines will be left in the cache\nand cause random corruption. Once a PTE is cleared, there is no way\nto find the physical address associated with the PTE and flush the\nassociated page at a later time.\n\nI implemented an updated change with a parisc specific version of\nptep_clear_flush. It fixed the random data corruption on Helge's rp4440\nand rp3440, as well as on my c8000.\n\nAt this point, I realized that I could restore the code where we only\nflush in flush_cache_page_if_present if the page has been accessed.\nHowever, for this, we also need to flush the cache when the accessed\nbit is cleared in\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40918\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40918\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40918\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40918\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40918\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5bf196f1936bf93df31112fbdfb78c03537c07b0\",\n \"https://git.kernel.org/stable/c/72d95924ee35c8cd16ef52f912483ee938a34d49\",\n \"https://git.kernel.org/stable/c/d66f2607d89f760cdffed88b22f309c895a2af20\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nparisc: Try to fix random segmentation faults in package builds\\n\\nPA-RISC systems with PA8800 and PA8900 processors have had problems\\nwith random segmentation faults for many years. Systems with earlier\\nprocessors are much more stable.\\n\\nSystems with PA8800 and PA8900 processors have a large L2 cache which\\nneeds per page flushing for decent performance when a large range is\\nflushed. The combined cache in these systems is also more sensitive to\\nnon-equivalent aliases than the caches in earlier systems.\\n\\nThe majority of random segmentation faults that I have looked at\\nappear to be memory corruption in memory allocated using mmap and\\nmalloc.\\n\\nMy first attempt at fixing the random faults didn't work. On\\nreviewing the cache code, I realized that there were two issues\\nwhich the existing code didn't handle correctly. Both relate\\nto cache move-in. Another issue is that the present bit in PTEs\\nis racy.\\n\\n1) PA-RISC caches have a mind of their own and they can speculatively\\nload data and instructions for a page as long as there is a entry in\\nthe TLB for the page which allows move-in. TLBs are local to each\\nCPU. Thus, the TLB entry for a page must be purged before flushing\\nthe page. This is particularly important on SMP systems.\\n\\nIn some of the flush routines, the flush routine would be called\\nand then the TLB entry would be purged. This was because the flush\\nroutine needed the TLB entry to do the flush.\\n\\n2) My initial approach to trying the fix the random faults was to\\ntry and use flush_cache_page_if_present for all flush operations.\\nThis actually made things worse and led to a couple of hardware\\nlockups. It finally dawned on me that some lines weren't being\\nflushed because the pte check code was racy. This resulted in\\nrandom inequivalent mappings to physical pages.\\n\\nThe __flush_cache_page tmpalias flush sets up its own TLB entry\\nand it doesn't need the existing TLB entry. As long as we can find\\nthe pte pointer for the vm page, we can get the pfn and physical\\naddress of the page. We can also purge the TLB entry for the page\\nbefore doing the flush. Further, __flush_cache_page uses a special\\nTLB entry that inhibits cache move-in.\\n\\nWhen switching page mappings, we need to ensure that lines are\\nremoved from the cache. It is not sufficient to just flush the\\nlines to memory as they may come back.\\n\\nThis made it clear that we needed to implement all the required\\nflush operations using tmpalias routines. This includes flushes\\nfor user and kernel pages.\\n\\nAfter modifying the code to use tmpalias flushes, it became clear\\nthat the random segmentation faults were not fully resolved. The\\nfrequency of faults was worse on systems with a 64 MB L2 (PA8900)\\nand systems with more CPUs (rp4440).\\n\\nThe warning that I added to flush_cache_page_if_present to detect\\npages that couldn't be flushed triggered frequently on some systems.\\n\\nHelge and I looked at the pages that couldn't be flushed and found\\nthat the PTE was either cleared or for a swap page. Ignoring pages\\nthat were swapped out seemed okay but pages with cleared PTEs seemed\\nproblematic.\\n\\nI looked at routines related to pte_clear and noticed ptep_clear_flush.\\nThe default implementation just flushes the TLB entry. However, it was\\nobvious that on parisc we need to flush the cache page as well. If\\nwe don't flush the cache page, stale lines will be left in the cache\\nand cause random corruption. Once a PTE is cleared, there is no way\\nto find the physical address associated with the PTE and flush the\\nassociated page at a later time.\\n\\nI implemented an updated change with a parisc specific version of\\nptep_clear_flush. It fixed the random data corruption on Helge's rp4440\\nand rp3440, as well as on my c8000.\\n\\nAt this point, I realized that I could restore the code where we only\\nflush in flush_cache_page_if_present if the page has been accessed.\\nHowever, for this, we also need to flush the cache when the accessed\\nbit is cleared in\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40918\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40927", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40927" + }, + { + "url": "https://git.kernel.org/stable/c/26460c1afa311524f588e288a4941432f0de6228" + }, + { + "url": "https://git.kernel.org/stable/c/5ceac4402f5d975e5a01c806438eb4e554771577" + }, + { + "url": "https://git.kernel.org/stable/c/61593dc413c3655e4328a351555235bc3089486a" + }, + { + "url": "https://git.kernel.org/stable/c/633f72cb6124ecda97b641fbc119340bd88d51a9" + }, + { + "url": "https://git.kernel.org/stable/c/949be4ec5835e0ccb3e2a8ab0e46179cb5512518" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40927 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40927", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Handle TD clearing for multiple streams case\n\nWhen multiple streams are in use, multiple TDs might be in flight when\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\neach, to ensure everything is reset properly and the caches cleared.\nChange the logic so that any N>1 TDs found active for different streams\nare deferred until after the first one is processed, calling\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\nqueue another command until we are done with all of them. Also change\nthe error/\"should never happen\" paths to ensure we at least clear any\naffected TDs, even if we can't issue a command to clear the hardware\ncache, and complain loudly with an xhci_warn() if this ever happens.\n\nThis problem case dates back to commit e9df17eb1408 (\"USB: xhci: Correct\nassumptions about number of rings per endpoint.\") early on in the XHCI\ndriver's life, when stream support was first added.\nIt was then identified but not fixed nor made into a warning in commit\n674f8438c121 (\"xhci: split handling halted endpoints into two steps\"),\nwhich added a FIXME comment for the problem case (without materially\nchanging the behavior as far as I can tell, though the new logic made\nthe problem more obvious).\n\nThen later, in commit 94f339147fc3 (\"xhci: Fix failure to give back some\ncached cancelled URBs.\"), it was acknowledged again.\n\n[Mathias: commit 94f339147fc3 (\"xhci: Fix failure to give back some cached\ncancelled URBs.\") was a targeted regression fix to the previously mentioned\npatch. Users reported issues with usb stuck after unmounting/disconnecting\nUAS devices. This rolled back the TD clearing of multiple streams to its\noriginal state.]\n\nApparently the commit author was aware of the problem (yet still chose\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\nadded to log the problem condition, and the remaining issue was mentioned\nin the commit description. The choice of making the log type xhci_dbg()\nfor what is, at this point, a completely unhandled and known broken\ncondition is puzzling and unfortunate, as it guarantees that no actual\nusers would see the log in production, thereby making it nigh\nundebuggable (indeed, even if you turn on DEBUG, the message doesn't\nreally hint at there being a problem at all).\n\nIt took me *months* of random xHC crashes to finally find a reliable\nrepro and be able to do a deep dive debug session, which could all have\nbeen avoided had this unhandled, broken condition been actually reported\nwith a warning, as it should have been as a bug intentionally left in\nunfixed (never mind that it shouldn't have been left in at all).\n\n> Another fix to solve clearing the caches of all stream rings with\n> cancelled TDs is needed, but not as urgent.\n\n3 years after that statement and 14 years after the original bug was\nintroduced, I think it's finally time to fix it. And maybe next time\nlet's not leave bugs unfixed (that are actually worse than the original\nbug), and let's actually get people to review kernel commits please.\n\nFixes xHC crashes and IOMMU faults with UAS devices when handling\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.\nAt least in the case of JMicron controllers, the read errors end up\nhaving to cancel two TDs (for two queued requests to different streams)\nand the one that didn't get cleared properly ends up faulting the xHC\nentirely when it tries to access DMA pages that have since been unmapped,\nreferred to by the stale TDs. This normally happens quickly (after two\nor three loops). After this fix, I left the `cat` in a loop running\novernight and experienced no xHC failures, with all read errors\nrecovered properly. Repro'd and tested on an Apple M1 Mac Mini\n(dwc3 host).\n\nOn systems without an IOMMU, this bug would instead silently corrupt\nfreed memory, making this a\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40927\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40927\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40927\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40927\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40927\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/26460c1afa311524f588e288a4941432f0de6228\",\n \"https://git.kernel.org/stable/c/5ceac4402f5d975e5a01c806438eb4e554771577\",\n \"https://git.kernel.org/stable/c/61593dc413c3655e4328a351555235bc3089486a\",\n \"https://git.kernel.org/stable/c/633f72cb6124ecda97b641fbc119340bd88d51a9\",\n \"https://git.kernel.org/stable/c/949be4ec5835e0ccb3e2a8ab0e46179cb5512518\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxhci: Handle TD clearing for multiple streams case\\n\\nWhen multiple streams are in use, multiple TDs might be in flight when\\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\\neach, to ensure everything is reset properly and the caches cleared.\\nChange the logic so that any N>1 TDs found active for different streams\\nare deferred until after the first one is processed, calling\\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\\nqueue another command until we are done with all of them. Also change\\nthe error/\\\"should never happen\\\" paths to ensure we at least clear any\\naffected TDs, even if we can't issue a command to clear the hardware\\ncache, and complain loudly with an xhci_warn() if this ever happens.\\n\\nThis problem case dates back to commit e9df17eb1408 (\\\"USB: xhci: Correct\\nassumptions about number of rings per endpoint.\\\") early on in the XHCI\\ndriver's life, when stream support was first added.\\nIt was then identified but not fixed nor made into a warning in commit\\n674f8438c121 (\\\"xhci: split handling halted endpoints into two steps\\\"),\\nwhich added a FIXME comment for the problem case (without materially\\nchanging the behavior as far as I can tell, though the new logic made\\nthe problem more obvious).\\n\\nThen later, in commit 94f339147fc3 (\\\"xhci: Fix failure to give back some\\ncached cancelled URBs.\\\"), it was acknowledged again.\\n\\n[Mathias: commit 94f339147fc3 (\\\"xhci: Fix failure to give back some cached\\ncancelled URBs.\\\") was a targeted regression fix to the previously mentioned\\npatch. Users reported issues with usb stuck after unmounting/disconnecting\\nUAS devices. This rolled back the TD clearing of multiple streams to its\\noriginal state.]\\n\\nApparently the commit author was aware of the problem (yet still chose\\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\\nadded to log the problem condition, and the remaining issue was mentioned\\nin the commit description. The choice of making the log type xhci_dbg()\\nfor what is, at this point, a completely unhandled and known broken\\ncondition is puzzling and unfortunate, as it guarantees that no actual\\nusers would see the log in production, thereby making it nigh\\nundebuggable (indeed, even if you turn on DEBUG, the message doesn't\\nreally hint at there being a problem at all).\\n\\nIt took me *months* of random xHC crashes to finally find a reliable\\nrepro and be able to do a deep dive debug session, which could all have\\nbeen avoided had this unhandled, broken condition been actually reported\\nwith a warning, as it should have been as a bug intentionally left in\\nunfixed (never mind that it shouldn't have been left in at all).\\n\\n> Another fix to solve clearing the caches of all stream rings with\\n> cancelled TDs is needed, but not as urgent.\\n\\n3 years after that statement and 14 years after the original bug was\\nintroduced, I think it's finally time to fix it. And maybe next time\\nlet's not leave bugs unfixed (that are actually worse than the original\\nbug), and let's actually get people to review kernel commits please.\\n\\nFixes xHC crashes and IOMMU faults with UAS devices when handling\\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.\\nAt least in the case of JMicron controllers, the read errors end up\\nhaving to cancel two TDs (for two queued requests to different streams)\\nand the one that didn't get cleared properly ends up faulting the xHC\\nentirely when it tries to access DMA pages that have since been unmapped,\\nreferred to by the stale TDs. This normally happens quickly (after two\\nor three loops). After this fix, I left the `cat` in a loop running\\novernight and experienced no xHC failures, with all read errors\\nrecovered properly. Repro'd and tested on an Apple M1 Mac Mini\\n(dwc3 host).\\n\\nOn systems without an IOMMU, this bug would instead silently corrupt\\nfreed memory, making this a\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40927\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40929", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40929" + }, + { + "url": "https://git.kernel.org/stable/c/29a18d56bd64b95bd10bda4afda512558471382a" + }, + { + "url": "https://git.kernel.org/stable/c/3c4771091ea8016c8601399078916f722dd8833b" + }, + { + "url": "https://git.kernel.org/stable/c/60d62757df30b74bf397a2847a6db7385c6ee281" + }, + { + "url": "https://git.kernel.org/stable/c/62e007bdeb91c6879a4652c3426aef1cd9d2937b" + }, + { + "url": "https://git.kernel.org/stable/c/9e719ae3abad60e245ce248ba3f08148f375a614" + }, + { + "url": "https://git.kernel.org/stable/c/f777792952d03bbaf8329fdfa99393a5a33e2640" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40929", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: check n_ssids before accessing the ssids\n\nIn some versions of cfg80211, the ssids poinet might be a valid one even\nthough n_ssids is 0. Accessing the pointer in this case will cuase an\nout-of-bound access. Fix this by checking n_ssids first.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29a18d56bd64b95bd10bda4afda512558471382a\",\n \"https://git.kernel.org/stable/c/3c4771091ea8016c8601399078916f722dd8833b\",\n \"https://git.kernel.org/stable/c/60d62757df30b74bf397a2847a6db7385c6ee281\",\n \"https://git.kernel.org/stable/c/62e007bdeb91c6879a4652c3426aef1cd9d2937b\",\n \"https://git.kernel.org/stable/c/9e719ae3abad60e245ce248ba3f08148f375a614\",\n \"https://git.kernel.org/stable/c/f777792952d03bbaf8329fdfa99393a5a33e2640\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: check n_ssids before accessing the ssids\\n\\nIn some versions of cfg80211, the ssids poinet might be a valid one even\\nthough n_ssids is 0. Accessing the pointer in this case will cuase an\\nout-of-bound access. Fix this by checking n_ssids first.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40931", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40931" + }, + { + "url": "https://git.kernel.org/stable/c/208cd22ef5e57f82d38ec11c1a1703f9401d6dde" + }, + { + "url": "https://git.kernel.org/stable/c/7b9c7fc8600b64a86e4b47b2d190bba380267726" + }, + { + "url": "https://git.kernel.org/stable/c/8031b58c3a9b1db3ef68b3bd749fbee2e1e1aaa3" + }, + { + "url": "https://git.kernel.org/stable/c/ef473bf1dd7e8dd08bcc04b9e2d1bfed69a0a7ce" + }, + { + "url": "https://git.kernel.org/stable/c/f03c46eabb3a67bd2993e237ab5517f00a5f1813" + }, + { + "url": "https://git.kernel.org/stable/c/f1f0a46f8bb8890b90ab7194f0a0c8fe2a3fb57f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40931", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_una is properly initialized on connect\n\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\n\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/208cd22ef5e57f82d38ec11c1a1703f9401d6dde\",\n \"https://git.kernel.org/stable/c/7b9c7fc8600b64a86e4b47b2d190bba380267726\",\n \"https://git.kernel.org/stable/c/8031b58c3a9b1db3ef68b3bd749fbee2e1e1aaa3\",\n \"https://git.kernel.org/stable/c/ef473bf1dd7e8dd08bcc04b9e2d1bfed69a0a7ce\",\n \"https://git.kernel.org/stable/c/f03c46eabb3a67bd2993e237ab5517f00a5f1813\",\n \"https://git.kernel.org/stable/c/f1f0a46f8bb8890b90ab7194f0a0c8fe2a3fb57f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: ensure snd_una is properly initialized on connect\\n\\nThis is strictly related to commit fb7a0d334894 (\\\"mptcp: ensure snd_nxt\\nis properly initialized on connect\\\"). It turns out that syzkaller can\\ntrigger the retransmit after fallback and before processing any other\\nincoming packet - so that snd_una is still left uninitialized.\\n\\nAddress the issue explicitly initializing snd_una together with snd_nxt\\nand write_seq.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40932", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40932" + }, + { + "url": "https://git.kernel.org/stable/c/0acc356da8546b5c55aabfc2e2c5caa0ac9b0003" + }, + { + "url": "https://git.kernel.org/stable/c/38e3825631b1f314b21e3ade00b5a4d737eb054e" + }, + { + "url": "https://git.kernel.org/stable/c/540ca99729e28dbe902b01039a3b4bd74520a819" + }, + { + "url": "https://git.kernel.org/stable/c/777838c9b571674ef14dbddf671f372265879226" + }, + { + "url": "https://git.kernel.org/stable/c/a269c5701244db2722ae0fce5d1854f5d8f31224" + }, + { + "url": "https://git.kernel.org/stable/c/cb3ac233434dba130281db330c4b15665b2d2c4d" + }, + { + "url": "https://git.kernel.org/stable/c/dcba6bedb439581145d8aa6b0925209f23184ae1" + }, + { + "url": "https://git.kernel.org/stable/c/ebcf81504fef03f701b9711e43fea4fe2d82ebc8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40932 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40932", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos/vidi: fix memory leak in .get_modes()\n\nThe duplicated EDID is never freed. Fix it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40932\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40932\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40932\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40932\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40932\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0acc356da8546b5c55aabfc2e2c5caa0ac9b0003\",\n \"https://git.kernel.org/stable/c/38e3825631b1f314b21e3ade00b5a4d737eb054e\",\n \"https://git.kernel.org/stable/c/540ca99729e28dbe902b01039a3b4bd74520a819\",\n \"https://git.kernel.org/stable/c/777838c9b571674ef14dbddf671f372265879226\",\n \"https://git.kernel.org/stable/c/a269c5701244db2722ae0fce5d1854f5d8f31224\",\n \"https://git.kernel.org/stable/c/cb3ac233434dba130281db330c4b15665b2d2c4d\",\n \"https://git.kernel.org/stable/c/dcba6bedb439581145d8aa6b0925209f23184ae1\",\n \"https://git.kernel.org/stable/c/ebcf81504fef03f701b9711e43fea4fe2d82ebc8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/exynos/vidi: fix memory leak in .get_modes()\\n\\nThe duplicated EDID is never freed. Fix it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40932\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40934", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40934" + }, + { + "url": "https://git.kernel.org/stable/c/15122dc140d82c51c216535c57b044c4587aae45" + }, + { + "url": "https://git.kernel.org/stable/c/1df2ead5dfad5f8f92467bd94889392d53100b98" + }, + { + "url": "https://git.kernel.org/stable/c/789c99a1d7d2c8f6096d75fc2930505840ec9ea0" + }, + { + "url": "https://git.kernel.org/stable/c/a0503757947f2e46e59c1962326b53b3208c8213" + }, + { + "url": "https://git.kernel.org/stable/c/caa9c9acb93db7ad7b74b157cf101579bac9596d" + }, + { + "url": "https://git.kernel.org/stable/c/ce3af2ee95170b7d9e15fff6e500d67deab1e7b3" + }, + { + "url": "https://git.kernel.org/stable/c/f677ca8cfefee2a729ca315f660cd4868abdf8de" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40934", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()\n\nFix a memory leak on logi_dj_recv_send_report() error path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15122dc140d82c51c216535c57b044c4587aae45\",\n \"https://git.kernel.org/stable/c/1df2ead5dfad5f8f92467bd94889392d53100b98\",\n \"https://git.kernel.org/stable/c/789c99a1d7d2c8f6096d75fc2930505840ec9ea0\",\n \"https://git.kernel.org/stable/c/a0503757947f2e46e59c1962326b53b3208c8213\",\n \"https://git.kernel.org/stable/c/caa9c9acb93db7ad7b74b157cf101579bac9596d\",\n \"https://git.kernel.org/stable/c/ce3af2ee95170b7d9e15fff6e500d67deab1e7b3\",\n \"https://git.kernel.org/stable/c/f677ca8cfefee2a729ca315f660cd4868abdf8de\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()\\n\\nFix a memory leak on logi_dj_recv_send_report() error path.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40937", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40937" + }, + { + "url": "https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037" + }, + { + "url": "https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e" + }, + { + "url": "https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc" + }, + { + "url": "https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50" + }, + { + "url": "https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40937 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40937", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Clear napi->skb before dev_kfree_skb_any()\n\ngve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it\nis freed with dev_kfree_skb_any(). This can result in a subsequent call\nto napi_get_frags returning a dangling pointer.\n\nFix this by clearing napi->skb before the skb is freed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40937\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40937\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40937\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40937\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40937\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037\",\n \"https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e\",\n \"https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc\",\n \"https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50\",\n \"https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngve: Clear napi->skb before dev_kfree_skb_any()\\n\\ngve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it\\nis freed with dev_kfree_skb_any(). This can result in a subsequent call\\nto napi_get_frags returning a dangling pointer.\\n\\nFix this by clearing napi->skb before the skb is freed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40937\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40941", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40941" + }, + { + "url": "https://git.kernel.org/stable/c/15b37c6fab9d5e40ac399fa1c725118588ed649c" + }, + { + "url": "https://git.kernel.org/stable/c/46c59a25337049a2a230ce7f7c3b9f21d0aaaad7" + }, + { + "url": "https://git.kernel.org/stable/c/4bb95f4535489ed830cf9b34b0a891e384d1aee4" + }, + { + "url": "https://git.kernel.org/stable/c/6532f18e66b384b8d4b7e5c9caca042faaa9e8de" + }, + { + "url": "https://git.kernel.org/stable/c/65686118845d427df27ee83a6ddd4885596b0805" + }, + { + "url": "https://git.kernel.org/stable/c/a05018739a5e6b9dc112c95bd4c59904062c8940" + }, + { + "url": "https://git.kernel.org/stable/c/a8bc8276af9aeacabb773f0c267cfcdb847c6f2d" + }, + { + "url": "https://git.kernel.org/stable/c/acdfa33c3cf5e1cd185cc1e0486bd0ea9f09c154" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40941 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40941", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don't read past the mfuart notifcation\n\nIn case the firmware sends a notification that claims it has more data\nthan it has, we will read past that was allocated for the notification.\nRemove the print of the buffer, we won't see it by default. If needed,\nwe can see the content with tracing.\n\nThis was reported by KFENCE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40941\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40941\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40941\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40941\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40941\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15b37c6fab9d5e40ac399fa1c725118588ed649c\",\n \"https://git.kernel.org/stable/c/46c59a25337049a2a230ce7f7c3b9f21d0aaaad7\",\n \"https://git.kernel.org/stable/c/4bb95f4535489ed830cf9b34b0a891e384d1aee4\",\n \"https://git.kernel.org/stable/c/6532f18e66b384b8d4b7e5c9caca042faaa9e8de\",\n \"https://git.kernel.org/stable/c/65686118845d427df27ee83a6ddd4885596b0805\",\n \"https://git.kernel.org/stable/c/a05018739a5e6b9dc112c95bd4c59904062c8940\",\n \"https://git.kernel.org/stable/c/a8bc8276af9aeacabb773f0c267cfcdb847c6f2d\",\n \"https://git.kernel.org/stable/c/acdfa33c3cf5e1cd185cc1e0486bd0ea9f09c154\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: don't read past the mfuart notifcation\\n\\nIn case the firmware sends a notification that claims it has more data\\nthan it has, we will read past that was allocated for the notification.\\nRemove the print of the buffer, we won't see it by default. If needed,\\nwe can see the content with tracing.\\n\\nThis was reported by KFENCE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40941\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40942", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40942" + }, + { + "url": "https://git.kernel.org/stable/c/377dbb220edc8421b7960691876c5b3bef62f89b" + }, + { + "url": "https://git.kernel.org/stable/c/617dadbfb2d3e152c5753e28356d189c9d6f33c0" + }, + { + "url": "https://git.kernel.org/stable/c/63d5f89bb5664d60edbf8cf0df911aaae8ed96a4" + }, + { + "url": "https://git.kernel.org/stable/c/7518e20a189f8659b8b83969db4d33a4068fcfc3" + }, + { + "url": "https://git.kernel.org/stable/c/b7d7f11a291830fdf69d3301075dd0fb347ced84" + }, + { + "url": "https://git.kernel.org/stable/c/c4c865f971fd4a255208f57ef04d814c2ae9e0dc" + }, + { + "url": "https://git.kernel.org/stable/c/d81e244af521de63ad2883e17571b789c39b6549" + }, + { + "url": "https://git.kernel.org/stable/c/ec79670eae430b3ffb7e0a6417ad7657728b8f95" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40942 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40942", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: mesh: Fix leak of mesh_preq_queue objects\n\nThe hwmp code use objects of type mesh_preq_queue, added to a list in\nieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath\ngets deleted, ex mesh interface is removed, the entries in that list will\nnever get cleaned. Fix this by flushing all corresponding items of the\npreq_queue in mesh_path_flush_pending().\n\nThis should take care of KASAN reports like this:\n\nunreferenced object 0xffff00000668d800 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419552 (age 1836.444s)\n hex dump (first 32 bytes):\n 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....\n 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........\n backtrace:\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n [<00000000b36425d1>] worker_thread+0x9c/0x634\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\n [<000000005fccd770>] ret_from_fork+0x10/0x20\nunreferenced object 0xffff000009051f00 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419553 (age 1836.440s)\n hex dump (first 32 bytes):\n 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....\n 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....\n backtrace:\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n [<00000000b36425d1>] worker_thread+0x9c/0x634\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\n [<000000005fccd770>] ret_from_fork+0x10/0x20", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40942\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40942\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40942\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40942\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40942\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/377dbb220edc8421b7960691876c5b3bef62f89b\",\n \"https://git.kernel.org/stable/c/617dadbfb2d3e152c5753e28356d189c9d6f33c0\",\n \"https://git.kernel.org/stable/c/63d5f89bb5664d60edbf8cf0df911aaae8ed96a4\",\n \"https://git.kernel.org/stable/c/7518e20a189f8659b8b83969db4d33a4068fcfc3\",\n \"https://git.kernel.org/stable/c/b7d7f11a291830fdf69d3301075dd0fb347ced84\",\n \"https://git.kernel.org/stable/c/c4c865f971fd4a255208f57ef04d814c2ae9e0dc\",\n \"https://git.kernel.org/stable/c/d81e244af521de63ad2883e17571b789c39b6549\",\n \"https://git.kernel.org/stable/c/ec79670eae430b3ffb7e0a6417ad7657728b8f95\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: mesh: Fix leak of mesh_preq_queue objects\\n\\nThe hwmp code use objects of type mesh_preq_queue, added to a list in\\nieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath\\ngets deleted, ex mesh interface is removed, the entries in that list will\\nnever get cleaned. Fix this by flushing all corresponding items of the\\npreq_queue in mesh_path_flush_pending().\\n\\nThis should take care of KASAN reports like this:\\n\\nunreferenced object 0xffff00000668d800 (size 128):\\n comm \\\"kworker/u8:4\\\", pid 67, jiffies 4295419552 (age 1836.444s)\\n hex dump (first 32 bytes):\\n 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....\\n 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........\\n backtrace:\\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\\n [<00000000b36425d1>] worker_thread+0x9c/0x634\\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\\n [<000000005fccd770>] ret_from_fork+0x10/0x20\\nunreferenced object 0xffff000009051f00 (size 128):\\n comm \\\"kworker/u8:4\\\", pid 67, jiffies 4295419553 (age 1836.440s)\\n hex dump (first 32 bytes):\\n 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....\\n 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....\\n backtrace:\\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\\n [<00000000b36425d1>] worker_thread+0x9c/0x634\\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\\n [<000000005fccd770>] ret_from_fork+0x10/0x20\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40942\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40943", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40943" + }, + { + "url": "https://git.kernel.org/stable/c/050ce8af6838c71e872e982b50d3f1bec21da40e" + }, + { + "url": "https://git.kernel.org/stable/c/117b9c009b72a6c2ebfd23484354dfee2d9570d2" + }, + { + "url": "https://git.kernel.org/stable/c/38825ff9da91d2854dcf6d9ac320a7e641e10f25" + }, + { + "url": "https://git.kernel.org/stable/c/3c26b5d21b1239e9c7fd31ba7d9b2d7bdbaa68d9" + }, + { + "url": "https://git.kernel.org/stable/c/3c361f313d696df72f9bccf058510e9ec737b9b1" + }, + { + "url": "https://git.kernel.org/stable/c/952b023f06a24b2ad6ba67304c4c84d45bea2f18" + }, + { + "url": "https://git.kernel.org/stable/c/e8e2db1adac47970a6a9225f3858e9aa0e86287f" + }, + { + "url": "https://git.kernel.org/stable/c/ea042dc2bea19d72e37c298bf65a9c341ef3fff3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40943 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40943", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix races between hole punching and AIO+DIO\n\nAfter commit \"ocfs2: return real error code in ocfs2_dio_wr_get_block\",\nfstests/generic/300 become from always failed to sometimes failed:\n\n========================================================================\n[ 473.293420 ] run fstests generic/300\n\n[ 475.296983 ] JBD2: Ignoring recovery information on journal\n[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.\n[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found\n[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.\n[ 494.292018 ] OCFS2: File system is now read-only.\n[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30\n[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3\nfio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072\n=========================================================================\n\nIn __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten\nextents to a list. extents are also inserted into extent tree in\nocfs2_write_begin_nolock. Then another thread call fallocate to puch a\nhole at one of the unwritten extent. The extent at cpos was removed by\nocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list\nfound there is no such extent at the cpos.\n\n T1 T2 T3\n inode lock\n ...\n insert extents\n ...\n inode unlock\nocfs2_fallocate\n __ocfs2_change_file_space\n inode lock\n lock ip_alloc_sem\n ocfs2_remove_inode_range inode\n ocfs2_remove_btree_range\n ocfs2_remove_extent\n ^---remove the extent at cpos 78723\n ...\n unlock ip_alloc_sem\n inode unlock\n ocfs2_dio_end_io\n ocfs2_dio_end_io_write\n lock ip_alloc_sem\n ocfs2_mark_extent_written\n ocfs2_change_extent_flag\n ocfs2_search_extent_list\n ^---failed to find extent\n ...\n unlock ip_alloc_sem\n\nIn most filesystems, fallocate is not compatible with racing with AIO+DIO,\nso fix it by adding to wait for all dio before fallocate/punch_hole like\next4.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40943\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40943\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40943\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40943\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40943\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/050ce8af6838c71e872e982b50d3f1bec21da40e\",\n \"https://git.kernel.org/stable/c/117b9c009b72a6c2ebfd23484354dfee2d9570d2\",\n \"https://git.kernel.org/stable/c/38825ff9da91d2854dcf6d9ac320a7e641e10f25\",\n \"https://git.kernel.org/stable/c/3c26b5d21b1239e9c7fd31ba7d9b2d7bdbaa68d9\",\n \"https://git.kernel.org/stable/c/3c361f313d696df72f9bccf058510e9ec737b9b1\",\n \"https://git.kernel.org/stable/c/952b023f06a24b2ad6ba67304c4c84d45bea2f18\",\n \"https://git.kernel.org/stable/c/e8e2db1adac47970a6a9225f3858e9aa0e86287f\",\n \"https://git.kernel.org/stable/c/ea042dc2bea19d72e37c298bf65a9c341ef3fff3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: fix races between hole punching and AIO+DIO\\n\\nAfter commit \\\"ocfs2: return real error code in ocfs2_dio_wr_get_block\\\",\\nfstests/generic/300 become from always failed to sometimes failed:\\n\\n========================================================================\\n[ 473.293420 ] run fstests generic/300\\n\\n[ 475.296983 ] JBD2: Ignoring recovery information on journal\\n[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.\\n[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found\\n[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.\\n[ 494.292018 ] OCFS2: File system is now read-only.\\n[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30\\n[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3\\nfio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072\\n=========================================================================\\n\\nIn __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten\\nextents to a list. extents are also inserted into extent tree in\\nocfs2_write_begin_nolock. Then another thread call fallocate to puch a\\nhole at one of the unwritten extent. The extent at cpos was removed by\\nocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list\\nfound there is no such extent at the cpos.\\n\\n T1 T2 T3\\n inode lock\\n ...\\n insert extents\\n ...\\n inode unlock\\nocfs2_fallocate\\n __ocfs2_change_file_space\\n inode lock\\n lock ip_alloc_sem\\n ocfs2_remove_inode_range inode\\n ocfs2_remove_btree_range\\n ocfs2_remove_extent\\n ^---remove the extent at cpos 78723\\n ...\\n unlock ip_alloc_sem\\n inode unlock\\n ocfs2_dio_end_io\\n ocfs2_dio_end_io_write\\n lock ip_alloc_sem\\n ocfs2_mark_extent_written\\n ocfs2_change_extent_flag\\n ocfs2_search_extent_list\\n ^---failed to find extent\\n ...\\n unlock ip_alloc_sem\\n\\nIn most filesystems, fallocate is not compatible with racing with AIO+DIO,\\nso fix it by adding to wait for all dio before fallocate/punch_hole like\\next4.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40943\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40945", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40945" + }, + { + "url": "https://git.kernel.org/stable/c/2973b8e7d127754de9013177c41c0b5547406998" + }, + { + "url": "https://git.kernel.org/stable/c/61a96da9649a6b6a1a5d5bde9374b045fdb5c12e" + }, + { + "url": "https://git.kernel.org/stable/c/700f564758882db7c039dfba9443fe762561a3f8" + }, + { + "url": "https://git.kernel.org/stable/c/7388ae6f26c0ba95f70cc96bf9c5d5cb06c908b6" + }, + { + "url": "https://git.kernel.org/stable/c/89e8a2366e3bce584b6c01549d5019c5cda1205e" + }, + { + "url": "https://git.kernel.org/stable/c/cf34f8f66982a36e5cba0d05781b21ec9606b91e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40945 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40945", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Return right value in iommu_sva_bind_device()\n\niommu_sva_bind_device() should return either a sva bond handle or an\nERR_PTR value in error cases. Existing drivers (idxd and uacce) only\ncheck the return value with IS_ERR(). This could potentially lead to\na kernel NULL pointer dereference issue if the function returns NULL\ninstead of an error pointer.\n\nIn reality, this doesn't cause any problems because iommu_sva_bind_device()\nonly returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.\nIn this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will\nreturn an error, and the device drivers won't call iommu_sva_bind_device()\nat all.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40945\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40945\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40945\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40945\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40945\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2973b8e7d127754de9013177c41c0b5547406998\",\n \"https://git.kernel.org/stable/c/61a96da9649a6b6a1a5d5bde9374b045fdb5c12e\",\n \"https://git.kernel.org/stable/c/700f564758882db7c039dfba9443fe762561a3f8\",\n \"https://git.kernel.org/stable/c/7388ae6f26c0ba95f70cc96bf9c5d5cb06c908b6\",\n \"https://git.kernel.org/stable/c/89e8a2366e3bce584b6c01549d5019c5cda1205e\",\n \"https://git.kernel.org/stable/c/cf34f8f66982a36e5cba0d05781b21ec9606b91e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu: Return right value in iommu_sva_bind_device()\\n\\niommu_sva_bind_device() should return either a sva bond handle or an\\nERR_PTR value in error cases. Existing drivers (idxd and uacce) only\\ncheck the return value with IS_ERR(). This could potentially lead to\\na kernel NULL pointer dereference issue if the function returns NULL\\ninstead of an error pointer.\\n\\nIn reality, this doesn't cause any problems because iommu_sva_bind_device()\\nonly returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.\\nIn this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will\\nreturn an error, and the device drivers won't call iommu_sva_bind_device()\\nat all.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40945\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40953", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40953" + }, + { + "url": "https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb" + }, + { + "url": "https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c" + }, + { + "url": "https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60" + }, + { + "url": "https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40953 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40953", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\n\nUse {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the\nloads and stores are atomic. In the extremely unlikely scenario the\ncompiler tears the stores, it's theoretically possible for KVM to attempt\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\n257 vCPUs:\n\n CPU0 CPU1\n last_boosted_vcpu = 0xff;\n\n (last_boosted_vcpu = 0x100)\n last_boosted_vcpu[15:8] = 0x01;\n i = (last_boosted_vcpu = 0x1ff)\n last_boosted_vcpu[7:0] = 0x00;\n\n vcpu = kvm->vcpu_array[0x1ff];\n\nAs detected by KCSAN:\n\n BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\n\n write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t arch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t\tarch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n value changed: 0x00000012 -> 0x00000000", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40953\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40953\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40953\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40953\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40953\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb\",\n \"https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c\",\n \"https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60\",\n \"https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\\n\\nUse {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the\\nloads and stores are atomic. In the extremely unlikely scenario the\\ncompiler tears the stores, it's theoretically possible for KVM to attempt\\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\\n257 vCPUs:\\n\\n CPU0 CPU1\\n last_boosted_vcpu = 0xff;\\n\\n (last_boosted_vcpu = 0x100)\\n last_boosted_vcpu[15:8] = 0x01;\\n i = (last_boosted_vcpu = 0x1ff)\\n last_boosted_vcpu[7:0] = 0x00;\\n\\n vcpu = kvm->vcpu_array[0x1ff];\\n\\nAs detected by KCSAN:\\n\\n BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\\n\\n write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\\n\\t\\t arch/x86/kvm/vmx/vmx.c:6606) kvm_intel\\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\\n __x64_sys_ioctl (fs/ioctl.c:890)\\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\\n do_syscall_64 (arch/x86/entry/common.c:?)\\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\n read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\\n\\t\\t\\tarch/x86/kvm/vmx/vmx.c:6606) kvm_intel\\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\\n __x64_sys_ioctl (fs/ioctl.c:890)\\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\\n do_syscall_64 (arch/x86/entry/common.c:?)\\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\n value changed: 0x00000012 -> 0x00000000\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40953\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40954", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40954" + }, + { + "url": "https://git.kernel.org/stable/c/454c454ed645fed051216b79622f7cb69c1638f5" + }, + { + "url": "https://git.kernel.org/stable/c/5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9" + }, + { + "url": "https://git.kernel.org/stable/c/6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2" + }, + { + "url": "https://git.kernel.org/stable/c/78e4aa528a7b1204219d808310524344f627d069" + }, + { + "url": "https://git.kernel.org/stable/c/893eeba94c40d513cd0fe6539330ebdaea208c0e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40954 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40954", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not leave a dangling sk pointer, when socket creation fails\n\nIt is possible to trigger a use-after-free by:\n * attaching an fentry probe to __sock_release() and the probe calling the\n bpf_get_socket_cookie() helper\n * running traceroute -I 1.1.1.1 on a freshly booted VM\n\nA KASAN enabled kernel will log something like below (decoded and stripped):\n==================================================================\nBUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nRead of size 8 at addr ffff888007110dd8 by task traceroute/299\n\nCPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\nprint_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_report (mm/kasan/report.c:603)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)\n__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nbpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)\nbpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e\nbpf_trampoline_6442506592+0x47/0xaf\n__sock_release (net/socket.c:652)\n__sock_create (net/socket.c:1601)\n...\nAllocated by task 299 on cpu 2 at 78.328492s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\n__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)\nkmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)\nsk_prot_alloc (net/core/sock.c:2075)\nsk_alloc (net/core/sock.c:2134)\ninet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFreed by task 299 on cpu 2 at 78.328502s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\nkasan_save_free_info (mm/kasan/generic.c:582)\npoison_slab_object (mm/kasan/common.c:242)\n__kasan_slab_free (mm/kasan/common.c:256)\nkmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)\n__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)\ninet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by clearing the struct socket reference in sk_common_release() to cover\nall protocol families create functions, which may already attached the\nreference to the sk object with sock_init_data().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40954\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40954\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40954\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40954\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40954\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/454c454ed645fed051216b79622f7cb69c1638f5\",\n \"https://git.kernel.org/stable/c/5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9\",\n \"https://git.kernel.org/stable/c/6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2\",\n \"https://git.kernel.org/stable/c/78e4aa528a7b1204219d808310524344f627d069\",\n \"https://git.kernel.org/stable/c/893eeba94c40d513cd0fe6539330ebdaea208c0e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: do not leave a dangling sk pointer, when socket creation fails\\n\\nIt is possible to trigger a use-after-free by:\\n * attaching an fentry probe to __sock_release() and the probe calling the\\n bpf_get_socket_cookie() helper\\n * running traceroute -I 1.1.1.1 on a freshly booted VM\\n\\nA KASAN enabled kernel will log something like below (decoded and stripped):\\n==================================================================\\nBUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\\nRead of size 8 at addr ffff888007110dd8 by task traceroute/299\\n\\nCPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\\nCall Trace:\\n \\ndump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\\nprint_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\\nkasan_report (mm/kasan/report.c:603)\\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\\nkasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)\\n__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\\nbpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)\\nbpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e\\nbpf_trampoline_6442506592+0x47/0xaf\\n__sock_release (net/socket.c:652)\\n__sock_create (net/socket.c:1601)\\n...\\nAllocated by task 299 on cpu 2 at 78.328492s:\\nkasan_save_stack (mm/kasan/common.c:48)\\nkasan_save_track (mm/kasan/common.c:68)\\n__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)\\nkmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)\\nsk_prot_alloc (net/core/sock.c:2075)\\nsk_alloc (net/core/sock.c:2134)\\ninet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)\\n__sock_create (net/socket.c:1572)\\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\\n__x64_sys_socket (net/socket.c:1718)\\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\nFreed by task 299 on cpu 2 at 78.328502s:\\nkasan_save_stack (mm/kasan/common.c:48)\\nkasan_save_track (mm/kasan/common.c:68)\\nkasan_save_free_info (mm/kasan/generic.c:582)\\npoison_slab_object (mm/kasan/common.c:242)\\n__kasan_slab_free (mm/kasan/common.c:256)\\nkmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)\\n__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)\\ninet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)\\n__sock_create (net/socket.c:1572)\\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\\n__x64_sys_socket (net/socket.c:1718)\\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\nFix this by clearing the struct socket reference in sk_common_release() to cover\\nall protocol families create functions, which may already attached the\\nreference to the sk object with sock_init_data().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40954\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40956", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40956" + }, + { + "url": "https://git.kernel.org/stable/c/1b08bf5a17c66ab7dbb628df5344da53c8e7ab33" + }, + { + "url": "https://git.kernel.org/stable/c/83163667d881100a485b6c2daa30301b7f68d9b5" + }, + { + "url": "https://git.kernel.org/stable/c/a14968921486793f2a956086895c3793761309dd" + }, + { + "url": "https://git.kernel.org/stable/c/e3215deca4520773cd2b155bed164c12365149a7" + }, + { + "url": "https://git.kernel.org/stable/c/faa35db78b058a2ab6e074ee283f69fa398c36a8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40956 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40956", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list\n\nUse list_for_each_entry_safe() to allow iterating through the list and\ndeleting the entry in the iteration process. The descriptor is freed via\nidxd_desc_complete() and there's a slight chance may cause issue for\nthe list iterator when the descriptor is reused by another thread\nwithout it being deleted from the list.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40956\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40956\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40956\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40956\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40956\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b08bf5a17c66ab7dbb628df5344da53c8e7ab33\",\n \"https://git.kernel.org/stable/c/83163667d881100a485b6c2daa30301b7f68d9b5\",\n \"https://git.kernel.org/stable/c/a14968921486793f2a956086895c3793761309dd\",\n \"https://git.kernel.org/stable/c/e3215deca4520773cd2b155bed164c12365149a7\",\n \"https://git.kernel.org/stable/c/faa35db78b058a2ab6e074ee283f69fa398c36a8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list\\n\\nUse list_for_each_entry_safe() to allow iterating through the list and\\ndeleting the entry in the iteration process. The descriptor is freed via\\nidxd_desc_complete() and there's a slight chance may cause issue for\\nthe list iterator when the descriptor is reused by another thread\\nwithout it being deleted from the list.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40956\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40957", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40957" + }, + { + "url": "https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c" + }, + { + "url": "https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779" + }, + { + "url": "https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d" + }, + { + "url": "https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6" + }, + { + "url": "https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40957 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40957", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\n\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\ndereference, as below:\n\n [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\n [74830.655633] #PF: supervisor read access in kernel mode\n [74830.657888] #PF: error_code(0x0000) - not-present page\n [74830.659500] PGD 0 P4D 0\n [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\n ...\n [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n ...\n [74830.689725] Call Trace:\n [74830.690402] \n [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df\n [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df\n [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]\n [74830.694275] ? __die_body.cold+0x8/0xd\n [74830.695205] ? page_fault_oops+0xac/0x140\n [74830.696244] ? exc_page_fault+0x62/0x150\n [74830.697225] ? asm_exc_page_fault+0x22/0x30\n [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n [74830.699540] ipt_do_table+0x286/0x710 [ip_tables]\n [74830.700758] ? ip6_route_input+0x19d/0x240\n [74830.701752] nf_hook_slow+0x3f/0xb0\n [74830.702678] input_action_end_dx4+0x19b/0x1e0\n [74830.703735] ? input_action_end_t+0xe0/0xe0\n [74830.704734] seg6_local_input_core+0x2d/0x60\n [74830.705782] lwtunnel_input+0x5b/0xb0\n [74830.706690] __netif_receive_skb_one_core+0x63/0xa0\n [74830.707825] process_backlog+0x99/0x140\n [74830.709538] __napi_poll+0x2c/0x160\n [74830.710673] net_rx_action+0x296/0x350\n [74830.711860] __do_softirq+0xcb/0x2ac\n [74830.713049] do_softirq+0x63/0x90\n\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\ntrigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():\n\n static bool\n rpfilter_is_loopback(const struct sk_buff *skb,\n \t const struct net_device *in)\n {\n // in is NULL\n return skb->pkt_type == PACKET_LOOPBACK ||\n \t in->flags & IFF_LOOPBACK;\n }", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40957\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40957\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40957\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40957\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40957\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c\",\n \"https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779\",\n \"https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d\",\n \"https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6\",\n \"https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\\n\\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\\ndereference, as below:\\n\\n [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\\n [74830.655633] #PF: supervisor read access in kernel mode\\n [74830.657888] #PF: error_code(0x0000) - not-present page\\n [74830.659500] PGD 0 P4D 0\\n [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\\n ...\\n [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\\n [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\\n ...\\n [74830.689725] Call Trace:\\n [74830.690402] \\n [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df\\n [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df\\n [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]\\n [74830.694275] ? __die_body.cold+0x8/0xd\\n [74830.695205] ? page_fault_oops+0xac/0x140\\n [74830.696244] ? exc_page_fault+0x62/0x150\\n [74830.697225] ? asm_exc_page_fault+0x22/0x30\\n [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\\n [74830.699540] ipt_do_table+0x286/0x710 [ip_tables]\\n [74830.700758] ? ip6_route_input+0x19d/0x240\\n [74830.701752] nf_hook_slow+0x3f/0xb0\\n [74830.702678] input_action_end_dx4+0x19b/0x1e0\\n [74830.703735] ? input_action_end_t+0xe0/0xe0\\n [74830.704734] seg6_local_input_core+0x2d/0x60\\n [74830.705782] lwtunnel_input+0x5b/0xb0\\n [74830.706690] __netif_receive_skb_one_core+0x63/0xa0\\n [74830.707825] process_backlog+0x99/0x140\\n [74830.709538] __napi_poll+0x2c/0x160\\n [74830.710673] net_rx_action+0x296/0x350\\n [74830.711860] __do_softirq+0xcb/0x2ac\\n [74830.713049] do_softirq+0x63/0x90\\n\\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\\ntrigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():\\n\\n static bool\\n rpfilter_is_loopback(const struct sk_buff *skb,\\n \\t const struct net_device *in)\\n {\\n // in is NULL\\n return skb->pkt_type == PACKET_LOOPBACK ||\\n \\t in->flags & IFF_LOOPBACK;\\n }\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40957\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40958", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40958" + }, + { + "url": "https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef" + }, + { + "url": "https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b" + }, + { + "url": "https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55" + }, + { + "url": "https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b" + }, + { + "url": "https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940" + }, + { + "url": "https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876" + }, + { + "url": "https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40958 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40958", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetns: Make get_net_ns() handle zero refcount net\n\nSyzkaller hit a warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0\nModules linked in:\nCPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xdf/0x1d0\nCode: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1\nRSP: 0018:ffff8881067b7da0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac\nRDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001\nRBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139\nR10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4\nR13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040\nFS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ? show_regs+0xa3/0xc0\n ? __warn+0xa5/0x1c0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? report_bug+0x1fc/0x2d0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? handle_bug+0xa1/0x110\n ? exc_invalid_op+0x3c/0xb0\n ? asm_exc_invalid_op+0x1f/0x30\n ? __warn_printk+0xcc/0x140\n ? __warn_printk+0xd5/0x140\n ? refcount_warn_saturate+0xdf/0x1d0\n get_net_ns+0xa4/0xc0\n ? __pfx_get_net_ns+0x10/0x10\n open_related_ns+0x5a/0x130\n __tun_chr_ioctl+0x1616/0x2370\n ? __sanitizer_cov_trace_switch+0x58/0xa0\n ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30\n ? __pfx_tun_chr_ioctl+0x10/0x10\n tun_chr_ioctl+0x2f/0x40\n __x64_sys_ioctl+0x11b/0x160\n x64_sys_call+0x1211/0x20d0\n do_syscall_64+0x9e/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5b28f165d7\nCode: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8\nRSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7\nRDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003\nRBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0\nR10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730\nR13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000\n \nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nThis is trigger as below:\n ns0 ns1\ntun_set_iff() //dev is tun0\n tun->dev = dev\n//ip link set tun0 netns ns1\n put_net() //ref is 0\n__tun_chr_ioctl() //TUNGETDEVNETNS\n net = dev_net(tun->dev);\n open_related_ns(&net->ns, get_net_ns); //ns1\n get_net_ns()\n get_net() //addition on 0\n\nUse maybe_get_net() in get_net_ns in case net's ref is zero to fix this", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40958\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40958\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40958\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40958\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40958\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef\",\n \"https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b\",\n \"https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55\",\n \"https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b\",\n \"https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940\",\n \"https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876\",\n \"https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetns: Make get_net_ns() handle zero refcount net\\n\\nSyzkaller hit a warning:\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0\\nModules linked in:\\nCPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nRIP: 0010:refcount_warn_saturate+0xdf/0x1d0\\nCode: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1\\nRSP: 0018:ffff8881067b7da0 EFLAGS: 00010286\\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac\\nRDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001\\nRBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139\\nR10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4\\nR13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040\\nFS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n ? show_regs+0xa3/0xc0\\n ? __warn+0xa5/0x1c0\\n ? refcount_warn_saturate+0xdf/0x1d0\\n ? report_bug+0x1fc/0x2d0\\n ? refcount_warn_saturate+0xdf/0x1d0\\n ? handle_bug+0xa1/0x110\\n ? exc_invalid_op+0x3c/0xb0\\n ? asm_exc_invalid_op+0x1f/0x30\\n ? __warn_printk+0xcc/0x140\\n ? __warn_printk+0xd5/0x140\\n ? refcount_warn_saturate+0xdf/0x1d0\\n get_net_ns+0xa4/0xc0\\n ? __pfx_get_net_ns+0x10/0x10\\n open_related_ns+0x5a/0x130\\n __tun_chr_ioctl+0x1616/0x2370\\n ? __sanitizer_cov_trace_switch+0x58/0xa0\\n ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30\\n ? __pfx_tun_chr_ioctl+0x10/0x10\\n tun_chr_ioctl+0x2f/0x40\\n __x64_sys_ioctl+0x11b/0x160\\n x64_sys_call+0x1211/0x20d0\\n do_syscall_64+0x9e/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7f5b28f165d7\\nCode: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8\\nRSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7\\nRDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003\\nRBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0\\nR10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730\\nR13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000\\n \\nKernel panic - not syncing: kernel: panic_on_warn set ...\\n\\nThis is trigger as below:\\n ns0 ns1\\ntun_set_iff() //dev is tun0\\n tun->dev = dev\\n//ip link set tun0 netns ns1\\n put_net() //ref is 0\\n__tun_chr_ioctl() //TUNGETDEVNETNS\\n net = dev_net(tun->dev);\\n open_related_ns(&net->ns, get_net_ns); //ns1\\n get_net_ns()\\n get_net() //addition on 0\\n\\nUse maybe_get_net() in get_net_ns in case net's ref is zero to fix this\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40958\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40959", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40959" + }, + { + "url": "https://git.kernel.org/stable/c/20427b85781aca0ad072851f6907a3d4b2fed8d1" + }, + { + "url": "https://git.kernel.org/stable/c/600a62b4232ac027f788c3ca395bc2333adeaacf" + }, + { + "url": "https://git.kernel.org/stable/c/83c02fb2cc0afee5bb53cddf3f34f045f654ad6a" + }, + { + "url": "https://git.kernel.org/stable/c/9f30f1f1a51d91e19f5a09236bb0b59e6a07ad08" + }, + { + "url": "https://git.kernel.org/stable/c/c71761292d4d002a8eccb57b86792c4e3b3eb3c7" + }, + { + "url": "https://git.kernel.org/stable/c/caf0bec84c62fb1cf6f7c9f0e8c857c87f8adbc3" + }, + { + "url": "https://git.kernel.org/stable/c/d46401052c2d5614da8efea5788532f0401cb164" + }, + { + "url": "https://git.kernel.org/stable/c/f897d7171652fcfc76d042bfec798b010ee89e41" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40959 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40959", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()\n\nip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.\n\nsyzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: wg-kex-wg1 wg_packet_handshake_send_worker\n RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64\nCode: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00\nRSP: 0018:ffffc90000117378 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7\nRDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98\nRBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000\nR10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]\n xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]\n xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541\n xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835\n xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]\n xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201\n xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]\n xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309\n ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256\n send6+0x611/0xd20 drivers/net/wireguard/socket.c:139\n wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178\n wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200\n wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40\n wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40959\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40959\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40959\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40959\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40959\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/20427b85781aca0ad072851f6907a3d4b2fed8d1\",\n \"https://git.kernel.org/stable/c/600a62b4232ac027f788c3ca395bc2333adeaacf\",\n \"https://git.kernel.org/stable/c/83c02fb2cc0afee5bb53cddf3f34f045f654ad6a\",\n \"https://git.kernel.org/stable/c/9f30f1f1a51d91e19f5a09236bb0b59e6a07ad08\",\n \"https://git.kernel.org/stable/c/c71761292d4d002a8eccb57b86792c4e3b3eb3c7\",\n \"https://git.kernel.org/stable/c/caf0bec84c62fb1cf6f7c9f0e8c857c87f8adbc3\",\n \"https://git.kernel.org/stable/c/d46401052c2d5614da8efea5788532f0401cb164\",\n \"https://git.kernel.org/stable/c/f897d7171652fcfc76d042bfec798b010ee89e41\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()\\n\\nip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.\\n\\nsyzbot reported:\\n\\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\\nCPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\nWorkqueue: wg-kex-wg1 wg_packet_handshake_send_worker\\n RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64\\nCode: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00\\nRSP: 0018:ffffc90000117378 EFLAGS: 00010246\\nRAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7\\nRDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98\\nRBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000\\nR10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480\\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\\nFS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]\\n xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]\\n xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541\\n xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835\\n xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]\\n xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201\\n xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]\\n xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309\\n ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256\\n send6+0x611/0xd20 drivers/net/wireguard/socket.c:139\\n wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178\\n wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200\\n wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40\\n wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51\\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\\n process_scheduled_works kernel/workqueue.c:3312 [inline]\\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40959\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40960", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40960" + }, + { + "url": "https://git.kernel.org/stable/c/1ed9849fdf9a1a617129346b11d2094ca26828dc" + }, + { + "url": "https://git.kernel.org/stable/c/51ee2f7c30790799d0ec30c0ce0c743e58f046f2" + }, + { + "url": "https://git.kernel.org/stable/c/569c9d9ea6648d099187527b93982f406ddcebc0" + }, + { + "url": "https://git.kernel.org/stable/c/6eed6d3cd19ff3cfa83aeceed86da14abaf7417b" + }, + { + "url": "https://git.kernel.org/stable/c/73e7c8ca6ad76f29b2c99c20845a6f3b203ff0c6" + }, + { + "url": "https://git.kernel.org/stable/c/b86762dbe19a62e785c189f313cda5b989931f37" + }, + { + "url": "https://git.kernel.org/stable/c/d66fc4826127c82f99c4033380f8e93833d331c7" + }, + { + "url": "https://git.kernel.org/stable/c/f0cda984e4e634b221dbf9642b8ecc5b4806b41e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40960 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40960", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL dereference in rt6_probe()\n\nsyzbot caught a NULL dereference in rt6_probe() [1]\n\nBail out if __in6_dev_get() returns NULL.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]\nCPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]\n RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758\nCode: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19\nRSP: 0018:ffffc900034af070 EFLAGS: 00010203\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000\nRDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c\nRBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a\nR13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000\nFS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784\n nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496\n __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825\n find_rr_leaf net/ipv6/route.c:853 [inline]\n rt6_select net/ipv6/route.c:897 [inline]\n fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195\n ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231\n pol_lookup_func include/net/ip6_fib.h:616 [inline]\n fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121\n ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]\n ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651\n ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147\n ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250\n rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898\n inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n sock_write_iter+0x4b8/0x5c0 net/socket.c:1160\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x6b6/0x1140 fs/read_write.c:590\n ksys_write+0x1f8/0x260 fs/read_write.c:643\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40960\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40960\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40960\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40960\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40960\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ed9849fdf9a1a617129346b11d2094ca26828dc\",\n \"https://git.kernel.org/stable/c/51ee2f7c30790799d0ec30c0ce0c743e58f046f2\",\n \"https://git.kernel.org/stable/c/569c9d9ea6648d099187527b93982f406ddcebc0\",\n \"https://git.kernel.org/stable/c/6eed6d3cd19ff3cfa83aeceed86da14abaf7417b\",\n \"https://git.kernel.org/stable/c/73e7c8ca6ad76f29b2c99c20845a6f3b203ff0c6\",\n \"https://git.kernel.org/stable/c/b86762dbe19a62e785c189f313cda5b989931f37\",\n \"https://git.kernel.org/stable/c/d66fc4826127c82f99c4033380f8e93833d331c7\",\n \"https://git.kernel.org/stable/c/f0cda984e4e634b221dbf9642b8ecc5b4806b41e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: prevent possible NULL dereference in rt6_probe()\\n\\nsyzbot caught a NULL dereference in rt6_probe() [1]\\n\\nBail out if __in6_dev_get() returns NULL.\\n\\n[1]\\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]\\nCPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\n RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]\\n RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758\\nCode: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19\\nRSP: 0018:ffffc900034af070 EFLAGS: 00010203\\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000\\nRDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c\\nRBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000\\nR10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a\\nR13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000\\nFS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784\\n nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496\\n __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825\\n find_rr_leaf net/ipv6/route.c:853 [inline]\\n rt6_select net/ipv6/route.c:897 [inline]\\n fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195\\n ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231\\n pol_lookup_func include/net/ip6_fib.h:616 [inline]\\n fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121\\n ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]\\n ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651\\n ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147\\n ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250\\n rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898\\n inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg net/socket.c:745 [inline]\\n sock_write_iter+0x4b8/0x5c0 net/socket.c:1160\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0x6b6/0x1140 fs/read_write.c:590\\n ksys_write+0x1f8/0x260 fs/read_write.c:643\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40960\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40961", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40961" + }, + { + "url": "https://git.kernel.org/stable/c/2eab4543a2204092c3a7af81d7d6c506e59a03a6" + }, + { + "url": "https://git.kernel.org/stable/c/3200ffeec4d59aad5bc9ca75d2c1fae47c0aeade" + }, + { + "url": "https://git.kernel.org/stable/c/4cdfe813015d5a24586bd0a84fa0fa6eb0a1f668" + }, + { + "url": "https://git.kernel.org/stable/c/88b9a55e2e35ea846d41f4efdc29d23345bd1aa4" + }, + { + "url": "https://git.kernel.org/stable/c/ae8d3d39efe366c2198f530e01e4bf07830bf403" + }, + { + "url": "https://git.kernel.org/stable/c/b6947723c9eabcab58cfb33cdb0a565a6aee6727" + }, + { + "url": "https://git.kernel.org/stable/c/de5ad4d45cd0128a2a37555f48ab69aa19d78adc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40961 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40961", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL deref in fib6_nh_init()\n\nsyzbot reminds us that in6_dev_get() can return NULL.\n\nfib6_nh_init()\n ip6_validate_gw( &idev )\n ip6_route_check_nh( idev )\n *idev = in6_dev_get(dev); // can be NULL\n\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606\nCode: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b\nRSP: 0018:ffffc900032775a0 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8\nRBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000\nR10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8\nR13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000\nFS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809\n ip6_route_add+0x28/0x160 net/ipv6/route.c:3853\n ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483\n inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f940f07cea9", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40961\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40961\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40961\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40961\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40961\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2eab4543a2204092c3a7af81d7d6c506e59a03a6\",\n \"https://git.kernel.org/stable/c/3200ffeec4d59aad5bc9ca75d2c1fae47c0aeade\",\n \"https://git.kernel.org/stable/c/4cdfe813015d5a24586bd0a84fa0fa6eb0a1f668\",\n \"https://git.kernel.org/stable/c/88b9a55e2e35ea846d41f4efdc29d23345bd1aa4\",\n \"https://git.kernel.org/stable/c/ae8d3d39efe366c2198f530e01e4bf07830bf403\",\n \"https://git.kernel.org/stable/c/b6947723c9eabcab58cfb33cdb0a565a6aee6727\",\n \"https://git.kernel.org/stable/c/de5ad4d45cd0128a2a37555f48ab69aa19d78adc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: prevent possible NULL deref in fib6_nh_init()\\n\\nsyzbot reminds us that in6_dev_get() can return NULL.\\n\\nfib6_nh_init()\\n ip6_validate_gw( &idev )\\n ip6_route_check_nh( idev )\\n *idev = in6_dev_get(dev); // can be NULL\\n\\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\\nCPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\\n RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606\\nCode: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b\\nRSP: 0018:ffffc900032775a0 EFLAGS: 00010202\\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000\\nRDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8\\nRBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000\\nR10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8\\nR13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000\\nFS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809\\n ip6_route_add+0x28/0x160 net/ipv6/route.c:3853\\n ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483\\n inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579\\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:907 [inline]\\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7f940f07cea9\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40961\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40963", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40963" + }, + { + "url": "https://git.kernel.org/stable/c/10afe5f7d30f6fe50c2b1177549d0e04921fc373" + }, + { + "url": "https://git.kernel.org/stable/c/2cd4854ef14a487bcfb76c7980675980cad27b52" + }, + { + "url": "https://git.kernel.org/stable/c/36d771ce6028b886e18a4a8956a5d23688e4e13d" + }, + { + "url": "https://git.kernel.org/stable/c/6c0f6ccd939166f56a904c792d7fcadae43b9085" + }, + { + "url": "https://git.kernel.org/stable/c/89167072fd249e5f23ae2f8093f87da5925cef27" + }, + { + "url": "https://git.kernel.org/stable/c/ce5cdd3b05216b704a704f466fb4c2dff3778caf" + }, + { + "url": "https://git.kernel.org/stable/c/da895fd6da438af8d9326b8f02d715a9c76c3b5b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40963 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40963", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: bmips: BCM6358: make sure CBR is correctly set\n\nIt was discovered that some device have CBR address set to 0 causing\nkernel panic when arch_sync_dma_for_cpu_all is called.\n\nThis was notice in situation where the system is booted from TP1 and\nBMIPS_GET_CBR() returns 0 instead of a valid address and\n!!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.\n\nThe current check whether RAC flush should be disabled or not are not\nenough hence lets check if CBR is a valid address or not.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40963\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40963\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40963\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40963\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40963\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10afe5f7d30f6fe50c2b1177549d0e04921fc373\",\n \"https://git.kernel.org/stable/c/2cd4854ef14a487bcfb76c7980675980cad27b52\",\n \"https://git.kernel.org/stable/c/36d771ce6028b886e18a4a8956a5d23688e4e13d\",\n \"https://git.kernel.org/stable/c/6c0f6ccd939166f56a904c792d7fcadae43b9085\",\n \"https://git.kernel.org/stable/c/89167072fd249e5f23ae2f8093f87da5925cef27\",\n \"https://git.kernel.org/stable/c/ce5cdd3b05216b704a704f466fb4c2dff3778caf\",\n \"https://git.kernel.org/stable/c/da895fd6da438af8d9326b8f02d715a9c76c3b5b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmips: bmips: BCM6358: make sure CBR is correctly set\\n\\nIt was discovered that some device have CBR address set to 0 causing\\nkernel panic when arch_sync_dma_for_cpu_all is called.\\n\\nThis was notice in situation where the system is booted from TP1 and\\nBMIPS_GET_CBR() returns 0 instead of a valid address and\\n!!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.\\n\\nThe current check whether RAC flush should be disabled or not are not\\nenough hence lets check if CBR is a valid address or not.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40963\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40965", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40965" + }, + { + "url": "https://git.kernel.org/stable/c/2b42e9587a7a9c7b824e0feb92958f258263963e" + }, + { + "url": "https://git.kernel.org/stable/c/4268254a39484fc11ba991ae148bacbe75d9cc0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40965 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40965", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: lpi2c: Avoid calling clk_get_rate during transfer\n\nInstead of repeatedly calling clk_get_rate for each transfer, lock\nthe clock rate and cache the value.\nA deadlock has been observed while adding tlv320aic32x4 audio codec to\nthe system. When this clock provider adds its clock, the clk mutex is\nlocked already, it needs to access i2c, which in return needs the mutex\nfor clk_get_rate as well.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40965\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40965\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40965\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40965\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40965\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b42e9587a7a9c7b824e0feb92958f258263963e\",\n \"https://git.kernel.org/stable/c/4268254a39484fc11ba991ae148bacbe75d9cc0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: lpi2c: Avoid calling clk_get_rate during transfer\\n\\nInstead of repeatedly calling clk_get_rate for each transfer, lock\\nthe clock rate and cache the value.\\nA deadlock has been observed while adding tlv320aic32x4 audio codec to\\nthe system. When this clock provider adds its clock, the clk mutex is\\nlocked already, it needs to access i2c, which in return needs the mutex\\nfor clk_get_rate as well.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40965\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40966", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40966" + }, + { + "url": "https://git.kernel.org/stable/c/287b569a5b914903ba7c438a3c0dbc3410ebb409" + }, + { + "url": "https://git.kernel.org/stable/c/3c6332f3bb1578b5b10ac2561247b1d6272ae937" + }, + { + "url": "https://git.kernel.org/stable/c/5920ac19964f9e20181f63b410d9200ddbf8dc86" + }, + { + "url": "https://git.kernel.org/stable/c/6bd23e0c2bb6c65d4f5754d1456bc9a4427fc59b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40966 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40966", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: add the option to have a tty reject a new ldisc\n\n... and use it to limit the virtual terminals to just N_TTY. They are\nkind of special, and in particular, the \"con_write()\" routine violates\nthe \"writes cannot sleep\" rule that some ldiscs rely on.\n\nThis avoids the\n\n BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659\n\nwhen N_GSM has been attached to a virtual console, and gsmld_write()\ncalls con_write() while holding a spinlock, and con_write() then tries\nto get the console lock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40966\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40966\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40966\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40966\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40966\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/287b569a5b914903ba7c438a3c0dbc3410ebb409\",\n \"https://git.kernel.org/stable/c/3c6332f3bb1578b5b10ac2561247b1d6272ae937\",\n \"https://git.kernel.org/stable/c/5920ac19964f9e20181f63b410d9200ddbf8dc86\",\n \"https://git.kernel.org/stable/c/6bd23e0c2bb6c65d4f5754d1456bc9a4427fc59b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: add the option to have a tty reject a new ldisc\\n\\n... and use it to limit the virtual terminals to just N_TTY. They are\\nkind of special, and in particular, the \\\"con_write()\\\" routine violates\\nthe \\\"writes cannot sleep\\\" rule that some ldiscs rely on.\\n\\nThis avoids the\\n\\n BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659\\n\\nwhen N_GSM has been attached to a virtual console, and gsmld_write()\\ncalls con_write() while holding a spinlock, and con_write() then tries\\nto get the console lock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40966\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40967", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40967" + }, + { + "url": "https://git.kernel.org/stable/c/53b2c95547427c358f45515a9f144efee95e3701" + }, + { + "url": "https://git.kernel.org/stable/c/7f2b9ab6d0b26f16cd38dd9fd91d51899635f7c7" + }, + { + "url": "https://git.kernel.org/stable/c/7f9e70c68b7ace0141fe3bc94bf7b61296b71916" + }, + { + "url": "https://git.kernel.org/stable/c/982ae3376c4c91590d38dc8a676c10f7df048a44" + }, + { + "url": "https://git.kernel.org/stable/c/e533e4c62e9993e62e947ae9bbec34e4c7ae81c2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40967 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40967", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: imx: Introduce timeout when waiting on transmitter empty\n\nBy waiting at most 1 second for USR2_TXDC to be set, we avoid a potential\ndeadlock.\n\nIn case of the timeout, there is not much we can do, so we simply ignore\nthe transmitter state and optimistically try to continue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40967\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40967\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40967\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40967\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40967\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/53b2c95547427c358f45515a9f144efee95e3701\",\n \"https://git.kernel.org/stable/c/7f2b9ab6d0b26f16cd38dd9fd91d51899635f7c7\",\n \"https://git.kernel.org/stable/c/7f9e70c68b7ace0141fe3bc94bf7b61296b71916\",\n \"https://git.kernel.org/stable/c/982ae3376c4c91590d38dc8a676c10f7df048a44\",\n \"https://git.kernel.org/stable/c/e533e4c62e9993e62e947ae9bbec34e4c7ae81c2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: imx: Introduce timeout when waiting on transmitter empty\\n\\nBy waiting at most 1 second for USR2_TXDC to be set, we avoid a potential\\ndeadlock.\\n\\nIn case of the timeout, there is not much we can do, so we simply ignore\\nthe transmitter state and optimistically try to continue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40967\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40968", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40968" + }, + { + "url": "https://git.kernel.org/stable/c/1c33fd17383f48f679186c54df78542106deeaa0" + }, + { + "url": "https://git.kernel.org/stable/c/25998f5613159fe35920dbd484fcac7ea3ad0799" + }, + { + "url": "https://git.kernel.org/stable/c/29b83a64df3b42c88c0338696feb6fdcd7f1f3b7" + }, + { + "url": "https://git.kernel.org/stable/c/38d647d509543e9434b3cc470b914348be271fe9" + }, + { + "url": "https://git.kernel.org/stable/c/64845ac64819683ad5e51b668b2ed56ee3386aee" + }, + { + "url": "https://git.kernel.org/stable/c/6bff05aaa32c2f7e1f6e68e890876642159db419" + }, + { + "url": "https://git.kernel.org/stable/c/6c1b9fe148a4e03bbfa234267ebb89f35285814a" + }, + { + "url": "https://git.kernel.org/stable/c/d996deb80398a90dd3c03590e68dad543da87d62" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40968 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40968", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: Octeon: Add PCIe link status check\n\nThe standard PCIe configuration read-write interface is used to\naccess the configuration space of the peripheral PCIe devices\nof the mips processor after the PCIe link surprise down, it can\ngenerate kernel panic caused by \"Data bus error\". So it is\nnecessary to add PCIe link status check for system protection.\nWhen the PCIe link is down or in training, assigning a value\nof 0 to the configuration address can prevent read-write behavior\nto the configuration space of peripheral PCIe devices, thereby\npreventing kernel panic.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40968\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40968\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40968\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40968\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40968\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c33fd17383f48f679186c54df78542106deeaa0\",\n \"https://git.kernel.org/stable/c/25998f5613159fe35920dbd484fcac7ea3ad0799\",\n \"https://git.kernel.org/stable/c/29b83a64df3b42c88c0338696feb6fdcd7f1f3b7\",\n \"https://git.kernel.org/stable/c/38d647d509543e9434b3cc470b914348be271fe9\",\n \"https://git.kernel.org/stable/c/64845ac64819683ad5e51b668b2ed56ee3386aee\",\n \"https://git.kernel.org/stable/c/6bff05aaa32c2f7e1f6e68e890876642159db419\",\n \"https://git.kernel.org/stable/c/6c1b9fe148a4e03bbfa234267ebb89f35285814a\",\n \"https://git.kernel.org/stable/c/d996deb80398a90dd3c03590e68dad543da87d62\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nMIPS: Octeon: Add PCIe link status check\\n\\nThe standard PCIe configuration read-write interface is used to\\naccess the configuration space of the peripheral PCIe devices\\nof the mips processor after the PCIe link surprise down, it can\\ngenerate kernel panic caused by \\\"Data bus error\\\". So it is\\nnecessary to add PCIe link status check for system protection.\\nWhen the PCIe link is down or in training, assigning a value\\nof 0 to the configuration address can prevent read-write behavior\\nto the configuration space of peripheral PCIe devices, thereby\\npreventing kernel panic.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40968\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40969", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40969" + }, + { + "url": "https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a" + }, + { + "url": "https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7" + }, + { + "url": "https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40969 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40969", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: don't set RO when shutting down f2fs\n\nShutdown does not check the error of thaw_super due to readonly, which\ncauses a deadlock like below.\n\nf2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread\n - bdev_freeze\n - freeze_super\n - f2fs_stop_checkpoint()\n - f2fs_handle_critical_error - sb_start_write\n - set RO - waiting\n - bdev_thaw\n - thaw_super_locked\n - return -EINVAL, if sb_rdonly()\n - f2fs_stop_discard_thread\n -> wait for kthread_stop(discard_thread);", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40969\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40969\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40969\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40969\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40969\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a\",\n \"https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7\",\n \"https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: don't set RO when shutting down f2fs\\n\\nShutdown does not check the error of thaw_super due to readonly, which\\ncauses a deadlock like below.\\n\\nf2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread\\n - bdev_freeze\\n - freeze_super\\n - f2fs_stop_checkpoint()\\n - f2fs_handle_critical_error - sb_start_write\\n - set RO - waiting\\n - bdev_thaw\\n - thaw_super_locked\\n - return -EINVAL, if sb_rdonly()\\n - f2fs_stop_discard_thread\\n -> wait for kthread_stop(discard_thread);\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40969\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40970", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40970" + }, + { + "url": "https://git.kernel.org/stable/c/333e11bf47fa8d477db90e2900b1ed3c9ae9b697" + }, + { + "url": "https://git.kernel.org/stable/c/7c3bb96a20cd8db3b8824b2ff08b6cde4505c7e5" + }, + { + "url": "https://git.kernel.org/stable/c/9004784e8d68bcd1ac1376407ba296fa28f04dbe" + }, + { + "url": "https://git.kernel.org/stable/c/dd42570018f5962c10f215ad9c21274ed5d3541e" + }, + { + "url": "https://git.kernel.org/stable/c/e151ae1ee065cf4b8ce4394ddb9d9c8df6370c66" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40970 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40970", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nAvoid hw_desc array overrun in dw-axi-dmac\n\nI have a use case where nr_buffers = 3 and in which each descriptor is composed by 3\nsegments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()\nhandles the hw_desc considering the descs_allocated, this scenario would result in a\nkernel panic (hw_desc array will be overrun).\n\nTo fix this, the proposal is to add a new member to the axi_dma_desc structure,\nwhere we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in\naxi_desc_put() to handle the hw_desc array correctly.\n\nAdditionally I propose to remove the axi_chan_start_first_queued() call after completing\nthe transfer, since it was identified that unbalance can occur (started descriptors can\nbe interrupted and transfer ignored due to DMA channel not being enabled).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40970\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40970\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40970\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40970\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40970\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/333e11bf47fa8d477db90e2900b1ed3c9ae9b697\",\n \"https://git.kernel.org/stable/c/7c3bb96a20cd8db3b8824b2ff08b6cde4505c7e5\",\n \"https://git.kernel.org/stable/c/9004784e8d68bcd1ac1376407ba296fa28f04dbe\",\n \"https://git.kernel.org/stable/c/dd42570018f5962c10f215ad9c21274ed5d3541e\",\n \"https://git.kernel.org/stable/c/e151ae1ee065cf4b8ce4394ddb9d9c8df6370c66\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nAvoid hw_desc array overrun in dw-axi-dmac\\n\\nI have a use case where nr_buffers = 3 and in which each descriptor is composed by 3\\nsegments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()\\nhandles the hw_desc considering the descs_allocated, this scenario would result in a\\nkernel panic (hw_desc array will be overrun).\\n\\nTo fix this, the proposal is to add a new member to the axi_dma_desc structure,\\nwhere we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in\\naxi_desc_put() to handle the hw_desc array correctly.\\n\\nAdditionally I propose to remove the axi_chan_start_first_queued() call after completing\\nthe transfer, since it was identified that unbalance can occur (started descriptors can\\nbe interrupted and transfer ignored due to DMA channel not being enabled).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40970\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40971", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40971" + }, + { + "url": "https://git.kernel.org/stable/c/38a82c8d00638bb642bef787eb1d5e0e4d3b7d71" + }, + { + "url": "https://git.kernel.org/stable/c/724429db09e21ee153fef35e34342279d33df6ae" + }, + { + "url": "https://git.kernel.org/stable/c/a9cea0489c562c97cd56bb345e78939f9909e7f4" + }, + { + "url": "https://git.kernel.org/stable/c/ac5eecf481c29942eb9a862e758c0c8b68090c33" + }, + { + "url": "https://git.kernel.org/stable/c/ae39c8ec4250d2a35ddaab1c40faacfec306ff66" + }, + { + "url": "https://git.kernel.org/stable/c/eddeb8d941d5be11a9da5637dbe81ac37e8449a2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40971 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40971", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: remove clear SB_INLINECRYPT flag in default_options\n\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\nIf create new file or open file during this gap, these files\nwill not use inlinecrypt. Worse case, it may lead to data\ncorruption if wrappedkey_v0 is enable.\n\nThread A: Thread B:\n\n-f2fs_remount\t\t\t\t-f2fs_file_open or f2fs_new_inode\n -default_options\n\t<- clear SB_INLINECRYPT flag\n\n -fscrypt_select_encryption_impl\n\n -parse_options\n\t<- set SB_INLINECRYPT again", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40971\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40971\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40971\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40971\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40971\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/38a82c8d00638bb642bef787eb1d5e0e4d3b7d71\",\n \"https://git.kernel.org/stable/c/724429db09e21ee153fef35e34342279d33df6ae\",\n \"https://git.kernel.org/stable/c/a9cea0489c562c97cd56bb345e78939f9909e7f4\",\n \"https://git.kernel.org/stable/c/ac5eecf481c29942eb9a862e758c0c8b68090c33\",\n \"https://git.kernel.org/stable/c/ae39c8ec4250d2a35ddaab1c40faacfec306ff66\",\n \"https://git.kernel.org/stable/c/eddeb8d941d5be11a9da5637dbe81ac37e8449a2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: remove clear SB_INLINECRYPT flag in default_options\\n\\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\\nIf create new file or open file during this gap, these files\\nwill not use inlinecrypt. Worse case, it may lead to data\\ncorruption if wrappedkey_v0 is enable.\\n\\nThread A: Thread B:\\n\\n-f2fs_remount\\t\\t\\t\\t-f2fs_file_open or f2fs_new_inode\\n -default_options\\n\\t<- clear SB_INLINECRYPT flag\\n\\n -fscrypt_select_encryption_impl\\n\\n -parse_options\\n\\t<- set SB_INLINECRYPT again\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40971\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40972", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40972" + }, + { + "url": "https://git.kernel.org/stable/c/0a46ef234756dca04623b7591e8ebb3440622f0b" + }, + { + "url": "https://git.kernel.org/stable/c/111103907234bffd0a34fba070ad9367de058752" + }, + { + "url": "https://git.kernel.org/stable/c/737fb7853acd5bc8984f6f42e4bfba3334be8ae1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40972 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40972", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: do not create EA inode under buffer lock\n\next4_xattr_set_entry() creates new EA inodes while holding buffer lock\non the external xattr block. This is problematic as it nests all the\nallocation locking (which acquires locks on other buffers) under the\nbuffer lock. This can even deadlock when the filesystem is corrupted and\ne.g. quota file is setup to contain xattr block as data block. Move the\nallocation of EA inode out of ext4_xattr_set_entry() into the callers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40972\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40972\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40972\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40972\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40972\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a46ef234756dca04623b7591e8ebb3440622f0b\",\n \"https://git.kernel.org/stable/c/111103907234bffd0a34fba070ad9367de058752\",\n \"https://git.kernel.org/stable/c/737fb7853acd5bc8984f6f42e4bfba3334be8ae1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: do not create EA inode under buffer lock\\n\\next4_xattr_set_entry() creates new EA inodes while holding buffer lock\\non the external xattr block. This is problematic as it nests all the\\nallocation locking (which acquires locks on other buffers) under the\\nbuffer lock. This can even deadlock when the filesystem is corrupted and\\ne.g. quota file is setup to contain xattr block as data block. Move the\\nallocation of EA inode out of ext4_xattr_set_entry() into the callers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40972\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40973", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40973" + }, + { + "url": "https://git.kernel.org/stable/c/3a693c7e243b932faee5c1fb728efa73f0abc39b" + }, + { + "url": "https://git.kernel.org/stable/c/53dbe08504442dc7ba4865c09b3bbf5fe849681b" + }, + { + "url": "https://git.kernel.org/stable/c/f066882293b5ad359e44c4ed24ab1811ffb0b354" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40973 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40973", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-vcodec: potential null pointer deference in SCP\n\nThe return value of devm_kzalloc() needs to be checked to avoid\nNULL pointer deference. This is similar to CVE-2022-3113.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40973\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40973\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40973\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40973\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40973\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3a693c7e243b932faee5c1fb728efa73f0abc39b\",\n \"https://git.kernel.org/stable/c/53dbe08504442dc7ba4865c09b3bbf5fe849681b\",\n \"https://git.kernel.org/stable/c/f066882293b5ad359e44c4ed24ab1811ffb0b354\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: mtk-vcodec: potential null pointer deference in SCP\\n\\nThe return value of devm_kzalloc() needs to be checked to avoid\\nNULL pointer deference. This is similar to CVE-2022-3113.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40973\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40974", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40974" + }, + { + "url": "https://git.kernel.org/stable/c/19c166ee42cf16d8b156a6cb4544122d9a65d3ca" + }, + { + "url": "https://git.kernel.org/stable/c/262e942ff5a839b9e4f3302a8987928b0c8b8a2d" + }, + { + "url": "https://git.kernel.org/stable/c/3ad0034910a57aa88ed9976b1431b7b8c84e0048" + }, + { + "url": "https://git.kernel.org/stable/c/8aa11aa001576bf3b00dcb8559564ad7a3113588" + }, + { + "url": "https://git.kernel.org/stable/c/a8c988d752b3d98d5cc1e3929c519a55ef55426c" + }, + { + "url": "https://git.kernel.org/stable/c/aa6107dcc4ce9a3451f2d729204713783b657257" + }, + { + "url": "https://git.kernel.org/stable/c/acf2b80c31c37acab040baa3cf5f19fbd5140b18" + }, + { + "url": "https://git.kernel.org/stable/c/ff2e185cf73df480ec69675936c4ee75a445c3e4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40974 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40974", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Enforce hcall result buffer validity and size\n\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\nprovide valid result buffers of certain minimum size. Currently this\nis communicated only through comments in the code and the compiler has\nno idea.\n\nFor example, if I write a bug like this:\n\n long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\n plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\n\nThis compiles with no diagnostics emitted, but likely results in stack\ncorruption at runtime when plpar_hcall9() stores results past the end\nof the array. (To be clear this is a contrived example and I have not\nfound a real instance yet.)\n\nTo make this class of error less likely, we can use explicitly-sized\narray parameters instead of pointers in the declarations for the hcall\nAPIs. When compiled with -Warray-bounds[1], the code above now\nprovokes a diagnostic like this:\n\nerror: array argument is too small;\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\n 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\n | ^ ~~~~~~\n\n[1] Enabled for LLVM builds but not GCC for now. See commit\n 0da6e5fd6c37 (\"gcc: disable '-Warray-bounds' for gcc-13 too\") and\n related changes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40974\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40974\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40974\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40974\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40974\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19c166ee42cf16d8b156a6cb4544122d9a65d3ca\",\n \"https://git.kernel.org/stable/c/262e942ff5a839b9e4f3302a8987928b0c8b8a2d\",\n \"https://git.kernel.org/stable/c/3ad0034910a57aa88ed9976b1431b7b8c84e0048\",\n \"https://git.kernel.org/stable/c/8aa11aa001576bf3b00dcb8559564ad7a3113588\",\n \"https://git.kernel.org/stable/c/a8c988d752b3d98d5cc1e3929c519a55ef55426c\",\n \"https://git.kernel.org/stable/c/aa6107dcc4ce9a3451f2d729204713783b657257\",\n \"https://git.kernel.org/stable/c/acf2b80c31c37acab040baa3cf5f19fbd5140b18\",\n \"https://git.kernel.org/stable/c/ff2e185cf73df480ec69675936c4ee75a445c3e4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/pseries: Enforce hcall result buffer validity and size\\n\\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\\nprovide valid result buffers of certain minimum size. Currently this\\nis communicated only through comments in the code and the compiler has\\nno idea.\\n\\nFor example, if I write a bug like this:\\n\\n long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\\n plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\\n\\nThis compiles with no diagnostics emitted, but likely results in stack\\ncorruption at runtime when plpar_hcall9() stores results past the end\\nof the array. (To be clear this is a contrived example and I have not\\nfound a real instance yet.)\\n\\nTo make this class of error less likely, we can use explicitly-sized\\narray parameters instead of pointers in the declarations for the hcall\\nAPIs. When compiled with -Warray-bounds[1], the code above now\\nprovokes a diagnostic like this:\\n\\nerror: array argument is too small;\\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\\n 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\\n | ^ ~~~~~~\\n\\n[1] Enabled for LLVM builds but not GCC for now. See commit\\n 0da6e5fd6c37 (\\\"gcc: disable '-Warray-bounds' for gcc-13 too\\\") and\\n related changes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40974\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40975", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40975" + }, + { + "url": "https://git.kernel.org/stable/c/3de0f2627ef849735f155c1818247f58404dddfe" + }, + { + "url": "https://git.kernel.org/stable/c/f0c982853d665597d17e4995ff479fbbf79a9cf6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40975 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40975", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: x86-android-tablets: Unregister devices in reverse order\n\nNot all subsystems support a device getting removed while there are\nstill consumers of the device with a reference to the device.\n\nOne example of this is the regulator subsystem. If a regulator gets\nunregistered while there are still drivers holding a reference\na WARN() at drivers/regulator/core.c:5829 triggers, e.g.:\n\n WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister\n Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015\n RIP: 0010:regulator_unregister\n Call Trace:\n \n regulator_unregister\n devres_release_group\n i2c_device_remove\n device_release_driver_internal\n bus_remove_device\n device_del\n device_unregister\n x86_android_tablet_remove\n\nOn the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides\na 5V boost converter output for powering USB devices connected to the micro\nUSB port, the bq24190-charger driver exports this as a Vbus regulator.\n\nOn the 830 (8\") and 1050 (\"10\") models this regulator is controlled by\na platform_device and x86_android_tablet_remove() removes platform_device-s\nbefore i2c_clients so the consumer gets removed first.\n\nBut on the 1380 (13\") model there is a lc824206xa micro-USB switch\nconnected over I2C and the extcon driver for that controls the regulator.\nThe bq24190 i2c-client *must* be registered first, because that creates\nthe regulator with the lc824206xa listed as its consumer. If the regulator\nhas not been registered yet the lc824206xa driver will end up getting\na dummy regulator.\n\nSince in this case both the regulator provider and consumer are I2C\ndevices, the only way to ensure that the consumer is unregistered first\nis to unregister the I2C devices in reverse order of in which they were\ncreated.\n\nFor consistency and to avoid similar problems in the future change\nx86_android_tablet_remove() to unregister all device types in reverse\norder.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40975\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40975\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40975\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40975\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40975\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3de0f2627ef849735f155c1818247f58404dddfe\",\n \"https://git.kernel.org/stable/c/f0c982853d665597d17e4995ff479fbbf79a9cf6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nplatform/x86: x86-android-tablets: Unregister devices in reverse order\\n\\nNot all subsystems support a device getting removed while there are\\nstill consumers of the device with a reference to the device.\\n\\nOne example of this is the regulator subsystem. If a regulator gets\\nunregistered while there are still drivers holding a reference\\na WARN() at drivers/regulator/core.c:5829 triggers, e.g.:\\n\\n WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister\\n Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015\\n RIP: 0010:regulator_unregister\\n Call Trace:\\n \\n regulator_unregister\\n devres_release_group\\n i2c_device_remove\\n device_release_driver_internal\\n bus_remove_device\\n device_del\\n device_unregister\\n x86_android_tablet_remove\\n\\nOn the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides\\na 5V boost converter output for powering USB devices connected to the micro\\nUSB port, the bq24190-charger driver exports this as a Vbus regulator.\\n\\nOn the 830 (8\\\") and 1050 (\\\"10\\\") models this regulator is controlled by\\na platform_device and x86_android_tablet_remove() removes platform_device-s\\nbefore i2c_clients so the consumer gets removed first.\\n\\nBut on the 1380 (13\\\") model there is a lc824206xa micro-USB switch\\nconnected over I2C and the extcon driver for that controls the regulator.\\nThe bq24190 i2c-client *must* be registered first, because that creates\\nthe regulator with the lc824206xa listed as its consumer. If the regulator\\nhas not been registered yet the lc824206xa driver will end up getting\\na dummy regulator.\\n\\nSince in this case both the regulator provider and consumer are I2C\\ndevices, the only way to ensure that the consumer is unregistered first\\nis to unregister the I2C devices in reverse order of in which they were\\ncreated.\\n\\nFor consistency and to avoid similar problems in the future change\\nx86_android_tablet_remove() to unregister all device types in reverse\\norder.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40975\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40976", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40976" + }, + { + "url": "https://git.kernel.org/stable/c/03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a" + }, + { + "url": "https://git.kernel.org/stable/c/58bfd311c93d66d8282bf21ebbf35cc3bb8ad9db" + }, + { + "url": "https://git.kernel.org/stable/c/70aa1f2dec46b6fdb5f6b9f37b6bfa4a4dee0d3a" + }, + { + "url": "https://git.kernel.org/stable/c/9fd8ddd23793a50dbcd11c6ba51f437f1ea7d344" + }, + { + "url": "https://git.kernel.org/stable/c/a421cc7a6a001b70415aa4f66024fa6178885a14" + }, + { + "url": "https://git.kernel.org/stable/c/bdbc4ca77f5eaac15de7230814253cddfed273b1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40976 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40976", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: mask irqs in timeout path before hard reset\n\nThere is a race condition in which a rendering job might take just long\nenough to trigger the drm sched job timeout handler but also still\ncomplete before the hard reset is done by the timeout handler.\nThis runs into race conditions not expected by the timeout handler.\nIn some very specific cases it currently may result in a refcount\nimbalance on lima_pm_idle, with a stack dump such as:\n\n[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669628] Call trace:\n[10136.669634] lima_devfreq_record_idle+0xa0/0xb0\n[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0\n[10136.669656] lima_gp_irq_handler+0xa8/0x120\n[10136.669666] __handle_irq_event_percpu+0x48/0x160\n[10136.669679] handle_irq_event+0x4c/0xc0\n\nWe can prevent that race condition entirely by masking the irqs at the\nbeginning of the timeout handler, at which point we give up on waiting\nfor that job entirely.\nThe irqs will be enabled again at the next hard reset which is already\ndone as a recovery by the timeout handler.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40976\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40976\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40976\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40976\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40976\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a\",\n \"https://git.kernel.org/stable/c/58bfd311c93d66d8282bf21ebbf35cc3bb8ad9db\",\n \"https://git.kernel.org/stable/c/70aa1f2dec46b6fdb5f6b9f37b6bfa4a4dee0d3a\",\n \"https://git.kernel.org/stable/c/9fd8ddd23793a50dbcd11c6ba51f437f1ea7d344\",\n \"https://git.kernel.org/stable/c/a421cc7a6a001b70415aa4f66024fa6178885a14\",\n \"https://git.kernel.org/stable/c/bdbc4ca77f5eaac15de7230814253cddfed273b1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/lima: mask irqs in timeout path before hard reset\\n\\nThere is a race condition in which a rendering job might take just long\\nenough to trigger the drm sched job timeout handler but also still\\ncomplete before the hard reset is done by the timeout handler.\\nThis runs into race conditions not expected by the timeout handler.\\nIn some very specific cases it currently may result in a refcount\\nimbalance on lima_pm_idle, with a stack dump such as:\\n\\n[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0\\n...\\n[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0\\n...\\n[10136.669628] Call trace:\\n[10136.669634] lima_devfreq_record_idle+0xa0/0xb0\\n[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0\\n[10136.669656] lima_gp_irq_handler+0xa8/0x120\\n[10136.669666] __handle_irq_event_percpu+0x48/0x160\\n[10136.669679] handle_irq_event+0x4c/0xc0\\n\\nWe can prevent that race condition entirely by masking the irqs at the\\nbeginning of the timeout handler, at which point we give up on waiting\\nfor that job entirely.\\nThe irqs will be enabled again at the next hard reset which is already\\ndone as a recovery by the timeout handler.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40976\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40977", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40977" + }, + { + "url": "https://git.kernel.org/stable/c/0b81faa05b0b9feb3ae2d69be1d21f0d126ecb08" + }, + { + "url": "https://git.kernel.org/stable/c/85edd783f4539a994d66c4c014d5858f490b7a02" + }, + { + "url": "https://git.kernel.org/stable/c/e974dd4c22a23ec3ce579fb6d31a674ac0435da9" + }, + { + "url": "https://git.kernel.org/stable/c/ecf0b2b8a37c8464186620bef37812a117ff6366" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40977 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40977", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921s: fix potential hung tasks during chip recovery\n\nDuring chip recovery (e.g. chip reset), there is a possible situation that\nkernel worker reset_work is holding the lock and waiting for kernel thread\nstat_worker to be parked, while stat_worker is waiting for the release of\nthe same lock.\nIt causes a deadlock resulting in the dumping of hung tasks messages and\npossible rebooting of the device.\n\nThis patch prevents the execution of stat_worker during the chip recovery.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40977\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40977\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40977\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40977\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40977\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b81faa05b0b9feb3ae2d69be1d21f0d126ecb08\",\n \"https://git.kernel.org/stable/c/85edd783f4539a994d66c4c014d5858f490b7a02\",\n \"https://git.kernel.org/stable/c/e974dd4c22a23ec3ce579fb6d31a674ac0435da9\",\n \"https://git.kernel.org/stable/c/ecf0b2b8a37c8464186620bef37812a117ff6366\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mt76: mt7921s: fix potential hung tasks during chip recovery\\n\\nDuring chip recovery (e.g. chip reset), there is a possible situation that\\nkernel worker reset_work is holding the lock and waiting for kernel thread\\nstat_worker to be parked, while stat_worker is waiting for the release of\\nthe same lock.\\nIt causes a deadlock resulting in the dumping of hung tasks messages and\\npossible rebooting of the device.\\n\\nThis patch prevents the execution of stat_worker during the chip recovery.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40977\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40978", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40978" + }, + { + "url": "https://git.kernel.org/stable/c/144d76a676b630e321556965011b00e2de0b40a7" + }, + { + "url": "https://git.kernel.org/stable/c/21c963de2e86e88f6a8ca556bcebb8e62ab8e901" + }, + { + "url": "https://git.kernel.org/stable/c/28027ec8e32ecbadcd67623edb290dad61e735b5" + }, + { + "url": "https://git.kernel.org/stable/c/397a8990c377ee4b61d6df768e61dff9e316d46b" + }, + { + "url": "https://git.kernel.org/stable/c/56bec63a7fc87ad50b3373a87517dc9770eef9e0" + }, + { + "url": "https://git.kernel.org/stable/c/e2f433ea7d0ff77998766a088a287337fb43ad75" + }, + { + "url": "https://git.kernel.org/stable/c/eaddb86637669f6bad89245ee63f8fb2bfb50241" + }, + { + "url": "https://git.kernel.org/stable/c/fa85b016a56b9775a3fe41e5d26e666945963b46" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40978 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40978", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedi: Fix crash while reading debugfs attribute\n\nThe qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly\non a __user pointer, which results into the crash.\n\nTo fix this issue, use a small local stack buffer for sprintf() and then\ncall simple_read_from_buffer(), which in turns make the copy_to_user()\ncall.\n\nBUG: unable to handle page fault for address: 00007f4801111000\nPGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0\nOops: 0002 [#1] PREEMPT SMP PTI\nHardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023\nRIP: 0010:memcpy_orig+0xcd/0x130\nRSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202\nRAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f\nRDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000\nRBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572\nR10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff\nR13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af\nFS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? __die_body+0x1a/0x60\n ? page_fault_oops+0x183/0x510\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? memcpy_orig+0xcd/0x130\n vsnprintf+0x102/0x4c0\n sprintf+0x51/0x80\n qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]\n full_proxy_read+0x50/0x80\n vfs_read+0xa5/0x2e0\n ? folio_add_new_anon_rmap+0x44/0xa0\n ? set_pte_at+0x15/0x30\n ? do_pte_missing+0x426/0x7f0\n ksys_read+0xa5/0xe0\n do_syscall_64+0x58/0x80\n ? __count_memcg_events+0x46/0x90\n ? count_memcg_event_mm+0x3d/0x60\n ? handle_mm_fault+0x196/0x2f0\n ? do_user_addr_fault+0x267/0x890\n ? exc_page_fault+0x69/0x150\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4800f20b4d", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40978\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40978\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40978\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40978\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40978\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/144d76a676b630e321556965011b00e2de0b40a7\",\n \"https://git.kernel.org/stable/c/21c963de2e86e88f6a8ca556bcebb8e62ab8e901\",\n \"https://git.kernel.org/stable/c/28027ec8e32ecbadcd67623edb290dad61e735b5\",\n \"https://git.kernel.org/stable/c/397a8990c377ee4b61d6df768e61dff9e316d46b\",\n \"https://git.kernel.org/stable/c/56bec63a7fc87ad50b3373a87517dc9770eef9e0\",\n \"https://git.kernel.org/stable/c/e2f433ea7d0ff77998766a088a287337fb43ad75\",\n \"https://git.kernel.org/stable/c/eaddb86637669f6bad89245ee63f8fb2bfb50241\",\n \"https://git.kernel.org/stable/c/fa85b016a56b9775a3fe41e5d26e666945963b46\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qedi: Fix crash while reading debugfs attribute\\n\\nThe qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly\\non a __user pointer, which results into the crash.\\n\\nTo fix this issue, use a small local stack buffer for sprintf() and then\\ncall simple_read_from_buffer(), which in turns make the copy_to_user()\\ncall.\\n\\nBUG: unable to handle page fault for address: 00007f4801111000\\nPGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0\\nOops: 0002 [#1] PREEMPT SMP PTI\\nHardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023\\nRIP: 0010:memcpy_orig+0xcd/0x130\\nRSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202\\nRAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f\\nRDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000\\nRBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572\\nR10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff\\nR13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af\\nFS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nPKRU: 55555554\\nCall Trace:\\n \\n ? __die_body+0x1a/0x60\\n ? page_fault_oops+0x183/0x510\\n ? exc_page_fault+0x69/0x150\\n ? asm_exc_page_fault+0x22/0x30\\n ? memcpy_orig+0xcd/0x130\\n vsnprintf+0x102/0x4c0\\n sprintf+0x51/0x80\\n qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]\\n full_proxy_read+0x50/0x80\\n vfs_read+0xa5/0x2e0\\n ? folio_add_new_anon_rmap+0x44/0xa0\\n ? set_pte_at+0x15/0x30\\n ? do_pte_missing+0x426/0x7f0\\n ksys_read+0xa5/0xe0\\n do_syscall_64+0x58/0x80\\n ? __count_memcg_events+0x46/0x90\\n ? count_memcg_event_mm+0x3d/0x60\\n ? handle_mm_fault+0x196/0x2f0\\n ? do_user_addr_fault+0x267/0x890\\n ? exc_page_fault+0x69/0x150\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\nRIP: 0033:0x7f4800f20b4d\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40978\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40979", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40979" + }, + { + "url": "https://git.kernel.org/stable/c/303c017821d88ebad887814114d4e5966d320b28" + }, + { + "url": "https://git.kernel.org/stable/c/bb50a4e711ff95348ad53641acb1306d89eb4c3a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40979 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40979", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix kernel crash during resume\n\nCurrently during resume, QMI target memory is not properly handled, resulting\nin kernel crash in case DMA remap is not supported:\n\nBUG: Bad page state in process kworker/u16:54 pfn:36e80\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80\npage dumped because: nonzero _refcount\nCall Trace:\n bad_page\n free_page_is_bad_report\n __free_pages_ok\n __free_pages\n dma_direct_free\n dma_free_attrs\n ath12k_qmi_free_target_mem_chunk\n ath12k_qmi_msg_mem_request_cb\n\nThe reason is:\nOnce ath12k module is loaded, firmware sends memory request to host. In case\nDMA remap not supported, ath12k refuses the first request due to failure in\nallocating with large segment size:\n\nath12k_pci 0000:04:00.0: qmi firmware request memory request\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144\nath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size\nath12k_pci 0000:04:00.0: qmi delays mem_request 2\nath12k_pci 0000:04:00.0: qmi firmware request memory request\n\nLater firmware comes back with more but small segments and allocation\nsucceeds:\n\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\n\nNow ath12k is working. If suspend is triggered, firmware will be reloaded\nduring resume. As same as before, firmware requests two large segments at\nfirst. In ath12k_qmi_msg_mem_request_cb() segment count and size are\nassigned:\n\n\tab->qmi.mem_seg_count == 2\n\tab->qmi.target_mem[0].size == 7077888\n\tab->qmi.target_mem[1].size == 8454144\n\nThen allocation failed like before and ath12k_qmi_free_target_mem_chunk()\nis called to free all allocated segments. Note the first segment is skipped\nbecause its v.addr is cleared due to allocation failure:\n\n\tchunk->v.addr = dma_alloc_coherent()\n\nAlso note that this leaks that segment because it has not been freed.\n\nWhile freeing the second segment, a size of 8454144 is passed to\ndma_free_coherent(). However remember that this segment is allocated at\nthe first time firmware is loaded, before suspend. So its real size is\n524288, much smaller than 8454144. As a result kernel found we are freeing\nsome memory which is in use and thus cras\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40979\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40979\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40979\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40979\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40979\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/303c017821d88ebad887814114d4e5966d320b28\",\n \"https://git.kernel.org/stable/c/bb50a4e711ff95348ad53641acb1306d89eb4c3a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath12k: fix kernel crash during resume\\n\\nCurrently during resume, QMI target memory is not properly handled, resulting\\nin kernel crash in case DMA remap is not supported:\\n\\nBUG: Bad page state in process kworker/u16:54 pfn:36e80\\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80\\npage dumped because: nonzero _refcount\\nCall Trace:\\n bad_page\\n free_page_is_bad_report\\n __free_pages_ok\\n __free_pages\\n dma_direct_free\\n dma_free_attrs\\n ath12k_qmi_free_target_mem_chunk\\n ath12k_qmi_msg_mem_request_cb\\n\\nThe reason is:\\nOnce ath12k module is loaded, firmware sends memory request to host. In case\\nDMA remap not supported, ath12k refuses the first request due to failure in\\nallocating with large segment size:\\n\\nath12k_pci 0000:04:00.0: qmi firmware request memory request\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144\\nath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size\\nath12k_pci 0000:04:00.0: qmi delays mem_request 2\\nath12k_pci 0000:04:00.0: qmi firmware request memory request\\n\\nLater firmware comes back with more but small segments and allocation\\nsucceeds:\\n\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\n\\nNow ath12k is working. If suspend is triggered, firmware will be reloaded\\nduring resume. As same as before, firmware requests two large segments at\\nfirst. In ath12k_qmi_msg_mem_request_cb() segment count and size are\\nassigned:\\n\\n\\tab->qmi.mem_seg_count == 2\\n\\tab->qmi.target_mem[0].size == 7077888\\n\\tab->qmi.target_mem[1].size == 8454144\\n\\nThen allocation failed like before and ath12k_qmi_free_target_mem_chunk()\\nis called to free all allocated segments. Note the first segment is skipped\\nbecause its v.addr is cleared due to allocation failure:\\n\\n\\tchunk->v.addr = dma_alloc_coherent()\\n\\nAlso note that this leaks that segment because it has not been freed.\\n\\nWhile freeing the second segment, a size of 8454144 is passed to\\ndma_free_coherent(). However remember that this segment is allocated at\\nthe first time firmware is loaded, before suspend. So its real size is\\n524288, much smaller than 8454144. As a result kernel found we are freeing\\nsome memory which is in use and thus cras\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40979\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40980", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40980" + }, + { + "url": "https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e" + }, + { + "url": "https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334" + }, + { + "url": "https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0" + }, + { + "url": "https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5" + }, + { + "url": "https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac" + }, + { + "url": "https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195" + }, + { + "url": "https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40980 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40980", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: replace spin_lock by raw_spin_lock\n\ntrace_drop_common() is called with preemption disabled, and it acquires\na spin_lock. This is problematic for RT kernels because spin_locks are\nsleeping locks in this configuration, which causes the following splat:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n5 locks held by rcuc/47/449:\n #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210\n #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130\n #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210\n #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70\n #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290\nirq event stamp: 139909\nhardirqs last enabled at (139908): [] _raw_spin_unlock_irqrestore+0x63/0x80\nhardirqs last disabled at (139909): [] trace_drop_common.constprop.0+0x26d/0x290\nsoftirqs last enabled at (139892): [] __local_bh_enable_ip+0x103/0x170\nsoftirqs last disabled at (139898): [] rcu_cpu_kthread+0x93/0x1f0\nPreemption disabled at:\n[] rt_mutex_slowunlock+0xab/0x2e0\nCPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7\nHardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022\nCall Trace:\n \n dump_stack_lvl+0x8c/0xd0\n dump_stack+0x14/0x20\n __might_resched+0x21e/0x2f0\n rt_spin_lock+0x5e/0x130\n ? trace_drop_common.constprop.0+0xb5/0x290\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_drop_common.constprop.0+0xb5/0x290\n ? preempt_count_sub+0x1c/0xd0\n ? _raw_spin_unlock_irqrestore+0x4a/0x80\n ? __pfx_trace_drop_common.constprop.0+0x10/0x10\n ? rt_mutex_slowunlock+0x26a/0x2e0\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_rt_mutex_slowunlock+0x10/0x10\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_kfree_skb_hit+0x15/0x20\n trace_kfree_skb+0xe9/0x150\n kfree_skb_reason+0x7b/0x110\n skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10\n ? mark_lock.part.0+0x8a/0x520\n...\n\ntrace_drop_common() also disables interrupts, but this is a minor issue\nbecause we could easily replace it with a local_lock.\n\nReplace the spin_lock with raw_spin_lock to avoid sleeping in atomic\ncontext.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40980\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40980\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40980\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40980\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40980\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e\",\n \"https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334\",\n \"https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0\",\n \"https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5\",\n \"https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac\",\n \"https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195\",\n \"https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrop_monitor: replace spin_lock by raw_spin_lock\\n\\ntrace_drop_common() is called with preemption disabled, and it acquires\\na spin_lock. This is problematic for RT kernels because spin_locks are\\nsleeping locks in this configuration, which causes the following splat:\\n\\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47\\npreempt_count: 1, expected: 0\\nRCU nest depth: 2, expected: 2\\n5 locks held by rcuc/47/449:\\n #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210\\n #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130\\n #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210\\n #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70\\n #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290\\nirq event stamp: 139909\\nhardirqs last enabled at (139908): [] _raw_spin_unlock_irqrestore+0x63/0x80\\nhardirqs last disabled at (139909): [] trace_drop_common.constprop.0+0x26d/0x290\\nsoftirqs last enabled at (139892): [] __local_bh_enable_ip+0x103/0x170\\nsoftirqs last disabled at (139898): [] rcu_cpu_kthread+0x93/0x1f0\\nPreemption disabled at:\\n[] rt_mutex_slowunlock+0xab/0x2e0\\nCPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7\\nHardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022\\nCall Trace:\\n \\n dump_stack_lvl+0x8c/0xd0\\n dump_stack+0x14/0x20\\n __might_resched+0x21e/0x2f0\\n rt_spin_lock+0x5e/0x130\\n ? trace_drop_common.constprop.0+0xb5/0x290\\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\\n trace_drop_common.constprop.0+0xb5/0x290\\n ? preempt_count_sub+0x1c/0xd0\\n ? _raw_spin_unlock_irqrestore+0x4a/0x80\\n ? __pfx_trace_drop_common.constprop.0+0x10/0x10\\n ? rt_mutex_slowunlock+0x26a/0x2e0\\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\\n ? __pfx_rt_mutex_slowunlock+0x10/0x10\\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\\n trace_kfree_skb_hit+0x15/0x20\\n trace_kfree_skb+0xe9/0x150\\n kfree_skb_reason+0x7b/0x110\\n skb_queue_purge_reason.part.0+0x1bf/0x230\\n ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10\\n ? mark_lock.part.0+0x8a/0x520\\n...\\n\\ntrace_drop_common() also disables interrupts, but this is a minor issue\\nbecause we could easily replace it with a local_lock.\\n\\nReplace the spin_lock with raw_spin_lock to avoid sleeping in atomic\\ncontext.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40980\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40981", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40981" + }, + { + "url": "https://git.kernel.org/stable/c/154e3f862ba33675cf3f4abf0a0a309a89df87d2" + }, + { + "url": "https://git.kernel.org/stable/c/2685008a5f9a636434a8508419cee8158a2f52c8" + }, + { + "url": "https://git.kernel.org/stable/c/40dc8ab605894acae1473e434944924a22cfaaa0" + }, + { + "url": "https://git.kernel.org/stable/c/79636f636126775436a11ee9cf00a9253a33ac11" + }, + { + "url": "https://git.kernel.org/stable/c/82cdea8f3af1e36543c937df963d108c60bea030" + }, + { + "url": "https://git.kernel.org/stable/c/92176caf9896572f00e741a93cecc0ef1172da07" + }, + { + "url": "https://git.kernel.org/stable/c/ae7f3cffe86aea3da0e8e079525a1ae619b8862a" + }, + { + "url": "https://git.kernel.org/stable/c/fed7914858a1f1f3e6350bb0f620d6ef15107d16" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40981 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40981", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bypass empty buckets in batadv_purge_orig_ref()\n\nMany syzbot reports are pointing to soft lockups in\nbatadv_purge_orig_ref() [1]\n\nRoot cause is unknown, but we can avoid spending too much\ntime there and perhaps get more interesting reports.\n\n[1]\n\nwatchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]\nModules linked in:\nirq event stamp: 6182794\n hardirqs last enabled at (6182793): [] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\n hardirqs last disabled at (6182794): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (6182794): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last enabled at (6182792): [] spin_unlock_bh include/linux/spinlock.h:396 [inline]\n softirqs last enabled at (6182792): [] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n softirqs last disabled at (6182790): [] spin_lock_bh include/linux/spinlock.h:356 [inline]\n softirqs last disabled at (6182790): [] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271\nCPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_purge_orig\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]\n pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388\n lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\nsp : ffff800099007970\nx29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000\nx26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001\nx23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4\nx20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0\nx17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001\nx14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003\nx11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000\nCall trace:\n __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]\n arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]\n __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n kthread+0x288/0x310 kernel/kthread.c:388\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51\n lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103\nsp : ffff800093a17d30\nx29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4\nx26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002\nx23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000\nx20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396\nx17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40981\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40981\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40981\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40981\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40981\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/154e3f862ba33675cf3f4abf0a0a309a89df87d2\",\n \"https://git.kernel.org/stable/c/2685008a5f9a636434a8508419cee8158a2f52c8\",\n \"https://git.kernel.org/stable/c/40dc8ab605894acae1473e434944924a22cfaaa0\",\n \"https://git.kernel.org/stable/c/79636f636126775436a11ee9cf00a9253a33ac11\",\n \"https://git.kernel.org/stable/c/82cdea8f3af1e36543c937df963d108c60bea030\",\n \"https://git.kernel.org/stable/c/92176caf9896572f00e741a93cecc0ef1172da07\",\n \"https://git.kernel.org/stable/c/ae7f3cffe86aea3da0e8e079525a1ae619b8862a\",\n \"https://git.kernel.org/stable/c/fed7914858a1f1f3e6350bb0f620d6ef15107d16\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbatman-adv: bypass empty buckets in batadv_purge_orig_ref()\\n\\nMany syzbot reports are pointing to soft lockups in\\nbatadv_purge_orig_ref() [1]\\n\\nRoot cause is unknown, but we can avoid spending too much\\ntime there and perhaps get more interesting reports.\\n\\n[1]\\n\\nwatchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]\\nModules linked in:\\nirq event stamp: 6182794\\n hardirqs last enabled at (6182793): [] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\\n hardirqs last disabled at (6182794): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\\n hardirqs last disabled at (6182794): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\\n softirqs last enabled at (6182792): [] spin_unlock_bh include/linux/spinlock.h:396 [inline]\\n softirqs last enabled at (6182792): [] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\\n softirqs last disabled at (6182790): [] spin_lock_bh include/linux/spinlock.h:356 [inline]\\n softirqs last disabled at (6182790): [] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271\\nCPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\\nWorkqueue: bat_events batadv_purge_orig\\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]\\n pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388\\n lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\\nsp : ffff800099007970\\nx29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000\\nx26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001\\nx23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4\\nx20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0\\nx17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001\\nx14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003\\nx11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000\\nx8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000\\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\\nx2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000\\nCall trace:\\n __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]\\n arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]\\n __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386\\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\\n _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210\\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\\n batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\\n batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300\\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\\n process_scheduled_works kernel/workqueue.c:2706 [inline]\\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\\n kthread+0x288/0x310 kernel/kthread.c:388\\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\\nSending NMI from CPU 0 to CPUs 1:\\nNMI backtrace for cpu 1\\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51\\n lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103\\nsp : ffff800093a17d30\\nx29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4\\nx26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002\\nx23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000\\nx20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396\\nx17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40981\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40982", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40982" + }, + { + "url": "https://git.kernel.org/stable/c/789c17185fb0f39560496c2beab9b57ce1d0cbe7" + }, + { + "url": "https://git.kernel.org/stable/c/7d43c8377c6fc846b1812f8df360425c9323dc56" + }, + { + "url": "https://git.kernel.org/stable/c/c5dc2d8eb3981bae261ea7d1060a80868e886813" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40982 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40982", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nssb: Fix potential NULL pointer dereference in ssb_device_uevent()\n\nThe ssb_device_uevent() function first attempts to convert the 'dev' pointer\nto 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before\nperforming the NULL check, potentially leading to a NULL pointer\ndereference if 'dev' is NULL.\n\nTo fix this issue, move the NULL check before dereferencing the 'dev' pointer,\nensuring that the pointer is valid before attempting to use it.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40982\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40982\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40982\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40982\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40982\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/789c17185fb0f39560496c2beab9b57ce1d0cbe7\",\n \"https://git.kernel.org/stable/c/7d43c8377c6fc846b1812f8df360425c9323dc56\",\n \"https://git.kernel.org/stable/c/c5dc2d8eb3981bae261ea7d1060a80868e886813\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nssb: Fix potential NULL pointer dereference in ssb_device_uevent()\\n\\nThe ssb_device_uevent() function first attempts to convert the 'dev' pointer\\nto 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before\\nperforming the NULL check, potentially leading to a NULL pointer\\ndereference if 'dev' is NULL.\\n\\nTo fix this issue, move the NULL check before dereferencing the 'dev' pointer,\\nensuring that the pointer is valid before attempting to use it.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40982\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40983", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40983" + }, + { + "url": "https://git.kernel.org/stable/c/2ebe8f840c7450ecbfca9d18ac92e9ce9155e269" + }, + { + "url": "https://git.kernel.org/stable/c/3eb1b39627892c4e26cb0162b75725aa5fcc60c8" + }, + { + "url": "https://git.kernel.org/stable/c/623c90d86a61e3780f682b32928af469c66ec4c2" + }, + { + "url": "https://git.kernel.org/stable/c/6808b41371670c51feea14f63ade211e78100930" + }, + { + "url": "https://git.kernel.org/stable/c/692803b39a36e63ac73208e0a3769ae6a2f9bc76" + }, + { + "url": "https://git.kernel.org/stable/c/b57a4a2dc8746cea58a922ebe31b6aa629d69d93" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40983 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40983", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: force a dst refcount before doing decryption\n\nAs it says in commit 3bc07321ccc2 (\"xfrm: Force a dst refcount before\nentering the xfrm type handlers\"):\n\n\"Crypto requests might return asynchronous. In this case we leave the\n rcu protected region, so force a refcount on the skb's destination\n entry before we enter the xfrm type input/output handlers.\"\n\nOn TIPC decryption path it has the same problem, and skb_dst_force()\nshould be called before doing decryption to avoid a possible crash.\n\nShuang reported this issue when this warning is triggered:\n\n [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug\n [] Workqueue: crypto cryptd_queue_worker\n [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Call Trace:\n [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]\n [] tipc_rcv+0xcf5/0x1060 [tipc]\n [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]\n [] cryptd_aead_crypt+0xdb/0x190\n [] cryptd_queue_worker+0xed/0x190\n [] process_one_work+0x93d/0x17e0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40983\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40983\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40983\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40983\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40983\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ebe8f840c7450ecbfca9d18ac92e9ce9155e269\",\n \"https://git.kernel.org/stable/c/3eb1b39627892c4e26cb0162b75725aa5fcc60c8\",\n \"https://git.kernel.org/stable/c/623c90d86a61e3780f682b32928af469c66ec4c2\",\n \"https://git.kernel.org/stable/c/6808b41371670c51feea14f63ade211e78100930\",\n \"https://git.kernel.org/stable/c/692803b39a36e63ac73208e0a3769ae6a2f9bc76\",\n \"https://git.kernel.org/stable/c/b57a4a2dc8746cea58a922ebe31b6aa629d69d93\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: force a dst refcount before doing decryption\\n\\nAs it says in commit 3bc07321ccc2 (\\\"xfrm: Force a dst refcount before\\nentering the xfrm type handlers\\\"):\\n\\n\\\"Crypto requests might return asynchronous. In this case we leave the\\n rcu protected region, so force a refcount on the skb's destination\\n entry before we enter the xfrm type input/output handlers.\\\"\\n\\nOn TIPC decryption path it has the same problem, and skb_dst_force()\\nshould be called before doing decryption to avoid a possible crash.\\n\\nShuang reported this issue when this warning is triggered:\\n\\n [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]\\n [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug\\n [] Workqueue: crypto cryptd_queue_worker\\n [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]\\n [] Call Trace:\\n [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]\\n [] tipc_rcv+0xcf5/0x1060 [tipc]\\n [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]\\n [] cryptd_aead_crypt+0xdb/0x190\\n [] cryptd_queue_worker+0xed/0x190\\n [] process_one_work+0x93d/0x17e0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40983\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40984", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40984" + }, + { + "url": "https://git.kernel.org/stable/c/434c6b924e1f4c219aab2d9e05fe79c5364e37d3" + }, + { + "url": "https://git.kernel.org/stable/c/435ecc978c3d5d0c4e172ec5b956dc1904061d98" + }, + { + "url": "https://git.kernel.org/stable/c/6eca23100e9030725f69c1babacd58803f29ec8d" + }, + { + "url": "https://git.kernel.org/stable/c/a83e1385b780d41307433ddbc86e3c528db031f0" + }, + { + "url": "https://git.kernel.org/stable/c/ae465109d82f4fb03c5adbe85f2d6a6a3d59124c" + }, + { + "url": "https://git.kernel.org/stable/c/dc5017c57f5eee80020c73ff8b67ba7f9fd08b1f" + }, + { + "url": "https://git.kernel.org/stable/c/ddc1f5f124479360a1fd43f73be950781d172239" + }, + { + "url": "https://git.kernel.org/stable/c/e21a4c9129c72fa54dd00f5ebf71219b41d43c04" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40984 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40984", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\"\n\nUndo the modifications made in commit d410ee5109a1 (\"ACPICA: avoid\n\"Info: mapping multiple BARs. Your kernel is fine.\"\"). The initial\npurpose of this commit was to stop memory mappings for operation\nregions from overlapping page boundaries, as it can trigger warnings\nif different page attributes are present.\n\nHowever, it was found that when this situation arises, mapping\ncontinues until the boundary's end, but there is still an attempt to\nread/write the entire length of the map, leading to a NULL pointer\ndeference. For example, if a four-byte mapping request is made but\nonly one byte is mapped because it hits the current page boundary's\nend, a four-byte read/write attempt is still made, resulting in a NULL\npointer deference.\n\nInstead, map the entire length, as the ACPI specification does not\nmandate that it must be within the same page boundary. It is\npermissible for it to be mapped across different regions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40984\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40984\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40984\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40984\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40984\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/434c6b924e1f4c219aab2d9e05fe79c5364e37d3\",\n \"https://git.kernel.org/stable/c/435ecc978c3d5d0c4e172ec5b956dc1904061d98\",\n \"https://git.kernel.org/stable/c/6eca23100e9030725f69c1babacd58803f29ec8d\",\n \"https://git.kernel.org/stable/c/a83e1385b780d41307433ddbc86e3c528db031f0\",\n \"https://git.kernel.org/stable/c/ae465109d82f4fb03c5adbe85f2d6a6a3d59124c\",\n \"https://git.kernel.org/stable/c/dc5017c57f5eee80020c73ff8b67ba7f9fd08b1f\",\n \"https://git.kernel.org/stable/c/ddc1f5f124479360a1fd43f73be950781d172239\",\n \"https://git.kernel.org/stable/c/e21a4c9129c72fa54dd00f5ebf71219b41d43c04\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nACPICA: Revert \\\"ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\\\"\\n\\nUndo the modifications made in commit d410ee5109a1 (\\\"ACPICA: avoid\\n\\\"Info: mapping multiple BARs. Your kernel is fine.\\\"\\\"). The initial\\npurpose of this commit was to stop memory mappings for operation\\nregions from overlapping page boundaries, as it can trigger warnings\\nif different page attributes are present.\\n\\nHowever, it was found that when this situation arises, mapping\\ncontinues until the boundary's end, but there is still an attempt to\\nread/write the entire length of the map, leading to a NULL pointer\\ndeference. For example, if a four-byte mapping request is made but\\nonly one byte is mapped because it hits the current page boundary's\\nend, a four-byte read/write attempt is still made, resulting in a NULL\\npointer deference.\\n\\nInstead, map the entire length, as the ACPI specification does not\\nmandate that it must be within the same page boundary. It is\\npermissible for it to be mapped across different regions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40984\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40987", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40987" + }, + { + "url": "https://git.kernel.org/stable/c/1c44f7759a5650acf8f13d3e0a184d09e03be9e4" + }, + { + "url": "https://git.kernel.org/stable/c/4ad7d49059358ceadd352b4e2511425bdb68f400" + }, + { + "url": "https://git.kernel.org/stable/c/4d020c1dbd2b2304f44d003e6de956ae570049dc" + }, + { + "url": "https://git.kernel.org/stable/c/b065d79ed06a0bb4377bc6dcc2ff0cb1f55a798f" + }, + { + "url": "https://git.kernel.org/stable/c/b0d612619ed70cab476c77b19e00d13aa414e14f" + }, + { + "url": "https://git.kernel.org/stable/c/d8a04a6bfa75251ba7bcc3651ed211e82f13f388" + }, + { + "url": "https://git.kernel.org/stable/c/f0d576f840153392d04b2d52cf3adab8f62e8cb6" + }, + { + "url": "https://git.kernel.org/stable/c/fc5cb952e6723c5c55e47b8cf94a891bd4af1a86" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40987 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40987", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40987\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40987\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40987\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40987\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40987\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c44f7759a5650acf8f13d3e0a184d09e03be9e4\",\n \"https://git.kernel.org/stable/c/4ad7d49059358ceadd352b4e2511425bdb68f400\",\n \"https://git.kernel.org/stable/c/4d020c1dbd2b2304f44d003e6de956ae570049dc\",\n \"https://git.kernel.org/stable/c/b065d79ed06a0bb4377bc6dcc2ff0cb1f55a798f\",\n \"https://git.kernel.org/stable/c/b0d612619ed70cab476c77b19e00d13aa414e14f\",\n \"https://git.kernel.org/stable/c/d8a04a6bfa75251ba7bcc3651ed211e82f13f388\",\n \"https://git.kernel.org/stable/c/f0d576f840153392d04b2d52cf3adab8f62e8cb6\",\n \"https://git.kernel.org/stable/c/fc5cb952e6723c5c55e47b8cf94a891bd4af1a86\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: fix UBSAN warning in kv_dpm.c\\n\\nAdds bounds check for sumo_vid_mapping_entry.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40987\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40988", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40988" + }, + { + "url": "https://git.kernel.org/stable/c/07e8f15fa16695cf4c90e89854e59af4a760055b" + }, + { + "url": "https://git.kernel.org/stable/c/468a50fd46a09bba7ba18a11054ae64b6479ecdc" + }, + { + "url": "https://git.kernel.org/stable/c/9e57611182a817824a17b1c3dd300ee74a174b42" + }, + { + "url": "https://git.kernel.org/stable/c/a498df5421fd737d11bfd152428ba6b1c8538321" + }, + { + "url": "https://git.kernel.org/stable/c/a8c6df9fe5bc390645d1e96eff14ffe414951aad" + }, + { + "url": "https://git.kernel.org/stable/c/cf1cc8fcfe517e108794fb711f7faabfca0dc855" + }, + { + "url": "https://git.kernel.org/stable/c/f803532bc3825384100dfc58873e035d77248447" + }, + { + "url": "https://git.kernel.org/stable/c/febe794b83693257f21a23d2e03ea695a62449c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40988 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40988", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40988\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40988\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40988\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40988\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40988\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07e8f15fa16695cf4c90e89854e59af4a760055b\",\n \"https://git.kernel.org/stable/c/468a50fd46a09bba7ba18a11054ae64b6479ecdc\",\n \"https://git.kernel.org/stable/c/9e57611182a817824a17b1c3dd300ee74a174b42\",\n \"https://git.kernel.org/stable/c/a498df5421fd737d11bfd152428ba6b1c8538321\",\n \"https://git.kernel.org/stable/c/a8c6df9fe5bc390645d1e96eff14ffe414951aad\",\n \"https://git.kernel.org/stable/c/cf1cc8fcfe517e108794fb711f7faabfca0dc855\",\n \"https://git.kernel.org/stable/c/f803532bc3825384100dfc58873e035d77248447\",\n \"https://git.kernel.org/stable/c/febe794b83693257f21a23d2e03ea695a62449c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/radeon: fix UBSAN warning in kv_dpm.c\\n\\nAdds bounds check for sumo_vid_mapping_entry.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40988\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40989", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40989" + }, + { + "url": "https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8" + }, + { + "url": "https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76" + }, + { + "url": "https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c" + }, + { + "url": "https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40989 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40989", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\n\nWhen tearing down a redistributor region, make sure we don't have\nany dangling pointer to that region stored in a vcpu.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40989\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40989\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40989\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40989\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40989\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8\",\n \"https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76\",\n \"https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c\",\n \"https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\\n\\nWhen tearing down a redistributor region, make sure we don't have\\nany dangling pointer to that region stored in a vcpu.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40989\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40990", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40990" + }, + { + "url": "https://git.kernel.org/stable/c/1e692244bf7dd827dd72edc6c4a3b36ae572f03c" + }, + { + "url": "https://git.kernel.org/stable/c/36ab7ada64caf08f10ee5a114d39964d1f91e81d" + }, + { + "url": "https://git.kernel.org/stable/c/4ab99e3613139f026d2d8ba954819e2876120ab3" + }, + { + "url": "https://git.kernel.org/stable/c/7186b81c1f15e39069b1af172c6a951728ed3511" + }, + { + "url": "https://git.kernel.org/stable/c/999586418600b4b3b93c2a0edd3a4ca71ee759bf" + }, + { + "url": "https://git.kernel.org/stable/c/e0deb0e9c967b61420235f7f17a4450b4b4d6ce2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40990 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40990", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Add check for srq max_sge attribute\n\nmax_sge attribute is passed by the user, and is inserted and used\nunchecked, so verify that the value doesn't exceed maximum allowed value\nbefore using it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40990\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40990\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40990\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40990\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40990\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e692244bf7dd827dd72edc6c4a3b36ae572f03c\",\n \"https://git.kernel.org/stable/c/36ab7ada64caf08f10ee5a114d39964d1f91e81d\",\n \"https://git.kernel.org/stable/c/4ab99e3613139f026d2d8ba954819e2876120ab3\",\n \"https://git.kernel.org/stable/c/7186b81c1f15e39069b1af172c6a951728ed3511\",\n \"https://git.kernel.org/stable/c/999586418600b4b3b93c2a0edd3a4ca71ee759bf\",\n \"https://git.kernel.org/stable/c/e0deb0e9c967b61420235f7f17a4450b4b4d6ce2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/mlx5: Add check for srq max_sge attribute\\n\\nmax_sge attribute is passed by the user, and is inserted and used\\nunchecked, so verify that the value doesn't exceed maximum allowed value\\nbefore using it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40990\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40994", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40994" + }, + { + "url": "https://git.kernel.org/stable/c/4b03da87d0b7074c93d9662c6e1a8939f9b8b86e" + }, + { + "url": "https://git.kernel.org/stable/c/666e934d749e50a37f3796caaf843a605f115b6f" + }, + { + "url": "https://git.kernel.org/stable/c/81d23d2a24012e448f651e007fac2cfd20a45ce0" + }, + { + "url": "https://git.kernel.org/stable/c/d50d62d5e6ee6aa03c00bddb91745d0b632d3b0f" + }, + { + "url": "https://git.kernel.org/stable/c/e1fccfb4638ee6188377867f6015d0ce35764a8e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40994 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40994", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: fix integer overflow in max_vclocks_store\n\nOn 32bit systems, the \"4 * max\" multiply can overflow. Use kcalloc()\nto do the allocation to prevent this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40994\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40994\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40994\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40994\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40994\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b03da87d0b7074c93d9662c6e1a8939f9b8b86e\",\n \"https://git.kernel.org/stable/c/666e934d749e50a37f3796caaf843a605f115b6f\",\n \"https://git.kernel.org/stable/c/81d23d2a24012e448f651e007fac2cfd20a45ce0\",\n \"https://git.kernel.org/stable/c/d50d62d5e6ee6aa03c00bddb91745d0b632d3b0f\",\n \"https://git.kernel.org/stable/c/e1fccfb4638ee6188377867f6015d0ce35764a8e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nptp: fix integer overflow in max_vclocks_store\\n\\nOn 32bit systems, the \\\"4 * max\\\" multiply can overflow. Use kcalloc()\\nto do the allocation to prevent this.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40994\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40995", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40995" + }, + { + "url": "https://git.kernel.org/stable/c/0d8a2d287c8a394c0d4653f0c6c7be4c688e5a74" + }, + { + "url": "https://git.kernel.org/stable/c/25987a97eec4d5f897cd04ee1b45170829c610da" + }, + { + "url": "https://git.kernel.org/stable/c/5f926aa96b08b6c47178fe1171e7ae331c695fc2" + }, + { + "url": "https://git.kernel.org/stable/c/6fc78d67f51aeb9a542d39a8714e16bc411582d4" + }, + { + "url": "https://git.kernel.org/stable/c/7a0e497b597df7c4cf2b63fc6e9188b6cabe5335" + }, + { + "url": "https://git.kernel.org/stable/c/c6a7da65a296745535a964be1019ec7691b0cb90" + }, + { + "url": "https://git.kernel.org/stable/c/d864319871b05fadd153e0aede4811ca7008f5d6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40995 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40995", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()\n\nsyzbot found hanging tasks waiting on rtnl_lock [1]\n\nA reproducer is available in the syzbot bug.\n\nWhen a request to add multiple actions with the same index is sent, the\nsecond request will block forever on the first request. This holds\nrtnl_lock, and causes tasks to hang.\n\nReturn -EAGAIN to prevent infinite looping, while keeping documented\nbehavior.\n\n[1]\n\nINFO: task kworker/1:0:5088 blocked for more than 143 seconds.\nNot tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000\nWorkqueue: events_power_efficient reg_check_chans_work\nCall Trace:\n\ncontext_switch kernel/sched/core.c:5409 [inline]\n__schedule+0xf15/0x5d00 kernel/sched/core.c:6746\n__schedule_loop kernel/sched/core.c:6823 [inline]\nschedule+0xe7/0x350 kernel/sched/core.c:6838\nschedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895\n__mutex_lock_common kernel/locking/mutex.c:684 [inline]\n__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752\nwiphy_lock include/net/cfg80211.h:5953 [inline]\nreg_leave_invalid_chans net/wireless/reg.c:2466 [inline]\nreg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40995\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40995\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40995\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40995\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40995\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d8a2d287c8a394c0d4653f0c6c7be4c688e5a74\",\n \"https://git.kernel.org/stable/c/25987a97eec4d5f897cd04ee1b45170829c610da\",\n \"https://git.kernel.org/stable/c/5f926aa96b08b6c47178fe1171e7ae331c695fc2\",\n \"https://git.kernel.org/stable/c/6fc78d67f51aeb9a542d39a8714e16bc411582d4\",\n \"https://git.kernel.org/stable/c/7a0e497b597df7c4cf2b63fc6e9188b6cabe5335\",\n \"https://git.kernel.org/stable/c/c6a7da65a296745535a964be1019ec7691b0cb90\",\n \"https://git.kernel.org/stable/c/d864319871b05fadd153e0aede4811ca7008f5d6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()\\n\\nsyzbot found hanging tasks waiting on rtnl_lock [1]\\n\\nA reproducer is available in the syzbot bug.\\n\\nWhen a request to add multiple actions with the same index is sent, the\\nsecond request will block forever on the first request. This holds\\nrtnl_lock, and causes tasks to hang.\\n\\nReturn -EAGAIN to prevent infinite looping, while keeping documented\\nbehavior.\\n\\n[1]\\n\\nINFO: task kworker/1:0:5088 blocked for more than 143 seconds.\\nNot tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0\\n\\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\ntask:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000\\nWorkqueue: events_power_efficient reg_check_chans_work\\nCall Trace:\\n\\ncontext_switch kernel/sched/core.c:5409 [inline]\\n__schedule+0xf15/0x5d00 kernel/sched/core.c:6746\\n__schedule_loop kernel/sched/core.c:6823 [inline]\\nschedule+0xe7/0x350 kernel/sched/core.c:6838\\nschedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895\\n__mutex_lock_common kernel/locking/mutex.c:684 [inline]\\n__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752\\nwiphy_lock include/net/cfg80211.h:5953 [inline]\\nreg_leave_invalid_chans net/wireless/reg.c:2466 [inline]\\nreg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40995\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40997", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40997" + }, + { + "url": "https://git.kernel.org/stable/c/448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd" + }, + { + "url": "https://git.kernel.org/stable/c/8015c17fe11a8608cc3eb83d0ab831e1845a9582" + }, + { + "url": "https://git.kernel.org/stable/c/cea04f3d9aeebda9d9c063c0dfa71e739c322c81" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40997 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40997", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: fix memory leak on CPU EPP exit\n\nThe cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is\nnot freed in the analogous exit function, so fix that.\n\n[ rjw: Subject and changelog edits ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40997\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40997\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40997\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40997\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40997\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd\",\n \"https://git.kernel.org/stable/c/8015c17fe11a8608cc3eb83d0ab831e1845a9582\",\n \"https://git.kernel.org/stable/c/cea04f3d9aeebda9d9c063c0dfa71e739c322c81\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncpufreq: amd-pstate: fix memory leak on CPU EPP exit\\n\\nThe cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is\\nnot freed in the analogous exit function, so fix that.\\n\\n[ rjw: Subject and changelog edits ]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40997\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40998", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40998" + }, + { + "url": "https://git.kernel.org/stable/c/23afcd52af06880c6c913a0ad99022b8937b575c" + }, + { + "url": "https://git.kernel.org/stable/c/645267906944a9aeec9d5c56ee24a9096a288798" + }, + { + "url": "https://git.kernel.org/stable/c/b4b4fda34e535756f9e774fb2d09c4537b7dfd1c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40998 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40998", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()\n\nIn the following concurrency we will access the uninitialized rs->lock:\n\next4_fill_super\n ext4_register_sysfs\n // sysfs registered msg_ratelimit_interval_ms\n // Other processes modify rs->interval to\n // non-zero via msg_ratelimit_interval_ms\n ext4_orphan_cleanup\n ext4_msg(sb, KERN_INFO, \"Errors on filesystem, \"\n __ext4_msg\n ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)\n if (!rs->interval) // do nothing if interval is 0\n return 1;\n raw_spin_trylock_irqsave(&rs->lock, flags)\n raw_spin_trylock(lock)\n _raw_spin_trylock\n __raw_spin_trylock\n spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)\n lock_acquire\n __lock_acquire\n register_lock_class\n assign_lock_key\n dump_stack();\n ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);\n raw_spin_lock_init(&rs->lock);\n // init rs->lock here\n\nand get the following dump_stack:\n\n=========================================================\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504\n[...]\nCall Trace:\n dump_stack_lvl+0xc5/0x170\n dump_stack+0x18/0x30\n register_lock_class+0x740/0x7c0\n __lock_acquire+0x69/0x13a0\n lock_acquire+0x120/0x450\n _raw_spin_trylock+0x98/0xd0\n ___ratelimit+0xf6/0x220\n __ext4_msg+0x7f/0x160 [ext4]\n ext4_orphan_cleanup+0x665/0x740 [ext4]\n __ext4_fill_super+0x21ea/0x2b10 [ext4]\n ext4_fill_super+0x14d/0x360 [ext4]\n[...]\n=========================================================\n\nNormally interval is 0 until s_msg_ratelimit_state is initialized, so\n___ratelimit() does nothing. But registering sysfs precedes initializing\nrs->lock, so it is possible to change rs->interval to a non-zero value\nvia the msg_ratelimit_interval_ms interface of sysfs while rs->lock is\nuninitialized, and then a call to ext4_msg triggers the problem by\naccessing an uninitialized rs->lock. Therefore register sysfs after all\ninitializations are complete to avoid such problems.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40998\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40998\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40998\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40998\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40998\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23afcd52af06880c6c913a0ad99022b8937b575c\",\n \"https://git.kernel.org/stable/c/645267906944a9aeec9d5c56ee24a9096a288798\",\n \"https://git.kernel.org/stable/c/b4b4fda34e535756f9e774fb2d09c4537b7dfd1c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()\\n\\nIn the following concurrency we will access the uninitialized rs->lock:\\n\\next4_fill_super\\n ext4_register_sysfs\\n // sysfs registered msg_ratelimit_interval_ms\\n // Other processes modify rs->interval to\\n // non-zero via msg_ratelimit_interval_ms\\n ext4_orphan_cleanup\\n ext4_msg(sb, KERN_INFO, \\\"Errors on filesystem, \\\"\\n __ext4_msg\\n ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)\\n if (!rs->interval) // do nothing if interval is 0\\n return 1;\\n raw_spin_trylock_irqsave(&rs->lock, flags)\\n raw_spin_trylock(lock)\\n _raw_spin_trylock\\n __raw_spin_trylock\\n spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)\\n lock_acquire\\n __lock_acquire\\n register_lock_class\\n assign_lock_key\\n dump_stack();\\n ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);\\n raw_spin_lock_init(&rs->lock);\\n // init rs->lock here\\n\\nand get the following dump_stack:\\n\\n=========================================================\\nINFO: trying to register non-static key.\\nThe code is fine but needs lockdep annotation, or maybe\\nyou didn't initialize this object before use?\\nturning off the locking correctness validator.\\nCPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504\\n[...]\\nCall Trace:\\n dump_stack_lvl+0xc5/0x170\\n dump_stack+0x18/0x30\\n register_lock_class+0x740/0x7c0\\n __lock_acquire+0x69/0x13a0\\n lock_acquire+0x120/0x450\\n _raw_spin_trylock+0x98/0xd0\\n ___ratelimit+0xf6/0x220\\n __ext4_msg+0x7f/0x160 [ext4]\\n ext4_orphan_cleanup+0x665/0x740 [ext4]\\n __ext4_fill_super+0x21ea/0x2b10 [ext4]\\n ext4_fill_super+0x14d/0x360 [ext4]\\n[...]\\n=========================================================\\n\\nNormally interval is 0 until s_msg_ratelimit_state is initialized, so\\n___ratelimit() does nothing. But registering sysfs precedes initializing\\nrs->lock, so it is possible to change rs->interval to a non-zero value\\nvia the msg_ratelimit_interval_ms interface of sysfs while rs->lock is\\nuninitialized, and then a call to ext4_msg triggers the problem by\\naccessing an uninitialized rs->lock. Therefore register sysfs after all\\ninitializations are complete to avoid such problems.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40998\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40999", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40999" + }, + { + "url": "https://git.kernel.org/stable/c/42146ee5286f16f1674a84f7c274dcca65c6ff2e" + }, + { + "url": "https://git.kernel.org/stable/c/b37b98a3a0c1198bafe8c2d9ce0bc845b4e7a9a7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40999 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40999", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Add validation for completion descriptors consistency\n\nValidate that `first` flag is set only for the first\ndescriptor in multi-buffer packets.\nIn case of an invalid descriptor, a reset will occur.\nA new reset reason for RX data corruption has been added.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40999\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40999\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40999\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40999\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40999\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/42146ee5286f16f1674a84f7c274dcca65c6ff2e\",\n \"https://git.kernel.org/stable/c/b37b98a3a0c1198bafe8c2d9ce0bc845b4e7a9a7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ena: Add validation for completion descriptors consistency\\n\\nValidate that `first` flag is set only for the first\\ndescriptor in multi-buffer packets.\\nIn case of an invalid descriptor, a reset will occur.\\nA new reset reason for RX data corruption has been added.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40999\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41000", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41000" + }, + { + "url": "https://git.kernel.org/stable/c/3220c90f4dbdc6d20d0608b164d964434a810d66" + }, + { + "url": "https://git.kernel.org/stable/c/54160fb1db2de367485f21e30196c42f7ee0be4e" + }, + { + "url": "https://git.kernel.org/stable/c/58706e482bf45c4db48b0c53aba2468c97adda24" + }, + { + "url": "https://git.kernel.org/stable/c/61ec76ec930709b7bcd69029ef1fe90491f20cf9" + }, + { + "url": "https://git.kernel.org/stable/c/ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9" + }, + { + "url": "https://git.kernel.org/stable/c/fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41000 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41000", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/ioctl: prefer different overflow check\n\nRunning syzkaller with the newly reintroduced signed integer overflow\nsanitizer shows this report:\n\n[ 62.982337] ------------[ cut here ]------------\n[ 62.985692] cgroup: Invalid name\n[ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46\n[ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1\n[ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'\n[ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1\n[ 62.999369] random: crng reseeded on system resumption\n[ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)\n[ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 63.000682] Call Trace:\n[ 63.000686] \n[ 63.000731] dump_stack_lvl+0x93/0xd0\n[ 63.000919] __get_user_pages+0x903/0xd30\n[ 63.001030] __gup_longterm_locked+0x153e/0x1ba0\n[ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50\n[ 63.001072] ? try_get_folio+0x29c/0x2d0\n[ 63.001083] internal_get_user_pages_fast+0x1119/0x1530\n[ 63.001109] iov_iter_extract_pages+0x23b/0x580\n[ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220\n[ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410\n[ 63.001297] __iomap_dio_rw+0xab4/0x1810\n[ 63.001316] iomap_dio_rw+0x45/0xa0\n[ 63.001328] ext4_file_write_iter+0xdde/0x1390\n[ 63.001372] vfs_write+0x599/0xbd0\n[ 63.001394] ksys_write+0xc8/0x190\n[ 63.001403] do_syscall_64+0xd4/0x1b0\n[ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60\n[ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77\n[ 63.001535] RIP: 0033:0x7f7fd3ebf539\n[ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\n[ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539\n[ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004\n[ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000\n[ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8\n...\n[ 63.018142] ---[ end trace ]---\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang; It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rework this overflow checking logic to not actually perform an\noverflow during the check itself, thus avoiding the UBSAN splat.\n\n[1]: https://github.com/llvm/llvm-project/pull/82432", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41000\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41000\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41000\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41000\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41000\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3220c90f4dbdc6d20d0608b164d964434a810d66\",\n \"https://git.kernel.org/stable/c/54160fb1db2de367485f21e30196c42f7ee0be4e\",\n \"https://git.kernel.org/stable/c/58706e482bf45c4db48b0c53aba2468c97adda24\",\n \"https://git.kernel.org/stable/c/61ec76ec930709b7bcd69029ef1fe90491f20cf9\",\n \"https://git.kernel.org/stable/c/ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9\",\n \"https://git.kernel.org/stable/c/fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock/ioctl: prefer different overflow check\\n\\nRunning syzkaller with the newly reintroduced signed integer overflow\\nsanitizer shows this report:\\n\\n[ 62.982337] ------------[ cut here ]------------\\n[ 62.985692] cgroup: Invalid name\\n[ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46\\n[ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1\\n[ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'\\n[ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1\\n[ 62.999369] random: crng reseeded on system resumption\\n[ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)\\n[ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\\n[ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\\n[ 63.000682] Call Trace:\\n[ 63.000686] \\n[ 63.000731] dump_stack_lvl+0x93/0xd0\\n[ 63.000919] __get_user_pages+0x903/0xd30\\n[ 63.001030] __gup_longterm_locked+0x153e/0x1ba0\\n[ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50\\n[ 63.001072] ? try_get_folio+0x29c/0x2d0\\n[ 63.001083] internal_get_user_pages_fast+0x1119/0x1530\\n[ 63.001109] iov_iter_extract_pages+0x23b/0x580\\n[ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220\\n[ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410\\n[ 63.001297] __iomap_dio_rw+0xab4/0x1810\\n[ 63.001316] iomap_dio_rw+0x45/0xa0\\n[ 63.001328] ext4_file_write_iter+0xdde/0x1390\\n[ 63.001372] vfs_write+0x599/0xbd0\\n[ 63.001394] ksys_write+0xc8/0x190\\n[ 63.001403] do_syscall_64+0xd4/0x1b0\\n[ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60\\n[ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77\\n[ 63.001535] RIP: 0033:0x7f7fd3ebf539\\n[ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\\n[ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\n[ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539\\n[ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004\\n[ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000\\n[ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\\n[ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8\\n...\\n[ 63.018142] ---[ end trace ]---\\n\\nHistorically, the signed integer overflow sanitizer did not work in the\\nkernel due to its interaction with `-fwrapv` but this has since been\\nchanged [1] in the newest version of Clang; It was re-enabled in the\\nkernel with Commit 557f8c582a9ba8ab (\\\"ubsan: Reintroduce signed overflow\\nsanitizer\\\").\\n\\nLet's rework this overflow checking logic to not actually perform an\\noverflow during the check itself, thus avoiding the UBSAN splat.\\n\\n[1]: https://github.com/llvm/llvm-project/pull/82432\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41000\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41001", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41001" + }, + { + "url": "https://git.kernel.org/stable/c/55c22375cbaa24f77dd13f9ae0642915444a1227" + }, + { + "url": "https://git.kernel.org/stable/c/9e810bd995823786ea30543e480e8a573e5e5667" + }, + { + "url": "https://git.kernel.org/stable/c/a40e90d9304629002fb17200f7779823a81191d3" + }, + { + "url": "https://git.kernel.org/stable/c/c4ce0ab27646f4206a9eb502d6fe45cb080e1cae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41001 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41001", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/sqpoll: work around a potential audit memory leak\n\nkmemleak complains that there's a memory leak related to connect\nhandling:\n\nunreferenced object 0xffff0001093bdf00 (size 128):\ncomm \"iou-sqp-455\", pid 457, jiffies 4294894164\nhex dump (first 32 bytes):\n02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace (crc 2e481b1a):\n[<00000000c0a26af4>] kmemleak_alloc+0x30/0x38\n[<000000009c30bb45>] kmalloc_trace+0x228/0x358\n[<000000009da9d39f>] __audit_sockaddr+0xd0/0x138\n[<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8\n[<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4\n[<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48\n[<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4\n[<00000000d999b491>] ret_from_fork+0x10/0x20\n\nwhich can can happen if:\n\n1) The command type does something on the prep side that triggers an\n audit call.\n2) The thread hasn't done any operations before this that triggered\n an audit call inside ->issue(), where we have audit_uring_entry()\n and audit_uring_exit().\n\nWork around this by issuing a blanket NOP operation before the SQPOLL\ndoes anything.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41001\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41001\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41001\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41001\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41001\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/55c22375cbaa24f77dd13f9ae0642915444a1227\",\n \"https://git.kernel.org/stable/c/9e810bd995823786ea30543e480e8a573e5e5667\",\n \"https://git.kernel.org/stable/c/a40e90d9304629002fb17200f7779823a81191d3\",\n \"https://git.kernel.org/stable/c/c4ce0ab27646f4206a9eb502d6fe45cb080e1cae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring/sqpoll: work around a potential audit memory leak\\n\\nkmemleak complains that there's a memory leak related to connect\\nhandling:\\n\\nunreferenced object 0xffff0001093bdf00 (size 128):\\ncomm \\\"iou-sqp-455\\\", pid 457, jiffies 4294894164\\nhex dump (first 32 bytes):\\n02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00 ................\\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\nbacktrace (crc 2e481b1a):\\n[<00000000c0a26af4>] kmemleak_alloc+0x30/0x38\\n[<000000009c30bb45>] kmalloc_trace+0x228/0x358\\n[<000000009da9d39f>] __audit_sockaddr+0xd0/0x138\\n[<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8\\n[<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4\\n[<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48\\n[<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4\\n[<00000000d999b491>] ret_from_fork+0x10/0x20\\n\\nwhich can can happen if:\\n\\n1) The command type does something on the prep side that triggers an\\n audit call.\\n2) The thread hasn't done any operations before this that triggered\\n an audit call inside ->issue(), where we have audit_uring_entry()\\n and audit_uring_exit().\\n\\nWork around this by issuing a blanket NOP operation before the SQPOLL\\ndoes anything.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41001\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41002", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41002" + }, + { + "url": "https://git.kernel.org/stable/c/36810d2db3496bb8b4db7ccda666674a5efc7b47" + }, + { + "url": "https://git.kernel.org/stable/c/7c42ce556ff65995c8875c9ed64141c14238e7e6" + }, + { + "url": "https://git.kernel.org/stable/c/9f21886370db451b0fdc651f6e41550a1da70601" + }, + { + "url": "https://git.kernel.org/stable/c/a886bcb0f67d1e3d6b2da25b3519de59098200c2" + }, + { + "url": "https://git.kernel.org/stable/c/bba4250757b4ae1680fea435a358d8093f254094" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41002 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41002", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/sec - Fix memory leak for sec resource release\n\nThe AIV is one of the SEC resources. When releasing resources,\nit need to release the AIV resources at the same time.\nOtherwise, memory leakage occurs.\n\nThe aiv resource release is added to the sec resource release\nfunction.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41002\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41002\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41002\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41002\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41002\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36810d2db3496bb8b4db7ccda666674a5efc7b47\",\n \"https://git.kernel.org/stable/c/7c42ce556ff65995c8875c9ed64141c14238e7e6\",\n \"https://git.kernel.org/stable/c/9f21886370db451b0fdc651f6e41550a1da70601\",\n \"https://git.kernel.org/stable/c/a886bcb0f67d1e3d6b2da25b3519de59098200c2\",\n \"https://git.kernel.org/stable/c/bba4250757b4ae1680fea435a358d8093f254094\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: hisilicon/sec - Fix memory leak for sec resource release\\n\\nThe AIV is one of the SEC resources. When releasing resources,\\nit need to release the AIV resources at the same time.\\nOtherwise, memory leakage occurs.\\n\\nThe aiv resource release is added to the sec resource release\\nfunction.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41002\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41004", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41004" + }, + { + "url": "https://git.kernel.org/stable/c/32ef4dc2b1caf5825c0cf50646479608311cafc3" + }, + { + "url": "https://git.kernel.org/stable/c/3572bd5689b0812b161b40279e39ca5b66d73e88" + }, + { + "url": "https://git.kernel.org/stable/c/55d5d08174366efe57ca9e79964828b20c626c45" + }, + { + "url": "https://git.kernel.org/stable/c/72a0199b361df2387018697b023fdcdd357449a9" + }, + { + "url": "https://git.kernel.org/stable/c/98a7bfc48fffe170a60d87a5cbb7cdddf08184c3" + }, + { + "url": "https://git.kernel.org/stable/c/a85bae262ccecc52a40c466ec067f6c915e0839d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41004 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41004", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Build event generation tests only as modules\n\nThe kprobes and synth event generation test modules add events and lock\n(get a reference) those event file reference in module init function,\nand unlock and delete it in module exit function. This is because those\nare designed for playing as modules.\n\nIf we make those modules as built-in, those events are left locked in the\nkernel, and never be removed. This causes kprobe event self-test failure\nas below.\n\n[ 97.349708] ------------[ cut here ]------------\n[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.357106] Modules linked in:\n[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14\n[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90\n[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286\n[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000\n[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68\n[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000\n[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000\n[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000\n[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0\n[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 97.391196] Call Trace:\n[ 97.391967] \n[ 97.392647] ? __warn+0xcc/0x180\n[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.395181] ? report_bug+0xbd/0x150\n[ 97.396234] ? handle_bug+0x3e/0x60\n[ 97.397311] ? exc_invalid_op+0x1a/0x50\n[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20\n[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20\n[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90\n[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.403773] ? init_kprobe_trace+0x50/0x50\n[ 97.404972] do_one_initcall+0x112/0x240\n[ 97.406113] do_initcall_level+0x95/0xb0\n[ 97.407286] ? kernel_init+0x1a/0x1a0\n[ 97.408401] do_initcalls+0x3f/0x70\n[ 97.409452] kernel_init_freeable+0x16f/0x1e0\n[ 97.410662] ? rest_init+0x1f0/0x1f0\n[ 97.411738] kernel_init+0x1a/0x1a0\n[ 97.412788] ret_from_fork+0x39/0x50\n[ 97.413817] ? rest_init+0x1f0/0x1f0\n[ 97.414844] ret_from_fork_asm+0x11/0x20\n[ 97.416285] \n[ 97.417134] irq event stamp: 13437323\n[ 97.418376] hardirqs last enabled at (13437337): [] console_unlock+0x11c/0x150\n[ 97.421285] hardirqs last disabled at (13437370): [] console_unlock+0x101/0x150\n[ 97.423838] softirqs last enabled at (13437366): [] handle_softirqs+0x23f/0x2a0\n[ 97.426450] softirqs last disabled at (13437393): [] __irq_exit_rcu+0x66/0xd0\n[ 97.428850] ---[ end trace 0000000000000000 ]---\n\nAnd also, since we can not cleanup dynamic_event file, ftracetest are\nfailed too.\n\nTo avoid these issues, build these tests only as modules.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41004\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41004\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41004\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41004\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41004\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32ef4dc2b1caf5825c0cf50646479608311cafc3\",\n \"https://git.kernel.org/stable/c/3572bd5689b0812b161b40279e39ca5b66d73e88\",\n \"https://git.kernel.org/stable/c/55d5d08174366efe57ca9e79964828b20c626c45\",\n \"https://git.kernel.org/stable/c/72a0199b361df2387018697b023fdcdd357449a9\",\n \"https://git.kernel.org/stable/c/98a7bfc48fffe170a60d87a5cbb7cdddf08184c3\",\n \"https://git.kernel.org/stable/c/a85bae262ccecc52a40c466ec067f6c915e0839d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Build event generation tests only as modules\\n\\nThe kprobes and synth event generation test modules add events and lock\\n(get a reference) those event file reference in module init function,\\nand unlock and delete it in module exit function. This is because those\\nare designed for playing as modules.\\n\\nIf we make those modules as built-in, those events are left locked in the\\nkernel, and never be removed. This causes kprobe event self-test failure\\nas below.\\n\\n[ 97.349708] ------------[ cut here ]------------\\n[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480\\n[ 97.357106] Modules linked in:\\n[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14\\n[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\n[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480\\n[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90\\n[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286\\n[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000\\n[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68\\n[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\\n[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000\\n[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000\\n[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000\\n[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0\\n[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 97.391196] Call Trace:\\n[ 97.391967] \\n[ 97.392647] ? __warn+0xcc/0x180\\n[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480\\n[ 97.395181] ? report_bug+0xbd/0x150\\n[ 97.396234] ? handle_bug+0x3e/0x60\\n[ 97.397311] ? exc_invalid_op+0x1a/0x50\\n[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20\\n[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20\\n[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90\\n[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480\\n[ 97.403773] ? init_kprobe_trace+0x50/0x50\\n[ 97.404972] do_one_initcall+0x112/0x240\\n[ 97.406113] do_initcall_level+0x95/0xb0\\n[ 97.407286] ? kernel_init+0x1a/0x1a0\\n[ 97.408401] do_initcalls+0x3f/0x70\\n[ 97.409452] kernel_init_freeable+0x16f/0x1e0\\n[ 97.410662] ? rest_init+0x1f0/0x1f0\\n[ 97.411738] kernel_init+0x1a/0x1a0\\n[ 97.412788] ret_from_fork+0x39/0x50\\n[ 97.413817] ? rest_init+0x1f0/0x1f0\\n[ 97.414844] ret_from_fork_asm+0x11/0x20\\n[ 97.416285] \\n[ 97.417134] irq event stamp: 13437323\\n[ 97.418376] hardirqs last enabled at (13437337): [] console_unlock+0x11c/0x150\\n[ 97.421285] hardirqs last disabled at (13437370): [] console_unlock+0x101/0x150\\n[ 97.423838] softirqs last enabled at (13437366): [] handle_softirqs+0x23f/0x2a0\\n[ 97.426450] softirqs last disabled at (13437393): [] __irq_exit_rcu+0x66/0xd0\\n[ 97.428850] ---[ end trace 0000000000000000 ]---\\n\\nAnd also, since we can not cleanup dynamic_event file, ftracetest are\\nfailed too.\\n\\nTo avoid these issues, build these tests only as modules.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41004\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41005", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41005" + }, + { + "url": "https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d" + }, + { + "url": "https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265" + }, + { + "url": "https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c" + }, + { + "url": "https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57" + }, + { + "url": "https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916" + }, + { + "url": "https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41005 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41005", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetpoll: Fix race condition in netpoll_owner_active\n\nKCSAN detected a race condition in netpoll:\n\n\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\n\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\n\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\n\n\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\n\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\n\tnetpoll_send_udp (net/core/netpoll.c:?)\n\n\tvalue changed: 0x0000000a -> 0xffffffff\n\nThis happens because netpoll_owner_active() needs to check if the\ncurrent CPU is the owner of the lock, touching napi->poll_owner\nnon atomically. The ->poll_owner field contains the current CPU holding\nthe lock.\n\nUse an atomic read to check if the poll owner is the current CPU.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41005\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41005\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41005\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41005\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41005\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d\",\n \"https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265\",\n \"https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c\",\n \"https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57\",\n \"https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916\",\n \"https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetpoll: Fix race condition in netpoll_owner_active\\n\\nKCSAN detected a race condition in netpoll:\\n\\n\\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\\n\\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\\n\\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\\n\\n\\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\\n\\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\\n\\tnetpoll_send_udp (net/core/netpoll.c:?)\\n\\n\\tvalue changed: 0x0000000a -> 0xffffffff\\n\\nThis happens because netpoll_owner_active() needs to check if the\\ncurrent CPU is the owner of the lock, touching napi->poll_owner\\nnon atomically. The ->poll_owner field contains the current CPU holding\\nthe lock.\\n\\nUse an atomic read to check if the poll owner is the current CPU.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41005\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41006", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41006" + }, + { + "url": "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735" + }, + { + "url": "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937" + }, + { + "url": "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba" + }, + { + "url": "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b" + }, + { + "url": "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8" + }, + { + "url": "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712" + }, + { + "url": "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c" + }, + { + "url": "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41006 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41006", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\n\nsyzbot reported a memory leak in nr_create() [0].\n\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\n\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\n\nnr_connect\n nr_establish_data_link\n nr_start_heartbeat\n\nnr_release\n switch (nr->state)\n case NR_STATE_3\n nr->state = NR_STATE_2\n sock_set_flag(sk, SOCK_DESTROY);\n\n nr_rx_frame\n nr_process_rx_frame\n switch (nr->state)\n case NR_STATE_2\n nr_state2_machine()\n nr_disconnect()\n nr_sk(sk)->state = NR_STATE_0\n sock_set_flag(sk, SOCK_DEAD)\n\n nr_heartbeat_expiry\n switch (nr->state)\n case NR_STATE_0\n if (sock_flag(sk, SOCK_DESTROY) ||\n (sk->sk_state == TCP_LISTEN\n && sock_flag(sk, SOCK_DEAD)))\n sock_hold() // ( !!! )\n nr_destroy_socket()\n\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41006\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41006\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41006\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41006\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41006\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735\",\n \"https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937\",\n \"https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba\",\n \"https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b\",\n \"https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8\",\n \"https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712\",\n \"https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c\",\n \"https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\\n\\nsyzbot reported a memory leak in nr_create() [0].\\n\\nCommit 409db27e3a2e (\\\"netrom: Fix use-after-free of a listening socket.\\\")\\nadded sock_hold() to the nr_heartbeat_expiry() function, where\\na) a socket has a SOCK_DESTROY flag or\\nb) a listening socket has a SOCK_DEAD flag.\\n\\nBut in the case \\\"a,\\\" when the SOCK_DESTROY flag is set, the file descriptor\\nhas already been closed and the nr_release() function has been called.\\nSo it makes no sense to hold the reference count because no one will\\ncall another nr_destroy_socket() and put it as in the case \\\"b.\\\"\\n\\nnr_connect\\n nr_establish_data_link\\n nr_start_heartbeat\\n\\nnr_release\\n switch (nr->state)\\n case NR_STATE_3\\n nr->state = NR_STATE_2\\n sock_set_flag(sk, SOCK_DESTROY);\\n\\n nr_rx_frame\\n nr_process_rx_frame\\n switch (nr->state)\\n case NR_STATE_2\\n nr_state2_machine()\\n nr_disconnect()\\n nr_sk(sk)->state = NR_STATE_0\\n sock_set_flag(sk, SOCK_DEAD)\\n\\n nr_heartbeat_expiry\\n switch (nr->state)\\n case NR_STATE_0\\n if (sock_flag(sk, SOCK_DESTROY) ||\\n (sk->sk_state == TCP_LISTEN\\n && sock_flag(sk, SOCK_DEAD)))\\n sock_hold() // ( !!! )\\n nr_destroy_socket()\\n\\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\\n\\nFound by InfoTeCS on behalf of Linux Verification Center\\n(linuxtesting.org) with Syzkaller.\\n\\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41006\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41007", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41007" + }, + { + "url": "https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570" + }, + { + "url": "https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982" + }, + { + "url": "https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b05462570a5be1" + }, + { + "url": "https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4" + }, + { + "url": "https://git.kernel.org/stable/c/97a9063518f198ec0adb2ecb89789de342bb8283" + }, + { + "url": "https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969" + }, + { + "url": "https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde" + }, + { + "url": "https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41007 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41007", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: avoid too many retransmit packets\n\nIf a TCP socket is using TCP_USER_TIMEOUT, and the other peer\nretracted its window to zero, tcp_retransmit_timer() can\nretransmit a packet every two jiffies (2 ms for HZ=1000),\nfor about 4 minutes after TCP_USER_TIMEOUT has 'expired'.\n\nThe fix is to make sure tcp_rtx_probe0_timed_out() takes\nicsk->icsk_user_timeout into account.\n\nBefore blamed commit, the socket would not timeout after\nicsk->icsk_user_timeout, but would use standard exponential\nbackoff for the retransmits.\n\nAlso worth noting that before commit e89688e3e978 (\"net: tcp:\nfix unexcepted socket die when snd_wnd is 0\"), the issue\nwould last 2 minutes instead of 4.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41007\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41007\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41007\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41007\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41007\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570\",\n \"https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982\",\n \"https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b05462570a5be1\",\n \"https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4\",\n \"https://git.kernel.org/stable/c/97a9063518f198ec0adb2ecb89789de342bb8283\",\n \"https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969\",\n \"https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde\",\n \"https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: avoid too many retransmit packets\\n\\nIf a TCP socket is using TCP_USER_TIMEOUT, and the other peer\\nretracted its window to zero, tcp_retransmit_timer() can\\nretransmit a packet every two jiffies (2 ms for HZ=1000),\\nfor about 4 minutes after TCP_USER_TIMEOUT has 'expired'.\\n\\nThe fix is to make sure tcp_rtx_probe0_timed_out() takes\\nicsk->icsk_user_timeout into account.\\n\\nBefore blamed commit, the socket would not timeout after\\nicsk->icsk_user_timeout, but would use standard exponential\\nbackoff for the retransmits.\\n\\nAlso worth noting that before commit e89688e3e978 (\\\"net: tcp:\\nfix unexcepted socket die when snd_wnd is 0\\\"), the issue\\nwould last 2 minutes instead of 4.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41007\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41008", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41008" + }, + { + "url": "https://git.kernel.org/stable/c/b8f67b9ddf4f8fe6dd536590712b5912ad78f99c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41008 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41008", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: change vm->task_info handling\n\nThis patch changes the handling and lifecycle of vm->task_info object.\nThe major changes are:\n- vm->task_info is a dynamically allocated ptr now, and its uasge is\n reference counted.\n- introducing two new helper funcs for task_info lifecycle management\n - amdgpu_vm_get_task_info: reference counts up task_info before\n returning this info\n - amdgpu_vm_put_task_info: reference counts down task_info\n- last put to task_info() frees task_info from the vm.\n\nThis patch also does logistical changes required for existing usage\nof vm->task_info.\n\nV2: Do not block all the prints when task_info not found (Felix)\n\nV3: Fixed review comments from Felix\n - Fix wrong indentation\n - No debug message for -ENOMEM\n - Add NULL check for task_info\n - Do not duplicate the debug messages (ti vs no ti)\n - Get first reference of task_info in vm_init(), put last\n in vm_fini()\n\nV4: Fixed review comments from Felix\n - fix double reference increment in create_task_info\n - change amdgpu_vm_get_task_info_pasid\n - additional changes in amdgpu_gem.c while porting", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41008\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41008\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41008\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41008\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41008\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/b8f67b9ddf4f8fe6dd536590712b5912ad78f99c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: change vm->task_info handling\\n\\nThis patch changes the handling and lifecycle of vm->task_info object.\\nThe major changes are:\\n- vm->task_info is a dynamically allocated ptr now, and its uasge is\\n reference counted.\\n- introducing two new helper funcs for task_info lifecycle management\\n - amdgpu_vm_get_task_info: reference counts up task_info before\\n returning this info\\n - amdgpu_vm_put_task_info: reference counts down task_info\\n- last put to task_info() frees task_info from the vm.\\n\\nThis patch also does logistical changes required for existing usage\\nof vm->task_info.\\n\\nV2: Do not block all the prints when task_info not found (Felix)\\n\\nV3: Fixed review comments from Felix\\n - Fix wrong indentation\\n - No debug message for -ENOMEM\\n - Add NULL check for task_info\\n - Do not duplicate the debug messages (ti vs no ti)\\n - Get first reference of task_info in vm_init(), put last\\n in vm_fini()\\n\\nV4: Fixed review comments from Felix\\n - fix double reference increment in create_task_info\\n - change amdgpu_vm_get_task_info_pasid\\n - additional changes in amdgpu_gem.c while porting\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41008\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41009", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41009" + }, + { + "url": "https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4" + }, + { + "url": "https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225" + }, + { + "url": "https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069" + }, + { + "url": "https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f" + }, + { + "url": "https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881" + }, + { + "url": "https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41009 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41009", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix overrunning reservations in ringbuf\n\nThe BPF ring buffer internally is implemented as a power-of-2 sized circular\nbuffer, with two logical and ever-increasing counters: consumer_pos is the\nconsumer counter to show which logical position the consumer consumed the\ndata, and producer_pos which is the producer counter denoting the amount of\ndata reserved by all producers.\n\nEach time a record is reserved, the producer that \"owns\" the record will\nsuccessfully advance producer counter. In user space each time a record is\nread, the consumer of the data advanced the consumer counter once it finished\nprocessing. Both counters are stored in separate pages so that from user\nspace, the producer counter is read-only and the consumer counter is read-write.\n\nOne aspect that simplifies and thus speeds up the implementation of both\nproducers and consumers is how the data area is mapped twice contiguously\nback-to-back in the virtual memory, allowing to not take any special measures\nfor samples that have to wrap around at the end of the circular buffer data\narea, because the next page after the last data page would be first data page\nagain, and thus the sample will still appear completely contiguous in virtual\nmemory.\n\nEach record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for\nbook-keeping the length and offset, and is inaccessible to the BPF program.\nHelpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`\nfor the BPF program to use. Bing-Jhong and Muhammad reported that it is however\npossible to make a second allocated memory chunk overlapping with the first\nchunk and as a result, the BPF program is now able to edit first chunk's\nheader.\n\nFor example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size\nof 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to\nbpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in\n[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets\nallocate a chunk B with size 0x3000. This will succeed because consumer_pos\nwas edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`\ncheck. Chunk B will be in range [0x3008,0x6010], and the BPF program is able\nto edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned\nearlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data\npages. This means that chunk B at [0x4000,0x4008] is chunk A's header.\nbpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then\nlocate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk\nB modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong\npage and could cause a crash.\n\nFix it by calculating the oldest pending_pos and check whether the range\nfrom the oldest outstanding record to the newest would span beyond the ring\nbuffer size. If that is the case, then reject the request. We've tested with\nthe ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)\nbefore/after the fix and while it seems a bit slower on some benchmarks, it\nis still not significantly enough to matter.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41009\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41009\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41009\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41009\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41009\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4\",\n \"https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225\",\n \"https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069\",\n \"https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f\",\n \"https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881\",\n \"https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix overrunning reservations in ringbuf\\n\\nThe BPF ring buffer internally is implemented as a power-of-2 sized circular\\nbuffer, with two logical and ever-increasing counters: consumer_pos is the\\nconsumer counter to show which logical position the consumer consumed the\\ndata, and producer_pos which is the producer counter denoting the amount of\\ndata reserved by all producers.\\n\\nEach time a record is reserved, the producer that \\\"owns\\\" the record will\\nsuccessfully advance producer counter. In user space each time a record is\\nread, the consumer of the data advanced the consumer counter once it finished\\nprocessing. Both counters are stored in separate pages so that from user\\nspace, the producer counter is read-only and the consumer counter is read-write.\\n\\nOne aspect that simplifies and thus speeds up the implementation of both\\nproducers and consumers is how the data area is mapped twice contiguously\\nback-to-back in the virtual memory, allowing to not take any special measures\\nfor samples that have to wrap around at the end of the circular buffer data\\narea, because the next page after the last data page would be first data page\\nagain, and thus the sample will still appear completely contiguous in virtual\\nmemory.\\n\\nEach record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for\\nbook-keeping the length and offset, and is inaccessible to the BPF program.\\nHelpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`\\nfor the BPF program to use. Bing-Jhong and Muhammad reported that it is however\\npossible to make a second allocated memory chunk overlapping with the first\\nchunk and as a result, the BPF program is now able to edit first chunk's\\nheader.\\n\\nFor example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size\\nof 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to\\nbpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in\\n[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets\\nallocate a chunk B with size 0x3000. This will succeed because consumer_pos\\nwas edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`\\ncheck. Chunk B will be in range [0x3008,0x6010], and the BPF program is able\\nto edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned\\nearlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data\\npages. This means that chunk B at [0x4000,0x4008] is chunk A's header.\\nbpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then\\nlocate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk\\nB modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong\\npage and could cause a crash.\\n\\nFix it by calculating the oldest pending_pos and check whether the range\\nfrom the oldest outstanding record to the newest would span beyond the ring\\nbuffer size. If that is the case, then reject the request. We've tested with\\nthe ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)\\nbefore/after the fix and while it seems a bit slower on some benchmarks, it\\nis still not significantly enough to matter.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41009\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41011", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41011" + }, + { + "url": "https://git.kernel.org/stable/c/4b4cff994a27ebf7bd3fb9a798a1cdfa8d01b724" + }, + { + "url": "https://git.kernel.org/stable/c/6186c93560889265bfe0914609c274eff40bbeb5" + }, + { + "url": "https://git.kernel.org/stable/c/89fffbdf535ce659c1a26b51ad62070566e33b28" + }, + { + "url": "https://git.kernel.org/stable/c/be4a2a81b6b90d1a47eaeaace4cc8e2cb57b96c7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41011 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41011", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: don't allow mapping the MMIO HDP page with large pages\n\nWe don't get the right offset in that case. The GPU has\nan unused 4K area of the register BAR space into which you can\nremap registers. We remap the HDP flush registers into this\nspace to allow userspace (CPU or GPU) to flush the HDP when it\nupdates VRAM. However, on systems with >4K pages, we end up\nexposing PAGE_SIZE of MMIO space.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41011\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41011\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41011\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41011\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41011\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b4cff994a27ebf7bd3fb9a798a1cdfa8d01b724\",\n \"https://git.kernel.org/stable/c/6186c93560889265bfe0914609c274eff40bbeb5\",\n \"https://git.kernel.org/stable/c/89fffbdf535ce659c1a26b51ad62070566e33b28\",\n \"https://git.kernel.org/stable/c/be4a2a81b6b90d1a47eaeaace4cc8e2cb57b96c7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdkfd: don't allow mapping the MMIO HDP page with large pages\\n\\nWe don't get the right offset in that case. The GPU has\\nan unused 4K area of the register BAR space into which you can\\nremap registers. We remap the HDP flush registers into this\\nspace to allow userspace (CPU or GPU) to flush the HDP when it\\nupdates VRAM. However, on systems with >4K pages, we end up\\nexposing PAGE_SIZE of MMIO space.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41011\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41012", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41012" + }, + { + "url": "https://git.kernel.org/stable/c/3cad1bc010416c6dd780643476bc59ed742436b9" + }, + { + "url": "https://git.kernel.org/stable/c/52c87ab18c76c14d7209646ccb3283b3f5d87b22" + }, + { + "url": "https://git.kernel.org/stable/c/5661b9c7ec189406c2dde00837aaa4672efb6240" + }, + { + "url": "https://git.kernel.org/stable/c/5f5d0799eb0a01d550c21b7894e26b2d9db55763" + }, + { + "url": "https://git.kernel.org/stable/c/b6d223942c34057fdfd8f149e763fa823731b224" + }, + { + "url": "https://git.kernel.org/stable/c/d30ff33040834c3b9eee29740acd92f9c7ba2250" + }, + { + "url": "https://git.kernel.org/stable/c/dc2ce1dfceaa0767211a9d963ddb029ab21c4235" + }, + { + "url": "https://git.kernel.org/stable/c/ef8fc41cd6f95f9a4a3470f085aecf350569a0b3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41012 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41012", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Remove locks reliably when fcntl/close race is detected\n\nWhen fcntl_setlk() races with close(), it removes the created lock with\ndo_lock_file_wait().\nHowever, LSMs can allow the first do_lock_file_wait() that created the lock\nwhile denying the second do_lock_file_wait() that tries to remove the lock.\nSeparately, posix_lock_file() could also fail to\nremove a lock due to GFP_KERNEL allocation failure (when splitting a range\nin the middle).\n\nAfter the bug has been triggered, use-after-free reads will occur in\nlock_get_status() when userspace reads /proc/locks. This can likely be used\nto read arbitrary kernel memory, but can't corrupt kernel memory.\n\nFix it by calling locks_remove_posix() instead, which is designed to\nreliably get rid of POSIX locks associated with the given file and\nfiles_struct and is also used by filp_flush().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41012\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41012\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41012\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41012\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41012\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3cad1bc010416c6dd780643476bc59ed742436b9\",\n \"https://git.kernel.org/stable/c/52c87ab18c76c14d7209646ccb3283b3f5d87b22\",\n \"https://git.kernel.org/stable/c/5661b9c7ec189406c2dde00837aaa4672efb6240\",\n \"https://git.kernel.org/stable/c/5f5d0799eb0a01d550c21b7894e26b2d9db55763\",\n \"https://git.kernel.org/stable/c/b6d223942c34057fdfd8f149e763fa823731b224\",\n \"https://git.kernel.org/stable/c/d30ff33040834c3b9eee29740acd92f9c7ba2250\",\n \"https://git.kernel.org/stable/c/dc2ce1dfceaa0767211a9d963ddb029ab21c4235\",\n \"https://git.kernel.org/stable/c/ef8fc41cd6f95f9a4a3470f085aecf350569a0b3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfilelock: Remove locks reliably when fcntl/close race is detected\\n\\nWhen fcntl_setlk() races with close(), it removes the created lock with\\ndo_lock_file_wait().\\nHowever, LSMs can allow the first do_lock_file_wait() that created the lock\\nwhile denying the second do_lock_file_wait() that tries to remove the lock.\\nSeparately, posix_lock_file() could also fail to\\nremove a lock due to GFP_KERNEL allocation failure (when splitting a range\\nin the middle).\\n\\nAfter the bug has been triggered, use-after-free reads will occur in\\nlock_get_status() when userspace reads /proc/locks. This can likely be used\\nto read arbitrary kernel memory, but can't corrupt kernel memory.\\n\\nFix it by calling locks_remove_posix() instead, which is designed to\\nreliably get rid of POSIX locks associated with the given file and\\nfiles_struct and is also used by filp_flush().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41012\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41013", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41013" + }, + { + "url": "https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41013 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41013", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: don't walk off the end of a directory data block\n\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\nto make sure don't stray beyond valid memory region. Before patching, the\nloop simply checks that the start offset of the dup and dep is within the\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\ncan change dup->length to dup->length-1 and leave 1 byte of space. In the\nnext traversal, this space will be considered as dup or dep. We may\nencounter an out of bound read when accessing the fixed members.\n\nIn the patch, we make sure that the remaining bytes large enough to hold\nan unused entry before accessing xfs_dir2_data_unused and\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\nsure that the remaining bytes large enough to hold a dirent with a\nsingle-byte name before accessing xfs_dir2_data_entry.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41013\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41013\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41013\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41013\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41013\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfs: don't walk off the end of a directory data block\\n\\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\\nto make sure don't stray beyond valid memory region. Before patching, the\\nloop simply checks that the start offset of the dup and dep is within the\\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\\ncan change dup->length to dup->length-1 and leave 1 byte of space. In the\\nnext traversal, this space will be considered as dup or dep. We may\\nencounter an out of bound read when accessing the fixed members.\\n\\nIn the patch, we make sure that the remaining bytes large enough to hold\\nan unused entry before accessing xfs_dir2_data_unused and\\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\\nsure that the remaining bytes large enough to hold a dirent with a\\nsingle-byte name before accessing xfs_dir2_data_entry.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41013\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41014", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41014" + }, + { + "url": "https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41014 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41014", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: add bounds checking to xlog_recover_process_data\n\nThere is a lack of verification of the space occupied by fixed members\nof xlog_op_header in the xlog_recover_process_data.\n\nWe can create a crafted image to trigger an out of bounds read by\nfollowing these steps:\n 1) Mount an image of xfs, and do some file operations to leave records\n 2) Before umounting, copy the image for subsequent steps to simulate\n abnormal exit. Because umount will ensure that tail_blk and\n head_blk are the same, which will result in the inability to enter\n xlog_recover_process_data\n 3) Write a tool to parse and modify the copied image in step 2\n 4) Make the end of the xlog_op_header entries only 1 byte away from\n xlog_rec_header->h_size\n 5) xlog_rec_header->h_num_logops++\n 6) Modify xlog_rec_header->h_crc\n\nFix:\nAdd a check to make sure there is sufficient space to access fixed members\nof xlog_op_header.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41014\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41014\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41014\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41014\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41014\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfs: add bounds checking to xlog_recover_process_data\\n\\nThere is a lack of verification of the space occupied by fixed members\\nof xlog_op_header in the xlog_recover_process_data.\\n\\nWe can create a crafted image to trigger an out of bounds read by\\nfollowing these steps:\\n 1) Mount an image of xfs, and do some file operations to leave records\\n 2) Before umounting, copy the image for subsequent steps to simulate\\n abnormal exit. Because umount will ensure that tail_blk and\\n head_blk are the same, which will result in the inability to enter\\n xlog_recover_process_data\\n 3) Write a tool to parse and modify the copied image in step 2\\n 4) Make the end of the xlog_op_header entries only 1 byte away from\\n xlog_rec_header->h_size\\n 5) xlog_rec_header->h_num_logops++\\n 6) Modify xlog_rec_header->h_crc\\n\\nFix:\\nAdd a check to make sure there is sufficient space to access fixed members\\nof xlog_op_header.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41014\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41015", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41015" + }, + { + "url": "https://git.kernel.org/stable/c/13d38c00df97289e6fba2e54193959293fd910d2" + }, + { + "url": "https://git.kernel.org/stable/c/255547c6bb8940a97eea94ef9d464ea5967763fb" + }, + { + "url": "https://git.kernel.org/stable/c/53de17ad01cb5f6f8426f597e9d5c87d4cf53bb7" + }, + { + "url": "https://git.kernel.org/stable/c/564d23cc5b216211e1694d53f7e45959396874d0" + }, + { + "url": "https://git.kernel.org/stable/c/624b380074f0dc209fb8706db3295c735079f34c" + }, + { + "url": "https://git.kernel.org/stable/c/77495e5da5cb110a8fed27b052c77853fe282176" + }, + { + "url": "https://git.kernel.org/stable/c/e05a24289db90f76ff606086aadd62d068a88dcd" + }, + { + "url": "https://git.kernel.org/stable/c/edb2e67dd4626b06fd7eb37252d5067912e78d59" + }, + { + "url": "https://git.kernel.org/stable/c/fd65685594ee707cbf3ddf22ebb73697786ac114" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41015 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41015", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: add bounds checking to ocfs2_check_dir_entry()\n\nThis adds sanity checks for ocfs2_dir_entry to make sure all members of\nocfs2_dir_entry don't stray beyond valid memory region.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41015\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41015\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41015\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41015\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41015\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13d38c00df97289e6fba2e54193959293fd910d2\",\n \"https://git.kernel.org/stable/c/255547c6bb8940a97eea94ef9d464ea5967763fb\",\n \"https://git.kernel.org/stable/c/53de17ad01cb5f6f8426f597e9d5c87d4cf53bb7\",\n \"https://git.kernel.org/stable/c/564d23cc5b216211e1694d53f7e45959396874d0\",\n \"https://git.kernel.org/stable/c/624b380074f0dc209fb8706db3295c735079f34c\",\n \"https://git.kernel.org/stable/c/77495e5da5cb110a8fed27b052c77853fe282176\",\n \"https://git.kernel.org/stable/c/e05a24289db90f76ff606086aadd62d068a88dcd\",\n \"https://git.kernel.org/stable/c/edb2e67dd4626b06fd7eb37252d5067912e78d59\",\n \"https://git.kernel.org/stable/c/fd65685594ee707cbf3ddf22ebb73697786ac114\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: add bounds checking to ocfs2_check_dir_entry()\\n\\nThis adds sanity checks for ocfs2_dir_entry to make sure all members of\\nocfs2_dir_entry don't stray beyond valid memory region.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41015\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41016", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41016" + }, + { + "url": "https://git.kernel.org/stable/c/af77c4fc1871847b528d58b7fdafb4aa1f6a9262" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41016 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41016", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()\n\nxattr in ocfs2 maybe 'non-indexed', which saved with additional space\nrequested. It's better to check if the memory is out of bound before\nmemcmp, although this possibility mainly comes from crafted poisonous\nimages.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41016\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41016\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41016\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41016\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41016\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/af77c4fc1871847b528d58b7fdafb4aa1f6a9262\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()\\n\\nxattr in ocfs2 maybe 'non-indexed', which saved with additional space\\nrequested. It's better to check if the memory is out of bound before\\nmemcmp, although this possibility mainly comes from crafted poisonous\\nimages.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41016\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41017", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41017" + }, + { + "url": "https://git.kernel.org/stable/c/17440dbc66ab98b410514b04987f61deedb86751" + }, + { + "url": "https://git.kernel.org/stable/c/4e034f7e563ab723b93a59980e4a1bb33198ece8" + }, + { + "url": "https://git.kernel.org/stable/c/6386f1b6a10e5d1ddd03db4ff6dfc55d488852ce" + }, + { + "url": "https://git.kernel.org/stable/c/7e21574195a45fc193555fa40e99fed16565ff7e" + }, + { + "url": "https://git.kernel.org/stable/c/7f91bd0f2941fa36449ce1a15faaa64f840d9746" + }, + { + "url": "https://git.kernel.org/stable/c/d0fa70aca54c8643248e89061da23752506ec0d4" + }, + { + "url": "https://git.kernel.org/stable/c/dbde7bc91093fa9c2410e418b236b70fde044b73" + }, + { + "url": "https://git.kernel.org/stable/c/f4435f476b9bf059cd9e26a69f5b29c768d00375" + }, + { + "url": "https://git.kernel.org/stable/c/fc16776a82e8df97b6c4f9a10ba95aa44cef7ba5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41017 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41017", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: don't walk off the end of ealist\n\nAdd a check before visiting the members of ea to\nmake sure each ea stays within the ealist.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41017\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41017\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41017\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41017\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41017\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17440dbc66ab98b410514b04987f61deedb86751\",\n \"https://git.kernel.org/stable/c/4e034f7e563ab723b93a59980e4a1bb33198ece8\",\n \"https://git.kernel.org/stable/c/6386f1b6a10e5d1ddd03db4ff6dfc55d488852ce\",\n \"https://git.kernel.org/stable/c/7e21574195a45fc193555fa40e99fed16565ff7e\",\n \"https://git.kernel.org/stable/c/7f91bd0f2941fa36449ce1a15faaa64f840d9746\",\n \"https://git.kernel.org/stable/c/d0fa70aca54c8643248e89061da23752506ec0d4\",\n \"https://git.kernel.org/stable/c/dbde7bc91093fa9c2410e418b236b70fde044b73\",\n \"https://git.kernel.org/stable/c/f4435f476b9bf059cd9e26a69f5b29c768d00375\",\n \"https://git.kernel.org/stable/c/fc16776a82e8df97b6c4f9a10ba95aa44cef7ba5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: don't walk off the end of ealist\\n\\nAdd a check before visiting the members of ea to\\nmake sure each ea stays within the ealist.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41017\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41019", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41019" + }, + { + "url": "https://git.kernel.org/stable/c/35652dfa8cc9a8a900ec0f1e0395781f94ffc5f0" + }, + { + "url": "https://git.kernel.org/stable/c/50c47879650b4c97836a0086632b3a2e300b0f06" + }, + { + "url": "https://git.kernel.org/stable/c/617cf144c206f98978ec730b17159344fd147cb4" + }, + { + "url": "https://git.kernel.org/stable/c/6ae7265a7b816879fd0203e83b5030d3720bbb7a" + }, + { + "url": "https://git.kernel.org/stable/c/818a257428644b8873e79c44404d8fb6598d4440" + }, + { + "url": "https://git.kernel.org/stable/c/82c94e6a7bd116724738aa67eba6f5fedf3a3319" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41019 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41019", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate ff offset\n\nThis adds sanity checks for ff offset. There is a check\non rt->first_free at first, but walking through by ff\nwithout any check. If the second ff is a large offset.\nWe may encounter an out-of-bound read.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41019\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41019\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41019\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41019\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41019\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/35652dfa8cc9a8a900ec0f1e0395781f94ffc5f0\",\n \"https://git.kernel.org/stable/c/50c47879650b4c97836a0086632b3a2e300b0f06\",\n \"https://git.kernel.org/stable/c/617cf144c206f98978ec730b17159344fd147cb4\",\n \"https://git.kernel.org/stable/c/6ae7265a7b816879fd0203e83b5030d3720bbb7a\",\n \"https://git.kernel.org/stable/c/818a257428644b8873e79c44404d8fb6598d4440\",\n \"https://git.kernel.org/stable/c/82c94e6a7bd116724738aa67eba6f5fedf3a3319\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Validate ff offset\\n\\nThis adds sanity checks for ff offset. There is a check\\non rt->first_free at first, but walking through by ff\\nwithout any check. If the second ff is a large offset.\\nWe may encounter an out-of-bound read.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41019\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41020", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41020" + }, + { + "url": "https://git.kernel.org/stable/c/4c43ad4ab41602201d34c66ac62130fe339d686f" + }, + { + "url": "https://git.kernel.org/stable/c/53e21cfa68a7d12de378b7116c75571f73e0dfa2" + }, + { + "url": "https://git.kernel.org/stable/c/5b0af8e4c70e4b884bb94ff5f0cd49ecf1273c02" + }, + { + "url": "https://git.kernel.org/stable/c/73ae349534ebc377328e7d21891e589626c6e82c" + }, + { + "url": "https://git.kernel.org/stable/c/911cc83e56a2de5a40758766c6a70d6998248860" + }, + { + "url": "https://git.kernel.org/stable/c/a561145f3ae973ebf3e0aee41624e92a6c5cb38d" + }, + { + "url": "https://git.kernel.org/stable/c/ed898f9ca3fa32c56c858b463ceb9d9936cc69c4" + }, + { + "url": "https://git.kernel.org/stable/c/f4d0775c6e2f1340ca0725f0337de149aaa989ca" + }, + { + "url": "https://git.kernel.org/stable/c/f8138f2ad2f745b9a1c696a05b749eabe44337ea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41020 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41020", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Fix fcntl/close race recovery compat path\n\nWhen I wrote commit 3cad1bc01041 (\"filelock: Remove locks reliably when\nfcntl/close race is detected\"), I missed that there are two copies of the\ncode I was patching: The normal version, and the version for 64-bit offsets\non 32-bit kernels.\nThanks to Greg KH for stumbling over this while doing the stable\nbackport...\n\nApply exactly the same fix to the compat path for 32-bit kernels.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41020\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41020\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41020\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41020\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41020\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c43ad4ab41602201d34c66ac62130fe339d686f\",\n \"https://git.kernel.org/stable/c/53e21cfa68a7d12de378b7116c75571f73e0dfa2\",\n \"https://git.kernel.org/stable/c/5b0af8e4c70e4b884bb94ff5f0cd49ecf1273c02\",\n \"https://git.kernel.org/stable/c/73ae349534ebc377328e7d21891e589626c6e82c\",\n \"https://git.kernel.org/stable/c/911cc83e56a2de5a40758766c6a70d6998248860\",\n \"https://git.kernel.org/stable/c/a561145f3ae973ebf3e0aee41624e92a6c5cb38d\",\n \"https://git.kernel.org/stable/c/ed898f9ca3fa32c56c858b463ceb9d9936cc69c4\",\n \"https://git.kernel.org/stable/c/f4d0775c6e2f1340ca0725f0337de149aaa989ca\",\n \"https://git.kernel.org/stable/c/f8138f2ad2f745b9a1c696a05b749eabe44337ea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfilelock: Fix fcntl/close race recovery compat path\\n\\nWhen I wrote commit 3cad1bc01041 (\\\"filelock: Remove locks reliably when\\nfcntl/close race is detected\\\"), I missed that there are two copies of the\\ncode I was patching: The normal version, and the version for 64-bit offsets\\non 32-bit kernels.\\nThanks to Greg KH for stumbling over this while doing the stable\\nbackport...\\n\\nApply exactly the same fix to the compat path for 32-bit kernels.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41020\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41022", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41022" + }, + { + "url": "https://git.kernel.org/stable/c/298e2ce222e712ffafa47288c5b2fcf33d72fda3" + }, + { + "url": "https://git.kernel.org/stable/c/3dd9734878a9042f0358301d19a2b006a0fc4d06" + }, + { + "url": "https://git.kernel.org/stable/c/4edb0a84e6b32e75dc9bd6dd085b2c2ff19ec287" + }, + { + "url": "https://git.kernel.org/stable/c/544fa213f15d27f0370795845d55eeb3e00080d2" + }, + { + "url": "https://git.kernel.org/stable/c/6769a23697f17f9bf9365ca8ed62fe37e361a05a" + }, + { + "url": "https://git.kernel.org/stable/c/a5224e2123ce21102f346f518db80f004d5053a7" + }, + { + "url": "https://git.kernel.org/stable/c/d347c9a398bf7eab9408d207c0a50fb720f9de7d" + }, + { + "url": "https://git.kernel.org/stable/c/e8dfbf83a82bbfb9680921719fbe65e535af59ea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41022 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41022", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()\n\nThe \"instance\" variable needs to be signed for the error handling to work.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41022\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41022\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41022\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41022\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41022\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/298e2ce222e712ffafa47288c5b2fcf33d72fda3\",\n \"https://git.kernel.org/stable/c/3dd9734878a9042f0358301d19a2b006a0fc4d06\",\n \"https://git.kernel.org/stable/c/4edb0a84e6b32e75dc9bd6dd085b2c2ff19ec287\",\n \"https://git.kernel.org/stable/c/544fa213f15d27f0370795845d55eeb3e00080d2\",\n \"https://git.kernel.org/stable/c/6769a23697f17f9bf9365ca8ed62fe37e361a05a\",\n \"https://git.kernel.org/stable/c/a5224e2123ce21102f346f518db80f004d5053a7\",\n \"https://git.kernel.org/stable/c/d347c9a398bf7eab9408d207c0a50fb720f9de7d\",\n \"https://git.kernel.org/stable/c/e8dfbf83a82bbfb9680921719fbe65e535af59ea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()\\n\\nThe \\\"instance\\\" variable needs to be signed for the error handling to work.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41022\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41023", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41023" + }, + { + "url": "https://git.kernel.org/stable/c/7a54d31face626f62de415ebe77b43f76c3ffaf4" + }, + { + "url": "https://git.kernel.org/stable/c/b58652db66c910c2245f5bee7deca41c12d707b9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41023 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41023", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix task_struct reference leak\n\nDuring the execution of the following stress test with linux-rt:\n\nstress-ng --cyclic 30 --timeout 30 --minimize --quiet\n\nkmemleak frequently reported a memory leak concerning the task_struct:\n\nunreferenced object 0xffff8881305b8000 (size 16136):\n comm \"stress-ng\", pid 614, jiffies 4294883961 (age 286.412s)\n object hex dump (first 32 bytes):\n 02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .@..............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n debug hex dump (first 16 bytes):\n 53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S...............\n backtrace:\n [<00000000046b6790>] dup_task_struct+0x30/0x540\n [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0\n [<00000000ced59777>] kernel_clone+0xb0/0x770\n [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0\n [<000000001dbf2008>] do_syscall_64+0x5d/0xf0\n [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThe issue occurs in start_dl_timer(), which increments the task_struct\nreference count and sets a timer. The timer callback, dl_task_timer,\nis supposed to decrement the reference count upon expiration. However,\nif enqueue_task_dl() is called before the timer expires and cancels it,\nthe reference count is not decremented, leading to the leak.\n\nThis patch fixes the reference leak by ensuring the task_struct\nreference count is properly decremented when the timer is canceled.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41023\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41023\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41023\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41023\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41023\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7a54d31face626f62de415ebe77b43f76c3ffaf4\",\n \"https://git.kernel.org/stable/c/b58652db66c910c2245f5bee7deca41c12d707b9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/deadline: Fix task_struct reference leak\\n\\nDuring the execution of the following stress test with linux-rt:\\n\\nstress-ng --cyclic 30 --timeout 30 --minimize --quiet\\n\\nkmemleak frequently reported a memory leak concerning the task_struct:\\n\\nunreferenced object 0xffff8881305b8000 (size 16136):\\n comm \\\"stress-ng\\\", pid 614, jiffies 4294883961 (age 286.412s)\\n object hex dump (first 32 bytes):\\n 02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .@..............\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n debug hex dump (first 16 bytes):\\n 53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S...............\\n backtrace:\\n [<00000000046b6790>] dup_task_struct+0x30/0x540\\n [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0\\n [<00000000ced59777>] kernel_clone+0xb0/0x770\\n [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0\\n [<000000001dbf2008>] do_syscall_64+0x5d/0xf0\\n [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\nThe issue occurs in start_dl_timer(), which increments the task_struct\\nreference count and sets a timer. The timer callback, dl_task_timer,\\nis supposed to decrement the reference count upon expiration. However,\\nif enqueue_task_dl() is called before the timer expires and cancels it,\\nthe reference count is not decremented, leading to the leak.\\n\\nThis patch fixes the reference leak by ensuring the task_struct\\nreference count is properly decremented when the timer is canceled.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41023\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41027", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41027" + }, + { + "url": "https://git.kernel.org/stable/c/14875fd5f9bcf60ac5518c63bfb676ade44aa7c6" + }, + { + "url": "https://git.kernel.org/stable/c/1723f04caacb32cadc4e063725d836a0c4450694" + }, + { + "url": "https://git.kernel.org/stable/c/519547760f16eae7803d2658d9524bc5ba7a20a7" + }, + { + "url": "https://git.kernel.org/stable/c/8111f902b7c95d75fc80c7e577f5045886c6b384" + }, + { + "url": "https://git.kernel.org/stable/c/cd94cac4069a763ab5206be2c64c9a8beae590ba" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41027 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41027", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix userfaultfd_api to return EINVAL as expected\n\nCurrently if we request a feature that is not set in the Kernel config we\nfail silently and return all the available features. However, the man\npage indicates we should return an EINVAL.\n\nWe need to fix this issue since we can end up with a Kernel warning should\na program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with\nthe config not set with this feature.\n\n [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660\n [ 200.820738] Modules linked in:\n [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8\n [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022\n [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41027\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41027\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41027\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41027\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41027\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14875fd5f9bcf60ac5518c63bfb676ade44aa7c6\",\n \"https://git.kernel.org/stable/c/1723f04caacb32cadc4e063725d836a0c4450694\",\n \"https://git.kernel.org/stable/c/519547760f16eae7803d2658d9524bc5ba7a20a7\",\n \"https://git.kernel.org/stable/c/8111f902b7c95d75fc80c7e577f5045886c6b384\",\n \"https://git.kernel.org/stable/c/cd94cac4069a763ab5206be2c64c9a8beae590ba\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nFix userfaultfd_api to return EINVAL as expected\\n\\nCurrently if we request a feature that is not set in the Kernel config we\\nfail silently and return all the available features. However, the man\\npage indicates we should return an EINVAL.\\n\\nWe need to fix this issue since we can end up with a Kernel warning should\\na program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with\\nthe config not set with this feature.\\n\\n [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660\\n [ 200.820738] Modules linked in:\\n [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8\\n [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022\\n [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41027\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41030", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41030" + }, + { + "url": "https://git.kernel.org/stable/c/198498b2049c0f11f7670be6974570e02b0cc035" + }, + { + "url": "https://git.kernel.org/stable/c/66cf853e1c7a2407f15d9f7aaa3e47d61745e361" + }, + { + "url": "https://git.kernel.org/stable/c/9e84b1ba5c98fb5c9f869c85db1d870354613baa" + }, + { + "url": "https://git.kernel.org/stable/c/e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41030 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41030", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: discard write access to the directory open\n\nmay_open() does not allow a directory to be opened with the write access.\nHowever, some writing flags set by client result in adding write access\non server, making ksmbd incompatible with FUSE file system. Simply, let's\ndiscard the write access when opening a directory.\n\nlist_add corruption. next is NULL.\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:26!\npc : __list_add_valid+0x88/0xbc\nlr : __list_add_valid+0x88/0xbc\nCall trace:\n__list_add_valid+0x88/0xbc\nfuse_finish_open+0x11c/0x170\nfuse_open_common+0x284/0x5e8\nfuse_dir_open+0x14/0x24\ndo_dentry_open+0x2a4/0x4e0\ndentry_open+0x50/0x80\nsmb2_open+0xbe4/0x15a4\nhandle_ksmbd_work+0x478/0x5ec\nprocess_one_work+0x1b4/0x448\nworker_thread+0x25c/0x430\nkthread+0x104/0x1d4\nret_from_fork+0x10/0x20", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41030\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41030\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41030\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41030\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41030\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/198498b2049c0f11f7670be6974570e02b0cc035\",\n \"https://git.kernel.org/stable/c/66cf853e1c7a2407f15d9f7aaa3e47d61745e361\",\n \"https://git.kernel.org/stable/c/9e84b1ba5c98fb5c9f869c85db1d870354613baa\",\n \"https://git.kernel.org/stable/c/e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: discard write access to the directory open\\n\\nmay_open() does not allow a directory to be opened with the write access.\\nHowever, some writing flags set by client result in adding write access\\non server, making ksmbd incompatible with FUSE file system. Simply, let's\\ndiscard the write access when opening a directory.\\n\\nlist_add corruption. next is NULL.\\n------------[ cut here ]------------\\nkernel BUG at lib/list_debug.c:26!\\npc : __list_add_valid+0x88/0xbc\\nlr : __list_add_valid+0x88/0xbc\\nCall trace:\\n__list_add_valid+0x88/0xbc\\nfuse_finish_open+0x11c/0x170\\nfuse_open_common+0x284/0x5e8\\nfuse_dir_open+0x14/0x24\\ndo_dentry_open+0x2a4/0x4e0\\ndentry_open+0x50/0x80\\nsmb2_open+0xbe4/0x15a4\\nhandle_ksmbd_work+0x478/0x5ec\\nprocess_one_work+0x1b4/0x448\\nworker_thread+0x25c/0x430\\nkthread+0x104/0x1d4\\nret_from_fork+0x10/0x20\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41030\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41031", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41031" + }, + { + "url": "https://git.kernel.org/stable/c/06b5a69c27ec405a3c3f2da8520ff1ee70b94a21" + }, + { + "url": "https://git.kernel.org/stable/c/1ef650d3b1b2a16473981b447f38705fe9b93972" + }, + { + "url": "https://git.kernel.org/stable/c/3390916aca7af1893ed2ebcdfee1d6fdb65bb058" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41031 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41031", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: skip to create PMD-sized page cache if needed\n\nOn ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The\nPMD-sized page cache can't be supported by xarray as the following error\nmessages indicate.\n\n------------[ cut here ]------------\nWARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \\\nfuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\nsha1_ce virtio_net net_failover virtio_console virtio_blk failover \\\ndimlib virtio_mmio\nCPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : xas_split_alloc+0xf8/0x128\nlr : split_huge_page_to_list_to_order+0x1c4/0x720\nsp : ffff800087a4f6c0\nx29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff\nx26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858\nx23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000\nx20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000\nx17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000\nx14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020\nx11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28\nx8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8\nx5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40\nx2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\nCall trace:\n xas_split_alloc+0xf8/0x128\n split_huge_page_to_list_to_order+0x1c4/0x720\n truncate_inode_partial_folio+0xdc/0x160\n truncate_inode_pages_range+0x1b4/0x4a8\n truncate_pagecache_range+0x84/0xa0\n xfs_flush_unmap_range+0x70/0x90 [xfs]\n xfs_file_fallocate+0xfc/0x4d8 [xfs]\n vfs_fallocate+0x124/0x2e8\n ksys_fallocate+0x4c/0xa0\n __arm64_sys_fallocate+0x24/0x38\n invoke_syscall.constprop.0+0x7c/0xd8\n do_el0_svc+0xb4/0xd0\n el0_svc+0x44/0x1d8\n el0t_64_sync_handler+0x134/0x150\n el0t_64_sync+0x17c/0x180\n\nFix it by skipping to allocate PMD-sized page cache when its size is\nlarger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to\nregular path where the readahead window is determined by BDI's sysfs file\n(read_ahead_kb).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41031\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41031\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41031\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41031\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41031\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06b5a69c27ec405a3c3f2da8520ff1ee70b94a21\",\n \"https://git.kernel.org/stable/c/1ef650d3b1b2a16473981b447f38705fe9b93972\",\n \"https://git.kernel.org/stable/c/3390916aca7af1893ed2ebcdfee1d6fdb65bb058\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/filemap: skip to create PMD-sized page cache if needed\\n\\nOn ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The\\nPMD-sized page cache can't be supported by xarray as the following error\\nmessages indicate.\\n\\n------------[ cut here ]------------\\nWARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\\\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\\\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\\\\nip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \\\\\\nfuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\\\\nsha1_ce virtio_net net_failover virtio_console virtio_blk failover \\\\\\ndimlib virtio_mmio\\nCPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9\\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\\npc : xas_split_alloc+0xf8/0x128\\nlr : split_huge_page_to_list_to_order+0x1c4/0x720\\nsp : ffff800087a4f6c0\\nx29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff\\nx26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858\\nx23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000\\nx20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000\\nx17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000\\nx14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020\\nx11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28\\nx8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8\\nx5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40\\nx2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\\nCall trace:\\n xas_split_alloc+0xf8/0x128\\n split_huge_page_to_list_to_order+0x1c4/0x720\\n truncate_inode_partial_folio+0xdc/0x160\\n truncate_inode_pages_range+0x1b4/0x4a8\\n truncate_pagecache_range+0x84/0xa0\\n xfs_flush_unmap_range+0x70/0x90 [xfs]\\n xfs_file_fallocate+0xfc/0x4d8 [xfs]\\n vfs_fallocate+0x124/0x2e8\\n ksys_fallocate+0x4c/0xa0\\n __arm64_sys_fallocate+0x24/0x38\\n invoke_syscall.constprop.0+0x7c/0xd8\\n do_el0_svc+0xb4/0xd0\\n el0_svc+0x44/0x1d8\\n el0t_64_sync_handler+0x134/0x150\\n el0t_64_sync+0x17c/0x180\\n\\nFix it by skipping to allocate PMD-sized page cache when its size is\\nlarger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to\\nregular path where the readahead window is determined by BDI's sysfs file\\n(read_ahead_kb).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41031\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41034", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41034" + }, + { + "url": "https://git.kernel.org/stable/c/1a8879c0771a68d70ee2e5e66eea34207e8c6231" + }, + { + "url": "https://git.kernel.org/stable/c/24c1c8566a9b6be51f5347be2ea76e25fc82b11e" + }, + { + "url": "https://git.kernel.org/stable/c/298cd810d7fb687c90a14d8f9fd1b8719a7cb8a5" + }, + { + "url": "https://git.kernel.org/stable/c/60f61514374e4a0c3b65b08c6024dd7e26150bfd" + }, + { + "url": "https://git.kernel.org/stable/c/7000b438dda9d0f41a956fc9bffed92d2eb6be0d" + }, + { + "url": "https://git.kernel.org/stable/c/a9a466a69b85059b341239766a10efdd3ee68a4b" + }, + { + "url": "https://git.kernel.org/stable/c/a9e1ddc09ca55746079cc479aa3eb6411f0d99d4" + }, + { + "url": "https://git.kernel.org/stable/c/ff9767ba2cb949701e45e6e4287f8af82986b703" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41034 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41034", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix kernel bug on rename operation of broken directory\n\nSyzbot reported that in rename directory operation on broken directory on\nnilfs2, __block_write_begin_int() called to prepare block write may fail\nBUG_ON check for access exceeding the folio/page size.\n\nThis is because nilfs_dotdot(), which gets parent directory reference\nentry (\"..\") of the directory to be moved or renamed, does not check\nconsistency enough, and may return location exceeding folio/page size for\nbroken directories.\n\nFix this issue by checking required directory entries (\".\" and \"..\") in\nthe first chunk of the directory in nilfs_dotdot().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41034\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41034\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41034\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41034\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41034\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a8879c0771a68d70ee2e5e66eea34207e8c6231\",\n \"https://git.kernel.org/stable/c/24c1c8566a9b6be51f5347be2ea76e25fc82b11e\",\n \"https://git.kernel.org/stable/c/298cd810d7fb687c90a14d8f9fd1b8719a7cb8a5\",\n \"https://git.kernel.org/stable/c/60f61514374e4a0c3b65b08c6024dd7e26150bfd\",\n \"https://git.kernel.org/stable/c/7000b438dda9d0f41a956fc9bffed92d2eb6be0d\",\n \"https://git.kernel.org/stable/c/a9a466a69b85059b341239766a10efdd3ee68a4b\",\n \"https://git.kernel.org/stable/c/a9e1ddc09ca55746079cc479aa3eb6411f0d99d4\",\n \"https://git.kernel.org/stable/c/ff9767ba2cb949701e45e6e4287f8af82986b703\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix kernel bug on rename operation of broken directory\\n\\nSyzbot reported that in rename directory operation on broken directory on\\nnilfs2, __block_write_begin_int() called to prepare block write may fail\\nBUG_ON check for access exceeding the folio/page size.\\n\\nThis is because nilfs_dotdot(), which gets parent directory reference\\nentry (\\\"..\\\") of the directory to be moved or renamed, does not check\\nconsistency enough, and may return location exceeding folio/page size for\\nbroken directories.\\n\\nFix this issue by checking required directory entries (\\\".\\\" and \\\"..\\\") in\\nthe first chunk of the directory in nilfs_dotdot().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41034\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41035", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41035" + }, + { + "url": "https://git.kernel.org/stable/c/2bd8534a1b83c65702aec3cab164170f8e584188" + }, + { + "url": "https://git.kernel.org/stable/c/37514a5c1251a8c5c95c323f55050736e7069ac7" + }, + { + "url": "https://git.kernel.org/stable/c/60abea505b726b38232a0ef410d2bd1994a77f78" + }, + { + "url": "https://git.kernel.org/stable/c/647d61aef106dbed9c70447bcddbd4968e67ca64" + }, + { + "url": "https://git.kernel.org/stable/c/9edcf317620d7c6a8354911b69b874cf89716646" + }, + { + "url": "https://git.kernel.org/stable/c/a368ecde8a5055b627749b09c6218ef793043e47" + }, + { + "url": "https://git.kernel.org/stable/c/d09dd21bb5215d583ca9a1cb1464dbc77a7e88cf" + }, + { + "url": "https://git.kernel.org/stable/c/d8418fd083d1b90a6c007cf8dcf81aeae274727b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41035 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41035", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor\n\nSyzbot has identified a bug in usbcore (see the Closes: tag below)\ncaused by our assumption that the reserved bits in an endpoint\ndescriptor's bEndpointAddress field will always be 0. As a result of\nthe bug, the endpoint_is_duplicate() routine in config.c (and possibly\nother routines as well) may believe that two descriptors are for\ndistinct endpoints, even though they have the same direction and\nendpoint number. This can lead to confusion, including the bug\nidentified by syzbot (two descriptors with matching endpoint numbers\nand directions, where one was interrupt and the other was bulk).\n\nTo fix the bug, we will clear the reserved bits in bEndpointAddress\nwhen we parse the descriptor. (Note that both the USB-2.0 and USB-3.1\nspecs say these bits are \"Reserved, reset to zero\".) This requires us\nto make a copy of the descriptor earlier in usb_parse_endpoint() and\nuse the copy instead of the original when checking for duplicates.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41035\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41035\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41035\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41035\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41035\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2bd8534a1b83c65702aec3cab164170f8e584188\",\n \"https://git.kernel.org/stable/c/37514a5c1251a8c5c95c323f55050736e7069ac7\",\n \"https://git.kernel.org/stable/c/60abea505b726b38232a0ef410d2bd1994a77f78\",\n \"https://git.kernel.org/stable/c/647d61aef106dbed9c70447bcddbd4968e67ca64\",\n \"https://git.kernel.org/stable/c/9edcf317620d7c6a8354911b69b874cf89716646\",\n \"https://git.kernel.org/stable/c/a368ecde8a5055b627749b09c6218ef793043e47\",\n \"https://git.kernel.org/stable/c/d09dd21bb5215d583ca9a1cb1464dbc77a7e88cf\",\n \"https://git.kernel.org/stable/c/d8418fd083d1b90a6c007cf8dcf81aeae274727b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor\\n\\nSyzbot has identified a bug in usbcore (see the Closes: tag below)\\ncaused by our assumption that the reserved bits in an endpoint\\ndescriptor's bEndpointAddress field will always be 0. As a result of\\nthe bug, the endpoint_is_duplicate() routine in config.c (and possibly\\nother routines as well) may believe that two descriptors are for\\ndistinct endpoints, even though they have the same direction and\\nendpoint number. This can lead to confusion, including the bug\\nidentified by syzbot (two descriptors with matching endpoint numbers\\nand directions, where one was interrupt and the other was bulk).\\n\\nTo fix the bug, we will clear the reserved bits in bEndpointAddress\\nwhen we parse the descriptor. (Note that both the USB-2.0 and USB-3.1\\nspecs say these bits are \\\"Reserved, reset to zero\\\".) This requires us\\nto make a copy of the descriptor earlier in usb_parse_endpoint() and\\nuse the copy instead of the original when checking for duplicates.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41035\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41036", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41036" + }, + { + "url": "https://git.kernel.org/stable/c/0913ec336a6c0c4a2b296bd9f74f8e41c4c83c8c" + }, + { + "url": "https://git.kernel.org/stable/c/10fec0cd0e8f56ff06c46bb24254c7d8f8f2bbf0" + }, + { + "url": "https://git.kernel.org/stable/c/80ece00137300d74642f2038c8fe5440deaf9f05" + }, + { + "url": "https://git.kernel.org/stable/c/a0c69c492f4a8fad52f0a97565241c926160c9a4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41036 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41036", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Fix deadlock with the SPI chip variant\n\nWhen SMP is enabled and spinlocks are actually functional then there is\na deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi\nand ks8851_irq:\n\n watchdog: BUG: soft lockup - CPU#0 stuck for 27s!\n call trace:\n queued_spin_lock_slowpath+0x100/0x284\n do_raw_spin_lock+0x34/0x44\n ks8851_start_xmit_spi+0x30/0xb8\n ks8851_start_xmit+0x14/0x20\n netdev_start_xmit+0x40/0x6c\n dev_hard_start_xmit+0x6c/0xbc\n sch_direct_xmit+0xa4/0x22c\n __qdisc_run+0x138/0x3fc\n qdisc_run+0x24/0x3c\n net_tx_action+0xf8/0x130\n handle_softirqs+0x1ac/0x1f0\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x3c/0x58\n do_softirq_own_stack+0x1c/0x28\n __irq_exit_rcu+0x54/0x9c\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x38/0x50\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x64/0x68\n __netif_schedule+0x6c/0x80\n netif_tx_wake_queue+0x38/0x48\n ks8851_irq+0xb8/0x2c8\n irq_thread_fn+0x2c/0x74\n irq_thread+0x10c/0x1b0\n kthread+0xc8/0xd8\n ret_from_fork+0x10/0x20\n\nThis issue has not been identified earlier because tests were done on\na device with SMP disabled and so spinlocks were actually NOPs.\n\nNow use spin_(un)lock_bh for TX queue related locking to avoid execution\nof softirq work synchronously that would lead to a deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41036\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41036\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41036\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41036\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41036\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0913ec336a6c0c4a2b296bd9f74f8e41c4c83c8c\",\n \"https://git.kernel.org/stable/c/10fec0cd0e8f56ff06c46bb24254c7d8f8f2bbf0\",\n \"https://git.kernel.org/stable/c/80ece00137300d74642f2038c8fe5440deaf9f05\",\n \"https://git.kernel.org/stable/c/a0c69c492f4a8fad52f0a97565241c926160c9a4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ks8851: Fix deadlock with the SPI chip variant\\n\\nWhen SMP is enabled and spinlocks are actually functional then there is\\na deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi\\nand ks8851_irq:\\n\\n watchdog: BUG: soft lockup - CPU#0 stuck for 27s!\\n call trace:\\n queued_spin_lock_slowpath+0x100/0x284\\n do_raw_spin_lock+0x34/0x44\\n ks8851_start_xmit_spi+0x30/0xb8\\n ks8851_start_xmit+0x14/0x20\\n netdev_start_xmit+0x40/0x6c\\n dev_hard_start_xmit+0x6c/0xbc\\n sch_direct_xmit+0xa4/0x22c\\n __qdisc_run+0x138/0x3fc\\n qdisc_run+0x24/0x3c\\n net_tx_action+0xf8/0x130\\n handle_softirqs+0x1ac/0x1f0\\n __do_softirq+0x14/0x20\\n ____do_softirq+0x10/0x1c\\n call_on_irq_stack+0x3c/0x58\\n do_softirq_own_stack+0x1c/0x28\\n __irq_exit_rcu+0x54/0x9c\\n irq_exit_rcu+0x10/0x1c\\n el1_interrupt+0x38/0x50\\n el1h_64_irq_handler+0x18/0x24\\n el1h_64_irq+0x64/0x68\\n __netif_schedule+0x6c/0x80\\n netif_tx_wake_queue+0x38/0x48\\n ks8851_irq+0xb8/0x2c8\\n irq_thread_fn+0x2c/0x74\\n irq_thread+0x10c/0x1b0\\n kthread+0xc8/0xd8\\n ret_from_fork+0x10/0x20\\n\\nThis issue has not been identified earlier because tests were done on\\na device with SMP disabled and so spinlocks were actually NOPs.\\n\\nNow use spin_(un)lock_bh for TX queue related locking to avoid execution\\nof softirq work synchronously that would lead to a deadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41036\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41040", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41040" + }, + { + "url": "https://git.kernel.org/stable/c/26488172b0292bed837b95a006a3f3431d1898c3" + }, + { + "url": "https://git.kernel.org/stable/c/2b4d68df3f57ea746c430941ba9c03d7d8b5a23f" + }, + { + "url": "https://git.kernel.org/stable/c/4e71b10a100861fb27d9c5755dfd68f615629fae" + }, + { + "url": "https://git.kernel.org/stable/c/799a34901b634008db4a7ece3900e2b971d4c932" + }, + { + "url": "https://git.kernel.org/stable/c/b81a523d54ea689414f67c9fb81a5b917a41ed55" + }, + { + "url": "https://git.kernel.org/stable/c/ef472cc6693b16b202a916482df72f35d94bd69e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41040 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41040", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix UAF when resolving a clash\n\nKASAN reports the following UAF:\n\n BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n Read of size 1 at addr ffff888c07603600 by task handler130/6469\n\n Call Trace:\n \n dump_stack_lvl+0x48/0x70\n print_address_description.constprop.0+0x33/0x3d0\n print_report+0xc0/0x2b0\n kasan_report+0xd0/0x120\n __asan_load1+0x6c/0x80\n tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n tcf_ct_act+0x886/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n __irq_exit_rcu+0x82/0xc0\n irq_exit_rcu+0xe/0x20\n common_interrupt+0xa1/0xb0\n \n \n asm_common_interrupt+0x27/0x40\n\n Allocated by task 6469:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x25/0x40\n kasan_save_alloc_info+0x1e/0x40\n __kasan_krealloc+0x133/0x190\n krealloc+0xaa/0x130\n nf_ct_ext_add+0xed/0x230 [nf_conntrack]\n tcf_ct_act+0x1095/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n\n Freed by task 6469:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x25/0x40\n kasan_save_free_info+0x2b/0x60\n ____kasan_slab_free+0x180/0x1f0\n __kasan_slab_free+0x12/0x30\n slab_free_freelist_hook+0xd2/0x1a0\n __kmem_cache_free+0x1a2/0x2f0\n kfree+0x78/0x120\n nf_conntrack_free+0x74/0x130 [nf_conntrack]\n nf_ct_destroy+0xb2/0x140 [nf_conntrack]\n __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]\n nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]\n __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]\n tcf_ct_act+0x12ad/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n\nThe ct may be dropped if a clash has been resolved but is still passed to\nthe tcf_ct_flow_table_process_conn function for further usage. This issue\ncan be fixed by retrieving ct from skb again after confirming conntrack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41040\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41040\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41040\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41040\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41040\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/26488172b0292bed837b95a006a3f3431d1898c3\",\n \"https://git.kernel.org/stable/c/2b4d68df3f57ea746c430941ba9c03d7d8b5a23f\",\n \"https://git.kernel.org/stable/c/4e71b10a100861fb27d9c5755dfd68f615629fae\",\n \"https://git.kernel.org/stable/c/799a34901b634008db4a7ece3900e2b971d4c932\",\n \"https://git.kernel.org/stable/c/b81a523d54ea689414f67c9fb81a5b917a41ed55\",\n \"https://git.kernel.org/stable/c/ef472cc6693b16b202a916482df72f35d94bd69e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: Fix UAF when resolving a clash\\n\\nKASAN reports the following UAF:\\n\\n BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\\n Read of size 1 at addr ffff888c07603600 by task handler130/6469\\n\\n Call Trace:\\n \\n dump_stack_lvl+0x48/0x70\\n print_address_description.constprop.0+0x33/0x3d0\\n print_report+0xc0/0x2b0\\n kasan_report+0xd0/0x120\\n __asan_load1+0x6c/0x80\\n tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\\n tcf_ct_act+0x886/0x1350 [act_ct]\\n tcf_action_exec+0xf8/0x1f0\\n fl_classify+0x355/0x360 [cls_flower]\\n __tcf_classify+0x1fd/0x330\\n tcf_classify+0x21c/0x3c0\\n sch_handle_ingress.constprop.0+0x2c5/0x500\\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\\n __netif_receive_skb_list_core+0x220/0x4c0\\n netif_receive_skb_list_internal+0x446/0x620\\n napi_complete_done+0x157/0x3d0\\n gro_cell_poll+0xcf/0x100\\n __napi_poll+0x65/0x310\\n net_rx_action+0x30c/0x5c0\\n __do_softirq+0x14f/0x491\\n __irq_exit_rcu+0x82/0xc0\\n irq_exit_rcu+0xe/0x20\\n common_interrupt+0xa1/0xb0\\n \\n \\n asm_common_interrupt+0x27/0x40\\n\\n Allocated by task 6469:\\n kasan_save_stack+0x38/0x70\\n kasan_set_track+0x25/0x40\\n kasan_save_alloc_info+0x1e/0x40\\n __kasan_krealloc+0x133/0x190\\n krealloc+0xaa/0x130\\n nf_ct_ext_add+0xed/0x230 [nf_conntrack]\\n tcf_ct_act+0x1095/0x1350 [act_ct]\\n tcf_action_exec+0xf8/0x1f0\\n fl_classify+0x355/0x360 [cls_flower]\\n __tcf_classify+0x1fd/0x330\\n tcf_classify+0x21c/0x3c0\\n sch_handle_ingress.constprop.0+0x2c5/0x500\\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\\n __netif_receive_skb_list_core+0x220/0x4c0\\n netif_receive_skb_list_internal+0x446/0x620\\n napi_complete_done+0x157/0x3d0\\n gro_cell_poll+0xcf/0x100\\n __napi_poll+0x65/0x310\\n net_rx_action+0x30c/0x5c0\\n __do_softirq+0x14f/0x491\\n\\n Freed by task 6469:\\n kasan_save_stack+0x38/0x70\\n kasan_set_track+0x25/0x40\\n kasan_save_free_info+0x2b/0x60\\n ____kasan_slab_free+0x180/0x1f0\\n __kasan_slab_free+0x12/0x30\\n slab_free_freelist_hook+0xd2/0x1a0\\n __kmem_cache_free+0x1a2/0x2f0\\n kfree+0x78/0x120\\n nf_conntrack_free+0x74/0x130 [nf_conntrack]\\n nf_ct_destroy+0xb2/0x140 [nf_conntrack]\\n __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]\\n nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]\\n __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]\\n tcf_ct_act+0x12ad/0x1350 [act_ct]\\n tcf_action_exec+0xf8/0x1f0\\n fl_classify+0x355/0x360 [cls_flower]\\n __tcf_classify+0x1fd/0x330\\n tcf_classify+0x21c/0x3c0\\n sch_handle_ingress.constprop.0+0x2c5/0x500\\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\\n __netif_receive_skb_list_core+0x220/0x4c0\\n netif_receive_skb_list_internal+0x446/0x620\\n napi_complete_done+0x157/0x3d0\\n gro_cell_poll+0xcf/0x100\\n __napi_poll+0x65/0x310\\n net_rx_action+0x30c/0x5c0\\n __do_softirq+0x14f/0x491\\n\\nThe ct may be dropped if a clash has been resolved but is still passed to\\nthe tcf_ct_flow_table_process_conn function for further usage. This issue\\ncan be fixed by retrieving ct from skb again after confirming conntrack.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41040\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41041", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41041" + }, + { + "url": "https://git.kernel.org/stable/c/20ceae10623c3b29fdf7609690849475bcdebdb0" + }, + { + "url": "https://git.kernel.org/stable/c/5c0b485a8c6116516f33925b9ce5b6104a6eadfd" + }, + { + "url": "https://git.kernel.org/stable/c/7a67c4e47626e6daccda62888f8b096abb5d3940" + }, + { + "url": "https://git.kernel.org/stable/c/9f965684c57c3117cfd2f754dd3270383c529fba" + }, + { + "url": "https://git.kernel.org/stable/c/a6db0d3ea6536e7120871e5448b3032570152ec6" + }, + { + "url": "https://git.kernel.org/stable/c/c5fd77ca13d657c6e99bf04f0917445e6a80231e" + }, + { + "url": "https://git.kernel.org/stable/c/ddf516e50bf8a7bc9b3bd8a9831f9c7a8131a32a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41041 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41041", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().\n\nsyzkaller triggered the warning [0] in udp_v4_early_demux().\n\nIn udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount\nof the looked-up sk and use sock_pfree() as skb->destructor, so we check\nSOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace\nperiod.\n\nCurrently, SOCK_RCU_FREE is flagged for a bound socket after being put\ninto the hash table. Moreover, the SOCK_RCU_FREE check is done too early\nin udp_v[46]_early_demux() and sk_lookup(), so there could be a small race\nwindow:\n\n CPU1 CPU2\n ---- ----\n udp_v4_early_demux() udp_lib_get_port()\n | |- hlist_add_head_rcu()\n |- sk = __udp4_lib_demux_lookup() |\n |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));\n `- sock_set_flag(sk, SOCK_RCU_FREE)\n\nWe had the same bug in TCP and fixed it in commit 871019b22d1b (\"net:\nset SOCK_RCU_FREE before inserting socket into hashtable\").\n\nLet's apply the same fix for UDP.\n\n[0]:\nWARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nModules linked in:\nCPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nCode: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52\nRSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c\nRDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001\nRBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680\nR13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e\nFS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nPKRU: 55555554\nCall Trace:\n \n ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349\n ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624\n __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738\n netif_receive_skb_internal net/core/dev.c:5824 [inline]\n netif_receive_skb+0x271/0x300 net/core/dev.c:5884\n tun_rx_batched drivers/net/tun.c:1549 [inline]\n tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002\n tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x76f/0x8d0 fs/read_write.c:590\n ksys_write+0xbf/0x190 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x41/0x50 fs/read_write.c:652\n x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7fc44a68bc1f\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48\nRSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f\nR\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41041\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41041\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41041\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41041\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41041\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/20ceae10623c3b29fdf7609690849475bcdebdb0\",\n \"https://git.kernel.org/stable/c/5c0b485a8c6116516f33925b9ce5b6104a6eadfd\",\n \"https://git.kernel.org/stable/c/7a67c4e47626e6daccda62888f8b096abb5d3940\",\n \"https://git.kernel.org/stable/c/9f965684c57c3117cfd2f754dd3270383c529fba\",\n \"https://git.kernel.org/stable/c/a6db0d3ea6536e7120871e5448b3032570152ec6\",\n \"https://git.kernel.org/stable/c/c5fd77ca13d657c6e99bf04f0917445e6a80231e\",\n \"https://git.kernel.org/stable/c/ddf516e50bf8a7bc9b3bd8a9831f9c7a8131a32a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nudp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().\\n\\nsyzkaller triggered the warning [0] in udp_v4_early_demux().\\n\\nIn udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount\\nof the looked-up sk and use sock_pfree() as skb->destructor, so we check\\nSOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace\\nperiod.\\n\\nCurrently, SOCK_RCU_FREE is flagged for a bound socket after being put\\ninto the hash table. Moreover, the SOCK_RCU_FREE check is done too early\\nin udp_v[46]_early_demux() and sk_lookup(), so there could be a small race\\nwindow:\\n\\n CPU1 CPU2\\n ---- ----\\n udp_v4_early_demux() udp_lib_get_port()\\n | |- hlist_add_head_rcu()\\n |- sk = __udp4_lib_demux_lookup() |\\n |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));\\n `- sock_set_flag(sk, SOCK_RCU_FREE)\\n\\nWe had the same bug in TCP and fixed it in commit 871019b22d1b (\\\"net:\\nset SOCK_RCU_FREE before inserting socket into hashtable\\\").\\n\\nLet's apply the same fix for UDP.\\n\\n[0]:\\nWARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\\nModules linked in:\\nCPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\nRIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\\nCode: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52\\nRSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293\\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c\\nRDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001\\nRBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680\\nR13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e\\nFS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\\nPKRU: 55555554\\nCall Trace:\\n \\n ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349\\n ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447\\n NF_HOOK include/linux/netfilter.h:314 [inline]\\n NF_HOOK include/linux/netfilter.h:308 [inline]\\n ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569\\n __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624\\n __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738\\n netif_receive_skb_internal net/core/dev.c:5824 [inline]\\n netif_receive_skb+0x271/0x300 net/core/dev.c:5884\\n tun_rx_batched drivers/net/tun.c:1549 [inline]\\n tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002\\n tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0x76f/0x8d0 fs/read_write.c:590\\n ksys_write+0xbf/0x190 fs/read_write.c:643\\n __do_sys_write fs/read_write.c:655 [inline]\\n __se_sys_write fs/read_write.c:652 [inline]\\n __x64_sys_write+0x41/0x50 fs/read_write.c:652\\n x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\\nRIP: 0033:0x7fc44a68bc1f\\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48\\nRSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\\nRAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f\\nR\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41041\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41042", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41042" + }, + { + "url": "https://git.kernel.org/stable/c/1947e4c3346faa8ac7e343652c0fd3b3e394202f" + }, + { + "url": "https://git.kernel.org/stable/c/31c35f9f89ef585f1edb53e17ac73a0ca4a9712b" + }, + { + "url": "https://git.kernel.org/stable/c/717c91c6ed73e248de6a15bc53adefb81446c9d0" + }, + { + "url": "https://git.kernel.org/stable/c/8246b7466c8da49d0d9e85e26cbd69dd6d3e3d1e" + }, + { + "url": "https://git.kernel.org/stable/c/9df785aeb7dcc8efd1d4110bb27d26005298ebae" + }, + { + "url": "https://git.kernel.org/stable/c/b6b6e430470e1c3c5513311cb35a15a205595abe" + }, + { + "url": "https://git.kernel.org/stable/c/cd4348e0a50286282c314ad6d2b0740e7c812c24" + }, + { + "url": "https://git.kernel.org/stable/c/cff3bd012a9512ac5ed858d38e6ed65f6391008c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41042 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41042", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prefer nft_chain_validate\n\nnft_chain_validate already performs loop detection because a cycle will\nresult in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).\n\nIt also follows maps via ->validate callback in nft_lookup, so there\nappears no reason to iterate the maps again.\n\nnf_tables_check_loops() and all its helper functions can be removed.\nThis improves ruleset load time significantly, from 23s down to 12s.\n\nThis also fixes a crash bug. Old loop detection code can result in\nunbounded recursion:\n\nBUG: TASK stack guard page was hit at ....\nOops: stack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1\n[..]\n\nwith a suitable ruleset during validation of register stores.\n\nI can't see any actual reason to attempt to check for this from\nnft_validate_register_store(), at this point the transaction is still in\nprogress, so we don't have a full picture of the rule graph.\n\nFor nf-next it might make sense to either remove it or make this depend\non table->validate_state in case we could catch an error earlier\n(for improved error reporting to userspace).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41042\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41042\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41042\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41042\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41042\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1947e4c3346faa8ac7e343652c0fd3b3e394202f\",\n \"https://git.kernel.org/stable/c/31c35f9f89ef585f1edb53e17ac73a0ca4a9712b\",\n \"https://git.kernel.org/stable/c/717c91c6ed73e248de6a15bc53adefb81446c9d0\",\n \"https://git.kernel.org/stable/c/8246b7466c8da49d0d9e85e26cbd69dd6d3e3d1e\",\n \"https://git.kernel.org/stable/c/9df785aeb7dcc8efd1d4110bb27d26005298ebae\",\n \"https://git.kernel.org/stable/c/b6b6e430470e1c3c5513311cb35a15a205595abe\",\n \"https://git.kernel.org/stable/c/cd4348e0a50286282c314ad6d2b0740e7c812c24\",\n \"https://git.kernel.org/stable/c/cff3bd012a9512ac5ed858d38e6ed65f6391008c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: prefer nft_chain_validate\\n\\nnft_chain_validate already performs loop detection because a cycle will\\nresult in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).\\n\\nIt also follows maps via ->validate callback in nft_lookup, so there\\nappears no reason to iterate the maps again.\\n\\nnf_tables_check_loops() and all its helper functions can be removed.\\nThis improves ruleset load time significantly, from 23s down to 12s.\\n\\nThis also fixes a crash bug. Old loop detection code can result in\\nunbounded recursion:\\n\\nBUG: TASK stack guard page was hit at ....\\nOops: stack guard page: 0000 [#1] PREEMPT SMP KASAN\\nCPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1\\n[..]\\n\\nwith a suitable ruleset during validation of register stores.\\n\\nI can't see any actual reason to attempt to check for this from\\nnft_validate_register_store(), at this point the transaction is still in\\nprogress, so we don't have a full picture of the rule graph.\\n\\nFor nf-next it might make sense to either remove it or make this depend\\non table->validate_state in case we could catch an error earlier\\n(for improved error reporting to userspace).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41042\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41044", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41044" + }, + { + "url": "https://git.kernel.org/stable/c/099502ca410922b56353ccef2749bc0de669da78" + }, + { + "url": "https://git.kernel.org/stable/c/3134bdf7356ed952dcecb480861d2afcc1e40492" + }, + { + "url": "https://git.kernel.org/stable/c/3ba12c2afd933fc1bf800f6d3f6c7ec8f602ce56" + }, + { + "url": "https://git.kernel.org/stable/c/6e8f1c21174f9482033bbb59f13ce1a8cbe843c3" + }, + { + "url": "https://git.kernel.org/stable/c/97d1efd8be26615ff680cdde86937d5943138f37" + }, + { + "url": "https://git.kernel.org/stable/c/d683e7f3fc48f59576af34631b4fb07fd931343e" + }, + { + "url": "https://git.kernel.org/stable/c/ebc5c630457783d17d0c438b0ad70b232a64a82f" + }, + { + "url": "https://git.kernel.org/stable/c/f2aeb7306a898e1cbd03963d376f4b6656ca2b55" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41044 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41044", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: reject claimed-as-LCP but actually malformed packets\n\nSince 'ppp_async_encode()' assumes valid LCP packets (with code\nfrom 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that\nLCP packet has an actual body beyond PPP_LCP header bytes, and\nreject claimed-as-LCP but actually malformed data otherwise.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41044\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41044\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41044\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41044\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41044\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/099502ca410922b56353ccef2749bc0de669da78\",\n \"https://git.kernel.org/stable/c/3134bdf7356ed952dcecb480861d2afcc1e40492\",\n \"https://git.kernel.org/stable/c/3ba12c2afd933fc1bf800f6d3f6c7ec8f602ce56\",\n \"https://git.kernel.org/stable/c/6e8f1c21174f9482033bbb59f13ce1a8cbe843c3\",\n \"https://git.kernel.org/stable/c/97d1efd8be26615ff680cdde86937d5943138f37\",\n \"https://git.kernel.org/stable/c/d683e7f3fc48f59576af34631b4fb07fd931343e\",\n \"https://git.kernel.org/stable/c/ebc5c630457783d17d0c438b0ad70b232a64a82f\",\n \"https://git.kernel.org/stable/c/f2aeb7306a898e1cbd03963d376f4b6656ca2b55\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nppp: reject claimed-as-LCP but actually malformed packets\\n\\nSince 'ppp_async_encode()' assumes valid LCP packets (with code\\nfrom 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that\\nLCP packet has an actual body beyond PPP_LCP header bytes, and\\nreject claimed-as-LCP but actually malformed data otherwise.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41044\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41045", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41045" + }, + { + "url": "https://git.kernel.org/stable/c/7aa5a19279c3639ae8b758b63f05d0c616a39fa1" + }, + { + "url": "https://git.kernel.org/stable/c/a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41045 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41045", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Defer work in bpf_timer_cancel_and_free\n\nCurrently, the same case as previous patch (two timer callbacks trying\nto cancel each other) can be invoked through bpf_map_update_elem as\nwell, or more precisely, freeing map elements containing timers. Since\nthis relies on hrtimer_cancel as well, it is prone to the same deadlock\nsituation as the previous patch.\n\nIt would be sufficient to use hrtimer_try_to_cancel to fix this problem,\nas the timer cannot be enqueued after async_cancel_and_free. Once\nasync_cancel_and_free has been done, the timer must be reinitialized\nbefore it can be armed again. The callback running in parallel trying to\narm the timer will fail, and freeing bpf_hrtimer without waiting is\nsufficient (given kfree_rcu), and bpf_timer_cb will return\nHRTIMER_NORESTART, preventing the timer from being rearmed again.\n\nHowever, there exists a UAF scenario where the callback arms the timer\nbefore entering this function, such that if cancellation fails (due to\ntimer callback invoking this routine, or the target timer callback\nrunning concurrently). In such a case, if the timer expiration is\nsignificantly far in the future, the RCU grace period expiration\nhappening before it will free the bpf_hrtimer state and along with it\nthe struct hrtimer, that is enqueued.\n\nHence, it is clear cancellation needs to occur after\nasync_cancel_and_free, and yet it cannot be done inline due to deadlock\nissues. We thus modify bpf_timer_cancel_and_free to defer work to the\nglobal workqueue, adding a work_struct alongside rcu_head (both used at\n_different_ points of time, so can share space).\n\nUpdate existing code comments to reflect the new state of affairs.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41045\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41045\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41045\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41045\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41045\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7aa5a19279c3639ae8b758b63f05d0c616a39fa1\",\n \"https://git.kernel.org/stable/c/a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Defer work in bpf_timer_cancel_and_free\\n\\nCurrently, the same case as previous patch (two timer callbacks trying\\nto cancel each other) can be invoked through bpf_map_update_elem as\\nwell, or more precisely, freeing map elements containing timers. Since\\nthis relies on hrtimer_cancel as well, it is prone to the same deadlock\\nsituation as the previous patch.\\n\\nIt would be sufficient to use hrtimer_try_to_cancel to fix this problem,\\nas the timer cannot be enqueued after async_cancel_and_free. Once\\nasync_cancel_and_free has been done, the timer must be reinitialized\\nbefore it can be armed again. The callback running in parallel trying to\\narm the timer will fail, and freeing bpf_hrtimer without waiting is\\nsufficient (given kfree_rcu), and bpf_timer_cb will return\\nHRTIMER_NORESTART, preventing the timer from being rearmed again.\\n\\nHowever, there exists a UAF scenario where the callback arms the timer\\nbefore entering this function, such that if cancellation fails (due to\\ntimer callback invoking this routine, or the target timer callback\\nrunning concurrently). In such a case, if the timer expiration is\\nsignificantly far in the future, the RCU grace period expiration\\nhappening before it will free the bpf_hrtimer state and along with it\\nthe struct hrtimer, that is enqueued.\\n\\nHence, it is clear cancellation needs to occur after\\nasync_cancel_and_free, and yet it cannot be done inline due to deadlock\\nissues. We thus modify bpf_timer_cancel_and_free to defer work to the\\nglobal workqueue, adding a work_struct alongside rcu_head (both used at\\n_different_ points of time, so can share space).\\n\\nUpdate existing code comments to reflect the new state of affairs.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41045\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41046", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41046" + }, + { + "url": "https://git.kernel.org/stable/c/1a2db00a554cfda57c397cce79b2804bf9633fec" + }, + { + "url": "https://git.kernel.org/stable/c/22b16618a80858b3a9d607708444426948cc4ae1" + }, + { + "url": "https://git.kernel.org/stable/c/69ad5fa0ce7c548262e0770fc2b726fe7ab4f156" + }, + { + "url": "https://git.kernel.org/stable/c/84aaaa796a19195fc59290154fef9aeb1fba964f" + }, + { + "url": "https://git.kernel.org/stable/c/907443174e76b854d28024bd079f0e53b94dc9a1" + }, + { + "url": "https://git.kernel.org/stable/c/9d23909ae041761cb2aa0c3cb1748598d8b6bc54" + }, + { + "url": "https://git.kernel.org/stable/c/c2b66e2b3939af63699e4a4bd25a8ac4a9b1d1b3" + }, + { + "url": "https://git.kernel.org/stable/c/e1533b6319ab9c3a97dad314dd88b3783bc41b69" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41046 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41046", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: lantiq_etop: fix double free in detach\n\nThe number of the currently released descriptor is never incremented\nwhich results in the same skb being released multiple times.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41046\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41046\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41046\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41046\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41046\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a2db00a554cfda57c397cce79b2804bf9633fec\",\n \"https://git.kernel.org/stable/c/22b16618a80858b3a9d607708444426948cc4ae1\",\n \"https://git.kernel.org/stable/c/69ad5fa0ce7c548262e0770fc2b726fe7ab4f156\",\n \"https://git.kernel.org/stable/c/84aaaa796a19195fc59290154fef9aeb1fba964f\",\n \"https://git.kernel.org/stable/c/907443174e76b854d28024bd079f0e53b94dc9a1\",\n \"https://git.kernel.org/stable/c/9d23909ae041761cb2aa0c3cb1748598d8b6bc54\",\n \"https://git.kernel.org/stable/c/c2b66e2b3939af63699e4a4bd25a8ac4a9b1d1b3\",\n \"https://git.kernel.org/stable/c/e1533b6319ab9c3a97dad314dd88b3783bc41b69\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ethernet: lantiq_etop: fix double free in detach\\n\\nThe number of the currently released descriptor is never incremented\\nwhich results in the same skb being released multiple times.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41046\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41047", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41047" + }, + { + "url": "https://git.kernel.org/stable/c/0075b8c94d76830c7b6f018f6e4eeb0bf6465fdc" + }, + { + "url": "https://git.kernel.org/stable/c/01fc5142ae6b06b61ed51a624f2732d6525d8ea3" + }, + { + "url": "https://git.kernel.org/stable/c/4bc336b2345f1485438c0eb7246d9c8a8d09f8ff" + }, + { + "url": "https://git.kernel.org/stable/c/5266302cb2c74d8ab0e9a69d5752fffaea70496e" + }, + { + "url": "https://git.kernel.org/stable/c/b399a68054dfb36eed121846ef5fcddba40b7740" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41047 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41047", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix XDP program unloading while removing the driver\n\nThe commit 6533e558c650 (\"i40e: Fix reset path while removing\nthe driver\") introduced a new PF state \"__I40E_IN_REMOVE\" to block\nmodifying the XDP program while the driver is being removed.\nUnfortunately, such a change is useful only if the \".ndo_bpf()\"\ncallback was called out of the rmmod context because unloading the\nexisting XDP program is also a part of driver removing procedure.\nIn other words, from the rmmod context the driver is expected to\nunload the XDP program without reporting any errors. Otherwise,\nthe kernel warning with callstack is printed out to dmesg.\n\nExample failing scenario:\n 1. Load the i40e driver.\n 2. Load the XDP program.\n 3. Unload the i40e driver (using \"rmmod\" command).\n\nThe example kernel warning log:\n\n[ +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[ +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[ +0.002726] Call Trace:\n[ +0.002457] \n[ +0.002119] ? __warn+0x80/0x120\n[ +0.003245] ? unregister_netdevice_many_notify+0x7a9/0x870\n[ +0.005586] ? report_bug+0x164/0x190\n[ +0.003678] ? handle_bug+0x3c/0x80\n[ +0.003503] ? exc_invalid_op+0x17/0x70\n[ +0.003846] ? asm_exc_invalid_op+0x1a/0x20\n[ +0.004200] ? unregister_netdevice_many_notify+0x7a9/0x870\n[ +0.005579] ? unregister_netdevice_many_notify+0x3cc/0x870\n[ +0.005586] unregister_netdevice_queue+0xf7/0x140\n[ +0.004806] unregister_netdev+0x1c/0x30\n[ +0.003933] i40e_vsi_release+0x87/0x2f0 [i40e]\n[ +0.004604] i40e_remove+0x1a1/0x420 [i40e]\n[ +0.004220] pci_device_remove+0x3f/0xb0\n[ +0.003943] device_release_driver_internal+0x19f/0x200\n[ +0.005243] driver_detach+0x48/0x90\n[ +0.003586] bus_remove_driver+0x6d/0xf0\n[ +0.003939] pci_unregister_driver+0x2e/0xb0\n[ +0.004278] i40e_exit_module+0x10/0x5f0 [i40e]\n[ +0.004570] __do_sys_delete_module.isra.0+0x197/0x310\n[ +0.005153] do_syscall_64+0x85/0x170\n[ +0.003684] ? syscall_exit_to_user_mode+0x69/0x220\n[ +0.004886] ? do_syscall_64+0x95/0x170\n[ +0.003851] ? exc_page_fault+0x7e/0x180\n[ +0.003932] entry_SYSCALL_64_after_hwframe+0x71/0x79\n[ +0.005064] RIP: 0033:0x7f59dc9347cb\n[ +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83\nc8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f\n05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48\n[ +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n[ +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb\n[ +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748\n[ +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000\n[ +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000\n[ +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000\n[ +0.007151] \n[ +0.002204] ---[ end trace 0000000000000000 ]---\n\nFix this by checking if the XDP program is being loaded or unloaded.\nThen, block only loading a new program while \"__I40E_IN_REMOVE\" is set.\nAlso, move testing \"__I40E_IN_REMOVE\" flag to the beginning of XDP_SETUP\ncallback to avoid unnecessary operations and checks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41047\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41047\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41047\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41047\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41047\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0075b8c94d76830c7b6f018f6e4eeb0bf6465fdc\",\n \"https://git.kernel.org/stable/c/01fc5142ae6b06b61ed51a624f2732d6525d8ea3\",\n \"https://git.kernel.org/stable/c/4bc336b2345f1485438c0eb7246d9c8a8d09f8ff\",\n \"https://git.kernel.org/stable/c/5266302cb2c74d8ab0e9a69d5752fffaea70496e\",\n \"https://git.kernel.org/stable/c/b399a68054dfb36eed121846ef5fcddba40b7740\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni40e: Fix XDP program unloading while removing the driver\\n\\nThe commit 6533e558c650 (\\\"i40e: Fix reset path while removing\\nthe driver\\\") introduced a new PF state \\\"__I40E_IN_REMOVE\\\" to block\\nmodifying the XDP program while the driver is being removed.\\nUnfortunately, such a change is useful only if the \\\".ndo_bpf()\\\"\\ncallback was called out of the rmmod context because unloading the\\nexisting XDP program is also a part of driver removing procedure.\\nIn other words, from the rmmod context the driver is expected to\\nunload the XDP program without reporting any errors. Otherwise,\\nthe kernel warning with callstack is printed out to dmesg.\\n\\nExample failing scenario:\\n 1. Load the i40e driver.\\n 2. Load the XDP program.\\n 3. Unload the i40e driver (using \\\"rmmod\\\" command).\\n\\nThe example kernel warning log:\\n\\n[ +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870\\n[...]\\n[ +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870\\n[...]\\n[ +0.002726] Call Trace:\\n[ +0.002457] \\n[ +0.002119] ? __warn+0x80/0x120\\n[ +0.003245] ? unregister_netdevice_many_notify+0x7a9/0x870\\n[ +0.005586] ? report_bug+0x164/0x190\\n[ +0.003678] ? handle_bug+0x3c/0x80\\n[ +0.003503] ? exc_invalid_op+0x17/0x70\\n[ +0.003846] ? asm_exc_invalid_op+0x1a/0x20\\n[ +0.004200] ? unregister_netdevice_many_notify+0x7a9/0x870\\n[ +0.005579] ? unregister_netdevice_many_notify+0x3cc/0x870\\n[ +0.005586] unregister_netdevice_queue+0xf7/0x140\\n[ +0.004806] unregister_netdev+0x1c/0x30\\n[ +0.003933] i40e_vsi_release+0x87/0x2f0 [i40e]\\n[ +0.004604] i40e_remove+0x1a1/0x420 [i40e]\\n[ +0.004220] pci_device_remove+0x3f/0xb0\\n[ +0.003943] device_release_driver_internal+0x19f/0x200\\n[ +0.005243] driver_detach+0x48/0x90\\n[ +0.003586] bus_remove_driver+0x6d/0xf0\\n[ +0.003939] pci_unregister_driver+0x2e/0xb0\\n[ +0.004278] i40e_exit_module+0x10/0x5f0 [i40e]\\n[ +0.004570] __do_sys_delete_module.isra.0+0x197/0x310\\n[ +0.005153] do_syscall_64+0x85/0x170\\n[ +0.003684] ? syscall_exit_to_user_mode+0x69/0x220\\n[ +0.004886] ? do_syscall_64+0x95/0x170\\n[ +0.003851] ? exc_page_fault+0x7e/0x180\\n[ +0.003932] entry_SYSCALL_64_after_hwframe+0x71/0x79\\n[ +0.005064] RIP: 0033:0x7f59dc9347cb\\n[ +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83\\nc8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f\\n05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48\\n[ +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\\n[ +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb\\n[ +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748\\n[ +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000\\n[ +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000\\n[ +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000\\n[ +0.007151] \\n[ +0.002204] ---[ end trace 0000000000000000 ]---\\n\\nFix this by checking if the XDP program is being loaded or unloaded.\\nThen, block only loading a new program while \\\"__I40E_IN_REMOVE\\\" is set.\\nAlso, move testing \\\"__I40E_IN_REMOVE\\\" flag to the beginning of XDP_SETUP\\ncallback to avoid unnecessary operations and checks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41047\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41048", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41048" + }, + { + "url": "https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632" + }, + { + "url": "https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc" + }, + { + "url": "https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b" + }, + { + "url": "https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97" + }, + { + "url": "https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41048 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41048", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nskmsg: Skip zero length skb in sk_msg_recvmsg\n\nWhen running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch\nplatform, the following kernel panic occurs:\n\n [...]\n Oops[#1]:\n CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18\n Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018\n ... ...\n ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560\n ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 0000000c (PPLV0 +PIE +PWE)\n EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n BADV: 0000000000000040\n PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)\n Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack\n Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)\n Stack : ...\n Call Trace:\n [<9000000004162774>] copy_page_to_iter+0x74/0x1c0\n [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560\n [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0\n [<90000000049aae34>] inet_recvmsg+0x54/0x100\n [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0\n [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0\n [<900000000481e27c>] sys_recvfrom+0x1c/0x40\n [<9000000004c076ec>] do_syscall+0x8c/0xc0\n [<9000000003731da4>] handle_syscall+0xc4/0x160\n Code: ...\n ---[ end trace 0000000000000000 ]---\n Kernel panic - not syncing: Fatal exception\n Kernel relocated by 0x3510000\n .text @ 0x9000000003710000\n .data @ 0x9000000004d70000\n .bss @ 0x9000000006469400\n ---[ end Kernel panic - not syncing: Fatal exception ]---\n [...]\n\nThis crash happens every time when running sockmap_skb_verdict_shutdown\nsubtest in sockmap_basic.\n\nThis crash is because a NULL pointer is passed to page_address() in the\nsk_msg_recvmsg(). Due to the different implementations depending on the\narchitecture, page_address(NULL) will trigger a panic on Loongarch\nplatform but not on x86 platform. So this bug was hidden on x86 platform\nfor a while, but now it is exposed on Loongarch platform. The root cause\nis that a zero length skb (skb->len == 0) was put on the queue.\n\nThis zero length skb is a TCP FIN packet, which was sent by shutdown(),\ninvoked in test_sockmap_skb_verdict_shutdown():\n\n\tshutdown(p1, SHUT_WR);\n\nIn this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no\npage is put to this sge (see sg_set_page in sg_set_page), but this empty\nsge is queued into ingress_msg list.\n\nAnd in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by\nsg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it\nto kmap_local_page() and to page_address(), then kernel panics.\n\nTo solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),\nif copy is zero, that means it's a zero length skb, skip invoking\ncopy_page_to_iter(). We are using the EFAULT return triggered by\ncopy_page_to_iter to check for is_fin in tcp_bpf.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41048\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41048\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41048\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41048\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41048\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632\",\n \"https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc\",\n \"https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b\",\n \"https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97\",\n \"https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nskmsg: Skip zero length skb in sk_msg_recvmsg\\n\\nWhen running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch\\nplatform, the following kernel panic occurs:\\n\\n [...]\\n Oops[#1]:\\n CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18\\n Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018\\n ... ...\\n ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560\\n ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0\\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\\n PRMD: 0000000c (PPLV0 +PIE +PWE)\\n EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\\n ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\\n ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\\n BADV: 0000000000000040\\n PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)\\n Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack\\n Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)\\n Stack : ...\\n Call Trace:\\n [<9000000004162774>] copy_page_to_iter+0x74/0x1c0\\n [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560\\n [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0\\n [<90000000049aae34>] inet_recvmsg+0x54/0x100\\n [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0\\n [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0\\n [<900000000481e27c>] sys_recvfrom+0x1c/0x40\\n [<9000000004c076ec>] do_syscall+0x8c/0xc0\\n [<9000000003731da4>] handle_syscall+0xc4/0x160\\n Code: ...\\n ---[ end trace 0000000000000000 ]---\\n Kernel panic - not syncing: Fatal exception\\n Kernel relocated by 0x3510000\\n .text @ 0x9000000003710000\\n .data @ 0x9000000004d70000\\n .bss @ 0x9000000006469400\\n ---[ end Kernel panic - not syncing: Fatal exception ]---\\n [...]\\n\\nThis crash happens every time when running sockmap_skb_verdict_shutdown\\nsubtest in sockmap_basic.\\n\\nThis crash is because a NULL pointer is passed to page_address() in the\\nsk_msg_recvmsg(). Due to the different implementations depending on the\\narchitecture, page_address(NULL) will trigger a panic on Loongarch\\nplatform but not on x86 platform. So this bug was hidden on x86 platform\\nfor a while, but now it is exposed on Loongarch platform. The root cause\\nis that a zero length skb (skb->len == 0) was put on the queue.\\n\\nThis zero length skb is a TCP FIN packet, which was sent by shutdown(),\\ninvoked in test_sockmap_skb_verdict_shutdown():\\n\\n\\tshutdown(p1, SHUT_WR);\\n\\nIn this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no\\npage is put to this sge (see sg_set_page in sg_set_page), but this empty\\nsge is queued into ingress_msg list.\\n\\nAnd in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by\\nsg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it\\nto kmap_local_page() and to page_address(), then kernel panics.\\n\\nTo solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),\\nif copy is zero, that means it's a zero length skb, skip invoking\\ncopy_page_to_iter(). We are using the EFAULT return triggered by\\ncopy_page_to_iter to check for is_fin in tcp_bpf.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41048\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41049", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41049" + }, + { + "url": "https://git.kernel.org/stable/c/02a8964260756c70b20393ad4006948510ac9967" + }, + { + "url": "https://git.kernel.org/stable/c/116599f6a26906cf33f67975c59f0692ecf7e9b2" + }, + { + "url": "https://git.kernel.org/stable/c/1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92" + }, + { + "url": "https://git.kernel.org/stable/c/1cbbb3d9475c403ebedc327490c7c2b991398197" + }, + { + "url": "https://git.kernel.org/stable/c/432b06b69d1d354a171f7499141116536579eb6a" + }, + { + "url": "https://git.kernel.org/stable/c/5cb36e35bc10ea334810937990c2b9023dacb1b0" + }, + { + "url": "https://git.kernel.org/stable/c/7d4c14f4b511fd4c0dc788084ae59b4656ace58b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41049 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41049", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: fix potential use-after-free in posix_lock_inode\n\nLight Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().\nThe request pointer had been changed earlier to point to a lock entry\nthat was added to the inode's list. However, before the tracepoint could\nfire, another task raced in and freed that lock.\n\nFix this by moving the tracepoint inside the spinlock, which should\nensure that this doesn't happen.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41049\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41049\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41049\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41049\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41049\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02a8964260756c70b20393ad4006948510ac9967\",\n \"https://git.kernel.org/stable/c/116599f6a26906cf33f67975c59f0692ecf7e9b2\",\n \"https://git.kernel.org/stable/c/1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92\",\n \"https://git.kernel.org/stable/c/1cbbb3d9475c403ebedc327490c7c2b991398197\",\n \"https://git.kernel.org/stable/c/432b06b69d1d354a171f7499141116536579eb6a\",\n \"https://git.kernel.org/stable/c/5cb36e35bc10ea334810937990c2b9023dacb1b0\",\n \"https://git.kernel.org/stable/c/7d4c14f4b511fd4c0dc788084ae59b4656ace58b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfilelock: fix potential use-after-free in posix_lock_inode\\n\\nLight Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().\\nThe request pointer had been changed earlier to point to a lock entry\\nthat was added to the inode's list. However, before the tracepoint could\\nfire, another task raced in and freed that lock.\\n\\nFix this by moving the tracepoint inside the spinlock, which should\\nensure that this doesn't happen.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41049\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41050", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41050" + }, + { + "url": "https://git.kernel.org/stable/c/19f4f399091478c95947f6bd7ad61622300c30d9" + }, + { + "url": "https://git.kernel.org/stable/c/35710c6c4a1c64478ec1b5e0e81d386c0844dec6" + }, + { + "url": "https://git.kernel.org/stable/c/9d3bf4e9aa23f0d9e99ebe7a94f232ddba54ee17" + }, + { + "url": "https://git.kernel.org/stable/c/de045a82e1a4e04be62718d3c2981a55150765a0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41050 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41050", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: cyclic allocation of msg_id to avoid reuse\n\nReusing the msg_id after a maliciously completed reopen request may cause\na read request to remain unprocessed and result in a hung, as shown below:\n\n t1 | t2 | t3\n-------------------------------------------------\ncachefiles_ondemand_select_req\n cachefiles_ondemand_object_is_close(A)\n cachefiles_ondemand_set_object_reopening(A)\n queue_work(fscache_object_wq, &info->work)\n ondemand_object_worker\n cachefiles_ondemand_init_object(A)\n cachefiles_ondemand_send_req(OPEN)\n // get msg_id 6\n wait_for_completion(&req_A->done)\ncachefiles_ondemand_daemon_read\n // read msg_id 6 req_A\n cachefiles_ondemand_get_fd\n copy_to_user\n // Malicious completion msg_id 6\n copen 6,-1\n cachefiles_ondemand_copen\n complete(&req_A->done)\n // will not set the object to close\n // because ondemand_id && fd is valid.\n\n // ondemand_object_worker() is done\n // but the object is still reopening.\n\n // new open req_B\n cachefiles_ondemand_init_object(B)\n cachefiles_ondemand_send_req(OPEN)\n // reuse msg_id 6\nprocess_open_req\n copen 6,A.size\n // The expected failed copen was executed successfully\n\nExpect copen to fail, and when it does, it closes fd, which sets the\nobject to close, and then close triggers reopen again. However, due to\nmsg_id reuse resulting in a successful copen, the anonymous fd is not\nclosed until the daemon exits. Therefore read requests waiting for reopen\nto complete may trigger hung task.\n\nTo avoid this issue, allocate the msg_id cyclically to avoid reusing the\nmsg_id for a very short duration of time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41050\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41050\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41050\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41050\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41050\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19f4f399091478c95947f6bd7ad61622300c30d9\",\n \"https://git.kernel.org/stable/c/35710c6c4a1c64478ec1b5e0e81d386c0844dec6\",\n \"https://git.kernel.org/stable/c/9d3bf4e9aa23f0d9e99ebe7a94f232ddba54ee17\",\n \"https://git.kernel.org/stable/c/de045a82e1a4e04be62718d3c2981a55150765a0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: cyclic allocation of msg_id to avoid reuse\\n\\nReusing the msg_id after a maliciously completed reopen request may cause\\na read request to remain unprocessed and result in a hung, as shown below:\\n\\n t1 | t2 | t3\\n-------------------------------------------------\\ncachefiles_ondemand_select_req\\n cachefiles_ondemand_object_is_close(A)\\n cachefiles_ondemand_set_object_reopening(A)\\n queue_work(fscache_object_wq, &info->work)\\n ondemand_object_worker\\n cachefiles_ondemand_init_object(A)\\n cachefiles_ondemand_send_req(OPEN)\\n // get msg_id 6\\n wait_for_completion(&req_A->done)\\ncachefiles_ondemand_daemon_read\\n // read msg_id 6 req_A\\n cachefiles_ondemand_get_fd\\n copy_to_user\\n // Malicious completion msg_id 6\\n copen 6,-1\\n cachefiles_ondemand_copen\\n complete(&req_A->done)\\n // will not set the object to close\\n // because ondemand_id && fd is valid.\\n\\n // ondemand_object_worker() is done\\n // but the object is still reopening.\\n\\n // new open req_B\\n cachefiles_ondemand_init_object(B)\\n cachefiles_ondemand_send_req(OPEN)\\n // reuse msg_id 6\\nprocess_open_req\\n copen 6,A.size\\n // The expected failed copen was executed successfully\\n\\nExpect copen to fail, and when it does, it closes fd, which sets the\\nobject to close, and then close triggers reopen again. However, due to\\nmsg_id reuse resulting in a successful copen, the anonymous fd is not\\nclosed until the daemon exits. Therefore read requests waiting for reopen\\nto complete may trigger hung task.\\n\\nTo avoid this issue, allocate the msg_id cyclically to avoid reusing the\\nmsg_id for a very short duration of time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41050\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41055", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41055" + }, + { + "url": "https://git.kernel.org/stable/c/0100aeb8a12d51950418e685f879cc80cb8e5982" + }, + { + "url": "https://git.kernel.org/stable/c/797323d1cf92d09b7a017cfec576d9babf99cde7" + }, + { + "url": "https://git.kernel.org/stable/c/82f0b6f041fad768c28b4ad05a683065412c226e" + }, + { + "url": "https://git.kernel.org/stable/c/941e816185661bf2b44b488565d09444ae316509" + }, + { + "url": "https://git.kernel.org/stable/c/adccdf702b4ea913ded5ff512239e382d7473b63" + }, + { + "url": "https://git.kernel.org/stable/c/bc17f2377818dca643a74499c3f5333500c90503" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41055 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41055", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: prevent derefencing NULL ptr in pfn_section_valid()\n\nCommit 5ec8e8ea8b77 (\"mm/sparsemem: fix race in accessing\nmemory_section->usage\") changed pfn_section_valid() to add a READ_ONCE()\ncall around \"ms->usage\" to fix a race with section_deactivate() where\nms->usage can be cleared. The READ_ONCE() call, by itself, is not enough\nto prevent NULL pointer dereference. We need to check its value before\ndereferencing it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41055\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41055\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41055\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41055\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41055\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0100aeb8a12d51950418e685f879cc80cb8e5982\",\n \"https://git.kernel.org/stable/c/797323d1cf92d09b7a017cfec576d9babf99cde7\",\n \"https://git.kernel.org/stable/c/82f0b6f041fad768c28b4ad05a683065412c226e\",\n \"https://git.kernel.org/stable/c/941e816185661bf2b44b488565d09444ae316509\",\n \"https://git.kernel.org/stable/c/adccdf702b4ea913ded5ff512239e382d7473b63\",\n \"https://git.kernel.org/stable/c/bc17f2377818dca643a74499c3f5333500c90503\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: prevent derefencing NULL ptr in pfn_section_valid()\\n\\nCommit 5ec8e8ea8b77 (\\\"mm/sparsemem: fix race in accessing\\nmemory_section->usage\\\") changed pfn_section_valid() to add a READ_ONCE()\\ncall around \\\"ms->usage\\\" to fix a race with section_deactivate() where\\nms->usage can be cleared. The READ_ONCE() call, by itself, is not enough\\nto prevent NULL pointer dereference. We need to check its value before\\ndereferencing it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41055\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41057", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41057" + }, + { + "url": "https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4" + }, + { + "url": "https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1" + }, + { + "url": "https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11" + }, + { + "url": "https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41057 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41057", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\n\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\nCall Trace:\n \n kasan_report+0x93/0xc0\n cachefiles_withdraw_cookie+0x4d9/0x600\n fscache_cookie_state_machine+0x5c8/0x1230\n fscache_cookie_worker+0x91/0x1c0\n process_one_work+0x7fa/0x1800\n [...]\n\nAllocated by task 117:\n kmalloc_trace+0x1b3/0x3c0\n cachefiles_acquire_volume+0xf3/0x9c0\n fscache_create_volume_work+0x97/0x150\n process_one_work+0x7fa/0x1800\n [...]\n\nFreed by task 120301:\n kfree+0xf1/0x2c0\n cachefiles_withdraw_cache+0x3fa/0x920\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n do_exit+0x87a/0x29b0\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n p1 | p2\n------------------------------------------------------------\n fscache_begin_lookup\n fscache_begin_volume_access\n fscache_cache_is_live(fscache_cache)\ncachefiles_daemon_release\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n fscache_withdraw_cache\n fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\n cachefiles_withdraw_objects(cache)\n fscache_wait_for_objects(fscache)\n atomic_read(&fscache_cache->object_count) == 0\n fscache_perform_lookup\n cachefiles_lookup_cookie\n cachefiles_alloc_object\n refcount_set(&object->ref, 1);\n object->volume = volume\n fscache_count_object(vcookie->cache);\n atomic_inc(&fscache_cache->object_count)\n cachefiles_withdraw_volumes\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n __cachefiles_free_volume\n kfree(cachefiles_volume)\n fscache_cookie_state_machine\n cachefiles_withdraw_cookie\n cache = object->volume->cache;\n // cachefiles_volume UAF !!!\n\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\nto complete first, and then wait for fscache_cache->object_count == 0 to\navoid the cookie exiting after the volume has been freed and triggering\nthe above issue. Therefore call fscache_withdraw_volume() before calling\ncachefiles_withdraw_objects().\n\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\ncases will occur:\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\n been executed before calling fscache_wait_for_objects().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41057\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41057\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41057\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41057\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41057\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4\",\n \"https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1\",\n \"https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11\",\n \"https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\\n\\nWe got the following issue in our fault injection stress test:\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\\n\\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\\nCall Trace:\\n \\n kasan_report+0x93/0xc0\\n cachefiles_withdraw_cookie+0x4d9/0x600\\n fscache_cookie_state_machine+0x5c8/0x1230\\n fscache_cookie_worker+0x91/0x1c0\\n process_one_work+0x7fa/0x1800\\n [...]\\n\\nAllocated by task 117:\\n kmalloc_trace+0x1b3/0x3c0\\n cachefiles_acquire_volume+0xf3/0x9c0\\n fscache_create_volume_work+0x97/0x150\\n process_one_work+0x7fa/0x1800\\n [...]\\n\\nFreed by task 120301:\\n kfree+0xf1/0x2c0\\n cachefiles_withdraw_cache+0x3fa/0x920\\n cachefiles_put_unbind_pincount+0x1f6/0x250\\n cachefiles_daemon_release+0x13b/0x290\\n __fput+0x204/0xa00\\n task_work_run+0x139/0x230\\n do_exit+0x87a/0x29b0\\n [...]\\n==================================================================\\n\\nFollowing is the process that triggers the issue:\\n\\n p1 | p2\\n------------------------------------------------------------\\n fscache_begin_lookup\\n fscache_begin_volume_access\\n fscache_cache_is_live(fscache_cache)\\ncachefiles_daemon_release\\n cachefiles_put_unbind_pincount\\n cachefiles_daemon_unbind\\n cachefiles_withdraw_cache\\n fscache_withdraw_cache\\n fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\\n cachefiles_withdraw_objects(cache)\\n fscache_wait_for_objects(fscache)\\n atomic_read(&fscache_cache->object_count) == 0\\n fscache_perform_lookup\\n cachefiles_lookup_cookie\\n cachefiles_alloc_object\\n refcount_set(&object->ref, 1);\\n object->volume = volume\\n fscache_count_object(vcookie->cache);\\n atomic_inc(&fscache_cache->object_count)\\n cachefiles_withdraw_volumes\\n cachefiles_withdraw_volume\\n fscache_withdraw_volume\\n __cachefiles_free_volume\\n kfree(cachefiles_volume)\\n fscache_cookie_state_machine\\n cachefiles_withdraw_cookie\\n cache = object->volume->cache;\\n // cachefiles_volume UAF !!!\\n\\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\\nto complete first, and then wait for fscache_cache->object_count == 0 to\\navoid the cookie exiting after the volume has been freed and triggering\\nthe above issue. Therefore call fscache_withdraw_volume() before calling\\ncachefiles_withdraw_objects().\\n\\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\\ncases will occur:\\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\\n been executed before calling fscache_wait_for_objects().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41057\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41058", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41058" + }, + { + "url": "https://git.kernel.org/stable/c/38b88d544216f806d93a273a62ff8ebe82254003" + }, + { + "url": "https://git.kernel.org/stable/c/522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36" + }, + { + "url": "https://git.kernel.org/stable/c/90f17e47f1e209c6a3c92a1d038a0a80c95c460e" + }, + { + "url": "https://git.kernel.org/stable/c/9dd7f5663899ea13a6a73216106d9c13c37453e3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41058 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41058", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in fscache_withdraw_volume()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370\nRead of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798\n\nCPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565\nCall Trace:\n kasan_check_range+0xf6/0x1b0\n fscache_withdraw_volume+0x2e1/0x370\n cachefiles_withdraw_volume+0x31/0x50\n cachefiles_withdraw_cache+0x3ad/0x900\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n\nAllocated by task 5820:\n __kmalloc+0x1df/0x4b0\n fscache_alloc_volume+0x70/0x600\n __fscache_acquire_volume+0x1c/0x610\n erofs_fscache_register_volume+0x96/0x1a0\n erofs_fscache_register_fs+0x49a/0x690\n erofs_fc_fill_super+0x6c0/0xcc0\n vfs_get_super+0xa9/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n\nFreed by task 5820:\n kfree+0xf1/0x2c0\n fscache_put_volume.part.0+0x5cb/0x9e0\n erofs_fscache_unregister_fs+0x157/0x1b0\n erofs_kill_sb+0xd9/0x1c0\n deactivate_locked_super+0xa3/0x100\n vfs_get_super+0x105/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount failed | daemon exit\n------------------------------------------------------------\n deactivate_locked_super cachefiles_daemon_release\n erofs_kill_sb\n erofs_fscache_unregister_fs\n fscache_relinquish_volume\n __fscache_relinquish_volume\n fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)\n zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n cachefiles_withdraw_volumes\n list_del_init(&volume->cache_link)\n fscache_free_volume(fscache_volume)\n cache->ops->free_volume\n cachefiles_free_volume\n list_del_init(&cachefiles_volume->cache_link);\n kfree(fscache_volume)\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n fscache_volume->n_accesses\n // fscache_volume UAF !!!\n\nThe fscache_volume in cache->volumes must not have been freed yet, but its\nreference count may be 0. So use the new fscache_try_get_volume() helper\nfunction try to get its reference count.\n\nIf the reference count of fscache_volume is 0, fscache_put_volume() is\nfreeing it, so wait for it to be removed from cache->volumes.\n\nIf its reference count is not 0, call cachefiles_withdraw_volume() with\nreference count protection to avoid the above issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41058\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41058\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41058\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41058\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41058\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/38b88d544216f806d93a273a62ff8ebe82254003\",\n \"https://git.kernel.org/stable/c/522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36\",\n \"https://git.kernel.org/stable/c/90f17e47f1e209c6a3c92a1d038a0a80c95c460e\",\n \"https://git.kernel.org/stable/c/9dd7f5663899ea13a6a73216106d9c13c37453e3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: fix slab-use-after-free in fscache_withdraw_volume()\\n\\nWe got the following issue in our fault injection stress test:\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370\\nRead of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798\\n\\nCPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565\\nCall Trace:\\n kasan_check_range+0xf6/0x1b0\\n fscache_withdraw_volume+0x2e1/0x370\\n cachefiles_withdraw_volume+0x31/0x50\\n cachefiles_withdraw_cache+0x3ad/0x900\\n cachefiles_put_unbind_pincount+0x1f6/0x250\\n cachefiles_daemon_release+0x13b/0x290\\n __fput+0x204/0xa00\\n task_work_run+0x139/0x230\\n\\nAllocated by task 5820:\\n __kmalloc+0x1df/0x4b0\\n fscache_alloc_volume+0x70/0x600\\n __fscache_acquire_volume+0x1c/0x610\\n erofs_fscache_register_volume+0x96/0x1a0\\n erofs_fscache_register_fs+0x49a/0x690\\n erofs_fc_fill_super+0x6c0/0xcc0\\n vfs_get_super+0xa9/0x140\\n vfs_get_tree+0x8e/0x300\\n do_new_mount+0x28c/0x580\\n [...]\\n\\nFreed by task 5820:\\n kfree+0xf1/0x2c0\\n fscache_put_volume.part.0+0x5cb/0x9e0\\n erofs_fscache_unregister_fs+0x157/0x1b0\\n erofs_kill_sb+0xd9/0x1c0\\n deactivate_locked_super+0xa3/0x100\\n vfs_get_super+0x105/0x140\\n vfs_get_tree+0x8e/0x300\\n do_new_mount+0x28c/0x580\\n [...]\\n==================================================================\\n\\nFollowing is the process that triggers the issue:\\n\\n mount failed | daemon exit\\n------------------------------------------------------------\\n deactivate_locked_super cachefiles_daemon_release\\n erofs_kill_sb\\n erofs_fscache_unregister_fs\\n fscache_relinquish_volume\\n __fscache_relinquish_volume\\n fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)\\n zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);\\n cachefiles_put_unbind_pincount\\n cachefiles_daemon_unbind\\n cachefiles_withdraw_cache\\n cachefiles_withdraw_volumes\\n list_del_init(&volume->cache_link)\\n fscache_free_volume(fscache_volume)\\n cache->ops->free_volume\\n cachefiles_free_volume\\n list_del_init(&cachefiles_volume->cache_link);\\n kfree(fscache_volume)\\n cachefiles_withdraw_volume\\n fscache_withdraw_volume\\n fscache_volume->n_accesses\\n // fscache_volume UAF !!!\\n\\nThe fscache_volume in cache->volumes must not have been freed yet, but its\\nreference count may be 0. So use the new fscache_try_get_volume() helper\\nfunction try to get its reference count.\\n\\nIf the reference count of fscache_volume is 0, fscache_put_volume() is\\nfreeing it, so wait for it to be removed from cache->volumes.\\n\\nIf its reference count is not 0, call cachefiles_withdraw_volume() with\\nreference count protection to avoid the above issue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41058\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41059", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41059" + }, + { + "url": "https://git.kernel.org/stable/c/0570730c16307a72f8241df12363f76600baf57d" + }, + { + "url": "https://git.kernel.org/stable/c/22999936b91ba545ce1fbbecae6895127945e91c" + }, + { + "url": "https://git.kernel.org/stable/c/34f8efd2743f2d961e92e8e994de4c7a2f9e74a0" + }, + { + "url": "https://git.kernel.org/stable/c/72805debec8f7aa342da194fe0ed7bc8febea335" + }, + { + "url": "https://git.kernel.org/stable/c/ad57dc2caf1e0a3c0a9904400fae7afbc9f74bb2" + }, + { + "url": "https://git.kernel.org/stable/c/c733e24a61cbcff10f660041d6d84d32bb7e4cb4" + }, + { + "url": "https://git.kernel.org/stable/c/d02d8c1dacafb28930c39e16d48e40bb6e4cbc70" + }, + { + "url": "https://git.kernel.org/stable/c/f08956d8e0f80fd0d4ad84ec917302bb2f3a9c6a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41059 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41059", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix uninit-value in copy_name\n\n[syzbot reported]\nBUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160\n sized_strscpy+0xc4/0x160\n copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411\n hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3877 [inline]\n slab_alloc_node mm/slub.c:3918 [inline]\n kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065\n kmalloc include/linux/slab.h:628 [inline]\n hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[Fix]\nWhen allocating memory to strbuf, initialize memory to 0.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41059\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41059\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41059\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41059\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41059\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0570730c16307a72f8241df12363f76600baf57d\",\n \"https://git.kernel.org/stable/c/22999936b91ba545ce1fbbecae6895127945e91c\",\n \"https://git.kernel.org/stable/c/34f8efd2743f2d961e92e8e994de4c7a2f9e74a0\",\n \"https://git.kernel.org/stable/c/72805debec8f7aa342da194fe0ed7bc8febea335\",\n \"https://git.kernel.org/stable/c/ad57dc2caf1e0a3c0a9904400fae7afbc9f74bb2\",\n \"https://git.kernel.org/stable/c/c733e24a61cbcff10f660041d6d84d32bb7e4cb4\",\n \"https://git.kernel.org/stable/c/d02d8c1dacafb28930c39e16d48e40bb6e4cbc70\",\n \"https://git.kernel.org/stable/c/f08956d8e0f80fd0d4ad84ec917302bb2f3a9c6a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhfsplus: fix uninit-value in copy_name\\n\\n[syzbot reported]\\nBUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160\\n sized_strscpy+0xc4/0x160\\n copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411\\n hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750\\n vfs_listxattr fs/xattr.c:493 [inline]\\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\\n path_listxattr fs/xattr.c:864 [inline]\\n __do_sys_listxattr fs/xattr.c:876 [inline]\\n __se_sys_listxattr fs/xattr.c:873 [inline]\\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3877 [inline]\\n slab_alloc_node mm/slub.c:3918 [inline]\\n kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065\\n kmalloc include/linux/slab.h:628 [inline]\\n hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699\\n vfs_listxattr fs/xattr.c:493 [inline]\\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\\n path_listxattr fs/xattr.c:864 [inline]\\n __do_sys_listxattr fs/xattr.c:876 [inline]\\n __se_sys_listxattr fs/xattr.c:873 [inline]\\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n[Fix]\\nWhen allocating memory to strbuf, initialize memory to 0.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41059\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41060", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41060" + }, + { + "url": "https://git.kernel.org/stable/c/6fb15dcbcf4f212930350eaee174bb60ed40a536" + }, + { + "url": "https://git.kernel.org/stable/c/8a500b3a5f0a58c6f99039091fbd715f64f2f8af" + }, + { + "url": "https://git.kernel.org/stable/c/a2b201f83971df03c8e81a480b2f2846ae8ce1a3" + }, + { + "url": "https://git.kernel.org/stable/c/a9100f17428cb733c4f6fbb132d98bed76318342" + }, + { + "url": "https://git.kernel.org/stable/c/f13c96e0e325a057c03f8a47734adb360e112efe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41060 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41060", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: check bo_va->bo is non-NULL before using it\n\nThe call to radeon_vm_clear_freed might clear bo_va->bo, so\nwe have to check it before dereferencing it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41060\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41060\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41060\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41060\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41060\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6fb15dcbcf4f212930350eaee174bb60ed40a536\",\n \"https://git.kernel.org/stable/c/8a500b3a5f0a58c6f99039091fbd715f64f2f8af\",\n \"https://git.kernel.org/stable/c/a2b201f83971df03c8e81a480b2f2846ae8ce1a3\",\n \"https://git.kernel.org/stable/c/a9100f17428cb733c4f6fbb132d98bed76318342\",\n \"https://git.kernel.org/stable/c/f13c96e0e325a057c03f8a47734adb360e112efe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/radeon: check bo_va->bo is non-NULL before using it\\n\\nThe call to radeon_vm_clear_freed might clear bo_va->bo, so\\nwe have to check it before dereferencing it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41060\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41061", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41061" + }, + { + "url": "https://git.kernel.org/stable/c/0ad4b4a2f6357c45fbe444ead1a929a0b4017d03" + }, + { + "url": "https://git.kernel.org/stable/c/94166fe12543fbef122ca2d093e794ea41073a85" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41061 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41061", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport\n\n[Why]\nPotential out of bounds access in dml2_calculate_rq_and_dlg_params()\nbecause the value of out_lowest_state_idx used as an index for FCLKChangeSupport\narray can be greater than 1.\n\n[How]\nCurrently dml2 core specifies identical values for all FCLKChangeSupport\nelements. Always use index 0 in the condition to avoid out of bounds access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41061\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41061\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41061\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41061\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41061\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ad4b4a2f6357c45fbe444ead1a929a0b4017d03\",\n \"https://git.kernel.org/stable/c/94166fe12543fbef122ca2d093e794ea41073a85\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport\\n\\n[Why]\\nPotential out of bounds access in dml2_calculate_rq_and_dlg_params()\\nbecause the value of out_lowest_state_idx used as an index for FCLKChangeSupport\\narray can be greater than 1.\\n\\n[How]\\nCurrently dml2 core specifies identical values for all FCLKChangeSupport\\nelements. Always use index 0 in the condition to avoid out of bounds access.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41061\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41062", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41062" + }, + { + "url": "https://git.kernel.org/stable/c/3b732449b78183d17178db40be3a4401cf3cd629" + }, + { + "url": "https://git.kernel.org/stable/c/605572e64cd9cebb05ed609d96cff05b50d18cdf" + }, + { + "url": "https://git.kernel.org/stable/c/89e856e124f9ae548572c56b1b70c2255705f8fe" + }, + { + "url": "https://git.kernel.org/stable/c/b803f30ea23e0968b6c8285c42adf0d862ab2bf6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41062 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41062", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbluetooth/l2cap: sync sock recv cb and release\n\nThe problem occurs between the system call to close the sock and hci_rx_work,\nwhere the former releases the sock and the latter accesses it without lock protection.\n\n CPU0 CPU1\n ---- ----\n sock_close hci_rx_work\n\t l2cap_sock_release hci_acldata_packet\n\t l2cap_sock_kill l2cap_recv_frame\n\t sk_free l2cap_conless_channel\n\t l2cap_sock_recv_cb\n\nIf hci_rx_work processes the data that needs to be received before the sock is\nclosed, then everything is normal; Otherwise, the work thread may access the\nreleased sock when receiving data.\n\nAdd a chan mutex in the rx callback of the sock to achieve synchronization between\nthe sock release and recv cb.\n\nSock is dead, so set chan data to NULL, avoid others use invalid sock pointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41062\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41062\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41062\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41062\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41062\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b732449b78183d17178db40be3a4401cf3cd629\",\n \"https://git.kernel.org/stable/c/605572e64cd9cebb05ed609d96cff05b50d18cdf\",\n \"https://git.kernel.org/stable/c/89e856e124f9ae548572c56b1b70c2255705f8fe\",\n \"https://git.kernel.org/stable/c/b803f30ea23e0968b6c8285c42adf0d862ab2bf6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbluetooth/l2cap: sync sock recv cb and release\\n\\nThe problem occurs between the system call to close the sock and hci_rx_work,\\nwhere the former releases the sock and the latter accesses it without lock protection.\\n\\n CPU0 CPU1\\n ---- ----\\n sock_close hci_rx_work\\n\\t l2cap_sock_release hci_acldata_packet\\n\\t l2cap_sock_kill l2cap_recv_frame\\n\\t sk_free l2cap_conless_channel\\n\\t l2cap_sock_recv_cb\\n\\nIf hci_rx_work processes the data that needs to be received before the sock is\\nclosed, then everything is normal; Otherwise, the work thread may access the\\nreleased sock when receiving data.\\n\\nAdd a chan mutex in the rx callback of the sock to achieve synchronization between\\nthe sock release and recv cb.\\n\\nSock is dead, so set chan data to NULL, avoid others use invalid sock pointer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41062\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41063", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41063" + }, + { + "url": "https://git.kernel.org/stable/c/0d151a103775dd9645c78c97f77d6e2a5298d913" + }, + { + "url": "https://git.kernel.org/stable/c/3f939bd73fed12dddc2a32a76116c19ca47c7678" + }, + { + "url": "https://git.kernel.org/stable/c/48542881997e17b49dc16b93fe910e0cfcf7a9f9" + }, + { + "url": "https://git.kernel.org/stable/c/96600c2e5ee8213dbab5df1617293d8e847bb4fa" + }, + { + "url": "https://git.kernel.org/stable/c/9cfc84b1d464cc024286f42a090718f9067b80ed" + }, + { + "url": "https://git.kernel.org/stable/c/d2ce562a5aff1dcd0c50d9808ea825ef90da909f" + }, + { + "url": "https://git.kernel.org/stable/c/d6cbce18370641a21dd889e8613d8153df15eb39" + }, + { + "url": "https://git.kernel.org/stable/c/ddeda6ca5f218b668b560d90fc31ae469adbfd92" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41063 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41063", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: cancel all works upon hci_unregister_dev()\n\nsyzbot is reporting that calling hci_release_dev() from hci_error_reset()\ndue to hci_dev_put() from hci_error_reset() can cause deadlock at\ndestroy_workqueue(), for hci_error_reset() is called from\nhdev->req_workqueue which destroy_workqueue() needs to flush.\n\nWe need to make sure that hdev->{rx_work,cmd_work,tx_work} which are\nqueued into hdev->workqueue and hdev->{power_on,error_reset} which are\nqueued into hdev->req_workqueue are no longer running by the moment\n\n destroy_workqueue(hdev->workqueue);\n destroy_workqueue(hdev->req_workqueue);\n\nare called from hci_release_dev().\n\nCall cancel_work_sync() on these work items from hci_unregister_dev()\nas soon as hdev->list is removed from hci_dev_list.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41063\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41063\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41063\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41063\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41063\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d151a103775dd9645c78c97f77d6e2a5298d913\",\n \"https://git.kernel.org/stable/c/3f939bd73fed12dddc2a32a76116c19ca47c7678\",\n \"https://git.kernel.org/stable/c/48542881997e17b49dc16b93fe910e0cfcf7a9f9\",\n \"https://git.kernel.org/stable/c/96600c2e5ee8213dbab5df1617293d8e847bb4fa\",\n \"https://git.kernel.org/stable/c/9cfc84b1d464cc024286f42a090718f9067b80ed\",\n \"https://git.kernel.org/stable/c/d2ce562a5aff1dcd0c50d9808ea825ef90da909f\",\n \"https://git.kernel.org/stable/c/d6cbce18370641a21dd889e8613d8153df15eb39\",\n \"https://git.kernel.org/stable/c/ddeda6ca5f218b668b560d90fc31ae469adbfd92\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: hci_core: cancel all works upon hci_unregister_dev()\\n\\nsyzbot is reporting that calling hci_release_dev() from hci_error_reset()\\ndue to hci_dev_put() from hci_error_reset() can cause deadlock at\\ndestroy_workqueue(), for hci_error_reset() is called from\\nhdev->req_workqueue which destroy_workqueue() needs to flush.\\n\\nWe need to make sure that hdev->{rx_work,cmd_work,tx_work} which are\\nqueued into hdev->workqueue and hdev->{power_on,error_reset} which are\\nqueued into hdev->req_workqueue are no longer running by the moment\\n\\n destroy_workqueue(hdev->workqueue);\\n destroy_workqueue(hdev->req_workqueue);\\n\\nare called from hci_release_dev().\\n\\nCall cancel_work_sync() on these work items from hci_unregister_dev()\\nas soon as hdev->list is removed from hci_dev_list.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41063\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41064", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41064" + }, + { + "url": "https://git.kernel.org/stable/c/033c51dfdbb6b79ab43fb3587276fa82d0a329e1" + }, + { + "url": "https://git.kernel.org/stable/c/428d940a8b6b3350b282c14d3f63350bde65c48b" + }, + { + "url": "https://git.kernel.org/stable/c/4bc246d2d60d071314842fa448faa4ed39082aff" + }, + { + "url": "https://git.kernel.org/stable/c/4fad7fef847b6028475dd7b4c14fcb82b3e51274" + }, + { + "url": "https://git.kernel.org/stable/c/8836e1bf5838ac6c08760e0a2dd7cf6410aa7ff3" + }, + { + "url": "https://git.kernel.org/stable/c/a1216e62d039bf63a539bbe718536ec789a853dd" + }, + { + "url": "https://git.kernel.org/stable/c/f23c3d1ca9c4b2d626242a4e7e1ec1770447f7b5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41064 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41064", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/eeh: avoid possible crash when edev->pdev changes\n\nIf a PCI device is removed during eeh_pe_report_edev(), edev->pdev\nwill change and can cause a crash, hold the PCI rescan/remove lock\nwhile taking a copy of edev->pdev->bus.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41064\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41064\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41064\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41064\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41064\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/033c51dfdbb6b79ab43fb3587276fa82d0a329e1\",\n \"https://git.kernel.org/stable/c/428d940a8b6b3350b282c14d3f63350bde65c48b\",\n \"https://git.kernel.org/stable/c/4bc246d2d60d071314842fa448faa4ed39082aff\",\n \"https://git.kernel.org/stable/c/4fad7fef847b6028475dd7b4c14fcb82b3e51274\",\n \"https://git.kernel.org/stable/c/8836e1bf5838ac6c08760e0a2dd7cf6410aa7ff3\",\n \"https://git.kernel.org/stable/c/a1216e62d039bf63a539bbe718536ec789a853dd\",\n \"https://git.kernel.org/stable/c/f23c3d1ca9c4b2d626242a4e7e1ec1770447f7b5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/eeh: avoid possible crash when edev->pdev changes\\n\\nIf a PCI device is removed during eeh_pe_report_edev(), edev->pdev\\nwill change and can cause a crash, hold the PCI rescan/remove lock\\nwhile taking a copy of edev->pdev->bus.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41064\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41065", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41065" + }, + { + "url": "https://git.kernel.org/stable/c/0f5892212c27be31792ef1daa89c8dac1b3047e4" + }, + { + "url": "https://git.kernel.org/stable/c/1a14150e1656f7a332a943154fc486504db4d586" + }, + { + "url": "https://git.kernel.org/stable/c/1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2" + }, + { + "url": "https://git.kernel.org/stable/c/6b16098148ea58a67430d90e20476be2377c3acd" + }, + { + "url": "https://git.kernel.org/stable/c/a7b952941ce07e1e7a2cafd08c64a98e14f553e6" + }, + { + "url": "https://git.kernel.org/stable/c/e512a59b472684d8585125101ab03b86c2c1348a" + }, + { + "url": "https://git.kernel.org/stable/c/e59822f9d700349cd17968d22c979db23a2d347f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41065 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41065", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Whitelist dtl slub object for copying to userspace\n\nReading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*\nresults in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as\nshown below.\n\n kernel BUG at mm/usercopy.c:102!\n Oops: Exception in kernel mode, sig: 5 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc\n scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse\n CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85\n Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries\n NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8\n REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3)\n MSR: 8000000000029033 CR: 2828220f XER: 0000000e\n CFAR: c0000000001fdc80 IRQMASK: 0\n [ ... GPRs omitted ... ]\n NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0\n LR [c0000000005d23d0] usercopy_abort+0x74/0xb0\n Call Trace:\n usercopy_abort+0x74/0xb0 (unreliable)\n __check_heap_object+0xf8/0x120\n check_heap_object+0x218/0x240\n __check_object_size+0x84/0x1a4\n dtl_file_read+0x17c/0x2c4\n full_proxy_read+0x8c/0x110\n vfs_read+0xdc/0x3a0\n ksys_read+0x84/0x144\n system_call_exception+0x124/0x330\n system_call_vectored_common+0x15c/0x2ec\n --- interrupt: 3000 at 0x7fff81f3ab34\n\nCommit 6d07d1cd300f (\"usercopy: Restrict non-usercopy caches to size 0\")\nrequires that only whitelisted areas in slab/slub objects can be copied to\nuserspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.\nDtl contains hypervisor dispatch events which are expected to be read by\nprivileged users. Hence mark this safe for user access.\nSpecify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the\nentire object.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41065\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41065\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41065\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41065\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41065\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f5892212c27be31792ef1daa89c8dac1b3047e4\",\n \"https://git.kernel.org/stable/c/1a14150e1656f7a332a943154fc486504db4d586\",\n \"https://git.kernel.org/stable/c/1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2\",\n \"https://git.kernel.org/stable/c/6b16098148ea58a67430d90e20476be2377c3acd\",\n \"https://git.kernel.org/stable/c/a7b952941ce07e1e7a2cafd08c64a98e14f553e6\",\n \"https://git.kernel.org/stable/c/e512a59b472684d8585125101ab03b86c2c1348a\",\n \"https://git.kernel.org/stable/c/e59822f9d700349cd17968d22c979db23a2d347f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/pseries: Whitelist dtl slub object for copying to userspace\\n\\nReading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*\\nresults in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as\\nshown below.\\n\\n kernel BUG at mm/usercopy.c:102!\\n Oops: Exception in kernel mode, sig: 5 [#1]\\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\\n Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc\\n scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse\\n CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85\\n Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries\\n NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8\\n REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3)\\n MSR: 8000000000029033 CR: 2828220f XER: 0000000e\\n CFAR: c0000000001fdc80 IRQMASK: 0\\n [ ... GPRs omitted ... ]\\n NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0\\n LR [c0000000005d23d0] usercopy_abort+0x74/0xb0\\n Call Trace:\\n usercopy_abort+0x74/0xb0 (unreliable)\\n __check_heap_object+0xf8/0x120\\n check_heap_object+0x218/0x240\\n __check_object_size+0x84/0x1a4\\n dtl_file_read+0x17c/0x2c4\\n full_proxy_read+0x8c/0x110\\n vfs_read+0xdc/0x3a0\\n ksys_read+0x84/0x144\\n system_call_exception+0x124/0x330\\n system_call_vectored_common+0x15c/0x2ec\\n --- interrupt: 3000 at 0x7fff81f3ab34\\n\\nCommit 6d07d1cd300f (\\\"usercopy: Restrict non-usercopy caches to size 0\\\")\\nrequires that only whitelisted areas in slab/slub objects can be copied to\\nuserspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.\\nDtl contains hypervisor dispatch events which are expected to be read by\\nprivileged users. Hence mark this safe for user access.\\nSpecify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the\\nentire object.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41065\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41066", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41066" + }, + { + "url": "https://git.kernel.org/stable/c/0983d288caf984de0202c66641577b739caad561" + }, + { + "url": "https://git.kernel.org/stable/c/16ad1557cae582e79bb82dddd612d9bdfaa11d4c" + }, + { + "url": "https://git.kernel.org/stable/c/267c61c4afed0ff9a2e83462abad3f41d8ca1f06" + }, + { + "url": "https://git.kernel.org/stable/c/e7b75def33eae61ddaad6cb616c517dc3882eb2a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41066 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41066", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Add tx check to prevent skb leak\n\nBelow is a summary of how the driver stores a reference to an skb during\ntransmit:\n tx_buff[free_map[consumer_index]]->skb = new_skb;\n free_map[consumer_index] = IBMVNIC_INVALID_MAP;\n consumer_index ++;\nWhere variable data looks like this:\n free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]\n \tconsumer_index^\n tx_buff == [skb=null, skb=, skb=, skb=null, skb=null]\n\nThe driver has checks to ensure that free_map[consumer_index] pointed to\na valid index but there was no check to ensure that this index pointed\nto an unused/null skb address. So, if, by some chance, our free_map and\ntx_buff lists become out of sync then we were previously risking an\nskb memory leak. This could then cause tcp congestion control to stop\nsending packets, eventually leading to ETIMEDOUT.\n\nTherefore, add a conditional to ensure that the skb address is null. If\nnot then warn the user (because this is still a bug that should be\npatched) and free the old pointer to prevent memleak/tcp problems.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41066\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41066\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41066\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41066\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41066\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0983d288caf984de0202c66641577b739caad561\",\n \"https://git.kernel.org/stable/c/16ad1557cae582e79bb82dddd612d9bdfaa11d4c\",\n \"https://git.kernel.org/stable/c/267c61c4afed0ff9a2e83462abad3f41d8ca1f06\",\n \"https://git.kernel.org/stable/c/e7b75def33eae61ddaad6cb616c517dc3882eb2a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nibmvnic: Add tx check to prevent skb leak\\n\\nBelow is a summary of how the driver stores a reference to an skb during\\ntransmit:\\n tx_buff[free_map[consumer_index]]->skb = new_skb;\\n free_map[consumer_index] = IBMVNIC_INVALID_MAP;\\n consumer_index ++;\\nWhere variable data looks like this:\\n free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]\\n \\tconsumer_index^\\n tx_buff == [skb=null, skb=, skb=, skb=null, skb=null]\\n\\nThe driver has checks to ensure that free_map[consumer_index] pointed to\\na valid index but there was no check to ensure that this index pointed\\nto an unused/null skb address. So, if, by some chance, our free_map and\\ntx_buff lists become out of sync then we were previously risking an\\nskb memory leak. This could then cause tcp congestion control to stop\\nsending packets, eventually leading to ETIMEDOUT.\\n\\nTherefore, add a conditional to ensure that the skb address is null. If\\nnot then warn the user (because this is still a bug that should be\\npatched) and free the old pointer to prevent memleak/tcp problems.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41066\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41067", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41067" + }, + { + "url": "https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72" + }, + { + "url": "https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41067 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41067", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: scrub: handle RST lookup error correctly\n\n[BUG]\nWhen running btrfs/060 with forced RST feature, it would crash the\nfollowing ASSERT() inside scrub_read_endio():\n\n\tASSERT(sector_nr < stripe->nr_sectors);\n\nBefore that, we would have tree dump from\nbtrfs_get_raid_extent_offset(), as we failed to find the RST entry for\nthe range.\n\n[CAUSE]\nInside scrub_submit_extent_sector_read() every time we allocated a new\nbbio we immediately called btrfs_map_block() to make sure there was some\nRST range covering the scrub target.\n\nBut if btrfs_map_block() fails, we immediately call endio for the bbio,\nwhile the bbio is newly allocated, it's completely empty.\n\nThen inside scrub_read_endio(), we go through the bvecs to find\nthe sector number (as bi_sector is no longer reliable if the bio is\nsubmitted to lower layers).\n\nAnd since the bio is empty, such bvecs iteration would not find any\nsector matching the sector, and return sector_nr == stripe->nr_sectors,\ntriggering the ASSERT().\n\n[FIX]\nInstead of calling btrfs_map_block() after allocating a new bbio, call\nbtrfs_map_block() first.\n\nSince our only objective of calling btrfs_map_block() is only to update\nstripe_len, there is really no need to do that after btrfs_alloc_bio().\n\nThis new timing would avoid the problem of handling empty bbio\ncompletely, and in fact fixes a possible race window for the old code,\nwhere if the submission thread is the only owner of the pending_io, the\nscrub would never finish (since we didn't decrease the pending_io\ncounter).\n\nAlthough the root cause of RST lookup failure still needs to be\naddressed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41067\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41067\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41067\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41067\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41067\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72\",\n \"https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: scrub: handle RST lookup error correctly\\n\\n[BUG]\\nWhen running btrfs/060 with forced RST feature, it would crash the\\nfollowing ASSERT() inside scrub_read_endio():\\n\\n\\tASSERT(sector_nr < stripe->nr_sectors);\\n\\nBefore that, we would have tree dump from\\nbtrfs_get_raid_extent_offset(), as we failed to find the RST entry for\\nthe range.\\n\\n[CAUSE]\\nInside scrub_submit_extent_sector_read() every time we allocated a new\\nbbio we immediately called btrfs_map_block() to make sure there was some\\nRST range covering the scrub target.\\n\\nBut if btrfs_map_block() fails, we immediately call endio for the bbio,\\nwhile the bbio is newly allocated, it's completely empty.\\n\\nThen inside scrub_read_endio(), we go through the bvecs to find\\nthe sector number (as bi_sector is no longer reliable if the bio is\\nsubmitted to lower layers).\\n\\nAnd since the bio is empty, such bvecs iteration would not find any\\nsector matching the sector, and return sector_nr == stripe->nr_sectors,\\ntriggering the ASSERT().\\n\\n[FIX]\\nInstead of calling btrfs_map_block() after allocating a new bbio, call\\nbtrfs_map_block() first.\\n\\nSince our only objective of calling btrfs_map_block() is only to update\\nstripe_len, there is really no need to do that after btrfs_alloc_bio().\\n\\nThis new timing would avoid the problem of handling empty bbio\\ncompletely, and in fact fixes a possible race window for the old code,\\nwhere if the submission thread is the only owner of the pending_io, the\\nscrub would never finish (since we didn't decrease the pending_io\\ncounter).\\n\\nAlthough the root cause of RST lookup failure still needs to be\\naddressed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41067\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41068", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41068" + }, + { + "url": "https://git.kernel.org/stable/c/0a31b3fdc7e735c4f8c65fe4339945c717ed6808" + }, + { + "url": "https://git.kernel.org/stable/c/2e51db7ab71b89dc5a17068f5e201c69f13a4c9a" + }, + { + "url": "https://git.kernel.org/stable/c/455a6653d8700a81aa8ed2b6442a3be476007090" + }, + { + "url": "https://git.kernel.org/stable/c/6434b33faaa063df500af355ee6c3942e0f8d982" + }, + { + "url": "https://git.kernel.org/stable/c/79b4be70d5a160969b805f638ac5b4efd0aac7a3" + }, + { + "url": "https://git.kernel.org/stable/c/a778987afc36d5dc02a1f82d352a81edcaf7eb83" + }, + { + "url": "https://git.kernel.org/stable/c/be0259796d0b76bbc7461e12c186814a9e58244c" + }, + { + "url": "https://git.kernel.org/stable/c/cf521049fcd07071ed42dc9758fce7d5ee120ec6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41068 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41068", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Fix sclp_init() cleanup on failure\n\nIf sclp_init() fails it only partially cleans up: if there are multiple\nfailing calls to sclp_init() sclp_state_change_event will be added several\ntimes to sclp_reg_list, which results in the following warning:\n\n------------[ cut here ]------------\nlist_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10.\nWARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3\nKrnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8)\n R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3\n...\nCall Trace:\n [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8\n([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8)\n [<000003ffe0a8d37e>] sclp_init+0x40e/0x450\n [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0\n [<000003ffe15b77a6>] do_initcalls+0x126/0x150\n [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8\n [<000003ffe0d6650e>] kernel_init+0x2e/0x180\n [<000003ffe000301c>] __ret_from_fork+0x3c/0x60\n [<000003ffe0d759ca>] ret_from_fork+0xa/0x30\n\nFix this by removing sclp_state_change_event from sclp_reg_list when\nsclp_init() fails.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41068\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41068\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41068\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41068\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41068\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a31b3fdc7e735c4f8c65fe4339945c717ed6808\",\n \"https://git.kernel.org/stable/c/2e51db7ab71b89dc5a17068f5e201c69f13a4c9a\",\n \"https://git.kernel.org/stable/c/455a6653d8700a81aa8ed2b6442a3be476007090\",\n \"https://git.kernel.org/stable/c/6434b33faaa063df500af355ee6c3942e0f8d982\",\n \"https://git.kernel.org/stable/c/79b4be70d5a160969b805f638ac5b4efd0aac7a3\",\n \"https://git.kernel.org/stable/c/a778987afc36d5dc02a1f82d352a81edcaf7eb83\",\n \"https://git.kernel.org/stable/c/be0259796d0b76bbc7461e12c186814a9e58244c\",\n \"https://git.kernel.org/stable/c/cf521049fcd07071ed42dc9758fce7d5ee120ec6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/sclp: Fix sclp_init() cleanup on failure\\n\\nIf sclp_init() fails it only partially cleans up: if there are multiple\\nfailing calls to sclp_init() sclp_state_change_event will be added several\\ntimes to sclp_reg_list, which results in the following warning:\\n\\n------------[ cut here ]------------\\nlist_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10.\\nWARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8\\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3\\nKrnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8)\\n R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3\\n...\\nCall Trace:\\n [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8\\n([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8)\\n [<000003ffe0a8d37e>] sclp_init+0x40e/0x450\\n [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0\\n [<000003ffe15b77a6>] do_initcalls+0x126/0x150\\n [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8\\n [<000003ffe0d6650e>] kernel_init+0x2e/0x180\\n [<000003ffe000301c>] __ret_from_fork+0x3c/0x60\\n [<000003ffe0d759ca>] ret_from_fork+0xa/0x30\\n\\nFix this by removing sclp_state_change_event from sclp_reg_list when\\nsclp_init() fails.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41068\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41069", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41069" + }, + { + "url": "https://git.kernel.org/stable/c/97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1" + }, + { + "url": "https://git.kernel.org/stable/c/ab5a6208b4d6872b1c6ecea1867940fc668cc76d" + }, + { + "url": "https://git.kernel.org/stable/c/b188d7f3dfab10e332e3c1066e18857964a520d2" + }, + { + "url": "https://git.kernel.org/stable/c/ccae5c6a1fab9494c86b7856faf05e296c617702" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41069 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41069", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: topology: Fix references to freed memory\n\nMost users after parsing a topology file, release memory used by it, so\nhaving pointer references directly into topology file contents is wrong.\nUse devm_kmemdup(), to allocate memory as needed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41069\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41069\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41069\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41069\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41069\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1\",\n \"https://git.kernel.org/stable/c/ab5a6208b4d6872b1c6ecea1867940fc668cc76d\",\n \"https://git.kernel.org/stable/c/b188d7f3dfab10e332e3c1066e18857964a520d2\",\n \"https://git.kernel.org/stable/c/ccae5c6a1fab9494c86b7856faf05e296c617702\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nASoC: topology: Fix references to freed memory\\n\\nMost users after parsing a topology file, release memory used by it, so\\nhaving pointer references directly into topology file contents is wrong.\\nUse devm_kmemdup(), to allocate memory as needed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41069\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41070", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41070" + }, + { + "url": "https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0" + }, + { + "url": "https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a" + }, + { + "url": "https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf" + }, + { + "url": "https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe" + }, + { + "url": "https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63" + }, + { + "url": "https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47" + }, + { + "url": "https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41070 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41070", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()\n\nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().\n\nIt looks up `stt` from tablefd, but then continues to use it after doing\nfdput() on the returned fd. After the fdput() the tablefd is free to be\nclosed by another thread. The close calls kvm_spapr_tce_release() and\nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.\n\nAlthough there are calls to rcu_read_lock() in\nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent\nthe UAF, because `stt` is used outside the locked regions.\n\nWith an artifcial delay after the fdput() and a userspace program which\ntriggers the race, KASAN detects the UAF:\n\n BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505\n CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1\n Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV\n Call Trace:\n dump_stack_lvl+0xb4/0x108 (unreliable)\n print_report+0x2b4/0x6ec\n kasan_report+0x118/0x2b0\n __asan_load4+0xb8/0xd0\n kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n kvm_vfio_set_attr+0x524/0xac0 [kvm]\n kvm_device_ioctl+0x144/0x240 [kvm]\n sys_ioctl+0x62c/0x1810\n system_call_exception+0x190/0x440\n system_call_vectored_common+0x15c/0x2ec\n ...\n Freed by task 0:\n ...\n kfree+0xec/0x3e0\n release_spapr_tce_table+0xd4/0x11c [kvm]\n rcu_core+0x568/0x16a0\n handle_softirqs+0x23c/0x920\n do_softirq_own_stack+0x6c/0x90\n do_softirq_own_stack+0x58/0x90\n __irq_exit_rcu+0x218/0x2d0\n irq_exit+0x30/0x80\n arch_local_irq_restore+0x128/0x230\n arch_local_irq_enable+0x1c/0x30\n cpuidle_enter_state+0x134/0x5cc\n cpuidle_enter+0x6c/0xb0\n call_cpuidle+0x7c/0x100\n do_idle+0x394/0x410\n cpu_startup_entry+0x60/0x70\n start_secondary+0x3fc/0x410\n start_secondary_prolog+0x10/0x14\n\nFix it by delaying the fdput() until `stt` is no longer in use, which\nis effectively the entire function. To keep the patch minimal add a call\nto fdput() at each of the existing return paths. Future work can convert\nthe function to goto or __cleanup style cleanup.\n\nWith the fix in place the test case no longer triggers the UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41070\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41070\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41070\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41070\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41070\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0\",\n \"https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a\",\n \"https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf\",\n \"https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe\",\n \"https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63\",\n \"https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47\",\n \"https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()\\n\\nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().\\n\\nIt looks up `stt` from tablefd, but then continues to use it after doing\\nfdput() on the returned fd. After the fdput() the tablefd is free to be\\nclosed by another thread. The close calls kvm_spapr_tce_release() and\\nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.\\n\\nAlthough there are calls to rcu_read_lock() in\\nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent\\nthe UAF, because `stt` is used outside the locked regions.\\n\\nWith an artifcial delay after the fdput() and a userspace program which\\ntriggers the race, KASAN detects the UAF:\\n\\n BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\\n Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505\\n CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1\\n Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV\\n Call Trace:\\n dump_stack_lvl+0xb4/0x108 (unreliable)\\n print_report+0x2b4/0x6ec\\n kasan_report+0x118/0x2b0\\n __asan_load4+0xb8/0xd0\\n kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\\n kvm_vfio_set_attr+0x524/0xac0 [kvm]\\n kvm_device_ioctl+0x144/0x240 [kvm]\\n sys_ioctl+0x62c/0x1810\\n system_call_exception+0x190/0x440\\n system_call_vectored_common+0x15c/0x2ec\\n ...\\n Freed by task 0:\\n ...\\n kfree+0xec/0x3e0\\n release_spapr_tce_table+0xd4/0x11c [kvm]\\n rcu_core+0x568/0x16a0\\n handle_softirqs+0x23c/0x920\\n do_softirq_own_stack+0x6c/0x90\\n do_softirq_own_stack+0x58/0x90\\n __irq_exit_rcu+0x218/0x2d0\\n irq_exit+0x30/0x80\\n arch_local_irq_restore+0x128/0x230\\n arch_local_irq_enable+0x1c/0x30\\n cpuidle_enter_state+0x134/0x5cc\\n cpuidle_enter+0x6c/0xb0\\n call_cpuidle+0x7c/0x100\\n do_idle+0x394/0x410\\n cpu_startup_entry+0x60/0x70\\n start_secondary+0x3fc/0x410\\n start_secondary_prolog+0x10/0x14\\n\\nFix it by delaying the fdput() until `stt` is no longer in use, which\\nis effectively the entire function. To keep the patch minimal add a call\\nto fdput() at each of the existing return paths. Future work can convert\\nthe function to goto or __cleanup style cleanup.\\n\\nWith the fix in place the test case no longer triggers the UAF.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41070\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41071", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41071" + }, + { + "url": "https://git.kernel.org/stable/c/2663d0462eb32ae7c9b035300ab6b1523886c718" + }, + { + "url": "https://git.kernel.org/stable/c/4f43a614b1b84f0d1e3c48cc541c3bfdf414a6d0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41071 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41071", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Avoid address calculations via out of bounds array indexing\n\nreq->n_channels must be set before req->channels[] can be used.\n\nThis patch fixes one of the issues encountered in [1].\n\n[ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4\n[ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'\n[...]\n[ 83.964264] Call Trace:\n[ 83.964267] \n[ 83.964269] dump_stack_lvl+0x3f/0xc0\n[ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110\n[ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0\n[ 83.964281] __ieee80211_start_scan+0x601/0x990\n[ 83.964291] nl80211_trigger_scan+0x874/0x980\n[ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160\n[ 83.964298] genl_rcv_msg+0x240/0x270\n[...]\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41071\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41071\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41071\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41071\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41071\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2663d0462eb32ae7c9b035300ab6b1523886c718\",\n \"https://git.kernel.org/stable/c/4f43a614b1b84f0d1e3c48cc541c3bfdf414a6d0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: Avoid address calculations via out of bounds array indexing\\n\\nreq->n_channels must be set before req->channels[] can be used.\\n\\nThis patch fixes one of the issues encountered in [1].\\n\\n[ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4\\n[ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'\\n[...]\\n[ 83.964264] Call Trace:\\n[ 83.964267] \\n[ 83.964269] dump_stack_lvl+0x3f/0xc0\\n[ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110\\n[ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0\\n[ 83.964281] __ieee80211_start_scan+0x601/0x990\\n[ 83.964291] nl80211_trigger_scan+0x874/0x980\\n[ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160\\n[ 83.964298] genl_rcv_msg+0x240/0x270\\n[...]\\n\\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41071\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41072", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41072" + }, + { + "url": "https://git.kernel.org/stable/c/001120ff0c9e3557dee9b5ee0d358e0fc189996f" + }, + { + "url": "https://git.kernel.org/stable/c/35cee10ccaee5bd451a480521bbc25dc9f07fa5b" + }, + { + "url": "https://git.kernel.org/stable/c/6295bad58f988eaafcf0e6f8b198a580398acb3b" + }, + { + "url": "https://git.kernel.org/stable/c/6ef09cdc5ba0f93826c09d810c141a8d103a80fc" + }, + { + "url": "https://git.kernel.org/stable/c/a43cc0558530b6c065976b6b9246f512f8d3593b" + }, + { + "url": "https://git.kernel.org/stable/c/b02ba9a0b55b762bd04743a22f3d9f9645005e79" + }, + { + "url": "https://git.kernel.org/stable/c/de5fcf757e33596eed32de170ce5a93fa44dd2ac" + }, + { + "url": "https://git.kernel.org/stable/c/fe9644efd86704afe50e56b64b609de340ab7c95" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41072 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41072", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: wext: add extra SIOCSIWSCAN data check\n\nIn 'cfg80211_wext_siwscan()', add extra check whether number of\nchannels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed\nIW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41072\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41072\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41072\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41072\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41072\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/001120ff0c9e3557dee9b5ee0d358e0fc189996f\",\n \"https://git.kernel.org/stable/c/35cee10ccaee5bd451a480521bbc25dc9f07fa5b\",\n \"https://git.kernel.org/stable/c/6295bad58f988eaafcf0e6f8b198a580398acb3b\",\n \"https://git.kernel.org/stable/c/6ef09cdc5ba0f93826c09d810c141a8d103a80fc\",\n \"https://git.kernel.org/stable/c/a43cc0558530b6c065976b6b9246f512f8d3593b\",\n \"https://git.kernel.org/stable/c/b02ba9a0b55b762bd04743a22f3d9f9645005e79\",\n \"https://git.kernel.org/stable/c/de5fcf757e33596eed32de170ce5a93fa44dd2ac\",\n \"https://git.kernel.org/stable/c/fe9644efd86704afe50e56b64b609de340ab7c95\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: cfg80211: wext: add extra SIOCSIWSCAN data check\\n\\nIn 'cfg80211_wext_siwscan()', add extra check whether number of\\nchannels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed\\nIW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41072\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41073", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41073" + }, + { + "url": "https://git.kernel.org/stable/c/1b9fd1265fac85916f90b4648de02adccdb7220b" + }, + { + "url": "https://git.kernel.org/stable/c/ae84383c96d6662c24697ab6b44aae855ab670aa" + }, + { + "url": "https://git.kernel.org/stable/c/c5942a14f795de957ae9d66027aac8ff4fe70057" + }, + { + "url": "https://git.kernel.org/stable/c/e5d574ab37f5f2e7937405613d9b1a724811e5ad" + }, + { + "url": "https://git.kernel.org/stable/c/f3ab45aacd25d957547fb6d115c1574c20964b3b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41073 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41073", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: avoid double free special payload\n\nIf a discard request needs to be retried, and that retry may fail before\na new special payload is added, a double free will result. Clear the\nRQF_SPECIAL_LOAD when the request is cleaned.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41073\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41073\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41073\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41073\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41073\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b9fd1265fac85916f90b4648de02adccdb7220b\",\n \"https://git.kernel.org/stable/c/ae84383c96d6662c24697ab6b44aae855ab670aa\",\n \"https://git.kernel.org/stable/c/c5942a14f795de957ae9d66027aac8ff4fe70057\",\n \"https://git.kernel.org/stable/c/e5d574ab37f5f2e7937405613d9b1a724811e5ad\",\n \"https://git.kernel.org/stable/c/f3ab45aacd25d957547fb6d115c1574c20964b3b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme: avoid double free special payload\\n\\nIf a discard request needs to be retried, and that retry may fail before\\na new special payload is added, a double free will result. Clear the\\nRQF_SPECIAL_LOAD when the request is cleaned.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41073\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41074", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41074" + }, + { + "url": "https://git.kernel.org/stable/c/0845c553db11c84ff53fccd59da11b6d6ece4a60" + }, + { + "url": "https://git.kernel.org/stable/c/4f8703fb3482f92edcfd31661857b16fec89c2c0" + }, + { + "url": "https://git.kernel.org/stable/c/703bea37d13e4ccdafd17ae7c4cb583752ba7663" + }, + { + "url": "https://git.kernel.org/stable/c/c32ee78fbc670e6f90989a45d340748e34cad333" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41074 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41074", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: Set object to close if ondemand_id < 0 in copen\n\nIf copen is maliciously called in the user mode, it may delete the request\ncorresponding to the random id. And the request may have not been read yet.\n\nNote that when the object is set to reopen, the open request will be done\nwith the still reopen state in above case. As a result, the request\ncorresponding to this object is always skipped in select_req function, so\nthe read request is never completed and blocks other process.\n\nFix this issue by simply set object to close if its id < 0 in copen.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41074\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41074\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41074\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41074\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41074\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0845c553db11c84ff53fccd59da11b6d6ece4a60\",\n \"https://git.kernel.org/stable/c/4f8703fb3482f92edcfd31661857b16fec89c2c0\",\n \"https://git.kernel.org/stable/c/703bea37d13e4ccdafd17ae7c4cb583752ba7663\",\n \"https://git.kernel.org/stable/c/c32ee78fbc670e6f90989a45d340748e34cad333\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: Set object to close if ondemand_id < 0 in copen\\n\\nIf copen is maliciously called in the user mode, it may delete the request\\ncorresponding to the random id. And the request may have not been read yet.\\n\\nNote that when the object is set to reopen, the open request will be done\\nwith the still reopen state in above case. As a result, the request\\ncorresponding to this object is always skipped in select_req function, so\\nthe read request is never completed and blocks other process.\\n\\nFix this issue by simply set object to close if its id < 0 in copen.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41074\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41075", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41075" + }, + { + "url": "https://git.kernel.org/stable/c/36d845ccd7bf527110a65fe953886a176c209539" + }, + { + "url": "https://git.kernel.org/stable/c/3b744884c0431b5a62c92900e64bfd0ed61e8e2a" + }, + { + "url": "https://git.kernel.org/stable/c/8aaa6c5dd2940ab934d6cd296175f43dbb32b34a" + }, + { + "url": "https://git.kernel.org/stable/c/a26dc49df37e996876f50a0210039b2d211fdd6f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41075 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41075", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: add consistency check for copen/cread\n\nThis prevents malicious processes from completing random copen/cread\nrequests and crashing the system. Added checks are listed below:\n\n * Generic, copen can only complete open requests, and cread can only\n complete read requests.\n * For copen, ondemand_id must not be 0, because this indicates that the\n request has not been read by the daemon.\n * For cread, the object corresponding to fd and req should be the same.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41075\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41075\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41075\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41075\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41075\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36d845ccd7bf527110a65fe953886a176c209539\",\n \"https://git.kernel.org/stable/c/3b744884c0431b5a62c92900e64bfd0ed61e8e2a\",\n \"https://git.kernel.org/stable/c/8aaa6c5dd2940ab934d6cd296175f43dbb32b34a\",\n \"https://git.kernel.org/stable/c/a26dc49df37e996876f50a0210039b2d211fdd6f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: add consistency check for copen/cread\\n\\nThis prevents malicious processes from completing random copen/cread\\nrequests and crashing the system. Added checks are listed below:\\n\\n * Generic, copen can only complete open requests, and cread can only\\n complete read requests.\\n * For copen, ondemand_id must not be 0, because this indicates that the\\n request has not been read by the daemon.\\n * For cread, the object corresponding to fd and req should be the same.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41075\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41076", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41076" + }, + { + "url": "https://git.kernel.org/stable/c/899604a7c958771840941caff9ee3dd8193d984c" + }, + { + "url": "https://git.kernel.org/stable/c/aad11473f8f4be3df86461081ce35ec5b145ba68" + }, + { + "url": "https://git.kernel.org/stable/c/b98090699319e64f5de1e8db5bb75870f1eb1c6e" + }, + { + "url": "https://git.kernel.org/stable/c/d130220ccc94d74d70da984a199477937e7bf03c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41076 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41076", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix memory leak in nfs4_set_security_label\n\nWe leak nfs_fattr and nfs4_label every time we set a security xattr.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41076\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41076\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41076\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41076\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41076\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/899604a7c958771840941caff9ee3dd8193d984c\",\n \"https://git.kernel.org/stable/c/aad11473f8f4be3df86461081ce35ec5b145ba68\",\n \"https://git.kernel.org/stable/c/b98090699319e64f5de1e8db5bb75870f1eb1c6e\",\n \"https://git.kernel.org/stable/c/d130220ccc94d74d70da984a199477937e7bf03c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nNFSv4: Fix memory leak in nfs4_set_security_label\\n\\nWe leak nfs_fattr and nfs4_label every time we set a security xattr.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41076\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41077", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41077" + }, + { + "url": "https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7" + }, + { + "url": "https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e" + }, + { + "url": "https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1" + }, + { + "url": "https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0" + }, + { + "url": "https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053" + }, + { + "url": "https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41077 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41077", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix validation of block size\n\nBlock size should be between 512 and PAGE_SIZE and be a power of 2. The current\ncheck does not validate this, so update the check.\n\nWithout this patch, null_blk would Oops due to a null pointer deref when\nloaded with bs=1536 [1].\n\n\n[axboe: remove unnecessary braces and != 0 check]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41077\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41077\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41077\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41077\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41077\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7\",\n \"https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e\",\n \"https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1\",\n \"https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0\",\n \"https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053\",\n \"https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnull_blk: fix validation of block size\\n\\nBlock size should be between 512 and PAGE_SIZE and be a power of 2. The current\\ncheck does not validate this, so update the check.\\n\\nWithout this patch, null_blk would Oops due to a null pointer deref when\\nloaded with bs=1536 [1].\\n\\n\\n[axboe: remove unnecessary braces and != 0 check]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41077\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41078", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41078" + }, + { + "url": "https://git.kernel.org/stable/c/5ef3961682e5310f2221bae99bcf9f5d0f4b0d51" + }, + { + "url": "https://git.kernel.org/stable/c/7dd6a5b96157a21245566b21fd58276a214357ff" + }, + { + "url": "https://git.kernel.org/stable/c/8a69529f22590b67bb018de9acbcf94abc8603cf" + }, + { + "url": "https://git.kernel.org/stable/c/94818bdb00ef34a996a06aa63d11f591074cb757" + }, + { + "url": "https://git.kernel.org/stable/c/a7e4c6a3031c74078dba7fa36239d0f4fe476c53" + }, + { + "url": "https://git.kernel.org/stable/c/f88aeff5a173e8ba3133314eb4b964236ef3589d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41078 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41078", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix quota root leak after quota disable failure\n\nIf during the quota disable we fail when cleaning the quota tree or when\ndeleting the root from the root tree, we jump to the 'out' label without\never dropping the reference on the quota root, resulting in a leak of the\nroot since fs_info->quota_root is no longer pointing to the root (we have\nset it to NULL just before those steps).\n\nFix this by always doing a btrfs_put_root() call under the 'out' label.\nThis is a problem that exists since qgroups were first added in 2012 by\ncommit bed92eae26cc (\"Btrfs: qgroup implementation and prototypes\"), but\nback then we missed a kfree on the quota root and free_extent_buffer()\ncalls on its root and commit root nodes, since back then roots were not\nyet reference counted.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41078\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41078\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41078\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41078\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41078\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5ef3961682e5310f2221bae99bcf9f5d0f4b0d51\",\n \"https://git.kernel.org/stable/c/7dd6a5b96157a21245566b21fd58276a214357ff\",\n \"https://git.kernel.org/stable/c/8a69529f22590b67bb018de9acbcf94abc8603cf\",\n \"https://git.kernel.org/stable/c/94818bdb00ef34a996a06aa63d11f591074cb757\",\n \"https://git.kernel.org/stable/c/a7e4c6a3031c74078dba7fa36239d0f4fe476c53\",\n \"https://git.kernel.org/stable/c/f88aeff5a173e8ba3133314eb4b964236ef3589d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: qgroup: fix quota root leak after quota disable failure\\n\\nIf during the quota disable we fail when cleaning the quota tree or when\\ndeleting the root from the root tree, we jump to the 'out' label without\\never dropping the reference on the quota root, resulting in a leak of the\\nroot since fs_info->quota_root is no longer pointing to the root (we have\\nset it to NULL just before those steps).\\n\\nFix this by always doing a btrfs_put_root() call under the 'out' label.\\nThis is a problem that exists since qgroups were first added in 2012 by\\ncommit bed92eae26cc (\\\"Btrfs: qgroup implementation and prototypes\\\"), but\\nback then we missed a kfree on the quota root and free_extent_buffer()\\ncalls on its root and commit root nodes, since back then roots were not\\nyet reference counted.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41078\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41079", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41079" + }, + { + "url": "https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319" + }, + { + "url": "https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d" + }, + { + "url": "https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2" + }, + { + "url": "https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41079 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41079", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: always initialize cqe.result\n\nThe spec doesn't mandate that the first two double words (aka results)\nfor the command queue entry need to be set to 0 when they are not\nused (not specified). Though, the target implemention returns 0 for TCP\nand FC but not for RDMA.\n\nLet's make RDMA behave the same and thus explicitly initializing the\nresult field. This prevents leaking any data from the stack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41079\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41079\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41079\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41079\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41079\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319\",\n \"https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d\",\n \"https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2\",\n \"https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvmet: always initialize cqe.result\\n\\nThe spec doesn't mandate that the first two double words (aka results)\\nfor the command queue entry need to be set to 0 when they are not\\nused (not specified). Though, the target implemention returns 0 for TCP\\nand FC but not for RDMA.\\n\\nLet's make RDMA behave the same and thus explicitly initializing the\\nresult field. This prevents leaking any data from the stack.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41079\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41080", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41080" + }, + { + "url": "https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf" + }, + { + "url": "https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41080 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41080", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix possible deadlock in io_register_iowq_max_workers()\n\nThe io_register_iowq_max_workers() function calls io_put_sq_data(),\nwhich acquires the sqd->lock without releasing the uring_lock.\nSimilar to the commit 009ad9f0c6ee (\"io_uring: drop ctx->uring_lock\nbefore acquiring sqd->lock\"), this can lead to a potential deadlock\nsituation.\n\nTo resolve this issue, the uring_lock is released before calling\nio_put_sq_data(), and then it is re-acquired after the function call.\n\nThis change ensures that the locks are acquired in the correct\norder, preventing the possibility of a deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41080\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41080\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41080\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41080\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41080\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf\",\n \"https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring: fix possible deadlock in io_register_iowq_max_workers()\\n\\nThe io_register_iowq_max_workers() function calls io_put_sq_data(),\\nwhich acquires the sqd->lock without releasing the uring_lock.\\nSimilar to the commit 009ad9f0c6ee (\\\"io_uring: drop ctx->uring_lock\\nbefore acquiring sqd->lock\\\"), this can lead to a potential deadlock\\nsituation.\\n\\nTo resolve this issue, the uring_lock is released before calling\\nio_put_sq_data(), and then it is re-acquired after the function call.\\n\\nThis change ensures that the locks are acquired in the correct\\norder, preventing the possibility of a deadlock.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41080\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41081", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41081" + }, + { + "url": "https://git.kernel.org/stable/c/522c3336c2025818fa05e9daf0ac35711e55e316" + }, + { + "url": "https://git.kernel.org/stable/c/7435bd2f84a25aba607030237261b3795ba782da" + }, + { + "url": "https://git.kernel.org/stable/c/96103371091c6476eb07f4c66624bdd1b42f758a" + }, + { + "url": "https://git.kernel.org/stable/c/9f9c79d8e527d867e0875868b14fb76e6011e70c" + }, + { + "url": "https://git.kernel.org/stable/c/a0cafb7b0b94d18e4813ee4b712a056f280e7b5a" + }, + { + "url": "https://git.kernel.org/stable/c/b4eb25a3d70df925a9fa4e82d17a958a0a228f5f" + }, + { + "url": "https://git.kernel.org/stable/c/cf28ff8e4c02e1ffa850755288ac954b6ff0db8c" + }, + { + "url": "https://git.kernel.org/stable/c/feac2391e26b086f73be30e9b1ab215eada8d830" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41081 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41081", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: block BH in ila_output()\n\nAs explained in commit 1378817486d6 (\"tipc: block BH\nbefore using dst_cache\"), net/core/dst_cache.c\nhelpers need to be called with BH disabled.\n\nila_output() is called from lwtunnel_output()\npossibly from process context, and under rcu_read_lock().\n\nWe might be interrupted by a softirq, re-enter ila_output()\nand corrupt dst_cache data structures.\n\nFix the race by using local_bh_disable().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41081\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41081\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41081\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41081\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41081\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/522c3336c2025818fa05e9daf0ac35711e55e316\",\n \"https://git.kernel.org/stable/c/7435bd2f84a25aba607030237261b3795ba782da\",\n \"https://git.kernel.org/stable/c/96103371091c6476eb07f4c66624bdd1b42f758a\",\n \"https://git.kernel.org/stable/c/9f9c79d8e527d867e0875868b14fb76e6011e70c\",\n \"https://git.kernel.org/stable/c/a0cafb7b0b94d18e4813ee4b712a056f280e7b5a\",\n \"https://git.kernel.org/stable/c/b4eb25a3d70df925a9fa4e82d17a958a0a228f5f\",\n \"https://git.kernel.org/stable/c/cf28ff8e4c02e1ffa850755288ac954b6ff0db8c\",\n \"https://git.kernel.org/stable/c/feac2391e26b086f73be30e9b1ab215eada8d830\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nila: block BH in ila_output()\\n\\nAs explained in commit 1378817486d6 (\\\"tipc: block BH\\nbefore using dst_cache\\\"), net/core/dst_cache.c\\nhelpers need to be called with BH disabled.\\n\\nila_output() is called from lwtunnel_output()\\npossibly from process context, and under rcu_read_lock().\\n\\nWe might be interrupted by a softirq, re-enter ila_output()\\nand corrupt dst_cache data structures.\\n\\nFix the race by using local_bh_disable().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41081\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41082", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41082" + }, + { + "url": "https://git.kernel.org/stable/c/165da9c67a26f08c9b956c15d701da7690f45bcb" + }, + { + "url": "https://git.kernel.org/stable/c/7dc3bfcb4c9cc58970fff6aaa48172cb224d85aa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41082 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41082", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fabrics: use reserved tag for reg read/write command\n\nIn some scenarios, if too many commands are issued by nvme command in\nthe same time by user tasks, this may exhaust all tags of admin_q. If\na reset (nvme reset or IO timeout) occurs before these commands finish,\nreconnect routine may fail to update nvme regs due to insufficient tags,\nwhich will cause kernel hang forever. In order to workaround this issue,\nmaybe we can let reg_read32()/reg_read64()/reg_write32() use reserved\ntags. This maybe safe for nvmf:\n\n1. For the disable ctrl path, we will not issue connect command\n2. For the enable ctrl / fw activate path, since connect and reg_xx()\n are called serially.\n\nSo the reserved tags may still be enough while reg_xx() use reserved tags.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41082\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41082\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41082\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41082\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41082\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/165da9c67a26f08c9b956c15d701da7690f45bcb\",\n \"https://git.kernel.org/stable/c/7dc3bfcb4c9cc58970fff6aaa48172cb224d85aa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme-fabrics: use reserved tag for reg read/write command\\n\\nIn some scenarios, if too many commands are issued by nvme command in\\nthe same time by user tasks, this may exhaust all tags of admin_q. If\\na reset (nvme reset or IO timeout) occurs before these commands finish,\\nreconnect routine may fail to update nvme regs due to insufficient tags,\\nwhich will cause kernel hang forever. In order to workaround this issue,\\nmaybe we can let reg_read32()/reg_read64()/reg_write32() use reserved\\ntags. This maybe safe for nvmf:\\n\\n1. For the disable ctrl path, we will not issue connect command\\n2. For the enable ctrl / fw activate path, since connect and reg_xx()\\n are called serially.\\n\\nSo the reserved tags may still be enough while reg_xx() use reserved tags.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41082\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41087", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41087" + }, + { + "url": "https://git.kernel.org/stable/c/010de9acbea58fbcbda08e3793d6262086a493fe" + }, + { + "url": "https://git.kernel.org/stable/c/062e256516d7db5e7dcdef117f52025cd5c456e3" + }, + { + "url": "https://git.kernel.org/stable/c/290073b2b557e4dc21ee74a1e403d9ae79e393a2" + }, + { + "url": "https://git.kernel.org/stable/c/56f1c7e290cd6c69c948fcd2e2a49e6a637ec38f" + }, + { + "url": "https://git.kernel.org/stable/c/5dde5f8b790274723640d29a07c5a97d57d62047" + }, + { + "url": "https://git.kernel.org/stable/c/702c1edbafb2e6f9d20f6d391273b5be09d366a5" + }, + { + "url": "https://git.kernel.org/stable/c/8106da4d88bbaed809e023cc8014b766223d6e76" + }, + { + "url": "https://git.kernel.org/stable/c/ab9e0c529eb7cafebdd31fe1644524e80a48b05d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41087 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41087", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Fix double free on error\n\nIf e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump\nto the err_out label, which will call devres_release_group().\ndevres_release_group() will trigger a call to ata_host_release().\nata_host_release() calls kfree(host), so executing the kfree(host) in\nata_host_alloc() will lead to a double free:\n\nkernel BUG at mm/slub.c:553!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:kfree+0x2cf/0x2f0\nCode: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da\nRSP: 0018:ffffc90000f377f0 EFLAGS: 00010246\nRAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320\nRDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0\nRBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780\nR13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006\nFS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? __die_body.cold+0x19/0x27\n ? die+0x2e/0x50\n ? do_trap+0xca/0x110\n ? do_error_trap+0x6a/0x90\n ? kfree+0x2cf/0x2f0\n ? exc_invalid_op+0x50/0x70\n ? kfree+0x2cf/0x2f0\n ? asm_exc_invalid_op+0x1a/0x20\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? kfree+0x2cf/0x2f0\n ata_host_alloc+0xf5/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\n\nEnsure that we will not call kfree(host) twice, by performing the kfree()\nonly if the devres_open_group() call failed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41087\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41087\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41087\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41087\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41087\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/010de9acbea58fbcbda08e3793d6262086a493fe\",\n \"https://git.kernel.org/stable/c/062e256516d7db5e7dcdef117f52025cd5c456e3\",\n \"https://git.kernel.org/stable/c/290073b2b557e4dc21ee74a1e403d9ae79e393a2\",\n \"https://git.kernel.org/stable/c/56f1c7e290cd6c69c948fcd2e2a49e6a637ec38f\",\n \"https://git.kernel.org/stable/c/5dde5f8b790274723640d29a07c5a97d57d62047\",\n \"https://git.kernel.org/stable/c/702c1edbafb2e6f9d20f6d391273b5be09d366a5\",\n \"https://git.kernel.org/stable/c/8106da4d88bbaed809e023cc8014b766223d6e76\",\n \"https://git.kernel.org/stable/c/ab9e0c529eb7cafebdd31fe1644524e80a48b05d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nata: libata-core: Fix double free on error\\n\\nIf e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump\\nto the err_out label, which will call devres_release_group().\\ndevres_release_group() will trigger a call to ata_host_release().\\nata_host_release() calls kfree(host), so executing the kfree(host) in\\nata_host_alloc() will lead to a double free:\\n\\nkernel BUG at mm/slub.c:553!\\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\\nRIP: 0010:kfree+0x2cf/0x2f0\\nCode: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da\\nRSP: 0018:ffffc90000f377f0 EFLAGS: 00010246\\nRAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320\\nRDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0\\nRBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000\\nR10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780\\nR13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006\\nFS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? __die_body.cold+0x19/0x27\\n ? die+0x2e/0x50\\n ? do_trap+0xca/0x110\\n ? do_error_trap+0x6a/0x90\\n ? kfree+0x2cf/0x2f0\\n ? exc_invalid_op+0x50/0x70\\n ? kfree+0x2cf/0x2f0\\n ? asm_exc_invalid_op+0x1a/0x20\\n ? ata_host_alloc+0xf5/0x120 [libata]\\n ? ata_host_alloc+0xf5/0x120 [libata]\\n ? kfree+0x2cf/0x2f0\\n ata_host_alloc+0xf5/0x120 [libata]\\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\\n ahci_init_one+0x6c9/0xd20 [ahci]\\n\\nEnsure that we will not call kfree(host) twice, by performing the kfree()\\nonly if the devres_open_group() call failed.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41087\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41088", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41088" + }, + { + "url": "https://git.kernel.org/stable/c/3e72558c1711d524e3150103739ddd06650e291b" + }, + { + "url": "https://git.kernel.org/stable/c/6c6b4afa59c2fb4d1759235f866d8caed2aa4729" + }, + { + "url": "https://git.kernel.org/stable/c/d8fb63e46c884c898a38f061c2330f7729e75510" + }, + { + "url": "https://git.kernel.org/stable/c/f926c022ebaabf7963bebf89a97201d66978a025" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41088 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41088", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251xfd: fix infinite loop when xmit fails\n\nWhen the mcp251xfd_start_xmit() function fails, the driver stops\nprocessing messages, and the interrupt routine does not return,\nrunning indefinitely even after killing the running application.\n\nError messages:\n[ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16\n[ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3).\n... and repeat forever.\n\nThe issue can be triggered when multiple devices share the same SPI\ninterface. And there is concurrent access to the bus.\n\nThe problem occurs because tx_ring->head increments even if\nmcp251xfd_start_xmit() fails. Consequently, the driver skips one TX\npackage while still expecting a response in\nmcp251xfd_handle_tefif_one().\n\nResolve the issue by starting a workqueue to write the tx obj\nsynchronously if err = -EBUSY. In case of another error, decrement\ntx_ring->head, remove skb from the echo stack, and drop the message.\n\n[mkl: use more imperative wording in patch description]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41088\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41088\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41088\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41088\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41088\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3e72558c1711d524e3150103739ddd06650e291b\",\n \"https://git.kernel.org/stable/c/6c6b4afa59c2fb4d1759235f866d8caed2aa4729\",\n \"https://git.kernel.org/stable/c/d8fb63e46c884c898a38f061c2330f7729e75510\",\n \"https://git.kernel.org/stable/c/f926c022ebaabf7963bebf89a97201d66978a025\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncan: mcp251xfd: fix infinite loop when xmit fails\\n\\nWhen the mcp251xfd_start_xmit() function fails, the driver stops\\nprocessing messages, and the interrupt routine does not return,\\nrunning indefinitely even after killing the running application.\\n\\nError messages:\\n[ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16\\n[ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3).\\n... and repeat forever.\\n\\nThe issue can be triggered when multiple devices share the same SPI\\ninterface. And there is concurrent access to the bus.\\n\\nThe problem occurs because tx_ring->head increments even if\\nmcp251xfd_start_xmit() fails. Consequently, the driver skips one TX\\npackage while still expecting a response in\\nmcp251xfd_handle_tefif_one().\\n\\nResolve the issue by starting a workqueue to write the tx obj\\nsynchronously if err = -EBUSY. In case of another error, decrement\\ntx_ring->head, remove skb from the echo stack, and drop the message.\\n\\n[mkl: use more imperative wording in patch description]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41088\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41089", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41089" + }, + { + "url": "https://git.kernel.org/stable/c/1c9f2e60150b4f13789064370e37f39e6e060f50" + }, + { + "url": "https://git.kernel.org/stable/c/30cbf6ffafbbdd8a6e4e5f0a2e9a9827ee83f3ad" + }, + { + "url": "https://git.kernel.org/stable/c/56fc4d3b0bdef691831cd95715a7ca3ebea98b2d" + }, + { + "url": "https://git.kernel.org/stable/c/5eecb49a6c268dc229005bf6e8167d4001dc09a0" + }, + { + "url": "https://git.kernel.org/stable/c/6d411c8ccc0137a612e0044489030a194ff5c843" + }, + { + "url": "https://git.kernel.org/stable/c/6e49a157d541e7e97b815a56f4bdfcbc89844a59" + }, + { + "url": "https://git.kernel.org/stable/c/7ece609b0ce7a7ea8acdf512a77d1fee26621637" + }, + { + "url": "https://git.kernel.org/stable/c/ffabad4aa91e33ced3c6ae793fb37771b3e9cb51" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41089 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41089", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes\n\nIn nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().\nAdd a check to avoid null pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41089\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41089\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41089\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41089\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41089\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c9f2e60150b4f13789064370e37f39e6e060f50\",\n \"https://git.kernel.org/stable/c/30cbf6ffafbbdd8a6e4e5f0a2e9a9827ee83f3ad\",\n \"https://git.kernel.org/stable/c/56fc4d3b0bdef691831cd95715a7ca3ebea98b2d\",\n \"https://git.kernel.org/stable/c/5eecb49a6c268dc229005bf6e8167d4001dc09a0\",\n \"https://git.kernel.org/stable/c/6d411c8ccc0137a612e0044489030a194ff5c843\",\n \"https://git.kernel.org/stable/c/6e49a157d541e7e97b815a56f4bdfcbc89844a59\",\n \"https://git.kernel.org/stable/c/7ece609b0ce7a7ea8acdf512a77d1fee26621637\",\n \"https://git.kernel.org/stable/c/ffabad4aa91e33ced3c6ae793fb37771b3e9cb51\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes\\n\\nIn nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is\\nassigned to mode, which will lead to a possible NULL pointer dereference\\non failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().\\nAdd a check to avoid null pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41089\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41090", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41090" + }, + { + "url": "https://git.kernel.org/stable/c/73d462a38d5f782b7c872fe9ae8393d9ef5483da" + }, + { + "url": "https://git.kernel.org/stable/c/7431144b406ae82807eb87d8c98e518475b0450f" + }, + { + "url": "https://git.kernel.org/stable/c/8be915fc5ff9a5e296f6538be12ea75a1a93bdea" + }, + { + "url": "https://git.kernel.org/stable/c/aa6a5704cab861c9b2ae9f475076e1881e87f5aa" + }, + { + "url": "https://git.kernel.org/stable/c/e1a786b9bbb767fd1c922d424aaa8078cc542309" + }, + { + "url": "https://git.kernel.org/stable/c/e5e5e63c506b93b89b01f522b6a7343585f784e6" + }, + { + "url": "https://git.kernel.org/stable/c/ed7f2afdd0e043a397677e597ced0830b83ba0b3" + }, + { + "url": "https://git.kernel.org/stable/c/ee93e6da30377cf2a75e16cd32bb9fcd86a61c46" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41090 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41090", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntap: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tap_get_user_xdp() path, which could cause a corrupted skb to be\nsent downstack. Even before the skb is transmitted, the\ntap_get_user_xdp()-->skb_set_network_header() may assume the size is more\nthan ETH_HLEN. Once transmitted, this could either cause out-of-bound\naccess beyond the actual length, or confuse the underlayer with incorrect\nor inconsistent header length in the skb metadata.\n\nIn the alternative path, tap_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tap_get_user() does.\n\nCVE: CVE-2024-41090", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41090\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41090\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41090\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41090\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41090\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/73d462a38d5f782b7c872fe9ae8393d9ef5483da\",\n \"https://git.kernel.org/stable/c/7431144b406ae82807eb87d8c98e518475b0450f\",\n \"https://git.kernel.org/stable/c/8be915fc5ff9a5e296f6538be12ea75a1a93bdea\",\n \"https://git.kernel.org/stable/c/aa6a5704cab861c9b2ae9f475076e1881e87f5aa\",\n \"https://git.kernel.org/stable/c/e1a786b9bbb767fd1c922d424aaa8078cc542309\",\n \"https://git.kernel.org/stable/c/e5e5e63c506b93b89b01f522b6a7343585f784e6\",\n \"https://git.kernel.org/stable/c/ed7f2afdd0e043a397677e597ced0830b83ba0b3\",\n \"https://git.kernel.org/stable/c/ee93e6da30377cf2a75e16cd32bb9fcd86a61c46\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntap: add missing verification for short frame\\n\\nThe cited commit missed to check against the validity of the frame length\\nin the tap_get_user_xdp() path, which could cause a corrupted skb to be\\nsent downstack. Even before the skb is transmitted, the\\ntap_get_user_xdp()-->skb_set_network_header() may assume the size is more\\nthan ETH_HLEN. Once transmitted, this could either cause out-of-bound\\naccess beyond the actual length, or confuse the underlayer with incorrect\\nor inconsistent header length in the skb metadata.\\n\\nIn the alternative path, tap_get_user() already prohibits short frame which\\nhas the length less than Ethernet header size from being transmitted.\\n\\nThis is to drop any frame shorter than the Ethernet header size just like\\nhow tap_get_user() does.\\n\\nCVE: CVE-2024-41090\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41090\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41091", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41091" + }, + { + "url": "https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3" + }, + { + "url": "https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9" + }, + { + "url": "https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2" + }, + { + "url": "https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319" + }, + { + "url": "https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5" + }, + { + "url": "https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb" + }, + { + "url": "https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146" + }, + { + "url": "https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41091 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41091", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tun_xdp_one() path, which could cause a corrupted skb to be sent\ndownstack. Even before the skb is transmitted, the\ntun_xdp_one-->eth_type_trans() may access the Ethernet header although it\ncan be less than ETH_HLEN. Once transmitted, this could either cause\nout-of-bound access beyond the actual length, or confuse the underlayer\nwith incorrect or inconsistent header length in the skb metadata.\n\nIn the alternative path, tun_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted for\nIFF_TAP.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tun_get_user() does.\n\nCVE: CVE-2024-41091", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41091\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41091\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41091\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41091\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41091\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3\",\n \"https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9\",\n \"https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2\",\n \"https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319\",\n \"https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5\",\n \"https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb\",\n \"https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146\",\n \"https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntun: add missing verification for short frame\\n\\nThe cited commit missed to check against the validity of the frame length\\nin the tun_xdp_one() path, which could cause a corrupted skb to be sent\\ndownstack. Even before the skb is transmitted, the\\ntun_xdp_one-->eth_type_trans() may access the Ethernet header although it\\ncan be less than ETH_HLEN. Once transmitted, this could either cause\\nout-of-bound access beyond the actual length, or confuse the underlayer\\nwith incorrect or inconsistent header length in the skb metadata.\\n\\nIn the alternative path, tun_get_user() already prohibits short frame which\\nhas the length less than Ethernet header size from being transmitted for\\nIFF_TAP.\\n\\nThis is to drop any frame shorter than the Ethernet header size just like\\nhow tun_get_user() does.\\n\\nCVE: CVE-2024-41091\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41091\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41092", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41092" + }, + { + "url": "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7" + }, + { + "url": "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d" + }, + { + "url": "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc" + }, + { + "url": "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50" + }, + { + "url": "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6" + }, + { + "url": "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41092 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41092", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix potential UAF by revoke of fence registers\n\nCI has been sporadically reporting the following issue triggered by\nigt@i915_selftest@live@hangcheck on ADL-P and similar machines:\n\n<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence\n...\n<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled\n<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled\n<3> [414.070354] Unable to pin Y-tiled fence; err:-4\n<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))\n...\n<4>[ 609.603992] ------------[ cut here ]------------\n<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!\n<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1\n<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]\n<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]\n...\n<4>[ 609.604271] Call Trace:\n<4>[ 609.604273] \n...\n<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]\n<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]\n<4>[ 609.604977] force_unbind+0x24/0xa0 [i915]\n<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]\n<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]\n<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]\n<4>[ 609.605440] process_scheduled_works+0x351/0x690\n...\n\nIn the past, there were similar failures reported by CI from other IGT\ntests, observed on other platforms.\n\nBefore commit 63baf4f3d587 (\"drm/i915/gt: Only wait for GPU activity\nbefore unbinding a GGTT fence\"), i915_vma_revoke_fence() was waiting for\nidleness of vma->active via fence_update(). That commit introduced\nvma->fence->active in order for the fence_update() to be able to wait\nselectively on that one instead of vma->active since only idleness of\nfence registers was needed. But then, another commit 0d86ee35097a\n(\"drm/i915/gt: Make fence revocation unequivocal\") replaced the call to\nfence_update() in i915_vma_revoke_fence() with only fence_write(), and\nalso added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.\nNo justification was provided on why we might then expect idleness of\nvma->fence->active without first waiting on it.\n\nThe issue can be potentially caused by a race among revocation of fence\nregisters on one side and sequential execution of signal callbacks invoked\non completion of a request that was using them on the other, still\nprocessed in parallel to revocation of those fence registers. Fix it by\nwaiting for idleness of vma->fence->active in i915_vma_revoke_fence().\n\n(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41092\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41092\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41092\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41092\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41092\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7\",\n \"https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d\",\n \"https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc\",\n \"https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50\",\n \"https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6\",\n \"https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/gt: Fix potential UAF by revoke of fence registers\\n\\nCI has been sporadically reporting the following issue triggered by\\nigt@i915_selftest@live@hangcheck on ADL-P and similar machines:\\n\\n<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence\\n...\\n<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled\\n<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled\\n<3> [414.070354] Unable to pin Y-tiled fence; err:-4\\n<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))\\n...\\n<4>[ 609.603992] ------------[ cut here ]------------\\n<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!\\n<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1\\n<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\\n<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]\\n<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]\\n...\\n<4>[ 609.604271] Call Trace:\\n<4>[ 609.604273] \\n...\\n<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]\\n<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]\\n<4>[ 609.604977] force_unbind+0x24/0xa0 [i915]\\n<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]\\n<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]\\n<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]\\n<4>[ 609.605440] process_scheduled_works+0x351/0x690\\n...\\n\\nIn the past, there were similar failures reported by CI from other IGT\\ntests, observed on other platforms.\\n\\nBefore commit 63baf4f3d587 (\\\"drm/i915/gt: Only wait for GPU activity\\nbefore unbinding a GGTT fence\\\"), i915_vma_revoke_fence() was waiting for\\nidleness of vma->active via fence_update(). That commit introduced\\nvma->fence->active in order for the fence_update() to be able to wait\\nselectively on that one instead of vma->active since only idleness of\\nfence registers was needed. But then, another commit 0d86ee35097a\\n(\\\"drm/i915/gt: Make fence revocation unequivocal\\\") replaced the call to\\nfence_update() in i915_vma_revoke_fence() with only fence_write(), and\\nalso added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.\\nNo justification was provided on why we might then expect idleness of\\nvma->fence->active without first waiting on it.\\n\\nThe issue can be potentially caused by a race among revocation of fence\\nregisters on one side and sequential execution of signal callbacks invoked\\non completion of a request that was using them on the other, still\\nprocessed in parallel to revocation of those fence registers. Fix it by\\nwaiting for idleness of vma->fence->active in i915_vma_revoke_fence().\\n\\n(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41092\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41093", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41093" + }, + { + "url": "https://git.kernel.org/stable/c/330c8c1453848c04d335bad81371a66710210800" + }, + { + "url": "https://git.kernel.org/stable/c/6ce0544cabaa608018d5922ab404dc656a9d8447" + }, + { + "url": "https://git.kernel.org/stable/c/7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc" + }, + { + "url": "https://git.kernel.org/stable/c/bcfa48ff785bd121316592b131ff6531e3e696bb" + }, + { + "url": "https://git.kernel.org/stable/c/dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41093 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41093", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid using null object of framebuffer\n\nInstead of using state->fb->obj[0] directly, get object from framebuffer\nby calling drm_gem_fb_get_obj() and return error code when object is\nnull to avoid using null object of framebuffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41093\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41093\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41093\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41093\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41093\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/330c8c1453848c04d335bad81371a66710210800\",\n \"https://git.kernel.org/stable/c/6ce0544cabaa608018d5922ab404dc656a9d8447\",\n \"https://git.kernel.org/stable/c/7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc\",\n \"https://git.kernel.org/stable/c/bcfa48ff785bd121316592b131ff6531e3e696bb\",\n \"https://git.kernel.org/stable/c/dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: avoid using null object of framebuffer\\n\\nInstead of using state->fb->obj[0] directly, get object from framebuffer\\nby calling drm_gem_fb_get_obj() and return error code when object is\\nnull to avoid using null object of framebuffer.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41093\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41095", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41095" + }, + { + "url": "https://git.kernel.org/stable/c/0d17604f2e44b3df21e218fe8fb3b836d41bac49" + }, + { + "url": "https://git.kernel.org/stable/c/259549b2ccf795b7f91f7b5aba47286addcfa389" + }, + { + "url": "https://git.kernel.org/stable/c/66edf3fb331b6c55439b10f9862987b0916b3726" + }, + { + "url": "https://git.kernel.org/stable/c/9289cd3450d1da3e271ef4b054d4d2932c41243e" + }, + { + "url": "https://git.kernel.org/stable/c/bdda5072494f2a7215d94fc4124ad1949a218714" + }, + { + "url": "https://git.kernel.org/stable/c/cb751e48bbcffd292090f7882b23b215111b3d72" + }, + { + "url": "https://git.kernel.org/stable/c/dbd75f32252508ed6c46c3288a282c301a57ceeb" + }, + { + "url": "https://git.kernel.org/stable/c/f95ed0f54b3d3faecae1140ddab854f904a6e7c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41095 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41095", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes\n\nIn nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41095\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41095\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41095\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41095\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41095\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d17604f2e44b3df21e218fe8fb3b836d41bac49\",\n \"https://git.kernel.org/stable/c/259549b2ccf795b7f91f7b5aba47286addcfa389\",\n \"https://git.kernel.org/stable/c/66edf3fb331b6c55439b10f9862987b0916b3726\",\n \"https://git.kernel.org/stable/c/9289cd3450d1da3e271ef4b054d4d2932c41243e\",\n \"https://git.kernel.org/stable/c/bdda5072494f2a7215d94fc4124ad1949a218714\",\n \"https://git.kernel.org/stable/c/cb751e48bbcffd292090f7882b23b215111b3d72\",\n \"https://git.kernel.org/stable/c/dbd75f32252508ed6c46c3288a282c301a57ceeb\",\n \"https://git.kernel.org/stable/c/f95ed0f54b3d3faecae1140ddab854f904a6e7c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes\\n\\nIn nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is\\nassigned to mode, which will lead to a possible NULL pointer dereference\\non failure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41095\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41097", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41097" + }, + { + "url": "https://git.kernel.org/stable/c/1aac4be1aaa5177506219f01dce5e29194e5e95a" + }, + { + "url": "https://git.kernel.org/stable/c/23926d316d2836315cb113569f91393266eb5b47" + }, + { + "url": "https://git.kernel.org/stable/c/2eabb655a968b862bc0c31629a09f0fbf3c80d51" + }, + { + "url": "https://git.kernel.org/stable/c/5159a81924311c1ec786ad9fdef784ead8676a6a" + }, + { + "url": "https://git.kernel.org/stable/c/5584c776a1af7807ca815ee6265f2c1429fc5727" + }, + { + "url": "https://git.kernel.org/stable/c/75ddbf776dd04a09fb9e5267ead5d0c989f84506" + }, + { + "url": "https://git.kernel.org/stable/c/ac9007520e392541a29daebaae8b9109007bc781" + }, + { + "url": "https://git.kernel.org/stable/c/f536f09eb45e4de8d1b9accee9d992aa1846f1d4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41097 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41097", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: atm: cxacru: fix endpoint checking in cxacru_bind()\n\nSyzbot is still reporting quite an old issue [1] that occurs due to\nincomplete checking of present usb endpoints. As such, wrong\nendpoints types may be used at urb sumbitting stage which in turn\ntriggers a warning in usb_submit_urb().\n\nFix the issue by verifying that required endpoint types are present\nfor both in and out endpoints, taking into account cmd endpoint type.\n\nUnfortunately, this patch has not been tested on real hardware.\n\n[1] Syzbot report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\n...\nCall Trace:\n cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649\n cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760\n cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209\n usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055\n cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363\n usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:517 [inline]\n really_probe+0x23c/0xcd0 drivers/base/dd.c:595\n __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777\n __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894\n bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427\n __device_attach+0x228/0x4a0 drivers/base/dd.c:965\n bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487\n device_add+0xc2f/0x2180 drivers/base/core.c:3354\n usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41097\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41097\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41097\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41097\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41097\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1aac4be1aaa5177506219f01dce5e29194e5e95a\",\n \"https://git.kernel.org/stable/c/23926d316d2836315cb113569f91393266eb5b47\",\n \"https://git.kernel.org/stable/c/2eabb655a968b862bc0c31629a09f0fbf3c80d51\",\n \"https://git.kernel.org/stable/c/5159a81924311c1ec786ad9fdef784ead8676a6a\",\n \"https://git.kernel.org/stable/c/5584c776a1af7807ca815ee6265f2c1429fc5727\",\n \"https://git.kernel.org/stable/c/75ddbf776dd04a09fb9e5267ead5d0c989f84506\",\n \"https://git.kernel.org/stable/c/ac9007520e392541a29daebaae8b9109007bc781\",\n \"https://git.kernel.org/stable/c/f536f09eb45e4de8d1b9accee9d992aa1846f1d4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: atm: cxacru: fix endpoint checking in cxacru_bind()\\n\\nSyzbot is still reporting quite an old issue [1] that occurs due to\\nincomplete checking of present usb endpoints. As such, wrong\\nendpoints types may be used at urb sumbitting stage which in turn\\ntriggers a warning in usb_submit_urb().\\n\\nFix the issue by verifying that required endpoint types are present\\nfor both in and out endpoints, taking into account cmd endpoint type.\\n\\nUnfortunately, this patch has not been tested on real hardware.\\n\\n[1] Syzbot report:\\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\\nWARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\\nModules linked in:\\nCPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\\nWorkqueue: usb_hub_wq hub_event\\nRIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\\n...\\nCall Trace:\\n cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649\\n cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760\\n cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209\\n usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055\\n cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363\\n usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396\\n call_driver_probe drivers/base/dd.c:517 [inline]\\n really_probe+0x23c/0xcd0 drivers/base/dd.c:595\\n __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747\\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777\\n __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894\\n bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427\\n __device_attach+0x228/0x4a0 drivers/base/dd.c:965\\n bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487\\n device_add+0xc2f/0x2180 drivers/base/core.c:3354\\n usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170\\n usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238\\n usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41097\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41098", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41098" + }, + { + "url": "https://git.kernel.org/stable/c/119c97ace2a9ffcf4dc09a23bb057d6c281aff28" + }, + { + "url": "https://git.kernel.org/stable/c/5d92c7c566dc76d96e0e19e481d926bbe6631c1e" + }, + { + "url": "https://git.kernel.org/stable/c/8a8ff7e3b736a70d7b7c8764cbcd2724d4079ec8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41098 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41098", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Fix null pointer dereference on error\n\nIf the ata_port_alloc() call in ata_host_alloc() fails,\nata_host_release() will get called.\n\nHowever, the code in ata_host_release() tries to free ata_port struct\nmembers unconditionally, which can lead to the following:\n\nBUG: unable to handle page fault for address: 0000000000003990\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]\nCode: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41\nRSP: 0018:ffffc90000ebb968 EFLAGS: 00010246\nRAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0\nRBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68\nR10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004\nR13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006\nFS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0x15a/0x2f0\n ? exc_page_fault+0x7e/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? ata_host_release.cold+0x2f/0x6e [libata]\n ? ata_host_release.cold+0x2f/0x6e [libata]\n release_nodes+0x35/0xb0\n devres_release_group+0x113/0x140\n ata_host_alloc+0xed/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\n\nDo not access ata_port struct members unconditionally.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41098\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41098\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41098\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41098\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41098\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/119c97ace2a9ffcf4dc09a23bb057d6c281aff28\",\n \"https://git.kernel.org/stable/c/5d92c7c566dc76d96e0e19e481d926bbe6631c1e\",\n \"https://git.kernel.org/stable/c/8a8ff7e3b736a70d7b7c8764cbcd2724d4079ec8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nata: libata-core: Fix null pointer dereference on error\\n\\nIf the ata_port_alloc() call in ata_host_alloc() fails,\\nata_host_release() will get called.\\n\\nHowever, the code in ata_host_release() tries to free ata_port struct\\nmembers unconditionally, which can lead to the following:\\n\\nBUG: unable to handle page fault for address: 0000000000003990\\nPGD 0 P4D 0\\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\\nRIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]\\nCode: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41\\nRSP: 0018:ffffc90000ebb968 EFLAGS: 00010246\\nRAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000\\nRDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0\\nRBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68\\nR10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004\\nR13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006\\nFS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? __die_body.cold+0x19/0x27\\n ? page_fault_oops+0x15a/0x2f0\\n ? exc_page_fault+0x7e/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? ata_host_release.cold+0x2f/0x6e [libata]\\n ? ata_host_release.cold+0x2f/0x6e [libata]\\n release_nodes+0x35/0xb0\\n devres_release_group+0x113/0x140\\n ata_host_alloc+0xed/0x120 [libata]\\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\\n ahci_init_one+0x6c9/0xd20 [ahci]\\n\\nDo not access ata_port struct members unconditionally.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41098\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42063", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42063" + }, + { + "url": "https://git.kernel.org/stable/c/3189983c26108cf0990e5c46856dc9feb9470d12" + }, + { + "url": "https://git.kernel.org/stable/c/b30f3197a6cd080052d5d4973f9a6b479fd9fff5" + }, + { + "url": "https://git.kernel.org/stable/c/d812ae6e02bd6e6a9cd1fdb09519c2f33e875faf" + }, + { + "url": "https://git.kernel.org/stable/c/e8742081db7d01f980c6161ae1e8a1dbc1e30979" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42063 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42063", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode\n\nsyzbot reported uninit memory usages during map_{lookup,delete}_elem.\n\n==========\nBUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\nBUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\n__dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\ndev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\n____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]\nbpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38\n___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n__bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237\n==========\n\nThe reproducer should be in the interpreter mode.\n\nThe C reproducer is trying to run the following bpf prog:\n\n 0: (18) r0 = 0x0\n 2: (18) r1 = map[id:49]\n 4: (b7) r8 = 16777216\n 5: (7b) *(u64 *)(r10 -8) = r8\n 6: (bf) r2 = r10\n 7: (07) r2 += -229\n ^^^^^^^^^^\n\n 8: (b7) r3 = 8\n 9: (b7) r4 = 0\n 10: (85) call dev_map_lookup_elem#1543472\n 11: (95) exit\n\nIt is due to the \"void *key\" (r2) passed to the helper. bpf allows uninit\nstack memory access for bpf prog with the right privileges. This patch\nuses kmsan_unpoison_memory() to mark the stack as initialized.\n\nThis should address different syzbot reports on the uninit \"void *key\"\nargument during map_{lookup,delete}_elem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42063\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42063\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42063\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42063\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42063\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3189983c26108cf0990e5c46856dc9feb9470d12\",\n \"https://git.kernel.org/stable/c/b30f3197a6cd080052d5d4973f9a6b479fd9fff5\",\n \"https://git.kernel.org/stable/c/d812ae6e02bd6e6a9cd1fdb09519c2f33e875faf\",\n \"https://git.kernel.org/stable/c/e8742081db7d01f980c6161ae1e8a1dbc1e30979\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode\\n\\nsyzbot reported uninit memory usages during map_{lookup,delete}_elem.\\n\\n==========\\nBUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\\nBUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\\n__dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\\ndev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\\n____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]\\nbpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38\\n___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\\n__bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237\\n==========\\n\\nThe reproducer should be in the interpreter mode.\\n\\nThe C reproducer is trying to run the following bpf prog:\\n\\n 0: (18) r0 = 0x0\\n 2: (18) r1 = map[id:49]\\n 4: (b7) r8 = 16777216\\n 5: (7b) *(u64 *)(r10 -8) = r8\\n 6: (bf) r2 = r10\\n 7: (07) r2 += -229\\n ^^^^^^^^^^\\n\\n 8: (b7) r3 = 8\\n 9: (b7) r4 = 0\\n 10: (85) call dev_map_lookup_elem#1543472\\n 11: (95) exit\\n\\nIt is due to the \\\"void *key\\\" (r2) passed to the helper. bpf allows uninit\\nstack memory access for bpf prog with the right privileges. This patch\\nuses kmsan_unpoison_memory() to mark the stack as initialized.\\n\\nThis should address different syzbot reports on the uninit \\\"void *key\\\"\\nargument during map_{lookup,delete}_elem.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42063\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42064", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42064" + }, + { + "url": "https://git.kernel.org/stable/c/27df59c6071470efce7182ee92fbb16afba551e0" + }, + { + "url": "https://git.kernel.org/stable/c/af114efe8d24b5711cfbedf7180f2ac1a296c24b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42064 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42064", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip pipe if the pipe idx not set properly\n\n[why]\nDriver crashes when pipe idx not set properly\n\n[how]\nAdd code to skip the pipe that idx not set properly", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42064\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42064\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42064\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42064\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42064\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/27df59c6071470efce7182ee92fbb16afba551e0\",\n \"https://git.kernel.org/stable/c/af114efe8d24b5711cfbedf7180f2ac1a296c24b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Skip pipe if the pipe idx not set properly\\n\\n[why]\\nDriver crashes when pipe idx not set properly\\n\\n[how]\\nAdd code to skip the pipe that idx not set properly\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42064\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42065", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42065" + }, + { + "url": "https://git.kernel.org/stable/c/a6eff8f9c7e844cb24ccb188ca24abcd59734e74" + }, + { + "url": "https://git.kernel.org/stable/c/cc796a77985d6af75c9362cb2e73dce4ae3f97cd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42065 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42065", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add a NULL check in xe_ttm_stolen_mgr_init\n\nAdd an explicit check to ensure that the mgr is not NULL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42065\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42065\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42065\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42065\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42065\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/a6eff8f9c7e844cb24ccb188ca24abcd59734e74\",\n \"https://git.kernel.org/stable/c/cc796a77985d6af75c9362cb2e73dce4ae3f97cd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/xe: Add a NULL check in xe_ttm_stolen_mgr_init\\n\\nAdd an explicit check to ensure that the mgr is not NULL.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42065\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42066", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42066" + }, + { + "url": "https://git.kernel.org/stable/c/4f4fcafde343a54465f85a2909fc684918507a4b" + }, + { + "url": "https://git.kernel.org/stable/c/79d54ddf0e292b810887994bb04709c5ac0e1531" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42066 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42066", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix potential integer overflow in page size calculation\n\nExplicitly cast tbo->page_alignment to u64 before bit-shifting to\nprevent overflow when assigning to min_page_size.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42066\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42066\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42066\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42066\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42066\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4f4fcafde343a54465f85a2909fc684918507a4b\",\n \"https://git.kernel.org/stable/c/79d54ddf0e292b810887994bb04709c5ac0e1531\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/xe: Fix potential integer overflow in page size calculation\\n\\nExplicitly cast tbo->page_alignment to u64 before bit-shifting to\\nprevent overflow when assigning to min_page_size.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42066\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42067", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42067" + }, + { + "url": "https://git.kernel.org/stable/c/044da7ae7afd4ef60806d73654a2e6a79aa4ed7a" + }, + { + "url": "https://git.kernel.org/stable/c/08f6c05feb1db21653e98ca84ea04ca032d014c7" + }, + { + "url": "https://git.kernel.org/stable/c/9fef36cad60d4226f9d06953cd56d1d2f9119730" + }, + { + "url": "https://git.kernel.org/stable/c/e60adf513275c3a38e5cb67f7fd12387e43a3ff5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42067 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42067", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Take return from set_memory_rox() into account with bpf_jit_binary_lock_ro()\n\nset_memory_rox() can fail, leaving memory unprotected.\n\nCheck return and bail out when bpf_jit_binary_lock_ro() returns\nan error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42067\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42067\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42067\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42067\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42067\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/044da7ae7afd4ef60806d73654a2e6a79aa4ed7a\",\n \"https://git.kernel.org/stable/c/08f6c05feb1db21653e98ca84ea04ca032d014c7\",\n \"https://git.kernel.org/stable/c/9fef36cad60d4226f9d06953cd56d1d2f9119730\",\n \"https://git.kernel.org/stable/c/e60adf513275c3a38e5cb67f7fd12387e43a3ff5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Take return from set_memory_rox() into account with bpf_jit_binary_lock_ro()\\n\\nset_memory_rox() can fail, leaving memory unprotected.\\n\\nCheck return and bail out when bpf_jit_binary_lock_ro() returns\\nan error.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42067\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42068", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42068" + }, + { + "url": "https://git.kernel.org/stable/c/05412471beba313ecded95aa17b25fe84bb2551a" + }, + { + "url": "https://git.kernel.org/stable/c/7d2cc63eca0c993c99d18893214abf8f85d566d8" + }, + { + "url": "https://git.kernel.org/stable/c/a359696856ca9409fb97655c5a8ef0f549cb6e03" + }, + { + "url": "https://git.kernel.org/stable/c/e3540e5a7054d6daaf9a1415a48aacb092112a89" + }, + { + "url": "https://git.kernel.org/stable/c/e4f602e3ff749ba770bf8ff10196e18358de6720" + }, + { + "url": "https://git.kernel.org/stable/c/fdd411af8178edc6b7bf260f8fa4fba1bedd0a6d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42068 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42068", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()\n\nset_memory_ro() can fail, leaving memory unprotected.\n\nCheck its return and take it into account as an error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42068\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42068\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42068\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42068\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42068\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05412471beba313ecded95aa17b25fe84bb2551a\",\n \"https://git.kernel.org/stable/c/7d2cc63eca0c993c99d18893214abf8f85d566d8\",\n \"https://git.kernel.org/stable/c/a359696856ca9409fb97655c5a8ef0f549cb6e03\",\n \"https://git.kernel.org/stable/c/e3540e5a7054d6daaf9a1415a48aacb092112a89\",\n \"https://git.kernel.org/stable/c/e4f602e3ff749ba770bf8ff10196e18358de6720\",\n \"https://git.kernel.org/stable/c/fdd411af8178edc6b7bf260f8fa4fba1bedd0a6d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()\\n\\nset_memory_ro() can fail, leaving memory unprotected.\\n\\nCheck its return and take it into account as an error.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42068\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42070", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42070" + }, + { + "url": "https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4" + }, + { + "url": "https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f" + }, + { + "url": "https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa1c2980f" + }, + { + "url": "https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8" + }, + { + "url": "https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf" + }, + { + "url": "https://git.kernel.org/stable/c/7931d32955e09d0a11b1fe0b6aac1bfa061c005c" + }, + { + "url": "https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564" + }, + { + "url": "https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42070 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42070", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers\n\nregister store validation for NFT_DATA_VALUE is conditional, however,\nthe datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This\nonly requires a new helper function to infer the register type from the\nset datatype so this conditional check can be removed. Otherwise,\npointer to chain object can be leaked through the registers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42070\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42070\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42070\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42070\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42070\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4\",\n \"https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f\",\n \"https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa1c2980f\",\n \"https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8\",\n \"https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf\",\n \"https://git.kernel.org/stable/c/7931d32955e09d0a11b1fe0b6aac1bfa061c005c\",\n \"https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564\",\n \"https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers\\n\\nregister store validation for NFT_DATA_VALUE is conditional, however,\\nthe datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This\\nonly requires a new helper function to infer the register type from the\\nset datatype so this conditional check can be removed. Otherwise,\\npointer to chain object can be leaked through the registers.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42070\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42076", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42076" + }, + { + "url": "https://git.kernel.org/stable/c/4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f" + }, + { + "url": "https://git.kernel.org/stable/c/5e4ed38eb17eaca42de57d500cc0f9668d2b6abf" + }, + { + "url": "https://git.kernel.org/stable/c/a2a0ebff7fdeb2f66e29335adf64b9e457300dd4" + }, + { + "url": "https://git.kernel.org/stable/c/ab2a683938ba4416d389c2f5651cbbb2c41b779f" + }, + { + "url": "https://git.kernel.org/stable/c/b7cdf1dd5d2a2d8200efd98d1893684db48fe134" + }, + { + "url": "https://git.kernel.org/stable/c/ba7e5ae8208ac07d8e1eace0951a34c169a2d298" + }, + { + "url": "https://git.kernel.org/stable/c/f97cbce633923588307049c4aef9feb2987e371b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42076 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42076", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: Initialize unused data in j1939_send_one()\n\nsyzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()\ncreates full frame including unused data, but it doesn't initialize\nit. This causes the kernel-infoleak issue. Fix this by initializing\nunused data.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n memcpy_to_msg include/linux/skbuff.h:4113 [inline]\n raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n ____sys_recvmsg+0x18a/0x620 net/socket.c:2803\n ___sys_recvmsg+0x223/0x840 net/socket.c:2845\n do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034\n x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1313 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n sock_alloc_send_skb include/net/sock.h:1842 [inline]\n j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]\n j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]\n j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBytes 12-15 of 16 are uninitialized\nMemory access of size 16 starts at ffff888120969690\nData copied to user address 00000000200017c0\n\nCPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42076\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42076\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42076\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42076\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42076\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f\",\n \"https://git.kernel.org/stable/c/5e4ed38eb17eaca42de57d500cc0f9668d2b6abf\",\n \"https://git.kernel.org/stable/c/a2a0ebff7fdeb2f66e29335adf64b9e457300dd4\",\n \"https://git.kernel.org/stable/c/ab2a683938ba4416d389c2f5651cbbb2c41b779f\",\n \"https://git.kernel.org/stable/c/b7cdf1dd5d2a2d8200efd98d1893684db48fe134\",\n \"https://git.kernel.org/stable/c/ba7e5ae8208ac07d8e1eace0951a34c169a2d298\",\n \"https://git.kernel.org/stable/c/f97cbce633923588307049c4aef9feb2987e371b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: can: j1939: Initialize unused data in j1939_send_one()\\n\\nsyzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()\\ncreates full frame including unused data, but it doesn't initialize\\nit. This causes the kernel-infoleak issue. Fix this by initializing\\nunused data.\\n\\n[1]\\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\nBUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\\nBUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\\nBUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\\nBUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n copy_to_user_iter lib/iov_iter.c:24 [inline]\\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\\n copy_to_iter include/linux/uio.h:196 [inline]\\n memcpy_to_msg include/linux/skbuff.h:4113 [inline]\\n raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008\\n sock_recvmsg_nosec net/socket.c:1046 [inline]\\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\\n ____sys_recvmsg+0x18a/0x620 net/socket.c:2803\\n ___sys_recvmsg+0x223/0x840 net/socket.c:2845\\n do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939\\n __sys_recvmmsg net/socket.c:3018 [inline]\\n __do_sys_recvmmsg net/socket.c:3041 [inline]\\n __se_sys_recvmmsg net/socket.c:3034 [inline]\\n __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034\\n x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3804 [inline]\\n slab_alloc_node mm/slub.c:3845 [inline]\\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\\n alloc_skb include/linux/skbuff.h:1313 [inline]\\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\\n sock_alloc_send_skb include/net/sock.h:1842 [inline]\\n j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]\\n j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]\\n j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\\n __sys_sendmsg net/socket.c:2667 [inline]\\n __do_sys_sendmsg net/socket.c:2676 [inline]\\n __se_sys_sendmsg net/socket.c:2674 [inline]\\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\\n x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nBytes 12-15 of 16 are uninitialized\\nMemory access of size 16 starts at ffff888120969690\\nData copied to user address 00000000200017c0\\n\\nCPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42076\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42077", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42077" + }, + { + "url": "https://git.kernel.org/stable/c/320273b5649bbcee87f9e65343077189699d2a7a" + }, + { + "url": "https://git.kernel.org/stable/c/331d1079d58206ff7dc5518185f800b412f89bc6" + }, + { + "url": "https://git.kernel.org/stable/c/9ea2d1c6789722d58ec191f14f9a02518d55b6b4" + }, + { + "url": "https://git.kernel.org/stable/c/a68b896aa56e435506453ec8835bc991ec3ae687" + }, + { + "url": "https://git.kernel.org/stable/c/be346c1a6eeb49d8fda827d2a9522124c2f72f36" + }, + { + "url": "https://git.kernel.org/stable/c/c05ffb693bfb42a48ef3ee88a55b57392984e111" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42077 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42077", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix DIO failure due to insufficient transaction credits\n\nThe code in ocfs2_dio_end_io_write() estimates number of necessary\ntransaction credits using ocfs2_calc_extend_credits(). This however does\nnot take into account that the IO could be arbitrarily large and can\ncontain arbitrary number of extents.\n\nExtent tree manipulations do often extend the current transaction but not\nin all of the cases. For example if we have only single block extents in\nthe tree, ocfs2_mark_extent_written() will end up calling\nocfs2_replace_extent_rec() all the time and we will never extend the\ncurrent transaction and eventually exhaust all the transaction credits if\nthe IO contains many single block extents. Once that happens a\nWARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in\njbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to\nthis error. This was actually triggered by one of our customers on a\nheavily fragmented OCFS2 filesystem.\n\nTo fix the issue make sure the transaction always has enough credits for\none extent insert before each call of ocfs2_mark_extent_written().\n\nHeming Zhao said:\n\n------\nPANIC: \"Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error\"\n\nPID: xxx TASK: xxxx CPU: 5 COMMAND: \"SubmitThread-CA\"\n #0 machine_kexec at ffffffff8c069932\n #1 __crash_kexec at ffffffff8c1338fa\n #2 panic at ffffffff8c1d69b9\n #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]\n #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]\n #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]\n #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]\n #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]\n #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]\n #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]\n#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]\n#11 dio_complete at ffffffff8c2b9fa7\n#12 do_blockdev_direct_IO at ffffffff8c2bc09f\n#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]\n#14 generic_file_direct_write at ffffffff8c1dcf14\n#15 __generic_file_write_iter at ffffffff8c1dd07b\n#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]\n#17 aio_write at ffffffff8c2cc72e\n#18 kmem_cache_alloc at ffffffff8c248dde\n#19 do_io_submit at ffffffff8c2ccada\n#20 do_syscall_64 at ffffffff8c004984\n#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42077\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42077\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42077\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42077\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42077\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/320273b5649bbcee87f9e65343077189699d2a7a\",\n \"https://git.kernel.org/stable/c/331d1079d58206ff7dc5518185f800b412f89bc6\",\n \"https://git.kernel.org/stable/c/9ea2d1c6789722d58ec191f14f9a02518d55b6b4\",\n \"https://git.kernel.org/stable/c/a68b896aa56e435506453ec8835bc991ec3ae687\",\n \"https://git.kernel.org/stable/c/be346c1a6eeb49d8fda827d2a9522124c2f72f36\",\n \"https://git.kernel.org/stable/c/c05ffb693bfb42a48ef3ee88a55b57392984e111\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: fix DIO failure due to insufficient transaction credits\\n\\nThe code in ocfs2_dio_end_io_write() estimates number of necessary\\ntransaction credits using ocfs2_calc_extend_credits(). This however does\\nnot take into account that the IO could be arbitrarily large and can\\ncontain arbitrary number of extents.\\n\\nExtent tree manipulations do often extend the current transaction but not\\nin all of the cases. For example if we have only single block extents in\\nthe tree, ocfs2_mark_extent_written() will end up calling\\nocfs2_replace_extent_rec() all the time and we will never extend the\\ncurrent transaction and eventually exhaust all the transaction credits if\\nthe IO contains many single block extents. Once that happens a\\nWARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in\\njbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to\\nthis error. This was actually triggered by one of our customers on a\\nheavily fragmented OCFS2 filesystem.\\n\\nTo fix the issue make sure the transaction always has enough credits for\\none extent insert before each call of ocfs2_mark_extent_written().\\n\\nHeming Zhao said:\\n\\n------\\nPANIC: \\\"Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error\\\"\\n\\nPID: xxx TASK: xxxx CPU: 5 COMMAND: \\\"SubmitThread-CA\\\"\\n #0 machine_kexec at ffffffff8c069932\\n #1 __crash_kexec at ffffffff8c1338fa\\n #2 panic at ffffffff8c1d69b9\\n #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]\\n #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]\\n #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]\\n #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]\\n #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]\\n #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]\\n #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]\\n#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]\\n#11 dio_complete at ffffffff8c2b9fa7\\n#12 do_blockdev_direct_IO at ffffffff8c2bc09f\\n#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]\\n#14 generic_file_direct_write at ffffffff8c1dcf14\\n#15 __generic_file_write_iter at ffffffff8c1dd07b\\n#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]\\n#17 aio_write at ffffffff8c2cc72e\\n#18 kmem_cache_alloc at ffffffff8c248dde\\n#19 do_io_submit at ffffffff8c2ccada\\n#20 do_syscall_64 at ffffffff8c004984\\n#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42077\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42079", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42079" + }, + { + "url": "https://git.kernel.org/stable/c/3429ef5f50909cee9e498c50f0c499b9397116ce" + }, + { + "url": "https://git.kernel.org/stable/c/35264909e9d1973ab9aaa2a1b07cda70f12bb828" + }, + { + "url": "https://git.kernel.org/stable/c/f54f9d5368a4e92ede7dd078a62788dae3a7c6ef" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42079 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42079", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix NULL pointer dereference in gfs2_log_flush\n\nIn gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush\nlock to provide exclusion against gfs2_log_flush().\n\nIn gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before\ndereferencing it. Otherwise, we could run into a NULL pointer\ndereference when outstanding glock work races with an unmount\n(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->\ngfs2_log_flush).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42079\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42079\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42079\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42079\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42079\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3429ef5f50909cee9e498c50f0c499b9397116ce\",\n \"https://git.kernel.org/stable/c/35264909e9d1973ab9aaa2a1b07cda70f12bb828\",\n \"https://git.kernel.org/stable/c/f54f9d5368a4e92ede7dd078a62788dae3a7c6ef\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngfs2: Fix NULL pointer dereference in gfs2_log_flush\\n\\nIn gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush\\nlock to provide exclusion against gfs2_log_flush().\\n\\nIn gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before\\ndereferencing it. Otherwise, we could run into a NULL pointer\\ndereference when outstanding glock work races with an unmount\\n(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->\\ngfs2_log_flush).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42079\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42080", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42080" + }, + { + "url": "https://git.kernel.org/stable/c/782bdaf9d01658281bc813f3f873e6258aa1fd8d" + }, + { + "url": "https://git.kernel.org/stable/c/8656ef8a9288d6c932654f8d3856dc4ab1cfc6b5" + }, + { + "url": "https://git.kernel.org/stable/c/8ac281d42337f36cf7061cf1ea094181b84bc1a9" + }, + { + "url": "https://git.kernel.org/stable/c/ca537a34775c103f7b14d7bbd976403f1d1525d8" + }, + { + "url": "https://git.kernel.org/stable/c/f45b43d17240e9ca67ebf3cc82bb046b07cc1c61" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42080 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42080", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/restrack: Fix potential invalid address access\n\nstruct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME\nin ib_create_cq(), while if the module exited but forgot del this\nrdma_restrack_entry, it would cause a invalid address access in\nrdma_restrack_clean() when print the owner of this rdma_restrack_entry.\n\nThese code is used to help find one forgotten PD release in one of the\nULPs. But it is not needed anymore, so delete them.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42080\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42080\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42080\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42080\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42080\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/782bdaf9d01658281bc813f3f873e6258aa1fd8d\",\n \"https://git.kernel.org/stable/c/8656ef8a9288d6c932654f8d3856dc4ab1cfc6b5\",\n \"https://git.kernel.org/stable/c/8ac281d42337f36cf7061cf1ea094181b84bc1a9\",\n \"https://git.kernel.org/stable/c/ca537a34775c103f7b14d7bbd976403f1d1525d8\",\n \"https://git.kernel.org/stable/c/f45b43d17240e9ca67ebf3cc82bb046b07cc1c61\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/restrack: Fix potential invalid address access\\n\\nstruct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME\\nin ib_create_cq(), while if the module exited but forgot del this\\nrdma_restrack_entry, it would cause a invalid address access in\\nrdma_restrack_clean() when print the owner of this rdma_restrack_entry.\\n\\nThese code is used to help find one forgotten PD release in one of the\\nULPs. But it is not needed anymore, so delete them.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42080\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42082", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42082" + }, + { + "url": "https://git.kernel.org/stable/c/1095b8efbb13a6a5fa583ed373ee1ccab29da2d0" + }, + { + "url": "https://git.kernel.org/stable/c/14e51ea78b4ccacb7acb1346b9241bb790a2054c" + }, + { + "url": "https://git.kernel.org/stable/c/1d3e3b3aa2cbe9bc7db9a7f8673a9fa6d2990d54" + }, + { + "url": "https://git.kernel.org/stable/c/4e0c539ee265d5c6e7fa7d229cd4aa7bc01816e2" + }, + { + "url": "https://git.kernel.org/stable/c/7e9f79428372c6eab92271390851be34ab26bfb4" + }, + { + "url": "https://git.kernel.org/stable/c/f92298b0467fd77edc4c1a2c3e48833e69840ec4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42082 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42082", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: Remove WARN() from __xdp_reg_mem_model()\n\nsyzkaller reports a warning in __xdp_reg_mem_model().\n\nThe warning occurs only if __mem_id_init_hash_table() returns an error. It\nreturns the error in two cases:\n\n 1. memory allocation fails;\n 2. rhashtable_init() fails when some fields of rhashtable_params\n struct are not initialized properly.\n\nThe second case cannot happen since there is a static const rhashtable_params\nstruct with valid fields. So, warning is only triggered when there is a\nproblem with memory allocation.\n\nThus, there is no sense in using WARN() to handle this error and it can be\nsafely removed.\n\nWARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\n\nCPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\n\nCall Trace:\n xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344\n xdp_test_run_setup net/bpf/test_run.c:188 [inline]\n bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377\n bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267\n bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240\n __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649\n __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nFound by Linux Verification Center (linuxtesting.org) with syzkaller.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42082\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42082\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42082\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42082\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42082\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1095b8efbb13a6a5fa583ed373ee1ccab29da2d0\",\n \"https://git.kernel.org/stable/c/14e51ea78b4ccacb7acb1346b9241bb790a2054c\",\n \"https://git.kernel.org/stable/c/1d3e3b3aa2cbe9bc7db9a7f8673a9fa6d2990d54\",\n \"https://git.kernel.org/stable/c/4e0c539ee265d5c6e7fa7d229cd4aa7bc01816e2\",\n \"https://git.kernel.org/stable/c/7e9f79428372c6eab92271390851be34ab26bfb4\",\n \"https://git.kernel.org/stable/c/f92298b0467fd77edc4c1a2c3e48833e69840ec4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxdp: Remove WARN() from __xdp_reg_mem_model()\\n\\nsyzkaller reports a warning in __xdp_reg_mem_model().\\n\\nThe warning occurs only if __mem_id_init_hash_table() returns an error. It\\nreturns the error in two cases:\\n\\n 1. memory allocation fails;\\n 2. rhashtable_init() fails when some fields of rhashtable_params\\n struct are not initialized properly.\\n\\nThe second case cannot happen since there is a static const rhashtable_params\\nstruct with valid fields. So, warning is only triggered when there is a\\nproblem with memory allocation.\\n\\nThus, there is no sense in using WARN() to handle this error and it can be\\nsafely removed.\\n\\nWARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\\n\\nCPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nRIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\\n\\nCall Trace:\\n xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344\\n xdp_test_run_setup net/bpf/test_run.c:188 [inline]\\n bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377\\n bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267\\n bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240\\n __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649\\n __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]\\n __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]\\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736\\n do_syscall_64+0xfb/0x240\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nFound by Linux Verification Center (linuxtesting.org) with syzkaller.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42082\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42084", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42084" + }, + { + "url": "https://git.kernel.org/stable/c/4b8e88e563b5f666446d002ad0dc1e6e8e7102b0" + }, + { + "url": "https://git.kernel.org/stable/c/5ae6af68410bdad6181ec82104bb9985a7a6a0fa" + }, + { + "url": "https://git.kernel.org/stable/c/836359247b0403e0634bfbc83e5bb8063fad287a" + }, + { + "url": "https://git.kernel.org/stable/c/84bf6b64a1a0dfc6de7e1b1c776d58d608e7865a" + }, + { + "url": "https://git.kernel.org/stable/c/930a4c369f74da26816eaaa71b5888d29b759c27" + }, + { + "url": "https://git.kernel.org/stable/c/c329760749b5419769e57cb2be80955d2805f9c9" + }, + { + "url": "https://git.kernel.org/stable/c/dbb226d81cd02cee140139c2369791e6f61f2007" + }, + { + "url": "https://git.kernel.org/stable/c/f531d4bc6c5588d713359e42ed65e46816d841d8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42084 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42084", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nftruncate: pass a signed offset\n\nThe old ftruncate() syscall, using the 32-bit off_t misses a sign\nextension when called in compat mode on 64-bit architectures. As a\nresult, passing a negative length accidentally succeeds in truncating\nto file size between 2GiB and 4GiB.\n\nChanging the type of the compat syscall to the signed compat_off_t\nchanges the behavior so it instead returns -EINVAL.\n\nThe native entry point, the truncate() syscall and the corresponding\nloff_t based variants are all correct already and do not suffer\nfrom this mistake.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42084\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42084\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42084\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42084\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42084\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b8e88e563b5f666446d002ad0dc1e6e8e7102b0\",\n \"https://git.kernel.org/stable/c/5ae6af68410bdad6181ec82104bb9985a7a6a0fa\",\n \"https://git.kernel.org/stable/c/836359247b0403e0634bfbc83e5bb8063fad287a\",\n \"https://git.kernel.org/stable/c/84bf6b64a1a0dfc6de7e1b1c776d58d608e7865a\",\n \"https://git.kernel.org/stable/c/930a4c369f74da26816eaaa71b5888d29b759c27\",\n \"https://git.kernel.org/stable/c/c329760749b5419769e57cb2be80955d2805f9c9\",\n \"https://git.kernel.org/stable/c/dbb226d81cd02cee140139c2369791e6f61f2007\",\n \"https://git.kernel.org/stable/c/f531d4bc6c5588d713359e42ed65e46816d841d8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nftruncate: pass a signed offset\\n\\nThe old ftruncate() syscall, using the 32-bit off_t misses a sign\\nextension when called in compat mode on 64-bit architectures. As a\\nresult, passing a negative length accidentally succeeds in truncating\\nto file size between 2GiB and 4GiB.\\n\\nChanging the type of the compat syscall to the signed compat_off_t\\nchanges the behavior so it instead returns -EINVAL.\\n\\nThe native entry point, the truncate() syscall and the corresponding\\nloff_t based variants are all correct already and do not suffer\\nfrom this mistake.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42084\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42085", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42085" + }, + { + "url": "https://git.kernel.org/stable/c/17e2956633ca560b95f1cbbb297cfc2adf650649" + }, + { + "url": "https://git.kernel.org/stable/c/7026576e89094aa9a0062aa6d10cba18aa99944c" + }, + { + "url": "https://git.kernel.org/stable/c/7838de15bb700c2898a7d741db9b1f3cbc86c136" + }, + { + "url": "https://git.kernel.org/stable/c/d77e2b5104c51d3668b9717c825a4a06998efe63" + }, + { + "url": "https://git.kernel.org/stable/c/f1274cfab183e69a7c7bafffcb4f50703c876276" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42085 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42085", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock\n\nWhen config CONFIG_USB_DWC3_DUAL_ROLE is selected, and trigger system\nto enter suspend status with below command:\necho mem > /sys/power/state\nThere will be a deadlock issue occurring. Detailed invoking path as\nbelow:\ndwc3_suspend_common()\n spin_lock_irqsave(&dwc->lock, flags); <-- 1st\n dwc3_gadget_suspend(dwc);\n dwc3_gadget_soft_disconnect(dwc);\n spin_lock_irqsave(&dwc->lock, flags); <-- 2nd\nThis issue is exposed by commit c7ebd8149ee5 (\"usb: dwc3: gadget: Fix\nNULL pointer dereference in dwc3_gadget_suspend\") that removes the code\nof checking whether dwc->gadget_driver is NULL or not. It causes the\nfollowing code is executed and deadlock occurs when trying to get the\nspinlock. In fact, the root cause is the commit 5265397f9442(\"usb: dwc3:\nRemove DWC3 locking during gadget suspend/resume\") that forgot to remove\nthe lock of otg mode. So, remove the redundant lock of otg mode during\ngadget suspend/resume.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42085\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42085\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42085\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42085\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42085\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17e2956633ca560b95f1cbbb297cfc2adf650649\",\n \"https://git.kernel.org/stable/c/7026576e89094aa9a0062aa6d10cba18aa99944c\",\n \"https://git.kernel.org/stable/c/7838de15bb700c2898a7d741db9b1f3cbc86c136\",\n \"https://git.kernel.org/stable/c/d77e2b5104c51d3668b9717c825a4a06998efe63\",\n \"https://git.kernel.org/stable/c/f1274cfab183e69a7c7bafffcb4f50703c876276\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock\\n\\nWhen config CONFIG_USB_DWC3_DUAL_ROLE is selected, and trigger system\\nto enter suspend status with below command:\\necho mem > /sys/power/state\\nThere will be a deadlock issue occurring. Detailed invoking path as\\nbelow:\\ndwc3_suspend_common()\\n spin_lock_irqsave(&dwc->lock, flags); <-- 1st\\n dwc3_gadget_suspend(dwc);\\n dwc3_gadget_soft_disconnect(dwc);\\n spin_lock_irqsave(&dwc->lock, flags); <-- 2nd\\nThis issue is exposed by commit c7ebd8149ee5 (\\\"usb: dwc3: gadget: Fix\\nNULL pointer dereference in dwc3_gadget_suspend\\\") that removes the code\\nof checking whether dwc->gadget_driver is NULL or not. It causes the\\nfollowing code is executed and deadlock occurs when trying to get the\\nspinlock. In fact, the root cause is the commit 5265397f9442(\\\"usb: dwc3:\\nRemove DWC3 locking during gadget suspend/resume\\\") that forgot to remove\\nthe lock of otg mode. So, remove the redundant lock of otg mode during\\ngadget suspend/resume.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42085\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42086", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42086" + }, + { + "url": "https://git.kernel.org/stable/c/3add41bbda92938e9a528d74659dfc552796be4e" + }, + { + "url": "https://git.kernel.org/stable/c/6fa31bbe2ea8665ee970258eb8320cbf231dbe9e" + }, + { + "url": "https://git.kernel.org/stable/c/7a13d1357658d3a3c1cd7b3b9543c805a6e5e6e9" + }, + { + "url": "https://git.kernel.org/stable/c/b0af334616ed425024bf220adda0f004806b5feb" + }, + { + "url": "https://git.kernel.org/stable/c/b5967393d50e3c6e632efda3ea3fdde14c1bfd0e" + }, + { + "url": "https://git.kernel.org/stable/c/ba1bb3e2a38a7fef1c1818dd4f2d9abbfdde553a" + }, + { + "url": "https://git.kernel.org/stable/c/c326551e99f5416986074ce78bef94f6a404b517" + }, + { + "url": "https://git.kernel.org/stable/c/fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42086 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42086", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: chemical: bme680: Fix overflows in compensate() functions\n\nThere are cases in the compensate functions of the driver that\nthere could be overflows of variables due to bit shifting ops.\nThese implications were initially discussed here [1] and they\nwere mentioned in log message of Commit 1b3bd8592780 (\"iio:\nchemical: Add support for Bosch BME680 sensor\").\n\n[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42086\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42086\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42086\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42086\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42086\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3add41bbda92938e9a528d74659dfc552796be4e\",\n \"https://git.kernel.org/stable/c/6fa31bbe2ea8665ee970258eb8320cbf231dbe9e\",\n \"https://git.kernel.org/stable/c/7a13d1357658d3a3c1cd7b3b9543c805a6e5e6e9\",\n \"https://git.kernel.org/stable/c/b0af334616ed425024bf220adda0f004806b5feb\",\n \"https://git.kernel.org/stable/c/b5967393d50e3c6e632efda3ea3fdde14c1bfd0e\",\n \"https://git.kernel.org/stable/c/ba1bb3e2a38a7fef1c1818dd4f2d9abbfdde553a\",\n \"https://git.kernel.org/stable/c/c326551e99f5416986074ce78bef94f6a404b517\",\n \"https://git.kernel.org/stable/c/fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niio: chemical: bme680: Fix overflows in compensate() functions\\n\\nThere are cases in the compensate functions of the driver that\\nthere could be overflows of variables due to bit shifting ops.\\nThese implications were initially discussed here [1] and they\\nwere mentioned in log message of Commit 1b3bd8592780 (\\\"iio:\\nchemical: Add support for Bosch BME680 sensor\\\").\\n\\n[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42086\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42087", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42087" + }, + { + "url": "https://git.kernel.org/stable/c/1618f7a875ffd916596392fd29880c0429b8af60" + }, + { + "url": "https://git.kernel.org/stable/c/489f38de3375ab84b3d269d0a1d64d6ee95d7044" + }, + { + "url": "https://git.kernel.org/stable/c/5f41401219fbe7663b3cf65ebd4ed95ebbb8ffb9" + }, + { + "url": "https://git.kernel.org/stable/c/98686ec1824728ff41d7b358131f7d0227c2ba2a" + }, + { + "url": "https://git.kernel.org/stable/c/b71348be1236398be2d04c5e145fd6eaae86a91b" + }, + { + "url": "https://git.kernel.org/stable/c/cae52f61fda0f5d2949dc177f984c9e187d4c6a0" + }, + { + "url": "https://git.kernel.org/stable/c/e646402bf82145349fcf5dcbe395afaf02a8ce47" + }, + { + "url": "https://git.kernel.org/stable/c/ee7860cd8b5763017f8dc785c2851fecb7a0c565" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42087 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42087", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep\n\nThe ilitek-ili9881c controls the reset GPIO using the non-sleeping\ngpiod_set_value() function. This complains loudly when the GPIO\ncontroller needs to sleep. As the caller can sleep, use\ngpiod_set_value_cansleep() to fix the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42087\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42087\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42087\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42087\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42087\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1618f7a875ffd916596392fd29880c0429b8af60\",\n \"https://git.kernel.org/stable/c/489f38de3375ab84b3d269d0a1d64d6ee95d7044\",\n \"https://git.kernel.org/stable/c/5f41401219fbe7663b3cf65ebd4ed95ebbb8ffb9\",\n \"https://git.kernel.org/stable/c/98686ec1824728ff41d7b358131f7d0227c2ba2a\",\n \"https://git.kernel.org/stable/c/b71348be1236398be2d04c5e145fd6eaae86a91b\",\n \"https://git.kernel.org/stable/c/cae52f61fda0f5d2949dc177f984c9e187d4c6a0\",\n \"https://git.kernel.org/stable/c/e646402bf82145349fcf5dcbe395afaf02a8ce47\",\n \"https://git.kernel.org/stable/c/ee7860cd8b5763017f8dc785c2851fecb7a0c565\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep\\n\\nThe ilitek-ili9881c controls the reset GPIO using the non-sleeping\\ngpiod_set_value() function. This complains loudly when the GPIO\\ncontroller needs to sleep. As the caller can sleep, use\\ngpiod_set_value_cansleep() to fix the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42087\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42089", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42089" + }, + { + "url": "https://git.kernel.org/stable/c/29bc9e7c75398b0d12fc30955f2e9b2dd29ffaed" + }, + { + "url": "https://git.kernel.org/stable/c/3662eb2170e59b58ad479982dc1084889ba757b9" + }, + { + "url": "https://git.kernel.org/stable/c/544ab46b7ece6d6bebbdee5d5659c0a0f804a99a" + }, + { + "url": "https://git.kernel.org/stable/c/7c18b4d89ff9c810b6e562408afda5ce165c4ea6" + }, + { + "url": "https://git.kernel.org/stable/c/8896e18b7c366f8faf9344abfd0971435f1c723a" + }, + { + "url": "https://git.kernel.org/stable/c/8faf91e58425c2f6ce773250dfd995f1c2d461ac" + }, + { + "url": "https://git.kernel.org/stable/c/90f3feb24172185f1832636264943e8b5e289245" + }, + { + "url": "https://git.kernel.org/stable/c/ae81535ce2503aabc4adab3472f4338070cdeb6a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42089 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42089", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: fsl-asoc-card: set priv->pdev before using it\n\npriv->pdev pointer was set after being used in\nfsl_asoc_card_audmux_init().\nMove this assignment at the start of the probe function, so\nsub-functions can correctly use pdev through priv.\n\nfsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the\ndev struct, used with dev_err macros.\nAs priv is zero-initialised, there would be a NULL pointer dereference.\nNote that if priv->dev is dereferenced before assignment but never used,\nfor example if there is no error to be printed, the driver won't crash\nprobably due to compiler optimisations.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42089\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42089\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42089\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42089\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42089\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29bc9e7c75398b0d12fc30955f2e9b2dd29ffaed\",\n \"https://git.kernel.org/stable/c/3662eb2170e59b58ad479982dc1084889ba757b9\",\n \"https://git.kernel.org/stable/c/544ab46b7ece6d6bebbdee5d5659c0a0f804a99a\",\n \"https://git.kernel.org/stable/c/7c18b4d89ff9c810b6e562408afda5ce165c4ea6\",\n \"https://git.kernel.org/stable/c/8896e18b7c366f8faf9344abfd0971435f1c723a\",\n \"https://git.kernel.org/stable/c/8faf91e58425c2f6ce773250dfd995f1c2d461ac\",\n \"https://git.kernel.org/stable/c/90f3feb24172185f1832636264943e8b5e289245\",\n \"https://git.kernel.org/stable/c/ae81535ce2503aabc4adab3472f4338070cdeb6a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nASoC: fsl-asoc-card: set priv->pdev before using it\\n\\npriv->pdev pointer was set after being used in\\nfsl_asoc_card_audmux_init().\\nMove this assignment at the start of the probe function, so\\nsub-functions can correctly use pdev through priv.\\n\\nfsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the\\ndev struct, used with dev_err macros.\\nAs priv is zero-initialised, there would be a NULL pointer dereference.\\nNote that if priv->dev is dereferenced before assignment but never used,\\nfor example if there is no error to be printed, the driver won't crash\\nprobably due to compiler optimisations.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42089\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42090", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42090" + }, + { + "url": "https://git.kernel.org/stable/c/01fe2f885f7813f8aed5d3704b384a97b1116a9e" + }, + { + "url": "https://git.kernel.org/stable/c/4038c57bf61631219b31f1bd6e92106ec7f084dc" + }, + { + "url": "https://git.kernel.org/stable/c/420ce1261907e5dbeda1e4daffd5b6c76f8188c0" + }, + { + "url": "https://git.kernel.org/stable/c/48a7a7c9571c3e62f17012dd7f2063e926179ddd" + }, + { + "url": "https://git.kernel.org/stable/c/adec57ff8e66aee632f3dd1f93787c13d112b7a1" + }, + { + "url": "https://git.kernel.org/stable/c/b36efd2e3e22a329444b6b24fa48df6d20ae66e6" + }, + { + "url": "https://git.kernel.org/stable/c/b813e3fd102a959c5b208ed68afe27e0137a561b" + }, + { + "url": "https://git.kernel.org/stable/c/e65a0dc2e85efb28e182aca50218e8a056d0ce04" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42090 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42090", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER\n\nIn create_pinctrl(), pinctrl_maps_mutex is acquired before calling\nadd_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()\ncalls pinctrl_free(). However, pinctrl_free() attempts to acquire\npinctrl_maps_mutex, which is already held by create_pinctrl(), leading to\na potential deadlock.\n\nThis patch resolves the issue by releasing pinctrl_maps_mutex before\ncalling pinctrl_free(), preventing the deadlock.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42090\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42090\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42090\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42090\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42090\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01fe2f885f7813f8aed5d3704b384a97b1116a9e\",\n \"https://git.kernel.org/stable/c/4038c57bf61631219b31f1bd6e92106ec7f084dc\",\n \"https://git.kernel.org/stable/c/420ce1261907e5dbeda1e4daffd5b6c76f8188c0\",\n \"https://git.kernel.org/stable/c/48a7a7c9571c3e62f17012dd7f2063e926179ddd\",\n \"https://git.kernel.org/stable/c/adec57ff8e66aee632f3dd1f93787c13d112b7a1\",\n \"https://git.kernel.org/stable/c/b36efd2e3e22a329444b6b24fa48df6d20ae66e6\",\n \"https://git.kernel.org/stable/c/b813e3fd102a959c5b208ed68afe27e0137a561b\",\n \"https://git.kernel.org/stable/c/e65a0dc2e85efb28e182aca50218e8a056d0ce04\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER\\n\\nIn create_pinctrl(), pinctrl_maps_mutex is acquired before calling\\nadd_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()\\ncalls pinctrl_free(). However, pinctrl_free() attempts to acquire\\npinctrl_maps_mutex, which is already held by create_pinctrl(), leading to\\na potential deadlock.\\n\\nThis patch resolves the issue by releasing pinctrl_maps_mutex before\\ncalling pinctrl_free(), preventing the deadlock.\\n\\nThis bug was discovered and resolved using Coverity Static Analysis\\nSecurity Testing (SAST) by Synopsys, Inc.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42090\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42091", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42091" + }, + { + "url": "https://git.kernel.org/stable/c/583ce246c7ff9edeb0de49130cdc3d45db8545cb" + }, + { + "url": "https://git.kernel.org/stable/c/a918e771e6fbe1fa68932af5b0cdf473e23090cc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42091 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42091", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Check pat.ops before dumping PAT settings\n\nWe may leave pat.ops unset when running on brand new platform or\nwhen running as a VF. While the former is unlikely, the latter\nis valid (future) use case and will cause NPD when someone will\ntry to dump PAT settings by debugfs.\n\nIt's better to check pointer to pat.ops instead of specific .dump\nhook, as we have this hook always defined for every .ops variant.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42091\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42091\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42091\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42091\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42091\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/583ce246c7ff9edeb0de49130cdc3d45db8545cb\",\n \"https://git.kernel.org/stable/c/a918e771e6fbe1fa68932af5b0cdf473e23090cc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/xe: Check pat.ops before dumping PAT settings\\n\\nWe may leave pat.ops unset when running on brand new platform or\\nwhen running as a VF. While the former is unlikely, the latter\\nis valid (future) use case and will cause NPD when someone will\\ntry to dump PAT settings by debugfs.\\n\\nIt's better to check pointer to pat.ops instead of specific .dump\\nhook, as we have this hook always defined for every .ops variant.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42091\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42092", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42092" + }, + { + "url": "https://git.kernel.org/stable/c/2d83492259ad746b655f196cd5d1be4b3d0a3782" + }, + { + "url": "https://git.kernel.org/stable/c/70b48899f3f23f98a52c5b1060aefbdc7ba7957b" + }, + { + "url": "https://git.kernel.org/stable/c/7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164" + }, + { + "url": "https://git.kernel.org/stable/c/89d7008af4945808677662a630643b5ea89c6e8d" + }, + { + "url": "https://git.kernel.org/stable/c/a8d78984fdc105bc1a38b73e98d32b1bc4222684" + }, + { + "url": "https://git.kernel.org/stable/c/c542e51306d5f1eba3af84daa005826223382470" + }, + { + "url": "https://git.kernel.org/stable/c/cd75721984337c38a12aeca33ba301d31ca4b3fd" + }, + { + "url": "https://git.kernel.org/stable/c/e44a83bf15c4db053ac6dfe96a23af184c9136d9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42092 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42092", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: davinci: Validate the obtained number of IRQs\n\nValue of pdata->gpio_unbanked is taken from Device Tree. In case of broken\nDT due to any error this value can be any. Without this value validation\nthere can be out of chips->irqs array boundaries access in\ndavinci_gpio_probe().\n\nValidate the obtained nirq value so that it won't exceed the maximum\nnumber of IRQs per bank.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42092\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42092\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42092\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42092\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42092\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d83492259ad746b655f196cd5d1be4b3d0a3782\",\n \"https://git.kernel.org/stable/c/70b48899f3f23f98a52c5b1060aefbdc7ba7957b\",\n \"https://git.kernel.org/stable/c/7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164\",\n \"https://git.kernel.org/stable/c/89d7008af4945808677662a630643b5ea89c6e8d\",\n \"https://git.kernel.org/stable/c/a8d78984fdc105bc1a38b73e98d32b1bc4222684\",\n \"https://git.kernel.org/stable/c/c542e51306d5f1eba3af84daa005826223382470\",\n \"https://git.kernel.org/stable/c/cd75721984337c38a12aeca33ba301d31ca4b3fd\",\n \"https://git.kernel.org/stable/c/e44a83bf15c4db053ac6dfe96a23af184c9136d9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpio: davinci: Validate the obtained number of IRQs\\n\\nValue of pdata->gpio_unbanked is taken from Device Tree. In case of broken\\nDT due to any error this value can be any. Without this value validation\\nthere can be out of chips->irqs array boundaries access in\\ndavinci_gpio_probe().\\n\\nValidate the obtained nirq value so that it won't exceed the maximum\\nnumber of IRQs per bank.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42092\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42093", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42093" + }, + { + "url": "https://git.kernel.org/stable/c/48147337d7efdea6ad6e49f5b8eb894b95868ef0" + }, + { + "url": "https://git.kernel.org/stable/c/5e4f25091e6d06e99a23f724c839a58a8776a527" + }, + { + "url": "https://git.kernel.org/stable/c/69f49527aea12c23b78fb3d0a421950bf44fb4e2" + }, + { + "url": "https://git.kernel.org/stable/c/763896ab62a672d728f5eb10ac90d98c607a8509" + }, + { + "url": "https://git.kernel.org/stable/c/a55afc0f5f20ba30970aaf7271929dc00eee5e7d" + }, + { + "url": "https://git.kernel.org/stable/c/b2262b3be27cee334a2fa175ae3afb53f38fb0b1" + }, + { + "url": "https://git.kernel.org/stable/c/d33fe1714a44ff540629b149d8fab4ac6967585c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42093 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42093", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/dpaa2: Avoid explicit cpumask var allocation on stack\n\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\nvariable on stack is not recommended since it can cause potential stack\noverflow.\n\nInstead, kernel code should always use *cpumask_var API(s) to allocate\ncpumask var in config-neutral way, leaving allocation strategy to\nCONFIG_CPUMASK_OFFSTACK.\n\nUse *cpumask_var API(s) to address it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42093\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42093\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42093\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42093\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42093\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/48147337d7efdea6ad6e49f5b8eb894b95868ef0\",\n \"https://git.kernel.org/stable/c/5e4f25091e6d06e99a23f724c839a58a8776a527\",\n \"https://git.kernel.org/stable/c/69f49527aea12c23b78fb3d0a421950bf44fb4e2\",\n \"https://git.kernel.org/stable/c/763896ab62a672d728f5eb10ac90d98c607a8509\",\n \"https://git.kernel.org/stable/c/a55afc0f5f20ba30970aaf7271929dc00eee5e7d\",\n \"https://git.kernel.org/stable/c/b2262b3be27cee334a2fa175ae3afb53f38fb0b1\",\n \"https://git.kernel.org/stable/c/d33fe1714a44ff540629b149d8fab4ac6967585c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/dpaa2: Avoid explicit cpumask var allocation on stack\\n\\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\\nvariable on stack is not recommended since it can cause potential stack\\noverflow.\\n\\nInstead, kernel code should always use *cpumask_var API(s) to allocate\\ncpumask var in config-neutral way, leaving allocation strategy to\\nCONFIG_CPUMASK_OFFSTACK.\\n\\nUse *cpumask_var API(s) to address it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42093\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42094", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42094" + }, + { + "url": "https://git.kernel.org/stable/c/0af718a690acc089aa1bbb95a93df833d864ef53" + }, + { + "url": "https://git.kernel.org/stable/c/2b085521be5292016097b5e7ca81b26be3f7098d" + }, + { + "url": "https://git.kernel.org/stable/c/2d090c7f7be3b26fcb80ac04d08a4a8062b1d959" + }, + { + "url": "https://git.kernel.org/stable/c/724e7965af054079242b8d6f7e50ee226730a756" + }, + { + "url": "https://git.kernel.org/stable/c/842afb47d84536fc976fece8fb6c54bea711ad1a" + }, + { + "url": "https://git.kernel.org/stable/c/9dadab0db7d904413ea1cdaa13f127da05c31e71" + }, + { + "url": "https://git.kernel.org/stable/c/be4e1304419c99a164b4c0e101c7c2a756b635b9" + }, + { + "url": "https://git.kernel.org/stable/c/d85ca8179a54ff8cf1e1f8c3c9e3799831319bae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42094 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42094", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: Avoid explicit cpumask var allocation on stack\n\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\nvariable on stack is not recommended since it can cause potential stack\noverflow.\n\nInstead, kernel code should always use *cpumask_var API(s) to allocate\ncpumask var in config-neutral way, leaving allocation strategy to\nCONFIG_CPUMASK_OFFSTACK.\n\nUse *cpumask_var API(s) to address it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42094\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42094\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42094\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42094\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42094\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0af718a690acc089aa1bbb95a93df833d864ef53\",\n \"https://git.kernel.org/stable/c/2b085521be5292016097b5e7ca81b26be3f7098d\",\n \"https://git.kernel.org/stable/c/2d090c7f7be3b26fcb80ac04d08a4a8062b1d959\",\n \"https://git.kernel.org/stable/c/724e7965af054079242b8d6f7e50ee226730a756\",\n \"https://git.kernel.org/stable/c/842afb47d84536fc976fece8fb6c54bea711ad1a\",\n \"https://git.kernel.org/stable/c/9dadab0db7d904413ea1cdaa13f127da05c31e71\",\n \"https://git.kernel.org/stable/c/be4e1304419c99a164b4c0e101c7c2a756b635b9\",\n \"https://git.kernel.org/stable/c/d85ca8179a54ff8cf1e1f8c3c9e3799831319bae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/iucv: Avoid explicit cpumask var allocation on stack\\n\\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\\nvariable on stack is not recommended since it can cause potential stack\\noverflow.\\n\\nInstead, kernel code should always use *cpumask_var API(s) to allocate\\ncpumask var in config-neutral way, leaving allocation strategy to\\nCONFIG_CPUMASK_OFFSTACK.\\n\\nUse *cpumask_var API(s) to address it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42094\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42095", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42095" + }, + { + "url": "https://git.kernel.org/stable/c/6270051f656004ca5cde644c73cb1fa4d718792e" + }, + { + "url": "https://git.kernel.org/stable/c/87257a28271c828a98f762bf2dd803c1793d2b5b" + }, + { + "url": "https://git.kernel.org/stable/c/98840e410d53329f5331ecdce095e740791963d0" + }, + { + "url": "https://git.kernel.org/stable/c/9d141c1e615795eeb93cd35501ad144ee997a826" + }, + { + "url": "https://git.kernel.org/stable/c/cb879300669881970eabebe64bd509dbbe42b9de" + }, + { + "url": "https://git.kernel.org/stable/c/e67d7f38008e56fb691b6a72cadf16c107c2f48b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42095 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42095", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_omap: Implementation of Errata i2310\n\nAs per Errata i2310[0], Erroneous timeout can be triggered,\nif this Erroneous interrupt is not cleared then it may leads\nto storm of interrupts, therefore apply Errata i2310 solution.\n\n[0] https://www.ti.com/lit/pdf/sprz536 page 23", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42095\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42095\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42095\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42095\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42095\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6270051f656004ca5cde644c73cb1fa4d718792e\",\n \"https://git.kernel.org/stable/c/87257a28271c828a98f762bf2dd803c1793d2b5b\",\n \"https://git.kernel.org/stable/c/98840e410d53329f5331ecdce095e740791963d0\",\n \"https://git.kernel.org/stable/c/9d141c1e615795eeb93cd35501ad144ee997a826\",\n \"https://git.kernel.org/stable/c/cb879300669881970eabebe64bd509dbbe42b9de\",\n \"https://git.kernel.org/stable/c/e67d7f38008e56fb691b6a72cadf16c107c2f48b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: 8250_omap: Implementation of Errata i2310\\n\\nAs per Errata i2310[0], Erroneous timeout can be triggered,\\nif this Erroneous interrupt is not cleared then it may leads\\nto storm of interrupts, therefore apply Errata i2310 solution.\\n\\n[0] https://www.ti.com/lit/pdf/sprz536 page 23\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42095\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42096", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42096" + }, + { + "url": "https://git.kernel.org/stable/c/093d9603b60093a9aaae942db56107f6432a5dca" + }, + { + "url": "https://git.kernel.org/stable/c/161cef818545ecf980f0e2ebaf8ba7326ce53c2b" + }, + { + "url": "https://git.kernel.org/stable/c/16222beb9f8e5ceb0beeb5cbe54bef16df501a92" + }, + { + "url": "https://git.kernel.org/stable/c/27c3be840911b15a3f24ed623f86153c825b6b29" + }, + { + "url": "https://git.kernel.org/stable/c/2d07fea561d64357fb7b3f3751e653bf20306d77" + }, + { + "url": "https://git.kernel.org/stable/c/49c09ca35a5f521d7fa18caf62fdf378f15e8aa4" + }, + { + "url": "https://git.kernel.org/stable/c/65ebdde16e7f5da99dbf8a548fb635837d78384e" + }, + { + "url": "https://git.kernel.org/stable/c/a3b65c8cbc139bfce9541bc81c1bb766e5ba3f68" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42096 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42096", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: stop playing stack games in profile_pc()\n\nThe 'profile_pc()' function is used for timer-based profiling, which\nisn't really all that relevant any more to begin with, but it also ends\nup making assumptions based on the stack layout that aren't necessarily\nvalid.\n\nBasically, the code tries to account the time spent in spinlocks to the\ncaller rather than the spinlock, and while I support that as a concept,\nit's not worth the code complexity or the KASAN warnings when no serious\nprofiling is done using timers anyway these days.\n\nAnd the code really does depend on stack layout that is only true in the\nsimplest of cases. We've lost the comment at some point (I think when\nthe 32-bit and 64-bit code was unified), but it used to say:\n\n\tAssume the lock function has either no stack frame or a copy\n\tof eflags from PUSHF.\n\nwhich explains why it just blindly loads a word or two straight off the\nstack pointer and then takes a minimal look at the values to just check\nif they might be eflags or the return pc:\n\n\tEflags always has bits 22 and up cleared unlike kernel addresses\n\nbut that basic stack layout assumption assumes that there isn't any lock\ndebugging etc going on that would complicate the code and cause a stack\nframe.\n\nIt causes KASAN unhappiness reported for years by syzkaller [1] and\nothers [2].\n\nWith no real practical reason for this any more, just remove the code.\n\nJust for historical interest, here's some background commits relating to\nthis code from 2006:\n\n 0cb91a229364 (\"i386: Account spinlocks to the caller during profiling for !FP kernels\")\n 31679f38d886 (\"Simplify profile_pc on x86-64\")\n\nand a code unification from 2009:\n\n ef4512882dbe (\"x86: time_32/64.c unify profile_pc\")\n\nbut the basics of this thing actually goes back to before the git tree.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42096\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42096\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42096\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42096\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42096\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/093d9603b60093a9aaae942db56107f6432a5dca\",\n \"https://git.kernel.org/stable/c/161cef818545ecf980f0e2ebaf8ba7326ce53c2b\",\n \"https://git.kernel.org/stable/c/16222beb9f8e5ceb0beeb5cbe54bef16df501a92\",\n \"https://git.kernel.org/stable/c/27c3be840911b15a3f24ed623f86153c825b6b29\",\n \"https://git.kernel.org/stable/c/2d07fea561d64357fb7b3f3751e653bf20306d77\",\n \"https://git.kernel.org/stable/c/49c09ca35a5f521d7fa18caf62fdf378f15e8aa4\",\n \"https://git.kernel.org/stable/c/65ebdde16e7f5da99dbf8a548fb635837d78384e\",\n \"https://git.kernel.org/stable/c/a3b65c8cbc139bfce9541bc81c1bb766e5ba3f68\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86: stop playing stack games in profile_pc()\\n\\nThe 'profile_pc()' function is used for timer-based profiling, which\\nisn't really all that relevant any more to begin with, but it also ends\\nup making assumptions based on the stack layout that aren't necessarily\\nvalid.\\n\\nBasically, the code tries to account the time spent in spinlocks to the\\ncaller rather than the spinlock, and while I support that as a concept,\\nit's not worth the code complexity or the KASAN warnings when no serious\\nprofiling is done using timers anyway these days.\\n\\nAnd the code really does depend on stack layout that is only true in the\\nsimplest of cases. We've lost the comment at some point (I think when\\nthe 32-bit and 64-bit code was unified), but it used to say:\\n\\n\\tAssume the lock function has either no stack frame or a copy\\n\\tof eflags from PUSHF.\\n\\nwhich explains why it just blindly loads a word or two straight off the\\nstack pointer and then takes a minimal look at the values to just check\\nif they might be eflags or the return pc:\\n\\n\\tEflags always has bits 22 and up cleared unlike kernel addresses\\n\\nbut that basic stack layout assumption assumes that there isn't any lock\\ndebugging etc going on that would complicate the code and cause a stack\\nframe.\\n\\nIt causes KASAN unhappiness reported for years by syzkaller [1] and\\nothers [2].\\n\\nWith no real practical reason for this any more, just remove the code.\\n\\nJust for historical interest, here's some background commits relating to\\nthis code from 2006:\\n\\n 0cb91a229364 (\\\"i386: Account spinlocks to the caller during profiling for !FP kernels\\\")\\n 31679f38d886 (\\\"Simplify profile_pc on x86-64\\\")\\n\\nand a code unification from 2009:\\n\\n ef4512882dbe (\\\"x86: time_32/64.c unify profile_pc\\\")\\n\\nbut the basics of this thing actually goes back to before the git tree.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42096\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42097", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42097" + }, + { + "url": "https://git.kernel.org/stable/c/40d7def67841343c10f8642a41031fecbb248bab" + }, + { + "url": "https://git.kernel.org/stable/c/79d9a000f0220cdaba1682d2a23c0d0c61d620a3" + }, + { + "url": "https://git.kernel.org/stable/c/7a18293fd8d8519c2f7a03753bc1583b18e3db69" + }, + { + "url": "https://git.kernel.org/stable/c/87039b83fb7bfd7d0e0499aaa8e6c049906b4d14" + }, + { + "url": "https://git.kernel.org/stable/c/89b32ccb12ae67e630c6453d778ec30a592a212f" + }, + { + "url": "https://git.kernel.org/stable/c/d0ff2443fcbb472206d45a5d2a90cc694065804e" + }, + { + "url": "https://git.kernel.org/stable/c/d23982ea9aa438f35a8c8a6305943e98a8db90f6" + }, + { + "url": "https://git.kernel.org/stable/c/d8f5ce3cb9adf0c72e2ad6089aba02d7a32469c2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42097 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42097", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: emux: improve patch ioctl data validation\n\nIn load_data(), make the validation of and skipping over the main info\nblock match that in load_guspatch().\n\nIn load_guspatch(), add checking that the specified patch length matches\nthe actually supplied data, like load_data() already did.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42097\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42097\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42097\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42097\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42097\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/40d7def67841343c10f8642a41031fecbb248bab\",\n \"https://git.kernel.org/stable/c/79d9a000f0220cdaba1682d2a23c0d0c61d620a3\",\n \"https://git.kernel.org/stable/c/7a18293fd8d8519c2f7a03753bc1583b18e3db69\",\n \"https://git.kernel.org/stable/c/87039b83fb7bfd7d0e0499aaa8e6c049906b4d14\",\n \"https://git.kernel.org/stable/c/89b32ccb12ae67e630c6453d778ec30a592a212f\",\n \"https://git.kernel.org/stable/c/d0ff2443fcbb472206d45a5d2a90cc694065804e\",\n \"https://git.kernel.org/stable/c/d23982ea9aa438f35a8c8a6305943e98a8db90f6\",\n \"https://git.kernel.org/stable/c/d8f5ce3cb9adf0c72e2ad6089aba02d7a32469c2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: emux: improve patch ioctl data validation\\n\\nIn load_data(), make the validation of and skipping over the main info\\nblock match that in load_guspatch().\\n\\nIn load_guspatch(), add checking that the specified patch length matches\\nthe actually supplied data, like load_data() already did.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42097\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42098", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42098" + }, + { + "url": "https://git.kernel.org/stable/c/39173b04abda87872b43c331468a4a14f8f05ce8" + }, + { + "url": "https://git.kernel.org/stable/c/73e5984e540a76a2ee1868b91590c922da8c24c9" + }, + { + "url": "https://git.kernel.org/stable/c/80575b252ab0358b7e93895b2a510beb3cb3f975" + }, + { + "url": "https://git.kernel.org/stable/c/d96187eb8e59b572a8e6a68b6a9837a867ea29df" + }, + { + "url": "https://git.kernel.org/stable/c/fd7ef325911eba1b7191b83cb580463242f2090d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42098 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42098", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ecdh - explicitly zeroize private_key\n\nprivate_key is overwritten with the key parameter passed in by the\ncaller (if present), or alternatively a newly generated private key.\nHowever, it is possible that the caller provides a key (or the newly\ngenerated key) which is shorter than the previous key. In that\nscenario, some key material from the previous key would not be\noverwritten. The easiest solution is to explicitly zeroize the entire\nprivate_key array first.\n\nNote that this patch slightly changes the behavior of this function:\npreviously, if the ecc_gen_privkey failed, the old private_key would\nremain. Now, the private_key is always zeroized. This behavior is\nconsistent with the case where params.key is set and ecc_is_key_valid\nfails.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42098\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42098\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42098\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42098\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42098\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39173b04abda87872b43c331468a4a14f8f05ce8\",\n \"https://git.kernel.org/stable/c/73e5984e540a76a2ee1868b91590c922da8c24c9\",\n \"https://git.kernel.org/stable/c/80575b252ab0358b7e93895b2a510beb3cb3f975\",\n \"https://git.kernel.org/stable/c/d96187eb8e59b572a8e6a68b6a9837a867ea29df\",\n \"https://git.kernel.org/stable/c/fd7ef325911eba1b7191b83cb580463242f2090d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: ecdh - explicitly zeroize private_key\\n\\nprivate_key is overwritten with the key parameter passed in by the\\ncaller (if present), or alternatively a newly generated private key.\\nHowever, it is possible that the caller provides a key (or the newly\\ngenerated key) which is shorter than the previous key. In that\\nscenario, some key material from the previous key would not be\\noverwritten. The easiest solution is to explicitly zeroize the entire\\nprivate_key array first.\\n\\nNote that this patch slightly changes the behavior of this function:\\npreviously, if the ecc_gen_privkey failed, the old private_key would\\nremain. Now, the private_key is always zeroized. This behavior is\\nconsistent with the case where params.key is set and ecc_is_key_valid\\nfails.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42098\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42101", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42101" + }, + { + "url": "https://git.kernel.org/stable/c/1f32535238493008587a8c5cb17eb2ca097592ef" + }, + { + "url": "https://git.kernel.org/stable/c/274cba8d2d1b48c72d8bd90e76c9e2dc1aa0a81d" + }, + { + "url": "https://git.kernel.org/stable/c/744b229f09134ccd091427a6f9ea6d97302cfdd9" + }, + { + "url": "https://git.kernel.org/stable/c/7db5411c5d0bd9c29b8c2ad93c36b5c16ea46c9e" + }, + { + "url": "https://git.kernel.org/stable/c/80bec6825b19d95ccdfd3393cf8ec15ff2a749b4" + }, + { + "url": "https://git.kernel.org/stable/c/9baf60323efa992b7c915094529f0a1882c34e7e" + }, + { + "url": "https://git.kernel.org/stable/c/e36364f5f3785d054a94e57e971385284886d41a" + }, + { + "url": "https://git.kernel.org/stable/c/f48dd3f19614022f2e1b794fbd169d2b4c398c07" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42101 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42101", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix null pointer dereference in nouveau_connector_get_modes\n\nIn nouveau_connector_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a possible NULL pointer\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42101\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42101\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42101\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42101\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42101\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1f32535238493008587a8c5cb17eb2ca097592ef\",\n \"https://git.kernel.org/stable/c/274cba8d2d1b48c72d8bd90e76c9e2dc1aa0a81d\",\n \"https://git.kernel.org/stable/c/744b229f09134ccd091427a6f9ea6d97302cfdd9\",\n \"https://git.kernel.org/stable/c/7db5411c5d0bd9c29b8c2ad93c36b5c16ea46c9e\",\n \"https://git.kernel.org/stable/c/80bec6825b19d95ccdfd3393cf8ec15ff2a749b4\",\n \"https://git.kernel.org/stable/c/9baf60323efa992b7c915094529f0a1882c34e7e\",\n \"https://git.kernel.org/stable/c/e36364f5f3785d054a94e57e971385284886d41a\",\n \"https://git.kernel.org/stable/c/f48dd3f19614022f2e1b794fbd169d2b4c398c07\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/nouveau: fix null pointer dereference in nouveau_connector_get_modes\\n\\nIn nouveau_connector_get_modes(), the return value of drm_mode_duplicate()\\nis assigned to mode, which will lead to a possible NULL pointer\\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42101\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42102", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42102" + }, + { + "url": "https://git.kernel.org/stable/c/000099d71648504fb9c7a4616f92c2b70c3e44ec" + }, + { + "url": "https://git.kernel.org/stable/c/145faa3d03688cbb7bbaaecbd84c01539852942c" + }, + { + "url": "https://git.kernel.org/stable/c/23a28f5f3f6ca1e4184bd0e9631cd0944cf1c807" + }, + { + "url": "https://git.kernel.org/stable/c/253f9ea7e8e53a5176bd80ceb174907b10724c1a" + }, + { + "url": "https://git.kernel.org/stable/c/2820005edae13b140f2d54267d1bd6bb23915f59" + }, + { + "url": "https://git.kernel.org/stable/c/30139c702048f1097342a31302cbd3d478f50c63" + }, + { + "url": "https://git.kernel.org/stable/c/cbbe17a324437c0ff99881a3ee453da45b228a00" + }, + { + "url": "https://git.kernel.org/stable/c/f6620df12cb6bdcad671d269debbb23573502f9d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42102 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42102", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\"\n\nPatch series \"mm: Avoid possible overflows in dirty throttling\".\n\nDirty throttling logic assumes dirty limits in page units fit into\n32-bits. This patch series makes sure this is true (see patch 2/2 for\nmore details).\n\n\nThis patch (of 2):\n\nThis reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.\n\nThe commit is broken in several ways. Firstly, the removed (u64) cast\nfrom the multiplication will introduce a multiplication overflow on 32-bit\narchs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the\ndefault settings with 4GB of RAM will trigger this). Secondly, the\ndiv64_u64() is unnecessarily expensive on 32-bit archs. We have\ndiv64_ul() in case we want to be safe & cheap. Thirdly, if dirty\nthresholds are larger than 1<<32 pages, then dirty balancing is going to\nblow up in many other spectacular ways anyway so trying to fix one\npossible overflow is just moot.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42102\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42102\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42102\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42102\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42102\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/000099d71648504fb9c7a4616f92c2b70c3e44ec\",\n \"https://git.kernel.org/stable/c/145faa3d03688cbb7bbaaecbd84c01539852942c\",\n \"https://git.kernel.org/stable/c/23a28f5f3f6ca1e4184bd0e9631cd0944cf1c807\",\n \"https://git.kernel.org/stable/c/253f9ea7e8e53a5176bd80ceb174907b10724c1a\",\n \"https://git.kernel.org/stable/c/2820005edae13b140f2d54267d1bd6bb23915f59\",\n \"https://git.kernel.org/stable/c/30139c702048f1097342a31302cbd3d478f50c63\",\n \"https://git.kernel.org/stable/c/cbbe17a324437c0ff99881a3ee453da45b228a00\",\n \"https://git.kernel.org/stable/c/f6620df12cb6bdcad671d269debbb23573502f9d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRevert \\\"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\\\"\\n\\nPatch series \\\"mm: Avoid possible overflows in dirty throttling\\\".\\n\\nDirty throttling logic assumes dirty limits in page units fit into\\n32-bits. This patch series makes sure this is true (see patch 2/2 for\\nmore details).\\n\\n\\nThis patch (of 2):\\n\\nThis reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.\\n\\nThe commit is broken in several ways. Firstly, the removed (u64) cast\\nfrom the multiplication will introduce a multiplication overflow on 32-bit\\narchs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the\\ndefault settings with 4GB of RAM will trigger this). Secondly, the\\ndiv64_u64() is unnecessarily expensive on 32-bit archs. We have\\ndiv64_ul() in case we want to be safe & cheap. Thirdly, if dirty\\nthresholds are larger than 1<<32 pages, then dirty balancing is going to\\nblow up in many other spectacular ways anyway so trying to fix one\\npossible overflow is just moot.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42102\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42104", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42104" + }, + { + "url": "https://git.kernel.org/stable/c/07c176e7acc5579c133bb923ab21316d192d0a95" + }, + { + "url": "https://git.kernel.org/stable/c/1b7d549ed2c1fa202c751b69423a0d3a6bd5a180" + }, + { + "url": "https://git.kernel.org/stable/c/265fff1a01cdc083aeaf0d934c929db5cc64aebf" + }, + { + "url": "https://git.kernel.org/stable/c/2f2fa9cf7c3537958a82fbe8c8595a5eb0861ad7" + }, + { + "url": "https://git.kernel.org/stable/c/3ab40870edb883b9633dc5cd55f5a2a11afa618d" + }, + { + "url": "https://git.kernel.org/stable/c/b11e8fb93ea5eefb2e4e719497ea177a58ff6131" + }, + { + "url": "https://git.kernel.org/stable/c/bb76c6c274683c8570ad788f79d4b875bde0e458" + }, + { + "url": "https://git.kernel.org/stable/c/c33c2b0d92aa1c2262d999b2598ad6fbd53bd479" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42104 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42104", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: add missing check for inode numbers on directory entries\n\nSyzbot reported that mounting and unmounting a specific pattern of\ncorrupted nilfs2 filesystem images causes a use-after-free of metadata\nfile inodes, which triggers a kernel bug in lru_add_fn().\n\nAs Jan Kara pointed out, this is because the link count of a metadata file\ngets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),\ntries to delete that inode (ifile inode in this case).\n\nThe inconsistency occurs because directories containing the inode numbers\nof these metadata files that should not be visible in the namespace are\nread without checking.\n\nFix this issue by treating the inode numbers of these internal files as\nerrors in the sanity check helper when reading directory folios/pages.\n\nAlso thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer\nanalysis.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42104\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42104\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42104\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42104\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42104\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07c176e7acc5579c133bb923ab21316d192d0a95\",\n \"https://git.kernel.org/stable/c/1b7d549ed2c1fa202c751b69423a0d3a6bd5a180\",\n \"https://git.kernel.org/stable/c/265fff1a01cdc083aeaf0d934c929db5cc64aebf\",\n \"https://git.kernel.org/stable/c/2f2fa9cf7c3537958a82fbe8c8595a5eb0861ad7\",\n \"https://git.kernel.org/stable/c/3ab40870edb883b9633dc5cd55f5a2a11afa618d\",\n \"https://git.kernel.org/stable/c/b11e8fb93ea5eefb2e4e719497ea177a58ff6131\",\n \"https://git.kernel.org/stable/c/bb76c6c274683c8570ad788f79d4b875bde0e458\",\n \"https://git.kernel.org/stable/c/c33c2b0d92aa1c2262d999b2598ad6fbd53bd479\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: add missing check for inode numbers on directory entries\\n\\nSyzbot reported that mounting and unmounting a specific pattern of\\ncorrupted nilfs2 filesystem images causes a use-after-free of metadata\\nfile inodes, which triggers a kernel bug in lru_add_fn().\\n\\nAs Jan Kara pointed out, this is because the link count of a metadata file\\ngets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),\\ntries to delete that inode (ifile inode in this case).\\n\\nThe inconsistency occurs because directories containing the inode numbers\\nof these metadata files that should not be visible in the namespace are\\nread without checking.\\n\\nFix this issue by treating the inode numbers of these internal files as\\nerrors in the sanity check helper when reading directory folios/pages.\\n\\nAlso thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer\\nanalysis.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42104\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42105", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42105" + }, + { + "url": "https://git.kernel.org/stable/c/08cab183a624ba71603f3754643ae11cab34dbc4" + }, + { + "url": "https://git.kernel.org/stable/c/1c91058425a01131ea30dda6cf43c67b17884d6a" + }, + { + "url": "https://git.kernel.org/stable/c/3be4dcc8d7bea52ea41f87aa4bbf959efe7a5987" + }, + { + "url": "https://git.kernel.org/stable/c/57235c3c88bb430043728d0d02f44a4efe386476" + }, + { + "url": "https://git.kernel.org/stable/c/731011ac6c37cbe97ece229fc6daa486276052c5" + }, + { + "url": "https://git.kernel.org/stable/c/9194f8ca57527958bee207919458e372d638d783" + }, + { + "url": "https://git.kernel.org/stable/c/e2fec219a36e0993642844be0f345513507031f4" + }, + { + "url": "https://git.kernel.org/stable/c/fae1959d6ab2c52677b113935e36ab4e25df37ea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42105 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42105", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix inode number range checks\n\nPatch series \"nilfs2: fix potential issues related to reserved inodes\".\n\nThis series fixes one use-after-free issue reported by syzbot, caused by\nnilfs2's internal inode being exposed in the namespace on a corrupted\nfilesystem, and a couple of flaws that cause problems if the starting\nnumber of non-reserved inodes written in the on-disk super block is\nintentionally (or corruptly) changed from its default value. \n\n\nThis patch (of 3):\n\nIn the current implementation of nilfs2, \"nilfs->ns_first_ino\", which\ngives the first non-reserved inode number, is read from the superblock,\nbut its lower limit is not checked.\n\nAs a result, if a number that overlaps with the inode number range of\nreserved inodes such as the root directory or metadata files is set in the\nsuper block parameter, the inode number test macros (NILFS_MDT_INODE and\nNILFS_VALID_INODE) will not function properly.\n\nIn addition, these test macros use left bit-shift calculations using with\nthe inode number as the shift count via the BIT macro, but the result of a\nshift calculation that exceeds the bit width of an integer is undefined in\nthe C specification, so if \"ns_first_ino\" is set to a large value other\nthan the default value NILFS_USER_INO (=11), the macros may potentially\nmalfunction depending on the environment.\n\nFix these issues by checking the lower bound of \"nilfs->ns_first_ino\" and\nby preventing bit shifts equal to or greater than the NILFS_USER_INO\nconstant in the inode number test macros.\n\nAlso, change the type of \"ns_first_ino\" from signed integer to unsigned\ninteger to avoid the need for type casting in comparisons such as the\nlower bound check introduced this time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42105\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42105\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42105\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42105\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42105\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08cab183a624ba71603f3754643ae11cab34dbc4\",\n \"https://git.kernel.org/stable/c/1c91058425a01131ea30dda6cf43c67b17884d6a\",\n \"https://git.kernel.org/stable/c/3be4dcc8d7bea52ea41f87aa4bbf959efe7a5987\",\n \"https://git.kernel.org/stable/c/57235c3c88bb430043728d0d02f44a4efe386476\",\n \"https://git.kernel.org/stable/c/731011ac6c37cbe97ece229fc6daa486276052c5\",\n \"https://git.kernel.org/stable/c/9194f8ca57527958bee207919458e372d638d783\",\n \"https://git.kernel.org/stable/c/e2fec219a36e0993642844be0f345513507031f4\",\n \"https://git.kernel.org/stable/c/fae1959d6ab2c52677b113935e36ab4e25df37ea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix inode number range checks\\n\\nPatch series \\\"nilfs2: fix potential issues related to reserved inodes\\\".\\n\\nThis series fixes one use-after-free issue reported by syzbot, caused by\\nnilfs2's internal inode being exposed in the namespace on a corrupted\\nfilesystem, and a couple of flaws that cause problems if the starting\\nnumber of non-reserved inodes written in the on-disk super block is\\nintentionally (or corruptly) changed from its default value. \\n\\n\\nThis patch (of 3):\\n\\nIn the current implementation of nilfs2, \\\"nilfs->ns_first_ino\\\", which\\ngives the first non-reserved inode number, is read from the superblock,\\nbut its lower limit is not checked.\\n\\nAs a result, if a number that overlaps with the inode number range of\\nreserved inodes such as the root directory or metadata files is set in the\\nsuper block parameter, the inode number test macros (NILFS_MDT_INODE and\\nNILFS_VALID_INODE) will not function properly.\\n\\nIn addition, these test macros use left bit-shift calculations using with\\nthe inode number as the shift count via the BIT macro, but the result of a\\nshift calculation that exceeds the bit width of an integer is undefined in\\nthe C specification, so if \\\"ns_first_ino\\\" is set to a large value other\\nthan the default value NILFS_USER_INO (=11), the macros may potentially\\nmalfunction depending on the environment.\\n\\nFix these issues by checking the lower bound of \\\"nilfs->ns_first_ino\\\" and\\nby preventing bit shifts equal to or greater than the NILFS_USER_INO\\nconstant in the inode number test macros.\\n\\nAlso, change the type of \\\"ns_first_ino\\\" from signed integer to unsigned\\ninteger to avoid the need for type casting in comparisons such as the\\nlower bound check introduced this time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42105\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42106", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42106" + }, + { + "url": "https://git.kernel.org/stable/c/0184bf0a349f4cf9e663abbe862ff280e8e4dfa2" + }, + { + "url": "https://git.kernel.org/stable/c/61cf1c739f08190a4cbf047b9fbb192a94d87e3f" + }, + { + "url": "https://git.kernel.org/stable/c/7094a5fd20ab66028f1da7f06e0f2692d70346f9" + }, + { + "url": "https://git.kernel.org/stable/c/76965648fe6858db7c5f3c700fef7aa5f124ca1c" + }, + { + "url": "https://git.kernel.org/stable/c/7ef519c8efde152e0d632337f2994f6921e0b7e4" + }, + { + "url": "https://git.kernel.org/stable/c/8366720519ea8d322a20780debdfd23d9fc0904a" + }, + { + "url": "https://git.kernel.org/stable/c/d6f487e0704de2f2d15f8dd5d7d723210f2b2fdb" + }, + { + "url": "https://git.kernel.org/stable/c/f9b2010e8af49fac9d9562146fb81744d8a9b051" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42106 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42106", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet_diag: Initialize pad field in struct inet_diag_req_v2\n\nKMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw\nsockets uses the pad field in struct inet_diag_req_v2 for the\nunderlying protocol. This field corresponds to the sdiag_raw_protocol\nfield in struct inet_diag_req_raw.\n\ninet_diag_get_exact_compat() converts inet_diag_req to\ninet_diag_req_v2, but leaves the pad field uninitialized. So the issue\noccurs when raw_lookup() accesses the sdiag_raw_protocol field.\n\nFix this by initializing the pad field in\ninet_diag_get_exact_compat(). Also, do the same fix in\ninet_diag_dump_compat() to avoid the similar issue in the future.\n\n[1]\nBUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]\nBUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_lookup net/ipv4/raw_diag.c:49 [inline]\n raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was stored to memory at:\n raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable req.i created at:\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]\n inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n\nCPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42106\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42106\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42106\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42106\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42106\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0184bf0a349f4cf9e663abbe862ff280e8e4dfa2\",\n \"https://git.kernel.org/stable/c/61cf1c739f08190a4cbf047b9fbb192a94d87e3f\",\n \"https://git.kernel.org/stable/c/7094a5fd20ab66028f1da7f06e0f2692d70346f9\",\n \"https://git.kernel.org/stable/c/76965648fe6858db7c5f3c700fef7aa5f124ca1c\",\n \"https://git.kernel.org/stable/c/7ef519c8efde152e0d632337f2994f6921e0b7e4\",\n \"https://git.kernel.org/stable/c/8366720519ea8d322a20780debdfd23d9fc0904a\",\n \"https://git.kernel.org/stable/c/d6f487e0704de2f2d15f8dd5d7d723210f2b2fdb\",\n \"https://git.kernel.org/stable/c/f9b2010e8af49fac9d9562146fb81744d8a9b051\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninet_diag: Initialize pad field in struct inet_diag_req_v2\\n\\nKMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw\\nsockets uses the pad field in struct inet_diag_req_v2 for the\\nunderlying protocol. This field corresponds to the sdiag_raw_protocol\\nfield in struct inet_diag_req_raw.\\n\\ninet_diag_get_exact_compat() converts inet_diag_req to\\ninet_diag_req_v2, but leaves the pad field uninitialized. So the issue\\noccurs when raw_lookup() accesses the sdiag_raw_protocol field.\\n\\nFix this by initializing the pad field in\\ninet_diag_get_exact_compat(). Also, do the same fix in\\ninet_diag_dump_compat() to avoid the similar issue in the future.\\n\\n[1]\\nBUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]\\nBUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\\n raw_lookup net/ipv4/raw_diag.c:49 [inline]\\n raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\\n inet_diag_cmd_exact+0x7d9/0x980\\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\\n __sys_sendmsg net/socket.c:2668 [inline]\\n __do_sys_sendmsg net/socket.c:2677 [inline]\\n __se_sys_sendmsg net/socket.c:2675 [inline]\\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nUninit was stored to memory at:\\n raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71\\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\\n inet_diag_cmd_exact+0x7d9/0x980\\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\\n __sys_sendmsg net/socket.c:2668 [inline]\\n __do_sys_sendmsg net/socket.c:2677 [inline]\\n __se_sys_sendmsg net/socket.c:2675 [inline]\\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nLocal variable req.i created at:\\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]\\n inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426\\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\\n\\nCPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42106\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42107", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42107" + }, + { + "url": "https://git.kernel.org/stable/c/1c4e524811918600683b1ea87a5e0fc2db64fa9b" + }, + { + "url": "https://git.kernel.org/stable/c/996422e3230e41468f652d754fefd1bdbcd4604e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42107 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42107", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't process extts if PTP is disabled\n\nThe ice_ptp_extts_event() function can race with ice_ptp_release() and\nresult in a NULL pointer dereference which leads to a kernel panic.\n\nPanic occurs because the ice_ptp_extts_event() function calls\nptp_clock_event() with a NULL pointer. The ice driver has already\nreleased the PTP clock by the time the interrupt for the next external\ntimestamp event occurs.\n\nTo fix this, modify the ice_ptp_extts_event() function to check the\nPTP state and bail early if PTP is not ready.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42107\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42107\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42107\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42107\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42107\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c4e524811918600683b1ea87a5e0fc2db64fa9b\",\n \"https://git.kernel.org/stable/c/996422e3230e41468f652d754fefd1bdbcd4604e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: Don't process extts if PTP is disabled\\n\\nThe ice_ptp_extts_event() function can race with ice_ptp_release() and\\nresult in a NULL pointer dereference which leads to a kernel panic.\\n\\nPanic occurs because the ice_ptp_extts_event() function calls\\nptp_clock_event() with a NULL pointer. The ice driver has already\\nreleased the PTP clock by the time the interrupt for the next external\\ntimestamp event occurs.\\n\\nTo fix this, modify the ice_ptp_extts_event() function to check the\\nPTP state and bail early if PTP is not ready.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42107\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42109", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42109" + }, + { + "url": "https://git.kernel.org/stable/c/09e650c3a3a7d804430260510534ccbf71c75b2e" + }, + { + "url": "https://git.kernel.org/stable/c/3325628cb36b7f216c5716e7b5124d9dc81199e4" + }, + { + "url": "https://git.kernel.org/stable/c/4c06c13317b9a08decedcd7aaf706691e336277c" + }, + { + "url": "https://git.kernel.org/stable/c/55a40406aac555defe9bdd0adec9508116ce7cb1" + }, + { + "url": "https://git.kernel.org/stable/c/9f6958ba2e902f9820c594869bd710ba74b7c4c0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42109 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42109", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally flush pending work before notifier\n\nsyzbot reports:\n\nKASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831\nKASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530\nKASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\nRead of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45\n[..]\nWorkqueue: events nf_tables_trans_destroy_work\nCall Trace:\n nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]\n nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]\n nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\n\nProblem is that the notifier does a conditional flush, but its possible\nthat the table-to-be-removed is still referenced by transactions being\nprocessed by the worker, so we need to flush unconditionally.\n\nWe could make the flush_work depend on whether we found a table to delete\nin nf-next to avoid the flush for most cases.\n\nAFAICS this problem is only exposed in nf-next, with\ncommit e169285f8c56 (\"netfilter: nf_tables: do not store nft_ctx in transaction objects\"),\nwith this commit applied there is an unconditional fetch of\ntable->family which is whats triggering the above splat.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42109\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42109\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42109\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42109\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42109\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09e650c3a3a7d804430260510534ccbf71c75b2e\",\n \"https://git.kernel.org/stable/c/3325628cb36b7f216c5716e7b5124d9dc81199e4\",\n \"https://git.kernel.org/stable/c/4c06c13317b9a08decedcd7aaf706691e336277c\",\n \"https://git.kernel.org/stable/c/55a40406aac555defe9bdd0adec9508116ce7cb1\",\n \"https://git.kernel.org/stable/c/9f6958ba2e902f9820c594869bd710ba74b7c4c0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: unconditionally flush pending work before notifier\\n\\nsyzbot reports:\\n\\nKASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831\\nKASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530\\nKASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\\nRead of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45\\n[..]\\nWorkqueue: events nf_tables_trans_destroy_work\\nCall Trace:\\n nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]\\n nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]\\n nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\\n\\nProblem is that the notifier does a conditional flush, but its possible\\nthat the table-to-be-removed is still referenced by transactions being\\nprocessed by the worker, so we need to flush unconditionally.\\n\\nWe could make the flush_work depend on whether we found a table to delete\\nin nf-next to avoid the flush for most cases.\\n\\nAFAICS this problem is only exposed in nf-next, with\\ncommit e169285f8c56 (\\\"netfilter: nf_tables: do not store nft_ctx in transaction objects\\\"),\\nwith this commit applied there is an unconditional fetch of\\ntable->family which is whats triggering the above splat.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42109\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42110", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42110" + }, + { + "url": "https://git.kernel.org/stable/c/4b3b6c7efee69f077b86ef7f088fb96768e46e1f" + }, + { + "url": "https://git.kernel.org/stable/c/858ae09f03677a4ab907a15516893bc2cc79d4c3" + }, + { + "url": "https://git.kernel.org/stable/c/e15a5d821e5192a3769d846079bc9aa380139baf" + }, + { + "url": "https://git.kernel.org/stable/c/e3af5b14e7632bf12058533d69055393e2d126c9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42110 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42110", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()\n\nThe following is emitted when using idxd (DSA) dmanegine as the data\nmover for ntb_transport that ntb_netdev uses.\n\n[74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526\n[74412.556784] caller is netif_rx_internal+0x42/0x130\n[74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5\n[74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024\n[74412.581699] Call Trace:\n[74412.584514] \n[74412.586933] dump_stack_lvl+0x55/0x70\n[74412.591129] check_preemption_disabled+0xc8/0xf0\n[74412.596374] netif_rx_internal+0x42/0x130\n[74412.600957] __netif_rx+0x20/0xd0\n[74412.604743] ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev]\n[74412.610985] ntb_complete_rxc+0xed/0x140 [ntb_transport]\n[74412.617010] ntb_rx_copy_callback+0x53/0x80 [ntb_transport]\n[74412.623332] idxd_dma_complete_txd+0xe3/0x160 [idxd]\n[74412.628963] idxd_wq_thread+0x1a6/0x2b0 [idxd]\n[74412.634046] irq_thread_fn+0x21/0x60\n[74412.638134] ? irq_thread+0xa8/0x290\n[74412.642218] irq_thread+0x1a0/0x290\n[74412.646212] ? __pfx_irq_thread_fn+0x10/0x10\n[74412.651071] ? __pfx_irq_thread_dtor+0x10/0x10\n[74412.656117] ? __pfx_irq_thread+0x10/0x10\n[74412.660686] kthread+0x100/0x130\n[74412.664384] ? __pfx_kthread+0x10/0x10\n[74412.668639] ret_from_fork+0x31/0x50\n[74412.672716] ? __pfx_kthread+0x10/0x10\n[74412.676978] ret_from_fork_asm+0x1a/0x30\n[74412.681457] \n\nThe cause is due to the idxd driver interrupt completion handler uses\nthreaded interrupt and the threaded handler is not hard or soft interrupt\ncontext. However __netif_rx() can only be called from interrupt context.\nChange the call to netif_rx() in order to allow completion via normal\ncontext for dmaengine drivers that utilize threaded irq handling.\n\nWhile the following commit changed from netif_rx() to __netif_rx(),\nbaebdf48c360 (\"net: dev: Makes sure netif_rx() can be invoked in any context.\"),\nthe change should've been a noop instead. However, the code precedes this\nfix should've been using netif_rx_ni() or netif_rx_any_context().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42110\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42110\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42110\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42110\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42110\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b3b6c7efee69f077b86ef7f088fb96768e46e1f\",\n \"https://git.kernel.org/stable/c/858ae09f03677a4ab907a15516893bc2cc79d4c3\",\n \"https://git.kernel.org/stable/c/e15a5d821e5192a3769d846079bc9aa380139baf\",\n \"https://git.kernel.org/stable/c/e3af5b14e7632bf12058533d69055393e2d126c9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()\\n\\nThe following is emitted when using idxd (DSA) dmanegine as the data\\nmover for ntb_transport that ntb_netdev uses.\\n\\n[74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526\\n[74412.556784] caller is netif_rx_internal+0x42/0x130\\n[74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5\\n[74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024\\n[74412.581699] Call Trace:\\n[74412.584514] \\n[74412.586933] dump_stack_lvl+0x55/0x70\\n[74412.591129] check_preemption_disabled+0xc8/0xf0\\n[74412.596374] netif_rx_internal+0x42/0x130\\n[74412.600957] __netif_rx+0x20/0xd0\\n[74412.604743] ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev]\\n[74412.610985] ntb_complete_rxc+0xed/0x140 [ntb_transport]\\n[74412.617010] ntb_rx_copy_callback+0x53/0x80 [ntb_transport]\\n[74412.623332] idxd_dma_complete_txd+0xe3/0x160 [idxd]\\n[74412.628963] idxd_wq_thread+0x1a6/0x2b0 [idxd]\\n[74412.634046] irq_thread_fn+0x21/0x60\\n[74412.638134] ? irq_thread+0xa8/0x290\\n[74412.642218] irq_thread+0x1a0/0x290\\n[74412.646212] ? __pfx_irq_thread_fn+0x10/0x10\\n[74412.651071] ? __pfx_irq_thread_dtor+0x10/0x10\\n[74412.656117] ? __pfx_irq_thread+0x10/0x10\\n[74412.660686] kthread+0x100/0x130\\n[74412.664384] ? __pfx_kthread+0x10/0x10\\n[74412.668639] ret_from_fork+0x31/0x50\\n[74412.672716] ? __pfx_kthread+0x10/0x10\\n[74412.676978] ret_from_fork_asm+0x1a/0x30\\n[74412.681457] \\n\\nThe cause is due to the idxd driver interrupt completion handler uses\\nthreaded interrupt and the threaded handler is not hard or soft interrupt\\ncontext. However __netif_rx() can only be called from interrupt context.\\nChange the call to netif_rx() in order to allow completion via normal\\ncontext for dmaengine drivers that utilize threaded irq handling.\\n\\nWhile the following commit changed from netif_rx() to __netif_rx(),\\nbaebdf48c360 (\\\"net: dev: Makes sure netif_rx() can be invoked in any context.\\\"),\\nthe change should've been a noop instead. However, the code precedes this\\nfix should've been using netif_rx_ni() or netif_rx_any_context().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42110\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42114", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42114" + }, + { + "url": "https://git.kernel.org/stable/c/33ac5a4eb3d4bea2146658f1b6d1fa86d62d2b22" + }, + { + "url": "https://git.kernel.org/stable/c/3fc06f6d142d2840735543216a60d0a8c345bdec" + }, + { + "url": "https://git.kernel.org/stable/c/80ac0cc9c0bef984e29637b1efa93d7214b42f53" + }, + { + "url": "https://git.kernel.org/stable/c/8a3ac7fb36962c34698f884bd697938054ff2afa" + }, + { + "url": "https://git.kernel.org/stable/c/d1cba2ea8121e7fdbe1328cea782876b1dd80993" + }, + { + "url": "https://git.kernel.org/stable/c/e87c2f098f52aa2fe20258a5bb1738d6a74e9ed7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42114 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42114", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values\n\nsyzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM\nto 2^31.\n\nWe had a similar issue in sch_fq, fixed with commit\nd9e15a273306 (\"pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM\")\n\nwatchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]\nModules linked in:\nirq event stamp: 131135\n hardirqs last enabled at (131134): [] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]\n hardirqs last enabled at (131134): [] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95\n hardirqs last disabled at (131135): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (131135): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last enabled at (125892): [] neigh_hh_init net/core/neighbour.c:1538 [inline]\n softirqs last enabled at (125892): [] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553\n softirqs last disabled at (125896): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19\nCPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nWorkqueue: mld mld_ifc_work\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __list_del include/linux/list.h:195 [inline]\n pc : __list_del_entry include/linux/list.h:218 [inline]\n pc : list_move_tail include/linux/list.h:310 [inline]\n pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\n lr : __list_del_entry include/linux/list.h:218 [inline]\n lr : list_move_tail include/linux/list.h:310 [inline]\n lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854\nsp : ffff800093d36700\nx29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000\nx26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0\nx23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0\nx20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0\nx17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8\nx14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff\nx11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc\nx2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470\nCall trace:\n __list_del include/linux/list.h:195 [inline]\n __list_del_entry include/linux/list.h:218 [inline]\n list_move_tail include/linux/list.h:310 [inline]\n fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\n wake_tx_push_queue net/mac80211/util.c:294 [inline]\n ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315\n drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]\n schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]\n ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664\n ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966\n ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062\n __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338\n ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547\n __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563\n neigh_output include/net/neighbour.h:542 [inline]\n ip6_fini\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42114\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42114\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42114\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42114\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42114\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/33ac5a4eb3d4bea2146658f1b6d1fa86d62d2b22\",\n \"https://git.kernel.org/stable/c/3fc06f6d142d2840735543216a60d0a8c345bdec\",\n \"https://git.kernel.org/stable/c/80ac0cc9c0bef984e29637b1efa93d7214b42f53\",\n \"https://git.kernel.org/stable/c/8a3ac7fb36962c34698f884bd697938054ff2afa\",\n \"https://git.kernel.org/stable/c/d1cba2ea8121e7fdbe1328cea782876b1dd80993\",\n \"https://git.kernel.org/stable/c/e87c2f098f52aa2fe20258a5bb1738d6a74e9ed7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values\\n\\nsyzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM\\nto 2^31.\\n\\nWe had a similar issue in sch_fq, fixed with commit\\nd9e15a273306 (\\\"pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM\\\")\\n\\nwatchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]\\nModules linked in:\\nirq event stamp: 131135\\n hardirqs last enabled at (131134): [] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]\\n hardirqs last enabled at (131134): [] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95\\n hardirqs last disabled at (131135): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\\n hardirqs last disabled at (131135): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\\n softirqs last enabled at (125892): [] neigh_hh_init net/core/neighbour.c:1538 [inline]\\n softirqs last enabled at (125892): [] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553\\n softirqs last disabled at (125896): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19\\nCPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nWorkqueue: mld mld_ifc_work\\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : __list_del include/linux/list.h:195 [inline]\\n pc : __list_del_entry include/linux/list.h:218 [inline]\\n pc : list_move_tail include/linux/list.h:310 [inline]\\n pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\\n pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\\n lr : __list_del_entry include/linux/list.h:218 [inline]\\n lr : list_move_tail include/linux/list.h:310 [inline]\\n lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\\n lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854\\nsp : ffff800093d36700\\nx29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000\\nx26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0\\nx23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0\\nx20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0\\nx17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8\\nx14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff\\nx11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000\\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\\nx5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc\\nx2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470\\nCall trace:\\n __list_del include/linux/list.h:195 [inline]\\n __list_del_entry include/linux/list.h:218 [inline]\\n list_move_tail include/linux/list.h:310 [inline]\\n fq_tin_dequeue include/net/fq_impl.h:112 [inline]\\n ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\\n wake_tx_push_queue net/mac80211/util.c:294 [inline]\\n ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315\\n drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]\\n schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]\\n ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664\\n ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966\\n ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062\\n __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338\\n ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532\\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\\n xmit_one net/core/dev.c:3531 [inline]\\n dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547\\n __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341\\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\\n neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563\\n neigh_output include/net/neighbour.h:542 [inline]\\n ip6_fini\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42114\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42115", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42115" + }, + { + "url": "https://git.kernel.org/stable/c/05fc1ef892f862c1197b11b288bc00f602d2df0c" + }, + { + "url": "https://git.kernel.org/stable/c/0b3246052e01e61a55bb3a15b76acb006759fe67" + }, + { + "url": "https://git.kernel.org/stable/c/5ca26334fc8a3711fed14db7f9eb1c621be4df65" + }, + { + "url": "https://git.kernel.org/stable/c/6d6d94287f6365282bbf41e9a5b5281985970789" + }, + { + "url": "https://git.kernel.org/stable/c/751987a5d8ead0cc405fad96e83ebbaa51c82dbc" + }, + { + "url": "https://git.kernel.org/stable/c/af9a8730ddb6a4b2edd779ccc0aceb994d616830" + }, + { + "url": "https://git.kernel.org/stable/c/b6c8b3e31eb88c85094d848a0bd8b4bafe67e4d8" + }, + { + "url": "https://git.kernel.org/stable/c/d0bbbf31462a400bef4df33e22de91864f475455" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42115 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42115", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: Fix potential illegal address access in jffs2_free_inode\n\nDuring the stress testing of the jffs2 file system,the following\nabnormal printouts were found:\n[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948\n[ 2430.649622] Mem abort info:\n[ 2430.649829] ESR = 0x96000004\n[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 2430.650564] SET = 0, FnV = 0\n[ 2430.650795] EA = 0, S1PTW = 0\n[ 2430.651032] FSC = 0x04: level 0 translation fault\n[ 2430.651446] Data abort info:\n[ 2430.651683] ISV = 0, ISS = 0x00000004\n[ 2430.652001] CM = 0, WnR = 0\n[ 2430.652558] [0069696969696948] address between user and kernel address ranges\n[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33\n[ 2430.655008] Hardware name: linux,dummy-virt (DT)\n[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 2430.656142] pc : kfree+0x78/0x348\n[ 2430.656630] lr : jffs2_free_inode+0x24/0x48\n[ 2430.657051] sp : ffff800009eebd10\n[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000\n[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000\n[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14\n[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000\n[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000\n[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19\n[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14\n[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302\n[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342\n[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000\n[ 2430.664217] Call trace:\n[ 2430.664528] kfree+0x78/0x348\n[ 2430.664855] jffs2_free_inode+0x24/0x48\n[ 2430.665233] i_callback+0x24/0x50\n[ 2430.665528] rcu_do_batch+0x1ac/0x448\n[ 2430.665892] rcu_core+0x28c/0x3c8\n[ 2430.666151] rcu_core_si+0x18/0x28\n[ 2430.666473] __do_softirq+0x138/0x3cc\n[ 2430.666781] irq_exit+0xf0/0x110\n[ 2430.667065] handle_domain_irq+0x6c/0x98\n[ 2430.667447] gic_handle_irq+0xac/0xe8\n[ 2430.667739] call_on_irq_stack+0x28/0x54\nThe parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of\nthe jffs_inode_info structure. It was found that all variables in the jffs_inode_info\nstructure were 5a5a5a5a, except for the first member sem. It is suspected that these\nvariables are not initialized because they were set to 5a5a5a5a during memory testing,\nwhich is meant to detect uninitialized memory.The sem variable is initialized in the\nfunction jffs2_i_init_once, while other members are initialized in\nthe function jffs2_init_inode_info.\n\nThe function jffs2_init_inode_info is called after iget_locked,\nbut in the iget_locked function, the destroy_inode process is triggered,\nwhich releases the inode and consequently, the target member of the inode\nis not initialized.In concurrent high pressure scenarios, iget_locked\nmay enter the destroy_inode branch as described in the code.\n\nSince the destroy_inode functionality of jffs2 only releases the target,\nthe fix method is to set target to NULL in jffs2_i_init_once.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42115\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42115\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42115\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42115\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42115\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05fc1ef892f862c1197b11b288bc00f602d2df0c\",\n \"https://git.kernel.org/stable/c/0b3246052e01e61a55bb3a15b76acb006759fe67\",\n \"https://git.kernel.org/stable/c/5ca26334fc8a3711fed14db7f9eb1c621be4df65\",\n \"https://git.kernel.org/stable/c/6d6d94287f6365282bbf41e9a5b5281985970789\",\n \"https://git.kernel.org/stable/c/751987a5d8ead0cc405fad96e83ebbaa51c82dbc\",\n \"https://git.kernel.org/stable/c/af9a8730ddb6a4b2edd779ccc0aceb994d616830\",\n \"https://git.kernel.org/stable/c/b6c8b3e31eb88c85094d848a0bd8b4bafe67e4d8\",\n \"https://git.kernel.org/stable/c/d0bbbf31462a400bef4df33e22de91864f475455\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njffs2: Fix potential illegal address access in jffs2_free_inode\\n\\nDuring the stress testing of the jffs2 file system,the following\\nabnormal printouts were found:\\n[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948\\n[ 2430.649622] Mem abort info:\\n[ 2430.649829] ESR = 0x96000004\\n[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits\\n[ 2430.650564] SET = 0, FnV = 0\\n[ 2430.650795] EA = 0, S1PTW = 0\\n[ 2430.651032] FSC = 0x04: level 0 translation fault\\n[ 2430.651446] Data abort info:\\n[ 2430.651683] ISV = 0, ISS = 0x00000004\\n[ 2430.652001] CM = 0, WnR = 0\\n[ 2430.652558] [0069696969696948] address between user and kernel address ranges\\n[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP\\n[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33\\n[ 2430.655008] Hardware name: linux,dummy-virt (DT)\\n[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[ 2430.656142] pc : kfree+0x78/0x348\\n[ 2430.656630] lr : jffs2_free_inode+0x24/0x48\\n[ 2430.657051] sp : ffff800009eebd10\\n[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000\\n[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000\\n[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14\\n[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000\\n[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000\\n[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19\\n[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14\\n[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302\\n[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342\\n[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000\\n[ 2430.664217] Call trace:\\n[ 2430.664528] kfree+0x78/0x348\\n[ 2430.664855] jffs2_free_inode+0x24/0x48\\n[ 2430.665233] i_callback+0x24/0x50\\n[ 2430.665528] rcu_do_batch+0x1ac/0x448\\n[ 2430.665892] rcu_core+0x28c/0x3c8\\n[ 2430.666151] rcu_core_si+0x18/0x28\\n[ 2430.666473] __do_softirq+0x138/0x3cc\\n[ 2430.666781] irq_exit+0xf0/0x110\\n[ 2430.667065] handle_domain_irq+0x6c/0x98\\n[ 2430.667447] gic_handle_irq+0xac/0xe8\\n[ 2430.667739] call_on_irq_stack+0x28/0x54\\nThe parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of\\nthe jffs_inode_info structure. It was found that all variables in the jffs_inode_info\\nstructure were 5a5a5a5a, except for the first member sem. It is suspected that these\\nvariables are not initialized because they were set to 5a5a5a5a during memory testing,\\nwhich is meant to detect uninitialized memory.The sem variable is initialized in the\\nfunction jffs2_i_init_once, while other members are initialized in\\nthe function jffs2_init_inode_info.\\n\\nThe function jffs2_init_inode_info is called after iget_locked,\\nbut in the iget_locked function, the destroy_inode process is triggered,\\nwhich releases the inode and consequently, the target member of the inode\\nis not initialized.In concurrent high pressure scenarios, iget_locked\\nmay enter the destroy_inode branch as described in the code.\\n\\nSince the destroy_inode functionality of jffs2 only releases the target,\\nthe fix method is to set target to NULL in jffs2_i_init_once.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42115\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42116", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42116" + }, + { + "url": "https://git.kernel.org/stable/c/86167183a17e03ec77198897975e9fdfbd53cb0b" + }, + { + "url": "https://git.kernel.org/stable/c/96839f3f588236593de36465f142b0126267f8b6" + }, + { + "url": "https://git.kernel.org/stable/c/98c8958980e829f023a490b9a9816ca1fe2f8b79" + }, + { + "url": "https://git.kernel.org/stable/c/991f036cabc3d13e886a37faeea1b6800181fdda" + }, + { + "url": "https://git.kernel.org/stable/c/d478ec838cf2b1e1051a8709cfc744fe1c03110f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42116 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42116", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: fix a log entry using uninitialized netdev\n\nDuring successful probe, igc logs this:\n\n[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nThe reason is that igc_ptp_init() is called very early, even before\nregister_netdev() has been called. So the netdev_info() call works\non a partially uninitialized netdev.\n\nFix this by calling igc_ptp_init() after register_netdev(), right\nafter the media autosense check, just as in igb. Add a comment,\njust as in igb.\n\nNow the log message is fine:\n\n[ 5.200987] igc 0000:01:00.0 eth0: PHC added", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42116\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42116\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42116\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42116\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42116\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/86167183a17e03ec77198897975e9fdfbd53cb0b\",\n \"https://git.kernel.org/stable/c/96839f3f588236593de36465f142b0126267f8b6\",\n \"https://git.kernel.org/stable/c/98c8958980e829f023a490b9a9816ca1fe2f8b79\",\n \"https://git.kernel.org/stable/c/991f036cabc3d13e886a37faeea1b6800181fdda\",\n \"https://git.kernel.org/stable/c/d478ec838cf2b1e1051a8709cfc744fe1c03110f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nigc: fix a log entry using uninitialized netdev\\n\\nDuring successful probe, igc logs this:\\n\\n[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added\\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\\nThe reason is that igc_ptp_init() is called very early, even before\\nregister_netdev() has been called. So the netdev_info() call works\\non a partially uninitialized netdev.\\n\\nFix this by calling igc_ptp_init() after register_netdev(), right\\nafter the media autosense check, just as in igb. Add a comment,\\njust as in igb.\\n\\nNow the log message is fine:\\n\\n[ 5.200987] igc 0000:01:00.0 eth0: PHC added\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42116\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42117", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42117" + }, + { + "url": "https://git.kernel.org/stable/c/01eb50e53c1ce505bf449348d433181310288765" + }, + { + "url": "https://git.kernel.org/stable/c/a9c047a5cf3135b8b66bd28fbe2c698b9cace0b3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42117 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42117", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: ASSERT when failing to find index by plane/stream id\n\n[WHY]\nfind_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns\nan array index and they return -1 when not found; however, -1 is not a\nvalid index number.\n\n[HOW]\nWhen this happens, call ASSERT(), and return a positive number (which is\nfewer than callers' array size) instead.\n\nThis fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42117\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42117\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42117\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42117\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42117\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01eb50e53c1ce505bf449348d433181310288765\",\n \"https://git.kernel.org/stable/c/a9c047a5cf3135b8b66bd28fbe2c698b9cace0b3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: ASSERT when failing to find index by plane/stream id\\n\\n[WHY]\\nfind_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns\\nan array index and they return -1 when not found; however, -1 is not a\\nvalid index number.\\n\\n[HOW]\\nWhen this happens, call ASSERT(), and return a positive number (which is\\nfewer than callers' array size) instead.\\n\\nThis fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42117\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42118", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42118" + }, + { + "url": "https://git.kernel.org/stable/c/3ac31c9a707dd1c7c890b95333182f955e9dcb57" + }, + { + "url": "https://git.kernel.org/stable/c/a76fa9c4f0fc0aa6f517da3fa7d7c23e8a32c7d0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42118 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42118", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Do not return negative stream id for array\n\n[WHY]\nresource_stream_to_stream_idx returns an array index and it return -1\nwhen not found; however, -1 is not a valid array index number.\n\n[HOW]\nWhen this happens, call ASSERT(), and return a zero instead.\n\nThis fixes an OVERRUN and an NEGATIVE_RETURNS issues reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42118\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42118\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42118\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42118\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42118\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3ac31c9a707dd1c7c890b95333182f955e9dcb57\",\n \"https://git.kernel.org/stable/c/a76fa9c4f0fc0aa6f517da3fa7d7c23e8a32c7d0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Do not return negative stream id for array\\n\\n[WHY]\\nresource_stream_to_stream_idx returns an array index and it return -1\\nwhen not found; however, -1 is not a valid array index number.\\n\\n[HOW]\\nWhen this happens, call ASSERT(), and return a zero instead.\\n\\nThis fixes an OVERRUN and an NEGATIVE_RETURNS issues reported by Coverity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42118\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42119", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42119" + }, + { + "url": "https://git.kernel.org/stable/c/1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3" + }, + { + "url": "https://git.kernel.org/stable/c/874261358d31fc772f2823604167e670983cc1ca" + }, + { + "url": "https://git.kernel.org/stable/c/881fb6afc0004c5e6392ae2848f825bf051dae14" + }, + { + "url": "https://git.kernel.org/stable/c/95ad20ee3c4efbb91f9a4ab08e070aa3697f5879" + }, + { + "url": "https://git.kernel.org/stable/c/9eb4db08a808e3a3ba59193aeb84a57a6dc4d8c9" + }, + { + "url": "https://git.kernel.org/stable/c/afaaebdee9bb9f26d9e13cc34b33bd0a7bf59488" + }, + { + "url": "https://git.kernel.org/stable/c/eacca028a623f608607d02457122ee5284491e18" + }, + { + "url": "https://git.kernel.org/stable/c/ffa7bd3ca9cfa902b857d1dc9a5f46fededf86c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42119 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42119", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip finding free audio for unknown engine_id\n\n[WHY]\nENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it\nalso means it is uninitialized and does not need free audio.\n\n[HOW]\nSkip and return NULL.\n\nThis fixes 2 OVERRUN issues reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42119\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42119\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42119\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42119\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42119\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3\",\n \"https://git.kernel.org/stable/c/874261358d31fc772f2823604167e670983cc1ca\",\n \"https://git.kernel.org/stable/c/881fb6afc0004c5e6392ae2848f825bf051dae14\",\n \"https://git.kernel.org/stable/c/95ad20ee3c4efbb91f9a4ab08e070aa3697f5879\",\n \"https://git.kernel.org/stable/c/9eb4db08a808e3a3ba59193aeb84a57a6dc4d8c9\",\n \"https://git.kernel.org/stable/c/afaaebdee9bb9f26d9e13cc34b33bd0a7bf59488\",\n \"https://git.kernel.org/stable/c/eacca028a623f608607d02457122ee5284491e18\",\n \"https://git.kernel.org/stable/c/ffa7bd3ca9cfa902b857d1dc9a5f46fededf86c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Skip finding free audio for unknown engine_id\\n\\n[WHY]\\nENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it\\nalso means it is uninitialized and does not need free audio.\\n\\n[HOW]\\nSkip and return NULL.\\n\\nThis fixes 2 OVERRUN issues reported by Coverity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42119\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42120", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42120" + }, + { + "url": "https://git.kernel.org/stable/c/0b3702f9d43d163fd05e43b7d7e22e766dbef329" + }, + { + "url": "https://git.kernel.org/stable/c/5396a70e8cf462ec5ccf2dc8de103c79de9489e6" + }, + { + "url": "https://git.kernel.org/stable/c/96bf81cc1bd058bb8af6e755a548e926e934dfd1" + }, + { + "url": "https://git.kernel.org/stable/c/b2e9abc95583ac7bbb2c47da4d476a798146dfd6" + }, + { + "url": "https://git.kernel.org/stable/c/c5ec2afeeee4c91cebc4eff6d4f1ecf4047259f4" + }, + { + "url": "https://git.kernel.org/stable/c/d2c3645a4a5ae5d933b4116c305d9d82b8199dbf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42120 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42120", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check pipe offset before setting vblank\n\npipe_ctx has a size of MAX_PIPES so checking its index before accessing\nthe array.\n\nThis fixes an OVERRUN issue reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42120\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42120\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42120\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42120\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42120\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b3702f9d43d163fd05e43b7d7e22e766dbef329\",\n \"https://git.kernel.org/stable/c/5396a70e8cf462ec5ccf2dc8de103c79de9489e6\",\n \"https://git.kernel.org/stable/c/96bf81cc1bd058bb8af6e755a548e926e934dfd1\",\n \"https://git.kernel.org/stable/c/b2e9abc95583ac7bbb2c47da4d476a798146dfd6\",\n \"https://git.kernel.org/stable/c/c5ec2afeeee4c91cebc4eff6d4f1ecf4047259f4\",\n \"https://git.kernel.org/stable/c/d2c3645a4a5ae5d933b4116c305d9d82b8199dbf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Check pipe offset before setting vblank\\n\\npipe_ctx has a size of MAX_PIPES so checking its index before accessing\\nthe array.\\n\\nThis fixes an OVERRUN issue reported by Coverity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42120\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42121", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42121" + }, + { + "url": "https://git.kernel.org/stable/c/59d99deb330af206a4541db0c4da8f73880fba03" + }, + { + "url": "https://git.kernel.org/stable/c/9933eca6ada0cd612e19522e7a319bcef464c0eb" + }, + { + "url": "https://git.kernel.org/stable/c/a31ea49dc8064a557565725cf045944307476a6e" + }, + { + "url": "https://git.kernel.org/stable/c/ae91ffbc8b8d942e3e7f188728cad557b7ed5ee4" + }, + { + "url": "https://git.kernel.org/stable/c/b5b8837d066cc182ff69fb5629ad32ade5484567" + }, + { + "url": "https://git.kernel.org/stable/c/fbb0701af9734cff13917a4b98b5ee9da2fde48d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42121 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42121", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check index msg_id before read or write\n\n[WHAT]\nmsg_id is used as an array index and it cannot be a negative value, and\ntherefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1).\n\n[HOW]\nCheck whether msg_id is valid before reading and setting.\n\nThis fixes 4 OVERRUN issues reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42121\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42121\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42121\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42121\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42121\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/59d99deb330af206a4541db0c4da8f73880fba03\",\n \"https://git.kernel.org/stable/c/9933eca6ada0cd612e19522e7a319bcef464c0eb\",\n \"https://git.kernel.org/stable/c/a31ea49dc8064a557565725cf045944307476a6e\",\n \"https://git.kernel.org/stable/c/ae91ffbc8b8d942e3e7f188728cad557b7ed5ee4\",\n \"https://git.kernel.org/stable/c/b5b8837d066cc182ff69fb5629ad32ade5484567\",\n \"https://git.kernel.org/stable/c/fbb0701af9734cff13917a4b98b5ee9da2fde48d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Check index msg_id before read or write\\n\\n[WHAT]\\nmsg_id is used as an array index and it cannot be a negative value, and\\ntherefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1).\\n\\n[HOW]\\nCheck whether msg_id is valid before reading and setting.\\n\\nThis fixes 4 OVERRUN issues reported by Coverity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42121\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42122", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42122" + }, + { + "url": "https://git.kernel.org/stable/c/062edd612fcd300f0f79a36fca5b8b6a5e2fce70" + }, + { + "url": "https://git.kernel.org/stable/c/8e65a1b7118acf6af96449e1e66b7adbc9396912" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42122 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42122", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL pointer check for kzalloc\n\n[Why & How]\nCheck return pointer of kzalloc before using it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42122\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42122\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42122\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42122\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42122\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/062edd612fcd300f0f79a36fca5b8b6a5e2fce70\",\n \"https://git.kernel.org/stable/c/8e65a1b7118acf6af96449e1e66b7adbc9396912\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add NULL pointer check for kzalloc\\n\\n[Why & How]\\nCheck return pointer of kzalloc before using it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42122\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42123", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42123" + }, + { + "url": "https://git.kernel.org/stable/c/506c245f3f1cd989cb89811a7f06e04ff8813a0d" + }, + { + "url": "https://git.kernel.org/stable/c/8e24beb3c2b08a4763f920399a9cc577ed440a1a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42123 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42123", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix double free err_addr pointer warnings\n\nIn amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages\nwill be run many times so that double free err_addr in some special case.\nSo set the err_addr to NULL to avoid the warnings.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42123\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42123\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42123\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42123\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42123\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/506c245f3f1cd989cb89811a7f06e04ff8813a0d\",\n \"https://git.kernel.org/stable/c/8e24beb3c2b08a4763f920399a9cc577ed440a1a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: fix double free err_addr pointer warnings\\n\\nIn amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages\\nwill be run many times so that double free err_addr in some special case.\\nSo set the err_addr to NULL to avoid the warnings.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42123\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42124", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42124" + }, + { + "url": "https://git.kernel.org/stable/c/0a8a91932b2772e75bf3f6d133ca4225d1d3e920" + }, + { + "url": "https://git.kernel.org/stable/c/0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec" + }, + { + "url": "https://git.kernel.org/stable/c/2b9c7787cfcd1e76d873a78f16cf45bfa4b100ea" + }, + { + "url": "https://git.kernel.org/stable/c/4f314aadeed8cdf42c8cf30769425b5e44702748" + }, + { + "url": "https://git.kernel.org/stable/c/5ceb40cdee721e13cbe15a0515cacf984e11236b" + }, + { + "url": "https://git.kernel.org/stable/c/b6ded5316ec56e973dcf5f9997945aad01a9f062" + }, + { + "url": "https://git.kernel.org/stable/c/fa49c65a1cec6a3901ef884fdb24d98068b63493" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42124 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42124", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Make qedf_execute_tmf() non-preemptible\n\nStop calling smp_processor_id() from preemptible code in\nqedf_execute_tmf90. This results in BUG_ON() when running an RT kernel.\n\n[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646\n[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42124\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42124\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42124\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42124\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42124\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a8a91932b2772e75bf3f6d133ca4225d1d3e920\",\n \"https://git.kernel.org/stable/c/0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec\",\n \"https://git.kernel.org/stable/c/2b9c7787cfcd1e76d873a78f16cf45bfa4b100ea\",\n \"https://git.kernel.org/stable/c/4f314aadeed8cdf42c8cf30769425b5e44702748\",\n \"https://git.kernel.org/stable/c/5ceb40cdee721e13cbe15a0515cacf984e11236b\",\n \"https://git.kernel.org/stable/c/b6ded5316ec56e973dcf5f9997945aad01a9f062\",\n \"https://git.kernel.org/stable/c/fa49c65a1cec6a3901ef884fdb24d98068b63493\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qedf: Make qedf_execute_tmf() non-preemptible\\n\\nStop calling smp_processor_id() from preemptible code in\\nqedf_execute_tmf90. This results in BUG_ON() when running an RT kernel.\\n\\n[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646\\n[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42124\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42125", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42125" + }, + { + "url": "https://git.kernel.org/stable/c/bb38626f3f97e16e6d368a9ff6daf320f3fe31d9" + }, + { + "url": "https://git.kernel.org/stable/c/ce4ba62f8bc5195a9a0d49c6235a9c99e619cadc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42125 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42125", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband\n\nWe have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz\nsband will be NULL even if it is WiFi 7 chip. So, add NULL handling here\nto avoid crash.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42125\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42125\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42125\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42125\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42125\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/bb38626f3f97e16e6d368a9ff6daf320f3fe31d9\",\n \"https://git.kernel.org/stable/c/ce4ba62f8bc5195a9a0d49c6235a9c99e619cadc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband\\n\\nWe have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz\\nsband will be NULL even if it is WiFi 7 chip. So, add NULL handling here\\nto avoid crash.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42125\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42126", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42126" + }, + { + "url": "https://git.kernel.org/stable/c/0db880fc865ffb522141ced4bfa66c12ab1fbb70" + }, + { + "url": "https://git.kernel.org/stable/c/0f37946c62c48a907625348cbc720a7a0c547d1e" + }, + { + "url": "https://git.kernel.org/stable/c/2c78c9411e685dbc9eac8c2845111b03501975b8" + }, + { + "url": "https://git.kernel.org/stable/c/8d3f83dfb23674540c827a8d65fba20aa300b252" + }, + { + "url": "https://git.kernel.org/stable/c/e2afb26615adf6c3ceaaa7732aa839bcd587a057" + }, + { + "url": "https://git.kernel.org/stable/c/fb6675db04c4b79883373edc578d5df7bbc84848" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42126 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42126", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.\n\nnmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel\ncrash when invoked during real mode interrupt handling (e.g. early HMI/MCE\ninterrupt handler) if percpu allocation comes from vmalloc area.\n\nEarly HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()\nwrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when\npercpu allocation is from the embedded first chunk. However with\nCONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu\nallocation can come from the vmalloc area.\n\nWith kernel command line \"percpu_alloc=page\" we can force percpu allocation\nto come from vmalloc area and can see kernel crash in machine_check_early:\n\n[ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110\n[ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0\n[ 1.215719] --- interrupt: 200\n[ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)\n[ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0\n[ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8\n\nFix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu\nfirst chunk is not embedded.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42126\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42126\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42126\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42126\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42126\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0db880fc865ffb522141ced4bfa66c12ab1fbb70\",\n \"https://git.kernel.org/stable/c/0f37946c62c48a907625348cbc720a7a0c547d1e\",\n \"https://git.kernel.org/stable/c/2c78c9411e685dbc9eac8c2845111b03501975b8\",\n \"https://git.kernel.org/stable/c/8d3f83dfb23674540c827a8d65fba20aa300b252\",\n \"https://git.kernel.org/stable/c/e2afb26615adf6c3ceaaa7732aa839bcd587a057\",\n \"https://git.kernel.org/stable/c/fb6675db04c4b79883373edc578d5df7bbc84848\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.\\n\\nnmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel\\ncrash when invoked during real mode interrupt handling (e.g. early HMI/MCE\\ninterrupt handler) if percpu allocation comes from vmalloc area.\\n\\nEarly HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()\\nwrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when\\npercpu allocation is from the embedded first chunk. However with\\nCONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu\\nallocation can come from the vmalloc area.\\n\\nWith kernel command line \\\"percpu_alloc=page\\\" we can force percpu allocation\\nto come from vmalloc area and can see kernel crash in machine_check_early:\\n\\n[ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110\\n[ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0\\n[ 1.215719] --- interrupt: 200\\n[ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)\\n[ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0\\n[ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8\\n\\nFix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu\\nfirst chunk is not embedded.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42126\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42127", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42127" + }, + { + "url": "https://git.kernel.org/stable/c/04d531b9a1875846d4f89953b469ad463aa7a770" + }, + { + "url": "https://git.kernel.org/stable/c/0a487e977cb8897ae4c51ecd34bbaa2b005266c9" + }, + { + "url": "https://git.kernel.org/stable/c/0d60c43df59ef01c08dc7b0c45495178f9d05a13" + }, + { + "url": "https://git.kernel.org/stable/c/17fe8b75aaf0bb1bdc31368963446b421c22d0af" + }, + { + "url": "https://git.kernel.org/stable/c/25d0d9b83d855cbc5d5aa5ae3cd79d55ea0c84a8" + }, + { + "url": "https://git.kernel.org/stable/c/a6683c690bbfd1f371510cb051e8fa49507f3f5e" + }, + { + "url": "https://git.kernel.org/stable/c/b5daf9217a50636a969bc1965f827878aeb09ffe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42127 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42127", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: fix shared irq handling on driver remove\n\nlima uses a shared interrupt, so the interrupt handlers must be prepared\nto be called at any time. At driver removal time, the clocks are\ndisabled early and the interrupts stay registered until the very end of\nthe remove process due to the devm usage.\nThis is potentially a bug as the interrupts access device registers\nwhich assumes clocks are enabled. A crash can be triggered by removing\nthe driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.\nThis patch frees the interrupts at each lima device finishing callback\nso that the handlers are already unregistered by the time we fully\ndisable clocks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42127\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42127\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42127\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42127\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42127\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04d531b9a1875846d4f89953b469ad463aa7a770\",\n \"https://git.kernel.org/stable/c/0a487e977cb8897ae4c51ecd34bbaa2b005266c9\",\n \"https://git.kernel.org/stable/c/0d60c43df59ef01c08dc7b0c45495178f9d05a13\",\n \"https://git.kernel.org/stable/c/17fe8b75aaf0bb1bdc31368963446b421c22d0af\",\n \"https://git.kernel.org/stable/c/25d0d9b83d855cbc5d5aa5ae3cd79d55ea0c84a8\",\n \"https://git.kernel.org/stable/c/a6683c690bbfd1f371510cb051e8fa49507f3f5e\",\n \"https://git.kernel.org/stable/c/b5daf9217a50636a969bc1965f827878aeb09ffe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/lima: fix shared irq handling on driver remove\\n\\nlima uses a shared interrupt, so the interrupt handlers must be prepared\\nto be called at any time. At driver removal time, the clocks are\\ndisabled early and the interrupts stay registered until the very end of\\nthe remove process due to the devm usage.\\nThis is potentially a bug as the interrupts access device registers\\nwhich assumes clocks are enabled. A crash can be triggered by removing\\nthe driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.\\nThis patch frees the interrupts at each lima device finishing callback\\nso that the handlers are already unregistered by the time we fully\\ndisable clocks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42127\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42128", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42128" + }, + { + "url": "https://git.kernel.org/stable/c/3ead19aa341de89a8c3d88a091d8093ebea622e8" + }, + { + "url": "https://git.kernel.org/stable/c/9dba44460bfca657ca43f03ea9bafa4f9f7dd077" + }, + { + "url": "https://git.kernel.org/stable/c/c382e2e3eccb6b7ca8c7aff5092c1668428e7de6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42128 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42128", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: an30259a: Use devm_mutex_init() for mutex initialization\n\nIn this driver LEDs are registered using devm_led_classdev_register()\nso they are automatically unregistered after module's remove() is done.\nled_classdev_unregister() calls module's led_set_brightness() to turn off\nthe LEDs and that callback uses mutex which was destroyed already\nin module's remove() so use devm API instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42128\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42128\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42128\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42128\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42128\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3ead19aa341de89a8c3d88a091d8093ebea622e8\",\n \"https://git.kernel.org/stable/c/9dba44460bfca657ca43f03ea9bafa4f9f7dd077\",\n \"https://git.kernel.org/stable/c/c382e2e3eccb6b7ca8c7aff5092c1668428e7de6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nleds: an30259a: Use devm_mutex_init() for mutex initialization\\n\\nIn this driver LEDs are registered using devm_led_classdev_register()\\nso they are automatically unregistered after module's remove() is done.\\nled_classdev_unregister() calls module's led_set_brightness() to turn off\\nthe LEDs and that callback uses mutex which was destroyed already\\nin module's remove() so use devm API instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42128\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42129", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42129" + }, + { + "url": "https://git.kernel.org/stable/c/3b62888307ae44b68512d3f7735c26a4c8e45b51" + }, + { + "url": "https://git.kernel.org/stable/c/efc347b9efee1c2b081f5281d33be4559fa50a16" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42129 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42129", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: mlxreg: Use devm_mutex_init() for mutex initialization\n\nIn this driver LEDs are registered using devm_led_classdev_register()\nso they are automatically unregistered after module's remove() is done.\nled_classdev_unregister() calls module's led_set_brightness() to turn off\nthe LEDs and that callback uses mutex which was destroyed already\nin module's remove() so use devm API instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42129\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42129\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42129\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42129\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42129\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b62888307ae44b68512d3f7735c26a4c8e45b51\",\n \"https://git.kernel.org/stable/c/efc347b9efee1c2b081f5281d33be4559fa50a16\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nleds: mlxreg: Use devm_mutex_init() for mutex initialization\\n\\nIn this driver LEDs are registered using devm_led_classdev_register()\\nso they are automatically unregistered after module's remove() is done.\\nled_classdev_unregister() calls module's led_set_brightness() to turn off\\nthe LEDs and that callback uses mutex which was destroyed already\\nin module's remove() so use devm API instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42129\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42130", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42130" + }, + { + "url": "https://git.kernel.org/stable/c/056478b4321b36ca33567089d39ac992f6c9c37a" + }, + { + "url": "https://git.kernel.org/stable/c/068648aab72c9ba7b0597354ef4d81ffaac7b979" + }, + { + "url": "https://git.kernel.org/stable/c/22a72c1c10f43ca645a98725e0faff34592f4d08" + }, + { + "url": "https://git.kernel.org/stable/c/41f5e2840cd0629f049ce5ce2f8dd10a8299de42" + }, + { + "url": "https://git.kernel.org/stable/c/f07bcd8bba803c9e6ad2048543185d6c56587a2f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42130 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42130", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc/nci: Add the inconsistency check between the input data length and count\n\nwrite$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB=\"610501\"], 0xf)\n\nSyzbot constructed a write() call with a data length of 3 bytes but a count value\nof 15, which passed too little data to meet the basic requirements of the function\nnci_rf_intf_activated_ntf_packet().\n\nTherefore, increasing the comparison between data length and count value to avoid\nproblems caused by inconsistent data length and count.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42130\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42130\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42130\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42130\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42130\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/056478b4321b36ca33567089d39ac992f6c9c37a\",\n \"https://git.kernel.org/stable/c/068648aab72c9ba7b0597354ef4d81ffaac7b979\",\n \"https://git.kernel.org/stable/c/22a72c1c10f43ca645a98725e0faff34592f4d08\",\n \"https://git.kernel.org/stable/c/41f5e2840cd0629f049ce5ce2f8dd10a8299de42\",\n \"https://git.kernel.org/stable/c/f07bcd8bba803c9e6ad2048543185d6c56587a2f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc/nci: Add the inconsistency check between the input data length and count\\n\\nwrite$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB=\\\"610501\\\"], 0xf)\\n\\nSyzbot constructed a write() call with a data length of 3 bytes but a count value\\nof 15, which passed too little data to meet the basic requirements of the function\\nnci_rf_intf_activated_ntf_packet().\\n\\nTherefore, increasing the comparison between data length and count value to avoid\\nproblems caused by inconsistent data length and count.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42130\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42131", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42131" + }, + { + "url": "https://git.kernel.org/stable/c/2b2d2b8766db028bd827af34075f221ae9e9efff" + }, + { + "url": "https://git.kernel.org/stable/c/385d838df280eba6c8680f9777bfa0d0bfe7e8b2" + }, + { + "url": "https://git.kernel.org/stable/c/4d3817b64eda07491bdd86a234629fe0764fb42a" + }, + { + "url": "https://git.kernel.org/stable/c/7a49389771ae7666f4dc3426e2a4594bf23ae290" + }, + { + "url": "https://git.kernel.org/stable/c/8e0b5e7f2895eccef5c2a0018b589266f90c4805" + }, + { + "url": "https://git.kernel.org/stable/c/a25e8536184516b55ef89ab91dd2eea429de28d2" + }, + { + "url": "https://git.kernel.org/stable/c/bd16a7ee339aef3ee4c90cb23902afb6af379ea0" + }, + { + "url": "https://git.kernel.org/stable/c/c83ed422c24f0d4b264f89291d4fabe285f80dbc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42131 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42131", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: avoid overflows in dirty throttling logic\n\nThe dirty throttling logic is interspersed with assumptions that dirty\nlimits in PAGE_SIZE units fit into 32-bit (so that various multiplications\nfit into 64-bits). If limits end up being larger, we will hit overflows,\npossible divisions by 0 etc. Fix these problems by never allowing so\nlarge dirty limits as they have dubious practical value anyway. For\ndirty_bytes / dirty_background_bytes interfaces we can just refuse to set\nso large limits. For dirty_ratio / dirty_background_ratio it isn't so\nsimple as the dirty limit is computed from the amount of available memory\nwhich can change due to memory hotplug etc. So when converting dirty\nlimits from ratios to numbers of pages, we just don't allow the result to\nexceed UINT_MAX.\n\nThis is root-only triggerable problem which occurs when the operator\nsets dirty limits to >16 TB.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42131\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42131\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42131\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42131\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42131\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b2d2b8766db028bd827af34075f221ae9e9efff\",\n \"https://git.kernel.org/stable/c/385d838df280eba6c8680f9777bfa0d0bfe7e8b2\",\n \"https://git.kernel.org/stable/c/4d3817b64eda07491bdd86a234629fe0764fb42a\",\n \"https://git.kernel.org/stable/c/7a49389771ae7666f4dc3426e2a4594bf23ae290\",\n \"https://git.kernel.org/stable/c/8e0b5e7f2895eccef5c2a0018b589266f90c4805\",\n \"https://git.kernel.org/stable/c/a25e8536184516b55ef89ab91dd2eea429de28d2\",\n \"https://git.kernel.org/stable/c/bd16a7ee339aef3ee4c90cb23902afb6af379ea0\",\n \"https://git.kernel.org/stable/c/c83ed422c24f0d4b264f89291d4fabe285f80dbc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: avoid overflows in dirty throttling logic\\n\\nThe dirty throttling logic is interspersed with assumptions that dirty\\nlimits in PAGE_SIZE units fit into 32-bit (so that various multiplications\\nfit into 64-bits). If limits end up being larger, we will hit overflows,\\npossible divisions by 0 etc. Fix these problems by never allowing so\\nlarge dirty limits as they have dubious practical value anyway. For\\ndirty_bytes / dirty_background_bytes interfaces we can just refuse to set\\nso large limits. For dirty_ratio / dirty_background_ratio it isn't so\\nsimple as the dirty limit is computed from the amount of available memory\\nwhich can change due to memory hotplug etc. So when converting dirty\\nlimits from ratios to numbers of pages, we just don't allow the result to\\nexceed UINT_MAX.\\n\\nThis is root-only triggerable problem which occurs when the operator\\nsets dirty limits to >16 TB.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42131\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42134", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42134" + }, + { + "url": "https://git.kernel.org/stable/c/5e2024b0b9b3d5709e3f7e9b92951d7e29154106" + }, + { + "url": "https://git.kernel.org/stable/c/c8fae27d141a32a1624d0d0d5419d94252824498" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42134 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42134", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-pci: Check if is_avq is NULL\n\n[bug]\nIn the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved\nto determine whether it is admin virtqueue, but this function vp_dev->is_avq\n may be empty. For installations, virtio_pci_legacy does not assign a value\n to vp_dev->is_avq.\n\n[fix]\nCheck whether it is vp_dev->is_avq before use.\n\n[test]\nTest with virsh Attach device\nBefore this patch, the following command would crash the guest system\n\nAfter applying the patch, everything seems to be working fine.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42134\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42134\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42134\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42134\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42134\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5e2024b0b9b3d5709e3f7e9b92951d7e29154106\",\n \"https://git.kernel.org/stable/c/c8fae27d141a32a1624d0d0d5419d94252824498\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvirtio-pci: Check if is_avq is NULL\\n\\n[bug]\\nIn the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved\\nto determine whether it is admin virtqueue, but this function vp_dev->is_avq\\n may be empty. For installations, virtio_pci_legacy does not assign a value\\n to vp_dev->is_avq.\\n\\n[fix]\\nCheck whether it is vp_dev->is_avq before use.\\n\\n[test]\\nTest with virsh Attach device\\nBefore this patch, the following command would crash the guest system\\n\\nAfter applying the patch, everything seems to be working fine.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42134\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42135", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42135" + }, + { + "url": "https://git.kernel.org/stable/c/abe067dc3a662eef7d5cddbbc41ed50a0b68b0af" + }, + { + "url": "https://git.kernel.org/stable/c/db5247d9bf5c6ade9fd70b4e4897441e0269b233" + }, + { + "url": "https://git.kernel.org/stable/c/dec987fe2df670827eb53b97c9552ed8dfc63ad4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42135 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42135", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost_task: Handle SIGKILL by flushing work and exiting\n\nInstead of lingering until the device is closed, this has us handle\nSIGKILL by:\n\n1. marking the worker as killed so we no longer try to use it with\n new virtqueues and new flush operations.\n2. setting the virtqueue to worker mapping so no new works are queued.\n3. running all the exiting works.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42135\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42135\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42135\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42135\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42135\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/abe067dc3a662eef7d5cddbbc41ed50a0b68b0af\",\n \"https://git.kernel.org/stable/c/db5247d9bf5c6ade9fd70b4e4897441e0269b233\",\n \"https://git.kernel.org/stable/c/dec987fe2df670827eb53b97c9552ed8dfc63ad4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvhost_task: Handle SIGKILL by flushing work and exiting\\n\\nInstead of lingering until the device is closed, this has us handle\\nSIGKILL by:\\n\\n1. marking the worker as killed so we no longer try to use it with\\n new virtqueues and new flush operations.\\n2. setting the virtqueue to worker mapping so no new works are queued.\\n3. running all the exiting works.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42135\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42136", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42136" + }, + { + "url": "https://git.kernel.org/stable/c/0c97527e916054acc4a46ffb02842988acb2e92b" + }, + { + "url": "https://git.kernel.org/stable/c/3ee21e14c8c329168a0b66bab00ecd18f5d0dee3" + }, + { + "url": "https://git.kernel.org/stable/c/e809bc112712da8f7e15822674c6562da6cdf24c" + }, + { + "url": "https://git.kernel.org/stable/c/efb905aeb44b0e99c0e6b07865b1885ae0471ebf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42136 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42136", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncdrom: rearrange last_media_change check to avoid unintentional overflow\n\nWhen running syzkaller with the newly reintroduced signed integer wrap\nsanitizer we encounter this splat:\n\n[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33\n[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')\n[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO\n[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 366.027518] Call Trace:\n[ 366.027523] \n[ 366.027533] dump_stack_lvl+0x93/0xd0\n[ 366.027899] handle_overflow+0x171/0x1b0\n[ 366.038787] ata1.00: invalid multi_count 32 ignored\n[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10\n[ 366.063932] ? __pm_runtime_resume+0xe6/0x130\n[ 366.071923] sr_block_ioctl+0x15d/0x1d0\n[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10\n[ 366.077642] blkdev_ioctl+0x419/0x500\n[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10\n...\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang. It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rearrange the check to not perform any arithmetic, thus not\ntripping the sanitizer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42136\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42136\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42136\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42136\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42136\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c97527e916054acc4a46ffb02842988acb2e92b\",\n \"https://git.kernel.org/stable/c/3ee21e14c8c329168a0b66bab00ecd18f5d0dee3\",\n \"https://git.kernel.org/stable/c/e809bc112712da8f7e15822674c6562da6cdf24c\",\n \"https://git.kernel.org/stable/c/efb905aeb44b0e99c0e6b07865b1885ae0471ebf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncdrom: rearrange last_media_change check to avoid unintentional overflow\\n\\nWhen running syzkaller with the newly reintroduced signed integer wrap\\nsanitizer we encounter this splat:\\n\\n[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33\\n[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')\\n[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO\\n[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\\n[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\\n[ 366.027518] Call Trace:\\n[ 366.027523] \\n[ 366.027533] dump_stack_lvl+0x93/0xd0\\n[ 366.027899] handle_overflow+0x171/0x1b0\\n[ 366.038787] ata1.00: invalid multi_count 32 ignored\\n[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10\\n[ 366.063932] ? __pm_runtime_resume+0xe6/0x130\\n[ 366.071923] sr_block_ioctl+0x15d/0x1d0\\n[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10\\n[ 366.077642] blkdev_ioctl+0x419/0x500\\n[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10\\n...\\n\\nHistorically, the signed integer overflow sanitizer did not work in the\\nkernel due to its interaction with `-fwrapv` but this has since been\\nchanged [1] in the newest version of Clang. It was re-enabled in the\\nkernel with Commit 557f8c582a9ba8ab (\\\"ubsan: Reintroduce signed overflow\\nsanitizer\\\").\\n\\nLet's rearrange the check to not perform any arithmetic, thus not\\ntripping the sanitizer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42136\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42137", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42137" + }, + { + "url": "https://git.kernel.org/stable/c/215a26c2404fa34625c725d446967fa328a703eb" + }, + { + "url": "https://git.kernel.org/stable/c/4ca6013cd18e58ac1044908c40d4006a92093a11" + }, + { + "url": "https://git.kernel.org/stable/c/88e72239ead9814b886db54fc4ee39ef3c2b8f26" + }, + { + "url": "https://git.kernel.org/stable/c/977b9dc65e14fb80de4763d949c7dec2ecb15b9b" + }, + { + "url": "https://git.kernel.org/stable/c/e2d8aa4c763593704ac21e7591aed4f13e32f3b5" + }, + { + "url": "https://git.kernel.org/stable/c/e6e200b264271f62a3fadb51ada9423015ece37b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42137 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42137", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot\n\nCommit 272970be3dab (\"Bluetooth: hci_qca: Fix driver shutdown on closed\nserdev\") will cause below regression issue:\n\nBT can't be enabled after below steps:\ncold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure\nif property enable-gpios is not configured within DT|ACPI for QCA6390.\n\nThe commit is to fix a use-after-free issue within qca_serdev_shutdown()\nby adding condition to avoid the serdev is flushed or wrote after closed\nbut also introduces this regression issue regarding above steps since the\nVSC is not sent to reset controller during warm reboot.\n\nFixed by sending the VSC to reset controller within qca_serdev_shutdown()\nonce BT was ever enabled, and the use-after-free issue is also fixed by\nthis change since the serdev is still opened before it is flushed or wrote.\n\nVerified by the reported machine Dell XPS 13 9310 laptop over below two\nkernel commits:\ncommit e00fc2700a3f (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of bluetooth-next tree.\ncommit b23d98d46d28 (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of linus mainline tree.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42137\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42137\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42137\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42137\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42137\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/215a26c2404fa34625c725d446967fa328a703eb\",\n \"https://git.kernel.org/stable/c/4ca6013cd18e58ac1044908c40d4006a92093a11\",\n \"https://git.kernel.org/stable/c/88e72239ead9814b886db54fc4ee39ef3c2b8f26\",\n \"https://git.kernel.org/stable/c/977b9dc65e14fb80de4763d949c7dec2ecb15b9b\",\n \"https://git.kernel.org/stable/c/e2d8aa4c763593704ac21e7591aed4f13e32f3b5\",\n \"https://git.kernel.org/stable/c/e6e200b264271f62a3fadb51ada9423015ece37b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot\\n\\nCommit 272970be3dab (\\\"Bluetooth: hci_qca: Fix driver shutdown on closed\\nserdev\\\") will cause below regression issue:\\n\\nBT can't be enabled after below steps:\\ncold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure\\nif property enable-gpios is not configured within DT|ACPI for QCA6390.\\n\\nThe commit is to fix a use-after-free issue within qca_serdev_shutdown()\\nby adding condition to avoid the serdev is flushed or wrote after closed\\nbut also introduces this regression issue regarding above steps since the\\nVSC is not sent to reset controller during warm reboot.\\n\\nFixed by sending the VSC to reset controller within qca_serdev_shutdown()\\nonce BT was ever enabled, and the use-after-free issue is also fixed by\\nthis change since the serdev is still opened before it is flushed or wrote.\\n\\nVerified by the reported machine Dell XPS 13 9310 laptop over below two\\nkernel commits:\\ncommit e00fc2700a3f (\\\"Bluetooth: btusb: Fix triggering coredump\\nimplementation for QCA\\\") of bluetooth-next tree.\\ncommit b23d98d46d28 (\\\"Bluetooth: btusb: Fix triggering coredump\\nimplementation for QCA\\\") of linus mainline tree.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42137\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42139", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42139" + }, + { + "url": "https://git.kernel.org/stable/c/00d3b4f54582d4e4a02cda5886bb336eeab268cc" + }, + { + "url": "https://git.kernel.org/stable/c/9f69b31ae9e25dec27ad31fbc64dd99af16ee3d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42139 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42139", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix improper extts handling\n\nExtts events are disabled and enabled by the application ts2phc.\nHowever, in case where the driver is removed when the application is\nrunning, a specific extts event remains enabled and can cause a kernel\ncrash.\nAs a side effect, when the driver is reloaded and application is started\nagain, remaining extts event for the channel from a previous run will\nkeep firing and the message \"extts on unexpected channel\" might be\nprinted to the user.\n\nTo avoid that, extts events shall be disabled when PTP is released.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42139\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42139\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42139\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42139\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42139\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00d3b4f54582d4e4a02cda5886bb336eeab268cc\",\n \"https://git.kernel.org/stable/c/9f69b31ae9e25dec27ad31fbc64dd99af16ee3d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: Fix improper extts handling\\n\\nExtts events are disabled and enabled by the application ts2phc.\\nHowever, in case where the driver is removed when the application is\\nrunning, a specific extts event remains enabled and can cause a kernel\\ncrash.\\nAs a side effect, when the driver is reloaded and application is started\\nagain, remaining extts event for the channel from a previous run will\\nkeep firing and the message \\\"extts on unexpected channel\\\" might be\\nprinted to the user.\\n\\nTo avoid that, extts events shall be disabled when PTP is released.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42139\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42140", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42140" + }, + { + "url": "https://git.kernel.org/stable/c/484dd545271d02d1571e1c6b62ea7df9dbe5e692" + }, + { + "url": "https://git.kernel.org/stable/c/653deee48a4682ea17a05b96fb6842795ab5943c" + }, + { + "url": "https://git.kernel.org/stable/c/7692c9b6baacdee378435f58f19baf0eb69e4155" + }, + { + "url": "https://git.kernel.org/stable/c/bb80a7911218bbab2a69b5db7d2545643ab0073d" + }, + { + "url": "https://git.kernel.org/stable/c/c562ba719df570c986caf0941fea2449150bcbc4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42140 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42140", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: kexec: Avoid deadlock in kexec crash path\n\nIf the kexec crash code is called in the interrupt context, the\nmachine_kexec_mask_interrupts() function will trigger a deadlock while\ntrying to acquire the irqdesc spinlock and then deactivate irqchip in\nirq_set_irqchip_state() function.\n\nUnlike arm64, riscv only requires irq_eoi handler to complete EOI and\nkeeping irq_set_irqchip_state() will only leave this possible deadlock\nwithout any use. So we simply remove it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42140\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42140\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42140\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42140\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42140\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/484dd545271d02d1571e1c6b62ea7df9dbe5e692\",\n \"https://git.kernel.org/stable/c/653deee48a4682ea17a05b96fb6842795ab5943c\",\n \"https://git.kernel.org/stable/c/7692c9b6baacdee378435f58f19baf0eb69e4155\",\n \"https://git.kernel.org/stable/c/bb80a7911218bbab2a69b5db7d2545643ab0073d\",\n \"https://git.kernel.org/stable/c/c562ba719df570c986caf0941fea2449150bcbc4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: kexec: Avoid deadlock in kexec crash path\\n\\nIf the kexec crash code is called in the interrupt context, the\\nmachine_kexec_mask_interrupts() function will trigger a deadlock while\\ntrying to acquire the irqdesc spinlock and then deactivate irqchip in\\nirq_set_irqchip_state() function.\\n\\nUnlike arm64, riscv only requires irq_eoi handler to complete EOI and\\nkeeping irq_set_irqchip_state() will only leave this possible deadlock\\nwithout any use. So we simply remove it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42140\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42143", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42143" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42143 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42143", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42143\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42143\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42143\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42143\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42143\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42143\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42144", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42144" + }, + { + "url": "https://git.kernel.org/stable/c/79ef1a5593fdb8aa4dbccf6085c48f1739338bc9" + }, + { + "url": "https://git.kernel.org/stable/c/a1191a77351e25ddf091bb1a231cae12ee598b5d" + }, + { + "url": "https://git.kernel.org/stable/c/fd7ae1cabfedd727be5bee774c87acbc7b10b886" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42144 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42144", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data\n\nVerify that lvts_data is not NULL before using it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42144\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42144\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42144\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42144\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42144\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/79ef1a5593fdb8aa4dbccf6085c48f1739338bc9\",\n \"https://git.kernel.org/stable/c/a1191a77351e25ddf091bb1a231cae12ee598b5d\",\n \"https://git.kernel.org/stable/c/fd7ae1cabfedd727be5bee774c87acbc7b10b886\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data\\n\\nVerify that lvts_data is not NULL before using it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42144\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42145", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42145" + }, + { + "url": "https://git.kernel.org/stable/c/1288cf1cceb0e6df276e182f5412370fb4169bcb" + }, + { + "url": "https://git.kernel.org/stable/c/62349fbf86b5e13b02721bdadf98c29afd1e7b5f" + }, + { + "url": "https://git.kernel.org/stable/c/63d202d948bb6d3a28cd8e8b96b160fa53e18baa" + }, + { + "url": "https://git.kernel.org/stable/c/a6627fba793cc75b7365d9504a0095fb2902dda4" + }, + { + "url": "https://git.kernel.org/stable/c/b4913702419d064ec4c4bbf7270643c95cc89a1b" + }, + { + "url": "https://git.kernel.org/stable/c/b8c5f635997f49c625178d1a0cb32a80ed33abe6" + }, + { + "url": "https://git.kernel.org/stable/c/ca0b44e20a6f3032224599f02e7c8fb49525c894" + }, + { + "url": "https://git.kernel.org/stable/c/d73cb8862e4d6760ccc94d3b57b9ef6271400607" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42145 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42145", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Implement a limit on UMAD receive List\n\nThe existing behavior of ib_umad, which maintains received MAD\npackets in an unbounded list, poses a risk of uncontrolled growth.\nAs user-space applications extract packets from this list, the rate\nof extraction may not match the rate of incoming packets, leading\nto potential list overflow.\n\nTo address this, we introduce a limit to the size of the list. After\nconsidering typical scenarios, such as OpenSM processing, which can\nhandle approximately 100k packets per second, and the 1-second retry\ntimeout for most packets, we set the list size limit to 200k. Packets\nreceived beyond this limit are dropped, assuming they are likely timed\nout by the time they are handled by user-space.\n\nNotably, packets queued on the receive list due to reasons like\ntimed-out sends are preserved even when the list is full.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42145\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42145\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42145\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42145\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42145\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1288cf1cceb0e6df276e182f5412370fb4169bcb\",\n \"https://git.kernel.org/stable/c/62349fbf86b5e13b02721bdadf98c29afd1e7b5f\",\n \"https://git.kernel.org/stable/c/63d202d948bb6d3a28cd8e8b96b160fa53e18baa\",\n \"https://git.kernel.org/stable/c/a6627fba793cc75b7365d9504a0095fb2902dda4\",\n \"https://git.kernel.org/stable/c/b4913702419d064ec4c4bbf7270643c95cc89a1b\",\n \"https://git.kernel.org/stable/c/b8c5f635997f49c625178d1a0cb32a80ed33abe6\",\n \"https://git.kernel.org/stable/c/ca0b44e20a6f3032224599f02e7c8fb49525c894\",\n \"https://git.kernel.org/stable/c/d73cb8862e4d6760ccc94d3b57b9ef6271400607\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/core: Implement a limit on UMAD receive List\\n\\nThe existing behavior of ib_umad, which maintains received MAD\\npackets in an unbounded list, poses a risk of uncontrolled growth.\\nAs user-space applications extract packets from this list, the rate\\nof extraction may not match the rate of incoming packets, leading\\nto potential list overflow.\\n\\nTo address this, we introduce a limit to the size of the list. After\\nconsidering typical scenarios, such as OpenSM processing, which can\\nhandle approximately 100k packets per second, and the 1-second retry\\ntimeout for most packets, we set the list size limit to 200k. Packets\\nreceived beyond this limit are dropped, assuming they are likely timed\\nout by the time they are handled by user-space.\\n\\nNotably, packets queued on the receive list due to reasons like\\ntimed-out sends are preserved even when the list is full.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42145\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42146", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42146" + }, + { + "url": "https://git.kernel.org/stable/c/0888d15ea45ba8ef4508edd1123ea5ad95b58994" + }, + { + "url": "https://git.kernel.org/stable/c/f9116f658a6217b101e3b4e89f845775b6fb05d9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42146 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42146", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf\n\nAny kunit doing any memory access should get their own runtime_pm\nouter references since they don't use the standard driver API\nentries. In special this dma_buf from the same driver.\n\nFound by pre-merge CI on adding WARN calls for unprotected\ninner callers:\n\n<6> [318.639739] # xe_dma_buf_kunit: running xe_test_dmabuf_import_same_driver\n<4> [318.639957] ------------[ cut here ]------------\n<4> [318.639967] xe 0000:4d:00.0: Missing outer runtime PM protection\n<4> [318.640049] WARNING: CPU: 117 PID: 3832 at drivers/gpu/drm/xe/xe_pm.c:533 xe_pm_runtime_get_noresume+0x48/0x60 [xe]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42146\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42146\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42146\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42146\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42146\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0888d15ea45ba8ef4508edd1123ea5ad95b58994\",\n \"https://git.kernel.org/stable/c/f9116f658a6217b101e3b4e89f845775b6fb05d9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf\\n\\nAny kunit doing any memory access should get their own runtime_pm\\nouter references since they don't use the standard driver API\\nentries. In special this dma_buf from the same driver.\\n\\nFound by pre-merge CI on adding WARN calls for unprotected\\ninner callers:\\n\\n<6> [318.639739] # xe_dma_buf_kunit: running xe_test_dmabuf_import_same_driver\\n<4> [318.639957] ------------[ cut here ]------------\\n<4> [318.639967] xe 0000:4d:00.0: Missing outer runtime PM protection\\n<4> [318.640049] WARNING: CPU: 117 PID: 3832 at drivers/gpu/drm/xe/xe_pm.c:533 xe_pm_runtime_get_noresume+0x48/0x60 [xe]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42146\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42147", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42147" + }, + { + "url": "https://git.kernel.org/stable/c/7fc8d9a525b5c3f8dfa5ed50901e764d8ede7e1e" + }, + { + "url": "https://git.kernel.org/stable/c/8be0913389718e8d27c4f1d4537b5e1b99ed7739" + }, + { + "url": "https://git.kernel.org/stable/c/e0a2d2df9ba7bd6bd7e0a9b6a5e3894f7e8445b3" + }, + { + "url": "https://git.kernel.org/stable/c/eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42147 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42147", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/debugfs - Fix debugfs uninit process issue\n\nDuring the zip probe process, the debugfs failure does not stop\nthe probe. When debugfs initialization fails, jumping to the\nerror branch will also release regs, in addition to its own\nrollback operation.\n\nAs a result, it may be released repeatedly during the regs\nuninit process. Therefore, the null check needs to be added to\nthe regs uninit process.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42147\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42147\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42147\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42147\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42147\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7fc8d9a525b5c3f8dfa5ed50901e764d8ede7e1e\",\n \"https://git.kernel.org/stable/c/8be0913389718e8d27c4f1d4537b5e1b99ed7739\",\n \"https://git.kernel.org/stable/c/e0a2d2df9ba7bd6bd7e0a9b6a5e3894f7e8445b3\",\n \"https://git.kernel.org/stable/c/eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: hisilicon/debugfs - Fix debugfs uninit process issue\\n\\nDuring the zip probe process, the debugfs failure does not stop\\nthe probe. When debugfs initialization fails, jumping to the\\nerror branch will also release regs, in addition to its own\\nrollback operation.\\n\\nAs a result, it may be released repeatedly during the regs\\nuninit process. Therefore, the null check needs to be added to\\nthe regs uninit process.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42147\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42148", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42148" + }, + { + "url": "https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b" + }, + { + "url": "https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7" + }, + { + "url": "https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f" + }, + { + "url": "https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce" + }, + { + "url": "https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d" + }, + { + "url": "https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f" + }, + { + "url": "https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e" + }, + { + "url": "https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42148 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42148", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnx2x: Fix multiple UBSAN array-index-out-of-bounds\n\nFix UBSAN warnings that occur when using a system with 32 physical\ncpu cores or more, or when the user defines a number of Ethernet\nqueues greater than or equal to FP_SB_MAX_E1x using the num_queues\nmodule parameter.\n\nCurrently there is a read/write out of bounds that occurs on the array\n\"struct stats_query_entry query\" present inside the \"bnx2x_fw_stats_req\"\nstruct in \"drivers/net/ethernet/broadcom/bnx2x/bnx2x.h\".\nLooking at the definition of the \"struct stats_query_entry query\" array:\n\nstruct stats_query_entry query[FP_SB_MAX_E1x+\n BNX2X_FIRST_QUEUE_QUERY_IDX];\n\nFP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and\nhas a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3\nmeaning the array has a total size of 19.\nSince accesses to \"struct stats_query_entry query\" are offset-ted by\nBNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet\nqueues should not exceed FP_SB_MAX_E1x (16). However one of these queues\nis reserved for FCOE and thus the number of Ethernet queues should be set\nto [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if\nit is not.\n\nThis is also described in a comment in the source code in\ndrivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition\nof FP_SB_MAX_E1x. Below is the part of this explanation that it important\nfor this patch\n\n/*\n * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is\n * control by the number of fast-path status blocks supported by the\n * device (HW/FW). Each fast-path status block (FP-SB) aka non-default\n * status block represents an independent interrupts context that can\n * serve a regular L2 networking queue. However special L2 queues such\n * as the FCoE queue do not require a FP-SB and other components like\n * the CNIC may consume FP-SB reducing the number of possible L2 queues\n *\n * If the maximum number of FP-SB available is X then:\n * a. If CNIC is supported it consumes 1 FP-SB thus the max number of\n * regular L2 queues is Y=X-1\n * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)\n * c. If the FCoE L2 queue is supported the actual number of L2 queues\n * is Y+1\n * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for\n * slow-path interrupts) or Y+2 if CNIC is supported (one additional\n * FP interrupt context for the CNIC).\n * e. The number of HW context (CID count) is always X or X+1 if FCoE\n * L2 queue is supported. The cid for the FCoE L2 queue is always X.\n */\n\nHowever this driver also supports NICs that use the E2 controller which can\nhandle more queues due to having more FP-SB represented by FP_SB_MAX_E2.\nLooking at the commits when the E2 support was added, it was originally\nusing the E1x parameters: commit f2e0899f0f27 (\"bnx2x: Add 57712 support\").\nBack then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver\nwas later updated to take full advantage of the E2 instead of having it be\nlimited to the capabilities of the E1x. But as far as we can tell, the\narray \"stats_query_entry query\" was still limited to using the FP-SB\navailable to the E1x cards as part of an oversignt when the driver was\nupdated to take full advantage of the E2, and now with the driver being\naware of the greater queue size supported by E2 NICs, it causes the UBSAN\nwarnings seen in the stack traces below.\n\nThis patch increases the size of the \"stats_query_entry query\" array by\nreplacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle\nboth types of NICs.\n\nStack traces:\n\nUBSAN: array-index-out-of-bounds in\n drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11\nindex 20 is out of range for type 'stats_query_entry [19]'\nCPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic\n\t #202405052133\nHardware name: HP ProLiant DL360 Gen9/ProLiant DL360 \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42148\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42148\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42148\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42148\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42148\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b\",\n \"https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7\",\n \"https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f\",\n \"https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce\",\n \"https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d\",\n \"https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f\",\n \"https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e\",\n \"https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbnx2x: Fix multiple UBSAN array-index-out-of-bounds\\n\\nFix UBSAN warnings that occur when using a system with 32 physical\\ncpu cores or more, or when the user defines a number of Ethernet\\nqueues greater than or equal to FP_SB_MAX_E1x using the num_queues\\nmodule parameter.\\n\\nCurrently there is a read/write out of bounds that occurs on the array\\n\\\"struct stats_query_entry query\\\" present inside the \\\"bnx2x_fw_stats_req\\\"\\nstruct in \\\"drivers/net/ethernet/broadcom/bnx2x/bnx2x.h\\\".\\nLooking at the definition of the \\\"struct stats_query_entry query\\\" array:\\n\\nstruct stats_query_entry query[FP_SB_MAX_E1x+\\n BNX2X_FIRST_QUEUE_QUERY_IDX];\\n\\nFP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and\\nhas a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3\\nmeaning the array has a total size of 19.\\nSince accesses to \\\"struct stats_query_entry query\\\" are offset-ted by\\nBNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet\\nqueues should not exceed FP_SB_MAX_E1x (16). However one of these queues\\nis reserved for FCOE and thus the number of Ethernet queues should be set\\nto [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if\\nit is not.\\n\\nThis is also described in a comment in the source code in\\ndrivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition\\nof FP_SB_MAX_E1x. Below is the part of this explanation that it important\\nfor this patch\\n\\n/*\\n * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is\\n * control by the number of fast-path status blocks supported by the\\n * device (HW/FW). Each fast-path status block (FP-SB) aka non-default\\n * status block represents an independent interrupts context that can\\n * serve a regular L2 networking queue. However special L2 queues such\\n * as the FCoE queue do not require a FP-SB and other components like\\n * the CNIC may consume FP-SB reducing the number of possible L2 queues\\n *\\n * If the maximum number of FP-SB available is X then:\\n * a. If CNIC is supported it consumes 1 FP-SB thus the max number of\\n * regular L2 queues is Y=X-1\\n * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)\\n * c. If the FCoE L2 queue is supported the actual number of L2 queues\\n * is Y+1\\n * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for\\n * slow-path interrupts) or Y+2 if CNIC is supported (one additional\\n * FP interrupt context for the CNIC).\\n * e. The number of HW context (CID count) is always X or X+1 if FCoE\\n * L2 queue is supported. The cid for the FCoE L2 queue is always X.\\n */\\n\\nHowever this driver also supports NICs that use the E2 controller which can\\nhandle more queues due to having more FP-SB represented by FP_SB_MAX_E2.\\nLooking at the commits when the E2 support was added, it was originally\\nusing the E1x parameters: commit f2e0899f0f27 (\\\"bnx2x: Add 57712 support\\\").\\nBack then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver\\nwas later updated to take full advantage of the E2 instead of having it be\\nlimited to the capabilities of the E1x. But as far as we can tell, the\\narray \\\"stats_query_entry query\\\" was still limited to using the FP-SB\\navailable to the E1x cards as part of an oversignt when the driver was\\nupdated to take full advantage of the E2, and now with the driver being\\naware of the greater queue size supported by E2 NICs, it causes the UBSAN\\nwarnings seen in the stack traces below.\\n\\nThis patch increases the size of the \\\"stats_query_entry query\\\" array by\\nreplacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle\\nboth types of NICs.\\n\\nStack traces:\\n\\nUBSAN: array-index-out-of-bounds in\\n drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11\\nindex 20 is out of range for type 'stats_query_entry [19]'\\nCPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic\\n\\t #202405052133\\nHardware name: HP ProLiant DL360 Gen9/ProLiant DL360 \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42148\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42151", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42151" + }, + { + "url": "https://git.kernel.org/stable/c/1479eaff1f16983d8fda7c5a08a586c21891087d" + }, + { + "url": "https://git.kernel.org/stable/c/7f79097b0de97a486b137b750d7dd7b20b519d23" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42151 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42151", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable\n\nTest case dummy_st_ops/dummy_init_ret_value passes NULL as the first\nparameter of the test_1() function. Mark this parameter as nullable to\nmake verifier aware of such possibility.\nOtherwise, NULL check in the test_1() code:\n\n SEC(\"struct_ops/test_1\")\n int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)\n {\n if (!state)\n return ...;\n\n ... access state ...\n }\n\nMight be removed by verifier, thus triggering NULL pointer dereference\nunder certain conditions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42151\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42151\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42151\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42151\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42151\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1479eaff1f16983d8fda7c5a08a586c21891087d\",\n \"https://git.kernel.org/stable/c/7f79097b0de97a486b137b750d7dd7b20b519d23\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable\\n\\nTest case dummy_st_ops/dummy_init_ret_value passes NULL as the first\\nparameter of the test_1() function. Mark this parameter as nullable to\\nmake verifier aware of such possibility.\\nOtherwise, NULL check in the test_1() code:\\n\\n SEC(\\\"struct_ops/test_1\\\")\\n int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)\\n {\\n if (!state)\\n return ...;\\n\\n ... access state ...\\n }\\n\\nMight be removed by verifier, thus triggering NULL pointer dereference\\nunder certain conditions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42151\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42152", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42152" + }, + { + "url": "https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa" + }, + { + "url": "https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1" + }, + { + "url": "https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33" + }, + { + "url": "https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da" + }, + { + "url": "https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5" + }, + { + "url": "https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42152 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42152", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a possible leak when destroy a ctrl during qp establishment\n\nIn nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we\nknow that a ctrl was allocated (in the admin connect request handler)\nand we need to release pending AERs, clear ctrl->sqs and sq->ctrl\n(for nvme-loop primarily), and drop the final reference on the ctrl.\n\nHowever, a small window is possible where nvmet_sq_destroy starts (as\na result of the client giving up and disconnecting) concurrently with\nthe nvme admin connect cmd (which may be in an early stage). But *before*\nkill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq\nlive reference). In this case, sq->ctrl was allocated however after it was\ncaptured in a local variable in nvmet_sq_destroy.\nThis prevented the final reference drop on the ctrl.\n\nSolve this by re-capturing the sq->ctrl after all inflight request has\ncompleted, where for sure sq->ctrl reference is final, and move forward\nbased on that.\n\nThis issue was observed in an environment with many hosts connecting\nmultiple ctrls simoutanuosly, creating a delay in allocating a ctrl\nleading up to this race window.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42152\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42152\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42152\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42152\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42152\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa\",\n \"https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1\",\n \"https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33\",\n \"https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da\",\n \"https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5\",\n \"https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvmet: fix a possible leak when destroy a ctrl during qp establishment\\n\\nIn nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we\\nknow that a ctrl was allocated (in the admin connect request handler)\\nand we need to release pending AERs, clear ctrl->sqs and sq->ctrl\\n(for nvme-loop primarily), and drop the final reference on the ctrl.\\n\\nHowever, a small window is possible where nvmet_sq_destroy starts (as\\na result of the client giving up and disconnecting) concurrently with\\nthe nvme admin connect cmd (which may be in an early stage). But *before*\\nkill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq\\nlive reference). In this case, sq->ctrl was allocated however after it was\\ncaptured in a local variable in nvmet_sq_destroy.\\nThis prevented the final reference drop on the ctrl.\\n\\nSolve this by re-capturing the sq->ctrl after all inflight request has\\ncompleted, where for sure sq->ctrl reference is final, and move forward\\nbased on that.\\n\\nThis issue was observed in an environment with many hosts connecting\\nmultiple ctrls simoutanuosly, creating a delay in allocating a ctrl\\nleading up to this race window.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42152\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42153", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42153" + }, + { + "url": "https://git.kernel.org/stable/c/27cd3873fa76ebeb9f948baae40cb9a6d8692289" + }, + { + "url": "https://git.kernel.org/stable/c/2849a1b747cf37aa5b684527104d3a53f1e296d2" + }, + { + "url": "https://git.kernel.org/stable/c/3503372d0bf7b324ec0bd6b90606703991426176" + }, + { + "url": "https://git.kernel.org/stable/c/3d32327f5cfc087ee3922a3bcdcc29880dcdb50f" + }, + { + "url": "https://git.kernel.org/stable/c/92e494a7568b60ae80d57fc0deafcaf3a4029ab3" + }, + { + "url": "https://git.kernel.org/stable/c/a349e5ab4dc9954746e836cd10b407ce48f9b2f6" + }, + { + "url": "https://git.kernel.org/stable/c/effe0500afda017a86c94482b1e36bc37586c9af" + }, + { + "url": "https://git.kernel.org/stable/c/f63b94be6942ba82c55343e196bd09b53227618e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42153 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42153", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr\n\nWhen del_timer_sync() is called in an interrupt context it throws a warning\nbecause of potential deadlock. The timer is used only to exit from\nwait_for_completion() after a timeout so replacing the call with\nwait_for_completion_timeout() allows to remove the problematic timer and\nits related functions altogether.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42153\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42153\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42153\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42153\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42153\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/27cd3873fa76ebeb9f948baae40cb9a6d8692289\",\n \"https://git.kernel.org/stable/c/2849a1b747cf37aa5b684527104d3a53f1e296d2\",\n \"https://git.kernel.org/stable/c/3503372d0bf7b324ec0bd6b90606703991426176\",\n \"https://git.kernel.org/stable/c/3d32327f5cfc087ee3922a3bcdcc29880dcdb50f\",\n \"https://git.kernel.org/stable/c/92e494a7568b60ae80d57fc0deafcaf3a4029ab3\",\n \"https://git.kernel.org/stable/c/a349e5ab4dc9954746e836cd10b407ce48f9b2f6\",\n \"https://git.kernel.org/stable/c/effe0500afda017a86c94482b1e36bc37586c9af\",\n \"https://git.kernel.org/stable/c/f63b94be6942ba82c55343e196bd09b53227618e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr\\n\\nWhen del_timer_sync() is called in an interrupt context it throws a warning\\nbecause of potential deadlock. The timer is used only to exit from\\nwait_for_completion() after a timeout so replacing the call with\\nwait_for_completion_timeout() allows to remove the problematic timer and\\nits related functions altogether.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42153\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42154", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42154" + }, + { + "url": "https://git.kernel.org/stable/c/19d997b59fa1fd7a02e770ee0881c0652b9c32c9" + }, + { + "url": "https://git.kernel.org/stable/c/2a2e79dbe2236a1289412d2044994f7ab419b44c" + }, + { + "url": "https://git.kernel.org/stable/c/31f03bb04146c1c6df6c03e9f45401f5f5a985d3" + }, + { + "url": "https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321" + }, + { + "url": "https://git.kernel.org/stable/c/66be40e622e177316ae81717aa30057ba9e61dff" + }, + { + "url": "https://git.kernel.org/stable/c/8c2debdd170e395934ac0e039748576dfde14e99" + }, + { + "url": "https://git.kernel.org/stable/c/cdffc358717e436bb67122bb82c1a2a26e050f98" + }, + { + "url": "https://git.kernel.org/stable/c/ef7c428b425beeb52b894e16f1c4b629d6cebfb6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42154 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42154", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_metrics: validate source addr length\n\nI don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4\nis at least 4 bytes long, and the policy doesn't have an entry\nfor this attribute at all (neither does it for IPv6 but v6 is\nmanually validated).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42154\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42154\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42154\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42154\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42154\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19d997b59fa1fd7a02e770ee0881c0652b9c32c9\",\n \"https://git.kernel.org/stable/c/2a2e79dbe2236a1289412d2044994f7ab419b44c\",\n \"https://git.kernel.org/stable/c/31f03bb04146c1c6df6c03e9f45401f5f5a985d3\",\n \"https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321\",\n \"https://git.kernel.org/stable/c/66be40e622e177316ae81717aa30057ba9e61dff\",\n \"https://git.kernel.org/stable/c/8c2debdd170e395934ac0e039748576dfde14e99\",\n \"https://git.kernel.org/stable/c/cdffc358717e436bb67122bb82c1a2a26e050f98\",\n \"https://git.kernel.org/stable/c/ef7c428b425beeb52b894e16f1c4b629d6cebfb6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp_metrics: validate source addr length\\n\\nI don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4\\nis at least 4 bytes long, and the policy doesn't have an entry\\nfor this attribute at all (neither does it for IPv6 but v6 is\\nmanually validated).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42154\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42155", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42155" + }, + { + "url": "https://git.kernel.org/stable/c/c746f7ced4ad88ee48d0b6c92710e4674403185b" + }, + { + "url": "https://git.kernel.org/stable/c/f2ebdadd85af4f4d0cae1e5d009c70eccc78c207" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42155 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42155", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe copies of protected- and secure-keys\n\nAlthough the clear-key of neither protected- nor secure-keys is\naccessible, this key material should only be visible to the calling\nprocess. So wipe all copies of protected- or secure-keys from stack,\neven in case of an error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42155\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42155\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42155\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42155\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42155\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/c746f7ced4ad88ee48d0b6c92710e4674403185b\",\n \"https://git.kernel.org/stable/c/f2ebdadd85af4f4d0cae1e5d009c70eccc78c207\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/pkey: Wipe copies of protected- and secure-keys\\n\\nAlthough the clear-key of neither protected- nor secure-keys is\\naccessible, this key material should only be visible to the calling\\nprocess. So wipe all copies of protected- or secure-keys from stack,\\neven in case of an error.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 1.9,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42155\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42156", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42156" + }, + { + "url": "https://git.kernel.org/stable/c/7f6243edd901b75aaece326c90a1cc0dcb60cc3d" + }, + { + "url": "https://git.kernel.org/stable/c/d65d76a44ffe74c73298ada25b0f578680576073" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42156 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42156", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe copies of clear-key structures on failure\n\nWipe all sensitive data from stack for all IOCTLs, which convert a\nclear-key into a protected- or secure-key.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42156\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42156\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42156\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42156\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42156\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7f6243edd901b75aaece326c90a1cc0dcb60cc3d\",\n \"https://git.kernel.org/stable/c/d65d76a44ffe74c73298ada25b0f578680576073\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/pkey: Wipe copies of clear-key structures on failure\\n\\nWipe all sensitive data from stack for all IOCTLs, which convert a\\nclear-key into a protected- or secure-key.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.1,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42156\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42157", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42157" + }, + { + "url": "https://git.kernel.org/stable/c/1d8c270de5eb74245d72325d285894a577a945d9" + }, + { + "url": "https://git.kernel.org/stable/c/4889f117755b2f18c23045a0f57977f3ec130581" + }, + { + "url": "https://git.kernel.org/stable/c/6e2e374403bf73140d0efc9541cb1b3bea55ac02" + }, + { + "url": "https://git.kernel.org/stable/c/90a01aefb84b09ccb6024d75d85bb8f620bd3487" + }, + { + "url": "https://git.kernel.org/stable/c/93c034c4314bc4c4450a3869cd5da298502346ad" + }, + { + "url": "https://git.kernel.org/stable/c/b5eb9176ebd4697bc248bf8d145e66d782cf5250" + }, + { + "url": "https://git.kernel.org/stable/c/c44a2151e5d21c66b070a056c26471f30719b575" + }, + { + "url": "https://git.kernel.org/stable/c/c51795885c801b6b7e976717e0d6d45b1e5be0f0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42157 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42157", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe sensitive data on failure\n\nWipe sensitive data from stack also if the copy_to_user() fails.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42157\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42157\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42157\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42157\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42157\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d8c270de5eb74245d72325d285894a577a945d9\",\n \"https://git.kernel.org/stable/c/4889f117755b2f18c23045a0f57977f3ec130581\",\n \"https://git.kernel.org/stable/c/6e2e374403bf73140d0efc9541cb1b3bea55ac02\",\n \"https://git.kernel.org/stable/c/90a01aefb84b09ccb6024d75d85bb8f620bd3487\",\n \"https://git.kernel.org/stable/c/93c034c4314bc4c4450a3869cd5da298502346ad\",\n \"https://git.kernel.org/stable/c/b5eb9176ebd4697bc248bf8d145e66d782cf5250\",\n \"https://git.kernel.org/stable/c/c44a2151e5d21c66b070a056c26471f30719b575\",\n \"https://git.kernel.org/stable/c/c51795885c801b6b7e976717e0d6d45b1e5be0f0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/pkey: Wipe sensitive data on failure\\n\\nWipe sensitive data from stack also if the copy_to_user() fails.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.1,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42157\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42158", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42158" + }, + { + "url": "https://git.kernel.org/stable/c/22e6824622e8a8889df0f8fc4ed5aea0e702a694" + }, + { + "url": "https://git.kernel.org/stable/c/62151a0acde90823bdfa991d598c85cf4b1d387d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42158 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42158", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Use kfree_sensitive() to fix Coccinelle warnings\n\nReplace memzero_explicit() and kfree() with kfree_sensitive() to fix\nwarnings reported by Coccinelle:\n\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506)\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643)\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42158\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42158\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42158\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42158\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42158\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22e6824622e8a8889df0f8fc4ed5aea0e702a694\",\n \"https://git.kernel.org/stable/c/62151a0acde90823bdfa991d598c85cf4b1d387d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/pkey: Use kfree_sensitive() to fix Coccinelle warnings\\n\\nReplace memzero_explicit() and kfree() with kfree_sensitive() to fix\\nwarnings reported by Coccinelle:\\n\\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506)\\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643)\\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.1,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42158\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42160", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42160" + }, + { + "url": "https://git.kernel.org/stable/c/44958ca9e400f57bd0478115519ffc350fcee61e" + }, + { + "url": "https://git.kernel.org/stable/c/4ed886b187f47447ad559619c48c086f432d2b77" + }, + { + "url": "https://git.kernel.org/stable/c/bc84dd2c33e0c10fd90d60f0cfc0bfb504d4692d" + }, + { + "url": "https://git.kernel.org/stable/c/ecb641f424d6d1f055d149a15b892edcc92c504b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42160 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42160", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: check validation of fault attrs in f2fs_build_fault_attr()\n\n- It missed to check validation of fault attrs in parse_options(),\nlet's fix to add check condition in f2fs_build_fault_attr().\n- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42160\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42160\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42160\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42160\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42160\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/44958ca9e400f57bd0478115519ffc350fcee61e\",\n \"https://git.kernel.org/stable/c/4ed886b187f47447ad559619c48c086f432d2b77\",\n \"https://git.kernel.org/stable/c/bc84dd2c33e0c10fd90d60f0cfc0bfb504d4692d\",\n \"https://git.kernel.org/stable/c/ecb641f424d6d1f055d149a15b892edcc92c504b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: check validation of fault attrs in f2fs_build_fault_attr()\\n\\n- It missed to check validation of fault attrs in parse_options(),\\nlet's fix to add check condition in f2fs_build_fault_attr().\\n- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42160\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42161", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42161" + }, + { + "url": "https://git.kernel.org/stable/c/009367099eb61a4fc2af44d4eb06b6b4de7de6db" + }, + { + "url": "https://git.kernel.org/stable/c/3364c2ed1c241989847f19cf83e3db903ce689e3" + }, + { + "url": "https://git.kernel.org/stable/c/7e5471b5efebc30dd0bc035cda86693a5c73d45f" + }, + { + "url": "https://git.kernel.org/stable/c/a21d76bd0b0d39518e9a4c19f6cf7c042a974aff" + }, + { + "url": "https://git.kernel.org/stable/c/b694989bb13ed5f166e633faa1eb0f21c6d261a6" + }, + { + "url": "https://git.kernel.org/stable/c/ff941a8449e712eaf7efca1a13bfb9afd3d99fc2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42161 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42161", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD\n\n[Changes from V1:\n - Use a default branch in the switch statement to initialize `val'.]\n\nGCC warns that `val' may be used uninitialized in the\nBPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as:\n\n\t[...]\n\tunsigned long long val;\t\t\t\t\t\t \\\n\t[...]\t\t\t\t\t\t\t\t \\\n\tswitch (__CORE_RELO(s, field, BYTE_SIZE)) {\t\t\t \\\n\tcase 1: val = *(const unsigned char *)p; break;\t\t\t \\\n\tcase 2: val = *(const unsigned short *)p; break;\t\t \\\n\tcase 4: val = *(const unsigned int *)p; break;\t\t\t \\\n\tcase 8: val = *(const unsigned long long *)p; break;\t\t \\\n } \t\t\t\t\t\t\t \\\n\t[...]\n\tval;\t\t\t\t\t\t\t\t \\\n\t}\t\t\t\t\t\t\t\t \\\n\nThis patch adds a default entry in the switch statement that sets\n`val' to zero in order to avoid the warning, and random values to be\nused in case __builtin_preserve_field_info returns unexpected values\nfor BPF_FIELD_BYTE_SIZE.\n\nTested in bpf-next master.\nNo regressions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42161\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42161\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42161\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42161\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42161\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/009367099eb61a4fc2af44d4eb06b6b4de7de6db\",\n \"https://git.kernel.org/stable/c/3364c2ed1c241989847f19cf83e3db903ce689e3\",\n \"https://git.kernel.org/stable/c/7e5471b5efebc30dd0bc035cda86693a5c73d45f\",\n \"https://git.kernel.org/stable/c/a21d76bd0b0d39518e9a4c19f6cf7c042a974aff\",\n \"https://git.kernel.org/stable/c/b694989bb13ed5f166e633faa1eb0f21c6d261a6\",\n \"https://git.kernel.org/stable/c/ff941a8449e712eaf7efca1a13bfb9afd3d99fc2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD\\n\\n[Changes from V1:\\n - Use a default branch in the switch statement to initialize `val'.]\\n\\nGCC warns that `val' may be used uninitialized in the\\nBPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as:\\n\\n\\t[...]\\n\\tunsigned long long val;\\t\\t\\t\\t\\t\\t \\\\\\n\\t[...]\\t\\t\\t\\t\\t\\t\\t\\t \\\\\\n\\tswitch (__CORE_RELO(s, field, BYTE_SIZE)) {\\t\\t\\t \\\\\\n\\tcase 1: val = *(const unsigned char *)p; break;\\t\\t\\t \\\\\\n\\tcase 2: val = *(const unsigned short *)p; break;\\t\\t \\\\\\n\\tcase 4: val = *(const unsigned int *)p; break;\\t\\t\\t \\\\\\n\\tcase 8: val = *(const unsigned long long *)p; break;\\t\\t \\\\\\n } \\t\\t\\t\\t\\t\\t\\t \\\\\\n\\t[...]\\n\\tval;\\t\\t\\t\\t\\t\\t\\t\\t \\\\\\n\\t}\\t\\t\\t\\t\\t\\t\\t\\t \\\\\\n\\nThis patch adds a default entry in the switch statement that sets\\n`val' to zero in order to avoid the warning, and random values to be\\nused in case __builtin_preserve_field_info returns unexpected values\\nfor BPF_FIELD_BYTE_SIZE.\\n\\nTested in bpf-next master.\\nNo regressions.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42161\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42223", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42223" + }, + { + "url": "https://git.kernel.org/stable/c/1121d8a5c6ed6b8fad492e43b63b386cb6a3a9d8" + }, + { + "url": "https://git.kernel.org/stable/c/1663e2474e4d777187d749a5c90ae83232db32bd" + }, + { + "url": "https://git.kernel.org/stable/c/1aa1329a67cc214c3b7bd2a14d1301a795760b07" + }, + { + "url": "https://git.kernel.org/stable/c/5c72587d024f087aecec0221eaff2fe850d856ce" + }, + { + "url": "https://git.kernel.org/stable/c/8167e4d7dc086d4f7ca7897dcff3827e4d22c99a" + }, + { + "url": "https://git.kernel.org/stable/c/8ac224e9371dc3c4eb666033e6b42d05cf5184a1" + }, + { + "url": "https://git.kernel.org/stable/c/bd5620439959a7e02012588c724c6ff5143b80af" + }, + { + "url": "https://git.kernel.org/stable/c/e1ba22618758e95e09c9fd30c69ccce38edf94c0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42223 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42223", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: tda10048: Fix integer overflow\n\nstate->xtal_hz can be up to 16M, so it can overflow a 32 bit integer\nwhen multiplied by pll_mfactor.\n\nCreate a new 64 bit variable to hold the calculations.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42223\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42223\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42223\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42223\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42223\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1121d8a5c6ed6b8fad492e43b63b386cb6a3a9d8\",\n \"https://git.kernel.org/stable/c/1663e2474e4d777187d749a5c90ae83232db32bd\",\n \"https://git.kernel.org/stable/c/1aa1329a67cc214c3b7bd2a14d1301a795760b07\",\n \"https://git.kernel.org/stable/c/5c72587d024f087aecec0221eaff2fe850d856ce\",\n \"https://git.kernel.org/stable/c/8167e4d7dc086d4f7ca7897dcff3827e4d22c99a\",\n \"https://git.kernel.org/stable/c/8ac224e9371dc3c4eb666033e6b42d05cf5184a1\",\n \"https://git.kernel.org/stable/c/bd5620439959a7e02012588c724c6ff5143b80af\",\n \"https://git.kernel.org/stable/c/e1ba22618758e95e09c9fd30c69ccce38edf94c0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: dvb-frontends: tda10048: Fix integer overflow\\n\\nstate->xtal_hz can be up to 16M, so it can overflow a 32 bit integer\\nwhen multiplied by pll_mfactor.\\n\\nCreate a new 64 bit variable to hold the calculations.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42223\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42224", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42224" + }, + { + "url": "https://git.kernel.org/stable/c/2a2fe25a103cef73cde356e6d09da10f607e93f5" + }, + { + "url": "https://git.kernel.org/stable/c/3bf8d70e1455f87856640c3433b3660a31001618" + }, + { + "url": "https://git.kernel.org/stable/c/3f25b5f1635449036692a44b771f39f772190c1d" + }, + { + "url": "https://git.kernel.org/stable/c/47d28dde172696031c880c5778633cdca30394ee" + }, + { + "url": "https://git.kernel.org/stable/c/4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b" + }, + { + "url": "https://git.kernel.org/stable/c/8c2c3cca816d074c75a2801d1ca0dea7b0148114" + }, + { + "url": "https://git.kernel.org/stable/c/aa03f591ef31ba603a4a99d05d25a0f21ab1cd89" + }, + { + "url": "https://git.kernel.org/stable/c/f75625db838ade28f032dacd0f0c8baca42ecde4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42224 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42224", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: Correct check for empty list\n\nSince commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO\nbusses\") mv88e6xxx_default_mdio_bus() has checked that the\nreturn value of list_first_entry() is non-NULL.\n\nThis appears to be intended to guard against the list chip->mdios being\nempty. However, it is not the correct check as the implementation of\nlist_first_entry is not designed to return NULL for empty lists.\n\nInstead, use list_first_entry_or_null() which does return NULL if the\nlist is empty.\n\nFlagged by Smatch.\nCompile tested only.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42224\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42224\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42224\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42224\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42224\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a2fe25a103cef73cde356e6d09da10f607e93f5\",\n \"https://git.kernel.org/stable/c/3bf8d70e1455f87856640c3433b3660a31001618\",\n \"https://git.kernel.org/stable/c/3f25b5f1635449036692a44b771f39f772190c1d\",\n \"https://git.kernel.org/stable/c/47d28dde172696031c880c5778633cdca30394ee\",\n \"https://git.kernel.org/stable/c/4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b\",\n \"https://git.kernel.org/stable/c/8c2c3cca816d074c75a2801d1ca0dea7b0148114\",\n \"https://git.kernel.org/stable/c/aa03f591ef31ba603a4a99d05d25a0f21ab1cd89\",\n \"https://git.kernel.org/stable/c/f75625db838ade28f032dacd0f0c8baca42ecde4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: mv88e6xxx: Correct check for empty list\\n\\nSince commit a3c53be55c95 (\\\"net: dsa: mv88e6xxx: Support multiple MDIO\\nbusses\\\") mv88e6xxx_default_mdio_bus() has checked that the\\nreturn value of list_first_entry() is non-NULL.\\n\\nThis appears to be intended to guard against the list chip->mdios being\\nempty. However, it is not the correct check as the implementation of\\nlist_first_entry is not designed to return NULL for empty lists.\\n\\nInstead, use list_first_entry_or_null() which does return NULL if the\\nlist is empty.\\n\\nFlagged by Smatch.\\nCompile tested only.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42224\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42225", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42225" + }, + { + "url": "https://git.kernel.org/stable/c/22ea2a7f0b64d323625950414a4496520fb33657" + }, + { + "url": "https://git.kernel.org/stable/c/64f86337ccfe77fe3be5a9356b0dabde23fbb074" + }, + { + "url": "https://git.kernel.org/stable/c/7f819a2f4fbc510e088b49c79addcf1734503578" + }, + { + "url": "https://git.kernel.org/stable/c/dc7f14d00d0c4c21898f3504607f4a31079065a2" + }, + { + "url": "https://git.kernel.org/stable/c/ff6b26be13032c5fbd6b6a0b24358f8eaac4f3af" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42225 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42225", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: replace skb_put with skb_put_zero\n\nAvoid potentially reusing uninitialized data", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42225\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42225\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42225\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42225\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42225\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22ea2a7f0b64d323625950414a4496520fb33657\",\n \"https://git.kernel.org/stable/c/64f86337ccfe77fe3be5a9356b0dabde23fbb074\",\n \"https://git.kernel.org/stable/c/7f819a2f4fbc510e088b49c79addcf1734503578\",\n \"https://git.kernel.org/stable/c/dc7f14d00d0c4c21898f3504607f4a31079065a2\",\n \"https://git.kernel.org/stable/c/ff6b26be13032c5fbd6b6a0b24358f8eaac4f3af\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mt76: replace skb_put with skb_put_zero\\n\\nAvoid potentially reusing uninitialized data\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42225\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42226", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42226" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42226 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42226", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42226\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42226\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42226\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42226\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42226\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42226\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42228", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42228" + }, + { + "url": "https://git.kernel.org/stable/c/855ae72c20310e5402b2317fc537d911e87537ef" + }, + { + "url": "https://git.kernel.org/stable/c/88a9a467c548d0b3c7761b4fd54a68e70f9c0944" + }, + { + "url": "https://git.kernel.org/stable/c/f8f120b3de48b8b6bdf8988a9b334c2d61c17440" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42228 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42228", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc\n\nInitialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.\nV2: To really improve the handling we would actually\n need to have a separate value of 0xffffffff.(Christian)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42228\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42228\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42228\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42228\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42228\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/855ae72c20310e5402b2317fc537d911e87537ef\",\n \"https://git.kernel.org/stable/c/88a9a467c548d0b3c7761b4fd54a68e70f9c0944\",\n \"https://git.kernel.org/stable/c/f8f120b3de48b8b6bdf8988a9b334c2d61c17440\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc\\n\\nInitialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.\\nV2: To really improve the handling we would actually\\n need to have a separate value of 0xffffffff.(Christian)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42228\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42229", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42229" + }, + { + "url": "https://git.kernel.org/stable/c/23e4099bdc3c8381992f9eb975c79196d6755210" + }, + { + "url": "https://git.kernel.org/stable/c/28c8d274848feba552e95c5c2a7e3cfe8f15c534" + }, + { + "url": "https://git.kernel.org/stable/c/71dd428615375e36523f4d4f7685ddd54113646d" + }, + { + "url": "https://git.kernel.org/stable/c/9db8c299a521813630fcb4154298cb60c37f3133" + }, + { + "url": "https://git.kernel.org/stable/c/b502d4a08875ea2b4ea5d5b28dc7c991c8b90cfb" + }, + { + "url": "https://git.kernel.org/stable/c/f58679996a831754a356974376f248aa0af2eb8e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42229 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42229", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aead,cipher - zeroize key buffer after use\n\nI.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding\ncryptographic information should be zeroized once they are no longer\nneeded. Accomplish this by using kfree_sensitive for buffers that\npreviously held the private key.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42229\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42229\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42229\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42229\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42229\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23e4099bdc3c8381992f9eb975c79196d6755210\",\n \"https://git.kernel.org/stable/c/28c8d274848feba552e95c5c2a7e3cfe8f15c534\",\n \"https://git.kernel.org/stable/c/71dd428615375e36523f4d4f7685ddd54113646d\",\n \"https://git.kernel.org/stable/c/9db8c299a521813630fcb4154298cb60c37f3133\",\n \"https://git.kernel.org/stable/c/b502d4a08875ea2b4ea5d5b28dc7c991c8b90cfb\",\n \"https://git.kernel.org/stable/c/f58679996a831754a356974376f248aa0af2eb8e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: aead,cipher - zeroize key buffer after use\\n\\nI.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding\\ncryptographic information should be zeroized once they are no longer\\nneeded. Accomplish this by using kfree_sensitive for buffers that\\npreviously held the private key.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.1,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42229\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42230", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42230" + }, + { + "url": "https://git.kernel.org/stable/c/21a741eb75f80397e5f7d3739e24d7d75e619011" + }, + { + "url": "https://git.kernel.org/stable/c/8c6506616386ce37e59b2745fc481c6713fae4f3" + }, + { + "url": "https://git.kernel.org/stable/c/c550679d604798d9fed8a5b2bb5693448a25407c" + }, + { + "url": "https://git.kernel.org/stable/c/d10e3c39001e9194b9a1bfd6979bd3fa19dccdc5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42230 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42230", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix scv instruction crash with kexec\n\nkexec on pseries disables AIL (reloc_on_exc), required for scv\ninstruction support, before other CPUs have been shut down. This means\nthey can execute scv instructions after AIL is disabled, which causes an\ninterrupt at an unexpected entry location that crashes the kernel.\n\nChange the kexec sequence to disable AIL after other CPUs have been\nbrought down.\n\nAs a refresher, the real-mode scv interrupt vector is 0x17000, and the\nfixed-location head code probably couldn't easily deal with implementing\nsuch high addresses so it was just decided not to support that interrupt\nat all.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42230\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42230\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42230\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42230\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42230\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21a741eb75f80397e5f7d3739e24d7d75e619011\",\n \"https://git.kernel.org/stable/c/8c6506616386ce37e59b2745fc481c6713fae4f3\",\n \"https://git.kernel.org/stable/c/c550679d604798d9fed8a5b2bb5693448a25407c\",\n \"https://git.kernel.org/stable/c/d10e3c39001e9194b9a1bfd6979bd3fa19dccdc5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/pseries: Fix scv instruction crash with kexec\\n\\nkexec on pseries disables AIL (reloc_on_exc), required for scv\\ninstruction support, before other CPUs have been shut down. This means\\nthey can execute scv instructions after AIL is disabled, which causes an\\ninterrupt at an unexpected entry location that crashes the kernel.\\n\\nChange the kexec sequence to disable AIL after other CPUs have been\\nbrought down.\\n\\nAs a refresher, the real-mode scv interrupt vector is 0x17000, and the\\nfixed-location head code probably couldn't easily deal with implementing\\nsuch high addresses so it was just decided not to support that interrupt\\nat all.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42230\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42232", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42232" + }, + { + "url": "https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf" + }, + { + "url": "https://git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7" + }, + { + "url": "https://git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a" + }, + { + "url": "https://git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e" + }, + { + "url": "https://git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c" + }, + { + "url": "https://git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea" + }, + { + "url": "https://git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883" + }, + { + "url": "https://git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42232 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42232", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix race between delayed_work() and ceph_monc_stop()\n\nThe way the delayed work is handled in ceph_monc_stop() is prone to\nraces with mon_fault() and possibly also finish_hunting(). Both of\nthese can requeue the delayed work which wouldn't be canceled by any of\nthe following code in case that happens after cancel_delayed_work_sync()\nruns -- __close_session() doesn't mess with the delayed work in order\nto avoid interfering with the hunting interval logic. This part was\nmissed in commit b5d91704f53e (\"libceph: behave in mon_fault() if\ncur_mon < 0\") and use-after-free can still ensue on monc and objects\nthat hang off of it, with monc->auth and monc->monmap being\nparticularly susceptible to quickly being reused.\n\nTo fix this:\n\n- clear monc->cur_mon and monc->hunting as part of closing the session\n in ceph_monc_stop()\n- bail from delayed_work() if monc->cur_mon is cleared, similar to how\n it's done in mon_fault() and finish_hunting() (based on monc->hunting)\n- call cancel_delayed_work_sync() after the session is closed", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42232\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42232\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42232\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42232\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42232\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf\",\n \"https://git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7\",\n \"https://git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a\",\n \"https://git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e\",\n \"https://git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c\",\n \"https://git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea\",\n \"https://git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883\",\n \"https://git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlibceph: fix race between delayed_work() and ceph_monc_stop()\\n\\nThe way the delayed work is handled in ceph_monc_stop() is prone to\\nraces with mon_fault() and possibly also finish_hunting(). Both of\\nthese can requeue the delayed work which wouldn't be canceled by any of\\nthe following code in case that happens after cancel_delayed_work_sync()\\nruns -- __close_session() doesn't mess with the delayed work in order\\nto avoid interfering with the hunting interval logic. This part was\\nmissed in commit b5d91704f53e (\\\"libceph: behave in mon_fault() if\\ncur_mon < 0\\\") and use-after-free can still ensue on monc and objects\\nthat hang off of it, with monc->auth and monc->monmap being\\nparticularly susceptible to quickly being reused.\\n\\nTo fix this:\\n\\n- clear monc->cur_mon and monc->hunting as part of closing the session\\n in ceph_monc_stop()\\n- bail from delayed_work() if monc->cur_mon is cleared, similar to how\\n it's done in mon_fault() and finish_hunting() (based on monc->hunting)\\n- call cancel_delayed_work_sync() after the session is closed\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42232\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42236", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42236" + }, + { + "url": "https://git.kernel.org/stable/c/2d16f63d8030903e5031853e79d731ee5d474e70" + }, + { + "url": "https://git.kernel.org/stable/c/6d3c721e686ea6c59e18289b400cc95c76e927e0" + }, + { + "url": "https://git.kernel.org/stable/c/72b8ee0d9826e8ed00e0bdfce3e46b98419b37ce" + }, + { + "url": "https://git.kernel.org/stable/c/a444c3fc264119801575ab086e03fb4952f23fd0" + }, + { + "url": "https://git.kernel.org/stable/c/c95fbdde87e39e5e0ae27f28bf6711edfb985caa" + }, + { + "url": "https://git.kernel.org/stable/c/d1205033e912f9332c1dbefa812e6ceb0575ce0a" + }, + { + "url": "https://git.kernel.org/stable/c/e8474a10c535e6a2024c3b06e37e4a3a23beb490" + }, + { + "url": "https://git.kernel.org/stable/c/eecfefad0953b2f31aaefa058f7f348ff39c4bba" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42236 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42236", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: configfs: Prevent OOB read/write in usb_string_copy()\n\nUserspace provided string 's' could trivially have the length zero. Left\nunchecked this will firstly result in an OOB read in the form\n`if (str[0 - 1] == '\\n') followed closely by an OOB write in the form\n`str[0 - 1] = '\\0'`.\n\nThere is already a validating check to catch strings that are too long.\nLet's supply an additional check for invalid strings that are too short.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42236\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42236\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42236\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42236\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42236\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d16f63d8030903e5031853e79d731ee5d474e70\",\n \"https://git.kernel.org/stable/c/6d3c721e686ea6c59e18289b400cc95c76e927e0\",\n \"https://git.kernel.org/stable/c/72b8ee0d9826e8ed00e0bdfce3e46b98419b37ce\",\n \"https://git.kernel.org/stable/c/a444c3fc264119801575ab086e03fb4952f23fd0\",\n \"https://git.kernel.org/stable/c/c95fbdde87e39e5e0ae27f28bf6711edfb985caa\",\n \"https://git.kernel.org/stable/c/d1205033e912f9332c1dbefa812e6ceb0575ce0a\",\n \"https://git.kernel.org/stable/c/e8474a10c535e6a2024c3b06e37e4a3a23beb490\",\n \"https://git.kernel.org/stable/c/eecfefad0953b2f31aaefa058f7f348ff39c4bba\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: configfs: Prevent OOB read/write in usb_string_copy()\\n\\nUserspace provided string 's' could trivially have the length zero. Left\\nunchecked this will firstly result in an OOB read in the form\\n`if (str[0 - 1] == '\\\\n') followed closely by an OOB write in the form\\n`str[0 - 1] = '\\\\0'`.\\n\\nThere is already a validating check to catch strings that are too long.\\nLet's supply an additional check for invalid strings that are too short.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42236\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42239", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42239" + }, + { + "url": "https://git.kernel.org/stable/c/3e4e8178a8666c56813bd167b848fca0f4c9af0a" + }, + { + "url": "https://git.kernel.org/stable/c/9369830518688ecd5b08ffc08ab3302ce2b5d0f7" + }, + { + "url": "https://git.kernel.org/stable/c/d4523831f07a267a943f0dde844bf8ead7495f13" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42239 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42239", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail bpf_timer_cancel when callback is being cancelled\n\nGiven a schedule:\n\ntimer1 cb\t\t\ttimer2 cb\n\nbpf_timer_cancel(timer2);\tbpf_timer_cancel(timer1);\n\nBoth bpf_timer_cancel calls would wait for the other callback to finish\nexecuting, introducing a lockup.\n\nAdd an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps\ntrack of all in-flight cancellation requests for a given BPF timer.\nWhenever cancelling a BPF timer, we must check if we have outstanding\ncancellation requests, and if so, we must fail the operation with an\nerror (-EDEADLK) since cancellation is synchronous and waits for the\ncallback to finish executing. This implies that we can enter a deadlock\nsituation involving two or more timer callbacks executing in parallel\nand attempting to cancel one another.\n\nNote that we avoid incrementing the cancelling counter for the target\ntimer (the one being cancelled) if bpf_timer_cancel is not invoked from\na callback, to avoid spurious errors. The whole point of detecting\ncur->cancelling and returning -EDEADLK is to not enter a busy wait loop\n(which may or may not lead to a lockup). This does not apply in case the\ncaller is in a non-callback context, the other side can continue to\ncancel as it sees fit without running into errors.\n\nBackground on prior attempts:\n\nEarlier versions of this patch used a bool 'cancelling' bit and used the\nfollowing pattern under timer->lock to publish cancellation status.\n\nlock(t->lock);\nt->cancelling = true;\nmb();\nif (cur->cancelling)\n\treturn -EDEADLK;\nunlock(t->lock);\nhrtimer_cancel(t->timer);\nt->cancelling = false;\n\nThe store outside the critical section could overwrite a parallel\nrequests t->cancelling assignment to true, to ensure the parallely\nexecuting callback observes its cancellation status.\n\nIt would be necessary to clear this cancelling bit once hrtimer_cancel\nis done, but lack of serialization introduced races. Another option was\nexplored where bpf_timer_start would clear the bit when (re)starting the\ntimer under timer->lock. This would ensure serialized access to the\ncancelling bit, but may allow it to be cleared before in-flight\nhrtimer_cancel has finished executing, such that lockups can occur\nagain.\n\nThus, we choose an atomic counter to keep track of all outstanding\ncancellation requests and use it to prevent lockups in case callbacks\nattempt to cancel each other while executing in parallel.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42239\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42239\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42239\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42239\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42239\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3e4e8178a8666c56813bd167b848fca0f4c9af0a\",\n \"https://git.kernel.org/stable/c/9369830518688ecd5b08ffc08ab3302ce2b5d0f7\",\n \"https://git.kernel.org/stable/c/d4523831f07a267a943f0dde844bf8ead7495f13\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fail bpf_timer_cancel when callback is being cancelled\\n\\nGiven a schedule:\\n\\ntimer1 cb\\t\\t\\ttimer2 cb\\n\\nbpf_timer_cancel(timer2);\\tbpf_timer_cancel(timer1);\\n\\nBoth bpf_timer_cancel calls would wait for the other callback to finish\\nexecuting, introducing a lockup.\\n\\nAdd an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps\\ntrack of all in-flight cancellation requests for a given BPF timer.\\nWhenever cancelling a BPF timer, we must check if we have outstanding\\ncancellation requests, and if so, we must fail the operation with an\\nerror (-EDEADLK) since cancellation is synchronous and waits for the\\ncallback to finish executing. This implies that we can enter a deadlock\\nsituation involving two or more timer callbacks executing in parallel\\nand attempting to cancel one another.\\n\\nNote that we avoid incrementing the cancelling counter for the target\\ntimer (the one being cancelled) if bpf_timer_cancel is not invoked from\\na callback, to avoid spurious errors. The whole point of detecting\\ncur->cancelling and returning -EDEADLK is to not enter a busy wait loop\\n(which may or may not lead to a lockup). This does not apply in case the\\ncaller is in a non-callback context, the other side can continue to\\ncancel as it sees fit without running into errors.\\n\\nBackground on prior attempts:\\n\\nEarlier versions of this patch used a bool 'cancelling' bit and used the\\nfollowing pattern under timer->lock to publish cancellation status.\\n\\nlock(t->lock);\\nt->cancelling = true;\\nmb();\\nif (cur->cancelling)\\n\\treturn -EDEADLK;\\nunlock(t->lock);\\nhrtimer_cancel(t->timer);\\nt->cancelling = false;\\n\\nThe store outside the critical section could overwrite a parallel\\nrequests t->cancelling assignment to true, to ensure the parallely\\nexecuting callback observes its cancellation status.\\n\\nIt would be necessary to clear this cancelling bit once hrtimer_cancel\\nis done, but lack of serialization introduced races. Another option was\\nexplored where bpf_timer_start would clear the bit when (re)starting the\\ntimer under timer->lock. This would ensure serialized access to the\\ncancelling bit, but may allow it to be cleared before in-flight\\nhrtimer_cancel has finished executing, such that lockups can occur\\nagain.\\n\\nThus, we choose an atomic counter to keep track of all outstanding\\ncancellation requests and use it to prevent lockups in case callbacks\\nattempt to cancel each other while executing in parallel.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42239\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42240", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42240" + }, + { + "url": "https://git.kernel.org/stable/c/08518d48e5b744620524f0acd7c26c19bda7f513" + }, + { + "url": "https://git.kernel.org/stable/c/a765679defe1dc1b8fa01928a6ad6361e72a1364" + }, + { + "url": "https://git.kernel.org/stable/c/ac8b270b61d48fcc61f052097777e3b5e11591e0" + }, + { + "url": "https://git.kernel.org/stable/c/dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf" + }, + { + "url": "https://git.kernel.org/stable/c/db56615e96c439e13783d7715330e824b4fd4b84" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42240 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42240", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/bhi: Avoid warning in #DB handler due to BHI mitigation\n\nWhen BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set\nthen entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the\nclear_bhb_loop() before the TF flag is cleared. This causes the #DB handler\n(exc_debug_kernel()) to issue a warning because single-step is used outside the\nentry_SYSENTER_compat() function.\n\nTo address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY\nafter making sure the TF flag is cleared.\n\nThe problem can be reproduced with the following sequence:\n\n $ cat sysenter_step.c\n int main()\n { asm(\"pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter\"); }\n\n $ gcc -o sysenter_step sysenter_step.c\n\n $ ./sysenter_step\n Segmentation fault (core dumped)\n\nThe program is expected to crash, and the #DB handler will issue a warning.\n\nKernel log:\n\n WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160\n ...\n RIP: 0010:exc_debug_kernel+0xd2/0x160\n ...\n Call Trace:\n <#DB>\n ? show_regs+0x68/0x80\n ? __warn+0x8c/0x140\n ? exc_debug_kernel+0xd2/0x160\n ? report_bug+0x175/0x1a0\n ? handle_bug+0x44/0x90\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? exc_debug_kernel+0xd2/0x160\n exc_debug+0x43/0x50\n asm_exc_debug+0x1e/0x40\n RIP: 0010:clear_bhb_loop+0x0/0xb0\n ...\n \n \n ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d\n \n\n [ bp: Massage commit message. ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42240\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42240\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42240\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42240\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42240\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08518d48e5b744620524f0acd7c26c19bda7f513\",\n \"https://git.kernel.org/stable/c/a765679defe1dc1b8fa01928a6ad6361e72a1364\",\n \"https://git.kernel.org/stable/c/ac8b270b61d48fcc61f052097777e3b5e11591e0\",\n \"https://git.kernel.org/stable/c/dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf\",\n \"https://git.kernel.org/stable/c/db56615e96c439e13783d7715330e824b4fd4b84\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/bhi: Avoid warning in #DB handler due to BHI mitigation\\n\\nWhen BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set\\nthen entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the\\nclear_bhb_loop() before the TF flag is cleared. This causes the #DB handler\\n(exc_debug_kernel()) to issue a warning because single-step is used outside the\\nentry_SYSENTER_compat() function.\\n\\nTo address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY\\nafter making sure the TF flag is cleared.\\n\\nThe problem can be reproduced with the following sequence:\\n\\n $ cat sysenter_step.c\\n int main()\\n { asm(\\\"pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter\\\"); }\\n\\n $ gcc -o sysenter_step sysenter_step.c\\n\\n $ ./sysenter_step\\n Segmentation fault (core dumped)\\n\\nThe program is expected to crash, and the #DB handler will issue a warning.\\n\\nKernel log:\\n\\n WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160\\n ...\\n RIP: 0010:exc_debug_kernel+0xd2/0x160\\n ...\\n Call Trace:\\n <#DB>\\n ? show_regs+0x68/0x80\\n ? __warn+0x8c/0x140\\n ? exc_debug_kernel+0xd2/0x160\\n ? report_bug+0x175/0x1a0\\n ? handle_bug+0x44/0x90\\n ? exc_invalid_op+0x1c/0x70\\n ? asm_exc_invalid_op+0x1f/0x30\\n ? exc_debug_kernel+0xd2/0x160\\n exc_debug+0x43/0x50\\n asm_exc_debug+0x1e/0x40\\n RIP: 0010:clear_bhb_loop+0x0/0xb0\\n ...\\n \\n \\n ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d\\n \\n\\n [ bp: Massage commit message. ]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42240\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42243", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42243" + }, + { + "url": "https://git.kernel.org/stable/c/099d90642a711caae377f53309abfe27e8724a8b" + }, + { + "url": "https://git.kernel.org/stable/c/333c5539a31f48828456aa9997ec2808f06a699a" + }, + { + "url": "https://git.kernel.org/stable/c/a0c42ddd0969fdc760a85e20e267776028a7ca4e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42243 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42243", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\n\nPatch series \"mm/filemap: Limit page cache size to that supported by\nxarray\", v2.\n\nCurrently, xarray can't support arbitrary page cache size. More details\ncan be found from the WARN_ON() statement in xas_split_alloc(). In our\ntest whose code is attached below, we hit the WARN_ON() on ARM64 system\nwhere the base page size is 64KB and huge page size is 512MB. The issue\nwas reported long time ago and some discussions on it can be found here\n[1].\n\n[1] https://www.spinics.net/lists/linux-xfs/msg75404.html\n\nIn order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one\nsupported by xarray and avoid PMD-sized page cache if needed. The code\nchanges are suggested by David Hildenbrand.\n\nPATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray\nPATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path\nPATCH[4] avoids PMD-sized page cache for shmem files if needed\n\nTest program\n============\n# cat test.c\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#define TEST_XFS_FILENAME\t\"/tmp/data\"\n#define TEST_SHMEM_FILENAME\t\"/dev/shm/data\"\n#define TEST_MEM_SIZE\t\t0x20000000\n\nint main(int argc, char **argv)\n{\n\tconst char *filename;\n\tint fd = 0;\n\tvoid *buf = (void *)-1, *p;\n\tint pgsize = getpagesize();\n\tint ret;\n\n\tif (pgsize != 0x10000) {\n\t\tfprintf(stderr, \"64KB base page size is required\\n\");\n\t\treturn -EPERM;\n\t}\n\n\tsystem(\"echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled\");\n\tsystem(\"rm -fr /tmp/data\");\n\tsystem(\"rm -fr /dev/shm/data\");\n\tsystem(\"echo 1 > /proc/sys/vm/drop_caches\");\n\n\t/* Open xfs or shmem file */\n\tfilename = TEST_XFS_FILENAME;\n\tif (argc > 1 && !strcmp(argv[1], \"shmem\"))\n\t\tfilename = TEST_SHMEM_FILENAME;\n\n\tfd = open(filename, O_CREAT | O_RDWR | O_TRUNC);\n\tif (fd < 0) {\n\t\tfprintf(stderr, \"Unable to open <%s>\\n\", filename);\n\t\treturn -EIO;\n\t}\n\n\t/* Extend file size */\n\tret = ftruncate(fd, TEST_MEM_SIZE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to ftruncate()\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Create VMA */\n\tbuf = mmap(NULL, TEST_MEM_SIZE,\n\t\t PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n\tif (buf == (void *)-1) {\n\t\tfprintf(stderr, \"Unable to mmap <%s>\\n\", filename);\n\t\tgoto cleanup;\n\t}\n\n\tfprintf(stdout, \"mapped buffer at 0x%p\\n\", buf);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\n if (ret) {\n\t\tfprintf(stderr, \"Unable to madvise(MADV_HUGEPAGE)\\n\");\n\t\tgoto cleanup;\n\t}\n\n\t/* Populate VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to madvise(MADV_POPULATE_WRITE)\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Punch the file to enforce xarray split */\n\tret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\n \t\tTEST_MEM_SIZE - pgsize, pgsize);\n\tif (ret)\n\t\tfprintf(stderr, \"Error %d to fallocate()\\n\", ret);\n\ncleanup:\n\tif (buf != (void *)-1)\n\t\tmunmap(buf, TEST_MEM_SIZE);\n\tif (fd > 0)\n\t\tclose(fd);\n\n\treturn 0;\n}\n\n# gcc test.c -o test\n# cat /proc/1/smaps | grep KernelPageSize | head -n 1\nKernelPageSize: 64 kB\n# ./test shmem\n :\n------------[ cut here ]------------\nWARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon \\\ndrm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\nvirtio_net sha1_ce net_failover failover virtio_console virtio_blk \\\ndimlib virtio_mmio\nCPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TC\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42243\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42243\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42243\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42243\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42243\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/099d90642a711caae377f53309abfe27e8724a8b\",\n \"https://git.kernel.org/stable/c/333c5539a31f48828456aa9997ec2808f06a699a\",\n \"https://git.kernel.org/stable/c/a0c42ddd0969fdc760a85e20e267776028a7ca4e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\\n\\nPatch series \\\"mm/filemap: Limit page cache size to that supported by\\nxarray\\\", v2.\\n\\nCurrently, xarray can't support arbitrary page cache size. More details\\ncan be found from the WARN_ON() statement in xas_split_alloc(). In our\\ntest whose code is attached below, we hit the WARN_ON() on ARM64 system\\nwhere the base page size is 64KB and huge page size is 512MB. The issue\\nwas reported long time ago and some discussions on it can be found here\\n[1].\\n\\n[1] https://www.spinics.net/lists/linux-xfs/msg75404.html\\n\\nIn order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one\\nsupported by xarray and avoid PMD-sized page cache if needed. The code\\nchanges are suggested by David Hildenbrand.\\n\\nPATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray\\nPATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path\\nPATCH[4] avoids PMD-sized page cache for shmem files if needed\\n\\nTest program\\n============\\n# cat test.c\\n#define _GNU_SOURCE\\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n\\n#define TEST_XFS_FILENAME\\t\\\"/tmp/data\\\"\\n#define TEST_SHMEM_FILENAME\\t\\\"/dev/shm/data\\\"\\n#define TEST_MEM_SIZE\\t\\t0x20000000\\n\\nint main(int argc, char **argv)\\n{\\n\\tconst char *filename;\\n\\tint fd = 0;\\n\\tvoid *buf = (void *)-1, *p;\\n\\tint pgsize = getpagesize();\\n\\tint ret;\\n\\n\\tif (pgsize != 0x10000) {\\n\\t\\tfprintf(stderr, \\\"64KB base page size is required\\\\n\\\");\\n\\t\\treturn -EPERM;\\n\\t}\\n\\n\\tsystem(\\\"echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled\\\");\\n\\tsystem(\\\"rm -fr /tmp/data\\\");\\n\\tsystem(\\\"rm -fr /dev/shm/data\\\");\\n\\tsystem(\\\"echo 1 > /proc/sys/vm/drop_caches\\\");\\n\\n\\t/* Open xfs or shmem file */\\n\\tfilename = TEST_XFS_FILENAME;\\n\\tif (argc > 1 && !strcmp(argv[1], \\\"shmem\\\"))\\n\\t\\tfilename = TEST_SHMEM_FILENAME;\\n\\n\\tfd = open(filename, O_CREAT | O_RDWR | O_TRUNC);\\n\\tif (fd < 0) {\\n\\t\\tfprintf(stderr, \\\"Unable to open <%s>\\\\n\\\", filename);\\n\\t\\treturn -EIO;\\n\\t}\\n\\n\\t/* Extend file size */\\n\\tret = ftruncate(fd, TEST_MEM_SIZE);\\n\\tif (ret) {\\n\\t\\tfprintf(stderr, \\\"Error %d to ftruncate()\\\\n\\\", ret);\\n\\t\\tgoto cleanup;\\n\\t}\\n\\n\\t/* Create VMA */\\n\\tbuf = mmap(NULL, TEST_MEM_SIZE,\\n\\t\\t PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\\n\\tif (buf == (void *)-1) {\\n\\t\\tfprintf(stderr, \\\"Unable to mmap <%s>\\\\n\\\", filename);\\n\\t\\tgoto cleanup;\\n\\t}\\n\\n\\tfprintf(stdout, \\\"mapped buffer at 0x%p\\\\n\\\", buf);\\n\\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\\n if (ret) {\\n\\t\\tfprintf(stderr, \\\"Unable to madvise(MADV_HUGEPAGE)\\\\n\\\");\\n\\t\\tgoto cleanup;\\n\\t}\\n\\n\\t/* Populate VMA */\\n\\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);\\n\\tif (ret) {\\n\\t\\tfprintf(stderr, \\\"Error %d to madvise(MADV_POPULATE_WRITE)\\\\n\\\", ret);\\n\\t\\tgoto cleanup;\\n\\t}\\n\\n\\t/* Punch the file to enforce xarray split */\\n\\tret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\\n \\t\\tTEST_MEM_SIZE - pgsize, pgsize);\\n\\tif (ret)\\n\\t\\tfprintf(stderr, \\\"Error %d to fallocate()\\\\n\\\", ret);\\n\\ncleanup:\\n\\tif (buf != (void *)-1)\\n\\t\\tmunmap(buf, TEST_MEM_SIZE);\\n\\tif (fd > 0)\\n\\t\\tclose(fd);\\n\\n\\treturn 0;\\n}\\n\\n# gcc test.c -o test\\n# cat /proc/1/smaps | grep KernelPageSize | head -n 1\\nKernelPageSize: 64 kB\\n# ./test shmem\\n :\\n------------[ cut here ]------------\\nWARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\\\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\\\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\\\\nip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon \\\\\\ndrm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\\\\nvirtio_net sha1_ce net_failover failover virtio_console virtio_blk \\\\\\ndimlib virtio_mmio\\nCPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12\\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\\npstate: 83400005 (Nzcv daif +PAN -UAO +TC\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42243\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42244", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42244" + }, + { + "url": "https://git.kernel.org/stable/c/1094ed500987e67a9d18b0f95e1812f1cc720856" + }, + { + "url": "https://git.kernel.org/stable/c/553e67dec846323b5575e78a776cf594c13f98c4" + }, + { + "url": "https://git.kernel.org/stable/c/5ae6a64f18211851c8df6b4221381c438b9a7348" + }, + { + "url": "https://git.kernel.org/stable/c/932a86a711c722b45ed47ba2103adca34d225b33" + }, + { + "url": "https://git.kernel.org/stable/c/b14aa5673e0a8077ff4b74f0bb260735e7d5e6a4" + }, + { + "url": "https://git.kernel.org/stable/c/c15a688e49987385baa8804bf65d570e362f8576" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42244 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42244", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: mos7840: fix crash on resume\n\nSince commit c49cfa917025 (\"USB: serial: use generic method if no\nalternative is provided in usb serial layer\"), USB serial core calls the\ngeneric resume implementation when the driver has not provided one.\n\nThis can trigger a crash on resume with mos7840 since support for\nmultiple read URBs was added back in 2011. Specifically, both port read\nURBs are now submitted on resume for open ports, but the context pointer\nof the second URB is left set to the core rather than mos7840 port\nstructure.\n\nFix this by implementing dedicated suspend and resume functions for\nmos7840.\n\nTested with Delock 87414 USB 2.0 to 4x serial adapter.\n\n[ johan: analyse crash and rewrite commit message; set busy flag on\n resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42244\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42244\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42244\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42244\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42244\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1094ed500987e67a9d18b0f95e1812f1cc720856\",\n \"https://git.kernel.org/stable/c/553e67dec846323b5575e78a776cf594c13f98c4\",\n \"https://git.kernel.org/stable/c/5ae6a64f18211851c8df6b4221381c438b9a7348\",\n \"https://git.kernel.org/stable/c/932a86a711c722b45ed47ba2103adca34d225b33\",\n \"https://git.kernel.org/stable/c/b14aa5673e0a8077ff4b74f0bb260735e7d5e6a4\",\n \"https://git.kernel.org/stable/c/c15a688e49987385baa8804bf65d570e362f8576\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: serial: mos7840: fix crash on resume\\n\\nSince commit c49cfa917025 (\\\"USB: serial: use generic method if no\\nalternative is provided in usb serial layer\\\"), USB serial core calls the\\ngeneric resume implementation when the driver has not provided one.\\n\\nThis can trigger a crash on resume with mos7840 since support for\\nmultiple read URBs was added back in 2011. Specifically, both port read\\nURBs are now submitted on resume for open ports, but the context pointer\\nof the second URB is left set to the core rather than mos7840 port\\nstructure.\\n\\nFix this by implementing dedicated suspend and resume functions for\\nmos7840.\\n\\nTested with Delock 87414 USB 2.0 to 4x serial adapter.\\n\\n[ johan: analyse crash and rewrite commit message; set busy flag on\\n resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42244\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42246", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42246" + }, + { + "url": "https://git.kernel.org/stable/c/626dfed5fa3bfb41e0dffd796032b555b69f9cde" + }, + { + "url": "https://git.kernel.org/stable/c/d6c686c01c5f12ff8f7264e0ddf71df6cb0d4414" + }, + { + "url": "https://git.kernel.org/stable/c/f2431e7db0fe0daccb2f06bb0d23740affcd2fa6" + }, + { + "url": "https://git.kernel.org/stable/c/f388cfd913a2b96c05339a335f365795db1b36b6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42246 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42246", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket\n\nWhen using a BPF program on kernel_connect(), the call can return -EPERM. This\ncauses xs_tcp_setup_socket() to loop forever, filling up the syslog and causing\nthe kernel to potentially freeze up.\n\nNeil suggested:\n\n This will propagate -EPERM up into other layers which might not be ready\n to handle it. It might be safer to map EPERM to an error we would be more\n likely to expect from the network system - such as ECONNREFUSED or ENETDOWN.\n\nECONNREFUSED as error seems reasonable. For programs setting a different error\ncan be out of reach (see handling in 4fbac77d2d09) in particular on kernels\nwhich do not have f10d05966196 (\"bpf: Make BPF_PROG_RUN_ARRAY return -err\ninstead of allow boolean\"), thus given that it is better to simply remap for\nconsistent behavior. UDP does handle EPERM in xs_udp_send_request().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42246\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42246\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42246\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42246\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42246\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/626dfed5fa3bfb41e0dffd796032b555b69f9cde\",\n \"https://git.kernel.org/stable/c/d6c686c01c5f12ff8f7264e0ddf71df6cb0d4414\",\n \"https://git.kernel.org/stable/c/f2431e7db0fe0daccb2f06bb0d23740affcd2fa6\",\n \"https://git.kernel.org/stable/c/f388cfd913a2b96c05339a335f365795db1b36b6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket\\n\\nWhen using a BPF program on kernel_connect(), the call can return -EPERM. This\\ncauses xs_tcp_setup_socket() to loop forever, filling up the syslog and causing\\nthe kernel to potentially freeze up.\\n\\nNeil suggested:\\n\\n This will propagate -EPERM up into other layers which might not be ready\\n to handle it. It might be safer to map EPERM to an error we would be more\\n likely to expect from the network system - such as ECONNREFUSED or ENETDOWN.\\n\\nECONNREFUSED as error seems reasonable. For programs setting a different error\\ncan be out of reach (see handling in 4fbac77d2d09) in particular on kernels\\nwhich do not have f10d05966196 (\\\"bpf: Make BPF_PROG_RUN_ARRAY return -err\\ninstead of allow boolean\\\"), thus given that it is better to simply remap for\\nconsistent behavior. UDP does handle EPERM in xs_udp_send_request().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42246\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42247", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42247" + }, + { + "url": "https://git.kernel.org/stable/c/217978a29c6ceca76d3c640bf94bdf50c268d801" + }, + { + "url": "https://git.kernel.org/stable/c/2fb34bf76431e831f9863cd59adc0bd1f67b0fbf" + }, + { + "url": "https://git.kernel.org/stable/c/6638a203abad35fa636d59ac47bdbc4bc100fd74" + }, + { + "url": "https://git.kernel.org/stable/c/948f991c62a4018fb81d85804eeab3029c6209f8" + }, + { + "url": "https://git.kernel.org/stable/c/ae630de24efb123d7199a43256396d7758f4cb75" + }, + { + "url": "https://git.kernel.org/stable/c/b4764f0ad3d68de8a0b847c05f427afb86dd54e6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42247 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42247", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: allowedips: avoid unaligned 64-bit memory accesses\n\nOn the parisc platform, the kernel issues kernel warnings because\nswap_endian() tries to load a 128-bit IPv6 address from an unaligned\nmemory location:\n\n Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df)\n Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc)\n\nAvoid such unaligned memory accesses by instead using the\nget_unaligned_be64() helper macro.\n\n[Jason: replace src[8] in original patch with src+8]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42247\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42247\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42247\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42247\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42247\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/217978a29c6ceca76d3c640bf94bdf50c268d801\",\n \"https://git.kernel.org/stable/c/2fb34bf76431e831f9863cd59adc0bd1f67b0fbf\",\n \"https://git.kernel.org/stable/c/6638a203abad35fa636d59ac47bdbc4bc100fd74\",\n \"https://git.kernel.org/stable/c/948f991c62a4018fb81d85804eeab3029c6209f8\",\n \"https://git.kernel.org/stable/c/ae630de24efb123d7199a43256396d7758f4cb75\",\n \"https://git.kernel.org/stable/c/b4764f0ad3d68de8a0b847c05f427afb86dd54e6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwireguard: allowedips: avoid unaligned 64-bit memory accesses\\n\\nOn the parisc platform, the kernel issues kernel warnings because\\nswap_endian() tries to load a 128-bit IPv6 address from an unaligned\\nmemory location:\\n\\n Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df)\\n Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc)\\n\\nAvoid such unaligned memory accesses by instead using the\\nget_unaligned_be64() helper macro.\\n\\n[Jason: replace src[8] in original patch with src+8]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42247\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42252", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42252" + }, + { + "url": "https://git.kernel.org/stable/c/339b84ab6b1d66900c27bd999271cb2ae40ce812" + }, + { + "url": "https://git.kernel.org/stable/c/5d85f2ab79d5918a66539ebf046c099f7448db8d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42252 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42252", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclosures: Change BUG_ON() to WARN_ON()\n\nIf a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON()\n\nFor reference, this has popped up once in the CI, and we'll need more\ninfo to debug it:\n\n03240 ------------[ cut here ]------------\n03240 kernel BUG at lib/closure.c:21!\n03240 kernel BUG at lib/closure.c:21!\n03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n03240 Modules linked in:\n03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570\n03240 Hardware name: linux,dummy-virt (DT)\n03240 Workqueue: btree_update btree_interior_update_work\n03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\n03240 pc : closure_put+0x224/0x2a0\n03240 lr : closure_put+0x24/0x2a0\n03240 sp : ffff0000d12071c0\n03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360\n03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040\n03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168\n03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001\n03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974\n03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d\n03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e\n03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b\n03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954\n03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000\n03240 Call trace:\n03240 closure_put+0x224/0x2a0\n03240 bch2_check_for_deadlock+0x910/0x1028\n03240 bch2_six_check_for_deadlock+0x1c/0x30\n03240 six_lock_slowpath.isra.0+0x29c/0xed0\n03240 six_lock_ip_waiter+0xa8/0xf8\n03240 __bch2_btree_node_lock_write+0x14c/0x298\n03240 bch2_trans_lock_write+0x6d4/0xb10\n03240 __bch2_trans_commit+0x135c/0x5520\n03240 btree_interior_update_work+0x1248/0x1c10\n03240 process_scheduled_works+0x53c/0xd90\n03240 worker_thread+0x370/0x8c8\n03240 kthread+0x258/0x2e8\n03240 ret_from_fork+0x10/0x20\n03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000)\n03240 ---[ end trace 0000000000000000 ]---\n03240 Kernel panic - not syncing: Oops - BUG: Fatal exception\n03240 SMP: stopping secondary CPUs\n03241 SMP: failed to stop secondary CPUs 13,15\n03241 Kernel Offset: disabled\n03241 CPU features: 0x00,00000003,80000008,4240500b\n03241 Memory Limit: none\n03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]---\n03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42252\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42252\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42252\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42252\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42252\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/339b84ab6b1d66900c27bd999271cb2ae40ce812\",\n \"https://git.kernel.org/stable/c/5d85f2ab79d5918a66539ebf046c099f7448db8d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclosures: Change BUG_ON() to WARN_ON()\\n\\nIf a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON()\\n\\nFor reference, this has popped up once in the CI, and we'll need more\\ninfo to debug it:\\n\\n03240 ------------[ cut here ]------------\\n03240 kernel BUG at lib/closure.c:21!\\n03240 kernel BUG at lib/closure.c:21!\\n03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\\n03240 Modules linked in:\\n03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570\\n03240 Hardware name: linux,dummy-virt (DT)\\n03240 Workqueue: btree_update btree_interior_update_work\\n03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\\n03240 pc : closure_put+0x224/0x2a0\\n03240 lr : closure_put+0x24/0x2a0\\n03240 sp : ffff0000d12071c0\\n03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360\\n03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040\\n03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168\\n03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001\\n03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974\\n03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d\\n03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e\\n03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b\\n03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954\\n03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000\\n03240 Call trace:\\n03240 closure_put+0x224/0x2a0\\n03240 bch2_check_for_deadlock+0x910/0x1028\\n03240 bch2_six_check_for_deadlock+0x1c/0x30\\n03240 six_lock_slowpath.isra.0+0x29c/0xed0\\n03240 six_lock_ip_waiter+0xa8/0xf8\\n03240 __bch2_btree_node_lock_write+0x14c/0x298\\n03240 bch2_trans_lock_write+0x6d4/0xb10\\n03240 __bch2_trans_commit+0x135c/0x5520\\n03240 btree_interior_update_work+0x1248/0x1c10\\n03240 process_scheduled_works+0x53c/0xd90\\n03240 worker_thread+0x370/0x8c8\\n03240 kthread+0x258/0x2e8\\n03240 ret_from_fork+0x10/0x20\\n03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000)\\n03240 ---[ end trace 0000000000000000 ]---\\n03240 Kernel panic - not syncing: Oops - BUG: Fatal exception\\n03240 SMP: stopping secondary CPUs\\n03241 SMP: failed to stop secondary CPUs 13,15\\n03241 Kernel Offset: disabled\\n03241 CPU features: 0x00,00000003,80000008,4240500b\\n03241 Memory Limit: none\\n03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]---\\n03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42252\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42253", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42253" + }, + { + "url": "https://git.kernel.org/stable/c/58a5c93bd1a6e949267400080f07e57ffe05ec34" + }, + { + "url": "https://git.kernel.org/stable/c/bfc6444b57dc7186b6acc964705d7516cbaf3904" + }, + { + "url": "https://git.kernel.org/stable/c/de7cffa53149c7b48bd1bb29b02390c9f05b7f41" + }, + { + "url": "https://git.kernel.org/stable/c/e2ecdddca80dd845df42376e4b0197fe97018ba2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42253 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42253", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: pca953x: fix pca953x_irq_bus_sync_unlock race\n\nEnsure that `i2c_lock' is held when setting interrupt latch and mask in\npca953x_irq_bus_sync_unlock() in order to avoid races.\n\nThe other (non-probe) call site pca953x_gpio_set_multiple() ensures the\nlock is held before calling pca953x_write_regs().\n\nThe problem occurred when a request raced against irq_bus_sync_unlock()\napproximately once per thousand reboots on an i.MX8MP based system.\n\n * Normal case\n\n 0-0022: write register AI|3a {03,02,00,00,01} Input latch P0\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\n\n * Race case\n\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\n 0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register ***\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42253\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42253\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42253\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42253\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42253\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/58a5c93bd1a6e949267400080f07e57ffe05ec34\",\n \"https://git.kernel.org/stable/c/bfc6444b57dc7186b6acc964705d7516cbaf3904\",\n \"https://git.kernel.org/stable/c/de7cffa53149c7b48bd1bb29b02390c9f05b7f41\",\n \"https://git.kernel.org/stable/c/e2ecdddca80dd845df42376e4b0197fe97018ba2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpio: pca953x: fix pca953x_irq_bus_sync_unlock race\\n\\nEnsure that `i2c_lock' is held when setting interrupt latch and mask in\\npca953x_irq_bus_sync_unlock() in order to avoid races.\\n\\nThe other (non-probe) call site pca953x_gpio_set_multiple() ensures the\\nlock is held before calling pca953x_write_regs().\\n\\nThe problem occurred when a request raced against irq_bus_sync_unlock()\\napproximately once per thousand reboots on an i.MX8MP based system.\\n\\n * Normal case\\n\\n 0-0022: write register AI|3a {03,02,00,00,01} Input latch P0\\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0\\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\\n\\n * Race case\\n\\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\\n 0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register ***\\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42253\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42259", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42259" + }, + { + "url": "https://git.kernel.org/stable/c/3e06073d24807f04b4694108a8474decb7b99e60" + }, + { + "url": "https://git.kernel.org/stable/c/4b09513ce93b3dcb590baaaff2ce96f2d098312d" + }, + { + "url": "https://git.kernel.org/stable/c/50111a8098fb9ade621eeff82228a997d42732ab" + }, + { + "url": "https://git.kernel.org/stable/c/8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3" + }, + { + "url": "https://git.kernel.org/stable/c/911f8055f175c82775d0fd8cedcd0b75413f4ba7" + }, + { + "url": "https://git.kernel.org/stable/c/a256d019eaf044864c7e50312f0a65b323c24f39" + }, + { + "url": "https://git.kernel.org/stable/c/e8a68aa842d3f8dd04a46b9d632e5f67fde1da9b" + }, + { + "url": "https://git.kernel.org/stable/c/ead9289a51ea82eb5b27029fcf4c34b2dd60cf06" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42259 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42259", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Fix Virtual Memory mapping boundaries calculation\n\nCalculating the size of the mapped area as the lesser value\nbetween the requested size and the actual size does not consider\nthe partial mapping offset. This can cause page fault access.\n\nFix the calculation of the starting and ending addresses, the\ntotal size is now deduced from the difference between the end and\nstart addresses.\n\nAdditionally, the calculations have been rewritten in a clearer\nand more understandable form.\n\n[Joonas: Add Requires: tag]\nRequires: 60a2066c5005 (\"drm/i915/gem: Adjust vma offset for framebuffer mmap offset\")\n(cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42259\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42259\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42259\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42259\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42259\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3e06073d24807f04b4694108a8474decb7b99e60\",\n \"https://git.kernel.org/stable/c/4b09513ce93b3dcb590baaaff2ce96f2d098312d\",\n \"https://git.kernel.org/stable/c/50111a8098fb9ade621eeff82228a997d42732ab\",\n \"https://git.kernel.org/stable/c/8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3\",\n \"https://git.kernel.org/stable/c/911f8055f175c82775d0fd8cedcd0b75413f4ba7\",\n \"https://git.kernel.org/stable/c/a256d019eaf044864c7e50312f0a65b323c24f39\",\n \"https://git.kernel.org/stable/c/e8a68aa842d3f8dd04a46b9d632e5f67fde1da9b\",\n \"https://git.kernel.org/stable/c/ead9289a51ea82eb5b27029fcf4c34b2dd60cf06\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/gem: Fix Virtual Memory mapping boundaries calculation\\n\\nCalculating the size of the mapped area as the lesser value\\nbetween the requested size and the actual size does not consider\\nthe partial mapping offset. This can cause page fault access.\\n\\nFix the calculation of the starting and ending addresses, the\\ntotal size is now deduced from the difference between the end and\\nstart addresses.\\n\\nAdditionally, the calculations have been rewritten in a clearer\\nand more understandable form.\\n\\n[Joonas: Add Requires: tag]\\nRequires: 60a2066c5005 (\\\"drm/i915/gem: Adjust vma offset for framebuffer mmap offset\\\")\\n(cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42259\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42267", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42267" + }, + { + "url": "https://git.kernel.org/stable/c/0c710050c47d45eb77b28c271cddefc5c785cb40" + }, + { + "url": "https://git.kernel.org/stable/c/20dbdebc5580cd472a310d56a6e252275ee4c864" + }, + { + "url": "https://git.kernel.org/stable/c/59be4a167782d68e21068a761b90b01fadc09146" + }, + { + "url": "https://git.kernel.org/stable/c/917f598209f3f5e4ab175d5079d8aeb523e58b1f" + }, + { + "url": "https://git.kernel.org/stable/c/d4e7db757e2d7f4c407a007e92c98477eab215d2" + }, + { + "url": "https://git.kernel.org/stable/c/d7ccf2ca772bfe33e2c53ef80fa20d2d87eb6144" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42267 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42267", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()\n\nHandle VM_FAULT_SIGSEGV in the page fault path so that we correctly\nkill the process and we don't BUG() the kernel.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42267\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42267\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42267\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42267\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42267\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c710050c47d45eb77b28c271cddefc5c785cb40\",\n \"https://git.kernel.org/stable/c/20dbdebc5580cd472a310d56a6e252275ee4c864\",\n \"https://git.kernel.org/stable/c/59be4a167782d68e21068a761b90b01fadc09146\",\n \"https://git.kernel.org/stable/c/917f598209f3f5e4ab175d5079d8aeb523e58b1f\",\n \"https://git.kernel.org/stable/c/d4e7db757e2d7f4c407a007e92c98477eab215d2\",\n \"https://git.kernel.org/stable/c/d7ccf2ca772bfe33e2c53ef80fa20d2d87eb6144\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()\\n\\nHandle VM_FAULT_SIGSEGV in the page fault path so that we correctly\\nkill the process and we don't BUG() the kernel.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42267\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42269", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42269" + }, + { + "url": "https://git.kernel.org/stable/c/419ee6274c5153b89c4393c1946faa4c3cad4f9e" + }, + { + "url": "https://git.kernel.org/stable/c/87dba44e9471b79b255d0736858a897332db9226" + }, + { + "url": "https://git.kernel.org/stable/c/91b6df6611b7edb28676c4f63f90c56c30d3e601" + }, + { + "url": "https://git.kernel.org/stable/c/c22921df777de5606f1047b1345b8d22ef1c0b34" + }, + { + "url": "https://git.kernel.org/stable/c/e85b9b6a87be4cb3710082038b677e97f2389003" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42269 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42269", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().\n\nip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id],\nbut the function is exposed to user space before the entry is allocated\nvia register_pernet_subsys().\n\nLet's call register_pernet_subsys() before xt_register_template().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42269\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42269\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42269\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42269\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42269\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/419ee6274c5153b89c4393c1946faa4c3cad4f9e\",\n \"https://git.kernel.org/stable/c/87dba44e9471b79b255d0736858a897332db9226\",\n \"https://git.kernel.org/stable/c/91b6df6611b7edb28676c4f63f90c56c30d3e601\",\n \"https://git.kernel.org/stable/c/c22921df777de5606f1047b1345b8d22ef1c0b34\",\n \"https://git.kernel.org/stable/c/e85b9b6a87be4cb3710082038b677e97f2389003\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().\\n\\nip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id],\\nbut the function is exposed to user space before the entry is allocated\\nvia register_pernet_subsys().\\n\\nLet's call register_pernet_subsys() before xt_register_template().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42269\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42270", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42270" + }, + { + "url": "https://git.kernel.org/stable/c/08ed888b69a22647153fe2bec55b7cd0a46102cc" + }, + { + "url": "https://git.kernel.org/stable/c/5830aa863981d43560748aa93589c0695191d95d" + }, + { + "url": "https://git.kernel.org/stable/c/70014b73d7539fcbb6b4ff5f37368d7241d8e626" + }, + { + "url": "https://git.kernel.org/stable/c/95590a4929027769af35b153645c0ab6fd22b29b" + }, + { + "url": "https://git.kernel.org/stable/c/b98ddb65fa1674b0e6b52de8af9103b63f51b643" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42270 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42270", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().\n\nWe had a report that iptables-restore sometimes triggered null-ptr-deref\nat boot time. [0]\n\nThe problem is that iptable_nat_table_init() is exposed to user space\nbefore the kernel fully initialises netns.\n\nIn the small race window, a user could call iptable_nat_table_init()\nthat accesses net_generic(net, iptable_nat_net_id), which is available\nonly after registering iptable_nat_net_ops.\n\nLet's call register_pernet_subsys() before xt_register_template().\n\n[0]:\nbpfilter: Loaded bpfilter_umh pid 11702\nStarted bpfilter\nBUG: kernel NULL pointer dereference, address: 0000000000000013\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 0 P4D 0\nPREEMPT SMP NOPTI\nCPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1\nHardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017\nRIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\nCode: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c\nRSP: 0018:ffffbef902843cd0 EFLAGS: 00010246\nRAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80\nRDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0\nRBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240\nR10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000\nR13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004\nFS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? xt_find_table_lock (net/netfilter/x_tables.c:1259)\n ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)\n ? page_fault_oops (arch/x86/mm/fault.c:727)\n ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)\n ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)\n ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\n xt_find_table_lock (net/netfilter/x_tables.c:1259)\n xt_request_find_table_lock (net/netfilter/x_tables.c:1287)\n get_info (net/ipv4/netfilter/ip_tables.c:965)\n ? security_capable (security/security.c:809 (discriminator 13))\n ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)\n ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)\n ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter\n nf_getsockopt (net/netfilter/nf_sockopt.c:116)\n ip_getsockopt (net/ipv4/ip_sockglue.c:1827)\n __sys_getsockopt (net/socket.c:2327)\n __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)\n do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)\nRIP: 0033:0x7f62844685ee\nCode: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09\nRSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037\nRAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0\nR10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2\nR13: 00007f6284\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42270\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42270\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42270\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42270\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42270\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08ed888b69a22647153fe2bec55b7cd0a46102cc\",\n \"https://git.kernel.org/stable/c/5830aa863981d43560748aa93589c0695191d95d\",\n \"https://git.kernel.org/stable/c/70014b73d7539fcbb6b4ff5f37368d7241d8e626\",\n \"https://git.kernel.org/stable/c/95590a4929027769af35b153645c0ab6fd22b29b\",\n \"https://git.kernel.org/stable/c/b98ddb65fa1674b0e6b52de8af9103b63f51b643\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().\\n\\nWe had a report that iptables-restore sometimes triggered null-ptr-deref\\nat boot time. [0]\\n\\nThe problem is that iptable_nat_table_init() is exposed to user space\\nbefore the kernel fully initialises netns.\\n\\nIn the small race window, a user could call iptable_nat_table_init()\\nthat accesses net_generic(net, iptable_nat_net_id), which is available\\nonly after registering iptable_nat_net_ops.\\n\\nLet's call register_pernet_subsys() before xt_register_template().\\n\\n[0]:\\nbpfilter: Loaded bpfilter_umh pid 11702\\nStarted bpfilter\\nBUG: kernel NULL pointer dereference, address: 0000000000000013\\n PF: supervisor write access in kernel mode\\n PF: error_code(0x0002) - not-present page\\nPGD 0 P4D 0\\nPREEMPT SMP NOPTI\\nCPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1\\nHardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017\\nRIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\\nCode: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c\\nRSP: 0018:ffffbef902843cd0 EFLAGS: 00010246\\nRAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80\\nRDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0\\nRBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240\\nR10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000\\nR13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004\\nFS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nPKRU: 55555554\\nCall Trace:\\n \\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\\n ? xt_find_table_lock (net/netfilter/x_tables.c:1259)\\n ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)\\n ? page_fault_oops (arch/x86/mm/fault.c:727)\\n ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)\\n ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)\\n ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\\n xt_find_table_lock (net/netfilter/x_tables.c:1259)\\n xt_request_find_table_lock (net/netfilter/x_tables.c:1287)\\n get_info (net/ipv4/netfilter/ip_tables.c:965)\\n ? security_capable (security/security.c:809 (discriminator 13))\\n ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)\\n ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)\\n ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter\\n nf_getsockopt (net/netfilter/nf_sockopt.c:116)\\n ip_getsockopt (net/ipv4/ip_sockglue.c:1827)\\n __sys_getsockopt (net/socket.c:2327)\\n __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)\\n do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)\\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)\\nRIP: 0033:0x7f62844685ee\\nCode: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09\\nRSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037\\nRAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee\\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004\\nRBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0\\nR10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2\\nR13: 00007f6284\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42270\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42271", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42271" + }, + { + "url": "https://git.kernel.org/stable/c/01437282fd3904810603f3dc98d2cac6b8b6fc84" + }, + { + "url": "https://git.kernel.org/stable/c/37652fbef9809411cea55ea5fa1a170e299efcd0" + }, + { + "url": "https://git.kernel.org/stable/c/69620522c48ce8215e5eb55ffbab8cafee8f407d" + }, + { + "url": "https://git.kernel.org/stable/c/84f40b46787ecb67c7ad08a5bb1376141fa10c01" + }, + { + "url": "https://git.kernel.org/stable/c/8b424c9e44111c5a76f41c6b741f8d4c4179d876" + }, + { + "url": "https://git.kernel.org/stable/c/ac758e1f663fe9bc64f6b47212a2aa18697524f5" + }, + { + "url": "https://git.kernel.org/stable/c/c65f72eec60a34ace031426e04e9aff8e5f04895" + }, + { + "url": "https://git.kernel.org/stable/c/f558120cd709682b739207b48cf7479fd9568431" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42271 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42271", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: fix use after free in iucv_sock_close()\n\niucv_sever_path() is called from process context and from bh context.\niucv->path is used as indicator whether somebody else is taking care of\nsevering the path (or it is already removed / never existed).\nThis needs to be done with atomic compare and swap, otherwise there is a\nsmall window where iucv_sock_close() will try to work with a path that has\nalready been severed and freed by iucv_callback_connrej() called by\niucv_tasklet_fn().\n\nExample:\n[452744.123844] Call Trace:\n[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)\n[452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138\n[452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]\n[452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]\n[452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]\n[452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8\n[452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48\n[452744.124820] [<00000000d5421642>] __fput+0xba/0x268\n[452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0\n[452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90\n[452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8\n[452744.125319] Last Breaking-Event-Address:\n[452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138\n[452744.125324]\n[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt\n\nNote that bh_lock_sock() is not serializing the tasklet context against\nprocess context, because the check for sock_owned_by_user() and\ncorresponding handling is missing.\n\nIdeas for a future clean-up patch:\nA) Correct usage of bh_lock_sock() in tasklet context, as described in\nRe-enqueue, if needed. This may require adding return values to the\ntasklet functions and thus changes to all users of iucv.\n\nB) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42271\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42271\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42271\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42271\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42271\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01437282fd3904810603f3dc98d2cac6b8b6fc84\",\n \"https://git.kernel.org/stable/c/37652fbef9809411cea55ea5fa1a170e299efcd0\",\n \"https://git.kernel.org/stable/c/69620522c48ce8215e5eb55ffbab8cafee8f407d\",\n \"https://git.kernel.org/stable/c/84f40b46787ecb67c7ad08a5bb1376141fa10c01\",\n \"https://git.kernel.org/stable/c/8b424c9e44111c5a76f41c6b741f8d4c4179d876\",\n \"https://git.kernel.org/stable/c/ac758e1f663fe9bc64f6b47212a2aa18697524f5\",\n \"https://git.kernel.org/stable/c/c65f72eec60a34ace031426e04e9aff8e5f04895\",\n \"https://git.kernel.org/stable/c/f558120cd709682b739207b48cf7479fd9568431\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/iucv: fix use after free in iucv_sock_close()\\n\\niucv_sever_path() is called from process context and from bh context.\\niucv->path is used as indicator whether somebody else is taking care of\\nsevering the path (or it is already removed / never existed).\\nThis needs to be done with atomic compare and swap, otherwise there is a\\nsmall window where iucv_sock_close() will try to work with a path that has\\nalready been severed and freed by iucv_callback_connrej() called by\\niucv_tasklet_fn().\\n\\nExample:\\n[452744.123844] Call Trace:\\n[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)\\n[452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138\\n[452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]\\n[452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]\\n[452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]\\n[452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8\\n[452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48\\n[452744.124820] [<00000000d5421642>] __fput+0xba/0x268\\n[452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0\\n[452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90\\n[452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8\\n[452744.125319] Last Breaking-Event-Address:\\n[452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138\\n[452744.125324]\\n[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt\\n\\nNote that bh_lock_sock() is not serializing the tasklet context against\\nprocess context, because the check for sock_owned_by_user() and\\ncorresponding handling is missing.\\n\\nIdeas for a future clean-up patch:\\nA) Correct usage of bh_lock_sock() in tasklet context, as described in\\nRe-enqueue, if needed. This may require adding return values to the\\ntasklet functions and thus changes to all users of iucv.\\n\\nB) Change iucv tasklet into worker and use only lock_sock() in af_iucv.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42271\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42272", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42272" + }, + { + "url": "https://git.kernel.org/stable/c/2191a54f63225b548fd8346be3611c3219a24738" + }, + { + "url": "https://git.kernel.org/stable/c/3a5b68869dbe14f1157c6a24ac71923db060eeab" + }, + { + "url": "https://git.kernel.org/stable/c/3ddefcb8f75e312535e2e7d5fef9932019ba60f2" + }, + { + "url": "https://git.kernel.org/stable/c/7c03ab555eb1ba26c77fd7c25bdf44a0ac23edee" + }, + { + "url": "https://git.kernel.org/stable/c/d06daf0ad645d9225a3ff6958dd82e1f3988fa64" + }, + { + "url": "https://git.kernel.org/stable/c/d7cc186d0973afce0e1237c37f7512c01981fb79" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42272 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42272", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: act_ct: take care of padding in struct zones_ht_key\n\nBlamed commit increased lookup key size from 2 bytes to 16 bytes,\nbecause zones_ht_key got a struct net pointer.\n\nMake sure rhashtable_lookup() is not using the padding bytes\nwhich are not initialized.\n\n BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408\n tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425\n tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488\n tcf_action_add net/sched/act_api.c:2061 [inline]\n tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118\n rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665\n netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\n netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357\n netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2597\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651\n __sys_sendmsg net/socket.c:2680 [inline]\n __do_sys_sendmsg net/socket.c:2689 [inline]\n __se_sys_sendmsg net/socket.c:2687 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687\n x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable key created at:\n tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42272\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42272\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42272\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42272\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42272\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2191a54f63225b548fd8346be3611c3219a24738\",\n \"https://git.kernel.org/stable/c/3a5b68869dbe14f1157c6a24ac71923db060eeab\",\n \"https://git.kernel.org/stable/c/3ddefcb8f75e312535e2e7d5fef9932019ba60f2\",\n \"https://git.kernel.org/stable/c/7c03ab555eb1ba26c77fd7c25bdf44a0ac23edee\",\n \"https://git.kernel.org/stable/c/d06daf0ad645d9225a3ff6958dd82e1f3988fa64\",\n \"https://git.kernel.org/stable/c/d7cc186d0973afce0e1237c37f7512c01981fb79\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched: act_ct: take care of padding in struct zones_ht_key\\n\\nBlamed commit increased lookup key size from 2 bytes to 16 bytes,\\nbecause zones_ht_key got a struct net pointer.\\n\\nMake sure rhashtable_lookup() is not using the padding bytes\\nwhich are not initialized.\\n\\n BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\\n BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\\n BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\\n BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\\n BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\\n rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\\n __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\\n rhashtable_lookup include/linux/rhashtable.h:646 [inline]\\n rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\\n tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408\\n tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425\\n tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488\\n tcf_action_add net/sched/act_api.c:2061 [inline]\\n tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118\\n rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647\\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550\\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665\\n netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\\n netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357\\n netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2597\\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651\\n __sys_sendmsg net/socket.c:2680 [inline]\\n __do_sys_sendmsg net/socket.c:2689 [inline]\\n __se_sys_sendmsg net/socket.c:2687 [inline]\\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687\\n x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nLocal variable key created at:\\n tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324\\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42272\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42273", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42273" + }, + { + "url": "https://git.kernel.org/stable/c/0cd106612396656d6f1ca17ef192c6759bb60791" + }, + { + "url": "https://git.kernel.org/stable/c/4239571c5db46a42f723b8fa8394039187c34439" + }, + { + "url": "https://git.kernel.org/stable/c/5fd057160ab240dd816ae09b625395d54c297de1" + }, + { + "url": "https://git.kernel.org/stable/c/8cb1f4080dd91c6e6b01dbea013a3f42341cb6a1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42273 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42273", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid\n\nmkdir /mnt/test/comp\nf2fs_io setflags compression /mnt/test/comp\ndd if=/dev/zero of=/mnt/test/comp/testfile bs=16k count=1\ntruncate --size 13 /mnt/test/comp/testfile\n\nIn the above scenario, we can get a BUG_ON.\n kernel BUG at fs/f2fs/segment.c:3589!\n Call Trace:\n do_write_page+0x78/0x390 [f2fs]\n f2fs_outplace_write_data+0x62/0xb0 [f2fs]\n f2fs_do_write_data_page+0x275/0x740 [f2fs]\n f2fs_write_single_data_page+0x1dc/0x8f0 [f2fs]\n f2fs_write_multi_pages+0x1e5/0xae0 [f2fs]\n f2fs_write_cache_pages+0xab1/0xc60 [f2fs]\n f2fs_write_data_pages+0x2d8/0x330 [f2fs]\n do_writepages+0xcf/0x270\n __writeback_single_inode+0x44/0x350\n writeback_sb_inodes+0x242/0x530\n __writeback_inodes_wb+0x54/0xf0\n wb_writeback+0x192/0x310\n wb_workfn+0x30d/0x400\n\nThe reason is we gave CURSEG_ALL_DATA_ATGC to COMPR_ADDR where the\npage was set the gcing flag by set_cluster_dirty().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42273\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42273\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42273\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42273\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42273\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0cd106612396656d6f1ca17ef192c6759bb60791\",\n \"https://git.kernel.org/stable/c/4239571c5db46a42f723b8fa8394039187c34439\",\n \"https://git.kernel.org/stable/c/5fd057160ab240dd816ae09b625395d54c297de1\",\n \"https://git.kernel.org/stable/c/8cb1f4080dd91c6e6b01dbea013a3f42341cb6a1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid\\n\\nmkdir /mnt/test/comp\\nf2fs_io setflags compression /mnt/test/comp\\ndd if=/dev/zero of=/mnt/test/comp/testfile bs=16k count=1\\ntruncate --size 13 /mnt/test/comp/testfile\\n\\nIn the above scenario, we can get a BUG_ON.\\n kernel BUG at fs/f2fs/segment.c:3589!\\n Call Trace:\\n do_write_page+0x78/0x390 [f2fs]\\n f2fs_outplace_write_data+0x62/0xb0 [f2fs]\\n f2fs_do_write_data_page+0x275/0x740 [f2fs]\\n f2fs_write_single_data_page+0x1dc/0x8f0 [f2fs]\\n f2fs_write_multi_pages+0x1e5/0xae0 [f2fs]\\n f2fs_write_cache_pages+0xab1/0xc60 [f2fs]\\n f2fs_write_data_pages+0x2d8/0x330 [f2fs]\\n do_writepages+0xcf/0x270\\n __writeback_single_inode+0x44/0x350\\n writeback_sb_inodes+0x242/0x530\\n __writeback_inodes_wb+0x54/0xf0\\n wb_writeback+0x192/0x310\\n wb_workfn+0x30d/0x400\\n\\nThe reason is we gave CURSEG_ALL_DATA_ATGC to COMPR_ADDR where the\\npage was set the gcing flag by set_cluster_dirty().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42273\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42274", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42274" + }, + { + "url": "https://git.kernel.org/stable/c/36c255db5a25edd42d1aca48e38b8e95ee5fd9ef" + }, + { + "url": "https://git.kernel.org/stable/c/3dab73ab925a51ab05543b491bf17463a48ca323" + }, + { + "url": "https://git.kernel.org/stable/c/7c07220cf634002f93a87ca2252a32766850f2d1" + }, + { + "url": "https://git.kernel.org/stable/c/b239a37d68e8bc59f9516444da222841e3b13ba9" + }, + { + "url": "https://git.kernel.org/stable/c/f5043e69aeb2786f32e84132817a007a6430aa7d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42274 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42274", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"ALSA: firewire-lib: operate for period elapse event in process context\"\n\nCommit 7ba5ca32fe6e (\"ALSA: firewire-lib: operate for period elapse event\nin process context\") removed the process context workqueue from\namdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove\nits overhead.\n\nWith RME Fireface 800, this lead to a regression since\nKernels 5.14.0, causing an AB/BA deadlock competition for the\nsubstream lock with eventual system freeze under ALSA operation:\n\nthread 0:\n * (lock A) acquire substream lock by\n\tsnd_pcm_stream_lock_irq() in\n\tsnd_pcm_status64()\n * (lock B) wait for tasklet to finish by calling\n \ttasklet_unlock_spin_wait() in\n\ttasklet_disable_in_atomic() in\n\tohci_flush_iso_completions() of ohci.c\n\nthread 1:\n * (lock B) enter tasklet\n * (lock A) attempt to acquire substream lock,\n \twaiting for it to be released:\n\tsnd_pcm_stream_lock_irqsave() in\n \tsnd_pcm_period_elapsed() in\n\tupdate_pcm_pointers() in\n\tprocess_ctx_payloads() in\n\tprocess_rx_packets() of amdtp-stream.c\n\n? tasklet_unlock_spin_wait\n \n \nohci_flush_iso_completions firewire_ohci\namdtp_domain_stream_pcm_pointer snd_firewire_lib\nsnd_pcm_update_hw_ptr0 snd_pcm\nsnd_pcm_status64 snd_pcm\n\n? native_queued_spin_lock_slowpath\n \n \n_raw_spin_lock_irqsave\nsnd_pcm_period_elapsed snd_pcm\nprocess_rx_packets snd_firewire_lib\nirq_target_callback snd_firewire_lib\nhandle_it_packet firewire_ohci\ncontext_tasklet firewire_ohci\n\nRestore the process context work queue to prevent deadlock\nAB/BA deadlock competition for ALSA substream lock of\nsnd_pcm_stream_lock_irq() in snd_pcm_status64()\nand snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed().\n\nrevert commit 7ba5ca32fe6e (\"ALSA: firewire-lib: operate for period\nelapse event in process context\")\n\nReplace inline description to prevent future deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42274\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42274\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42274\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42274\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42274\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36c255db5a25edd42d1aca48e38b8e95ee5fd9ef\",\n \"https://git.kernel.org/stable/c/3dab73ab925a51ab05543b491bf17463a48ca323\",\n \"https://git.kernel.org/stable/c/7c07220cf634002f93a87ca2252a32766850f2d1\",\n \"https://git.kernel.org/stable/c/b239a37d68e8bc59f9516444da222841e3b13ba9\",\n \"https://git.kernel.org/stable/c/f5043e69aeb2786f32e84132817a007a6430aa7d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRevert \\\"ALSA: firewire-lib: operate for period elapse event in process context\\\"\\n\\nCommit 7ba5ca32fe6e (\\\"ALSA: firewire-lib: operate for period elapse event\\nin process context\\\") removed the process context workqueue from\\namdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove\\nits overhead.\\n\\nWith RME Fireface 800, this lead to a regression since\\nKernels 5.14.0, causing an AB/BA deadlock competition for the\\nsubstream lock with eventual system freeze under ALSA operation:\\n\\nthread 0:\\n * (lock A) acquire substream lock by\\n\\tsnd_pcm_stream_lock_irq() in\\n\\tsnd_pcm_status64()\\n * (lock B) wait for tasklet to finish by calling\\n \\ttasklet_unlock_spin_wait() in\\n\\ttasklet_disable_in_atomic() in\\n\\tohci_flush_iso_completions() of ohci.c\\n\\nthread 1:\\n * (lock B) enter tasklet\\n * (lock A) attempt to acquire substream lock,\\n \\twaiting for it to be released:\\n\\tsnd_pcm_stream_lock_irqsave() in\\n \\tsnd_pcm_period_elapsed() in\\n\\tupdate_pcm_pointers() in\\n\\tprocess_ctx_payloads() in\\n\\tprocess_rx_packets() of amdtp-stream.c\\n\\n? tasklet_unlock_spin_wait\\n \\n \\nohci_flush_iso_completions firewire_ohci\\namdtp_domain_stream_pcm_pointer snd_firewire_lib\\nsnd_pcm_update_hw_ptr0 snd_pcm\\nsnd_pcm_status64 snd_pcm\\n\\n? native_queued_spin_lock_slowpath\\n \\n \\n_raw_spin_lock_irqsave\\nsnd_pcm_period_elapsed snd_pcm\\nprocess_rx_packets snd_firewire_lib\\nirq_target_callback snd_firewire_lib\\nhandle_it_packet firewire_ohci\\ncontext_tasklet firewire_ohci\\n\\nRestore the process context work queue to prevent deadlock\\nAB/BA deadlock competition for ALSA substream lock of\\nsnd_pcm_stream_lock_irq() in snd_pcm_status64()\\nand snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed().\\n\\nrevert commit 7ba5ca32fe6e (\\\"ALSA: firewire-lib: operate for period\\nelapse event in process context\\\")\\n\\nReplace inline description to prevent future deadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42274\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42276", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42276" + }, + { + "url": "https://git.kernel.org/stable/c/3f8ec1d6b0ebd8268307d52be8301973fa5a01ec" + }, + { + "url": "https://git.kernel.org/stable/c/70100fe721840bf6d8e5abd25b8bffe4d2e049b7" + }, + { + "url": "https://git.kernel.org/stable/c/77848b379e9f85a08048a2c8b3b4a7e8396f5f83" + }, + { + "url": "https://git.kernel.org/stable/c/7cc1f4cd90a00b6191cb8cda2d1302fdce59361c" + }, + { + "url": "https://git.kernel.org/stable/c/be23ae63080e0bf9e246ab20207200bca6585eba" + }, + { + "url": "https://git.kernel.org/stable/c/c31fad1470389666ac7169fe43aa65bf5b7e2cfd" + }, + { + "url": "https://git.kernel.org/stable/c/d135c3352f7c947a922da93c8e763ee6bc208b64" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42276 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42276", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: add missing condition check for existence of mapped data\n\nnvme_map_data() is called when request has physical segments, hence\nthe nvme_unmap_data() should have same condition to avoid dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42276\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42276\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42276\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42276\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42276\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f8ec1d6b0ebd8268307d52be8301973fa5a01ec\",\n \"https://git.kernel.org/stable/c/70100fe721840bf6d8e5abd25b8bffe4d2e049b7\",\n \"https://git.kernel.org/stable/c/77848b379e9f85a08048a2c8b3b4a7e8396f5f83\",\n \"https://git.kernel.org/stable/c/7cc1f4cd90a00b6191cb8cda2d1302fdce59361c\",\n \"https://git.kernel.org/stable/c/be23ae63080e0bf9e246ab20207200bca6585eba\",\n \"https://git.kernel.org/stable/c/c31fad1470389666ac7169fe43aa65bf5b7e2cfd\",\n \"https://git.kernel.org/stable/c/d135c3352f7c947a922da93c8e763ee6bc208b64\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme-pci: add missing condition check for existence of mapped data\\n\\nnvme_map_data() is called when request has physical segments, hence\\nthe nvme_unmap_data() should have same condition to avoid dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42276\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42277", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42277" + }, + { + "url": "https://git.kernel.org/stable/c/630482ee0653decf9e2482ac6181897eb6cde5b8" + }, + { + "url": "https://git.kernel.org/stable/c/8c79ceb4ecf823e6ec10fee6febb0fca3de79922" + }, + { + "url": "https://git.kernel.org/stable/c/b62841e49a2b7938f6fdeaaf93fb57e4eb880bdb" + }, + { + "url": "https://git.kernel.org/stable/c/d5fe884ce28c5005f8582c35333c195a168f841c" + }, + { + "url": "https://git.kernel.org/stable/c/dfe90030a0cfa26dca4cb6510de28920e5ad22fb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42277 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42277", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: sprd: Avoid NULL deref in sprd_iommu_hw_en\n\nIn sprd_iommu_cleanup() before calling function sprd_iommu_hw_en()\ndom->sdev is equal to NULL, which leads to null dereference.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42277\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42277\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42277\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42277\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42277\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/630482ee0653decf9e2482ac6181897eb6cde5b8\",\n \"https://git.kernel.org/stable/c/8c79ceb4ecf823e6ec10fee6febb0fca3de79922\",\n \"https://git.kernel.org/stable/c/b62841e49a2b7938f6fdeaaf93fb57e4eb880bdb\",\n \"https://git.kernel.org/stable/c/d5fe884ce28c5005f8582c35333c195a168f841c\",\n \"https://git.kernel.org/stable/c/dfe90030a0cfa26dca4cb6510de28920e5ad22fb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu: sprd: Avoid NULL deref in sprd_iommu_hw_en\\n\\nIn sprd_iommu_cleanup() before calling function sprd_iommu_hw_en()\\ndom->sdev is equal to NULL, which leads to null dereference.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42277\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42280", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42280" + }, + { + "url": "https://git.kernel.org/stable/c/4d8b642985ae24f4b3656438eb8489834a17bb80" + }, + { + "url": "https://git.kernel.org/stable/c/61ab751451f5ebd0b98e02276a44e23a10110402" + }, + { + "url": "https://git.kernel.org/stable/c/70db2c84631f50e02e6b32b543700699dd395803" + }, + { + "url": "https://git.kernel.org/stable/c/7e4a539bca7d8d20f2c5d93c18cce8ef77cd78e0" + }, + { + "url": "https://git.kernel.org/stable/c/8f4030277dfb9dbe04fd78566b19931097c9d629" + }, + { + "url": "https://git.kernel.org/stable/c/9460ac3dd1ae033bc2b021a458fb535a0c36ddb2" + }, + { + "url": "https://git.kernel.org/stable/c/d3e4d4a98c5629ccdcb762a0ff6c82ba9738a0c3" + }, + { + "url": "https://git.kernel.org/stable/c/ddc79556641ee070d36be0de4a1f0a16a71f1fc7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42280 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42280", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: Fix a use after free in hfcmulti_tx()\n\nDon't dereference *sp after calling dev_kfree_skb(*sp).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42280\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42280\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42280\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42280\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42280\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4d8b642985ae24f4b3656438eb8489834a17bb80\",\n \"https://git.kernel.org/stable/c/61ab751451f5ebd0b98e02276a44e23a10110402\",\n \"https://git.kernel.org/stable/c/70db2c84631f50e02e6b32b543700699dd395803\",\n \"https://git.kernel.org/stable/c/7e4a539bca7d8d20f2c5d93c18cce8ef77cd78e0\",\n \"https://git.kernel.org/stable/c/8f4030277dfb9dbe04fd78566b19931097c9d629\",\n \"https://git.kernel.org/stable/c/9460ac3dd1ae033bc2b021a458fb535a0c36ddb2\",\n \"https://git.kernel.org/stable/c/d3e4d4a98c5629ccdcb762a0ff6c82ba9738a0c3\",\n \"https://git.kernel.org/stable/c/ddc79556641ee070d36be0de4a1f0a16a71f1fc7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmISDN: Fix a use after free in hfcmulti_tx()\\n\\nDon't dereference *sp after calling dev_kfree_skb(*sp).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42280\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42281", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42281" + }, + { + "url": "https://git.kernel.org/stable/c/11ec79f5c7f74261874744039bc1551023edd6b2" + }, + { + "url": "https://git.kernel.org/stable/c/a689f5eb13a90f892a088865478b3cd39f53d5dc" + }, + { + "url": "https://git.kernel.org/stable/c/c3496314c53e7e82ddb544c825defc3e8c0e45cf" + }, + { + "url": "https://git.kernel.org/stable/c/dda518dea60d556a2d171c0122ca7d9fdb7d473a" + }, + { + "url": "https://git.kernel.org/stable/c/ec4eea14d75f7b0491194dd413f540dd19b8c733" + }, + { + "url": "https://git.kernel.org/stable/c/f6bb8c90cab97a3e03f8d30e3069efe6a742e0be" + }, + { + "url": "https://git.kernel.org/stable/c/fa5ef655615a01533035c6139248c5b33aa27028" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42281 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42281", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a segment issue when downgrading gso_size\n\nLinearize the skb when downgrading gso_size because it may trigger a\nBUG_ON() later when the skb is segmented as described in [1,2].", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42281\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42281\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42281\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42281\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42281\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11ec79f5c7f74261874744039bc1551023edd6b2\",\n \"https://git.kernel.org/stable/c/a689f5eb13a90f892a088865478b3cd39f53d5dc\",\n \"https://git.kernel.org/stable/c/c3496314c53e7e82ddb544c825defc3e8c0e45cf\",\n \"https://git.kernel.org/stable/c/dda518dea60d556a2d171c0122ca7d9fdb7d473a\",\n \"https://git.kernel.org/stable/c/ec4eea14d75f7b0491194dd413f540dd19b8c733\",\n \"https://git.kernel.org/stable/c/f6bb8c90cab97a3e03f8d30e3069efe6a742e0be\",\n \"https://git.kernel.org/stable/c/fa5ef655615a01533035c6139248c5b33aa27028\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix a segment issue when downgrading gso_size\\n\\nLinearize the skb when downgrading gso_size because it may trigger a\\nBUG_ON() later when the skb is segmented as described in [1,2].\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42281\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42283", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42283" + }, + { + "url": "https://git.kernel.org/stable/c/1377de719652d868f5317ba8398b7e74c5f0430b" + }, + { + "url": "https://git.kernel.org/stable/c/5cc4d71dda2dd4f1520f40e634a527022e48ccd8" + }, + { + "url": "https://git.kernel.org/stable/c/6d745cd0e9720282cd291d36b9db528aea18add2" + }, + { + "url": "https://git.kernel.org/stable/c/7704460acd7f5d35eb07c52500987dc9b95313fb" + }, + { + "url": "https://git.kernel.org/stable/c/9e8f558a3afe99ce51a642ce0d3637ddc2b5d5d0" + }, + { + "url": "https://git.kernel.org/stable/c/a13d3864b76ac87085ec530b2ff8e37482a63a96" + }, + { + "url": "https://git.kernel.org/stable/c/fd06cb4a5fc7bda3dea31712618a62af72a1c6cb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42283 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42283", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nexthop: Initialize all fields in dumped nexthops\n\nstruct nexthop_grp contains two reserved fields that are not initialized by\nnla_put_nh_group(), and carry garbage. This can be observed e.g. with\nstrace (edited for clarity):\n\n # ip nexthop add id 1 dev lo\n # ip nexthop add id 101 group 1\n # strace -e recvmsg ip nexthop get id 101\n ...\n recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},\n [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52\n\nThe fields are reserved and therefore not currently used. But as they are, they\nleak kernel memory, and the fact they are not just zero complicates repurposing\nof the fields for new ends. Initialize the full structure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42283\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42283\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42283\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42283\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42283\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1377de719652d868f5317ba8398b7e74c5f0430b\",\n \"https://git.kernel.org/stable/c/5cc4d71dda2dd4f1520f40e634a527022e48ccd8\",\n \"https://git.kernel.org/stable/c/6d745cd0e9720282cd291d36b9db528aea18add2\",\n \"https://git.kernel.org/stable/c/7704460acd7f5d35eb07c52500987dc9b95313fb\",\n \"https://git.kernel.org/stable/c/9e8f558a3afe99ce51a642ce0d3637ddc2b5d5d0\",\n \"https://git.kernel.org/stable/c/a13d3864b76ac87085ec530b2ff8e37482a63a96\",\n \"https://git.kernel.org/stable/c/fd06cb4a5fc7bda3dea31712618a62af72a1c6cb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: nexthop: Initialize all fields in dumped nexthops\\n\\nstruct nexthop_grp contains two reserved fields that are not initialized by\\nnla_put_nh_group(), and carry garbage. This can be observed e.g. with\\nstrace (edited for clarity):\\n\\n # ip nexthop add id 1 dev lo\\n # ip nexthop add id 101 group 1\\n # strace -e recvmsg ip nexthop get id 101\\n ...\\n recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},\\n [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52\\n\\nThe fields are reserved and therefore not currently used. But as they are, they\\nleak kernel memory, and the fact they are not just zero complicates repurposing\\nof the fields for new ends. Initialize the full structure.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42283\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42284", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42284" + }, + { + "url": "https://git.kernel.org/stable/c/253405541be2f15ffebdeac2f4cf4b7e9144d12f" + }, + { + "url": "https://git.kernel.org/stable/c/2abe350db1aa599eeebc6892237d0bce0f1de62a" + }, + { + "url": "https://git.kernel.org/stable/c/5eea127675450583680c8170358bcba43227bd69" + }, + { + "url": "https://git.kernel.org/stable/c/728734352743a78b4c5a7285b282127696a4a813" + }, + { + "url": "https://git.kernel.org/stable/c/76ddf84a52f0d8ec3f5db6ccce08faf202a17d28" + }, + { + "url": "https://git.kernel.org/stable/c/7ec3335dd89c8d169e9650e4bac64fde71fdf15b" + }, + { + "url": "https://git.kernel.org/stable/c/aa38bf74899de07cf70b50cd17f8ad45fb6654c8" + }, + { + "url": "https://git.kernel.org/stable/c/fa96c6baef1b5385e2f0c0677b32b3839e716076" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42284 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42284", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Return non-zero value from tipc_udp_addr2str() on error\n\ntipc_udp_addr2str() should return non-zero value if the UDP media\naddress is invalid. Otherwise, a buffer overflow access can occur in\ntipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP\nmedia address.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42284\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42284\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42284\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42284\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42284\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/253405541be2f15ffebdeac2f4cf4b7e9144d12f\",\n \"https://git.kernel.org/stable/c/2abe350db1aa599eeebc6892237d0bce0f1de62a\",\n \"https://git.kernel.org/stable/c/5eea127675450583680c8170358bcba43227bd69\",\n \"https://git.kernel.org/stable/c/728734352743a78b4c5a7285b282127696a4a813\",\n \"https://git.kernel.org/stable/c/76ddf84a52f0d8ec3f5db6ccce08faf202a17d28\",\n \"https://git.kernel.org/stable/c/7ec3335dd89c8d169e9650e4bac64fde71fdf15b\",\n \"https://git.kernel.org/stable/c/aa38bf74899de07cf70b50cd17f8ad45fb6654c8\",\n \"https://git.kernel.org/stable/c/fa96c6baef1b5385e2f0c0677b32b3839e716076\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: Return non-zero value from tipc_udp_addr2str() on error\\n\\ntipc_udp_addr2str() should return non-zero value if the UDP media\\naddress is invalid. Otherwise, a buffer overflow access can occur in\\ntipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP\\nmedia address.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42284\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42285", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42285" + }, + { + "url": "https://git.kernel.org/stable/c/557d035fe88d78dd51664f4dc0e1896c04c97cf6" + }, + { + "url": "https://git.kernel.org/stable/c/7f25f296fc9bd0435be14e89bf657cd615a23574" + }, + { + "url": "https://git.kernel.org/stable/c/94ee7ff99b87435ec63211f632918dc7f44dac79" + }, + { + "url": "https://git.kernel.org/stable/c/aee2424246f9f1dadc33faa78990c1e2eb7826e4" + }, + { + "url": "https://git.kernel.org/stable/c/d91d253c87fd1efece521ff2612078a35af673c6" + }, + { + "url": "https://git.kernel.org/stable/c/dc8074b8901caabb97c2d353abd6b4e7fa5a59a5" + }, + { + "url": "https://git.kernel.org/stable/c/ee39384ee787e86e9db4efb843818ef0ea9cb8ae" + }, + { + "url": "https://git.kernel.org/stable/c/ff5bbbdee08287d75d72e65b72a2b76d9637892a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42285 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42285", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix a use-after-free related to destroying CM IDs\n\niw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with\nan existing struct iw_cm_id (cm_id) as follows:\n\n conn_id->cm_id.iw = cm_id;\n cm_id->context = conn_id;\n cm_id->cm_handler = cma_iw_handler;\n\nrdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make\nsure that cm_work_handler() does not trigger a use-after-free by only\nfreeing of the struct rdma_id_private after all pending work has finished.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42285\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42285\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42285\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42285\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42285\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/557d035fe88d78dd51664f4dc0e1896c04c97cf6\",\n \"https://git.kernel.org/stable/c/7f25f296fc9bd0435be14e89bf657cd615a23574\",\n \"https://git.kernel.org/stable/c/94ee7ff99b87435ec63211f632918dc7f44dac79\",\n \"https://git.kernel.org/stable/c/aee2424246f9f1dadc33faa78990c1e2eb7826e4\",\n \"https://git.kernel.org/stable/c/d91d253c87fd1efece521ff2612078a35af673c6\",\n \"https://git.kernel.org/stable/c/dc8074b8901caabb97c2d353abd6b4e7fa5a59a5\",\n \"https://git.kernel.org/stable/c/ee39384ee787e86e9db4efb843818ef0ea9cb8ae\",\n \"https://git.kernel.org/stable/c/ff5bbbdee08287d75d72e65b72a2b76d9637892a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/iwcm: Fix a use-after-free related to destroying CM IDs\\n\\niw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with\\nan existing struct iw_cm_id (cm_id) as follows:\\n\\n conn_id->cm_id.iw = cm_id;\\n cm_id->context = conn_id;\\n cm_id->cm_handler = cma_iw_handler;\\n\\nrdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make\\nsure that cm_work_handler() does not trigger a use-after-free by only\\nfreeing of the struct rdma_id_private after all pending work has finished.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42285\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42286", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42286" + }, + { + "url": "https://git.kernel.org/stable/c/3eac973eb5cb2b874b3918f924798afc5affd46b" + }, + { + "url": "https://git.kernel.org/stable/c/549aac9655320c9b245a24271b204668c5d40430" + }, + { + "url": "https://git.kernel.org/stable/c/7cec2c3bfe84539c415f5e16f989228eba1d2f1e" + }, + { + "url": "https://git.kernel.org/stable/c/a3ab508a4853a9f5ae25a7816a4889f09938f63c" + }, + { + "url": "https://git.kernel.org/stable/c/cde43031df533751b4ead37d173922feee2f550f" + }, + { + "url": "https://git.kernel.org/stable/c/e1f010844443c389bc552884ac5cfa47de34d54c" + }, + { + "url": "https://git.kernel.org/stable/c/eb1d4ce2609584eeb7694866f34d4b213caa3af9" + }, + { + "url": "https://git.kernel.org/stable/c/f6be298cc1042f24d521197af29c7c4eb95af4d5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42286 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42286", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: validate nvme_local_port correctly\n\nThe driver load failed with error message,\n\nqla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef\n\nand with a kernel crash,\n\n\tBUG: unable to handle kernel NULL pointer dereference at 0000000000000070\n\tWorkqueue: events_unbound qla_register_fcport_fn [qla2xxx]\n\tRIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc]\n\tRSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282\n\tRAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000\n\tRDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000\n\tRBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030\n\tR10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4\n\tR13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8\n\tFS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000\n\tCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0\n\tCall Trace:\n\tqla_nvme_register_remote+0xeb/0x1f0 [qla2xxx]\n\t? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx]\n\tqla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx]\n\tqla_register_fcport_fn+0x54/0xc0 [qla2xxx]\n\nExit the qla_nvme_register_remote() function when qla_nvme_register_hba()\nfails and correctly validate nvme_local_port.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42286\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42286\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42286\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42286\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42286\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3eac973eb5cb2b874b3918f924798afc5affd46b\",\n \"https://git.kernel.org/stable/c/549aac9655320c9b245a24271b204668c5d40430\",\n \"https://git.kernel.org/stable/c/7cec2c3bfe84539c415f5e16f989228eba1d2f1e\",\n \"https://git.kernel.org/stable/c/a3ab508a4853a9f5ae25a7816a4889f09938f63c\",\n \"https://git.kernel.org/stable/c/cde43031df533751b4ead37d173922feee2f550f\",\n \"https://git.kernel.org/stable/c/e1f010844443c389bc552884ac5cfa47de34d54c\",\n \"https://git.kernel.org/stable/c/eb1d4ce2609584eeb7694866f34d4b213caa3af9\",\n \"https://git.kernel.org/stable/c/f6be298cc1042f24d521197af29c7c4eb95af4d5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: validate nvme_local_port correctly\\n\\nThe driver load failed with error message,\\n\\nqla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef\\n\\nand with a kernel crash,\\n\\n\\tBUG: unable to handle kernel NULL pointer dereference at 0000000000000070\\n\\tWorkqueue: events_unbound qla_register_fcport_fn [qla2xxx]\\n\\tRIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc]\\n\\tRSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282\\n\\tRAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000\\n\\tRDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000\\n\\tRBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030\\n\\tR10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4\\n\\tR13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8\\n\\tFS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000\\n\\tCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n\\tCR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0\\n\\tCall Trace:\\n\\tqla_nvme_register_remote+0xeb/0x1f0 [qla2xxx]\\n\\t? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx]\\n\\tqla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx]\\n\\tqla_register_fcport_fn+0x54/0xc0 [qla2xxx]\\n\\nExit the qla_nvme_register_remote() function when qla_nvme_register_hba()\\nfails and correctly validate nvme_local_port.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42286\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42287", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42287" + }, + { + "url": "https://git.kernel.org/stable/c/314efe3f87949a568f512f05df20bf47b81cf232" + }, + { + "url": "https://git.kernel.org/stable/c/36fdc5319c4d0ec8b8938ec4769764098a246bfb" + }, + { + "url": "https://git.kernel.org/stable/c/4475afa2646d3fec176fc4d011d3879b26cb26e3" + }, + { + "url": "https://git.kernel.org/stable/c/57ba7563712227647f82a92547e82c96cd350553" + }, + { + "url": "https://git.kernel.org/stable/c/814f4a53cc86f7ea8b501bfb1723f24fd29ef5ee" + }, + { + "url": "https://git.kernel.org/stable/c/9117337b04d789bd08fdd9854a40bec2815cd3f6" + }, + { + "url": "https://git.kernel.org/stable/c/af46649304b0c9cede4ccfc2be2561ce8ed6a2ea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42287 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42287", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Complete command early within lock\n\nA crash was observed while performing NPIV and FW reset,\n\n BUG: kernel NULL pointer dereference, address: 000000000000001c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 1 PREEMPT_RT SMP NOPTI\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\n RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0\n RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034\n R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000\n R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000\n FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n \n ? __die_body+0x1a/0x60\n ? page_fault_oops+0x16f/0x4a0\n ? do_user_addr_fault+0x174/0x7f0\n ? exc_page_fault+0x69/0x1a0\n ? asm_exc_page_fault+0x22/0x30\n ? dma_direct_unmap_sg+0x51/0x1e0\n ? preempt_count_sub+0x96/0xe0\n qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx]\n qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx]\n __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx]\n\nThe command completion was done early while aborting the commands in driver\nunload path but outside lock to avoid the WARN_ON condition of performing\ndma_free_attr within the lock. However this caused race condition while\ncommand completion via multiple paths causing system crash.\n\nHence complete the command early in unload path but within the lock to\navoid race condition.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42287\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42287\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42287\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42287\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42287\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/314efe3f87949a568f512f05df20bf47b81cf232\",\n \"https://git.kernel.org/stable/c/36fdc5319c4d0ec8b8938ec4769764098a246bfb\",\n \"https://git.kernel.org/stable/c/4475afa2646d3fec176fc4d011d3879b26cb26e3\",\n \"https://git.kernel.org/stable/c/57ba7563712227647f82a92547e82c96cd350553\",\n \"https://git.kernel.org/stable/c/814f4a53cc86f7ea8b501bfb1723f24fd29ef5ee\",\n \"https://git.kernel.org/stable/c/9117337b04d789bd08fdd9854a40bec2815cd3f6\",\n \"https://git.kernel.org/stable/c/af46649304b0c9cede4ccfc2be2561ce8ed6a2ea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Complete command early within lock\\n\\nA crash was observed while performing NPIV and FW reset,\\n\\n BUG: kernel NULL pointer dereference, address: 000000000000001c\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 1 PREEMPT_RT SMP NOPTI\\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\\n RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246\\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002\\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0\\n RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034\\n R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000\\n R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000\\n FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n PKRU: 55555554\\n Call Trace:\\n \\n ? __die_body+0x1a/0x60\\n ? page_fault_oops+0x16f/0x4a0\\n ? do_user_addr_fault+0x174/0x7f0\\n ? exc_page_fault+0x69/0x1a0\\n ? asm_exc_page_fault+0x22/0x30\\n ? dma_direct_unmap_sg+0x51/0x1e0\\n ? preempt_count_sub+0x96/0xe0\\n qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx]\\n qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx]\\n __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx]\\n\\nThe command completion was done early while aborting the commands in driver\\nunload path but outside lock to avoid the WARN_ON condition of performing\\ndma_free_attr within the lock. However this caused race condition while\\ncommand completion via multiple paths causing system crash.\\n\\nHence complete the command early in unload path but within the lock to\\navoid race condition.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42287\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42288", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42288" + }, + { + "url": "https://git.kernel.org/stable/c/2a15b59a2c5afac89696e44acf5bbfc0599c6c5e" + }, + { + "url": "https://git.kernel.org/stable/c/571d7f2a08836698c2fb0d792236424575b9829b" + }, + { + "url": "https://git.kernel.org/stable/c/8192c533e89d9fb69b2490398939236b78cda79b" + }, + { + "url": "https://git.kernel.org/stable/c/87db8d7b7520e99de71791260989f06f9c94953d" + }, + { + "url": "https://git.kernel.org/stable/c/b0302ffc74123b6a99d7d1896fcd9b2e4072d9ce" + }, + { + "url": "https://git.kernel.org/stable/c/c03d740152f78e86945a75b2ad541bf972fab92a" + }, + { + "url": "https://git.kernel.org/stable/c/dae67169cb35a37ecccf60cfcd6bf93a1f4f5efb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42288 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42288", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix for possible memory corruption\n\nInit Control Block is dereferenced incorrectly. Correctly dereference ICB", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42288\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42288\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42288\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42288\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42288\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a15b59a2c5afac89696e44acf5bbfc0599c6c5e\",\n \"https://git.kernel.org/stable/c/571d7f2a08836698c2fb0d792236424575b9829b\",\n \"https://git.kernel.org/stable/c/8192c533e89d9fb69b2490398939236b78cda79b\",\n \"https://git.kernel.org/stable/c/87db8d7b7520e99de71791260989f06f9c94953d\",\n \"https://git.kernel.org/stable/c/b0302ffc74123b6a99d7d1896fcd9b2e4072d9ce\",\n \"https://git.kernel.org/stable/c/c03d740152f78e86945a75b2ad541bf972fab92a\",\n \"https://git.kernel.org/stable/c/dae67169cb35a37ecccf60cfcd6bf93a1f4f5efb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Fix for possible memory corruption\\n\\nInit Control Block is dereferenced incorrectly. Correctly dereference ICB\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42288\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42289", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42289" + }, + { + "url": "https://git.kernel.org/stable/c/086489256696eb774654a5410e86381c346356fe" + }, + { + "url": "https://git.kernel.org/stable/c/171ac4b495f9473bc134356a00095b47e6409e52" + }, + { + "url": "https://git.kernel.org/stable/c/76f480d7c717368f29a3870f7d64471ce0ff8fb2" + }, + { + "url": "https://git.kernel.org/stable/c/87c25fcb95aafabb6a4914239f4ab41b07a4f9b7" + }, + { + "url": "https://git.kernel.org/stable/c/b12c54e51ba83c1fbc619d35083d7872e42ecdef" + }, + { + "url": "https://git.kernel.org/stable/c/b35d6d5a2f38605cddea7d5c64cded894fbe8ede" + }, + { + "url": "https://git.kernel.org/stable/c/d28a2075bb530489715a3b011e1dd8765ba20313" + }, + { + "url": "https://git.kernel.org/stable/c/e5ed6a26ffdec0c91cf0b6138afbd675c00ad5fc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42289 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42289", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: During vport delete send async logout explicitly\n\nDuring vport delete, it is observed that during unload we hit a crash\nbecause of stale entries in outstanding command array. For all these stale\nI/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but\nI/Os could not complete while vport delete is in process of deleting.\n\n BUG: kernel NULL pointer dereference, address: 000000000000001c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n Workqueue: qla2xxx_wq qla_do_work [qla2xxx]\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\n RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0\n RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8\n R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000\n R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0\n Call Trace:\n \n qla2xxx_qpair_sp_free_dma+0x417/0x4e0\n ? qla2xxx_qpair_sp_compl+0x10d/0x1a0\n ? qla2x00_status_entry+0x768/0x2830\n ? newidle_balance+0x2f0/0x430\n ? dequeue_entity+0x100/0x3c0\n ? qla24xx_process_response_queue+0x6a1/0x19e0\n ? __schedule+0x2d5/0x1140\n ? qla_do_work+0x47/0x60\n ? process_one_work+0x267/0x440\n ? process_one_work+0x440/0x440\n ? worker_thread+0x2d/0x3d0\n ? process_one_work+0x440/0x440\n ? kthread+0x156/0x180\n ? set_kthread_struct+0x50/0x50\n ? ret_from_fork+0x22/0x30\n \n\nSend out async logout explicitly for all the ports during vport delete.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42289\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42289\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42289\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42289\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42289\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/086489256696eb774654a5410e86381c346356fe\",\n \"https://git.kernel.org/stable/c/171ac4b495f9473bc134356a00095b47e6409e52\",\n \"https://git.kernel.org/stable/c/76f480d7c717368f29a3870f7d64471ce0ff8fb2\",\n \"https://git.kernel.org/stable/c/87c25fcb95aafabb6a4914239f4ab41b07a4f9b7\",\n \"https://git.kernel.org/stable/c/b12c54e51ba83c1fbc619d35083d7872e42ecdef\",\n \"https://git.kernel.org/stable/c/b35d6d5a2f38605cddea7d5c64cded894fbe8ede\",\n \"https://git.kernel.org/stable/c/d28a2075bb530489715a3b011e1dd8765ba20313\",\n \"https://git.kernel.org/stable/c/e5ed6a26ffdec0c91cf0b6138afbd675c00ad5fc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: During vport delete send async logout explicitly\\n\\nDuring vport delete, it is observed that during unload we hit a crash\\nbecause of stale entries in outstanding command array. For all these stale\\nI/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but\\nI/Os could not complete while vport delete is in process of deleting.\\n\\n BUG: kernel NULL pointer dereference, address: 000000000000001c\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 [#1] PREEMPT SMP NOPTI\\n Workqueue: qla2xxx_wq qla_do_work [qla2xxx]\\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\\n RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046\\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001\\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0\\n RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8\\n R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000\\n R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000\\n FS: 0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0\\n Call Trace:\\n \\n qla2xxx_qpair_sp_free_dma+0x417/0x4e0\\n ? qla2xxx_qpair_sp_compl+0x10d/0x1a0\\n ? qla2x00_status_entry+0x768/0x2830\\n ? newidle_balance+0x2f0/0x430\\n ? dequeue_entity+0x100/0x3c0\\n ? qla24xx_process_response_queue+0x6a1/0x19e0\\n ? __schedule+0x2d5/0x1140\\n ? qla_do_work+0x47/0x60\\n ? process_one_work+0x267/0x440\\n ? process_one_work+0x440/0x440\\n ? worker_thread+0x2d/0x3d0\\n ? process_one_work+0x440/0x440\\n ? kthread+0x156/0x180\\n ? set_kthread_struct+0x50/0x50\\n ? ret_from_fork+0x22/0x30\\n \\n\\nSend out async logout explicitly for all the ports during vport delete.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42289\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42290", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42290" + }, + { + "url": "https://git.kernel.org/stable/c/21bd3f9e7f924cd2fc892a484e7a50c7e1847565" + }, + { + "url": "https://git.kernel.org/stable/c/33b1c47d1fc0b5f06a393bb915db85baacba18ea" + }, + { + "url": "https://git.kernel.org/stable/c/3a2884a44e5cda192df1b28e9925661f79f599a1" + }, + { + "url": "https://git.kernel.org/stable/c/58c56735facb225a5c46fa4b8bbbe7f31d1cb894" + }, + { + "url": "https://git.kernel.org/stable/c/a590e8dea3df2639921f874d763be961dd74e8f9" + }, + { + "url": "https://git.kernel.org/stable/c/f8ae38f1dfe652779c7c613facbc257cec00ac44" + }, + { + "url": "https://git.kernel.org/stable/c/fa1803401e1c360efe6342fb41d161cc51748a11" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42290 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42290", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/imx-irqsteer: Handle runtime power management correctly\n\nThe power domain is automatically activated from clk_prepare(). However, on\ncertain platforms like i.MX8QM and i.MX8QXP, the power-on handling invokes\nsleeping functions, which triggers the 'scheduling while atomic' bug in the\ncontext switch path during device probing:\n\n BUG: scheduling while atomic: kworker/u13:1/48/0x00000002\n Call trace:\n __schedule_bug+0x54/0x6c\n __schedule+0x7f0/0xa94\n schedule+0x5c/0xc4\n schedule_preempt_disabled+0x24/0x40\n __mutex_lock.constprop.0+0x2c0/0x540\n __mutex_lock_slowpath+0x14/0x20\n mutex_lock+0x48/0x54\n clk_prepare_lock+0x44/0xa0\n clk_prepare+0x20/0x44\n imx_irqsteer_resume+0x28/0xe0\n pm_generic_runtime_resume+0x2c/0x44\n __genpd_runtime_resume+0x30/0x80\n genpd_runtime_resume+0xc8/0x2c0\n __rpm_callback+0x48/0x1d8\n rpm_callback+0x6c/0x78\n rpm_resume+0x490/0x6b4\n __pm_runtime_resume+0x50/0x94\n irq_chip_pm_get+0x2c/0xa0\n __irq_do_set_handler+0x178/0x24c\n irq_set_chained_handler_and_data+0x60/0xa4\n mxc_gpio_probe+0x160/0x4b0\n\nCure this by implementing the irq_bus_lock/sync_unlock() interrupt chip\ncallbacks and handle power management in them as they are invoked from\nnon-atomic context.\n\n[ tglx: Rewrote change log, added Fixes tag ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42290\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42290\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42290\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42290\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42290\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21bd3f9e7f924cd2fc892a484e7a50c7e1847565\",\n \"https://git.kernel.org/stable/c/33b1c47d1fc0b5f06a393bb915db85baacba18ea\",\n \"https://git.kernel.org/stable/c/3a2884a44e5cda192df1b28e9925661f79f599a1\",\n \"https://git.kernel.org/stable/c/58c56735facb225a5c46fa4b8bbbe7f31d1cb894\",\n \"https://git.kernel.org/stable/c/a590e8dea3df2639921f874d763be961dd74e8f9\",\n \"https://git.kernel.org/stable/c/f8ae38f1dfe652779c7c613facbc257cec00ac44\",\n \"https://git.kernel.org/stable/c/fa1803401e1c360efe6342fb41d161cc51748a11\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nirqchip/imx-irqsteer: Handle runtime power management correctly\\n\\nThe power domain is automatically activated from clk_prepare(). However, on\\ncertain platforms like i.MX8QM and i.MX8QXP, the power-on handling invokes\\nsleeping functions, which triggers the 'scheduling while atomic' bug in the\\ncontext switch path during device probing:\\n\\n BUG: scheduling while atomic: kworker/u13:1/48/0x00000002\\n Call trace:\\n __schedule_bug+0x54/0x6c\\n __schedule+0x7f0/0xa94\\n schedule+0x5c/0xc4\\n schedule_preempt_disabled+0x24/0x40\\n __mutex_lock.constprop.0+0x2c0/0x540\\n __mutex_lock_slowpath+0x14/0x20\\n mutex_lock+0x48/0x54\\n clk_prepare_lock+0x44/0xa0\\n clk_prepare+0x20/0x44\\n imx_irqsteer_resume+0x28/0xe0\\n pm_generic_runtime_resume+0x2c/0x44\\n __genpd_runtime_resume+0x30/0x80\\n genpd_runtime_resume+0xc8/0x2c0\\n __rpm_callback+0x48/0x1d8\\n rpm_callback+0x6c/0x78\\n rpm_resume+0x490/0x6b4\\n __pm_runtime_resume+0x50/0x94\\n irq_chip_pm_get+0x2c/0xa0\\n __irq_do_set_handler+0x178/0x24c\\n irq_set_chained_handler_and_data+0x60/0xa4\\n mxc_gpio_probe+0x160/0x4b0\\n\\nCure this by implementing the irq_bus_lock/sync_unlock() interrupt chip\\ncallbacks and handle power management in them as they are invoked from\\nnon-atomic context.\\n\\n[ tglx: Rewrote change log, added Fixes tag ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42290\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42291", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42291" + }, + { + "url": "https://git.kernel.org/stable/c/292081c4e7f575a79017d5cbe1a0ec042783976f" + }, + { + "url": "https://git.kernel.org/stable/c/6ebbe97a488179f5dc85f2f1e0c89b486e99ee97" + }, + { + "url": "https://git.kernel.org/stable/c/8e02cd98a6e24389d476e28436d41e620ed8e559" + }, + { + "url": "https://git.kernel.org/stable/c/d62389073a5b937413e2d1bc1da06ccff5103c0c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42291 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42291", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Add a per-VF limit on number of FDIR filters\n\nWhile the iavf driver adds a s/w limit (128) on the number of FDIR\nfilters that the VF can request, a malicious VF driver can request more\nthan that and exhaust the resources for other VFs.\n\nAdd a similar limit in ice.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42291\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42291\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42291\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42291\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42291\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/292081c4e7f575a79017d5cbe1a0ec042783976f\",\n \"https://git.kernel.org/stable/c/6ebbe97a488179f5dc85f2f1e0c89b486e99ee97\",\n \"https://git.kernel.org/stable/c/8e02cd98a6e24389d476e28436d41e620ed8e559\",\n \"https://git.kernel.org/stable/c/d62389073a5b937413e2d1bc1da06ccff5103c0c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: Add a per-VF limit on number of FDIR filters\\n\\nWhile the iavf driver adds a s/w limit (128) on the number of FDIR\\nfilters that the VF can request, a malicious VF driver can request more\\nthan that and exhaust the resources for other VFs.\\n\\nAdd a similar limit in ice.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42291\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42292", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42292" + }, + { + "url": "https://git.kernel.org/stable/c/57fe01d3d04276875c7e3a6dc763517fc05b8762" + }, + { + "url": "https://git.kernel.org/stable/c/648d5490460d38436640da0812bf7f6351c150d2" + }, + { + "url": "https://git.kernel.org/stable/c/68d63ace80b76395e7935687ecdb86421adc2168" + }, + { + "url": "https://git.kernel.org/stable/c/81a15d28f32af01493ae8c5457e0d55314a4167d" + }, + { + "url": "https://git.kernel.org/stable/c/b59a5e86a3934f1b6a5bd1368902dbc79bdecc90" + }, + { + "url": "https://git.kernel.org/stable/c/c5ee8adc8d98a49703320d13878ba2b923b142f5" + }, + { + "url": "https://git.kernel.org/stable/c/d4663536754defff75ff1eca0aaebc41da165a8d" + }, + { + "url": "https://git.kernel.org/stable/c/dd6e9894b451e7c85cceb8e9dc5432679a70e7dc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42292 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42292", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nkobject_uevent: Fix OOB access within zap_modalias_env()\n\nzap_modalias_env() wrongly calculates size of memory block to move, so\nwill cause OOB memory access issue if variable MODALIAS is not the last\none within its @env parameter, fixed by correcting size to memmove.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42292\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42292\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42292\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42292\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42292\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/57fe01d3d04276875c7e3a6dc763517fc05b8762\",\n \"https://git.kernel.org/stable/c/648d5490460d38436640da0812bf7f6351c150d2\",\n \"https://git.kernel.org/stable/c/68d63ace80b76395e7935687ecdb86421adc2168\",\n \"https://git.kernel.org/stable/c/81a15d28f32af01493ae8c5457e0d55314a4167d\",\n \"https://git.kernel.org/stable/c/b59a5e86a3934f1b6a5bd1368902dbc79bdecc90\",\n \"https://git.kernel.org/stable/c/c5ee8adc8d98a49703320d13878ba2b923b142f5\",\n \"https://git.kernel.org/stable/c/d4663536754defff75ff1eca0aaebc41da165a8d\",\n \"https://git.kernel.org/stable/c/dd6e9894b451e7c85cceb8e9dc5432679a70e7dc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkobject_uevent: Fix OOB access within zap_modalias_env()\\n\\nzap_modalias_env() wrongly calculates size of memory block to move, so\\nwill cause OOB memory access issue if variable MODALIAS is not the last\\none within its @env parameter, fixed by correcting size to memmove.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42292\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42294", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42294" + }, + { + "url": "https://git.kernel.org/stable/c/5a5625a83eac91fdff1d5f0202ecfc45a31983c9" + }, + { + "url": "https://git.kernel.org/stable/c/7e04da2dc7013af50ed3a2beb698d5168d1e594b" + }, + { + "url": "https://git.kernel.org/stable/c/f5418f48a93b69ed9e6a2281eee06b412f14a544" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42294 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42294", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix deadlock between sd_remove & sd_release\n\nOur test report the following hung task:\n\n[ 2538.459400] INFO: task \"kworker/0:0\":7 blocked for more than 188 seconds.\n[ 2538.459427] Call trace:\n[ 2538.459430] __switch_to+0x174/0x338\n[ 2538.459436] __schedule+0x628/0x9c4\n[ 2538.459442] schedule+0x7c/0xe8\n[ 2538.459447] schedule_preempt_disabled+0x24/0x40\n[ 2538.459453] __mutex_lock+0x3ec/0xf04\n[ 2538.459456] __mutex_lock_slowpath+0x14/0x24\n[ 2538.459459] mutex_lock+0x30/0xd8\n[ 2538.459462] del_gendisk+0xdc/0x350\n[ 2538.459466] sd_remove+0x30/0x60\n[ 2538.459470] device_release_driver_internal+0x1c4/0x2c4\n[ 2538.459474] device_release_driver+0x18/0x28\n[ 2538.459478] bus_remove_device+0x15c/0x174\n[ 2538.459483] device_del+0x1d0/0x358\n[ 2538.459488] __scsi_remove_device+0xa8/0x198\n[ 2538.459493] scsi_forget_host+0x50/0x70\n[ 2538.459497] scsi_remove_host+0x80/0x180\n[ 2538.459502] usb_stor_disconnect+0x68/0xf4\n[ 2538.459506] usb_unbind_interface+0xd4/0x280\n[ 2538.459510] device_release_driver_internal+0x1c4/0x2c4\n[ 2538.459514] device_release_driver+0x18/0x28\n[ 2538.459518] bus_remove_device+0x15c/0x174\n[ 2538.459523] device_del+0x1d0/0x358\n[ 2538.459528] usb_disable_device+0x84/0x194\n[ 2538.459532] usb_disconnect+0xec/0x300\n[ 2538.459537] hub_event+0xb80/0x1870\n[ 2538.459541] process_scheduled_works+0x248/0x4dc\n[ 2538.459545] worker_thread+0x244/0x334\n[ 2538.459549] kthread+0x114/0x1bc\n\n[ 2538.461001] INFO: task \"fsck.\":15415 blocked for more than 188 seconds.\n[ 2538.461014] Call trace:\n[ 2538.461016] __switch_to+0x174/0x338\n[ 2538.461021] __schedule+0x628/0x9c4\n[ 2538.461025] schedule+0x7c/0xe8\n[ 2538.461030] blk_queue_enter+0xc4/0x160\n[ 2538.461034] blk_mq_alloc_request+0x120/0x1d4\n[ 2538.461037] scsi_execute_cmd+0x7c/0x23c\n[ 2538.461040] ioctl_internal_command+0x5c/0x164\n[ 2538.461046] scsi_set_medium_removal+0x5c/0xb0\n[ 2538.461051] sd_release+0x50/0x94\n[ 2538.461054] blkdev_put+0x190/0x28c\n[ 2538.461058] blkdev_release+0x28/0x40\n[ 2538.461063] __fput+0xf8/0x2a8\n[ 2538.461066] __fput_sync+0x28/0x5c\n[ 2538.461070] __arm64_sys_close+0x84/0xe8\n[ 2538.461073] invoke_syscall+0x58/0x114\n[ 2538.461078] el0_svc_common+0xac/0xe0\n[ 2538.461082] do_el0_svc+0x1c/0x28\n[ 2538.461087] el0_svc+0x38/0x68\n[ 2538.461090] el0t_64_sync_handler+0x68/0xbc\n[ 2538.461093] el0t_64_sync+0x1a8/0x1ac\n\n T1:\t\t\t\tT2:\n sd_remove\n del_gendisk\n __blk_mark_disk_dead\n blk_freeze_queue_start\n ++q->mq_freeze_depth\n \t\t\t\tbdev_release\n \t\t\t\tmutex_lock(&disk->open_mutex)\n \t\t\t\tsd_release\n \t\t\t\tscsi_execute_cmd\n \t\t\t\tblk_queue_enter\n \t\t\t\twait_event(!q->mq_freeze_depth)\n mutex_lock(&disk->open_mutex)\n\nSCSI does not set GD_OWNS_QUEUE, so QUEUE_FLAG_DYING is not set in\nthis scenario. This is a classic ABBA deadlock. To fix the deadlock,\nmake sure we don't try to acquire disk->open_mutex after freezing\nthe queue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42294\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42294\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42294\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42294\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42294\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5a5625a83eac91fdff1d5f0202ecfc45a31983c9\",\n \"https://git.kernel.org/stable/c/7e04da2dc7013af50ed3a2beb698d5168d1e594b\",\n \"https://git.kernel.org/stable/c/f5418f48a93b69ed9e6a2281eee06b412f14a544\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: fix deadlock between sd_remove & sd_release\\n\\nOur test report the following hung task:\\n\\n[ 2538.459400] INFO: task \\\"kworker/0:0\\\":7 blocked for more than 188 seconds.\\n[ 2538.459427] Call trace:\\n[ 2538.459430] __switch_to+0x174/0x338\\n[ 2538.459436] __schedule+0x628/0x9c4\\n[ 2538.459442] schedule+0x7c/0xe8\\n[ 2538.459447] schedule_preempt_disabled+0x24/0x40\\n[ 2538.459453] __mutex_lock+0x3ec/0xf04\\n[ 2538.459456] __mutex_lock_slowpath+0x14/0x24\\n[ 2538.459459] mutex_lock+0x30/0xd8\\n[ 2538.459462] del_gendisk+0xdc/0x350\\n[ 2538.459466] sd_remove+0x30/0x60\\n[ 2538.459470] device_release_driver_internal+0x1c4/0x2c4\\n[ 2538.459474] device_release_driver+0x18/0x28\\n[ 2538.459478] bus_remove_device+0x15c/0x174\\n[ 2538.459483] device_del+0x1d0/0x358\\n[ 2538.459488] __scsi_remove_device+0xa8/0x198\\n[ 2538.459493] scsi_forget_host+0x50/0x70\\n[ 2538.459497] scsi_remove_host+0x80/0x180\\n[ 2538.459502] usb_stor_disconnect+0x68/0xf4\\n[ 2538.459506] usb_unbind_interface+0xd4/0x280\\n[ 2538.459510] device_release_driver_internal+0x1c4/0x2c4\\n[ 2538.459514] device_release_driver+0x18/0x28\\n[ 2538.459518] bus_remove_device+0x15c/0x174\\n[ 2538.459523] device_del+0x1d0/0x358\\n[ 2538.459528] usb_disable_device+0x84/0x194\\n[ 2538.459532] usb_disconnect+0xec/0x300\\n[ 2538.459537] hub_event+0xb80/0x1870\\n[ 2538.459541] process_scheduled_works+0x248/0x4dc\\n[ 2538.459545] worker_thread+0x244/0x334\\n[ 2538.459549] kthread+0x114/0x1bc\\n\\n[ 2538.461001] INFO: task \\\"fsck.\\\":15415 blocked for more than 188 seconds.\\n[ 2538.461014] Call trace:\\n[ 2538.461016] __switch_to+0x174/0x338\\n[ 2538.461021] __schedule+0x628/0x9c4\\n[ 2538.461025] schedule+0x7c/0xe8\\n[ 2538.461030] blk_queue_enter+0xc4/0x160\\n[ 2538.461034] blk_mq_alloc_request+0x120/0x1d4\\n[ 2538.461037] scsi_execute_cmd+0x7c/0x23c\\n[ 2538.461040] ioctl_internal_command+0x5c/0x164\\n[ 2538.461046] scsi_set_medium_removal+0x5c/0xb0\\n[ 2538.461051] sd_release+0x50/0x94\\n[ 2538.461054] blkdev_put+0x190/0x28c\\n[ 2538.461058] blkdev_release+0x28/0x40\\n[ 2538.461063] __fput+0xf8/0x2a8\\n[ 2538.461066] __fput_sync+0x28/0x5c\\n[ 2538.461070] __arm64_sys_close+0x84/0xe8\\n[ 2538.461073] invoke_syscall+0x58/0x114\\n[ 2538.461078] el0_svc_common+0xac/0xe0\\n[ 2538.461082] do_el0_svc+0x1c/0x28\\n[ 2538.461087] el0_svc+0x38/0x68\\n[ 2538.461090] el0t_64_sync_handler+0x68/0xbc\\n[ 2538.461093] el0t_64_sync+0x1a8/0x1ac\\n\\n T1:\\t\\t\\t\\tT2:\\n sd_remove\\n del_gendisk\\n __blk_mark_disk_dead\\n blk_freeze_queue_start\\n ++q->mq_freeze_depth\\n \\t\\t\\t\\tbdev_release\\n \\t\\t\\t\\tmutex_lock(&disk->open_mutex)\\n \\t\\t\\t\\tsd_release\\n \\t\\t\\t\\tscsi_execute_cmd\\n \\t\\t\\t\\tblk_queue_enter\\n \\t\\t\\t\\twait_event(!q->mq_freeze_depth)\\n mutex_lock(&disk->open_mutex)\\n\\nSCSI does not set GD_OWNS_QUEUE, so QUEUE_FLAG_DYING is not set in\\nthis scenario. This is a classic ABBA deadlock. To fix the deadlock,\\nmake sure we don't try to acquire disk->open_mutex after freezing\\nthe queue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42294\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42295", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42295" + }, + { + "url": "https://git.kernel.org/stable/c/012be828a118bf496e666ef1fc47fc0e7358ada2" + }, + { + "url": "https://git.kernel.org/stable/c/02b87e6334a38c65eef49848d3f1ac422f0b2a44" + }, + { + "url": "https://git.kernel.org/stable/c/19cce46238ffe3546e44b9c74057103ff8b24c62" + }, + { + "url": "https://git.kernel.org/stable/c/366c3f688dd0288cbe38af1d3a886b5c62372e4a" + }, + { + "url": "https://git.kernel.org/stable/c/4811f7af6090e8f5a398fbdd766f903ef6c0d787" + }, + { + "url": "https://git.kernel.org/stable/c/5f0a6800b8aec1b453c7fe4c44fcaac5ffe9d52e" + }, + { + "url": "https://git.kernel.org/stable/c/be56dfc9be0604291267c07b0e27a69a6bda4899" + }, + { + "url": "https://git.kernel.org/stable/c/e34191cce3ee63dfa5fb241904aaf2a042d5b6d8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42295 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42295", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: handle inconsistent state in nilfs_btnode_create_block()\n\nSyzbot reported that a buffer state inconsistency was detected in\nnilfs_btnode_create_block(), triggering a kernel bug.\n\nIt is not appropriate to treat this inconsistency as a bug; it can occur\nif the argument block address (the buffer index of the newly created\nblock) is a virtual block number and has been reallocated due to\ncorruption of the bitmap used to manage its allocation state.\n\nSo, modify nilfs_btnode_create_block() and its callers to treat it as a\npossible filesystem error, rather than triggering a kernel bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42295\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42295\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42295\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42295\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42295\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/012be828a118bf496e666ef1fc47fc0e7358ada2\",\n \"https://git.kernel.org/stable/c/02b87e6334a38c65eef49848d3f1ac422f0b2a44\",\n \"https://git.kernel.org/stable/c/19cce46238ffe3546e44b9c74057103ff8b24c62\",\n \"https://git.kernel.org/stable/c/366c3f688dd0288cbe38af1d3a886b5c62372e4a\",\n \"https://git.kernel.org/stable/c/4811f7af6090e8f5a398fbdd766f903ef6c0d787\",\n \"https://git.kernel.org/stable/c/5f0a6800b8aec1b453c7fe4c44fcaac5ffe9d52e\",\n \"https://git.kernel.org/stable/c/be56dfc9be0604291267c07b0e27a69a6bda4899\",\n \"https://git.kernel.org/stable/c/e34191cce3ee63dfa5fb241904aaf2a042d5b6d8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: handle inconsistent state in nilfs_btnode_create_block()\\n\\nSyzbot reported that a buffer state inconsistency was detected in\\nnilfs_btnode_create_block(), triggering a kernel bug.\\n\\nIt is not appropriate to treat this inconsistency as a bug; it can occur\\nif the argument block address (the buffer index of the newly created\\nblock) is a virtual block number and has been reallocated due to\\ncorruption of the bitmap used to manage its allocation state.\\n\\nSo, modify nilfs_btnode_create_block() and its callers to treat it as a\\npossible filesystem error, rather than triggering a kernel bug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42295\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42296", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42296" + }, + { + "url": "https://git.kernel.org/stable/c/077f0e24b27c4b44841593c7edbd1993be9eecb5" + }, + { + "url": "https://git.kernel.org/stable/c/1e7725814361c8c008d131db195cef8274ff26b8" + }, + { + "url": "https://git.kernel.org/stable/c/47a8ddcdcaccd9b891db4574795e46a33a121ac2" + }, + { + "url": "https://git.kernel.org/stable/c/70f5ef5f33c333cfb286116fa3af74ac9bc84f1b" + }, + { + "url": "https://git.kernel.org/stable/c/a8eb3de28e7a365690c61161e7a07a4fc7c60bbf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42296 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42296", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix return value of f2fs_convert_inline_inode()\n\nIf device is readonly, make f2fs_convert_inline_inode()\nreturn EROFS instead of zero, otherwise it may trigger\npanic during writeback of inline inode's dirty page as\nbelow:\n\n f2fs_write_single_data_page+0xbb6/0x1e90 fs/f2fs/data.c:2888\n f2fs_write_cache_pages fs/f2fs/data.c:3187 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3342 [inline]\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3369\n do_writepages+0x359/0x870 mm/page-writeback.c:2634\n filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397\n __filemap_fdatawrite_range mm/filemap.c:430 [inline]\n file_write_and_wait_range+0x1aa/0x290 mm/filemap.c:788\n f2fs_do_sync_file+0x68a/0x1ae0 fs/f2fs/file.c:276\n generic_write_sync include/linux/fs.h:2806 [inline]\n f2fs_file_write_iter+0x7bd/0x24e0 fs/f2fs/file.c:4977\n call_write_iter include/linux/fs.h:2114 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xa72/0xc90 fs/read_write.c:590\n ksys_write+0x1a0/0x2c0 fs/read_write.c:643\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42296\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42296\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42296\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42296\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42296\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/077f0e24b27c4b44841593c7edbd1993be9eecb5\",\n \"https://git.kernel.org/stable/c/1e7725814361c8c008d131db195cef8274ff26b8\",\n \"https://git.kernel.org/stable/c/47a8ddcdcaccd9b891db4574795e46a33a121ac2\",\n \"https://git.kernel.org/stable/c/70f5ef5f33c333cfb286116fa3af74ac9bc84f1b\",\n \"https://git.kernel.org/stable/c/a8eb3de28e7a365690c61161e7a07a4fc7c60bbf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix return value of f2fs_convert_inline_inode()\\n\\nIf device is readonly, make f2fs_convert_inline_inode()\\nreturn EROFS instead of zero, otherwise it may trigger\\npanic during writeback of inline inode's dirty page as\\nbelow:\\n\\n f2fs_write_single_data_page+0xbb6/0x1e90 fs/f2fs/data.c:2888\\n f2fs_write_cache_pages fs/f2fs/data.c:3187 [inline]\\n __f2fs_write_data_pages fs/f2fs/data.c:3342 [inline]\\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3369\\n do_writepages+0x359/0x870 mm/page-writeback.c:2634\\n filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397\\n __filemap_fdatawrite_range mm/filemap.c:430 [inline]\\n file_write_and_wait_range+0x1aa/0x290 mm/filemap.c:788\\n f2fs_do_sync_file+0x68a/0x1ae0 fs/f2fs/file.c:276\\n generic_write_sync include/linux/fs.h:2806 [inline]\\n f2fs_file_write_iter+0x7bd/0x24e0 fs/f2fs/file.c:4977\\n call_write_iter include/linux/fs.h:2114 [inline]\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0xa72/0xc90 fs/read_write.c:590\\n ksys_write+0x1a0/0x2c0 fs/read_write.c:643\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42296\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42297", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42297" + }, + { + "url": "https://git.kernel.org/stable/c/192b8fb8d1c8ca3c87366ebbef599fa80bb626b8" + }, + { + "url": "https://git.kernel.org/stable/c/2434344559f6743efb3ac15d11af9a0db9543bd3" + }, + { + "url": "https://git.kernel.org/stable/c/2d2916516577f2239b3377d9e8d12da5e6ccdfcf" + }, + { + "url": "https://git.kernel.org/stable/c/54162974aea37a8cae00742470a78c7f6bd6f915" + }, + { + "url": "https://git.kernel.org/stable/c/54bc4e88447e385c4d4ffa85d93e0dce628fcfa6" + }, + { + "url": "https://git.kernel.org/stable/c/9ce8135accf103f7333af472709125878704fdd4" + }, + { + "url": "https://git.kernel.org/stable/c/e62ff092a42f4a1bae3b310cf46673b4f3aac3b5" + }, + { + "url": "https://git.kernel.org/stable/c/ec56571b4b146a1cfbedab49d5fcaf19fe8bf4f1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42297 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42297", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to don't dirty inode for readonly filesystem\n\nsyzbot reports f2fs bug as below:\n\nkernel BUG at fs/f2fs/inode.c:933!\nRIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933\nCall Trace:\n evict+0x2a4/0x620 fs/inode.c:664\n dispose_list fs/inode.c:697 [inline]\n evict_inodes+0x5f8/0x690 fs/inode.c:747\n generic_shutdown_super+0x9d/0x2c0 fs/super.c:675\n kill_block_super+0x44/0x90 fs/super.c:1667\n kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894\n deactivate_locked_super+0xc1/0x130 fs/super.c:484\n cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256\n task_work_run+0x24a/0x300 kernel/task_work.c:180\n ptrace_notify+0x2cd/0x380 kernel/signal.c:2399\n ptrace_report_syscall include/linux/ptrace.h:411 [inline]\n ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]\n syscall_exit_work kernel/entry/common.c:251 [inline]\n syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]\n syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296\n do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nThe root cause is:\n- do_sys_open\n - f2fs_lookup\n - __f2fs_find_entry\n - f2fs_i_depth_write\n - f2fs_mark_inode_dirty_sync\n - f2fs_dirty_inode\n - set_inode_flag(inode, FI_DIRTY_INODE)\n\n- umount\n - kill_f2fs_super\n - kill_block_super\n - generic_shutdown_super\n - sync_filesystem\n : sb is readonly, skip sync_filesystem()\n - evict_inodes\n - iput\n - f2fs_evict_inode\n - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE))\n : trigger kernel panic\n\nWhen we try to repair i_current_depth in readonly filesystem, let's\nskip dirty inode to avoid panic in later f2fs_evict_inode().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42297\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42297\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42297\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42297\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42297\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/192b8fb8d1c8ca3c87366ebbef599fa80bb626b8\",\n \"https://git.kernel.org/stable/c/2434344559f6743efb3ac15d11af9a0db9543bd3\",\n \"https://git.kernel.org/stable/c/2d2916516577f2239b3377d9e8d12da5e6ccdfcf\",\n \"https://git.kernel.org/stable/c/54162974aea37a8cae00742470a78c7f6bd6f915\",\n \"https://git.kernel.org/stable/c/54bc4e88447e385c4d4ffa85d93e0dce628fcfa6\",\n \"https://git.kernel.org/stable/c/9ce8135accf103f7333af472709125878704fdd4\",\n \"https://git.kernel.org/stable/c/e62ff092a42f4a1bae3b310cf46673b4f3aac3b5\",\n \"https://git.kernel.org/stable/c/ec56571b4b146a1cfbedab49d5fcaf19fe8bf4f1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to don't dirty inode for readonly filesystem\\n\\nsyzbot reports f2fs bug as below:\\n\\nkernel BUG at fs/f2fs/inode.c:933!\\nRIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933\\nCall Trace:\\n evict+0x2a4/0x620 fs/inode.c:664\\n dispose_list fs/inode.c:697 [inline]\\n evict_inodes+0x5f8/0x690 fs/inode.c:747\\n generic_shutdown_super+0x9d/0x2c0 fs/super.c:675\\n kill_block_super+0x44/0x90 fs/super.c:1667\\n kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894\\n deactivate_locked_super+0xc1/0x130 fs/super.c:484\\n cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256\\n task_work_run+0x24a/0x300 kernel/task_work.c:180\\n ptrace_notify+0x2cd/0x380 kernel/signal.c:2399\\n ptrace_report_syscall include/linux/ptrace.h:411 [inline]\\n ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]\\n syscall_exit_work kernel/entry/common.c:251 [inline]\\n syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]\\n __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]\\n syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296\\n do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nThe root cause is:\\n- do_sys_open\\n - f2fs_lookup\\n - __f2fs_find_entry\\n - f2fs_i_depth_write\\n - f2fs_mark_inode_dirty_sync\\n - f2fs_dirty_inode\\n - set_inode_flag(inode, FI_DIRTY_INODE)\\n\\n- umount\\n - kill_f2fs_super\\n - kill_block_super\\n - generic_shutdown_super\\n - sync_filesystem\\n : sb is readonly, skip sync_filesystem()\\n - evict_inodes\\n - iput\\n - f2fs_evict_inode\\n - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE))\\n : trigger kernel panic\\n\\nWhen we try to repair i_current_depth in readonly filesystem, let's\\nskip dirty inode to avoid panic in later f2fs_evict_inode().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42297\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42299", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42299" + }, + { + "url": "https://git.kernel.org/stable/c/0484adcb5fbcadd9ba0fd4485c42630f72e97da9" + }, + { + "url": "https://git.kernel.org/stable/c/0a4ae2644e2a3b3b219aad9639fb2b0691d08420" + }, + { + "url": "https://git.kernel.org/stable/c/2cac0df3324b5e287d8020bc0708f7d2dec88a6f" + }, + { + "url": "https://git.kernel.org/stable/c/2fef55d8f78383c8e6d6d4c014b9597375132696" + }, + { + "url": "https://git.kernel.org/stable/c/b90ceffdc975502bc085ce8e79c6adeff05f9521" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42299 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42299", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Update log->page_{mask,bits} if log->page_size changed\n\nIf an NTFS file system is mounted to another system with different\nPAGE_SIZE from the original system, log->page_size will change in\nlog_replay(), but log->page_{mask,bits} don't change correspondingly.\nThis will cause a panic because \"u32 bytes = log->page_size - page_off\"\nwill get a negative value in the later read_log_page().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42299\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42299\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42299\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42299\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42299\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0484adcb5fbcadd9ba0fd4485c42630f72e97da9\",\n \"https://git.kernel.org/stable/c/0a4ae2644e2a3b3b219aad9639fb2b0691d08420\",\n \"https://git.kernel.org/stable/c/2cac0df3324b5e287d8020bc0708f7d2dec88a6f\",\n \"https://git.kernel.org/stable/c/2fef55d8f78383c8e6d6d4c014b9597375132696\",\n \"https://git.kernel.org/stable/c/b90ceffdc975502bc085ce8e79c6adeff05f9521\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Update log->page_{mask,bits} if log->page_size changed\\n\\nIf an NTFS file system is mounted to another system with different\\nPAGE_SIZE from the original system, log->page_size will change in\\nlog_replay(), but log->page_{mask,bits} don't change correspondingly.\\nThis will cause a panic because \\\"u32 bytes = log->page_size - page_off\\\"\\nwill get a negative value in the later read_log_page().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42299\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42301", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42301" + }, + { + "url": "https://git.kernel.org/stable/c/166a0bddcc27de41fe13f861c8348e8e53e988c8" + }, + { + "url": "https://git.kernel.org/stable/c/47b3dce100778001cd76f7e9188944b5cb27a76d" + }, + { + "url": "https://git.kernel.org/stable/c/7789a1d6792af410aa9b39a1eb237ed24fa2170a" + }, + { + "url": "https://git.kernel.org/stable/c/7f4da759092a1a6ce35fb085182d02de8cc4cc84" + }, + { + "url": "https://git.kernel.org/stable/c/a44f88f7576bc1916d8d6293f5c62fbe7cbe03e0" + }, + { + "url": "https://git.kernel.org/stable/c/ab11dac93d2d568d151b1918d7b84c2d02bacbd5" + }, + { + "url": "https://git.kernel.org/stable/c/b579ea3516c371ecf59d073772bc45dfd28c8a0e" + }, + { + "url": "https://git.kernel.org/stable/c/c719b393374d3763e64900ee19aaed767d5a08d6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42301 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42301", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndev/parport: fix the array out-of-bounds risk\n\nFixed array out-of-bounds issues caused by sprintf\nby replacing it with snprintf for safer data copying,\nensuring the destination buffer is not overflowed.\n\nBelow is the stack trace I encountered during the actual issue:\n\n[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector:\nKernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]\n[ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm:\nQThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2\n[ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp\n[ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun\nPGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024\n[ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace:\n[ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0\n[ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20\n[ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c\n[ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc\n[ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38\n[ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42301\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42301\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42301\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42301\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42301\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/166a0bddcc27de41fe13f861c8348e8e53e988c8\",\n \"https://git.kernel.org/stable/c/47b3dce100778001cd76f7e9188944b5cb27a76d\",\n \"https://git.kernel.org/stable/c/7789a1d6792af410aa9b39a1eb237ed24fa2170a\",\n \"https://git.kernel.org/stable/c/7f4da759092a1a6ce35fb085182d02de8cc4cc84\",\n \"https://git.kernel.org/stable/c/a44f88f7576bc1916d8d6293f5c62fbe7cbe03e0\",\n \"https://git.kernel.org/stable/c/ab11dac93d2d568d151b1918d7b84c2d02bacbd5\",\n \"https://git.kernel.org/stable/c/b579ea3516c371ecf59d073772bc45dfd28c8a0e\",\n \"https://git.kernel.org/stable/c/c719b393374d3763e64900ee19aaed767d5a08d6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndev/parport: fix the array out-of-bounds risk\\n\\nFixed array out-of-bounds issues caused by sprintf\\nby replacing it with snprintf for safer data copying,\\nensuring the destination buffer is not overflowed.\\n\\nBelow is the stack trace I encountered during the actual issue:\\n\\n[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector:\\nKernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]\\n[ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm:\\nQThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2\\n[ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp\\n[ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun\\nPGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024\\n[ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace:\\n[ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0\\n[ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20\\n[ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c\\n[ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc\\n[ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38\\n[ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42301\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42302", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42302" + }, + { + "url": "https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed" + }, + { + "url": "https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7" + }, + { + "url": "https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f" + }, + { + "url": "https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62" + }, + { + "url": "https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d" + }, + { + "url": "https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42302 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42302", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/DPC: Fix use-after-free on concurrent DPC and hot-removal\n\nKeith reports a use-after-free when a DPC event occurs concurrently to\nhot-removal of the same portion of the hierarchy:\n\nThe dpc_handler() awaits readiness of the secondary bus below the\nDownstream Port where the DPC event occurred. To do so, it polls the\nconfig space of the first child device on the secondary bus. If that\nchild device is concurrently removed, accesses to its struct pci_dev\ncause the kernel to oops.\n\nThat's because pci_bridge_wait_for_secondary_bus() neglects to hold a\nreference on the child device. Before v6.3, the function was only\ncalled on resume from system sleep or on runtime resume. Holding a\nreference wasn't necessary back then because the pciehp IRQ thread\ncould never run concurrently. (On resume from system sleep, IRQs are\nnot enabled until after the resume_noirq phase. And runtime resume is\nalways awaited before a PCI device is removed.)\n\nHowever starting with v6.3, pci_bridge_wait_for_secondary_bus() is also\ncalled on a DPC event. Commit 53b54ad074de (\"PCI/DPC: Await readiness\nof secondary bus after reset\"), which introduced that, failed to\nappreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a\nreference on the child device because dpc_handler() and pciehp may\nindeed run concurrently. The commit was backported to v5.10+ stable\nkernels, so that's the oldest one affected.\n\nAdd the missing reference acquisition.\n\nAbridged stack trace:\n\n BUG: unable to handle page fault for address: 00000000091400c0\n CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0\n RIP: pci_bus_read_config_dword+0x17/0x50\n pci_dev_wait()\n pci_bridge_wait_for_secondary_bus()\n dpc_reset_link()\n pcie_do_recovery()\n dpc_handler()", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42302\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42302\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42302\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42302\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42302\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed\",\n \"https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7\",\n \"https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f\",\n \"https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62\",\n \"https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d\",\n \"https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI/DPC: Fix use-after-free on concurrent DPC and hot-removal\\n\\nKeith reports a use-after-free when a DPC event occurs concurrently to\\nhot-removal of the same portion of the hierarchy:\\n\\nThe dpc_handler() awaits readiness of the secondary bus below the\\nDownstream Port where the DPC event occurred. To do so, it polls the\\nconfig space of the first child device on the secondary bus. If that\\nchild device is concurrently removed, accesses to its struct pci_dev\\ncause the kernel to oops.\\n\\nThat's because pci_bridge_wait_for_secondary_bus() neglects to hold a\\nreference on the child device. Before v6.3, the function was only\\ncalled on resume from system sleep or on runtime resume. Holding a\\nreference wasn't necessary back then because the pciehp IRQ thread\\ncould never run concurrently. (On resume from system sleep, IRQs are\\nnot enabled until after the resume_noirq phase. And runtime resume is\\nalways awaited before a PCI device is removed.)\\n\\nHowever starting with v6.3, pci_bridge_wait_for_secondary_bus() is also\\ncalled on a DPC event. Commit 53b54ad074de (\\\"PCI/DPC: Await readiness\\nof secondary bus after reset\\\"), which introduced that, failed to\\nappreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a\\nreference on the child device because dpc_handler() and pciehp may\\nindeed run concurrently. The commit was backported to v5.10+ stable\\nkernels, so that's the oldest one affected.\\n\\nAdd the missing reference acquisition.\\n\\nAbridged stack trace:\\n\\n BUG: unable to handle page fault for address: 00000000091400c0\\n CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0\\n RIP: pci_bus_read_config_dword+0x17/0x50\\n pci_dev_wait()\\n pci_bridge_wait_for_secondary_bus()\\n dpc_reset_link()\\n pcie_do_recovery()\\n dpc_handler()\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42302\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42304", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42304" + }, + { + "url": "https://git.kernel.org/stable/c/299bc6ffa57e04e74c6cce866d6c0741fb4897a1" + }, + { + "url": "https://git.kernel.org/stable/c/9771e3d8365ae1dd5e8846a204cb9af14e3e656a" + }, + { + "url": "https://git.kernel.org/stable/c/b609753cbbd38f8c0affd4956c0af178348523ac" + }, + { + "url": "https://git.kernel.org/stable/c/c3893d9de8ee153baac56d127d844103488133b5" + }, + { + "url": "https://git.kernel.org/stable/c/d81d7e347d1f1f48a5634607d39eb90c161c8afe" + }, + { + "url": "https://git.kernel.org/stable/c/de2a011a13a46468a6e8259db58b1b62071fe136" + }, + { + "url": "https://git.kernel.org/stable/c/e02f9941e8c011aa3eafa799def6a134ce06bcfa" + }, + { + "url": "https://git.kernel.org/stable/c/f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42304 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42304", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: make sure the first directory block is not a hole\n\nThe syzbot constructs a directory that has no dirblock but is non-inline,\ni.e. the first directory block is a hole. And no errors are reported when\ncreating files in this directory in the following flow.\n\n ext4_mknod\n ...\n ext4_add_entry\n // Read block 0\n ext4_read_dirblock(dir, block, DIRENT)\n bh = ext4_bread(NULL, inode, block, 0)\n if (!bh && (type == INDEX || type == DIRENT_HTREE))\n // The first directory block is a hole\n // But type == DIRENT, so no error is reported.\n\nAfter that, we get a directory block without '.' and '..' but with a valid\ndentry. This may cause some code that relies on dot or dotdot (such as\nmake_indexed_dir()) to crash.\n\nTherefore when ext4_read_dirblock() finds that the first directory block\nis a hole report that the filesystem is corrupted and return an error to\navoid loading corrupted data from disk causing something bad.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42304\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42304\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42304\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42304\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42304\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/299bc6ffa57e04e74c6cce866d6c0741fb4897a1\",\n \"https://git.kernel.org/stable/c/9771e3d8365ae1dd5e8846a204cb9af14e3e656a\",\n \"https://git.kernel.org/stable/c/b609753cbbd38f8c0affd4956c0af178348523ac\",\n \"https://git.kernel.org/stable/c/c3893d9de8ee153baac56d127d844103488133b5\",\n \"https://git.kernel.org/stable/c/d81d7e347d1f1f48a5634607d39eb90c161c8afe\",\n \"https://git.kernel.org/stable/c/de2a011a13a46468a6e8259db58b1b62071fe136\",\n \"https://git.kernel.org/stable/c/e02f9941e8c011aa3eafa799def6a134ce06bcfa\",\n \"https://git.kernel.org/stable/c/f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: make sure the first directory block is not a hole\\n\\nThe syzbot constructs a directory that has no dirblock but is non-inline,\\ni.e. the first directory block is a hole. And no errors are reported when\\ncreating files in this directory in the following flow.\\n\\n ext4_mknod\\n ...\\n ext4_add_entry\\n // Read block 0\\n ext4_read_dirblock(dir, block, DIRENT)\\n bh = ext4_bread(NULL, inode, block, 0)\\n if (!bh && (type == INDEX || type == DIRENT_HTREE))\\n // The first directory block is a hole\\n // But type == DIRENT, so no error is reported.\\n\\nAfter that, we get a directory block without '.' and '..' but with a valid\\ndentry. This may cause some code that relies on dot or dotdot (such as\\nmake_indexed_dir()) to crash.\\n\\nTherefore when ext4_read_dirblock() finds that the first directory block\\nis a hole report that the filesystem is corrupted and return an error to\\navoid loading corrupted data from disk causing something bad.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42304\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42305", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42305" + }, + { + "url": "https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8" + }, + { + "url": "https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa" + }, + { + "url": "https://git.kernel.org/stable/c/50ea741def587a64e08879ce6c6a30131f7111e7" + }, + { + "url": "https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a" + }, + { + "url": "https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2" + }, + { + "url": "https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c" + }, + { + "url": "https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db" + }, + { + "url": "https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d2397d378c5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42305 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42305", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: check dot and dotdot of dx_root before making dir indexed\n\nSyzbot reports a issue as follows:\n============================================\nBUG: unable to handle page fault for address: ffffed11022e24fe\nPGD 23ffee067 P4D 23ffee067 PUD 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0\nCall Trace:\n \n make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451\n ext4_rename fs/ext4/namei.c:3936 [inline]\n ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214\n[...]\n============================================\n\nThe immediate cause of this problem is that there is only one valid dentry\nfor the block to be split during do_split, so split==0 results in out of\nbounds accesses to the map triggering the issue.\n\n do_split\n unsigned split\n dx_make_map\n count = 1\n split = count/2 = 0;\n continued = hash2 == map[split - 1].hash;\n ---> map[4294967295]\n\nThe maximum length of a filename is 255 and the minimum block size is 1024,\nso it is always guaranteed that the number of entries is greater than or\nequal to 2 when do_split() is called.\n\nBut syzbot's crafted image has no dot and dotdot in dir, and the dentry\ndistribution in dirblock is as follows:\n\n bus dentry1 hole dentry2 free\n|xx--|xx-------------|...............|xx-------------|...............|\n0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024\n\nSo when renaming dentry1 increases its name_len length by 1, neither hole\nnor free is sufficient to hold the new dentry, and make_indexed_dir() is\ncalled.\n\nIn make_indexed_dir() it is assumed that the first two entries of the\ndirblock must be dot and dotdot, so bus and dentry1 are left in dx_root\nbecause they are treated as dot and dotdot, and only dentry2 is moved\nto the new leaf block. That's why count is equal to 1.\n\nTherefore add the ext4_check_dx_root() helper function to add more sanity\nchecks to dot and dotdot before starting the conversion to avoid the above\nissue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42305\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42305\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42305\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42305\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42305\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8\",\n \"https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa\",\n \"https://git.kernel.org/stable/c/50ea741def587a64e08879ce6c6a30131f7111e7\",\n \"https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a\",\n \"https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2\",\n \"https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c\",\n \"https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db\",\n \"https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d2397d378c5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: check dot and dotdot of dx_root before making dir indexed\\n\\nSyzbot reports a issue as follows:\\n============================================\\nBUG: unable to handle page fault for address: ffffed11022e24fe\\nPGD 23ffee067 P4D 23ffee067 PUD 0\\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\\nCPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0\\nCall Trace:\\n \\n make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341\\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451\\n ext4_rename fs/ext4/namei.c:3936 [inline]\\n ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214\\n[...]\\n============================================\\n\\nThe immediate cause of this problem is that there is only one valid dentry\\nfor the block to be split during do_split, so split==0 results in out of\\nbounds accesses to the map triggering the issue.\\n\\n do_split\\n unsigned split\\n dx_make_map\\n count = 1\\n split = count/2 = 0;\\n continued = hash2 == map[split - 1].hash;\\n ---> map[4294967295]\\n\\nThe maximum length of a filename is 255 and the minimum block size is 1024,\\nso it is always guaranteed that the number of entries is greater than or\\nequal to 2 when do_split() is called.\\n\\nBut syzbot's crafted image has no dot and dotdot in dir, and the dentry\\ndistribution in dirblock is as follows:\\n\\n bus dentry1 hole dentry2 free\\n|xx--|xx-------------|...............|xx-------------|...............|\\n0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024\\n\\nSo when renaming dentry1 increases its name_len length by 1, neither hole\\nnor free is sufficient to hold the new dentry, and make_indexed_dir() is\\ncalled.\\n\\nIn make_indexed_dir() it is assumed that the first two entries of the\\ndirblock must be dot and dotdot, so bus and dentry1 are left in dx_root\\nbecause they are treated as dot and dotdot, and only dentry2 is moved\\nto the new leaf block. That's why count is equal to 1.\\n\\nTherefore add the ext4_check_dx_root() helper function to add more sanity\\nchecks to dot and dotdot before starting the conversion to avoid the above\\nissue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42305\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42306", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42306" + }, + { + "url": "https://git.kernel.org/stable/c/2199e157a465aaf98294d3932797ecd7fce942d5" + }, + { + "url": "https://git.kernel.org/stable/c/271cab2ca00652bc984e269cf1208699a1e09cdd" + }, + { + "url": "https://git.kernel.org/stable/c/57053b3bcf3403b80db6f65aba284d7dfe7326af" + }, + { + "url": "https://git.kernel.org/stable/c/6a43e3c210df6c5f00570f4be49a897677dbcb64" + }, + { + "url": "https://git.kernel.org/stable/c/8ca170c39eca7cad6e0cfeb24e351d8f8eddcd65" + }, + { + "url": "https://git.kernel.org/stable/c/a90d4471146de21745980cba51ce88e7926bcc4f" + }, + { + "url": "https://git.kernel.org/stable/c/cae9e59cc41683408b70b9ab569f8654866ba914" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42306 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42306", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Avoid using corrupted block bitmap buffer\n\nWhen the filesystem block bitmap is corrupted, we detect the corruption\nwhile loading the bitmap and fail the allocation with error. However the\nnext allocation from the same bitmap will notice the bitmap buffer is\nalready loaded and tries to allocate from the bitmap with mixed results\n(depending on the exact nature of the bitmap corruption). Fix the\nproblem by using BH_verified bit to indicate whether the bitmap is valid\nor not.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42306\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42306\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42306\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42306\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42306\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2199e157a465aaf98294d3932797ecd7fce942d5\",\n \"https://git.kernel.org/stable/c/271cab2ca00652bc984e269cf1208699a1e09cdd\",\n \"https://git.kernel.org/stable/c/57053b3bcf3403b80db6f65aba284d7dfe7326af\",\n \"https://git.kernel.org/stable/c/6a43e3c210df6c5f00570f4be49a897677dbcb64\",\n \"https://git.kernel.org/stable/c/8ca170c39eca7cad6e0cfeb24e351d8f8eddcd65\",\n \"https://git.kernel.org/stable/c/a90d4471146de21745980cba51ce88e7926bcc4f\",\n \"https://git.kernel.org/stable/c/cae9e59cc41683408b70b9ab569f8654866ba914\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nudf: Avoid using corrupted block bitmap buffer\\n\\nWhen the filesystem block bitmap is corrupted, we detect the corruption\\nwhile loading the bitmap and fail the allocation with error. However the\\nnext allocation from the same bitmap will notice the bitmap buffer is\\nalready loaded and tries to allocate from the bitmap with mixed results\\n(depending on the exact nature of the bitmap corruption). Fix the\\nproblem by using BH_verified bit to indicate whether the bitmap is valid\\nor not.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42306\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42308", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42308" + }, + { + "url": "https://git.kernel.org/stable/c/185616085b12e651cdfd11ef00d1449f54552d89" + }, + { + "url": "https://git.kernel.org/stable/c/4ab68e168ae1695f7c04fae98930740aaf7c50fa" + }, + { + "url": "https://git.kernel.org/stable/c/4ccd37085976ea5d3c499b1e6d0b3f4deaf2cd5a" + }, + { + "url": "https://git.kernel.org/stable/c/6b5ed0648213e9355cc78f4a264d9afe8536d692" + }, + { + "url": "https://git.kernel.org/stable/c/71dbf95359347c2ecc5a6dfc02783fcfccb2e9fb" + }, + { + "url": "https://git.kernel.org/stable/c/9ce89824ff04d261fc855e0ca6e6025251d9fa40" + }, + { + "url": "https://git.kernel.org/stable/c/f068494430d15b5fc551ac928de9dac7e5e27602" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42308 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42308", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check for NULL pointer\n\n[why & how]\nNeed to make sure plane_state is initialized\nbefore accessing its members.\n\n(cherry picked from commit 295d91cbc700651782a60572f83c24861607b648)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42308\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42308\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42308\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42308\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42308\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/185616085b12e651cdfd11ef00d1449f54552d89\",\n \"https://git.kernel.org/stable/c/4ab68e168ae1695f7c04fae98930740aaf7c50fa\",\n \"https://git.kernel.org/stable/c/4ccd37085976ea5d3c499b1e6d0b3f4deaf2cd5a\",\n \"https://git.kernel.org/stable/c/6b5ed0648213e9355cc78f4a264d9afe8536d692\",\n \"https://git.kernel.org/stable/c/71dbf95359347c2ecc5a6dfc02783fcfccb2e9fb\",\n \"https://git.kernel.org/stable/c/9ce89824ff04d261fc855e0ca6e6025251d9fa40\",\n \"https://git.kernel.org/stable/c/f068494430d15b5fc551ac928de9dac7e5e27602\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Check for NULL pointer\\n\\n[why & how]\\nNeed to make sure plane_state is initialized\\nbefore accessing its members.\\n\\n(cherry picked from commit 295d91cbc700651782a60572f83c24861607b648)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42308\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42309", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42309" + }, + { + "url": "https://git.kernel.org/stable/c/13b5f3ee94bdbdc4b5f40582aab62977905aedee" + }, + { + "url": "https://git.kernel.org/stable/c/2df7aac81070987b0f052985856aa325a38debf6" + }, + { + "url": "https://git.kernel.org/stable/c/46d2ef272957879cbe30a884574320e7f7d78692" + }, + { + "url": "https://git.kernel.org/stable/c/475a5b3b7c8edf6e583a9eb59cf28ea770602e14" + }, + { + "url": "https://git.kernel.org/stable/c/6735d02ead7dd3adf74eb8b70aebd09e0ce78ec9" + }, + { + "url": "https://git.kernel.org/stable/c/7e52c62ff029f95005915c0a11863b5fb5185c8c" + }, + { + "url": "https://git.kernel.org/stable/c/d6ad202f73f8edba0cbc0065aa57a79ffe8fdcdc" + }, + { + "url": "https://git.kernel.org/stable/c/f70ffeca546452d1acd3a70ada56ecb2f3e7f811" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42309 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42309", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes\n\nIn psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42309\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42309\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42309\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42309\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42309\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13b5f3ee94bdbdc4b5f40582aab62977905aedee\",\n \"https://git.kernel.org/stable/c/2df7aac81070987b0f052985856aa325a38debf6\",\n \"https://git.kernel.org/stable/c/46d2ef272957879cbe30a884574320e7f7d78692\",\n \"https://git.kernel.org/stable/c/475a5b3b7c8edf6e583a9eb59cf28ea770602e14\",\n \"https://git.kernel.org/stable/c/6735d02ead7dd3adf74eb8b70aebd09e0ce78ec9\",\n \"https://git.kernel.org/stable/c/7e52c62ff029f95005915c0a11863b5fb5185c8c\",\n \"https://git.kernel.org/stable/c/d6ad202f73f8edba0cbc0065aa57a79ffe8fdcdc\",\n \"https://git.kernel.org/stable/c/f70ffeca546452d1acd3a70ada56ecb2f3e7f811\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes\\n\\nIn psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is\\nassigned to mode, which will lead to a possible NULL pointer dereference\\non failure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42309\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42310", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42310" + }, + { + "url": "https://git.kernel.org/stable/c/08f45102c81ad8bc9f85f7a25e9f64e128edb87d" + }, + { + "url": "https://git.kernel.org/stable/c/2d209b2f862f6b8bff549ede541590a8d119da23" + }, + { + "url": "https://git.kernel.org/stable/c/977ee4fe895e1729cd36cc26916bbb10084713d6" + }, + { + "url": "https://git.kernel.org/stable/c/a658ae2173ab74667c009e2550455e6de5b33ddc" + }, + { + "url": "https://git.kernel.org/stable/c/b6ac46a00188cde50ffba233e6efb366354a1de5" + }, + { + "url": "https://git.kernel.org/stable/c/cb520c3f366c77e8d69e4e2e2781a8ce48d98e79" + }, + { + "url": "https://git.kernel.org/stable/c/e74eb5e8089427c8c49e0dd5067e5f39ce3a4d56" + }, + { + "url": "https://git.kernel.org/stable/c/f392c36cebf4c1d6997a4cc2c0f205254acef42a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42310 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42310", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes\n\nIn cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42310\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42310\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42310\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42310\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42310\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08f45102c81ad8bc9f85f7a25e9f64e128edb87d\",\n \"https://git.kernel.org/stable/c/2d209b2f862f6b8bff549ede541590a8d119da23\",\n \"https://git.kernel.org/stable/c/977ee4fe895e1729cd36cc26916bbb10084713d6\",\n \"https://git.kernel.org/stable/c/a658ae2173ab74667c009e2550455e6de5b33ddc\",\n \"https://git.kernel.org/stable/c/b6ac46a00188cde50ffba233e6efb366354a1de5\",\n \"https://git.kernel.org/stable/c/cb520c3f366c77e8d69e4e2e2781a8ce48d98e79\",\n \"https://git.kernel.org/stable/c/e74eb5e8089427c8c49e0dd5067e5f39ce3a4d56\",\n \"https://git.kernel.org/stable/c/f392c36cebf4c1d6997a4cc2c0f205254acef42a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes\\n\\nIn cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()\\nis assigned to mode, which will lead to a NULL pointer dereference on\\nfailure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42310\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42311", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42311" + }, + { + "url": "https://git.kernel.org/stable/c/10f7163bfb5f8b4e0c9c05a939f20b8540e33c65" + }, + { + "url": "https://git.kernel.org/stable/c/26a2ed107929a855155429b11e1293b83e6b2a8b" + }, + { + "url": "https://git.kernel.org/stable/c/4a52861cd76e79f1a593beb23d096523eb9732c2" + }, + { + "url": "https://git.kernel.org/stable/c/58d83fc160505a7009c39dec64effaac5129b971" + }, + { + "url": "https://git.kernel.org/stable/c/9c4e40b9b731220f9464975e49da75496e3865c4" + }, + { + "url": "https://git.kernel.org/stable/c/d3493d6f0dfb1ab5225b62faa77732983f2187a1" + }, + { + "url": "https://git.kernel.org/stable/c/d55aae5c1730d6b70d5d8eaff00113cd34772ea3" + }, + { + "url": "https://git.kernel.org/stable/c/f7316b2b2f11cf0c6de917beee8d3de728be24db" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42311 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42311", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()\n\nSyzbot reports uninitialized value access issue as below:\n\nloop0: detected capacity change from 0 to 64\n=====================================================\nBUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\n hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\n d_revalidate fs/namei.c:862 [inline]\n lookup_fast+0x89e/0x8e0 fs/namei.c:1649\n walk_component fs/namei.c:2001 [inline]\n link_path_walk+0x817/0x1480 fs/namei.c:2332\n path_lookupat+0xd9/0x6f0 fs/namei.c:2485\n filename_lookup+0x22e/0x740 fs/namei.c:2515\n user_path_at_empty+0x8b/0x390 fs/namei.c:2924\n user_path_at include/linux/namei.h:57 [inline]\n do_mount fs/namespace.c:3689 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x66b/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nBUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\nBUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\n hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\n hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\n block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271\n hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39\n filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426\n do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553\n do_read_cache_page mm/filemap.c:3595 [inline]\n read_cache_page+0xfb/0x2f0 mm/filemap.c:3604\n read_mapping_page include/linux/pagemap.h:755 [inline]\n hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78\n hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204\n hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406\n mount_bdev+0x628/0x920 fs/super.c:1359\n hfs_mount+0xcd/0xe0 fs/hfs/super.c:456\n legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610\n vfs_get_tree+0xdc/0x5d0 fs/super.c:1489\n do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145\n path_mount+0xf98/0x26a0 fs/namespace.c:3475\n do_mount fs/namespace.c:3488 [inline]\n __do_sys_mount fs/namespace.c:3697 [inline]\n __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674\n __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nUninit was created at:\n __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2190 [inline]\n allocate_slab mm/slub.c:2354 [inline]\n new_slab+0x2d7/0x1400 mm/slub.c:2407\n ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540\n __slab_alloc mm/slub.c:3625 [inline]\n __slab_alloc_node mm/slub.c:3678 [inline]\n slab_alloc_node mm/slub.c:3850 [inline]\n kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879\n alloc_inode_sb include/linux/fs.h:3018 [inline]\n hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165\n alloc_inode+0x83/0x440 fs/inode.c:260\n new_inode_pseudo fs/inode.c:1005 [inline]\n new_inode+0x38/0x4f0 fs/inode.c:1031\n hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186\n hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228\n vfs_mkdir+0x49a/0x700 fs/namei.c:4126\n do_mkdirat+0x529/0x810 fs/namei.c:4149\n __do_sys_mkdirat fs/namei.c:4164 [inline]\n __se_sys_mkdirat fs/namei.c:4162 [inline]\n __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nIt missed to initialize .tz_secondswest, .cached_start and .cached_blocks\nfields in struct hfs_inode_info after hfs_alloc_inode(), fix it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42311\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42311\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42311\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42311\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42311\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10f7163bfb5f8b4e0c9c05a939f20b8540e33c65\",\n \"https://git.kernel.org/stable/c/26a2ed107929a855155429b11e1293b83e6b2a8b\",\n \"https://git.kernel.org/stable/c/4a52861cd76e79f1a593beb23d096523eb9732c2\",\n \"https://git.kernel.org/stable/c/58d83fc160505a7009c39dec64effaac5129b971\",\n \"https://git.kernel.org/stable/c/9c4e40b9b731220f9464975e49da75496e3865c4\",\n \"https://git.kernel.org/stable/c/d3493d6f0dfb1ab5225b62faa77732983f2187a1\",\n \"https://git.kernel.org/stable/c/d55aae5c1730d6b70d5d8eaff00113cd34772ea3\",\n \"https://git.kernel.org/stable/c/f7316b2b2f11cf0c6de917beee8d3de728be24db\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()\\n\\nSyzbot reports uninitialized value access issue as below:\\n\\nloop0: detected capacity change from 0 to 64\\n=====================================================\\nBUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\\n hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\\n d_revalidate fs/namei.c:862 [inline]\\n lookup_fast+0x89e/0x8e0 fs/namei.c:1649\\n walk_component fs/namei.c:2001 [inline]\\n link_path_walk+0x817/0x1480 fs/namei.c:2332\\n path_lookupat+0xd9/0x6f0 fs/namei.c:2485\\n filename_lookup+0x22e/0x740 fs/namei.c:2515\\n user_path_at_empty+0x8b/0x390 fs/namei.c:2924\\n user_path_at include/linux/namei.h:57 [inline]\\n do_mount fs/namespace.c:3689 [inline]\\n __do_sys_mount fs/namespace.c:3898 [inline]\\n __se_sys_mount+0x66b/0x810 fs/namespace.c:3875\\n __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nBUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\\nBUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\\n hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\\n hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\\n block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271\\n hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39\\n filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426\\n do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553\\n do_read_cache_page mm/filemap.c:3595 [inline]\\n read_cache_page+0xfb/0x2f0 mm/filemap.c:3604\\n read_mapping_page include/linux/pagemap.h:755 [inline]\\n hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78\\n hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204\\n hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406\\n mount_bdev+0x628/0x920 fs/super.c:1359\\n hfs_mount+0xcd/0xe0 fs/hfs/super.c:456\\n legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610\\n vfs_get_tree+0xdc/0x5d0 fs/super.c:1489\\n do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145\\n path_mount+0xf98/0x26a0 fs/namespace.c:3475\\n do_mount fs/namespace.c:3488 [inline]\\n __do_sys_mount fs/namespace.c:3697 [inline]\\n __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674\\n __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674\\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\\n\\nUninit was created at:\\n __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\\n __alloc_pages_node include/linux/gfp.h:238 [inline]\\n alloc_pages_node include/linux/gfp.h:261 [inline]\\n alloc_slab_page mm/slub.c:2190 [inline]\\n allocate_slab mm/slub.c:2354 [inline]\\n new_slab+0x2d7/0x1400 mm/slub.c:2407\\n ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540\\n __slab_alloc mm/slub.c:3625 [inline]\\n __slab_alloc_node mm/slub.c:3678 [inline]\\n slab_alloc_node mm/slub.c:3850 [inline]\\n kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879\\n alloc_inode_sb include/linux/fs.h:3018 [inline]\\n hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165\\n alloc_inode+0x83/0x440 fs/inode.c:260\\n new_inode_pseudo fs/inode.c:1005 [inline]\\n new_inode+0x38/0x4f0 fs/inode.c:1031\\n hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186\\n hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228\\n vfs_mkdir+0x49a/0x700 fs/namei.c:4126\\n do_mkdirat+0x529/0x810 fs/namei.c:4149\\n __do_sys_mkdirat fs/namei.c:4164 [inline]\\n __se_sys_mkdirat fs/namei.c:4162 [inline]\\n __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nIt missed to initialize .tz_secondswest, .cached_start and .cached_blocks\\nfields in struct hfs_inode_info after hfs_alloc_inode(), fix it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42311\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42312", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42312" + }, + { + "url": "https://git.kernel.org/stable/c/1deae34db9f4f8e0e03f891be2e2e15c15c8ac05" + }, + { + "url": "https://git.kernel.org/stable/c/34a86adea1f2b3c3f9d864c8cce09dca644601ab" + }, + { + "url": "https://git.kernel.org/stable/c/98ca62ba9e2be5863c7d069f84f7166b45a5b2f4" + }, + { + "url": "https://git.kernel.org/stable/c/b2591c89a6e2858796111138c38fcb6851aa1955" + }, + { + "url": "https://git.kernel.org/stable/c/c7e2f43d182f5dde473389dbb39f16c9f0d64536" + }, + { + "url": "https://git.kernel.org/stable/c/ffde3af4b29bf97d62d82e1d45275587e10a991a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42312 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42312", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: always initialize i_uid/i_gid\n\nAlways initialize i_uid/i_gid inside the sysfs core so set_ownership()\ncan safely skip setting them.\n\nCommit 5ec27ec735ba (\"fs/proc/proc_sysctl.c: fix the default values of\ni_uid/i_gid on /proc/sys inodes.\") added defaults for i_uid/i_gid when\nset_ownership() was not implemented. It also missed adjusting\nnet_ctl_set_ownership() to use the same default values in case the\ncomputation of a better value failed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42312\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42312\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42312\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42312\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42312\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1deae34db9f4f8e0e03f891be2e2e15c15c8ac05\",\n \"https://git.kernel.org/stable/c/34a86adea1f2b3c3f9d864c8cce09dca644601ab\",\n \"https://git.kernel.org/stable/c/98ca62ba9e2be5863c7d069f84f7166b45a5b2f4\",\n \"https://git.kernel.org/stable/c/b2591c89a6e2858796111138c38fcb6851aa1955\",\n \"https://git.kernel.org/stable/c/c7e2f43d182f5dde473389dbb39f16c9f0d64536\",\n \"https://git.kernel.org/stable/c/ffde3af4b29bf97d62d82e1d45275587e10a991a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsysctl: always initialize i_uid/i_gid\\n\\nAlways initialize i_uid/i_gid inside the sysfs core so set_ownership()\\ncan safely skip setting them.\\n\\nCommit 5ec27ec735ba (\\\"fs/proc/proc_sysctl.c: fix the default values of\\ni_uid/i_gid on /proc/sys inodes.\\\") added defaults for i_uid/i_gid when\\nset_ownership() was not implemented. It also missed adjusting\\nnet_ctl_set_ownership() to use the same default values in case the\\ncomputation of a better value failed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42312\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42313", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42313" + }, + { + "url": "https://git.kernel.org/stable/c/4c9d235630d35db762b85a4149bbb0be9d504c36" + }, + { + "url": "https://git.kernel.org/stable/c/66fa52edd32cdbb675f0803b3c4da10ea19b6635" + }, + { + "url": "https://git.kernel.org/stable/c/6a96041659e834dc0b172dda4b2df512d63920c2" + }, + { + "url": "https://git.kernel.org/stable/c/72aff311194c8ceda934f24fd6f250b8827d7567" + }, + { + "url": "https://git.kernel.org/stable/c/a0157b5aa34eb43ec4c5510f9c260bbb03be937e" + }, + { + "url": "https://git.kernel.org/stable/c/ad8cf035baf29467158e0550c7a42b7bb43d1db6" + }, + { + "url": "https://git.kernel.org/stable/c/da55685247f409bf7f976cc66ba2104df75d8dad" + }, + { + "url": "https://git.kernel.org/stable/c/f8e9a63b982a8345470c225679af4ba86e4a7282" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42313 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42313", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: fix use after free in vdec_close\n\nThere appears to be a possible use after free with vdec_close().\nThe firmware will add buffer release work to the work queue through\nHFI callbacks as a normal part of decoding. Randomly closing the\ndecoder device from userspace during normal decoding can incur\na read after free for inst.\n\nFix it by cancelling the work in vdec_close.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42313\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42313\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42313\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42313\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42313\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c9d235630d35db762b85a4149bbb0be9d504c36\",\n \"https://git.kernel.org/stable/c/66fa52edd32cdbb675f0803b3c4da10ea19b6635\",\n \"https://git.kernel.org/stable/c/6a96041659e834dc0b172dda4b2df512d63920c2\",\n \"https://git.kernel.org/stable/c/72aff311194c8ceda934f24fd6f250b8827d7567\",\n \"https://git.kernel.org/stable/c/a0157b5aa34eb43ec4c5510f9c260bbb03be937e\",\n \"https://git.kernel.org/stable/c/ad8cf035baf29467158e0550c7a42b7bb43d1db6\",\n \"https://git.kernel.org/stable/c/da55685247f409bf7f976cc66ba2104df75d8dad\",\n \"https://git.kernel.org/stable/c/f8e9a63b982a8345470c225679af4ba86e4a7282\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: venus: fix use after free in vdec_close\\n\\nThere appears to be a possible use after free with vdec_close().\\nThe firmware will add buffer release work to the work queue through\\nHFI callbacks as a normal part of decoding. Randomly closing the\\ndecoder device from userspace during normal decoding can incur\\na read after free for inst.\\n\\nFix it by cancelling the work in vdec_close.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42313\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42315", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42315" + }, + { + "url": "https://git.kernel.org/stable/c/1d1970493c289e3f44b9ec847ed26a5dbdf56a62" + }, + { + "url": "https://git.kernel.org/stable/c/89fc548767a2155231128cb98726d6d2ea1256c9" + }, + { + "url": "https://git.kernel.org/stable/c/a7ac198f8dba791e3144c4da48a5a9b95773ee4b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42315 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42315", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix potential deadlock on __exfat_get_dentry_set\n\nWhen accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array\nis allocated in __exfat_get_entry_set. The problem is that the bh-array is\nallocated with GFP_KERNEL. It does not make sense. In the following cases,\na deadlock for sbi->s_lock between the two processes may occur.\n\n CPU0 CPU1\n ---- ----\n kswapd\n balance_pgdat\n lock(fs_reclaim)\n exfat_iterate\n lock(&sbi->s_lock)\n exfat_readdir\n exfat_get_uniname_from_ext_entry\n exfat_get_dentry_set\n __exfat_get_dentry_set\n kmalloc_array\n ...\n lock(fs_reclaim)\n ...\n evict\n exfat_evict_inode\n lock(&sbi->s_lock)\n\nTo fix this, let's allocate bh-array with GFP_NOFS.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42315\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42315\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42315\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42315\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42315\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d1970493c289e3f44b9ec847ed26a5dbdf56a62\",\n \"https://git.kernel.org/stable/c/89fc548767a2155231128cb98726d6d2ea1256c9\",\n \"https://git.kernel.org/stable/c/a7ac198f8dba791e3144c4da48a5a9b95773ee4b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nexfat: fix potential deadlock on __exfat_get_dentry_set\\n\\nWhen accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array\\nis allocated in __exfat_get_entry_set. The problem is that the bh-array is\\nallocated with GFP_KERNEL. It does not make sense. In the following cases,\\na deadlock for sbi->s_lock between the two processes may occur.\\n\\n CPU0 CPU1\\n ---- ----\\n kswapd\\n balance_pgdat\\n lock(fs_reclaim)\\n exfat_iterate\\n lock(&sbi->s_lock)\\n exfat_readdir\\n exfat_get_uniname_from_ext_entry\\n exfat_get_dentry_set\\n __exfat_get_dentry_set\\n kmalloc_array\\n ...\\n lock(fs_reclaim)\\n ...\\n evict\\n exfat_evict_inode\\n lock(&sbi->s_lock)\\n\\nTo fix this, let's allocate bh-array with GFP_NOFS.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42315\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42318", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42318" + }, + { + "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2566" + }, + { + "url": "https://git.kernel.org/stable/c/0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c" + }, + { + "url": "https://git.kernel.org/stable/c/16896914bace82d7811c62f3b6d5320132384f49" + }, + { + "url": "https://git.kernel.org/stable/c/39705a6c29f8a2b93cf5b99528a55366c50014d1" + }, + { + "url": "https://git.kernel.org/stable/c/916c648323fa53b89eedb34a0988ddaf01406117" + }, + { + "url": "https://git.kernel.org/stable/c/b14cc2cf313bd29056fadbc8ecd7f957cf5791ff" + }, + { + "url": "https://lore.kernel.org/all/20240817.shahka3Ee1iy@digikod.net/" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2024/08/17/2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42318 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42318", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Don't lose track of restrictions on cred_transfer\n\nWhen a process' cred struct is replaced, this _almost_ always invokes\nthe cred_prepare LSM hook; but in one special case (when\nKEYCTL_SESSION_TO_PARENT updates the parent's credentials), the\ncred_transfer LSM hook is used instead. Landlock only implements the\ncred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes\nall information on Landlock restrictions to be lost.\n\nThis basically means that a process with the ability to use the fork()\nand keyctl() syscalls can get rid of all Landlock restrictions on\nitself.\n\nFix it by adding a cred_transfer hook that does the same thing as the\nexisting cred_prepare hook. (Implemented by having hook_cred_prepare()\ncall hook_cred_transfer() so that the two functions are less likely to\naccidentally diverge in the future.)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42318\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42318\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42318\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42318\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42318\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://bugs.chromium.org/p/project-zero/issues/detail?id=2566\",\n \"https://git.kernel.org/stable/c/0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c\",\n \"https://git.kernel.org/stable/c/16896914bace82d7811c62f3b6d5320132384f49\",\n \"https://git.kernel.org/stable/c/39705a6c29f8a2b93cf5b99528a55366c50014d1\",\n \"https://git.kernel.org/stable/c/916c648323fa53b89eedb34a0988ddaf01406117\",\n \"https://git.kernel.org/stable/c/b14cc2cf313bd29056fadbc8ecd7f957cf5791ff\",\n \"https://lore.kernel.org/all/20240817.shahka3Ee1iy@digikod.net/\",\n \"https://www.openwall.com/lists/oss-security/2024/08/17/2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlandlock: Don't lose track of restrictions on cred_transfer\\n\\nWhen a process' cred struct is replaced, this _almost_ always invokes\\nthe cred_prepare LSM hook; but in one special case (when\\nKEYCTL_SESSION_TO_PARENT updates the parent's credentials), the\\ncred_transfer LSM hook is used instead. Landlock only implements the\\ncred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes\\nall information on Landlock restrictions to be lost.\\n\\nThis basically means that a process with the ability to use the fork()\\nand keyctl() syscalls can get rid of all Landlock restrictions on\\nitself.\\n\\nFix it by adding a cred_transfer hook that does the same thing as the\\nexisting cred_prepare hook. (Implemented by having hook_cred_prepare()\\ncall hook_cred_transfer() so that the two functions are less likely to\\naccidentally diverge in the future.)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42318\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42319", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42319" + }, + { + "url": "https://git.kernel.org/stable/c/11fa625b45faf0649118b9deaf2d31c86ac41911" + }, + { + "url": "https://git.kernel.org/stable/c/a8bd68e4329f9a0ad1b878733e0f80be6a971649" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42319 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42319", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()\n\nWhen mtk-cmdq unbinds, a WARN_ON message with condition\npm_runtime_get_sync() < 0 occurs.\n\nAccording to the call tracei below:\n cmdq_mbox_shutdown\n mbox_free_channel\n mbox_controller_unregister\n __devm_mbox_controller_unregister\n ...\n\nThe root cause can be deduced to be calling pm_runtime_get_sync() after\ncalling pm_runtime_disable() as observed below:\n1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe()\n to bind the cmdq device to the mbox_controller, so\n devm_mbox_controller_unregister() will automatically unregister\n the device bound to the mailbox controller when the device-managed\n resource is removed. That means devm_mbox_controller_unregister()\n and cmdq_mbox_shoutdown() will be called after cmdq_remove().\n2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after\n devm_mbox_controller_register(), so that devm_pm_runtime_disable()\n will be called after cmdq_remove(), but before\n devm_mbox_controller_unregister().\n\nTo fix this problem, cmdq_probe() needs to move\ndevm_mbox_controller_register() after devm_pm_runtime_enable() to make\ndevm_pm_runtime_disable() be called after\ndevm_mbox_controller_unregister().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42319\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42319\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42319\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42319\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42319\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11fa625b45faf0649118b9deaf2d31c86ac41911\",\n \"https://git.kernel.org/stable/c/a8bd68e4329f9a0ad1b878733e0f80be6a971649\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()\\n\\nWhen mtk-cmdq unbinds, a WARN_ON message with condition\\npm_runtime_get_sync() < 0 occurs.\\n\\nAccording to the call tracei below:\\n cmdq_mbox_shutdown\\n mbox_free_channel\\n mbox_controller_unregister\\n __devm_mbox_controller_unregister\\n ...\\n\\nThe root cause can be deduced to be calling pm_runtime_get_sync() after\\ncalling pm_runtime_disable() as observed below:\\n1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe()\\n to bind the cmdq device to the mbox_controller, so\\n devm_mbox_controller_unregister() will automatically unregister\\n the device bound to the mailbox controller when the device-managed\\n resource is removed. That means devm_mbox_controller_unregister()\\n and cmdq_mbox_shoutdown() will be called after cmdq_remove().\\n2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after\\n devm_mbox_controller_register(), so that devm_pm_runtime_disable()\\n will be called after cmdq_remove(), but before\\n devm_mbox_controller_unregister().\\n\\nTo fix this problem, cmdq_probe() needs to move\\ndevm_mbox_controller_register() after devm_pm_runtime_enable() to make\\ndevm_pm_runtime_disable() be called after\\ndevm_mbox_controller_unregister().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42319\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42320", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42320" + }, + { + "url": "https://git.kernel.org/stable/c/68d4c3722290ad300c295fb3435e835d200d5cb2" + }, + { + "url": "https://git.kernel.org/stable/c/8e64d2356cbc800b4cd0e3e614797f76bcf0cdb8" + }, + { + "url": "https://git.kernel.org/stable/c/cc8b7284d5076722e0b8062373b68d8e47c3bace" + }, + { + "url": "https://git.kernel.org/stable/c/e511167e65d332d07b3c7a3d5a741ee9c19a8c27" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42320 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42320", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix error checks in dasd_copy_pair_store()\n\ndasd_add_busid() can return an error via ERR_PTR() if an allocation\nfails. However, two callsites in dasd_copy_pair_store() do not check\nthe result, potentially resulting in a NULL pointer dereference. Fix\nthis by checking the result with IS_ERR() and returning the error up\nthe stack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42320\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42320\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42320\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42320\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42320\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/68d4c3722290ad300c295fb3435e835d200d5cb2\",\n \"https://git.kernel.org/stable/c/8e64d2356cbc800b4cd0e3e614797f76bcf0cdb8\",\n \"https://git.kernel.org/stable/c/cc8b7284d5076722e0b8062373b68d8e47c3bace\",\n \"https://git.kernel.org/stable/c/e511167e65d332d07b3c7a3d5a741ee9c19a8c27\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/dasd: fix error checks in dasd_copy_pair_store()\\n\\ndasd_add_busid() can return an error via ERR_PTR() if an allocation\\nfails. However, two callsites in dasd_copy_pair_store() do not check\\nthe result, potentially resulting in a NULL pointer dereference. Fix\\nthis by checking the result with IS_ERR() and returning the error up\\nthe stack.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42320\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42321", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42321" + }, + { + "url": "https://git.kernel.org/stable/c/120f1c857a73e52132e473dee89b340440cb692b" + }, + { + "url": "https://git.kernel.org/stable/c/4afbac11f2f629d1e62817c4e210bdfaa7521107" + }, + { + "url": "https://git.kernel.org/stable/c/c5d21aabf1b31a79f228508af33aee83456bc1b0" + }, + { + "url": "https://git.kernel.org/stable/c/eb03d9826aa646577342a952d658d4598381c035" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42321 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42321", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: flow_dissector: use DEBUG_NET_WARN_ON_ONCE\n\nThe following splat is easy to reproduce upstream as well as in -stable\nkernels. Florian Westphal provided the following commit:\n\n d1dab4f71d37 (\"net: add and use __skb_get_hash_symmetric_net\")\n\nbut this complementary fix has been also suggested by Willem de Bruijn\nand it can be easily backported to -stable kernel which consists in\nusing DEBUG_NET_WARN_ON_ONCE instead to silence the following splat\ngiven __skb_get_hash() is used by the nftables tracing infrastructure to\nto identify packets in traces.\n\n[69133.561393] ------------[ cut here ]------------\n[69133.561404] WARNING: CPU: 0 PID: 43576 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x134f/\n[...]\n[69133.561944] CPU: 0 PID: 43576 Comm: socat Not tainted 6.10.0-rc7+ #379\n[69133.561959] RIP: 0010:__skb_flow_dissect+0x134f/0x2ad0\n[69133.561970] Code: 83 f9 04 0f 84 b3 00 00 00 45 85 c9 0f 84 aa 00 00 00 41 83 f9 02 0f 84 81 fc ff\nff 44 0f b7 b4 24 80 00 00 00 e9 8b f9 ff ff <0f> 0b e9 20 f3 ff ff 41 f6 c6 20 0f 84 e4 ef ff ff 48 8d 7b 12 e8\n[69133.561979] RSP: 0018:ffffc90000006fc0 EFLAGS: 00010246\n[69133.561988] RAX: 0000000000000000 RBX: ffffffff82f33e20 RCX: ffffffff81ab7e19\n[69133.561994] RDX: dffffc0000000000 RSI: ffffc90000007388 RDI: ffff888103a1b418\n[69133.562001] RBP: ffffc90000007310 R08: 0000000000000000 R09: 0000000000000000\n[69133.562007] R10: ffffc90000007388 R11: ffffffff810cface R12: ffff888103a1b400\n[69133.562013] R13: 0000000000000000 R14: ffffffff82f33e2a R15: ffffffff82f33e28\n[69133.562020] FS: 00007f40f7131740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[69133.562027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[69133.562033] CR2: 00007f40f7346ee0 CR3: 000000015d200001 CR4: 00000000001706f0\n[69133.562040] Call Trace:\n[69133.562044] \n[69133.562049] ? __warn+0x9f/0x1a0\n[ 1211.841384] ? __skb_flow_dissect+0x107e/0x2860\n[...]\n[ 1211.841496] ? bpf_flow_dissect+0x160/0x160\n[ 1211.841753] __skb_get_hash+0x97/0x280\n[ 1211.841765] ? __skb_get_hash_symmetric+0x230/0x230\n[ 1211.841776] ? mod_find+0xbf/0xe0\n[ 1211.841786] ? get_stack_info_noinstr+0x12/0xe0\n[ 1211.841798] ? bpf_ksym_find+0x56/0xe0\n[ 1211.841807] ? __rcu_read_unlock+0x2a/0x70\n[ 1211.841819] nft_trace_init+0x1b9/0x1c0 [nf_tables]\n[ 1211.841895] ? nft_trace_notify+0x830/0x830 [nf_tables]\n[ 1211.841964] ? get_stack_info+0x2b/0x80\n[ 1211.841975] ? nft_do_chain_arp+0x80/0x80 [nf_tables]\n[ 1211.842044] nft_do_chain+0x79c/0x850 [nf_tables]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42321\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42321\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42321\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42321\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42321\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/120f1c857a73e52132e473dee89b340440cb692b\",\n \"https://git.kernel.org/stable/c/4afbac11f2f629d1e62817c4e210bdfaa7521107\",\n \"https://git.kernel.org/stable/c/c5d21aabf1b31a79f228508af33aee83456bc1b0\",\n \"https://git.kernel.org/stable/c/eb03d9826aa646577342a952d658d4598381c035\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: flow_dissector: use DEBUG_NET_WARN_ON_ONCE\\n\\nThe following splat is easy to reproduce upstream as well as in -stable\\nkernels. Florian Westphal provided the following commit:\\n\\n d1dab4f71d37 (\\\"net: add and use __skb_get_hash_symmetric_net\\\")\\n\\nbut this complementary fix has been also suggested by Willem de Bruijn\\nand it can be easily backported to -stable kernel which consists in\\nusing DEBUG_NET_WARN_ON_ONCE instead to silence the following splat\\ngiven __skb_get_hash() is used by the nftables tracing infrastructure to\\nto identify packets in traces.\\n\\n[69133.561393] ------------[ cut here ]------------\\n[69133.561404] WARNING: CPU: 0 PID: 43576 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x134f/\\n[...]\\n[69133.561944] CPU: 0 PID: 43576 Comm: socat Not tainted 6.10.0-rc7+ #379\\n[69133.561959] RIP: 0010:__skb_flow_dissect+0x134f/0x2ad0\\n[69133.561970] Code: 83 f9 04 0f 84 b3 00 00 00 45 85 c9 0f 84 aa 00 00 00 41 83 f9 02 0f 84 81 fc ff\\nff 44 0f b7 b4 24 80 00 00 00 e9 8b f9 ff ff <0f> 0b e9 20 f3 ff ff 41 f6 c6 20 0f 84 e4 ef ff ff 48 8d 7b 12 e8\\n[69133.561979] RSP: 0018:ffffc90000006fc0 EFLAGS: 00010246\\n[69133.561988] RAX: 0000000000000000 RBX: ffffffff82f33e20 RCX: ffffffff81ab7e19\\n[69133.561994] RDX: dffffc0000000000 RSI: ffffc90000007388 RDI: ffff888103a1b418\\n[69133.562001] RBP: ffffc90000007310 R08: 0000000000000000 R09: 0000000000000000\\n[69133.562007] R10: ffffc90000007388 R11: ffffffff810cface R12: ffff888103a1b400\\n[69133.562013] R13: 0000000000000000 R14: ffffffff82f33e2a R15: ffffffff82f33e28\\n[69133.562020] FS: 00007f40f7131740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\\n[69133.562027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[69133.562033] CR2: 00007f40f7346ee0 CR3: 000000015d200001 CR4: 00000000001706f0\\n[69133.562040] Call Trace:\\n[69133.562044] \\n[69133.562049] ? __warn+0x9f/0x1a0\\n[ 1211.841384] ? __skb_flow_dissect+0x107e/0x2860\\n[...]\\n[ 1211.841496] ? bpf_flow_dissect+0x160/0x160\\n[ 1211.841753] __skb_get_hash+0x97/0x280\\n[ 1211.841765] ? __skb_get_hash_symmetric+0x230/0x230\\n[ 1211.841776] ? mod_find+0xbf/0xe0\\n[ 1211.841786] ? get_stack_info_noinstr+0x12/0xe0\\n[ 1211.841798] ? bpf_ksym_find+0x56/0xe0\\n[ 1211.841807] ? __rcu_read_unlock+0x2a/0x70\\n[ 1211.841819] nft_trace_init+0x1b9/0x1c0 [nf_tables]\\n[ 1211.841895] ? nft_trace_notify+0x830/0x830 [nf_tables]\\n[ 1211.841964] ? get_stack_info+0x2b/0x80\\n[ 1211.841975] ? nft_do_chain_arp+0x80/0x80 [nf_tables]\\n[ 1211.842044] nft_do_chain+0x79c/0x850 [nf_tables]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42321\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42322", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42322" + }, + { + "url": "https://git.kernel.org/stable/c/3dd428039e06e1967ce294e2cd6342825aaaad77" + }, + { + "url": "https://git.kernel.org/stable/c/c420cd5d5bc6797f3a8824e7d74f38f0c286fca5" + }, + { + "url": "https://git.kernel.org/stable/c/cbd070a4ae62f119058973f6d2c984e325bce6e7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42322 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42322", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: properly dereference pe in ip_vs_add_service\n\nUse pe directly to resolve sparse warning:\n\n net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42322\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42322\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42322\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42322\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42322\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3dd428039e06e1967ce294e2cd6342825aaaad77\",\n \"https://git.kernel.org/stable/c/c420cd5d5bc6797f3a8824e7d74f38f0c286fca5\",\n \"https://git.kernel.org/stable/c/cbd070a4ae62f119058973f6d2c984e325bce6e7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipvs: properly dereference pe in ip_vs_add_service\\n\\nUse pe directly to resolve sparse warning:\\n\\n net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42322\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43817", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43817" + }, + { + "url": "https://git.kernel.org/stable/c/27874ca77bd2b05a3779c7b3a5c75d8dd7f0b40f" + }, + { + "url": "https://git.kernel.org/stable/c/5b1997487a3f3373b0f580c8a20b56c1b64b0775" + }, + { + "url": "https://git.kernel.org/stable/c/90d41ebe0cd4635f6410471efc1dd71b33e894cf" + }, + { + "url": "https://git.kernel.org/stable/c/e269d79c7d35aa3808b1f3c1737d63dab504ddc8" + }, + { + "url": "https://git.kernel.org/stable/c/e9164903b8b303c34723177b02fe91e49e3c4cd7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43817 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43817", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: missing check virtio\n\nTwo missing check in virtio_net_hdr_to_skb() allowed syzbot\nto crash kernels again\n\n1. After the skb_segment function the buffer may become non-linear\n(nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere\nthe __skb_linearize function will not be executed, then the buffer will\nremain non-linear. Then the condition (offset >= skb_headlen(skb))\nbecomes true, which causes WARN_ON_ONCE in skb_checksum_help.\n\n2. The struct sk_buff and struct virtio_net_hdr members must be\nmathematically related.\n(gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.\n(remainder) must be greater than (needed) otherwise WARN_ON_ONCE.\n(remainder) may be 0 if division is without remainder.\n\noffset+2 (4191) > skb_headlen() (1116)\nWARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\nModules linked in:\nCPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\nCode: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef\nRSP: 0018:ffffc90003a9f338 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209\nRDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001\nRBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c\nR13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d\nFS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777\n ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584\n ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]\n __ip_finish_output net/ipv4/ip_output.c:308 [inline]\n __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433\n dst_output include/net/dst.h:451 [inline]\n ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]\n sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3545 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x257/0x380 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\n __sys_sendto+0x255/0x340 net/socket.c:2190\n __do_sys_sendto net/socket.c:2202 [inline]\n __se_sys_sendto net/socket.c:2198 [inline]\n __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43817\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43817\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43817\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43817\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43817\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/27874ca77bd2b05a3779c7b3a5c75d8dd7f0b40f\",\n \"https://git.kernel.org/stable/c/5b1997487a3f3373b0f580c8a20b56c1b64b0775\",\n \"https://git.kernel.org/stable/c/90d41ebe0cd4635f6410471efc1dd71b33e894cf\",\n \"https://git.kernel.org/stable/c/e269d79c7d35aa3808b1f3c1737d63dab504ddc8\",\n \"https://git.kernel.org/stable/c/e9164903b8b303c34723177b02fe91e49e3c4cd7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: missing check virtio\\n\\nTwo missing check in virtio_net_hdr_to_skb() allowed syzbot\\nto crash kernels again\\n\\n1. After the skb_segment function the buffer may become non-linear\\n(nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere\\nthe __skb_linearize function will not be executed, then the buffer will\\nremain non-linear. Then the condition (offset >= skb_headlen(skb))\\nbecomes true, which causes WARN_ON_ONCE in skb_checksum_help.\\n\\n2. The struct sk_buff and struct virtio_net_hdr members must be\\nmathematically related.\\n(gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.\\n(remainder) must be greater than (needed) otherwise WARN_ON_ONCE.\\n(remainder) may be 0 if division is without remainder.\\n\\noffset+2 (4191) > skb_headlen() (1116)\\nWARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\\nModules linked in:\\nCPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0\\nHardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\\nRIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\\nCode: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef\\nRSP: 0018:ffffc90003a9f338 EFLAGS: 00010286\\nRAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209\\nRDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001\\nRBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c\\nR13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d\\nFS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777\\n ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584\\n ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]\\n __ip_finish_output net/ipv4/ip_output.c:308 [inline]\\n __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295\\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\\n ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433\\n dst_output include/net/dst.h:451 [inline]\\n ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129\\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\\n ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]\\n sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076\\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\\n xmit_one net/core/dev.c:3545 [inline]\\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561\\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346\\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\\n packet_xmit+0x257/0x380 net/packet/af_packet.c:276\\n packet_snd net/packet/af_packet.c:3087 [inline]\\n packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\\n __sys_sendto+0x255/0x340 net/socket.c:2190\\n __do_sys_sendto net/socket.c:2202 [inline]\\n __se_sys_sendto net/socket.c:2198 [inline]\\n __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43817\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43819", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43819" + }, + { + "url": "https://git.kernel.org/stable/c/49c9945c054df4c22008e2bf87ca74d3e2507aa6" + }, + { + "url": "https://git.kernel.org/stable/c/7816e58967d0e6cadce05c8540b47ed027dc2499" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43819 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43819", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: s390: Reject memory region operations for ucontrol VMs\n\nThis change rejects the KVM_SET_USER_MEMORY_REGION and\nKVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM.\nThis is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and\nwould thus result in a null pointer dereference further in.\nMemory management needs to be performed in userspace and using the\nioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP.\n\nAlso improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION\nand KVM_SET_USER_MEMORY_REGION2.\n\n[frankja@linux.ibm.com: commit message spelling fix, subject prefix fix]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43819\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43819\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43819\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43819\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43819\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/49c9945c054df4c22008e2bf87ca74d3e2507aa6\",\n \"https://git.kernel.org/stable/c/7816e58967d0e6cadce05c8540b47ed027dc2499\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkvm: s390: Reject memory region operations for ucontrol VMs\\n\\nThis change rejects the KVM_SET_USER_MEMORY_REGION and\\nKVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM.\\nThis is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and\\nwould thus result in a null pointer dereference further in.\\nMemory management needs to be performed in userspace and using the\\nioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP.\\n\\nAlso improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION\\nand KVM_SET_USER_MEMORY_REGION2.\\n\\n[frankja@linux.ibm.com: commit message spelling fix, subject prefix fix]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43819\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43823", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43823" + }, + { + "url": "https://git.kernel.org/stable/c/0a6f1b5fe8ef8268aaa069035639968ceeea0a23" + }, + { + "url": "https://git.kernel.org/stable/c/a231707a91f323af1e5d9f1722055ec2fc1c7775" + }, + { + "url": "https://git.kernel.org/stable/c/bbba48ad67c53feea05936ea1e029dcca8057506" + }, + { + "url": "https://git.kernel.org/stable/c/dbcdd1863ba2ec9b76ec131df25d797709e05597" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43823 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43823", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()\n\nIf IORESOURCE_MEM is not provided in Device Tree due to\nany error, resource_list_first_type() will return NULL and\npci_parse_request_of_pci_ranges() will just emit a warning.\n\nThis will cause a NULL pointer dereference. Fix this bug by adding NULL\nreturn check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43823\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43823\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43823\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43823\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43823\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a6f1b5fe8ef8268aaa069035639968ceeea0a23\",\n \"https://git.kernel.org/stable/c/a231707a91f323af1e5d9f1722055ec2fc1c7775\",\n \"https://git.kernel.org/stable/c/bbba48ad67c53feea05936ea1e029dcca8057506\",\n \"https://git.kernel.org/stable/c/dbcdd1863ba2ec9b76ec131df25d797709e05597\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()\\n\\nIf IORESOURCE_MEM is not provided in Device Tree due to\\nany error, resource_list_first_type() will return NULL and\\npci_parse_request_of_pci_ranges() will just emit a warning.\\n\\nThis will cause a NULL pointer dereference. Fix this bug by adding NULL\\nreturn check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43823\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43824", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43824" + }, + { + "url": "https://git.kernel.org/stable/c/5a5095a8bd1bd349cce1c879e5e44407a34dda8a" + }, + { + "url": "https://git.kernel.org/stable/c/af4ad016abb1632ff7ee598a6037952b495e5b80" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43824 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43824", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init()\n\nInstead of getting the epc_features from pci_epc_get_features() API, use\nthe cached pci_epf_test::epc_features value to avoid the NULL check. Since\nthe NULL check is already performed in pci_epf_test_bind(), having one more\ncheck in pci_epf_test_core_init() is redundant and it is not possible to\nhit the NULL pointer dereference.\n\nAlso with commit a01e7214bef9 (\"PCI: endpoint: Remove \"core_init_notifier\"\nflag\"), 'epc_features' got dereferenced without the NULL check, leading to\nthe following false positive Smatch warning:\n\n drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747)\n\nThus, remove the redundant NULL check and also use the epc_features::\n{msix_capable/msi_capable} flags directly to avoid local variables.\n\n[kwilczynski: commit log]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43824\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43824\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43824\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43824\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43824\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5a5095a8bd1bd349cce1c879e5e44407a34dda8a\",\n \"https://git.kernel.org/stable/c/af4ad016abb1632ff7ee598a6037952b495e5b80\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init()\\n\\nInstead of getting the epc_features from pci_epc_get_features() API, use\\nthe cached pci_epf_test::epc_features value to avoid the NULL check. Since\\nthe NULL check is already performed in pci_epf_test_bind(), having one more\\ncheck in pci_epf_test_core_init() is redundant and it is not possible to\\nhit the NULL pointer dereference.\\n\\nAlso with commit a01e7214bef9 (\\\"PCI: endpoint: Remove \\\"core_init_notifier\\\"\\nflag\\\"), 'epc_features' got dereferenced without the NULL check, leading to\\nthe following false positive Smatch warning:\\n\\n drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747)\\n\\nThus, remove the redundant NULL check and also use the epc_features::\\n{msix_capable/msi_capable} flags directly to avoid local variables.\\n\\n[kwilczynski: commit log]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43824\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43828", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43828" + }, + { + "url": "https://git.kernel.org/stable/c/0619f7750f2b178a1309808832ab20d85e0ad121" + }, + { + "url": "https://git.kernel.org/stable/c/181e63cd595c688194e07332f9944b3a63193de2" + }, + { + "url": "https://git.kernel.org/stable/c/5ed0496e383cb6de120e56991385dce70bbb87c1" + }, + { + "url": "https://git.kernel.org/stable/c/81f819c537d29932e4b9267f02411cbc8b355178" + }, + { + "url": "https://git.kernel.org/stable/c/907c3fe532253a6ef4eb9c4d67efb71fab58c706" + }, + { + "url": "https://git.kernel.org/stable/c/c6e67df64783e99a657ef2b8c834ba2bf54c539c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43828 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43828", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix infinite loop when replaying fast_commit\n\nWhen doing fast_commit replay an infinite loop may occur due to an\nuninitialized extent_status struct. ext4_ext_determine_insert_hole() does\nnot detect the replay and calls ext4_es_find_extent_range(), which will\nreturn immediately without initializing the 'es' variable.\n\nBecause 'es' contains garbage, an integer overflow may happen causing an\ninfinite loop in this function, easily reproducible using fstest generic/039.\n\nThis commit fixes this issue by unconditionally initializing the structure\nin function ext4_es_find_extent_range().\n\nThanks to Zhang Yi, for figuring out the real problem!", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43828\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43828\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43828\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43828\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43828\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0619f7750f2b178a1309808832ab20d85e0ad121\",\n \"https://git.kernel.org/stable/c/181e63cd595c688194e07332f9944b3a63193de2\",\n \"https://git.kernel.org/stable/c/5ed0496e383cb6de120e56991385dce70bbb87c1\",\n \"https://git.kernel.org/stable/c/81f819c537d29932e4b9267f02411cbc8b355178\",\n \"https://git.kernel.org/stable/c/907c3fe532253a6ef4eb9c4d67efb71fab58c706\",\n \"https://git.kernel.org/stable/c/c6e67df64783e99a657ef2b8c834ba2bf54c539c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix infinite loop when replaying fast_commit\\n\\nWhen doing fast_commit replay an infinite loop may occur due to an\\nuninitialized extent_status struct. ext4_ext_determine_insert_hole() does\\nnot detect the replay and calls ext4_es_find_extent_range(), which will\\nreturn immediately without initializing the 'es' variable.\\n\\nBecause 'es' contains garbage, an integer overflow may happen causing an\\ninfinite loop in this function, easily reproducible using fstest generic/039.\\n\\nThis commit fixes this issue by unconditionally initializing the structure\\nin function ext4_es_find_extent_range().\\n\\nThanks to Zhang Yi, for figuring out the real problem!\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43828\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43829", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43829" + }, + { + "url": "https://git.kernel.org/stable/c/3efe34f95b1ac8c138a46b14ce75956db0d6ee7c" + }, + { + "url": "https://git.kernel.org/stable/c/4b1f303bdeceac049e56e4b20eb5280bd9e02f4f" + }, + { + "url": "https://git.kernel.org/stable/c/4e87f592a46bb804d8f833da6ce702ae4b55053f" + }, + { + "url": "https://git.kernel.org/stable/c/62ef8d7816c8e4a6088275553818b9afc0ffaa03" + }, + { + "url": "https://git.kernel.org/stable/c/7bd09a2db0f617377027a2bb0b9179e6959edff3" + }, + { + "url": "https://git.kernel.org/stable/c/d4c57354a06cb4a77998ff8aa40af89eee30e07b" + }, + { + "url": "https://git.kernel.org/stable/c/f28b353c0c6c7831a70ccca881bf2db5e6785cdd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43829 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43829", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/qxl: Add check for drm_cvt_mode\n\nAdd check for the return value of drm_cvt_mode() and return the error if\nit fails in order to avoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43829\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43829\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43829\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43829\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43829\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3efe34f95b1ac8c138a46b14ce75956db0d6ee7c\",\n \"https://git.kernel.org/stable/c/4b1f303bdeceac049e56e4b20eb5280bd9e02f4f\",\n \"https://git.kernel.org/stable/c/4e87f592a46bb804d8f833da6ce702ae4b55053f\",\n \"https://git.kernel.org/stable/c/62ef8d7816c8e4a6088275553818b9afc0ffaa03\",\n \"https://git.kernel.org/stable/c/7bd09a2db0f617377027a2bb0b9179e6959edff3\",\n \"https://git.kernel.org/stable/c/d4c57354a06cb4a77998ff8aa40af89eee30e07b\",\n \"https://git.kernel.org/stable/c/f28b353c0c6c7831a70ccca881bf2db5e6785cdd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/qxl: Add check for drm_cvt_mode\\n\\nAdd check for the return value of drm_cvt_mode() and return the error if\\nit fails in order to avoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43829\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43830", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43830" + }, + { + "url": "https://git.kernel.org/stable/c/0788a6f3523d3686a9eed5ea1e6fcce6841277b2" + }, + { + "url": "https://git.kernel.org/stable/c/09c1583f0e10c918855d6e7540a79461a353e5d6" + }, + { + "url": "https://git.kernel.org/stable/c/3fb6a9d67cfd812a547ac73ec02e1077c26c640d" + }, + { + "url": "https://git.kernel.org/stable/c/734ba6437e80dfc780e9ee9d95f912392d12b5ea" + }, + { + "url": "https://git.kernel.org/stable/c/c0dc9adf9474ecb7106e60e5472577375aedaed3" + }, + { + "url": "https://git.kernel.org/stable/c/c3b7a650c8717aa89df318364609c86cbc040156" + }, + { + "url": "https://git.kernel.org/stable/c/cb8aa9d2a4c8a15d6a43ccf901ef3d094aa60374" + }, + { + "url": "https://git.kernel.org/stable/c/d1415125b701ef13370e2761f691ec632a5eb93a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43830 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43830", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: trigger: Unregister sysfs attributes before calling deactivate()\n\nTriggers which have trigger specific sysfs attributes typically store\nrelated data in trigger-data allocated by the activate() callback and\nfreed by the deactivate() callback.\n\nCalling device_remove_groups() after calling deactivate() leaves a window\nwhere the sysfs attributes show/store functions could be called after\ndeactivation and then operate on the just freed trigger-data.\n\nMove the device_remove_groups() call to before deactivate() to close\nthis race window.\n\nThis also makes the deactivation path properly do things in reverse order\nof the activation path which calls the activate() callback before calling\ndevice_add_groups().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43830\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43830\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43830\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43830\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43830\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0788a6f3523d3686a9eed5ea1e6fcce6841277b2\",\n \"https://git.kernel.org/stable/c/09c1583f0e10c918855d6e7540a79461a353e5d6\",\n \"https://git.kernel.org/stable/c/3fb6a9d67cfd812a547ac73ec02e1077c26c640d\",\n \"https://git.kernel.org/stable/c/734ba6437e80dfc780e9ee9d95f912392d12b5ea\",\n \"https://git.kernel.org/stable/c/c0dc9adf9474ecb7106e60e5472577375aedaed3\",\n \"https://git.kernel.org/stable/c/c3b7a650c8717aa89df318364609c86cbc040156\",\n \"https://git.kernel.org/stable/c/cb8aa9d2a4c8a15d6a43ccf901ef3d094aa60374\",\n \"https://git.kernel.org/stable/c/d1415125b701ef13370e2761f691ec632a5eb93a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nleds: trigger: Unregister sysfs attributes before calling deactivate()\\n\\nTriggers which have trigger specific sysfs attributes typically store\\nrelated data in trigger-data allocated by the activate() callback and\\nfreed by the deactivate() callback.\\n\\nCalling device_remove_groups() after calling deactivate() leaves a window\\nwhere the sysfs attributes show/store functions could be called after\\ndeactivation and then operate on the just freed trigger-data.\\n\\nMove the device_remove_groups() call to before deactivate() to close\\nthis race window.\\n\\nThis also makes the deactivation path properly do things in reverse order\\nof the activation path which calls the activate() callback before calling\\ndevice_add_groups().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43830\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43831", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43831" + }, + { + "url": "https://git.kernel.org/stable/c/1c109f23b271a02b9bb195c173fab41e3285a8db" + }, + { + "url": "https://git.kernel.org/stable/c/59d438f8e02ca641c58d77e1feffa000ff809e9f" + }, + { + "url": "https://git.kernel.org/stable/c/cdf05ae76198c513836bde4eb55f099c44773280" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43831 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43831", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Handle invalid decoder vsi\n\nHandle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi\nis valid for future use.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43831\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43831\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43831\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43831\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43831\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c109f23b271a02b9bb195c173fab41e3285a8db\",\n \"https://git.kernel.org/stable/c/59d438f8e02ca641c58d77e1feffa000ff809e9f\",\n \"https://git.kernel.org/stable/c/cdf05ae76198c513836bde4eb55f099c44773280\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: mediatek: vcodec: Handle invalid decoder vsi\\n\\nHandle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi\\nis valid for future use.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43831\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43832", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43832" + }, + { + "url": "https://git.kernel.org/stable/c/1a1eb2f3fc453dcd52726d13e863938561489cb7" + }, + { + "url": "https://git.kernel.org/stable/c/3f29f6537f54d74e64bac0a390fb2e26da25800d" + }, + { + "url": "https://git.kernel.org/stable/c/8736604ef53359a718c246087cd21dcec232d2fb" + }, + { + "url": "https://git.kernel.org/stable/c/b21aba72aadd94bdac275deab021fc84d6c72b16" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43832 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43832", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/uv: Don't call folio_wait_writeback() without a folio reference\n\nfolio_wait_writeback() requires that no spinlocks are held and that\na folio reference is held, as documented. After we dropped the PTL, the\nfolio could get freed concurrently. So grab a temporary reference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43832\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43832\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43832\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43832\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43832\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a1eb2f3fc453dcd52726d13e863938561489cb7\",\n \"https://git.kernel.org/stable/c/3f29f6537f54d74e64bac0a390fb2e26da25800d\",\n \"https://git.kernel.org/stable/c/8736604ef53359a718c246087cd21dcec232d2fb\",\n \"https://git.kernel.org/stable/c/b21aba72aadd94bdac275deab021fc84d6c72b16\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/uv: Don't call folio_wait_writeback() without a folio reference\\n\\nfolio_wait_writeback() requires that no spinlocks are held and that\\na folio reference is held, as documented. After we dropped the PTL, the\\nfolio could get freed concurrently. So grab a temporary reference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43832\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43834", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43834" + }, + { + "url": "https://git.kernel.org/stable/c/12144069209eec7f2090ce9afa15acdcc2c2a537" + }, + { + "url": "https://git.kernel.org/stable/c/3fc1be360b99baeea15cdee3cf94252cd3a72d26" + }, + { + "url": "https://git.kernel.org/stable/c/59a931c5b732ca5fc2ca727f5a72aeabaafa85ec" + }, + { + "url": "https://git.kernel.org/stable/c/6c390ef198aa69795427a5cb5fd7cb4bc7e6cd7a" + }, + { + "url": "https://git.kernel.org/stable/c/be9d08ff102df3ac4f66e826ea935cf3af63a4bd" + }, + { + "url": "https://git.kernel.org/stable/c/bf0ce5aa5f2525ed1b921ba36de96e458e77f482" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43834 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43834", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: fix invalid wait context of page_pool_destroy()\n\nIf the driver uses a page pool, it creates a page pool with\npage_pool_create().\nThe reference count of page pool is 1 as default.\nA page pool will be destroyed only when a reference count reaches 0.\npage_pool_destroy() is used to destroy page pool, it decreases a\nreference count.\nWhen a page pool is destroyed, ->disconnect() is called, which is\nmem_allocator_disconnect().\nThis function internally acquires mutex_lock().\n\nIf the driver uses XDP, it registers a memory model with\nxdp_rxq_info_reg_mem_model().\nThe xdp_rxq_info_reg_mem_model() internally increases a page pool\nreference count if a memory model is a page pool.\nNow the reference count is 2.\n\nTo destroy a page pool, the driver should call both page_pool_destroy()\nand xdp_unreg_mem_model().\nThe xdp_unreg_mem_model() internally calls page_pool_destroy().\nOnly page_pool_destroy() decreases a reference count.\n\nIf a driver calls page_pool_destroy() then xdp_unreg_mem_model(), we\nwill face an invalid wait context warning.\nBecause xdp_unreg_mem_model() calls page_pool_destroy() with\nrcu_read_lock().\nThe page_pool_destroy() internally acquires mutex_lock().\n\nSplat looks like:\n=============================\n[ BUG: Invalid wait context ]\n6.10.0-rc6+ #4 Tainted: G W\n-----------------------------\nethtool/1806 is trying to lock:\nffffffff90387b90 (mem_id_lock){+.+.}-{4:4}, at: mem_allocator_disconnect+0x73/0x150\nother info that might help us debug this:\ncontext-{5:5}\n3 locks held by ethtool/1806:\nstack backtrace:\nCPU: 0 PID: 1806 Comm: ethtool Tainted: G W 6.10.0-rc6+ #4 f916f41f172891c800f2fed\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nCall Trace:\n\ndump_stack_lvl+0x7e/0xc0\n__lock_acquire+0x1681/0x4de0\n? _printk+0x64/0xe0\n? __pfx_mark_lock.part.0+0x10/0x10\n? __pfx___lock_acquire+0x10/0x10\nlock_acquire+0x1b3/0x580\n? mem_allocator_disconnect+0x73/0x150\n? __wake_up_klogd.part.0+0x16/0xc0\n? __pfx_lock_acquire+0x10/0x10\n? dump_stack_lvl+0x91/0xc0\n__mutex_lock+0x15c/0x1690\n? mem_allocator_disconnect+0x73/0x150\n? __pfx_prb_read_valid+0x10/0x10\n? mem_allocator_disconnect+0x73/0x150\n? __pfx_llist_add_batch+0x10/0x10\n? console_unlock+0x193/0x1b0\n? lockdep_hardirqs_on+0xbe/0x140\n? __pfx___mutex_lock+0x10/0x10\n? tick_nohz_tick_stopped+0x16/0x90\n? __irq_work_queue_local+0x1e5/0x330\n? irq_work_queue+0x39/0x50\n? __wake_up_klogd.part.0+0x79/0xc0\n? mem_allocator_disconnect+0x73/0x150\nmem_allocator_disconnect+0x73/0x150\n? __pfx_mem_allocator_disconnect+0x10/0x10\n? mark_held_locks+0xa5/0xf0\n? rcu_is_watching+0x11/0xb0\npage_pool_release+0x36e/0x6d0\npage_pool_destroy+0xd7/0x440\nxdp_unreg_mem_model+0x1a7/0x2a0\n? __pfx_xdp_unreg_mem_model+0x10/0x10\n? kfree+0x125/0x370\n? bnxt_free_ring.isra.0+0x2eb/0x500\n? bnxt_free_mem+0x5ac/0x2500\nxdp_rxq_info_unreg+0x4a/0xd0\nbnxt_free_mem+0x1356/0x2500\nbnxt_close_nic+0xf0/0x3b0\n? __pfx_bnxt_close_nic+0x10/0x10\n? ethnl_parse_bit+0x2c6/0x6d0\n? __pfx___nla_validate_parse+0x10/0x10\n? __pfx_ethnl_parse_bit+0x10/0x10\nbnxt_set_features+0x2a8/0x3e0\n__netdev_update_features+0x4dc/0x1370\n? ethnl_parse_bitset+0x4ff/0x750\n? __pfx_ethnl_parse_bitset+0x10/0x10\n? __pfx___netdev_update_features+0x10/0x10\n? mark_held_locks+0xa5/0xf0\n? _raw_spin_unlock_irqrestore+0x42/0x70\n? __pm_runtime_resume+0x7d/0x110\nethnl_set_features+0x32d/0xa20\n\nTo fix this problem, it uses rhashtable_lookup_fast() instead of\nrhashtable_lookup() with rcu_read_lock().\nUsing xa without rcu_read_lock() here is safe.\nxa is freed by __xdp_mem_allocator_rcu_free() and this is called by\ncall_rcu() of mem_xa_remove().\nThe mem_xa_remove() is called by page_pool_destroy() if a reference\ncount reaches 0.\nThe xa is already protected by the reference count mechanism well in the\ncontrol plane.\nSo removing rcu_read_lock() for page_pool_destroy() is safe.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43834\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43834\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43834\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43834\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43834\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12144069209eec7f2090ce9afa15acdcc2c2a537\",\n \"https://git.kernel.org/stable/c/3fc1be360b99baeea15cdee3cf94252cd3a72d26\",\n \"https://git.kernel.org/stable/c/59a931c5b732ca5fc2ca727f5a72aeabaafa85ec\",\n \"https://git.kernel.org/stable/c/6c390ef198aa69795427a5cb5fd7cb4bc7e6cd7a\",\n \"https://git.kernel.org/stable/c/be9d08ff102df3ac4f66e826ea935cf3af63a4bd\",\n \"https://git.kernel.org/stable/c/bf0ce5aa5f2525ed1b921ba36de96e458e77f482\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxdp: fix invalid wait context of page_pool_destroy()\\n\\nIf the driver uses a page pool, it creates a page pool with\\npage_pool_create().\\nThe reference count of page pool is 1 as default.\\nA page pool will be destroyed only when a reference count reaches 0.\\npage_pool_destroy() is used to destroy page pool, it decreases a\\nreference count.\\nWhen a page pool is destroyed, ->disconnect() is called, which is\\nmem_allocator_disconnect().\\nThis function internally acquires mutex_lock().\\n\\nIf the driver uses XDP, it registers a memory model with\\nxdp_rxq_info_reg_mem_model().\\nThe xdp_rxq_info_reg_mem_model() internally increases a page pool\\nreference count if a memory model is a page pool.\\nNow the reference count is 2.\\n\\nTo destroy a page pool, the driver should call both page_pool_destroy()\\nand xdp_unreg_mem_model().\\nThe xdp_unreg_mem_model() internally calls page_pool_destroy().\\nOnly page_pool_destroy() decreases a reference count.\\n\\nIf a driver calls page_pool_destroy() then xdp_unreg_mem_model(), we\\nwill face an invalid wait context warning.\\nBecause xdp_unreg_mem_model() calls page_pool_destroy() with\\nrcu_read_lock().\\nThe page_pool_destroy() internally acquires mutex_lock().\\n\\nSplat looks like:\\n=============================\\n[ BUG: Invalid wait context ]\\n6.10.0-rc6+ #4 Tainted: G W\\n-----------------------------\\nethtool/1806 is trying to lock:\\nffffffff90387b90 (mem_id_lock){+.+.}-{4:4}, at: mem_allocator_disconnect+0x73/0x150\\nother info that might help us debug this:\\ncontext-{5:5}\\n3 locks held by ethtool/1806:\\nstack backtrace:\\nCPU: 0 PID: 1806 Comm: ethtool Tainted: G W 6.10.0-rc6+ #4 f916f41f172891c800f2fed\\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\\nCall Trace:\\n\\ndump_stack_lvl+0x7e/0xc0\\n__lock_acquire+0x1681/0x4de0\\n? _printk+0x64/0xe0\\n? __pfx_mark_lock.part.0+0x10/0x10\\n? __pfx___lock_acquire+0x10/0x10\\nlock_acquire+0x1b3/0x580\\n? mem_allocator_disconnect+0x73/0x150\\n? __wake_up_klogd.part.0+0x16/0xc0\\n? __pfx_lock_acquire+0x10/0x10\\n? dump_stack_lvl+0x91/0xc0\\n__mutex_lock+0x15c/0x1690\\n? mem_allocator_disconnect+0x73/0x150\\n? __pfx_prb_read_valid+0x10/0x10\\n? mem_allocator_disconnect+0x73/0x150\\n? __pfx_llist_add_batch+0x10/0x10\\n? console_unlock+0x193/0x1b0\\n? lockdep_hardirqs_on+0xbe/0x140\\n? __pfx___mutex_lock+0x10/0x10\\n? tick_nohz_tick_stopped+0x16/0x90\\n? __irq_work_queue_local+0x1e5/0x330\\n? irq_work_queue+0x39/0x50\\n? __wake_up_klogd.part.0+0x79/0xc0\\n? mem_allocator_disconnect+0x73/0x150\\nmem_allocator_disconnect+0x73/0x150\\n? __pfx_mem_allocator_disconnect+0x10/0x10\\n? mark_held_locks+0xa5/0xf0\\n? rcu_is_watching+0x11/0xb0\\npage_pool_release+0x36e/0x6d0\\npage_pool_destroy+0xd7/0x440\\nxdp_unreg_mem_model+0x1a7/0x2a0\\n? __pfx_xdp_unreg_mem_model+0x10/0x10\\n? kfree+0x125/0x370\\n? bnxt_free_ring.isra.0+0x2eb/0x500\\n? bnxt_free_mem+0x5ac/0x2500\\nxdp_rxq_info_unreg+0x4a/0xd0\\nbnxt_free_mem+0x1356/0x2500\\nbnxt_close_nic+0xf0/0x3b0\\n? __pfx_bnxt_close_nic+0x10/0x10\\n? ethnl_parse_bit+0x2c6/0x6d0\\n? __pfx___nla_validate_parse+0x10/0x10\\n? __pfx_ethnl_parse_bit+0x10/0x10\\nbnxt_set_features+0x2a8/0x3e0\\n__netdev_update_features+0x4dc/0x1370\\n? ethnl_parse_bitset+0x4ff/0x750\\n? __pfx_ethnl_parse_bitset+0x10/0x10\\n? __pfx___netdev_update_features+0x10/0x10\\n? mark_held_locks+0xa5/0xf0\\n? _raw_spin_unlock_irqrestore+0x42/0x70\\n? __pm_runtime_resume+0x7d/0x110\\nethnl_set_features+0x32d/0xa20\\n\\nTo fix this problem, it uses rhashtable_lookup_fast() instead of\\nrhashtable_lookup() with rcu_read_lock().\\nUsing xa without rcu_read_lock() here is safe.\\nxa is freed by __xdp_mem_allocator_rcu_free() and this is called by\\ncall_rcu() of mem_xa_remove().\\nThe mem_xa_remove() is called by page_pool_destroy() if a reference\\ncount reaches 0.\\nThe xa is already protected by the reference count mechanism well in the\\ncontrol plane.\\nSo removing rcu_read_lock() for page_pool_destroy() is safe.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43834\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43835", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43835" + }, + { + "url": "https://git.kernel.org/stable/c/468a729b78895893d0e580ceea49bed8ada2a2bd" + }, + { + "url": "https://git.kernel.org/stable/c/f8321fa75102246d7415a6af441872f6637c93ab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43835 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43835", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix napi_skb_cache_put warning\n\nAfter the commit bdacf3e34945 (\"net: Use nested-BH locking for\nnapi_alloc_cache.\") was merged, the following warning began to appear:\n\n\t WARNING: CPU: 5 PID: 1 at net/core/skbuff.c:1451 napi_skb_cache_put+0x82/0x4b0\n\n\t __warn+0x12f/0x340\n\t napi_skb_cache_put+0x82/0x4b0\n\t napi_skb_cache_put+0x82/0x4b0\n\t report_bug+0x165/0x370\n\t handle_bug+0x3d/0x80\n\t exc_invalid_op+0x1a/0x50\n\t asm_exc_invalid_op+0x1a/0x20\n\t __free_old_xmit+0x1c8/0x510\n\t napi_skb_cache_put+0x82/0x4b0\n\t __free_old_xmit+0x1c8/0x510\n\t __free_old_xmit+0x1c8/0x510\n\t __pfx___free_old_xmit+0x10/0x10\n\nThe issue arises because virtio is assuming it's running in NAPI context\neven when it's not, such as in the netpoll case.\n\nTo resolve this, modify virtnet_poll_tx() to only set NAPI when budget\nis available. Same for virtnet_poll_cleantx(), which always assumed that\nit was in a NAPI context.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43835\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43835\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43835\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43835\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43835\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/468a729b78895893d0e580ceea49bed8ada2a2bd\",\n \"https://git.kernel.org/stable/c/f8321fa75102246d7415a6af441872f6637c93ab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvirtio_net: Fix napi_skb_cache_put warning\\n\\nAfter the commit bdacf3e34945 (\\\"net: Use nested-BH locking for\\nnapi_alloc_cache.\\\") was merged, the following warning began to appear:\\n\\n\\t WARNING: CPU: 5 PID: 1 at net/core/skbuff.c:1451 napi_skb_cache_put+0x82/0x4b0\\n\\n\\t __warn+0x12f/0x340\\n\\t napi_skb_cache_put+0x82/0x4b0\\n\\t napi_skb_cache_put+0x82/0x4b0\\n\\t report_bug+0x165/0x370\\n\\t handle_bug+0x3d/0x80\\n\\t exc_invalid_op+0x1a/0x50\\n\\t asm_exc_invalid_op+0x1a/0x20\\n\\t __free_old_xmit+0x1c8/0x510\\n\\t napi_skb_cache_put+0x82/0x4b0\\n\\t __free_old_xmit+0x1c8/0x510\\n\\t __free_old_xmit+0x1c8/0x510\\n\\t __pfx___free_old_xmit+0x10/0x10\\n\\nThe issue arises because virtio is assuming it's running in NAPI context\\neven when it's not, such as in the netpoll case.\\n\\nTo resolve this, modify virtnet_poll_tx() to only set NAPI when budget\\nis available. Same for virtnet_poll_cleantx(), which always assumed that\\nit was in a NAPI context.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43835\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43839", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43839" + }, + { + "url": "https://git.kernel.org/stable/c/6ce46045f9b90d952602e2c0b8886cfadf860bf1" + }, + { + "url": "https://git.kernel.org/stable/c/6d20c4044ab4d0e6a99aa35853e66f0aed5589e3" + }, + { + "url": "https://git.kernel.org/stable/c/ab748dd10d8742561f2980fea08ffb4f0cacfdef" + }, + { + "url": "https://git.kernel.org/stable/c/b0ff0cd0847b03c0a0abe20cfa900eabcfcb9e43" + }, + { + "url": "https://git.kernel.org/stable/c/c90b1cd7758fd4839909e838ae195d19f8065d76" + }, + { + "url": "https://git.kernel.org/stable/c/c9741a03dc8e491e57b95fba0058ab46b7e506da" + }, + { + "url": "https://git.kernel.org/stable/c/e0f48f51d55fb187400e9787192eda09fa200ff5" + }, + { + "url": "https://git.kernel.org/stable/c/f121740f69eda4da2de9a20a6687a13593e72540" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43839 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43839", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbna: adjust 'name' buf size of bna_tcb and bna_ccb structures\n\nTo have enough space to write all possible sprintf() args. Currently\n'name' size is 16, but the first '%s' specifier may already need at\nleast 16 characters, since 'bnad->netdev->name' is used there.\n\nFor '%d' specifiers, assume that they require:\n * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8\n * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX\n is 16\n\nAnd replace sprintf with snprintf.\n\nDetected using the static analysis tool - Svace.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43839\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43839\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43839\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43839\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43839\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6ce46045f9b90d952602e2c0b8886cfadf860bf1\",\n \"https://git.kernel.org/stable/c/6d20c4044ab4d0e6a99aa35853e66f0aed5589e3\",\n \"https://git.kernel.org/stable/c/ab748dd10d8742561f2980fea08ffb4f0cacfdef\",\n \"https://git.kernel.org/stable/c/b0ff0cd0847b03c0a0abe20cfa900eabcfcb9e43\",\n \"https://git.kernel.org/stable/c/c90b1cd7758fd4839909e838ae195d19f8065d76\",\n \"https://git.kernel.org/stable/c/c9741a03dc8e491e57b95fba0058ab46b7e506da\",\n \"https://git.kernel.org/stable/c/e0f48f51d55fb187400e9787192eda09fa200ff5\",\n \"https://git.kernel.org/stable/c/f121740f69eda4da2de9a20a6687a13593e72540\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbna: adjust 'name' buf size of bna_tcb and bna_ccb structures\\n\\nTo have enough space to write all possible sprintf() args. Currently\\n'name' size is 16, but the first '%s' specifier may already need at\\nleast 16 characters, since 'bnad->netdev->name' is used there.\\n\\nFor '%d' specifiers, assume that they require:\\n * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8\\n * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX\\n is 16\\n\\nAnd replace sprintf with snprintf.\\n\\nDetected using the static analysis tool - Svace.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43839\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43841", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43841" + }, + { + "url": "https://git.kernel.org/stable/c/05c4488a0e446c6ccde9f22b573950665e1cd414" + }, + { + "url": "https://git.kernel.org/stable/c/36e92b5edc8e0daa18e9325674313802ce3fbc29" + }, + { + "url": "https://git.kernel.org/stable/c/416d3c1538df005195721a200b0371d39636e05d" + }, + { + "url": "https://git.kernel.org/stable/c/93e898a264b4e0a475552ba9f99a016eb43ef942" + }, + { + "url": "https://git.kernel.org/stable/c/994fc2164a03200c3bf42fb45b3d49d9d6d33a4d" + }, + { + "url": "https://git.kernel.org/stable/c/b5d14b0c6716fad7f0c94ac6e1d6f60a49f985c7" + }, + { + "url": "https://git.kernel.org/stable/c/d3cc85a10abc8eae48988336cdd3689ab92581b3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43841 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43841", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: virt_wifi: avoid reporting connection success with wrong SSID\n\nWhen user issues a connection with a different SSID than the one\nvirt_wifi has advertised, the __cfg80211_connect_result() will\ntrigger the warning: WARN_ON(bss_not_found).\n\nThe issue is because the connection code in virt_wifi does not\ncheck the SSID from user space (it only checks the BSSID), and\nvirt_wifi will call cfg80211_connect_result() with WLAN_STATUS_SUCCESS\neven if the SSID is different from the one virt_wifi has advertised.\nEventually cfg80211 won't be able to find the cfg80211_bss and generate\nthe warning.\n\nFixed it by checking the SSID (from user space) in the connection code.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43841\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43841\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43841\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43841\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43841\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05c4488a0e446c6ccde9f22b573950665e1cd414\",\n \"https://git.kernel.org/stable/c/36e92b5edc8e0daa18e9325674313802ce3fbc29\",\n \"https://git.kernel.org/stable/c/416d3c1538df005195721a200b0371d39636e05d\",\n \"https://git.kernel.org/stable/c/93e898a264b4e0a475552ba9f99a016eb43ef942\",\n \"https://git.kernel.org/stable/c/994fc2164a03200c3bf42fb45b3d49d9d6d33a4d\",\n \"https://git.kernel.org/stable/c/b5d14b0c6716fad7f0c94ac6e1d6f60a49f985c7\",\n \"https://git.kernel.org/stable/c/d3cc85a10abc8eae48988336cdd3689ab92581b3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: virt_wifi: avoid reporting connection success with wrong SSID\\n\\nWhen user issues a connection with a different SSID than the one\\nvirt_wifi has advertised, the __cfg80211_connect_result() will\\ntrigger the warning: WARN_ON(bss_not_found).\\n\\nThe issue is because the connection code in virt_wifi does not\\ncheck the SSID from user space (it only checks the BSSID), and\\nvirt_wifi will call cfg80211_connect_result() with WLAN_STATUS_SUCCESS\\neven if the SSID is different from the one virt_wifi has advertised.\\nEventually cfg80211 won't be able to find the cfg80211_bss and generate\\nthe warning.\\n\\nFixed it by checking the SSID (from user space) in the connection code.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43841\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43842", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43842" + }, + { + "url": "https://git.kernel.org/stable/c/7a0edc3d83aff3a48813d78c9cad9daf38decc74" + }, + { + "url": "https://git.kernel.org/stable/c/85099c7ce4f9e64c66aa397cd9a37473637ab891" + }, + { + "url": "https://git.kernel.org/stable/c/96ae4de5bc4c8ba39fd072369398f59495b73f58" + }, + { + "url": "https://git.kernel.org/stable/c/a2a095c08b95372d6d0c5819b77f071af5e75366" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43842 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43842", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()\n\nIn rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.\nBut then 'rate->he_gi' is used as array index instead of 'status->he_gi'.\nThis can lead to go beyond array boundaries in case of 'rate->he_gi' is\nnot equal to 'status->he_gi' and is bigger than array size. Looks like\n\"copy-paste\" mistake.\n\nFix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43842\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43842\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43842\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43842\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43842\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7a0edc3d83aff3a48813d78c9cad9daf38decc74\",\n \"https://git.kernel.org/stable/c/85099c7ce4f9e64c66aa397cd9a37473637ab891\",\n \"https://git.kernel.org/stable/c/96ae4de5bc4c8ba39fd072369398f59495b73f58\",\n \"https://git.kernel.org/stable/c/a2a095c08b95372d6d0c5819b77f071af5e75366\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()\\n\\nIn rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.\\nBut then 'rate->he_gi' is used as array index instead of 'status->he_gi'.\\nThis can lead to go beyond array boundaries in case of 'rate->he_gi' is\\nnot equal to 'status->he_gi' and is bigger than array size. Looks like\\n\\\"copy-paste\\\" mistake.\\n\\nFix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43842\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43844", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43844" + }, + { + "url": "https://git.kernel.org/stable/c/dda364c345913fe03ddbe4d5ae14a2754c100296" + }, + { + "url": "https://git.kernel.org/stable/c/ef0d9d2f0dc1133db3d3a1c5167190c6627146b2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43844 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43844", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: wow: fix GTK offload H2C skbuff issue\n\nWe mistakenly put skb too large and that may exceed skb->end.\nTherefore, we fix it.\n\nskbuff: skb_over_panic: text:ffffffffc09e9a9d len:416 put:204 head:ffff8fba04eca780 data:ffff8fba04eca7e0 tail:0x200 end:0x140 dev:\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:192!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 4747 Comm: kworker/u4:44 Tainted: G O 6.6.30-02659-gc18865c4dfbd #1 86547039b47e46935493f615ee31d0b2d711d35e\nHardware name: HP Meep/Meep, BIOS Google_Meep.11297.262.0 03/18/2021\nWorkqueue: events_unbound async_run_entry_fn\nRIP: 0010:skb_panic+0x5d/0x60\nCode: c6 63 8b 8f bb 4c 0f 45 f6 48 c7 c7 4d 89 8b bb 48 89 ce 44 89 d1 41 56 53 41 53 ff b0 c8 00 00 00 e8 27 5f 23 00 48 83 c4 20 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44\nRSP: 0018:ffffaa700144bad0 EFLAGS: 00010282\nRAX: 0000000000000089 RBX: 0000000000000140 RCX: 14432c5aad26c900\nRDX: 0000000000000000 RSI: 00000000ffffdfff RDI: 0000000000000001\nRBP: ffffaa700144bae0 R08: 0000000000000000 R09: ffffaa700144b920\nR10: 00000000ffffdfff R11: ffffffffbc28fbc0 R12: ffff8fba4e57a010\nR13: 0000000000000000 R14: ffffffffbb8f8b63 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8fba7bd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007999c4ad1000 CR3: 000000015503a000 CR4: 0000000000350ee0\nCall Trace:\n \n ? __die_body+0x1f/0x70\n ? die+0x3d/0x60\n ? do_trap+0xa4/0x110\n ? skb_panic+0x5d/0x60\n ? do_error_trap+0x6d/0x90\n ? skb_panic+0x5d/0x60\n ? handle_invalid_op+0x30/0x40\n ? skb_panic+0x5d/0x60\n ? exc_invalid_op+0x3c/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? skb_panic+0x5d/0x60\n skb_put+0x49/0x50\n rtw89_fw_h2c_wow_gtk_ofld+0xbd/0x220 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n rtw89_wow_resume+0x31f/0x540 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n rtw89_ops_resume+0x2b/0xa0 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n ieee80211_reconfig+0x84/0x13e0 [mac80211 818a894e3b77da6298269c59ed7cdff065a4ed52]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n ? dev_printk_emit+0x51/0x70\n ? _dev_info+0x6e/0x90\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n wiphy_resume+0x89/0x180 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n dpm_run_callback+0x3c/0x140\n device_resume+0x1f9/0x3c0\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x29/0xd0\n process_scheduled_works+0x1d8/0x3d0\n worker_thread+0x1fc/0x2f0\n kthread+0xed/0x110\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x38/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \nModules linked in: ccm 8021q r8153_ecm cdc_ether usbnet r8152 mii dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc uinput rfcomm cmac algif_hash rtw89_8922ae(O) algif_skcipher rtw89_8922a(O) af_alg rtw89_pci(O) rtw89_core(O) btusb(O) snd_soc_sst_bxt_da7219_max98357a btbcm(O) snd_soc_hdac_hdmi btintel(O) snd_soc_intel_hda_dsp_common snd_sof_probes btrtl(O) btmtk(O) snd_hda_codec_hdmi snd_soc_dmic uvcvideo videobuf2_vmalloc uvc videobuf2_memops videobuf2_v4l2 videobuf2_common snd_sof_pci_intel_apl snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_intel_hda soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_pci snd_sof_xtensa_dsp mac80211 snd_soc_acpi_intel_match snd_soc_acpi snd_sof snd_sof_utils soundwire_bus snd_soc_max98357a snd_soc_avs snd_soc_hda_codec snd_hda_ext_core snd_intel_dspcfg snd_intel_sdw_acpi snd_soc_da7219 snd_hda_codec snd_hwdep snd_hda_core veth ip6table_nat xt_MASQUERADE xt_cgroup fuse bluetooth ecdh_generic\n cfg80211 ecc\ngsmi: Log Shutdown \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43844\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43844\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43844\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43844\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43844\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/dda364c345913fe03ddbe4d5ae14a2754c100296\",\n \"https://git.kernel.org/stable/c/ef0d9d2f0dc1133db3d3a1c5167190c6627146b2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: rtw89: wow: fix GTK offload H2C skbuff issue\\n\\nWe mistakenly put skb too large and that may exceed skb->end.\\nTherefore, we fix it.\\n\\nskbuff: skb_over_panic: text:ffffffffc09e9a9d len:416 put:204 head:ffff8fba04eca780 data:ffff8fba04eca7e0 tail:0x200 end:0x140 dev:\\n------------[ cut here ]------------\\nkernel BUG at net/core/skbuff.c:192!\\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\\nCPU: 1 PID: 4747 Comm: kworker/u4:44 Tainted: G O 6.6.30-02659-gc18865c4dfbd #1 86547039b47e46935493f615ee31d0b2d711d35e\\nHardware name: HP Meep/Meep, BIOS Google_Meep.11297.262.0 03/18/2021\\nWorkqueue: events_unbound async_run_entry_fn\\nRIP: 0010:skb_panic+0x5d/0x60\\nCode: c6 63 8b 8f bb 4c 0f 45 f6 48 c7 c7 4d 89 8b bb 48 89 ce 44 89 d1 41 56 53 41 53 ff b0 c8 00 00 00 e8 27 5f 23 00 48 83 c4 20 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44\\nRSP: 0018:ffffaa700144bad0 EFLAGS: 00010282\\nRAX: 0000000000000089 RBX: 0000000000000140 RCX: 14432c5aad26c900\\nRDX: 0000000000000000 RSI: 00000000ffffdfff RDI: 0000000000000001\\nRBP: ffffaa700144bae0 R08: 0000000000000000 R09: ffffaa700144b920\\nR10: 00000000ffffdfff R11: ffffffffbc28fbc0 R12: ffff8fba4e57a010\\nR13: 0000000000000000 R14: ffffffffbb8f8b63 R15: 0000000000000000\\nFS: 0000000000000000(0000) GS:ffff8fba7bd00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007999c4ad1000 CR3: 000000015503a000 CR4: 0000000000350ee0\\nCall Trace:\\n \\n ? __die_body+0x1f/0x70\\n ? die+0x3d/0x60\\n ? do_trap+0xa4/0x110\\n ? skb_panic+0x5d/0x60\\n ? do_error_trap+0x6d/0x90\\n ? skb_panic+0x5d/0x60\\n ? handle_invalid_op+0x30/0x40\\n ? skb_panic+0x5d/0x60\\n ? exc_invalid_op+0x3c/0x50\\n ? asm_exc_invalid_op+0x16/0x20\\n ? skb_panic+0x5d/0x60\\n skb_put+0x49/0x50\\n rtw89_fw_h2c_wow_gtk_ofld+0xbd/0x220 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\\n rtw89_wow_resume+0x31f/0x540 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\\n rtw89_ops_resume+0x2b/0xa0 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\\n ieee80211_reconfig+0x84/0x13e0 [mac80211 818a894e3b77da6298269c59ed7cdff065a4ed52]\\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\\n ? dev_printk_emit+0x51/0x70\\n ? _dev_info+0x6e/0x90\\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\\n wiphy_resume+0x89/0x180 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\\n dpm_run_callback+0x3c/0x140\\n device_resume+0x1f9/0x3c0\\n ? __pfx_dpm_watchdog_handler+0x10/0x10\\n async_resume+0x1d/0x30\\n async_run_entry_fn+0x29/0xd0\\n process_scheduled_works+0x1d8/0x3d0\\n worker_thread+0x1fc/0x2f0\\n kthread+0xed/0x110\\n ? __pfx_worker_thread+0x10/0x10\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x38/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \\nModules linked in: ccm 8021q r8153_ecm cdc_ether usbnet r8152 mii dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc uinput rfcomm cmac algif_hash rtw89_8922ae(O) algif_skcipher rtw89_8922a(O) af_alg rtw89_pci(O) rtw89_core(O) btusb(O) snd_soc_sst_bxt_da7219_max98357a btbcm(O) snd_soc_hdac_hdmi btintel(O) snd_soc_intel_hda_dsp_common snd_sof_probes btrtl(O) btmtk(O) snd_hda_codec_hdmi snd_soc_dmic uvcvideo videobuf2_vmalloc uvc videobuf2_memops videobuf2_v4l2 videobuf2_common snd_sof_pci_intel_apl snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_intel_hda soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_pci snd_sof_xtensa_dsp mac80211 snd_soc_acpi_intel_match snd_soc_acpi snd_sof snd_sof_utils soundwire_bus snd_soc_max98357a snd_soc_avs snd_soc_hda_codec snd_hda_ext_core snd_intel_dspcfg snd_intel_sdw_acpi snd_soc_da7219 snd_hda_codec snd_hwdep snd_hda_core veth ip6table_nat xt_MASQUERADE xt_cgroup fuse bluetooth ecdh_generic\\n cfg80211 ecc\\ngsmi: Log Shutdown \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43844\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43846", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43846" + }, + { + "url": "https://git.kernel.org/stable/c/1936fa05a180834c3b52e0439a6bddc07814d3eb" + }, + { + "url": "https://git.kernel.org/stable/c/22ae17a267f4812861f0c644186c3421ff97dbfc" + }, + { + "url": "https://git.kernel.org/stable/c/499f742fed42e74f1321f4b12ca196a66a2b49fc" + }, + { + "url": "https://git.kernel.org/stable/c/565213e005557eb6cc4e42189d26eb300e02f170" + }, + { + "url": "https://git.kernel.org/stable/c/5adc61d29bbb461d7f7c2b48dceaa90ecd182eb7" + }, + { + "url": "https://git.kernel.org/stable/c/8161263362154cbebfbf4808097b956a6a8cb98a" + }, + { + "url": "https://git.kernel.org/stable/c/b4a3a89fffcdf09702b1f161b914e52abca1894d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43846 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43846", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib: objagg: Fix general protection fault\n\nThe library supports aggregation of objects into other objects only if\nthe parent object does not have a parent itself. That is, nesting is not\nsupported.\n\nAggregation happens in two cases: Without and with hints, where hints\nare a pre-computed recommendation on how to aggregate the provided\nobjects.\n\nNesting is not possible in the first case due to a check that prevents\nit, but in the second case there is no check because the assumption is\nthat nesting cannot happen when creating objects based on hints. The\nviolation of this assumption leads to various warnings and eventually to\na general protection fault [1].\n\nBefore fixing the root cause, error out when nesting happens and warn.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdead000000000d90: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 1083 Comm: kworker/1:9 Tainted: G W 6.9.0-rc6-custom-gd9b4f1cca7fb #7\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_erp_bf_insert+0x25/0x80\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_entry_add+0x256/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43846\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43846\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43846\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43846\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43846\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1936fa05a180834c3b52e0439a6bddc07814d3eb\",\n \"https://git.kernel.org/stable/c/22ae17a267f4812861f0c644186c3421ff97dbfc\",\n \"https://git.kernel.org/stable/c/499f742fed42e74f1321f4b12ca196a66a2b49fc\",\n \"https://git.kernel.org/stable/c/565213e005557eb6cc4e42189d26eb300e02f170\",\n \"https://git.kernel.org/stable/c/5adc61d29bbb461d7f7c2b48dceaa90ecd182eb7\",\n \"https://git.kernel.org/stable/c/8161263362154cbebfbf4808097b956a6a8cb98a\",\n \"https://git.kernel.org/stable/c/b4a3a89fffcdf09702b1f161b914e52abca1894d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlib: objagg: Fix general protection fault\\n\\nThe library supports aggregation of objects into other objects only if\\nthe parent object does not have a parent itself. That is, nesting is not\\nsupported.\\n\\nAggregation happens in two cases: Without and with hints, where hints\\nare a pre-computed recommendation on how to aggregate the provided\\nobjects.\\n\\nNesting is not possible in the first case due to a check that prevents\\nit, but in the second case there is no check because the assumption is\\nthat nesting cannot happen when creating objects based on hints. The\\nviolation of this assumption leads to various warnings and eventually to\\na general protection fault [1].\\n\\nBefore fixing the root cause, error out when nesting happens and warn.\\n\\n[1]\\ngeneral protection fault, probably for non-canonical address 0xdead000000000d90: 0000 [#1] PREEMPT SMP PTI\\nCPU: 1 PID: 1083 Comm: kworker/1:9 Tainted: G W 6.9.0-rc6-custom-gd9b4f1cca7fb #7\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:mlxsw_sp_acl_erp_bf_insert+0x25/0x80\\n[...]\\nCall Trace:\\n \\n mlxsw_sp_acl_atcam_entry_add+0x256/0x3c0\\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\\n process_one_work+0x151/0x370\\n worker_thread+0x2cb/0x3e0\\n kthread+0xd0/0x100\\n ret_from_fork+0x34/0x50\\n ret_from_fork_asm+0x1a/0x30\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43846\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43849", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43849" + }, + { + "url": "https://git.kernel.org/stable/c/107924c14e3ddd85119ca43c26a4ee1056fa9b84" + }, + { + "url": "https://git.kernel.org/stable/c/3e815626d73e05152a8142f6e44aecc4133e6e08" + }, + { + "url": "https://git.kernel.org/stable/c/475a77fb3f0e1d527f56c60b79f5879661df5b80" + }, + { + "url": "https://git.kernel.org/stable/c/8543269567e2fb3d976a8255c5e348aed14f98bc" + }, + { + "url": "https://git.kernel.org/stable/c/d0870c4847e77a49c2f91bb2a8e0fa3c1f8dea5c" + }, + { + "url": "https://git.kernel.org/stable/c/eab05737ee22216250fe20d27f5a596da5ea6eb7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43849 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43849", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pdr: protect locator_addr with the main mutex\n\nIf the service locator server is restarted fast enough, the PDR can\nrewrite locator_addr fields concurrently. Protect them by placing\nmodification of those fields under the main pdr->lock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43849\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43849\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43849\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43849\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43849\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/107924c14e3ddd85119ca43c26a4ee1056fa9b84\",\n \"https://git.kernel.org/stable/c/3e815626d73e05152a8142f6e44aecc4133e6e08\",\n \"https://git.kernel.org/stable/c/475a77fb3f0e1d527f56c60b79f5879661df5b80\",\n \"https://git.kernel.org/stable/c/8543269567e2fb3d976a8255c5e348aed14f98bc\",\n \"https://git.kernel.org/stable/c/d0870c4847e77a49c2f91bb2a8e0fa3c1f8dea5c\",\n \"https://git.kernel.org/stable/c/eab05737ee22216250fe20d27f5a596da5ea6eb7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: qcom: pdr: protect locator_addr with the main mutex\\n\\nIf the service locator server is restarted fast enough, the PDR can\\nrewrite locator_addr fields concurrently. Protect them by placing\\nmodification of those fields under the main pdr->lock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43849\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43853", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43853" + }, + { + "url": "https://git.kernel.org/stable/c/1be59c97c83ccd67a519d8a49486b3a8a73ca28a" + }, + { + "url": "https://git.kernel.org/stable/c/29a8d4e02fd4840028c38ceb1536cc8f82a257d4" + }, + { + "url": "https://git.kernel.org/stable/c/29ac1d238b3bf126af36037df80d7ecc4822341e" + }, + { + "url": "https://git.kernel.org/stable/c/96226fbed566f3f686f53a489a29846f2d538080" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43853 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43853", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/cpuset: Prevent UAF in proc_cpuset_show()\n\nAn UAF can happen when /proc/cpuset is read as reported in [1].\n\nThis can be reproduced by the following methods:\n1.add an mdelay(1000) before acquiring the cgroup_lock In the\n cgroup_path_ns function.\n2.$cat /proc//cpuset repeatly.\n3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/\n$umount /sys/fs/cgroup/cpuset/ repeatly.\n\nThe race that cause this bug can be shown as below:\n\n(umount)\t\t|\t(cat /proc//cpuset)\ncss_release\t\t|\tproc_cpuset_show\ncss_release_work_fn\t|\tcss = task_get_css(tsk, cpuset_cgrp_id);\ncss_free_rwork_fn\t|\tcgroup_path_ns(css->cgroup, ...);\ncgroup_destroy_root\t|\tmutex_lock(&cgroup_mutex);\nrebind_subsystems\t|\ncgroup_free_root \t|\n\t\t\t|\t// cgrp was freed, UAF\n\t\t\t|\tcgroup_path_ns_locked(cgrp,..);\n\nWhen the cpuset is initialized, the root node top_cpuset.css.cgrp\nwill point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will\nallocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated\n&cgroup_root.cgrp. When the umount operation is executed,\ntop_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.\n\nThe problem is that when rebinding to cgrp_dfl_root, there are cases\nwhere the cgroup_root allocated by setting up the root for cgroup v1\nis cached. This could lead to a Use-After-Free (UAF) if it is\nsubsequently freed. The descendant cgroups of cgroup v1 can only be\nfreed after the css is released. However, the css of the root will never\nbe released, yet the cgroup_root should be freed when it is unmounted.\nThis means that obtaining a reference to the css of the root does\nnot guarantee that css.cgrp->root will not be freed.\n\nFix this problem by using rcu_read_lock in proc_cpuset_show().\nAs cgroup_root is kfree_rcu after commit d23b5c577715\n(\"cgroup: Make operations on the cgroup root_list RCU safe\"),\ncss->cgroup won't be freed during the critical section.\nTo call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to\nreplace task_get_css with task_css.\n\n[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43853\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43853\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43853\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43853\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43853\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1be59c97c83ccd67a519d8a49486b3a8a73ca28a\",\n \"https://git.kernel.org/stable/c/29a8d4e02fd4840028c38ceb1536cc8f82a257d4\",\n \"https://git.kernel.org/stable/c/29ac1d238b3bf126af36037df80d7ecc4822341e\",\n \"https://git.kernel.org/stable/c/96226fbed566f3f686f53a489a29846f2d538080\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncgroup/cpuset: Prevent UAF in proc_cpuset_show()\\n\\nAn UAF can happen when /proc/cpuset is read as reported in [1].\\n\\nThis can be reproduced by the following methods:\\n1.add an mdelay(1000) before acquiring the cgroup_lock In the\\n cgroup_path_ns function.\\n2.$cat /proc//cpuset repeatly.\\n3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/\\n$umount /sys/fs/cgroup/cpuset/ repeatly.\\n\\nThe race that cause this bug can be shown as below:\\n\\n(umount)\\t\\t|\\t(cat /proc//cpuset)\\ncss_release\\t\\t|\\tproc_cpuset_show\\ncss_release_work_fn\\t|\\tcss = task_get_css(tsk, cpuset_cgrp_id);\\ncss_free_rwork_fn\\t|\\tcgroup_path_ns(css->cgroup, ...);\\ncgroup_destroy_root\\t|\\tmutex_lock(&cgroup_mutex);\\nrebind_subsystems\\t|\\ncgroup_free_root \\t|\\n\\t\\t\\t|\\t// cgrp was freed, UAF\\n\\t\\t\\t|\\tcgroup_path_ns_locked(cgrp,..);\\n\\nWhen the cpuset is initialized, the root node top_cpuset.css.cgrp\\nwill point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will\\nallocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated\\n&cgroup_root.cgrp. When the umount operation is executed,\\ntop_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.\\n\\nThe problem is that when rebinding to cgrp_dfl_root, there are cases\\nwhere the cgroup_root allocated by setting up the root for cgroup v1\\nis cached. This could lead to a Use-After-Free (UAF) if it is\\nsubsequently freed. The descendant cgroups of cgroup v1 can only be\\nfreed after the css is released. However, the css of the root will never\\nbe released, yet the cgroup_root should be freed when it is unmounted.\\nThis means that obtaining a reference to the css of the root does\\nnot guarantee that css.cgrp->root will not be freed.\\n\\nFix this problem by using rcu_read_lock in proc_cpuset_show().\\nAs cgroup_root is kfree_rcu after commit d23b5c577715\\n(\\\"cgroup: Make operations on the cgroup root_list RCU safe\\\"),\\ncss->cgroup won't be freed during the critical section.\\nTo call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to\\nreplace task_get_css with task_css.\\n\\n[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43853\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43854", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43854" + }, + { + "url": "https://git.kernel.org/stable/c/23a19655fb56f241e592041156dfb1c6d04da644" + }, + { + "url": "https://git.kernel.org/stable/c/899ee2c3829c5ac14bfc7d3c4a5846c0b709b78f" + }, + { + "url": "https://git.kernel.org/stable/c/cf6b45ea7a8df0f61bded1dc4a8561ac6ad143d2" + }, + { + "url": "https://git.kernel.org/stable/c/d418313bd8f55c079a7da12651951b489a638ac1" + }, + { + "url": "https://git.kernel.org/stable/c/ebc0e91ba76dc6544fff9f5b66408b1982806a00" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43854 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43854", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: initialize integrity buffer to zero before writing it to media\n\nMetadata added by bio_integrity_prep is using plain kmalloc, which leads\nto random kernel memory being written media. For PI metadata this is\nlimited to the app tag that isn't used by kernel generated metadata,\nbut for non-PI metadata the entire buffer leaks kernel memory.\n\nFix this by adding the __GFP_ZERO flag to allocations for writes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43854\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43854\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43854\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43854\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43854\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23a19655fb56f241e592041156dfb1c6d04da644\",\n \"https://git.kernel.org/stable/c/899ee2c3829c5ac14bfc7d3c4a5846c0b709b78f\",\n \"https://git.kernel.org/stable/c/cf6b45ea7a8df0f61bded1dc4a8561ac6ad143d2\",\n \"https://git.kernel.org/stable/c/d418313bd8f55c079a7da12651951b489a638ac1\",\n \"https://git.kernel.org/stable/c/ebc0e91ba76dc6544fff9f5b66408b1982806a00\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: initialize integrity buffer to zero before writing it to media\\n\\nMetadata added by bio_integrity_prep is using plain kmalloc, which leads\\nto random kernel memory being written media. For PI metadata this is\\nlimited to the app tag that isn't used by kernel generated metadata,\\nbut for non-PI metadata the entire buffer leaks kernel memory.\\n\\nFix this by adding the __GFP_ZERO flag to allocations for writes.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43854\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43856", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43856" + }, + { + "url": "https://git.kernel.org/stable/c/1fe97f68fce1ba24bf823bfb0eb0956003473130" + }, + { + "url": "https://git.kernel.org/stable/c/22094f5f52e7bc16c5bf9613365049383650b02e" + }, + { + "url": "https://git.kernel.org/stable/c/257193083e8f43907e99ea633820fc2b3bcd24c7" + }, + { + "url": "https://git.kernel.org/stable/c/28e8b7406d3a1f5329a03aa25a43aa28e087cb20" + }, + { + "url": "https://git.kernel.org/stable/c/2f7bbdc744f2e7051d1cb47c8e082162df1923c9" + }, + { + "url": "https://git.kernel.org/stable/c/87b34c8c94e29fa01d744e5147697f592998d954" + }, + { + "url": "https://git.kernel.org/stable/c/f993a4baf6b622232e4c190d34c220179e5d61eb" + }, + { + "url": "https://git.kernel.org/stable/c/fe2d246080f035e0af5793cb79067ba125e4fb63" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43856 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43856", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: fix call order in dmam_free_coherent\n\ndmam_free_coherent() frees a DMA allocation, which makes the\nfreed vaddr available for reuse, then calls devres_destroy()\nto remove and free the data structure used to track the DMA\nallocation. Between the two calls, it is possible for a\nconcurrent task to make an allocation with the same vaddr\nand add it to the devres list.\n\nIf this happens, there will be two entries in the devres list\nwith the same vaddr and devres_destroy() can free the wrong\nentry, triggering the WARN_ON() in dmam_match.\n\nFix by destroying the devres entry before freeing the DMA\nallocation.\n\n kokonut //net/encryption\n http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43856\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43856\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43856\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43856\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43856\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fe97f68fce1ba24bf823bfb0eb0956003473130\",\n \"https://git.kernel.org/stable/c/22094f5f52e7bc16c5bf9613365049383650b02e\",\n \"https://git.kernel.org/stable/c/257193083e8f43907e99ea633820fc2b3bcd24c7\",\n \"https://git.kernel.org/stable/c/28e8b7406d3a1f5329a03aa25a43aa28e087cb20\",\n \"https://git.kernel.org/stable/c/2f7bbdc744f2e7051d1cb47c8e082162df1923c9\",\n \"https://git.kernel.org/stable/c/87b34c8c94e29fa01d744e5147697f592998d954\",\n \"https://git.kernel.org/stable/c/f993a4baf6b622232e4c190d34c220179e5d61eb\",\n \"https://git.kernel.org/stable/c/fe2d246080f035e0af5793cb79067ba125e4fb63\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma: fix call order in dmam_free_coherent\\n\\ndmam_free_coherent() frees a DMA allocation, which makes the\\nfreed vaddr available for reuse, then calls devres_destroy()\\nto remove and free the data structure used to track the DMA\\nallocation. Between the two calls, it is possible for a\\nconcurrent task to make an allocation with the same vaddr\\nand add it to the devres list.\\n\\nIf this happens, there will be two entries in the devres list\\nwith the same vaddr and devres_destroy() can free the wrong\\nentry, triggering the WARN_ON() in dmam_match.\\n\\nFix by destroying the devres entry before freeing the DMA\\nallocation.\\n\\n kokonut //net/encryption\\n http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43856\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43858", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43858" + }, + { + "url": "https://git.kernel.org/stable/c/538a27c8048f081a5ddd286f886eb986fbbc7f80" + }, + { + "url": "https://git.kernel.org/stable/c/55b732c8b09b41148eaab2fa8e31b0af47671e00" + }, + { + "url": "https://git.kernel.org/stable/c/63f7fdf733add82f126ea00e2e48f6eba15ac4b9" + }, + { + "url": "https://git.kernel.org/stable/c/6aa6892a90a5a7fabffe5692ab9f06a7a46c6e42" + }, + { + "url": "https://git.kernel.org/stable/c/8d8f9a477de0d7962342eedf2a599215b7c63d28" + }, + { + "url": "https://git.kernel.org/stable/c/9b3a4345957f5372041bc4f59de322f62653e862" + }, + { + "url": "https://git.kernel.org/stable/c/f73f969b2eb39ad8056f6c7f3a295fa2f85e313a" + }, + { + "url": "https://git.kernel.org/stable/c/ff14eadc278663cac69d57d3ca7fb2f394e1f8a7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43858 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43858", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix array-index-out-of-bounds in diFree", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43858\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43858\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43858\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43858\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43858\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/538a27c8048f081a5ddd286f886eb986fbbc7f80\",\n \"https://git.kernel.org/stable/c/55b732c8b09b41148eaab2fa8e31b0af47671e00\",\n \"https://git.kernel.org/stable/c/63f7fdf733add82f126ea00e2e48f6eba15ac4b9\",\n \"https://git.kernel.org/stable/c/6aa6892a90a5a7fabffe5692ab9f06a7a46c6e42\",\n \"https://git.kernel.org/stable/c/8d8f9a477de0d7962342eedf2a599215b7c63d28\",\n \"https://git.kernel.org/stable/c/9b3a4345957f5372041bc4f59de322f62653e862\",\n \"https://git.kernel.org/stable/c/f73f969b2eb39ad8056f6c7f3a295fa2f85e313a\",\n \"https://git.kernel.org/stable/c/ff14eadc278663cac69d57d3ca7fb2f394e1f8a7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: Fix array-index-out-of-bounds in diFree\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43858\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43860", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43860" + }, + { + "url": "https://git.kernel.org/stable/c/2fa26ca8b786888673689ccc9da6094150939982" + }, + { + "url": "https://git.kernel.org/stable/c/4e13b7c23988c0a13fdca92e94296a3bc2ff9f21" + }, + { + "url": "https://git.kernel.org/stable/c/6884fd0283e0831be153fb8d82d9eda8a55acaaa" + }, + { + "url": "https://git.kernel.org/stable/c/6b50462b473fdccdc0dfad73001147e40ff19a66" + }, + { + "url": "https://git.kernel.org/stable/c/6c9ea3547fad252fe9ae5d3ed7e066e2085bf3a2" + }, + { + "url": "https://git.kernel.org/stable/c/84beb7738459cac0ff9f8a7c4654b8ff82a702c0" + }, + { + "url": "https://git.kernel.org/stable/c/9a17cf8b2ce483fa75258bc2cdcf628f24bcf5f8" + }, + { + "url": "https://git.kernel.org/stable/c/c877a5f5268d4ab8224b9c9fbce3d746e4e72bc9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43860 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43860", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_rproc: Skip over memory region when node value is NULL\n\nIn imx_rproc_addr_init() \"nph = of_count_phandle_with_args()\" just counts\nnumber of phandles. But phandles may be empty. So of_parse_phandle() in\nthe parsing loop (0 < a < nph) may return NULL which is later dereferenced.\nAdjust this issue by adding NULL-return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[Fixed title to fit within the prescribed 70-75 charcters]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43860\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43860\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43860\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43860\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43860\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2fa26ca8b786888673689ccc9da6094150939982\",\n \"https://git.kernel.org/stable/c/4e13b7c23988c0a13fdca92e94296a3bc2ff9f21\",\n \"https://git.kernel.org/stable/c/6884fd0283e0831be153fb8d82d9eda8a55acaaa\",\n \"https://git.kernel.org/stable/c/6b50462b473fdccdc0dfad73001147e40ff19a66\",\n \"https://git.kernel.org/stable/c/6c9ea3547fad252fe9ae5d3ed7e066e2085bf3a2\",\n \"https://git.kernel.org/stable/c/84beb7738459cac0ff9f8a7c4654b8ff82a702c0\",\n \"https://git.kernel.org/stable/c/9a17cf8b2ce483fa75258bc2cdcf628f24bcf5f8\",\n \"https://git.kernel.org/stable/c/c877a5f5268d4ab8224b9c9fbce3d746e4e72bc9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nremoteproc: imx_rproc: Skip over memory region when node value is NULL\\n\\nIn imx_rproc_addr_init() \\\"nph = of_count_phandle_with_args()\\\" just counts\\nnumber of phandles. But phandles may be empty. So of_parse_phandle() in\\nthe parsing loop (0 < a < nph) may return NULL which is later dereferenced.\\nAdjust this issue by adding NULL-return check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\\n\\n[Fixed title to fit within the prescribed 70-75 charcters]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43860\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43861", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43861" + }, + { + "url": "https://git.kernel.org/stable/c/37c093449704017870604994ba9b813cdb9475a4" + }, + { + "url": "https://git.kernel.org/stable/c/3c90a69533b5bba73401ef884d033ea49ee99662" + }, + { + "url": "https://git.kernel.org/stable/c/7ab107544b777c3bd7feb9fe447367d8edd5b202" + }, + { + "url": "https://git.kernel.org/stable/c/c4251a3deccad852b27e60625f31fba6cc14372f" + }, + { + "url": "https://git.kernel.org/stable/c/c6c5b91424fafc0f83852d961c10c7e43a001882" + }, + { + "url": "https://git.kernel.org/stable/c/da518cc9b64df391795d9952aed551e0f782e446" + }, + { + "url": "https://git.kernel.org/stable/c/e87f52225e04a7001bf55bbd7a330fa4252327b5" + }, + { + "url": "https://git.kernel.org/stable/c/f2c353227de14b0289298ffc3ba92058c4768384" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43861 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43861", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: qmi_wwan: fix memory leak for not ip packets\n\nFree the unused skb when not ip packets arrive.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43861\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43861\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43861\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43861\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43861\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/37c093449704017870604994ba9b813cdb9475a4\",\n \"https://git.kernel.org/stable/c/3c90a69533b5bba73401ef884d033ea49ee99662\",\n \"https://git.kernel.org/stable/c/7ab107544b777c3bd7feb9fe447367d8edd5b202\",\n \"https://git.kernel.org/stable/c/c4251a3deccad852b27e60625f31fba6cc14372f\",\n \"https://git.kernel.org/stable/c/c6c5b91424fafc0f83852d961c10c7e43a001882\",\n \"https://git.kernel.org/stable/c/da518cc9b64df391795d9952aed551e0f782e446\",\n \"https://git.kernel.org/stable/c/e87f52225e04a7001bf55bbd7a330fa4252327b5\",\n \"https://git.kernel.org/stable/c/f2c353227de14b0289298ffc3ba92058c4768384\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: usb: qmi_wwan: fix memory leak for not ip packets\\n\\nFree the unused skb when not ip packets arrive.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43861\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43863", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43863" + }, + { + "url": "https://git.kernel.org/stable/c/3b933b16c996af8adb6bc1b5748a63dfb41a82bc" + }, + { + "url": "https://git.kernel.org/stable/c/9e20d028d8d1deb1e7fed18f22ffc01669cf3237" + }, + { + "url": "https://git.kernel.org/stable/c/a8943969f9ead2fd3044fc826140a21622ef830e" + }, + { + "url": "https://git.kernel.org/stable/c/c98ab18b9f315ff977c2c65d7c71298ef98be8e3" + }, + { + "url": "https://git.kernel.org/stable/c/e58337100721f3cc0c7424a18730e4f39844934f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43863 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43863", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a deadlock in dma buf fence polling\n\nIntroduce a version of the fence ops that on release doesn't remove\nthe fence from the pending list, and thus doesn't require a lock to\nfix poll->fence wait->fence unref deadlocks.\n\nvmwgfx overwrites the wait callback to iterate over the list of all\nfences and update their status, to do that it holds a lock to prevent\nthe list modifcations from other threads. The fence destroy callback\nboth deletes the fence and removes it from the list of pending\nfences, for which it holds a lock.\n\ndma buf polling cb unrefs a fence after it's been signaled: so the poll\ncalls the wait, which signals the fences, which are being destroyed.\nThe destruction tries to acquire the lock on the pending fences list\nwhich it can never get because it's held by the wait from which it\nwas called.\n\nOld bug, but not a lot of userspace apps were using dma-buf polling\ninterfaces. Fix those, in particular this fixes KDE stalls/deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43863\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43863\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43863\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43863\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43863\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b933b16c996af8adb6bc1b5748a63dfb41a82bc\",\n \"https://git.kernel.org/stable/c/9e20d028d8d1deb1e7fed18f22ffc01669cf3237\",\n \"https://git.kernel.org/stable/c/a8943969f9ead2fd3044fc826140a21622ef830e\",\n \"https://git.kernel.org/stable/c/c98ab18b9f315ff977c2c65d7c71298ef98be8e3\",\n \"https://git.kernel.org/stable/c/e58337100721f3cc0c7424a18730e4f39844934f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vmwgfx: Fix a deadlock in dma buf fence polling\\n\\nIntroduce a version of the fence ops that on release doesn't remove\\nthe fence from the pending list, and thus doesn't require a lock to\\nfix poll->fence wait->fence unref deadlocks.\\n\\nvmwgfx overwrites the wait callback to iterate over the list of all\\nfences and update their status, to do that it holds a lock to prevent\\nthe list modifcations from other threads. The fence destroy callback\\nboth deletes the fence and removes it from the list of pending\\nfences, for which it holds a lock.\\n\\ndma buf polling cb unrefs a fence after it's been signaled: so the poll\\ncalls the wait, which signals the fences, which are being destroyed.\\nThe destruction tries to acquire the lock on the pending fences list\\nwhich it can never get because it's held by the wait from which it\\nwas called.\\n\\nOld bug, but not a lot of userspace apps were using dma-buf polling\\ninterfaces. Fix those, in particular this fixes KDE stalls/deadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43863\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43866", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43866" + }, + { + "url": "https://git.kernel.org/stable/c/1b75da22ed1e6171e261bc9265370162553d5393" + }, + { + "url": "https://git.kernel.org/stable/c/6048dec754554a1303d632be6042d3feb3295285" + }, + { + "url": "https://git.kernel.org/stable/c/6b6c2ebd83f2bf97e8f221479372aaca97a4a9b2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43866 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43866", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always drain health in shutdown callback\n\nThere is no point in recovery during device shutdown. if health\nwork started need to wait for it to avoid races and NULL pointer\naccess.\n\nHence, drain health WQ on shutdown callback.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43866\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43866\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43866\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43866\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43866\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b75da22ed1e6171e261bc9265370162553d5393\",\n \"https://git.kernel.org/stable/c/6048dec754554a1303d632be6042d3feb3295285\",\n \"https://git.kernel.org/stable/c/6b6c2ebd83f2bf97e8f221479372aaca97a4a9b2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Always drain health in shutdown callback\\n\\nThere is no point in recovery during device shutdown. if health\\nwork started need to wait for it to avoid races and NULL pointer\\naccess.\\n\\nHence, drain health WQ on shutdown callback.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43866\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43867", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43867" + }, + { + "url": "https://git.kernel.org/stable/c/16998763c62bb465ebc409d0373b9cdcef1a61a6" + }, + { + "url": "https://git.kernel.org/stable/c/2a1b327d57a8ac080977633a18999f032d7e9e3f" + }, + { + "url": "https://git.kernel.org/stable/c/3bcb8bba72ce89667fa863054956267c450c47ef" + }, + { + "url": "https://git.kernel.org/stable/c/906372e753c5027a1dc88743843b6aa2ad1aaecf" + }, + { + "url": "https://git.kernel.org/stable/c/a9bf3efc33f1fbf88787a277f7349459283c9b95" + }, + { + "url": "https://git.kernel.org/stable/c/ebebba4d357b6c67f96776a48ddbaf0060fa4c10" + }, + { + "url": "https://git.kernel.org/stable/c/f23cd66933fe76b84d8e282e5606b4d99068c320" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43867 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43867", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: prime: fix refcount underflow\n\nCalling nouveau_bo_ref() on a nouveau_bo without initializing it (and\nhence the backing ttm_bo) leads to a refcount underflow.\n\nInstead of calling nouveau_bo_ref() in the unwind path of\ndrm_gem_object_init(), clean things up manually.\n\n(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43867\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43867\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43867\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43867\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43867\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16998763c62bb465ebc409d0373b9cdcef1a61a6\",\n \"https://git.kernel.org/stable/c/2a1b327d57a8ac080977633a18999f032d7e9e3f\",\n \"https://git.kernel.org/stable/c/3bcb8bba72ce89667fa863054956267c450c47ef\",\n \"https://git.kernel.org/stable/c/906372e753c5027a1dc88743843b6aa2ad1aaecf\",\n \"https://git.kernel.org/stable/c/a9bf3efc33f1fbf88787a277f7349459283c9b95\",\n \"https://git.kernel.org/stable/c/ebebba4d357b6c67f96776a48ddbaf0060fa4c10\",\n \"https://git.kernel.org/stable/c/f23cd66933fe76b84d8e282e5606b4d99068c320\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/nouveau: prime: fix refcount underflow\\n\\nCalling nouveau_bo_ref() on a nouveau_bo without initializing it (and\\nhence the backing ttm_bo) leads to a refcount underflow.\\n\\nInstead of calling nouveau_bo_ref() in the unwind path of\\ndrm_gem_object_init(), clean things up manually.\\n\\n(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43867\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43869", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43869" + }, + { + "url": "https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4" + }, + { + "url": "https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840" + }, + { + "url": "https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0" + }, + { + "url": "https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99" + }, + { + "url": "https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43869 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43869", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn't even require a weak IRQ work\nimplementation to trigger:\n\nschedule()\n prepare_task_switch()\n=======> \n perf_event_overflow()\n event->pending_sigtrap = ...\n irq_work_queue(&event->pending_irq)\n<======= \n perf_event_task_sched_out()\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n task_work_add(&event->pending_task)\n finish_lock_switch()\n=======> \n perf_pending_irq()\n //do nothing, rely on pending task work\n<======= \n\nbegin_new_exec()\n perf_event_exit_task()\n perf_event_exit_event()\n // If is child event\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // event is leaked\n\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\n\nFix this with synchonizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever beeing\nfreed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43869\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43869\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43869\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43869\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43869\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4\",\n \"https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840\",\n \"https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0\",\n \"https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99\",\n \"https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf: Fix event leak upon exec and file release\\n\\nThe perf pending task work is never waited upon the matching event\\nrelease. In the case of a child event, released via free_event()\\ndirectly, this can potentially result in a leaked event, such as in the\\nfollowing scenario that doesn't even require a weak IRQ work\\nimplementation to trigger:\\n\\nschedule()\\n prepare_task_switch()\\n=======> \\n perf_event_overflow()\\n event->pending_sigtrap = ...\\n irq_work_queue(&event->pending_irq)\\n<======= \\n perf_event_task_sched_out()\\n event_sched_out()\\n event->pending_sigtrap = 0;\\n atomic_long_inc_not_zero(&event->refcount)\\n task_work_add(&event->pending_task)\\n finish_lock_switch()\\n=======> \\n perf_pending_irq()\\n //do nothing, rely on pending task work\\n<======= \\n\\nbegin_new_exec()\\n perf_event_exit_task()\\n perf_event_exit_event()\\n // If is child event\\n free_event()\\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\\n // event is leaked\\n\\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\\nsimply against concurrent perf_event_release().\\n\\nFix this with synchonizing against the possibly remaining pending task\\nwork while freeing the event, just like is done with remaining pending\\nIRQ work. This means that the pending task callback neither need nor\\nshould hold a reference to the event, preventing it from ever beeing\\nfreed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43869\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43870", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43870" + }, + { + "url": "https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51" + }, + { + "url": "https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b" + }, + { + "url": "https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a" + }, + { + "url": "https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7" + }, + { + "url": "https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43870 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43870", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exit\n\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\nto the target task upon resume to userspace via task_work.\n\nHowever failures while adding an event's callback to the task_work\nengine are ignored. And since the last call for events exit happen\nafter task work is eventually closed, there is a small window during\nwhich pending sigtrap can be queued though ignored, leaking the event\nrefcount addition such as in the following scenario:\n\n TASK A\n -----\n\n do_exit()\n exit_task_work(tsk);\n\n \n perf_event_overflow()\n event->pending_sigtrap = pending_id;\n irq_work_queue(&event->pending_irq);\n \n =========> PREEMPTION: TASK A -> TASK B\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n // FAILS: task work has exited\n task_work_add(&event->pending_task)\n [...]\n \n perf_pending_irq()\n // early return: event->oncpu = -1\n \n [...]\n =========> TASK B -> TASK A\n perf_event_exit_task(tsk)\n perf_event_exit_event()\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // leak event due to unexpected refcount == 2\n\nAs a result the event is never released while the task exits.\n\nFix this with appropriate task_work_add()'s error handling.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43870\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43870\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43870\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43870\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43870\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51\",\n \"https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b\",\n \"https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a\",\n \"https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7\",\n \"https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf: Fix event leak upon exit\\n\\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\\nto the target task upon resume to userspace via task_work.\\n\\nHowever failures while adding an event's callback to the task_work\\nengine are ignored. And since the last call for events exit happen\\nafter task work is eventually closed, there is a small window during\\nwhich pending sigtrap can be queued though ignored, leaking the event\\nrefcount addition such as in the following scenario:\\n\\n TASK A\\n -----\\n\\n do_exit()\\n exit_task_work(tsk);\\n\\n \\n perf_event_overflow()\\n event->pending_sigtrap = pending_id;\\n irq_work_queue(&event->pending_irq);\\n \\n =========> PREEMPTION: TASK A -> TASK B\\n event_sched_out()\\n event->pending_sigtrap = 0;\\n atomic_long_inc_not_zero(&event->refcount)\\n // FAILS: task work has exited\\n task_work_add(&event->pending_task)\\n [...]\\n \\n perf_pending_irq()\\n // early return: event->oncpu = -1\\n \\n [...]\\n =========> TASK B -> TASK A\\n perf_event_exit_task(tsk)\\n perf_event_exit_event()\\n free_event()\\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\\n // leak event due to unexpected refcount == 2\\n\\nAs a result the event is never released while the task exits.\\n\\nFix this with appropriate task_work_add()'s error handling.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43870\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43871", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43871" + }, + { + "url": "https://git.kernel.org/stable/c/3047f99caec240a88ccd06197af2868da1af6a96" + }, + { + "url": "https://git.kernel.org/stable/c/3dcd0673e47664bc6c719ad47dadac6d55d5950d" + }, + { + "url": "https://git.kernel.org/stable/c/700e8abd65b10792b2f179ce4e858f2ca2880f85" + }, + { + "url": "https://git.kernel.org/stable/c/95065edb8ebb27771d5f1e898eef6ab43dc6c87c" + }, + { + "url": "https://git.kernel.org/stable/c/b044588a16a978cd891cb3d665dd7ae06850d5bf" + }, + { + "url": "https://git.kernel.org/stable/c/b67552d7c61f52f1271031adfa7834545ae99701" + }, + { + "url": "https://git.kernel.org/stable/c/bd50a974097bb82d52a458bd3ee39fb723129a0c" + }, + { + "url": "https://git.kernel.org/stable/c/ef56dcdca8f2a53abc3a83d388b8336447533d85" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43871 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43871", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevres: Fix memory leakage caused by driver API devm_free_percpu()\n\nIt will cause memory leakage when use driver API devm_free_percpu()\nto free memory allocated by devm_alloc_percpu(), fixed by using\ndevres_release() instead of devres_destroy() within devm_free_percpu().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43871\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43871\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43871\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43871\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43871\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3047f99caec240a88ccd06197af2868da1af6a96\",\n \"https://git.kernel.org/stable/c/3dcd0673e47664bc6c719ad47dadac6d55d5950d\",\n \"https://git.kernel.org/stable/c/700e8abd65b10792b2f179ce4e858f2ca2880f85\",\n \"https://git.kernel.org/stable/c/95065edb8ebb27771d5f1e898eef6ab43dc6c87c\",\n \"https://git.kernel.org/stable/c/b044588a16a978cd891cb3d665dd7ae06850d5bf\",\n \"https://git.kernel.org/stable/c/b67552d7c61f52f1271031adfa7834545ae99701\",\n \"https://git.kernel.org/stable/c/bd50a974097bb82d52a458bd3ee39fb723129a0c\",\n \"https://git.kernel.org/stable/c/ef56dcdca8f2a53abc3a83d388b8336447533d85\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndevres: Fix memory leakage caused by driver API devm_free_percpu()\\n\\nIt will cause memory leakage when use driver API devm_free_percpu()\\nto free memory allocated by devm_alloc_percpu(), fixed by using\\ndevres_release() instead of devres_destroy() within devm_free_percpu().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43871\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43872", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43872" + }, + { + "url": "https://git.kernel.org/stable/c/06580b33c183c9f98e2a2ca96a86137179032c08" + }, + { + "url": "https://git.kernel.org/stable/c/2fdf34038369c0a27811e7b4680662a14ada1d6b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43872 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43872", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix soft lockup under heavy CEQE load\n\nCEQEs are handled in interrupt handler currently. This may cause the\nCPU core staying in interrupt context too long and lead to soft lockup\nunder heavy load.\n\nHandle CEQEs in BH workqueue and set an upper limit for the number of\nCEQE handled by a single call of work handler.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43872\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43872\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43872\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43872\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43872\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06580b33c183c9f98e2a2ca96a86137179032c08\",\n \"https://git.kernel.org/stable/c/2fdf34038369c0a27811e7b4680662a14ada1d6b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/hns: Fix soft lockup under heavy CEQE load\\n\\nCEQEs are handled in interrupt handler currently. This may cause the\\nCPU core staying in interrupt context too long and lead to soft lockup\\nunder heavy load.\\n\\nHandle CEQEs in BH workqueue and set an upper limit for the number of\\nCEQE handled by a single call of work handler.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43872\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43873", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43873" + }, + { + "url": "https://git.kernel.org/stable/c/1e1fdcbdde3b7663e5d8faeb2245b9b151417d22" + }, + { + "url": "https://git.kernel.org/stable/c/3062cb100787a9ddf45de30004b962035cd497fb" + }, + { + "url": "https://git.kernel.org/stable/c/30bd4593669443ac58515e23557dc8cef70d8582" + }, + { + "url": "https://git.kernel.org/stable/c/ea558f10fb05a6503c6e655a1b7d81fdf8e5924c" + }, + { + "url": "https://git.kernel.org/stable/c/eab96e8716cbfc2834b54f71cc9501ad4eec963b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43873 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43873", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost/vsock: always initialize seqpacket_allow\n\nThere are two issues around seqpacket_allow:\n1. seqpacket_allow is not initialized when socket is\n created. Thus if features are never set, it will be\n read uninitialized.\n2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,\n then seqpacket_allow will not be cleared appropriately\n (existing apps I know about don't usually do this but\n it's legal and there's no way to be sure no one relies\n on this).\n\nTo fix:\n\t- initialize seqpacket_allow after allocation\n\t- set it unconditionally in set_features", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43873\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43873\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43873\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43873\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43873\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e1fdcbdde3b7663e5d8faeb2245b9b151417d22\",\n \"https://git.kernel.org/stable/c/3062cb100787a9ddf45de30004b962035cd497fb\",\n \"https://git.kernel.org/stable/c/30bd4593669443ac58515e23557dc8cef70d8582\",\n \"https://git.kernel.org/stable/c/ea558f10fb05a6503c6e655a1b7d81fdf8e5924c\",\n \"https://git.kernel.org/stable/c/eab96e8716cbfc2834b54f71cc9501ad4eec963b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvhost/vsock: always initialize seqpacket_allow\\n\\nThere are two issues around seqpacket_allow:\\n1. seqpacket_allow is not initialized when socket is\\n created. Thus if features are never set, it will be\\n read uninitialized.\\n2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,\\n then seqpacket_allow will not be cleared appropriately\\n (existing apps I know about don't usually do this but\\n it's legal and there's no way to be sure no one relies\\n on this).\\n\\nTo fix:\\n\\t- initialize seqpacket_allow after allocation\\n\\t- set it unconditionally in set_features\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43873\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43875", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43875" + }, + { + "url": "https://git.kernel.org/stable/c/0e27e2e8697b8ce96cdef43f135426525d9d1f8f" + }, + { + "url": "https://git.kernel.org/stable/c/24414c842a24d0fd498f9db6d2a762a8dddf1832" + }, + { + "url": "https://git.kernel.org/stable/c/7d368de78b60088ec9031c60c88976c0063ea4c0" + }, + { + "url": "https://git.kernel.org/stable/c/8e0f5a96c534f781e8c57ca30459448b3bfe5429" + }, + { + "url": "https://git.kernel.org/stable/c/b9e8695246bcfc028341470cbf92630cdc1ba36b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43875 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43875", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Clean up error handling in vpci_scan_bus()\n\nSmatch complains about inconsistent NULL checking in vpci_scan_bus():\n\n drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021)\n\nInstead of printing an error message and then crashing we should return\nan error code and clean up.\n\nAlso the NULL check is reversed so it prints an error for success\ninstead of failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43875\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43875\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43875\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43875\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43875\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e27e2e8697b8ce96cdef43f135426525d9d1f8f\",\n \"https://git.kernel.org/stable/c/24414c842a24d0fd498f9db6d2a762a8dddf1832\",\n \"https://git.kernel.org/stable/c/7d368de78b60088ec9031c60c88976c0063ea4c0\",\n \"https://git.kernel.org/stable/c/8e0f5a96c534f781e8c57ca30459448b3bfe5429\",\n \"https://git.kernel.org/stable/c/b9e8695246bcfc028341470cbf92630cdc1ba36b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI: endpoint: Clean up error handling in vpci_scan_bus()\\n\\nSmatch complains about inconsistent NULL checking in vpci_scan_bus():\\n\\n drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021)\\n\\nInstead of printing an error message and then crashing we should return\\nan error code and clean up.\\n\\nAlso the NULL check is reversed so it prints an error for success\\ninstead of failure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43875\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43879", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43879" + }, + { + "url": "https://git.kernel.org/stable/c/16ad67e73309db0c20cc2a651992bd01c05e6b27" + }, + { + "url": "https://git.kernel.org/stable/c/19eaf4f2f5a981f55a265242ada2bf92b0c742dd" + }, + { + "url": "https://git.kernel.org/stable/c/2e201b3d162c6c49417c438ffb30b58c9f85769f" + }, + { + "url": "https://git.kernel.org/stable/c/45d20a1c54be4f3173862c7b950d4468447814c9" + }, + { + "url": "https://git.kernel.org/stable/c/576c64622649f3ec07e97bac8fec8b8a2ef4d086" + }, + { + "url": "https://git.kernel.org/stable/c/67b5f1054197e4f5553047759c15c1d67d4c8142" + }, + { + "url": "https://git.kernel.org/stable/c/b289ebb0516526cb4abae081b7ec29fd4fa1209d" + }, + { + "url": "https://git.kernel.org/stable/c/bcbd771cd5d68c0c52567556097d75f9fc4e7cd6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43879 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43879", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()\n\nCurrently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in\ncfg80211_calculate_bitrate_he(), leading to below warning:\n\nkernel: invalid HE MCS: bw:6, ru:6\nkernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211]\n\nFix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43879\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43879\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43879\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43879\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43879\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16ad67e73309db0c20cc2a651992bd01c05e6b27\",\n \"https://git.kernel.org/stable/c/19eaf4f2f5a981f55a265242ada2bf92b0c742dd\",\n \"https://git.kernel.org/stable/c/2e201b3d162c6c49417c438ffb30b58c9f85769f\",\n \"https://git.kernel.org/stable/c/45d20a1c54be4f3173862c7b950d4468447814c9\",\n \"https://git.kernel.org/stable/c/576c64622649f3ec07e97bac8fec8b8a2ef4d086\",\n \"https://git.kernel.org/stable/c/67b5f1054197e4f5553047759c15c1d67d4c8142\",\n \"https://git.kernel.org/stable/c/b289ebb0516526cb4abae081b7ec29fd4fa1209d\",\n \"https://git.kernel.org/stable/c/bcbd771cd5d68c0c52567556097d75f9fc4e7cd6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()\\n\\nCurrently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in\\ncfg80211_calculate_bitrate_he(), leading to below warning:\\n\\nkernel: invalid HE MCS: bw:6, ru:6\\nkernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211]\\n\\nFix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43879\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43880", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43880" + }, + { + "url": "https://git.kernel.org/stable/c/0e59c2d22853266704e127915653598f7f104037" + }, + { + "url": "https://git.kernel.org/stable/c/25c6fd9648ad05da493a5d30881896a78a08b624" + }, + { + "url": "https://git.kernel.org/stable/c/36a9996e020dd5aa325e0ecc55eb2328288ea6bb" + }, + { + "url": "https://git.kernel.org/stable/c/4dc09f6f260db3c4565a4ec52ba369393598f2fb" + }, + { + "url": "https://git.kernel.org/stable/c/97d833ceb27dc19f8777d63f90be4a27b5daeedf" + }, + { + "url": "https://git.kernel.org/stable/c/9a5261a984bba4f583d966c550fa72c33ff3714e" + }, + { + "url": "https://git.kernel.org/stable/c/fb5d4fc578e655d113f09565f6f047e15f7ab578" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43880 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43880", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_erp: Fix object nesting warning\n\nACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM\n(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can\ncontain more ACLs (i.e., tc filters), but the number of masks in each\nregion (i.e., tc chain) is limited.\n\nIn order to mitigate the effects of the above limitation, the device\nallows filters to share a single mask if their masks only differ in up\nto 8 consecutive bits. For example, dst_ip/25 can be represented using\ndst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the\nnumber of masks being used (and therefore does not support mask\naggregation), but can contain a limited number of filters.\n\nThe driver uses the \"objagg\" library to perform the mask aggregation by\npassing it objects that consist of the filter's mask and whether the\nfilter is to be inserted into the A-TCAM or the C-TCAM since filters in\ndifferent TCAMs cannot share a mask.\n\nThe set of created objects is dependent on the insertion order of the\nfilters and is not necessarily optimal. Therefore, the driver will\nperiodically ask the library to compute a more optimal set (\"hints\") by\nlooking at all the existing objects.\n\nWhen the library asks the driver whether two objects can be aggregated\nthe driver only compares the provided masks and ignores the A-TCAM /\nC-TCAM indication. This is the right thing to do since the goal is to\nmove as many filters as possible to the A-TCAM. The driver also forbids\ntwo identical masks from being aggregated since this can only happen if\none was intentionally put in the C-TCAM to avoid a conflict in the\nA-TCAM.\n\nThe above can result in the following set of hints:\n\nH1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta\nH3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta\n\nAfter getting the hints from the library the driver will start migrating\nfilters from one region to another while consulting the computed hints\nand instructing the device to perform a lookup in both regions during\nthe transition.\n\nAssuming a filter with mask X is being migrated into the A-TCAM in the\nnew region, the hints lookup will return H1. Since H2 is the parent of\nH1, the library will try to find the object associated with it and\ncreate it if necessary in which case another hints lookup (recursive)\nwill be performed. This hints lookup for {mask Y, A-TCAM} will either\nreturn H2 or H3 since the driver passes the library an object comparison\nfunction that ignores the A-TCAM / C-TCAM indication.\n\nThis can eventually lead to nested objects which are not supported by\nthe library [1].\n\nFix by removing the object comparison function from both the driver and\nthe library as the driver was the only user. That way the lookup will\nonly return exact matches.\n\nI do not have a reliable reproducer that can reproduce the issue in a\ntimely manner, but before the fix the issue would reproduce in several\nminutes and with the fix it does not reproduce in over an hour.\n\nNote that the current usefulness of the hints is limited because they\ninclude the C-TCAM indication and represent aggregation that cannot\nactually happen. This will be addressed in net-next.\n\n[1]\nWARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0\nModules linked in:\nCPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42\nHardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:objagg_obj_parent_assign+0xb5/0xd0\n[...]\nCall Trace:\n \n __objagg_obj_get+0x2bb/0x580\n objagg_obj_get+0xe/0x80\n mlxsw_sp_acl_erp_mask_get+0xb5/0xf0\n mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43880\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43880\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43880\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43880\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43880\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e59c2d22853266704e127915653598f7f104037\",\n \"https://git.kernel.org/stable/c/25c6fd9648ad05da493a5d30881896a78a08b624\",\n \"https://git.kernel.org/stable/c/36a9996e020dd5aa325e0ecc55eb2328288ea6bb\",\n \"https://git.kernel.org/stable/c/4dc09f6f260db3c4565a4ec52ba369393598f2fb\",\n \"https://git.kernel.org/stable/c/97d833ceb27dc19f8777d63f90be4a27b5daeedf\",\n \"https://git.kernel.org/stable/c/9a5261a984bba4f583d966c550fa72c33ff3714e\",\n \"https://git.kernel.org/stable/c/fb5d4fc578e655d113f09565f6f047e15f7ab578\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_erp: Fix object nesting warning\\n\\nACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM\\n(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can\\ncontain more ACLs (i.e., tc filters), but the number of masks in each\\nregion (i.e., tc chain) is limited.\\n\\nIn order to mitigate the effects of the above limitation, the device\\nallows filters to share a single mask if their masks only differ in up\\nto 8 consecutive bits. For example, dst_ip/25 can be represented using\\ndst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the\\nnumber of masks being used (and therefore does not support mask\\naggregation), but can contain a limited number of filters.\\n\\nThe driver uses the \\\"objagg\\\" library to perform the mask aggregation by\\npassing it objects that consist of the filter's mask and whether the\\nfilter is to be inserted into the A-TCAM or the C-TCAM since filters in\\ndifferent TCAMs cannot share a mask.\\n\\nThe set of created objects is dependent on the insertion order of the\\nfilters and is not necessarily optimal. Therefore, the driver will\\nperiodically ask the library to compute a more optimal set (\\\"hints\\\") by\\nlooking at all the existing objects.\\n\\nWhen the library asks the driver whether two objects can be aggregated\\nthe driver only compares the provided masks and ignores the A-TCAM /\\nC-TCAM indication. This is the right thing to do since the goal is to\\nmove as many filters as possible to the A-TCAM. The driver also forbids\\ntwo identical masks from being aggregated since this can only happen if\\none was intentionally put in the C-TCAM to avoid a conflict in the\\nA-TCAM.\\n\\nThe above can result in the following set of hints:\\n\\nH1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta\\nH3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta\\n\\nAfter getting the hints from the library the driver will start migrating\\nfilters from one region to another while consulting the computed hints\\nand instructing the device to perform a lookup in both regions during\\nthe transition.\\n\\nAssuming a filter with mask X is being migrated into the A-TCAM in the\\nnew region, the hints lookup will return H1. Since H2 is the parent of\\nH1, the library will try to find the object associated with it and\\ncreate it if necessary in which case another hints lookup (recursive)\\nwill be performed. This hints lookup for {mask Y, A-TCAM} will either\\nreturn H2 or H3 since the driver passes the library an object comparison\\nfunction that ignores the A-TCAM / C-TCAM indication.\\n\\nThis can eventually lead to nested objects which are not supported by\\nthe library [1].\\n\\nFix by removing the object comparison function from both the driver and\\nthe library as the driver was the only user. That way the lookup will\\nonly return exact matches.\\n\\nI do not have a reliable reproducer that can reproduce the issue in a\\ntimely manner, but before the fix the issue would reproduce in several\\nminutes and with the fix it does not reproduce in over an hour.\\n\\nNote that the current usefulness of the hints is limited because they\\ninclude the C-TCAM indication and represent aggregation that cannot\\nactually happen. This will be addressed in net-next.\\n\\n[1]\\nWARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0\\nModules linked in:\\nCPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42\\nHardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:objagg_obj_parent_assign+0xb5/0xd0\\n[...]\\nCall Trace:\\n \\n __objagg_obj_get+0x2bb/0x580\\n objagg_obj_get+0xe/0x80\\n mlxsw_sp_acl_erp_mask_get+0xb5/0xf0\\n mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0\\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\\n process_one_work+0x151/0x370\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43880\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43882", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43882" + }, + { + "url": "https://git.kernel.org/stable/c/15469d46ba34559bfe7e3de6659115778c624759" + }, + { + "url": "https://git.kernel.org/stable/c/368f6985d46657b8b466a421dddcacd4051f7ada" + }, + { + "url": "https://git.kernel.org/stable/c/90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e" + }, + { + "url": "https://git.kernel.org/stable/c/9b424c5d4130d56312e2a3be17efb0928fec4d64" + }, + { + "url": "https://git.kernel.org/stable/c/d2a2a4714d80d09b0f8eb6438ab4224690b7121e" + }, + { + "url": "https://git.kernel.org/stable/c/d5c3c7e26275a2d83b894d30f7582a42853a958f" + }, + { + "url": "https://git.kernel.org/stable/c/f50733b45d865f91db90919f8311e2127ce5a0cb" + }, + { + "url": "https://git.kernel.org/stable/c/f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43882 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43882", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nexec: Fix ToCToU between perm check and set-uid/gid usage\n\nWhen opening a file for exec via do_filp_open(), permission checking is\ndone against the file's metadata at that moment, and on success, a file\npointer is passed back. Much later in the execve() code path, the file\nmetadata (specifically mode, uid, and gid) is used to determine if/how\nto set the uid and gid. However, those values may have changed since the\npermissions check, meaning the execution may gain unintended privileges.\n\nFor example, if a file could change permissions from executable and not\nset-id:\n\n---------x 1 root root 16048 Aug 7 13:16 target\n\nto set-id and non-executable:\n\n---S------ 1 root root 16048 Aug 7 13:16 target\n\nit is possible to gain root privileges when execution should have been\ndisallowed.\n\nWhile this race condition is rare in real-world scenarios, it has been\nobserved (and proven exploitable) when package managers are updating\nthe setuid bits of installed programs. Such files start with being\nworld-executable but then are adjusted to be group-exec with a set-uid\nbit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only\nby uid \"root\" and gid \"cdrom\", while also becoming setuid-root:\n\n-rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target\n\nbecomes:\n\n-rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target\n\nBut racing the chmod means users without group \"cdrom\" membership can\nget the permission to execute \"target\" just before the chmod, and when\nthe chmod finishes, the exec reaches brpm_fill_uid(), and performs the\nsetuid to root, violating the expressed authorization of \"only cdrom\ngroup members can setuid to root\".\n\nRe-check that we still have execute permissions in case the metadata\nhas changed. It would be better to keep a copy from the perm-check time,\nbut until we can do that refactoring, the least-bad option is to do a\nfull inode_permission() call (under inode lock). It is understood that\nthis is safe against dead-locks, but hardly optimal.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43882\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43882\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43882\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43882\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43882\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15469d46ba34559bfe7e3de6659115778c624759\",\n \"https://git.kernel.org/stable/c/368f6985d46657b8b466a421dddcacd4051f7ada\",\n \"https://git.kernel.org/stable/c/90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e\",\n \"https://git.kernel.org/stable/c/9b424c5d4130d56312e2a3be17efb0928fec4d64\",\n \"https://git.kernel.org/stable/c/d2a2a4714d80d09b0f8eb6438ab4224690b7121e\",\n \"https://git.kernel.org/stable/c/d5c3c7e26275a2d83b894d30f7582a42853a958f\",\n \"https://git.kernel.org/stable/c/f50733b45d865f91db90919f8311e2127ce5a0cb\",\n \"https://git.kernel.org/stable/c/f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nexec: Fix ToCToU between perm check and set-uid/gid usage\\n\\nWhen opening a file for exec via do_filp_open(), permission checking is\\ndone against the file's metadata at that moment, and on success, a file\\npointer is passed back. Much later in the execve() code path, the file\\nmetadata (specifically mode, uid, and gid) is used to determine if/how\\nto set the uid and gid. However, those values may have changed since the\\npermissions check, meaning the execution may gain unintended privileges.\\n\\nFor example, if a file could change permissions from executable and not\\nset-id:\\n\\n---------x 1 root root 16048 Aug 7 13:16 target\\n\\nto set-id and non-executable:\\n\\n---S------ 1 root root 16048 Aug 7 13:16 target\\n\\nit is possible to gain root privileges when execution should have been\\ndisallowed.\\n\\nWhile this race condition is rare in real-world scenarios, it has been\\nobserved (and proven exploitable) when package managers are updating\\nthe setuid bits of installed programs. Such files start with being\\nworld-executable but then are adjusted to be group-exec with a set-uid\\nbit. For example, \\\"chmod o-x,u+s target\\\" makes \\\"target\\\" executable only\\nby uid \\\"root\\\" and gid \\\"cdrom\\\", while also becoming setuid-root:\\n\\n-rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target\\n\\nbecomes:\\n\\n-rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target\\n\\nBut racing the chmod means users without group \\\"cdrom\\\" membership can\\nget the permission to execute \\\"target\\\" just before the chmod, and when\\nthe chmod finishes, the exec reaches brpm_fill_uid(), and performs the\\nsetuid to root, violating the expressed authorization of \\\"only cdrom\\ngroup members can setuid to root\\\".\\n\\nRe-check that we still have execute permissions in case the metadata\\nhas changed. It would be better to keep a copy from the perm-check time,\\nbut until we can do that refactoring, the least-bad option is to do a\\nfull inode_permission() call (under inode lock). It is understood that\\nthis is safe against dead-locks, but hardly optimal.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43882\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43883", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43883" + }, + { + "url": "https://git.kernel.org/stable/c/128e82e41cf7d74a562726c1587d9d2ede1a0a37" + }, + { + "url": "https://git.kernel.org/stable/c/4dacdb9720aaab10b6be121eae55820174d97174" + }, + { + "url": "https://git.kernel.org/stable/c/585e6bc7d0a9bf73a8be3d3fb34e86b90cc61a14" + }, + { + "url": "https://git.kernel.org/stable/c/5a3c473b28ae1c1f7c4dc129e30cb19ae6e96f89" + }, + { + "url": "https://git.kernel.org/stable/c/9c3746ce8d8fcb3a2405644fc0eec7fc5312de80" + }, + { + "url": "https://git.kernel.org/stable/c/afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a" + }, + { + "url": "https://git.kernel.org/stable/c/c3d0857b7fc2c49f68f89128a5440176089a8f54" + }, + { + "url": "https://git.kernel.org/stable/c/e8c1e606dab8c56cf074b43b98d0805de7322ba2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43883 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43883", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: vhci-hcd: Do not drop references before new references are gained\n\nAt a few places the driver carries stale pointers\nto references that can still be used. Make sure that does not happen.\nThis strictly speaking closes ZDI-CAN-22273, though there may be\nsimilar races in the driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43883\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43883\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43883\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43883\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43883\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/128e82e41cf7d74a562726c1587d9d2ede1a0a37\",\n \"https://git.kernel.org/stable/c/4dacdb9720aaab10b6be121eae55820174d97174\",\n \"https://git.kernel.org/stable/c/585e6bc7d0a9bf73a8be3d3fb34e86b90cc61a14\",\n \"https://git.kernel.org/stable/c/5a3c473b28ae1c1f7c4dc129e30cb19ae6e96f89\",\n \"https://git.kernel.org/stable/c/9c3746ce8d8fcb3a2405644fc0eec7fc5312de80\",\n \"https://git.kernel.org/stable/c/afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a\",\n \"https://git.kernel.org/stable/c/c3d0857b7fc2c49f68f89128a5440176089a8f54\",\n \"https://git.kernel.org/stable/c/e8c1e606dab8c56cf074b43b98d0805de7322ba2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: vhci-hcd: Do not drop references before new references are gained\\n\\nAt a few places the driver carries stale pointers\\nto references that can still be used. Make sure that does not happen.\\nThis strictly speaking closes ZDI-CAN-22273, though there may be\\nsimilar races in the driver.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43883\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43884", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43884" + }, + { + "url": "https://git.kernel.org/stable/c/538fd3921afac97158d4177139a0ad39f056dbb2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43884 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43884", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Add error handling to pair_device()\n\nhci_conn_params_add() never checks for a NULL value and could lead to a NULL\npointer dereference causing a crash.\n\nFixed by adding error handling in the function.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43884\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43884\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43884\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43884\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43884\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/538fd3921afac97158d4177139a0ad39f056dbb2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: MGMT: Add error handling to pair_device()\\n\\nhci_conn_params_add() never checks for a NULL value and could lead to a NULL\\npointer dereference causing a crash.\\n\\nFixed by adding error handling in the function.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43884\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43886", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43886" + }, + { + "url": "https://git.kernel.org/stable/c/899d92fd26fe780aad711322aa671f68058207a6" + }, + { + "url": "https://git.kernel.org/stable/c/c36e922a36bdf69765c340a0857ca74092003bee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43886 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43886", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check in resource_log_pipe_topology_update\n\n[WHY]\nWhen switching from \"Extend\" to \"Second Display Only\" we sometimes\ncall resource_get_otg_master_for_stream on a stream for the eDP,\nwhich is disconnected. This leads to a null pointer dereference.\n\n[HOW]\nAdded a null check in dc_resource.c/resource_log_pipe_topology_update.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43886\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43886\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43886\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43886\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43886\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/899d92fd26fe780aad711322aa671f68058207a6\",\n \"https://git.kernel.org/stable/c/c36e922a36bdf69765c340a0857ca74092003bee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add null check in resource_log_pipe_topology_update\\n\\n[WHY]\\nWhen switching from \\\"Extend\\\" to \\\"Second Display Only\\\" we sometimes\\ncall resource_get_otg_master_for_stream on a stream for the eDP,\\nwhich is disconnected. This leads to a null pointer dereference.\\n\\n[HOW]\\nAdded a null check in dc_resource.c/resource_log_pipe_topology_update.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43886\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43889", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43889" + }, + { + "url": "https://git.kernel.org/stable/c/6d45e1c948a8b7ed6ceddb14319af69424db730c" + }, + { + "url": "https://git.kernel.org/stable/c/8f5ffd2af7274853ff91d6cd62541191d9fbd10d" + }, + { + "url": "https://git.kernel.org/stable/c/924f788c906dccaca30acab86c7124371e1d6f2c" + }, + { + "url": "https://git.kernel.org/stable/c/a29cfcb848c31f22b4de6a531c3e1d68c9bfe09f" + }, + { + "url": "https://git.kernel.org/stable/c/ab8b397d5997d8c37610252528edc54bebf9f6d3" + }, + { + "url": "https://git.kernel.org/stable/c/da0ffe84fcc1627a7dff82c80b823b94236af905" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43889 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43889", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix possible divide-by-0 panic in padata_mt_helper()\n\nWe are hit with a not easily reproducible divide-by-0 panic in padata.c at\nbootup time.\n\n [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI\n [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1\n [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021\n [ 10.017908] Workqueue: events_unbound padata_mt_helper\n [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0\n :\n [ 10.017963] Call Trace:\n [ 10.017968] \n [ 10.018004] ? padata_mt_helper+0x39/0xb0\n [ 10.018084] process_one_work+0x174/0x330\n [ 10.018093] worker_thread+0x266/0x3a0\n [ 10.018111] kthread+0xcf/0x100\n [ 10.018124] ret_from_fork+0x31/0x50\n [ 10.018138] ret_from_fork_asm+0x1a/0x30\n [ 10.018147] \n\nLooking at the padata_mt_helper() function, the only way a divide-by-0\npanic can happen is when ps->chunk_size is 0. The way that chunk_size is\ninitialized in padata_do_multithreaded(), chunk_size can be 0 when the\nmin_chunk in the passed-in padata_mt_job structure is 0.\n\nFix this divide-by-0 panic by making sure that chunk_size will be at least\n1 no matter what the input parameters are.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43889\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43889\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43889\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43889\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43889\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6d45e1c948a8b7ed6ceddb14319af69424db730c\",\n \"https://git.kernel.org/stable/c/8f5ffd2af7274853ff91d6cd62541191d9fbd10d\",\n \"https://git.kernel.org/stable/c/924f788c906dccaca30acab86c7124371e1d6f2c\",\n \"https://git.kernel.org/stable/c/a29cfcb848c31f22b4de6a531c3e1d68c9bfe09f\",\n \"https://git.kernel.org/stable/c/ab8b397d5997d8c37610252528edc54bebf9f6d3\",\n \"https://git.kernel.org/stable/c/da0ffe84fcc1627a7dff82c80b823b94236af905\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npadata: Fix possible divide-by-0 panic in padata_mt_helper()\\n\\nWe are hit with a not easily reproducible divide-by-0 panic in padata.c at\\nbootup time.\\n\\n [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI\\n [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1\\n [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021\\n [ 10.017908] Workqueue: events_unbound padata_mt_helper\\n [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0\\n :\\n [ 10.017963] Call Trace:\\n [ 10.017968] \\n [ 10.018004] ? padata_mt_helper+0x39/0xb0\\n [ 10.018084] process_one_work+0x174/0x330\\n [ 10.018093] worker_thread+0x266/0x3a0\\n [ 10.018111] kthread+0xcf/0x100\\n [ 10.018124] ret_from_fork+0x31/0x50\\n [ 10.018138] ret_from_fork_asm+0x1a/0x30\\n [ 10.018147] \\n\\nLooking at the padata_mt_helper() function, the only way a divide-by-0\\npanic can happen is when ps->chunk_size is 0. The way that chunk_size is\\ninitialized in padata_do_multithreaded(), chunk_size can be 0 when the\\nmin_chunk in the passed-in padata_mt_job structure is 0.\\n\\nFix this divide-by-0 panic by making sure that chunk_size will be at least\\n1 no matter what the input parameters are.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43889\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43890", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43890" + }, + { + "url": "https://git.kernel.org/stable/c/236bb4690773ab6869b40bedc7bc8d889e36f9d6" + }, + { + "url": "https://git.kernel.org/stable/c/302ceb625d7b990db205a15e371f9a71238de91c" + }, + { + "url": "https://git.kernel.org/stable/c/788ea62499b3c18541fd6d621964d8fafbc4aec5" + }, + { + "url": "https://git.kernel.org/stable/c/a172c7b22bc2feaf489cfc6d6865f7237134fdf8" + }, + { + "url": "https://git.kernel.org/stable/c/bcf86c01ca4676316557dd482c8416ece8c2e143" + }, + { + "url": "https://git.kernel.org/stable/c/cd10d186a5409a1fe6e976df82858e9773a698da" + }, + { + "url": "https://git.kernel.org/stable/c/d3e4dbc2858fe85d1dbd2e72a9fc5dea988b5c18" + }, + { + "url": "https://git.kernel.org/stable/c/eb223bf01e688dfe37e813c8988ee11c8c9f8d0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43890 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43890", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix overflow in get_free_elt()\n\n\"tracing_map->next_elt\" in get_free_elt() is at risk of overflowing.\n\nOnce it overflows, new elements can still be inserted into the tracing_map\neven though the maximum number of elements (`max_elts`) has been reached.\nContinuing to insert elements after the overflow could result in the\ntracing_map containing \"tracing_map->max_size\" elements, leaving no empty\nentries.\nIf any attempt is made to insert an element into a full tracing_map using\n`__tracing_map_insert()`, it will cause an infinite loop with preemption\ndisabled, leading to a CPU hang problem.\n\nFix this by preventing any further increments to \"tracing_map->next_elt\"\nonce it reaches \"tracing_map->max_elt\".", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43890\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43890\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43890\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43890\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43890\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/236bb4690773ab6869b40bedc7bc8d889e36f9d6\",\n \"https://git.kernel.org/stable/c/302ceb625d7b990db205a15e371f9a71238de91c\",\n \"https://git.kernel.org/stable/c/788ea62499b3c18541fd6d621964d8fafbc4aec5\",\n \"https://git.kernel.org/stable/c/a172c7b22bc2feaf489cfc6d6865f7237134fdf8\",\n \"https://git.kernel.org/stable/c/bcf86c01ca4676316557dd482c8416ece8c2e143\",\n \"https://git.kernel.org/stable/c/cd10d186a5409a1fe6e976df82858e9773a698da\",\n \"https://git.kernel.org/stable/c/d3e4dbc2858fe85d1dbd2e72a9fc5dea988b5c18\",\n \"https://git.kernel.org/stable/c/eb223bf01e688dfe37e813c8988ee11c8c9f8d0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Fix overflow in get_free_elt()\\n\\n\\\"tracing_map->next_elt\\\" in get_free_elt() is at risk of overflowing.\\n\\nOnce it overflows, new elements can still be inserted into the tracing_map\\neven though the maximum number of elements (`max_elts`) has been reached.\\nContinuing to insert elements after the overflow could result in the\\ntracing_map containing \\\"tracing_map->max_size\\\" elements, leaving no empty\\nentries.\\nIf any attempt is made to insert an element into a full tracing_map using\\n`__tracing_map_insert()`, it will cause an infinite loop with preemption\\ndisabled, leading to a CPU hang problem.\\n\\nFix this by preventing any further increments to \\\"tracing_map->next_elt\\\"\\nonce it reaches \\\"tracing_map->max_elt\\\".\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43890\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43892", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43892" + }, + { + "url": "https://git.kernel.org/stable/c/37a060b64ae83b76600d187d76591ce488ab836b" + }, + { + "url": "https://git.kernel.org/stable/c/51c0b1bb7541f8893ec1accba59eb04361a70946" + }, + { + "url": "https://git.kernel.org/stable/c/9972605a238339b85bd16b084eed5f18414d22db" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43892 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43892", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg: protect concurrent access to mem_cgroup_idr\n\nCommit 73f576c04b94 (\"mm: memcontrol: fix cgroup creation failure after\nmany small jobs\") decoupled the memcg IDs from the CSS ID space to fix the\ncgroup creation failures. It introduced IDR to maintain the memcg ID\nspace. The IDR depends on external synchronization mechanisms for\nmodifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace()\nhappen within css callback and thus are protected through cgroup_mutex\nfrom concurrent modifications. However idr_remove() for mem_cgroup_idr\nwas not protected against concurrency and can be run concurrently for\ndifferent memcgs when they hit their refcnt to zero. Fix that.\n\nWe have been seeing list_lru based kernel crashes at a low frequency in\nour fleet for a long time. These crashes were in different part of\nlist_lru code including list_lru_add(), list_lru_del() and reparenting\ncode. Upon further inspection, it looked like for a given object (dentry\nand inode), the super_block's list_lru didn't have list_lru_one for the\nmemcg of that object. The initial suspicions were either the object is\nnot allocated through kmem_cache_alloc_lru() or somehow\nmemcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but\nreturned success. No evidence were found for these cases.\n\nLooking more deeply, we started seeing situations where valid memcg's id\nis not present in mem_cgroup_idr and in some cases multiple valid memcgs\nhave same id and mem_cgroup_idr is pointing to one of them. So, the most\nreasonable explanation is that these situations can happen due to race\nbetween multiple idr_remove() calls or race between\nidr_alloc()/idr_replace() and idr_remove(). These races are causing\nmultiple memcgs to acquire the same ID and then offlining of one of them\nwould cleanup list_lrus on the system for all of them. Later access from\nother memcgs to the list_lru cause crashes due to missing list_lru_one.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43892\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43892\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43892\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43892\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43892\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/37a060b64ae83b76600d187d76591ce488ab836b\",\n \"https://git.kernel.org/stable/c/51c0b1bb7541f8893ec1accba59eb04361a70946\",\n \"https://git.kernel.org/stable/c/9972605a238339b85bd16b084eed5f18414d22db\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmemcg: protect concurrent access to mem_cgroup_idr\\n\\nCommit 73f576c04b94 (\\\"mm: memcontrol: fix cgroup creation failure after\\nmany small jobs\\\") decoupled the memcg IDs from the CSS ID space to fix the\\ncgroup creation failures. It introduced IDR to maintain the memcg ID\\nspace. The IDR depends on external synchronization mechanisms for\\nmodifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace()\\nhappen within css callback and thus are protected through cgroup_mutex\\nfrom concurrent modifications. However idr_remove() for mem_cgroup_idr\\nwas not protected against concurrency and can be run concurrently for\\ndifferent memcgs when they hit their refcnt to zero. Fix that.\\n\\nWe have been seeing list_lru based kernel crashes at a low frequency in\\nour fleet for a long time. These crashes were in different part of\\nlist_lru code including list_lru_add(), list_lru_del() and reparenting\\ncode. Upon further inspection, it looked like for a given object (dentry\\nand inode), the super_block's list_lru didn't have list_lru_one for the\\nmemcg of that object. The initial suspicions were either the object is\\nnot allocated through kmem_cache_alloc_lru() or somehow\\nmemcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but\\nreturned success. No evidence were found for these cases.\\n\\nLooking more deeply, we started seeing situations where valid memcg's id\\nis not present in mem_cgroup_idr and in some cases multiple valid memcgs\\nhave same id and mem_cgroup_idr is pointing to one of them. So, the most\\nreasonable explanation is that these situations can happen due to race\\nbetween multiple idr_remove() calls or race between\\nidr_alloc()/idr_replace() and idr_remove(). These races are causing\\nmultiple memcgs to acquire the same ID and then offlining of one of them\\nwould cleanup list_lrus on the system for all of them. Later access from\\nother memcgs to the list_lru cause crashes due to missing list_lru_one.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43892\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43893" + }, + { + "url": "https://git.kernel.org/stable/c/3bbd90fca824e6fd61fb20f6dd2b0fa5f8b14bba" + }, + { + "url": "https://git.kernel.org/stable/c/52b138f1021113e593ee6ad258ce08fe90693a9e" + }, + { + "url": "https://git.kernel.org/stable/c/55b2a5d331a6ceb1c4372945fdb77181265ba24f" + }, + { + "url": "https://git.kernel.org/stable/c/68dc02f319b9ee54dc23caba742a5c754d1cccc8" + }, + { + "url": "https://git.kernel.org/stable/c/6eabce6608d6f3440f4c03aa3d3ef50a47a3d193" + }, + { + "url": "https://git.kernel.org/stable/c/9196e42a3b8eeff1707e6ef769112b4b6096be49" + }, + { + "url": "https://git.kernel.org/stable/c/e13ba3fe5ee070f8a9dab60029d52b1f61da5051" + }, + { + "url": "https://git.kernel.org/stable/c/e3ad503876283ac3fcca922a1bf243ef9eb0b0e2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: check uartclk for zero to avoid divide by zero\n\nCalling ioctl TIOCSSERIAL with an invalid baud_base can\nresult in uartclk being zero, which will result in a\ndivide by zero error in uart_get_divisor(). The check for\nuartclk being zero in uart_set_info() needs to be done\nbefore other settings are made as subsequent calls to\nioctl TIOCSSERIAL for the same port would be impacted if\nthe uartclk check was done where uartclk gets set.\n\nOops: divide error: 0000 PREEMPT SMP KASAN PTI\nRIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580)\nCall Trace:\n \nserial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576\n drivers/tty/serial/8250/8250_port.c:2589)\nserial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502\n drivers/tty/serial/8250/8250_port.c:2741)\nserial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862)\nuart_change_line_settings (./include/linux/spinlock.h:376\n ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222)\nuart_port_startup (drivers/tty/serial/serial_core.c:342)\nuart_startup (drivers/tty/serial/serial_core.c:368)\nuart_set_info (drivers/tty/serial/serial_core.c:1034)\nuart_set_info_user (drivers/tty/serial/serial_core.c:1059)\ntty_set_serial (drivers/tty/tty_io.c:2637)\ntty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791)\n__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907\n fs/ioctl.c:893 fs/ioctl.c:893)\ndo_syscall_64 (arch/x86/entry/common.c:52\n (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nRule: add", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3bbd90fca824e6fd61fb20f6dd2b0fa5f8b14bba\",\n \"https://git.kernel.org/stable/c/52b138f1021113e593ee6ad258ce08fe90693a9e\",\n \"https://git.kernel.org/stable/c/55b2a5d331a6ceb1c4372945fdb77181265ba24f\",\n \"https://git.kernel.org/stable/c/68dc02f319b9ee54dc23caba742a5c754d1cccc8\",\n \"https://git.kernel.org/stable/c/6eabce6608d6f3440f4c03aa3d3ef50a47a3d193\",\n \"https://git.kernel.org/stable/c/9196e42a3b8eeff1707e6ef769112b4b6096be49\",\n \"https://git.kernel.org/stable/c/e13ba3fe5ee070f8a9dab60029d52b1f61da5051\",\n \"https://git.kernel.org/stable/c/e3ad503876283ac3fcca922a1bf243ef9eb0b0e2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: core: check uartclk for zero to avoid divide by zero\\n\\nCalling ioctl TIOCSSERIAL with an invalid baud_base can\\nresult in uartclk being zero, which will result in a\\ndivide by zero error in uart_get_divisor(). The check for\\nuartclk being zero in uart_set_info() needs to be done\\nbefore other settings are made as subsequent calls to\\nioctl TIOCSSERIAL for the same port would be impacted if\\nthe uartclk check was done where uartclk gets set.\\n\\nOops: divide error: 0000 PREEMPT SMP KASAN PTI\\nRIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580)\\nCall Trace:\\n \\nserial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576\\n drivers/tty/serial/8250/8250_port.c:2589)\\nserial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502\\n drivers/tty/serial/8250/8250_port.c:2741)\\nserial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862)\\nuart_change_line_settings (./include/linux/spinlock.h:376\\n ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222)\\nuart_port_startup (drivers/tty/serial/serial_core.c:342)\\nuart_startup (drivers/tty/serial/serial_core.c:368)\\nuart_set_info (drivers/tty/serial/serial_core.c:1034)\\nuart_set_info_user (drivers/tty/serial/serial_core.c:1059)\\ntty_set_serial (drivers/tty/tty_io.c:2637)\\ntty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791)\\n__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907\\n fs/ioctl.c:893 fs/ioctl.c:893)\\ndo_syscall_64 (arch/x86/entry/common.c:52\\n (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))\\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\nRule: add\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43894", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43894" + }, + { + "url": "https://git.kernel.org/stable/c/113fd6372a5bb3689aba8ef5b8a265ed1529a78f" + }, + { + "url": "https://git.kernel.org/stable/c/24ddda932c43ffe156c7f3c568bed85131c63ae6" + }, + { + "url": "https://git.kernel.org/stable/c/5291d4f73452c91e8a11f71207617e3e234d418e" + }, + { + "url": "https://git.kernel.org/stable/c/612cae53e99ce32a58cb821b3b67199eb6e92dff" + }, + { + "url": "https://git.kernel.org/stable/c/c763dfe09425152b6bb0e348900a637c62c2ce52" + }, + { + "url": "https://git.kernel.org/stable/c/d64847c383100423aecb6ac5f18be5f4316d9d62" + }, + { + "url": "https://git.kernel.org/stable/c/d64fc94f7bb24fc2be0d6bd5df8df926da461a6d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43894 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43894", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: fix null pointer dereference in drm_client_modeset_probe\n\nIn drm_client_modeset_probe(), the return value of drm_mode_duplicate() is\nassigned to modeset->mode, which will lead to a possible NULL pointer\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43894\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43894\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43894\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43894\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43894\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/113fd6372a5bb3689aba8ef5b8a265ed1529a78f\",\n \"https://git.kernel.org/stable/c/24ddda932c43ffe156c7f3c568bed85131c63ae6\",\n \"https://git.kernel.org/stable/c/5291d4f73452c91e8a11f71207617e3e234d418e\",\n \"https://git.kernel.org/stable/c/612cae53e99ce32a58cb821b3b67199eb6e92dff\",\n \"https://git.kernel.org/stable/c/c763dfe09425152b6bb0e348900a637c62c2ce52\",\n \"https://git.kernel.org/stable/c/d64847c383100423aecb6ac5f18be5f4316d9d62\",\n \"https://git.kernel.org/stable/c/d64fc94f7bb24fc2be0d6bd5df8df926da461a6d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/client: fix null pointer dereference in drm_client_modeset_probe\\n\\nIn drm_client_modeset_probe(), the return value of drm_mode_duplicate() is\\nassigned to modeset->mode, which will lead to a possible NULL pointer\\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43894\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43895", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43895" + }, + { + "url": "https://git.kernel.org/stable/c/282f0a482ee61d5e863512f3c4fcec90216c20d9" + }, + { + "url": "https://git.kernel.org/stable/c/50e376f1fe3bf571d0645ddf48ad37eb58323919" + }, + { + "url": "https://git.kernel.org/stable/c/70275bb960c71d313254473d38c14e7101cee5ad" + }, + { + "url": "https://git.kernel.org/stable/c/718d83f66fb07b2cab89a1fc984613a00e3db18f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43895 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43895", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip Recompute DSC Params if no Stream on Link\n\n[why]\nEncounter NULL pointer dereference uner mst + dsc setup.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\n Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\n RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\n Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\n RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\n RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\n RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\n R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\n R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\n FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\n Call Trace:\n\n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n\n[how]\ndsc recompute should be skipped if no mode change detected on the new\nrequest. If detected, keep checking whether the stream is already on\ncurrent state or not.\n\n(cherry picked from commit 8151a6c13111b465dbabe07c19f572f7cbd16fef)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43895\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43895\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43895\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43895\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43895\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/282f0a482ee61d5e863512f3c4fcec90216c20d9\",\n \"https://git.kernel.org/stable/c/50e376f1fe3bf571d0645ddf48ad37eb58323919\",\n \"https://git.kernel.org/stable/c/70275bb960c71d313254473d38c14e7101cee5ad\",\n \"https://git.kernel.org/stable/c/718d83f66fb07b2cab89a1fc984613a00e3db18f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Skip Recompute DSC Params if no Stream on Link\\n\\n[why]\\nEncounter NULL pointer dereference uner mst + dsc setup.\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000008\\n PGD 0 P4D 0\\n Oops: 0000 [#1] PREEMPT SMP NOPTI\\n CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\\n Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\\n RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\\n Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\\n RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\\n RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\\n RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\\n RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\\n R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\\n R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\\n FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\\n Call Trace:\\n\\n ? __die+0x23/0x70\\n ? page_fault_oops+0x171/0x4e0\\n ? plist_add+0xbe/0x100\\n ? exc_page_fault+0x7c/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n drm_atomic_check_only+0x5c5/0xa40\\n drm_mode_atomic_ioctl+0x76e/0xbc0\\n\\n[how]\\ndsc recompute should be skipped if no mode change detected on the new\\nrequest. If detected, keep checking whether the stream is already on\\ncurrent state or not.\\n\\n(cherry picked from commit 8151a6c13111b465dbabe07c19f572f7cbd16fef)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43895\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43898", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43898" + }, + { + "url": "https://git.kernel.org/stable/c/3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e" + }, + { + "url": "https://git.kernel.org/stable/c/83f4414b8f84249d538905825b088ff3ae555652" + }, + { + "url": "https://git.kernel.org/stable/c/f619876ccbfd329ae785fe5d3289b9dcd6eb5901" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43898 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43898", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: sanity check for NULL pointer after ext4_force_shutdown\n\nTest case: 2 threads write short inline data to a file.\nIn ext4_page_mkwrite the resulting inline data is converted.\nHandling ext4_grp_locked_error with description \"block bitmap\nand bg descriptor inconsistent: X vs Y free clusters\" calls\next4_force_shutdown. The conversion clears\nEXT4_STATE_MAY_INLINE_DATA but fails for\next4_destroy_inline_data_nolock and ext4_mark_iloc_dirty due\nto ext4_forced_shutdown. The restoration of inline data fails\nfor the same reason not setting EXT4_STATE_MAY_INLINE_DATA.\nWithout the flag set a regular process path in ext4_da_write_end\nfollows trying to dereference page folio private pointer that has\nnot been set. The fix calls early return with -EIO error shall the\npointer to private be NULL.\n\nSample crash report:\n\nUnable to handle kernel paging request at virtual address dfff800000000004\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nMem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[dfff800000000004] address between user and kernel address ranges\nInternal error: Oops: 0000000096000005 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 20274 Comm: syz-executor185 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\nlr : __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160\nsp : ffff8000a1957600\nx29: ffff8000a1957610 x28: dfff800000000000 x27: ffff0000e30e34b0\nx26: 0000000000000000 x25: dfff800000000000 x24: dfff800000000000\nx23: fffffdffc397c9e0 x22: 0000000000000020 x21: 0000000000000020\nx20: 0000000000000040 x19: fffffdffc397c9c0 x18: 1fffe000367bd196\nx17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0\nx14: 1fffe0001cbe4e04 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000004 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : fffffdffc397c9c0 x4 : 0000000000000020 x3 : 0000000000000020\nx2 : 0000000000000040 x1 : 0000000000000020 x0 : fffffdffc397c9c0\nCall trace:\n __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\n block_write_end+0xb4/0x104 fs/buffer.c:2253\n ext4_da_do_write_end fs/ext4/inode.c:2955 [inline]\n ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028\n generic_perform_write+0x394/0x588 mm/filemap.c:3985\n ext4_buffered_write_iter+0x2c0/0x4ec fs/ext4/file.c:299\n ext4_file_write_iter+0x188/0x1780\n call_write_iter include/linux/fs.h:2110 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x968/0xc3c fs/read_write.c:590\n ksys_write+0x15c/0x26c fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:652\n __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\nCode: 97f85911 f94002da 91008356 d343fec8 (38796908)\n---[ end trace 0000000000000000 ]---\n----------------\nCode disassembly (best guess):\n 0:\t97f85911 \tbl\t0xffffffffffe16444\n 4:\tf94002da \tldr\tx26, [x22]\n 8:\t91008356 \tadd\tx22, x26, #0x20\n c:\td343fec8 \tlsr\tx8, x22, #3\n* 10:\t38796908 \tldrb\tw8, [x8, x25] <-- trapping instruction", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43898\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43898\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43898\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43898\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43898\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e\",\n \"https://git.kernel.org/stable/c/83f4414b8f84249d538905825b088ff3ae555652\",\n \"https://git.kernel.org/stable/c/f619876ccbfd329ae785fe5d3289b9dcd6eb5901\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: sanity check for NULL pointer after ext4_force_shutdown\\n\\nTest case: 2 threads write short inline data to a file.\\nIn ext4_page_mkwrite the resulting inline data is converted.\\nHandling ext4_grp_locked_error with description \\\"block bitmap\\nand bg descriptor inconsistent: X vs Y free clusters\\\" calls\\next4_force_shutdown. The conversion clears\\nEXT4_STATE_MAY_INLINE_DATA but fails for\\next4_destroy_inline_data_nolock and ext4_mark_iloc_dirty due\\nto ext4_forced_shutdown. The restoration of inline data fails\\nfor the same reason not setting EXT4_STATE_MAY_INLINE_DATA.\\nWithout the flag set a regular process path in ext4_da_write_end\\nfollows trying to dereference page folio private pointer that has\\nnot been set. The fix calls early return with -EIO error shall the\\npointer to private be NULL.\\n\\nSample crash report:\\n\\nUnable to handle kernel paging request at virtual address dfff800000000004\\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\\nMem abort info:\\n ESR = 0x0000000096000005\\n EC = 0x25: DABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x05: level 1 translation fault\\nData abort info:\\n ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n[dfff800000000004] address between user and kernel address ranges\\nInternal error: Oops: 0000000096000005 [#1] PREEMPT SMP\\nModules linked in:\\nCPU: 1 PID: 20274 Comm: syz-executor185 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\\nlr : __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160\\nsp : ffff8000a1957600\\nx29: ffff8000a1957610 x28: dfff800000000000 x27: ffff0000e30e34b0\\nx26: 0000000000000000 x25: dfff800000000000 x24: dfff800000000000\\nx23: fffffdffc397c9e0 x22: 0000000000000020 x21: 0000000000000020\\nx20: 0000000000000040 x19: fffffdffc397c9c0 x18: 1fffe000367bd196\\nx17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0\\nx14: 1fffe0001cbe4e04 x13: 0000000000000000 x12: 0000000000000000\\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000\\nx8 : 0000000000000004 x7 : 0000000000000000 x6 : 0000000000000000\\nx5 : fffffdffc397c9c0 x4 : 0000000000000020 x3 : 0000000000000020\\nx2 : 0000000000000040 x1 : 0000000000000020 x0 : fffffdffc397c9c0\\nCall trace:\\n __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\\n block_write_end+0xb4/0x104 fs/buffer.c:2253\\n ext4_da_do_write_end fs/ext4/inode.c:2955 [inline]\\n ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028\\n generic_perform_write+0x394/0x588 mm/filemap.c:3985\\n ext4_buffered_write_iter+0x2c0/0x4ec fs/ext4/file.c:299\\n ext4_file_write_iter+0x188/0x1780\\n call_write_iter include/linux/fs.h:2110 [inline]\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0x968/0xc3c fs/read_write.c:590\\n ksys_write+0x15c/0x26c fs/read_write.c:643\\n __do_sys_write fs/read_write.c:655 [inline]\\n __se_sys_write fs/read_write.c:652 [inline]\\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:652\\n __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]\\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48\\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133\\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152\\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712\\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\\nCode: 97f85911 f94002da 91008356 d343fec8 (38796908)\\n---[ end trace 0000000000000000 ]---\\n----------------\\nCode disassembly (best guess):\\n 0:\\t97f85911 \\tbl\\t0xffffffffffe16444\\n 4:\\tf94002da \\tldr\\tx26, [x22]\\n 8:\\t91008356 \\tadd\\tx22, x26, #0x20\\n c:\\td343fec8 \\tlsr\\tx8, x22, #3\\n* 10:\\t38796908 \\tldrb\\tw8, [x8, x25] <-- trapping instruction\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43898\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43899" + }, + { + "url": "https://git.kernel.org/stable/c/974fccd61758599a9716c4b909d9226749efe37e" + }, + { + "url": "https://git.kernel.org/stable/c/ecbf60782662f0a388493685b85a645a0ba1613c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix null pointer deref in dcn20_resource.c\n\nFixes a hang thats triggered when MPV is run on a DCN401 dGPU:\n\nmpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all\n\nand then enabling fullscreen playback (double click on the video)\n\nThe following calltrace will be seen:\n\n[ 181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 181.843997] #PF: supervisor instruction fetch in kernel mode\n[ 181.844003] #PF: error_code(0x0010) - not-present page\n[ 181.844009] PGD 0 P4D 0\n[ 181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ 181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu\n[ 181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018\n[ 181.844044] RIP: 0010:0x0\n[ 181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[ 181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246\n[ 181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004\n[ 181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400\n[ 181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c\n[ 181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8\n[ 181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005\n[ 181.844121] FS: 00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000\n[ 181.844128] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0\n[ 181.844141] Call Trace:\n[ 181.844146] \n[ 181.844153] ? show_regs+0x6d/0x80\n[ 181.844167] ? __die+0x24/0x80\n[ 181.844179] ? page_fault_oops+0x99/0x1b0\n[ 181.844192] ? do_user_addr_fault+0x31d/0x6b0\n[ 181.844204] ? exc_page_fault+0x83/0x1b0\n[ 181.844216] ? asm_exc_page_fault+0x27/0x30\n[ 181.844237] dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu]\n[ 181.845115] amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu]\n[ 181.845985] amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu]\n[ 181.846848] fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu]\n[ 181.847734] fill_dc_plane_attributes+0x162/0x350 [amdgpu]\n[ 181.848748] dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\n[ 181.849791] ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\n[ 181.850840] amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/974fccd61758599a9716c4b909d9226749efe37e\",\n \"https://git.kernel.org/stable/c/ecbf60782662f0a388493685b85a645a0ba1613c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix null pointer deref in dcn20_resource.c\\n\\nFixes a hang thats triggered when MPV is run on a DCN401 dGPU:\\n\\nmpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all\\n\\nand then enabling fullscreen playback (double click on the video)\\n\\nThe following calltrace will be seen:\\n\\n[ 181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000\\n[ 181.843997] #PF: supervisor instruction fetch in kernel mode\\n[ 181.844003] #PF: error_code(0x0010) - not-present page\\n[ 181.844009] PGD 0 P4D 0\\n[ 181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI\\n[ 181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu\\n[ 181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018\\n[ 181.844044] RIP: 0010:0x0\\n[ 181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\\n[ 181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246\\n[ 181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004\\n[ 181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400\\n[ 181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c\\n[ 181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8\\n[ 181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005\\n[ 181.844121] FS: 00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000\\n[ 181.844128] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0\\n[ 181.844141] Call Trace:\\n[ 181.844146] \\n[ 181.844153] ? show_regs+0x6d/0x80\\n[ 181.844167] ? __die+0x24/0x80\\n[ 181.844179] ? page_fault_oops+0x99/0x1b0\\n[ 181.844192] ? do_user_addr_fault+0x31d/0x6b0\\n[ 181.844204] ? exc_page_fault+0x83/0x1b0\\n[ 181.844216] ? asm_exc_page_fault+0x27/0x30\\n[ 181.844237] dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu]\\n[ 181.845115] amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu]\\n[ 181.845985] amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu]\\n[ 181.846848] fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu]\\n[ 181.847734] fill_dc_plane_attributes+0x162/0x350 [amdgpu]\\n[ 181.848748] dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\\n[ 181.849791] ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\\n[ 181.850840] amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43900" + }, + { + "url": "https://git.kernel.org/stable/c/208deb6d8c3cb8c3acb1f41eb31cf68ea08726d5" + }, + { + "url": "https://git.kernel.org/stable/c/68594cec291ff9523b9feb3f43fd853dcddd1f60" + }, + { + "url": "https://git.kernel.org/stable/c/850304152d367f104d21c77cfbcc05806504218b" + }, + { + "url": "https://git.kernel.org/stable/c/ef517bdfc01818419f7bd426969a0c86b14f3e0e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: xc2028: avoid use-after-free in load_firmware_cb()\n\nsyzkaller reported use-after-free in load_firmware_cb() [1].\nThe reason is because the module allocated a struct tuner in tuner_probe(),\nand then the module initialization failed, the struct tuner was released.\nA worker which created during module initialization accesses this struct\ntuner later, it caused use-after-free.\n\nThe process is as follows:\n\ntask-6504 worker_thread\ntuner_probe <= alloc dvb_frontend [2]\n...\nrequest_firmware_nowait <= create a worker\n...\ntuner_remove <= free dvb_frontend\n...\n request_firmware_work_func <= the firmware is ready\n load_firmware_cb <= but now the dvb_frontend has been freed\n\nTo fix the issue, check the dvd_frontend in load_firmware_cb(), if it is\nnull, report a warning and just return.\n\n[1]:\n ==================================================================\n BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0\n Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504\n\n Call trace:\n load_firmware_cb+0x1310/0x17a0\n request_firmware_work_func+0x128/0x220\n process_one_work+0x770/0x1824\n worker_thread+0x488/0xea0\n kthread+0x300/0x430\n ret_from_fork+0x10/0x20\n\n Allocated by task 6504:\n kzalloc\n tuner_probe+0xb0/0x1430\n i2c_device_probe+0x92c/0xaf0\n really_probe+0x678/0xcd0\n driver_probe_device+0x280/0x370\n __device_attach_driver+0x220/0x330\n bus_for_each_drv+0x134/0x1c0\n __device_attach+0x1f4/0x410\n device_initial_probe+0x20/0x30\n bus_probe_device+0x184/0x200\n device_add+0x924/0x12c0\n device_register+0x24/0x30\n i2c_new_device+0x4e0/0xc44\n v4l2_i2c_new_subdev_board+0xbc/0x290\n v4l2_i2c_new_subdev+0xc8/0x104\n em28xx_v4l2_init+0x1dd0/0x3770\n\n Freed by task 6504:\n kfree+0x238/0x4e4\n tuner_remove+0x144/0x1c0\n i2c_device_remove+0xc8/0x290\n __device_release_driver+0x314/0x5fc\n device_release_driver+0x30/0x44\n bus_remove_device+0x244/0x490\n device_del+0x350/0x900\n device_unregister+0x28/0xd0\n i2c_unregister_device+0x174/0x1d0\n v4l2_device_unregister+0x224/0x380\n em28xx_v4l2_init+0x1d90/0x3770\n\n The buggy address belongs to the object at ffff8000d7ca2000\n which belongs to the cache kmalloc-2k of size 2048\n The buggy address is located 776 bytes inside of\n 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)\n The buggy address belongs to the page:\n page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0\n flags: 0x7ff800000000100(slab)\n raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000\n raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\n[2]\n Actually, it is allocated for struct tuner, and dvb_frontend is inside.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/208deb6d8c3cb8c3acb1f41eb31cf68ea08726d5\",\n \"https://git.kernel.org/stable/c/68594cec291ff9523b9feb3f43fd853dcddd1f60\",\n \"https://git.kernel.org/stable/c/850304152d367f104d21c77cfbcc05806504218b\",\n \"https://git.kernel.org/stable/c/ef517bdfc01818419f7bd426969a0c86b14f3e0e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: xc2028: avoid use-after-free in load_firmware_cb()\\n\\nsyzkaller reported use-after-free in load_firmware_cb() [1].\\nThe reason is because the module allocated a struct tuner in tuner_probe(),\\nand then the module initialization failed, the struct tuner was released.\\nA worker which created during module initialization accesses this struct\\ntuner later, it caused use-after-free.\\n\\nThe process is as follows:\\n\\ntask-6504 worker_thread\\ntuner_probe <= alloc dvb_frontend [2]\\n...\\nrequest_firmware_nowait <= create a worker\\n...\\ntuner_remove <= free dvb_frontend\\n...\\n request_firmware_work_func <= the firmware is ready\\n load_firmware_cb <= but now the dvb_frontend has been freed\\n\\nTo fix the issue, check the dvd_frontend in load_firmware_cb(), if it is\\nnull, report a warning and just return.\\n\\n[1]:\\n ==================================================================\\n BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0\\n Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504\\n\\n Call trace:\\n load_firmware_cb+0x1310/0x17a0\\n request_firmware_work_func+0x128/0x220\\n process_one_work+0x770/0x1824\\n worker_thread+0x488/0xea0\\n kthread+0x300/0x430\\n ret_from_fork+0x10/0x20\\n\\n Allocated by task 6504:\\n kzalloc\\n tuner_probe+0xb0/0x1430\\n i2c_device_probe+0x92c/0xaf0\\n really_probe+0x678/0xcd0\\n driver_probe_device+0x280/0x370\\n __device_attach_driver+0x220/0x330\\n bus_for_each_drv+0x134/0x1c0\\n __device_attach+0x1f4/0x410\\n device_initial_probe+0x20/0x30\\n bus_probe_device+0x184/0x200\\n device_add+0x924/0x12c0\\n device_register+0x24/0x30\\n i2c_new_device+0x4e0/0xc44\\n v4l2_i2c_new_subdev_board+0xbc/0x290\\n v4l2_i2c_new_subdev+0xc8/0x104\\n em28xx_v4l2_init+0x1dd0/0x3770\\n\\n Freed by task 6504:\\n kfree+0x238/0x4e4\\n tuner_remove+0x144/0x1c0\\n i2c_device_remove+0xc8/0x290\\n __device_release_driver+0x314/0x5fc\\n device_release_driver+0x30/0x44\\n bus_remove_device+0x244/0x490\\n device_del+0x350/0x900\\n device_unregister+0x28/0xd0\\n i2c_unregister_device+0x174/0x1d0\\n v4l2_device_unregister+0x224/0x380\\n em28xx_v4l2_init+0x1d90/0x3770\\n\\n The buggy address belongs to the object at ffff8000d7ca2000\\n which belongs to the cache kmalloc-2k of size 2048\\n The buggy address is located 776 bytes inside of\\n 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)\\n The buggy address belongs to the page:\\n page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0\\n flags: 0x7ff800000000100(slab)\\n raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000\\n raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\\n page dumped because: kasan: bad access detected\\n\\n Memory state around the buggy address:\\n ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ^\\n ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ==================================================================\\n\\n[2]\\n Actually, it is allocated for struct tuner, and dvb_frontend is inside.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43901", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43901" + }, + { + "url": "https://git.kernel.org/stable/c/1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351" + }, + { + "url": "https://git.kernel.org/stable/c/5af757124792817f8eb1bd0c80ad60fab519586b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43901 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43901", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\n\nWhen users run the command:\n\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\n\nThe following NULL pointer dereference happens:\n\n[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL\n[ +0.000005] #PF: supervisor instruction fetch in kernel mode\n[ +0.000002] #PF: error_code(0x0010) - not-present page\n[ +0.000002] PGD 0 P4D 0\n[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ +0.000003] RIP: 0010:0x0\n[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[...]\n[ +0.000002] PKRU: 55555554\n[ +0.000002] Call Trace:\n[ +0.000002] \n[ +0.000003] ? show_regs+0x65/0x70\n[ +0.000006] ? __die+0x24/0x70\n[ +0.000004] ? page_fault_oops+0x160/0x470\n[ +0.000006] ? do_user_addr_fault+0x2b5/0x690\n[ +0.000003] ? prb_read_valid+0x1c/0x30\n[ +0.000005] ? exc_page_fault+0x8c/0x1a0\n[ +0.000005] ? asm_exc_page_fault+0x27/0x30\n[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]\n[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? vsnprintf+0x2fb/0x600\n[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\n[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170\n[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? debug_smp_processor_id+0x17/0x20\n[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? set_ptes.isra.0+0x2b/0x90\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? _raw_spin_unlock+0x19/0x40\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? do_anonymous_page+0x337/0x700\n[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]\n[ +0.000207] full_proxy_read+0x66/0x90\n[ +0.000007] vfs_read+0xb0/0x340\n[ +0.000005] ? __count_memcg_events+0x79/0xe0\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40\n[ +0.000003] ? handle_mm_fault+0xb2/0x370\n[ +0.000003] ksys_read+0x6b/0xf0\n[ +0.000004] __x64_sys_read+0x19/0x20\n[ +0.000003] do_syscall_64+0x60/0x130\n[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ +0.000003] RIP: 0033:0x7fdf32f147e2\n[...]\n\nThis error happens when the color log tries to read the gamut remap\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\nwhich leads to a null pointer dereference. This commit addresses this\nissue by adding a proper guard to access the gamut_remap callback in\ncase the specific ASIC did not implement this function.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43901\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43901\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43901\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43901\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43901\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351\",\n \"https://git.kernel.org/stable/c/5af757124792817f8eb1bd0c80ad60fab519586b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\\n\\nWhen users run the command:\\n\\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\\n\\nThe following NULL pointer dereference happens:\\n\\n[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL\\n[ +0.000005] #PF: supervisor instruction fetch in kernel mode\\n[ +0.000002] #PF: error_code(0x0010) - not-present page\\n[ +0.000002] PGD 0 P4D 0\\n[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\\n[ +0.000003] RIP: 0010:0x0\\n[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\\n[...]\\n[ +0.000002] PKRU: 55555554\\n[ +0.000002] Call Trace:\\n[ +0.000002] \\n[ +0.000003] ? show_regs+0x65/0x70\\n[ +0.000006] ? __die+0x24/0x70\\n[ +0.000004] ? page_fault_oops+0x160/0x470\\n[ +0.000006] ? do_user_addr_fault+0x2b5/0x690\\n[ +0.000003] ? prb_read_valid+0x1c/0x30\\n[ +0.000005] ? exc_page_fault+0x8c/0x1a0\\n[ +0.000005] ? asm_exc_page_fault+0x27/0x30\\n[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]\\n[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000003] ? vsnprintf+0x2fb/0x600\\n[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\\n[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170\\n[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000002] ? debug_smp_processor_id+0x17/0x20\\n[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000002] ? set_ptes.isra.0+0x2b/0x90\\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000002] ? _raw_spin_unlock+0x19/0x40\\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000002] ? do_anonymous_page+0x337/0x700\\n[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]\\n[ +0.000207] full_proxy_read+0x66/0x90\\n[ +0.000007] vfs_read+0xb0/0x340\\n[ +0.000005] ? __count_memcg_events+0x79/0xe0\\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40\\n[ +0.000003] ? handle_mm_fault+0xb2/0x370\\n[ +0.000003] ksys_read+0x6b/0xf0\\n[ +0.000004] __x64_sys_read+0x19/0x20\\n[ +0.000003] do_syscall_64+0x60/0x130\\n[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ +0.000003] RIP: 0033:0x7fdf32f147e2\\n[...]\\n\\nThis error happens when the color log tries to read the gamut remap\\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\\nwhich leads to a null pointer dereference. This commit addresses this\\nissue by adding a proper guard to access the gamut_remap callback in\\ncase the specific ASIC did not implement this function.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43901\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43902", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43902" + }, + { + "url": "https://git.kernel.org/stable/c/1686675405d07f35eae7ff3d13a530034b899df2" + }, + { + "url": "https://git.kernel.org/stable/c/4cc2a94d96caeb3c975acdae7351c2f997c32175" + }, + { + "url": "https://git.kernel.org/stable/c/8092aa3ab8f7b737a34b71f91492c676a843043a" + }, + { + "url": "https://git.kernel.org/stable/c/83c7f509ef087041604e9572938f82e18b724c9d" + }, + { + "url": "https://git.kernel.org/stable/c/d0b8b23b9c2ebec693a36fea518d8f13493ad655" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43902 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43902", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null checker before passing variables\n\nChecks null pointer before passing variables to functions.\n\nThis fixes 3 NULL_RETURNS issues reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43902\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43902\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43902\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43902\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43902\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1686675405d07f35eae7ff3d13a530034b899df2\",\n \"https://git.kernel.org/stable/c/4cc2a94d96caeb3c975acdae7351c2f997c32175\",\n \"https://git.kernel.org/stable/c/8092aa3ab8f7b737a34b71f91492c676a843043a\",\n \"https://git.kernel.org/stable/c/83c7f509ef087041604e9572938f82e18b724c9d\",\n \"https://git.kernel.org/stable/c/d0b8b23b9c2ebec693a36fea518d8f13493ad655\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add null checker before passing variables\\n\\nChecks null pointer before passing variables to functions.\\n\\nThis fixes 3 NULL_RETURNS issues reported by Coverity.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43902\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43903", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43903" + }, + { + "url": "https://git.kernel.org/stable/c/31a679a880102dee6e10985a7b1789af8dc328cc" + }, + { + "url": "https://git.kernel.org/stable/c/38e6f715b02b572f74677eb2f29d3b4bc6f1ddff" + }, + { + "url": "https://git.kernel.org/stable/c/94220b35aeba2b68da81deeefbb784d94eeb5c04" + }, + { + "url": "https://git.kernel.org/stable/c/ce5d090af683137cb779ed7e3683839f9c778b35" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43903 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43903", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update\n\nThis commit adds a null check for the 'afb' variable in the\namdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was\nassumed to be null, but was used later in the code without a null check.\nThis could potentially lead to a null pointer dereference.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43903\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43903\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43903\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43903\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43903\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/31a679a880102dee6e10985a7b1789af8dc328cc\",\n \"https://git.kernel.org/stable/c/38e6f715b02b572f74677eb2f29d3b4bc6f1ddff\",\n \"https://git.kernel.org/stable/c/94220b35aeba2b68da81deeefbb784d94eeb5c04\",\n \"https://git.kernel.org/stable/c/ce5d090af683137cb779ed7e3683839f9c778b35\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update\\n\\nThis commit adds a null check for the 'afb' variable in the\\namdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was\\nassumed to be null, but was used later in the code without a null check.\\nThis could potentially lead to a null pointer dereference.\\n\\nFixes the below:\\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43903\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43904", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43904" + }, + { + "url": "https://git.kernel.org/stable/c/15c2990e0f0108b9c3752d7072a97d45d4283aea" + }, + { + "url": "https://git.kernel.org/stable/c/16a8a2a839d19c4cf7253642b493ffb8eee1d857" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43904 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43904", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing\n\nThis commit adds null checks for the 'stream' and 'plane' variables in\nthe dcn30_apply_idle_power_optimizations function. These variables were\npreviously assumed to be null at line 922, but they were used later in\nthe code without checking if they were null. This could potentially lead\nto a null pointer dereference, which would cause a crash.\n\nThe null checks ensure that 'stream' and 'plane' are not null before\nthey are used, preventing potential crashes.\n\nFixes the below static smatch checker:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922)\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43904\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43904\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43904\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43904\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43904\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15c2990e0f0108b9c3752d7072a97d45d4283aea\",\n \"https://git.kernel.org/stable/c/16a8a2a839d19c4cf7253642b493ffb8eee1d857\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing\\n\\nThis commit adds null checks for the 'stream' and 'plane' variables in\\nthe dcn30_apply_idle_power_optimizations function. These variables were\\npreviously assumed to be null at line 922, but they were used later in\\nthe code without checking if they were null. This could potentially lead\\nto a null pointer dereference, which would cause a crash.\\n\\nThe null checks ensure that 'stream' and 'plane' are not null before\\nthey are used, preventing potential crashes.\\n\\nFixes the below static smatch checker:\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922)\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43904\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43905" + }, + { + "url": "https://git.kernel.org/stable/c/2e538944996d0dd497faf8ee81f8bfcd3aca7d80" + }, + { + "url": "https://git.kernel.org/stable/c/50151b7f1c79a09117837eb95b76c2de76841dab" + }, + { + "url": "https://git.kernel.org/stable/c/69a441473fec2fc2aa2cf56122d6c42c4266a239" + }, + { + "url": "https://git.kernel.org/stable/c/c2629daf218a325f4d69754452cd42fe8451c15b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43905", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Fix the null pointer dereference for vega10_hwmgr\n\nCheck return value and conduct null pointer handling to avoid null pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e538944996d0dd497faf8ee81f8bfcd3aca7d80\",\n \"https://git.kernel.org/stable/c/50151b7f1c79a09117837eb95b76c2de76841dab\",\n \"https://git.kernel.org/stable/c/69a441473fec2fc2aa2cf56122d6c42c4266a239\",\n \"https://git.kernel.org/stable/c/c2629daf218a325f4d69754452cd42fe8451c15b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/pm: Fix the null pointer dereference for vega10_hwmgr\\n\\nCheck return value and conduct null pointer handling to avoid null pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43906", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43906" + }, + { + "url": "https://git.kernel.org/stable/c/030ffd4d43b433bc6671d9ec34fc12c59220b95d" + }, + { + "url": "https://git.kernel.org/stable/c/4fd52f7c2c11d330571c6bde06e5ea508ec25c9d" + }, + { + "url": "https://git.kernel.org/stable/c/641dac64178ccdb9e45c92b67120316896294d05" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43906 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43906", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/admgpu: fix dereferencing null pointer context\n\nWhen user space sets an invalid ta type, the pointer context will be empty.\nSo it need to check the pointer context before using it", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43906\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43906\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43906\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43906\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43906\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/030ffd4d43b433bc6671d9ec34fc12c59220b95d\",\n \"https://git.kernel.org/stable/c/4fd52f7c2c11d330571c6bde06e5ea508ec25c9d\",\n \"https://git.kernel.org/stable/c/641dac64178ccdb9e45c92b67120316896294d05\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/admgpu: fix dereferencing null pointer context\\n\\nWhen user space sets an invalid ta type, the pointer context will be empty.\\nSo it need to check the pointer context before using it\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43906\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43907", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43907" + }, + { + "url": "https://git.kernel.org/stable/c/0c065e50445aea2e0a1815f12e97ee49e02cbaac" + }, + { + "url": "https://git.kernel.org/stable/c/13937a40aae4efe64592ba48c057ac3c72f7fe82" + }, + { + "url": "https://git.kernel.org/stable/c/3a01bf2ca9f860fdc88c358567b8fa3033efcf30" + }, + { + "url": "https://git.kernel.org/stable/c/c1749313f35b98e2e655479f037db37f19756622" + }, + { + "url": "https://git.kernel.org/stable/c/d19fb10085a49b77578314f69fff21562f7cd054" + }, + { + "url": "https://git.kernel.org/stable/c/e04d18c29954441aa1054af649f957ffad90a201" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43907 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43907", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules\n\nCheck the pointer value to fix potential null pointer\ndereference", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43907\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43907\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43907\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43907\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43907\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c065e50445aea2e0a1815f12e97ee49e02cbaac\",\n \"https://git.kernel.org/stable/c/13937a40aae4efe64592ba48c057ac3c72f7fe82\",\n \"https://git.kernel.org/stable/c/3a01bf2ca9f860fdc88c358567b8fa3033efcf30\",\n \"https://git.kernel.org/stable/c/c1749313f35b98e2e655479f037db37f19756622\",\n \"https://git.kernel.org/stable/c/d19fb10085a49b77578314f69fff21562f7cd054\",\n \"https://git.kernel.org/stable/c/e04d18c29954441aa1054af649f957ffad90a201\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules\\n\\nCheck the pointer value to fix potential null pointer\\ndereference\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43907\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43908", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43908" + }, + { + "url": "https://git.kernel.org/stable/c/033187a70ba9743c73a810a006816e5553d1e7d4" + }, + { + "url": "https://git.kernel.org/stable/c/48cada0ac79e4775236d642e9ec5998a7c7fb7a4" + }, + { + "url": "https://git.kernel.org/stable/c/4c11d30c95576937c6c35e6f29884761f2dddb43" + }, + { + "url": "https://git.kernel.org/stable/c/56e848034ccabe44e8f22ffcf49db771c17b0d0a" + }, + { + "url": "https://git.kernel.org/stable/c/b89616333979114bb0da5fa40fb6e4a2f5294ca2" + }, + { + "url": "https://git.kernel.org/stable/c/d81c1eeb333d84b3012a91c0500189dc1d71e46c" + }, + { + "url": "https://git.kernel.org/stable/c/ff5c4eb71ee8951c789b079f6e948f86708b04ed" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43908 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43908", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix the null pointer dereference to ras_manager\n\nCheck ras_manager before using it", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43908\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43908\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43908\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43908\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43908\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/033187a70ba9743c73a810a006816e5553d1e7d4\",\n \"https://git.kernel.org/stable/c/48cada0ac79e4775236d642e9ec5998a7c7fb7a4\",\n \"https://git.kernel.org/stable/c/4c11d30c95576937c6c35e6f29884761f2dddb43\",\n \"https://git.kernel.org/stable/c/56e848034ccabe44e8f22ffcf49db771c17b0d0a\",\n \"https://git.kernel.org/stable/c/b89616333979114bb0da5fa40fb6e4a2f5294ca2\",\n \"https://git.kernel.org/stable/c/d81c1eeb333d84b3012a91c0500189dc1d71e46c\",\n \"https://git.kernel.org/stable/c/ff5c4eb71ee8951c789b079f6e948f86708b04ed\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fix the null pointer dereference to ras_manager\\n\\nCheck ras_manager before using it\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43908\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43909", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43909" + }, + { + "url": "https://git.kernel.org/stable/c/09544cd95c688d3041328a4253bd7514972399bb" + }, + { + "url": "https://git.kernel.org/stable/c/1b8aa82b80bd947b68a8ab051d960a0c7935e22d" + }, + { + "url": "https://git.kernel.org/stable/c/37b9df457cbcf095963d18f17d6cb7dfa0a03fce" + }, + { + "url": "https://git.kernel.org/stable/c/7f56f050f02c27ed89cce1ea0c04b34abce32751" + }, + { + "url": "https://git.kernel.org/stable/c/c02c1960c93eede587576625a1221205a68a904f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43909 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43909", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix the null pointer dereference for smu7\n\noptimize the code to avoid pass a null pointer (hwmgr->backend)\nto function smu7_update_edc_leakage_table.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43909\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43909\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43909\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43909\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43909\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09544cd95c688d3041328a4253bd7514972399bb\",\n \"https://git.kernel.org/stable/c/1b8aa82b80bd947b68a8ab051d960a0c7935e22d\",\n \"https://git.kernel.org/stable/c/37b9df457cbcf095963d18f17d6cb7dfa0a03fce\",\n \"https://git.kernel.org/stable/c/7f56f050f02c27ed89cce1ea0c04b34abce32751\",\n \"https://git.kernel.org/stable/c/c02c1960c93eede587576625a1221205a68a904f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu/pm: Fix the null pointer dereference for smu7\\n\\noptimize the code to avoid pass a null pointer (hwmgr->backend)\\nto function smu7_update_edc_leakage_table.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43909\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43910", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43910" + }, + { + "url": "https://git.kernel.org/stable/c/13663a7c644bf1dedaf461d07252db5d76c8759a" + }, + { + "url": "https://git.kernel.org/stable/c/ec2b9a5e11e51fea1bb04c1e7e471952e887e874" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43910 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43910", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses\n\nCurrently, it's possible to pass in a modified CONST_PTR_TO_DYNPTR to\na global function as an argument. The adverse effects of this is that\nBPF helpers can continue to make use of this modified\nCONST_PTR_TO_DYNPTR from within the context of the global function,\nwhich can unintentionally result in out-of-bounds memory accesses and\ntherefore compromise overall system stability i.e.\n\n[ 244.157771] BUG: KASAN: slab-out-of-bounds in bpf_dynptr_data+0x137/0x140\n[ 244.161345] Read of size 8 at addr ffff88810914be68 by task test_progs/302\n[ 244.167151] CPU: 0 PID: 302 Comm: test_progs Tainted: G O E 6.10.0-rc3-00131-g66b586715063 #533\n[ 244.174318] Call Trace:\n[ 244.175787] \n[ 244.177356] dump_stack_lvl+0x66/0xa0\n[ 244.179531] print_report+0xce/0x670\n[ 244.182314] ? __virt_addr_valid+0x200/0x3e0\n[ 244.184908] kasan_report+0xd7/0x110\n[ 244.187408] ? bpf_dynptr_data+0x137/0x140\n[ 244.189714] ? bpf_dynptr_data+0x137/0x140\n[ 244.192020] bpf_dynptr_data+0x137/0x140\n[ 244.194264] bpf_prog_b02a02fdd2bdc5fa_global_call_bpf_dynptr_data+0x22/0x26\n[ 244.198044] bpf_prog_b0fe7b9d7dc3abde_callback_adjust_bpf_dynptr_reg_off+0x1f/0x23\n[ 244.202136] bpf_user_ringbuf_drain+0x2c7/0x570\n[ 244.204744] ? 0xffffffffc0009e58\n[ 244.206593] ? __pfx_bpf_user_ringbuf_drain+0x10/0x10\n[ 244.209795] bpf_prog_33ab33f6a804ba2d_user_ringbuf_callback_const_ptr_to_dynptr_reg_off+0x47/0x4b\n[ 244.215922] bpf_trampoline_6442502480+0x43/0xe3\n[ 244.218691] __x64_sys_prlimit64+0x9/0xf0\n[ 244.220912] do_syscall_64+0xc1/0x1d0\n[ 244.223043] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 244.226458] RIP: 0033:0x7ffa3eb8f059\n[ 244.228582] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48\n[ 244.241307] RSP: 002b:00007ffa3e9c6eb8 EFLAGS: 00000206 ORIG_RAX: 000000000000012e\n[ 244.246474] RAX: ffffffffffffffda RBX: 00007ffa3e9c7cdc RCX: 00007ffa3eb8f059\n[ 244.250478] RDX: 00007ffa3eb162b4 RSI: 0000000000000000 RDI: 00007ffa3e9c7fb0\n[ 244.255396] RBP: 00007ffa3e9c6ed0 R08: 00007ffa3e9c76c0 R09: 0000000000000000\n[ 244.260195] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffff80\n[ 244.264201] R13: 000000000000001c R14: 00007ffc5d6b4260 R15: 00007ffa3e1c7000\n[ 244.268303] \n\nAdd a check_func_arg_reg_off() to the path in which the BPF verifier\nverifies the arguments of global function arguments, specifically\nthose which take an argument of type ARG_PTR_TO_DYNPTR |\nMEM_RDONLY. Also, process_dynptr_func() doesn't appear to perform any\nexplicit and strict type matching on the supplied register type, so\nlet's also enforce that a register either type PTR_TO_STACK or\nCONST_PTR_TO_DYNPTR is by the caller.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43910\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43910\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43910\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43910\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43910\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13663a7c644bf1dedaf461d07252db5d76c8759a\",\n \"https://git.kernel.org/stable/c/ec2b9a5e11e51fea1bb04c1e7e471952e887e874\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses\\n\\nCurrently, it's possible to pass in a modified CONST_PTR_TO_DYNPTR to\\na global function as an argument. The adverse effects of this is that\\nBPF helpers can continue to make use of this modified\\nCONST_PTR_TO_DYNPTR from within the context of the global function,\\nwhich can unintentionally result in out-of-bounds memory accesses and\\ntherefore compromise overall system stability i.e.\\n\\n[ 244.157771] BUG: KASAN: slab-out-of-bounds in bpf_dynptr_data+0x137/0x140\\n[ 244.161345] Read of size 8 at addr ffff88810914be68 by task test_progs/302\\n[ 244.167151] CPU: 0 PID: 302 Comm: test_progs Tainted: G O E 6.10.0-rc3-00131-g66b586715063 #533\\n[ 244.174318] Call Trace:\\n[ 244.175787] \\n[ 244.177356] dump_stack_lvl+0x66/0xa0\\n[ 244.179531] print_report+0xce/0x670\\n[ 244.182314] ? __virt_addr_valid+0x200/0x3e0\\n[ 244.184908] kasan_report+0xd7/0x110\\n[ 244.187408] ? bpf_dynptr_data+0x137/0x140\\n[ 244.189714] ? bpf_dynptr_data+0x137/0x140\\n[ 244.192020] bpf_dynptr_data+0x137/0x140\\n[ 244.194264] bpf_prog_b02a02fdd2bdc5fa_global_call_bpf_dynptr_data+0x22/0x26\\n[ 244.198044] bpf_prog_b0fe7b9d7dc3abde_callback_adjust_bpf_dynptr_reg_off+0x1f/0x23\\n[ 244.202136] bpf_user_ringbuf_drain+0x2c7/0x570\\n[ 244.204744] ? 0xffffffffc0009e58\\n[ 244.206593] ? __pfx_bpf_user_ringbuf_drain+0x10/0x10\\n[ 244.209795] bpf_prog_33ab33f6a804ba2d_user_ringbuf_callback_const_ptr_to_dynptr_reg_off+0x47/0x4b\\n[ 244.215922] bpf_trampoline_6442502480+0x43/0xe3\\n[ 244.218691] __x64_sys_prlimit64+0x9/0xf0\\n[ 244.220912] do_syscall_64+0xc1/0x1d0\\n[ 244.223043] entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n[ 244.226458] RIP: 0033:0x7ffa3eb8f059\\n[ 244.228582] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48\\n[ 244.241307] RSP: 002b:00007ffa3e9c6eb8 EFLAGS: 00000206 ORIG_RAX: 000000000000012e\\n[ 244.246474] RAX: ffffffffffffffda RBX: 00007ffa3e9c7cdc RCX: 00007ffa3eb8f059\\n[ 244.250478] RDX: 00007ffa3eb162b4 RSI: 0000000000000000 RDI: 00007ffa3e9c7fb0\\n[ 244.255396] RBP: 00007ffa3e9c6ed0 R08: 00007ffa3e9c76c0 R09: 0000000000000000\\n[ 244.260195] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffff80\\n[ 244.264201] R13: 000000000000001c R14: 00007ffc5d6b4260 R15: 00007ffa3e1c7000\\n[ 244.268303] \\n\\nAdd a check_func_arg_reg_off() to the path in which the BPF verifier\\nverifies the arguments of global function arguments, specifically\\nthose which take an argument of type ARG_PTR_TO_DYNPTR |\\nMEM_RDONLY. Also, process_dynptr_func() doesn't appear to perform any\\nexplicit and strict type matching on the supplied register type, so\\nlet's also enforce that a register either type PTR_TO_STACK or\\nCONST_PTR_TO_DYNPTR is by the caller.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43910\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43911", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43911" + }, + { + "url": "https://git.kernel.org/stable/c/021d53a3d87eeb9dbba524ac515651242a2a7e3b" + }, + { + "url": "https://git.kernel.org/stable/c/a5594c1e03b0df3908b1e1202a1ba34422eed0f6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43911 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43911", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\n\nIn MLD connection, link_data/link_conf are dynamically allocated. They\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\nht_supported/vht_supported/has_he/has_eht on sta deflink.\n\nCrash log (with rtw89 version under MLO development):\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 9890.526102] #PF: supervisor read access in kernel mode\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\n[ 9890.526109] PGD 0 P4D 0\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\nAll code\n========\n 0:\tf7 e8 \timul %eax\n 2:\td5 \t(bad)\n 3:\t93 \txchg %eax,%ebx\n 4:\t3e ea \tds (bad)\n 6:\t48 83 c4 28 \tadd $0x28,%rsp\n a:\t89 d8 \tmov %ebx,%eax\n c:\t5b \tpop %rbx\n d:\t41 5c \tpop %r12\n f:\t41 5d \tpop %r13\n 11:\t41 5e \tpop %r14\n 13:\t41 5f \tpop %r15\n 15:\t5d \tpop %rbp\n 16:\tc3 \tretq\n 17:\tcc \tint3\n 18:\tcc \tint3\n 19:\tcc \tint3\n 1a:\tcc \tint3\n 1b:\t49 8b 84 24 e0 f1 ff \tmov -0xe20(%r12),%rax\n 22:\tff\n 23:\t48 8b 80 90 1b 00 00 \tmov 0x1b90(%rax),%rax\n 2a:*\t83 38 03 \tcmpl $0x3,(%rax)\t\t<-- trapping instruction\n 2d:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe6a\n 33:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n 38:\teb cc \tjmp 0x6\n 3a:\t49 \trex.WB\n 3b:\t8b \t.byte 0x8b\n 3c:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 3f:\tf3 \trepz\n\nCode starting with the faulting instruction\n===========================================\n 0:\t83 38 03 \tcmpl $0x3,(%rax)\n 3:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe40\n 9:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n e:\teb cc \tjmp 0xffffffffffffffdc\n 10:\t49 \trex.WB\n 11:\t8b \t.byte 0x8b\n 12:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 15:\tf3 \trepz\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\n[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\n[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\n[ 9890.526321] Call Trace:\n[ 9890.526324] \n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43911\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43911\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43911\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43911\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43911\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/021d53a3d87eeb9dbba524ac515651242a2a7e3b\",\n \"https://git.kernel.org/stable/c/a5594c1e03b0df3908b1e1202a1ba34422eed0f6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\\n\\nIn MLD connection, link_data/link_conf are dynamically allocated. They\\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\\nht_supported/vht_supported/has_he/has_eht on sta deflink.\\n\\nCrash log (with rtw89 version under MLO development):\\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\\n[ 9890.526102] #PF: supervisor read access in kernel mode\\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\\n[ 9890.526109] PGD 0 P4D 0\\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1\\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\\nAll code\\n========\\n 0:\\tf7 e8 \\timul %eax\\n 2:\\td5 \\t(bad)\\n 3:\\t93 \\txchg %eax,%ebx\\n 4:\\t3e ea \\tds (bad)\\n 6:\\t48 83 c4 28 \\tadd $0x28,%rsp\\n a:\\t89 d8 \\tmov %ebx,%eax\\n c:\\t5b \\tpop %rbx\\n d:\\t41 5c \\tpop %r12\\n f:\\t41 5d \\tpop %r13\\n 11:\\t41 5e \\tpop %r14\\n 13:\\t41 5f \\tpop %r15\\n 15:\\t5d \\tpop %rbp\\n 16:\\tc3 \\tretq\\n 17:\\tcc \\tint3\\n 18:\\tcc \\tint3\\n 19:\\tcc \\tint3\\n 1a:\\tcc \\tint3\\n 1b:\\t49 8b 84 24 e0 f1 ff \\tmov -0xe20(%r12),%rax\\n 22:\\tff\\n 23:\\t48 8b 80 90 1b 00 00 \\tmov 0x1b90(%rax),%rax\\n 2a:*\\t83 38 03 \\tcmpl $0x3,(%rax)\\t\\t<-- trapping instruction\\n 2d:\\t0f 84 37 fe ff ff \\tje 0xfffffffffffffe6a\\n 33:\\tbb ea ff ff ff \\tmov $0xffffffea,%ebx\\n 38:\\teb cc \\tjmp 0x6\\n 3a:\\t49 \\trex.WB\\n 3b:\\t8b \\t.byte 0x8b\\n 3c:\\t84 24 10 \\ttest %ah,(%rax,%rdx,1)\\n 3f:\\tf3 \\trepz\\n\\nCode starting with the faulting instruction\\n===========================================\\n 0:\\t83 38 03 \\tcmpl $0x3,(%rax)\\n 3:\\t0f 84 37 fe ff ff \\tje 0xfffffffffffffe40\\n 9:\\tbb ea ff ff ff \\tmov $0xffffffea,%ebx\\n e:\\teb cc \\tjmp 0xffffffffffffffdc\\n 10:\\t49 \\trex.WB\\n 11:\\t8b \\t.byte 0x8b\\n 12:\\t84 24 10 \\ttest %ah,(%rax,%rdx,1)\\n 15:\\tf3 \\trepz\\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\\n[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\\n[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\\n[ 9890.526321] Call Trace:\\n[ 9890.526324] \\n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43911\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43912", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43912" + }, + { + "url": "https://git.kernel.org/stable/c/23daf1b4c91db9b26f8425cc7039cf96d22ccbfe" + }, + { + "url": "https://git.kernel.org/stable/c/3d42f2125f6c89e1e71c87b9f23412afddbba45e" + }, + { + "url": "https://git.kernel.org/stable/c/ac3bf6e47fd8da9bfe8027e1acfe0282a91584fc" + }, + { + "url": "https://git.kernel.org/stable/c/c6ea738e3feb407a3283197d9a25d0788f4f3cee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43912 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43912", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: disallow setting special AP channel widths\n\nSetting the AP channel width is meant for use with the normal\n20/40/... MHz channel width progression, and switching around\nin S1G or narrow channels isn't supported. Disallow that.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43912\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43912\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43912\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43912\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43912\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23daf1b4c91db9b26f8425cc7039cf96d22ccbfe\",\n \"https://git.kernel.org/stable/c/3d42f2125f6c89e1e71c87b9f23412afddbba45e\",\n \"https://git.kernel.org/stable/c/ac3bf6e47fd8da9bfe8027e1acfe0282a91584fc\",\n \"https://git.kernel.org/stable/c/c6ea738e3feb407a3283197d9a25d0788f4f3cee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: nl80211: disallow setting special AP channel widths\\n\\nSetting the AP channel width is meant for use with the normal\\n20/40/... MHz channel width progression, and switching around\\nin S1G or narrow channels isn't supported. Disallow that.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43912\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43913", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43913" + }, + { + "url": "https://git.kernel.org/stable/c/b9ecbfa45516182cd062fecd286db7907ba84210" + }, + { + "url": "https://git.kernel.org/stable/c/d59c4d0eb6adc24c2201f153ccb7fd0a335b0d3d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43913 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43913", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: apple: fix device reference counting\n\nDrivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl.\nSplit the allocation side out to make the error handling boundary easier\nto navigate. The apple driver had been doing this wrong, leaking the\ncontroller device memory on a tagset failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43913\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43913\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43913\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43913\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43913\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/b9ecbfa45516182cd062fecd286db7907ba84210\",\n \"https://git.kernel.org/stable/c/d59c4d0eb6adc24c2201f153ccb7fd0a335b0d3d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme: apple: fix device reference counting\\n\\nDrivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl.\\nSplit the allocation side out to make the error handling boundary easier\\nto navigate. The apple driver had been doing this wrong, leaking the\\ncontroller device memory on a tagset failure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43913\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43914", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43914" + }, + { + "url": "https://git.kernel.org/stable/c/2c92f8c1c456d556f15cbf51667b385026b2e6a0" + }, + { + "url": "https://git.kernel.org/stable/c/305a5170dc5cf3d395bb4c4e9239bca6d0b54b49" + }, + { + "url": "https://git.kernel.org/stable/c/3b33740c1750a39e046339ff9240e954f0156707" + }, + { + "url": "https://git.kernel.org/stable/c/4811d6e5d9f4090c3e0ff9890eb24077108046ab" + }, + { + "url": "https://git.kernel.org/stable/c/6b33c468d543f6a83de2d61f09fec74b27e19fd2" + }, + { + "url": "https://git.kernel.org/stable/c/775a9ba16c9ffe98fe54ebf14e55d5660f2bf600" + }, + { + "url": "https://git.kernel.org/stable/c/bf0ff69a42a3d2d46876d0514ecf13dffc516666" + }, + { + "url": "https://git.kernel.org/stable/c/c384dd4f1fb3b14a2fd199360701cc163ea88705" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43914 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43914", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: avoid BUG_ON() while continue reshape after reassembling\n\nCurrently, mdadm support --revert-reshape to abort the reshape while\nreassembling, as the test 07revert-grow. However, following BUG_ON()\ncan be triggerred by the test:\n\nkernel BUG at drivers/md/raid5.c:6278!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nirq event stamp: 158985\nCPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94\nRIP: 0010:reshape_request+0x3f1/0xe60\nCall Trace:\n \n raid5_sync_request+0x43d/0x550\n md_do_sync+0xb7a/0x2110\n md_thread+0x294/0x2b0\n kthread+0x147/0x1c0\n ret_from_fork+0x59/0x70\n ret_from_fork_asm+0x1a/0x30\n \n\nRoot cause is that --revert-reshape update the raid_disks from 5 to 4,\nwhile reshape position is still set, and after reassembling the array,\nreshape position will be read from super block, then during reshape the\nchecking of 'writepos' that is caculated by old reshape position will\nfail.\n\nFix this panic the easy way first, by converting the BUG_ON() to\nWARN_ON(), and stop the reshape if checkings fail.\n\nNoted that mdadm must fix --revert-shape as well, and probably md/raid\nshould enhance metadata validation as well, however this means\nreassemble will fail and there must be user tools to fix the wrong\nmetadata.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43914\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43914\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43914\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43914\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43914\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c92f8c1c456d556f15cbf51667b385026b2e6a0\",\n \"https://git.kernel.org/stable/c/305a5170dc5cf3d395bb4c4e9239bca6d0b54b49\",\n \"https://git.kernel.org/stable/c/3b33740c1750a39e046339ff9240e954f0156707\",\n \"https://git.kernel.org/stable/c/4811d6e5d9f4090c3e0ff9890eb24077108046ab\",\n \"https://git.kernel.org/stable/c/6b33c468d543f6a83de2d61f09fec74b27e19fd2\",\n \"https://git.kernel.org/stable/c/775a9ba16c9ffe98fe54ebf14e55d5660f2bf600\",\n \"https://git.kernel.org/stable/c/bf0ff69a42a3d2d46876d0514ecf13dffc516666\",\n \"https://git.kernel.org/stable/c/c384dd4f1fb3b14a2fd199360701cc163ea88705\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd/raid5: avoid BUG_ON() while continue reshape after reassembling\\n\\nCurrently, mdadm support --revert-reshape to abort the reshape while\\nreassembling, as the test 07revert-grow. However, following BUG_ON()\\ncan be triggerred by the test:\\n\\nkernel BUG at drivers/md/raid5.c:6278!\\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\\nirq event stamp: 158985\\nCPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94\\nRIP: 0010:reshape_request+0x3f1/0xe60\\nCall Trace:\\n \\n raid5_sync_request+0x43d/0x550\\n md_do_sync+0xb7a/0x2110\\n md_thread+0x294/0x2b0\\n kthread+0x147/0x1c0\\n ret_from_fork+0x59/0x70\\n ret_from_fork_asm+0x1a/0x30\\n \\n\\nRoot cause is that --revert-reshape update the raid_disks from 5 to 4,\\nwhile reshape position is still set, and after reassembling the array,\\nreshape position will be read from super block, then during reshape the\\nchecking of 'writepos' that is caculated by old reshape position will\\nfail.\\n\\nFix this panic the easy way first, by converting the BUG_ON() to\\nWARN_ON(), and stop the reshape if checkings fail.\\n\\nNoted that mdadm must fix --revert-shape as well, and probably md/raid\\nshould enhance metadata validation as well, however this means\\nreassemble will fail and there must be user tools to fix the wrong\\nmetadata.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43914\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44931", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44931" + }, + { + "url": "https://git.kernel.org/stable/c/1b955f786a4bcde8c0ccb2b7d519def2acb6f3cc" + }, + { + "url": "https://git.kernel.org/stable/c/d776c0486b03a5c4afca65b8ff44573592bf93bb" + }, + { + "url": "https://git.kernel.org/stable/c/d795848ecce24a75dfd46481aee066ae6fe39775" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44931", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: prevent potential speculation leaks in gpio_device_get_desc()\n\nUserspace may trigger a speculative read of an address outside the gpio\ndescriptor array.\nUsers can do that by calling gpio_ioctl() with an offset out of range.\nOffset is copied from user and then used as an array index to get\nthe gpio descriptor without sanitization in gpio_device_get_desc().\n\nThis change ensures that the offset is sanitized by using\narray_index_nospec() to mitigate any possibility of speculative\ninformation leaks.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b955f786a4bcde8c0ccb2b7d519def2acb6f3cc\",\n \"https://git.kernel.org/stable/c/d776c0486b03a5c4afca65b8ff44573592bf93bb\",\n \"https://git.kernel.org/stable/c/d795848ecce24a75dfd46481aee066ae6fe39775\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpio: prevent potential speculation leaks in gpio_device_get_desc()\\n\\nUserspace may trigger a speculative read of an address outside the gpio\\ndescriptor array.\\nUsers can do that by calling gpio_ioctl() with an offset out of range.\\nOffset is copied from user and then used as an array index to get\\nthe gpio descriptor without sanitization in gpio_device_get_desc().\\n\\nThis change ensures that the offset is sanitized by using\\narray_index_nospec() to mitigate any possibility of speculative\\ninformation leaks.\\n\\nThis bug was discovered and resolved using Coverity Static Analysis\\nSecurity Testing (SAST) by Synopsys, Inc.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44934", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44934" + }, + { + "url": "https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f" + }, + { + "url": "https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f" + }, + { + "url": "https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078" + }, + { + "url": "https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658" + }, + { + "url": "https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44934", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mcast: wait for previous gc cycles when removing port\n\nsyzbot hit a use-after-free[1] which is caused because the bridge doesn't\nmake sure that all previous garbage has been collected when removing a\nport. What happens is:\n CPU 1 CPU 2\n start gc cycle remove port\n acquire gc lock first\n wait for lock\n call br_multicasg_gc() directly\n acquire lock now but free port\n the port can be freed\n while grp timers still\n running\n\nMake sure all previous gc cycles have finished by using flush_work before\nfreeing the port.\n\n[1]\n BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699\n\n CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n Call Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792\n expire_timers kernel/time/timer.c:1843 [inline]\n __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417\n __run_timer_base kernel/time/timer.c:2428 [inline]\n __run_timer_base kernel/time/timer.c:2421 [inline]\n run_timer_base+0x111/0x190 kernel/time/timer.c:2437", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f\",\n \"https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f\",\n \"https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078\",\n \"https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658\",\n \"https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: bridge: mcast: wait for previous gc cycles when removing port\\n\\nsyzbot hit a use-after-free[1] which is caused because the bridge doesn't\\nmake sure that all previous garbage has been collected when removing a\\nport. What happens is:\\n CPU 1 CPU 2\\n start gc cycle remove port\\n acquire gc lock first\\n wait for lock\\n call br_multicasg_gc() directly\\n acquire lock now but free port\\n the port can be freed\\n while grp timers still\\n running\\n\\nMake sure all previous gc cycles have finished by using flush_work before\\nfreeing the port.\\n\\n[1]\\n BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\\n Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699\\n\\n CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0\\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\\n Call Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0xc3/0x620 mm/kasan/report.c:488\\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\\n br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\\n call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792\\n expire_timers kernel/time/timer.c:1843 [inline]\\n __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417\\n __run_timer_base kernel/time/timer.c:2428 [inline]\\n __run_timer_base kernel/time/timer.c:2421 [inline]\\n run_timer_base+0x111/0x190 kernel/time/timer.c:2437\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44935", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44935" + }, + { + "url": "https://git.kernel.org/stable/c/05e4a0fa248240efd99a539853e844f0f0a9e6a5" + }, + { + "url": "https://git.kernel.org/stable/c/1407be30fc17eff918a98e0a990c0e988f11dc84" + }, + { + "url": "https://git.kernel.org/stable/c/52319d9d2f522ed939af31af70f8c3a0f0f67e6c" + }, + { + "url": "https://git.kernel.org/stable/c/54b303d8f9702b8ab618c5032fae886b16356928" + }, + { + "url": "https://git.kernel.org/stable/c/9ab0faa7f9ffe31296dbb9bbe6f76c72c14eea18" + }, + { + "url": "https://git.kernel.org/stable/c/c9b3fc4f157867e858734e31022ebee8a24f0de7" + }, + { + "url": "https://git.kernel.org/stable/c/e809a84c802377ef61525a298a1ec1728759b913" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44935 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44935", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix null-ptr-deref in reuseport_add_sock().\n\nsyzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in\nreuseport_add_sock(). [0]\n\nThe repro first creates a listener with SO_REUSEPORT. Then, it creates\nanother listener on the same port and concurrently closes the first\nlistener.\n\nThe second listen() calls reuseport_add_sock() with the first listener as\nsk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently,\nbut the close() does clear it by reuseport_detach_sock().\n\nThe problem is SCTP does not properly synchronise reuseport_alloc(),\nreuseport_add_sock(), and reuseport_detach_sock().\n\nThe caller of reuseport_alloc() and reuseport_{add,detach}_sock() must\nprovide synchronisation for sockets that are classified into the same\nreuseport group.\n\nOtherwise, such sockets form multiple identical reuseport groups, and\nall groups except one would be silently dead.\n\n 1. Two sockets call listen() concurrently\n 2. No socket in the same group found in sctp_ep_hashtable[]\n 3. Two sockets call reuseport_alloc() and form two reuseport groups\n 4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives\n incoming packets\n\nAlso, the reported null-ptr-deref could occur.\n\nTCP/UDP guarantees that would not happen by holding the hash bucket lock.\n\nLet's apply the locking strategy to __sctp_hash_endpoint() and\n__sctp_unhash_endpoint().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024\nRIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350\nCode: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14\nRSP: 0018:ffffc9000b947c98 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012\nRBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385\nR10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0\nR13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n __sctp_hash_endpoint net/sctp/input.c:762 [inline]\n sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790\n sctp_listen_start net/sctp/socket.c:8570 [inline]\n sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625\n __sys_listen_socket net/socket.c:1883 [inline]\n __sys_listen+0x1b7/0x230 net/socket.c:1894\n __do_sys_listen net/socket.c:1902 [inline]\n __se_sys_listen net/socket.c:1900 [inline]\n __x64_sys_listen+0x5a/0x70 net/socket.c:1900\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f24e46039b9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032\nRAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9\nRDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004\nRBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0\nR10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c\nR13:\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44935\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44935\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44935\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44935\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44935\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05e4a0fa248240efd99a539853e844f0f0a9e6a5\",\n \"https://git.kernel.org/stable/c/1407be30fc17eff918a98e0a990c0e988f11dc84\",\n \"https://git.kernel.org/stable/c/52319d9d2f522ed939af31af70f8c3a0f0f67e6c\",\n \"https://git.kernel.org/stable/c/54b303d8f9702b8ab618c5032fae886b16356928\",\n \"https://git.kernel.org/stable/c/9ab0faa7f9ffe31296dbb9bbe6f76c72c14eea18\",\n \"https://git.kernel.org/stable/c/c9b3fc4f157867e858734e31022ebee8a24f0de7\",\n \"https://git.kernel.org/stable/c/e809a84c802377ef61525a298a1ec1728759b913\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsctp: Fix null-ptr-deref in reuseport_add_sock().\\n\\nsyzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in\\nreuseport_add_sock(). [0]\\n\\nThe repro first creates a listener with SO_REUSEPORT. Then, it creates\\nanother listener on the same port and concurrently closes the first\\nlistener.\\n\\nThe second listen() calls reuseport_add_sock() with the first listener as\\nsk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently,\\nbut the close() does clear it by reuseport_detach_sock().\\n\\nThe problem is SCTP does not properly synchronise reuseport_alloc(),\\nreuseport_add_sock(), and reuseport_detach_sock().\\n\\nThe caller of reuseport_alloc() and reuseport_{add,detach}_sock() must\\nprovide synchronisation for sockets that are classified into the same\\nreuseport group.\\n\\nOtherwise, such sockets form multiple identical reuseport groups, and\\nall groups except one would be silently dead.\\n\\n 1. Two sockets call listen() concurrently\\n 2. No socket in the same group found in sctp_ep_hashtable[]\\n 3. Two sockets call reuseport_alloc() and form two reuseport groups\\n 4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives\\n incoming packets\\n\\nAlso, the reported null-ptr-deref could occur.\\n\\nTCP/UDP guarantees that would not happen by holding the hash bucket lock.\\n\\nLet's apply the locking strategy to __sctp_hash_endpoint() and\\n__sctp_unhash_endpoint().\\n\\n[0]:\\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\\nCPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024\\nRIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350\\nCode: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14\\nRSP: 0018:ffffc9000b947c98 EFLAGS: 00010202\\nRAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000\\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012\\nRBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385\\nR10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0\\nR13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000\\nFS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n __sctp_hash_endpoint net/sctp/input.c:762 [inline]\\n sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790\\n sctp_listen_start net/sctp/socket.c:8570 [inline]\\n sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625\\n __sys_listen_socket net/socket.c:1883 [inline]\\n __sys_listen+0x1b7/0x230 net/socket.c:1894\\n __do_sys_listen net/socket.c:1902 [inline]\\n __se_sys_listen net/socket.c:1900 [inline]\\n __x64_sys_listen+0x5a/0x70 net/socket.c:1900\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7f24e46039b9\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032\\nRAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9\\nRDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004\\nRBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0\\nR10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c\\nR13:\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44935\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44938", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44938" + }, + { + "url": "https://git.kernel.org/stable/c/234e6ea0855cdb5673d54ecaf7dc5c78f3e84630" + }, + { + "url": "https://git.kernel.org/stable/c/7063b80268e2593e58bee8a8d709c2f3ff93e2f2" + }, + { + "url": "https://git.kernel.org/stable/c/f650148b43949ca9e37e820804bb6026fff404f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44938 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44938", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix shift-out-of-bounds in dbDiscardAG\n\nWhen searching for the next smaller log2 block, BLKSTOL2() returned 0,\ncausing shift exponent -1 to be negative.\n\nThis patch fixes the issue by exiting the loop directly when negative\nshift is found.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44938\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44938\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44938\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44938\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44938\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/234e6ea0855cdb5673d54ecaf7dc5c78f3e84630\",\n \"https://git.kernel.org/stable/c/7063b80268e2593e58bee8a8d709c2f3ff93e2f2\",\n \"https://git.kernel.org/stable/c/f650148b43949ca9e37e820804bb6026fff404f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: Fix shift-out-of-bounds in dbDiscardAG\\n\\nWhen searching for the next smaller log2 block, BLKSTOL2() returned 0,\\ncausing shift exponent -1 to be negative.\\n\\nThis patch fixes the issue by exiting the loop directly when negative\\nshift is found.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44938\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44939", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44939" + }, + { + "url": "https://git.kernel.org/stable/c/6ea10dbb1e6c58384136e9adfd75f81951e423f6" + }, + { + "url": "https://git.kernel.org/stable/c/9c2ac38530d1a3ee558834dfa16c85a40fd0e702" + }, + { + "url": "https://git.kernel.org/stable/c/ce6dede912f064a855acf6f04a04cbb2c25b8c8c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44939 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44939", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix null ptr deref in dtInsertEntry\n\n[syzbot reported]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713\n...\n[Analyze]\nIn dtInsertEntry(), when the pointer h has the same value as p, after writing\nname in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the\npreviously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing\nthe name operation, this leads to entering an incorrect branch and accessing the\nuninitialized object ih when judging this condition for the second time.\n\n[Fix]\nAfter got the page, check freelist first, if freelist == 0 then exit dtInsert()\nand return -EINVAL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44939\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44939\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44939\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44939\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44939\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6ea10dbb1e6c58384136e9adfd75f81951e423f6\",\n \"https://git.kernel.org/stable/c/9c2ac38530d1a3ee558834dfa16c85a40fd0e702\",\n \"https://git.kernel.org/stable/c/ce6dede912f064a855acf6f04a04cbb2c25b8c8c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: fix null ptr deref in dtInsertEntry\\n\\n[syzbot reported]\\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\\nCPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nRIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713\\n...\\n[Analyze]\\nIn dtInsertEntry(), when the pointer h has the same value as p, after writing\\nname in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the\\npreviously true judgment \\\"p->header.flag & BT-LEAF\\\" to change to no after writing\\nthe name operation, this leads to entering an incorrect branch and accessing the\\nuninitialized object ih when judging this condition for the second time.\\n\\n[Fix]\\nAfter got the page, check freelist first, if freelist == 0 then exit dtInsert()\\nand return -EINVAL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44939\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44940", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44940" + }, + { + "url": "https://git.kernel.org/stable/c/3db4395332e7050ef9ddeb3052e6b5019f2a2a59" + }, + { + "url": "https://git.kernel.org/stable/c/440ab7f97261bc28501636a13998e1b1946d2e79" + }, + { + "url": "https://git.kernel.org/stable/c/dd89a81d850fa9a65f67b4527c0e420d15bf836c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44940 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44940", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: remove warn in gue_gro_receive on unsupported protocol\n\nDrop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is\nnot known or does not have a GRO handler.\n\nSuch a packet is easily constructed. Syzbot generates them and sets\noff this warning.\n\nRemove the warning as it is expected and not actionable.\n\nThe warning was previously reduced from WARN_ON to WARN_ON_ONCE in\ncommit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad\nproto callbacks\").", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44940\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44940\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44940\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44940\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44940\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3db4395332e7050ef9ddeb3052e6b5019f2a2a59\",\n \"https://git.kernel.org/stable/c/440ab7f97261bc28501636a13998e1b1946d2e79\",\n \"https://git.kernel.org/stable/c/dd89a81d850fa9a65f67b4527c0e420d15bf836c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfou: remove warn in gue_gro_receive on unsupported protocol\\n\\nDrop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is\\nnot known or does not have a GRO handler.\\n\\nSuch a packet is easily constructed. Syzbot generates them and sets\\noff this warning.\\n\\nRemove the warning as it is expected and not actionable.\\n\\nThe warning was previously reduced from WARN_ON to WARN_ON_ONCE in\\ncommit 270136613bf7 (\\\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad\\nproto callbacks\\\").\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44940\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44941", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44941" + }, + { + "url": "https://git.kernel.org/stable/c/263df78166d3a9609b97d28c34029bd01874cbb8" + }, + { + "url": "https://git.kernel.org/stable/c/323ef20b5558b9d9fd10c1224327af6f11a8177d" + }, + { + "url": "https://git.kernel.org/stable/c/d7409b05a64f212735f0d33f5f1602051a886eab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44941 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44941", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to cover read extent cache access with lock\n\nsyzbot reports a f2fs bug as below:\n\nBUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\nRead of size 4 at addr ffff8880739ab220 by task syz-executor200/5097\n\nCPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\n do_read_inode fs/f2fs/inode.c:509 [inline]\n f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560\n f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237\n generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413\n exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444\n exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584\n do_handle_to_path fs/fhandle.c:155 [inline]\n handle_to_path fs/fhandle.c:210 [inline]\n do_handle_open+0x495/0x650 fs/fhandle.c:226\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWe missed to cover sanity_check_extent_cache() w/ extent cache lock,\nso, below race case may happen, result in use after free issue.\n\n- f2fs_iget\n - do_read_inode\n - f2fs_init_read_extent_tree\n : add largest extent entry in to cache\n\t\t\t\t\t- shrink\n\t\t\t\t\t - f2fs_shrink_read_extent_tree\n\t\t\t\t\t - __shrink_extent_tree\n\t\t\t\t\t - __detach_extent_node\n\t\t\t\t\t : drop largest extent entry\n - sanity_check_extent_cache\n : access et->largest w/o lock\n\nlet's refactor sanity_check_extent_cache() to avoid extent cache access\nand call it before f2fs_init_read_extent_tree() to fix this issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44941\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44941\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44941\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44941\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44941\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/263df78166d3a9609b97d28c34029bd01874cbb8\",\n \"https://git.kernel.org/stable/c/323ef20b5558b9d9fd10c1224327af6f11a8177d\",\n \"https://git.kernel.org/stable/c/d7409b05a64f212735f0d33f5f1602051a886eab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to cover read extent cache access with lock\\n\\nsyzbot reports a f2fs bug as below:\\n\\nBUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\\nRead of size 4 at addr ffff8880739ab220 by task syz-executor200/5097\\n\\nCPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\\n do_read_inode fs/f2fs/inode.c:509 [inline]\\n f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560\\n f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237\\n generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413\\n exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444\\n exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584\\n do_handle_to_path fs/fhandle.c:155 [inline]\\n handle_to_path fs/fhandle.c:210 [inline]\\n do_handle_open+0x495/0x650 fs/fhandle.c:226\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nWe missed to cover sanity_check_extent_cache() w/ extent cache lock,\\nso, below race case may happen, result in use after free issue.\\n\\n- f2fs_iget\\n - do_read_inode\\n - f2fs_init_read_extent_tree\\n : add largest extent entry in to cache\\n\\t\\t\\t\\t\\t- shrink\\n\\t\\t\\t\\t\\t - f2fs_shrink_read_extent_tree\\n\\t\\t\\t\\t\\t - __shrink_extent_tree\\n\\t\\t\\t\\t\\t - __detach_extent_node\\n\\t\\t\\t\\t\\t : drop largest extent entry\\n - sanity_check_extent_cache\\n : access et->largest w/o lock\\n\\nlet's refactor sanity_check_extent_cache() to avoid extent cache access\\nand call it before f2fs_init_read_extent_tree() to fix this issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44941\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44942", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44942" + }, + { + "url": "https://git.kernel.org/stable/c/26c07775fb5dc74351d1c3a2bc3cdf609b03e49f" + }, + { + "url": "https://git.kernel.org/stable/c/ae00e6536a2dd54b64b39e9a39548870cf835745" + }, + { + "url": "https://git.kernel.org/stable/c/fc01008c92f40015aeeced94750855a7111b6929" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44942 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44942", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC\n\nsyzbot reports a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/inline.c:258!\nCPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0\nRIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258\nCall Trace:\n f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834\n f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline]\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315\n do_writepages+0x35b/0x870 mm/page-writeback.c:2612\n __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650\n writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941\n wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117\n wb_do_writeback fs/fs-writeback.c:2264 [inline]\n wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335\n worker_thread+0x86d/0xd70 kernel/workqueue.c:3416\n kthread+0x2f2/0x390 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nThe root cause is: inline_data inode can be fuzzed, so that there may\nbe valid blkaddr in its direct node, once f2fs triggers background GC\nto migrate the block, it will hit f2fs_bug_on() during dirty page\nwriteback.\n\nLet's add sanity check on F2FS_INLINE_DATA flag in inode during GC,\nso that, it can forbid migrating inline_data inode's data block for\nfixing.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44942\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44942\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44942\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44942\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44942\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/26c07775fb5dc74351d1c3a2bc3cdf609b03e49f\",\n \"https://git.kernel.org/stable/c/ae00e6536a2dd54b64b39e9a39548870cf835745\",\n \"https://git.kernel.org/stable/c/fc01008c92f40015aeeced94750855a7111b6929\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC\\n\\nsyzbot reports a f2fs bug as below:\\n\\n------------[ cut here ]------------\\nkernel BUG at fs/f2fs/inline.c:258!\\nCPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0\\nRIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258\\nCall Trace:\\n f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834\\n f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline]\\n __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline]\\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315\\n do_writepages+0x35b/0x870 mm/page-writeback.c:2612\\n __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650\\n writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941\\n wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117\\n wb_do_writeback fs/fs-writeback.c:2264 [inline]\\n wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304\\n process_one_work kernel/workqueue.c:3254 [inline]\\n process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335\\n worker_thread+0x86d/0xd70 kernel/workqueue.c:3416\\n kthread+0x2f2/0x390 kernel/kthread.c:388\\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n\\nThe root cause is: inline_data inode can be fuzzed, so that there may\\nbe valid blkaddr in its direct node, once f2fs triggers background GC\\nto migrate the block, it will hit f2fs_bug_on() during dirty page\\nwriteback.\\n\\nLet's add sanity check on F2FS_INLINE_DATA flag in inode during GC,\\nso that, it can forbid migrating inline_data inode's data block for\\nfixing.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44942\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + } + ], + "sha256": "8ee3cf4d2e5c92c36501d4c503c7261131e5dbfe6d6da95f5e5d8e970d5136e0" + } + ], + "passthrough": { + "auxiliary_data": [ + { + "name": "", + "data": {} + } + ] + } +} \ No newline at end of file diff --git a/test/sample_data/anchoregrype/tensorflow-grype-withraw.json b/test/sample_data/anchoregrype/tensorflow-grype-withraw.json new file mode 100644 index 000000000..218a7df30 --- /dev/null +++ b/test/sample_data/anchoregrype/tensorflow-grype-withraw.json @@ -0,0 +1,259536 @@ +{ + "platform": { + "name": "Heimdall Tools", + "release": "2.10.15", + "target_id": null + }, + "version": "2.10.15", + "statistics": { + "duration": null + }, + "profiles": [ + { + "name": "Anchore - Grype", + "title": "Anchore Grype Matches", + "version": "0.79.3", + "maintainer": null, + "summary": null, + "license": null, + "copyright": null, + "copyright_email": null, + "supports": [], + "attributes": [], + "depends": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-27943", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-27943" + }, + { + "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-27943 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-27943", + "desc": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-27943\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-27943\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-27943\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-27943\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-27943\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/\",\n \"https://sourceware.org/bugzilla/show_bug.cgi?id=28995\"\n ],\n \"description\": \"libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"2baa616d4a39d455\",\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"63fdcfa2d3d7f050\",\n \"name\": \"binutils-common\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-common:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"f1c65ff7effb20c8\",\n \"name\": \"binutils-x86-64-linux-gnu\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"c933f77f391da70f\",\n \"name\": \"cpp\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"ec8dc9fd7bb4eba9\",\n \"name\": \"cpp-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"991685e1bc259ed8\",\n \"name\": \"g++\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"4b5cc3dda3447fc9\",\n \"name\": \"g++-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"343d7434c8c334f5\",\n \"name\": \"gcc\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"b15bbd3cb5f12603\",\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"21bb5fd2d1b64d58\",\n \"name\": \"gcc-11-base\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11-base:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"0d7332e43f485d8d\",\n \"name\": \"gcc-12-base\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-12-base:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-12-base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12-base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12_base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12_base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"56ea2975ec405acb\",\n \"name\": \"libasan6\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libasan6:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"816f5e3fe2b8694c\",\n \"name\": \"libatomic1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libatomic1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libatomic1:libatomic1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libatomic1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"e1318293ffeacaf0\",\n \"name\": \"libbinutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libbinutils:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"a69323dca274b473\",\n \"name\": \"libcc1-0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libcc1-0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcc1-0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1-0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1_0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1_0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libcc1-0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"f60f0b441039170a\",\n \"name\": \"libctf-nobfd0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libctf-nobfd0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"090aac7e6312e1a4\",\n \"name\": \"libctf0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"851df3c34e377555\",\n \"name\": \"libgcc-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"e06d1fc320a8a1ac\",\n \"name\": \"libgcc-s1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-s1:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"c8cf906bd8b6dcd3\",\n \"name\": \"libgomp1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgomp1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgomp1:libgomp1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgomp1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"3df6bfc8ac5188d7\",\n \"name\": \"libitm1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libitm1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libitm1:libitm1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libitm1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"e41baeef893dc672\",\n \"name\": \"liblsan0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/liblsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:liblsan0:liblsan0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/liblsan0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"851fee7a303de1b7\",\n \"name\": \"libquadmath0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libquadmath0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libquadmath0:libquadmath0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libquadmath0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"5c5dbe65627d4087\",\n \"name\": \"libstdc++-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"4ddc88716174352d\",\n \"name\": \"libstdc++6\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++6:libstdc++6:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"f12aede72a6ee01b\",\n \"name\": \"libtsan0\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-27943\"\n }\n }\n]", + "message": "{\n \"id\": \"0bd42c1a89f86d7c\",\n \"name\": \"libubsan1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libubsan1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libubsan1:libubsan1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libubsan1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-1010204", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-1010204" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20190822-0001/" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=23765" + }, + { + "url": "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-1010204 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2019-1010204", + "desc": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-1010204\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-1010204\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-1010204\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-1010204\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-1010204\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://security.netapp.com/advisory/ntap-20190822-0001/\",\n \"https://sourceware.org/bugzilla/show_bug.cgi?id=23765\",\n \"https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS\"\n ],\n \"description\": \"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"2baa616d4a39d455\",\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"63fdcfa2d3d7f050\",\n \"name\": \"binutils-common\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-common:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"f1c65ff7effb20c8\",\n \"name\": \"binutils-x86-64-linux-gnu\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"e1318293ffeacaf0\",\n \"name\": \"libbinutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libbinutils:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"f60f0b441039170a\",\n \"name\": \"libctf-nobfd0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libctf-nobfd0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-1010204\"\n }\n }\n]", + "message": "{\n \"id\": \"090aac7e6312e1a4\",\n \"name\": \"libctf0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-13716", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-13716" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-13716 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2017-13716", + "desc": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-13716\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-13716\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-13716\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-13716\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-13716\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://sourceware.org/bugzilla/show_bug.cgi?id=22009\"\n ],\n \"description\": \"The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"2baa616d4a39d455\",\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"63fdcfa2d3d7f050\",\n \"name\": \"binutils-common\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-common:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"f1c65ff7effb20c8\",\n \"name\": \"binutils-x86-64-linux-gnu\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"e1318293ffeacaf0\",\n \"name\": \"libbinutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libbinutils:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"f60f0b441039170a\",\n \"name\": \"libctf-nobfd0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libctf-nobfd0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13716\"\n }\n }\n]", + "message": "{\n \"id\": \"090aac7e6312e1a4\",\n \"name\": \"libctf0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48064", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48064" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231006-0008/" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=29922" + }, + { + "url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48064 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-48064", + "desc": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48064\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48064\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48064\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48064\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48064\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/\",\n \"https://security.netapp.com/advisory/ntap-20231006-0008/\",\n \"https://sourceware.org/bugzilla/show_bug.cgi?id=29922\",\n \"https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931\"\n ],\n \"description\": \"GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"2baa616d4a39d455\",\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"63fdcfa2d3d7f050\",\n \"name\": \"binutils-common\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-common:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"f1c65ff7effb20c8\",\n \"name\": \"binutils-x86-64-linux-gnu\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"e1318293ffeacaf0\",\n \"name\": \"libbinutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libbinutils:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"f60f0b441039170a\",\n \"name\": \"libctf-nobfd0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libctf-nobfd0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48064\"\n }\n }\n]", + "message": "{\n \"id\": \"090aac7e6312e1a4\",\n \"name\": \"libctf0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-20657", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-20657" + }, + { + "url": "http://www.securityfocus.com/bid/106444" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3352" + }, + { + "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539" + }, + { + "url": "https://support.f5.com/csp/article/K62602089" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-20657 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2018-20657", + "desc": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-20657\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-20657\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-20657\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-20657\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-20657\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/106444\",\n \"https://access.redhat.com/errata/RHSA-2019:3352\",\n \"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539\",\n \"https://support.f5.com/csp/article/K62602089\"\n ],\n \"description\": \"The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"2baa616d4a39d455\",\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"63fdcfa2d3d7f050\",\n \"name\": \"binutils-common\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-common:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"f1c65ff7effb20c8\",\n \"name\": \"binutils-x86-64-linux-gnu\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"e1318293ffeacaf0\",\n \"name\": \"libbinutils\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libbinutils:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"f60f0b441039170a\",\n \"name\": \"libctf-nobfd0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libctf-nobfd0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"binutils\",\n \"version\": \"2.38-4ubuntu2.6\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-20657\"\n }\n }\n]", + "message": "{\n \"id\": \"090aac7e6312e1a4\",\n \"name\": \"libctf0\",\n \"version\": \"2.38-4ubuntu2.6\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/binutils-common/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libctf0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL\",\n \"GPL\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"binutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2016-2781", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2016-2781" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2016/02/28/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2016/02/28/3" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2016-2781 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2016-2781", + "desc": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2016-2781\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2016-2781\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2016-2781\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2016-2781\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-2781\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2016/02/28/2\",\n \"http://www.openwall.com/lists/oss-security/2016/02/28/3\",\n \"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E\"\n ],\n \"description\": \"chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"coreutils\",\n \"version\": \"8.32-4.1ubuntu1.2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2781\"\n }\n }\n]", + "message": "{\n \"id\": \"ba31f56208da56da\",\n \"name\": \"coreutils\",\n \"version\": \"8.32-4.1ubuntu1.2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/coreutils/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/coreutils.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-3\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:coreutils:coreutils:8.32-4.1ubuntu1.2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1.2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-4039", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-4039" + }, + { + "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64" + }, + { + "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-4039 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-4039", + "desc": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-4039\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-4039\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-4039\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-4039\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-4039\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64\",\n \"https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf\"\n ],\n \"description\": \"\\n\\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \\nthat target AArch64 allows an attacker to exploit an existing buffer \\noverflow in dynamically-sized local variables in your application \\nwithout this being detected. This stack-protector failure only applies \\nto C99-style dynamically-sized local variables or those created using \\nalloca(). The stack-protector operates as intended for statically-sized \\nlocal variables.\\n\\nThe default behavior when the stack-protector \\ndetects an overflow is to terminate your application, resulting in \\ncontrolled loss of availability. An attacker who can exploit a buffer \\noverflow without triggering the stack-protector might be able to change \\nprogram flow control to cause an uncontrolled loss of availability or to\\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\\n\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 4.8,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"arm-security@arm.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 4.8,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"c933f77f391da70f\",\n \"name\": \"cpp\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"ec8dc9fd7bb4eba9\",\n \"name\": \"cpp-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"991685e1bc259ed8\",\n \"name\": \"g++\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"4b5cc3dda3447fc9\",\n \"name\": \"g++-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"343d7434c8c334f5\",\n \"name\": \"gcc\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"b15bbd3cb5f12603\",\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"21bb5fd2d1b64d58\",\n \"name\": \"gcc-11-base\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11-base:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"0d7332e43f485d8d\",\n \"name\": \"gcc-12-base\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-12-base:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-12-base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12-base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12_base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12_base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"56ea2975ec405acb\",\n \"name\": \"libasan6\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libasan6:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"816f5e3fe2b8694c\",\n \"name\": \"libatomic1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libatomic1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libatomic1:libatomic1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libatomic1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"a69323dca274b473\",\n \"name\": \"libcc1-0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libcc1-0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcc1-0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1-0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1_0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1_0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcc1:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libcc1-0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"851df3c34e377555\",\n \"name\": \"libgcc-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"e06d1fc320a8a1ac\",\n \"name\": \"libgcc-s1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-s1:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"c8cf906bd8b6dcd3\",\n \"name\": \"libgomp1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgomp1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgomp1:libgomp1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgomp1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"3df6bfc8ac5188d7\",\n \"name\": \"libitm1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libitm1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libitm1:libitm1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libitm1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"e41baeef893dc672\",\n \"name\": \"liblsan0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/liblsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:liblsan0:liblsan0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/liblsan0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"851fee7a303de1b7\",\n \"name\": \"libquadmath0\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libquadmath0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libquadmath0:libquadmath0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libquadmath0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"5c5dbe65627d4087\",\n \"name\": \"libstdc++-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"4ddc88716174352d\",\n \"name\": \"libstdc++6\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++6:libstdc++6:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"f12aede72a6ee01b\",\n \"name\": \"libtsan0\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-12\",\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4039\"\n }\n }\n]", + "message": "{\n \"id\": \"0bd42c1a89f86d7c\",\n \"name\": \"libubsan1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-12-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libubsan1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libubsan1:libubsan1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libubsan1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-12\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-13844", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-13844" + }, + { + "url": "http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html" + }, + { + "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability" + }, + { + "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation" + }, + { + "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions" + }, + { + "url": "https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-13844 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2020-13844", + "desc": "Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \"straight-line speculation.\"", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-13844\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-13844\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-13844\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-13844\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-13844\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html\",\n \"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html\",\n \"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html\",\n \"https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability\",\n \"https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation\",\n \"https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions\",\n \"https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html\"\n ],\n \"description\": \"Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \\\"straight-line speculation.\\\"\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-13844\"\n }\n }\n]", + "message": "{\n \"id\": \"c933f77f391da70f\",\n \"name\": \"cpp\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-13844\"\n }\n }\n]", + "message": "{\n \"id\": \"991685e1bc259ed8\",\n \"name\": \"g++\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-13844\"\n }\n }\n]", + "message": "{\n \"id\": \"343d7434c8c334f5\",\n \"name\": \"gcc\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-15847", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-15847" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html" + }, + { + "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-15847 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2019-15847", + "desc": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-15847\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-15847\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-15847\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-15847\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-15847\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html\",\n \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html\",\n \"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html\",\n \"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481\"\n ],\n \"description\": \"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-15847\"\n }\n }\n]", + "message": "{\n \"id\": \"c933f77f391da70f\",\n \"name\": \"cpp\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-15847\"\n }\n }\n]", + "message": "{\n \"id\": \"991685e1bc259ed8\",\n \"name\": \"g++\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-15847\"\n }\n }\n]", + "message": "{\n \"id\": \"343d7434c8c334f5\",\n \"name\": \"gcc\",\n \"version\": \"4:11.2.0-1ubuntu1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/cpp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-defaults\",\n \"version\": \"1.193ubuntu1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-46195", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-46195" + }, + { + "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-46195 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-46195", + "desc": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-46195\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-46195\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-46195\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-46195\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-46195\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841\"\n ],\n \"description\": \"GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"ec8dc9fd7bb4eba9\",\n \"name\": \"cpp-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"4b5cc3dda3447fc9\",\n \"name\": \"g++-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"b15bbd3cb5f12603\",\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"21bb5fd2d1b64d58\",\n \"name\": \"gcc-11-base\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11-base:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"56ea2975ec405acb\",\n \"name\": \"libasan6\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libasan6:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"851df3c34e377555\",\n \"name\": \"libgcc-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"5c5dbe65627d4087\",\n \"name\": \"libstdc++-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46195\"\n }\n }\n]", + "message": "{\n \"id\": \"f12aede72a6ee01b\",\n \"name\": \"libtsan0\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3826", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-3826" + }, + { + "url": "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505" + }, + { + "url": "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3826 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-3826", + "desc": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3826\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-3826\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-3826\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3826\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3826\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505\",\n \"https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/\"\n ],\n \"description\": \"Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"ec8dc9fd7bb4eba9\",\n \"name\": \"cpp-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/cpp-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"4b5cc3dda3447fc9\",\n \"name\": \"g++-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/g++-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"b15bbd3cb5f12603\",\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"21bb5fd2d1b64d58\",\n \"name\": \"gcc-11-base\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gcc-11-base:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"56ea2975ec405acb\",\n \"name\": \"libasan6\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libasan6:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"851df3c34e377555\",\n \"name\": \"libgcc-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"5c5dbe65627d4087\",\n \"name\": \"libstdc++-11-dev\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gcc-11\",\n \"version\": \"11.4.0-1ubuntu1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3826\"\n }\n }\n]", + "message": "{\n \"id\": \"f12aede72a6ee01b\",\n \"name\": \"libtsan0\",\n \"version\": \"11.4.0-1ubuntu1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gcc-11-base/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtsan0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GFDL-1.2\",\n \"GPL\",\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gcc-11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-7264", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 7.81.0-1ubuntu1.17", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-7264" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/07/31/1" + }, + { + "url": "https://curl.se/docs/CVE-2024-7264.html" + }, + { + "url": "https://curl.se/docs/CVE-2024-7264.json" + }, + { + "url": "https://hackerone.com/reports/2629968" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-7264 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-7264", + "desc": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-7264\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-7264\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-7264\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"7.81.0-1ubuntu1.17\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-7264\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-7264\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/07/31/1\",\n \"https://curl.se/docs/CVE-2024-7264.html\",\n \"https://curl.se/docs/CVE-2024-7264.json\",\n \"https://hackerone.com/reports/2629968\"\n ],\n \"description\": \"libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\\nparser might end up using -1 for the length of the *time fraction*, leading to\\na `strlen()` getting performed on a pointer to a heap buffer area that is not\\n(purposely) null terminated.\\n\\nThis flaw most likely leads to a crash, but can also lead to heap contents\\ngetting returned to the application when\\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"curl\",\n \"version\": \"7.81.0-1ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 7.81.0-1ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7264\"\n }\n }\n]", + "message": "{\n \"id\": \"324465965a47402a\",\n \"name\": \"curl\",\n \"version\": \"7.81.0-1ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/curl/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/curl.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-Clause\",\n \"BSD-4-Clause\",\n \"ISC\",\n \"curl\",\n \"other\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:curl:curl:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"curl\",\n \"version\": \"7.81.0-1ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 7.81.0-1ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7264\"\n }\n }\n]", + "message": "{\n \"id\": \"b4d74f55020f24c9\",\n \"name\": \"libcurl3-gnutls\",\n \"version\": \"7.81.0-1ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libcurl3-gnutls/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libcurl3-gnutls:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-Clause\",\n \"BSD-4-Clause\",\n \"ISC\",\n \"curl\",\n \"other\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcurl3-gnutls:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcurl3-gnutls:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcurl3_gnutls:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcurl3_gnutls:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcurl3:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libcurl3:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libcurl3-gnutls@7.81.0-1ubuntu1.16?arch=amd64&upstream=curl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"curl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"curl\",\n \"version\": \"7.81.0-1ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 7.81.0-1ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7264\"\n }\n }\n]", + "message": "{\n \"id\": \"52b4ac2b67a9ecd2\",\n \"name\": \"libcurl4\",\n \"version\": \"7.81.0-1ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libcurl4/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libcurl4:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-Clause\",\n \"BSD-4-Clause\",\n \"ISC\",\n \"curl\",\n \"other\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libcurl4:libcurl4:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libcurl4@7.81.0-1ubuntu1.16?arch=amd64&upstream=curl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"curl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-34969", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-34969" + }, + { + "url": "https://gitlab.freedesktop.org/dbus/dbus/-/issues/457" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231208-0007/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-34969 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-34969", + "desc": "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-34969\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-34969\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-34969\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-34969\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-34969\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://gitlab.freedesktop.org/dbus/dbus/-/issues/457\",\n \"https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/\",\n \"https://security.netapp.com/advisory/ntap-20231208-0007/\"\n ],\n \"description\": \"D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"dbus\",\n \"version\": \"1.12.20-2ubuntu4.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-34969\"\n }\n }\n]", + "message": "{\n \"id\": \"60da06608335c6e9\",\n \"name\": \"dbus\",\n \"version\": \"1.12.20-2ubuntu4.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/dbus/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/dbus.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/dbus.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"AFL-2.1\",\n \"BSD-3-clause\",\n \"BSD-3-clause-generic\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"Tcl-BSDish\",\n \"g10-permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:dbus:dbus:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/dbus@1.12.20-2ubuntu4.1?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"dbus\",\n \"version\": \"1.12.20-2ubuntu4.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-34969\"\n }\n }\n]", + "message": "{\n \"id\": \"0c67a21e65bd16ee\",\n \"name\": \"libdbus-1-3\",\n \"version\": \"1.12.20-2ubuntu4.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libdbus-1-3/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libdbus-1-3:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"AFL-2.1\",\n \"BSD-3-clause\",\n \"BSD-3-clause-generic\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"Tcl-BSDish\",\n \"g10-permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libdbus-1-3:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus-1-3:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus_1_3:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus_1_3:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus-1:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus-1:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus_1:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus_1:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libdbus:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libdbus-1-3@1.12.20-2ubuntu4.1?arch=amd64&upstream=dbus&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"dbus\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-3219", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-3219" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-3219" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127010" + }, + { + "url": "https://dev.gnupg.org/D556" + }, + { + "url": "https://dev.gnupg.org/T5993" + }, + { + "url": "https://marc.info/?l=oss-security&m=165696590211434&w=4" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230324-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-3219 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-3219", + "desc": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-3219\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-3219\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-3219\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-3219\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3219\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-3219\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2127010\",\n \"https://dev.gnupg.org/D556\",\n \"https://dev.gnupg.org/T5993\",\n \"https://marc.info/?l=oss-security&m=165696590211434&w=4\",\n \"https://security.netapp.com/advisory/ntap-20230324-0001/\"\n ],\n \"description\": \"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"efa651c03e29c607\",\n \"name\": \"dirmngr\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/dirmngr/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/dirmngr.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:dirmngr:dirmngr:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/dirmngr@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"1d53afeb1b2bed73\",\n \"name\": \"gnupg\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gnupg/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gnupg.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gnupg:gnupg:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gnupg@2.2.27-3ubuntu2.1?arch=all&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"50e44f27e2b0c800\",\n \"name\": \"gnupg-l10n\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gnupg-l10n/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gnupg-l10n.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gnupg-l10n:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg-l10n:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg_l10n:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg_l10n:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gnupg-l10n@2.2.27-3ubuntu2.1?arch=all&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"1d0ecf2cdf605099\",\n \"name\": \"gnupg-utils\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gnupg-utils/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gnupg-utils.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gnupg-utils:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg-utils:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg_utils:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg_utils:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gnupg:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gnupg-utils@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"22ea11b15ccb9d9a\",\n \"name\": \"gpg\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpg/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpg.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpg:gpg:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpg@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"6b1172046efd6589\",\n \"name\": \"gpg-agent\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpg-agent/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpg-agent.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpg-agent.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpg-agent:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-agent:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_agent:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_agent:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpg-agent@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"165b537d3990d094\",\n \"name\": \"gpg-wks-client\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpg-wks-client/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpg-wks-client.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpg-wks-client:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks-client:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks_client:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks_client:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpg-wks-client@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"89c2406ff86aa601\",\n \"name\": \"gpg-wks-server\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpg-wks-server/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpg-wks-server.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpg-wks-server:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks-server:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks_server:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks_server:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg-wks:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg_wks:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gpg:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpg-wks-server@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"775f261341147b3c\",\n \"name\": \"gpgconf\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpgconf/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpgconf.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpgconf:gpgconf:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpgconf@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"5e764c44f36dd32a\",\n \"name\": \"gpgsm\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpgsm/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpgsm.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpgsm:gpgsm:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpgsm@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"gnupg2\",\n \"version\": \"2.2.27-3ubuntu2.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3219\"\n }\n }\n]", + "message": "{\n \"id\": \"9b32ff71df8828aa\",\n \"name\": \"gpgv\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gpgv/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gpgv.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"LGPL-3\",\n \"LGPL-3+\",\n \"RFC-Reference\",\n \"TinySCHEME\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gpgv:gpgv:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"gnupg2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0217", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-0217" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0217" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256624" + }, + { + "url": "https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0217 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-0217", + "desc": "A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0217\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-0217\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-0217\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-0217\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0217\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2024-0217\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2256624\",\n \"https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79\"\n ],\n \"description\": \"A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0217\"\n }\n }\n]", + "message": "{\n \"id\": \"3e0695ea8a15e043\",\n \"name\": \"gir1.2-packagekitglib-1.0\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gir1.2-packagekitglib-1.0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gir1.2-packagekitglib-1.0.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gir1.2-packagekitglib-1.0@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"packagekit\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0217\"\n }\n }\n]", + "message": "{\n \"id\": \"4e2ed93a3f00508b\",\n \"name\": \"libpackagekit-glib2-18\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpackagekit-glib2-18/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpackagekit-glib2-18:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpackagekit-glib2-18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2-18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2_18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2_18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpackagekit-glib2-18@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"packagekit\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0217\"\n }\n }\n]", + "message": "{\n \"id\": \"cb13b67d8759b594\",\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/packagekit/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/packagekit.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/packagekit.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:packagekit:packagekit:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/packagekit@1.2.5-2ubuntu2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0987", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-0987" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064315" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0987 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-0987", + "desc": "A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0987\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-0987\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-0987\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-0987\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0987\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2064315\"\n ],\n \"description\": \"A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0987\"\n }\n }\n]", + "message": "{\n \"id\": \"3e0695ea8a15e043\",\n \"name\": \"gir1.2-packagekitglib-1.0\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/gir1.2-packagekitglib-1.0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/gir1.2-packagekitglib-1.0.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2-packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2_packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:gir1.2:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/gir1.2-packagekitglib-1.0@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"packagekit\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0987\"\n }\n }\n]", + "message": "{\n \"id\": \"4e2ed93a3f00508b\",\n \"name\": \"libpackagekit-glib2-18\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpackagekit-glib2-18/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpackagekit-glib2-18:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpackagekit-glib2-18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2-18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2_18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2_18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit-glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit_glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpackagekit:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpackagekit-glib2-18@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"packagekit\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0987\"\n }\n }\n]", + "message": "{\n \"id\": \"cb13b67d8759b594\",\n \"name\": \"packagekit\",\n \"version\": \"1.2.5-2ubuntu2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/packagekit/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/packagekit.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/packagekit.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:packagekit:packagekit:1.2.5-2ubuntu2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/packagekit@1.2.5-2ubuntu2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2016-1585", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2016-1585" + }, + { + "url": "https://bugs.launchpad.net/apparmor/+bug/1597017" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2016-1585 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2016-1585", + "desc": "In all versions of AppArmor mount rules are accidentally widened when compiled.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2016-1585\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2016-1585\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2016-1585\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2016-1585\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1585\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://bugs.launchpad.net/apparmor/+bug/1597017\",\n \"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E\"\n ],\n \"description\": \"In all versions of AppArmor mount rules are accidentally widened when compiled.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@ubuntu.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L\",\n \"metrics\": {\n \"baseScore\": 3.9,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"apparmor\",\n \"version\": \"3.0.4-2ubuntu2.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-1585\"\n }\n }\n]", + "message": "{\n \"id\": \"20b7d6a703b1cdb0\",\n \"name\": \"libapparmor1\",\n \"version\": \"3.0.4-2ubuntu2.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libapparmor1/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libapparmor1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libapparmor1:libapparmor1:3.0.4-2ubuntu2.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libapparmor1@3.0.4-2ubuntu2.3?arch=amd64&upstream=apparmor&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"apparmor\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2016-20013", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2016-20013" + }, + { + "url": "https://akkadia.org/drepper/SHA-crypt.txt" + }, + { + "url": "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/" + }, + { + "url": "https://twitter.com/solardiz/status/795601240151457793" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2016-20013 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2016-20013", + "desc": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2016-20013\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2016-20013\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2016-20013\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2016-20013\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-20013\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://akkadia.org/drepper/SHA-crypt.txt\",\n \"https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/\",\n \"https://twitter.com/solardiz/status/795601240151457793\"\n ],\n \"description\": \"sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"glibc\",\n \"version\": \"2.35-0ubuntu3.8\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-20013\"\n }\n }\n]", + "message": "{\n \"id\": \"534613922e3db6d7\",\n \"name\": \"libc-bin\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libc-bin/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc-bin.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc-bin.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.3\",\n \"GPL-2\",\n \"LGPL-2.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libc-bin:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc-bin:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_bin:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_bin:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"glibc\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"glibc\",\n \"version\": \"2.35-0ubuntu3.8\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-20013\"\n }\n }\n]", + "message": "{\n \"id\": \"57746bb623c8ca26\",\n \"name\": \"libc-dev-bin\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libc-dev-bin/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc-dev-bin.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.3\",\n \"GPL-2\",\n \"LGPL-2.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libc-dev-bin:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc-dev-bin:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_dev_bin:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_dev_bin:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc-dev:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc-dev:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_dev:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc_dev:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libc-dev-bin@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"glibc\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"glibc\",\n \"version\": \"2.35-0ubuntu3.8\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-20013\"\n }\n }\n]", + "message": "{\n \"id\": \"cde0d63aef474648\",\n \"name\": \"libc6\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libc6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc6:amd64.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.3\",\n \"GPL-2\",\n \"LGPL-2.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libc6:libc6:2.35-0ubuntu3.8:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libc6@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"glibc\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"glibc\",\n \"version\": \"2.35-0ubuntu3.8\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-20013\"\n }\n }\n]", + "message": "{\n \"id\": \"ce5bb87ce346e38b\",\n \"name\": \"libc6-dev\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libc6-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libc6-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.3\",\n \"GPL-2\",\n \"LGPL-2.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libc6-dev:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc6-dev:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc6_dev:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc6_dev:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc6:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libc6:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libc6-dev@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"glibc\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25260", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25260" + }, + { + "url": "https://github.com/schsiung/fuzzer_issues/issues/1" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31058" + }, + { + "url": "https://sourceware.org/elfutils/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25260 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-25260", + "desc": "elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25260\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25260\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25260\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25260\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25260\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/schsiung/fuzzer_issues/issues/1\",\n \"https://sourceware.org/bugzilla/show_bug.cgi?id=31058\",\n \"https://sourceware.org/elfutils/\"\n ],\n \"description\": \"elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"elfutils\",\n \"version\": \"0.186-1build1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25260\"\n }\n }\n]", + "message": "{\n \"id\": \"84f06d819a7d441b\",\n \"name\": \"libdw1\",\n \"version\": \"0.186-1build1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libdw1/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libdw1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL-3\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libdw1:libdw1:0.186-1build1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libdw1@0.186-1build1?arch=amd64&upstream=elfutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"elfutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"elfutils\",\n \"version\": \"0.186-1build1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25260\"\n }\n }\n]", + "message": "{\n \"id\": \"db43cdc9ed146fdf\",\n \"name\": \"libelf1\",\n \"version\": \"0.186-1build1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libelf1/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libelf1:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"GPL-3\",\n \"LGPL-3\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libelf1:libelf1:0.186-1build1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libelf1@0.186-1build1?arch=amd64&upstream=elfutils&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"elfutils\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-2236", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-2236" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-2236" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245218" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268268" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-2236 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-2236", + "desc": "A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-2236\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-2236\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-2236\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-2236\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-2236\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2024-2236\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2245218\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2268268\"\n ],\n \"description\": \"A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.\",\n \"cvss\": [\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libgcrypt20\",\n \"version\": \"1.9.4-3ubuntu3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-2236\"\n }\n }\n]", + "message": "{\n \"id\": \"8bd34a8029c4772d\",\n \"name\": \"libgcrypt20\",\n \"version\": \"1.9.4-3ubuntu3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgcrypt20/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgcrypt20:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\",\n \"LGPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgcrypt20:libgcrypt20:1.9.4-3ubuntu3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37371", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.19.2-2ubuntu0.4", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37371" + }, + { + "url": "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" + }, + { + "url": "https://web.mit.edu/kerberos/www/advisories/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37371 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-37371", + "desc": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37371\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37371\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37371\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.19.2-2ubuntu0.4\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37371\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37371\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef\",\n \"https://web.mit.edu/kerberos/www/advisories/\"\n ],\n \"description\": \"In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37371\"\n }\n }\n]", + "message": "{\n \"id\": \"9ca0af3dda6de8e1\",\n \"name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgssapi-krb5-2/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37371\"\n }\n }\n]", + "message": "{\n \"id\": \"5b4458fd2a0b50fd\",\n \"name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libk5crypto3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libk5crypto3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37371\"\n }\n }\n]", + "message": "{\n \"id\": \"2b04489baa0c5a85\",\n \"name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5-3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5-3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37371\"\n }\n }\n]", + "message": "{\n \"id\": \"3ead40926c2b5d5c\",\n \"name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5support0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5support0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37370", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.19.2-2ubuntu0.4", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37370" + }, + { + "url": "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" + }, + { + "url": "https://web.mit.edu/kerberos/www/advisories/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37370 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-37370", + "desc": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37370\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37370\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37370\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.19.2-2ubuntu0.4\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37370\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37370\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef\",\n \"https://web.mit.edu/kerberos/www/advisories/\"\n ],\n \"description\": \"In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37370\"\n }\n }\n]", + "message": "{\n \"id\": \"9ca0af3dda6de8e1\",\n \"name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgssapi-krb5-2/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37370\"\n }\n }\n]", + "message": "{\n \"id\": \"5b4458fd2a0b50fd\",\n \"name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libk5crypto3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libk5crypto3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37370\"\n }\n }\n]", + "message": "{\n \"id\": \"2b04489baa0c5a85\",\n \"name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5-3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5-3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.19.2-2ubuntu0.4 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37370\"\n }\n }\n]", + "message": "{\n \"id\": \"3ead40926c2b5d5c\",\n \"name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5support0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5support0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26462", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26462" + }, + { + "url": "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0012/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26462 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-26462", + "desc": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26462\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26462\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26462\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26462\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26462\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md\",\n \"https://security.netapp.com/advisory/ntap-20240415-0012/\"\n ],\n \"description\": \"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26462\"\n }\n }\n]", + "message": "{\n \"id\": \"9ca0af3dda6de8e1\",\n \"name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgssapi-krb5-2/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26462\"\n }\n }\n]", + "message": "{\n \"id\": \"5b4458fd2a0b50fd\",\n \"name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libk5crypto3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libk5crypto3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26462\"\n }\n }\n]", + "message": "{\n \"id\": \"2b04489baa0c5a85\",\n \"name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5-3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5-3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26462\"\n }\n }\n]", + "message": "{\n \"id\": \"3ead40926c2b5d5c\",\n \"name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5support0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5support0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26461", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26461" + }, + { + "url": "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0011/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26461 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-26461", + "desc": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26461\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26461\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26461\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26461\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26461\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md\",\n \"https://security.netapp.com/advisory/ntap-20240415-0011/\"\n ],\n \"description\": \"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26461\"\n }\n }\n]", + "message": "{\n \"id\": \"9ca0af3dda6de8e1\",\n \"name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgssapi-krb5-2/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26461\"\n }\n }\n]", + "message": "{\n \"id\": \"5b4458fd2a0b50fd\",\n \"name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libk5crypto3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libk5crypto3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26461\"\n }\n }\n]", + "message": "{\n \"id\": \"2b04489baa0c5a85\",\n \"name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5-3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5-3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26461\"\n }\n }\n]", + "message": "{\n \"id\": \"3ead40926c2b5d5c\",\n \"name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5support0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5support0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26458", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26458" + }, + { + "url": "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0010/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26458 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-26458", + "desc": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26458\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26458\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26458\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26458\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26458\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md\",\n \"https://security.netapp.com/advisory/ntap-20240415-0010/\"\n ],\n \"description\": \"Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26458\"\n }\n }\n]", + "message": "{\n \"id\": \"9ca0af3dda6de8e1\",\n \"name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libgssapi-krb5-2/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26458\"\n }\n }\n]", + "message": "{\n \"id\": \"5b4458fd2a0b50fd\",\n \"name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libk5crypto3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libk5crypto3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26458\"\n }\n }\n]", + "message": "{\n \"id\": \"2b04489baa0c5a85\",\n \"name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5-3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5-3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + }, + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"krb5\",\n \"version\": \"1.19.2-2ubuntu0.3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26458\"\n }\n }\n]", + "message": "{\n \"id\": \"3ead40926c2b5d5c\",\n \"name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libkrb5support0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libkrb5support0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"krb5\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-0347", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-0347" + }, + { + "url": "https://source.android.com/security/bulletin/android-11" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-0347 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2020-0347", + "desc": "In iptables, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-136658008", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-0347\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-0347\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-0347\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-0347\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-0347\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://source.android.com/security/bulletin/android-11\"\n ],\n \"description\": \"In iptables, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-136658008\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.7,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"iptables\",\n \"version\": \"1.8.7-1ubuntu5.2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-0347\"\n }\n }\n]", + "message": "{\n \"id\": \"6e9c18c8e88097db\",\n \"name\": \"libip4tc2\",\n \"version\": \"1.8.7-1ubuntu5.2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libip4tc2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libip4tc2:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Artistic\",\n \"GPL-2\",\n \"GPL-2+\",\n \"custom\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libip4tc2:libip4tc2:1.8.7-1ubuntu5.2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libip4tc2@1.8.7-1ubuntu5.2?arch=amd64&upstream=iptables&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"iptables\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-50495", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-50495" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240119-0008/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-50495 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-50495", + "desc": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-50495\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-50495\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-50495\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-50495\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-50495\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/\",\n \"https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html\",\n \"https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html\",\n \"https://security.netapp.com/advisory/ntap-20240119-0008/\"\n ],\n \"description\": \"NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-50495\"\n }\n }\n]", + "message": "{\n \"id\": \"9d631babdfb8df3e\",\n \"name\": \"libncurses6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libncurses6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libncurses6:libncurses6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-50495\"\n }\n }\n]", + "message": "{\n \"id\": \"0532d09628a2ff0b\",\n \"name\": \"libncursesw6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libncursesw6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libncursesw6:libncursesw6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-50495\"\n }\n }\n]", + "message": "{\n \"id\": \"e392e94b182b72b9\",\n \"name\": \"libtinfo6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtinfo6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtinfo6:libtinfo6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-50495\"\n }\n }\n]", + "message": "{\n \"id\": \"3760343f92af5dba\",\n \"name\": \"ncurses-base\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/ncurses-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-base.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-base.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ncurses-base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses-base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-50495\"\n }\n }\n]", + "message": "{\n \"id\": \"38ed2d1a224f9399\",\n \"name\": \"ncurses-bin\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/ncurses-bin/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-bin.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ncurses-bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses-bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-45918", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-45918" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240315-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-45918 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-45918", + "desc": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-45918\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-45918\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-45918\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-45918\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-45918\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html\",\n \"https://security.netapp.com/advisory/ntap-20240315-0006/\"\n ],\n \"description\": \"ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-45918\"\n }\n }\n]", + "message": "{\n \"id\": \"9d631babdfb8df3e\",\n \"name\": \"libncurses6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libncurses6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libncurses6:libncurses6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-45918\"\n }\n }\n]", + "message": "{\n \"id\": \"0532d09628a2ff0b\",\n \"name\": \"libncursesw6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libncursesw6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libncursesw6:libncursesw6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-45918\"\n }\n }\n]", + "message": "{\n \"id\": \"e392e94b182b72b9\",\n \"name\": \"libtinfo6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtinfo6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtinfo6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtinfo6:libtinfo6:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-45918\"\n }\n }\n]", + "message": "{\n \"id\": \"3760343f92af5dba\",\n \"name\": \"ncurses-base\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/ncurses-base/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-base.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-base.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ncurses-base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses-base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"ncurses\",\n \"version\": \"6.3-2ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-45918\"\n }\n }\n]", + "message": "{\n \"id\": \"38ed2d1a224f9399\",\n \"name\": \"ncurses-bin\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/ncurses-bin/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/ncurses-bin.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"MIT/X11\",\n \"X11\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:ncurses-bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses-bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses_bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:ncurses:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"ncurses\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-7008", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-7008" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2463" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3203" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-7008" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222261" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222672" + }, + { + "url": "https://github.com/systemd/systemd/issues/25676" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-7008 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-7008", + "desc": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-7008\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-7008\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-7008\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-7008\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-7008\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:2463\",\n \"https://access.redhat.com/errata/RHSA-2024:3203\",\n \"https://access.redhat.com/security/cve/CVE-2023-7008\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2222261\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2222672\",\n \"https://github.com/systemd/systemd/issues/25676\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/\"\n ],\n \"description\": \"A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-7008\"\n }\n }\n]", + "message": "{\n \"id\": \"4d802af324d0c968\",\n \"name\": \"libpam-systemd\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpam-systemd/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpam-systemd:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpam-systemd:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpam-systemd:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpam_systemd:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpam_systemd:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpam:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpam:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpam-systemd@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"systemd\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-7008\"\n }\n }\n]", + "message": "{\n \"id\": \"837dfa89fb7aecbb\",\n \"name\": \"libsystemd0\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libsystemd0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libsystemd0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libsystemd0:libsystemd0:249.11-0ubuntu3.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"systemd\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-7008\"\n }\n }\n]", + "message": "{\n \"id\": \"dfcf0201a1ab32bf\",\n \"name\": \"libudev1\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libudev1/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libudev1:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libudev1:libudev1:249.11-0ubuntu3.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"systemd\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-7008\"\n }\n }\n]", + "message": "{\n \"id\": \"08e5107537f6b389\",\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/systemd/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/systemd.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/systemd.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:systemd:systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/systemd@249.11-0ubuntu3.12?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"systemd\",\n \"version\": \"249.11-0ubuntu3.12\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-7008\"\n }\n }\n]", + "message": "{\n \"id\": \"6a9688725c2c3e10\",\n \"name\": \"systemd-sysv\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/systemd-sysv/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/systemd-sysv.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"CC0-1.0\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"public-domain\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:systemd-sysv:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:systemd-sysv:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:systemd_sysv:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:systemd_sysv:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:systemd:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:systemd:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/systemd-sysv@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"systemd\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-41409", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-41409" + }, + { + "url": "https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35" + }, + { + "url": "https://github.com/PCRE2Project/pcre2/issues/141" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-41409 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-41409", + "desc": "Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-41409\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-41409\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-41409\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-41409\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41409\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35\",\n \"https://github.com/PCRE2Project/pcre2/issues/141\"\n ],\n \"description\": \"Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"pcre2\",\n \"version\": \"10.39-3ubuntu0.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-41409\"\n }\n }\n]", + "message": "{\n \"id\": \"b83e437a170b2b4b\",\n \"name\": \"libpcre2-8-0\",\n \"version\": \"10.39-3ubuntu0.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpcre2-8-0/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpcre2-8-0:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:libpcre2-8-0:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2-8-0:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2_8_0:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2_8_0:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2-8:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2-8:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2_8:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2_8:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpcre2:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&upstream=pcre2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"pcre2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-11164", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-11164" + }, + { + "url": "http://openwall.com/lists/oss-security/2017/07/11/3" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/04/11/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/04/12/1" + }, + { + "url": "http://www.securityfocus.com/bid/99575" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-11164 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2017-11164", + "desc": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-11164\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-11164\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-11164\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-11164\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-11164\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://openwall.com/lists/oss-security/2017/07/11/3\",\n \"http://www.openwall.com/lists/oss-security/2023/04/11/1\",\n \"http://www.openwall.com/lists/oss-security/2023/04/12/1\",\n \"http://www.securityfocus.com/bid/99575\",\n \"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E\"\n ],\n \"description\": \"In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 10,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"pcre3\",\n \"version\": \"2:8.39-13ubuntu0.22.04.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-11164\"\n }\n }\n]", + "message": "{\n \"id\": \"c17e17a6c3b778e9\",\n \"name\": \"libpcre3\",\n \"version\": \"2:8.39-13ubuntu0.22.04.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpcre3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpcre3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [],\n \"cpes\": [\n \"cpe:2.3:a:libpcre3:libpcre3:2:8.39-13ubuntu0.22.04.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpcre3@2:8.39-13ubuntu0.22.04.1?arch=amd64&upstream=pcre3&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"pcre3\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2016-2568", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2016-2568" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2016/02/26/3" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2016-2568" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1300746" + }, + { + "url": "https://ubuntu.com/security/CVE-2016-2568" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2016-2568 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2016-2568", + "desc": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2016-2568\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2016-2568\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2016-2568\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2016-2568\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-2568\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2016/02/26/3\",\n \"https://access.redhat.com/security/cve/cve-2016-2568\",\n \"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=1300746\",\n \"https://ubuntu.com/security/CVE-2016-2568\"\n ],\n \"description\": \"pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 3.4,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.1,\n \"impactScore\": 6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2568\"\n }\n }\n]", + "message": "{\n \"id\": \"75f309e7896cc7d5\",\n \"name\": \"libpolkit-agent-1-0\",\n \"version\": \"0.105-33\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpolkit-agent-1-0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpolkit-agent-1-0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"LGPL-2\",\n \"LGPL-2.0+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpolkit-agent-1-0:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-agent-1-0:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent_1_0:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent_1_0:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-agent-1:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-agent-1:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent_1:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent_1:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-agent:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-agent:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_agent:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpolkit-agent-1-0@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"policykit-1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2568\"\n }\n }\n]", + "message": "{\n \"id\": \"ff118ec3fae758b1\",\n \"name\": \"libpolkit-gobject-1-0\",\n \"version\": \"0.105-33\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpolkit-gobject-1-0/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpolkit-gobject-1-0:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"LGPL-2\",\n \"LGPL-2.0+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpolkit-gobject-1-0:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-gobject-1-0:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject_1_0:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject_1_0:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-gobject-1:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-gobject-1:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject_1:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject_1:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-gobject:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit-gobject:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit_gobject:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpolkit:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpolkit-gobject-1-0@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"policykit-1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2568\"\n }\n }\n]", + "message": "{\n \"id\": \"d55289a43c85d6a4\",\n \"name\": \"pkexec\",\n \"version\": \"0.105-33\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/pkexec/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/pkexec.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"LGPL-2\",\n \"LGPL-2.0+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:pkexec:pkexec:0.105-33:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/pkexec@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"policykit-1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2568\"\n }\n }\n]", + "message": "{\n \"id\": \"d757443f44e8916c\",\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/policykit-1/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/policykit-1.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"LGPL-2\",\n \"LGPL-2.0+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:policykit-1:policykit-1:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:policykit-1:policykit_1:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:policykit_1:policykit-1:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:policykit_1:policykit_1:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:policykit:policykit-1:0.105-33:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:policykit:policykit_1:0.105-33:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/policykit-1@0.105-33?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"policykit-1\",\n \"version\": \"0.105-33\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-2568\"\n }\n }\n]", + "message": "{\n \"id\": \"6ace8efb10979881\",\n \"name\": \"polkitd\",\n \"version\": \"0.105-33\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/polkitd/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/polkitd.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/polkitd.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"LGPL-2\",\n \"LGPL-2.0+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:polkitd:polkitd:0.105-33:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/polkitd@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"policykit-1\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-8088", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-8088" + }, + { + "url": "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e" + }, + { + "url": "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64" + }, + { + "url": "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea" + }, + { + "url": "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db" + }, + { + "url": "https://github.com/python/cpython/issues/122905" + }, + { + "url": "https://github.com/python/cpython/issues/123270" + }, + { + "url": "https://github.com/python/cpython/pull/122906" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-8088 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-8088", + "desc": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-8088\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-8088\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-8088\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-8088\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-8088\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e\",\n \"https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64\",\n \"https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea\",\n \"https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db\",\n \"https://github.com/python/cpython/issues/122905\",\n \"https://github.com/python/cpython/issues/123270\",\n \"https://github.com/python/cpython/pull/122906\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/\"\n ],\n \"description\": \"There is a HIGH severity vulnerability affecting the CPython \\\"zipfile\\\"\\nmodule affecting \\\"zipfile.Path\\\". Note that the more common API \\\"zipfile.ZipFile\\\" class is unaffected.\\n\\n\\n\\n\\n\\nWhen iterating over names of entries in a zip archive (for example, methods\\nof \\\"zipfile.Path\\\" like \\\"namelist()\\\", \\\"iterdir()\\\", etc)\\nthe process can be put into an infinite loop with a maliciously crafted\\nzip archive. This defect applies when reading only metadata or extracting\\nthe contents of the zip archive. Programs that are not handling\\nuser-controlled zip archives are not affected.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-8088\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-7592", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-7592" + }, + { + "url": "https://github.com/python/cpython/issues/123067" + }, + { + "url": "https://github.com/python/cpython/pull/123075" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-7592 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-7592", + "desc": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-7592\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-7592\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-7592\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-7592\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-7592\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/issues/123067\",\n \"https://github.com/python/cpython/pull/123075\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/\"\n ],\n \"description\": \"There is a LOW severity vulnerability affecting CPython, specifically the\\n'http.cookies' standard library module.\\n\\n\\nWhen parsing cookies that contained backslashes for quoted characters in\\nthe cookie value, the parser would use an algorithm with quadratic\\ncomplexity, resulting in excess CPU resources being used while parsing the\\nvalue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-7592\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-6923", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-6923" + }, + { + "url": "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7" + }, + { + "url": "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0" + }, + { + "url": "https://github.com/python/cpython/issues/121650" + }, + { + "url": "https://github.com/python/cpython/pull/122233" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-6923 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-6923", + "desc": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-6923\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-6923\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-6923\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-6923\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-6923\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7\",\n \"https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0\",\n \"https://github.com/python/cpython/issues/121650\",\n \"https://github.com/python/cpython/pull/122233\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/\"\n ],\n \"description\": \"There is a MEDIUM severity vulnerability affecting CPython.\\n\\nThe \\nemail module didn’t properly quote newlines for email headers when \\nserializing an email message allowing for header injection when an email\\n is serialized.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 2.1,\n \"impactScore\": 3.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6923\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0397", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.10.12-1~22.04.5", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-0397" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/17/2" + }, + { + "url": "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d" + }, + { + "url": "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524" + }, + { + "url": "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e" + }, + { + "url": "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286" + }, + { + "url": "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa" + }, + { + "url": "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab" + }, + { + "url": "https://github.com/python/cpython/issues/114572" + }, + { + "url": "https://github.com/python/cpython/pull/114573" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0397 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-0397", + "desc": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0397\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-0397\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-0397\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.10.12-1~22.04.5\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-0397\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0397\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/17/2\",\n \"https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d\",\n \"https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524\",\n \"https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e\",\n \"https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286\",\n \"https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa\",\n \"https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab\",\n \"https://github.com/python/cpython/issues/114572\",\n \"https://github.com/python/cpython/pull/114573\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/\"\n ],\n \"description\": \"A defect was discovered in the Python “ssl” module where there is a memory\\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\\n“get_ca_certs()”. The race condition can be triggered if the methods are\\ncalled at the same time as certificates are loaded into the SSLContext,\\nsuch as during the TLS handshake with a certificate directory configured.\\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0397\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-27043", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-27043" + }, + { + "url": "http://python.org" + }, + { + "url": "https://github.com/python/cpython/issues/102988" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/" + }, + { + "url": "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230601-0003/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-27043 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-27043", + "desc": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-27043\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-27043\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-27043\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-27043\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-27043\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://python.org\",\n \"https://github.com/python/cpython/issues/102988\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/\",\n \"https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html\",\n \"https://security.netapp.com/advisory/ntap-20230601-0003/\"\n ],\n \"description\": \"The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-27043\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-4032", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.10.12-1~22.04.5", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-4032" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/17/3" + }, + { + "url": "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8" + }, + { + "url": "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f" + }, + { + "url": "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3" + }, + { + "url": "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb" + }, + { + "url": "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906" + }, + { + "url": "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3" + }, + { + "url": "https://github.com/python/cpython/issues/113171" + }, + { + "url": "https://github.com/python/cpython/pull/113179" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240726-0004/" + }, + { + "url": "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + }, + { + "url": "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-4032 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-4032", + "desc": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-4032\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-4032\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-4032\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.10.12-1~22.04.5\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-4032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-4032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/17/3\",\n \"https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8\",\n \"https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f\",\n \"https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3\",\n \"https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb\",\n \"https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906\",\n \"https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3\",\n \"https://github.com/python/cpython/issues/113171\",\n \"https://github.com/python/cpython/pull/113179\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/\",\n \"https://security.netapp.com/advisory/ntap-20240726-0004/\",\n \"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\n \"https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml\"\n ],\n \"description\": \"The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\\n\\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"b091a7d3eecb8cae\",\n \"name\": \"libpython3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"7c865f57958d3c18\",\n \"name\": \"libpython3.10-stdlib\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"4dc42e62f2b0d64b\",\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.10\",\n \"version\": \"3.10.12-1~22.04.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.10.12-1~22.04.5 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"e31d6d71fb42d87a\",\n \"name\": \"python3.10-minimal\",\n \"version\": \"3.10.12-1~22.04.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.10-minimal/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.10-minimal.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.10\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4032\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-42919", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-42919" + }, + { + "url": "https://github.com/python/cpython/compare/v3.10.8...v3.10.9" + }, + { + "url": "https://github.com/python/cpython/compare/v3.9.15...v3.9.16" + }, + { + "url": "https://github.com/python/cpython/issues/97514" + }, + { + "url": "https://github.com/python/cpython/issues/97514#issuecomment-1310277840" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/" + }, + { + "url": "https://security.gentoo.org/glsa/202305-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20221209-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-42919 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-42919", + "desc": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "impact": 0.7, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-42919\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-42919\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-42919\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-42919\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-42919\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/compare/v3.10.8...v3.10.9\",\n \"https://github.com/python/cpython/compare/v3.9.15...v3.9.16\",\n \"https://github.com/python/cpython/issues/97514\",\n \"https://github.com/python/cpython/issues/97514#issuecomment-1310277840\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/\",\n \"https://security.gentoo.org/glsa/202305-02\",\n \"https://security.netapp.com/advisory/ntap-20221209-0006/\"\n ],\n \"description\": \"Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-42919\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0450", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-0450" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/20/5" + }, + { + "url": "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85" + }, + { + "url": "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba" + }, + { + "url": "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675" + }, + { + "url": "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51" + }, + { + "url": "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549" + }, + { + "url": "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183" + }, + { + "url": "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b" + }, + { + "url": "https://github.com/python/cpython/issues/109858" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/" + }, + { + "url": "https://www.bamsoftware.com/hacks/zipbomb/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0450 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-0450", + "desc": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0450\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-0450\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-0450\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-0450\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0450\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/03/20/5\",\n \"https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85\",\n \"https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba\",\n \"https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675\",\n \"https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51\",\n \"https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549\",\n \"https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183\",\n \"https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b\",\n \"https://github.com/python/cpython/issues/109858\",\n \"https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/\",\n \"https://www.bamsoftware.com/hacks/zipbomb/\"\n ],\n \"description\": \"An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\\n\\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"cna@python.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0450\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6597", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6597" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/20/5" + }, + { + "url": "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a" + }, + { + "url": "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25" + }, + { + "url": "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5" + }, + { + "url": "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d" + }, + { + "url": "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82" + }, + { + "url": "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b" + }, + { + "url": "https://github.com/python/cpython/issues/91133" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6597 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-6597", + "desc": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6597\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6597\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6597\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6597\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6597\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/03/20/5\",\n \"https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a\",\n \"https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25\",\n \"https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5\",\n \"https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d\",\n \"https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82\",\n \"https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b\",\n \"https://github.com/python/cpython/issues/91133\",\n \"https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/\"\n ],\n \"description\": \"An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\\n\\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\\n\",\n \"cvss\": [\n {\n \"source\": \"cna@python.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.4,\n \"impactScore\": 5.8\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6597\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-41105", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-41105" + }, + { + "url": "https://github.com/python/cpython/issues/106242" + }, + { + "url": "https://github.com/python/cpython/pull/107981" + }, + { + "url": "https://github.com/python/cpython/pull/107982" + }, + { + "url": "https://github.com/python/cpython/pull/107983" + }, + { + "url": "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231006-0015/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-41105 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-41105", + "desc": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-41105\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-41105\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-41105\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-41105\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-41105\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/issues/106242\",\n \"https://github.com/python/cpython/pull/107981\",\n \"https://github.com/python/cpython/pull/107982\",\n \"https://github.com/python/cpython/pull/107983\",\n \"https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/\",\n \"https://security.netapp.com/advisory/ntap-20231006-0015/\"\n ],\n \"description\": \"An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-41105\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-40217", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-40217" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html" + }, + { + "url": "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231006-0014/" + }, + { + "url": "https://www.python.org/dev/security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-40217 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-40217", + "desc": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-40217\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-40217\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-40217\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-40217\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-40217\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html\",\n \"https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html\",\n \"https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/\",\n \"https://security.netapp.com/advisory/ntap-20231006-0014/\",\n \"https://www.python.org/dev/security/\"\n ],\n \"description\": \"An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \\\"not connected\\\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-40217\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-24329", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-24329" + }, + { + "url": "https://github.com/python/cpython/issues/102153" + }, + { + "url": "https://github.com/python/cpython/pull/99421" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/" + }, + { + "url": "https://pointernull.com/security/python-url-parse-problem.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230324-0004/" + }, + { + "url": "https://www.kb.cert.org/vuls/id/127587" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-24329 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-24329", + "desc": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-24329\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-24329\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-24329\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-24329\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-24329\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/issues/102153\",\n \"https://github.com/python/cpython/pull/99421\",\n \"https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/\",\n \"https://pointernull.com/security/python-url-parse-problem.html\",\n \"https://security.netapp.com/advisory/ntap-20230324-0004/\",\n \"https://www.kb.cert.org/vuls/id/127587\"\n ],\n \"description\": \"An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-24329\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-45061", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-45061" + }, + { + "url": "https://github.com/python/cpython/issues/98433" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/" + }, + { + "url": "https://security.gentoo.org/glsa/202305-02" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20221209-0007/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-45061 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-45061", + "desc": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-45061\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-45061\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-45061\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-45061\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45061\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/python/cpython/issues/98433\",\n \"https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/\",\n \"https://security.gentoo.org/glsa/202305-02\",\n \"https://security.netapp.com/advisory/ntap-20221209-0007/\"\n ],\n \"description\": \"An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"6804eab1d6c15334\",\n \"name\": \"libpython3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"f22d42b9e8547354\",\n \"name\": \"libpython3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"79dc12f98cb88c59\",\n \"name\": \"libpython3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"2f404a2f16e30ca1\",\n \"name\": \"libpython3.11-stdlib\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libpython3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"b01dc75ced99d8e1\",\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"79c2c10d8eae10cc\",\n \"name\": \"python3.11-dev\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-dev.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"9176608c6605979b\",\n \"name\": \"python3.11-minimal\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11-minimal/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-minimal.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python3.11\",\n \"version\": \"3.11.0~rc1-1~22.04\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45061\"\n }\n }\n]", + "message": "{\n \"id\": \"ea04946965edbd31\",\n \"name\": \"python3.11-venv\",\n \"version\": \"3.11.0~rc1-1~22.04\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3.11/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3.11-venv.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"By\",\n \"GPL-2\",\n \"Permission\",\n \"Redistribution\",\n \"This\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python3.11\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41996", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41996" + }, + { + "url": "https://dheatattack.gitlab.io/details/" + }, + { + "url": "https://dheatattack.gitlab.io/faq/" + }, + { + "url": "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41996 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-41996", + "desc": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41996\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41996\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41996\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41996\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41996\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://dheatattack.gitlab.io/details/\",\n \"https://dheatattack.gitlab.io/faq/\",\n \"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1\"\n ],\n \"description\": \"Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41996\"\n }\n }\n]", + "message": "{\n \"id\": \"44b973ec93703d21\",\n \"name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libssl3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41996\"\n }\n }\n]", + "message": "{\n \"id\": \"fed47764300c311f\",\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-5535", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.0.2-0ubuntu1.17", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-5535" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/27/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4" + }, + { + "url": "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37" + }, + { + "url": "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e" + }, + { + "url": "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c" + }, + { + "url": "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240712-0005/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240627.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-5535 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-5535", + "desc": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-5535\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-5535\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-5535\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.0.2-0ubuntu1.17\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-5535\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-5535\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/06/27/1\",\n \"http://www.openwall.com/lists/oss-security/2024/06/28/4\",\n \"https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37\",\n \"https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e\",\n \"https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c\",\n \"https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c\",\n \"https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87\",\n \"https://security.netapp.com/advisory/ntap-20240712-0005/\",\n \"https://www.openssl.org/news/secadv/20240627.txt\"\n ],\n \"description\": \"Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\\nempty supported client protocols buffer may cause a crash or memory contents to\\nbe sent to the peer.\\n\\nImpact summary: A buffer overread can have a range of potential consequences\\nsuch as unexpected application beahviour or a crash. In particular this issue\\ncould result in up to 255 bytes of arbitrary private data from memory being sent\\nto the peer leading to a loss of confidentiality. However, only applications\\nthat directly call the SSL_select_next_proto function with a 0 length list of\\nsupported client protocols are affected by this issue. This would normally never\\nbe a valid scenario and is typically not under attacker control but may occur by\\naccident in the case of a configuration or programming error in the calling\\napplication.\\n\\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\\n(Next Protocol Negotiation). NPN is older, was never standardised and\\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\\nprotocols from the server and a list of protocols from the client and returns\\nthe first protocol that appears in the server list that also appears in the\\nclient list. In the case of no overlap between the two lists it returns the\\nfirst item in the client list. In either case it will signal whether an overlap\\nbetween the two lists was found. In the case where SSL_select_next_proto is\\ncalled with a zero length client list it fails to notice this condition and\\nreturns the memory immediately following the client list pointer (and reports\\nthat there was no overlap in the lists).\\n\\nThis function is typically called from a server side application callback for\\nALPN or a client side application callback for NPN. In the case of ALPN the list\\nof protocols supplied by the client is guaranteed by libssl to never be zero in\\nlength. The list of server protocols comes from the application and should never\\nnormally be expected to be of zero length. In this case if the\\nSSL_select_next_proto function has been called as expected (with the list\\nsupplied by the client passed in the client/client_len parameters), then the\\napplication will not be vulnerable to this issue. If the application has\\naccidentally been configured with a zero length server list, and has\\naccidentally passed that zero length server list in the client/client_len\\nparameters, and has additionally failed to correctly handle a \\\"no overlap\\\"\\nresponse (which would normally result in a handshake failure in ALPN) then it\\nwill be vulnerable to this problem.\\n\\nIn the case of NPN, the protocol permits the client to opportunistically select\\na protocol when there is no overlap. OpenSSL returns the first client protocol\\nin the no overlap case in support of this. The list of client protocols comes\\nfrom the application and should never normally be expected to be of zero length.\\nHowever if the SSL_select_next_proto function is accidentally called with a\\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\\napplication uses this output as the opportunistic protocol then the loss of\\nconfidentiality will occur.\\n\\nThis issue has been assessed as Low severity because applications are most\\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\\nwidely used. It also requires an application configuration or programming error.\\nFinally, this issue would not typically be under attacker control making active\\nexploitation unlikely.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\\n\\nDue to the low severity of this issue we are not issuing new releases of\\nOpenSSL at this time. The fix will be included in the next releases when they\\nbecome available.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-5535\"\n }\n }\n]", + "message": "{\n \"id\": \"44b973ec93703d21\",\n \"name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libssl3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-5535\"\n }\n }\n]", + "message": "{\n \"id\": \"fed47764300c311f\",\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-4741", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.0.2-0ubuntu1.17", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-4741" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-4741 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-4741", + "desc": "no description found", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-4741\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-4741\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-4741\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.0.2-0ubuntu1.17\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4741\"\n }\n }\n]", + "message": "{\n \"id\": \"44b973ec93703d21\",\n \"name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libssl3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4741\"\n }\n }\n]", + "message": "{\n \"id\": \"fed47764300c311f\",\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-4603", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.0.2-0ubuntu1.17", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-4603" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/16/2" + }, + { + "url": "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397" + }, + { + "url": "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e" + }, + { + "url": "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d" + }, + { + "url": "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0001/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240516.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-4603 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-4603", + "desc": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-4603\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-4603\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-4603\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.0.2-0ubuntu1.17\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-4603\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-4603\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/16/2\",\n \"https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397\",\n \"https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e\",\n \"https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d\",\n \"https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740\",\n \"https://security.netapp.com/advisory/ntap-20240621-0001/\",\n \"https://www.openssl.org/news/secadv/20240516.txt\"\n ],\n \"description\": \"Issue summary: Checking excessively long DSA keys or parameters may be very\\nslow.\\n\\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\\nexperience long delays. Where the key or parameters that are being checked\\nhave been obtained from an untrusted source this may lead to a Denial of\\nService.\\n\\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\\nvarious checks on DSA parameters. Some of those computations take a long time\\nif the modulus (`p` parameter) is too large.\\n\\nTrying to use a very large modulus is slow and OpenSSL will not allow using\\npublic keys with a modulus which is over 10,000 bits in length for signature\\nverification. However the key and parameter check functions do not limit\\nthe modulus size when performing the checks.\\n\\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\\nand supplies a key or parameters obtained from an untrusted source could be\\nvulnerable to a Denial of Service attack.\\n\\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\\nonly applications that directly call these functions may be vulnerable.\\n\\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\\nwhen using the `-check` option.\\n\\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\\n\\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4603\"\n }\n }\n]", + "message": "{\n \"id\": \"44b973ec93703d21\",\n \"name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libssl3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-4603\"\n }\n }\n]", + "message": "{\n \"id\": \"fed47764300c311f\",\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-2511", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 3.0.2-0ubuntu1.17", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-2511" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/04/08/5" + }, + { + "url": "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce" + }, + { + "url": "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d" + }, + { + "url": "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240503-0013/" + }, + { + "url": "https://www.openssl.org/news/secadv/20240408.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-2511 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-2511", + "desc": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-2511\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-2511\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-2511\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"3.0.2-0ubuntu1.17\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-2511\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-2511\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/04/08/5\",\n \"https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce\",\n \"https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d\",\n \"https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08\",\n \"https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640\",\n \"https://security.netapp.com/advisory/ntap-20240503-0013/\",\n \"https://www.openssl.org/news/secadv/20240408.txt\"\n ],\n \"description\": \"Issue summary: Some non-default TLS server configurations can cause unbounded\\nmemory growth when processing TLSv1.3 sessions\\n\\nImpact summary: An attacker may exploit certain server configurations to trigger\\nunbounded memory growth that would lead to a Denial of Service\\n\\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\\nbeing used (but not if early_data support is also configured and the default\\nanti-replay protection is in use). In this case, under certain conditions, the\\nsession cache can get into an incorrect state and it will fail to flush properly\\nas it fills. The session cache will continue to grow in an unbounded manner. A\\nmalicious client could deliberately create the scenario for this failure to\\nforce a Denial of Service. It may also happen by accident in normal operation.\\n\\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\\nclients.\\n\\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\\n1.0.2 is also not affected by this issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-2511\"\n }\n }\n]", + "message": "{\n \"id\": \"44b973ec93703d21\",\n \"name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libssl3:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"openssl\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 3.0.2-0ubuntu1.17 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-2511\"\n }\n }\n]", + "message": "{\n \"id\": \"fed47764300c311f\",\n \"name\": \"openssl\",\n \"version\": \"3.0.2-0ubuntu1.16\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libssl3/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/openssl.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"Artistic\",\n \"GPL-1\",\n \"GPL-1+\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-46848", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-46848" + }, + { + "url": "https://bugs.gentoo.org/866237" + }, + { + "url": "https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5" + }, + { + "url": "https://gitlab.com/gnutls/libtasn1/-/issues/32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00003.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV4SHDJF2XLB4CUPTBPQQ6CLGZ5LKXPZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECM2ELTVRYV4BZ5L5GMIRQE27RFHPAQ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGO7XST4EIJGX4B2ITZCYSWM24534BSU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V5LWOGF7QRMNFRUCZY6TDYQJVFI6MOQ2/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20221118-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-46848 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-46848", + "desc": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-46848\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-46848\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-46848\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-46848\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-46848\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://bugs.gentoo.org/866237\",\n \"https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5\",\n \"https://gitlab.com/gnutls/libtasn1/-/issues/32\",\n \"https://lists.debian.org/debian-lts-announce/2023/01/msg00003.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV4SHDJF2XLB4CUPTBPQQ6CLGZ5LKXPZ/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECM2ELTVRYV4BZ5L5GMIRQE27RFHPAQ6/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGO7XST4EIJGX4B2ITZCYSWM24534BSU/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V5LWOGF7QRMNFRUCZY6TDYQJVFI6MOQ2/\",\n \"https://security.netapp.com/advisory/ntap-20221118-0006/\"\n ],\n \"description\": \"GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libtasn1-6\",\n \"version\": \"4.18.0-4build1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46848\"\n }\n }\n]", + "message": "{\n \"id\": \"48034bac058cf4d8\",\n \"name\": \"libtasn1-6\",\n \"version\": \"4.18.0-4build1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libtasn1-6/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libtasn1-6:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.3\",\n \"GPL-3\",\n \"LGPL\",\n \"LGPL-2.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libtasn1-6:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libtasn1-6:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libtasn1_6:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libtasn1_6:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libtasn1:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libtasn1:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-34459", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-34459" + }, + { + "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720" + }, + { + "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8" + }, + { + "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-34459 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-34459", + "desc": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-34459\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-34459\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-34459\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-34459\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-34459\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://gitlab.gnome.org/GNOME/libxml2/-/issues/720\",\n \"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8\",\n \"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/\"\n ],\n \"description\": \"An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libxml2\",\n \"version\": \"2.9.13+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-34459\"\n }\n }\n]", + "message": "{\n \"id\": \"2c561f4e739dd13a\",\n \"name\": \"libxml2\",\n \"version\": \"2.9.13+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libxml2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libxml2:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"ISC\",\n \"MIT-1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libxml2:libxml2:2.9.13+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libxml2@2.9.13%2Bdfsg-1ubuntu0.4?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35328", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35328" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35328 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-35328", + "desc": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35328\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35328\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35328\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35328\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35328\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libyaml\",\n \"version\": \"0.2.2-1build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35328\"\n }\n }\n]", + "message": "{\n \"id\": \"df8d710de57d7548\",\n \"name\": \"libyaml-0-2\",\n \"version\": \"0.2.2-1build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libyaml-0-2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Expat\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"libyaml\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35326", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35326" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35326 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-35326", + "desc": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35326\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35326\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35326\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35326\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35326\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libyaml\",\n \"version\": \"0.2.2-1build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35326\"\n }\n }\n]", + "message": "{\n \"id\": \"df8d710de57d7548\",\n \"name\": \"libyaml-0-2\",\n \"version\": \"0.2.2-1build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libyaml-0-2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Expat\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"libyaml\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35325", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35325" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35325 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-35325", + "desc": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35325\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35325\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35325\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35325\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35325\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libyaml\",\n \"version\": \"0.2.2-1build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35325\"\n }\n }\n]", + "message": "{\n \"id\": \"df8d710de57d7548\",\n \"name\": \"libyaml-0-2\",\n \"version\": \"0.2.2-1build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libyaml-0-2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Expat\",\n \"permissive\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"libyaml\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-4899", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-4899" + }, + { + "url": "https://github.com/facebook/zstd/issues/3200" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230725-0005/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-4899 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2022-4899", + "desc": "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-4899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-4899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-4899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-4899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-4899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/facebook/zstd/issues/3200\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/\",\n \"https://security.netapp.com/advisory/ntap-20230725-0005/\"\n ],\n \"description\": \"A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"libzstd\",\n \"version\": \"1.4.8+dfsg-3build1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-4899\"\n }\n }\n]", + "message": "{\n \"id\": \"db01fe463729db55\",\n \"name\": \"libzstd1\",\n \"version\": \"1.4.8+dfsg-3build1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/libzstd1/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/libzstd1:amd64.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3-clause\",\n \"Expat\",\n \"GPL-2\",\n \"zlib\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:libzstd1:libzstd1:1.4.8+dfsg-3build1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&upstream=libzstd&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"libzstd\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-29383", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-29383" + }, + { + "url": "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d" + }, + { + "url": "https://github.com/shadow-maint/shadow/pull/687" + }, + { + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/" + }, + { + "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-29383 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-29383", + "desc": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-29383\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-29383\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-29383\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-29383\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-29383\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d\",\n \"https://github.com/shadow-maint/shadow/pull/687\",\n \"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/\",\n \"https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797\"\n ],\n \"description\": \"In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\\\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\\\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \\\"cat /etc/passwd\\\" shows a rogue user account.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"shadow\",\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-29383\"\n }\n }\n]", + "message": "{\n \"id\": \"c25e61c8104d045b\",\n \"name\": \"login\",\n \"version\": \"1:4.8.1-2ubuntu2.2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/login/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/login.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/login.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:login:login:1:4.8.1-2ubuntu2.2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/login@1:4.8.1-2ubuntu2.2?arch=amd64&upstream=shadow&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"shadow\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"shadow\",\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-29383\"\n }\n }\n]", + "message": "{\n \"id\": \"fdb7dd2a267a46c4\",\n \"name\": \"passwd\",\n \"version\": \"1:4.8.1-2ubuntu2.2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/passwd/copyright\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/passwd.conffiles\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/passwd.md5sums\",\n \"layerID\": \"sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:passwd:passwd:1:4.8.1-2ubuntu2.2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/passwd@1:4.8.1-2ubuntu2.2?arch=amd64&upstream=shadow&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"shadow\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-45261", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-45261" + }, + { + "url": "https://savannah.gnu.org/bugs/?61685" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-45261 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-45261", + "desc": "An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-45261\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-45261\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-45261\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-45261\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-45261\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://savannah.gnu.org/bugs/?61685\"\n ],\n \"description\": \"An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-45261\"\n }\n }\n]", + "message": "{\n \"id\": \"ee1d527e22791580\",\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/patch/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/patch.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-20633", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-20633" + }, + { + "url": "https://savannah.gnu.org/bugs/index.php?56683" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-20633 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2019-20633", + "desc": "GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-20633\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-20633\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-20633\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-20633\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-20633\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://savannah.gnu.org/bugs/index.php?56683\"\n ],\n \"description\": \"GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-20633\"\n }\n }\n]", + "message": "{\n \"id\": \"ee1d527e22791580\",\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/patch/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/patch.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-6952", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-6952" + }, + { + "url": "http://www.securityfocus.com/bid/103047" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2033" + }, + { + "url": "https://savannah.gnu.org/bugs/index.php?53133" + }, + { + "url": "https://security.gentoo.org/glsa/201904-17" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-6952 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2018-6952", + "desc": "A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-6952\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-6952\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-6952\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-6952\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-6952\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/103047\",\n \"https://access.redhat.com/errata/RHSA-2019:2033\",\n \"https://savannah.gnu.org/bugs/index.php?53133\",\n \"https://security.gentoo.org/glsa/201904-17\"\n ],\n \"description\": \"A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-6952\"\n }\n }\n]", + "message": "{\n \"id\": \"ee1d527e22791580\",\n \"name\": \"patch\",\n \"version\": \"2.7.6-7build2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/patch/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/patch.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-21240", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-21240" + }, + { + "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc" + }, + { + "url": "https://github.com/httplib2/httplib2/pull/182" + }, + { + "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m" + }, + { + "url": "https://pypi.org/project/httplib2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-21240 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-21240", + "desc": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-21240\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-21240\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-21240\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-21240\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-21240\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc\",\n \"https://github.com/httplib2/httplib2/pull/182\",\n \"https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m\",\n \"https://pypi.org/project/httplib2\"\n ],\n \"description\": \"httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \\\"\\\\xa0\\\" characters in the \\\"www-authenticate\\\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-httplib2\",\n \"version\": \"0.20.2-2\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-21240\"\n }\n }\n]", + "message": "{\n \"id\": \"9a3b917c64001b05\",\n \"name\": \"python3-httplib2\",\n \"version\": \"0.20.2-2\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-httplib2/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-httplib2.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"BSD-3\",\n \"Expat\",\n \"GPL-2\",\n \"GPL-2+\",\n \"GPL-3\",\n \"GPL-3+\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-1.1\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-httplib2:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-httplib2:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_httplib2:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_httplib2:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-httplib2@0.20.2-2?arch=all&upstream=python-httplib2&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-httplib2\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-6345", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-6345" + }, + { + "url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0" + }, + { + "url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-6345 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-6345", + "desc": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-6345\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-6345\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-6345\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-6345\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-6345\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0\",\n \"https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5\"\n ],\n \"description\": \"A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.\",\n \"cvss\": [\n {\n \"source\": \"security@huntr.dev\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6345\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"setuptools\",\n \"version\": \"59.6.0-1.2ubuntu0.22.04.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6345\"\n }\n }\n]", + "message": "{\n \"id\": \"96186ba8ec8bad45\",\n \"name\": \"python3-pkg-resources\",\n \"version\": \"59.6.0-1.2ubuntu0.22.04.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pkg-resources/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pkg-resources.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-3-clause\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pkg-resources:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pkg-resources:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pkg_resources:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pkg_resources:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pkg:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pkg:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pkg:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pkg:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pkg-resources@59.6.0-1.2ubuntu0.22.04.1?arch=all&upstream=setuptools&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"setuptools\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + }, + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"setuptools\",\n \"version\": \"59.6.0-1.2ubuntu0.22.04.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-6345\"\n }\n }\n]", + "message": "{\n \"id\": \"2806aa205839c7c6\",\n \"name\": \"python3-setuptools-whl\",\n \"version\": \"59.6.0-1.2ubuntu0.22.04.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-setuptools-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-setuptools-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-3-clause\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-setuptools-whl:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-setuptools-whl:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_setuptools_whl:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_setuptools_whl:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-setuptools:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-setuptools:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_setuptools:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_setuptools:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-setuptools-whl@59.6.0-1.2ubuntu0.22.04.1?arch=all&upstream=setuptools&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"setuptools\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-3651", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-3651" + }, + { + "url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d" + }, + { + "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-3651 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-3651", + "desc": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-3651\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-3651\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-3651\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-3651\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-3651\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d\",\n \"https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb\"\n ],\n \"description\": \"A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.\",\n \"cvss\": [\n {\n \"source\": \"security@huntr.dev\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-3651\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35195", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35195" + }, + { + "url": "https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac" + }, + { + "url": "https://github.com/psf/requests/pull/6655" + }, + { + "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35195 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-35195", + "desc": "Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35195\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35195\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35195\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35195\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35195\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac\",\n \"https://github.com/psf/requests/pull/6655\",\n \"https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ/\"\n ],\n \"description\": \"Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.\",\n \"cvss\": [\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.6,\n \"exploitabilityScore\": 0.3,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35195\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-5752", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-5752" + }, + { + "url": "https://github.com/pypa/pip/pull/12306" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-5752 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-5752", + "desc": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-5752\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-5752\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-5752\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-5752\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-5752\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://github.com/pypa/pip/pull/12306\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/\",\n \"https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/\"\n ],\n \"description\": \"When installing a package from a Mercurial VCS URL (ie \\\"pip install \\nhg+...\\\") with pip prior to v23.3, the specified Mercurial revision could\\n be used to inject arbitrary configuration options to the \\\"hg clone\\\" \\ncall (ie \\\"--config\\\"). Controlling the Mercurial configuration can modify\\n how and which repository is installed. This vulnerability does not \\naffect users who aren't installing from Mercurial.\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"cna@python.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-5752\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-32681", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-32681" + }, + { + "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" + }, + { + "url": "https://github.com/psf/requests/releases/tag/v2.31.0" + }, + { + "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/" + }, + { + "url": "https://security.gentoo.org/glsa/202309-08" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-32681 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2023-32681", + "desc": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-32681\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-32681\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-32681\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-32681\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-32681\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5\",\n \"https://github.com/psf/requests/releases/tag/v2.31.0\",\n \"https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q\",\n \"https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/\",\n \"https://security.gentoo.org/glsa/202309-08\"\n ],\n \"description\": \"Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 6.1,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 6.1,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-32681\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37891", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37891" + }, + { + "url": "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e" + }, + { + "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37891 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-37891", + "desc": " urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.", + "impact": 0.3, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37891\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37891\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37891\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37891\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37891\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e\",\n \"https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf\"\n ],\n \"description\": \" urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.\",\n \"cvss\": [\n {\n \"source\": \"security-advisories@github.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.7,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-pip\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37891\"\n }\n }\n]", + "message": "{\n \"id\": \"0e693380e112a507\",\n \"name\": \"python3-pip-whl\",\n \"version\": \"22.0.2+dfsg-1ubuntu0.4\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-pip-whl/copyright\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-pip-whl.md5sums\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Apache-2.0\",\n \"BSD-2\",\n \"BSD-3\",\n \"Expat\",\n \"ISC\",\n \"LGPL-2.1\",\n \"LGPL-2.1+\",\n \"MPL-2\",\n \"MPL-2.0\",\n \"Python\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-pip\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-5569", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 1.0.0-3ubuntu0.1", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-5569" + }, + { + "url": "https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd" + }, + { + "url": "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-5569 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2024-5569", + "desc": "A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-5569\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-5569\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-5569\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"1.0.0-3ubuntu0.1\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-5569\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-5569\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd\",\n \"https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae\"\n ],\n \"description\": \"A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.\",\n \"cvss\": [\n {\n \"source\": \"security@huntr.dev\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"python-zipp\",\n \"version\": \"1.0.0-3\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 1.0.0-3ubuntu0.1 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-5569\"\n }\n }\n]", + "message": "{\n \"id\": \"e3bc49624ab198ff\",\n \"name\": \"python3-zipp\",\n \"version\": \"1.0.0-3\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/python3-zipp/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/python3-zipp.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"Expat\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:python3-zipp:python3-zipp:1.0.0-3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3-zipp:python3_zipp:1.0.0-3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_zipp:python3-zipp:1.0.0-3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3_zipp:python3_zipp:1.0.0-3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3-zipp:1.0.0-3:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:python3:python3_zipp:1.0.0-3:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/python3-zipp@1.0.0-3?arch=all&upstream=python-zipp&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"python-zipp\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-31879", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-31879" + }, + { + "url": "https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210618-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-31879 in tensorflow/tensorflow:latest", + "id": "Grype/CVE-2021-31879", + "desc": "GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.", + "impact": 0.5, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-31879\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-31879\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-31879\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-31879\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-31879\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html\",\n \"https://security.netapp.com/advisory/ntap-20210618-0002/\"\n ],\n \"description\": \"GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 5.8,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 6.1,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 2.7\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-direct-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"wget\",\n \"version\": \"1.21.2-2ubuntu1.1\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-31879\"\n }\n }\n]", + "message": "{\n \"id\": \"313cc77842f860d3\",\n \"name\": \"wget\",\n \"version\": \"1.21.2-2ubuntu1.1\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/wget/copyright\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/wget.conffiles\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/wget.md5sums\",\n \"layerID\": \"sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GFDL-1.2\",\n \"GPL-3\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:wget:wget:1.21.2-2ubuntu1.1:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/wget@1.21.2-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04\",\n \"upstreams\": []\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2012-4542", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2012-4542" + }, + { + "url": "http://marc.info/?l=linux-kernel&m=135903967015813&w=2" + }, + { + "url": "http://marc.info/?l=linux-kernel&m=135904012416042&w=2" + }, + { + "url": "http://rhn.redhat.com/errata/RHSA-2013-0496.html" + }, + { + "url": "http://rhn.redhat.com/errata/RHSA-2013-0579.html" + }, + { + "url": "http://rhn.redhat.com/errata/RHSA-2013-0882.html" + }, + { + "url": "http://rhn.redhat.com/errata/RHSA-2013-0928.html" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=875360" + }, + { + "url": "https://oss.oracle.com/git/?p=redpatch.git%3Ba=commit%3Bh=76a274e17114abf1a77de6b651424648ce9e10c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2012-4542 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2012-4542", + "desc": "block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2012-4542\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2012-4542\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2012-4542\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2012-4542\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2012-4542\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://marc.info/?l=linux-kernel&m=135903967015813&w=2\",\n \"http://marc.info/?l=linux-kernel&m=135904012416042&w=2\",\n \"http://rhn.redhat.com/errata/RHSA-2013-0496.html\",\n \"http://rhn.redhat.com/errata/RHSA-2013-0579.html\",\n \"http://rhn.redhat.com/errata/RHSA-2013-0882.html\",\n \"http://rhn.redhat.com/errata/RHSA-2013-0928.html\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=875360\",\n \"https://oss.oracle.com/git/?p=redpatch.git%3Ba=commit%3Bh=76a274e17114abf1a77de6b651424648ce9e10c8\"\n ],\n \"description\": \"block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2012-4542\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2013-7445", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2013-7445" + }, + { + "url": "https://bugzilla.kernel.org/show_bug.cgi?id=60533" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2013-7445 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2013-7445", + "desc": "The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2013-7445\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2013-7445\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2013-7445\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2013-7445\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2013-7445\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.kernel.org/show_bug.cgi?id=60533\"\n ],\n \"description\": \"The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 10,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2013-7445\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2015-8553", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2015-8553" + }, + { + "url": "http://xenbits.xen.org/xsa/advisory-120.html" + }, + { + "url": "https://seclists.org/bugtraq/2019/Aug/18" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4497" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2015-8553 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2015-8553", + "desc": "Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2015-8553\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2015-8553\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2015-8553\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2015-8553\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-8553\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://xenbits.xen.org/xsa/advisory-120.html\",\n \"https://seclists.org/bugtraq/2019/Aug/18\",\n \"https://www.debian.org/security/2019/dsa-4497\"\n ],\n \"description\": \"Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2015-8553\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2016-8660", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2016-8660" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2016/10/13/8" + }, + { + "url": "http://www.securityfocus.com/bid/93558" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1384851" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2016-8660 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2016-8660", + "desc": "The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a \"page lock order bug in the XFS seek hole/data implementation.\"", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2016-8660\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2016-8660\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2016-8660\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2016-8660\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-8660\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2016/10/13/8\",\n \"http://www.securityfocus.com/bid/93558\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=1384851\"\n ],\n \"description\": \"The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a \\\"page lock order bug in the XFS seek hole/data implementation.\\\"\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2016-8660\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-0537", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-0537" + }, + { + "url": "http://www.securityfocus.com/bid/96831" + }, + { + "url": "http://www.securitytracker.com/id/1037968" + }, + { + "url": "https://source.android.com/security/bulletin/2017-03-01" + }, + { + "url": "https://source.android.com/security/bulletin/2017-03-01.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-0537 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2017-0537", + "desc": "An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-31614969.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-0537\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-0537\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-0537\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-0537\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-0537\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/96831\",\n \"http://www.securitytracker.com/id/1037968\",\n \"https://source.android.com/security/bulletin/2017-03-01\",\n \"https://source.android.com/security/bulletin/2017-03-01.html\"\n ],\n \"description\": \"An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-31614969.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:H/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.6,\n \"exploitabilityScore\": 4.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-0537\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-13165", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-13165" + }, + { + "url": "https://source.android.com/security/bulletin/pixel/2017-12-01" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-13165 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2017-13165", + "desc": "An elevation of privilege vulnerability in the kernel file system. Product: Android. Versions: Android kernel. Android ID A-31269937.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-13165\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-13165\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-13165\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-13165\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-13165\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://source.android.com/security/bulletin/pixel/2017-12-01\"\n ],\n \"description\": \"An elevation of privilege vulnerability in the kernel file system. Product: Android. Versions: Android kernel. Android ID A-31269937.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13165\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-13693", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-13693" + }, + { + "url": "http://www.securityfocus.com/bid/100502" + }, + { + "url": "https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732" + }, + { + "url": "https://patchwork.kernel.org/patch/9919053/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-13693 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2017-13693", + "desc": "The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-13693\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-13693\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-13693\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-13693\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-13693\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/100502\",\n \"https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732\",\n \"https://patchwork.kernel.org/patch/9919053/\"\n ],\n \"description\": \"The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:C/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13693\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2017-13694", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2017-13694" + }, + { + "url": "http://www.securityfocus.com/bid/100500" + }, + { + "url": "https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0" + }, + { + "url": "https://patchwork.kernel.org/patch/9806085/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2017-13694 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2017-13694", + "desc": "The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2017-13694\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2017-13694\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2017-13694\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2017-13694\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-13694\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/100500\",\n \"https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0\",\n \"https://patchwork.kernel.org/patch/9806085/\"\n ],\n \"description\": \"The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2017-13694\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-1121", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-1121" + }, + { + "url": "http://seclists.org/oss-sec/2018/q2/122" + }, + { + "url": "http://www.securityfocus.com/bid/104214" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121" + }, + { + "url": "https://www.exploit-db.com/exploits/44806/" + }, + { + "url": "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-1121 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-1121", + "desc": "procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-1121\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-1121\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-1121\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-1121\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1121\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://seclists.org/oss-sec/2018/q2/122\",\n \"http://www.securityfocus.com/bid/104214\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121\",\n \"https://www.exploit-db.com/exploits/44806/\",\n \"https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt\"\n ],\n \"description\": \"procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L\",\n \"metrics\": {\n \"baseScore\": 3.9,\n \"exploitabilityScore\": 1.3,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-1121\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-12928", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-12928" + }, + { + "url": "http://www.securityfocus.com/bid/104593" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763384" + }, + { + "url": "https://marc.info/?l=linux-fsdevel&m=152407263325766&w=2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-12928 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-12928", + "desc": "In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-12928\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-12928\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-12928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-12928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/104593\",\n \"https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763384\",\n \"https://marc.info/?l=linux-fsdevel&m=152407263325766&w=2\"\n ],\n \"description\": \"In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-12928\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-12929", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-12929" + }, + { + "url": "http://www.securityfocus.com/bid/104588" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0641" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403" + }, + { + "url": "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-12929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-12929", + "desc": "ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-12929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-12929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-12929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-12929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/104588\",\n \"https://access.redhat.com/errata/RHSA-2019:0641\",\n \"https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403\",\n \"https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2\"\n ],\n \"description\": \"ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-12929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-12930", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-12930" + }, + { + "url": "http://www.securityfocus.com/bid/104588" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0641" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403" + }, + { + "url": "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-12930 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-12930", + "desc": "ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-12930\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-12930\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-12930\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-12930\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12930\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/104588\",\n \"https://access.redhat.com/errata/RHSA-2019:0641\",\n \"https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403\",\n \"https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2\"\n ],\n \"description\": \"ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-12930\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-12931", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-12931" + }, + { + "url": "http://www.securityfocus.com/bid/104588" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0641" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403" + }, + { + "url": "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-12931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-12931", + "desc": "ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-12931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-12931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-12931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-12931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/104588\",\n \"https://access.redhat.com/errata/RHSA-2019:0641\",\n \"https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403\",\n \"https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2\"\n ],\n \"description\": \"ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-12931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2018-17977", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2018-17977" + }, + { + "url": "http://www.securityfocus.com/bid/105539" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2018/10/05/5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2018-17977 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2018-17977", + "desc": "The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2018-17977\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2018-17977\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2018-17977\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2018-17977\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-17977\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.securityfocus.com/bid/105539\",\n \"https://www.openwall.com/lists/oss-security/2018/10/05/5\"\n ],\n \"description\": \"The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2018-17977\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-14899", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-14899" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/Dec/32" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/Jul/23" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/Jul/24" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/Jul/25" + }, + { + "url": "http://seclists.org/fulldisclosure/2020/Nov/20" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2020/08/13/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2020/10/07/3" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/07/05/1" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14899" + }, + { + "url": "https://openvpn.net/security-advisory/no-flaws-found-in-openvpn-software/" + }, + { + "url": "https://support.apple.com/kb/HT211288" + }, + { + "url": "https://support.apple.com/kb/HT211289" + }, + { + "url": "https://support.apple.com/kb/HT211290" + }, + { + "url": "https://support.apple.com/kb/HT211850" + }, + { + "url": "https://support.apple.com/kb/HT211931" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-14899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2019-14899", + "desc": "A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-14899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-14899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-14899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-14899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-14899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://seclists.org/fulldisclosure/2020/Dec/32\",\n \"http://seclists.org/fulldisclosure/2020/Jul/23\",\n \"http://seclists.org/fulldisclosure/2020/Jul/24\",\n \"http://seclists.org/fulldisclosure/2020/Jul/25\",\n \"http://seclists.org/fulldisclosure/2020/Nov/20\",\n \"http://www.openwall.com/lists/oss-security/2020/08/13/2\",\n \"http://www.openwall.com/lists/oss-security/2020/10/07/3\",\n \"http://www.openwall.com/lists/oss-security/2021/07/05/1\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14899\",\n \"https://openvpn.net/security-advisory/no-flaws-found-in-openvpn-software/\",\n \"https://support.apple.com/kb/HT211288\",\n \"https://support.apple.com/kb/HT211289\",\n \"https://support.apple.com/kb/HT211290\",\n \"https://support.apple.com/kb/HT211850\",\n \"https://support.apple.com/kb/HT211931\"\n ],\n \"description\": \"A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:M/Au:S/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 4.4,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 1.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 1.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-14899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-15213", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-15213" + }, + { + "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2019/08/20/2" + }, + { + "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.3" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6cf97230cd5f36b7665099083272595c55d72be7" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20190905-0002/" + }, + { + "url": "https://syzkaller.appspot.com/bug?id=a53c9c9dd2981bfdbfbcbc1ddbd35595eda8bced" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-15213 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2019-15213", + "desc": "An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-15213\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-15213\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-15213\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-15213\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-15213\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html\",\n \"http://www.openwall.com/lists/oss-security/2019/08/20/2\",\n \"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.3\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6cf97230cd5f36b7665099083272595c55d72be7\",\n \"https://security.netapp.com/advisory/ntap-20190905-0002/\",\n \"https://syzkaller.appspot.com/bug?id=a53c9c9dd2981bfdbfbcbc1ddbd35595eda8bced\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.9,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-15213\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-19378", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-19378" + }, + { + "url": "https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19378" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200103-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-19378 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2019-19378", + "desc": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-19378\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-19378\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-19378\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-19378\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-19378\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19378\",\n \"https://security.netapp.com/advisory/ntap-20200103-0001/\"\n ],\n \"description\": \"In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 6.8,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-19378\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-19814", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-19814" + }, + { + "url": "https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19814" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200103-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-19814 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2019-19814", + "desc": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-19814\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-19814\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-19814\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-19814\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-19814\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19814\",\n \"https://security.netapp.com/advisory/ntap-20200103-0001/\"\n ],\n \"description\": \"In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 9.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-19814\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2019-20794", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2019-20794" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2020/08/24/1" + }, + { + "url": "https://github.com/sargun/fuse-example" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20200608-0001/" + }, + { + "url": "https://sourceforge.net/p/fuse/mailman/message/36598753/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2019-20794 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2019-20794", + "desc": "An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2019-20794\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2019-20794\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2019-20794\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2019-20794\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-20794\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2020/08/24/1\",\n \"https://github.com/sargun/fuse-example\",\n \"https://security.netapp.com/advisory/ntap-20200608-0001/\",\n \"https://sourceforge.net/p/fuse/mailman/message/36598753/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:M/Au:N/C:N/I:N/A:C\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 3.4,\n \"impactScore\": 6.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2019-20794\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-11935", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-11935" + }, + { + "url": "https://bugs.launchpad.net/bugs/1873074" + }, + { + "url": "https://ubuntu.com/security/CVE-2020-11935" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-11935 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-11935", + "desc": "It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-11935\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-11935\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-11935\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-11935\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-11935\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugs.launchpad.net/bugs/1873074\",\n \"https://ubuntu.com/security/CVE-2020-11935\"\n ],\n \"description\": \"It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@ubuntu.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-11935\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-14304", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-14304" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960702" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14304" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-14304 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-14304", + "desc": "A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-14304\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-14304\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-14304\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-14304\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-14304\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960702\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14304\"\n ],\n \"description\": \"A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-14304\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-15802", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-15802" + }, + { + "url": "https://gizmodo.com/bluetooth-unveils-its-latest-security-issue-with-no-se-1845013709" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/" + }, + { + "url": "https://www.kb.cert.org/vuls/id/589825" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-15802 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-15802", + "desc": "Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-15802\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-15802\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-15802\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-15802\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-15802\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://gizmodo.com/bluetooth-unveils-its-latest-security-issue-with-no-se-1845013709\",\n \"https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/\",\n \"https://www.kb.cert.org/vuls/id/589825\"\n ],\n \"description\": \"Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 8.6,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-15802\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26140", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26140" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/05/11/12" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf" + }, + { + "url": "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu" + }, + { + "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63" + }, + { + "url": "https://www.fragattacks.com" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26140 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26140", + "desc": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26140\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26140\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26140\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26140\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26140\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/05/11/12\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf\",\n \"https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu\",\n \"https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63\",\n \"https://www.fragattacks.com\"\n ],\n \"description\": \"An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:L/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 6.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26140\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26142", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26142" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/05/11/12" + }, + { + "url": "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu" + }, + { + "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63" + }, + { + "url": "https://www.fragattacks.com" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26142 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26142", + "desc": "An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26142\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26142\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26142\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26142\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26142\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/05/11/12\",\n \"https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu\",\n \"https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63\",\n \"https://www.fragattacks.com\"\n ],\n \"description\": \"An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:H/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 2.6,\n \"exploitabilityScore\": 4.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26142\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26143", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26143" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/05/11/12" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf" + }, + { + "url": "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu" + }, + { + "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63" + }, + { + "url": "https://www.fragattacks.com" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26143 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26143", + "desc": "An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26143\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26143\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26143\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26143\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26143\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/05/11/12\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf\",\n \"https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu\",\n \"https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63\",\n \"https://www.fragattacks.com\"\n ],\n \"description\": \"An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:L/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 6.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26143\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26146", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26146" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/05/11/12" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf" + }, + { + "url": "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu" + }, + { + "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63" + }, + { + "url": "https://www.fragattacks.com" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26146 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26146", + "desc": "An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26146\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26146\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26146\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26146\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26146\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2021/05/11/12\",\n \"https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf\",\n \"https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md\",\n \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu\",\n \"https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63\",\n \"https://www.fragattacks.com\"\n ],\n \"description\": \"An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:M/Au:N/C:N/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 2.9,\n \"exploitabilityScore\": 5.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26146\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26556", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26556" + }, + { + "url": "https://kb.cert.org/vuls/id/799380" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + }, + { + "url": "https://www.kb.cert.org/vuls/id/799380" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26556 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26556", + "desc": "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26556\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26556\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26556\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26556\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26556\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://kb.cert.org/vuls/id/799380\",\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\",\n \"https://www.kb.cert.org/vuls/id/799380\"\n ],\n \"description\": \"Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:M/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.9,\n \"exploitabilityScore\": 5.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26556\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26557", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26557" + }, + { + "url": "https://kb.cert.org/vuls/id/799380" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26557 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26557", + "desc": "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26557\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26557\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26557\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26557\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26557\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://kb.cert.org/vuls/id/799380\",\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\"\n ],\n \"description\": \"Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:M/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.9,\n \"exploitabilityScore\": 5.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26557\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26559", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26559" + }, + { + "url": "https://kb.cert.org/vuls/id/799380" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26559 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26559", + "desc": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26559\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26559\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26559\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26559\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26559\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://kb.cert.org/vuls/id/799380\",\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\"\n ],\n \"description\": \"Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 5.8,\n \"exploitabilityScore\": 6.5,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26559\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-26560", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-26560" + }, + { + "url": "https://kb.cert.org/vuls/id/799380" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-26560 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-26560", + "desc": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-26560\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-26560\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-26560\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-26560\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26560\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://kb.cert.org/vuls/id/799380\",\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\"\n ],\n \"description\": \"Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:L/Au:N/C:P/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 4.8,\n \"exploitabilityScore\": 6.5,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 8.1,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-26560\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2020-35501", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2020-35501" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1908577" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2020-35501 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2020-35501", + "desc": "A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2020-35501\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2020-35501\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2020-35501\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2020-35501\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35501\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=1908577\"\n ],\n \"description\": \"A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:P/A:N\",\n \"metrics\": {\n \"baseScore\": 3.6,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 4.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2020-35501\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-26934", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-26934" + }, + { + "url": "http://xenbits.xen.org/xsa/advisory-363.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GELN5E6MDR5KQBJF5M5COUUED3YFZTD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOAJBVAVR6RSCUCHNXPVSNRPSFM7INMP/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20210326-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-26934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-26934", + "desc": "An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-26934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-26934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-26934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-26934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-26934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://xenbits.xen.org/xsa/advisory-363.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GELN5E6MDR5KQBJF5M5COUUED3YFZTD/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOAJBVAVR6RSCUCHNXPVSNRPSFM7INMP/\",\n \"https://security.netapp.com/advisory/ntap-20210326-0001/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-26934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-31615", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-31615" + }, + { + "url": "https://bluetooth.com" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/injectable/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-31615 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-31615", + "desc": "Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 may permit an adjacent device to inject a crafted packet during the receive window of the listening device before the transmitting device initiates its packet transmission to achieve full MITM status without terminating the link. When applied against devices establishing or using encrypted links, crafted packets may be used to terminate an existing link, but will not compromise the confidentiality or integrity of the link.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-31615\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-31615\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-31615\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-31615\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-31615\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bluetooth.com\",\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/injectable/\"\n ],\n \"description\": \"Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 may permit an adjacent device to inject a crafted packet during the receive window of the listening device before the transmitting device initiates its packet transmission to achieve full MITM status without terminating the link. When applied against devices establishing or using encrypted links, crafted packets may be used to terminate an existing link, but will not compromise the confidentiality or integrity of the link.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:A/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 2.9,\n \"exploitabilityScore\": 5.5,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-31615\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-33096", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-33096" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220210-0010/" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00571.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-33096 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-33096", + "desc": "Improper isolation of shared resources in network on chip for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-33096\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-33096\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-33096\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-33096\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-33096\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://security.netapp.com/advisory/ntap-20220210-0010/\",\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00571.html\"\n ],\n \"description\": \"Improper isolation of shared resources in network on chip for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-33096\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3714", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-3714" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2021-3714" + }, + { + "url": "https://arxiv.org/abs/2111.08553" + }, + { + "url": "https://arxiv.org/pdf/2111.08553.pdf" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1931327" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3714 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-3714", + "desc": "A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3714\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-3714\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-3714\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3714\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3714\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2021-3714\",\n \"https://arxiv.org/abs/2111.08553\",\n \"https://arxiv.org/pdf/2111.08553.pdf\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=1931327\"\n ],\n \"description\": \"A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.9,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3714\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3773", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-3773" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004949" + }, + { + "url": "https://citizenlab.ca/2024/07/vulnerabilities-in-vpns-paper-presented-at-the-privacy-enhancing-technologies-symposium-2024/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3773 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-3773", + "desc": "A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3773\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-3773\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-3773\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3773\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3773\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2004949\",\n \"https://citizenlab.ca/2024/07/vulnerabilities-in-vpns-paper-presented-at-the-privacy-enhancing-technologies-symposium-2024/\",\n \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n ],\n \"description\": \"A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 10,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3773\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-3864", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-3864" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2021-3864" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015046" + }, + { + "url": "https://lore.kernel.org/all/20211221021744.864115-1-longman%40redhat.com/" + }, + { + "url": "https://lore.kernel.org/all/20211226150310.GA992%401wt.eu/" + }, + { + "url": "https://lore.kernel.org/lkml/20211228170910.623156-1-wander%40redhat.com/" + }, + { + "url": "https://security-tracker.debian.org/tracker/CVE-2021-3864" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2021/10/20/2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-3864 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-3864", + "desc": "A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-3864\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-3864\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-3864\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-3864\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3864\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2021-3864\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2015046\",\n \"https://lore.kernel.org/all/20211221021744.864115-1-longman%40redhat.com/\",\n \"https://lore.kernel.org/all/20211226150310.GA992%401wt.eu/\",\n \"https://lore.kernel.org/lkml/20211228170910.623156-1-wander%40redhat.com/\",\n \"https://security-tracker.debian.org/tracker/CVE-2021-3864\",\n \"https://www.openwall.com/lists/oss-security/2021/10/20/2\"\n ],\n \"description\": \"A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-3864\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-4095", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-4095" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/1" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031194" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIOQN7JJNN6ABIDGRSTVZA65MHRLMH2Q/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT6573CGKVK3DU2632VVO5BVM4IU7SBV/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-4095 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-4095", + "desc": "A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl. This flaw affects Linux kernel versions prior to 5.17-rc1.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-4095\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-4095\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-4095\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-4095\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-4095\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2022/01/17/1\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2031194\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIOQN7JJNN6ABIDGRSTVZA65MHRLMH2Q/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT6573CGKVK3DU2632VVO5BVM4IU7SBV/\"\n ],\n \"description\": \"A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl. This flaw affects Linux kernel versions prior to 5.17-rc1.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:M/Au:N/C:N/I:N/A:P\",\n \"metrics\": {\n \"baseScore\": 1.9,\n \"exploitabilityScore\": 3.4,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-4095\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-46928", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-46928" + }, + { + "url": "https://git.kernel.org/stable/c/484730e5862f6b872dca13840bed40fd7c60fa26" + }, + { + "url": "https://git.kernel.org/stable/c/d01e9ce1af6116f812491d3d3873d204f10ae0b8" + }, + { + "url": "https://git.kernel.org/stable/c/e96373f0a5f484bc1e193f9951dcb3adf24bf3f7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-46928 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-46928", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Clear stale IIR value on instruction access rights trap\n\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\ncouldn't execute an instruction due to missing execute permissions on\nthe memory region. In this case it seems the CPU didn't even fetched\nthe instruction from memory and thus did not store it in the cr19 (IIR)\nregister before calling the trap handler. So, the trap handler will find\nsome random old stale value in cr19.\n\nThis patch simply overwrites the stale IIR value with a constant magic\n\"bad food\" value (0xbaadf00d), in the hope people don't start to try to\nunderstand the various random IIR values in trap 7 dumps.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-46928\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-46928\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-46928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-46928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-46928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/484730e5862f6b872dca13840bed40fd7c60fa26\",\n \"https://git.kernel.org/stable/c/d01e9ce1af6116f812491d3d3873d204f10ae0b8\",\n \"https://git.kernel.org/stable/c/e96373f0a5f484bc1e193f9951dcb3adf24bf3f7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nparisc: Clear stale IIR value on instruction access rights trap\\n\\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\\ncouldn't execute an instruction due to missing execute permissions on\\nthe memory region. In this case it seems the CPU didn't even fetched\\nthe instruction from memory and thus did not store it in the cr19 (IIR)\\nregister before calling the trap handler. So, the trap handler will find\\nsome random old stale value in cr19.\\n\\nThis patch simply overwrites the stale IIR value with a constant magic\\n\\\"bad food\\\" value (0xbaadf00d), in the hope people don't start to try to\\nunderstand the various random IIR values in trap 7 dumps.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-46928\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-47432", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-47432" + }, + { + "url": "https://git.kernel.org/stable/c/784d01f9bbc282abb0c5ade5beb98a87f50343ac" + }, + { + "url": "https://git.kernel.org/stable/c/9492261ff2460252cf2d8de89cdf854c7e2b28a0" + }, + { + "url": "https://git.kernel.org/stable/c/aa7f1827953100cdde0795289a80c6c077bfe437" + }, + { + "url": "https://git.kernel.org/stable/c/ec298b958cb0c40d70c68079da933c8f31c5134c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-47432 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-47432", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/generic-radix-tree.c: Don't overflow in peek()\n\nWhen we started spreading new inode numbers throughout most of the 64\nbit inode space, that triggered some corner case bugs, in particular\nsome integer overflows related to the radix tree code. Oops.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-47432\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-47432\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-47432\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-47432\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-47432\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/784d01f9bbc282abb0c5ade5beb98a87f50343ac\",\n \"https://git.kernel.org/stable/c/9492261ff2460252cf2d8de89cdf854c7e2b28a0\",\n \"https://git.kernel.org/stable/c/aa7f1827953100cdde0795289a80c6c077bfe437\",\n \"https://git.kernel.org/stable/c/ec298b958cb0c40d70c68079da933c8f31c5134c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlib/generic-radix-tree.c: Don't overflow in peek()\\n\\nWhen we started spreading new inode numbers throughout most of the 64\\nbit inode space, that triggered some corner case bugs, in particular\\nsome integer overflows related to the radix tree code. Oops.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-47432\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-47472", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-47472" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-47472 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-47472", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-47472\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-47472\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-47472\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-47472\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-47472\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-47472\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-47599", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-47599" + }, + { + "url": "https://git.kernel.org/stable/c/6605fd2f394bba0a0059df2b6cfc87b0b6d393a2" + }, + { + "url": "https://git.kernel.org/stable/c/e342c2558016ead462f376b6c6c2ac5efc17f3b1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-47599 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-47599", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: use latest_dev in btrfs_show_devname\n\nThe test case btrfs/238 reports the warning below:\n\n WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]\n CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72\n Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n Call trace:\n btrfs_show_devname+0x108/0x1b4 [btrfs]\n show_mountinfo+0x234/0x2c4\n m_show+0x28/0x34\n seq_read_iter+0x12c/0x3c4\n vfs_read+0x29c/0x2c8\n ksys_read+0x80/0xec\n __arm64_sys_read+0x28/0x34\n invoke_syscall+0x50/0xf8\n do_el0_svc+0x88/0x138\n el0_svc+0x2c/0x8c\n el0t_64_sync_handler+0x84/0xe4\n el0t_64_sync+0x198/0x19c\n\nReason:\nWhile btrfs_prepare_sprout() moves the fs_devices::devices into\nfs_devices::seed_list, the btrfs_show_devname() searches for the devices\nand found none, leading to the warning as in above.\n\nFix:\nlatest_dev is updated according to the changes to the device list.\nThat means we could use the latest_dev->name to show the device name in\n/proc/self/mounts, the pointer will be always valid as it's assigned\nbefore the device is deleted from the list in remove or replace.\nThe RCU protection is sufficient as the device structure is freed after\nsynchronization.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-47599\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-47599\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-47599\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-47599\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-47599\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6605fd2f394bba0a0059df2b6cfc87b0b6d393a2\",\n \"https://git.kernel.org/stable/c/e342c2558016ead462f376b6c6c2ac5efc17f3b1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: use latest_dev in btrfs_show_devname\\n\\nThe test case btrfs/238 reports the warning below:\\n\\n WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]\\n CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72\\n Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\\n Call trace:\\n btrfs_show_devname+0x108/0x1b4 [btrfs]\\n show_mountinfo+0x234/0x2c4\\n m_show+0x28/0x34\\n seq_read_iter+0x12c/0x3c4\\n vfs_read+0x29c/0x2c8\\n ksys_read+0x80/0xec\\n __arm64_sys_read+0x28/0x34\\n invoke_syscall+0x50/0xf8\\n do_el0_svc+0x88/0x138\\n el0_svc+0x2c/0x8c\\n el0t_64_sync_handler+0x84/0xe4\\n el0t_64_sync+0x198/0x19c\\n\\nReason:\\nWhile btrfs_prepare_sprout() moves the fs_devices::devices into\\nfs_devices::seed_list, the btrfs_show_devname() searches for the devices\\nand found none, leading to the warning as in above.\\n\\nFix:\\nlatest_dev is updated according to the changes to the device list.\\nThat means we could use the latest_dev->name to show the device name in\\n/proc/self/mounts, the pointer will be always valid as it's assigned\\nbefore the device is deleted from the list in remove or replace.\\nThe RCU protection is sufficient as the device structure is freed after\\nsynchronization.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-47599\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2021-47615", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2021-47615" + }, + { + "url": "https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9" + }, + { + "url": "https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701" + }, + { + "url": "https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2021-47615 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2021-47615", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix releasing unallocated memory in dereg MR flow\n\nFor the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though\nit is a user MR. This causes function mlx5_free_priv_descs() to think that\nit is a kernel MR, leading to wrongly accessing mr->descs that will get\nwrong values in the union which leads to attempt to release resources that\nwere not allocated in the first place.\n\nFor example:\n DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]\n WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0\n RIP: 0010:check_unmap+0x54f/0x8b0\n Call Trace:\n debug_dma_unmap_page+0x57/0x60\n mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]\n mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]\n ib_dereg_mr_user+0x60/0x140 [ib_core]\n uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]\n uobj_destroy+0x3f/0x80 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]\n ? uverbs_finalize_object+0x50/0x50 [ib_uverbs]\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquired+0x12/0x380\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquire+0xc4/0x2e0\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n ? lock_release+0x28a/0x400\n ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n __x64_sys_ioctl+0x7f/0xb0\n do_syscall_64+0x38/0x90\n\nFix it by reorganizing the dereg flow and mlx5_ib_mr structure:\n - Move the ib_umem field into the user MRs structure in the union as it's\n applicable only there.\n - Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only\n in case there isn't udata, which indicates that this isn't a user MR.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2021-47615\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2021-47615\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2021-47615\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2021-47615\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-47615\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9\",\n \"https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701\",\n \"https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/mlx5: Fix releasing unallocated memory in dereg MR flow\\n\\nFor the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though\\nit is a user MR. This causes function mlx5_free_priv_descs() to think that\\nit is a kernel MR, leading to wrongly accessing mr->descs that will get\\nwrong values in the union which leads to attempt to release resources that\\nwere not allocated in the first place.\\n\\nFor example:\\n DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]\\n WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0\\n RIP: 0010:check_unmap+0x54f/0x8b0\\n Call Trace:\\n debug_dma_unmap_page+0x57/0x60\\n mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]\\n mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]\\n ib_dereg_mr_user+0x60/0x140 [ib_core]\\n uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]\\n uobj_destroy+0x3f/0x80 [ib_uverbs]\\n ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]\\n ? uverbs_finalize_object+0x50/0x50 [ib_uverbs]\\n ? lock_acquire+0xc4/0x2e0\\n ? lock_acquired+0x12/0x380\\n ? lock_acquire+0xc4/0x2e0\\n ? lock_acquire+0xc4/0x2e0\\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\\n ? lock_release+0x28a/0x400\\n ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]\\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\\n __x64_sys_ioctl+0x7f/0xb0\\n do_syscall_64+0x38/0x90\\n\\nFix it by reorganizing the dereg flow and mlx5_ib_mr structure:\\n - Move the ib_umem field into the user MRs structure in the union as it's\\n applicable only there.\\n - Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only\\n in case there isn't udata, which indicates that this isn't a user MR.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2021-47615\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0400", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-0400" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-0400" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040604" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044575" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0400 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-0400", + "desc": "An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0400\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-0400\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-0400\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-0400\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0400\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-0400\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2040604\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2044575\"\n ],\n \"description\": \"An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0400\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0480", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-0480" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-0480" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2049700" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0f12156dff2862ac54235fc72703f18770769042" + }, + { + "url": "https://github.com/kata-containers/kata-containers/issues/3373" + }, + { + "url": "https://lore.kernel.org/linux-mm/20210902215519.AWcuVc3li%25akpm%40linux-foundation.org/" + }, + { + "url": "https://ubuntu.com/security/CVE-2022-0480" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0480 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-0480", + "desc": "A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0480\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-0480\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-0480\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-0480\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0480\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-0480\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2049700\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0f12156dff2862ac54235fc72703f18770769042\",\n \"https://github.com/kata-containers/kata-containers/issues/3373\",\n \"https://lore.kernel.org/linux-mm/20210902215519.AWcuVc3li%25akpm%40linux-foundation.org/\",\n \"https://ubuntu.com/security/CVE-2022-0480\"\n ],\n \"description\": \"A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0480\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0854", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-0854" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8&id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5161" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5173" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0854 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-0854", + "desc": "A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0854\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-0854\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-0854\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-0854\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0854\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8&id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13\",\n \"https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html\",\n \"https://www.debian.org/security/2022/dsa-5161\",\n \"https://www.debian.org/security/2022/dsa-5173\"\n ],\n \"description\": \"A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0854\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-0995", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-0995" + }, + { + "url": "http://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html" + }, + { + "url": "http://packetstormsecurity.com/files/166815/Watch-Queue-Out-Of-Bounds-Write.html" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063786" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220429-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-0995 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-0995", + "desc": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-0995\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-0995\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-0995\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-0995\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0995\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html\",\n \"http://packetstormsecurity.com/files/166815/Watch-Queue-Out-Of-Bounds-Write.html\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2063786\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb\",\n \"https://security.netapp.com/advisory/ntap-20220429-0001/\"\n ],\n \"description\": \"An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\n \"metrics\": {\n \"baseScore\": 7.2,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 10\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-0995\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-1205", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-1205" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-1205" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2071047" + }, + { + "url": "https://github.com/torvalds/linux/commit/82e31755e55fbcea6a9dfaae5fe4860ade17cbc0" + }, + { + "url": "https://github.com/torvalds/linux/commit/fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/04/02/4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-1205 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-1205", + "desc": "A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-1205\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-1205\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-1205\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-1205\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-1205\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-1205\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2071047\",\n \"https://github.com/torvalds/linux/commit/82e31755e55fbcea6a9dfaae5fe4860ade17cbc0\",\n \"https://github.com/torvalds/linux/commit/fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009\",\n \"https://www.openwall.com/lists/oss-security/2022/04/02/4\"\n ],\n \"description\": \"A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-1205\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-1247", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-1247" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-1247" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066799" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-1247 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-1247", + "desc": "An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-1247\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-1247\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-1247\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-1247\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-1247\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-1247\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2066799\"\n ],\n \"description\": \"An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-1247\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-23825", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-23825" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/11/08/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/11/10/2" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSRW4LLTAT3CZMOYVNTC7YIYGX3KLED/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/" + }, + { + "url": "https://security.gentoo.org/glsa/202402-07" + }, + { + "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5184" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-23825 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-23825", + "desc": "Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-23825\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-23825\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-23825\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-23825\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-23825\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2022/11/08/1\",\n \"http://www.openwall.com/lists/oss-security/2022/11/10/2\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSRW4LLTAT3CZMOYVNTC7YIYGX3KLED/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/\",\n \"https://security.gentoo.org/glsa/202402-07\",\n \"https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037\",\n \"https://www.debian.org/security/2022/dsa-5184\"\n ],\n \"description\": \"Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 2.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 2.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-23825\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-25265", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-25265" + }, + { + "url": "https://github.com/torvalds/linux/blob/1c33bb0507508af24fd754dd7123bd8e997fab2f/arch/x86/include/asm/elf.h#L281-L294" + }, + { + "url": "https://github.com/x0reaxeax/exec-prot-bypass" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220318-0005/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-25265 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-25265", + "desc": "In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-25265\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-25265\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-25265\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-25265\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25265\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/torvalds/linux/blob/1c33bb0507508af24fd754dd7123bd8e997fab2f/arch/x86/include/asm/elf.h#L281-L294\",\n \"https://github.com/x0reaxeax/exec-prot-bypass\",\n \"https://security.netapp.com/advisory/ntap-20220318-0005/\"\n ],\n \"description\": \"In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"2.0\",\n \"vector\": \"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 3.4,\n \"impactScore\": 6.4\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-25265\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-25836", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-25836" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-25836 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-25836", + "desc": "Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4.0 through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when the MITM negotiates Legacy Passkey Pairing with the pairing Initiator and Secure Connections Passkey Pairing with the pairing Responder and brute forces the Passkey entered by the user into the Initiator. The MITM attacker can use the identified Passkey value to complete authentication with the Responder via Bluetooth pairing method confusion.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-25836\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-25836\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-25836\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-25836\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25836\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\"\n ],\n \"description\": \"Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4.0 through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when the MITM negotiates Legacy Passkey Pairing with the pairing Initiator and Secure Connections Passkey Pairing with the pairing Responder and brute forces the Passkey entered by the user into the Initiator. The MITM attacker can use the identified Passkey value to complete authentication with the Responder via Bluetooth pairing method confusion.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.8\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-25836\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-25837", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-25837" + }, + { + "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-25837 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-25837", + "desc": "Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when at least one device supports BR/EDR Secure Connections pairing and the other BR/EDR Legacy PIN code pairing if the MITM negotiates BR/EDR Secure Simple Pairing in Secure Connections mode using the Passkey association model with the pairing Initiator and BR/EDR Legacy PIN code pairing with the pairing Responder and brute forces the Passkey entered by the user into the Responder as a 6-digit PIN code. The MITM attacker can use the identified PIN code value as the Passkey value to complete authentication with the Initiator via Bluetooth pairing method confusion.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-25837\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-25837\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-25837\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-25837\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25837\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/\"\n ],\n \"description\": \"Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when at least one device supports BR/EDR Secure Connections pairing and the other BR/EDR Legacy PIN code pairing if the MITM negotiates BR/EDR Secure Simple Pairing in Secure Connections mode using the Passkey association model with the pairing Initiator and BR/EDR Legacy PIN code pairing with the pairing Responder and brute forces the Passkey entered by the user into the Responder as a 6-digit PIN code. The MITM attacker can use the identified PIN code value as the Passkey value to complete authentication with the Initiator via Bluetooth pairing method confusion.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.8\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-25837\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-26047", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-26047" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00699.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-26047 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-26047", + "desc": "Improper input validation for some Intel(R) PROSet/Wireless WiFi, Intel vPro(R) CSME WiFi and Killer(TM) WiFi products may allow unauthenticated user to potentially enable denial of service via local access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-26047\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-26047\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-26047\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-26047\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-26047\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00699.html\"\n ],\n \"description\": \"Improper input validation for some Intel(R) PROSet/Wireless WiFi, Intel vPro(R) CSME WiFi and Killer(TM) WiFi products may allow unauthenticated user to potentially enable denial of service via local access.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secure@intel.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-26047\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-28667", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-28667" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00687.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-28667 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-28667", + "desc": "Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi software before version 22.140 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-28667\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-28667\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-28667\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-28667\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-28667\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00687.html\"\n ],\n \"description\": \"Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi software before version 22.140 may allow an unauthenticated user to potentially enable denial of service via adjacent access.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secure@intel.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-28667\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-28693", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-28693" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-28693 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-28693", + "desc": "no description found", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-28693\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-28693\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-28693\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": []\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-28693\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-2961", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-2961" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-2961" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230214-0004/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-2961 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-2961", + "desc": "A use-after-free flaw was found in the Linux kernel’s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-2961\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-2961\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-2961\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-2961\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-2961\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2022-2961\",\n \"https://security.netapp.com/advisory/ntap-20230214-0004/\"\n ],\n \"description\": \"A use-after-free flaw was found in the Linux kernel’s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-2961\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-3114", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-3114" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153054" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.19-rc2&id=ed713e2bc093239ccd380c2ce8ae9e4162f5c037" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-3114 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-3114", + "desc": "An issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-3114\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-3114\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-3114\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-3114\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3114\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2153054\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.19-rc2&id=ed713e2bc093239ccd380c2ce8ae9e4162f5c037\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3114\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-3238", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-3238" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127927" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-3238 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-3238", + "desc": "A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-3238\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-3238\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-3238\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-3238\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3238\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2127927\"\n ],\n \"description\": \"A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3238\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-3523", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-3523" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16ce101db85db694a91380aa4c89b25530871d33" + }, + { + "url": "https://vuldb.com/?id.211020" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-3523 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-3523", + "desc": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211020.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-3523\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-3523\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-3523\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-3523\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3523\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16ce101db85db694a91380aa4c89b25530871d33\",\n \"https://vuldb.com/?id.211020\"\n ],\n \"description\": \"A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211020.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"cna@vuldb.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-3523\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-38096", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-38096" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-38096 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-38096", + "desc": "A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-38096\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-38096\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-38096\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-38096\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-38096\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=2073\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 6.3,\n \"exploitabilityScore\": 2.1,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2022-38096\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-38457", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-38457" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2074" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-38457 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-38457", + "desc": "A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-38457\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-38457\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-38457\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-38457\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-38457\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=2074\"\n ],\n \"description\": \"A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 6.3,\n \"exploitabilityScore\": 2.1,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-38457\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-40133", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-40133" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2075" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-40133 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-40133", + "desc": "A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-40133\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-40133\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-40133\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-40133\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-40133\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=2075\"\n ],\n \"description\": \"A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 6.3,\n \"exploitabilityScore\": 2.1,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-40133\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-41848", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-41848" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/char/pcmcia/synclink_cs.c" + }, + { + "url": "https://lore.kernel.org/lkml/20220919040251.GA302541%40ubuntu/T/#rc85e751f467b3e6f9ccef92cfa7fb8a6cc50c270" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-41848 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-41848", + "desc": "drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-41848\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-41848\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-41848\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-41848\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41848\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/char/pcmcia/synclink_cs.c\",\n \"https://lore.kernel.org/lkml/20220919040251.GA302541%40ubuntu/T/#rc85e751f467b3e6f9ccef92cfa7fb8a6cc50c270\"\n ],\n \"description\": \"drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.2,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-41848\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-44032", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-44032" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15" + }, + { + "url": "https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/" + }, + { + "url": "https://lore.kernel.org/lkml/20220919040701.GA302806%40ubuntu/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-44032 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-44032", + "desc": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-44032\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-44032\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-44032\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-44032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-44032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15\",\n \"https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/\",\n \"https://lore.kernel.org/lkml/20220919040701.GA302806%40ubuntu/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-44032\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-44033", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-44033" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15" + }, + { + "url": "https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/" + }, + { + "url": "https://lore.kernel.org/lkml/20220919040457.GA302681%40ubuntu/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-44033 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-44033", + "desc": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-44033\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-44033\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-44033\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-44033\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-44033\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15\",\n \"https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/\",\n \"https://lore.kernel.org/lkml/20220919040457.GA302681%40ubuntu/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-44033\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-44034", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-44034" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15" + }, + { + "url": "https://lore.kernel.org/lkml/20220916050333.GA188358%40ubuntu/" + }, + { + "url": "https://lore.kernel.org/lkml/20220919101825.GA313940%40ubuntu/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-44034 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-44034", + "desc": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-44034\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-44034\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-44034\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-44034\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-44034\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15\",\n \"https://lore.kernel.org/lkml/20220916050333.GA188358%40ubuntu/\",\n \"https://lore.kernel.org/lkml/20220919101825.GA313940%40ubuntu/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-44034\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-4543", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-4543" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/12/16/3" + }, + { + "url": "https://www.willsroot.io/2022/12/entrybleed.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-4543 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-4543", + "desc": "A flaw named \"EntryBleed\" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-4543\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-4543\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-4543\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-4543\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-4543\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.openwall.com/lists/oss-security/2022/12/16/3\",\n \"https://www.willsroot.io/2022/12/entrybleed.html\"\n ],\n \"description\": \"A flaw named \\\"EntryBleed\\\" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-4543\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-45884", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-45884" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=627bb528b086b4136315c25d6a447a98ea9448d3" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-4-imv4bel%40gmail.com/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230113-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-45884 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-45884", + "desc": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-45884\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-45884\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-45884\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-45884\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45884\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=627bb528b086b4136315c25d6a447a98ea9448d3\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-4-imv4bel%40gmail.com/\",\n \"https://security.netapp.com/advisory/ntap-20230113-0006/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45884\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-45885", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-45885" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6769a0b7ee0c3b31e1b22c3fadff2bfb642de23f" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-2-imv4bel%40gmail.com/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230113-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-45885 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-45885", + "desc": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-45885\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-45885\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-45885\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-45885\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45885\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6769a0b7ee0c3b31e1b22c3fadff2bfb642de23f\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-2-imv4bel%40gmail.com/\",\n \"https://security.netapp.com/advisory/ntap-20230113-0006/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45885\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-45887", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-45887" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=517a281338322ff8293f988771c98aaa7205e457" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/" + }, + { + "url": "https://lore.kernel.org/linux-media/20221115131822.6640-5-imv4bel%40gmail.com/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230113-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-45887 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-45887", + "desc": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-45887\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-45887\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-45887\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-45887\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45887\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=517a281338322ff8293f988771c98aaa7205e457\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/\",\n \"https://lore.kernel.org/linux-media/20221115131822.6640-5-imv4bel%40gmail.com/\",\n \"https://security.netapp.com/advisory/ntap-20230113-0006/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45887\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-45888", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-45888" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=282a4b71816b6076029017a7bab3a9dcee12a920" + }, + { + "url": "https://lore.kernel.org/all/20221022175404.GA375335%40ubuntu/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230113-0006/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-45888 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-45888", + "desc": "An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-45888\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-45888\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-45888\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-45888\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45888\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=282a4b71816b6076029017a7bab3a9dcee12a920\",\n \"https://lore.kernel.org/all/20221022175404.GA375335%40ubuntu/\",\n \"https://security.netapp.com/advisory/ntap-20230113-0006/\"\n ],\n \"description\": \"An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-45888\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48628", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48628" + }, + { + "url": "https://git.kernel.org/stable/c/47f82395f04a976d4fa97de7f2acffa1c1096571" + }, + { + "url": "https://git.kernel.org/stable/c/89744b64914426cbabceb3d8a149176b5dafdfb5" + }, + { + "url": "https://git.kernel.org/stable/c/e3dfcab2080dc1f9a4b09cc1327361bc2845bfcd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48628 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48628", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: drop messages from MDS when unmounting\n\nWhen unmounting all the dirty buffers will be flushed and after\nthe last osd request is finished the last reference of the i_count\nwill be released. Then it will flush the dirty cap/snap to MDSs,\nand the unmounting won't wait the possible acks, which will ihold\nthe inodes when updating the metadata locally but makes no sense\nany more, of this. This will make the evict_inodes() to skip these\ninodes.\n\nIf encrypt is enabled the kernel generate a warning when removing\nthe encrypt keys when the skipped inodes still hold the keyring:\n\nWARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0\nCPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1\nHardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015\nRIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0\nRSP: 0018:ffffc9000b277e28 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00\nRDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000\nRBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000\nR10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40\nR13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000\nFS: 00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\ngeneric_shutdown_super+0x47/0x120\nkill_anon_super+0x14/0x30\nceph_kill_sb+0x36/0x90 [ceph]\ndeactivate_locked_super+0x29/0x60\ncleanup_mnt+0xb8/0x140\ntask_work_run+0x67/0xb0\nexit_to_user_mode_prepare+0x23d/0x240\nsyscall_exit_to_user_mode+0x25/0x60\ndo_syscall_64+0x40/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fd83dc39e9b\n\nLater the kernel will crash when iput() the inodes and dereferencing\nthe \"sb->s_master_keys\", which has been released by the\ngeneric_shutdown_super().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48628\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48628\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48628\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48628\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48628\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/47f82395f04a976d4fa97de7f2acffa1c1096571\",\n \"https://git.kernel.org/stable/c/89744b64914426cbabceb3d8a149176b5dafdfb5\",\n \"https://git.kernel.org/stable/c/e3dfcab2080dc1f9a4b09cc1327361bc2845bfcd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nceph: drop messages from MDS when unmounting\\n\\nWhen unmounting all the dirty buffers will be flushed and after\\nthe last osd request is finished the last reference of the i_count\\nwill be released. Then it will flush the dirty cap/snap to MDSs,\\nand the unmounting won't wait the possible acks, which will ihold\\nthe inodes when updating the metadata locally but makes no sense\\nany more, of this. This will make the evict_inodes() to skip these\\ninodes.\\n\\nIf encrypt is enabled the kernel generate a warning when removing\\nthe encrypt keys when the skipped inodes still hold the keyring:\\n\\nWARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0\\nCPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1\\nHardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015\\nRIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0\\nRSP: 0018:ffffc9000b277e28 EFLAGS: 00010202\\nRAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00\\nRDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000\\nRBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000\\nR10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40\\nR13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000\\nFS: 00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n\\ngeneric_shutdown_super+0x47/0x120\\nkill_anon_super+0x14/0x30\\nceph_kill_sb+0x36/0x90 [ceph]\\ndeactivate_locked_super+0x29/0x60\\ncleanup_mnt+0xb8/0x140\\ntask_work_run+0x67/0xb0\\nexit_to_user_mode_prepare+0x23d/0x240\\nsyscall_exit_to_user_mode+0x25/0x60\\ndo_syscall_64+0x40/0x80\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\\nRIP: 0033:0x7fd83dc39e9b\\n\\nLater the kernel will crash when iput() the inodes and dereferencing\\nthe \\\"sb->s_master_keys\\\", which has been released by the\\ngeneric_shutdown_super().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48628\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48631", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48631" + }, + { + "url": "https://git.kernel.org/stable/c/29a5b8a137ac8eb410cc823653a29ac0e7b7e1b0" + }, + { + "url": "https://git.kernel.org/stable/c/2f5e9de15e4f55fbf56f22d4a2ce406246cc462d" + }, + { + "url": "https://git.kernel.org/stable/c/958b0ee23f5ac106e7cc11472b71aa2ea9a033bc" + }, + { + "url": "https://git.kernel.org/stable/c/bb7eb3ca4b3b0d2c7872cf1a41c30f5e5bd65df0" + }, + { + "url": "https://git.kernel.org/stable/c/be4df018c0be5ebecf1ca510feacc23be415cefc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48631 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48631", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0\n\nWhen walking through an inode extents, the ext4_ext_binsearch_idx() function\nassumes that the extent header has been previously validated. However, there\nare no checks that verify that the number of entries (eh->eh_entries) is\nnon-zero when depth is > 0. And this will lead to problems because the\nEXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this:\n\n[ 135.245946] ------------[ cut here ]------------\n[ 135.247579] kernel BUG at fs/ext4/extents.c:2258!\n[ 135.249045] invalid opcode: 0000 [#1] PREEMPT SMP\n[ 135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4\n[ 135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\n[ 135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0\n[ 135.256475] Code:\n[ 135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246\n[ 135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023\n[ 135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c\n[ 135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c\n[ 135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024\n[ 135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000\n[ 135.272394] FS: 00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n[ 135.274510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0\n[ 135.277952] Call Trace:\n[ 135.278635] \n[ 135.279247] ? preempt_count_add+0x6d/0xa0\n[ 135.280358] ? percpu_counter_add_batch+0x55/0xb0\n[ 135.281612] ? _raw_read_unlock+0x18/0x30\n[ 135.282704] ext4_map_blocks+0x294/0x5a0\n[ 135.283745] ? xa_load+0x6f/0xa0\n[ 135.284562] ext4_mpage_readpages+0x3d6/0x770\n[ 135.285646] read_pages+0x67/0x1d0\n[ 135.286492] ? folio_add_lru+0x51/0x80\n[ 135.287441] page_cache_ra_unbounded+0x124/0x170\n[ 135.288510] filemap_get_pages+0x23d/0x5a0\n[ 135.289457] ? path_openat+0xa72/0xdd0\n[ 135.290332] filemap_read+0xbf/0x300\n[ 135.291158] ? _raw_spin_lock_irqsave+0x17/0x40\n[ 135.292192] new_sync_read+0x103/0x170\n[ 135.293014] vfs_read+0x15d/0x180\n[ 135.293745] ksys_read+0xa1/0xe0\n[ 135.294461] do_syscall_64+0x3c/0x80\n[ 135.295284] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis patch simply adds an extra check in __ext4_ext_check(), verifying that\neh_entries is not 0 when eh_depth is > 0.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48631\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48631\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48631\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48631\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48631\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29a5b8a137ac8eb410cc823653a29ac0e7b7e1b0\",\n \"https://git.kernel.org/stable/c/2f5e9de15e4f55fbf56f22d4a2ce406246cc462d\",\n \"https://git.kernel.org/stable/c/958b0ee23f5ac106e7cc11472b71aa2ea9a033bc\",\n \"https://git.kernel.org/stable/c/bb7eb3ca4b3b0d2c7872cf1a41c30f5e5bd65df0\",\n \"https://git.kernel.org/stable/c/be4df018c0be5ebecf1ca510feacc23be415cefc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0\\n\\nWhen walking through an inode extents, the ext4_ext_binsearch_idx() function\\nassumes that the extent header has been previously validated. However, there\\nare no checks that verify that the number of entries (eh->eh_entries) is\\nnon-zero when depth is > 0. And this will lead to problems because the\\nEXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this:\\n\\n[ 135.245946] ------------[ cut here ]------------\\n[ 135.247579] kernel BUG at fs/ext4/extents.c:2258!\\n[ 135.249045] invalid opcode: 0000 [#1] PREEMPT SMP\\n[ 135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4\\n[ 135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\\n[ 135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0\\n[ 135.256475] Code:\\n[ 135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246\\n[ 135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023\\n[ 135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c\\n[ 135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c\\n[ 135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024\\n[ 135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000\\n[ 135.272394] FS: 00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\\n[ 135.274510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0\\n[ 135.277952] Call Trace:\\n[ 135.278635] \\n[ 135.279247] ? preempt_count_add+0x6d/0xa0\\n[ 135.280358] ? percpu_counter_add_batch+0x55/0xb0\\n[ 135.281612] ? _raw_read_unlock+0x18/0x30\\n[ 135.282704] ext4_map_blocks+0x294/0x5a0\\n[ 135.283745] ? xa_load+0x6f/0xa0\\n[ 135.284562] ext4_mpage_readpages+0x3d6/0x770\\n[ 135.285646] read_pages+0x67/0x1d0\\n[ 135.286492] ? folio_add_lru+0x51/0x80\\n[ 135.287441] page_cache_ra_unbounded+0x124/0x170\\n[ 135.288510] filemap_get_pages+0x23d/0x5a0\\n[ 135.289457] ? path_openat+0xa72/0xdd0\\n[ 135.290332] filemap_read+0xbf/0x300\\n[ 135.291158] ? _raw_spin_lock_irqsave+0x17/0x40\\n[ 135.292192] new_sync_read+0x103/0x170\\n[ 135.293014] vfs_read+0x15d/0x180\\n[ 135.293745] ksys_read+0xa1/0xe0\\n[ 135.294461] do_syscall_64+0x3c/0x80\\n[ 135.295284] entry_SYSCALL_64_after_hwframe+0x46/0xb0\\n\\nThis patch simply adds an extra check in __ext4_ext_check(), verifying that\\neh_entries is not 0 when eh_depth is > 0.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48631\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48632", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48632" + }, + { + "url": "https://git.kernel.org/stable/c/3b5ab5fbe69ebbee5692c72b05071a43fc0655d8" + }, + { + "url": "https://git.kernel.org/stable/c/48ee0a864d1af02eea98fc825cc230d61517a71e" + }, + { + "url": "https://git.kernel.org/stable/c/dc2a0c587006f29b724069740c48654b9dcaebd2" + }, + { + "url": "https://git.kernel.org/stable/c/de24aceb07d426b6f1c59f33889d6a964770547b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48632 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48632", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()\n\nmemcpy() is called in a loop while 'operation->length' upper bound\nis not checked and 'data_idx' also increments.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48632\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48632\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48632\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48632\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48632\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b5ab5fbe69ebbee5692c72b05071a43fc0655d8\",\n \"https://git.kernel.org/stable/c/48ee0a864d1af02eea98fc825cc230d61517a71e\",\n \"https://git.kernel.org/stable/c/dc2a0c587006f29b724069740c48654b9dcaebd2\",\n \"https://git.kernel.org/stable/c/de24aceb07d426b6f1c59f33889d6a964770547b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()\\n\\nmemcpy() is called in a loop while 'operation->length' upper bound\\nis not checked and 'data_idx' also increments.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48632\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48633", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48633" + }, + { + "url": "https://git.kernel.org/stable/c/55c077d97fa67e9f19952bb24122a8316b089474" + }, + { + "url": "https://git.kernel.org/stable/c/b6f25c3b94f2aadbf5cbef954db4073614943d74" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48633 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48633", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix WARN_ON(lock->magic != lock) error\n\npsb_gem_unpin() calls dma_resv_lock() but the underlying ww_mutex\ngets destroyed by drm_gem_object_release() move the\ndrm_gem_object_release() call in psb_gem_free_object() to after\nthe unpin to fix the below warning:\n\n[ 79.693962] ------------[ cut here ]------------\n[ 79.693992] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n[ 79.694015] WARNING: CPU: 0 PID: 240 at kernel/locking/mutex.c:582 __ww_mutex_lock.constprop.0+0x569/0xfb0\n[ 79.694052] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer qrtr bnep ath9k ath9k_common ath9k_hw snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel ath3k snd_intel_dspcfg mac80211 snd_intel_sdw_acpi btusb snd_hda_codec btrtl btbcm btintel btmtk bluetooth at24 snd_hda_core snd_hwdep uvcvideo snd_seq libarc4 videobuf2_vmalloc ath videobuf2_memops videobuf2_v4l2 videobuf2_common snd_seq_device videodev acer_wmi intel_powerclamp coretemp mc snd_pcm joydev sparse_keymap ecdh_generic pcspkr wmi_bmof cfg80211 i2c_i801 i2c_smbus snd_timer snd r8169 rfkill lpc_ich soundcore acpi_cpufreq zram rtsx_pci_sdmmc mmc_core serio_raw rtsx_pci gma500_gfx(E) video wmi ip6_tables ip_tables i2c_dev fuse\n[ 79.694436] CPU: 0 PID: 240 Comm: plymouthd Tainted: G W E 6.0.0-rc3+ #490\n[ 79.694457] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[ 79.694469] RIP: 0010:__ww_mutex_lock.constprop.0+0x569/0xfb0\n[ 79.694496] Code: ff 85 c0 0f 84 15 fb ff ff 8b 05 ca 3c 11 01 85 c0 0f 85 07 fb ff ff 48 c7 c6 30 cb 84 aa 48 c7 c7 a3 e1 82 aa e8 ac 29 f8 ff <0f> 0b e9 ed fa ff ff e8 5b 83 8a ff 85 c0 74 10 44 8b 0d 98 3c 11\n[ 79.694513] RSP: 0018:ffffad1dc048bbe0 EFLAGS: 00010282\n[ 79.694623] RAX: 0000000000000028 RBX: 0000000000000000 RCX: 0000000000000000\n[ 79.694636] RDX: 0000000000000001 RSI: ffffffffaa8b0ffc RDI: 00000000ffffffff\n[ 79.694650] RBP: ffffad1dc048bc80 R08: 0000000000000000 R09: ffffad1dc048ba90\n[ 79.694662] R10: 0000000000000003 R11: ffffffffaad62fe8 R12: ffff9ff302103138\n[ 79.694675] R13: ffff9ff306ec8000 R14: ffff9ff307779078 R15: ffff9ff3014c0270\n[ 79.694690] FS: 00007ff1cccf1740(0000) GS:ffff9ff3bc200000(0000) knlGS:0000000000000000\n[ 79.694705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 79.694719] CR2: 0000559ecbcb4420 CR3: 0000000013210000 CR4: 00000000000006f0\n[ 79.694734] Call Trace:\n[ 79.694749] \n[ 79.694761] ? __schedule+0x47f/0x1670\n[ 79.694796] ? psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\n[ 79.694830] ? lock_is_held_type+0xe3/0x140\n[ 79.694864] ? ww_mutex_lock+0x38/0xa0\n[ 79.694885] ? __cond_resched+0x1c/0x30\n[ 79.694902] ww_mutex_lock+0x38/0xa0\n[ 79.694925] psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\n[ 79.694964] psb_gem_unpin+0x199/0x1a0 [gma500_gfx]\n[ 79.694996] drm_gem_object_release_handle+0x50/0x60\n[ 79.695020] ? drm_gem_object_handle_put_unlocked+0xf0/0xf0\n[ 79.695042] idr_for_each+0x4b/0xb0\n[ 79.695066] ? _raw_spin_unlock_irqrestore+0x30/0x60\n[ 79.695095] drm_gem_release+0x1c/0x30\n[ 79.695118] drm_file_free.part.0+0x1ea/0x260\n[ 79.695150] drm_release+0x6a/0x120\n[ 79.695175] __fput+0x9f/0x260\n[ 79.695203] task_work_run+0x59/0xa0\n[ 79.695227] do_exit+0x387/0xbe0\n[ 79.695250] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90\n[ 79.695275] ? lockdep_hardirqs_on+0x7d/0x100\n[ 79.695304] do_group_exit+0x33/0xb0\n[ 79.695331] __x64_sys_exit_group+0x14/0x20\n[ 79.695353] do_syscall_64+0x58/0x80\n[ 79.695376] ? up_read+0x17/0x20\n[ 79.695401] ? lock_is_held_type+0xe3/0x140\n[ 79.695429] ? asm_exc_page_fault+0x22/0x30\n[ 79.695450] ? lockdep_hardirqs_on+0x7d/0x100\n[ 79.695473] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 79.695493] RIP: 0033:0x7ff1ccefe3f1\n[ 79.695516] Code: Unable to access opcode bytes at RIP 0x7ff1ccefe3c7.\n[ 79.695607] RSP: 002b:00007ffed4413378 EFLAGS: \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48633\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48633\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48633\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48633\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48633\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/55c077d97fa67e9f19952bb24122a8316b089474\",\n \"https://git.kernel.org/stable/c/b6f25c3b94f2aadbf5cbef954db4073614943d74\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/gma500: Fix WARN_ON(lock->magic != lock) error\\n\\npsb_gem_unpin() calls dma_resv_lock() but the underlying ww_mutex\\ngets destroyed by drm_gem_object_release() move the\\ndrm_gem_object_release() call in psb_gem_free_object() to after\\nthe unpin to fix the below warning:\\n\\n[ 79.693962] ------------[ cut here ]------------\\n[ 79.693992] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\\n[ 79.694015] WARNING: CPU: 0 PID: 240 at kernel/locking/mutex.c:582 __ww_mutex_lock.constprop.0+0x569/0xfb0\\n[ 79.694052] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer qrtr bnep ath9k ath9k_common ath9k_hw snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel ath3k snd_intel_dspcfg mac80211 snd_intel_sdw_acpi btusb snd_hda_codec btrtl btbcm btintel btmtk bluetooth at24 snd_hda_core snd_hwdep uvcvideo snd_seq libarc4 videobuf2_vmalloc ath videobuf2_memops videobuf2_v4l2 videobuf2_common snd_seq_device videodev acer_wmi intel_powerclamp coretemp mc snd_pcm joydev sparse_keymap ecdh_generic pcspkr wmi_bmof cfg80211 i2c_i801 i2c_smbus snd_timer snd r8169 rfkill lpc_ich soundcore acpi_cpufreq zram rtsx_pci_sdmmc mmc_core serio_raw rtsx_pci gma500_gfx(E) video wmi ip6_tables ip_tables i2c_dev fuse\\n[ 79.694436] CPU: 0 PID: 240 Comm: plymouthd Tainted: G W E 6.0.0-rc3+ #490\\n[ 79.694457] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\\n[ 79.694469] RIP: 0010:__ww_mutex_lock.constprop.0+0x569/0xfb0\\n[ 79.694496] Code: ff 85 c0 0f 84 15 fb ff ff 8b 05 ca 3c 11 01 85 c0 0f 85 07 fb ff ff 48 c7 c6 30 cb 84 aa 48 c7 c7 a3 e1 82 aa e8 ac 29 f8 ff <0f> 0b e9 ed fa ff ff e8 5b 83 8a ff 85 c0 74 10 44 8b 0d 98 3c 11\\n[ 79.694513] RSP: 0018:ffffad1dc048bbe0 EFLAGS: 00010282\\n[ 79.694623] RAX: 0000000000000028 RBX: 0000000000000000 RCX: 0000000000000000\\n[ 79.694636] RDX: 0000000000000001 RSI: ffffffffaa8b0ffc RDI: 00000000ffffffff\\n[ 79.694650] RBP: ffffad1dc048bc80 R08: 0000000000000000 R09: ffffad1dc048ba90\\n[ 79.694662] R10: 0000000000000003 R11: ffffffffaad62fe8 R12: ffff9ff302103138\\n[ 79.694675] R13: ffff9ff306ec8000 R14: ffff9ff307779078 R15: ffff9ff3014c0270\\n[ 79.694690] FS: 00007ff1cccf1740(0000) GS:ffff9ff3bc200000(0000) knlGS:0000000000000000\\n[ 79.694705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 79.694719] CR2: 0000559ecbcb4420 CR3: 0000000013210000 CR4: 00000000000006f0\\n[ 79.694734] Call Trace:\\n[ 79.694749] \\n[ 79.694761] ? __schedule+0x47f/0x1670\\n[ 79.694796] ? psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\\n[ 79.694830] ? lock_is_held_type+0xe3/0x140\\n[ 79.694864] ? ww_mutex_lock+0x38/0xa0\\n[ 79.694885] ? __cond_resched+0x1c/0x30\\n[ 79.694902] ww_mutex_lock+0x38/0xa0\\n[ 79.694925] psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\\n[ 79.694964] psb_gem_unpin+0x199/0x1a0 [gma500_gfx]\\n[ 79.694996] drm_gem_object_release_handle+0x50/0x60\\n[ 79.695020] ? drm_gem_object_handle_put_unlocked+0xf0/0xf0\\n[ 79.695042] idr_for_each+0x4b/0xb0\\n[ 79.695066] ? _raw_spin_unlock_irqrestore+0x30/0x60\\n[ 79.695095] drm_gem_release+0x1c/0x30\\n[ 79.695118] drm_file_free.part.0+0x1ea/0x260\\n[ 79.695150] drm_release+0x6a/0x120\\n[ 79.695175] __fput+0x9f/0x260\\n[ 79.695203] task_work_run+0x59/0xa0\\n[ 79.695227] do_exit+0x387/0xbe0\\n[ 79.695250] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90\\n[ 79.695275] ? lockdep_hardirqs_on+0x7d/0x100\\n[ 79.695304] do_group_exit+0x33/0xb0\\n[ 79.695331] __x64_sys_exit_group+0x14/0x20\\n[ 79.695353] do_syscall_64+0x58/0x80\\n[ 79.695376] ? up_read+0x17/0x20\\n[ 79.695401] ? lock_is_held_type+0xe3/0x140\\n[ 79.695429] ? asm_exc_page_fault+0x22/0x30\\n[ 79.695450] ? lockdep_hardirqs_on+0x7d/0x100\\n[ 79.695473] entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n[ 79.695493] RIP: 0033:0x7ff1ccefe3f1\\n[ 79.695516] Code: Unable to access opcode bytes at RIP 0x7ff1ccefe3c7.\\n[ 79.695607] RSP: 002b:00007ffed4413378 EFLAGS: \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48633\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48634", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48634" + }, + { + "url": "https://git.kernel.org/stable/c/63e37a79f7bd939314997e29c2f5a9f0ef184281" + }, + { + "url": "https://git.kernel.org/stable/c/a6ed7624bf4d0a32f2631e74828bca7b7bf15afd" + }, + { + "url": "https://git.kernel.org/stable/c/c5812807e416618477d1bb0049727ce8bb8292fd" + }, + { + "url": "https://git.kernel.org/stable/c/e5ae504c8623476e13032670f1a6d6344d53ec9b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48634 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48634", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix BUG: sleeping function called from invalid context errors\n\ngma_crtc_page_flip() was holding the event_lock spinlock while calling\ncrtc_funcs->mode_set_base() which takes ww_mutex.\n\nThe only reason to hold event_lock is to clear gma_crtc->page_flip_event\non mode_set_base() errors.\n\nInstead unlock it after setting gma_crtc->page_flip_event and on\nerrors re-take the lock and clear gma_crtc->page_flip_event it\nit is still set.\n\nThis fixes the following WARN/stacktrace:\n\n[ 512.122953] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:870\n[ 512.123004] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1253, name: gnome-shell\n[ 512.123031] preempt_count: 1, expected: 0\n[ 512.123048] RCU nest depth: 0, expected: 0\n[ 512.123066] INFO: lockdep is turned off.\n[ 512.123080] irq event stamp: 0\n[ 512.123094] hardirqs last enabled at (0): [<0000000000000000>] 0x0\n[ 512.123134] hardirqs last disabled at (0): [] copy_process+0x9fc/0x1de0\n[ 512.123176] softirqs last enabled at (0): [] copy_process+0x9fc/0x1de0\n[ 512.123207] softirqs last disabled at (0): [<0000000000000000>] 0x0\n[ 512.123233] Preemption disabled at:\n[ 512.123241] [<0000000000000000>] 0x0\n[ 512.123275] CPU: 3 PID: 1253 Comm: gnome-shell Tainted: G W 5.19.0+ #1\n[ 512.123304] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[ 512.123323] Call Trace:\n[ 512.123346] \n[ 512.123370] dump_stack_lvl+0x5b/0x77\n[ 512.123412] __might_resched.cold+0xff/0x13a\n[ 512.123458] ww_mutex_lock+0x1e/0xa0\n[ 512.123495] psb_gem_pin+0x2c/0x150 [gma500_gfx]\n[ 512.123601] gma_pipe_set_base+0x76/0x240 [gma500_gfx]\n[ 512.123708] gma_crtc_page_flip+0x95/0x130 [gma500_gfx]\n[ 512.123808] drm_mode_page_flip_ioctl+0x57d/0x5d0\n[ 512.123897] ? drm_mode_cursor2_ioctl+0x10/0x10\n[ 512.123936] drm_ioctl_kernel+0xa1/0x150\n[ 512.123984] drm_ioctl+0x21f/0x420\n[ 512.124025] ? drm_mode_cursor2_ioctl+0x10/0x10\n[ 512.124070] ? rcu_read_lock_bh_held+0xb/0x60\n[ 512.124104] ? lock_release+0x1ef/0x2d0\n[ 512.124161] __x64_sys_ioctl+0x8d/0xd0\n[ 512.124203] do_syscall_64+0x58/0x80\n[ 512.124239] ? do_syscall_64+0x67/0x80\n[ 512.124267] ? trace_hardirqs_on_prepare+0x55/0xe0\n[ 512.124300] ? do_syscall_64+0x67/0x80\n[ 512.124340] ? rcu_read_lock_sched_held+0x10/0x80\n[ 512.124377] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 512.124411] RIP: 0033:0x7fcc4a70740f\n[ 512.124442] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00\n[ 512.124470] RSP: 002b:00007ffda73f5390 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 512.124503] RAX: ffffffffffffffda RBX: 000055cc9e474500 RCX: 00007fcc4a70740f\n[ 512.124524] RDX: 00007ffda73f5420 RSI: 00000000c01864b0 RDI: 0000000000000009\n[ 512.124544] RBP: 00007ffda73f5420 R08: 000055cc9c0b0cb0 R09: 0000000000000034\n[ 512.124564] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c01864b0\n[ 512.124584] R13: 0000000000000009 R14: 000055cc9df484d0 R15: 000055cc9af5d0c0\n[ 512.124647] ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48634\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48634\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48634\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48634\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48634\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/63e37a79f7bd939314997e29c2f5a9f0ef184281\",\n \"https://git.kernel.org/stable/c/a6ed7624bf4d0a32f2631e74828bca7b7bf15afd\",\n \"https://git.kernel.org/stable/c/c5812807e416618477d1bb0049727ce8bb8292fd\",\n \"https://git.kernel.org/stable/c/e5ae504c8623476e13032670f1a6d6344d53ec9b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/gma500: Fix BUG: sleeping function called from invalid context errors\\n\\ngma_crtc_page_flip() was holding the event_lock spinlock while calling\\ncrtc_funcs->mode_set_base() which takes ww_mutex.\\n\\nThe only reason to hold event_lock is to clear gma_crtc->page_flip_event\\non mode_set_base() errors.\\n\\nInstead unlock it after setting gma_crtc->page_flip_event and on\\nerrors re-take the lock and clear gma_crtc->page_flip_event it\\nit is still set.\\n\\nThis fixes the following WARN/stacktrace:\\n\\n[ 512.122953] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:870\\n[ 512.123004] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1253, name: gnome-shell\\n[ 512.123031] preempt_count: 1, expected: 0\\n[ 512.123048] RCU nest depth: 0, expected: 0\\n[ 512.123066] INFO: lockdep is turned off.\\n[ 512.123080] irq event stamp: 0\\n[ 512.123094] hardirqs last enabled at (0): [<0000000000000000>] 0x0\\n[ 512.123134] hardirqs last disabled at (0): [] copy_process+0x9fc/0x1de0\\n[ 512.123176] softirqs last enabled at (0): [] copy_process+0x9fc/0x1de0\\n[ 512.123207] softirqs last disabled at (0): [<0000000000000000>] 0x0\\n[ 512.123233] Preemption disabled at:\\n[ 512.123241] [<0000000000000000>] 0x0\\n[ 512.123275] CPU: 3 PID: 1253 Comm: gnome-shell Tainted: G W 5.19.0+ #1\\n[ 512.123304] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\\n[ 512.123323] Call Trace:\\n[ 512.123346] \\n[ 512.123370] dump_stack_lvl+0x5b/0x77\\n[ 512.123412] __might_resched.cold+0xff/0x13a\\n[ 512.123458] ww_mutex_lock+0x1e/0xa0\\n[ 512.123495] psb_gem_pin+0x2c/0x150 [gma500_gfx]\\n[ 512.123601] gma_pipe_set_base+0x76/0x240 [gma500_gfx]\\n[ 512.123708] gma_crtc_page_flip+0x95/0x130 [gma500_gfx]\\n[ 512.123808] drm_mode_page_flip_ioctl+0x57d/0x5d0\\n[ 512.123897] ? drm_mode_cursor2_ioctl+0x10/0x10\\n[ 512.123936] drm_ioctl_kernel+0xa1/0x150\\n[ 512.123984] drm_ioctl+0x21f/0x420\\n[ 512.124025] ? drm_mode_cursor2_ioctl+0x10/0x10\\n[ 512.124070] ? rcu_read_lock_bh_held+0xb/0x60\\n[ 512.124104] ? lock_release+0x1ef/0x2d0\\n[ 512.124161] __x64_sys_ioctl+0x8d/0xd0\\n[ 512.124203] do_syscall_64+0x58/0x80\\n[ 512.124239] ? do_syscall_64+0x67/0x80\\n[ 512.124267] ? trace_hardirqs_on_prepare+0x55/0xe0\\n[ 512.124300] ? do_syscall_64+0x67/0x80\\n[ 512.124340] ? rcu_read_lock_sched_held+0x10/0x80\\n[ 512.124377] entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n[ 512.124411] RIP: 0033:0x7fcc4a70740f\\n[ 512.124442] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00\\n[ 512.124470] RSP: 002b:00007ffda73f5390 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\n[ 512.124503] RAX: ffffffffffffffda RBX: 000055cc9e474500 RCX: 00007fcc4a70740f\\n[ 512.124524] RDX: 00007ffda73f5420 RSI: 00000000c01864b0 RDI: 0000000000000009\\n[ 512.124544] RBP: 00007ffda73f5420 R08: 000055cc9c0b0cb0 R09: 0000000000000034\\n[ 512.124564] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c01864b0\\n[ 512.124584] R13: 0000000000000009 R14: 000055cc9df484d0 R15: 000055cc9af5d0c0\\n[ 512.124647] \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48634\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48635", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48635" + }, + { + "url": "https://git.kernel.org/stable/c/17d9c15c9b9e7fb285f7ac5367dfb5f00ff575e3" + }, + { + "url": "https://git.kernel.org/stable/c/60644dffac87b1bb47bdb393aa29d5f2ffcf41a0" + }, + { + "url": "https://git.kernel.org/stable/c/929ef155e1da41c06f4d8ca86ae12b851a83a744" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48635 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48635", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsdax: Fix infinite loop in dax_iomap_rw()\n\nI got an infinite loop and a WARNING report when executing a tail command\nin virtiofs.\n\n WARNING: CPU: 10 PID: 964 at fs/iomap/iter.c:34 iomap_iter+0x3a2/0x3d0\n Modules linked in:\n CPU: 10 PID: 964 Comm: tail Not tainted 5.19.0-rc7\n Call Trace:\n \n dax_iomap_rw+0xea/0x620\n ? __this_cpu_preempt_check+0x13/0x20\n fuse_dax_read_iter+0x47/0x80\n fuse_file_read_iter+0xae/0xd0\n new_sync_read+0xfe/0x180\n ? 0xffffffff81000000\n vfs_read+0x14d/0x1a0\n ksys_read+0x6d/0xf0\n __x64_sys_read+0x1a/0x20\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe tail command will call read() with a count of 0. In this case,\niomap_iter() will report this WARNING, and always return 1 which casuing\nthe infinite loop in dax_iomap_rw().\n\nFixing by checking count whether is 0 in dax_iomap_rw().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48635\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48635\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48635\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48635\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48635\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17d9c15c9b9e7fb285f7ac5367dfb5f00ff575e3\",\n \"https://git.kernel.org/stable/c/60644dffac87b1bb47bdb393aa29d5f2ffcf41a0\",\n \"https://git.kernel.org/stable/c/929ef155e1da41c06f4d8ca86ae12b851a83a744\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfsdax: Fix infinite loop in dax_iomap_rw()\\n\\nI got an infinite loop and a WARNING report when executing a tail command\\nin virtiofs.\\n\\n WARNING: CPU: 10 PID: 964 at fs/iomap/iter.c:34 iomap_iter+0x3a2/0x3d0\\n Modules linked in:\\n CPU: 10 PID: 964 Comm: tail Not tainted 5.19.0-rc7\\n Call Trace:\\n \\n dax_iomap_rw+0xea/0x620\\n ? __this_cpu_preempt_check+0x13/0x20\\n fuse_dax_read_iter+0x47/0x80\\n fuse_file_read_iter+0xae/0xd0\\n new_sync_read+0xfe/0x180\\n ? 0xffffffff81000000\\n vfs_read+0x14d/0x1a0\\n ksys_read+0x6d/0xf0\\n __x64_sys_read+0x1a/0x20\\n do_syscall_64+0x3b/0x90\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nThe tail command will call read() with a count of 0. In this case,\\niomap_iter() will report this WARNING, and always return 1 which casuing\\nthe infinite loop in dax_iomap_rw().\\n\\nFixing by checking count whether is 0 in dax_iomap_rw().\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48635\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48636", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48636" + }, + { + "url": "https://git.kernel.org/stable/c/2e473351400e3dd66f0b71eddcef82ee45a584c1" + }, + { + "url": "https://git.kernel.org/stable/c/49f401a98b318761ca2e15d4c7869a20043fbed4" + }, + { + "url": "https://git.kernel.org/stable/c/650a2e79d176db753654d3dde88e53a2033036ac" + }, + { + "url": "https://git.kernel.org/stable/c/aaba5ff2742043705bc4c02fd0b2b246e2e16da1" + }, + { + "url": "https://git.kernel.org/stable/c/d3a67c21b18f33c79382084af556557c442f12a6" + }, + { + "url": "https://git.kernel.org/stable/c/d86b4267834e6d4af62e3073e48166e349ab1b70" + }, + { + "url": "https://git.kernel.org/stable/c/db7ba07108a48c0f95b74fabbfd5d63e924f992d" + }, + { + "url": "https://git.kernel.org/stable/c/f5fcc9d6d71d9ff7fdbdd4b89074e6e24fffc20b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48636 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48636", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup\n\nFix Oops in dasd_alias_get_start_dev() function caused by the pavgroup\npointer being NULL.\n\nThe pavgroup pointer is checked on the entrance of the function but\nwithout the lcu->lock being held. Therefore there is a race window\nbetween dasd_alias_get_start_dev() and _lcu_update() which sets\npavgroup to NULL with the lcu->lock held.\n\nFix by checking the pavgroup pointer with lcu->lock held.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48636\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48636\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48636\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48636\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48636\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e473351400e3dd66f0b71eddcef82ee45a584c1\",\n \"https://git.kernel.org/stable/c/49f401a98b318761ca2e15d4c7869a20043fbed4\",\n \"https://git.kernel.org/stable/c/650a2e79d176db753654d3dde88e53a2033036ac\",\n \"https://git.kernel.org/stable/c/aaba5ff2742043705bc4c02fd0b2b246e2e16da1\",\n \"https://git.kernel.org/stable/c/d3a67c21b18f33c79382084af556557c442f12a6\",\n \"https://git.kernel.org/stable/c/d86b4267834e6d4af62e3073e48166e349ab1b70\",\n \"https://git.kernel.org/stable/c/db7ba07108a48c0f95b74fabbfd5d63e924f992d\",\n \"https://git.kernel.org/stable/c/f5fcc9d6d71d9ff7fdbdd4b89074e6e24fffc20b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup\\n\\nFix Oops in dasd_alias_get_start_dev() function caused by the pavgroup\\npointer being NULL.\\n\\nThe pavgroup pointer is checked on the entrance of the function but\\nwithout the lcu->lock being held. Therefore there is a race window\\nbetween dasd_alias_get_start_dev() and _lcu_update() which sets\\npavgroup to NULL with the lcu->lock held.\\n\\nFix by checking the pavgroup pointer with lcu->lock held.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48636\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48637", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48637" + }, + { + "url": "https://git.kernel.org/stable/c/08483e4c0c83b221b8891434a04cec405dee94a6" + }, + { + "url": "https://git.kernel.org/stable/c/32afa1f23e42cc635ccf4c39f24514d03d1e8338" + }, + { + "url": "https://git.kernel.org/stable/c/c31f26c8f69f776759cbbdfb38e40ea91aa0dd65" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48637 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48637", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: prevent skb UAF after handing over to PTP worker\n\nWhen reading the timestamp is required bnxt_tx_int() hands\nover the ownership of the completed skb to the PTP worker.\nThe skb should not be used afterwards, as the worker may\nrun before the rest of our code and free the skb, leading\nto a use-after-free.\n\nSince dev_kfree_skb_any() accepts NULL make the loss of\nownership more obvious and set skb to NULL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48637\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48637\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48637\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48637\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48637\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08483e4c0c83b221b8891434a04cec405dee94a6\",\n \"https://git.kernel.org/stable/c/32afa1f23e42cc635ccf4c39f24514d03d1e8338\",\n \"https://git.kernel.org/stable/c/c31f26c8f69f776759cbbdfb38e40ea91aa0dd65\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbnxt: prevent skb UAF after handing over to PTP worker\\n\\nWhen reading the timestamp is required bnxt_tx_int() hands\\nover the ownership of the completed skb to the PTP worker.\\nThe skb should not be used afterwards, as the worker may\\nrun before the rest of our code and free the skb, leading\\nto a use-after-free.\\n\\nSince dev_kfree_skb_any() accepts NULL make the loss of\\nownership more obvious and set skb to NULL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48637\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48638", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48638" + }, + { + "url": "https://git.kernel.org/stable/c/1e9571887f97b17cf3ffe9aa4da89090ea60988b" + }, + { + "url": "https://git.kernel.org/stable/c/8484a356cee8ce3d6a8e6266ff99be326e9273ad" + }, + { + "url": "https://git.kernel.org/stable/c/df02452f3df069a59bc9e69c84435bf115cb6e37" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48638 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48638", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: cgroup_get_from_id() must check the looked-up kn is a directory\n\ncgroup has to be one kernfs dir, otherwise kernel panic is caused,\nespecially cgroup id is provide from userspace.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48638\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48638\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48638\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48638\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48638\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e9571887f97b17cf3ffe9aa4da89090ea60988b\",\n \"https://git.kernel.org/stable/c/8484a356cee8ce3d6a8e6266ff99be326e9273ad\",\n \"https://git.kernel.org/stable/c/df02452f3df069a59bc9e69c84435bf115cb6e37\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncgroup: cgroup_get_from_id() must check the looked-up kn is a directory\\n\\ncgroup has to be one kernfs dir, otherwise kernel panic is caused,\\nespecially cgroup id is provide from userspace.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48638\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48639", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48639" + }, + { + "url": "https://git.kernel.org/stable/c/0559d91ee3a2cd81b15ad5cd507539d6da867f88" + }, + { + "url": "https://git.kernel.org/stable/c/8844c750eeb03452e2b3319c27a526f447b82596" + }, + { + "url": "https://git.kernel.org/stable/c/903f7d322c17d8e306d766404b4604e81653902a" + }, + { + "url": "https://git.kernel.org/stable/c/c2e1cfefcac35e0eea229e148c8284088ce437b5" + }, + { + "url": "https://git.kernel.org/stable/c/f8162aed962be8fa07445b2b5928e84ab40dd8d7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48639 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48639", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix possible refcount leak in tc_new_tfilter()\n\ntfilter_put need to be called to put the refount got by tp->ops->get to\navoid possible refcount leak when chain->tmplt_ops != NULL and\nchain->tmplt_ops != tp->ops.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48639\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48639\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48639\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48639\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48639\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0559d91ee3a2cd81b15ad5cd507539d6da867f88\",\n \"https://git.kernel.org/stable/c/8844c750eeb03452e2b3319c27a526f447b82596\",\n \"https://git.kernel.org/stable/c/903f7d322c17d8e306d766404b4604e81653902a\",\n \"https://git.kernel.org/stable/c/c2e1cfefcac35e0eea229e148c8284088ce437b5\",\n \"https://git.kernel.org/stable/c/f8162aed962be8fa07445b2b5928e84ab40dd8d7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: sched: fix possible refcount leak in tc_new_tfilter()\\n\\ntfilter_put need to be called to put the refount got by tp->ops->get to\\navoid possible refcount leak when chain->tmplt_ops != NULL and\\nchain->tmplt_ops != tp->ops.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48639\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48640", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48640" + }, + { + "url": "https://git.kernel.org/stable/c/0e400d602f46360752e4b32ce842dba3808e15e6" + }, + { + "url": "https://git.kernel.org/stable/c/2c8e8ab53acfc78da0b4a65f30cb5d306e7d78f7" + }, + { + "url": "https://git.kernel.org/stable/c/ec3a6f4ffe556a28f6f5028bf7c4412557e7051b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48640 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48640", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix NULL deref in bond_rr_gen_slave_id\n\nFix a NULL dereference of the struct bonding.rr_tx_counter member because\nif a bond is initially created with an initial mode != zero (Round Robin)\nthe memory required for the counter is never created and when the mode is\nchanged there is never any attempt to verify the memory is allocated upon\nswitching modes.\n\nThis causes the following Oops on an aarch64 machine:\n [ 334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000\n [ 334.694703] Mem abort info:\n [ 334.697486] ESR = 0x0000000096000004\n [ 334.701234] EC = 0x25: DABT (current EL), IL = 32 bits\n [ 334.706536] SET = 0, FnV = 0\n [ 334.709579] EA = 0, S1PTW = 0\n [ 334.712719] FSC = 0x04: level 0 translation fault\n [ 334.717586] Data abort info:\n [ 334.720454] ISV = 0, ISS = 0x00000004\n [ 334.724288] CM = 0, WnR = 0\n [ 334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000\n [ 334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000\n [ 334.740734] Internal error: Oops: 96000004 [#1] SMP\n [ 334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon\n [ 334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4\n [ 334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021\n [ 334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n [ 334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]\n [ 334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n [ 334.807962] sp : ffff8000221733e0\n [ 334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c\n [ 334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000\n [ 334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0\n [ 334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014\n [ 334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62\n [ 334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000\n [ 334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec\n [ 334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742\n [ 334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400\n [ 334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0\n [ 334.882532] Call trace:\n [ 334.884967] bond_rr_gen_slave_id+0x40/0x124 [bonding]\n [ 334.890109] bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n [ 334.896033] __bond_start_xmit+0x128/0x3a0 [bonding]\n [ 334.901001] bond_start_xmit+0x54/0xb0 [bonding]\n [ 334.905622] dev_hard_start_xmit+0xb4/0x220\n [ 334.909798] __dev_queue_xmit+0x1a0/0x720\n [ 334.913799] arp_xmit+0x3c/0xbc\n [ 334.916932] arp_send_dst+0x98/0xd0\n [ 334.920410] arp_solicit+0xe8/0x230\n [ 334.923888] neigh_probe+0x60/0xb0\n [ 334.927279] __neigh_event_send+0x3b0/0x470\n [ 334.931453] neigh_resolve_output+0x70/0x90\n [ 334.935626] ip_finish_output2+0x158/0x514\n [ 334.939714] __ip_finish_output+0xac/0x1a4\n [ 334.943800] ip_finish_output+0x40/0xfc\n [ 334.947626] ip_output+0xf8/0x1a4\n [ 334.950931] ip_send_skb+0x5c/0x100\n [ 334.954410] ip_push_pending_frames+0x3c/0x60\n [ 334.958758] raw_sendmsg+0x458/0x6d0\n [ 334.962325] inet_sendmsg+0x50/0x80\n [ 334.965805] sock_sendmsg+0x60/0x6c\n [ 334.969286] __sys_sendto+0xc8/0x134\n [ 334.972853] __arm64_sys_sendto+0x34/0x4c\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48640\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48640\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48640\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48640\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48640\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e400d602f46360752e4b32ce842dba3808e15e6\",\n \"https://git.kernel.org/stable/c/2c8e8ab53acfc78da0b4a65f30cb5d306e7d78f7\",\n \"https://git.kernel.org/stable/c/ec3a6f4ffe556a28f6f5028bf7c4412557e7051b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbonding: fix NULL deref in bond_rr_gen_slave_id\\n\\nFix a NULL dereference of the struct bonding.rr_tx_counter member because\\nif a bond is initially created with an initial mode != zero (Round Robin)\\nthe memory required for the counter is never created and when the mode is\\nchanged there is never any attempt to verify the memory is allocated upon\\nswitching modes.\\n\\nThis causes the following Oops on an aarch64 machine:\\n [ 334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000\\n [ 334.694703] Mem abort info:\\n [ 334.697486] ESR = 0x0000000096000004\\n [ 334.701234] EC = 0x25: DABT (current EL), IL = 32 bits\\n [ 334.706536] SET = 0, FnV = 0\\n [ 334.709579] EA = 0, S1PTW = 0\\n [ 334.712719] FSC = 0x04: level 0 translation fault\\n [ 334.717586] Data abort info:\\n [ 334.720454] ISV = 0, ISS = 0x00000004\\n [ 334.724288] CM = 0, WnR = 0\\n [ 334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000\\n [ 334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000\\n [ 334.740734] Internal error: Oops: 96000004 [#1] SMP\\n [ 334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon\\n [ 334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4\\n [ 334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021\\n [ 334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n [ 334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]\\n [ 334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\\n [ 334.807962] sp : ffff8000221733e0\\n [ 334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c\\n [ 334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000\\n [ 334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0\\n [ 334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014\\n [ 334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62\\n [ 334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000\\n [ 334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec\\n [ 334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742\\n [ 334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400\\n [ 334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0\\n [ 334.882532] Call trace:\\n [ 334.884967] bond_rr_gen_slave_id+0x40/0x124 [bonding]\\n [ 334.890109] bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\\n [ 334.896033] __bond_start_xmit+0x128/0x3a0 [bonding]\\n [ 334.901001] bond_start_xmit+0x54/0xb0 [bonding]\\n [ 334.905622] dev_hard_start_xmit+0xb4/0x220\\n [ 334.909798] __dev_queue_xmit+0x1a0/0x720\\n [ 334.913799] arp_xmit+0x3c/0xbc\\n [ 334.916932] arp_send_dst+0x98/0xd0\\n [ 334.920410] arp_solicit+0xe8/0x230\\n [ 334.923888] neigh_probe+0x60/0xb0\\n [ 334.927279] __neigh_event_send+0x3b0/0x470\\n [ 334.931453] neigh_resolve_output+0x70/0x90\\n [ 334.935626] ip_finish_output2+0x158/0x514\\n [ 334.939714] __ip_finish_output+0xac/0x1a4\\n [ 334.943800] ip_finish_output+0x40/0xfc\\n [ 334.947626] ip_output+0xf8/0x1a4\\n [ 334.950931] ip_send_skb+0x5c/0x100\\n [ 334.954410] ip_push_pending_frames+0x3c/0x60\\n [ 334.958758] raw_sendmsg+0x458/0x6d0\\n [ 334.962325] inet_sendmsg+0x50/0x80\\n [ 334.965805] sock_sendmsg+0x60/0x6c\\n [ 334.969286] __sys_sendto+0xc8/0x134\\n [ 334.972853] __arm64_sys_sendto+0x34/0x4c\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48640\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48641", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48641" + }, + { + "url": "https://git.kernel.org/stable/c/11ebf32fde46572b0aaf3c2bdd97d923ef5a03ab" + }, + { + "url": "https://git.kernel.org/stable/c/1e98318af2f163eadaff815abcef38d27ca92c1e" + }, + { + "url": "https://git.kernel.org/stable/c/38cf372b17f0a5f35c1b716a100532d539f0eb33" + }, + { + "url": "https://git.kernel.org/stable/c/62ce44c4fff947eebdf10bb582267e686e6835c9" + }, + { + "url": "https://git.kernel.org/stable/c/754e8b74281dd54a324698803483f47cf3355ae1" + }, + { + "url": "https://git.kernel.org/stable/c/d5917b7af7cae0e2804f9d127a03268035098b7f" + }, + { + "url": "https://git.kernel.org/stable/c/ebd97dbe3c55d68346b9c5fb00634a7f5b10bbee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48641 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48641", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix memory leak when blob is malformed\n\nThe bug fix was incomplete, it \"replaced\" crash with a memory leak.\nThe old code had an assignment to \"ret\" embedded into the conditional,\nrestore this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48641\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48641\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48641\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48641\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48641\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11ebf32fde46572b0aaf3c2bdd97d923ef5a03ab\",\n \"https://git.kernel.org/stable/c/1e98318af2f163eadaff815abcef38d27ca92c1e\",\n \"https://git.kernel.org/stable/c/38cf372b17f0a5f35c1b716a100532d539f0eb33\",\n \"https://git.kernel.org/stable/c/62ce44c4fff947eebdf10bb582267e686e6835c9\",\n \"https://git.kernel.org/stable/c/754e8b74281dd54a324698803483f47cf3355ae1\",\n \"https://git.kernel.org/stable/c/d5917b7af7cae0e2804f9d127a03268035098b7f\",\n \"https://git.kernel.org/stable/c/ebd97dbe3c55d68346b9c5fb00634a7f5b10bbee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: ebtables: fix memory leak when blob is malformed\\n\\nThe bug fix was incomplete, it \\\"replaced\\\" crash with a memory leak.\\nThe old code had an assignment to \\\"ret\\\" embedded into the conditional,\\nrestore this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48641\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48642", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48642" + }, + { + "url": "https://git.kernel.org/stable/c/08d7524f366a886b99b1630a24a27dd6e0d7f852" + }, + { + "url": "https://git.kernel.org/stable/c/985b031667c3177b9e7fb9787b989628e4271714" + }, + { + "url": "https://git.kernel.org/stable/c/9a4d6dd554b86e65581ef6b6638a39ae079b17ac" + }, + { + "url": "https://git.kernel.org/stable/c/b043a525a3f5520abb676a7cd8f6328fdf959e88" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48642 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48642", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix percpu memory leak at nf_tables_addchain()\n\nIt seems to me that percpu memory for chain stats started leaking since\ncommit 3bc158f8d0330f0a (\"netfilter: nf_tables: map basechain priority to\nhardware priority\") when nft_chain_offload_priority() returned an error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48642\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48642\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48642\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48642\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48642\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08d7524f366a886b99b1630a24a27dd6e0d7f852\",\n \"https://git.kernel.org/stable/c/985b031667c3177b9e7fb9787b989628e4271714\",\n \"https://git.kernel.org/stable/c/9a4d6dd554b86e65581ef6b6638a39ae079b17ac\",\n \"https://git.kernel.org/stable/c/b043a525a3f5520abb676a7cd8f6328fdf959e88\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: fix percpu memory leak at nf_tables_addchain()\\n\\nIt seems to me that percpu memory for chain stats started leaking since\\ncommit 3bc158f8d0330f0a (\\\"netfilter: nf_tables: map basechain priority to\\nhardware priority\\\") when nft_chain_offload_priority() returned an error.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48642\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48643", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48643" + }, + { + "url": "https://git.kernel.org/stable/c/710e3f526bd23a0d33435dedc52c3144de284378" + }, + { + "url": "https://git.kernel.org/stable/c/8bcad2a931313aeba076b76922d5813ef97d0a91" + }, + { + "url": "https://git.kernel.org/stable/c/91aa52652f4b37089aff3cb53e83049d826fef6d" + }, + { + "url": "https://git.kernel.org/stable/c/921ebde3c0d22c8cba74ce8eb3cc4626abff1ccd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48643 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48643", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix nft_counters_enabled underflow at nf_tables_addchain()\n\nsyzbot is reporting underflow of nft_counters_enabled counter at\nnf_tables_addchain() [1], for commit 43eb8949cfdffa76 (\"netfilter:\nnf_tables: do not leave chain stats enabled on error\") missed that\nnf_tables_chain_destroy() after nft_basechain_init() in the error path of\nnf_tables_addchain() decrements the counter because nft_basechain_init()\nmakes nft_is_base_chain() return true by setting NFT_CHAIN_BASE flag.\n\nIncrement the counter immediately after returning from\nnft_basechain_init().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48643\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48643\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48643\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48643\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48643\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/710e3f526bd23a0d33435dedc52c3144de284378\",\n \"https://git.kernel.org/stable/c/8bcad2a931313aeba076b76922d5813ef97d0a91\",\n \"https://git.kernel.org/stable/c/91aa52652f4b37089aff3cb53e83049d826fef6d\",\n \"https://git.kernel.org/stable/c/921ebde3c0d22c8cba74ce8eb3cc4626abff1ccd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: fix nft_counters_enabled underflow at nf_tables_addchain()\\n\\nsyzbot is reporting underflow of nft_counters_enabled counter at\\nnf_tables_addchain() [1], for commit 43eb8949cfdffa76 (\\\"netfilter:\\nnf_tables: do not leave chain stats enabled on error\\\") missed that\\nnf_tables_chain_destroy() after nft_basechain_init() in the error path of\\nnf_tables_addchain() decrements the counter because nft_basechain_init()\\nmakes nft_is_base_chain() return true by setting NFT_CHAIN_BASE flag.\\n\\nIncrement the counter immediately after returning from\\nnft_basechain_init().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48643\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48644", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48644" + }, + { + "url": "https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb" + }, + { + "url": "https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323" + }, + { + "url": "https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76" + }, + { + "url": "https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92" + }, + { + "url": "https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48644 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48644", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: avoid disabling offload when it was never enabled\n\nIn an incredibly strange API design decision, qdisc->destroy() gets\ncalled even if qdisc->init() never succeeded, not exclusively since\ncommit 87b60cfacf9f (\"net_sched: fix error recovery at qdisc creation\"),\nbut apparently also earlier (in the case of qdisc_create_dflt()).\n\nThe taprio qdisc does not fully acknowledge this when it attempts full\noffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in\ntaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS\nparsed from netlink (in taprio_change(), tail called from taprio_init()).\n\nBut in taprio_destroy(), we call taprio_disable_offload(), and this\ndetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).\n\nBut looking at the implementation of FULL_OFFLOAD_IS_ENABLED()\n(a bitwise check of bit 1 in q->flags), it is invalid to call this macro\non q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set\nto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on\nan invalid set of flags.\n\nAs a result, it is possible to crash the kernel if user space forces an\nerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling\nof taprio_enable_offload(). This is because drivers do not expect the\noffload to be disabled when it was never enabled.\n\nThe error that we force here is to attach taprio as a non-root qdisc,\nbut instead as child of an mqprio root qdisc:\n\n$ tc qdisc add dev swp0 root handle 1: \\\n\tmqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc qdisc replace dev swp0 parent 1:1 \\\n\ttaprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 990000 sched-entry S 0x80 100000 \\\n\tflags 0x0 clockid CLOCK_TAI\nUnable to handle kernel paging request at virtual address fffffffffffffff8\n[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCall trace:\n taprio_dump+0x27c/0x310\n vsc9959_port_setup_tc+0x1f4/0x460\n felix_port_setup_tc+0x24/0x3c\n dsa_slave_setup_tc+0x54/0x27c\n taprio_disable_offload.isra.0+0x58/0xe0\n taprio_destroy+0x80/0x104\n qdisc_create+0x240/0x470\n tc_modify_qdisc+0x1fc/0x6b0\n rtnetlink_rcv_msg+0x12c/0x390\n netlink_rcv_skb+0x5c/0x130\n rtnetlink_rcv+0x1c/0x2c\n\nFix this by keeping track of the operations we made, and undo the\noffload only if we actually did it.\n\nI've added \"bool offloaded\" inside a 4 byte hole between \"int clockid\"\nand \"atomic64_t picos_per_byte\". Now the first cache line looks like\nbelow:\n\n$ pahole -C taprio_sched net/sched/sch_taprio.o\nstruct taprio_sched {\n struct Qdisc * * qdiscs; /* 0 8 */\n struct Qdisc * root; /* 8 8 */\n u32 flags; /* 16 4 */\n enum tk_offsets tk_offset; /* 20 4 */\n int clockid; /* 24 4 */\n bool offloaded; /* 28 1 */\n\n /* XXX 3 bytes hole, try to pack */\n\n atomic64_t picos_per_byte; /* 32 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n spinlock_t current_entry_lock; /* 40 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n struct sched_entry * current_entry; /* 48 8 */\n struct sched_gate_list * oper_sched; /* 56 8 */\n /* --- cacheline 1 boundary (64 bytes) --- */", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48644\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48644\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48644\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48644\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48644\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb\",\n \"https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323\",\n \"https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76\",\n \"https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92\",\n \"https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: taprio: avoid disabling offload when it was never enabled\\n\\nIn an incredibly strange API design decision, qdisc->destroy() gets\\ncalled even if qdisc->init() never succeeded, not exclusively since\\ncommit 87b60cfacf9f (\\\"net_sched: fix error recovery at qdisc creation\\\"),\\nbut apparently also earlier (in the case of qdisc_create_dflt()).\\n\\nThe taprio qdisc does not fully acknowledge this when it attempts full\\noffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in\\ntaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS\\nparsed from netlink (in taprio_change(), tail called from taprio_init()).\\n\\nBut in taprio_destroy(), we call taprio_disable_offload(), and this\\ndetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).\\n\\nBut looking at the implementation of FULL_OFFLOAD_IS_ENABLED()\\n(a bitwise check of bit 1 in q->flags), it is invalid to call this macro\\non q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set\\nto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on\\nan invalid set of flags.\\n\\nAs a result, it is possible to crash the kernel if user space forces an\\nerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling\\nof taprio_enable_offload(). This is because drivers do not expect the\\noffload to be disabled when it was never enabled.\\n\\nThe error that we force here is to attach taprio as a non-root qdisc,\\nbut instead as child of an mqprio root qdisc:\\n\\n$ tc qdisc add dev swp0 root handle 1: \\\\\\n\\tmqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\\\\n\\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\\n$ tc qdisc replace dev swp0 parent 1:1 \\\\\\n\\ttaprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\\\\n\\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\\\\n\\tsched-entry S 0x7f 990000 sched-entry S 0x80 100000 \\\\\\n\\tflags 0x0 clockid CLOCK_TAI\\nUnable to handle kernel paging request at virtual address fffffffffffffff8\\n[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000\\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\\nCall trace:\\n taprio_dump+0x27c/0x310\\n vsc9959_port_setup_tc+0x1f4/0x460\\n felix_port_setup_tc+0x24/0x3c\\n dsa_slave_setup_tc+0x54/0x27c\\n taprio_disable_offload.isra.0+0x58/0xe0\\n taprio_destroy+0x80/0x104\\n qdisc_create+0x240/0x470\\n tc_modify_qdisc+0x1fc/0x6b0\\n rtnetlink_rcv_msg+0x12c/0x390\\n netlink_rcv_skb+0x5c/0x130\\n rtnetlink_rcv+0x1c/0x2c\\n\\nFix this by keeping track of the operations we made, and undo the\\noffload only if we actually did it.\\n\\nI've added \\\"bool offloaded\\\" inside a 4 byte hole between \\\"int clockid\\\"\\nand \\\"atomic64_t picos_per_byte\\\". Now the first cache line looks like\\nbelow:\\n\\n$ pahole -C taprio_sched net/sched/sch_taprio.o\\nstruct taprio_sched {\\n struct Qdisc * * qdiscs; /* 0 8 */\\n struct Qdisc * root; /* 8 8 */\\n u32 flags; /* 16 4 */\\n enum tk_offsets tk_offset; /* 20 4 */\\n int clockid; /* 24 4 */\\n bool offloaded; /* 28 1 */\\n\\n /* XXX 3 bytes hole, try to pack */\\n\\n atomic64_t picos_per_byte; /* 32 0 */\\n\\n /* XXX 8 bytes hole, try to pack */\\n\\n spinlock_t current_entry_lock; /* 40 0 */\\n\\n /* XXX 8 bytes hole, try to pack */\\n\\n struct sched_entry * current_entry; /* 48 8 */\\n struct sched_gate_list * oper_sched; /* 56 8 */\\n /* --- cacheline 1 boundary (64 bytes) --- */\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48644\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48645", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48645" + }, + { + "url": "https://git.kernel.org/stable/c/23022b74b1a23bed044f6bc96cf92f6ca5f3e75f" + }, + { + "url": "https://git.kernel.org/stable/c/510e703e4ed0e011db860bc21228aff48fc9eea7" + }, + { + "url": "https://git.kernel.org/stable/c/5641c751fe2f92d3d9e8a8e03c1263ac8caa0b42" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48645 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48645", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: deny offload of tc-based TSN features on VF interfaces\n\nTSN features on the ENETC (taprio, cbs, gate, police) are configured\nthrough a mix of command BD ring messages and port registers:\nenetc_port_rd(), enetc_port_wr().\n\nPort registers are a region of the ENETC memory map which are only\naccessible from the PCIe Physical Function. They are not accessible from\nthe Virtual Functions.\n\nMoreover, attempting to access these registers crashes the kernel:\n\n$ echo 1 > /sys/bus/pci/devices/0000\\:00\\:00.0/sriov_numvfs\npci 0000:00:01.0: [1957:ef00] type 00 class 0x020001\nfsl_enetc_vf 0000:00:01.0: Adding to iommu group 15\nfsl_enetc_vf 0000:00:01.0: enabling device (0000 -> 0002)\nfsl_enetc_vf 0000:00:01.0 eno0vf0: renamed from eth0\n$ tc qdisc replace dev eno0vf0 root taprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 900000 sched-entry S 0x80 100000 flags 0x2\nUnable to handle kernel paging request at virtual address ffff800009551a08\nInternal error: Oops: 96000007 [#1] PREEMPT SMP\npc : enetc_setup_tc_taprio+0x170/0x47c\nlr : enetc_setup_tc_taprio+0x16c/0x47c\nCall trace:\n enetc_setup_tc_taprio+0x170/0x47c\n enetc_setup_tc+0x38/0x2dc\n taprio_change+0x43c/0x970\n taprio_init+0x188/0x1e0\n qdisc_create+0x114/0x470\n tc_modify_qdisc+0x1fc/0x6c0\n rtnetlink_rcv_msg+0x12c/0x390\n\nSplit enetc_setup_tc() into separate functions for the PF and for the\nVF drivers. Also remove enetc_qos.o from being included into\nenetc-vf.ko, since it serves absolutely no purpose there.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48645\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48645\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48645\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48645\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48645\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23022b74b1a23bed044f6bc96cf92f6ca5f3e75f\",\n \"https://git.kernel.org/stable/c/510e703e4ed0e011db860bc21228aff48fc9eea7\",\n \"https://git.kernel.org/stable/c/5641c751fe2f92d3d9e8a8e03c1263ac8caa0b42\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: enetc: deny offload of tc-based TSN features on VF interfaces\\n\\nTSN features on the ENETC (taprio, cbs, gate, police) are configured\\nthrough a mix of command BD ring messages and port registers:\\nenetc_port_rd(), enetc_port_wr().\\n\\nPort registers are a region of the ENETC memory map which are only\\naccessible from the PCIe Physical Function. They are not accessible from\\nthe Virtual Functions.\\n\\nMoreover, attempting to access these registers crashes the kernel:\\n\\n$ echo 1 > /sys/bus/pci/devices/0000\\\\:00\\\\:00.0/sriov_numvfs\\npci 0000:00:01.0: [1957:ef00] type 00 class 0x020001\\nfsl_enetc_vf 0000:00:01.0: Adding to iommu group 15\\nfsl_enetc_vf 0000:00:01.0: enabling device (0000 -> 0002)\\nfsl_enetc_vf 0000:00:01.0 eno0vf0: renamed from eth0\\n$ tc qdisc replace dev eno0vf0 root taprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\\\\n\\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\\\\n\\tsched-entry S 0x7f 900000 sched-entry S 0x80 100000 flags 0x2\\nUnable to handle kernel paging request at virtual address ffff800009551a08\\nInternal error: Oops: 96000007 [#1] PREEMPT SMP\\npc : enetc_setup_tc_taprio+0x170/0x47c\\nlr : enetc_setup_tc_taprio+0x16c/0x47c\\nCall trace:\\n enetc_setup_tc_taprio+0x170/0x47c\\n enetc_setup_tc+0x38/0x2dc\\n taprio_change+0x43c/0x970\\n taprio_init+0x188/0x1e0\\n qdisc_create+0x114/0x470\\n tc_modify_qdisc+0x1fc/0x6c0\\n rtnetlink_rcv_msg+0x12c/0x390\\n\\nSplit enetc_setup_tc() into separate functions for the PF and for the\\nVF drivers. Also remove enetc_qos.o from being included into\\nenetc-vf.ko, since it serves absolutely no purpose there.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48645\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48646", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48646" + }, + { + "url": "https://git.kernel.org/stable/c/589c6eded10c77a12b7b2cf235b6b19a2bdb91fa" + }, + { + "url": "https://git.kernel.org/stable/c/a4eadca702dff0768dd01be6789bbec2a18e5b0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48646 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48646", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc/siena: fix null pointer dereference in efx_hard_start_xmit\n\nLike in previous patch for sfc, prevent potential (but unlikely) NULL\npointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48646\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48646\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48646\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48646\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48646\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/589c6eded10c77a12b7b2cf235b6b19a2bdb91fa\",\n \"https://git.kernel.org/stable/c/a4eadca702dff0768dd01be6789bbec2a18e5b0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsfc/siena: fix null pointer dereference in efx_hard_start_xmit\\n\\nLike in previous patch for sfc, prevent potential (but unlikely) NULL\\npointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48646\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48647", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48647" + }, + { + "url": "https://git.kernel.org/stable/c/360910b88d1466a90644a4e0533803b594344a2b" + }, + { + "url": "https://git.kernel.org/stable/c/5f623a77cfc2d501d72bcb4f9ee71721e6c766ff" + }, + { + "url": "https://git.kernel.org/stable/c/b4afd3878f961d3517f27b3213730fceef77945c" + }, + { + "url": "https://git.kernel.org/stable/c/f232af4295653afa4ade3230462b3be15ad16419" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48647 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48647", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix TX channel offset when using legacy interrupts\n\nIn legacy interrupt mode the tx_channel_offset was hardcoded to 1, but\nthat's not correct if efx_sepparate_tx_channels is false. In that case,\nthe offset is 0 because the tx queues are in the single existing channel\nat index 0, together with the rx queue.\n\nWithout this fix, as soon as you try to send any traffic, it tries to\nget the tx queues from an uninitialized channel getting these errors:\n WARNING: CPU: 1 PID: 0 at drivers/net/ethernet/sfc/tx.c:540 efx_hard_start_xmit+0x12e/0x170 [sfc]\n [...]\n RIP: 0010:efx_hard_start_xmit+0x12e/0x170 [sfc]\n [...]\n Call Trace:\n \n dev_hard_start_xmit+0xd7/0x230\n sch_direct_xmit+0x9f/0x360\n __dev_queue_xmit+0x890/0xa40\n [...]\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n [...]\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]\n [...]\n Call Trace:\n \n dev_hard_start_xmit+0xd7/0x230\n sch_direct_xmit+0x9f/0x360\n __dev_queue_xmit+0x890/0xa40\n [...]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48647\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48647\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48647\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48647\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48647\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/360910b88d1466a90644a4e0533803b594344a2b\",\n \"https://git.kernel.org/stable/c/5f623a77cfc2d501d72bcb4f9ee71721e6c766ff\",\n \"https://git.kernel.org/stable/c/b4afd3878f961d3517f27b3213730fceef77945c\",\n \"https://git.kernel.org/stable/c/f232af4295653afa4ade3230462b3be15ad16419\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsfc: fix TX channel offset when using legacy interrupts\\n\\nIn legacy interrupt mode the tx_channel_offset was hardcoded to 1, but\\nthat's not correct if efx_sepparate_tx_channels is false. In that case,\\nthe offset is 0 because the tx queues are in the single existing channel\\nat index 0, together with the rx queue.\\n\\nWithout this fix, as soon as you try to send any traffic, it tries to\\nget the tx queues from an uninitialized channel getting these errors:\\n WARNING: CPU: 1 PID: 0 at drivers/net/ethernet/sfc/tx.c:540 efx_hard_start_xmit+0x12e/0x170 [sfc]\\n [...]\\n RIP: 0010:efx_hard_start_xmit+0x12e/0x170 [sfc]\\n [...]\\n Call Trace:\\n \\n dev_hard_start_xmit+0xd7/0x230\\n sch_direct_xmit+0x9f/0x360\\n __dev_queue_xmit+0x890/0xa40\\n [...]\\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\\n [...]\\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]\\n [...]\\n Call Trace:\\n \\n dev_hard_start_xmit+0xd7/0x230\\n sch_direct_xmit+0x9f/0x360\\n __dev_queue_xmit+0x890/0xa40\\n [...]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48647\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48648", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48648" + }, + { + "url": "https://git.kernel.org/stable/c/0a242eb2913a4aa3d6fbdb86559f27628e9466f3" + }, + { + "url": "https://git.kernel.org/stable/c/8547c7bfc0617e7184e4da65b9b96681fcfe9998" + }, + { + "url": "https://git.kernel.org/stable/c/b3b41d4d95d3822b2e459ecbc80d030ea6aec5e7" + }, + { + "url": "https://git.kernel.org/stable/c/b3b952168ee1f220ba729fa100fd9d5aa752eb03" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48648 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48648", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix null pointer dereference in efx_hard_start_xmit\n\nTrying to get the channel from the tx_queue variable here is wrong\nbecause we can only be here if tx_queue is NULL, so we shouldn't\ndereference it. As the above comment in the code says, this is very\nunlikely to happen, but it's wrong anyway so let's fix it.\n\nI hit this issue because of a different bug that caused tx_queue to be\nNULL. If that happens, this is the error message that we get here:\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n [...]\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48648\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48648\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48648\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48648\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48648\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a242eb2913a4aa3d6fbdb86559f27628e9466f3\",\n \"https://git.kernel.org/stable/c/8547c7bfc0617e7184e4da65b9b96681fcfe9998\",\n \"https://git.kernel.org/stable/c/b3b41d4d95d3822b2e459ecbc80d030ea6aec5e7\",\n \"https://git.kernel.org/stable/c/b3b952168ee1f220ba729fa100fd9d5aa752eb03\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsfc: fix null pointer dereference in efx_hard_start_xmit\\n\\nTrying to get the channel from the tx_queue variable here is wrong\\nbecause we can only be here if tx_queue is NULL, so we shouldn't\\ndereference it. As the above comment in the code says, this is very\\nunlikely to happen, but it's wrong anyway so let's fix it.\\n\\nI hit this issue because of a different bug that caused tx_queue to be\\nNULL. If that happens, this is the error message that we get here:\\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\\n [...]\\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48648\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48650", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48650" + }, + { + "url": "https://git.kernel.org/stable/c/601be20fc6a1b762044d2398befffd6bf236cebf" + }, + { + "url": "https://git.kernel.org/stable/c/6a4236ed47f5b0a57eb6b8fb1c351b15b3d341d7" + }, + { + "url": "https://git.kernel.org/stable/c/89df49e561b4a8948521fc3f8a013012eaa08f82" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48650 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48650", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()\n\nCommit 8f394da36a36 (\"scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG\")\nmade the __qlt_24xx_handle_abts() function return early if\ntcm_qla2xxx_find_cmd_by_tag() didn't find a command, but it missed to clean\nup the allocated memory for the management command.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48650\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48650\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48650\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48650\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48650\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/601be20fc6a1b762044d2398befffd6bf236cebf\",\n \"https://git.kernel.org/stable/c/6a4236ed47f5b0a57eb6b8fb1c351b15b3d341d7\",\n \"https://git.kernel.org/stable/c/89df49e561b4a8948521fc3f8a013012eaa08f82\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()\\n\\nCommit 8f394da36a36 (\\\"scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG\\\")\\nmade the __qlt_24xx_handle_abts() function return early if\\ntcm_qla2xxx_find_cmd_by_tag() didn't find a command, but it missed to clean\\nup the allocated memory for the management command.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48650\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48651", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48651" + }, + { + "url": "https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca" + }, + { + "url": "https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be" + }, + { + "url": "https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4" + }, + { + "url": "https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7" + }, + { + "url": "https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638" + }, + { + "url": "https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241" + }, + { + "url": "https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef" + }, + { + "url": "https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48651 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48651", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Fix out-of-bound bugs caused by unset skb->mac_header\n\nIf an AF_PACKET socket is used to send packets through ipvlan and the\ndefault xmit function of the AF_PACKET socket is changed from\ndev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option\nname of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and\nremains as the initial value of 65535, this may trigger slab-out-of-bounds\nbugs as following:\n\n=================================================================\nUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6\nardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33\nall Trace:\nprint_address_description.constprop.0+0x1d/0x160\nprint_report.cold+0x4f/0x112\nkasan_report+0xa3/0x130\nipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nipvlan_start_xmit+0x29/0xa0 [ipvlan]\n__dev_direct_xmit+0x2e2/0x380\npacket_direct_xmit+0x22/0x60\npacket_snd+0x7c9/0xc40\nsock_sendmsg+0x9a/0xa0\n__sys_sendto+0x18a/0x230\n__x64_sys_sendto+0x74/0x90\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is:\n 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW\n and skb->protocol is not specified as in packet_parse_headers()\n\n 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()\n\nIn this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is\ncalled. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which\nuse \"skb->head + skb->mac_header\", out-of-bound access occurs.\n\nThis patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()\nand reset mac header in multicast to solve this out-of-bound bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48651\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48651\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48651\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48651\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48651\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca\",\n \"https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be\",\n \"https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4\",\n \"https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7\",\n \"https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638\",\n \"https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241\",\n \"https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef\",\n \"https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipvlan: Fix out-of-bound bugs caused by unset skb->mac_header\\n\\nIf an AF_PACKET socket is used to send packets through ipvlan and the\\ndefault xmit function of the AF_PACKET socket is changed from\\ndev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option\\nname of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and\\nremains as the initial value of 65535, this may trigger slab-out-of-bounds\\nbugs as following:\\n\\n=================================================================\\nUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\\nPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6\\nardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33\\nall Trace:\\nprint_address_description.constprop.0+0x1d/0x160\\nprint_report.cold+0x4f/0x112\\nkasan_report+0xa3/0x130\\nipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\\nipvlan_start_xmit+0x29/0xa0 [ipvlan]\\n__dev_direct_xmit+0x2e2/0x380\\npacket_direct_xmit+0x22/0x60\\npacket_snd+0x7c9/0xc40\\nsock_sendmsg+0x9a/0xa0\\n__sys_sendto+0x18a/0x230\\n__x64_sys_sendto+0x74/0x90\\ndo_syscall_64+0x3b/0x90\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nThe root cause is:\\n 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW\\n and skb->protocol is not specified as in packet_parse_headers()\\n\\n 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()\\n\\nIn this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is\\ncalled. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which\\nuse \\\"skb->head + skb->mac_header\\\", out-of-bound access occurs.\\n\\nThis patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()\\nand reset mac header in multicast to solve this out-of-bound bug.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.7,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48651\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48653", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48653" + }, + { + "url": "https://git.kernel.org/stable/c/149979e87eb7a365d3d0b259bed79d84ff585a93" + }, + { + "url": "https://git.kernel.org/stable/c/23c619190318376769ad7b61504c2ea0703fb783" + }, + { + "url": "https://git.kernel.org/stable/c/34447d64b8d28e4d6a73d73f07c879959d68fbfe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48653 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48653", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't double unplug aux on peer initiated reset\n\nIn the IDC callback that is accessed when the aux drivers request a reset,\nthe function to unplug the aux devices is called. This function is also\ncalled in the ice_prepare_for_reset function. This double call is causing\na \"scheduling while atomic\" BUG.\n\n[ 662.676430] ice 0000:4c:00.0 rocep76s0: cqp opcode = 0x1 maj_err_code = 0xffff min_err_code = 0x8003\n\n[ 662.676609] ice 0000:4c:00.0 rocep76s0: [Modify QP Cmd Error][op_code=8] status=-29 waiting=1 completion_err=1 maj=0xffff min=0x8003\n\n[ 662.815006] ice 0000:4c:00.0 rocep76s0: ICE OICR event notification: oicr = 0x10000003\n\n[ 662.815014] ice 0000:4c:00.0 rocep76s0: critical PE Error, GLPE_CRITERR=0x00011424\n\n[ 662.815017] ice 0000:4c:00.0 rocep76s0: Requesting a reset\n\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\n\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\n[ 662.815477] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill 8021q garp mrp stp llc vfat fat rpcrdma intel_rapl_msr intel_rapl_common sunrpc i10nm_edac rdma_ucm nfit ib_srpt libnvdimm ib_isert iscsi_target_mod x86_pkg_temp_thermal intel_powerclamp coretemp target_core_mod snd_hda_intel ib_iser snd_intel_dspcfg libiscsi snd_intel_sdw_acpi scsi_transport_iscsi kvm_intel iTCO_wdt rdma_cm snd_hda_codec kvm iw_cm ipmi_ssif iTCO_vendor_support snd_hda_core irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hwdep snd_seq snd_seq_device rapl snd_pcm snd_timer isst_if_mbox_pci pcspkr isst_if_mmio irdma intel_uncore idxd acpi_ipmi joydev isst_if_common snd mei_me idxd_bus ipmi_si soundcore i2c_i801 mei ipmi_devintf i2c_smbus i2c_ismt ipmi_msghandler acpi_power_meter acpi_pad rv(OE) ib_uverbs ib_cm ib_core xfs libcrc32c ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm_ttm_helpe\n r ttm\n[ 662.815546] nvme nvme_core ice drm crc32c_intel i40e t10_pi wmi pinctrl_emmitsburg dm_mirror dm_region_hash dm_log dm_mod fuse\n[ 662.815557] Preemption disabled at:\n[ 662.815558] [<0000000000000000>] 0x0\n[ 662.815563] CPU: 37 PID: 0 Comm: swapper/37 Kdump: loaded Tainted: G S OE 5.17.1 #2\n[ 662.815566] Hardware name: Intel Corporation D50DNP/D50DNP, BIOS SE5C6301.86B.6624.D18.2111021741 11/02/2021\n[ 662.815568] Call Trace:\n[ 662.815572] \n[ 662.815574] dump_stack_lvl+0x33/0x42\n[ 662.815581] __schedule_bug.cold.147+0x7d/0x8a\n[ 662.815588] __schedule+0x798/0x990\n[ 662.815595] schedule+0x44/0xc0\n[ 662.815597] schedule_preempt_disabled+0x14/0x20\n[ 662.815600] __mutex_lock.isra.11+0x46c/0x490\n[ 662.815603] ? __ibdev_printk+0x76/0xc0 [ib_core]\n[ 662.815633] device_del+0x37/0x3d0\n[ 662.815639] ice_unplug_aux_dev+0x1a/0x40 [ice]\n[ 662.815674] ice_schedule_reset+0x3c/0xd0 [ice]\n[ 662.815693] irdma_iidc_event_handler.cold.7+0xb6/0xd3 [irdma]\n[ 662.815712] ? bitmap_find_next_zero_area_off+0x45/0xa0\n[ 662.815719] ice_send_event_to_aux+0x54/0x70 [ice]\n[ 662.815741] ice_misc_intr+0x21d/0x2d0 [ice]\n[ 662.815756] __handle_irq_event_percpu+0x4c/0x180\n[ 662.815762] handle_irq_event_percpu+0xf/0x40\n[ 662.815764] handle_irq_event+0x34/0x60\n[ 662.815766] handle_edge_irq+0x9a/0x1c0\n[ 662.815770] __common_interrupt+0x62/0x100\n[ 662.815774] common_interrupt+0xb4/0xd0\n[ 662.815779] \n[ 662.815780] \n[ 662.815780] asm_common_interrupt+0x1e/0x40\n[ 662.815785] RIP: 0010:cpuidle_enter_state+0xd6/0x380\n[ 662.815789] Code: 49 89 c4 0f 1f 44 00 00 31 ff e8 65 d7 95 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 64 02 00 00 31 ff e8 ae c5 9c ff fb 45 85 f6 <0f> 88 12 01 00 00 49 63 d6 4c 2b 24 24 48 8d 04 52 48 8d 04 82 49\n[ 662.815791] RSP: 0018:ff2c2c4f18edbe80 EFLAGS: 00000202\n[ 662.815793] RAX: ff280805df140000 RBX: 0000000000000002 RCX: 000000000000001f\n[ 662.815795] RDX: 0000009a52da2d08 R\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48653\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48653\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48653\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48653\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48653\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/149979e87eb7a365d3d0b259bed79d84ff585a93\",\n \"https://git.kernel.org/stable/c/23c619190318376769ad7b61504c2ea0703fb783\",\n \"https://git.kernel.org/stable/c/34447d64b8d28e4d6a73d73f07c879959d68fbfe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: Don't double unplug aux on peer initiated reset\\n\\nIn the IDC callback that is accessed when the aux drivers request a reset,\\nthe function to unplug the aux devices is called. This function is also\\ncalled in the ice_prepare_for_reset function. This double call is causing\\na \\\"scheduling while atomic\\\" BUG.\\n\\n[ 662.676430] ice 0000:4c:00.0 rocep76s0: cqp opcode = 0x1 maj_err_code = 0xffff min_err_code = 0x8003\\n\\n[ 662.676609] ice 0000:4c:00.0 rocep76s0: [Modify QP Cmd Error][op_code=8] status=-29 waiting=1 completion_err=1 maj=0xffff min=0x8003\\n\\n[ 662.815006] ice 0000:4c:00.0 rocep76s0: ICE OICR event notification: oicr = 0x10000003\\n\\n[ 662.815014] ice 0000:4c:00.0 rocep76s0: critical PE Error, GLPE_CRITERR=0x00011424\\n\\n[ 662.815017] ice 0000:4c:00.0 rocep76s0: Requesting a reset\\n\\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\\n\\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\\n[ 662.815477] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill 8021q garp mrp stp llc vfat fat rpcrdma intel_rapl_msr intel_rapl_common sunrpc i10nm_edac rdma_ucm nfit ib_srpt libnvdimm ib_isert iscsi_target_mod x86_pkg_temp_thermal intel_powerclamp coretemp target_core_mod snd_hda_intel ib_iser snd_intel_dspcfg libiscsi snd_intel_sdw_acpi scsi_transport_iscsi kvm_intel iTCO_wdt rdma_cm snd_hda_codec kvm iw_cm ipmi_ssif iTCO_vendor_support snd_hda_core irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hwdep snd_seq snd_seq_device rapl snd_pcm snd_timer isst_if_mbox_pci pcspkr isst_if_mmio irdma intel_uncore idxd acpi_ipmi joydev isst_if_common snd mei_me idxd_bus ipmi_si soundcore i2c_i801 mei ipmi_devintf i2c_smbus i2c_ismt ipmi_msghandler acpi_power_meter acpi_pad rv(OE) ib_uverbs ib_cm ib_core xfs libcrc32c ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm_ttm_helpe\\n r ttm\\n[ 662.815546] nvme nvme_core ice drm crc32c_intel i40e t10_pi wmi pinctrl_emmitsburg dm_mirror dm_region_hash dm_log dm_mod fuse\\n[ 662.815557] Preemption disabled at:\\n[ 662.815558] [<0000000000000000>] 0x0\\n[ 662.815563] CPU: 37 PID: 0 Comm: swapper/37 Kdump: loaded Tainted: G S OE 5.17.1 #2\\n[ 662.815566] Hardware name: Intel Corporation D50DNP/D50DNP, BIOS SE5C6301.86B.6624.D18.2111021741 11/02/2021\\n[ 662.815568] Call Trace:\\n[ 662.815572] \\n[ 662.815574] dump_stack_lvl+0x33/0x42\\n[ 662.815581] __schedule_bug.cold.147+0x7d/0x8a\\n[ 662.815588] __schedule+0x798/0x990\\n[ 662.815595] schedule+0x44/0xc0\\n[ 662.815597] schedule_preempt_disabled+0x14/0x20\\n[ 662.815600] __mutex_lock.isra.11+0x46c/0x490\\n[ 662.815603] ? __ibdev_printk+0x76/0xc0 [ib_core]\\n[ 662.815633] device_del+0x37/0x3d0\\n[ 662.815639] ice_unplug_aux_dev+0x1a/0x40 [ice]\\n[ 662.815674] ice_schedule_reset+0x3c/0xd0 [ice]\\n[ 662.815693] irdma_iidc_event_handler.cold.7+0xb6/0xd3 [irdma]\\n[ 662.815712] ? bitmap_find_next_zero_area_off+0x45/0xa0\\n[ 662.815719] ice_send_event_to_aux+0x54/0x70 [ice]\\n[ 662.815741] ice_misc_intr+0x21d/0x2d0 [ice]\\n[ 662.815756] __handle_irq_event_percpu+0x4c/0x180\\n[ 662.815762] handle_irq_event_percpu+0xf/0x40\\n[ 662.815764] handle_irq_event+0x34/0x60\\n[ 662.815766] handle_edge_irq+0x9a/0x1c0\\n[ 662.815770] __common_interrupt+0x62/0x100\\n[ 662.815774] common_interrupt+0xb4/0xd0\\n[ 662.815779] \\n[ 662.815780] \\n[ 662.815780] asm_common_interrupt+0x1e/0x40\\n[ 662.815785] RIP: 0010:cpuidle_enter_state+0xd6/0x380\\n[ 662.815789] Code: 49 89 c4 0f 1f 44 00 00 31 ff e8 65 d7 95 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 64 02 00 00 31 ff e8 ae c5 9c ff fb 45 85 f6 <0f> 88 12 01 00 00 49 63 d6 4c 2b 24 24 48 8d 04 52 48 8d 04 82 49\\n[ 662.815791] RSP: 0018:ff2c2c4f18edbe80 EFLAGS: 00000202\\n[ 662.815793] RAX: ff280805df140000 RBX: 0000000000000002 RCX: 000000000000001f\\n[ 662.815795] RDX: 0000009a52da2d08 R\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48653\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48654", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48654" + }, + { + "url": "https://git.kernel.org/stable/c/559c36c5a8d730c49ef805a72b213d3bba155cc8" + }, + { + "url": "https://git.kernel.org/stable/c/5d75fef3e61e797fab5c3fbba88caa74ab92ad47" + }, + { + "url": "https://git.kernel.org/stable/c/633c81c0449663f57d4138326d036dc6cfad674e" + }, + { + "url": "https://git.kernel.org/stable/c/721ea8ac063d70c2078c4e762212705de6151764" + }, + { + "url": "https://git.kernel.org/stable/c/816eab147e5c6f6621922b8515ad9010ceb1735e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48654 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48654", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()\n\nnf_osf_find() incorrectly returns true on mismatch, this leads to\ncopying uninitialized memory area in nft_osf which can be used to leak\nstale kernel stack data to userspace.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48654\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48654\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48654\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48654\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48654\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/559c36c5a8d730c49ef805a72b213d3bba155cc8\",\n \"https://git.kernel.org/stable/c/5d75fef3e61e797fab5c3fbba88caa74ab92ad47\",\n \"https://git.kernel.org/stable/c/633c81c0449663f57d4138326d036dc6cfad674e\",\n \"https://git.kernel.org/stable/c/721ea8ac063d70c2078c4e762212705de6151764\",\n \"https://git.kernel.org/stable/c/816eab147e5c6f6621922b8515ad9010ceb1735e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()\\n\\nnf_osf_find() incorrectly returns true on mismatch, this leads to\\ncopying uninitialized memory area in nft_osf which can be used to leak\\nstale kernel stack data to userspace.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48654\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48656", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48656" + }, + { + "url": "https://git.kernel.org/stable/c/a17df55bf6d536712da6902a83db82b82e67d5a2" + }, + { + "url": "https://git.kernel.org/stable/c/aa11dae059a439af82bae541b134f8f53ac177b5" + }, + { + "url": "https://git.kernel.org/stable/c/dd5a6c5a08752b613e83ad2cb5133e72a64b876d" + }, + { + "url": "https://git.kernel.org/stable/c/f9fdb0b86f087c2b7f6c6168dd0985a3c1eda87e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48656 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48656", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get()\n\nWe should call of_node_put() for the reference returned by\nof_parse_phandle() in fail path or when it is not used anymore.\nHere we only need to move the of_node_put() before the check.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48656\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48656\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48656\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48656\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48656\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/a17df55bf6d536712da6902a83db82b82e67d5a2\",\n \"https://git.kernel.org/stable/c/aa11dae059a439af82bae541b134f8f53ac177b5\",\n \"https://git.kernel.org/stable/c/dd5a6c5a08752b613e83ad2cb5133e72a64b876d\",\n \"https://git.kernel.org/stable/c/f9fdb0b86f087c2b7f6c6168dd0985a3c1eda87e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get()\\n\\nWe should call of_node_put() for the reference returned by\\nof_parse_phandle() in fail path or when it is not used anymore.\\nHere we only need to move the of_node_put() before the check.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48656\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48658", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48658" + }, + { + "url": "https://git.kernel.org/stable/c/61703b248be993eb4997b00ae5d3318e6d8f3c5b" + }, + { + "url": "https://git.kernel.org/stable/c/df6cb39335cf5a1b918e8dbd8ba7cd9f1d00e45a" + }, + { + "url": "https://git.kernel.org/stable/c/e45cc288724f0cfd497bb5920bcfa60caa335729" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48658 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48658", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.\n\nCommit 5a836bf6b09f (\"mm: slub: move flush_cpu_slab() invocations\n__free_slab() invocations out of IRQ context\") moved all flush_cpu_slab()\ninvocations to the global workqueue to avoid a problem related\nwith deactivate_slab()/__free_slab() being called from an IRQ context\non PREEMPT_RT kernels.\n\nWhen the flush_all_cpu_locked() function is called from a task context\nit may happen that a workqueue with WQ_MEM_RECLAIM bit set ends up\nflushing the global workqueue, this will cause a dependency issue.\n\n workqueue: WQ_MEM_RECLAIM nvme-delete-wq:nvme_delete_ctrl_work [nvme_core]\n is flushing !WQ_MEM_RECLAIM events:flush_cpu_slab\n WARNING: CPU: 37 PID: 410 at kernel/workqueue.c:2637\n check_flush_dependency+0x10a/0x120\n Workqueue: nvme-delete-wq nvme_delete_ctrl_work [nvme_core]\n RIP: 0010:check_flush_dependency+0x10a/0x120[ 453.262125] Call Trace:\n __flush_work.isra.0+0xbf/0x220\n ? __queue_work+0x1dc/0x420\n flush_all_cpus_locked+0xfb/0x120\n __kmem_cache_shutdown+0x2b/0x320\n kmem_cache_destroy+0x49/0x100\n bioset_exit+0x143/0x190\n blk_release_queue+0xb9/0x100\n kobject_cleanup+0x37/0x130\n nvme_fc_ctrl_free+0xc6/0x150 [nvme_fc]\n nvme_free_ctrl+0x1ac/0x2b0 [nvme_core]\n\nFix this bug by creating a workqueue for the flush operation with\nthe WQ_MEM_RECLAIM bit set.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48658\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48658\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48658\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48658\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48658\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/61703b248be993eb4997b00ae5d3318e6d8f3c5b\",\n \"https://git.kernel.org/stable/c/df6cb39335cf5a1b918e8dbd8ba7cd9f1d00e45a\",\n \"https://git.kernel.org/stable/c/e45cc288724f0cfd497bb5920bcfa60caa335729\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.\\n\\nCommit 5a836bf6b09f (\\\"mm: slub: move flush_cpu_slab() invocations\\n__free_slab() invocations out of IRQ context\\\") moved all flush_cpu_slab()\\ninvocations to the global workqueue to avoid a problem related\\nwith deactivate_slab()/__free_slab() being called from an IRQ context\\non PREEMPT_RT kernels.\\n\\nWhen the flush_all_cpu_locked() function is called from a task context\\nit may happen that a workqueue with WQ_MEM_RECLAIM bit set ends up\\nflushing the global workqueue, this will cause a dependency issue.\\n\\n workqueue: WQ_MEM_RECLAIM nvme-delete-wq:nvme_delete_ctrl_work [nvme_core]\\n is flushing !WQ_MEM_RECLAIM events:flush_cpu_slab\\n WARNING: CPU: 37 PID: 410 at kernel/workqueue.c:2637\\n check_flush_dependency+0x10a/0x120\\n Workqueue: nvme-delete-wq nvme_delete_ctrl_work [nvme_core]\\n RIP: 0010:check_flush_dependency+0x10a/0x120[ 453.262125] Call Trace:\\n __flush_work.isra.0+0xbf/0x220\\n ? __queue_work+0x1dc/0x420\\n flush_all_cpus_locked+0xfb/0x120\\n __kmem_cache_shutdown+0x2b/0x320\\n kmem_cache_destroy+0x49/0x100\\n bioset_exit+0x143/0x190\\n blk_release_queue+0xb9/0x100\\n kobject_cleanup+0x37/0x130\\n nvme_fc_ctrl_free+0xc6/0x150 [nvme_fc]\\n nvme_free_ctrl+0x1ac/0x2b0 [nvme_core]\\n\\nFix this bug by creating a workqueue for the flush operation with\\nthe WQ_MEM_RECLAIM bit set.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48658\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48659", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48659" + }, + { + "url": "https://git.kernel.org/stable/c/016b150992eebc32c4a18f783cf2bb6e2545a3d9" + }, + { + "url": "https://git.kernel.org/stable/c/02bcd951aa3c2cea95fb241c20802e9501940296" + }, + { + "url": "https://git.kernel.org/stable/c/2d6e55e0c03804e1e227b80a5746e086d6c6696c" + }, + { + "url": "https://git.kernel.org/stable/c/379ac7905ff3f0a6a4e507d3e9f710ec4fab9124" + }, + { + "url": "https://git.kernel.org/stable/c/7e9c323c52b379d261a72dc7bd38120a761a93cd" + }, + { + "url": "https://git.kernel.org/stable/c/a1d83a19cec3bfeb2b3547a1f7631e432a766d1c" + }, + { + "url": "https://git.kernel.org/stable/c/e9219fa63c5c25804af82c7aa54d1ec770ebe457" + }, + { + "url": "https://git.kernel.org/stable/c/e996821717c5cf8aa1e1abdb6b3d900a231e3755" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48659 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48659", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: fix to return errno if kmalloc() fails\n\nIn create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to\nout-of-memory, if it fails, return errno correctly rather than\ntriggering panic via BUG_ON();\n\nkernel BUG at mm/slub.c:5893!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\n\nCall trace:\n sysfs_slab_add+0x258/0x260 mm/slub.c:5973\n __kmem_cache_create+0x60/0x118 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335\n kmem_cache_create+0x1c/0x28 mm/slab_common.c:390\n f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]\n f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808\n f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149\n mount_bdev+0x1b8/0x210 fs/super.c:1400\n f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512\n legacy_get_tree+0x30/0x74 fs/fs_context.c:610\n vfs_get_tree+0x40/0x140 fs/super.c:1530\n do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040\n path_mount+0x358/0x914 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48659\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48659\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48659\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48659\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48659\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/016b150992eebc32c4a18f783cf2bb6e2545a3d9\",\n \"https://git.kernel.org/stable/c/02bcd951aa3c2cea95fb241c20802e9501940296\",\n \"https://git.kernel.org/stable/c/2d6e55e0c03804e1e227b80a5746e086d6c6696c\",\n \"https://git.kernel.org/stable/c/379ac7905ff3f0a6a4e507d3e9f710ec4fab9124\",\n \"https://git.kernel.org/stable/c/7e9c323c52b379d261a72dc7bd38120a761a93cd\",\n \"https://git.kernel.org/stable/c/a1d83a19cec3bfeb2b3547a1f7631e432a766d1c\",\n \"https://git.kernel.org/stable/c/e9219fa63c5c25804af82c7aa54d1ec770ebe457\",\n \"https://git.kernel.org/stable/c/e996821717c5cf8aa1e1abdb6b3d900a231e3755\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/slub: fix to return errno if kmalloc() fails\\n\\nIn create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to\\nout-of-memory, if it fails, return errno correctly rather than\\ntriggering panic via BUG_ON();\\n\\nkernel BUG at mm/slub.c:5893!\\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\\n\\nCall trace:\\n sysfs_slab_add+0x258/0x260 mm/slub.c:5973\\n __kmem_cache_create+0x60/0x118 mm/slub.c:4899\\n create_cache mm/slab_common.c:229 [inline]\\n kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335\\n kmem_cache_create+0x1c/0x28 mm/slab_common.c:390\\n f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]\\n f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808\\n f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149\\n mount_bdev+0x1b8/0x210 fs/super.c:1400\\n f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512\\n legacy_get_tree+0x30/0x74 fs/fs_context.c:610\\n vfs_get_tree+0x40/0x140 fs/super.c:1530\\n do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040\\n path_mount+0x358/0x914 fs/namespace.c:3370\\n do_mount fs/namespace.c:3383 [inline]\\n __do_sys_mount fs/namespace.c:3591 [inline]\\n __se_sys_mount fs/namespace.c:3568 [inline]\\n __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48659\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48660", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48660" + }, + { + "url": "https://git.kernel.org/stable/c/657803b918e097e47d99d1489da83a603c36bcdd" + }, + { + "url": "https://git.kernel.org/stable/c/69bef19d6b9700e96285f4b4e28691cda3dcd0d1" + }, + { + "url": "https://git.kernel.org/stable/c/97da736cd11ae73bdf2f5e21e24446b8349e0168" + }, + { + "url": "https://git.kernel.org/stable/c/b1489043d3b9004dd8d5a0357b08b5f0e6691c43" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48660 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48660", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Set lineevent_state::irq after IRQ register successfully\n\nWhen running gpio test on nxp-ls1028 platform with below command\ngpiomon --num-events=3 --rising-edge gpiochip1 25\nThere will be a warning trace as below:\nCall trace:\nfree_irq+0x204/0x360\nlineevent_free+0x64/0x70\ngpio_ioctl+0x598/0x6a0\n__arm64_sys_ioctl+0xb4/0x100\ninvoke_syscall+0x5c/0x130\n......\nel0t_64_sync+0x1a0/0x1a4\nThe reason of this issue is that calling request_threaded_irq()\nfunction failed, and then lineevent_free() is invoked to release\nthe resource. Since the lineevent_state::irq was already set, so\nthe subsequent invocation of free_irq() would trigger the above\nwarning call trace. To fix this issue, set the lineevent_state::irq\nafter the IRQ register successfully.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48660\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48660\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48660\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48660\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48660\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/657803b918e097e47d99d1489da83a603c36bcdd\",\n \"https://git.kernel.org/stable/c/69bef19d6b9700e96285f4b4e28691cda3dcd0d1\",\n \"https://git.kernel.org/stable/c/97da736cd11ae73bdf2f5e21e24446b8349e0168\",\n \"https://git.kernel.org/stable/c/b1489043d3b9004dd8d5a0357b08b5f0e6691c43\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpiolib: cdev: Set lineevent_state::irq after IRQ register successfully\\n\\nWhen running gpio test on nxp-ls1028 platform with below command\\ngpiomon --num-events=3 --rising-edge gpiochip1 25\\nThere will be a warning trace as below:\\nCall trace:\\nfree_irq+0x204/0x360\\nlineevent_free+0x64/0x70\\ngpio_ioctl+0x598/0x6a0\\n__arm64_sys_ioctl+0xb4/0x100\\ninvoke_syscall+0x5c/0x130\\n......\\nel0t_64_sync+0x1a0/0x1a4\\nThe reason of this issue is that calling request_threaded_irq()\\nfunction failed, and then lineevent_free() is invoked to release\\nthe resource. Since the lineevent_state::irq was already set, so\\nthe subsequent invocation of free_irq() would trigger the above\\nwarning call trace. To fix this issue, set the lineevent_state::irq\\nafter the IRQ register successfully.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48660\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48661", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48661" + }, + { + "url": "https://git.kernel.org/stable/c/02743c4091ccfb246f5cdbbe3f44b152d5d12933" + }, + { + "url": "https://git.kernel.org/stable/c/41f857033c44442a27f591fda8d986e7c9e42872" + }, + { + "url": "https://git.kernel.org/stable/c/9b26723e058faaf11b532fb4aa16d6849d581790" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48661 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48661", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mockup: Fix potential resource leakage when register a chip\n\nIf creation of software node fails, the locally allocated string\narray is left unfreed. Free it on error path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48661\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48661\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48661\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48661\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48661\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02743c4091ccfb246f5cdbbe3f44b152d5d12933\",\n \"https://git.kernel.org/stable/c/41f857033c44442a27f591fda8d986e7c9e42872\",\n \"https://git.kernel.org/stable/c/9b26723e058faaf11b532fb4aa16d6849d581790\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpio: mockup: Fix potential resource leakage when register a chip\\n\\nIf creation of software node fails, the locally allocated string\\narray is left unfreed. Free it on error path.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48661\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48664", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48664" + }, + { + "url": "https://git.kernel.org/stable/c/6ac5b52e3f352f9cb270c89e6e1d4dadb564ddb8" + }, + { + "url": "https://git.kernel.org/stable/c/a362bb864b8db4861977d00bd2c3222503ccc34b" + }, + { + "url": "https://git.kernel.org/stable/c/c338bea1fec5504290dc0acf026c9e7dba25004b" + }, + { + "url": "https://git.kernel.org/stable/c/d8a76a2e514fbbb315a6dfff2d342de2de833994" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48664 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48664", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix hang during unmount when stopping a space reclaim worker\n\nOften when running generic/562 from fstests we can hang during unmount,\nresulting in a trace like this:\n\n Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00\n Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.\n Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1\n Sep 07 11:55:32 debian9 kernel: \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000\n Sep 07 11:55:32 debian9 kernel: Call Trace:\n Sep 07 11:55:32 debian9 kernel: \n Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0\n Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70\n Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0\n Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130\n Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0\n Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420\n Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0\n Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200\n Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0\n Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530\n Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140\n Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30\n Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0\n Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]\n Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170\n Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]\n Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0\n Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120\n Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30\n Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]\n Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0\n Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160\n Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0\n Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0\n Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40\n Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90\n Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd\n Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7\n Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7\n Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0\n Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570\n Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000\n Sep 07 11:55:32 debian9 kernel: \n\nWhat happens is the following:\n\n1) The cleaner kthread tries to start a transaction to delete an unused\n block group, but the metadata reservation can not be satisfied right\n away, so a reservation ticket is created and it starts the async\n metadata reclaim task (fs_info->async_reclaim_work);\n\n2) Writeback for all the filler inodes with an i_size of 2K starts\n (generic/562 creates a lot of 2K files with the goal of filling\n metadata space). We try to create an inline extent for them, but we\n fail when trying to insert the inline extent with -ENOSPC (at\n cow_file_range_inline()) - since this is not critical, we fallback\n to non-inline mode (back to cow_file_range()), reserve extents\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48664\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48664\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48664\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48664\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48664\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6ac5b52e3f352f9cb270c89e6e1d4dadb564ddb8\",\n \"https://git.kernel.org/stable/c/a362bb864b8db4861977d00bd2c3222503ccc34b\",\n \"https://git.kernel.org/stable/c/c338bea1fec5504290dc0acf026c9e7dba25004b\",\n \"https://git.kernel.org/stable/c/d8a76a2e514fbbb315a6dfff2d342de2de833994\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix hang during unmount when stopping a space reclaim worker\\n\\nOften when running generic/562 from fstests we can hang during unmount,\\nresulting in a trace like this:\\n\\n Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00\\n Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.\\n Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1\\n Sep 07 11:55:32 debian9 kernel: \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000\\n Sep 07 11:55:32 debian9 kernel: Call Trace:\\n Sep 07 11:55:32 debian9 kernel: \\n Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0\\n Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70\\n Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0\\n Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130\\n Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0\\n Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420\\n Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0\\n Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200\\n Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0\\n Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530\\n Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140\\n Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30\\n Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0\\n Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]\\n Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170\\n Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]\\n Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0\\n Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120\\n Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30\\n Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]\\n Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0\\n Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160\\n Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0\\n Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0\\n Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40\\n Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90\\n Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7\\n Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\\n Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7\\n Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0\\n Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570\\n Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\\n Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000\\n Sep 07 11:55:32 debian9 kernel: \\n\\nWhat happens is the following:\\n\\n1) The cleaner kthread tries to start a transaction to delete an unused\\n block group, but the metadata reservation can not be satisfied right\\n away, so a reservation ticket is created and it starts the async\\n metadata reclaim task (fs_info->async_reclaim_work);\\n\\n2) Writeback for all the filler inodes with an i_size of 2K starts\\n (generic/562 creates a lot of 2K files with the goal of filling\\n metadata space). We try to create an inline extent for them, but we\\n fail when trying to insert the inline extent with -ENOSPC (at\\n cow_file_range_inline()) - since this is not critical, we fallback\\n to non-inline mode (back to cow_file_range()), reserve extents\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48664\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48666", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48666" + }, + { + "url": "https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a" + }, + { + "url": "https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f" + }, + { + "url": "https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506" + }, + { + "url": "https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48666 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48666", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix a use-after-free\n\nThere are two .exit_cmd_priv implementations. Both implementations use\nresources associated with the SCSI host. Make sure that these resources are\nstill available when .exit_cmd_priv is called by waiting inside\nscsi_remove_host() until the tag set has been freed.\n\nThis commit fixes the following use-after-free:\n\n==================================================================\nBUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\nRead of size 8 at addr ffff888100337000 by task multipathd/16727\nCall Trace:\n \n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n kasan_report+0xab/0x120\n srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\n scsi_mq_exit_request+0x4d/0x70\n blk_mq_free_rqs+0x143/0x410\n __blk_mq_free_map_and_rqs+0x6e/0x100\n blk_mq_free_tag_set+0x2b/0x160\n scsi_host_dev_release+0xf3/0x1a0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_device_dev_release_usercontext+0x4c1/0x4e0\n execute_in_process_context+0x23/0x90\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_disk_release+0x3f/0x50\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n disk_release+0x17f/0x1b0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n dm_put_table_device+0xa3/0x160 [dm_mod]\n dm_put_device+0xd0/0x140 [dm_mod]\n free_priority_group+0xd8/0x110 [dm_multipath]\n free_multipath+0x94/0xe0 [dm_multipath]\n dm_table_destroy+0xa2/0x1e0 [dm_mod]\n __dm_destroy+0x196/0x350 [dm_mod]\n dev_remove+0x10c/0x160 [dm_mod]\n ctl_ioctl+0x2c2/0x590 [dm_mod]\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48666\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48666\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48666\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48666\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48666\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a\",\n \"https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f\",\n \"https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506\",\n \"https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: core: Fix a use-after-free\\n\\nThere are two .exit_cmd_priv implementations. Both implementations use\\nresources associated with the SCSI host. Make sure that these resources are\\nstill available when .exit_cmd_priv is called by waiting inside\\nscsi_remove_host() until the tag set has been freed.\\n\\nThis commit fixes the following use-after-free:\\n\\n==================================================================\\nBUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\\nRead of size 8 at addr ffff888100337000 by task multipathd/16727\\nCall Trace:\\n \\n dump_stack_lvl+0x34/0x44\\n print_report.cold+0x5e/0x5db\\n kasan_report+0xab/0x120\\n srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\\n scsi_mq_exit_request+0x4d/0x70\\n blk_mq_free_rqs+0x143/0x410\\n __blk_mq_free_map_and_rqs+0x6e/0x100\\n blk_mq_free_tag_set+0x2b/0x160\\n scsi_host_dev_release+0xf3/0x1a0\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n scsi_device_dev_release_usercontext+0x4c1/0x4e0\\n execute_in_process_context+0x23/0x90\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n scsi_disk_release+0x3f/0x50\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n disk_release+0x17f/0x1b0\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n dm_put_table_device+0xa3/0x160 [dm_mod]\\n dm_put_device+0xd0/0x140 [dm_mod]\\n free_priority_group+0xd8/0x110 [dm_multipath]\\n free_multipath+0x94/0xe0 [dm_multipath]\\n dm_table_destroy+0xa2/0x1e0 [dm_mod]\\n __dm_destroy+0x196/0x350 [dm_mod]\\n dev_remove+0x10c/0x160 [dm_mod]\\n ctl_ioctl+0x2c2/0x590 [dm_mod]\\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\\n __x64_sys_ioctl+0xb4/0xf0\\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\\n __x64_sys_ioctl+0xb4/0xf0\\n do_syscall_64+0x3b/0x90\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.4,\n \"exploitabilityScore\": 1.4,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48666\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48667", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48667" + }, + { + "url": "https://git.kernel.org/stable/c/0cdde8460c304283d4ebe3f767a70215d1ab9d4e" + }, + { + "url": "https://git.kernel.org/stable/c/9c8b7a293f50253e694f19161c045817a938e551" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48667 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48667", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix temporary data corruption in insert range\n\ninsert range doesn't discard the affected cached region\nso can risk temporarily corrupting file data.\n\nAlso includes some minor cleanup (avoiding rereading\ninode size repeatedly unnecessarily) to make it clearer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48667\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48667\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48667\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48667\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48667\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0cdde8460c304283d4ebe3f767a70215d1ab9d4e\",\n \"https://git.kernel.org/stable/c/9c8b7a293f50253e694f19161c045817a938e551\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb3: fix temporary data corruption in insert range\\n\\ninsert range doesn't discard the affected cached region\\nso can risk temporarily corrupting file data.\\n\\nAlso includes some minor cleanup (avoiding rereading\\ninode size repeatedly unnecessarily) to make it clearer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48667\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48668", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48668" + }, + { + "url": "https://git.kernel.org/stable/c/49523a4732204bdacbf3941a016503ddb4ddb3b9" + }, + { + "url": "https://git.kernel.org/stable/c/fa30a81f255a56cccd89552cd6ce7ea6e8d8acc4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48668 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48668", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix temporary data corruption in collapse range\n\ncollapse range doesn't discard the affected cached region\nso can risk temporarily corrupting the file data. This\nfixes xfstest generic/031\n\nI also decided to merge a minor cleanup to this into the same patch\n(avoiding rereading inode size repeatedly unnecessarily) to make it\nclearer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48668\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48668\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48668\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48668\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48668\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/49523a4732204bdacbf3941a016503ddb4ddb3b9\",\n \"https://git.kernel.org/stable/c/fa30a81f255a56cccd89552cd6ce7ea6e8d8acc4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb3: fix temporary data corruption in collapse range\\n\\ncollapse range doesn't discard the affected cached region\\nso can risk temporarily corrupting the file data. This\\nfixes xfstest generic/031\\n\\nI also decided to merge a minor cleanup to this into the same patch\\n(avoiding rereading inode size repeatedly unnecessarily) to make it\\nclearer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48668\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48672", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48672" + }, + { + "url": "https://git.kernel.org/stable/c/2133f451311671c7c42b5640d2b999326b39aa0e" + }, + { + "url": "https://git.kernel.org/stable/c/2566706ac6393386a4e7c4ce23fe17f4c98d9aa0" + }, + { + "url": "https://git.kernel.org/stable/c/2f945a792f67815abca26fa8a5e863ccf3fa1181" + }, + { + "url": "https://git.kernel.org/stable/c/ba6b9f7cc1108bad6e2c53b1d6e0156379188db7" + }, + { + "url": "https://git.kernel.org/stable/c/cbdda20ce363356698835185801a58a28f644853" + }, + { + "url": "https://git.kernel.org/stable/c/e0e88c25f88b9805572263c9ed20f1d88742feaf" + }, + { + "url": "https://git.kernel.org/stable/c/ee4369260e77821602102dcc7d792de39a56365c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48672 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48672", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: fdt: fix off-by-one error in unflatten_dt_nodes()\n\nCommit 78c44d910d3e (\"drivers/of: Fix depth when unflattening devicetree\")\nforgot to fix up the depth check in the loop body in unflatten_dt_nodes()\nwhich makes it possible to overflow the nps[] buffer...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48672\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48672\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48672\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48672\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48672\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2133f451311671c7c42b5640d2b999326b39aa0e\",\n \"https://git.kernel.org/stable/c/2566706ac6393386a4e7c4ce23fe17f4c98d9aa0\",\n \"https://git.kernel.org/stable/c/2f945a792f67815abca26fa8a5e863ccf3fa1181\",\n \"https://git.kernel.org/stable/c/ba6b9f7cc1108bad6e2c53b1d6e0156379188db7\",\n \"https://git.kernel.org/stable/c/cbdda20ce363356698835185801a58a28f644853\",\n \"https://git.kernel.org/stable/c/e0e88c25f88b9805572263c9ed20f1d88742feaf\",\n \"https://git.kernel.org/stable/c/ee4369260e77821602102dcc7d792de39a56365c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nof: fdt: fix off-by-one error in unflatten_dt_nodes()\\n\\nCommit 78c44d910d3e (\\\"drivers/of: Fix depth when unflattening devicetree\\\")\\nforgot to fix up the depth check in the loop body in unflatten_dt_nodes()\\nwhich makes it possible to overflow the nps[] buffer...\\n\\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\\nanalysis tool.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48672\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48673", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48673" + }, + { + "url": "https://git.kernel.org/stable/c/89fcb70f1acd6b0bbf2f7bfbf45d7aa75a9bdcde" + }, + { + "url": "https://git.kernel.org/stable/c/e9b1a4f867ae9c1dbd1d71cd09cbdb3239fb4968" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48673 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48673", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix possible access to freed memory in link clear\n\nAfter modifying the QP to the Error state, all RX WR would be completed\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\nwait for it is done, but destroy the QP and free the link group directly.\nSo there is a risk that accessing the freed memory in tasklet context.\n\nHere is a crash example:\n\n BUG: unable to handle page fault for address: ffffffff8f220860\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\n Oops: 0002 [#1] SMP PTI\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\n FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n _raw_spin_lock_irqsave+0x30/0x40\n mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\n smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\n tasklet_action_common.isra.21+0x66/0x100\n __do_softirq+0xd5/0x29c\n asm_call_irq_on_stack+0x12/0x20\n \n do_softirq_own_stack+0x37/0x40\n irq_exit_rcu+0x9d/0xa0\n sysvec_call_function_single+0x34/0x80\n asm_sysvec_call_function_single+0x12/0x20", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48673\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48673\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48673\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48673\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48673\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/89fcb70f1acd6b0bbf2f7bfbf45d7aa75a9bdcde\",\n \"https://git.kernel.org/stable/c/e9b1a4f867ae9c1dbd1d71cd09cbdb3239fb4968\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/smc: Fix possible access to freed memory in link clear\\n\\nAfter modifying the QP to the Error state, all RX WR would be completed\\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\\nwait for it is done, but destroy the QP and free the link group directly.\\nSo there is a risk that accessing the freed memory in tasklet context.\\n\\nHere is a crash example:\\n\\n BUG: unable to handle page fault for address: ffffffff8f220860\\n #PF: supervisor write access in kernel mode\\n #PF: error_code(0x0002) - not-present page\\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\\n Oops: 0002 [#1] SMP PTI\\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23\\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\\n FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n Call Trace:\\n \\n _raw_spin_lock_irqsave+0x30/0x40\\n mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\\n smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\\n tasklet_action_common.isra.21+0x66/0x100\\n __do_softirq+0xd5/0x29c\\n asm_call_irq_on_stack+0x12/0x20\\n \\n do_softirq_own_stack+0x37/0x40\\n irq_exit_rcu+0x9d/0xa0\\n sysvec_call_function_single+0x34/0x80\\n asm_sysvec_call_function_single+0x12/0x20\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48673\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48675", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48675" + }, + { + "url": "https://git.kernel.org/stable/c/819110054b14d7272b4188db997a3d80f75ab785" + }, + { + "url": "https://git.kernel.org/stable/c/83c43fd872e32c8071d5582eb7c40f573a8342f3" + }, + { + "url": "https://git.kernel.org/stable/c/85eaeb5058f0f04dffb124c97c86b4f18db0b833" + }, + { + "url": "https://git.kernel.org/stable/c/e8de6cb5755eae7b793d8c00c8696c8667d44a7f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48675 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48675", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Fix a nested dead lock as part of ODP flow\n\nFix a nested dead lock as part of ODP flow by using mmput_async().\n\nFrom the below call trace [1] can see that calling mmput() once we have\nthe umem_odp->umem_mutex locked as required by\nib_umem_odp_map_dma_and_lock() might trigger in the same task the\nexit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which\nmay dead lock when trying to lock the same mutex.\n\nMoving to use mmput_async() will solve the problem as the above\nexit_mmap() flow will be called in other task and will be executed once\nthe lock will be available.\n\n[1]\n[64843.077665] task:kworker/u133:2 state:D stack: 0 pid:80906 ppid:\n2 flags:0x00004000\n[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]\n[64843.077719] Call Trace:\n[64843.077722] \n[64843.077724] __schedule+0x23d/0x590\n[64843.077729] schedule+0x4e/0xb0\n[64843.077735] schedule_preempt_disabled+0xe/0x10\n[64843.077740] __mutex_lock.constprop.0+0x263/0x490\n[64843.077747] __mutex_lock_slowpath+0x13/0x20\n[64843.077752] mutex_lock+0x34/0x40\n[64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib]\n[64843.077808] __mmu_notifier_release+0x1a4/0x200\n[64843.077816] exit_mmap+0x1bc/0x200\n[64843.077822] ? walk_page_range+0x9c/0x120\n[64843.077828] ? __cond_resched+0x1a/0x50\n[64843.077833] ? mutex_lock+0x13/0x40\n[64843.077839] ? uprobe_clear_state+0xac/0x120\n[64843.077860] mmput+0x5f/0x140\n[64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core]\n[64843.077931] pagefault_real_mr+0x9a/0x140 [mlx5_ib]\n[64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib]\n[64843.077992] pagefault_single_data_segment.constprop.0+0x2ac/0x560\n[mlx5_ib]\n[64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib]\n[64843.078051] process_one_work+0x22b/0x3d0\n[64843.078059] worker_thread+0x53/0x410\n[64843.078065] ? process_one_work+0x3d0/0x3d0\n[64843.078073] kthread+0x12a/0x150\n[64843.078079] ? set_kthread_struct+0x50/0x50\n[64843.078085] ret_from_fork+0x22/0x30\n[64843.078093] ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48675\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48675\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48675\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48675\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48675\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/819110054b14d7272b4188db997a3d80f75ab785\",\n \"https://git.kernel.org/stable/c/83c43fd872e32c8071d5582eb7c40f573a8342f3\",\n \"https://git.kernel.org/stable/c/85eaeb5058f0f04dffb124c97c86b4f18db0b833\",\n \"https://git.kernel.org/stable/c/e8de6cb5755eae7b793d8c00c8696c8667d44a7f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/core: Fix a nested dead lock as part of ODP flow\\n\\nFix a nested dead lock as part of ODP flow by using mmput_async().\\n\\nFrom the below call trace [1] can see that calling mmput() once we have\\nthe umem_odp->umem_mutex locked as required by\\nib_umem_odp_map_dma_and_lock() might trigger in the same task the\\nexit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which\\nmay dead lock when trying to lock the same mutex.\\n\\nMoving to use mmput_async() will solve the problem as the above\\nexit_mmap() flow will be called in other task and will be executed once\\nthe lock will be available.\\n\\n[1]\\n[64843.077665] task:kworker/u133:2 state:D stack: 0 pid:80906 ppid:\\n2 flags:0x00004000\\n[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]\\n[64843.077719] Call Trace:\\n[64843.077722] \\n[64843.077724] __schedule+0x23d/0x590\\n[64843.077729] schedule+0x4e/0xb0\\n[64843.077735] schedule_preempt_disabled+0xe/0x10\\n[64843.077740] __mutex_lock.constprop.0+0x263/0x490\\n[64843.077747] __mutex_lock_slowpath+0x13/0x20\\n[64843.077752] mutex_lock+0x34/0x40\\n[64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib]\\n[64843.077808] __mmu_notifier_release+0x1a4/0x200\\n[64843.077816] exit_mmap+0x1bc/0x200\\n[64843.077822] ? walk_page_range+0x9c/0x120\\n[64843.077828] ? __cond_resched+0x1a/0x50\\n[64843.077833] ? mutex_lock+0x13/0x40\\n[64843.077839] ? uprobe_clear_state+0xac/0x120\\n[64843.077860] mmput+0x5f/0x140\\n[64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core]\\n[64843.077931] pagefault_real_mr+0x9a/0x140 [mlx5_ib]\\n[64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib]\\n[64843.077992] pagefault_single_data_segment.constprop.0+0x2ac/0x560\\n[mlx5_ib]\\n[64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib]\\n[64843.078051] process_one_work+0x22b/0x3d0\\n[64843.078059] worker_thread+0x53/0x410\\n[64843.078065] ? process_one_work+0x3d0/0x3d0\\n[64843.078073] kthread+0x12a/0x150\\n[64843.078079] ? set_kthread_struct+0x50/0x50\\n[64843.078085] ret_from_fork+0x22/0x30\\n[64843.078093] \",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48675\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48686", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48686" + }, + { + "url": "https://git.kernel.org/stable/c/13c80a6c112467bab5e44d090767930555fc17a5" + }, + { + "url": "https://git.kernel.org/stable/c/160f3549a907a50e51a8518678ba2dcf2541abea" + }, + { + "url": "https://git.kernel.org/stable/c/19816a0214684f70b49b25075ff8c402fdd611d3" + }, + { + "url": "https://git.kernel.org/stable/c/5914fa32ef1b7766fea933f9eed94ac5c00aa7ff" + }, + { + "url": "https://git.kernel.org/stable/c/c3eb461aa56e6fa94fb80442ba2586bd223a8886" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48686 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48686", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix UAF when detecting digest errors\n\nWe should also bail from the io_work loop when we set rd_enabled to true,\nso we don't attempt to read data from the socket when the TCP stream is\nalready out-of-sync or corrupted.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48686\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48686\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48686\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48686\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48686\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13c80a6c112467bab5e44d090767930555fc17a5\",\n \"https://git.kernel.org/stable/c/160f3549a907a50e51a8518678ba2dcf2541abea\",\n \"https://git.kernel.org/stable/c/19816a0214684f70b49b25075ff8c402fdd611d3\",\n \"https://git.kernel.org/stable/c/5914fa32ef1b7766fea933f9eed94ac5c00aa7ff\",\n \"https://git.kernel.org/stable/c/c3eb461aa56e6fa94fb80442ba2586bd223a8886\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme-tcp: fix UAF when detecting digest errors\\n\\nWe should also bail from the io_work loop when we set rd_enabled to true,\\nso we don't attempt to read data from the socket when the TCP stream is\\nalready out-of-sync or corrupted.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48686\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48687", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48687" + }, + { + "url": "https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa" + }, + { + "url": "https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c" + }, + { + "url": "https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093" + }, + { + "url": "https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3" + }, + { + "url": "https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35" + }, + { + "url": "https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864" + }, + { + "url": "https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48687 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48687", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix out-of-bounds read when setting HMAC data.\n\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\nSegment Routing Headers. This configuration is realised via netlink through\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\nlength of the SECRET attribute, it is possible to provide invalid combinations\n(e.g., secret = \"\", secretlen = 64). This case is not checked in the code and\nwith an appropriately crafted netlink message, an out-of-bounds read of up\nto 64 bytes (max secret length) can occur past the skb end pointer and into\nskb_shared_info:\n\nBreakpoint 1, seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\n208\t\tmemcpy(hinfo->secret, secret, slen);\n(gdb) bt\n #0 seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\n #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\n extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=,\n family=) at net/netlink/genetlink.c:731\n #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\n family=0xffffffff82fef6c0 ) at net/netlink/genetlink.c:775\n #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\n #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 )\n at net/netlink/af_netlink.c:2501\n #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\n #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\n at net/netlink/af_netlink.c:1319\n #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=)\n at net/netlink/af_netlink.c:1345\n #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=, msg=0xffffc90000ba7e48, len=) at net/netlink/af_netlink.c:1921\n...\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end\n$1 = 0xffff88800b1b76c0\n(gdb) p/x secret\n$2 = 0xffff88800b1b76c0\n(gdb) p slen\n$3 = 64 '@'\n\nThe OOB data can then be read back from userspace by dumping HMAC state. This\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\nSECRET.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48687\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48687\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48687\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48687\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48687\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa\",\n \"https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c\",\n \"https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093\",\n \"https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3\",\n \"https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35\",\n \"https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864\",\n \"https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: sr: fix out-of-bounds read when setting HMAC data.\\n\\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\\nSegment Routing Headers. This configuration is realised via netlink through\\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\\nlength of the SECRET attribute, it is possible to provide invalid combinations\\n(e.g., secret = \\\"\\\", secretlen = 64). This case is not checked in the code and\\nwith an appropriately crafted netlink message, an out-of-bounds read of up\\nto 64 bytes (max secret length) can occur past the skb end pointer and into\\nskb_shared_info:\\n\\nBreakpoint 1, seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\\n208\\t\\tmemcpy(hinfo->secret, secret, slen);\\n(gdb) bt\\n #0 seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\\n #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\\n extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=,\\n family=) at net/netlink/genetlink.c:731\\n #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\\n family=0xffffffff82fef6c0 ) at net/netlink/genetlink.c:775\\n #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\\n #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 )\\n at net/netlink/af_netlink.c:2501\\n #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\\n #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\\n at net/netlink/af_netlink.c:1319\\n #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=)\\n at net/netlink/af_netlink.c:1345\\n #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=, msg=0xffffc90000ba7e48, len=) at net/netlink/af_netlink.c:1921\\n...\\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end\\n$1 = 0xffff88800b1b76c0\\n(gdb) p/x secret\\n$2 = 0xffff88800b1b76c0\\n(gdb) p slen\\n$3 = 64 '@'\\n\\nThe OOB data can then be read back from userspace by dumping HMAC state. This\\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\\nSECRET.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48687\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48688", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48688" + }, + { + "url": "https://git.kernel.org/stable/c/2ed94383f3a2693dbf5bc47c514b42524bd8f9ae" + }, + { + "url": "https://git.kernel.org/stable/c/342d77769a6cceb3df7720a1e18baa4339eee3fc" + }, + { + "url": "https://git.kernel.org/stable/c/38af35bec59a8431a1eb29da994a0a45cba275d9" + }, + { + "url": "https://git.kernel.org/stable/c/5332a094514852d5e58c278cf4193adb937337fc" + }, + { + "url": "https://git.kernel.org/stable/c/c49f320e2492738d478bc427dcd54ccfe0cba746" + }, + { + "url": "https://git.kernel.org/stable/c/fb8396aeda5872369a8ed6d2301e2c86e303c520" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48688 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48688", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during module removal\n\nThe driver incorrectly frees client instance and subsequent\ni40e module removal leads to kernel crash.\n\nReproducer:\n1. Do ethtool offline test followed immediately by another one\nhost# ethtool -t eth0 offline; ethtool -t eth0 offline\n2. Remove recursively irdma module that also removes i40e module\nhost# modprobe -r irdma\n\nResult:\n[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110\n[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2\n[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01\n[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1\n[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[ 8687.768755] #PF: supervisor read access in kernel mode\n[ 8687.773895] #PF: error_code(0x0000) - not-present page\n[ 8687.779034] PGD 0 P4D 0\n[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2\n[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019\n[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e]\n[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b\n[ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202\n[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000\n[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000\n[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000\n[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0\n[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008\n[ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000\n[ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0\n[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8687.905572] PKRU: 55555554\n[ 8687.908286] Call Trace:\n[ 8687.910737] \n[ 8687.912843] i40e_remove+0x2c0/0x330 [i40e]\n[ 8687.917040] pci_device_remove+0x33/0xa0\n[ 8687.920962] device_release_driver_internal+0x1aa/0x230\n[ 8687.926188] driver_detach+0x44/0x90\n[ 8687.929770] bus_remove_driver+0x55/0xe0\n[ 8687.933693] pci_unregister_driver+0x2a/0xb0\n[ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e]\n\nTwo offline tests cause IRDMA driver failure (ETIMEDOUT) and this\nfailure is indicated back to i40e_client_subtask() that calls\ni40e_client_del_instance() to free client instance referenced\nby pf->cinst and sets this pointer to NULL. During the module\nremoval i40e_remove() calls i40e_lan_del_device() that dereferences\npf->cinst that is NULL -> crash.\nDo not remove client instance when client open callbacks fails and\njust clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs\nto take care about this situation (when netdev is up and client\nis NOT opened) in i40e_notify_client_of_netdev_close() and\ncalls client close callback only when __I40E_CLIENT_INSTANCE_OPENED\nis set.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48688\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48688\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48688\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48688\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48688\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ed94383f3a2693dbf5bc47c514b42524bd8f9ae\",\n \"https://git.kernel.org/stable/c/342d77769a6cceb3df7720a1e18baa4339eee3fc\",\n \"https://git.kernel.org/stable/c/38af35bec59a8431a1eb29da994a0a45cba275d9\",\n \"https://git.kernel.org/stable/c/5332a094514852d5e58c278cf4193adb937337fc\",\n \"https://git.kernel.org/stable/c/c49f320e2492738d478bc427dcd54ccfe0cba746\",\n \"https://git.kernel.org/stable/c/fb8396aeda5872369a8ed6d2301e2c86e303c520\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni40e: Fix kernel crash during module removal\\n\\nThe driver incorrectly frees client instance and subsequent\\ni40e module removal leads to kernel crash.\\n\\nReproducer:\\n1. Do ethtool offline test followed immediately by another one\\nhost# ethtool -t eth0 offline; ethtool -t eth0 offline\\n2. Remove recursively irdma module that also removes i40e module\\nhost# modprobe -r irdma\\n\\nResult:\\n[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting\\n[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished\\n[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting\\n[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished\\n[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110\\n[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2\\n[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01\\n[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1\\n[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030\\n[ 8687.768755] #PF: supervisor read access in kernel mode\\n[ 8687.773895] #PF: error_code(0x0000) - not-present page\\n[ 8687.779034] PGD 0 P4D 0\\n[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI\\n[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2\\n[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019\\n[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e]\\n[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b\\n[ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202\\n[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000\\n[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000\\n[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000\\n[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0\\n[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008\\n[ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000\\n[ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0\\n[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 8687.905572] PKRU: 55555554\\n[ 8687.908286] Call Trace:\\n[ 8687.910737] \\n[ 8687.912843] i40e_remove+0x2c0/0x330 [i40e]\\n[ 8687.917040] pci_device_remove+0x33/0xa0\\n[ 8687.920962] device_release_driver_internal+0x1aa/0x230\\n[ 8687.926188] driver_detach+0x44/0x90\\n[ 8687.929770] bus_remove_driver+0x55/0xe0\\n[ 8687.933693] pci_unregister_driver+0x2a/0xb0\\n[ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e]\\n\\nTwo offline tests cause IRDMA driver failure (ETIMEDOUT) and this\\nfailure is indicated back to i40e_client_subtask() that calls\\ni40e_client_del_instance() to free client instance referenced\\nby pf->cinst and sets this pointer to NULL. During the module\\nremoval i40e_remove() calls i40e_lan_del_device() that dereferences\\npf->cinst that is NULL -> crash.\\nDo not remove client instance when client open callbacks fails and\\njust clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs\\nto take care about this situation (when netdev is up and client\\nis NOT opened) in i40e_notify_client_of_netdev_close() and\\ncalls client close callback only when __I40E_CLIENT_INSTANCE_OPENED\\nis set.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48688\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48689", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48689" + }, + { + "url": "https://git.kernel.org/stable/c/3261400639463a853ba2b3be8bd009c2a8089775" + }, + { + "url": "https://git.kernel.org/stable/c/6730c48ed6b0cd939fc9b30b2d621ce0b89bea83" + }, + { + "url": "https://git.kernel.org/stable/c/8527c9a6bf8e54fef0a8d3d7d8874a48c725c915" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48689 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48689", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: TX zerocopy should not sense pfmemalloc status\n\nWe got a recent syzbot report [1] showing a possible misuse\nof pfmemalloc page status in TCP zerocopy paths.\n\nIndeed, for pages coming from user space or other layers,\nusing page_is_pfmemalloc() is moot, and possibly could give\nfalse positives.\n\nThere has been attempts to make page_is_pfmemalloc() more robust,\nbut not using it in the first place in this context is probably better,\nremoving cpu cycles.\n\nNote to stable teams :\n\nYou need to backport 84ce071e38a6 (\"net: introduce\n__skb_fill_page_desc_noacc\") as a prereq.\n\nRace is more probable after commit c07aea3ef4d4\n(\"mm: add a signature in struct page\") because page_is_pfmemalloc()\nis now using low order bit from page->lru.next, which can change\nmore often than page->index.\n\nLow order bit should never be set for lru.next (when used as an anchor\nin LRU list), so KCSAN report is mostly a false positive.\n\nBackporting to older kernel versions seems not necessary.\n\n[1]\nBUG: KCSAN: data-race in lru_add_fn / tcp_build_frag\n\nwrite to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:\n__list_add include/linux/list.h:73 [inline]\nlist_add include/linux/list.h:88 [inline]\nlruvec_add_folio include/linux/mm_inline.h:105 [inline]\nlru_add_fn+0x440/0x520 mm/swap.c:228\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\nfolio_batch_add_and_move mm/swap.c:263 [inline]\nfolio_add_lru+0xf1/0x140 mm/swap.c:490\nfilemap_add_folio+0xf8/0x150 mm/filemap.c:948\n__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981\npagecache_get_page+0x26/0x190 mm/folio-compat.c:104\ngrab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116\next4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988\ngeneric_perform_write+0x1d4/0x3f0 mm/filemap.c:3738\next4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270\next4_file_write_iter+0x2e3/0x1210\ncall_write_iter include/linux/fs.h:2187 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x468/0x760 fs/read_write.c:578\nksys_write+0xe8/0x1a0 fs/read_write.c:631\n__do_sys_write fs/read_write.c:643 [inline]\n__se_sys_write fs/read_write.c:640 [inline]\n__x64_sys_write+0x3e/0x50 fs/read_write.c:640\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:\npage_is_pfmemalloc include/linux/mm.h:1740 [inline]\n__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]\nskb_fill_page_desc include/linux/skbuff.h:2443 [inline]\ntcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018\ndo_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075\ntcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]\ntcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150\ninet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833\nkernel_sendpage+0x184/0x300 net/socket.c:3561\nsock_sendpage+0x5a/0x70 net/socket.c:1054\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\nsplice_from_pipe_feed fs/splice.c:415 [inline]\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\nsplice_from_pipe fs/splice.c:594 [inline]\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\ndo_splice_from fs/splice.c:764 [inline]\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1249\n__do_sys_sendfile64 fs/read_write.c:1317 [inline]\n__se_sys_sendfile64 fs/read_write.c:1303 [inline]\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x0000000000000000 -> 0xffffea0004a1d288\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48689\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48689\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48689\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48689\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48689\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3261400639463a853ba2b3be8bd009c2a8089775\",\n \"https://git.kernel.org/stable/c/6730c48ed6b0cd939fc9b30b2d621ce0b89bea83\",\n \"https://git.kernel.org/stable/c/8527c9a6bf8e54fef0a8d3d7d8874a48c725c915\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: TX zerocopy should not sense pfmemalloc status\\n\\nWe got a recent syzbot report [1] showing a possible misuse\\nof pfmemalloc page status in TCP zerocopy paths.\\n\\nIndeed, for pages coming from user space or other layers,\\nusing page_is_pfmemalloc() is moot, and possibly could give\\nfalse positives.\\n\\nThere has been attempts to make page_is_pfmemalloc() more robust,\\nbut not using it in the first place in this context is probably better,\\nremoving cpu cycles.\\n\\nNote to stable teams :\\n\\nYou need to backport 84ce071e38a6 (\\\"net: introduce\\n__skb_fill_page_desc_noacc\\\") as a prereq.\\n\\nRace is more probable after commit c07aea3ef4d4\\n(\\\"mm: add a signature in struct page\\\") because page_is_pfmemalloc()\\nis now using low order bit from page->lru.next, which can change\\nmore often than page->index.\\n\\nLow order bit should never be set for lru.next (when used as an anchor\\nin LRU list), so KCSAN report is mostly a false positive.\\n\\nBackporting to older kernel versions seems not necessary.\\n\\n[1]\\nBUG: KCSAN: data-race in lru_add_fn / tcp_build_frag\\n\\nwrite to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:\\n__list_add include/linux/list.h:73 [inline]\\nlist_add include/linux/list.h:88 [inline]\\nlruvec_add_folio include/linux/mm_inline.h:105 [inline]\\nlru_add_fn+0x440/0x520 mm/swap.c:228\\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\\nfolio_batch_add_and_move mm/swap.c:263 [inline]\\nfolio_add_lru+0xf1/0x140 mm/swap.c:490\\nfilemap_add_folio+0xf8/0x150 mm/filemap.c:948\\n__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981\\npagecache_get_page+0x26/0x190 mm/folio-compat.c:104\\ngrab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116\\next4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988\\ngeneric_perform_write+0x1d4/0x3f0 mm/filemap.c:3738\\next4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270\\next4_file_write_iter+0x2e3/0x1210\\ncall_write_iter include/linux/fs.h:2187 [inline]\\nnew_sync_write fs/read_write.c:491 [inline]\\nvfs_write+0x468/0x760 fs/read_write.c:578\\nksys_write+0xe8/0x1a0 fs/read_write.c:631\\n__do_sys_write fs/read_write.c:643 [inline]\\n__se_sys_write fs/read_write.c:640 [inline]\\n__x64_sys_write+0x3e/0x50 fs/read_write.c:640\\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nread to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:\\npage_is_pfmemalloc include/linux/mm.h:1740 [inline]\\n__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]\\nskb_fill_page_desc include/linux/skbuff.h:2443 [inline]\\ntcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018\\ndo_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075\\ntcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]\\ntcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150\\ninet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833\\nkernel_sendpage+0x184/0x300 net/socket.c:3561\\nsock_sendpage+0x5a/0x70 net/socket.c:1054\\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\\nsplice_from_pipe_feed fs/splice.c:415 [inline]\\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\\nsplice_from_pipe fs/splice.c:594 [inline]\\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\\ndo_splice_from fs/splice.c:764 [inline]\\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1249\\n__do_sys_sendfile64 fs/read_write.c:1317 [inline]\\n__se_sys_sendfile64 fs/read_write.c:1303 [inline]\\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303\\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nvalue changed: 0x0000000000000000 -> 0xffffea0004a1d288\\n\\nReported by Kernel Concurrency Sanitizer on:\\nCPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48689\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48691", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48691" + }, + { + "url": "https://git.kernel.org/stable/c/1ce55ec5cb7c573c983dffbe290b8d17caf1f157" + }, + { + "url": "https://git.kernel.org/stable/c/77972a36ecc4db7fc7c68f0e80714263c5f03f65" + }, + { + "url": "https://git.kernel.org/stable/c/910891a2a44cdc49efcc4fe7459c1085ba00d0f4" + }, + { + "url": "https://git.kernel.org/stable/c/94ed8eeb8d9aeb00e4f4e19b83a2e28b6442fbc5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48691 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48691", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: clean up hook list when offload flags check fails\n\nsplice back the hook list so nft_chain_release_hook() has a chance to\nrelease the hooks.\n\nBUG: memory leak\nunreferenced object 0xffff88810180b100 (size 96):\n comm \"syz-executor133\", pid 3619, jiffies 4294945714 (age 12.690s)\n hex dump (first 32 bytes):\n 28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff (d#.....(d#.....\n 90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff ................\n backtrace:\n [] kmalloc include/linux/slab.h:600 [inline]\n [] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901\n [] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline]\n [] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073\n [] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218\n [] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593\n [] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517\n [] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline]\n [] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656\n [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n [] sock_sendmsg_nosec net/socket.c:714 [inline]\n [] sock_sendmsg+0x56/0x80 net/socket.c:734\n [] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482\n [] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\n [] __sys_sendmsg+0x88/0x100 net/socket.c:2565\n [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [] entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48691\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48691\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48691\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48691\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48691\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ce55ec5cb7c573c983dffbe290b8d17caf1f157\",\n \"https://git.kernel.org/stable/c/77972a36ecc4db7fc7c68f0e80714263c5f03f65\",\n \"https://git.kernel.org/stable/c/910891a2a44cdc49efcc4fe7459c1085ba00d0f4\",\n \"https://git.kernel.org/stable/c/94ed8eeb8d9aeb00e4f4e19b83a2e28b6442fbc5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: clean up hook list when offload flags check fails\\n\\nsplice back the hook list so nft_chain_release_hook() has a chance to\\nrelease the hooks.\\n\\nBUG: memory leak\\nunreferenced object 0xffff88810180b100 (size 96):\\n comm \\\"syz-executor133\\\", pid 3619, jiffies 4294945714 (age 12.690s)\\n hex dump (first 32 bytes):\\n 28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff (d#.....(d#.....\\n 90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff ................\\n backtrace:\\n [] kmalloc include/linux/slab.h:600 [inline]\\n [] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901\\n [] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline]\\n [] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073\\n [] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218\\n [] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593\\n [] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517\\n [] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline]\\n [] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656\\n [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\\n [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\\n [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\\n [] sock_sendmsg_nosec net/socket.c:714 [inline]\\n [] sock_sendmsg+0x56/0x80 net/socket.c:734\\n [] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482\\n [] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\\n [] __sys_sendmsg+0x88/0x100 net/socket.c:2565\\n [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\\n [] entry_SYSCALL_64_after_hwframe+0x63/0xcd\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48691\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48692", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48692" + }, + { + "url": "https://git.kernel.org/stable/c/12f35199a2c0551187edbf8eb01379f0598659fa" + }, + { + "url": "https://git.kernel.org/stable/c/a8edd49c94b4b08019ed7d6dd794fca8078a4deb" + }, + { + "url": "https://git.kernel.org/stable/c/f022576aa03c2385ea7f2b27ee5b331e43abf624" + }, + { + "url": "https://git.kernel.org/stable/c/f2c70f56f762e5dc3b0d7dc438fbb137cb116413" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48692 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48692", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Set scmnd->result only when scmnd is not NULL\n\nThis change fixes the following kernel NULL pointer dereference\nwhich is reproduced by blktests srp/007 occasionally.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000170\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014\nWorkqueue: 0x0 (kblockd)\nRIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]\nCode: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9\nRSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282\nRAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000\nRDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff\nRBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001\nR10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000\nR13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0\nCall Trace:\n \n __ib_process_cq+0xb7/0x280 [ib_core]\n ib_poll_handler+0x2b/0x130 [ib_core]\n irq_poll_softirq+0x93/0x150\n __do_softirq+0xee/0x4b8\n irq_exit_rcu+0xf7/0x130\n sysvec_apic_timer_interrupt+0x8e/0xc0\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48692\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48692\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48692\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48692\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48692\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12f35199a2c0551187edbf8eb01379f0598659fa\",\n \"https://git.kernel.org/stable/c/a8edd49c94b4b08019ed7d6dd794fca8078a4deb\",\n \"https://git.kernel.org/stable/c/f022576aa03c2385ea7f2b27ee5b331e43abf624\",\n \"https://git.kernel.org/stable/c/f2c70f56f762e5dc3b0d7dc438fbb137cb116413\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/srp: Set scmnd->result only when scmnd is not NULL\\n\\nThis change fixes the following kernel NULL pointer dereference\\nwhich is reproduced by blktests srp/007 occasionally.\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000170\\nPGD 0 P4D 0\\nOops: 0002 [#1] PREEMPT SMP NOPTI\\nCPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014\\nWorkqueue: 0x0 (kblockd)\\nRIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]\\nCode: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9\\nRSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282\\nRAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000\\nRDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff\\nRBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001\\nR10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000\\nR13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000\\nFS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0\\nCall Trace:\\n \\n __ib_process_cq+0xb7/0x280 [ib_core]\\n ib_poll_handler+0x2b/0x130 [ib_core]\\n irq_poll_softirq+0x93/0x150\\n __do_softirq+0xee/0x4b8\\n irq_exit_rcu+0xf7/0x130\\n sysvec_apic_timer_interrupt+0x8e/0xc0\\n \",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48692\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48693", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48693" + }, + { + "url": "https://git.kernel.org/stable/c/0284b4e6dec6088a41607aa3f42bf51edff01883" + }, + { + "url": "https://git.kernel.org/stable/c/1085f5080647f0c9f357c270a537869191f7f2a1" + }, + { + "url": "https://git.kernel.org/stable/c/43245c77d9efd8c9eb91bf225d07954dcf32204d" + }, + { + "url": "https://git.kernel.org/stable/c/57b2897ec3ffe4cbe018446be6d04432919dca6b" + }, + { + "url": "https://git.kernel.org/stable/c/653500b400d5576940b7429690f7197199ddcc82" + }, + { + "url": "https://git.kernel.org/stable/c/6dc0251638a4a1a998506dbd4627f8317e907558" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48693 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48693", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\n\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\n\n(1) we need to add of_node_put() when for_each__matching_node() breaks\n(2) we need to add iounmap() for each iomap in fail path", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48693\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48693\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48693\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48693\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48693\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0284b4e6dec6088a41607aa3f42bf51edff01883\",\n \"https://git.kernel.org/stable/c/1085f5080647f0c9f357c270a537869191f7f2a1\",\n \"https://git.kernel.org/stable/c/43245c77d9efd8c9eb91bf225d07954dcf32204d\",\n \"https://git.kernel.org/stable/c/57b2897ec3ffe4cbe018446be6d04432919dca6b\",\n \"https://git.kernel.org/stable/c/653500b400d5576940b7429690f7197199ddcc82\",\n \"https://git.kernel.org/stable/c/6dc0251638a4a1a998506dbd4627f8317e907558\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\\n\\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\\n\\n(1) we need to add of_node_put() when for_each__matching_node() breaks\\n(2) we need to add iounmap() for each iomap in fail path\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48693\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48695", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48695" + }, + { + "url": "https://git.kernel.org/stable/c/41acb064c4e013808bc7d5fc1b506fa449425b0b" + }, + { + "url": "https://git.kernel.org/stable/c/5682c94644fde72f72bded6580c38189ffc856b5" + }, + { + "url": "https://git.kernel.org/stable/c/6229fa494a5949be209bc73afbc5d0a749c2e3c7" + }, + { + "url": "https://git.kernel.org/stable/c/82efb917eeb27454dc4c6fe26432fc8f6c75bc16" + }, + { + "url": "https://git.kernel.org/stable/c/991df3dd5144f2e6b1c38b8d20ed3d4d21e20b34" + }, + { + "url": "https://git.kernel.org/stable/c/b8fc9e91b931215110ba824d1a2983c5f60b6f82" + }, + { + "url": "https://git.kernel.org/stable/c/d4959d09b76eb7a4146f5133962b88d3bddb63d6" + }, + { + "url": "https://git.kernel.org/stable/c/ea10a652ad2ae2cf3eced6f632a5c98f26727057" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48695 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48695", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use-after-free warning\n\nFix the following use-after-free warning which is observed during\ncontroller reset:\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48695\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48695\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48695\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48695\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48695\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/41acb064c4e013808bc7d5fc1b506fa449425b0b\",\n \"https://git.kernel.org/stable/c/5682c94644fde72f72bded6580c38189ffc856b5\",\n \"https://git.kernel.org/stable/c/6229fa494a5949be209bc73afbc5d0a749c2e3c7\",\n \"https://git.kernel.org/stable/c/82efb917eeb27454dc4c6fe26432fc8f6c75bc16\",\n \"https://git.kernel.org/stable/c/991df3dd5144f2e6b1c38b8d20ed3d4d21e20b34\",\n \"https://git.kernel.org/stable/c/b8fc9e91b931215110ba824d1a2983c5f60b6f82\",\n \"https://git.kernel.org/stable/c/d4959d09b76eb7a4146f5133962b88d3bddb63d6\",\n \"https://git.kernel.org/stable/c/ea10a652ad2ae2cf3eced6f632a5c98f26727057\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: mpt3sas: Fix use-after-free warning\\n\\nFix the following use-after-free warning which is observed during\\ncontroller reset:\\n\\nrefcount_t: underflow; use-after-free.\\nWARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48695\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48697", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48697" + }, + { + "url": "https://git.kernel.org/stable/c/17f121ca3ec6be0fb32d77c7f65362934a38cc8e" + }, + { + "url": "https://git.kernel.org/stable/c/4484ce97a78171668c402e0c45db7f760aea8060" + }, + { + "url": "https://git.kernel.org/stable/c/6a02a61e81c231cc5c680c5dbf8665275147ac52" + }, + { + "url": "https://git.kernel.org/stable/c/8d66989b5f7bb28bba2f8e1e2ffc8bfef4a10717" + }, + { + "url": "https://git.kernel.org/stable/c/be01f1c988757b95f11f090a9f491365670a522b" + }, + { + "url": "https://git.kernel.org/stable/c/ebf46da50beb78066674354ad650606a467e33fa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48697 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48697", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a use-after-free\n\nFix the following use-after-free complaint triggered by blktests nvme/004:\n\nBUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350\nRead of size 4 at addr 0000607bd1835943 by task kworker/13:1/460\nWorkqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\nCall Trace:\n show_stack+0x52/0x58\n dump_stack_lvl+0x49/0x5e\n print_report.cold+0x36/0x1e2\n kasan_report+0xb9/0xf0\n __asan_load4+0x6b/0x80\n blk_mq_complete_request_remote+0xac/0x350\n nvme_loop_queue_response+0x1df/0x275 [nvme_loop]\n __nvmet_req_complete+0x132/0x4f0 [nvmet]\n nvmet_req_complete+0x15/0x40 [nvmet]\n nvmet_execute_io_connect+0x18a/0x1f0 [nvmet]\n nvme_loop_execute_work+0x20/0x30 [nvme_loop]\n process_one_work+0x56e/0xa70\n worker_thread+0x2d1/0x640\n kthread+0x183/0x1c0\n ret_from_fork+0x1f/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48697\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48697\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48697\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48697\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48697\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17f121ca3ec6be0fb32d77c7f65362934a38cc8e\",\n \"https://git.kernel.org/stable/c/4484ce97a78171668c402e0c45db7f760aea8060\",\n \"https://git.kernel.org/stable/c/6a02a61e81c231cc5c680c5dbf8665275147ac52\",\n \"https://git.kernel.org/stable/c/8d66989b5f7bb28bba2f8e1e2ffc8bfef4a10717\",\n \"https://git.kernel.org/stable/c/be01f1c988757b95f11f090a9f491365670a522b\",\n \"https://git.kernel.org/stable/c/ebf46da50beb78066674354ad650606a467e33fa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvmet: fix a use-after-free\\n\\nFix the following use-after-free complaint triggered by blktests nvme/004:\\n\\nBUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350\\nRead of size 4 at addr 0000607bd1835943 by task kworker/13:1/460\\nWorkqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\\nCall Trace:\\n show_stack+0x52/0x58\\n dump_stack_lvl+0x49/0x5e\\n print_report.cold+0x36/0x1e2\\n kasan_report+0xb9/0xf0\\n __asan_load4+0x6b/0x80\\n blk_mq_complete_request_remote+0xac/0x350\\n nvme_loop_queue_response+0x1df/0x275 [nvme_loop]\\n __nvmet_req_complete+0x132/0x4f0 [nvmet]\\n nvmet_req_complete+0x15/0x40 [nvmet]\\n nvmet_execute_io_connect+0x18a/0x1f0 [nvmet]\\n nvme_loop_execute_work+0x20/0x30 [nvme_loop]\\n process_one_work+0x56e/0xa70\\n worker_thread+0x2d1/0x640\\n kthread+0x183/0x1c0\\n ret_from_fork+0x1f/0x30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48697\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48698", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48698" + }, + { + "url": "https://git.kernel.org/stable/c/3a6279d243cb035eaaff1450980b40cf19748f05" + }, + { + "url": "https://git.kernel.org/stable/c/58acd2ebae034db3bacf38708f508fbd12ae2e54" + }, + { + "url": "https://git.kernel.org/stable/c/cbfac7fa491651c57926c99edeb7495c6c1aeac2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48698 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48698", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix memory leak when using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. Fix this up by properly\ncalling dput().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48698\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48698\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48698\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48698\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48698\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3a6279d243cb035eaaff1450980b40cf19748f05\",\n \"https://git.kernel.org/stable/c/58acd2ebae034db3bacf38708f508fbd12ae2e54\",\n \"https://git.kernel.org/stable/c/cbfac7fa491651c57926c99edeb7495c6c1aeac2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: fix memory leak when using debugfs_lookup()\\n\\nWhen calling debugfs_lookup() the result must have dput() called on it,\\notherwise the memory will leak over time. Fix this up by properly\\ncalling dput().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48698\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48699", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48699" + }, + { + "url": "https://git.kernel.org/stable/c/0c32a93963e03c03e561d5a066eedad211880ba3" + }, + { + "url": "https://git.kernel.org/stable/c/26e9a1ded8923510e5529fbb28390b22228700c2" + }, + { + "url": "https://git.kernel.org/stable/c/c2e406596571659451f4b95e37ddfd5a8ef1d0dc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48699 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48699", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/debug: fix dentry leak in update_sched_domain_debugfs\n\nKuyo reports that the pattern of using debugfs_remove(debugfs_lookup())\nleaks a dentry and with a hotplug stress test, the machine eventually\nruns out of memory.\n\nFix this up by using the newly created debugfs_lookup_and_remove() call\ninstead which properly handles the dentry reference counting logic.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48699\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48699\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48699\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48699\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48699\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c32a93963e03c03e561d5a066eedad211880ba3\",\n \"https://git.kernel.org/stable/c/26e9a1ded8923510e5529fbb28390b22228700c2\",\n \"https://git.kernel.org/stable/c/c2e406596571659451f4b95e37ddfd5a8ef1d0dc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/debug: fix dentry leak in update_sched_domain_debugfs\\n\\nKuyo reports that the pattern of using debugfs_remove(debugfs_lookup())\\nleaks a dentry and with a hotplug stress test, the machine eventually\\nruns out of memory.\\n\\nFix this up by using the newly created debugfs_lookup_and_remove() call\\ninstead which properly handles the dentry reference counting logic.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48699\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48700", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48700" + }, + { + "url": "https://git.kernel.org/stable/c/5321908ef74fb593e0dbc8737d25038fc86c9986" + }, + { + "url": "https://git.kernel.org/stable/c/578d644edc7d2c1ff53f7e4d0a25da473deb4a03" + }, + { + "url": "https://git.kernel.org/stable/c/5d721bf222936f5cf3ee15ced53cc483ecef7e46" + }, + { + "url": "https://git.kernel.org/stable/c/873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48700 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48700", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: Unpin zero pages\n\nThere's currently a reference count leak on the zero page. We increment\nthe reference via pin_user_pages_remote(), but the page is later handled\nas an invalid/reserved page, therefore it's not accounted against the\nuser and not unpinned by our put_pfn().\n\nIntroducing special zero page handling in put_pfn() would resolve the\nleak, but without accounting of the zero page, a single user could\nstill create enough mappings to generate a reference count overflow.\n\nThe zero page is always resident, so for our purposes there's no reason\nto keep it pinned. Therefore, add a loop to walk pages returned from\npin_user_pages_remote() and unpin any zero pages.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48700\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48700\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48700\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48700\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48700\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5321908ef74fb593e0dbc8737d25038fc86c9986\",\n \"https://git.kernel.org/stable/c/578d644edc7d2c1ff53f7e4d0a25da473deb4a03\",\n \"https://git.kernel.org/stable/c/5d721bf222936f5cf3ee15ced53cc483ecef7e46\",\n \"https://git.kernel.org/stable/c/873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/type1: Unpin zero pages\\n\\nThere's currently a reference count leak on the zero page. We increment\\nthe reference via pin_user_pages_remote(), but the page is later handled\\nas an invalid/reserved page, therefore it's not accounted against the\\nuser and not unpinned by our put_pfn().\\n\\nIntroducing special zero page handling in put_pfn() would resolve the\\nleak, but without accounting of the zero page, a single user could\\nstill create enough mappings to generate a reference count overflow.\\n\\nThe zero page is always resident, so for our purposes there's no reason\\nto keep it pinned. Therefore, add a loop to walk pages returned from\\npin_user_pages_remote() and unpin any zero pages.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48700\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48701", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48701" + }, + { + "url": "https://git.kernel.org/stable/c/0492798bf8dfcc09c9337a1ba065da1d1ca68712" + }, + { + "url": "https://git.kernel.org/stable/c/2a308e415d247a23d4d64c964c02e782eede2936" + }, + { + "url": "https://git.kernel.org/stable/c/6123bec8480d23369e2ee0b2208611619f269faf" + }, + { + "url": "https://git.kernel.org/stable/c/8293e61bbf908b18ff9935238d4fc2ad359e3fe0" + }, + { + "url": "https://git.kernel.org/stable/c/91904870370fd986c29719846ed76d559de43251" + }, + { + "url": "https://git.kernel.org/stable/c/98e8e67395cc6d0cdf3a771f86ea42d0ee6e59dd" + }, + { + "url": "https://git.kernel.org/stable/c/b970518014f2f0f6c493fb86c1e092b936899061" + }, + { + "url": "https://git.kernel.org/stable/c/e53f47f6c1a56d2af728909f1cb894da6b43d9bf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48701 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48701", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()\n\nThere may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and\nthe number of it's interfaces less than 4, an out-of-bounds read bug occurs\nwhen parsing the interface descriptor for this device.\n\nFix this by checking the number of interfaces.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48701\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48701\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48701\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48701\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48701\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0492798bf8dfcc09c9337a1ba065da1d1ca68712\",\n \"https://git.kernel.org/stable/c/2a308e415d247a23d4d64c964c02e782eede2936\",\n \"https://git.kernel.org/stable/c/6123bec8480d23369e2ee0b2208611619f269faf\",\n \"https://git.kernel.org/stable/c/8293e61bbf908b18ff9935238d4fc2ad359e3fe0\",\n \"https://git.kernel.org/stable/c/91904870370fd986c29719846ed76d559de43251\",\n \"https://git.kernel.org/stable/c/98e8e67395cc6d0cdf3a771f86ea42d0ee6e59dd\",\n \"https://git.kernel.org/stable/c/b970518014f2f0f6c493fb86c1e092b936899061\",\n \"https://git.kernel.org/stable/c/e53f47f6c1a56d2af728909f1cb894da6b43d9bf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()\\n\\nThere may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and\\nthe number of it's interfaces less than 4, an out-of-bounds read bug occurs\\nwhen parsing the interface descriptor for this device.\\n\\nFix this by checking the number of interfaces.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48701\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48702", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48702" + }, + { + "url": "https://git.kernel.org/stable/c/39a90720f3abe96625d1224e7a7463410875de4c" + }, + { + "url": "https://git.kernel.org/stable/c/4204a01ffce97cae1d59edc5848f02be5b2b9178" + }, + { + "url": "https://git.kernel.org/stable/c/45321a7d02b7cf9b3f97e3987fc1e4d649b82da2" + }, + { + "url": "https://git.kernel.org/stable/c/45814a53514e10a8014906c882e0d0d38df39cc1" + }, + { + "url": "https://git.kernel.org/stable/c/637c5310acb48fffcc5657568db3f3e9bc719bfa" + }, + { + "url": "https://git.kernel.org/stable/c/6b0e260ac3cf289e38446552461caa65e6dab275" + }, + { + "url": "https://git.kernel.org/stable/c/88aac6684cf8bc885cca15463cb4407e91f28ff7" + }, + { + "url": "https://git.kernel.org/stable/c/d29f59051d3a07b81281b2df2b8c9dfe4716067f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48702 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48702", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()\n\nThe voice allocator sometimes begins allocating from near the end of the\narray and then wraps around, however snd_emu10k1_pcm_channel_alloc()\naccesses the newly allocated voices as if it never wrapped around.\n\nThis results in out of bounds access if the first voice has a high enough\nindex so that first_voice + requested_voice_count > NUM_G (64).\nThe more voices are requested, the more likely it is for this to occur.\n\nThis was initially discovered using PipeWire, however it can be reproduced\nby calling aplay multiple times with 16 channels:\naplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero\n\nUBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40\nindex 65 is out of range for type 'snd_emu10k1_voice [64]'\nCPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7\nHardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010\nCall Trace:\n\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\nubsan_epilogue+0x9/0x3f\n__ubsan_handle_out_of_bounds.cold+0x44/0x49\nsnd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]\nsnd_pcm_hw_params+0x29f/0x600 [snd_pcm]\nsnd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]\n? exit_to_user_mode_prepare+0x35/0x170\n? do_syscall_64+0x69/0x90\n? syscall_exit_to_user_mode+0x26/0x50\n? do_syscall_64+0x69/0x90\n? exit_to_user_mode_prepare+0x35/0x170\nsnd_pcm_ioctl+0x27/0x40 [snd_pcm]\n__x64_sys_ioctl+0x95/0xd0\ndo_syscall_64+0x5c/0x90\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48702\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48702\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48702\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48702\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48702\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39a90720f3abe96625d1224e7a7463410875de4c\",\n \"https://git.kernel.org/stable/c/4204a01ffce97cae1d59edc5848f02be5b2b9178\",\n \"https://git.kernel.org/stable/c/45321a7d02b7cf9b3f97e3987fc1e4d649b82da2\",\n \"https://git.kernel.org/stable/c/45814a53514e10a8014906c882e0d0d38df39cc1\",\n \"https://git.kernel.org/stable/c/637c5310acb48fffcc5657568db3f3e9bc719bfa\",\n \"https://git.kernel.org/stable/c/6b0e260ac3cf289e38446552461caa65e6dab275\",\n \"https://git.kernel.org/stable/c/88aac6684cf8bc885cca15463cb4407e91f28ff7\",\n \"https://git.kernel.org/stable/c/d29f59051d3a07b81281b2df2b8c9dfe4716067f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()\\n\\nThe voice allocator sometimes begins allocating from near the end of the\\narray and then wraps around, however snd_emu10k1_pcm_channel_alloc()\\naccesses the newly allocated voices as if it never wrapped around.\\n\\nThis results in out of bounds access if the first voice has a high enough\\nindex so that first_voice + requested_voice_count > NUM_G (64).\\nThe more voices are requested, the more likely it is for this to occur.\\n\\nThis was initially discovered using PipeWire, however it can be reproduced\\nby calling aplay multiple times with 16 channels:\\naplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero\\n\\nUBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40\\nindex 65 is out of range for type 'snd_emu10k1_voice [64]'\\nCPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7\\nHardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010\\nCall Trace:\\n\\ndump_stack_lvl+0x49/0x63\\ndump_stack+0x10/0x16\\nubsan_epilogue+0x9/0x3f\\n__ubsan_handle_out_of_bounds.cold+0x44/0x49\\nsnd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]\\nsnd_pcm_hw_params+0x29f/0x600 [snd_pcm]\\nsnd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]\\n? exit_to_user_mode_prepare+0x35/0x170\\n? do_syscall_64+0x69/0x90\\n? syscall_exit_to_user_mode+0x26/0x50\\n? do_syscall_64+0x69/0x90\\n? exit_to_user_mode_prepare+0x35/0x170\\nsnd_pcm_ioctl+0x27/0x40 [snd_pcm]\\n__x64_sys_ioctl+0x95/0xd0\\ndo_syscall_64+0x5c/0x90\\n? do_syscall_64+0x69/0x90\\n? do_syscall_64+0x69/0x90\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48702\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48703", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48703" + }, + { + "url": "https://git.kernel.org/stable/c/7931e28098a4c1a2a6802510b0cbe57546d2049d" + }, + { + "url": "https://git.kernel.org/stable/c/dae42083b045a4ddf71c57cf350cb2412b5915c2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48703 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48703", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR\n\nIn some case, the GDDV returns a package with a buffer which has\nzero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10).\n\nThen the data_vault_read() got NULL point dereference problem when\naccessing the 0x10 value in data_vault.\n\n[ 71.024560] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n\nThis patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or\nNULL value in data_vault.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48703\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48703\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48703\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48703\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48703\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7931e28098a4c1a2a6802510b0cbe57546d2049d\",\n \"https://git.kernel.org/stable/c/dae42083b045a4ddf71c57cf350cb2412b5915c2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR\\n\\nIn some case, the GDDV returns a package with a buffer which has\\nzero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10).\\n\\nThen the data_vault_read() got NULL point dereference problem when\\naccessing the 0x10 value in data_vault.\\n\\n[ 71.024560] BUG: kernel NULL pointer dereference, address:\\n0000000000000010\\n\\nThis patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or\\nNULL value in data_vault.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48703\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48704", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48704" + }, + { + "url": "https://git.kernel.org/stable/c/16cb367daa446923d82e332537f446a4cc784b40" + }, + { + "url": "https://git.kernel.org/stable/c/4e25e8f27fdbdc6fd55cc572a9939bf24500b9e8" + }, + { + "url": "https://git.kernel.org/stable/c/5a7a5b2edac4b05abd744eeaebda46d9dacd952d" + }, + { + "url": "https://git.kernel.org/stable/c/826b46fd5974113515abe9e4fc8178009a8ce18c" + }, + { + "url": "https://git.kernel.org/stable/c/b878da58df2c40b08914d3960e2224040fd1fbfe" + }, + { + "url": "https://git.kernel.org/stable/c/c0a45f41fde4a0f2c900f719817493ee5c4a5aa3" + }, + { + "url": "https://git.kernel.org/stable/c/c72d97146fc5a4dff381b1737f6167e89860430d" + }, + { + "url": "https://git.kernel.org/stable/c/f461950fdc374a3ada5a63c669d997de4600dffe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48704 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48704", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: add a force flush to delay work when radeon\n\nAlthough radeon card fence and wait for gpu to finish processing current batch rings,\nthere is still a corner case that radeon lockup work queue may not be fully flushed,\nand meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to\nput device in D3hot state.\nPer PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.\n> Configuration and Message requests are the only TLPs accepted by a Function in\n> the D3hot state. All other received Requests must be handled as Unsupported Requests,\n> and all received Completions may optionally be handled as Unexpected Completions.\nThis issue will happen in following logs:\nUnable to handle kernel paging request at virtual address 00008800e0008010\nCPU 0 kworker/0:3(131): Oops 0\npc = [] ra = [] ps = 0000 Tainted: G W\npc is at si_gpu_check_soft_reset+0x3c/0x240\nra is at si_dma_is_lockup+0x34/0xd0\nv0 = 0000000000000000 t0 = fff08800e0008010 t1 = 0000000000010000\nt2 = 0000000000008010 t3 = fff00007e3c00000 t4 = fff00007e3c00258\nt5 = 000000000000ffff t6 = 0000000000000001 t7 = fff00007ef078000\ns0 = fff00007e3c016e8 s1 = fff00007e3c00000 s2 = fff00007e3c00018\ns3 = fff00007e3c00000 s4 = fff00007fff59d80 s5 = 0000000000000000\ns6 = fff00007ef07bd98\na0 = fff00007e3c00000 a1 = fff00007e3c016e8 a2 = 0000000000000008\na3 = 0000000000000001 a4 = 8f5c28f5c28f5c29 a5 = ffffffff810f4338\nt8 = 0000000000000275 t9 = ffffffff809b66f8 t10 = ff6769c5d964b800\nt11= 000000000000b886 pv = ffffffff811bea20 at = 0000000000000000\ngp = ffffffff81d89690 sp = 00000000aa814126\nDisabling lock debugging due to kernel taint\nTrace:\n[] si_dma_is_lockup+0x34/0xd0\n[] radeon_fence_check_lockup+0xd0/0x290\n[] process_one_work+0x280/0x550\n[] worker_thread+0x70/0x7c0\n[] worker_thread+0x130/0x7c0\n[] kthread+0x200/0x210\n[] worker_thread+0x0/0x7c0\n[] kthread+0x14c/0x210\n[] ret_from_kernel_thread+0x18/0x20\n[] kthread+0x0/0x210\n Code: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101\n <88210000> 4821ed21\nSo force lockup work queue flush to fix this problem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48704\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48704\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48704\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48704\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48704\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16cb367daa446923d82e332537f446a4cc784b40\",\n \"https://git.kernel.org/stable/c/4e25e8f27fdbdc6fd55cc572a9939bf24500b9e8\",\n \"https://git.kernel.org/stable/c/5a7a5b2edac4b05abd744eeaebda46d9dacd952d\",\n \"https://git.kernel.org/stable/c/826b46fd5974113515abe9e4fc8178009a8ce18c\",\n \"https://git.kernel.org/stable/c/b878da58df2c40b08914d3960e2224040fd1fbfe\",\n \"https://git.kernel.org/stable/c/c0a45f41fde4a0f2c900f719817493ee5c4a5aa3\",\n \"https://git.kernel.org/stable/c/c72d97146fc5a4dff381b1737f6167e89860430d\",\n \"https://git.kernel.org/stable/c/f461950fdc374a3ada5a63c669d997de4600dffe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/radeon: add a force flush to delay work when radeon\\n\\nAlthough radeon card fence and wait for gpu to finish processing current batch rings,\\nthere is still a corner case that radeon lockup work queue may not be fully flushed,\\nand meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to\\nput device in D3hot state.\\nPer PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.\\n> Configuration and Message requests are the only TLPs accepted by a Function in\\n> the D3hot state. All other received Requests must be handled as Unsupported Requests,\\n> and all received Completions may optionally be handled as Unexpected Completions.\\nThis issue will happen in following logs:\\nUnable to handle kernel paging request at virtual address 00008800e0008010\\nCPU 0 kworker/0:3(131): Oops 0\\npc = [] ra = [] ps = 0000 Tainted: G W\\npc is at si_gpu_check_soft_reset+0x3c/0x240\\nra is at si_dma_is_lockup+0x34/0xd0\\nv0 = 0000000000000000 t0 = fff08800e0008010 t1 = 0000000000010000\\nt2 = 0000000000008010 t3 = fff00007e3c00000 t4 = fff00007e3c00258\\nt5 = 000000000000ffff t6 = 0000000000000001 t7 = fff00007ef078000\\ns0 = fff00007e3c016e8 s1 = fff00007e3c00000 s2 = fff00007e3c00018\\ns3 = fff00007e3c00000 s4 = fff00007fff59d80 s5 = 0000000000000000\\ns6 = fff00007ef07bd98\\na0 = fff00007e3c00000 a1 = fff00007e3c016e8 a2 = 0000000000000008\\na3 = 0000000000000001 a4 = 8f5c28f5c28f5c29 a5 = ffffffff810f4338\\nt8 = 0000000000000275 t9 = ffffffff809b66f8 t10 = ff6769c5d964b800\\nt11= 000000000000b886 pv = ffffffff811bea20 at = 0000000000000000\\ngp = ffffffff81d89690 sp = 00000000aa814126\\nDisabling lock debugging due to kernel taint\\nTrace:\\n[] si_dma_is_lockup+0x34/0xd0\\n[] radeon_fence_check_lockup+0xd0/0x290\\n[] process_one_work+0x280/0x550\\n[] worker_thread+0x70/0x7c0\\n[] worker_thread+0x130/0x7c0\\n[] kthread+0x200/0x210\\n[] worker_thread+0x0/0x7c0\\n[] kthread+0x14c/0x210\\n[] ret_from_kernel_thread+0x18/0x20\\n[] kthread+0x0/0x210\\n Code: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101\\n <88210000> 4821ed21\\nSo force lockup work queue flush to fix this problem.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48704\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48706", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48706" + }, + { + "url": "https://git.kernel.org/stable/c/5d2cc32c1c10bd889125d2adc16a6bc3338dcd3e" + }, + { + "url": "https://git.kernel.org/stable/c/6b04456e248761cf68f562f2fd7c04e591fcac94" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48706 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48706", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: ifcvf: Do proper cleanup if IFCVF init fails\n\nifcvf_mgmt_dev leaks memory if it is not freed before\nreturning. Call is made to correct return statement\nso memory does not leak. ifcvf_init_hw does not take\ncare of this so it is needed to do it here.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48706\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48706\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48706\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48706\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48706\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5d2cc32c1c10bd889125d2adc16a6bc3338dcd3e\",\n \"https://git.kernel.org/stable/c/6b04456e248761cf68f562f2fd7c04e591fcac94\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvdpa: ifcvf: Do proper cleanup if IFCVF init fails\\n\\nifcvf_mgmt_dev leaks memory if it is not freed before\\nreturning. Call is made to correct return statement\\nso memory does not leak. ifcvf_init_hw does not take\\ncare of this so it is needed to do it here.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48706\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48708", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48708" + }, + { + "url": "https://git.kernel.org/stable/c/1177bdafe87cbe543a2dc48a9bbac265aa5864db" + }, + { + "url": "https://git.kernel.org/stable/c/2b763f7de108cb1a5ad5ed08e617d677341947cb" + }, + { + "url": "https://git.kernel.org/stable/c/6e2a0521e4e84a2698f2da3950fb5c5496a4d208" + }, + { + "url": "https://git.kernel.org/stable/c/71668706fbe7d20e6f172fa3287fa8aac1b56c26" + }, + { + "url": "https://git.kernel.org/stable/c/bcc487001a15f71f103d102cba4ac8145d7a68f2" + }, + { + "url": "https://git.kernel.org/stable/c/d2d73e6d4822140445ad4a7b1c6091e0f5fe703b" + }, + { + "url": "https://git.kernel.org/stable/c/e671e63587c92b3fd767cf82e73129f6d5feeb33" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48708 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48708", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: single: fix potential NULL dereference\n\nAdded checking of pointer \"function\" in pcs_set_mux().\npinmux_generic_get_function() can return NULL and the pointer\n\"function\" was dereferenced without checking against NULL.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48708\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48708\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48708\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48708\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48708\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1177bdafe87cbe543a2dc48a9bbac265aa5864db\",\n \"https://git.kernel.org/stable/c/2b763f7de108cb1a5ad5ed08e617d677341947cb\",\n \"https://git.kernel.org/stable/c/6e2a0521e4e84a2698f2da3950fb5c5496a4d208\",\n \"https://git.kernel.org/stable/c/71668706fbe7d20e6f172fa3287fa8aac1b56c26\",\n \"https://git.kernel.org/stable/c/bcc487001a15f71f103d102cba4ac8145d7a68f2\",\n \"https://git.kernel.org/stable/c/d2d73e6d4822140445ad4a7b1c6091e0f5fe703b\",\n \"https://git.kernel.org/stable/c/e671e63587c92b3fd767cf82e73129f6d5feeb33\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npinctrl: single: fix potential NULL dereference\\n\\nAdded checking of pointer \\\"function\\\" in pcs_set_mux().\\npinmux_generic_get_function() can return NULL and the pointer\\n\\\"function\\\" was dereferenced without checking against NULL.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48708\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48710", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48710" + }, + { + "url": "https://git.kernel.org/stable/c/140d9807b96e1303f6f2675a7ae8710a2094bd17" + }, + { + "url": "https://git.kernel.org/stable/c/16a0f0b63c4c7eb46fc4c3f00bf2836e6ee46a9f" + }, + { + "url": "https://git.kernel.org/stable/c/28fd384c78d7d8ed8af0d086d778c3e438ba7f60" + }, + { + "url": "https://git.kernel.org/stable/c/7b7fba107b2c4ec7673d0f45bdbb9d1af697d9b9" + }, + { + "url": "https://git.kernel.org/stable/c/8a89bfeef9abe93371e3ea8796377f2d132eee29" + }, + { + "url": "https://git.kernel.org/stable/c/a2b28708b645c5632dc93669ab06e97874c8244f" + }, + { + "url": "https://git.kernel.org/stable/c/b33f7d99c9226892c7794dc2500fae35966020c9" + }, + { + "url": "https://git.kernel.org/stable/c/e938d24f0b7392e142b8aa434f18590d99dbe479" + }, + { + "url": "https://git.kernel.org/stable/c/fee8ae0a0bb66eb7730c22f44fbd7203f63c2eab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48710 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48710", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix a possible null pointer dereference\n\nIn radeon_fp_native_mode(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.\n\nThe failure status of drm_cvt_mode() on the other path is checked too.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48710\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48710\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48710\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48710\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48710\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/140d9807b96e1303f6f2675a7ae8710a2094bd17\",\n \"https://git.kernel.org/stable/c/16a0f0b63c4c7eb46fc4c3f00bf2836e6ee46a9f\",\n \"https://git.kernel.org/stable/c/28fd384c78d7d8ed8af0d086d778c3e438ba7f60\",\n \"https://git.kernel.org/stable/c/7b7fba107b2c4ec7673d0f45bdbb9d1af697d9b9\",\n \"https://git.kernel.org/stable/c/8a89bfeef9abe93371e3ea8796377f2d132eee29\",\n \"https://git.kernel.org/stable/c/a2b28708b645c5632dc93669ab06e97874c8244f\",\n \"https://git.kernel.org/stable/c/b33f7d99c9226892c7794dc2500fae35966020c9\",\n \"https://git.kernel.org/stable/c/e938d24f0b7392e142b8aa434f18590d99dbe479\",\n \"https://git.kernel.org/stable/c/fee8ae0a0bb66eb7730c22f44fbd7203f63c2eab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/radeon: fix a possible null pointer dereference\\n\\nIn radeon_fp_native_mode(), the return value of drm_mode_duplicate()\\nis assigned to mode, which will lead to a NULL pointer dereference\\non failure of drm_mode_duplicate(). Add a check to avoid npd.\\n\\nThe failure status of drm_cvt_mode() on the other path is checked too.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48710\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48744", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48744" + }, + { + "url": "https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e" + }, + { + "url": "https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48744 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48744", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid field-overflowing memcpy()\n\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\n\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\n\nWe were doing:\n\n\t#define ETH_HLEN 14\n\t#define VLAN_HLEN 4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n struct mlx5_wqe_eth_seg *eseg = &wqe->eth;\n struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\n\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\n\nstruct mlx5e_tx_wqe {\n struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */\n struct mlx5_wqe_eth_seg eth; /* 16 16 */\n struct mlx5_wqe_data_seg data[]; /* 32 0 */\n\n /* size: 32, cachelines: 1, members: 3 */\n /* last cacheline: 32 bytes */\n};\n\nstruct mlx5_wqe_eth_seg {\n u8 swp_outer_l4_offset; /* 0 1 */\n u8 swp_outer_l3_offset; /* 1 1 */\n u8 swp_inner_l4_offset; /* 2 1 */\n u8 swp_inner_l3_offset; /* 3 1 */\n u8 cs_flags; /* 4 1 */\n u8 swp_flags; /* 5 1 */\n __be16 mss; /* 6 2 */\n __be32 flow_table_metadata; /* 8 4 */\n union {\n struct {\n __be16 sz; /* 12 2 */\n u8 start[2]; /* 14 2 */\n } inline_hdr; /* 12 4 */\n struct {\n __be16 type; /* 12 2 */\n __be16 vlan_tci; /* 14 2 */\n } insert; /* 12 4 */\n __be32 trailer; /* 12 4 */\n }; /* 12 4 */\n\n /* size: 16, cachelines: 1, members: 9 */\n /* last cacheline: 16 bytes */\n};\n\nstruct mlx5_wqe_data_seg {\n __be32 byte_count; /* 0 4 */\n __be32 lkey; /* 4 4 */\n __be64 addr; /* 8 8 */\n\n /* size: 16, cachelines: 1, members: 3 */\n /* last cacheline: 16 bytes */\n};\n\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\n\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48744\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48744\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48744\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48744\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48744\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e\",\n \"https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: Avoid field-overflowing memcpy()\\n\\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\\nintentionally writing across neighboring fields.\\n\\nUse flexible arrays instead of zero-element arrays (which look like they\\nare always overflowing) and split the cross-field memcpy() into two halves\\nthat can be appropriately bounds-checked by the compiler.\\n\\nWe were doing:\\n\\n\\t#define ETH_HLEN 14\\n\\t#define VLAN_HLEN 4\\n\\t...\\n\\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\\n\\t...\\n struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);\\n\\t...\\n struct mlx5_wqe_eth_seg *eseg = &wqe->eth;\\n struct mlx5_wqe_data_seg *dseg = wqe->data;\\n\\t...\\n\\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\\n\\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\\n2 bytes in size), but copying 18, intending to write across start\\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\\n(8 bytes).\\n\\nstruct mlx5e_tx_wqe {\\n struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */\\n struct mlx5_wqe_eth_seg eth; /* 16 16 */\\n struct mlx5_wqe_data_seg data[]; /* 32 0 */\\n\\n /* size: 32, cachelines: 1, members: 3 */\\n /* last cacheline: 32 bytes */\\n};\\n\\nstruct mlx5_wqe_eth_seg {\\n u8 swp_outer_l4_offset; /* 0 1 */\\n u8 swp_outer_l3_offset; /* 1 1 */\\n u8 swp_inner_l4_offset; /* 2 1 */\\n u8 swp_inner_l3_offset; /* 3 1 */\\n u8 cs_flags; /* 4 1 */\\n u8 swp_flags; /* 5 1 */\\n __be16 mss; /* 6 2 */\\n __be32 flow_table_metadata; /* 8 4 */\\n union {\\n struct {\\n __be16 sz; /* 12 2 */\\n u8 start[2]; /* 14 2 */\\n } inline_hdr; /* 12 4 */\\n struct {\\n __be16 type; /* 12 2 */\\n __be16 vlan_tci; /* 14 2 */\\n } insert; /* 12 4 */\\n __be32 trailer; /* 12 4 */\\n }; /* 12 4 */\\n\\n /* size: 16, cachelines: 1, members: 9 */\\n /* last cacheline: 16 bytes */\\n};\\n\\nstruct mlx5_wqe_data_seg {\\n __be32 byte_count; /* 0 4 */\\n __be32 lkey; /* 4 4 */\\n __be64 addr; /* 8 8 */\\n\\n /* size: 16, cachelines: 1, members: 3 */\\n /* last cacheline: 16 bytes */\\n};\\n\\nSo, split the memcpy() so the compiler can reason about the buffer\\nsizes.\\n\\n\\\"pahole\\\" shows no size nor member offset changes to struct mlx5e_tx_wqe\\nnor struct mlx5e_umr_wqe. \\\"objdump -d\\\" shows no meaningful object\\ncode changes (i.e. only source line number induced differences and\\noptimizations).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48744\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48766", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48766" + }, + { + "url": "https://git.kernel.org/stable/c/25f1488bdbba63415239ff301fe61a8546140d9f" + }, + { + "url": "https://git.kernel.org/stable/c/456ba2433844a6483cc4c933aa8f43d24575e341" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48766 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48766", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wrap dcn301_calculate_wm_and_dlg for FPU.\n\nMirrors the logic for dcn30. Cue lots of WARNs and some\nkernel panics without this fix.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48766\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48766\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48766\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48766\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48766\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25f1488bdbba63415239ff301fe61a8546140d9f\",\n \"https://git.kernel.org/stable/c/456ba2433844a6483cc4c933aa8f43d24575e341\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Wrap dcn301_calculate_wm_and_dlg for FPU.\\n\\nMirrors the logic for dcn30. Cue lots of WARNs and some\\nkernel panics without this fix.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48766\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48771", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48771" + }, + { + "url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d" + }, + { + "url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565" + }, + { + "url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c" + }, + { + "url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82" + }, + { + "url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c" + }, + { + "url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414" + }, + { + "url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48771 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48771", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48771\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48771\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48771\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48771\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48771\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d\",\n \"https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565\",\n \"https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c\",\n \"https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82\",\n \"https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c\",\n \"https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414\",\n \"https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\\n\\nA failing usercopy of the fence_rep object will lead to a stale entry in\\nthe file descriptor table as put_unused_fd() won't release it. This\\nenables userland to refer to a dangling 'file' object through that still\\nvalid file descriptor, leading to all kinds of use-after-free\\nexploitation scenarios.\\n\\nFix this by deferring the call to fd_install() until after the usercopy\\nhas succeeded.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48771\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48772", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48772" + }, + { + "url": "https://git.kernel.org/stable/c/526238d32c3acc3d597fd8c9a34652bfe9086cea" + }, + { + "url": "https://git.kernel.org/stable/c/7d12e918f2994c883f41f22552a61b9310fa1e87" + }, + { + "url": "https://git.kernel.org/stable/c/8915dcd29a82096acacf54364a8425363782aea0" + }, + { + "url": "https://git.kernel.org/stable/c/8e1e00718d0d9dd83337300572561e30b9c0d115" + }, + { + "url": "https://git.kernel.org/stable/c/b479fd59a1f4a342b69fce34f222d93bf791dca4" + }, + { + "url": "https://git.kernel.org/stable/c/c1115ddbda9c930fba0fdd062e7a8873ebaf898d" + }, + { + "url": "https://git.kernel.org/stable/c/d082757b8359201c3864323cea4b91ea30a1e676" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48772 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48772", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: lgdt3306a: Add a check against null-pointer-def\n\nThe driver should check whether the client provides the platform_data.\n\nThe following log reveals it:\n\n[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[ 29.612820] Call Trace:\n[ 29.613030] \n[ 29.613201] dump_stack_lvl+0x56/0x6f\n[ 29.613496] ? kmemdup+0x30/0x40\n[ 29.613754] print_report.cold+0x494/0x6b7\n[ 29.614082] ? kmemdup+0x30/0x40\n[ 29.614340] kasan_report+0x8a/0x190\n[ 29.614628] ? kmemdup+0x30/0x40\n[ 29.614888] kasan_check_range+0x14d/0x1d0\n[ 29.615213] memcpy+0x20/0x60\n[ 29.615454] kmemdup+0x30/0x40\n[ 29.615700] lgdt3306a_probe+0x52/0x310\n[ 29.616339] i2c_device_probe+0x951/0xa90", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48772\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48772\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48772\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48772\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48772\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/526238d32c3acc3d597fd8c9a34652bfe9086cea\",\n \"https://git.kernel.org/stable/c/7d12e918f2994c883f41f22552a61b9310fa1e87\",\n \"https://git.kernel.org/stable/c/8915dcd29a82096acacf54364a8425363782aea0\",\n \"https://git.kernel.org/stable/c/8e1e00718d0d9dd83337300572561e30b9c0d115\",\n \"https://git.kernel.org/stable/c/b479fd59a1f4a342b69fce34f222d93bf791dca4\",\n \"https://git.kernel.org/stable/c/c1115ddbda9c930fba0fdd062e7a8873ebaf898d\",\n \"https://git.kernel.org/stable/c/d082757b8359201c3864323cea4b91ea30a1e676\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: lgdt3306a: Add a check against null-pointer-def\\n\\nThe driver should check whether the client provides the platform_data.\\n\\nThe following log reveals it:\\n\\n[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\\n[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\\n[ 29.612820] Call Trace:\\n[ 29.613030] \\n[ 29.613201] dump_stack_lvl+0x56/0x6f\\n[ 29.613496] ? kmemdup+0x30/0x40\\n[ 29.613754] print_report.cold+0x494/0x6b7\\n[ 29.614082] ? kmemdup+0x30/0x40\\n[ 29.614340] kasan_report+0x8a/0x190\\n[ 29.614628] ? kmemdup+0x30/0x40\\n[ 29.614888] kasan_check_range+0x14d/0x1d0\\n[ 29.615213] memcpy+0x20/0x60\\n[ 29.615454] kmemdup+0x30/0x40\\n[ 29.615700] lgdt3306a_probe+0x52/0x310\\n[ 29.616339] i2c_device_probe+0x951/0xa90\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48772\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48781", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48781" + }, + { + "url": "https://git.kernel.org/stable/c/25206111512de994dfc914f5b2972a22aa904ef3" + }, + { + "url": "https://git.kernel.org/stable/c/9d06f489b9e901580159e21fdc29f73df7ed08dc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48781 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48781", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - get rid of alg_memory_allocated\n\nalg_memory_allocated does not seem to be really used.\n\nalg_proto does have a .memory_allocated field, but no\ncorresponding .sysctl_mem.\n\nThis means sk_has_account() returns true, but all sk_prot_mem_limits()\nusers will trigger a NULL dereference [1].\n\nTHis was not a problem until SO_RESERVE_MEM addition.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 3591 Comm: syz-executor153 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n sock_setsockopt+0x14a9/0x3a30 net/core/sock.c:1446\n __sys_setsockopt+0x5af/0x980 net/socket.c:2176\n __do_sys_setsockopt net/socket.c:2191 [inline]\n __se_sys_setsockopt net/socket.c:2188 [inline]\n __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2188\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fc7440fddc9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe98f07968 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7440fddc9\nRDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000004 R09: 00007ffe98f07990\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe98f0798c\nR13: 00007ffe98f079a0 R14: 00007ffe98f079e0 R15: 0000000000000000\n \nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48781\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48781\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48781\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48781\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48781\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25206111512de994dfc914f5b2972a22aa904ef3\",\n \"https://git.kernel.org/stable/c/9d06f489b9e901580159e21fdc29f73df7ed08dc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: af_alg - get rid of alg_memory_allocated\\n\\nalg_memory_allocated does not seem to be really used.\\n\\nalg_proto does have a .memory_allocated field, but no\\ncorresponding .sysctl_mem.\\n\\nThis means sk_has_account() returns true, but all sk_prot_mem_limits()\\nusers will trigger a NULL dereference [1].\\n\\nTHis was not a problem until SO_RESERVE_MEM addition.\\n\\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN\\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\\nCPU: 1 PID: 3591 Comm: syz-executor153 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n sock_setsockopt+0x14a9/0x3a30 net/core/sock.c:1446\\n __sys_setsockopt+0x5af/0x980 net/socket.c:2176\\n __do_sys_setsockopt net/socket.c:2191 [inline]\\n __se_sys_setsockopt net/socket.c:2188 [inline]\\n __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2188\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x44/0xae\\nRIP: 0033:0x7fc7440fddc9\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007ffe98f07968 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7440fddc9\\nRDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000004\\nRBP: 0000000000000000 R08: 0000000000000004 R09: 00007ffe98f07990\\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe98f0798c\\nR13: 00007ffe98f079a0 R14: 00007ffe98f079e0 R15: 0000000000000000\\n \\nModules linked in:\\n---[ end trace 0000000000000000 ]---\\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48781\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48808", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48808" + }, + { + "url": "https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7" + }, + { + "url": "https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae" + }, + { + "url": "https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48808 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48808", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix panic when DSA master device unbinds on shutdown\n\nRafael reports that on a system with LX2160A and Marvell DSA switches,\nif a reboot occurs while the DSA master (dpaa2-eth) is up, the following\npanic can be seen:\n\nsystemd-shutdown[1]: Rebooting.\nUnable to handle kernel paging request at virtual address 00a0000800000041\n[00a0000800000041] address between user and kernel address ranges\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32\npc : dsa_slave_netdevice_event+0x130/0x3e4\nlr : raw_notifier_call_chain+0x50/0x6c\nCall trace:\n dsa_slave_netdevice_event+0x130/0x3e4\n raw_notifier_call_chain+0x50/0x6c\n call_netdevice_notifiers_info+0x54/0xa0\n __dev_close_many+0x50/0x130\n dev_close_many+0x84/0x120\n unregister_netdevice_many+0x130/0x710\n unregister_netdevice_queue+0x8c/0xd0\n unregister_netdev+0x20/0x30\n dpaa2_eth_remove+0x68/0x190\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x94/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_device_remove+0x24/0x40\n __fsl_mc_device_remove+0xc/0x20\n device_for_each_child+0x58/0xa0\n dprc_remove+0x90/0xb0\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_bus_remove+0x80/0x100\n fsl_mc_bus_shutdown+0xc/0x1c\n platform_shutdown+0x20/0x30\n device_shutdown+0x154/0x330\n __do_sys_reboot+0x1cc/0x250\n __arm64_sys_reboot+0x20/0x30\n invoke_syscall.constprop.0+0x4c/0xe0\n do_el0_svc+0x4c/0x150\n el0_svc+0x24/0xb0\n el0t_64_sync_handler+0xa8/0xb0\n el0t_64_sync+0x178/0x17c\n\nIt can be seen from the stack trace that the problem is that the\nderegistration of the master causes a dev_close(), which gets notified\nas NETDEV_GOING_DOWN to dsa_slave_netdevice_event().\nBut dsa_switch_shutdown() has already run, and this has unregistered the\nDSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to\ncall dev_close_many() on those slave interfaces, leading to the problem.\n\nThe previous attempt to avoid the NETDEV_GOING_DOWN on the master after\ndsa_switch_shutdown() was called seems improper. Unregistering the slave\ninterfaces is unnecessary and unhelpful. Instead, after the slaves have\nstopped being uppers of the DSA master, we can now reset to NULL the\nmaster->dsa_ptr pointer, which will make DSA start ignoring all future\nnotifier events on the master.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48808\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48808\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48808\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48808\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48808\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7\",\n \"https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae\",\n \"https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: fix panic when DSA master device unbinds on shutdown\\n\\nRafael reports that on a system with LX2160A and Marvell DSA switches,\\nif a reboot occurs while the DSA master (dpaa2-eth) is up, the following\\npanic can be seen:\\n\\nsystemd-shutdown[1]: Rebooting.\\nUnable to handle kernel paging request at virtual address 00a0000800000041\\n[00a0000800000041] address between user and kernel address ranges\\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\\nCPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32\\npc : dsa_slave_netdevice_event+0x130/0x3e4\\nlr : raw_notifier_call_chain+0x50/0x6c\\nCall trace:\\n dsa_slave_netdevice_event+0x130/0x3e4\\n raw_notifier_call_chain+0x50/0x6c\\n call_netdevice_notifiers_info+0x54/0xa0\\n __dev_close_many+0x50/0x130\\n dev_close_many+0x84/0x120\\n unregister_netdevice_many+0x130/0x710\\n unregister_netdevice_queue+0x8c/0xd0\\n unregister_netdev+0x20/0x30\\n dpaa2_eth_remove+0x68/0x190\\n fsl_mc_driver_remove+0x20/0x5c\\n __device_release_driver+0x21c/0x220\\n device_release_driver_internal+0xac/0xb0\\n device_links_unbind_consumers+0xd4/0x100\\n __device_release_driver+0x94/0x220\\n device_release_driver+0x28/0x40\\n bus_remove_device+0x118/0x124\\n device_del+0x174/0x420\\n fsl_mc_device_remove+0x24/0x40\\n __fsl_mc_device_remove+0xc/0x20\\n device_for_each_child+0x58/0xa0\\n dprc_remove+0x90/0xb0\\n fsl_mc_driver_remove+0x20/0x5c\\n __device_release_driver+0x21c/0x220\\n device_release_driver+0x28/0x40\\n bus_remove_device+0x118/0x124\\n device_del+0x174/0x420\\n fsl_mc_bus_remove+0x80/0x100\\n fsl_mc_bus_shutdown+0xc/0x1c\\n platform_shutdown+0x20/0x30\\n device_shutdown+0x154/0x330\\n __do_sys_reboot+0x1cc/0x250\\n __arm64_sys_reboot+0x20/0x30\\n invoke_syscall.constprop.0+0x4c/0xe0\\n do_el0_svc+0x4c/0x150\\n el0_svc+0x24/0xb0\\n el0t_64_sync_handler+0xa8/0xb0\\n el0t_64_sync+0x178/0x17c\\n\\nIt can be seen from the stack trace that the problem is that the\\nderegistration of the master causes a dev_close(), which gets notified\\nas NETDEV_GOING_DOWN to dsa_slave_netdevice_event().\\nBut dsa_switch_shutdown() has already run, and this has unregistered the\\nDSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to\\ncall dev_close_many() on those slave interfaces, leading to the problem.\\n\\nThe previous attempt to avoid the NETDEV_GOING_DOWN on the master after\\ndsa_switch_shutdown() was called seems improper. Unregistering the slave\\ninterfaces is unnecessary and unhelpful. Instead, after the slaves have\\nstopped being uppers of the DSA master, we can now reset to NULL the\\nmaster->dsa_ptr pointer, which will make DSA start ignoring all future\\nnotifier events on the master.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48808\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48816", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48816" + }, + { + "url": "https://git.kernel.org/stable/c/9482ab4540f5bcc869b44c067ae99b5fca16bd07" + }, + { + "url": "https://git.kernel.org/stable/c/b49ea673e119f59c71645e2f65b3ccad857c90ee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48816 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48816", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: lock against ->sock changing during sysfs read\n\n->sock can be set to NULL asynchronously unless ->recv_mutex is held.\nSo it is important to hold that mutex. Otherwise a sysfs read can\ntrigger an oops.\nCommit 17f09d3f619a (\"SUNRPC: Check if the xprt is connected before\nhandling sysfs reads\") appears to attempt to fix this problem, but it\nonly narrows the race window.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48816\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48816\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48816\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48816\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48816\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/9482ab4540f5bcc869b44c067ae99b5fca16bd07\",\n \"https://git.kernel.org/stable/c/b49ea673e119f59c71645e2f65b3ccad857c90ee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSUNRPC: lock against ->sock changing during sysfs read\\n\\n->sock can be set to NULL asynchronously unless ->recv_mutex is held.\\nSo it is important to hold that mutex. Otherwise a sysfs read can\\ntrigger an oops.\\nCommit 17f09d3f619a (\\\"SUNRPC: Check if the xprt is connected before\\nhandling sysfs reads\\\") appears to attempt to fix this problem, but it\\nonly narrows the race window.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48816\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48833", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48833" + }, + { + "url": "https://git.kernel.org/stable/c/40cdc509877bacb438213b83c7541c5e24a1d9ec" + }, + { + "url": "https://git.kernel.org/stable/c/44557a8f539a822c91238c1f95a95f98a5093d82" + }, + { + "url": "https://git.kernel.org/stable/c/4c5d94990fa2fd609360ecd0f7e183212a7d115c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48833 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48833", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: skip reserved bytes warning on unmount after log cleanup failure\n\nAfter the recent changes made by commit c2e39305299f01 (\"btrfs: clear\nextent buffer uptodate when we fail to write it\") and its followup fix,\ncommit 651740a5024117 (\"btrfs: check WRITE_ERR when trying to read an\nextent buffer\"), we can now end up not cleaning up space reservations of\nlog tree extent buffers after a transaction abort happens, as well as not\ncleaning up still dirty extent buffers.\n\nThis happens because if writeback for a log tree extent buffer failed,\nthen we have cleared the bit EXTENT_BUFFER_UPTODATE from the extent buffer\nand we have also set the bit EXTENT_BUFFER_WRITE_ERR on it. Later on,\nwhen trying to free the log tree with free_log_tree(), which iterates\nover the tree, we can end up getting an -EIO error when trying to read\na node or a leaf, since read_extent_buffer_pages() returns -EIO if an\nextent buffer does not have EXTENT_BUFFER_UPTODATE set and has the\nEXTENT_BUFFER_WRITE_ERR bit set. Getting that -EIO means that we return\nimmediately as we can not iterate over the entire tree.\n\nIn that case we never update the reserved space for an extent buffer in\nthe respective block group and space_info object.\n\nWhen this happens we get the following traces when unmounting the fs:\n\n[174957.284509] BTRFS: error (device dm-0) in cleanup_transaction:1913: errno=-5 IO failure\n[174957.286497] BTRFS: error (device dm-0) in free_log_tree:3420: errno=-5 IO failure\n[174957.399379] ------------[ cut here ]------------\n[174957.402497] WARNING: CPU: 2 PID: 3206883 at fs/btrfs/block-group.c:127 btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.407523] Modules linked in: btrfs overlay dm_zero (...)\n[174957.424917] CPU: 2 PID: 3206883 Comm: umount Tainted: G W 5.16.0-rc5-btrfs-next-109 #1\n[174957.426689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[174957.428716] RIP: 0010:btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.429717] Code: 21 48 8b bd (...)\n[174957.432867] RSP: 0018:ffffb70d41cffdd0 EFLAGS: 00010206\n[174957.433632] RAX: 0000000000000001 RBX: ffff8b09c3848000 RCX: ffff8b0758edd1c8\n[174957.434689] RDX: 0000000000000001 RSI: ffffffffc0b467e7 RDI: ffff8b0758edd000\n[174957.436068] RBP: ffff8b0758edd000 R08: 0000000000000000 R09: 0000000000000000\n[174957.437114] R10: 0000000000000246 R11: 0000000000000000 R12: ffff8b09c3848148\n[174957.438140] R13: ffff8b09c3848198 R14: ffff8b0758edd188 R15: dead000000000100\n[174957.439317] FS: 00007f328fb82800(0000) GS:ffff8b0a2d200000(0000) knlGS:0000000000000000\n[174957.440402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[174957.441164] CR2: 00007fff13563e98 CR3: 0000000404f4e005 CR4: 0000000000370ee0\n[174957.442117] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[174957.443076] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[174957.443948] Call Trace:\n[174957.444264] \n[174957.444538] btrfs_free_block_groups+0x255/0x3c0 [btrfs]\n[174957.445238] close_ctree+0x301/0x357 [btrfs]\n[174957.445803] ? call_rcu+0x16c/0x290\n[174957.446250] generic_shutdown_super+0x74/0x120\n[174957.446832] kill_anon_super+0x14/0x30\n[174957.447305] btrfs_kill_super+0x12/0x20 [btrfs]\n[174957.447890] deactivate_locked_super+0x31/0xa0\n[174957.448440] cleanup_mnt+0x147/0x1c0\n[174957.448888] task_work_run+0x5c/0xa0\n[174957.449336] exit_to_user_mode_prepare+0x1e5/0x1f0\n[174957.449934] syscall_exit_to_user_mode+0x16/0x40\n[174957.450512] do_syscall_64+0x48/0xc0\n[174957.450980] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[174957.451605] RIP: 0033:0x7f328fdc4a97\n[174957.452059] Code: 03 0c 00 f7 (...)\n[174957.454320] RSP: 002b:00007fff13564ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n[174957.455262] RAX: 0000000000000000 RBX: 00007f328feea264 RCX: 00007f328fdc4a97\n[174957.456131] RDX: 0000000000000000 RSI: 00000000000000\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48833\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48833\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48833\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48833\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48833\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/40cdc509877bacb438213b83c7541c5e24a1d9ec\",\n \"https://git.kernel.org/stable/c/44557a8f539a822c91238c1f95a95f98a5093d82\",\n \"https://git.kernel.org/stable/c/4c5d94990fa2fd609360ecd0f7e183212a7d115c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: skip reserved bytes warning on unmount after log cleanup failure\\n\\nAfter the recent changes made by commit c2e39305299f01 (\\\"btrfs: clear\\nextent buffer uptodate when we fail to write it\\\") and its followup fix,\\ncommit 651740a5024117 (\\\"btrfs: check WRITE_ERR when trying to read an\\nextent buffer\\\"), we can now end up not cleaning up space reservations of\\nlog tree extent buffers after a transaction abort happens, as well as not\\ncleaning up still dirty extent buffers.\\n\\nThis happens because if writeback for a log tree extent buffer failed,\\nthen we have cleared the bit EXTENT_BUFFER_UPTODATE from the extent buffer\\nand we have also set the bit EXTENT_BUFFER_WRITE_ERR on it. Later on,\\nwhen trying to free the log tree with free_log_tree(), which iterates\\nover the tree, we can end up getting an -EIO error when trying to read\\na node or a leaf, since read_extent_buffer_pages() returns -EIO if an\\nextent buffer does not have EXTENT_BUFFER_UPTODATE set and has the\\nEXTENT_BUFFER_WRITE_ERR bit set. Getting that -EIO means that we return\\nimmediately as we can not iterate over the entire tree.\\n\\nIn that case we never update the reserved space for an extent buffer in\\nthe respective block group and space_info object.\\n\\nWhen this happens we get the following traces when unmounting the fs:\\n\\n[174957.284509] BTRFS: error (device dm-0) in cleanup_transaction:1913: errno=-5 IO failure\\n[174957.286497] BTRFS: error (device dm-0) in free_log_tree:3420: errno=-5 IO failure\\n[174957.399379] ------------[ cut here ]------------\\n[174957.402497] WARNING: CPU: 2 PID: 3206883 at fs/btrfs/block-group.c:127 btrfs_put_block_group+0x77/0xb0 [btrfs]\\n[174957.407523] Modules linked in: btrfs overlay dm_zero (...)\\n[174957.424917] CPU: 2 PID: 3206883 Comm: umount Tainted: G W 5.16.0-rc5-btrfs-next-109 #1\\n[174957.426689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\n[174957.428716] RIP: 0010:btrfs_put_block_group+0x77/0xb0 [btrfs]\\n[174957.429717] Code: 21 48 8b bd (...)\\n[174957.432867] RSP: 0018:ffffb70d41cffdd0 EFLAGS: 00010206\\n[174957.433632] RAX: 0000000000000001 RBX: ffff8b09c3848000 RCX: ffff8b0758edd1c8\\n[174957.434689] RDX: 0000000000000001 RSI: ffffffffc0b467e7 RDI: ffff8b0758edd000\\n[174957.436068] RBP: ffff8b0758edd000 R08: 0000000000000000 R09: 0000000000000000\\n[174957.437114] R10: 0000000000000246 R11: 0000000000000000 R12: ffff8b09c3848148\\n[174957.438140] R13: ffff8b09c3848198 R14: ffff8b0758edd188 R15: dead000000000100\\n[174957.439317] FS: 00007f328fb82800(0000) GS:ffff8b0a2d200000(0000) knlGS:0000000000000000\\n[174957.440402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[174957.441164] CR2: 00007fff13563e98 CR3: 0000000404f4e005 CR4: 0000000000370ee0\\n[174957.442117] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[174957.443076] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[174957.443948] Call Trace:\\n[174957.444264] \\n[174957.444538] btrfs_free_block_groups+0x255/0x3c0 [btrfs]\\n[174957.445238] close_ctree+0x301/0x357 [btrfs]\\n[174957.445803] ? call_rcu+0x16c/0x290\\n[174957.446250] generic_shutdown_super+0x74/0x120\\n[174957.446832] kill_anon_super+0x14/0x30\\n[174957.447305] btrfs_kill_super+0x12/0x20 [btrfs]\\n[174957.447890] deactivate_locked_super+0x31/0xa0\\n[174957.448440] cleanup_mnt+0x147/0x1c0\\n[174957.448888] task_work_run+0x5c/0xa0\\n[174957.449336] exit_to_user_mode_prepare+0x1e5/0x1f0\\n[174957.449934] syscall_exit_to_user_mode+0x16/0x40\\n[174957.450512] do_syscall_64+0x48/0xc0\\n[174957.450980] entry_SYSCALL_64_after_hwframe+0x44/0xae\\n[174957.451605] RIP: 0033:0x7f328fdc4a97\\n[174957.452059] Code: 03 0c 00 f7 (...)\\n[174957.454320] RSP: 002b:00007fff13564ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\\n[174957.455262] RAX: 0000000000000000 RBX: 00007f328feea264 RCX: 00007f328fdc4a97\\n[174957.456131] RDX: 0000000000000000 RSI: 00000000000000\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48833\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48834", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48834" + }, + { + "url": "https://git.kernel.org/stable/c/10a805334a11acd547602d6c4cf540a0f6ab5c6e" + }, + { + "url": "https://git.kernel.org/stable/c/5f6a2d63c68c12cf61259df7c3527a0e05dce952" + }, + { + "url": "https://git.kernel.org/stable/c/700a0715854c1e79a73341724ce4f5bb01abc016" + }, + { + "url": "https://git.kernel.org/stable/c/c69aef9db878ab277068a8cc1b4bf0cf309dc2b7" + }, + { + "url": "https://git.kernel.org/stable/c/e9b667a82cdcfe21d590344447d65daed52b353b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48834 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48834", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbtmc: Fix bug in pipe direction for control transfers\n\nThe syzbot fuzzer reported a minor bug in the usbtmc driver:\n\nusb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0\nWARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412\nusb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410\nModules linked in:\nCPU: 0 PID: 3813 Comm: syz-executor122 Not tainted\n5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\n...\nCall Trace:\n \n usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153\n usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]\n\nThe problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for\nall of its transfers, whether they are in or out. It's easy to fix.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48834\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48834\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48834\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48834\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48834\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10a805334a11acd547602d6c4cf540a0f6ab5c6e\",\n \"https://git.kernel.org/stable/c/5f6a2d63c68c12cf61259df7c3527a0e05dce952\",\n \"https://git.kernel.org/stable/c/700a0715854c1e79a73341724ce4f5bb01abc016\",\n \"https://git.kernel.org/stable/c/c69aef9db878ab277068a8cc1b4bf0cf309dc2b7\",\n \"https://git.kernel.org/stable/c/e9b667a82cdcfe21d590344447d65daed52b353b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: usbtmc: Fix bug in pipe direction for control transfers\\n\\nThe syzbot fuzzer reported a minor bug in the usbtmc driver:\\n\\nusb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0\\nWARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412\\nusb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410\\nModules linked in:\\nCPU: 0 PID: 3813 Comm: syz-executor122 Not tainted\\n5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\\n...\\nCall Trace:\\n \\n usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58\\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\\n usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153\\n usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]\\n\\nThe problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for\\nall of its transfers, whether they are in or out. It's easy to fix.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48834\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48835", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48835" + }, + { + "url": "https://git.kernel.org/stable/c/0cd2dd4bcf4abc812148c4943f966a3c8dccb00f" + }, + { + "url": "https://git.kernel.org/stable/c/3916e33b917581e2b2086e856c291cb86ea98a05" + }, + { + "url": "https://git.kernel.org/stable/c/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3" + }, + { + "url": "https://git.kernel.org/stable/c/98e7a654a5bebaf1a28e987af5e44c002544a413" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48835 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48835", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Page fault in reply q processing\n\nA page fault was encountered in mpt3sas on a LUN reset error path:\n\n[ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)\n[ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)\n[ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)\n[ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00\n[ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)\n[ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)\n[ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)\n[ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d\n[ 149.885617] #PF: supervisor read access in kernel mode\n[ 149.894346] #PF: error_code(0x0000) - not-present page\n[ 149.903123] PGD 0 P4D 0\n[ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1\n[ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021\n[ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]\n[ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee\n[ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246\n[ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071\n[ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8\n[ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff\n[ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000\n[ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80\n[ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000\n[ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0\n[ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 150.108323] PKRU: 55555554\n[ 150.114690] Call Trace:\n[ 150.120497] ? printk+0x48/0x4a\n[ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]\n[ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]\n[ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas]\n[ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]\n[ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod]\n[ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60\n[ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod]\n[ 150.203206] ? __schedule+0x1e9/0x610\n[ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]\n[ 150.217924] kthread+0x12e/0x150\n[ 150.224041] ? kthread_worker_fn+0x130/0x130\n[ 150.231206] ret_from_fork+0x1f/0x30\n\nThis is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q\npointer outside of the list_for_each_entry() loop. At the end of the full\nlist traversal the pointer is invalid.\n\nMove the _base_process_reply_queue() call inside of the loop.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48835\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48835\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48835\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48835\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48835\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0cd2dd4bcf4abc812148c4943f966a3c8dccb00f\",\n \"https://git.kernel.org/stable/c/3916e33b917581e2b2086e856c291cb86ea98a05\",\n \"https://git.kernel.org/stable/c/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3\",\n \"https://git.kernel.org/stable/c/98e7a654a5bebaf1a28e987af5e44c002544a413\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: mpt3sas: Page fault in reply q processing\\n\\nA page fault was encountered in mpt3sas on a LUN reset error path:\\n\\n[ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)\\n[ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)\\n[ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)\\n[ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00\\n[ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)\\n[ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)\\n[ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)\\n[ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d\\n[ 149.885617] #PF: supervisor read access in kernel mode\\n[ 149.894346] #PF: error_code(0x0000) - not-present page\\n[ 149.903123] PGD 0 P4D 0\\n[ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI\\n[ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1\\n[ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021\\n[ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]\\n[ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee\\n[ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246\\n[ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071\\n[ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8\\n[ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff\\n[ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000\\n[ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80\\n[ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000\\n[ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0\\n[ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 150.108323] PKRU: 55555554\\n[ 150.114690] Call Trace:\\n[ 150.120497] ? printk+0x48/0x4a\\n[ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]\\n[ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]\\n[ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas]\\n[ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]\\n[ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod]\\n[ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\\n[ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60\\n[ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\\n[ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod]\\n[ 150.203206] ? __schedule+0x1e9/0x610\\n[ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]\\n[ 150.217924] kthread+0x12e/0x150\\n[ 150.224041] ? kthread_worker_fn+0x130/0x130\\n[ 150.231206] ret_from_fork+0x1f/0x30\\n\\nThis is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q\\npointer outside of the list_for_each_entry() loop. At the end of the full\\nlist traversal the pointer is invalid.\\n\\nMove the _base_process_reply_queue() call inside of the loop.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48835\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48836", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48836" + }, + { + "url": "https://git.kernel.org/stable/c/35069e654bcab567ff8b9f0e68e1caf82c15dcd7" + }, + { + "url": "https://git.kernel.org/stable/c/5600f6986628dde8881734090588474f54a540a8" + }, + { + "url": "https://git.kernel.org/stable/c/57277a8b5d881e02051ba9d7f6cb3f915c229821" + }, + { + "url": "https://git.kernel.org/stable/c/6de20111cd0bb7da9b2294073ba00c7d2a6c1c4f" + }, + { + "url": "https://git.kernel.org/stable/c/e732b0412f8c603d1e998f3bff41b5e7d5c3914c" + }, + { + "url": "https://git.kernel.org/stable/c/e762f57ff255af28236cd02ca9fc5c7e5a089d31" + }, + { + "url": "https://git.kernel.org/stable/c/f0d43d22d24182b94d7eb78a2bf6ae7e2b33204a" + }, + { + "url": "https://git.kernel.org/stable/c/fc8033a55e2796d21e370260a784ac9fbb8305a6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48836 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48836", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: aiptek - properly check endpoint type\n\nSyzbot reported warning in usb_submit_urb() which is caused by wrong\nendpoint type. There was a check for the number of endpoints, but not\nfor the type of endpoint.\n\nFix it by replacing old desc.bNumEndpoints check with\nusb_find_common_endpoints() helper for finding endpoints\n\nFail log:\n\nusb 5-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nWorkqueue: usb_hub_wq hub_event\n...\nCall Trace:\n \n aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830\n input_open_device+0x1bb/0x320 drivers/input/input.c:629\n kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48836\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48836\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48836\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48836\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48836\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/35069e654bcab567ff8b9f0e68e1caf82c15dcd7\",\n \"https://git.kernel.org/stable/c/5600f6986628dde8881734090588474f54a540a8\",\n \"https://git.kernel.org/stable/c/57277a8b5d881e02051ba9d7f6cb3f915c229821\",\n \"https://git.kernel.org/stable/c/6de20111cd0bb7da9b2294073ba00c7d2a6c1c4f\",\n \"https://git.kernel.org/stable/c/e732b0412f8c603d1e998f3bff41b5e7d5c3914c\",\n \"https://git.kernel.org/stable/c/e762f57ff255af28236cd02ca9fc5c7e5a089d31\",\n \"https://git.kernel.org/stable/c/f0d43d22d24182b94d7eb78a2bf6ae7e2b33204a\",\n \"https://git.kernel.org/stable/c/fc8033a55e2796d21e370260a784ac9fbb8305a6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nInput: aiptek - properly check endpoint type\\n\\nSyzbot reported warning in usb_submit_urb() which is caused by wrong\\nendpoint type. There was a check for the number of endpoints, but not\\nfor the type of endpoint.\\n\\nFix it by replacing old desc.bNumEndpoints check with\\nusb_find_common_endpoints() helper for finding endpoints\\n\\nFail log:\\n\\nusb 5-1: BOGUS urb xfer, pipe 1 != type 3\\nWARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\\nModules linked in:\\nCPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\\nWorkqueue: usb_hub_wq hub_event\\n...\\nCall Trace:\\n \\n aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830\\n input_open_device+0x1bb/0x320 drivers/input/input.c:629\\n kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48836\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48837", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48837" + }, + { + "url": "https://git.kernel.org/stable/c/138d4f739b35dfb40438a0d5d7054965763bfbe7" + }, + { + "url": "https://git.kernel.org/stable/c/21829376268397f9fd2c35cfa9135937b6aa3a1e" + }, + { + "url": "https://git.kernel.org/stable/c/28bc0267399f42f987916a7174e2e32f0833cc65" + }, + { + "url": "https://git.kernel.org/stable/c/56b38e3ca4064041d93c1ca18828c8cedad2e16c" + }, + { + "url": "https://git.kernel.org/stable/c/65f3324f4b6fed78b8761c3b74615ecf0ffa81fa" + }, + { + "url": "https://git.kernel.org/stable/c/8b3e4d26bc9cd0f6373d0095b9ffd99e7da8006b" + }, + { + "url": "https://git.kernel.org/stable/c/c7953cf03a26876d676145ce5d2ae6d8c9630b90" + }, + { + "url": "https://git.kernel.org/stable/c/df7e088d51cdf78b1a0bf1f3d405c2593295c7b0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48837 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48837", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: prevent integer overflow in rndis_set_response()\n\nIf \"BufOffset\" is very large the \"BufOffset + 8\" operation can have an\ninteger overflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48837\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48837\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48837\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48837\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48837\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/138d4f739b35dfb40438a0d5d7054965763bfbe7\",\n \"https://git.kernel.org/stable/c/21829376268397f9fd2c35cfa9135937b6aa3a1e\",\n \"https://git.kernel.org/stable/c/28bc0267399f42f987916a7174e2e32f0833cc65\",\n \"https://git.kernel.org/stable/c/56b38e3ca4064041d93c1ca18828c8cedad2e16c\",\n \"https://git.kernel.org/stable/c/65f3324f4b6fed78b8761c3b74615ecf0ffa81fa\",\n \"https://git.kernel.org/stable/c/8b3e4d26bc9cd0f6373d0095b9ffd99e7da8006b\",\n \"https://git.kernel.org/stable/c/c7953cf03a26876d676145ce5d2ae6d8c9630b90\",\n \"https://git.kernel.org/stable/c/df7e088d51cdf78b1a0bf1f3d405c2593295c7b0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: rndis: prevent integer overflow in rndis_set_response()\\n\\nIf \\\"BufOffset\\\" is very large the \\\"BufOffset + 8\\\" operation can have an\\ninteger overflow.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48837\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48838", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48838" + }, + { + "url": "https://git.kernel.org/stable/c/00bdd9bf1ac6d401ad926d3d8df41b9f1399f646" + }, + { + "url": "https://git.kernel.org/stable/c/16b1941eac2bd499f065a6739a40ce0011a3d740" + }, + { + "url": "https://git.kernel.org/stable/c/2015c23610cd0efadaeca4d3a8d1dae9a45aa35a" + }, + { + "url": "https://git.kernel.org/stable/c/2282a6eb6d4e118e294e43dcc421e0e0fe4040b5" + }, + { + "url": "https://git.kernel.org/stable/c/27d64436984fb8835a8b7e95993193cc478b162e" + }, + { + "url": "https://git.kernel.org/stable/c/4325124dde6726267813c736fee61226f1d38f0b" + }, + { + "url": "https://git.kernel.org/stable/c/609a7119bffe3ddd7c93f2fa65be8917e02a0b7e" + }, + { + "url": "https://git.kernel.org/stable/c/e2d3a7009e505e120805f449c832942660f3f7f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48838 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48838", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: Fix use-after-free bug by not setting udc->dev.driver\n\nThe syzbot fuzzer found a use-after-free bug:\n\nBUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320\nRead of size 8 at addr ffff88802b934098 by task udevd/3689\n\nCPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n dev_uevent+0x712/0x780 drivers/base/core.c:2320\n uevent_show+0x1b8/0x380 drivers/base/core.c:2391\n dev_attr_show+0x4b/0x90 drivers/base/core.c:2094\n\nAlthough the bug manifested in the driver core, the real cause was a\nrace with the gadget core. dev_uevent() does:\n\n\tif (dev->driver)\n\t\tadd_uevent_var(env, \"DRIVER=%s\", dev->driver->name);\n\nand between the test and the dereference of dev->driver, the gadget\ncore sets dev->driver to NULL.\n\nThe race wouldn't occur if the gadget core registered its devices on\na real bus, using the standard synchronization techniques of the\ndriver core. However, it's not necessary to make such a large change\nin order to fix this bug; all we need to do is make sure that\nudc->dev.driver is always NULL.\n\nIn fact, there is no reason for udc->dev.driver ever to be set to\nanything, let alone to the value it currently gets: the address of the\ngadget's driver. After all, a gadget driver only knows how to manage\na gadget, not how to manage a UDC.\n\nThis patch simply removes the statements in the gadget core that touch\nudc->dev.driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48838\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48838\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48838\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48838\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48838\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00bdd9bf1ac6d401ad926d3d8df41b9f1399f646\",\n \"https://git.kernel.org/stable/c/16b1941eac2bd499f065a6739a40ce0011a3d740\",\n \"https://git.kernel.org/stable/c/2015c23610cd0efadaeca4d3a8d1dae9a45aa35a\",\n \"https://git.kernel.org/stable/c/2282a6eb6d4e118e294e43dcc421e0e0fe4040b5\",\n \"https://git.kernel.org/stable/c/27d64436984fb8835a8b7e95993193cc478b162e\",\n \"https://git.kernel.org/stable/c/4325124dde6726267813c736fee61226f1d38f0b\",\n \"https://git.kernel.org/stable/c/609a7119bffe3ddd7c93f2fa65be8917e02a0b7e\",\n \"https://git.kernel.org/stable/c/e2d3a7009e505e120805f449c832942660f3f7f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: Fix use-after-free bug by not setting udc->dev.driver\\n\\nThe syzbot fuzzer found a use-after-free bug:\\n\\nBUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320\\nRead of size 8 at addr ffff88802b934098 by task udevd/3689\\n\\nCPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\\n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255\\n __kasan_report mm/kasan/report.c:442 [inline]\\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\\n dev_uevent+0x712/0x780 drivers/base/core.c:2320\\n uevent_show+0x1b8/0x380 drivers/base/core.c:2391\\n dev_attr_show+0x4b/0x90 drivers/base/core.c:2094\\n\\nAlthough the bug manifested in the driver core, the real cause was a\\nrace with the gadget core. dev_uevent() does:\\n\\n\\tif (dev->driver)\\n\\t\\tadd_uevent_var(env, \\\"DRIVER=%s\\\", dev->driver->name);\\n\\nand between the test and the dereference of dev->driver, the gadget\\ncore sets dev->driver to NULL.\\n\\nThe race wouldn't occur if the gadget core registered its devices on\\na real bus, using the standard synchronization techniques of the\\ndriver core. However, it's not necessary to make such a large change\\nin order to fix this bug; all we need to do is make sure that\\nudc->dev.driver is always NULL.\\n\\nIn fact, there is no reason for udc->dev.driver ever to be set to\\nanything, let alone to the value it currently gets: the address of the\\ngadget's driver. After all, a gadget driver only knows how to manage\\na gadget, not how to manage a UDC.\\n\\nThis patch simply removes the statements in the gadget core that touch\\nudc->dev.driver.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48838\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48839", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48839" + }, + { + "url": "https://git.kernel.org/stable/c/268dcf1f7b3193bc446ec3d14e08a240e9561e4d" + }, + { + "url": "https://git.kernel.org/stable/c/70b7b3c055fd4a464da8da55ff4c1f84269f9b02" + }, + { + "url": "https://git.kernel.org/stable/c/a055f5f2841f7522b44a2b1eccb1951b4b03d51a" + }, + { + "url": "https://git.kernel.org/stable/c/a33dd1e6693f80d805155b3f69c18c2f642915da" + }, + { + "url": "https://git.kernel.org/stable/c/b1e27cda1e3c12b705875bb7e247a97168580e33" + }, + { + "url": "https://git.kernel.org/stable/c/b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0" + }, + { + "url": "https://git.kernel.org/stable/c/c700525fcc06b05adfea78039de02628af79e07a" + }, + { + "url": "https://git.kernel.org/stable/c/ef591b35176029fdefea38e8388ffa371e18f4b2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48839 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48839", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix slab-out-of-bounds access in packet_recvmsg()\n\nsyzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH\nand mmap operations, tpacket_rcv() is queueing skbs with\ngarbage in skb->cb[], triggering a too big copy [1]\n\nPresumably, users of af_packet using mmap() already gets correct\nmetadata from the mapped buffer, we can simply make sure\nto clear 12 bytes that might be copied to user space later.\n\nBUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]\nBUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\nWrite of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631\n\nCPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189\n memcpy+0x39/0x60 mm/kasan/shadow.c:66\n memcpy include/linux/fortify-string.h:225 [inline]\n packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\n sock_recvmsg_nosec net/socket.c:948 [inline]\n sock_recvmsg net/socket.c:966 [inline]\n sock_recvmsg net/socket.c:962 [inline]\n ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632\n ___sys_recvmsg+0x127/0x200 net/socket.c:2674\n __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fdfd5954c29\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60\nR13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54\n \n\naddr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:\n ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246\n\nthis frame has 1 object:\n [32, 160) 'addr'\n\nMemory state around the buggy address:\n ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00\n ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00\n>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3\n ^\n ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1\n ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00\n==================================================================", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48839\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48839\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48839\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48839\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48839\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/268dcf1f7b3193bc446ec3d14e08a240e9561e4d\",\n \"https://git.kernel.org/stable/c/70b7b3c055fd4a464da8da55ff4c1f84269f9b02\",\n \"https://git.kernel.org/stable/c/a055f5f2841f7522b44a2b1eccb1951b4b03d51a\",\n \"https://git.kernel.org/stable/c/a33dd1e6693f80d805155b3f69c18c2f642915da\",\n \"https://git.kernel.org/stable/c/b1e27cda1e3c12b705875bb7e247a97168580e33\",\n \"https://git.kernel.org/stable/c/b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0\",\n \"https://git.kernel.org/stable/c/c700525fcc06b05adfea78039de02628af79e07a\",\n \"https://git.kernel.org/stable/c/ef591b35176029fdefea38e8388ffa371e18f4b2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/packet: fix slab-out-of-bounds access in packet_recvmsg()\\n\\nsyzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH\\nand mmap operations, tpacket_rcv() is queueing skbs with\\ngarbage in skb->cb[], triggering a too big copy [1]\\n\\nPresumably, users of af_packet using mmap() already gets correct\\nmetadata from the mapped buffer, we can simply make sure\\nto clear 12 bytes that might be copied to user space later.\\n\\nBUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]\\nBUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\\nWrite of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631\\n\\nCPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\\n print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255\\n __kasan_report mm/kasan/report.c:442 [inline]\\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\\n check_region_inline mm/kasan/generic.c:183 [inline]\\n kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189\\n memcpy+0x39/0x60 mm/kasan/shadow.c:66\\n memcpy include/linux/fortify-string.h:225 [inline]\\n packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\\n sock_recvmsg_nosec net/socket.c:948 [inline]\\n sock_recvmsg net/socket.c:966 [inline]\\n sock_recvmsg net/socket.c:962 [inline]\\n ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632\\n ___sys_recvmsg+0x127/0x200 net/socket.c:2674\\n __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x44/0xae\\nRIP: 0033:0x7fdfd5954c29\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29\\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005\\nRBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d\\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60\\nR13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54\\n \\n\\naddr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:\\n ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246\\n\\nthis frame has 1 object:\\n [32, 160) 'addr'\\n\\nMemory state around the buggy address:\\n ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00\\n ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00\\n>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3\\n ^\\n ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1\\n ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00\\n==================================================================\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48839\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48840", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48840" + }, + { + "url": "https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57" + }, + { + "url": "https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813" + }, + { + "url": "https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48840 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48840", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix hang during reboot/shutdown\n\nRecent commit 974578017fc1 (\"iavf: Add waiting so the port is\ninitialized in remove\") adds a wait-loop at the beginning of\niavf_remove() to ensure that port initialization is finished\nprior unregistering net device. This causes a regression\nin reboot/shutdown scenario because in this case callback\niavf_shutdown() is called and this callback detaches the device,\nmakes it down if it is running and sets its state to __IAVF_REMOVE.\nLater shutdown callback of associated PF driver (e.g. ice_shutdown)\nis called. That callback calls among other things sriov_disable()\nthat calls indirectly iavf_remove() (see stack trace below).\nAs the adapter state is already __IAVF_REMOVE then the mentioned\nloop is end-less and shutdown process hangs.\n\nThe patch fixes this by checking adapter's state at the beginning\nof iavf_remove() and skips the rest of the function if the adapter\nis already in remove state (shutdown is in progress).\n\nReproducer:\n1. Create VF on PF driven by ice or i40e driver\n2. Ensure that the VF is bound to iavf driver\n3. Reboot\n\n[52625.981294] sysrq: SysRq : Show Blocked State\n[52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2\n[52625.996732] Call Trace:\n[52625.999187] __schedule+0x2d1/0x830\n[52626.007400] schedule+0x35/0xa0\n[52626.010545] schedule_hrtimeout_range_clock+0x83/0x100\n[52626.020046] usleep_range+0x5b/0x80\n[52626.023540] iavf_remove+0x63/0x5b0 [iavf]\n[52626.027645] pci_device_remove+0x3b/0xc0\n[52626.031572] device_release_driver_internal+0x103/0x1f0\n[52626.036805] pci_stop_bus_device+0x72/0xa0\n[52626.040904] pci_stop_and_remove_bus_device+0xe/0x20\n[52626.045870] pci_iov_remove_virtfn+0xba/0x120\n[52626.050232] sriov_disable+0x2f/0xe0\n[52626.053813] ice_free_vfs+0x7c/0x340 [ice]\n[52626.057946] ice_remove+0x220/0x240 [ice]\n[52626.061967] ice_shutdown+0x16/0x50 [ice]\n[52626.065987] pci_device_shutdown+0x34/0x60\n[52626.070086] device_shutdown+0x165/0x1c5\n[52626.074011] kernel_restart+0xe/0x30\n[52626.077593] __do_sys_reboot+0x1d2/0x210\n[52626.093815] do_syscall_64+0x5b/0x1a0\n[52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48840\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48840\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48840\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48840\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48840\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57\",\n \"https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813\",\n \"https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niavf: Fix hang during reboot/shutdown\\n\\nRecent commit 974578017fc1 (\\\"iavf: Add waiting so the port is\\ninitialized in remove\\\") adds a wait-loop at the beginning of\\niavf_remove() to ensure that port initialization is finished\\nprior unregistering net device. This causes a regression\\nin reboot/shutdown scenario because in this case callback\\niavf_shutdown() is called and this callback detaches the device,\\nmakes it down if it is running and sets its state to __IAVF_REMOVE.\\nLater shutdown callback of associated PF driver (e.g. ice_shutdown)\\nis called. That callback calls among other things sriov_disable()\\nthat calls indirectly iavf_remove() (see stack trace below).\\nAs the adapter state is already __IAVF_REMOVE then the mentioned\\nloop is end-less and shutdown process hangs.\\n\\nThe patch fixes this by checking adapter's state at the beginning\\nof iavf_remove() and skips the rest of the function if the adapter\\nis already in remove state (shutdown is in progress).\\n\\nReproducer:\\n1. Create VF on PF driven by ice or i40e driver\\n2. Ensure that the VF is bound to iavf driver\\n3. Reboot\\n\\n[52625.981294] sysrq: SysRq : Show Blocked State\\n[52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2\\n[52625.996732] Call Trace:\\n[52625.999187] __schedule+0x2d1/0x830\\n[52626.007400] schedule+0x35/0xa0\\n[52626.010545] schedule_hrtimeout_range_clock+0x83/0x100\\n[52626.020046] usleep_range+0x5b/0x80\\n[52626.023540] iavf_remove+0x63/0x5b0 [iavf]\\n[52626.027645] pci_device_remove+0x3b/0xc0\\n[52626.031572] device_release_driver_internal+0x103/0x1f0\\n[52626.036805] pci_stop_bus_device+0x72/0xa0\\n[52626.040904] pci_stop_and_remove_bus_device+0xe/0x20\\n[52626.045870] pci_iov_remove_virtfn+0xba/0x120\\n[52626.050232] sriov_disable+0x2f/0xe0\\n[52626.053813] ice_free_vfs+0x7c/0x340 [ice]\\n[52626.057946] ice_remove+0x220/0x240 [ice]\\n[52626.061967] ice_shutdown+0x16/0x50 [ice]\\n[52626.065987] pci_device_shutdown+0x34/0x60\\n[52626.070086] device_shutdown+0x165/0x1c5\\n[52626.074011] kernel_restart+0xe/0x30\\n[52626.077593] __do_sys_reboot+0x1d2/0x210\\n[52626.093815] do_syscall_64+0x5b/0x1a0\\n[52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48840\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48846", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48846" + }, + { + "url": "https://git.kernel.org/stable/c/60c2c8e2ef3a3ec79de8cbc80a06ca0c21df8c29" + }, + { + "url": "https://git.kernel.org/stable/c/d4ad8736ac982111bb0be8306bf19c8207f6600e" + }, + { + "url": "https://git.kernel.org/stable/c/daaca3522a8e67c46e39ef09c1d542e866f85f3b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48846 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48846", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: release rq qos structures for queue without disk\n\nblkcg_init_queue() may add rq qos structures to request queue, previously\nblk_cleanup_queue() calls rq_qos_exit() to release them, but commit\n8e141f9eb803 (\"block: drain file system I/O on del_gendisk\")\nmoves rq_qos_exit() into del_gendisk(), so memory leak is caused\nbecause queues may not have disk, such as un-present scsi luns, nvme\nadmin queue, ...\n\nFixes the issue by adding rq_qos_exit() to blk_cleanup_queue() back.\n\nBTW, v5.18 won't need this patch any more since we move\nblkcg_init_queue()/blkcg_exit_queue() into disk allocation/release\nhandler, and patches have been in for-5.18/block.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48846\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48846\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48846\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48846\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48846\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/60c2c8e2ef3a3ec79de8cbc80a06ca0c21df8c29\",\n \"https://git.kernel.org/stable/c/d4ad8736ac982111bb0be8306bf19c8207f6600e\",\n \"https://git.kernel.org/stable/c/daaca3522a8e67c46e39ef09c1d542e866f85f3b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: release rq qos structures for queue without disk\\n\\nblkcg_init_queue() may add rq qos structures to request queue, previously\\nblk_cleanup_queue() calls rq_qos_exit() to release them, but commit\\n8e141f9eb803 (\\\"block: drain file system I/O on del_gendisk\\\")\\nmoves rq_qos_exit() into del_gendisk(), so memory leak is caused\\nbecause queues may not have disk, such as un-present scsi luns, nvme\\nadmin queue, ...\\n\\nFixes the issue by adding rq_qos_exit() to blk_cleanup_queue() back.\\n\\nBTW, v5.18 won't need this patch any more since we move\\nblkcg_init_queue()/blkcg_exit_queue() into disk allocation/release\\nhandler, and patches have been in for-5.18/block.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48846\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48868", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48868" + }, + { + "url": "https://git.kernel.org/stable/c/0f150134dd795ffcd60b798a85ab737d8d010fb7" + }, + { + "url": "https://git.kernel.org/stable/c/99dc4520b74e7ca8e9dc9abe37a0b10b49467960" + }, + { + "url": "https://git.kernel.org/stable/c/b51b75f0604f17c0f6f3b6f68f1a521a5cc6b04f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48868 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48868", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Let probe fail when workqueue cannot be enabled\n\nThe workqueue is enabled when the appropriate driver is loaded and\ndisabled when the driver is removed. When the driver is removed it\nassumes that the workqueue was enabled successfully and proceeds to\nfree allocations made during workqueue enabling.\n\nFailure during workqueue enabling does not prevent the driver from\nbeing loaded. This is because the error path within drv_enable_wq()\nreturns success unless a second failure is encountered\nduring the error path. By returning success it is possible to load\nthe driver even if the workqueue cannot be enabled and\nallocations that do not exist are attempted to be freed during\ndriver remove.\n\nSome examples of problematic flows:\n(a)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_unmap_portal() is called on error exit path, but\n drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The\n driver is thus loaded successfully.\n\n idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal()\n Above flow on driver unload triggers the WARN in devm_iounmap() because\n the device resource has already been removed during error path of\n drv_enable_wq().\n\n(b)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_init_percpu_ref() is never called to initialize the percpu\n counter, yet the driver loads successfully because drv_enable_wq()\n returns 0.\n\n idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill():\n Above flow on driver unload triggers a BUG when attempting to drop the\n initial ref of the uninitialized percpu ref:\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n\nFix the drv_enable_wq() error path by returning the original error that\nindicates failure of workqueue enabling. This ensures that the probe\nfails when an error is encountered and the driver remove paths are only\nattempted when the workqueue was enabled successfully.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48868\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48868\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48868\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48868\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48868\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f150134dd795ffcd60b798a85ab737d8d010fb7\",\n \"https://git.kernel.org/stable/c/99dc4520b74e7ca8e9dc9abe37a0b10b49467960\",\n \"https://git.kernel.org/stable/c/b51b75f0604f17c0f6f3b6f68f1a521a5cc6b04f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: idxd: Let probe fail when workqueue cannot be enabled\\n\\nThe workqueue is enabled when the appropriate driver is loaded and\\ndisabled when the driver is removed. When the driver is removed it\\nassumes that the workqueue was enabled successfully and proceeds to\\nfree allocations made during workqueue enabling.\\n\\nFailure during workqueue enabling does not prevent the driver from\\nbeing loaded. This is because the error path within drv_enable_wq()\\nreturns success unless a second failure is encountered\\nduring the error path. By returning success it is possible to load\\nthe driver even if the workqueue cannot be enabled and\\nallocations that do not exist are attempted to be freed during\\ndriver remove.\\n\\nSome examples of problematic flows:\\n(a)\\n\\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\\n In above flow, if idxd_wq_request_irq() fails then\\n idxd_wq_unmap_portal() is called on error exit path, but\\n drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The\\n driver is thus loaded successfully.\\n\\n idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal()\\n Above flow on driver unload triggers the WARN in devm_iounmap() because\\n the device resource has already been removed during error path of\\n drv_enable_wq().\\n\\n(b)\\n\\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\\n In above flow, if idxd_wq_request_irq() fails then\\n idxd_wq_init_percpu_ref() is never called to initialize the percpu\\n counter, yet the driver loads successfully because drv_enable_wq()\\n returns 0.\\n\\n idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill():\\n Above flow on driver unload triggers a BUG when attempting to drop the\\n initial ref of the uninitialized percpu ref:\\n BUG: kernel NULL pointer dereference, address: 0000000000000010\\n\\nFix the drv_enable_wq() error path by returning the original error that\\nindicates failure of workqueue enabling. This ensures that the probe\\nfails when an error is encountered and the driver remove paths are only\\nattempted when the workqueue was enabled successfully.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48868\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48869", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48869" + }, + { + "url": "https://git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3" + }, + { + "url": "https://git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4" + }, + { + "url": "https://git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466ae" + }, + { + "url": "https://git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9" + }, + { + "url": "https://git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48869 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48869", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadgetfs: Fix race between mounting and unmounting\n\nThe syzbot fuzzer and Gerald Lee have identified a use-after-free bug\nin the gadgetfs driver, involving processes concurrently mounting and\nunmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super()\ncan race with gadgetfs_kill_sb(), causing the latter to deallocate\nthe_device while the former is using it. The output from KASAN says,\nin part:\n\nBUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]\nBUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\nBUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]\nBUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]\nBUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]\nBUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\nBUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\nWrite of size 4 at addr ffff8880276d7840 by task syz-executor126/18689\n\nCPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n \n...\n atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\n __refcount_sub_and_test include/linux/refcount.h:272 [inline]\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\n put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\n gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n vfs_get_super fs/super.c:1190 [inline]\n get_tree_single+0xd0/0x160 fs/super.c:1207\n vfs_get_tree+0x88/0x270 fs/super.c:1531\n vfs_fsconfig_locked fs/fsopen.c:232 [inline]\n\nThe simplest solution is to ensure that gadgetfs_fill_super() and\ngadgetfs_kill_sb() are serialized by making them both acquire a new\nmutex.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48869\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48869\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48869\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48869\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48869\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3\",\n \"https://git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4\",\n \"https://git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466ae\",\n \"https://git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9\",\n \"https://git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: gadgetfs: Fix race between mounting and unmounting\\n\\nThe syzbot fuzzer and Gerald Lee have identified a use-after-free bug\\nin the gadgetfs driver, involving processes concurrently mounting and\\nunmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super()\\ncan race with gadgetfs_kill_sb(), causing the latter to deallocate\\nthe_device while the former is using it. The output from KASAN says,\\nin part:\\n\\nBUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]\\nBUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\\nBUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]\\nBUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]\\nBUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]\\nBUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\\nBUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\\nWrite of size 4 at addr ffff8880276d7840 by task syz-executor126/18689\\n\\nCPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\\nCall Trace:\\n \\n...\\n atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\\n __refcount_sub_and_test include/linux/refcount.h:272 [inline]\\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\\n put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\\n gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\\n vfs_get_super fs/super.c:1190 [inline]\\n get_tree_single+0xd0/0x160 fs/super.c:1207\\n vfs_get_tree+0x88/0x270 fs/super.c:1531\\n vfs_fsconfig_locked fs/fsopen.c:232 [inline]\\n\\nThe simplest solution is to ensure that gadgetfs_fill_super() and\\ngadgetfs_kill_sb() are serialized by making them both acquire a new\\nmutex.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48869\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48870", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48870" + }, + { + "url": "https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f" + }, + { + "url": "https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5" + }, + { + "url": "https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48870 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48870", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix possible null-ptr-defer in spk_ttyio_release\n\nRun the following tests on the qemu platform:\n\nsyzkaller:~# modprobe speakup_audptr\n input: Speakup as /devices/virtual/input/input4\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\n speakup 3.1.6: initialized\n synth name on entry is: (null)\n synth probe\n\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\nproblem, as follow:\n\nsyzkaller:~# modprobe -r speakup_audptr\n releasing synth audptr\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\n RIP: 0010:mutex_lock+0x14/0x30\n Call Trace:\n \n spk_ttyio_release+0x19/0x70 [speakup]\n synth_release.part.6+0xac/0xc0 [speakup]\n synth_remove+0x56/0x60 [speakup]\n __x64_sys_delete_module+0x156/0x250\n ? fpregs_assert_state_consistent+0x1d/0x50\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \n Modules linked in: speakup_audptr(-) speakup\n Dumping ftrace buffer:\n\nin_synth->dev was not initialized during modprobe, so we add check\nfor in_synth->dev to fix this bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48870\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48870\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48870\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48870\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48870\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f\",\n \"https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5\",\n \"https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: fix possible null-ptr-defer in spk_ttyio_release\\n\\nRun the following tests on the qemu platform:\\n\\nsyzkaller:~# modprobe speakup_audptr\\n input: Speakup as /devices/virtual/input/input4\\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\\n speakup 3.1.6: initialized\\n synth name on entry is: (null)\\n synth probe\\n\\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\\nproblem, as follow:\\n\\nsyzkaller:~# modprobe -r speakup_audptr\\n releasing synth audptr\\n BUG: kernel NULL pointer dereference, address: 0000000000000080\\n #PF: supervisor write access in kernel mode\\n #PF: error_code(0x0002) - not-present page\\n PGD 0 P4D 0\\n Oops: 0002 [#1] PREEMPT SMP PTI\\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\\n RIP: 0010:mutex_lock+0x14/0x30\\n Call Trace:\\n \\n spk_ttyio_release+0x19/0x70 [speakup]\\n synth_release.part.6+0xac/0xc0 [speakup]\\n synth_remove+0x56/0x60 [speakup]\\n __x64_sys_delete_module+0x156/0x250\\n ? fpregs_assert_state_consistent+0x1d/0x50\\n do_syscall_64+0x37/0x90\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n \\n Modules linked in: speakup_audptr(-) speakup\\n Dumping ftrace buffer:\\n\\nin_synth->dev was not initialized during modprobe, so we add check\\nfor in_synth->dev to fix this bug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48870\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48871", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48871" + }, + { + "url": "https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a" + }, + { + "url": "https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2" + }, + { + "url": "https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a" + }, + { + "url": "https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48871 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48871", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer\n\nDriver's probe allocates memory for RX FIFO (port->rx_fifo) based on\ndefault RX FIFO depth, e.g. 16. Later during serial startup the\nqcom_geni_serial_port_setup() updates the RX FIFO depth\n(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.\n\nThe RX UART handle code will read \"port->rx_fifo_depth\" number of words\ninto \"port->rx_fifo\" buffer, thus exceeding the bounds. This can be\nobserved in certain configurations with Qualcomm Bluetooth HCI UART\ndevice and KASAN:\n\n Bluetooth: hci0: QCA Product ID :0x00000010\n Bluetooth: hci0: QCA SOC Version :0x400a0200\n Bluetooth: hci0: QCA ROM Version :0x00000200\n Bluetooth: hci0: QCA Patch Version:0x00000d2b\n Bluetooth: hci0: QCA controller version 0x02000200\n Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv\n bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2\n Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)\n Bluetooth: hci0: QCA Failed to download patch (-2)\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c\n Write of size 4 at addr ffff279347d578c0 by task swapper/0/0\n\n CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n dump_backtrace.part.0+0xe0/0xf0\n show_stack+0x18/0x40\n dump_stack_lvl+0x8c/0xb8\n print_report+0x188/0x488\n kasan_report+0xb4/0x100\n __asan_store4+0x80/0xa4\n handle_rx_uart+0xa8/0x18c\n qcom_geni_serial_handle_rx+0x84/0x9c\n qcom_geni_serial_isr+0x24c/0x760\n __handle_irq_event_percpu+0x108/0x500\n handle_irq_event+0x6c/0x110\n handle_fasteoi_irq+0x138/0x2cc\n generic_handle_domain_irq+0x48/0x64\n\nIf the RX FIFO depth changes after probe, be sure to resize the buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48871\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48871\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48871\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48871\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48871\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a\",\n \"https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2\",\n \"https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a\",\n \"https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer\\n\\nDriver's probe allocates memory for RX FIFO (port->rx_fifo) based on\\ndefault RX FIFO depth, e.g. 16. Later during serial startup the\\nqcom_geni_serial_port_setup() updates the RX FIFO depth\\n(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.\\n\\nThe RX UART handle code will read \\\"port->rx_fifo_depth\\\" number of words\\ninto \\\"port->rx_fifo\\\" buffer, thus exceeding the bounds. This can be\\nobserved in certain configurations with Qualcomm Bluetooth HCI UART\\ndevice and KASAN:\\n\\n Bluetooth: hci0: QCA Product ID :0x00000010\\n Bluetooth: hci0: QCA SOC Version :0x400a0200\\n Bluetooth: hci0: QCA ROM Version :0x00000200\\n Bluetooth: hci0: QCA Patch Version:0x00000d2b\\n Bluetooth: hci0: QCA controller version 0x02000200\\n Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv\\n bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2\\n Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)\\n Bluetooth: hci0: QCA Failed to download patch (-2)\\n ==================================================================\\n BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c\\n Write of size 4 at addr ffff279347d578c0 by task swapper/0/0\\n\\n CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26\\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\\n Call trace:\\n dump_backtrace.part.0+0xe0/0xf0\\n show_stack+0x18/0x40\\n dump_stack_lvl+0x8c/0xb8\\n print_report+0x188/0x488\\n kasan_report+0xb4/0x100\\n __asan_store4+0x80/0xa4\\n handle_rx_uart+0xa8/0x18c\\n qcom_geni_serial_handle_rx+0x84/0x9c\\n qcom_geni_serial_isr+0x24c/0x760\\n __handle_irq_event_percpu+0x108/0x500\\n handle_irq_event+0x6c/0x110\\n handle_fasteoi_irq+0x138/0x2cc\\n generic_handle_domain_irq+0x48/0x64\\n\\nIf the RX FIFO depth changes after probe, be sure to resize the buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48871\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48872", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48872" + }, + { + "url": "https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907" + }, + { + "url": "https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4" + }, + { + "url": "https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1" + }, + { + "url": "https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb" + }, + { + "url": "https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48872 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48872", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix use-after-free race condition for maps\n\nIt is possible that in between calling fastrpc_map_get() until\nmap->fl->lock is taken in fastrpc_free_map(), another thread can call\nfastrpc_map_lookup() and get a reference to a map that is about to be\ndeleted.\n\nRewrite fastrpc_map_get() to only increase the reference count of a map\nif it's non-zero. Propagate this to callers so they can know if a map is\nabout to be deleted.\n\nFixes this warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate\n...\nCall trace:\n refcount_warn_saturate\n [fastrpc_map_get inlined]\n [fastrpc_map_lookup inlined]\n fastrpc_map_create\n fastrpc_internal_invoke\n fastrpc_device_ioctl\n __arm64_sys_ioctl\n invoke_syscall", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48872\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48872\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48872\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48872\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48872\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907\",\n \"https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4\",\n \"https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1\",\n \"https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb\",\n \"https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmisc: fastrpc: Fix use-after-free race condition for maps\\n\\nIt is possible that in between calling fastrpc_map_get() until\\nmap->fl->lock is taken in fastrpc_free_map(), another thread can call\\nfastrpc_map_lookup() and get a reference to a map that is about to be\\ndeleted.\\n\\nRewrite fastrpc_map_get() to only increase the reference count of a map\\nif it's non-zero. Propagate this to callers so they can know if a map is\\nabout to be deleted.\\n\\nFixes this warning:\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate\\n...\\nCall trace:\\n refcount_warn_saturate\\n [fastrpc_map_get inlined]\\n [fastrpc_map_lookup inlined]\\n fastrpc_map_create\\n fastrpc_internal_invoke\\n fastrpc_device_ioctl\\n __arm64_sys_ioctl\\n invoke_syscall\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48872\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48873", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48873" + }, + { + "url": "https://git.kernel.org/stable/c/193cd853145b63e670bd73740250983af1475330" + }, + { + "url": "https://git.kernel.org/stable/c/1b7b7bb400dd13dcb03fc6e591bb7ca4664bbec8" + }, + { + "url": "https://git.kernel.org/stable/c/35ddd482345c43d9eec1f3406c0f20a95ed4054b" + }, + { + "url": "https://git.kernel.org/stable/c/4b5c44e924a571d0ad07054de549624fbc04e4d7" + }, + { + "url": "https://git.kernel.org/stable/c/5bb96c8f9268e2fdb0e5321cbc358ee5941efc15" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48873 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48873", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Don't remove map on creater_process and device_release\n\nDo not remove the map from the list on error path in\nfastrpc_init_create_process, instead call fastrpc_map_put, to avoid\nuse-after-free. Do not remove it on fastrpc_device_release either,\ncall fastrpc_map_put instead.\n\nThe fastrpc_free_map is the only proper place to remove the map.\nThis is called only after the reference count is 0.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48873\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48873\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48873\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48873\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48873\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/193cd853145b63e670bd73740250983af1475330\",\n \"https://git.kernel.org/stable/c/1b7b7bb400dd13dcb03fc6e591bb7ca4664bbec8\",\n \"https://git.kernel.org/stable/c/35ddd482345c43d9eec1f3406c0f20a95ed4054b\",\n \"https://git.kernel.org/stable/c/4b5c44e924a571d0ad07054de549624fbc04e4d7\",\n \"https://git.kernel.org/stable/c/5bb96c8f9268e2fdb0e5321cbc358ee5941efc15\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmisc: fastrpc: Don't remove map on creater_process and device_release\\n\\nDo not remove the map from the list on error path in\\nfastrpc_init_create_process, instead call fastrpc_map_put, to avoid\\nuse-after-free. Do not remove it on fastrpc_device_release either,\\ncall fastrpc_map_put instead.\\n\\nThe fastrpc_free_map is the only proper place to remove the map.\\nThis is called only after the reference count is 0.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48873\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48875", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48875" + }, + { + "url": "https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef" + }, + { + "url": "https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df" + }, + { + "url": "https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e" + }, + { + "url": "https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48875 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48875", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: sdata can be NULL during AMPDU start\n\nieee80211_tx_ba_session_handle_start() may get NULL for sdata when a\ndeauthentication is ongoing.\n\nHere a trace triggering the race with the hostapd test\nmulti_ap_fronthaul_on_ap:\n\n(gdb) list *drv_ampdu_action+0x46\n0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).\n391 int ret = -EOPNOTSUPP;\n392\n393 might_sleep();\n394\n395 sdata = get_bss_sdata(sdata);\n396 if (!check_sdata_in_driver(sdata))\n397 return -EIO;\n398\n399 trace_drv_ampdu_action(local, sdata, params);\n400\n\nwlan0: moving STA 02:00:00:00:03:00 to state 3\nwlan0: associated\nwlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)\nwlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0\nwlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)\nwlan0: moving STA 02:00:00:00:03:00 to state 2\nwlan0: moving STA 02:00:00:00:03:00 to state 1\nwlan0: Removed STA 02:00:00:00:03:00\nwlan0: Destroyed STA 02:00:00:00:03:00\nBUG: unable to handle page fault for address: fffffffffffffb48\nPGD 11814067 P4D 11814067 PUD 11816067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\nWorkqueue: phy3 ieee80211_ba_session_work [mac80211]\nRIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]\nCode: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85\nRSP: 0018:ffffc900025ebd20 EFLAGS: 00010287\nRAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240\nRDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40\nRBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0\nR13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8\nFS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0\nCall Trace:\n \n ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]\n ieee80211_ba_session_work+0xff/0x2e0 [mac80211]\n process_one_work+0x29f/0x620\n worker_thread+0x4d/0x3d0\n ? process_one_work+0x620/0x620\n kthread+0xfb/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48875\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48875\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48875\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48875\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48875\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef\",\n \"https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df\",\n \"https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e\",\n \"https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: sdata can be NULL during AMPDU start\\n\\nieee80211_tx_ba_session_handle_start() may get NULL for sdata when a\\ndeauthentication is ongoing.\\n\\nHere a trace triggering the race with the hostapd test\\nmulti_ap_fronthaul_on_ap:\\n\\n(gdb) list *drv_ampdu_action+0x46\\n0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).\\n391 int ret = -EOPNOTSUPP;\\n392\\n393 might_sleep();\\n394\\n395 sdata = get_bss_sdata(sdata);\\n396 if (!check_sdata_in_driver(sdata))\\n397 return -EIO;\\n398\\n399 trace_drv_ampdu_action(local, sdata, params);\\n400\\n\\nwlan0: moving STA 02:00:00:00:03:00 to state 3\\nwlan0: associated\\nwlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)\\nwlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0\\nwlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)\\nwlan0: moving STA 02:00:00:00:03:00 to state 2\\nwlan0: moving STA 02:00:00:00:03:00 to state 1\\nwlan0: Removed STA 02:00:00:00:03:00\\nwlan0: Destroyed STA 02:00:00:00:03:00\\nBUG: unable to handle page fault for address: fffffffffffffb48\\nPGD 11814067 P4D 11814067 PUD 11816067 PMD 0\\nOops: 0000 [#1] PREEMPT SMP PTI\\nCPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\\nWorkqueue: phy3 ieee80211_ba_session_work [mac80211]\\nRIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]\\nCode: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85\\nRSP: 0018:ffffc900025ebd20 EFLAGS: 00010287\\nRAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240\\nRDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40\\nRBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001\\nR10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0\\nR13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8\\nFS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0\\nCall Trace:\\n \\n ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]\\n ieee80211_ba_session_work+0xff/0x2e0 [mac80211]\\n process_one_work+0x29f/0x620\\n worker_thread+0x4d/0x3d0\\n ? process_one_work+0x620/0x620\\n kthread+0xfb/0x120\\n ? kthread_complete_and_exit+0x20/0x20\\n ret_from_fork+0x22/0x30\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48875\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48877", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48877" + }, + { + "url": "https://git.kernel.org/stable/c/1c38cdc747f00daf7394535eae5afc4c503c59bb" + }, + { + "url": "https://git.kernel.org/stable/c/2c129e868992621a739bdd57a5bffa3985ef1b91" + }, + { + "url": "https://git.kernel.org/stable/c/557e85ff9afef6d45020b6f09357111d38033c31" + }, + { + "url": "https://git.kernel.org/stable/c/72009139a661ade5cb1da4239734ed02fa1cfff0" + }, + { + "url": "https://git.kernel.org/stable/c/dd83a9763e29ed7a21c8a43f7a62cd0a6bf74692" + }, + { + "url": "https://git.kernel.org/stable/c/df9d44b645b83fffccfb4e28c1f93376585fdec8" + }, + { + "url": "https://git.kernel.org/stable/c/ff85a1dbd90d29f73033177ff8d8de4a27d9721c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48877 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48877", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: let's avoid panic if extent_tree is not created\n\nThis patch avoids the below panic.\n\npc : __lookup_extent_tree+0xd8/0x760\nlr : f2fs_do_write_data_page+0x104/0x87c\nsp : ffffffc010cbb3c0\nx29: ffffffc010cbb3e0 x28: 0000000000000000\nx27: ffffff8803e7f020 x26: ffffff8803e7ed40\nx25: ffffff8803e7f020 x24: ffffffc010cbb460\nx23: ffffffc010cbb480 x22: 0000000000000000\nx21: 0000000000000000 x20: ffffffff22e90900\nx19: 0000000000000000 x18: ffffffc010c5d080\nx17: 0000000000000000 x16: 0000000000000020\nx15: ffffffdb1acdbb88 x14: ffffff888759e2b0\nx13: 0000000000000000 x12: ffffff802da49000\nx11: 000000000a001200 x10: ffffff8803e7ed40\nx9 : ffffff8023195800 x8 : ffffff802da49078\nx7 : 0000000000000001 x6 : 0000000000000000\nx5 : 0000000000000006 x4 : ffffffc010cbba28\nx3 : 0000000000000000 x2 : ffffffc010cbb480\nx1 : 0000000000000000 x0 : ffffff8803e7ed40\nCall trace:\n __lookup_extent_tree+0xd8/0x760\n f2fs_do_write_data_page+0x104/0x87c\n f2fs_write_single_data_page+0x420/0xb60\n f2fs_write_cache_pages+0x418/0xb1c\n __f2fs_write_data_pages+0x428/0x58c\n f2fs_write_data_pages+0x30/0x40\n do_writepages+0x88/0x190\n __writeback_single_inode+0x48/0x448\n writeback_sb_inodes+0x468/0x9e8\n __writeback_inodes_wb+0xb8/0x2a4\n wb_writeback+0x33c/0x740\n wb_do_writeback+0x2b4/0x400\n wb_workfn+0xe4/0x34c\n process_one_work+0x24c/0x5bc\n worker_thread+0x3e8/0xa50\n kthread+0x150/0x1b4", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48877\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48877\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48877\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48877\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48877\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c38cdc747f00daf7394535eae5afc4c503c59bb\",\n \"https://git.kernel.org/stable/c/2c129e868992621a739bdd57a5bffa3985ef1b91\",\n \"https://git.kernel.org/stable/c/557e85ff9afef6d45020b6f09357111d38033c31\",\n \"https://git.kernel.org/stable/c/72009139a661ade5cb1da4239734ed02fa1cfff0\",\n \"https://git.kernel.org/stable/c/dd83a9763e29ed7a21c8a43f7a62cd0a6bf74692\",\n \"https://git.kernel.org/stable/c/df9d44b645b83fffccfb4e28c1f93376585fdec8\",\n \"https://git.kernel.org/stable/c/ff85a1dbd90d29f73033177ff8d8de4a27d9721c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: let's avoid panic if extent_tree is not created\\n\\nThis patch avoids the below panic.\\n\\npc : __lookup_extent_tree+0xd8/0x760\\nlr : f2fs_do_write_data_page+0x104/0x87c\\nsp : ffffffc010cbb3c0\\nx29: ffffffc010cbb3e0 x28: 0000000000000000\\nx27: ffffff8803e7f020 x26: ffffff8803e7ed40\\nx25: ffffff8803e7f020 x24: ffffffc010cbb460\\nx23: ffffffc010cbb480 x22: 0000000000000000\\nx21: 0000000000000000 x20: ffffffff22e90900\\nx19: 0000000000000000 x18: ffffffc010c5d080\\nx17: 0000000000000000 x16: 0000000000000020\\nx15: ffffffdb1acdbb88 x14: ffffff888759e2b0\\nx13: 0000000000000000 x12: ffffff802da49000\\nx11: 000000000a001200 x10: ffffff8803e7ed40\\nx9 : ffffff8023195800 x8 : ffffff802da49078\\nx7 : 0000000000000001 x6 : 0000000000000000\\nx5 : 0000000000000006 x4 : ffffffc010cbba28\\nx3 : 0000000000000000 x2 : ffffffc010cbb480\\nx1 : 0000000000000000 x0 : ffffff8803e7ed40\\nCall trace:\\n __lookup_extent_tree+0xd8/0x760\\n f2fs_do_write_data_page+0x104/0x87c\\n f2fs_write_single_data_page+0x420/0xb60\\n f2fs_write_cache_pages+0x418/0xb1c\\n __f2fs_write_data_pages+0x428/0x58c\\n f2fs_write_data_pages+0x30/0x40\\n do_writepages+0x88/0x190\\n __writeback_single_inode+0x48/0x448\\n writeback_sb_inodes+0x468/0x9e8\\n __writeback_inodes_wb+0xb8/0x2a4\\n wb_writeback+0x33c/0x740\\n wb_do_writeback+0x2b4/0x400\\n wb_workfn+0xe4/0x34c\\n process_one_work+0x24c/0x5bc\\n worker_thread+0x3e8/0xa50\\n kthread+0x150/0x1b4\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48877\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48878", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48878" + }, + { + "url": "https://git.kernel.org/stable/c/272970be3dabd24cbe50e393ffee8f04aec3b9a8" + }, + { + "url": "https://git.kernel.org/stable/c/908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3" + }, + { + "url": "https://git.kernel.org/stable/c/e84ec6e25df9bb0968599e92eacedaf3a0a5b587" + }, + { + "url": "https://git.kernel.org/stable/c/ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48878 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48878", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_qca: Fix driver shutdown on closed serdev\n\nThe driver shutdown callback (which sends EDL_SOC_RESET to the device\nover serdev) should not be invoked when HCI device is not open (e.g. if\nhci_dev_open_sync() failed), because the serdev and its TTY are not open\neither. Also skip this step if device is powered off\n(qca_power_shutdown()).\n\nThe shutdown callback causes use-after-free during system reboot with\nQualcomm Atheros Bluetooth:\n\n Unable to handle kernel paging request at virtual address\n 0072662f67726fd7\n ...\n CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W\n 6.1.0-rt5-00325-g8a5f56bcfcca #8\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n tty_driver_flush_buffer+0x4/0x30\n serdev_device_write_flush+0x24/0x34\n qca_serdev_shutdown+0x80/0x130 [hci_uart]\n device_shutdown+0x15c/0x260\n kernel_restart+0x48/0xac\n\nKASAN report:\n\n BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50\n Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1\n\n CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted\n 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n dump_backtrace.part.0+0xdc/0xf0\n show_stack+0x18/0x30\n dump_stack_lvl+0x68/0x84\n print_report+0x188/0x488\n kasan_report+0xa4/0xf0\n __asan_load8+0x80/0xac\n tty_driver_flush_buffer+0x1c/0x50\n ttyport_write_flush+0x34/0x44\n serdev_device_write_flush+0x48/0x60\n qca_serdev_shutdown+0x124/0x274\n device_shutdown+0x1e8/0x350\n kernel_restart+0x48/0xb0\n __do_sys_reboot+0x244/0x2d0\n __arm64_sys_reboot+0x54/0x70\n invoke_syscall+0x60/0x190\n el0_svc_common.constprop.0+0x7c/0x160\n do_el0_svc+0x44/0xf0\n el0_svc+0x2c/0x6c\n el0t_64_sync_handler+0xbc/0x140\n el0t_64_sync+0x190/0x194", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48878\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48878\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48878\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48878\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48878\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/272970be3dabd24cbe50e393ffee8f04aec3b9a8\",\n \"https://git.kernel.org/stable/c/908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3\",\n \"https://git.kernel.org/stable/c/e84ec6e25df9bb0968599e92eacedaf3a0a5b587\",\n \"https://git.kernel.org/stable/c/ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: hci_qca: Fix driver shutdown on closed serdev\\n\\nThe driver shutdown callback (which sends EDL_SOC_RESET to the device\\nover serdev) should not be invoked when HCI device is not open (e.g. if\\nhci_dev_open_sync() failed), because the serdev and its TTY are not open\\neither. Also skip this step if device is powered off\\n(qca_power_shutdown()).\\n\\nThe shutdown callback causes use-after-free during system reboot with\\nQualcomm Atheros Bluetooth:\\n\\n Unable to handle kernel paging request at virtual address\\n 0072662f67726fd7\\n ...\\n CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W\\n 6.1.0-rt5-00325-g8a5f56bcfcca #8\\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\\n Call trace:\\n tty_driver_flush_buffer+0x4/0x30\\n serdev_device_write_flush+0x24/0x34\\n qca_serdev_shutdown+0x80/0x130 [hci_uart]\\n device_shutdown+0x15c/0x260\\n kernel_restart+0x48/0xac\\n\\nKASAN report:\\n\\n BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50\\n Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1\\n\\n CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted\\n 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28\\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\\n Call trace:\\n dump_backtrace.part.0+0xdc/0xf0\\n show_stack+0x18/0x30\\n dump_stack_lvl+0x68/0x84\\n print_report+0x188/0x488\\n kasan_report+0xa4/0xf0\\n __asan_load8+0x80/0xac\\n tty_driver_flush_buffer+0x1c/0x50\\n ttyport_write_flush+0x34/0x44\\n serdev_device_write_flush+0x48/0x60\\n qca_serdev_shutdown+0x124/0x274\\n device_shutdown+0x1e8/0x350\\n kernel_restart+0x48/0xb0\\n __do_sys_reboot+0x244/0x2d0\\n __arm64_sys_reboot+0x54/0x70\\n invoke_syscall+0x60/0x190\\n el0_svc_common.constprop.0+0x7c/0x160\\n do_el0_svc+0x44/0xf0\\n el0_svc+0x2c/0x6c\\n el0t_64_sync_handler+0xbc/0x140\\n el0t_64_sync+0x190/0x194\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48878\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48879", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48879" + }, + { + "url": "https://git.kernel.org/stable/c/4ca71bc0e1995d15486cd7b60845602a28399cb5" + }, + { + "url": "https://git.kernel.org/stable/c/585a0b2b3ae7903c6abee3087d09c69e955a7794" + }, + { + "url": "https://git.kernel.org/stable/c/5fcf75a8a4c3e7ee9122d143684083c9faf20452" + }, + { + "url": "https://git.kernel.org/stable/c/703c13fe3c9af557d312f5895ed6a5fda2711104" + }, + { + "url": "https://git.kernel.org/stable/c/adc96d30f6503d30dc68670c013716f1d9fcc747" + }, + { + "url": "https://git.kernel.org/stable/c/e2ea55564229e4bea1474af15b111b3a3043b76f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48879 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48879", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix NULL-deref in init error path\n\nIn cases where runtime services are not supported or have been disabled,\nthe runtime services workqueue will never have been allocated.\n\nDo not try to destroy the workqueue unconditionally in the unlikely\nevent that EFI initialisation fails to avoid dereferencing a NULL\npointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48879\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48879\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48879\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48879\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48879\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4ca71bc0e1995d15486cd7b60845602a28399cb5\",\n \"https://git.kernel.org/stable/c/585a0b2b3ae7903c6abee3087d09c69e955a7794\",\n \"https://git.kernel.org/stable/c/5fcf75a8a4c3e7ee9122d143684083c9faf20452\",\n \"https://git.kernel.org/stable/c/703c13fe3c9af557d312f5895ed6a5fda2711104\",\n \"https://git.kernel.org/stable/c/adc96d30f6503d30dc68670c013716f1d9fcc747\",\n \"https://git.kernel.org/stable/c/e2ea55564229e4bea1474af15b111b3a3043b76f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nefi: fix NULL-deref in init error path\\n\\nIn cases where runtime services are not supported or have been disabled,\\nthe runtime services workqueue will never have been allocated.\\n\\nDo not try to destroy the workqueue unconditionally in the unlikely\\nevent that EFI initialisation fails to avoid dereferencing a NULL\\npointer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48879\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48880", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48880" + }, + { + "url": "https://git.kernel.org/stable/c/50b3cdf8239b11545f311c4f7b89e0092e4feedb" + }, + { + "url": "https://git.kernel.org/stable/c/c965daac370f08a9b71d573a71d13cda76f2a884" + }, + { + "url": "https://git.kernel.org/stable/c/d2dc110deabe7142b60ebeed689e67f92795ee24" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48880 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48880", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/surface: aggregator: Add missing call to ssam_request_sync_free()\n\nAlthough rare, ssam_request_sync_init() can fail. In that case, the\nrequest should be freed via ssam_request_sync_free(). Currently it is\nleaked instead. Fix this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48880\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48880\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48880\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48880\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48880\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/50b3cdf8239b11545f311c4f7b89e0092e4feedb\",\n \"https://git.kernel.org/stable/c/c965daac370f08a9b71d573a71d13cda76f2a884\",\n \"https://git.kernel.org/stable/c/d2dc110deabe7142b60ebeed689e67f92795ee24\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nplatform/surface: aggregator: Add missing call to ssam_request_sync_free()\\n\\nAlthough rare, ssam_request_sync_init() can fail. In that case, the\\nrequest should be freed via ssam_request_sync_free(). Currently it is\\nleaked instead. Fix this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48880\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48887", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48887" + }, + { + "url": "https://git.kernel.org/stable/c/7ac9578e45b20e3f3c0c8eb71f5417a499a7226a" + }, + { + "url": "https://git.kernel.org/stable/c/a309c7194e8a2f8bd4539b9449917913f6c2cd50" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48887 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48887", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Remove rcu locks from user resources\n\nUser resource lookups used rcu to avoid two extra atomics. Unfortunately\nthe rcu paths were buggy and it was easy to make the driver crash by\nsubmitting command buffers from two different threads. Because the\nlookups never show up in performance profiles replace them with a\nregular spin lock which fixes the races in accesses to those shared\nresources.\n\nFixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and\nseen crashes with apps using shared resources.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48887\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48887\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48887\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48887\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48887\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7ac9578e45b20e3f3c0c8eb71f5417a499a7226a\",\n \"https://git.kernel.org/stable/c/a309c7194e8a2f8bd4539b9449917913f6c2cd50\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vmwgfx: Remove rcu locks from user resources\\n\\nUser resource lookups used rcu to avoid two extra atomics. Unfortunately\\nthe rcu paths were buggy and it was easy to make the driver crash by\\nsubmitting command buffers from two different threads. Because the\\nlookups never show up in performance profiles replace them with a\\nregular spin lock which fixes the races in accesses to those shared\\nresources.\\n\\nFixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and\\nseen crashes with apps using shared resources.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48887\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48891", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48891" + }, + { + "url": "https://git.kernel.org/stable/c/02228f6aa6a64d588bc31e3267d05ff184d772eb" + }, + { + "url": "https://git.kernel.org/stable/c/1c1afcb8839b91c09d211ea304faa269763b1f91" + }, + { + "url": "https://git.kernel.org/stable/c/470f6a9175f13a53810734658c35cc5bba33be01" + }, + { + "url": "https://git.kernel.org/stable/c/ad1336274f733a7cb1f87b5c5908165a2c14df53" + }, + { + "url": "https://git.kernel.org/stable/c/d443308edbfb6e9e757b478af908515110d1efd5" + }, + { + "url": "https://git.kernel.org/stable/c/d4aa749e046435f054e94ebf50cad143d6229fae" + }, + { + "url": "https://git.kernel.org/stable/c/f75cde714e0a67f73ef169aa50d4ed77d04f7236" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48891 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48891", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9211: Use irq handler when ready\n\nIf the system does not come from reset (like when it is kexec()), the\nregulator might have an IRQ waiting for us.\n\nIf we enable the IRQ handler before its structures are ready, we crash.\n\nThis patch fixes:\n\n[ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078\n[ 1.316096] Call trace:\n[ 1.316101] blocking_notifier_call_chain+0x20/0xa8\n[ 1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests\n[ 1.327823] regulator_notifier_call_chain+0x1c/0x2c\n[ 1.327825] da9211_irq_handler+0x68/0xf8\n[ 1.327829] irq_thread+0x11c/0x234\n[ 1.327833] kthread+0x13c/0x154", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48891\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48891\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48891\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48891\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48891\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02228f6aa6a64d588bc31e3267d05ff184d772eb\",\n \"https://git.kernel.org/stable/c/1c1afcb8839b91c09d211ea304faa269763b1f91\",\n \"https://git.kernel.org/stable/c/470f6a9175f13a53810734658c35cc5bba33be01\",\n \"https://git.kernel.org/stable/c/ad1336274f733a7cb1f87b5c5908165a2c14df53\",\n \"https://git.kernel.org/stable/c/d443308edbfb6e9e757b478af908515110d1efd5\",\n \"https://git.kernel.org/stable/c/d4aa749e046435f054e94ebf50cad143d6229fae\",\n \"https://git.kernel.org/stable/c/f75cde714e0a67f73ef169aa50d4ed77d04f7236\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nregulator: da9211: Use irq handler when ready\\n\\nIf the system does not come from reset (like when it is kexec()), the\\nregulator might have an IRQ waiting for us.\\n\\nIf we enable the IRQ handler before its structures are ready, we crash.\\n\\nThis patch fixes:\\n\\n[ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078\\n[ 1.316096] Call trace:\\n[ 1.316101] blocking_notifier_call_chain+0x20/0xa8\\n[ 1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests\\n[ 1.327823] regulator_notifier_call_chain+0x1c/0x2c\\n[ 1.327825] da9211_irq_handler+0x68/0xf8\\n[ 1.327829] irq_thread+0x11c/0x234\\n[ 1.327833] kthread+0x13c/0x154\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48891\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48892", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48892" + }, + { + "url": "https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc" + }, + { + "url": "https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8" + }, + { + "url": "https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48892 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48892", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Fix use-after-free bug in dup_user_cpus_ptr()\n\nSince commit 07ec77a1d4e8 (\"sched: Allow task CPU affinity to be\nrestricted on asymmetric systems\"), the setting and clearing of\nuser_cpus_ptr are done under pi_lock for arm64 architecture. However,\ndup_user_cpus_ptr() accesses user_cpus_ptr without any lock\nprotection. Since sched_setaffinity() can be invoked from another\nprocess, the process being modified may be undergoing fork() at\nthe same time. When racing with the clearing of user_cpus_ptr in\n__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and\npossibly double-free in arm64 kernel.\n\nCommit 8f9ea86fdf99 (\"sched: Always preserve the user requested\ncpumask\") fixes this problem as user_cpus_ptr, once set, will never\nbe cleared in a task's lifetime. However, this bug was re-introduced\nin commit 851a723e45d1 (\"sched: Always clear user_cpus_ptr in\ndo_set_cpus_allowed()\") which allows the clearing of user_cpus_ptr in\ndo_set_cpus_allowed(). This time, it will affect all arches.\n\nFix this bug by always clearing the user_cpus_ptr of the newly\ncloned/forked task before the copying process starts and check the\nuser_cpus_ptr state of the source task under pi_lock.\n\nNote to stable, this patch won't be applicable to stable releases.\nJust copy the new dup_user_cpus_ptr() function over.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48892\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48892\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48892\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48892\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48892\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc\",\n \"https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8\",\n \"https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/core: Fix use-after-free bug in dup_user_cpus_ptr()\\n\\nSince commit 07ec77a1d4e8 (\\\"sched: Allow task CPU affinity to be\\nrestricted on asymmetric systems\\\"), the setting and clearing of\\nuser_cpus_ptr are done under pi_lock for arm64 architecture. However,\\ndup_user_cpus_ptr() accesses user_cpus_ptr without any lock\\nprotection. Since sched_setaffinity() can be invoked from another\\nprocess, the process being modified may be undergoing fork() at\\nthe same time. When racing with the clearing of user_cpus_ptr in\\n__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and\\npossibly double-free in arm64 kernel.\\n\\nCommit 8f9ea86fdf99 (\\\"sched: Always preserve the user requested\\ncpumask\\\") fixes this problem as user_cpus_ptr, once set, will never\\nbe cleared in a task's lifetime. However, this bug was re-introduced\\nin commit 851a723e45d1 (\\\"sched: Always clear user_cpus_ptr in\\ndo_set_cpus_allowed()\\\") which allows the clearing of user_cpus_ptr in\\ndo_set_cpus_allowed(). This time, it will affect all arches.\\n\\nFix this bug by always clearing the user_cpus_ptr of the newly\\ncloned/forked task before the copying process starts and check the\\nuser_cpus_ptr state of the source task under pi_lock.\\n\\nNote to stable, this patch won't be applicable to stable releases.\\nJust copy the new dup_user_cpus_ptr() function over.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48892\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48893" + }, + { + "url": "https://git.kernel.org/stable/c/5c855bcc730656c4b7d30aaddcd0eafc7003e112" + }, + { + "url": "https://git.kernel.org/stable/c/78a033433a5ae4fee85511ee075bc9a48312c79e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Cleanup partial engine discovery failures\n\nIf we abort driver initialisation in the middle of gt/engine discovery,\nsome engines will be fully setup and some not. Those incompletely setup\nengines only have 'engine->release == NULL' and so will leak any of the\ncommon objects allocated.\n\nv2:\n - Drop the destroy_pinned_context() helper for now. It's not really\n worth it with just a single callsite at the moment. (Janusz)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5c855bcc730656c4b7d30aaddcd0eafc7003e112\",\n \"https://git.kernel.org/stable/c/78a033433a5ae4fee85511ee075bc9a48312c79e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/gt: Cleanup partial engine discovery failures\\n\\nIf we abort driver initialisation in the middle of gt/engine discovery,\\nsome engines will be fully setup and some not. Those incompletely setup\\nengines only have 'engine->release == NULL' and so will leak any of the\\ncommon objects allocated.\\n\\nv2:\\n - Drop the destroy_pinned_context() helper for now. It's not really\\n worth it with just a single callsite at the moment. (Janusz)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48895", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48895" + }, + { + "url": "https://git.kernel.org/stable/c/a1b9c7b1978aacf4b2f33e34bde1e2bb80b8497a" + }, + { + "url": "https://git.kernel.org/stable/c/ce31e6ca68bd7639bd3e5ef97be215031842bbab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48895 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48895", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Don't unregister on shutdown\n\nMichael Walle says he noticed the following stack trace while performing\na shutdown with \"reboot -f\". He suggests he got \"lucky\" and just hit the\ncorrect spot for the reboot while there was a packet transmission in\nflight.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000098\nCPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930\nHardware name: Kontron KBox A-230-LS (DT)\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_map_page+0x9c/0x254\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_map_page_attrs+0x1ec/0x250\n enetc_start_xmit+0x14c/0x10b0\n enetc_xmit+0x60/0xdc\n dev_hard_start_xmit+0xb8/0x210\n sch_direct_xmit+0x11c/0x420\n __dev_queue_xmit+0x354/0xb20\n ip6_finish_output2+0x280/0x5b0\n __ip6_finish_output+0x15c/0x270\n ip6_output+0x78/0x15c\n NF_HOOK.constprop.0+0x50/0xd0\n mld_sendpack+0x1bc/0x320\n mld_ifc_work+0x1d8/0x4dc\n process_one_work+0x1e8/0x460\n worker_thread+0x178/0x534\n kthread+0xe0/0xe4\n ret_from_fork+0x10/0x20\nCode: d503201f f9416800 d503233f d50323bf (f9404c00)\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\n\nThis appears to be reproducible when the board has a fixed IP address,\nis ping flooded from another host, and \"reboot -f\" is used.\n\nThe following is one more manifestation of the issue:\n\n$ reboot -f\nkvm: exiting hardware virtualization\ncfg80211: failed to load regulatory.db\narm-smmu 5000000.iommu: disabling translation\nsdhci-esdhc 2140000.mmc: Removing from iommu group 11\nsdhci-esdhc 2150000.mmc: Removing from iommu group 12\nfsl-edma 22c0000.dma-controller: Removing from iommu group 17\ndwc3 3100000.usb: Removing from iommu group 9\ndwc3 3110000.usb: Removing from iommu group 10\nahci-qoriq 3200000.sata: Removing from iommu group 2\nfsl-qdma 8380000.dma-controller: Removing from iommu group 20\nplatform f080000.display: Removing from iommu group 0\netnaviv-gpu f0c0000.gpu: Removing from iommu group 1\netnaviv etnaviv: Removing from iommu group 1\ncaam_jr 8010000.jr: Removing from iommu group 13\ncaam_jr 8020000.jr: Removing from iommu group 14\ncaam_jr 8030000.jr: Removing from iommu group 15\ncaam_jr 8040000.jr: Removing from iommu group 16\nfsl_enetc 0000:00:00.0: Removing from iommu group 4\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.1: Removing from iommu group 5\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.2: Removing from iommu group 6\nfsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8\nmscc_felix 0000:00:00.5: Removing from iommu group 3\nfsl_enetc 0000:00:00.6: Removing from iommu group 7\npcieport 0001:00:00.0: Removing from iommu group 18\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\npcieport 0002:00:00.0: Removing from iommu group 19\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_unmap_page+0x38/0xe0\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_unmap_page_attrs+0x38/0x1d0\n en\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48895\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48895\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48895\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48895\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48895\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/a1b9c7b1978aacf4b2f33e34bde1e2bb80b8497a\",\n \"https://git.kernel.org/stable/c/ce31e6ca68bd7639bd3e5ef97be215031842bbab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu/arm-smmu: Don't unregister on shutdown\\n\\nMichael Walle says he noticed the following stack trace while performing\\na shutdown with \\\"reboot -f\\\". He suggests he got \\\"lucky\\\" and just hit the\\ncorrect spot for the reboot while there was a packet transmission in\\nflight.\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000098\\nCPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930\\nHardware name: Kontron KBox A-230-LS (DT)\\npc : iommu_get_dma_domain+0x14/0x20\\nlr : iommu_dma_map_page+0x9c/0x254\\nCall trace:\\n iommu_get_dma_domain+0x14/0x20\\n dma_map_page_attrs+0x1ec/0x250\\n enetc_start_xmit+0x14c/0x10b0\\n enetc_xmit+0x60/0xdc\\n dev_hard_start_xmit+0xb8/0x210\\n sch_direct_xmit+0x11c/0x420\\n __dev_queue_xmit+0x354/0xb20\\n ip6_finish_output2+0x280/0x5b0\\n __ip6_finish_output+0x15c/0x270\\n ip6_output+0x78/0x15c\\n NF_HOOK.constprop.0+0x50/0xd0\\n mld_sendpack+0x1bc/0x320\\n mld_ifc_work+0x1d8/0x4dc\\n process_one_work+0x1e8/0x460\\n worker_thread+0x178/0x534\\n kthread+0xe0/0xe4\\n ret_from_fork+0x10/0x20\\nCode: d503201f f9416800 d503233f d50323bf (f9404c00)\\n---[ end trace 0000000000000000 ]---\\nKernel panic - not syncing: Oops: Fatal exception in interrupt\\n\\nThis appears to be reproducible when the board has a fixed IP address,\\nis ping flooded from another host, and \\\"reboot -f\\\" is used.\\n\\nThe following is one more manifestation of the issue:\\n\\n$ reboot -f\\nkvm: exiting hardware virtualization\\ncfg80211: failed to load regulatory.db\\narm-smmu 5000000.iommu: disabling translation\\nsdhci-esdhc 2140000.mmc: Removing from iommu group 11\\nsdhci-esdhc 2150000.mmc: Removing from iommu group 12\\nfsl-edma 22c0000.dma-controller: Removing from iommu group 17\\ndwc3 3100000.usb: Removing from iommu group 9\\ndwc3 3110000.usb: Removing from iommu group 10\\nahci-qoriq 3200000.sata: Removing from iommu group 2\\nfsl-qdma 8380000.dma-controller: Removing from iommu group 20\\nplatform f080000.display: Removing from iommu group 0\\netnaviv-gpu f0c0000.gpu: Removing from iommu group 1\\netnaviv etnaviv: Removing from iommu group 1\\ncaam_jr 8010000.jr: Removing from iommu group 13\\ncaam_jr 8020000.jr: Removing from iommu group 14\\ncaam_jr 8030000.jr: Removing from iommu group 15\\ncaam_jr 8040000.jr: Removing from iommu group 16\\nfsl_enetc 0000:00:00.0: Removing from iommu group 4\\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \\\"arm-smmu.disable_bypass=0\\\" to allow, but this may have security implications\\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\\nfsl_enetc 0000:00:00.1: Removing from iommu group 5\\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \\\"arm-smmu.disable_bypass=0\\\" to allow, but this may have security implications\\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \\\"arm-smmu.disable_bypass=0\\\" to allow, but this may have security implications\\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\\nfsl_enetc 0000:00:00.2: Removing from iommu group 6\\nfsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8\\nmscc_felix 0000:00:00.5: Removing from iommu group 3\\nfsl_enetc 0000:00:00.6: Removing from iommu group 7\\npcieport 0001:00:00.0: Removing from iommu group 18\\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \\\"arm-smmu.disable_bypass=0\\\" to allow, but this may have security implications\\narm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\\npcieport 0002:00:00.0: Removing from iommu group 19\\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\\npc : iommu_get_dma_domain+0x14/0x20\\nlr : iommu_dma_unmap_page+0x38/0xe0\\nCall trace:\\n iommu_get_dma_domain+0x14/0x20\\n dma_unmap_page_attrs+0x38/0x1d0\\n en\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48895\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48896", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48896" + }, + { + "url": "https://git.kernel.org/stable/c/112df4cd2b09acd64bcd18f5ef83ba5d07b34bf0" + }, + { + "url": "https://git.kernel.org/stable/c/4c93422a54cd6a349988f42e1c6bf082cf4ea9d8" + }, + { + "url": "https://git.kernel.org/stable/c/53cefa802f070d46c0c518f4865be2c749818a18" + }, + { + "url": "https://git.kernel.org/stable/c/b93fb4405fcb5112c5739c5349afb52ec7f15c07" + }, + { + "url": "https://git.kernel.org/stable/c/c49996c6aa03590e4ef5add8772cb6068d99fd59" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48896 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48896", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix pci device refcount leak\n\nAs the comment of pci_get_domain_bus_and_slot() says, it\nreturns a PCI device with refcount incremented, when finish\nusing it, the caller must decrement the reference count by\ncalling pci_dev_put().\n\nIn ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(),\npci_dev_put() is called to avoid leak.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48896\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48896\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48896\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48896\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48896\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/112df4cd2b09acd64bcd18f5ef83ba5d07b34bf0\",\n \"https://git.kernel.org/stable/c/4c93422a54cd6a349988f42e1c6bf082cf4ea9d8\",\n \"https://git.kernel.org/stable/c/53cefa802f070d46c0c518f4865be2c749818a18\",\n \"https://git.kernel.org/stable/c/b93fb4405fcb5112c5739c5349afb52ec7f15c07\",\n \"https://git.kernel.org/stable/c/c49996c6aa03590e4ef5add8772cb6068d99fd59\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nixgbe: fix pci device refcount leak\\n\\nAs the comment of pci_get_domain_bus_and_slot() says, it\\nreturns a PCI device with refcount incremented, when finish\\nusing it, the caller must decrement the reference count by\\ncalling pci_dev_put().\\n\\nIn ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(),\\npci_dev_put() is called to avoid leak.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48896\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48898", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48898" + }, + { + "url": "https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169" + }, + { + "url": "https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1" + }, + { + "url": "https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a" + }, + { + "url": "https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48898 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48898", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer\n\nThere are 3 possible interrupt sources are handled by DP controller,\nHPDstatus, Controller state changes and Aux read/write transaction.\nAt every irq, DP controller have to check isr status of every interrupt\nsources and service the interrupt if its isr status bits shows interrupts\nare pending. There is potential race condition may happen at current aux\nisr handler implementation since it is always complete dp_aux_cmd_fifo_tx()\neven irq is not for aux read or write transaction. This may cause aux read\ntransaction return premature if host aux data read is in the middle of\nwaiting for sink to complete transferring data to host while irq happen.\nThis will cause host's receiving buffer contains unexpected data. This\npatch fixes this problem by checking aux isr and return immediately at\naux isr handler if there are no any isr status bits set.\n\nCurrent there is a bug report regrading eDP edid corruption happen during\nsystem booting up. After lengthy debugging to found that VIDEO_READY\ninterrupt was continuously firing during system booting up which cause\ndp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data\nfrom aux hardware buffer which is not yet contains complete data transfer\nfrom sink. This cause edid corruption.\n\nFollows are the signature at kernel logs when problem happen,\nEDID has corrupt header\npanel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID\n\nChanges in v2:\n-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()\n-- add more commit text\n\nChanges in v3:\n-- add Stephen suggested\n-- dp_aux_isr() return IRQ_XXX back to caller\n-- dp_ctrl_isr() return IRQ_XXX back to caller\n\nChanges in v4:\n-- split into two patches\n\nChanges in v5:\n-- delete empty line between tags\n\nChanges in v6:\n-- remove extra \"that\" and fixed line more than 75 char at commit text\n\nPatchwork: https://patchwork.freedesktop.org/patch/516121/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48898\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48898\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48898\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48898\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48898\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169\",\n \"https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1\",\n \"https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a\",\n \"https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer\\n\\nThere are 3 possible interrupt sources are handled by DP controller,\\nHPDstatus, Controller state changes and Aux read/write transaction.\\nAt every irq, DP controller have to check isr status of every interrupt\\nsources and service the interrupt if its isr status bits shows interrupts\\nare pending. There is potential race condition may happen at current aux\\nisr handler implementation since it is always complete dp_aux_cmd_fifo_tx()\\neven irq is not for aux read or write transaction. This may cause aux read\\ntransaction return premature if host aux data read is in the middle of\\nwaiting for sink to complete transferring data to host while irq happen.\\nThis will cause host's receiving buffer contains unexpected data. This\\npatch fixes this problem by checking aux isr and return immediately at\\naux isr handler if there are no any isr status bits set.\\n\\nCurrent there is a bug report regrading eDP edid corruption happen during\\nsystem booting up. After lengthy debugging to found that VIDEO_READY\\ninterrupt was continuously firing during system booting up which cause\\ndp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data\\nfrom aux hardware buffer which is not yet contains complete data transfer\\nfrom sink. This cause edid corruption.\\n\\nFollows are the signature at kernel logs when problem happen,\\nEDID has corrupt header\\npanel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID\\n\\nChanges in v2:\\n-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()\\n-- add more commit text\\n\\nChanges in v3:\\n-- add Stephen suggested\\n-- dp_aux_isr() return IRQ_XXX back to caller\\n-- dp_ctrl_isr() return IRQ_XXX back to caller\\n\\nChanges in v4:\\n-- split into two patches\\n\\nChanges in v5:\\n-- delete empty line between tags\\n\\nChanges in v6:\\n-- remove extra \\\"that\\\" and fixed line more than 75 char at commit text\\n\\nPatchwork: https://patchwork.freedesktop.org/patch/516121/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48898\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48899" + }, + { + "url": "https://git.kernel.org/stable/c/011ecdbcd520c90c344b872ca6b4821f7783b2f8" + }, + { + "url": "https://git.kernel.org/stable/c/19ec87d06acfab2313ee82b2a689bf0c154e57ea" + }, + { + "url": "https://git.kernel.org/stable/c/52531258318ed59a2dc5a43df2eaf0eb1d65438e" + }, + { + "url": "https://git.kernel.org/stable/c/68bcd063857075d2f9edfed6024387ac377923e2" + }, + { + "url": "https://git.kernel.org/stable/c/adc48e5e408afbb01d261bd303fd9fbbbaa3e317" + }, + { + "url": "https://git.kernel.org/stable/c/d01d6d2b06c0d8390adf8f3ba08aa60b5642ef73" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Fix GEM handle creation UAF\n\nUserspace can guess the handle value and try to race GEM object creation\nwith handle close, resulting in a use-after-free if we dereference the\nobject after dropping the handle's reference. For that reason, dropping\nthe handle's reference must be done *after* we are done dereferencing\nthe object.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/011ecdbcd520c90c344b872ca6b4821f7783b2f8\",\n \"https://git.kernel.org/stable/c/19ec87d06acfab2313ee82b2a689bf0c154e57ea\",\n \"https://git.kernel.org/stable/c/52531258318ed59a2dc5a43df2eaf0eb1d65438e\",\n \"https://git.kernel.org/stable/c/68bcd063857075d2f9edfed6024387ac377923e2\",\n \"https://git.kernel.org/stable/c/adc48e5e408afbb01d261bd303fd9fbbbaa3e317\",\n \"https://git.kernel.org/stable/c/d01d6d2b06c0d8390adf8f3ba08aa60b5642ef73\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/virtio: Fix GEM handle creation UAF\\n\\nUserspace can guess the handle value and try to race GEM object creation\\nwith handle close, resulting in a use-after-free if we dereference the\\nobject after dropping the handle's reference. For that reason, dropping\\nthe handle's reference must be done *after* we are done dereferencing\\nthe object.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48900" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48900", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2022-48929", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2022-48929" + }, + { + "url": "https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1" + }, + { + "url": "https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae" + }, + { + "url": "https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2022-48929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2022-48929", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to out of bounds access into reg2btf_ids.\n\nWhen commit e6ac2450d6de (\"bpf: Support bpf program calling kernel function\") added\nkfunc support, it defined reg2btf_ids as a cheap way to translate the verifier\nreg type to the appropriate btf_vmlinux BTF ID, however\ncommit c25b2ae13603 (\"bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL\")\nmoved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after\nthe base register types, and defined other variants using type flag\ncomposition. However, now, the direct usage of reg->type to index into\nreg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to\nout of bounds access and kernel crash on dereference of bad pointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2022-48929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2022-48929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2022-48929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2022-48929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-48929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1\",\n \"https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae\",\n \"https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix crash due to out of bounds access into reg2btf_ids.\\n\\nWhen commit e6ac2450d6de (\\\"bpf: Support bpf program calling kernel function\\\") added\\nkfunc support, it defined reg2btf_ids as a cheap way to translate the verifier\\nreg type to the appropriate btf_vmlinux BTF ID, however\\ncommit c25b2ae13603 (\\\"bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL\\\")\\nmoved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after\\nthe base register types, and defined other variants using type flag\\ncomposition. However, now, the direct usage of reg->type to index into\\nreg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to\\nout of bounds access and kernel crash on dereference of bad pointer.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2022-48929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0030", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-0030" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2157270" + }, + { + "url": "https://github.com/torvalds/linux/commit/729eba3355674f2d9524629b73683ba1d1cd3f10" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230413-0010/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0030 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-0030", + "desc": "A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0030\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-0030\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-0030\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-0030\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0030\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2157270\",\n \"https://github.com/torvalds/linux/commit/729eba3355674f2d9524629b73683ba1d1cd3f10\",\n \"https://security.netapp.com/advisory/ntap-20230413-0010/\"\n ],\n \"description\": \"A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-0030\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-0160", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-0160" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0160" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159764" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed17aa92dc56" + }, + { + "url": "https://lore.kernel.org/all/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-0160 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-0160", + "desc": "A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-0160\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-0160\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-0160\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-0160\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-0160\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2023-0160\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2159764\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed17aa92dc56\",\n \"https://lore.kernel.org/all/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/\"\n ],\n \"description\": \"A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-0160\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-1193", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-1193" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-1193" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2154177" + }, + { + "url": "https://lkml.kernel.org/linux-cifs/20230401084951.6085-2-linkinjeon@kernel.org/T/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-1193 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-1193", + "desc": "A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-1193\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-1193\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-1193\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-1193\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-1193\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2023-1193\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2154177\",\n \"https://lkml.kernel.org/linux-cifs/20230401084951.6085-2-linkinjeon@kernel.org/T/\"\n ],\n \"description\": \"A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-1193\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-1872", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-1872" + }, + { + "url": "http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=08681391b84da27133deefaaddefd0acfa90c2be" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=da24142b1ef9fd5d36b76e36bab328a5b27523e8" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230601-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-1872 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-1872", + "desc": "A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\n\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\n\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-1872\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-1872\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-1872\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-1872\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-1872\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=08681391b84da27133deefaaddefd0acfa90c2be\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=da24142b1ef9fd5d36b76e36bab328a5b27523e8\",\n \"https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html\",\n \"https://security.netapp.com/advisory/ntap-20230601-0002/\"\n ],\n \"description\": \"A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\\n\\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\\n\\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"cve-coordination@google.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-1872\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-1989", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-1989" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=f132c2d13088" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230601-0004/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5492" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-1989 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-1989", + "desc": "A use-after-free flaw was found in btsdio_remove in drivers\\bluetooth\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-1989\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-1989\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-1989\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-1989\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-1989\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=f132c2d13088\",\n \"https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html\",\n \"https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html\",\n \"https://security.netapp.com/advisory/ntap-20230601-0004/\",\n \"https://www.debian.org/security/2023/dsa-5492\"\n ],\n \"description\": \"A use-after-free flaw was found in btsdio_remove in drivers\\\\bluetooth\\\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-1989\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-2007", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-2007" + }, + { + "url": "https://github.com/torvalds/linux/commit/b04e75a4a8a81887386a0d2dbf605a48e779d2a0" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240119-0011/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5480" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-2007 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-2007", + "desc": "The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-2007\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-2007\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-2007\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-2007\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-2007\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/torvalds/linux/commit/b04e75a4a8a81887386a0d2dbf605a48e779d2a0\",\n \"https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html\",\n \"https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html\",\n \"https://security.netapp.com/advisory/ntap-20240119-0011/\",\n \"https://www.debian.org/security/2023/dsa-5480\"\n ],\n \"description\": \"The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-2007\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-20569", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-20569" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/08/08/4" + }, + { + "url": "http://xenbits.xen.org/xsa/advisory-434.html" + }, + { + "url": "https://comsec.ethz.ch/research/microarch/inception/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00013.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HKKYIK2EASDNUV4I7EFJKNBVO3KCKGRR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4E4TZNMLYL2KETY23IPA43QXFAVJ46V/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKK3IA63LSKM4EC3TN4UM6DDEIOWEQIG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7WO5JM74YJSYAE5RBV4DC6A4YLEKWLF/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240605-0006/" + }, + { + "url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-7005" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5475" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-20569 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-20569", + "desc": "\n\n\nA side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-20569\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-20569\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-20569\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-20569\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-20569\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2023/08/08/4\",\n \"http://xenbits.xen.org/xsa/advisory-434.html\",\n \"https://comsec.ethz.ch/research/microarch/inception/\",\n \"https://lists.debian.org/debian-lts-announce/2023/08/msg00013.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HKKYIK2EASDNUV4I7EFJKNBVO3KCKGRR/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4E4TZNMLYL2KETY23IPA43QXFAVJ46V/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKK3IA63LSKM4EC3TN4UM6DDEIOWEQIG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7WO5JM74YJSYAE5RBV4DC6A4YLEKWLF/\",\n \"https://security.netapp.com/advisory/ntap-20240605-0006/\",\n \"https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-7005\",\n \"https://www.debian.org/security/2023/dsa-5475\"\n ],\n \"description\": \"\\n\\n\\nA side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-20569\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-26242", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-26242" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1208518" + }, + { + "url": "https://patchwork.kernel.org/project/linux-fpga/patch/20230206054326.89323-1-k1rh4.lee%40gmail.com" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230406-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-26242 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-26242", + "desc": "afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-26242\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-26242\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-26242\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-26242\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-26242\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.suse.com/show_bug.cgi?id=1208518\",\n \"https://patchwork.kernel.org/project/linux-fpga/patch/20230206054326.89323-1-k1rh4.lee%40gmail.com\",\n \"https://security.netapp.com/advisory/ntap-20230406-0002/\"\n ],\n \"description\": \"afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-26242\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-28327", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-28327" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177382" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-28327 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-28327", + "desc": "A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-28327\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-28327\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-28327\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-28327\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-28327\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2177382\"\n ],\n \"description\": \"A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-28327\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-31082", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-31082" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1210781" + }, + { + "url": "https://lore.kernel.org/all/CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ_7MNqhh483P5yN8A%40mail.gmail.com/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230929-0003/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-31082 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-31082", + "desc": "An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-31082\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-31082\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-31082\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-31082\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-31082\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.suse.com/show_bug.cgi?id=1210781\",\n \"https://lore.kernel.org/all/CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ_7MNqhh483P5yN8A%40mail.gmail.com/\",\n \"https://security.netapp.com/advisory/ntap-20230929-0003/\"\n ],\n \"description\": \"An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-31082\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-33053", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-33053" + }, + { + "url": "https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-33053 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-33053", + "desc": "Memory corruption in Kernel while parsing metadata.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-33053\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-33053\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-33053\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-33053\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-33053\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin\"\n ],\n \"description\": \"Memory corruption in Kernel while parsing metadata.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"product-security@qualcomm.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-33053\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-3397", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-3397" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-3397" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217271" + }, + { + "url": "https://www.spinics.net/lists/kernel/msg4788636.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-3397 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-3397", + "desc": "A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-3397\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-3397\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-3397\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-3397\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-3397\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2023-3397\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2217271\",\n \"https://www.spinics.net/lists/kernel/msg4788636.html\"\n ],\n \"description\": \"A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.3,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-3397\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-3640", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-3640" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-3640" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217523" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-3640 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-3640", + "desc": "A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-3640\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-3640\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-3640\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-3640\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-3640\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2023-3640\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2217523\"\n ],\n \"description\": \"A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-3640\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-38417", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-38417" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-38417 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-38417", + "desc": "Improper input validation for some Intel(R) PROSet/Wireless WiFi software before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-38417\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-38417\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-38417\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-38417\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-38417\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html\"\n ],\n \"description\": \"Improper input validation for some Intel(R) PROSet/Wireless WiFi software before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.\",\n \"cvss\": [\n {\n \"source\": \"secure@intel.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 4.3,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-38417\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-4010", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-4010" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4010" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2227726" + }, + { + "url": "https://github.com/wanrenmi/a-usb-kernel-bug" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-4010 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-4010", + "desc": "A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-4010\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-4010\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-4010\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-4010\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-4010\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2023-4010\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2227726\",\n \"https://github.com/wanrenmi/a-usb-kernel-bug\"\n ],\n \"description\": \"A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4010\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-4133", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-4133" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2950" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3138" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4133" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221702" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-4133 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-4133", + "desc": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-4133\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-4133\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-4133\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-4133\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-4133\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:2394\",\n \"https://access.redhat.com/errata/RHSA-2024:2950\",\n \"https://access.redhat.com/errata/RHSA-2024:3138\",\n \"https://access.redhat.com/security/cve/CVE-2023-4133\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2221702\"\n ],\n \"description\": \"A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-4133\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-44452", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-44452" + }, + { + "url": "https://github.com/linuxmint/xreader/commit/cd678889ecfe4e84a5cbcf3a0489e15a5e2e3736" + }, + { + "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1836/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-44452 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-44452", + "desc": "Linux Mint Xreader CBT File Parsing Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22132.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-44452\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-44452\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-44452\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-44452\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-44452\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://github.com/linuxmint/xreader/commit/cd678889ecfe4e84a5cbcf3a0489e15a5e2e3736\",\n \"https://www.zerodayinitiative.com/advisories/ZDI-23-1836/\"\n ],\n \"description\": \"Linux Mint Xreader CBT File Parsing Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\\n\\nThe specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22132.\",\n \"cvss\": [\n {\n \"source\": \"zdi-disclosures@trendmicro.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.0\",\n \"vector\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-44452\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-47210", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-47210" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-47210 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-47210", + "desc": "Improper input validation for some Intel(R) PROSet/Wireless WiFi software for linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-47210\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-47210\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-47210\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-47210\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-47210\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html\"\n ],\n \"description\": \"Improper input validation for some Intel(R) PROSet/Wireless WiFi software for linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.\",\n \"cvss\": [\n {\n \"source\": \"secure@intel.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-47210\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52438", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52438" + }, + { + "url": "https://git.kernel.org/stable/c/3f489c2067c5824528212b0fc18b28d51332d906" + }, + { + "url": "https://git.kernel.org/stable/c/8ad4d580e8aff8de2a4d57c5930fcc29f1ffd4a6" + }, + { + "url": "https://git.kernel.org/stable/c/9fa04c93f24138747807fe75b5591bb680098f56" + }, + { + "url": "https://git.kernel.org/stable/c/a49087ab93508b60d9b8add91707a22dda832869" + }, + { + "url": "https://git.kernel.org/stable/c/a53e15e592b4dcc91c3a3b8514e484a0bdbc53a3" + }, + { + "url": "https://git.kernel.org/stable/c/c8c1158ffb007197f31f9d9170cf13e4f34cbb5c" + }, + { + "url": "https://git.kernel.org/stable/c/e074686e993ff1be5f21b085a3b1b4275ccd5727" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52438 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52438", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in shinker's callback\n\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\n\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n Read of size 8 at addr ffff356ed50e50f0 by task bash/478\n\n CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n zap_page_range_single+0x470/0x4b8\n binder_alloc_free_page+0x608/0xadc\n __list_lru_walk_one+0x130/0x3b0\n list_lru_walk_node+0xc4/0x22c\n binder_shrink_scan+0x108/0x1dc\n shrinker_debugfs_scan_write+0x2b4/0x500\n full_proxy_write+0xd4/0x140\n vfs_write+0x1ac/0x758\n ksys_write+0xf0/0x1dc\n __arm64_sys_write+0x6c/0x9c\n\n Allocated by task 492:\n kmem_cache_alloc+0x130/0x368\n vm_area_alloc+0x2c/0x190\n mmap_region+0x258/0x18bc\n do_mmap+0x694/0xa60\n vm_mmap_pgoff+0x170/0x29c\n ksys_mmap_pgoff+0x290/0x3a0\n __arm64_sys_mmap+0xcc/0x144\n\n Freed by task 491:\n kmem_cache_free+0x17c/0x3c8\n vm_area_free_rcu_cb+0x74/0x98\n rcu_core+0xa38/0x26d4\n rcu_core_si+0x10/0x1c\n __do_softirq+0x2fc/0xd24\n\n Last potentially related work creation:\n __call_rcu_common.constprop.0+0x6c/0xba0\n call_rcu+0x10/0x1c\n vm_area_free+0x18/0x24\n remove_vma+0xe4/0x118\n do_vmi_align_munmap.isra.0+0x718/0xb5c\n do_vmi_munmap+0xdc/0x1fc\n __vm_munmap+0x10c/0x278\n __arm64_sys_munmap+0x58/0x7c\n\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52438\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52438\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52438\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52438\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52438\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f489c2067c5824528212b0fc18b28d51332d906\",\n \"https://git.kernel.org/stable/c/8ad4d580e8aff8de2a4d57c5930fcc29f1ffd4a6\",\n \"https://git.kernel.org/stable/c/9fa04c93f24138747807fe75b5591bb680098f56\",\n \"https://git.kernel.org/stable/c/a49087ab93508b60d9b8add91707a22dda832869\",\n \"https://git.kernel.org/stable/c/a53e15e592b4dcc91c3a3b8514e484a0bdbc53a3\",\n \"https://git.kernel.org/stable/c/c8c1158ffb007197f31f9d9170cf13e4f34cbb5c\",\n \"https://git.kernel.org/stable/c/e074686e993ff1be5f21b085a3b1b4275ccd5727\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbinder: fix use-after-free in shinker's callback\\n\\nThe mmap read lock is used during the shrinker's callback, which means\\nthat using alloc->vma pointer isn't safe as it can race with munmap().\\nAs of commit dd2283f2605e (\\\"mm: mmap: zap pages with read mmap_sem in\\nmunmap\\\") the mmap lock is downgraded after the vma has been isolated.\\n\\nI was able to reproduce this issue by manually adding some delays and\\ntriggering page reclaiming through the shrinker's debug sysfs. The\\nfollowing KASAN report confirms the UAF:\\n\\n ==================================================================\\n BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\\n Read of size 8 at addr ffff356ed50e50f0 by task bash/478\\n\\n CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\\n Hardware name: linux,dummy-virt (DT)\\n Call trace:\\n zap_page_range_single+0x470/0x4b8\\n binder_alloc_free_page+0x608/0xadc\\n __list_lru_walk_one+0x130/0x3b0\\n list_lru_walk_node+0xc4/0x22c\\n binder_shrink_scan+0x108/0x1dc\\n shrinker_debugfs_scan_write+0x2b4/0x500\\n full_proxy_write+0xd4/0x140\\n vfs_write+0x1ac/0x758\\n ksys_write+0xf0/0x1dc\\n __arm64_sys_write+0x6c/0x9c\\n\\n Allocated by task 492:\\n kmem_cache_alloc+0x130/0x368\\n vm_area_alloc+0x2c/0x190\\n mmap_region+0x258/0x18bc\\n do_mmap+0x694/0xa60\\n vm_mmap_pgoff+0x170/0x29c\\n ksys_mmap_pgoff+0x290/0x3a0\\n __arm64_sys_mmap+0xcc/0x144\\n\\n Freed by task 491:\\n kmem_cache_free+0x17c/0x3c8\\n vm_area_free_rcu_cb+0x74/0x98\\n rcu_core+0xa38/0x26d4\\n rcu_core_si+0x10/0x1c\\n __do_softirq+0x2fc/0xd24\\n\\n Last potentially related work creation:\\n __call_rcu_common.constprop.0+0x6c/0xba0\\n call_rcu+0x10/0x1c\\n vm_area_free+0x18/0x24\\n remove_vma+0xe4/0x118\\n do_vmi_align_munmap.isra.0+0x718/0xb5c\\n do_vmi_munmap+0xdc/0x1fc\\n __vm_munmap+0x10c/0x278\\n __arm64_sys_munmap+0x58/0x7c\\n\\nFix this issue by performing instead a vma_lookup() which will fail to\\nfind the vma that was isolated before the mmap lock downgrade. Note that\\nthis option has better performance than upgrading to a mmap write lock\\nwhich would increase contention. Plus, mmap_write_trylock() has been\\nrecently removed anyway.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52438\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52439", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52439" + }, + { + "url": "https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2" + }, + { + "url": "https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea" + }, + { + "url": "https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c" + }, + { + "url": "https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad" + }, + { + "url": "https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7" + }, + { + "url": "https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570" + }, + { + "url": "https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41" + }, + { + "url": "https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52439 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52439", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: Fix use-after-free in uio_open\n\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\n\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n freed.\n\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52439\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52439\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52439\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52439\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52439\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2\",\n \"https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea\",\n \"https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c\",\n \"https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad\",\n \"https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7\",\n \"https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570\",\n \"https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41\",\n \"https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nuio: Fix use-after-free in uio_open\\n\\ncore-1\\t\\t\\t\\tcore-2\\n-------------------------------------------------------\\nuio_unregister_device\\t\\tuio_open\\n\\t\\t\\t\\tidev = idr_find()\\ndevice_unregister(&idev->dev)\\nput_device(&idev->dev)\\nuio_device_release\\n\\t\\t\\t\\tget_device(&idev->dev)\\nkfree(idev)\\nuio_free_minor(minor)\\n\\t\\t\\t\\tuio_release\\n\\t\\t\\t\\tput_device(&idev->dev)\\n\\t\\t\\t\\tkfree(idev)\\n-------------------------------------------------------\\n\\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\\nidev when the idev->dev kobject ref is 1. But after core-1\\ndevice_unregister, put_device and before doing kfree, the core-2 may\\nget_device. Then:\\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\\n2. When core-2 do uio_release and put_device, the idev will be double\\n freed.\\n\\nTo address this issue, we can get idev atomic & inc idev reference with\\nminor_lock.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52439\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52452", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52452" + }, + { + "url": "https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19" + }, + { + "url": "https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529" + }, + { + "url": "https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52452 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52452", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52452\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52452\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52452\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52452\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52452\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19\",\n \"https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529\",\n \"https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix accesses to uninit stack slots\\n\\nPrivileged programs are supposed to be able to read uninitialized stack\\nmemory (ever since 6715df8d5) but, before this patch, these accesses\\nwere permitted inconsistently. In particular, accesses were permitted\\nabove state->allocated_stack, but not below it. In other words, if the\\nstack was already \\\"large enough\\\", the access was permitted, but\\notherwise the access was rejected instead of being allowed to \\\"grow the\\nstack\\\". This undesired rejection was happening in two places:\\n- in check_stack_slot_within_bounds()\\n- in check_stack_range_initialized()\\nThis patch arranges for these accesses to be permitted. A bunch of tests\\nthat were relying on the old rejection had to change; all of them were\\nchanged to add also run unprivileged, in which case the old behavior\\npersists. One tests couldn't be updated - global_func16 - because it\\ncan't run unprivileged for other reasons.\\n\\nThis patch also fixes the tracking of the stack size for variable-offset\\nreads. This second fix is bundled in the same commit as the first one\\nbecause they're inter-related. Before this patch, writes to the stack\\nusing registers containing a variable offset (as opposed to registers\\nwith fixed, known values) were not properly contributing to the\\nfunction's needed stack size. As a result, it was possible for a program\\nto verify, but then to attempt to read out-of-bounds data at runtime\\nbecause a too small stack had been allocated for it.\\n\\nEach function tracks the size of the stack it needs in\\nbpf_subprog_info.stack_depth, which is maintained by\\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\\nwas calling update_state_depth() but it was passing in only the fixed\\npart of the offset register, ignoring the variable offset. This was\\nincorrect; the minimum possible value of that register should be used\\ninstead.\\n\\nThis tracking is now fixed by centralizing the tracking of stack size in\\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\\nnow simpler and more convincingly tracks the correct maximum stack size.\\ncheck_stack_range_initialized() can now rely on enough stack having been\\nallocated for the access; this helps with the fix for the first issue.\\n\\nA few tests were changed to also check the stack depth computation. The\\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52452\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52475", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52475" + }, + { + "url": "https://git.kernel.org/stable/c/2efe67c581a2a6122b328d4bb6f21b3f36f40d46" + }, + { + "url": "https://git.kernel.org/stable/c/5aa514100aaf59868d745196258269a16737c7bd" + }, + { + "url": "https://git.kernel.org/stable/c/5c15c60e7be615f05a45cd905093a54b11f461bc" + }, + { + "url": "https://git.kernel.org/stable/c/67cace72606baf1758fd60feb358f4c6be92e1cc" + }, + { + "url": "https://git.kernel.org/stable/c/6a4a396386404e62fb59bc3bde48871a64a82b4f" + }, + { + "url": "https://git.kernel.org/stable/c/8677575c4f39d65bf0d719b5d20e8042e550ccb9" + }, + { + "url": "https://git.kernel.org/stable/c/cd2fbfd8b922b7fdd50732e47d797754ab59cb06" + }, + { + "url": "https://git.kernel.org/stable/c/e528b1b9d60743e0b26224e3fe7aa74c24b8b2f8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52475 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52475", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: powermate - fix use-after-free in powermate_config_complete\n\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct. When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\n\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\n\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52475\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52475\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52475\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52475\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52475\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2efe67c581a2a6122b328d4bb6f21b3f36f40d46\",\n \"https://git.kernel.org/stable/c/5aa514100aaf59868d745196258269a16737c7bd\",\n \"https://git.kernel.org/stable/c/5c15c60e7be615f05a45cd905093a54b11f461bc\",\n \"https://git.kernel.org/stable/c/67cace72606baf1758fd60feb358f4c6be92e1cc\",\n \"https://git.kernel.org/stable/c/6a4a396386404e62fb59bc3bde48871a64a82b4f\",\n \"https://git.kernel.org/stable/c/8677575c4f39d65bf0d719b5d20e8042e550ccb9\",\n \"https://git.kernel.org/stable/c/cd2fbfd8b922b7fdd50732e47d797754ab59cb06\",\n \"https://git.kernel.org/stable/c/e528b1b9d60743e0b26224e3fe7aa74c24b8b2f8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nInput: powermate - fix use-after-free in powermate_config_complete\\n\\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\\nhappens when the device is disconnected, which leads to a memory free from\\nthe powermate_device struct. When an asynchronous control message\\ncompletes after the kfree and its callback is invoked, the lock does not\\nexist anymore and hence the bug.\\n\\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\\ndevice disconnection.\\n\\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52475\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52476", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52476" + }, + { + "url": "https://git.kernel.org/stable/c/3863989497652488a50f00e96de4331e5efabc6c" + }, + { + "url": "https://git.kernel.org/stable/c/403d201d1fd144cb249836dafb222f6375871c6c" + }, + { + "url": "https://git.kernel.org/stable/c/e53899771a02f798d436655efbd9d4b46c0f9265" + }, + { + "url": "https://git.kernel.org/stable/c/f71edacbd4f99c0e12fe4a4007ab4d687d0688db" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52476 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52476", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/lbr: Filter vsyscall addresses\n\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\n\n __insn_get_emulate_prefix()\n insn_get_emulate_prefix()\n insn_get_prefixes()\n insn_get_opcode()\n decode_branch_type()\n get_branch_type()\n intel_pmu_lbr_filter()\n intel_pmu_handle_irq()\n perf_event_nmi_handler()\n\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\n\n peek_nbyte_next(insn_byte_t, insn, i)\n\nWithin this macro, this dereference occurs:\n\n (insn)->next_byte\n\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\n\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52476\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52476\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52476\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52476\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52476\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3863989497652488a50f00e96de4331e5efabc6c\",\n \"https://git.kernel.org/stable/c/403d201d1fd144cb249836dafb222f6375871c6c\",\n \"https://git.kernel.org/stable/c/e53899771a02f798d436655efbd9d4b46c0f9265\",\n \"https://git.kernel.org/stable/c/f71edacbd4f99c0e12fe4a4007ab4d687d0688db\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf/x86/lbr: Filter vsyscall addresses\\n\\nWe found that a panic can occur when a vsyscall is made while LBR sampling\\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\\ncall sequence can occur (most recent at top):\\n\\n __insn_get_emulate_prefix()\\n insn_get_emulate_prefix()\\n insn_get_prefixes()\\n insn_get_opcode()\\n decode_branch_type()\\n get_branch_type()\\n intel_pmu_lbr_filter()\\n intel_pmu_handle_irq()\\n perf_event_nmi_handler()\\n\\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\\n\\n peek_nbyte_next(insn_byte_t, insn, i)\\n\\nWithin this macro, this dereference occurs:\\n\\n (insn)->next_byte\\n\\nInspecting registers at this point, the value of the next_byte field is the\\naddress of the vsyscall made, for example the location of the vsyscall\\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\\nin the vsyscall region will trigger an oops due to an unhandled page fault.\\n\\nTo fix the bug, filtering for vsyscalls can be done when\\ndetermining the branch type. This patch will return\\na \\\"none\\\" branch if a kernel address if found to lie in the\\nvsyscall region.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52476\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52477", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52477" + }, + { + "url": "https://git.kernel.org/stable/c/136f69a04e71ba3458d137aec3bb2ce1232c0289" + }, + { + "url": "https://git.kernel.org/stable/c/241f230324337ed5eae3846a554fb6d15169872c" + }, + { + "url": "https://git.kernel.org/stable/c/528f0ba9f7a4bc1b61c9b6eb591ff97ca37cac6b" + }, + { + "url": "https://git.kernel.org/stable/c/6ad3e9fd3632106696692232bf7ff88b9f7e1bc3" + }, + { + "url": "https://git.kernel.org/stable/c/8e7346bfea56453e31b7421c1c17ca2fb9ed613d" + }, + { + "url": "https://git.kernel.org/stable/c/c64e4dca9aefd232b17ac4c779b608b286654e81" + }, + { + "url": "https://git.kernel.org/stable/c/f74a7afc224acd5e922c7a2e52244d891bbe44ee" + }, + { + "url": "https://git.kernel.org/stable/c/fb9895ab9533534335fa83d70344b397ac862c81" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52477 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52477", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: hub: Guard against accesses to uninitialized BOS descriptors\n\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 \nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\n\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52477\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52477\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52477\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52477\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52477\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/136f69a04e71ba3458d137aec3bb2ce1232c0289\",\n \"https://git.kernel.org/stable/c/241f230324337ed5eae3846a554fb6d15169872c\",\n \"https://git.kernel.org/stable/c/528f0ba9f7a4bc1b61c9b6eb591ff97ca37cac6b\",\n \"https://git.kernel.org/stable/c/6ad3e9fd3632106696692232bf7ff88b9f7e1bc3\",\n \"https://git.kernel.org/stable/c/8e7346bfea56453e31b7421c1c17ca2fb9ed613d\",\n \"https://git.kernel.org/stable/c/c64e4dca9aefd232b17ac4c779b608b286654e81\",\n \"https://git.kernel.org/stable/c/f74a7afc224acd5e922c7a2e52244d891bbe44ee\",\n \"https://git.kernel.org/stable/c/fb9895ab9533534335fa83d70344b397ac862c81\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: hub: Guard against accesses to uninitialized BOS descriptors\\n\\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\\naccess fields inside udev->bos without checking if it was allocated and\\ninitialized. If usb_get_bos_descriptor() fails for whatever\\nreason, udev->bos will be NULL and those accesses will result in a\\ncrash:\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000018\\nPGD 0 P4D 0\\nOops: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 \\nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\\nWorkqueue: usb_hub_wq hub_event\\nRIP: 0010:hub_port_reset+0x193/0x788\\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\\nCall Trace:\\nhub_event+0x73f/0x156e\\n? hub_activate+0x5b7/0x68f\\nprocess_one_work+0x1a2/0x487\\nworker_thread+0x11a/0x288\\nkthread+0x13a/0x152\\n? process_one_work+0x487/0x487\\n? kthread_associate_blkcg+0x70/0x70\\nret_from_fork+0x1f/0x30\\n\\nFall back to a default behavior if the BOS descriptor isn't accessible\\nand skip all the functionalities that depend on it: LPM support checks,\\nSuper Speed capabilitiy checks, U1/U2 states setup.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52477\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52478", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52478" + }, + { + "url": "https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1" + }, + { + "url": "https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528" + }, + { + "url": "https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c" + }, + { + "url": "https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5" + }, + { + "url": "https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b" + }, + { + "url": "https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452" + }, + { + "url": "https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e" + }, + { + "url": "https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52478 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52478", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\n\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\n\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\n\nThis opens the following races (note the below code is simplified):\n\n1. Retrieving + printing the protocol (harmless race):\n\n\tif (!hidpp->protocol_major) {\n\t\thidpp_root_get_protocol_version()\n\t\thidpp->protocol_major = response.rap.params[0];\n\t}\n\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n\nTesting with extra logging added has shown that after this the 2 threads\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n\n2. Updating the name to the HIDPP name (harmless race):\n\n\tif (hidpp->name == hdev->name) {\n\t\t...\n\t\thidpp->name = new_name;\n\t}\n\n3. Initializing the power_supply class for the battery (problematic!):\n\nhidpp_initialize_battery()\n{\n if (hidpp->battery.ps)\n return 0;\n\n\tprobe_battery(); /* Blocks, threads take turns executing this */\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n}\n\n4. Creating delayed input_device (potentially problematic):\n\n\tif (hidpp->delayed_input)\n\t\treturn;\n\n\thidpp->delayed_input = hidpp_allocate_input(hdev);\n\nThe really big problem here is 3. Hitting the race leads to the following\nsequence:\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n\n\t...\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace's pov but this is not even\nthe really big problem.\n\nNotice how:\n\n1. This is all devm-maganaged\n2. The hidpp->battery.desc struct is shared between the 2 power supplies\n3. hidpp->battery.desc.properties points to the result from the second\n devm_kmemdup()\n\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\n hidpp->battery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\n this involves sending a remove uevent to userspace which invokes\n power_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp->battery.desc.properties which\n now points to freed memory leading to backtraces like this one:\n\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel: \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52478\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52478\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52478\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52478\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52478\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1\",\n \"https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528\",\n \"https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c\",\n \"https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5\",\n \"https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b\",\n \"https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452\",\n \"https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e\",\n \"https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\\n\\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\\nraces when it races with itself.\\n\\nhidpp_connect_event() primarily runs from a workqueue but it also runs\\non probe() and if a \\\"device-connected\\\" packet is received by the hw\\nwhen the thread running hidpp_connect_event() from probe() is waiting on\\nthe hw, then a second thread running hidpp_connect_event() will be\\nstarted from the workqueue.\\n\\nThis opens the following races (note the below code is simplified):\\n\\n1. Retrieving + printing the protocol (harmless race):\\n\\n\\tif (!hidpp->protocol_major) {\\n\\t\\thidpp_root_get_protocol_version()\\n\\t\\thidpp->protocol_major = response.rap.params[0];\\n\\t}\\n\\nWe can actually see this race hit in the dmesg in the abrt output\\nattached to rhbz#2227968:\\n\\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\\n\\nTesting with extra logging added has shown that after this the 2 threads\\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\\nthrough all the other TOCTOU cases managing to hit all of them:\\n\\n2. Updating the name to the HIDPP name (harmless race):\\n\\n\\tif (hidpp->name == hdev->name) {\\n\\t\\t...\\n\\t\\thidpp->name = new_name;\\n\\t}\\n\\n3. Initializing the power_supply class for the battery (problematic!):\\n\\nhidpp_initialize_battery()\\n{\\n if (hidpp->battery.ps)\\n return 0;\\n\\n\\tprobe_battery(); /* Blocks, threads take turns executing this */\\n\\n\\thidpp->battery.desc.properties =\\n\\t\\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\\n\\n\\thidpp->battery.ps =\\n\\t\\tdevm_power_supply_register(&hidpp->hid_dev->dev,\\n\\t\\t\\t\\t\\t &hidpp->battery.desc, cfg);\\n}\\n\\n4. Creating delayed input_device (potentially problematic):\\n\\n\\tif (hidpp->delayed_input)\\n\\t\\treturn;\\n\\n\\thidpp->delayed_input = hidpp_allocate_input(hdev);\\n\\nThe really big problem here is 3. Hitting the race leads to the following\\nsequence:\\n\\n\\thidpp->battery.desc.properties =\\n\\t\\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\\n\\n\\thidpp->battery.ps =\\n\\t\\tdevm_power_supply_register(&hidpp->hid_dev->dev,\\n\\t\\t\\t\\t\\t &hidpp->battery.desc, cfg);\\n\\n\\t...\\n\\n\\thidpp->battery.desc.properties =\\n\\t\\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\\n\\n\\thidpp->battery.ps =\\n\\t\\tdevm_power_supply_register(&hidpp->hid_dev->dev,\\n\\t\\t\\t\\t\\t &hidpp->battery.desc, cfg);\\n\\nSo now we have registered 2 power supplies for the same battery,\\nwhich looks a bit weird from userspace's pov but this is not even\\nthe really big problem.\\n\\nNotice how:\\n\\n1. This is all devm-maganaged\\n2. The hidpp->battery.desc struct is shared between the 2 power supplies\\n3. hidpp->battery.desc.properties points to the result from the second\\n devm_kmemdup()\\n\\nThis causes a use after free scenario on USB disconnect of the receiver:\\n1. The last registered power supply class device gets unregistered\\n2. The memory from the last devm_kmemdup() call gets freed,\\n hidpp->battery.desc.properties now points to freed memory\\n3. The first registered power supply class device gets unregistered,\\n this involves sending a remove uevent to userspace which invokes\\n power_supply_uevent() to fill the uevent data\\n4. power_supply_uevent() uses hidpp->battery.desc.properties which\\n now points to freed memory leading to backtraces like this one:\\n\\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\\n...\\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\\n...\\nSep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30\\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0\\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0\\nSep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0\\nSep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680\\nSep 22 20:01:35 eric kernel: \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52478\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52479", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52479" + }, + { + "url": "https://git.kernel.org/stable/c/694e13732e830cbbfedb562e57f28644927c33fd" + }, + { + "url": "https://git.kernel.org/stable/c/8226ffc759ea59f10067b9acdf7f94bae1c69930" + }, + { + "url": "https://git.kernel.org/stable/c/c69813471a1ec081a0b9bf0c6bd7e8afd818afce" + }, + { + "url": "https://git.kernel.org/stable/c/d5b0e9d3563e7e314a850e81f42b2ef6f39882f9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52479 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52479", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix uaf in smb20_oplock_break_ack\n\ndrop reference after use opinfo.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52479\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52479\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52479\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52479\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52479\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/694e13732e830cbbfedb562e57f28644927c33fd\",\n \"https://git.kernel.org/stable/c/8226ffc759ea59f10067b9acdf7f94bae1c69930\",\n \"https://git.kernel.org/stable/c/c69813471a1ec081a0b9bf0c6bd7e8afd818afce\",\n \"https://git.kernel.org/stable/c/d5b0e9d3563e7e314a850e81f42b2ef6f39882f9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: fix uaf in smb20_oplock_break_ack\\n\\ndrop reference after use opinfo.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52479\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52481", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52481" + }, + { + "url": "https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25" + }, + { + "url": "https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513" + }, + { + "url": "https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52481 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52481", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\n\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\naffected Cortex-A520 core, a speculatively executed unprivileged load\nmight leak data from a privileged load via a cache side channel. The\nissue only exists for loads within a translation regime with the same\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\nthe return to EL0.\n\nThe workaround is to execute a TLBI before returning to EL0 after all\nloads of privileged data. A non-shareable TLBI to any address is\nsufficient.\n\nThe workaround isn't necessary if page table isolation (KPTI) is\nenabled, but for simplicity it will be. Page table isolation should\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\nand the E0PD feature (used when KASLR is enabled).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52481\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52481\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52481\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52481\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52481\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25\",\n \"https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513\",\n \"https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\\n\\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\\naffected Cortex-A520 core, a speculatively executed unprivileged load\\nmight leak data from a privileged load via a cache side channel. The\\nissue only exists for loads within a translation regime with the same\\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\\nthe return to EL0.\\n\\nThe workaround is to execute a TLBI before returning to EL0 after all\\nloads of privileged data. A non-shareable TLBI to any address is\\nsufficient.\\n\\nThe workaround isn't necessary if page table isolation (KPTI) is\\nenabled, but for simplicity it will be. Page table isolation should\\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\\nand the E0PD feature (used when KASLR is enabled).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52481\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52482", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52482" + }, + { + "url": "https://git.kernel.org/stable/c/6ce2f297a7168274547d0b5aea6c7c16268b8a96" + }, + { + "url": "https://git.kernel.org/stable/c/a5ef7d68cea1344cf524f04981c2b3f80bedbb0d" + }, + { + "url": "https://git.kernel.org/stable/c/cf43b304b6952b549d58feabc342807b334f03d4" + }, + { + "url": "https://git.kernel.org/stable/c/e7ea043bc3f19473561c08565047b3f1671bf35d" + }, + { + "url": "https://git.kernel.org/stable/c/f090a8b4d2e3ec6f318d6fdab243a2edc5a8cc37" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52482 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52482", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/srso: Add SRSO mitigation for Hygon processors\n\nAdd mitigation for the speculative return stack overflow vulnerability\nwhich exists on Hygon processors too.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52482\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52482\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52482\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52482\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52482\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6ce2f297a7168274547d0b5aea6c7c16268b8a96\",\n \"https://git.kernel.org/stable/c/a5ef7d68cea1344cf524f04981c2b3f80bedbb0d\",\n \"https://git.kernel.org/stable/c/cf43b304b6952b549d58feabc342807b334f03d4\",\n \"https://git.kernel.org/stable/c/e7ea043bc3f19473561c08565047b3f1671bf35d\",\n \"https://git.kernel.org/stable/c/f090a8b4d2e3ec6f318d6fdab243a2edc5a8cc37\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/srso: Add SRSO mitigation for Hygon processors\\n\\nAdd mitigation for the speculative return stack overflow vulnerability\\nwhich exists on Hygon processors too.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52482\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52483", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52483" + }, + { + "url": "https://git.kernel.org/stable/c/1db0724a01b558feb1ecae551782add1951a114a" + }, + { + "url": "https://git.kernel.org/stable/c/2405f64a95a7a094eb24cba9bcfaffd1ea264de4" + }, + { + "url": "https://git.kernel.org/stable/c/5093bbfc10ab6636b32728e35813cbd79feb063c" + }, + { + "url": "https://git.kernel.org/stable/c/6c52b12159049046483fdb0c411a0a1869c41a67" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52483 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52483", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: perform route lookups under a RCU read-side lock\n\nOur current route lookups (mctp_route_lookup and mctp_route_lookup_null)\ntraverse the net's route list without the RCU read lock held. This means\nthe route lookup is subject to preemption, resulting in an potential\ngrace period expiry, and so an eventual kfree() while we still have the\nroute pointer.\n\nAdd the proper read-side critical section locks around the route\nlookups, preventing premption and a possible parallel kfree.\n\nThe remaining net->mctp.routes accesses are already under a\nrcu_read_lock, or protected by the RTNL for updates.\n\nBased on an analysis from Sili Luo , where\nintroducing a delay in the route lookup could cause a UAF on\nsimultaneous sendmsg() and route deletion.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52483\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52483\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52483\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52483\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52483\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1db0724a01b558feb1ecae551782add1951a114a\",\n \"https://git.kernel.org/stable/c/2405f64a95a7a094eb24cba9bcfaffd1ea264de4\",\n \"https://git.kernel.org/stable/c/5093bbfc10ab6636b32728e35813cbd79feb063c\",\n \"https://git.kernel.org/stable/c/6c52b12159049046483fdb0c411a0a1869c41a67\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmctp: perform route lookups under a RCU read-side lock\\n\\nOur current route lookups (mctp_route_lookup and mctp_route_lookup_null)\\ntraverse the net's route list without the RCU read lock held. This means\\nthe route lookup is subject to preemption, resulting in an potential\\ngrace period expiry, and so an eventual kfree() while we still have the\\nroute pointer.\\n\\nAdd the proper read-side critical section locks around the route\\nlookups, preventing premption and a possible parallel kfree.\\n\\nThe remaining net->mctp.routes accesses are already under a\\nrcu_read_lock, or protected by the RTNL for updates.\\n\\nBased on an analysis from Sili Luo , where\\nintroducing a delay in the route lookup could cause a UAF on\\nsimultaneous sendmsg() and route deletion.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52483\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52484", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52484" + }, + { + "url": "https://git.kernel.org/stable/c/3283a1bce9bbc978059f790b84f3c10c32492429" + }, + { + "url": "https://git.kernel.org/stable/c/d5afb4b47e13161b3f33904d45110f9e6463bad6" + }, + { + "url": "https://git.kernel.org/stable/c/f5a604757aa8e37ea9c7011dc9da54fa1b30f29b" + }, + { + "url": "https://git.kernel.org/stable/c/f90f4c562003ac3d3b135c5a40a5383313f27264" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52484 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52484", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\n\nWhen running an SVA case, the following soft lockup is triggered:\n--------------------------------------------------------------------\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\nsp : ffff8000d83ef290\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\nx26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\n __arm_smmu_tlb_inv_range+0x118/0x254\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\n arm_smmu_mm_invalidate_range+0xa0/0xa4\n __mmu_notifier_invalidate_range_end+0x88/0x120\n unmap_vmas+0x194/0x1e0\n unmap_region+0xb4/0x144\n do_mas_align_munmap+0x290/0x490\n do_mas_munmap+0xbc/0x124\n __vm_munmap+0xa8/0x19c\n __arm64_sys_munmap+0x28/0x50\n invoke_syscall+0x78/0x11c\n el0_svc_common.constprop.0+0x58/0x1c0\n do_el0_svc+0x34/0x60\n el0_svc+0x2c/0xd4\n el0t_64_sync_handler+0x114/0x140\n el0t_64_sync+0x1a4/0x1a8\n--------------------------------------------------------------------\n\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\nto \"arm_smmu_mm_arch_invalidate_secondary_tlbs\", yet the problem remains.\n\nThe commit 06ff87bae8d3 (\"arm64: mm: remove unused functions and variable\nprotoypes\") fixed a similar lockup on the CPU MMU side. Yet, it can occur\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\ntypically next to MMU tlb flush function, e.g.\n\ttlb_flush_mmu_tlbonly {\n\t\ttlb_flush {\n\t\t\t__flush_tlb_range {\n\t\t\t\t// check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t\tmmu_notifier_arch_invalidate_secondary_tlbs {\n\t\t\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\n\t\t\t\t// does not check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t}\n\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\nTLBI command, if the request size hits this threshold.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52484\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52484\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52484\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52484\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52484\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3283a1bce9bbc978059f790b84f3c10c32492429\",\n \"https://git.kernel.org/stable/c/d5afb4b47e13161b3f33904d45110f9e6463bad6\",\n \"https://git.kernel.org/stable/c/f5a604757aa8e37ea9c7011dc9da54fa1b30f29b\",\n \"https://git.kernel.org/stable/c/f90f4c562003ac3d3b135c5a40a5383313f27264\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\\n\\nWhen running an SVA case, the following soft lockup is triggered:\\n--------------------------------------------------------------------\\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\\nsp : ffff8000d83ef290\\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\\nx26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\\nCall trace:\\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\\n __arm_smmu_tlb_inv_range+0x118/0x254\\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\\n arm_smmu_mm_invalidate_range+0xa0/0xa4\\n __mmu_notifier_invalidate_range_end+0x88/0x120\\n unmap_vmas+0x194/0x1e0\\n unmap_region+0xb4/0x144\\n do_mas_align_munmap+0x290/0x490\\n do_mas_munmap+0xbc/0x124\\n __vm_munmap+0xa8/0x19c\\n __arm64_sys_munmap+0x28/0x50\\n invoke_syscall+0x78/0x11c\\n el0_svc_common.constprop.0+0x58/0x1c0\\n do_el0_svc+0x34/0x60\\n el0_svc+0x2c/0xd4\\n el0t_64_sync_handler+0x114/0x140\\n el0t_64_sync+0x1a4/0x1a8\\n--------------------------------------------------------------------\\n\\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\\nto \\\"arm_smmu_mm_arch_invalidate_secondary_tlbs\\\", yet the problem remains.\\n\\nThe commit 06ff87bae8d3 (\\\"arm64: mm: remove unused functions and variable\\nprotoypes\\\") fixed a similar lockup on the CPU MMU side. Yet, it can occur\\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\\ntypically next to MMU tlb flush function, e.g.\\n\\ttlb_flush_mmu_tlbonly {\\n\\t\\ttlb_flush {\\n\\t\\t\\t__flush_tlb_range {\\n\\t\\t\\t\\t// check MAX_TLBI_OPS\\n\\t\\t\\t}\\n\\t\\t}\\n\\t\\tmmu_notifier_arch_invalidate_secondary_tlbs {\\n\\t\\t\\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\\n\\t\\t\\t\\t// does not check MAX_TLBI_OPS\\n\\t\\t\\t}\\n\\t\\t}\\n\\t}\\n\\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\\nTLBI command, if the request size hits this threshold.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52484\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52485", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52485" + }, + { + "url": "https://git.kernel.org/stable/c/303197775a97416b62d4da69280d0c120a20e009" + }, + { + "url": "https://git.kernel.org/stable/c/8892780834ae294bc3697c7d0e056d7743900b39" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52485 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52485", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before sending a command\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nFor functions that execute within a DC context or DC lock we can\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\nexits idle power optimizations and reallows once we're done with\nthe command submission on success.\n\nFor DM direct submissions the DM will need to manage the enter/exit\nsequencing manually.\n\nWe cannot invoke a DMCUB command directly within the DM execution\nhelper or we can deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52485\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52485\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52485\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52485\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52485\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/303197775a97416b62d4da69280d0c120a20e009\",\n \"https://git.kernel.org/stable/c/8892780834ae294bc3697c7d0e056d7743900b39\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Wake DMCUB before sending a command\\n\\n[Why]\\nWe can hang in place trying to send commands when the DMCUB isn't\\npowered on.\\n\\n[How]\\nFor functions that execute within a DC context or DC lock we can\\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\\nexits idle power optimizations and reallows once we're done with\\nthe command submission on success.\\n\\nFor DM direct submissions the DM will need to manage the enter/exit\\nsequencing manually.\\n\\nWe cannot invoke a DMCUB command directly within the DM execution\\nhelper or we can deadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52485\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52488", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52488" + }, + { + "url": "https://git.kernel.org/stable/c/084c24e788d9cf29c55564de368bf5284f2bb5db" + }, + { + "url": "https://git.kernel.org/stable/c/416b10d2817c94db86829fb92ad43ce7d002c573" + }, + { + "url": "https://git.kernel.org/stable/c/4e37416e4ee1b1bc17364a68973e0c63be89e611" + }, + { + "url": "https://git.kernel.org/stable/c/aa7cb4787698add9367b19f7afc667662c9bdb23" + }, + { + "url": "https://git.kernel.org/stable/c/dbf4ab821804df071c8b566d9813083125e6d97b" + }, + { + "url": "https://git.kernel.org/stable/c/e635f652696ef6f1230621cfd89c350cb5ec6169" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52488 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52488", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO\n\nThe SC16IS7XX IC supports a burst mode to access the FIFOs where the\ninitial register address is sent ($00), followed by all the FIFO data\nwithout having to resend the register address each time. In this mode, the\nIC doesn't increment the register address for each R/W byte.\n\nThe regmap_raw_read() and regmap_raw_write() are functions which can\nperform IO over multiple registers. They are currently used to read/write\nfrom/to the FIFO, and although they operate correctly in this burst mode on\nthe SPI bus, they would corrupt the regmap cache if it was not disabled\nmanually. The reason is that when the R/W size is more than 1 byte, these\nfunctions assume that the register address is incremented and handle the\ncache accordingly.\n\nConvert FIFO R/W functions to use the regmap _noinc_ versions in order to\nremove the manual cache control which was a workaround when using the\n_raw_ versions. FIFO registers are properly declared as volatile so\ncache will not be used/updated for FIFO accesses.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52488\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52488\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52488\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52488\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52488\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/084c24e788d9cf29c55564de368bf5284f2bb5db\",\n \"https://git.kernel.org/stable/c/416b10d2817c94db86829fb92ad43ce7d002c573\",\n \"https://git.kernel.org/stable/c/4e37416e4ee1b1bc17364a68973e0c63be89e611\",\n \"https://git.kernel.org/stable/c/aa7cb4787698add9367b19f7afc667662c9bdb23\",\n \"https://git.kernel.org/stable/c/dbf4ab821804df071c8b566d9813083125e6d97b\",\n \"https://git.kernel.org/stable/c/e635f652696ef6f1230621cfd89c350cb5ec6169\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO\\n\\nThe SC16IS7XX IC supports a burst mode to access the FIFOs where the\\ninitial register address is sent ($00), followed by all the FIFO data\\nwithout having to resend the register address each time. In this mode, the\\nIC doesn't increment the register address for each R/W byte.\\n\\nThe regmap_raw_read() and regmap_raw_write() are functions which can\\nperform IO over multiple registers. They are currently used to read/write\\nfrom/to the FIFO, and although they operate correctly in this burst mode on\\nthe SPI bus, they would corrupt the regmap cache if it was not disabled\\nmanually. The reason is that when the R/W size is more than 1 byte, these\\nfunctions assume that the register address is incremented and handle the\\ncache accordingly.\\n\\nConvert FIFO R/W functions to use the regmap _noinc_ versions in order to\\nremove the manual cache control which was a workaround when using the\\n_raw_ versions. FIFO registers are properly declared as volatile so\\ncache will not be used/updated for FIFO accesses.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52488\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52499", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52499" + }, + { + "url": "https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820" + }, + { + "url": "https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746" + }, + { + "url": "https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3" + }, + { + "url": "https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52499 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52499", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/47x: Fix 47x syscall return crash\n\nEddie reported that newer kernels were crashing during boot on his 476\nFSP2 system:\n\n kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)\n BUG: Unable to handle kernel instruction fetch\n Faulting instruction address: 0xb7ee2000\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K FSP-2\n Modules linked in:\n CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1\n Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2\n NIP: b7ee2000 LR: 8c008000 CTR: 00000000\n REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fs p2)\n MSR: 00000030 CR: 00001000 XER: 20000000\n GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000\n GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000\n GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0\n GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0\n NIP [b7ee2000] 0xb7ee2000\n LR [8c008000] 0x8c008000\n Call Trace:\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n ---[ end trace 0000000000000000 ]---\n\nThe problem is in ret_from_syscall where the check for\nicache_44x_need_flush is done. When the flush is needed the code jumps\nout-of-line to do the flush, and then intends to jump back to continue\nthe syscall return.\n\nHowever the branch back to label 1b doesn't return to the correct\nlocation, instead branching back just prior to the return to userspace,\ncausing bogus register values to be used by the rfi.\n\nThe breakage was introduced by commit 6f76a01173cc\n(\"powerpc/syscall: implement system call entry/exit logic in C for PPC32\") which\ninadvertently removed the \"1\" label and reused it elsewhere.\n\nFix it by adding named local labels in the correct locations. Note that\nthe return label needs to be outside the ifdef so that CONFIG_PPC_47x=n\ncompiles.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52499\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52499\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52499\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52499\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52499\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820\",\n \"https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746\",\n \"https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3\",\n \"https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/47x: Fix 47x syscall return crash\\n\\nEddie reported that newer kernels were crashing during boot on his 476\\nFSP2 system:\\n\\n kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)\\n BUG: Unable to handle kernel instruction fetch\\n Faulting instruction address: 0xb7ee2000\\n Oops: Kernel access of bad area, sig: 11 [#1]\\n BE PAGE_SIZE=4K FSP-2\\n Modules linked in:\\n CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1\\n Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2\\n NIP: b7ee2000 LR: 8c008000 CTR: 00000000\\n REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fs p2)\\n MSR: 00000030 CR: 00001000 XER: 20000000\\n GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000\\n GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000\\n GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0\\n GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0\\n NIP [b7ee2000] 0xb7ee2000\\n LR [8c008000] 0x8c008000\\n Call Trace:\\n Instruction dump:\\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\\n ---[ end trace 0000000000000000 ]---\\n\\nThe problem is in ret_from_syscall where the check for\\nicache_44x_need_flush is done. When the flush is needed the code jumps\\nout-of-line to do the flush, and then intends to jump back to continue\\nthe syscall return.\\n\\nHowever the branch back to label 1b doesn't return to the correct\\nlocation, instead branching back just prior to the return to userspace,\\ncausing bogus register values to be used by the rfi.\\n\\nThe breakage was introduced by commit 6f76a01173cc\\n(\\\"powerpc/syscall: implement system call entry/exit logic in C for PPC32\\\") which\\ninadvertently removed the \\\"1\\\" label and reused it elsewhere.\\n\\nFix it by adding named local labels in the correct locations. Note that\\nthe return label needs to be outside the ifdef so that CONFIG_PPC_47x=n\\ncompiles.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52499\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52500", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52500" + }, + { + "url": "https://git.kernel.org/stable/c/2259e1901b2d8c0e8538fc99e77de443b939e749" + }, + { + "url": "https://git.kernel.org/stable/c/22e6d783a33015bcdf0979015e4eac603912bea7" + }, + { + "url": "https://git.kernel.org/stable/c/2afd8fcee0c4d65a482e30c3ad2a92c25e5e92d4" + }, + { + "url": "https://git.kernel.org/stable/c/c13e7331745852d0dd7c35eabbe181cbd5b01172" + }, + { + "url": "https://git.kernel.org/stable/c/d540a4370aba378fbedf349ba0bb68e96e24243d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52500 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52500", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\n\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52500\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52500\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52500\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52500\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52500\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2259e1901b2d8c0e8538fc99e77de443b939e749\",\n \"https://git.kernel.org/stable/c/22e6d783a33015bcdf0979015e4eac603912bea7\",\n \"https://git.kernel.org/stable/c/2afd8fcee0c4d65a482e30c3ad2a92c25e5e92d4\",\n \"https://git.kernel.org/stable/c/c13e7331745852d0dd7c35eabbe181cbd5b01172\",\n \"https://git.kernel.org/stable/c/d540a4370aba378fbedf349ba0bb68e96e24243d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\\n\\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\\nwhen we receive the response.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52500\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52501", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52501" + }, + { + "url": "https://git.kernel.org/stable/c/344f2f3e61a90f0150c754796ec9a17fcaeec03d" + }, + { + "url": "https://git.kernel.org/stable/c/75fc9e99b3a71006720ad1e029db11a4b5c32d4a" + }, + { + "url": "https://git.kernel.org/stable/c/95a404bd60af6c4d9d8db01ad14fe8957ece31ca" + }, + { + "url": "https://git.kernel.org/stable/c/b08a4938229dbb530a35c41b83002a1457c6ff49" + }, + { + "url": "https://git.kernel.org/stable/c/cee5151c5410e868826b8afecfb356f3799ebea3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52501 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52501", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not attempt to read past \"commit\"\n\nWhen iterating over the ring buffer while the ring buffer is active, the\nwriter can corrupt the reader. There's barriers to help detect this and\nhandle it, but that code missed the case where the last event was at the\nvery end of the page and has only 4 bytes left.\n\nThe checks to detect the corruption by the writer to reads needs to see the\nlength of the event. If the length in the first 4 bytes is zero then the\nlength is stored in the second 4 bytes. But if the writer is in the process\nof updating that code, there's a small window where the length in the first\n4 bytes could be zero even though the length is only 4 bytes. That will\ncause rb_event_length() to read the next 4 bytes which could happen to be off the\nallocated page.\n\nTo protect against this, fail immediately if the next event pointer is\nless than 8 bytes from the end of the commit (last byte of data), as all\nevents must be a minimum of 8 bytes anyway.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52501\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52501\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52501\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52501\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52501\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/344f2f3e61a90f0150c754796ec9a17fcaeec03d\",\n \"https://git.kernel.org/stable/c/75fc9e99b3a71006720ad1e029db11a4b5c32d4a\",\n \"https://git.kernel.org/stable/c/95a404bd60af6c4d9d8db01ad14fe8957ece31ca\",\n \"https://git.kernel.org/stable/c/b08a4938229dbb530a35c41b83002a1457c6ff49\",\n \"https://git.kernel.org/stable/c/cee5151c5410e868826b8afecfb356f3799ebea3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nring-buffer: Do not attempt to read past \\\"commit\\\"\\n\\nWhen iterating over the ring buffer while the ring buffer is active, the\\nwriter can corrupt the reader. There's barriers to help detect this and\\nhandle it, but that code missed the case where the last event was at the\\nvery end of the page and has only 4 bytes left.\\n\\nThe checks to detect the corruption by the writer to reads needs to see the\\nlength of the event. If the length in the first 4 bytes is zero then the\\nlength is stored in the second 4 bytes. But if the writer is in the process\\nof updating that code, there's a small window where the length in the first\\n4 bytes could be zero even though the length is only 4 bytes. That will\\ncause rb_event_length() to read the next 4 bytes which could happen to be off the\\nallocated page.\\n\\nTo protect against this, fail immediately if the next event pointer is\\nless than 8 bytes from the end of the commit (last byte of data), as all\\nevents must be a minimum of 8 bytes anyway.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52501\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52502", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52502" + }, + { + "url": "https://git.kernel.org/stable/c/31c07dffafce914c1d1543c135382a11ff058d93" + }, + { + "url": "https://git.kernel.org/stable/c/6ac22ecdaad2ecc662048f8c6b0ceb1ca0699ef9" + }, + { + "url": "https://git.kernel.org/stable/c/7adcf014bda16cdbf804af5c164d94d5d025db2d" + }, + { + "url": "https://git.kernel.org/stable/c/d1af8a39cf839d93c8967fdd858f6bbdc3e4a15c" + }, + { + "url": "https://git.kernel.org/stable/c/d888d3f70b0de32b4f51534175f039ddab15eef8" + }, + { + "url": "https://git.kernel.org/stable/c/e4f2611f07c87b3ddb57c4b9e8efcd1e330fc3dc" + }, + { + "url": "https://git.kernel.org/stable/c/e863f5720a5680e50c4cecf12424d7cc31b3eb0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52502 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52502", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\n\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\n\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\n\nnfc_llcp_sock_get_sn() has a similar problem.\n\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52502\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52502\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52502\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52502\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52502\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/31c07dffafce914c1d1543c135382a11ff058d93\",\n \"https://git.kernel.org/stable/c/6ac22ecdaad2ecc662048f8c6b0ceb1ca0699ef9\",\n \"https://git.kernel.org/stable/c/7adcf014bda16cdbf804af5c164d94d5d025db2d\",\n \"https://git.kernel.org/stable/c/d1af8a39cf839d93c8967fdd858f6bbdc3e4a15c\",\n \"https://git.kernel.org/stable/c/d888d3f70b0de32b4f51534175f039ddab15eef8\",\n \"https://git.kernel.org/stable/c/e4f2611f07c87b3ddb57c4b9e8efcd1e330fc3dc\",\n \"https://git.kernel.org/stable/c/e863f5720a5680e50c4cecf12424d7cc31b3eb0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\\n\\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\\n\\nGetting a reference on the socket found in a lookup while\\nholding a lock should happen before releasing the lock.\\n\\nnfc_llcp_sock_get_sn() has a similar problem.\\n\\nFinally nfc_llcp_recv_snl() needs to make sure the socket\\nfound by nfc_llcp_sock_from_sn() does not disappear.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52502\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52503", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52503" + }, + { + "url": "https://git.kernel.org/stable/c/1680c82929bc14d706065f123dab77f2f1293116" + }, + { + "url": "https://git.kernel.org/stable/c/1c95574350cd63bc3c5c2fa06658010768f2a0ce" + }, + { + "url": "https://git.kernel.org/stable/c/60c3e7a00db954947c265b55099c21b216f2a05c" + }, + { + "url": "https://git.kernel.org/stable/c/da7ce52a2f6c468946195b116615297d3d113a27" + }, + { + "url": "https://git.kernel.org/stable/c/f4384b3e54ea813868bb81a861bf5b2406e15d8f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52503 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52503", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\n\nThere is a potential race condition in amdtee_close_session that may\ncause use-after-free in amdtee_open_session. For instance, if a session\nhas refcount == 1, and one thread tries to free this session via:\n\n kref_put(&sess->refcount, destroy_session);\n\nthe reference count will get decremented, and the next step would be to\ncall destroy_session(). However, if in another thread,\namdtee_open_session() is called before destroy_session() has completed\nexecution, alloc_session() may return 'sess' that will be freed up\nlater in destroy_session() leading to use-after-free in\namdtee_open_session.\n\nTo fix this issue, treat decrement of sess->refcount and removal of\n'sess' from session list in destroy_session() as a critical section, so\nthat it is executed atomically.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52503\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52503\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52503\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52503\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52503\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1680c82929bc14d706065f123dab77f2f1293116\",\n \"https://git.kernel.org/stable/c/1c95574350cd63bc3c5c2fa06658010768f2a0ce\",\n \"https://git.kernel.org/stable/c/60c3e7a00db954947c265b55099c21b216f2a05c\",\n \"https://git.kernel.org/stable/c/da7ce52a2f6c468946195b116615297d3d113a27\",\n \"https://git.kernel.org/stable/c/f4384b3e54ea813868bb81a861bf5b2406e15d8f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\\n\\nThere is a potential race condition in amdtee_close_session that may\\ncause use-after-free in amdtee_open_session. For instance, if a session\\nhas refcount == 1, and one thread tries to free this session via:\\n\\n kref_put(&sess->refcount, destroy_session);\\n\\nthe reference count will get decremented, and the next step would be to\\ncall destroy_session(). However, if in another thread,\\namdtee_open_session() is called before destroy_session() has completed\\nexecution, alloc_session() may return 'sess' that will be freed up\\nlater in destroy_session() leading to use-after-free in\\namdtee_open_session.\\n\\nTo fix this issue, treat decrement of sess->refcount and removal of\\n'sess' from session list in destroy_session() as a critical section, so\\nthat it is executed atomically.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52503\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52504", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52504" + }, + { + "url": "https://git.kernel.org/stable/c/3719d3c36aa853d5a2401af9f8d6b116c91ad5ae" + }, + { + "url": "https://git.kernel.org/stable/c/3770c38cd6a60494da29ac2da73ff8156440a2d1" + }, + { + "url": "https://git.kernel.org/stable/c/5b784489c8158518bf7a466bb3cc045b0fb66b4b" + }, + { + "url": "https://git.kernel.org/stable/c/6788b10620ca6e98575d1e06e72a8974aad7657e" + }, + { + "url": "https://git.kernel.org/stable/c/cd287cc208dfe6bd6da98e7f88e723209242c9b4" + }, + { + "url": "https://git.kernel.org/stable/c/d35652a5fc9944784f6f50a5c979518ff8dacf61" + }, + { + "url": "https://git.kernel.org/stable/c/ecba5afe86f30605eb9dfb7f265a8de0218d4cfc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52504 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52504", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/alternatives: Disable KASAN in apply_alternatives()\n\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\n\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\n\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\n\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\n\nFix it for real by disabling KASAN while the kernel is patching alternatives.\n\n[ mingo: updated the changelog ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52504\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52504\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52504\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52504\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52504\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3719d3c36aa853d5a2401af9f8d6b116c91ad5ae\",\n \"https://git.kernel.org/stable/c/3770c38cd6a60494da29ac2da73ff8156440a2d1\",\n \"https://git.kernel.org/stable/c/5b784489c8158518bf7a466bb3cc045b0fb66b4b\",\n \"https://git.kernel.org/stable/c/6788b10620ca6e98575d1e06e72a8974aad7657e\",\n \"https://git.kernel.org/stable/c/cd287cc208dfe6bd6da98e7f88e723209242c9b4\",\n \"https://git.kernel.org/stable/c/d35652a5fc9944784f6f50a5c979518ff8dacf61\",\n \"https://git.kernel.org/stable/c/ecba5afe86f30605eb9dfb7f265a8de0218d4cfc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/alternatives: Disable KASAN in apply_alternatives()\\n\\nFei has reported that KASAN triggers during apply_alternatives() on\\na 5-level paging machine:\\n\\n\\tBUG: KASAN: out-of-bounds in rcu_is_watching()\\n\\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\\n\\t...\\n\\t__asan_load4()\\n\\trcu_is_watching()\\n\\ttrace_hardirqs_on()\\n\\ttext_poke_early()\\n\\tapply_alternatives()\\n\\t...\\n\\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\\n\\nKASAN gets confused when apply_alternatives() patches the\\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\\n\\nFix it for real by disabling KASAN while the kernel is patching alternatives.\\n\\n[ mingo: updated the changelog ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52504\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52507", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52507" + }, + { + "url": "https://git.kernel.org/stable/c/25dd54b95abfdca423b65a4ee620a774777d8213" + }, + { + "url": "https://git.kernel.org/stable/c/2c231a247a1d1628e41fa1eefd1a5307c41c5f53" + }, + { + "url": "https://git.kernel.org/stable/c/354a6e707e29cb0c007176ee5b8db8be7bd2dee0" + }, + { + "url": "https://git.kernel.org/stable/c/6584eba7688dcf999542778b07f63828c21521da" + }, + { + "url": "https://git.kernel.org/stable/c/853dda54ba59ea70d5580a298b7ede4707826848" + }, + { + "url": "https://git.kernel.org/stable/c/95733ea130e35ef9ec5949a5908dde3feaba92cb" + }, + { + "url": "https://git.kernel.org/stable/c/a424807d860ba816aaafc3064b46b456361c0802" + }, + { + "url": "https://git.kernel.org/stable/c/a686f84101680b8442181a8846fbd3c934653729" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52507 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52507", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: assert requested protocol is valid\n\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52507\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52507\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52507\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52507\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52507\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25dd54b95abfdca423b65a4ee620a774777d8213\",\n \"https://git.kernel.org/stable/c/2c231a247a1d1628e41fa1eefd1a5307c41c5f53\",\n \"https://git.kernel.org/stable/c/354a6e707e29cb0c007176ee5b8db8be7bd2dee0\",\n \"https://git.kernel.org/stable/c/6584eba7688dcf999542778b07f63828c21521da\",\n \"https://git.kernel.org/stable/c/853dda54ba59ea70d5580a298b7ede4707826848\",\n \"https://git.kernel.org/stable/c/95733ea130e35ef9ec5949a5908dde3feaba92cb\",\n \"https://git.kernel.org/stable/c/a424807d860ba816aaafc3064b46b456361c0802\",\n \"https://git.kernel.org/stable/c/a686f84101680b8442181a8846fbd3c934653729\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc: nci: assert requested protocol is valid\\n\\nThe protocol is used in a bit mask to determine if the protocol is\\nsupported. Assert the provided protocol is less than the maximum\\ndefined so it doesn't potentially perform a shift-out-of-bounds and\\nprovide a clearer error for undefined protocols vs unsupported ones.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52507\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52508", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52508" + }, + { + "url": "https://git.kernel.org/stable/c/8ae5b3a685dc59a8cf7ccfe0e850999ba9727a3c" + }, + { + "url": "https://git.kernel.org/stable/c/be90c9e29dd59b7d19a73297a1590ff3ec1d22ea" + }, + { + "url": "https://git.kernel.org/stable/c/dd46b3ac7322baf3772b33b29726e94f98289db7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52508 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52508", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()\n\nThe nvme_fc_fcp_op structure describing an AEN operation is initialized with a\nnull request structure pointer. An FC LLDD may make a call to\nnvme_fc_io_getuuid passing a pointer to an nvmefc_fcp_req for an AEN operation.\n\nAdd validation of the request structure pointer before dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52508\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52508\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52508\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52508\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52508\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8ae5b3a685dc59a8cf7ccfe0e850999ba9727a3c\",\n \"https://git.kernel.org/stable/c/be90c9e29dd59b7d19a73297a1590ff3ec1d22ea\",\n \"https://git.kernel.org/stable/c/dd46b3ac7322baf3772b33b29726e94f98289db7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()\\n\\nThe nvme_fc_fcp_op structure describing an AEN operation is initialized with a\\nnull request structure pointer. An FC LLDD may make a call to\\nnvme_fc_io_getuuid passing a pointer to an nvmefc_fcp_req for an AEN operation.\\n\\nAdd validation of the request structure pointer before dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52508\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52509", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52509" + }, + { + "url": "https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705" + }, + { + "url": "https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89" + }, + { + "url": "https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6" + }, + { + "url": "https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5" + }, + { + "url": "https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965" + }, + { + "url": "https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52509 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52509", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\n\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\n\nCPU0\t\t\tCPU1\n\t\t\travb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\n\t\t\travb_tx_timeout_work()\n\t\t\t// use priv\n\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. So that .ndo_tx_timeout() will not be called\nafter phy_stop().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52509\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52509\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52509\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52509\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52509\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705\",\n \"https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89\",\n \"https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6\",\n \"https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5\",\n \"https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965\",\n \"https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\\n\\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\\nravb_tx_timeout_work() is possible to use the freed priv after\\nravb_remove() was called like below:\\n\\nCPU0\\t\\t\\tCPU1\\n\\t\\t\\travb_tx_timeout()\\nravb_remove()\\nunregister_netdev()\\nfree_netdev(ndev)\\n// free priv\\n\\t\\t\\travb_tx_timeout_work()\\n\\t\\t\\t// use priv\\n\\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\\ncalled. And, after phy_stop() is called, netif_carrier_off()\\nis also called. So that .ndo_tx_timeout() will not be called\\nafter phy_stop().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52509\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52510", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52510" + }, + { + "url": "https://git.kernel.org/stable/c/217efe32a45249eb07dcd7197e8403de98345e66" + }, + { + "url": "https://git.kernel.org/stable/c/28b68cba378e3e50a4082b65f262bc4f2c7c2add" + }, + { + "url": "https://git.kernel.org/stable/c/55e06850c7894f00d41b767c5f5665459f83f58f" + }, + { + "url": "https://git.kernel.org/stable/c/84c6aa0ae5c4dc121f9996bb8fed46c80909d80e" + }, + { + "url": "https://git.kernel.org/stable/c/85c2857ef90041f567ce98722c1c342c4d31f4bc" + }, + { + "url": "https://git.kernel.org/stable/c/becf5c147198f4345243c5df0c4f035415491640" + }, + { + "url": "https://git.kernel.org/stable/c/cdb46be93c1f7bbf2c4649e9fc5fb147cfb5245d" + }, + { + "url": "https://git.kernel.org/stable/c/f990874b1c98fe8e57ee9385669f501822979258" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52510 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52510", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\n\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\n\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52510\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52510\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52510\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52510\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52510\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/217efe32a45249eb07dcd7197e8403de98345e66\",\n \"https://git.kernel.org/stable/c/28b68cba378e3e50a4082b65f262bc4f2c7c2add\",\n \"https://git.kernel.org/stable/c/55e06850c7894f00d41b767c5f5665459f83f58f\",\n \"https://git.kernel.org/stable/c/84c6aa0ae5c4dc121f9996bb8fed46c80909d80e\",\n \"https://git.kernel.org/stable/c/85c2857ef90041f567ce98722c1c342c4d31f4bc\",\n \"https://git.kernel.org/stable/c/becf5c147198f4345243c5df0c4f035415491640\",\n \"https://git.kernel.org/stable/c/cdb46be93c1f7bbf2c4649e9fc5fb147cfb5245d\",\n \"https://git.kernel.org/stable/c/f990874b1c98fe8e57ee9385669f501822979258\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\\n\\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\\nit calls clk_unregister() to release priv->clk and returns an\\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\\nthis case, a use-after-free may happen in the second time we call\\nclk_unregister().\\n\\nFix this by removing the first clk_unregister(). Also, priv->clk could\\nbe an error code on failure of clk_register_fixed_rate(). Use\\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52510\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52511", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52511" + }, + { + "url": "https://git.kernel.org/stable/c/171f8a49f212e87a8b04087568e1b3d132e36a18" + }, + { + "url": "https://git.kernel.org/stable/c/b3c21c9c7289692f4019f163c3b06d8bdf78b355" + }, + { + "url": "https://git.kernel.org/stable/c/e15bb292b24630ee832bfc7fd616bd72c7682bbb" + }, + { + "url": "https://git.kernel.org/stable/c/ff05ed4ae214011464a0156f05cac1b0b46b5fbc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52511 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52511", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: reduce DMA RX transfer width to single byte\n\nThrough empirical testing it has been determined that sometimes RX SPI\ntransfers with DMA enabled return corrupted data. This is down to single\nor even multiple bytes lost during DMA transfer from SPI peripheral to\nmemory. It seems the RX FIFO within the SPI peripheral can become\nconfused when performing bus read accesses wider than a single byte to it\nduring an active SPI transfer.\n\nThis patch reduces the width of individual DMA read accesses to the\nRX FIFO to a single byte to mitigate that issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52511\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52511\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52511\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52511\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52511\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/171f8a49f212e87a8b04087568e1b3d132e36a18\",\n \"https://git.kernel.org/stable/c/b3c21c9c7289692f4019f163c3b06d8bdf78b355\",\n \"https://git.kernel.org/stable/c/e15bb292b24630ee832bfc7fd616bd72c7682bbb\",\n \"https://git.kernel.org/stable/c/ff05ed4ae214011464a0156f05cac1b0b46b5fbc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspi: sun6i: reduce DMA RX transfer width to single byte\\n\\nThrough empirical testing it has been determined that sometimes RX SPI\\ntransfers with DMA enabled return corrupted data. This is down to single\\nor even multiple bytes lost during DMA transfer from SPI peripheral to\\nmemory. It seems the RX FIFO within the SPI peripheral can become\\nconfused when performing bus read accesses wider than a single byte to it\\nduring an active SPI transfer.\\n\\nThis patch reduces the width of individual DMA read accesses to the\\nRX FIFO to a single byte to mitigate that issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52511\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52516", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52516" + }, + { + "url": "https://git.kernel.org/stable/c/ac0d068099349cbca3d93f2e3b15bb329364b08c" + }, + { + "url": "https://git.kernel.org/stable/c/be8f49029eca3efbad0d74dbff3cb9129994ffab" + }, + { + "url": "https://git.kernel.org/stable/c/c79300599923daaa30f417c75555d5566b3d31ae" + }, + { + "url": "https://git.kernel.org/stable/c/fb5a4315591dae307a65fc246ca80b5159d296e1" + }, + { + "url": "https://git.kernel.org/stable/c/fe2b811a02c3244ebf6059039e4a9e715e26a9e3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52516 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52516", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock\n\n__dma_entry_alloc_check_leak() calls into printk -> serial console\noutput (qcom geni) and grabs port->lock under free_entries_lock\nspin lock, which is a reverse locking dependency chain as qcom_geni\nIRQ handler can call into dma-debug code and grab free_entries_lock\nunder port->lock.\n\nMove __dma_entry_alloc_check_leak() call out of free_entries_lock\nscope so that we don't acquire serial console's port->lock under it.\n\nTrimmed-down lockdep splat:\n\n The existing dependency chain (in reverse order) is:\n\n -> #2 (free_entries_lock){-.-.}-{2:2}:\n _raw_spin_lock_irqsave+0x60/0x80\n dma_entry_alloc+0x38/0x110\n debug_dma_map_page+0x60/0xf8\n dma_map_page_attrs+0x1e0/0x230\n dma_map_single_attrs.constprop.0+0x6c/0xc8\n geni_se_rx_dma_prep+0x40/0xcc\n qcom_geni_serial_isr+0x310/0x510\n __handle_irq_event_percpu+0x110/0x244\n handle_irq_event_percpu+0x20/0x54\n handle_irq_event+0x50/0x88\n handle_fasteoi_irq+0xa4/0xcc\n handle_irq_desc+0x28/0x40\n generic_handle_domain_irq+0x24/0x30\n gic_handle_irq+0xc4/0x148\n do_interrupt_handler+0xa4/0xb0\n el1_interrupt+0x34/0x64\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x64/0x68\n arch_local_irq_enable+0x4/0x8\n ____do_softirq+0x18/0x24\n ...\n\n -> #1 (&port_lock_key){-.-.}-{2:2}:\n _raw_spin_lock_irqsave+0x60/0x80\n qcom_geni_serial_console_write+0x184/0x1dc\n console_flush_all+0x344/0x454\n console_unlock+0x94/0xf0\n vprintk_emit+0x238/0x24c\n vprintk_default+0x3c/0x48\n vprintk+0xb4/0xbc\n _printk+0x68/0x90\n register_console+0x230/0x38c\n uart_add_one_port+0x338/0x494\n qcom_geni_serial_probe+0x390/0x424\n platform_probe+0x70/0xc0\n really_probe+0x148/0x280\n __driver_probe_device+0xfc/0x114\n driver_probe_device+0x44/0x100\n __device_attach_driver+0x64/0xdc\n bus_for_each_drv+0xb0/0xd8\n __device_attach+0xe4/0x140\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x44/0xb0\n device_add+0x538/0x668\n of_device_add+0x44/0x50\n of_platform_device_create_pdata+0x94/0xc8\n of_platform_bus_create+0x270/0x304\n of_platform_populate+0xac/0xc4\n devm_of_platform_populate+0x60/0xac\n geni_se_probe+0x154/0x160\n platform_probe+0x70/0xc0\n ...\n\n -> #0 (console_owner){-...}-{0:0}:\n __lock_acquire+0xdf8/0x109c\n lock_acquire+0x234/0x284\n console_flush_all+0x330/0x454\n console_unlock+0x94/0xf0\n vprintk_emit+0x238/0x24c\n vprintk_default+0x3c/0x48\n vprintk+0xb4/0xbc\n _printk+0x68/0x90\n dma_entry_alloc+0xb4/0x110\n debug_dma_map_sg+0xdc/0x2f8\n __dma_map_sg_attrs+0xac/0xe4\n dma_map_sgtable+0x30/0x4c\n get_pages+0x1d4/0x1e4 [msm]\n msm_gem_pin_pages_locked+0x38/0xac [msm]\n msm_gem_pin_vma_locked+0x58/0x88 [msm]\n msm_ioctl_gem_submit+0xde4/0x13ac [msm]\n drm_ioctl_kernel+0xe0/0x15c\n drm_ioctl+0x2e8/0x3f4\n vfs_ioctl+0x30/0x50\n ...\n\n Chain exists of:\n console_owner --> &port_lock_key --> free_entries_lock\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(free_entries_lock);\n lock(&port_lock_key);\n lock(free_entries_lock);\n lock(console_owner);\n\n *** DEADLOCK ***\n\n Call trace:\n dump_backtrace+0xb4/0xf0\n show_stack+0x20/0x30\n dump_stack_lvl+0x60/0x84\n dump_stack+0x18/0x24\n print_circular_bug+0x1cc/0x234\n check_noncircular+0x78/0xac\n __lock_acquire+0xdf8/0x109c\n lock_acquire+0x234/0x284\n console_flush_all+0x330/0x454\n consol\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52516\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52516\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52516\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52516\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52516\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/ac0d068099349cbca3d93f2e3b15bb329364b08c\",\n \"https://git.kernel.org/stable/c/be8f49029eca3efbad0d74dbff3cb9129994ffab\",\n \"https://git.kernel.org/stable/c/c79300599923daaa30f417c75555d5566b3d31ae\",\n \"https://git.kernel.org/stable/c/fb5a4315591dae307a65fc246ca80b5159d296e1\",\n \"https://git.kernel.org/stable/c/fe2b811a02c3244ebf6059039e4a9e715e26a9e3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock\\n\\n__dma_entry_alloc_check_leak() calls into printk -> serial console\\noutput (qcom geni) and grabs port->lock under free_entries_lock\\nspin lock, which is a reverse locking dependency chain as qcom_geni\\nIRQ handler can call into dma-debug code and grab free_entries_lock\\nunder port->lock.\\n\\nMove __dma_entry_alloc_check_leak() call out of free_entries_lock\\nscope so that we don't acquire serial console's port->lock under it.\\n\\nTrimmed-down lockdep splat:\\n\\n The existing dependency chain (in reverse order) is:\\n\\n -> #2 (free_entries_lock){-.-.}-{2:2}:\\n _raw_spin_lock_irqsave+0x60/0x80\\n dma_entry_alloc+0x38/0x110\\n debug_dma_map_page+0x60/0xf8\\n dma_map_page_attrs+0x1e0/0x230\\n dma_map_single_attrs.constprop.0+0x6c/0xc8\\n geni_se_rx_dma_prep+0x40/0xcc\\n qcom_geni_serial_isr+0x310/0x510\\n __handle_irq_event_percpu+0x110/0x244\\n handle_irq_event_percpu+0x20/0x54\\n handle_irq_event+0x50/0x88\\n handle_fasteoi_irq+0xa4/0xcc\\n handle_irq_desc+0x28/0x40\\n generic_handle_domain_irq+0x24/0x30\\n gic_handle_irq+0xc4/0x148\\n do_interrupt_handler+0xa4/0xb0\\n el1_interrupt+0x34/0x64\\n el1h_64_irq_handler+0x18/0x24\\n el1h_64_irq+0x64/0x68\\n arch_local_irq_enable+0x4/0x8\\n ____do_softirq+0x18/0x24\\n ...\\n\\n -> #1 (&port_lock_key){-.-.}-{2:2}:\\n _raw_spin_lock_irqsave+0x60/0x80\\n qcom_geni_serial_console_write+0x184/0x1dc\\n console_flush_all+0x344/0x454\\n console_unlock+0x94/0xf0\\n vprintk_emit+0x238/0x24c\\n vprintk_default+0x3c/0x48\\n vprintk+0xb4/0xbc\\n _printk+0x68/0x90\\n register_console+0x230/0x38c\\n uart_add_one_port+0x338/0x494\\n qcom_geni_serial_probe+0x390/0x424\\n platform_probe+0x70/0xc0\\n really_probe+0x148/0x280\\n __driver_probe_device+0xfc/0x114\\n driver_probe_device+0x44/0x100\\n __device_attach_driver+0x64/0xdc\\n bus_for_each_drv+0xb0/0xd8\\n __device_attach+0xe4/0x140\\n device_initial_probe+0x1c/0x28\\n bus_probe_device+0x44/0xb0\\n device_add+0x538/0x668\\n of_device_add+0x44/0x50\\n of_platform_device_create_pdata+0x94/0xc8\\n of_platform_bus_create+0x270/0x304\\n of_platform_populate+0xac/0xc4\\n devm_of_platform_populate+0x60/0xac\\n geni_se_probe+0x154/0x160\\n platform_probe+0x70/0xc0\\n ...\\n\\n -> #0 (console_owner){-...}-{0:0}:\\n __lock_acquire+0xdf8/0x109c\\n lock_acquire+0x234/0x284\\n console_flush_all+0x330/0x454\\n console_unlock+0x94/0xf0\\n vprintk_emit+0x238/0x24c\\n vprintk_default+0x3c/0x48\\n vprintk+0xb4/0xbc\\n _printk+0x68/0x90\\n dma_entry_alloc+0xb4/0x110\\n debug_dma_map_sg+0xdc/0x2f8\\n __dma_map_sg_attrs+0xac/0xe4\\n dma_map_sgtable+0x30/0x4c\\n get_pages+0x1d4/0x1e4 [msm]\\n msm_gem_pin_pages_locked+0x38/0xac [msm]\\n msm_gem_pin_vma_locked+0x58/0x88 [msm]\\n msm_ioctl_gem_submit+0xde4/0x13ac [msm]\\n drm_ioctl_kernel+0xe0/0x15c\\n drm_ioctl+0x2e8/0x3f4\\n vfs_ioctl+0x30/0x50\\n ...\\n\\n Chain exists of:\\n console_owner --> &port_lock_key --> free_entries_lock\\n\\n Possible unsafe locking scenario:\\n\\n CPU0 CPU1\\n ---- ----\\n lock(free_entries_lock);\\n lock(&port_lock_key);\\n lock(free_entries_lock);\\n lock(console_owner);\\n\\n *** DEADLOCK ***\\n\\n Call trace:\\n dump_backtrace+0xb4/0xf0\\n show_stack+0x20/0x30\\n dump_stack_lvl+0x60/0x84\\n dump_stack+0x18/0x24\\n print_circular_bug+0x1cc/0x234\\n check_noncircular+0x78/0xac\\n __lock_acquire+0xdf8/0x109c\\n lock_acquire+0x234/0x284\\n console_flush_all+0x330/0x454\\n consol\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52516\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52517", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52517" + }, + { + "url": "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d" + }, + { + "url": "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209" + }, + { + "url": "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097" + }, + { + "url": "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52517 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52517", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\n\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\nread any data remaining in FIFO to the RX buffer. This behaviour is\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\ntransfer complete interrupt still fires as soon as all bytes to be\ntransferred have been stored in the FIFO. At that point data in the FIFO\nstill needs to be picked up by the DMA engine. Thus the drain procedure\nand DMA engine end up racing to read from RX FIFO, corrupting any data\nread. Additionally the RX buffer pointer is never adjusted according to\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\nmode is a bug.\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\nAlso wait for completion of RX DMA when in DMA mode before returning to\nensure all data has been copied to the supplied memory buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52517\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52517\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52517\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52517\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52517\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d\",\n \"https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209\",\n \"https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097\",\n \"https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\\n\\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\\nread any data remaining in FIFO to the RX buffer. This behaviour is\\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\\ntransfer complete interrupt still fires as soon as all bytes to be\\ntransferred have been stored in the FIFO. At that point data in the FIFO\\nstill needs to be picked up by the DMA engine. Thus the drain procedure\\nand DMA engine end up racing to read from RX FIFO, corrupting any data\\nread. Additionally the RX buffer pointer is never adjusted according to\\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\\nmode is a bug.\\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\\nAlso wait for completion of RX DMA when in DMA mode before returning to\\nensure all data has been copied to the supplied memory buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52517\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52522", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52522" + }, + { + "url": "https://git.kernel.org/stable/c/147d89ee41434b97043c2dcb17a97dc151859baa" + }, + { + "url": "https://git.kernel.org/stable/c/25563b581ba3a1f263a00e8c9a97f5e7363be6fd" + }, + { + "url": "https://git.kernel.org/stable/c/2ea52a2fb8e87067e26bbab4efb8872639240eb0" + }, + { + "url": "https://git.kernel.org/stable/c/95eabb075a5902f4c0834ab1fb12dc35730c05af" + }, + { + "url": "https://git.kernel.org/stable/c/a75152d233370362eebedb2643592e7c883cc9fc" + }, + { + "url": "https://git.kernel.org/stable/c/f82aac8162871e87027692b36af335a2375d4580" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52522 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52522", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix possible store tearing in neigh_periodic_work()\n\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\n\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\n\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52522\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52522\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52522\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52522\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52522\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/147d89ee41434b97043c2dcb17a97dc151859baa\",\n \"https://git.kernel.org/stable/c/25563b581ba3a1f263a00e8c9a97f5e7363be6fd\",\n \"https://git.kernel.org/stable/c/2ea52a2fb8e87067e26bbab4efb8872639240eb0\",\n \"https://git.kernel.org/stable/c/95eabb075a5902f4c0834ab1fb12dc35730c05af\",\n \"https://git.kernel.org/stable/c/a75152d233370362eebedb2643592e7c883cc9fc\",\n \"https://git.kernel.org/stable/c/f82aac8162871e87027692b36af335a2375d4580\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: fix possible store tearing in neigh_periodic_work()\\n\\nWhile looking at a related syzbot report involving neigh_periodic_work(),\\nI found that I forgot to add an annotation when deleting an\\nRCU protected item from a list.\\n\\nReaders use rcu_deference(*np), we need to use either\\nrcu_assign_pointer() or WRITE_ONCE() on writer side\\nto prevent store tearing.\\n\\nI use rcu_assign_pointer() to have lockdep support,\\nthis was the choice made in neigh_flush_dev().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52522\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52524", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52524" + }, + { + "url": "https://git.kernel.org/stable/c/191d87a19cf1005ecf41e1ae08d74e17379e8391" + }, + { + "url": "https://git.kernel.org/stable/c/29c16c2bf5866326d5fbc4a537b3997fcac23391" + }, + { + "url": "https://git.kernel.org/stable/c/4837a192f6d06d5bb2f3f47d6ce5353ab69bf86b" + }, + { + "url": "https://git.kernel.org/stable/c/7562780e32b84196731d57dd24563546fcf6d082" + }, + { + "url": "https://git.kernel.org/stable/c/dba849cc98113b145c6e720122942c00b8012bdb" + }, + { + "url": "https://git.kernel.org/stable/c/dfc7f7a988dad34c3bf4c053124fb26aa6c5f916" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52524 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52524", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: llcp: Add lock when modifying device list\n\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52524\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52524\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52524\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52524\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52524\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/191d87a19cf1005ecf41e1ae08d74e17379e8391\",\n \"https://git.kernel.org/stable/c/29c16c2bf5866326d5fbc4a537b3997fcac23391\",\n \"https://git.kernel.org/stable/c/4837a192f6d06d5bb2f3f47d6ce5353ab69bf86b\",\n \"https://git.kernel.org/stable/c/7562780e32b84196731d57dd24563546fcf6d082\",\n \"https://git.kernel.org/stable/c/dba849cc98113b145c6e720122942c00b8012bdb\",\n \"https://git.kernel.org/stable/c/dfc7f7a988dad34c3bf4c053124fb26aa6c5f916\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: nfc: llcp: Add lock when modifying device list\\n\\nThe device list needs its associated lock held when modifying it, or the\\nlist could become corrupted, as syzbot discovered.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52524\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52527", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52527" + }, + { + "url": "https://git.kernel.org/stable/c/1fc793d68d50dee4782ef2e808913d5dd880bcc6" + }, + { + "url": "https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59" + }, + { + "url": "https://git.kernel.org/stable/c/7626b9fed53092aa2147978070e610ecb61af844" + }, + { + "url": "https://git.kernel.org/stable/c/96b2e1090397217839fcd6c9b6d8f5d439e705ed" + }, + { + "url": "https://git.kernel.org/stable/c/9d4c75800f61e5d75c1659ba201b6c0c7ead3070" + }, + { + "url": "https://git.kernel.org/stable/c/cd1189956393bf850b2e275e37411855d3bd86bb" + }, + { + "url": "https://git.kernel.org/stable/c/f6a7182179c0ed788e3755ee2ed18c888ddcc33f" + }, + { + "url": "https://git.kernel.org/stable/c/fe80658c08e3001c80c5533cd41abfbb0e0e28fd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52527 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52527", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()\n\nIncluding the transhdrlen in length is a problem when the packet is\npartially filled (e.g. something like send(MSG_MORE) happened previously)\nwhen appending to an IPv4 or IPv6 packet as we don't want to repeat the\ntransport header or account for it twice. This can happen under some\ncircumstances, such as splicing into an L2TP socket.\n\nThe symptom observed is a warning in __ip6_append_data():\n\n WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800\n\nthat occurs when MSG_SPLICE_PAGES is used to append more data to an already\npartially occupied skbuff. The warning occurs when 'copy' is larger than\nthe amount of data in the message iterator. This is because the requested\nlength includes the transport header length when it shouldn't. This can be\ntriggered by, for example:\n\n sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);\n bind(sfd, ...); // ::1\n connect(sfd, ...); // ::1 port 7\n send(sfd, buffer, 4100, MSG_MORE);\n sendfile(sfd, dfd, NULL, 1024);\n\nFix this by only adding transhdrlen into the length if the write queue is\nempty in l2tp_ip6_sendmsg(), analogously to how UDP does things.\n\nl2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds\nthe UDP packet itself.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52527\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52527\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52527\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52527\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52527\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fc793d68d50dee4782ef2e808913d5dd880bcc6\",\n \"https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59\",\n \"https://git.kernel.org/stable/c/7626b9fed53092aa2147978070e610ecb61af844\",\n \"https://git.kernel.org/stable/c/96b2e1090397217839fcd6c9b6d8f5d439e705ed\",\n \"https://git.kernel.org/stable/c/9d4c75800f61e5d75c1659ba201b6c0c7ead3070\",\n \"https://git.kernel.org/stable/c/cd1189956393bf850b2e275e37411855d3bd86bb\",\n \"https://git.kernel.org/stable/c/f6a7182179c0ed788e3755ee2ed18c888ddcc33f\",\n \"https://git.kernel.org/stable/c/fe80658c08e3001c80c5533cd41abfbb0e0e28fd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()\\n\\nIncluding the transhdrlen in length is a problem when the packet is\\npartially filled (e.g. something like send(MSG_MORE) happened previously)\\nwhen appending to an IPv4 or IPv6 packet as we don't want to repeat the\\ntransport header or account for it twice. This can happen under some\\ncircumstances, such as splicing into an L2TP socket.\\n\\nThe symptom observed is a warning in __ip6_append_data():\\n\\n WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800\\n\\nthat occurs when MSG_SPLICE_PAGES is used to append more data to an already\\npartially occupied skbuff. The warning occurs when 'copy' is larger than\\nthe amount of data in the message iterator. This is because the requested\\nlength includes the transport header length when it shouldn't. This can be\\ntriggered by, for example:\\n\\n sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);\\n bind(sfd, ...); // ::1\\n connect(sfd, ...); // ::1 port 7\\n send(sfd, buffer, 4100, MSG_MORE);\\n sendfile(sfd, dfd, NULL, 1024);\\n\\nFix this by only adding transhdrlen into the length if the write queue is\\nempty in l2tp_ip6_sendmsg(), analogously to how UDP does things.\\n\\nl2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds\\nthe UDP packet itself.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52527\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52528", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52528" + }, + { + "url": "https://git.kernel.org/stable/c/2a36d9e2995c8c3c3f179aab1215a69cff06cbed" + }, + { + "url": "https://git.kernel.org/stable/c/30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5" + }, + { + "url": "https://git.kernel.org/stable/c/310f1c92f65ad905b7e81fe14de82d979ebbd825" + }, + { + "url": "https://git.kernel.org/stable/c/3e0af6eec1789fd11934164a7f4dbcad979855a4" + }, + { + "url": "https://git.kernel.org/stable/c/4931e80da9463b03bfe42be54a9a19f213b0f76d" + }, + { + "url": "https://git.kernel.org/stable/c/9ffc5018020fe646795a8dc1203224b8f776dc09" + }, + { + "url": "https://git.kernel.org/stable/c/cda10784a176d7192f08ecb518f777a4e9575812" + }, + { + "url": "https://git.kernel.org/stable/c/e9c65989920f7c28775ec4e0c11b483910fb67b8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52528 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52528", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\n\nsyzbot reported the following uninit-value access issue:\n\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\n\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\n\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52528\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52528\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52528\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52528\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52528\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a36d9e2995c8c3c3f179aab1215a69cff06cbed\",\n \"https://git.kernel.org/stable/c/30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5\",\n \"https://git.kernel.org/stable/c/310f1c92f65ad905b7e81fe14de82d979ebbd825\",\n \"https://git.kernel.org/stable/c/3e0af6eec1789fd11934164a7f4dbcad979855a4\",\n \"https://git.kernel.org/stable/c/4931e80da9463b03bfe42be54a9a19f213b0f76d\",\n \"https://git.kernel.org/stable/c/9ffc5018020fe646795a8dc1203224b8f776dc09\",\n \"https://git.kernel.org/stable/c/cda10784a176d7192f08ecb518f777a4e9575812\",\n \"https://git.kernel.org/stable/c/e9c65989920f7c28775ec4e0c11b483910fb67b8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\\n\\nsyzbot reported the following uninit-value access issue:\\n\\n=====================================================\\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\\nWorkqueue: usb_hub_wq hub_event\\nCall Trace:\\n __dump_stack lib/dump_stack.c:77 [inline]\\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\\n port_event drivers/usb/core/hub.c:5494 [inline]\\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\\n kthread+0x551/0x590 kernel/kthread.c:292\\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\\n\\nLocal variable ----buf.i87@smsc75xx_bind created at:\\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\\n\\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\\n\\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\\nless bytes than requested.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52528\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52531", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52531" + }, + { + "url": "https://git.kernel.org/stable/c/6b3223449c959a8be94a1f042288059e40fcccb0" + }, + { + "url": "https://git.kernel.org/stable/c/7c8faa31080342aec4903c9acb20caf82fcca1ef" + }, + { + "url": "https://git.kernel.org/stable/c/8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d" + }, + { + "url": "https://git.kernel.org/stable/c/f06cdd8d4ba5252986f51f80cc30263636397128" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52531 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52531", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: Fix a memory corruption issue\n\nA few lines above, space is kzalloc()'ed for:\n\tsizeof(struct iwl_nvm_data) +\n\tsizeof(struct ieee80211_channel) +\n\tsizeof(struct ieee80211_rate)\n\n'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.\n\nAt the end of this structure, there is the 'channels' flex array.\nEach element is of type 'struct ieee80211_channel'.\nSo only 1 element is allocated in this array.\n\nWhen doing:\n mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;\nWe point at the first element of the 'channels' flex array.\nSo this is fine.\n\nHowever, when doing:\n mvm->nvm_data->bands[0].bitrates =\n\t\t\t(void *)((u8 *)mvm->nvm_data->channels + 1);\nbecause of the \"(u8 *)\" cast, we add only 1 to the address of the beginning\nof the flex array.\n\nIt is likely that we want point at the 'struct ieee80211_rate' allocated\njust after.\n\nRemove the spurious casting so that the pointer arithmetic works as\nexpected.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52531\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52531\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52531\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52531\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52531\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6b3223449c959a8be94a1f042288059e40fcccb0\",\n \"https://git.kernel.org/stable/c/7c8faa31080342aec4903c9acb20caf82fcca1ef\",\n \"https://git.kernel.org/stable/c/8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d\",\n \"https://git.kernel.org/stable/c/f06cdd8d4ba5252986f51f80cc30263636397128\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: Fix a memory corruption issue\\n\\nA few lines above, space is kzalloc()'ed for:\\n\\tsizeof(struct iwl_nvm_data) +\\n\\tsizeof(struct ieee80211_channel) +\\n\\tsizeof(struct ieee80211_rate)\\n\\n'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.\\n\\nAt the end of this structure, there is the 'channels' flex array.\\nEach element is of type 'struct ieee80211_channel'.\\nSo only 1 element is allocated in this array.\\n\\nWhen doing:\\n mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;\\nWe point at the first element of the 'channels' flex array.\\nSo this is fine.\\n\\nHowever, when doing:\\n mvm->nvm_data->bands[0].bitrates =\\n\\t\\t\\t(void *)((u8 *)mvm->nvm_data->channels + 1);\\nbecause of the \\\"(u8 *)\\\" cast, we add only 1 to the address of the beginning\\nof the flex array.\\n\\nIt is likely that we want point at the 'struct ieee80211_rate' allocated\\njust after.\\n\\nRemove the spurious casting so that the pointer arithmetic works as\\nexpected.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52531\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52532", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52532" + }, + { + "url": "https://git.kernel.org/stable/c/a910e0f6304726da30a212feecec65cb97ff7a80" + }, + { + "url": "https://git.kernel.org/stable/c/b2b000069a4c307b09548dc2243f31f3ca0eac9c" + }, + { + "url": "https://git.kernel.org/stable/c/b67d7b1bfc46d05c1a58b172516454698e8d5004" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52532 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52532", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix TX CQE error handling\n\nFor an unknown TX CQE error type (probably from a newer hardware),\nstill free the SKB, update the queue tail, etc., otherwise the\naccounting will be wrong.\n\nAlso, TX errors can be triggered by injecting corrupted packets, so\nreplace the WARN_ONCE to ratelimited error logging.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52532\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52532\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52532\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52532\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52532\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/a910e0f6304726da30a212feecec65cb97ff7a80\",\n \"https://git.kernel.org/stable/c/b2b000069a4c307b09548dc2243f31f3ca0eac9c\",\n \"https://git.kernel.org/stable/c/b67d7b1bfc46d05c1a58b172516454698e8d5004\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: mana: Fix TX CQE error handling\\n\\nFor an unknown TX CQE error type (probably from a newer hardware),\\nstill free the SKB, update the queue tail, etc., otherwise the\\naccounting will be wrong.\\n\\nAlso, TX errors can be triggered by injecting corrupted packets, so\\nreplace the WARN_ONCE to ratelimited error logging.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52532\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52559", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52559" + }, + { + "url": "https://git.kernel.org/stable/c/29298c85a81abdc512e87537515ed4b1a9601d0e" + }, + { + "url": "https://git.kernel.org/stable/c/496c591f0b389eb782f36d9d4c2564b9a865eed0" + }, + { + "url": "https://git.kernel.org/stable/c/59df44bfb0ca4c3ee1f1c3c5d0ee8e314844799e" + }, + { + "url": "https://git.kernel.org/stable/c/c12ef025add77ca3a0902e8719d552b6d47b4282" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52559 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52559", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Avoid memory allocation in iommu_suspend()\n\nThe iommu_suspend() syscore suspend callback is invoked with IRQ disabled.\nAllocating memory with the GFP_KERNEL flag may re-enable IRQs during\nthe suspend callback, which can cause intermittent suspend/hibernation\nproblems with the following kernel traces:\n\nCalling iommu_suspend+0x0/0x1d0\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 15 at kernel/time/timekeeping.c:868 ktime_get+0x9b/0xb0\n...\nCPU: 0 PID: 15 Comm: rcu_preempt Tainted: G U E 6.3-intel #r1\nRIP: 0010:ktime_get+0x9b/0xb0\n...\nCall Trace:\n \n tick_sched_timer+0x22/0x90\n ? __pfx_tick_sched_timer+0x10/0x10\n __hrtimer_run_queues+0x111/0x2b0\n hrtimer_interrupt+0xfa/0x230\n __sysvec_apic_timer_interrupt+0x63/0x140\n sysvec_apic_timer_interrupt+0x7b/0xa0\n \n \n asm_sysvec_apic_timer_interrupt+0x1f/0x30\n...\n------------[ cut here ]------------\nInterrupts enabled after iommu_suspend+0x0/0x1d0\nWARNING: CPU: 0 PID: 27420 at drivers/base/syscore.c:68 syscore_suspend+0x147/0x270\nCPU: 0 PID: 27420 Comm: rtcwake Tainted: G U W E 6.3-intel #r1\nRIP: 0010:syscore_suspend+0x147/0x270\n...\nCall Trace:\n \n hibernation_snapshot+0x25b/0x670\n hibernate+0xcd/0x390\n state_store+0xcf/0xe0\n kobj_attr_store+0x13/0x30\n sysfs_kf_write+0x3f/0x50\n kernfs_fop_write_iter+0x128/0x200\n vfs_write+0x1fd/0x3c0\n ksys_write+0x6f/0xf0\n __x64_sys_write+0x1d/0x30\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nGiven that only 4 words memory is needed, avoid the memory allocation in\niommu_suspend().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52559\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52559\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52559\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52559\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52559\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29298c85a81abdc512e87537515ed4b1a9601d0e\",\n \"https://git.kernel.org/stable/c/496c591f0b389eb782f36d9d4c2564b9a865eed0\",\n \"https://git.kernel.org/stable/c/59df44bfb0ca4c3ee1f1c3c5d0ee8e314844799e\",\n \"https://git.kernel.org/stable/c/c12ef025add77ca3a0902e8719d552b6d47b4282\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu/vt-d: Avoid memory allocation in iommu_suspend()\\n\\nThe iommu_suspend() syscore suspend callback is invoked with IRQ disabled.\\nAllocating memory with the GFP_KERNEL flag may re-enable IRQs during\\nthe suspend callback, which can cause intermittent suspend/hibernation\\nproblems with the following kernel traces:\\n\\nCalling iommu_suspend+0x0/0x1d0\\n------------[ cut here ]------------\\nWARNING: CPU: 0 PID: 15 at kernel/time/timekeeping.c:868 ktime_get+0x9b/0xb0\\n...\\nCPU: 0 PID: 15 Comm: rcu_preempt Tainted: G U E 6.3-intel #r1\\nRIP: 0010:ktime_get+0x9b/0xb0\\n...\\nCall Trace:\\n \\n tick_sched_timer+0x22/0x90\\n ? __pfx_tick_sched_timer+0x10/0x10\\n __hrtimer_run_queues+0x111/0x2b0\\n hrtimer_interrupt+0xfa/0x230\\n __sysvec_apic_timer_interrupt+0x63/0x140\\n sysvec_apic_timer_interrupt+0x7b/0xa0\\n \\n \\n asm_sysvec_apic_timer_interrupt+0x1f/0x30\\n...\\n------------[ cut here ]------------\\nInterrupts enabled after iommu_suspend+0x0/0x1d0\\nWARNING: CPU: 0 PID: 27420 at drivers/base/syscore.c:68 syscore_suspend+0x147/0x270\\nCPU: 0 PID: 27420 Comm: rtcwake Tainted: G U W E 6.3-intel #r1\\nRIP: 0010:syscore_suspend+0x147/0x270\\n...\\nCall Trace:\\n \\n hibernation_snapshot+0x25b/0x670\\n hibernate+0xcd/0x390\\n state_store+0xcf/0xe0\\n kobj_attr_store+0x13/0x30\\n sysfs_kf_write+0x3f/0x50\\n kernfs_fop_write_iter+0x128/0x200\\n vfs_write+0x1fd/0x3c0\\n ksys_write+0x6f/0xf0\\n __x64_sys_write+0x1d/0x30\\n do_syscall_64+0x3b/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\n\\nGiven that only 4 words memory is needed, avoid the memory allocation in\\niommu_suspend().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52559\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52561", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52561" + }, + { + "url": "https://git.kernel.org/stable/c/110e70fccce4f22b53986ae797d665ffb1950aa6" + }, + { + "url": "https://git.kernel.org/stable/c/82dacd0ca0d9640723824026d6fdf773c02de1d2" + }, + { + "url": "https://git.kernel.org/stable/c/dc1ab6577475b0460ba4261cd9caec37bd62ca0b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52561 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52561", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\n\nAdding a reserved memory region for the framebuffer memory\n(the splash memory region set up by the bootloader).\n\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\nat this particular memory region) reported on DB845c running\nv5.10.y.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52561\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52561\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52561\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52561\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52561\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/110e70fccce4f22b53986ae797d665ffb1950aa6\",\n \"https://git.kernel.org/stable/c/82dacd0ca0d9640723824026d6fdf773c02de1d2\",\n \"https://git.kernel.org/stable/c/dc1ab6577475b0460ba4261cd9caec37bd62ca0b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\\n\\nAdding a reserved memory region for the framebuffer memory\\n(the splash memory region set up by the bootloader).\\n\\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\\nat this particular memory region) reported on DB845c running\\nv5.10.y.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52561\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52566", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52566" + }, + { + "url": "https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33" + }, + { + "url": "https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2" + }, + { + "url": "https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8" + }, + { + "url": "https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7" + }, + { + "url": "https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc" + }, + { + "url": "https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c" + }, + { + "url": "https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b" + }, + { + "url": "https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52566 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52566", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\n\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails. If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed. However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug. This patch moves the release\noperation after unlocking and putting the page.\n\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted. However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\n\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52566\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52566\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52566\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52566\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52566\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33\",\n \"https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2\",\n \"https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8\",\n \"https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7\",\n \"https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc\",\n \"https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c\",\n \"https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b\",\n \"https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\\n\\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\\nreference count of bh when the call to nilfs_dat_translate() fails. If\\nthe reference count hits 0 and its owner page gets unlocked, bh may be\\nfreed. However, bh->b_page is dereferenced to put the page after that,\\nwhich may result in a use-after-free bug. This patch moves the release\\noperation after unlocking and putting the page.\\n\\nNOTE: The function in question is only called in GC, and in combination\\nwith current userland tools, address translation using DAT does not occur\\nin that function, so the code path that causes this issue will not be\\nexecuted. However, it is possible to run that code path by intentionally\\nmodifying the userland GC library or by calling the GC ioctl directly.\\n\\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52566\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52569", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52569" + }, + { + "url": "https://git.kernel.org/stable/c/2c58c3931ede7cd08cbecf1f1a4acaf0a04a41a9" + }, + { + "url": "https://git.kernel.org/stable/c/39c4a9522db0072570d602e9b365119e17fb9f4f" + }, + { + "url": "https://git.kernel.org/stable/c/d10fd53393cc5de4b9cf1a4b8f9984f0a037aa51" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52569 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52569", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: remove BUG() after failure to insert delayed dir index item\n\nInstead of calling BUG() when we fail to insert a delayed dir index item\ninto the delayed node's tree, we can just release all the resources we\nhave allocated/acquired before and return the error to the caller. This is\nfine because all existing call chains undo anything they have done before\ncalling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending\nsnapshots in the transaction commit path).\n\nSo remove the BUG() call and do proper error handling.\n\nThis relates to a syzbot report linked below, but does not fix it because\nit only prevents hitting a BUG(), it does not fix the issue where somehow\nwe attempt to use twice the same index number for different index items.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52569\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52569\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52569\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52569\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52569\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c58c3931ede7cd08cbecf1f1a4acaf0a04a41a9\",\n \"https://git.kernel.org/stable/c/39c4a9522db0072570d602e9b365119e17fb9f4f\",\n \"https://git.kernel.org/stable/c/d10fd53393cc5de4b9cf1a4b8f9984f0a037aa51\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: remove BUG() after failure to insert delayed dir index item\\n\\nInstead of calling BUG() when we fail to insert a delayed dir index item\\ninto the delayed node's tree, we can just release all the resources we\\nhave allocated/acquired before and return the error to the caller. This is\\nfine because all existing call chains undo anything they have done before\\ncalling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending\\nsnapshots in the transaction commit path).\\n\\nSo remove the BUG() call and do proper error handling.\\n\\nThis relates to a syzbot report linked below, but does not fix it because\\nit only prevents hitting a BUG(), it does not fix the issue where somehow\\nwe attempt to use twice the same index number for different index items.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52569\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52572", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52572" + }, + { + "url": "https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a" + }, + { + "url": "https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3" + }, + { + "url": "https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52572 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52572", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix UAF in cifs_demultiplex_thread()\n\nThere is a UAF when xfstests on cifs:\n\n BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160\n Read of size 4 at addr ffff88810103fc08 by task cifsd/923\n\n CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45\n ...\n Call Trace:\n \n dump_stack_lvl+0x34/0x44\n print_report+0x171/0x472\n kasan_report+0xad/0x130\n kasan_check_range+0x145/0x1a0\n smb2_is_network_name_deleted+0x27/0x160\n cifs_demultiplex_thread.cold+0x172/0x5a4\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n \n\n Allocated by task 923:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_slab_alloc+0x54/0x60\n kmem_cache_alloc+0x147/0x320\n mempool_alloc+0xe1/0x260\n cifs_small_buf_get+0x24/0x60\n allocate_buffers+0xa1/0x1c0\n cifs_demultiplex_thread+0x199/0x10d0\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n\n Freed by task 921:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x40\n ____kasan_slab_free+0x143/0x1b0\n kmem_cache_free+0xe3/0x4d0\n cifs_small_buf_release+0x29/0x90\n SMB2_negotiate+0x8b7/0x1c60\n smb2_negotiate+0x51/0x70\n cifs_negotiate_protocol+0xf0/0x160\n cifs_get_smb_ses+0x5fa/0x13c0\n mount_get_conns+0x7a/0x750\n cifs_mount+0x103/0xd00\n cifs_smb3_do_mount+0x1dd/0xcb0\n smb3_get_tree+0x1d5/0x300\n vfs_get_tree+0x41/0xf0\n path_mount+0x9b3/0xdd0\n __x64_sys_mount+0x190/0x1d0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe UAF is because:\n\n mount(pid: 921) | cifsd(pid: 923)\n-------------------------------|-------------------------------\n | cifs_demultiplex_thread\nSMB2_negotiate |\n cifs_send_recv |\n compound_send_recv |\n smb_send_rqst |\n wait_for_response |\n wait_event_state [1] |\n | standard_receive3\n | cifs_handle_standard\n | handle_mid\n | mid->resp_buf = buf; [2]\n | dequeue_mid [3]\n KILL the process [4] |\n resp_iov[i].iov_base = buf |\n free_rsp_buf [5] |\n | is_network_name_deleted [6]\n | callback\n\n1. After send request to server, wait the response until\n mid->mid_state != SUBMITTED;\n2. Receive response from server, and set it to mid;\n3. Set the mid state to RECEIVED;\n4. Kill the process, the mid state already RECEIVED, get 0;\n5. Handle and release the negotiate response;\n6. UAF.\n\nIt can be easily reproduce with add some delay in [3] - [6].\n\nOnly sync call has the problem since async call's callback is\nexecuted in cifsd process.\n\nAdd an extra state to mark the mid state to READY before wakeup the\nwaitter, then it can get the resp safely.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52572\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52572\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52572\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52572\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52572\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a\",\n \"https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3\",\n \"https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncifs: Fix UAF in cifs_demultiplex_thread()\\n\\nThere is a UAF when xfstests on cifs:\\n\\n BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160\\n Read of size 4 at addr ffff88810103fc08 by task cifsd/923\\n\\n CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45\\n ...\\n Call Trace:\\n \\n dump_stack_lvl+0x34/0x44\\n print_report+0x171/0x472\\n kasan_report+0xad/0x130\\n kasan_check_range+0x145/0x1a0\\n smb2_is_network_name_deleted+0x27/0x160\\n cifs_demultiplex_thread.cold+0x172/0x5a4\\n kthread+0x165/0x1a0\\n ret_from_fork+0x1f/0x30\\n \\n\\n Allocated by task 923:\\n kasan_save_stack+0x1e/0x40\\n kasan_set_track+0x21/0x30\\n __kasan_slab_alloc+0x54/0x60\\n kmem_cache_alloc+0x147/0x320\\n mempool_alloc+0xe1/0x260\\n cifs_small_buf_get+0x24/0x60\\n allocate_buffers+0xa1/0x1c0\\n cifs_demultiplex_thread+0x199/0x10d0\\n kthread+0x165/0x1a0\\n ret_from_fork+0x1f/0x30\\n\\n Freed by task 921:\\n kasan_save_stack+0x1e/0x40\\n kasan_set_track+0x21/0x30\\n kasan_save_free_info+0x2a/0x40\\n ____kasan_slab_free+0x143/0x1b0\\n kmem_cache_free+0xe3/0x4d0\\n cifs_small_buf_release+0x29/0x90\\n SMB2_negotiate+0x8b7/0x1c60\\n smb2_negotiate+0x51/0x70\\n cifs_negotiate_protocol+0xf0/0x160\\n cifs_get_smb_ses+0x5fa/0x13c0\\n mount_get_conns+0x7a/0x750\\n cifs_mount+0x103/0xd00\\n cifs_smb3_do_mount+0x1dd/0xcb0\\n smb3_get_tree+0x1d5/0x300\\n vfs_get_tree+0x41/0xf0\\n path_mount+0x9b3/0xdd0\\n __x64_sys_mount+0x190/0x1d0\\n do_syscall_64+0x35/0x80\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\\n\\nThe UAF is because:\\n\\n mount(pid: 921) | cifsd(pid: 923)\\n-------------------------------|-------------------------------\\n | cifs_demultiplex_thread\\nSMB2_negotiate |\\n cifs_send_recv |\\n compound_send_recv |\\n smb_send_rqst |\\n wait_for_response |\\n wait_event_state [1] |\\n | standard_receive3\\n | cifs_handle_standard\\n | handle_mid\\n | mid->resp_buf = buf; [2]\\n | dequeue_mid [3]\\n KILL the process [4] |\\n resp_iov[i].iov_base = buf |\\n free_rsp_buf [5] |\\n | is_network_name_deleted [6]\\n | callback\\n\\n1. After send request to server, wait the response until\\n mid->mid_state != SUBMITTED;\\n2. Receive response from server, and set it to mid;\\n3. Set the mid state to RECEIVED;\\n4. Kill the process, the mid state already RECEIVED, get 0;\\n5. Handle and release the negotiate response;\\n6. UAF.\\n\\nIt can be easily reproduce with add some delay in [3] - [6].\\n\\nOnly sync call has the problem since async call's callback is\\nexecuted in cifsd process.\\n\\nAdd an extra state to mark the mid state to READY before wakeup the\\nwaitter, then it can get the resp safely.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52572\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52574", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52574" + }, + { + "url": "https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457" + }, + { + "url": "https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58" + }, + { + "url": "https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd" + }, + { + "url": "https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7" + }, + { + "url": "https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7" + }, + { + "url": "https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d" + }, + { + "url": "https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d" + }, + { + "url": "https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52574 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52574", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix null-ptr-deref when team device type is changed\n\nGet a null-ptr-deref bug as follows with reproducer [1].\n\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n \n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n\n[1]\n$ teamd -t team0 -d -c '{\"runner\": {\"name\": \"loadbalance\"}}'\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\n\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\na vlan device.\n\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52574\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52574\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52574\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52574\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52574\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457\",\n \"https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58\",\n \"https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd\",\n \"https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7\",\n \"https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7\",\n \"https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d\",\n \"https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d\",\n \"https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nteam: fix null-ptr-deref when team device type is changed\\n\\nGet a null-ptr-deref bug as follows with reproducer [1].\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000228\\n...\\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\\n...\\nCall Trace:\\n \\n ? __die+0x24/0x70\\n ? page_fault_oops+0x82/0x150\\n ? exc_page_fault+0x69/0x150\\n ? asm_exc_page_fault+0x26/0x30\\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\\n neigh_connected_output+0xb2/0x100\\n ip6_finish_output2+0x1cb/0x520\\n ? nf_hook_slow+0x43/0xc0\\n ? ip6_mtu+0x46/0x80\\n ip6_finish_output+0x2a/0xb0\\n mld_sendpack+0x18f/0x250\\n mld_ifc_work+0x39/0x160\\n process_one_work+0x1e6/0x3f0\\n worker_thread+0x4d/0x2f0\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xe5/0x120\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x34/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n\\n[1]\\n$ teamd -t team0 -d -c '{\\\"runner\\\": {\\\"name\\\": \\\"loadbalance\\\"}}'\\n$ ip link add name t-dummy type dummy\\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\\n$ ip link add name t-nlmon type nlmon\\n$ ip link set t-nlmon master team0\\n$ ip link set t-nlmon nomaster\\n$ ip link set t-dummy up\\n$ ip link set team0 up\\n$ ip link set t-dummy.100 down\\n$ ip link set t-dummy.100 master team0\\n\\nWhen enslave a vlan device to team device and team device type is changed\\nfrom non-ether to ether, header_ops of team device is changed to\\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\\na vlan device.\\n\\nCache eth_header_ops in team_setup(), then assign cached header_ops to\\nheader_ops of team net device when its type is changed from non-ether\\nto ether to fix the bug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52574\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52576", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52576" + }, + { + "url": "https://git.kernel.org/stable/c/34cf99c250d5cd2530b93a57b0de31d3aaf8685b" + }, + { + "url": "https://git.kernel.org/stable/c/d2dfbc0e3b7a04c2d941421a958dc31c897fb204" + }, + { + "url": "https://git.kernel.org/stable/c/eef16bfdb212da60f5144689f2967fb25b051a2b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52576 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52576", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()\n\nThe code calling ima_free_kexec_buffer() runs long after the memblock\nallocator has already been torn down, potentially resulting in a use\nafter free in memblock_isolate_range().\n\nWith KASAN or KFENCE, this use after free will result in a BUG\nfrom the idle task, and a subsequent kernel panic.\n\nSwitch ima_free_kexec_buffer() over to memblock_free_late() to avoid\nthat bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52576\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52576\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52576\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52576\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52576\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/34cf99c250d5cd2530b93a57b0de31d3aaf8685b\",\n \"https://git.kernel.org/stable/c/d2dfbc0e3b7a04c2d941421a958dc31c897fb204\",\n \"https://git.kernel.org/stable/c/eef16bfdb212da60f5144689f2967fb25b051a2b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()\\n\\nThe code calling ima_free_kexec_buffer() runs long after the memblock\\nallocator has already been torn down, potentially resulting in a use\\nafter free in memblock_isolate_range().\\n\\nWith KASAN or KFENCE, this use after free will result in a BUG\\nfrom the idle task, and a subsequent kernel panic.\\n\\nSwitch ima_free_kexec_buffer() over to memblock_free_late() to avoid\\nthat bug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52576\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52578", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52578" + }, + { + "url": "https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd" + }, + { + "url": "https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4" + }, + { + "url": "https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2" + }, + { + "url": "https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394" + }, + { + "url": "https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5" + }, + { + "url": "https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839" + }, + { + "url": "https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52578 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52578", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: use DEV_STATS_INC()\n\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\n\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\n\nHandles updates to dev->stats.tx_dropped while we are at it.\n\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52578\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52578\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52578\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52578\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52578\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd\",\n \"https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4\",\n \"https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2\",\n \"https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394\",\n \"https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5\",\n \"https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839\",\n \"https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: bridge: use DEV_STATS_INC()\\n\\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\\nThis function can run from multiple cpus without mutual exclusion.\\n\\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\\n\\nHandles updates to dev->stats.tx_dropped while we are at it.\\n\\n[1]\\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\\n\\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\\nbr_nf_hook_thresh+0x1ed/0x220\\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\\nNF_HOOK include/linux/netfilter.h:304 [inline]\\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\\nnapi_poll net/core/dev.c:6594 [inline]\\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\\nkthread+0x1d7/0x210 kernel/kthread.c:388\\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\\n\\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\\nbr_nf_hook_thresh+0x1ed/0x220\\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\\nNF_HOOK include/linux/netfilter.h:304 [inline]\\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\\nnapi_poll net/core/dev.c:6594 [inline]\\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\\nprocess_one_work kernel/workqueue.c:2630 [inline]\\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\\nkthread+0x1d7/0x210 kernel/kthread.c:388\\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\\n\\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\\n\\nReported by Kernel Concurrency Sanitizer on:\\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52578\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52582", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52582" + }, + { + "url": "https://git.kernel.org/stable/c/d9f5537479d4ec97ea92ff24e81a517d5772581a" + }, + { + "url": "https://git.kernel.org/stable/c/df1c357f25d808e30b216188330e708e09e1a412" + }, + { + "url": "https://git.kernel.org/stable/c/df9950d37df113db59495fa09d060754366a2b7c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52582 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52582", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Only call folio_start_fscache() one time for each folio\n\nIf a network filesystem using netfs implements a clamp_length()\nfunction, it can set subrequest lengths smaller than a page size.\n\nWhen we loop through the folios in netfs_rreq_unlock_folios() to\nset any folios to be written back, we need to make sure we only\ncall folio_start_fscache() once for each folio.\n\nOtherwise, this simple testcase:\n\n mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs\n dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1\n 1+0 records in\n 1+0 records out\n 4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s\n echo 3 > /proc/sys/vm/drop_caches\n cat /mnt/nfs/file.bin > /dev/null\n\nwill trigger an oops similar to the following:\n\n page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))\n ------------[ cut here ]------------\n kernel BUG at include/linux/netfs.h:44!\n ...\n CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5\n ...\n RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]\n ...\n Call Trace:\n netfs_rreq_assess+0x497/0x660 [netfs]\n netfs_subreq_terminated+0x32b/0x610 [netfs]\n nfs_netfs_read_completion+0x14e/0x1a0 [nfs]\n nfs_read_completion+0x2f9/0x330 [nfs]\n rpc_free_task+0x72/0xa0 [sunrpc]\n rpc_async_release+0x46/0x70 [sunrpc]\n process_one_work+0x3bd/0x710\n worker_thread+0x89/0x610\n kthread+0x181/0x1c0\n ret_from_fork+0x29/0x50", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52582\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52582\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52582\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52582\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52582\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/d9f5537479d4ec97ea92ff24e81a517d5772581a\",\n \"https://git.kernel.org/stable/c/df1c357f25d808e30b216188330e708e09e1a412\",\n \"https://git.kernel.org/stable/c/df9950d37df113db59495fa09d060754366a2b7c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfs: Only call folio_start_fscache() one time for each folio\\n\\nIf a network filesystem using netfs implements a clamp_length()\\nfunction, it can set subrequest lengths smaller than a page size.\\n\\nWhen we loop through the folios in netfs_rreq_unlock_folios() to\\nset any folios to be written back, we need to make sure we only\\ncall folio_start_fscache() once for each folio.\\n\\nOtherwise, this simple testcase:\\n\\n mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs\\n dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1\\n 1+0 records in\\n 1+0 records out\\n 4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s\\n echo 3 > /proc/sys/vm/drop_caches\\n cat /mnt/nfs/file.bin > /dev/null\\n\\nwill trigger an oops similar to the following:\\n\\n page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))\\n ------------[ cut here ]------------\\n kernel BUG at include/linux/netfs.h:44!\\n ...\\n CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5\\n ...\\n RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]\\n ...\\n Call Trace:\\n netfs_rreq_assess+0x497/0x660 [netfs]\\n netfs_subreq_terminated+0x32b/0x610 [netfs]\\n nfs_netfs_read_completion+0x14e/0x1a0 [nfs]\\n nfs_read_completion+0x2f9/0x330 [nfs]\\n rpc_free_task+0x72/0xa0 [sunrpc]\\n rpc_async_release+0x46/0x70 [sunrpc]\\n process_one_work+0x3bd/0x710\\n worker_thread+0x89/0x610\\n kthread+0x181/0x1c0\\n ret_from_fork+0x29/0x50\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52582\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52584", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52584" + }, + { + "url": "https://git.kernel.org/stable/c/521f28eedd6b14228c46e3b81e3bf9b90c2818d8" + }, + { + "url": "https://git.kernel.org/stable/c/9a3881b1f07db1bb55cb0108e6f05cfd027eaf2e" + }, + { + "url": "https://git.kernel.org/stable/c/e821d50ab5b956ed0effa49faaf29912fd4106d9" + }, + { + "url": "https://git.kernel.org/stable/c/f8dcafcb54632536684336161da8bdd52120f95e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52584 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52584", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: mediatek: Fix UAF on device remove\n\nThe pmif driver data that contains the clocks is allocated along with\nspmi_controller.\nOn device remove, spmi_controller will be freed first, and then devres\n, including the clocks, will be cleanup.\nThis leads to UAF because putting the clocks will access the clocks in\nthe pmif driver data, which is already freed along with spmi_controller.\n\nThis can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and\nbuilding the kernel with KASAN.\n\nFix the UAF issue by using unmanaged clk_bulk_get() and putting the\nclocks before freeing spmi_controller.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52584\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52584\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52584\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52584\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52584\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/521f28eedd6b14228c46e3b81e3bf9b90c2818d8\",\n \"https://git.kernel.org/stable/c/9a3881b1f07db1bb55cb0108e6f05cfd027eaf2e\",\n \"https://git.kernel.org/stable/c/e821d50ab5b956ed0effa49faaf29912fd4106d9\",\n \"https://git.kernel.org/stable/c/f8dcafcb54632536684336161da8bdd52120f95e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspmi: mediatek: Fix UAF on device remove\\n\\nThe pmif driver data that contains the clocks is allocated along with\\nspmi_controller.\\nOn device remove, spmi_controller will be freed first, and then devres\\n, including the clocks, will be cleanup.\\nThis leads to UAF because putting the clocks will access the clocks in\\nthe pmif driver data, which is already freed along with spmi_controller.\\n\\nThis can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and\\nbuilding the kernel with KASAN.\\n\\nFix the UAF issue by using unmanaged clk_bulk_get() and putting the\\nclocks before freeing spmi_controller.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 3.8,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52584\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52585", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52585" + }, + { + "url": "https://git.kernel.org/stable/c/0eb296233f86750102aa43b97879b8d8311f249a" + }, + { + "url": "https://git.kernel.org/stable/c/195a6289282e039024ad30ba66e6f94a4d0fbe49" + }, + { + "url": "https://git.kernel.org/stable/c/467139546f3fb93913de064461b1a43a212d7626" + }, + { + "url": "https://git.kernel.org/stable/c/7e6d6f27522bcd037856234b720ff607b9c4a09b" + }, + { + "url": "https://git.kernel.org/stable/c/92cb363d16ac1e41c9764cdb513d0e89a6ff4915" + }, + { + "url": "https://git.kernel.org/stable/c/b8d55a90fd55b767c25687747e2b24abd1ef8680" + }, + { + "url": "https://git.kernel.org/stable/c/c364e7a34c85c2154fb2e47561965d5b5a0b69b1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52585 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52585", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()\n\nReturn invalid error code -EINVAL for invalid block id.\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52585\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52585\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52585\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52585\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52585\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0eb296233f86750102aa43b97879b8d8311f249a\",\n \"https://git.kernel.org/stable/c/195a6289282e039024ad30ba66e6f94a4d0fbe49\",\n \"https://git.kernel.org/stable/c/467139546f3fb93913de064461b1a43a212d7626\",\n \"https://git.kernel.org/stable/c/7e6d6f27522bcd037856234b720ff607b9c4a09b\",\n \"https://git.kernel.org/stable/c/92cb363d16ac1e41c9764cdb513d0e89a6ff4915\",\n \"https://git.kernel.org/stable/c/b8d55a90fd55b767c25687747e2b24abd1ef8680\",\n \"https://git.kernel.org/stable/c/c364e7a34c85c2154fb2e47561965d5b5a0b69b1\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()\\n\\nReturn invalid error code -EINVAL for invalid block id.\\n\\nFixes the below:\\n\\ndrivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52585\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52586", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52586" + }, + { + "url": "https://git.kernel.org/stable/c/14f109bf74dd67e1d0469fed859c8e506b0df53f" + }, + { + "url": "https://git.kernel.org/stable/c/45284ff733e4caf6c118aae5131eb7e7cf3eea5a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52586 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52586", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add mutex lock in control vblank irq\n\nAdd a mutex lock to control vblank irq to synchronize vblank\nenable/disable operations happening from different threads to prevent\nrace conditions while registering/unregistering the vblank irq callback.\n\nv4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a\n parameter of dpu_encoder_phys.\n -Switch from atomic refcnt to a simple int counter as mutex has\n now been added\nv3: Mistakenly did not change wording in last version. It is done now.\nv2: Slightly changed wording of commit message\n\nPatchwork: https://patchwork.freedesktop.org/patch/571854/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52586\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52586\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52586\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52586\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52586\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14f109bf74dd67e1d0469fed859c8e506b0df53f\",\n \"https://git.kernel.org/stable/c/45284ff733e4caf6c118aae5131eb7e7cf3eea5a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/msm/dpu: Add mutex lock in control vblank irq\\n\\nAdd a mutex lock to control vblank irq to synchronize vblank\\nenable/disable operations happening from different threads to prevent\\nrace conditions while registering/unregistering the vblank irq callback.\\n\\nv4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a\\n parameter of dpu_encoder_phys.\\n -Switch from atomic refcnt to a simple int counter as mutex has\\n now been added\\nv3: Mistakenly did not change wording in last version. It is done now.\\nv2: Slightly changed wording of commit message\\n\\nPatchwork: https://patchwork.freedesktop.org/patch/571854/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52586\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52589", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52589" + }, + { + "url": "https://git.kernel.org/stable/c/7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7" + }, + { + "url": "https://git.kernel.org/stable/c/870565f063a58576e8a4529f122cac4325c6b395" + }, + { + "url": "https://git.kernel.org/stable/c/bf808f58681cab64c81cd814551814fd34e540fe" + }, + { + "url": "https://git.kernel.org/stable/c/fab483438342984f2a315fe13c882a80f0f7e545" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52589 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52589", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ disable race issue\n\nIn rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the\ninterrupts and then apparently assumes that the interrupt handler won't\nbe running, and proceeds in the stop procedure. This is not the case, as\nthe interrupt handler can already be running, which would lead to the\nISP being disabled while the interrupt handler handling a captured\nframe.\n\nThis brings up two issues: 1) the ISP could be powered off while the\ninterrupt handler is still running and accessing registers, leading to\nboard lockup, and 2) the interrupt handler code and the code that\ndisables the streaming might do things that conflict.\n\nIt is not clear to me if 2) causes a real issue, but 1) can be seen with\na suitable delay (or printk in my case) in the interrupt handler,\nleading to board lockup.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52589\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52589\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52589\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52589\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52589\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7\",\n \"https://git.kernel.org/stable/c/870565f063a58576e8a4529f122cac4325c6b395\",\n \"https://git.kernel.org/stable/c/bf808f58681cab64c81cd814551814fd34e540fe\",\n \"https://git.kernel.org/stable/c/fab483438342984f2a315fe13c882a80f0f7e545\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: rkisp1: Fix IRQ disable race issue\\n\\nIn rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the\\ninterrupts and then apparently assumes that the interrupt handler won't\\nbe running, and proceeds in the stop procedure. This is not the case, as\\nthe interrupt handler can already be running, which would lead to the\\nISP being disabled while the interrupt handler handling a captured\\nframe.\\n\\nThis brings up two issues: 1) the ISP could be powered off while the\\ninterrupt handler is still running and accessing registers, leading to\\nboard lockup, and 2) the interrupt handler code and the code that\\ndisables the streaming might do things that conflict.\\n\\nIt is not clear to me if 2) causes a real issue, but 1) can be seen with\\na suitable delay (or printk in my case) in the interrupt handler,\\nleading to board lockup.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52589\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52590", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52590" + }, + { + "url": "https://git.kernel.org/stable/c/9d618d19b29c2943527e3a43da0a35aea91062fc" + }, + { + "url": "https://git.kernel.org/stable/c/de940cede3c41624e2de27f805b490999f419df9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52590 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52590", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change ocfs2 rename code to avoid touching renamed directory if\nits parent does not change as without locking that can corrupt the\nfilesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52590\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52590\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52590\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52590\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52590\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/9d618d19b29c2943527e3a43da0a35aea91062fc\",\n \"https://git.kernel.org/stable/c/de940cede3c41624e2de27f805b490999f419df9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: Avoid touching renamed directory if parent does not change\\n\\nThe VFS will not be locking moved directory if its parent does not\\nchange. Change ocfs2 rename code to avoid touching renamed directory if\\nits parent does not change as without locking that can corrupt the\\nfilesystem.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52590\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52591", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52591" + }, + { + "url": "https://git.kernel.org/stable/c/17e1361cb91dc1325834da95d2ab532959d2debc" + }, + { + "url": "https://git.kernel.org/stable/c/49db9b1b86a82448dfaf3fcfefcf678dee56c8ed" + }, + { + "url": "https://git.kernel.org/stable/c/c04c162f82ac403917780eb6d1654694455d4e7c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52591 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52591", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nreiserfs: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change reiserfs rename code to avoid touching renamed directory\nif its parent does not change as without locking that can corrupt the\nfilesystem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52591\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52591\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52591\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52591\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52591\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17e1361cb91dc1325834da95d2ab532959d2debc\",\n \"https://git.kernel.org/stable/c/49db9b1b86a82448dfaf3fcfefcf678dee56c8ed\",\n \"https://git.kernel.org/stable/c/c04c162f82ac403917780eb6d1654694455d4e7c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nreiserfs: Avoid touching renamed directory if parent does not change\\n\\nThe VFS will not be locking moved directory if its parent does not\\nchange. Change reiserfs rename code to avoid touching renamed directory\\nif its parent does not change as without locking that can corrupt the\\nfilesystem.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52591\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52593", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52593" + }, + { + "url": "https://git.kernel.org/stable/c/3739121443f5114c6bcf6d841a5124deb006b878" + }, + { + "url": "https://git.kernel.org/stable/c/574dcd3126aa2eed75437137843f254b1190dd03" + }, + { + "url": "https://git.kernel.org/stable/c/9ab224744a47363f74ea29c6894c405e3bcf5132" + }, + { + "url": "https://git.kernel.org/stable/c/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52593 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52593", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\n\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. Compile tested only.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52593\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52593\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52593\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52593\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52593\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3739121443f5114c6bcf6d841a5124deb006b878\",\n \"https://git.kernel.org/stable/c/574dcd3126aa2eed75437137843f254b1190dd03\",\n \"https://git.kernel.org/stable/c/9ab224744a47363f74ea29c6894c405e3bcf5132\",\n \"https://git.kernel.org/stable/c/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\\n\\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\\nshould check the return value before examining skb data. So convert\\nthe latter to return an appropriate error code and propagate it to\\nreturn from 'wfx_start_ap()' as well. Compile tested only.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52593\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52596", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52596" + }, + { + "url": "https://git.kernel.org/stable/c/15893975e9e382f8294ea8d926f08dc2d8d39ede" + }, + { + "url": "https://git.kernel.org/stable/c/2ae7081bc10123b187e36a4f3a8e53768de31489" + }, + { + "url": "https://git.kernel.org/stable/c/315552310c7de92baea4e570967066569937a843" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52596 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52596", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix out of bounds access for empty sysctl registers\n\nWhen registering tables to the sysctl subsystem there is a check to see\nif header is a permanently empty directory (used for mounts). This check\nevaluates the first element of the ctl_table. This results in an out of\nbounds evaluation when registering empty directories.\n\nThe function register_sysctl_mount_point now passes a ctl_table of size\n1 instead of size 0. It now relies solely on the type to identify\na permanently empty register.\n\nMake sure that the ctl_table has at least one element before testing for\npermanent emptiness.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52596\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52596\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52596\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52596\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52596\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15893975e9e382f8294ea8d926f08dc2d8d39ede\",\n \"https://git.kernel.org/stable/c/2ae7081bc10123b187e36a4f3a8e53768de31489\",\n \"https://git.kernel.org/stable/c/315552310c7de92baea4e570967066569937a843\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsysctl: Fix out of bounds access for empty sysctl registers\\n\\nWhen registering tables to the sysctl subsystem there is a check to see\\nif header is a permanently empty directory (used for mounts). This check\\nevaluates the first element of the ctl_table. This results in an out of\\nbounds evaluation when registering empty directories.\\n\\nThe function register_sysctl_mount_point now passes a ctl_table of size\\n1 instead of size 0. It now relies solely on the type to identify\\na permanently empty register.\\n\\nMake sure that the ctl_table has at least one element before testing for\\npermanent emptiness.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52596\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52621", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52621" + }, + { + "url": "https://git.kernel.org/stable/c/169410eba271afc9f0fb476d996795aa26770c6d" + }, + { + "url": "https://git.kernel.org/stable/c/483cb92334cd7f1d5387dccc0ab5d595d27a669d" + }, + { + "url": "https://git.kernel.org/stable/c/c7f1b6146f4a46d727c0d046284c28b6882c6304" + }, + { + "url": "https://git.kernel.org/stable/c/d6d6fe4bb105595118f12abeed4a7bdd450853f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52621 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52621", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\n\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\n\n WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n ......\n Call Trace:\n \n ? __warn+0xa5/0x240\n ? bpf_map_lookup_elem+0x54/0x60\n ? report_bug+0x1ba/0x1f0\n ? handle_bug+0x40/0x80\n ? exc_invalid_op+0x18/0x50\n ? asm_exc_invalid_op+0x1b/0x20\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ? rcu_lockdep_current_cpu_online+0x65/0xb0\n ? rcu_is_watching+0x23/0x50\n ? bpf_map_lookup_elem+0x54/0x60\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ___bpf_prog_run+0x513/0x3b70\n __bpf_prog_run32+0x9d/0xd0\n ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n bpf_trampoline_6442580665+0x4d/0x1000\n __x64_sys_getpgid+0x5/0x30\n ? do_syscall_64+0x36/0xb0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52621\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52621\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52621\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52621\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52621\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/169410eba271afc9f0fb476d996795aa26770c6d\",\n \"https://git.kernel.org/stable/c/483cb92334cd7f1d5387dccc0ab5d595d27a669d\",\n \"https://git.kernel.org/stable/c/c7f1b6146f4a46d727c0d046284c28b6882c6304\",\n \"https://git.kernel.org/stable/c/d6d6fe4bb105595118f12abeed4a7bdd450853f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\\n\\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\\navailable for sleepable bpf program, so add the corresponding lock\\nassertion for sleepable bpf program, otherwise the following warning\\nwill be reported when a sleepable bpf program manipulates bpf map under\\ninterpreter mode (aka bpf_jit_enable=0):\\n\\n WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\\n CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\\n RIP: 0010:bpf_map_lookup_elem+0x54/0x60\\n ......\\n Call Trace:\\n \\n ? __warn+0xa5/0x240\\n ? bpf_map_lookup_elem+0x54/0x60\\n ? report_bug+0x1ba/0x1f0\\n ? handle_bug+0x40/0x80\\n ? exc_invalid_op+0x18/0x50\\n ? asm_exc_invalid_op+0x1b/0x20\\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\\n ? rcu_lockdep_current_cpu_online+0x65/0xb0\\n ? rcu_is_watching+0x23/0x50\\n ? bpf_map_lookup_elem+0x54/0x60\\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\\n ___bpf_prog_run+0x513/0x3b70\\n __bpf_prog_run32+0x9d/0xd0\\n ? __bpf_prog_enter_sleepable_recur+0xad/0x120\\n ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\\n bpf_trampoline_6442580665+0x4d/0x1000\\n __x64_sys_getpgid+0x5/0x30\\n ? do_syscall_64+0x36/0xb0\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52621\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52624", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52624" + }, + { + "url": "https://git.kernel.org/stable/c/2ef98c6d753a744e333b7e34b9cf687040fba57d" + }, + { + "url": "https://git.kernel.org/stable/c/e5ffd1263dd5b44929c676171802e7b6af483f21" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52624 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52624", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before executing GPINT commands\n\n[Why]\nDMCUB can be in idle when we attempt to interface with the HW through\nthe GPINT mailbox resulting in a system hang.\n\n[How]\nAdd dc_wake_and_execute_gpint() to wrap the wake, execute, sleep\nsequence.\n\nIf the GPINT executes successfully then DMCUB will be put back into\nsleep after the optional response is returned.\n\nIt functions similar to the inbox command interface.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52624\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52624\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52624\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52624\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52624\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ef98c6d753a744e333b7e34b9cf687040fba57d\",\n \"https://git.kernel.org/stable/c/e5ffd1263dd5b44929c676171802e7b6af483f21\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Wake DMCUB before executing GPINT commands\\n\\n[Why]\\nDMCUB can be in idle when we attempt to interface with the HW through\\nthe GPINT mailbox resulting in a system hang.\\n\\n[How]\\nAdd dc_wake_and_execute_gpint() to wrap the wake, execute, sleep\\nsequence.\\n\\nIf the GPINT executes successfully then DMCUB will be put back into\\nsleep after the optional response is returned.\\n\\nIt functions similar to the inbox command interface.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52624\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52625", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52625" + }, + { + "url": "https://git.kernel.org/stable/c/820c3870c491946a78950cdf961bf40e28c1025f" + }, + { + "url": "https://git.kernel.org/stable/c/8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52625 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52625", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Refactor DMCUB enter/exit idle interface\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nWe need to exit out of the idle state prior to sending a command,\nbut the process that performs the exit also invokes a command itself.\n\nFixing this issue involves the following:\n\n1. Using a software state to track whether or not we need to start\n the process to exit idle or notify idle.\n\nIt's possible for the hardware to have exited an idle state without\ndriver knowledge, but entering one is always restricted to a driver\nallow - which makes the SW state vs HW state mismatch issue purely one\nof optimization, which should seldomly be hit, if at all.\n\n2. Refactor any instances of exit/notify idle to use a single wrapper\n that maintains this SW state.\n\nThis works simialr to dc_allow_idle_optimizations, but works at the\nDMCUB level and makes sure the state is marked prior to any notify/exit\nidle so we don't enter an infinite loop.\n\n3. Make sure we exit out of idle prior to sending any commands or\n waiting for DMCUB idle.\n\nThis patch takes care of 1/2. A future patch will take care of wrapping\nDMCUB command submission with calls to this new interface.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52625\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52625\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52625\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52625\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52625\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/820c3870c491946a78950cdf961bf40e28c1025f\",\n \"https://git.kernel.org/stable/c/8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Refactor DMCUB enter/exit idle interface\\n\\n[Why]\\nWe can hang in place trying to send commands when the DMCUB isn't\\npowered on.\\n\\n[How]\\nWe need to exit out of the idle state prior to sending a command,\\nbut the process that performs the exit also invokes a command itself.\\n\\nFixing this issue involves the following:\\n\\n1. Using a software state to track whether or not we need to start\\n the process to exit idle or notify idle.\\n\\nIt's possible for the hardware to have exited an idle state without\\ndriver knowledge, but entering one is always restricted to a driver\\nallow - which makes the SW state vs HW state mismatch issue purely one\\nof optimization, which should seldomly be hit, if at all.\\n\\n2. Refactor any instances of exit/notify idle to use a single wrapper\\n that maintains this SW state.\\n\\nThis works simialr to dc_allow_idle_optimizations, but works at the\\nDMCUB level and makes sure the state is marked prior to any notify/exit\\nidle so we don't enter an infinite loop.\\n\\n3. Make sure we exit out of idle prior to sending any commands or\\n waiting for DMCUB idle.\\n\\nThis patch takes care of 1/2. A future patch will take care of wrapping\\nDMCUB command submission with calls to this new interface.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52625\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52629", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52629" + }, + { + "url": "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65" + }, + { + "url": "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52629 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52629", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n (cpu 0) | (cpu 1)\nswitch_drv_remove() |\n flush_work() |\n ... | switch_timer // timer\n | schedule_work(&psw->work)\n timer_shutdown_sync() |\n ... | switch_work_handler // worker\n kfree(psw) // free |\n | psw->state = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52629\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52629\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52629\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52629\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52629\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65\",\n \"https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\\n\\nThe original code puts flush_work() before timer_shutdown_sync()\\nin switch_drv_remove(). Although we use flush_work() to stop\\nthe worker, it could be rescheduled in switch_timer(). As a result,\\na use-after-free bug can occur. The details are shown below:\\n\\n (cpu 0) | (cpu 1)\\nswitch_drv_remove() |\\n flush_work() |\\n ... | switch_timer // timer\\n | schedule_work(&psw->work)\\n timer_shutdown_sync() |\\n ... | switch_work_handler // worker\\n kfree(psw) // free |\\n | psw->state = 0 // use\\n\\nThis patch puts timer_shutdown_sync() before flush_work() to\\nmitigate the bugs. As a result, the worker and timer will be\\nstopped safely before the deallocate operations.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52629\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52632", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52632" + }, + { + "url": "https://git.kernel.org/stable/c/1556c242e64cdffe58736aa650b0b395854fe4d4" + }, + { + "url": "https://git.kernel.org/stable/c/2a9de42e8d3c82c6990d226198602be44f43f340" + }, + { + "url": "https://git.kernel.org/stable/c/752312f6a79440086ac0f9b08d7776870037323c" + }, + { + "url": "https://git.kernel.org/stable/c/b602f098f716723fa5c6c96a486e0afba83b7b94" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52632 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52632", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix lock dependency warning with srcu\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.5.0-kfd-yangp #2289 Not tainted\n------------------------------------------------------\nkworker/0:2/996 is trying to acquire lock:\n (srcu){.+.+}-{0:0}, at: __synchronize_srcu+0x5/0x1a0\n\nbut task is already holding lock:\n ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}, at:\n\tprocess_one_work+0x211/0x560\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n svm_range_list_lock_and_flush_work+0x3d/0x110 [amdgpu]\n svm_range_set_attr+0xd6/0x14c0 [amdgpu]\n kfd_ioctl+0x1d1/0x630 [amdgpu]\n __x64_sys_ioctl+0x88/0xc0\n\n-> #2 (&info->lock#2){+.+.}-{3:3}:\n __mutex_lock+0x99/0xc70\n amdgpu_amdkfd_gpuvm_restore_process_bos+0x54/0x740 [amdgpu]\n restore_process_helper+0x22/0x80 [amdgpu]\n restore_process_worker+0x2d/0xa0 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\n-> #1 ((work_completion)(&(&process->restore_work)->work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n __cancel_work_timer+0x12c/0x1c0\n kfd_process_notifier_release_internal+0x37/0x1f0 [amdgpu]\n __mmu_notifier_release+0xad/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n do_exit+0x322/0xb90\n do_group_exit+0x37/0xa0\n __x64_sys_exit_group+0x18/0x20\n do_syscall_64+0x38/0x80\n\n-> #0 (srcu){.+.+}-{0:0}:\n __lock_acquire+0x1521/0x2510\n lock_sync+0x5f/0x90\n __synchronize_srcu+0x4f/0x1a0\n __mmu_notifier_release+0x128/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n svm_range_deferred_list_work+0x19f/0x350 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\nother info that might help us debug this:\nChain exists of:\n srcu --> &info->lock#2 --> (work_completion)(&svms->deferred_list_work)\n\nPossible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock((work_completion)(&svms->deferred_list_work));\n lock(&info->lock#2);\n\t\t\tlock((work_completion)(&svms->deferred_list_work));\n sync(srcu);", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52632\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52632\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52632\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52632\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52632\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1556c242e64cdffe58736aa650b0b395854fe4d4\",\n \"https://git.kernel.org/stable/c/2a9de42e8d3c82c6990d226198602be44f43f340\",\n \"https://git.kernel.org/stable/c/752312f6a79440086ac0f9b08d7776870037323c\",\n \"https://git.kernel.org/stable/c/b602f098f716723fa5c6c96a486e0afba83b7b94\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdkfd: Fix lock dependency warning with srcu\\n\\n======================================================\\nWARNING: possible circular locking dependency detected\\n6.5.0-kfd-yangp #2289 Not tainted\\n------------------------------------------------------\\nkworker/0:2/996 is trying to acquire lock:\\n (srcu){.+.+}-{0:0}, at: __synchronize_srcu+0x5/0x1a0\\n\\nbut task is already holding lock:\\n ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}, at:\\n\\tprocess_one_work+0x211/0x560\\n\\nwhich lock already depends on the new lock.\\n\\nthe existing dependency chain (in reverse order) is:\\n\\n-> #3 ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}:\\n __flush_work+0x88/0x4f0\\n svm_range_list_lock_and_flush_work+0x3d/0x110 [amdgpu]\\n svm_range_set_attr+0xd6/0x14c0 [amdgpu]\\n kfd_ioctl+0x1d1/0x630 [amdgpu]\\n __x64_sys_ioctl+0x88/0xc0\\n\\n-> #2 (&info->lock#2){+.+.}-{3:3}:\\n __mutex_lock+0x99/0xc70\\n amdgpu_amdkfd_gpuvm_restore_process_bos+0x54/0x740 [amdgpu]\\n restore_process_helper+0x22/0x80 [amdgpu]\\n restore_process_worker+0x2d/0xa0 [amdgpu]\\n process_one_work+0x29b/0x560\\n worker_thread+0x3d/0x3d0\\n\\n-> #1 ((work_completion)(&(&process->restore_work)->work)){+.+.}-{0:0}:\\n __flush_work+0x88/0x4f0\\n __cancel_work_timer+0x12c/0x1c0\\n kfd_process_notifier_release_internal+0x37/0x1f0 [amdgpu]\\n __mmu_notifier_release+0xad/0x240\\n exit_mmap+0x6a/0x3a0\\n mmput+0x6a/0x120\\n do_exit+0x322/0xb90\\n do_group_exit+0x37/0xa0\\n __x64_sys_exit_group+0x18/0x20\\n do_syscall_64+0x38/0x80\\n\\n-> #0 (srcu){.+.+}-{0:0}:\\n __lock_acquire+0x1521/0x2510\\n lock_sync+0x5f/0x90\\n __synchronize_srcu+0x4f/0x1a0\\n __mmu_notifier_release+0x128/0x240\\n exit_mmap+0x6a/0x3a0\\n mmput+0x6a/0x120\\n svm_range_deferred_list_work+0x19f/0x350 [amdgpu]\\n process_one_work+0x29b/0x560\\n worker_thread+0x3d/0x3d0\\n\\nother info that might help us debug this:\\nChain exists of:\\n srcu --> &info->lock#2 --> (work_completion)(&svms->deferred_list_work)\\n\\nPossible unsafe locking scenario:\\n\\n CPU0 CPU1\\n ---- ----\\n lock((work_completion)(&svms->deferred_list_work));\\n lock(&info->lock#2);\\n\\t\\t\\tlock((work_completion)(&svms->deferred_list_work));\\n sync(srcu);\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52632\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52634", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52634" + }, + { + "url": "https://git.kernel.org/stable/c/2ce156482a6fef349d2eba98e5070c412d3af662" + }, + { + "url": "https://git.kernel.org/stable/c/ce29728ef6485a367934cc100249c66dd3cde5b6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52634 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52634", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix disable_otg_wa logic\n\n[Why]\nWhen switching to another HDMI mode, we are unnecesarilly\ndisabling/enabling FIFO causing both HPO and DIG registers to be set at\nthe same time when only HPO is supposed to be set.\n\nThis can lead to a system hang the next time we change refresh rates as\nthere are cases when we don't disable OTG/FIFO but FIFO is enabled when\nit isn't supposed to be.\n\n[How]\nRemoving the enable/disable FIFO entirely.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52634\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52634\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52634\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52634\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52634\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ce156482a6fef349d2eba98e5070c412d3af662\",\n \"https://git.kernel.org/stable/c/ce29728ef6485a367934cc100249c66dd3cde5b6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix disable_otg_wa logic\\n\\n[Why]\\nWhen switching to another HDMI mode, we are unnecesarilly\\ndisabling/enabling FIFO causing both HPO and DIG registers to be set at\\nthe same time when only HPO is supposed to be set.\\n\\nThis can lead to a system hang the next time we change refresh rates as\\nthere are cases when we don't disable OTG/FIFO but FIFO is enabled when\\nit isn't supposed to be.\\n\\n[How]\\nRemoving the enable/disable FIFO entirely.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52634\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52639", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52639" + }, + { + "url": "https://git.kernel.org/stable/c/28bb27824f25f36e5f80229a358d66ee09244082" + }, + { + "url": "https://git.kernel.org/stable/c/5df3b81a567eb565029563f26f374ae3803a1dfc" + }, + { + "url": "https://git.kernel.org/stable/c/f5572c0323cf8b4f1f0618178648a25b8fb8a380" + }, + { + "url": "https://git.kernel.org/stable/c/fe752331d4b361d43cfd0b89534b4b2176057c32" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52639 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52639", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: vsie: fix race during shadow creation\n\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the\nfact that we add gmap->private == kvm after creation:\n\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n struct vsie_page *vsie_page)\n{\n[...]\n gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n if (IS_ERR(gmap))\n return PTR_ERR(gmap);\n gmap->private = vcpu->kvm;\n\nLet children inherit the private field of the parent.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52639\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52639\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52639\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52639\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52639\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/28bb27824f25f36e5f80229a358d66ee09244082\",\n \"https://git.kernel.org/stable/c/5df3b81a567eb565029563f26f374ae3803a1dfc\",\n \"https://git.kernel.org/stable/c/f5572c0323cf8b4f1f0618178648a25b8fb8a380\",\n \"https://git.kernel.org/stable/c/fe752331d4b361d43cfd0b89534b4b2176057c32\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: s390: vsie: fix race during shadow creation\\n\\nRight now it is possible to see gmap->private being zero in\\nkvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the\\nfact that we add gmap->private == kvm after creation:\\n\\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\\n struct vsie_page *vsie_page)\\n{\\n[...]\\n gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\\n if (IS_ERR(gmap))\\n return PTR_ERR(gmap);\\n gmap->private = vcpu->kvm;\\n\\nLet children inherit the private field of the parent.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52639\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52646", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52646" + }, + { + "url": "https://git.kernel.org/stable/c/178993157e8c50aef7f35d7d6d3b44bb428199e1" + }, + { + "url": "https://git.kernel.org/stable/c/4326d0080f7e84fba775da41d158f46cf9d3f1c2" + }, + { + "url": "https://git.kernel.org/stable/c/808f1e4b5723ae4eda724d2ad6f6638905eefd95" + }, + { + "url": "https://git.kernel.org/stable/c/81e9d6f8647650a7bead74c5f926e29970e834d1" + }, + { + "url": "https://git.kernel.org/stable/c/af126acf01a12bdb04986fd26fc2eb3b40249e0d" + }, + { + "url": "https://git.kernel.org/stable/c/c261f798f7baa8080cf0214081d43d5f86bb073f" + }, + { + "url": "https://git.kernel.org/stable/c/d8dca1bfe9adcae38b35add64977818c0c13dd22" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52646 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52646", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naio: fix mremap after fork null-deref\n\nCommit e4a0d3e720e7 (\"aio: Make it possible to remap aio ring\") introduced\na null-deref if mremap is called on an old aio mapping after fork as\nmm->ioctx_table will be set to NULL.\n\n[jmoyer@redhat.com: fix 80 column issue]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52646\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52646\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52646\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52646\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52646\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/178993157e8c50aef7f35d7d6d3b44bb428199e1\",\n \"https://git.kernel.org/stable/c/4326d0080f7e84fba775da41d158f46cf9d3f1c2\",\n \"https://git.kernel.org/stable/c/808f1e4b5723ae4eda724d2ad6f6638905eefd95\",\n \"https://git.kernel.org/stable/c/81e9d6f8647650a7bead74c5f926e29970e834d1\",\n \"https://git.kernel.org/stable/c/af126acf01a12bdb04986fd26fc2eb3b40249e0d\",\n \"https://git.kernel.org/stable/c/c261f798f7baa8080cf0214081d43d5f86bb073f\",\n \"https://git.kernel.org/stable/c/d8dca1bfe9adcae38b35add64977818c0c13dd22\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naio: fix mremap after fork null-deref\\n\\nCommit e4a0d3e720e7 (\\\"aio: Make it possible to remap aio ring\\\") introduced\\na null-deref if mremap is called on an old aio mapping after fork as\\nmm->ioctx_table will be set to NULL.\\n\\n[jmoyer@redhat.com: fix 80 column issue]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52646\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52648", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52648" + }, + { + "url": "https://git.kernel.org/stable/c/0a23f95af7f28dae7c0f7c82578ca5e1a239d461" + }, + { + "url": "https://git.kernel.org/stable/c/105f72cc48c4c93f4578fcc61e06276471858e92" + }, + { + "url": "https://git.kernel.org/stable/c/27571c64f1855881753e6f33c3186573afbab7ba" + }, + { + "url": "https://git.kernel.org/stable/c/75baad63c033b3b900d822bffbc96c9d3649bc75" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52648 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52648", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Unmap the surface before resetting it on a plane state\n\nSwitch to a new plane state requires unreferencing of all held surfaces.\nIn the work required for mob cursors the mapped surfaces started being\ncached but the variable indicating whether the surface is currently\nmapped was not being reset. This leads to crashes as the duplicated\nstate, incorrectly, indicates the that surface is mapped even when\nno surface is present. That's because after unreferencing the surface\nit's perfectly possible for the plane to be backed by a bo instead of a\nsurface.\n\nReset the surface mapped flag when unreferencing the plane state surface\nto fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland:\n\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920\nR10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000\nR13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00\nFS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\n drm_atomic_helper_cleanup_planes+0x9b/0xc0\n commit_tail+0xd1/0x130\n drm_atomic_helper_commit+0x11a/0x140\n drm_atomic_commit+0x97/0xd0\n ? __pfx___drm_printfn_info+0x10/0x10\n drm_atomic_helper_update_plane+0xf5/0x160\n drm_mode_cursor_universal+0x10e/0x270\n drm_mode_cursor_common+0x102/0x230\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n drm_ioctl_kernel+0xb2/0x110\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n ? __pfx_drm_ioctl+0x10/0x10\n vmw_generic_ioctl+0xa4/0x110 [vmwgfx]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x61/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? exc_page_fault+0x7f/0x180\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\nRIP: 0033:0x7f1e93f279ed\nCode: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f>\nRSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed\nRDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015\nRBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007\nR10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0\nR13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790\n \nModules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine>\nCR2: 0000000000000028\n---[ end trace 0000000000000000 ]---\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52648\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52648\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52648\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52648\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52648\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a23f95af7f28dae7c0f7c82578ca5e1a239d461\",\n \"https://git.kernel.org/stable/c/105f72cc48c4c93f4578fcc61e06276471858e92\",\n \"https://git.kernel.org/stable/c/27571c64f1855881753e6f33c3186573afbab7ba\",\n \"https://git.kernel.org/stable/c/75baad63c033b3b900d822bffbc96c9d3649bc75\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vmwgfx: Unmap the surface before resetting it on a plane state\\n\\nSwitch to a new plane state requires unreferencing of all held surfaces.\\nIn the work required for mob cursors the mapped surfaces started being\\ncached but the variable indicating whether the surface is currently\\nmapped was not being reset. This leads to crashes as the duplicated\\nstate, incorrectly, indicates the that surface is mapped even when\\nno surface is present. That's because after unreferencing the surface\\nit's perfectly possible for the plane to be backed by a bo instead of a\\nsurface.\\n\\nReset the surface mapped flag when unreferencing the plane state surface\\nto fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland:\\n\\nOops: 0000 [#1] PREEMPT SMP PTI\\nCPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2\\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\\nRBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920\\nR10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000\\nR13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00\\nFS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0\\nCall Trace:\\n \\n ? __die+0x23/0x70\\n ? page_fault_oops+0x171/0x4e0\\n ? exc_page_fault+0x7f/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\\n drm_atomic_helper_cleanup_planes+0x9b/0xc0\\n commit_tail+0xd1/0x130\\n drm_atomic_helper_commit+0x11a/0x140\\n drm_atomic_commit+0x97/0xd0\\n ? __pfx___drm_printfn_info+0x10/0x10\\n drm_atomic_helper_update_plane+0xf5/0x160\\n drm_mode_cursor_universal+0x10e/0x270\\n drm_mode_cursor_common+0x102/0x230\\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\\n drm_ioctl_kernel+0xb2/0x110\\n drm_ioctl+0x26d/0x4b0\\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\\n ? __pfx_drm_ioctl+0x10/0x10\\n vmw_generic_ioctl+0xa4/0x110 [vmwgfx]\\n __x64_sys_ioctl+0x94/0xd0\\n do_syscall_64+0x61/0xe0\\n ? __x64_sys_ioctl+0xaf/0xd0\\n ? syscall_exit_to_user_mode+0x2b/0x40\\n ? do_syscall_64+0x70/0xe0\\n ? __x64_sys_ioctl+0xaf/0xd0\\n ? syscall_exit_to_user_mode+0x2b/0x40\\n ? do_syscall_64+0x70/0xe0\\n ? exc_page_fault+0x7f/0x180\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\nRIP: 0033:0x7f1e93f279ed\\nCode: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f>\\nRSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\nRAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed\\nRDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015\\nRBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007\\nR10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0\\nR13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790\\n \\nModules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine>\\nCR2: 0000000000000028\\n---[ end trace 0000000000000000 ]---\\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\\nRBP: ffff969d4143\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52648\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52653", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52653" + }, + { + "url": "https://git.kernel.org/stable/c/47ac11db93e74ac49cd6c3fc69bcbc5964c4a8b4" + }, + { + "url": "https://git.kernel.org/stable/c/99044c01ed5329e73651c054d8a4baacdbb1a27c" + }, + { + "url": "https://git.kernel.org/stable/c/d111e30d9cd846bb368faf3637dc0f71fcbcf822" + }, + { + "url": "https://git.kernel.org/stable/c/e67b652d8e8591d3b1e569dbcdfcee15993e91fa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52653 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52653", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix a memleak in gss_import_v2_context\n\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\nwhich frees ctx on error.\n\nThus, this patch reform the last call of gss_import_v2_context to the\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\nformation.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52653\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52653\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52653\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52653\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52653\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/47ac11db93e74ac49cd6c3fc69bcbc5964c4a8b4\",\n \"https://git.kernel.org/stable/c/99044c01ed5329e73651c054d8a4baacdbb1a27c\",\n \"https://git.kernel.org/stable/c/d111e30d9cd846bb368faf3637dc0f71fcbcf822\",\n \"https://git.kernel.org/stable/c/e67b652d8e8591d3b1e569dbcdfcee15993e91fa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSUNRPC: fix a memleak in gss_import_v2_context\\n\\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\\nwhich frees ctx on error.\\n\\nThus, this patch reform the last call of gss_import_v2_context to the\\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\\nformation.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52653\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52655", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52655" + }, + { + "url": "https://git.kernel.org/stable/c/2ebf775f0541ae0d474836fa0cf3220e502f8e3e" + }, + { + "url": "https://git.kernel.org/stable/c/46412b2fb1f9cc895d6d4036bf24f640b5d86dab" + }, + { + "url": "https://git.kernel.org/stable/c/82c386d73689a45d5ee8c1290827bce64056dddd" + }, + { + "url": "https://git.kernel.org/stable/c/84f2e5b3e70f08fce3cb1ff73414631c5e490204" + }, + { + "url": "https://git.kernel.org/stable/c/ccab434e674ca95d483788b1895a70c21b7f016a" + }, + { + "url": "https://git.kernel.org/stable/c/d69581c17608d81824dd497d9a54b6a5b6139975" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52655 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52655", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: aqc111: check packet for fixup for true limit\n\nIf a device sends a packet that is inbetween 0\nand sizeof(u64) the value passed to skb_trim()\nas length will wrap around ending up as some very\nlarge value.\n\nThe driver will then proceed to parse the header\nlocated at that position, which will either oops or\nprocess some random value.\n\nThe fix is to check against sizeof(u64) rather than\n0, which the driver currently does. The issue exists\nsince the introduction of the driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52655\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52655\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52655\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52655\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52655\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ebf775f0541ae0d474836fa0cf3220e502f8e3e\",\n \"https://git.kernel.org/stable/c/46412b2fb1f9cc895d6d4036bf24f640b5d86dab\",\n \"https://git.kernel.org/stable/c/82c386d73689a45d5ee8c1290827bce64056dddd\",\n \"https://git.kernel.org/stable/c/84f2e5b3e70f08fce3cb1ff73414631c5e490204\",\n \"https://git.kernel.org/stable/c/ccab434e674ca95d483788b1895a70c21b7f016a\",\n \"https://git.kernel.org/stable/c/d69581c17608d81824dd497d9a54b6a5b6139975\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: aqc111: check packet for fixup for true limit\\n\\nIf a device sends a packet that is inbetween 0\\nand sizeof(u64) the value passed to skb_trim()\\nas length will wrap around ending up as some very\\nlarge value.\\n\\nThe driver will then proceed to parse the header\\nlocated at that position, which will either oops or\\nprocess some random value.\\n\\nThe fix is to check against sizeof(u64) rather than\\n0, which the driver currently does. The issue exists\\nsince the introduction of the driver.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52655\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52657", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52657" + }, + { + "url": "https://git.kernel.org/stable/c/2e443ed55fe3ffb08327b331a9f45e9382413c94" + }, + { + "url": "https://git.kernel.org/stable/c/955558030954b9637b41c97b730f9b38c92ac488" + }, + { + "url": "https://git.kernel.org/stable/c/baac292852c0e347626fb5436916947188e5838f" + }, + { + "url": "https://git.kernel.org/stable/c/c51468ac328d3922747be55507c117e47da813e6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52657 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52657", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd/pm: resolve reboot exception for si oland\"\n\nThis reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86.\n\nThis causes hangs on SI when DC is enabled and errors on driver\nreboot and power off cycles.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52657\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52657\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52657\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52657\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52657\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e443ed55fe3ffb08327b331a9f45e9382413c94\",\n \"https://git.kernel.org/stable/c/955558030954b9637b41c97b730f9b38c92ac488\",\n \"https://git.kernel.org/stable/c/baac292852c0e347626fb5436916947188e5838f\",\n \"https://git.kernel.org/stable/c/c51468ac328d3922747be55507c117e47da813e6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRevert \\\"drm/amd/pm: resolve reboot exception for si oland\\\"\\n\\nThis reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86.\\n\\nThis causes hangs on SI when DC is enabled and errors on driver\\nreboot and power off cycles.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52657\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52660", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52660" + }, + { + "url": "https://git.kernel.org/stable/c/abd34206f396d3ae50cddbd5aa840b8cd7f68c63" + }, + { + "url": "https://git.kernel.org/stable/c/b39b4d207d4f236a74e20d291f6356f2231fd9ee" + }, + { + "url": "https://git.kernel.org/stable/c/edcf92bc66d8361c51dff953a55210e5cfd95587" + }, + { + "url": "https://git.kernel.org/stable/c/ffb635bb398fc07cb38f8a7b4a82cbe5f412f08e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52660 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52660", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ handling due to shared interrupts\n\nThe driver requests the interrupts as IRQF_SHARED, so the interrupt\nhandlers can be called at any time. If such a call happens while the ISP\nis powered down, the SoC will hang as the driver tries to access the\nISP registers.\n\nThis can be reproduced even without the platform sharing the IRQ line:\nEnable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will\nhang.\n\nFix this by adding a new field, 'irqs_enabled', which is used to bail\nout from the interrupt handler when the ISP is not operational.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52660\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52660\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52660\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52660\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52660\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/abd34206f396d3ae50cddbd5aa840b8cd7f68c63\",\n \"https://git.kernel.org/stable/c/b39b4d207d4f236a74e20d291f6356f2231fd9ee\",\n \"https://git.kernel.org/stable/c/edcf92bc66d8361c51dff953a55210e5cfd95587\",\n \"https://git.kernel.org/stable/c/ffb635bb398fc07cb38f8a7b4a82cbe5f412f08e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: rkisp1: Fix IRQ handling due to shared interrupts\\n\\nThe driver requests the interrupts as IRQF_SHARED, so the interrupt\\nhandlers can be called at any time. If such a call happens while the ISP\\nis powered down, the SoC will hang as the driver tries to access the\\nISP registers.\\n\\nThis can be reproduced even without the platform sharing the IRQ line:\\nEnable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will\\nhang.\\n\\nFix this by adding a new field, 'irqs_enabled', which is used to bail\\nout from the interrupt handler when the ISP is not operational.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52660\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52664", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52664" + }, + { + "url": "https://git.kernel.org/stable/c/0edb3ae8bfa31cd544b0c195bdec00e036002b5d" + }, + { + "url": "https://git.kernel.org/stable/c/b3cb7a830a24527877b0bc900b9bd74a96aea928" + }, + { + "url": "https://git.kernel.org/stable/c/c11a870a73a3bc4cc7df6dd877a45b181795fcbf" + }, + { + "url": "https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49cce285107a7a43c3030878d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52664 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52664", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: eliminate double free in error handling logic\n\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\n\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\n\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52664\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52664\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52664\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52664\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52664\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0edb3ae8bfa31cd544b0c195bdec00e036002b5d\",\n \"https://git.kernel.org/stable/c/b3cb7a830a24527877b0bc900b9bd74a96aea928\",\n \"https://git.kernel.org/stable/c/c11a870a73a3bc4cc7df6dd877a45b181795fcbf\",\n \"https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49cce285107a7a43c3030878d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: atlantic: eliminate double free in error handling logic\\n\\nDriver has a logic leak in ring data allocation/free,\\nwhere aq_ring_free could be called multiple times on same ring,\\nif system is under stress and got memory allocation error.\\n\\nRing pointer was used as an indicator of failure, but this is\\nnot correct since only ring data is allocated/deallocated.\\nRing itself is an array member.\\n\\nChanging ring allocation functions to return error code directly.\\nThis simplifies error handling and eliminates aq_ring_free\\non higher layer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52664\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52666", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52666" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52666 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52666", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52666\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52666\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52666\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52666\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52666\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52666\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52667", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52667" + }, + { + "url": "https://git.kernel.org/stable/c/2897c981ee63e1be5e530b1042484626a10b26d8" + }, + { + "url": "https://git.kernel.org/stable/c/65a4ade8a6d205979292e88beeb6a626ddbd4779" + }, + { + "url": "https://git.kernel.org/stable/c/72a729868592752b5a294d27453da264106983b1" + }, + { + "url": "https://git.kernel.org/stable/c/aef855df7e1bbd5aa4484851561211500b22707e" + }, + { + "url": "https://git.kernel.org/stable/c/b2fa86b2aceb4bc9ada51cea90f61546d7512cbe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52667 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52667", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a potential double-free in fs_any_create_groups\n\nWhen kcalloc() for ft->g succeeds but kvzalloc() for in fails,\nfs_any_create_groups() will free ft->g. However, its caller\nfs_any_create_table() will free ft->g again through calling\nmlx5e_destroy_flow_table(), which will lead to a double-free.\nFix this by setting ft->g to NULL in fs_any_create_groups().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52667\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52667\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52667\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52667\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52667\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2897c981ee63e1be5e530b1042484626a10b26d8\",\n \"https://git.kernel.org/stable/c/65a4ade8a6d205979292e88beeb6a626ddbd4779\",\n \"https://git.kernel.org/stable/c/72a729868592752b5a294d27453da264106983b1\",\n \"https://git.kernel.org/stable/c/aef855df7e1bbd5aa4484851561211500b22707e\",\n \"https://git.kernel.org/stable/c/b2fa86b2aceb4bc9ada51cea90f61546d7512cbe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: fix a potential double-free in fs_any_create_groups\\n\\nWhen kcalloc() for ft->g succeeds but kvzalloc() for in fails,\\nfs_any_create_groups() will free ft->g. However, its caller\\nfs_any_create_table() will free ft->g again through calling\\nmlx5e_destroy_flow_table(), which will lead to a double-free.\\nFix this by setting ft->g to NULL in fs_any_create_groups().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52667\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52669", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52669" + }, + { + "url": "https://git.kernel.org/stable/c/a7f580cdb42ec3d53bbb7c4e4335a98423703285" + }, + { + "url": "https://git.kernel.org/stable/c/cd51e26a3b89706beec64f2d8296cfb1c34e0c79" + }, + { + "url": "https://git.kernel.org/stable/c/d07f951903fa9922c375b8ab1ce81b18a0034e3b" + }, + { + "url": "https://git.kernel.org/stable/c/d68ac38895e84446848b7647ab9458d54cacba3e" + }, + { + "url": "https://git.kernel.org/stable/c/dbc9a791a70ea47be9f2acf251700fe254a2ab23" + }, + { + "url": "https://git.kernel.org/stable/c/e78f1a43e72daf77705ad5b9946de66fc708b874" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52669 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52669", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: s390/aes - Fix buffer overread in CTR mode\n\nWhen processing the last block, the s390 ctr code will always read\na whole block, even if there isn't a whole block of data left. Fix\nthis by using the actual length left and copy it into a buffer first\nfor processing.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52669\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52669\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52669\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52669\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52669\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/a7f580cdb42ec3d53bbb7c4e4335a98423703285\",\n \"https://git.kernel.org/stable/c/cd51e26a3b89706beec64f2d8296cfb1c34e0c79\",\n \"https://git.kernel.org/stable/c/d07f951903fa9922c375b8ab1ce81b18a0034e3b\",\n \"https://git.kernel.org/stable/c/d68ac38895e84446848b7647ab9458d54cacba3e\",\n \"https://git.kernel.org/stable/c/dbc9a791a70ea47be9f2acf251700fe254a2ab23\",\n \"https://git.kernel.org/stable/c/e78f1a43e72daf77705ad5b9946de66fc708b874\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: s390/aes - Fix buffer overread in CTR mode\\n\\nWhen processing the last block, the s390 ctr code will always read\\na whole block, even if there isn't a whole block of data left. Fix\\nthis by using the actual length left and copy it into a buffer first\\nfor processing.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52669\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52670", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52670" + }, + { + "url": "https://git.kernel.org/stable/c/229ce47cbfdc7d3a9415eb676abbfb77d676cb08" + }, + { + "url": "https://git.kernel.org/stable/c/2d27a7b19cb354c6d04bcdc9239e261ff29858d6" + }, + { + "url": "https://git.kernel.org/stable/c/4e6cef3fae5c164968118a13f3fe293700adc81a" + }, + { + "url": "https://git.kernel.org/stable/c/69ca89d80f2c8a1f5af429b955637beea7eead30" + }, + { + "url": "https://git.kernel.org/stable/c/9a416d624e5fb7246ea97c11fbfea7e0e27abf43" + }, + { + "url": "https://git.kernel.org/stable/c/d5362c37e1f8a40096452fc201c30e705750e687" + }, + { + "url": "https://git.kernel.org/stable/c/dd50fe18c234bd5ff22f658f4d414e8fa8cd6a5d" + }, + { + "url": "https://git.kernel.org/stable/c/f4bb1d5daf77b1a95a43277268adf0d1430c2346" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52670 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52670", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: virtio: Free driver_override when rpmsg_remove()\n\nFree driver_override when rpmsg_remove(), otherwise\nthe following memory leak will occur:\n\nunreferenced object 0xffff0000d55d7080 (size 128):\n comm \"kworker/u8:2\", pid 56, jiffies 4294893188 (age 214.272s)\n hex dump (first 32 bytes):\n 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\n [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\n [<00000000228a60c3>] kstrndup+0x4c/0x90\n [<0000000077158695>] driver_set_override+0xd0/0x164\n [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\n [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\n [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\n [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\n [<00000000443331cc>] really_probe+0xbc/0x2dc\n [<00000000391064b1>] __driver_probe_device+0x78/0xe0\n [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\n [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\n [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\n [<000000003b929a36>] __device_attach+0x9c/0x19c\n [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\n [<000000003c999637>] bus_probe_device+0xa0/0xac", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52670\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52670\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52670\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52670\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52670\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/229ce47cbfdc7d3a9415eb676abbfb77d676cb08\",\n \"https://git.kernel.org/stable/c/2d27a7b19cb354c6d04bcdc9239e261ff29858d6\",\n \"https://git.kernel.org/stable/c/4e6cef3fae5c164968118a13f3fe293700adc81a\",\n \"https://git.kernel.org/stable/c/69ca89d80f2c8a1f5af429b955637beea7eead30\",\n \"https://git.kernel.org/stable/c/9a416d624e5fb7246ea97c11fbfea7e0e27abf43\",\n \"https://git.kernel.org/stable/c/d5362c37e1f8a40096452fc201c30e705750e687\",\n \"https://git.kernel.org/stable/c/dd50fe18c234bd5ff22f658f4d414e8fa8cd6a5d\",\n \"https://git.kernel.org/stable/c/f4bb1d5daf77b1a95a43277268adf0d1430c2346\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrpmsg: virtio: Free driver_override when rpmsg_remove()\\n\\nFree driver_override when rpmsg_remove(), otherwise\\nthe following memory leak will occur:\\n\\nunreferenced object 0xffff0000d55d7080 (size 128):\\n comm \\\"kworker/u8:2\\\", pid 56, jiffies 4294893188 (age 214.272s)\\n hex dump (first 32 bytes):\\n 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n backtrace:\\n [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\\n [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\\n [<00000000228a60c3>] kstrndup+0x4c/0x90\\n [<0000000077158695>] driver_set_override+0xd0/0x164\\n [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\\n [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\\n [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\\n [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\\n [<00000000443331cc>] really_probe+0xbc/0x2dc\\n [<00000000391064b1>] __driver_probe_device+0x78/0xe0\\n [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\\n [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\\n [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\\n [<000000003b929a36>] __device_attach+0x9c/0x19c\\n [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\\n [<000000003c999637>] bus_probe_device+0xa0/0xac\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.6,\n \"exploitabilityScore\": 0.7,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52670\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52671", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52671" + }, + { + "url": "https://git.kernel.org/stable/c/4b6b479b2da6badff099b2e3abf0248936eefbf5" + }, + { + "url": "https://git.kernel.org/stable/c/ae62f1dde66a6f0eee98defc4c7a346bd5acd239" + }, + { + "url": "https://git.kernel.org/stable/c/e7b2b108cdeab76a7e7324459e50b0c1214c0386" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52671 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52671", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix hang/underflow when transitioning to ODM4:1\n\n[Why]\nUnder some circumstances, disabling an OPTC and attempting to reclaim\nits OPP(s) for a different OPTC could cause a hang/underflow due to OPPs\nnot being properly disconnected from the disabled OPTC.\n\n[How]\nEnsure that all OPPs are unassigned from an OPTC when it gets disabled.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52671\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52671\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52671\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52671\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52671\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b6b479b2da6badff099b2e3abf0248936eefbf5\",\n \"https://git.kernel.org/stable/c/ae62f1dde66a6f0eee98defc4c7a346bd5acd239\",\n \"https://git.kernel.org/stable/c/e7b2b108cdeab76a7e7324459e50b0c1214c0386\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix hang/underflow when transitioning to ODM4:1\\n\\n[Why]\\nUnder some circumstances, disabling an OPTC and attempting to reclaim\\nits OPP(s) for a different OPTC could cause a hang/underflow due to OPPs\\nnot being properly disconnected from the disabled OPTC.\\n\\n[How]\\nEnsure that all OPPs are unassigned from an OPTC when it gets disabled.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52671\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52672", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52672" + }, + { + "url": "https://git.kernel.org/stable/c/162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8" + }, + { + "url": "https://git.kernel.org/stable/c/3efbd114b91525bb095b8ae046382197d92126b9" + }, + { + "url": "https://git.kernel.org/stable/c/68e51bdb1194f11d3452525b99c98aff6f837b24" + }, + { + "url": "https://git.kernel.org/stable/c/6fb70694f8d1ac34e45246b0ac988f025e1e5b55" + }, + { + "url": "https://git.kernel.org/stable/c/b87a1229d8668fbc78ebd9ca0fc797a76001c60f" + }, + { + "url": "https://git.kernel.org/stable/c/e95aada4cb93d42e25c30a0ef9eb2923d9711d4a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52672 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52672", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npipe: wakeup wr_wait after setting max_usage\n\nCommit c73be61cede5 (\"pipe: Add general notification queue support\") a\nregression was introduced that would lock up resized pipes under certain\nconditions. See the reproducer in [1].\n\nThe commit resizing the pipe ring size was moved to a different\nfunction, doing that moved the wakeup for pipe->wr_wait before actually\nraising pipe->max_usage. If a pipe was full before the resize occured it\nwould result in the wakeup never actually triggering pipe_write.\n\nSet @max_usage and @nr_accounted before waking writers if this isn't a\nwatch queue.\n\n[Christian Brauner : rewrite to account for watch queues]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52672\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52672\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52672\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52672\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52672\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8\",\n \"https://git.kernel.org/stable/c/3efbd114b91525bb095b8ae046382197d92126b9\",\n \"https://git.kernel.org/stable/c/68e51bdb1194f11d3452525b99c98aff6f837b24\",\n \"https://git.kernel.org/stable/c/6fb70694f8d1ac34e45246b0ac988f025e1e5b55\",\n \"https://git.kernel.org/stable/c/b87a1229d8668fbc78ebd9ca0fc797a76001c60f\",\n \"https://git.kernel.org/stable/c/e95aada4cb93d42e25c30a0ef9eb2923d9711d4a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npipe: wakeup wr_wait after setting max_usage\\n\\nCommit c73be61cede5 (\\\"pipe: Add general notification queue support\\\") a\\nregression was introduced that would lock up resized pipes under certain\\nconditions. See the reproducer in [1].\\n\\nThe commit resizing the pipe ring size was moved to a different\\nfunction, doing that moved the wakeup for pipe->wr_wait before actually\\nraising pipe->max_usage. If a pipe was full before the resize occured it\\nwould result in the wakeup never actually triggering pipe_write.\\n\\nSet @max_usage and @nr_accounted before waking writers if this isn't a\\nwatch queue.\\n\\n[Christian Brauner : rewrite to account for watch queues]\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52672\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52673", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52673" + }, + { + "url": "https://git.kernel.org/stable/c/43235db21fc23559f50a62f8f273002eeb506f5a" + }, + { + "url": "https://git.kernel.org/stable/c/efb91fea652a42fcc037d2a9ef4ecd1ffc5ff4b7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52673 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52673", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a debugfs null pointer error\n\n[WHY & HOW]\nCheck whether get_subvp_en() callback exists before calling it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52673\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52673\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52673\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52673\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52673\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/43235db21fc23559f50a62f8f273002eeb506f5a\",\n \"https://git.kernel.org/stable/c/efb91fea652a42fcc037d2a9ef4ecd1ffc5ff4b7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix a debugfs null pointer error\\n\\n[WHY & HOW]\\nCheck whether get_subvp_en() callback exists before calling it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52673\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52674", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52674" + }, + { + "url": "https://git.kernel.org/stable/c/03035872e17897ba89866940bbc9cefca601e572" + }, + { + "url": "https://git.kernel.org/stable/c/04f8f053252b86c7583895c962d66747ecdc61b7" + }, + { + "url": "https://git.kernel.org/stable/c/ad945ea8d47dd4454c271510bea24850119847c2" + }, + { + "url": "https://git.kernel.org/stable/c/d8d8897d65061cbe36bf2909057338303a904810" + }, + { + "url": "https://git.kernel.org/stable/c/e517645ead5ea22c69d2a44694baa23fe1ce7c2b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52674 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52674", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()\n\nEnsure the value passed to scarlett2_mixer_ctl_put() is between 0 and\nSCARLETT2_MIXER_MAX_VALUE so we don't attempt to access outside\nscarlett2_mixer_values[].", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52674\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52674\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52674\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52674\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52674\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03035872e17897ba89866940bbc9cefca601e572\",\n \"https://git.kernel.org/stable/c/04f8f053252b86c7583895c962d66747ecdc61b7\",\n \"https://git.kernel.org/stable/c/ad945ea8d47dd4454c271510bea24850119847c2\",\n \"https://git.kernel.org/stable/c/d8d8897d65061cbe36bf2909057338303a904810\",\n \"https://git.kernel.org/stable/c/e517645ead5ea22c69d2a44694baa23fe1ce7c2b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()\\n\\nEnsure the value passed to scarlett2_mixer_ctl_put() is between 0 and\\nSCARLETT2_MIXER_MAX_VALUE so we don't attempt to access outside\\nscarlett2_mixer_values[].\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52674\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52675", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52675" + }, + { + "url": "https://git.kernel.org/stable/c/024352f7928b28f53609660663329d8c0f4ad032" + }, + { + "url": "https://git.kernel.org/stable/c/0a233867a39078ebb0f575e2948593bbff5826b3" + }, + { + "url": "https://git.kernel.org/stable/c/1e80aa25d186a7aa212df5acd8c75f55ac8dae34" + }, + { + "url": "https://git.kernel.org/stable/c/5a669f3511d273c8c1ab1c1d268fbcdf53fc7a05" + }, + { + "url": "https://git.kernel.org/stable/c/75fc599bcdcb1de093c9ced2e3cccc832f3787f3" + }, + { + "url": "https://git.kernel.org/stable/c/a2da3f9b1a1019c887ee1d164475a8fcdb0a3fec" + }, + { + "url": "https://git.kernel.org/stable/c/c7d828e12b326ea50fb80c369d7aa87519ed14c6" + }, + { + "url": "https://git.kernel.org/stable/c/f105c263009839d80fad6998324a4e1b3511cba0" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52675 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52675", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52675\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52675\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52675\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52675\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52675\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/024352f7928b28f53609660663329d8c0f4ad032\",\n \"https://git.kernel.org/stable/c/0a233867a39078ebb0f575e2948593bbff5826b3\",\n \"https://git.kernel.org/stable/c/1e80aa25d186a7aa212df5acd8c75f55ac8dae34\",\n \"https://git.kernel.org/stable/c/5a669f3511d273c8c1ab1c1d268fbcdf53fc7a05\",\n \"https://git.kernel.org/stable/c/75fc599bcdcb1de093c9ced2e3cccc832f3787f3\",\n \"https://git.kernel.org/stable/c/a2da3f9b1a1019c887ee1d164475a8fcdb0a3fec\",\n \"https://git.kernel.org/stable/c/c7d828e12b326ea50fb80c369d7aa87519ed14c6\",\n \"https://git.kernel.org/stable/c/f105c263009839d80fad6998324a4e1b3511cba0\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\\n\\nkasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52675\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52676", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52676" + }, + { + "url": "https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760" + }, + { + "url": "https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2" + }, + { + "url": "https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52676 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52676", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Guard stack limits against 32bit overflow\n\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\n\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52676\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52676\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52676\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52676\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52676\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760\",\n \"https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2\",\n \"https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Guard stack limits against 32bit overflow\\n\\nThis patch promotes the arithmetic around checking stack bounds to be\\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\\nimplies adding together a 64-bit register with a int offset. The\\nregister was checked to be below 1<<29 when it was variable, but not\\nwhen it was fixed. The offset either comes from an instruction (in which\\ncase it is 16 bit), from another register (in which case the caller\\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\\nkfunc (in which case it can be a u32 [2]). Between the register being\\ninconsistently checked to be below 1<<29, and the offset being up to an\\nu32, it appears that we were open to overflowing the `int`s which were\\ncurrently used for arithmetic.\\n\\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52676\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52677", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52677" + }, + { + "url": "https://git.kernel.org/stable/c/1d7a03052846f34d624d0ab41a879adf5e85c85f" + }, + { + "url": "https://git.kernel.org/stable/c/420370f3ae3d3b883813fd3051a38805160b2b9f" + }, + { + "url": "https://git.kernel.org/stable/c/890cfe5337e0aaf03ece1429db04d23c88da72e7" + }, + { + "url": "https://git.kernel.org/stable/c/8db56df4a954b774bdc68917046a685a9fa2e4bc" + }, + { + "url": "https://git.kernel.org/stable/c/938f70d14618ec72e10d6fcf8a546134136d7c13" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52677 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52677", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Check if the code to patch lies in the exit section\n\nOtherwise we fall through to vmalloc_to_page() which panics since the\naddress does not lie in the vmalloc region.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52677\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52677\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52677\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52677\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52677\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d7a03052846f34d624d0ab41a879adf5e85c85f\",\n \"https://git.kernel.org/stable/c/420370f3ae3d3b883813fd3051a38805160b2b9f\",\n \"https://git.kernel.org/stable/c/890cfe5337e0aaf03ece1429db04d23c88da72e7\",\n \"https://git.kernel.org/stable/c/8db56df4a954b774bdc68917046a685a9fa2e4bc\",\n \"https://git.kernel.org/stable/c/938f70d14618ec72e10d6fcf8a546134136d7c13\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: Check if the code to patch lies in the exit section\\n\\nOtherwise we fall through to vmalloc_to_page() which panics since the\\naddress does not lie in the vmalloc region.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52677\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52679", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52679" + }, + { + "url": "https://git.kernel.org/stable/c/26b4d702c44f9e5cf3c5c001ae619a4a001889db" + }, + { + "url": "https://git.kernel.org/stable/c/4541004084527ce9e95a818ebbc4e6b293ffca21" + }, + { + "url": "https://git.kernel.org/stable/c/4dde83569832f9377362e50f7748463340c5db6b" + }, + { + "url": "https://git.kernel.org/stable/c/a0a061151a6200c13149dbcdb6c065203c8425d2" + }, + { + "url": "https://git.kernel.org/stable/c/b64d09a4e8596f76d27f4b4a90a1cf6baf6a82f8" + }, + { + "url": "https://git.kernel.org/stable/c/b9d760dae5b10e73369b769073525acd7b3be2bd" + }, + { + "url": "https://git.kernel.org/stable/c/cafa992134124e785609a406da4ff2b54052aff7" + }, + { + "url": "https://git.kernel.org/stable/c/d5f490343c77e6708b6c4aa7dbbfbcbb9546adea" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52679 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52679", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: Fix double free in of_parse_phandle_with_args_map\n\nIn of_parse_phandle_with_args_map() the inner loop that\niterates through the map entries calls of_node_put(new)\nto free the reference acquired by the previous iteration\nof the inner loop. This assumes that the value of \"new\" is\nNULL on the first iteration of the inner loop.\n\nMake sure that this is true in all iterations of the outer\nloop by setting \"new\" to NULL after its value is assigned to \"cur\".\n\nExtend the unittest to detect the double free and add an additional\ntest case that actually triggers this path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52679\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52679\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52679\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52679\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52679\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/26b4d702c44f9e5cf3c5c001ae619a4a001889db\",\n \"https://git.kernel.org/stable/c/4541004084527ce9e95a818ebbc4e6b293ffca21\",\n \"https://git.kernel.org/stable/c/4dde83569832f9377362e50f7748463340c5db6b\",\n \"https://git.kernel.org/stable/c/a0a061151a6200c13149dbcdb6c065203c8425d2\",\n \"https://git.kernel.org/stable/c/b64d09a4e8596f76d27f4b4a90a1cf6baf6a82f8\",\n \"https://git.kernel.org/stable/c/b9d760dae5b10e73369b769073525acd7b3be2bd\",\n \"https://git.kernel.org/stable/c/cafa992134124e785609a406da4ff2b54052aff7\",\n \"https://git.kernel.org/stable/c/d5f490343c77e6708b6c4aa7dbbfbcbb9546adea\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nof: Fix double free in of_parse_phandle_with_args_map\\n\\nIn of_parse_phandle_with_args_map() the inner loop that\\niterates through the map entries calls of_node_put(new)\\nto free the reference acquired by the previous iteration\\nof the inner loop. This assumes that the value of \\\"new\\\" is\\nNULL on the first iteration of the inner loop.\\n\\nMake sure that this is true in all iterations of the outer\\nloop by setting \\\"new\\\" to NULL after its value is assigned to \\\"cur\\\".\\n\\nExtend the unittest to detect the double free and add an additional\\ntest case that actually triggers this path.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52679\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52680", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52680" + }, + { + "url": "https://git.kernel.org/stable/c/3a09488f4f67f7ade59b8ac62a6c7fb29439cf51" + }, + { + "url": "https://git.kernel.org/stable/c/50603a67daef161c78c814580d57f7f0be57167e" + }, + { + "url": "https://git.kernel.org/stable/c/773e38f73461ef2134a0d33a08f1668edde9b7c3" + }, + { + "url": "https://git.kernel.org/stable/c/821fbaeaaae23d483d3df799fe91ec8045973ec3" + }, + { + "url": "https://git.kernel.org/stable/c/cda7762bea857e6951315a2f7d0632ea1850ed43" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52680 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52680", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error checks to *_ctl_get()\n\nThe *_ctl_get() functions which call scarlett2_update_*() were not\nchecking the return value. Fix to check the return value and pass to\nthe caller.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52680\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52680\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52680\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52680\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52680\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3a09488f4f67f7ade59b8ac62a6c7fb29439cf51\",\n \"https://git.kernel.org/stable/c/50603a67daef161c78c814580d57f7f0be57167e\",\n \"https://git.kernel.org/stable/c/773e38f73461ef2134a0d33a08f1668edde9b7c3\",\n \"https://git.kernel.org/stable/c/821fbaeaaae23d483d3df799fe91ec8045973ec3\",\n \"https://git.kernel.org/stable/c/cda7762bea857e6951315a2f7d0632ea1850ed43\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: scarlett2: Add missing error checks to *_ctl_get()\\n\\nThe *_ctl_get() functions which call scarlett2_update_*() were not\\nchecking the return value. Fix to check the return value and pass to\\nthe caller.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52680\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52682", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52682" + }, + { + "url": "https://git.kernel.org/stable/c/4535be48780431753505e74e1b1ad4836a189bc2" + }, + { + "url": "https://git.kernel.org/stable/c/55fdc1c24a1d6229fe0ecf31335fb9a2eceaaa00" + }, + { + "url": "https://git.kernel.org/stable/c/9bfd5ea71521d0e522ba581c6ccc5db93759c0c3" + }, + { + "url": "https://git.kernel.org/stable/c/f904c156d8011d8291ffd5b6b398f3747e294986" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52682 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52682", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to wait on block writeback for post_read case\n\nIf inode is compressed, but not encrypted, it missed to call\nf2fs_wait_on_block_writeback() to wait for GCed page writeback\nin IPU write path.\n\nThread A\t\t\t\tGC-Thread\n\t\t\t\t\t- f2fs_gc\n\t\t\t\t\t - do_garbage_collect\n\t\t\t\t\t - gc_data_segment\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t - f2fs_submit_page_write\n\t\t\t\t\t migrate normal cluster's block via\n\t\t\t\t\t meta_inode's page cache\n- f2fs_write_single_data_page\n - f2fs_do_write_data_page\n - f2fs_inplace_write_data\n - f2fs_submit_page_bio\n\nIRQ\n- f2fs_read_end_io\n\t\t\t\t\tIRQ\n\t\t\t\t\told data overrides new data due to\n\t\t\t\t\tout-of-order GC and common IO.\n\t\t\t\t\t- f2fs_read_end_io", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52682\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52682\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52682\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52682\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52682\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4535be48780431753505e74e1b1ad4836a189bc2\",\n \"https://git.kernel.org/stable/c/55fdc1c24a1d6229fe0ecf31335fb9a2eceaaa00\",\n \"https://git.kernel.org/stable/c/9bfd5ea71521d0e522ba581c6ccc5db93759c0c3\",\n \"https://git.kernel.org/stable/c/f904c156d8011d8291ffd5b6b398f3747e294986\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to wait on block writeback for post_read case\\n\\nIf inode is compressed, but not encrypted, it missed to call\\nf2fs_wait_on_block_writeback() to wait for GCed page writeback\\nin IPU write path.\\n\\nThread A\\t\\t\\t\\tGC-Thread\\n\\t\\t\\t\\t\\t- f2fs_gc\\n\\t\\t\\t\\t\\t - do_garbage_collect\\n\\t\\t\\t\\t\\t - gc_data_segment\\n\\t\\t\\t\\t\\t - move_data_block\\n\\t\\t\\t\\t\\t - f2fs_submit_page_write\\n\\t\\t\\t\\t\\t migrate normal cluster's block via\\n\\t\\t\\t\\t\\t meta_inode's page cache\\n- f2fs_write_single_data_page\\n - f2fs_do_write_data_page\\n - f2fs_inplace_write_data\\n - f2fs_submit_page_bio\\n\\nIRQ\\n- f2fs_read_end_io\\n\\t\\t\\t\\t\\tIRQ\\n\\t\\t\\t\\t\\told data overrides new data due to\\n\\t\\t\\t\\t\\tout-of-order GC and common IO.\\n\\t\\t\\t\\t\\t- f2fs_read_end_io\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52682\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52683", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52683" + }, + { + "url": "https://git.kernel.org/stable/c/56d2eeda87995245300836ee4dbd13b002311782" + }, + { + "url": "https://git.kernel.org/stable/c/647d1d50c31e60ef9ccb9756a8fdf863329f7aee" + }, + { + "url": "https://git.kernel.org/stable/c/6c38e791bde07d6ca2a0a619ff9b6837e0d5f9ad" + }, + { + "url": "https://git.kernel.org/stable/c/72222dfd76a79d9666ab3117fcdd44ca8cd0c4de" + }, + { + "url": "https://git.kernel.org/stable/c/b7aab9d906e2e252a7783f872406033ec49b6dae" + }, + { + "url": "https://git.kernel.org/stable/c/c1814a4ffd016ce5392c6767d22ef3aa2f0d4bd1" + }, + { + "url": "https://git.kernel.org/stable/c/d1ac288b2742aa4af746c5613bac71760fadd1c4" + }, + { + "url": "https://git.kernel.org/stable/c/f39c3d578c7d09a18ceaf56750fc7f20b02ada63" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52683 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52683", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: LPIT: Avoid u32 multiplication overflow\n\nIn lpit_update_residency() there is a possibility of overflow\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\n\nChange multiplication to mul_u32_u32().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52683\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52683\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52683\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52683\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52683\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/56d2eeda87995245300836ee4dbd13b002311782\",\n \"https://git.kernel.org/stable/c/647d1d50c31e60ef9ccb9756a8fdf863329f7aee\",\n \"https://git.kernel.org/stable/c/6c38e791bde07d6ca2a0a619ff9b6837e0d5f9ad\",\n \"https://git.kernel.org/stable/c/72222dfd76a79d9666ab3117fcdd44ca8cd0c4de\",\n \"https://git.kernel.org/stable/c/b7aab9d906e2e252a7783f872406033ec49b6dae\",\n \"https://git.kernel.org/stable/c/c1814a4ffd016ce5392c6767d22ef3aa2f0d4bd1\",\n \"https://git.kernel.org/stable/c/d1ac288b2742aa4af746c5613bac71760fadd1c4\",\n \"https://git.kernel.org/stable/c/f39c3d578c7d09a18ceaf56750fc7f20b02ada63\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nACPI: LPIT: Avoid u32 multiplication overflow\\n\\nIn lpit_update_residency() there is a possibility of overflow\\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\\n\\nChange multiplication to mul_u32_u32().\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52683\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52685", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52685" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52685 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52685", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52685\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52685\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52685\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52685\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52685\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52685\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52686", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52686" + }, + { + "url": "https://git.kernel.org/stable/c/8422d179cf46889c15ceff9ede48c5bfa4e7f0b4" + }, + { + "url": "https://git.kernel.org/stable/c/8649829a1dd25199bbf557b2621cedb4bf9b3050" + }, + { + "url": "https://git.kernel.org/stable/c/9a523e1da6d88c2034f946adfa4f74b236c95ca9" + }, + { + "url": "https://git.kernel.org/stable/c/a14c55eb461d630b836f80591d8caf1f74e62877" + }, + { + "url": "https://git.kernel.org/stable/c/c0b111ea786ddcc8be0682612830796ece9436c7" + }, + { + "url": "https://git.kernel.org/stable/c/e08c2e275fa1874de945b87093f925997722ee42" + }, + { + "url": "https://git.kernel.org/stable/c/e6ad05e3ae9c84c5a71d7bb2d44dc845ae7990cf" + }, + { + "url": "https://git.kernel.org/stable/c/e93d7cf4c1ddbcd846739e7ad849f955a4f18031" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52686 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52686", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_event_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52686\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52686\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52686\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52686\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52686\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8422d179cf46889c15ceff9ede48c5bfa4e7f0b4\",\n \"https://git.kernel.org/stable/c/8649829a1dd25199bbf557b2621cedb4bf9b3050\",\n \"https://git.kernel.org/stable/c/9a523e1da6d88c2034f946adfa4f74b236c95ca9\",\n \"https://git.kernel.org/stable/c/a14c55eb461d630b836f80591d8caf1f74e62877\",\n \"https://git.kernel.org/stable/c/c0b111ea786ddcc8be0682612830796ece9436c7\",\n \"https://git.kernel.org/stable/c/e08c2e275fa1874de945b87093f925997722ee42\",\n \"https://git.kernel.org/stable/c/e6ad05e3ae9c84c5a71d7bb2d44dc845ae7990cf\",\n \"https://git.kernel.org/stable/c/e93d7cf4c1ddbcd846739e7ad849f955a4f18031\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/powernv: Add a null pointer check in opal_event_init()\\n\\nkasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52686\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52690", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52690" + }, + { + "url": "https://git.kernel.org/stable/c/1eefa93faf69188540b08b024794fa90b1d82e8b" + }, + { + "url": "https://git.kernel.org/stable/c/2a82c4439b903639e0a1f21990cd399fb0a49c19" + }, + { + "url": "https://git.kernel.org/stable/c/9a260f2dd827bbc82cc60eb4f4d8c22707d80742" + }, + { + "url": "https://git.kernel.org/stable/c/a9c05cbb6644a2103c75b6906e9dafb9981ebd13" + }, + { + "url": "https://git.kernel.org/stable/c/dd8422ff271c22058560832fc3006324ded895a9" + }, + { + "url": "https://git.kernel.org/stable/c/ed8d023cfa97b559db58c0e1afdd2eec7a83d8f2" + }, + { + "url": "https://git.kernel.org/stable/c/f84c1446daa552e9699da8d1f8375eac0f65edc7" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52690 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52690", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.\nAdd a null pointer check, and release 'ent' to avoid memory leaks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52690\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52690\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52690\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52690\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52690\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1eefa93faf69188540b08b024794fa90b1d82e8b\",\n \"https://git.kernel.org/stable/c/2a82c4439b903639e0a1f21990cd399fb0a49c19\",\n \"https://git.kernel.org/stable/c/9a260f2dd827bbc82cc60eb4f4d8c22707d80742\",\n \"https://git.kernel.org/stable/c/a9c05cbb6644a2103c75b6906e9dafb9981ebd13\",\n \"https://git.kernel.org/stable/c/dd8422ff271c22058560832fc3006324ded895a9\",\n \"https://git.kernel.org/stable/c/ed8d023cfa97b559db58c0e1afdd2eec7a83d8f2\",\n \"https://git.kernel.org/stable/c/f84c1446daa552e9699da8d1f8375eac0f65edc7\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\\n\\nkasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure.\\nAdd a null pointer check, and release 'ent' to avoid memory leaks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52690\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52691", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52691" + }, + { + "url": "https://git.kernel.org/stable/c/06d95c99d5a4f5accdb79464076efe62e668c706" + }, + { + "url": "https://git.kernel.org/stable/c/2bf47c89bbaca2bae16581ef1b28aaec0ade0334" + }, + { + "url": "https://git.kernel.org/stable/c/ac16667237a82e2597e329eb9bc520d1cf9dff30" + }, + { + "url": "https://git.kernel.org/stable/c/aeed2b4e4a70c7568d4a5eecd6a109713c0dfbf4" + }, + { + "url": "https://git.kernel.org/stable/c/afe9f5b871f86d58ecdc45b217b662227d7890d0" + }, + { + "url": "https://git.kernel.org/stable/c/ca8e2e251c65e5a712f6025e27bd9b26d16e6f4a" + }, + { + "url": "https://git.kernel.org/stable/c/f957a1be647f7fc65926cbf572992ec2747a93f2" + }, + { + "url": "https://git.kernel.org/stable/c/fb1936cb587262cd539e84b34541abb06e42b2f9" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52691 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52691", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix a double-free in si_dpm_init\n\nWhen the allocation of\nadev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,\namdgpu_free_extended_power_table is called to free some fields of adev.\nHowever, when the control flow returns to si_dpm_sw_init, it goes to\nlabel dpm_failed and calls si_dpm_fini, which calls\namdgpu_free_extended_power_table again and free those fields again. Thus\na double-free is triggered.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52691\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52691\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52691\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52691\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52691\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06d95c99d5a4f5accdb79464076efe62e668c706\",\n \"https://git.kernel.org/stable/c/2bf47c89bbaca2bae16581ef1b28aaec0ade0334\",\n \"https://git.kernel.org/stable/c/ac16667237a82e2597e329eb9bc520d1cf9dff30\",\n \"https://git.kernel.org/stable/c/aeed2b4e4a70c7568d4a5eecd6a109713c0dfbf4\",\n \"https://git.kernel.org/stable/c/afe9f5b871f86d58ecdc45b217b662227d7890d0\",\n \"https://git.kernel.org/stable/c/ca8e2e251c65e5a712f6025e27bd9b26d16e6f4a\",\n \"https://git.kernel.org/stable/c/f957a1be647f7fc65926cbf572992ec2747a93f2\",\n \"https://git.kernel.org/stable/c/fb1936cb587262cd539e84b34541abb06e42b2f9\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/pm: fix a double-free in si_dpm_init\\n\\nWhen the allocation of\\nadev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,\\namdgpu_free_extended_power_table is called to free some fields of adev.\\nHowever, when the control flow returns to si_dpm_sw_init, it goes to\\nlabel dpm_failed and calls si_dpm_fini, which calls\\namdgpu_free_extended_power_table again and free those fields again. Thus\\na double-free is triggered.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52691\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52692", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52692" + }, + { + "url": "https://git.kernel.org/stable/c/145c5aa51486171025ab47f35cff34bff8d0cea3" + }, + { + "url": "https://git.kernel.org/stable/c/51d5697e1c0380d482c3eab002bfc8d0be177e99" + }, + { + "url": "https://git.kernel.org/stable/c/996fde492ad9b9563ee483b363af40d7696a8467" + }, + { + "url": "https://git.kernel.org/stable/c/be96acd3eaa790d10a5b33e65267f52d02f6ad88" + }, + { + "url": "https://git.kernel.org/stable/c/ca459dfa7d4ed9098fcf13e410963be6ae9b6bf3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52692 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52692", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()\n\nscarlett2_usb_set_config() calls scarlett2_usb_get() but was not\nchecking the result. Return the error if it fails rather than\ncontinuing with an invalid value.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52692\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52692\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52692\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52692\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52692\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/145c5aa51486171025ab47f35cff34bff8d0cea3\",\n \"https://git.kernel.org/stable/c/51d5697e1c0380d482c3eab002bfc8d0be177e99\",\n \"https://git.kernel.org/stable/c/996fde492ad9b9563ee483b363af40d7696a8467\",\n \"https://git.kernel.org/stable/c/be96acd3eaa790d10a5b33e65267f52d02f6ad88\",\n \"https://git.kernel.org/stable/c/ca459dfa7d4ed9098fcf13e410963be6ae9b6bf3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()\\n\\nscarlett2_usb_set_config() calls scarlett2_usb_get() but was not\\nchecking the result. Return the error if it fails rather than\\ncontinuing with an invalid value.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52692\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52693", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52693" + }, + { + "url": "https://git.kernel.org/stable/c/1e3a2b9b4039bb4d136dca59fb31e06465e056f3" + }, + { + "url": "https://git.kernel.org/stable/c/2124c5bc22948fc4d09a23db4a8acdccc7d21e95" + }, + { + "url": "https://git.kernel.org/stable/c/39af144b6d01d9b40f52e5d773e653957e6c379c" + }, + { + "url": "https://git.kernel.org/stable/c/3a370502a5681986f9828e43be75ce26c6ab24af" + }, + { + "url": "https://git.kernel.org/stable/c/556f02699d33c1f40b1b31bd25828ce08fa165d8" + }, + { + "url": "https://git.kernel.org/stable/c/72884ce4e10417b1233b614bf134da852df0f15f" + }, + { + "url": "https://git.kernel.org/stable/c/c4e1a0ef0b4782854c9b77a333ca912b392bed2f" + }, + { + "url": "https://git.kernel.org/stable/c/ccd45faf4973746c4f30ea41eec864e5cf191099" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52693 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52693", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: check for error while searching for backlight device parent\n\nIf acpi_get_parent() called in acpi_video_dev_register_backlight()\nfails, for example, because acpi_ut_acquire_mutex() fails inside\nacpi_get_parent), this can lead to incorrect (uninitialized)\nacpi_parent handle being passed to acpi_get_pci_dev() for detecting\nthe parent pci device.\n\nCheck acpi_get_parent() result and set parent device only in case of success.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52693\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52693\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52693\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52693\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52693\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e3a2b9b4039bb4d136dca59fb31e06465e056f3\",\n \"https://git.kernel.org/stable/c/2124c5bc22948fc4d09a23db4a8acdccc7d21e95\",\n \"https://git.kernel.org/stable/c/39af144b6d01d9b40f52e5d773e653957e6c379c\",\n \"https://git.kernel.org/stable/c/3a370502a5681986f9828e43be75ce26c6ab24af\",\n \"https://git.kernel.org/stable/c/556f02699d33c1f40b1b31bd25828ce08fa165d8\",\n \"https://git.kernel.org/stable/c/72884ce4e10417b1233b614bf134da852df0f15f\",\n \"https://git.kernel.org/stable/c/c4e1a0ef0b4782854c9b77a333ca912b392bed2f\",\n \"https://git.kernel.org/stable/c/ccd45faf4973746c4f30ea41eec864e5cf191099\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nACPI: video: check for error while searching for backlight device parent\\n\\nIf acpi_get_parent() called in acpi_video_dev_register_backlight()\\nfails, for example, because acpi_ut_acquire_mutex() fails inside\\nacpi_get_parent), this can lead to incorrect (uninitialized)\\nacpi_parent handle being passed to acpi_get_pci_dev() for detecting\\nthe parent pci device.\\n\\nCheck acpi_get_parent() result and set parent device only in case of success.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52693\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52694", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52694" + }, + { + "url": "https://git.kernel.org/stable/c/08ccff6ece35f08e8107e975903c370d849089e5" + }, + { + "url": "https://git.kernel.org/stable/c/53926e2a39629702f7f809d614b3ca89c2478205" + }, + { + "url": "https://git.kernel.org/stable/c/81f1bd85960b7a089a91e679ff7cd2524390bbf1" + }, + { + "url": "https://git.kernel.org/stable/c/a8657406e12aa10412134622c58977ac657f16d2" + }, + { + "url": "https://git.kernel.org/stable/c/ce3e112e7ae854249d8755906acc5f27e1542114" + }, + { + "url": "https://git.kernel.org/stable/c/e00ec5901954d85b39b5f10f94e60ab9af463eb1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52694 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52694", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\n\nWith tpd12s015_remove() marked with __exit this function is discarded\nwhen the driver is compiled as a built-in. The result is that when the\ndriver unbinds there is no cleanup done which results in resource\nleakage or worse.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52694\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52694\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52694\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52694\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52694\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08ccff6ece35f08e8107e975903c370d849089e5\",\n \"https://git.kernel.org/stable/c/53926e2a39629702f7f809d614b3ca89c2478205\",\n \"https://git.kernel.org/stable/c/81f1bd85960b7a089a91e679ff7cd2524390bbf1\",\n \"https://git.kernel.org/stable/c/a8657406e12aa10412134622c58977ac657f16d2\",\n \"https://git.kernel.org/stable/c/ce3e112e7ae854249d8755906acc5f27e1542114\",\n \"https://git.kernel.org/stable/c/e00ec5901954d85b39b5f10f94e60ab9af463eb1\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\\n\\nWith tpd12s015_remove() marked with __exit this function is discarded\\nwhen the driver is compiled as a built-in. The result is that when the\\ndriver unbinds there is no cleanup done which results in resource\\nleakage or worse.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52694\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52696", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52696" + }, + { + "url": "https://git.kernel.org/stable/c/69f95c5e9220f77ce7c540686b056c2b49e9a664" + }, + { + "url": "https://git.kernel.org/stable/c/6b58d16037217d0c64a2a09b655f370403ec7219" + }, + { + "url": "https://git.kernel.org/stable/c/9da4a56dd3772570512ca58aa8832b052ae910dc" + }, + { + "url": "https://git.kernel.org/stable/c/a67a04ad05acb56640798625e73fa54d6d41cce1" + }, + { + "url": "https://git.kernel.org/stable/c/b02ecc35d01a76b4235e008d2dd292895b28ecab" + }, + { + "url": "https://git.kernel.org/stable/c/e123015c0ba859cf48aa7f89c5016cc6e98e018d" + }, + { + "url": "https://git.kernel.org/stable/c/f152a6bfd187f67afeffc9fd68cbe46f51439be0" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52696 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52696", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_powercap_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52696\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52696\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52696\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52696\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52696\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/69f95c5e9220f77ce7c540686b056c2b49e9a664\",\n \"https://git.kernel.org/stable/c/6b58d16037217d0c64a2a09b655f370403ec7219\",\n \"https://git.kernel.org/stable/c/9da4a56dd3772570512ca58aa8832b052ae910dc\",\n \"https://git.kernel.org/stable/c/a67a04ad05acb56640798625e73fa54d6d41cce1\",\n \"https://git.kernel.org/stable/c/b02ecc35d01a76b4235e008d2dd292895b28ecab\",\n \"https://git.kernel.org/stable/c/e123015c0ba859cf48aa7f89c5016cc6e98e018d\",\n \"https://git.kernel.org/stable/c/f152a6bfd187f67afeffc9fd68cbe46f51439be0\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/powernv: Add a null pointer check in opal_powercap_init()\\n\\nkasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52696\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52698", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52698" + }, + { + "url": "https://git.kernel.org/stable/c/321b3a5592c8a9d6b654c7c64833ea67dbb33149" + }, + { + "url": "https://git.kernel.org/stable/c/36e19f84634aaa94f543fedc0a07588949638d53" + }, + { + "url": "https://git.kernel.org/stable/c/408bbd1e1746fe33e51f4c81c2febd7d3841d031" + }, + { + "url": "https://git.kernel.org/stable/c/44a88650ba55e6a7f2ec485d2c2413ba7e216f01" + }, + { + "url": "https://git.kernel.org/stable/c/9a8f811a146aa2a0230f8edb2e9f4b6609aab8da" + }, + { + "url": "https://git.kernel.org/stable/c/a4529a08d3704c17ea9c7277d180e46b99250ded" + }, + { + "url": "https://git.kernel.org/stable/c/ec4e9d630a64df500641892f4e259e8149594a99" + }, + { + "url": "https://git.kernel.org/stable/c/f14d36e6e97fe935a20e0ceb159c100f90b6627c" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52698 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52698", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncalipso: fix memory leak in netlbl_calipso_add_pass()\n\nIf IPv6 support is disabled at boot (ipv6.disable=1),\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\nand the netlbl_calipso_ops_get() function always returns NULL.\nIn this case, the netlbl_calipso_add_pass() function allocates memory\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\n\nBUG: memory leak\nunreferenced object 0xffff888011d68180 (size 64):\n comm \"syz-executor.1\", pid 10746, jiffies 4295410986 (age 17.928s)\n hex dump (first 32 bytes):\n 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<...>] kmalloc include/linux/slab.h:552 [inline]\n [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\n [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\n [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\n [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\n [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\n [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\n [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\n [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\n [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\n [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\n [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller\n\n[PM: merged via the LSM tree at Jakub Kicinski request]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52698\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52698\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52698\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52698\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52698\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/321b3a5592c8a9d6b654c7c64833ea67dbb33149\",\n \"https://git.kernel.org/stable/c/36e19f84634aaa94f543fedc0a07588949638d53\",\n \"https://git.kernel.org/stable/c/408bbd1e1746fe33e51f4c81c2febd7d3841d031\",\n \"https://git.kernel.org/stable/c/44a88650ba55e6a7f2ec485d2c2413ba7e216f01\",\n \"https://git.kernel.org/stable/c/9a8f811a146aa2a0230f8edb2e9f4b6609aab8da\",\n \"https://git.kernel.org/stable/c/a4529a08d3704c17ea9c7277d180e46b99250ded\",\n \"https://git.kernel.org/stable/c/ec4e9d630a64df500641892f4e259e8149594a99\",\n \"https://git.kernel.org/stable/c/f14d36e6e97fe935a20e0ceb159c100f90b6627c\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncalipso: fix memory leak in netlbl_calipso_add_pass()\\n\\nIf IPv6 support is disabled at boot (ipv6.disable=1),\\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\\nand the netlbl_calipso_ops_get() function always returns NULL.\\nIn this case, the netlbl_calipso_add_pass() function allocates memory\\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\\n\\nBUG: memory leak\\nunreferenced object 0xffff888011d68180 (size 64):\\n comm \\\"syz-executor.1\\\", pid 10746, jiffies 4295410986 (age 17.928s)\\n hex dump (first 32 bytes):\\n 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n backtrace:\\n [<...>] kmalloc include/linux/slab.h:552 [inline]\\n [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\\n [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\\n [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\\n [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\\n [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\\n [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\\n [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\\n [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\\n [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\\n [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\\n [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\\n [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\\n [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\\n [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\\n [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\\n [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\\n [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\\n\\nFound by InfoTeCS on behalf of Linux Verification Center\\n(linuxtesting.org) with Syzkaller\\n\\n[PM: merged via the LSM tree at Jakub Kicinski request]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52698\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52699", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52699" + }, + { + "url": "https://git.kernel.org/stable/c/13b33feb2ebddc2b1aa607f553566b18a4af1d76" + }, + { + "url": "https://git.kernel.org/stable/c/1b4fe801b5bedec2b622ddb18e5c9bf26c63d79f" + }, + { + "url": "https://git.kernel.org/stable/c/53cb1e52c9db618c08335984d1ca80db220ccf09" + }, + { + "url": "https://git.kernel.org/stable/c/674c1c4229e743070e09db63a23442950ff000d1" + }, + { + "url": "https://git.kernel.org/stable/c/89e8524135a3902e7563a5a59b7b5ec1bf4904ac" + }, + { + "url": "https://git.kernel.org/stable/c/a69224223746ab96d43e5db9d22d136827b7e2d3" + }, + { + "url": "https://git.kernel.org/stable/c/f123dc86388cb669c3d6322702dc441abc35c31e" + }, + { + "url": "https://git.kernel.org/stable/c/fd203d2c671bdee9ab77090ff394d3b71b627927" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52699 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52699", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysv: don't call sb_bread() with pointers_lock held\n\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\nsb_bread() is called with rw_spinlock held.\n\nA \"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\" bug\nand a \"sb_bread() with write_lock(&pointers_lock)\" bug were introduced by\n\"Replace BKL for chain locking with sysvfs-private rwlock\" in Linux 2.5.12.\n\nThen, \"[PATCH] err1-40: sysvfs locking fix\" in Linux 2.6.8 fixed the\nformer bug by moving pointers_lock lock to the callers, but instead\nintroduced a \"sb_bread() with read_lock(&pointers_lock)\" bug (which made\nthis problem easier to hit).\n\nAl Viro suggested that why not to do like get_branch()/get_block()/\nfind_shared() in Minix filesystem does. And doing like that is almost a\nrevert of \"[PATCH] err1-40: sysvfs locking fix\" except that get_branch()\n from with find_shared() is called without write_lock(&pointers_lock).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52699\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52699\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52699\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52699\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52699\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13b33feb2ebddc2b1aa607f553566b18a4af1d76\",\n \"https://git.kernel.org/stable/c/1b4fe801b5bedec2b622ddb18e5c9bf26c63d79f\",\n \"https://git.kernel.org/stable/c/53cb1e52c9db618c08335984d1ca80db220ccf09\",\n \"https://git.kernel.org/stable/c/674c1c4229e743070e09db63a23442950ff000d1\",\n \"https://git.kernel.org/stable/c/89e8524135a3902e7563a5a59b7b5ec1bf4904ac\",\n \"https://git.kernel.org/stable/c/a69224223746ab96d43e5db9d22d136827b7e2d3\",\n \"https://git.kernel.org/stable/c/f123dc86388cb669c3d6322702dc441abc35c31e\",\n \"https://git.kernel.org/stable/c/fd203d2c671bdee9ab77090ff394d3b71b627927\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsysv: don't call sb_bread() with pointers_lock held\\n\\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\\nsb_bread() is called with rw_spinlock held.\\n\\nA \\\"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\\\" bug\\nand a \\\"sb_bread() with write_lock(&pointers_lock)\\\" bug were introduced by\\n\\\"Replace BKL for chain locking with sysvfs-private rwlock\\\" in Linux 2.5.12.\\n\\nThen, \\\"[PATCH] err1-40: sysvfs locking fix\\\" in Linux 2.6.8 fixed the\\nformer bug by moving pointers_lock lock to the callers, but instead\\nintroduced a \\\"sb_bread() with read_lock(&pointers_lock)\\\" bug (which made\\nthis problem easier to hit).\\n\\nAl Viro suggested that why not to do like get_branch()/get_block()/\\nfind_shared() in Minix filesystem does. And doing like that is almost a\\nrevert of \\\"[PATCH] err1-40: sysvfs locking fix\\\" except that get_branch()\\n from with find_shared() is called without write_lock(&pointers_lock).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52699\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52700", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52700" + }, + { + "url": "https://git.kernel.org/stable/c/11a4d6f67cf55883dc78e31c247d1903ed7feccc" + }, + { + "url": "https://git.kernel.org/stable/c/54b6082aec178f16ad6d193b4ecdc9c4823d9a32" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52700 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52700", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix kernel warning when sending SYN message\n\nWhen sending a SYN message, this kernel stack trace is observed:\n\n...\n[ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550\n...\n[ 13.398494] Call Trace:\n[ 13.398630] \n[ 13.398630] ? __alloc_skb+0xed/0x1a0\n[ 13.398630] tipc_msg_build+0x12c/0x670 [tipc]\n[ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290\n[ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc]\n[ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc]\n[ 13.398630] ? __local_bh_enable_ip+0x37/0x80\n[ 13.398630] tipc_connect+0x1d9/0x230 [tipc]\n[ 13.398630] ? __sys_connect+0x9f/0xd0\n[ 13.398630] __sys_connect+0x9f/0xd0\n[ 13.398630] ? preempt_count_add+0x4d/0xa0\n[ 13.398630] ? fpregs_assert_state_consistent+0x22/0x50\n[ 13.398630] __x64_sys_connect+0x16/0x20\n[ 13.398630] do_syscall_64+0x42/0x90\n[ 13.398630] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIt is because commit a41dad905e5a (\"iov_iter: saner checks for attempt\nto copy to/from iterator\") has introduced sanity check for copying\nfrom/to iov iterator. Lacking of copy direction from the iterator\nviewpoint would lead to kernel stack trace like above.\n\nThis commit fixes this issue by initializing the iov iterator with\nthe correct copy direction when sending SYN or ACK without data.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52700\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52700\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52700\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52700\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52700\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11a4d6f67cf55883dc78e31c247d1903ed7feccc\",\n \"https://git.kernel.org/stable/c/54b6082aec178f16ad6d193b4ecdc9c4823d9a32\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: fix kernel warning when sending SYN message\\n\\nWhen sending a SYN message, this kernel stack trace is observed:\\n\\n...\\n[ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550\\n...\\n[ 13.398494] Call Trace:\\n[ 13.398630] \\n[ 13.398630] ? __alloc_skb+0xed/0x1a0\\n[ 13.398630] tipc_msg_build+0x12c/0x670 [tipc]\\n[ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290\\n[ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc]\\n[ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc]\\n[ 13.398630] ? __local_bh_enable_ip+0x37/0x80\\n[ 13.398630] tipc_connect+0x1d9/0x230 [tipc]\\n[ 13.398630] ? __sys_connect+0x9f/0xd0\\n[ 13.398630] __sys_connect+0x9f/0xd0\\n[ 13.398630] ? preempt_count_add+0x4d/0xa0\\n[ 13.398630] ? fpregs_assert_state_consistent+0x22/0x50\\n[ 13.398630] __x64_sys_connect+0x16/0x20\\n[ 13.398630] do_syscall_64+0x42/0x90\\n[ 13.398630] entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nIt is because commit a41dad905e5a (\\\"iov_iter: saner checks for attempt\\nto copy to/from iterator\\\") has introduced sanity check for copying\\nfrom/to iov iterator. Lacking of copy direction from the iterator\\nviewpoint would lead to kernel stack trace like above.\\n\\nThis commit fixes this issue by initializing the iov iterator with\\nthe correct copy direction when sending SYN or ACK without data.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52700\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52701", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52701" + }, + { + "url": "https://git.kernel.org/stable/c/2558b8039d059342197610498c8749ad294adee5" + }, + { + "url": "https://git.kernel.org/stable/c/863a7de987f02a901bf215509276a7de0370e0f9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52701 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52701", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use a bounce buffer for copying skb->mark\n\nsyzbot found arm64 builds would crash in sock_recv_mark()\nwhen CONFIG_HARDENED_USERCOPY=y\n\nx86 and powerpc are not detecting the issue because\nthey define user_access_begin.\nThis will be handled in a different patch,\nbecause a check_object_size() is missing.\n\nOnly data from skb->cb[] can be copied directly to/from user space,\nas explained in commit 79a8a642bf05 (\"net: Whitelist\nthe skbuff_head_cache \"cb\" field\")\n\nsyzbot report was:\nusercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)!\n------------[ cut here ]------------\nkernel BUG at mm/usercopy.c:102 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : usercopy_abort+0x90/0x94 mm/usercopy.c:90\nlr : usercopy_abort+0x90/0x94 mm/usercopy.c:90\nsp : ffff80000fb9b9a0\nx29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00\nx26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000\nx23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8\nx20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000\nx17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118\nx14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400\nx11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00\nx8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c\nCall trace:\nusercopy_abort+0x90/0x94 mm/usercopy.c:90\n__check_heap_object+0xa8/0x100 mm/slub.c:4761\ncheck_heap_object mm/usercopy.c:196 [inline]\n__check_object_size+0x208/0x6b8 mm/usercopy.c:251\ncheck_object_size include/linux/thread_info.h:199 [inline]\n__copy_to_user include/linux/uaccess.h:115 [inline]\nput_cmsg+0x408/0x464 net/core/scm.c:238\nsock_recv_mark net/socket.c:975 [inline]\n__sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984\nsock_recv_cmsgs include/net/sock.h:2728 [inline]\npacket_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482\n____sys_recvmsg+0x110/0x3a0\n___sys_recvmsg net/socket.c:2737 [inline]\n__sys_recvmsg+0x194/0x210 net/socket.c:2767\n__do_sys_recvmsg net/socket.c:2777 [inline]\n__se_sys_recvmsg net/socket.c:2774 [inline]\n__arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774\n__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\ninvoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52\nel0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142\ndo_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193\nel0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637\nel0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591\nCode: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52701\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52701\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52701\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52701\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52701\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2558b8039d059342197610498c8749ad294adee5\",\n \"https://git.kernel.org/stable/c/863a7de987f02a901bf215509276a7de0370e0f9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: use a bounce buffer for copying skb->mark\\n\\nsyzbot found arm64 builds would crash in sock_recv_mark()\\nwhen CONFIG_HARDENED_USERCOPY=y\\n\\nx86 and powerpc are not detecting the issue because\\nthey define user_access_begin.\\nThis will be handled in a different patch,\\nbecause a check_object_size() is missing.\\n\\nOnly data from skb->cb[] can be copied directly to/from user space,\\nas explained in commit 79a8a642bf05 (\\\"net: Whitelist\\nthe skbuff_head_cache \\\"cb\\\" field\\\")\\n\\nsyzbot report was:\\nusercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)!\\n------------[ cut here ]------------\\nkernel BUG at mm/usercopy.c:102 !\\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\\nModules linked in:\\nCPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023\\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : usercopy_abort+0x90/0x94 mm/usercopy.c:90\\nlr : usercopy_abort+0x90/0x94 mm/usercopy.c:90\\nsp : ffff80000fb9b9a0\\nx29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00\\nx26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000\\nx23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8\\nx20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000\\nx17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118\\nx14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400\\nx11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00\\nx8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000\\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\\nx2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c\\nCall trace:\\nusercopy_abort+0x90/0x94 mm/usercopy.c:90\\n__check_heap_object+0xa8/0x100 mm/slub.c:4761\\ncheck_heap_object mm/usercopy.c:196 [inline]\\n__check_object_size+0x208/0x6b8 mm/usercopy.c:251\\ncheck_object_size include/linux/thread_info.h:199 [inline]\\n__copy_to_user include/linux/uaccess.h:115 [inline]\\nput_cmsg+0x408/0x464 net/core/scm.c:238\\nsock_recv_mark net/socket.c:975 [inline]\\n__sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984\\nsock_recv_cmsgs include/net/sock.h:2728 [inline]\\npacket_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482\\n____sys_recvmsg+0x110/0x3a0\\n___sys_recvmsg net/socket.c:2737 [inline]\\n__sys_recvmsg+0x194/0x210 net/socket.c:2767\\n__do_sys_recvmsg net/socket.c:2777 [inline]\\n__se_sys_recvmsg net/socket.c:2774 [inline]\\n__arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774\\n__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\\ninvoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52\\nel0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142\\ndo_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193\\nel0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637\\nel0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655\\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591\\nCode: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52701\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52702", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52702" + }, + { + "url": "https://git.kernel.org/stable/c/1563e998a938f095548054ef09e277b562b79536" + }, + { + "url": "https://git.kernel.org/stable/c/2fa28f5c6fcbfc794340684f36d2581b4f2d20b5" + }, + { + "url": "https://git.kernel.org/stable/c/c0f65ee0a3329eb4b94beaef0268633696e2d0c6" + }, + { + "url": "https://git.kernel.org/stable/c/e336a9e08618203a456fb5367f1387b14554f55e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52702 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52702", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix possible memory leak in ovs_meter_cmd_set()\n\nold_meter needs to be free after it is detached regardless of whether\nthe new meter is successfully attached.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52702\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52702\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52702\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52702\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52702\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1563e998a938f095548054ef09e277b562b79536\",\n \"https://git.kernel.org/stable/c/2fa28f5c6fcbfc794340684f36d2581b4f2d20b5\",\n \"https://git.kernel.org/stable/c/c0f65ee0a3329eb4b94beaef0268633696e2d0c6\",\n \"https://git.kernel.org/stable/c/e336a9e08618203a456fb5367f1387b14554f55e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: openvswitch: fix possible memory leak in ovs_meter_cmd_set()\\n\\nold_meter needs to be free after it is detached regardless of whether\\nthe new meter is successfully attached.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52702\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52703", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52703" + }, + { + "url": "https://git.kernel.org/stable/c/02df3170c04a8356cd571ab9155a42f030190abc" + }, + { + "url": "https://git.kernel.org/stable/c/1b5de7d44890b78519acbcc80d8d1f23ff2872e5" + }, + { + "url": "https://git.kernel.org/stable/c/338f826d3afead6e4df521f7972a4bef04a72efb" + }, + { + "url": "https://git.kernel.org/stable/c/525bdcb0838d19d918c7786151ee14661967a030" + }, + { + "url": "https://git.kernel.org/stable/c/723ef7b66f37c0841f5a451ccbce47ee1641e081" + }, + { + "url": "https://git.kernel.org/stable/c/a753352622b4f3c0219e0e9c73114b2848ae6042" + }, + { + "url": "https://git.kernel.org/stable/c/c68f345b7c425b38656e1791a0486769a8797016" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52703 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52703", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/usb: kalmia: Don't pass act_len in usb_bulk_msg error path\n\nsyzbot reported that act_len in kalmia_send_init_packet() is\nuninitialized when passing it to the first usb_bulk_msg error path. Jiri\nPirko noted that it's pointless to pass it in the error path, and that\nthe value that would be printed in the second error path would be the\nvalue of act_len from the first call to usb_bulk_msg.[1]\n\nWith this in mind, let's just not pass act_len to the usb_bulk_msg error\npaths.\n\n1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52703\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52703\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52703\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52703\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52703\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02df3170c04a8356cd571ab9155a42f030190abc\",\n \"https://git.kernel.org/stable/c/1b5de7d44890b78519acbcc80d8d1f23ff2872e5\",\n \"https://git.kernel.org/stable/c/338f826d3afead6e4df521f7972a4bef04a72efb\",\n \"https://git.kernel.org/stable/c/525bdcb0838d19d918c7786151ee14661967a030\",\n \"https://git.kernel.org/stable/c/723ef7b66f37c0841f5a451ccbce47ee1641e081\",\n \"https://git.kernel.org/stable/c/a753352622b4f3c0219e0e9c73114b2848ae6042\",\n \"https://git.kernel.org/stable/c/c68f345b7c425b38656e1791a0486769a8797016\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/usb: kalmia: Don't pass act_len in usb_bulk_msg error path\\n\\nsyzbot reported that act_len in kalmia_send_init_packet() is\\nuninitialized when passing it to the first usb_bulk_msg error path. Jiri\\nPirko noted that it's pointless to pass it in the error path, and that\\nthe value that would be printed in the second error path would be the\\nvalue of act_len from the first call to usb_bulk_msg.[1]\\n\\nWith this in mind, let's just not pass act_len to the usb_bulk_msg error\\npaths.\\n\\n1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52703\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52705", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52705" + }, + { + "url": "https://git.kernel.org/stable/c/0ee5ed0126a2211f7174492da2ca2c29f43755c5" + }, + { + "url": "https://git.kernel.org/stable/c/2f7a1135b202977b82457adde7db6c390056863b" + }, + { + "url": "https://git.kernel.org/stable/c/52844d8382cd9166d708032def8905ffc3ae550f" + }, + { + "url": "https://git.kernel.org/stable/c/99b9402a36f0799f25feee4465bfa4b8dfa74b4d" + }, + { + "url": "https://git.kernel.org/stable/c/a158782b56b070485d54d25fc9aaf2c8f3752205" + }, + { + "url": "https://git.kernel.org/stable/c/a8ef5109f93cea9933bbac0455d8c18757b3fcb4" + }, + { + "url": "https://git.kernel.org/stable/c/b96591e2c35c8b47db0ec816b5fc6cb8868000ff" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52705 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52705", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix underflow in second superblock position calculations\n\nMacro NILFS_SB2_OFFSET_BYTES, which computes the position of the second\nsuperblock, underflows when the argument device size is less than 4096\nbytes. Therefore, when using this macro, it is necessary to check in\nadvance that the device size is not less than a lower limit, or at least\nthat underflow does not occur.\n\nThe current nilfs2 implementation lacks this check, causing out-of-bound\nblock access when mounting devices smaller than 4096 bytes:\n\n I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0\n phys_seg 1 prio class 2\n NILFS (loop0): unable to read secondary superblock (blocksize = 1024)\n\nIn addition, when trying to resize the filesystem to a size below 4096\nbytes, this underflow occurs in nilfs_resize_fs(), passing a huge number\nof segments to nilfs_sufile_resize(), corrupting parameters such as the\nnumber of segments in superblocks. This causes excessive loop iterations\nin nilfs_sufile_resize() during a subsequent resize ioctl, causing\nsemaphore ns_segctor_sem to block for a long time and hang the writer\nthread:\n\n INFO: task segctord:5067 blocked for more than 143 seconds.\n Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:segctord state:D stack:23456 pid:5067 ppid:2\n flags:0x00004000\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x1409/0x43f0 kernel/sched/core.c:6606\n schedule+0xc3/0x190 kernel/sched/core.c:6682\n rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190\n nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357\n nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]\n nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570\n kthread+0x270/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n ...\n Call Trace:\n \n folio_mark_accessed+0x51c/0xf00 mm/swap.c:515\n __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]\n nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61\n nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121\n nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176\n nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251\n nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]\n nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]\n nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777\n nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422\n nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]\n nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301\n ...\n\nThis fixes these issues by inserting appropriate minimum device size\nchecks or anti-underflow checks, depending on where the macro is used.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52705\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52705\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52705\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52705\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52705\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ee5ed0126a2211f7174492da2ca2c29f43755c5\",\n \"https://git.kernel.org/stable/c/2f7a1135b202977b82457adde7db6c390056863b\",\n \"https://git.kernel.org/stable/c/52844d8382cd9166d708032def8905ffc3ae550f\",\n \"https://git.kernel.org/stable/c/99b9402a36f0799f25feee4465bfa4b8dfa74b4d\",\n \"https://git.kernel.org/stable/c/a158782b56b070485d54d25fc9aaf2c8f3752205\",\n \"https://git.kernel.org/stable/c/a8ef5109f93cea9933bbac0455d8c18757b3fcb4\",\n \"https://git.kernel.org/stable/c/b96591e2c35c8b47db0ec816b5fc6cb8868000ff\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix underflow in second superblock position calculations\\n\\nMacro NILFS_SB2_OFFSET_BYTES, which computes the position of the second\\nsuperblock, underflows when the argument device size is less than 4096\\nbytes. Therefore, when using this macro, it is necessary to check in\\nadvance that the device size is not less than a lower limit, or at least\\nthat underflow does not occur.\\n\\nThe current nilfs2 implementation lacks this check, causing out-of-bound\\nblock access when mounting devices smaller than 4096 bytes:\\n\\n I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0\\n phys_seg 1 prio class 2\\n NILFS (loop0): unable to read secondary superblock (blocksize = 1024)\\n\\nIn addition, when trying to resize the filesystem to a size below 4096\\nbytes, this underflow occurs in nilfs_resize_fs(), passing a huge number\\nof segments to nilfs_sufile_resize(), corrupting parameters such as the\\nnumber of segments in superblocks. This causes excessive loop iterations\\nin nilfs_sufile_resize() during a subsequent resize ioctl, causing\\nsemaphore ns_segctor_sem to block for a long time and hang the writer\\nthread:\\n\\n INFO: task segctord:5067 blocked for more than 143 seconds.\\n Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0\\n \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n task:segctord state:D stack:23456 pid:5067 ppid:2\\n flags:0x00004000\\n Call Trace:\\n \\n context_switch kernel/sched/core.c:5293 [inline]\\n __schedule+0x1409/0x43f0 kernel/sched/core.c:6606\\n schedule+0xc3/0x190 kernel/sched/core.c:6682\\n rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190\\n nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357\\n nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]\\n nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570\\n kthread+0x270/0x300 kernel/kthread.c:376\\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\\n \\n ...\\n Call Trace:\\n \\n folio_mark_accessed+0x51c/0xf00 mm/swap.c:515\\n __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]\\n nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61\\n nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121\\n nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176\\n nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251\\n nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]\\n nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]\\n nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777\\n nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422\\n nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]\\n nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301\\n ...\\n\\nThis fixes these issues by inserting appropriate minimum device size\\nchecks or anti-underflow checks, depending on where the macro is used.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52705\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52707", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52707" + }, + { + "url": "https://git.kernel.org/stable/c/7caeb5457bd01ccba0df1d6f4872f20d28e50b38" + }, + { + "url": "https://git.kernel.org/stable/c/c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe" + }, + { + "url": "https://git.kernel.org/stable/c/c6879a4dcefe92d870ab68cabaa9caeda4f2af5a" + }, + { + "url": "https://git.kernel.org/stable/c/cca2b3feb70170ef6f0fbc4b4d91eea235a2b73a" + }, + { + "url": "https://git.kernel.org/stable/c/ec9c7aa08819f976b2492fa63c41b5712d2924b5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52707 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52707", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: Fix use-after-free in ep_remove_wait_queue()\n\nIf a non-root cgroup gets removed when there is a thread that registered\ntrigger and is polling on a pressure file within the cgroup, the polling\nwaitqueue gets freed in the following path:\n\n do_rmdir\n cgroup_rmdir\n kernfs_drain_open_files\n cgroup_file_release\n cgroup_pressure_release\n psi_trigger_destroy\n\nHowever, the polling thread still has a reference to the pressure file and\nwill access the freed waitqueue when the file is closed or upon exit:\n\n fput\n ep_eventpoll_release\n ep_free\n ep_remove_wait_queue\n remove_wait_queue\n\nThis results in use-after-free as pasted below.\n\nThe fundamental problem here is that cgroup_file_release() (and\nconsequently waitqueue's lifetime) is not tied to the file's real lifetime.\nUsing wake_up_pollfree() here might be less than ideal, but it is in line\nwith the comment at commit 42288cb44c4b (\"wait: add wake_up_pollfree()\")\nsince the waitqueue's lifetime is not tied to file's one and can be\nconsidered as another special case. While this would be fixable by somehow\nmaking cgroup_file_release() be tied to the fput(), it would require\nsizable refactoring at cgroups or higher layer which might be more\njustifiable if we identify more cases like this.\n\n BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0\n Write of size 4 at addr ffff88810e625328 by task a.out/4404\n\n\tCPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38\n\tHardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017\n\tCall Trace:\n\t\n\tdump_stack_lvl+0x73/0xa0\n\tprint_report+0x16c/0x4e0\n\tkasan_report+0xc3/0xf0\n\tkasan_check_range+0x2d2/0x310\n\t_raw_spin_lock_irqsave+0x60/0xc0\n\tremove_wait_queue+0x1a/0xa0\n\tep_free+0x12c/0x170\n\tep_eventpoll_release+0x26/0x30\n\t__fput+0x202/0x400\n\ttask_work_run+0x11d/0x170\n\tdo_exit+0x495/0x1130\n\tdo_group_exit+0x100/0x100\n\tget_signal+0xd67/0xde0\n\tarch_do_signal_or_restart+0x2a/0x2b0\n\texit_to_user_mode_prepare+0x94/0x100\n\tsyscall_exit_to_user_mode+0x20/0x40\n\tdo_syscall_64+0x52/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\t\n\n Allocated by task 4404:\n\n\tkasan_set_track+0x3d/0x60\n\t__kasan_kmalloc+0x85/0x90\n\tpsi_trigger_create+0x113/0x3e0\n\tpressure_write+0x146/0x2e0\n\tcgroup_file_write+0x11c/0x250\n\tkernfs_fop_write_iter+0x186/0x220\n\tvfs_write+0x3d8/0x5c0\n\tksys_write+0x90/0x110\n\tdo_syscall_64+0x43/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n Freed by task 4407:\n\n\tkasan_set_track+0x3d/0x60\n\tkasan_save_free_info+0x27/0x40\n\t____kasan_slab_free+0x11d/0x170\n\tslab_free_freelist_hook+0x87/0x150\n\t__kmem_cache_free+0xcb/0x180\n\tpsi_trigger_destroy+0x2e8/0x310\n\tcgroup_file_release+0x4f/0xb0\n\tkernfs_drain_open_files+0x165/0x1f0\n\tkernfs_drain+0x162/0x1a0\n\t__kernfs_remove+0x1fb/0x310\n\tkernfs_remove_by_name_ns+0x95/0xe0\n\tcgroup_addrm_files+0x67f/0x700\n\tcgroup_destroy_locked+0x283/0x3c0\n\tcgroup_rmdir+0x29/0x100\n\tkernfs_iop_rmdir+0xd1/0x140\n\tvfs_rmdir+0xfe/0x240\n\tdo_rmdir+0x13d/0x280\n\t__x64_sys_rmdir+0x2c/0x30\n\tdo_syscall_64+0x43/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52707\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52707\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52707\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52707\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52707\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7caeb5457bd01ccba0df1d6f4872f20d28e50b38\",\n \"https://git.kernel.org/stable/c/c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe\",\n \"https://git.kernel.org/stable/c/c6879a4dcefe92d870ab68cabaa9caeda4f2af5a\",\n \"https://git.kernel.org/stable/c/cca2b3feb70170ef6f0fbc4b4d91eea235a2b73a\",\n \"https://git.kernel.org/stable/c/ec9c7aa08819f976b2492fa63c41b5712d2924b5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/psi: Fix use-after-free in ep_remove_wait_queue()\\n\\nIf a non-root cgroup gets removed when there is a thread that registered\\ntrigger and is polling on a pressure file within the cgroup, the polling\\nwaitqueue gets freed in the following path:\\n\\n do_rmdir\\n cgroup_rmdir\\n kernfs_drain_open_files\\n cgroup_file_release\\n cgroup_pressure_release\\n psi_trigger_destroy\\n\\nHowever, the polling thread still has a reference to the pressure file and\\nwill access the freed waitqueue when the file is closed or upon exit:\\n\\n fput\\n ep_eventpoll_release\\n ep_free\\n ep_remove_wait_queue\\n remove_wait_queue\\n\\nThis results in use-after-free as pasted below.\\n\\nThe fundamental problem here is that cgroup_file_release() (and\\nconsequently waitqueue's lifetime) is not tied to the file's real lifetime.\\nUsing wake_up_pollfree() here might be less than ideal, but it is in line\\nwith the comment at commit 42288cb44c4b (\\\"wait: add wake_up_pollfree()\\\")\\nsince the waitqueue's lifetime is not tied to file's one and can be\\nconsidered as another special case. While this would be fixable by somehow\\nmaking cgroup_file_release() be tied to the fput(), it would require\\nsizable refactoring at cgroups or higher layer which might be more\\njustifiable if we identify more cases like this.\\n\\n BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0\\n Write of size 4 at addr ffff88810e625328 by task a.out/4404\\n\\n\\tCPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38\\n\\tHardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017\\n\\tCall Trace:\\n\\t\\n\\tdump_stack_lvl+0x73/0xa0\\n\\tprint_report+0x16c/0x4e0\\n\\tkasan_report+0xc3/0xf0\\n\\tkasan_check_range+0x2d2/0x310\\n\\t_raw_spin_lock_irqsave+0x60/0xc0\\n\\tremove_wait_queue+0x1a/0xa0\\n\\tep_free+0x12c/0x170\\n\\tep_eventpoll_release+0x26/0x30\\n\\t__fput+0x202/0x400\\n\\ttask_work_run+0x11d/0x170\\n\\tdo_exit+0x495/0x1130\\n\\tdo_group_exit+0x100/0x100\\n\\tget_signal+0xd67/0xde0\\n\\tarch_do_signal_or_restart+0x2a/0x2b0\\n\\texit_to_user_mode_prepare+0x94/0x100\\n\\tsyscall_exit_to_user_mode+0x20/0x40\\n\\tdo_syscall_64+0x52/0x90\\n\\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\t\\n\\n Allocated by task 4404:\\n\\n\\tkasan_set_track+0x3d/0x60\\n\\t__kasan_kmalloc+0x85/0x90\\n\\tpsi_trigger_create+0x113/0x3e0\\n\\tpressure_write+0x146/0x2e0\\n\\tcgroup_file_write+0x11c/0x250\\n\\tkernfs_fop_write_iter+0x186/0x220\\n\\tvfs_write+0x3d8/0x5c0\\n\\tksys_write+0x90/0x110\\n\\tdo_syscall_64+0x43/0x90\\n\\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\n Freed by task 4407:\\n\\n\\tkasan_set_track+0x3d/0x60\\n\\tkasan_save_free_info+0x27/0x40\\n\\t____kasan_slab_free+0x11d/0x170\\n\\tslab_free_freelist_hook+0x87/0x150\\n\\t__kmem_cache_free+0xcb/0x180\\n\\tpsi_trigger_destroy+0x2e8/0x310\\n\\tcgroup_file_release+0x4f/0xb0\\n\\tkernfs_drain_open_files+0x165/0x1f0\\n\\tkernfs_drain+0x162/0x1a0\\n\\t__kernfs_remove+0x1fb/0x310\\n\\tkernfs_remove_by_name_ns+0x95/0xe0\\n\\tcgroup_addrm_files+0x67f/0x700\\n\\tcgroup_destroy_locked+0x283/0x3c0\\n\\tcgroup_rmdir+0x29/0x100\\n\\tkernfs_iop_rmdir+0xd1/0x140\\n\\tvfs_rmdir+0xfe/0x240\\n\\tdo_rmdir+0x13d/0x280\\n\\t__x64_sys_rmdir+0x2c/0x30\\n\\tdo_syscall_64+0x43/0x90\\n\\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52707\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52708", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52708" + }, + { + "url": "https://git.kernel.org/stable/c/0b3edcb24bd81b3b2e3dac89f4733bfd47d283be" + }, + { + "url": "https://git.kernel.org/stable/c/82645bf4ed02abe930a659c5fe16d593a6dbd93f" + }, + { + "url": "https://git.kernel.org/stable/c/cf4c9d2ac1e42c7d18b921bec39486896645b714" + }, + { + "url": "https://git.kernel.org/stable/c/e9b488d60f51ae312006e224e03a30a151c28bdd" + }, + { + "url": "https://git.kernel.org/stable/c/ecad2fafd424ffdc203b2748ded0b37e4bbecef3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52708 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52708", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmc_spi: fix error handling in mmc_spi_probe()\n\nIf mmc_add_host() fails, it doesn't need to call mmc_remove_host(),\nor it will cause null-ptr-deref, because of deleting a not added\ndevice in mmc_remove_host().\n\nTo fix this, goto label 'fail_glue_init', if mmc_add_host() fails,\nand change the label 'fail_add_host' to 'fail_gpiod_request'.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52708\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52708\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52708\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52708\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52708\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b3edcb24bd81b3b2e3dac89f4733bfd47d283be\",\n \"https://git.kernel.org/stable/c/82645bf4ed02abe930a659c5fe16d593a6dbd93f\",\n \"https://git.kernel.org/stable/c/cf4c9d2ac1e42c7d18b921bec39486896645b714\",\n \"https://git.kernel.org/stable/c/e9b488d60f51ae312006e224e03a30a151c28bdd\",\n \"https://git.kernel.org/stable/c/ecad2fafd424ffdc203b2748ded0b37e4bbecef3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmmc: mmc_spi: fix error handling in mmc_spi_probe()\\n\\nIf mmc_add_host() fails, it doesn't need to call mmc_remove_host(),\\nor it will cause null-ptr-deref, because of deleting a not added\\ndevice in mmc_remove_host().\\n\\nTo fix this, goto label 'fail_glue_init', if mmc_add_host() fails,\\nand change the label 'fail_add_host' to 'fail_gpiod_request'.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52708\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52730", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52730" + }, + { + "url": "https://git.kernel.org/stable/c/1e06cf04239e202248c8fa356bf11449dc73cfbd" + }, + { + "url": "https://git.kernel.org/stable/c/30716d9f0fa1766e522cf24c8a456244e4fc9931" + }, + { + "url": "https://git.kernel.org/stable/c/5c7858adada31dbed042448cff6997dd6efc472a" + }, + { + "url": "https://git.kernel.org/stable/c/605d9fb9556f8f5fb4566f4df1480f280f308ded" + }, + { + "url": "https://git.kernel.org/stable/c/761db46b29b496946046d8cb33c7ea6de6bef36e" + }, + { + "url": "https://git.kernel.org/stable/c/92ff03c2563c9b57a027c744750f3b7d2f261c58" + }, + { + "url": "https://git.kernel.org/stable/c/f855d31bb38d663c3ba672345d7cce9324ba3b72" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52730 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52730", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdio: fix possible resource leaks in some error paths\n\nIf sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can\nnot release the resources, because the sdio function is not presented\nin these two cases, it won't call of_node_put() or put_device().\n\nTo fix these leaks, make sdio_func_present() only control whether\ndevice_del() needs to be called or not, then always call of_node_put()\nand put_device().\n\nIn error case in sdio_init_func(), the reference of 'card->dev' is\nnot get, to avoid redundant put in sdio_free_func_cis(), move the\nget_device() to sdio_alloc_func() and put_device() to sdio_release_func(),\nit can keep the get/put function be balanced.\n\nWithout this patch, while doing fault inject test, it can get the\nfollowing leak reports, after this fix, the leak is gone.\n\nunreferenced object 0xffff888112514000 (size 2048):\n comm \"kworker/3:2\", pid 65, jiffies 4294741614 (age 124.774s)\n hex dump (first 32 bytes):\n 00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X......\n 10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q.....\n backtrace:\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\n [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]\n [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]\n [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\n\nunreferenced object 0xffff888112511000 (size 2048):\n comm \"kworker/3:2\", pid 65, jiffies 4294741623 (age 124.766s)\n hex dump (first 32 bytes):\n 00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X......\n 10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q.....\n backtrace:\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\n [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]\n [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52730\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52730\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52730\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52730\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52730\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e06cf04239e202248c8fa356bf11449dc73cfbd\",\n \"https://git.kernel.org/stable/c/30716d9f0fa1766e522cf24c8a456244e4fc9931\",\n \"https://git.kernel.org/stable/c/5c7858adada31dbed042448cff6997dd6efc472a\",\n \"https://git.kernel.org/stable/c/605d9fb9556f8f5fb4566f4df1480f280f308ded\",\n \"https://git.kernel.org/stable/c/761db46b29b496946046d8cb33c7ea6de6bef36e\",\n \"https://git.kernel.org/stable/c/92ff03c2563c9b57a027c744750f3b7d2f261c58\",\n \"https://git.kernel.org/stable/c/f855d31bb38d663c3ba672345d7cce9324ba3b72\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmmc: sdio: fix possible resource leaks in some error paths\\n\\nIf sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can\\nnot release the resources, because the sdio function is not presented\\nin these two cases, it won't call of_node_put() or put_device().\\n\\nTo fix these leaks, make sdio_func_present() only control whether\\ndevice_del() needs to be called or not, then always call of_node_put()\\nand put_device().\\n\\nIn error case in sdio_init_func(), the reference of 'card->dev' is\\nnot get, to avoid redundant put in sdio_free_func_cis(), move the\\nget_device() to sdio_alloc_func() and put_device() to sdio_release_func(),\\nit can keep the get/put function be balanced.\\n\\nWithout this patch, while doing fault inject test, it can get the\\nfollowing leak reports, after this fix, the leak is gone.\\n\\nunreferenced object 0xffff888112514000 (size 2048):\\n comm \\\"kworker/3:2\\\", pid 65, jiffies 4294741614 (age 124.774s)\\n hex dump (first 32 bytes):\\n 00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X......\\n 10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q.....\\n backtrace:\\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\\n [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]\\n [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]\\n [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]\\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\\n\\nunreferenced object 0xffff888112511000 (size 2048):\\n comm \\\"kworker/3:2\\\", pid 65, jiffies 4294741623 (age 124.766s)\\n hex dump (first 32 bytes):\\n 00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X......\\n 10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q.....\\n backtrace:\\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\\n [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]\\n [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]\\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52730\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52732", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52732" + }, + { + "url": "https://git.kernel.org/stable/c/66ec619e4591f8350f99c5269a7ce160cccc7a7c" + }, + { + "url": "https://git.kernel.org/stable/c/a68e564adcaa69b0930809fb64d9d5f7d9c32ba9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52732 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52732", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: blocklist the kclient when receiving corrupted snap trace\n\nWhen received corrupted snap trace we don't know what exactly has\nhappened in MDS side. And we shouldn't continue IOs and metadatas\naccess to MDS, which may corrupt or get incorrect contents.\n\nThis patch will just block all the further IO/MDS requests\nimmediately and then evict the kclient itself.\n\nThe reason why we still need to evict the kclient just after\nblocking all the further IOs is that the MDS could revoke the caps\nfaster.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52732\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52732\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52732\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52732\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52732\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/66ec619e4591f8350f99c5269a7ce160cccc7a7c\",\n \"https://git.kernel.org/stable/c/a68e564adcaa69b0930809fb64d9d5f7d9c32ba9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nceph: blocklist the kclient when receiving corrupted snap trace\\n\\nWhen received corrupted snap trace we don't know what exactly has\\nhappened in MDS side. And we shouldn't continue IOs and metadatas\\naccess to MDS, which may corrupt or get incorrect contents.\\n\\nThis patch will just block all the further IO/MDS requests\\nimmediately and then evict the kclient itself.\\n\\nThe reason why we still need to evict the kclient just after\\nblocking all the further IOs is that the MDS could revoke the caps\\nfaster.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52732\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52733", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52733" + }, + { + "url": "https://git.kernel.org/stable/c/16409f7d9ca5bb8220e1049ea9aae0d3c94d2dfb" + }, + { + "url": "https://git.kernel.org/stable/c/55dbd6f4ea954751340f4f73d5dcd7c8f12208b2" + }, + { + "url": "https://git.kernel.org/stable/c/7ab41c2c08a32132ba8c14624910e2fe8ce4ba4b" + }, + { + "url": "https://git.kernel.org/stable/c/9ed522143f959630f8b7782ddc212900d8f609a9" + }, + { + "url": "https://git.kernel.org/stable/c/f1eb22d0ff064ad458b3b1a1eaa84ac3996206c2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52733 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52733", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/decompressor: specify __decompress() buf len to avoid overflow\n\nHistorically calls to __decompress() didn't specify \"out_len\" parameter\non many architectures including s390, expecting that no writes beyond\nuncompressed kernel image are performed. This has changed since commit\n2aa14b1ab2c4 (\"zstd: import usptream v1.5.2\") which includes zstd library\ncommit 6a7ede3dfccb (\"Reduce size of dctx by reutilizing dst buffer\n(#2751)\"). Now zstd decompression code might store literal buffer in\nthe unwritten portion of the destination buffer. Since \"out_len\" is\nnot set, it is considered to be unlimited and hence free to use for\noptimization needs. On s390 this might corrupt initrd or ipl report\nwhich are often placed right after the decompressor buffer. Luckily the\nsize of uncompressed kernel image is already known to the decompressor,\nso to avoid the problem simply specify it in the \"out_len\" parameter.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52733\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52733\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52733\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52733\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52733\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16409f7d9ca5bb8220e1049ea9aae0d3c94d2dfb\",\n \"https://git.kernel.org/stable/c/55dbd6f4ea954751340f4f73d5dcd7c8f12208b2\",\n \"https://git.kernel.org/stable/c/7ab41c2c08a32132ba8c14624910e2fe8ce4ba4b\",\n \"https://git.kernel.org/stable/c/9ed522143f959630f8b7782ddc212900d8f609a9\",\n \"https://git.kernel.org/stable/c/f1eb22d0ff064ad458b3b1a1eaa84ac3996206c2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/decompressor: specify __decompress() buf len to avoid overflow\\n\\nHistorically calls to __decompress() didn't specify \\\"out_len\\\" parameter\\non many architectures including s390, expecting that no writes beyond\\nuncompressed kernel image are performed. This has changed since commit\\n2aa14b1ab2c4 (\\\"zstd: import usptream v1.5.2\\\") which includes zstd library\\ncommit 6a7ede3dfccb (\\\"Reduce size of dctx by reutilizing dst buffer\\n(#2751)\\\"). Now zstd decompression code might store literal buffer in\\nthe unwritten portion of the destination buffer. Since \\\"out_len\\\" is\\nnot set, it is considered to be unlimited and hence free to use for\\noptimization needs. On s390 this might corrupt initrd or ipl report\\nwhich are often placed right after the decompressor buffer. Luckily the\\nsize of uncompressed kernel image is already known to the decompressor,\\nso to avoid the problem simply specify it in the \\\"out_len\\\" parameter.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52733\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52734", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52734" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52734 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52734", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52734\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52734\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52734\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52734\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52734\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52734\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52735", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52735" + }, + { + "url": "https://git.kernel.org/stable/c/5b4a79ba65a1ab479903fff2e604865d229b70a9" + }, + { + "url": "https://git.kernel.org/stable/c/7499859881488da97589f3c79cc66fa75748ad49" + }, + { + "url": "https://git.kernel.org/stable/c/f312367f5246e04df564d341044286e9e37a97ba" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52735 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52735", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself\n\nsock_map proto callbacks should never call themselves by design. Protect\nagainst bugs like [1] and break out of the recursive loop to avoid a stack\noverflow in favor of a resource leak.\n\n[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52735\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52735\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52735\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52735\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52735\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5b4a79ba65a1ab479903fff2e604865d229b70a9\",\n \"https://git.kernel.org/stable/c/7499859881488da97589f3c79cc66fa75748ad49\",\n \"https://git.kernel.org/stable/c/f312367f5246e04df564d341044286e9e37a97ba\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself\\n\\nsock_map proto callbacks should never call themselves by design. Protect\\nagainst bugs like [1] and break out of the recursive loop to avoid a stack\\noverflow in favor of a resource leak.\\n\\n[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52735\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52736", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52736" + }, + { + "url": "https://git.kernel.org/stable/c/427ca2530da8dc61a42620d7113b05e187b6c2c0" + }, + { + "url": "https://git.kernel.org/stable/c/7fc4e7191eae9d9325511e03deadfdb2224914f8" + }, + { + "url": "https://git.kernel.org/stable/c/87978e6ad45a16835cc58234451111091be3c59a" + }, + { + "url": "https://git.kernel.org/stable/c/e909f5f2aa55a8f9aa6919cce08015cb0e8d4668" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52736 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52736", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Do not unset preset when cleaning up codec\n\nSeveral functions that take part in codec's initialization and removal\nare re-used by ASoC codec drivers implementations. Drivers mimic the\nbehavior of hda_codec_driver_probe/remove() found in\nsound/pci/hda/hda_bind.c with their component->probe/remove() instead.\n\nOne of the reasons for that is the expectation of\nsnd_hda_codec_device_new() to receive a valid pointer to an instance of\nstruct snd_card. This expectation can be met only once sound card\ncomponents probing commences.\n\nAs ASoC sound card may be unbound without codec device being actually\nremoved from the system, unsetting ->preset in\nsnd_hda_codec_cleanup_for_unbind() interferes with module unload -> load\nscenario causing null-ptr-deref. Preset is assigned only once, during\ndevice/driver matching whereas ASoC codec driver's module reloading may\noccur several times throughout the lifetime of an audio stack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52736\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52736\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52736\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52736\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52736\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/427ca2530da8dc61a42620d7113b05e187b6c2c0\",\n \"https://git.kernel.org/stable/c/7fc4e7191eae9d9325511e03deadfdb2224914f8\",\n \"https://git.kernel.org/stable/c/87978e6ad45a16835cc58234451111091be3c59a\",\n \"https://git.kernel.org/stable/c/e909f5f2aa55a8f9aa6919cce08015cb0e8d4668\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: hda: Do not unset preset when cleaning up codec\\n\\nSeveral functions that take part in codec's initialization and removal\\nare re-used by ASoC codec drivers implementations. Drivers mimic the\\nbehavior of hda_codec_driver_probe/remove() found in\\nsound/pci/hda/hda_bind.c with their component->probe/remove() instead.\\n\\nOne of the reasons for that is the expectation of\\nsnd_hda_codec_device_new() to receive a valid pointer to an instance of\\nstruct snd_card. This expectation can be met only once sound card\\ncomponents probing commences.\\n\\nAs ASoC sound card may be unbound without codec device being actually\\nremoved from the system, unsetting ->preset in\\nsnd_hda_codec_cleanup_for_unbind() interferes with module unload -> load\\nscenario causing null-ptr-deref. Preset is assigned only once, during\\ndevice/driver matching whereas ASoC codec driver's module reloading may\\noccur several times throughout the lifetime of an audio stack.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52736\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52737", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52737" + }, + { + "url": "https://git.kernel.org/stable/c/519b7e13b5ae8dd38da1e52275705343be6bb508" + }, + { + "url": "https://git.kernel.org/stable/c/d8c594da79bc0244e610a70594e824a401802be1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52737 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52737", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: lock the inode in shared mode before starting fiemap\n\nCurrently fiemap does not take the inode's lock (VFS lock), it only locks\na file range in the inode's io tree. This however can lead to a deadlock\nif we have a concurrent fsync on the file and fiemap code triggers a fault\nwhen accessing the user space buffer with fiemap_fill_next_extent(). The\ndeadlock happens on the inode's i_mmap_lock semaphore, which is taken both\nby fsync and btrfs_page_mkwrite(). This deadlock was recently reported by\nsyzbot and triggers a trace like the following:\n\n task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\n schedule+0xcb/0x190 kernel/sched/core.c:6682\n wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]\n wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751\n lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742\n find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488\n writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863\n __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174\n extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091\n extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211\n do_writepages+0x3c3/0x680 mm/page-writeback.c:2581\n filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388\n __filemap_fdatawrite_range mm/filemap.c:421 [inline]\n filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439\n btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline]\n start_ordered_ops fs/btrfs/file.c:1737 [inline]\n btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839\n generic_write_sync include/linux/fs.h:2885 [inline]\n btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684\n call_write_iter include/linux/fs.h:2189 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x7f7d4054e9b9\n RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9\n RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006\n RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69\n R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8\n \n INFO: task syz-executor361:5697 blocked for more than 145 seconds.\n Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\n schedule+0xcb/0x190 kernel/sched/core.c:6682\n rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095\n __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260\n btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526\n do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947\n wp_page_shared+0x15e/0x380 mm/memory.c:3295\n handle_pte_fault mm/memory.c:4949 [inline]\n __handle_mm_fault mm/memory.c:5073 [inline]\n handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219\n do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428\n handle_page_fault arch/x86/mm/fault.c:1519 [inline]\n exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575\n asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570\n RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233\n Code: 74 0a 89 (...)\n RSP: 0018:ffffc9000570f330 EFLAGS: 000502\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52737\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52737\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52737\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52737\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52737\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/519b7e13b5ae8dd38da1e52275705343be6bb508\",\n \"https://git.kernel.org/stable/c/d8c594da79bc0244e610a70594e824a401802be1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: lock the inode in shared mode before starting fiemap\\n\\nCurrently fiemap does not take the inode's lock (VFS lock), it only locks\\na file range in the inode's io tree. This however can lead to a deadlock\\nif we have a concurrent fsync on the file and fiemap code triggers a fault\\nwhen accessing the user space buffer with fiemap_fill_next_extent(). The\\ndeadlock happens on the inode's i_mmap_lock semaphore, which is taken both\\nby fsync and btrfs_page_mkwrite(). This deadlock was recently reported by\\nsyzbot and triggers a trace like the following:\\n\\n task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004\\n Call Trace:\\n \\n context_switch kernel/sched/core.c:5293 [inline]\\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\\n schedule+0xcb/0x190 kernel/sched/core.c:6682\\n wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]\\n wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751\\n lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742\\n find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488\\n writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863\\n __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174\\n extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091\\n extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211\\n do_writepages+0x3c3/0x680 mm/page-writeback.c:2581\\n filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388\\n __filemap_fdatawrite_range mm/filemap.c:421 [inline]\\n filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439\\n btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline]\\n start_ordered_ops fs/btrfs/file.c:1737 [inline]\\n btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839\\n generic_write_sync include/linux/fs.h:2885 [inline]\\n btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684\\n call_write_iter include/linux/fs.h:2189 [inline]\\n new_sync_write fs/read_write.c:491 [inline]\\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\\n ksys_write+0x177/0x2a0 fs/read_write.c:637\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n RIP: 0033:0x7f7d4054e9b9\\n RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\n RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9\\n RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006\\n RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000\\n R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69\\n R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8\\n \\n INFO: task syz-executor361:5697 blocked for more than 145 seconds.\\n Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0\\n \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004\\n Call Trace:\\n \\n context_switch kernel/sched/core.c:5293 [inline]\\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\\n schedule+0xcb/0x190 kernel/sched/core.c:6682\\n rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095\\n __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260\\n btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526\\n do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947\\n wp_page_shared+0x15e/0x380 mm/memory.c:3295\\n handle_pte_fault mm/memory.c:4949 [inline]\\n __handle_mm_fault mm/memory.c:5073 [inline]\\n handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219\\n do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428\\n handle_page_fault arch/x86/mm/fault.c:1519 [inline]\\n exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575\\n asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570\\n RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233\\n Code: 74 0a 89 (...)\\n RSP: 0018:ffffc9000570f330 EFLAGS: 000502\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52737\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52738", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52738" + }, + { + "url": "https://git.kernel.org/stable/c/2bcbbef9cace772f5b7128b11401c515982de34b" + }, + { + "url": "https://git.kernel.org/stable/c/2e557c8ca2c585bdef591b8503ba83b85f5d0afd" + }, + { + "url": "https://git.kernel.org/stable/c/5ad7bbf3dba5c4a684338df1f285080f2588b535" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52738 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52738", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini\n\nCurrently amdgpu calls drm_sched_fini() from the fence driver sw fini\nroutine - such function is expected to be called only after the\nrespective init function - drm_sched_init() - was executed successfully.\n\nHappens that we faced a driver probe failure in the Steam Deck\nrecently, and the function drm_sched_fini() was called even without\nits counter-part had been previously called, causing the following oops:\n\namdgpu: probe of 0000:04:00.0 failed with error -110\nBUG: kernel NULL pointer dereference, address: 0000000000000090\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338\nHardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022\nRIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched]\n[...]\nCall Trace:\n \n amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu]\n amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu]\n amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\n devm_drm_dev_init_release+0x49/0x70\n [...]\n\nTo prevent that, check if the drm_sched was properly initialized for a\ngiven ring before calling its fini counter-part.\n\nNotice ideally we'd use sched.ready for that; such field is set as the latest\nthing on drm_sched_init(). But amdgpu seems to \"override\" the meaning of such\nfield - in the above oops for example, it was a GFX ring causing the crash, and\nthe sched.ready field was set to true in the ring init routine, regardless of\nthe state of the DRM scheduler. Hence, we ended-up using sched.ops as per\nChristian's suggestion [0], and also removed the no_scheduler check [1].\n\n[0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/\n[1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52738\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52738\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52738\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52738\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52738\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2bcbbef9cace772f5b7128b11401c515982de34b\",\n \"https://git.kernel.org/stable/c/2e557c8ca2c585bdef591b8503ba83b85f5d0afd\",\n \"https://git.kernel.org/stable/c/5ad7bbf3dba5c4a684338df1f285080f2588b535\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini\\n\\nCurrently amdgpu calls drm_sched_fini() from the fence driver sw fini\\nroutine - such function is expected to be called only after the\\nrespective init function - drm_sched_init() - was executed successfully.\\n\\nHappens that we faced a driver probe failure in the Steam Deck\\nrecently, and the function drm_sched_fini() was called even without\\nits counter-part had been previously called, causing the following oops:\\n\\namdgpu: probe of 0000:04:00.0 failed with error -110\\nBUG: kernel NULL pointer dereference, address: 0000000000000090\\nPGD 0 P4D 0\\nOops: 0002 [#1] PREEMPT SMP NOPTI\\nCPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338\\nHardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022\\nRIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched]\\n[...]\\nCall Trace:\\n \\n amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu]\\n amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu]\\n amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\\n devm_drm_dev_init_release+0x49/0x70\\n [...]\\n\\nTo prevent that, check if the drm_sched was properly initialized for a\\ngiven ring before calling its fini counter-part.\\n\\nNotice ideally we'd use sched.ready for that; such field is set as the latest\\nthing on drm_sched_init(). But amdgpu seems to \\\"override\\\" the meaning of such\\nfield - in the above oops for example, it was a GFX ring causing the crash, and\\nthe sched.ready field was set to true in the ring init routine, regardless of\\nthe state of the DRM scheduler. Hence, we ended-up using sched.ops as per\\nChristian's suggestion [0], and also removed the no_scheduler check [1].\\n\\n[0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/\\n[1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52738\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52739", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52739" + }, + { + "url": "https://git.kernel.org/stable/c/0a626e27f984dfbe96bd8e4fd08f20a2ede3ea23" + }, + { + "url": "https://git.kernel.org/stable/c/3af734f3eac6f70ef8e272a80da40544b9d0f2b5" + }, + { + "url": "https://git.kernel.org/stable/c/3b4c045a98f53a8890a94bb5846a390c8e39e673" + }, + { + "url": "https://git.kernel.org/stable/c/462a8e08e0e6287e5ce13187257edbf24213ed03" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52739 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52739", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix page corruption caused by racy check in __free_pages\n\nWhen we upgraded our kernel, we started seeing some page corruption like\nthe following consistently:\n\n BUG: Bad page state in process ganesha.nfsd pfn:1304ca\n page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca\n flags: 0x17ffffc0000000()\n raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000\n raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000\n page dumped because: nonzero mapcount\n CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P B O 5.10.158-1.nutanix.20221209.el7.x86_64 #1\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016\n Call Trace:\n dump_stack+0x74/0x96\n bad_page.cold+0x63/0x94\n check_new_page_bad+0x6d/0x80\n rmqueue+0x46e/0x970\n get_page_from_freelist+0xcb/0x3f0\n ? _cond_resched+0x19/0x40\n __alloc_pages_nodemask+0x164/0x300\n alloc_pages_current+0x87/0xf0\n skb_page_frag_refill+0x84/0x110\n ...\n\nSometimes, it would also show up as corruption in the free list pointer\nand cause crashes.\n\nAfter bisecting the issue, we found the issue started from commit\ne320d3012d25 (\"mm/page_alloc.c: fix freeing non-compound pages\"):\n\n\tif (put_page_testzero(page))\n\t\tfree_the_page(page, order);\n\telse if (!PageHead(page))\n\t\twhile (order-- > 0)\n\t\t\tfree_the_page(page + (1 << order), order);\n\nSo the problem is the check PageHead is racy because at this point we\nalready dropped our reference to the page. So even if we came in with\ncompound page, the page can already be freed and PageHead can return\nfalse and we will end up freeing all the tail pages causing double free.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52739\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52739\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52739\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52739\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52739\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a626e27f984dfbe96bd8e4fd08f20a2ede3ea23\",\n \"https://git.kernel.org/stable/c/3af734f3eac6f70ef8e272a80da40544b9d0f2b5\",\n \"https://git.kernel.org/stable/c/3b4c045a98f53a8890a94bb5846a390c8e39e673\",\n \"https://git.kernel.org/stable/c/462a8e08e0e6287e5ce13187257edbf24213ed03\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nFix page corruption caused by racy check in __free_pages\\n\\nWhen we upgraded our kernel, we started seeing some page corruption like\\nthe following consistently:\\n\\n BUG: Bad page state in process ganesha.nfsd pfn:1304ca\\n page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca\\n flags: 0x17ffffc0000000()\\n raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000\\n raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000\\n page dumped because: nonzero mapcount\\n CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P B O 5.10.158-1.nutanix.20221209.el7.x86_64 #1\\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016\\n Call Trace:\\n dump_stack+0x74/0x96\\n bad_page.cold+0x63/0x94\\n check_new_page_bad+0x6d/0x80\\n rmqueue+0x46e/0x970\\n get_page_from_freelist+0xcb/0x3f0\\n ? _cond_resched+0x19/0x40\\n __alloc_pages_nodemask+0x164/0x300\\n alloc_pages_current+0x87/0xf0\\n skb_page_frag_refill+0x84/0x110\\n ...\\n\\nSometimes, it would also show up as corruption in the free list pointer\\nand cause crashes.\\n\\nAfter bisecting the issue, we found the issue started from commit\\ne320d3012d25 (\\\"mm/page_alloc.c: fix freeing non-compound pages\\\"):\\n\\n\\tif (put_page_testzero(page))\\n\\t\\tfree_the_page(page, order);\\n\\telse if (!PageHead(page))\\n\\t\\twhile (order-- > 0)\\n\\t\\t\\tfree_the_page(page + (1 << order), order);\\n\\nSo the problem is the check PageHead is racy because at this point we\\nalready dropped our reference to the page. So even if we came in with\\ncompound page, the page can already be freed and PageHead can return\\nfalse and we will end up freeing all the tail pages causing double free.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52739\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52740", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52740" + }, + { + "url": "https://git.kernel.org/stable/c/2ea31e2e62bbc4d11c411eeb36f1b02841dbcab1" + }, + { + "url": "https://git.kernel.org/stable/c/6f097c24815e67909a1fcc2c605586d02babd673" + }, + { + "url": "https://git.kernel.org/stable/c/86f7e423933608d536015a0f2eb9e0338c1227e0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52740 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52740", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch\n\nThe RFI and STF security mitigation options can flip the\ninterrupt_exit_not_reentrant static branch condition concurrently with\nthe interrupt exit code which tests that branch.\n\nInterrupt exit tests this condition to set MSR[EE|RI] for exit, then\nagain in the case a soft-masked interrupt is found pending, to recover\nthe MSR so the interrupt can be replayed before attempting to exit\nagain. If the condition changes between these two tests, the MSR and irq\nsoft-mask state will become corrupted, leading to warnings and possible\ncrashes. For example, if the branch is initially true then false,\nMSR[EE] will be 0 but PACA_IRQ_HARD_DIS clear and EE may not get\nenabled, leading to warnings in irq_64.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52740\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52740\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52740\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52740\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52740\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ea31e2e62bbc4d11c411eeb36f1b02841dbcab1\",\n \"https://git.kernel.org/stable/c/6f097c24815e67909a1fcc2c605586d02babd673\",\n \"https://git.kernel.org/stable/c/86f7e423933608d536015a0f2eb9e0338c1227e0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch\\n\\nThe RFI and STF security mitigation options can flip the\\ninterrupt_exit_not_reentrant static branch condition concurrently with\\nthe interrupt exit code which tests that branch.\\n\\nInterrupt exit tests this condition to set MSR[EE|RI] for exit, then\\nagain in the case a soft-masked interrupt is found pending, to recover\\nthe MSR so the interrupt can be replayed before attempting to exit\\nagain. If the condition changes between these two tests, the MSR and irq\\nsoft-mask state will become corrupted, leading to warnings and possible\\ncrashes. For example, if the branch is initially true then false,\\nMSR[EE] will be 0 but PACA_IRQ_HARD_DIS clear and EE may not get\\nenabled, leading to warnings in irq_64.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52740\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52741", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52741" + }, + { + "url": "https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0" + }, + { + "url": "https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e" + }, + { + "url": "https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211" + }, + { + "url": "https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52741 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52741", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix use-after-free in rdata->read_into_pages()\n\nWhen the network status is unstable, use-after-free may occur when\nread data from the server.\n\n BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0\n\n Call Trace:\n \n dump_stack_lvl+0x38/0x4c\n print_report+0x16f/0x4a6\n kasan_report+0xb7/0x130\n readpages_fill_pages+0x14c/0x7e0\n cifs_readv_receive+0x46d/0xa40\n cifs_demultiplex_thread+0x121c/0x1490\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n \n\n Allocated by task 2535:\n kasan_save_stack+0x22/0x50\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x82/0x90\n cifs_readdata_direct_alloc+0x2c/0x110\n cifs_readdata_alloc+0x2d/0x60\n cifs_readahead+0x393/0xfe0\n read_pages+0x12f/0x470\n page_cache_ra_unbounded+0x1b1/0x240\n filemap_get_pages+0x1c8/0x9a0\n filemap_read+0x1c0/0x540\n cifs_strict_readv+0x21b/0x240\n vfs_read+0x395/0x4b0\n ksys_read+0xb8/0x150\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\n Freed by task 79:\n kasan_save_stack+0x22/0x50\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2e/0x50\n __kasan_slab_free+0x10e/0x1a0\n __kmem_cache_free+0x7a/0x1a0\n cifs_readdata_release+0x49/0x60\n process_one_work+0x46c/0x760\n worker_thread+0x2a4/0x6f0\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n\n Last potentially related work creation:\n kasan_save_stack+0x22/0x50\n __kasan_record_aux_stack+0x95/0xb0\n insert_work+0x2b/0x130\n __queue_work+0x1fe/0x660\n queue_work_on+0x4b/0x60\n smb2_readv_callback+0x396/0x800\n cifs_abort_connection+0x474/0x6a0\n cifs_reconnect+0x5cb/0xa50\n cifs_readv_from_socket.cold+0x22/0x6c\n cifs_read_page_from_socket+0xc1/0x100\n readpages_fill_pages.cold+0x2f/0x46\n cifs_readv_receive+0x46d/0xa40\n cifs_demultiplex_thread+0x121c/0x1490\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n\nThe following function calls will cause UAF of the rdata pointer.\n\nreadpages_fill_pages\n cifs_read_page_from_socket\n cifs_readv_from_socket\n cifs_reconnect\n __cifs_reconnect\n cifs_abort_connection\n mid->callback() --> smb2_readv_callback\n queue_work(&rdata->work) # if the worker completes first,\n # the rdata is freed\n cifs_readv_complete\n kref_put\n cifs_readdata_release\n kfree(rdata)\n return rdata->... # UAF in readpages_fill_pages()\n\nSimilarly, this problem also occurs in the uncache_fill_pages().\n\nFix this by adjusts the order of condition judgment in the return\nstatement.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52741\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52741\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52741\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52741\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52741\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0\",\n \"https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e\",\n \"https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211\",\n \"https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncifs: Fix use-after-free in rdata->read_into_pages()\\n\\nWhen the network status is unstable, use-after-free may occur when\\nread data from the server.\\n\\n BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0\\n\\n Call Trace:\\n \\n dump_stack_lvl+0x38/0x4c\\n print_report+0x16f/0x4a6\\n kasan_report+0xb7/0x130\\n readpages_fill_pages+0x14c/0x7e0\\n cifs_readv_receive+0x46d/0xa40\\n cifs_demultiplex_thread+0x121c/0x1490\\n kthread+0x16b/0x1a0\\n ret_from_fork+0x2c/0x50\\n \\n\\n Allocated by task 2535:\\n kasan_save_stack+0x22/0x50\\n kasan_set_track+0x25/0x30\\n __kasan_kmalloc+0x82/0x90\\n cifs_readdata_direct_alloc+0x2c/0x110\\n cifs_readdata_alloc+0x2d/0x60\\n cifs_readahead+0x393/0xfe0\\n read_pages+0x12f/0x470\\n page_cache_ra_unbounded+0x1b1/0x240\\n filemap_get_pages+0x1c8/0x9a0\\n filemap_read+0x1c0/0x540\\n cifs_strict_readv+0x21b/0x240\\n vfs_read+0x395/0x4b0\\n ksys_read+0xb8/0x150\\n do_syscall_64+0x3f/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\n\\n Freed by task 79:\\n kasan_save_stack+0x22/0x50\\n kasan_set_track+0x25/0x30\\n kasan_save_free_info+0x2e/0x50\\n __kasan_slab_free+0x10e/0x1a0\\n __kmem_cache_free+0x7a/0x1a0\\n cifs_readdata_release+0x49/0x60\\n process_one_work+0x46c/0x760\\n worker_thread+0x2a4/0x6f0\\n kthread+0x16b/0x1a0\\n ret_from_fork+0x2c/0x50\\n\\n Last potentially related work creation:\\n kasan_save_stack+0x22/0x50\\n __kasan_record_aux_stack+0x95/0xb0\\n insert_work+0x2b/0x130\\n __queue_work+0x1fe/0x660\\n queue_work_on+0x4b/0x60\\n smb2_readv_callback+0x396/0x800\\n cifs_abort_connection+0x474/0x6a0\\n cifs_reconnect+0x5cb/0xa50\\n cifs_readv_from_socket.cold+0x22/0x6c\\n cifs_read_page_from_socket+0xc1/0x100\\n readpages_fill_pages.cold+0x2f/0x46\\n cifs_readv_receive+0x46d/0xa40\\n cifs_demultiplex_thread+0x121c/0x1490\\n kthread+0x16b/0x1a0\\n ret_from_fork+0x2c/0x50\\n\\nThe following function calls will cause UAF of the rdata pointer.\\n\\nreadpages_fill_pages\\n cifs_read_page_from_socket\\n cifs_readv_from_socket\\n cifs_reconnect\\n __cifs_reconnect\\n cifs_abort_connection\\n mid->callback() --> smb2_readv_callback\\n queue_work(&rdata->work) # if the worker completes first,\\n # the rdata is freed\\n cifs_readv_complete\\n kref_put\\n cifs_readdata_release\\n kfree(rdata)\\n return rdata->... # UAF in readpages_fill_pages()\\n\\nSimilarly, this problem also occurs in the uncache_fill_pages().\\n\\nFix this by adjusts the order of condition judgment in the return\\nstatement.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52741\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52742", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52742" + }, + { + "url": "https://git.kernel.org/stable/c/0d2cf3fae701646061e295815bb7588d2f3671cc" + }, + { + "url": "https://git.kernel.org/stable/c/1be271c52bf3554edcb8d124d1f8c7f777ee5727" + }, + { + "url": "https://git.kernel.org/stable/c/25141fb4119112f4ebf8f00cf52014abbc8020b1" + }, + { + "url": "https://git.kernel.org/stable/c/43379fcacea2dcee35d02efc9c8fe97807a503c9" + }, + { + "url": "https://git.kernel.org/stable/c/6f69307f625904feed189008381fd83bd1a35b63" + }, + { + "url": "https://git.kernel.org/stable/c/811d581194f7412eda97acc03d17fc77824b561f" + }, + { + "url": "https://git.kernel.org/stable/c/f0ad46ef772438c0596df370450d8bdc8a12dbfb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52742 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52742", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: USB: Fix wrong-direction WARNING in plusb.c\n\nThe syzbot fuzzer detected a bug in the plusb network driver: A\nzero-length control-OUT transfer was treated as a read instead of a\nwrite. In modern kernels this error provokes a WARNING:\n\nusb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0\nWARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411\nusb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nModules linked in:\nCPU: 1 PID: 4645 Comm: dhcpcd Not tainted\n6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n01/12/2023\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\n...\nCall Trace:\n \n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\n __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010\n usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068\n pl_vendor_req drivers/net/usb/plusb.c:60 [inline]\n pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline]\n pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85\n usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889\n __dev_open+0x297/0x4d0 net/core/dev.c:1417\n __dev_change_flags+0x587/0x750 net/core/dev.c:8530\n dev_change_flags+0x97/0x170 net/core/dev.c:8602\n devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147\n inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979\n sock_do_ioctl+0xcc/0x230 net/socket.c:1169\n sock_ioctl+0x1f8/0x680 net/socket.c:1286\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and\nremove the USB_DIR_IN flag.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52742\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52742\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52742\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52742\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52742\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d2cf3fae701646061e295815bb7588d2f3671cc\",\n \"https://git.kernel.org/stable/c/1be271c52bf3554edcb8d124d1f8c7f777ee5727\",\n \"https://git.kernel.org/stable/c/25141fb4119112f4ebf8f00cf52014abbc8020b1\",\n \"https://git.kernel.org/stable/c/43379fcacea2dcee35d02efc9c8fe97807a503c9\",\n \"https://git.kernel.org/stable/c/6f69307f625904feed189008381fd83bd1a35b63\",\n \"https://git.kernel.org/stable/c/811d581194f7412eda97acc03d17fc77824b561f\",\n \"https://git.kernel.org/stable/c/f0ad46ef772438c0596df370450d8bdc8a12dbfb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: USB: Fix wrong-direction WARNING in plusb.c\\n\\nThe syzbot fuzzer detected a bug in the plusb network driver: A\\nzero-length control-OUT transfer was treated as a read instead of a\\nwrite. In modern kernels this error provokes a WARNING:\\n\\nusb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0\\nWARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411\\nusb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\\nModules linked in:\\nCPU: 1 PID: 4645 Comm: dhcpcd Not tainted\\n6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\\n01/12/2023\\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\\n...\\nCall Trace:\\n \\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\\n __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010\\n usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068\\n pl_vendor_req drivers/net/usb/plusb.c:60 [inline]\\n pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline]\\n pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85\\n usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889\\n __dev_open+0x297/0x4d0 net/core/dev.c:1417\\n __dev_change_flags+0x587/0x750 net/core/dev.c:8530\\n dev_change_flags+0x97/0x170 net/core/dev.c:8602\\n devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147\\n inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979\\n sock_do_ioctl+0xcc/0x230 net/socket.c:1169\\n sock_ioctl+0x1f8/0x680 net/socket.c:1286\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:870 [inline]\\n __se_sys_ioctl fs/ioctl.c:856 [inline]\\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nThe fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and\\nremove the USB_DIR_IN flag.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52742\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52743", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52743" + }, + { + "url": "https://git.kernel.org/stable/c/1ad4112c9fcf0bc08222b2b1614fba52ffd12255" + }, + { + "url": "https://git.kernel.org/stable/c/4d159f7884f78b1aacb99b4fc37d1e3cb1194e39" + }, + { + "url": "https://git.kernel.org/stable/c/87a5e3fc8416106e290c448fc8a6dd50ab24c634" + }, + { + "url": "https://git.kernel.org/stable/c/ca834a017851c50464c25a85f3cb2daefff7bede" + }, + { + "url": "https://git.kernel.org/stable/c/df59e05401450973c8c7e96fd74b49e24442dc1f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52743 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52743", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nWhen both ice and the irdma driver are loaded, a warning in\ncheck_flush_dependency is being triggered. This is due to ice driver\nworkqueue being allocated with the WQ_MEM_RECLAIM flag and the irdma one\nis not.\n\nAccording to kernel documentation, this flag should be set if the\nworkqueue will be involved in the kernel's memory reclamation flow.\nSince it is not, there is no need for the ice driver's WQ to have this\nflag set so remove it.\n\nExample trace:\n\n[ +0.000004] workqueue: WQ_MEM_RECLAIM ice:ice_service_task [ice] is flushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000139] WARNING: CPU: 0 PID: 728 at kernel/workqueue.c:2632 check_flush_dependency+0x178/0x1a0\n[ +0.000011] Modules linked in: bonding tls xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_cha\nin_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rfkill vfat fat intel_rapl_msr intel\n_rapl_common isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct1\n0dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_\ncore_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_cm iw_cm iTCO_wdt iTCO_vendor_support ipmi_ssif irdma mei_me ib_uverbs\nib_core intel_uncore joydev pcspkr i2c_i801 acpi_ipmi mei lpc_ich i2c_smbus intel_pch_thermal ioatdma ipmi_si acpi_power_meter\nacpi_pad xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ahci ixgbe libahci ice i40e igb crc32c_intel mdio i2c_algo_bit liba\nta dca wmi dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ +0.000161] [last unloaded: bonding]\n[ +0.000006] CPU: 0 PID: 728 Comm: kworker/0:2 Tainted: G S 6.2.0-rc2_next-queue-13jan-00458-gc20aabd57164 #1\n[ +0.000006] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020\n[ +0.000003] Workqueue: ice ice_service_task [ice]\n[ +0.000127] RIP: 0010:check_flush_dependency+0x178/0x1a0\n[ +0.000005] Code: 89 8e 02 01 e8 49 3d 40 00 49 8b 55 18 48 8d 8d d0 00 00 00 48 8d b3 d0 00 00 00 4d 89 e0 48 c7 c7 e0 3b 08\n9f e8 bb d3 07 01 <0f> 0b e9 be fe ff ff 80 3d 24 89 8e 02 00 0f 85 6b ff ff ff e9 06\n[ +0.000004] RSP: 0018:ffff88810a39f990 EFLAGS: 00010282\n[ +0.000005] RAX: 0000000000000000 RBX: ffff888141bc2400 RCX: 0000000000000000\n[ +0.000004] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffa1213a80\n[ +0.000003] RBP: ffff888194bf3400 R08: ffffed117b306112 R09: ffffed117b306112\n[ +0.000003] R10: ffff888bd983088b R11: ffffed117b306111 R12: 0000000000000000\n[ +0.000003] R13: ffff888111f84d00 R14: ffff88810a3943ac R15: ffff888194bf3400\n[ +0.000004] FS: 0000000000000000(0000) GS:ffff888bd9800000(0000) knlGS:0000000000000000\n[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000003] CR2: 000056035b208b60 CR3: 000000017795e005 CR4: 00000000007706f0\n[ +0.000003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ +0.000003] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ +0.000002] PKRU: 55555554\n[ +0.000003] Call Trace:\n[ +0.000002] \n[ +0.000003] __flush_workqueue+0x203/0x840\n[ +0.000006] ? mutex_unlock+0x84/0xd0\n[ +0.000008] ? __pfx_mutex_unlock+0x10/0x10\n[ +0.000004] ? __pfx___flush_workqueue+0x10/0x10\n[ +0.000006] ? mutex_lock+0xa3/0xf0\n[ +0.000005] ib_cache_cleanup_one+0x39/0x190 [ib_core]\n[ +0.000174] __ib_unregister_device+0x84/0xf0 [ib_core]\n[ +0.000094] ib_unregister_device+0x25/0x30 [ib_core]\n[ +0.000093] irdma_ib_unregister_device+0x97/0xc0 [irdma]\n[ +0.000064] ? __pfx_irdma_ib_unregister_device+0x10/0x10 [irdma]\n[ +0.000059] ? up_write+0x5c/0x90\n[ +0.000005] irdma_remove+0x36/0x90 [irdma]\n[ +0.000062] auxiliary_bus_remove+0x32/0x50\n[ +0.000007] device_r\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52743\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52743\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52743\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52743\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52743\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ad4112c9fcf0bc08222b2b1614fba52ffd12255\",\n \"https://git.kernel.org/stable/c/4d159f7884f78b1aacb99b4fc37d1e3cb1194e39\",\n \"https://git.kernel.org/stable/c/87a5e3fc8416106e290c448fc8a6dd50ab24c634\",\n \"https://git.kernel.org/stable/c/ca834a017851c50464c25a85f3cb2daefff7bede\",\n \"https://git.kernel.org/stable/c/df59e05401450973c8c7e96fd74b49e24442dc1f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: Do not use WQ_MEM_RECLAIM flag for workqueue\\n\\nWhen both ice and the irdma driver are loaded, a warning in\\ncheck_flush_dependency is being triggered. This is due to ice driver\\nworkqueue being allocated with the WQ_MEM_RECLAIM flag and the irdma one\\nis not.\\n\\nAccording to kernel documentation, this flag should be set if the\\nworkqueue will be involved in the kernel's memory reclamation flow.\\nSince it is not, there is no need for the ice driver's WQ to have this\\nflag set so remove it.\\n\\nExample trace:\\n\\n[ +0.000004] workqueue: WQ_MEM_RECLAIM ice:ice_service_task [ice] is flushing !WQ_MEM_RECLAIM infiniband:0x0\\n[ +0.000139] WARNING: CPU: 0 PID: 728 at kernel/workqueue.c:2632 check_flush_dependency+0x178/0x1a0\\n[ +0.000011] Modules linked in: bonding tls xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_cha\\nin_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rfkill vfat fat intel_rapl_msr intel\\n_rapl_common isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct1\\n0dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_\\ncore_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_cm iw_cm iTCO_wdt iTCO_vendor_support ipmi_ssif irdma mei_me ib_uverbs\\nib_core intel_uncore joydev pcspkr i2c_i801 acpi_ipmi mei lpc_ich i2c_smbus intel_pch_thermal ioatdma ipmi_si acpi_power_meter\\nacpi_pad xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ahci ixgbe libahci ice i40e igb crc32c_intel mdio i2c_algo_bit liba\\nta dca wmi dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\\n[ +0.000161] [last unloaded: bonding]\\n[ +0.000006] CPU: 0 PID: 728 Comm: kworker/0:2 Tainted: G S 6.2.0-rc2_next-queue-13jan-00458-gc20aabd57164 #1\\n[ +0.000006] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020\\n[ +0.000003] Workqueue: ice ice_service_task [ice]\\n[ +0.000127] RIP: 0010:check_flush_dependency+0x178/0x1a0\\n[ +0.000005] Code: 89 8e 02 01 e8 49 3d 40 00 49 8b 55 18 48 8d 8d d0 00 00 00 48 8d b3 d0 00 00 00 4d 89 e0 48 c7 c7 e0 3b 08\\n9f e8 bb d3 07 01 <0f> 0b e9 be fe ff ff 80 3d 24 89 8e 02 00 0f 85 6b ff ff ff e9 06\\n[ +0.000004] RSP: 0018:ffff88810a39f990 EFLAGS: 00010282\\n[ +0.000005] RAX: 0000000000000000 RBX: ffff888141bc2400 RCX: 0000000000000000\\n[ +0.000004] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffa1213a80\\n[ +0.000003] RBP: ffff888194bf3400 R08: ffffed117b306112 R09: ffffed117b306112\\n[ +0.000003] R10: ffff888bd983088b R11: ffffed117b306111 R12: 0000000000000000\\n[ +0.000003] R13: ffff888111f84d00 R14: ffff88810a3943ac R15: ffff888194bf3400\\n[ +0.000004] FS: 0000000000000000(0000) GS:ffff888bd9800000(0000) knlGS:0000000000000000\\n[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ +0.000003] CR2: 000056035b208b60 CR3: 000000017795e005 CR4: 00000000007706f0\\n[ +0.000003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ +0.000003] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ +0.000002] PKRU: 55555554\\n[ +0.000003] Call Trace:\\n[ +0.000002] \\n[ +0.000003] __flush_workqueue+0x203/0x840\\n[ +0.000006] ? mutex_unlock+0x84/0xd0\\n[ +0.000008] ? __pfx_mutex_unlock+0x10/0x10\\n[ +0.000004] ? __pfx___flush_workqueue+0x10/0x10\\n[ +0.000006] ? mutex_lock+0xa3/0xf0\\n[ +0.000005] ib_cache_cleanup_one+0x39/0x190 [ib_core]\\n[ +0.000174] __ib_unregister_device+0x84/0xf0 [ib_core]\\n[ +0.000094] ib_unregister_device+0x25/0x30 [ib_core]\\n[ +0.000093] irdma_ib_unregister_device+0x97/0xc0 [irdma]\\n[ +0.000064] ? __pfx_irdma_ib_unregister_device+0x10/0x10 [irdma]\\n[ +0.000059] ? up_write+0x5c/0x90\\n[ +0.000005] irdma_remove+0x36/0x90 [irdma]\\n[ +0.000062] auxiliary_bus_remove+0x32/0x50\\n[ +0.000007] device_r\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52743\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52744", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52744" + }, + { + "url": "https://git.kernel.org/stable/c/360682fe7df262d94fae54f737c487bec0f9190d" + }, + { + "url": "https://git.kernel.org/stable/c/5d9745cead1f121974322b94ceadfb4d1e67960e" + }, + { + "url": "https://git.kernel.org/stable/c/8f5fe1cd8e6a97f94840b55f59ed08cbc397086f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52744 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52744", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix potential NULL-ptr-dereference\n\nin_dev_get() can return NULL which will cause a failure once idev is\ndereferenced in in_dev_for_each_ifa_rtnl(). This patch adds a\ncheck for NULL value in idev beforehand.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52744\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52744\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52744\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52744\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52744\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/360682fe7df262d94fae54f737c487bec0f9190d\",\n \"https://git.kernel.org/stable/c/5d9745cead1f121974322b94ceadfb4d1e67960e\",\n \"https://git.kernel.org/stable/c/8f5fe1cd8e6a97f94840b55f59ed08cbc397086f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/irdma: Fix potential NULL-ptr-dereference\\n\\nin_dev_get() can return NULL which will cause a failure once idev is\\ndereferenced in in_dev_for_each_ifa_rtnl(). This patch adds a\\ncheck for NULL value in idev beforehand.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52744\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52745", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52745" + }, + { + "url": "https://git.kernel.org/stable/c/1b4ef90cbcfa603b3bb536fbd6f261197012b6f6" + }, + { + "url": "https://git.kernel.org/stable/c/4a779187db39b2f32d048a752573e56e4e77807f" + }, + { + "url": "https://git.kernel.org/stable/c/7197460dcd43ff0e4a502ba855dd82d37c2848cc" + }, + { + "url": "https://git.kernel.org/stable/c/b1afb666c32931667c15ad1b58e7203f0119dcaf" + }, + { + "url": "https://git.kernel.org/stable/c/e632291a2dbce45a24cddeb5fe28fe71d724ba43" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52745 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52745", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/IPoIB: Fix legacy IPoIB due to wrong number of queues\n\nThe cited commit creates child PKEY interfaces over netlink will\nmultiple tx and rx queues, but some devices doesn't support more than 1\ntx and 1 rx queues. This causes to a crash when traffic is sent over the\nPKEY interface due to the parent having a single queue but the child\nhaving multiple queues.\n\nThis patch fixes the number of queues to 1 for legacy IPoIB at the\nearliest possible point in time.\n\nBUG: kernel NULL pointer dereference, address: 000000000000036b\nPGD 0 P4D 0\nOops: 0000 [#1] SMP\nCPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:kmem_cache_alloc+0xcb/0x450\nCode: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a\n01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b\nRSP: 0018:ffff88822acbbab8 EFLAGS: 00010202\nRAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae\nRDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00\nRBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40\nR10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000\nR13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000\nFS: 00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n skb_clone+0x55/0xd0\n ip6_finish_output2+0x3fe/0x690\n ip6_finish_output+0xfa/0x310\n ip6_send_skb+0x1e/0x60\n udp_v6_send_skb+0x1e5/0x420\n udpv6_sendmsg+0xb3c/0xe60\n ? ip_mc_finish_output+0x180/0x180\n ? __switch_to_asm+0x3a/0x60\n ? __switch_to_asm+0x34/0x60\n sock_sendmsg+0x33/0x40\n __sys_sendto+0x103/0x160\n ? _copy_to_user+0x21/0x30\n ? kvm_clock_get_cycles+0xd/0x10\n ? ktime_get_ts64+0x49/0xe0\n __x64_sys_sendto+0x25/0x30\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f9374f1ed14\nCode: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b\n7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b\nRSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14\nRDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030\nRBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\nR13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52745\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52745\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52745\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52745\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52745\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b4ef90cbcfa603b3bb536fbd6f261197012b6f6\",\n \"https://git.kernel.org/stable/c/4a779187db39b2f32d048a752573e56e4e77807f\",\n \"https://git.kernel.org/stable/c/7197460dcd43ff0e4a502ba855dd82d37c2848cc\",\n \"https://git.kernel.org/stable/c/b1afb666c32931667c15ad1b58e7203f0119dcaf\",\n \"https://git.kernel.org/stable/c/e632291a2dbce45a24cddeb5fe28fe71d724ba43\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/IPoIB: Fix legacy IPoIB due to wrong number of queues\\n\\nThe cited commit creates child PKEY interfaces over netlink will\\nmultiple tx and rx queues, but some devices doesn't support more than 1\\ntx and 1 rx queues. This causes to a crash when traffic is sent over the\\nPKEY interface due to the parent having a single queue but the child\\nhaving multiple queues.\\n\\nThis patch fixes the number of queues to 1 for legacy IPoIB at the\\nearliest possible point in time.\\n\\nBUG: kernel NULL pointer dereference, address: 000000000000036b\\nPGD 0 P4D 0\\nOops: 0000 [#1] SMP\\nCPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\nRIP: 0010:kmem_cache_alloc+0xcb/0x450\\nCode: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a\\n01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b\\nRSP: 0018:ffff88822acbbab8 EFLAGS: 00010202\\nRAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae\\nRDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00\\nRBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40\\nR10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000\\nR13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000\\nFS: 00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n skb_clone+0x55/0xd0\\n ip6_finish_output2+0x3fe/0x690\\n ip6_finish_output+0xfa/0x310\\n ip6_send_skb+0x1e/0x60\\n udp_v6_send_skb+0x1e5/0x420\\n udpv6_sendmsg+0xb3c/0xe60\\n ? ip_mc_finish_output+0x180/0x180\\n ? __switch_to_asm+0x3a/0x60\\n ? __switch_to_asm+0x34/0x60\\n sock_sendmsg+0x33/0x40\\n __sys_sendto+0x103/0x160\\n ? _copy_to_user+0x21/0x30\\n ? kvm_clock_get_cycles+0xd/0x10\\n ? ktime_get_ts64+0x49/0xe0\\n __x64_sys_sendto+0x25/0x30\\n do_syscall_64+0x3d/0x90\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\\nRIP: 0033:0x7f9374f1ed14\\nCode: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b\\n7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b\\nRSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\\nRAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14\\nRDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030\\nRBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c\\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\\nR13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52745\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52746", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52746" + }, + { + "url": "https://git.kernel.org/stable/c/419674224390fca298020fc0751a20812f84b12d" + }, + { + "url": "https://git.kernel.org/stable/c/5dc688fae6b7be9dbbf5304a3d2520d038e06db5" + }, + { + "url": "https://git.kernel.org/stable/c/a893cc644812728e86e9aff517fd5698812ecef0" + }, + { + "url": "https://git.kernel.org/stable/c/b6ee896385380aa621102e8ea402ba12db1cabff" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52746 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52746", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()\n\n int type = nla_type(nla);\n\n if (type > XFRMA_MAX) {\n return -EOPNOTSUPP;\n }\n\n@type is then used as an array index and can be used\nas a Spectre v1 gadget.\n\n if (nla_len(nla) < compat_policy[type].len) {\n\narray_index_nospec() can be used to prevent leaking\ncontent of kernel memory to malicious users.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52746\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52746\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52746\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52746\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52746\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/419674224390fca298020fc0751a20812f84b12d\",\n \"https://git.kernel.org/stable/c/5dc688fae6b7be9dbbf5304a3d2520d038e06db5\",\n \"https://git.kernel.org/stable/c/a893cc644812728e86e9aff517fd5698812ecef0\",\n \"https://git.kernel.org/stable/c/b6ee896385380aa621102e8ea402ba12db1cabff\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()\\n\\n int type = nla_type(nla);\\n\\n if (type > XFRMA_MAX) {\\n return -EOPNOTSUPP;\\n }\\n\\n@type is then used as an array index and can be used\\nas a Spectre v1 gadget.\\n\\n if (nla_len(nla) < compat_policy[type].len) {\\n\\narray_index_nospec() can be used to prevent leaking\\ncontent of kernel memory to malicious users.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52746\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52747", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52747" + }, + { + "url": "https://git.kernel.org/stable/c/00d9e212b8a39e6ffcf31b9d2e503d2bf6009d45" + }, + { + "url": "https://git.kernel.org/stable/c/0a4f811f2e5d07bbd0c9226f4afb0a1270a831ae" + }, + { + "url": "https://git.kernel.org/stable/c/6601fc0d15ffc20654e39486f9bef35567106d68" + }, + { + "url": "https://git.kernel.org/stable/c/7896accedf5bf1277d2f305718e36dc8bac7e321" + }, + { + "url": "https://git.kernel.org/stable/c/79b595d9591426156a9e0635a5b5115508a36fef" + }, + { + "url": "https://git.kernel.org/stable/c/9bae58d58b6bb73b572356b31a62d2afc7378d12" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52747 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52747", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Restore allocated resources on failed copyout\n\nFix a resource leak if an error occurs.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52747\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52747\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52747\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52747\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52747\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00d9e212b8a39e6ffcf31b9d2e503d2bf6009d45\",\n \"https://git.kernel.org/stable/c/0a4f811f2e5d07bbd0c9226f4afb0a1270a831ae\",\n \"https://git.kernel.org/stable/c/6601fc0d15ffc20654e39486f9bef35567106d68\",\n \"https://git.kernel.org/stable/c/7896accedf5bf1277d2f305718e36dc8bac7e321\",\n \"https://git.kernel.org/stable/c/79b595d9591426156a9e0635a5b5115508a36fef\",\n \"https://git.kernel.org/stable/c/9bae58d58b6bb73b572356b31a62d2afc7378d12\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/hfi1: Restore allocated resources on failed copyout\\n\\nFix a resource leak if an error occurs.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52747\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52748", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52748" + }, + { + "url": "https://git.kernel.org/stable/c/3eebe636cac53886bd5d1cdd55e082ec9e84983f" + }, + { + "url": "https://git.kernel.org/stable/c/526dd7540a09ecf87b5f54f3ab4e0a2528f25a79" + }, + { + "url": "https://git.kernel.org/stable/c/6fca08fd3085253b48fcb1bd243a0a5e18821a00" + }, + { + "url": "https://git.kernel.org/stable/c/c041f5ddef00c731c541e00bc8ae97b8c84c682f" + }, + { + "url": "https://git.kernel.org/stable/c/e0d4e8acb3789c5a8651061fbab62ca24a45c063" + }, + { + "url": "https://git.kernel.org/stable/c/e4088d7d8f1123006d46a42edf51b8c960a58ef9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52748 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52748", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: avoid format-overflow warning\n\nWith gcc and W=1 option, there's a warning like this:\n\nfs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:\nfs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between\n1 and 7 bytes into a region of size between 5 and 8\n[-Werror=format-overflow=]\n 1984 | sprintf(slab_name, \"f2fs_page_array_entry-%u:%u\", MAJOR(dev),\n\t\tMINOR(dev));\n | ^~\n\nString \"f2fs_page_array_entry-%u:%u\" can up to 35. The first \"%u\" can up\nto 4 and the second \"%u\" can up to 7, so total size is \"24 + 4 + 7 = 35\".\nslab_name's size should be 35 rather than 32.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52748\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52748\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52748\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52748\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52748\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3eebe636cac53886bd5d1cdd55e082ec9e84983f\",\n \"https://git.kernel.org/stable/c/526dd7540a09ecf87b5f54f3ab4e0a2528f25a79\",\n \"https://git.kernel.org/stable/c/6fca08fd3085253b48fcb1bd243a0a5e18821a00\",\n \"https://git.kernel.org/stable/c/c041f5ddef00c731c541e00bc8ae97b8c84c682f\",\n \"https://git.kernel.org/stable/c/e0d4e8acb3789c5a8651061fbab62ca24a45c063\",\n \"https://git.kernel.org/stable/c/e4088d7d8f1123006d46a42edf51b8c960a58ef9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: avoid format-overflow warning\\n\\nWith gcc and W=1 option, there's a warning like this:\\n\\nfs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:\\nfs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between\\n1 and 7 bytes into a region of size between 5 and 8\\n[-Werror=format-overflow=]\\n 1984 | sprintf(slab_name, \\\"f2fs_page_array_entry-%u:%u\\\", MAJOR(dev),\\n\\t\\tMINOR(dev));\\n | ^~\\n\\nString \\\"f2fs_page_array_entry-%u:%u\\\" can up to 35. The first \\\"%u\\\" can up\\nto 4 and the second \\\"%u\\\" can up to 7, so total size is \\\"24 + 4 + 7 = 35\\\".\\nslab_name's size should be 35 rather than 32.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52748\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52749", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52749" + }, + { + "url": "https://git.kernel.org/stable/c/4ec4508db97502a12daee88c74782e8d35ced068" + }, + { + "url": "https://git.kernel.org/stable/c/96474ea47dc67b0704392d59192b233c8197db0e" + }, + { + "url": "https://git.kernel.org/stable/c/bef4a48f4ef798c4feddf045d49e53c8a97d5e37" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52749 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52749", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix null dereference on suspend\n\nA race condition exists where a synchronous (noqueue) transfer can be\nactive during a system suspend. This can cause a null pointer\ndereference exception to occur when the system resumes.\n\nExample order of events leading to the exception:\n1. spi_sync() calls __spi_transfer_message_noqueue() which sets\n ctlr->cur_msg\n2. Spi transfer begins via spi_transfer_one_message()\n3. System is suspended interrupting the transfer context\n4. System is resumed\n6. spi_controller_resume() calls spi_start_queue() which resets cur_msg\n to NULL\n7. Spi transfer context resumes and spi_finalize_current_message() is\n called which dereferences cur_msg (which is now NULL)\n\nWait for synchronous transfers to complete before suspending by\nacquiring the bus mutex and setting/checking a suspend flag.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52749\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52749\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52749\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52749\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52749\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4ec4508db97502a12daee88c74782e8d35ced068\",\n \"https://git.kernel.org/stable/c/96474ea47dc67b0704392d59192b233c8197db0e\",\n \"https://git.kernel.org/stable/c/bef4a48f4ef798c4feddf045d49e53c8a97d5e37\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspi: Fix null dereference on suspend\\n\\nA race condition exists where a synchronous (noqueue) transfer can be\\nactive during a system suspend. This can cause a null pointer\\ndereference exception to occur when the system resumes.\\n\\nExample order of events leading to the exception:\\n1. spi_sync() calls __spi_transfer_message_noqueue() which sets\\n ctlr->cur_msg\\n2. Spi transfer begins via spi_transfer_one_message()\\n3. System is suspended interrupting the transfer context\\n4. System is resumed\\n6. spi_controller_resume() calls spi_start_queue() which resets cur_msg\\n to NULL\\n7. Spi transfer context resumes and spi_finalize_current_message() is\\n called which dereferences cur_msg (which is now NULL)\\n\\nWait for synchronous transfers to complete before suspending by\\nacquiring the bus mutex and setting/checking a suspend flag.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52749\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52750", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52750" + }, + { + "url": "https://git.kernel.org/stable/c/146a15b873353f8ac28dc281c139ff611a3c4848" + }, + { + "url": "https://git.kernel.org/stable/c/69e619d2fd056fe1f5d0adf01584f2da669e0d28" + }, + { + "url": "https://git.kernel.org/stable/c/936c9c10efaefaf1ab3ef020e1f8aaaaff1ad2f9" + }, + { + "url": "https://git.kernel.org/stable/c/bd31e534721ab95ef237020fe6995c899ffdf21a" + }, + { + "url": "https://git.kernel.org/stable/c/d08a1e75253b4e19ae290b1c35349f12cfcebc0a" + }, + { + "url": "https://git.kernel.org/stable/c/ef0224ee5399ea8a46bc07dc6c6494961ed5fdd2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52750 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52750", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer\n\nPrior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly\nbyte-swap NOP when compiling for big-endian, and the resulting series of\nbytes happened to match the encoding of FNMADD S21, S30, S0, S0.\n\nThis went unnoticed until commit:\n\n 34f66c4c4d5518c1 (\"arm64: Use a positive cpucap for FP/SIMD\")\n\nPrior to that commit, the kernel would always enable the use of FPSIMD\nearly in boot when __cpu_setup() initialized CPACR_EL1, and so usage of\nFNMADD within the kernel was not detected, but could result in the\ncorruption of user or kernel FPSIMD state.\n\nAfter that commit, the instructions happen to trap during boot prior to\nFPSIMD being detected and enabled, e.g.\n\n| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : __pi_strcmp+0x1c/0x150\n| lr : populate_properties+0xe4/0x254\n| sp : ffffd014173d3ad0\n| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000\n| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008\n| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044\n| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005\n| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000\n| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000\n| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000\n| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000\n| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a\n| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8\n| Kernel panic - not syncing: Unhandled exception\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| Call trace:\n| dump_backtrace+0xec/0x108\n| show_stack+0x18/0x2c\n| dump_stack_lvl+0x50/0x68\n| dump_stack+0x18/0x24\n| panic+0x13c/0x340\n| el1t_64_irq_handler+0x0/0x1c\n| el1_abort+0x0/0x5c\n| el1h_64_sync+0x64/0x68\n| __pi_strcmp+0x1c/0x150\n| unflatten_dt_nodes+0x1e8/0x2d8\n| __unflatten_device_tree+0x5c/0x15c\n| unflatten_device_tree+0x38/0x50\n| setup_arch+0x164/0x1e0\n| start_kernel+0x64/0x38c\n| __primary_switched+0xbc/0xc4\n\nRestrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is\neither GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked\ncommit.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52750\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52750\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52750\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52750\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52750\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/146a15b873353f8ac28dc281c139ff611a3c4848\",\n \"https://git.kernel.org/stable/c/69e619d2fd056fe1f5d0adf01584f2da669e0d28\",\n \"https://git.kernel.org/stable/c/936c9c10efaefaf1ab3ef020e1f8aaaaff1ad2f9\",\n \"https://git.kernel.org/stable/c/bd31e534721ab95ef237020fe6995c899ffdf21a\",\n \"https://git.kernel.org/stable/c/d08a1e75253b4e19ae290b1c35349f12cfcebc0a\",\n \"https://git.kernel.org/stable/c/ef0224ee5399ea8a46bc07dc6c6494961ed5fdd2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer\\n\\nPrior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly\\nbyte-swap NOP when compiling for big-endian, and the resulting series of\\nbytes happened to match the encoding of FNMADD S21, S30, S0, S0.\\n\\nThis went unnoticed until commit:\\n\\n 34f66c4c4d5518c1 (\\\"arm64: Use a positive cpucap for FP/SIMD\\\")\\n\\nPrior to that commit, the kernel would always enable the use of FPSIMD\\nearly in boot when __cpu_setup() initialized CPACR_EL1, and so usage of\\nFNMADD within the kernel was not detected, but could result in the\\ncorruption of user or kernel FPSIMD state.\\n\\nAfter that commit, the instructions happen to trap during boot prior to\\nFPSIMD being detected and enabled, e.g.\\n\\n| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD\\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\\n| Hardware name: linux,dummy-virt (DT)\\n| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n| pc : __pi_strcmp+0x1c/0x150\\n| lr : populate_properties+0xe4/0x254\\n| sp : ffffd014173d3ad0\\n| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000\\n| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008\\n| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044\\n| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005\\n| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000\\n| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000\\n| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000\\n| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000\\n| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a\\n| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8\\n| Kernel panic - not syncing: Unhandled exception\\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\\n| Hardware name: linux,dummy-virt (DT)\\n| Call trace:\\n| dump_backtrace+0xec/0x108\\n| show_stack+0x18/0x2c\\n| dump_stack_lvl+0x50/0x68\\n| dump_stack+0x18/0x24\\n| panic+0x13c/0x340\\n| el1t_64_irq_handler+0x0/0x1c\\n| el1_abort+0x0/0x5c\\n| el1h_64_sync+0x64/0x68\\n| __pi_strcmp+0x1c/0x150\\n| unflatten_dt_nodes+0x1e8/0x2d8\\n| __unflatten_device_tree+0x5c/0x15c\\n| unflatten_device_tree+0x38/0x50\\n| setup_arch+0x164/0x1e0\\n| start_kernel+0x64/0x38c\\n| __primary_switched+0xbc/0xc4\\n\\nRestrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is\\neither GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked\\ncommit.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52750\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52751", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52751" + }, + { + "url": "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b" + }, + { + "url": "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9" + }, + { + "url": "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52751 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52751", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in smb2_query_info_compound()\n\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\n\n BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\n Read of size 8 at addr ffff888014941048 by task xfs_io/27534\n\n CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x4a/0x80\n print_report+0xcf/0x650\n ? srso_alias_return_thunk+0x5/0x7f\n ? srso_alias_return_thunk+0x5/0x7f\n ? __phys_addr+0x46/0x90\n kasan_report+0xda/0x110\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __stack_depot_save+0x39/0x480\n ? kasan_save_stack+0x33/0x60\n ? kasan_set_track+0x25/0x30\n ? ____kasan_slab_free+0x126/0x170\n smb2_queryfs+0xc2/0x2c0 [cifs]\n ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n smb311_queryfs+0x210/0x220 [cifs]\n ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __lock_acquire+0x480/0x26c0\n ? lock_release+0x1ed/0x640\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_raw_spin_unlock+0x9b/0x100\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n ? __pfx___do_sys_fstatfs+0x10/0x10\n ? srso_alias_return_thunk+0x5/0x7f\n ? lockdep_hardirqs_on_prepare+0x136/0x200\n ? srso_alias_return_thunk+0x5/0x7f\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x8f/0xa0\n open_cached_dir+0x71b/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n smb311_queryfs+0x210/0x220 [cifs]\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2b/0x50\n ____kasan_slab_free+0x126/0x170\n slab_free_freelist_hook+0xd0/0x1e0\n __kmem_cache_free+0x9d/0x1b0\n open_cached_dir+0xff5/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it. And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\n\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\n\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\n CIFS: VFS: Dump pending requests:\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n ...\n\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid. And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52751\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52751\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52751\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52751\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52751\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b\",\n \"https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9\",\n \"https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix use-after-free in smb2_query_info_compound()\\n\\nThe following UAF was triggered when running fstests generic/072 with\\nKASAN enabled against Windows Server 2022 and mount options\\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\\n\\n BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\\n Read of size 8 at addr ffff888014941048 by task xfs_io/27534\\n\\n CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\\n Call Trace:\\n dump_stack_lvl+0x4a/0x80\\n print_report+0xcf/0x650\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? __phys_addr+0x46/0x90\\n kasan_report+0xda/0x110\\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\\n smb2_query_info_compound+0x423/0x6d0 [cifs]\\n ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? __stack_depot_save+0x39/0x480\\n ? kasan_save_stack+0x33/0x60\\n ? kasan_set_track+0x25/0x30\\n ? ____kasan_slab_free+0x126/0x170\\n smb2_queryfs+0xc2/0x2c0 [cifs]\\n ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\\n ? __pfx___lock_acquire+0x10/0x10\\n smb311_queryfs+0x210/0x220 [cifs]\\n ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? __lock_acquire+0x480/0x26c0\\n ? lock_release+0x1ed/0x640\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? do_raw_spin_unlock+0x9b/0x100\\n cifs_statfs+0x18c/0x4b0 [cifs]\\n statfs_by_dentry+0x9b/0xf0\\n fd_statfs+0x4e/0xb0\\n __do_sys_fstatfs+0x7f/0xe0\\n ? __pfx___do_sys_fstatfs+0x10/0x10\\n ? srso_alias_return_thunk+0x5/0x7f\\n ? lockdep_hardirqs_on_prepare+0x136/0x200\\n ? srso_alias_return_thunk+0x5/0x7f\\n do_syscall_64+0x3f/0x90\\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\\n\\n Allocated by task 27534:\\n kasan_save_stack+0x33/0x60\\n kasan_set_track+0x25/0x30\\n __kasan_kmalloc+0x8f/0xa0\\n open_cached_dir+0x71b/0x1240 [cifs]\\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\\n smb2_queryfs+0xc2/0x2c0 [cifs]\\n smb311_queryfs+0x210/0x220 [cifs]\\n cifs_statfs+0x18c/0x4b0 [cifs]\\n statfs_by_dentry+0x9b/0xf0\\n fd_statfs+0x4e/0xb0\\n __do_sys_fstatfs+0x7f/0xe0\\n do_syscall_64+0x3f/0x90\\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\\n\\n Freed by task 27534:\\n kasan_save_stack+0x33/0x60\\n kasan_set_track+0x25/0x30\\n kasan_save_free_info+0x2b/0x50\\n ____kasan_slab_free+0x126/0x170\\n slab_free_freelist_hook+0xd0/0x1e0\\n __kmem_cache_free+0x9d/0x1b0\\n open_cached_dir+0xff5/0x1240 [cifs]\\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\\n smb2_queryfs+0xc2/0x2c0 [cifs]\\n\\nThis is a race between open_cached_dir() and cached_dir_lease_break()\\nwhere the cache entry for the open directory handle receives a lease\\nbreak while creating it. And before returning from open_cached_dir(),\\nwe put the last reference of the new @cfid because of\\n!@cfid->has_lease.\\n\\nBesides the UAF, while running xfstests a lot of missed lease breaks\\nhave been noticed in tests that run several concurrent statfs(2) calls\\non those cached fids\\n\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test No task to wake, unknown frame...\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\\n CIFS: VFS: Dump pending requests:\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test No task to wake, unknown frame...\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\\n CIFS: VFS: \\\\\\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\\n ...\\n\\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\\nright before sending out compounded request so that any potential\\nlease break will be get processed by demultiplex thread while we're\\nstill caching @cfid. And, if open failed for some reason, re-check\\n@cfid->has_lease to decide whether or not put lease reference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52751\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52752", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52752" + }, + { + "url": "https://git.kernel.org/stable/c/0ab6f842452ce2cae04209d4671ac6289d0aef8a" + }, + { + "url": "https://git.kernel.org/stable/c/558817597d5fbd7af31f891b67b0fd20f0d047b7" + }, + { + "url": "https://git.kernel.org/stable/c/89929ea46f9cc11ba66d2c64713aa5d5dc723b09" + }, + { + "url": "https://git.kernel.org/stable/c/d328c09ee9f15ee5a26431f5aad7c9239fa85e62" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52752 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52752", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free bug in cifs_debug_data_proc_show()\n\nSkip SMB sessions that are being teared down\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\nto avoid use-after-free in @ses.\n\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\nwhile mounting and umounting\n\n [ 816.251274] general protection fault, probably for non-canonical\n address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\n ...\n [ 816.260138] Call Trace:\n [ 816.260329] \n [ 816.260499] ? die_addr+0x36/0x90\n [ 816.260762] ? exc_general_protection+0x1b3/0x410\n [ 816.261126] ? asm_exc_general_protection+0x26/0x30\n [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs]\n [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs]\n [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\n [ 816.262689] ? seq_read_iter+0x379/0x470\n [ 816.262995] seq_read_iter+0x118/0x470\n [ 816.263291] proc_reg_read_iter+0x53/0x90\n [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f\n [ 816.263945] vfs_read+0x201/0x350\n [ 816.264211] ksys_read+0x75/0x100\n [ 816.264472] do_syscall_64+0x3f/0x90\n [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n [ 816.265135] RIP: 0033:0x7fd5e669d381", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52752\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52752\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52752\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52752\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52752\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ab6f842452ce2cae04209d4671ac6289d0aef8a\",\n \"https://git.kernel.org/stable/c/558817597d5fbd7af31f891b67b0fd20f0d047b7\",\n \"https://git.kernel.org/stable/c/89929ea46f9cc11ba66d2c64713aa5d5dc723b09\",\n \"https://git.kernel.org/stable/c/d328c09ee9f15ee5a26431f5aad7c9239fa85e62\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix use-after-free bug in cifs_debug_data_proc_show()\\n\\nSkip SMB sessions that are being teared down\\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\\nto avoid use-after-free in @ses.\\n\\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\\nwhile mounting and umounting\\n\\n [ 816.251274] general protection fault, probably for non-canonical\\n address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\\n ...\\n [ 816.260138] Call Trace:\\n [ 816.260329] \\n [ 816.260499] ? die_addr+0x36/0x90\\n [ 816.260762] ? exc_general_protection+0x1b3/0x410\\n [ 816.261126] ? asm_exc_general_protection+0x26/0x30\\n [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs]\\n [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs]\\n [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\\n [ 816.262689] ? seq_read_iter+0x379/0x470\\n [ 816.262995] seq_read_iter+0x118/0x470\\n [ 816.263291] proc_reg_read_iter+0x53/0x90\\n [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f\\n [ 816.263945] vfs_read+0x201/0x350\\n [ 816.264211] ksys_read+0x75/0x100\\n [ 816.264472] do_syscall_64+0x3f/0x90\\n [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\\n [ 816.265135] RIP: 0033:0x7fd5e669d381\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52752\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52753", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52753" + }, + { + "url": "https://git.kernel.org/stable/c/09909f515032fa80b921fd3118efe66b185d10fd" + }, + { + "url": "https://git.kernel.org/stable/c/4e497f1acd99075b13605b2e7fa0cba721a2cfd9" + }, + { + "url": "https://git.kernel.org/stable/c/6d8653b1a7a8dc938b566ae8c4f373b36e792c68" + }, + { + "url": "https://git.kernel.org/stable/c/79b6a90f4f2433312154cd68452b0ba501fa74db" + }, + { + "url": "https://git.kernel.org/stable/c/8a06894666e0b462c9316b26ab615cefdd0d676c" + }, + { + "url": "https://git.kernel.org/stable/c/b1904ed480cee3f9f4036ea0e36d139cb5fee2d6" + }, + { + "url": "https://git.kernel.org/stable/c/df8bc953eed72371e43ca407bd063507f760cf89" + }, + { + "url": "https://git.kernel.org/stable/c/eac3e4760aa12159f7f5475d55a67b7933abc195" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52753 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52753", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid NULL dereference of timing generator\n\n[Why & How]\nCheck whether assigned timing generator is NULL or not before\naccessing its funcs to prevent NULL dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52753\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52753\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52753\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52753\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52753\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09909f515032fa80b921fd3118efe66b185d10fd\",\n \"https://git.kernel.org/stable/c/4e497f1acd99075b13605b2e7fa0cba721a2cfd9\",\n \"https://git.kernel.org/stable/c/6d8653b1a7a8dc938b566ae8c4f373b36e792c68\",\n \"https://git.kernel.org/stable/c/79b6a90f4f2433312154cd68452b0ba501fa74db\",\n \"https://git.kernel.org/stable/c/8a06894666e0b462c9316b26ab615cefdd0d676c\",\n \"https://git.kernel.org/stable/c/b1904ed480cee3f9f4036ea0e36d139cb5fee2d6\",\n \"https://git.kernel.org/stable/c/df8bc953eed72371e43ca407bd063507f760cf89\",\n \"https://git.kernel.org/stable/c/eac3e4760aa12159f7f5475d55a67b7933abc195\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Avoid NULL dereference of timing generator\\n\\n[Why & How]\\nCheck whether assigned timing generator is NULL or not before\\naccessing its funcs to prevent NULL dereference.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52753\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52754", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52754" + }, + { + "url": "https://git.kernel.org/stable/c/0f5068519f89d928d6c51100e4b274479123829f" + }, + { + "url": "https://git.kernel.org/stable/c/10ec5a97f8f5a772a1a42b4eb27196b447cd3aa9" + }, + { + "url": "https://git.kernel.org/stable/c/2a493a34bd6e496c55fabedd82b957193ace178f" + }, + { + "url": "https://git.kernel.org/stable/c/5e0b788fb96be36d1baf1a5c88d09c7c82a0452a" + }, + { + "url": "https://git.kernel.org/stable/c/a1766a4fd83befa0b34d932d532e7ebb7fab1fa7" + }, + { + "url": "https://git.kernel.org/stable/c/b083aaf5db2eeca9e362723258e5d8698f7dd84e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52754 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52754", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imon: fix access to invalid resource for the second interface\n\nimon driver probes two USB interfaces, and at the probe of the second\ninterface, the driver assumes blindly that the first interface got\nbound with the same imon driver. It's usually true, but it's still\npossible that the first interface is bound with another driver via a\nmalformed descriptor. Then it may lead to a memory corruption, as\nspotted by syzkaller; imon driver accesses the data from drvdata as\nstruct imon_context object although it's a completely different one\nthat was assigned by another driver.\n\nThis patch adds a sanity check -- whether the first interface is\nreally bound with the imon driver or not -- for avoiding the problem\nabove at the probe time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52754\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52754\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52754\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52754\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52754\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f5068519f89d928d6c51100e4b274479123829f\",\n \"https://git.kernel.org/stable/c/10ec5a97f8f5a772a1a42b4eb27196b447cd3aa9\",\n \"https://git.kernel.org/stable/c/2a493a34bd6e496c55fabedd82b957193ace178f\",\n \"https://git.kernel.org/stable/c/5e0b788fb96be36d1baf1a5c88d09c7c82a0452a\",\n \"https://git.kernel.org/stable/c/a1766a4fd83befa0b34d932d532e7ebb7fab1fa7\",\n \"https://git.kernel.org/stable/c/b083aaf5db2eeca9e362723258e5d8698f7dd84e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: imon: fix access to invalid resource for the second interface\\n\\nimon driver probes two USB interfaces, and at the probe of the second\\ninterface, the driver assumes blindly that the first interface got\\nbound with the same imon driver. It's usually true, but it's still\\npossible that the first interface is bound with another driver via a\\nmalformed descriptor. Then it may lead to a memory corruption, as\\nspotted by syzkaller; imon driver accesses the data from drvdata as\\nstruct imon_context object although it's a completely different one\\nthat was assigned by another driver.\\n\\nThis patch adds a sanity check -- whether the first interface is\\nreally bound with the imon driver or not -- for avoiding the problem\\nabove at the probe time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52754\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52755", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52755" + }, + { + "url": "https://git.kernel.org/stable/c/09d9d8b40a3338193619c14ed4dc040f4f119e70" + }, + { + "url": "https://git.kernel.org/stable/c/712e01f32e577e7e48ab0adb5fe550646a3d93cb" + }, + { + "url": "https://git.kernel.org/stable/c/8387c94d73ec66eb597c7a23a8d9eadf64bfbafa" + }, + { + "url": "https://git.kernel.org/stable/c/aaf0a07d60887d6c36fc46a24de0083744f07819" + }, + { + "url": "https://git.kernel.org/stable/c/eebff19acaa35820cb09ce2ccb3d21bee2156ffb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52755 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52755", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab out of bounds write in smb_inherit_dacl()\n\nslab out-of-bounds write is caused by that offsets is bigger than pntsd\nallocation size. This patch add the check to validate 3 offsets using\nallocation size.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52755\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52755\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52755\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52755\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52755\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09d9d8b40a3338193619c14ed4dc040f4f119e70\",\n \"https://git.kernel.org/stable/c/712e01f32e577e7e48ab0adb5fe550646a3d93cb\",\n \"https://git.kernel.org/stable/c/8387c94d73ec66eb597c7a23a8d9eadf64bfbafa\",\n \"https://git.kernel.org/stable/c/aaf0a07d60887d6c36fc46a24de0083744f07819\",\n \"https://git.kernel.org/stable/c/eebff19acaa35820cb09ce2ccb3d21bee2156ffb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: fix slab out of bounds write in smb_inherit_dacl()\\n\\nslab out-of-bounds write is caused by that offsets is bigger than pntsd\\nallocation size. This patch add the check to validate 3 offsets using\\nallocation size.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52755\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52756", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52756" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52756 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52756", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52756\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52756\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52756\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52756\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52756\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52756\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52757", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52757" + }, + { + "url": "https://git.kernel.org/stable/c/9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29" + }, + { + "url": "https://git.kernel.org/stable/c/b9bb9607b1fc12fca51f5632da25b36975f599bf" + }, + { + "url": "https://git.kernel.org/stable/c/c1a5962f1462b64fe7b69f20a4b6af8067bc2d26" + }, + { + "url": "https://git.kernel.org/stable/c/e6322fd177c6885a21dd4609dc5e5c973d1a2eb7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52757 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52757", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential deadlock when releasing mids\n\nAll release_mid() callers seem to hold a reference of @mid so there is\nno need to call kref_put(&mid->refcount, __release_mid) under\n@server->mid_lock spinlock. If they don't, then an use-after-free bug\nwould have occurred anyways.\n\nBy getting rid of such spinlock also fixes a potential deadlock as\nshown below\n\nCPU 0 CPU 1\n------------------------------------------------------------------\ncifs_demultiplex_thread() cifs_debug_data_proc_show()\n release_mid()\n spin_lock(&server->mid_lock);\n spin_lock(&cifs_tcp_ses_lock)\n\t\t\t\t spin_lock(&server->mid_lock)\n __release_mid()\n smb2_find_smb_tcon()\n spin_lock(&cifs_tcp_ses_lock) *deadlock*", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52757\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52757\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52757\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52757\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52757\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29\",\n \"https://git.kernel.org/stable/c/b9bb9607b1fc12fca51f5632da25b36975f599bf\",\n \"https://git.kernel.org/stable/c/c1a5962f1462b64fe7b69f20a4b6af8067bc2d26\",\n \"https://git.kernel.org/stable/c/e6322fd177c6885a21dd4609dc5e5c973d1a2eb7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential deadlock when releasing mids\\n\\nAll release_mid() callers seem to hold a reference of @mid so there is\\nno need to call kref_put(&mid->refcount, __release_mid) under\\n@server->mid_lock spinlock. If they don't, then an use-after-free bug\\nwould have occurred anyways.\\n\\nBy getting rid of such spinlock also fixes a potential deadlock as\\nshown below\\n\\nCPU 0 CPU 1\\n------------------------------------------------------------------\\ncifs_demultiplex_thread() cifs_debug_data_proc_show()\\n release_mid()\\n spin_lock(&server->mid_lock);\\n spin_lock(&cifs_tcp_ses_lock)\\n\\t\\t\\t\\t spin_lock(&server->mid_lock)\\n __release_mid()\\n smb2_find_smb_tcon()\\n spin_lock(&cifs_tcp_ses_lock) *deadlock*\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52757\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52759", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52759" + }, + { + "url": "https://git.kernel.org/stable/c/119565e566f91ff3588ffcd5812f0c8061586c6b" + }, + { + "url": "https://git.kernel.org/stable/c/1c28dace66015b675a343b89b0c87abbfda05ff4" + }, + { + "url": "https://git.kernel.org/stable/c/212f112fe5e90e98eb8d48585682880dae139f4c" + }, + { + "url": "https://git.kernel.org/stable/c/2a054b87a1b799b391e578597a42ee6e57a987ae" + }, + { + "url": "https://git.kernel.org/stable/c/2bb42a27a92ff3984c9fa5fbe128eced3ea693f2" + }, + { + "url": "https://git.kernel.org/stable/c/4c6a08125f2249531ec01783a5f4317d7342add5" + }, + { + "url": "https://git.kernel.org/stable/c/53fc16c1ad84f5467ec24341670b63aa759335d3" + }, + { + "url": "https://git.kernel.org/stable/c/5bfda356e903633d16ae1bac1ee38364e12628a3" + }, + { + "url": "https://git.kernel.org/stable/c/b4deec69fe32b58dc5fb4ace52456ece85b75561" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52759 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52759", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: ignore negated quota changes\n\nWhen lots of quota changes are made, there may be cases in which an\ninode's quota information is increased and then decreased, such as when\nblocks are added to a file, then deleted from it. If the timing is\nright, function do_qc can add pending quota changes to a transaction,\nthen later, another call to do_qc can negate those changes, resulting\nin a net gain of 0. The quota_change information is recorded in the qc\nbuffer (and qd element of the inode as well). The buffer is added to the\ntransaction by the first call to do_qc, but a subsequent call changes\nthe value from non-zero back to zero. At that point it's too late to\nremove the buffer_head from the transaction. Later, when the quota sync\ncode is called, the zero-change qd element is discovered and flagged as\nan assert warning. If the fs is mounted with errors=panic, the kernel\nwill panic.\n\nThis is usually seen when files are truncated and the quota changes are\nnegated by punch_hole/truncate which uses gfs2_quota_hold and\ngfs2_quota_unhold rather than block allocations that use gfs2_quota_lock\nand gfs2_quota_unlock which automatically do quota sync.\n\nThis patch solves the problem by adding a check to qd_check_sync such\nthat net-zero quota changes already added to the transaction are no\nlonger deemed necessary to be synced, and skipped.\n\nIn this case references are taken for the qd and the slot from do_qc\nso those need to be put. The normal sequence of events for a normal\nnon-zero quota change is as follows:\n\ngfs2_quota_change\n do_qc\n qd_hold\n slot_hold\n\nLater, when the changes are to be synced:\n\ngfs2_quota_sync\n qd_fish\n qd_check_sync\n gets qd ref via lockref_get_not_dead\n do_sync\n do_qc(QC_SYNC)\n qd_put\n\t lockref_put_or_lock\n qd_unlock\n qd_put\n lockref_put_or_lock\n\nIn the net-zero change case, we add a check to qd_check_sync so it puts\nthe qd and slot references acquired in gfs2_quota_change and skip the\nunneeded sync.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52759\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52759\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52759\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52759\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52759\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/119565e566f91ff3588ffcd5812f0c8061586c6b\",\n \"https://git.kernel.org/stable/c/1c28dace66015b675a343b89b0c87abbfda05ff4\",\n \"https://git.kernel.org/stable/c/212f112fe5e90e98eb8d48585682880dae139f4c\",\n \"https://git.kernel.org/stable/c/2a054b87a1b799b391e578597a42ee6e57a987ae\",\n \"https://git.kernel.org/stable/c/2bb42a27a92ff3984c9fa5fbe128eced3ea693f2\",\n \"https://git.kernel.org/stable/c/4c6a08125f2249531ec01783a5f4317d7342add5\",\n \"https://git.kernel.org/stable/c/53fc16c1ad84f5467ec24341670b63aa759335d3\",\n \"https://git.kernel.org/stable/c/5bfda356e903633d16ae1bac1ee38364e12628a3\",\n \"https://git.kernel.org/stable/c/b4deec69fe32b58dc5fb4ace52456ece85b75561\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngfs2: ignore negated quota changes\\n\\nWhen lots of quota changes are made, there may be cases in which an\\ninode's quota information is increased and then decreased, such as when\\nblocks are added to a file, then deleted from it. If the timing is\\nright, function do_qc can add pending quota changes to a transaction,\\nthen later, another call to do_qc can negate those changes, resulting\\nin a net gain of 0. The quota_change information is recorded in the qc\\nbuffer (and qd element of the inode as well). The buffer is added to the\\ntransaction by the first call to do_qc, but a subsequent call changes\\nthe value from non-zero back to zero. At that point it's too late to\\nremove the buffer_head from the transaction. Later, when the quota sync\\ncode is called, the zero-change qd element is discovered and flagged as\\nan assert warning. If the fs is mounted with errors=panic, the kernel\\nwill panic.\\n\\nThis is usually seen when files are truncated and the quota changes are\\nnegated by punch_hole/truncate which uses gfs2_quota_hold and\\ngfs2_quota_unhold rather than block allocations that use gfs2_quota_lock\\nand gfs2_quota_unlock which automatically do quota sync.\\n\\nThis patch solves the problem by adding a check to qd_check_sync such\\nthat net-zero quota changes already added to the transaction are no\\nlonger deemed necessary to be synced, and skipped.\\n\\nIn this case references are taken for the qd and the slot from do_qc\\nso those need to be put. The normal sequence of events for a normal\\nnon-zero quota change is as follows:\\n\\ngfs2_quota_change\\n do_qc\\n qd_hold\\n slot_hold\\n\\nLater, when the changes are to be synced:\\n\\ngfs2_quota_sync\\n qd_fish\\n qd_check_sync\\n gets qd ref via lockref_get_not_dead\\n do_sync\\n do_qc(QC_SYNC)\\n qd_put\\n\\t lockref_put_or_lock\\n qd_unlock\\n qd_put\\n lockref_put_or_lock\\n\\nIn the net-zero change case, we add a check to qd_check_sync so it puts\\nthe qd and slot references acquired in gfs2_quota_change and skip the\\nunneeded sync.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52759\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52760", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52760" + }, + { + "url": "https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81" + }, + { + "url": "https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba" + }, + { + "url": "https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52760 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52760", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\n\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\n\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\n\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52760\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52760\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52760\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52760\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52760\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81\",\n \"https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba\",\n \"https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\\n\\nIn gfs2_put_super(), whether withdrawn or not, the quota should\\nbe cleaned up by gfs2_quota_cleanup().\\n\\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\\ncallback) has run for all gfs2_quota_data objects, resulting in\\nuse-after-free.\\n\\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\\ngfs2_make_fs_ro(), there is no need to call them again.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52760\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52761", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52761" + }, + { + "url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788" + }, + { + "url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76" + }, + { + "url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52761 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52761", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n located using per-cpu asm macro. Computing per-cpu symbol requires\n a temporary register. x31 is saved away into CSR_SCRATCH\n (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [] dump_backtrace+0x30/0x38\n [] show_stack+0x40/0x4c\n [] dump_stack_lvl+0x44/0x5c\n [] dump_stack+0x18/0x20\n [] panic+0x126/0x2fe\n [] walk_stackframe+0x0/0xf0\n [] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52761\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52761\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52761\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52761\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52761\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788\",\n \"https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76\",\n \"https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: VMAP_STACK overflow detection thread-safe\\n\\ncommit 31da94c25aea (\\\"riscv: add VMAP_STACK overflow detection\\\") added\\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\\n`shadow_stack` temporarily before switching finally to per-cpu\\n`overflow_stack`.\\n\\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\\nor both will end up corrupting each other state because `shadow_stack` is\\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\\n\\nFollowing are the changes in this patch\\n\\n - Defines an asm macro to obtain per-cpu symbols in destination\\n register.\\n - In entry.S, when overflow is detected, per-cpu overflow stack is\\n located using per-cpu asm macro. Computing per-cpu symbol requires\\n a temporary register. x31 is saved away into CSR_SCRATCH\\n (CSR_SCRATCH is anyways zero since we're in kernel).\\n\\nPlease see Links for additional relevant disccussion and alternative\\nsolution.\\n\\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\\nKernel crash log below\\n\\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\\n Hardware name: riscv-virtio,qemu (DT)\\n epc : __memset+0x60/0xfc\\n ra : recursive_loop+0x48/0xc6 [lkdtm]\\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\\n Kernel panic - not syncing: Kernel stack overflow\\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\\n Hardware name: riscv-virtio,qemu (DT)\\n Call Trace:\\n [] dump_backtrace+0x30/0x38\\n [] show_stack+0x40/0x4c\\n [] dump_stack_lvl+0x44/0x5c\\n [] dump_stack+0x18/0x20\\n [] panic+0x126/0x2fe\\n [] walk_stackframe+0x0/0xf0\\n [] recursive_loop+0x48/0xc6 [lkdtm]\\n SMP: stopping secondary CPUs\\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52761\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52762", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52762" + }, + { + "url": "https://git.kernel.org/stable/c/017278f141141367f7d14b203e930b45b6ffffb9" + }, + { + "url": "https://git.kernel.org/stable/c/472bd4787406bef2e8b41ee4c74d960a06a49a48" + }, + { + "url": "https://git.kernel.org/stable/c/72775cad7f572bb2501f9ea609e1d20e68f0b38b" + }, + { + "url": "https://git.kernel.org/stable/c/d667fe301dcbcb12d1d6494fc4b8abee2cb75d90" + }, + { + "url": "https://git.kernel.org/stable/c/fafb51a67fb883eb2dde352539df939a251851be" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52762 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52762", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: fix implicit overflow on virtio_max_dma_size\n\nThe following codes have an implicit conversion from size_t to u32:\n(u32)max_size = (size_t)virtio_max_dma_size(vdev);\n\nThis may lead overflow, Ex (size_t)4G -> (u32)0. Once\nvirtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX\ninstead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52762\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52762\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52762\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52762\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52762\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/017278f141141367f7d14b203e930b45b6ffffb9\",\n \"https://git.kernel.org/stable/c/472bd4787406bef2e8b41ee4c74d960a06a49a48\",\n \"https://git.kernel.org/stable/c/72775cad7f572bb2501f9ea609e1d20e68f0b38b\",\n \"https://git.kernel.org/stable/c/d667fe301dcbcb12d1d6494fc4b8abee2cb75d90\",\n \"https://git.kernel.org/stable/c/fafb51a67fb883eb2dde352539df939a251851be\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvirtio-blk: fix implicit overflow on virtio_max_dma_size\\n\\nThe following codes have an implicit conversion from size_t to u32:\\n(u32)max_size = (size_t)virtio_max_dma_size(vdev);\\n\\nThis may lead overflow, Ex (size_t)4G -> (u32)0. Once\\nvirtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX\\ninstead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52762\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52763", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52763" + }, + { + "url": "https://git.kernel.org/stable/c/39c71357e68e2f03766f9321b9f4882e49ff1442" + }, + { + "url": "https://git.kernel.org/stable/c/3cb79a365e7cce8f121bba91312e2ddd206b9781" + }, + { + "url": "https://git.kernel.org/stable/c/b53e9758a31c683fc8615df930262192ed5f034b" + }, + { + "url": "https://git.kernel.org/stable/c/e64d23dc65810be4e3395d72df0c398f60c991f9" + }, + { + "url": "https://git.kernel.org/stable/c/eed74230435c61eeb58abaa275b1820e6a4b7f02" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52763 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52763", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.\n\nThe `i3c_master_bus_init` function may attach the I2C devices before the\nI3C bus initialization. In this flow, the DAT `alloc_entry`` will be used\nbefore the DAT `init`. Additionally, if the `i3c_master_bus_init` fails,\nthe DAT `cleanup` will execute before the device is detached, which will\nexecue DAT `free_entry` function. The above scenario can cause the driver\nto use DAT_data when it is NULL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52763\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52763\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52763\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52763\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52763\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39c71357e68e2f03766f9321b9f4882e49ff1442\",\n \"https://git.kernel.org/stable/c/3cb79a365e7cce8f121bba91312e2ddd206b9781\",\n \"https://git.kernel.org/stable/c/b53e9758a31c683fc8615df930262192ed5f034b\",\n \"https://git.kernel.org/stable/c/e64d23dc65810be4e3395d72df0c398f60c991f9\",\n \"https://git.kernel.org/stable/c/eed74230435c61eeb58abaa275b1820e6a4b7f02\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.\\n\\nThe `i3c_master_bus_init` function may attach the I2C devices before the\\nI3C bus initialization. In this flow, the DAT `alloc_entry`` will be used\\nbefore the DAT `init`. Additionally, if the `i3c_master_bus_init` fails,\\nthe DAT `cleanup` will execute before the device is detached, which will\\nexecue DAT `free_entry` function. The above scenario can cause the driver\\nto use DAT_data when it is NULL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52763\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52764", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52764" + }, + { + "url": "https://git.kernel.org/stable/c/099be1822d1f095433f4b08af9cc9d6308ec1953" + }, + { + "url": "https://git.kernel.org/stable/c/09cd8b561aa9796903710a1046957f2b112c8f26" + }, + { + "url": "https://git.kernel.org/stable/c/2eee8edfff90e22980a6b22079d238c3c9d323bb" + }, + { + "url": "https://git.kernel.org/stable/c/69bba62600bd91d6b7c1e8ca181faf8ac64f7060" + }, + { + "url": "https://git.kernel.org/stable/c/8f83c85ee88225319c52680792320c02158c2a9b" + }, + { + "url": "https://git.kernel.org/stable/c/93bddd6529f187f510eec759f37d0569243c9809" + }, + { + "url": "https://git.kernel.org/stable/c/a647f27a7426d2fe1b40da7c8fa2b81354a51177" + }, + { + "url": "https://git.kernel.org/stable/c/c6b6b8692218da73b33b310d7c1df90f115bdd9a" + }, + { + "url": "https://git.kernel.org/stable/c/e2d7149b913d14352c82624e723ce1c211ca06d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52764 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52764", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: gspca: cpia1: shift-out-of-bounds in set_flicker\n\nSyzkaller reported the following issue:\nUBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27\nshift exponent 245 is too large for 32-bit type 'int'\n\nWhen the value of the variable \"sd->params.exposure.gain\" exceeds the\nnumber of bits in an integer, a shift-out-of-bounds error is reported. It\nis triggered because the variable \"currentexp\" cannot be left-shifted by\nmore than the number of bits in an integer. In order to avoid invalid\nrange during left-shift, the conditional expression is added.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52764\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52764\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52764\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52764\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52764\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/099be1822d1f095433f4b08af9cc9d6308ec1953\",\n \"https://git.kernel.org/stable/c/09cd8b561aa9796903710a1046957f2b112c8f26\",\n \"https://git.kernel.org/stable/c/2eee8edfff90e22980a6b22079d238c3c9d323bb\",\n \"https://git.kernel.org/stable/c/69bba62600bd91d6b7c1e8ca181faf8ac64f7060\",\n \"https://git.kernel.org/stable/c/8f83c85ee88225319c52680792320c02158c2a9b\",\n \"https://git.kernel.org/stable/c/93bddd6529f187f510eec759f37d0569243c9809\",\n \"https://git.kernel.org/stable/c/a647f27a7426d2fe1b40da7c8fa2b81354a51177\",\n \"https://git.kernel.org/stable/c/c6b6b8692218da73b33b310d7c1df90f115bdd9a\",\n \"https://git.kernel.org/stable/c/e2d7149b913d14352c82624e723ce1c211ca06d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: gspca: cpia1: shift-out-of-bounds in set_flicker\\n\\nSyzkaller reported the following issue:\\nUBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27\\nshift exponent 245 is too large for 32-bit type 'int'\\n\\nWhen the value of the variable \\\"sd->params.exposure.gain\\\" exceeds the\\nnumber of bits in an integer, a shift-out-of-bounds error is reported. It\\nis triggered because the variable \\\"currentexp\\\" cannot be left-shifted by\\nmore than the number of bits in an integer. In order to avoid invalid\\nrange during left-shift, the conditional expression is added.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52764\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52766", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52766" + }, + { + "url": "https://git.kernel.org/stable/c/45a832f989e520095429589d5b01b0c65da9b574" + }, + { + "url": "https://git.kernel.org/stable/c/4c86cb2321bd9c72d3b945ce7f747961beda8e65" + }, + { + "url": "https://git.kernel.org/stable/c/7c2b91b30d74d7c407118ad72502d4ca28af1af6" + }, + { + "url": "https://git.kernel.org/stable/c/8be39f66915b40d26ea2c18ba84b5c3d5da6809b" + }, + { + "url": "https://git.kernel.org/stable/c/d23ad76f240c0f597b7a9eb79905d246f27d40df" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52766 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52766", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler\n\nDo not loop over ring headers in hci_dma_irq_handler() that are not\nallocated and enabled in hci_dma_init(). Otherwise out of bounds access\nwill occur from rings->headers[i] access when i >= number of allocated\nring headers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52766\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52766\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52766\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52766\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52766\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/45a832f989e520095429589d5b01b0c65da9b574\",\n \"https://git.kernel.org/stable/c/4c86cb2321bd9c72d3b945ce7f747961beda8e65\",\n \"https://git.kernel.org/stable/c/7c2b91b30d74d7c407118ad72502d4ca28af1af6\",\n \"https://git.kernel.org/stable/c/8be39f66915b40d26ea2c18ba84b5c3d5da6809b\",\n \"https://git.kernel.org/stable/c/d23ad76f240c0f597b7a9eb79905d246f27d40df\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler\\n\\nDo not loop over ring headers in hci_dma_irq_handler() that are not\\nallocated and enabled in hci_dma_init(). Otherwise out of bounds access\\nwill occur from rings->headers[i] access when i >= number of allocated\\nring headers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52766\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52768", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52768" + }, + { + "url": "https://git.kernel.org/stable/c/05ac1a198a63ad66bf5ae8b7321407c102d40ef3" + }, + { + "url": "https://git.kernel.org/stable/c/3ce1c2c3999b232258f7aabab311d47dda75605c" + }, + { + "url": "https://git.kernel.org/stable/c/4b0d6ddb6466d10df878a7787f175a0e4adc3e27" + }, + { + "url": "https://git.kernel.org/stable/c/541b3757fd443a68ed8d25968eae511a8275e7c8" + }, + { + "url": "https://git.kernel.org/stable/c/6aaf7cd8bdfe245d3c9a8b48fe70c2011965948e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52768 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52768", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: use vmm_table as array in wilc struct\n\nEnabling KASAN and running some iperf tests raises some memory issues with\nvmm_table:\n\nBUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4\nWrite of size 4 at addr c3a61540 by task wlan0-tx/95\n\nKASAN detects that we are writing data beyond range allocated to vmm_table.\nThere is indeed a mismatch between the size passed to allocator in\nwilc_wlan_init, and the range of possible indexes used later: allocation\nsize is missing a multiplication by sizeof(u32)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52768\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52768\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52768\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52768\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52768\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05ac1a198a63ad66bf5ae8b7321407c102d40ef3\",\n \"https://git.kernel.org/stable/c/3ce1c2c3999b232258f7aabab311d47dda75605c\",\n \"https://git.kernel.org/stable/c/4b0d6ddb6466d10df878a7787f175a0e4adc3e27\",\n \"https://git.kernel.org/stable/c/541b3757fd443a68ed8d25968eae511a8275e7c8\",\n \"https://git.kernel.org/stable/c/6aaf7cd8bdfe245d3c9a8b48fe70c2011965948e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: wilc1000: use vmm_table as array in wilc struct\\n\\nEnabling KASAN and running some iperf tests raises some memory issues with\\nvmm_table:\\n\\nBUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4\\nWrite of size 4 at addr c3a61540 by task wlan0-tx/95\\n\\nKASAN detects that we are writing data beyond range allocated to vmm_table.\\nThere is indeed a mismatch between the size passed to allocator in\\nwilc_wlan_init, and the range of possible indexes used later: allocation\\nsize is missing a multiplication by sizeof(u32)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52768\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52772", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52772" + }, + { + "url": "https://git.kernel.org/stable/c/069a3ec329ff43e7869a3d94c62cd03203016bce" + }, + { + "url": "https://git.kernel.org/stable/c/4b7b492615cf3017190f55444f7016812b66611d" + }, + { + "url": "https://git.kernel.org/stable/c/75bcfc188abf4fae9c1d5f5dc0a03540be602eef" + }, + { + "url": "https://git.kernel.org/stable/c/d179189eec426fe4801e4b91efa1889faed12700" + }, + { + "url": "https://git.kernel.org/stable/c/eae0b295ce16d8c8b4114c3037993191b4bb92f0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52772 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52772", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: fix use-after-free in unix_stream_read_actor()\n\nsyzbot reported the following crash [1]\n\nAfter releasing unix socket lock, u->oob_skb can be changed\nby another thread. We must temporarily increase skb refcount\nto make sure this other thread will not free the skb under us.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nRead of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297\n\nCPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:364 [inline]\nprint_report+0xc4/0x620 mm/kasan/report.c:475\nkasan_report+0xda/0x110 mm/kasan/report.c:588\nunix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nunix_stream_recv_urg net/unix/af_unix.c:2587 [inline]\nunix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666\nunix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903\nsock_recvmsg_nosec net/socket.c:1044 [inline]\nsock_recvmsg+0xe2/0x170 net/socket.c:1066\n____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803\n___sys_recvmsg+0x115/0x1a0 net/socket.c:2845\n__sys_recvmsg+0x114/0x1e0 net/socket.c:2875\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fc67492c559\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559\nRDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004\nRBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340\nR13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388\n\n\nAllocated by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328\nkasan_slab_alloc include/linux/kasan.h:188 [inline]\nslab_post_alloc_hook mm/slab.h:763 [inline]\nslab_alloc_node mm/slub.c:3478 [inline]\nkmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523\n__alloc_skb+0x287/0x330 net/core/skbuff.c:641\nalloc_skb include/linux/skbuff.h:1286 [inline]\nalloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331\nsock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780\nsock_alloc_send_skb include/net/sock.h:1884 [inline]\nqueue_oob net/unix/af_unix.c:2147 [inline]\nunix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n__sys_sendmsg+0x117/0x1e0 net/socket.c:2667\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFreed by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200\nkasan_slab_free include/linux/kasan.h:164 [inline]\nslab_free_hook mm/slub.c:1800 [inline]\nslab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826\nslab_free mm/slub.c:3809 [inline]\nkmem_cache_free+0xf8/0x340 mm/slub.c:3831\nkfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015\n__kfree_skb net/core/skbuff.c:1073 [inline]\nconsume_skb net/core/skbuff.c:1288 [inline]\nconsume_skb+0xdf/0x170 net/core/skbuff.c:1282\nqueue_oob net/unix/af_unix.c:2178 [inline]\nu\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52772\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52772\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52772\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52772\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52772\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/069a3ec329ff43e7869a3d94c62cd03203016bce\",\n \"https://git.kernel.org/stable/c/4b7b492615cf3017190f55444f7016812b66611d\",\n \"https://git.kernel.org/stable/c/75bcfc188abf4fae9c1d5f5dc0a03540be602eef\",\n \"https://git.kernel.org/stable/c/d179189eec426fe4801e4b91efa1889faed12700\",\n \"https://git.kernel.org/stable/c/eae0b295ce16d8c8b4114c3037993191b4bb92f0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: fix use-after-free in unix_stream_read_actor()\\n\\nsyzbot reported the following crash [1]\\n\\nAfter releasing unix socket lock, u->oob_skb can be changed\\nby another thread. We must temporarily increase skb refcount\\nto make sure this other thread will not free the skb under us.\\n\\n[1]\\n\\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\\nRead of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297\\n\\nCPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\\nCall Trace:\\n\\n__dump_stack lib/dump_stack.c:88 [inline]\\ndump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\\nprint_address_description mm/kasan/report.c:364 [inline]\\nprint_report+0xc4/0x620 mm/kasan/report.c:475\\nkasan_report+0xda/0x110 mm/kasan/report.c:588\\nunix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\\nunix_stream_recv_urg net/unix/af_unix.c:2587 [inline]\\nunix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666\\nunix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903\\nsock_recvmsg_nosec net/socket.c:1044 [inline]\\nsock_recvmsg+0xe2/0x170 net/socket.c:1066\\n____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803\\n___sys_recvmsg+0x115/0x1a0 net/socket.c:2845\\n__sys_recvmsg+0x114/0x1e0 net/socket.c:2875\\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\\nRIP: 0033:0x7fc67492c559\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\\nRAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559\\nRDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004\\nRBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0\\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340\\nR13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388\\n\\n\\nAllocated by task 5295:\\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\\n__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328\\nkasan_slab_alloc include/linux/kasan.h:188 [inline]\\nslab_post_alloc_hook mm/slab.h:763 [inline]\\nslab_alloc_node mm/slub.c:3478 [inline]\\nkmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523\\n__alloc_skb+0x287/0x330 net/core/skbuff.c:641\\nalloc_skb include/linux/skbuff.h:1286 [inline]\\nalloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331\\nsock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780\\nsock_alloc_send_skb include/net/sock.h:1884 [inline]\\nqueue_oob net/unix/af_unix.c:2147 [inline]\\nunix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301\\nsock_sendmsg_nosec net/socket.c:730 [inline]\\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\\n____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\\n___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\\n__sys_sendmsg+0x117/0x1e0 net/socket.c:2667\\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nFreed by task 5295:\\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\\nkasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522\\n____kasan_slab_free mm/kasan/common.c:236 [inline]\\n____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200\\nkasan_slab_free include/linux/kasan.h:164 [inline]\\nslab_free_hook mm/slub.c:1800 [inline]\\nslab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826\\nslab_free mm/slub.c:3809 [inline]\\nkmem_cache_free+0xf8/0x340 mm/slub.c:3831\\nkfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015\\n__kfree_skb net/core/skbuff.c:1073 [inline]\\nconsume_skb net/core/skbuff.c:1288 [inline]\\nconsume_skb+0xdf/0x170 net/core/skbuff.c:1282\\nqueue_oob net/unix/af_unix.c:2178 [inline]\\nu\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52772\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52774", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52774" + }, + { + "url": "https://git.kernel.org/stable/c/6062c527d0403cef27c54b91ac8390c3a497b250" + }, + { + "url": "https://git.kernel.org/stable/c/9372aab5d0ff621ea203c8c603e7e5f75e888240" + }, + { + "url": "https://git.kernel.org/stable/c/c841de6247e94e07566d57163d3c0d8b29278f7a" + }, + { + "url": "https://git.kernel.org/stable/c/db46cd1e0426f52999d50fa72cfa97fa39952885" + }, + { + "url": "https://git.kernel.org/stable/c/dc96fde8fcb2b896fd6c64802a7f4ece2e69b0be" + }, + { + "url": "https://git.kernel.org/stable/c/ebdc569a07a3e8dbe66b4184922ad6f88ac0b96f" + }, + { + "url": "https://git.kernel.org/stable/c/f1ac7789406e2ca9ac51c41ad2daa597f47bdd4d" + }, + { + "url": "https://git.kernel.org/stable/c/f75617cc8df4155374132f0b500b0b3ebb967458" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52774 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52774", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: protect device queue against concurrent access\n\nIn dasd_profile_start() the amount of requests on the device queue are\ncounted. The access to the device queue is unprotected against\nconcurrent access. With a lot of parallel I/O, especially with alias\ndevices enabled, the device queue can change while dasd_profile_start()\nis accessing the queue. In the worst case this leads to a kernel panic\ndue to incorrect pointer accesses.\n\nFix this by taking the device lock before accessing the queue and\ncounting the requests. Additionally the check for a valid profile data\npointer can be done earlier to avoid unnecessary locking in a hot path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52774\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52774\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52774\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52774\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52774\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6062c527d0403cef27c54b91ac8390c3a497b250\",\n \"https://git.kernel.org/stable/c/9372aab5d0ff621ea203c8c603e7e5f75e888240\",\n \"https://git.kernel.org/stable/c/c841de6247e94e07566d57163d3c0d8b29278f7a\",\n \"https://git.kernel.org/stable/c/db46cd1e0426f52999d50fa72cfa97fa39952885\",\n \"https://git.kernel.org/stable/c/dc96fde8fcb2b896fd6c64802a7f4ece2e69b0be\",\n \"https://git.kernel.org/stable/c/ebdc569a07a3e8dbe66b4184922ad6f88ac0b96f\",\n \"https://git.kernel.org/stable/c/f1ac7789406e2ca9ac51c41ad2daa597f47bdd4d\",\n \"https://git.kernel.org/stable/c/f75617cc8df4155374132f0b500b0b3ebb967458\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/dasd: protect device queue against concurrent access\\n\\nIn dasd_profile_start() the amount of requests on the device queue are\\ncounted. The access to the device queue is unprotected against\\nconcurrent access. With a lot of parallel I/O, especially with alias\\ndevices enabled, the device queue can change while dasd_profile_start()\\nis accessing the queue. In the worst case this leads to a kernel panic\\ndue to incorrect pointer accesses.\\n\\nFix this by taking the device lock before accessing the queue and\\ncounting the requests. Additionally the check for a valid profile data\\npointer can be done earlier to avoid unnecessary locking in a hot path.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52774\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52775", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52775" + }, + { + "url": "https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c" + }, + { + "url": "https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1" + }, + { + "url": "https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c" + }, + { + "url": "https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add" + }, + { + "url": "https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52775 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52775", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: avoid data corruption caused by decline\n\nWe found a data corruption issue during testing of SMC-R on Redis\napplications.\n\nThe benchmark has a low probability of reporting a strange error as\nshown below.\n\n\"Error: Protocol error, got \"\\xe2\" as reply type byte\"\n\nFinally, we found that the retrieved error data was as follows:\n\n0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C\n0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00\n0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2\n\nIt is quite obvious that this is a SMC DECLINE message, which means that\nthe applications received SMC protocol message.\nWe found that this was caused by the following situations:\n\nclient server\n ¦ clc proposal\n ------------->\n ¦ clc accept\n <-------------\n ¦ clc confirm\n ------------->\nwait llc confirm\n\t\t\tsend llc confirm\n ¦failed llc confirm\n ¦ x------\n(after 2s)timeout\n wait llc confirm rsp\n\nwait decline\n\n(after 1s) timeout\n (after 2s) timeout\n ¦ decline\n -------------->\n ¦ decline\n <--------------\n\nAs a result, a decline message was sent in the implementation, and this\nmessage was read from TCP by the already-fallback connection.\n\nThis patch double the client timeout as 2x of the server value,\nWith this simple change, the Decline messages should never cross or\ncollide (during Confirm link timeout).\n\nThis issue requires an immediate solution, since the protocol updates\ninvolve a more long-term solution.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52775\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52775\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52775\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52775\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52775\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c\",\n \"https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1\",\n \"https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c\",\n \"https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add\",\n \"https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/smc: avoid data corruption caused by decline\\n\\nWe found a data corruption issue during testing of SMC-R on Redis\\napplications.\\n\\nThe benchmark has a low probability of reporting a strange error as\\nshown below.\\n\\n\\\"Error: Protocol error, got \\\"\\\\xe2\\\" as reply type byte\\\"\\n\\nFinally, we found that the retrieved error data was as follows:\\n\\n0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C\\n0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00\\n0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2\\n\\nIt is quite obvious that this is a SMC DECLINE message, which means that\\nthe applications received SMC protocol message.\\nWe found that this was caused by the following situations:\\n\\nclient server\\n ¦ clc proposal\\n ------------->\\n ¦ clc accept\\n <-------------\\n ¦ clc confirm\\n ------------->\\nwait llc confirm\\n\\t\\t\\tsend llc confirm\\n ¦failed llc confirm\\n ¦ x------\\n(after 2s)timeout\\n wait llc confirm rsp\\n\\nwait decline\\n\\n(after 1s) timeout\\n (after 2s) timeout\\n ¦ decline\\n -------------->\\n ¦ decline\\n <--------------\\n\\nAs a result, a decline message was sent in the implementation, and this\\nmessage was read from TCP by the already-fallback connection.\\n\\nThis patch double the client timeout as 2x of the server value,\\nWith this simple change, the Decline messages should never cross or\\ncollide (during Confirm link timeout).\\n\\nThis issue requires an immediate solution, since the protocol updates\\ninvolve a more long-term solution.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52775\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52781", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52781" + }, + { + "url": "https://git.kernel.org/stable/c/64c27b7b2357ddb38b6afebaf46d5bff4d250702" + }, + { + "url": "https://git.kernel.org/stable/c/7c0244cc311a4038505b73682b7c8ceaa5c7a8c8" + }, + { + "url": "https://git.kernel.org/stable/c/974bba5c118f4c2baf00de0356e3e4f7928b4cbc" + }, + { + "url": "https://git.kernel.org/stable/c/9ef94ec8e52eaf7b9abc5b5f8f5b911751112223" + }, + { + "url": "https://git.kernel.org/stable/c/f89fef7710b2ba0f7a1e46594e530dcf2f77be91" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52781 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52781", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: config: fix iteration issue in 'usb_get_bos_descriptor()'\n\nThe BOS descriptor defines a root descriptor and is the base descriptor for\naccessing a family of related descriptors.\n\nFunction 'usb_get_bos_descriptor()' encounters an iteration issue when\nskipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in\nthe same descriptor being read repeatedly.\n\nTo address this issue, a 'goto' statement is introduced to ensure that the\npointer and the amount read is updated correctly. This ensures that the\nfunction iterates to the next descriptor instead of reading the same\ndescriptor repeatedly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52781\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52781\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52781\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52781\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52781\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/64c27b7b2357ddb38b6afebaf46d5bff4d250702\",\n \"https://git.kernel.org/stable/c/7c0244cc311a4038505b73682b7c8ceaa5c7a8c8\",\n \"https://git.kernel.org/stable/c/974bba5c118f4c2baf00de0356e3e4f7928b4cbc\",\n \"https://git.kernel.org/stable/c/9ef94ec8e52eaf7b9abc5b5f8f5b911751112223\",\n \"https://git.kernel.org/stable/c/f89fef7710b2ba0f7a1e46594e530dcf2f77be91\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: config: fix iteration issue in 'usb_get_bos_descriptor()'\\n\\nThe BOS descriptor defines a root descriptor and is the base descriptor for\\naccessing a family of related descriptors.\\n\\nFunction 'usb_get_bos_descriptor()' encounters an iteration issue when\\nskipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in\\nthe same descriptor being read repeatedly.\\n\\nTo address this issue, a 'goto' statement is introduced to ensure that the\\npointer and the amount read is updated correctly. This ensures that the\\nfunction iterates to the next descriptor instead of reading the same\\ndescriptor repeatedly.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52781\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52784", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52784" + }, + { + "url": "https://git.kernel.org/stable/c/19554aa901b5833787df4417a05ccdebf351b7f4" + }, + { + "url": "https://git.kernel.org/stable/c/396baca6683f415b5bc2b380289387bef1406edc" + }, + { + "url": "https://git.kernel.org/stable/c/3cffa2ddc4d3fcf70cde361236f5a614f81a09b2" + }, + { + "url": "https://git.kernel.org/stable/c/53064e8239dd2ecfefc5634e991f1025abc2ee0c" + }, + { + "url": "https://git.kernel.org/stable/c/87c49806a37f88eddde3f537c162fd0c2834170c" + }, + { + "url": "https://git.kernel.org/stable/c/b4f0e605a508f6d7cda6df2f03a0c676b778b1fe" + }, + { + "url": "https://git.kernel.org/stable/c/d98c91215a5748a0f536e7ccea26027005196859" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52784 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52784", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: stop the device in bond_setup_by_slave()\n\nCommit 9eed321cde22 (\"net: lapbether: only support ethernet devices\")\nhas been able to keep syzbot away from net/lapb, until today.\n\nIn the following splat [1], the issue is that a lapbether device has\nbeen created on a bonding device without members. Then adding a non\nARPHRD_ETHER member forced the bonding master to change its type.\n\nThe fix is to make sure we call dev_close() in bond_setup_by_slave()\nso that the potential linked lapbether devices (or any other devices\nhaving assumptions on the physical device) are removed.\n\nA similar bug has been addressed in commit 40baec225765\n(\"bonding: fix panic on non-ARPHRD_ETHER enslave failure\")\n\n[1]\nskbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0\nkernel BUG at net/core/skbuff.c:192 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : skb_panic net/core/skbuff.c:188 [inline]\npc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nlr : skb_panic net/core/skbuff.c:188 [inline]\nlr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nsp : ffff800096a06aa0\nx29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000\nx26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea\nx23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140\nx20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100\nx17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001\nx14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00\nx8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001\nx5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c\nx2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086\nCall trace:\nskb_panic net/core/skbuff.c:188 [inline]\nskb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nskb_push+0xf0/0x108 net/core/skbuff.c:2446\nip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384\ndev_hard_header include/linux/netdevice.h:3136 [inline]\nlapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257\nlapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447\nlapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149\nlapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251\n__lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326\nlapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\ndev_close+0x174/0x250 net/core/dev.c:1585\nlapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\ndev_close+0x174/0x250 net/core/dev.c:1585\nbond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332\nbond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539\ndev_ifsioc+0x754/0x9ac\ndev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786\nsock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217\nsock_ioctl+0x4e8/0x834 net/socket.c:1322\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52784\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52784\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52784\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52784\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52784\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19554aa901b5833787df4417a05ccdebf351b7f4\",\n \"https://git.kernel.org/stable/c/396baca6683f415b5bc2b380289387bef1406edc\",\n \"https://git.kernel.org/stable/c/3cffa2ddc4d3fcf70cde361236f5a614f81a09b2\",\n \"https://git.kernel.org/stable/c/53064e8239dd2ecfefc5634e991f1025abc2ee0c\",\n \"https://git.kernel.org/stable/c/87c49806a37f88eddde3f537c162fd0c2834170c\",\n \"https://git.kernel.org/stable/c/b4f0e605a508f6d7cda6df2f03a0c676b778b1fe\",\n \"https://git.kernel.org/stable/c/d98c91215a5748a0f536e7ccea26027005196859\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbonding: stop the device in bond_setup_by_slave()\\n\\nCommit 9eed321cde22 (\\\"net: lapbether: only support ethernet devices\\\")\\nhas been able to keep syzbot away from net/lapb, until today.\\n\\nIn the following splat [1], the issue is that a lapbether device has\\nbeen created on a bonding device without members. Then adding a non\\nARPHRD_ETHER member forced the bonding master to change its type.\\n\\nThe fix is to make sure we call dev_close() in bond_setup_by_slave()\\nso that the potential linked lapbether devices (or any other devices\\nhaving assumptions on the physical device) are removed.\\n\\nA similar bug has been addressed in commit 40baec225765\\n(\\\"bonding: fix panic on non-ARPHRD_ETHER enslave failure\\\")\\n\\n[1]\\nskbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0\\nkernel BUG at net/core/skbuff.c:192 !\\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\\nModules linked in:\\nCPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : skb_panic net/core/skbuff.c:188 [inline]\\npc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\\nlr : skb_panic net/core/skbuff.c:188 [inline]\\nlr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\\nsp : ffff800096a06aa0\\nx29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000\\nx26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea\\nx23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140\\nx20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100\\nx17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001\\nx14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000\\nx11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00\\nx8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001\\nx5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c\\nx2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086\\nCall trace:\\nskb_panic net/core/skbuff.c:188 [inline]\\nskb_under_panic+0x13c/0x140 net/core/skbuff.c:202\\nskb_push+0xf0/0x108 net/core/skbuff.c:2446\\nip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384\\ndev_hard_header include/linux/netdevice.h:3136 [inline]\\nlapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257\\nlapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447\\nlapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149\\nlapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251\\n__lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326\\nlapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492\\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\\ndev_close+0x174/0x250 net/core/dev.c:1585\\nlapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466\\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\\ndev_close+0x174/0x250 net/core/dev.c:1585\\nbond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332\\nbond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539\\ndev_ifsioc+0x754/0x9ac\\ndev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786\\nsock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217\\nsock_ioctl+0x4e8/0x834 net/socket.c:1322\\nvfs_ioctl fs/ioctl.c:51 [inline]\\n__do_\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52784\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52788", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52788" + }, + { + "url": "https://git.kernel.org/stable/c/10f49cdfd5fb342a1a9641930dc040c570694e98" + }, + { + "url": "https://git.kernel.org/stable/c/1566e8be73fd5fa424e88d2a4cffdc34f970f0e1" + }, + { + "url": "https://git.kernel.org/stable/c/471aa951bf1206d3c10d0daa67005b8e4db4ff83" + }, + { + "url": "https://git.kernel.org/stable/c/55db76caa782baa4a1bf02296e2773c38a524a3e" + }, + { + "url": "https://git.kernel.org/stable/c/bf8e105030083e7b71591cdf437e464bcd8a0c09" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52788 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52788", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni915/perf: Fix NULL deref bugs with drm_dbg() calls\n\nWhen i915 perf interface is not available dereferencing it will lead to\nNULL dereferences.\n\nAs returning -ENOTSUPP is pretty clear return when perf interface is not\navailable.\n\n[tursulin: added stable tag]\n(cherry picked from commit 36f27350ff745bd228ab04d7845dfbffc177a889)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52788\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52788\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52788\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52788\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52788\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10f49cdfd5fb342a1a9641930dc040c570694e98\",\n \"https://git.kernel.org/stable/c/1566e8be73fd5fa424e88d2a4cffdc34f970f0e1\",\n \"https://git.kernel.org/stable/c/471aa951bf1206d3c10d0daa67005b8e4db4ff83\",\n \"https://git.kernel.org/stable/c/55db76caa782baa4a1bf02296e2773c38a524a3e\",\n \"https://git.kernel.org/stable/c/bf8e105030083e7b71591cdf437e464bcd8a0c09\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni915/perf: Fix NULL deref bugs with drm_dbg() calls\\n\\nWhen i915 perf interface is not available dereferencing it will lead to\\nNULL dereferences.\\n\\nAs returning -ENOTSUPP is pretty clear return when perf interface is not\\navailable.\\n\\n[tursulin: added stable tag]\\n(cherry picked from commit 36f27350ff745bd228ab04d7845dfbffc177a889)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52788\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52789", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52789" + }, + { + "url": "https://git.kernel.org/stable/c/38cd56fc9de78bf3c878790785e8c231116ef9d3" + }, + { + "url": "https://git.kernel.org/stable/c/460284dfb10b207980c6f3f7046e33446ceb38ac" + }, + { + "url": "https://git.kernel.org/stable/c/4a24a31826246b15477399febd13292b0c9f0ee9" + }, + { + "url": "https://git.kernel.org/stable/c/4ef41a7f33ffe1a335e7db7e1564ddc6afad47cc" + }, + { + "url": "https://git.kernel.org/stable/c/6c80f48912b5bd4965352d1a9a989e21743a4a06" + }, + { + "url": "https://git.kernel.org/stable/c/7cebc86481bf16049e266f6774d90f2fd4f8d5d2" + }, + { + "url": "https://git.kernel.org/stable/c/8f8771757b130383732195497e47fba2aba76d3a" + }, + { + "url": "https://git.kernel.org/stable/c/909963e0c16778cec28efb1affc21558825f4200" + }, + { + "url": "https://git.kernel.org/stable/c/d81ffb87aaa75f842cd7aa57091810353755b3e6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52789 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52789", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: vcc: Add check for kstrdup() in vcc_probe()\n\nAdd check for the return value of kstrdup() and return the error, if it\nfails in order to avoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52789\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52789\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52789\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52789\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52789\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/38cd56fc9de78bf3c878790785e8c231116ef9d3\",\n \"https://git.kernel.org/stable/c/460284dfb10b207980c6f3f7046e33446ceb38ac\",\n \"https://git.kernel.org/stable/c/4a24a31826246b15477399febd13292b0c9f0ee9\",\n \"https://git.kernel.org/stable/c/4ef41a7f33ffe1a335e7db7e1564ddc6afad47cc\",\n \"https://git.kernel.org/stable/c/6c80f48912b5bd4965352d1a9a989e21743a4a06\",\n \"https://git.kernel.org/stable/c/7cebc86481bf16049e266f6774d90f2fd4f8d5d2\",\n \"https://git.kernel.org/stable/c/8f8771757b130383732195497e47fba2aba76d3a\",\n \"https://git.kernel.org/stable/c/909963e0c16778cec28efb1affc21558825f4200\",\n \"https://git.kernel.org/stable/c/d81ffb87aaa75f842cd7aa57091810353755b3e6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: vcc: Add check for kstrdup() in vcc_probe()\\n\\nAdd check for the return value of kstrdup() and return the error, if it\\nfails in order to avoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52789\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52791", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52791" + }, + { + "url": "https://git.kernel.org/stable/c/185f3617adc8fe45e40489b458f03911f0dec46c" + }, + { + "url": "https://git.kernel.org/stable/c/25284c46b657f48c0f3880a2e0706c70d81182c0" + }, + { + "url": "https://git.kernel.org/stable/c/25eb381a736e7ae39a4245ef5c96484eb1073809" + }, + { + "url": "https://git.kernel.org/stable/c/3473cf43b9068b9dfef2f545f833f33c6a544b91" + }, + { + "url": "https://git.kernel.org/stable/c/8c3fa52a46ff4d208cefb1a462ec94e0043a91e1" + }, + { + "url": "https://git.kernel.org/stable/c/aa49c90894d06e18a1ee7c095edbd2f37c232d02" + }, + { + "url": "https://git.kernel.org/stable/c/f6237afabc349c1c7909db00e15d2816519e0d2b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52791 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52791", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: core: Run atomic i2c xfer when !preemptible\n\nSince bae1d3a05a8b, i2c transfers are non-atomic if preemption is\ndisabled. However, non-atomic i2c transfers require preemption (e.g. in\nwait_for_completion() while waiting for the DMA).\n\npanic() calls preempt_disable_notrace() before calling\nemergency_restart(). Therefore, if an i2c device is used for the\nrestart, the xfer should be atomic. This avoids warnings like:\n\n[ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0\n[ 12.676926] Voluntary context switch within RCU read-side critical section!\n...\n[ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114\n[ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70\n...\n[ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58\n[ 13.001050] machine_restart from panic+0x2a8/0x32c\n\nUse !preemptible() instead, which is basically the same check as\npre-v5.2.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52791\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52791\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52791\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52791\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52791\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/185f3617adc8fe45e40489b458f03911f0dec46c\",\n \"https://git.kernel.org/stable/c/25284c46b657f48c0f3880a2e0706c70d81182c0\",\n \"https://git.kernel.org/stable/c/25eb381a736e7ae39a4245ef5c96484eb1073809\",\n \"https://git.kernel.org/stable/c/3473cf43b9068b9dfef2f545f833f33c6a544b91\",\n \"https://git.kernel.org/stable/c/8c3fa52a46ff4d208cefb1a462ec94e0043a91e1\",\n \"https://git.kernel.org/stable/c/aa49c90894d06e18a1ee7c095edbd2f37c232d02\",\n \"https://git.kernel.org/stable/c/f6237afabc349c1c7909db00e15d2816519e0d2b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: core: Run atomic i2c xfer when !preemptible\\n\\nSince bae1d3a05a8b, i2c transfers are non-atomic if preemption is\\ndisabled. However, non-atomic i2c transfers require preemption (e.g. in\\nwait_for_completion() while waiting for the DMA).\\n\\npanic() calls preempt_disable_notrace() before calling\\nemergency_restart(). Therefore, if an i2c device is used for the\\nrestart, the xfer should be atomic. This avoids warnings like:\\n\\n[ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0\\n[ 12.676926] Voluntary context switch within RCU read-side critical section!\\n...\\n[ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114\\n[ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70\\n...\\n[ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58\\n[ 13.001050] machine_restart from panic+0x2a8/0x32c\\n\\nUse !preemptible() instead, which is basically the same check as\\npre-v5.2.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52791\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52796", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52796" + }, + { + "url": "https://git.kernel.org/stable/c/03cddc4df8c6be47fd27c8f8b87e5f9a989e1458" + }, + { + "url": "https://git.kernel.org/stable/c/18f039428c7df183b09c69ebf10ffd4e521035d2" + }, + { + "url": "https://git.kernel.org/stable/c/1f64cad3ac38ac5978b53c40e6c5e6fd3477c68f" + }, + { + "url": "https://git.kernel.org/stable/c/43b781e7cb5cd0b435de276111953bf2bacd1f02" + }, + { + "url": "https://git.kernel.org/stable/c/4d2d30f0792b47908af64c4d02ed1ee25ff50542" + }, + { + "url": "https://git.kernel.org/stable/c/4f7f850611aa27aaaf1bf5687702ad2240ae442a" + }, + { + "url": "https://git.kernel.org/stable/c/732a67ca436887b594ebc43bb5a04ffb0971a760" + }, + { + "url": "https://git.kernel.org/stable/c/8872dc638c24bb774cd2224a69d72a7f661a4d56" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52796 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52796", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: add ipvlan_route_v6_outbound() helper\n\nInspired by syzbot reports using a stack of multiple ipvlan devices.\n\nReduce stack size needed in ipvlan_process_v6_outbound() by moving\nthe flowi6 struct used for the route lookup in an non inlined\nhelper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,\nimmediately reclaimed.\n\nAlso make sure ipvlan_process_v4_outbound() is not inlined.\n\nWe might also have to lower MAX_NEST_DEV, because only syzbot uses\nsetups with more than four stacked devices.\n\nBUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)\nstack guard page: 0000 [#1] SMP KASAN\nCPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nRIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188\nCode: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89\nRSP: 0018:ffffc9000e804000 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2\nRDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568\nRBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c\nR13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000\nFS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<#DF>\n\n\n[] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31\n[] instrument_atomic_read include/linux/instrumented.h:72 [inline]\n[] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n[] cpumask_test_cpu include/linux/cpumask.h:506 [inline]\n[] cpu_online include/linux/cpumask.h:1092 [inline]\n[] trace_lock_acquire include/trace/events/lock.h:24 [inline]\n[] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632\n[] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306\n[] rcu_read_lock include/linux/rcupdate.h:747 [inline]\n[] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221\n[] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606\n[] pol_lookup_func include/net/ip6_fib.h:584 [inline]\n[] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116\n[] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638\n[] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651\n[] ip6_route_output include/net/ip6_route.h:100 [inline]\n[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]\n[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\n[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n[] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\n[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]\n[] xmit_one net/core/dev.c:3644 [inline]\n[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\n[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\n[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]\n[] neigh_hh_output include/net/neighbour.h:529 [inline]\n[ 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89\\nRSP: 0018:ffffc9000e804000 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2\\nRDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568\\nRBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c\\nR13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000\\nFS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n<#DF>\\n\\n\\n[] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31\\n[] instrument_atomic_read include/linux/instrumented.h:72 [inline]\\n[] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\\n[] cpumask_test_cpu include/linux/cpumask.h:506 [inline]\\n[] cpu_online include/linux/cpumask.h:1092 [inline]\\n[] trace_lock_acquire include/trace/events/lock.h:24 [inline]\\n[] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632\\n[] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306\\n[] rcu_read_lock include/linux/rcupdate.h:747 [inline]\\n[] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221\\n[] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606\\n[] pol_lookup_func include/net/ip6_fib.h:584 [inline]\\n[] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116\\n[] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638\\n[] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651\\n[] ip6_route_output include/net/ip6_route.h:100 [inline]\\n[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]\\n[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\\n[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\\n[] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\\n[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\\n[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]\\n[] xmit_one net/core/dev.c:3644 [inline]\\n[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\\n[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\\n[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]\\n[] neigh_hh_output include/net/neighbour.h:529 [inline]\\n[dm_stree. To add\nthe required check for out of bound we first need to determine the type\nof dmtree. Thus added an extra parameter to dbFindLeaf so that the type\nof tree can be determined and the required check can be applied.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52799\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52799\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52799\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52799\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52799\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/20f9310a18e3e99fc031e036fcbed67105ae1859\",\n \"https://git.kernel.org/stable/c/22cad8bc1d36547cdae0eef316c47d917ce3147c\",\n \"https://git.kernel.org/stable/c/81aa58cd8495b8c3b527f58ccbe19478d8087f61\",\n \"https://git.kernel.org/stable/c/86df90f3fea7c5591f05c8a0010871d435e83046\",\n \"https://git.kernel.org/stable/c/87c681ab49e99039ff2dd3e71852417381b13878\",\n \"https://git.kernel.org/stable/c/88b7894a8f8705bf4e7ea90b10229376abf14514\",\n \"https://git.kernel.org/stable/c/a50b796d36719757526ee094c703378895ab5e67\",\n \"https://git.kernel.org/stable/c/da3da5e1e6f71c21d8e6149d7076d936ef5d4cb9\",\n \"https://git.kernel.org/stable/c/ecfb47f13b08b02cf28b7b50d4941eefa21954d2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: fix array-index-out-of-bounds in dbFindLeaf\\n\\nCurrently while searching for dmtree_t for sufficient free blocks there\\nis an array out of bounds while getting element in tp->dm_stree. To add\\nthe required check for out of bound we first need to determine the type\\nof dmtree. Thus added an extra parameter to dbFindLeaf so that the type\\nof tree can be determined and the required check can be applied.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52799\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52800", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52800" + }, + { + "url": "https://git.kernel.org/stable/c/03ed26935bebf6b6fd8a656490bf3dcc71b72679" + }, + { + "url": "https://git.kernel.org/stable/c/3a51e6b4da71fdfa43ec006d6abc020f3e22d14e" + }, + { + "url": "https://git.kernel.org/stable/c/3f77c7d605b29df277d77e9ee75d96e7ad145d2d" + }, + { + "url": "https://git.kernel.org/stable/c/423762f021825b5e57c3d6f01ff96a9ff19cdcd8" + }, + { + "url": "https://git.kernel.org/stable/c/69cede2a5a5f60e3f5602b901b52cb64edd2ea6c" + }, + { + "url": "https://git.kernel.org/stable/c/e3199b3fac65c9f103055390b6fd07c5cffa5961" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52800 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52800", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix htt pktlog locking\n\nThe ath11k active pdevs are protected by RCU but the htt pktlog handling\ncode calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\nread-side critical section.\n\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\n\nCompile tested only.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52800\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52800\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52800\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52800\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52800\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03ed26935bebf6b6fd8a656490bf3dcc71b72679\",\n \"https://git.kernel.org/stable/c/3a51e6b4da71fdfa43ec006d6abc020f3e22d14e\",\n \"https://git.kernel.org/stable/c/3f77c7d605b29df277d77e9ee75d96e7ad145d2d\",\n \"https://git.kernel.org/stable/c/423762f021825b5e57c3d6f01ff96a9ff19cdcd8\",\n \"https://git.kernel.org/stable/c/69cede2a5a5f60e3f5602b901b52cb64edd2ea6c\",\n \"https://git.kernel.org/stable/c/e3199b3fac65c9f103055390b6fd07c5cffa5961\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath11k: fix htt pktlog locking\\n\\nThe ath11k active pdevs are protected by RCU but the htt pktlog handling\\ncode calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\\nread-side critical section.\\n\\nMark the code in question as an RCU read-side critical section to avoid\\nany potential use-after-free issues.\\n\\nCompile tested only.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52800\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52802", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52802" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52802 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52802", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52802\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52802\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52802\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52802\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52802\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52802\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52803", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52803" + }, + { + "url": "https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a" + }, + { + "url": "https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df" + }, + { + "url": "https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618" + }, + { + "url": "https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680" + }, + { + "url": "https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5" + }, + { + "url": "https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264" + }, + { + "url": "https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a" + }, + { + "url": "https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52803 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52803", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\n\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\nworkqueue,which takes care about pipefs superblock locking.\nIn some special scenarios, when kernel frees the pipefs sb of the\ncurrent client and immediately alloctes a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\n\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\n\nThis error can be catched by KASAN:\n=========================================================\n[ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[ 250.500549] Workqueue: events rpc_free_client_work\n[ 250.501001] Call Trace:\n[ 250.502880] kasan_report+0xb6/0xf0\n[ 250.503209] ? dget_parent+0x195/0x200\n[ 250.503561] dget_parent+0x195/0x200\n[ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[ 250.504384] rpc_rmdir_depopulate+0x1b/0x90\n[ 250.504781] rpc_remove_client_dir+0xf5/0x150\n[ 250.505195] rpc_free_client_work+0xe4/0x230\n[ 250.505598] process_one_work+0x8ee/0x13b0\n...\n[ 22.039056] Allocated by task 244:\n[ 22.039390] kasan_save_stack+0x22/0x50\n[ 22.039758] kasan_set_track+0x25/0x30\n[ 22.040109] __kasan_slab_alloc+0x59/0x70\n[ 22.040487] kmem_cache_alloc_lru+0xf0/0x240\n[ 22.040889] __d_alloc+0x31/0x8e0\n[ 22.041207] d_alloc+0x44/0x1f0\n[ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140\n[ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110\n[ 22.042459] rpc_create_client_dir+0x34/0x150\n[ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0\n[ 22.043284] rpc_client_register+0x136/0x4e0\n[ 22.043689] rpc_new_client+0x911/0x1020\n[ 22.044057] rpc_create_xprt+0xcb/0x370\n[ 22.044417] rpc_create+0x36b/0x6c0\n...\n[ 22.049524] Freed by task 0:\n[ 22.049803] kasan_save_stack+0x22/0x50\n[ 22.050165] kasan_set_track+0x25/0x30\n[ 22.050520] kasan_save_free_info+0x2b/0x50\n[ 22.050921] __kasan_slab_free+0x10e/0x1a0\n[ 22.051306] kmem_cache_free+0xa5/0x390\n[ 22.051667] rcu_core+0x62c/0x1930\n[ 22.051995] __do_softirq+0x165/0x52a\n[ 22.052347]\n[ 22.052503] Last potentially related work creation:\n[ 22.052952] kasan_save_stack+0x22/0x50\n[ 22.053313] __kasan_record_aux_stack+0x8e/0xa0\n[ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0\n[ 22.054209] dentry_free+0xb2/0x140\n[ 22.054540] __dentry_kill+0x3be/0x540\n[ 22.054900] shrink_dentry_list+0x199/0x510\n[ 22.055293] shrink_dcache_parent+0x190/0x240\n[ 22.055703] do_one_tree+0x11/0x40\n[ 22.056028] shrink_dcache_for_umount+0x61/0x140\n[ 22.056461] generic_shutdown_super+0x70/0x590\n[ 22.056879] kill_anon_super+0x3a/0x60\n[ 22.057234] rpc_kill_sb+0x121/0x200", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52803\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52803\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52803\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52803\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52803\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a\",\n \"https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df\",\n \"https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618\",\n \"https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680\",\n \"https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5\",\n \"https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264\",\n \"https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a\",\n \"https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\\n\\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\\nworkqueue,which takes care about pipefs superblock locking.\\nIn some special scenarios, when kernel frees the pipefs sb of the\\ncurrent client and immediately alloctes a new pipefs sb,\\nrpc_remove_pipedir function would misjudge the existence of pipefs\\nsb which is not the one it used to hold. As a result,\\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\\n\\nTo fix this issue, rpc_remove_pipedir should check whether the\\ncurrent pipefs sb is consistent with the original pipefs sb.\\n\\nThis error can be catched by KASAN:\\n=========================================================\\n[ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\\n[ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\\n[ 250.500549] Workqueue: events rpc_free_client_work\\n[ 250.501001] Call Trace:\\n[ 250.502880] kasan_report+0xb6/0xf0\\n[ 250.503209] ? dget_parent+0x195/0x200\\n[ 250.503561] dget_parent+0x195/0x200\\n[ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10\\n[ 250.504384] rpc_rmdir_depopulate+0x1b/0x90\\n[ 250.504781] rpc_remove_client_dir+0xf5/0x150\\n[ 250.505195] rpc_free_client_work+0xe4/0x230\\n[ 250.505598] process_one_work+0x8ee/0x13b0\\n...\\n[ 22.039056] Allocated by task 244:\\n[ 22.039390] kasan_save_stack+0x22/0x50\\n[ 22.039758] kasan_set_track+0x25/0x30\\n[ 22.040109] __kasan_slab_alloc+0x59/0x70\\n[ 22.040487] kmem_cache_alloc_lru+0xf0/0x240\\n[ 22.040889] __d_alloc+0x31/0x8e0\\n[ 22.041207] d_alloc+0x44/0x1f0\\n[ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140\\n[ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110\\n[ 22.042459] rpc_create_client_dir+0x34/0x150\\n[ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0\\n[ 22.043284] rpc_client_register+0x136/0x4e0\\n[ 22.043689] rpc_new_client+0x911/0x1020\\n[ 22.044057] rpc_create_xprt+0xcb/0x370\\n[ 22.044417] rpc_create+0x36b/0x6c0\\n...\\n[ 22.049524] Freed by task 0:\\n[ 22.049803] kasan_save_stack+0x22/0x50\\n[ 22.050165] kasan_set_track+0x25/0x30\\n[ 22.050520] kasan_save_free_info+0x2b/0x50\\n[ 22.050921] __kasan_slab_free+0x10e/0x1a0\\n[ 22.051306] kmem_cache_free+0xa5/0x390\\n[ 22.051667] rcu_core+0x62c/0x1930\\n[ 22.051995] __do_softirq+0x165/0x52a\\n[ 22.052347]\\n[ 22.052503] Last potentially related work creation:\\n[ 22.052952] kasan_save_stack+0x22/0x50\\n[ 22.053313] __kasan_record_aux_stack+0x8e/0xa0\\n[ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0\\n[ 22.054209] dentry_free+0xb2/0x140\\n[ 22.054540] __dentry_kill+0x3be/0x540\\n[ 22.054900] shrink_dentry_list+0x199/0x510\\n[ 22.055293] shrink_dcache_parent+0x190/0x240\\n[ 22.055703] do_one_tree+0x11/0x40\\n[ 22.056028] shrink_dcache_for_umount+0x61/0x140\\n[ 22.056461] generic_shutdown_super+0x70/0x590\\n[ 22.056879] kill_anon_super+0x3a/0x60\\n[ 22.057234] rpc_kill_sb+0x121/0x200\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52803\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52804", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52804" + }, + { + "url": "https://git.kernel.org/stable/c/1f74d336990f37703a8eee77153463d65b67f70e" + }, + { + "url": "https://git.kernel.org/stable/c/2323de34a3ae61a9f9b544c18583f71cea86721f" + }, + { + "url": "https://git.kernel.org/stable/c/32bd8f1cbcf8b663e29dd1f908ba3a129541a11b" + }, + { + "url": "https://git.kernel.org/stable/c/5013f8269887642cca784adc8db9b5f0b771533f" + }, + { + "url": "https://git.kernel.org/stable/c/64933ab7b04881c6c18b21ff206c12278341c72e" + }, + { + "url": "https://git.kernel.org/stable/c/a0649e2dd4a3595b5595a29d0064d047c2fae2fb" + }, + { + "url": "https://git.kernel.org/stable/c/c6c8863fb3f57700ab583d875adda04caaf2278a" + }, + { + "url": "https://git.kernel.org/stable/c/ce15b0f1a431168f07b1cc6c9f71206a2db5c809" + }, + { + "url": "https://git.kernel.org/stable/c/dca403bb035a565bb98ecc1dda5d30f676feda40" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52804 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52804", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Add validity check for db_maxag and db_agpref\n\nBoth db_maxag and db_agpref are used as the index of the\ndb_agfree array, but there is currently no validity check for\ndb_maxag and db_agpref, which can lead to errors.\n\nThe following is related bug reported by Syzbot:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20\nindex 7936 is out of range for type 'atomic_t[128]'\n\nAdd checking that the values of db_maxag and db_agpref are valid\nindexes for the db_agfree array.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52804\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52804\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52804\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52804\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52804\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1f74d336990f37703a8eee77153463d65b67f70e\",\n \"https://git.kernel.org/stable/c/2323de34a3ae61a9f9b544c18583f71cea86721f\",\n \"https://git.kernel.org/stable/c/32bd8f1cbcf8b663e29dd1f908ba3a129541a11b\",\n \"https://git.kernel.org/stable/c/5013f8269887642cca784adc8db9b5f0b771533f\",\n \"https://git.kernel.org/stable/c/64933ab7b04881c6c18b21ff206c12278341c72e\",\n \"https://git.kernel.org/stable/c/a0649e2dd4a3595b5595a29d0064d047c2fae2fb\",\n \"https://git.kernel.org/stable/c/c6c8863fb3f57700ab583d875adda04caaf2278a\",\n \"https://git.kernel.org/stable/c/ce15b0f1a431168f07b1cc6c9f71206a2db5c809\",\n \"https://git.kernel.org/stable/c/dca403bb035a565bb98ecc1dda5d30f676feda40\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/jfs: Add validity check for db_maxag and db_agpref\\n\\nBoth db_maxag and db_agpref are used as the index of the\\ndb_agfree array, but there is currently no validity check for\\ndb_maxag and db_agpref, which can lead to errors.\\n\\nThe following is related bug reported by Syzbot:\\n\\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20\\nindex 7936 is out of range for type 'atomic_t[128]'\\n\\nAdd checking that the values of db_maxag and db_agpref are valid\\nindexes for the db_agfree array.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52804\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52805", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52805" + }, + { + "url": "https://git.kernel.org/stable/c/05d9ea1ceb62a55af6727a69269a4fd310edf483" + }, + { + "url": "https://git.kernel.org/stable/c/1708d0a9917fea579cc9da3d87b154285abd2cd8" + }, + { + "url": "https://git.kernel.org/stable/c/1ba7df5457dc1c1071c5f92ac11323533a6430e1" + }, + { + "url": "https://git.kernel.org/stable/c/2308d0fb0dc32446b4e6ca37cd09c30374bb64e9" + }, + { + "url": "https://git.kernel.org/stable/c/64f062baf202b82f54987a3f614a6c8f3e466641" + }, + { + "url": "https://git.kernel.org/stable/c/665b44e55c2767a4f899c3b18f49e9e1c9983777" + }, + { + "url": "https://git.kernel.org/stable/c/7467ca10a5ff09b0e87edf6c4d2a4bfdee69cf2c" + }, + { + "url": "https://git.kernel.org/stable/c/8c68af2af697ba2ba3b138be0c6d72e2ce3a3d6d" + }, + { + "url": "https://git.kernel.org/stable/c/cf7e3e84df36a9953796c737f080712f631d7083" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52805 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52805", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in diAlloc\n\nCurrently there is not check against the agno of the iag while\nallocating new inodes to avoid fragmentation problem. Added the check\nwhich is required.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52805\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52805\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52805\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52805\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52805\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05d9ea1ceb62a55af6727a69269a4fd310edf483\",\n \"https://git.kernel.org/stable/c/1708d0a9917fea579cc9da3d87b154285abd2cd8\",\n \"https://git.kernel.org/stable/c/1ba7df5457dc1c1071c5f92ac11323533a6430e1\",\n \"https://git.kernel.org/stable/c/2308d0fb0dc32446b4e6ca37cd09c30374bb64e9\",\n \"https://git.kernel.org/stable/c/64f062baf202b82f54987a3f614a6c8f3e466641\",\n \"https://git.kernel.org/stable/c/665b44e55c2767a4f899c3b18f49e9e1c9983777\",\n \"https://git.kernel.org/stable/c/7467ca10a5ff09b0e87edf6c4d2a4bfdee69cf2c\",\n \"https://git.kernel.org/stable/c/8c68af2af697ba2ba3b138be0c6d72e2ce3a3d6d\",\n \"https://git.kernel.org/stable/c/cf7e3e84df36a9953796c737f080712f631d7083\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: fix array-index-out-of-bounds in diAlloc\\n\\nCurrently there is not check against the agno of the iag while\\nallocating new inodes to avoid fragmentation problem. Added the check\\nwhich is required.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52805\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52806", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52806" + }, + { + "url": "https://git.kernel.org/stable/c/2527775616f3638f4fd54649eba8c7b84d5e4250" + }, + { + "url": "https://git.kernel.org/stable/c/25354bae4fc310c3928e8a42fda2d486f67745d7" + }, + { + "url": "https://git.kernel.org/stable/c/43b91df291c8802268ab3cfd8fccfdf135800ed4" + }, + { + "url": "https://git.kernel.org/stable/c/4a320da7f7cbdab2098b103c47f45d5061f42edd" + }, + { + "url": "https://git.kernel.org/stable/c/631a96e9eb4228ff75fce7e72d133ca81194797e" + }, + { + "url": "https://git.kernel.org/stable/c/758c7733cb821041f5fd403b7b97c0b95d319323" + }, + { + "url": "https://git.kernel.org/stable/c/7de25112de8222fd20564769e6c99dc9f9738a0b" + }, + { + "url": "https://git.kernel.org/stable/c/f93dc90c2e8ed664985e366aa6459ac83cdab236" + }, + { + "url": "https://git.kernel.org/stable/c/fe7c1a0c2b25c82807cb46fc3aadbf2664a682b0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52806 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52806", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Fix possible null-ptr-deref when assigning a stream\n\nWhile AudioDSP drivers assign streams exclusively of HOST or LINK type,\nnothing blocks a user to attempt to assign a COUPLED stream. As\nsupplied substream instance may be a stub, what is the case when\ncode-loading, such scenario ends with null-ptr-deref.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52806\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52806\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52806\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52806\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52806\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2527775616f3638f4fd54649eba8c7b84d5e4250\",\n \"https://git.kernel.org/stable/c/25354bae4fc310c3928e8a42fda2d486f67745d7\",\n \"https://git.kernel.org/stable/c/43b91df291c8802268ab3cfd8fccfdf135800ed4\",\n \"https://git.kernel.org/stable/c/4a320da7f7cbdab2098b103c47f45d5061f42edd\",\n \"https://git.kernel.org/stable/c/631a96e9eb4228ff75fce7e72d133ca81194797e\",\n \"https://git.kernel.org/stable/c/758c7733cb821041f5fd403b7b97c0b95d319323\",\n \"https://git.kernel.org/stable/c/7de25112de8222fd20564769e6c99dc9f9738a0b\",\n \"https://git.kernel.org/stable/c/f93dc90c2e8ed664985e366aa6459ac83cdab236\",\n \"https://git.kernel.org/stable/c/fe7c1a0c2b25c82807cb46fc3aadbf2664a682b0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: hda: Fix possible null-ptr-deref when assigning a stream\\n\\nWhile AudioDSP drivers assign streams exclusively of HOST or LINK type,\\nnothing blocks a user to attempt to assign a COUPLED stream. As\\nsupplied substream instance may be a stub, what is the case when\\ncode-loading, such scenario ends with null-ptr-deref.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52806\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52808", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52808" + }, + { + "url": "https://git.kernel.org/stable/c/33331b265aac9441ac0c1a5442e3f05d038240ec" + }, + { + "url": "https://git.kernel.org/stable/c/6de426f9276c448e2db7238911c97fb157cb23be" + }, + { + "url": "https://git.kernel.org/stable/c/75a2656260fe8c7eeabda6ff4600b29e183f48db" + }, + { + "url": "https://git.kernel.org/stable/c/b4465009e7d60c6111946db4c8f1e50d401ed7be" + }, + { + "url": "https://git.kernel.org/stable/c/f0bfc8a5561fb0b2c48183dcbfe00bdd6d973bd3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52808 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52808", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs\n\nIf init debugfs failed during device registration due to memory allocation\nfailure, debugfs_remove_recursive() is called, after which debugfs_dir is\nnot set to NULL. debugfs_remove_recursive() will be called again during\ndevice removal. As a result, illegal pointer is accessed.\n\n[ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs!\n...\n[ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[ 1669.872669] pc : down_write+0x24/0x70\n[ 1669.876315] lr : down_write+0x1c/0x70\n[ 1669.879961] sp : ffff000036f53a30\n[ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8\n[ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000\n[ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270\n[ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8\n[ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310\n[ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10\n[ 1669.914982] x17: 0000000000000000 x16: 0000000000000000\n[ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870\n[ 1669.925555] x13: 0000000000000040 x12: 0000000000000228\n[ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0\n[ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10\n[ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff\n[ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00\n[ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000\n[ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001\n[ 1669.962563] Call trace:\n[ 1669.965000] down_write+0x24/0x70\n[ 1669.968301] debugfs_remove_recursive+0x5c/0x1b0\n[ 1669.972905] hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main]\n[ 1669.978541] hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw]\n[ 1669.984175] pci_device_remove+0x48/0xd8\n[ 1669.988082] device_release_driver_internal+0x1b4/0x250\n[ 1669.993282] device_release_driver+0x28/0x38\n[ 1669.997534] pci_stop_bus_device+0x84/0xb8\n[ 1670.001611] pci_stop_and_remove_bus_device_locked+0x24/0x40\n[ 1670.007244] remove_store+0xfc/0x140\n[ 1670.010802] dev_attr_store+0x44/0x60\n[ 1670.014448] sysfs_kf_write+0x58/0x80\n[ 1670.018095] kernfs_fop_write+0xe8/0x1f0\n[ 1670.022000] __vfs_write+0x60/0x190\n[ 1670.025472] vfs_write+0xac/0x1c0\n[ 1670.028771] ksys_write+0x6c/0xd8\n[ 1670.032071] __arm64_sys_write+0x24/0x30\n[ 1670.035977] el0_svc_common+0x78/0x130\n[ 1670.039710] el0_svc_handler+0x38/0x78\n[ 1670.043442] el0_svc+0x8/0xc\n\nTo fix this, set debugfs_dir to NULL after debugfs_remove_recursive().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52808\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52808\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52808\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52808\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52808\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/33331b265aac9441ac0c1a5442e3f05d038240ec\",\n \"https://git.kernel.org/stable/c/6de426f9276c448e2db7238911c97fb157cb23be\",\n \"https://git.kernel.org/stable/c/75a2656260fe8c7eeabda6ff4600b29e183f48db\",\n \"https://git.kernel.org/stable/c/b4465009e7d60c6111946db4c8f1e50d401ed7be\",\n \"https://git.kernel.org/stable/c/f0bfc8a5561fb0b2c48183dcbfe00bdd6d973bd3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs\\n\\nIf init debugfs failed during device registration due to memory allocation\\nfailure, debugfs_remove_recursive() is called, after which debugfs_dir is\\nnot set to NULL. debugfs_remove_recursive() will be called again during\\ndevice removal. As a result, illegal pointer is accessed.\\n\\n[ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs!\\n...\\n[ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\\n[ 1669.872669] pc : down_write+0x24/0x70\\n[ 1669.876315] lr : down_write+0x1c/0x70\\n[ 1669.879961] sp : ffff000036f53a30\\n[ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8\\n[ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000\\n[ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270\\n[ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8\\n[ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310\\n[ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10\\n[ 1669.914982] x17: 0000000000000000 x16: 0000000000000000\\n[ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870\\n[ 1669.925555] x13: 0000000000000040 x12: 0000000000000228\\n[ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0\\n[ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10\\n[ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff\\n[ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00\\n[ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000\\n[ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001\\n[ 1669.962563] Call trace:\\n[ 1669.965000] down_write+0x24/0x70\\n[ 1669.968301] debugfs_remove_recursive+0x5c/0x1b0\\n[ 1669.972905] hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main]\\n[ 1669.978541] hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw]\\n[ 1669.984175] pci_device_remove+0x48/0xd8\\n[ 1669.988082] device_release_driver_internal+0x1b4/0x250\\n[ 1669.993282] device_release_driver+0x28/0x38\\n[ 1669.997534] pci_stop_bus_device+0x84/0xb8\\n[ 1670.001611] pci_stop_and_remove_bus_device_locked+0x24/0x40\\n[ 1670.007244] remove_store+0xfc/0x140\\n[ 1670.010802] dev_attr_store+0x44/0x60\\n[ 1670.014448] sysfs_kf_write+0x58/0x80\\n[ 1670.018095] kernfs_fop_write+0xe8/0x1f0\\n[ 1670.022000] __vfs_write+0x60/0x190\\n[ 1670.025472] vfs_write+0xac/0x1c0\\n[ 1670.028771] ksys_write+0x6c/0xd8\\n[ 1670.032071] __arm64_sys_write+0x24/0x30\\n[ 1670.035977] el0_svc_common+0x78/0x130\\n[ 1670.039710] el0_svc_handler+0x38/0x78\\n[ 1670.043442] el0_svc+0x8/0xc\\n\\nTo fix this, set debugfs_dir to NULL after debugfs_remove_recursive().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52808\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52809", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52809" + }, + { + "url": "https://git.kernel.org/stable/c/442fd24d7b6b29e4a9cd9225afba4142d5f522ba" + }, + { + "url": "https://git.kernel.org/stable/c/4df105f0ce9f6f30cda4e99f577150d23f0c9c5f" + }, + { + "url": "https://git.kernel.org/stable/c/56d78b5495ebecbb9395101f3be177cd0a52450b" + }, + { + "url": "https://git.kernel.org/stable/c/6b9ecf4e1032e645873933e5b43cbb84cac19106" + }, + { + "url": "https://git.kernel.org/stable/c/77072ec41d6ab3718c3fc639bc149b8037caedfa" + }, + { + "url": "https://git.kernel.org/stable/c/930f0aaba4820d6362de4e6ed569eaf444f1ea4e" + }, + { + "url": "https://git.kernel.org/stable/c/b549acf999824d4f751ca57965700372f2f3ad00" + }, + { + "url": "https://git.kernel.org/stable/c/bb83f79f90e92f46466adcfd4fd264a7ae0f0f01" + }, + { + "url": "https://git.kernel.org/stable/c/f6fe7261b92b21109678747f36df9fdab1e30c34" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52809 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52809", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()\n\nfc_lport_ptp_setup() did not check the return value of fc_rport_create()\nwhich can return NULL and would cause a NULL pointer dereference. Address\nthis issue by checking return value of fc_rport_create() and log error\nmessage on fc_rport_create() failed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52809\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52809\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52809\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52809\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52809\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/442fd24d7b6b29e4a9cd9225afba4142d5f522ba\",\n \"https://git.kernel.org/stable/c/4df105f0ce9f6f30cda4e99f577150d23f0c9c5f\",\n \"https://git.kernel.org/stable/c/56d78b5495ebecbb9395101f3be177cd0a52450b\",\n \"https://git.kernel.org/stable/c/6b9ecf4e1032e645873933e5b43cbb84cac19106\",\n \"https://git.kernel.org/stable/c/77072ec41d6ab3718c3fc639bc149b8037caedfa\",\n \"https://git.kernel.org/stable/c/930f0aaba4820d6362de4e6ed569eaf444f1ea4e\",\n \"https://git.kernel.org/stable/c/b549acf999824d4f751ca57965700372f2f3ad00\",\n \"https://git.kernel.org/stable/c/bb83f79f90e92f46466adcfd4fd264a7ae0f0f01\",\n \"https://git.kernel.org/stable/c/f6fe7261b92b21109678747f36df9fdab1e30c34\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()\\n\\nfc_lport_ptp_setup() did not check the return value of fc_rport_create()\\nwhich can return NULL and would cause a NULL pointer dereference. Address\\nthis issue by checking return value of fc_rport_create() and log error\\nmessage on fc_rport_create() failed.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52809\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52810", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52810" + }, + { + "url": "https://git.kernel.org/stable/c/0cb567e727339a192f9fd0db00781d73a91d15a6" + }, + { + "url": "https://git.kernel.org/stable/c/1a7c53fdea1d189087544d9a606d249e93c4934b" + }, + { + "url": "https://git.kernel.org/stable/c/491085258185ffc4fb91555b0dba895fe7656a45" + }, + { + "url": "https://git.kernel.org/stable/c/524b4f203afcf87accfe387e846f33f916f0c907" + }, + { + "url": "https://git.kernel.org/stable/c/525b861a008143048535011f3816d407940f4bfa" + }, + { + "url": "https://git.kernel.org/stable/c/5f148b16972e5f4592629b244d5109b15135f53f" + }, + { + "url": "https://git.kernel.org/stable/c/8f2964df6bfce9d92d81ca552010b8677af8d9dc" + }, + { + "url": "https://git.kernel.org/stable/c/a81a56b4cbe3142cc99f6b98e8f9b3a631c768e1" + }, + { + "url": "https://git.kernel.org/stable/c/cc61fcf7d1c99f148fe8ddfb5c6ed0bb75861f01" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52810 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52810", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Add check for negative db_l2nbperpage\n\nl2nbperpage is log2(number of blks per page), and the minimum legal\nvalue should be 0, not negative.\n\nIn the case of l2nbperpage being negative, an error will occur\nwhen subsequently used as shift exponent.\n\nSyzbot reported this bug:\n\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12\nshift exponent -16777216 is negative", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52810\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52810\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52810\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52810\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52810\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0cb567e727339a192f9fd0db00781d73a91d15a6\",\n \"https://git.kernel.org/stable/c/1a7c53fdea1d189087544d9a606d249e93c4934b\",\n \"https://git.kernel.org/stable/c/491085258185ffc4fb91555b0dba895fe7656a45\",\n \"https://git.kernel.org/stable/c/524b4f203afcf87accfe387e846f33f916f0c907\",\n \"https://git.kernel.org/stable/c/525b861a008143048535011f3816d407940f4bfa\",\n \"https://git.kernel.org/stable/c/5f148b16972e5f4592629b244d5109b15135f53f\",\n \"https://git.kernel.org/stable/c/8f2964df6bfce9d92d81ca552010b8677af8d9dc\",\n \"https://git.kernel.org/stable/c/a81a56b4cbe3142cc99f6b98e8f9b3a631c768e1\",\n \"https://git.kernel.org/stable/c/cc61fcf7d1c99f148fe8ddfb5c6ed0bb75861f01\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/jfs: Add check for negative db_l2nbperpage\\n\\nl2nbperpage is log2(number of blks per page), and the minimum legal\\nvalue should be 0, not negative.\\n\\nIn the case of l2nbperpage being negative, an error will occur\\nwhen subsequently used as shift exponent.\\n\\nSyzbot reported this bug:\\n\\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12\\nshift exponent -16777216 is negative\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52810\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52811", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52811" + }, + { + "url": "https://git.kernel.org/stable/c/88984ec4792766df5a9de7a2ff2b5f281f94c7d4" + }, + { + "url": "https://git.kernel.org/stable/c/8bbe784c2ff28d56ca0c548aaf3e584edc77052d" + }, + { + "url": "https://git.kernel.org/stable/c/b39f2d10b86d0af353ea339e5815820026bca48f" + }, + { + "url": "https://git.kernel.org/stable/c/d2af4ef80601224b90630c1ddc7cd2c7c8ab4dd8" + }, + { + "url": "https://git.kernel.org/stable/c/e1d1f79b1929dce470a5dc9281c574cd58e8c6c0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52811 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52811", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Remove BUG_ON in the case of an empty event pool\n\nIn practice the driver should never send more commands than are allocated\nto a queue's event pool. In the unlikely event that this happens, the code\nasserts a BUG_ON, and in the case that the kernel is not configured to\ncrash on panic returns a junk event pointer from the empty event list\ncausing things to spiral from there. This BUG_ON is a historical artifact\nof the ibmvfc driver first being upstreamed, and it is well known now that\nthe use of BUG_ON is bad practice except in the most unrecoverable\nscenario. There is nothing about this scenario that prevents the driver\nfrom recovering and carrying on.\n\nRemove the BUG_ON in question from ibmvfc_get_event() and return a NULL\npointer in the case of an empty event pool. Update all call sites to\nibmvfc_get_event() to check for a NULL pointer and perfrom the appropriate\nfailure or recovery action.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52811\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52811\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52811\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52811\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52811\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/88984ec4792766df5a9de7a2ff2b5f281f94c7d4\",\n \"https://git.kernel.org/stable/c/8bbe784c2ff28d56ca0c548aaf3e584edc77052d\",\n \"https://git.kernel.org/stable/c/b39f2d10b86d0af353ea339e5815820026bca48f\",\n \"https://git.kernel.org/stable/c/d2af4ef80601224b90630c1ddc7cd2c7c8ab4dd8\",\n \"https://git.kernel.org/stable/c/e1d1f79b1929dce470a5dc9281c574cd58e8c6c0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: ibmvfc: Remove BUG_ON in the case of an empty event pool\\n\\nIn practice the driver should never send more commands than are allocated\\nto a queue's event pool. In the unlikely event that this happens, the code\\nasserts a BUG_ON, and in the case that the kernel is not configured to\\ncrash on panic returns a junk event pointer from the empty event list\\ncausing things to spiral from there. This BUG_ON is a historical artifact\\nof the ibmvfc driver first being upstreamed, and it is well known now that\\nthe use of BUG_ON is bad practice except in the most unrecoverable\\nscenario. There is nothing about this scenario that prevents the driver\\nfrom recovering and carrying on.\\n\\nRemove the BUG_ON in question from ibmvfc_get_event() and return a NULL\\npointer in the case of an empty event pool. Update all call sites to\\nibmvfc_get_event() to check for a NULL pointer and perfrom the appropriate\\nfailure or recovery action.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52811\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52812", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52812" + }, + { + "url": "https://git.kernel.org/stable/c/09f617219fe9ccd8d7b65dc3e879b5889f663b5a" + }, + { + "url": "https://git.kernel.org/stable/c/406e8845356d18bdf3d3a23b347faf67706472ec" + }, + { + "url": "https://git.kernel.org/stable/c/5b4574b663d0a1a0a62d5232429b7db9ae6d0670" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52812 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52812", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: check num of link levels when update pcie param\n\nIn SR-IOV environment, the value of pcie_table->num_of_link_levels will\nbe 0, and num_of_levels - 1 will cause array index out of bounds", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52812\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52812\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52812\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52812\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52812\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09f617219fe9ccd8d7b65dc3e879b5889f663b5a\",\n \"https://git.kernel.org/stable/c/406e8845356d18bdf3d3a23b347faf67706472ec\",\n \"https://git.kernel.org/stable/c/5b4574b663d0a1a0a62d5232429b7db9ae6d0670\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd: check num of link levels when update pcie param\\n\\nIn SR-IOV environment, the value of pcie_table->num_of_link_levels will\\nbe 0, and num_of_levels - 1 will cause array index out of bounds\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52812\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52813", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52813" + }, + { + "url": "https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0" + }, + { + "url": "https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28" + }, + { + "url": "https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316" + }, + { + "url": "https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523" + }, + { + "url": "https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e" + }, + { + "url": "https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7" + }, + { + "url": "https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf" + }, + { + "url": "https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d" + }, + { + "url": "https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52813 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52813", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\n\nWe found a hungtask bug in test_aead_vec_cfg as follows:\n\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nCall trace:\n __switch_to+0x98/0xe0\n __schedule+0x6c4/0xf40\n schedule+0xd8/0x1b4\n schedule_timeout+0x474/0x560\n wait_for_common+0x368/0x4e0\n wait_for_completion+0x20/0x30\n wait_for_completion+0x20/0x30\n test_aead_vec_cfg+0xab4/0xd50\n test_aead+0x144/0x1f0\n alg_test_aead+0xd8/0x1e0\n alg_test+0x634/0x890\n cryptomgr_test+0x40/0x70\n kthread+0x1e0/0x220\n ret_from_fork+0x10/0x18\n Kernel panic - not syncing: hung_task: blocked tasks\n\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\nwait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\nreturn err is 0 for padata_do_parallel. But, when pinst->flags is\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\nwon't call aead_request_complete(). Therefore, test_aead_vec_cfg will\nhung at wait_for_completion(&wait->completion), which will cause\nhungtask.\n\nThe problem comes as following:\n(padata_do_parallel) |\n rcu_read_lock_bh(); |\n err = -EINVAL; | (padata_replace)\n | pinst->flags |= PADATA_RESET;\n err = -EBUSY |\n if (pinst->flags & PADATA_RESET) |\n rcu_read_unlock_bh() |\n return err\n\nIn order to resolve the problem, we replace the return err -EBUSY with\n-EAGAIN, which means parallel_data is changing, and the caller should call\nit again.\n\nv3:\nremove retry and just change the return err.\nv2:\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\npcrypt_aead_decrypt to solve the hungtask.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52813\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52813\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52813\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52813\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52813\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0\",\n \"https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28\",\n \"https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316\",\n \"https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523\",\n \"https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e\",\n \"https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7\",\n \"https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf\",\n \"https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d\",\n \"https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\\n\\nWe found a hungtask bug in test_aead_vec_cfg as follows:\\n\\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\\n\\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\nCall trace:\\n __switch_to+0x98/0xe0\\n __schedule+0x6c4/0xf40\\n schedule+0xd8/0x1b4\\n schedule_timeout+0x474/0x560\\n wait_for_common+0x368/0x4e0\\n wait_for_completion+0x20/0x30\\n wait_for_completion+0x20/0x30\\n test_aead_vec_cfg+0xab4/0xd50\\n test_aead+0x144/0x1f0\\n alg_test_aead+0xd8/0x1e0\\n alg_test+0x634/0x890\\n cryptomgr_test+0x40/0x70\\n kthread+0x1e0/0x220\\n ret_from_fork+0x10/0x18\\n Kernel panic - not syncing: hung_task: blocked tasks\\n\\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\\nwait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal\\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\\nreturn err is 0 for padata_do_parallel. But, when pinst->flags is\\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\\nwon't call aead_request_complete(). Therefore, test_aead_vec_cfg will\\nhung at wait_for_completion(&wait->completion), which will cause\\nhungtask.\\n\\nThe problem comes as following:\\n(padata_do_parallel) |\\n rcu_read_lock_bh(); |\\n err = -EINVAL; | (padata_replace)\\n | pinst->flags |= PADATA_RESET;\\n err = -EBUSY |\\n if (pinst->flags & PADATA_RESET) |\\n rcu_read_unlock_bh() |\\n return err\\n\\nIn order to resolve the problem, we replace the return err -EBUSY with\\n-EAGAIN, which means parallel_data is changing, and the caller should call\\nit again.\\n\\nv3:\\nremove retry and just change the return err.\\nv2:\\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\\npcrypt_aead_decrypt to solve the hungtask.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52813\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52815", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52815" + }, + { + "url": "https://git.kernel.org/stable/c/33fb1a555354bd593f785935ddcb5d9dd4d3847f" + }, + { + "url": "https://git.kernel.org/stable/c/70f831f21155c692bb336c434936fd6f24f3f81a" + }, + { + "url": "https://git.kernel.org/stable/c/8c6c85a073768df68c1a3fea143d013a38c66d34" + }, + { + "url": "https://git.kernel.org/stable/c/cd90511557fdfb394bb4ac4c3b539b007383914c" + }, + { + "url": "https://git.kernel.org/stable/c/eaa03ea366c85ae3cb69c8d4bbc67c8bc2167a27" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52815 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52815", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vkms: fix a possible null pointer dereference\n\nIn amdgpu_vkms_conn_get_modes(), the return value of drm_cvt_mode()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_cvt_mode(). Add a check to avoid null pointer\ndereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52815\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52815\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52815\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52815\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52815\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/33fb1a555354bd593f785935ddcb5d9dd4d3847f\",\n \"https://git.kernel.org/stable/c/70f831f21155c692bb336c434936fd6f24f3f81a\",\n \"https://git.kernel.org/stable/c/8c6c85a073768df68c1a3fea143d013a38c66d34\",\n \"https://git.kernel.org/stable/c/cd90511557fdfb394bb4ac4c3b539b007383914c\",\n \"https://git.kernel.org/stable/c/eaa03ea366c85ae3cb69c8d4bbc67c8bc2167a27\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu/vkms: fix a possible null pointer dereference\\n\\nIn amdgpu_vkms_conn_get_modes(), the return value of drm_cvt_mode()\\nis assigned to mode, which will lead to a NULL pointer dereference\\non failure of drm_cvt_mode(). Add a check to avoid null pointer\\ndereference.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52815\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52816", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52816" + }, + { + "url": "https://git.kernel.org/stable/c/2806f880379232e789957c2078d612669eb7a69c" + }, + { + "url": "https://git.kernel.org/stable/c/282c1d793076c2edac6c3db51b7e8ed2b41d60a5" + }, + { + "url": "https://git.kernel.org/stable/c/3f7a400d5e80f99581e3e8a9843e1f6118bf454f" + }, + { + "url": "https://git.kernel.org/stable/c/56649c43d40ce0147465a2d5756d300e87f9ee1c" + }, + { + "url": "https://git.kernel.org/stable/c/d33a35b13cbfec3238043f196fa87a6384f9d087" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52816 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52816", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix shift out-of-bounds issue\n\n[ 567.613292] shift exponent 255 is too large for 64-bit type 'long unsigned int'\n[ 567.614498] CPU: 5 PID: 238 Comm: kworker/5:1 Tainted: G OE 6.2.0-34-generic #34~22.04.1-Ubuntu\n[ 567.614502] Hardware name: AMD Splinter/Splinter-RPL, BIOS WS43927N_871 09/25/2023\n[ 567.614504] Workqueue: events send_exception_work_handler [amdgpu]\n[ 567.614748] Call Trace:\n[ 567.614750] \n[ 567.614753] dump_stack_lvl+0x48/0x70\n[ 567.614761] dump_stack+0x10/0x20\n[ 567.614763] __ubsan_handle_shift_out_of_bounds+0x156/0x310\n[ 567.614769] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.614773] ? update_sd_lb_stats.constprop.0+0xf2/0x3c0\n[ 567.614780] svm_range_split_by_granularity.cold+0x2b/0x34 [amdgpu]\n[ 567.615047] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.615052] svm_migrate_to_ram+0x185/0x4d0 [amdgpu]\n[ 567.615286] do_swap_page+0x7b6/0xa30\n[ 567.615291] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.615294] ? __free_pages+0x119/0x130\n[ 567.615299] handle_pte_fault+0x227/0x280\n[ 567.615303] __handle_mm_fault+0x3c0/0x720\n[ 567.615311] handle_mm_fault+0x119/0x330\n[ 567.615314] ? lock_mm_and_find_vma+0x44/0x250\n[ 567.615318] do_user_addr_fault+0x1a9/0x640\n[ 567.615323] exc_page_fault+0x81/0x1b0\n[ 567.615328] asm_exc_page_fault+0x27/0x30\n[ 567.615332] RIP: 0010:__get_user_8+0x1c/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52816\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52816\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52816\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52816\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52816\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2806f880379232e789957c2078d612669eb7a69c\",\n \"https://git.kernel.org/stable/c/282c1d793076c2edac6c3db51b7e8ed2b41d60a5\",\n \"https://git.kernel.org/stable/c/3f7a400d5e80f99581e3e8a9843e1f6118bf454f\",\n \"https://git.kernel.org/stable/c/56649c43d40ce0147465a2d5756d300e87f9ee1c\",\n \"https://git.kernel.org/stable/c/d33a35b13cbfec3238043f196fa87a6384f9d087\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdkfd: Fix shift out-of-bounds issue\\n\\n[ 567.613292] shift exponent 255 is too large for 64-bit type 'long unsigned int'\\n[ 567.614498] CPU: 5 PID: 238 Comm: kworker/5:1 Tainted: G OE 6.2.0-34-generic #34~22.04.1-Ubuntu\\n[ 567.614502] Hardware name: AMD Splinter/Splinter-RPL, BIOS WS43927N_871 09/25/2023\\n[ 567.614504] Workqueue: events send_exception_work_handler [amdgpu]\\n[ 567.614748] Call Trace:\\n[ 567.614750] \\n[ 567.614753] dump_stack_lvl+0x48/0x70\\n[ 567.614761] dump_stack+0x10/0x20\\n[ 567.614763] __ubsan_handle_shift_out_of_bounds+0x156/0x310\\n[ 567.614769] ? srso_alias_return_thunk+0x5/0x7f\\n[ 567.614773] ? update_sd_lb_stats.constprop.0+0xf2/0x3c0\\n[ 567.614780] svm_range_split_by_granularity.cold+0x2b/0x34 [amdgpu]\\n[ 567.615047] ? srso_alias_return_thunk+0x5/0x7f\\n[ 567.615052] svm_migrate_to_ram+0x185/0x4d0 [amdgpu]\\n[ 567.615286] do_swap_page+0x7b6/0xa30\\n[ 567.615291] ? srso_alias_return_thunk+0x5/0x7f\\n[ 567.615294] ? __free_pages+0x119/0x130\\n[ 567.615299] handle_pte_fault+0x227/0x280\\n[ 567.615303] __handle_mm_fault+0x3c0/0x720\\n[ 567.615311] handle_mm_fault+0x119/0x330\\n[ 567.615314] ? lock_mm_and_find_vma+0x44/0x250\\n[ 567.615318] do_user_addr_fault+0x1a9/0x640\\n[ 567.615323] exc_page_fault+0x81/0x1b0\\n[ 567.615328] asm_exc_page_fault+0x27/0x30\\n[ 567.615332] RIP: 0010:__get_user_8+0x1c/0x30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52816\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52817", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52817" + }, + { + "url": "https://git.kernel.org/stable/c/174f62a0aa15c211e60208b41ee9e7cdfb73d455" + }, + { + "url": "https://git.kernel.org/stable/c/437e0fa907ba39b4d7eda863c03ea9cf48bd93a9" + }, + { + "url": "https://git.kernel.org/stable/c/5104fdf50d326db2c1a994f8b35dcd46e63ae4ad" + }, + { + "url": "https://git.kernel.org/stable/c/6c1b3d89a2dda79881726bb6e37af19c0936d736" + }, + { + "url": "https://git.kernel.org/stable/c/820daf9ffe2b0afb804567b10983fb38bc5ae288" + }, + { + "url": "https://git.kernel.org/stable/c/ba3c0796d292de84f2932cc5bbb0f771fc720996" + }, + { + "url": "https://git.kernel.org/stable/c/bf2d51eedf03bd61e3556e35d74d49e2e6112398" + }, + { + "url": "https://git.kernel.org/stable/c/f475d5502f33a6c5b149b0afe96316ad1962a64a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52817 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52817", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\n\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\n\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log::\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636] \n[4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002] full_proxy_read+0x5c/0x80\n[4005007.703011] vfs_read+0x9f/0x1a0\n[4005007.703019] ksys_read+0x67/0xe0\n[4005007.703023] __x64_sys_read+0x19/0x20\n[4005007.703028] do_syscall_64+0x5c/0xc0\n[4005007.703034] ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052] ? irqentry_exit+0x19/0x30\n[4005007.703057] ? exc_page_fault+0x89/0x160\n[4005007.703062] ? asm_exc_page_fault+0x8/0x30\n[4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105] \n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52817\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52817\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52817\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52817\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52817\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/174f62a0aa15c211e60208b41ee9e7cdfb73d455\",\n \"https://git.kernel.org/stable/c/437e0fa907ba39b4d7eda863c03ea9cf48bd93a9\",\n \"https://git.kernel.org/stable/c/5104fdf50d326db2c1a994f8b35dcd46e63ae4ad\",\n \"https://git.kernel.org/stable/c/6c1b3d89a2dda79881726bb6e37af19c0936d736\",\n \"https://git.kernel.org/stable/c/820daf9ffe2b0afb804567b10983fb38bc5ae288\",\n \"https://git.kernel.org/stable/c/ba3c0796d292de84f2932cc5bbb0f771fc720996\",\n \"https://git.kernel.org/stable/c/bf2d51eedf03bd61e3556e35d74d49e2e6112398\",\n \"https://git.kernel.org/stable/c/f475d5502f33a6c5b149b0afe96316ad1962a64a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\\n\\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\\n\\n1. Navigate to the directory: /sys/kernel/debug/dri/0\\n2. Execute command: cat amdgpu_regs_smc\\n3. Exception Log::\\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\\n[4005007.702567] #PF: error_code(0x0010) - not-present page\\n[4005007.702570] PGD 0 P4D 0\\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u\\n[4005007.702590] RIP: 0010:0x0\\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\\n[4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\\n[4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\\n[4005007.702633] Call Trace:\\n[4005007.702636] \\n[4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\\n[4005007.703002] full_proxy_read+0x5c/0x80\\n[4005007.703011] vfs_read+0x9f/0x1a0\\n[4005007.703019] ksys_read+0x67/0xe0\\n[4005007.703023] __x64_sys_read+0x19/0x20\\n[4005007.703028] do_syscall_64+0x5c/0xc0\\n[4005007.703034] ? do_user_addr_fault+0x1e3/0x670\\n[4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0\\n[4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20\\n[4005007.703052] ? irqentry_exit+0x19/0x30\\n[4005007.703057] ? exc_page_fault+0x89/0x160\\n[4005007.703062] ? asm_exc_page_fault+0x8/0x30\\n[4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae\\n[4005007.703075] RIP: 0033:0x7f5e07672992\\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24\\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\\n[4005007.703105] \\n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\\n[4005007.703184] CR2: 0000000000000000\\n[4005007.703188] ---[ en\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52817\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52818", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52818" + }, + { + "url": "https://git.kernel.org/stable/c/6dffdddfca818c02a42b6caa1d9845995f0a1f94" + }, + { + "url": "https://git.kernel.org/stable/c/760efbca74a405dc439a013a5efaa9fadc95a8c3" + }, + { + "url": "https://git.kernel.org/stable/c/8af28ae3acb736ada4ce3457662fa446cc913bb4" + }, + { + "url": "https://git.kernel.org/stable/c/92a775e7c9707aed28782bafe636bf87675f5a97" + }, + { + "url": "https://git.kernel.org/stable/c/acdb6830de02cf2873aeaccdf2d9bca4aee50e47" + }, + { + "url": "https://git.kernel.org/stable/c/c847379a5d00078ad6fcb1c24230e72c5609342f" + }, + { + "url": "https://git.kernel.org/stable/c/cfd8cd907fd94538561479a43aea455f5cf16928" + }, + { + "url": "https://git.kernel.org/stable/c/e52e324a21341c97350d5f11de14721c1c609498" + }, + { + "url": "https://git.kernel.org/stable/c/fc9ac0e8e0bcb3740c6eaad3a1a50c20016d422b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52818 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52818", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\n\nFor pptable structs that use flexible array sizes, use flexible arrays.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52818\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52818\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52818\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52818\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52818\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6dffdddfca818c02a42b6caa1d9845995f0a1f94\",\n \"https://git.kernel.org/stable/c/760efbca74a405dc439a013a5efaa9fadc95a8c3\",\n \"https://git.kernel.org/stable/c/8af28ae3acb736ada4ce3457662fa446cc913bb4\",\n \"https://git.kernel.org/stable/c/92a775e7c9707aed28782bafe636bf87675f5a97\",\n \"https://git.kernel.org/stable/c/acdb6830de02cf2873aeaccdf2d9bca4aee50e47\",\n \"https://git.kernel.org/stable/c/c847379a5d00078ad6fcb1c24230e72c5609342f\",\n \"https://git.kernel.org/stable/c/cfd8cd907fd94538561479a43aea455f5cf16928\",\n \"https://git.kernel.org/stable/c/e52e324a21341c97350d5f11de14721c1c609498\",\n \"https://git.kernel.org/stable/c/fc9ac0e8e0bcb3740c6eaad3a1a50c20016d422b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\\n\\nFor pptable structs that use flexible array sizes, use flexible arrays.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52818\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52819", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52819" + }, + { + "url": "https://git.kernel.org/stable/c/0f0e59075b5c22f1e871fbd508d6e4f495048356" + }, + { + "url": "https://git.kernel.org/stable/c/60a00dfc7c5deafd1dd393beaf53224f7256dad6" + }, + { + "url": "https://git.kernel.org/stable/c/7c68283f3166221af3df5791f0e13d3137a72216" + }, + { + "url": "https://git.kernel.org/stable/c/8c1dbddbfcb051e82cea0c197c620f9dcdc38e92" + }, + { + "url": "https://git.kernel.org/stable/c/a237675aa1e62bbfaa341c535331c8656a508fa1" + }, + { + "url": "https://git.kernel.org/stable/c/a63fd579e7b1c3a9ebd6e6c494d49b1b6cf5515e" + }, + { + "url": "https://git.kernel.org/stable/c/b3b8b7c040cf069da7afe11c5bd73b870b8f3d18" + }, + { + "url": "https://git.kernel.org/stable/c/d0725232da777840703f5f1e22f2e3081d712aa4" + }, + { + "url": "https://git.kernel.org/stable/c/d50a56749e5afdc63491b88f5153c1aae00d4679" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52819 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52819", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga\n\nFor pptable structs that use flexible array sizes, use flexible arrays.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52819\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52819\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52819\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52819\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52819\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f0e59075b5c22f1e871fbd508d6e4f495048356\",\n \"https://git.kernel.org/stable/c/60a00dfc7c5deafd1dd393beaf53224f7256dad6\",\n \"https://git.kernel.org/stable/c/7c68283f3166221af3df5791f0e13d3137a72216\",\n \"https://git.kernel.org/stable/c/8c1dbddbfcb051e82cea0c197c620f9dcdc38e92\",\n \"https://git.kernel.org/stable/c/a237675aa1e62bbfaa341c535331c8656a508fa1\",\n \"https://git.kernel.org/stable/c/a63fd579e7b1c3a9ebd6e6c494d49b1b6cf5515e\",\n \"https://git.kernel.org/stable/c/b3b8b7c040cf069da7afe11c5bd73b870b8f3d18\",\n \"https://git.kernel.org/stable/c/d0725232da777840703f5f1e22f2e3081d712aa4\",\n \"https://git.kernel.org/stable/c/d50a56749e5afdc63491b88f5153c1aae00d4679\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga\\n\\nFor pptable structs that use flexible array sizes, use flexible arrays.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52819\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52821", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52821" + }, + { + "url": "https://git.kernel.org/stable/c/2381f6b628b3214f07375e0adf5ce17093c31190" + }, + { + "url": "https://git.kernel.org/stable/c/4fa930ba046d20fc1899770396ee11e905fa96e4" + }, + { + "url": "https://git.kernel.org/stable/c/79813cd59398015867d51e6d7dcc14d287d4c402" + }, + { + "url": "https://git.kernel.org/stable/c/8a9dd36fcb4f3906982b82593393578db4479992" + }, + { + "url": "https://git.kernel.org/stable/c/924e5814d1f84e6fa5cb19c6eceb69f066225229" + }, + { + "url": "https://git.kernel.org/stable/c/c7dc0aca5962fb37dbea9769dd26ec37813faae1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52821 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52821", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: fix a possible null pointer dereference\n\nIn versatile_panel_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52821\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52821\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52821\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52821\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52821\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2381f6b628b3214f07375e0adf5ce17093c31190\",\n \"https://git.kernel.org/stable/c/4fa930ba046d20fc1899770396ee11e905fa96e4\",\n \"https://git.kernel.org/stable/c/79813cd59398015867d51e6d7dcc14d287d4c402\",\n \"https://git.kernel.org/stable/c/8a9dd36fcb4f3906982b82593393578db4479992\",\n \"https://git.kernel.org/stable/c/924e5814d1f84e6fa5cb19c6eceb69f066225229\",\n \"https://git.kernel.org/stable/c/c7dc0aca5962fb37dbea9769dd26ec37813faae1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/panel: fix a possible null pointer dereference\\n\\nIn versatile_panel_get_modes(), the return value of drm_mode_duplicate()\\nis assigned to mode, which will lead to a NULL pointer dereference\\non failure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52821\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52825", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52825" + }, + { + "url": "https://git.kernel.org/stable/c/50f35a907c4f9ed431fd3dbb8b871ef1cbb0718e" + }, + { + "url": "https://git.kernel.org/stable/c/709c348261618da7ed89d6c303e2ceb9e453ba74" + }, + { + "url": "https://git.kernel.org/stable/c/7d43cdd22cd81a2b079e864c4321b9aba4c6af34" + }, + { + "url": "https://git.kernel.org/stable/c/c772eacbd6d0845fc922af8716bb9d29ae27b8cf" + }, + { + "url": "https://git.kernel.org/stable/c/fc0210720127cc6302e6d6f3de48f49c3fcf5659" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52825 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52825", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix a race condition of vram buffer unref in svm code\n\nprange->svm_bo unref can happen in both mmu callback and a callback after\nmigrate to system ram. Both are async call in different tasks. Sync svm_bo\nunref operation to avoid random \"use-after-free\".", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52825\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52825\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52825\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52825\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52825\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/50f35a907c4f9ed431fd3dbb8b871ef1cbb0718e\",\n \"https://git.kernel.org/stable/c/709c348261618da7ed89d6c303e2ceb9e453ba74\",\n \"https://git.kernel.org/stable/c/7d43cdd22cd81a2b079e864c4321b9aba4c6af34\",\n \"https://git.kernel.org/stable/c/c772eacbd6d0845fc922af8716bb9d29ae27b8cf\",\n \"https://git.kernel.org/stable/c/fc0210720127cc6302e6d6f3de48f49c3fcf5659\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdkfd: Fix a race condition of vram buffer unref in svm code\\n\\nprange->svm_bo unref can happen in both mmu callback and a callback after\\nmigrate to system ram. Both are async call in different tasks. Sync svm_bo\\nunref operation to avoid random \\\"use-after-free\\\".\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52825\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52826", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52826" + }, + { + "url": "https://git.kernel.org/stable/c/84c923d898905187ebfd4c0ef38cd1450af7e0ea" + }, + { + "url": "https://git.kernel.org/stable/c/9268bfd76bebc85ff221691b61498cc16d75451c" + }, + { + "url": "https://git.kernel.org/stable/c/9acc2bc00135e9ecd13a70ce1140e2673e504cdc" + }, + { + "url": "https://git.kernel.org/stable/c/d0bc9ab0a161a9745273f5bf723733a8e6c57aca" + }, + { + "url": "https://git.kernel.org/stable/c/eaede6900c0961b072669d6bd97fe8f90ed1900f" + }, + { + "url": "https://git.kernel.org/stable/c/f22def5970c423ea7f87d5247bd0ef91416b0658" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52826 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52826", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel/panel-tpo-tpg110: fix a possible null pointer dereference\n\nIn tpg110_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52826\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52826\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52826\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52826\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52826\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/84c923d898905187ebfd4c0ef38cd1450af7e0ea\",\n \"https://git.kernel.org/stable/c/9268bfd76bebc85ff221691b61498cc16d75451c\",\n \"https://git.kernel.org/stable/c/9acc2bc00135e9ecd13a70ce1140e2673e504cdc\",\n \"https://git.kernel.org/stable/c/d0bc9ab0a161a9745273f5bf723733a8e6c57aca\",\n \"https://git.kernel.org/stable/c/eaede6900c0961b072669d6bd97fe8f90ed1900f\",\n \"https://git.kernel.org/stable/c/f22def5970c423ea7f87d5247bd0ef91416b0658\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/panel/panel-tpo-tpg110: fix a possible null pointer dereference\\n\\nIn tpg110_get_modes(), the return value of drm_mode_duplicate() is\\nassigned to mode, which will lead to a NULL pointer dereference on\\nfailure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52826\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52828", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52828" + }, + { + "url": "https://git.kernel.org/stable/c/327b92e8cb527ae097961ffd1610c720481947f5" + }, + { + "url": "https://git.kernel.org/stable/c/6058e4829696412457729a00734969acc6fd1d18" + }, + { + "url": "https://git.kernel.org/stable/c/66d9111f3517f85ef2af0337ece02683ce0faf21" + }, + { + "url": "https://git.kernel.org/stable/c/821a7e4143af115b840ec199eb179537e18af922" + }, + { + "url": "https://git.kernel.org/stable/c/aa42a7cb92647786719fe9608685da345883878f" + }, + { + "url": "https://git.kernel.org/stable/c/cf353904a82873e952633fcac4385c2fcd3a46e1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52828 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52828", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Detect IP == ksym.end as part of BPF program\n\nNow that bpf_throw kfunc is the first such call instruction that has\nnoreturn semantics within the verifier, this also kicks in dead code\nelimination in unprecedented ways. For one, any instruction following\na bpf_throw call will never be marked as seen. Moreover, if a callchain\nends up throwing, any instructions after the call instruction to the\neventually throwing subprog in callers will also never be marked as\nseen.\n\nThe tempting way to fix this would be to emit extra 'int3' instructions\nwhich bump the jited_len of a program, and ensure that during runtime\nwhen a program throws, we can discover its boundaries even if the call\ninstruction to bpf_throw (or to subprogs that always throw) is emitted\nas the final instruction in the program.\n\nAn example of such a program would be this:\n\ndo_something():\n\t...\n\tr0 = 0\n\texit\n\nfoo():\n\tr1 = 0\n\tcall bpf_throw\n\tr0 = 0\n\texit\n\nbar(cond):\n\tif r1 != 0 goto pc+2\n\tcall do_something\n\texit\n\tcall foo\n\tr0 = 0 // Never seen by verifier\n\texit\t//\n\nmain(ctx):\n\tr1 = ...\n\tcall bar\n\tr0 = 0\n\texit\n\nHere, if we do end up throwing, the stacktrace would be the following:\n\nbpf_throw\nfoo\nbar\nmain\n\nIn bar, the final instruction emitted will be the call to foo, as such,\nthe return address will be the subsequent instruction (which the JIT\nemits as int3 on x86). This will end up lying outside the jited_len of\nthe program, thus, when unwinding, we will fail to discover the return\naddress as belonging to any program and end up in a panic due to the\nunreliable stack unwinding of BPF programs that we never expect.\n\nTo remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as\npart of the BPF program, so that is_bpf_text_address returns true when\nsuch a case occurs, and we are able to unwind reliably when the final\ninstruction ends up being a call instruction.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52828\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52828\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52828\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52828\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52828\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/327b92e8cb527ae097961ffd1610c720481947f5\",\n \"https://git.kernel.org/stable/c/6058e4829696412457729a00734969acc6fd1d18\",\n \"https://git.kernel.org/stable/c/66d9111f3517f85ef2af0337ece02683ce0faf21\",\n \"https://git.kernel.org/stable/c/821a7e4143af115b840ec199eb179537e18af922\",\n \"https://git.kernel.org/stable/c/aa42a7cb92647786719fe9608685da345883878f\",\n \"https://git.kernel.org/stable/c/cf353904a82873e952633fcac4385c2fcd3a46e1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Detect IP == ksym.end as part of BPF program\\n\\nNow that bpf_throw kfunc is the first such call instruction that has\\nnoreturn semantics within the verifier, this also kicks in dead code\\nelimination in unprecedented ways. For one, any instruction following\\na bpf_throw call will never be marked as seen. Moreover, if a callchain\\nends up throwing, any instructions after the call instruction to the\\neventually throwing subprog in callers will also never be marked as\\nseen.\\n\\nThe tempting way to fix this would be to emit extra 'int3' instructions\\nwhich bump the jited_len of a program, and ensure that during runtime\\nwhen a program throws, we can discover its boundaries even if the call\\ninstruction to bpf_throw (or to subprogs that always throw) is emitted\\nas the final instruction in the program.\\n\\nAn example of such a program would be this:\\n\\ndo_something():\\n\\t...\\n\\tr0 = 0\\n\\texit\\n\\nfoo():\\n\\tr1 = 0\\n\\tcall bpf_throw\\n\\tr0 = 0\\n\\texit\\n\\nbar(cond):\\n\\tif r1 != 0 goto pc+2\\n\\tcall do_something\\n\\texit\\n\\tcall foo\\n\\tr0 = 0 // Never seen by verifier\\n\\texit\\t//\\n\\nmain(ctx):\\n\\tr1 = ...\\n\\tcall bar\\n\\tr0 = 0\\n\\texit\\n\\nHere, if we do end up throwing, the stacktrace would be the following:\\n\\nbpf_throw\\nfoo\\nbar\\nmain\\n\\nIn bar, the final instruction emitted will be the call to foo, as such,\\nthe return address will be the subsequent instruction (which the JIT\\nemits as int3 on x86). This will end up lying outside the jited_len of\\nthe program, thus, when unwinding, we will fail to discover the return\\naddress as belonging to any program and end up in a panic due to the\\nunreliable stack unwinding of BPF programs that we never expect.\\n\\nTo remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as\\npart of the BPF program, so that is_bpf_text_address returns true when\\nsuch a case occurs, and we are able to unwind reliably when the final\\ninstruction ends up being a call instruction.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52828\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52829", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52829" + }, + { + "url": "https://git.kernel.org/stable/c/4dd0547e8b45faf6f95373be5436b66cde326c0e" + }, + { + "url": "https://git.kernel.org/stable/c/b302dce3d9edea5b93d1902a541684a967f3c63c" + }, + { + "url": "https://git.kernel.org/stable/c/dfe13eaab043130f90dd3d57c7d88577c04adc97" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52829 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52829", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()\n\nreg_cap.phy_id is extracted from WMI event and could be an unexpected value\nin case some errors happen. As a result out-of-bound write may occur to\nsoc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.\n\nThis is found during code review.\n\nCompile tested only.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52829\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52829\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52829\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52829\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52829\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4dd0547e8b45faf6f95373be5436b66cde326c0e\",\n \"https://git.kernel.org/stable/c/b302dce3d9edea5b93d1902a541684a967f3c63c\",\n \"https://git.kernel.org/stable/c/dfe13eaab043130f90dd3d57c7d88577c04adc97\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()\\n\\nreg_cap.phy_id is extracted from WMI event and could be an unexpected value\\nin case some errors happen. As a result out-of-bound write may occur to\\nsoc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.\\n\\nThis is found during code review.\\n\\nCompile tested only.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52829\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52831", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52831" + }, + { + "url": "https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63" + }, + { + "url": "https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13" + }, + { + "url": "https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908" + }, + { + "url": "https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52831 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52831", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpu/hotplug: Don't offline the last non-isolated CPU\n\nIf a system has isolated CPUs via the \"isolcpus=\" command line parameter,\nthen an attempt to offline the last housekeeping CPU will result in a\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\nto and unhandled empty CPU mas in partition_sched_domains_locked().\n\ncpuset_hotplug_workfn()\n rebuild_sched_domains_locked()\n ndoms = generate_sched_domains(&doms, &attr);\n cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\n\nThus results in an empty CPU mask which triggers the warning and then the\nsubsequent crash:\n\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\nCall trace:\n build_sched_domains+0x120c/0x1408\n partition_sched_domains_locked+0x234/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n rebuild_sched_domains+0x30/0x58\n cpuset_hotplug_workfn+0x2a8/0x930\n\nUnable to handle kernel paging request at virtual address fffe80027ab37080\n partition_sched_domains_locked+0x318/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n\nAside of the resulting crash, it does not make any sense to offline the last\nlast housekeeping CPU.\n\nPrevent this by masking out the non-housekeeping CPUs when selecting a\ntarget CPU for initiating the CPU unplug operation via the work queue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52831\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52831\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52831\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52831\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52831\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63\",\n \"https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13\",\n \"https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908\",\n \"https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncpu/hotplug: Don't offline the last non-isolated CPU\\n\\nIf a system has isolated CPUs via the \\\"isolcpus=\\\" command line parameter,\\nthen an attempt to offline the last housekeeping CPU will result in a\\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\\nto and unhandled empty CPU mas in partition_sched_domains_locked().\\n\\ncpuset_hotplug_workfn()\\n rebuild_sched_domains_locked()\\n ndoms = generate_sched_domains(&doms, &attr);\\n cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\\n\\nThus results in an empty CPU mask which triggers the warning and then the\\nsubsequent crash:\\n\\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\\nCall trace:\\n build_sched_domains+0x120c/0x1408\\n partition_sched_domains_locked+0x234/0x880\\n rebuild_sched_domains_locked+0x37c/0x798\\n rebuild_sched_domains+0x30/0x58\\n cpuset_hotplug_workfn+0x2a8/0x930\\n\\nUnable to handle kernel paging request at virtual address fffe80027ab37080\\n partition_sched_domains_locked+0x318/0x880\\n rebuild_sched_domains_locked+0x37c/0x798\\n\\nAside of the resulting crash, it does not make any sense to offline the last\\nlast housekeeping CPU.\\n\\nPrevent this by masking out the non-housekeeping CPUs when selecting a\\ntarget CPU for initiating the CPU unplug operation via the work queue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52831\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52832", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52832" + }, + { + "url": "https://git.kernel.org/stable/c/1571120c44dbe5757aee1612c5b6097cdc42710f" + }, + { + "url": "https://git.kernel.org/stable/c/21a0f310a9f3bfd2b4cf4f382430e638607db846" + }, + { + "url": "https://git.kernel.org/stable/c/298e767362cade639b7121ecb3cc5345b6529f62" + }, + { + "url": "https://git.kernel.org/stable/c/2be24c47ac19bf639c48c082486c08888bd603c6" + }, + { + "url": "https://git.kernel.org/stable/c/5a94cffe90e20e8fade0b9abd4370bd671fe87c7" + }, + { + "url": "https://git.kernel.org/stable/c/717de20abdcd1d4993fa450e28b8086a352620ea" + }, + { + "url": "https://git.kernel.org/stable/c/adc2474d823fe81d8da759207f4f1d3691aa775a" + }, + { + "url": "https://git.kernel.org/stable/c/e160ab85166e77347d0cbe5149045cb25e83937f" + }, + { + "url": "https://git.kernel.org/stable/c/efeae5f4972f75d50002bc50eb112ab9e7069b18" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52832 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52832", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don't return unset power in ieee80211_get_tx_power()\n\nWe can get a UBSAN warning if ieee80211_get_tx_power() returns the\nINT_MIN value mac80211 internally uses for \"unset power level\".\n\n UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5\n -2147483648 * 100 cannot be represented in type 'int'\n CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE\n Call Trace:\n dump_stack+0x74/0x92\n ubsan_epilogue+0x9/0x50\n handle_overflow+0x8d/0xd0\n __ubsan_handle_mul_overflow+0xe/0x10\n nl80211_send_iface+0x688/0x6b0 [cfg80211]\n [...]\n cfg80211_register_wdev+0x78/0xb0 [cfg80211]\n cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]\n [...]\n ieee80211_if_add+0x60e/0x8f0 [mac80211]\n ieee80211_register_hw+0xda5/0x1170 [mac80211]\n\nIn this case, simply return an error instead, to indicate\nthat no data is available.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52832\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52832\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52832\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52832\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52832\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1571120c44dbe5757aee1612c5b6097cdc42710f\",\n \"https://git.kernel.org/stable/c/21a0f310a9f3bfd2b4cf4f382430e638607db846\",\n \"https://git.kernel.org/stable/c/298e767362cade639b7121ecb3cc5345b6529f62\",\n \"https://git.kernel.org/stable/c/2be24c47ac19bf639c48c082486c08888bd603c6\",\n \"https://git.kernel.org/stable/c/5a94cffe90e20e8fade0b9abd4370bd671fe87c7\",\n \"https://git.kernel.org/stable/c/717de20abdcd1d4993fa450e28b8086a352620ea\",\n \"https://git.kernel.org/stable/c/adc2474d823fe81d8da759207f4f1d3691aa775a\",\n \"https://git.kernel.org/stable/c/e160ab85166e77347d0cbe5149045cb25e83937f\",\n \"https://git.kernel.org/stable/c/efeae5f4972f75d50002bc50eb112ab9e7069b18\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: don't return unset power in ieee80211_get_tx_power()\\n\\nWe can get a UBSAN warning if ieee80211_get_tx_power() returns the\\nINT_MIN value mac80211 internally uses for \\\"unset power level\\\".\\n\\n UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5\\n -2147483648 * 100 cannot be represented in type 'int'\\n CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE\\n Call Trace:\\n dump_stack+0x74/0x92\\n ubsan_epilogue+0x9/0x50\\n handle_overflow+0x8d/0xd0\\n __ubsan_handle_mul_overflow+0xe/0x10\\n nl80211_send_iface+0x688/0x6b0 [cfg80211]\\n [...]\\n cfg80211_register_wdev+0x78/0xb0 [cfg80211]\\n cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]\\n [...]\\n ieee80211_if_add+0x60e/0x8f0 [mac80211]\\n ieee80211_register_hw+0xda5/0x1170 [mac80211]\\n\\nIn this case, simply return an error instead, to indicate\\nthat no data is available.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52832\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52833", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52833" + }, + { + "url": "https://git.kernel.org/stable/c/0048ddf045bddc4dacb3e783fd869a2f8fb5be30" + }, + { + "url": "https://git.kernel.org/stable/c/13b1ebad4c175e6a9b0748acbf133c21a15d282a" + }, + { + "url": "https://git.kernel.org/stable/c/624820f7c8826dd010e8b1963303c145f99816e9" + }, + { + "url": "https://git.kernel.org/stable/c/9f8e4d1a4ca1179aaeb43f91f3e2a386e7e616b3" + }, + { + "url": "https://git.kernel.org/stable/c/a556f2ef556a04790f67f2fa272f1a77336d15a0" + }, + { + "url": "https://git.kernel.org/stable/c/f9de14bde56dcbb0765284c6dfc35842b021733c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52833 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52833", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: Add date->evt_skb is NULL check\n\nfix crash because of null pointers\n\n[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[ 6104.969667] #PF: supervisor read access in kernel mode\n[ 6104.969668] #PF: error_code(0x0000) - not-present page\n[ 6104.969670] PGD 0 P4D 0\n[ 6104.969673] Oops: 0000 [#1] SMP NOPTI\n[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]\n[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246\n[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006\n[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000\n[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001\n[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0\n[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90\n[ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000\n[ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0\n[ 6104.969701] PKRU: 55555554\n[ 6104.969702] Call Trace:\n[ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb]\n[ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth]\n[ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth]\n[ 6104.969753] rfkill_set_block+0x92/0x160\n[ 6104.969755] rfkill_fop_write+0x136/0x1e0\n[ 6104.969759] __vfs_write+0x18/0x40\n[ 6104.969761] vfs_write+0xdf/0x1c0\n[ 6104.969763] ksys_write+0xb1/0xe0\n[ 6104.969765] __x64_sys_write+0x1a/0x20\n[ 6104.969769] do_syscall_64+0x51/0x180\n[ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[ 6104.969773] RIP: 0033:0x7f5a21f18fef\n[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef\n[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012\n[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017\n[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002\n[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52833\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52833\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52833\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52833\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52833\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0048ddf045bddc4dacb3e783fd869a2f8fb5be30\",\n \"https://git.kernel.org/stable/c/13b1ebad4c175e6a9b0748acbf133c21a15d282a\",\n \"https://git.kernel.org/stable/c/624820f7c8826dd010e8b1963303c145f99816e9\",\n \"https://git.kernel.org/stable/c/9f8e4d1a4ca1179aaeb43f91f3e2a386e7e616b3\",\n \"https://git.kernel.org/stable/c/a556f2ef556a04790f67f2fa272f1a77336d15a0\",\n \"https://git.kernel.org/stable/c/f9de14bde56dcbb0765284c6dfc35842b021733c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: btusb: Add date->evt_skb is NULL check\\n\\nfix crash because of null pointers\\n\\n[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8\\n[ 6104.969667] #PF: supervisor read access in kernel mode\\n[ 6104.969668] #PF: error_code(0x0000) - not-present page\\n[ 6104.969670] PGD 0 P4D 0\\n[ 6104.969673] Oops: 0000 [#1] SMP NOPTI\\n[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]\\n[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246\\n[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006\\n[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000\\n[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001\\n[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0\\n[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90\\n[ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000\\n[ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0\\n[ 6104.969701] PKRU: 55555554\\n[ 6104.969702] Call Trace:\\n[ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb]\\n[ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth]\\n[ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth]\\n[ 6104.969753] rfkill_set_block+0x92/0x160\\n[ 6104.969755] rfkill_fop_write+0x136/0x1e0\\n[ 6104.969759] __vfs_write+0x18/0x40\\n[ 6104.969761] vfs_write+0xdf/0x1c0\\n[ 6104.969763] ksys_write+0xb1/0xe0\\n[ 6104.969765] __x64_sys_write+0x1a/0x20\\n[ 6104.969769] do_syscall_64+0x51/0x180\\n[ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9\\n[ 6104.969773] RIP: 0033:0x7f5a21f18fef\\n[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\\n[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef\\n[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012\\n[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017\\n[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002\\n[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52833\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52834", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52834" + }, + { + "url": "https://git.kernel.org/stable/c/32f08b7b430ee01ec47d730f961a3306c1c7b6fb" + }, + { + "url": "https://git.kernel.org/stable/c/54a6152da4993ec8e4b53dc3cf577f5a2c829afa" + }, + { + "url": "https://git.kernel.org/stable/c/57e44ff9c2c9747b2b1a53556810b0e5192655d6" + }, + { + "url": "https://git.kernel.org/stable/c/86565682e9053e5deb128193ea9e88531bbae9cf" + }, + { + "url": "https://git.kernel.org/stable/c/c29a89b23f67ee592f4dee61f9d7efbf86d60315" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52834 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52834", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\natl1c: Work around the DMA RX overflow issue\n\nThis is based on alx driver commit 881d0327db37 (\"net: alx: Work around\nthe DMA RX overflow issue\").\n\nThe alx and atl1c drivers had RX overflow error which was why a custom\nallocator was created to avoid certain addresses. The simpler workaround\nthen created for alx driver, but not for atl1c due to lack of tester.\n\nInstead of using a custom allocator, check the allocated skb address and\nuse skb_reserve() to move away from problematic 0x...fc0 address.\n\nTested on AR8131 on Acer 4540.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52834\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52834\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52834\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52834\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52834\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32f08b7b430ee01ec47d730f961a3306c1c7b6fb\",\n \"https://git.kernel.org/stable/c/54a6152da4993ec8e4b53dc3cf577f5a2c829afa\",\n \"https://git.kernel.org/stable/c/57e44ff9c2c9747b2b1a53556810b0e5192655d6\",\n \"https://git.kernel.org/stable/c/86565682e9053e5deb128193ea9e88531bbae9cf\",\n \"https://git.kernel.org/stable/c/c29a89b23f67ee592f4dee61f9d7efbf86d60315\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\natl1c: Work around the DMA RX overflow issue\\n\\nThis is based on alx driver commit 881d0327db37 (\\\"net: alx: Work around\\nthe DMA RX overflow issue\\\").\\n\\nThe alx and atl1c drivers had RX overflow error which was why a custom\\nallocator was created to avoid certain addresses. The simpler workaround\\nthen created for alx driver, but not for atl1c due to lack of tester.\\n\\nInstead of using a custom allocator, check the allocated skb address and\\nuse skb_reserve() to move away from problematic 0x...fc0 address.\\n\\nTested on AR8131 on Acer 4540.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52834\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52835", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52835" + }, + { + "url": "https://git.kernel.org/stable/c/1a2a4202c60fcdffbf04f259002ce9bff39edece" + }, + { + "url": "https://git.kernel.org/stable/c/2424410f94a94d91230ced094062d859714c984a" + }, + { + "url": "https://git.kernel.org/stable/c/2e905e608e38cf7f8dcddcf8a6036e91a78444cb" + }, + { + "url": "https://git.kernel.org/stable/c/54aee5f15b83437f23b2b2469bcf21bdd9823916" + }, + { + "url": "https://git.kernel.org/stable/c/788c0b3442ead737008934947730a6d1ff703734" + }, + { + "url": "https://git.kernel.org/stable/c/8c504f615d7ed60ae035c51d0c789137ced6797f" + }, + { + "url": "https://git.kernel.org/stable/c/9ce4e87a8efd37c85766ec08b15e885cab08553a" + }, + { + "url": "https://git.kernel.org/stable/c/fd0df3f8719201dbe61a4d39083d5aecd705399a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52835 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52835", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Bail out early if the request AUX area is out of bound\n\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\n\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n failed to mmap with 12 (Cannot allocate memory)\n\nand it reveals a WARNING with __alloc_pages():\n\n\t------------[ cut here ]------------\n\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\n\tCall trace:\n\t __alloc_pages+0x1ec/0x248\n\t __kmalloc_large_node+0xc0/0x1f8\n\t __kmalloc_node+0x134/0x1e8\n\t rb_alloc_aux+0xe0/0x298\n\t perf_mmap+0x440/0x660\n\t mmap_region+0x308/0x8a8\n\t do_mmap+0x3c0/0x528\n\t vm_mmap_pgoff+0xf4/0x1b8\n\t ksys_mmap_pgoff+0x18c/0x218\n\t __arm64_sys_mmap+0x38/0x58\n\t invoke_syscall+0x50/0x128\n\t el0_svc_common.constprop.0+0x58/0x188\n\t do_el0_svc+0x34/0x50\n\t el0_svc+0x34/0x108\n\t el0t_64_sync_handler+0xb8/0xc0\n\t el0t_64_sync+0x1a4/0x1a8\n\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\nmaintains AUX trace pages. The allocated page for this array is physically\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\nWARNING.\n\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\ne.g.:\n\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n failed to mmap with 12 (Cannot allocate memory)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52835\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52835\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52835\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52835\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52835\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a2a4202c60fcdffbf04f259002ce9bff39edece\",\n \"https://git.kernel.org/stable/c/2424410f94a94d91230ced094062d859714c984a\",\n \"https://git.kernel.org/stable/c/2e905e608e38cf7f8dcddcf8a6036e91a78444cb\",\n \"https://git.kernel.org/stable/c/54aee5f15b83437f23b2b2469bcf21bdd9823916\",\n \"https://git.kernel.org/stable/c/788c0b3442ead737008934947730a6d1ff703734\",\n \"https://git.kernel.org/stable/c/8c504f615d7ed60ae035c51d0c789137ced6797f\",\n \"https://git.kernel.org/stable/c/9ce4e87a8efd37c85766ec08b15e885cab08553a\",\n \"https://git.kernel.org/stable/c/fd0df3f8719201dbe61a4d39083d5aecd705399a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf/core: Bail out early if the request AUX area is out of bound\\n\\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\\n\\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\\n failed to mmap with 12 (Cannot allocate memory)\\n\\nand it reveals a WARNING with __alloc_pages():\\n\\n\\t------------[ cut here ]------------\\n\\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\\n\\tCall trace:\\n\\t __alloc_pages+0x1ec/0x248\\n\\t __kmalloc_large_node+0xc0/0x1f8\\n\\t __kmalloc_node+0x134/0x1e8\\n\\t rb_alloc_aux+0xe0/0x298\\n\\t perf_mmap+0x440/0x660\\n\\t mmap_region+0x308/0x8a8\\n\\t do_mmap+0x3c0/0x528\\n\\t vm_mmap_pgoff+0xf4/0x1b8\\n\\t ksys_mmap_pgoff+0x18c/0x218\\n\\t __arm64_sys_mmap+0x38/0x58\\n\\t invoke_syscall+0x50/0x128\\n\\t el0_svc_common.constprop.0+0x58/0x188\\n\\t do_el0_svc+0x34/0x50\\n\\t el0_svc+0x34/0x108\\n\\t el0t_64_sync_handler+0xb8/0xc0\\n\\t el0t_64_sync+0x1a4/0x1a8\\n\\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\\nmaintains AUX trace pages. The allocated page for this array is physically\\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\\nWARNING.\\n\\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\\ne.g.:\\n\\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\\n failed to mmap with 12 (Cannot allocate memory)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52835\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52836", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52836" + }, + { + "url": "https://git.kernel.org/stable/c/304a2c4aad0fff887ce493e4197bf9cbaf394479" + }, + { + "url": "https://git.kernel.org/stable/c/9ed2d68b3925145f5f51c46559484881d6082f75" + }, + { + "url": "https://git.kernel.org/stable/c/bccdd808902f8c677317cec47c306e42b93b849e" + }, + { + "url": "https://git.kernel.org/stable/c/c56df79d68677cf062da1b6e3b33e74299a92dfc" + }, + { + "url": "https://git.kernel.org/stable/c/d4d37c9e6a4dbcca958dabd99216550525c7e389" + }, + { + "url": "https://git.kernel.org/stable/c/d8267cabbe1bed15ccf8b0e684c528bf8eeef715" + }, + { + "url": "https://git.kernel.org/stable/c/dcd85e3c929368076a7592b27f541e0da8b427f5" + }, + { + "url": "https://git.kernel.org/stable/c/e36407713163363e65566e7af0abe207d5f59a0c" + }, + { + "url": "https://git.kernel.org/stable/c/e89d0ed45a419c485bae999426ecf92697cbdda3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52836 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52836", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/ww_mutex/test: Fix potential workqueue corruption\n\nIn some cases running with the test-ww_mutex code, I was seeing\nodd behavior where sometimes it seemed flush_workqueue was\nreturning before all the work threads were finished.\n\nOften this would cause strange crashes as the mutexes would be\nfreed while they were being used.\n\nLooking at the code, there is a lifetime problem as the\ncontrolling thread that spawns the work allocates the\n\"struct stress\" structures that are passed to the workqueue\nthreads. Then when the workqueue threads are finished,\nthey free the stress struct that was passed to them.\n\nUnfortunately the workqueue work_struct node is in the stress\nstruct. Which means the work_struct is freed before the work\nthread returns and while flush_workqueue is waiting.\n\nIt seems like a better idea to have the controlling thread\nboth allocate and free the stress structures, so that we can\nbe sure we don't corrupt the workqueue by freeing the structure\nprematurely.\n\nSo this patch reworks the test to do so, and with this change\nI no longer see the early flush_workqueue returns.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52836\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52836\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52836\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52836\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52836\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/304a2c4aad0fff887ce493e4197bf9cbaf394479\",\n \"https://git.kernel.org/stable/c/9ed2d68b3925145f5f51c46559484881d6082f75\",\n \"https://git.kernel.org/stable/c/bccdd808902f8c677317cec47c306e42b93b849e\",\n \"https://git.kernel.org/stable/c/c56df79d68677cf062da1b6e3b33e74299a92dfc\",\n \"https://git.kernel.org/stable/c/d4d37c9e6a4dbcca958dabd99216550525c7e389\",\n \"https://git.kernel.org/stable/c/d8267cabbe1bed15ccf8b0e684c528bf8eeef715\",\n \"https://git.kernel.org/stable/c/dcd85e3c929368076a7592b27f541e0da8b427f5\",\n \"https://git.kernel.org/stable/c/e36407713163363e65566e7af0abe207d5f59a0c\",\n \"https://git.kernel.org/stable/c/e89d0ed45a419c485bae999426ecf92697cbdda3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlocking/ww_mutex/test: Fix potential workqueue corruption\\n\\nIn some cases running with the test-ww_mutex code, I was seeing\\nodd behavior where sometimes it seemed flush_workqueue was\\nreturning before all the work threads were finished.\\n\\nOften this would cause strange crashes as the mutexes would be\\nfreed while they were being used.\\n\\nLooking at the code, there is a lifetime problem as the\\ncontrolling thread that spawns the work allocates the\\n\\\"struct stress\\\" structures that are passed to the workqueue\\nthreads. Then when the workqueue threads are finished,\\nthey free the stress struct that was passed to them.\\n\\nUnfortunately the workqueue work_struct node is in the stress\\nstruct. Which means the work_struct is freed before the work\\nthread returns and while flush_workqueue is waiting.\\n\\nIt seems like a better idea to have the controlling thread\\nboth allocate and free the stress structures, so that we can\\nbe sure we don't corrupt the workqueue by freeing the structure\\nprematurely.\\n\\nSo this patch reworks the test to do so, and with this change\\nI no longer see the early flush_workqueue returns.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52836\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52837", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52837" + }, + { + "url": "https://git.kernel.org/stable/c/327462725b0f759f093788dfbcb2f1fd132f956b" + }, + { + "url": "https://git.kernel.org/stable/c/4e9b3ec84dc97909876641dad14e0a2300d6c2a3" + }, + { + "url": "https://git.kernel.org/stable/c/56bd7901b5e9dbc9112036ea615ebcba1565fafe" + }, + { + "url": "https://git.kernel.org/stable/c/879947f4180bc6e83af64eb0515e0cf57fce15db" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52837 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52837", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix uaf in nbd_open\n\nCommit 4af5f2e03013 (\"nbd: use blk_mq_alloc_disk and\nblk_cleanup_disk\") cleans up disk by blk_cleanup_disk() and it won't set\ndisk->private_data as NULL as before. UAF may be triggered in nbd_open()\nif someone tries to open nbd device right after nbd_put() since nbd has\nbeen free in nbd_dev_remove().\n\nFix this by implementing ->free_disk and free private data in it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52837\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52837\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52837\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52837\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52837\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/327462725b0f759f093788dfbcb2f1fd132f956b\",\n \"https://git.kernel.org/stable/c/4e9b3ec84dc97909876641dad14e0a2300d6c2a3\",\n \"https://git.kernel.org/stable/c/56bd7901b5e9dbc9112036ea615ebcba1565fafe\",\n \"https://git.kernel.org/stable/c/879947f4180bc6e83af64eb0515e0cf57fce15db\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnbd: fix uaf in nbd_open\\n\\nCommit 4af5f2e03013 (\\\"nbd: use blk_mq_alloc_disk and\\nblk_cleanup_disk\\\") cleans up disk by blk_cleanup_disk() and it won't set\\ndisk->private_data as NULL as before. UAF may be triggered in nbd_open()\\nif someone tries to open nbd device right after nbd_put() since nbd has\\nbeen free in nbd_dev_remove().\\n\\nFix this by implementing ->free_disk and free private data in it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52837\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52838", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52838" + }, + { + "url": "https://git.kernel.org/stable/c/18d26f9baca7d0d309303e3074a2252b8310884a" + }, + { + "url": "https://git.kernel.org/stable/c/382e1931e0c9cd58a5a8519cdc6cd9dc4d82b485" + }, + { + "url": "https://git.kernel.org/stable/c/6c66d737b2726ac7784269ddf32a31634f8f269d" + }, + { + "url": "https://git.kernel.org/stable/c/7bc7b82fb2191b0d50a80ee4e27030918767dd1d" + }, + { + "url": "https://git.kernel.org/stable/c/8e4b510fe91782522b7ca0ca881b663b5d35e513" + }, + { + "url": "https://git.kernel.org/stable/c/a4dfebec32ec6d420a5506dd56a7834c91be28e4" + }, + { + "url": "https://git.kernel.org/stable/c/aba6ab57a910ad4b940c2024d15f2cdbf5b7f76b" + }, + { + "url": "https://git.kernel.org/stable/c/b346a531159d08c564a312a9eaeea691704f3c00" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52838 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52838", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: imsttfb: fix a resource leak in probe\n\nI've re-written the error handling but the bug is that if init_imstt()\nfails we need to call iounmap(par->cmap_regs).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52838\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52838\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52838\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52838\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52838\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/18d26f9baca7d0d309303e3074a2252b8310884a\",\n \"https://git.kernel.org/stable/c/382e1931e0c9cd58a5a8519cdc6cd9dc4d82b485\",\n \"https://git.kernel.org/stable/c/6c66d737b2726ac7784269ddf32a31634f8f269d\",\n \"https://git.kernel.org/stable/c/7bc7b82fb2191b0d50a80ee4e27030918767dd1d\",\n \"https://git.kernel.org/stable/c/8e4b510fe91782522b7ca0ca881b663b5d35e513\",\n \"https://git.kernel.org/stable/c/a4dfebec32ec6d420a5506dd56a7834c91be28e4\",\n \"https://git.kernel.org/stable/c/aba6ab57a910ad4b940c2024d15f2cdbf5b7f76b\",\n \"https://git.kernel.org/stable/c/b346a531159d08c564a312a9eaeea691704f3c00\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfbdev: imsttfb: fix a resource leak in probe\\n\\nI've re-written the error handling but the bug is that if init_imstt()\\nfails we need to call iounmap(par->cmap_regs).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52838\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52840", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52840" + }, + { + "url": "https://git.kernel.org/stable/c/2f236d8638f5b43e0c72919a6a27fe286c32053f" + }, + { + "url": "https://git.kernel.org/stable/c/303766bb92c5c225cf40f9bbbe7e29749406e2f2" + }, + { + "url": "https://git.kernel.org/stable/c/50d12253666195a14c6cd2b81c376e2dbeedbdff" + }, + { + "url": "https://git.kernel.org/stable/c/6c71e065befb2fae8f1461559b940c04e1071bd5" + }, + { + "url": "https://git.kernel.org/stable/c/7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f" + }, + { + "url": "https://git.kernel.org/stable/c/c8e639f5743cf4b01f8c65e0df075fe4d782b585" + }, + { + "url": "https://git.kernel.org/stable/c/cc56c4d17721dcb10ad4e9c9266e449be1462683" + }, + { + "url": "https://git.kernel.org/stable/c/eb988e46da2e4eae89f5337e047ce372fe33d5b1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52840 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52840", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: synaptics-rmi4 - fix use after free in rmi_unregister_function()\n\nThe put_device() calls rmi_release_function() which frees \"fn\" so the\ndereference on the next line \"fn->num_of_irqs\" is a use after free.\nMove the put_device() to the end to fix this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52840\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52840\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52840\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52840\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52840\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f236d8638f5b43e0c72919a6a27fe286c32053f\",\n \"https://git.kernel.org/stable/c/303766bb92c5c225cf40f9bbbe7e29749406e2f2\",\n \"https://git.kernel.org/stable/c/50d12253666195a14c6cd2b81c376e2dbeedbdff\",\n \"https://git.kernel.org/stable/c/6c71e065befb2fae8f1461559b940c04e1071bd5\",\n \"https://git.kernel.org/stable/c/7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f\",\n \"https://git.kernel.org/stable/c/c8e639f5743cf4b01f8c65e0df075fe4d782b585\",\n \"https://git.kernel.org/stable/c/cc56c4d17721dcb10ad4e9c9266e449be1462683\",\n \"https://git.kernel.org/stable/c/eb988e46da2e4eae89f5337e047ce372fe33d5b1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nInput: synaptics-rmi4 - fix use after free in rmi_unregister_function()\\n\\nThe put_device() calls rmi_release_function() which frees \\\"fn\\\" so the\\ndereference on the next line \\\"fn->num_of_irqs\\\" is a use after free.\\nMove the put_device() to the end to fix this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52840\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52841", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52841" + }, + { + "url": "https://git.kernel.org/stable/c/1fd6eb12642e0c32692924ff359c07de4b781d78" + }, + { + "url": "https://git.kernel.org/stable/c/64863ba8e6b7651d994c6e6d506cc8aa2ac45edb" + }, + { + "url": "https://git.kernel.org/stable/c/980be4c3b0d51c0f873fd750117774561c66cf68" + }, + { + "url": "https://git.kernel.org/stable/c/a254ee1ddc592ae1efcce96b8c014e1bd2d5a2b4" + }, + { + "url": "https://git.kernel.org/stable/c/aae7598aff291d4d140be1355aa20930af948785" + }, + { + "url": "https://git.kernel.org/stable/c/cb13001411999adb158b39e76d94705eb2da100d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52841 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52841", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: mux: Add check and kfree for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.\nMoreover, use kfree() in the later error handling in order to avoid\nmemory leak.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52841\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52841\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52841\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52841\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52841\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fd6eb12642e0c32692924ff359c07de4b781d78\",\n \"https://git.kernel.org/stable/c/64863ba8e6b7651d994c6e6d506cc8aa2ac45edb\",\n \"https://git.kernel.org/stable/c/980be4c3b0d51c0f873fd750117774561c66cf68\",\n \"https://git.kernel.org/stable/c/a254ee1ddc592ae1efcce96b8c014e1bd2d5a2b4\",\n \"https://git.kernel.org/stable/c/aae7598aff291d4d140be1355aa20930af948785\",\n \"https://git.kernel.org/stable/c/cb13001411999adb158b39e76d94705eb2da100d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: vidtv: mux: Add check and kfree for kstrdup\\n\\nAdd check for the return value of kstrdup() and return the error\\nif it fails in order to avoid NULL pointer dereference.\\nMoreover, use kfree() in the later error handling in order to avoid\\nmemory leak.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52841\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52843", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52843" + }, + { + "url": "https://git.kernel.org/stable/c/0a720d0259ad3521ec6c9e4199f9f6fc75bac77a" + }, + { + "url": "https://git.kernel.org/stable/c/352887b3edd007cf9b0abc30fe9d98622acd859b" + }, + { + "url": "https://git.kernel.org/stable/c/3a2653828ffc6101aef80bf58d5b77484239f779" + }, + { + "url": "https://git.kernel.org/stable/c/7b3ba18703a63f6fd487183b9262b08e5632da1b" + }, + { + "url": "https://git.kernel.org/stable/c/900a4418e3f66a32db6baaf23f92b99c20ae6535" + }, + { + "url": "https://git.kernel.org/stable/c/9a3f9054a5227d7567cba1fb821df48ccecad10c" + }, + { + "url": "https://git.kernel.org/stable/c/cbdcdf42d15dac74c7287679fb2a9d955f8feb1f" + }, + { + "url": "https://git.kernel.org/stable/c/f980e9a57dfb9530f1f4ee41a2420f2a256d7b29" + }, + { + "url": "https://git.kernel.org/stable/c/ff5cb6a4f0c6d7fbdc84858323fb4b7af32cfd79" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52843 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52843", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: verify mac len before reading mac header\n\nLLC reads the mac header with eth_hdr without verifying that the skb\nhas an Ethernet header.\n\nSyzbot was able to enter llc_rcv on a tun device. Tun can insert\npackets without mac len and with user configurable skb->protocol\n(passing a tun_pi header when not configuring IFF_NO_PI).\n\n BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218\n __netif_receive_skb_one_core net/core/dev.c:5523 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\n netif_receive_skb_internal net/core/dev.c:5723 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5782\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002\n\nAdd a mac_len test before all three eth_hdr(skb) calls under net/llc.\n\nThere are further uses in include/net/llc_pdu.h. All these are\nprotected by a test skb->protocol == ETH_P_802_2. Which does not\nprotect against this tun scenario.\n\nBut the mac_len test added in this patch in llc_fixup_skb will\nindirectly protect those too. That is called from llc_rcv before any\nother LLC code.\n\nIt is tempting to just add a blanket mac_len check in llc_rcv, but\nnot sure whether that could break valid LLC paths that do not assume\nan Ethernet header. 802.2 LLC may be used on top of non-802.3\nprotocols in principle. The below referenced commit shows that used\nto, on top of Token Ring.\n\nAt least one of the three eth_hdr uses goes back to before the start\nof git history. But the one that syzbot exercises is introduced in\nthis commit. That commit is old enough (2008), that effectively all\nstable kernels should receive this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52843\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52843\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52843\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52843\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52843\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a720d0259ad3521ec6c9e4199f9f6fc75bac77a\",\n \"https://git.kernel.org/stable/c/352887b3edd007cf9b0abc30fe9d98622acd859b\",\n \"https://git.kernel.org/stable/c/3a2653828ffc6101aef80bf58d5b77484239f779\",\n \"https://git.kernel.org/stable/c/7b3ba18703a63f6fd487183b9262b08e5632da1b\",\n \"https://git.kernel.org/stable/c/900a4418e3f66a32db6baaf23f92b99c20ae6535\",\n \"https://git.kernel.org/stable/c/9a3f9054a5227d7567cba1fb821df48ccecad10c\",\n \"https://git.kernel.org/stable/c/cbdcdf42d15dac74c7287679fb2a9d955f8feb1f\",\n \"https://git.kernel.org/stable/c/f980e9a57dfb9530f1f4ee41a2420f2a256d7b29\",\n \"https://git.kernel.org/stable/c/ff5cb6a4f0c6d7fbdc84858323fb4b7af32cfd79\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nllc: verify mac len before reading mac header\\n\\nLLC reads the mac header with eth_hdr without verifying that the skb\\nhas an Ethernet header.\\n\\nSyzbot was able to enter llc_rcv on a tun device. Tun can insert\\npackets without mac len and with user configurable skb->protocol\\n(passing a tun_pi header when not configuring IFF_NO_PI).\\n\\n BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\\n BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\\n llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\\n llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\\n llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218\\n __netif_receive_skb_one_core net/core/dev.c:5523 [inline]\\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\\n netif_receive_skb_internal net/core/dev.c:5723 [inline]\\n netif_receive_skb+0x58/0x660 net/core/dev.c:5782\\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\\n tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002\\n\\nAdd a mac_len test before all three eth_hdr(skb) calls under net/llc.\\n\\nThere are further uses in include/net/llc_pdu.h. All these are\\nprotected by a test skb->protocol == ETH_P_802_2. Which does not\\nprotect against this tun scenario.\\n\\nBut the mac_len test added in this patch in llc_fixup_skb will\\nindirectly protect those too. That is called from llc_rcv before any\\nother LLC code.\\n\\nIt is tempting to just add a blanket mac_len check in llc_rcv, but\\nnot sure whether that could break valid LLC paths that do not assume\\nan Ethernet header. 802.2 LLC may be used on top of non-802.3\\nprotocols in principle. The below referenced commit shows that used\\nto, on top of Token Ring.\\n\\nAt least one of the three eth_hdr uses goes back to before the start\\nof git history. But the one that syzbot exercises is introduced in\\nthis commit. That commit is old enough (2008), that effectively all\\nstable kernels should receive this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52843\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52844", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52844" + }, + { + "url": "https://git.kernel.org/stable/c/3387490c89b10aeb4e71d78b65dbc9ba4b2385b9" + }, + { + "url": "https://git.kernel.org/stable/c/5c26aae3723965c291c65dd2ecad6a3240d422b0" + }, + { + "url": "https://git.kernel.org/stable/c/5cfcc8de7d733a1137b86954cc28ce99972311ad" + }, + { + "url": "https://git.kernel.org/stable/c/76a2c5df6ca8bd8ada45e953b8c72b746f42918d" + }, + { + "url": "https://git.kernel.org/stable/c/a51335704a3f90eaf23a6864faefca34b382490a" + }, + { + "url": "https://git.kernel.org/stable/c/d17269fb9161995303985ab2fe6f16cfb72152f9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52844 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52844", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: psi: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52844\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52844\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52844\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52844\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52844\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3387490c89b10aeb4e71d78b65dbc9ba4b2385b9\",\n \"https://git.kernel.org/stable/c/5c26aae3723965c291c65dd2ecad6a3240d422b0\",\n \"https://git.kernel.org/stable/c/5cfcc8de7d733a1137b86954cc28ce99972311ad\",\n \"https://git.kernel.org/stable/c/76a2c5df6ca8bd8ada45e953b8c72b746f42918d\",\n \"https://git.kernel.org/stable/c/a51335704a3f90eaf23a6864faefca34b382490a\",\n \"https://git.kernel.org/stable/c/d17269fb9161995303985ab2fe6f16cfb72152f9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: vidtv: psi: Add check for kstrdup\\n\\nAdd check for the return value of kstrdup() and return the error\\nif it fails in order to avoid NULL pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52844\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52845", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52845" + }, + { + "url": "https://git.kernel.org/stable/c/19b3f72a41a8751e26bffc093bb7e1cef29ad579" + }, + { + "url": "https://git.kernel.org/stable/c/2199260c42e6fbc5af8adae3bf78e623407c91b0" + }, + { + "url": "https://git.kernel.org/stable/c/2426425d686b43adbc4f2f4a367b494f06f159d6" + }, + { + "url": "https://git.kernel.org/stable/c/3907b89cd17fcc23e9a80789c36856f00ece0ba8" + }, + { + "url": "https://git.kernel.org/stable/c/4c731e98fe4d678e87ba3e4d45d3cf0a5a193dc4" + }, + { + "url": "https://git.kernel.org/stable/c/560992f41c0cea44b7603bc9e6c73bffbf6b5709" + }, + { + "url": "https://git.kernel.org/stable/c/6744008c354bca2e4686a5b6056ee6b535d9f67d" + }, + { + "url": "https://git.kernel.org/stable/c/abc1582119e8c4af14cedb0db6541fd603f45a04" + }, + { + "url": "https://git.kernel.org/stable/c/b33d130f07f1decd756b849ab03c23d11d4dd294" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52845 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52845", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Change nla_policy for bearer-related names to NLA_NUL_STRING\n\nsyzbot reported the following uninit-value access issue [1]:\n\n=====================================================\nBUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]\nBUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756\n strlen lib/string.c:418 [inline]\n strstr+0xb8/0x2f0 lib/string.c:756\n tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595\n genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]\n genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066\n netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\n netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n __alloc_skb+0x318/0x740 net/core/skbuff.c:650\n alloc_skb include/linux/skbuff.h:1286 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]\n netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTIPC bearer-related names including link names must be null-terminated\nstrings. If a link name which is not null-terminated is passed through\nnetlink, strstr() and similar functions can cause buffer overrun. This\ncauses the above issue.\n\nThis patch changes the nla_policy for bearer-related names from NLA_STRING\nto NLA_NUL_STRING. This resolves the issue by ensuring that only\nnull-terminated strings are accepted as bearer-related names.\n\nsyzbot reported similar uninit-value issue related to bearer names [2]. The\nroot cause of this issue is that a non-null-terminated bearer name was\npassed. This patch also resolved this issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52845\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52845\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52845\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52845\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52845\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19b3f72a41a8751e26bffc093bb7e1cef29ad579\",\n \"https://git.kernel.org/stable/c/2199260c42e6fbc5af8adae3bf78e623407c91b0\",\n \"https://git.kernel.org/stable/c/2426425d686b43adbc4f2f4a367b494f06f159d6\",\n \"https://git.kernel.org/stable/c/3907b89cd17fcc23e9a80789c36856f00ece0ba8\",\n \"https://git.kernel.org/stable/c/4c731e98fe4d678e87ba3e4d45d3cf0a5a193dc4\",\n \"https://git.kernel.org/stable/c/560992f41c0cea44b7603bc9e6c73bffbf6b5709\",\n \"https://git.kernel.org/stable/c/6744008c354bca2e4686a5b6056ee6b535d9f67d\",\n \"https://git.kernel.org/stable/c/abc1582119e8c4af14cedb0db6541fd603f45a04\",\n \"https://git.kernel.org/stable/c/b33d130f07f1decd756b849ab03c23d11d4dd294\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: Change nla_policy for bearer-related names to NLA_NUL_STRING\\n\\nsyzbot reported the following uninit-value access issue [1]:\\n\\n=====================================================\\nBUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]\\nBUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756\\n strlen lib/string.c:418 [inline]\\n strstr+0xb8/0x2f0 lib/string.c:756\\n tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595\\n genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]\\n genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]\\n genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066\\n netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545\\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075\\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\\n netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368\\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n sock_sendmsg net/socket.c:753 [inline]\\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\\n __sys_sendmsg net/socket.c:2624 [inline]\\n __do_sys_sendmsg net/socket.c:2633 [inline]\\n __se_sys_sendmsg net/socket.c:2631 [inline]\\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nUninit was created at:\\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\\n slab_alloc_node mm/slub.c:3478 [inline]\\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\\n __alloc_skb+0x318/0x740 net/core/skbuff.c:650\\n alloc_skb include/linux/skbuff.h:1286 [inline]\\n netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]\\n netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n sock_sendmsg net/socket.c:753 [inline]\\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\\n __sys_sendmsg net/socket.c:2624 [inline]\\n __do_sys_sendmsg net/socket.c:2633 [inline]\\n __se_sys_sendmsg net/socket.c:2631 [inline]\\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nTIPC bearer-related names including link names must be null-terminated\\nstrings. If a link name which is not null-terminated is passed through\\nnetlink, strstr() and similar functions can cause buffer overrun. This\\ncauses the above issue.\\n\\nThis patch changes the nla_policy for bearer-related names from NLA_STRING\\nto NLA_NUL_STRING. This resolves the issue by ensuring that only\\nnull-terminated strings are accepted as bearer-related names.\\n\\nsyzbot reported similar uninit-value issue related to bearer names [2]. The\\nroot cause of this issue is that a non-null-terminated bearer name was\\npassed. This patch also resolved this issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52845\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52846", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52846" + }, + { + "url": "https://git.kernel.org/stable/c/1787b9f0729d318d67cf7c5a95f0c3dba9a7cc18" + }, + { + "url": "https://git.kernel.org/stable/c/6086258bd5ea7b5c706ff62da42b8e271b2401db" + }, + { + "url": "https://git.kernel.org/stable/c/876f8ab52363f649bcc74072157dfd7adfbabc0d" + }, + { + "url": "https://git.kernel.org/stable/c/a1a485e45d24b1cd8fe834fd6f1b06e2903827da" + }, + { + "url": "https://git.kernel.org/stable/c/d103fb6726904e353b4773188ee3d3acb4078363" + }, + { + "url": "https://git.kernel.org/stable/c/ddf4e04e946aaa6c458b8b6829617cc44af2bffd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52846 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52846", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Prevent use after free in prp_create_tagged_frame()\n\nThe prp_fill_rct() function can fail. In that situation, it frees the\nskb and returns NULL. Meanwhile on the success path, it returns the\noriginal skb. So it's straight forward to fix bug by using the returned\nvalue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52846\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52846\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52846\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52846\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52846\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1787b9f0729d318d67cf7c5a95f0c3dba9a7cc18\",\n \"https://git.kernel.org/stable/c/6086258bd5ea7b5c706ff62da42b8e271b2401db\",\n \"https://git.kernel.org/stable/c/876f8ab52363f649bcc74072157dfd7adfbabc0d\",\n \"https://git.kernel.org/stable/c/a1a485e45d24b1cd8fe834fd6f1b06e2903827da\",\n \"https://git.kernel.org/stable/c/d103fb6726904e353b4773188ee3d3acb4078363\",\n \"https://git.kernel.org/stable/c/ddf4e04e946aaa6c458b8b6829617cc44af2bffd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhsr: Prevent use after free in prp_create_tagged_frame()\\n\\nThe prp_fill_rct() function can fail. In that situation, it frees the\\nskb and returns NULL. Meanwhile on the success path, it returns the\\noriginal skb. So it's straight forward to fix bug by using the returned\\nvalue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52846\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52847", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52847" + }, + { + "url": "https://git.kernel.org/stable/c/1871014d6ef4812ad11ef7d838d73ce09d632267" + }, + { + "url": "https://git.kernel.org/stable/c/20568d06f6069cb835e05eed432edf962645d226" + }, + { + "url": "https://git.kernel.org/stable/c/2f3d9198cdae1cb079ec8652f4defacd481eab2b" + }, + { + "url": "https://git.kernel.org/stable/c/51c94256a83fe4e17406c66ff3e1ad7d242d8574" + }, + { + "url": "https://git.kernel.org/stable/c/847599fffa528b2cdec4e21b6bf7586dad982132" + }, + { + "url": "https://git.kernel.org/stable/c/b35fdade92c5058a5e727e233fe263b828de2c9a" + }, + { + "url": "https://git.kernel.org/stable/c/bbc3b8dd2cb7817e703f112d988e4f4728f0f2a9" + }, + { + "url": "https://git.kernel.org/stable/c/bd5b50b329e850d467e7bcc07b2b6bde3752fbda" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52847 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52847", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: bttv: fix use after free error due to btv->timeout timer\n\nThere may be some a race condition between timer function\nbttv_irq_timeout and bttv_remove. The timer is setup in\nprobe and there is no timer_delete operation in remove\nfunction. When it hit kfree btv, the function might still be\ninvoked, which will cause use after free bug.\n\nThis bug is found by static analysis, it may be false positive.\n\nFix it by adding del_timer_sync invoking to the remove function.\n\ncpu0 cpu1\n bttv_probe\n ->timer_setup\n ->bttv_set_dma\n ->mod_timer;\nbttv_remove\n ->kfree(btv);\n ->bttv_irq_timeout\n ->USE btv", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52847\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52847\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52847\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52847\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52847\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1871014d6ef4812ad11ef7d838d73ce09d632267\",\n \"https://git.kernel.org/stable/c/20568d06f6069cb835e05eed432edf962645d226\",\n \"https://git.kernel.org/stable/c/2f3d9198cdae1cb079ec8652f4defacd481eab2b\",\n \"https://git.kernel.org/stable/c/51c94256a83fe4e17406c66ff3e1ad7d242d8574\",\n \"https://git.kernel.org/stable/c/847599fffa528b2cdec4e21b6bf7586dad982132\",\n \"https://git.kernel.org/stable/c/b35fdade92c5058a5e727e233fe263b828de2c9a\",\n \"https://git.kernel.org/stable/c/bbc3b8dd2cb7817e703f112d988e4f4728f0f2a9\",\n \"https://git.kernel.org/stable/c/bd5b50b329e850d467e7bcc07b2b6bde3752fbda\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: bttv: fix use after free error due to btv->timeout timer\\n\\nThere may be some a race condition between timer function\\nbttv_irq_timeout and bttv_remove. The timer is setup in\\nprobe and there is no timer_delete operation in remove\\nfunction. When it hit kfree btv, the function might still be\\ninvoked, which will cause use after free bug.\\n\\nThis bug is found by static analysis, it may be false positive.\\n\\nFix it by adding del_timer_sync invoking to the remove function.\\n\\ncpu0 cpu1\\n bttv_probe\\n ->timer_setup\\n ->bttv_set_dma\\n ->mod_timer;\\nbttv_remove\\n ->kfree(btv);\\n ->bttv_irq_timeout\\n ->USE btv\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52847\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52849", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52849" + }, + { + "url": "https://git.kernel.org/stable/c/0ca074f7d788627a4e0b047ca5fbdb5fc567220c" + }, + { + "url": "https://git.kernel.org/stable/c/20bd0198bebdd706bd4614b3933ef70d7c19618f" + }, + { + "url": "https://git.kernel.org/stable/c/7c7371b41a14e86f53e7dbe5baa7b1d3e0ab324b" + }, + { + "url": "https://git.kernel.org/stable/c/88d3917f82ed4215a2154432c26de1480a61b209" + }, + { + "url": "https://git.kernel.org/stable/c/cad22a757029c3a1985c221a2d4a6491ad4035ae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52849 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52849", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mem: Fix shutdown order\n\nIra reports that removing cxl_mock_mem causes a crash with the following\ntrace:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000044\n [..]\n RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core]\n [..]\n Call Trace:\n \n cxl_region_detach+0xe8/0x210 [cxl_core]\n cxl_decoder_kill_region+0x27/0x40 [cxl_core]\n cxld_unregister+0x29/0x40 [cxl_core]\n devres_release_all+0xb8/0x110\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1d2/0x210\n bus_remove_device+0xd7/0x150\n device_del+0x155/0x3e0\n device_unregister+0x13/0x60\n devm_release_action+0x4d/0x90\n ? __pfx_unregister_port+0x10/0x10 [cxl_core]\n delete_endpoint+0x121/0x130 [cxl_core]\n devres_release_all+0xb8/0x110\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1d2/0x210\n bus_remove_device+0xd7/0x150\n device_del+0x155/0x3e0\n ? lock_release+0x142/0x290\n cdev_device_del+0x15/0x50\n cxl_memdev_unregister+0x54/0x70 [cxl_core]\n\nThis crash is due to the clearing out the cxl_memdev's driver context\n(@cxlds) before the subsystem is done with it. This is ultimately due to\nthe region(s), that this memdev is a member, being torn down and expecting\nto be able to de-reference @cxlds, like here:\n\nstatic int cxl_region_decode_reset(struct cxl_region *cxlr, int count)\n...\n if (cxlds->rcd)\n goto endpoint_reset;\n...\n\nFix it by keeping the driver context valid until memdev-device\nunregistration, and subsequently the entire stack of related\ndependencies, unwinds.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52849\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52849\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52849\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52849\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52849\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ca074f7d788627a4e0b047ca5fbdb5fc567220c\",\n \"https://git.kernel.org/stable/c/20bd0198bebdd706bd4614b3933ef70d7c19618f\",\n \"https://git.kernel.org/stable/c/7c7371b41a14e86f53e7dbe5baa7b1d3e0ab324b\",\n \"https://git.kernel.org/stable/c/88d3917f82ed4215a2154432c26de1480a61b209\",\n \"https://git.kernel.org/stable/c/cad22a757029c3a1985c221a2d4a6491ad4035ae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncxl/mem: Fix shutdown order\\n\\nIra reports that removing cxl_mock_mem causes a crash with the following\\ntrace:\\n\\n BUG: kernel NULL pointer dereference, address: 0000000000000044\\n [..]\\n RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core]\\n [..]\\n Call Trace:\\n \\n cxl_region_detach+0xe8/0x210 [cxl_core]\\n cxl_decoder_kill_region+0x27/0x40 [cxl_core]\\n cxld_unregister+0x29/0x40 [cxl_core]\\n devres_release_all+0xb8/0x110\\n device_unbind_cleanup+0xe/0x70\\n device_release_driver_internal+0x1d2/0x210\\n bus_remove_device+0xd7/0x150\\n device_del+0x155/0x3e0\\n device_unregister+0x13/0x60\\n devm_release_action+0x4d/0x90\\n ? __pfx_unregister_port+0x10/0x10 [cxl_core]\\n delete_endpoint+0x121/0x130 [cxl_core]\\n devres_release_all+0xb8/0x110\\n device_unbind_cleanup+0xe/0x70\\n device_release_driver_internal+0x1d2/0x210\\n bus_remove_device+0xd7/0x150\\n device_del+0x155/0x3e0\\n ? lock_release+0x142/0x290\\n cdev_device_del+0x15/0x50\\n cxl_memdev_unregister+0x54/0x70 [cxl_core]\\n\\nThis crash is due to the clearing out the cxl_memdev's driver context\\n(@cxlds) before the subsystem is done with it. This is ultimately due to\\nthe region(s), that this memdev is a member, being torn down and expecting\\nto be able to de-reference @cxlds, like here:\\n\\nstatic int cxl_region_decode_reset(struct cxl_region *cxlr, int count)\\n...\\n if (cxlds->rcd)\\n goto endpoint_reset;\\n...\\n\\nFix it by keeping the driver context valid until memdev-device\\nunregistration, and subsequently the entire stack of related\\ndependencies, unwinds.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52849\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52852", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52852" + }, + { + "url": "https://git.kernel.org/stable/c/8c4504cc0c64862740a6acb301e0cfa59580dbc5" + }, + { + "url": "https://git.kernel.org/stable/c/932ddb5c29e884cc6fac20417ece72ba4a35c401" + }, + { + "url": "https://git.kernel.org/stable/c/9375ea7f269093d7c884857ae1f47633a91f429c" + }, + { + "url": "https://git.kernel.org/stable/c/9d065aa52b6ee1b06f9c4eca881c9b4425a12ba2" + }, + { + "url": "https://git.kernel.org/stable/c/b0327c84e91a0f4f0abced8cb83ec86a7083f086" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52852 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52852", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to avoid use-after-free on dic\n\nCall trace:\n __memcpy+0x128/0x250\n f2fs_read_multi_pages+0x940/0xf7c\n f2fs_mpage_readpages+0x5a8/0x624\n f2fs_readahead+0x5c/0x110\n page_cache_ra_unbounded+0x1b8/0x590\n do_sync_mmap_readahead+0x1dc/0x2e4\n filemap_fault+0x254/0xa8c\n f2fs_filemap_fault+0x2c/0x104\n __do_fault+0x7c/0x238\n do_handle_mm_fault+0x11bc/0x2d14\n do_mem_abort+0x3a8/0x1004\n el0_da+0x3c/0xa0\n el0t_64_sync_handler+0xc4/0xec\n el0t_64_sync+0x1b4/0x1b8\n\nIn f2fs_read_multi_pages(), once f2fs_decompress_cluster() was called if\nwe hit cached page in compress_inode's cache, dic may be released, it needs\nbreak the loop rather than continuing it, in order to avoid accessing\ninvalid dic pointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52852\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52852\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52852\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52852\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52852\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8c4504cc0c64862740a6acb301e0cfa59580dbc5\",\n \"https://git.kernel.org/stable/c/932ddb5c29e884cc6fac20417ece72ba4a35c401\",\n \"https://git.kernel.org/stable/c/9375ea7f269093d7c884857ae1f47633a91f429c\",\n \"https://git.kernel.org/stable/c/9d065aa52b6ee1b06f9c4eca881c9b4425a12ba2\",\n \"https://git.kernel.org/stable/c/b0327c84e91a0f4f0abced8cb83ec86a7083f086\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: compress: fix to avoid use-after-free on dic\\n\\nCall trace:\\n __memcpy+0x128/0x250\\n f2fs_read_multi_pages+0x940/0xf7c\\n f2fs_mpage_readpages+0x5a8/0x624\\n f2fs_readahead+0x5c/0x110\\n page_cache_ra_unbounded+0x1b8/0x590\\n do_sync_mmap_readahead+0x1dc/0x2e4\\n filemap_fault+0x254/0xa8c\\n f2fs_filemap_fault+0x2c/0x104\\n __do_fault+0x7c/0x238\\n do_handle_mm_fault+0x11bc/0x2d14\\n do_mem_abort+0x3a8/0x1004\\n el0_da+0x3c/0xa0\\n el0t_64_sync_handler+0xc4/0xec\\n el0t_64_sync+0x1b4/0x1b8\\n\\nIn f2fs_read_multi_pages(), once f2fs_decompress_cluster() was called if\\nwe hit cached page in compress_inode's cache, dic may be released, it needs\\nbreak the loop rather than continuing it, in order to avoid accessing\\ninvalid dic pointer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52852\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52853", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52853" + }, + { + "url": "https://git.kernel.org/stable/c/012d0c66f9392a99232ac28217229f32dd3a70cf" + }, + { + "url": "https://git.kernel.org/stable/c/3d959406c8fff2334d83d0c352d54fd6f5b2e7cd" + }, + { + "url": "https://git.kernel.org/stable/c/727203e6e7e7020e1246fc1628cbdb8d90177819" + }, + { + "url": "https://git.kernel.org/stable/c/bafb12b629b7c3ad59812dd1ac1b0618062e0e38" + }, + { + "url": "https://git.kernel.org/stable/c/df0daac2709473531d6a3472997cc65301ac06d6" + }, + { + "url": "https://git.kernel.org/stable/c/e3c2d2d144c082dd71596953193adf9891491f42" + }, + { + "url": "https://git.kernel.org/stable/c/eb1121fac7986b30915ba20c5a04cc01fdcf160c" + }, + { + "url": "https://git.kernel.org/stable/c/fb5718bc67337dde1528661f419ffcf275757592" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52853 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52853", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhid: cp2112: Fix duplicate workqueue initialization\n\nPreviously the cp2112 driver called INIT_DELAYED_WORK within\ncp2112_gpio_irq_startup, resulting in duplicate initilizations of the\nworkqueue on subsequent IRQ startups following an initial request. This\nresulted in a warning in set_work_data in workqueue.c, as well as a rare\nNULL dereference within process_one_work in workqueue.c.\n\nInitialize the workqueue within _probe instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52853\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52853\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52853\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52853\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52853\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/012d0c66f9392a99232ac28217229f32dd3a70cf\",\n \"https://git.kernel.org/stable/c/3d959406c8fff2334d83d0c352d54fd6f5b2e7cd\",\n \"https://git.kernel.org/stable/c/727203e6e7e7020e1246fc1628cbdb8d90177819\",\n \"https://git.kernel.org/stable/c/bafb12b629b7c3ad59812dd1ac1b0618062e0e38\",\n \"https://git.kernel.org/stable/c/df0daac2709473531d6a3472997cc65301ac06d6\",\n \"https://git.kernel.org/stable/c/e3c2d2d144c082dd71596953193adf9891491f42\",\n \"https://git.kernel.org/stable/c/eb1121fac7986b30915ba20c5a04cc01fdcf160c\",\n \"https://git.kernel.org/stable/c/fb5718bc67337dde1528661f419ffcf275757592\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhid: cp2112: Fix duplicate workqueue initialization\\n\\nPreviously the cp2112 driver called INIT_DELAYED_WORK within\\ncp2112_gpio_irq_startup, resulting in duplicate initilizations of the\\nworkqueue on subsequent IRQ startups following an initial request. This\\nresulted in a warning in set_work_data in workqueue.c, as well as a rare\\nNULL dereference within process_one_work in workqueue.c.\\n\\nInitialize the workqueue within _probe instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52853\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52854", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52854" + }, + { + "url": "https://git.kernel.org/stable/c/0dd34a7ad395dbcf6ae60e48e9786050e25b9bc5" + }, + { + "url": "https://git.kernel.org/stable/c/1734a79e951914f1db2c65e635012a35db1c674b" + }, + { + "url": "https://git.kernel.org/stable/c/1e901bcb8af19416b65f5063a4af7996e5a51d7f" + }, + { + "url": "https://git.kernel.org/stable/c/41aad9d6953984d134fc50f631f24ef476875d4d" + }, + { + "url": "https://git.kernel.org/stable/c/7ddc21e317b360c3444de3023bcc83b85fabae2f" + }, + { + "url": "https://git.kernel.org/stable/c/c7c26d0ef5d20f00dbb2ae3befcabbe0efa77275" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52854 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52854", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix refcnt handling in padata_free_shell()\n\nIn a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead\nto system UAF (Use-After-Free) issues. Due to the lengthy analysis of\nthe pcrypt_aead01 function call, I'll describe the problem scenario\nusing a simplified model:\n\nSuppose there's a user of padata named `user_function` that adheres to\nthe padata requirement of calling `padata_free_shell` after `serial()`\nhas been invoked, as demonstrated in the following code:\n\n```c\nstruct request {\n struct padata_priv padata;\n struct completion *done;\n};\n\nvoid parallel(struct padata_priv *padata) {\n do_something();\n}\n\nvoid serial(struct padata_priv *padata) {\n struct request *request = container_of(padata,\n \t\t\t\tstruct request,\n\t\t\t\tpadata);\n complete(request->done);\n}\n\nvoid user_function() {\n DECLARE_COMPLETION(done)\n padata->parallel = parallel;\n padata->serial = serial;\n padata_do_parallel();\n wait_for_completion(&done);\n padata_free_shell();\n}\n```\n\nIn the corresponding padata.c file, there's the following code:\n\n```c\nstatic void padata_serial_worker(struct work_struct *serial_work) {\n ...\n cnt = 0;\n\n while (!list_empty(&local_list)) {\n ...\n padata->serial(padata);\n cnt++;\n }\n\n local_bh_enable();\n\n if (refcount_sub_and_test(cnt, &pd->refcnt))\n padata_free_pd(pd);\n}\n```\n\nBecause of the high system load and the accumulation of unexecuted\nsoftirq at this moment, `local_bh_enable()` in padata takes longer\nto execute than usual. Subsequently, when accessing `pd->refcnt`,\n`pd` has already been released by `padata_free_shell()`, resulting\nin a UAF issue with `pd->refcnt`.\n\nThe fix is straightforward: add `refcount_dec_and_test` before calling\n`padata_free_pd` in `padata_free_shell`.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52854\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52854\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52854\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52854\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52854\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0dd34a7ad395dbcf6ae60e48e9786050e25b9bc5\",\n \"https://git.kernel.org/stable/c/1734a79e951914f1db2c65e635012a35db1c674b\",\n \"https://git.kernel.org/stable/c/1e901bcb8af19416b65f5063a4af7996e5a51d7f\",\n \"https://git.kernel.org/stable/c/41aad9d6953984d134fc50f631f24ef476875d4d\",\n \"https://git.kernel.org/stable/c/7ddc21e317b360c3444de3023bcc83b85fabae2f\",\n \"https://git.kernel.org/stable/c/c7c26d0ef5d20f00dbb2ae3befcabbe0efa77275\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npadata: Fix refcnt handling in padata_free_shell()\\n\\nIn a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead\\nto system UAF (Use-After-Free) issues. Due to the lengthy analysis of\\nthe pcrypt_aead01 function call, I'll describe the problem scenario\\nusing a simplified model:\\n\\nSuppose there's a user of padata named `user_function` that adheres to\\nthe padata requirement of calling `padata_free_shell` after `serial()`\\nhas been invoked, as demonstrated in the following code:\\n\\n```c\\nstruct request {\\n struct padata_priv padata;\\n struct completion *done;\\n};\\n\\nvoid parallel(struct padata_priv *padata) {\\n do_something();\\n}\\n\\nvoid serial(struct padata_priv *padata) {\\n struct request *request = container_of(padata,\\n \\t\\t\\t\\tstruct request,\\n\\t\\t\\t\\tpadata);\\n complete(request->done);\\n}\\n\\nvoid user_function() {\\n DECLARE_COMPLETION(done)\\n padata->parallel = parallel;\\n padata->serial = serial;\\n padata_do_parallel();\\n wait_for_completion(&done);\\n padata_free_shell();\\n}\\n```\\n\\nIn the corresponding padata.c file, there's the following code:\\n\\n```c\\nstatic void padata_serial_worker(struct work_struct *serial_work) {\\n ...\\n cnt = 0;\\n\\n while (!list_empty(&local_list)) {\\n ...\\n padata->serial(padata);\\n cnt++;\\n }\\n\\n local_bh_enable();\\n\\n if (refcount_sub_and_test(cnt, &pd->refcnt))\\n padata_free_pd(pd);\\n}\\n```\\n\\nBecause of the high system load and the accumulation of unexecuted\\nsoftirq at this moment, `local_bh_enable()` in padata takes longer\\nto execute than usual. Subsequently, when accessing `pd->refcnt`,\\n`pd` has already been released by `padata_free_shell()`, resulting\\nin a UAF issue with `pd->refcnt`.\\n\\nThe fix is straightforward: add `refcount_dec_and_test` before calling\\n`padata_free_pd` in `padata_free_shell`.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52854\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52855", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52855" + }, + { + "url": "https://git.kernel.org/stable/c/14c9ec34e8118fbffd7f5431814d767726323e72" + }, + { + "url": "https://git.kernel.org/stable/c/3e851a77a13ce944d703721793f49ee82622986d" + }, + { + "url": "https://git.kernel.org/stable/c/64c47749fc7507ed732e155c958253968c1d275e" + }, + { + "url": "https://git.kernel.org/stable/c/6b21a22728852d020a6658d39cd7bb7e14b07790" + }, + { + "url": "https://git.kernel.org/stable/c/a7bee9598afb38004841a41dd8fe68c1faff4e90" + }, + { + "url": "https://git.kernel.org/stable/c/bdb3dd4096302d6b87441fdc528439f171b04be6" + }, + { + "url": "https://git.kernel.org/stable/c/ef307bc6ef04e8c1ea843231db58e3afaafa9fa6" + }, + { + "url": "https://git.kernel.org/stable/c/fcaafb574fc88a52dce817f039f7ff2f9da38001" + }, + { + "url": "https://git.kernel.org/stable/c/fed492aa6493a91a77ebd51da6fb939c98d94a0d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52855 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52855", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: fix possible NULL pointer dereference caused by driver concurrency\n\nIn _dwc2_hcd_urb_enqueue(), \"urb->hcpriv = NULL\" is executed without\nholding the lock \"hsotg->lock\". In _dwc2_hcd_urb_dequeue():\n\n spin_lock_irqsave(&hsotg->lock, flags);\n ...\n\tif (!urb->hcpriv) {\n\t\tdev_dbg(hsotg->dev, \"## urb->hcpriv is NULL ##\\n\");\n\t\tgoto out;\n\t}\n rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv\n ...\nout:\n spin_unlock_irqrestore(&hsotg->lock, flags);\n\nWhen _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are\nconcurrently executed, the NULL check of \"urb->hcpriv\" can be executed\nbefore \"urb->hcpriv = NULL\". After urb->hcpriv is NULL, it can be used\nin the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL\npointer dereference.\n\nThis possible bug is found by an experimental static analysis tool\ndeveloped by myself. This tool analyzes the locking APIs to extract\nfunction pairs that can be concurrently executed, and then analyzes the\ninstructions in the paired functions to identify possible concurrency\nbugs including data races and atomicity violations. The above possible\nbug is reported, when my tool analyzes the source code of Linux 6.5.\n\nTo fix this possible bug, \"urb->hcpriv = NULL\" should be executed with\nholding the lock \"hsotg->lock\". After using this patch, my tool never\nreports the possible bug, with the kernelconfiguration allyesconfig for\nx86_64. Because I have no associated hardware, I cannot test the patch\nin runtime testing, and just verify it according to the code logic.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52855\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52855\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52855\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52855\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52855\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14c9ec34e8118fbffd7f5431814d767726323e72\",\n \"https://git.kernel.org/stable/c/3e851a77a13ce944d703721793f49ee82622986d\",\n \"https://git.kernel.org/stable/c/64c47749fc7507ed732e155c958253968c1d275e\",\n \"https://git.kernel.org/stable/c/6b21a22728852d020a6658d39cd7bb7e14b07790\",\n \"https://git.kernel.org/stable/c/a7bee9598afb38004841a41dd8fe68c1faff4e90\",\n \"https://git.kernel.org/stable/c/bdb3dd4096302d6b87441fdc528439f171b04be6\",\n \"https://git.kernel.org/stable/c/ef307bc6ef04e8c1ea843231db58e3afaafa9fa6\",\n \"https://git.kernel.org/stable/c/fcaafb574fc88a52dce817f039f7ff2f9da38001\",\n \"https://git.kernel.org/stable/c/fed492aa6493a91a77ebd51da6fb939c98d94a0d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: dwc2: fix possible NULL pointer dereference caused by driver concurrency\\n\\nIn _dwc2_hcd_urb_enqueue(), \\\"urb->hcpriv = NULL\\\" is executed without\\nholding the lock \\\"hsotg->lock\\\". In _dwc2_hcd_urb_dequeue():\\n\\n spin_lock_irqsave(&hsotg->lock, flags);\\n ...\\n\\tif (!urb->hcpriv) {\\n\\t\\tdev_dbg(hsotg->dev, \\\"## urb->hcpriv is NULL ##\\\\n\\\");\\n\\t\\tgoto out;\\n\\t}\\n rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv\\n ...\\nout:\\n spin_unlock_irqrestore(&hsotg->lock, flags);\\n\\nWhen _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are\\nconcurrently executed, the NULL check of \\\"urb->hcpriv\\\" can be executed\\nbefore \\\"urb->hcpriv = NULL\\\". After urb->hcpriv is NULL, it can be used\\nin the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL\\npointer dereference.\\n\\nThis possible bug is found by an experimental static analysis tool\\ndeveloped by myself. This tool analyzes the locking APIs to extract\\nfunction pairs that can be concurrently executed, and then analyzes the\\ninstructions in the paired functions to identify possible concurrency\\nbugs including data races and atomicity violations. The above possible\\nbug is reported, when my tool analyzes the source code of Linux 6.5.\\n\\nTo fix this possible bug, \\\"urb->hcpriv = NULL\\\" should be executed with\\nholding the lock \\\"hsotg->lock\\\". After using this patch, my tool never\\nreports the possible bug, with the kernelconfiguration allyesconfig for\\nx86_64. Because I have no associated hardware, I cannot test the patch\\nin runtime testing, and just verify it according to the code logic.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52855\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52856", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52856" + }, + { + "url": "https://git.kernel.org/stable/c/42071feab712ba2a139b8928f7e0f8d3a6fc719e" + }, + { + "url": "https://git.kernel.org/stable/c/44283993144a03af9df31934d6c32bbd42d1a347" + }, + { + "url": "https://git.kernel.org/stable/c/7bf0cb8f40280a85034990dfe42be8ca8f80f37a" + }, + { + "url": "https://git.kernel.org/stable/c/b65e3249f3ca96e3c736af889461d80d675feab6" + }, + { + "url": "https://git.kernel.org/stable/c/fcd9895e365474709844eeb31cfe53d912c3596e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52856 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52856", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: lt8912b: Fix crash on bridge detach\n\nThe lt8912b driver, in its bridge detach function, calls\ndrm_connector_unregister() and drm_connector_cleanup().\n\ndrm_connector_unregister() should be called only for connectors\nexplicitly registered with drm_connector_register(), which is not the\ncase in lt8912b.\n\nThe driver's drm_connector_funcs.destroy hook is set to\ndrm_connector_cleanup().\n\nThus the driver should not call either drm_connector_unregister() nor\ndrm_connector_cleanup() in its lt8912_bridge_detach(), as they cause a\ncrash on bridge detach:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\nMem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000\n[0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\nModules linked in: tidss(-) display_connector lontium_lt8912b tc358768 panel_lvds panel_simple drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks\nCPU: 3 PID: 462 Comm: rmmod Tainted: G W 6.5.0-rc2+ #2\nHardware name: Toradex Verdin AM62 on Verdin Development Board (DT)\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : drm_connector_cleanup+0x78/0x2d4 [drm]\nlr : lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\nsp : ffff800082ed3a90\nx29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000\nx26: 0000000000000000 x25: dead000000000122 x24: dead000000000122\nx23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000\nx20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8\nx17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038\nx14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e\nx11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48\nx8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n drm_connector_cleanup+0x78/0x2d4 [drm]\n lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\n drm_bridge_detach+0x44/0x84 [drm]\n drm_encoder_cleanup+0x40/0xb8 [drm]\n drmm_encoder_alloc_release+0x1c/0x30 [drm]\n drm_managed_release+0xac/0x148 [drm]\n drm_dev_put.part.0+0x88/0xb8 [drm]\n devm_drm_dev_init_release+0x14/0x24 [drm]\n devm_action_release+0x14/0x20\n release_nodes+0x5c/0x90\n devres_release_all+0x8c/0xe0\n device_unbind_cleanup+0x18/0x68\n device_release_driver_internal+0x208/0x23c\n driver_detach+0x4c/0x94\n bus_remove_driver+0x70/0xf4\n driver_unregister+0x30/0x60\n platform_driver_unregister+0x14/0x20\n tidss_platform_driver_exit+0x18/0xb2c [tidss]\n __arm64_sys_delete_module+0x1a0/0x2b4\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0x60/0x10c\n do_el0_svc_compat+0x1c/0x40\n el0_svc_compat+0x40/0xac\n el0t_32_sync_handler+0xb0/0x138\n el0t_32_sync+0x194/0x198\nCode: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52856\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52856\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52856\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52856\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52856\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/42071feab712ba2a139b8928f7e0f8d3a6fc719e\",\n \"https://git.kernel.org/stable/c/44283993144a03af9df31934d6c32bbd42d1a347\",\n \"https://git.kernel.org/stable/c/7bf0cb8f40280a85034990dfe42be8ca8f80f37a\",\n \"https://git.kernel.org/stable/c/b65e3249f3ca96e3c736af889461d80d675feab6\",\n \"https://git.kernel.org/stable/c/fcd9895e365474709844eeb31cfe53d912c3596e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/bridge: lt8912b: Fix crash on bridge detach\\n\\nThe lt8912b driver, in its bridge detach function, calls\\ndrm_connector_unregister() and drm_connector_cleanup().\\n\\ndrm_connector_unregister() should be called only for connectors\\nexplicitly registered with drm_connector_register(), which is not the\\ncase in lt8912b.\\n\\nThe driver's drm_connector_funcs.destroy hook is set to\\ndrm_connector_cleanup().\\n\\nThus the driver should not call either drm_connector_unregister() nor\\ndrm_connector_cleanup() in its lt8912_bridge_detach(), as they cause a\\ncrash on bridge detach:\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\\nMem abort info:\\n ESR = 0x0000000096000006\\n EC = 0x25: DABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x06: level 2 translation fault\\nData abort info:\\n ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\nuser pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000\\n[0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000\\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\\nModules linked in: tidss(-) display_connector lontium_lt8912b tc358768 panel_lvds panel_simple drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks\\nCPU: 3 PID: 462 Comm: rmmod Tainted: G W 6.5.0-rc2+ #2\\nHardware name: Toradex Verdin AM62 on Verdin Development Board (DT)\\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : drm_connector_cleanup+0x78/0x2d4 [drm]\\nlr : lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\\nsp : ffff800082ed3a90\\nx29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000\\nx26: 0000000000000000 x25: dead000000000122 x24: dead000000000122\\nx23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000\\nx20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8\\nx17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038\\nx14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e\\nx11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48\\nx8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0\\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008\\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\\nCall trace:\\n drm_connector_cleanup+0x78/0x2d4 [drm]\\n lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\\n drm_bridge_detach+0x44/0x84 [drm]\\n drm_encoder_cleanup+0x40/0xb8 [drm]\\n drmm_encoder_alloc_release+0x1c/0x30 [drm]\\n drm_managed_release+0xac/0x148 [drm]\\n drm_dev_put.part.0+0x88/0xb8 [drm]\\n devm_drm_dev_init_release+0x14/0x24 [drm]\\n devm_action_release+0x14/0x20\\n release_nodes+0x5c/0x90\\n devres_release_all+0x8c/0xe0\\n device_unbind_cleanup+0x18/0x68\\n device_release_driver_internal+0x208/0x23c\\n driver_detach+0x4c/0x94\\n bus_remove_driver+0x70/0xf4\\n driver_unregister+0x30/0x60\\n platform_driver_unregister+0x14/0x20\\n tidss_platform_driver_exit+0x18/0xb2c [tidss]\\n __arm64_sys_delete_module+0x1a0/0x2b4\\n invoke_syscall+0x48/0x110\\n el0_svc_common.constprop.0+0x60/0x10c\\n do_el0_svc_compat+0x1c/0x40\\n el0_svc_compat+0x40/0xac\\n el0t_32_sync_handler+0xb0/0x138\\n el0t_32_sync+0x194/0x198\\nCode: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52856\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52857", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52857" + }, + { + "url": "https://git.kernel.org/stable/c/0d8a1df39d3fc34560e2cc663b5c340d06a25396" + }, + { + "url": "https://git.kernel.org/stable/c/96312a251d4dcee5d36e32edba3002bfde0ddd9c" + }, + { + "url": "https://git.kernel.org/stable/c/b0b0d811eac6b4c52cb9ad632fa6384cf48869e7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52857 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52857", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix coverity issue with unintentional integer overflow\n\n1. Instead of multiplying 2 variable of different types. Change to\nassign a value of one variable and then multiply the other variable.\n\n2. Add a int variable for multiplier calculation instead of calculating\ndifferent types multiplier with dma_addr_t variable directly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52857\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52857\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52857\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52857\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52857\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d8a1df39d3fc34560e2cc663b5c340d06a25396\",\n \"https://git.kernel.org/stable/c/96312a251d4dcee5d36e32edba3002bfde0ddd9c\",\n \"https://git.kernel.org/stable/c/b0b0d811eac6b4c52cb9ad632fa6384cf48869e7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/mediatek: Fix coverity issue with unintentional integer overflow\\n\\n1. Instead of multiplying 2 variable of different types. Change to\\nassign a value of one variable and then multiply the other variable.\\n\\n2. Add a int variable for multiplier calculation instead of calculating\\ndifferent types multiplier with dma_addr_t variable directly.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52857\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52858", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52858" + }, + { + "url": "https://git.kernel.org/stable/c/1d89430fc3158f872d492f1b88d07262f48290c0" + }, + { + "url": "https://git.kernel.org/stable/c/2befa515c1bb6cdd33c262b909d93d1973a219aa" + }, + { + "url": "https://git.kernel.org/stable/c/4f861b63945e076f9f003a5fad958174096df1ee" + }, + { + "url": "https://git.kernel.org/stable/c/5fbea47eebff5daeca7d918c99289bcd3ae4dc8d" + }, + { + "url": "https://git.kernel.org/stable/c/a836efc21ef04608333d6d05753e558ebd1f85d0" + }, + { + "url": "https://git.kernel.org/stable/c/e8ae4b49dd9cfde69d8de8c0c0cd7cf1b004482e" + }, + { + "url": "https://git.kernel.org/stable/c/e964d21dc034b650d719c4ea39564bec72b42f94" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52858 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52858", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52858\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52858\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52858\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52858\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52858\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d89430fc3158f872d492f1b88d07262f48290c0\",\n \"https://git.kernel.org/stable/c/2befa515c1bb6cdd33c262b909d93d1973a219aa\",\n \"https://git.kernel.org/stable/c/4f861b63945e076f9f003a5fad958174096df1ee\",\n \"https://git.kernel.org/stable/c/5fbea47eebff5daeca7d918c99289bcd3ae4dc8d\",\n \"https://git.kernel.org/stable/c/a836efc21ef04608333d6d05753e558ebd1f85d0\",\n \"https://git.kernel.org/stable/c/e8ae4b49dd9cfde69d8de8c0c0cd7cf1b004482e\",\n \"https://git.kernel.org/stable/c/e964d21dc034b650d719c4ea39564bec72b42f94\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52858\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52859", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52859" + }, + { + "url": "https://git.kernel.org/stable/c/0e1e88bba286621b886218363de07b319d6208b2" + }, + { + "url": "https://git.kernel.org/stable/c/3405f364f82d4f5407a8b4c519dc15d24b847fda" + }, + { + "url": "https://git.kernel.org/stable/c/75bab28ffd05ec8879c197890b1bd1dfec8d3f63" + }, + { + "url": "https://git.kernel.org/stable/c/b660420f449d094b1fabfa504889810b3a63cdd5" + }, + { + "url": "https://git.kernel.org/stable/c/b805cafc604bfdb671fae7347a57f51154afa735" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52859 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52859", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: hisi: Fix use-after-free when register pmu fails\n\nWhen we fail to register the uncore pmu, the pmu context may not been\nallocated. The error handing will call cpuhp_state_remove_instance()\nto call uncore pmu offline callback, which migrate the pmu context.\nSince that's liable to lead to some kind of use-after-free.\n\nUse cpuhp_state_remove_instance_nocalls() instead of\ncpuhp_state_remove_instance() so that the notifiers don't execute after\nthe PMU device has been failed to register.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52859\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52859\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52859\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52859\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52859\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e1e88bba286621b886218363de07b319d6208b2\",\n \"https://git.kernel.org/stable/c/3405f364f82d4f5407a8b4c519dc15d24b847fda\",\n \"https://git.kernel.org/stable/c/75bab28ffd05ec8879c197890b1bd1dfec8d3f63\",\n \"https://git.kernel.org/stable/c/b660420f449d094b1fabfa504889810b3a63cdd5\",\n \"https://git.kernel.org/stable/c/b805cafc604bfdb671fae7347a57f51154afa735\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf: hisi: Fix use-after-free when register pmu fails\\n\\nWhen we fail to register the uncore pmu, the pmu context may not been\\nallocated. The error handing will call cpuhp_state_remove_instance()\\nto call uncore pmu offline callback, which migrate the pmu context.\\nSince that's liable to lead to some kind of use-after-free.\\n\\nUse cpuhp_state_remove_instance_nocalls() instead of\\ncpuhp_state_remove_instance() so that the notifiers don't execute after\\nthe PMU device has been failed to register.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52859\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52863", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52863" + }, + { + "url": "https://git.kernel.org/stable/c/2a5b3370a1d9750eca325292e291c8c7cb8cf2e0" + }, + { + "url": "https://git.kernel.org/stable/c/33de53a2706066d526173dc743faf43d92c62105" + }, + { + "url": "https://git.kernel.org/stable/c/7d870088db4863c514a7f8751cd593751983029a" + }, + { + "url": "https://git.kernel.org/stable/c/b3e7eb23a6e97642ff3190431c06475d9ca1e062" + }, + { + "url": "https://git.kernel.org/stable/c/c49f14cc1bb12c625a1c572e8a95b6adefd4d8eb" + }, + { + "url": "https://git.kernel.org/stable/c/f62b8969847850ba7596cb145cc47c65ea57dae0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52863 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52863", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (axi-fan-control) Fix possible NULL pointer dereference\n\naxi_fan_control_irq_handler(), dependent on the private\naxi_fan_control_data structure, might be called before the hwmon\ndevice is registered. That will cause an \"Unable to handle kernel\nNULL pointer dereference\" error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52863\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52863\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52863\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52863\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52863\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a5b3370a1d9750eca325292e291c8c7cb8cf2e0\",\n \"https://git.kernel.org/stable/c/33de53a2706066d526173dc743faf43d92c62105\",\n \"https://git.kernel.org/stable/c/7d870088db4863c514a7f8751cd593751983029a\",\n \"https://git.kernel.org/stable/c/b3e7eb23a6e97642ff3190431c06475d9ca1e062\",\n \"https://git.kernel.org/stable/c/c49f14cc1bb12c625a1c572e8a95b6adefd4d8eb\",\n \"https://git.kernel.org/stable/c/f62b8969847850ba7596cb145cc47c65ea57dae0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhwmon: (axi-fan-control) Fix possible NULL pointer dereference\\n\\naxi_fan_control_irq_handler(), dependent on the private\\naxi_fan_control_data structure, might be called before the hwmon\\ndevice is registered. That will cause an \\\"Unable to handle kernel\\nNULL pointer dereference\\\" error.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52863\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52864", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52864" + }, + { + "url": "https://git.kernel.org/stable/c/36d85fa7ae0d6be651c1a745191fa7ef055db43e" + }, + { + "url": "https://git.kernel.org/stable/c/44a96796d25809502c75771d40ee693c2e44724e" + }, + { + "url": "https://git.kernel.org/stable/c/9fb0eed09e1470cd4021ff52b2b9dfcbcee4c203" + }, + { + "url": "https://git.kernel.org/stable/c/cf098e937dd125c0317a0d6f261ac2a950a233d6" + }, + { + "url": "https://git.kernel.org/stable/c/d426a2955e45a95b2282764105fcfb110a540453" + }, + { + "url": "https://git.kernel.org/stable/c/e0bf076b734a2fab92d8fddc2b8b03462eee7097" + }, + { + "url": "https://git.kernel.org/stable/c/eba9ac7abab91c8f6d351460239108bef5e7a0b6" + }, + { + "url": "https://git.kernel.org/stable/c/fb7b06b59c6887659c6ed0ecd3110835eecbb6a3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52864 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52864", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: wmi: Fix opening of char device\n\nSince commit fa1f68db6ca7 (\"drivers: misc: pass miscdevice pointer via\nfile private data\"), the miscdevice stores a pointer to itself inside\nfilp->private_data, which means that private_data will not be NULL when\nwmi_char_open() is called. This might cause memory corruption should\nwmi_char_open() be unable to find its driver, something which can\nhappen when the associated WMI device is deleted in wmi_free_devices().\n\nFix the problem by using the miscdevice pointer to retrieve the WMI\ndevice data associated with a char device using container_of(). This\nalso avoids wmi_char_open() picking a wrong WMI device bound to a\ndriver with the same name as the original driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52864\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52864\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52864\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52864\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52864\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36d85fa7ae0d6be651c1a745191fa7ef055db43e\",\n \"https://git.kernel.org/stable/c/44a96796d25809502c75771d40ee693c2e44724e\",\n \"https://git.kernel.org/stable/c/9fb0eed09e1470cd4021ff52b2b9dfcbcee4c203\",\n \"https://git.kernel.org/stable/c/cf098e937dd125c0317a0d6f261ac2a950a233d6\",\n \"https://git.kernel.org/stable/c/d426a2955e45a95b2282764105fcfb110a540453\",\n \"https://git.kernel.org/stable/c/e0bf076b734a2fab92d8fddc2b8b03462eee7097\",\n \"https://git.kernel.org/stable/c/eba9ac7abab91c8f6d351460239108bef5e7a0b6\",\n \"https://git.kernel.org/stable/c/fb7b06b59c6887659c6ed0ecd3110835eecbb6a3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nplatform/x86: wmi: Fix opening of char device\\n\\nSince commit fa1f68db6ca7 (\\\"drivers: misc: pass miscdevice pointer via\\nfile private data\\\"), the miscdevice stores a pointer to itself inside\\nfilp->private_data, which means that private_data will not be NULL when\\nwmi_char_open() is called. This might cause memory corruption should\\nwmi_char_open() be unable to find its driver, something which can\\nhappen when the associated WMI device is deleted in wmi_free_devices().\\n\\nFix the problem by using the miscdevice pointer to retrieve the WMI\\ndevice data associated with a char device using container_of(). This\\nalso avoids wmi_char_open() picking a wrong WMI device bound to a\\ndriver with the same name as the original driver.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52864\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52865", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52865" + }, + { + "url": "https://git.kernel.org/stable/c/122ac6496e4975ddd7ec1edba4f6fc1e15e39478" + }, + { + "url": "https://git.kernel.org/stable/c/2705c5b97f504e831ae1935c05f0e44f80dfa6b3" + }, + { + "url": "https://git.kernel.org/stable/c/357df1c2f6ace96defd557fad709ed1f9f70e16c" + }, + { + "url": "https://git.kernel.org/stable/c/3aefc6fcfbada57fac27f470602d5565e5b76cb4" + }, + { + "url": "https://git.kernel.org/stable/c/4c79cbfb8e9e2311be77182893fda5ea4068c836" + }, + { + "url": "https://git.kernel.org/stable/c/606f6366a35a3329545e38129804d65ef26ed7d2" + }, + { + "url": "https://git.kernel.org/stable/c/81b16286110728674dcf81137be0687c5055e7bf" + }, + { + "url": "https://git.kernel.org/stable/c/be3f12f16038a558f08fa93cc32fa715746a5235" + }, + { + "url": "https://git.kernel.org/stable/c/c26feedbc561f2a3cee1a4f717e61bdbdfb4fa92" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52865 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52865", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52865\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52865\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52865\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52865\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52865\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/122ac6496e4975ddd7ec1edba4f6fc1e15e39478\",\n \"https://git.kernel.org/stable/c/2705c5b97f504e831ae1935c05f0e44f80dfa6b3\",\n \"https://git.kernel.org/stable/c/357df1c2f6ace96defd557fad709ed1f9f70e16c\",\n \"https://git.kernel.org/stable/c/3aefc6fcfbada57fac27f470602d5565e5b76cb4\",\n \"https://git.kernel.org/stable/c/4c79cbfb8e9e2311be77182893fda5ea4068c836\",\n \"https://git.kernel.org/stable/c/606f6366a35a3329545e38129804d65ef26ed7d2\",\n \"https://git.kernel.org/stable/c/81b16286110728674dcf81137be0687c5055e7bf\",\n \"https://git.kernel.org/stable/c/be3f12f16038a558f08fa93cc32fa715746a5235\",\n \"https://git.kernel.org/stable/c/c26feedbc561f2a3cee1a4f717e61bdbdfb4fa92\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52865\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52867", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52867" + }, + { + "url": "https://git.kernel.org/stable/c/112d4b02d94bf9fa4f1d3376587878400dd74783" + }, + { + "url": "https://git.kernel.org/stable/c/19534a7a225f1bf2da70a9a90d41d0215f8f6b45" + }, + { + "url": "https://git.kernel.org/stable/c/341e79f8aec6af6b0061b8171d77b085835c6a58" + }, + { + "url": "https://git.kernel.org/stable/c/347f025a02b3a5d715a0b471fc3b1439c338ad94" + }, + { + "url": "https://git.kernel.org/stable/c/7b063c93bece827fde237fae1c101bceeee4e896" + }, + { + "url": "https://git.kernel.org/stable/c/caaa74541459c4c9e2c10046cf66ad2890483d0f" + }, + { + "url": "https://git.kernel.org/stable/c/d9b4fa249deaae1145d6fc2b64dae718e5c7a855" + }, + { + "url": "https://git.kernel.org/stable/c/dd05484f99d16715a88eedfca363828ef9a4c2d4" + }, + { + "url": "https://git.kernel.org/stable/c/ddc42881f170f1f518496f5a70447501335fc783" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52867 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52867", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: possible buffer overflow\n\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\nchecked after access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52867\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52867\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52867\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52867\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52867\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/112d4b02d94bf9fa4f1d3376587878400dd74783\",\n \"https://git.kernel.org/stable/c/19534a7a225f1bf2da70a9a90d41d0215f8f6b45\",\n \"https://git.kernel.org/stable/c/341e79f8aec6af6b0061b8171d77b085835c6a58\",\n \"https://git.kernel.org/stable/c/347f025a02b3a5d715a0b471fc3b1439c338ad94\",\n \"https://git.kernel.org/stable/c/7b063c93bece827fde237fae1c101bceeee4e896\",\n \"https://git.kernel.org/stable/c/caaa74541459c4c9e2c10046cf66ad2890483d0f\",\n \"https://git.kernel.org/stable/c/d9b4fa249deaae1145d6fc2b64dae718e5c7a855\",\n \"https://git.kernel.org/stable/c/dd05484f99d16715a88eedfca363828ef9a4c2d4\",\n \"https://git.kernel.org/stable/c/ddc42881f170f1f518496f5a70447501335fc783\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/radeon: possible buffer overflow\\n\\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\\nchecked after access.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52867\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52868", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52868" + }, + { + "url": "https://git.kernel.org/stable/c/0f6b3be28c4d62ef6498133959c72266629bea97" + }, + { + "url": "https://git.kernel.org/stable/c/3091ab943dfc7b2578599b0fe203350286fab5bb" + }, + { + "url": "https://git.kernel.org/stable/c/3a8f4e58e1ee707b4f46a1000b40b86ea3dd509c" + }, + { + "url": "https://git.kernel.org/stable/c/3f795fb35c2d8a637efe76b4518216c9319b998c" + }, + { + "url": "https://git.kernel.org/stable/c/6ad1bf47fbe5750c4d5d8e41337665e193e2c521" + }, + { + "url": "https://git.kernel.org/stable/c/77ff34a56b695e228e6daf30ee30be747973d6e8" + }, + { + "url": "https://git.kernel.org/stable/c/b55f0a9f865be75ca1019aad331f3225f7b50ce8" + }, + { + "url": "https://git.kernel.org/stable/c/c99626092efca3061b387043d4a7399bf75fbdd5" + }, + { + "url": "https://git.kernel.org/stable/c/edbd6bbe40ac524a8f2273ffacc53edf14f3c686" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52868 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52868", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: prevent potential string overflow\n\nThe dev->id value comes from ida_alloc() so it's a number between zero\nand INT_MAX. If it's too high then these sprintf()s will overflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52868\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52868\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52868\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52868\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52868\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f6b3be28c4d62ef6498133959c72266629bea97\",\n \"https://git.kernel.org/stable/c/3091ab943dfc7b2578599b0fe203350286fab5bb\",\n \"https://git.kernel.org/stable/c/3a8f4e58e1ee707b4f46a1000b40b86ea3dd509c\",\n \"https://git.kernel.org/stable/c/3f795fb35c2d8a637efe76b4518216c9319b998c\",\n \"https://git.kernel.org/stable/c/6ad1bf47fbe5750c4d5d8e41337665e193e2c521\",\n \"https://git.kernel.org/stable/c/77ff34a56b695e228e6daf30ee30be747973d6e8\",\n \"https://git.kernel.org/stable/c/b55f0a9f865be75ca1019aad331f3225f7b50ce8\",\n \"https://git.kernel.org/stable/c/c99626092efca3061b387043d4a7399bf75fbdd5\",\n \"https://git.kernel.org/stable/c/edbd6bbe40ac524a8f2273ffacc53edf14f3c686\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthermal: core: prevent potential string overflow\\n\\nThe dev->id value comes from ida_alloc() so it's a number between zero\\nand INT_MAX. If it's too high then these sprintf()s will overflow.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52868\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52869", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52869" + }, + { + "url": "https://git.kernel.org/stable/c/1c426da79f9fc7b761021b5eb44185ba119cd44a" + }, + { + "url": "https://git.kernel.org/stable/c/379b120e4f27fd1cf636a5f85570c4d240a3f688" + }, + { + "url": "https://git.kernel.org/stable/c/63f637309baadf81a095f2653e3b807d4b5814b9" + }, + { + "url": "https://git.kernel.org/stable/c/a19d48f7c5d57c0f0405a7d4334d1d38fe9d3c1c" + }, + { + "url": "https://git.kernel.org/stable/c/ad5cb6deb41417ef41b9d6ff54f789212108606f" + }, + { + "url": "https://git.kernel.org/stable/c/bb166bdae1a7d7db30e9be7e6ccaba606debc05f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52869 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52869", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/platform: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52869\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52869\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52869\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52869\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52869\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c426da79f9fc7b761021b5eb44185ba119cd44a\",\n \"https://git.kernel.org/stable/c/379b120e4f27fd1cf636a5f85570c4d240a3f688\",\n \"https://git.kernel.org/stable/c/63f637309baadf81a095f2653e3b807d4b5814b9\",\n \"https://git.kernel.org/stable/c/a19d48f7c5d57c0f0405a7d4334d1d38fe9d3c1c\",\n \"https://git.kernel.org/stable/c/ad5cb6deb41417ef41b9d6ff54f789212108606f\",\n \"https://git.kernel.org/stable/c/bb166bdae1a7d7db30e9be7e6ccaba606debc05f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npstore/platform: Add check for kstrdup\\n\\nAdd check for the return value of kstrdup() and return the error\\nif it fails in order to avoid NULL pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52869\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52870", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52870" + }, + { + "url": "https://git.kernel.org/stable/c/10cc81124407d862f0f747db4baa9c006510b480" + }, + { + "url": "https://git.kernel.org/stable/c/2617aa8ceaf30e41d3eb7f5fef3445542bef193a" + }, + { + "url": "https://git.kernel.org/stable/c/533ca5153ad6c7b7d47ae0114b14d0333964b946" + }, + { + "url": "https://git.kernel.org/stable/c/b5ff3e89b4e7f46ad2aa0de7e08d18e6f87d71bc" + }, + { + "url": "https://git.kernel.org/stable/c/b82681042724924ae3ba0f2f2eeec217fa31e830" + }, + { + "url": "https://git.kernel.org/stable/c/dd1f30d68fa98eb672c0a259297b761656a9025f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52870 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52870", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52870\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52870\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52870\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52870\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52870\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10cc81124407d862f0f747db4baa9c006510b480\",\n \"https://git.kernel.org/stable/c/2617aa8ceaf30e41d3eb7f5fef3445542bef193a\",\n \"https://git.kernel.org/stable/c/533ca5153ad6c7b7d47ae0114b14d0333964b946\",\n \"https://git.kernel.org/stable/c/b5ff3e89b4e7f46ad2aa0de7e08d18e6f87d71bc\",\n \"https://git.kernel.org/stable/c/b82681042724924ae3ba0f2f2eeec217fa31e830\",\n \"https://git.kernel.org/stable/c/dd1f30d68fa98eb672c0a259297b761656a9025f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52870\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52871", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52871" + }, + { + "url": "https://git.kernel.org/stable/c/1143bfb9b055897975aeaea254da148e19524493" + }, + { + "url": "https://git.kernel.org/stable/c/3565684309e54fa998ea27f37028d67cc3e1dff2" + }, + { + "url": "https://git.kernel.org/stable/c/5e5b85ea0f4bc484bfe4cc73ead51fa48d2366a0" + }, + { + "url": "https://git.kernel.org/stable/c/995ee1e84e8db7fa5dcdde7dfe0bd7bb6f9bbb8c" + }, + { + "url": "https://git.kernel.org/stable/c/cc1a1dcb411fe224f48553cfdcdfe6e61395b69c" + }, + { + "url": "https://git.kernel.org/stable/c/f0ef883cae309bc5e8cdfcdbc1b4822732ce20a8" + }, + { + "url": "https://git.kernel.org/stable/c/f1a1bc8775b26345aba2be278118999e7f661d3d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52871 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52871", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: llcc: Handle a second device without data corruption\n\nUsually there is only one llcc device. But if there were a second, even\na failed probe call would modify the global drv_data pointer. So check\nif drv_data is valid before overwriting it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52871\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52871\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52871\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52871\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52871\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1143bfb9b055897975aeaea254da148e19524493\",\n \"https://git.kernel.org/stable/c/3565684309e54fa998ea27f37028d67cc3e1dff2\",\n \"https://git.kernel.org/stable/c/5e5b85ea0f4bc484bfe4cc73ead51fa48d2366a0\",\n \"https://git.kernel.org/stable/c/995ee1e84e8db7fa5dcdde7dfe0bd7bb6f9bbb8c\",\n \"https://git.kernel.org/stable/c/cc1a1dcb411fe224f48553cfdcdfe6e61395b69c\",\n \"https://git.kernel.org/stable/c/f0ef883cae309bc5e8cdfcdbc1b4822732ce20a8\",\n \"https://git.kernel.org/stable/c/f1a1bc8775b26345aba2be278118999e7f661d3d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: qcom: llcc: Handle a second device without data corruption\\n\\nUsually there is only one llcc device. But if there were a second, even\\na failed probe call would modify the global drv_data pointer. So check\\nif drv_data is valid before overwriting it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52871\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52872", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52872" + }, + { + "url": "https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890" + }, + { + "url": "https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243" + }, + { + "url": "https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444" + }, + { + "url": "https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a" + }, + { + "url": "https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52872 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52872", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix race condition in status line change on dead connections\n\ngsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all\ntimers, removing the virtual tty devices and clearing the data queues.\nThis procedure, however, may cause subsequent changes of the virtual modem\nstatus lines of a DLCI. More data is being added the outgoing data queue\nand the deleted kick timer is restarted to handle this. At this point many\nresources have already been removed by the cleanup procedure. Thus, a\nkernel panic occurs.\n\nFix this by proving in gsm_modem_update() that the cleanup procedure has\nnot been started and the mux is still alive.\n\nNote that writing to a virtual tty is already protected by checks against\nthe DLCI specific connection state.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52872\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52872\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52872\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52872\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52872\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890\",\n \"https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243\",\n \"https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444\",\n \"https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a\",\n \"https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: n_gsm: fix race condition in status line change on dead connections\\n\\ngsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all\\ntimers, removing the virtual tty devices and clearing the data queues.\\nThis procedure, however, may cause subsequent changes of the virtual modem\\nstatus lines of a DLCI. More data is being added the outgoing data queue\\nand the deleted kick timer is restarted to handle this. At this point many\\nresources have already been removed by the cleanup procedure. Thus, a\\nkernel panic occurs.\\n\\nFix this by proving in gsm_modem_update() that the cleanup procedure has\\nnot been started and the mux is still alive.\\n\\nNote that writing to a virtual tty is already protected by checks against\\nthe DLCI specific connection state.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52872\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52873", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52873" + }, + { + "url": "https://git.kernel.org/stable/c/1f57f78fbacf630430bf954e5a84caafdfea30c0" + }, + { + "url": "https://git.kernel.org/stable/c/3994387ba3564976731179c4d4a6d7850ddda71a" + }, + { + "url": "https://git.kernel.org/stable/c/a90239551abc181687f8c0ba60b276f7d75c141e" + }, + { + "url": "https://git.kernel.org/stable/c/ca6d565a2319d69d9766e6ecbb5af827fc4afb2b" + }, + { + "url": "https://git.kernel.org/stable/c/df1c4a9efa3f5b6fb5e0ae63890230dbe2190b7e" + }, + { + "url": "https://git.kernel.org/stable/c/f6a7c51cf07a399ec067d39f0a22f1817c5c7d2b" + }, + { + "url": "https://git.kernel.org/stable/c/fbe466f06d4ea18745da0d57540539b7b36936ae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52873 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52873", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52873\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52873\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52873\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52873\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52873\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1f57f78fbacf630430bf954e5a84caafdfea30c0\",\n \"https://git.kernel.org/stable/c/3994387ba3564976731179c4d4a6d7850ddda71a\",\n \"https://git.kernel.org/stable/c/a90239551abc181687f8c0ba60b276f7d75c141e\",\n \"https://git.kernel.org/stable/c/ca6d565a2319d69d9766e6ecbb5af827fc4afb2b\",\n \"https://git.kernel.org/stable/c/df1c4a9efa3f5b6fb5e0ae63890230dbe2190b7e\",\n \"https://git.kernel.org/stable/c/f6a7c51cf07a399ec067d39f0a22f1817c5c7d2b\",\n \"https://git.kernel.org/stable/c/fbe466f06d4ea18745da0d57540539b7b36936ae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52873\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52875", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52875" + }, + { + "url": "https://git.kernel.org/stable/c/001e5def774fa1a8f2b29567c0b0cd3e3a859a96" + }, + { + "url": "https://git.kernel.org/stable/c/0d6e24b422a2166a9297a8286ff2e6ab9a5e8cd3" + }, + { + "url": "https://git.kernel.org/stable/c/1953e62366da5460dc712e045f94fb0d8918999d" + }, + { + "url": "https://git.kernel.org/stable/c/1bf9c204aef4cc55ce46a7ff2d4dc7e5f86551a7" + }, + { + "url": "https://git.kernel.org/stable/c/2a18dd653284550900b02107c3c7b3ac5e0eb802" + }, + { + "url": "https://git.kernel.org/stable/c/6fccee2af400edaed9cf349d506c5971d4762739" + }, + { + "url": "https://git.kernel.org/stable/c/d1175cf4bd2b4c5f7c43f677ea1ce9ad2c18d055" + }, + { + "url": "https://git.kernel.org/stable/c/d1461f0c9ca0827c03730fe9652ebbf6316a2a95" + }, + { + "url": "https://git.kernel.org/stable/c/e61934720af4a58ffd43a63ffdd6f3a0bd7d7b47" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52875 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52875", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52875\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52875\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52875\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52875\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52875\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/001e5def774fa1a8f2b29567c0b0cd3e3a859a96\",\n \"https://git.kernel.org/stable/c/0d6e24b422a2166a9297a8286ff2e6ab9a5e8cd3\",\n \"https://git.kernel.org/stable/c/1953e62366da5460dc712e045f94fb0d8918999d\",\n \"https://git.kernel.org/stable/c/1bf9c204aef4cc55ce46a7ff2d4dc7e5f86551a7\",\n \"https://git.kernel.org/stable/c/2a18dd653284550900b02107c3c7b3ac5e0eb802\",\n \"https://git.kernel.org/stable/c/6fccee2af400edaed9cf349d506c5971d4762739\",\n \"https://git.kernel.org/stable/c/d1175cf4bd2b4c5f7c43f677ea1ce9ad2c18d055\",\n \"https://git.kernel.org/stable/c/d1461f0c9ca0827c03730fe9652ebbf6316a2a95\",\n \"https://git.kernel.org/stable/c/e61934720af4a58ffd43a63ffdd6f3a0bd7d7b47\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52875\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52876", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52876" + }, + { + "url": "https://git.kernel.org/stable/c/0884393c63cc9a1772f7121a6645ba7bd76feeb9" + }, + { + "url": "https://git.kernel.org/stable/c/1639072f6260babd017556e9f236ca2ad589d1e7" + }, + { + "url": "https://git.kernel.org/stable/c/96e9544a0c4faca616b3f9f4034dcd83a14e7f22" + }, + { + "url": "https://git.kernel.org/stable/c/a540ca0aeae83c2f3964bcb4e383f64ce2ec1783" + }, + { + "url": "https://git.kernel.org/stable/c/b20cfe007a46f8c165d42a05c50a8d3d893e6592" + }, + { + "url": "https://git.kernel.org/stable/c/c4070ada5d5155c8d4d17ea64bd246949889f25b" + }, + { + "url": "https://git.kernel.org/stable/c/cfa68e0ac5dcde43577adadf6f0f26f3b365ad68" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52876 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52876", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52876\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52876\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52876\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52876\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52876\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0884393c63cc9a1772f7121a6645ba7bd76feeb9\",\n \"https://git.kernel.org/stable/c/1639072f6260babd017556e9f236ca2ad589d1e7\",\n \"https://git.kernel.org/stable/c/96e9544a0c4faca616b3f9f4034dcd83a14e7f22\",\n \"https://git.kernel.org/stable/c/a540ca0aeae83c2f3964bcb4e383f64ce2ec1783\",\n \"https://git.kernel.org/stable/c/b20cfe007a46f8c165d42a05c50a8d3d893e6592\",\n \"https://git.kernel.org/stable/c/c4070ada5d5155c8d4d17ea64bd246949889f25b\",\n \"https://git.kernel.org/stable/c/cfa68e0ac5dcde43577adadf6f0f26f3b365ad68\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data\\n\\nAdd the check for the return value of mtk_alloc_clk_data() in order to\\navoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52876\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52877", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52877" + }, + { + "url": "https://git.kernel.org/stable/c/4987daf86c152ff882d51572d154ad12e4ff3a4b" + }, + { + "url": "https://git.kernel.org/stable/c/9ee038590d808a95d16adf92818dcd4752273c08" + }, + { + "url": "https://git.kernel.org/stable/c/b37a168c0137156042a0ca9626651b5a789e822b" + }, + { + "url": "https://git.kernel.org/stable/c/e5f53a68a596e04df3fde3099273435a30b6fdac" + }, + { + "url": "https://git.kernel.org/stable/c/e7a802447c491903aa7cb45967aa2a934a4e63fc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52877 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52877", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()\n\nIt is possible that typec_register_partner() returns ERR_PTR on failure.\nWhen port->partner is an error, a NULL pointer dereference may occur as\nshown below.\n\n[91222.095236][ T319] typec port0: failed to register partner (-17)\n...\n[91225.061491][ T319] Unable to handle kernel NULL pointer dereference\nat virtual address 000000000000039f\n[91225.274642][ T319] pc : tcpm_pd_data_request+0x310/0x13fc\n[91225.274646][ T319] lr : tcpm_pd_data_request+0x298/0x13fc\n[91225.308067][ T319] Call trace:\n[91225.308070][ T319] tcpm_pd_data_request+0x310/0x13fc\n[91225.308073][ T319] tcpm_pd_rx_handler+0x100/0x9e8\n[91225.355900][ T319] kthread_worker_fn+0x178/0x58c\n[91225.355902][ T319] kthread+0x150/0x200\n[91225.355905][ T319] ret_from_fork+0x10/0x30\n\nAdd a check for port->partner to avoid dereferencing a NULL pointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52877\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52877\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52877\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52877\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52877\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4987daf86c152ff882d51572d154ad12e4ff3a4b\",\n \"https://git.kernel.org/stable/c/9ee038590d808a95d16adf92818dcd4752273c08\",\n \"https://git.kernel.org/stable/c/b37a168c0137156042a0ca9626651b5a789e822b\",\n \"https://git.kernel.org/stable/c/e5f53a68a596e04df3fde3099273435a30b6fdac\",\n \"https://git.kernel.org/stable/c/e7a802447c491903aa7cb45967aa2a934a4e63fc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()\\n\\nIt is possible that typec_register_partner() returns ERR_PTR on failure.\\nWhen port->partner is an error, a NULL pointer dereference may occur as\\nshown below.\\n\\n[91222.095236][ T319] typec port0: failed to register partner (-17)\\n...\\n[91225.061491][ T319] Unable to handle kernel NULL pointer dereference\\nat virtual address 000000000000039f\\n[91225.274642][ T319] pc : tcpm_pd_data_request+0x310/0x13fc\\n[91225.274646][ T319] lr : tcpm_pd_data_request+0x298/0x13fc\\n[91225.308067][ T319] Call trace:\\n[91225.308070][ T319] tcpm_pd_data_request+0x310/0x13fc\\n[91225.308073][ T319] tcpm_pd_rx_handler+0x100/0x9e8\\n[91225.355900][ T319] kthread_worker_fn+0x178/0x58c\\n[91225.355902][ T319] kthread+0x150/0x200\\n[91225.355905][ T319] ret_from_fork+0x10/0x30\\n\\nAdd a check for port->partner to avoid dereferencing a NULL pointer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52877\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52878", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52878" + }, + { + "url": "https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4" + }, + { + "url": "https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc" + }, + { + "url": "https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057" + }, + { + "url": "https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444" + }, + { + "url": "https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52878 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52878", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds\n\nIf the \"struct can_priv::echoo_skb\" is accessed out of bounds, this\nwould cause a kernel crash. Instead, issue a meaningful warning\nmessage and return with an error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52878\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52878\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52878\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52878\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52878\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4\",\n \"https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc\",\n \"https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057\",\n \"https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444\",\n \"https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncan: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds\\n\\nIf the \\\"struct can_priv::echoo_skb\\\" is accessed out of bounds, this\\nwould cause a kernel crash. Instead, issue a meaningful warning\\nmessage and return with an error.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52878\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52879", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52879" + }, + { + "url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706" + }, + { + "url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976" + }, + { + "url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d" + }, + { + "url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e" + }, + { + "url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f" + }, + { + "url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4" + }, + { + "url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52879 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52879", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have trace_event_file have ref counters\n\nThe following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\n\nThe above commands:\n\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\n\nThe above causes a crash!\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\n\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\n\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\n\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52879\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52879\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52879\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52879\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52879\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706\",\n \"https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976\",\n \"https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d\",\n \"https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e\",\n \"https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f\",\n \"https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4\",\n \"https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Have trace_event_file have ref counters\\n\\nThe following can crash the kernel:\\n\\n # cd /sys/kernel/tracing\\n # echo 'p:sched schedule' > kprobe_events\\n # exec 5>>events/kprobes/sched/enable\\n # > kprobe_events\\n # exec 5>&-\\n\\nThe above commands:\\n\\n 1. Change directory to the tracefs directory\\n 2. Create a kprobe event (doesn't matter what one)\\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\\n 4. Delete the kprobe event (removes the files too)\\n 5. Close the bash file descriptor 5\\n\\nThe above causes a crash!\\n\\n BUG: kernel NULL pointer dereference, address: 0000000000000028\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 [#1] PREEMPT SMP PTI\\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\\n RIP: 0010:tracing_release_file_tr+0xc/0x50\\n\\nWhat happens here is that the kprobe event creates a trace_event_file\\n\\\"file\\\" descriptor that represents the file in tracefs to the event. It\\nmaintains state of the event (is it enabled for the given instance?).\\nOpening the \\\"enable\\\" file gets a reference to the event \\\"file\\\" descriptor\\nvia the open file descriptor. When the kprobe event is deleted, the file is\\nalso deleted from the tracefs system which also frees the event \\\"file\\\"\\ndescriptor.\\n\\nBut as the tracefs file is still opened by user space, it will not be\\ntotally removed until the final dput() is called on it. But this is not\\ntrue with the event \\\"file\\\" descriptor that is already freed. If the user\\ndoes a write to or simply closes the file descriptor it will reference the\\nevent \\\"file\\\" descriptor that was just freed, causing a use-after-free bug.\\n\\nTo solve this, add a ref count to the event \\\"file\\\" descriptor as well as a\\nnew flag called \\\"FREED\\\". The \\\"file\\\" will not be freed until the last\\nreference is released. But the FREE flag will be set when the event is\\nremoved to prevent any more modifications to that event from happening,\\neven if there's still a reference to the event \\\"file\\\" descriptor.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52879\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52880", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52880" + }, + { + "url": "https://git.kernel.org/stable/c/2b85977977cbd120591b23c2450e90a5806a7167" + }, + { + "url": "https://git.kernel.org/stable/c/2d154a54c58f9c8375bfbea9f7e51ba3bfb2e43a" + }, + { + "url": "https://git.kernel.org/stable/c/67c37756898a5a6b2941a13ae7260c89b54e0d88" + }, + { + "url": "https://git.kernel.org/stable/c/7a529c9023a197ab3bf09bb95df32a3813f7ba58" + }, + { + "url": "https://git.kernel.org/stable/c/7d303dee473ba3529d75b63491e9963342107bed" + }, + { + "url": "https://git.kernel.org/stable/c/ada28eb4b9561aab93942f3224a2e41d76fe57fa" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52880 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52880", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\n\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\nCAP_NET_ADMIN to create a GSM network anyway.\n\nRequire initial namespace CAP_NET_ADMIN to do that.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52880\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52880\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52880\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52880\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52880\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b85977977cbd120591b23c2450e90a5806a7167\",\n \"https://git.kernel.org/stable/c/2d154a54c58f9c8375bfbea9f7e51ba3bfb2e43a\",\n \"https://git.kernel.org/stable/c/67c37756898a5a6b2941a13ae7260c89b54e0d88\",\n \"https://git.kernel.org/stable/c/7a529c9023a197ab3bf09bb95df32a3813f7ba58\",\n \"https://git.kernel.org/stable/c/7d303dee473ba3529d75b63491e9963342107bed\",\n \"https://git.kernel.org/stable/c/ada28eb4b9561aab93942f3224a2e41d76fe57fa\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\\n\\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\\nCAP_NET_ADMIN to create a GSM network anyway.\\n\\nRequire initial namespace CAP_NET_ADMIN to do that.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52880\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52881", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52881" + }, + { + "url": "https://git.kernel.org/stable/c/008b807fe487e0b15a3a6c39add4eb477f73e440" + }, + { + "url": "https://git.kernel.org/stable/c/0d4e0afdd6658cd21dd5be61880411a2553fd1fc" + }, + { + "url": "https://git.kernel.org/stable/c/2087d53a66e97a5eb5d1bf558d5bef9e5f891757" + }, + { + "url": "https://git.kernel.org/stable/c/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27" + }, + { + "url": "https://git.kernel.org/stable/c/458f07ffeccd17f99942311e09ef574ddf4a414a" + }, + { + "url": "https://git.kernel.org/stable/c/69eae75ca5255e876628ac5cee9eaab31f644b57" + }, + { + "url": "https://git.kernel.org/stable/c/7ffff0cc929fdfc62a74b384c4903d6496c910f0" + }, + { + "url": "https://git.kernel.org/stable/c/b17a886ed29f3b70b78ccf632dad03e0c69e3c1a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52881 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52881", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: do not accept ACK of bytes we never sent\n\nThis patch is based on a detailed report and ideas from Yepeng Pan\nand Christian Rossow.\n\nACK seq validation is currently following RFC 5961 5.2 guidelines:\n\n The ACK value is considered acceptable only if\n it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=\n SND.NXT). All incoming segments whose ACK value doesn't satisfy the\n above condition MUST be discarded and an ACK sent back. It needs to\n be noted that RFC 793 on page 72 (fifth check) says: \"If the ACK is a\n duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK\n acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an\n ACK, drop the segment, and return\". The \"ignored\" above implies that\n the processing of the incoming data segment continues, which means\n the ACK value is treated as acceptable. This mitigation makes the\n ACK check more stringent since any ACK < SND.UNA wouldn't be\n accepted, instead only ACKs that are in the range ((SND.UNA -\n MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.\n\nThis can be refined for new (and possibly spoofed) flows,\nby not accepting ACK for bytes that were never sent.\n\nThis greatly improves TCP security at a little cost.\n\nI added a Fixes: tag to make sure this patch will reach stable trees,\neven if the 'blamed' patch was adhering to the RFC.\n\ntp->bytes_acked was added in linux-4.2\n\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\nthe issue at hand:\n\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\n+0 bind(3, ..., ...) = 0\n+0 listen(3, 1024) = 0\n\n// ---------------- Handshake ------------------- //\n\n// when window scale is set to 14 the window size can be extended to\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\n// ,though this ack number acknowledges some data never\n// sent by the server.\n\n+0 < S 0:0(0) win 65535 \n+0 > S. 0:0(0) ack 1 <...>\n+0 < . 1:1(0) ack 1 win 65535\n+0 accept(3, ..., ...) = 4\n\n// For the established connection, we send an ACK packet,\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\n// where 2^32 is used to wrap around.\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\n// edge cases.\n// 1 - 1073725300 + 2^32 = 3221241997\n\n// Oops, old kernels happily accept this packet.\n+0 < . 1:1001(1000) ack 3221241997 win 65535\n\n// After the kernel fix the following will be replaced by a challenge ACK,\n// and prior malicious frame would be dropped.\n+0 > . 1:1(0) ack 1001", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52881\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52881\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52881\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52881\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52881\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/008b807fe487e0b15a3a6c39add4eb477f73e440\",\n \"https://git.kernel.org/stable/c/0d4e0afdd6658cd21dd5be61880411a2553fd1fc\",\n \"https://git.kernel.org/stable/c/2087d53a66e97a5eb5d1bf558d5bef9e5f891757\",\n \"https://git.kernel.org/stable/c/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27\",\n \"https://git.kernel.org/stable/c/458f07ffeccd17f99942311e09ef574ddf4a414a\",\n \"https://git.kernel.org/stable/c/69eae75ca5255e876628ac5cee9eaab31f644b57\",\n \"https://git.kernel.org/stable/c/7ffff0cc929fdfc62a74b384c4903d6496c910f0\",\n \"https://git.kernel.org/stable/c/b17a886ed29f3b70b78ccf632dad03e0c69e3c1a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: do not accept ACK of bytes we never sent\\n\\nThis patch is based on a detailed report and ideas from Yepeng Pan\\nand Christian Rossow.\\n\\nACK seq validation is currently following RFC 5961 5.2 guidelines:\\n\\n The ACK value is considered acceptable only if\\n it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=\\n SND.NXT). All incoming segments whose ACK value doesn't satisfy the\\n above condition MUST be discarded and an ACK sent back. It needs to\\n be noted that RFC 793 on page 72 (fifth check) says: \\\"If the ACK is a\\n duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK\\n acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an\\n ACK, drop the segment, and return\\\". The \\\"ignored\\\" above implies that\\n the processing of the incoming data segment continues, which means\\n the ACK value is treated as acceptable. This mitigation makes the\\n ACK check more stringent since any ACK < SND.UNA wouldn't be\\n accepted, instead only ACKs that are in the range ((SND.UNA -\\n MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.\\n\\nThis can be refined for new (and possibly spoofed) flows,\\nby not accepting ACK for bytes that were never sent.\\n\\nThis greatly improves TCP security at a little cost.\\n\\nI added a Fixes: tag to make sure this patch will reach stable trees,\\neven if the 'blamed' patch was adhering to the RFC.\\n\\ntp->bytes_acked was added in linux-4.2\\n\\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\\nthe issue at hand:\\n\\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\\n+0 bind(3, ..., ...) = 0\\n+0 listen(3, 1024) = 0\\n\\n// ---------------- Handshake ------------------- //\\n\\n// when window scale is set to 14 the window size can be extended to\\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\\n// ,though this ack number acknowledges some data never\\n// sent by the server.\\n\\n+0 < S 0:0(0) win 65535 \\n+0 > S. 0:0(0) ack 1 <...>\\n+0 < . 1:1(0) ack 1 win 65535\\n+0 accept(3, ..., ...) = 4\\n\\n// For the established connection, we send an ACK packet,\\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\\n// where 2^32 is used to wrap around.\\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\\n// edge cases.\\n// 1 - 1073725300 + 2^32 = 3221241997\\n\\n// Oops, old kernels happily accept this packet.\\n+0 < . 1:1001(1000) ack 3221241997 win 65535\\n\\n// After the kernel fix the following will be replaced by a challenge ACK,\\n// and prior malicious frame would be dropped.\\n+0 > . 1:1(0) ack 1001\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52881\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52882", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52882" + }, + { + "url": "https://git.kernel.org/stable/c/0b82eb134d2942ecc669e2ab2be3f0a58d79428a" + }, + { + "url": "https://git.kernel.org/stable/c/70f64cb29014e4c4f1fabd3265feebd80590d069" + }, + { + "url": "https://git.kernel.org/stable/c/7e91ed763dc07437777bd012af7a2bd4493731ff" + }, + { + "url": "https://git.kernel.org/stable/c/9708e5081cfc4f085690294163389bcf82655f90" + }, + { + "url": "https://git.kernel.org/stable/c/bfc78b4628497eb6df09a6b5bba9dd31616ee175" + }, + { + "url": "https://git.kernel.org/stable/c/f1fa9a9816204ac4b118b2e613d3a7c981355019" + }, + { + "url": "https://git.kernel.org/stable/c/fe11826ffa200e1a7a826e745163cb2f47875f66" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52882 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52882", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\n\nWhile PLL CPUX clock rate change when CPU is running from it works in\nvast majority of cases, now and then it causes instability. This leads\nto system crashes and other undefined behaviour. After a lot of testing\n(30+ hours) while also doing a lot of frequency switches, we can't\nobserve any instability issues anymore when doing reparenting to stable\nclock like 24 MHz oscillator.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52882\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52882\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52882\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52882\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52882\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b82eb134d2942ecc669e2ab2be3f0a58d79428a\",\n \"https://git.kernel.org/stable/c/70f64cb29014e4c4f1fabd3265feebd80590d069\",\n \"https://git.kernel.org/stable/c/7e91ed763dc07437777bd012af7a2bd4493731ff\",\n \"https://git.kernel.org/stable/c/9708e5081cfc4f085690294163389bcf82655f90\",\n \"https://git.kernel.org/stable/c/bfc78b4628497eb6df09a6b5bba9dd31616ee175\",\n \"https://git.kernel.org/stable/c/f1fa9a9816204ac4b118b2e613d3a7c981355019\",\n \"https://git.kernel.org/stable/c/fe11826ffa200e1a7a826e745163cb2f47875f66\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\\n\\nWhile PLL CPUX clock rate change when CPU is running from it works in\\nvast majority of cases, now and then it causes instability. This leads\\nto system crashes and other undefined behaviour. After a lot of testing\\n(30+ hours) while also doing a lot of frequency switches, we can't\\nobserve any instability issues anymore when doing reparenting to stable\\nclock like 24 MHz oscillator.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52882\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52884", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52884" + }, + { + "url": "https://git.kernel.org/stable/c/7b4e0b39182cf5e677c1fc092a3ec40e621c25b6" + }, + { + "url": "https://git.kernel.org/stable/c/9400caf566f65c703e99d95f87b00c4b445627a7" + }, + { + "url": "https://git.kernel.org/stable/c/a4c638ab25786bd5aab5978fe51b2b9be16a4ebd" + }, + { + "url": "https://git.kernel.org/stable/c/a5fc298fa8f67cf1f0e1fc126eab70578cd40adc" + }, + { + "url": "https://git.kernel.org/stable/c/f99809fdeb50d65bcbc1661ef391af94eebb8a75" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52884 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52884", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cyapa - add missing input core locking to suspend/resume functions\n\nGrab input->mutex during suspend/resume functions like it is done in\nother input drivers. This fixes the following warning during system\nsuspend/resume cycle on Samsung Exynos5250-based Snow Chromebook:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---\n...\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52884\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52884\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52884\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52884\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52884\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7b4e0b39182cf5e677c1fc092a3ec40e621c25b6\",\n \"https://git.kernel.org/stable/c/9400caf566f65c703e99d95f87b00c4b445627a7\",\n \"https://git.kernel.org/stable/c/a4c638ab25786bd5aab5978fe51b2b9be16a4ebd\",\n \"https://git.kernel.org/stable/c/a5fc298fa8f67cf1f0e1fc126eab70578cd40adc\",\n \"https://git.kernel.org/stable/c/f99809fdeb50d65bcbc1661ef391af94eebb8a75\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nInput: cyapa - add missing input core locking to suspend/resume functions\\n\\nGrab input->mutex during suspend/resume functions like it is done in\\nother input drivers. This fixes the following warning during system\\nsuspend/resume cycle on Samsung Exynos5250-based Snow Chromebook:\\n\\n------------[ cut here ]------------\\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\\nModules linked in: ...\\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\\nHardware name: Samsung Exynos (Flattened Device Tree)\\nWorkqueue: events_unbound async_run_entry_fn\\n unwind_backtrace from show_stack+0x10/0x14\\n show_stack from dump_stack_lvl+0x58/0x70\\n dump_stack_lvl from __warn+0x1a8/0x1cc\\n __warn from warn_slowpath_fmt+0x18c/0x1b4\\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\\n cyapa_reinitialize from cyapa_resume+0x48/0x98\\n cyapa_resume from dpm_run_callback+0x90/0x298\\n dpm_run_callback from device_resume+0xb4/0x258\\n device_resume from async_resume+0x20/0x64\\n async_resume from async_run_entry_fn+0x40/0x15c\\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\\n process_scheduled_works from worker_thread+0x188/0x454\\n worker_thread from kthread+0x108/0x140\\n kthread from ret_from_fork+0x14/0x28\\nException stack(0xf1625fb0 to 0xf1625ff8)\\n...\\n---[ end trace 0000000000000000 ]---\\n...\\n------------[ cut here ]------------\\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\\nModules linked in: ...\\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\\nHardware name: Samsung Exynos (Flattened Device Tree)\\nWorkqueue: events_unbound async_run_entry_fn\\n unwind_backtrace from show_stack+0x10/0x14\\n show_stack from dump_stack_lvl+0x58/0x70\\n dump_stack_lvl from __warn+0x1a8/0x1cc\\n __warn from warn_slowpath_fmt+0x18c/0x1b4\\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\\n cyapa_reinitialize from cyapa_resume+0x48/0x98\\n cyapa_resume from dpm_run_callback+0x90/0x298\\n dpm_run_callback from device_resume+0xb4/0x258\\n device_resume from async_resume+0x20/0x64\\n async_resume from async_run_entry_fn+0x40/0x15c\\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\\n process_scheduled_works from worker_thread+0x188/0x454\\n worker_thread from kthread+0x108/0x140\\n kthread from ret_from_fork+0x14/0x28\\nException stack(0xf1625fb0 to 0xf1625ff8)\\n...\\n---[ end trace 0000000000000000 ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52884\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52885", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52885" + }, + { + "url": "https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b" + }, + { + "url": "https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f" + }, + { + "url": "https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428" + }, + { + "url": "https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065" + }, + { + "url": "https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254" + }, + { + "url": "https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e" + }, + { + "url": "https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee" + }, + { + "url": "https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52885 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52885", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix UAF in svc_tcp_listen_data_ready()\n\nAfter the listener svc_sock is freed, and before invoking svc_tcp_accept()\nfor the established child sock, there is a window that the newsock\nretaining a freed listener svc_sock in sk_user_data which cloning from\nparent. In the race window, if data is received on the newsock, we will\nobserve use-after-free report in svc_tcp_listen_data_ready().\n\nReproduce by two tasks:\n\n1. while :; do rpc.nfsd 0 ; rpc.nfsd; done\n2. while :; do echo \"\" | ncat -4 127.0.0.1 2049 ; done\n\nKASAN report:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n Read of size 8 at addr ffff888139d96228 by task nc/102553\n CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n Call Trace:\n \n dump_stack_lvl+0x33/0x50\n print_address_description.constprop.0+0x27/0x310\n print_report+0x3e/0x70\n kasan_report+0xae/0xe0\n svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n tcp_data_queue+0x9f4/0x20e0\n tcp_rcv_established+0x666/0x1f60\n tcp_v4_do_rcv+0x51c/0x850\n tcp_v4_rcv+0x23fc/0x2e80\n ip_protocol_deliver_rcu+0x62/0x300\n ip_local_deliver_finish+0x267/0x350\n ip_local_deliver+0x18b/0x2d0\n ip_rcv+0x2fb/0x370\n __netif_receive_skb_one_core+0x166/0x1b0\n process_backlog+0x24c/0x5e0\n __napi_poll+0xa2/0x500\n net_rx_action+0x854/0xc90\n __do_softirq+0x1bb/0x5de\n do_softirq+0xcb/0x100\n \n \n ...\n \n\n Allocated by task 102371:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_kmalloc+0x7b/0x90\n svc_setup_socket+0x52/0x4f0 [sunrpc]\n svc_addsock+0x20d/0x400 [sunrpc]\n __write_ports_addfd+0x209/0x390 [nfsd]\n write_ports+0x239/0x2c0 [nfsd]\n nfsctl_transaction_write+0xac/0x110 [nfsd]\n vfs_write+0x1c3/0xae0\n ksys_write+0xed/0x1c0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\n Freed by task 102551:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x50\n __kasan_slab_free+0x106/0x190\n __kmem_cache_free+0x133/0x270\n svc_xprt_free+0x1e2/0x350 [sunrpc]\n svc_xprt_destroy_all+0x25a/0x440 [sunrpc]\n nfsd_put+0x125/0x240 [nfsd]\n nfsd_svc+0x2cb/0x3c0 [nfsd]\n write_threads+0x1ac/0x2a0 [nfsd]\n nfsctl_transaction_write+0xac/0x110 [nfsd]\n vfs_write+0x1c3/0xae0\n ksys_write+0xed/0x1c0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nFix the UAF by simply doing nothing in svc_tcp_listen_data_ready()\nif state != TCP_LISTEN, that will avoid dereferencing svsk for all\nchild socket.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52885\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52885\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52885\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52885\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52885\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b\",\n \"https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f\",\n \"https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428\",\n \"https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065\",\n \"https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254\",\n \"https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e\",\n \"https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee\",\n \"https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSUNRPC: Fix UAF in svc_tcp_listen_data_ready()\\n\\nAfter the listener svc_sock is freed, and before invoking svc_tcp_accept()\\nfor the established child sock, there is a window that the newsock\\nretaining a freed listener svc_sock in sk_user_data which cloning from\\nparent. In the race window, if data is received on the newsock, we will\\nobserve use-after-free report in svc_tcp_listen_data_ready().\\n\\nReproduce by two tasks:\\n\\n1. while :; do rpc.nfsd 0 ; rpc.nfsd; done\\n2. while :; do echo \\\"\\\" | ncat -4 127.0.0.1 2049 ; done\\n\\nKASAN report:\\n\\n ==================================================================\\n BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\\n Read of size 8 at addr ffff888139d96228 by task nc/102553\\n CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18\\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\\n Call Trace:\\n \\n dump_stack_lvl+0x33/0x50\\n print_address_description.constprop.0+0x27/0x310\\n print_report+0x3e/0x70\\n kasan_report+0xae/0xe0\\n svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\\n tcp_data_queue+0x9f4/0x20e0\\n tcp_rcv_established+0x666/0x1f60\\n tcp_v4_do_rcv+0x51c/0x850\\n tcp_v4_rcv+0x23fc/0x2e80\\n ip_protocol_deliver_rcu+0x62/0x300\\n ip_local_deliver_finish+0x267/0x350\\n ip_local_deliver+0x18b/0x2d0\\n ip_rcv+0x2fb/0x370\\n __netif_receive_skb_one_core+0x166/0x1b0\\n process_backlog+0x24c/0x5e0\\n __napi_poll+0xa2/0x500\\n net_rx_action+0x854/0xc90\\n __do_softirq+0x1bb/0x5de\\n do_softirq+0xcb/0x100\\n \\n \\n ...\\n \\n\\n Allocated by task 102371:\\n kasan_save_stack+0x1e/0x40\\n kasan_set_track+0x21/0x30\\n __kasan_kmalloc+0x7b/0x90\\n svc_setup_socket+0x52/0x4f0 [sunrpc]\\n svc_addsock+0x20d/0x400 [sunrpc]\\n __write_ports_addfd+0x209/0x390 [nfsd]\\n write_ports+0x239/0x2c0 [nfsd]\\n nfsctl_transaction_write+0xac/0x110 [nfsd]\\n vfs_write+0x1c3/0xae0\\n ksys_write+0xed/0x1c0\\n do_syscall_64+0x38/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\n\\n Freed by task 102551:\\n kasan_save_stack+0x1e/0x40\\n kasan_set_track+0x21/0x30\\n kasan_save_free_info+0x2a/0x50\\n __kasan_slab_free+0x106/0x190\\n __kmem_cache_free+0x133/0x270\\n svc_xprt_free+0x1e2/0x350 [sunrpc]\\n svc_xprt_destroy_all+0x25a/0x440 [sunrpc]\\n nfsd_put+0x125/0x240 [nfsd]\\n nfsd_svc+0x2cb/0x3c0 [nfsd]\\n write_threads+0x1ac/0x2a0 [nfsd]\\n nfsctl_transaction_write+0xac/0x110 [nfsd]\\n vfs_write+0x1c3/0xae0\\n ksys_write+0xed/0x1c0\\n do_syscall_64+0x38/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\n\\nFix the UAF by simply doing nothing in svc_tcp_listen_data_ready()\\nif state != TCP_LISTEN, that will avoid dereferencing svsk for all\\nchild socket.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52885\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52886", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52886" + }, + { + "url": "https://git.kernel.org/stable/c/7fe9d87996062f5eb0ca476ad0257f79bf43aaf5" + }, + { + "url": "https://git.kernel.org/stable/c/8186596a663506b1124bede9fde6f243ef9f37ee" + }, + { + "url": "https://git.kernel.org/stable/c/9d241c5d9a9b7ad95c90c6520272fe404d5ac88f" + }, + { + "url": "https://git.kernel.org/stable/c/b4a074b1fb222164ed7d5c0b8c922dc4a0840848" + }, + { + "url": "https://git.kernel.org/stable/c/b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5" + }, + { + "url": "https://git.kernel.org/stable/c/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52886 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52886", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix race by not overwriting udev->descriptor in hub_port_init()\n\nSyzbot reported an out-of-bounds read in sysfs.c:read_descriptors():\n\nBUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\nRead of size 8 at addr ffff88801e78b8c8 by task udevd/5011\n\nCPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\n print_report mm/kasan/report.c:462 [inline]\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\n read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\n...\nAllocated by task 758:\n...\n __do_kmalloc_node mm/slab_common.c:966 [inline]\n __kmalloc+0x5e/0x190 mm/slab_common.c:979\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:680 [inline]\n usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887\n usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]\n usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545\n\nAs analyzed by Khazhy Kumykov, the cause of this bug is a race between\nread_descriptors() and hub_port_init(): The first routine uses a field\nin udev->descriptor, not expecting it to change, while the second\noverwrites it.\n\nPrior to commit 45bf39f8df7f (\"USB: core: Don't hold device lock while\nreading the \"descriptors\" sysfs file\") this race couldn't occur,\nbecause the routines were mutually exclusive thanks to the device\nlocking. Removing that locking from read_descriptors() exposed it to\nthe race.\n\nThe best way to fix the bug is to keep hub_port_init() from changing\nudev->descriptor once udev has been initialized and registered.\nDrivers expect the descriptors stored in the kernel to be immutable;\nwe should not undermine this expectation. In fact, this change should\nhave been made long ago.\n\nSo now hub_port_init() will take an additional argument, specifying a\nbuffer in which to store the device descriptor it reads. (If udev has\nnot yet been initialized, the buffer pointer will be NULL and then\nhub_port_init() will store the device descriptor in udev as before.)\nThis eliminates the data race responsible for the out-of-bounds read.\n\nThe changes to hub_port_init() appear more extensive than they really\nare, because of indentation changes resulting from an attempt to avoid\nwriting to other parts of the usb_device structure after it has been\ninitialized. Similar changes should be made to the code that reads\nthe BOS descriptor, but that can be handled in a separate patch later\non. This patch is sufficient to fix the bug found by syzbot.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52886\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52886\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52886\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52886\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52886\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7fe9d87996062f5eb0ca476ad0257f79bf43aaf5\",\n \"https://git.kernel.org/stable/c/8186596a663506b1124bede9fde6f243ef9f37ee\",\n \"https://git.kernel.org/stable/c/9d241c5d9a9b7ad95c90c6520272fe404d5ac88f\",\n \"https://git.kernel.org/stable/c/b4a074b1fb222164ed7d5c0b8c922dc4a0840848\",\n \"https://git.kernel.org/stable/c/b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5\",\n \"https://git.kernel.org/stable/c/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: core: Fix race by not overwriting udev->descriptor in hub_port_init()\\n\\nSyzbot reported an out-of-bounds read in sysfs.c:read_descriptors():\\n\\nBUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\\nRead of size 8 at addr ffff88801e78b8c8 by task udevd/5011\\n\\nCPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\\n print_report mm/kasan/report.c:462 [inline]\\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\\n read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\\n...\\nAllocated by task 758:\\n...\\n __do_kmalloc_node mm/slab_common.c:966 [inline]\\n __kmalloc+0x5e/0x190 mm/slab_common.c:979\\n kmalloc include/linux/slab.h:563 [inline]\\n kzalloc include/linux/slab.h:680 [inline]\\n usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887\\n usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]\\n usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545\\n\\nAs analyzed by Khazhy Kumykov, the cause of this bug is a race between\\nread_descriptors() and hub_port_init(): The first routine uses a field\\nin udev->descriptor, not expecting it to change, while the second\\noverwrites it.\\n\\nPrior to commit 45bf39f8df7f (\\\"USB: core: Don't hold device lock while\\nreading the \\\"descriptors\\\" sysfs file\\\") this race couldn't occur,\\nbecause the routines were mutually exclusive thanks to the device\\nlocking. Removing that locking from read_descriptors() exposed it to\\nthe race.\\n\\nThe best way to fix the bug is to keep hub_port_init() from changing\\nudev->descriptor once udev has been initialized and registered.\\nDrivers expect the descriptors stored in the kernel to be immutable;\\nwe should not undermine this expectation. In fact, this change should\\nhave been made long ago.\\n\\nSo now hub_port_init() will take an additional argument, specifying a\\nbuffer in which to store the device descriptor it reads. (If udev has\\nnot yet been initialized, the buffer pointer will be NULL and then\\nhub_port_init() will store the device descriptor in udev as before.)\\nThis eliminates the data race responsible for the out-of-bounds read.\\n\\nThe changes to hub_port_init() appear more extensive than they really\\nare, because of indentation changes resulting from an attempt to avoid\\nwriting to other parts of the usb_device structure after it has been\\ninitialized. Similar changes should be made to the code that reads\\nthe BOS descriptor, but that can be handled in a separate patch later\\non. This patch is sufficient to fix the bug found by syzbot.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52886\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52887", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52887" + }, + { + "url": "https://git.kernel.org/stable/c/0bc0a7416ea73f79f915c9a05ac0858dff65cfed" + }, + { + "url": "https://git.kernel.org/stable/c/1762ca80c2b72dd1b5821c5e347713ae696276ea" + }, + { + "url": "https://git.kernel.org/stable/c/177e33b655d35d72866b50aec84307119dc5f3d4" + }, + { + "url": "https://git.kernel.org/stable/c/26b18dd30e63d4fd777be429148e8e4ed66f60b2" + }, + { + "url": "https://git.kernel.org/stable/c/d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb" + }, + { + "url": "https://git.kernel.org/stable/c/ed581989d7ea9df6f8646beba2341e32cd49a1f9" + }, + { + "url": "https://git.kernel.org/stable/c/f6c839e717901dbd6b1c1ca807b6210222eb70f6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52887 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52887", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new\n\nThis patch enhances error handling in scenarios with RTS (Request to\nSend) messages arriving closely. It replaces the less informative WARN_ON_ONCE\nbacktraces with a new error handling method. This provides clearer error\nmessages and allows for the early termination of problematic sessions.\nPreviously, sessions were only released at the end of j1939_xtp_rx_rts().\n\nPotentially this could be reproduced with something like:\ntestj1939 -r vcan0:0x80 &\nwhile true; do\n\t# send first RTS\n\tcansend vcan0 18EC8090#1014000303002301;\n\t# send second RTS\n\tcansend vcan0 18EC8090#1014000303002301;\n\t# send abort\n\tcansend vcan0 18EC8090#ff00000000002301;\ndone", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52887\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52887\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52887\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52887\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52887\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0bc0a7416ea73f79f915c9a05ac0858dff65cfed\",\n \"https://git.kernel.org/stable/c/1762ca80c2b72dd1b5821c5e347713ae696276ea\",\n \"https://git.kernel.org/stable/c/177e33b655d35d72866b50aec84307119dc5f3d4\",\n \"https://git.kernel.org/stable/c/26b18dd30e63d4fd777be429148e8e4ed66f60b2\",\n \"https://git.kernel.org/stable/c/d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb\",\n \"https://git.kernel.org/stable/c/ed581989d7ea9df6f8646beba2341e32cd49a1f9\",\n \"https://git.kernel.org/stable/c/f6c839e717901dbd6b1c1ca807b6210222eb70f6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new\\n\\nThis patch enhances error handling in scenarios with RTS (Request to\\nSend) messages arriving closely. It replaces the less informative WARN_ON_ONCE\\nbacktraces with a new error handling method. This provides clearer error\\nmessages and allows for the early termination of problematic sessions.\\nPreviously, sessions were only released at the end of j1939_xtp_rx_rts().\\n\\nPotentially this could be reproduced with something like:\\ntestj1939 -r vcan0:0x80 &\\nwhile true; do\\n\\t# send first RTS\\n\\tcansend vcan0 18EC8090#1014000303002301;\\n\\t# send second RTS\\n\\tcansend vcan0 18EC8090#1014000303002301;\\n\\t# send abort\\n\\tcansend vcan0 18EC8090#ff00000000002301;\\ndone\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52887\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52888", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52888" + }, + { + "url": "https://git.kernel.org/stable/c/303d01082edaf817ee2df53a40dca9da637a2c04" + }, + { + "url": "https://git.kernel.org/stable/c/5c217253c76c94f76d1df31d0bbdcb88dc07be91" + }, + { + "url": "https://git.kernel.org/stable/c/eb005c801ec70ff4307727bd3bd6e8280169ef32" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52888 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52888", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Only free buffer VA that is not NULL\n\nIn the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly\ncalled only when the buffer to free exists, there are some instances\nthat didn't do the check and triggered warnings in practice.\n\nWe believe those checks were forgotten unintentionally. Add the checks\nback to fix the warnings.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52888\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52888\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52888\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52888\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52888\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/303d01082edaf817ee2df53a40dca9da637a2c04\",\n \"https://git.kernel.org/stable/c/5c217253c76c94f76d1df31d0bbdcb88dc07be91\",\n \"https://git.kernel.org/stable/c/eb005c801ec70ff4307727bd3bd6e8280169ef32\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: mediatek: vcodec: Only free buffer VA that is not NULL\\n\\nIn the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly\\ncalled only when the buffer to free exists, there are some instances\\nthat didn't do the check and triggered warnings in practice.\\n\\nWe believe those checks were forgotten unintentionally. Add the checks\\nback to fix the warnings.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52888\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52889", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52889" + }, + { + "url": "https://git.kernel.org/stable/c/0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1" + }, + { + "url": "https://git.kernel.org/stable/c/290a6b88e8c19b6636ed1acc733d1458206f7697" + }, + { + "url": "https://git.kernel.org/stable/c/347dcb84a4874b5fb375092c08d8cc4069b94f81" + }, + { + "url": "https://git.kernel.org/stable/c/46c17ead5b7389e22e7dc9903fd0ba865d05bda2" + }, + { + "url": "https://git.kernel.org/stable/c/6c920754f62cefc63fccdc38a062c7c3452e2961" + }, + { + "url": "https://git.kernel.org/stable/c/ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2" + }, + { + "url": "https://git.kernel.org/stable/c/fce09ea314505a52f2436397608fa0a5d0934fb1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52889 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52889", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix null pointer deref when receiving skb during sock creation\n\nThe panic below is observed when receiving ICMP packets with secmark set\nwhile an ICMP raw socket is being created. SK_CTX(sk)->label is updated\nin apparmor_socket_post_create(), but the packet is delivered to the\nsocket before that, causing the null pointer dereference.\nDrop the packet if label context is not set.\n\n BUG: kernel NULL pointer dereference, address: 000000000000004c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020\n RIP: 0010:aa_label_next_confined+0xb/0x40\n Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2\n RSP: 0018:ffffa92940003b08 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e\n RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002\n R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000\n FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0\n PKRU: 55555554\n Call Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? aa_label_next_confined+0xb/0x40\n apparmor_secmark_check+0xec/0x330\n security_sock_rcv_skb+0x35/0x50\n sk_filter_trim_cap+0x47/0x250\n sock_queue_rcv_skb_reason+0x20/0x60\n raw_rcv+0x13c/0x210\n raw_local_deliver+0x1f3/0x250\n ip_protocol_deliver_rcu+0x4f/0x2f0\n ip_local_deliver_finish+0x76/0xa0\n __netif_receive_skb_one_core+0x89/0xa0\n netif_receive_skb+0x119/0x170\n ? __netdev_alloc_skb+0x3d/0x140\n vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n __napi_poll+0x28/0x1b0\n net_rx_action+0x2a4/0x380\n __do_softirq+0xd1/0x2c8\n __irq_exit_rcu+0xbb/0xf0\n common_interrupt+0x86/0xa0\n \n \n asm_common_interrupt+0x26/0x40\n RIP: 0010:apparmor_socket_post_create+0xb/0x200\n Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48\n RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286\n RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001\n RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740\n RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003\n R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748\n ? __pfx_apparmor_socket_post_create+0x10/0x10\n security_socket_post_create+0x4b/0x80\n __sock_create+0x176/0x1f0\n __sys_socket+0x89/0x100\n __x64_sys_socket+0x17/0x20\n do_syscall_64+0x5d/0x90\n ? do_syscall_64+0x6c/0x90\n ? do_syscall_64+0x6c/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52889\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52889\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52889\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52889\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52889\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1\",\n \"https://git.kernel.org/stable/c/290a6b88e8c19b6636ed1acc733d1458206f7697\",\n \"https://git.kernel.org/stable/c/347dcb84a4874b5fb375092c08d8cc4069b94f81\",\n \"https://git.kernel.org/stable/c/46c17ead5b7389e22e7dc9903fd0ba865d05bda2\",\n \"https://git.kernel.org/stable/c/6c920754f62cefc63fccdc38a062c7c3452e2961\",\n \"https://git.kernel.org/stable/c/ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2\",\n \"https://git.kernel.org/stable/c/fce09ea314505a52f2436397608fa0a5d0934fb1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\napparmor: Fix null pointer deref when receiving skb during sock creation\\n\\nThe panic below is observed when receiving ICMP packets with secmark set\\nwhile an ICMP raw socket is being created. SK_CTX(sk)->label is updated\\nin apparmor_socket_post_create(), but the packet is delivered to the\\nsocket before that, causing the null pointer dereference.\\nDrop the packet if label context is not set.\\n\\n BUG: kernel NULL pointer dereference, address: 000000000000004c\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 [#1] PREEMPT SMP NOPTI\\n CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df\\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020\\n RIP: 0010:aa_label_next_confined+0xb/0x40\\n Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2\\n RSP: 0018:ffffa92940003b08 EFLAGS: 00010246\\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e\\n RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000\\n RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002\\n R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400\\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000\\n FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0\\n PKRU: 55555554\\n Call Trace:\\n \\n ? __die+0x23/0x70\\n ? page_fault_oops+0x171/0x4e0\\n ? exc_page_fault+0x7f/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? aa_label_next_confined+0xb/0x40\\n apparmor_secmark_check+0xec/0x330\\n security_sock_rcv_skb+0x35/0x50\\n sk_filter_trim_cap+0x47/0x250\\n sock_queue_rcv_skb_reason+0x20/0x60\\n raw_rcv+0x13c/0x210\\n raw_local_deliver+0x1f3/0x250\\n ip_protocol_deliver_rcu+0x4f/0x2f0\\n ip_local_deliver_finish+0x76/0xa0\\n __netif_receive_skb_one_core+0x89/0xa0\\n netif_receive_skb+0x119/0x170\\n ? __netdev_alloc_skb+0x3d/0x140\\n vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\\n vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\\n __napi_poll+0x28/0x1b0\\n net_rx_action+0x2a4/0x380\\n __do_softirq+0xd1/0x2c8\\n __irq_exit_rcu+0xbb/0xf0\\n common_interrupt+0x86/0xa0\\n \\n \\n asm_common_interrupt+0x26/0x40\\n RIP: 0010:apparmor_socket_post_create+0xb/0x200\\n Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48\\n RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286\\n RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001\\n RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740\\n RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\\n R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003\\n R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748\\n ? __pfx_apparmor_socket_post_create+0x10/0x10\\n security_socket_post_create+0x4b/0x80\\n __sock_create+0x176/0x1f0\\n __sys_socket+0x89/0x100\\n __x64_sys_socket+0x17/0x20\\n do_syscall_64+0x5d/0x90\\n ? do_syscall_64+0x6c/0x90\\n ? do_syscall_64+0x6c/0x90\\n ? do_syscall_64+0x6c/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52889\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52893" + }, + { + "url": "https://git.kernel.org/stable/c/32313c11bdc8a02c577abaf865be3664ab30410a" + }, + { + "url": "https://git.kernel.org/stable/c/6646d769fdb0ce4318ef9afd127f8526d1ca8393" + }, + { + "url": "https://git.kernel.org/stable/c/a769b05eeed7accc4019a1ed9799dd72067f1ce8" + }, + { + "url": "https://git.kernel.org/stable/c/ae2a9dcc8caa60b1e14671294e5ec902ea5d1dfd" + }, + { + "url": "https://git.kernel.org/stable/c/eb0421d90f916dffe96b4c049ddf01c0c50620d2" + }, + { + "url": "https://git.kernel.org/stable/c/ee5763ef829bd923033510de6d1df7c73f085e4b" + }, + { + "url": "https://git.kernel.org/stable/c/ffef77794fb5f1245c3249b86342bad2299accb5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngsmi: fix null-deref in gsmi_get_variable\n\nWe can get EFI variables without fetching the attribute, so we must\nallow for that in gsmi.\n\ncommit 859748255b43 (\"efi: pstore: Omit efivars caching EFI varstore\naccess layer\") added a new get_variable call with attr=NULL, which\ntriggers panic in gsmi.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32313c11bdc8a02c577abaf865be3664ab30410a\",\n \"https://git.kernel.org/stable/c/6646d769fdb0ce4318ef9afd127f8526d1ca8393\",\n \"https://git.kernel.org/stable/c/a769b05eeed7accc4019a1ed9799dd72067f1ce8\",\n \"https://git.kernel.org/stable/c/ae2a9dcc8caa60b1e14671294e5ec902ea5d1dfd\",\n \"https://git.kernel.org/stable/c/eb0421d90f916dffe96b4c049ddf01c0c50620d2\",\n \"https://git.kernel.org/stable/c/ee5763ef829bd923033510de6d1df7c73f085e4b\",\n \"https://git.kernel.org/stable/c/ffef77794fb5f1245c3249b86342bad2299accb5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngsmi: fix null-deref in gsmi_get_variable\\n\\nWe can get EFI variables without fetching the attribute, so we must\\nallow for that in gsmi.\\n\\ncommit 859748255b43 (\\\"efi: pstore: Omit efivars caching EFI varstore\\naccess layer\\\") added a new get_variable call with attr=NULL, which\\ntriggers panic in gsmi.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52894", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52894" + }, + { + "url": "https://git.kernel.org/stable/c/09e4507ec8ef2d44da6ba4092b8ee2d81f216497" + }, + { + "url": "https://git.kernel.org/stable/c/63d161f29cd39c050e8873aa36e0c9fc013bb763" + }, + { + "url": "https://git.kernel.org/stable/c/a21da7f7aae618c785f7e4a275d43c06dc8412b6" + }, + { + "url": "https://git.kernel.org/stable/c/a69c8dfb85b44be9cc223be07d35cc3a9baefbea" + }, + { + "url": "https://git.kernel.org/stable/c/c6ec929595c7443250b2a4faea988c62019d5cd2" + }, + { + "url": "https://git.kernel.org/stable/c/e92c70059178da751e5af7de02384b7dfadb5ec7" + }, + { + "url": "https://git.kernel.org/stable/c/fef6b29671b66dfb71f17e337c1ad14b5a2cedae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52894 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52894", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()\n\nIn Google internal bug 265639009 we've received an (as yet) unreproducible\ncrash report from an aarch64 GKI 5.10.149-android13 running device.\n\nAFAICT the source code is at:\n https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10\n\nThe call stack is:\n ncm_close() -> ncm_notify() -> ncm_do_notify()\nwith the crash at:\n ncm_do_notify+0x98/0x270\nCode: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)\n\nWhich I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):\n\n // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)\n 0B 0D 00 79 strh w11, [x8, #6]\n\n // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)\n 6C 0A 00 B9 str w12, [x19, #8]\n\n // x10 (NULL) was read here from offset 0 of valid pointer x9\n // IMHO we're reading 'cdev->gadget' and getting NULL\n // gadget is indeed at offset 0 of struct usb_composite_dev\n 2A 01 40 F9 ldr x10, [x9]\n\n // loading req->buf pointer, which is at offset 0 of struct usb_request\n 69 02 40 F9 ldr x9, [x19]\n\n // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed\n 4B 5D 40 B9 ldr w11, [x10, #0x5c]\n\nwhich seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:\n\n event->wLength = cpu_to_le16(8);\n req->length = NCM_STATUS_BYTECOUNT;\n\n /* SPEED_CHANGE data is up/down speeds in bits/sec */\n data = req->buf + sizeof *event;\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\n\nMy analysis of registers and NULL ptr deref crash offset\n (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)\nheavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\nwhich calls:\n ncm_bitrate(NULL)\nwhich then calls:\n gadget_is_superspeed(NULL)\nwhich reads\n ((struct usb_gadget *)NULL)->max_speed\nand hits a panic.\n\nAFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.\n(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)\n\nIt's not at all clear to me how this is all supposed to work...\nbut returning 0 seems much better than panic-ing...", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52894\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52894\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52894\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52894\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52894\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09e4507ec8ef2d44da6ba4092b8ee2d81f216497\",\n \"https://git.kernel.org/stable/c/63d161f29cd39c050e8873aa36e0c9fc013bb763\",\n \"https://git.kernel.org/stable/c/a21da7f7aae618c785f7e4a275d43c06dc8412b6\",\n \"https://git.kernel.org/stable/c/a69c8dfb85b44be9cc223be07d35cc3a9baefbea\",\n \"https://git.kernel.org/stable/c/c6ec929595c7443250b2a4faea988c62019d5cd2\",\n \"https://git.kernel.org/stable/c/e92c70059178da751e5af7de02384b7dfadb5ec7\",\n \"https://git.kernel.org/stable/c/fef6b29671b66dfb71f17e337c1ad14b5a2cedae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()\\n\\nIn Google internal bug 265639009 we've received an (as yet) unreproducible\\ncrash report from an aarch64 GKI 5.10.149-android13 running device.\\n\\nAFAICT the source code is at:\\n https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10\\n\\nThe call stack is:\\n ncm_close() -> ncm_notify() -> ncm_do_notify()\\nwith the crash at:\\n ncm_do_notify+0x98/0x270\\nCode: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)\\n\\nWhich I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):\\n\\n // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)\\n 0B 0D 00 79 strh w11, [x8, #6]\\n\\n // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)\\n 6C 0A 00 B9 str w12, [x19, #8]\\n\\n // x10 (NULL) was read here from offset 0 of valid pointer x9\\n // IMHO we're reading 'cdev->gadget' and getting NULL\\n // gadget is indeed at offset 0 of struct usb_composite_dev\\n 2A 01 40 F9 ldr x10, [x9]\\n\\n // loading req->buf pointer, which is at offset 0 of struct usb_request\\n 69 02 40 F9 ldr x9, [x19]\\n\\n // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed\\n 4B 5D 40 B9 ldr w11, [x10, #0x5c]\\n\\nwhich seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:\\n\\n event->wLength = cpu_to_le16(8);\\n req->length = NCM_STATUS_BYTECOUNT;\\n\\n /* SPEED_CHANGE data is up/down speeds in bits/sec */\\n data = req->buf + sizeof *event;\\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\\n\\nMy analysis of registers and NULL ptr deref crash offset\\n (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)\\nheavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:\\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\\nwhich calls:\\n ncm_bitrate(NULL)\\nwhich then calls:\\n gadget_is_superspeed(NULL)\\nwhich reads\\n ((struct usb_gadget *)NULL)->max_speed\\nand hits a panic.\\n\\nAFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.\\n(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)\\n\\nIt's not at all clear to me how this is all supposed to work...\\nbut returning 0 seems much better than panic-ing...\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52894\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52896", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52896" + }, + { + "url": "https://git.kernel.org/stable/c/1004fc90f0d79a4b7d9e3d432729914f472f9ad1" + }, + { + "url": "https://git.kernel.org/stable/c/3bd43374857103ba3cac751d6d4afa8d83b5d92a" + }, + { + "url": "https://git.kernel.org/stable/c/64287cd456a22373053998c1fccf14b651e9cbbd" + }, + { + "url": "https://git.kernel.org/stable/c/89ac597e3e807b91e2ebd6a7c36fec7b97290233" + }, + { + "url": "https://git.kernel.org/stable/c/b7adbf9ada3513d2092362c8eac5cddc5b651f5c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52896 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52896", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between quota rescan and disable leading to NULL pointer deref\n\nIf we have one task trying to start the quota rescan worker while another\none is trying to disable quotas, we can end up hitting a race that results\nin the quota rescan worker doing a NULL pointer dereference. The steps for\nthis are the following:\n\n1) Quotas are enabled;\n\n2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().\n It calls qgroup_rescan_init() which returns 0 (success) and then joins a\n transaction and commits it;\n\n3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().\n It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls\n btrfs_qgroup_wait_for_completion(), which returns immediately since the\n rescan worker is not yet running.\n Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;\n\n4) Task A queues the rescan worker, by calling btrfs_queue_work();\n\n5) The rescan worker starts, and calls rescan_should_stop() at the start\n of its while loop, which results in 0 iterations of the loop, since\n the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by\n task B at step 3);\n\n6) Task B sets fs_info->quota_root to NULL;\n\n7) The rescan worker tries to start a transaction and uses\n fs_info->quota_root as the root argument for btrfs_start_transaction().\n This results in a NULL pointer dereference down the call chain of\n btrfs_start_transaction(). The stack trace is something like the one\n reported in Link tag below:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Workqueue: btrfs-qgroup-rescan btrfs_work_helper\n RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564\n Code: 48 89 fb 48 (...)\n RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206\n RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\n RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d\n R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003\n FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402\n btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280\n process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\n worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\n kthread+0x266/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n Modules linked in:\n\nSo fix this by having the rescan worker function not attempt to start a\ntransaction if it didn't do any rescan work.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52896\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52896\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52896\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52896\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52896\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1004fc90f0d79a4b7d9e3d432729914f472f9ad1\",\n \"https://git.kernel.org/stable/c/3bd43374857103ba3cac751d6d4afa8d83b5d92a\",\n \"https://git.kernel.org/stable/c/64287cd456a22373053998c1fccf14b651e9cbbd\",\n \"https://git.kernel.org/stable/c/89ac597e3e807b91e2ebd6a7c36fec7b97290233\",\n \"https://git.kernel.org/stable/c/b7adbf9ada3513d2092362c8eac5cddc5b651f5c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix race between quota rescan and disable leading to NULL pointer deref\\n\\nIf we have one task trying to start the quota rescan worker while another\\none is trying to disable quotas, we can end up hitting a race that results\\nin the quota rescan worker doing a NULL pointer dereference. The steps for\\nthis are the following:\\n\\n1) Quotas are enabled;\\n\\n2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().\\n It calls qgroup_rescan_init() which returns 0 (success) and then joins a\\n transaction and commits it;\\n\\n3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().\\n It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls\\n btrfs_qgroup_wait_for_completion(), which returns immediately since the\\n rescan worker is not yet running.\\n Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;\\n\\n4) Task A queues the rescan worker, by calling btrfs_queue_work();\\n\\n5) The rescan worker starts, and calls rescan_should_stop() at the start\\n of its while loop, which results in 0 iterations of the loop, since\\n the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by\\n task B at step 3);\\n\\n6) Task B sets fs_info->quota_root to NULL;\\n\\n7) The rescan worker tries to start a transaction and uses\\n fs_info->quota_root as the root argument for btrfs_start_transaction().\\n This results in a NULL pointer dereference down the call chain of\\n btrfs_start_transaction(). The stack trace is something like the one\\n reported in Link tag below:\\n\\n general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN\\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\\n CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0\\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\\n Workqueue: btrfs-qgroup-rescan btrfs_work_helper\\n RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564\\n Code: 48 89 fb 48 (...)\\n RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206\\n RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80\\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\\n RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d\\n R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000\\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003\\n FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n Call Trace:\\n \\n btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402\\n btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280\\n process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\\n worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\\n kthread+0x266/0x300 kernel/kthread.c:376\\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\\n \\n Modules linked in:\\n\\nSo fix this by having the rescan worker function not attempt to start a\\ntransaction if it didn't do any rescan work.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52896\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52898", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52898" + }, + { + "url": "https://git.kernel.org/stable/c/081105213ff6f661c114781d469233c7d0e09c2e" + }, + { + "url": "https://git.kernel.org/stable/c/133b902378e4acbd824c29dd0d48570ad596e368" + }, + { + "url": "https://git.kernel.org/stable/c/6fac4b5cecb3928a0a81069aaa815a2edc8dd5a1" + }, + { + "url": "https://git.kernel.org/stable/c/a2bc47c43e70cf904b1af49f76d572326c08bca7" + }, + { + "url": "https://git.kernel.org/stable/c/c462ac871f49753eca86bb960f573b993976a5ea" + }, + { + "url": "https://git.kernel.org/stable/c/ea2ee5e9991caf74e0604f994c1831a5867055b2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52898 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52898", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix null pointer dereference when host dies\n\nMake sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race\nand cause null pointer dereference when host suddenly dies.\n\nUsb core may call xhci_free_dev() which frees the xhci->devs[slot_id]\nvirt device at the same time that xhci_kill_endpoint_urbs() tries to\nloop through all the device's endpoints, checking if there are any\ncancelled urbs left to give back.\n\nhold the xhci spinlock while freeing the virt device", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52898\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52898\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52898\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52898\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52898\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/081105213ff6f661c114781d469233c7d0e09c2e\",\n \"https://git.kernel.org/stable/c/133b902378e4acbd824c29dd0d48570ad596e368\",\n \"https://git.kernel.org/stable/c/6fac4b5cecb3928a0a81069aaa815a2edc8dd5a1\",\n \"https://git.kernel.org/stable/c/a2bc47c43e70cf904b1af49f76d572326c08bca7\",\n \"https://git.kernel.org/stable/c/c462ac871f49753eca86bb960f573b993976a5ea\",\n \"https://git.kernel.org/stable/c/ea2ee5e9991caf74e0604f994c1831a5867055b2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxhci: Fix null pointer dereference when host dies\\n\\nMake sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race\\nand cause null pointer dereference when host suddenly dies.\\n\\nUsb core may call xhci_free_dev() which frees the xhci->devs[slot_id]\\nvirt device at the same time that xhci_kill_endpoint_urbs() tries to\\nloop through all the device's endpoints, checking if there are any\\ncancelled urbs left to give back.\\n\\nhold the xhci spinlock while freeing the virt device\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52898\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52899" + }, + { + "url": "https://git.kernel.org/stable/c/20d0a6d17e85a8a816a64fa7d7cae616f1617833" + }, + { + "url": "https://git.kernel.org/stable/c/5054d001ffaf76155637c5e5b922c11016cd6a5d" + }, + { + "url": "https://git.kernel.org/stable/c/51a7ad5b60efac65691729d10745c28fa1016b96" + }, + { + "url": "https://git.kernel.org/stable/c/53dd833fd0a2d8f0118d01ea063a70652689d31e" + }, + { + "url": "https://git.kernel.org/stable/c/57054fe516d59d03a7bcf1888e82479ccc244f87" + }, + { + "url": "https://git.kernel.org/stable/c/f534dc438828cc3f1f8c6895b8bdfbef079521fb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nAdd exception protection processing for vd in axi_chan_handle_err function\n\nSince there is no protection for vd, a kernel panic will be\ntriggered here in exceptional cases.\n\nYou can refer to the processing of axi_chan_block_xfer_complete function\n\nThe triggered kernel panic is as follows:\n\n[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n[ 67.848447] Mem abort info:\n[ 67.848449] ESR = 0x96000004\n[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 67.848454] SET = 0, FnV = 0\n[ 67.848456] EA = 0, S1PTW = 0\n[ 67.848458] Data abort info:\n[ 67.848460] ISV = 0, ISS = 0x00000004\n[ 67.848462] CM = 0, WnR = 0\n[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000\n[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000\n[ 67.848472] Internal error: Oops: 96000004 [#1] SMP\n[ 67.848475] Modules linked in: dmatest\n[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11\n[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)\n[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230\n[ 67.848491] lr : axi_chan_handle_err+0x30/0x230\n[ 67.848493] sp : ffff0803fe55ae50\n[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200\n[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080\n[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850\n[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000\n[ 67.848512] x21: 0000000000000080 x20: 0000000000002000\n[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000\n[ 67.848521] x17: 0000000000000000 x16: 0000000000000000\n[ 67.848525] x15: 0000000000000000 x14: 0000000000000000\n[ 67.848529] x13: 0000000000000000 x12: 0000000000000040\n[ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a\n[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270\n[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0\n[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480\n[ 67.848550] x3 : dead000000000100 x2 : dead000000000122\n[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168\n[ 67.848559] Call trace:\n[ 67.848562] axi_chan_handle_err+0xc4/0x230\n[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590\n[ 67.848569] __handle_irq_event_percpu+0x60/0x220\n[ 67.848573] handle_irq_event+0x64/0x120\n[ 67.848576] handle_fasteoi_irq+0xc4/0x220\n[ 67.848580] __handle_domain_irq+0x80/0xe0\n[ 67.848583] gic_handle_irq+0xc0/0x138\n[ 67.848585] el1_irq+0xc8/0x180\n[ 67.848588] arch_cpu_idle+0x14/0x2c\n[ 67.848591] default_idle_call+0x40/0x16c\n[ 67.848594] do_idle+0x1f0/0x250\n[ 67.848597] cpu_startup_entry+0x2c/0x60\n[ 67.848600] rest_init+0xc0/0xcc\n[ 67.848603] arch_call_rest_init+0x14/0x1c\n[ 67.848606] start_kernel+0x4cc/0x500\n[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)\n[ 67.848613] ---[ end trace 585a97036f88203a ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/20d0a6d17e85a8a816a64fa7d7cae616f1617833\",\n \"https://git.kernel.org/stable/c/5054d001ffaf76155637c5e5b922c11016cd6a5d\",\n \"https://git.kernel.org/stable/c/51a7ad5b60efac65691729d10745c28fa1016b96\",\n \"https://git.kernel.org/stable/c/53dd833fd0a2d8f0118d01ea063a70652689d31e\",\n \"https://git.kernel.org/stable/c/57054fe516d59d03a7bcf1888e82479ccc244f87\",\n \"https://git.kernel.org/stable/c/f534dc438828cc3f1f8c6895b8bdfbef079521fb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nAdd exception protection processing for vd in axi_chan_handle_err function\\n\\nSince there is no protection for vd, a kernel panic will be\\ntriggered here in exceptional cases.\\n\\nYou can refer to the processing of axi_chan_block_xfer_complete function\\n\\nThe triggered kernel panic is as follows:\\n\\n[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\\n[ 67.848447] Mem abort info:\\n[ 67.848449] ESR = 0x96000004\\n[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits\\n[ 67.848454] SET = 0, FnV = 0\\n[ 67.848456] EA = 0, S1PTW = 0\\n[ 67.848458] Data abort info:\\n[ 67.848460] ISV = 0, ISS = 0x00000004\\n[ 67.848462] CM = 0, WnR = 0\\n[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000\\n[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000\\n[ 67.848472] Internal error: Oops: 96000004 [#1] SMP\\n[ 67.848475] Modules linked in: dmatest\\n[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11\\n[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)\\n[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230\\n[ 67.848491] lr : axi_chan_handle_err+0x30/0x230\\n[ 67.848493] sp : ffff0803fe55ae50\\n[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200\\n[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080\\n[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850\\n[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000\\n[ 67.848512] x21: 0000000000000080 x20: 0000000000002000\\n[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000\\n[ 67.848521] x17: 0000000000000000 x16: 0000000000000000\\n[ 67.848525] x15: 0000000000000000 x14: 0000000000000000\\n[ 67.848529] x13: 0000000000000000 x12: 0000000000000040\\n[ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a\\n[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270\\n[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0\\n[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480\\n[ 67.848550] x3 : dead000000000100 x2 : dead000000000122\\n[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168\\n[ 67.848559] Call trace:\\n[ 67.848562] axi_chan_handle_err+0xc4/0x230\\n[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590\\n[ 67.848569] __handle_irq_event_percpu+0x60/0x220\\n[ 67.848573] handle_irq_event+0x64/0x120\\n[ 67.848576] handle_fasteoi_irq+0xc4/0x220\\n[ 67.848580] __handle_domain_irq+0x80/0xe0\\n[ 67.848583] gic_handle_irq+0xc0/0x138\\n[ 67.848585] el1_irq+0xc8/0x180\\n[ 67.848588] arch_cpu_idle+0x14/0x2c\\n[ 67.848591] default_idle_call+0x40/0x16c\\n[ 67.848594] do_idle+0x1f0/0x250\\n[ 67.848597] cpu_startup_entry+0x2c/0x60\\n[ 67.848600] rest_init+0xc0/0xcc\\n[ 67.848603] arch_call_rest_init+0x14/0x1c\\n[ 67.848606] start_kernel+0x4cc/0x500\\n[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)\\n[ 67.848613] ---[ end trace 585a97036f88203a ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52900" + }, + { + "url": "https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04" + }, + { + "url": "https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545" + }, + { + "url": "https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062" + }, + { + "url": "https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243" + }, + { + "url": "https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051" + }, + { + "url": "https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d" + }, + { + "url": "https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix general protection fault in nilfs_btree_insert()\n\nIf nilfs2 reads a corrupted disk image and tries to reads a b-tree node\nblock by calling __nilfs_btree_get_block() against an invalid virtual\nblock address, it returns -ENOENT because conversion of the virtual block\naddress to a disk block address fails. However, this return value is the\nsame as the internal code that b-tree lookup routines return to indicate\nthat the block being searched does not exist, so functions that operate on\nthat b-tree may misbehave.\n\nWhen nilfs_btree_insert() receives this spurious 'not found' code from\nnilfs_btree_do_lookup(), it misunderstands that the 'not found' check was\nsuccessful and continues the insert operation using incomplete lookup path\ndata, causing the following crash:\n\n general protection fault, probably for non-canonical address\n 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n ...\n RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]\n RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]\n RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238\n Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89\n ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c\n 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02\n ...\n Call Trace:\n \n nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]\n nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147\n nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101\n __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991\n __block_write_begin fs/buffer.c:2041 [inline]\n block_write_begin+0x93/0x1e0 fs/buffer.c:2102\n nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\n __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900\n generic_file_write_iter+0xab/0x310 mm/filemap.c:3932\n call_write_iter include/linux/fs.h:2186 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n ...\n \n\nThis patch fixes the root cause of this problem by replacing the error\ncode that __nilfs_btree_get_block() returns on block address conversion\nfailure from -ENOENT to another internal code -EINVAL which means that the\nb-tree metadata is corrupted.\n\nBy returning -EINVAL, it propagates without glitches, and for all relevant\nb-tree operations, functions in the upper bmap layer output an error\nmessage indicating corrupted b-tree metadata via\nnilfs_bmap_convert_error(), and code -EIO will be eventually returned as\nit should be.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04\",\n \"https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545\",\n \"https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062\",\n \"https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243\",\n \"https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051\",\n \"https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d\",\n \"https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix general protection fault in nilfs_btree_insert()\\n\\nIf nilfs2 reads a corrupted disk image and tries to reads a b-tree node\\nblock by calling __nilfs_btree_get_block() against an invalid virtual\\nblock address, it returns -ENOENT because conversion of the virtual block\\naddress to a disk block address fails. However, this return value is the\\nsame as the internal code that b-tree lookup routines return to indicate\\nthat the block being searched does not exist, so functions that operate on\\nthat b-tree may misbehave.\\n\\nWhen nilfs_btree_insert() receives this spurious 'not found' code from\\nnilfs_btree_do_lookup(), it misunderstands that the 'not found' check was\\nsuccessful and continues the insert operation using incomplete lookup path\\ndata, causing the following crash:\\n\\n general protection fault, probably for non-canonical address\\n 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\\n ...\\n RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]\\n RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]\\n RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238\\n Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89\\n ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c\\n 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02\\n ...\\n Call Trace:\\n \\n nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]\\n nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147\\n nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101\\n __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991\\n __block_write_begin fs/buffer.c:2041 [inline]\\n block_write_begin+0x93/0x1e0 fs/buffer.c:2102\\n nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261\\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\\n __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900\\n generic_file_write_iter+0xab/0x310 mm/filemap.c:3932\\n call_write_iter include/linux/fs.h:2186 [inline]\\n new_sync_write fs/read_write.c:491 [inline]\\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\\n ksys_write+0x177/0x2a0 fs/read_write.c:637\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n ...\\n \\n\\nThis patch fixes the root cause of this problem by replacing the error\\ncode that __nilfs_btree_get_block() returns on block address conversion\\nfailure from -ENOENT to another internal code -EINVAL which means that the\\nb-tree metadata is corrupted.\\n\\nBy returning -EINVAL, it propagates without glitches, and for all relevant\\nb-tree operations, functions in the upper bmap layer output an error\\nmessage indicating corrupted b-tree metadata via\\nnilfs_bmap_convert_error(), and code -EIO will be eventually returned as\\nit should be.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52901", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52901" + }, + { + "url": "https://git.kernel.org/stable/c/08864dc14a6803f0377ca77b9740b26db30c020f" + }, + { + "url": "https://git.kernel.org/stable/c/2d2820d5f375563690c96e60676855205abfb7f5" + }, + { + "url": "https://git.kernel.org/stable/c/375be2dd61a072f7b1cac9b17eea59e07b58db3a" + }, + { + "url": "https://git.kernel.org/stable/c/66fc1600855c05c4ba4e997184c91cf298e0405c" + }, + { + "url": "https://git.kernel.org/stable/c/9891e5c73cab3fd9ed532dc50e9799e55e974766" + }, + { + "url": "https://git.kernel.org/stable/c/e8fb5bc76eb86437ab87002d4a36d6da02165654" + }, + { + "url": "https://git.kernel.org/stable/c/f39c813af0b64f44af94e435c07bfa1ddc2575f5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52901 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52901", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Check endpoint is valid before dereferencing it\n\nWhen the host controller is not responding, all URBs queued to all\nendpoints need to be killed. This can cause a kernel panic if we\ndereference an invalid endpoint.\n\nFix this by using xhci_get_virt_ep() helper to find the endpoint and\nchecking if the endpoint is valid before dereferencing it.\n\n[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead\n[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8\n\n[233311.853964] pc : xhci_hc_died+0x10c/0x270\n[233311.853971] lr : xhci_hc_died+0x1ac/0x270\n\n[233311.854077] Call trace:\n[233311.854085] xhci_hc_died+0x10c/0x270\n[233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4\n[233311.854105] call_timer_fn+0x50/0x2d4\n[233311.854112] expire_timers+0xac/0x2e4\n[233311.854118] run_timer_softirq+0x300/0xabc\n[233311.854127] __do_softirq+0x148/0x528\n[233311.854135] irq_exit+0x194/0x1a8\n[233311.854143] __handle_domain_irq+0x164/0x1d0\n[233311.854149] gic_handle_irq.22273+0x10c/0x188\n[233311.854156] el1_irq+0xfc/0x1a8\n[233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm]\n[233311.854185] cpuidle_enter_state+0x1f0/0x764\n[233311.854194] do_idle+0x594/0x6ac\n[233311.854201] cpu_startup_entry+0x7c/0x80\n[233311.854209] secondary_start_kernel+0x170/0x198", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52901\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52901\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52901\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52901\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52901\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08864dc14a6803f0377ca77b9740b26db30c020f\",\n \"https://git.kernel.org/stable/c/2d2820d5f375563690c96e60676855205abfb7f5\",\n \"https://git.kernel.org/stable/c/375be2dd61a072f7b1cac9b17eea59e07b58db3a\",\n \"https://git.kernel.org/stable/c/66fc1600855c05c4ba4e997184c91cf298e0405c\",\n \"https://git.kernel.org/stable/c/9891e5c73cab3fd9ed532dc50e9799e55e974766\",\n \"https://git.kernel.org/stable/c/e8fb5bc76eb86437ab87002d4a36d6da02165654\",\n \"https://git.kernel.org/stable/c/f39c813af0b64f44af94e435c07bfa1ddc2575f5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: xhci: Check endpoint is valid before dereferencing it\\n\\nWhen the host controller is not responding, all URBs queued to all\\nendpoints need to be killed. This can cause a kernel panic if we\\ndereference an invalid endpoint.\\n\\nFix this by using xhci_get_virt_ep() helper to find the endpoint and\\nchecking if the endpoint is valid before dereferencing it.\\n\\n[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead\\n[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8\\n\\n[233311.853964] pc : xhci_hc_died+0x10c/0x270\\n[233311.853971] lr : xhci_hc_died+0x1ac/0x270\\n\\n[233311.854077] Call trace:\\n[233311.854085] xhci_hc_died+0x10c/0x270\\n[233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4\\n[233311.854105] call_timer_fn+0x50/0x2d4\\n[233311.854112] expire_timers+0xac/0x2e4\\n[233311.854118] run_timer_softirq+0x300/0xabc\\n[233311.854127] __do_softirq+0x148/0x528\\n[233311.854135] irq_exit+0x194/0x1a8\\n[233311.854143] __handle_domain_irq+0x164/0x1d0\\n[233311.854149] gic_handle_irq.22273+0x10c/0x188\\n[233311.854156] el1_irq+0xfc/0x1a8\\n[233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm]\\n[233311.854185] cpuidle_enter_state+0x1f0/0x764\\n[233311.854194] do_idle+0x594/0x6ac\\n[233311.854201] cpu_startup_entry+0x7c/0x80\\n[233311.854209] secondary_start_kernel+0x170/0x198\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52901\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52903", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52903" + }, + { + "url": "https://git.kernel.org/stable/c/544d163d659d45a206d8929370d5a2984e546cb7" + }, + { + "url": "https://git.kernel.org/stable/c/7fc3990dad04a677606337ebc61964094d6cb41b" + }, + { + "url": "https://git.kernel.org/stable/c/de77faee280163ff03b7ab64af6c9d779a43d4c4" + }, + { + "url": "https://git.kernel.org/stable/c/ed4629d1e968359fbb91d0a3780b1e86a2c08845" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52903 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52903", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: lock overflowing for IOPOLL\n\nsyzbot reports an issue with overflow filling for IOPOLL:\n\nWARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\nCPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0\nWorkqueue: events_unbound io_ring_exit_work\nCall trace:\n io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\n io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773\n io_fill_cqe_req io_uring/io_uring.h:168 [inline]\n io_do_iopoll+0x474/0x62c io_uring/rw.c:1065\n io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513\n io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056\n io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869\n process_one_work+0x2d8/0x504 kernel/workqueue.c:2289\n worker_thread+0x340/0x610 kernel/workqueue.c:2436\n kthread+0x12c/0x158 kernel/kthread.c:376\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863\n\nThere is no real problem for normal IOPOLL as flush is also called with\nuring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,\nfor which __io_cqring_overflow_flush() happens from the CQ waiting path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52903\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52903\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52903\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52903\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52903\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/544d163d659d45a206d8929370d5a2984e546cb7\",\n \"https://git.kernel.org/stable/c/7fc3990dad04a677606337ebc61964094d6cb41b\",\n \"https://git.kernel.org/stable/c/de77faee280163ff03b7ab64af6c9d779a43d4c4\",\n \"https://git.kernel.org/stable/c/ed4629d1e968359fbb91d0a3780b1e86a2c08845\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring: lock overflowing for IOPOLL\\n\\nsyzbot reports an issue with overflow filling for IOPOLL:\\n\\nWARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\\nCPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0\\nWorkqueue: events_unbound io_ring_exit_work\\nCall trace:\\n io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\\n io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773\\n io_fill_cqe_req io_uring/io_uring.h:168 [inline]\\n io_do_iopoll+0x474/0x62c io_uring/rw.c:1065\\n io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513\\n io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056\\n io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869\\n process_one_work+0x2d8/0x504 kernel/workqueue.c:2289\\n worker_thread+0x340/0x610 kernel/workqueue.c:2436\\n kthread+0x12c/0x158 kernel/kthread.c:376\\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863\\n\\nThere is no real problem for normal IOPOLL as flush is also called with\\nuring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,\\nfor which __io_cqring_overflow_flush() happens from the CQ waiting path.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52903\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52904", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52904" + }, + { + "url": "https://git.kernel.org/stable/c/92a9c0ad86d47ff4cce899012e355c400f02cfb8" + }, + { + "url": "https://git.kernel.org/stable/c/a474d4ad59cd4642d1b7e3a6c08cef9eca0992c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52904 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52904", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()\n\nThe subs function argument may be NULL, so do not use it before the NULL check.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52904\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52904\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52904\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52904\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52904\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/92a9c0ad86d47ff4cce899012e355c400f02cfb8\",\n \"https://git.kernel.org/stable/c/a474d4ad59cd4642d1b7e3a6c08cef9eca0992c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()\\n\\nThe subs function argument may be NULL, so do not use it before the NULL check.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52904\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52905" + }, + { + "url": "https://git.kernel.org/stable/c/53da7aec32982f5ee775b69dce06d63992ce4af3" + }, + { + "url": "https://git.kernel.org/stable/c/c8ca0ad10df08ea36bcac1288062d567d22604c9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52905", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix resource leakage in VF driver unbind\n\nresources allocated like mcam entries to support the Ntuple feature\nand hash tables for the tc feature are not getting freed in driver\nunbind. This patch fixes the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/53da7aec32982f5ee775b69dce06d63992ce4af3\",\n \"https://git.kernel.org/stable/c/c8ca0ad10df08ea36bcac1288062d567d22604c9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocteontx2-pf: Fix resource leakage in VF driver unbind\\n\\nresources allocated like mcam entries to support the Ntuple feature\\nand hash tables for the tc feature are not getting freed in driver\\nunbind. This patch fixes the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52906", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52906" + }, + { + "url": "https://git.kernel.org/stable/c/2b157c3c5d6b8ddca48d53c9e662032f65af8d61" + }, + { + "url": "https://git.kernel.org/stable/c/453277feb41c2235cf2c0de9209eef962c401457" + }, + { + "url": "https://git.kernel.org/stable/c/8a97b544b98e44f596219ebb290fd2ba2fd5d644" + }, + { + "url": "https://git.kernel.org/stable/c/9e17f99220d111ea031b44153fdfe364b0024ff2" + }, + { + "url": "https://git.kernel.org/stable/c/9e2c38827cdc6fdd3bb375c8607fc04d289756f9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52906 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52906", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mpls: Fix warning during failed attribute validation\n\nThe 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a\nvalidation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid\ncombination according to the comment above 'struct nla_policy':\n\n\"\nMeaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:\n NLA_BINARY Validation function called for the attribute.\n All other Unused - but note that it's a union\n\"\n\nThis can trigger the warning [1] in nla_get_range_unsigned() when\nvalidation of the attribute fails. Despite being of 'NLA_U32' type, the\nassociated 'min'/'max' fields in the policy are negative as they are\naliased by the 'validate' field.\n\nFix by changing the attribute type to 'NLA_BINARY' which is consistent\nwith the above comment and all other users of NLA_POLICY_VALIDATE_FN().\nAs a result, move the length validation to the validation function.\n\nNo regressions in MPLS tests:\n\n # ./tdc.py -f tc-tests/actions/mpls.json\n [...]\n # echo $?\n 0\n\n[1]\nWARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118\nnla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\nModules linked in:\nCPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\n[...]\nCall Trace:\n \n __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310\n netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411\n netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]\n netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506\n netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546\n rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2482\n ___sys_sendmsg net/socket.c:2536 [inline]\n __sys_sendmsg+0x197/0x230 net/socket.c:2565\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52906\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52906\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52906\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52906\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52906\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b157c3c5d6b8ddca48d53c9e662032f65af8d61\",\n \"https://git.kernel.org/stable/c/453277feb41c2235cf2c0de9209eef962c401457\",\n \"https://git.kernel.org/stable/c/8a97b544b98e44f596219ebb290fd2ba2fd5d644\",\n \"https://git.kernel.org/stable/c/9e17f99220d111ea031b44153fdfe364b0024ff2\",\n \"https://git.kernel.org/stable/c/9e2c38827cdc6fdd3bb375c8607fc04d289756f9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_mpls: Fix warning during failed attribute validation\\n\\nThe 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a\\nvalidation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid\\ncombination according to the comment above 'struct nla_policy':\\n\\n\\\"\\nMeaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:\\n NLA_BINARY Validation function called for the attribute.\\n All other Unused - but note that it's a union\\n\\\"\\n\\nThis can trigger the warning [1] in nla_get_range_unsigned() when\\nvalidation of the attribute fails. Despite being of 'NLA_U32' type, the\\nassociated 'min'/'max' fields in the policy are negative as they are\\naliased by the 'validate' field.\\n\\nFix by changing the attribute type to 'NLA_BINARY' which is consistent\\nwith the above comment and all other users of NLA_POLICY_VALIDATE_FN().\\nAs a result, move the length validation to the validation function.\\n\\nNo regressions in MPLS tests:\\n\\n # ./tdc.py -f tc-tests/actions/mpls.json\\n [...]\\n # echo $?\\n 0\\n\\n[1]\\nWARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118\\nnla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\\nModules linked in:\\nCPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\\nRIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\\n[...]\\nCall Trace:\\n \\n __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310\\n netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411\\n netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]\\n netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506\\n netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546\\n rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109\\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345\\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921\\n sock_sendmsg_nosec net/socket.c:714 [inline]\\n sock_sendmsg net/socket.c:734 [inline]\\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2482\\n ___sys_sendmsg net/socket.c:2536 [inline]\\n __sys_sendmsg+0x197/0x230 net/socket.c:2565\\n __do_sys_sendmsg net/socket.c:2574 [inline]\\n __se_sys_sendmsg net/socket.c:2572 [inline]\\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52906\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52907", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52907" + }, + { + "url": "https://git.kernel.org/stable/c/0ca78c99656f5c448567db1e148367aa3b01c80a" + }, + { + "url": "https://git.kernel.org/stable/c/321db5131c92983dac4f3338e8fbb6df214238c0" + }, + { + "url": "https://git.kernel.org/stable/c/35529d6b827eedb6bf7e81130e4b7e0aba9e58d2" + }, + { + "url": "https://git.kernel.org/stable/c/39ae73e581112cfe27ba50aecb1c891ce57cecb1" + }, + { + "url": "https://git.kernel.org/stable/c/8998db5021a28ad67aa8d627bdb4226e4046ccc4" + }, + { + "url": "https://git.kernel.org/stable/c/9424d2205fe94a095fb9365ec0c6137f0b394a2b" + }, + { + "url": "https://git.kernel.org/stable/c/9dab880d675b9d0dd56c6428e4e8352a3339371d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52907 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52907", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()\n\nFix a use-after-free that occurs in hcd when in_urb sent from\npn533_usb_send_frame() is completed earlier than out_urb. Its callback\nfrees the skb data in pn533_send_async_complete() that is used as a\ntransfer buffer of out_urb. Wait before sending in_urb until the\ncallback of out_urb is called. To modify the callback of out_urb alone,\nseparate the complete function of out_urb and ack_urb.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: use-after-free in dummy_timer\nCall Trace:\n memcpy (mm/kasan/shadow.c:65)\n dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)\n transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)\n dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)\n arch_static_branch (arch/x86/include/asm/jump_label.h:27)\n static_key_false (include/linux/jump_label.h:207)\n timer_expire_exit (include/trace/events/timer.h:127)\n call_timer_fn (kernel/time/timer.c:1475)\n expire_timers (kernel/time/timer.c:1519)\n __run_timers (kernel/time/timer.c:1790)\n run_timer_softirq (kernel/time/timer.c:1803)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52907\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52907\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52907\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52907\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52907\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ca78c99656f5c448567db1e148367aa3b01c80a\",\n \"https://git.kernel.org/stable/c/321db5131c92983dac4f3338e8fbb6df214238c0\",\n \"https://git.kernel.org/stable/c/35529d6b827eedb6bf7e81130e4b7e0aba9e58d2\",\n \"https://git.kernel.org/stable/c/39ae73e581112cfe27ba50aecb1c891ce57cecb1\",\n \"https://git.kernel.org/stable/c/8998db5021a28ad67aa8d627bdb4226e4046ccc4\",\n \"https://git.kernel.org/stable/c/9424d2205fe94a095fb9365ec0c6137f0b394a2b\",\n \"https://git.kernel.org/stable/c/9dab880d675b9d0dd56c6428e4e8352a3339371d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()\\n\\nFix a use-after-free that occurs in hcd when in_urb sent from\\npn533_usb_send_frame() is completed earlier than out_urb. Its callback\\nfrees the skb data in pn533_send_async_complete() that is used as a\\ntransfer buffer of out_urb. Wait before sending in_urb until the\\ncallback of out_urb is called. To modify the callback of out_urb alone,\\nseparate the complete function of out_urb and ack_urb.\\n\\nFound by a modified version of syzkaller.\\n\\nBUG: KASAN: use-after-free in dummy_timer\\nCall Trace:\\n memcpy (mm/kasan/shadow.c:65)\\n dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)\\n transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)\\n dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)\\n arch_static_branch (arch/x86/include/asm/jump_label.h:27)\\n static_key_false (include/linux/jump_label.h:207)\\n timer_expire_exit (include/trace/events/timer.h:127)\\n call_timer_fn (kernel/time/timer.c:1475)\\n expire_timers (kernel/time/timer.c:1519)\\n __run_timers (kernel/time/timer.c:1790)\\n run_timer_softirq (kernel/time/timer.c:1803)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52907\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52910", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52910" + }, + { + "url": "https://git.kernel.org/stable/c/61cbf790e7329ed78877560be7136f0b911bba7f" + }, + { + "url": "https://git.kernel.org/stable/c/c929a230c84441e400c32e7b7b4ab763711fb63e" + }, + { + "url": "https://git.kernel.org/stable/c/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52910 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52910", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/iova: Fix alloc iova overflows issue\n\nIn __alloc_and_insert_iova_range, there is an issue that retry_pfn\noverflows. The value of iovad->anchor.pfn_hi is ~0UL, then when\niovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will\noverflow. As a result, if the retry logic is executed, low_pfn is\nupdated to 0, and then new_pfn < low_pfn returns false to make the\nallocation successful.\n\nThis issue occurs in the following two situations:\n1. The first iova size exceeds the domain size. When initializing\niova domain, iovad->cached_node is assigned as iovad->anchor. For\nexample, the iova domain size is 10M, start_pfn is 0x1_F000_0000,\nand the iova size allocated for the first time is 11M. The\nfollowing is the log information, new->pfn_lo is smaller than\niovad->cached_node.\n\nExample log as follows:\n[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nstart_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00\n[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nsuccess start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff\n\n2. The node with the largest iova->pfn_lo value in the iova domain\nis deleted, iovad->cached_node will be updated to iovad->anchor,\nand then the alloc iova size exceeds the maximum iova size that can\nbe allocated in the domain.\n\nAfter judging that retry_pfn is less than limit_pfn, call retry_pfn+1\nto fix the overflow issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52910\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52910\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52910\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52910\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52910\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/61cbf790e7329ed78877560be7136f0b911bba7f\",\n \"https://git.kernel.org/stable/c/c929a230c84441e400c32e7b7b4ab763711fb63e\",\n \"https://git.kernel.org/stable/c/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu/iova: Fix alloc iova overflows issue\\n\\nIn __alloc_and_insert_iova_range, there is an issue that retry_pfn\\noverflows. The value of iovad->anchor.pfn_hi is ~0UL, then when\\niovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will\\noverflow. As a result, if the retry logic is executed, low_pfn is\\nupdated to 0, and then new_pfn < low_pfn returns false to make the\\nallocation successful.\\n\\nThis issue occurs in the following two situations:\\n1. The first iova size exceeds the domain size. When initializing\\niova domain, iovad->cached_node is assigned as iovad->anchor. For\\nexample, the iova domain size is 10M, start_pfn is 0x1_F000_0000,\\nand the iova size allocated for the first time is 11M. The\\nfollowing is the log information, new->pfn_lo is smaller than\\niovad->cached_node.\\n\\nExample log as follows:\\n[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\\nstart_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00\\n[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\\nsuccess start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff\\n\\n2. The node with the largest iova->pfn_lo value in the iova domain\\nis deleted, iovad->cached_node will be updated to iovad->anchor,\\nand then the alloc iova size exceeds the maximum iova size that can\\nbe allocated in the domain.\\n\\nAfter judging that retry_pfn is less than limit_pfn, call retry_pfn+1\\nto fix the overflow issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52910\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52911", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52911" + }, + { + "url": "https://git.kernel.org/stable/c/00dd060ab3cf95ca6ede7853bc14397014971b5e" + }, + { + "url": "https://git.kernel.org/stable/c/b107b08c41b3076a508113fbaaffe15ce1fe7f65" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52911 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52911", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: another fix for the headless Adreno GPU\n\nFix another oops reproducible when rebooting the board with the Adreno\nGPU working in the headless mode (e.g. iMX platforms).\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\n[00000000] *pgd=74936831, *pte=00000000, *ppte=00000000\nInternal error: Oops: 17 [#1] ARM\nCPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11\nHardware name: Freescale i.MX53 (Device Tree Support)\nPC is at msm_atomic_commit_tail+0x50/0x970\nLR is at commit_tail+0x9c/0x188\npc : [] lr : [] psr: 600e0013\nsp : e0851d30 ip : ee4eb7eb fp : 00090acc\nr10: 00000058 r9 : c2193014 r8 : c4310000\nr7 : c4759380 r6 : 07bef61d r5 : 00000000 r4 : 00000000\nr3 : c44cc440 r2 : 00000000 r1 : 00000000 r0 : 00000000\nFlags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none\nControl: 10c5387d Table: 74910019 DAC: 00000051\nRegister r0 information: NULL pointer\nRegister r1 information: NULL pointer\nRegister r2 information: NULL pointer\nRegister r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024\nRegister r4 information: NULL pointer\nRegister r5 information: NULL pointer\nRegister r6 information: non-paged memory\nRegister r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128\nRegister r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048\nRegister r9 information: non-slab/vmalloc memory\nRegister r10 information: non-paged memory\nRegister r11 information: non-paged memory\nRegister r12 information: non-paged memory\nProcess reboot (pid: 51, stack limit = 0xc80046d9)\nStack: (0xe0851d30 to 0xe0852000)\n1d20: c4759380 fbd77200 000005ff 002b9c70\n1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058\n1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c\n1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468\n1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810\n1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00\n1de0: c4759380 c067ad20 c4310000 00000000 c44cc810 c27f8718 c44cc854 c067adb8\n1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854\n1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000\n1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60\n1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4\n1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000\n1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058\n1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028\n1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc\n1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000\n msm_atomic_commit_tail from commit_tail+0x9c/0x188\n commit_tail from drm_atomic_helper_commit+0x160/0x188\n drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0\n drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0\n drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140\n drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240\n device_shutdown from kernel_restart+0x38/0x90\n kernel_restart from __do_sys_reboot+0x\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52911\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52911\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52911\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52911\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52911\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00dd060ab3cf95ca6ede7853bc14397014971b5e\",\n \"https://git.kernel.org/stable/c/b107b08c41b3076a508113fbaaffe15ce1fe7f65\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/msm: another fix for the headless Adreno GPU\\n\\nFix another oops reproducible when rebooting the board with the Adreno\\nGPU working in the headless mode (e.g. iMX platforms).\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\\n[00000000] *pgd=74936831, *pte=00000000, *ppte=00000000\\nInternal error: Oops: 17 [#1] ARM\\nCPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11\\nHardware name: Freescale i.MX53 (Device Tree Support)\\nPC is at msm_atomic_commit_tail+0x50/0x970\\nLR is at commit_tail+0x9c/0x188\\npc : [] lr : [] psr: 600e0013\\nsp : e0851d30 ip : ee4eb7eb fp : 00090acc\\nr10: 00000058 r9 : c2193014 r8 : c4310000\\nr7 : c4759380 r6 : 07bef61d r5 : 00000000 r4 : 00000000\\nr3 : c44cc440 r2 : 00000000 r1 : 00000000 r0 : 00000000\\nFlags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none\\nControl: 10c5387d Table: 74910019 DAC: 00000051\\nRegister r0 information: NULL pointer\\nRegister r1 information: NULL pointer\\nRegister r2 information: NULL pointer\\nRegister r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024\\nRegister r4 information: NULL pointer\\nRegister r5 information: NULL pointer\\nRegister r6 information: non-paged memory\\nRegister r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128\\nRegister r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048\\nRegister r9 information: non-slab/vmalloc memory\\nRegister r10 information: non-paged memory\\nRegister r11 information: non-paged memory\\nRegister r12 information: non-paged memory\\nProcess reboot (pid: 51, stack limit = 0xc80046d9)\\nStack: (0xe0851d30 to 0xe0852000)\\n1d20: c4759380 fbd77200 000005ff 002b9c70\\n1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058\\n1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c\\n1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468\\n1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810\\n1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00\\n1de0: c4759380 c067ad20 c4310000 00000000 c44cc810 c27f8718 c44cc854 c067adb8\\n1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854\\n1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000\\n1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60\\n1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4\\n1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000\\n1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\\n1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058\\n1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028\\n1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc\\n1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000\\n msm_atomic_commit_tail from commit_tail+0x9c/0x188\\n commit_tail from drm_atomic_helper_commit+0x160/0x188\\n drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0\\n drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0\\n drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140\\n drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240\\n device_shutdown from kernel_restart+0x38/0x90\\n kernel_restart from __do_sys_reboot+0x\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52911\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52912", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52912" + }, + { + "url": "https://git.kernel.org/stable/c/9196eb7c52e55749a332974f0081f77d53d60199" + }, + { + "url": "https://git.kernel.org/stable/c/99f1a36c90a7524972be5a028424c57fa17753ee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52912 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52912", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fixed bug on error when unloading amdgpu\n\nFixed bug on error when unloading amdgpu.\n\nThe error message is as follows:\n[ 377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!\n[ 377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G IOE 6.0.0-thomas #1\n[ 377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021\n[ 377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]\n[ 377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53\n[ 377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287\n[ 377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000\n[ 377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70\n[ 377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001\n[ 377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70\n[ 377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70\n[ 377.706325] FS: 00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000\n[ 377.706334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0\n[ 377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 377.706361] Call Trace:\n[ 377.706365] \n[ 377.706369] drm_buddy_free_list+0x2a/0x60 [drm_buddy]\n[ 377.706376] amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]\n[ 377.706572] amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]\n[ 377.706650] amdgpu_bo_fini+0x22/0x90 [amdgpu]\n[ 377.706727] gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]\n[ 377.706821] amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]\n[ 377.706897] amdgpu_driver_release_kms+0x12/0x30 [amdgpu]\n[ 377.706975] drm_dev_release+0x20/0x40 [drm]\n[ 377.707006] release_nodes+0x35/0xb0\n[ 377.707014] devres_release_all+0x8b/0xc0\n[ 377.707020] device_unbind_cleanup+0xe/0x70\n[ 377.707027] device_release_driver_internal+0xee/0x160\n[ 377.707033] driver_detach+0x44/0x90\n[ 377.707039] bus_remove_driver+0x55/0xe0\n[ 377.707045] pci_unregister_driver+0x3b/0x90\n[ 377.707052] amdgpu_exit+0x11/0x6c [amdgpu]\n[ 377.707194] __x64_sys_delete_module+0x142/0x2b0\n[ 377.707201] ? fpregs_assert_state_consistent+0x22/0x50\n[ 377.707208] ? exit_to_user_mode_prepare+0x3e/0x190\n[ 377.707215] do_syscall_64+0x38/0x90\n[ 377.707221] entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52912\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52912\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52912\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52912\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52912\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/9196eb7c52e55749a332974f0081f77d53d60199\",\n \"https://git.kernel.org/stable/c/99f1a36c90a7524972be5a028424c57fa17753ee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fixed bug on error when unloading amdgpu\\n\\nFixed bug on error when unloading amdgpu.\\n\\nThe error message is as follows:\\n[ 377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!\\n[ 377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n[ 377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G IOE 6.0.0-thomas #1\\n[ 377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021\\n[ 377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]\\n[ 377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53\\n[ 377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287\\n[ 377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000\\n[ 377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70\\n[ 377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001\\n[ 377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70\\n[ 377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70\\n[ 377.706325] FS: 00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000\\n[ 377.706334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0\\n[ 377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 377.706361] Call Trace:\\n[ 377.706365] \\n[ 377.706369] drm_buddy_free_list+0x2a/0x60 [drm_buddy]\\n[ 377.706376] amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]\\n[ 377.706572] amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]\\n[ 377.706650] amdgpu_bo_fini+0x22/0x90 [amdgpu]\\n[ 377.706727] gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]\\n[ 377.706821] amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]\\n[ 377.706897] amdgpu_driver_release_kms+0x12/0x30 [amdgpu]\\n[ 377.706975] drm_dev_release+0x20/0x40 [drm]\\n[ 377.707006] release_nodes+0x35/0xb0\\n[ 377.707014] devres_release_all+0x8b/0xc0\\n[ 377.707020] device_unbind_cleanup+0xe/0x70\\n[ 377.707027] device_release_driver_internal+0xee/0x160\\n[ 377.707033] driver_detach+0x44/0x90\\n[ 377.707039] bus_remove_driver+0x55/0xe0\\n[ 377.707045] pci_unregister_driver+0x3b/0x90\\n[ 377.707052] amdgpu_exit+0x11/0x6c [amdgpu]\\n[ 377.707194] __x64_sys_delete_module+0x142/0x2b0\\n[ 377.707201] ? fpregs_assert_state_consistent+0x22/0x50\\n[ 377.707208] ? exit_to_user_mode_prepare+0x3e/0x190\\n[ 377.707215] do_syscall_64+0x38/0x90\\n[ 377.707221] entry_SYSCALL_64_after_hwframe+0x63/0xcd\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52912\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-52913", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-52913" + }, + { + "url": "https://git.kernel.org/stable/c/afce71ff6daa9c0f852df0727fe32c6fb107f0fa" + }, + { + "url": "https://git.kernel.org/stable/c/b696c627b3f56e173f7f70b8487d66da8ff22506" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-52913 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-52913", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential context UAFs\n\ngem_context_register() makes the context visible to userspace, and which\npoint a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.\nSo we need to ensure that nothing uses the ctx ptr after this. And we\nneed to ensure that adding the ctx to the xarray is the *last* thing\nthat gem_context_register() does with the ctx pointer.\n\n[tursulin: Stable and fixes tags add/tidy.]\n(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-52913\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-52913\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-52913\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-52913\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52913\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/afce71ff6daa9c0f852df0727fe32c6fb107f0fa\",\n \"https://git.kernel.org/stable/c/b696c627b3f56e173f7f70b8487d66da8ff22506\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915: Fix potential context UAFs\\n\\ngem_context_register() makes the context visible to userspace, and which\\npoint a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.\\nSo we need to ensure that nothing uses the ctx ptr after this. And we\\nneed to ensure that adding the ctx to the xarray is the *last* thing\\nthat gem_context_register() does with the ctx pointer.\\n\\n[tursulin: Stable and fixes tags add/tidy.]\\n(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-52913\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6240", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6240" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1882" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2758" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3414" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3421" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3618" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3627" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6240" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250843" + }, + { + "url": "https://people.redhat.com/~hkario/marvin/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240628-0002/" + }, + { + "url": "https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6240 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6240", + "desc": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6240\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6240\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6240\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6240\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6240\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:1881\",\n \"https://access.redhat.com/errata/RHSA-2024:1882\",\n \"https://access.redhat.com/errata/RHSA-2024:2758\",\n \"https://access.redhat.com/errata/RHSA-2024:3414\",\n \"https://access.redhat.com/errata/RHSA-2024:3421\",\n \"https://access.redhat.com/errata/RHSA-2024:3618\",\n \"https://access.redhat.com/errata/RHSA-2024:3627\",\n \"https://access.redhat.com/security/cve/CVE-2023-6240\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2250843\",\n \"https://people.redhat.com/~hkario/marvin/\",\n \"https://security.netapp.com/advisory/ntap-20240628-0002/\",\n \"https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself/\"\n ],\n \"description\": \"A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6240\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6356", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6356" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0897" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1248" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2094" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3810" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6356" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254054" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0002/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6356 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6356", + "desc": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6356\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6356\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6356\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6356\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6356\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:0723\",\n \"https://access.redhat.com/errata/RHSA-2024:0724\",\n \"https://access.redhat.com/errata/RHSA-2024:0725\",\n \"https://access.redhat.com/errata/RHSA-2024:0881\",\n \"https://access.redhat.com/errata/RHSA-2024:0897\",\n \"https://access.redhat.com/errata/RHSA-2024:1248\",\n \"https://access.redhat.com/errata/RHSA-2024:2094\",\n \"https://access.redhat.com/errata/RHSA-2024:3810\",\n \"https://access.redhat.com/security/cve/CVE-2023-6356\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2254054\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://security.netapp.com/advisory/ntap-20240415-0002/\"\n ],\n \"description\": \"A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6356\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6535", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6535" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0897" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1248" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2094" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3810" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6535" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254053" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0003/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6535 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6535", + "desc": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6535\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6535\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6535\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6535\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6535\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:0723\",\n \"https://access.redhat.com/errata/RHSA-2024:0724\",\n \"https://access.redhat.com/errata/RHSA-2024:0725\",\n \"https://access.redhat.com/errata/RHSA-2024:0881\",\n \"https://access.redhat.com/errata/RHSA-2024:0897\",\n \"https://access.redhat.com/errata/RHSA-2024:1248\",\n \"https://access.redhat.com/errata/RHSA-2024:2094\",\n \"https://access.redhat.com/errata/RHSA-2024:3810\",\n \"https://access.redhat.com/security/cve/CVE-2023-6535\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2254053\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://security.netapp.com/advisory/ntap-20240415-0003/\"\n ],\n \"description\": \"A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6535\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6536", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6536" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0897" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1248" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2094" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3810" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6536" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254052" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0001/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6536 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6536", + "desc": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6536\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6536\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6536\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6536\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6536\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:0723\",\n \"https://access.redhat.com/errata/RHSA-2024:0724\",\n \"https://access.redhat.com/errata/RHSA-2024:0725\",\n \"https://access.redhat.com/errata/RHSA-2024:0881\",\n \"https://access.redhat.com/errata/RHSA-2024:0897\",\n \"https://access.redhat.com/errata/RHSA-2024:1248\",\n \"https://access.redhat.com/errata/RHSA-2024:2094\",\n \"https://access.redhat.com/errata/RHSA-2024:3810\",\n \"https://access.redhat.com/security/cve/CVE-2023-6536\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2254052\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\n \"https://security.netapp.com/advisory/ntap-20240415-0001/\"\n ],\n \"description\": \"A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6536\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6610", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6610" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0723" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0725" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0897" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1248" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1404" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2094" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6610" + }, + { + "url": "https://bugzilla.kernel.org/show_bug.cgi?id=218219" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253614" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6610 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6610", + "desc": "An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6610\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6610\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6610\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6610\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6610\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:0723\",\n \"https://access.redhat.com/errata/RHSA-2024:0724\",\n \"https://access.redhat.com/errata/RHSA-2024:0725\",\n \"https://access.redhat.com/errata/RHSA-2024:0881\",\n \"https://access.redhat.com/errata/RHSA-2024:0897\",\n \"https://access.redhat.com/errata/RHSA-2024:1248\",\n \"https://access.redhat.com/errata/RHSA-2024:1404\",\n \"https://access.redhat.com/errata/RHSA-2024:2094\",\n \"https://access.redhat.com/security/cve/CVE-2023-6610\",\n \"https://bugzilla.kernel.org/show_bug.cgi?id=218219\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2253614\"\n ],\n \"description\": \"An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6610\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2023-6915", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2023-6915" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2950" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:3138" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6915" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254982" + }, + { + "url": "https://github.com/torvalds/linux/commit/af73483f4e8b6f5c68c9aa63257bdd929a9c194a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2023-6915 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2023-6915", + "desc": "A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2023-6915\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2023-6915\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2023-6915\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2023-6915\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-6915\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/errata/RHSA-2024:2394\",\n \"https://access.redhat.com/errata/RHSA-2024:2950\",\n \"https://access.redhat.com/errata/RHSA-2024:3138\",\n \"https://access.redhat.com/security/cve/CVE-2023-6915\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2254982\",\n \"https://github.com/torvalds/linux/commit/af73483f4e8b6f5c68c9aa63257bdd929a9c194a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\"\n ],\n \"description\": \"A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2023-6915\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-0564", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-0564" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0564" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258514" + }, + { + "url": "https://link.springer.com/conference/wisa" + }, + { + "url": "https://wisa.or.kr/accepted" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-0564 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-0564", + "desc": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". Through these operations, the attacker can leak the victim's page.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-0564\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-0564\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-0564\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-0564\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-0564\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://access.redhat.com/security/cve/CVE-2024-0564\",\n \"https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513\",\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2258514\",\n \"https://link.springer.com/conference/wisa\",\n \"https://wisa.or.kr/accepted\"\n ],\n \"description\": \"A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \\\"max page sharing=256\\\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \\\"max page share\\\". Through these operations, the attacker can leak the victim's page.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"secalert@redhat.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-0564\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-21803", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-21803" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8081" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-21803 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-21803", + "desc": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-21803\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-21803\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-21803\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-21803\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-21803\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8081\"\n ],\n \"description\": \"Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\\n\\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 3.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-21803\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-21823", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-21823" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/15/1" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-21823 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-21823", + "desc": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable escalation of privilege local access", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-21823\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-21823\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-21823\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-21823\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-21823\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/15/1\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\",\n \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html\"\n ],\n \"description\": \"Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable escalation of privilege local access\",\n \"cvss\": [\n {\n \"source\": \"secure@intel.com\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.1,\n \"impactScore\": 5.8\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-21823\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-2193", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-2193" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/12/14" + }, + { + "url": "https://download.vusec.net/papers/ghostrace_sec24.pdf" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=944d5fe50f3f03daacfea16300e656a1691c4a23" + }, + { + "url": "https://ibm.github.io/system-security-research-updates/2024/03/12/ghostrace" + }, + { + "url": "https://kb.cert.org/vuls/id/488902" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/" + }, + { + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html" + }, + { + "url": "https://www.kb.cert.org/vuls/id/488902" + }, + { + "url": "https://www.vusec.net/projects/ghostrace/" + }, + { + "url": "https://xenbits.xen.org/xsa/advisory-453.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-2193 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-2193", + "desc": "A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-2193\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-2193\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-2193\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-2193\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-2193\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/03/12/14\",\n \"https://download.vusec.net/papers/ghostrace_sec24.pdf\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=944d5fe50f3f03daacfea16300e656a1691c4a23\",\n \"https://ibm.github.io/system-security-research-updates/2024/03/12/ghostrace\",\n \"https://kb.cert.org/vuls/id/488902\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/\",\n \"https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html\",\n \"https://www.kb.cert.org/vuls/id/488902\",\n \"https://www.vusec.net/projects/ghostrace/\",\n \"https://xenbits.xen.org/xsa/advisory-453.html\"\n ],\n \"description\": \"A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-2193\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-22386", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-22386" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8147" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-22386 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-22386", + "desc": "A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-22386\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-22386\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-22386\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-22386\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-22386\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8147\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-22386\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-23307", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-23307" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=7975" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-23307 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-23307", + "desc": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-23307\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-23307\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-23307\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-23307\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-23307\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=7975\"\n ],\n \"description\": \"Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.7,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-23307\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-23848", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-23848" + }, + { + "url": "https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5%40xs4all.nl/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-23848 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-23848", + "desc": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-23848\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-23848\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-23848\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-23848\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-23848\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5%40xs4all.nl/\"\n ],\n \"description\": \"In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-23848\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24856", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24856" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8764" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24856 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24856", + "desc": "The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a\nsuccessful allocation, but the subsequent code directly dereferences the\npointer that receives it, which may lead to null pointer dereference.\n\nTo fix this issue, a null pointer check should be added. If it is null, \nreturn exception code AE_NO_MEMORY.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24856\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24856\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24856\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24856\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24856\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8764\"\n ],\n \"description\": \"The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a\\nsuccessful allocation, but the subsequent code directly dereferences the\\npointer that receives it, which may lead to null pointer dereference.\\n\\nTo fix this issue, a null pointer check should be added. If it is null, \\nreturn exception code AE_NO_MEMORY.\",\n \"cvss\": [\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24856\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24857", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24857" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8155" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24857 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24857", + "desc": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24857\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24857\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24857\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24857\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24857\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8155\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.8,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.4,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24857\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24858", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24858" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8154" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24858 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24858", + "desc": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24858\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24858\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24858\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24858\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24858\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8154\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.4,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24858\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24859", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24859" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8153" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24859 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24859", + "desc": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\n\n\n\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24859\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24859\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24859\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24859\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24859\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8153\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\\n\\n\\n\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.8,\n \"exploitabilityScore\": 1.2,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 4.6,\n \"exploitabilityScore\": 0.4,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24859\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24861", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24861" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8150" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24861 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24861", + "desc": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24861\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24861\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24861\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24861\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24861\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8150\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.3,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 2.5\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24861\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24862", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24862" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24862 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24862", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24862\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24862\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24862\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24862\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24862\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24862\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24863", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24863" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24863 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24863", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\nCVE-2024-24863 has been replaced by CVE-2024-36014.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24863\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24863\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24863\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24863\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24863\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\\nCVE-2024-24863 has been replaced by CVE-2024-36014.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24863\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-24864", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-24864" + }, + { + "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=8178" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-24864 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-24864", + "desc": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-24864\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-24864\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-24864\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-24864\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24864\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://bugzilla.openanolis.cn/show_bug.cgi?id=8178\"\n ],\n \"description\": \"A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\\n\\n\\n\\n\\n\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"security@openanolis.org\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.3,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-24864\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25739", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25739" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=68a24aba7c593eafa8fd00f2f76407b9b32b47a9" + }, + { + "url": "https://groups.google.com/g/syzkaller/c/Xl97YcQA4hg" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + }, + { + "url": "https://www.spinics.net/lists/kernel/msg5074816.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25739 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25739", + "desc": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25739\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25739\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25739\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25739\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25739\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=68a24aba7c593eafa8fd00f2f76407b9b32b47a9\",\n \"https://groups.google.com/g/syzkaller/c/Xl97YcQA4hg\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\n \"https://www.spinics.net/lists/kernel/msg5074816.html\"\n ],\n \"description\": \"create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25739\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25740", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25740" + }, + { + "url": "https://lore.kernel.org/lkml/0171b6cc-95ee-3538-913b-65a391a446b3%40huawei.com/T/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25740 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25740", + "desc": "A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25740\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25740\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25740\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25740\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25740\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://lore.kernel.org/lkml/0171b6cc-95ee-3538-913b-65a391a446b3%40huawei.com/T/\"\n ],\n \"description\": \"A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25740\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25741", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25741" + }, + { + "url": "https://www.spinics.net/lists/linux-usb/msg252167.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25741 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25741", + "desc": "printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25741\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25741\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25741\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25741\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25741\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://www.spinics.net/lists/linux-usb/msg252167.html\"\n ],\n \"description\": \"printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25741\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25742", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25742" + }, + { + "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.9" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f" + }, + { + "url": "https://github.com/torvalds/linux/commit/e3ef461af35a8c74f2f4ce6616491ddb355a208f" + }, + { + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25742 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25742", + "desc": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25742\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25742\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25742\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25742\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25742\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.9\",\n \"https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f\",\n \"https://github.com/torvalds/linux/commit/e3ef461af35a8c74f2f4ce6616491ddb355a208f\",\n \"https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html\"\n ],\n \"description\": \"In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25742\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25743", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25743" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270836" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1223307" + }, + { + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25743 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25743", + "desc": "In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25743\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25743\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25743\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25743\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25743\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://bugzilla.redhat.com/show_bug.cgi?id=2270836\",\n \"https://bugzilla.suse.com/show_bug.cgi?id=1223307\",\n \"https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html\"\n ],\n \"description\": \"In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25743\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-25744", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-25744" + }, + { + "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.7" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b82a8dbd3d2f4563156f7150c6f2ecab6e960b30" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-25744 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-25744", + "desc": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-25744\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-25744\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-25744\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-25744\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25744\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.7\",\n \"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b82a8dbd3d2f4563156f7150c6f2ecab6e960b30\"\n ],\n \"description\": \"In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-25744\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26595", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26595" + }, + { + "url": "https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39" + }, + { + "url": "https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f" + }, + { + "url": "https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26595 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26595", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\n\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\n\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26595\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26595\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26595\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26595\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26595\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39\",\n \"https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f\",\n \"https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\\n\\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\\nfailing to attach the region to an ACL group, we hit a NULL pointer\\ndereference upon 'region->group->tcam' [1].\\n\\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\\n\\n[1]\\nBUG: kernel NULL pointer dereference, address: 0000000000000000\\n[...]\\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\\n[...]\\nCall Trace:\\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\\n mlxsw_sp_acl_rule_add+0x47/0x240\\n mlxsw_sp_flower_replace+0x1a9/0x1d0\\n tc_setup_cb_add+0xdc/0x1c0\\n fl_hw_replace_filter+0x146/0x1f0\\n fl_change+0xc17/0x1360\\n tc_new_tfilter+0x472/0xb90\\n rtnetlink_rcv_msg+0x313/0x3b0\\n netlink_rcv_skb+0x58/0x100\\n netlink_unicast+0x244/0x390\\n netlink_sendmsg+0x1e4/0x440\\n ____sys_sendmsg+0x164/0x260\\n ___sys_sendmsg+0x9a/0xe0\\n __sys_sendmsg+0x7a/0xc0\\n do_syscall_64+0x40/0xe0\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26595\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26605", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26605" + }, + { + "url": "https://git.kernel.org/stable/c/0f7908a016c092cfdaa16d785fa5099d867bc1a3" + }, + { + "url": "https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a1805515a20" + }, + { + "url": "https://git.kernel.org/stable/c/b0f4478838be1f1d330061201898fef65bf8fd7c" + }, + { + "url": "https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26605 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26605", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix deadlock when enabling ASPM\n\nA last minute revert in 6.7-final introduced a potential deadlock when\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\nlockdep:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.7.0 #40 Not tainted\n --------------------------------------------\n kworker/u16:5/90 is trying to acquire lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\n\n but task is already holding lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(pci_bus_sem);\n lock(pci_bus_sem);\n\n *** DEADLOCK ***\n\n Call trace:\n print_deadlock_bug+0x25c/0x348\n __lock_acquire+0x10a4/0x2064\n lock_acquire+0x1e8/0x318\n down_read+0x60/0x184\n pcie_aspm_pm_state_change+0x58/0xdc\n pci_set_full_power_state+0xa8/0x114\n pci_set_power_state+0xc4/0x120\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\n pci_walk_bus+0x64/0xbc\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\n\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\nX13s by adding a delay to increase the race window during asynchronous\nprobe where another thread can take a write lock.\n\nAdd a new pci_set_power_state_locked() and associated helper functions that\ncan be called with the PCI bus semaphore held to avoid taking the read lock\ntwice.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26605\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26605\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26605\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26605\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26605\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f7908a016c092cfdaa16d785fa5099d867bc1a3\",\n \"https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a1805515a20\",\n \"https://git.kernel.org/stable/c/b0f4478838be1f1d330061201898fef65bf8fd7c\",\n \"https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI/ASPM: Fix deadlock when enabling ASPM\\n\\nA last minute revert in 6.7-final introduced a potential deadlock when\\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\\nlockdep:\\n\\n ============================================\\n WARNING: possible recursive locking detected\\n 6.7.0 #40 Not tainted\\n --------------------------------------------\\n kworker/u16:5/90 is trying to acquire lock:\\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\\n\\n but task is already holding lock:\\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\\n\\n other info that might help us debug this:\\n Possible unsafe locking scenario:\\n\\n CPU0\\n ----\\n lock(pci_bus_sem);\\n lock(pci_bus_sem);\\n\\n *** DEADLOCK ***\\n\\n Call trace:\\n print_deadlock_bug+0x25c/0x348\\n __lock_acquire+0x10a4/0x2064\\n lock_acquire+0x1e8/0x318\\n down_read+0x60/0x184\\n pcie_aspm_pm_state_change+0x58/0xdc\\n pci_set_full_power_state+0xa8/0x114\\n pci_set_power_state+0xc4/0x120\\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\\n pci_walk_bus+0x64/0xbc\\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\\n\\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\\nX13s by adding a delay to increase the race window during asynchronous\\nprobe where another thread can take a write lock.\\n\\nAdd a new pci_set_power_state_locked() and associated helper functions that\\ncan be called with the PCI bus semaphore held to avoid taking the read lock\\ntwice.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26605\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26607", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26607" + }, + { + "url": "https://git.kernel.org/stable/c/08ac6f132dd77e40f786d8af51140c96c6d739c9" + }, + { + "url": "https://git.kernel.org/stable/c/2a4c6af7934a7b4c304542c38fee35e09cc1770c" + }, + { + "url": "https://git.kernel.org/stable/c/56f96cf6eb11a1c2d594367c3becbfb06a855ec1" + }, + { + "url": "https://git.kernel.org/stable/c/e0f83c234ea7a3dec1f84e5d02caa1c51664a076" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26607 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26607", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: sii902x: Fix probing race issue\n\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\n\n[ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x]\n[ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm]\n[ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[ 53.326401] drm_client_register+0x5c/0xa0 [drm]\n[ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[ 53.336881] tidss_probe+0x128/0x264 [tidss]\n[ 53.341174] platform_probe+0x68/0xc4\n[ 53.344841] really_probe+0x188/0x3c4\n[ 53.348501] __driver_probe_device+0x7c/0x16c\n[ 53.352854] driver_probe_device+0x3c/0x10c\n[ 53.357033] __device_attach_driver+0xbc/0x158\n[ 53.361472] bus_for_each_drv+0x88/0xe8\n[ 53.365303] __device_attach+0xa0/0x1b4\n[ 53.369135] device_initial_probe+0x14/0x20\n[ 53.373314] bus_probe_device+0xb0/0xb4\n[ 53.377145] deferred_probe_work_func+0xcc/0x124\n[ 53.381757] process_one_work+0x1f0/0x518\n[ 53.385770] worker_thread+0x1e8/0x3dc\n[ 53.389519] kthread+0x11c/0x120\n[ 53.392750] ret_from_fork+0x10/0x20\n\nThe issue here is as follows:\n\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\n DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n However, the sii902x driver has not set up the i2c part yet, leading\n to the crash.\n\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26607\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26607\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26607\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26607\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26607\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08ac6f132dd77e40f786d8af51140c96c6d739c9\",\n \"https://git.kernel.org/stable/c/2a4c6af7934a7b4c304542c38fee35e09cc1770c\",\n \"https://git.kernel.org/stable/c/56f96cf6eb11a1c2d594367c3becbfb06a855ec1\",\n \"https://git.kernel.org/stable/c/e0f83c234ea7a3dec1f84e5d02caa1c51664a076\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/bridge: sii902x: Fix probing race issue\\n\\nA null pointer dereference crash has been observed rarely on TI\\nplatforms using sii9022 bridge:\\n\\n[ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x]\\n[ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x]\\n[ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm]\\n[ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\\n[ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\\n[ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm]\\n[ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\\n[ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\\n[ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\\n[ 53.326401] drm_client_register+0x5c/0xa0 [drm]\\n[ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\\n[ 53.336881] tidss_probe+0x128/0x264 [tidss]\\n[ 53.341174] platform_probe+0x68/0xc4\\n[ 53.344841] really_probe+0x188/0x3c4\\n[ 53.348501] __driver_probe_device+0x7c/0x16c\\n[ 53.352854] driver_probe_device+0x3c/0x10c\\n[ 53.357033] __device_attach_driver+0xbc/0x158\\n[ 53.361472] bus_for_each_drv+0x88/0xe8\\n[ 53.365303] __device_attach+0xa0/0x1b4\\n[ 53.369135] device_initial_probe+0x14/0x20\\n[ 53.373314] bus_probe_device+0xb0/0xb4\\n[ 53.377145] deferred_probe_work_func+0xcc/0x124\\n[ 53.381757] process_one_work+0x1f0/0x518\\n[ 53.385770] worker_thread+0x1e8/0x3dc\\n[ 53.389519] kthread+0x11c/0x120\\n[ 53.392750] ret_from_fork+0x10/0x20\\n\\nThe issue here is as follows:\\n\\n- tidss probes, but is deferred as sii902x is still missing.\\n- sii902x starts probing and enters sii902x_init().\\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\\n DRM's perspective.\\n- sii902x calls sii902x_audio_codec_init() and\\n platform_device_register_data()\\n- The registration of the audio platform device causes probing of the\\n deferred devices.\\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\\n called.\\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\\n However, the sii902x driver has not set up the i2c part yet, leading\\n to the crash.\\n\\nFix this by moving the drm_bridge_add() to the end of the\\nsii902x_init(), which is also at the very end of sii902x_probe().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26607\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26629", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26629" + }, + { + "url": "https://git.kernel.org/stable/c/8f5b860de87039b007e84a28a5eefc888154e098" + }, + { + "url": "https://git.kernel.org/stable/c/99fb654d01dc3f08b5905c663ad6c89a9d83302f" + }, + { + "url": "https://git.kernel.org/stable/c/b7d2eee1f53899b53f069bba3a59a419fc3d331b" + }, + { + "url": "https://git.kernel.org/stable/c/c6f8b3fcc62725e4129f2c0fd550d022d4a7685a" + }, + { + "url": "https://git.kernel.org/stable/c/e4cf8941664cae2f89f0189c29fe2ce8c6be0d03" + }, + { + "url": "https://git.kernel.org/stable/c/edcf9725150e42beeca42d085149f4c88fa97afd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26629 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26629", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix RELEASE_LOCKOWNER\n\nThe test on so_count in nfsd4_release_lockowner() is nonsense and\nharmful. Revert to using check_for_locks(), changing that to not sleep.\n\nFirst: harmful.\nAs is documented in the kdoc comment for nfsd4_release_lockowner(), the\ntest on so_count can transiently return a false positive resulting in a\nreturn of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is\nclearly a protocol violation and with the Linux NFS client it can cause\nincorrect behaviour.\n\nIf RELEASE_LOCKOWNER is sent while some other thread is still\nprocessing a LOCK request which failed because, at the time that request\nwas received, the given owner held a conflicting lock, then the nfsd\nthread processing that LOCK request can hold a reference (conflock) to\nthe lock owner that causes nfsd4_release_lockowner() to return an\nincorrect error.\n\nThe Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it\nnever sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so\nit knows that the error is impossible. It assumes the lock owner was in\nfact released so it feels free to use the same lock owner identifier in\nsome later locking request.\n\nWhen it does reuse a lock owner identifier for which a previous RELEASE\nfailed, it will naturally use a lock_seqid of zero. However the server,\nwhich didn't release the lock owner, will expect a larger lock_seqid and\nso will respond with NFS4ERR_BAD_SEQID.\n\nSo clearly it is harmful to allow a false positive, which testing\nso_count allows.\n\nThe test is nonsense because ... well... it doesn't mean anything.\n\nso_count is the sum of three different counts.\n1/ the set of states listed on so_stateids\n2/ the set of active vfs locks owned by any of those states\n3/ various transient counts such as for conflicting locks.\n\nWhen it is tested against '2' it is clear that one of these is the\ntransient reference obtained by find_lockowner_str_locked(). It is not\nclear what the other one is expected to be.\n\nIn practice, the count is often 2 because there is precisely one state\non so_stateids. If there were more, this would fail.\n\nIn my testing I see two circumstances when RELEASE_LOCKOWNER is called.\nIn one case, CLOSE is called before RELEASE_LOCKOWNER. That results in\nall the lock states being removed, and so the lockowner being discarded\n(it is removed when there are no more references which usually happens\nwhen the lock state is discarded). When nfsd4_release_lockowner() finds\nthat the lock owner doesn't exist, it returns success.\n\nThe other case shows an so_count of '2' and precisely one state listed\nin so_stateid. It appears that the Linux client uses a separate lock\nowner for each file resulting in one lock state per lock owner, so this\ntest on '2' is safe. For another client it might not be safe.\n\nSo this patch changes check_for_locks() to use the (newish)\nfind_any_file_locked() so that it doesn't take a reference on the\nnfs4_file and so never calls nfsd_file_put(), and so never sleeps. With\nthis check is it safe to restore the use of check_for_locks() rather\nthan testing so_count against the mysterious '2'.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26629\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26629\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26629\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26629\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26629\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8f5b860de87039b007e84a28a5eefc888154e098\",\n \"https://git.kernel.org/stable/c/99fb654d01dc3f08b5905c663ad6c89a9d83302f\",\n \"https://git.kernel.org/stable/c/b7d2eee1f53899b53f069bba3a59a419fc3d331b\",\n \"https://git.kernel.org/stable/c/c6f8b3fcc62725e4129f2c0fd550d022d4a7685a\",\n \"https://git.kernel.org/stable/c/e4cf8941664cae2f89f0189c29fe2ce8c6be0d03\",\n \"https://git.kernel.org/stable/c/edcf9725150e42beeca42d085149f4c88fa97afd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfsd: fix RELEASE_LOCKOWNER\\n\\nThe test on so_count in nfsd4_release_lockowner() is nonsense and\\nharmful. Revert to using check_for_locks(), changing that to not sleep.\\n\\nFirst: harmful.\\nAs is documented in the kdoc comment for nfsd4_release_lockowner(), the\\ntest on so_count can transiently return a false positive resulting in a\\nreturn of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is\\nclearly a protocol violation and with the Linux NFS client it can cause\\nincorrect behaviour.\\n\\nIf RELEASE_LOCKOWNER is sent while some other thread is still\\nprocessing a LOCK request which failed because, at the time that request\\nwas received, the given owner held a conflicting lock, then the nfsd\\nthread processing that LOCK request can hold a reference (conflock) to\\nthe lock owner that causes nfsd4_release_lockowner() to return an\\nincorrect error.\\n\\nThe Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it\\nnever sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so\\nit knows that the error is impossible. It assumes the lock owner was in\\nfact released so it feels free to use the same lock owner identifier in\\nsome later locking request.\\n\\nWhen it does reuse a lock owner identifier for which a previous RELEASE\\nfailed, it will naturally use a lock_seqid of zero. However the server,\\nwhich didn't release the lock owner, will expect a larger lock_seqid and\\nso will respond with NFS4ERR_BAD_SEQID.\\n\\nSo clearly it is harmful to allow a false positive, which testing\\nso_count allows.\\n\\nThe test is nonsense because ... well... it doesn't mean anything.\\n\\nso_count is the sum of three different counts.\\n1/ the set of states listed on so_stateids\\n2/ the set of active vfs locks owned by any of those states\\n3/ various transient counts such as for conflicting locks.\\n\\nWhen it is tested against '2' it is clear that one of these is the\\ntransient reference obtained by find_lockowner_str_locked(). It is not\\nclear what the other one is expected to be.\\n\\nIn practice, the count is often 2 because there is precisely one state\\non so_stateids. If there were more, this would fail.\\n\\nIn my testing I see two circumstances when RELEASE_LOCKOWNER is called.\\nIn one case, CLOSE is called before RELEASE_LOCKOWNER. That results in\\nall the lock states being removed, and so the lockowner being discarded\\n(it is removed when there are no more references which usually happens\\nwhen the lock state is discarded). When nfsd4_release_lockowner() finds\\nthat the lock owner doesn't exist, it returns success.\\n\\nThe other case shows an so_count of '2' and precisely one state listed\\nin so_stateid. It appears that the Linux client uses a separate lock\\nowner for each file resulting in one lock state per lock owner, so this\\ntest on '2' is safe. For another client it might not be safe.\\n\\nSo this patch changes check_for_locks() to use the (newish)\\nfind_any_file_locked() so that it doesn't take a reference on the\\nnfs4_file and so never calls nfsd_file_put(), and so never sleeps. With\\nthis check is it safe to restore the use of check_for_locks() rather\\nthan testing so_count against the mysterious '2'.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26629\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26639", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26639" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26639 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26639", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26639\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26639\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26639\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26639\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26639\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26639\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26642", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26642" + }, + { + "url": "https://git.kernel.org/stable/c/16603605b667b70da974bea8216c93e7db043bf1" + }, + { + "url": "https://git.kernel.org/stable/c/72c1efe3f247a581667b7d368fff3bd9a03cd57a" + }, + { + "url": "https://git.kernel.org/stable/c/7cdc1be24cc1bcd56a3e89ac4aef20e31ad09199" + }, + { + "url": "https://git.kernel.org/stable/c/8e07c16695583a66e81f67ce4c46e94dece47ba7" + }, + { + "url": "https://git.kernel.org/stable/c/c0c2176d1814b92ea4c8e7eb7c9cd94cd99c1b12" + }, + { + "url": "https://git.kernel.org/stable/c/e4988d8415bd0294d6f9f4a1e7095f8b50a97ca9" + }, + { + "url": "https://git.kernel.org/stable/c/e9a0d3f376eb356d54ffce36e7cc37514cbfbd6f" + }, + { + "url": "https://git.kernel.org/stable/c/fe40ffbca19dc70d7c6b1e3c77b9ccb404c57351" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26642 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26642", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow anonymous set with timeout flag\n\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26642\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26642\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26642\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26642\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26642\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16603605b667b70da974bea8216c93e7db043bf1\",\n \"https://git.kernel.org/stable/c/72c1efe3f247a581667b7d368fff3bd9a03cd57a\",\n \"https://git.kernel.org/stable/c/7cdc1be24cc1bcd56a3e89ac4aef20e31ad09199\",\n \"https://git.kernel.org/stable/c/8e07c16695583a66e81f67ce4c46e94dece47ba7\",\n \"https://git.kernel.org/stable/c/c0c2176d1814b92ea4c8e7eb7c9cd94cd99c1b12\",\n \"https://git.kernel.org/stable/c/e4988d8415bd0294d6f9f4a1e7095f8b50a97ca9\",\n \"https://git.kernel.org/stable/c/e9a0d3f376eb356d54ffce36e7cc37514cbfbd6f\",\n \"https://git.kernel.org/stable/c/fe40ffbca19dc70d7c6b1e3c77b9ccb404c57351\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: disallow anonymous set with timeout flag\\n\\nAnonymous sets are never used with timeout from userspace, reject this.\\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26642\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26647", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26647" + }, + { + "url": "https://git.kernel.org/stable/c/3bb9b1f958c3d986ed90a3ff009f1e77e9553207" + }, + { + "url": "https://git.kernel.org/stable/c/6aa5ede6665122f4c8abce3c6eba06b49e54d25c" + }, + { + "url": "https://git.kernel.org/stable/c/cf656fc7276e5b3709a81bc9d9639459be2b2647" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26647 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26647", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()'\n\nIn link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc'\nwas dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc'\nNULL pointer check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/link_dpms.c:905 link_set_dsc_pps_packet() warn: variable dereferenced before check 'dsc' (see line 903)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26647\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26647\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26647\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26647\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26647\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3bb9b1f958c3d986ed90a3ff009f1e77e9553207\",\n \"https://git.kernel.org/stable/c/6aa5ede6665122f4c8abce3c6eba06b49e54d25c\",\n \"https://git.kernel.org/stable/c/cf656fc7276e5b3709a81bc9d9639459be2b2647\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()'\\n\\nIn link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc'\\nwas dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc'\\nNULL pointer check.\\n\\nFixes the below:\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/link_dpms.c:905 link_set_dsc_pps_packet() warn: variable dereferenced before check 'dsc' (see line 903)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26647\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26648", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26648" + }, + { + "url": "https://git.kernel.org/stable/c/22ae604aea14756954e1c00ae653e34d2afd2935" + }, + { + "url": "https://git.kernel.org/stable/c/7073934f5d73f8b53308963cee36f0d389ea857c" + }, + { + "url": "https://git.kernel.org/stable/c/c02d257c654191ecda1dc1af6875d527e85310e7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26648 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26648", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()\n\nIn edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay'\nwas dereferenced before the pointer 'link' & 'replay' NULL check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26648\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26648\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26648\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26648\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26648\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22ae604aea14756954e1c00ae653e34d2afd2935\",\n \"https://git.kernel.org/stable/c/7073934f5d73f8b53308963cee36f0d389ea857c\",\n \"https://git.kernel.org/stable/c/c02d257c654191ecda1dc1af6875d527e85310e7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()\\n\\nIn edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay'\\nwas dereferenced before the pointer 'link' & 'replay' NULL check.\\n\\nFixes the below:\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26648\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26654", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26654" + }, + { + "url": "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457" + }, + { + "url": "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04" + }, + { + "url": "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2" + }, + { + "url": "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901" + }, + { + "url": "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5" + }, + { + "url": "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046" + }, + { + "url": "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845" + }, + { + "url": "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3" + }, + { + "url": "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26654 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26654", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n (Thread 1) | (Thread 2)\nsnd_aicapcm_pcm_close() |\n ... | run_spu_dma() //worker\n | mod_timer()\n flush_work() |\n del_timer() | aica_period_elapsed() //timer\n kfree(dreamcastcard->channel) | schedule_work()\n | run_spu_dma() //worker\n ... | dreamcastcard->channel-> //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26654\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26654\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26654\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26654\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26654\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457\",\n \"https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04\",\n \"https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2\",\n \"https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901\",\n \"https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5\",\n \"https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046\",\n \"https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845\",\n \"https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3\",\n \"https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\\n\\nThe dreamcastcard->timer could schedule the spu_dma_work and the\\nspu_dma_work could also arm the dreamcastcard->timer.\\n\\nWhen the snd_pcm_substream is closing, the aica_channel will be\\ndeallocated. But it could still be dereferenced in the worker\\nthread. The reason is that del_timer() will return directly\\nregardless of whether the timer handler is running or not and\\nthe worker could be rescheduled in the timer handler. As a result,\\nthe UAF bug will happen. The racy situation is shown below:\\n\\n (Thread 1) | (Thread 2)\\nsnd_aicapcm_pcm_close() |\\n ... | run_spu_dma() //worker\\n | mod_timer()\\n flush_work() |\\n del_timer() | aica_period_elapsed() //timer\\n kfree(dreamcastcard->channel) | schedule_work()\\n | run_spu_dma() //worker\\n ... | dreamcastcard->channel-> //USE\\n\\nIn order to mitigate this bug and other possible corner cases,\\ncall mod_timer() conditionally in run_spu_dma(), then implement\\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\\nop will be called from PCM core appropriately when needed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26654\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26656", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26656" + }, + { + "url": "https://git.kernel.org/stable/c/22207fd5c80177b860279653d017474b2812af5e" + }, + { + "url": "https://git.kernel.org/stable/c/22f665ecfd1225afa1309ace623157d12bb9bb0c" + }, + { + "url": "https://git.kernel.org/stable/c/af054a5fb24a144f99895afce9519d709891894c" + }, + { + "url": "https://git.kernel.org/stable/c/e87e08c94c9541b4e18c4c13f2f605935f512605" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26656 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26656", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free bug\n\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung .\nFor example the following code:\n\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\n\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\n\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\n\n[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[ +0.000010] Call Trace:\n[ +0.000006] \n[ +0.000007] ? show_regs+0x6a/0x80\n[ +0.000018] ? __warn+0xa5/0x1b0\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000018] ? report_bug+0x24a/0x290\n[ +0.000022] ? handle_bug+0x46/0x90\n[ +0.000015] ? exc_invalid_op+0x19/0x50\n[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20\n[ +0.000017] ? kasan_save_stack+0x26/0x50\n[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? __kasan_check_read+0x11/0x20\n[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[ +0.004291] ? do_syscall_64+0x5f/0xe0\n[ +0.000023] ? srso_return_thunk+0x5/0x5f\n[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]\n[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004270] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20\n[ +0.000015] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0\n[ +0.000020] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]\n[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26656\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26656\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26656\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26656\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26656\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22207fd5c80177b860279653d017474b2812af5e\",\n \"https://git.kernel.org/stable/c/22f665ecfd1225afa1309ace623157d12bb9bb0c\",\n \"https://git.kernel.org/stable/c/af054a5fb24a144f99895afce9519d709891894c\",\n \"https://git.kernel.org/stable/c/e87e08c94c9541b4e18c4c13f2f605935f512605\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: fix use-after-free bug\\n\\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\\nThe bug was reported by Joonkyo Jung .\\nFor example the following code:\\n\\nstatic void Syzkaller1(int fd)\\n{\\n\\tstruct drm_amdgpu_gem_userptr arg;\\n\\tint ret;\\n\\n\\targ.addr = 0xffffffffffff0000;\\n\\targ.size = 0x80000000; /*2 Gb*/\\n\\targ.flags = 0x7;\\n\\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\\n}\\n\\nDue to the address and size are not valid there is a failure in\\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\\namdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.\\nThe following stack is below when the issue is reproduced when Kazan is enabled:\\n\\n[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\\n[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\\n[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\\n[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\\n[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\\n[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\\n[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\\n[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\\n[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\\n[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\\n[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\\n[ +0.000010] Call Trace:\\n[ +0.000006] \\n[ +0.000007] ? show_regs+0x6a/0x80\\n[ +0.000018] ? __warn+0xa5/0x1b0\\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\\n[ +0.000018] ? report_bug+0x24a/0x290\\n[ +0.000022] ? handle_bug+0x46/0x90\\n[ +0.000015] ? exc_invalid_op+0x19/0x50\\n[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20\\n[ +0.000017] ? kasan_save_stack+0x26/0x50\\n[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340\\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\\n[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340\\n[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10\\n[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30\\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\\n[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0\\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\\n[ +0.000013] ? __kasan_check_read+0x11/0x20\\n[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\\n[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\\n[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\\n[ +0.004291] ? do_syscall_64+0x5f/0xe0\\n[ +0.000023] ? srso_return_thunk+0x5/0x5f\\n[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]\\n[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\\n[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\\n[ +0.004270] ? srso_return_thunk+0x5/0x5f\\n[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20\\n[ +0.000015] ? srso_return_thunk+0x5/0x5f\\n[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0\\n[ +0.000020] ? srso_return_thunk+0x5/0x5f\\n[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\\n[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\\n[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\\n[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]\\n[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]\\n[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\\n[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26656\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26658", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26658" + }, + { + "url": "https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec" + }, + { + "url": "https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26658 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26658", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: grab s_umount only if snapshotting\n\nWhen I was testing mongodb over bcachefs with compression,\nthere is a lockdep warning when snapshotting mongodb data volume.\n\n$ cat test.sh\nprog=bcachefs\n\n$prog subvolume create /mnt/data\n$prog subvolume create /mnt/data/snapshots\n\nwhile true;do\n $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\n sleep 1s\ndone\n\n$ cat /etc/mongodb.conf\nsystemLog:\n destination: file\n logAppend: true\n path: /mnt/data/mongod.log\n\nstorage:\n dbPath: /mnt/data/\n\nlockdep reports:\n[ 3437.452330] ======================================================\n[ 3437.452750] WARNING: possible circular locking dependency detected\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G E\n[ 3437.453562] ------------------------------------------------------\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\n[ 3437.454875]\n but task is already holding lock:\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.456009]\n which lock already depends on the new lock.\n\n[ 3437.456553]\n the existing dependency chain (in reverse order) is:\n[ 3437.457054]\n -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\n[ 3437.457507] down_read+0x3e/0x170\n[ 3437.457772] bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.458206] __x64_sys_ioctl+0x93/0xd0\n[ 3437.458498] do_syscall_64+0x42/0xf0\n[ 3437.458779] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.459155]\n -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\n[ 3437.459615] down_read+0x3e/0x170\n[ 3437.459878] bch2_truncate+0x82/0x110 [bcachefs]\n[ 3437.460276] bchfs_truncate+0x254/0x3c0 [bcachefs]\n[ 3437.460686] notify_change+0x1f1/0x4a0\n[ 3437.461283] do_truncate+0x7f/0xd0\n[ 3437.461555] path_openat+0xa57/0xce0\n[ 3437.461836] do_filp_open+0xb4/0x160\n[ 3437.462116] do_sys_openat2+0x91/0xc0\n[ 3437.462402] __x64_sys_openat+0x53/0xa0\n[ 3437.462701] do_syscall_64+0x42/0xf0\n[ 3437.462982] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.463359]\n -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\n[ 3437.463843] down_write+0x3b/0xc0\n[ 3437.464223] bch2_write_iter+0x5b/0xcc0 [bcachefs]\n[ 3437.464493] vfs_write+0x21b/0x4c0\n[ 3437.464653] ksys_write+0x69/0xf0\n[ 3437.464839] do_syscall_64+0x42/0xf0\n[ 3437.465009] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.465231]\n -> #0 (sb_writers#10){.+.+}-{0:0}:\n[ 3437.465471] __lock_acquire+0x1455/0x21b0\n[ 3437.465656] lock_acquire+0xc6/0x2b0\n[ 3437.465822] mnt_want_write+0x46/0x1a0\n[ 3437.465996] filename_create+0x62/0x190\n[ 3437.466175] user_path_create+0x2d/0x50\n[ 3437.466352] bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\n[ 3437.466617] __x64_sys_ioctl+0x93/0xd0\n[ 3437.466791] do_syscall_64+0x42/0xf0\n[ 3437.466957] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.467180]\n other info that might help us debug this:\n\n[ 3437.469670] 2 locks held by bcachefs/35533:\n other info that might help us debug this:\n\n[ 3437.467507] Chain exists of:\n sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\n\n[ 3437.467979] Possible unsafe locking scenario:\n\n[ 3437.468223] CPU0 CPU1\n[ 3437.468405] ---- ----\n[ 3437.468585] rlock(&type->s_umount_key#48);\n[ 3437.468758] lock(&c->snapshot_create_lock);\n[ 3437.469030] lock(&type->s_umount_key#48);\n[ 3437.469291] rlock(sb_writers#10);\n[ 3437.469434]\n *** DEADLOCK ***\n\n[ 3437.469\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26658\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26658\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26658\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26658\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26658\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec\",\n \"https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbcachefs: grab s_umount only if snapshotting\\n\\nWhen I was testing mongodb over bcachefs with compression,\\nthere is a lockdep warning when snapshotting mongodb data volume.\\n\\n$ cat test.sh\\nprog=bcachefs\\n\\n$prog subvolume create /mnt/data\\n$prog subvolume create /mnt/data/snapshots\\n\\nwhile true;do\\n $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\\n sleep 1s\\ndone\\n\\n$ cat /etc/mongodb.conf\\nsystemLog:\\n destination: file\\n logAppend: true\\n path: /mnt/data/mongod.log\\n\\nstorage:\\n dbPath: /mnt/data/\\n\\nlockdep reports:\\n[ 3437.452330] ======================================================\\n[ 3437.452750] WARNING: possible circular locking dependency detected\\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G E\\n[ 3437.453562] ------------------------------------------------------\\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\\n[ 3437.454875]\\n but task is already holding lock:\\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\\n[ 3437.456009]\\n which lock already depends on the new lock.\\n\\n[ 3437.456553]\\n the existing dependency chain (in reverse order) is:\\n[ 3437.457054]\\n -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\\n[ 3437.457507] down_read+0x3e/0x170\\n[ 3437.457772] bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\\n[ 3437.458206] __x64_sys_ioctl+0x93/0xd0\\n[ 3437.458498] do_syscall_64+0x42/0xf0\\n[ 3437.458779] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ 3437.459155]\\n -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\\n[ 3437.459615] down_read+0x3e/0x170\\n[ 3437.459878] bch2_truncate+0x82/0x110 [bcachefs]\\n[ 3437.460276] bchfs_truncate+0x254/0x3c0 [bcachefs]\\n[ 3437.460686] notify_change+0x1f1/0x4a0\\n[ 3437.461283] do_truncate+0x7f/0xd0\\n[ 3437.461555] path_openat+0xa57/0xce0\\n[ 3437.461836] do_filp_open+0xb4/0x160\\n[ 3437.462116] do_sys_openat2+0x91/0xc0\\n[ 3437.462402] __x64_sys_openat+0x53/0xa0\\n[ 3437.462701] do_syscall_64+0x42/0xf0\\n[ 3437.462982] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ 3437.463359]\\n -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\\n[ 3437.463843] down_write+0x3b/0xc0\\n[ 3437.464223] bch2_write_iter+0x5b/0xcc0 [bcachefs]\\n[ 3437.464493] vfs_write+0x21b/0x4c0\\n[ 3437.464653] ksys_write+0x69/0xf0\\n[ 3437.464839] do_syscall_64+0x42/0xf0\\n[ 3437.465009] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ 3437.465231]\\n -> #0 (sb_writers#10){.+.+}-{0:0}:\\n[ 3437.465471] __lock_acquire+0x1455/0x21b0\\n[ 3437.465656] lock_acquire+0xc6/0x2b0\\n[ 3437.465822] mnt_want_write+0x46/0x1a0\\n[ 3437.465996] filename_create+0x62/0x190\\n[ 3437.466175] user_path_create+0x2d/0x50\\n[ 3437.466352] bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\\n[ 3437.466617] __x64_sys_ioctl+0x93/0xd0\\n[ 3437.466791] do_syscall_64+0x42/0xf0\\n[ 3437.466957] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ 3437.467180]\\n other info that might help us debug this:\\n\\n[ 3437.469670] 2 locks held by bcachefs/35533:\\n other info that might help us debug this:\\n\\n[ 3437.467507] Chain exists of:\\n sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\\n\\n[ 3437.467979] Possible unsafe locking scenario:\\n\\n[ 3437.468223] CPU0 CPU1\\n[ 3437.468405] ---- ----\\n[ 3437.468585] rlock(&type->s_umount_key#48);\\n[ 3437.468758] lock(&c->snapshot_create_lock);\\n[ 3437.469030] lock(&type->s_umount_key#48);\\n[ 3437.469291] rlock(sb_writers#10);\\n[ 3437.469434]\\n *** DEADLOCK ***\\n\\n[ 3437.469\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26658\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26661", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26661" + }, + { + "url": "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a" + }, + { + "url": "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667" + }, + { + "url": "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26661 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26661", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\n\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26661\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26661\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26661\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26661\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26661\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a\",\n \"https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667\",\n \"https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\\n\\nIn \\\"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\\\"\\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\\nensure the tg is not NULL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26661\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26662", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26662" + }, + { + "url": "https://git.kernel.org/stable/c/0c863cab0e9173f8b6c7bc328bee3b8625f131b5" + }, + { + "url": "https://git.kernel.org/stable/c/2e150ccea13129eb048679114808eb9770443e4d" + }, + { + "url": "https://git.kernel.org/stable/c/e96fddb32931d007db12b1fce9b5e8e4c080401b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26662 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26662", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'\n\n'panel_cntl' structure used to control the display panel could be null,\ndereferencing it could lead to a null pointer access.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26662\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26662\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26662\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26662\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26662\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c863cab0e9173f8b6c7bc328bee3b8625f131b5\",\n \"https://git.kernel.org/stable/c/2e150ccea13129eb048679114808eb9770443e4d\",\n \"https://git.kernel.org/stable/c/e96fddb32931d007db12b1fce9b5e8e4c080401b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'\\n\\n'panel_cntl' structure used to control the display panel could be null,\\ndereferencing it could lead to a null pointer access.\\n\\nFixes the below:\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26662\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26669", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26669" + }, + { + "url": "https://git.kernel.org/stable/c/32f2a0afa95fae0d1ceec2ff06e0e816939964b8" + }, + { + "url": "https://git.kernel.org/stable/c/9ed46144cff3598a5cf79955630e795ff9af5b97" + }, + { + "url": "https://git.kernel.org/stable/c/c04709b2cc99ae31c346f79f0211752d7b74df01" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26669 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26669", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: Fix chain template offload\n\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\n\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\n\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\n\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\n\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[......\n 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc+0x4e/0x90\n [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n [] ___sys_sendmsg+0x13a/0x1e0\n [] __sys_sendmsg+0x11c/0x1f0\n [] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8.....\n 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m....\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc_node+0x51/0x90\n [] kvmalloc_node+0xa6/0x1f0\n [] bucket_table_alloc.isra.0+0x83/0x460\n [] rhashtable_init+0x43b/0x7c0\n [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26669\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26669\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26669\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26669\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26669\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32f2a0afa95fae0d1ceec2ff06e0e816939964b8\",\n \"https://git.kernel.org/stable/c/9ed46144cff3598a5cf79955630e795ff9af5b97\",\n \"https://git.kernel.org/stable/c/c04709b2cc99ae31c346f79f0211752d7b74df01\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: flower: Fix chain template offload\\n\\nWhen a qdisc is deleted from a net device the stack instructs the\\nunderlying driver to remove its flow offload callback from the\\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\\nthen continues to replay the removal of the filters in the block for\\nthis driver by iterating over the chains in the block and invoking the\\n'reoffload' operation of the classifier being used. In turn, the\\nclassifier in its 'reoffload' operation prepares and emits a\\n'FLOW_CLS_DESTROY' command for each filter.\\n\\nHowever, the stack does not do the same for chain templates and the\\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\\na qdisc is deleted. This results in a memory leak [1] which can be\\nreproduced using [2].\\n\\nFix by introducing a 'tmplt_reoffload' operation and have the stack\\ninvoke it with the appropriate arguments as part of the replay.\\nImplement the operation in the sole classifier that supports chain\\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\\ncommand based on whether a flow offload callback is being bound to a\\nfilter block or being unbound from one.\\n\\nAs far as I can tell, the issue happens since cited commit which\\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\\nin __tcf_block_put(). The order cannot be reversed as the filter block\\nis expected to be freed after flushing all the chains.\\n\\n[1]\\nunreferenced object 0xffff888107e28800 (size 2048):\\n comm \\\"tc\\\", pid 1079, jiffies 4294958525 (age 3074.287s)\\n hex dump (first 32 bytes):\\n b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[......\\n 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................\\n backtrace:\\n [] __kmem_cache_alloc_node+0x1e8/0x320\\n [] __kmalloc+0x4e/0x90\\n [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\\n [] tc_setup_cb_call+0x183/0x340\\n [] fl_tmplt_create+0x3da/0x4c0\\n [] tc_ctl_chain+0xa15/0x1170\\n [] rtnetlink_rcv_msg+0x3cc/0xed0\\n [] netlink_rcv_skb+0x170/0x440\\n [] netlink_unicast+0x540/0x820\\n [] netlink_sendmsg+0x8d8/0xda0\\n [] ____sys_sendmsg+0x30f/0xa80\\n [] ___sys_sendmsg+0x13a/0x1e0\\n [] __sys_sendmsg+0x11c/0x1f0\\n [] do_syscall_64+0x40/0xe0\\nunreferenced object 0xffff88816d2c0400 (size 1024):\\n comm \\\"tc\\\", pid 1079, jiffies 4294958525 (age 3074.287s)\\n hex dump (first 32 bytes):\\n 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8.....\\n 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m....\\n backtrace:\\n [] __kmem_cache_alloc_node+0x1e8/0x320\\n [] __kmalloc_node+0x51/0x90\\n [] kvmalloc_node+0xa6/0x1f0\\n [] bucket_table_alloc.isra.0+0x83/0x460\\n [] rhashtable_init+0x43b/0x7c0\\n [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\\n [] tc_setup_cb_call+0x183/0x340\\n [] fl_tmplt_create+0x3da/0x4c0\\n [] tc_ctl_chain+0xa15/0x1170\\n [] rtnetlink_rcv_msg+0x3cc/0xed0\\n [] netlink_rcv_skb+0x170/0x440\\n [] netlink_unicast+0x540/0x820\\n [] netlink_sendmsg+0x8d8/0xda0\\n [] ____sys_sendmsg+0x30f/0xa80\\n\\n[2]\\n # tc qdisc add dev swp1 clsact\\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\\n # tc qdisc del dev\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26669\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26672", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26672" + }, + { + "url": "https://git.kernel.org/stable/c/4f32504a2f85a7b40fe149436881381f48e9c0c0" + }, + { + "url": "https://git.kernel.org/stable/c/7b5d58c07024516c0e81b95e98f37710cf402c53" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26672 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26672", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368)\n\n357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev,\n\t\t\t\t enum amdgpu_mca_error_type type,\n358 int idx, struct mca_bank_entry *entry)\n359 {\n360 const struct amdgpu_mca_smu_funcs *mca_funcs =\n\t\t\t\t\t\tadev->mca.mca_funcs;\n361 int count;\n362\n363 switch (type) {\n364 case AMDGPU_MCA_ERROR_TYPE_UE:\n365 count = mca_funcs->max_ue_count;\n\nmca_funcs is dereferenced here.\n\n366 break;\n367 case AMDGPU_MCA_ERROR_TYPE_CE:\n368 count = mca_funcs->max_ce_count;\n\nmca_funcs is dereferenced here.\n\n369 break;\n370 default:\n371 return -EINVAL;\n372 }\n373\n374 if (idx >= count)\n375 return -EINVAL;\n376\n377 if (mca_funcs && mca_funcs->mca_get_mca_entry)\n\t ^^^^^^^^^\n\nChecked too late!", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26672\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26672\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26672\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26672\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26672\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4f32504a2f85a7b40fe149436881381f48e9c0c0\",\n \"https://git.kernel.org/stable/c/7b5d58c07024516c0e81b95e98f37710cf402c53\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'\\n\\nFixes the below:\\n\\ndrivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368)\\n\\n357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev,\\n\\t\\t\\t\\t enum amdgpu_mca_error_type type,\\n358 int idx, struct mca_bank_entry *entry)\\n359 {\\n360 const struct amdgpu_mca_smu_funcs *mca_funcs =\\n\\t\\t\\t\\t\\t\\tadev->mca.mca_funcs;\\n361 int count;\\n362\\n363 switch (type) {\\n364 case AMDGPU_MCA_ERROR_TYPE_UE:\\n365 count = mca_funcs->max_ue_count;\\n\\nmca_funcs is dereferenced here.\\n\\n366 break;\\n367 case AMDGPU_MCA_ERROR_TYPE_CE:\\n368 count = mca_funcs->max_ce_count;\\n\\nmca_funcs is dereferenced here.\\n\\n369 break;\\n370 default:\\n371 return -EINVAL;\\n372 }\\n373\\n374 if (idx >= count)\\n375 return -EINVAL;\\n376\\n377 if (mca_funcs && mca_funcs->mca_get_mca_entry)\\n\\t ^^^^^^^^^\\n\\nChecked too late!\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26672\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26677", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26677" + }, + { + "url": "https://git.kernel.org/stable/c/200cb50b9e154434470c8969d32474d38475acc2" + }, + { + "url": "https://git.kernel.org/stable/c/63719f490e6a89896e9a463d2b45e8203eab23ae" + }, + { + "url": "https://git.kernel.org/stable/c/e7870cf13d20f56bfc19f9c3e89707c69cf104ef" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26677 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26677", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix delayed ACKs to not set the reference serial number\n\nFix the construction of delayed ACKs to not set the reference serial number\nas they can't be used as an RTT reference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26677\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26677\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26677\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26677\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26677\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/200cb50b9e154434470c8969d32474d38475acc2\",\n \"https://git.kernel.org/stable/c/63719f490e6a89896e9a463d2b45e8203eab23ae\",\n \"https://git.kernel.org/stable/c/e7870cf13d20f56bfc19f9c3e89707c69cf104ef\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrxrpc: Fix delayed ACKs to not set the reference serial number\\n\\nFix the construction of delayed ACKs to not set the reference serial number\\nas they can't be used as an RTT reference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26677\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26680", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26680" + }, + { + "url": "https://git.kernel.org/stable/c/004fe5b7f59286a926a45e0cafc7870e9cdddd56" + }, + { + "url": "https://git.kernel.org/stable/c/2e7d3b67630dfd8f178c41fa2217aa00e79a5887" + }, + { + "url": "https://git.kernel.org/stable/c/466ceebe48cbba3f4506f165fca7111f9eb8bb12" + }, + { + "url": "https://git.kernel.org/stable/c/e42e334c645575be5432adee224975d4f536fdb1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26680 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26680", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: Fix DMA mapping for PTP hwts ring\n\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\n\nTrace:\n[ 215.351607] ------------[ cut here ]------------\n[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[ 215.581176] Call Trace:\n[ 215.583632] \n[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.594497] ? debug_dma_free_coherent+0x196/0x210\n[ 215.599305] ? check_unmap+0xa6f/0x2360\n[ 215.603147] ? __warn+0xca/0x1d0\n[ 215.606391] ? check_unmap+0xa6f/0x2360\n[ 215.610237] ? report_bug+0x1ef/0x370\n[ 215.613921] ? handle_bug+0x3c/0x70\n[ 215.617423] ? exc_invalid_op+0x14/0x50\n[ 215.621269] ? asm_exc_invalid_op+0x16/0x20\n[ 215.625480] ? check_unmap+0xa6f/0x2360\n[ 215.629331] ? mark_lock.part.0+0xca/0xa40\n[ 215.633445] debug_dma_free_coherent+0x196/0x210\n[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10\n[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0\n[ 215.648060] dma_free_attrs+0x6d/0x130\n[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]\n[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[ 216.127540] ---[ end trace 6467e5964dd2640b ]---\n[ 216.132160] DMA-API: Mapped at:\n[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0\n[ 216.132165] dma_alloc_attrs+0xf5/0x1b0\n[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26680\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26680\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26680\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26680\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26680\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/004fe5b7f59286a926a45e0cafc7870e9cdddd56\",\n \"https://git.kernel.org/stable/c/2e7d3b67630dfd8f178c41fa2217aa00e79a5887\",\n \"https://git.kernel.org/stable/c/466ceebe48cbba3f4506f165fca7111f9eb8bb12\",\n \"https://git.kernel.org/stable/c/e42e334c645575be5432adee224975d4f536fdb1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: atlantic: Fix DMA mapping for PTP hwts ring\\n\\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\\ninto account.\\nCreate and use a specific function to free HWTS ring to fix this\\nissue.\\n\\nTrace:\\n[ 215.351607] ------------[ cut here ]------------\\n[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\\n[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\\n...\\n[ 215.581176] Call Trace:\\n[ 215.583632] \\n[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df\\n[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df\\n[ 215.594497] ? debug_dma_free_coherent+0x196/0x210\\n[ 215.599305] ? check_unmap+0xa6f/0x2360\\n[ 215.603147] ? __warn+0xca/0x1d0\\n[ 215.606391] ? check_unmap+0xa6f/0x2360\\n[ 215.610237] ? report_bug+0x1ef/0x370\\n[ 215.613921] ? handle_bug+0x3c/0x70\\n[ 215.617423] ? exc_invalid_op+0x14/0x50\\n[ 215.621269] ? asm_exc_invalid_op+0x16/0x20\\n[ 215.625480] ? check_unmap+0xa6f/0x2360\\n[ 215.629331] ? mark_lock.part.0+0xca/0xa40\\n[ 215.633445] debug_dma_free_coherent+0x196/0x210\\n[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10\\n[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0\\n[ 215.648060] dma_free_attrs+0x6d/0x130\\n[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]\\n[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]\\n...\\n[ 216.127540] ---[ end trace 6467e5964dd2640b ]---\\n[ 216.132160] DMA-API: Mapped at:\\n[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0\\n[ 216.132165] dma_alloc_attrs+0xf5/0x1b0\\n[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\\n[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\\n[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26680\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26686", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26686" + }, + { + "url": "https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071" + }, + { + "url": "https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305" + }, + { + "url": "https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26686 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26686", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\n\nlock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\n\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26686\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26686\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26686\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26686\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26686\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071\",\n \"https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305\",\n \"https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\\n\\nlock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call\\ndo_task_stat() at the same time and the process has NR_THREADS, it will\\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\\n\\nChange do_task_stat() to use sig->stats_lock to gather the statistics\\noutside of ->siglock protected section, in the likely case this code will\\nrun lockless.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26686\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26687", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26687" + }, + { + "url": "https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd" + }, + { + "url": "https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4" + }, + { + "url": "https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5" + }, + { + "url": "https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44" + }, + { + "url": "https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b" + }, + { + "url": "https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3" + }, + { + "url": "https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26687 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26687", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: close evtchn after mapping cleanup\n\nshutdown_pirq and startup_pirq are not taking the\nirq_mapping_update_lock because they can't due to lock inversion. Both\nare called with the irq_desc->lock being taking. The lock order,\nhowever, is first irq_mapping_update_lock and then irq_desc->lock.\n\nThis opens multiple races:\n- shutdown_pirq can be interrupted by a function that allocates an event\n channel:\n\n CPU0 CPU1\n shutdown_pirq {\n xen_evtchn_close(e)\n __startup_pirq {\n EVTCHNOP_bind_pirq\n -> returns just freed evtchn e\n set_evtchn_to_irq(e, irq)\n }\n xen_irq_info_cleanup() {\n set_evtchn_to_irq(e, -1)\n }\n }\n\n Assume here event channel e refers here to the same event channel\n number.\n After this race the evtchn_to_irq mapping for e is invalid (-1).\n\n- __startup_pirq races with __unbind_from_irq in a similar way. Because\n __startup_pirq doesn't take irq_mapping_update_lock it can grab the\n evtchn that __unbind_from_irq is currently freeing and cleaning up. In\n this case even though the event channel is allocated, its mapping can\n be unset in evtchn_to_irq.\n\nThe fix is to first cleanup the mappings and then close the event\nchannel. In this way, when an event channel gets allocated it's\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\nThis is also the reverse order of the allocation where first the event\nchannel is allocated and then the mappings are setup.\n\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\"xen/events: modify internal\n[un]bind interfaces\"), we hit a BUG like the following during probing of NVMe\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\nis called for every device which results in a call to shutdown_pirq.\nWith many nvme devices it's therefore likely to hit this race during\nboot because there will be multiple calls to shutdown_pirq and\nstartup_pirq are running potentially in parallel.\n\n ------------[ cut here ]------------\n blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\n kernel BUG at drivers/xen/events/events_base.c:499!\n invalid opcode: 0000 [#1] SMP PTI\n CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\n Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\n Workqueue: nvme-reset-wq nvme_reset_work\n RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\n Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\n RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\n RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\n RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\n FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? set_affinity_irq+0xdc/0x1c0\n ? __die_body.cold+0x8/0xd\n ? die+0x2b/0x50\n ? do_trap+0x90/0x110\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? do_error_trap+0x65/0x80\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? exc_invalid_op+0x4e/0x70\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? asm_exc_invalid_op+0x12/0x20\n ? bind_evtchn_to_cpu+0xdf/0x\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26687\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26687\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26687\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26687\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26687\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd\",\n \"https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4\",\n \"https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5\",\n \"https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44\",\n \"https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b\",\n \"https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3\",\n \"https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxen/events: close evtchn after mapping cleanup\\n\\nshutdown_pirq and startup_pirq are not taking the\\nirq_mapping_update_lock because they can't due to lock inversion. Both\\nare called with the irq_desc->lock being taking. The lock order,\\nhowever, is first irq_mapping_update_lock and then irq_desc->lock.\\n\\nThis opens multiple races:\\n- shutdown_pirq can be interrupted by a function that allocates an event\\n channel:\\n\\n CPU0 CPU1\\n shutdown_pirq {\\n xen_evtchn_close(e)\\n __startup_pirq {\\n EVTCHNOP_bind_pirq\\n -> returns just freed evtchn e\\n set_evtchn_to_irq(e, irq)\\n }\\n xen_irq_info_cleanup() {\\n set_evtchn_to_irq(e, -1)\\n }\\n }\\n\\n Assume here event channel e refers here to the same event channel\\n number.\\n After this race the evtchn_to_irq mapping for e is invalid (-1).\\n\\n- __startup_pirq races with __unbind_from_irq in a similar way. Because\\n __startup_pirq doesn't take irq_mapping_update_lock it can grab the\\n evtchn that __unbind_from_irq is currently freeing and cleaning up. In\\n this case even though the event channel is allocated, its mapping can\\n be unset in evtchn_to_irq.\\n\\nThe fix is to first cleanup the mappings and then close the event\\nchannel. In this way, when an event channel gets allocated it's\\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\\nThis is also the reverse order of the allocation where first the event\\nchannel is allocated and then the mappings are setup.\\n\\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\\\"xen/events: modify internal\\n[un]bind interfaces\\\"), we hit a BUG like the following during probing of NVMe\\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\\nis called for every device which results in a call to shutdown_pirq.\\nWith many nvme devices it's therefore likely to hit this race during\\nboot because there will be multiple calls to shutdown_pirq and\\nstartup_pirq are running potentially in parallel.\\n\\n ------------[ cut here ]------------\\n blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\\n kernel BUG at drivers/xen/events/events_base.c:499!\\n invalid opcode: 0000 [#1] SMP PTI\\n CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\\n Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\\n Workqueue: nvme-reset-wq nvme_reset_work\\n RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\\n Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\\n RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\\n RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\\n RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00\\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\\n FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n Call Trace:\\n ? show_trace_log_lvl+0x1c1/0x2d9\\n ? show_trace_log_lvl+0x1c1/0x2d9\\n ? set_affinity_irq+0xdc/0x1c0\\n ? __die_body.cold+0x8/0xd\\n ? die+0x2b/0x50\\n ? do_trap+0x90/0x110\\n ? bind_evtchn_to_cpu+0xdf/0xf0\\n ? do_error_trap+0x65/0x80\\n ? bind_evtchn_to_cpu+0xdf/0xf0\\n ? exc_invalid_op+0x4e/0x70\\n ? bind_evtchn_to_cpu+0xdf/0xf0\\n ? asm_exc_invalid_op+0x12/0x20\\n ? bind_evtchn_to_cpu+0xdf/0x\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26687\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26691", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26691" + }, + { + "url": "https://git.kernel.org/stable/c/10c02aad111df02088d1a81792a709f6a7eca6cc" + }, + { + "url": "https://git.kernel.org/stable/c/3ab1c40a1e915e350d9181a4603af393141970cc" + }, + { + "url": "https://git.kernel.org/stable/c/3d16cebf01127f459dcfeb79ed77bd68b124c228" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26691 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26691", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix circular locking dependency\n\nThe rule inside kvm enforces that the vcpu->mutex is taken *inside*\nkvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires\nthe kvm->lock while already holding the vcpu->mutex lock from\nkvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by\nprotecting the hyp vm handle with the config_lock, much like we already\ndo for other forms of VM-scoped data.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26691\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26691\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26691\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26691\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26691\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10c02aad111df02088d1a81792a709f6a7eca6cc\",\n \"https://git.kernel.org/stable/c/3ab1c40a1e915e350d9181a4603af393141970cc\",\n \"https://git.kernel.org/stable/c/3d16cebf01127f459dcfeb79ed77bd68b124c228\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: arm64: Fix circular locking dependency\\n\\nThe rule inside kvm enforces that the vcpu->mutex is taken *inside*\\nkvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires\\nthe kvm->lock while already holding the vcpu->mutex lock from\\nkvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by\\nprotecting the hyp vm handle with the config_lock, much like we already\\ndo for other forms of VM-scoped data.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26691\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26699", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26699" + }, + { + "url": "https://git.kernel.org/stable/c/46806e59a87790760870d216f54951a5b4d545bc" + }, + { + "url": "https://git.kernel.org/stable/c/ca400d8e0c1c9d79c08dfb6b7f966e26c8cae7fb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26699 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26699", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr\n\n[Why]\nThere is a potential memory access violation while\niterating through array of dcn35 clks.\n\n[How]\nLimit iteration per array size.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26699\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26699\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26699\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26699\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26699\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/46806e59a87790760870d216f54951a5b4d545bc\",\n \"https://git.kernel.org/stable/c/ca400d8e0c1c9d79c08dfb6b7f966e26c8cae7fb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr\\n\\n[Why]\\nThere is a potential memory access violation while\\niterating through array of dcn35 clks.\\n\\n[How]\\nLimit iteration per array size.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26699\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26700", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26700" + }, + { + "url": "https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238" + }, + { + "url": "https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f" + }, + { + "url": "https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5" + }, + { + "url": "https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26700 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26700", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix MST Null Ptr for RV\n\nThe change try to fix below error specific to RV platform:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\nHardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n ? _copy_to_user+0x25/0x30\n ? drm_ioctl+0x296/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n drm_ioctl_kernel+0xcd/0x170\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x60/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4dad17f76f\nCode: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>\nRSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f\nRDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b\nRBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc\nR13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0\n \nModules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >\n typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>\nCR2: 0000000000000008\n---[ end trace 0000000000000000 ]---\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26700\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26700\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26700\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26700\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26700\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238\",\n \"https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f\",\n \"https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5\",\n \"https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix MST Null Ptr for RV\\n\\nThe change try to fix below error specific to RV platform:\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000008\\nPGD 0 P4D 0\\nOops: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\\nHardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\\nCall Trace:\\n \\n ? __die+0x23/0x70\\n ? page_fault_oops+0x171/0x4e0\\n ? plist_add+0xbe/0x100\\n ? exc_page_fault+0x7c/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n drm_atomic_check_only+0x5c5/0xa40\\n drm_mode_atomic_ioctl+0x76e/0xbc0\\n ? _copy_to_user+0x25/0x30\\n ? drm_ioctl+0x296/0x4b0\\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\\n drm_ioctl_kernel+0xcd/0x170\\n drm_ioctl+0x26d/0x4b0\\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\\n amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n __x64_sys_ioctl+0x94/0xd0\\n do_syscall_64+0x60/0x90\\n ? do_syscall_64+0x6c/0x90\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\nRIP: 0033:0x7f4dad17f76f\\nCode: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>\\nRSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\nRAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f\\nRDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b\\nRBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003\\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc\\nR13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0\\n \\nModules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >\\n typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>\\nCR2: 0000000000000008\\n---[ end trace 0000000000000000 ]---\\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26700\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26714", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26714" + }, + { + "url": "https://git.kernel.org/stable/c/6616d3c4f8284a7b3ef978c916566bd240cea1c7" + }, + { + "url": "https://git.kernel.org/stable/c/7a3a70dd08e4b7dffc2f86f2c68fc3812804b9d0" + }, + { + "url": "https://git.kernel.org/stable/c/85e985a4f46e462a37f1875cb74ed380e7c0c2e0" + }, + { + "url": "https://git.kernel.org/stable/c/d8e36ff40cf9dadb135f3a97341c02c9a7afcc43" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26714 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26714", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: sc8180x: Mark CO0 BCM keepalive\n\nThe CO0 BCM needs to be up at all times, otherwise some hardware (like\nthe UFS controller) loses its connection to the rest of the SoC,\nresulting in a hang of the platform, accompanied by a spectacular\nlogspam.\n\nMark it as keepalive to prevent such cases.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26714\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26714\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26714\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26714\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26714\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6616d3c4f8284a7b3ef978c916566bd240cea1c7\",\n \"https://git.kernel.org/stable/c/7a3a70dd08e4b7dffc2f86f2c68fc3812804b9d0\",\n \"https://git.kernel.org/stable/c/85e985a4f46e462a37f1875cb74ed380e7c0c2e0\",\n \"https://git.kernel.org/stable/c/d8e36ff40cf9dadb135f3a97341c02c9a7afcc43\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninterconnect: qcom: sc8180x: Mark CO0 BCM keepalive\\n\\nThe CO0 BCM needs to be up at all times, otherwise some hardware (like\\nthe UFS controller) loses its connection to the rest of the SoC,\\nresulting in a hang of the platform, accompanied by a spectacular\\nlogspam.\\n\\nMark it as keepalive to prevent such cases.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26714\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26718", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26718" + }, + { + "url": "https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189" + }, + { + "url": "https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257" + }, + { + "url": "https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94" + }, + { + "url": "https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26718 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26718", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt, dm-verity: disable tasklets\n\nTasklets have an inherent problem with memory corruption. The function\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\nthe structure that contains the tasklet or if it calls some code that may\nfree it, tasklet_unlock will write into free memory.\n\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\nit is not a sufficient fix and the data corruption can still happen [1].\nThere is no fix for dm-verity and dm-verity will write into free memory\nwith every tasklet-processed bio.\n\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. They\nwill have better interface and they will not suffer from the memory\ncorruption problem.\n\nBut we need something that stops the memory corruption now and that can be\nbackported to the stable kernels. So, I'm proposing this commit that\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn't\nremove the tasklet support, because the tasklet code will be reused when\natomic workqueues will be implemented.\n\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26718\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26718\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26718\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26718\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26718\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189\",\n \"https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257\",\n \"https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94\",\n \"https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndm-crypt, dm-verity: disable tasklets\\n\\nTasklets have an inherent problem with memory corruption. The function\\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\\nthe structure that contains the tasklet or if it calls some code that may\\nfree it, tasklet_unlock will write into free memory.\\n\\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\\nit is not a sufficient fix and the data corruption can still happen [1].\\nThere is no fix for dm-verity and dm-verity will write into free memory\\nwith every tasklet-processed bio.\\n\\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. They\\nwill have better interface and they will not suffer from the memory\\ncorruption problem.\\n\\nBut we need something that stops the memory corruption now and that can be\\nbackported to the stable kernels. So, I'm proposing this commit that\\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn't\\nremove the tasklet support, because the tasklet code will be reused when\\natomic workqueues will be implemented.\\n\\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26718\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26719", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26719" + }, + { + "url": "https://git.kernel.org/stable/c/39126abc5e20611579602f03b66627d7cd1422f0" + }, + { + "url": "https://git.kernel.org/stable/c/985d053f7633d8b539ab1531738d538efac678a9" + }, + { + "url": "https://git.kernel.org/stable/c/cc0037fa592d56e4abb9c7d1c52c4d2dc25cd906" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26719 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26719", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: offload fence uevents work to workqueue\n\nThis should break the deadlock between the fctx lock and the irq lock.\n\nThis offloads the processing off the work from the irq into a workqueue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26719\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26719\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26719\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26719\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26719\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39126abc5e20611579602f03b66627d7cd1422f0\",\n \"https://git.kernel.org/stable/c/985d053f7633d8b539ab1531738d538efac678a9\",\n \"https://git.kernel.org/stable/c/cc0037fa592d56e4abb9c7d1c52c4d2dc25cd906\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnouveau: offload fence uevents work to workqueue\\n\\nThis should break the deadlock between the fctx lock and the irq lock.\\n\\nThis offloads the processing off the work from the irq into a workqueue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26719\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26726", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26726" + }, + { + "url": "https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555" + }, + { + "url": "https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade" + }, + { + "url": "https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7" + }, + { + "url": "https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26726 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26726", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't drop extent_map for free space inode on write error\n\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\n\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n \n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again. However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping. Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\n\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping. This is\nnormal for normal files, but the free space cache inode is special. We\nalways expect the extent map to be correct. Thus the second time\nthrough we end up with a bogus extent map.\n\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\n\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce. With this patch in place we no longer panic\nwith my error injection test.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26726\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26726\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26726\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26726\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26726\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555\",\n \"https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade\",\n \"https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7\",\n \"https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: don't drop extent_map for free space inode on write error\\n\\nWhile running the CI for an unrelated change I hit the following panic\\nwith generic/648 on btrfs_holes_spacecache.\\n\\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\\n------------[ cut here ]------------\\nkernel BUG at fs/btrfs/extent_io.c:1385!\\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1\\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\\nCall Trace:\\n \\n extent_write_cache_pages+0x2ac/0x8f0\\n extent_writepages+0x87/0x110\\n do_writepages+0xd5/0x1f0\\n filemap_fdatawrite_wbc+0x63/0x90\\n __filemap_fdatawrite_range+0x5c/0x80\\n btrfs_fdatawrite_range+0x1f/0x50\\n btrfs_write_out_cache+0x507/0x560\\n btrfs_write_dirty_block_groups+0x32a/0x420\\n commit_cowonly_roots+0x21b/0x290\\n btrfs_commit_transaction+0x813/0x1360\\n btrfs_sync_file+0x51a/0x640\\n __x64_sys_fdatasync+0x52/0x90\\n do_syscall_64+0x9c/0x190\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\nThis happens because we fail to write out the free space cache in one\\ninstance, come back around and attempt to write it again. However on\\nthe second pass through we go to call btrfs_get_extent() on the inode to\\nget the extent mapping. Because this is a new block group, and with the\\nfree space inode we always search the commit root to avoid deadlocking\\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\\nrequested range.\\n\\nThis happens because the first time we try to write the space cache out\\nwe hit an error, and on an error we drop the extent mapping. This is\\nnormal for normal files, but the free space cache inode is special. We\\nalways expect the extent map to be correct. Thus the second time\\nthrough we end up with a bogus extent map.\\n\\nSince we're deprecating this feature, the most straightforward way to\\nfix this is to simply skip dropping the extent map range for this failed\\nrange.\\n\\nI shortened the test by using error injection to stress the area to make\\nit easier to reproduce. With this patch in place we no longer panic\\nwith my error injection test.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26726\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26727", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26727" + }, + { + "url": "https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f" + }, + { + "url": "https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468" + }, + { + "url": "https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d" + }, + { + "url": "https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430" + }, + { + "url": "https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb" + }, + { + "url": "https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26727 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26727", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not ASSERT() if the newly created subvolume already got read\n\n[BUG]\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\ncreation:\n\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/disk-io.c:1319!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\n \n btrfs_get_new_fs_root+0xd3/0xf0\n create_subvol+0xd02/0x1650\n btrfs_mksubvol+0xe95/0x12b0\n __btrfs_ioctl_snap_create+0x2f9/0x4f0\n btrfs_ioctl_snap_create+0x16b/0x200\n btrfs_ioctl+0x35f0/0x5cf0\n __x64_sys_ioctl+0x19d/0x210\n do_syscall_64+0x3f/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nDuring create_subvol(), after inserting root item for the newly created\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\nbtrfs_root of that subvolume.\n\nThe idea here is, we have preallocated an anonymous device number for\nthe subvolume, thus we can assign it to the new subvolume.\n\nBut there is really nothing preventing things like backref walk to read\nthe new subvolume.\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\nwould be read out, with a new anonymous device number assigned already.\n\nIn that case, we would trigger ASSERT(), as we really expect no one to\nread out that subvolume (which is not yet accessible from the fs).\nBut things like backref walk is still possible to trigger the read on\nthe subvolume.\n\nThus our assumption on the ASSERT() is not correct in the first place.\n\n[FIX]\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\nto 0, and continue.\n\nIf the subvolume tree is read out by something else, it should have\nalready get a new anon_dev assigned thus we only need to free the\npreallocated one.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26727\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26727\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26727\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26727\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26727\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f\",\n \"https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468\",\n \"https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d\",\n \"https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430\",\n \"https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb\",\n \"https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: do not ASSERT() if the newly created subvolume already got read\\n\\n[BUG]\\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\\ncreation:\\n\\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\\n ------------[ cut here ]------------\\n kernel BUG at fs/btrfs/disk-io.c:1319!\\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\\n \\n btrfs_get_new_fs_root+0xd3/0xf0\\n create_subvol+0xd02/0x1650\\n btrfs_mksubvol+0xe95/0x12b0\\n __btrfs_ioctl_snap_create+0x2f9/0x4f0\\n btrfs_ioctl_snap_create+0x16b/0x200\\n btrfs_ioctl+0x35f0/0x5cf0\\n __x64_sys_ioctl+0x19d/0x210\\n do_syscall_64+0x3f/0xe0\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n ---[ end trace 0000000000000000 ]---\\n\\n[CAUSE]\\nDuring create_subvol(), after inserting root item for the newly created\\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\\nbtrfs_root of that subvolume.\\n\\nThe idea here is, we have preallocated an anonymous device number for\\nthe subvolume, thus we can assign it to the new subvolume.\\n\\nBut there is really nothing preventing things like backref walk to read\\nthe new subvolume.\\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\\nwould be read out, with a new anonymous device number assigned already.\\n\\nIn that case, we would trigger ASSERT(), as we really expect no one to\\nread out that subvolume (which is not yet accessible from the fs).\\nBut things like backref walk is still possible to trigger the read on\\nthe subvolume.\\n\\nThus our assumption on the ASSERT() is not correct in the first place.\\n\\n[FIX]\\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\\nto 0, and continue.\\n\\nIf the subvolume tree is read out by something else, it should have\\nalready get a new anon_dev assigned thus we only need to free the\\npreallocated one.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26727\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26739", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26739" + }, + { + "url": "https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210" + }, + { + "url": "https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d" + }, + { + "url": "https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26739 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26739", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: don't override retval if we already lost the skb\n\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\n\nMove the retval override to the error path which actually need it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26739\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26739\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26739\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26739\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26739\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210\",\n \"https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d\",\n \"https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_mirred: don't override retval if we already lost the skb\\n\\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\\nyet, we need to tell the core to drop the skb by setting the retcode\\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\\nis out of our hands and returning SHOT will lead to UaF.\\n\\nMove the retval override to the error path which actually need it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26739\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26740", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26740" + }, + { + "url": "https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17" + }, + { + "url": "https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be" + }, + { + "url": "https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26740 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26740", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: use the backlog for mirred ingress\n\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\n\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\n\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26740\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26740\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26740\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26740\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26740\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17\",\n \"https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be\",\n \"https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_mirred: use the backlog for mirred ingress\\n\\nThe test Davide added in commit ca22da2fbd69 (\\\"act_mirred: use the backlog\\nfor nested calls to mirred ingress\\\") hangs our testing VMs every 10 or so\\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\\nlockdep.\\n\\nThe problem as previously described by Davide (see Link) is that\\nif we reverse flow of traffic with the redirect (egress -> ingress)\\nwe may reach the same socket which generated the packet. And we may\\nstill be holding its socket lock. The common solution to such deadlocks\\nis to put the packet in the Rx backlog, rather than run the Rx path\\ninline. Do that for all egress -> ingress reversals, not just once\\nwe started to nest mirred calls.\\n\\nIn the past there was a concern that the backlog indirection will\\nlead to loss of error reporting / less accurate stats. But the current\\nworkaround does not seem to address the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26740\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26742", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26742" + }, + { + "url": "https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe" + }, + { + "url": "https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df" + }, + { + "url": "https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a" + }, + { + "url": "https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26742 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26742", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix disable_managed_interrupts\n\nCorrect blk-mq registration issue with module parameter\ndisable_managed_interrupts enabled.\n\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\nundefined behavior.\n\nStack Trace:\n[ 7.860089] scsi host2: smartpqi\n[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\n[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\n[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\n[ 7.963026] Workqueue: events work_for_cpu_fn\n[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\n[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\n[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\n[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\n[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\n[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00\n[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\n[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\n[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\n[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\n[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8.172818] PKRU: 55555554\n[ 8.172819] Call Trace:\n[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310\n[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245\n[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]\n[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.323286] local_pci_probe+0x42/0x80\n[ 8.337855] work_for_cpu_fn+0x16/0x20\n[ 8.351193] process_one_work+0x1a7/0x360\n[ 8.364462] ? create_worker+0x1a0/0x1a0\n[ 8.379252] worker_thread+0x1ce/0x390\n[ 8.392623] ? create_worker+0x1a0/0x1a0\n[ 8.406295] kthread+0x10a/0x120\n[ 8.418428] ? set_kthread_struct+0x50/0x50\n[ 8.431532] ret_from_fork+0x1f/0x40\n[ 8.444137] ---[ end trace 1bf0173d39354506 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26742\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26742\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26742\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26742\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26742\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe\",\n \"https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df\",\n \"https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a\",\n \"https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: smartpqi: Fix disable_managed_interrupts\\n\\nCorrect blk-mq registration issue with module parameter\\ndisable_managed_interrupts enabled.\\n\\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\\nundefined behavior.\\n\\nStack Trace:\\n[ 7.860089] scsi host2: smartpqi\\n[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\\n[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\\n[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\\n[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\\n[ 7.963026] Workqueue: events work_for_cpu_fn\\n[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\\n[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\\n[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\\n[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\\n[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\\n[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00\\n[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\\n[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\\n[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\\n[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\\n[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 8.172818] PKRU: 55555554\\n[ 8.172819] Call Trace:\\n[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310\\n[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245\\n[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]\\n[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\\n[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]\\n[ 8.323286] local_pci_probe+0x42/0x80\\n[ 8.337855] work_for_cpu_fn+0x16/0x20\\n[ 8.351193] process_one_work+0x1a7/0x360\\n[ 8.364462] ? create_worker+0x1a0/0x1a0\\n[ 8.379252] worker_thread+0x1ce/0x390\\n[ 8.392623] ? create_worker+0x1a0/0x1a0\\n[ 8.406295] kthread+0x10a/0x120\\n[ 8.418428] ? set_kthread_struct+0x50/0x50\\n[ 8.431532] ret_from_fork+0x1f/0x40\\n[ 8.444137] ---[ end trace 1bf0173d39354506 ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26742\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26756", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26756" + }, + { + "url": "https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417" + }, + { + "url": "https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26756 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26756", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't register sync_thread for reshape directly\n\nCurrently, if reshape is interrupted, then reassemble the array will\nregister sync_thread directly from pers->run(), in this case\n'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\nbecause 'MD_RECOVERY_RUNNING' can't be cleared.\n\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\nhowever, following hang can still be triggered by dm-raid test\nshell/lvconvert-raid-reshape.sh occasionally:\n\n[root@fedora ~]# cat /proc/1982/stack\n[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]\n[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\n[<0>] raid_presuspend+0x1e/0x70 [dm_raid]\n[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\n[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]\n[<0>] dm_destroy+0x16/0x30 [dm_mod]\n[<0>] dev_remove+0x165/0x290 [dm_mod]\n[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\n[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]\n[<0>] vfs_ioctl+0x21/0x60\n[<0>] __x64_sys_ioctl+0xb9/0xe0\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nMeanwhile mddev->recovery is:\nMD_RECOVERY_RUNNING |\nMD_RECOVERY_INTR |\nMD_RECOVERY_RESHAPE |\nMD_RECOVERY_FROZEN\n\nFix this problem by remove the code to register sync_thread directly\nfrom raid10 and raid5. And let md_check_recovery() to register\nsync_thread.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26756\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26756\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26756\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26756\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26756\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417\",\n \"https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd: Don't register sync_thread for reshape directly\\n\\nCurrently, if reshape is interrupted, then reassemble the array will\\nregister sync_thread directly from pers->run(), in this case\\n'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee\\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\\nbecause 'MD_RECOVERY_RUNNING' can't be cleared.\\n\\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\\nhowever, following hang can still be triggered by dm-raid test\\nshell/lvconvert-raid-reshape.sh occasionally:\\n\\n[root@fedora ~]# cat /proc/1982/stack\\n[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]\\n[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\\n[<0>] raid_presuspend+0x1e/0x70 [dm_raid]\\n[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\\n[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]\\n[<0>] dm_destroy+0x16/0x30 [dm_mod]\\n[<0>] dev_remove+0x165/0x290 [dm_mod]\\n[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\\n[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]\\n[<0>] vfs_ioctl+0x21/0x60\\n[<0>] __x64_sys_ioctl+0xb9/0xe0\\n[<0>] do_syscall_64+0xc6/0x230\\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\\n\\nMeanwhile mddev->recovery is:\\nMD_RECOVERY_RUNNING |\\nMD_RECOVERY_INTR |\\nMD_RECOVERY_RESHAPE |\\nMD_RECOVERY_FROZEN\\n\\nFix this problem by remove the code to register sync_thread directly\\nfrom raid10 and raid5. And let md_check_recovery() to register\\nsync_thread.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26756\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26757", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26757" + }, + { + "url": "https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3" + }, + { + "url": "https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26757 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26757", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore read-only array in md_check_recovery()\n\nUsually if the array is not read-write, md_check_recovery() won't\nregister new sync_thread in the first place. And if the array is\nread-write and sync_thread is registered, md_set_readonly() will\nunregister sync_thread before setting the array read-only. md/raid\nfollow this behavior hence there is no problem.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) array is read-only. dm-raid update super block:\nrs_update_sbs\n ro = mddev->ro\n mddev->ro = 0\n -> set array read-write\n md_update_sb\n\n2) register new sync thread concurrently.\n\n3) dm-raid set array back to read-only:\nrs_update_sbs\n mddev->ro = ro\n\n4) stop the array:\nraid_dtr\n md_stop\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n5) sync thread done:\n md_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n6) daemon thread can't unregister sync thread:\n md_check_recovery\n if (!md_is_rdwr(mddev) &&\n !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))\n return;\n -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;\n\nThe root cause is that dm-raid manipulate 'mddev->ro' by itself,\nhowever, dm-raid really should stop sync thread before setting the\narray read-only. Unfortunately, I need to read more code before I\ncan refacter the handler of 'mddev->ro' in dm-raid, hence let's fix\nthe problem the easy way for now to prevent dm-raid regression.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26757\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26757\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26757\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26757\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26757\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3\",\n \"https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd: Don't ignore read-only array in md_check_recovery()\\n\\nUsually if the array is not read-write, md_check_recovery() won't\\nregister new sync_thread in the first place. And if the array is\\nread-write and sync_thread is registered, md_set_readonly() will\\nunregister sync_thread before setting the array read-only. md/raid\\nfollow this behavior hence there is no problem.\\n\\nAfter commit f52f5c71f3d4 (\\\"md: fix stopping sync thread\\\"), following\\nhang can be triggered by test shell/integrity-caching.sh:\\n\\n1) array is read-only. dm-raid update super block:\\nrs_update_sbs\\n ro = mddev->ro\\n mddev->ro = 0\\n -> set array read-write\\n md_update_sb\\n\\n2) register new sync thread concurrently.\\n\\n3) dm-raid set array back to read-only:\\nrs_update_sbs\\n mddev->ro = ro\\n\\n4) stop the array:\\nraid_dtr\\n md_stop\\n stop_sync_thread\\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\\n md_wakeup_thread_directly(mddev->sync_thread);\\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\\n\\n5) sync thread done:\\n md_do_sync\\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\\n md_wakeup_thread(mddev->thread);\\n\\n6) daemon thread can't unregister sync thread:\\n md_check_recovery\\n if (!md_is_rdwr(mddev) &&\\n !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))\\n return;\\n -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;\\n\\nThe root cause is that dm-raid manipulate 'mddev->ro' by itself,\\nhowever, dm-raid really should stop sync thread before setting the\\narray read-only. Unfortunately, I need to read more code before I\\ncan refacter the handler of 'mddev->ro' in dm-raid, hence let's fix\\nthe problem the easy way for now to prevent dm-raid regression.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26757\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26758", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26758" + }, + { + "url": "https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757" + }, + { + "url": "https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26758 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26758", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore suspended array in md_check_recovery()\n\nmddev_suspend() never stop sync_thread, hence it doesn't make sense to\nignore suspended array in md_check_recovery(), which might cause\nsync_thread can't be unregistered.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) suspend the array:\nraid_postsuspend\n mddev_suspend\n\n2) stop the array:\nraid_dtr\n md_stop\n __md_stop_writes\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n3) sync thread done:\nmd_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n4) daemon thread can't unregister sync thread:\nmd_check_recovery\n if (mddev->suspended)\n return; -> return directly\n md_read_sync_thread\n clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);\n -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;\n\nThis problem is not just related to dm-raid, fix it by ignoring\nsuspended array in md_check_recovery(). And follow up patches will\nimprove dm-raid better to frozen sync thread during suspend.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26758\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26758\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26758\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26758\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26758\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757\",\n \"https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd: Don't ignore suspended array in md_check_recovery()\\n\\nmddev_suspend() never stop sync_thread, hence it doesn't make sense to\\nignore suspended array in md_check_recovery(), which might cause\\nsync_thread can't be unregistered.\\n\\nAfter commit f52f5c71f3d4 (\\\"md: fix stopping sync thread\\\"), following\\nhang can be triggered by test shell/integrity-caching.sh:\\n\\n1) suspend the array:\\nraid_postsuspend\\n mddev_suspend\\n\\n2) stop the array:\\nraid_dtr\\n md_stop\\n __md_stop_writes\\n stop_sync_thread\\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\\n md_wakeup_thread_directly(mddev->sync_thread);\\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\\n\\n3) sync thread done:\\nmd_do_sync\\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\\n md_wakeup_thread(mddev->thread);\\n\\n4) daemon thread can't unregister sync thread:\\nmd_check_recovery\\n if (mddev->suspended)\\n return; -> return directly\\n md_read_sync_thread\\n clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);\\n -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;\\n\\nThis problem is not just related to dm-raid, fix it by ignoring\\nsuspended array in md_check_recovery(). And follow up patches will\\nimprove dm-raid better to frozen sync thread during suspend.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26758\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26759", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26759" + }, + { + "url": "https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458" + }, + { + "url": "https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95" + }, + { + "url": "https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a" + }, + { + "url": "https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26759 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26759", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix race when skipping swapcache\n\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\nswapin the same entry at the same time, they get different pages (A, B). \nBefore one thread (T0) finishes the swapin and installs page (A) to the\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\nentry, then swap out the possibly modified page reusing the same entry. \nIt breaks the pte_same check in (T0) because PTE value is unchanged,\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\nPTE and cause data corruption.\n\nOne possible callstack is like this:\n\nCPU0 CPU1\n---- ----\ndo_swap_page() do_swap_page() with same entry\n \n \nswap_read_folio() <- read to page A swap_read_folio() <- read to page B\n \n... set_pte_at()\n swap_free() <- entry is free\n \n \npte_same() <- Check pass, PTE seems\n unchanged, but page A\n is stalled!\nswap_free() <- page B content lost!\nset_pte_at() <- staled page A installed!\n\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\nentry content, so even if page (B) is not modified, if swap_read_folio()\non CPU0 happens later than swap_free() on CPU1, it may also cause data\nloss.\n\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\nthe cache flag, and allow only one thread to swap it in, also prevent any\nparallel code from putting the entry in the cache. Release the pin after\nPT unlocked.\n\nRacers just loop and wait since it's a rare and very short event. A\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\nfaults wasting too much CPU, causing livelock or adding too much noise to\nperf statistics. A similar livelock issue was described in commit\n029c4628b2eb (\"mm: swap: get rid of livelock in swapin readahead\")\n\nReproducer:\n\nThis race issue can be triggered easily using a well constructed\nreproducer and patched brd (with a delay in read path) [1]:\n\nWith latest 6.8 mainline, race caused data loss can be observed easily:\n$ gcc -g -lpthread test-thread-swap-race.c && ./a.out\n Polulating 32MB of memory region...\n Keep swapping out...\n Starting round 0...\n Spawning 65536 workers...\n 32746 workers spawned, wait for done...\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\n Round 0 Failed, 15 data loss!\n\nThis reproducer spawns multiple threads sharing the same memory region\nusing a small swap device. Every two threads updates mapped pages one by\none in opposite direction trying to create a race, with one dedicated\nthread keep swapping out the data out using madvise.\n\nThe reproducer created a reproduce rate of about once every 5 minutes, so\nthe race should be totally possible in production.\n\nAfter this patch, I ran the reproducer for over a few hundred rounds and\nno data loss observed.\n\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\nzram:\n\nBefore: 10934698 us\nAfter: 11157121 us\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\n\n[kasong@tencent.com: v4]\n Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26759\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26759\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26759\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26759\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26759\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458\",\n \"https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95\",\n \"https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a\",\n \"https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/swap: fix race when skipping swapcache\\n\\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\\nswapin the same entry at the same time, they get different pages (A, B). \\nBefore one thread (T0) finishes the swapin and installs page (A) to the\\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\\nentry, then swap out the possibly modified page reusing the same entry. \\nIt breaks the pte_same check in (T0) because PTE value is unchanged,\\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\\nPTE and cause data corruption.\\n\\nOne possible callstack is like this:\\n\\nCPU0 CPU1\\n---- ----\\ndo_swap_page() do_swap_page() with same entry\\n \\n \\nswap_read_folio() <- read to page A swap_read_folio() <- read to page B\\n \\n... set_pte_at()\\n swap_free() <- entry is free\\n \\n \\npte_same() <- Check pass, PTE seems\\n unchanged, but page A\\n is stalled!\\nswap_free() <- page B content lost!\\nset_pte_at() <- staled page A installed!\\n\\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\\nentry content, so even if page (B) is not modified, if swap_read_folio()\\non CPU0 happens later than swap_free() on CPU1, it may also cause data\\nloss.\\n\\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\\nthe cache flag, and allow only one thread to swap it in, also prevent any\\nparallel code from putting the entry in the cache. Release the pin after\\nPT unlocked.\\n\\nRacers just loop and wait since it's a rare and very short event. A\\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\\nfaults wasting too much CPU, causing livelock or adding too much noise to\\nperf statistics. A similar livelock issue was described in commit\\n029c4628b2eb (\\\"mm: swap: get rid of livelock in swapin readahead\\\")\\n\\nReproducer:\\n\\nThis race issue can be triggered easily using a well constructed\\nreproducer and patched brd (with a delay in read path) [1]:\\n\\nWith latest 6.8 mainline, race caused data loss can be observed easily:\\n$ gcc -g -lpthread test-thread-swap-race.c && ./a.out\\n Polulating 32MB of memory region...\\n Keep swapping out...\\n Starting round 0...\\n Spawning 65536 workers...\\n 32746 workers spawned, wait for done...\\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\\n Round 0 Failed, 15 data loss!\\n\\nThis reproducer spawns multiple threads sharing the same memory region\\nusing a small swap device. Every two threads updates mapped pages one by\\none in opposite direction trying to create a race, with one dedicated\\nthread keep swapping out the data out using madvise.\\n\\nThe reproducer created a reproduce rate of about once every 5 minutes, so\\nthe race should be totally possible in production.\\n\\nAfter this patch, I ran the reproducer for over a few hundred rounds and\\nno data loss observed.\\n\\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\\nzram:\\n\\nBefore: 10934698 us\\nAfter: 11157121 us\\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\\n\\n[kasong@tencent.com: v4]\\n Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26759\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26767", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26767" + }, + { + "url": "https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738" + }, + { + "url": "https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375" + }, + { + "url": "https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26767 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26767", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fixed integer types and null check locations\n\n[why]:\nissues fixed:\n- comparison with wider integer type in loop condition which can cause\ninfinite loops\n- pointer dereference before null check", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26767\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26767\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26767\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26767\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26767\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738\",\n \"https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375\",\n \"https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: fixed integer types and null check locations\\n\\n[why]:\\nissues fixed:\\n- comparison with wider integer type in loop condition which can cause\\ninfinite loops\\n- pointer dereference before null check\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26767\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26770", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26770" + }, + { + "url": "https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100" + }, + { + "url": "https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183" + }, + { + "url": "https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26770 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26770", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.\n\n[jkosina@suse.com: tweak changelog a bit]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26770\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26770\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26770\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26770\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26770\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100\",\n \"https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183\",\n \"https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\\n\\ndevm_kasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure. Ensure the allocation was successful\\nby checking the pointer validity.\\n\\n[jkosina@suse.com: tweak changelog a bit]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26770\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26775", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26775" + }, + { + "url": "https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77" + }, + { + "url": "https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26" + }, + { + "url": "https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c" + }, + { + "url": "https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26775 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26775", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: avoid potential deadlock at set_capacity\n\nMove set_capacity() outside of the section procected by (&d->lock).\nTo avoid possible interrupt unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n[1] lock(&bdev->bd_size_lock);\n local_irq_disable();\n [2] lock(&d->lock);\n [3] lock(&bdev->bd_size_lock);\n \n[4] lock(&d->lock);\n\n *** DEADLOCK ***\n\nWhere [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().\n[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\nis trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.\nIn this situation an attempt to acquire [4]lock(&d->lock) from\naoecmd_cfg_rsp() will lead to deadlock.\n\nSo the simplest solution is breaking lock dependency\n[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()\noutside.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26775\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26775\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26775\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26775\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26775\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77\",\n \"https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26\",\n \"https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c\",\n \"https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naoe: avoid potential deadlock at set_capacity\\n\\nMove set_capacity() outside of the section procected by (&d->lock).\\nTo avoid possible interrupt unsafe locking scenario:\\n\\n CPU0 CPU1\\n ---- ----\\n[1] lock(&bdev->bd_size_lock);\\n local_irq_disable();\\n [2] lock(&d->lock);\\n [3] lock(&bdev->bd_size_lock);\\n \\n[4] lock(&d->lock);\\n\\n *** DEADLOCK ***\\n\\nWhere [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().\\n[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\\nis trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.\\nIn this situation an attempt to acquire [4]lock(&d->lock) from\\naoecmd_cfg_rsp() will lead to deadlock.\\n\\nSo the simplest solution is breaking lock dependency\\n[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()\\noutside.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26775\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26800", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26800" + }, + { + "url": "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0" + }, + { + "url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1" + }, + { + "url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe" + }, + { + "url": "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26800 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26800", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26800\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26800\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26800\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26800\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26800\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0\",\n \"https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1\",\n \"https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe\",\n \"https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntls: fix use-after-free on failed backlog decryption\\n\\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\\nreturns -EBUSY, tls_do_decryption will wait until all async\\ndecryptions have completed. If one of them fails, tls_do_decryption\\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\\nreleasing all the pages. But the pages have been passed to the async\\ncallback, and have already been released by tls_decrypt_done.\\n\\nThe only true async case is when crypto_aead_decrypt returns\\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\\ntls_sw_recvmsg that the data is available for immediate copy, but we\\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\\nmemory has already been released.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26800\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26807", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26807" + }, + { + "url": "https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61" + }, + { + "url": "https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc" + }, + { + "url": "https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26807 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26807", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBoth cadence-quadspi ->runtime_suspend() and ->runtime_resume()\nimplementations start with:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nThis obviously cannot be correct, unless \"struct cqspi_st\" is the\nfirst member of \" struct spi_controller\", or the other way around, but\nit is not the case. \"struct spi_controller\" is allocated by\ndevm_spi_alloc_host(), which allocates an extra amount of memory for\nprivate data, used to store \"struct cqspi_st\".\n\nThe ->probe() function of the cadence-quadspi driver then sets the\ndevice drvdata to store the address of the \"struct cqspi_st\"\nstructure. Therefore:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\nis correct, but:\n\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nis not, as it makes \"host\" point not to a \"struct spi_controller\" but\nto the same \"struct cqspi_st\" structure as above.\n\nThis obviously leads to bad things (memory corruption, kernel crashes)\ndirectly during ->probe(), as ->probe() enables the device using PM\nruntime, leading the ->runtime_resume() hook being called, which in\nturns calls spi_controller_resume() with the wrong pointer.\n\nThis has at least been reported [0] to cause a kernel crash, but the\nexact behavior will depend on the memory contents.\n\n[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/\n\nThis issue potentially affects all platforms that are currently using\nthe cadence-quadspi driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26807\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26807\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26807\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26807\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26807\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61\",\n \"https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc\",\n \"https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBoth cadence-quadspi ->runtime_suspend() and ->runtime_resume()\\nimplementations start with:\\n\\n\\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\\n\\tstruct spi_controller *host = dev_get_drvdata(dev);\\n\\nThis obviously cannot be correct, unless \\\"struct cqspi_st\\\" is the\\nfirst member of \\\" struct spi_controller\\\", or the other way around, but\\nit is not the case. \\\"struct spi_controller\\\" is allocated by\\ndevm_spi_alloc_host(), which allocates an extra amount of memory for\\nprivate data, used to store \\\"struct cqspi_st\\\".\\n\\nThe ->probe() function of the cadence-quadspi driver then sets the\\ndevice drvdata to store the address of the \\\"struct cqspi_st\\\"\\nstructure. Therefore:\\n\\n\\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\\n\\nis correct, but:\\n\\n\\tstruct spi_controller *host = dev_get_drvdata(dev);\\n\\nis not, as it makes \\\"host\\\" point not to a \\\"struct spi_controller\\\" but\\nto the same \\\"struct cqspi_st\\\" structure as above.\\n\\nThis obviously leads to bad things (memory corruption, kernel crashes)\\ndirectly during ->probe(), as ->probe() enables the device using PM\\nruntime, leading the ->runtime_resume() hook being called, which in\\nturns calls spi_controller_resume() with the wrong pointer.\\n\\nThis has at least been reported [0] to cause a kernel crash, but the\\nexact behavior will depend on the memory contents.\\n\\n[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/\\n\\nThis issue potentially affects all platforms that are currently using\\nthe cadence-quadspi driver.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26807\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26810", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26810" + }, + { + "url": "https://git.kernel.org/stable/c/03505e3344b0576fd619416793a31eae9c5b73bf" + }, + { + "url": "https://git.kernel.org/stable/c/04a4a017b9ffd7b0f427b8c376688d14cb614651" + }, + { + "url": "https://git.kernel.org/stable/c/1e71b6449d55179170efc8dee8664510bb813b42" + }, + { + "url": "https://git.kernel.org/stable/c/3dd9be6cb55e0f47544e7cdda486413f7134e3b3" + }, + { + "url": "https://git.kernel.org/stable/c/3fe0ac10bd117df847c93408a9d428a453cd60e5" + }, + { + "url": "https://git.kernel.org/stable/c/6fe478d855b20ac1eb5da724afe16af5a2aaaa40" + }, + { + "url": "https://git.kernel.org/stable/c/810cd4bb53456d0503cc4e7934e063835152c1b7" + }, + { + "url": "https://git.kernel.org/stable/c/ec73e079729258a05452356cf6d098bf1504d5a6" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26810 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26810", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Lock external INTx masking ops\n\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl. Create wrappers that add locking for\npaths outside of the core interrupt code.\n\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate. For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\n\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured. A subsequent patch introduces synchronization for\nthe latter flows.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26810\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26810\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26810\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26810\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26810\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03505e3344b0576fd619416793a31eae9c5b73bf\",\n \"https://git.kernel.org/stable/c/04a4a017b9ffd7b0f427b8c376688d14cb614651\",\n \"https://git.kernel.org/stable/c/1e71b6449d55179170efc8dee8664510bb813b42\",\n \"https://git.kernel.org/stable/c/3dd9be6cb55e0f47544e7cdda486413f7134e3b3\",\n \"https://git.kernel.org/stable/c/3fe0ac10bd117df847c93408a9d428a453cd60e5\",\n \"https://git.kernel.org/stable/c/6fe478d855b20ac1eb5da724afe16af5a2aaaa40\",\n \"https://git.kernel.org/stable/c/810cd4bb53456d0503cc4e7934e063835152c1b7\",\n \"https://git.kernel.org/stable/c/ec73e079729258a05452356cf6d098bf1504d5a6\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/pci: Lock external INTx masking ops\\n\\nMask operations through config space changes to DisINTx may race INTx\\nconfiguration changes via ioctl. Create wrappers that add locking for\\npaths outside of the core interrupt code.\\n\\nIn particular, irq_type is updated holding igate, therefore testing\\nis_intx() requires holding igate. For example clearing DisINTx from\\nconfig space can otherwise race changes of the interrupt configuration.\\n\\nThis aligns interfaces which may trigger the INTx eventfd into two\\ncamps, one side serialized by igate and the other only enabled while\\nINTx is configured. A subsequent patch introduces synchronization for\\nthe latter flows.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26810\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26811", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26811" + }, + { + "url": "https://git.kernel.org/stable/c/51a6c2af9d20203ddeeaf73314ba8854b38d01bd" + }, + { + "url": "https://git.kernel.org/stable/c/76af689a45aa44714b46d1a7de4ffdf851ded896" + }, + { + "url": "https://git.kernel.org/stable/c/88b7f1143b15b29cccb8392b4f38e75b7bb3e300" + }, + { + "url": "https://git.kernel.org/stable/c/a637fabac554270a851033f5ab402ecb90bc479c" + }, + { + "url": "https://git.kernel.org/stable/c/a677ebd8ca2f2632ccdecbad7b87641274e15aac" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26811 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26811", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate payload size in ipc response\n\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\nresponse to ksmbd kernel server. ksmbd should validate payload size of\nipc response from ksmbd.mountd to avoid memory overrun or\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26811\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26811\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26811\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26811\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26811\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/51a6c2af9d20203ddeeaf73314ba8854b38d01bd\",\n \"https://git.kernel.org/stable/c/76af689a45aa44714b46d1a7de4ffdf851ded896\",\n \"https://git.kernel.org/stable/c/88b7f1143b15b29cccb8392b4f38e75b7bb3e300\",\n \"https://git.kernel.org/stable/c/a637fabac554270a851033f5ab402ecb90bc479c\",\n \"https://git.kernel.org/stable/c/a677ebd8ca2f2632ccdecbad7b87641274e15aac\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: validate payload size in ipc response\\n\\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\\nresponse to ksmbd kernel server. ksmbd should validate payload size of\\nipc response from ksmbd.mountd to avoid memory overrun or\\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26811\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26812", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26812" + }, + { + "url": "https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034" + }, + { + "url": "https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d" + }, + { + "url": "https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897" + }, + { + "url": "https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834" + }, + { + "url": "https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c" + }, + { + "url": "https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e" + }, + { + "url": "https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3" + }, + { + "url": "https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26812 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26812", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those. The igate mutex cannot be acquired from the\natomic context of the eventfd wake function. Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd. Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26812\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26812\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26812\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26812\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26812\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034\",\n \"https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d\",\n \"https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897\",\n \"https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834\",\n \"https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c\",\n \"https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e\",\n \"https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3\",\n \"https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/pci: Create persistent INTx handler\\n\\nA vulnerability exists where the eventfd for INTx signaling can be\\ndeconfigured, which unregisters the IRQ handler but still allows\\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\\nor through unmask irqfd if the device interrupt is pending.\\n\\nIdeally this could be solved with some additional locking; the igate\\nmutex serializes the ioctl and config space accesses, and the interrupt\\nhandler is unregistered relative to the trigger, but the irqfd path\\nruns asynchronous to those. The igate mutex cannot be acquired from the\\natomic context of the eventfd wake function. Disabling the irqfd\\nrelative to the eventfd registration is potentially incompatible with\\nexisting userspace.\\n\\nAs a result, the solution implemented here moves configuration of the\\nINTx interrupt handler to track the lifetime of the INTx context object\\nand irq_type configuration, rather than registration of a particular\\ntrigger eventfd. Synchronization is added between the ioctl path and\\neventfd_signal() wrapper such that the eventfd trigger can be\\ndynamically updated relative to in-flight interrupts or irqfd callbacks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26812\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26813", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26813" + }, + { + "url": "https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e" + }, + { + "url": "https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5" + }, + { + "url": "https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29" + }, + { + "url": "https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086" + }, + { + "url": "https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375" + }, + { + "url": "https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362" + }, + { + "url": "https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a" + }, + { + "url": "https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26813 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26813", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path. This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal. This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it's guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26813\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26813\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26813\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26813\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26813\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e\",\n \"https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5\",\n \"https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29\",\n \"https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086\",\n \"https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375\",\n \"https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362\",\n \"https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a\",\n \"https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/platform: Create persistent IRQ handlers\\n\\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\\nan interrupt before a signaling eventfd has been configured by the user,\\nwhich thereby allows a NULL pointer dereference.\\n\\nRather than register the IRQ relative to a valid trigger, register all\\nIRQs in a disabled state in the device open path. This allows mask\\noperations on the IRQ to nest within the overall enable state governed\\nby a valid eventfd signal. This decouples @masked, protected by the\\n@locked spinlock from @trigger, protected via the @igate mutex.\\n\\nIn doing so, it's guaranteed that changes to @trigger cannot race the\\nIRQ handlers because the IRQ handler is synchronously disabled before\\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\\nsafe due to serialization with trigger changes via igate.\\n\\nFor compatibility, request_irq() failures are maintained to be local to\\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\\nThis allows, for example, a userspace driver with polling mode support\\nto continue to work regardless of moving the request_irq() call site.\\nThis necessarily blocks all SET_IRQS access to the failed index.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26813\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26814", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26814" + }, + { + "url": "https://git.kernel.org/stable/c/083e750c9f5f4c3bf61161330fb84d7c8e8bb417" + }, + { + "url": "https://git.kernel.org/stable/c/250219c6a556f8c69c5910fca05a59037e24147d" + }, + { + "url": "https://git.kernel.org/stable/c/6ec0d88166dac43f29e96801c0927d514f17add9" + }, + { + "url": "https://git.kernel.org/stable/c/7447d911af699a15f8d050dfcb7c680a86f87012" + }, + { + "url": "https://git.kernel.org/stable/c/a563fc18583ca4f42e2fdd0c70c7c618288e7ede" + }, + { + "url": "https://git.kernel.org/stable/c/de87511fb0404d23b6da5f4660383b6ed095e28d" + }, + { + "url": "https://git.kernel.org/stable/c/ee0bd4ad780dfbb60355b99f25063357ab488267" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26814 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26814", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/fsl-mc: Block calling interrupt handler without trigger\n\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the user sets the trigger\neventfd to -1. The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger. The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\n\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26814\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26814\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26814\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26814\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26814\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/083e750c9f5f4c3bf61161330fb84d7c8e8bb417\",\n \"https://git.kernel.org/stable/c/250219c6a556f8c69c5910fca05a59037e24147d\",\n \"https://git.kernel.org/stable/c/6ec0d88166dac43f29e96801c0927d514f17add9\",\n \"https://git.kernel.org/stable/c/7447d911af699a15f8d050dfcb7c680a86f87012\",\n \"https://git.kernel.org/stable/c/a563fc18583ca4f42e2fdd0c70c7c618288e7ede\",\n \"https://git.kernel.org/stable/c/de87511fb0404d23b6da5f4660383b6ed095e28d\",\n \"https://git.kernel.org/stable/c/ee0bd4ad780dfbb60355b99f25063357ab488267\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/fsl-mc: Block calling interrupt handler without trigger\\n\\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\\ninitially NULL and may become NULL if the user sets the trigger\\neventfd to -1. The interrupt handler itself is guaranteed that\\ntrigger is always valid between request_irq() and free_irq(), but\\nthe loopback testing mechanisms to invoke the handler function\\nneed to test the trigger. The triggering and setting ioctl paths\\nboth make use of igate and are therefore mutually exclusive.\\n\\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\\nsupport any sort of masking operations, therefore unlike vfio-pci\\nand vfio-platform, the flow can remain essentially unchanged.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26814\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26817", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26817" + }, + { + "url": "https://git.kernel.org/stable/c/0c33d11153949310d76631d8f4a4736519eacd3a" + }, + { + "url": "https://git.kernel.org/stable/c/315eb3c2df7e4cb18e3eacfa18a53a46f2bf0ef7" + }, + { + "url": "https://git.kernel.org/stable/c/3b0daecfeac0103aba8b293df07a0cbaf8b43f29" + }, + { + "url": "https://git.kernel.org/stable/c/8b0564704255c6b3c6a7188e86939f754e1577c0" + }, + { + "url": "https://git.kernel.org/stable/c/cbac7de1d9901521e78cdc34e15451df3611f2ad" + }, + { + "url": "https://git.kernel.org/stable/c/e6721ea845fcb93a764a92bd40f1afc0d6c69751" + }, + { + "url": "https://git.kernel.org/stable/c/e6768c6737f4c02cba193a3339f0cc2907f0b86a" + }, + { + "url": "https://git.kernel.org/stable/c/fcbd99b3c73309107e3be71f20dff9414df64f91" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26817 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26817", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\namdkfd: use calloc instead of kzalloc to avoid integer overflow\n\nThis uses calloc instead of doing the multiplication which might\noverflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26817\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26817\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26817\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26817\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26817\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c33d11153949310d76631d8f4a4736519eacd3a\",\n \"https://git.kernel.org/stable/c/315eb3c2df7e4cb18e3eacfa18a53a46f2bf0ef7\",\n \"https://git.kernel.org/stable/c/3b0daecfeac0103aba8b293df07a0cbaf8b43f29\",\n \"https://git.kernel.org/stable/c/8b0564704255c6b3c6a7188e86939f754e1577c0\",\n \"https://git.kernel.org/stable/c/cbac7de1d9901521e78cdc34e15451df3611f2ad\",\n \"https://git.kernel.org/stable/c/e6721ea845fcb93a764a92bd40f1afc0d6c69751\",\n \"https://git.kernel.org/stable/c/e6768c6737f4c02cba193a3339f0cc2907f0b86a\",\n \"https://git.kernel.org/stable/c/fcbd99b3c73309107e3be71f20dff9414df64f91\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\namdkfd: use calloc instead of kzalloc to avoid integer overflow\\n\\nThis uses calloc instead of doing the multiplication which might\\noverflow.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26817\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26822", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26822" + }, + { + "url": "https://git.kernel.org/stable/c/4508ec17357094e2075f334948393ddedbb75157" + }, + { + "url": "https://git.kernel.org/stable/c/7590ba9057c6d74c66f3b909a383ec47cd2f27fb" + }, + { + "url": "https://git.kernel.org/stable/c/c2aa2718cda2d56b4a551cb40043e9abc9684626" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26822 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26822", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: set correct id, uid and cruid for multiuser automounts\n\nWhen uid, gid and cruid are not specified, we need to dynamically\nset them into the filesystem context used for automounting otherwise\nthey'll end up reusing the values from the parent mount.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26822\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26822\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26822\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26822\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26822\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4508ec17357094e2075f334948393ddedbb75157\",\n \"https://git.kernel.org/stable/c/7590ba9057c6d74c66f3b909a383ec47cd2f27fb\",\n \"https://git.kernel.org/stable/c/c2aa2718cda2d56b4a551cb40043e9abc9684626\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: set correct id, uid and cruid for multiuser automounts\\n\\nWhen uid, gid and cruid are not specified, we need to dynamically\\nset them into the filesystem context used for automounting otherwise\\nthey'll end up reusing the values from the parent mount.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26822\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26828", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26828" + }, + { + "url": "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512" + }, + { + "url": "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204" + }, + { + "url": "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301" + }, + { + "url": "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26828 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26828", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need. However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t. That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26828\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26828\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26828\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26828\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26828\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512\",\n \"https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204\",\n \"https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301\",\n \"https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncifs: fix underflow in parse_server_interfaces()\\n\\nIn this loop, we step through the buffer and after each item we check\\nif the size_left is greater than the minimum size we need. However,\\nthe problem is that \\\"bytes_left\\\" is type ssize_t while sizeof() is type\\nsize_t. That means that because of type promotion, the comparison is\\ndone as an unsigned and if we have negative bytes left the loop\\ncontinues instead of ending.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26828\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26830", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26830" + }, + { + "url": "https://git.kernel.org/stable/c/1c981792e4ccbc134b468797acdd7781959e6893" + }, + { + "url": "https://git.kernel.org/stable/c/73d9629e1c8c1982f13688c4d1019c3994647ccc" + }, + { + "url": "https://git.kernel.org/stable/c/be147926140ac48022c9605d7ab0a67387e4b404" + }, + { + "url": "https://git.kernel.org/stable/c/d250a81ba813a93563be68072c563aa1e346346d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26830 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26830", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not allow untrusted VF to remove administratively set MAC\n\nCurrently when PF administratively sets VF's MAC address and the VF\nis put down (VF tries to delete all MACs) then the MAC is removed\nfrom MAC filters and primary VF MAC is zeroed.\n\nDo not allow untrusted VF to remove primary MAC when it was set\nadministratively by PF.\n\nReproducer:\n1) Create VF\n2) Set VF interface up\n3) Administratively set the VF's MAC\n4) Put VF interface down\n\n[root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs\n[root@host ~]# ip link set enp2s0f0v0 up\n[root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\n[root@host ~]# ip link set enp2s0f0v0 down\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26830\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26830\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26830\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26830\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26830\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c981792e4ccbc134b468797acdd7781959e6893\",\n \"https://git.kernel.org/stable/c/73d9629e1c8c1982f13688c4d1019c3994647ccc\",\n \"https://git.kernel.org/stable/c/be147926140ac48022c9605d7ab0a67387e4b404\",\n \"https://git.kernel.org/stable/c/d250a81ba813a93563be68072c563aa1e346346d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni40e: Do not allow untrusted VF to remove administratively set MAC\\n\\nCurrently when PF administratively sets VF's MAC address and the VF\\nis put down (VF tries to delete all MACs) then the MAC is removed\\nfrom MAC filters and primary VF MAC is zeroed.\\n\\nDo not allow untrusted VF to remove primary MAC when it was set\\nadministratively by PF.\\n\\nReproducer:\\n1) Create VF\\n2) Set VF interface up\\n3) Administratively set the VF's MAC\\n4) Put VF interface down\\n\\n[root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs\\n[root@host ~]# ip link set enp2s0f0v0 up\\n[root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d\\n[root@host ~]# ip link show enp2s0f0\\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\\n vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\\n[root@host ~]# ip link set enp2s0f0v0 down\\n[root@host ~]# ip link show enp2s0f0\\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\\n vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26830\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26837", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26837" + }, + { + "url": "https://git.kernel.org/stable/c/2d5b4b3376fa146a23917b8577064906d643925f" + }, + { + "url": "https://git.kernel.org/stable/c/603be95437e7fd85ba694e75918067fb9e7754db" + }, + { + "url": "https://git.kernel.org/stable/c/dc489f86257cab5056e747344f17a164f63bff4b" + }, + { + "url": "https://git.kernel.org/stable/c/e0b4c5b1d760008f1dd18c07c35af0442e54f9c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26837 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26837", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: switchdev: Skip MDB replays of deferred events on offload\n\nBefore this change, generation of the list of MDB events to replay\nwould race against the creation of new group memberships, either from\nthe IGMP/MLD snooping logic or from user configuration.\n\nWhile new memberships are immediately visible to walkers of\nbr->mdb_list, the notification of their existence to switchdev event\nsubscribers is deferred until a later point in time. So if a replay\nlist was generated during a time that overlapped with such a window,\nit would also contain a replay of the not-yet-delivered event.\n\nThe driver would thus receive two copies of what the bridge internally\nconsidered to be one single event. On destruction of the bridge, only\na single membership deletion event was therefore sent. As a\nconsequence of this, drivers which reference count memberships (at\nleast DSA), would be left with orphan groups in their hardware\ndatabase when the bridge was destroyed.\n\nThis is only an issue when replaying additions. While deletion events\nmay still be pending on the deferred queue, they will already have\nbeen removed from br->mdb_list, so no duplicates can be generated in\nthat scenario.\n\nTo a user this meant that old group memberships, from a bridge in\nwhich a port was previously attached, could be reanimated (in\nhardware) when the port joined a new bridge, without the new bridge's\nknowledge.\n\nFor example, on an mv88e6xxx system, create a snooping bridge and\nimmediately add a port to it:\n\n root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\\n > ip link set dev x3 up master br0\n\nAnd then destroy the bridge:\n\n root@infix-06-0b-00:~$ ip link del dev br0\n root@infix-06-0b-00:~$ mvls atu\n ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a\n DEV:0 Marvell 88E6393X\n 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . .\n 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . .\n ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a\n root@infix-06-0b-00:~$\n\nThe two IPv6 groups remain in the hardware database because the\nport (x3) is notified of the host's membership twice: once via the\noriginal event and once via a replay. Since only a single delete\nnotification is sent, the count remains at 1 when the bridge is\ndestroyed.\n\nThen add the same port (or another port belonging to the same hardware\ndomain) to a new bridge, this time with snooping disabled:\n\n root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\\n > ip link set dev x3 up master br1\n\nAll multicast, including the two IPv6 groups from br0, should now be\nflooded, according to the policy of br1. But instead the old\nmemberships are still active in the hardware database, causing the\nswitch to only forward traffic to those groups towards the CPU (port\n0).\n\nEliminate the race in two steps:\n\n1. Grab the write-side lock of the MDB while generating the replay\n list.\n\nThis prevents new memberships from showing up while we are generating\nthe replay list. But it leaves the scenario in which a deferred event\nwas already generated, but not delivered, before we grabbed the\nlock. Therefore:\n\n2. Make sure that no deferred version of a replay event is already\n enqueued to the switchdev deferred queue, before adding it to the\n replay list, when replaying additions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26837\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26837\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26837\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26837\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26837\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d5b4b3376fa146a23917b8577064906d643925f\",\n \"https://git.kernel.org/stable/c/603be95437e7fd85ba694e75918067fb9e7754db\",\n \"https://git.kernel.org/stable/c/dc489f86257cab5056e747344f17a164f63bff4b\",\n \"https://git.kernel.org/stable/c/e0b4c5b1d760008f1dd18c07c35af0442e54f9c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: bridge: switchdev: Skip MDB replays of deferred events on offload\\n\\nBefore this change, generation of the list of MDB events to replay\\nwould race against the creation of new group memberships, either from\\nthe IGMP/MLD snooping logic or from user configuration.\\n\\nWhile new memberships are immediately visible to walkers of\\nbr->mdb_list, the notification of their existence to switchdev event\\nsubscribers is deferred until a later point in time. So if a replay\\nlist was generated during a time that overlapped with such a window,\\nit would also contain a replay of the not-yet-delivered event.\\n\\nThe driver would thus receive two copies of what the bridge internally\\nconsidered to be one single event. On destruction of the bridge, only\\na single membership deletion event was therefore sent. As a\\nconsequence of this, drivers which reference count memberships (at\\nleast DSA), would be left with orphan groups in their hardware\\ndatabase when the bridge was destroyed.\\n\\nThis is only an issue when replaying additions. While deletion events\\nmay still be pending on the deferred queue, they will already have\\nbeen removed from br->mdb_list, so no duplicates can be generated in\\nthat scenario.\\n\\nTo a user this meant that old group memberships, from a bridge in\\nwhich a port was previously attached, could be reanimated (in\\nhardware) when the port joined a new bridge, without the new bridge's\\nknowledge.\\n\\nFor example, on an mv88e6xxx system, create a snooping bridge and\\nimmediately add a port to it:\\n\\n root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\\\\\n > ip link set dev x3 up master br0\\n\\nAnd then destroy the bridge:\\n\\n root@infix-06-0b-00:~$ ip link del dev br0\\n root@infix-06-0b-00:~$ mvls atu\\n ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a\\n DEV:0 Marvell 88E6393X\\n 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . .\\n 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . .\\n ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a\\n root@infix-06-0b-00:~$\\n\\nThe two IPv6 groups remain in the hardware database because the\\nport (x3) is notified of the host's membership twice: once via the\\noriginal event and once via a replay. Since only a single delete\\nnotification is sent, the count remains at 1 when the bridge is\\ndestroyed.\\n\\nThen add the same port (or another port belonging to the same hardware\\ndomain) to a new bridge, this time with snooping disabled:\\n\\n root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\\\\\n > ip link set dev x3 up master br1\\n\\nAll multicast, including the two IPv6 groups from br0, should now be\\nflooded, according to the policy of br1. But instead the old\\nmemberships are still active in the hardware database, causing the\\nswitch to only forward traffic to those groups towards the CPU (port\\n0).\\n\\nEliminate the race in two steps:\\n\\n1. Grab the write-side lock of the MDB while generating the replay\\n list.\\n\\nThis prevents new memberships from showing up while we are generating\\nthe replay list. But it leaves the scenario in which a deferred event\\nwas already generated, but not delivered, before we grabbed the\\nlock. Therefore:\\n\\n2. Make sure that no deferred version of a replay event is already\\n enqueued to the switchdev deferred queue, before adding it to the\\n replay list, when replaying additions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26837\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26842", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26842" + }, + { + "url": "https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe" + }, + { + "url": "https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb" + }, + { + "url": "https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26842 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26842", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()\n\nWhen task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<\ntask_tag will out of bounds for a u32 mask. Fix this up to prevent\nSHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).\n\n[name:debug_monitors&]Unexpected kernel BRK exception at EL1\n[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP\n[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done\n[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000\n[name:mrdump&]PHYS_OFFSET: 0x80000000\n[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)\n[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288\n[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n[name:mrdump&]sp : ffffffc0081471b0\n\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler\nCall trace:\n dump_backtrace+0xf8/0x144\n show_stack+0x18/0x24\n dump_stack_lvl+0x78/0x9c\n dump_stack+0x18/0x44\n mrdump_common_die+0x254/0x480 [mrdump]\n ipanic_die+0x20/0x30 [mrdump]\n notify_die+0x15c/0x204\n die+0x10c/0x5f8\n arm64_notify_die+0x74/0x13c\n do_debug_exception+0x164/0x26c\n el1_dbg+0x64/0x80\n el1h_64_sync_handler+0x3c/0x90\n el1h_64_sync+0x68/0x6c\n ufshcd_clear_cmd+0x280/0x288\n ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n ufshcd_exec_dev_cmd+0x5bc/0x9ac\n ufshcd_verify_dev_init+0x84/0x1c8\n ufshcd_probe_hba+0x724/0x1ce0\n ufshcd_host_reset_and_restore+0x260/0x574\n ufshcd_reset_and_restore+0x138/0xbd0\n ufshcd_err_handler+0x1218/0x2f28\n process_one_work+0x5fc/0x1140\n worker_thread+0x7d8/0xe20\n kthread+0x25c/0x468\n ret_from_fork+0x10/0x20", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26842\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26842\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26842\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26842\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26842\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe\",\n \"https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb\",\n \"https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()\\n\\nWhen task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<\\ntask_tag will out of bounds for a u32 mask. Fix this up to prevent\\nSHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).\\n\\n[name:debug_monitors&]Unexpected kernel BRK exception at EL1\\n[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP\\n[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done\\n[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000\\n[name:mrdump&]PHYS_OFFSET: 0x80000000\\n[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)\\n[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288\\n[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c\\n[name:mrdump&]sp : ffffffc0081471b0\\n\\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler\\nCall trace:\\n dump_backtrace+0xf8/0x144\\n show_stack+0x18/0x24\\n dump_stack_lvl+0x78/0x9c\\n dump_stack+0x18/0x44\\n mrdump_common_die+0x254/0x480 [mrdump]\\n ipanic_die+0x20/0x30 [mrdump]\\n notify_die+0x15c/0x204\\n die+0x10c/0x5f8\\n arm64_notify_die+0x74/0x13c\\n do_debug_exception+0x164/0x26c\\n el1_dbg+0x64/0x80\\n el1h_64_sync_handler+0x3c/0x90\\n el1h_64_sync+0x68/0x6c\\n ufshcd_clear_cmd+0x280/0x288\\n ufshcd_wait_for_dev_cmd+0x3e4/0x82c\\n ufshcd_exec_dev_cmd+0x5bc/0x9ac\\n ufshcd_verify_dev_init+0x84/0x1c8\\n ufshcd_probe_hba+0x724/0x1ce0\\n ufshcd_host_reset_and_restore+0x260/0x574\\n ufshcd_reset_and_restore+0x138/0xbd0\\n ufshcd_err_handler+0x1218/0x2f28\\n process_one_work+0x5fc/0x1140\\n worker_thread+0x7d8/0xe20\\n kthread+0x25c/0x468\\n ret_from_fork+0x10/0x20\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26842\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26844", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26844" + }, + { + "url": "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956" + }, + { + "url": "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6" + }, + { + "url": "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b" + }, + { + "url": "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26844 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26844", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix WARNING in _copy_from_iter\n\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzcaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\n\nThus the iovec is used in both directions.\n\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26844\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26844\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26844\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26844\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26844\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956\",\n \"https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6\",\n \"https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b\",\n \"https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: Fix WARNING in _copy_from_iter\\n\\nSyzkaller reports a warning in _copy_from_iter because an\\niov_iter is supposedly used in the wrong direction. The reason\\nis that syzcaller managed to generate a request with\\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\\nthe kernel to copy user buffers into the kernel, read into\\nthe copied buffers and then copy the data back to user space.\\n\\nThus the iovec is used in both directions.\\n\\nDetect this situation in the block layer and construct a new\\niterator with the correct direction for the copy-in.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26844\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26848", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26848" + }, + { + "url": "https://git.kernel.org/stable/c/058ed71e0f7aa3b6694ca357e23d084e5d3f2470" + }, + { + "url": "https://git.kernel.org/stable/c/106e14ca55a0acb3236ee98813a1d243f8aa2d05" + }, + { + "url": "https://git.kernel.org/stable/c/2afdd0cb02329464d77f3ec59468395c791a51a4" + }, + { + "url": "https://git.kernel.org/stable/c/5c78be006ed9cb735ac2abf4fd64f3f4ea26da31" + }, + { + "url": "https://git.kernel.org/stable/c/5f7a07646655fb4108da527565dcdc80124b14c4" + }, + { + "url": "https://git.kernel.org/stable/c/76426abf9b980b46983f97de8e5b25047b4c9863" + }, + { + "url": "https://git.kernel.org/stable/c/80b15346492bdba677bbb0adefc611910e505f7b" + }, + { + "url": "https://git.kernel.org/stable/c/854ebf45a4ddd4cadeffb6644e88d19020634e1a" + }, + { + "url": "https://git.kernel.org/stable/c/96370ba395c572ef496fd2c7afc4a1ab3dedd3f0" + }, + { + "url": "https://git.kernel.org/stable/c/9c41f4935625218a2053a2dce1423c3054169809" + }, + { + "url": "https://git.kernel.org/stable/c/a6ffae61ad9ebf2fdcb943135b2f30c85f49cd27" + }, + { + "url": "https://git.kernel.org/stable/c/b94f434fe977689da4291dc21717790b9bd1c064" + }, + { + "url": "https://git.kernel.org/stable/c/f67898867b6b0f4542cddc7fe57997978b948a7a" + }, + { + "url": "https://git.kernel.org/stable/c/fe02316e4933befc621fa125efb8f8b4d04cceec" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26848 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26848", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix endless loop in directory parsing\n\nIf a directory has a block with only \".__afsXXXX\" files in it (from\nuncompleted silly-rename), these .__afsXXXX files are skipped but without\nadvancing the file position in the dir_context. This leads to\nafs_dir_iterate() repeating the block again and again.\n\nFix this by making the code that skips the .__afsXXXX file also manually\nadvance the file position.\n\nThe symptoms are a soft lookup:\n\n watchdog: BUG: soft lockup - CPU#3 stuck for 52s! [check:5737]\n ...\n RIP: 0010:afs_dir_iterate_block+0x39/0x1fd\n ...\n ? watchdog_timer_fn+0x1a6/0x213\n ...\n ? asm_sysvec_apic_timer_interrupt+0x16/0x20\n ? afs_dir_iterate_block+0x39/0x1fd\n afs_dir_iterate+0x10a/0x148\n afs_readdir+0x30/0x4a\n iterate_dir+0x93/0xd3\n __do_sys_getdents64+0x6b/0xd4\n\nThis is almost certainly the actual fix for:\n\n https://bugzilla.kernel.org/show_bug.cgi?id=218496", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26848\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26848\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26848\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26848\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26848\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/058ed71e0f7aa3b6694ca357e23d084e5d3f2470\",\n \"https://git.kernel.org/stable/c/106e14ca55a0acb3236ee98813a1d243f8aa2d05\",\n \"https://git.kernel.org/stable/c/2afdd0cb02329464d77f3ec59468395c791a51a4\",\n \"https://git.kernel.org/stable/c/5c78be006ed9cb735ac2abf4fd64f3f4ea26da31\",\n \"https://git.kernel.org/stable/c/5f7a07646655fb4108da527565dcdc80124b14c4\",\n \"https://git.kernel.org/stable/c/76426abf9b980b46983f97de8e5b25047b4c9863\",\n \"https://git.kernel.org/stable/c/80b15346492bdba677bbb0adefc611910e505f7b\",\n \"https://git.kernel.org/stable/c/854ebf45a4ddd4cadeffb6644e88d19020634e1a\",\n \"https://git.kernel.org/stable/c/96370ba395c572ef496fd2c7afc4a1ab3dedd3f0\",\n \"https://git.kernel.org/stable/c/9c41f4935625218a2053a2dce1423c3054169809\",\n \"https://git.kernel.org/stable/c/a6ffae61ad9ebf2fdcb943135b2f30c85f49cd27\",\n \"https://git.kernel.org/stable/c/b94f434fe977689da4291dc21717790b9bd1c064\",\n \"https://git.kernel.org/stable/c/f67898867b6b0f4542cddc7fe57997978b948a7a\",\n \"https://git.kernel.org/stable/c/fe02316e4933befc621fa125efb8f8b4d04cceec\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nafs: Fix endless loop in directory parsing\\n\\nIf a directory has a block with only \\\".__afsXXXX\\\" files in it (from\\nuncompleted silly-rename), these .__afsXXXX files are skipped but without\\nadvancing the file position in the dir_context. This leads to\\nafs_dir_iterate() repeating the block again and again.\\n\\nFix this by making the code that skips the .__afsXXXX file also manually\\nadvance the file position.\\n\\nThe symptoms are a soft lookup:\\n\\n watchdog: BUG: soft lockup - CPU#3 stuck for 52s! [check:5737]\\n ...\\n RIP: 0010:afs_dir_iterate_block+0x39/0x1fd\\n ...\\n ? watchdog_timer_fn+0x1a6/0x213\\n ...\\n ? asm_sysvec_apic_timer_interrupt+0x16/0x20\\n ? afs_dir_iterate_block+0x39/0x1fd\\n afs_dir_iterate+0x10a/0x148\\n afs_readdir+0x30/0x4a\\n iterate_dir+0x93/0xd3\\n __do_sys_getdents64+0x6b/0xd4\\n\\nThis is almost certainly the actual fix for:\\n\\n https://bugzilla.kernel.org/show_bug.cgi?id=218496\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26848\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26853", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26853" + }, + { + "url": "https://git.kernel.org/stable/c/1b3b8231386a572bac8cd5b6fd7e944b84f9bb1f" + }, + { + "url": "https://git.kernel.org/stable/c/63a3c1f3c9ecc654d851e7906d05334cd0c236e2" + }, + { + "url": "https://git.kernel.org/stable/c/8df393af9e7e8dfd62e9c41dbaa4d2ff53bf794a" + }, + { + "url": "https://git.kernel.org/stable/c/ef27f655b438bed4c83680e4f01e1cde2739854b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26853 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26853", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: avoid returning frame twice in XDP_REDIRECT\n\nWhen a frame can not be transmitted in XDP_REDIRECT\n(e.g. due to a full queue), it is necessary to free\nit by calling xdp_return_frame_rx_napi.\n\nHowever, this is the responsibility of the caller of\nthe ndo_xdp_xmit (see for example bq_xmit_all in\nkernel/bpf/devmap.c) and thus calling it inside\nigc_xdp_xmit (which is the ndo_xdp_xmit of the igc\ndriver) as well will lead to memory corruption.\n\nIn fact, bq_xmit_all expects that it can return all\nframes after the last successfully transmitted one.\nTherefore, break for the first not transmitted frame,\nbut do not call xdp_return_frame_rx_napi in igc_xdp_xmit.\nThis is equally implemented in other Intel drivers\nsuch as the igb.\n\nThere are two alternatives to this that were rejected:\n1. Return num_frames as all the frames would have been\n transmitted and release them inside igc_xdp_xmit.\n While it might work technically, it is not what\n the return value is meant to represent (i.e. the\n number of SUCCESSFULLY transmitted packets).\n2. Rework kernel/bpf/devmap.c and all drivers to\n support non-consecutively dropped packets.\n Besides being complex, it likely has a negative\n performance impact without a significant gain\n since it is anyway unlikely that the next frame\n can be transmitted if the previous one was dropped.\n\nThe memory corruption can be reproduced with\nthe following script which leads to a kernel panic\nafter a few seconds. It basically generates more\ntraffic than a i225 NIC can transmit and pushes it\nvia XDP_REDIRECT from a virtual interface to the\nphysical interface where frames get dropped.\n\n #!/bin/bash\n INTERFACE=enp4s0\n INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`\n\n sudo ip link add dev veth1 type veth peer name veth2\n sudo ip link set up $INTERFACE\n sudo ip link set up veth1\n sudo ip link set up veth2\n\n cat << EOF > redirect.bpf.c\n\n SEC(\"prog\")\n int redirect(struct xdp_md *ctx)\n {\n return bpf_redirect($INTERFACE_IDX, 0);\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o\n sudo ip link set veth2 xdp obj redirect.bpf.o\n\n cat << EOF > pass.bpf.c\n\n SEC(\"prog\")\n int pass(struct xdp_md *ctx)\n {\n return XDP_PASS;\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o\n sudo ip link set $INTERFACE xdp obj pass.bpf.o\n\n cat << EOF > trafgen.cfg\n\n {\n /* Ethernet Header */\n 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,\n 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,\n const16(ETH_P_IP),\n\n /* IPv4 Header */\n 0b01000101, 0, # IPv4 version, IHL, TOS\n const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header))\n const16(2), # IPv4 ident\n 0b01000000, 0, # IPv4 flags, fragmentation off\n 64, # IPv4 TTL\n 17, # Protocol UDP\n csumip(14, 33), # IPv4 checksum\n\n /* UDP Header */\n 10, 0, 1, 1, # IP Src - adapt as needed\n 10, 0, 1, 2, # IP Dest - adapt as needed\n const16(6666), # UDP Src Port\n const16(6666), # UDP Dest Port\n const16(1008), # UDP length (UDP header 8 bytes + payload length)\n csumudp(14, 34), # UDP checksum\n\n /* Payload */\n fill('W', 1000),\n }\n EOF\n\n sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26853\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26853\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26853\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26853\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26853\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b3b8231386a572bac8cd5b6fd7e944b84f9bb1f\",\n \"https://git.kernel.org/stable/c/63a3c1f3c9ecc654d851e7906d05334cd0c236e2\",\n \"https://git.kernel.org/stable/c/8df393af9e7e8dfd62e9c41dbaa4d2ff53bf794a\",\n \"https://git.kernel.org/stable/c/ef27f655b438bed4c83680e4f01e1cde2739854b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nigc: avoid returning frame twice in XDP_REDIRECT\\n\\nWhen a frame can not be transmitted in XDP_REDIRECT\\n(e.g. due to a full queue), it is necessary to free\\nit by calling xdp_return_frame_rx_napi.\\n\\nHowever, this is the responsibility of the caller of\\nthe ndo_xdp_xmit (see for example bq_xmit_all in\\nkernel/bpf/devmap.c) and thus calling it inside\\nigc_xdp_xmit (which is the ndo_xdp_xmit of the igc\\ndriver) as well will lead to memory corruption.\\n\\nIn fact, bq_xmit_all expects that it can return all\\nframes after the last successfully transmitted one.\\nTherefore, break for the first not transmitted frame,\\nbut do not call xdp_return_frame_rx_napi in igc_xdp_xmit.\\nThis is equally implemented in other Intel drivers\\nsuch as the igb.\\n\\nThere are two alternatives to this that were rejected:\\n1. Return num_frames as all the frames would have been\\n transmitted and release them inside igc_xdp_xmit.\\n While it might work technically, it is not what\\n the return value is meant to represent (i.e. the\\n number of SUCCESSFULLY transmitted packets).\\n2. Rework kernel/bpf/devmap.c and all drivers to\\n support non-consecutively dropped packets.\\n Besides being complex, it likely has a negative\\n performance impact without a significant gain\\n since it is anyway unlikely that the next frame\\n can be transmitted if the previous one was dropped.\\n\\nThe memory corruption can be reproduced with\\nthe following script which leads to a kernel panic\\nafter a few seconds. It basically generates more\\ntraffic than a i225 NIC can transmit and pushes it\\nvia XDP_REDIRECT from a virtual interface to the\\nphysical interface where frames get dropped.\\n\\n #!/bin/bash\\n INTERFACE=enp4s0\\n INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`\\n\\n sudo ip link add dev veth1 type veth peer name veth2\\n sudo ip link set up $INTERFACE\\n sudo ip link set up veth1\\n sudo ip link set up veth2\\n\\n cat << EOF > redirect.bpf.c\\n\\n SEC(\\\"prog\\\")\\n int redirect(struct xdp_md *ctx)\\n {\\n return bpf_redirect($INTERFACE_IDX, 0);\\n }\\n\\n char _license[] SEC(\\\"license\\\") = \\\"GPL\\\";\\n EOF\\n clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o\\n sudo ip link set veth2 xdp obj redirect.bpf.o\\n\\n cat << EOF > pass.bpf.c\\n\\n SEC(\\\"prog\\\")\\n int pass(struct xdp_md *ctx)\\n {\\n return XDP_PASS;\\n }\\n\\n char _license[] SEC(\\\"license\\\") = \\\"GPL\\\";\\n EOF\\n clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o\\n sudo ip link set $INTERFACE xdp obj pass.bpf.o\\n\\n cat << EOF > trafgen.cfg\\n\\n {\\n /* Ethernet Header */\\n 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,\\n 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,\\n const16(ETH_P_IP),\\n\\n /* IPv4 Header */\\n 0b01000101, 0, # IPv4 version, IHL, TOS\\n const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header))\\n const16(2), # IPv4 ident\\n 0b01000000, 0, # IPv4 flags, fragmentation off\\n 64, # IPv4 TTL\\n 17, # Protocol UDP\\n csumip(14, 33), # IPv4 checksum\\n\\n /* UDP Header */\\n 10, 0, 1, 1, # IP Src - adapt as needed\\n 10, 0, 1, 2, # IP Dest - adapt as needed\\n const16(6666), # UDP Src Port\\n const16(6666), # UDP Dest Port\\n const16(1008), # UDP length (UDP header 8 bytes + payload length)\\n csumudp(14, 34), # UDP checksum\\n\\n /* Payload */\\n fill('W', 1000),\\n }\\n EOF\\n\\n sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26853\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26866", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26866" + }, + { + "url": "https://git.kernel.org/stable/c/1543418e82789cc383cd36d41469983c64e3fc7f" + }, + { + "url": "https://git.kernel.org/stable/c/2ae0ab0143fcc06190713ed81a6486ed0ad3c861" + }, + { + "url": "https://git.kernel.org/stable/c/996ce839606afd0fef91355627868022aa73eb68" + }, + { + "url": "https://git.kernel.org/stable/c/da83ed350e4604b976e94239b08d8e2e7eaee7ea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26866 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26866", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: lpspi: Avoid potential use-after-free in probe()\n\nfsl_lpspi_probe() is allocating/disposing memory manually with\nspi_alloc_host()/spi_alloc_target(), but uses\ndevm_spi_register_controller(). In case of error after the latter call the\nmemory will be explicitly freed in the probe function by\nspi_controller_put() call, but used afterwards by \"devm\" management outside\nprobe() (spi_unregister_controller() <- devm_spi_unregister() below).\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\n...\nCall trace:\n kernfs_find_ns\n kernfs_find_and_get_ns\n sysfs_remove_group\n sysfs_remove_groups\n device_remove_attrs\n device_del\n spi_unregister_controller\n devm_spi_unregister\n release_nodes\n devres_release_all\n really_probe\n driver_probe_device\n __device_attach_driver\n bus_for_each_drv\n __device_attach\n device_initial_probe\n bus_probe_device\n deferred_probe_work_func\n process_one_work\n worker_thread\n kthread\n ret_from_fork", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26866\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26866\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26866\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26866\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26866\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1543418e82789cc383cd36d41469983c64e3fc7f\",\n \"https://git.kernel.org/stable/c/2ae0ab0143fcc06190713ed81a6486ed0ad3c861\",\n \"https://git.kernel.org/stable/c/996ce839606afd0fef91355627868022aa73eb68\",\n \"https://git.kernel.org/stable/c/da83ed350e4604b976e94239b08d8e2e7eaee7ea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspi: lpspi: Avoid potential use-after-free in probe()\\n\\nfsl_lpspi_probe() is allocating/disposing memory manually with\\nspi_alloc_host()/spi_alloc_target(), but uses\\ndevm_spi_register_controller(). In case of error after the latter call the\\nmemory will be explicitly freed in the probe function by\\nspi_controller_put() call, but used afterwards by \\\"devm\\\" management outside\\nprobe() (spi_unregister_controller() <- devm_spi_unregister() below).\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\\n...\\nCall trace:\\n kernfs_find_ns\\n kernfs_find_and_get_ns\\n sysfs_remove_group\\n sysfs_remove_groups\\n device_remove_attrs\\n device_del\\n spi_unregister_controller\\n devm_spi_unregister\\n release_nodes\\n devres_release_all\\n really_probe\\n driver_probe_device\\n __device_attach_driver\\n bus_for_each_drv\\n __device_attach\\n device_initial_probe\\n bus_probe_device\\n deferred_probe_work_func\\n process_one_work\\n worker_thread\\n kthread\\n ret_from_fork\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26866\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26869", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26869" + }, + { + "url": "https://git.kernel.org/stable/c/04226d8e3c4028dc451e9d8777356ec0f7919253" + }, + { + "url": "https://git.kernel.org/stable/c/77bfdb89cc222fc7bfe198eda77bdc427d5ac189" + }, + { + "url": "https://git.kernel.org/stable/c/9f0c4a46be1fe9b97dbe66d49204c1371e3ece65" + }, + { + "url": "https://git.kernel.org/stable/c/c92f2927df860a60ba815d3ee610a944b92a8694" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26869 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26869", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate meta inode pages forcely\n\nBelow race case can cause data corruption:\n\nThread A\t\t\t\tGC thread\n\t\t\t\t\t- gc_data_segment\n\t\t\t\t\t - ra_data_block\n\t\t\t\t\t - locked meta_inode page\n- f2fs_inplace_write_data\n - invalidate_mapping_pages\n : fail to invalidate meta_inode page\n due to lock failure or dirty|writeback\n status\n - f2fs_submit_page_bio\n : write last dirty data to old blkaddr\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t - load old data from meta_inode page\n\t\t\t\t\t - f2fs_submit_page_write\n\t\t\t\t\t : write old data to new blkaddr\n\nBecause invalidate_mapping_pages() will skip invalidating page which\nhas unclear status including locked, dirty, writeback and so on, so\nwe need to use truncate_inode_pages_range() instead of\ninvalidate_mapping_pages() to make sure meta_inode page will be dropped.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26869\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26869\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26869\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26869\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26869\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04226d8e3c4028dc451e9d8777356ec0f7919253\",\n \"https://git.kernel.org/stable/c/77bfdb89cc222fc7bfe198eda77bdc427d5ac189\",\n \"https://git.kernel.org/stable/c/9f0c4a46be1fe9b97dbe66d49204c1371e3ece65\",\n \"https://git.kernel.org/stable/c/c92f2927df860a60ba815d3ee610a944b92a8694\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to truncate meta inode pages forcely\\n\\nBelow race case can cause data corruption:\\n\\nThread A\\t\\t\\t\\tGC thread\\n\\t\\t\\t\\t\\t- gc_data_segment\\n\\t\\t\\t\\t\\t - ra_data_block\\n\\t\\t\\t\\t\\t - locked meta_inode page\\n- f2fs_inplace_write_data\\n - invalidate_mapping_pages\\n : fail to invalidate meta_inode page\\n due to lock failure or dirty|writeback\\n status\\n - f2fs_submit_page_bio\\n : write last dirty data to old blkaddr\\n\\t\\t\\t\\t\\t - move_data_block\\n\\t\\t\\t\\t\\t - load old data from meta_inode page\\n\\t\\t\\t\\t\\t - f2fs_submit_page_write\\n\\t\\t\\t\\t\\t : write old data to new blkaddr\\n\\nBecause invalidate_mapping_pages() will skip invalidating page which\\nhas unclear status including locked, dirty, writeback and so on, so\\nwe need to use truncate_inode_pages_range() instead of\\ninvalidate_mapping_pages() to make sure meta_inode page will be dropped.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26869\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26876", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26876" + }, + { + "url": "https://git.kernel.org/stable/c/28a94271bd50e4cf498df0381f776f8ea40a289e" + }, + { + "url": "https://git.kernel.org/stable/c/955c1252930677762e0db2b6b9e36938c887445c" + }, + { + "url": "https://git.kernel.org/stable/c/aeedaee5ef5468caf59e2bb1265c2116e0c9a924" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26876 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26876", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: adv7511: fix crash on irq during probe\n\nMoved IRQ registration down to end of adv7511_probe().\n\nIf an IRQ already is pending during adv7511_probe\n(before adv7511_cec_init) then cec_received_msg_ts\ncould crash using uninitialized data:\n\n Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5\n Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP\n Call trace:\n cec_received_msg_ts+0x48/0x990 [cec]\n adv7511_cec_irq_process+0x1cc/0x308 [adv7511]\n adv7511_irq_process+0xd8/0x120 [adv7511]\n adv7511_irq_handler+0x1c/0x30 [adv7511]\n irq_thread_fn+0x30/0xa0\n irq_thread+0x14c/0x238\n kthread+0x190/0x1a8", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26876\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26876\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26876\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26876\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26876\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/28a94271bd50e4cf498df0381f776f8ea40a289e\",\n \"https://git.kernel.org/stable/c/955c1252930677762e0db2b6b9e36938c887445c\",\n \"https://git.kernel.org/stable/c/aeedaee5ef5468caf59e2bb1265c2116e0c9a924\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/bridge: adv7511: fix crash on irq during probe\\n\\nMoved IRQ registration down to end of adv7511_probe().\\n\\nIf an IRQ already is pending during adv7511_probe\\n(before adv7511_cec_init) then cec_received_msg_ts\\ncould crash using uninitialized data:\\n\\n Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5\\n Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP\\n Call trace:\\n cec_received_msg_ts+0x48/0x990 [cec]\\n adv7511_cec_irq_process+0x1cc/0x308 [adv7511]\\n adv7511_irq_process+0xd8/0x120 [adv7511]\\n adv7511_irq_handler+0x1c/0x30 [adv7511]\\n irq_thread_fn+0x30/0xa0\\n irq_thread+0x14c/0x238\\n kthread+0x190/0x1a8\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26876\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26886", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26886" + }, + { + "url": "https://git.kernel.org/stable/c/2c9e2df022ef8b9d7fac58a04a2ef4ed25288955" + }, + { + "url": "https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c" + }, + { + "url": "https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e205a01f7" + }, + { + "url": "https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae" + }, + { + "url": "https://git.kernel.org/stable/c/f7b94bdc1ec107c92262716b073b3e816d4784fb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26886 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26886", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: af_bluetooth: Fix deadlock\n\nAttemting to do sock_lock on .recvmsg may cause a deadlock as shown\nbellow, so instead of using sock_sock this uses sk_receive_queue.lock\non bt_sock_ioctl to avoid the UAF:\n\nINFO: task kworker/u9:1:121 blocked for more than 30 seconds.\n Not tainted 6.7.6-lemon #183\nWorkqueue: hci0 hci_rx_work\nCall Trace:\n \n __schedule+0x37d/0xa00\n schedule+0x32/0xe0\n __lock_sock+0x68/0xa0\n ? __pfx_autoremove_wake_function+0x10/0x10\n lock_sock_nested+0x43/0x50\n l2cap_sock_recv_cb+0x21/0xa0\n l2cap_recv_frame+0x55b/0x30a0\n ? psi_task_switch+0xeb/0x270\n ? finish_task_switch.isra.0+0x93/0x2a0\n hci_rx_work+0x33a/0x3f0\n process_one_work+0x13a/0x2f0\n worker_thread+0x2f0/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe0/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26886\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26886\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26886\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26886\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26886\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c9e2df022ef8b9d7fac58a04a2ef4ed25288955\",\n \"https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c\",\n \"https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e205a01f7\",\n \"https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae\",\n \"https://git.kernel.org/stable/c/f7b94bdc1ec107c92262716b073b3e816d4784fb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: af_bluetooth: Fix deadlock\\n\\nAttemting to do sock_lock on .recvmsg may cause a deadlock as shown\\nbellow, so instead of using sock_sock this uses sk_receive_queue.lock\\non bt_sock_ioctl to avoid the UAF:\\n\\nINFO: task kworker/u9:1:121 blocked for more than 30 seconds.\\n Not tainted 6.7.6-lemon #183\\nWorkqueue: hci0 hci_rx_work\\nCall Trace:\\n \\n __schedule+0x37d/0xa00\\n schedule+0x32/0xe0\\n __lock_sock+0x68/0xa0\\n ? __pfx_autoremove_wake_function+0x10/0x10\\n lock_sock_nested+0x43/0x50\\n l2cap_sock_recv_cb+0x21/0xa0\\n l2cap_recv_frame+0x55b/0x30a0\\n ? psi_task_switch+0xeb/0x270\\n ? finish_task_switch.isra.0+0x93/0x2a0\\n hci_rx_work+0x33a/0x3f0\\n process_one_work+0x13a/0x2f0\\n worker_thread+0x2f0/0x410\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xe0/0x110\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x2c/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26886\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26893" + }, + { + "url": "https://git.kernel.org/stable/c/0d276d9f335f41d6524258d58c0c0241ef9a83a4" + }, + { + "url": "https://git.kernel.org/stable/c/857f56db8c3a71f9871922b6984ff74ad588cb2c" + }, + { + "url": "https://git.kernel.org/stable/c/8ffaa17ccb1eb1b65cf85db63225a3581c303773" + }, + { + "url": "https://git.kernel.org/stable/c/ead445dd3d681020af333649a27306160eee761d" + }, + { + "url": "https://git.kernel.org/stable/c/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\n\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\n\n | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n | arm-scmi firmware:scmi: unable to communicate with SCMI\n | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n | Mem abort info:\n | ESR = 0x0000000096000004\n | EC = 0x25: DABT (current EL), IL = 32 bits\n | SET = 0, FnV = 0\n | EA = 0, S1PTW = 0\n | FSC = 0x04: level 0 translation fault\n | Data abort info:\n | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n | CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n | Modules linked in:\n | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n | Hardware name: FVP Base RevC (DT)\n | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n | pc : smc_chan_free+0x3c/0x6c\n | lr : smc_chan_free+0x3c/0x6c\n | Call trace:\n | smc_chan_free+0x3c/0x6c\n | idr_for_each+0x68/0xf8\n | scmi_cleanup_channels.isra.0+0x2c/0x58\n | scmi_probe+0x434/0x734\n | platform_probe+0x68/0xd8\n | really_probe+0x110/0x27c\n | __driver_probe_device+0x78/0x12c\n | driver_probe_device+0x3c/0x118\n | __driver_attach+0x74/0x128\n | bus_for_each_dev+0x78/0xe0\n | driver_attach+0x24/0x30\n | bus_add_driver+0xe4/0x1e8\n | driver_register+0x60/0x128\n | __platform_driver_register+0x28/0x34\n | scmi_driver_init+0x84/0xc0\n | do_one_initcall+0x78/0x33c\n | kernel_init_freeable+0x2b8/0x51c\n | kernel_init+0x24/0x130\n | ret_from_fork+0x10/0x20\n | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n | ---[ end trace 0000000000000000 ]---\n\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\n\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d276d9f335f41d6524258d58c0c0241ef9a83a4\",\n \"https://git.kernel.org/stable/c/857f56db8c3a71f9871922b6984ff74ad588cb2c\",\n \"https://git.kernel.org/stable/c/8ffaa17ccb1eb1b65cf85db63225a3581c303773\",\n \"https://git.kernel.org/stable/c/ead445dd3d681020af333649a27306160eee761d\",\n \"https://git.kernel.org/stable/c/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\\n\\nWhen the generic SCMI code tears down a channel, it calls the chan_free\\ncallback function, defined by each transport. Since multiple protocols\\nmight share the same transport_info member, chan_free() might want to\\nclean up the same member multiple times within the given SCMI transport\\nimplementation. In this case, it is SMC transport. This will lead to a NULL\\npointer dereference at the second time:\\n\\n | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\\n | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\\n | arm-scmi firmware:scmi: unable to communicate with SCMI\\n | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\\n | Mem abort info:\\n | ESR = 0x0000000096000004\\n | EC = 0x25: DABT (current EL), IL = 32 bits\\n | SET = 0, FnV = 0\\n | EA = 0, S1PTW = 0\\n | FSC = 0x04: level 0 translation fault\\n | Data abort info:\\n | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\\n | CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\\n | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\\n | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\\n | Modules linked in:\\n | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\\n | Hardware name: FVP Base RevC (DT)\\n | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\\n | pc : smc_chan_free+0x3c/0x6c\\n | lr : smc_chan_free+0x3c/0x6c\\n | Call trace:\\n | smc_chan_free+0x3c/0x6c\\n | idr_for_each+0x68/0xf8\\n | scmi_cleanup_channels.isra.0+0x2c/0x58\\n | scmi_probe+0x434/0x734\\n | platform_probe+0x68/0xd8\\n | really_probe+0x110/0x27c\\n | __driver_probe_device+0x78/0x12c\\n | driver_probe_device+0x3c/0x118\\n | __driver_attach+0x74/0x128\\n | bus_for_each_dev+0x78/0xe0\\n | driver_attach+0x24/0x30\\n | bus_add_driver+0xe4/0x1e8\\n | driver_register+0x60/0x128\\n | __platform_driver_register+0x28/0x34\\n | scmi_driver_init+0x84/0xc0\\n | do_one_initcall+0x78/0x33c\\n | kernel_init_freeable+0x2b8/0x51c\\n | kernel_init+0x24/0x130\\n | ret_from_fork+0x10/0x20\\n | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\\n | ---[ end trace 0000000000000000 ]---\\n\\nSimply check for the struct pointer being NULL before trying to access\\nits members, to avoid this situation.\\n\\nThis was found when a transport doesn't really work (for instance no SMC\\nservice), the probe routines then tries to clean up, and triggers a crash.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26896", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26896" + }, + { + "url": "https://git.kernel.org/stable/c/12f00a367b2b62756e0396f14b54c2c15524e1c3" + }, + { + "url": "https://git.kernel.org/stable/c/3a71ec74e5e3478d202a1874f085ca3ef40be49b" + }, + { + "url": "https://git.kernel.org/stable/c/a1f57a0127b89a6b6620514564aa7eaec16d9af3" + }, + { + "url": "https://git.kernel.org/stable/c/b8cfb7c819dd39965136a66fe3a7fde688d976fc" + }, + { + "url": "https://git.kernel.org/stable/c/dadbb5d29d6c5f571a50272fce8c1505a9559487" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26896 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26896", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix memory leak when starting AP\n\nKmemleak reported this error:\n\n unreferenced object 0xd73d1180 (size 184):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.245s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 1e 00 01 00 00 00 00 00 ................\n backtrace:\n [<5ca11420>] kmem_cache_alloc+0x20c/0x5ac\n [<127bdd74>] __alloc_skb+0x144/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n [<69954f45>] __sys_sendmsg+0x64/0xa8\n unreferenced object 0xce087000 (size 1024):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.246s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 10 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............\n backtrace:\n [<9a993714>] __kmalloc_track_caller+0x230/0x600\n [] kmalloc_reserve.constprop.0+0x30/0x74\n [] __alloc_skb+0xa0/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n\nHowever, since the kernel is build optimized, it seems the stack is not\naccurate. It appears the issue is related to wfx_set_mfp_ap(). The issue\nis obvious in this function: memory allocated by ieee80211_beacon_get()\nis never released. Fixing this leak makes kmemleak happy.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26896\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26896\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26896\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26896\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26896\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12f00a367b2b62756e0396f14b54c2c15524e1c3\",\n \"https://git.kernel.org/stable/c/3a71ec74e5e3478d202a1874f085ca3ef40be49b\",\n \"https://git.kernel.org/stable/c/a1f57a0127b89a6b6620514564aa7eaec16d9af3\",\n \"https://git.kernel.org/stable/c/b8cfb7c819dd39965136a66fe3a7fde688d976fc\",\n \"https://git.kernel.org/stable/c/dadbb5d29d6c5f571a50272fce8c1505a9559487\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: wfx: fix memory leak when starting AP\\n\\nKmemleak reported this error:\\n\\n unreferenced object 0xd73d1180 (size 184):\\n comm \\\"wpa_supplicant\\\", pid 1559, jiffies 13006305 (age 964.245s)\\n hex dump (first 32 bytes):\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n 00 00 00 00 00 00 00 00 1e 00 01 00 00 00 00 00 ................\\n backtrace:\\n [<5ca11420>] kmem_cache_alloc+0x20c/0x5ac\\n [<127bdd74>] __alloc_skb+0x144/0x170\\n [] __netdev_alloc_skb+0x50/0x180\\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\\n [<6b7c977a>] genl_rcv+0x34/0x44\\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\\n [] netlink_sendmsg+0x1e8/0x428\\n [] ____sys_sendmsg+0x1e0/0x274\\n [] ___sys_sendmsg+0x80/0xb4\\n [<69954f45>] __sys_sendmsg+0x64/0xa8\\n unreferenced object 0xce087000 (size 1024):\\n comm \\\"wpa_supplicant\\\", pid 1559, jiffies 13006305 (age 964.246s)\\n hex dump (first 32 bytes):\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n 10 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............\\n backtrace:\\n [<9a993714>] __kmalloc_track_caller+0x230/0x600\\n [] kmalloc_reserve.constprop.0+0x30/0x74\\n [] __alloc_skb+0xa0/0x170\\n [] __netdev_alloc_skb+0x50/0x180\\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\\n [<6b7c977a>] genl_rcv+0x34/0x44\\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\\n [] netlink_sendmsg+0x1e8/0x428\\n [] ____sys_sendmsg+0x1e0/0x274\\n [] ___sys_sendmsg+0x80/0xb4\\n\\nHowever, since the kernel is build optimized, it seems the stack is not\\naccurate. It appears the issue is related to wfx_set_mfp_ap(). The issue\\nis obvious in this function: memory allocated by ieee80211_beacon_get()\\nis never released. Fixing this leak makes kmemleak happy.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26896\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26900" + }, + { + "url": "https://git.kernel.org/stable/c/4c1021ce46fc2fb6115f7e79d353941e6dcad366" + }, + { + "url": "https://git.kernel.org/stable/c/6cf350658736681b9d6b0b6e58c5c76b235bb4c4" + }, + { + "url": "https://git.kernel.org/stable/c/6d32c832a88513f65c2c2c9c75954ee8b387adea" + }, + { + "url": "https://git.kernel.org/stable/c/9fd0198f7ef06ae0d6636fb0578560857dead995" + }, + { + "url": "https://git.kernel.org/stable/c/beaf11969fd5cbe6f09cefaa34df1ce8578e8dd9" + }, + { + "url": "https://git.kernel.org/stable/c/f3a1787dc48213f6caea5ba7d47e0222e7fa34a9" + }, + { + "url": "https://git.kernel.org/stable/c/fb5b347efd1bda989846ffc74679d181222fb123" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix kmemleak of rdev->serial\n\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\n\nunreferenced object 0xffff88815a350000 (size 49152):\n comm \"mdadm\", pid 789, jiffies 4294716910\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc f773277a):\n [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n [<0000000085086a11>] vfs_ioctl+0x22/0x60\n [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n [<00000000e54e675e>] do_syscall_64+0x71/0x150\n [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c1021ce46fc2fb6115f7e79d353941e6dcad366\",\n \"https://git.kernel.org/stable/c/6cf350658736681b9d6b0b6e58c5c76b235bb4c4\",\n \"https://git.kernel.org/stable/c/6d32c832a88513f65c2c2c9c75954ee8b387adea\",\n \"https://git.kernel.org/stable/c/9fd0198f7ef06ae0d6636fb0578560857dead995\",\n \"https://git.kernel.org/stable/c/beaf11969fd5cbe6f09cefaa34df1ce8578e8dd9\",\n \"https://git.kernel.org/stable/c/f3a1787dc48213f6caea5ba7d47e0222e7fa34a9\",\n \"https://git.kernel.org/stable/c/fb5b347efd1bda989846ffc74679d181222fb123\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd: fix kmemleak of rdev->serial\\n\\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\\nalloc not be freed, and kmemleak occurs.\\n\\nunreferenced object 0xffff88815a350000 (size 49152):\\n comm \\\"mdadm\\\", pid 789, jiffies 4294716910\\n hex dump (first 32 bytes):\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n backtrace (crc f773277a):\\n [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\\n [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\\n [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\\n [<00000000f206d60a>] kvmalloc_node+0x74/0x150\\n [<0000000034bf3363>] rdev_init_serial+0x67/0x170\\n [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\\n [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\\n [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\\n [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\\n [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\\n [<0000000085086a11>] vfs_ioctl+0x22/0x60\\n [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\\n [<00000000e54e675e>] do_syscall_64+0x71/0x150\\n [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26905" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26905", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26917", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26917" + }, + { + "url": "https://git.kernel.org/stable/c/2209fc6e3d7727d787dc6ef9baa1e9eae6b1295b" + }, + { + "url": "https://git.kernel.org/stable/c/25675159040bffc7992d5163f3f33ba7d0142f21" + }, + { + "url": "https://git.kernel.org/stable/c/2996c7e97ea7cf4c1838a1b1dbc0885934113783" + }, + { + "url": "https://git.kernel.org/stable/c/5b8f473c4de95c056c1c767b1ad48c191544f6a5" + }, + { + "url": "https://git.kernel.org/stable/c/6bb22ac1d11d7d20f91e7fd2e657a9e5f6db65e0" + }, + { + "url": "https://git.kernel.org/stable/c/7d4e19f7ff644c5b79e8271df8ac2e549b436a5b" + }, + { + "url": "https://git.kernel.org/stable/c/94a600226b6d0ef065ee84024b450b566c5a87d6" + }, + { + "url": "https://git.kernel.org/stable/c/977fe773dcc7098d8eaf4ee6382cb51e13e784cb" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26917 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26917", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"\n\nThis reverts commit 1a1975551943f681772720f639ff42fbaa746212.\n\nThis commit causes interrupts to be lost for FCoE devices, since it changed\nsping locks from \"bh\" to \"irqsave\".\n\nInstead, a work queue should be used, and will be addressed in a separate\ncommit.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26917\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26917\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26917\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26917\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26917\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2209fc6e3d7727d787dc6ef9baa1e9eae6b1295b\",\n \"https://git.kernel.org/stable/c/25675159040bffc7992d5163f3f33ba7d0142f21\",\n \"https://git.kernel.org/stable/c/2996c7e97ea7cf4c1838a1b1dbc0885934113783\",\n \"https://git.kernel.org/stable/c/5b8f473c4de95c056c1c767b1ad48c191544f6a5\",\n \"https://git.kernel.org/stable/c/6bb22ac1d11d7d20f91e7fd2e657a9e5f6db65e0\",\n \"https://git.kernel.org/stable/c/7d4e19f7ff644c5b79e8271df8ac2e549b436a5b\",\n \"https://git.kernel.org/stable/c/94a600226b6d0ef065ee84024b450b566c5a87d6\",\n \"https://git.kernel.org/stable/c/977fe773dcc7098d8eaf4ee6382cb51e13e784cb\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: Revert \\\"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\\\"\\n\\nThis reverts commit 1a1975551943f681772720f639ff42fbaa746212.\\n\\nThis commit causes interrupts to be lost for FCoE devices, since it changed\\nsping locks from \\\"bh\\\" to \\\"irqsave\\\".\\n\\nInstead, a work queue should be used, and will be addressed in a separate\\ncommit.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26917\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26921", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26921" + }, + { + "url": "https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272" + }, + { + "url": "https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325" + }, + { + "url": "https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981" + }, + { + "url": "https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26921 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26921", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: inet_defrag: prevent sk release while still in use\n\nip_local_out() and other functions can pass skb->sk as function argument.\n\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\n\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\n\nEric Dumazet made an initial analysis of this bug. Quoting Eric:\n Calling ip_defrag() in output path is also implying skb_orphan(),\n which is buggy because output path relies on sk not disappearing.\n\n A relevant old patch about the issue was :\n 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\n\n [..]\n\n net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\n inet socket, not an arbitrary one.\n\n If we orphan the packet in ipvlan, then downstream things like FQ\n packet scheduler will not work properly.\n\n We need to change ip_defrag() to only use skb_orphan() when really\n needed, ie whenever frag_list is going to be used.\n\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\n\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\n\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\n\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\n\nIn the former case, things work as before, skb is orphaned. This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\n\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26921\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26921\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26921\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26921\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26921\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272\",\n \"https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325\",\n \"https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981\",\n \"https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninet: inet_defrag: prevent sk release while still in use\\n\\nip_local_out() and other functions can pass skb->sk as function argument.\\n\\nIf the skb is a fragment and reassembly happens before such function call\\nreturns, the sk must not be released.\\n\\nThis affects skb fragments reassembled via netfilter or similar\\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\\n\\nEric Dumazet made an initial analysis of this bug. Quoting Eric:\\n Calling ip_defrag() in output path is also implying skb_orphan(),\\n which is buggy because output path relies on sk not disappearing.\\n\\n A relevant old patch about the issue was :\\n 8282f27449bf (\\\"inet: frag: Always orphan skbs inside ip_defrag()\\\")\\n\\n [..]\\n\\n net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\\n inet socket, not an arbitrary one.\\n\\n If we orphan the packet in ipvlan, then downstream things like FQ\\n packet scheduler will not work properly.\\n\\n We need to change ip_defrag() to only use skb_orphan() when really\\n needed, ie whenever frag_list is going to be used.\\n\\nEric suggested to stash sk in fragment queue and made an initial patch.\\nHowever there is a problem with this:\\n\\nIf skb is refragmented again right after, ip_do_fragment() will copy\\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\\nfully reassembled skb, else wmem will underflow.\\n\\nThis change moves the orphan down into the core, to last possible moment.\\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\\noffset into the FRAG_CB, else skb->sk gets clobbered.\\n\\nThis allows to delay the orphaning long enough to learn if the skb has\\nto be queued or if the skb is completing the reasm queue.\\n\\nIn the former case, things work as before, skb is orphaned. This is\\nsafe because skb gets queued/stolen and won't continue past reasm engine.\\n\\nIn the latter case, we will steal the skb->sk reference, reattach it to\\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26921\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26922", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26922" + }, + { + "url": "https://git.kernel.org/stable/c/1fd7db5c16028dc07b2ceec190f2e895dddb532d" + }, + { + "url": "https://git.kernel.org/stable/c/212e3baccdb1939606420d88f7f52d346b49a284" + }, + { + "url": "https://git.kernel.org/stable/c/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75" + }, + { + "url": "https://git.kernel.org/stable/c/8b12fc7b032633539acdf7864888b0ebd49e90f2" + }, + { + "url": "https://git.kernel.org/stable/c/b1f04b9b1c5317f562a455384c5f7473e46bdbaa" + }, + { + "url": "https://git.kernel.org/stable/c/d4da6b084f1c5625937d49bb6722c5b4aef11b8d" + }, + { + "url": "https://git.kernel.org/stable/c/ef13eeca7c79136bc38e21eb67322c1cbd5c40ee" + }, + { + "url": "https://git.kernel.org/stable/c/f68039375d4d6d67303674c0ab2d06b7295c0ec9" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26922 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26922", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\n\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26922\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26922\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26922\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26922\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26922\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fd7db5c16028dc07b2ceec190f2e895dddb532d\",\n \"https://git.kernel.org/stable/c/212e3baccdb1939606420d88f7f52d346b49a284\",\n \"https://git.kernel.org/stable/c/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75\",\n \"https://git.kernel.org/stable/c/8b12fc7b032633539acdf7864888b0ebd49e90f2\",\n \"https://git.kernel.org/stable/c/b1f04b9b1c5317f562a455384c5f7473e46bdbaa\",\n \"https://git.kernel.org/stable/c/d4da6b084f1c5625937d49bb6722c5b4aef11b8d\",\n \"https://git.kernel.org/stable/c/ef13eeca7c79136bc38e21eb67322c1cbd5c40ee\",\n \"https://git.kernel.org/stable/c/f68039375d4d6d67303674c0ab2d06b7295c0ec9\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\\n\\nVerify the parameters of\\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26922\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26923", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26923" + }, + { + "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3" + }, + { + "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f" + }, + { + "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51" + }, + { + "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9" + }, + { + "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423" + }, + { + "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c" + }, + { + "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009" + }, + { + "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26923 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26923", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t if (total_refs == inflight_refs)\n\t\t\t\t\t\t add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t if (u.inflight)\n\t\t\t\t\t\t scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26923\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26923\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26923\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26923\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26923\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3\",\n \"https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f\",\n \"https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51\",\n \"https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9\",\n \"https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423\",\n \"https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c\",\n \"https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009\",\n \"https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Fix garbage collector racing against connect()\\n\\nGarbage collector does not take into account the risk of embryo getting\\nenqueued during the garbage collection. If such embryo has a peer that\\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\\ndifferent set of children. Leading to an incorrectly elevated inflight\\ncount, and then a dangling pointer within the gc_inflight_list.\\n\\nsockets are AF_UNIX/SOCK_STREAM\\nS is an unconnected socket\\nL is a listening in-flight socket bound to addr, not in fdtable\\nV's fd will be passed via sendmsg(), gets inflight count bumped\\n\\nconnect(S, addr)\\tsendmsg(S, [V]); close(V)\\t__unix_gc()\\n----------------\\t-------------------------\\t-----------\\n\\nNS = unix_create1()\\nskb1 = sock_wmalloc(NS)\\nL = unix_find_other(addr)\\nunix_state_lock(L)\\nunix_peer(S) = NS\\n\\t\\t\\t// V count=1 inflight=0\\n\\n \\t\\t\\tNS = unix_peer(S)\\n \\t\\t\\tskb2 = sock_alloc()\\n\\t\\t\\tskb_queue_tail(NS, skb2[V])\\n\\n\\t\\t\\t// V became in-flight\\n\\t\\t\\t// V count=2 inflight=1\\n\\n\\t\\t\\tclose(V)\\n\\n\\t\\t\\t// V count=1 inflight=1\\n\\t\\t\\t// GC candidate condition met\\n\\n\\t\\t\\t\\t\\t\\tfor u in gc_inflight_list:\\n\\t\\t\\t\\t\\t\\t if (total_refs == inflight_refs)\\n\\t\\t\\t\\t\\t\\t add u to gc_candidates\\n\\n\\t\\t\\t\\t\\t\\t// gc_candidates={L, V}\\n\\n\\t\\t\\t\\t\\t\\tfor u in gc_candidates:\\n\\t\\t\\t\\t\\t\\t scan_children(u, dec_inflight)\\n\\n\\t\\t\\t\\t\\t\\t// embryo (skb1) was not\\n\\t\\t\\t\\t\\t\\t// reachable from L yet, so V's\\n\\t\\t\\t\\t\\t\\t// inflight remains unchanged\\n__skb_queue_tail(L, skb1)\\nunix_state_unlock(L)\\n\\t\\t\\t\\t\\t\\tfor u in gc_candidates:\\n\\t\\t\\t\\t\\t\\t if (u.inflight)\\n\\t\\t\\t\\t\\t\\t scan_children(u, inc_inflight_move_tail)\\n\\n\\t\\t\\t\\t\\t\\t// V count=1 inflight=2 (!)\\n\\nIf there is a GC-candidate listening socket, lock/unlock its state. This\\nmakes GC wait until the end of any ongoing connect() to that socket. After\\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\\nthis point, unix_inflight() can not happen because unix_gc_lock is already\\ntaken. Inflight graph remains unaffected.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26923\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26925", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26925" + }, + { + "url": "https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27" + }, + { + "url": "https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494" + }, + { + "url": "https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428" + }, + { + "url": "https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30" + }, + { + "url": "https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae" + }, + { + "url": "https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1" + }, + { + "url": "https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26925 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26925", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\n\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get the released commit lock\nwithin the same GC sequence.\n\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26925\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26925\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26925\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26925\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26925\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27\",\n \"https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494\",\n \"https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428\",\n \"https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30\",\n \"https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae\",\n \"https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1\",\n \"https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\\n\\nThe commit mutex should not be released during the critical section\\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\\nworker could collect expired objects and get the released commit lock\\nwithin the same GC sequence.\\n\\nnf_tables_module_autoload() temporarily releases the mutex to load\\nmodule dependencies, then it goes back to replay the transaction again.\\nMove it at the end of the abort phase after nft_gc_seq_end() is called.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26925\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26926", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26926" + }, + { + "url": "https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc" + }, + { + "url": "https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc" + }, + { + "url": "https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12" + }, + { + "url": "https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c" + }, + { + "url": "https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76" + }, + { + "url": "https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40" + }, + { + "url": "https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26926 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26926", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: check offset alignment in binder_get_object()\n\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\n\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\n\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26926\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26926\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26926\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26926\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26926\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc\",\n \"https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc\",\n \"https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12\",\n \"https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c\",\n \"https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76\",\n \"https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40\",\n \"https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbinder: check offset alignment in binder_get_object()\\n\\nCommit 6d98eb95b450 (\\\"binder: avoid potential data leakage when copying\\ntxn\\\") introduced changes to how binder objects are copied. In doing so,\\nit unintentionally removed an offset alignment check done through calls\\nto binder_alloc_copy_from_buffer() -> check_buffer().\\n\\nThese calls were replaced in binder_get_object() with copy_from_user(),\\nso now an explicit offset alignment check is needed here. This avoids\\nlater complications when unwinding the objects gets harder.\\n\\nIt is worth noting this check existed prior to commit 7a67a39320df\\n(\\\"binder: add function to copy binder object from buffer\\\"), likely\\nremoved due to redundancy at the time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26926\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26928", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26928" + }, + { + "url": "https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88" + }, + { + "url": "https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1" + }, + { + "url": "https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d" + }, + { + "url": "https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26928 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26928", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_debug_files_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26928\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26928\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88\",\n \"https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1\",\n \"https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d\",\n \"https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in cifs_debug_files_proc_show()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26928\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26929", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26929" + }, + { + "url": "https://git.kernel.org/stable/c/282877633b25d67021a34169c5b5519b1d4ef65e" + }, + { + "url": "https://git.kernel.org/stable/c/82f522ae0d97119a43da53e0f729275691b9c525" + }, + { + "url": "https://git.kernel.org/stable/c/846fb9f112f618ec6ae181d8dae7961652574774" + }, + { + "url": "https://git.kernel.org/stable/c/9b43d2884b54d415caab48878b526dfe2ae9921b" + }, + { + "url": "https://git.kernel.org/stable/c/b03e626bd6d3f0684f56ee1890d70fc9ca991c04" + }, + { + "url": "https://git.kernel.org/stable/c/f85af9f1aa5e2f53694a6cbe72010f754b5ff862" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26929", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of fcport\n\nThe server was crashing after LOGO because fcport was getting freed twice.\n\n -----------[ cut here ]-----------\n kernel BUG at mm/slub.c:371!\n invalid opcode: 0000 1 SMP PTI\n CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n RIP: 0010:set_freepointer.part.57+0x0/0x10\n RSP: 0018:ffffb07107027d90 EFLAGS: 00010246\n RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400\n RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500\n RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009\n R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500\n R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58\n FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n kfree+0x238/0x250\n qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]\n ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]\n qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? kernfs_fop_write+0x11e/0x1a0\n\nRemove one of the free calls and add check for valid fcport. Also use\nfunction qla2x00_free_fcport() instead of kfree().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/282877633b25d67021a34169c5b5519b1d4ef65e\",\n \"https://git.kernel.org/stable/c/82f522ae0d97119a43da53e0f729275691b9c525\",\n \"https://git.kernel.org/stable/c/846fb9f112f618ec6ae181d8dae7961652574774\",\n \"https://git.kernel.org/stable/c/9b43d2884b54d415caab48878b526dfe2ae9921b\",\n \"https://git.kernel.org/stable/c/b03e626bd6d3f0684f56ee1890d70fc9ca991c04\",\n \"https://git.kernel.org/stable/c/f85af9f1aa5e2f53694a6cbe72010f754b5ff862\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Fix double free of fcport\\n\\nThe server was crashing after LOGO because fcport was getting freed twice.\\n\\n -----------[ cut here ]-----------\\n kernel BUG at mm/slub.c:371!\\n invalid opcode: 0000 1 SMP PTI\\n CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1\\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\\n RIP: 0010:set_freepointer.part.57+0x0/0x10\\n RSP: 0018:ffffb07107027d90 EFLAGS: 00010246\\n RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400\\n RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500\\n RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009\\n R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500\\n R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58\\n FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n PKRU: 55555554\\n Call Trace:\\n kfree+0x238/0x250\\n qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]\\n ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]\\n qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\\n ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\\n ? kernfs_fop_write+0x11e/0x1a0\\n\\nRemove one of the free calls and add check for valid fcport. Also use\\nfunction qla2x00_free_fcport() instead of kfree().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.7,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26931", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26931" + }, + { + "url": "https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211" + }, + { + "url": "https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac" + }, + { + "url": "https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d" + }, + { + "url": "https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d" + }, + { + "url": "https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1" + }, + { + "url": "https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a" + }, + { + "url": "https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a" + }, + { + "url": "https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9" + }, + { + "url": "https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26931", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix command flush on cable pull\n\nSystem crash due to command failed to flush back to SCSI layer.\n\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\n RIP: 0010:__wake_up_common+0x4c/0x190\n Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n __wake_up_common_lock+0x7c/0xc0\n qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.\n ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0\n ? __switch_to+0x10c/0x450\n ? process_one_work+0x1a7/0x360\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.\n ? worker_thread+0x1ce/0x390\n ? create_worker+0x1a0/0x1a0\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70\n ? kthread+0x10a/0x120\n qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8\n ? set_kthread_struct+0x40/0x40\n qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.\n ? ret_from_fork+0x1f/0x40\n qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout\n\nThe system was under memory stress where driver was not able to allocate an\nSRB to carry out error recovery of cable pull. The failure to flush causes\nupper layer to start modifying scsi_cmnd. When the system frees up some\nmemory, the subsequent cable pull trigger another command flush. At this\npoint the driver access a null pointer when attempting to DMA unmap the\nSGL.\n\nAdd a check to make sure commands are flush back on session tear down to\nprevent the null pointer access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211\",\n \"https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac\",\n \"https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d\",\n \"https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d\",\n \"https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1\",\n \"https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a\",\n \"https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a\",\n \"https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9\",\n \"https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Fix command flush on cable pull\\n\\nSystem crash due to command failed to flush back to SCSI layer.\\n\\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\\n PGD 0 P4D 0\\n Oops: 0000 [#1] SMP NOPTI\\n CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1\\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\\n RIP: 0010:__wake_up_common+0x4c/0x190\\n Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75\\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\\n FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n PKRU: 55555554\\n Call Trace:\\n __wake_up_common_lock+0x7c/0xc0\\n qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0\\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.\\n ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1\\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0\\n ? __switch_to+0x10c/0x450\\n ? process_one_work+0x1a7/0x360\\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.\\n ? worker_thread+0x1ce/0x390\\n ? create_worker+0x1a0/0x1a0\\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70\\n ? kthread+0x10a/0x120\\n qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8\\n ? set_kthread_struct+0x40/0x40\\n qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.\\n ? ret_from_fork+0x1f/0x40\\n qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout\\n\\nThe system was under memory stress where driver was not able to allocate an\\nSRB to carry out error recovery of cable pull. The failure to flush causes\\nupper layer to start modifying scsi_cmnd. When the system frees up some\\nmemory, the subsequent cable pull trigger another command flush. At this\\npoint the driver access a null pointer when attempting to DMA unmap the\\nSGL.\\n\\nAdd a check to make sure commands are flush back on session tear down to\\nprevent the null pointer access.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26934", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26934" + }, + { + "url": "https://git.kernel.org/stable/c/07acf979da33c721357ff27129edf74c23c036c6" + }, + { + "url": "https://git.kernel.org/stable/c/122a06f1068bf5e39089863f4f60b1f5d4273384" + }, + { + "url": "https://git.kernel.org/stable/c/12d6a5681a0a5cecc2af7860f0a1613fa7c6e947" + }, + { + "url": "https://git.kernel.org/stable/c/1b175bc579f46520b11ecda443bcd2ee4904f66a" + }, + { + "url": "https://git.kernel.org/stable/c/80ba43e9f799cbdd83842fc27db667289b3150f5" + }, + { + "url": "https://git.kernel.org/stable/c/8cbdd324b41528994027128207fae8100dff094f" + }, + { + "url": "https://git.kernel.org/stable/c/ab062fa3dc69aea88fe62162c5881ba14b50ecc5" + }, + { + "url": "https://git.kernel.org/stable/c/dbdf66250d2d33e8b27352fcb901de79f3521057" + }, + { + "url": "https://git.kernel.org/stable/c/e451709573f8be904a8a72d0775bf114d7c291d9" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26934", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in usb_deauthorize_interface()\n\nAmong the attribute file callback routines in\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\nthe only one which acquires a device lock on an ancestor device: It\ncalls usb_deauthorize_interface(), which locks the interface's parent\nUSB device.\n\nThe will lead to deadlock if another process already owns that lock\nand tries to remove the interface, whether through a configuration\nchange or because the device has been disconnected. As part of the\nremoval procedure, device_del() waits for all ongoing sysfs attribute\ncallbacks to complete. But usb_deauthorize_interface() can't complete\nuntil the device lock has been released, and the lock won't be\nreleased until the removal has finished.\n\nThe mechanism provided by sysfs to prevent this kind of deadlock is\nto use the sysfs_break_active_protection() function, which tells sysfs\nnot to wait for the attribute callback.\n\nReported-and-tested by: Yue Sun \nReported by: xingwei lee ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07acf979da33c721357ff27129edf74c23c036c6\",\n \"https://git.kernel.org/stable/c/122a06f1068bf5e39089863f4f60b1f5d4273384\",\n \"https://git.kernel.org/stable/c/12d6a5681a0a5cecc2af7860f0a1613fa7c6e947\",\n \"https://git.kernel.org/stable/c/1b175bc579f46520b11ecda443bcd2ee4904f66a\",\n \"https://git.kernel.org/stable/c/80ba43e9f799cbdd83842fc27db667289b3150f5\",\n \"https://git.kernel.org/stable/c/8cbdd324b41528994027128207fae8100dff094f\",\n \"https://git.kernel.org/stable/c/ab062fa3dc69aea88fe62162c5881ba14b50ecc5\",\n \"https://git.kernel.org/stable/c/dbdf66250d2d33e8b27352fcb901de79f3521057\",\n \"https://git.kernel.org/stable/c/e451709573f8be904a8a72d0775bf114d7c291d9\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: core: Fix deadlock in usb_deauthorize_interface()\\n\\nAmong the attribute file callback routines in\\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\\nthe only one which acquires a device lock on an ancestor device: It\\ncalls usb_deauthorize_interface(), which locks the interface's parent\\nUSB device.\\n\\nThe will lead to deadlock if another process already owns that lock\\nand tries to remove the interface, whether through a configuration\\nchange or because the device has been disconnected. As part of the\\nremoval procedure, device_del() waits for all ongoing sysfs attribute\\ncallbacks to complete. But usb_deauthorize_interface() can't complete\\nuntil the device lock has been released, and the lock won't be\\nreleased until the removal has finished.\\n\\nThe mechanism provided by sysfs to prevent this kind of deadlock is\\nto use the sysfs_break_active_protection() function, which tells sysfs\\nnot to wait for the attribute callback.\\n\\nReported-and-tested by: Yue Sun \\nReported by: xingwei lee \",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26935", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26935" + }, + { + "url": "https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac" + }, + { + "url": "https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889" + }, + { + "url": "https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1" + }, + { + "url": "https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee" + }, + { + "url": "https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c" + }, + { + "url": "https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320" + }, + { + "url": "https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84" + }, + { + "url": "https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26935 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26935", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26935\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26935\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26935\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26935\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26935\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac\",\n \"https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889\",\n \"https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1\",\n \"https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee\",\n \"https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c\",\n \"https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320\",\n \"https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84\",\n \"https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: core: Fix unremoved procfs host directory regression\\n\\nCommit fc663711b944 (\\\"scsi: core: Remove the /proc/scsi/${proc_name}\\ndirectory earlier\\\") fixed a bug related to modules loading/unloading, by\\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\\nto a potential duplicate call to the hostdir_rm() routine, since it's also\\ncalled from scsi_host_dev_release(). That triggered a regression report,\\nwhich was then fixed by commit be03df3d4bfe (\\\"scsi: core: Fix a procfs host\\ndirectory removal regression\\\"). The fix just dropped the hostdir_rm() call\\nfrom dev_release().\\n\\nBut it happens that this proc directory is created on scsi_host_alloc(),\\nand that function \\\"pairs\\\" with scsi_host_dev_release(), while\\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\\nreason for removing the proc directory on dev_release() was meant to cover\\ncases in which a SCSI host structure was allocated, but the call to\\nscsi_add_host() didn't happen. And that pattern happens to exist in some\\nerror paths, for example.\\n\\nSyzkaller causes that by using USB raw gadget device, error'ing on\\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\\nallocation, but there's no call to scsi_add_host() in such path. That leads\\nto messages like this in dmesg (and a leak of the SCSI host proc\\nstructure):\\n\\nusb-storage 4-1:87.51: USB Mass Storage device detected\\nproc_dir_entry 'scsi/usb-storage' already registered\\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\\n\\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\\nbut guard that with the state check for SHOST_CREATED; there is even a\\ncomment in scsi_host_dev_release() detailing that: such conditional is\\nmeant for cases where the SCSI host was allocated but there was no calls to\\n{add,remove}_host(), like the usb-storage case.\\n\\nThis is what we propose here and with that, the error path of usb-storage\\ndoes not trigger the warning anymore.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26935\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26936", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26936" + }, + { + "url": "https://git.kernel.org/stable/c/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a" + }, + { + "url": "https://git.kernel.org/stable/c/21ff9d7d223c5c19cb4334009e4c0c83a2f4d674" + }, + { + "url": "https://git.kernel.org/stable/c/2c27a64a2bc47d9bfc7c3cf8be14be53b1ee7cb6" + }, + { + "url": "https://git.kernel.org/stable/c/5c20b242d4fed73a93591e48bfd9772e2322fb11" + }, + { + "url": "https://git.kernel.org/stable/c/8f3d0bf1d0c62b539d54c5b9108a845cff619b99" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26936 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26936", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\n\nThe response buffer should be allocated in smb2_allocate_rsp_buf\nbefore validating request. But the fields in payload as well as smb2 header\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\nvalidation to avoid potencial out-of-bounds in request buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26936\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26936\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26936\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26936\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26936\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a\",\n \"https://git.kernel.org/stable/c/21ff9d7d223c5c19cb4334009e4c0c83a2f4d674\",\n \"https://git.kernel.org/stable/c/2c27a64a2bc47d9bfc7c3cf8be14be53b1ee7cb6\",\n \"https://git.kernel.org/stable/c/5c20b242d4fed73a93591e48bfd9772e2322fb11\",\n \"https://git.kernel.org/stable/c/8f3d0bf1d0c62b539d54c5b9108a845cff619b99\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\\n\\nThe response buffer should be allocated in smb2_allocate_rsp_buf\\nbefore validating request. But the fields in payload as well as smb2 header\\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\\nvalidation to avoid potencial out-of-bounds in request buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26936\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26937", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26937" + }, + { + "url": "https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325" + }, + { + "url": "https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895" + }, + { + "url": "https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a" + }, + { + "url": "https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62" + }, + { + "url": "https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c" + }, + { + "url": "https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f" + }, + { + "url": "https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703" + }, + { + "url": "https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26937 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26937", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Reset queue_priority_hint on parking\n\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\n\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\n\n<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 166.210781] Dumping ftrace buffer:\n<0>[ 166.210795] ---------------------------------\n...\n<0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n<0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n<0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n<0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n<0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n<0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n<0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n<0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n<0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n<0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n<0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n<0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n<0>[ 167.303534] -0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n<0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n<0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 167.303811] ---------------------------------\n<4>[ 167.304722] ------------[ cut here ]------------\n<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n<4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n<4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n<4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n<4>[ 16\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26937\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26937\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26937\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26937\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26937\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325\",\n \"https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895\",\n \"https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a\",\n \"https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62\",\n \"https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c\",\n \"https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f\",\n \"https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703\",\n \"https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/gt: Reset queue_priority_hint on parking\\n\\nOriginally, with strict in order execution, we could complete execution\\nonly when the queue was empty. Preempt-to-busy allows replacement of an\\nactive request that may complete before the preemption is processed by\\nHW. If that happens, the request is retired from the queue, but the\\nqueue_priority_hint remains set, preventing direct submission until\\nafter the next CS interrupt is processed.\\n\\nThis preempt-to-busy race can be triggered by the heartbeat, which will\\nalso act as the power-management barrier and upon completion allow us to\\nidle the HW. We may process the completion of the heartbeat, and begin\\nparking the engine before the CS event that restores the\\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\\n\\n<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\\n<0>[ 166.210781] Dumping ftrace buffer:\\n<0>[ 166.210795] ---------------------------------\\n...\\n<0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\\n<0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\\n<0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\\n<0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\\n<0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\\n<0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\\n<0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\\n<0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\\n<0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\\n<0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\\n<0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\\n<0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\\n<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\\n<0>[ 167.303534] -0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\\n<0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\\n<0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\\n<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\\n<0>[ 167.303811] ---------------------------------\\n<4>[ 167.304722] ------------[ cut here ]------------\\n<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\\n<4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n<4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\\n<4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\\n<4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]\\n<4>[ 16\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26937\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26938", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26938" + }, + { + "url": "https://git.kernel.org/stable/c/32e39bab59934bfd3f37097d4dd85ac5eb0fd549" + }, + { + "url": "https://git.kernel.org/stable/c/72e4d3fb72e9f0f016946158a7d95304832768e6" + }, + { + "url": "https://git.kernel.org/stable/c/94cf2fb6feccd625e5b4e23e1b70f39a206f82ac" + }, + { + "url": "https://git.kernel.org/stable/c/a891add409e3bc381f4f68c2ce9d953f1865cb1f" + }, + { + "url": "https://git.kernel.org/stable/c/f4bbac954d8f9ab214ea1d4f385de4fa6bd92dd0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26938 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26938", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()\n\nIf we have no VBT, or the VBT didn't declare the encoder\nin question, we won't have the 'devdata' for the encoder.\nInstead of oopsing just bail early.\n\nWe won't be able to tell whether the port is DP++ or not,\nbut so be it.\n\n(cherry picked from commit 26410896206342c8a80d2b027923e9ee7d33b733)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26938\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26938\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26938\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26938\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26938\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32e39bab59934bfd3f37097d4dd85ac5eb0fd549\",\n \"https://git.kernel.org/stable/c/72e4d3fb72e9f0f016946158a7d95304832768e6\",\n \"https://git.kernel.org/stable/c/94cf2fb6feccd625e5b4e23e1b70f39a206f82ac\",\n \"https://git.kernel.org/stable/c/a891add409e3bc381f4f68c2ce9d953f1865cb1f\",\n \"https://git.kernel.org/stable/c/f4bbac954d8f9ab214ea1d4f385de4fa6bd92dd0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()\\n\\nIf we have no VBT, or the VBT didn't declare the encoder\\nin question, we won't have the 'devdata' for the encoder.\\nInstead of oopsing just bail early.\\n\\nWe won't be able to tell whether the port is DP++ or not,\\nbut so be it.\\n\\n(cherry picked from commit 26410896206342c8a80d2b027923e9ee7d33b733)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26938\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26944", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26944" + }, + { + "url": "https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302" + }, + { + "url": "https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26944 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26944", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free in do_zone_finish()\n\nShinichiro reported the following use-after-free triggered by the device\nreplace operation in fstests btrfs/070.\n\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\n ==================================================================\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\n\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n Call Trace:\n \n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0x200/0x3e0\n kasan_report+0xd8/0x110\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n do_zone_finish+0x91a/0xb90 [btrfs]\n btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\n ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\n ? btrfs_put_root+0x2d/0x220 [btrfs]\n ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\n cleaner_kthread+0x21e/0x380 [btrfs]\n ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\n kthread+0x2e3/0x3c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\n Allocated by task 3493983:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n btrfs_alloc_device+0xb3/0x4e0 [btrfs]\n device_list_add.constprop.0+0x993/0x1630 [btrfs]\n btrfs_scan_one_device+0x219/0x3d0 [btrfs]\n btrfs_control_ioctl+0x26e/0x310 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 3494056:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3f/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x32/0x70\n kfree+0x11b/0x320\n btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\n btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\n btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\n btrfs_ioctl+0xb27/0x57d0 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n The buggy address belongs to the object at ffff8881543c8000\n which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 96 bytes inside of\n freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\n\n The buggy address belongs to the physical page:\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThis UAF happens because we're accessing stale zone information of a\nalready removed btrfs_device in do_zone_finish().\n\nThe sequence of events is as follows:\n\nbtrfs_dev_replace_start\n btrfs_scrub_dev\n btrfs_dev_replace_finishing\n btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced\n btrfs_rm_dev_replace_free_srcdev\n btrfs_free_device <-- device freed\n\ncleaner_kthread\n btrfs_delete_unused_bgs\n btrfs_zone_finish\n do_zone_finish <-- refers the freed device\n\nThe reason for this is that we're using a\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26944\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26944\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26944\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26944\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26944\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302\",\n \"https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: zoned: fix use-after-free in do_zone_finish()\\n\\nShinichiro reported the following use-after-free triggered by the device\\nreplace operation in fstests btrfs/070.\\n\\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\\n ==================================================================\\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\\n\\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1\\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\\n Call Trace:\\n \\n dump_stack_lvl+0x5b/0x90\\n print_report+0xcf/0x670\\n ? __virt_addr_valid+0x200/0x3e0\\n kasan_report+0xd8/0x110\\n ? do_zone_finish+0x91a/0xb90 [btrfs]\\n ? do_zone_finish+0x91a/0xb90 [btrfs]\\n do_zone_finish+0x91a/0xb90 [btrfs]\\n btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\\n ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\\n ? btrfs_put_root+0x2d/0x220 [btrfs]\\n ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\\n cleaner_kthread+0x21e/0x380 [btrfs]\\n ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\\n kthread+0x2e3/0x3c0\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x31/0x70\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \\n\\n Allocated by task 3493983:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n __kasan_kmalloc+0xaa/0xb0\\n btrfs_alloc_device+0xb3/0x4e0 [btrfs]\\n device_list_add.constprop.0+0x993/0x1630 [btrfs]\\n btrfs_scan_one_device+0x219/0x3d0 [btrfs]\\n btrfs_control_ioctl+0x26e/0x310 [btrfs]\\n __x64_sys_ioctl+0x134/0x1b0\\n do_syscall_64+0x99/0x190\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\n Freed by task 3494056:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n kasan_save_free_info+0x3f/0x60\\n poison_slab_object+0x102/0x170\\n __kasan_slab_free+0x32/0x70\\n kfree+0x11b/0x320\\n btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\\n btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\\n btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\\n btrfs_ioctl+0xb27/0x57d0 [btrfs]\\n __x64_sys_ioctl+0x134/0x1b0\\n do_syscall_64+0x99/0x190\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\n The buggy address belongs to the object at ffff8881543c8000\\n which belongs to the cache kmalloc-1k of size 1024\\n The buggy address is located 96 bytes inside of\\n freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\\n\\n The buggy address belongs to the physical page:\\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\\n page_type: 0xffffffff()\\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\\n page dumped because: kasan: bad access detected\\n\\n Memory state around the buggy address:\\n ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ^\\n ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n\\nThis UAF happens because we're accessing stale zone information of a\\nalready removed btrfs_device in do_zone_finish().\\n\\nThe sequence of events is as follows:\\n\\nbtrfs_dev_replace_start\\n btrfs_scrub_dev\\n btrfs_dev_replace_finishing\\n btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced\\n btrfs_rm_dev_replace_free_srcdev\\n btrfs_free_device <-- device freed\\n\\ncleaner_kthread\\n btrfs_delete_unused_bgs\\n btrfs_zone_finish\\n do_zone_finish <-- refers the freed device\\n\\nThe reason for this is that we're using a\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26944\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26945", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26945" + }, + { + "url": "https://git.kernel.org/stable/c/5a7e89d3315d1be86aff8a8bf849023cda6547f7" + }, + { + "url": "https://git.kernel.org/stable/c/a5ca1be7f9817de4e93085778b3ee2219bdc2664" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26945 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26945", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix nr_cpus < nr_iaa case\n\nIf nr_cpus < nr_iaa, the calculated cpus_per_iaa will be 0, which\ncauses a divide-by-0 in rebalance_wq_table().\n\nMake sure cpus_per_iaa is 1 in that case, and also in the nr_iaa == 0\ncase, even though cpus_per_iaa is never used if nr_iaa == 0, for\nparanoia.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26945\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26945\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26945\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26945\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26945\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5a7e89d3315d1be86aff8a8bf849023cda6547f7\",\n \"https://git.kernel.org/stable/c/a5ca1be7f9817de4e93085778b3ee2219bdc2664\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: iaa - Fix nr_cpus < nr_iaa case\\n\\nIf nr_cpus < nr_iaa, the calculated cpus_per_iaa will be 0, which\\ncauses a divide-by-0 in rebalance_wq_table().\\n\\nMake sure cpus_per_iaa is 1 in that case, and also in the nr_iaa == 0\\ncase, even though cpus_per_iaa is never used if nr_iaa == 0, for\\nparanoia.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26945\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26947", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26947" + }, + { + "url": "https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff" + }, + { + "url": "https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc" + }, + { + "url": "https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7" + }, + { + "url": "https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26947 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26947", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\n\nSince commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account\nfreed memory map alignment\") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\n\n node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node 0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is:0xc0900000, 0x100000\n\nthe crash backtrace like:\n\n Unable to handle kernel paging request at virtual address bff00000\n [...]\n CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1\n Hardware name: Generic DT based system\n PC is at b15_flush_kern_dcache_area+0x24/0x3c\n LR is at __sync_icache_dcache+0x6c/0x98\n [...]\n (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n (__do_mmap_mm) from (do_mmap+0x50/0x58)\n (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n ---[ end trace 09cf0734c3805d52 ]---\n Kernel panic - not syncing: Fatal exception\n\nSo check if PG_reserved was set to solve this issue.\n\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26947\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26947\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26947\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26947\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26947\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff\",\n \"https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc\",\n \"https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7\",\n \"https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\\n\\nSince commit a4d5613c4dc6 (\\\"arm: extend pfn_valid to take into account\\nfreed memory map alignment\\\") changes the semantics of pfn_valid() to check\\npresence of the memory map for a PFN. A valid page for an address which\\nis reserved but not mapped by the kernel[1], the system crashed during\\nsome uio test with the following memory layout:\\n\\n node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\\n node 0: [mem 0x00000000d0000000-0x00000000da1fffff]\\n the uio layout is:0xc0900000, 0x100000\\n\\nthe crash backtrace like:\\n\\n Unable to handle kernel paging request at virtual address bff00000\\n [...]\\n CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1\\n Hardware name: Generic DT based system\\n PC is at b15_flush_kern_dcache_area+0x24/0x3c\\n LR is at __sync_icache_dcache+0x6c/0x98\\n [...]\\n (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\\n (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\\n (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\\n (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\\n (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\\n (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\\n (__do_mmap_mm) from (do_mmap+0x50/0x58)\\n (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\\n (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\\n (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\\n Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\\n ---[ end trace 09cf0734c3805d52 ]---\\n Kernel panic - not syncing: Fatal exception\\n\\nSo check if PG_reserved was set to solve this issue.\\n\\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26947\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26948", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26948" + }, + { + "url": "https://git.kernel.org/stable/c/334b56cea5d9df5989be6cf1a5898114fa70ad98" + }, + { + "url": "https://git.kernel.org/stable/c/d37a08f840485995e3fb91dad95e441b9d28a269" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26948 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26948", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add a dc_state NULL check in dc_state_release\n\n[How]\nCheck wheather state is NULL before releasing it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26948\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26948\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26948\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26948\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26948\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/334b56cea5d9df5989be6cf1a5898114fa70ad98\",\n \"https://git.kernel.org/stable/c/d37a08f840485995e3fb91dad95e441b9d28a269\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add a dc_state NULL check in dc_state_release\\n\\n[How]\\nCheck wheather state is NULL before releasing it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26948\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26950", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26950" + }, + { + "url": "https://git.kernel.org/stable/c/09c3fa70f65175861ca948cb2f0f791e666c90e5" + }, + { + "url": "https://git.kernel.org/stable/c/493aa6bdcffd90a4f82aa614fe4f4db0641b4068" + }, + { + "url": "https://git.kernel.org/stable/c/4be453271a882c8ebc28df3dbf9e4d95e6ac42f5" + }, + { + "url": "https://git.kernel.org/stable/c/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f" + }, + { + "url": "https://git.kernel.org/stable/c/93bcc1752c69bb309f4d8cfaf960ef1faeb34996" + }, + { + "url": "https://git.kernel.org/stable/c/c991567e6c638079304cc15dff28748e4a3c4a37" + }, + { + "url": "https://git.kernel.org/stable/c/d44bd323d8bb8031eef4bdc44547925998a11e47" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26950 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26950", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: access device through ctx instead of peer\n\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26950\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26950\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26950\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26950\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26950\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09c3fa70f65175861ca948cb2f0f791e666c90e5\",\n \"https://git.kernel.org/stable/c/493aa6bdcffd90a4f82aa614fe4f4db0641b4068\",\n \"https://git.kernel.org/stable/c/4be453271a882c8ebc28df3dbf9e4d95e6ac42f5\",\n \"https://git.kernel.org/stable/c/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f\",\n \"https://git.kernel.org/stable/c/93bcc1752c69bb309f4d8cfaf960ef1faeb34996\",\n \"https://git.kernel.org/stable/c/c991567e6c638079304cc15dff28748e4a3c4a37\",\n \"https://git.kernel.org/stable/c/d44bd323d8bb8031eef4bdc44547925998a11e47\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwireguard: netlink: access device through ctx instead of peer\\n\\nThe previous commit fixed a bug that led to a NULL peer->device being\\ndereferenced. It's actually easier and faster performance-wise to\\ninstead get the device from ctx->wg. This semantically makes more sense\\ntoo, since ctx->wg->peer_allowedips.seq is compared with\\nctx->allowedips_seq, basing them both in ctx. This also acts as a\\ndefence in depth provision against freed peers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26950\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26951", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26951" + }, + { + "url": "https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04" + }, + { + "url": "https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d" + }, + { + "url": "https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4" + }, + { + "url": "https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87" + }, + { + "url": "https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b" + }, + { + "url": "https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac" + }, + { + "url": "https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26951 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26951", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\n\nIf all peers are removed via wg_peer_remove_all(), rather than setting\npeer_list to empty, the peer is added to a temporary list with a head on\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\ncursored peer is one that has been removed via wg_peer_remove_all(), it\nwill iterate from that peer and then attempt to dump freed peers.\n\nFix this by instead checking peer->is_dead, which was explictly created\nfor this purpose. Also move up the device_update_lock lockdep assertion,\nsince reading is_dead relies on that.\n\nIt can be reproduced by a small script like:\n\n echo \"Setting config...\"\n ip link add dev wg0 type wireguard\n wg setconf wg0 /big-config\n (\n while true; do\n echo \"Showing config...\"\n wg showconf wg0 > /dev/null\n done\n ) &\n sleep 4\n wg setconf wg0 <(printf \"[Peer]\\nPublicKey=$(wg genkey)\\n\")\n\nResulting in:\n\n BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\n Read of size 8 at addr ffff88811956ec70 by task wg/59\n CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\n Call Trace:\n \n dump_stack_lvl+0x47/0x70\n print_address_description.constprop.0+0x2c/0x380\n print_report+0xab/0x250\n kasan_report+0xba/0xf0\n __lock_acquire+0x182a/0x1b20\n lock_acquire+0x191/0x4b0\n down_read+0x80/0x440\n get_peer+0x140/0xcb0\n wg_get_device_dump+0x471/0x1130", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26951\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26951\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26951\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26951\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26951\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04\",\n \"https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d\",\n \"https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4\",\n \"https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87\",\n \"https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b\",\n \"https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac\",\n \"https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\\n\\nIf all peers are removed via wg_peer_remove_all(), rather than setting\\npeer_list to empty, the peer is added to a temporary list with a head on\\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\\ncursored peer is one that has been removed via wg_peer_remove_all(), it\\nwill iterate from that peer and then attempt to dump freed peers.\\n\\nFix this by instead checking peer->is_dead, which was explictly created\\nfor this purpose. Also move up the device_update_lock lockdep assertion,\\nsince reading is_dead relies on that.\\n\\nIt can be reproduced by a small script like:\\n\\n echo \\\"Setting config...\\\"\\n ip link add dev wg0 type wireguard\\n wg setconf wg0 /big-config\\n (\\n while true; do\\n echo \\\"Showing config...\\\"\\n wg showconf wg0 > /dev/null\\n done\\n ) &\\n sleep 4\\n wg setconf wg0 <(printf \\\"[Peer]\\\\nPublicKey=$(wg genkey)\\\\n\\\")\\n\\nResulting in:\\n\\n BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\\n Read of size 8 at addr ffff88811956ec70 by task wg/59\\n CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\\n Call Trace:\\n \\n dump_stack_lvl+0x47/0x70\\n print_address_description.constprop.0+0x2c/0x380\\n print_report+0xab/0x250\\n kasan_report+0xba/0xf0\\n __lock_acquire+0x182a/0x1b20\\n lock_acquire+0x191/0x4b0\\n down_read+0x80/0x440\\n get_peer+0x140/0xcb0\\n wg_get_device_dump+0x471/0x1130\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26951\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26952", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26952" + }, + { + "url": "https://git.kernel.org/stable/c/0c5541b4c980626fa3cab16ba1a451757778bbb5" + }, + { + "url": "https://git.kernel.org/stable/c/2dcda336b6e80b72d58d30d40f2fad9724e5fe63" + }, + { + "url": "https://git.kernel.org/stable/c/39bdc4197acf2ed13269167ccf093ee28cfa2a4e" + }, + { + "url": "https://git.kernel.org/stable/c/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26952 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26952", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potencial out-of-bounds when buffer offset is invalid\n\nI found potencial out-of-bounds when buffer offset fields of a few requests\nis invalid. This patch set the minimum value of buffer offset field to\n->Buffer offset to validate buffer length.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26952\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26952\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26952\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26952\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26952\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c5541b4c980626fa3cab16ba1a451757778bbb5\",\n \"https://git.kernel.org/stable/c/2dcda336b6e80b72d58d30d40f2fad9724e5fe63\",\n \"https://git.kernel.org/stable/c/39bdc4197acf2ed13269167ccf093ee28cfa2a4e\",\n \"https://git.kernel.org/stable/c/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: fix potencial out-of-bounds when buffer offset is invalid\\n\\nI found potencial out-of-bounds when buffer offset fields of a few requests\\nis invalid. This patch set the minimum value of buffer offset field to\\n->Buffer offset to validate buffer length.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.1,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26952\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26953", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26953" + }, + { + "url": "https://git.kernel.org/stable/c/1abb20a5f4b02fb3020f88456fc1e6069b3cdc45" + }, + { + "url": "https://git.kernel.org/stable/c/8291b4eac429c480386669444c6377573f5d8664" + }, + { + "url": "https://git.kernel.org/stable/c/c3198822c6cb9fb588e446540485669cc81c5d34" + }, + { + "url": "https://git.kernel.org/stable/c/f278ff9db67264715d0d50e3e75044f8b78990f4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26953 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26953", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: esp: fix bad handling of pages from page_pool\n\nWhen the skb is reorganized during esp_output (!esp->inline), the pages\ncoming from the original skb fragments are supposed to be released back\nto the system through put_page. But if the skb fragment pages are\noriginating from a page_pool, calling put_page on them will trigger a\npage_pool leak which will eventually result in a crash.\n\nThis leak can be easily observed when using CONFIG_DEBUG_VM and doing\nipsec + gre (non offloaded) forwarding:\n\n BUG: Bad page state in process ksoftirqd/16 pfn:1451b6\n page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6\n flags: 0x200000000000000(node=0|zone=2)\n page_type: 0xffffffff()\n raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000\n raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000\n page dumped because: page_pool leak\n Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]\n CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n \n dump_stack_lvl+0x36/0x50\n bad_page+0x70/0xf0\n free_unref_page_prepare+0x27a/0x460\n free_unref_page+0x38/0x120\n esp_ssg_unref.isra.0+0x15f/0x200\n esp_output_tail+0x66d/0x780\n esp_xmit+0x2c5/0x360\n validate_xmit_xfrm+0x313/0x370\n ? validate_xmit_skb+0x1d/0x330\n validate_xmit_skb_list+0x4c/0x70\n sch_direct_xmit+0x23e/0x350\n __dev_queue_xmit+0x337/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x25e/0x580\n iptunnel_xmit+0x19b/0x240\n ip_tunnel_xmit+0x5fb/0xb60\n ipgre_xmit+0x14d/0x280 [ip_gre]\n dev_hard_start_xmit+0xc3/0x1c0\n __dev_queue_xmit+0x208/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x1ca/0x580\n ip_sublist_rcv_finish+0x32/0x40\n ip_sublist_rcv+0x1b2/0x1f0\n ? ip_rcv_finish_core.constprop.0+0x460/0x460\n ip_list_rcv+0x103/0x130\n __netif_receive_skb_list_core+0x181/0x1e0\n netif_receive_skb_list_internal+0x1b3/0x2c0\n napi_gro_receive+0xc8/0x200\n gro_cell_poll+0x52/0x90\n __napi_poll+0x25/0x1a0\n net_rx_action+0x28e/0x300\n __do_softirq+0xc3/0x276\n ? sort_range+0x20/0x20\n run_ksoftirqd+0x1e/0x30\n smpboot_thread_fn+0xa6/0x130\n kthread+0xcd/0x100\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x31/0x50\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork_asm+0x11/0x20\n \n\nThe suggested fix is to introduce a new wrapper (skb_page_unref) that\ncovers page refcounting for page_pool pages as well.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26953\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26953\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26953\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26953\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26953\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1abb20a5f4b02fb3020f88456fc1e6069b3cdc45\",\n \"https://git.kernel.org/stable/c/8291b4eac429c480386669444c6377573f5d8664\",\n \"https://git.kernel.org/stable/c/c3198822c6cb9fb588e446540485669cc81c5d34\",\n \"https://git.kernel.org/stable/c/f278ff9db67264715d0d50e3e75044f8b78990f4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: esp: fix bad handling of pages from page_pool\\n\\nWhen the skb is reorganized during esp_output (!esp->inline), the pages\\ncoming from the original skb fragments are supposed to be released back\\nto the system through put_page. But if the skb fragment pages are\\noriginating from a page_pool, calling put_page on them will trigger a\\npage_pool leak which will eventually result in a crash.\\n\\nThis leak can be easily observed when using CONFIG_DEBUG_VM and doing\\nipsec + gre (non offloaded) forwarding:\\n\\n BUG: Bad page state in process ksoftirqd/16 pfn:1451b6\\n page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6\\n flags: 0x200000000000000(node=0|zone=2)\\n page_type: 0xffffffff()\\n raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000\\n raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000\\n page dumped because: page_pool leak\\n Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]\\n CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n Call Trace:\\n \\n dump_stack_lvl+0x36/0x50\\n bad_page+0x70/0xf0\\n free_unref_page_prepare+0x27a/0x460\\n free_unref_page+0x38/0x120\\n esp_ssg_unref.isra.0+0x15f/0x200\\n esp_output_tail+0x66d/0x780\\n esp_xmit+0x2c5/0x360\\n validate_xmit_xfrm+0x313/0x370\\n ? validate_xmit_skb+0x1d/0x330\\n validate_xmit_skb_list+0x4c/0x70\\n sch_direct_xmit+0x23e/0x350\\n __dev_queue_xmit+0x337/0xba0\\n ? nf_hook_slow+0x3f/0xd0\\n ip_finish_output2+0x25e/0x580\\n iptunnel_xmit+0x19b/0x240\\n ip_tunnel_xmit+0x5fb/0xb60\\n ipgre_xmit+0x14d/0x280 [ip_gre]\\n dev_hard_start_xmit+0xc3/0x1c0\\n __dev_queue_xmit+0x208/0xba0\\n ? nf_hook_slow+0x3f/0xd0\\n ip_finish_output2+0x1ca/0x580\\n ip_sublist_rcv_finish+0x32/0x40\\n ip_sublist_rcv+0x1b2/0x1f0\\n ? ip_rcv_finish_core.constprop.0+0x460/0x460\\n ip_list_rcv+0x103/0x130\\n __netif_receive_skb_list_core+0x181/0x1e0\\n netif_receive_skb_list_internal+0x1b3/0x2c0\\n napi_gro_receive+0xc8/0x200\\n gro_cell_poll+0x52/0x90\\n __napi_poll+0x25/0x1a0\\n net_rx_action+0x28e/0x300\\n __do_softirq+0xc3/0x276\\n ? sort_range+0x20/0x20\\n run_ksoftirqd+0x1e/0x30\\n smpboot_thread_fn+0xa6/0x130\\n kthread+0xcd/0x100\\n ? kthread_complete_and_exit+0x20/0x20\\n ret_from_fork+0x31/0x50\\n ? kthread_complete_and_exit+0x20/0x20\\n ret_from_fork_asm+0x11/0x20\\n \\n\\nThe suggested fix is to introduce a new wrapper (skb_page_unref) that\\ncovers page refcounting for page_pool pages as well.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26953\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26954", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26954" + }, + { + "url": "https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57" + }, + { + "url": "https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178" + }, + { + "url": "https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26954 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26954", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\n\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26954\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26954\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26954\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26954\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26954\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57\",\n \"https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178\",\n \"https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\\n\\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\\nThis patch set the minimum value of the name offset to the buffer offset\\nto validate name length of smb2_create_req().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26954\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26955", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26955" + }, + { + "url": "https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c" + }, + { + "url": "https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5" + }, + { + "url": "https://git.kernel.org/stable/c/269cdf353b5bdd15f1a079671b0f889113865f20" + }, + { + "url": "https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07" + }, + { + "url": "https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414ef02e39" + }, + { + "url": "https://git.kernel.org/stable/c/76ffbe911e2798c7296968f5fd72f7bf67207a8d" + }, + { + "url": "https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183" + }, + { + "url": "https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c" + }, + { + "url": "https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26955 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26955", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: prevent kernel bug at submit_bh_wbc()\n\nFix a bug where nilfs_get_block() returns a successful status when\nsearching and inserting the specified block both fail inconsistently. If\nthis inconsistent behavior is not due to a previously fixed bug, then an\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\n\nThis prevents callers such as __block_write_begin_int() from requesting a\nread into a buffer that is not mapped, which would cause the BUG_ON check\nfor the BH_Mapped flag in submit_bh_wbc() to fail.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26955\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26955\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26955\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26955\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26955\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c\",\n \"https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5\",\n \"https://git.kernel.org/stable/c/269cdf353b5bdd15f1a079671b0f889113865f20\",\n \"https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07\",\n \"https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414ef02e39\",\n \"https://git.kernel.org/stable/c/76ffbe911e2798c7296968f5fd72f7bf67207a8d\",\n \"https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183\",\n \"https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c\",\n \"https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: prevent kernel bug at submit_bh_wbc()\\n\\nFix a bug where nilfs_get_block() returns a successful status when\\nsearching and inserting the specified block both fail inconsistently. If\\nthis inconsistent behavior is not due to a previously fixed bug, then an\\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\\n\\nThis prevents callers such as __block_write_begin_int() from requesting a\\nread into a buffer that is not mapped, which would cause the BUG_ON check\\nfor the BH_Mapped flag in submit_bh_wbc() to fail.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26955\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26956", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26956" + }, + { + "url": "https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84" + }, + { + "url": "https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7" + }, + { + "url": "https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4" + }, + { + "url": "https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e" + }, + { + "url": "https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713" + }, + { + "url": "https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35" + }, + { + "url": "https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb" + }, + { + "url": "https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba" + }, + { + "url": "https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26956 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26956", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\n\nPatch series \"nilfs2: fix kernel bug at submit_bh_wbc()\".\n\nThis resolves a kernel BUG reported by syzbot. Since there are two\nflaws involved, I've made each one a separate patch.\n\nThe first patch alone resolves the syzbot-reported bug, but I think\nboth fixes should be sent to stable, so I've tagged them as such.\n\n\nThis patch (of 2):\n\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\nto a nilfs2 file system whose metadata is corrupted.\n\nThere are two flaws involved in this issue.\n\nThe first flaw is that when nilfs_get_block() locates a data block using\nbtree or direct mapping, if the disk address translation routine\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\ncorruption, it can be passed back to nilfs_get_block(). This causes\nnilfs_get_block() to misidentify an existing block as non-existent,\ncausing both data block lookup and insertion to fail inconsistently.\n\nThe second flaw is that nilfs_get_block() returns a successful status in\nthis inconsistent state. This causes the caller __block_write_begin_int()\nor others to request a read even though the buffer is not mapped,\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\nfailing.\n\nThis fixes the first issue by changing the return value to code -EINVAL\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\nconflicting condition that leads to the kernel bug described above. Here,\ncode -EINVAL indicates that metadata corruption was detected during the\nblock lookup, which will be properly handled as a file system error and\nconverted to -EIO when passing through the nilfs2 bmap layer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26956\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26956\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26956\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26956\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26956\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84\",\n \"https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7\",\n \"https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4\",\n \"https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e\",\n \"https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713\",\n \"https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35\",\n \"https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb\",\n \"https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba\",\n \"https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\\n\\nPatch series \\\"nilfs2: fix kernel bug at submit_bh_wbc()\\\".\\n\\nThis resolves a kernel BUG reported by syzbot. Since there are two\\nflaws involved, I've made each one a separate patch.\\n\\nThe first patch alone resolves the syzbot-reported bug, but I think\\nboth fixes should be sent to stable, so I've tagged them as such.\\n\\n\\nThis patch (of 2):\\n\\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\\nto a nilfs2 file system whose metadata is corrupted.\\n\\nThere are two flaws involved in this issue.\\n\\nThe first flaw is that when nilfs_get_block() locates a data block using\\nbtree or direct mapping, if the disk address translation routine\\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\\ncorruption, it can be passed back to nilfs_get_block(). This causes\\nnilfs_get_block() to misidentify an existing block as non-existent,\\ncausing both data block lookup and insertion to fail inconsistently.\\n\\nThe second flaw is that nilfs_get_block() returns a successful status in\\nthis inconsistent state. This causes the caller __block_write_begin_int()\\nor others to request a read even though the buffer is not mapped,\\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\\nfailing.\\n\\nThis fixes the first issue by changing the return value to code -EINVAL\\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\\nconflicting condition that leads to the kernel bug described above. Here,\\ncode -EINVAL indicates that metadata corruption was detected during the\\nblock lookup, which will be properly handled as a file system error and\\nconverted to -EIO when passing through the nilfs2 bmap layer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26956\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26957", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26957" + }, + { + "url": "https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484" + }, + { + "url": "https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c" + }, + { + "url": "https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd" + }, + { + "url": "https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058" + }, + { + "url": "https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55" + }, + { + "url": "https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6" + }, + { + "url": "https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca" + }, + { + "url": "https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d" + }, + { + "url": "https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26957 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26957", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n kernel: kmalloc_trace+0x3f2/0x470\n kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]\n kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n kernel: ap_device_probe+0x15c/0x290\n kernel: really_probe+0xd2/0x468\n kernel: driver_probe_device+0x40/0xf0\n kernel: __device_attach_driver+0xc0/0x140\n kernel: bus_for_each_drv+0x8c/0xd0\n kernel: __device_attach+0x114/0x198\n kernel: bus_probe_device+0xb4/0xc8\n kernel: device_add+0x4d2/0x6e0\n kernel: ap_scan_adapter+0x3d0/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n kernel: kfree+0x37e/0x418\n kernel: zcrypt_card_put+0x54/0x80 [zcrypt]\n kernel: ap_device_remove+0x4c/0xe0\n kernel: device_release_driver_internal+0x1c4/0x270\n kernel: bus_remove_device+0x100/0x188\n kernel: device_del+0x164/0x3c0\n kernel: device_unregister+0x30/0x90\n kernel: ap_scan_adapter+0xc8/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: kthread+0x150/0x168\n kernel: __ret_from_fork+0x3c/0x58\n kernel: ret_from_fork+0xa/0x30\n kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........\n kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk.\n kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........\n kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ\n kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n kernel: Call Trace:\n kernel: [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n kernel: [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n kernel: [<00000000c99d53cc>] check_object+0x334/0x3f8\n kernel: [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n kernel: [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n kernel: [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n kernel: [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n kernel: [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n kernel: [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n kernel: [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n kernel: \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26957\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26957\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26957\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26957\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26957\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484\",\n \"https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c\",\n \"https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd\",\n \"https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058\",\n \"https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55\",\n \"https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6\",\n \"https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca\",\n \"https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d\",\n \"https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/zcrypt: fix reference counting on zcrypt card objects\\n\\nTests with hot-plugging crytpo cards on KVM guests with debug\\nkernel build revealed an use after free for the load field of\\nthe struct zcrypt_card. The reason was an incorrect reference\\nhandling of the zcrypt card object which could lead to a free\\nof the zcrypt card object while it was still in use.\\n\\nThis is an example of the slab message:\\n\\n kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\\n kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\\n kernel: kmalloc_trace+0x3f2/0x470\\n kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]\\n kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\\n kernel: ap_device_probe+0x15c/0x290\\n kernel: really_probe+0xd2/0x468\\n kernel: driver_probe_device+0x40/0xf0\\n kernel: __device_attach_driver+0xc0/0x140\\n kernel: bus_for_each_drv+0x8c/0xd0\\n kernel: __device_attach+0x114/0x198\\n kernel: bus_probe_device+0xb4/0xc8\\n kernel: device_add+0x4d2/0x6e0\\n kernel: ap_scan_adapter+0x3d0/0x7c0\\n kernel: ap_scan_bus+0x5a/0x3b0\\n kernel: ap_scan_bus_wq_callback+0x40/0x60\\n kernel: process_one_work+0x26e/0x620\\n kernel: worker_thread+0x21c/0x440\\n kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\\n kernel: kfree+0x37e/0x418\\n kernel: zcrypt_card_put+0x54/0x80 [zcrypt]\\n kernel: ap_device_remove+0x4c/0xe0\\n kernel: device_release_driver_internal+0x1c4/0x270\\n kernel: bus_remove_device+0x100/0x188\\n kernel: device_del+0x164/0x3c0\\n kernel: device_unregister+0x30/0x90\\n kernel: ap_scan_adapter+0xc8/0x7c0\\n kernel: ap_scan_bus+0x5a/0x3b0\\n kernel: ap_scan_bus_wq_callback+0x40/0x60\\n kernel: process_one_work+0x26e/0x620\\n kernel: worker_thread+0x21c/0x440\\n kernel: kthread+0x150/0x168\\n kernel: __ret_from_fork+0x3c/0x58\\n kernel: ret_from_fork+0xa/0x30\\n kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\\n kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\\n kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........\\n kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\\n kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\\n kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\\n kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\\n kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\\n kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk.\\n kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........\\n kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ\\n kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\\n kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\\n kernel: Call Trace:\\n kernel: [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\\n kernel: [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\\n kernel: [<00000000c99d53cc>] check_object+0x334/0x3f8\\n kernel: [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\\n kernel: [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\\n kernel: [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\\n kernel: [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\\n kernel: [<00000000c99dc8dc>] __kmalloc+0x434/0x590\\n kernel: [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\\n kernel: [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\\n kernel: \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26957\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26958", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26958" + }, + { + "url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af" + }, + { + "url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab" + }, + { + "url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3" + }, + { + "url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5" + }, + { + "url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f" + }, + { + "url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95" + }, + { + "url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26958 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26958", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n \n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we're completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26958\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26958\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26958\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26958\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26958\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af\",\n \"https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab\",\n \"https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3\",\n \"https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5\",\n \"https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f\",\n \"https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95\",\n \"https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfs: fix UAF in direct writes\\n\\nIn production we have been hitting the following warning consistently\\n\\n------------[ cut here ]------------\\nrefcount_t: underflow; use-after-free.\\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? __warn+0x9f/0x130\\n ? refcount_warn_saturate+0x9c/0xe0\\n ? report_bug+0xcc/0x150\\n ? handle_bug+0x3d/0x70\\n ? exc_invalid_op+0x16/0x40\\n ? asm_exc_invalid_op+0x16/0x20\\n ? refcount_warn_saturate+0x9c/0xe0\\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\\n process_one_work+0x12f/0x4a0\\n worker_thread+0x14e/0x3b0\\n ? ZSTD_getCParams_internal+0x220/0x220\\n kthread+0xdc/0x120\\n ? __btf_name_valid+0xa0/0xa0\\n ret_from_fork+0x1f/0x30\\n\\nThis is because we're completing the nfs_direct_request twice in a row.\\n\\nThe source of this is when we have our commit requests to submit, we\\nprocess them and send them off, and then in the completion path for the\\ncommit requests we have\\n\\nif (nfs_commit_end(cinfo.mds))\\n\\tnfs_direct_write_complete(dreq);\\n\\nHowever since we're submitting asynchronous requests we sometimes have\\none that completes before we submit the next one, so we end up calling\\ncomplete on the nfs_direct_request twice.\\n\\nThe only other place we use nfs_generic_commit_list() is in\\n__nfs_commit_inode, which wraps this call in a\\n\\nnfs_commit_begin();\\nnfs_commit_end();\\n\\nWhich is a common pattern for this style of completion handling, one\\nthat is also repeated in the direct code with get_dreq()/put_dreq()\\ncalls around where we process events as well as in the completion paths.\\n\\nFix this by using the same pattern for the commit requests.\\n\\nBefore with my 200 node rocksdb stress running this warning would pop\\nevery 10ish minutes. With my patch the stress test has been running for\\nseveral hours without popping.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26958\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26960", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26960" + }, + { + "url": "https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a" + }, + { + "url": "https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a" + }, + { + "url": "https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e" + }, + { + "url": "https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b" + }, + { + "url": "https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39" + }, + { + "url": "https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e" + }, + { + "url": "https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26960 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26960", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread. This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case. But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff(). There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free. This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff. So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26960\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26960\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26960\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26960\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26960\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a\",\n \"https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a\",\n \"https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e\",\n \"https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b\",\n \"https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39\",\n \"https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e\",\n \"https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: swap: fix race between free_swap_and_cache() and swapoff()\\n\\nThere was previously a theoretical window where swapoff() could run and\\nteardown a swap_info_struct while a call to free_swap_and_cache() was\\nrunning in another thread. This could cause, amongst other bad\\npossibilities, swap_page_trans_huge_swapped() (called by\\nfree_swap_and_cache()) to access the freed memory for swap_map.\\n\\nThis is a theoretical problem and I haven't been able to provoke it from a\\ntest case. But there has been agreement based on code review that this is\\npossible (see link below).\\n\\nFix it by using get_swap_device()/put_swap_device(), which will stall\\nswapoff(). There was an extra check in _swap_info_get() to confirm that\\nthe swap entry was not free. This isn't present in get_swap_device()\\nbecause it doesn't make sense in general due to the race between getting\\nthe reference and swapoff. So I've added an equivalent check directly in\\nfree_swap_and_cache().\\n\\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\\nfor deriving this):\\n\\n--8<-----\\n\\n__swap_entry_free() might be the last user and result in\\n\\\"count == SWAP_HAS_CACHE\\\".\\n\\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\\n\\nSo the question is: could someone reclaim the folio and turn\\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\\n\\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\\nstill references by swap entries.\\n\\nProcess 1 still references subpage 0 via swap entry.\\nProcess 2 still references subpage 1 via swap entry.\\n\\nProcess 1 quits. Calls free_swap_and_cache().\\n-> count == SWAP_HAS_CACHE\\n[then, preempted in the hypervisor etc.]\\n\\nProcess 2 quits. Calls free_swap_and_cache().\\n-> count == SWAP_HAS_CACHE\\n\\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\\n__try_to_reclaim_swap().\\n\\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\\nswap_entry_free()->swap_range_free()->\\n...\\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\\n\\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\\n\\n--8<-----\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26960\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26961", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26961" + }, + { + "url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531" + }, + { + "url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d" + }, + { + "url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1" + }, + { + "url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88" + }, + { + "url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821" + }, + { + "url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f" + }, + { + "url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26961 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26961", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n \n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n hex dump (first 32 bytes):\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\".......\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e2/0x2d0\n [] kmalloc_trace+0x25/0xc0\n [] mac802154_llsec_key_add+0xac9/0xcf0\n [] ieee802154_add_llsec_key+0x5a/0x80\n [] nl802154_add_llsec_key+0x426/0x5b0\n [] genl_family_rcv_msg_doit+0x1fe/0x2f0\n [] genl_rcv_msg+0x531/0x7d0\n [] netlink_rcv_skb+0x169/0x440\n [] genl_rcv+0x28/0x40\n [] netlink_unicast+0x53c/0x820\n [] netlink_sendmsg+0x93b/0xe60\n [] ____sys_sendmsg+0xac5/0xca0\n [] ___sys_sendmsg+0x11d/0x1c0\n [] __sys_sendmsg+0xfa/0x1d0\n [] do_syscall_64+0x45/0xf0\n [] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26961\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26961\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26961\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26961\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26961\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531\",\n \"https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d\",\n \"https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1\",\n \"https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88\",\n \"https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821\",\n \"https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f\",\n \"https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\\n\\nmac802154_llsec_key_del() can free resources of a key directly without\\nfollowing the RCU rules for waiting before the end of a grace period. This\\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\\nlist of keys in parallel with a key deletion:\\n\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\\nModules linked in:\\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\\nCall Trace:\\n \\n llsec_lookup_key.isra.0+0x890/0x9e0\\n mac802154_llsec_encrypt+0x30c/0x9c0\\n ieee802154_subif_start_xmit+0x24/0x1e0\\n dev_hard_start_xmit+0x13e/0x690\\n sch_direct_xmit+0x2ae/0xbc0\\n __dev_queue_xmit+0x11dd/0x3c20\\n dgram_sendmsg+0x90b/0xd60\\n __sys_sendto+0x466/0x4c0\\n __x64_sys_sendto+0xe0/0x1c0\\n do_syscall_64+0x45/0xf0\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\nAlso, ieee802154_llsec_key_entry structures are not freed by\\nmac802154_llsec_key_del():\\n\\nunreferenced object 0xffff8880613b6980 (size 64):\\n comm \\\"iwpan\\\", pid 2176, jiffies 4294761134 (age 60.475s)\\n hex dump (first 32 bytes):\\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\\\".......\\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\\n backtrace:\\n [] __kmem_cache_alloc_node+0x1e2/0x2d0\\n [] kmalloc_trace+0x25/0xc0\\n [] mac802154_llsec_key_add+0xac9/0xcf0\\n [] ieee802154_add_llsec_key+0x5a/0x80\\n [] nl802154_add_llsec_key+0x426/0x5b0\\n [] genl_family_rcv_msg_doit+0x1fe/0x2f0\\n [] genl_rcv_msg+0x531/0x7d0\\n [] netlink_rcv_skb+0x169/0x440\\n [] genl_rcv+0x28/0x40\\n [] netlink_unicast+0x53c/0x820\\n [] netlink_sendmsg+0x93b/0xe60\\n [] ____sys_sendmsg+0xac5/0xca0\\n [] ___sys_sendmsg+0x11d/0x1c0\\n [] __sys_sendmsg+0xfa/0x1d0\\n [] do_syscall_64+0x45/0xf0\\n [] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\nHandle the proper resource release in the RCU callback function\\nmac802154_llsec_key_del_rcu().\\n\\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\\nllsec_key_get() and locally copies key id from key_entry (which is a\\nlist element). So it's safe to call llsec_key_put() and free the list\\nentry after the RCU grace period elapses.\\n\\nFound by Linux Verification Center (linuxtesting.org).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26961\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26962", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26962" + }, + { + "url": "https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677" + }, + { + "url": "https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1" + }, + { + "url": "https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26962 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26962", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape\n\nFor raid456, if reshape is still in progress, then IO across reshape\nposition will wait for reshape to make progress. However, for dm-raid,\nin following cases reshape will never make progress hence IO will hang:\n\n1) the array is read-only;\n2) MD_RECOVERY_WAIT is set;\n3) MD_RECOVERY_FROZEN is set;\n\nAfter commit c467e97f079f (\"md/raid6: use valid sector values to determine\nif an I/O should wait on the reshape\") fix the problem that IO across\nreshape position doesn't wait for reshape, the dm-raid test\nshell/lvconvert-raid-reshape.sh start to hang:\n\n[root@fedora ~]# cat /proc/979/stack\n[<0>] wait_woken+0x7d/0x90\n[<0>] raid5_make_request+0x929/0x1d70 [raid456]\n[<0>] md_handle_request+0xc2/0x3b0 [md_mod]\n[<0>] raid_map+0x2c/0x50 [dm_raid]\n[<0>] __map_bio+0x251/0x380 [dm_mod]\n[<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]\n[<0>] __submit_bio+0xc2/0x1c0\n[<0>] submit_bio_noacct_nocheck+0x17f/0x450\n[<0>] submit_bio_noacct+0x2bc/0x780\n[<0>] submit_bio+0x70/0xc0\n[<0>] mpage_readahead+0x169/0x1f0\n[<0>] blkdev_readahead+0x18/0x30\n[<0>] read_pages+0x7c/0x3b0\n[<0>] page_cache_ra_unbounded+0x1ab/0x280\n[<0>] force_page_cache_ra+0x9e/0x130\n[<0>] page_cache_sync_ra+0x3b/0x110\n[<0>] filemap_get_pages+0x143/0xa30\n[<0>] filemap_read+0xdc/0x4b0\n[<0>] blkdev_read_iter+0x75/0x200\n[<0>] vfs_read+0x272/0x460\n[<0>] ksys_read+0x7a/0x170\n[<0>] __x64_sys_read+0x1c/0x30\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nThis is because reshape can't make progress.\n\nFor md/raid, the problem doesn't exist because register new sync_thread\ndoesn't rely on the IO to be done any more:\n\n1) If array is read-only, it can switch to read-write by ioctl/sysfs;\n2) md/raid never set MD_RECOVERY_WAIT;\n3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold\n 'reconfig_mutex', hence it can be cleared and reshape can continue by\n sysfs api 'sync_action'.\n\nHowever, I'm not sure yet how to avoid the problem in dm-raid yet. This\npatch on the one hand make sure raid_message() can't change\nsync_thread() through raid_message() after presuspend(), on the other\nhand detect the above 3 cases before wait for IO do be done in\ndm_suspend(), and let dm-raid requeue those IO.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26962\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26962\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26962\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26962\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26962\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677\",\n \"https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1\",\n \"https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape\\n\\nFor raid456, if reshape is still in progress, then IO across reshape\\nposition will wait for reshape to make progress. However, for dm-raid,\\nin following cases reshape will never make progress hence IO will hang:\\n\\n1) the array is read-only;\\n2) MD_RECOVERY_WAIT is set;\\n3) MD_RECOVERY_FROZEN is set;\\n\\nAfter commit c467e97f079f (\\\"md/raid6: use valid sector values to determine\\nif an I/O should wait on the reshape\\\") fix the problem that IO across\\nreshape position doesn't wait for reshape, the dm-raid test\\nshell/lvconvert-raid-reshape.sh start to hang:\\n\\n[root@fedora ~]# cat /proc/979/stack\\n[<0>] wait_woken+0x7d/0x90\\n[<0>] raid5_make_request+0x929/0x1d70 [raid456]\\n[<0>] md_handle_request+0xc2/0x3b0 [md_mod]\\n[<0>] raid_map+0x2c/0x50 [dm_raid]\\n[<0>] __map_bio+0x251/0x380 [dm_mod]\\n[<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]\\n[<0>] __submit_bio+0xc2/0x1c0\\n[<0>] submit_bio_noacct_nocheck+0x17f/0x450\\n[<0>] submit_bio_noacct+0x2bc/0x780\\n[<0>] submit_bio+0x70/0xc0\\n[<0>] mpage_readahead+0x169/0x1f0\\n[<0>] blkdev_readahead+0x18/0x30\\n[<0>] read_pages+0x7c/0x3b0\\n[<0>] page_cache_ra_unbounded+0x1ab/0x280\\n[<0>] force_page_cache_ra+0x9e/0x130\\n[<0>] page_cache_sync_ra+0x3b/0x110\\n[<0>] filemap_get_pages+0x143/0xa30\\n[<0>] filemap_read+0xdc/0x4b0\\n[<0>] blkdev_read_iter+0x75/0x200\\n[<0>] vfs_read+0x272/0x460\\n[<0>] ksys_read+0x7a/0x170\\n[<0>] __x64_sys_read+0x1c/0x30\\n[<0>] do_syscall_64+0xc6/0x230\\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\\n\\nThis is because reshape can't make progress.\\n\\nFor md/raid, the problem doesn't exist because register new sync_thread\\ndoesn't rely on the IO to be done any more:\\n\\n1) If array is read-only, it can switch to read-write by ioctl/sysfs;\\n2) md/raid never set MD_RECOVERY_WAIT;\\n3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold\\n 'reconfig_mutex', hence it can be cleared and reshape can continue by\\n sysfs api 'sync_action'.\\n\\nHowever, I'm not sure yet how to avoid the problem in dm-raid yet. This\\npatch on the one hand make sure raid_message() can't change\\nsync_thread() through raid_message() after presuspend(), on the other\\nhand detect the above 3 cases before wait for IO do be done in\\ndm_suspend(), and let dm-raid requeue those IO.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26962\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26964", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26964" + }, + { + "url": "https://git.kernel.org/stable/c/4a49d24fdec0a802aa686a567a3989a9fdf4e5dd" + }, + { + "url": "https://git.kernel.org/stable/c/620b6cf2f1a270f48d38e6b8ce199c1acb3e90f4" + }, + { + "url": "https://git.kernel.org/stable/c/7b6cc33593d7ccfc3011b290849cfa899db46757" + }, + { + "url": "https://git.kernel.org/stable/c/962300a360d24c5be5a188cda48da58a37e4304d" + }, + { + "url": "https://git.kernel.org/stable/c/b2c898469dfc388f619c6c972a28466cbb1442ea" + }, + { + "url": "https://git.kernel.org/stable/c/be95cc6d71dfd0cba66e3621c65413321b398052" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26964 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26964", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Add error handling in xhci_map_urb_for_dma\n\nCurrently xhci_map_urb_for_dma() creates a temporary buffer and copies\nthe SG list to the new linear buffer. But if the kzalloc_node() fails,\nthen the following sg_pcopy_to_buffer() can lead to crash since it\ntries to memcpy to NULL pointer.\n\nSo return -ENOMEM if kzalloc returns null pointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26964\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26964\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26964\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26964\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26964\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4a49d24fdec0a802aa686a567a3989a9fdf4e5dd\",\n \"https://git.kernel.org/stable/c/620b6cf2f1a270f48d38e6b8ce199c1acb3e90f4\",\n \"https://git.kernel.org/stable/c/7b6cc33593d7ccfc3011b290849cfa899db46757\",\n \"https://git.kernel.org/stable/c/962300a360d24c5be5a188cda48da58a37e4304d\",\n \"https://git.kernel.org/stable/c/b2c898469dfc388f619c6c972a28466cbb1442ea\",\n \"https://git.kernel.org/stable/c/be95cc6d71dfd0cba66e3621c65413321b398052\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: xhci: Add error handling in xhci_map_urb_for_dma\\n\\nCurrently xhci_map_urb_for_dma() creates a temporary buffer and copies\\nthe SG list to the new linear buffer. But if the kzalloc_node() fails,\\nthen the following sg_pcopy_to_buffer() can lead to crash since it\\ntries to memcpy to NULL pointer.\\n\\nSo return -ENOMEM if kzalloc returns null pointer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26964\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26965", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26965" + }, + { + "url": "https://git.kernel.org/stable/c/3ff4a0f6a8f0ad4b4ee9e908bdfc3cacb7be4060" + }, + { + "url": "https://git.kernel.org/stable/c/537040c257ab4cd0673fbae048f3940c8ea2e589" + }, + { + "url": "https://git.kernel.org/stable/c/7e9926fef71e514b4a8ea9d11d5a84d52b181362" + }, + { + "url": "https://git.kernel.org/stable/c/86bf75d9158f511db7530bc82a84b19a5134d089" + }, + { + "url": "https://git.kernel.org/stable/c/8f562f3b25177c2055b20fd8cf000496f6fa9194" + }, + { + "url": "https://git.kernel.org/stable/c/99740c4791dc8019b0d758c5389ca6d1c0604d95" + }, + { + "url": "https://git.kernel.org/stable/c/ae99e199037c580b7350bfa3596f447a53bcf01f" + }, + { + "url": "https://git.kernel.org/stable/c/ca2cf98d46748373e830a13d85d215d64a2d9bf2" + }, + { + "url": "https://git.kernel.org/stable/c/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26965 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26965", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26965\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26965\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26965\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26965\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26965\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3ff4a0f6a8f0ad4b4ee9e908bdfc3cacb7be4060\",\n \"https://git.kernel.org/stable/c/537040c257ab4cd0673fbae048f3940c8ea2e589\",\n \"https://git.kernel.org/stable/c/7e9926fef71e514b4a8ea9d11d5a84d52b181362\",\n \"https://git.kernel.org/stable/c/86bf75d9158f511db7530bc82a84b19a5134d089\",\n \"https://git.kernel.org/stable/c/8f562f3b25177c2055b20fd8cf000496f6fa9194\",\n \"https://git.kernel.org/stable/c/99740c4791dc8019b0d758c5389ca6d1c0604d95\",\n \"https://git.kernel.org/stable/c/ae99e199037c580b7350bfa3596f447a53bcf01f\",\n \"https://git.kernel.org/stable/c/ca2cf98d46748373e830a13d85d215d64a2d9bf2\",\n \"https://git.kernel.org/stable/c/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\\n\\nThe frequency table arrays are supposed to be terminated with an\\nempty element. Add such entry to the end of the arrays where it\\nis missing in order to avoid possible out-of-bound access when\\nthe table is traversed by functions like qcom_find_freq() or\\nqcom_find_freq_floor().\\n\\nOnly compile tested.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26965\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26966", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26966" + }, + { + "url": "https://git.kernel.org/stable/c/185de0b7cdeaad8b89ebd4c8a258ff2f21adba99" + }, + { + "url": "https://git.kernel.org/stable/c/3aedcf3755c74dafc187eb76acb04e3e6348b1a9" + }, + { + "url": "https://git.kernel.org/stable/c/5533686e99b04994d7c4877dc0e4282adc9444a2" + }, + { + "url": "https://git.kernel.org/stable/c/5638330150db2cc30b53eed04e481062faa3ece8" + }, + { + "url": "https://git.kernel.org/stable/c/7e5432401536117c316d7f3b21d46b64c1514f38" + }, + { + "url": "https://git.kernel.org/stable/c/9b4c4546dd61950e80ffdca1bf6925f42b665b03" + }, + { + "url": "https://git.kernel.org/stable/c/a09aecb6cb482de88301c43bf00a6c8726c4d34f" + }, + { + "url": "https://git.kernel.org/stable/c/a903cfd38d8dee7e754fb89fd1bebed99e28003d" + }, + { + "url": "https://git.kernel.org/stable/c/b2dfb216f32627c2f6a8041f2d9d56d102ab87c0" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26966 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26966", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26966\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26966\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26966\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26966\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26966\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/185de0b7cdeaad8b89ebd4c8a258ff2f21adba99\",\n \"https://git.kernel.org/stable/c/3aedcf3755c74dafc187eb76acb04e3e6348b1a9\",\n \"https://git.kernel.org/stable/c/5533686e99b04994d7c4877dc0e4282adc9444a2\",\n \"https://git.kernel.org/stable/c/5638330150db2cc30b53eed04e481062faa3ece8\",\n \"https://git.kernel.org/stable/c/7e5432401536117c316d7f3b21d46b64c1514f38\",\n \"https://git.kernel.org/stable/c/9b4c4546dd61950e80ffdca1bf6925f42b665b03\",\n \"https://git.kernel.org/stable/c/a09aecb6cb482de88301c43bf00a6c8726c4d34f\",\n \"https://git.kernel.org/stable/c/a903cfd38d8dee7e754fb89fd1bebed99e28003d\",\n \"https://git.kernel.org/stable/c/b2dfb216f32627c2f6a8041f2d9d56d102ab87c0\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\\n\\nThe frequency table arrays are supposed to be terminated with an\\nempty element. Add such entry to the end of the arrays where it\\nis missing in order to avoid possible out-of-bound access when\\nthe table is traversed by functions like qcom_find_freq() or\\nqcom_find_freq_floor().\\n\\nOnly compile tested.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26966\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26969", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26969" + }, + { + "url": "https://git.kernel.org/stable/c/1040ef5ed95d6fd2628bad387d78a61633e09429" + }, + { + "url": "https://git.kernel.org/stable/c/83fe1bbd9e259ad109827ccfbfc2488e0dea8e94" + }, + { + "url": "https://git.kernel.org/stable/c/851cc19bdb02556fb13629b3e4fef6f2bdb038fe" + }, + { + "url": "https://git.kernel.org/stable/c/9de184d4e557d550fb0b7b833b676bda4f269e4f" + }, + { + "url": "https://git.kernel.org/stable/c/b6b31b4c67ea6bd9222e5b73b330554c57f2f90d" + }, + { + "url": "https://git.kernel.org/stable/c/be9e2752d823eca1d5af67014a1844a9176ff566" + }, + { + "url": "https://git.kernel.org/stable/c/dd92b159c506804ac57adf3742d9728298bb1255" + }, + { + "url": "https://git.kernel.org/stable/c/e117c6e2d1617520f5f7d7f6f6b395f01d8b5a27" + }, + { + "url": "https://git.kernel.org/stable/c/fc3ac2fcd0a7fad63eba1b359490a4b81720d0f9" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26969 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26969", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26969\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26969\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26969\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26969\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26969\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1040ef5ed95d6fd2628bad387d78a61633e09429\",\n \"https://git.kernel.org/stable/c/83fe1bbd9e259ad109827ccfbfc2488e0dea8e94\",\n \"https://git.kernel.org/stable/c/851cc19bdb02556fb13629b3e4fef6f2bdb038fe\",\n \"https://git.kernel.org/stable/c/9de184d4e557d550fb0b7b833b676bda4f269e4f\",\n \"https://git.kernel.org/stable/c/b6b31b4c67ea6bd9222e5b73b330554c57f2f90d\",\n \"https://git.kernel.org/stable/c/be9e2752d823eca1d5af67014a1844a9176ff566\",\n \"https://git.kernel.org/stable/c/dd92b159c506804ac57adf3742d9728298bb1255\",\n \"https://git.kernel.org/stable/c/e117c6e2d1617520f5f7d7f6f6b395f01d8b5a27\",\n \"https://git.kernel.org/stable/c/fc3ac2fcd0a7fad63eba1b359490a4b81720d0f9\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\\n\\nThe frequency table arrays are supposed to be terminated with an\\nempty element. Add such entry to the end of the arrays where it\\nis missing in order to avoid possible out-of-bound access when\\nthe table is traversed by functions like qcom_find_freq() or\\nqcom_find_freq_floor().\\n\\nOnly compile tested.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26969\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26970", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26970" + }, + { + "url": "https://git.kernel.org/stable/c/421b135aceace99789c982f6a77ce9476564fb52" + }, + { + "url": "https://git.kernel.org/stable/c/852db52b45ea96dac2720f108e7c7331cd3738bb" + }, + { + "url": "https://git.kernel.org/stable/c/ae60e3342296f766f88911d39199f77b05f657a6" + }, + { + "url": "https://git.kernel.org/stable/c/b4527ee3de365a742215773d20f07db3e2c06f3b" + }, + { + "url": "https://git.kernel.org/stable/c/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d" + }, + { + "url": "https://git.kernel.org/stable/c/db4066e3ab6b3d918ae2b92734a89c04fe82cc1d" + }, + { + "url": "https://git.kernel.org/stable/c/dcb13b5c9ae8743f99a96f392186527c3df89198" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26970 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26970", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq6018: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26970\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26970\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26970\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26970\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26970\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/421b135aceace99789c982f6a77ce9476564fb52\",\n \"https://git.kernel.org/stable/c/852db52b45ea96dac2720f108e7c7331cd3738bb\",\n \"https://git.kernel.org/stable/c/ae60e3342296f766f88911d39199f77b05f657a6\",\n \"https://git.kernel.org/stable/c/b4527ee3de365a742215773d20f07db3e2c06f3b\",\n \"https://git.kernel.org/stable/c/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d\",\n \"https://git.kernel.org/stable/c/db4066e3ab6b3d918ae2b92734a89c04fe82cc1d\",\n \"https://git.kernel.org/stable/c/dcb13b5c9ae8743f99a96f392186527c3df89198\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: qcom: gcc-ipq6018: fix terminating of frequency table arrays\\n\\nThe frequency table arrays are supposed to be terminated with an\\nempty element. Add such entry to the end of the arrays where it\\nis missing in order to avoid possible out-of-bound access when\\nthe table is traversed by functions like qcom_find_freq() or\\nqcom_find_freq_floor().\\n\\nOnly compile tested.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26970\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26972", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26972" + }, + { + "url": "https://git.kernel.org/stable/c/62b5ae00c2b835639002ce898ccb5d82c51073ae" + }, + { + "url": "https://git.kernel.org/stable/c/6379b44cdcd67f5f5d986b73953e99700591edfa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26972 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26972", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: ubifs_symlink: Fix memleak of inode->i_link in error path\n\nFor error handling path in ubifs_symlink(), inode will be marked as\nbad first, then iput() is invoked. If inode->i_link is initialized by\nfscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't\nbe freed by callchain ubifs_free_inode -> fscrypt_free_inode in error\nhandling path, because make_bad_inode() has changed 'inode->i_mode' as\n'S_IFREG'.\nFollowing kmemleak is easy to be reproduced by injecting error in\nubifs_jnl_update() when doing symlink in encryption scenario:\n unreferenced object 0xffff888103da3d98 (size 8):\n comm \"ln\", pid 1692, jiffies 4294914701 (age 12.045s)\n backtrace:\n kmemdup+0x32/0x70\n __fscrypt_encrypt_symlink+0xed/0x1c0\n ubifs_symlink+0x210/0x300 [ubifs]\n vfs_symlink+0x216/0x360\n do_symlinkat+0x11a/0x190\n do_syscall_64+0x3b/0xe0\nThere are two ways fixing it:\n 1. Remove make_bad_inode() in error handling path. We can do that\n because ubifs_evict_inode() will do same processes for good\n symlink inode and bad symlink inode, for inode->i_nlink checking\n is before is_bad_inode().\n 2. Free inode->i_link before marking inode bad.\nMethod 2 is picked, it has less influence, personally, I think.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26972\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26972\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26972\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26972\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26972\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/62b5ae00c2b835639002ce898ccb5d82c51073ae\",\n \"https://git.kernel.org/stable/c/6379b44cdcd67f5f5d986b73953e99700591edfa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nubifs: ubifs_symlink: Fix memleak of inode->i_link in error path\\n\\nFor error handling path in ubifs_symlink(), inode will be marked as\\nbad first, then iput() is invoked. If inode->i_link is initialized by\\nfscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't\\nbe freed by callchain ubifs_free_inode -> fscrypt_free_inode in error\\nhandling path, because make_bad_inode() has changed 'inode->i_mode' as\\n'S_IFREG'.\\nFollowing kmemleak is easy to be reproduced by injecting error in\\nubifs_jnl_update() when doing symlink in encryption scenario:\\n unreferenced object 0xffff888103da3d98 (size 8):\\n comm \\\"ln\\\", pid 1692, jiffies 4294914701 (age 12.045s)\\n backtrace:\\n kmemdup+0x32/0x70\\n __fscrypt_encrypt_symlink+0xed/0x1c0\\n ubifs_symlink+0x210/0x300 [ubifs]\\n vfs_symlink+0x216/0x360\\n do_symlinkat+0x11a/0x190\\n do_syscall_64+0x3b/0xe0\\nThere are two ways fixing it:\\n 1. Remove make_bad_inode() in error handling path. We can do that\\n because ubifs_evict_inode() will do same processes for good\\n symlink inode and bad symlink inode, for inode->i_nlink checking\\n is before is_bad_inode().\\n 2. Free inode->i_link before marking inode bad.\\nMethod 2 is picked, it has less influence, personally, I think.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26972\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26973", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26973" + }, + { + "url": "https://git.kernel.org/stable/c/03a7e3f2ba3ca25f1da1d3898709a08db14c1abb" + }, + { + "url": "https://git.kernel.org/stable/c/74f852654b8b7866f15323685f1e178d3386c688" + }, + { + "url": "https://git.kernel.org/stable/c/9840d1897e28f8733cc1e38f97e044f987dc0a63" + }, + { + "url": "https://git.kernel.org/stable/c/a276c595c3a629170b0f052a3724f755d7c6adc6" + }, + { + "url": "https://git.kernel.org/stable/c/b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee" + }, + { + "url": "https://git.kernel.org/stable/c/c8cc05de8e6b5612b6e9f92c385c1a064b0db375" + }, + { + "url": "https://git.kernel.org/stable/c/cdd33d54e789d229d6d5007cbf3f53965ca1a5c6" + }, + { + "url": "https://git.kernel.org/stable/c/f52d7663a10a1266a2d3871a6dd8fd111edc549f" + }, + { + "url": "https://git.kernel.org/stable/c/fde2497d2bc3a063d8af88b258dbadc86bd7b57c" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26973 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26973", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfat: fix uninitialized field in nostale filehandles\n\nWhen fat_encode_fh_nostale() encodes file handle without a parent it\nstores only first 10 bytes of the file handle. However the length of the\nfile handle must be a multiple of 4 so the file handle is actually 12\nbytes long and the last two bytes remain uninitialized. This is not\ngreat at we potentially leak uninitialized information with the handle\nto userspace. Properly initialize the full handle length.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26973\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26973\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26973\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26973\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26973\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03a7e3f2ba3ca25f1da1d3898709a08db14c1abb\",\n \"https://git.kernel.org/stable/c/74f852654b8b7866f15323685f1e178d3386c688\",\n \"https://git.kernel.org/stable/c/9840d1897e28f8733cc1e38f97e044f987dc0a63\",\n \"https://git.kernel.org/stable/c/a276c595c3a629170b0f052a3724f755d7c6adc6\",\n \"https://git.kernel.org/stable/c/b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee\",\n \"https://git.kernel.org/stable/c/c8cc05de8e6b5612b6e9f92c385c1a064b0db375\",\n \"https://git.kernel.org/stable/c/cdd33d54e789d229d6d5007cbf3f53965ca1a5c6\",\n \"https://git.kernel.org/stable/c/f52d7663a10a1266a2d3871a6dd8fd111edc549f\",\n \"https://git.kernel.org/stable/c/fde2497d2bc3a063d8af88b258dbadc86bd7b57c\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfat: fix uninitialized field in nostale filehandles\\n\\nWhen fat_encode_fh_nostale() encodes file handle without a parent it\\nstores only first 10 bytes of the file handle. However the length of the\\nfile handle must be a multiple of 4 so the file handle is actually 12\\nbytes long and the last two bytes remain uninitialized. This is not\\ngreat at we potentially leak uninitialized information with the handle\\nto userspace. Properly initialize the full handle length.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26973\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26974", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26974" + }, + { + "url": "https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be" + }, + { + "url": "https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7" + }, + { + "url": "https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f" + }, + { + "url": "https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c" + }, + { + "url": "https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc" + }, + { + "url": "https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81" + }, + { + "url": "https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828" + }, + { + "url": "https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71" + }, + { + "url": "https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26974 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26974", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - resolve race condition during AER recovery\n\nDuring the PCI AER system's error recovery process, the kernel driver\nmay encounter a race condition with freeing the reset_data structure's\nmemory. If the device restart will take more than 10 seconds the function\nscheduling that restart will exit due to a timeout, and the reset_data\nstructure will be freed. However, this data structure is used for\ncompletion notification after the restart is completed, which leads\nto a UAF bug.\n\nThis results in a KFENCE bug notice.\n\n BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\n Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\n adf_device_reset_worker+0x38/0xa0 [intel_qat]\n process_one_work+0x173/0x340\n\nTo resolve this race condition, the memory associated to the container\nof the work_struct is freed on the worker if the timeout expired,\notherwise on the function that schedules the worker.\nThe timeout detection can be done by checking if the caller is\nstill waiting for completion or not by using completion_done() function.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26974\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26974\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26974\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26974\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26974\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be\",\n \"https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7\",\n \"https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f\",\n \"https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c\",\n \"https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc\",\n \"https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81\",\n \"https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828\",\n \"https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71\",\n \"https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: qat - resolve race condition during AER recovery\\n\\nDuring the PCI AER system's error recovery process, the kernel driver\\nmay encounter a race condition with freeing the reset_data structure's\\nmemory. If the device restart will take more than 10 seconds the function\\nscheduling that restart will exit due to a timeout, and the reset_data\\nstructure will be freed. However, this data structure is used for\\ncompletion notification after the restart is completed, which leads\\nto a UAF bug.\\n\\nThis results in a KFENCE bug notice.\\n\\n BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\\n Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\\n adf_device_reset_worker+0x38/0xa0 [intel_qat]\\n process_one_work+0x173/0x340\\n\\nTo resolve this race condition, the memory associated to the container\\nof the work_struct is freed on the worker if the timeout expired,\\notherwise on the function that schedules the worker.\\nThe timeout detection can be done by checking if the caller is\\nstill waiting for completion or not by using completion_done() function.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26974\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26976", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26976" + }, + { + "url": "https://git.kernel.org/stable/c/3d75b8aa5c29058a512db29da7cbee8052724157" + }, + { + "url": "https://git.kernel.org/stable/c/4f3a3bce428fb439c66a578adc447afce7b4a750" + }, + { + "url": "https://git.kernel.org/stable/c/82e25cc1c2e93c3023da98be282322fc08b61ffb" + }, + { + "url": "https://git.kernel.org/stable/c/83d3c5e309611ef593e2fcb78444fc8ceedf9bac" + }, + { + "url": "https://git.kernel.org/stable/c/a75afe480d4349c524d9c659b1a5a544dbc39a98" + }, + { + "url": "https://git.kernel.org/stable/c/ab2c2f5d9576112ad22cfd3798071cb74693b1f5" + }, + { + "url": "https://git.kernel.org/stable/c/b54478d20375874aeee257744dedfd3e413432ff" + }, + { + "url": "https://git.kernel.org/stable/c/caa9af2e27c275e089d702cfbaaece3b42bca31b" + }, + { + "url": "https://git.kernel.org/stable/c/f8730d6335e5f43d09151fca1f0f41922209a264" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26976 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26976", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\n\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put. Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\n\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock. async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\n\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n \n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n \n __schedule+0x33f/0xa40\n schedule+0x53/0xc0\n schedule_timeout+0x12a/0x140\n __wait_for_common+0x8d/0x1d0\n __flush_work.isra.0+0x19f/0x2c0\n kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n kvm_put_kvm+0x1c1/0x320 [kvm]\n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed. And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\n\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue(). Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay. kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\n\n trace_kvm_async_pf_completed(addr, cr2_or_gpa);\n\n __kvm_vcpu_wake_up(vcpu);\n\n mmput(mm);\n\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\n\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue. Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\n\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26976\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26976\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26976\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26976\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26976\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3d75b8aa5c29058a512db29da7cbee8052724157\",\n \"https://git.kernel.org/stable/c/4f3a3bce428fb439c66a578adc447afce7b4a750\",\n \"https://git.kernel.org/stable/c/82e25cc1c2e93c3023da98be282322fc08b61ffb\",\n \"https://git.kernel.org/stable/c/83d3c5e309611ef593e2fcb78444fc8ceedf9bac\",\n \"https://git.kernel.org/stable/c/a75afe480d4349c524d9c659b1a5a544dbc39a98\",\n \"https://git.kernel.org/stable/c/ab2c2f5d9576112ad22cfd3798071cb74693b1f5\",\n \"https://git.kernel.org/stable/c/b54478d20375874aeee257744dedfd3e413432ff\",\n \"https://git.kernel.org/stable/c/caa9af2e27c275e089d702cfbaaece3b42bca31b\",\n \"https://git.kernel.org/stable/c/f8730d6335e5f43d09151fca1f0f41922209a264\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\\n\\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\\nKVM must ensure that none of its workqueue callbacks is running when the\\nlast reference to the KVM _module_ is put. Gifting a reference to the\\nassociated VM prevents the workqueue callback from dereferencing freed\\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\\nbefore the callback completes.\\n\\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\\nresult in deadlock. async_pf_execute() can't return until kvm_put_kvm()\\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\\n\\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\\n Workqueue: events async_pf_execute [kvm]\\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\\n Call Trace:\\n \\n async_pf_execute+0x198/0x260 [kvm]\\n process_one_work+0x145/0x2d0\\n worker_thread+0x27e/0x3a0\\n kthread+0xba/0xe0\\n ret_from_fork+0x2d/0x50\\n ret_from_fork_asm+0x11/0x20\\n \\n ---[ end trace 0000000000000000 ]---\\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\\n Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\\n \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000\\n Workqueue: events async_pf_execute [kvm]\\n Call Trace:\\n \\n __schedule+0x33f/0xa40\\n schedule+0x53/0xc0\\n schedule_timeout+0x12a/0x140\\n __wait_for_common+0x8d/0x1d0\\n __flush_work.isra.0+0x19f/0x2c0\\n kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\\n kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\\n kvm_put_kvm+0x1c1/0x320 [kvm]\\n async_pf_execute+0x198/0x260 [kvm]\\n process_one_work+0x145/0x2d0\\n worker_thread+0x27e/0x3a0\\n kthread+0xba/0xe0\\n ret_from_fork+0x2d/0x50\\n ret_from_fork_asm+0x11/0x20\\n \\n\\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\\nthen there's no need to gift async_pf_execute() a reference because all\\ninvocations of async_pf_execute() will be forced to complete before the\\nvCPU and its VM are destroyed/freed. And that in turn fixes the module\\nunloading bug as __fput() won't do module_put() on the last vCPU reference\\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\\nlast reference to the KVM module.\\n\\nNote that kvm_check_async_pf_completion() may also take the work item off\\nthe completion queue and so also needs to flush the work queue, as the\\nwork will not be seen by kvm_clear_async_pf_completion_queue(). Waiting\\non the workqueue could theoretically delay a vCPU due to waiting for the\\nwork to complete, but that's a very, very small chance, and likely a very\\nsmall delay. kvm_arch_async_page_present_queued() unconditionally makes a\\nnew request, i.e. will effectively delay entering the guest, so the\\nremaining work is really just:\\n\\n trace_kvm_async_pf_completed(addr, cr2_or_gpa);\\n\\n __kvm_vcpu_wake_up(vcpu);\\n\\n mmput(mm);\\n\\nand mmput() can't drop the last reference to the page tables if the vCPU is\\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\\n\\nAdd a helper to do the flushing, specifically to deal with \\\"wakeup all\\\"\\nwork items, as they aren't actually work items, i.e. are never placed in a\\nworkqueue. Trying to flush a bogus workqueue entry rightly makes\\n__flush_work() complain (kudos to whoever added that sanity check).\\n\\nNote, commit 5f6de5cbebee (\\\"KVM: Prevent module exit until al\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26976\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26977", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26977" + }, + { + "url": "https://git.kernel.org/stable/c/5e4b23e7a7b33a1e56bfa3e5598138a2234d55b6" + }, + { + "url": "https://git.kernel.org/stable/c/6d21d0356aa44157a62e39c0d1a13d4c69a8d0c8" + }, + { + "url": "https://git.kernel.org/stable/c/7626913652cc786c238e2dd7d8740b17d41b2637" + }, + { + "url": "https://git.kernel.org/stable/c/af280e137e273935f2e09f4d73169998298792ed" + }, + { + "url": "https://git.kernel.org/stable/c/b5d40f02e7222da032c2042aebcf2a07de9b342f" + }, + { + "url": "https://git.kernel.org/stable/c/f3749345a9b7295dd071d0ed589634cb46364f77" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26977 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26977", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npci_iounmap(): Fix MMIO mapping leak\n\nThe #ifdef ARCH_HAS_GENERIC_IOPORT_MAP accidentally also guards iounmap(),\nwhich means MMIO mappings are leaked.\n\nMove the guard so we call iounmap() for MMIO mappings.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26977\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26977\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26977\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26977\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26977\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5e4b23e7a7b33a1e56bfa3e5598138a2234d55b6\",\n \"https://git.kernel.org/stable/c/6d21d0356aa44157a62e39c0d1a13d4c69a8d0c8\",\n \"https://git.kernel.org/stable/c/7626913652cc786c238e2dd7d8740b17d41b2637\",\n \"https://git.kernel.org/stable/c/af280e137e273935f2e09f4d73169998298792ed\",\n \"https://git.kernel.org/stable/c/b5d40f02e7222da032c2042aebcf2a07de9b342f\",\n \"https://git.kernel.org/stable/c/f3749345a9b7295dd071d0ed589634cb46364f77\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npci_iounmap(): Fix MMIO mapping leak\\n\\nThe #ifdef ARCH_HAS_GENERIC_IOPORT_MAP accidentally also guards iounmap(),\\nwhich means MMIO mappings are leaked.\\n\\nMove the guard so we call iounmap() for MMIO mappings.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26977\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26979", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26979" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26979 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26979", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26979\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26979\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26979\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26979\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26979\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26979\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26980", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26980" + }, + { + "url": "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085" + }, + { + "url": "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1" + }, + { + "url": "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248" + }, + { + "url": "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20" + }, + { + "url": "https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26980 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26980", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\n\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. if request size is smaller than\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\ndecrypting transform request. smb3_decrypt_req() will validate transform\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26980\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26980\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26980\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26980\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26980\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085\",\n \"https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1\",\n \"https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248\",\n \"https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20\",\n \"https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\\n\\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\\nvalidation could be skipped. if request size is smaller than\\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\\ndecrypting transform request. smb3_decrypt_req() will validate transform\\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26980\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26981", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26981" + }, + { + "url": "https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243" + }, + { + "url": "https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9" + }, + { + "url": "https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1" + }, + { + "url": "https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611" + }, + { + "url": "https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f" + }, + { + "url": "https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8" + }, + { + "url": "https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0" + }, + { + "url": "https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26981 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26981", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix OOB in nilfs_set_de_type\n\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\ndefined as \"S_IFMT >> S_SHIFT\", but the nilfs_set_de_type() function,\nwhich uses this array, specifies the index to read from the array in the\nsame way as \"(mode & S_IFMT) >> S_SHIFT\".\n\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\n *inode)\n{\n\tumode_t mode = inode->i_mode;\n\n\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\n}\n\nHowever, when the index is determined this way, an out-of-bounds (OOB)\nerror occurs by referring to an index that is 1 larger than the array size\nwhen the condition \"mode & S_IFMT == S_IFMT\" is satisfied. Therefore, a\npatch to resize the nilfs_type_by_mode array should be applied to prevent\nOOB errors.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26981\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26981\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26981\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26981\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26981\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243\",\n \"https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9\",\n \"https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1\",\n \"https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611\",\n \"https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f\",\n \"https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8\",\n \"https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0\",\n \"https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix OOB in nilfs_set_de_type\\n\\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\\ndefined as \\\"S_IFMT >> S_SHIFT\\\", but the nilfs_set_de_type() function,\\nwhich uses this array, specifies the index to read from the array in the\\nsame way as \\\"(mode & S_IFMT) >> S_SHIFT\\\".\\n\\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\\n *inode)\\n{\\n\\tumode_t mode = inode->i_mode;\\n\\n\\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\\n}\\n\\nHowever, when the index is determined this way, an out-of-bounds (OOB)\\nerror occurs by referring to an index that is 1 larger than the array size\\nwhen the condition \\\"mode & S_IFMT == S_IFMT\\\" is satisfied. Therefore, a\\npatch to resize the nilfs_type_by_mode array should be applied to prevent\\nOOB errors.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26981\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26982", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26982" + }, + { + "url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5" + }, + { + "url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395" + }, + { + "url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26982 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26982", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n and fill a metadata index. It however suffers a data read error\n and aborts, invalidating the newly returned empty metadata index.\n It does this by setting the inode number of the index to zero,\n which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n read operation, locate_meta_index() returns the previous index\n because it matches the inode number of 0. Because this index\n has been returned it is expected to have been filled, and because\n it hasn't been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26982\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26982\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26982\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26982\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26982\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5\",\n \"https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395\",\n \"https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSquashfs: check the inode number is not the invalid value of zero\\n\\nSyskiller has produced an out of bounds access in fill_meta_index().\\n\\nThat out of bounds access is ultimately caused because the inode\\nhas an inode number with the invalid value of zero, which was not checked.\\n\\nThe reason this causes the out of bounds access is due to following\\nsequence of events:\\n\\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\\n and fill a metadata index. It however suffers a data read error\\n and aborts, invalidating the newly returned empty metadata index.\\n It does this by setting the inode number of the index to zero,\\n which means unused (zero is not a valid inode number).\\n\\n2. When fill_meta_index() is subsequently called again on another\\n read operation, locate_meta_index() returns the previous index\\n because it matches the inode number of 0. Because this index\\n has been returned it is expected to have been filled, and because\\n it hasn't been, an out of bounds access is performed.\\n\\nThis patch adds a sanity check which checks that the inode number\\nis not zero when the inode is created and returns -EINVAL if it is.\\n\\n[phillip@squashfs.org.uk: whitespace fix]\\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26982\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26983", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26983" + }, + { + "url": "https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918" + }, + { + "url": "https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35" + }, + { + "url": "https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0" + }, + { + "url": "https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26983 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26983", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbootconfig: use memblock_free_late to free xbc memory to buddy\n\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\nover memory to buddy allocator. So it doesn't make sense to free memory\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\nFollowing KASAN logs shows this case.\n\nThis patch fixes the xbc memory free problem by calling memblock_free()\nin early xbc init error rewind path and calling memblock_free_late() in\nxbc exit path to free memory to buddy allocator.\n\n[ 9.410890] ==================================================================\n[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\n[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\n\n[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5\n[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\n[ 9.460789] Call Trace:\n[ 9.463518] \n[ 9.465859] dump_stack_lvl+0x53/0x70\n[ 9.469949] print_report+0xce/0x610\n[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0\n[ 9.478619] ? memblock_isolate_range+0x12d/0x260\n[ 9.483877] kasan_report+0xc6/0x100\n[ 9.487870] ? memblock_isolate_range+0x12d/0x260\n[ 9.493125] memblock_isolate_range+0x12d/0x260\n[ 9.498187] memblock_phys_free+0xb4/0x160\n[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10\n[ 9.508021] ? mutex_unlock+0x7e/0xd0\n[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10\n[ 9.516786] ? kernel_init_freeable+0x2d4/0x430\n[ 9.521850] ? __pfx_kernel_init+0x10/0x10\n[ 9.526426] xbc_exit+0x17/0x70\n[ 9.529935] kernel_init+0x38/0x1e0\n[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30\n[ 9.538601] ret_from_fork+0x2c/0x50\n[ 9.542596] ? __pfx_kernel_init+0x10/0x10\n[ 9.547170] ret_from_fork_asm+0x1a/0x30\n[ 9.551552] \n\n[ 9.555649] The buggy address belongs to the physical page:\n[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\n[ 9.570821] flags: 0x200000000000000(node=0|zone=2)\n[ 9.576271] page_type: 0xffffffff()\n[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\n[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\n[ 9.597476] page dumped because: kasan: bad access detected\n\n[ 9.605362] Memory state around the buggy address:\n[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.634930] ^\n[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.654675] ==================================================================", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26983\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26983\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26983\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26983\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26983\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918\",\n \"https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35\",\n \"https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0\",\n \"https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbootconfig: use memblock_free_late to free xbc memory to buddy\\n\\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\\nover memory to buddy allocator. So it doesn't make sense to free memory\\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\\nFollowing KASAN logs shows this case.\\n\\nThis patch fixes the xbc memory free problem by calling memblock_free()\\nin early xbc init error rewind path and calling memblock_free_late() in\\nxbc exit path to free memory to buddy allocator.\\n\\n[ 9.410890] ==================================================================\\n[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\\n[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\\n\\n[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5\\n[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\\n[ 9.460789] Call Trace:\\n[ 9.463518] \\n[ 9.465859] dump_stack_lvl+0x53/0x70\\n[ 9.469949] print_report+0xce/0x610\\n[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0\\n[ 9.478619] ? memblock_isolate_range+0x12d/0x260\\n[ 9.483877] kasan_report+0xc6/0x100\\n[ 9.487870] ? memblock_isolate_range+0x12d/0x260\\n[ 9.493125] memblock_isolate_range+0x12d/0x260\\n[ 9.498187] memblock_phys_free+0xb4/0x160\\n[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10\\n[ 9.508021] ? mutex_unlock+0x7e/0xd0\\n[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10\\n[ 9.516786] ? kernel_init_freeable+0x2d4/0x430\\n[ 9.521850] ? __pfx_kernel_init+0x10/0x10\\n[ 9.526426] xbc_exit+0x17/0x70\\n[ 9.529935] kernel_init+0x38/0x1e0\\n[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30\\n[ 9.538601] ret_from_fork+0x2c/0x50\\n[ 9.542596] ? __pfx_kernel_init+0x10/0x10\\n[ 9.547170] ret_from_fork_asm+0x1a/0x30\\n[ 9.551552] \\n\\n[ 9.555649] The buggy address belongs to the physical page:\\n[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\\n[ 9.570821] flags: 0x200000000000000(node=0|zone=2)\\n[ 9.576271] page_type: 0xffffffff()\\n[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\\n[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\\n[ 9.597476] page dumped because: kasan: bad access detected\\n\\n[ 9.605362] Memory state around the buggy address:\\n[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[ 9.634930] ^\\n[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[ 9.654675] ==================================================================\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26983\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26984", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26984" + }, + { + "url": "https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716" + }, + { + "url": "https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7" + }, + { + "url": "https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52" + }, + { + "url": "https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572" + }, + { + "url": "https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525" + }, + { + "url": "https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039" + }, + { + "url": "https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9" + }, + { + "url": "https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26984 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26984", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: fix instmem race condition around ptr stores\n\nRunning a lot of VK CTS in parallel against nouveau, once every\nfew hours you might see something like this crash.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\nFS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n...\n\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __lock_acquire+0x3ed/0x2170\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\n\nAdding any sort of useful debug usually makes it go away, so I hand\nwrote the function in a line, and debugged the asm.\n\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\nthe nv50_instobj_acquire called from nvkm_kmap.\n\nIf Thread A and Thread B both get to nv50_instobj_acquire around\nthe same time, and Thread A hits the refcount_set line, and in\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\nchance the ptrs value won't have been stored since refcount_set\nis unordered. Force a memory barrier here, I picked smp_mb, since\nwe want it on all CPUs and it's write followed by a read.\n\nv2: use paired smp_rmb/smp_wmb.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26984\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26984\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26984\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26984\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26984\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716\",\n \"https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7\",\n \"https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52\",\n \"https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572\",\n \"https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525\",\n \"https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039\",\n \"https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9\",\n \"https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnouveau: fix instmem race condition around ptr stores\\n\\nRunning a lot of VK CTS in parallel against nouveau, once every\\nfew hours you might see something like this crash.\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000008\\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\\nOops: 0000 [#1] PREEMPT SMP PTI\\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\\nFS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n\\n...\\n\\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\\n ? __lock_acquire+0x3ed/0x2170\\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\\n\\nAdding any sort of useful debug usually makes it go away, so I hand\\nwrote the function in a line, and debugged the asm.\\n\\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\\nthe nv50_instobj_acquire called from nvkm_kmap.\\n\\nIf Thread A and Thread B both get to nv50_instobj_acquire around\\nthe same time, and Thread A hits the refcount_set line, and in\\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\\nchance the ptrs value won't have been stored since refcount_set\\nis unordered. Force a memory barrier here, I picked smp_mb, since\\nwe want it on all CPUs and it's write followed by a read.\\n\\nv2: use paired smp_rmb/smp_wmb.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26984\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26988", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26988" + }, + { + "url": "https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4" + }, + { + "url": "https://git.kernel.org/stable/c/2ef607ea103616aec0289f1b65d103d499fa903a" + }, + { + "url": "https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9" + }, + { + "url": "https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea" + }, + { + "url": "https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8" + }, + { + "url": "https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26988 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26988", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ninit/main.c: Fix potential static_command_line memory overflow\n\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\nstatic_command_line, but the strings copied into static_command_line are\nextra_command_line and command_line, rather than extra_command_line and\nboot_command_line.\n\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\nwill overflow.\n\nThis patch just recovers strlen(command_line) which was miss-consolidated\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\"init/main: add\nchecks for the return value of memblock_alloc*()\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26988\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26988\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26988\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26988\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26988\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4\",\n \"https://git.kernel.org/stable/c/2ef607ea103616aec0289f1b65d103d499fa903a\",\n \"https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9\",\n \"https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea\",\n \"https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8\",\n \"https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninit/main.c: Fix potential static_command_line memory overflow\\n\\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\\nstatic_command_line, but the strings copied into static_command_line are\\nextra_command_line and command_line, rather than extra_command_line and\\nboot_command_line.\\n\\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\\nwill overflow.\\n\\nThis patch just recovers strlen(command_line) which was miss-consolidated\\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\\\"init/main: add\\nchecks for the return value of memblock_alloc*()\\\")\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26988\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26989", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26989" + }, + { + "url": "https://git.kernel.org/stable/c/022b19ebc31cce369c407617041a3db810db23b3" + }, + { + "url": "https://git.kernel.org/stable/c/31f815cb436082e72d34ed2e8a182140a73ebdf4" + }, + { + "url": "https://git.kernel.org/stable/c/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457" + }, + { + "url": "https://git.kernel.org/stable/c/813f5213f2c612dc800054859aaa396ec8ad7069" + }, + { + "url": "https://git.kernel.org/stable/c/f7e71a7cf399f53ff9fc314ca3836dc913b05bd6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26989 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26989", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: hibernate: Fix level3 translation fault in swsusp_save()\n\nOn arm64 machines, swsusp_save() faults if it attempts to access\nMEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI\nwhen booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:\n\n Unable to handle kernel paging request at virtual address ffffff8000000000\n Mem abort info:\n ESR = 0x0000000096000007\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x07: level 3 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000\n [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000\n Internal error: Oops: 0000000096000007 [#1] SMP\n Internal error: Oops: 0000000096000007 [#1] SMP\n Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm\n CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76\n Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0\n Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021\n pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : swsusp_save+0x280/0x538\n lr : swsusp_save+0x280/0x538\n sp : ffffffa034a3fa40\n x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000\n x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000\n x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2\n x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000\n x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666\n x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea\n x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0\n x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001\n x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e\n Call trace:\n swsusp_save+0x280/0x538\n swsusp_arch_suspend+0x148/0x190\n hibernation_snapshot+0x240/0x39c\n hibernate+0xc4/0x378\n state_store+0xf0/0x10c\n kobj_attr_store+0x14/0x24\n\nThe reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()\n-> kernel_page_present() assuming that a page is always present when\ncan_set_direct_map() is false (all of rodata_full,\ndebug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),\nirrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions\nshould not be saved during hibernation.\n\nThis problem was introduced by changes to the pfn_valid() logic in\ncommit a7d9f306ba70 (\"arm64: drop pfn_valid_within() and simplify\npfn_valid()\").\n\nSimilar to other architectures, drop the !can_set_direct_map() check in\nkernel_page_present() so that page_is_savable() skips such pages.\n\n[catalin.marinas@arm.com: rework commit message]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26989\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26989\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26989\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26989\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26989\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/022b19ebc31cce369c407617041a3db810db23b3\",\n \"https://git.kernel.org/stable/c/31f815cb436082e72d34ed2e8a182140a73ebdf4\",\n \"https://git.kernel.org/stable/c/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457\",\n \"https://git.kernel.org/stable/c/813f5213f2c612dc800054859aaa396ec8ad7069\",\n \"https://git.kernel.org/stable/c/f7e71a7cf399f53ff9fc314ca3836dc913b05bd6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: hibernate: Fix level3 translation fault in swsusp_save()\\n\\nOn arm64 machines, swsusp_save() faults if it attempts to access\\nMEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI\\nwhen booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:\\n\\n Unable to handle kernel paging request at virtual address ffffff8000000000\\n Mem abort info:\\n ESR = 0x0000000096000007\\n EC = 0x25: DABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x07: level 3 translation fault\\n Data abort info:\\n ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000\\n [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000\\n Internal error: Oops: 0000000096000007 [#1] SMP\\n Internal error: Oops: 0000000096000007 [#1] SMP\\n Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm\\n CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76\\n Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0\\n Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021\\n pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : swsusp_save+0x280/0x538\\n lr : swsusp_save+0x280/0x538\\n sp : ffffffa034a3fa40\\n x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000\\n x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000\\n x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2\\n x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000\\n x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666\\n x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea\\n x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0\\n x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001\\n x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027\\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e\\n Call trace:\\n swsusp_save+0x280/0x538\\n swsusp_arch_suspend+0x148/0x190\\n hibernation_snapshot+0x240/0x39c\\n hibernate+0xc4/0x378\\n state_store+0xf0/0x10c\\n kobj_attr_store+0x14/0x24\\n\\nThe reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()\\n-> kernel_page_present() assuming that a page is always present when\\ncan_set_direct_map() is false (all of rodata_full,\\ndebug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),\\nirrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions\\nshould not be saved during hibernation.\\n\\nThis problem was introduced by changes to the pfn_valid() logic in\\ncommit a7d9f306ba70 (\\\"arm64: drop pfn_valid_within() and simplify\\npfn_valid()\\\").\\n\\nSimilar to other architectures, drop the !can_set_direct_map() check in\\nkernel_page_present() so that page_is_savable() skips such pages.\\n\\n[catalin.marinas@arm.com: rework commit message]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26989\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26993", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26993" + }, + { + "url": "https://git.kernel.org/stable/c/43f00210cb257bcb0387e8caeb4b46375d67f30c" + }, + { + "url": "https://git.kernel.org/stable/c/57baab0f376bec8f54b0fe6beb8f77a57c228063" + }, + { + "url": "https://git.kernel.org/stable/c/5d43e072285e81b0b63cee7189b3357c7768a43b" + }, + { + "url": "https://git.kernel.org/stable/c/84bd4c2ae9c3d0a7d3a5c032ea7efff17af17e17" + }, + { + "url": "https://git.kernel.org/stable/c/a4c99b57d43bab45225ba92d574a8683f9edc8e4" + }, + { + "url": "https://git.kernel.org/stable/c/a90bca2228c0646fc29a72689d308e5fe03e6d78" + }, + { + "url": "https://git.kernel.org/stable/c/ac107356aabc362aaeb77463e814fc067a5d3957" + }, + { + "url": "https://git.kernel.org/stable/c/f28bba37fe244889b81bb5c508d3f6e5c6e342c5" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26993 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26993", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\n\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path. If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called). As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\n\nFix the leak by adding an explicit kobject_put() call when kn is NULL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26993\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26993\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26993\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26993\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26993\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/43f00210cb257bcb0387e8caeb4b46375d67f30c\",\n \"https://git.kernel.org/stable/c/57baab0f376bec8f54b0fe6beb8f77a57c228063\",\n \"https://git.kernel.org/stable/c/5d43e072285e81b0b63cee7189b3357c7768a43b\",\n \"https://git.kernel.org/stable/c/84bd4c2ae9c3d0a7d3a5c032ea7efff17af17e17\",\n \"https://git.kernel.org/stable/c/a4c99b57d43bab45225ba92d574a8683f9edc8e4\",\n \"https://git.kernel.org/stable/c/a90bca2228c0646fc29a72689d308e5fe03e6d78\",\n \"https://git.kernel.org/stable/c/ac107356aabc362aaeb77463e814fc067a5d3957\",\n \"https://git.kernel.org/stable/c/f28bba37fe244889b81bb5c508d3f6e5c6e342c5\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\\n\\nThe sysfs_break_active_protection() routine has an obvious reference\\nleak in its error path. If the call to kernfs_find_and_get() fails then\\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\\nroutine won't get called (and would only cause an access violation by\\ntrying to dereference kn->parent if it was called). As a result, the\\nreference to kobj acquired at the start of the function will never be\\nreleased.\\n\\nFix the leak by adding an explicit kobject_put() call when kn is NULL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26993\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26994", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26994" + }, + { + "url": "https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8" + }, + { + "url": "https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76" + }, + { + "url": "https://git.kernel.org/stable/c/6401038acfa24cba9c28cce410b7505efadd0222" + }, + { + "url": "https://git.kernel.org/stable/c/756c5cb7c09e537b87b5d3acafcb101b2ccf394f" + }, + { + "url": "https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595" + }, + { + "url": "https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f" + }, + { + "url": "https://git.kernel.org/stable/c/8f6b62125befe1675446923e4171eac2c012959c" + }, + { + "url": "https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26994 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26994", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Avoid crash on very long word\n\nIn case a console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26994\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26994\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26994\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26994\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26994\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8\",\n \"https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76\",\n \"https://git.kernel.org/stable/c/6401038acfa24cba9c28cce410b7505efadd0222\",\n \"https://git.kernel.org/stable/c/756c5cb7c09e537b87b5d3acafcb101b2ccf394f\",\n \"https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595\",\n \"https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f\",\n \"https://git.kernel.org/stable/c/8f6b62125befe1675446923e4171eac2c012959c\",\n \"https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspeakup: Avoid crash on very long word\\n\\nIn case a console is set up really large and contains a really long word\\n(> 256 characters), we have to stop before the length of the word buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26994\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26996", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26996" + }, + { + "url": "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93" + }, + { + "url": "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e" + }, + { + "url": "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7" + }, + { + "url": "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca" + }, + { + "url": "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26996 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26996", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n usb0: eth_stop dev->port_usb=ffffff9b179c3200\n --> error happens in usb_ep_enable().\n NCM: ncm_disable: ncm=ffffff9b179c3200\n --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm\n\n[function link via configfs]\n NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm\n usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n eth_start_xmit()\n --> dev->wrap()\n Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\nbut the gether connection might be established.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26996\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26996\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26996\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26996\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26996\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93\",\n \"https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e\",\n \"https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7\",\n \"https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca\",\n \"https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\\n\\nWhen ncm function is working and then stop usb0 interface for link down,\\neth_stop() is called. At this piont, accidentally if usb transport error\\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\\n\\nAfter that, ncm_disable() is called to disable for ncm unbind\\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\\n\\nAs the result, ncm object is released in ncm unbind\\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\\n\\nAnd when ncm bind again to recover netdev, ncm object is reallocated\\nbut usb0 interface is already associated to previous released ncm object.\\n\\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\\n\\n[function unlink via configfs]\\n usb0: eth_stop dev->port_usb=ffffff9b179c3200\\n --> error happens in usb_ep_enable().\\n NCM: ncm_disable: ncm=ffffff9b179c3200\\n --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\\n NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\\n NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm\\n\\n[function link via configfs]\\n NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\\n NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\\n NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\\n usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm\\n usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\\n eth_start_xmit()\\n --> dev->wrap()\\n Unable to handle kernel paging request at virtual address dead00000000014f\\n\\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\\nbut the gether connection might be established.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26996\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-26999", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-26999" + }, + { + "url": "https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907" + }, + { + "url": "https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7" + }, + { + "url": "https://git.kernel.org/stable/c/69a02273e288011b521ee7c1f3ab2c23fda633ce" + }, + { + "url": "https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef" + }, + { + "url": "https://git.kernel.org/stable/c/ab86cf6f8d24e63e9aca23da5108af1aa5483928" + }, + { + "url": "https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f" + }, + { + "url": "https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729" + }, + { + "url": "https://git.kernel.org/stable/c/d679c816929d62af51c8e6d7fc0e165c9412d2f3" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-26999 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-26999", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\n\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\n\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\n\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\n\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\n\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-26999\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-26999\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-26999\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-26999\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26999\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907\",\n \"https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7\",\n \"https://git.kernel.org/stable/c/69a02273e288011b521ee7c1f3ab2c23fda633ce\",\n \"https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef\",\n \"https://git.kernel.org/stable/c/ab86cf6f8d24e63e9aca23da5108af1aa5483928\",\n \"https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f\",\n \"https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729\",\n \"https://git.kernel.org/stable/c/d679c816929d62af51c8e6d7fc0e165c9412d2f3\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\\n\\nThe mitigation was intended to stop the irq completely. That may be\\nbetter than a hard lock-up but it turns out that you get a crash anyway\\nif you're using pmac_zilog as a serial console:\\n\\nttyPZ0: pmz: rx irq flood !\\nBUG: spinlock recursion on CPU#0, swapper/0\\n\\nThat's because the pr_err() call in pmz_receive_chars() results in\\npmz_console_write() attempting to lock a spinlock already locked in\\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\\nBUG splat. The spinlock in question is the one in struct uart_port.\\n\\nEven when it's not fatal, the serial port rx function ceases to work.\\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\\nseen in the bug report linked below.\\n\\nA web search for other reports of the error message \\\"pmz: rx irq flood\\\"\\ndidn't produce anything. So I don't think this code is needed any more.\\nRemove it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-26999\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27000", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27000" + }, + { + "url": "https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37" + }, + { + "url": "https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a" + }, + { + "url": "https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270" + }, + { + "url": "https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495" + }, + { + "url": "https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026" + }, + { + "url": "https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad" + }, + { + "url": "https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37" + }, + { + "url": "https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27000 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27000", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mxs-auart: add spinlock around changing cts state\n\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\n\n [ 85.119255] ------------[ cut here ]------------\n [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n [ 85.151396] Hardware name: Freescale MXS (Device Tree)\n [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n (...)\n [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n (...)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27000\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27000\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27000\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27000\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27000\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37\",\n \"https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a\",\n \"https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270\",\n \"https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495\",\n \"https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026\",\n \"https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad\",\n \"https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37\",\n \"https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: mxs-auart: add spinlock around changing cts state\\n\\nThe uart_handle_cts_change() function in serial_core expects the caller\\nto hold uport->lock. For example, I have seen the below kernel splat,\\nwhen the Bluetooth driver is loaded on an i.MX28 board.\\n\\n [ 85.119255] ------------[ cut here ]------------\\n [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\\n [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\\n [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\\n [ 85.151396] Hardware name: Freescale MXS (Device Tree)\\n [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]\\n (...)\\n [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\\n [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\\n (...)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27000\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27001", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27001" + }, + { + "url": "https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9" + }, + { + "url": "https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696" + }, + { + "url": "https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2" + }, + { + "url": "https://git.kernel.org/stable/c/a3b8ae7e9297dd453f2977b011c5bc75eb20e71b" + }, + { + "url": "https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b" + }, + { + "url": "https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f" + }, + { + "url": "https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8" + }, + { + "url": "https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27001 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27001", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix incomplete endpoint checking\n\nWhile vmk80xx does have endpoint checking implemented, some things\ncan fall through the cracks. Depending on the hardware model,\nURBs can have either bulk or interrupt type, and current version\nof vmk80xx_find_usb_endpoints() function does not take that fully\ninto account. While this warning does not seem to be too harmful,\nat the very least it will crash systems with 'panic_on_warn' set on\nthem.\n\nFix the issue found by Syzkaller [1] by somewhat simplifying the\nendpoint checking process with usb_find_common_endpoints() and\nensuring that only expected endpoint types are present.\n\nThis patch has not been tested on real hardware.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n \n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\n...\n\nSimilar issue also found by Syzkaller:", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27001\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27001\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27001\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27001\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27001\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9\",\n \"https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696\",\n \"https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2\",\n \"https://git.kernel.org/stable/c/a3b8ae7e9297dd453f2977b011c5bc75eb20e71b\",\n \"https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b\",\n \"https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f\",\n \"https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8\",\n \"https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncomedi: vmk80xx: fix incomplete endpoint checking\\n\\nWhile vmk80xx does have endpoint checking implemented, some things\\ncan fall through the cracks. Depending on the hardware model,\\nURBs can have either bulk or interrupt type, and current version\\nof vmk80xx_find_usb_endpoints() function does not take that fully\\ninto account. While this warning does not seem to be too harmful,\\nat the very least it will crash systems with 'panic_on_warn' set on\\nthem.\\n\\nFix the issue found by Syzkaller [1] by somewhat simplifying the\\nendpoint checking process with usb_find_common_endpoints() and\\nensuring that only expected endpoint types are present.\\n\\nThis patch has not been tested on real hardware.\\n\\n[1] Syzkaller report:\\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\\n...\\nCall Trace:\\n \\n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\\n...\\n\\nSimilar issue also found by Syzkaller:\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27001\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27002", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27002" + }, + { + "url": "https://git.kernel.org/stable/c/165d226472575b213dd90dfda19d1605dd7c19a8" + }, + { + "url": "https://git.kernel.org/stable/c/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3" + }, + { + "url": "https://git.kernel.org/stable/c/b62ed25feb342eab052822eff0c554873799a4f5" + }, + { + "url": "https://git.kernel.org/stable/c/c0dcd5c072e2a3fff886f673e6a5d9bf8090c4cc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27002 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27002", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: Do a runtime PM get on controllers during probe\n\nmt8183-mfgcfg has a mutual dependency with genpd during the probing\nstage, which leads to a deadlock in the following call stack:\n\nCPU0: genpd_lock --> clk_prepare_lock\ngenpd_power_off_work_fn()\n genpd_lock()\n generic_pm_domain::power_off()\n clk_unprepare()\n clk_prepare_lock()\n\nCPU1: clk_prepare_lock --> genpd_lock\nclk_register()\n __clk_core_init()\n clk_prepare_lock()\n clk_pm_runtime_get()\n genpd_lock()\n\nDo a runtime PM get at the probe function to make sure clk_register()\nwon't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg,\ndo this on all mediatek clock controller probings because we don't\nbelieve this would cause any regression.\n\nVerified on MT8183 and MT8192 Chromebooks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27002\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27002\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27002\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27002\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27002\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/165d226472575b213dd90dfda19d1605dd7c19a8\",\n \"https://git.kernel.org/stable/c/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3\",\n \"https://git.kernel.org/stable/c/b62ed25feb342eab052822eff0c554873799a4f5\",\n \"https://git.kernel.org/stable/c/c0dcd5c072e2a3fff886f673e6a5d9bf8090c4cc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: mediatek: Do a runtime PM get on controllers during probe\\n\\nmt8183-mfgcfg has a mutual dependency with genpd during the probing\\nstage, which leads to a deadlock in the following call stack:\\n\\nCPU0: genpd_lock --> clk_prepare_lock\\ngenpd_power_off_work_fn()\\n genpd_lock()\\n generic_pm_domain::power_off()\\n clk_unprepare()\\n clk_prepare_lock()\\n\\nCPU1: clk_prepare_lock --> genpd_lock\\nclk_register()\\n __clk_core_init()\\n clk_prepare_lock()\\n clk_pm_runtime_get()\\n genpd_lock()\\n\\nDo a runtime PM get at the probe function to make sure clk_register()\\nwon't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg,\\ndo this on all mediatek clock controller probings because we don't\\nbelieve this would cause any regression.\\n\\nVerified on MT8183 and MT8192 Chromebooks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27002\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27004", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27004" + }, + { + "url": "https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c" + }, + { + "url": "https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba" + }, + { + "url": "https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123" + }, + { + "url": "https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5" + }, + { + "url": "https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034" + }, + { + "url": "https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc" + }, + { + "url": "https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27004 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27004", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree during disable_unused\n\nDoug reported [1] the following hung task:\n\n INFO: task swapper/0:1 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n rpm_resume+0xe0/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n clk_pm_runtime_get+0x30/0xb0\n clk_disable_unused_subtree+0x58/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused+0x4c/0xe4\n do_one_initcall+0xcc/0x2d8\n do_initcall_level+0xa4/0x148\n do_initcalls+0x5c/0x9c\n do_basic_setup+0x24/0x30\n kernel_init_freeable+0xec/0x164\n kernel_init+0x28/0x120\n ret_from_fork+0x10/0x20\n INFO: task kworker/u16:0:9 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n schedule_preempt_disabled+0x2c/0x48\n __mutex_lock+0x238/0x488\n __mutex_lock_slowpath+0x1c/0x28\n mutex_lock+0x50/0x74\n clk_prepare_lock+0x7c/0x9c\n clk_core_prepare_lock+0x20/0x44\n clk_prepare+0x24/0x30\n clk_bulk_prepare+0x40/0xb0\n mdss_runtime_resume+0x54/0x1c8\n pm_generic_runtime_resume+0x30/0x44\n __genpd_runtime_resume+0x68/0x7c\n genpd_runtime_resume+0x108/0x1f4\n __rpm_callback+0x84/0x144\n rpm_callback+0x30/0x88\n rpm_resume+0x1f4/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n __device_attach+0xe0/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n device_add+0x644/0x814\n mipi_dsi_device_register_full+0xe4/0x170\n devm_mipi_dsi_device_register_full+0x28/0x70\n ti_sn_bridge_probe+0x1dc/0x2c0\n auxiliary_bus_probe+0x4c/0x94\n really_probe+0xcc/0x2c8\n __driver_probe_device+0xa8/0x130\n driver_probe_device+0x48/0x110\n __device_attach_driver+0xa4/0xcc\n bus_for_each_drv+0x8c/0xd8\n __device_attach+0xf8/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n deferred_probe_work_func+0x9c/0xd8\n process_one_work+0x148/0x518\n worker_thread+0x138/0x350\n kthread+0x138/0x1e0\n ret_from_fork+0x10/0x20\n\nThe first thread is walking the clk tree and calling\nclk_pm_runtime_get() to power on devices required to read the clk\nhardware via struct clk_ops::is_enabled(). This thread holds the clk\nprepare_lock, and is trying to runtime PM resume a device, when it finds\nthat the device is in the process of resuming so the thread schedule()s\naway waiting for the device to finish resuming before continuing. The\nsecond thread is runtime PM resuming the same device, but the runtime\nresume callback is calling clk_prepare(), trying to grab the\nprepare_lock waiting on the first thread.\n\nThis is a classic ABBA deadlock. To properly fix the deadlock, we must\nnever runtime PM resume or suspend a device with the clk prepare_lock\nheld. Actually doing that is near impossible today because the global\nprepare_lock would have to be dropped in the middle of the tree, the\ndevice runtime PM resumed/suspended, and then the prepare_lock grabbed\nagain to ensure consistency of the clk tree topology. If anything\nchanges with the clk tree in the meantime, we've lost and will need to\nstart the operation all over again.\n\nLuckily, most of the time we're simply incrementing or decrementing the\nruntime PM count on an active device, so we don't have the chance to\nschedule away with the prepare_lock held. Let's fix this immediate\nproblem that can be\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27004\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27004\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27004\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27004\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27004\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c\",\n \"https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba\",\n \"https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123\",\n \"https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5\",\n \"https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034\",\n \"https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc\",\n \"https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: Get runtime PM before walking tree during disable_unused\\n\\nDoug reported [1] the following hung task:\\n\\n INFO: task swapper/0:1 blocked for more than 122 seconds.\\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\\n \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008\\n Call trace:\\n __switch_to+0xf4/0x1f4\\n __schedule+0x418/0xb80\\n schedule+0x5c/0x10c\\n rpm_resume+0xe0/0x52c\\n rpm_resume+0x178/0x52c\\n __pm_runtime_resume+0x58/0x98\\n clk_pm_runtime_get+0x30/0xb0\\n clk_disable_unused_subtree+0x58/0x208\\n clk_disable_unused_subtree+0x38/0x208\\n clk_disable_unused_subtree+0x38/0x208\\n clk_disable_unused_subtree+0x38/0x208\\n clk_disable_unused_subtree+0x38/0x208\\n clk_disable_unused+0x4c/0xe4\\n do_one_initcall+0xcc/0x2d8\\n do_initcall_level+0xa4/0x148\\n do_initcalls+0x5c/0x9c\\n do_basic_setup+0x24/0x30\\n kernel_init_freeable+0xec/0x164\\n kernel_init+0x28/0x120\\n ret_from_fork+0x10/0x20\\n INFO: task kworker/u16:0:9 blocked for more than 122 seconds.\\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\\n \\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008\\n Workqueue: events_unbound deferred_probe_work_func\\n Call trace:\\n __switch_to+0xf4/0x1f4\\n __schedule+0x418/0xb80\\n schedule+0x5c/0x10c\\n schedule_preempt_disabled+0x2c/0x48\\n __mutex_lock+0x238/0x488\\n __mutex_lock_slowpath+0x1c/0x28\\n mutex_lock+0x50/0x74\\n clk_prepare_lock+0x7c/0x9c\\n clk_core_prepare_lock+0x20/0x44\\n clk_prepare+0x24/0x30\\n clk_bulk_prepare+0x40/0xb0\\n mdss_runtime_resume+0x54/0x1c8\\n pm_generic_runtime_resume+0x30/0x44\\n __genpd_runtime_resume+0x68/0x7c\\n genpd_runtime_resume+0x108/0x1f4\\n __rpm_callback+0x84/0x144\\n rpm_callback+0x30/0x88\\n rpm_resume+0x1f4/0x52c\\n rpm_resume+0x178/0x52c\\n __pm_runtime_resume+0x58/0x98\\n __device_attach+0xe0/0x170\\n device_initial_probe+0x1c/0x28\\n bus_probe_device+0x3c/0x9c\\n device_add+0x644/0x814\\n mipi_dsi_device_register_full+0xe4/0x170\\n devm_mipi_dsi_device_register_full+0x28/0x70\\n ti_sn_bridge_probe+0x1dc/0x2c0\\n auxiliary_bus_probe+0x4c/0x94\\n really_probe+0xcc/0x2c8\\n __driver_probe_device+0xa8/0x130\\n driver_probe_device+0x48/0x110\\n __device_attach_driver+0xa4/0xcc\\n bus_for_each_drv+0x8c/0xd8\\n __device_attach+0xf8/0x170\\n device_initial_probe+0x1c/0x28\\n bus_probe_device+0x3c/0x9c\\n deferred_probe_work_func+0x9c/0xd8\\n process_one_work+0x148/0x518\\n worker_thread+0x138/0x350\\n kthread+0x138/0x1e0\\n ret_from_fork+0x10/0x20\\n\\nThe first thread is walking the clk tree and calling\\nclk_pm_runtime_get() to power on devices required to read the clk\\nhardware via struct clk_ops::is_enabled(). This thread holds the clk\\nprepare_lock, and is trying to runtime PM resume a device, when it finds\\nthat the device is in the process of resuming so the thread schedule()s\\naway waiting for the device to finish resuming before continuing. The\\nsecond thread is runtime PM resuming the same device, but the runtime\\nresume callback is calling clk_prepare(), trying to grab the\\nprepare_lock waiting on the first thread.\\n\\nThis is a classic ABBA deadlock. To properly fix the deadlock, we must\\nnever runtime PM resume or suspend a device with the clk prepare_lock\\nheld. Actually doing that is near impossible today because the global\\nprepare_lock would have to be dropped in the middle of the tree, the\\ndevice runtime PM resumed/suspended, and then the prepare_lock grabbed\\nagain to ensure consistency of the clk tree topology. If anything\\nchanges with the clk tree in the meantime, we've lost and will need to\\nstart the operation all over again.\\n\\nLuckily, most of the time we're simply incrementing or decrementing the\\nruntime PM count on an active device, so we don't have the chance to\\nschedule away with the prepare_lock held. Let's fix this immediate\\nproblem that can be\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27004\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27005", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27005" + }, + { + "url": "https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6" + }, + { + "url": "https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42" + }, + { + "url": "https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27005 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27005", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: Don't access req_list while it's being manipulated\n\nThe icc_lock mutex was split into separate icc_lock and icc_bw_lock\nmutexes in [1] to avoid lockdep splats. However, this didn't adequately\nprotect access to icc_node::req_list.\n\nThe icc_set_bw() function will eventually iterate over req_list while\nonly holding icc_bw_lock, but req_list can be modified while only\nholding icc_lock. This causes races between icc_set_bw(), of_icc_get(),\nand icc_put().\n\nExample A:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n icc_put(path_b)\n mutex_lock(&icc_lock);\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_del(...\n \n\nExample B:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n path_b = of_icc_get()\n of_icc_get_by_index()\n mutex_lock(&icc_lock);\n path_find()\n path_init()\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_add_head(...\n \n\nFix this by ensuring icc_bw_lock is always held before manipulating\nicc_node::req_list. The additional places icc_bw_lock is held don't\nperform any memory allocations, so we should still be safe from the\noriginal lockdep splats that motivated the separate locks.\n\n[1] commit af42269c3523 (\"interconnect: Fix locking for runpm vs reclaim\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27005\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27005\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27005\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27005\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27005\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6\",\n \"https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42\",\n \"https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninterconnect: Don't access req_list while it's being manipulated\\n\\nThe icc_lock mutex was split into separate icc_lock and icc_bw_lock\\nmutexes in [1] to avoid lockdep splats. However, this didn't adequately\\nprotect access to icc_node::req_list.\\n\\nThe icc_set_bw() function will eventually iterate over req_list while\\nonly holding icc_bw_lock, but req_list can be modified while only\\nholding icc_lock. This causes races between icc_set_bw(), of_icc_get(),\\nand icc_put().\\n\\nExample A:\\n\\n CPU0 CPU1\\n ---- ----\\n icc_set_bw(path_a)\\n mutex_lock(&icc_bw_lock);\\n icc_put(path_b)\\n mutex_lock(&icc_lock);\\n aggregate_requests()\\n hlist_for_each_entry(r, ...\\n hlist_del(...\\n \\n\\nExample B:\\n\\n CPU0 CPU1\\n ---- ----\\n icc_set_bw(path_a)\\n mutex_lock(&icc_bw_lock);\\n path_b = of_icc_get()\\n of_icc_get_by_index()\\n mutex_lock(&icc_lock);\\n path_find()\\n path_init()\\n aggregate_requests()\\n hlist_for_each_entry(r, ...\\n hlist_add_head(...\\n \\n\\nFix this by ensuring icc_bw_lock is always held before manipulating\\nicc_node::req_list. The additional places icc_bw_lock is held don't\\nperform any memory allocations, so we should still be safe from the\\noriginal lockdep splats that motivated the separate locks.\\n\\n[1] commit af42269c3523 (\\\"interconnect: Fix locking for runpm vs reclaim\\\")\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27005\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27008", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27008" + }, + { + "url": "https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062" + }, + { + "url": "https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5" + }, + { + "url": "https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1" + }, + { + "url": "https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face" + }, + { + "url": "https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042" + }, + { + "url": "https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb" + }, + { + "url": "https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e" + }, + { + "url": "https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27008 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27008", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: nv04: Fix out of bounds access\n\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\n\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27008\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27008\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27008\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27008\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27008\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062\",\n \"https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5\",\n \"https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1\",\n \"https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face\",\n \"https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042\",\n \"https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb\",\n \"https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e\",\n \"https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm: nv04: Fix out of bounds access\\n\\nWhen Output Resource (dcb->or) value is assigned in\\nfabricate_dcb_output(), there may be out of bounds access to\\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\\nused as index there.\\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\\nnumber of bit to set, not value.\\n\\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27008\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27009", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27009" + }, + { + "url": "https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48" + }, + { + "url": "https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49" + }, + { + "url": "https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538" + }, + { + "url": "https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e" + }, + { + "url": "https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27009 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27009", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: fix race condition during online processing\n\nA race condition exists in ccw_device_set_online() that can cause the\nonline process to fail, leaving the affected device in an inconsistent\nstate. As a result, subsequent attempts to set that device online fail\nwith return code ENODEV.\n\nThe problem occurs when a path verification request arrives after\na wait for final device state completed, but before the result state\nis evaluated.\n\nFix this by ensuring that the CCW-device lock is held between\ndetermining final state and checking result state.\n\nNote that since:\n\ncommit 2297791c92d0 (\"s390/cio: dont unregister subchannel from child-drivers\")\n\npath verification requests are much more likely to occur during boot,\nresulting in an increased chance of this race condition occurring.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27009\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27009\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27009\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27009\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27009\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48\",\n \"https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49\",\n \"https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538\",\n \"https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e\",\n \"https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/cio: fix race condition during online processing\\n\\nA race condition exists in ccw_device_set_online() that can cause the\\nonline process to fail, leaving the affected device in an inconsistent\\nstate. As a result, subsequent attempts to set that device online fail\\nwith return code ENODEV.\\n\\nThe problem occurs when a path verification request arrives after\\na wait for final device state completed, but before the result state\\nis evaluated.\\n\\nFix this by ensuring that the CCW-device lock is held between\\ndetermining final state and checking result state.\\n\\nNote that since:\\n\\ncommit 2297791c92d0 (\\\"s390/cio: dont unregister subchannel from child-drivers\\\")\\n\\npath verification requests are much more likely to occur during boot,\\nresulting in an increased chance of this race condition occurring.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27009\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27010", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27010" + }, + { + "url": "https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11" + }, + { + "url": "https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27010 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27010", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix mirred deadlock on device recursion\n\nWhen the mirred action is used on a classful egress qdisc and a packet is\nmirrored or redirected to self we hit a qdisc lock deadlock.\nSee trace below.\n\n[..... other info removed for brevity....]\n[ 82.890906]\n[ 82.890906] ============================================\n[ 82.890906] WARNING: possible recursive locking detected\n[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W\n[ 82.890906] --------------------------------------------\n[ 82.890906] ping/418 is trying to acquire lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] but task is already holding lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] other info that might help us debug this:\n[ 82.890906] Possible unsafe locking scenario:\n[ 82.890906]\n[ 82.890906] CPU0\n[ 82.890906] ----\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906]\n[ 82.890906] *** DEADLOCK ***\n[ 82.890906]\n[..... other info removed for brevity....]\n\nExample setup (eth0->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nAnother example(eth0->eth1->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth1\n\ntc qdisc add dev eth1 root handle 1: htb default 30\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\nroot qdisc is entered. When the softirq enters it a second time, if the\nqdisc owner is the same CPU, the packet is dropped to break the loop.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27010\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27010\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27010\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27010\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27010\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11\",\n \"https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: Fix mirred deadlock on device recursion\\n\\nWhen the mirred action is used on a classful egress qdisc and a packet is\\nmirrored or redirected to self we hit a qdisc lock deadlock.\\nSee trace below.\\n\\n[..... other info removed for brevity....]\\n[ 82.890906]\\n[ 82.890906] ============================================\\n[ 82.890906] WARNING: possible recursive locking detected\\n[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W\\n[ 82.890906] --------------------------------------------\\n[ 82.890906] ping/418 is trying to acquire lock:\\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\\n__dev_queue_xmit+0x1778/0x3550\\n[ 82.890906]\\n[ 82.890906] but task is already holding lock:\\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\\n__dev_queue_xmit+0x1778/0x3550\\n[ 82.890906]\\n[ 82.890906] other info that might help us debug this:\\n[ 82.890906] Possible unsafe locking scenario:\\n[ 82.890906]\\n[ 82.890906] CPU0\\n[ 82.890906] ----\\n[ 82.890906] lock(&sch->q.lock);\\n[ 82.890906] lock(&sch->q.lock);\\n[ 82.890906]\\n[ 82.890906] *** DEADLOCK ***\\n[ 82.890906]\\n[..... other info removed for brevity....]\\n\\nExample setup (eth0->eth0) to recreate\\ntc qdisc add dev eth0 root handle 1: htb default 30\\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\\\\n action mirred egress redirect dev eth0\\n\\nAnother example(eth0->eth1->eth0) to recreate\\ntc qdisc add dev eth0 root handle 1: htb default 30\\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\\\\n action mirred egress redirect dev eth1\\n\\ntc qdisc add dev eth1 root handle 1: htb default 30\\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\\\\n action mirred egress redirect dev eth0\\n\\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\\nroot qdisc is entered. When the softirq enters it a second time, if the\\nqdisc owner is the same CPU, the packet is dropped to break the loop.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27010\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27011", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27011" + }, + { + "url": "https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6" + }, + { + "url": "https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27011 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27011", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memleak in map from abort path\n\nThe delete set command does not rely on the transaction object for\nelement removal, therefore, a combination of delete element + delete set\nfrom the abort path could result in restoring twice the refcount of the\nmapping.\n\nCheck for inactive element in the next generation for the delete element\ncommand in the abort path, skip restoring state if next generation bit\nhas been already cleared. This is similar to the activate logic using\nthe set walk iterator.\n\n[ 6170.286929] ------------[ cut here ]------------\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287071] Modules linked in: [...]\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\n[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\n[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\n[ 6170.287962] Call Trace:\n[ 6170.287967] \n[ 6170.287973] ? __warn+0x9f/0x1a0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.288104] ? handle_bug+0x3c/0x70\n[ 6170.288112] ? exc_invalid_op+0x17/0x40\n[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20\n[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27011\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27011\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27011\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27011\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27011\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6\",\n \"https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: fix memleak in map from abort path\\n\\nThe delete set command does not rely on the transaction object for\\nelement removal, therefore, a combination of delete element + delete set\\nfrom the abort path could result in restoring twice the refcount of the\\nmapping.\\n\\nCheck for inactive element in the next generation for the delete element\\ncommand in the abort path, skip restoring state if next generation bit\\nhas been already cleared. This is similar to the activate logic using\\nthe set walk iterator.\\n\\n[ 6170.286929] ------------[ cut here ]------------\\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\\n[ 6170.287071] Modules linked in: [...]\\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\\n[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\\n[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\\n[ 6170.287962] Call Trace:\\n[ 6170.287967] \\n[ 6170.287973] ? __warn+0x9f/0x1a0\\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\\n[ 6170.288104] ? handle_bug+0x3c/0x70\\n[ 6170.288112] ? exc_invalid_op+0x17/0x40\\n[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20\\n[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\\n[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\\n[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\\n[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27011\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27012", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27012" + }, + { + "url": "https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637" + }, + { + "url": "https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27012 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27012", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: restore set elements when delete set fails\n\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\nthe original state. Currently, it uses the set->ops->walk() to iterate\nover these set elements. The existing set iterator skips inactive\nelements in the next generation, this does not work from the abort path\nto restore the original state since it has to skip active elements\ninstead (not inactive ones).\n\nThis patch moves the check for inactive elements to the set iterator\ncallback, then it reverses the logic for the .activate case which\nneeds to skip active elements.\n\nToggle next generation bit for elements when delete set command is\ninvoked and call nft_clear() from .activate (abort) path to restore the\nnext generation bit.\n\nThe splat below shows an object in mappings memleak:\n\n[43929.457523] ------------[ cut here ]------------\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[...]\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\n[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\n[43929.458114] Call Trace:\n[43929.458118] \n[43929.458121] ? __warn+0x9f/0x1a0\n[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458188] ? report_bug+0x1b1/0x1e0\n[43929.458196] ? handle_bug+0x3c/0x70\n[43929.458200] ? exc_invalid_op+0x17/0x40\n[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\n[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]\n[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]\n[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\n[43929.458512] ? rb_insert_color+0x2e/0x280\n[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]\n[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\n[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\n[43929.458701] ? __rcu_read_unlock+0x46/0x70\n[43929.458709] nft_delset+0xff/0x110 [nf_tables]\n[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]\n[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27012\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27012\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27012\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27012\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27012\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637\",\n \"https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: restore set elements when delete set fails\\n\\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\\nthe original state. Currently, it uses the set->ops->walk() to iterate\\nover these set elements. The existing set iterator skips inactive\\nelements in the next generation, this does not work from the abort path\\nto restore the original state since it has to skip active elements\\ninstead (not inactive ones).\\n\\nThis patch moves the check for inactive elements to the set iterator\\ncallback, then it reverses the logic for the .activate case which\\nneeds to skip active elements.\\n\\nToggle next generation bit for elements when delete set command is\\ninvoked and call nft_clear() from .activate (abort) path to restore the\\nnext generation bit.\\n\\nThe splat below shows an object in mappings memleak:\\n\\n[43929.457523] ------------[ cut here ]------------\\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\\n[...]\\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\\n[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\\n[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\\n[43929.458114] Call Trace:\\n[43929.458118] \\n[43929.458121] ? __warn+0x9f/0x1a0\\n[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\\n[43929.458188] ? report_bug+0x1b1/0x1e0\\n[43929.458196] ? handle_bug+0x3c/0x70\\n[43929.458200] ? exc_invalid_op+0x17/0x40\\n[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\\n[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\\n[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]\\n[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]\\n[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\\n[43929.458512] ? rb_insert_color+0x2e/0x280\\n[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]\\n[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\\n[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\\n[43929.458701] ? __rcu_read_unlock+0x46/0x70\\n[43929.458709] nft_delset+0xff/0x110 [nf_tables]\\n[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]\\n[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27012\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27013", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27013" + }, + { + "url": "https://git.kernel.org/stable/c/14cdb43dbc827e18ac7d5b30c5b4c676219f1421" + }, + { + "url": "https://git.kernel.org/stable/c/40f4ced305c6c47487d3cd8da54676e2acc1a6ad" + }, + { + "url": "https://git.kernel.org/stable/c/4b0dcae5c4797bf31c63011ed62917210d3fdac3" + }, + { + "url": "https://git.kernel.org/stable/c/52854101180beccdb9dc2077a3bea31b6ad48dfa" + }, + { + "url": "https://git.kernel.org/stable/c/62e27ef18eb4f0d33bbae8e9ef56b99696a74713" + }, + { + "url": "https://git.kernel.org/stable/c/68459b8e3ee554ce71878af9eb69659b9462c588" + }, + { + "url": "https://git.kernel.org/stable/c/a50dbeca28acf7051dfa92786b85f704c75db6eb" + }, + { + "url": "https://git.kernel.org/stable/c/f8bbc07ac535593139c875ffa19af924b1084540" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27013 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27013", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: limit printing rate when illegal packet received by tun dev\n\nvhost_worker will call tun call backs to receive packets. If too many\nillegal packets arrives, tun_do_read will keep dumping packet contents.\nWhen console is enabled, it will costs much more cpu time to dump\npacket and soft lockup will be detected.\n\nnet_ratelimit mechanism can be used to limit the dumping rate.\n\nPID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: \"vhost-32980\"\n #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253\n #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3\n #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e\n #3 [fffffe00003fced0] do_nmi at ffffffff8922660d\n #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663\n [exception RIP: io_serial_in+20]\n RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002\n RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000\n RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0\n RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f\n R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020\n R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #5 [ffffa655314979e8] io_serial_in at ffffffff89792594\n #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470\n #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6\n #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605\n #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558\n #10 [ffffa65531497ac8] console_unlock at ffffffff89316124\n #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07\n #12 [ffffa65531497b68] printk at ffffffff89318306\n #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765\n #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]\n #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]\n #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]\n #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]\n #18 [ffffa65531497f10] kthread at ffffffff892d2e72\n #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27013\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27013\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27013\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27013\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27013\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14cdb43dbc827e18ac7d5b30c5b4c676219f1421\",\n \"https://git.kernel.org/stable/c/40f4ced305c6c47487d3cd8da54676e2acc1a6ad\",\n \"https://git.kernel.org/stable/c/4b0dcae5c4797bf31c63011ed62917210d3fdac3\",\n \"https://git.kernel.org/stable/c/52854101180beccdb9dc2077a3bea31b6ad48dfa\",\n \"https://git.kernel.org/stable/c/62e27ef18eb4f0d33bbae8e9ef56b99696a74713\",\n \"https://git.kernel.org/stable/c/68459b8e3ee554ce71878af9eb69659b9462c588\",\n \"https://git.kernel.org/stable/c/a50dbeca28acf7051dfa92786b85f704c75db6eb\",\n \"https://git.kernel.org/stable/c/f8bbc07ac535593139c875ffa19af924b1084540\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntun: limit printing rate when illegal packet received by tun dev\\n\\nvhost_worker will call tun call backs to receive packets. If too many\\nillegal packets arrives, tun_do_read will keep dumping packet contents.\\nWhen console is enabled, it will costs much more cpu time to dump\\npacket and soft lockup will be detected.\\n\\nnet_ratelimit mechanism can be used to limit the dumping rate.\\n\\nPID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: \\\"vhost-32980\\\"\\n #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253\\n #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3\\n #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e\\n #3 [fffffe00003fced0] do_nmi at ffffffff8922660d\\n #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663\\n [exception RIP: io_serial_in+20]\\n RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002\\n RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000\\n RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0\\n RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f\\n R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020\\n R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000\\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\\n #5 [ffffa655314979e8] io_serial_in at ffffffff89792594\\n #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470\\n #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6\\n #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605\\n #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558\\n #10 [ffffa65531497ac8] console_unlock at ffffffff89316124\\n #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07\\n #12 [ffffa65531497b68] printk at ffffffff89318306\\n #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765\\n #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]\\n #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]\\n #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]\\n #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]\\n #18 [ffffa65531497f10] kthread at ffffffff892d2e72\\n #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27013\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27014", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27014" + }, + { + "url": "https://git.kernel.org/stable/c/0080bf99499468030248ebd25dd645e487dcecdc" + }, + { + "url": "https://git.kernel.org/stable/c/46efa4d5930cf3c2af8c01f75e0a47e4fc045e3b" + }, + { + "url": "https://git.kernel.org/stable/c/48c4bb81df19402d4346032353d0795260255e3b" + }, + { + "url": "https://git.kernel.org/stable/c/fef965764cf562f28afb997b626fc7c3cec99693" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27014 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27014", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent deadlock while disabling aRFS\n\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\n\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\n\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\n\nKernel log:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\n\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n __mutex_lock+0x80/0xc90\n arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n process_one_work+0x1dc/0x4a0\n worker_thread+0x1bf/0x3c0\n kthread+0xd7/0x100\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n __flush_work+0x7a/0x4e0\n __cancel_work_timer+0x131/0x1c0\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1a1/0x270\n netlink_sendmsg+0x214/0x460\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x113/0x170\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n\n *** DEADLOCK ***\n\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27014\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27014\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27014\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27014\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27014\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0080bf99499468030248ebd25dd645e487dcecdc\",\n \"https://git.kernel.org/stable/c/46efa4d5930cf3c2af8c01f75e0a47e4fc045e3b\",\n \"https://git.kernel.org/stable/c/48c4bb81df19402d4346032353d0795260255e3b\",\n \"https://git.kernel.org/stable/c/fef965764cf562f28afb997b626fc7c3cec99693\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: Prevent deadlock while disabling aRFS\\n\\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\\naRFS works are canceled using the `cancel_work_sync` function,\\nwhich waits for the work to end if it has already started.\\nHowever, while waiting for the work handler, the handler will\\ntry to acquire the `state_lock` which is already acquired.\\n\\nThe worker acquires the lock to delete the rules if the state\\nis down, which is not the worker's responsibility since\\ndisabling aRFS deletes the rules.\\n\\nAdd an aRFS state variable, which indicates whether the aRFS is\\nenabled and prevent adding rules when the aRFS is disabled.\\n\\nKernel log:\\n\\n======================================================\\nWARNING: possible circular locking dependency detected\\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I\\n------------------------------------------------------\\nethtool/386089 is trying to acquire lock:\\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\\n\\nbut task is already holding lock:\\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\\n\\nwhich lock already depends on the new lock.\\n\\nthe existing dependency chain (in reverse order) is:\\n\\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\\n __mutex_lock+0x80/0xc90\\n arfs_handle_work+0x4b/0x3b0 [mlx5_core]\\n process_one_work+0x1dc/0x4a0\\n worker_thread+0x1bf/0x3c0\\n kthread+0xd7/0x100\\n ret_from_fork+0x2d/0x50\\n ret_from_fork_asm+0x11/0x20\\n\\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\\n __lock_acquire+0x17b4/0x2c80\\n lock_acquire+0xd0/0x2b0\\n __flush_work+0x7a/0x4e0\\n __cancel_work_timer+0x131/0x1c0\\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\\n ethnl_set_channels+0x28f/0x3b0\\n ethnl_default_set_doit+0xec/0x240\\n genl_family_rcv_msg_doit+0xd0/0x120\\n genl_rcv_msg+0x188/0x2c0\\n netlink_rcv_skb+0x54/0x100\\n genl_rcv+0x24/0x40\\n netlink_unicast+0x1a1/0x270\\n netlink_sendmsg+0x214/0x460\\n __sock_sendmsg+0x38/0x60\\n __sys_sendto+0x113/0x170\\n __x64_sys_sendto+0x20/0x30\\n do_syscall_64+0x40/0xe0\\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\\n\\nother info that might help us debug this:\\n\\n Possible unsafe locking scenario:\\n\\n CPU0 CPU1\\n ---- ----\\n lock(&priv->state_lock);\\n lock((work_completion)(&rule->arfs_work));\\n lock(&priv->state_lock);\\n lock((work_completion)(&rule->arfs_work));\\n\\n *** DEADLOCK ***\\n\\n3 locks held by ethtool/386089:\\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\\n\\nstack backtrace:\\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\nCall Trace:\\n \\n dump_stack_lvl+0x60/0xa0\\n check_noncircular+0x144/0x160\\n __lock_acquire+0x17b4/0x2c80\\n lock_acquire+0xd0/0x2b0\\n ? __flush_work+0x74/0x4e0\\n ? save_trace+0x3e/0x360\\n ? __flush_work+0x74/0x4e0\\n __flush_work+0x7a/0x4e0\\n ? __flush_work+0x74/0x4e0\\n ? __lock_acquire+0xa78/0x2c80\\n ? lock_acquire+0xd0/0x2b0\\n ? mark_held_locks+0x49/0x70\\n __cancel_work_timer+0x131/0x1c0\\n ? mark_held_locks+0x49/0x70\\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\\n ethnl_set_channels+0x28f/0x3b0\\n ethnl_default_set_doit+0xec/0x240\\n genl_family_rcv_msg_doit+0xd0/0x120\\n genl_rcv_msg+0x188/0x2c0\\n ? ethn\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27014\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27015", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27015" + }, + { + "url": "https://git.kernel.org/stable/c/4ed82dd368ad883dc4284292937b882f044e625d" + }, + { + "url": "https://git.kernel.org/stable/c/6db5dc7b351b9569940cd1cf445e237c42cd6d27" + }, + { + "url": "https://git.kernel.org/stable/c/e3f078103421642fcd5f05c5e70777feb10f000d" + }, + { + "url": "https://git.kernel.org/stable/c/e719b52d0c56989b0f3475a03a6d64f182c85b56" + }, + { + "url": "https://git.kernel.org/stable/c/f1c3c61701a0b12f4906152c1626a5de580ea3d2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27015 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27015", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: incorrect pppoe tuple\n\npppoe traffic reaching ingress path does not match the flowtable entry\nbecause the pppoe header is expected to be at the network header offset.\nThis bug causes a mismatch in the flow table lookup, so pppoe packets\nenter the classical forwarding path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27015\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27015\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27015\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27015\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27015\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4ed82dd368ad883dc4284292937b882f044e625d\",\n \"https://git.kernel.org/stable/c/6db5dc7b351b9569940cd1cf445e237c42cd6d27\",\n \"https://git.kernel.org/stable/c/e3f078103421642fcd5f05c5e70777feb10f000d\",\n \"https://git.kernel.org/stable/c/e719b52d0c56989b0f3475a03a6d64f182c85b56\",\n \"https://git.kernel.org/stable/c/f1c3c61701a0b12f4906152c1626a5de580ea3d2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: flowtable: incorrect pppoe tuple\\n\\npppoe traffic reaching ingress path does not match the flowtable entry\\nbecause the pppoe header is expected to be at the network header offset.\\nThis bug causes a mismatch in the flow table lookup, so pppoe packets\\nenter the classical forwarding path.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27015\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27016", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27016" + }, + { + "url": "https://git.kernel.org/stable/c/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf" + }, + { + "url": "https://git.kernel.org/stable/c/8bf7c76a2a207ca2b4cfda0a279192adf27678d7" + }, + { + "url": "https://git.kernel.org/stable/c/a2471d271042ea18e8a6babc132a8716bb2f08b9" + }, + { + "url": "https://git.kernel.org/stable/c/cf366ee3bc1b7d1c76a882640ba3b3f8f1039163" + }, + { + "url": "https://git.kernel.org/stable/c/d06977b9a4109f8738bb276125eb6a0b772bc433" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27016 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27016", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: validate pppoe header\n\nEnsure there is sufficient room to access the protocol field of the\nPPPoe header. Validate it once before the flowtable lookup, then use a\nhelper function to access protocol field.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27016\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27016\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27016\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27016\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27016\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf\",\n \"https://git.kernel.org/stable/c/8bf7c76a2a207ca2b4cfda0a279192adf27678d7\",\n \"https://git.kernel.org/stable/c/a2471d271042ea18e8a6babc132a8716bb2f08b9\",\n \"https://git.kernel.org/stable/c/cf366ee3bc1b7d1c76a882640ba3b3f8f1039163\",\n \"https://git.kernel.org/stable/c/d06977b9a4109f8738bb276125eb6a0b772bc433\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: flowtable: validate pppoe header\\n\\nEnsure there is sufficient room to access the protocol field of the\\nPPPoe header. Validate it once before the flowtable lookup, then use a\\nhelper function to access protocol field.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27016\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27017", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27017" + }, + { + "url": "https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73" + }, + { + "url": "https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27017 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27017", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\n\nThe generation mask can be updated while netlink dump is in progress.\nThe pipapo set backend walk iterator cannot rely on it to infer what\nview of the datastructure is to be used. Add notation to specify if user\nwants to read/update the set.\n\nBased on patch from Florian Westphal.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27017\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27017\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27017\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27017\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27017\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73\",\n \"https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\\n\\nThe generation mask can be updated while netlink dump is in progress.\\nThe pipapo set backend walk iterator cannot rely on it to infer what\\nview of the datastructure is to be used. Add notation to specify if user\\nwants to read/update the set.\\n\\nBased on patch from Florian Westphal.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27017\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27018", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27018" + }, + { + "url": "https://git.kernel.org/stable/c/3f59ac29dea0921637053908fe99268d157bbb9d" + }, + { + "url": "https://git.kernel.org/stable/c/43193174510ea4f3ce09b796e559a2fd9f148615" + }, + { + "url": "https://git.kernel.org/stable/c/751de2012eafa4d46d8081056761fa0e9cc8a178" + }, + { + "url": "https://git.kernel.org/stable/c/b13db0d16bc7b2a52abcf5cb71334f63faa5dbd6" + }, + { + "url": "https://git.kernel.org/stable/c/dceb683ab87ca3666a9bb5c0158528b646faedc4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27018 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27018", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: skip conntrack input hook for promisc packets\n\nFor historical reasons, when bridge device is in promisc mode, packets\nthat are directed to the taps follow bridge input hook path. This patch\nadds a workaround to reset conntrack for these packets.\n\nJianbo Liu reports warning splats in their test infrastructure where\ncloned packets reach the br_netfilter input hook to confirm the\nconntrack object.\n\nScratch one bit from BR_INPUT_SKB_CB to annotate that this packet has\nreached the input hook because it is passed up to the bridge device to\nreach the taps.\n\n[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core\n[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19\n[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1\n[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202\n[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000\n[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000\n[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003\n[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000\n[ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800\n[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000\n[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0\n[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ 57.585440] Call Trace:\n[ 57.585721] \n[ 57.585976] ? __warn+0x7d/0x130\n[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.586811] ? report_bug+0xf1/0x1c0\n[ 57.587177] ? handle_bug+0x3f/0x70\n[ 57.587539] ? exc_invalid_op+0x13/0x60\n[ 57.587929] ? asm_exc_invalid_op+0x16/0x20\n[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.588825] nf_hook_slow+0x3d/0xd0\n[ 57.589188] ? br_handle_vlan+0x4b/0x110\n[ 57.589579] br_pass_frame_up+0xfc/0x150\n[ 57.589970] ? br_port_flags_change+0x40/0x40\n[ 57.590396] br_handle_frame_finish+0x346/0x5e0\n[ 57.590837] ? ipt_do_table+0x32e/0x430\n[ 57.591221] ? br_handle_local_finish+0x20/0x20\n[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]\n[ 57.592286] ? br_handle_local_finish+0x20/0x20\n[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]\n[ 57.593348] ? br_handle_local_finish+0x20/0x20\n[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]\n[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]\n[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]\n[ 57.595280] br_handle_frame+0x1f3/0x3d0\n[ 57.595676] ? br_handle_local_finish+0x20/0x20\n[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0\n[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0\n[ 57.597017] ? __napi_build_skb+0x37/0x40\n[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27018\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27018\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27018\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27018\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27018\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f59ac29dea0921637053908fe99268d157bbb9d\",\n \"https://git.kernel.org/stable/c/43193174510ea4f3ce09b796e559a2fd9f148615\",\n \"https://git.kernel.org/stable/c/751de2012eafa4d46d8081056761fa0e9cc8a178\",\n \"https://git.kernel.org/stable/c/b13db0d16bc7b2a52abcf5cb71334f63faa5dbd6\",\n \"https://git.kernel.org/stable/c/dceb683ab87ca3666a9bb5c0158528b646faedc4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: br_netfilter: skip conntrack input hook for promisc packets\\n\\nFor historical reasons, when bridge device is in promisc mode, packets\\nthat are directed to the taps follow bridge input hook path. This patch\\nadds a workaround to reset conntrack for these packets.\\n\\nJianbo Liu reports warning splats in their test infrastructure where\\ncloned packets reach the br_netfilter input hook to confirm the\\nconntrack object.\\n\\nScratch one bit from BR_INPUT_SKB_CB to annotate that this packet has\\nreached the input hook because it is passed up to the bridge device to\\nreach the taps.\\n\\n[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]\\n[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core\\n[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19\\n[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]\\n[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1\\n[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202\\n[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000\\n[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000\\n[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003\\n[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000\\n[ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800\\n[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000\\n[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0\\n[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\\n0000000000000000\\n[ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\\n0000000000000400\\n[ 57.585440] Call Trace:\\n[ 57.585721] \\n[ 57.585976] ? __warn+0x7d/0x130\\n[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]\\n[ 57.586811] ? report_bug+0xf1/0x1c0\\n[ 57.587177] ? handle_bug+0x3f/0x70\\n[ 57.587539] ? exc_invalid_op+0x13/0x60\\n[ 57.587929] ? asm_exc_invalid_op+0x16/0x20\\n[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]\\n[ 57.588825] nf_hook_slow+0x3d/0xd0\\n[ 57.589188] ? br_handle_vlan+0x4b/0x110\\n[ 57.589579] br_pass_frame_up+0xfc/0x150\\n[ 57.589970] ? br_port_flags_change+0x40/0x40\\n[ 57.590396] br_handle_frame_finish+0x346/0x5e0\\n[ 57.590837] ? ipt_do_table+0x32e/0x430\\n[ 57.591221] ? br_handle_local_finish+0x20/0x20\\n[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]\\n[ 57.592286] ? br_handle_local_finish+0x20/0x20\\n[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]\\n[ 57.593348] ? br_handle_local_finish+0x20/0x20\\n[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]\\n[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]\\n[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]\\n[ 57.595280] br_handle_frame+0x1f3/0x3d0\\n[ 57.595676] ? br_handle_local_finish+0x20/0x20\\n[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0\\n[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0\\n[ 57.597017] ? __napi_build_skb+0x37/0x40\\n[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27018\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27019", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27019" + }, + { + "url": "https://git.kernel.org/stable/c/379bf7257bc5f2a1b1ca8514e08a871b7bf6d920" + }, + { + "url": "https://git.kernel.org/stable/c/4ca946b19caf655a08d5e2266d4d5526025ebb73" + }, + { + "url": "https://git.kernel.org/stable/c/ad333578f736d56920e090d7db1f8dec891d815e" + }, + { + "url": "https://git.kernel.org/stable/c/cade34279c2249eafe528564bd2e203e4ff15f88" + }, + { + "url": "https://git.kernel.org/stable/c/d78d867dcea69c328db30df665be5be7d0148484" + }, + { + "url": "https://git.kernel.org/stable/c/df7c0fb8c2b9f9cac65659332581b19682a71349" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27019 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27019", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\n\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27019\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27019\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27019\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27019\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27019\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/379bf7257bc5f2a1b1ca8514e08a871b7bf6d920\",\n \"https://git.kernel.org/stable/c/4ca946b19caf655a08d5e2266d4d5526025ebb73\",\n \"https://git.kernel.org/stable/c/ad333578f736d56920e090d7db1f8dec891d815e\",\n \"https://git.kernel.org/stable/c/cade34279c2249eafe528564bd2e203e4ff15f88\",\n \"https://git.kernel.org/stable/c/d78d867dcea69c328db30df665be5be7d0148484\",\n \"https://git.kernel.org/stable/c/df7c0fb8c2b9f9cac65659332581b19682a71349\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\\n\\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\\nand there is not any protection when iterate over nf_tables_objects\\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\\nof nf_tables_objects list entry.\\n\\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\\nnft_obj_type_get() to protect the entire type query process.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27019\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27020", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27020" + }, + { + "url": "https://git.kernel.org/stable/c/01f1a678b05ade4b1248019c2dcca773aebbeb7f" + }, + { + "url": "https://git.kernel.org/stable/c/0b6de00206adbbfc6373b3ae38d2a6f197987907" + }, + { + "url": "https://git.kernel.org/stable/c/8d56bad42ac4c43c6c72ddd6a654a2628bf839c5" + }, + { + "url": "https://git.kernel.org/stable/c/934e66e231cff2b18faa2c8aad0b8cec13957e05" + }, + { + "url": "https://git.kernel.org/stable/c/939109c0a8e2a006a6cc8209e262d25065f4403a" + }, + { + "url": "https://git.kernel.org/stable/c/a9ebf340d123ae12582210407f879d6a5a1bc25b" + }, + { + "url": "https://git.kernel.org/stable/c/b38a133d37fa421c8447b383d788c9cc6f5cb34c" + }, + { + "url": "https://git.kernel.org/stable/c/f969eb84ce482331a991079ab7a5c4dc3b7f89bf" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27020 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27020", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\n\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27020\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27020\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27020\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27020\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27020\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01f1a678b05ade4b1248019c2dcca773aebbeb7f\",\n \"https://git.kernel.org/stable/c/0b6de00206adbbfc6373b3ae38d2a6f197987907\",\n \"https://git.kernel.org/stable/c/8d56bad42ac4c43c6c72ddd6a654a2628bf839c5\",\n \"https://git.kernel.org/stable/c/934e66e231cff2b18faa2c8aad0b8cec13957e05\",\n \"https://git.kernel.org/stable/c/939109c0a8e2a006a6cc8209e262d25065f4403a\",\n \"https://git.kernel.org/stable/c/a9ebf340d123ae12582210407f879d6a5a1bc25b\",\n \"https://git.kernel.org/stable/c/b38a133d37fa421c8447b383d788c9cc6f5cb34c\",\n \"https://git.kernel.org/stable/c/f969eb84ce482331a991079ab7a5c4dc3b7f89bf\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\\n\\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\\nand there is not any protection when iterate over nf_tables_expressions\\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\\nof nf_tables_expressions list entry.\\n\\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\\nnft_expr_type_get() to protect the entire type query process.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27020\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27025", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27025" + }, + { + "url": "https://git.kernel.org/stable/c/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d" + }, + { + "url": "https://git.kernel.org/stable/c/44214d744be32a4769faebba764510888f1eb19e" + }, + { + "url": "https://git.kernel.org/stable/c/4af837db0fd3679fabc7b7758397090b0c06dced" + }, + { + "url": "https://git.kernel.org/stable/c/96436365e5d80d0106ea785a4f80a58e7c9edff8" + }, + { + "url": "https://git.kernel.org/stable/c/98e60b538e66c90b9a856828c71d4e975ebfa797" + }, + { + "url": "https://git.kernel.org/stable/c/b7f5aed55829f376e4f7e5ea5b80ccdcb023e983" + }, + { + "url": "https://git.kernel.org/stable/c/ba6a9970ce9e284cbc04099361c58731e308596a" + }, + { + "url": "https://git.kernel.org/stable/c/e803040b368d046434fbc8a91945c690332c4fcf" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27025 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27025", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: null check for nla_nest_start\n\nnla_nest_start() may fail and return NULL. Insert a check and set errno\nbased on other call sites within the same source code.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27025\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27025\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27025\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27025\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27025\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d\",\n \"https://git.kernel.org/stable/c/44214d744be32a4769faebba764510888f1eb19e\",\n \"https://git.kernel.org/stable/c/4af837db0fd3679fabc7b7758397090b0c06dced\",\n \"https://git.kernel.org/stable/c/96436365e5d80d0106ea785a4f80a58e7c9edff8\",\n \"https://git.kernel.org/stable/c/98e60b538e66c90b9a856828c71d4e975ebfa797\",\n \"https://git.kernel.org/stable/c/b7f5aed55829f376e4f7e5ea5b80ccdcb023e983\",\n \"https://git.kernel.org/stable/c/ba6a9970ce9e284cbc04099361c58731e308596a\",\n \"https://git.kernel.org/stable/c/e803040b368d046434fbc8a91945c690332c4fcf\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnbd: null check for nla_nest_start\\n\\nnla_nest_start() may fail and return NULL. Insert a check and set errno\\nbased on other call sites within the same source code.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27025\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27032", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27032" + }, + { + "url": "https://git.kernel.org/stable/c/21ec68234826b1b54ab980a8df6e33c74cfbee58" + }, + { + "url": "https://git.kernel.org/stable/c/8844b2f8a3f0c428b74672f9726f9950b1a7764c" + }, + { + "url": "https://git.kernel.org/stable/c/d034810d02a5af8eb74debe29877dcaf5f00fdd1" + }, + { + "url": "https://git.kernel.org/stable/c/f26091a981318b5b7451d61f99bc073a6af8db67" + }, + { + "url": "https://git.kernel.org/stable/c/fe4de493572a4263554903bf9c3afc5c196e15f0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27032 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27032", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential panic during recovery\n\nDuring recovery, if FAULT_BLOCK is on, it is possible that\nf2fs_reserve_new_block() will return -ENOSPC during recovery,\nthen it may trigger panic.\n\nAlso, if fault injection rate is 1 and only FAULT_BLOCK fault\ntype is on, it may encounter deadloop in loop of block reservation.\n\nLet's change as below to fix these issues:\n- remove bug_on() to avoid panic.\n- limit the loop count of block reservation to avoid potential\ndeadloop.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27032\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27032\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27032\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21ec68234826b1b54ab980a8df6e33c74cfbee58\",\n \"https://git.kernel.org/stable/c/8844b2f8a3f0c428b74672f9726f9950b1a7764c\",\n \"https://git.kernel.org/stable/c/d034810d02a5af8eb74debe29877dcaf5f00fdd1\",\n \"https://git.kernel.org/stable/c/f26091a981318b5b7451d61f99bc073a6af8db67\",\n \"https://git.kernel.org/stable/c/fe4de493572a4263554903bf9c3afc5c196e15f0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to avoid potential panic during recovery\\n\\nDuring recovery, if FAULT_BLOCK is on, it is possible that\\nf2fs_reserve_new_block() will return -ENOSPC during recovery,\\nthen it may trigger panic.\\n\\nAlso, if fault injection rate is 1 and only FAULT_BLOCK fault\\ntype is on, it may encounter deadloop in loop of block reservation.\\n\\nLet's change as below to fix these issues:\\n- remove bug_on() to avoid panic.\\n- limit the loop count of block reservation to avoid potential\\ndeadloop.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27032\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27035", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27035" + }, + { + "url": "https://git.kernel.org/stable/c/57e8b17d0522c8f4daf0c4d9969b4d7358033532" + }, + { + "url": "https://git.kernel.org/stable/c/82704e598d7b33c7e45526e34d3c585426319bed" + }, + { + "url": "https://git.kernel.org/stable/c/8a430dd49e9cb021372b0ad91e60aeef9c6ced00" + }, + { + "url": "https://git.kernel.org/stable/c/c3311694b9bcced233548574d414c91d39214684" + }, + { + "url": "https://git.kernel.org/stable/c/e54cce8137258a550b49cae45d09e024821fb28d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27035 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27035", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to guarantee persisting compressed blocks by CP\n\nIf data block in compressed cluster is not persisted with metadata\nduring checkpoint, after SPOR, the data may be corrupted, let's\nguarantee to write compressed page by checkpoint.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27035\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27035\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27035\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27035\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27035\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/57e8b17d0522c8f4daf0c4d9969b4d7358033532\",\n \"https://git.kernel.org/stable/c/82704e598d7b33c7e45526e34d3c585426319bed\",\n \"https://git.kernel.org/stable/c/8a430dd49e9cb021372b0ad91e60aeef9c6ced00\",\n \"https://git.kernel.org/stable/c/c3311694b9bcced233548574d414c91d39214684\",\n \"https://git.kernel.org/stable/c/e54cce8137258a550b49cae45d09e024821fb28d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: compress: fix to guarantee persisting compressed blocks by CP\\n\\nIf data block in compressed cluster is not persisted with metadata\\nduring checkpoint, after SPOR, the data may be corrupted, let's\\nguarantee to write compressed page by checkpoint.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27035\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27041", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27041" + }, + { + "url": "https://git.kernel.org/stable/c/1c62697e4086de988b31124fb8c79c244ea05f2b" + }, + { + "url": "https://git.kernel.org/stable/c/2a3cfb9a24a28da9cc13d2c525a76548865e182c" + }, + { + "url": "https://git.kernel.org/stable/c/ca2eb375db76fd50f31afdd67d6ca4f833254957" + }, + { + "url": "https://git.kernel.org/stable/c/e040f1fbe9abae91b12b074cfc3bbb5367b79811" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27041 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27041", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()\n\nSince 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL\nbefore the call to dc_enable_dmub_notifications(), check\nbeforehand to ensure there will not be a possible NULL-ptr-deref\nthere.\n\nAlso, since commit 1e88eb1b2c25 (\"drm/amd/display: Drop\nCONFIG_DRM_AMD_DC_HDCP\") there are two separate checks for NULL in\n'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy().\nClean up by combining them all under one 'if'.\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27041\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27041\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27041\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27041\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27041\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c62697e4086de988b31124fb8c79c244ea05f2b\",\n \"https://git.kernel.org/stable/c/2a3cfb9a24a28da9cc13d2c525a76548865e182c\",\n \"https://git.kernel.org/stable/c/ca2eb375db76fd50f31afdd67d6ca4f833254957\",\n \"https://git.kernel.org/stable/c/e040f1fbe9abae91b12b074cfc3bbb5367b79811\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()\\n\\nSince 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL\\nbefore the call to dc_enable_dmub_notifications(), check\\nbeforehand to ensure there will not be a possible NULL-ptr-deref\\nthere.\\n\\nAlso, since commit 1e88eb1b2c25 (\\\"drm/amd/display: Drop\\nCONFIG_DRM_AMD_DC_HDCP\\\") there are two separate checks for NULL in\\n'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy().\\nClean up by combining them all under one 'if'.\\n\\nFound by Linux Verification Center (linuxtesting.org) with static\\nanalysis tool SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27041\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27056", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27056" + }, + { + "url": "https://git.kernel.org/stable/c/78f65fbf421a61894c14a1b91fe2fb4437b3fe5f" + }, + { + "url": "https://git.kernel.org/stable/c/ed35a509390ef4011ea2226da5dd6f62b73873b5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27056 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27056", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: ensure offloading TID queue exists\n\nThe resume code path assumes that the TX queue for the offloading TID\nhas been configured. At resume time it then tries to sync the write\npointer as it may have been updated by the firmware.\n\nIn the unusual event that no packets have been send on TID 0, the queue\nwill not have been allocated and this causes a crash. Fix this by\nensuring the queue exist at suspend time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27056\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27056\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27056\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27056\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27056\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/78f65fbf421a61894c14a1b91fe2fb4437b3fe5f\",\n \"https://git.kernel.org/stable/c/ed35a509390ef4011ea2226da5dd6f62b73873b5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: ensure offloading TID queue exists\\n\\nThe resume code path assumes that the TX queue for the offloading TID\\nhas been configured. At resume time it then tries to sync the write\\npointer as it may have been updated by the firmware.\\n\\nIn the unusual event that no packets have been send on TID 0, the queue\\nwill not have been allocated and this causes a crash. Fix this by\\nensuring the queue exist at suspend time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27056\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27057", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27057" + }, + { + "url": "https://git.kernel.org/stable/c/3cac6eebea9b4bc5f041e157e45c76e212ad6759" + }, + { + "url": "https://git.kernel.org/stable/c/c40aad7c81e5fba34b70123ed7ce3397fa62a4d2" + }, + { + "url": "https://git.kernel.org/stable/c/d153e8b154f9746ac969c85a4e6474760453647c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27057 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27057", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend\n\nWhen the system is suspended while audio is active, the\nsof_ipc4_pcm_hw_free() is invoked to reset the pipelines since during\nsuspend the DSP is turned off, streams will be re-started after resume.\n\nIf the firmware crashes during while audio is running (or when we reset\nthe stream before suspend) then the sof_ipc4_set_multi_pipeline_state()\nwill fail with IPC error and the state change is interrupted.\nThis will cause misalignment between the kernel and firmware state on next\nDSP boot resulting errors returned by firmware for IPC messages, eventually\nfailing the audio resume.\nOn stream close the errors are ignored so the kernel state will be\ncorrected on the next DSP boot, so the second boot after the DSP panic.\n\nIf sof_ipc4_trigger_pipelines() is called from sof_ipc4_pcm_hw_free() then\nstate parameter is SOF_IPC4_PIPE_RESET and only in this case.\n\nTreat a forced pipeline reset similarly to how we treat a pcm_free by\nignoring error on state sending to allow the kernel's state to be\nconsistent with the state the firmware will have after the next boot.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27057\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27057\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27057\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27057\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27057\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3cac6eebea9b4bc5f041e157e45c76e212ad6759\",\n \"https://git.kernel.org/stable/c/c40aad7c81e5fba34b70123ed7ce3397fa62a4d2\",\n \"https://git.kernel.org/stable/c/d153e8b154f9746ac969c85a4e6474760453647c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend\\n\\nWhen the system is suspended while audio is active, the\\nsof_ipc4_pcm_hw_free() is invoked to reset the pipelines since during\\nsuspend the DSP is turned off, streams will be re-started after resume.\\n\\nIf the firmware crashes during while audio is running (or when we reset\\nthe stream before suspend) then the sof_ipc4_set_multi_pipeline_state()\\nwill fail with IPC error and the state change is interrupted.\\nThis will cause misalignment between the kernel and firmware state on next\\nDSP boot resulting errors returned by firmware for IPC messages, eventually\\nfailing the audio resume.\\nOn stream close the errors are ignored so the kernel state will be\\ncorrected on the next DSP boot, so the second boot after the DSP panic.\\n\\nIf sof_ipc4_trigger_pipelines() is called from sof_ipc4_pcm_hw_free() then\\nstate parameter is SOF_IPC4_PIPE_RESET and only in this case.\\n\\nTreat a forced pipeline reset similarly to how we treat a pcm_free by\\nignoring error on state sending to allow the kernel's state to be\\nconsistent with the state the firmware will have after the next boot.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27057\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27059", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27059" + }, + { + "url": "https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49" + }, + { + "url": "https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133" + }, + { + "url": "https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636" + }, + { + "url": "https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964" + }, + { + "url": "https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325" + }, + { + "url": "https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34" + }, + { + "url": "https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f" + }, + { + "url": "https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27059 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27059", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\n\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands. The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0. While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\n\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0. This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27059\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27059\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27059\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27059\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27059\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49\",\n \"https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133\",\n \"https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636\",\n \"https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964\",\n \"https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325\",\n \"https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34\",\n \"https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f\",\n \"https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\\n\\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\\nin the ATA ID information to calculate cylinder and head values when\\ncreating a CDB for READ or WRITE commands. The calculation involves\\ndivision and modulus operations, which will cause a crash if either of\\nthese values is 0. While this never happens with a genuine device, it\\ncould happen with a flawed or subversive emulation, as reported by the\\nsyzbot fuzzer.\\n\\nProtect against this possibility by refusing to bind to the device if\\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\\ninformation is 0. This requires isd200_Initialization() to return a\\nnegative error code when initialization fails; currently it always\\nreturns 0 (even when there is an error).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27059\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27062", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27062" + }, + { + "url": "https://git.kernel.org/stable/c/6887314f5356389fc219b8152e951ac084a10ef7" + }, + { + "url": "https://git.kernel.org/stable/c/96c8751844171af4b3898fee3857ee180586f589" + }, + { + "url": "https://git.kernel.org/stable/c/b7cc4ff787a572edf2c55caeffaa88cd801eb135" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27062 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27062", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: lock the client object tree.\n\nIt appears the client object tree has no locking unless I've missed\nsomething else. Fix races around adding/removing client objects,\nmostly vram bar mappings.\n\n 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI\n[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\n[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\n[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe\n[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206\n[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58\n[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400\n[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000\n[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0\n[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007\n[ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000\n[ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0\n[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4562.099544] Call Trace:\n[ 4562.099555] \n[ 4562.099573] ? die_addr+0x36/0x90\n[ 4562.099583] ? exc_general_protection+0x246/0x4a0\n[ 4562.099593] ? asm_exc_general_protection+0x26/0x30\n[ 4562.099600] ? nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099730] nvkm_ioctl+0xa1/0x250 [nouveau]\n[ 4562.099861] nvif_object_map_handle+0xc8/0x180 [nouveau]\n[ 4562.099986] nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]\n[ 4562.100156] ? dma_resv_test_signaled+0x26/0xb0\n[ 4562.100163] ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]\n[ 4562.100182] ? __mutex_unlock_slowpath+0x2a/0x270\n[ 4562.100189] nouveau_ttm_fault+0x69/0xb0 [nouveau]\n[ 4562.100356] __do_fault+0x32/0x150\n[ 4562.100362] do_fault+0x7c/0x560\n[ 4562.100369] __handle_mm_fault+0x800/0xc10\n[ 4562.100382] handle_mm_fault+0x17c/0x3e0\n[ 4562.100388] do_user_addr_fault+0x208/0x860\n[ 4562.100395] exc_page_fault+0x7f/0x200\n[ 4562.100402] asm_exc_page_fault+0x26/0x30\n[ 4562.100412] RIP: 0033:0x9b9870\n[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7\n[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246\n[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000\n[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066\n[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000\n[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff\n[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 4562.100446] \n[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27062\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27062\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27062\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27062\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27062\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6887314f5356389fc219b8152e951ac084a10ef7\",\n \"https://git.kernel.org/stable/c/96c8751844171af4b3898fee3857ee180586f589\",\n \"https://git.kernel.org/stable/c/b7cc4ff787a572edf2c55caeffaa88cd801eb135\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnouveau: lock the client object tree.\\n\\nIt appears the client object tree has no locking unless I've missed\\nsomething else. Fix races around adding/removing client objects,\\nmostly vram bar mappings.\\n\\n 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI\\n[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\\n[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\\n[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]\\n[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe\\n[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206\\n[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58\\n[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400\\n[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000\\n[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0\\n[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007\\n[ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000\\n[ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0\\n[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 4562.099544] Call Trace:\\n[ 4562.099555] \\n[ 4562.099573] ? die_addr+0x36/0x90\\n[ 4562.099583] ? exc_general_protection+0x246/0x4a0\\n[ 4562.099593] ? asm_exc_general_protection+0x26/0x30\\n[ 4562.099600] ? nvkm_object_search+0x1d/0x70 [nouveau]\\n[ 4562.099730] nvkm_ioctl+0xa1/0x250 [nouveau]\\n[ 4562.099861] nvif_object_map_handle+0xc8/0x180 [nouveau]\\n[ 4562.099986] nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]\\n[ 4562.100156] ? dma_resv_test_signaled+0x26/0xb0\\n[ 4562.100163] ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]\\n[ 4562.100182] ? __mutex_unlock_slowpath+0x2a/0x270\\n[ 4562.100189] nouveau_ttm_fault+0x69/0xb0 [nouveau]\\n[ 4562.100356] __do_fault+0x32/0x150\\n[ 4562.100362] do_fault+0x7c/0x560\\n[ 4562.100369] __handle_mm_fault+0x800/0xc10\\n[ 4562.100382] handle_mm_fault+0x17c/0x3e0\\n[ 4562.100388] do_user_addr_fault+0x208/0x860\\n[ 4562.100395] exc_page_fault+0x7f/0x200\\n[ 4562.100402] asm_exc_page_fault+0x26/0x30\\n[ 4562.100412] RIP: 0033:0x9b9870\\n[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7\\n[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246\\n[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000\\n[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066\\n[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000\\n[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff\\n[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\\n[ 4562.100446] \\n[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27062\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27072", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27072" + }, + { + "url": "https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2" + }, + { + "url": "https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27072 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27072", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Remove useless locks in usbtv_video_free()\n\nRemove locks calls in usbtv_video_free() because\nare useless and may led to a deadlock as reported here:\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\nAlso remove usbtv_stop() call since it will be called when\nunregistering the device.\n\nBefore 'c838530d230b' this issue would only be noticed if you\ndisconnect while streaming and now it is noticeable even when\ndisconnecting while not streaming.\n\n\n[hverkuil: fix minor spelling mistake in log message]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27072\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27072\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27072\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27072\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27072\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2\",\n \"https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: usbtv: Remove useless locks in usbtv_video_free()\\n\\nRemove locks calls in usbtv_video_free() because\\nare useless and may led to a deadlock as reported here:\\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\\nAlso remove usbtv_stop() call since it will be called when\\nunregistering the device.\\n\\nBefore 'c838530d230b' this issue would only be noticed if you\\ndisconnect while streaming and now it is noticeable even when\\ndisconnecting while not streaming.\\n\\n\\n[hverkuil: fix minor spelling mistake in log message]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27072\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27389", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27389" + }, + { + "url": "https://git.kernel.org/stable/c/340682ed1932b8e3bd0bfc6c31a0c6354eb57cc6" + }, + { + "url": "https://git.kernel.org/stable/c/4cdf9006fc095af71da80e9b5f48a32e991b9ed3" + }, + { + "url": "https://git.kernel.org/stable/c/a43e0fc5e9134a46515de2f2f8d4100b74e50de3" + }, + { + "url": "https://git.kernel.org/stable/c/cb9e802e49c24eeb3af35e9e8c04d526f35f112a" + }, + { + "url": "https://git.kernel.org/stable/c/db6e5e16f1ee9e3b01d2f71c7f0ba945f4bf0f4e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27389 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27389", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: inode: Only d_invalidate() is needed\n\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\n\n WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\n\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\n\n---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27389\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27389\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27389\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27389\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27389\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/340682ed1932b8e3bd0bfc6c31a0c6354eb57cc6\",\n \"https://git.kernel.org/stable/c/4cdf9006fc095af71da80e9b5f48a32e991b9ed3\",\n \"https://git.kernel.org/stable/c/a43e0fc5e9134a46515de2f2f8d4100b74e50de3\",\n \"https://git.kernel.org/stable/c/cb9e802e49c24eeb3af35e9e8c04d526f35f112a\",\n \"https://git.kernel.org/stable/c/db6e5e16f1ee9e3b01d2f71c7f0ba945f4bf0f4e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npstore: inode: Only d_invalidate() is needed\\n\\nUnloading a modular pstore backend with records in pstorefs would\\ntrigger the dput() double-drop warning:\\n\\n WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\\n\\nUsing the combo of d_drop()/dput() (as mentioned in\\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\\nleads to the reference counting problem seen above. Use d_invalidate()\\nand update the code to not bother checking for error codes that can\\nnever happen.\\n\\n---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27389\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27393", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27393" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/08/4" + }, + { + "url": "http://xenbits.xen.org/xsa/advisory-457.html" + }, + { + "url": "https://git.kernel.org/stable/c/037965402a010898d34f4e35327d22c0a95cd51f" + }, + { + "url": "https://git.kernel.org/stable/c/27aa3e4b3088426b7e34584274ad45b5afaf7629" + }, + { + "url": "https://git.kernel.org/stable/c/4143b9479caa29bb2380f3620dcbe16ea84eb3b1" + }, + { + "url": "https://git.kernel.org/stable/c/7c1250796b6c262b505a46192f4716b8c6a6a8c6" + }, + { + "url": "https://git.kernel.org/stable/c/c8b7b2f158d9d4fb89cd2f68244af154f7549bb4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27393 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27393", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: Add missing skb_mark_for_recycle\n\nNotice that skb_mark_for_recycle() is introduced later than fixes tag in\ncommit 6a5bcd84e886 (\"page_pool: Allow drivers to hint on SKB recycling\").\n\nIt is believed that fixes tag were missing a call to page_pool_release_page()\nbetween v5.9 to v5.14, after which is should have used skb_mark_for_recycle().\nSince v6.6 the call page_pool_release_page() were removed (in\ncommit 535b9c61bdef (\"net: page_pool: hide page_pool_release_page()\")\nand remaining callers converted (in commit 6bfef2ec0172 (\"Merge branch\n'net-page_pool-remove-page_pool_release_page'\")).\n\nThis leak became visible in v6.8 via commit dba1b8a7ab68 (\"mm/page_pool: catch\npage_pool memory leaks\").", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27393\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27393\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27393\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27393\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27393\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/08/4\",\n \"http://xenbits.xen.org/xsa/advisory-457.html\",\n \"https://git.kernel.org/stable/c/037965402a010898d34f4e35327d22c0a95cd51f\",\n \"https://git.kernel.org/stable/c/27aa3e4b3088426b7e34584274ad45b5afaf7629\",\n \"https://git.kernel.org/stable/c/4143b9479caa29bb2380f3620dcbe16ea84eb3b1\",\n \"https://git.kernel.org/stable/c/7c1250796b6c262b505a46192f4716b8c6a6a8c6\",\n \"https://git.kernel.org/stable/c/c8b7b2f158d9d4fb89cd2f68244af154f7549bb4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxen-netfront: Add missing skb_mark_for_recycle\\n\\nNotice that skb_mark_for_recycle() is introduced later than fixes tag in\\ncommit 6a5bcd84e886 (\\\"page_pool: Allow drivers to hint on SKB recycling\\\").\\n\\nIt is believed that fixes tag were missing a call to page_pool_release_page()\\nbetween v5.9 to v5.14, after which is should have used skb_mark_for_recycle().\\nSince v6.6 the call page_pool_release_page() were removed (in\\ncommit 535b9c61bdef (\\\"net: page_pool: hide page_pool_release_page()\\\")\\nand remaining callers converted (in commit 6bfef2ec0172 (\\\"Merge branch\\n'net-page_pool-remove-page_pool_release_page'\\\")).\\n\\nThis leak became visible in v6.8 via commit dba1b8a7ab68 (\\\"mm/page_pool: catch\\npage_pool memory leaks\\\").\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27393\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27395", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27395" + }, + { + "url": "https://git.kernel.org/stable/c/2db9a8c0a01fa1c762c1e61a13c212c492752994" + }, + { + "url": "https://git.kernel.org/stable/c/35880c3fa6f8fe281a19975d2992644588ca33d3" + }, + { + "url": "https://git.kernel.org/stable/c/589523cf0b384164e445dd5db8d5b1bf97982424" + }, + { + "url": "https://git.kernel.org/stable/c/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2" + }, + { + "url": "https://git.kernel.org/stable/c/9048616553c65e750d43846f225843ed745ec0d4" + }, + { + "url": "https://git.kernel.org/stable/c/bca6fa2d9a9f560e6b89fd5190b05cc2f5d422c1" + }, + { + "url": "https://git.kernel.org/stable/c/eaa5e164a2110d2fb9e16c8a29e4501882235137" + }, + { + "url": "https://git.kernel.org/stable/c/edee0758747d7c219e29db9ed1d4eb33e8d32865" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27395 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27395", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\n\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27395\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27395\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27395\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27395\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27395\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2db9a8c0a01fa1c762c1e61a13c212c492752994\",\n \"https://git.kernel.org/stable/c/35880c3fa6f8fe281a19975d2992644588ca33d3\",\n \"https://git.kernel.org/stable/c/589523cf0b384164e445dd5db8d5b1bf97982424\",\n \"https://git.kernel.org/stable/c/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2\",\n \"https://git.kernel.org/stable/c/9048616553c65e750d43846f225843ed745ec0d4\",\n \"https://git.kernel.org/stable/c/bca6fa2d9a9f560e6b89fd5190b05cc2f5d422c1\",\n \"https://git.kernel.org/stable/c/eaa5e164a2110d2fb9e16c8a29e4501882235137\",\n \"https://git.kernel.org/stable/c/edee0758747d7c219e29db9ed1d4eb33e8d32865\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\\n\\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\\nis possible that the RCU grace period will pass during the traversal and\\nthe key will be free.\\n\\nTo prevent this, it should be changed to hlist_for_each_entry_safe.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27395\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27396", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27396" + }, + { + "url": "https://git.kernel.org/stable/c/07b20d0a3dc13fb1adff10b60021a4924498da58" + }, + { + "url": "https://git.kernel.org/stable/c/0caff3e6390f840666b8dc1ecebf985c2ef3f1dd" + }, + { + "url": "https://git.kernel.org/stable/c/25a1c2d4b1fcf938356a9688a96a6456abd44b29" + }, + { + "url": "https://git.kernel.org/stable/c/2aacd4de45477582993f8a8abb9505a06426bfb6" + }, + { + "url": "https://git.kernel.org/stable/c/2e74b3fd6bf542349758f283676dff3660327c07" + }, + { + "url": "https://git.kernel.org/stable/c/718df1bc226c383dd803397d7f5d95557eb81ac7" + }, + { + "url": "https://git.kernel.org/stable/c/cd957d1716ec979d8f5bf38fc659aeb9fdaa2474" + }, + { + "url": "https://git.kernel.org/stable/c/f2a904107ee2b647bb7794a1a82b67740d7c8a64" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27396 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27396", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gtp: Fix Use-After-Free in gtp_dellink\n\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27396\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27396\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27396\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27396\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27396\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07b20d0a3dc13fb1adff10b60021a4924498da58\",\n \"https://git.kernel.org/stable/c/0caff3e6390f840666b8dc1ecebf985c2ef3f1dd\",\n \"https://git.kernel.org/stable/c/25a1c2d4b1fcf938356a9688a96a6456abd44b29\",\n \"https://git.kernel.org/stable/c/2aacd4de45477582993f8a8abb9505a06426bfb6\",\n \"https://git.kernel.org/stable/c/2e74b3fd6bf542349758f283676dff3660327c07\",\n \"https://git.kernel.org/stable/c/718df1bc226c383dd803397d7f5d95557eb81ac7\",\n \"https://git.kernel.org/stable/c/cd957d1716ec979d8f5bf38fc659aeb9fdaa2474\",\n \"https://git.kernel.org/stable/c/f2a904107ee2b647bb7794a1a82b67740d7c8a64\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: gtp: Fix Use-After-Free in gtp_dellink\\n\\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\\nof gtp_dellink, is not part of the RCU read critical section, it\\nis possible that the RCU grace period will pass during the traversal and\\nthe key will be free.\\n\\nTo prevent this, it should be changed to hlist_for_each_entry_safe.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27396\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27397", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27397" + }, + { + "url": "https://git.kernel.org/stable/c/0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d" + }, + { + "url": "https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3" + }, + { + "url": "https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15" + }, + { + "url": "https://git.kernel.org/stable/c/7b17de2a71e56c10335b565cc7ad238e6d984379" + }, + { + "url": "https://git.kernel.org/stable/c/b45176b869673417ace338b87cf9cdb66e2eeb01" + }, + { + "url": "https://git.kernel.org/stable/c/eaf1a29ea5d7dba8e84e9e9f3b3f47d0cd540bfe" + }, + { + "url": "https://git.kernel.org/stable/c/f8dfda798650241c1692058713ca4fef8e429061" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27397 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27397", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: use timestamp to check for set element timeout\n\nAdd a timestamp field at the beginning of the transaction, store it\nin the nftables per-netns area.\n\nUpdate set backend .insert, .deactivate and sync gc path to use the\ntimestamp, this avoids that an element expires while control plane\ntransaction is still unfinished.\n\n.lookup and .update, which are used from packet path, still use the\ncurrent time to check if the element has expired. And .get path and dump\nalso since this runs lockless under rcu read size lock. Then, there is\nasync gc which also needs to check the current time since it runs\nasynchronously from a workqueue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27397\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27397\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27397\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27397\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27397\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d\",\n \"https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3\",\n \"https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15\",\n \"https://git.kernel.org/stable/c/7b17de2a71e56c10335b565cc7ad238e6d984379\",\n \"https://git.kernel.org/stable/c/b45176b869673417ace338b87cf9cdb66e2eeb01\",\n \"https://git.kernel.org/stable/c/eaf1a29ea5d7dba8e84e9e9f3b3f47d0cd540bfe\",\n \"https://git.kernel.org/stable/c/f8dfda798650241c1692058713ca4fef8e429061\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: use timestamp to check for set element timeout\\n\\nAdd a timestamp field at the beginning of the transaction, store it\\nin the nftables per-netns area.\\n\\nUpdate set backend .insert, .deactivate and sync gc path to use the\\ntimestamp, this avoids that an element expires while control plane\\ntransaction is still unfinished.\\n\\n.lookup and .update, which are used from packet path, still use the\\ncurrent time to check if the element has expired. And .get path and dump\\nalso since this runs lockless under rcu read size lock. Then, there is\\nasync gc which also needs to check the current time since it runs\\nasynchronously from a workqueue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27397\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27398", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27398" + }, + { + "url": "https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2" + }, + { + "url": "https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249" + }, + { + "url": "https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014" + }, + { + "url": "https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53" + }, + { + "url": "https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546" + }, + { + "url": "https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178" + }, + { + "url": "https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5" + }, + { + "url": "https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27398 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27398", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\n\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\n\n Cleanup Thread | Worker Thread\nsco_sock_release |\n sco_sock_close |\n __sco_sock_close |\n sco_sock_set_timer |\n schedule_delayed_work |\n sco_sock_kill | (wait a time)\n sock_put(sk) //FREE | sco_sock_timeout\n | sock_hold(sk) //USE\n\nThe KASAN report triggered by POC is shown below:\n\n[ 95.890016] ==================================================================\n[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[ 95.890755] Workqueue: events sco_sock_timeout\n[ 95.890755] Call Trace:\n[ 95.890755] \n[ 95.890755] dump_stack_lvl+0x45/0x110\n[ 95.890755] print_address_description+0x78/0x390\n[ 95.890755] print_report+0x11b/0x250\n[ 95.890755] ? __virt_addr_valid+0xbe/0xf0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_report+0x139/0x170\n[ 95.890755] ? update_load_avg+0xe5/0x9f0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_check_range+0x2c3/0x2e0\n[ 95.890755] sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] process_one_work+0x561/0xc50\n[ 95.890755] worker_thread+0xab2/0x13c0\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] kthread+0x279/0x300\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork+0x34/0x60\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork_asm+0x11/0x20\n[ 95.890755] \n[ 95.890755]\n[ 95.890755] Allocated by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] __kasan_kmalloc+0x86/0x90\n[ 95.890755] __kmalloc+0x17f/0x360\n[ 95.890755] sk_prot_alloc+0xe1/0x1a0\n[ 95.890755] sk_alloc+0x31/0x4e0\n[ 95.890755] bt_sock_alloc+0x2b/0x2a0\n[ 95.890755] sco_sock_create+0xad/0x320\n[ 95.890755] bt_sock_create+0x145/0x320\n[ 95.890755] __sock_create+0x2e1/0x650\n[ 95.890755] __sys_socket+0xd0/0x280\n[ 95.890755] __x64_sys_socket+0x75/0x80\n[ 95.890755] do_syscall_64+0xc4/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] Freed by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] kasan_save_free_info+0x40/0x50\n[ 95.890755] poison_slab_object+0x118/0x180\n[ 95.890755] __kasan_slab_free+0x12/0x30\n[ 95.890755] kfree+0xb2/0x240\n[ 95.890755] __sk_destruct+0x317/0x410\n[ 95.890755] sco_sock_release+0x232/0x280\n[ 95.890755] sock_close+0xb2/0x210\n[ 95.890755] __fput+0x37f/0x770\n[ 95.890755] task_work_run+0x1ae/0x210\n[ 95.890755] get_signal+0xe17/0xf70\n[ 95.890755] arch_do_signal_or_restart+0x3f/0x520\n[ 95.890755] syscall_exit_to_user_mode+0x55/0x120\n[ 95.890755] do_syscall_64+0xd1/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the object at ffff88800c388000\n[ 95.890755] which belongs to the cache kmalloc-1k of size 1024\n[ 95.890755] The buggy address is located 128 bytes inside of\n[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the physical page:\n[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 95.890755] ano\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27398\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27398\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27398\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27398\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27398\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2\",\n \"https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249\",\n \"https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014\",\n \"https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53\",\n \"https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546\",\n \"https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178\",\n \"https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5\",\n \"https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\\n\\nWhen the sco connection is established and then, the sco socket\\nis releasing, timeout_work will be scheduled to judge whether\\nthe sco disconnection is timeout. The sock will be deallocated\\nlater, but it is dereferenced again in sco_sock_timeout. As a\\nresult, the use-after-free bugs will happen. The root cause is\\nshown below:\\n\\n Cleanup Thread | Worker Thread\\nsco_sock_release |\\n sco_sock_close |\\n __sco_sock_close |\\n sco_sock_set_timer |\\n schedule_delayed_work |\\n sco_sock_kill | (wait a time)\\n sock_put(sk) //FREE | sco_sock_timeout\\n | sock_hold(sk) //USE\\n\\nThe KASAN report triggered by POC is shown below:\\n\\n[ 95.890016] ==================================================================\\n[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\\n[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\\n...\\n[ 95.890755] Workqueue: events sco_sock_timeout\\n[ 95.890755] Call Trace:\\n[ 95.890755] \\n[ 95.890755] dump_stack_lvl+0x45/0x110\\n[ 95.890755] print_address_description+0x78/0x390\\n[ 95.890755] print_report+0x11b/0x250\\n[ 95.890755] ? __virt_addr_valid+0xbe/0xf0\\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\\n[ 95.890755] kasan_report+0x139/0x170\\n[ 95.890755] ? update_load_avg+0xe5/0x9f0\\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\\n[ 95.890755] kasan_check_range+0x2c3/0x2e0\\n[ 95.890755] sco_sock_timeout+0x5e/0x1c0\\n[ 95.890755] process_one_work+0x561/0xc50\\n[ 95.890755] worker_thread+0xab2/0x13c0\\n[ 95.890755] ? pr_cont_work+0x490/0x490\\n[ 95.890755] kthread+0x279/0x300\\n[ 95.890755] ? pr_cont_work+0x490/0x490\\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\\n[ 95.890755] ret_from_fork+0x34/0x60\\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\\n[ 95.890755] ret_from_fork_asm+0x11/0x20\\n[ 95.890755] \\n[ 95.890755]\\n[ 95.890755] Allocated by task 506:\\n[ 95.890755] kasan_save_track+0x3f/0x70\\n[ 95.890755] __kasan_kmalloc+0x86/0x90\\n[ 95.890755] __kmalloc+0x17f/0x360\\n[ 95.890755] sk_prot_alloc+0xe1/0x1a0\\n[ 95.890755] sk_alloc+0x31/0x4e0\\n[ 95.890755] bt_sock_alloc+0x2b/0x2a0\\n[ 95.890755] sco_sock_create+0xad/0x320\\n[ 95.890755] bt_sock_create+0x145/0x320\\n[ 95.890755] __sock_create+0x2e1/0x650\\n[ 95.890755] __sys_socket+0xd0/0x280\\n[ 95.890755] __x64_sys_socket+0x75/0x80\\n[ 95.890755] do_syscall_64+0xc4/0x1b0\\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n[ 95.890755]\\n[ 95.890755] Freed by task 506:\\n[ 95.890755] kasan_save_track+0x3f/0x70\\n[ 95.890755] kasan_save_free_info+0x40/0x50\\n[ 95.890755] poison_slab_object+0x118/0x180\\n[ 95.890755] __kasan_slab_free+0x12/0x30\\n[ 95.890755] kfree+0xb2/0x240\\n[ 95.890755] __sk_destruct+0x317/0x410\\n[ 95.890755] sco_sock_release+0x232/0x280\\n[ 95.890755] sock_close+0xb2/0x210\\n[ 95.890755] __fput+0x37f/0x770\\n[ 95.890755] task_work_run+0x1ae/0x210\\n[ 95.890755] get_signal+0xe17/0xf70\\n[ 95.890755] arch_do_signal_or_restart+0x3f/0x520\\n[ 95.890755] syscall_exit_to_user_mode+0x55/0x120\\n[ 95.890755] do_syscall_64+0xd1/0x1b0\\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n[ 95.890755]\\n[ 95.890755] The buggy address belongs to the object at ffff88800c388000\\n[ 95.890755] which belongs to the cache kmalloc-1k of size 1024\\n[ 95.890755] The buggy address is located 128 bytes inside of\\n[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)\\n[ 95.890755]\\n[ 95.890755] The buggy address belongs to the physical page:\\n[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\\n[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\\n[ 95.890755] ano\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27398\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27399", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27399" + }, + { + "url": "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c" + }, + { + "url": "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9" + }, + { + "url": "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33" + }, + { + "url": "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0" + }, + { + "url": "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c" + }, + { + "url": "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae" + }, + { + "url": "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79" + }, + { + "url": "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27399 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27399", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\n\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan->conn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\n\n[ 472.074580] ==================================================================\n[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[ 472.075308]\n[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.075308] Workqueue: events l2cap_chan_timeout\n[ 472.075308] Call Trace:\n[ 472.075308] \n[ 472.075308] dump_stack_lvl+0x137/0x1a0\n[ 472.075308] print_report+0x101/0x250\n[ 472.075308] ? __virt_addr_valid+0x77/0x160\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_report+0x139/0x170\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_check_range+0x2c3/0x2e0\n[ 472.075308] mutex_lock+0x68/0xc0\n[ 472.075308] l2cap_chan_timeout+0x181/0x300\n[ 472.075308] process_one_work+0x5d2/0xe00\n[ 472.075308] worker_thread+0xe1d/0x1660\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] kthread+0x2b7/0x350\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork+0x4d/0x80\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork_asm+0x11/0x20\n[ 472.075308] \n[ 472.075308] ==================================================================\n[ 472.094860] Disabling lock debugging due to kernel taint\n[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[ 472.096136] #PF: supervisor write access in kernel mode\n[ 472.096136] #PF: error_code(0x0002) - not-present page\n[ 472.096136] PGD 0 P4D 0\n[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.096136] Workqueue: events l2cap_chan_timeout\n[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[ 472.096136] Call Trace:\n[ 472.096136] \n[ 472.096136] ? __die_body+0x8d/0xe0\n[ 472.096136] ? page_fault_oops+0x6b8/0x9a0\n[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[ 472.096136] ? do_user_addr_fault+0x1027/0x1340\n[ 472.096136] ? _printk+0x7a/0xa0\n[ 472.096136] ? mutex_lock+0x68/0xc0\n[ 472.096136] ? add_taint+0x42/0xd0\n[ 472.096136] ? exc_page_fault+0x6a/0x1b0\n[ 472.096136] ? asm_exc_page_fault+0x26/0x30\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] ? mutex_lock+0x88/0xc0\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] l2cap_chan_timeo\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27399\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27399\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27399\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27399\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27399\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c\",\n \"https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9\",\n \"https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33\",\n \"https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0\",\n \"https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c\",\n \"https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae\",\n \"https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79\",\n \"https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\\n\\nThere is a race condition between l2cap_chan_timeout() and\\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\\nchannel, the chan->conn will be set to null. But the conn could\\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\\nAs a result the null pointer dereference bug will happen. The\\nKASAN report triggered by POC is shown below:\\n\\n[ 472.074580] ==================================================================\\n[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\\n[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\\n[ 472.075308]\\n[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\\n[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\\n[ 472.075308] Workqueue: events l2cap_chan_timeout\\n[ 472.075308] Call Trace:\\n[ 472.075308] \\n[ 472.075308] dump_stack_lvl+0x137/0x1a0\\n[ 472.075308] print_report+0x101/0x250\\n[ 472.075308] ? __virt_addr_valid+0x77/0x160\\n[ 472.075308] ? mutex_lock+0x68/0xc0\\n[ 472.075308] kasan_report+0x139/0x170\\n[ 472.075308] ? mutex_lock+0x68/0xc0\\n[ 472.075308] kasan_check_range+0x2c3/0x2e0\\n[ 472.075308] mutex_lock+0x68/0xc0\\n[ 472.075308] l2cap_chan_timeout+0x181/0x300\\n[ 472.075308] process_one_work+0x5d2/0xe00\\n[ 472.075308] worker_thread+0xe1d/0x1660\\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\\n[ 472.075308] kthread+0x2b7/0x350\\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\\n[ 472.075308] ret_from_fork+0x4d/0x80\\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\\n[ 472.075308] ret_from_fork_asm+0x11/0x20\\n[ 472.075308] \\n[ 472.075308] ==================================================================\\n[ 472.094860] Disabling lock debugging due to kernel taint\\n[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\\n[ 472.096136] #PF: supervisor write access in kernel mode\\n[ 472.096136] #PF: error_code(0x0002) - not-present page\\n[ 472.096136] PGD 0 P4D 0\\n[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\\n[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36\\n[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\\n[ 472.096136] Workqueue: events l2cap_chan_timeout\\n[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0\\n[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\\n[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\\n[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\\n[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\\n[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\\n[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\\n[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\\n[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\\n[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\\n[ 472.096136] Call Trace:\\n[ 472.096136] \\n[ 472.096136] ? __die_body+0x8d/0xe0\\n[ 472.096136] ? page_fault_oops+0x6b8/0x9a0\\n[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0\\n[ 472.096136] ? do_user_addr_fault+0x1027/0x1340\\n[ 472.096136] ? _printk+0x7a/0xa0\\n[ 472.096136] ? mutex_lock+0x68/0xc0\\n[ 472.096136] ? add_taint+0x42/0xd0\\n[ 472.096136] ? exc_page_fault+0x6a/0x1b0\\n[ 472.096136] ? asm_exc_page_fault+0x26/0x30\\n[ 472.096136] ? mutex_lock+0x75/0xc0\\n[ 472.096136] ? mutex_lock+0x88/0xc0\\n[ 472.096136] ? mutex_lock+0x75/0xc0\\n[ 472.096136] l2cap_chan_timeo\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27399\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27400", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27400" + }, + { + "url": "https://git.kernel.org/stable/c/0c7ed3ed35eec9138b88d42217b5a6b9a62bda4d" + }, + { + "url": "https://git.kernel.org/stable/c/5c25b169f9a0b34ee410891a96bc9d7b9ed6f9be" + }, + { + "url": "https://git.kernel.org/stable/c/9a4f6e138720b6e9adf7b82a71d0292f3f276480" + }, + { + "url": "https://git.kernel.org/stable/c/d3a9331a6591e9df64791e076f6591f440af51c3" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27400 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27400", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2\n\nThis reverts drm/amdgpu: fix ftrace event amdgpu_bo_move always move\non same heap. The basic problem here is that after the move the old\nlocation is simply not available any more.\n\nSome fixes were suggested, but essentially we should call the move\nnotification before actually moving things because only this way we have\nthe correct order for DMA-buf and VM move notifications as well.\n\nAlso rework the statistic handling so that we don't update the eviction\ncounter before the move.\n\nv2: add missing NULL check", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27400\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27400\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27400\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27400\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27400\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c7ed3ed35eec9138b88d42217b5a6b9a62bda4d\",\n \"https://git.kernel.org/stable/c/5c25b169f9a0b34ee410891a96bc9d7b9ed6f9be\",\n \"https://git.kernel.org/stable/c/9a4f6e138720b6e9adf7b82a71d0292f3f276480\",\n \"https://git.kernel.org/stable/c/d3a9331a6591e9df64791e076f6591f440af51c3\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2\\n\\nThis reverts drm/amdgpu: fix ftrace event amdgpu_bo_move always move\\non same heap. The basic problem here is that after the move the old\\nlocation is simply not available any more.\\n\\nSome fixes were suggested, but essentially we should call the move\\nnotification before actually moving things because only this way we have\\nthe correct order for DMA-buf and VM move notifications as well.\\n\\nAlso rework the statistic handling so that we don't update the eviction\\ncounter before the move.\\n\\nv2: add missing NULL check\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27400\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27401", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27401" + }, + { + "url": "https://git.kernel.org/stable/c/1fe60ee709436550f8cfbab01295936b868d5baa" + }, + { + "url": "https://git.kernel.org/stable/c/38762a0763c10c24a4915feee722d7aa6e73eb98" + }, + { + "url": "https://git.kernel.org/stable/c/4ee0941da10e8fdcdb34756b877efd3282594c1f" + }, + { + "url": "https://git.kernel.org/stable/c/539d51ac48bcfcfa1b3d4a85f8df92fa22c1d41c" + }, + { + "url": "https://git.kernel.org/stable/c/67f34f093c0f7bf33f5b4ae64d3d695a3b978285" + }, + { + "url": "https://git.kernel.org/stable/c/79f988d3ffc1aa778fc5181bdfab312e57956c6b" + }, + { + "url": "https://git.kernel.org/stable/c/7b8c7bd2296e95b38a6ff346242356a2e7190239" + }, + { + "url": "https://git.kernel.org/stable/c/cca330c59c54207567a648357835f59df9a286bb" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27401 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27401", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\n\nEnsure that packet_buffer_get respects the user_length provided. If\nthe length of the head packet exceeds the user_length, packet_buffer_get\nwill now return 0 to signify to the user that no data were read\nand a larger buffer size is required. Helps prevent user space overflows.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27401\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27401\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27401\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27401\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27401\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fe60ee709436550f8cfbab01295936b868d5baa\",\n \"https://git.kernel.org/stable/c/38762a0763c10c24a4915feee722d7aa6e73eb98\",\n \"https://git.kernel.org/stable/c/4ee0941da10e8fdcdb34756b877efd3282594c1f\",\n \"https://git.kernel.org/stable/c/539d51ac48bcfcfa1b3d4a85f8df92fa22c1d41c\",\n \"https://git.kernel.org/stable/c/67f34f093c0f7bf33f5b4ae64d3d695a3b978285\",\n \"https://git.kernel.org/stable/c/79f988d3ffc1aa778fc5181bdfab312e57956c6b\",\n \"https://git.kernel.org/stable/c/7b8c7bd2296e95b38a6ff346242356a2e7190239\",\n \"https://git.kernel.org/stable/c/cca330c59c54207567a648357835f59df9a286bb\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\\n\\nEnsure that packet_buffer_get respects the user_length provided. If\\nthe length of the head packet exceeds the user_length, packet_buffer_get\\nwill now return 0 to signify to the user that no data were read\\nand a larger buffer size is required. Helps prevent user space overflows.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27401\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27402", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27402" + }, + { + "url": "https://git.kernel.org/stable/c/0a9f558c72c47472c38c05fcb72c70abb9104277" + }, + { + "url": "https://git.kernel.org/stable/c/7d2a894d7f487dcb894df023e9d3014cf5b93fe5" + }, + { + "url": "https://git.kernel.org/stable/c/8ef4fcc7014b9f93619851d6b78d6cc2789a4c88" + }, + { + "url": "https://git.kernel.org/stable/c/9d5523e065b568e79dfaa2ea1085a5bcf74baf78" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27402 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27402", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet/pep: fix racy skb_queue_empty() use\n\nThe receive queues are protected by their respective spin-lock, not\nthe socket lock. This could lead to skb_peek() unexpectedly\nreturning NULL or a pointer to an already dequeued socket buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27402\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27402\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27402\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27402\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27402\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a9f558c72c47472c38c05fcb72c70abb9104277\",\n \"https://git.kernel.org/stable/c/7d2a894d7f487dcb894df023e9d3014cf5b93fe5\",\n \"https://git.kernel.org/stable/c/8ef4fcc7014b9f93619851d6b78d6cc2789a4c88\",\n \"https://git.kernel.org/stable/c/9d5523e065b568e79dfaa2ea1085a5bcf74baf78\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nphonet/pep: fix racy skb_queue_empty() use\\n\\nThe receive queues are protected by their respective spin-lock, not\\nthe socket lock. This could lead to skb_peek() unexpectedly\\nreturning NULL or a pointer to an already dequeued socket buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27402\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27407", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27407" + }, + { + "url": "https://git.kernel.org/stable/c/1c0a95d99b1b2b5d842e5abc7ef7eed1193b60d7" + }, + { + "url": "https://git.kernel.org/stable/c/652cfeb43d6b9aba5c7c4902bed7a7340df131fb" + }, + { + "url": "https://git.kernel.org/stable/c/8c77398c72618101d66480b94b34fe9087ee3d08" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27407 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27407", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fixed overflow check in mi_enum_attr()", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27407\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27407\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27407\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27407\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27407\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c0a95d99b1b2b5d842e5abc7ef7eed1193b60d7\",\n \"https://git.kernel.org/stable/c/652cfeb43d6b9aba5c7c4902bed7a7340df131fb\",\n \"https://git.kernel.org/stable/c/8c77398c72618101d66480b94b34fe9087ee3d08\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Fixed overflow check in mi_enum_attr()\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27407\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27408", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27408" + }, + { + "url": "https://git.kernel.org/stable/c/bbcc1c83f343e580c3aa1f2a8593343bf7b55bba" + }, + { + "url": "https://git.kernel.org/stable/c/d24fe6d5a1cfdddb7a9ef56736ec501c4d0a5fd3" + }, + { + "url": "https://git.kernel.org/stable/c/f396b4df27cfe01a99f4b41f584c49e56477be3a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27408 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27408", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup\n\nThe Linked list element and pointer are not stored in the same memory as\nthe eDMA controller register. If the doorbell register is toggled before\nthe full write of the linked list a race condition error will occur.\nIn remote setup we can only use a readl to the memory to assure the full\nwrite has occurred.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27408\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27408\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27408\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27408\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27408\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/bbcc1c83f343e580c3aa1f2a8593343bf7b55bba\",\n \"https://git.kernel.org/stable/c/d24fe6d5a1cfdddb7a9ef56736ec501c4d0a5fd3\",\n \"https://git.kernel.org/stable/c/f396b4df27cfe01a99f4b41f584c49e56477be3a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup\\n\\nThe Linked list element and pointer are not stored in the same memory as\\nthe eDMA controller register. If the doorbell register is toggled before\\nthe full write of the linked list a race condition error will occur.\\nIn remote setup we can only use a readl to the memory to assure the full\\nwrite has occurred.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27408\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27418", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27418" + }, + { + "url": "https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3" + }, + { + "url": "https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd" + }, + { + "url": "https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b" + }, + { + "url": "https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27418 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27418", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: take ownership of skb in mctp_local_output\n\nCurrently, mctp_local_output only takes ownership of skb on success, and\nwe may leak an skb if mctp_local_output fails in specific states; the\nskb ownership isn't transferred until the actual output routing occurs.\n\nInstead, make mctp_local_output free the skb on all error paths up to\nthe route action, so it always consumes the passed skb.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27418\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27418\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27418\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27418\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27418\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3\",\n \"https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd\",\n \"https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b\",\n \"https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: mctp: take ownership of skb in mctp_local_output\\n\\nCurrently, mctp_local_output only takes ownership of skb on success, and\\nwe may leak an skb if mctp_local_output fails in specific states; the\\nskb ownership isn't transferred until the actual output routing occurs.\\n\\nInstead, make mctp_local_output free the skb on all error paths up to\\nthe route action, so it always consumes the passed skb.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27418\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27435", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27435" + }, + { + "url": "https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8" + }, + { + "url": "https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818" + }, + { + "url": "https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96" + }, + { + "url": "https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1d" + }, + { + "url": "https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27435 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27435", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix reconnection fail due to reserved tag allocation\n\nWe found a issue on production environment while using NVMe over RDMA,\nadmin_q reconnect failed forever while remote target and network is ok.\nAfter dig into it, we found it may caused by a ABBA deadlock due to tag\nallocation. In my case, the tag was hold by a keep alive request\nwaiting inside admin_q, as we quiesced admin_q while reset ctrl, so the\nrequest maked as idle and will not process before reset success. As\nfabric_q shares tagset with admin_q, while reconnect remote target, we\nneed a tag for connect command, but the only one reserved tag was held\nby keep alive command which waiting inside admin_q. As a result, we\nfailed to reconnect admin_q forever. In order to fix this issue, I\nthink we should keep two reserved tags for admin queue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27435\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27435\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27435\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27435\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27435\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8\",\n \"https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818\",\n \"https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96\",\n \"https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1d\",\n \"https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme: fix reconnection fail due to reserved tag allocation\\n\\nWe found a issue on production environment while using NVMe over RDMA,\\nadmin_q reconnect failed forever while remote target and network is ok.\\nAfter dig into it, we found it may caused by a ABBA deadlock due to tag\\nallocation. In my case, the tag was hold by a keep alive request\\nwaiting inside admin_q, as we quiesced admin_q while reset ctrl, so the\\nrequest maked as idle and will not process before reset success. As\\nfabric_q shares tagset with admin_q, while reconnect remote target, we\\nneed a tag for connect command, but the only one reserved tag was held\\nby keep alive command which waiting inside admin_q. As a result, we\\nfailed to reconnect admin_q forever. In order to fix this issue, I\\nthink we should keep two reserved tags for admin queue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27435\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-27437", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-27437" + }, + { + "url": "https://git.kernel.org/stable/c/139dfcc4d723ab13469881200c7d80f49d776060" + }, + { + "url": "https://git.kernel.org/stable/c/26389925d6c2126fb777821a0a983adca7ee6351" + }, + { + "url": "https://git.kernel.org/stable/c/2a4a666c45107206605b7b5bc20545f8aabc4fa2" + }, + { + "url": "https://git.kernel.org/stable/c/3b3491ad0f80d913e7d255941d4470f4a4d9bfda" + }, + { + "url": "https://git.kernel.org/stable/c/561d5e1998d58b54ce2bbbb3e843b669aa0b3db5" + }, + { + "url": "https://git.kernel.org/stable/c/b7a2f0955ffceffadfe098b40b50307431f45438" + }, + { + "url": "https://git.kernel.org/stable/c/bf0bc84a20e6109ab07d5dc072067bd01eb931ec" + }, + { + "url": "https://git.kernel.org/stable/c/fe9a7082684eb059b925c535682e68c34d487d43" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-27437 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-27437", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\n\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag. This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\n\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-27437\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-27437\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-27437\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-27437\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-27437\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/139dfcc4d723ab13469881200c7d80f49d776060\",\n \"https://git.kernel.org/stable/c/26389925d6c2126fb777821a0a983adca7ee6351\",\n \"https://git.kernel.org/stable/c/2a4a666c45107206605b7b5bc20545f8aabc4fa2\",\n \"https://git.kernel.org/stable/c/3b3491ad0f80d913e7d255941d4470f4a4d9bfda\",\n \"https://git.kernel.org/stable/c/561d5e1998d58b54ce2bbbb3e843b669aa0b3db5\",\n \"https://git.kernel.org/stable/c/b7a2f0955ffceffadfe098b40b50307431f45438\",\n \"https://git.kernel.org/stable/c/bf0bc84a20e6109ab07d5dc072067bd01eb931ec\",\n \"https://git.kernel.org/stable/c/fe9a7082684eb059b925c535682e68c34d487d43\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\\n\\nCurrently for devices requiring masking at the irqchip for INTx, ie.\\ndevices without DisINTx support, the IRQ is enabled in request_irq()\\nand subsequently disabled as necessary to align with the masked status\\nflag. This presents a window where the interrupt could fire between\\nthese events, resulting in the IRQ incrementing the disable depth twice.\\nThis would be unrecoverable for a user since the masked flag prevents\\nnested enables through vfio.\\n\\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\\nis never auto-enabled, then unmask as required.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-27437\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-31076", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-31076" + }, + { + "url": "https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f" + }, + { + "url": "https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76" + }, + { + "url": "https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420" + }, + { + "url": "https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8" + }, + { + "url": "https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32" + }, + { + "url": "https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30" + }, + { + "url": "https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1" + }, + { + "url": "https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-31076 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-31076", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\n\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\n\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\n\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\n\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\n\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\n\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\n\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\n\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-31076\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-31076\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-31076\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-31076\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-31076\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f\",\n \"https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76\",\n \"https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420\",\n \"https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8\",\n \"https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32\",\n \"https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30\",\n \"https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1\",\n \"https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\\n\\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\\ninterrupt affinity reconfiguration via procfs. Instead, the change is\\ndeferred until the next instance of the interrupt being triggered on the\\noriginal CPU.\\n\\nWhen the interrupt next triggers on the original CPU, the new affinity is\\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\\nbut the old vector on the original CPU remains and is not immediately\\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\\nprocess is delayed until the next trigger of the interrupt on the new CPU.\\n\\nUpon the subsequent triggering of the interrupt on the new CPU,\\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\\nremains online. Subsequently, the timer on the old CPU iterates over its\\nvector_cleanup list, reclaiming old vectors.\\n\\nHowever, a rare scenario arises if the old CPU is outgoing before the\\ninterrupt triggers again on the new CPU.\\n\\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\\nthough __vector_schedule_cleanup() is later called on the new CPU, it\\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\\napicd->move_in_progress and apicd->prev_vector to 0.\\n\\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\\nCPU vector leak.\\n\\nTo address this issue, move the invocation of irq_force_complete_move()\\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\\ninterrupt is currently or used to be affine to the outgoing CPU.\\n\\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\\nfollowing a warning message, although theoretically it should never see\\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-31076\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-33621", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-33621" + }, + { + "url": "https://git.kernel.org/stable/c/0049a623dfbbb49888de7f0c2f33a582b5ead989" + }, + { + "url": "https://git.kernel.org/stable/c/13c4543db34e0da5a7d2f550b6262d860f248381" + }, + { + "url": "https://git.kernel.org/stable/c/183c4b416454b9983dc1b8aa0022b748911adc48" + }, + { + "url": "https://git.kernel.org/stable/c/1abbf079da59ef559d0ab4219d2a0302f7970761" + }, + { + "url": "https://git.kernel.org/stable/c/54213c09801e0bd2549ac42961093be36f65a7d0" + }, + { + "url": "https://git.kernel.org/stable/c/54768bacfde60e8e4757968d79f8726711dd2cf5" + }, + { + "url": "https://git.kernel.org/stable/c/b3dc6e8003b500861fa307e9a3400c52e78e4d3a" + }, + { + "url": "https://git.kernel.org/stable/c/cb53706a3403ba67f4040b2a82d9cf79e11b1a48" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-33621 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-33621", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound\n\nRaw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will\nhit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.\n\nWARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70\nModules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper\nCPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:sk_mc_loop+0x2d/0x70\nCode: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c\nRSP: 0018:ffffa9584015cd78 EFLAGS: 00010212\nRAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001\nRDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000\nRBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00\nR10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000\nR13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000\nFS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n ? __warn (kernel/panic.c:693)\n ? sk_mc_loop (net/core/sock.c:760)\n ? report_bug (lib/bug.c:201 lib/bug.c:219)\n ? handle_bug (arch/x86/kernel/traps.c:239)\n ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\n ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\n ? sk_mc_loop (net/core/sock.c:760)\n ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))\n ? nf_hook_slow (net/netfilter/core.c:626)\n ip6_finish_output (net/ipv6/ip6_output.c:222)\n ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)\n ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan\n ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan\n dev_hard_start_xmit (net/core/dev.c:3594)\n sch_direct_xmit (net/sched/sch_generic.c:343)\n __qdisc_run (net/sched/sch_generic.c:416)\n net_tx_action (net/core/dev.c:5286)\n handle_softirqs (kernel/softirq.c:555)\n __irq_exit_rcu (kernel/softirq.c:589)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)\n\nThe warning triggers as this:\npacket_sendmsg\n packet_snd //skb->sk is packet sk\n __dev_queue_xmit\n __dev_xmit_skb //q->enqueue is not NULL\n __qdisc_run\n sch_direct_xmit\n dev_hard_start_xmit\n ipvlan_start_xmit\n ipvlan_xmit_mode_l3 //l3 mode\n ipvlan_process_outbound //vepa flag\n ipvlan_process_v6_outbound\n ip6_local_out\n __ip6_finish_output\n ip6_finish_output2 //multicast packet\n sk_mc_loop //sk->sk_family is AF_PACKET\n\nCall ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-33621\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-33621\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-33621\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-33621\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-33621\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0049a623dfbbb49888de7f0c2f33a582b5ead989\",\n \"https://git.kernel.org/stable/c/13c4543db34e0da5a7d2f550b6262d860f248381\",\n \"https://git.kernel.org/stable/c/183c4b416454b9983dc1b8aa0022b748911adc48\",\n \"https://git.kernel.org/stable/c/1abbf079da59ef559d0ab4219d2a0302f7970761\",\n \"https://git.kernel.org/stable/c/54213c09801e0bd2549ac42961093be36f65a7d0\",\n \"https://git.kernel.org/stable/c/54768bacfde60e8e4757968d79f8726711dd2cf5\",\n \"https://git.kernel.org/stable/c/b3dc6e8003b500861fa307e9a3400c52e78e4d3a\",\n \"https://git.kernel.org/stable/c/cb53706a3403ba67f4040b2a82d9cf79e11b1a48\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound\\n\\nRaw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will\\nhit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.\\n\\nWARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70\\nModules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper\\nCPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nRIP: 0010:sk_mc_loop+0x2d/0x70\\nCode: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c\\nRSP: 0018:ffffa9584015cd78 EFLAGS: 00010212\\nRAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001\\nRDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000\\nRBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00\\nR10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000\\nR13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000\\nFS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n\\n ? __warn (kernel/panic.c:693)\\n ? sk_mc_loop (net/core/sock.c:760)\\n ? report_bug (lib/bug.c:201 lib/bug.c:219)\\n ? handle_bug (arch/x86/kernel/traps.c:239)\\n ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\\n ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\\n ? sk_mc_loop (net/core/sock.c:760)\\n ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))\\n ? nf_hook_slow (net/netfilter/core.c:626)\\n ip6_finish_output (net/ipv6/ip6_output.c:222)\\n ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)\\n ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan\\n ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan\\n dev_hard_start_xmit (net/core/dev.c:3594)\\n sch_direct_xmit (net/sched/sch_generic.c:343)\\n __qdisc_run (net/sched/sch_generic.c:416)\\n net_tx_action (net/core/dev.c:5286)\\n handle_softirqs (kernel/softirq.c:555)\\n __irq_exit_rcu (kernel/softirq.c:589)\\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)\\n\\nThe warning triggers as this:\\npacket_sendmsg\\n packet_snd //skb->sk is packet sk\\n __dev_queue_xmit\\n __dev_xmit_skb //q->enqueue is not NULL\\n __qdisc_run\\n sch_direct_xmit\\n dev_hard_start_xmit\\n ipvlan_start_xmit\\n ipvlan_xmit_mode_l3 //l3 mode\\n ipvlan_process_outbound //vepa flag\\n ipvlan_process_v6_outbound\\n ip6_local_out\\n __ip6_finish_output\\n ip6_finish_output2 //multicast packet\\n sk_mc_loop //sk->sk_family is AF_PACKET\\n\\nCall ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-33621\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-33847", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-33847" + }, + { + "url": "https://git.kernel.org/stable/c/29ed2b5dd521ce7c5d8466cd70bf0cc9d07afeee" + }, + { + "url": "https://git.kernel.org/stable/c/3ccf5210dc941a7aa0180596ac021568be4d35ec" + }, + { + "url": "https://git.kernel.org/stable/c/5268241b41b1c5d0acca75e9b97d4fd719251c8c" + }, + { + "url": "https://git.kernel.org/stable/c/8acae047215024d1ac499b3c8337ef1b952f160b" + }, + { + "url": "https://git.kernel.org/stable/c/9f9341064a9b5246a32a7fe56b9f80c6f7f3c62d" + }, + { + "url": "https://git.kernel.org/stable/c/b8962cf98595d1ec62f40f23667de830567ec8bc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-33847 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-33847", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: don't allow unaligned truncation on released compress inode\n\nf2fs image may be corrupted after below testcase:\n- mkfs.f2fs -O extra_attr,compression -f /dev/vdb\n- mount /dev/vdb /mnt/f2fs\n- touch /mnt/f2fs/file\n- f2fs_io setflags compression /mnt/f2fs/file\n- dd if=/dev/zero of=/mnt/f2fs/file bs=4k count=4\n- f2fs_io release_cblocks /mnt/f2fs/file\n- truncate -s 8192 /mnt/f2fs/file\n- umount /mnt/f2fs\n- fsck.f2fs /dev/vdb\n\n[ASSERT] (fsck_chk_inode_blk:1256) --> ino: 0x5 has i_blocks: 0x00000002, but has 0x3 blocks\n[FSCK] valid_block_count matching with CP [Fail] [0x4, 0x5]\n[FSCK] other corrupted bugs [Fail]\n\nThe reason is: partial truncation assume compressed inode has reserved\nblocks, after partial truncation, valid block count may change w/o\n.i_blocks and .total_valid_block_count update, result in corruption.\n\nThis patch only allow cluster size aligned truncation on released\ncompress inode for fixing.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-33847\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-33847\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-33847\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-33847\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-33847\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29ed2b5dd521ce7c5d8466cd70bf0cc9d07afeee\",\n \"https://git.kernel.org/stable/c/3ccf5210dc941a7aa0180596ac021568be4d35ec\",\n \"https://git.kernel.org/stable/c/5268241b41b1c5d0acca75e9b97d4fd719251c8c\",\n \"https://git.kernel.org/stable/c/8acae047215024d1ac499b3c8337ef1b952f160b\",\n \"https://git.kernel.org/stable/c/9f9341064a9b5246a32a7fe56b9f80c6f7f3c62d\",\n \"https://git.kernel.org/stable/c/b8962cf98595d1ec62f40f23667de830567ec8bc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: compress: don't allow unaligned truncation on released compress inode\\n\\nf2fs image may be corrupted after below testcase:\\n- mkfs.f2fs -O extra_attr,compression -f /dev/vdb\\n- mount /dev/vdb /mnt/f2fs\\n- touch /mnt/f2fs/file\\n- f2fs_io setflags compression /mnt/f2fs/file\\n- dd if=/dev/zero of=/mnt/f2fs/file bs=4k count=4\\n- f2fs_io release_cblocks /mnt/f2fs/file\\n- truncate -s 8192 /mnt/f2fs/file\\n- umount /mnt/f2fs\\n- fsck.f2fs /dev/vdb\\n\\n[ASSERT] (fsck_chk_inode_blk:1256) --> ino: 0x5 has i_blocks: 0x00000002, but has 0x3 blocks\\n[FSCK] valid_block_count matching with CP [Fail] [0x4, 0x5]\\n[FSCK] other corrupted bugs [Fail]\\n\\nThe reason is: partial truncation assume compressed inode has reserved\\nblocks, after partial truncation, valid block count may change w/o\\n.i_blocks and .total_valid_block_count update, result in corruption.\\n\\nThis patch only allow cluster size aligned truncation on released\\ncompress inode for fixing.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-33847\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-34027", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-34027" + }, + { + "url": "https://git.kernel.org/stable/c/0a4ed2d97cb6d044196cc3e726b6699222b41019" + }, + { + "url": "https://git.kernel.org/stable/c/329edb7c9e3b6ca27e6ca67ab1cdda1740fb3a2b" + }, + { + "url": "https://git.kernel.org/stable/c/5d47d63883735718825ca2efc4fca6915469774f" + }, + { + "url": "https://git.kernel.org/stable/c/69136304fd144144a4828c7b7b149d0f80321ba4" + }, + { + "url": "https://git.kernel.org/stable/c/a6e1f7744e9b84f86a629a76024bba8468aa153b" + }, + { + "url": "https://git.kernel.org/stable/c/b5bac43875aa27ec032dbbb86173baae6dce6182" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-34027 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-34027", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\n\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\nto avoid racing with checkpoint, otherwise, filesystem metadata including\nblkaddr in dnode, inode fields and .total_valid_block_count may be\ncorrupted after SPO case.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-34027\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-34027\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-34027\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-34027\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-34027\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a4ed2d97cb6d044196cc3e726b6699222b41019\",\n \"https://git.kernel.org/stable/c/329edb7c9e3b6ca27e6ca67ab1cdda1740fb3a2b\",\n \"https://git.kernel.org/stable/c/5d47d63883735718825ca2efc4fca6915469774f\",\n \"https://git.kernel.org/stable/c/69136304fd144144a4828c7b7b149d0f80321ba4\",\n \"https://git.kernel.org/stable/c/a6e1f7744e9b84f86a629a76024bba8468aa153b\",\n \"https://git.kernel.org/stable/c/b5bac43875aa27ec032dbbb86173baae6dce6182\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\\n\\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\\nto avoid racing with checkpoint, otherwise, filesystem metadata including\\nblkaddr in dnode, inode fields and .total_valid_block_count may be\\ncorrupted after SPO case.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-34027\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-34777", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-34777" + }, + { + "url": "https://git.kernel.org/stable/c/1ff05e723f7ca30644b8ec3fb093f16312e408ad" + }, + { + "url": "https://git.kernel.org/stable/c/34a816d8735f3924b74be8e5bf766ade1f3bd10b" + }, + { + "url": "https://git.kernel.org/stable/c/35d31c8bd4722b107f5a2f5ddddce839de04b936" + }, + { + "url": "https://git.kernel.org/stable/c/63e7e05a48a35308aeddd7ecccb68363a5988e87" + }, + { + "url": "https://git.kernel.org/stable/c/c57874265a3c5206d7aece3793bb2fc9abcd7570" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-34777 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-34777", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: fix node id validation\n\nWhile validating node ids in map_benchmark_ioctl(), node_possible() may\nbe provided with invalid argument outside of [0,MAX_NUMNODES-1] range\nleading to:\n\nBUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nRead of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971\nCPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117)\nkasan_report (mm/kasan/report.c:603)\nkasan_check_range (mm/kasan/generic.c:189)\nvariable_test_bit (arch/x86/include/asm/bitops.h:227) [inline]\narch_test_bit (arch/x86/include/asm/bitops.h:239) [inline]\n_test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline]\nnode_state (include/linux/nodemask.h:423) [inline]\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nCompare node ids with sane bounds first. NUMA_NO_NODE is considered a\nspecial valid case meaning that benchmarking kthreads won't be bound to a\ncpuset of a given node.\n\nFound by Linux Verification Center (linuxtesting.org).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-34777\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-34777\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-34777\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-34777\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-34777\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ff05e723f7ca30644b8ec3fb093f16312e408ad\",\n \"https://git.kernel.org/stable/c/34a816d8735f3924b74be8e5bf766ade1f3bd10b\",\n \"https://git.kernel.org/stable/c/35d31c8bd4722b107f5a2f5ddddce839de04b936\",\n \"https://git.kernel.org/stable/c/63e7e05a48a35308aeddd7ecccb68363a5988e87\",\n \"https://git.kernel.org/stable/c/c57874265a3c5206d7aece3793bb2fc9abcd7570\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma-mapping: benchmark: fix node id validation\\n\\nWhile validating node ids in map_benchmark_ioctl(), node_possible() may\\nbe provided with invalid argument outside of [0,MAX_NUMNODES-1] range\\nleading to:\\n\\nBUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\\nRead of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971\\nCPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\\nCall Trace:\\n \\ndump_stack_lvl (lib/dump_stack.c:117)\\nkasan_report (mm/kasan/report.c:603)\\nkasan_check_range (mm/kasan/generic.c:189)\\nvariable_test_bit (arch/x86/include/asm/bitops.h:227) [inline]\\narch_test_bit (arch/x86/include/asm/bitops.h:239) [inline]\\n_test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline]\\nnode_state (include/linux/nodemask.h:423) [inline]\\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\\n__x64_sys_ioctl (fs/ioctl.c:890)\\ndo_syscall_64 (arch/x86/entry/common.c:83)\\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\nCompare node ids with sane bounds first. NUMA_NO_NODE is considered a\\nspecial valid case meaning that benchmarking kthreads won't be bound to a\\ncpuset of a given node.\\n\\nFound by Linux Verification Center (linuxtesting.org).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-34777\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35247", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35247" + }, + { + "url": "https://git.kernel.org/stable/c/2279c09c36165ccded4d506d11a7714e13b56019" + }, + { + "url": "https://git.kernel.org/stable/c/26e6e25d742e29885cf44274fcf6b744366c4702" + }, + { + "url": "https://git.kernel.org/stable/c/4d7d12b643c00e7eea51b49a60a2ead182633ec8" + }, + { + "url": "https://git.kernel.org/stable/c/75a001914a8d2ccdcbe4b8cc7e94ac71d0e66093" + }, + { + "url": "https://git.kernel.org/stable/c/9b4eee8572dcf82b2ed17d9a328c7fb87df2f0e8" + }, + { + "url": "https://git.kernel.org/stable/c/b7c0e1ecee403a43abc89eb3e75672b01ff2ece9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35247 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35247", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: region: add owner module and take its refcount\n\nThe current implementation of the fpga region assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the region\nduring programming if the parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_region\nstruct and use it to take the module's refcount. Modify the functions for\nregistering a region to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the region as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a region without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga region.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35247\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35247\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35247\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35247\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35247\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2279c09c36165ccded4d506d11a7714e13b56019\",\n \"https://git.kernel.org/stable/c/26e6e25d742e29885cf44274fcf6b744366c4702\",\n \"https://git.kernel.org/stable/c/4d7d12b643c00e7eea51b49a60a2ead182633ec8\",\n \"https://git.kernel.org/stable/c/75a001914a8d2ccdcbe4b8cc7e94ac71d0e66093\",\n \"https://git.kernel.org/stable/c/9b4eee8572dcf82b2ed17d9a328c7fb87df2f0e8\",\n \"https://git.kernel.org/stable/c/b7c0e1ecee403a43abc89eb3e75672b01ff2ece9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfpga: region: add owner module and take its refcount\\n\\nThe current implementation of the fpga region assumes that the low-level\\nmodule registers a driver for the parent device and uses its owner pointer\\nto take the module's refcount. This approach is problematic since it can\\nlead to a null pointer dereference while attempting to get the region\\nduring programming if the parent device does not have a driver.\\n\\nTo address this problem, add a module owner pointer to the fpga_region\\nstruct and use it to take the module's refcount. Modify the functions for\\nregistering a region to take an additional owner module parameter and\\nrename them to avoid conflicts. Use the old function names for helper\\nmacros that automatically set the module that registers the region as the\\nowner. This ensures compatibility with existing low-level control modules\\nand reduces the chances of registering a region without setting the owner.\\n\\nAlso, update the documentation to keep it consistent with the new interface\\nfor registering an fpga region.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35247\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35784", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35784" + }, + { + "url": "https://git.kernel.org/stable/c/89bca7fe6382d61e88c67a0b0e7bce315986fb8b" + }, + { + "url": "https://git.kernel.org/stable/c/b0ad381fa7690244802aed119b478b4bdafc31dd" + }, + { + "url": "https://git.kernel.org/stable/c/ded566b4637f1b6b4c9ba74e7d0b8493e93f19cf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35784 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35784", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock with fiemap and extent locking\n\nWhile working on the patchset to remove extent locking I got a lockdep\nsplat with fiemap and pagefaulting with my new extent lock replacement\nlock.\n\nThis deadlock exists with our normal code, we just don't have lockdep\nannotations with the extent locking so we've never noticed it.\n\nSince we're copying the fiemap extent to user space on every iteration\nwe have the chance of pagefaulting. Because we hold the extent lock for\nthe entire range we could mkwrite into a range in the file that we have\nmmap'ed. This would deadlock with the following stack trace\n\n[<0>] lock_extent+0x28d/0x2f0\n[<0>] btrfs_page_mkwrite+0x273/0x8a0\n[<0>] do_page_mkwrite+0x50/0xb0\n[<0>] do_fault+0xc1/0x7b0\n[<0>] __handle_mm_fault+0x2fa/0x460\n[<0>] handle_mm_fault+0xa4/0x330\n[<0>] do_user_addr_fault+0x1f4/0x800\n[<0>] exc_page_fault+0x7c/0x1e0\n[<0>] asm_exc_page_fault+0x26/0x30\n[<0>] rep_movs_alternative+0x33/0x70\n[<0>] _copy_to_user+0x49/0x70\n[<0>] fiemap_fill_next_extent+0xc8/0x120\n[<0>] emit_fiemap_extent+0x4d/0xa0\n[<0>] extent_fiemap+0x7f8/0xad0\n[<0>] btrfs_fiemap+0x49/0x80\n[<0>] __x64_sys_ioctl+0x3e1/0xb50\n[<0>] do_syscall_64+0x94/0x1a0\n[<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nI wrote an fstest to reproduce this deadlock without my replacement lock\nand verified that the deadlock exists with our existing locking.\n\nTo fix this simply don't take the extent lock for the entire duration of\nthe fiemap. This is safe in general because we keep track of where we\nare when we're searching the tree, so if an ordered extent updates in\nthe middle of our fiemap call we'll still emit the correct extents\nbecause we know what offset we were on before.\n\nThe only place we maintain the lock is searching delalloc. Since the\ndelalloc stuff can change during writeback we want to lock the extent\nrange so we have a consistent view of delalloc at the time we're\nchecking to see if we need to set the delalloc flag.\n\nWith this patch applied we no longer deadlock with my testcase.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35784\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35784\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35784\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35784\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35784\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/89bca7fe6382d61e88c67a0b0e7bce315986fb8b\",\n \"https://git.kernel.org/stable/c/b0ad381fa7690244802aed119b478b4bdafc31dd\",\n \"https://git.kernel.org/stable/c/ded566b4637f1b6b4c9ba74e7d0b8493e93f19cf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix deadlock with fiemap and extent locking\\n\\nWhile working on the patchset to remove extent locking I got a lockdep\\nsplat with fiemap and pagefaulting with my new extent lock replacement\\nlock.\\n\\nThis deadlock exists with our normal code, we just don't have lockdep\\nannotations with the extent locking so we've never noticed it.\\n\\nSince we're copying the fiemap extent to user space on every iteration\\nwe have the chance of pagefaulting. Because we hold the extent lock for\\nthe entire range we could mkwrite into a range in the file that we have\\nmmap'ed. This would deadlock with the following stack trace\\n\\n[<0>] lock_extent+0x28d/0x2f0\\n[<0>] btrfs_page_mkwrite+0x273/0x8a0\\n[<0>] do_page_mkwrite+0x50/0xb0\\n[<0>] do_fault+0xc1/0x7b0\\n[<0>] __handle_mm_fault+0x2fa/0x460\\n[<0>] handle_mm_fault+0xa4/0x330\\n[<0>] do_user_addr_fault+0x1f4/0x800\\n[<0>] exc_page_fault+0x7c/0x1e0\\n[<0>] asm_exc_page_fault+0x26/0x30\\n[<0>] rep_movs_alternative+0x33/0x70\\n[<0>] _copy_to_user+0x49/0x70\\n[<0>] fiemap_fill_next_extent+0xc8/0x120\\n[<0>] emit_fiemap_extent+0x4d/0xa0\\n[<0>] extent_fiemap+0x7f8/0xad0\\n[<0>] btrfs_fiemap+0x49/0x80\\n[<0>] __x64_sys_ioctl+0x3e1/0xb50\\n[<0>] do_syscall_64+0x94/0x1a0\\n[<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\nI wrote an fstest to reproduce this deadlock without my replacement lock\\nand verified that the deadlock exists with our existing locking.\\n\\nTo fix this simply don't take the extent lock for the entire duration of\\nthe fiemap. This is safe in general because we keep track of where we\\nare when we're searching the tree, so if an ordered extent updates in\\nthe middle of our fiemap call we'll still emit the correct extents\\nbecause we know what offset we were on before.\\n\\nThe only place we maintain the lock is searching delalloc. Since the\\ndelalloc stuff can change during writeback we want to lock the extent\\nrange so we have a consistent view of delalloc at the time we're\\nchecking to see if we need to set the delalloc flag.\\n\\nWith this patch applied we no longer deadlock with my testcase.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35784\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35785", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35785" + }, + { + "url": "https://git.kernel.org/stable/c/4b12ff5edd141926d49c9ace4791adf3a4902fe7" + }, + { + "url": "https://git.kernel.org/stable/c/520f79c110ff712b391b3d87fcacf03c74bc56ee" + }, + { + "url": "https://git.kernel.org/stable/c/95915ba4b987cf2b222b0f251280228a1ff977ac" + }, + { + "url": "https://git.kernel.org/stable/c/bc40ded92af55760d12bec8222d4108de725dbe4" + }, + { + "url": "https://git.kernel.org/stable/c/bfa344afbe472a9be08f78551fa2190c1a07d7d3" + }, + { + "url": "https://git.kernel.org/stable/c/e5b5948c769aa1ebf962dddfb972f87d8f166f95" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35785 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35785", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix kernel panic caused by incorrect error handling\n\nThe error path while failing to register devices on the TEE bus has a\nbug leading to kernel panic as follows:\n\n[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c\n[ 15.406913] Mem abort info:\n[ 15.409722] ESR = 0x0000000096000005\n[ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 15.418814] SET = 0, FnV = 0\n[ 15.421878] EA = 0, S1PTW = 0\n[ 15.425031] FSC = 0x05: level 1 translation fault\n[ 15.429922] Data abort info:\n[ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000\n[ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000\n[ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n\nCommit 7269cba53d90 (\"tee: optee: Fix supplicant based device enumeration\")\nlead to the introduction of this bug. So fix it appropriately.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35785\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35785\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35785\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35785\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35785\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b12ff5edd141926d49c9ace4791adf3a4902fe7\",\n \"https://git.kernel.org/stable/c/520f79c110ff712b391b3d87fcacf03c74bc56ee\",\n \"https://git.kernel.org/stable/c/95915ba4b987cf2b222b0f251280228a1ff977ac\",\n \"https://git.kernel.org/stable/c/bc40ded92af55760d12bec8222d4108de725dbe4\",\n \"https://git.kernel.org/stable/c/bfa344afbe472a9be08f78551fa2190c1a07d7d3\",\n \"https://git.kernel.org/stable/c/e5b5948c769aa1ebf962dddfb972f87d8f166f95\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntee: optee: Fix kernel panic caused by incorrect error handling\\n\\nThe error path while failing to register devices on the TEE bus has a\\nbug leading to kernel panic as follows:\\n\\n[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c\\n[ 15.406913] Mem abort info:\\n[ 15.409722] ESR = 0x0000000096000005\\n[ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits\\n[ 15.418814] SET = 0, FnV = 0\\n[ 15.421878] EA = 0, S1PTW = 0\\n[ 15.425031] FSC = 0x05: level 1 translation fault\\n[ 15.429922] Data abort info:\\n[ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\\n[ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n[ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n[ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000\\n[ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000\\n[ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\\n\\nCommit 7269cba53d90 (\\\"tee: optee: Fix supplicant based device enumeration\\\")\\nlead to the introduction of this bug. So fix it appropriately.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35785\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35789", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35789" + }, + { + "url": "https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc" + }, + { + "url": "https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685" + }, + { + "url": "https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7" + }, + { + "url": "https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b" + }, + { + "url": "https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931" + }, + { + "url": "https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f" + }, + { + "url": "https://git.kernel.org/stable/c/e8678551c0243f799b4859448781cbec1bd6f1cb" + }, + { + "url": "https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e" + }, + { + "url": "https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35789 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35789", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\n\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\nafter the VLAN change.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35789\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35789\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35789\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35789\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35789\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc\",\n \"https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685\",\n \"https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7\",\n \"https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b\",\n \"https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931\",\n \"https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f\",\n \"https://git.kernel.org/stable/c/e8678551c0243f799b4859448781cbec1bd6f1cb\",\n \"https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e\",\n \"https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\\n\\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\\nafter the VLAN change.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35789\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35790", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35790" + }, + { + "url": "https://git.kernel.org/stable/c/0ad011776c057ce881b7fd6d8c79ecd459c087e9" + }, + { + "url": "https://git.kernel.org/stable/c/165376f6b23e9a779850e750fb2eb06622e5a531" + }, + { + "url": "https://git.kernel.org/stable/c/4a22aeac24d0d5f26ba741408e8b5a4be6dc5dc0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35790 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35790", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group\n\nThe DisplayPort driver's sysfs nodes may be present to the userspace before\ntypec_altmode_set_drvdata() completes in dp_altmode_probe. This means that\na sysfs read can trigger a NULL pointer error by deferencing dp->hpd in\nhpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns\nNULL in those cases.\n\nRemove manual sysfs node creation in favor of adding attribute group as\ndefault for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is\nnot used here otherwise the path to the sysfs nodes is no longer compliant\nwith the ABI.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35790\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35790\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35790\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35790\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35790\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ad011776c057ce881b7fd6d8c79ecd459c087e9\",\n \"https://git.kernel.org/stable/c/165376f6b23e9a779850e750fb2eb06622e5a531\",\n \"https://git.kernel.org/stable/c/4a22aeac24d0d5f26ba741408e8b5a4be6dc5dc0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group\\n\\nThe DisplayPort driver's sysfs nodes may be present to the userspace before\\ntypec_altmode_set_drvdata() completes in dp_altmode_probe. This means that\\na sysfs read can trigger a NULL pointer error by deferencing dp->hpd in\\nhpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns\\nNULL in those cases.\\n\\nRemove manual sysfs node creation in favor of adding attribute group as\\ndefault for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is\\nnot used here otherwise the path to the sysfs nodes is no longer compliant\\nwith the ABI.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35790\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35791", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35791" + }, + { + "url": "https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4" + }, + { + "url": "https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d" + }, + { + "url": "https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865" + }, + { + "url": "https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807" + }, + { + "url": "https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7" + }, + { + "url": "https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35791 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35791", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\n\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm->lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\n\nNote, the \"obvious\" alternative of using local variables doesn't fully\nresolve the bug, as region->pages is also dynamically allocated. I.e. the\nregion structure itself would be fine, but region->pages could be freed.\n\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35791\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35791\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35791\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35791\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35791\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4\",\n \"https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d\",\n \"https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865\",\n \"https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807\",\n \"https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7\",\n \"https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\\n\\nDo the cache flush of converted pages in svm_register_enc_region() before\\ndropping kvm->lock to fix use-after-free issues where region and/or its\\narray of pages could be freed by a different task, e.g. if userspace has\\n__unregister_enc_region_locked() already queued up for the region.\\n\\nNote, the \\\"obvious\\\" alternative of using local variables doesn't fully\\nresolve the bug, as region->pages is also dynamically allocated. I.e. the\\nregion structure itself would be fine, but region->pages could be freed.\\n\\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\\nflow is a rare slow path, and the manual flush is only needed on CPUs that\\nlack coherency for encrypted memory.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35791\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35794", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35794" + }, + { + "url": "https://git.kernel.org/stable/c/16c4770c75b1223998adbeb7286f9a15c65fba73" + }, + { + "url": "https://git.kernel.org/stable/c/af916cb66a80597f3523bc85812e790bcdcfd62b" + }, + { + "url": "https://git.kernel.org/stable/c/eaa8fc9b092837cf2c754bde1a15d784ce9a85ab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35794 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35794", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid: really frozen sync_thread during suspend\n\n1) commit f52f5c71f3d4 (\"md: fix stopping sync thread\") remove\n MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that\n dm-raid relies on __md_stop_writes() to frozen sync_thread\n indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in\n md_stop_writes(), and since stop_sync_thread() is only used for\n dm-raid in this case, also move stop_sync_thread() to\n md_stop_writes().\n2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen,\n it only prevent new sync_thread to start, and it can't stop the\n running sync thread; In order to frozen sync_thread, after seting the\n flag, stop_sync_thread() should be used.\n3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use\n it as condition for md_stop_writes() in raid_postsuspend() doesn't\n look correct. Consider that reentrant stop_sync_thread() do nothing,\n always call md_stop_writes() in raid_postsuspend().\n4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime,\n and if MD_RECOVERY_FROZEN is cleared while the array is suspended,\n new sync_thread can start unexpected. Fix this by disallow\n raid_message() to change sync_thread status during suspend.\n\nNote that after commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), the\ntest shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(),\nand with previous fixes, the test won't hang there anymore, however, the\ntest will still fail and complain that ext4 is corrupted. And with this\npatch, the test won't hang due to stop_sync_thread() or fail due to ext4\nis corrupted anymore. However, there is still a deadlock related to\ndm-raid456 that will be fixed in following patches.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35794\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35794\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35794\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35794\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35794\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16c4770c75b1223998adbeb7286f9a15c65fba73\",\n \"https://git.kernel.org/stable/c/af916cb66a80597f3523bc85812e790bcdcfd62b\",\n \"https://git.kernel.org/stable/c/eaa8fc9b092837cf2c754bde1a15d784ce9a85ab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndm-raid: really frozen sync_thread during suspend\\n\\n1) commit f52f5c71f3d4 (\\\"md: fix stopping sync thread\\\") remove\\n MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that\\n dm-raid relies on __md_stop_writes() to frozen sync_thread\\n indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in\\n md_stop_writes(), and since stop_sync_thread() is only used for\\n dm-raid in this case, also move stop_sync_thread() to\\n md_stop_writes().\\n2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen,\\n it only prevent new sync_thread to start, and it can't stop the\\n running sync thread; In order to frozen sync_thread, after seting the\\n flag, stop_sync_thread() should be used.\\n3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use\\n it as condition for md_stop_writes() in raid_postsuspend() doesn't\\n look correct. Consider that reentrant stop_sync_thread() do nothing,\\n always call md_stop_writes() in raid_postsuspend().\\n4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime,\\n and if MD_RECOVERY_FROZEN is cleared while the array is suspended,\\n new sync_thread can start unexpected. Fix this by disallow\\n raid_message() to change sync_thread status during suspend.\\n\\nNote that after commit f52f5c71f3d4 (\\\"md: fix stopping sync thread\\\"), the\\ntest shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(),\\nand with previous fixes, the test won't hang there anymore, however, the\\ntest will still fail and complain that ext4 is corrupted. And with this\\npatch, the test won't hang due to stop_sync_thread() or fail due to ext4\\nis corrupted anymore. However, there is still a deadlock related to\\ndm-raid456 that will be fixed in following patches.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35794\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35796", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35796" + }, + { + "url": "https://git.kernel.org/stable/c/3a38a829c8bc27d78552c28e582eb1d885d07d11" + }, + { + "url": "https://git.kernel.org/stable/c/46efbdbc95a30951c2579caf97b6df2ee2b3bef3" + }, + { + "url": "https://git.kernel.org/stable/c/476eed5f1c22034774902a980aa48dc4662cb39a" + }, + { + "url": "https://git.kernel.org/stable/c/553d294db94b5f139378022df480a9fb6c3ae39e" + }, + { + "url": "https://git.kernel.org/stable/c/6d9395ba7f85bdb7af0b93272e537484ecbeff48" + }, + { + "url": "https://git.kernel.org/stable/c/7e9edb569fd9f688d887e36db8170f6e22bafbc8" + }, + { + "url": "https://git.kernel.org/stable/c/92c0c29f667870f17c0b764544bdf22ce0e886a1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35796 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35796", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ll_temac: platform_get_resource replaced by wrong function\n\nThe function platform_get_resource was replaced with\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\n\nThis eventually ends up in platform_get_resource_byname in the call\nstack, where it causes a null pointer in strcmp.\n\n\tif (type == resource_type(r) && !strcmp(r->name, name))\n\nIt should have been replaced with devm_platform_ioremap_resource.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35796\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35796\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35796\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35796\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35796\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3a38a829c8bc27d78552c28e582eb1d885d07d11\",\n \"https://git.kernel.org/stable/c/46efbdbc95a30951c2579caf97b6df2ee2b3bef3\",\n \"https://git.kernel.org/stable/c/476eed5f1c22034774902a980aa48dc4662cb39a\",\n \"https://git.kernel.org/stable/c/553d294db94b5f139378022df480a9fb6c3ae39e\",\n \"https://git.kernel.org/stable/c/6d9395ba7f85bdb7af0b93272e537484ecbeff48\",\n \"https://git.kernel.org/stable/c/7e9edb569fd9f688d887e36db8170f6e22bafbc8\",\n \"https://git.kernel.org/stable/c/92c0c29f667870f17c0b764544bdf22ce0e886a1\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ll_temac: platform_get_resource replaced by wrong function\\n\\nThe function platform_get_resource was replaced with\\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\\n\\nThis eventually ends up in platform_get_resource_byname in the call\\nstack, where it causes a null pointer in strcmp.\\n\\n\\tif (type == resource_type(r) && !strcmp(r->name, name))\\n\\nIt should have been replaced with devm_platform_ioremap_resource.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35796\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35799", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35799" + }, + { + "url": "https://git.kernel.org/stable/c/2b17133a0a2e0e111803124dad09e803718d4a48" + }, + { + "url": "https://git.kernel.org/stable/c/4356a2c3f296503c8b420ae8adece053960a9f06" + }, + { + "url": "https://git.kernel.org/stable/c/59772327d439874095516673b4b30c48bd83ca38" + }, + { + "url": "https://git.kernel.org/stable/c/72d72e8fddbcd6c98e1b02d32cf6f2b04e10bd1c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35799 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35799", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Prevent crash when disable stream\n\n[Why]\nDisabling stream encoder invokes a function that no longer exists.\n\n[How]\nCheck if the function declaration is NULL in disable stream encoder.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35799\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35799\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35799\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35799\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35799\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b17133a0a2e0e111803124dad09e803718d4a48\",\n \"https://git.kernel.org/stable/c/4356a2c3f296503c8b420ae8adece053960a9f06\",\n \"https://git.kernel.org/stable/c/59772327d439874095516673b4b30c48bd83ca38\",\n \"https://git.kernel.org/stable/c/72d72e8fddbcd6c98e1b02d32cf6f2b04e10bd1c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Prevent crash when disable stream\\n\\n[Why]\\nDisabling stream encoder invokes a function that no longer exists.\\n\\n[How]\\nCheck if the function declaration is NULL in disable stream encoder.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35799\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35801", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35801" + }, + { + "url": "https://git.kernel.org/stable/c/10e4b5166df9ff7a2d5316138ca668b42d004422" + }, + { + "url": "https://git.kernel.org/stable/c/1acbca933313aa866e39996904c9aca4d435c4cd" + }, + { + "url": "https://git.kernel.org/stable/c/21c7c00dae55cb0e3810d5f9506b58f68475d41d" + }, + { + "url": "https://git.kernel.org/stable/c/92b0f04e937665bde5768f3fcc622dcce44413d8" + }, + { + "url": "https://git.kernel.org/stable/c/b61e3b7055ac6edee4be071c52f48c26472d2624" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35801 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35801", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\n\nCommit 672365477ae8 (\"x86/fpu: Update XFD state where required\") and\ncommit 8bf26758ca96 (\"x86/fpu: Add XFD state to fpstate\") introduced a\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\norder to avoid unnecessary writes to the MSR.\n\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\nwipes out any stale state. But the per CPU cached xfd value is not\nreset, which brings them out of sync.\n\nAs a consequence a subsequent xfd_update_state() might fail to update\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\nspace, which crashes the kernel.\n\nTo fix this, introduce xfd_set_state() to write xfd_state together\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35801\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35801\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35801\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35801\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35801\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10e4b5166df9ff7a2d5316138ca668b42d004422\",\n \"https://git.kernel.org/stable/c/1acbca933313aa866e39996904c9aca4d435c4cd\",\n \"https://git.kernel.org/stable/c/21c7c00dae55cb0e3810d5f9506b58f68475d41d\",\n \"https://git.kernel.org/stable/c/92b0f04e937665bde5768f3fcc622dcce44413d8\",\n \"https://git.kernel.org/stable/c/b61e3b7055ac6edee4be071c52f48c26472d2624\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\\n\\nCommit 672365477ae8 (\\\"x86/fpu: Update XFD state where required\\\") and\\ncommit 8bf26758ca96 (\\\"x86/fpu: Add XFD state to fpstate\\\") introduced a\\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\\norder to avoid unnecessary writes to the MSR.\\n\\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\\nwipes out any stale state. But the per CPU cached xfd value is not\\nreset, which brings them out of sync.\\n\\nAs a consequence a subsequent xfd_update_state() might fail to update\\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\\nspace, which crashes the kernel.\\n\\nTo fix this, introduce xfd_set_state() to write xfd_state together\\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35801\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35803", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35803" + }, + { + "url": "https://git.kernel.org/stable/c/2149f8a56e2ed345c7a4d022a79f6b8fc53ae926" + }, + { + "url": "https://git.kernel.org/stable/c/725351c036452b7db5771a7bed783564bc4b99cc" + }, + { + "url": "https://git.kernel.org/stable/c/930775060ca348b8665f60eef14b204172d14f31" + }, + { + "url": "https://git.kernel.org/stable/c/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02" + }, + { + "url": "https://git.kernel.org/stable/c/fba7ee7187581b5bc222003e73e2592b398bb06d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35803 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35803", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/efistub: Call mixed mode boot services on the firmware's stack\n\nNormally, the EFI stub calls into the EFI boot services using the stack\nthat was live when the stub was entered. According to the UEFI spec,\nthis stack needs to be at least 128k in size - this might seem large but\nall asynchronous processing and event handling in EFI runs from the same\nstack and so quite a lot of space may be used in practice.\n\nIn mixed mode, the situation is a bit different: the bootloader calls\nthe 32-bit EFI stub entry point, which calls the decompressor's 32-bit\nentry point, where the boot stack is set up, using a fixed allocation\nof 16k. This stack is still in use when the EFI stub is started in\n64-bit mode, and so all calls back into the EFI firmware will be using\nthe decompressor's limited boot stack.\n\nDue to the placement of the boot stack right after the boot heap, any\nstack overruns have gone unnoticed. However, commit\n\n 5c4feadb0011983b (\"x86/decompressor: Move global symbol references to C code\")\n\nmoved the definition of the boot heap into C code, and now the boot\nstack is placed right at the base of BSS, where any overruns will\ncorrupt the end of the .data section.\n\nWhile it would be possible to work around this by increasing the size of\nthe boot stack, doing so would affect all x86 systems, and mixed mode\nsystems are a tiny (and shrinking) fraction of the x86 installed base.\n\nSo instead, record the firmware stack pointer value when entering from\nthe 32-bit firmware, and switch to this stack every time a EFI boot\nservice call is made.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35803\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35803\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35803\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35803\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35803\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2149f8a56e2ed345c7a4d022a79f6b8fc53ae926\",\n \"https://git.kernel.org/stable/c/725351c036452b7db5771a7bed783564bc4b99cc\",\n \"https://git.kernel.org/stable/c/930775060ca348b8665f60eef14b204172d14f31\",\n \"https://git.kernel.org/stable/c/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02\",\n \"https://git.kernel.org/stable/c/fba7ee7187581b5bc222003e73e2592b398bb06d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/efistub: Call mixed mode boot services on the firmware's stack\\n\\nNormally, the EFI stub calls into the EFI boot services using the stack\\nthat was live when the stub was entered. According to the UEFI spec,\\nthis stack needs to be at least 128k in size - this might seem large but\\nall asynchronous processing and event handling in EFI runs from the same\\nstack and so quite a lot of space may be used in practice.\\n\\nIn mixed mode, the situation is a bit different: the bootloader calls\\nthe 32-bit EFI stub entry point, which calls the decompressor's 32-bit\\nentry point, where the boot stack is set up, using a fixed allocation\\nof 16k. This stack is still in use when the EFI stub is started in\\n64-bit mode, and so all calls back into the EFI firmware will be using\\nthe decompressor's limited boot stack.\\n\\nDue to the placement of the boot stack right after the boot heap, any\\nstack overruns have gone unnoticed. However, commit\\n\\n 5c4feadb0011983b (\\\"x86/decompressor: Move global symbol references to C code\\\")\\n\\nmoved the definition of the boot heap into C code, and now the boot\\nstack is placed right at the base of BSS, where any overruns will\\ncorrupt the end of the .data section.\\n\\nWhile it would be possible to work around this by increasing the size of\\nthe boot stack, doing so would affect all x86 systems, and mixed mode\\nsystems are a tiny (and shrinking) fraction of the x86 installed base.\\n\\nSo instead, record the firmware stack pointer value when entering from\\nthe 32-bit firmware, and switch to this stack every time a EFI boot\\nservice call is made.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35803\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35804", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35804" + }, + { + "url": "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71" + }, + { + "url": "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06" + }, + { + "url": "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902" + }, + { + "url": "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551" + }, + { + "url": "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35804 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35804", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\n\nWhen emulating an atomic access on behalf of the guest, mark the target\ngfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This\nfixes a bug where KVM effectively corrupts guest memory during live\nmigration by writing to guest memory without informing userspace that the\npage is dirty.\n\nMarking the page dirty got unintentionally dropped when KVM's emulated\nCMPXCHG was converted to do a user access. Before that, KVM explicitly\nmapped the guest page into kernel memory, and marked the page dirty during\nthe unmap phase.\n\nMark the page dirty even if the CMPXCHG fails, as the old data is written\nback on failure, i.e. the page is still written. The value written is\nguaranteed to be the same because the operation is atomic, but KVM's ABI\nis that all writes are dirty logged regardless of the value written. And\nmore importantly, that's what KVM did before the buggy commit.\n\nHuge kudos to the folks on the Cc list (and many others), who did all the\nactual work of triaging and debugging.\n\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35804\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35804\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35804\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35804\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35804\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71\",\n \"https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06\",\n \"https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902\",\n \"https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551\",\n \"https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\\n\\nWhen emulating an atomic access on behalf of the guest, mark the target\\ngfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This\\nfixes a bug where KVM effectively corrupts guest memory during live\\nmigration by writing to guest memory without informing userspace that the\\npage is dirty.\\n\\nMarking the page dirty got unintentionally dropped when KVM's emulated\\nCMPXCHG was converted to do a user access. Before that, KVM explicitly\\nmapped the guest page into kernel memory, and marked the page dirty during\\nthe unmap phase.\\n\\nMark the page dirty even if the CMPXCHG fails, as the old data is written\\nback on failure, i.e. the page is still written. The value written is\\nguaranteed to be the same because the operation is atomic, but KVM's ABI\\nis that all writes are dirty logged regardless of the value written. And\\nmore importantly, that's what KVM did before the buggy commit.\\n\\nHuge kudos to the folks on the Cc list (and many others), who did all the\\nactual work of triaging and debugging.\\n\\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35804\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35805", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35805" + }, + { + "url": "https://git.kernel.org/stable/c/116562e804ffc9dc600adab6326dde31d72262c7" + }, + { + "url": "https://git.kernel.org/stable/c/3d47eb405781cc5127deca9a14e24b27696087a1" + }, + { + "url": "https://git.kernel.org/stable/c/5f4ad4d0b0943296287313db60b3f84df4aad683" + }, + { + "url": "https://git.kernel.org/stable/c/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc" + }, + { + "url": "https://git.kernel.org/stable/c/9759ff196e7d248bcf8386a7451d6ff8537a7d9c" + }, + { + "url": "https://git.kernel.org/stable/c/e50f83061ac250f90710757a3e51b70a200835e2" + }, + { + "url": "https://git.kernel.org/stable/c/e7d4cff57c3c43fdd72342c78d4138f509c7416e" + }, + { + "url": "https://git.kernel.org/stable/c/fa5c055800a7fd49a36bbb52593aca4ea986a366" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35805 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35805", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm snapshot: fix lockup in dm_exception_table_exit\n\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35805\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35805\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35805\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35805\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35805\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/116562e804ffc9dc600adab6326dde31d72262c7\",\n \"https://git.kernel.org/stable/c/3d47eb405781cc5127deca9a14e24b27696087a1\",\n \"https://git.kernel.org/stable/c/5f4ad4d0b0943296287313db60b3f84df4aad683\",\n \"https://git.kernel.org/stable/c/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc\",\n \"https://git.kernel.org/stable/c/9759ff196e7d248bcf8386a7451d6ff8537a7d9c\",\n \"https://git.kernel.org/stable/c/e50f83061ac250f90710757a3e51b70a200835e2\",\n \"https://git.kernel.org/stable/c/e7d4cff57c3c43fdd72342c78d4138f509c7416e\",\n \"https://git.kernel.org/stable/c/fa5c055800a7fd49a36bbb52593aca4ea986a366\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndm snapshot: fix lockup in dm_exception_table_exit\\n\\nThere was reported lockup when we exit a snapshot with many exceptions.\\nFix this by adding \\\"cond_resched\\\" to the loop that frees the exceptions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35805\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35806", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35806" + }, + { + "url": "https://git.kernel.org/stable/c/0e6521b0f93ff350434ed4ae61a250907e65d397" + }, + { + "url": "https://git.kernel.org/stable/c/276af8efb05c8e47acf2738a5609dd72acfc703f" + }, + { + "url": "https://git.kernel.org/stable/c/584c2a9184a33a40fceee838f856de3cffa19be3" + }, + { + "url": "https://git.kernel.org/stable/c/62c3ecd2833cff0eff4a82af4082c44ca8d2518a" + }, + { + "url": "https://git.kernel.org/stable/c/a62168653774c36398d65846a98034436ee66d03" + }, + { + "url": "https://git.kernel.org/stable/c/af25c5180b2b1796342798f6c56fcfd12f5035bd" + }, + { + "url": "https://git.kernel.org/stable/c/b56a793f267679945d1fdb9a280013bd2d0ed7f9" + }, + { + "url": "https://git.kernel.org/stable/c/dd199e5b759ffe349622a4b8fbcafc51fc51b1ec" + }, + { + "url": "https://git.kernel.org/stable/c/e6378314bb920acb39013051fa65d8f9f8030430" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35806 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35806", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\n\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35806\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35806\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35806\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35806\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35806\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e6521b0f93ff350434ed4ae61a250907e65d397\",\n \"https://git.kernel.org/stable/c/276af8efb05c8e47acf2738a5609dd72acfc703f\",\n \"https://git.kernel.org/stable/c/584c2a9184a33a40fceee838f856de3cffa19be3\",\n \"https://git.kernel.org/stable/c/62c3ecd2833cff0eff4a82af4082c44ca8d2518a\",\n \"https://git.kernel.org/stable/c/a62168653774c36398d65846a98034436ee66d03\",\n \"https://git.kernel.org/stable/c/af25c5180b2b1796342798f6c56fcfd12f5035bd\",\n \"https://git.kernel.org/stable/c/b56a793f267679945d1fdb9a280013bd2d0ed7f9\",\n \"https://git.kernel.org/stable/c/dd199e5b759ffe349622a4b8fbcafc51fc51b1ec\",\n \"https://git.kernel.org/stable/c/e6378314bb920acb39013051fa65d8f9f8030430\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\\n\\nsmp_call_function_single disables IRQs when executing the callback. To\\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\\nother lockers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35806\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35807", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35807" + }, + { + "url": "https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6" + }, + { + "url": "https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5" + }, + { + "url": "https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd" + }, + { + "url": "https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1" + }, + { + "url": "https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc" + }, + { + "url": "https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c" + }, + { + "url": "https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a" + }, + { + "url": "https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c" + }, + { + "url": "https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35807 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35807", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n dev=/dev/ # should be >= 16 GiB\n mkdir -p /corruption\n /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n mount -t ext4 $dev /corruption\n\n dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n sha1sum /corruption/test\n # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test\n\n /sbin/resize2fs $dev $((2*2**21))\n # drop page cache to force reload the block from disk\n echo 1 > /proc/sys/vm/drop_caches\n\n sha1sum /corruption/test\n # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubstracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35807\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35807\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35807\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35807\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35807\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6\",\n \"https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5\",\n \"https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd\",\n \"https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1\",\n \"https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc\",\n \"https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c\",\n \"https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a\",\n \"https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c\",\n \"https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix corruption during on-line resize\\n\\nWe observed a corruption during on-line resize of a file system that is\\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\\nresize_inode is turned off by default by mke2fs. The issue can be\\nreproduced on a smaller file system for convenience by explicitly\\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\\nsize of a meta block group in this setup) then leads to a corruption:\\n\\n dev=/dev/ # should be >= 16 GiB\\n mkdir -p /corruption\\n /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\\n mount -t ext4 $dev /corruption\\n\\n dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\\n sha1sum /corruption/test\\n # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test\\n\\n /sbin/resize2fs $dev $((2*2**21))\\n # drop page cache to force reload the block from disk\\n echo 1 > /proc/sys/vm/drop_caches\\n\\n sha1sum /corruption/test\\n # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test\\n\\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\\nblock group and 2^6 are the number of block groups that make a meta\\nblock group.\\n\\nThe last checksum might be different depending on how the file is laid\\nout across the physical blocks. The actual corruption occurs at physical\\nblock 63*2^15 = 2064384 which would be the location of the backup of the\\nmeta block group's block descriptor. During the on-line resize the file\\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\\n2 in the example - meaning all block groups after 16 GiB. However, in\\next4_flex_group_add we might add block groups that are not part of the\\nfirst meta block group yet. In the reproducer we achieved this by\\nsubstracting the size of a whole block group from the point where the\\nmeta block group would start. This must be considered when updating the\\nbackup block group descriptors to follow the non-meta_bg layout. The fix\\nis to add a test whether the group to add is already part of the meta\\nblock group or not.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35807\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35808", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35808" + }, + { + "url": "https://git.kernel.org/stable/c/347dcdc15a1706f61aa545ae498ededdf31aeebc" + }, + { + "url": "https://git.kernel.org/stable/c/9e59b8d76ff511505eb0dd1478329f09e0f04669" + }, + { + "url": "https://git.kernel.org/stable/c/cd32b27a66db8776d8b8e82ec7d7dde97a8693b0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35808 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35808", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/dm-raid: don't call md_reap_sync_thread() directly\n\nCurrently md_reap_sync_thread() is called from raid_message() directly\nwithout holding 'reconfig_mutex', this is definitely unsafe because\nmd_reap_sync_thread() can change many fields that is protected by\n'reconfig_mutex'.\n\nHowever, hold 'reconfig_mutex' here is still problematic because this\nwill cause deadlock, for example, commit 130443d60b1b (\"md: refactor\nidle/frozen_sync_thread() to fix deadlock\").\n\nFix this problem by using stop_sync_thread() to unregister sync_thread,\nlike md/raid did.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35808\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35808\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35808\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35808\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35808\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/347dcdc15a1706f61aa545ae498ededdf31aeebc\",\n \"https://git.kernel.org/stable/c/9e59b8d76ff511505eb0dd1478329f09e0f04669\",\n \"https://git.kernel.org/stable/c/cd32b27a66db8776d8b8e82ec7d7dde97a8693b0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd/dm-raid: don't call md_reap_sync_thread() directly\\n\\nCurrently md_reap_sync_thread() is called from raid_message() directly\\nwithout holding 'reconfig_mutex', this is definitely unsafe because\\nmd_reap_sync_thread() can change many fields that is protected by\\n'reconfig_mutex'.\\n\\nHowever, hold 'reconfig_mutex' here is still problematic because this\\nwill cause deadlock, for example, commit 130443d60b1b (\\\"md: refactor\\nidle/frozen_sync_thread() to fix deadlock\\\").\\n\\nFix this problem by using stop_sync_thread() to unregister sync_thread,\\nlike md/raid did.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35808\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35809", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35809" + }, + { + "url": "https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1" + }, + { + "url": "https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970" + }, + { + "url": "https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674" + }, + { + "url": "https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b" + }, + { + "url": "https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6" + }, + { + "url": "https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf" + }, + { + "url": "https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491" + }, + { + "url": "https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5" + }, + { + "url": "https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35809 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35809", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/PM: Drain runtime-idle callbacks before driver removal\n\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\n\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that. It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\n\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete. In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\n\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync(). [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\n\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point. A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35809\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35809\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35809\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35809\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35809\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1\",\n \"https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970\",\n \"https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674\",\n \"https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b\",\n \"https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6\",\n \"https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf\",\n \"https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491\",\n \"https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5\",\n \"https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI/PM: Drain runtime-idle callbacks before driver removal\\n\\nA race condition between the .runtime_idle() callback and the .remove()\\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\\nunhandled page fault [1].\\n\\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\\nguarantee that. It only guarantees that the suspend and resume callbacks\\nwill not be running when it returns.\\n\\nHowever, if a .runtime_idle() callback is already running when\\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\\nstatus of the device is RPM_ACTIVE and it will return right away without\\nwaiting for the former to complete. In fact, it cannot wait for\\n.runtime_idle() to complete because it may be called from that callback (it\\narguably does not make much sense to do that, but it is not strictly\\nprohibited).\\n\\nThus in general, whoever is providing a .runtime_idle() callback needs\\nto protect it from running in parallel with whatever code runs after\\npm_runtime_get_sync(). [Note that .runtime_idle() will not start after\\npm_runtime_get_sync() has returned, but it may continue running then if it\\nhas started earlier.]\\n\\nOne way to address that race condition is to call pm_runtime_barrier()\\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\\nbeing invoked) to wait for the .runtime_idle() callback to complete should\\nit be running at that point. A suitable place for doing that is in\\npci_device_remove() which calls pm_runtime_get_sync() before removing the\\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\\nwill prevent the race in question from occurring, not just in the rtsx_pcr\\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35809\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35811", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35811" + }, + { + "url": "https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb" + }, + { + "url": "https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744" + }, + { + "url": "https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78" + }, + { + "url": "https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a" + }, + { + "url": "https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169" + }, + { + "url": "https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a" + }, + { + "url": "https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731" + }, + { + "url": "https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1" + }, + { + "url": "https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35811 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35811", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver,it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n ->brcmf_usb_probe_cb\n ->brcmf_attach\n ->brcmf_bus_started\n ->brcmf_cfg80211_attach\n ->wl_init_priv\n ->brcmf_init_escan\n ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n ->brcmf_usb_disconnect_cb\n ->brcmf_detach\n ->brcmf_cfg80211_detach\n ->kfree(cfg);\n\nWhile the timeout woker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35811\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35811\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35811\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35811\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35811\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb\",\n \"https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744\",\n \"https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78\",\n \"https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a\",\n \"https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169\",\n \"https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a\",\n \"https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731\",\n \"https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1\",\n \"https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\\n\\nThis is the candidate patch of CVE-2023-47233 :\\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\\n\\nIn brcm80211 driver,it starts with the following invoking chain\\nto start init a timeout worker:\\n\\n->brcmf_usb_probe\\n ->brcmf_usb_probe_cb\\n ->brcmf_attach\\n ->brcmf_bus_started\\n ->brcmf_cfg80211_attach\\n ->wl_init_priv\\n ->brcmf_init_escan\\n ->INIT_WORK(&cfg->escan_timeout_work,\\n\\t\\t brcmf_cfg80211_escan_timeout_worker);\\n\\nIf we disconnect the USB by hotplug, it will call\\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\\n\\nbrcmf_usb_disconnect\\n ->brcmf_usb_disconnect_cb\\n ->brcmf_detach\\n ->brcmf_cfg80211_detach\\n ->kfree(cfg);\\n\\nWhile the timeout woker may still be running. This will cause\\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\\n\\nFix it by deleting the timer and canceling the worker in\\nbrcmf_cfg80211_detach.\\n\\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35811\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35813", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35813" + }, + { + "url": "https://git.kernel.org/stable/c/064db53f9023a2d5877a2d12de6bc27995f6ca56" + }, + { + "url": "https://git.kernel.org/stable/c/2b539c88940e22494da80a93ee1c5a28bbad10f6" + }, + { + "url": "https://git.kernel.org/stable/c/4466677dcabe2d70de6aa3d4bd4a4fafa94a71f2" + }, + { + "url": "https://git.kernel.org/stable/c/7d0e8a6147550aa058fa6ade8583ad252aa61304" + }, + { + "url": "https://git.kernel.org/stable/c/81b8645feca08a54c7c4bf36e7b176f4983b2f28" + }, + { + "url": "https://git.kernel.org/stable/c/ad9cc5e9e53ab94aa0c7ac65d43be7eb208dcb55" + }, + { + "url": "https://git.kernel.org/stable/c/b9a7339ae403035ffe7fc37cb034b36947910f68" + }, + { + "url": "https://git.kernel.org/stable/c/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35813 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35813", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Avoid negative index with array access\n\nCommit 4d0c8d0aef63 (\"mmc: core: Use mrq.sbc in close-ended ffu\") assigns\nprev_idata = idatas[i - 1], but doesn't check that the iterator i is\ngreater than zero. Let's fix this by adding a check.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35813\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35813\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35813\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35813\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35813\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/064db53f9023a2d5877a2d12de6bc27995f6ca56\",\n \"https://git.kernel.org/stable/c/2b539c88940e22494da80a93ee1c5a28bbad10f6\",\n \"https://git.kernel.org/stable/c/4466677dcabe2d70de6aa3d4bd4a4fafa94a71f2\",\n \"https://git.kernel.org/stable/c/7d0e8a6147550aa058fa6ade8583ad252aa61304\",\n \"https://git.kernel.org/stable/c/81b8645feca08a54c7c4bf36e7b176f4983b2f28\",\n \"https://git.kernel.org/stable/c/ad9cc5e9e53ab94aa0c7ac65d43be7eb208dcb55\",\n \"https://git.kernel.org/stable/c/b9a7339ae403035ffe7fc37cb034b36947910f68\",\n \"https://git.kernel.org/stable/c/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmmc: core: Avoid negative index with array access\\n\\nCommit 4d0c8d0aef63 (\\\"mmc: core: Use mrq.sbc in close-ended ffu\\\") assigns\\nprev_idata = idatas[i - 1], but doesn't check that the iterator i is\\ngreater than zero. Let's fix this by adding a check.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35813\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35815", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35815" + }, + { + "url": "https://git.kernel.org/stable/c/10ca82aff58434e122c7c757cf0497c335f993f3" + }, + { + "url": "https://git.kernel.org/stable/c/18d5fc3c16cc317bd0e5f5dabe0660df415cadb7" + }, + { + "url": "https://git.kernel.org/stable/c/396dbbc18963648e9d1a4edbb55cfe08fa374d50" + }, + { + "url": "https://git.kernel.org/stable/c/5c43d0041e3a05c6c41c318b759fff16d2384596" + }, + { + "url": "https://git.kernel.org/stable/c/94eb0293703ced580f05dfbe5a57da5931e9aee2" + }, + { + "url": "https://git.kernel.org/stable/c/961ebd120565cb60cebe21cb634fbc456022db4a" + }, + { + "url": "https://git.kernel.org/stable/c/a71cba07783abc76b547568b6452cd1dd9981410" + }, + { + "url": "https://git.kernel.org/stable/c/c01ed748847fe8b810d86efc229b9e6c7fafa01e" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35815 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35815", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\n\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35815\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35815\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35815\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35815\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35815\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10ca82aff58434e122c7c757cf0497c335f993f3\",\n \"https://git.kernel.org/stable/c/18d5fc3c16cc317bd0e5f5dabe0660df415cadb7\",\n \"https://git.kernel.org/stable/c/396dbbc18963648e9d1a4edbb55cfe08fa374d50\",\n \"https://git.kernel.org/stable/c/5c43d0041e3a05c6c41c318b759fff16d2384596\",\n \"https://git.kernel.org/stable/c/94eb0293703ced580f05dfbe5a57da5931e9aee2\",\n \"https://git.kernel.org/stable/c/961ebd120565cb60cebe21cb634fbc456022db4a\",\n \"https://git.kernel.org/stable/c/a71cba07783abc76b547568b6452cd1dd9981410\",\n \"https://git.kernel.org/stable/c/c01ed748847fe8b810d86efc229b9e6c7fafa01e\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\\n\\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\\nthat is not embedded inside struct aio_kiocb. With the current code,\\ndepending on the compiler, the req->ki_ctx read happens either before\\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\\nthat it is guaranteed that the IOCB_AIO_RW test happens first.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35815\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35817", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35817" + }, + { + "url": "https://git.kernel.org/stable/c/589c414138a1bed98e652c905937d8f790804efe" + }, + { + "url": "https://git.kernel.org/stable/c/5cdce3dda3b3dacde902f63a8ee72c2b7f91912d" + }, + { + "url": "https://git.kernel.org/stable/c/5d5f1a7f3b1039925f79c7894f153c2a905201fb" + }, + { + "url": "https://git.kernel.org/stable/c/6c6064cbe58b43533e3451ad6a8ba9736c109ac3" + }, + { + "url": "https://git.kernel.org/stable/c/6fcd12cb90888ef2d8af8d4c04e913252eee4ef3" + }, + { + "url": "https://git.kernel.org/stable/c/e8d27caef2c829a306e1f762fb95f06e8ec676f6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35817 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35817", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag\n\nOtherwise after the GTT bo is released, the GTT and gart space is freed\nbut amdgpu_ttm_backend_unbind will not clear the gart page table entry\nand leave valid mapping entry pointing to the stale system page. Then\nif GPU access the gart address mistakely, it will read undefined value\ninstead page fault, harder to debug and reproduce the real issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35817\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35817\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35817\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35817\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35817\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/589c414138a1bed98e652c905937d8f790804efe\",\n \"https://git.kernel.org/stable/c/5cdce3dda3b3dacde902f63a8ee72c2b7f91912d\",\n \"https://git.kernel.org/stable/c/5d5f1a7f3b1039925f79c7894f153c2a905201fb\",\n \"https://git.kernel.org/stable/c/6c6064cbe58b43533e3451ad6a8ba9736c109ac3\",\n \"https://git.kernel.org/stable/c/6fcd12cb90888ef2d8af8d4c04e913252eee4ef3\",\n \"https://git.kernel.org/stable/c/e8d27caef2c829a306e1f762fb95f06e8ec676f6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag\\n\\nOtherwise after the GTT bo is released, the GTT and gart space is freed\\nbut amdgpu_ttm_backend_unbind will not clear the gart page table entry\\nand leave valid mapping entry pointing to the stale system page. Then\\nif GPU access the gart address mistakely, it will read undefined value\\ninstead page fault, harder to debug and reproduce the real issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35817\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35819", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35819" + }, + { + "url": "https://git.kernel.org/stable/c/2b3fede8225133671ce837c0d284804aa3bc7a02" + }, + { + "url": "https://git.kernel.org/stable/c/32edca2f03a6cc42c650ddc3ad83d086e3f365d1" + }, + { + "url": "https://git.kernel.org/stable/c/54d26adf64c04f186098b39dba86b86037084baa" + }, + { + "url": "https://git.kernel.org/stable/c/9a3ca8292ce9fdcce122706c28c3f07bc857fe5e" + }, + { + "url": "https://git.kernel.org/stable/c/cd53a8ae5aacb4ecd25088486dea1cd02e74b506" + }, + { + "url": "https://git.kernel.org/stable/c/d6b5aac451c9cc12e43ab7308e0e2ddc52c62c14" + }, + { + "url": "https://git.kernel.org/stable/c/f39d36b7540cf0088ed7ce2de2794f2aa237f6df" + }, + { + "url": "https://git.kernel.org/stable/c/fbec4e7fed89b579f2483041fabf9650fb0dd6bc" + }, + { + "url": "https://git.kernel.org/stable/c/ff50716b7d5b7985979a5b21163cd79fb3d21d59" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35819 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35819", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\n\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\n\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35819\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35819\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35819\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35819\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35819\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b3fede8225133671ce837c0d284804aa3bc7a02\",\n \"https://git.kernel.org/stable/c/32edca2f03a6cc42c650ddc3ad83d086e3f365d1\",\n \"https://git.kernel.org/stable/c/54d26adf64c04f186098b39dba86b86037084baa\",\n \"https://git.kernel.org/stable/c/9a3ca8292ce9fdcce122706c28c3f07bc857fe5e\",\n \"https://git.kernel.org/stable/c/cd53a8ae5aacb4ecd25088486dea1cd02e74b506\",\n \"https://git.kernel.org/stable/c/d6b5aac451c9cc12e43ab7308e0e2ddc52c62c14\",\n \"https://git.kernel.org/stable/c/f39d36b7540cf0088ed7ce2de2794f2aa237f6df\",\n \"https://git.kernel.org/stable/c/fbec4e7fed89b579f2483041fabf9650fb0dd6bc\",\n \"https://git.kernel.org/stable/c/ff50716b7d5b7985979a5b21163cd79fb3d21d59\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\\n\\nsmp_call_function always runs its callback in hard IRQ context, even on\\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\\n\\nAlthough this bug has existed for a while, it was not apparent until\\ncommit ef2a8d5478b9 (\\\"net: dpaa: Adjust queue depth on rate change\\\")\\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\\ntime a link goes up or down.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35819\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35821", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35821" + }, + { + "url": "https://git.kernel.org/stable/c/142d87c958d9454c3cffa625fab56f3016e8f9f3" + }, + { + "url": "https://git.kernel.org/stable/c/17772bbe9cfa972ea1ff827319f6e1340de76566" + }, + { + "url": "https://git.kernel.org/stable/c/4aa554832b9dc9e66249df75b8f447d87853e12e" + }, + { + "url": "https://git.kernel.org/stable/c/4b7c4fc60d6a46350fbe54f5dc937aeaa02e675e" + }, + { + "url": "https://git.kernel.org/stable/c/723012cab779eee8228376754e22c6594229bf8f" + }, + { + "url": "https://git.kernel.org/stable/c/778c6ad40256f1c03244fc06d7cdf71f6b5e7310" + }, + { + "url": "https://git.kernel.org/stable/c/8f599ab6fabbca4c741107eade70722a98adfd9f" + }, + { + "url": "https://git.kernel.org/stable/c/f19b1023a3758f40791ec166038d6411c8894ae3" + }, + { + "url": "https://git.kernel.org/stable/c/fc99f4e2d2f1ce766c14e98463c2839194ae964f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35821 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35821", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Set page uptodate in the correct place\n\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data. Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35821\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35821\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35821\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35821\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35821\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/142d87c958d9454c3cffa625fab56f3016e8f9f3\",\n \"https://git.kernel.org/stable/c/17772bbe9cfa972ea1ff827319f6e1340de76566\",\n \"https://git.kernel.org/stable/c/4aa554832b9dc9e66249df75b8f447d87853e12e\",\n \"https://git.kernel.org/stable/c/4b7c4fc60d6a46350fbe54f5dc937aeaa02e675e\",\n \"https://git.kernel.org/stable/c/723012cab779eee8228376754e22c6594229bf8f\",\n \"https://git.kernel.org/stable/c/778c6ad40256f1c03244fc06d7cdf71f6b5e7310\",\n \"https://git.kernel.org/stable/c/8f599ab6fabbca4c741107eade70722a98adfd9f\",\n \"https://git.kernel.org/stable/c/f19b1023a3758f40791ec166038d6411c8894ae3\",\n \"https://git.kernel.org/stable/c/fc99f4e2d2f1ce766c14e98463c2839194ae964f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nubifs: Set page uptodate in the correct place\\n\\nPage cache reads are lockless, so setting the freshly allocated page\\nuptodate before we've overwritten it with the data it's supposed to have\\nin it will allow a simultaneous reader to see old data. Move the call\\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\\nnew data into the page.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35821\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35822", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35822" + }, + { + "url": "https://git.kernel.org/stable/c/2a587a035214fa1b5ef598aea0b81848c5b72e5e" + }, + { + "url": "https://git.kernel.org/stable/c/2b002c308e184feeaeb72987bca3f1b11e5f70b8" + }, + { + "url": "https://git.kernel.org/stable/c/30511676eb54d480d014352bf784f02577a10252" + }, + { + "url": "https://git.kernel.org/stable/c/36177c2595df12225b95ce74eb1ac77b43d5a58c" + }, + { + "url": "https://git.kernel.org/stable/c/3e944ddc17c042945d983e006df7860687a8849a" + }, + { + "url": "https://git.kernel.org/stable/c/68d951880d0c52c7f13dcefb5501b69b8605ce8c" + }, + { + "url": "https://git.kernel.org/stable/c/99731076722eb7ed26b0c87c879da7bb71d24290" + }, + { + "url": "https://git.kernel.org/stable/c/df5cbb908f1687e8ab97e222a16b7890d5501acf" + }, + { + "url": "https://git.kernel.org/stable/c/f74c5e0b54b02706d9a862ac6cddade30ac86bcf" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35822 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35822", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: udc: remove warning when queue disabled ep\n\nIt is possible trigger below warning message from mass storage function,\n\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\n\nRoot cause is mass storage function try to queue request from main thread,\nbut other thread may already disable ep when function disable.\n\nAs there is no function failure in the driver, in order to avoid effort\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35822\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35822\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35822\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35822\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35822\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a587a035214fa1b5ef598aea0b81848c5b72e5e\",\n \"https://git.kernel.org/stable/c/2b002c308e184feeaeb72987bca3f1b11e5f70b8\",\n \"https://git.kernel.org/stable/c/30511676eb54d480d014352bf784f02577a10252\",\n \"https://git.kernel.org/stable/c/36177c2595df12225b95ce74eb1ac77b43d5a58c\",\n \"https://git.kernel.org/stable/c/3e944ddc17c042945d983e006df7860687a8849a\",\n \"https://git.kernel.org/stable/c/68d951880d0c52c7f13dcefb5501b69b8605ce8c\",\n \"https://git.kernel.org/stable/c/99731076722eb7ed26b0c87c879da7bb71d24290\",\n \"https://git.kernel.org/stable/c/df5cbb908f1687e8ab97e222a16b7890d5501acf\",\n \"https://git.kernel.org/stable/c/f74c5e0b54b02706d9a862ac6cddade30ac86bcf\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: udc: remove warning when queue disabled ep\\n\\nIt is possible trigger below warning message from mass storage function,\\n\\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\\npc : usb_ep_queue+0x7c/0x104\\nlr : fsg_main_thread+0x494/0x1b3c\\n\\nRoot cause is mass storage function try to queue request from main thread,\\nbut other thread may already disable ep when function disable.\\n\\nAs there is no function failure in the driver, in order to avoid effort\\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35822\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35823", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35823" + }, + { + "url": "https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f" + }, + { + "url": "https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d" + }, + { + "url": "https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90" + }, + { + "url": "https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1" + }, + { + "url": "https://git.kernel.org/stable/c/7529cbd8b5f6697b369803fe1533612c039cabda" + }, + { + "url": "https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51" + }, + { + "url": "https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d" + }, + { + "url": "https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35823 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35823", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix unicode buffer corruption when deleting characters\n\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlaping buffers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35823\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35823\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35823\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35823\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35823\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f\",\n \"https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d\",\n \"https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90\",\n \"https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1\",\n \"https://git.kernel.org/stable/c/7529cbd8b5f6697b369803fe1533612c039cabda\",\n \"https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51\",\n \"https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d\",\n \"https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvt: fix unicode buffer corruption when deleting characters\\n\\nThis is the same issue that was fixed for the VGA text buffer in commit\\n39cdb68c64d8 (\\\"vt: fix memory overlapping when deleting chars in the\\nbuffer\\\"). The cure is also the same i.e. replace memcpy() with memmove()\\ndue to the overlaping buffers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35823\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35825", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35825" + }, + { + "url": "https://git.kernel.org/stable/c/6b2c73111a252263807b7598682663dc33aa4b4c" + }, + { + "url": "https://git.kernel.org/stable/c/7664ee8bd80309b90d53488b619764f0a057f2b7" + }, + { + "url": "https://git.kernel.org/stable/c/92b051b87658df7649ffcdef522593f21a2b296b" + }, + { + "url": "https://git.kernel.org/stable/c/a0f77b5d6067285b8eca0ee3bd1e448a6258026f" + }, + { + "url": "https://git.kernel.org/stable/c/a766761d206e7c36d7526e0ae749949d17ca582c" + }, + { + "url": "https://git.kernel.org/stable/c/e2dbfea520e60d58e0c498ba41bde10452257779" + }, + { + "url": "https://git.kernel.org/stable/c/ef846cdbd100f7f9dc045e8bcd7fe4b3a3713c03" + }, + { + "url": "https://git.kernel.org/stable/c/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35825 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35825", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Fix handling of zero block length packets\n\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\nset to 65536, it has been observed that we receive short packets,\nwhich come at interval of 5-10 seconds sometimes and have block\nlength zero but still contain 1-2 valid datagrams present.\n\nAccording to the NCM spec:\n\n\"If wBlockLength = 0x0000, the block is terminated by a\nshort packet. In this case, the USB transfer must still\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\nand the size is a multiple of wMaxPacketSize for the\ngiven pipe, then no ZLP shall be sent.\n\nwBlockLength= 0x0000 must be used with extreme care, because\nof the possibility that the host and device may get out of\nsync, and because of test issues.\n\nwBlockLength = 0x0000 allows the sender to reduce latency by\nstarting to send a very large NTB, and then shortening it when\nthe sender discovers that there’s not sufficient data to justify\nsending a large NTB\"\n\nHowever, there is a potential issue with the current implementation,\nas it checks for the occurrence of multiple NTBs in a single\ngiveback by verifying if the leftover bytes to be processed is zero\nor not. If the block length reads zero, we would process the same\nNTB infintely because the leftover bytes is never zero and it leads\nto a crash. Fix this by bailing out if block length reads zero.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35825\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35825\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35825\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35825\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35825\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6b2c73111a252263807b7598682663dc33aa4b4c\",\n \"https://git.kernel.org/stable/c/7664ee8bd80309b90d53488b619764f0a057f2b7\",\n \"https://git.kernel.org/stable/c/92b051b87658df7649ffcdef522593f21a2b296b\",\n \"https://git.kernel.org/stable/c/a0f77b5d6067285b8eca0ee3bd1e448a6258026f\",\n \"https://git.kernel.org/stable/c/a766761d206e7c36d7526e0ae749949d17ca582c\",\n \"https://git.kernel.org/stable/c/e2dbfea520e60d58e0c498ba41bde10452257779\",\n \"https://git.kernel.org/stable/c/ef846cdbd100f7f9dc045e8bcd7fe4b3a3713c03\",\n \"https://git.kernel.org/stable/c/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: ncm: Fix handling of zero block length packets\\n\\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\\nset to 65536, it has been observed that we receive short packets,\\nwhich come at interval of 5-10 seconds sometimes and have block\\nlength zero but still contain 1-2 valid datagrams present.\\n\\nAccording to the NCM spec:\\n\\n\\\"If wBlockLength = 0x0000, the block is terminated by a\\nshort packet. In this case, the USB transfer must still\\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\\nand the size is a multiple of wMaxPacketSize for the\\ngiven pipe, then no ZLP shall be sent.\\n\\nwBlockLength= 0x0000 must be used with extreme care, because\\nof the possibility that the host and device may get out of\\nsync, and because of test issues.\\n\\nwBlockLength = 0x0000 allows the sender to reduce latency by\\nstarting to send a very large NTB, and then shortening it when\\nthe sender discovers that there’s not sufficient data to justify\\nsending a large NTB\\\"\\n\\nHowever, there is a potential issue with the current implementation,\\nas it checks for the occurrence of multiple NTBs in a single\\ngiveback by verifying if the leftover bytes to be processed is zero\\nor not. If the block length reads zero, we would process the same\\nNTB infintely because the leftover bytes is never zero and it leads\\nto a crash. Fix this by bailing out if block length reads zero.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35825\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35826", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35826" + }, + { + "url": "https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367" + }, + { + "url": "https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6" + }, + { + "url": "https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65" + }, + { + "url": "https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2" + }, + { + "url": "https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35826 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35826", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix page refcounts for unaligned buffers in __bio_release_pages()\n\nFix an incorrect number of pages being released for buffers that do not\nstart at the beginning of a page.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35826\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35826\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35826\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35826\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35826\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367\",\n \"https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6\",\n \"https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65\",\n \"https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2\",\n \"https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: Fix page refcounts for unaligned buffers in __bio_release_pages()\\n\\nFix an incorrect number of pages being released for buffers that do not\\nstart at the beginning of a page.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35826\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35832", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35832" + }, + { + "url": "https://git.kernel.org/stable/c/369acf97d6fd5da620d053d0f1878ffe32eff555" + }, + { + "url": "https://git.kernel.org/stable/c/56590678791119b9a655202e49898edfb9307271" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35832 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35832", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit\n\nbch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut.\nIt should be freed by kvfree not kfree.\nOr umount will triger:\n\n[ 406.829178 ] BUG: unable to handle page fault for address: ffffe7b487148008\n[ 406.830676 ] #PF: supervisor read access in kernel mode\n[ 406.831643 ] #PF: error_code(0x0000) - not-present page\n[ 406.832487 ] PGD 0 P4D 0\n[ 406.832898 ] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 406.833512 ] CPU: 2 PID: 1754 Comm: umount Kdump: loaded Tainted: G OE 6.7.0-rc7-custom+ #90\n[ 406.834746 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n[ 406.835796 ] RIP: 0010:kfree+0x62/0x140\n[ 406.836197 ] Code: 80 48 01 d8 0f 82 e9 00 00 00 48 c7 c2 00 00 00 80 48 2b 15 78 9f 1f 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 56 9f 1f 01 <48> 8b 50 08 48 89 c7 f6 c2 01 0f 85 b0 00 00 00 66 90 48 8b 07 f6\n[ 406.837810 ] RSP: 0018:ffffb9d641607e48 EFLAGS: 00010286\n[ 406.838213 ] RAX: ffffe7b487148000 RBX: ffffb9d645200000 RCX: ffffb9d641607dc4\n[ 406.838738 ] RDX: 000065bb00000000 RSI: ffffffffc0d88b84 RDI: ffffb9d645200000\n[ 406.839217 ] RBP: ffff9a4625d00068 R08: 0000000000000001 R09: 0000000000000001\n[ 406.839650 ] R10: 0000000000000001 R11: 000000000000001f R12: ffff9a4625d4da80\n[ 406.840055 ] R13: ffff9a4625d00000 R14: ffffffffc0e2eb20 R15: 0000000000000000\n[ 406.840451 ] FS: 00007f0a264ffb80(0000) GS:ffff9a4e2d500000(0000) knlGS:0000000000000000\n[ 406.840851 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 406.841125 ] CR2: ffffe7b487148008 CR3: 000000018c4d2000 CR4: 00000000000006f0\n[ 406.841464 ] Call Trace:\n[ 406.841583 ] \n[ 406.841682 ] ? __die+0x1f/0x70\n[ 406.841828 ] ? page_fault_oops+0x159/0x470\n[ 406.842014 ] ? fixup_exception+0x22/0x310\n[ 406.842198 ] ? exc_page_fault+0x1ed/0x200\n[ 406.842382 ] ? asm_exc_page_fault+0x22/0x30\n[ 406.842574 ] ? bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.842842 ] ? kfree+0x62/0x140\n[ 406.842988 ] ? kfree+0x104/0x140\n[ 406.843138 ] bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.843390 ] kobject_put+0xb7/0x170\n[ 406.843552 ] deactivate_locked_super+0x2f/0xa0\n[ 406.843756 ] cleanup_mnt+0xba/0x150\n[ 406.843917 ] task_work_run+0x59/0xa0\n[ 406.844083 ] exit_to_user_mode_prepare+0x197/0x1a0\n[ 406.844302 ] syscall_exit_to_user_mode+0x16/0x40\n[ 406.844510 ] do_syscall_64+0x4e/0xf0\n[ 406.844675 ] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 406.844907 ] RIP: 0033:0x7f0a2664e4fb", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35832\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35832\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35832\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35832\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35832\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/369acf97d6fd5da620d053d0f1878ffe32eff555\",\n \"https://git.kernel.org/stable/c/56590678791119b9a655202e49898edfb9307271\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit\\n\\nbch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut.\\nIt should be freed by kvfree not kfree.\\nOr umount will triger:\\n\\n[ 406.829178 ] BUG: unable to handle page fault for address: ffffe7b487148008\\n[ 406.830676 ] #PF: supervisor read access in kernel mode\\n[ 406.831643 ] #PF: error_code(0x0000) - not-present page\\n[ 406.832487 ] PGD 0 P4D 0\\n[ 406.832898 ] Oops: 0000 [#1] PREEMPT SMP PTI\\n[ 406.833512 ] CPU: 2 PID: 1754 Comm: umount Kdump: loaded Tainted: G OE 6.7.0-rc7-custom+ #90\\n[ 406.834746 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\\n[ 406.835796 ] RIP: 0010:kfree+0x62/0x140\\n[ 406.836197 ] Code: 80 48 01 d8 0f 82 e9 00 00 00 48 c7 c2 00 00 00 80 48 2b 15 78 9f 1f 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 56 9f 1f 01 <48> 8b 50 08 48 89 c7 f6 c2 01 0f 85 b0 00 00 00 66 90 48 8b 07 f6\\n[ 406.837810 ] RSP: 0018:ffffb9d641607e48 EFLAGS: 00010286\\n[ 406.838213 ] RAX: ffffe7b487148000 RBX: ffffb9d645200000 RCX: ffffb9d641607dc4\\n[ 406.838738 ] RDX: 000065bb00000000 RSI: ffffffffc0d88b84 RDI: ffffb9d645200000\\n[ 406.839217 ] RBP: ffff9a4625d00068 R08: 0000000000000001 R09: 0000000000000001\\n[ 406.839650 ] R10: 0000000000000001 R11: 000000000000001f R12: ffff9a4625d4da80\\n[ 406.840055 ] R13: ffff9a4625d00000 R14: ffffffffc0e2eb20 R15: 0000000000000000\\n[ 406.840451 ] FS: 00007f0a264ffb80(0000) GS:ffff9a4e2d500000(0000) knlGS:0000000000000000\\n[ 406.840851 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 406.841125 ] CR2: ffffe7b487148008 CR3: 000000018c4d2000 CR4: 00000000000006f0\\n[ 406.841464 ] Call Trace:\\n[ 406.841583 ] \\n[ 406.841682 ] ? __die+0x1f/0x70\\n[ 406.841828 ] ? page_fault_oops+0x159/0x470\\n[ 406.842014 ] ? fixup_exception+0x22/0x310\\n[ 406.842198 ] ? exc_page_fault+0x1ed/0x200\\n[ 406.842382 ] ? asm_exc_page_fault+0x22/0x30\\n[ 406.842574 ] ? bch2_fs_release+0x54/0x280 [bcachefs]\\n[ 406.842842 ] ? kfree+0x62/0x140\\n[ 406.842988 ] ? kfree+0x104/0x140\\n[ 406.843138 ] bch2_fs_release+0x54/0x280 [bcachefs]\\n[ 406.843390 ] kobject_put+0xb7/0x170\\n[ 406.843552 ] deactivate_locked_super+0x2f/0xa0\\n[ 406.843756 ] cleanup_mnt+0xba/0x150\\n[ 406.843917 ] task_work_run+0x59/0xa0\\n[ 406.844083 ] exit_to_user_mode_prepare+0x197/0x1a0\\n[ 406.844302 ] syscall_exit_to_user_mode+0x16/0x40\\n[ 406.844510 ] do_syscall_64+0x4e/0xf0\\n[ 406.844675 ] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ 406.844907 ] RIP: 0033:0x7f0a2664e4fb\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35832\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35833", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35833" + }, + { + "url": "https://git.kernel.org/stable/c/15eb996d7d13cb72a16389231945ada8f0fef2c3" + }, + { + "url": "https://git.kernel.org/stable/c/198270de9d8eb3b5d5f030825ea303ef95285d24" + }, + { + "url": "https://git.kernel.org/stable/c/1c75fe450b5200c78f4a102a0eb8e15d8f1ccda8" + }, + { + "url": "https://git.kernel.org/stable/c/25ab4d72eb7cbfa0f3d97a139a9b2bfcaa72dd59" + }, + { + "url": "https://git.kernel.org/stable/c/3aa58cb51318e329d203857f7a191678e60bb714" + }, + { + "url": "https://git.kernel.org/stable/c/5cd8a51517ce15edbdcea4fc74c4c127ddaa1bd6" + }, + { + "url": "https://git.kernel.org/stable/c/ae6769ba51417c1c86fb645812d5bff455eee802" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35833 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35833", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA\n\nThis dma_alloc_coherent() is undone neither in the remove function, nor in\nthe error handling path of fsl_qdma_probe().\n\nSwitch to the managed version to fix both issues.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35833\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35833\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35833\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35833\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35833\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15eb996d7d13cb72a16389231945ada8f0fef2c3\",\n \"https://git.kernel.org/stable/c/198270de9d8eb3b5d5f030825ea303ef95285d24\",\n \"https://git.kernel.org/stable/c/1c75fe450b5200c78f4a102a0eb8e15d8f1ccda8\",\n \"https://git.kernel.org/stable/c/25ab4d72eb7cbfa0f3d97a139a9b2bfcaa72dd59\",\n \"https://git.kernel.org/stable/c/3aa58cb51318e329d203857f7a191678e60bb714\",\n \"https://git.kernel.org/stable/c/5cd8a51517ce15edbdcea4fc74c4c127ddaa1bd6\",\n \"https://git.kernel.org/stable/c/ae6769ba51417c1c86fb645812d5bff455eee802\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA\\n\\nThis dma_alloc_coherent() is undone neither in the remove function, nor in\\nthe error handling path of fsl_qdma_probe().\\n\\nSwitch to the managed version to fix both issues.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35833\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35835", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35835" + }, + { + "url": "https://git.kernel.org/stable/c/2501afe6c4c9829d03abe9a368b83d9ea1b611b7" + }, + { + "url": "https://git.kernel.org/stable/c/3c6d5189246f590e4e1f167991558bdb72a4738b" + }, + { + "url": "https://git.kernel.org/stable/c/42876db001bbea7558e8676d1019f08f9390addb" + }, + { + "url": "https://git.kernel.org/stable/c/66cc521a739ccd5da057a1cb3d6346c6d0e7619b" + }, + { + "url": "https://git.kernel.org/stable/c/b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7" + }, + { + "url": "https://git.kernel.org/stable/c/c57ca114eb00e03274dd38108d07a3750fa3c056" + }, + { + "url": "https://git.kernel.org/stable/c/cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5" + }, + { + "url": "https://git.kernel.org/stable/c/e3d3ed8c152971dbe64c92c9ecb98fdb52abb629" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35835 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35835", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a double-free in arfs_create_groups\n\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft->g and return an error. However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call to\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35835\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35835\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35835\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35835\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35835\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2501afe6c4c9829d03abe9a368b83d9ea1b611b7\",\n \"https://git.kernel.org/stable/c/3c6d5189246f590e4e1f167991558bdb72a4738b\",\n \"https://git.kernel.org/stable/c/42876db001bbea7558e8676d1019f08f9390addb\",\n \"https://git.kernel.org/stable/c/66cc521a739ccd5da057a1cb3d6346c6d0e7619b\",\n \"https://git.kernel.org/stable/c/b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7\",\n \"https://git.kernel.org/stable/c/c57ca114eb00e03274dd38108d07a3750fa3c056\",\n \"https://git.kernel.org/stable/c/cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5\",\n \"https://git.kernel.org/stable/c/e3d3ed8c152971dbe64c92c9ecb98fdb52abb629\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: fix a double-free in arfs_create_groups\\n\\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\\nft->g and return an error. However, arfs_create_table, the only caller of\\narfs_create_groups, will hold this error and call to\\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35835\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35837", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35837" + }, + { + "url": "https://git.kernel.org/stable/c/83f99138bf3b396f761600ab488054396fb5768f" + }, + { + "url": "https://git.kernel.org/stable/c/938729484cfa535e9987ed0f86f29a2ae3a8188b" + }, + { + "url": "https://git.kernel.org/stable/c/9f538b415db862e74b8c5d3abbccfc1b2b6caa38" + }, + { + "url": "https://git.kernel.org/stable/c/af47faa6d3328406038b731794e7cf508c71affa" + }, + { + "url": "https://git.kernel.org/stable/c/cec65f09c47d8c2d67f2bcad6cf05c490628d1ec" + }, + { + "url": "https://git.kernel.org/stable/c/dc77f6ab5c3759df60ff87ed24f4d45df0f3b4c4" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35837 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35837", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: clear BM pool before initialization\n\nRegister value persist after booting the kernel using\nkexec which results in kernel panic. Thus clear the\nBM pool registers before initialisation to fix the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35837\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35837\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35837\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35837\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35837\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/83f99138bf3b396f761600ab488054396fb5768f\",\n \"https://git.kernel.org/stable/c/938729484cfa535e9987ed0f86f29a2ae3a8188b\",\n \"https://git.kernel.org/stable/c/9f538b415db862e74b8c5d3abbccfc1b2b6caa38\",\n \"https://git.kernel.org/stable/c/af47faa6d3328406038b731794e7cf508c71affa\",\n \"https://git.kernel.org/stable/c/cec65f09c47d8c2d67f2bcad6cf05c490628d1ec\",\n \"https://git.kernel.org/stable/c/dc77f6ab5c3759df60ff87ed24f4d45df0f3b4c4\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: mvpp2: clear BM pool before initialization\\n\\nRegister value persist after booting the kernel using\\nkexec which results in kernel panic. Thus clear the\\nBM pool registers before initialisation to fix the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35837\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35839", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35839" + }, + { + "url": "https://git.kernel.org/stable/c/544add1f1cfb78c3dfa3e6edcf4668f6be5e730c" + }, + { + "url": "https://git.kernel.org/stable/c/7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b" + }, + { + "url": "https://git.kernel.org/stable/c/9325e3188a9cf3f69fc6f32af59844bbc5b90547" + }, + { + "url": "https://git.kernel.org/stable/c/9874808878d9eed407e3977fd11fee49de1e1d86" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35839 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35839", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\n\nAn skb can be added to a neigh->arp_queue while waiting for an arp\nreply. Where original skb's skb->dev can be different to neigh's\nneigh->dev. For instance in case of bridging dnated skb from one veth to\nanother, the skb would be added to a neigh->arp_queue of the bridge.\n\nAs skb->dev can be reset back to nf_bridge->physindev and used, and as\nthere is no explicit mechanism that prevents this physindev from been\nfreed under us (for instance neigh_flush_dev doesn't cleanup skbs from\ndifferent device's neigh queue) we can crash on e.g. this stack:\n\narp_process\n neigh_update\n skb = __skb_dequeue(&neigh->arp_queue)\n neigh_resolve_output(..., skb)\n ...\n br_nf_dev_xmit\n br_nf_pre_routing_finish_bridge_slow\n skb->dev = nf_bridge->physindev\n br_handle_frame_finish\n\nLet's use plain ifindex instead of net_device link. To peek into the\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\nget device and are safe to use it or we don't get it and drop skb.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35839\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35839\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35839\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35839\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35839\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/544add1f1cfb78c3dfa3e6edcf4668f6be5e730c\",\n \"https://git.kernel.org/stable/c/7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b\",\n \"https://git.kernel.org/stable/c/9325e3188a9cf3f69fc6f32af59844bbc5b90547\",\n \"https://git.kernel.org/stable/c/9874808878d9eed407e3977fd11fee49de1e1d86\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\\n\\nAn skb can be added to a neigh->arp_queue while waiting for an arp\\nreply. Where original skb's skb->dev can be different to neigh's\\nneigh->dev. For instance in case of bridging dnated skb from one veth to\\nanother, the skb would be added to a neigh->arp_queue of the bridge.\\n\\nAs skb->dev can be reset back to nf_bridge->physindev and used, and as\\nthere is no explicit mechanism that prevents this physindev from been\\nfreed under us (for instance neigh_flush_dev doesn't cleanup skbs from\\ndifferent device's neigh queue) we can crash on e.g. this stack:\\n\\narp_process\\n neigh_update\\n skb = __skb_dequeue(&neigh->arp_queue)\\n neigh_resolve_output(..., skb)\\n ...\\n br_nf_dev_xmit\\n br_nf_pre_routing_finish_bridge_slow\\n skb->dev = nf_bridge->physindev\\n br_handle_frame_finish\\n\\nLet's use plain ifindex instead of net_device link. To peek into the\\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\\nget device and are safe to use it or we don't get it and drop skb.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35839\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35840", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35840" + }, + { + "url": "https://git.kernel.org/stable/c/413b913507326972135d2977975dbff8b7f2c453" + }, + { + "url": "https://git.kernel.org/stable/c/51e4cb032d49ce094605f27e45eabebc0408893c" + }, + { + "url": "https://git.kernel.org/stable/c/76e8de7273a22a00d27e9b8b7d4d043d6433416a" + }, + { + "url": "https://git.kernel.org/stable/c/ad3e8f5c3d5c53841046ef7a947c04ad45a20721" + }, + { + "url": "https://git.kernel.org/stable/c/be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35840 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35840", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\n\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\nin mptcp_parse_option()", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35840\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35840\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35840\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35840\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35840\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/413b913507326972135d2977975dbff8b7f2c453\",\n \"https://git.kernel.org/stable/c/51e4cb032d49ce094605f27e45eabebc0408893c\",\n \"https://git.kernel.org/stable/c/76e8de7273a22a00d27e9b8b7d4d043d6433416a\",\n \"https://git.kernel.org/stable/c/ad3e8f5c3d5c53841046ef7a947c04ad45a20721\",\n \"https://git.kernel.org/stable/c/be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\\n\\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\\nin mptcp_parse_option()\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35840\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35843", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35843" + }, + { + "url": "https://git.kernel.org/stable/c/3d39238991e745c5df85785604f037f35d9d1b15" + }, + { + "url": "https://git.kernel.org/stable/c/def054b01a867822254e1dda13d587f5c7a99e2a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35843 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35843", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Use device rbtree in iopf reporting path\n\nThe existing I/O page fault handler currently locates the PCI device by\ncalling pci_get_domain_bus_and_slot(). This function searches the list\nof all PCI devices until the desired device is found. To improve lookup\nefficiency, replace it with device_rbtree_find() to search the device\nwithin the probed device rbtree.\n\nThe I/O page fault is initiated by the device, which does not have any\nsynchronization mechanism with the software to ensure that the device\nstays in the probed device tree. Theoretically, a device could be released\nby the IOMMU subsystem after device_rbtree_find() and before\niopf_get_dev_fault_param(), which would cause a use-after-free problem.\n\nAdd a mutex to synchronize the I/O page fault reporting path and the IOMMU\nrelease device path. This lock doesn't introduce any performance overhead,\nas the conflict between I/O page fault reporting and device releasing is\nvery rare.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35843\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35843\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35843\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35843\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35843\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3d39238991e745c5df85785604f037f35d9d1b15\",\n \"https://git.kernel.org/stable/c/def054b01a867822254e1dda13d587f5c7a99e2a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu/vt-d: Use device rbtree in iopf reporting path\\n\\nThe existing I/O page fault handler currently locates the PCI device by\\ncalling pci_get_domain_bus_and_slot(). This function searches the list\\nof all PCI devices until the desired device is found. To improve lookup\\nefficiency, replace it with device_rbtree_find() to search the device\\nwithin the probed device rbtree.\\n\\nThe I/O page fault is initiated by the device, which does not have any\\nsynchronization mechanism with the software to ensure that the device\\nstays in the probed device tree. Theoretically, a device could be released\\nby the IOMMU subsystem after device_rbtree_find() and before\\niopf_get_dev_fault_param(), which would cause a use-after-free problem.\\n\\nAdd a mutex to synchronize the I/O page fault reporting path and the IOMMU\\nrelease device path. This lock doesn't introduce any performance overhead,\\nas the conflict between I/O page fault reporting and device releasing is\\nvery rare.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.8,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35843\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35847", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35847" + }, + { + "url": "https://git.kernel.org/stable/c/03170e657f62c26834172742492a8cb8077ef792" + }, + { + "url": "https://git.kernel.org/stable/c/5b012f77abde89bf0be8a0547636184fea618137" + }, + { + "url": "https://git.kernel.org/stable/c/5dbdbe1133911ca7d8466bb86885adec32ad9438" + }, + { + "url": "https://git.kernel.org/stable/c/aa44d21574751a7d6bca892eb8e0e9ac68372e52" + }, + { + "url": "https://git.kernel.org/stable/c/b72d2b1448b682844f995e660b77f2a1fabc1662" + }, + { + "url": "https://git.kernel.org/stable/c/c26591afd33adce296c022e3480dea4282b7ef91" + }, + { + "url": "https://git.kernel.org/stable/c/dd681710ab77c8beafe2e263064cb1bd0e2d6ca9" + }, + { + "url": "https://git.kernel.org/stable/c/f5417ff561b8ac9a7e53c747b8627a7ab58378ae" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35847 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35847", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Prevent double free on error\n\nThe error handling path in its_vpe_irq_domain_alloc() causes a double free\nwhen its_vpe_init() fails after successfully allocating at least one\ninterrupt. This happens because its_vpe_irq_domain_free() frees the\ninterrupts along with the area bitmap and the vprop_page and\nits_vpe_irq_domain_alloc() subsequently frees the area bitmap and the\nvprop_page again.\n\nFix this by unconditionally invoking its_vpe_irq_domain_free() which\nhandles all cases correctly and by removing the bitmap/vprop_page freeing\nfrom its_vpe_irq_domain_alloc().\n\n[ tglx: Massaged change log ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35847\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35847\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35847\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35847\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35847\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03170e657f62c26834172742492a8cb8077ef792\",\n \"https://git.kernel.org/stable/c/5b012f77abde89bf0be8a0547636184fea618137\",\n \"https://git.kernel.org/stable/c/5dbdbe1133911ca7d8466bb86885adec32ad9438\",\n \"https://git.kernel.org/stable/c/aa44d21574751a7d6bca892eb8e0e9ac68372e52\",\n \"https://git.kernel.org/stable/c/b72d2b1448b682844f995e660b77f2a1fabc1662\",\n \"https://git.kernel.org/stable/c/c26591afd33adce296c022e3480dea4282b7ef91\",\n \"https://git.kernel.org/stable/c/dd681710ab77c8beafe2e263064cb1bd0e2d6ca9\",\n \"https://git.kernel.org/stable/c/f5417ff561b8ac9a7e53c747b8627a7ab58378ae\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nirqchip/gic-v3-its: Prevent double free on error\\n\\nThe error handling path in its_vpe_irq_domain_alloc() causes a double free\\nwhen its_vpe_init() fails after successfully allocating at least one\\ninterrupt. This happens because its_vpe_irq_domain_free() frees the\\ninterrupts along with the area bitmap and the vprop_page and\\nits_vpe_irq_domain_alloc() subsequently frees the area bitmap and the\\nvprop_page again.\\n\\nFix this by unconditionally invoking its_vpe_irq_domain_free() which\\nhandles all cases correctly and by removing the bitmap/vprop_page freeing\\nfrom its_vpe_irq_domain_alloc().\\n\\n[ tglx: Massaged change log ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35847\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35848", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35848" + }, + { + "url": "https://git.kernel.org/stable/c/26d32bec4c6d255a03762f33c637bfa3718be15a" + }, + { + "url": "https://git.kernel.org/stable/c/2af84c46b9b8f2d6c0f88d09ee5c849ae1734676" + }, + { + "url": "https://git.kernel.org/stable/c/6d8b56ec0c8f30d5657382f47344a32569f7a9bc" + }, + { + "url": "https://git.kernel.org/stable/c/c43e5028f5a35331eb25017f5ff6cc21735005c6" + }, + { + "url": "https://git.kernel.org/stable/c/c850f71fca09ea41800ed55905980063d17e01da" + }, + { + "url": "https://git.kernel.org/stable/c/f42c97027fb75776e2e9358d16bf4a99aeb04cf2" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35848 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35848", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: at24: fix memory corruption race condition\n\nIf the eeprom is not accessible, an nvmem device will be registered, the\nread will fail, and the device will be torn down. If another driver\naccesses the nvmem device after the teardown, it will reference\ninvalid memory.\n\nMove the failure point before registering the nvmem device.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35848\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35848\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35848\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35848\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35848\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/26d32bec4c6d255a03762f33c637bfa3718be15a\",\n \"https://git.kernel.org/stable/c/2af84c46b9b8f2d6c0f88d09ee5c849ae1734676\",\n \"https://git.kernel.org/stable/c/6d8b56ec0c8f30d5657382f47344a32569f7a9bc\",\n \"https://git.kernel.org/stable/c/c43e5028f5a35331eb25017f5ff6cc21735005c6\",\n \"https://git.kernel.org/stable/c/c850f71fca09ea41800ed55905980063d17e01da\",\n \"https://git.kernel.org/stable/c/f42c97027fb75776e2e9358d16bf4a99aeb04cf2\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\neeprom: at24: fix memory corruption race condition\\n\\nIf the eeprom is not accessible, an nvmem device will be registered, the\\nread will fail, and the device will be torn down. If another driver\\naccesses the nvmem device after the teardown, it will reference\\ninvalid memory.\\n\\nMove the failure point before registering the nvmem device.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35848\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35849", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35849" + }, + { + "url": "https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf" + }, + { + "url": "https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6" + }, + { + "url": "https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc" + }, + { + "url": "https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772" + }, + { + "url": "https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86" + }, + { + "url": "https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6" + }, + { + "url": "https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d" + }, + { + "url": "https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35849 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35849", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\n\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Uninit was created at:\n __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n __do_kmalloc_node mm/slub.c:3954 [inline]\n __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n kmalloc_node include/linux/slab.h:648 [inline]\n kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n kvmalloc include/linux/slab.h:766 [inline]\n init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Bytes 40-65535 of 65536 are uninitialized\n Memory access of size 65536 starts at ffff888045a40000\n\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\n\nFix this by using kvzalloc() which zeroes out the memory on allocation.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35849\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35849\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35849\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35849\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35849\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf\",\n \"https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6\",\n \"https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc\",\n \"https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772\",\n \"https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86\",\n \"https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6\",\n \"https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d\",\n \"https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\\n\\nSyzbot reported the following information leak for in\\nbtrfs_ioctl_logical_to_ino():\\n\\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n _copy_to_user+0xbc/0x110 lib/usercopy.c:40\\n copy_to_user include/linux/uaccess.h:191 [inline]\\n btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\\n btrfs_ioctl+0x714/0x1260\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:904 [inline]\\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\n Uninit was created at:\\n __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\\n __do_kmalloc_node mm/slub.c:3954 [inline]\\n __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\\n kmalloc_node include/linux/slab.h:648 [inline]\\n kvmalloc_node+0xc0/0x2d0 mm/util.c:634\\n kvmalloc include/linux/slab.h:766 [inline]\\n init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\\n btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\\n btrfs_ioctl+0x714/0x1260\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:904 [inline]\\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\n Bytes 40-65535 of 65536 are uninitialized\\n Memory access of size 65536 starts at ffff888045a40000\\n\\nThis happens, because we're copying a 'struct btrfs_data_container' back\\nto user-space. This btrfs_data_container is allocated in\\n'init_data_container()' via kvmalloc(), which does not zero-fill the\\nmemory.\\n\\nFix this by using kvzalloc() which zeroes out the memory on allocation.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35849\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35851", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35851" + }, + { + "url": "https://git.kernel.org/stable/c/52f9041deaca3fc5c40ef3b9cb943993ec7d2489" + }, + { + "url": "https://git.kernel.org/stable/c/6b47cdeb786c38e4174319218db3fa6d7b4bba88" + }, + { + "url": "https://git.kernel.org/stable/c/73e87c0a49fda31d7b589edccf4c72e924411371" + }, + { + "url": "https://git.kernel.org/stable/c/b64092d2f108f0cd1d7fd7e176f5fb2a67a2f189" + }, + { + "url": "https://git.kernel.org/stable/c/e60502b907be350c518819297b565007a94c706d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35851 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35851", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix NULL-deref on non-serdev suspend\n\nQualcomm ROME controllers can be registered from the Bluetooth line\ndiscipline and in this case the HCI UART serdev pointer is NULL.\n\nAdd the missing sanity check to prevent a NULL-pointer dereference when\nwakeup() is called for a non-serdev controller during suspend.\n\nJust return true for now to restore the original behaviour and address\nthe crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657\n(\"Bluetooth: hci_qca: only assign wakeup with serial port support\") that\ncauses the crash to happen already at setup() time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35851\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35851\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35851\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35851\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35851\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/52f9041deaca3fc5c40ef3b9cb943993ec7d2489\",\n \"https://git.kernel.org/stable/c/6b47cdeb786c38e4174319218db3fa6d7b4bba88\",\n \"https://git.kernel.org/stable/c/73e87c0a49fda31d7b589edccf4c72e924411371\",\n \"https://git.kernel.org/stable/c/b64092d2f108f0cd1d7fd7e176f5fb2a67a2f189\",\n \"https://git.kernel.org/stable/c/e60502b907be350c518819297b565007a94c706d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: qca: fix NULL-deref on non-serdev suspend\\n\\nQualcomm ROME controllers can be registered from the Bluetooth line\\ndiscipline and in this case the HCI UART serdev pointer is NULL.\\n\\nAdd the missing sanity check to prevent a NULL-pointer dereference when\\nwakeup() is called for a non-serdev controller during suspend.\\n\\nJust return true for now to restore the original behaviour and address\\nthe crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657\\n(\\\"Bluetooth: hci_qca: only assign wakeup with serial port support\\\") that\\ncauses the crash to happen already at setup() time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35851\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35852", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35852" + }, + { + "url": "https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758" + }, + { + "url": "https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04" + }, + { + "url": "https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f" + }, + { + "url": "https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d" + }, + { + "url": "https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d" + }, + { + "url": "https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab" + }, + { + "url": "https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35852 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35852", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work\n\nThe rehash delayed work is rescheduled with a delay if the number of\ncredits at end of the work is not negative as supposedly it means that\nthe migration ended. Otherwise, it is rescheduled immediately.\n\nAfter \"mlxsw: spectrum_acl_tcam: Fix possible use-after-free during\nrehash\" the above is no longer accurate as a non-negative number of\ncredits is no longer indicative of the migration being done. It can also\nhappen if the work encountered an error in which case the migration will\nresume the next time the work is scheduled.\n\nThe significance of the above is that it is possible for the work to be\npending and associated with hints that were allocated when the migration\nstarted. This leads to the hints being leaked [1] when the work is\ncanceled while pending as part of ACL region dismantle.\n\nFix by freeing the hints if hints are associated with a work that was\ncanceled while pending.\n\nBlame the original commit since the reliance on not having a pending\nwork associated with hints is fragile.\n\n[1]\nunreferenced object 0xffff88810e7c3000 (size 256):\n comm \"kworker/0:16\", pid 176, jiffies 4295460353\n hex dump (first 32 bytes):\n 00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......\n 00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........\n backtrace (crc 2544ddb9):\n [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0\n [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390\n [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400\n [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\n [<00000000e81fd734>] process_one_work+0x59c/0xf20\n [<00000000ceee9e81>] worker_thread+0x799/0x12c0\n [<00000000bda6fe39>] kthread+0x246/0x300\n [<0000000070056d23>] ret_from_fork+0x34/0x70\n [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35852\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35852\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35852\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35852\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35852\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758\",\n \"https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04\",\n \"https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f\",\n \"https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d\",\n \"https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d\",\n \"https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab\",\n \"https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work\\n\\nThe rehash delayed work is rescheduled with a delay if the number of\\ncredits at end of the work is not negative as supposedly it means that\\nthe migration ended. Otherwise, it is rescheduled immediately.\\n\\nAfter \\\"mlxsw: spectrum_acl_tcam: Fix possible use-after-free during\\nrehash\\\" the above is no longer accurate as a non-negative number of\\ncredits is no longer indicative of the migration being done. It can also\\nhappen if the work encountered an error in which case the migration will\\nresume the next time the work is scheduled.\\n\\nThe significance of the above is that it is possible for the work to be\\npending and associated with hints that were allocated when the migration\\nstarted. This leads to the hints being leaked [1] when the work is\\ncanceled while pending as part of ACL region dismantle.\\n\\nFix by freeing the hints if hints are associated with a work that was\\ncanceled while pending.\\n\\nBlame the original commit since the reliance on not having a pending\\nwork associated with hints is fragile.\\n\\n[1]\\nunreferenced object 0xffff88810e7c3000 (size 256):\\n comm \\\"kworker/0:16\\\", pid 176, jiffies 4295460353\\n hex dump (first 32 bytes):\\n 00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......\\n 00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........\\n backtrace (crc 2544ddb9):\\n [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0\\n [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390\\n [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400\\n [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\\n [<00000000e81fd734>] process_one_work+0x59c/0xf20\\n [<00000000ceee9e81>] worker_thread+0x799/0x12c0\\n [<00000000bda6fe39>] kthread+0x246/0x300\\n [<0000000070056d23>] ret_from_fork+0x34/0x70\\n [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35852\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35853", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35853" + }, + { + "url": "https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf" + }, + { + "url": "https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e" + }, + { + "url": "https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1" + }, + { + "url": "https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977" + }, + { + "url": "https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d" + }, + { + "url": "https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76" + }, + { + "url": "https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35853 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35853", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\n\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk iterating over all the\nfilters.\n\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\n\nEach virtual chunk references two chunks: The currently used one\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\n\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\n\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\n\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35853\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35853\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35853\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35853\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35853\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf\",\n \"https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e\",\n \"https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1\",\n \"https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977\",\n \"https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d\",\n \"https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76\",\n \"https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\\n\\nThe rehash delayed work migrates filters from one region to another.\\nThis is done by iterating over all chunks (all the filters with the same\\npriority) in the region and in each chunk iterating over all the\\nfilters.\\n\\nIf the migration fails, the code tries to migrate the filters back to\\nthe old region. However, the rollback itself can also fail in which case\\nanother migration will be erroneously performed. Besides the fact that\\nthis ping pong is not a very good idea, it also creates a problem.\\n\\nEach virtual chunk references two chunks: The currently used one\\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\\nfirst holds the chunk we want to migrate filters to and the second holds\\nthe chunk we are migrating filters from.\\n\\nThe code currently assumes - but does not verify - that the backup chunk\\ndoes not exist (NULL) if the currently used chunk does not reference the\\ntarget region. This assumption breaks when we are trying to rollback a\\nrollback, resulting in the backup chunk being overwritten and leaked\\n[1].\\n\\nFix by not rolling back a failed rollback and add a warning to avoid\\nfuture cases.\\n\\n[1]\\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\\nModules linked in:\\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:parman_destroy+0x17/0x20\\n[...]\\nCall Trace:\\n \\n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\\n process_one_work+0x151/0x370\\n worker_thread+0x2cb/0x3e0\\n kthread+0xd0/0x100\\n ret_from_fork+0x34/0x50\\n ret_from_fork_asm+0x1a/0x30\\n \",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H\",\n \"metrics\": {\n \"baseScore\": 6.4,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 4.7\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35853\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35854", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35854" + }, + { + "url": "https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049" + }, + { + "url": "https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121" + }, + { + "url": "https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519" + }, + { + "url": "https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887" + }, + { + "url": "https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1" + }, + { + "url": "https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1" + }, + { + "url": "https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35854 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35854", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\n\nThe rehash delayed work migrates filters from one region to another\naccording to the number of available credits.\n\nThe migrated from region is destroyed at the end of the work if the\nnumber of credits is non-negative as the assumption is that this is\nindicative of migration being complete. This assumption is incorrect as\na non-negative number of credits can also be the result of a failed\nmigration.\n\nThe destruction of a region that still has filters referencing it can\nresult in a use-after-free [1].\n\nFix by not destroying the region if migration failed.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\n\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 174:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 7:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35854\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35854\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35854\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35854\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35854\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049\",\n \"https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121\",\n \"https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519\",\n \"https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887\",\n \"https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1\",\n \"https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1\",\n \"https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\\n\\nThe rehash delayed work migrates filters from one region to another\\naccording to the number of available credits.\\n\\nThe migrated from region is destroyed at the end of the work if the\\nnumber of credits is non-negative as the assumption is that this is\\nindicative of migration being complete. This assumption is incorrect as\\na non-negative number of credits can also be the result of a failed\\nmigration.\\n\\nThe destruction of a region that still has filters referencing it can\\nresult in a use-after-free [1].\\n\\nFix by not destroying the region if migration failed.\\n\\n[1]\\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\\n\\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nCall Trace:\\n \\n dump_stack_lvl+0xc6/0x120\\n print_report+0xce/0x670\\n kasan_report+0xd7/0x110\\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\\n \\n\\nAllocated by task 174:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n __kasan_kmalloc+0x8f/0xa0\\n __kmalloc+0x19c/0x360\\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\\n\\nFreed by task 7:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n kasan_save_free_info+0x3b/0x60\\n poison_slab_object+0x102/0x170\\n __kasan_slab_free+0x14/0x30\\n kfree+0xc1/0x290\\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35854\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35855", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35855" + }, + { + "url": "https://git.kernel.org/stable/c/1b73f6e4ea770410a937a8db98f77e52594d23a0" + }, + { + "url": "https://git.kernel.org/stable/c/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4" + }, + { + "url": "https://git.kernel.org/stable/c/b183b915beef818a25e3154d719ca015a1ae0770" + }, + { + "url": "https://git.kernel.org/stable/c/b996e8699da810e4c915841d6aaef761007f933a" + }, + { + "url": "https://git.kernel.org/stable/c/c17976b42d546ee118ca300db559630ee96fb758" + }, + { + "url": "https://git.kernel.org/stable/c/e24d2487424779c02760ff50cd9021b8676e19ef" + }, + { + "url": "https://git.kernel.org/stable/c/feabdac2057e863d0e140a2adf3d232eb4882db4" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35855 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35855", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\n\nThe rule activity update delayed work periodically traverses the list of\nconfigured rules and queries their activity from the device.\n\nAs part of this task it accesses the entry pointed by 'ventry->entry',\nbut this entry can be changed concurrently by the rehash delayed work,\nleading to a use-after-free [1].\n\nFix by closing the race and perform the activity query under the\n'vregion->lock' mutex.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\n\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35855\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35855\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35855\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35855\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35855\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b73f6e4ea770410a937a8db98f77e52594d23a0\",\n \"https://git.kernel.org/stable/c/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4\",\n \"https://git.kernel.org/stable/c/b183b915beef818a25e3154d719ca015a1ae0770\",\n \"https://git.kernel.org/stable/c/b996e8699da810e4c915841d6aaef761007f933a\",\n \"https://git.kernel.org/stable/c/c17976b42d546ee118ca300db559630ee96fb758\",\n \"https://git.kernel.org/stable/c/e24d2487424779c02760ff50cd9021b8676e19ef\",\n \"https://git.kernel.org/stable/c/feabdac2057e863d0e140a2adf3d232eb4882db4\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\\n\\nThe rule activity update delayed work periodically traverses the list of\\nconfigured rules and queries their activity from the device.\\n\\nAs part of this task it accesses the entry pointed by 'ventry->entry',\\nbut this entry can be changed concurrently by the rehash delayed work,\\nleading to a use-after-free [1].\\n\\nFix by closing the race and perform the activity query under the\\n'vregion->lock' mutex.\\n\\n[1]\\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\\n\\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\\nCall Trace:\\n \\n dump_stack_lvl+0xc6/0x120\\n print_report+0xce/0x670\\n kasan_report+0xd7/0x110\\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\\n \\n\\nAllocated by task 1039:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n __kasan_kmalloc+0x8f/0xa0\\n __kmalloc+0x19c/0x360\\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\\n\\nFreed by task 1039:\\n kasan_save_stack+0x33/0x60\\n kasan_save_track+0x14/0x30\\n kasan_save_free_info+0x3b/0x60\\n poison_slab_object+0x102/0x170\\n __kasan_slab_free+0x14/0x30\\n kfree+0xc1/0x290\\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\\n process_one_work+0x8eb/0x19b0\\n worker_thread+0x6c9/0xf70\\n kthread+0x2c9/0x3b0\\n ret_from_fork+0x4d/0x80\\n ret_from_fork_asm+0x1a/0x30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35855\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35857", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35857" + }, + { + "url": "https://git.kernel.org/stable/c/23b7ee4a8d559bf38eac7ce5bb2f6ebf76f9c401" + }, + { + "url": "https://git.kernel.org/stable/c/3e2979bf080c40da4f7c93aff8575ab8bc62b767" + }, + { + "url": "https://git.kernel.org/stable/c/599c9ad5e1d43f5c12d869f5fd406ba5d8c55270" + }, + { + "url": "https://git.kernel.org/stable/c/c58e88d49097bd12dfcfef4f075b43f5d5830941" + }, + { + "url": "https://git.kernel.org/stable/c/d68dc711d84fdcf698e5d45308c3ddeede586350" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35857 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35857", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: prevent possible NULL dereferences from icmp_build_probe()\n\nFirst problem is a double call to __in_dev_get_rcu(), because\nthe second one could return NULL.\n\nif (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)\n\nSecond problem is a read from dev->ip6_ptr with no NULL check:\n\nif (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))\n\nUse the correct RCU API to fix these.\n\nv2: add missing include ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35857\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35857\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35857\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35857\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35857\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23b7ee4a8d559bf38eac7ce5bb2f6ebf76f9c401\",\n \"https://git.kernel.org/stable/c/3e2979bf080c40da4f7c93aff8575ab8bc62b767\",\n \"https://git.kernel.org/stable/c/599c9ad5e1d43f5c12d869f5fd406ba5d8c55270\",\n \"https://git.kernel.org/stable/c/c58e88d49097bd12dfcfef4f075b43f5d5830941\",\n \"https://git.kernel.org/stable/c/d68dc711d84fdcf698e5d45308c3ddeede586350\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nicmp: prevent possible NULL dereferences from icmp_build_probe()\\n\\nFirst problem is a double call to __in_dev_get_rcu(), because\\nthe second one could return NULL.\\n\\nif (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)\\n\\nSecond problem is a read from dev->ip6_ptr with no NULL check:\\n\\nif (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))\\n\\nUse the correct RCU API to fix these.\\n\\nv2: add missing include \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35857\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35861", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35861" + }, + { + "url": "https://git.kernel.org/stable/c/2cfff21732132e363b4cc275d63ea98f1af726c1" + }, + { + "url": "https://git.kernel.org/stable/c/7e8360ac8774e19b0b25f44fff84a105bb2417e4" + }, + { + "url": "https://git.kernel.org/stable/c/e0e50401cc3921c9eaf1b0e667db174519ea939f" + }, + { + "url": "https://git.kernel.org/stable/c/f9a96a7ad1e8d25dc6662bc7552e0752de74a20d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35861 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35861", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35861\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35861\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35861\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35861\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35861\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2cfff21732132e363b4cc275d63ea98f1af726c1\",\n \"https://git.kernel.org/stable/c/7e8360ac8774e19b0b25f44fff84a105bb2417e4\",\n \"https://git.kernel.org/stable/c/e0e50401cc3921c9eaf1b0e667db174519ea939f\",\n \"https://git.kernel.org/stable/c/f9a96a7ad1e8d25dc6662bc7552e0752de74a20d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35861\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35862", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35862" + }, + { + "url": "https://git.kernel.org/stable/c/63981561ffd2d4987807df4126f96a11e18b0c1d" + }, + { + "url": "https://git.kernel.org/stable/c/aa582b33f94453fdeaff1e7d0aa252c505975e01" + }, + { + "url": "https://git.kernel.org/stable/c/d919b6ea15ffa56fbafef4a1d92f47aeda9af645" + }, + { + "url": "https://git.kernel.org/stable/c/f9414004798d9742c1af23a1d839fe6a9503751c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35862 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35862", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_network_name_deleted()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35862\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35862\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35862\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35862\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35862\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/63981561ffd2d4987807df4126f96a11e18b0c1d\",\n \"https://git.kernel.org/stable/c/aa582b33f94453fdeaff1e7d0aa252c505975e01\",\n \"https://git.kernel.org/stable/c/d919b6ea15ffa56fbafef4a1d92f47aeda9af645\",\n \"https://git.kernel.org/stable/c/f9414004798d9742c1af23a1d839fe6a9503751c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in smb2_is_network_name_deleted()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35862\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35863", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35863" + }, + { + "url": "https://git.kernel.org/stable/c/0a15ba88a32fa7a516aff7ffd27befed5334dff2" + }, + { + "url": "https://git.kernel.org/stable/c/16d58c6a7db5050b9638669084b63fc05f951825" + }, + { + "url": "https://git.kernel.org/stable/c/494c91e1e9413b407d12166a61b84200d4d54fac" + }, + { + "url": "https://git.kernel.org/stable/c/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35863 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35863", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35863\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35863\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35863\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35863\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35863\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a15ba88a32fa7a516aff7ffd27befed5334dff2\",\n \"https://git.kernel.org/stable/c/16d58c6a7db5050b9638669084b63fc05f951825\",\n \"https://git.kernel.org/stable/c/494c91e1e9413b407d12166a61b84200d4d54fac\",\n \"https://git.kernel.org/stable/c/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in is_valid_oplock_break()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35863\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35864", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35864" + }, + { + "url": "https://git.kernel.org/stable/c/705c76fbf726c7a2f6ff9143d4013b18daaaebf1" + }, + { + "url": "https://git.kernel.org/stable/c/a8344e2b69bde63f713b0aa796d70dbeadffddfb" + }, + { + "url": "https://git.kernel.org/stable/c/c868cabdf6fdd61bea54532271f4708254e57fc5" + }, + { + "url": "https://git.kernel.org/stable/c/f92739fdd4522c4291277136399353d7c341fae4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35864 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35864", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_lease_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35864\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35864\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35864\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35864\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35864\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/705c76fbf726c7a2f6ff9143d4013b18daaaebf1\",\n \"https://git.kernel.org/stable/c/a8344e2b69bde63f713b0aa796d70dbeadffddfb\",\n \"https://git.kernel.org/stable/c/c868cabdf6fdd61bea54532271f4708254e57fc5\",\n \"https://git.kernel.org/stable/c/f92739fdd4522c4291277136399353d7c341fae4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in smb2_is_valid_lease_break()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35864\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35865", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35865" + }, + { + "url": "https://git.kernel.org/stable/c/21fed37d2bdcde33453faf61d3d4d96c355f04bd" + }, + { + "url": "https://git.kernel.org/stable/c/22863485a4626ec6ecf297f4cc0aef709bc862e4" + }, + { + "url": "https://git.kernel.org/stable/c/3dba0e5276f131e36d6d8043191d856f49238628" + }, + { + "url": "https://git.kernel.org/stable/c/84488466b7a69570bdbf76dd9576847ab97d54e7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35865 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35865", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35865\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35865\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35865\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35865\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35865\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21fed37d2bdcde33453faf61d3d4d96c355f04bd\",\n \"https://git.kernel.org/stable/c/22863485a4626ec6ecf297f4cc0aef709bc862e4\",\n \"https://git.kernel.org/stable/c/3dba0e5276f131e36d6d8043191d856f49238628\",\n \"https://git.kernel.org/stable/c/84488466b7a69570bdbf76dd9576847ab97d54e7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in smb2_is_valid_oplock_break()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35865\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35866", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35866" + }, + { + "url": "https://git.kernel.org/stable/c/10e17ca4000ec34737bde002a13435c38ace2682" + }, + { + "url": "https://git.kernel.org/stable/c/3103163ccd3be4adcfa37e15608fb497be044113" + }, + { + "url": "https://git.kernel.org/stable/c/58acd1f497162e7d282077f816faa519487be045" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35866 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35866", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_dump_full_key()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35866\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35866\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35866\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35866\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35866\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10e17ca4000ec34737bde002a13435c38ace2682\",\n \"https://git.kernel.org/stable/c/3103163ccd3be4adcfa37e15608fb497be044113\",\n \"https://git.kernel.org/stable/c/58acd1f497162e7d282077f816faa519487be045\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in cifs_dump_full_key()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35866\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35867", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35867" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/29/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65" + }, + { + "url": "https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49" + }, + { + "url": "https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7" + }, + { + "url": "https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35867 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35867", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35867\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35867\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35867\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35867\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35867\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/29/2\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65\",\n \"https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49\",\n \"https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7\",\n \"https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in cifs_stats_proc_show()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35867\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35868", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35868" + }, + { + "url": "https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b" + }, + { + "url": "https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72" + }, + { + "url": "https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7" + }, + { + "url": "https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35868 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35868", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_write()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35868\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35868\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35868\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35868\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35868\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b\",\n \"https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72\",\n \"https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7\",\n \"https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix potential UAF in cifs_stats_proc_write()\\n\\nSkip sessions that are being teared down (status == SES_EXITING) to\\navoid UAF.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35868\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35869", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35869" + }, + { + "url": "https://git.kernel.org/stable/c/062a7f0ff46eb57aff526897bd2bebfdb1d3046a" + }, + { + "url": "https://git.kernel.org/stable/c/645f332c6b63499cc76197f9b6bffcc659ba64cc" + }, + { + "url": "https://git.kernel.org/stable/c/e1db9ae87b7148c021daee1fcc4bc71b2ac58a79" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35869 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35869", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: guarantee refcounted children from parent session\n\nAvoid potential use-after-free bugs when walking DFS referrals,\nmounting and performing DFS failover by ensuring that all children\nfrom parent @tcon->ses are also refcounted. They're all needed across\nthe entire DFS mount. Get rid of @tcon->dfs_ses_list while we're at\nit, too.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35869\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35869\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35869\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35869\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35869\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/062a7f0ff46eb57aff526897bd2bebfdb1d3046a\",\n \"https://git.kernel.org/stable/c/645f332c6b63499cc76197f9b6bffcc659ba64cc\",\n \"https://git.kernel.org/stable/c/e1db9ae87b7148c021daee1fcc4bc71b2ac58a79\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: guarantee refcounted children from parent session\\n\\nAvoid potential use-after-free bugs when walking DFS referrals,\\nmounting and performing DFS failover by ensuring that all children\\nfrom parent @tcon->ses are also refcounted. They're all needed across\\nthe entire DFS mount. Get rid of @tcon->dfs_ses_list while we're at\\nit, too.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35869\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35870", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35870" + }, + { + "url": "https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa" + }, + { + "url": "https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5" + }, + { + "url": "https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35870 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35870", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in smb2_reconnect_server()\n\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\nis already being teared down by another thread that is executing\n__cifs_put_smb_ses(). This can happen when (a) the client has\nconnection to the server but no session or (b) another thread ends up\nsetting @ses->ses_status again to something different than\nSES_EXITING.\n\nTo fix this, we need to make sure to unconditionally set\n@ses->ses_status to SES_EXITING and prevent any other threads from\nsetting a new status while we're still tearing it down.\n\nThe following can be reproduced by adding some delay to right after\nthe ipc is freed in __cifs_put_smb_ses() - which will give\nsmb2_reconnect_server() worker a chance to run and then accessing\n@ses->ipc:\n\nkinit ...\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\n[disconnect srv]\nls /mnt/1 &>/dev/null\nsleep 30\nkdestroy\n[reconnect srv]\nsleep 10\numount /mnt/1\n...\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\ngeneral protection fault, probably for non-canonical address\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? die_addr+0x36/0x90\n ? exc_general_protection+0x1c1/0x3f0\n ? asm_exc_general_protection+0x26/0x30\n ? __list_del_entry_valid_or_report+0x33/0xf0\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\n smb2_reconnect_server+0x4ed/0x710 [cifs]\n process_one_work+0x205/0x6b0\n worker_thread+0x191/0x360\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe2/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35870\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35870\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35870\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35870\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35870\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa\",\n \"https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5\",\n \"https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix UAF in smb2_reconnect_server()\\n\\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\\nis already being teared down by another thread that is executing\\n__cifs_put_smb_ses(). This can happen when (a) the client has\\nconnection to the server but no session or (b) another thread ends up\\nsetting @ses->ses_status again to something different than\\nSES_EXITING.\\n\\nTo fix this, we need to make sure to unconditionally set\\n@ses->ses_status to SES_EXITING and prevent any other threads from\\nsetting a new status while we're still tearing it down.\\n\\nThe following can be reproduced by adding some delay to right after\\nthe ipc is freed in __cifs_put_smb_ses() - which will give\\nsmb2_reconnect_server() worker a chance to run and then accessing\\n@ses->ipc:\\n\\nkinit ...\\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\\n[disconnect srv]\\nls /mnt/1 &>/dev/null\\nsleep 30\\nkdestroy\\n[reconnect srv]\\nsleep 10\\numount /mnt/1\\n...\\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\\nCIFS: VFS: \\\\\\\\srv Send error in SessSetup = -126\\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\\nCIFS: VFS: \\\\\\\\srv Send error in SessSetup = -126\\ngeneral protection fault, probably for non-canonical address\\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\\n04/01/2014\\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\\nknlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? die_addr+0x36/0x90\\n ? exc_general_protection+0x1c1/0x3f0\\n ? asm_exc_general_protection+0x26/0x30\\n ? __list_del_entry_valid_or_report+0x33/0xf0\\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\\n smb2_reconnect_server+0x4ed/0x710 [cifs]\\n process_one_work+0x205/0x6b0\\n worker_thread+0x191/0x360\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xe2/0x110\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x34/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1a/0x30\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35870\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35871", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35871" + }, + { + "url": "https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4" + }, + { + "url": "https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5" + }, + { + "url": "https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8" + }, + { + "url": "https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9" + }, + { + "url": "https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef" + }, + { + "url": "https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35871 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35871", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: process: Fix kernel gp leakage\n\nchildregs represents the registers which are active for the new thread\nin user context. For a kernel thread, childregs->gp is never used since\nthe kernel gp is not touched by switch_to. For a user mode helper, the\ngp value can be observed in user space after execve or possibly by other\nmeans.\n\n[From the email thread]\n\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\n\nchildregs is the *user* context during syscall execution and it is observable\nfrom userspace in at least five ways:\n\n1. kernel_execve does not currently clear integer registers, so the starting\n register state for PID 1 and other user processes started by the kernel has\n sp = user stack, gp = kernel __global_pointer$, all other integer registers\n zeroed by the memset in the patch comment.\n\n This is a bug in its own right, but I'm unwilling to bet that it is the only\n way to exploit the issue addressed by this patch.\n\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\n before it execs, but ptrace requires SIGSTOP to be delivered which can only\n happen at user/kernel boundaries.\n\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\n user_mode_helpers before the exec completes, but gp is not one of the\n registers it returns.\n\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\n addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\n are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\n LOCKDOWN_PERF. I have not attempted to write exploit code.\n\n5. Much of the tracing infrastructure allows access to user registers. I have\n not attempted to determine which forms of tracing allow access to user\n registers without already allowing access to kernel registers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35871\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35871\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35871\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35871\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35871\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4\",\n \"https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5\",\n \"https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8\",\n \"https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9\",\n \"https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef\",\n \"https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: process: Fix kernel gp leakage\\n\\nchildregs represents the registers which are active for the new thread\\nin user context. For a kernel thread, childregs->gp is never used since\\nthe kernel gp is not touched by switch_to. For a user mode helper, the\\ngp value can be observed in user space after execve or possibly by other\\nmeans.\\n\\n[From the email thread]\\n\\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\\n\\nchildregs is the *user* context during syscall execution and it is observable\\nfrom userspace in at least five ways:\\n\\n1. kernel_execve does not currently clear integer registers, so the starting\\n register state for PID 1 and other user processes started by the kernel has\\n sp = user stack, gp = kernel __global_pointer$, all other integer registers\\n zeroed by the memset in the patch comment.\\n\\n This is a bug in its own right, but I'm unwilling to bet that it is the only\\n way to exploit the issue addressed by this patch.\\n\\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\\n before it execs, but ptrace requires SIGSTOP to be delivered which can only\\n happen at user/kernel boundaries.\\n\\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\\n user_mode_helpers before the exec completes, but gp is not one of the\\n registers it returns.\\n\\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\\n addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\\n are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\\n LOCKDOWN_PERF. I have not attempted to write exploit code.\\n\\n5. Much of the tracing infrastructure allows access to user registers. I have\\n not attempted to determine which forms of tracing allow access to user\\n registers without already allowing access to kernel registers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35871\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35872", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35872" + }, + { + "url": "https://git.kernel.org/stable/c/201e4aaf405dfd1308da54448654053004c579b5" + }, + { + "url": "https://git.kernel.org/stable/c/43fad1d0284de30159661d0badfc3cbaf7e6f8f8" + }, + { + "url": "https://git.kernel.org/stable/c/65291dcfcf8936e1b23cfd7718fdfde7cfaf7706" + }, + { + "url": "https://git.kernel.org/stable/c/6564b014af92b677c1f07c44d7f5b595d589cf6e" + }, + { + "url": "https://git.kernel.org/stable/c/9c2b4b657739ecda38e3b383354a29566955ac48" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35872 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35872", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix GUP-fast succeeding on secretmem folios\n\nfolio_is_secretmem() currently relies on secretmem folios being LRU\nfolios, to save some cycles.\n\nHowever, folios might reside in a folio batch without the LRU flag set, or\ntemporarily have their LRU flag cleared. Consequently, the LRU flag is\nunreliable for this purpose.\n\nIn particular, this is the case when secretmem_fault() allocates a fresh\npage and calls filemap_add_folio()->folio_add_lru(). The folio might be\nadded to the per-cpu folio batch and won't get the LRU flag set until the\nbatch was drained using e.g., lru_add_drain().\n\nConsequently, folio_is_secretmem() might not detect secretmem folios and\nGUP-fast can succeed in grabbing a secretmem folio, crashing the kernel\nwhen we would later try reading/writing to the folio, because the folio\nhas been unmapped from the directmap.\n\nFix it by removing that unreliable check.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35872\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35872\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35872\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35872\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35872\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/201e4aaf405dfd1308da54448654053004c579b5\",\n \"https://git.kernel.org/stable/c/43fad1d0284de30159661d0badfc3cbaf7e6f8f8\",\n \"https://git.kernel.org/stable/c/65291dcfcf8936e1b23cfd7718fdfde7cfaf7706\",\n \"https://git.kernel.org/stable/c/6564b014af92b677c1f07c44d7f5b595d589cf6e\",\n \"https://git.kernel.org/stable/c/9c2b4b657739ecda38e3b383354a29566955ac48\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/secretmem: fix GUP-fast succeeding on secretmem folios\\n\\nfolio_is_secretmem() currently relies on secretmem folios being LRU\\nfolios, to save some cycles.\\n\\nHowever, folios might reside in a folio batch without the LRU flag set, or\\ntemporarily have their LRU flag cleared. Consequently, the LRU flag is\\nunreliable for this purpose.\\n\\nIn particular, this is the case when secretmem_fault() allocates a fresh\\npage and calls filemap_add_folio()->folio_add_lru(). The folio might be\\nadded to the per-cpu folio batch and won't get the LRU flag set until the\\nbatch was drained using e.g., lru_add_drain().\\n\\nConsequently, folio_is_secretmem() might not detect secretmem folios and\\nGUP-fast can succeed in grabbing a secretmem folio, crashing the kernel\\nwhen we would later try reading/writing to the folio, because the folio\\nhas been unmapped from the directmap.\\n\\nFix it by removing that unreliable check.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35872\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35875", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35875" + }, + { + "url": "https://git.kernel.org/stable/c/08044b08b37528b82f70a87576c692b4e4b7716e" + }, + { + "url": "https://git.kernel.org/stable/c/22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374" + }, + { + "url": "https://git.kernel.org/stable/c/453b5f2dec276c1bb4ea078bf8c0da57ee4627e5" + }, + { + "url": "https://git.kernel.org/stable/c/99485c4c026f024e7cb82da84c7951dbe3deb584" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35875 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35875", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/coco: Require seeding RNG with RDRAND on CoCo systems\n\nThere are few uses of CoCo that don't rely on working cryptography and\nhence a working RNG. Unfortunately, the CoCo threat model means that the\nVM host cannot be trusted and may actively work against guests to\nextract secrets or manipulate computation. Since a malicious host can\nmodify or observe nearly all inputs to guests, the only remaining source\nof entropy for CoCo guests is RDRAND.\n\nIf RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole\nis meant to gracefully continue on gathering entropy from other sources,\nbut since there aren't other sources on CoCo, this is catastrophic.\nThis is mostly a concern at boot time when initially seeding the RNG, as\nafter that the consequences of a broken RDRAND are much more\ntheoretical.\n\nSo, try at boot to seed the RNG using 256 bits of RDRAND output. If this\nfails, panic(). This will also trigger if the system is booted without\nRDRAND, as RDRAND is essential for a safe CoCo boot.\n\nAdd this deliberately to be \"just a CoCo x86 driver feature\" and not\npart of the RNG itself. Many device drivers and platforms have some\ndesire to contribute something to the RNG, and add_device_randomness()\nis specifically meant for this purpose.\n\nAny driver can call it with seed data of any quality, or even garbage\nquality, and it can only possibly make the quality of the RNG better or\nhave no effect, but can never make it worse.\n\nRather than trying to build something into the core of the RNG, consider\nthe particular CoCo issue just a CoCo issue, and therefore separate it\nall out into driver (well, arch/platform) code.\n\n [ bp: Massage commit message. ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35875\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35875\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35875\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35875\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35875\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08044b08b37528b82f70a87576c692b4e4b7716e\",\n \"https://git.kernel.org/stable/c/22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374\",\n \"https://git.kernel.org/stable/c/453b5f2dec276c1bb4ea078bf8c0da57ee4627e5\",\n \"https://git.kernel.org/stable/c/99485c4c026f024e7cb82da84c7951dbe3deb584\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/coco: Require seeding RNG with RDRAND on CoCo systems\\n\\nThere are few uses of CoCo that don't rely on working cryptography and\\nhence a working RNG. Unfortunately, the CoCo threat model means that the\\nVM host cannot be trusted and may actively work against guests to\\nextract secrets or manipulate computation. Since a malicious host can\\nmodify or observe nearly all inputs to guests, the only remaining source\\nof entropy for CoCo guests is RDRAND.\\n\\nIf RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole\\nis meant to gracefully continue on gathering entropy from other sources,\\nbut since there aren't other sources on CoCo, this is catastrophic.\\nThis is mostly a concern at boot time when initially seeding the RNG, as\\nafter that the consequences of a broken RDRAND are much more\\ntheoretical.\\n\\nSo, try at boot to seed the RNG using 256 bits of RDRAND output. If this\\nfails, panic(). This will also trigger if the system is booted without\\nRDRAND, as RDRAND is essential for a safe CoCo boot.\\n\\nAdd this deliberately to be \\\"just a CoCo x86 driver feature\\\" and not\\npart of the RNG itself. Many device drivers and platforms have some\\ndesire to contribute something to the RNG, and add_device_randomness()\\nis specifically meant for this purpose.\\n\\nAny driver can call it with seed data of any quality, or even garbage\\nquality, and it can only possibly make the quality of the RNG better or\\nhave no effect, but can never make it worse.\\n\\nRather than trying to build something into the core of the RNG, consider\\nthe particular CoCo issue just a CoCo issue, and therefore separate it\\nall out into driver (well, arch/platform) code.\\n\\n [ bp: Massage commit message. ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35875\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35877", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35877" + }, + { + "url": "https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221" + }, + { + "url": "https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173" + }, + { + "url": "https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6" + }, + { + "url": "https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec" + }, + { + "url": "https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a" + }, + { + "url": "https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f" + }, + { + "url": "https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4" + }, + { + "url": "https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35877 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35877", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: fix VM_PAT handling in COW mappings\n\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios. Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\n\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\n\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\n\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\n\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode. We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\n\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\n\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\n\n<--- C reproducer --->\n #include \n #include \n #include \n #include \n\n int main(void)\n {\n struct io_uring_params p = {};\n int ring_fd;\n size_t size;\n char *map;\n\n ring_fd = io_uring_setup(1, &p);\n if (ring_fd < 0) {\n perror(\"io_uring_setup\");\n return 1;\n }\n size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\n\n /* Map the submission queue ring MAP_PRIVATE */\n map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n ring_fd, IORING_OFF_SQ_RING);\n if (map == MAP_FAILED) {\n perror(\"mmap\");\n return 1;\n }\n\n /* We have at least one page. Let's COW it. */\n *map = 0;\n pause();\n return 0;\n }\n<--- C reproducer --->\n\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[ 301.552930] ------------[ cut here ]------------\n[ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[ 301.565725] PKRU: 55555554\n[ 301.565944] Call Trace:\n[ 301.566148] \n[ 301.566325] ? untrack_pfn+0xf4/0x100\n[ 301.566618] ? __warn+0x81/0x130\n[ 301.566876] ? untrack_pfn+0xf4/0x100\n[ 3\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35877\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35877\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35877\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35877\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35877\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221\",\n \"https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173\",\n \"https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6\",\n \"https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec\",\n \"https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a\",\n \"https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f\",\n \"https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4\",\n \"https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/mm/pat: fix VM_PAT handling in COW mappings\\n\\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\\nin fact, all PTEs) can be replaced during write faults to point at anon\\nfolios. Reliably recovering the correct PFN and cachemode using\\nfollow_phys() from PTEs will not work in COW mappings.\\n\\nUsing follow_phys(), we might just get the address+protection of the anon\\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\\ntrack_pfn_copy(), not properly calling free_pfn_range().\\n\\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\\nit with the wrong range, possibly leaking memory.\\n\\nTo fix that, let's update follow_phys() to refuse returning anon folios,\\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\\nif we run into that.\\n\\nWe will now properly handle untrack_pfn() with COW mappings, where we\\ndon't need the cachemode. We'll have to fail fork()->track_pfn_copy() if\\nthe first page was replaced by an anon folio, though: we'd have to store\\nthe cachemode in the VMA to make this work, likely growing the VMA size.\\n\\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\\ncase: it would have failed in the past with swap/nonswap entries already,\\nand it would have done the wrong thing with anon folios.\\n\\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\\n\\n<--- C reproducer --->\\n #include \\n #include \\n #include \\n #include \\n\\n int main(void)\\n {\\n struct io_uring_params p = {};\\n int ring_fd;\\n size_t size;\\n char *map;\\n\\n ring_fd = io_uring_setup(1, &p);\\n if (ring_fd < 0) {\\n perror(\\\"io_uring_setup\\\");\\n return 1;\\n }\\n size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\\n\\n /* Map the submission queue ring MAP_PRIVATE */\\n map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\\n ring_fd, IORING_OFF_SQ_RING);\\n if (map == MAP_FAILED) {\\n perror(\\\"mmap\\\");\\n return 1;\\n }\\n\\n /* We have at least one page. Let's COW it. */\\n *map = 0;\\n pause();\\n return 0;\\n }\\n<--- C reproducer --->\\n\\nOn a system with 16 GiB RAM and swap configured:\\n # ./iouring &\\n # memhog 16G\\n # killall iouring\\n[ 301.552930] ------------[ cut here ]------------\\n[ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\\n[ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\\n[ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\\n[ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\\n[ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\\n[ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\\n[ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\\n[ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\\n[ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\\n[ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\\n[ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\\n[ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\\n[ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\\n[ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\\n[ 301.565725] PKRU: 55555554\\n[ 301.565944] Call Trace:\\n[ 301.566148] \\n[ 301.566325] ? untrack_pfn+0xf4/0x100\\n[ 301.566618] ? __warn+0x81/0x130\\n[ 301.566876] ? untrack_pfn+0xf4/0x100\\n[ 3\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35877\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35878", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35878" + }, + { + "url": "https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898" + }, + { + "url": "https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987" + }, + { + "url": "https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35878 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35878", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: prevent NULL pointer dereference in vsnprintf()\n\nIn of_modalias(), we can get passed the str and len parameters which would\ncause a kernel oops in vsnprintf() since it only allows passing a NULL ptr\nwhen the length is also 0. Also, we need to filter out the negative values\nof the len parameter as these will result in a really huge buffer since\nsnprintf() takes size_t parameter while ours is ssize_t...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35878\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35878\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35878\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35878\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35878\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898\",\n \"https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987\",\n \"https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nof: module: prevent NULL pointer dereference in vsnprintf()\\n\\nIn of_modalias(), we can get passed the str and len parameters which would\\ncause a kernel oops in vsnprintf() since it only allows passing a NULL ptr\\nwhen the length is also 0. Also, we need to filter out the negative values\\nof the len parameter as these will result in a really huge buffer since\\nsnprintf() takes size_t parameter while ours is ssize_t...\\n\\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\\nanalysis tool.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35878\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35879", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35879" + }, + { + "url": "https://git.kernel.org/stable/c/3127b2ee50c424a96eb3559fbb7b43cf0b111c7a" + }, + { + "url": "https://git.kernel.org/stable/c/3ee2424107546d882e1ddd75333ca9c32879908c" + }, + { + "url": "https://git.kernel.org/stable/c/7b6df050c45a1ea158fd50bc32a8e1447dd1e951" + }, + { + "url": "https://git.kernel.org/stable/c/801c8b8ec5bfb3519566dff16a5ecd48302fca82" + }, + { + "url": "https://git.kernel.org/stable/c/8917e7385346bd6584890ed362985c219fe6ae84" + }, + { + "url": "https://git.kernel.org/stable/c/ae6d76e4f06c37a623e357e79d49b17411db6f5c" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35879 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35879", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\n\nIn the following sequence:\n 1) of_platform_depopulate()\n 2) of_overlay_remove()\n\nDuring the step 1, devices are destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n ERROR: memory leak, expected refcount 1 instead of 2 ...\n\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\n\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35879\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35879\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35879\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35879\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35879\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3127b2ee50c424a96eb3559fbb7b43cf0b111c7a\",\n \"https://git.kernel.org/stable/c/3ee2424107546d882e1ddd75333ca9c32879908c\",\n \"https://git.kernel.org/stable/c/7b6df050c45a1ea158fd50bc32a8e1447dd1e951\",\n \"https://git.kernel.org/stable/c/801c8b8ec5bfb3519566dff16a5ecd48302fca82\",\n \"https://git.kernel.org/stable/c/8917e7385346bd6584890ed362985c219fe6ae84\",\n \"https://git.kernel.org/stable/c/ae6d76e4f06c37a623e357e79d49b17411db6f5c\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\\n\\nIn the following sequence:\\n 1) of_platform_depopulate()\\n 2) of_overlay_remove()\\n\\nDuring the step 1, devices are destroyed and devlinks are removed.\\nDuring the step 2, OF nodes are destroyed but\\n__of_changeset_entry_destroy() can raise warnings related to missing\\nof_node_put():\\n ERROR: memory leak, expected refcount 1 instead of 2 ...\\n\\nIndeed, during the devlink removals performed at step 1, the removal\\nitself releasing the device (and the attached of_node) is done by a job\\nqueued in a workqueue and so, it is done asynchronously with respect to\\nfunction calls.\\nWhen the warning is present, of_node_put() will be called but wrongly\\ntoo late from the workqueue job.\\n\\nIn order to be sure that any ongoing devlink removals are done before\\nthe of_node destruction, synchronize the of_changeset_destroy() with the\\ndevlink removals.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35879\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35884", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35884" + }, + { + "url": "https://git.kernel.org/stable/c/3001e7aa43d6691db2a878b0745b854bf12ddd19" + }, + { + "url": "https://git.kernel.org/stable/c/3391b157780bbedf8ef9f202cbf10ee90bf6b0f8" + }, + { + "url": "https://git.kernel.org/stable/c/35fe0e0b5c00bef7dde74842a2564c43856fbce4" + }, + { + "url": "https://git.kernel.org/stable/c/3d010c8031e39f5fa1e8b13ada77e0321091011f" + }, + { + "url": "https://git.kernel.org/stable/c/d12245080cb259d82b34699f6cd4ec11bdb688bd" + }, + { + "url": "https://git.kernel.org/stable/c/d49ae15a5767d4e9ef8bbb79e42df1bfebc94670" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35884 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35884", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: do not accept non-tunnel GSO skbs landing in a tunnel\n\nWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed when\nbeing forwarded. If such packets might land in a tunnel this can cause\nvarious issues and udp_gro_receive makes sure this isn't the case by\nlooking for a matching socket. This is performed in\nudp4/6_gro_lookup_skb but only in the current netns. This is an issue\nwith tunneled packets when the endpoint is in another netns. In such\ncases the packets will be GROed at the UDP level, which leads to various\nissues later on. The same thing can happen with rx-gro-list.\n\nWe saw this with geneve packets being GROed at the UDP level. In such\ncase gso_size is set; later the packet goes through the geneve rx path,\nthe geneve header is pulled, the offset are adjusted and frag_list skbs\nare not adjusted with regard to geneve. When those skbs hit\nskb_fragment, it will misbehave. Different outcomes are possible\ndepending on what the GROed skbs look like; from corrupted packets to\nkernel crashes.\n\nOne example is a BUG_ON[1] triggered in skb_segment while processing the\nfrag_list. Because gso_size is wrong (geneve header was pulled)\nskb_segment thinks there is \"geneve header size\" of data in frag_list,\nalthough it's in fact the next packet. The BUG_ON itself has nothing to\ndo with the issue. This is only one of the potential issues.\n\nLooking up for a matching socket in udp_gro_receive is fragile: the\nlookup could be extended to all netns (not speaking about performances)\nbut nothing prevents those packets from being modified in between and we\ncould still not find a matching socket. It's OK to keep the current\nlogic there as it should cover most cases but we also need to make sure\nwe handle tunnel packets being GROed too early.\n\nThis is done by extending the checks in udp_unexpected_gso: GSO packets\nlacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must\nbe segmented.\n\n[1] kernel BUG at net/core/skbuff.c:4408!\n RIP: 0010:skb_segment+0xd2a/0xf70\n __udp_gso_segment+0xaa/0x560", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35884\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35884\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35884\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35884\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35884\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3001e7aa43d6691db2a878b0745b854bf12ddd19\",\n \"https://git.kernel.org/stable/c/3391b157780bbedf8ef9f202cbf10ee90bf6b0f8\",\n \"https://git.kernel.org/stable/c/35fe0e0b5c00bef7dde74842a2564c43856fbce4\",\n \"https://git.kernel.org/stable/c/3d010c8031e39f5fa1e8b13ada77e0321091011f\",\n \"https://git.kernel.org/stable/c/d12245080cb259d82b34699f6cd4ec11bdb688bd\",\n \"https://git.kernel.org/stable/c/d49ae15a5767d4e9ef8bbb79e42df1bfebc94670\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nudp: do not accept non-tunnel GSO skbs landing in a tunnel\\n\\nWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed when\\nbeing forwarded. If such packets might land in a tunnel this can cause\\nvarious issues and udp_gro_receive makes sure this isn't the case by\\nlooking for a matching socket. This is performed in\\nudp4/6_gro_lookup_skb but only in the current netns. This is an issue\\nwith tunneled packets when the endpoint is in another netns. In such\\ncases the packets will be GROed at the UDP level, which leads to various\\nissues later on. The same thing can happen with rx-gro-list.\\n\\nWe saw this with geneve packets being GROed at the UDP level. In such\\ncase gso_size is set; later the packet goes through the geneve rx path,\\nthe geneve header is pulled, the offset are adjusted and frag_list skbs\\nare not adjusted with regard to geneve. When those skbs hit\\nskb_fragment, it will misbehave. Different outcomes are possible\\ndepending on what the GROed skbs look like; from corrupted packets to\\nkernel crashes.\\n\\nOne example is a BUG_ON[1] triggered in skb_segment while processing the\\nfrag_list. Because gso_size is wrong (geneve header was pulled)\\nskb_segment thinks there is \\\"geneve header size\\\" of data in frag_list,\\nalthough it's in fact the next packet. The BUG_ON itself has nothing to\\ndo with the issue. This is only one of the potential issues.\\n\\nLooking up for a matching socket in udp_gro_receive is fragile: the\\nlookup could be extended to all netns (not speaking about performances)\\nbut nothing prevents those packets from being modified in between and we\\ncould still not find a matching socket. It's OK to keep the current\\nlogic there as it should cover most cases but we also need to make sure\\nwe handle tunnel packets being GROed too early.\\n\\nThis is done by extending the checks in udp_unexpected_gso: GSO packets\\nlacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must\\nbe segmented.\\n\\n[1] kernel BUG at net/core/skbuff.c:4408!\\n RIP: 0010:skb_segment+0xd2a/0xf70\\n __udp_gso_segment+0xaa/0x560\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35884\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35885", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35885" + }, + { + "url": "https://git.kernel.org/stable/c/09ba28e1cd3cf715daab1fca6e1623e22fd754a6" + }, + { + "url": "https://git.kernel.org/stable/c/36a1cb0371aa6f0698910ee70cb4ed3c349f4fa4" + }, + { + "url": "https://git.kernel.org/stable/c/63a10b530e22cc923008b5925821c26872f37971" + }, + { + "url": "https://git.kernel.org/stable/c/80247e0eca14ff177d565f58ecd3010f6b7910a4" + }, + { + "url": "https://git.kernel.org/stable/c/9783b3b0e71d704949214a8f76468f591a31f3f5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35885 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35885", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: stop interface during shutdown\n\nThe mlxbf_gige driver intermittantly encounters a NULL pointer\nexception while the system is shutting down via \"reboot\" command.\nThe mlxbf_driver will experience an exception right after executing\nits shutdown() method. One example of this exception is:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\nMem abort info:\n ESR = 0x0000000096000004\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000004\n CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000\n[0000000000000070] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] SMP\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S OE 5.15.0-bf.6.gef6992a #1\nHardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\nlr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\nsp : ffff8000080d3c10\nx29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58\nx26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008\nx23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128\nx20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff\nx17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7\nx14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101\nx11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404\nx8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080\nx5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\n mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\n __napi_poll+0x40/0x1c8\n net_rx_action+0x314/0x3a0\n __do_softirq+0x128/0x334\n run_ksoftirqd+0x54/0x6c\n smpboot_thread_fn+0x14c/0x190\n kthread+0x10c/0x110\n ret_from_fork+0x10/0x20\nCode: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)\n---[ end trace 7cc3941aa0d8e6a4 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\nKernel Offset: 0x4ce722520000 from 0xffff800008000000\nPHYS_OFFSET: 0x80000000\nCPU features: 0x000005c1,a3330e5a\nMemory Limit: none\n---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nDuring system shutdown, the mlxbf_gige driver's shutdown() is always executed.\nHowever, the driver's stop() method will only execute if networking interface\nconfiguration logic within the Linux distribution has been setup to do so.\n\nIf shutdown() executes but stop() does not execute, NAPI remains enabled\nand this can lead to an exception if NAPI is scheduled while the hardware\ninterface has only been partially deinitialized.\n\nThe networking interface managed by the mlxbf_gige driver must be properly\nstopped during system shutdown so that IFF_UP is cleared, the hardware\ninterface is put into a clean state, and NAPI is fully deinitialized.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35885\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35885\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35885\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35885\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35885\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09ba28e1cd3cf715daab1fca6e1623e22fd754a6\",\n \"https://git.kernel.org/stable/c/36a1cb0371aa6f0698910ee70cb4ed3c349f4fa4\",\n \"https://git.kernel.org/stable/c/63a10b530e22cc923008b5925821c26872f37971\",\n \"https://git.kernel.org/stable/c/80247e0eca14ff177d565f58ecd3010f6b7910a4\",\n \"https://git.kernel.org/stable/c/9783b3b0e71d704949214a8f76468f591a31f3f5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxbf_gige: stop interface during shutdown\\n\\nThe mlxbf_gige driver intermittantly encounters a NULL pointer\\nexception while the system is shutting down via \\\"reboot\\\" command.\\nThe mlxbf_driver will experience an exception right after executing\\nits shutdown() method. One example of this exception is:\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\\nMem abort info:\\n ESR = 0x0000000096000004\\n EC = 0x25: DABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x04: level 0 translation fault\\nData abort info:\\n ISV = 0, ISS = 0x00000004\\n CM = 0, WnR = 0\\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000\\n[0000000000000070] pgd=0000000000000000, p4d=0000000000000000\\nInternal error: Oops: 96000004 [#1] SMP\\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S OE 5.15.0-bf.6.gef6992a #1\\nHardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023\\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\\nlr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\\nsp : ffff8000080d3c10\\nx29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58\\nx26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008\\nx23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128\\nx20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff\\nx17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7\\nx14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101\\nx11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404\\nx8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080\\nx5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001\\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\\nCall trace:\\n mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\\n mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\\n __napi_poll+0x40/0x1c8\\n net_rx_action+0x314/0x3a0\\n __do_softirq+0x128/0x334\\n run_ksoftirqd+0x54/0x6c\\n smpboot_thread_fn+0x14c/0x190\\n kthread+0x10c/0x110\\n ret_from_fork+0x10/0x20\\nCode: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)\\n---[ end trace 7cc3941aa0d8e6a4 ]---\\nKernel panic - not syncing: Oops: Fatal exception in interrupt\\nKernel Offset: 0x4ce722520000 from 0xffff800008000000\\nPHYS_OFFSET: 0x80000000\\nCPU features: 0x000005c1,a3330e5a\\nMemory Limit: none\\n---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\\n\\nDuring system shutdown, the mlxbf_gige driver's shutdown() is always executed.\\nHowever, the driver's stop() method will only execute if networking interface\\nconfiguration logic within the Linux distribution has been setup to do so.\\n\\nIf shutdown() executes but stop() does not execute, NAPI remains enabled\\nand this can lead to an exception if NAPI is scheduled while the hardware\\ninterface has only been partially deinitialized.\\n\\nThe networking interface managed by the mlxbf_gige driver must be properly\\nstopped during system shutdown so that IFF_UP is cleared, the hardware\\ninterface is put into a clean state, and NAPI is fully deinitialized.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35885\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35886", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35886" + }, + { + "url": "https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2" + }, + { + "url": "https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778" + }, + { + "url": "https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061" + }, + { + "url": "https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe" + }, + { + "url": "https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985" + }, + { + "url": "https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae" + }, + { + "url": "https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776" + }, + { + "url": "https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35886 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35886", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix infinite recursion in fib6_dump_done().\n\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction. [1]\n\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated. The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection. [0]\n\n 12:01:34 executing program 3:\n r0 = socket$nl_route(0x10, 0x3, 0x0)\n sendmsg$nl_route(r0, ... snip ...)\n recvmmsg(r0, ... snip ...) (fail_nth: 8)\n\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\n\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\n\nTo avoid the issue, let's set the destructor after kzalloc().\n\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\n\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n \n \n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35886\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35886\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35886\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35886\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35886\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2\",\n \"https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778\",\n \"https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061\",\n \"https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe\",\n \"https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985\",\n \"https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae\",\n \"https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776\",\n \"https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: Fix infinite recursion in fib6_dump_done().\\n\\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\\nnetlink socket destruction. [1]\\n\\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\\nthe response was generated. The following recvmmsg() resumed the dump\\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\\nto the fault injection. [0]\\n\\n 12:01:34 executing program 3:\\n r0 = socket$nl_route(0x10, 0x3, 0x0)\\n sendmsg$nl_route(r0, ... snip ...)\\n recvmmsg(r0, ... snip ...) (fail_nth: 8)\\n\\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped\\nreceiving the response halfway through, and finally netlink_sock_destruct()\\ncalled nlk_sk(sk)->cb.done().\\n\\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\\nis still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\\nitself recursively and hitting the stack guard page.\\n\\nTo avoid the issue, let's set the destructor after kzalloc().\\n\\n[0]:\\nFAULT_INJECTION: forcing a failure.\\nname failslab, interval 1, probability 0, space 0, times 0\\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\nCall Trace:\\n \\n dump_stack_lvl (lib/dump_stack.c:117)\\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\\n should_failslab (mm/slub.c:3733)\\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\\n rtnl_dump_all (net/core/rtnetlink.c:4029)\\n netlink_dump (net/netlink/af_netlink.c:2269)\\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\\n ___sys_recvmsg (net/socket.c:2846)\\n do_recvmmsg (net/socket.c:2943)\\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\\n\\n[1]:\\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\nWorkqueue: events netlink_sock_destruct_work\\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\\nFS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\\nPKRU: 55555554\\nCall Trace:\\n <#DF>\\n \\n \\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\\n ...\\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\\n sk_destruct (net/core/sock.c:2224)\\n __sk_free (net/core/sock.c:2235)\\n sk_free (net/core/sock.c:2246)\\n process_one_work (kernel/workqueue.c:3259)\\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35886\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35887", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35887" + }, + { + "url": "https://git.kernel.org/stable/c/74204bf9050f7627aead9875fe4e07ba125cb19b" + }, + { + "url": "https://git.kernel.org/stable/c/c6a368f9c7af4c14b14d390c2543af8001c9bdb9" + }, + { + "url": "https://git.kernel.org/stable/c/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35887 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35887", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\n\nWhen the ax25 device is detaching, the ax25_dev_device_down()\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\nthe timer handler is running, the ax25_ds_del_timer() that\ncalls del_timer() in it will return directly. As a result,\nthe use-after-free bugs could happen, one of the scenarios\nis shown below:\n\n (Thread 1) | (Thread 2)\n | ax25_ds_timeout()\nax25_dev_device_down() |\n ax25_ds_del_timer() |\n del_timer() |\n ax25_dev_put() //FREE |\n | ax25_dev-> //USE\n\nIn order to mitigate bugs, when the device is detaching, use\ntimer_shutdown_sync() to stop the timer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35887\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35887\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35887\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35887\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35887\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/74204bf9050f7627aead9875fe4e07ba125cb19b\",\n \"https://git.kernel.org/stable/c/c6a368f9c7af4c14b14d390c2543af8001c9bdb9\",\n \"https://git.kernel.org/stable/c/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\\n\\nWhen the ax25 device is detaching, the ax25_dev_device_down()\\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\\nthe timer handler is running, the ax25_ds_del_timer() that\\ncalls del_timer() in it will return directly. As a result,\\nthe use-after-free bugs could happen, one of the scenarios\\nis shown below:\\n\\n (Thread 1) | (Thread 2)\\n | ax25_ds_timeout()\\nax25_dev_device_down() |\\n ax25_ds_del_timer() |\\n del_timer() |\\n ax25_dev_put() //FREE |\\n | ax25_dev-> //USE\\n\\nIn order to mitigate bugs, when the device is detaching, use\\ntimer_shutdown_sync() to stop the timer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35887\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35888", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35888" + }, + { + "url": "https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac" + }, + { + "url": "https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446" + }, + { + "url": "https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0" + }, + { + "url": "https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d" + }, + { + "url": "https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d" + }, + { + "url": "https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85" + }, + { + "url": "https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5" + }, + { + "url": "https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35888 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35888", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: make sure erspan_base_hdr is present in skb->head\n\nsyzbot reported a problem in ip6erspan_rcv() [1]\n\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb->head)\nbefore getting @ver field from it.\n\nAdd the missing pskb_may_pull() calls.\n\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n because skb->head might have changed.\n\n[1]\n\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n pskb_may_pull include/linux/skbuff.h:2756 [inline]\n ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n dst_input include/net/dst.h:460 [inline]\n ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n netif_receive_skb_internal net/core/dev.c:5738 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n tun_alloc_skb drivers/net/tun.c:1525 [inline]\n tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35888\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35888\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35888\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35888\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35888\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac\",\n \"https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446\",\n \"https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0\",\n \"https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d\",\n \"https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d\",\n \"https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85\",\n \"https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5\",\n \"https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nerspan: make sure erspan_base_hdr is present in skb->head\\n\\nsyzbot reported a problem in ip6erspan_rcv() [1]\\n\\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\\nsure erspan_base_hdr is present in skb linear part (skb->head)\\nbefore getting @ver field from it.\\n\\nAdd the missing pskb_may_pull() calls.\\n\\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\\n because skb->head might have changed.\\n\\n[1]\\n\\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\\n pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\\n pskb_may_pull include/linux/skbuff.h:2756 [inline]\\n ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\\n gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\\n ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\\n NF_HOOK include/linux/netfilter.h:314 [inline]\\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\\n dst_input include/net/dst.h:460 [inline]\\n ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\\n NF_HOOK include/linux/netfilter.h:314 [inline]\\n ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\\n __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\\n __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\\n netif_receive_skb_internal net/core/dev.c:5738 [inline]\\n netif_receive_skb+0x58/0x660 net/core/dev.c:5798\\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\\n tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\\n call_write_iter include/linux/fs.h:2108 [inline]\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0xb63/0x1520 fs/read_write.c:590\\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\\n __do_sys_write fs/read_write.c:655 [inline]\\n __se_sys_write fs/read_write.c:652 [inline]\\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3804 [inline]\\n slab_alloc_node mm/slub.c:3845 [inline]\\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\\n alloc_skb include/linux/skbuff.h:1318 [inline]\\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\\n tun_alloc_skb drivers/net/tun.c:1525 [inline]\\n tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\\n call_write_iter include/linux/fs.h:2108 [inline]\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0xb63/0x1520 fs/read_write.c:590\\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\\n __do_sys_write fs/read_write.c:655 [inline]\\n __se_sys_write fs/read_write.c:652 [inline]\\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35888\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35890", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35890" + }, + { + "url": "https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad" + }, + { + "url": "https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f" + }, + { + "url": "https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f" + }, + { + "url": "https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486" + }, + { + "url": "https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35890 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35890", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngro: fix ownership transfer\n\nIf packets are GROed with fraglist they might be segmented later on and\ncontinue their journey in the stack. In skb_segment_list those skbs can\nbe reused as-is. This is an issue as their destructor was removed in\nskb_gro_receive_list but not the reference to their socket, and then\nthey can't be orphaned. Fix this by also removing the reference to the\nsocket.\n\nFor example this could be observed,\n\n kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)\n RIP: 0010:ip6_rcv_core+0x11bc/0x19a0\n Call Trace:\n ipv6_list_rcv+0x250/0x3f0\n __netif_receive_skb_list_core+0x49d/0x8f0\n netif_receive_skb_list_internal+0x634/0xd40\n napi_complete_done+0x1d2/0x7d0\n gro_cell_poll+0x118/0x1f0\n\nA similar construction is found in skb_gro_receive, apply the same\nchange there.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35890\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35890\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35890\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35890\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35890\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad\",\n \"https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f\",\n \"https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f\",\n \"https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486\",\n \"https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngro: fix ownership transfer\\n\\nIf packets are GROed with fraglist they might be segmented later on and\\ncontinue their journey in the stack. In skb_segment_list those skbs can\\nbe reused as-is. This is an issue as their destructor was removed in\\nskb_gro_receive_list but not the reference to their socket, and then\\nthey can't be orphaned. Fix this by also removing the reference to the\\nsocket.\\n\\nFor example this could be observed,\\n\\n kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)\\n RIP: 0010:ip6_rcv_core+0x11bc/0x19a0\\n Call Trace:\\n ipv6_list_rcv+0x250/0x3f0\\n __netif_receive_skb_list_core+0x49d/0x8f0\\n netif_receive_skb_list_internal+0x634/0xd40\\n napi_complete_done+0x1d2/0x7d0\\n gro_cell_poll+0x118/0x1f0\\n\\nA similar construction is found in skb_gro_receive, apply the same\\nchange there.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35890\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35892", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35892" + }, + { + "url": "https://git.kernel.org/stable/c/07696415526bee0607e495017369c7303a4792e1" + }, + { + "url": "https://git.kernel.org/stable/c/7eb322360b0266481e560d1807ee79e0cef5742b" + }, + { + "url": "https://git.kernel.org/stable/c/b7d1ce2cc7192e8a037faa3f5d3ba72c25976460" + }, + { + "url": "https://git.kernel.org/stable/c/c040b99461a5bfc14c2d0cbb1780fcc3a4706c7e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35892 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35892", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix lockdep splat in qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() is called with the qdisc lock held,\nnot RTNL.\n\nWe must use qdisc_lookup_rcu() instead of qdisc_lookup()\n\nsyzbot reported:\n\nWARNING: suspicious RCU usage\n6.1.74-syzkaller #0 Not tainted\n-----------------------------\nnet/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n3 locks held by udevd/1142:\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792\n\nstack backtrace:\nCPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n \n [] __dump_stack lib/dump_stack.c:88 [inline]\n [] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106\n [] dump_stack+0x15/0x1e lib/dump_stack.c:113\n [] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592\n [] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305\n [] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811\n [] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51\n [] qdisc_enqueue include/net/sch_generic.h:833 [inline]\n [] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723\n [] dequeue_skb net/sched/sch_generic.c:292 [inline]\n [] qdisc_restart net/sched/sch_generic.c:397 [inline]\n [] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415\n [] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\n [] net_tx_action+0x7c9/0x970 net/core/dev.c:5313\n [] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616\n [] invoke_softirq kernel/softirq.c:447 [inline]\n [] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700\n [] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712\n [] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107\n [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35892\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35892\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35892\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35892\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35892\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07696415526bee0607e495017369c7303a4792e1\",\n \"https://git.kernel.org/stable/c/7eb322360b0266481e560d1807ee79e0cef5742b\",\n \"https://git.kernel.org/stable/c/b7d1ce2cc7192e8a037faa3f5d3ba72c25976460\",\n \"https://git.kernel.org/stable/c/c040b99461a5bfc14c2d0cbb1780fcc3a4706c7e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: fix lockdep splat in qdisc_tree_reduce_backlog()\\n\\nqdisc_tree_reduce_backlog() is called with the qdisc lock held,\\nnot RTNL.\\n\\nWe must use qdisc_lookup_rcu() instead of qdisc_lookup()\\n\\nsyzbot reported:\\n\\nWARNING: suspicious RCU usage\\n6.1.74-syzkaller #0 Not tainted\\n-----------------------------\\nnet/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!\\n\\nother info that might help us debug this:\\n\\nrcu_scheduler_active = 2, debug_locks = 1\\n3 locks held by udevd/1142:\\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282\\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]\\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297\\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792\\n\\nstack backtrace:\\nCPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\\nCall Trace:\\n \\n [] __dump_stack lib/dump_stack.c:88 [inline]\\n [] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106\\n [] dump_stack+0x15/0x1e lib/dump_stack.c:113\\n [] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592\\n [] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305\\n [] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811\\n [] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51\\n [] qdisc_enqueue include/net/sch_generic.h:833 [inline]\\n [] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723\\n [] dequeue_skb net/sched/sch_generic.c:292 [inline]\\n [] qdisc_restart net/sched/sch_generic.c:397 [inline]\\n [] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415\\n [] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\\n [] net_tx_action+0x7c9/0x970 net/core/dev.c:5313\\n [] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616\\n [] invoke_softirq kernel/softirq.c:447 [inline]\\n [] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700\\n [] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712\\n [] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107\\n [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35892\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35893" + }, + { + "url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366" + }, + { + "url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5" + }, + { + "url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924" + }, + { + "url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c" + }, + { + "url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14" + }, + { + "url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd" + }, + { + "url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec" + }, + { + "url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366\",\n \"https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5\",\n \"https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924\",\n \"https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c\",\n \"https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14\",\n \"https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd\",\n \"https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec\",\n \"https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_skbmod: prevent kernel-infoleak\\n\\nsyzbot found that tcf_skbmod_dump() was copying four bytes\\nfrom kernel stack to user space [1].\\n\\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\\n\\nWe need to clear the structure before filling fields.\\n\\n[1]\\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n copy_to_user_iter lib/iov_iter.c:24 [inline]\\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\\n copy_to_iter include/linux/uio.h:196 [inline]\\n simple_copy_to_iter net/core/datagram.c:532 [inline]\\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\\n sock_recvmsg_nosec net/socket.c:1046 [inline]\\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\\n __do_sys_recvfrom net/socket.c:2260 [inline]\\n __se_sys_recvfrom net/socket.c:2256 [inline]\\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was stored to memory at:\\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\\n nlmsg_unicast include/net/netlink.h:1144 [inline]\\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\\n tcf_add_notify net/sched/act_api.c:2048 [inline]\\n tcf_action_add net/sched/act_api.c:2071 [inline]\\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\\n __sys_sendmsg net/socket.c:2667 [inline]\\n __do_sys_sendmsg net/socket.c:2676 [inline]\\n __se_sys_sendmsg net/socket.c:2674 [inline]\\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was stored to memory at:\\n __nla_put lib/nlattr.c:1041 [inline]\\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\\n tcf_add_notify net/sched/act_api.c:2042 [inline]\\n tcf_action_add net/sched/act_api.c:2071 [inline]\\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35895", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35895" + }, + { + "url": "https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86" + }, + { + "url": "https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd" + }, + { + "url": "https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5" + }, + { + "url": "https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec" + }, + { + "url": "https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75" + }, + { + "url": "https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058" + }, + { + "url": "https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35895 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35895", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\n\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\n\n CPU0 CPU1\n ---- ----\n lock(&htab->buckets[i].lock);\n local_irq_disable();\n lock(&host->lock);\n lock(&htab->buckets[i].lock);\n \n lock(&host->lock);\n\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\n\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\n\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program today.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35895\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35895\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35895\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35895\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35895\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86\",\n \"https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd\",\n \"https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5\",\n \"https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec\",\n \"https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75\",\n \"https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058\",\n \"https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\\n\\nsyzkaller started using corpuses where a BPF tracing program deletes\\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\\ninvoked from any interrupt context, locks taken during a map_delete_elem\\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\\nis possible, as reported by lockdep:\\n\\n CPU0 CPU1\\n ---- ----\\n lock(&htab->buckets[i].lock);\\n local_irq_disable();\\n lock(&host->lock);\\n lock(&htab->buckets[i].lock);\\n \\n lock(&host->lock);\\n\\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\\nenabled, or in softirq context.\\n\\nDetect when map_delete_elem operation is invoked from a context which is\\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\\nerror.\\n\\nNote that map updates are not affected by this issue. BPF verifier does not\\nallow updating sockmap/sockhash from a BPF tracing program today.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35895\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35896", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35896" + }, + { + "url": "https://git.kernel.org/stable/c/0c83842df40f86e529db6842231154772c20edcc" + }, + { + "url": "https://git.kernel.org/stable/c/0f038242b77ddfc505bf4163d4904c1abd2e74d6" + }, + { + "url": "https://git.kernel.org/stable/c/18aae2cb87e5faa9c5bd865260ceadac60d5a6c5" + }, + { + "url": "https://git.kernel.org/stable/c/440e948cf0eff32cfe322dcbca3f2525354b159b" + }, + { + "url": "https://git.kernel.org/stable/c/58f2bfb789e6bd3bc24a2c9c1580f3c67aec3018" + }, + { + "url": "https://git.kernel.org/stable/c/81d51b9b7c95e791ba3c1a2dd77920a9d3b3f525" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35896 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35896", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: validate user input for expected length\n\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\n\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\n\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\n nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n \n\nAllocated by task 7238:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:4069 [inline]\n __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\n kmalloc_noprof include/linux/slab.h:664 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\n\nThe buggy address belongs to the object at ffff88802cd73da0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35896\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35896\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35896\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35896\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35896\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c83842df40f86e529db6842231154772c20edcc\",\n \"https://git.kernel.org/stable/c/0f038242b77ddfc505bf4163d4904c1abd2e74d6\",\n \"https://git.kernel.org/stable/c/18aae2cb87e5faa9c5bd865260ceadac60d5a6c5\",\n \"https://git.kernel.org/stable/c/440e948cf0eff32cfe322dcbca3f2525354b159b\",\n \"https://git.kernel.org/stable/c/58f2bfb789e6bd3bc24a2c9c1580f3c67aec3018\",\n \"https://git.kernel.org/stable/c/81d51b9b7c95e791ba3c1a2dd77920a9d3b3f525\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: validate user input for expected length\\n\\nI got multiple syzbot reports showing old bugs exposed\\nby BPF after commit 20f2505fb436 (\\\"bpf: Try to avoid kzalloc\\nin cgroup/{s,g}etsockopt\\\")\\n\\nsetsockopt() @optlen argument should be taken into account\\nbefore copying data.\\n\\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\\n\\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\\n do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\\n nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\\n __do_sys_setsockopt net/socket.c:2343 [inline]\\n __se_sys_setsockopt net/socket.c:2340 [inline]\\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\\n do_syscall_64+0xfb/0x240\\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\\nRIP: 0033:0x7fd22067dde9\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\\n \\n\\nAllocated by task 7238:\\n kasan_save_stack mm/kasan/common.c:47 [inline]\\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\\n kasan_kmalloc include/linux/kasan.h:211 [inline]\\n __do_kmalloc_node mm/slub.c:4069 [inline]\\n __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\\n kmalloc_noprof include/linux/slab.h:664 [inline]\\n __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\\n __do_sys_setsockopt net/socket.c:2343 [inline]\\n __se_sys_setsockopt net/socket.c:2340 [inline]\\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\\n do_syscall_64+0xfb/0x240\\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\\n\\nThe buggy address belongs to the object at ffff88802cd73da0\\n which belongs to the cache kmalloc-8 of size 8\\nThe buggy address is located 0 bytes inside of\\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\\n\\nThe buggy address belongs to the physical page:\\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\\npage_type: 0xffffefff(slab)\\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35896\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35897", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35897" + }, + { + "url": "https://git.kernel.org/stable/c/1bc83a019bbe268be3526406245ec28c2458a518" + }, + { + "url": "https://git.kernel.org/stable/c/2aeb805a1bcd5f27c8c0d1a9d4d653f16d1506f4" + }, + { + "url": "https://git.kernel.org/stable/c/6cbbe1ba76ee7e674a86abd43009b083a45838cb" + }, + { + "url": "https://git.kernel.org/stable/c/7f609f630951b624348373cef99991ce08831927" + }, + { + "url": "https://git.kernel.org/stable/c/9627fd0c6ea1c446741a33e67bc5709c59923827" + }, + { + "url": "https://git.kernel.org/stable/c/9a3b90904d8a072287480eed4c3ece4b99d64f78" + }, + { + "url": "https://git.kernel.org/stable/c/b58d0ac35f6d75ec1db8650a29dfd6f292c11362" + }, + { + "url": "https://git.kernel.org/stable/c/e75faf01e22ec7dc671640fa0e0968964fafd2fc" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35897 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35897", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: discard table flag update with pending basechain deletion\n\nHook unregistration is deferred to the commit phase, same occurs with\nhook updates triggered by the table dormant flag. When both commands are\ncombined, this results in deleting a basechain while leaving its hook\nstill registered in the core.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35897\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35897\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35897\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35897\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35897\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1bc83a019bbe268be3526406245ec28c2458a518\",\n \"https://git.kernel.org/stable/c/2aeb805a1bcd5f27c8c0d1a9d4d653f16d1506f4\",\n \"https://git.kernel.org/stable/c/6cbbe1ba76ee7e674a86abd43009b083a45838cb\",\n \"https://git.kernel.org/stable/c/7f609f630951b624348373cef99991ce08831927\",\n \"https://git.kernel.org/stable/c/9627fd0c6ea1c446741a33e67bc5709c59923827\",\n \"https://git.kernel.org/stable/c/9a3b90904d8a072287480eed4c3ece4b99d64f78\",\n \"https://git.kernel.org/stable/c/b58d0ac35f6d75ec1db8650a29dfd6f292c11362\",\n \"https://git.kernel.org/stable/c/e75faf01e22ec7dc671640fa0e0968964fafd2fc\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: discard table flag update with pending basechain deletion\\n\\nHook unregistration is deferred to the commit phase, same occurs with\\nhook updates triggered by the table dormant flag. When both commands are\\ncombined, this results in deleting a basechain while leaving its hook\\nstill registered in the core.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35897\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35898", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35898" + }, + { + "url": "https://git.kernel.org/stable/c/24225011d81b471acc0e1e315b7d9905459a6304" + }, + { + "url": "https://git.kernel.org/stable/c/2485bcfe05ee3cf9ca8923a94fa2e456924c79c8" + }, + { + "url": "https://git.kernel.org/stable/c/69d1fe14a680042ec913f22196b58e2c8ff1b007" + }, + { + "url": "https://git.kernel.org/stable/c/8b891153b2e4dc0ca9d9dab8f619d49c740813df" + }, + { + "url": "https://git.kernel.org/stable/c/940d41caa71f0d3a52df2fde5fada524a993e331" + }, + { + "url": "https://git.kernel.org/stable/c/9b5b7708ec2be21dd7ef8ca0e3abe4ae9f3b083b" + }, + { + "url": "https://git.kernel.org/stable/c/a347bc8e6251eaee4b619da28020641eb5b0dd77" + }, + { + "url": "https://git.kernel.org/stable/c/e684b1674fd1ca4361812a491242ae871d6b2859" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35898 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35898", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\n\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35898\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35898\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35898\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35898\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35898\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24225011d81b471acc0e1e315b7d9905459a6304\",\n \"https://git.kernel.org/stable/c/2485bcfe05ee3cf9ca8923a94fa2e456924c79c8\",\n \"https://git.kernel.org/stable/c/69d1fe14a680042ec913f22196b58e2c8ff1b007\",\n \"https://git.kernel.org/stable/c/8b891153b2e4dc0ca9d9dab8f619d49c740813df\",\n \"https://git.kernel.org/stable/c/940d41caa71f0d3a52df2fde5fada524a993e331\",\n \"https://git.kernel.org/stable/c/9b5b7708ec2be21dd7ef8ca0e3abe4ae9f3b083b\",\n \"https://git.kernel.org/stable/c/a347bc8e6251eaee4b619da28020641eb5b0dd77\",\n \"https://git.kernel.org/stable/c/e684b1674fd1ca4361812a491242ae871d6b2859\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\\n\\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\\nAnd thhere is not any protection when iterate over nf_tables_flowtables\\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\\ndata-race of nf_tables_flowtables list entry.\\n\\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\\nnft_flowtable_type_get() to protect the entire type query process.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35898\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35899" + }, + { + "url": "https://git.kernel.org/stable/c/24cea9677025e0de419989ecb692acd4bb34cac2" + }, + { + "url": "https://git.kernel.org/stable/c/333b5085522cf1898d5a0d92616046b414f631a7" + }, + { + "url": "https://git.kernel.org/stable/c/46c4481938e2ca62343b16ea83ab28f4c1733d31" + }, + { + "url": "https://git.kernel.org/stable/c/4e8447a9a3d367b5065a0b7abe101da6e0037b6e" + }, + { + "url": "https://git.kernel.org/stable/c/d2c9eb19fc3b11caebafde4c30a76a49203d18a6" + }, + { + "url": "https://git.kernel.org/stable/c/f4e14695fe805eb0f0cb36e0ad6a560b9f985e86" + }, + { + "url": "https://git.kernel.org/stable/c/f7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: flush pending destroy work before exit_net release\n\nSimilar to 2c9f0293280e (\"netfilter: nf_tables: flush pending destroy\nwork before netlink notifier\") to address a race between exit_net and\nthe destroy workqueue.\n\nThe trace below shows an element to be released via destroy workqueue\nwhile exit_net path (triggered via module removal) has already released\nthe set that is used in such transaction.\n\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\n[ 1360.547984] Call Trace:\n[ 1360.547991] \n[ 1360.547998] dump_stack_lvl+0x53/0x70\n[ 1360.548014] print_report+0xc4/0x610\n[ 1360.548026] ? __virt_addr_valid+0xba/0x160\n[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548176] kasan_report+0xae/0xe0\n[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\n[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30\n[ 1360.548591] process_one_work+0x2f1/0x670\n[ 1360.548610] worker_thread+0x4d3/0x760\n[ 1360.548627] ? __pfx_worker_thread+0x10/0x10\n[ 1360.548640] kthread+0x16b/0x1b0\n[ 1360.548653] ? __pfx_kthread+0x10/0x10\n[ 1360.548665] ret_from_fork+0x2f/0x50\n[ 1360.548679] ? __pfx_kthread+0x10/0x10\n[ 1360.548690] ret_from_fork_asm+0x1a/0x30\n[ 1360.548707] \n\n[ 1360.548719] Allocated by task 192061:\n[ 1360.548726] kasan_save_stack+0x20/0x40\n[ 1360.548739] kasan_save_track+0x14/0x30\n[ 1360.548750] __kasan_kmalloc+0x8f/0xa0\n[ 1360.548760] __kmalloc_node+0x1f1/0x450\n[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables]\n[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\n[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\n[ 1360.548927] netlink_unicast+0x367/0x4f0\n[ 1360.548935] netlink_sendmsg+0x34b/0x610\n[ 1360.548944] ____sys_sendmsg+0x4d4/0x510\n[ 1360.548953] ___sys_sendmsg+0xc9/0x120\n[ 1360.548961] __sys_sendmsg+0xbe/0x140\n[ 1360.548971] do_syscall_64+0x55/0x120\n[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n[ 1360.548994] Freed by task 192222:\n[ 1360.548999] kasan_save_stack+0x20/0x40\n[ 1360.549009] kasan_save_track+0x14/0x30\n[ 1360.549019] kasan_save_free_info+0x3b/0x60\n[ 1360.549028] poison_slab_object+0x100/0x180\n[ 1360.549036] __kasan_slab_free+0x14/0x30\n[ 1360.549042] kfree+0xb6/0x260\n[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables]\n[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables]\n[ 1360.549221] ops_exit_list+0x50/0xa0\n[ 1360.549229] free_exit_list+0x101/0x140\n[ 1360.549236] unregister_pernet_operations+0x107/0x160\n[ 1360.549245] unregister_pernet_subsys+0x1c/0x30\n[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables]\n[ 1360.549345] __do_sys_delete_module+0x253/0x370\n[ 1360.549352] do_syscall_64+0x55/0x120\n[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n(gdb) list *__nft_release_table+0x473\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\n11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\n11350 list_del(&flowtable->list);\n11351 nft_use_dec(&table->use);\n11352 nf_tables_flowtable_destroy(flowtable);\n11353 }\n11354 list_for_each_entry_safe(set, ns, &table->sets, list) {\n11355 list_del(&set->list);\n11356 nft_use_dec(&table->use);\n11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\n11358 nft_map_deactivat\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24cea9677025e0de419989ecb692acd4bb34cac2\",\n \"https://git.kernel.org/stable/c/333b5085522cf1898d5a0d92616046b414f631a7\",\n \"https://git.kernel.org/stable/c/46c4481938e2ca62343b16ea83ab28f4c1733d31\",\n \"https://git.kernel.org/stable/c/4e8447a9a3d367b5065a0b7abe101da6e0037b6e\",\n \"https://git.kernel.org/stable/c/d2c9eb19fc3b11caebafde4c30a76a49203d18a6\",\n \"https://git.kernel.org/stable/c/f4e14695fe805eb0f0cb36e0ad6a560b9f985e86\",\n \"https://git.kernel.org/stable/c/f7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: flush pending destroy work before exit_net release\\n\\nSimilar to 2c9f0293280e (\\\"netfilter: nf_tables: flush pending destroy\\nwork before netlink notifier\\\") to address a race between exit_net and\\nthe destroy workqueue.\\n\\nThe trace below shows an element to be released via destroy workqueue\\nwhile exit_net path (triggered via module removal) has already released\\nthe set that is used in such transaction.\\n\\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\\n[ 1360.547984] Call Trace:\\n[ 1360.547991] \\n[ 1360.547998] dump_stack_lvl+0x53/0x70\\n[ 1360.548014] print_report+0xc4/0x610\\n[ 1360.548026] ? __virt_addr_valid+0xba/0x160\\n[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\\n[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\\n[ 1360.548176] kasan_report+0xae/0xe0\\n[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\\n[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\\n[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\\n[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30\\n[ 1360.548591] process_one_work+0x2f1/0x670\\n[ 1360.548610] worker_thread+0x4d3/0x760\\n[ 1360.548627] ? __pfx_worker_thread+0x10/0x10\\n[ 1360.548640] kthread+0x16b/0x1b0\\n[ 1360.548653] ? __pfx_kthread+0x10/0x10\\n[ 1360.548665] ret_from_fork+0x2f/0x50\\n[ 1360.548679] ? __pfx_kthread+0x10/0x10\\n[ 1360.548690] ret_from_fork_asm+0x1a/0x30\\n[ 1360.548707] \\n\\n[ 1360.548719] Allocated by task 192061:\\n[ 1360.548726] kasan_save_stack+0x20/0x40\\n[ 1360.548739] kasan_save_track+0x14/0x30\\n[ 1360.548750] __kasan_kmalloc+0x8f/0xa0\\n[ 1360.548760] __kmalloc_node+0x1f1/0x450\\n[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables]\\n[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\\n[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\\n[ 1360.548927] netlink_unicast+0x367/0x4f0\\n[ 1360.548935] netlink_sendmsg+0x34b/0x610\\n[ 1360.548944] ____sys_sendmsg+0x4d4/0x510\\n[ 1360.548953] ___sys_sendmsg+0xc9/0x120\\n[ 1360.548961] __sys_sendmsg+0xbe/0x140\\n[ 1360.548971] do_syscall_64+0x55/0x120\\n[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d\\n\\n[ 1360.548994] Freed by task 192222:\\n[ 1360.548999] kasan_save_stack+0x20/0x40\\n[ 1360.549009] kasan_save_track+0x14/0x30\\n[ 1360.549019] kasan_save_free_info+0x3b/0x60\\n[ 1360.549028] poison_slab_object+0x100/0x180\\n[ 1360.549036] __kasan_slab_free+0x14/0x30\\n[ 1360.549042] kfree+0xb6/0x260\\n[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables]\\n[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables]\\n[ 1360.549221] ops_exit_list+0x50/0xa0\\n[ 1360.549229] free_exit_list+0x101/0x140\\n[ 1360.549236] unregister_pernet_operations+0x107/0x160\\n[ 1360.549245] unregister_pernet_subsys+0x1c/0x30\\n[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables]\\n[ 1360.549345] __do_sys_delete_module+0x253/0x370\\n[ 1360.549352] do_syscall_64+0x55/0x120\\n[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d\\n\\n(gdb) list *__nft_release_table+0x473\\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\\n11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\\n11350 list_del(&flowtable->list);\\n11351 nft_use_dec(&table->use);\\n11352 nf_tables_flowtable_destroy(flowtable);\\n11353 }\\n11354 list_for_each_entry_safe(set, ns, &table->sets, list) {\\n11355 list_del(&set->list);\\n11356 nft_use_dec(&table->use);\\n11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\\n11358 nft_map_deactivat\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.1,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 4.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35900" + }, + { + "url": "https://git.kernel.org/stable/c/41bad13c0e8a5a2b47a7472cced922555372daab" + }, + { + "url": "https://git.kernel.org/stable/c/420132bee3d0136b7fba253a597b098fe15493a7" + }, + { + "url": "https://git.kernel.org/stable/c/6d12f21f8bbe23fde25b77c2bf5973c136b8bef8" + }, + { + "url": "https://git.kernel.org/stable/c/745cf6a843896cdac8766c74379300ed73c78830" + }, + { + "url": "https://git.kernel.org/stable/c/7b6fba6918714afee3e17796113ccab636255c7b" + }, + { + "url": "https://git.kernel.org/stable/c/8ba81dca416adf82fc5a2a23abc1a8cc02ad32fb" + }, + { + "url": "https://git.kernel.org/stable/c/994209ddf4f430946f6247616b2e33d179243769" + }, + { + "url": "https://git.kernel.org/stable/c/e95bb4cba94c018be24b11f017d1c55dd6cda31a" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject new basechain after table flag update\n\nWhen dormant flag is toggled, hooks are disabled in the commit phase by\niterating over current chains in table (existing and new).\n\nThe following configuration allows for an inconsistent state:\n\n add table x\n add chain x y { type filter hook input priority 0; }\n add table x { flags dormant; }\n add chain x w { type filter hook input priority 1; }\n\nwhich triggers the following warning when trying to unregister chain w\nwhich is already unregistered.\n\n[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[ 127.322519] Call Trace:\n[ 127.322521] \n[ 127.322524] ? __warn+0x9f/0x1a0\n[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322537] ? report_bug+0x1b1/0x1e0\n[ 127.322545] ? handle_bug+0x3c/0x70\n[ 127.322552] ? exc_invalid_op+0x17/0x40\n[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20\n[ 127.322563] ? kasan_save_free_info+0x3b/0x60\n[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]\n[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]\n[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/41bad13c0e8a5a2b47a7472cced922555372daab\",\n \"https://git.kernel.org/stable/c/420132bee3d0136b7fba253a597b098fe15493a7\",\n \"https://git.kernel.org/stable/c/6d12f21f8bbe23fde25b77c2bf5973c136b8bef8\",\n \"https://git.kernel.org/stable/c/745cf6a843896cdac8766c74379300ed73c78830\",\n \"https://git.kernel.org/stable/c/7b6fba6918714afee3e17796113ccab636255c7b\",\n \"https://git.kernel.org/stable/c/8ba81dca416adf82fc5a2a23abc1a8cc02ad32fb\",\n \"https://git.kernel.org/stable/c/994209ddf4f430946f6247616b2e33d179243769\",\n \"https://git.kernel.org/stable/c/e95bb4cba94c018be24b11f017d1c55dd6cda31a\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: reject new basechain after table flag update\\n\\nWhen dormant flag is toggled, hooks are disabled in the commit phase by\\niterating over current chains in table (existing and new).\\n\\nThe following configuration allows for an inconsistent state:\\n\\n add table x\\n add chain x y { type filter hook input priority 0; }\\n add table x { flags dormant; }\\n add chain x w { type filter hook input priority 1; }\\n\\nwhich triggers the following warning when trying to unregister chain w\\nwhich is already unregistered.\\n\\n[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260\\n[...]\\n[ 127.322519] Call Trace:\\n[ 127.322521] \\n[ 127.322524] ? __warn+0x9f/0x1a0\\n[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260\\n[ 127.322537] ? report_bug+0x1b1/0x1e0\\n[ 127.322545] ? handle_bug+0x3c/0x70\\n[ 127.322552] ? exc_invalid_op+0x17/0x40\\n[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20\\n[ 127.322563] ? kasan_save_free_info+0x3b/0x60\\n[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260\\n[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260\\n[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260\\n[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]\\n[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]\\n[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35902", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35902" + }, + { + "url": "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b" + }, + { + "url": "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a" + }, + { + "url": "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d" + }, + { + "url": "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9" + }, + { + "url": "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196" + }, + { + "url": "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14" + }, + { + "url": "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c" + }, + { + "url": "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35902 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35902", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp->cp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n - rds_get_mr()\n - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n where trans_private is assigned as per the previous point in this analysis.\n\n The only implementation of get_mr that I could locate is rds_ib_get_mr()\n which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n this patch does seem to address a possible bug", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35902\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35902\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35902\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35902\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35902\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b\",\n \"https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a\",\n \"https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d\",\n \"https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9\",\n \"https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196\",\n \"https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14\",\n \"https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c\",\n \"https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/rds: fix possible cp null dereference\\n\\ncp might be null, calling cp->cp_conn would produce null dereference\\n\\n[Simon Horman adds:]\\n\\nAnalysis:\\n\\n* cp is a parameter of __rds_rdma_map and is not reassigned.\\n\\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\\n\\n - rds_get_mr()\\n - rds_get_mr_for_dest\\n\\n* Prior to the code above, the following assumes that cp may be NULL\\n (which is indicative, but could itself be unnecessary)\\n\\n\\ttrans_private = rs->rs_transport->get_mr(\\n\\t\\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\\n\\t\\targs->vec.addr, args->vec.bytes,\\n\\t\\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\\n\\n* The code modified by this patch is guarded by IS_ERR(trans_private),\\n where trans_private is assigned as per the previous point in this analysis.\\n\\n The only implementation of get_mr that I could locate is rds_ib_get_mr()\\n which can return an ERR_PTR if the conn (4th) argument is NULL.\\n\\n* ret is set to PTR_ERR(trans_private).\\n rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\\n Thus ret may be -ENODEV in which case the code in question will execute.\\n\\nConclusion:\\n* cp may be NULL at the point where this patch adds a check;\\n this patch does seem to address a possible bug\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35902\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35904", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35904" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/37801a36b4d68892ce807264f784d818f8d0d39b" + }, + { + "url": "https://git.kernel.org/stable/c/477ed6789eb9f3f4d3568bb977f90c863c12724e" + }, + { + "url": "https://git.kernel.org/stable/c/68784a5d01b8868ff85a7926676b6729715fff3c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35904 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35904", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: avoid dereference of garbage after mount failure\n\nIn case kern_mount() fails and returns an error pointer return in the\nerror branch instead of continuing and dereferencing the error pointer.\n\nWhile on it drop the never read static variable selinuxfs_mount.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35904\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35904\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35904\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35904\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35904\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/37801a36b4d68892ce807264f784d818f8d0d39b\",\n \"https://git.kernel.org/stable/c/477ed6789eb9f3f4d3568bb977f90c863c12724e\",\n \"https://git.kernel.org/stable/c/68784a5d01b8868ff85a7926676b6729715fff3c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nselinux: avoid dereference of garbage after mount failure\\n\\nIn case kern_mount() fails and returns an error pointer return in the\\nerror branch instead of continuing and dereferencing the error pointer.\\n\\nWhile on it drop the never read static variable selinuxfs_mount.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35904\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35905" + }, + { + "url": "https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103" + }, + { + "url": "https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69" + }, + { + "url": "https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69" + }, + { + "url": "https://git.kernel.org/stable/c/98cdac206b112bec63852e94802791e316acc2c1" + }, + { + "url": "https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d" + }, + { + "url": "https://git.kernel.org/stable/c/ecc6a2101840177e57c925c102d2d29f260d37c8" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35905", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Protect against int overflow for stack access size\n\nThis patch re-introduces protection against the size of access to stack\nmemory being negative; the access size can appear negative as a result\nof overflowing its signed int representation. This should not actually\nhappen, as there are other protections along the way, but we should\nprotect against it anyway. One code path was missing such protections\n(fixed in the previous patch in the series), causing out-of-bounds array\naccesses in check_stack_range_initialized(). This patch causes the\nverification of a program with such a non-sensical access size to fail.\n\nThis check used to exist in a more indirect way, but was inadvertendly\nremoved in a833a17aeac7.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103\",\n \"https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69\",\n \"https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69\",\n \"https://git.kernel.org/stable/c/98cdac206b112bec63852e94802791e316acc2c1\",\n \"https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d\",\n \"https://git.kernel.org/stable/c/ecc6a2101840177e57c925c102d2d29f260d37c8\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Protect against int overflow for stack access size\\n\\nThis patch re-introduces protection against the size of access to stack\\nmemory being negative; the access size can appear negative as a result\\nof overflowing its signed int representation. This should not actually\\nhappen, as there are other protections along the way, but we should\\nprotect against it anyway. One code path was missing such protections\\n(fixed in the previous patch in the series), causing out-of-bounds array\\naccesses in check_stack_range_initialized(). This patch causes the\\nverification of a program with such a non-sensical access size to fail.\\n\\nThis check used to exist in a more indirect way, but was inadvertendly\\nremoved in a833a17aeac7.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35907", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35907" + }, + { + "url": "https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab" + }, + { + "url": "https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e" + }, + { + "url": "https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52" + }, + { + "url": "https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3" + }, + { + "url": "https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35907 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35907", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: call request_irq() after NAPI initialized\n\nThe mlxbf_gige driver encounters a NULL pointer exception in\nmlxbf_gige_open() when kdump is enabled. The sequence to reproduce\nthe exception is as follows:\na) enable kdump\nb) trigger kdump via \"echo c > /proc/sysrq-trigger\"\nc) kdump kernel executes\nd) kdump kernel loads mlxbf_gige module\ne) the mlxbf_gige module runs its open() as the\n the \"oob_net0\" interface is brought up\nf) mlxbf_gige module will experience an exception\n during its open(), something like:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000086000004\n EC = 0x21: IABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\n [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000086000004 [#1] SMP\n CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : 0x0\n lr : __napi_poll+0x40/0x230\n sp : ffff800008003e00\n x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\n x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\n x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\n x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\n x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\n x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\n x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\n x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\n x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\n Call trace:\n 0x0\n net_rx_action+0x178/0x360\n __do_softirq+0x15c/0x428\n __irq_exit_rcu+0xac/0xec\n irq_exit+0x18/0x2c\n handle_domain_irq+0x6c/0xa0\n gic_handle_irq+0xec/0x1b0\n call_on_irq_stack+0x20/0x2c\n do_interrupt_handler+0x5c/0x70\n el1_interrupt+0x30/0x50\n el1h_64_irq_handler+0x18/0x2c\n el1h_64_irq+0x7c/0x80\n __setup_irq+0x4c0/0x950\n request_threaded_irq+0xf4/0x1bc\n mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\n mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\n __dev_open+0x100/0x220\n __dev_change_flags+0x16c/0x1f0\n dev_change_flags+0x2c/0x70\n do_setlink+0x220/0xa40\n __rtnl_newlink+0x56c/0x8a0\n rtnl_newlink+0x58/0x84\n rtnetlink_rcv_msg+0x138/0x3c4\n netlink_rcv_skb+0x64/0x130\n rtnetlink_rcv+0x20/0x30\n netlink_unicast+0x2ec/0x360\n netlink_sendmsg+0x278/0x490\n __sock_sendmsg+0x5c/0x6c\n ____sys_sendmsg+0x290/0x2d4\n ___sys_sendmsg+0x84/0xd0\n __sys_sendmsg+0x70/0xd0\n __arm64_sys_sendmsg+0x2c/0x40\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x54/0x184\n do_el0_svc+0x30/0xac\n el0_svc+0x48/0x160\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n Code: bad PC value\n ---[ end trace 7d1c3f3bf9d81885 ]---\n Kernel panic - not syncing: Oops: Fatal exception in interrupt\n Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\n PHYS_OFFSET: 0x80000000\n CPU features: 0x0,000005c1,a3332a5a\n Memory Limit: none\n ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThe exception happens because there is a pending RX interrupt before the\ncall to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires\nimmediately after this request_irq() completes. The\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35907\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35907\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35907\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35907\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35907\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab\",\n \"https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e\",\n \"https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52\",\n \"https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3\",\n \"https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxbf_gige: call request_irq() after NAPI initialized\\n\\nThe mlxbf_gige driver encounters a NULL pointer exception in\\nmlxbf_gige_open() when kdump is enabled. The sequence to reproduce\\nthe exception is as follows:\\na) enable kdump\\nb) trigger kdump via \\\"echo c > /proc/sysrq-trigger\\\"\\nc) kdump kernel executes\\nd) kdump kernel loads mlxbf_gige module\\ne) the mlxbf_gige module runs its open() as the\\n the \\\"oob_net0\\\" interface is brought up\\nf) mlxbf_gige module will experience an exception\\n during its open(), something like:\\n\\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\\n Mem abort info:\\n ESR = 0x0000000086000004\\n EC = 0x21: IABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x04: level 0 translation fault\\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\\n [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\\n Internal error: Oops: 0000000086000004 [#1] SMP\\n CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu\\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : 0x0\\n lr : __napi_poll+0x40/0x230\\n sp : ffff800008003e00\\n x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\\n x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\\n x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\\n x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\\n x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\\n x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\\n x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\\n x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\\n x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\\n Call trace:\\n 0x0\\n net_rx_action+0x178/0x360\\n __do_softirq+0x15c/0x428\\n __irq_exit_rcu+0xac/0xec\\n irq_exit+0x18/0x2c\\n handle_domain_irq+0x6c/0xa0\\n gic_handle_irq+0xec/0x1b0\\n call_on_irq_stack+0x20/0x2c\\n do_interrupt_handler+0x5c/0x70\\n el1_interrupt+0x30/0x50\\n el1h_64_irq_handler+0x18/0x2c\\n el1h_64_irq+0x7c/0x80\\n __setup_irq+0x4c0/0x950\\n request_threaded_irq+0xf4/0x1bc\\n mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\\n mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\\n __dev_open+0x100/0x220\\n __dev_change_flags+0x16c/0x1f0\\n dev_change_flags+0x2c/0x70\\n do_setlink+0x220/0xa40\\n __rtnl_newlink+0x56c/0x8a0\\n rtnl_newlink+0x58/0x84\\n rtnetlink_rcv_msg+0x138/0x3c4\\n netlink_rcv_skb+0x64/0x130\\n rtnetlink_rcv+0x20/0x30\\n netlink_unicast+0x2ec/0x360\\n netlink_sendmsg+0x278/0x490\\n __sock_sendmsg+0x5c/0x6c\\n ____sys_sendmsg+0x290/0x2d4\\n ___sys_sendmsg+0x84/0xd0\\n __sys_sendmsg+0x70/0xd0\\n __arm64_sys_sendmsg+0x2c/0x40\\n invoke_syscall+0x78/0x100\\n el0_svc_common.constprop.0+0x54/0x184\\n do_el0_svc+0x30/0xac\\n el0_svc+0x48/0x160\\n el0t_64_sync_handler+0xa4/0x12c\\n el0t_64_sync+0x1a4/0x1a8\\n Code: bad PC value\\n ---[ end trace 7d1c3f3bf9d81885 ]---\\n Kernel panic - not syncing: Oops: Fatal exception in interrupt\\n Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\\n PHYS_OFFSET: 0x80000000\\n CPU features: 0x0,000005c1,a3332a5a\\n Memory Limit: none\\n ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\\n\\nThe exception happens because there is a pending RX interrupt before the\\ncall to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires\\nimmediately after this request_irq() completes. The\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35907\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35908", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35908" + }, + { + "url": "https://git.kernel.org/stable/c/30fabe50a7ace3e9d57cf7f9288f33ea408491c8" + }, + { + "url": "https://git.kernel.org/stable/c/417e91e856099e9b8a42a2520e2255e6afe024be" + }, + { + "url": "https://git.kernel.org/stable/c/b565d294e3d5aa809566a4d819835da11997d8b3" + }, + { + "url": "https://git.kernel.org/stable/c/f1b7f14130d782433bc98c1e1e41ce6b4d4c3096" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35908 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35908", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: get psock ref after taking rxlock to avoid leak\n\nAt the start of tls_sw_recvmsg, we take a reference on the psock, and\nthen call tls_rx_reader_lock. If that fails, we return directly\nwithout releasing the reference.\n\nInstead of adding a new label, just take the reference after locking\nhas succeeded, since we don't need it before.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35908\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35908\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35908\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35908\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35908\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/30fabe50a7ace3e9d57cf7f9288f33ea408491c8\",\n \"https://git.kernel.org/stable/c/417e91e856099e9b8a42a2520e2255e6afe024be\",\n \"https://git.kernel.org/stable/c/b565d294e3d5aa809566a4d819835da11997d8b3\",\n \"https://git.kernel.org/stable/c/f1b7f14130d782433bc98c1e1e41ce6b4d4c3096\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntls: get psock ref after taking rxlock to avoid leak\\n\\nAt the start of tls_sw_recvmsg, we take a reference on the psock, and\\nthen call tls_rx_reader_lock. If that fails, we return directly\\nwithout releasing the reference.\\n\\nInstead of adding a new label, just take the reference after locking\\nhas succeeded, since we don't need it before.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35908\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35910", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35910" + }, + { + "url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada" + }, + { + "url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4" + }, + { + "url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f" + }, + { + "url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a" + }, + { + "url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de" + }, + { + "url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50" + }, + { + "url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87" + }, + { + "url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35910 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35910", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35910\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35910\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35910\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35910\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35910\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada\",\n \"https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4\",\n \"https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f\",\n \"https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a\",\n \"https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de\",\n \"https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50\",\n \"https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87\",\n \"https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: properly terminate timers for kernel sockets\\n\\nWe had various syzbot reports about tcp timers firing after\\nthe corresponding netns has been dismantled.\\n\\nFortunately Josef Bacik could trigger the issue more often,\\nand could test a patch I wrote two years ago.\\n\\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\\nto 'stop' the timers.\\n\\ninet_csk_clear_xmit_timers() can be called from any context,\\nincluding when socket lock is held.\\nThis is the reason it uses sk_stop_timer(), aka del_timer().\\nThis means that ongoing timers might finish much later.\\n\\nFor user sockets, this is fine because each running timer\\nholds a reference on the socket, and the user socket holds\\na reference on the netns.\\n\\nFor kernel sockets, we risk that the netns is freed before\\ntimer can complete, because kernel sockets do not hold\\nreference on the netns.\\n\\nThis patch adds inet_csk_clear_xmit_timers_sync() function\\nthat using sk_stop_timer_sync() to make sure all timers\\nare terminated before the kernel socket is released.\\nModules using kernel sockets close them in their netns exit()\\nhandler.\\n\\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\\nwhile socket lock is held.\\n\\nIt is very possible we can revert in the future commit\\n3a58f13a881e (\\\"net: rds: acquire refcount on TCP sockets\\\")\\nwhich attempted to solve the issue in rds only.\\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\\n\\nWe probably can remove the check_net() tests from\\ntcp_out_of_resources() and __tcp_close() in the future.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35910\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35912", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35912" + }, + { + "url": "https://git.kernel.org/stable/c/06a093807eb7b5c5b29b6cff49f8174a4e702341" + }, + { + "url": "https://git.kernel.org/stable/c/28db0ae86cb91a4ab0e855cff779daead936b7d5" + }, + { + "url": "https://git.kernel.org/stable/c/99a75d75007421d8e08ba139e24f77395cd08f62" + }, + { + "url": "https://git.kernel.org/stable/c/c0a40f2f8eba07416f695ffe2011bf3f8b0b6dc8" + }, + { + "url": "https://git.kernel.org/stable/c/f7f0e784894dfcb265f0f9fa499103b0ca7eabde" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35912 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35912", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: rfi: fix potential response leaks\n\nIf the rx payload length check fails, or if kmemdup() fails,\nwe still need to free the command response. Fix that.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35912\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35912\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35912\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35912\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35912\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06a093807eb7b5c5b29b6cff49f8174a4e702341\",\n \"https://git.kernel.org/stable/c/28db0ae86cb91a4ab0e855cff779daead936b7d5\",\n \"https://git.kernel.org/stable/c/99a75d75007421d8e08ba139e24f77395cd08f62\",\n \"https://git.kernel.org/stable/c/c0a40f2f8eba07416f695ffe2011bf3f8b0b6dc8\",\n \"https://git.kernel.org/stable/c/f7f0e784894dfcb265f0f9fa499103b0ca7eabde\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: rfi: fix potential response leaks\\n\\nIf the rx payload length check fails, or if kmemdup() fails,\\nwe still need to free the command response. Fix that.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35912\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35915", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35915" + }, + { + "url": "https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff" + }, + { + "url": "https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240" + }, + { + "url": "https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c" + }, + { + "url": "https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a" + }, + { + "url": "https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a" + }, + { + "url": "https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16" + }, + { + "url": "https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7" + }, + { + "url": "https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35915 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35915", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\n\nsyzbot reported the following uninit-value access issue [1][2]:\n\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\n\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35915\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35915\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35915\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35915\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35915\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff\",\n \"https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240\",\n \"https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c\",\n \"https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a\",\n \"https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a\",\n \"https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16\",\n \"https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7\",\n \"https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\\n\\nsyzbot reported the following uninit-value access issue [1][2]:\\n\\nnci_rx_work() parses and processes received packet. When the payload\\nlength is zero, each message type handler reads uninitialized payload\\nand KMSAN detects this issue. The receipt of a packet with a zero-size\\npayload is considered unexpected, and therefore, such packets should be\\nsilently discarded.\\n\\nThis patch resolved this issue by checking payload size before calling\\neach message type handler codes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35915\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35918", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35918" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35918 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35918", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35918\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35918\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35918\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35918\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35918\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35918\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35920", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35920" + }, + { + "url": "https://git.kernel.org/stable/c/0a2dc707aa42214f9c4827bd57e344e29a0841d6" + }, + { + "url": "https://git.kernel.org/stable/c/23aaf824121055ba81b55f75444355bd83c8eb38" + }, + { + "url": "https://git.kernel.org/stable/c/6467cda18c9f9b5f2f9a0aa1e2861c653e41f382" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35920 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35920", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: adding lock to protect decoder context list\n\nAdd a lock for the ctx_list, to avoid accessing a NULL pointer\nwithin the 'vpu_dec_ipi_handler' function when the ctx_list has\nbeen deleted due to an unexpected behavior on the SCP IP block.\n\nHardware name: Google juniper sku16 board (DT)\npstate: 20400005 (nzCv daif +PAN -UAO -TCO BTYPE=--)\npc : vpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec]\nlr : scp_ipi_handler+0xd0/0x194 [mtk_scp]\nsp : ffffffc0131dbbd0\nx29: ffffffc0131dbbd0 x28: 0000000000000000\nx27: ffffff9bb277f348 x26: ffffff9bb242ad00\nx25: ffffffd2d440d3b8 x24: ffffffd2a13ff1d4\nx23: ffffff9bb7fe85a0 x22: ffffffc0133fbdb0\nx21: 0000000000000010 x20: ffffff9b050ea328\nx19: ffffffc0131dbc08 x18: 0000000000001000\nx17: 0000000000000000 x16: ffffffd2d461c6e0\nx15: 0000000000000242 x14: 000000000000018f\nx13: 000000000000004d x12: 0000000000000000\nx11: 0000000000000001 x10: fffffffffffffff0\nx9 : ffffff9bb6e793a8 x8 : 0000000000000000\nx7 : 0000000000000000 x6 : 000000000000003f\nx5 : 0000000000000040 x4 : fffffffffffffff0\nx3 : 0000000000000020 x2 : ffffff9bb6e79080\nx1 : 0000000000000010 x0 : ffffffc0131dbc08\nCall trace:\nvpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec (HASH:6c3f 2)]\nscp_ipi_handler+0xd0/0x194 [mtk_scp (HASH:7046 3)]\nmt8183_scp_irq_handler+0x44/0x88 [mtk_scp (HASH:7046 3)]\nscp_irq_handler+0x48/0x90 [mtk_scp (HASH:7046 3)]\nirq_thread_fn+0x38/0x94\nirq_thread+0x100/0x1c0\nkthread+0x140/0x1fc\nret_from_fork+0x10/0x30\nCode: 54000088 f94ca50a eb14015f 54000060 (f9400108)\n---[ end trace ace43ce36cbd5c93 ]---\nKernel panic - not syncing: Oops: Fatal exception\nSMP: stopping secondary CPUs\nKernel Offset: 0x12c4000000 from 0xffffffc010000000\nPHYS_OFFSET: 0xffffffe580000000\nCPU features: 0x08240002,2188200c\nMemory Limit: none", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35920\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35920\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35920\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35920\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35920\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a2dc707aa42214f9c4827bd57e344e29a0841d6\",\n \"https://git.kernel.org/stable/c/23aaf824121055ba81b55f75444355bd83c8eb38\",\n \"https://git.kernel.org/stable/c/6467cda18c9f9b5f2f9a0aa1e2861c653e41f382\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: mediatek: vcodec: adding lock to protect decoder context list\\n\\nAdd a lock for the ctx_list, to avoid accessing a NULL pointer\\nwithin the 'vpu_dec_ipi_handler' function when the ctx_list has\\nbeen deleted due to an unexpected behavior on the SCP IP block.\\n\\nHardware name: Google juniper sku16 board (DT)\\npstate: 20400005 (nzCv daif +PAN -UAO -TCO BTYPE=--)\\npc : vpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec]\\nlr : scp_ipi_handler+0xd0/0x194 [mtk_scp]\\nsp : ffffffc0131dbbd0\\nx29: ffffffc0131dbbd0 x28: 0000000000000000\\nx27: ffffff9bb277f348 x26: ffffff9bb242ad00\\nx25: ffffffd2d440d3b8 x24: ffffffd2a13ff1d4\\nx23: ffffff9bb7fe85a0 x22: ffffffc0133fbdb0\\nx21: 0000000000000010 x20: ffffff9b050ea328\\nx19: ffffffc0131dbc08 x18: 0000000000001000\\nx17: 0000000000000000 x16: ffffffd2d461c6e0\\nx15: 0000000000000242 x14: 000000000000018f\\nx13: 000000000000004d x12: 0000000000000000\\nx11: 0000000000000001 x10: fffffffffffffff0\\nx9 : ffffff9bb6e793a8 x8 : 0000000000000000\\nx7 : 0000000000000000 x6 : 000000000000003f\\nx5 : 0000000000000040 x4 : fffffffffffffff0\\nx3 : 0000000000000020 x2 : ffffff9bb6e79080\\nx1 : 0000000000000010 x0 : ffffffc0131dbc08\\nCall trace:\\nvpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec (HASH:6c3f 2)]\\nscp_ipi_handler+0xd0/0x194 [mtk_scp (HASH:7046 3)]\\nmt8183_scp_irq_handler+0x44/0x88 [mtk_scp (HASH:7046 3)]\\nscp_irq_handler+0x48/0x90 [mtk_scp (HASH:7046 3)]\\nirq_thread_fn+0x38/0x94\\nirq_thread+0x100/0x1c0\\nkthread+0x140/0x1fc\\nret_from_fork+0x10/0x30\\nCode: 54000088 f94ca50a eb14015f 54000060 (f9400108)\\n---[ end trace ace43ce36cbd5c93 ]---\\nKernel panic - not syncing: Oops: Fatal exception\\nSMP: stopping secondary CPUs\\nKernel Offset: 0x12c4000000 from 0xffffffc010000000\\nPHYS_OFFSET: 0xffffffe580000000\\nCPU features: 0x08240002,2188200c\\nMemory Limit: none\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35920\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35922", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35922" + }, + { + "url": "https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4" + }, + { + "url": "https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f" + }, + { + "url": "https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33" + }, + { + "url": "https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029" + }, + { + "url": "https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971" + }, + { + "url": "https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270" + }, + { + "url": "https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0" + }, + { + "url": "https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd9bd4126" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35922 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35922", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbmon: prevent division by zero in fb_videomode_from_videomode()\n\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35922\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35922\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35922\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35922\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35922\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4\",\n \"https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f\",\n \"https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33\",\n \"https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029\",\n \"https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971\",\n \"https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270\",\n \"https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0\",\n \"https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd9bd4126\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfbmon: prevent division by zero in fb_videomode_from_videomode()\\n\\nThe expression htotal * vtotal can have a zero value on\\noverflow. It is necessary to prevent division by zero like in\\nfb_var_to_videomode().\\n\\nFound by Linux Verification Center (linuxtesting.org) with Svace.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35922\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35924", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35924" + }, + { + "url": "https://git.kernel.org/stable/c/0defcaa09d3b21e8387829ee3a652c43fa91e13f" + }, + { + "url": "https://git.kernel.org/stable/c/266f403ec47573046dee4bcebda82777ce702c40" + }, + { + "url": "https://git.kernel.org/stable/c/b3db266fb031fba88c423d4bb8983a73a3db6527" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35924 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35924", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Limit read size on v1.2\n\nBetween UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was\nincreased from 16 to 256. In order to avoid overflowing reads for older\nsystems, add a mechanism to use the read UCSI version to truncate read\nsizes on UCSI v1.2.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35924\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35924\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35924\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35924\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35924\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0defcaa09d3b21e8387829ee3a652c43fa91e13f\",\n \"https://git.kernel.org/stable/c/266f403ec47573046dee4bcebda82777ce702c40\",\n \"https://git.kernel.org/stable/c/b3db266fb031fba88c423d4bb8983a73a3db6527\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: typec: ucsi: Limit read size on v1.2\\n\\nBetween UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was\\nincreased from 16 to 256. In order to avoid overflowing reads for older\\nsystems, add a mechanism to use the read UCSI version to truncate read\\nsizes on UCSI v1.2.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35924\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35925", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35925" + }, + { + "url": "https://git.kernel.org/stable/c/21e7d72d0cfcbae6042d498ea2e6f395311767f8" + }, + { + "url": "https://git.kernel.org/stable/c/512a01da7134bac8f8b373506011e8aaa3283854" + }, + { + "url": "https://git.kernel.org/stable/c/5f7fd6aa4c4877d77133ea86c14cf256f390b2fe" + }, + { + "url": "https://git.kernel.org/stable/c/6a55dab4ac956deb23690eedd74e70b892a378e7" + }, + { + "url": "https://git.kernel.org/stable/c/93f52fbeaf4b676b21acfe42a5152620e6770d02" + }, + { + "url": "https://git.kernel.org/stable/c/98ddf2604ade2d954bf5ec193600d5274a43fd68" + }, + { + "url": "https://git.kernel.org/stable/c/b0cb5564c3e8e0ee0a2d28c86fa7f02e82d64c3c" + }, + { + "url": "https://git.kernel.org/stable/c/edd073c78d2bf48c5b8bf435bbc3d61d6e7c6c14" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35925 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35925", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: prevent division by zero in blk_rq_stat_sum()\n\nThe expression dst->nr_samples + src->nr_samples may\nhave zero value on overflow. It is necessary to add\na check to avoid division by zero.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35925\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35925\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35925\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35925\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35925\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21e7d72d0cfcbae6042d498ea2e6f395311767f8\",\n \"https://git.kernel.org/stable/c/512a01da7134bac8f8b373506011e8aaa3283854\",\n \"https://git.kernel.org/stable/c/5f7fd6aa4c4877d77133ea86c14cf256f390b2fe\",\n \"https://git.kernel.org/stable/c/6a55dab4ac956deb23690eedd74e70b892a378e7\",\n \"https://git.kernel.org/stable/c/93f52fbeaf4b676b21acfe42a5152620e6770d02\",\n \"https://git.kernel.org/stable/c/98ddf2604ade2d954bf5ec193600d5274a43fd68\",\n \"https://git.kernel.org/stable/c/b0cb5564c3e8e0ee0a2d28c86fa7f02e82d64c3c\",\n \"https://git.kernel.org/stable/c/edd073c78d2bf48c5b8bf435bbc3d61d6e7c6c14\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: prevent division by zero in blk_rq_stat_sum()\\n\\nThe expression dst->nr_samples + src->nr_samples may\\nhave zero value on overflow. It is necessary to add\\na check to avoid division by zero.\\n\\nFound by Linux Verification Center (linuxtesting.org) with Svace.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35925\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35926", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35926" + }, + { + "url": "https://git.kernel.org/stable/c/262534ddc88dfea7474ed18adfecf856e4fbe054" + }, + { + "url": "https://git.kernel.org/stable/c/d994f7d77aaded05dc05af58a2720fd4f4b72a83" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35926 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35926", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix async_disable descriptor leak\n\nThe disable_async paths of iaa_compress/decompress() don't free idxd\ndescriptors in the async_disable case. Currently this only happens in\nthe testcases where req->dst is set to null. Add a test to free them\nin those paths.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35926\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35926\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35926\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35926\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35926\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/262534ddc88dfea7474ed18adfecf856e4fbe054\",\n \"https://git.kernel.org/stable/c/d994f7d77aaded05dc05af58a2720fd4f4b72a83\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: iaa - Fix async_disable descriptor leak\\n\\nThe disable_async paths of iaa_compress/decompress() don't free idxd\\ndescriptors in the async_disable case. Currently this only happens in\\nthe testcases where req->dst is set to null. Add a test to free them\\nin those paths.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35926\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35927", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35927" + }, + { + "url": "https://git.kernel.org/stable/c/18451798f4a4e7418b9fad7e7dd313fe84b1f545" + }, + { + "url": "https://git.kernel.org/stable/c/3d1b47e3a935abd4f258a945db87e7267ff4079c" + }, + { + "url": "https://git.kernel.org/stable/c/4ad8d57d902fbc7c82507cfc1b031f3a07c3de6e" + }, + { + "url": "https://git.kernel.org/stable/c/5abffb66d12bcac84bf7b66389c571b8bb6e82bd" + }, + { + "url": "https://git.kernel.org/stable/c/786c27982a39d79cc753f84229eb5977ac8ef1c1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35927 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35927", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Check output polling initialized before disabling\n\nIn drm_kms_helper_poll_disable() check if output polling\nsupport is initialized before disabling polling. If not flag\nthis as a warning.\nAdditionally in drm_mode_config_helper_suspend() and\ndrm_mode_config_helper_resume() calls, that re the callers of these\nfunctions, avoid invoking them if polling is not initialized.\nFor drivers like hyperv-drm, that do not initialize connector\npolling, if suspend is called without this check, it leads to\nsuspend failure with following stack\n[ 770.719392] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.\n[ 770.720592] printk: Suspending console(s) (use no_console_suspend to debug)\n[ 770.948823] ------------[ cut here ]------------\n[ 770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230\n[ 770.948831] Modules linked in: rfkill nft_counter xt_conntrack xt_owner udf nft_compat crc_itu_t nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink vfat fat mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common kvm_amd ccp mlxfw kvm psample hyperv_drm tls drm_shmem_helper drm_kms_helper irqbypass pcspkr syscopyarea sysfillrect sysimgblt hv_balloon hv_utils joydev drm fuse xfs libcrc32c pci_hyperv pci_hyperv_intf sr_mod sd_mod cdrom t10_pi sg hv_storvsc scsi_transport_fc hv_netvsc serio_raw hyperv_keyboard hid_hyperv crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod\n[ 770.948863] CPU: 1 PID: 17197 Comm: systemd-sleep Not tainted 5.14.0-362.2.1.el9_3.x86_64 #1\n[ 770.948865] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022\n[ 770.948866] RIP: 0010:__flush_work.isra.0+0x212/0x230\n[ 770.948869] Code: 8b 4d 00 4c 8b 45 08 89 ca 48 c1 e9 04 83 e2 08 83 e1 0f 83 ca 02 89 c8 48 0f ba 6d 00 03 e9 25 ff ff ff 0f 0b e9 4e ff ff ff <0f> 0b 45 31 ed e9 44 ff ff ff e8 8f 89 b2 00 66 66 2e 0f 1f 84 00\n[ 770.948870] RSP: 0018:ffffaf4ac213fb10 EFLAGS: 00010246\n[ 770.948871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8c992857\n[ 770.948872] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9aad82b00330\n[ 770.948873] RBP: ffff9aad82b00330 R08: 0000000000000000 R09: ffff9aad87ee3d10\n[ 770.948874] R10: 0000000000000200 R11: 0000000000000000 R12: ffff9aad82b00330\n[ 770.948874] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n[ 770.948875] FS: 00007ff1b2f6bb40(0000) GS:ffff9aaf37d00000(0000) knlGS:0000000000000000\n[ 770.948878] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 770.948878] CR2: 0000555f345cb666 CR3: 00000001462dc005 CR4: 0000000000370ee0\n[ 770.948879] Call Trace:\n[ 770.948880] \n[ 770.948881] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948884] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948886] ? __cancel_work_timer+0x103/0x190\n[ 770.948887] ? __flush_work.isra.0+0x212/0x230\n[ 770.948889] ? __warn+0x81/0x110\n[ 770.948891] ? __flush_work.isra.0+0x212/0x230\n[ 770.948892] ? report_bug+0x10a/0x140\n[ 770.948895] ? handle_bug+0x3c/0x70\n[ 770.948898] ? exc_invalid_op+0x14/0x70\n[ 770.948899] ? asm_exc_invalid_op+0x16/0x20\n[ 770.948903] ? __flush_work.isra.0+0x212/0x230\n[ 770.948905] __cancel_work_timer+0x103/0x190\n[ 770.948907] ? _raw_spin_unlock_irqrestore+0xa/0x30\n[ 770.948910] drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper]\n[ 770.948923] drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper]\n[ 770.948933] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948942] hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm]\n[ 770.948944] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948951] dpm_run_callback+0x4c/0x140\n[ 770.948954] __device_suspend_noir\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35927\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35927\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35927\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35927\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35927\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/18451798f4a4e7418b9fad7e7dd313fe84b1f545\",\n \"https://git.kernel.org/stable/c/3d1b47e3a935abd4f258a945db87e7267ff4079c\",\n \"https://git.kernel.org/stable/c/4ad8d57d902fbc7c82507cfc1b031f3a07c3de6e\",\n \"https://git.kernel.org/stable/c/5abffb66d12bcac84bf7b66389c571b8bb6e82bd\",\n \"https://git.kernel.org/stable/c/786c27982a39d79cc753f84229eb5977ac8ef1c1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm: Check output polling initialized before disabling\\n\\nIn drm_kms_helper_poll_disable() check if output polling\\nsupport is initialized before disabling polling. If not flag\\nthis as a warning.\\nAdditionally in drm_mode_config_helper_suspend() and\\ndrm_mode_config_helper_resume() calls, that re the callers of these\\nfunctions, avoid invoking them if polling is not initialized.\\nFor drivers like hyperv-drm, that do not initialize connector\\npolling, if suspend is called without this check, it leads to\\nsuspend failure with following stack\\n[ 770.719392] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.\\n[ 770.720592] printk: Suspending console(s) (use no_console_suspend to debug)\\n[ 770.948823] ------------[ cut here ]------------\\n[ 770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230\\n[ 770.948831] Modules linked in: rfkill nft_counter xt_conntrack xt_owner udf nft_compat crc_itu_t nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink vfat fat mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common kvm_amd ccp mlxfw kvm psample hyperv_drm tls drm_shmem_helper drm_kms_helper irqbypass pcspkr syscopyarea sysfillrect sysimgblt hv_balloon hv_utils joydev drm fuse xfs libcrc32c pci_hyperv pci_hyperv_intf sr_mod sd_mod cdrom t10_pi sg hv_storvsc scsi_transport_fc hv_netvsc serio_raw hyperv_keyboard hid_hyperv crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod\\n[ 770.948863] CPU: 1 PID: 17197 Comm: systemd-sleep Not tainted 5.14.0-362.2.1.el9_3.x86_64 #1\\n[ 770.948865] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022\\n[ 770.948866] RIP: 0010:__flush_work.isra.0+0x212/0x230\\n[ 770.948869] Code: 8b 4d 00 4c 8b 45 08 89 ca 48 c1 e9 04 83 e2 08 83 e1 0f 83 ca 02 89 c8 48 0f ba 6d 00 03 e9 25 ff ff ff 0f 0b e9 4e ff ff ff <0f> 0b 45 31 ed e9 44 ff ff ff e8 8f 89 b2 00 66 66 2e 0f 1f 84 00\\n[ 770.948870] RSP: 0018:ffffaf4ac213fb10 EFLAGS: 00010246\\n[ 770.948871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8c992857\\n[ 770.948872] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9aad82b00330\\n[ 770.948873] RBP: ffff9aad82b00330 R08: 0000000000000000 R09: ffff9aad87ee3d10\\n[ 770.948874] R10: 0000000000000200 R11: 0000000000000000 R12: ffff9aad82b00330\\n[ 770.948874] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\\n[ 770.948875] FS: 00007ff1b2f6bb40(0000) GS:ffff9aaf37d00000(0000) knlGS:0000000000000000\\n[ 770.948878] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 770.948878] CR2: 0000555f345cb666 CR3: 00000001462dc005 CR4: 0000000000370ee0\\n[ 770.948879] Call Trace:\\n[ 770.948880] \\n[ 770.948881] ? show_trace_log_lvl+0x1c4/0x2df\\n[ 770.948884] ? show_trace_log_lvl+0x1c4/0x2df\\n[ 770.948886] ? __cancel_work_timer+0x103/0x190\\n[ 770.948887] ? __flush_work.isra.0+0x212/0x230\\n[ 770.948889] ? __warn+0x81/0x110\\n[ 770.948891] ? __flush_work.isra.0+0x212/0x230\\n[ 770.948892] ? report_bug+0x10a/0x140\\n[ 770.948895] ? handle_bug+0x3c/0x70\\n[ 770.948898] ? exc_invalid_op+0x14/0x70\\n[ 770.948899] ? asm_exc_invalid_op+0x16/0x20\\n[ 770.948903] ? __flush_work.isra.0+0x212/0x230\\n[ 770.948905] __cancel_work_timer+0x103/0x190\\n[ 770.948907] ? _raw_spin_unlock_irqrestore+0xa/0x30\\n[ 770.948910] drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper]\\n[ 770.948923] drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper]\\n[ 770.948933] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\\n[ 770.948942] hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm]\\n[ 770.948944] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\\n[ 770.948951] dpm_run_callback+0x4c/0x140\\n[ 770.948954] __device_suspend_noir\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35927\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35928", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35928" + }, + { + "url": "https://git.kernel.org/stable/c/14ac934db851642ea8cd1bd4121c788a8899ef69" + }, + { + "url": "https://git.kernel.org/stable/c/aa665c3a2aca2ffe31b9645bda278e96dfc3b55c" + }, + { + "url": "https://git.kernel.org/stable/c/c5f9fe2c1e5023fa096189a8bfba6420aa035587" + }, + { + "url": "https://git.kernel.org/stable/c/eb4f139888f636614dab3bcce97ff61cefc4b3a7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35928 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35928", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()\n\nThis ensures that the memory mapped by ioremap for adev->rmmio, is\nproperly handled in amdgpu_device_init(). If the function exits early\ndue to an error, the memory is unmapped. If the function completes\nsuccessfully, the memory remains mapped.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_device.c:4337 amdgpu_device_init() warn: 'adev->rmmio' from ioremap() not released on lines: 4035,4045,4051,4058,4068,4337", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35928\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35928\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14ac934db851642ea8cd1bd4121c788a8899ef69\",\n \"https://git.kernel.org/stable/c/aa665c3a2aca2ffe31b9645bda278e96dfc3b55c\",\n \"https://git.kernel.org/stable/c/c5f9fe2c1e5023fa096189a8bfba6420aa035587\",\n \"https://git.kernel.org/stable/c/eb4f139888f636614dab3bcce97ff61cefc4b3a7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()\\n\\nThis ensures that the memory mapped by ioremap for adev->rmmio, is\\nproperly handled in amdgpu_device_init(). If the function exits early\\ndue to an error, the memory is unmapped. If the function completes\\nsuccessfully, the memory remains mapped.\\n\\nReported by smatch:\\ndrivers/gpu/drm/amd/amdgpu/amdgpu_device.c:4337 amdgpu_device_init() warn: 'adev->rmmio' from ioremap() not released on lines: 4035,4045,4051,4058,4068,4337\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35928\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35929", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35929" + }, + { + "url": "https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc" + }, + { + "url": "https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a" + }, + { + "url": "https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35929", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()\n\nFor the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and\nCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()\nin the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:\n\n CPU2 CPU11\nkthread\nrcu_nocb_cb_kthread ksys_write\nrcu_do_batch vfs_write\nrcu_torture_timer_cb proc_sys_write\n__kmem_cache_free proc_sys_call_handler\nkmemleak_free drop_caches_sysctl_handler\ndelete_object_full drop_slab\n__delete_object shrink_slab\nput_object lazy_rcu_shrink_scan\ncall_rcu rcu_nocb_flush_bypass\n__call_rcu_commn rcu_nocb_bypass_lock\n raw_spin_trylock(&rdp->nocb_bypass_lock) fail\n atomic_inc(&rdp->nocb_lock_contended);\nrcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu);\n WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) |\n |_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __|\n\nReproduce this bug with \"echo 3 > /proc/sys/vm/drop_caches\".\n\nThis commit therefore uses rcu_nocb_try_flush_bypass() instead of\nrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass\nqueue is being flushed, then rcu_nocb_try_flush_bypass will return\ndirectly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc\",\n \"https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a\",\n \"https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()\\n\\nFor the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and\\nCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()\\nin the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:\\n\\n CPU2 CPU11\\nkthread\\nrcu_nocb_cb_kthread ksys_write\\nrcu_do_batch vfs_write\\nrcu_torture_timer_cb proc_sys_write\\n__kmem_cache_free proc_sys_call_handler\\nkmemleak_free drop_caches_sysctl_handler\\ndelete_object_full drop_slab\\n__delete_object shrink_slab\\nput_object lazy_rcu_shrink_scan\\ncall_rcu rcu_nocb_flush_bypass\\n__call_rcu_commn rcu_nocb_bypass_lock\\n raw_spin_trylock(&rdp->nocb_bypass_lock) fail\\n atomic_inc(&rdp->nocb_lock_contended);\\nrcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu);\\n WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) |\\n |_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __|\\n\\nReproduce this bug with \\\"echo 3 > /proc/sys/vm/drop_caches\\\".\\n\\nThis commit therefore uses rcu_nocb_try_flush_bypass() instead of\\nrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass\\nqueue is being flushed, then rcu_nocb_try_flush_bypass will return\\ndirectly.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35930", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35930" + }, + { + "url": "https://git.kernel.org/stable/c/07a2aa674fca679316b8ac51440adb895b53a7cf" + }, + { + "url": "https://git.kernel.org/stable/c/2ae917d4bcab80ab304b774d492e2fcd6c52c06b" + }, + { + "url": "https://git.kernel.org/stable/c/3320126ed3afbc11934502319b340f91a4d61c8f" + }, + { + "url": "https://git.kernel.org/stable/c/7849e6f8410da96384e3d1f6b6d730f095142dc7" + }, + { + "url": "https://git.kernel.org/stable/c/c473288f27d15014447de5a891bdf22a0695847a" + }, + { + "url": "https://git.kernel.org/stable/c/e2cd32435b1dff3d63759476a3abc878e02fb6c8" + }, + { + "url": "https://git.kernel.org/stable/c/edf82aa7e9eb864a09229392054d131b34a5c9e8" + }, + { + "url": "https://git.kernel.org/stable/c/ee0b5f96b6d66a1e6698228dcb41df11ec7f352f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35930 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35930", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\n\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status. In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\n\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35930\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35930\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35930\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35930\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35930\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07a2aa674fca679316b8ac51440adb895b53a7cf\",\n \"https://git.kernel.org/stable/c/2ae917d4bcab80ab304b774d492e2fcd6c52c06b\",\n \"https://git.kernel.org/stable/c/3320126ed3afbc11934502319b340f91a4d61c8f\",\n \"https://git.kernel.org/stable/c/7849e6f8410da96384e3d1f6b6d730f095142dc7\",\n \"https://git.kernel.org/stable/c/c473288f27d15014447de5a891bdf22a0695847a\",\n \"https://git.kernel.org/stable/c/e2cd32435b1dff3d63759476a3abc878e02fb6c8\",\n \"https://git.kernel.org/stable/c/edf82aa7e9eb864a09229392054d131b34a5c9e8\",\n \"https://git.kernel.org/stable/c/ee0b5f96b6d66a1e6698228dcb41df11ec7f352f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\\n\\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\\nunsuccessful status. In such cases, the elsiocb is not issued, the\\ncompletion is not called, and thus the elsiocb resource is leaked.\\n\\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\\nrelease the elsiocb resource.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35930\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35931", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35931" + }, + { + "url": "https://git.kernel.org/stable/c/395ca1031acf89d8ecb26127c544a71688d96f35" + }, + { + "url": "https://git.kernel.org/stable/c/601429cca96b4af3be44172c3b64e4228515dbe1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35931", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Skip do PCI error slot reset during RAS recovery\n\nWhy:\n The PCI error slot reset maybe triggered after inject ue to UMC multi times, this\n caused system hang.\n [ 557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, trying to resume\n [ 557.373718] [drm] PCIE GART of 512M enabled.\n [ 557.373722] [drm] PTB located at 0x0000031FED700000\n [ 557.373788] [drm] VRAM is lost due to GPU reset!\n [ 557.373789] [drm] PSP is resuming...\n [ 557.547012] mlx5_core 0000:55:00.0: mlx5_pci_err_detected Device state = 1 pci_status: 0. Exit, result = 3, need reset\n [ 557.547067] [drm] PCI error: detected callback, state(1)!!\n [ 557.547069] [drm] No support for XGMI hive yet...\n [ 557.548125] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 0. Enter\n [ 557.607763] mlx5_core 0000:55:00.0: wait vital counter value 0x16b5b after 1 iterations\n [ 557.607777] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 1. Exit, err = 0, result = 5, recovered\n [ 557.610492] [drm] PCI error: slot reset callback!!\n ...\n [ 560.689382] amdgpu 0000:3f:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689546] amdgpu 0000:5a:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689562] general protection fault, probably for non-canonical address 0x5f080b54534f611f: 0000 [#1] SMP NOPTI\n [ 560.701008] CPU: 16 PID: 2361 Comm: kworker/u448:9 Tainted: G OE 5.15.0-91-generic #101-Ubuntu\n [ 560.712057] Hardware name: Microsoft C278A/C278A, BIOS C2789.5.BS.1C11.AG.1 11/08/2023\n [ 560.720959] Workqueue: amdgpu-reset-hive amdgpu_ras_do_recovery [amdgpu]\n [ 560.728887] RIP: 0010:amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.736891] Code: ff 41 89 c6 e9 1b ff ff ff 44 0f b6 45 b0 e9 4f ff ff ff be 01 00 00 00 4c 89 e7 e8 76 c9 8b ff 44 0f b6 45 b0 e9 3c fd ff ff <48> 83 ba 18 02 00 00 00 0f 84 6a f8 ff ff 48 8d 7a 78 be 01 00 00\n [ 560.757967] RSP: 0018:ffa0000032e53d80 EFLAGS: 00010202\n [ 560.763848] RAX: ffa00000001dfd10 RBX: ffa0000000197090 RCX: ffa0000032e53db0\n [ 560.771856] RDX: 5f080b54534f5f07 RSI: 0000000000000000 RDI: ff11000128100010\n [ 560.779867] RBP: ffa0000032e53df0 R08: 0000000000000000 R09: ffffffffffe77f08\n [ 560.787879] R10: 0000000000ffff0a R11: 0000000000000001 R12: 0000000000000000\n [ 560.795889] R13: ffa0000032e53e00 R14: 0000000000000000 R15: 0000000000000000\n [ 560.803889] FS: 0000000000000000(0000) GS:ff11007e7e800000(0000) knlGS:0000000000000000\n [ 560.812973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 560.819422] CR2: 000055a04c118e68 CR3: 0000000007410005 CR4: 0000000000771ee0\n [ 560.827433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [ 560.835433] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n [ 560.843444] PKRU: 55555554\n [ 560.846480] Call Trace:\n [ 560.849225] \n [ 560.851580] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.856488] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.861379] ? amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.867778] ? show_regs.part.0+0x23/0x29\n [ 560.872293] ? __die_body.cold+0x8/0xd\n [ 560.876502] ? die_addr+0x3e/0x60\n [ 560.880238] ? exc_general_protection+0x1c5/0x410\n [ 560.885532] ? asm_exc_general_protection+0x27/0x30\n [ 560.891025] ? amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.898323] amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.904520] process_one_work+0x228/0x3d0\nHow:\n In RAS recovery, mode-1 reset is issued from RAS fatal error handling and expected\n all the nodes in a hive to be reset. no need to issue another mode-1 during this procedure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/395ca1031acf89d8ecb26127c544a71688d96f35\",\n \"https://git.kernel.org/stable/c/601429cca96b4af3be44172c3b64e4228515dbe1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Skip do PCI error slot reset during RAS recovery\\n\\nWhy:\\n The PCI error slot reset maybe triggered after inject ue to UMC multi times, this\\n caused system hang.\\n [ 557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, trying to resume\\n [ 557.373718] [drm] PCIE GART of 512M enabled.\\n [ 557.373722] [drm] PTB located at 0x0000031FED700000\\n [ 557.373788] [drm] VRAM is lost due to GPU reset!\\n [ 557.373789] [drm] PSP is resuming...\\n [ 557.547012] mlx5_core 0000:55:00.0: mlx5_pci_err_detected Device state = 1 pci_status: 0. Exit, result = 3, need reset\\n [ 557.547067] [drm] PCI error: detected callback, state(1)!!\\n [ 557.547069] [drm] No support for XGMI hive yet...\\n [ 557.548125] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 0. Enter\\n [ 557.607763] mlx5_core 0000:55:00.0: wait vital counter value 0x16b5b after 1 iterations\\n [ 557.607777] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 1. Exit, err = 0, result = 5, recovered\\n [ 557.610492] [drm] PCI error: slot reset callback!!\\n ...\\n [ 560.689382] amdgpu 0000:3f:00.0: amdgpu: GPU reset(2) succeeded!\\n [ 560.689546] amdgpu 0000:5a:00.0: amdgpu: GPU reset(2) succeeded!\\n [ 560.689562] general protection fault, probably for non-canonical address 0x5f080b54534f611f: 0000 [#1] SMP NOPTI\\n [ 560.701008] CPU: 16 PID: 2361 Comm: kworker/u448:9 Tainted: G OE 5.15.0-91-generic #101-Ubuntu\\n [ 560.712057] Hardware name: Microsoft C278A/C278A, BIOS C2789.5.BS.1C11.AG.1 11/08/2023\\n [ 560.720959] Workqueue: amdgpu-reset-hive amdgpu_ras_do_recovery [amdgpu]\\n [ 560.728887] RIP: 0010:amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\\n [ 560.736891] Code: ff 41 89 c6 e9 1b ff ff ff 44 0f b6 45 b0 e9 4f ff ff ff be 01 00 00 00 4c 89 e7 e8 76 c9 8b ff 44 0f b6 45 b0 e9 3c fd ff ff <48> 83 ba 18 02 00 00 00 0f 84 6a f8 ff ff 48 8d 7a 78 be 01 00 00\\n [ 560.757967] RSP: 0018:ffa0000032e53d80 EFLAGS: 00010202\\n [ 560.763848] RAX: ffa00000001dfd10 RBX: ffa0000000197090 RCX: ffa0000032e53db0\\n [ 560.771856] RDX: 5f080b54534f5f07 RSI: 0000000000000000 RDI: ff11000128100010\\n [ 560.779867] RBP: ffa0000032e53df0 R08: 0000000000000000 R09: ffffffffffe77f08\\n [ 560.787879] R10: 0000000000ffff0a R11: 0000000000000001 R12: 0000000000000000\\n [ 560.795889] R13: ffa0000032e53e00 R14: 0000000000000000 R15: 0000000000000000\\n [ 560.803889] FS: 0000000000000000(0000) GS:ff11007e7e800000(0000) knlGS:0000000000000000\\n [ 560.812973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n [ 560.819422] CR2: 000055a04c118e68 CR3: 0000000007410005 CR4: 0000000000771ee0\\n [ 560.827433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n [ 560.835433] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\\n [ 560.843444] PKRU: 55555554\\n [ 560.846480] Call Trace:\\n [ 560.849225] \\n [ 560.851580] ? show_trace_log_lvl+0x1d6/0x2ea\\n [ 560.856488] ? show_trace_log_lvl+0x1d6/0x2ea\\n [ 560.861379] ? amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\\n [ 560.867778] ? show_regs.part.0+0x23/0x29\\n [ 560.872293] ? __die_body.cold+0x8/0xd\\n [ 560.876502] ? die_addr+0x3e/0x60\\n [ 560.880238] ? exc_general_protection+0x1c5/0x410\\n [ 560.885532] ? asm_exc_general_protection+0x27/0x30\\n [ 560.891025] ? amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\\n [ 560.898323] amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\\n [ 560.904520] process_one_work+0x228/0x3d0\\nHow:\\n In RAS recovery, mode-1 reset is issued from RAS fatal error handling and expected\\n all the nodes in a hive to be reset. no need to issue another mode-1 during this procedure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35932", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35932" + }, + { + "url": "https://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40" + }, + { + "url": "https://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd" + }, + { + "url": "https://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9" + }, + { + "url": "https://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35932 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35932", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: don't check if plane->state->fb == state->fb\n\nCurrently, when using non-blocking commits, we can see the following\nkernel warning:\n\n[ 110.908514] ------------[ cut here ]------------\n[ 110.908529] refcount_t: underflow; use-after-free.\n[ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\n[ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32\n[ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0\n[ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0\n[ 110.909170] sp : ffffffc00913b9c0\n[ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\n[ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\n[ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\n[ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\n[ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\n[ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\n[ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\n[ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\n[ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\n[ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\n[ 110.909434] Call trace:\n[ 110.909441] refcount_dec_not_one+0xb8/0xc0\n[ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\n[ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4]\n[ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\n[ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4]\n[ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper]\n[ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\n[ 110.911716] drm_atomic_commit+0xb0/0xdc [drm]\n[ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\n[ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm]\n[ 110.914091] drm_ioctl+0x24c/0x3b0 [drm]\n[ 110.914850] __arm64_sys_ioctl+0x9c/0xd4\n[ 110.914873] invoke_syscall+0x4c/0x114\n[ 110.914897] el0_svc_common+0xd0/0x118\n[ 110.914917] do_el0_svc+0x38/0xd0\n[ 110.914936] el0_svc+0x30/0x8c\n[ 110.914958] el0t_64_sync_handler+0x84/0xf0\n[ 110.914979] el0t_64_sync+0x18c/0x190\n[ 110.914996] ---[ end trace 0000000000000000 ]---\n\nThis happens because, although `prepare_fb` and `cleanup_fb` are\nperfectly balanced, we cannot guarantee consistency in the check\nplane->state->fb == state->fb. This means that sometimes we can increase\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\nopposite can also be true.\n\nIn fact, the struct drm_plane .state shouldn't be accessed directly\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\nbe used. So, we could stick to this check, but using\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35932\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35932\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35932\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35932\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35932\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40\",\n \"https://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd\",\n \"https://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9\",\n \"https://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vc4: don't check if plane->state->fb == state->fb\\n\\nCurrently, when using non-blocking commits, we can see the following\\nkernel warning:\\n\\n[ 110.908514] ------------[ cut here ]------------\\n[ 110.908529] refcount_t: underflow; use-after-free.\\n[ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\\n[ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\\n[ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32\\n[ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\\n[ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0\\n[ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0\\n[ 110.909170] sp : ffffffc00913b9c0\\n[ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\\n[ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\\n[ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\\n[ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\\n[ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\\n[ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\\n[ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\\n[ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\\n[ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\\n[ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\\n[ 110.909434] Call trace:\\n[ 110.909441] refcount_dec_not_one+0xb8/0xc0\\n[ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\\n[ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4]\\n[ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\\n[ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4]\\n[ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper]\\n[ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\\n[ 110.911716] drm_atomic_commit+0xb0/0xdc [drm]\\n[ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\\n[ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm]\\n[ 110.914091] drm_ioctl+0x24c/0x3b0 [drm]\\n[ 110.914850] __arm64_sys_ioctl+0x9c/0xd4\\n[ 110.914873] invoke_syscall+0x4c/0x114\\n[ 110.914897] el0_svc_common+0xd0/0x118\\n[ 110.914917] do_el0_svc+0x38/0xd0\\n[ 110.914936] el0_svc+0x30/0x8c\\n[ 110.914958] el0t_64_sync_handler+0x84/0xf0\\n[ 110.914979] el0t_64_sync+0x18c/0x190\\n[ 110.914996] ---[ end trace 0000000000000000 ]---\\n\\nThis happens because, although `prepare_fb` and `cleanup_fb` are\\nperfectly balanced, we cannot guarantee consistency in the check\\nplane->state->fb == state->fb. This means that sometimes we can increase\\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\\nopposite can also be true.\\n\\nIn fact, the struct drm_plane .state shouldn't be accessed directly\\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\\nbe used. So, we could stick to this check, but using\\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35932\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35933", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35933" + }, + { + "url": "https://git.kernel.org/stable/c/006936ecb4edfc3102464044f75858c714e34d28" + }, + { + "url": "https://git.kernel.org/stable/c/22d3053ef05f0b5045e45bd91e7473846261d65e" + }, + { + "url": "https://git.kernel.org/stable/c/68a69bb2ecafaacdb998a87783068fb51736f43b" + }, + { + "url": "https://git.kernel.org/stable/c/86e9b47e8a75c74b1bd83a479979b425c5dc8bd9" + }, + { + "url": "https://git.kernel.org/stable/c/b19fe5eea619d54eea59bb8a37c0f8d00ef0e912" + }, + { + "url": "https://git.kernel.org/stable/c/b79e040910101b020931ba0c9a6b77e81ab7f645" + }, + { + "url": "https://git.kernel.org/stable/c/ec2049fb2b8be3e108fe2ef1f1040f91e72c9990" + }, + { + "url": "https://git.kernel.org/stable/c/ffdca0a62abaf8c41d8d9ea132000fd808de329b" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35933 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35933", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Fix null ptr deref in btintel_read_version\n\nIf hci_cmd_sync_complete() is triggered and skb is NULL, then\nhdev->req_skb is NULL, which will cause this issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35933\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35933\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35933\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35933\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35933\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/006936ecb4edfc3102464044f75858c714e34d28\",\n \"https://git.kernel.org/stable/c/22d3053ef05f0b5045e45bd91e7473846261d65e\",\n \"https://git.kernel.org/stable/c/68a69bb2ecafaacdb998a87783068fb51736f43b\",\n \"https://git.kernel.org/stable/c/86e9b47e8a75c74b1bd83a479979b425c5dc8bd9\",\n \"https://git.kernel.org/stable/c/b19fe5eea619d54eea59bb8a37c0f8d00ef0e912\",\n \"https://git.kernel.org/stable/c/b79e040910101b020931ba0c9a6b77e81ab7f645\",\n \"https://git.kernel.org/stable/c/ec2049fb2b8be3e108fe2ef1f1040f91e72c9990\",\n \"https://git.kernel.org/stable/c/ffdca0a62abaf8c41d8d9ea132000fd808de329b\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: btintel: Fix null ptr deref in btintel_read_version\\n\\nIf hci_cmd_sync_complete() is triggered and skb is NULL, then\\nhdev->req_skb is NULL, which will cause this issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35933\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35934", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35934" + }, + { + "url": "https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0" + }, + { + "url": "https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7" + }, + { + "url": "https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec" + }, + { + "url": "https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4" + }, + { + "url": "https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2" + }, + { + "url": "https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35934", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()\n\nMany syzbot reports show extreme rtnl pressure, and many of them hint\nthat smc acquires rtnl in netns creation for no good reason [1]\n\nThis patch returns early from smc_pnet_net_init()\nif there is no netdevice yet.\n\nI am not even sure why smc_pnet_create_pnetids_list() even exists,\nbecause smc_pnet_netdev_event() is also calling\nsmc_pnet_add_base_pnetid() when handling NETDEV_UP event.\n\n[1] extract of typical syzbot reports\n\n2 locks held by syz-executor.3/12252:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12253:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12257:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12261:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.0/12265:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.3/12268:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12271:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12274:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12280:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0\",\n \"https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7\",\n \"https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec\",\n \"https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4\",\n \"https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2\",\n \"https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()\\n\\nMany syzbot reports show extreme rtnl pressure, and many of them hint\\nthat smc acquires rtnl in netns creation for no good reason [1]\\n\\nThis patch returns early from smc_pnet_net_init()\\nif there is no netdevice yet.\\n\\nI am not even sure why smc_pnet_create_pnetids_list() even exists,\\nbecause smc_pnet_netdev_event() is also calling\\nsmc_pnet_add_base_pnetid() when handling NETDEV_UP event.\\n\\n[1] extract of typical syzbot reports\\n\\n2 locks held by syz-executor.3/12252:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.4/12253:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.1/12257:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.2/12261:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.0/12265:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.3/12268:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.4/12271:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.1/12274:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\\n2 locks held by syz-executor.2/12280:\\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35935", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35935" + }, + { + "url": "https://git.kernel.org/stable/c/024529c27c8b4b273325a169e078337c8279e229" + }, + { + "url": "https://git.kernel.org/stable/c/03938619a1e718b6168ae4528e1b0f979293f1a5" + }, + { + "url": "https://git.kernel.org/stable/c/2f6174fd4ccf403b42b3d5f0d1b6b496a0e5330a" + }, + { + "url": "https://git.kernel.org/stable/c/3c6ee34c6f9cd12802326da26631232a61743501" + }, + { + "url": "https://git.kernel.org/stable/c/4720d590c4cb5d9ffa0060b89743651cc7e995f9" + }, + { + "url": "https://git.kernel.org/stable/c/9ae356c627b493323e1433dcb27a26917668c07c" + }, + { + "url": "https://git.kernel.org/stable/c/be2b6bcc936ae17f42fff6494106a5660b35d8d3" + }, + { + "url": "https://git.kernel.org/stable/c/c1363ed8867b81ea169fba2ccc14af96a85ed183" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35935 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35935", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\n\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don't accidentally leak kernel\naddresses.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35935\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35935\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35935\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35935\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35935\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/024529c27c8b4b273325a169e078337c8279e229\",\n \"https://git.kernel.org/stable/c/03938619a1e718b6168ae4528e1b0f979293f1a5\",\n \"https://git.kernel.org/stable/c/2f6174fd4ccf403b42b3d5f0d1b6b496a0e5330a\",\n \"https://git.kernel.org/stable/c/3c6ee34c6f9cd12802326da26631232a61743501\",\n \"https://git.kernel.org/stable/c/4720d590c4cb5d9ffa0060b89743651cc7e995f9\",\n \"https://git.kernel.org/stable/c/9ae356c627b493323e1433dcb27a26917668c07c\",\n \"https://git.kernel.org/stable/c/be2b6bcc936ae17f42fff6494106a5660b35d8d3\",\n \"https://git.kernel.org/stable/c/c1363ed8867b81ea169fba2ccc14af96a85ed183\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\\n\\nChange BUG_ON to proper error handling if building the path buffer\\nfails. The pointers are not printed so we don't accidentally leak kernel\\naddresses.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35935\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35936", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35936" + }, + { + "url": "https://git.kernel.org/stable/c/0d23b34c68c46cd225b55868bc8a269e3134816d" + }, + { + "url": "https://git.kernel.org/stable/c/1f9212cdbd005bc55f2b7422e7b560d9c02bd1da" + }, + { + "url": "https://git.kernel.org/stable/c/36c2a2863bc3896243eb724dc3fd4cf9aea633f2" + }, + { + "url": "https://git.kernel.org/stable/c/576164bd01bd795f8b09fb194b493103506b33c9" + }, + { + "url": "https://git.kernel.org/stable/c/7411055db5ce64f836aaffd422396af0075fdc99" + }, + { + "url": "https://git.kernel.org/stable/c/87299cdaae757f3f41212146cfb5b3af416b8385" + }, + { + "url": "https://git.kernel.org/stable/c/bebd9e0ff90034875c5dfe4bd514fd7055fc7a89" + }, + { + "url": "https://git.kernel.org/stable/c/d1ffa4ae2d591fdd40471074e79954ec45f147f7" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35936 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35936", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\n\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\n\n- at first the search key is set up to look for a chunk tree item, with\n offset -1, this is an inexact search and the key->offset will contain\n the correct offset upon a successful search, a valid chunk tree item\n cannot have an offset -1\n\n- after first successful search, the found_key corresponds to a chunk\n item, the offset is decremented by 1 before the next loop, it's\n impossible to find a chunk item there due to alignment and size\n constraints", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35936\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35936\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35936\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35936\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35936\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d23b34c68c46cd225b55868bc8a269e3134816d\",\n \"https://git.kernel.org/stable/c/1f9212cdbd005bc55f2b7422e7b560d9c02bd1da\",\n \"https://git.kernel.org/stable/c/36c2a2863bc3896243eb724dc3fd4cf9aea633f2\",\n \"https://git.kernel.org/stable/c/576164bd01bd795f8b09fb194b493103506b33c9\",\n \"https://git.kernel.org/stable/c/7411055db5ce64f836aaffd422396af0075fdc99\",\n \"https://git.kernel.org/stable/c/87299cdaae757f3f41212146cfb5b3af416b8385\",\n \"https://git.kernel.org/stable/c/bebd9e0ff90034875c5dfe4bd514fd7055fc7a89\",\n \"https://git.kernel.org/stable/c/d1ffa4ae2d591fdd40471074e79954ec45f147f7\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\\n\\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\\nas it could be caused only by two impossible conditions:\\n\\n- at first the search key is set up to look for a chunk tree item, with\\n offset -1, this is an inexact search and the key->offset will contain\\n the correct offset upon a successful search, a valid chunk tree item\\n cannot have an offset -1\\n\\n- after first successful search, the found_key corresponds to a chunk\\n item, the offset is decremented by 1 before the next loop, it's\\n impossible to find a chunk item there due to alignment and size\\n constraints\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35936\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35937", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35937" + }, + { + "url": "https://git.kernel.org/stable/c/16da1e1dac23be45ef6e23c41b1508c400e6c544" + }, + { + "url": "https://git.kernel.org/stable/c/5d7a8585fbb31e88fb2a0f581b70667d3300d1e9" + }, + { + "url": "https://git.kernel.org/stable/c/9ad7974856926129f190ffbe3beea78460b3b7cc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35937 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35937", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: check A-MSDU format more carefully\n\nIf it looks like there's another subframe in the A-MSDU\nbut the header isn't fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35937\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35937\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35937\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35937\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35937\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16da1e1dac23be45ef6e23c41b1508c400e6c544\",\n \"https://git.kernel.org/stable/c/5d7a8585fbb31e88fb2a0f581b70667d3300d1e9\",\n \"https://git.kernel.org/stable/c/9ad7974856926129f190ffbe3beea78460b3b7cc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: cfg80211: check A-MSDU format more carefully\\n\\nIf it looks like there's another subframe in the A-MSDU\\nbut the header isn't fully there, we can end up reading\\ndata out of bounds, only to discard later. Make this a\\nbit more careful and check if the subframe header can\\neven be present.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35937\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35938", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35938" + }, + { + "url": "https://git.kernel.org/stable/c/138fdeac75fb7512a7f9f1c3b236cd2e754af793" + }, + { + "url": "https://git.kernel.org/stable/c/1cca1bddf9ef080503c15378cecf4877f7510015" + }, + { + "url": "https://git.kernel.org/stable/c/6597a6687af54e2cb58371cf8f6ee4dd85c537de" + }, + { + "url": "https://git.kernel.org/stable/c/805a1cdde82fec00c7471a393f4bb437b2741559" + }, + { + "url": "https://git.kernel.org/stable/c/ae5876b3b7b2243d874e2afa099e7926122087a1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35938 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35938", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: decrease MHI channel buffer length to 8KB\n\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\nwith 0, making MHI use a default size, 64KB, to allocate channel\nbuffers. This is likely to fail in some scenarios where system\nmemory is highly fragmented and memory compaction or reclaim is\nnot allowed.\n\nThere is a fail report which is caused by it:\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\nWorkqueue: events_unbound async_run_entry_fn\nCall Trace:\n \n dump_stack_lvl+0x47/0x60\n warn_alloc+0x13a/0x1b0\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __alloc_pages_direct_compact+0xab/0x210\n __alloc_pages_slowpath.constprop.0+0xd3e/0xda0\n __alloc_pages+0x32d/0x350\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __kmalloc_large_node+0x72/0x110\n __kmalloc+0x37c/0x480\n ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n device_for_each_child+0x5c/0xa0\n ? __pfx_pci_pm_resume+0x10/0x10\n ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\n ? srso_alias_return_thunk+0x5/0xfbef5\n dpm_run_callback+0x8c/0x1e0\n device_resume+0x104/0x340\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x32/0x120\n process_one_work+0x168/0x330\n worker_thread+0x2f5/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe8/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nActually those buffers are used only by QMI target -> host communication.\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\nthan 6KB. So change buf_len field to 8KB, which results in order 1\nallocation if page size is 4KB. In this way, we can at least save some\nmemory, and as well as decrease the possibility of allocation failure\nin those scenarios.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35938\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35938\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35938\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35938\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35938\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/138fdeac75fb7512a7f9f1c3b236cd2e754af793\",\n \"https://git.kernel.org/stable/c/1cca1bddf9ef080503c15378cecf4877f7510015\",\n \"https://git.kernel.org/stable/c/6597a6687af54e2cb58371cf8f6ee4dd85c537de\",\n \"https://git.kernel.org/stable/c/805a1cdde82fec00c7471a393f4bb437b2741559\",\n \"https://git.kernel.org/stable/c/ae5876b3b7b2243d874e2afa099e7926122087a1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath11k: decrease MHI channel buffer length to 8KB\\n\\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\\nwith 0, making MHI use a default size, 64KB, to allocate channel\\nbuffers. This is likely to fail in some scenarios where system\\nmemory is highly fragmented and memory compaction or reclaim is\\nnot allowed.\\n\\nThere is a fail report which is caused by it:\\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\\nWorkqueue: events_unbound async_run_entry_fn\\nCall Trace:\\n \\n dump_stack_lvl+0x47/0x60\\n warn_alloc+0x13a/0x1b0\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? __alloc_pages_direct_compact+0xab/0x210\\n __alloc_pages_slowpath.constprop.0+0xd3e/0xda0\\n __alloc_pages+0x32d/0x350\\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n __kmalloc_large_node+0x72/0x110\\n __kmalloc+0x37c/0x480\\n ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n device_for_each_child+0x5c/0xa0\\n ? __pfx_pci_pm_resume+0x10/0x10\\n ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n dpm_run_callback+0x8c/0x1e0\\n device_resume+0x104/0x340\\n ? __pfx_dpm_watchdog_handler+0x10/0x10\\n async_resume+0x1d/0x30\\n async_run_entry_fn+0x32/0x120\\n process_one_work+0x168/0x330\\n worker_thread+0x2f5/0x410\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xe8/0x120\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x34/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \\n\\nActually those buffers are used only by QMI target -> host communication.\\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\\nthan 6KB. So change buf_len field to 8KB, which results in order 1\\nallocation if page size is 4KB. In this way, we can at least save some\\nmemory, and as well as decrease the possibility of allocation failure\\nin those scenarios.\\n\\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35938\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35939", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35939" + }, + { + "url": "https://git.kernel.org/stable/c/4031b72ca747a1e6e9ae4fa729e765b43363d66a" + }, + { + "url": "https://git.kernel.org/stable/c/4e0cfb25d49da2e6261ad582f58ffa5b5dd8c8e9" + }, + { + "url": "https://git.kernel.org/stable/c/b57326c96b7bc7638aa8c44e12afa2defe0c934c" + }, + { + "url": "https://git.kernel.org/stable/c/b9fa16949d18e06bdf728a560f5c8af56d2bdcaf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35939 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35939", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-direct: Leak pages on dma_set_decrypted() failure\n\nOn TDX it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nDMA could free decrypted/shared pages if dma_set_decrypted() fails. This\nshould be a rare case. Just leak the pages in this case instead of\nfreeing them.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35939\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35939\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35939\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35939\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35939\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4031b72ca747a1e6e9ae4fa729e765b43363d66a\",\n \"https://git.kernel.org/stable/c/4e0cfb25d49da2e6261ad582f58ffa5b5dd8c8e9\",\n \"https://git.kernel.org/stable/c/b57326c96b7bc7638aa8c44e12afa2defe0c934c\",\n \"https://git.kernel.org/stable/c/b9fa16949d18e06bdf728a560f5c8af56d2bdcaf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma-direct: Leak pages on dma_set_decrypted() failure\\n\\nOn TDX it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nDMA could free decrypted/shared pages if dma_set_decrypted() fails. This\\nshould be a rare case. Just leak the pages in this case instead of\\nfreeing them.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35939\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35940", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35940" + }, + { + "url": "https://git.kernel.org/stable/c/0ff96ec22a84d80a18d7ae8ca7eb111c34ee33bb" + }, + { + "url": "https://git.kernel.org/stable/c/635594cca59f9d7a8e96187600c34facb8bc0682" + }, + { + "url": "https://git.kernel.org/stable/c/6f9f2e498eae7897ba5d3e33908917f68ff4abcc" + }, + { + "url": "https://git.kernel.org/stable/c/98bc7e26e14fbb26a6abf97603d59532475e97f8" + }, + { + "url": "https://git.kernel.org/stable/c/98e2b97acb875d65bdfc75fc408e67975cef3041" + }, + { + "url": "https://git.kernel.org/stable/c/ec7256887d072f98c42cdbef4dcc80ddf84c7a70" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35940 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35940", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/zone: Add a null pointer check to the psz_kmsg_read\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35940\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35940\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35940\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35940\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35940\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ff96ec22a84d80a18d7ae8ca7eb111c34ee33bb\",\n \"https://git.kernel.org/stable/c/635594cca59f9d7a8e96187600c34facb8bc0682\",\n \"https://git.kernel.org/stable/c/6f9f2e498eae7897ba5d3e33908917f68ff4abcc\",\n \"https://git.kernel.org/stable/c/98bc7e26e14fbb26a6abf97603d59532475e97f8\",\n \"https://git.kernel.org/stable/c/98e2b97acb875d65bdfc75fc408e67975cef3041\",\n \"https://git.kernel.org/stable/c/ec7256887d072f98c42cdbef4dcc80ddf84c7a70\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npstore/zone: Add a null pointer check to the psz_kmsg_read\\n\\nkasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure. Ensure the allocation was successful\\nby checking the pointer validity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35940\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35941", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35941" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35941 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35941", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35941\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35941\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35941\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35941\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35941\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35941\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35942", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35942" + }, + { + "url": "https://git.kernel.org/stable/c/697624ee8ad557ab5417f985d2c804241a7ad30d" + }, + { + "url": "https://git.kernel.org/stable/c/9d3f959b426635c4da50dfc7b1306afd84d23e7c" + }, + { + "url": "https://git.kernel.org/stable/c/b13c0d871cd878ff53d25507ca535f59ed1f6a2a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35942 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35942", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain\n\nAccording to i.MX8MP RM and HDMI ADD, the fdcc clock is part of\nhdmi rx verification IP that should not enable for HDMI TX.\nBut actually if the clock is disabled before HDMI/LCDIF probe,\nLCDIF will not get pixel clock from HDMI PHY and print the error\nlogs:\n\n[CRTC:39:crtc-2] vblank wait timed out\nWARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260\n\nAdd fdcc clock to LCDIF and HDMI TX power domains to fix the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35942\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35942\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35942\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35942\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35942\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/697624ee8ad557ab5417f985d2c804241a7ad30d\",\n \"https://git.kernel.org/stable/c/9d3f959b426635c4da50dfc7b1306afd84d23e7c\",\n \"https://git.kernel.org/stable/c/b13c0d871cd878ff53d25507ca535f59ed1f6a2a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain\\n\\nAccording to i.MX8MP RM and HDMI ADD, the fdcc clock is part of\\nhdmi rx verification IP that should not enable for HDMI TX.\\nBut actually if the clock is disabled before HDMI/LCDIF probe,\\nLCDIF will not get pixel clock from HDMI PHY and print the error\\nlogs:\\n\\n[CRTC:39:crtc-2] vblank wait timed out\\nWARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260\\n\\nAdd fdcc clock to LCDIF and HDMI TX power domains to fix the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35942\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35943", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35943" + }, + { + "url": "https://git.kernel.org/stable/c/04f23510daa40f9010fadf309507564a34ad956f" + }, + { + "url": "https://git.kernel.org/stable/c/5d7f58ee08434a33340f75ac7ac5071eea9673b3" + }, + { + "url": "https://git.kernel.org/stable/c/ce666cecc09c0f92d5f86d89d8068ecfcf723a7e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35943 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35943", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35943\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35943\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35943\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35943\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35943\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04f23510daa40f9010fadf309507564a34ad956f\",\n \"https://git.kernel.org/stable/c/5d7f58ee08434a33340f75ac7ac5071eea9673b3\",\n \"https://git.kernel.org/stable/c/ce666cecc09c0f92d5f86d89d8068ecfcf723a7e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\\n\\ndevm_kasprintf() returns a pointer to dynamically allocated memory\\nwhich can be NULL upon failure. Ensure the allocation was successful\\nby checking the pointer validity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35943\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35944", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35944" + }, + { + "url": "https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74" + }, + { + "url": "https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec" + }, + { + "url": "https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f" + }, + { + "url": "https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100" + }, + { + "url": "https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73" + }, + { + "url": "https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051" + }, + { + "url": "https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b" + }, + { + "url": "https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35944 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35944", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()\n\nSyzkaller hit 'WARNING in dg_dispatch_as_host' bug.\n\nmemcpy: detected field-spanning write (size 56) of single field \"&dg_info->msg\"\nat drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)\n\nWARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237\ndg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237\n\nSome code commentry, based on my understanding:\n\n544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)\n/// This is 24 + payload_size\n\nmemcpy(&dg_info->msg, dg, dg_size);\n\tDestination = dg_info->msg ---> this is a 24 byte\n\t\t\t\t\tstructure(struct vmci_datagram)\n\tSource = dg --> this is a 24 byte structure (struct vmci_datagram)\n\tSize = dg_size = 24 + payload_size\n\n{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.\n\n 35 struct delayed_datagram_info {\n 36 struct datagram_entry *entry;\n 37 struct work_struct work;\n 38 bool in_dg_host_queue;\n 39 /* msg and msg_payload must be together. */\n 40 struct vmci_datagram msg;\n 41 u8 msg_payload[];\n 42 };\n\nSo those extra bytes of payload are copied into msg_payload[], a run time\nwarning is seen while fuzzing with Syzkaller.\n\nOne possible way to fix the warning is to split the memcpy() into\ntwo parts -- one -- direct assignment of msg and second taking care of payload.\n\nGustavo quoted:\n\"Under FORTIFY_SOURCE we should not copy data across multiple members\nin a structure.\"", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35944\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35944\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35944\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35944\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35944\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74\",\n \"https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec\",\n \"https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f\",\n \"https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100\",\n \"https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73\",\n \"https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051\",\n \"https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b\",\n \"https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nVMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()\\n\\nSyzkaller hit 'WARNING in dg_dispatch_as_host' bug.\\n\\nmemcpy: detected field-spanning write (size 56) of single field \\\"&dg_info->msg\\\"\\nat drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)\\n\\nWARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237\\ndg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237\\n\\nSome code commentry, based on my understanding:\\n\\n544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)\\n/// This is 24 + payload_size\\n\\nmemcpy(&dg_info->msg, dg, dg_size);\\n\\tDestination = dg_info->msg ---> this is a 24 byte\\n\\t\\t\\t\\t\\tstructure(struct vmci_datagram)\\n\\tSource = dg --> this is a 24 byte structure (struct vmci_datagram)\\n\\tSize = dg_size = 24 + payload_size\\n\\n{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.\\n\\n 35 struct delayed_datagram_info {\\n 36 struct datagram_entry *entry;\\n 37 struct work_struct work;\\n 38 bool in_dg_host_queue;\\n 39 /* msg and msg_payload must be together. */\\n 40 struct vmci_datagram msg;\\n 41 u8 msg_payload[];\\n 42 };\\n\\nSo those extra bytes of payload are copied into msg_payload[], a run time\\nwarning is seen while fuzzing with Syzkaller.\\n\\nOne possible way to fix the warning is to split the memcpy() into\\ntwo parts -- one -- direct assignment of msg and second taking care of payload.\\n\\nGustavo quoted:\\n\\\"Under FORTIFY_SOURCE we should not copy data across multiple members\\nin a structure.\\\"\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35944\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35945", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35945" + }, + { + "url": "https://git.kernel.org/stable/c/3419ee39e3d3162ab2ec9942bb537613ed5b6311" + }, + { + "url": "https://git.kernel.org/stable/c/61c81872815f46006982bb80460c0c80a949b35b" + }, + { + "url": "https://git.kernel.org/stable/c/7a71f61ebf95cedd3f245db6da397822971d8db5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35945 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35945", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: phy_device: Prevent nullptr exceptions on ISR\n\nIf phydev->irq is set unconditionally, check\nfor valid interrupt handler or fall back to polling mode to prevent\nnullptr exceptions in interrupt service routine.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35945\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35945\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35945\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35945\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35945\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3419ee39e3d3162ab2ec9942bb537613ed5b6311\",\n \"https://git.kernel.org/stable/c/61c81872815f46006982bb80460c0c80a949b35b\",\n \"https://git.kernel.org/stable/c/7a71f61ebf95cedd3f245db6da397822971d8db5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: phy: phy_device: Prevent nullptr exceptions on ISR\\n\\nIf phydev->irq is set unconditionally, check\\nfor valid interrupt handler or fall back to polling mode to prevent\\nnullptr exceptions in interrupt service routine.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35945\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35946", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35946" + }, + { + "url": "https://git.kernel.org/stable/c/4f11c741908dab7dd48fa5a986b210d4fc74ca8d" + }, + { + "url": "https://git.kernel.org/stable/c/7e11a2966f51695c0af0b1f976a32d64dee243b2" + }, + { + "url": "https://git.kernel.org/stable/c/b34d64e9aa5505e3c84570aed5c757f1839573e8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35946 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35946", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix null pointer access when abort scan\n\nDuring cancel scan we might use vif that weren't scanning.\nFix this by using the actual scanning vif.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35946\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35946\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35946\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35946\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35946\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4f11c741908dab7dd48fa5a986b210d4fc74ca8d\",\n \"https://git.kernel.org/stable/c/7e11a2966f51695c0af0b1f976a32d64dee243b2\",\n \"https://git.kernel.org/stable/c/b34d64e9aa5505e3c84570aed5c757f1839573e8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: rtw89: fix null pointer access when abort scan\\n\\nDuring cancel scan we might use vif that weren't scanning.\\nFix this by using the actual scanning vif.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35946\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35947", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35947" + }, + { + "url": "https://git.kernel.org/stable/c/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c" + }, + { + "url": "https://git.kernel.org/stable/c/343081c21e56bd6690d342e2f5ae8c00183bf081" + }, + { + "url": "https://git.kernel.org/stable/c/3c718bddddca9cbef177ac475b94c5c91147fb38" + }, + { + "url": "https://git.kernel.org/stable/c/41d8ac238ab1cab01a8c71798d61903304f4e79b" + }, + { + "url": "https://git.kernel.org/stable/c/529e1852785599160415e964ca322ee7add7aef0" + }, + { + "url": "https://git.kernel.org/stable/c/a66c869b17c4c4dcf81d273b02cb0efe88e127ab" + }, + { + "url": "https://git.kernel.org/stable/c/a69e1bdd777ce51061111dc419801e8a2fd241cc" + }, + { + "url": "https://git.kernel.org/stable/c/ba3c118cff7bcb0fe6aa84ae1f9080d50e31c561" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35947 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35947", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndyndbg: fix old BUG_ON in >control parser\n\nFix a BUG_ON from 2009. Even if it looks \"unreachable\" (I didn't\nreally look), lets make sure by removing it, doing pr_err and return\n-EINVAL instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35947\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35947\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35947\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35947\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35947\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c\",\n \"https://git.kernel.org/stable/c/343081c21e56bd6690d342e2f5ae8c00183bf081\",\n \"https://git.kernel.org/stable/c/3c718bddddca9cbef177ac475b94c5c91147fb38\",\n \"https://git.kernel.org/stable/c/41d8ac238ab1cab01a8c71798d61903304f4e79b\",\n \"https://git.kernel.org/stable/c/529e1852785599160415e964ca322ee7add7aef0\",\n \"https://git.kernel.org/stable/c/a66c869b17c4c4dcf81d273b02cb0efe88e127ab\",\n \"https://git.kernel.org/stable/c/a69e1bdd777ce51061111dc419801e8a2fd241cc\",\n \"https://git.kernel.org/stable/c/ba3c118cff7bcb0fe6aa84ae1f9080d50e31c561\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndyndbg: fix old BUG_ON in >control parser\\n\\nFix a BUG_ON from 2009. Even if it looks \\\"unreachable\\\" (I didn't\\nreally look), lets make sure by removing it, doing pr_err and return\\n-EINVAL instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35947\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35948", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35948" + }, + { + "url": "https://git.kernel.org/stable/c/fcdbc1d7a4b638e5d5668de461f320386f3002aa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35948 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35948", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: Check for journal entries overruning end of sb clean section\n\nFix a missing bounds check in superblock validation.\n\nNote that we don't yet have repair code for this case - repair code for\nindividual items is generally low priority, since the whole superblock\nis checksummed, validated prior to write, and we have backups.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35948\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35948\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35948\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35948\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35948\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/fcdbc1d7a4b638e5d5668de461f320386f3002aa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbcachefs: Check for journal entries overruning end of sb clean section\\n\\nFix a missing bounds check in superblock validation.\\n\\nNote that we don't yet have repair code for this case - repair code for\\nindividual items is generally low priority, since the whole superblock\\nis checksummed, validated prior to write, and we have backups.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.4,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35948\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35949", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35949" + }, + { + "url": "https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273" + }, + { + "url": "https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35949 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35949", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make sure that WRITTEN is set on all metadata blocks\n\nWe previously would call btrfs_check_leaf() if we had the check\nintegrity code enabled, which meant that we could only run the extended\nleaf checks if we had WRITTEN set on the header flags.\n\nThis leaves a gap in our checking, because we could end up with\ncorruption on disk where WRITTEN isn't set on the leaf, and then the\nextended leaf checks don't get run which we rely on to validate all of\nthe item pointers to make sure we don't access memory outside of the\nextent buffer.\n\nHowever, since 732fab95abe2 (\"btrfs: check-integrity: remove\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\") we no longer call\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\never call it on blocks that are being written out, and thus have WRITTEN\nset, or that are being read in, which should have WRITTEN set.\n\nAdd checks to make sure we have WRITTEN set appropriately, and then make\nsure __btrfs_check_leaf() always does the item checking. This will\nprotect us from file systems that have been corrupted and no longer have\nWRITTEN set on some of the blocks.\n\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\nKASAN as out-of-bound access in the eb accessors. The example is a dir\nitem at the end of an eb.\n\n [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\n [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\n [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\n [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\n [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\n [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\n [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\n [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\n [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\n [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\n [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\n [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\n [2.621] Call Trace:\n [2.621] \n [2.621] ? show_regs+0x74/0x80\n [2.621] ? die_addr+0x46/0xc0\n [2.621] ? exc_general_protection+0x161/0x2a0\n [2.621] ? asm_exc_general_protection+0x26/0x30\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? btrfs_get_16+0x34b/0x6d0\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? __pfx_btrfs_get_16+0x10/0x10\n [2.621] ? __pfx_mutex_unlock+0x10/0x10\n [2.621] btrfs_match_dir_item_name+0x101/0x1a0\n [2.621] btrfs_lookup_dir_item+0x1f3/0x280\n [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10\n [2.621] btrfs_get_tree+0xd25/0x1910\n\n[ copy more details from report ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35949\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35949\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35949\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35949\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35949\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273\",\n \"https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee\",\n \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: make sure that WRITTEN is set on all metadata blocks\\n\\nWe previously would call btrfs_check_leaf() if we had the check\\nintegrity code enabled, which meant that we could only run the extended\\nleaf checks if we had WRITTEN set on the header flags.\\n\\nThis leaves a gap in our checking, because we could end up with\\ncorruption on disk where WRITTEN isn't set on the leaf, and then the\\nextended leaf checks don't get run which we rely on to validate all of\\nthe item pointers to make sure we don't access memory outside of the\\nextent buffer.\\n\\nHowever, since 732fab95abe2 (\\\"btrfs: check-integrity: remove\\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\\\") we no longer call\\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\\never call it on blocks that are being written out, and thus have WRITTEN\\nset, or that are being read in, which should have WRITTEN set.\\n\\nAdd checks to make sure we have WRITTEN set appropriately, and then make\\nsure __btrfs_check_leaf() always does the item checking. This will\\nprotect us from file systems that have been corrupted and no longer have\\nWRITTEN set on some of the blocks.\\n\\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\\nKASAN as out-of-bound access in the eb accessors. The example is a dir\\nitem at the end of an eb.\\n\\n [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\\n [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\\n [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\\n [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\\n [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\n [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\\n [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\\n [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\\n [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\\n [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\\n [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\\n [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\\n [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\\n [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\\n [2.621] Call Trace:\\n [2.621] \\n [2.621] ? show_regs+0x74/0x80\\n [2.621] ? die_addr+0x46/0xc0\\n [2.621] ? exc_general_protection+0x161/0x2a0\\n [2.621] ? asm_exc_general_protection+0x26/0x30\\n [2.621] ? btrfs_get_16+0x33a/0x6d0\\n [2.621] ? btrfs_get_16+0x34b/0x6d0\\n [2.621] ? btrfs_get_16+0x33a/0x6d0\\n [2.621] ? __pfx_btrfs_get_16+0x10/0x10\\n [2.621] ? __pfx_mutex_unlock+0x10/0x10\\n [2.621] btrfs_match_dir_item_name+0x101/0x1a0\\n [2.621] btrfs_lookup_dir_item+0x1f3/0x280\\n [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10\\n [2.621] btrfs_get_tree+0xd25/0x1910\\n\\n[ copy more details from report ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35949\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35950", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35950" + }, + { + "url": "https://git.kernel.org/stable/c/04e018bd913d3d3336ab7d21c2ad31a9175fe984" + }, + { + "url": "https://git.kernel.org/stable/c/18c8cc6680ce938d0458859b6a08b4d34f7d8055" + }, + { + "url": "https://git.kernel.org/stable/c/3eadd887dbac1df8f25f701e5d404d1b90fd0fea" + }, + { + "url": "https://git.kernel.org/stable/c/41586487769eede64ab1aa6c65c74cbf76c12ef0" + }, + { + "url": "https://git.kernel.org/stable/c/5a2f957e3c4553bbb100504a1acfeaeb33f4ca4e" + }, + { + "url": "https://git.kernel.org/stable/c/8ceb873d816786a7c8058f50d903574aff8d3764" + }, + { + "url": "https://git.kernel.org/stable/c/d2dc6600d4e3e1453e3b1fb233e9f97e2a1ae949" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35950 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35950", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\n\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it the elements may already be pointing to\nfreed/reused memory.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35950\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35950\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35950\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35950\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35950\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04e018bd913d3d3336ab7d21c2ad31a9175fe984\",\n \"https://git.kernel.org/stable/c/18c8cc6680ce938d0458859b6a08b4d34f7d8055\",\n \"https://git.kernel.org/stable/c/3eadd887dbac1df8f25f701e5d404d1b90fd0fea\",\n \"https://git.kernel.org/stable/c/41586487769eede64ab1aa6c65c74cbf76c12ef0\",\n \"https://git.kernel.org/stable/c/5a2f957e3c4553bbb100504a1acfeaeb33f4ca4e\",\n \"https://git.kernel.org/stable/c/8ceb873d816786a7c8058f50d903574aff8d3764\",\n \"https://git.kernel.org/stable/c/d2dc6600d4e3e1453e3b1fb233e9f97e2a1ae949\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\\n\\nThe modes[] array contains pointers to modes on the connectors'\\nmode lists, which are protected by dev->mode_config.mutex.\\nThus we need to extend modes[] the same protection or by the\\ntime we use it the elements may already be pointing to\\nfreed/reused memory.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35950\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35951", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35951" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/1fc9af813b25e146d3607669247d0f970f5a87c3" + }, + { + "url": "https://git.kernel.org/stable/c/31806711e8a4b75e09b1c43652f2a6420e6e1002" + }, + { + "url": "https://git.kernel.org/stable/c/e18070c622c63f0cab170348e320454728c277aa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35951 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35951", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\n\nSubject: [PATCH] drm/panfrost: Fix the error path in\n panfrost_mmu_map_fault_addr()\n\nIf some the pages or sgt allocation failed, we shouldn't release the\npages ref we got earlier, otherwise we will end up with unbalanced\nget/put_pages() calls. We should instead leave everything in place\nand let the BO release function deal with extra cleanup when the object\nis destroyed, or let the fault handler try again next time it's called.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35951\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35951\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35951\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35951\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35951\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/1fc9af813b25e146d3607669247d0f970f5a87c3\",\n \"https://git.kernel.org/stable/c/31806711e8a4b75e09b1c43652f2a6420e6e1002\",\n \"https://git.kernel.org/stable/c/e18070c622c63f0cab170348e320454728c277aa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\\n\\nSubject: [PATCH] drm/panfrost: Fix the error path in\\n panfrost_mmu_map_fault_addr()\\n\\nIf some the pages or sgt allocation failed, we shouldn't release the\\npages ref we got earlier, otherwise we will end up with unbalanced\\nget/put_pages() calls. We should instead leave everything in place\\nand let the BO release function deal with extra cleanup when the object\\nis destroyed, or let the fault handler try again next time it's called.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35951\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35955", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35955" + }, + { + "url": "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e" + }, + { + "url": "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8" + }, + { + "url": "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0" + }, + { + "url": "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d" + }, + { + "url": "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808" + }, + { + "url": "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412" + }, + { + "url": "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33" + }, + { + "url": "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35955 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35955", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\n\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35955\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35955\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35955\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35955\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35955\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e\",\n \"https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8\",\n \"https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0\",\n \"https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d\",\n \"https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808\",\n \"https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412\",\n \"https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33\",\n \"https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkprobes: Fix possible use-after-free issue on kprobe registration\\n\\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\\na time. `is_module_text_address()` and `__module_text_address()`\\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\\nIf we use `is_module_text_address()` and `__module_text_address()`\\nseparately, there is a chance that the first one is succeeded but the\\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\\nbetween those operations.\\n\\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\\nis failed, that is ignored because it expected a kernel_text address.\\nBut it may have failed simply because module->state has been changed\\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\\nnon-exist module text address (use-after-free).\\n\\nTo fix this problem, we should not use separated `is_module_text_address()`\\nand `__module_text_address()`, but use only `__module_text_address()`\\nonce and do `try_module_get(module)` which is only available with\\nMODULE_STATE_LIVE.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35955\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35956", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35956" + }, + { + "url": "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9" + }, + { + "url": "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c" + }, + { + "url": "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35956 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35956", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\n\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\n\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\n\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n\n1. any failure before record_root_in_trans is called successfully\n results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n transaction owns freeing the reservation.\n\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35956\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35956\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35956\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35956\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35956\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9\",\n \"https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c\",\n \"https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\\n\\nCreate subvolume, create snapshot and delete subvolume all use\\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\\ndone to the parent subvolume's fs tree, which cannot be mediated in the\\nnormal way via start_transaction. When quota groups (squota or qgroups)\\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\\noperation is associated to a transaction, we convert PREALLOC to\\nPERTRANS, which gets cleared in bulk at the end of the transaction.\\n\\nHowever, the error paths of these three operations were not implementing\\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\\nPERTRANS in a generic cleanup step regardless of errors or whether the\\noperation was fully associated to a transaction or not. This resulted in\\nerror paths occasionally converting this rsv to PERTRANS without calling\\nrecord_root_in_trans successfully, which meant that unless that root got\\nrecorded in the transaction by some other thread, the end of the\\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\\nfor the leaked reservation.\\n\\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\\nfollowing properties:\\n\\n1. any failure before record_root_in_trans is called successfully\\n results in freeing the PREALLOC reservation.\\n2. after record_root_in_trans, we convert to PERTRANS, and now the\\n transaction owns freeing the reservation.\\n\\nThis patch enforces those properties on the three operations. Without\\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\\nruns on my system. With this patch, it ran successfully 1000 times in a\\nrow.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35956\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35958", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35958" + }, + { + "url": "https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1" + }, + { + "url": "https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7" + }, + { + "url": "https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0" + }, + { + "url": "https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde" + }, + { + "url": "https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d" + }, + { + "url": "https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35958 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35958", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Fix incorrect descriptor free behavior\n\nENA has two types of TX queues:\n- queues which only process TX packets arriving from the network stack\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\n or XDP_TX instructions\n\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\nand unmaps + frees every descriptor that hasn't been acknowledged yet\nby the device (uncompleted TX transactions).\nThe function assumes that the processed TX queue is necessarily from\nthe first category listed above and ends up using napi_consume_skb()\nfor descriptors belonging to an XDP specific queue.\n\nThis patch solves a bug in which, in case of a VF reset, the\ndescriptors aren't freed correctly, leading to crashes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35958\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35958\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35958\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35958\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35958\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1\",\n \"https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7\",\n \"https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0\",\n \"https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde\",\n \"https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d\",\n \"https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ena: Fix incorrect descriptor free behavior\\n\\nENA has two types of TX queues:\\n- queues which only process TX packets arriving from the network stack\\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\\n or XDP_TX instructions\\n\\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\\nand unmaps + frees every descriptor that hasn't been acknowledged yet\\nby the device (uncompleted TX transactions).\\nThe function assumes that the processed TX queue is necessarily from\\nthe first category listed above and ends up using napi_consume_skb()\\nfor descriptors belonging to an XDP specific queue.\\n\\nThis patch solves a bug in which, in case of a VF reset, the\\ndescriptors aren't freed correctly, leading to crashes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35958\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35959", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35959" + }, + { + "url": "https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7" + }, + { + "url": "https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76" + }, + { + "url": "https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519" + }, + { + "url": "https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35959 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35959", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\n\nWhen mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which\ncalls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using\nlockdep_is_held().\n\nAcquire the state_lock in mlx5e_selq_cleanup().\n\nKernel log:\n=============================\nWARNING: suspicious RCU usage\n6.8.0-rc3_net_next_841a9b5 #1 Not tainted\n-----------------------------\ndrivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by systemd-modules/293:\n #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]\n #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]\n\nstack backtrace:\nCPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x8a/0xa0\n lockdep_rcu_suspicious+0x154/0x1a0\n mlx5e_selq_apply+0x94/0xa0 [mlx5_core]\n mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]\n mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]\n mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]\n rdma_init_netdev+0x4e/0x80 [ib_core]\n ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]\n ipoib_intf_init+0x64/0x550 [ib_ipoib]\n ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]\n ipoib_add_one+0xb0/0x360 [ib_ipoib]\n add_client_context+0x112/0x1c0 [ib_core]\n ib_register_client+0x166/0x1b0 [ib_core]\n ? 0xffffffffa0573000\n ipoib_init_module+0xeb/0x1a0 [ib_ipoib]\n do_one_initcall+0x61/0x250\n do_init_module+0x8a/0x270\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x17d/0x230\n __x64_sys_finit_module+0x61/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35959\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35959\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35959\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35959\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35959\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7\",\n \"https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76\",\n \"https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519\",\n \"https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\\n\\nWhen mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which\\ncalls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using\\nlockdep_is_held().\\n\\nAcquire the state_lock in mlx5e_selq_cleanup().\\n\\nKernel log:\\n=============================\\nWARNING: suspicious RCU usage\\n6.8.0-rc3_net_next_841a9b5 #1 Not tainted\\n-----------------------------\\ndrivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!\\n\\nother info that might help us debug this:\\n\\nrcu_scheduler_active = 2, debug_locks = 1\\n2 locks held by systemd-modules/293:\\n #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]\\n #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]\\n\\nstack backtrace:\\nCPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\nCall Trace:\\n \\n dump_stack_lvl+0x8a/0xa0\\n lockdep_rcu_suspicious+0x154/0x1a0\\n mlx5e_selq_apply+0x94/0xa0 [mlx5_core]\\n mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]\\n mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]\\n mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]\\n rdma_init_netdev+0x4e/0x80 [ib_core]\\n ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]\\n ipoib_intf_init+0x64/0x550 [ib_ipoib]\\n ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]\\n ipoib_add_one+0xb0/0x360 [ib_ipoib]\\n add_client_context+0x112/0x1c0 [ib_core]\\n ib_register_client+0x166/0x1b0 [ib_core]\\n ? 0xffffffffa0573000\\n ipoib_init_module+0xeb/0x1a0 [ib_ipoib]\\n do_one_initcall+0x61/0x250\\n do_init_module+0x8a/0x270\\n init_module_from_file+0x8b/0xd0\\n idempotent_init_module+0x17d/0x230\\n __x64_sys_finit_module+0x61/0xb0\\n do_syscall_64+0x71/0x140\\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35959\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35960", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35960" + }, + { + "url": "https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423" + }, + { + "url": "https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f" + }, + { + "url": "https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801" + }, + { + "url": "https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0" + }, + { + "url": "https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64" + }, + { + "url": "https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453" + }, + { + "url": "https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d" + }, + { + "url": "https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35960 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35960", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Properly link new fs rules into the tree\n\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\n\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node->parent is != NULL.\n\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which lead to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\n\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35960\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35960\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35960\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35960\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35960\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423\",\n \"https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f\",\n \"https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801\",\n \"https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0\",\n \"https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64\",\n \"https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453\",\n \"https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d\",\n \"https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Properly link new fs rules into the tree\\n\\nPreviously, add_rule_fg would only add newly created rules from the\\nhandle into the tree when they had a refcount of 1. On the other hand,\\ncreate_flow_handle tries hard to find and reference already existing\\nidentical rules instead of creating new ones.\\n\\nThese two behaviors can result in a situation where create_flow_handle\\n1) creates a new rule and references it, then\\n2) in a subsequent step during the same handle creation references it\\n again,\\nresulting in a rule with a refcount of 2 that is not linked into the\\ntree, will have a NULL parent and root and will result in a crash when\\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\\ndeletion, assumes node->parent is != NULL.\\n\\nThis happened in the wild, due to another bug related to incorrect\\nhandling of duplicate pkt_reformat ids, which lead to the code in\\ncreate_flow_handle incorrectly referencing a just-added rule in the same\\nflow handle, resulting in the problem described above. Full details are\\nat [1].\\n\\nThis patch changes add_rule_fg to add new rules without parents into\\nthe tree, properly initializing them and avoiding the crash. This makes\\nit more consistent with how rules are added to an FTE in\\ncreate_flow_handle.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.1,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35960\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35965", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35965" + }, + { + "url": "https://git.kernel.org/stable/c/4f3951242ace5efc7131932e2e01e6ac6baed846" + }, + { + "url": "https://git.kernel.org/stable/c/8ee0c132a61df9723813c40e742dc5321824daa9" + }, + { + "url": "https://git.kernel.org/stable/c/9d42f373391211c7c8af66a3a316533a32b8a607" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35965 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35965", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix not validating setsockopt user input\n\nCheck user input length before copying data.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35965\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35965\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35965\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35965\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35965\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4f3951242ace5efc7131932e2e01e6ac6baed846\",\n \"https://git.kernel.org/stable/c/8ee0c132a61df9723813c40e742dc5321824daa9\",\n \"https://git.kernel.org/stable/c/9d42f373391211c7c8af66a3a316533a32b8a607\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: L2CAP: Fix not validating setsockopt user input\\n\\nCheck user input length before copying data.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35965\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35966", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35966" + }, + { + "url": "https://git.kernel.org/stable/c/4ea65e2095e9bd151d0469328dd7fc2858feb546" + }, + { + "url": "https://git.kernel.org/stable/c/a97de7bff13b1cc825c1b1344eaed8d6c2d3e695" + }, + { + "url": "https://git.kernel.org/stable/c/c3f787a3eafe519c93df9abbb0ca5145861c8d0f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35966 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35966", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: Fix not validating setsockopt user input\n\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\nnet/bluetooth/rfcomm/sock.c:632 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\nnet/bluetooth/rfcomm/sock.c:673\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35966\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35966\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35966\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35966\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35966\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4ea65e2095e9bd151d0469328dd7fc2858feb546\",\n \"https://git.kernel.org/stable/c/a97de7bff13b1cc825c1b1344eaed8d6c2d3e695\",\n \"https://git.kernel.org/stable/c/c3f787a3eafe519c93df9abbb0ca5145861c8d0f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: RFCOMM: Fix not validating setsockopt user input\\n\\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\\nchecking user input length.\\n\\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\\ninclude/linux/sockptr.h:49 [inline]\\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\\ninclude/linux/sockptr.h:55 [inline]\\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\\nnet/bluetooth/rfcomm/sock.c:632 [inline]\\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\\nnet/bluetooth/rfcomm/sock.c:673\\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35966\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35967", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35967" + }, + { + "url": "https://git.kernel.org/stable/c/419a0ffca7010216f0fc265b08558d7394fa0ba7" + }, + { + "url": "https://git.kernel.org/stable/c/51eda36d33e43201e7a4fd35232e069b2c850b01" + }, + { + "url": "https://git.kernel.org/stable/c/72473db90900da970a16ee50ad23c2c38d107d8c" + }, + { + "url": "https://git.kernel.org/stable/c/7bc65d23ba20dcd7ecc094a12c181e594e5eb315" + }, + { + "url": "https://git.kernel.org/stable/c/b0e30c37695b614bee69187f86eaf250e36606ce" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35967 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35967", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix not validating setsockopt user input\n\nsyzbot reported sco_sock_setsockopt() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\nnet/bluetooth/sco.c:893\nRead of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35967\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35967\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35967\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35967\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35967\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/419a0ffca7010216f0fc265b08558d7394fa0ba7\",\n \"https://git.kernel.org/stable/c/51eda36d33e43201e7a4fd35232e069b2c850b01\",\n \"https://git.kernel.org/stable/c/72473db90900da970a16ee50ad23c2c38d107d8c\",\n \"https://git.kernel.org/stable/c/7bc65d23ba20dcd7ecc094a12c181e594e5eb315\",\n \"https://git.kernel.org/stable/c/b0e30c37695b614bee69187f86eaf250e36606ce\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: SCO: Fix not validating setsockopt user input\\n\\nsyzbot reported sco_sock_setsockopt() is copying data without\\nchecking user input length.\\n\\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\\ninclude/linux/sockptr.h:49 [inline]\\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\\ninclude/linux/sockptr.h:55 [inline]\\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\\nnet/bluetooth/sco.c:893\\nRead of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35967\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35969", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35969" + }, + { + "url": "https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652" + }, + { + "url": "https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70" + }, + { + "url": "https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb" + }, + { + "url": "https://git.kernel.org/stable/c/6cdb20c342cd0193d3e956e3d83981d0f438bb83" + }, + { + "url": "https://git.kernel.org/stable/c/7633c4da919ad51164acbf1aa322cc1a3ead6129" + }, + { + "url": "https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1" + }, + { + "url": "https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903" + }, + { + "url": "https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35969 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35969", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\n\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\n\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\n\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\n\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n reference count drops to zero and kfree_rcu is scheduled.\n\n3. ipv6_get_ifaddr continues and tries to increments the reference count\n (in6_ifa_hold).\n\n4. The rcu is unlocked and the entry is freed.\n\n5. The freed entry is returned.\n\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\n\n[ 41.506330] refcount_t: addition on 0; use-after-free.\n[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[ 41.507413] Modules linked in: veth bridge stp llc\n[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 41.516799] Call Trace:\n[ 41.517037] \n[ 41.517249] ? __warn+0x7b/0x120\n[ 41.517535] ? refcount_warn_saturate+0xa5/0x130\n[ 41.517923] ? report_bug+0x164/0x190\n[ 41.518240] ? handle_bug+0x3d/0x70\n[ 41.518541] ? exc_invalid_op+0x17/0x70\n[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20\n[ 41.521325] ? refcount_warn_saturate+0xa5/0x130\n[ 41.521708] ipv6_get_ifaddr+0xda/0xe0\n[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0\n[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0\n[ 41.523102] ? netlink_unicast+0x30f/0x390\n[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 41.523832] netlink_rcv_skb+0x53/0x100\n[ 41.524157] netlink_unicast+0x23b/0x390\n[ 41.524484] netlink_sendmsg+0x1f2/0x440\n[ 41.524826] __sys_sendto+0x1d8/0x1f0\n[ 41.525145] __x64_sys_sendto+0x1f/0x30\n[ 41.525467] do_syscall_64+0xa5/0x1b0\n[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[ 41.526213] RIP: 0033:0x7fbc4cfcea9a\n[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[ 41.527942] RSP: 002b:00007f\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35969\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35969\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35969\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35969\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35969\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652\",\n \"https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70\",\n \"https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb\",\n \"https://git.kernel.org/stable/c/6cdb20c342cd0193d3e956e3d83981d0f438bb83\",\n \"https://git.kernel.org/stable/c/7633c4da919ad51164acbf1aa322cc1a3ead6129\",\n \"https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1\",\n \"https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903\",\n \"https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\\n\\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\\nstill means hlist_for_each_entry_rcu can return an item that got removed\\nfrom the list. The memory itself of such item is not freed thanks to RCU\\nbut nothing guarantees the actual content of the memory is sane.\\n\\nIn particular, the reference count can be zero. This can happen if\\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\\ntiming, this can happen:\\n\\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\\n\\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\\n reference count drops to zero and kfree_rcu is scheduled.\\n\\n3. ipv6_get_ifaddr continues and tries to increments the reference count\\n (in6_ifa_hold).\\n\\n4. The rcu is unlocked and the entry is freed.\\n\\n5. The freed entry is returned.\\n\\nPrevent increasing of the reference count in such case. The name\\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\\n\\n[ 41.506330] refcount_t: addition on 0; use-after-free.\\n[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\\n[ 41.507413] Modules linked in: veth bridge stp llc\\n[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\\n[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\\n[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\\n[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\\n[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\\n[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\\n[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\\n[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\\n[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\\n[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\\n[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\\n[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\\n[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 41.516799] Call Trace:\\n[ 41.517037] \\n[ 41.517249] ? __warn+0x7b/0x120\\n[ 41.517535] ? refcount_warn_saturate+0xa5/0x130\\n[ 41.517923] ? report_bug+0x164/0x190\\n[ 41.518240] ? handle_bug+0x3d/0x70\\n[ 41.518541] ? exc_invalid_op+0x17/0x70\\n[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20\\n[ 41.521325] ? refcount_warn_saturate+0xa5/0x130\\n[ 41.521708] ipv6_get_ifaddr+0xda/0xe0\\n[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0\\n[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10\\n[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0\\n[ 41.523102] ? netlink_unicast+0x30f/0x390\\n[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\\n[ 41.523832] netlink_rcv_skb+0x53/0x100\\n[ 41.524157] netlink_unicast+0x23b/0x390\\n[ 41.524484] netlink_sendmsg+0x1f2/0x440\\n[ 41.524826] __sys_sendto+0x1d8/0x1f0\\n[ 41.525145] __x64_sys_sendto+0x1f/0x30\\n[ 41.525467] do_syscall_64+0xa5/0x1b0\\n[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a\\n[ 41.526213] RIP: 0033:0x7fbc4cfcea9a\\n[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\\n[ 41.527942] RSP: 002b:00007f\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35969\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35970", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35970" + }, + { + "url": "https://git.kernel.org/stable/c/601a89ea24d05089debfa2dc896ea9f5937ac7a6" + }, + { + "url": "https://git.kernel.org/stable/c/698a95ade1a00e6494482046902b986dfffd1caf" + }, + { + "url": "https://git.kernel.org/stable/c/84a352b7eba1142a95441380058985ff19f25ec9" + }, + { + "url": "https://git.kernel.org/stable/c/b46f4eaa4f0ec38909fb0072eea3aeddb32f954e" + }, + { + "url": "https://git.kernel.org/stable/c/b4bc99d04c689b5652665394ae8d3e02fb754153" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35970 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35970", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Clear stale u->oob_skb.\n\nsyzkaller started to report deadlock of unix_gc_lock after commit\n4090fa373f0e (\"af_unix: Replace garbage collection algorithm.\"), but\nit just uncovers the bug that has been there since commit 314001f0bf92\n(\"af_unix: Add OOB support\").\n\nThe repro basically does the following.\n\n from socket import *\n from array import array\n\n c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)\n c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array(\"i\", [c2.fileno()]))], MSG_OOB)\n c2.recv(1) # blocked as no normal data in recv queue\n\n c2.close() # done async and unblock recv()\n c1.close() # done async and trigger GC\n\nA socket sends its file descriptor to itself as OOB data and tries to\nreceive normal data, but finally recv() fails due to async close().\n\nThe problem here is wrong handling of OOB skb in manage_oob(). When\nrecvmsg() is called without MSG_OOB, manage_oob() is called to check\nif the peeked skb is OOB skb. In such a case, manage_oob() pops it\nout of the receive queue but does not clear unix_sock(sk)->oob_skb.\nThis is wrong in terms of uAPI.\n\nLet's say we send \"hello\" with MSG_OOB, and \"world\" without MSG_OOB.\nThe 'o' is handled as OOB data. When recv() is called twice without\nMSG_OOB, the OOB data should be lost.\n\n >>> from socket import *\n >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0)\n >>> c1.send(b'hello', MSG_OOB) # 'o' is OOB data\n 5\n >>> c1.send(b'world')\n 5\n >>> c2.recv(5) # OOB data is not received\n b'hell'\n >>> c2.recv(5) # OOB date is skipped\n b'world'\n >>> c2.recv(5, MSG_OOB) # This should return an error\n b'o'\n\nIn the same situation, TCP actually returns -EINVAL for the last\nrecv().\n\nAlso, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always set\nEPOLLPRI even though the data has passed through by previous recv().\n\nTo avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing\nit from recv queue.\n\nThe reason why the old GC did not trigger the deadlock is because the\nold GC relied on the receive queue to detect the loop.\n\nWhen it is triggered, the socket with OOB data is marked as GC candidate\nbecause file refcount == inflight count (1). However, after traversing\nall inflight sockets, the socket still has a positive inflight count (1),\nthus the socket is excluded from candidates. Then, the old GC lose the\nchance to garbage-collect the socket.\n\nWith the old GC, the repro continues to create true garbage that will\nnever be freed nor detected by kmemleak as it's linked to the global\ninflight list. That's why we couldn't even notice the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35970\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35970\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35970\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35970\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35970\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/601a89ea24d05089debfa2dc896ea9f5937ac7a6\",\n \"https://git.kernel.org/stable/c/698a95ade1a00e6494482046902b986dfffd1caf\",\n \"https://git.kernel.org/stable/c/84a352b7eba1142a95441380058985ff19f25ec9\",\n \"https://git.kernel.org/stable/c/b46f4eaa4f0ec38909fb0072eea3aeddb32f954e\",\n \"https://git.kernel.org/stable/c/b4bc99d04c689b5652665394ae8d3e02fb754153\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Clear stale u->oob_skb.\\n\\nsyzkaller started to report deadlock of unix_gc_lock after commit\\n4090fa373f0e (\\\"af_unix: Replace garbage collection algorithm.\\\"), but\\nit just uncovers the bug that has been there since commit 314001f0bf92\\n(\\\"af_unix: Add OOB support\\\").\\n\\nThe repro basically does the following.\\n\\n from socket import *\\n from array import array\\n\\n c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)\\n c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array(\\\"i\\\", [c2.fileno()]))], MSG_OOB)\\n c2.recv(1) # blocked as no normal data in recv queue\\n\\n c2.close() # done async and unblock recv()\\n c1.close() # done async and trigger GC\\n\\nA socket sends its file descriptor to itself as OOB data and tries to\\nreceive normal data, but finally recv() fails due to async close().\\n\\nThe problem here is wrong handling of OOB skb in manage_oob(). When\\nrecvmsg() is called without MSG_OOB, manage_oob() is called to check\\nif the peeked skb is OOB skb. In such a case, manage_oob() pops it\\nout of the receive queue but does not clear unix_sock(sk)->oob_skb.\\nThis is wrong in terms of uAPI.\\n\\nLet's say we send \\\"hello\\\" with MSG_OOB, and \\\"world\\\" without MSG_OOB.\\nThe 'o' is handled as OOB data. When recv() is called twice without\\nMSG_OOB, the OOB data should be lost.\\n\\n >>> from socket import *\\n >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0)\\n >>> c1.send(b'hello', MSG_OOB) # 'o' is OOB data\\n 5\\n >>> c1.send(b'world')\\n 5\\n >>> c2.recv(5) # OOB data is not received\\n b'hell'\\n >>> c2.recv(5) # OOB date is skipped\\n b'world'\\n >>> c2.recv(5, MSG_OOB) # This should return an error\\n b'o'\\n\\nIn the same situation, TCP actually returns -EINVAL for the last\\nrecv().\\n\\nAlso, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always set\\nEPOLLPRI even though the data has passed through by previous recv().\\n\\nTo avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing\\nit from recv queue.\\n\\nThe reason why the old GC did not trigger the deadlock is because the\\nold GC relied on the receive queue to detect the loop.\\n\\nWhen it is triggered, the socket with OOB data is marked as GC candidate\\nbecause file refcount == inflight count (1). However, after traversing\\nall inflight sockets, the socket still has a positive inflight count (1),\\nthus the socket is excluded from candidates. Then, the old GC lose the\\nchance to garbage-collect the socket.\\n\\nWith the old GC, the repro continues to create true garbage that will\\nnever be freed nor detected by kmemleak as it's linked to the global\\ninflight list. That's why we couldn't even notice the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35970\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35971", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35971" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540" + }, + { + "url": "https://git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b" + }, + { + "url": "https://git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f" + }, + { + "url": "https://git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35971 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35971", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Handle softirqs at the end of IRQ thread to fix hang\n\nThe ks8851_irq() thread may call ks8851_rx_pkts() in case there are\nany packets in the MAC FIFO, which calls netif_rx(). This netif_rx()\nimplementation is guarded by local_bh_disable() and local_bh_enable().\nThe local_bh_enable() may call do_softirq() to run softirqs in case\nany are pending. One of the softirqs is net_rx_action, which ultimately\nreaches the driver .start_xmit callback. If that happens, the system\nhangs. The entire call chain is below:\n\nks8851_start_xmit_par from netdev_start_xmit\nnetdev_start_xmit from dev_hard_start_xmit\ndev_hard_start_xmit from sch_direct_xmit\nsch_direct_xmit from __dev_queue_xmit\n__dev_queue_xmit from __neigh_update\n__neigh_update from neigh_update\nneigh_update from arp_process.constprop.0\narp_process.constprop.0 from __netif_receive_skb_one_core\n__netif_receive_skb_one_core from process_backlog\nprocess_backlog from __napi_poll.constprop.0\n__napi_poll.constprop.0 from net_rx_action\nnet_rx_action from __do_softirq\n__do_softirq from call_with_stack\ncall_with_stack from do_softirq\ndo_softirq from __local_bh_enable_ip\n__local_bh_enable_ip from netif_rx\nnetif_rx from ks8851_irq\nks8851_irq from irq_thread_fn\nirq_thread_fn from irq_thread\nirq_thread from kthread\nkthread from ret_from_fork\n\nThe hang happens because ks8851_irq() first locks a spinlock in\nks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)\nand with that spinlock locked, calls netif_rx(). Once the execution\nreaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again\nwhich attempts to claim the already locked spinlock again, and the\nhang happens.\n\nMove the do_softirq() call outside of the spinlock protected section\nof ks8851_irq() by disabling BHs around the entire spinlock protected\nsection of ks8851_irq() handler. Place local_bh_enable() outside of\nthe spinlock protected section, so that it can trigger do_softirq()\nwithout the ks8851_par.c ks8851_lock_par() spinlock being held, and\nsafely call ks8851_start_xmit_par() without attempting to lock the\nalready locked spinlock.\n\nSince ks8851_irq() is protected by local_bh_disable()/local_bh_enable()\nnow, replace netif_rx() with __netif_rx() which is not duplicating the\nlocal_bh_disable()/local_bh_enable() calls.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35971\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35971\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35971\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35971\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35971\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540\",\n \"https://git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b\",\n \"https://git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f\",\n \"https://git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ks8851: Handle softirqs at the end of IRQ thread to fix hang\\n\\nThe ks8851_irq() thread may call ks8851_rx_pkts() in case there are\\nany packets in the MAC FIFO, which calls netif_rx(). This netif_rx()\\nimplementation is guarded by local_bh_disable() and local_bh_enable().\\nThe local_bh_enable() may call do_softirq() to run softirqs in case\\nany are pending. One of the softirqs is net_rx_action, which ultimately\\nreaches the driver .start_xmit callback. If that happens, the system\\nhangs. The entire call chain is below:\\n\\nks8851_start_xmit_par from netdev_start_xmit\\nnetdev_start_xmit from dev_hard_start_xmit\\ndev_hard_start_xmit from sch_direct_xmit\\nsch_direct_xmit from __dev_queue_xmit\\n__dev_queue_xmit from __neigh_update\\n__neigh_update from neigh_update\\nneigh_update from arp_process.constprop.0\\narp_process.constprop.0 from __netif_receive_skb_one_core\\n__netif_receive_skb_one_core from process_backlog\\nprocess_backlog from __napi_poll.constprop.0\\n__napi_poll.constprop.0 from net_rx_action\\nnet_rx_action from __do_softirq\\n__do_softirq from call_with_stack\\ncall_with_stack from do_softirq\\ndo_softirq from __local_bh_enable_ip\\n__local_bh_enable_ip from netif_rx\\nnetif_rx from ks8851_irq\\nks8851_irq from irq_thread_fn\\nirq_thread_fn from irq_thread\\nirq_thread from kthread\\nkthread from ret_from_fork\\n\\nThe hang happens because ks8851_irq() first locks a spinlock in\\nks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)\\nand with that spinlock locked, calls netif_rx(). Once the execution\\nreaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again\\nwhich attempts to claim the already locked spinlock again, and the\\nhang happens.\\n\\nMove the do_softirq() call outside of the spinlock protected section\\nof ks8851_irq() by disabling BHs around the entire spinlock protected\\nsection of ks8851_irq() handler. Place local_bh_enable() outside of\\nthe spinlock protected section, so that it can trigger do_softirq()\\nwithout the ks8851_par.c ks8851_lock_par() spinlock being held, and\\nsafely call ks8851_start_xmit_par() without attempting to lock the\\nalready locked spinlock.\\n\\nSince ks8851_irq() is protected by local_bh_disable()/local_bh_enable()\\nnow, replace netif_rx() with __netif_rx() which is not duplicating the\\nlocal_bh_disable()/local_bh_enable() calls.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35971\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35973", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35973" + }, + { + "url": "https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915" + }, + { + "url": "https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e" + }, + { + "url": "https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852" + }, + { + "url": "https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79" + }, + { + "url": "https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536" + }, + { + "url": "https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670" + }, + { + "url": "https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c" + }, + { + "url": "https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35973 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35973", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n packet_snd net/packet/af_packet.c:3024 [inline]\n packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35973\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35973\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35973\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35973\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35973\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915\",\n \"https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e\",\n \"https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852\",\n \"https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79\",\n \"https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536\",\n \"https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670\",\n \"https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c\",\n \"https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngeneve: fix header validation in geneve[6]_xmit_skb\\n\\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\\n\\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\\nskb->protocol.\\n\\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\\npskb_inet_may_pull() does nothing at all.\\n\\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\\nthe network header might not point to the correct location, and skb\\nlinear part could be smaller than expected.\\n\\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\\n\\nUse this in geneve for the moment, I suspect we need to adopt this\\nmore broadly.\\n\\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\\n - Only call __vlan_get_protocol() for vlan types.\\n\\nv2,v3 - Addressed Sabrina comments on v1 and v2\\n\\n[1]\\n\\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\\n geneve_xmit_skb drivers/net/geneve.c:910 [inline]\\n geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\\n xmit_one net/core/dev.c:3531 [inline]\\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\\n __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\\n packet_snd net/packet/af_packet.c:3081 [inline]\\n packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\\n __sys_sendto+0x685/0x830 net/socket.c:2191\\n __do_sys_sendto net/socket.c:2203 [inline]\\n __se_sys_sendto net/socket.c:2199 [inline]\\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3804 [inline]\\n slab_alloc_node mm/slub.c:3845 [inline]\\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\\n alloc_skb include/linux/skbuff.h:1318 [inline]\\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\\n packet_alloc_skb net/packet/af_packet.c:2930 [inline]\\n packet_snd net/packet/af_packet.c:3024 [inline]\\n packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\\n __sys_sendto+0x685/0x830 net/socket.c:2191\\n __do_sys_sendto net/socket.c:2203 [inline]\\n __se_sys_sendto net/socket.c:2199 [inline]\\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35973\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35976", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35976" + }, + { + "url": "https://git.kernel.org/stable/c/0b45c25d60e38f5c2cb6823f886773a34323306d" + }, + { + "url": "https://git.kernel.org/stable/c/237f3cf13b20db183d3706d997eedc3c49eacd44" + }, + { + "url": "https://git.kernel.org/stable/c/2a523f14a3f53b46ff0e1fafd215b0bc5f6783aa" + }, + { + "url": "https://git.kernel.org/stable/c/2eb979fbb2479bcd7e049f2f9978b6590dd8a0e6" + }, + { + "url": "https://git.kernel.org/stable/c/a82984b3c6a7e8c7937dba6e857ddf829d149417" + }, + { + "url": "https://git.kernel.org/stable/c/b143e19dc28c3211f050f7848d87d9b0a170e10c" + }, + { + "url": "https://git.kernel.org/stable/c/beb99266830520e15fbc6ca8cc5a5240d76851fd" + }, + { + "url": "https://git.kernel.org/stable/c/f0a068de65d5b7358e9aff792716afa9333f3922" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35976 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35976", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\n\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\n\nMake sure to validate setsockopt() @optlen parameter.\n\n[1]\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\n\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n \n\nAllocated by task 7549:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:3966 [inline]\n __kmalloc+0x233/0x4a0 mm/slub.c:3979\n kmalloc include/linux/slab.h:632 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\n\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n set_page_owner include/linux/page_owner.h:31 [inline]\n post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n prep_new_page mm/page_alloc.c:\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35976\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35976\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35976\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35976\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35976\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b45c25d60e38f5c2cb6823f886773a34323306d\",\n \"https://git.kernel.org/stable/c/237f3cf13b20db183d3706d997eedc3c49eacd44\",\n \"https://git.kernel.org/stable/c/2a523f14a3f53b46ff0e1fafd215b0bc5f6783aa\",\n \"https://git.kernel.org/stable/c/2eb979fbb2479bcd7e049f2f9978b6590dd8a0e6\",\n \"https://git.kernel.org/stable/c/a82984b3c6a7e8c7937dba6e857ddf829d149417\",\n \"https://git.kernel.org/stable/c/b143e19dc28c3211f050f7848d87d9b0a170e10c\",\n \"https://git.kernel.org/stable/c/beb99266830520e15fbc6ca8cc5a5240d76851fd\",\n \"https://git.kernel.org/stable/c/f0a068de65d5b7358e9aff792716afa9333f3922\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\\n\\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\\n\\nMake sure to validate setsockopt() @optlen parameter.\\n\\n[1]\\n\\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\\n\\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\\n __do_sys_setsockopt net/socket.c:2343 [inline]\\n __se_sys_setsockopt net/socket.c:2340 [inline]\\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\\n do_syscall_64+0xfb/0x240\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\nRIP: 0033:0x7fb40587de69\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\\n \\n\\nAllocated by task 7549:\\n kasan_save_stack mm/kasan/common.c:47 [inline]\\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\\n kasan_kmalloc include/linux/kasan.h:211 [inline]\\n __do_kmalloc_node mm/slub.c:3966 [inline]\\n __kmalloc+0x233/0x4a0 mm/slub.c:3979\\n kmalloc include/linux/slab.h:632 [inline]\\n __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\\n __do_sys_setsockopt net/socket.c:2343 [inline]\\n __se_sys_setsockopt net/socket.c:2340 [inline]\\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\\n do_syscall_64+0xfb/0x240\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nThe buggy address belongs to the object at ffff888028c6cde0\\n which belongs to the cache kmalloc-8 of size 8\\nThe buggy address is located 1 bytes to the right of\\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\\n\\nThe buggy address belongs to the physical page:\\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\\npage_type: 0xffffffff()\\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\\npage dumped because: kasan: bad access detected\\npage_owner tracks the page as allocated\\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\\n set_page_owner include/linux/page_owner.h:31 [inline]\\n post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\\n prep_new_page mm/page_alloc.c:\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 6.7,\n \"exploitabilityScore\": 1.4,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35976\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35978", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35978" + }, + { + "url": "https://git.kernel.org/stable/c/45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810" + }, + { + "url": "https://git.kernel.org/stable/c/4beab84fbb50df3be1d8f8a976e6fe882ca65cb2" + }, + { + "url": "https://git.kernel.org/stable/c/66fab1e120b39f8f47a94186ddee36006fc02ca8" + }, + { + "url": "https://git.kernel.org/stable/c/75193678cce993aa959e7764b6df2f599886dd06" + }, + { + "url": "https://git.kernel.org/stable/c/8478394f76c748862ef179a16f651f752bdafaf0" + }, + { + "url": "https://git.kernel.org/stable/c/89a32741f4217856066c198a4a7267bcdd1edd67" + }, + { + "url": "https://git.kernel.org/stable/c/9ab5e44b9bac946bd49fd63264a08cd1ea494e76" + }, + { + "url": "https://git.kernel.org/stable/c/e4cb8382fff6706436b66eafd9c0ee857ff0a9f5" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35978 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35978", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix memory leak in hci_req_sync_complete()\n\nIn 'hci_req_sync_complete()', always free the previous sync\nrequest state before assigning reference to a new one.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35978\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35978\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35978\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35978\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35978\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810\",\n \"https://git.kernel.org/stable/c/4beab84fbb50df3be1d8f8a976e6fe882ca65cb2\",\n \"https://git.kernel.org/stable/c/66fab1e120b39f8f47a94186ddee36006fc02ca8\",\n \"https://git.kernel.org/stable/c/75193678cce993aa959e7764b6df2f599886dd06\",\n \"https://git.kernel.org/stable/c/8478394f76c748862ef179a16f651f752bdafaf0\",\n \"https://git.kernel.org/stable/c/89a32741f4217856066c198a4a7267bcdd1edd67\",\n \"https://git.kernel.org/stable/c/9ab5e44b9bac946bd49fd63264a08cd1ea494e76\",\n \"https://git.kernel.org/stable/c/e4cb8382fff6706436b66eafd9c0ee857ff0a9f5\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: Fix memory leak in hci_req_sync_complete()\\n\\nIn 'hci_req_sync_complete()', always free the previous sync\\nrequest state before assigning reference to a new one.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35978\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35979", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35979" + }, + { + "url": "https://git.kernel.org/stable/c/3f28d49a328fe20926995d5fbdc92da665596268" + }, + { + "url": "https://git.kernel.org/stable/c/f423f41b7679c09abb26d2bd54be5cbef23c9446" + }, + { + "url": "https://git.kernel.org/stable/c/fcf3f7e2fc8a53a6140beee46ec782a4c88e4744" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35979 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35979", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nraid1: fix use-after-free for original bio in raid1_write_request()\n\nr1_bio->bios[] is used to record new bios that will be issued to\nunderlying disks, however, in raid1_write_request(), r1_bio->bios[]\nwill set to the original bio temporarily. Meanwhile, if blocked rdev\nis set, free_r1bio() will be called causing that all r1_bio->bios[]\nto be freed:\n\nraid1_write_request()\n r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL\n for (i = 0; i < disks; i++) -> for each rdev in conf\n // first rdev is normal\n r1_bio->bios[0] = bio; -> set to original bio\n // second rdev is blocked\n if (test_bit(Blocked, &rdev->flags))\n break\n\n if (blocked_rdev)\n free_r1bio()\n put_all_bios()\n bio_put(r1_bio->bios[0]) -> original bio is freed\n\nTest scripts:\n\nmdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean\nfio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \\\n -iodepth=128 -name=test -direct=1\necho blocked > /sys/block/md0/md/rd2/state\n\nTest result:\n\nBUG bio-264 (Not tainted): Object already free\n-----------------------------------------------------------------------------\n\nAllocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869\n kmem_cache_alloc+0x324/0x480\n mempool_alloc_slab+0x24/0x50\n mempool_alloc+0x6e/0x220\n bio_alloc_bioset+0x1af/0x4d0\n blkdev_direct_IO+0x164/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n io_submit_one+0x5ca/0xb70\n __do_sys_io_submit+0x86/0x270\n __x64_sys_io_submit+0x22/0x30\n do_syscall_64+0xb1/0x210\n entry_SYSCALL_64_after_hwframe+0x6c/0x74\nFreed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869\n kmem_cache_free+0x28c/0x550\n mempool_free_slab+0x1f/0x30\n mempool_free+0x40/0x100\n bio_free+0x59/0x80\n bio_put+0xf0/0x220\n free_r1bio+0x74/0xb0\n raid1_make_request+0xadf/0x1150\n md_handle_request+0xc7/0x3b0\n md_submit_bio+0x76/0x130\n __submit_bio+0xd8/0x1d0\n submit_bio_noacct_nocheck+0x1eb/0x5c0\n submit_bio_noacct+0x169/0xd40\n submit_bio+0xee/0x1d0\n blkdev_direct_IO+0x322/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n\nSince that bios for underlying disks are not allocated yet, fix this\nproblem by using mempool_free() directly to free the r1_bio.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35979\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35979\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35979\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35979\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35979\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f28d49a328fe20926995d5fbdc92da665596268\",\n \"https://git.kernel.org/stable/c/f423f41b7679c09abb26d2bd54be5cbef23c9446\",\n \"https://git.kernel.org/stable/c/fcf3f7e2fc8a53a6140beee46ec782a4c88e4744\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nraid1: fix use-after-free for original bio in raid1_write_request()\\n\\nr1_bio->bios[] is used to record new bios that will be issued to\\nunderlying disks, however, in raid1_write_request(), r1_bio->bios[]\\nwill set to the original bio temporarily. Meanwhile, if blocked rdev\\nis set, free_r1bio() will be called causing that all r1_bio->bios[]\\nto be freed:\\n\\nraid1_write_request()\\n r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL\\n for (i = 0; i < disks; i++) -> for each rdev in conf\\n // first rdev is normal\\n r1_bio->bios[0] = bio; -> set to original bio\\n // second rdev is blocked\\n if (test_bit(Blocked, &rdev->flags))\\n break\\n\\n if (blocked_rdev)\\n free_r1bio()\\n put_all_bios()\\n bio_put(r1_bio->bios[0]) -> original bio is freed\\n\\nTest scripts:\\n\\nmdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean\\nfio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \\\\\\n -iodepth=128 -name=test -direct=1\\necho blocked > /sys/block/md0/md/rd2/state\\n\\nTest result:\\n\\nBUG bio-264 (Not tainted): Object already free\\n-----------------------------------------------------------------------------\\n\\nAllocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869\\n kmem_cache_alloc+0x324/0x480\\n mempool_alloc_slab+0x24/0x50\\n mempool_alloc+0x6e/0x220\\n bio_alloc_bioset+0x1af/0x4d0\\n blkdev_direct_IO+0x164/0x8a0\\n blkdev_write_iter+0x309/0x440\\n aio_write+0x139/0x2f0\\n io_submit_one+0x5ca/0xb70\\n __do_sys_io_submit+0x86/0x270\\n __x64_sys_io_submit+0x22/0x30\\n do_syscall_64+0xb1/0x210\\n entry_SYSCALL_64_after_hwframe+0x6c/0x74\\nFreed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869\\n kmem_cache_free+0x28c/0x550\\n mempool_free_slab+0x1f/0x30\\n mempool_free+0x40/0x100\\n bio_free+0x59/0x80\\n bio_put+0xf0/0x220\\n free_r1bio+0x74/0xb0\\n raid1_make_request+0xadf/0x1150\\n md_handle_request+0xc7/0x3b0\\n md_submit_bio+0x76/0x130\\n __submit_bio+0xd8/0x1d0\\n submit_bio_noacct_nocheck+0x1eb/0x5c0\\n submit_bio_noacct+0x169/0xd40\\n submit_bio+0xee/0x1d0\\n blkdev_direct_IO+0x322/0x8a0\\n blkdev_write_iter+0x309/0x440\\n aio_write+0x139/0x2f0\\n\\nSince that bios for underlying disks are not allocated yet, fix this\\nproblem by using mempool_free() directly to free the r1_bio.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35979\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35982", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35982" + }, + { + "url": "https://git.kernel.org/stable/c/04720ea2e6c64459a90ca28570ea78335eccd924" + }, + { + "url": "https://git.kernel.org/stable/c/3fe79b2c83461edbbf86ed8a6f3924820ff89259" + }, + { + "url": "https://git.kernel.org/stable/c/4ca2a5fb54ea2cc43edea614207fcede562d91c2" + }, + { + "url": "https://git.kernel.org/stable/c/70a8be9dc2fb65d67f8c1e0c88c587e08e2e575d" + }, + { + "url": "https://git.kernel.org/stable/c/87b6af1a7683e021710c08fc0551fc078346032f" + }, + { + "url": "https://git.kernel.org/stable/c/b1f532a3b1e6d2e5559c7ace49322922637a28aa" + }, + { + "url": "https://git.kernel.org/stable/c/b3ddf6904073990492454b1dd1c10a24be8c74c6" + }, + { + "url": "https://git.kernel.org/stable/c/ca54e2671548616ad34885f90d4f26f7adb088f0" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35982 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35982", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Avoid infinite loop trying to resize local TT\n\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\n\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\n\n batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\n\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\n\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\n\nWhile this should be handled proactively when:\n\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n attached interfaces)\n\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35982\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35982\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35982\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35982\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35982\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04720ea2e6c64459a90ca28570ea78335eccd924\",\n \"https://git.kernel.org/stable/c/3fe79b2c83461edbbf86ed8a6f3924820ff89259\",\n \"https://git.kernel.org/stable/c/4ca2a5fb54ea2cc43edea614207fcede562d91c2\",\n \"https://git.kernel.org/stable/c/70a8be9dc2fb65d67f8c1e0c88c587e08e2e575d\",\n \"https://git.kernel.org/stable/c/87b6af1a7683e021710c08fc0551fc078346032f\",\n \"https://git.kernel.org/stable/c/b1f532a3b1e6d2e5559c7ace49322922637a28aa\",\n \"https://git.kernel.org/stable/c/b3ddf6904073990492454b1dd1c10a24be8c74c6\",\n \"https://git.kernel.org/stable/c/ca54e2671548616ad34885f90d4f26f7adb088f0\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbatman-adv: Avoid infinite loop trying to resize local TT\\n\\nIf the MTU of one of an attached interface becomes too small to transmit\\nthe local translation table then it must be resized to fit inside all\\nfragments (when enabled) or a single packet.\\n\\nBut if the MTU becomes too low to transmit even the header + the VLAN\\nspecific part then the resizing of the local TT will never succeed. This\\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\\non top of batman-adv. In this case, at least 116 byte would be needed.\\nThere will just be an endless spam of\\n\\n batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\\n\\nin the log but the function will never finish. Problem here is that the\\ntimeout will be halved all the time and will then stagnate at 0 and\\ntherefore never be able to reduce the table even more.\\n\\nThere are other scenarios possible with a similar result. The number of\\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\\nhigh to fit inside a packet. Such a scenario can therefore happen also with\\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\\nbytes.\\n\\nWhile this should be handled proactively when:\\n\\n* interface with too low MTU is added\\n* VLAN is added\\n* non-purgeable local mac is added\\n* MTU of an attached interface is reduced\\n* fragmentation setting gets disabled (which most likely requires dropping\\n attached interfaces)\\n\\nnot all of these scenarios can be prevented because batman-adv is only\\nconsuming events without the the possibility to prevent these actions\\n(non-purgable MAC address added, MTU of an attached interface is reduced).\\nIt is therefore necessary to also make sure that the code is able to handle\\nalso the situations when there were already incompatible system\\nconfiguration are present.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.1,\n \"exploitabilityScore\": 1.4,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35982\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35984", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35984" + }, + { + "url": "https://git.kernel.org/stable/c/357c64ef1ef39b1e7cd91ab6bdd304d043702c83" + }, + { + "url": "https://git.kernel.org/stable/c/40f1d79f07b49c8a64a861706e5163f2db4bd95d" + }, + { + "url": "https://git.kernel.org/stable/c/4e75e222d397c6752b229ed72fc4644c8c36ecde" + }, + { + "url": "https://git.kernel.org/stable/c/5a09eae9a7db597fe0c1fc91636205b4a25d2620" + }, + { + "url": "https://git.kernel.org/stable/c/5fd72404587d7db4acb2d241fd8c387afb0a7aec" + }, + { + "url": "https://git.kernel.org/stable/c/91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f" + }, + { + "url": "https://git.kernel.org/stable/c/ad3c3ac7a03be3697114f781193dd3e9d97e6e23" + }, + { + "url": "https://git.kernel.org/stable/c/e3425674ff68dc521c57c6eabad0cbd20a027d85" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35984 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35984", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: smbus: fix NULL function pointer dereference\n\nBaruch reported an OOPS when using the designware controller as target\nonly. Target-only modes break the assumption of one transfer function\nalways being available. Fix this by always checking the pointer in\n__i2c_transfer.\n\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35984\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35984\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35984\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35984\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35984\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/357c64ef1ef39b1e7cd91ab6bdd304d043702c83\",\n \"https://git.kernel.org/stable/c/40f1d79f07b49c8a64a861706e5163f2db4bd95d\",\n \"https://git.kernel.org/stable/c/4e75e222d397c6752b229ed72fc4644c8c36ecde\",\n \"https://git.kernel.org/stable/c/5a09eae9a7db597fe0c1fc91636205b4a25d2620\",\n \"https://git.kernel.org/stable/c/5fd72404587d7db4acb2d241fd8c387afb0a7aec\",\n \"https://git.kernel.org/stable/c/91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f\",\n \"https://git.kernel.org/stable/c/ad3c3ac7a03be3697114f781193dd3e9d97e6e23\",\n \"https://git.kernel.org/stable/c/e3425674ff68dc521c57c6eabad0cbd20a027d85\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: smbus: fix NULL function pointer dereference\\n\\nBaruch reported an OOPS when using the designware controller as target\\nonly. Target-only modes break the assumption of one transfer function\\nalways being available. Fix this by always checking the pointer in\\n__i2c_transfer.\\n\\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35984\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35988", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35988" + }, + { + "url": "https://git.kernel.org/stable/c/04bf2e5f95c1a52e28a7567a507f926efe31c3b6" + }, + { + "url": "https://git.kernel.org/stable/c/4201b8c8f2c32af321fb50867e68ac6c1cbed4be" + }, + { + "url": "https://git.kernel.org/stable/c/52e8a42b11078d2aad4b9ba96503d77c7299168b" + }, + { + "url": "https://git.kernel.org/stable/c/6065e736f82c817c9a597a31ee67f0ce4628e948" + }, + { + "url": "https://git.kernel.org/stable/c/a0f0dbbb1bc49fa0de18e92c36492ff6d804cdaa" + }, + { + "url": "https://git.kernel.org/stable/c/efdcfa554b6eb228943ef1dd4d023c606be647d2" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35988 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35988", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix TASK_SIZE on 64-bit NOMMU\n\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35988\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35988\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35988\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35988\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35988\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04bf2e5f95c1a52e28a7567a507f926efe31c3b6\",\n \"https://git.kernel.org/stable/c/4201b8c8f2c32af321fb50867e68ac6c1cbed4be\",\n \"https://git.kernel.org/stable/c/52e8a42b11078d2aad4b9ba96503d77c7299168b\",\n \"https://git.kernel.org/stable/c/6065e736f82c817c9a597a31ee67f0ce4628e948\",\n \"https://git.kernel.org/stable/c/a0f0dbbb1bc49fa0de18e92c36492ff6d804cdaa\",\n \"https://git.kernel.org/stable/c/efdcfa554b6eb228943ef1dd4d023c606be647d2\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: Fix TASK_SIZE on 64-bit NOMMU\\n\\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\\ncausing spurious failures in the userspace access routines.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35988\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35989", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35989" + }, + { + "url": "https://git.kernel.org/stable/c/023b6390a15a98f9c3aa5e7da78d485d5384a08e" + }, + { + "url": "https://git.kernel.org/stable/c/47533176fdcef17b114a6f688bc872901c1ec6bb" + }, + { + "url": "https://git.kernel.org/stable/c/9edd3aa34d50f27b97be30b2ba4a6af0945ff56b" + }, + { + "url": "https://git.kernel.org/stable/c/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be" + }, + { + "url": "https://git.kernel.org/stable/c/f976eca36cdf94e32fa4f865db0e7c427c9aa33c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35989 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35989", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\n\nDuring the removal of the idxd driver, registered offline callback is\ninvoked as part of the clean up process. However, on systems with only\none CPU online, no valid target is available to migrate the\nperf context, resulting in a kernel oops:\n\n BUG: unable to handle page fault for address: 000000000002a2b8\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1470e1067 P4D 0\n Oops: 0002 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\n Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n RIP: 0010:mutex_lock+0x2e/0x50\n ...\n Call Trace:\n \n __die+0x24/0x70\n page_fault_oops+0x82/0x160\n do_user_addr_fault+0x65/0x6b0\n __pfx___rdmsr_safe_on_cpu+0x10/0x10\n exc_page_fault+0x7d/0x170\n asm_exc_page_fault+0x26/0x30\n mutex_lock+0x2e/0x50\n mutex_lock+0x1e/0x50\n perf_pmu_migrate_context+0x87/0x1f0\n perf_event_cpu_offline+0x76/0x90 [idxd]\n cpuhp_invoke_callback+0xa2/0x4f0\n __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\n cpuhp_thread_fun+0x98/0x150\n smpboot_thread_fn+0x27/0x260\n smpboot_thread_fn+0x1af/0x260\n __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0x103/0x140\n __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nFix the issue by preventing the migration of the perf context to an\ninvalid target.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35989\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35989\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35989\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35989\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35989\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/023b6390a15a98f9c3aa5e7da78d485d5384a08e\",\n \"https://git.kernel.org/stable/c/47533176fdcef17b114a6f688bc872901c1ec6bb\",\n \"https://git.kernel.org/stable/c/9edd3aa34d50f27b97be30b2ba4a6af0945ff56b\",\n \"https://git.kernel.org/stable/c/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be\",\n \"https://git.kernel.org/stable/c/f976eca36cdf94e32fa4f865db0e7c427c9aa33c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\\n\\nDuring the removal of the idxd driver, registered offline callback is\\ninvoked as part of the clean up process. However, on systems with only\\none CPU online, no valid target is available to migrate the\\nperf context, resulting in a kernel oops:\\n\\n BUG: unable to handle page fault for address: 000000000002a2b8\\n #PF: supervisor write access in kernel mode\\n #PF: error_code(0x0002) - not-present page\\n PGD 1470e1067 P4D 0\\n Oops: 0002 [#1] PREEMPT SMP NOPTI\\n CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\\n Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\\n RIP: 0010:mutex_lock+0x2e/0x50\\n ...\\n Call Trace:\\n \\n __die+0x24/0x70\\n page_fault_oops+0x82/0x160\\n do_user_addr_fault+0x65/0x6b0\\n __pfx___rdmsr_safe_on_cpu+0x10/0x10\\n exc_page_fault+0x7d/0x170\\n asm_exc_page_fault+0x26/0x30\\n mutex_lock+0x2e/0x50\\n mutex_lock+0x1e/0x50\\n perf_pmu_migrate_context+0x87/0x1f0\\n perf_event_cpu_offline+0x76/0x90 [idxd]\\n cpuhp_invoke_callback+0xa2/0x4f0\\n __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\\n cpuhp_thread_fun+0x98/0x150\\n smpboot_thread_fn+0x27/0x260\\n smpboot_thread_fn+0x1af/0x260\\n __pfx_smpboot_thread_fn+0x10/0x10\\n kthread+0x103/0x140\\n __pfx_kthread+0x10/0x10\\n ret_from_fork+0x31/0x50\\n __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \\n\\nFix the issue by preventing the migration of the perf context to an\\ninvalid target.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35989\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35990", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35990" + }, + { + "url": "https://git.kernel.org/stable/c/0ccac964520a6f19e355652c8ca38af2a7f27076" + }, + { + "url": "https://git.kernel.org/stable/c/244296cc3a155199a8b080d19e645d7d49081a38" + }, + { + "url": "https://git.kernel.org/stable/c/8bf574183282d219cfa991f7df37aad491d74c11" + }, + { + "url": "https://git.kernel.org/stable/c/8e3c94767cad5150198e4337c8b91f3bb068e14b" + }, + { + "url": "https://git.kernel.org/stable/c/c660be571609e03e7d5972343536a736fcb31557" + }, + { + "url": "https://git.kernel.org/stable/c/fcdd5bb4a8c81c64c1334d7e0aba41a8829a24de" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35990 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35990", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: xilinx_dpdma: Fix locking\n\nThere are several places where either chan->lock or chan->vchan.lock was\nnot held. Add appropriate locking. This fixes lockdep warnings like\n\n[ 31.077578] ------------[ cut here ]------------\n[ 31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.077953] Modules linked in:\n[ 31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98\n[ 31.078102] Hardware name: xlnx,zynqmp (DT)\n[ 31.078169] Workqueue: events_unbound deferred_probe_work_func\n[ 31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0\n[ 31.078550] sp : ffffffc083bb2e10\n[ 31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168\n[ 31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480\n[ 31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000\n[ 31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000\n[ 31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001\n[ 31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def\n[ 31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516\n[ 31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff\n[ 31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000\n[ 31.080307] Call trace:\n[ 31.080340] xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.080518] xilinx_dpdma_issue_pending+0x11c/0x120\n[ 31.080595] zynqmp_disp_layer_update+0x180/0x3ac\n[ 31.080712] zynqmp_dpsub_plane_atomic_update+0x11c/0x21c\n[ 31.080825] drm_atomic_helper_commit_planes+0x20c/0x684\n[ 31.080951] drm_atomic_helper_commit_tail+0x5c/0xb0\n[ 31.081139] commit_tail+0x234/0x294\n[ 31.081246] drm_atomic_helper_commit+0x1f8/0x210\n[ 31.081363] drm_atomic_commit+0x100/0x140\n[ 31.081477] drm_client_modeset_commit_atomic+0x318/0x384\n[ 31.081634] drm_client_modeset_commit_locked+0x8c/0x24c\n[ 31.081725] drm_client_modeset_commit+0x34/0x5c\n[ 31.081812] __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168\n[ 31.081899] drm_fb_helper_set_par+0x50/0x70\n[ 31.081971] fbcon_init+0x538/0xc48\n[ 31.082047] visual_init+0x16c/0x23c\n[ 31.082207] do_bind_con_driver.isra.0+0x2d0/0x634\n[ 31.082320] do_take_over_console+0x24c/0x33c\n[ 31.082429] do_fbcon_takeover+0xbc/0x1b0\n[ 31.082503] fbcon_fb_registered+0x2d0/0x34c\n[ 31.082663] register_framebuffer+0x27c/0x38c\n[ 31.082767] __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c\n[ 31.082939] drm_fb_helper_initial_config+0x50/0x74\n[ 31.083012] drm_fbdev_dma_client_hotplug+0xb8/0x108\n[ 31.083115] drm_client_register+0xa0/0xf4\n[ 31.083195] drm_fbdev_dma_setup+0xb0/0x1cc\n[ 31.083293] zynqmp_dpsub_drm_init+0x45c/0x4e0\n[ 31.083431] zynqmp_dpsub_probe+0x444/0x5e0\n[ 31.083616] platform_probe+0x8c/0x13c\n[ 31.083713] really_probe+0x258/0x59c\n[ 31.083793] __driver_probe_device+0xc4/0x224\n[ 31.083878] driver_probe_device+0x70/0x1c0\n[ 31.083961] __device_attach_driver+0x108/0x1e0\n[ 31.084052] bus_for_each_drv+0x9c/0x100\n[ 31.084125] __device_attach+0x100/0x298\n[ 31.084207] device_initial_probe+0x14/0x20\n[ 31.084292] bus_probe_device+0xd8/0xdc\n[ 31.084368] deferred_probe_work_func+0x11c/0x180\n[ 31.084451] process_one_work+0x3ac/0x988\n[ 31.084643] worker_thread+0x398/0x694\n[ 31.084752] kthread+0x1bc/0x1c0\n[ 31.084848] ret_from_fork+0x10/0x20\n[ 31.084932] irq event stamp: 64549\n[ 31.084970] hardirqs last enabled at (64548): [] _raw_spin_unlock_irqrestore+0x80/0x90\n[ 31.085157]\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35990\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35990\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35990\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35990\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35990\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ccac964520a6f19e355652c8ca38af2a7f27076\",\n \"https://git.kernel.org/stable/c/244296cc3a155199a8b080d19e645d7d49081a38\",\n \"https://git.kernel.org/stable/c/8bf574183282d219cfa991f7df37aad491d74c11\",\n \"https://git.kernel.org/stable/c/8e3c94767cad5150198e4337c8b91f3bb068e14b\",\n \"https://git.kernel.org/stable/c/c660be571609e03e7d5972343536a736fcb31557\",\n \"https://git.kernel.org/stable/c/fcdd5bb4a8c81c64c1334d7e0aba41a8829a24de\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma: xilinx_dpdma: Fix locking\\n\\nThere are several places where either chan->lock or chan->vchan.lock was\\nnot held. Add appropriate locking. This fixes lockdep warnings like\\n\\n[ 31.077578] ------------[ cut here ]------------\\n[ 31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\\n[ 31.077953] Modules linked in:\\n[ 31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98\\n[ 31.078102] Hardware name: xlnx,zynqmp (DT)\\n[ 31.078169] Workqueue: events_unbound deferred_probe_work_func\\n[ 31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[ 31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\\n[ 31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0\\n[ 31.078550] sp : ffffffc083bb2e10\\n[ 31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168\\n[ 31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480\\n[ 31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000\\n[ 31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000\\n[ 31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\\n[ 31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001\\n[ 31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def\\n[ 31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516\\n[ 31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff\\n[ 31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000\\n[ 31.080307] Call trace:\\n[ 31.080340] xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\\n[ 31.080518] xilinx_dpdma_issue_pending+0x11c/0x120\\n[ 31.080595] zynqmp_disp_layer_update+0x180/0x3ac\\n[ 31.080712] zynqmp_dpsub_plane_atomic_update+0x11c/0x21c\\n[ 31.080825] drm_atomic_helper_commit_planes+0x20c/0x684\\n[ 31.080951] drm_atomic_helper_commit_tail+0x5c/0xb0\\n[ 31.081139] commit_tail+0x234/0x294\\n[ 31.081246] drm_atomic_helper_commit+0x1f8/0x210\\n[ 31.081363] drm_atomic_commit+0x100/0x140\\n[ 31.081477] drm_client_modeset_commit_atomic+0x318/0x384\\n[ 31.081634] drm_client_modeset_commit_locked+0x8c/0x24c\\n[ 31.081725] drm_client_modeset_commit+0x34/0x5c\\n[ 31.081812] __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168\\n[ 31.081899] drm_fb_helper_set_par+0x50/0x70\\n[ 31.081971] fbcon_init+0x538/0xc48\\n[ 31.082047] visual_init+0x16c/0x23c\\n[ 31.082207] do_bind_con_driver.isra.0+0x2d0/0x634\\n[ 31.082320] do_take_over_console+0x24c/0x33c\\n[ 31.082429] do_fbcon_takeover+0xbc/0x1b0\\n[ 31.082503] fbcon_fb_registered+0x2d0/0x34c\\n[ 31.082663] register_framebuffer+0x27c/0x38c\\n[ 31.082767] __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c\\n[ 31.082939] drm_fb_helper_initial_config+0x50/0x74\\n[ 31.083012] drm_fbdev_dma_client_hotplug+0xb8/0x108\\n[ 31.083115] drm_client_register+0xa0/0xf4\\n[ 31.083195] drm_fbdev_dma_setup+0xb0/0x1cc\\n[ 31.083293] zynqmp_dpsub_drm_init+0x45c/0x4e0\\n[ 31.083431] zynqmp_dpsub_probe+0x444/0x5e0\\n[ 31.083616] platform_probe+0x8c/0x13c\\n[ 31.083713] really_probe+0x258/0x59c\\n[ 31.083793] __driver_probe_device+0xc4/0x224\\n[ 31.083878] driver_probe_device+0x70/0x1c0\\n[ 31.083961] __device_attach_driver+0x108/0x1e0\\n[ 31.084052] bus_for_each_drv+0x9c/0x100\\n[ 31.084125] __device_attach+0x100/0x298\\n[ 31.084207] device_initial_probe+0x14/0x20\\n[ 31.084292] bus_probe_device+0xd8/0xdc\\n[ 31.084368] deferred_probe_work_func+0x11c/0x180\\n[ 31.084451] process_one_work+0x3ac/0x988\\n[ 31.084643] worker_thread+0x398/0x694\\n[ 31.084752] kthread+0x1bc/0x1c0\\n[ 31.084848] ret_from_fork+0x10/0x20\\n[ 31.084932] irq event stamp: 64549\\n[ 31.084970] hardirqs last enabled at (64548): [] _raw_spin_unlock_irqrestore+0x80/0x90\\n[ 31.085157]\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35990\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35995", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35995" + }, + { + "url": "https://git.kernel.org/stable/c/01fc53be672acae37e611c80cc0b4f3939584de3" + }, + { + "url": "https://git.kernel.org/stable/c/1b890ae474d19800a6be1696df7fb4d9a41676e4" + }, + { + "url": "https://git.kernel.org/stable/c/2f4a4d63a193be6fd530d180bb13c3592052904c" + }, + { + "url": "https://git.kernel.org/stable/c/4949affd5288b867cdf115f5b08d6166b2027f87" + }, + { + "url": "https://git.kernel.org/stable/c/6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1" + }, + { + "url": "https://git.kernel.org/stable/c/6dfd79ed04c578f1d9a9a41ba5b2015cf9f03fc3" + }, + { + "url": "https://git.kernel.org/stable/c/b54c4632946ae42f2b39ed38abd909bbf78cbcc2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35995 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35995", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Use access_width over bit_width for system memory accesses\n\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\ncannot be depended on to be always on a clean 8b boundary. This was\nuncovered on the Cobalt 100 platform.\n\nSError Interrupt on CPU26, code 0xbe000011 -- SError\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n pc : cppc_get_perf_caps+0xec/0x410\n lr : cppc_get_perf_caps+0xe8/0x410\n sp : ffff8000155ab730\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\n Kernel panic - not syncing: Asynchronous SError Interrupt\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\n5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n Call trace:\n dump_backtrace+0x0/0x1e0\n show_stack+0x24/0x30\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n panic+0x16c/0x384\n add_taint+0x0/0xc0\n arm64_serror_panic+0x7c/0x90\n arm64_is_fatal_ras_serror+0x34/0xa4\n do_serror+0x50/0x6c\n el1h_64_error_handler+0x40/0x74\n el1h_64_error+0x7c/0x80\n cppc_get_perf_caps+0xec/0x410\n cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\n cpufreq_online+0x2dc/0xa30\n cpufreq_add_dev+0xc0/0xd4\n subsys_interface_register+0x134/0x14c\n cpufreq_register_driver+0x1b0/0x354\n cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\n do_one_initcall+0x50/0x250\n do_init_module+0x60/0x27c\n load_module+0x2300/0x2570\n __do_sys_finit_module+0xa8/0x114\n __arm64_sys_finit_module+0x2c/0x3c\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x180/0x1a0\n do_el0_svc+0x84/0xa0\n el0_svc+0x2c/0xc0\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n\nInstead, use access_width to determine the size and use the offset and\nwidth to shift and mask the bits to read/write out. Make sure to add a\ncheck for system memory since pcc redefines the access_width to\nsubspace id.\n\nIf access_width is not set, then fall back to using bit_width.\n\n[ rjw: Subject and changelog edits, comment adjustments ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35995\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35995\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35995\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35995\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35995\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01fc53be672acae37e611c80cc0b4f3939584de3\",\n \"https://git.kernel.org/stable/c/1b890ae474d19800a6be1696df7fb4d9a41676e4\",\n \"https://git.kernel.org/stable/c/2f4a4d63a193be6fd530d180bb13c3592052904c\",\n \"https://git.kernel.org/stable/c/4949affd5288b867cdf115f5b08d6166b2027f87\",\n \"https://git.kernel.org/stable/c/6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1\",\n \"https://git.kernel.org/stable/c/6dfd79ed04c578f1d9a9a41ba5b2015cf9f03fc3\",\n \"https://git.kernel.org/stable/c/b54c4632946ae42f2b39ed38abd909bbf78cbcc2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nACPI: CPPC: Use access_width over bit_width for system memory accesses\\n\\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\\ncannot be depended on to be always on a clean 8b boundary. This was\\nuncovered on the Cobalt 100 platform.\\n\\nSError Interrupt on CPU26, code 0xbe000011 -- SError\\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\\n pc : cppc_get_perf_caps+0xec/0x410\\n lr : cppc_get_perf_caps+0xe8/0x410\\n sp : ffff8000155ab730\\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\\n Kernel panic - not syncing: Asynchronous SError Interrupt\\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\\n5.15.2.1-13 #1\\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\\n Call trace:\\n dump_backtrace+0x0/0x1e0\\n show_stack+0x24/0x30\\n dump_stack_lvl+0x8c/0xb8\\n dump_stack+0x18/0x34\\n panic+0x16c/0x384\\n add_taint+0x0/0xc0\\n arm64_serror_panic+0x7c/0x90\\n arm64_is_fatal_ras_serror+0x34/0xa4\\n do_serror+0x50/0x6c\\n el1h_64_error_handler+0x40/0x74\\n el1h_64_error+0x7c/0x80\\n cppc_get_perf_caps+0xec/0x410\\n cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\\n cpufreq_online+0x2dc/0xa30\\n cpufreq_add_dev+0xc0/0xd4\\n subsys_interface_register+0x134/0x14c\\n cpufreq_register_driver+0x1b0/0x354\\n cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\\n do_one_initcall+0x50/0x250\\n do_init_module+0x60/0x27c\\n load_module+0x2300/0x2570\\n __do_sys_finit_module+0xa8/0x114\\n __arm64_sys_finit_module+0x2c/0x3c\\n invoke_syscall+0x78/0x100\\n el0_svc_common.constprop.0+0x180/0x1a0\\n do_el0_svc+0x84/0xa0\\n el0_svc+0x2c/0xc0\\n el0t_64_sync_handler+0xa4/0x12c\\n el0t_64_sync+0x1a4/0x1a8\\n\\nInstead, use access_width to determine the size and use the offset and\\nwidth to shift and mask the bits to read/write out. Make sure to add a\\ncheck for system memory since pcc redefines the access_width to\\nsubspace id.\\n\\nIf access_width is not set, then fall back to using bit_width.\\n\\n[ rjw: Subject and changelog edits, comment adjustments ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35995\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35997", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35997" + }, + { + "url": "https://git.kernel.org/stable/c/0561b65fbd53d3e788c5b0222d9112ca016fd6a1" + }, + { + "url": "https://git.kernel.org/stable/c/21bfca822cfc1e71796124e93b46e0d9fa584401" + }, + { + "url": "https://git.kernel.org/stable/c/29e94f295bad5be59cf4271a93e22cdcf5536722" + }, + { + "url": "https://git.kernel.org/stable/c/418c5575d56410c6e186ab727bf32ae32447d497" + }, + { + "url": "https://git.kernel.org/stable/c/5095b93021b899f54c9355bebf36d78854c33a22" + }, + { + "url": "https://git.kernel.org/stable/c/9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e" + }, + { + "url": "https://git.kernel.org/stable/c/b65fb50e04a95eec34a9d1bc138454a98a5578d8" + }, + { + "url": "https://git.kernel.org/stable/c/c448a9fd50f77e8fb9156ff64848aa4295eb3003" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35997 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35997", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\n\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\n\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\n\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\n\nDelete this unnecessary flag.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35997\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35997\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35997\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35997\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35997\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0561b65fbd53d3e788c5b0222d9112ca016fd6a1\",\n \"https://git.kernel.org/stable/c/21bfca822cfc1e71796124e93b46e0d9fa584401\",\n \"https://git.kernel.org/stable/c/29e94f295bad5be59cf4271a93e22cdcf5536722\",\n \"https://git.kernel.org/stable/c/418c5575d56410c6e186ab727bf32ae32447d497\",\n \"https://git.kernel.org/stable/c/5095b93021b899f54c9355bebf36d78854c33a22\",\n \"https://git.kernel.org/stable/c/9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e\",\n \"https://git.kernel.org/stable/c/b65fb50e04a95eec34a9d1bc138454a98a5578d8\",\n \"https://git.kernel.org/stable/c/c448a9fd50f77e8fb9156ff64848aa4295eb3003\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\\n\\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\\nHowever, this is not necessary, because I2C core already has its own\\nlocking for that.\\n\\nMore importantly, this flag can cause a lock-up: if the flag is set in\\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\\n(i2c_hid_irq) will check this flag and return immediately without doing\\nanything, then the interrupt handler will be invoked again in an\\ninfinite loop.\\n\\nSince interrupt handler is an RT task, it takes over the CPU and the\\nflag-clearing task never gets scheduled, thus we have a lock-up.\\n\\nDelete this unnecessary flag.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35997\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35998", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35998" + }, + { + "url": "https://git.kernel.org/stable/c/699f8958dece132709c0bff6a9700999a2a63b75" + }, + { + "url": "https://git.kernel.org/stable/c/8248224ab5b8ca7559b671917c224296a4d671fc" + }, + { + "url": "https://git.kernel.org/stable/c/8861fd5180476f45f9e8853db154600469a0284f" + }, + { + "url": "https://git.kernel.org/stable/c/c7a4bca289e50bb4b2650f845c41bb3e453f4c66" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35998 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35998", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix lock ordering potential deadlock in cifs_sync_mid_result\n\nCoverity spotted that the cifs_sync_mid_result function could deadlock\n\n\"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires\nlock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock\"\n\nAddresses-Coverity: 1590401 (\"Thread deadlock (ORDER_REVERSAL)\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35998\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35998\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35998\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35998\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35998\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/699f8958dece132709c0bff6a9700999a2a63b75\",\n \"https://git.kernel.org/stable/c/8248224ab5b8ca7559b671917c224296a4d671fc\",\n \"https://git.kernel.org/stable/c/8861fd5180476f45f9e8853db154600469a0284f\",\n \"https://git.kernel.org/stable/c/c7a4bca289e50bb4b2650f845c41bb3e453f4c66\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb3: fix lock ordering potential deadlock in cifs_sync_mid_result\\n\\nCoverity spotted that the cifs_sync_mid_result function could deadlock\\n\\n\\\"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires\\nlock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock\\\"\\n\\nAddresses-Coverity: 1590401 (\\\"Thread deadlock (ORDER_REVERSAL)\\\")\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35998\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-35999", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-35999" + }, + { + "url": "https://git.kernel.org/stable/c/0fcf7e219448e937681216353c9a58abae6d3c2e" + }, + { + "url": "https://git.kernel.org/stable/c/60ab245292280905603bc0d3654f4cf8fceccb00" + }, + { + "url": "https://git.kernel.org/stable/c/8094a600245e9b28eb36a13036f202ad67c1f887" + }, + { + "url": "https://git.kernel.org/stable/c/98c7ed29cd754ae7475dc7cb3f33399fda902729" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-35999 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-35999", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: missing lock when picking channel\n\nCoverity spotted a place where we should have been holding the\nchannel lock when accessing the ses channel index.\n\nAddresses-Coverity: 1582039 (\"Data race condition (MISSING_LOCK)\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-35999\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-35999\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-35999\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-35999\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-35999\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0fcf7e219448e937681216353c9a58abae6d3c2e\",\n \"https://git.kernel.org/stable/c/60ab245292280905603bc0d3654f4cf8fceccb00\",\n \"https://git.kernel.org/stable/c/8094a600245e9b28eb36a13036f202ad67c1f887\",\n \"https://git.kernel.org/stable/c/98c7ed29cd754ae7475dc7cb3f33399fda902729\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb3: missing lock when picking channel\\n\\nCoverity spotted a place where we should have been holding the\\nchannel lock when accessing the ses channel index.\\n\\nAddresses-Coverity: 1582039 (\\\"Data race condition (MISSING_LOCK)\\\")\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-35999\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36000", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36000" + }, + { + "url": "https://git.kernel.org/stable/c/4c806333efea1000a2a9620926f560ad2e1ca7cc" + }, + { + "url": "https://git.kernel.org/stable/c/538faabf31e9c53d8c870d114846fda958a0de10" + }, + { + "url": "https://git.kernel.org/stable/c/b76b46902c2d0395488c8412e1116c2486cdfcb2" + }, + { + "url": "https://git.kernel.org/stable/c/f6c5d21db16a0910152ec8aa9d5a7aed72694505" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36000 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36000", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix missing hugetlb_lock for resv uncharge\n\nThere is a recent report on UFFDIO_COPY over hugetlb:\n\nhttps://lore.kernel.org/all/000000000000ee06de0616177560@google.com/\n\n350:\tlockdep_assert_held(&hugetlb_lock);\n\nShould be an issue in hugetlb but triggered in an userfault context, where\nit goes into the unlikely path where two threads modifying the resv map\ntogether. Mike has a fix in that path for resv uncharge but it looks like\nthe locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()\nwill update the cgroup pointer, so it requires to be called with the lock\nheld.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36000\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36000\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36000\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36000\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36000\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c806333efea1000a2a9620926f560ad2e1ca7cc\",\n \"https://git.kernel.org/stable/c/538faabf31e9c53d8c870d114846fda958a0de10\",\n \"https://git.kernel.org/stable/c/b76b46902c2d0395488c8412e1116c2486cdfcb2\",\n \"https://git.kernel.org/stable/c/f6c5d21db16a0910152ec8aa9d5a7aed72694505\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/hugetlb: fix missing hugetlb_lock for resv uncharge\\n\\nThere is a recent report on UFFDIO_COPY over hugetlb:\\n\\nhttps://lore.kernel.org/all/000000000000ee06de0616177560@google.com/\\n\\n350:\\tlockdep_assert_held(&hugetlb_lock);\\n\\nShould be an issue in hugetlb but triggered in an userfault context, where\\nit goes into the unlikely path where two threads modifying the resv map\\ntogether. Mike has a fix in that path for resv uncharge but it looks like\\nthe locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()\\nwill update the cgroup pointer, so it requires to be called with the lock\\nheld.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36000\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36003", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36003" + }, + { + "url": "https://git.kernel.org/stable/c/740717774dc37338404d10726967d582414f638c" + }, + { + "url": "https://git.kernel.org/stable/c/96fdd1f6b4ed72a741fb0eb705c0e13049b8721f" + }, + { + "url": "https://git.kernel.org/stable/c/de8631d8c9df08440268630200e64b623a5f69e6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36003 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36003", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix LAG and VF lock dependency in ice_reset_vf()\n\n9f74a3dfcf83 (\"ice: Fix VF Reset paths when interface in a failed over\naggregate\"), the ice driver has acquired the LAG mutex in ice_reset_vf().\nThe commit placed this lock acquisition just prior to the acquisition of\nthe VF configuration lock.\n\nIf ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK\nflag, this could deadlock with ice_vc_cfg_qs_msg() because it always\nacquires the locks in the order of the VF configuration lock and then the\nLAG mutex.\n\nLockdep reports this violation almost immediately on creating and then\nremoving 2 VF:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-rc6 #54 Tainted: G W O\n------------------------------------------------------\nkworker/60:3/6771 is trying to acquire lock:\nff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice]\n\nbut task is already holding lock:\nff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&pf->lag_mutex){+.+.}-{3:3}:\n __lock_acquire+0x4f8/0xb40\n lock_acquire+0xd4/0x2d0\n __mutex_lock+0x9b/0xbf0\n ice_vc_cfg_qs_msg+0x45/0x690 [ice]\n ice_vc_process_vf_msg+0x4f5/0x870 [ice]\n __ice_clean_ctrlq+0x2b5/0x600 [ice]\n ice_service_task+0x2c9/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n kthread+0x104/0x140\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1b/0x30\n\n-> #0 (&vf->cfg_lock){+.+.}-{3:3}:\n check_prev_add+0xe2/0xc50\n validate_chain+0x558/0x800\n __lock_acquire+0x4f8/0xb40\n lock_acquire+0xd4/0x2d0\n __mutex_lock+0x9b/0xbf0\n ice_reset_vf+0x22f/0x4d0 [ice]\n ice_process_vflr_event+0x98/0xd0 [ice]\n ice_service_task+0x1cc/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n kthread+0x104/0x140\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1b/0x30\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n CPU0 CPU1\n ---- ----\n lock(&pf->lag_mutex);\n lock(&vf->cfg_lock);\n lock(&pf->lag_mutex);\n lock(&vf->cfg_lock);\n\n *** DEADLOCK ***\n4 locks held by kworker/60:3/6771:\n #0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n #1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n #2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice]\n #3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\n\nstack backtrace:\nCPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G W O 6.8.0-rc6 #54\nHardware name:\nWorkqueue: ice ice_service_task [ice]\nCall Trace:\n \n dump_stack_lvl+0x4a/0x80\n check_noncircular+0x12d/0x150\n check_prev_add+0xe2/0xc50\n ? save_trace+0x59/0x230\n ? add_chain_cache+0x109/0x450\n validate_chain+0x558/0x800\n __lock_acquire+0x4f8/0xb40\n ? lockdep_hardirqs_on+0x7d/0x100\n lock_acquire+0xd4/0x2d0\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? lock_is_held_type+0xc7/0x120\n __mutex_lock+0x9b/0xbf0\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? rcu_is_watching+0x11/0x50\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ice_reset_vf+0x22f/0x4d0 [ice]\n ? process_one_work+0x176/0x4d0\n ice_process_vflr_event+0x98/0xd0 [ice]\n ice_service_task+0x1cc/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x104/0x140\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nTo avoid deadlock, we must acquire the LAG \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36003\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36003\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36003\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36003\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36003\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/740717774dc37338404d10726967d582414f638c\",\n \"https://git.kernel.org/stable/c/96fdd1f6b4ed72a741fb0eb705c0e13049b8721f\",\n \"https://git.kernel.org/stable/c/de8631d8c9df08440268630200e64b623a5f69e6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: fix LAG and VF lock dependency in ice_reset_vf()\\n\\n9f74a3dfcf83 (\\\"ice: Fix VF Reset paths when interface in a failed over\\naggregate\\\"), the ice driver has acquired the LAG mutex in ice_reset_vf().\\nThe commit placed this lock acquisition just prior to the acquisition of\\nthe VF configuration lock.\\n\\nIf ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK\\nflag, this could deadlock with ice_vc_cfg_qs_msg() because it always\\nacquires the locks in the order of the VF configuration lock and then the\\nLAG mutex.\\n\\nLockdep reports this violation almost immediately on creating and then\\nremoving 2 VF:\\n\\n======================================================\\nWARNING: possible circular locking dependency detected\\n6.8.0-rc6 #54 Tainted: G W O\\n------------------------------------------------------\\nkworker/60:3/6771 is trying to acquire lock:\\nff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice]\\n\\nbut task is already holding lock:\\nff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\\n\\nwhich lock already depends on the new lock.\\n\\nthe existing dependency chain (in reverse order) is:\\n\\n-> #1 (&pf->lag_mutex){+.+.}-{3:3}:\\n __lock_acquire+0x4f8/0xb40\\n lock_acquire+0xd4/0x2d0\\n __mutex_lock+0x9b/0xbf0\\n ice_vc_cfg_qs_msg+0x45/0x690 [ice]\\n ice_vc_process_vf_msg+0x4f5/0x870 [ice]\\n __ice_clean_ctrlq+0x2b5/0x600 [ice]\\n ice_service_task+0x2c9/0x480 [ice]\\n process_one_work+0x1e9/0x4d0\\n worker_thread+0x1e1/0x3d0\\n kthread+0x104/0x140\\n ret_from_fork+0x31/0x50\\n ret_from_fork_asm+0x1b/0x30\\n\\n-> #0 (&vf->cfg_lock){+.+.}-{3:3}:\\n check_prev_add+0xe2/0xc50\\n validate_chain+0x558/0x800\\n __lock_acquire+0x4f8/0xb40\\n lock_acquire+0xd4/0x2d0\\n __mutex_lock+0x9b/0xbf0\\n ice_reset_vf+0x22f/0x4d0 [ice]\\n ice_process_vflr_event+0x98/0xd0 [ice]\\n ice_service_task+0x1cc/0x480 [ice]\\n process_one_work+0x1e9/0x4d0\\n worker_thread+0x1e1/0x3d0\\n kthread+0x104/0x140\\n ret_from_fork+0x31/0x50\\n ret_from_fork_asm+0x1b/0x30\\n\\nother info that might help us debug this:\\n Possible unsafe locking scenario:\\n CPU0 CPU1\\n ---- ----\\n lock(&pf->lag_mutex);\\n lock(&vf->cfg_lock);\\n lock(&pf->lag_mutex);\\n lock(&vf->cfg_lock);\\n\\n *** DEADLOCK ***\\n4 locks held by kworker/60:3/6771:\\n #0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\\n #1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\\n #2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice]\\n #3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\\n\\nstack backtrace:\\nCPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G W O 6.8.0-rc6 #54\\nHardware name:\\nWorkqueue: ice ice_service_task [ice]\\nCall Trace:\\n \\n dump_stack_lvl+0x4a/0x80\\n check_noncircular+0x12d/0x150\\n check_prev_add+0xe2/0xc50\\n ? save_trace+0x59/0x230\\n ? add_chain_cache+0x109/0x450\\n validate_chain+0x558/0x800\\n __lock_acquire+0x4f8/0xb40\\n ? lockdep_hardirqs_on+0x7d/0x100\\n lock_acquire+0xd4/0x2d0\\n ? ice_reset_vf+0x22f/0x4d0 [ice]\\n ? lock_is_held_type+0xc7/0x120\\n __mutex_lock+0x9b/0xbf0\\n ? ice_reset_vf+0x22f/0x4d0 [ice]\\n ? ice_reset_vf+0x22f/0x4d0 [ice]\\n ? rcu_is_watching+0x11/0x50\\n ? ice_reset_vf+0x22f/0x4d0 [ice]\\n ice_reset_vf+0x22f/0x4d0 [ice]\\n ? process_one_work+0x176/0x4d0\\n ice_process_vflr_event+0x98/0xd0 [ice]\\n ice_service_task+0x1cc/0x480 [ice]\\n process_one_work+0x1e9/0x4d0\\n worker_thread+0x1e1/0x3d0\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0x104/0x140\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x31/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \\n\\nTo avoid deadlock, we must acquire the LAG \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36003\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36004", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36004" + }, + { + "url": "https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c" + }, + { + "url": "https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939" + }, + { + "url": "https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e" + }, + { + "url": "https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c" + }, + { + "url": "https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd" + }, + { + "url": "https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0" + }, + { + "url": "https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22" + }, + { + "url": "https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36004 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36004", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nIssue reported by customer during SRIOV testing, call trace:\nWhen both i40e and the i40iw driver are loaded, a warning\nin check_flush_dependency is being triggered. This seems\nto be because of the i40e driver workqueue is allocated with\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\n\nSimilar error was encountered on ice too and it was fixed by\nremoving the flag. Do the same for i40e too.\n\n[Feb 9 09:08] ------------[ cut here ]------------\n[ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\nflushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\ncheck_flush_dependency+0x10b/0x120\n[ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\ndm_region_hash dm_log dm_mod fuse\n[ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\n[ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\n[ +0.000001] Workqueue: i40e i40e_service_task [i40e]\n[ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\n[ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\n[ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\n[ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\n0000000000000027\n[ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\nffff94d47f620bc0\n[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\n00000000ffff7fff\n[ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\nffff94c5451ea180\n[ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\nffff94c5f1330ab0\n[ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000)\nknlGS:0000000000000000\n[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\n00000000007706f0\n[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ +0.000001] PKRU: 55555554\n[ +0.000001] Call Trace:\n[ +0.000001] \n[ +0.000002] ? __warn+0x80/0x130\n[ +0.000003] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? report_bug+0x195/0x1a0\n[ +0.000005] ? handle_bug+0x3c/0x70\n[ +0.000003] ? exc_invalid_op+0x14/0x70\n[ +0.000002] ? asm_exc_invalid_op+0x16/0x20\n[ +0.000006] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] __flush_workqueue+0x126/0x3f0\n[ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\n[ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core]\n[ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core]\n[ +0.000020] i40iw_close+0x4b/0x90 [irdma]\n[ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\n[ +0.000035] i40e_service_task+0x126/0x190 [i40e]\n[ +0.000024] process_one_work+0x174/0x340\n[ +0.000003] worker_th\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36004\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36004\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36004\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36004\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36004\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c\",\n \"https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939\",\n \"https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e\",\n \"https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c\",\n \"https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd\",\n \"https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0\",\n \"https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22\",\n \"https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\\n\\nIssue reported by customer during SRIOV testing, call trace:\\nWhen both i40e and the i40iw driver are loaded, a warning\\nin check_flush_dependency is being triggered. This seems\\nto be because of the i40e driver workqueue is allocated with\\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\\n\\nSimilar error was encountered on ice too and it was fixed by\\nremoving the flag. Do the same for i40e too.\\n\\n[Feb 9 09:08] ------------[ cut here ]------------\\n[ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\\nflushing !WQ_MEM_RECLAIM infiniband:0x0\\n[ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\\ncheck_flush_dependency+0x10b/0x120\\n[ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\\ndm_region_hash dm_log dm_mod fuse\\n[ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\\n[ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\\n[ +0.000001] Workqueue: i40e i40e_service_task [i40e]\\n[ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\\n[ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\\n[ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\\n[ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\\n0000000000000027\\n[ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\\nffff94d47f620bc0\\n[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\\n00000000ffff7fff\\n[ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\\nffff94c5451ea180\\n[ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\\nffff94c5f1330ab0\\n[ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000)\\nknlGS:0000000000000000\\n[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\\n00000000007706f0\\n[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\\n0000000000000000\\n[ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\\n0000000000000400\\n[ +0.000001] PKRU: 55555554\\n[ +0.000001] Call Trace:\\n[ +0.000001] \\n[ +0.000002] ? __warn+0x80/0x130\\n[ +0.000003] ? check_flush_dependency+0x10b/0x120\\n[ +0.000002] ? report_bug+0x195/0x1a0\\n[ +0.000005] ? handle_bug+0x3c/0x70\\n[ +0.000003] ? exc_invalid_op+0x14/0x70\\n[ +0.000002] ? asm_exc_invalid_op+0x16/0x20\\n[ +0.000006] ? check_flush_dependency+0x10b/0x120\\n[ +0.000002] ? check_flush_dependency+0x10b/0x120\\n[ +0.000002] __flush_workqueue+0x126/0x3f0\\n[ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\\n[ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core]\\n[ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core]\\n[ +0.000020] i40iw_close+0x4b/0x90 [irdma]\\n[ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\\n[ +0.000035] i40e_service_task+0x126/0x190 [i40e]\\n[ +0.000024] process_one_work+0x174/0x340\\n[ +0.000003] worker_th\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36004\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36005", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36005" + }, + { + "url": "https://git.kernel.org/stable/c/13ba94f6cc820fdea15efeaa17d4c722874eebf9" + }, + { + "url": "https://git.kernel.org/stable/c/5c45feb3c288cf44a529e2657b36c259d86497d2" + }, + { + "url": "https://git.kernel.org/stable/c/8260c980aee7d8d8a3db39faf19c391d2f898816" + }, + { + "url": "https://git.kernel.org/stable/c/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2" + }, + { + "url": "https://git.kernel.org/stable/c/ca34c40d1c22c555fa7f4a21a1c807fea7290a0a" + }, + { + "url": "https://git.kernel.org/stable/c/e4bb6da24de336a7899033a65490ed2d892efa5b" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36005 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36005", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: honor table dormant flag from netdev release event path\n\nCheck for table dormant flag otherwise netdev release event path tries\nto unregister an already unregistered hook.\n\n[524854.857999] ------------[ cut here ]------------\n[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\n[524854.858869] Workqueue: netns cleanup_net\n[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260\n[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41\n[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246\n[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a\n[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438\n[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34\n[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005\n[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00\n[524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0\n[524854.859000] Call Trace:\n[524854.859006] \n[524854.859013] ? __warn+0x9f/0x1a0\n[524854.859027] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859044] ? report_bug+0x1b1/0x1e0\n[524854.859060] ? handle_bug+0x3c/0x70\n[524854.859071] ? exc_invalid_op+0x17/0x40\n[524854.859083] ? asm_exc_invalid_op+0x1a/0x20\n[524854.859100] ? __nf_unregister_net_hook+0x6a/0x260\n[524854.859116] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables]\n[524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859461] ? packet_notifier+0xb3/0x360\n[524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40\n[524854.859489] ? dcbnl_netdevice_event+0x35/0x140\n[524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859661] notifier_call_chain+0x7d/0x140\n[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36005\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36005\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36005\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36005\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36005\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13ba94f6cc820fdea15efeaa17d4c722874eebf9\",\n \"https://git.kernel.org/stable/c/5c45feb3c288cf44a529e2657b36c259d86497d2\",\n \"https://git.kernel.org/stable/c/8260c980aee7d8d8a3db39faf19c391d2f898816\",\n \"https://git.kernel.org/stable/c/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2\",\n \"https://git.kernel.org/stable/c/ca34c40d1c22c555fa7f4a21a1c807fea7290a0a\",\n \"https://git.kernel.org/stable/c/e4bb6da24de336a7899033a65490ed2d892efa5b\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: honor table dormant flag from netdev release event path\\n\\nCheck for table dormant flag otherwise netdev release event path tries\\nto unregister an already unregistered hook.\\n\\n[524854.857999] ------------[ cut here ]------------\\n[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\\n[...]\\n[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\\n[524854.858869] Workqueue: netns cleanup_net\\n[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260\\n[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41\\n[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246\\n[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a\\n[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438\\n[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34\\n[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005\\n[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00\\n[524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\\n[524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0\\n[524854.859000] Call Trace:\\n[524854.859006] \\n[524854.859013] ? __warn+0x9f/0x1a0\\n[524854.859027] ? __nf_unregister_net_hook+0x21a/0x260\\n[524854.859044] ? report_bug+0x1b1/0x1e0\\n[524854.859060] ? handle_bug+0x3c/0x70\\n[524854.859071] ? exc_invalid_op+0x17/0x40\\n[524854.859083] ? asm_exc_invalid_op+0x1a/0x20\\n[524854.859100] ? __nf_unregister_net_hook+0x6a/0x260\\n[524854.859116] ? __nf_unregister_net_hook+0x21a/0x260\\n[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables]\\n[524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\\n[524854.859461] ? packet_notifier+0xb3/0x360\\n[524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40\\n[524854.859489] ? dcbnl_netdevice_event+0x35/0x140\\n[524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\\n[524854.859661] notifier_call_chain+0x7d/0x140\\n[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36005\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36006", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36006" + }, + { + "url": "https://git.kernel.org/stable/c/09846c2309b150b8ce4e0ce96f058197598fc530" + }, + { + "url": "https://git.kernel.org/stable/c/0b2c13b670b168e324e1cf109e67056a20fd610a" + }, + { + "url": "https://git.kernel.org/stable/c/4526a56e02da3725db979358964df9cd9c567154" + }, + { + "url": "https://git.kernel.org/stable/c/64435b64e43d8ee60faa46c0cd04e323e8b2a7b0" + }, + { + "url": "https://git.kernel.org/stable/c/ab4ecfb627338e440ae11def004c524a00d93e40" + }, + { + "url": "https://git.kernel.org/stable/c/af8b593c3dd9df82cb199be65863af004b09fd97" + }, + { + "url": "https://git.kernel.org/stable/c/b377add0f0117409c418ddd6504bd682ebe0bf79" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36006 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36006", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\n\nBoth the function that migrates all the chunks within a region and the\nfunction that migrates all the entries within a chunk call\nlist_first_entry() on the respective lists without checking that the\nlists are not empty. This is incorrect usage of the API, which leads to\nthe following warning [1].\n\nFix by returning if the lists are empty as there is nothing to migrate\nin this case.\n\n[1]\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\nModules linked in:\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36006\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36006\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36006\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36006\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36006\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09846c2309b150b8ce4e0ce96f058197598fc530\",\n \"https://git.kernel.org/stable/c/0b2c13b670b168e324e1cf109e67056a20fd610a\",\n \"https://git.kernel.org/stable/c/4526a56e02da3725db979358964df9cd9c567154\",\n \"https://git.kernel.org/stable/c/64435b64e43d8ee60faa46c0cd04e323e8b2a7b0\",\n \"https://git.kernel.org/stable/c/ab4ecfb627338e440ae11def004c524a00d93e40\",\n \"https://git.kernel.org/stable/c/af8b593c3dd9df82cb199be65863af004b09fd97\",\n \"https://git.kernel.org/stable/c/b377add0f0117409c418ddd6504bd682ebe0bf79\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\\n\\nBoth the function that migrates all the chunks within a region and the\\nfunction that migrates all the entries within a chunk call\\nlist_first_entry() on the respective lists without checking that the\\nlists are not empty. This is incorrect usage of the API, which leads to\\nthe following warning [1].\\n\\nFix by returning if the lists are empty as there is nothing to migrate\\nin this case.\\n\\n[1]\\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\\nModules linked in:\\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\\n[...]\\nCall Trace:\\n \\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\\n process_one_work+0x151/0x370\\n worker_thread+0x2cb/0x3e0\\n kthread+0xd0/0x100\\n ret_from_fork+0x34/0x50\\n ret_from_fork_asm+0x1a/0x30\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36006\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36007", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36007" + }, + { + "url": "https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573" + }, + { + "url": "https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596" + }, + { + "url": "https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d" + }, + { + "url": "https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952" + }, + { + "url": "https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b" + }, + { + "url": "https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916" + }, + { + "url": "https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36007 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36007", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\n\nAs previously explained, the rehash delayed work migrates filters from\none region to another. This is done by iterating over all chunks (all\nthe filters with the same priority) in the region and in each chunk\niterating over all the filters.\n\nWhen the work runs out of credits it stores the current chunk and entry\nas markers in the per-work context so that it would know where to resume\nthe migration from the next time the work is scheduled.\n\nUpon error, the chunk marker is reset to NULL, but without resetting the\nentry markers despite being relative to it. This can result in migration\nbeing resumed from an entry that does not belong to the chunk being\nmigrated. In turn, this will eventually lead to a chunk being iterated\nover as if it is an entry. Because of how the two structures happen to\nbe defined, this does not lead to KASAN splats, but to warnings such as\n[1].\n\nFix by creating a helper that resets all the markers and call it from\nall the places the currently only reset the chunk marker. For good\nmeasures also call it when starting a completely new rehash. Add a\nwarning to avoid future cases.\n\n[1]\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\nModules linked in:\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36007\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36007\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36007\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36007\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36007\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573\",\n \"https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596\",\n \"https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d\",\n \"https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952\",\n \"https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b\",\n \"https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916\",\n \"https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\\n\\nAs previously explained, the rehash delayed work migrates filters from\\none region to another. This is done by iterating over all chunks (all\\nthe filters with the same priority) in the region and in each chunk\\niterating over all the filters.\\n\\nWhen the work runs out of credits it stores the current chunk and entry\\nas markers in the per-work context so that it would know where to resume\\nthe migration from the next time the work is scheduled.\\n\\nUpon error, the chunk marker is reset to NULL, but without resetting the\\nentry markers despite being relative to it. This can result in migration\\nbeing resumed from an entry that does not belong to the chunk being\\nmigrated. In turn, this will eventually lead to a chunk being iterated\\nover as if it is an entry. Because of how the two structures happen to\\nbe defined, this does not lead to KASAN splats, but to warnings such as\\n[1].\\n\\nFix by creating a helper that resets all the markers and call it from\\nall the places the currently only reset the chunk marker. For good\\nmeasures also call it when starting a completely new rehash. Add a\\nwarning to avoid future cases.\\n\\n[1]\\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\\nModules linked in:\\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\\n[...]\\nCall Trace:\\n \\n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\\n process_one_work+0x151/0x370\\n worker_thread+0x2cb/0x3e0\\n kthread+0xd0/0x100\\n ret_from_fork+0x34/0x50\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36007\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36008", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36008" + }, + { + "url": "https://git.kernel.org/stable/c/03b5a9b2b526862b21bcc31976e393a6e63785d1" + }, + { + "url": "https://git.kernel.org/stable/c/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1" + }, + { + "url": "https://git.kernel.org/stable/c/7a25bfd12733a8f38f8ca47c581f876c3d481ac0" + }, + { + "url": "https://git.kernel.org/stable/c/7da0f91681c4902bc5c210356fdd963b04d5d1d4" + }, + { + "url": "https://git.kernel.org/stable/c/8240c7308c941db4d9a0a91b54eca843c616a655" + }, + { + "url": "https://git.kernel.org/stable/c/c71ea3534ec0936fc57e6fb271c7cc6a2f68c295" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36008 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36008", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: check for NULL idev in ip_route_use_hint()\n\nsyzbot was able to trigger a NULL deref in fib_validate_source()\nin an old tree [1].\n\nIt appears the bug exists in latest trees.\n\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\nFS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\n ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\n ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\n ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\n ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\n __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\n __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\n __netif_receive_skb_list net/core/dev.c:5672 [inline]\n netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\n netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\n xdp_recv_frames net/bpf/test_run.c:257 [inline]\n xdp_test_run_batch net/bpf/test_run.c:335 [inline]\n bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\n bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\n bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\n __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\n __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36008\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36008\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36008\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36008\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36008\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03b5a9b2b526862b21bcc31976e393a6e63785d1\",\n \"https://git.kernel.org/stable/c/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1\",\n \"https://git.kernel.org/stable/c/7a25bfd12733a8f38f8ca47c581f876c3d481ac0\",\n \"https://git.kernel.org/stable/c/7da0f91681c4902bc5c210356fdd963b04d5d1d4\",\n \"https://git.kernel.org/stable/c/8240c7308c941db4d9a0a91b54eca843c616a655\",\n \"https://git.kernel.org/stable/c/c71ea3534ec0936fc57e6fb271c7cc6a2f68c295\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv4: check for NULL idev in ip_route_use_hint()\\n\\nsyzbot was able to trigger a NULL deref in fib_validate_source()\\nin an old tree [1].\\n\\nIt appears the bug exists in latest trees.\\n\\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\\n\\n[1]\\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\\nFS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\\n ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\\n ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\\n ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\\n ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\\n __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\\n __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\\n __netif_receive_skb_list net/core/dev.c:5672 [inline]\\n netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\\n netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\\n xdp_recv_frames net/bpf/test_run.c:257 [inline]\\n xdp_test_run_batch net/bpf/test_run.c:335 [inline]\\n bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\\n bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\\n bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\\n __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\\n __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\\n __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36008\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36009", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36009" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/0d14f104027e30720582448706c7d6b43065c851" + }, + { + "url": "https://git.kernel.org/stable/c/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b" + }, + { + "url": "https://git.kernel.org/stable/c/4fee8fa86a15d7790268eea458b1aec69c695530" + }, + { + "url": "https://git.kernel.org/stable/c/c42b073d9af4a5329b25b17390c63ab3847f30e8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36009 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36009", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix netdev refcount issue\n\nThe dev_tracker is added to ax25_cb in ax25_bind(). When the\nax25 device is detaching, the dev_tracker of ax25_cb should be\ndeallocated in ax25_kill_by_device() instead of the dev_tracker\nof ax25_dev. The log reported by ref_tracker is shown below:\n\n[ 80.884935] ref_tracker: reference already released.\n[ 80.885150] ref_tracker: allocated in:\n[ 80.885349] ax25_dev_device_up+0x105/0x540\n[ 80.885730] ax25_device_event+0xa4/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] __dev_notify_flags+0x138/0x280\n[ 80.885730] dev_change_flags+0xd7/0x180\n[ 80.885730] dev_ifsioc+0x6a9/0xa30\n[ 80.885730] dev_ioctl+0x4d8/0xd90\n[ 80.885730] sock_do_ioctl+0x1c2/0x2d0\n[ 80.885730] sock_ioctl+0x38b/0x4f0\n[ 80.885730] __se_sys_ioctl+0xad/0xf0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.885730] ref_tracker: freed in:\n[ 80.885730] ax25_device_event+0x272/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] dev_close_many+0x272/0x370\n[ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180\n[ 80.885730] unregister_netdev+0xcf/0x120\n[ 80.885730] sixpack_close+0x11f/0x1b0\n[ 80.885730] tty_ldisc_kill+0xcb/0x190\n[ 80.885730] tty_ldisc_hangup+0x338/0x3d0\n[ 80.885730] __tty_hangup+0x504/0x740\n[ 80.885730] tty_release+0x46e/0xd80\n[ 80.885730] __fput+0x37f/0x770\n[ 80.885730] __x64_sys_close+0x7b/0xb0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.893739] ------------[ cut here ]------------\n[ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0\n[ 80.894297] Modules linked in:\n[ 80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11\n[ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4\n[ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0\n[ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9\n[ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286\n[ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000\n[ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518\n[ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a\n[ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4\n[ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518\n[ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000\n[ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0\n...\n[ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at\n[ 80.935774] ax25_bind+0x424/0x4e0\n[ 80.935774] __sys_bind+0x1d9/0x270\n[ 80.935774] __x64_sys_bind+0x75/0x80\n[ 80.935774] do_syscall_64+0xc4/0x1b0\n[ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n\nChange ax25_dev->dev_tracker to the dev_tracker of ax25_cb\nin order to mitigate the bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36009\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36009\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36009\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36009\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36009\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/0d14f104027e30720582448706c7d6b43065c851\",\n \"https://git.kernel.org/stable/c/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b\",\n \"https://git.kernel.org/stable/c/4fee8fa86a15d7790268eea458b1aec69c695530\",\n \"https://git.kernel.org/stable/c/c42b073d9af4a5329b25b17390c63ab3847f30e8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nax25: Fix netdev refcount issue\\n\\nThe dev_tracker is added to ax25_cb in ax25_bind(). When the\\nax25 device is detaching, the dev_tracker of ax25_cb should be\\ndeallocated in ax25_kill_by_device() instead of the dev_tracker\\nof ax25_dev. The log reported by ref_tracker is shown below:\\n\\n[ 80.884935] ref_tracker: reference already released.\\n[ 80.885150] ref_tracker: allocated in:\\n[ 80.885349] ax25_dev_device_up+0x105/0x540\\n[ 80.885730] ax25_device_event+0xa4/0x420\\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\\n[ 80.885730] __dev_notify_flags+0x138/0x280\\n[ 80.885730] dev_change_flags+0xd7/0x180\\n[ 80.885730] dev_ifsioc+0x6a9/0xa30\\n[ 80.885730] dev_ioctl+0x4d8/0xd90\\n[ 80.885730] sock_do_ioctl+0x1c2/0x2d0\\n[ 80.885730] sock_ioctl+0x38b/0x4f0\\n[ 80.885730] __se_sys_ioctl+0xad/0xf0\\n[ 80.885730] do_syscall_64+0xc4/0x1b0\\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n[ 80.885730] ref_tracker: freed in:\\n[ 80.885730] ax25_device_event+0x272/0x420\\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\\n[ 80.885730] dev_close_many+0x272/0x370\\n[ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180\\n[ 80.885730] unregister_netdev+0xcf/0x120\\n[ 80.885730] sixpack_close+0x11f/0x1b0\\n[ 80.885730] tty_ldisc_kill+0xcb/0x190\\n[ 80.885730] tty_ldisc_hangup+0x338/0x3d0\\n[ 80.885730] __tty_hangup+0x504/0x740\\n[ 80.885730] tty_release+0x46e/0xd80\\n[ 80.885730] __fput+0x37f/0x770\\n[ 80.885730] __x64_sys_close+0x7b/0xb0\\n[ 80.885730] do_syscall_64+0xc4/0x1b0\\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n[ 80.893739] ------------[ cut here ]------------\\n[ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0\\n[ 80.894297] Modules linked in:\\n[ 80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11\\n[ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4\\n[ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0\\n[ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9\\n[ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286\\n[ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000\\n[ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518\\n[ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a\\n[ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4\\n[ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518\\n[ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000\\n[ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0\\n...\\n[ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at\\n[ 80.935774] ax25_bind+0x424/0x4e0\\n[ 80.935774] __sys_bind+0x1d9/0x270\\n[ 80.935774] __x64_sys_bind+0x75/0x80\\n[ 80.935774] do_syscall_64+0xc4/0x1b0\\n[ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n\\nChange ax25_dev->dev_tracker to the dev_tracker of ax25_cb\\nin order to mitigate the bug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36009\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36012", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36012" + }, + { + "url": "https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac" + }, + { + "url": "https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56" + }, + { + "url": "https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940" + }, + { + "url": "https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36012 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36012", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: msft: fix slab-use-after-free in msft_do_close()\n\nTying the msft->data lifetime to hdev by freeing it in\nhci_release_dev() to fix the following case:\n\n[use]\nmsft_do_close()\n msft = hdev->msft_data;\n if (!msft) ...(1) <- passed.\n return;\n mutex_lock(&msft->filter_lock); ...(4) <- used after freed.\n\n[free]\nmsft_unregister()\n msft = hdev->msft_data;\n hdev->msft_data = NULL; ...(2)\n kfree(msft); ...(3) <- msft is freed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30\nkernel/locking/mutex.c:752\nRead of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36012\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36012\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36012\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36012\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36012\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac\",\n \"https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56\",\n \"https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940\",\n \"https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: msft: fix slab-use-after-free in msft_do_close()\\n\\nTying the msft->data lifetime to hdev by freeing it in\\nhci_release_dev() to fix the following case:\\n\\n[use]\\nmsft_do_close()\\n msft = hdev->msft_data;\\n if (!msft) ...(1) <- passed.\\n return;\\n mutex_lock(&msft->filter_lock); ...(4) <- used after freed.\\n\\n[free]\\nmsft_unregister()\\n msft = hdev->msft_data;\\n hdev->msft_data = NULL; ...(2)\\n kfree(msft); ...(3) <- msft is freed.\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in __mutex_lock_common\\nkernel/locking/mutex.c:587 [inline]\\nBUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30\\nkernel/locking/mutex.c:752\\nRead of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36012\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36013", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36013" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2" + }, + { + "url": "https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658" + }, + { + "url": "https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6" + }, + { + "url": "https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36013 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36013", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()\n\nExtend a critical section to prevent chan from early freeing.\nAlso make the l2cap_connect() return type void. Nothing is using the\nreturned value but it is ugly to return a potentially freed pointer.\nMaking it void will help with backports because earlier kernels did use\nthe return value. Now the compile will break for kernels where this\npatch is not a complete fix.\n\nCall stack summary:\n\n[use]\nl2cap_bredr_sig_cmd\n l2cap_connect\n ┌ mutex_lock(&conn->chan_lock);\n │ chan = pchan->ops->new_connection(pchan); <- alloc chan\n │ __l2cap_chan_add(conn, chan);\n │ l2cap_chan_hold(chan);\n │ list_add(&chan->list, &conn->chan_l); ... (1)\n └ mutex_unlock(&conn->chan_lock);\n chan->conf_state ... (4) <- use after free\n\n[free]\nl2cap_conn_del\n┌ mutex_lock(&conn->chan_lock);\n│ foreach chan in conn->chan_l: ... (2)\n│ l2cap_chan_put(chan);\n│ l2cap_chan_destroy\n│ kfree(chan) ... (3) <- chan freed\n└ mutex_unlock(&conn->chan_lock);\n\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read\ninclude/linux/instrumented.h:68 [inline]\nBUG: KASAN: slab-use-after-free in _test_bit\ninclude/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0\nnet/bluetooth/l2cap_core.c:4260\nRead of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36013\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36013\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36013\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36013\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36013\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"http://www.openwall.com/lists/oss-security/2024/05/30/1\",\n \"http://www.openwall.com/lists/oss-security/2024/05/30/2\",\n \"https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658\",\n \"https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6\",\n \"https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()\\n\\nExtend a critical section to prevent chan from early freeing.\\nAlso make the l2cap_connect() return type void. Nothing is using the\\nreturned value but it is ugly to return a potentially freed pointer.\\nMaking it void will help with backports because earlier kernels did use\\nthe return value. Now the compile will break for kernels where this\\npatch is not a complete fix.\\n\\nCall stack summary:\\n\\n[use]\\nl2cap_bredr_sig_cmd\\n l2cap_connect\\n ┌ mutex_lock(&conn->chan_lock);\\n │ chan = pchan->ops->new_connection(pchan); <- alloc chan\\n │ __l2cap_chan_add(conn, chan);\\n │ l2cap_chan_hold(chan);\\n │ list_add(&chan->list, &conn->chan_l); ... (1)\\n └ mutex_unlock(&conn->chan_lock);\\n chan->conf_state ... (4) <- use after free\\n\\n[free]\\nl2cap_conn_del\\n┌ mutex_lock(&conn->chan_lock);\\n│ foreach chan in conn->chan_l: ... (2)\\n│ l2cap_chan_put(chan);\\n│ l2cap_chan_destroy\\n│ kfree(chan) ... (3) <- chan freed\\n└ mutex_unlock(&conn->chan_lock);\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in instrument_atomic_read\\ninclude/linux/instrumented.h:68 [inline]\\nBUG: KASAN: slab-use-after-free in _test_bit\\ninclude/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\\nBUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0\\nnet/bluetooth/l2cap_core.c:4260\\nRead of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 6.8,\n \"exploitabilityScore\": 0.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36013\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36014", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36014" + }, + { + "url": "https://git.kernel.org/stable/c/335cc45ef2b81b68be63c698b4f867a530bdf7a5" + }, + { + "url": "https://git.kernel.org/stable/c/3e54d4e95120641216dfe91a6c49f116a9f68490" + }, + { + "url": "https://git.kernel.org/stable/c/565d9ad7e5a18eb69ed8b66a9e9bb3f45346520c" + }, + { + "url": "https://git.kernel.org/stable/c/93f76ec1eddce60dbb5885cbc0d7df54adee4639" + }, + { + "url": "https://git.kernel.org/stable/c/a1f95aede6285dba6dd036d907196f35ae3a11ea" + }, + { + "url": "https://git.kernel.org/stable/c/a5fa5b40a278a3ca978fed64707bd27614adb1eb" + }, + { + "url": "https://git.kernel.org/stable/c/b6cc5dd06336ed8bb3a7a1fc5aaf7d5e88bc0818" + }, + { + "url": "https://git.kernel.org/stable/c/b77620730f614059db2470e8ebab3e725280fc6d" + }, + { + "url": "https://git.kernel.org/stable/c/e4b52d49383306ef73fd1bd9102538beebb0fe07" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36014 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36014", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/arm/malidp: fix a possible null pointer dereference\n\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36014\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36014\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36014\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36014\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36014\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/335cc45ef2b81b68be63c698b4f867a530bdf7a5\",\n \"https://git.kernel.org/stable/c/3e54d4e95120641216dfe91a6c49f116a9f68490\",\n \"https://git.kernel.org/stable/c/565d9ad7e5a18eb69ed8b66a9e9bb3f45346520c\",\n \"https://git.kernel.org/stable/c/93f76ec1eddce60dbb5885cbc0d7df54adee4639\",\n \"https://git.kernel.org/stable/c/a1f95aede6285dba6dd036d907196f35ae3a11ea\",\n \"https://git.kernel.org/stable/c/a5fa5b40a278a3ca978fed64707bd27614adb1eb\",\n \"https://git.kernel.org/stable/c/b6cc5dd06336ed8bb3a7a1fc5aaf7d5e88bc0818\",\n \"https://git.kernel.org/stable/c/b77620730f614059db2470e8ebab3e725280fc6d\",\n \"https://git.kernel.org/stable/c/e4b52d49383306ef73fd1bd9102538beebb0fe07\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/arm/malidp: fix a possible null pointer dereference\\n\\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\\nno check is performed. In order to prevent null pointer dereferencing,\\nensure that mw_state is checked before calling\\n__drm_atomic_helper_connector_reset.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36014\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36015", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36015" + }, + { + "url": "https://git.kernel.org/stable/c/5d5b24edad1107a2ffa99058f20f6aeeafeb5d39" + }, + { + "url": "https://git.kernel.org/stable/c/65cd017d43f4319a56747d38308b0a24cf57299e" + }, + { + "url": "https://git.kernel.org/stable/c/b65d0410b879af0295d22438a4a32012786d152a" + }, + { + "url": "https://git.kernel.org/stable/c/b8c6b83cc3adff3ddf403c8c7063fe6d08b2b9d9" + }, + { + "url": "https://git.kernel.org/stable/c/d32caf51379a4d71db03d3d4d7c22d27cdf7f68b" + }, + { + "url": "https://git.kernel.org/stable/c/df9329247dbbf00f6057e002139ab3fa529ad828" + }, + { + "url": "https://git.kernel.org/stable/c/ec3468221efec6660ff656e9ebe51ced3520fc57" + }, + { + "url": "https://git.kernel.org/stable/c/fbf740aeb86a4fe82ad158d26d711f2f3be79b3e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36015 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36015", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nppdev: Add an error check in register_device\n\nIn register_device, the return value of ida_simple_get is unchecked,\nin witch ida_simple_get will use an invalid index value.\n\nTo address this issue, index should be checked after ida_simple_get. When\nthe index value is abnormal, a warning message should be printed, the port\nshould be dropped, and the value should be recorded.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36015\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36015\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36015\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36015\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36015\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5d5b24edad1107a2ffa99058f20f6aeeafeb5d39\",\n \"https://git.kernel.org/stable/c/65cd017d43f4319a56747d38308b0a24cf57299e\",\n \"https://git.kernel.org/stable/c/b65d0410b879af0295d22438a4a32012786d152a\",\n \"https://git.kernel.org/stable/c/b8c6b83cc3adff3ddf403c8c7063fe6d08b2b9d9\",\n \"https://git.kernel.org/stable/c/d32caf51379a4d71db03d3d4d7c22d27cdf7f68b\",\n \"https://git.kernel.org/stable/c/df9329247dbbf00f6057e002139ab3fa529ad828\",\n \"https://git.kernel.org/stable/c/ec3468221efec6660ff656e9ebe51ced3520fc57\",\n \"https://git.kernel.org/stable/c/fbf740aeb86a4fe82ad158d26d711f2f3be79b3e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nppdev: Add an error check in register_device\\n\\nIn register_device, the return value of ida_simple_get is unchecked,\\nin witch ida_simple_get will use an invalid index value.\\n\\nTo address this issue, index should be checked after ida_simple_get. When\\nthe index value is abnormal, a warning message should be printed, the port\\nshould be dropped, and the value should be recorded.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36015\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36016", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-117.127", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36016" + }, + { + "url": "https://git.kernel.org/stable/c/0fb736c9931e02dbc7d9a75044c8e1c039e50f04" + }, + { + "url": "https://git.kernel.org/stable/c/46f52c89a7e7d2691b97a9728e4591d071ca8abc" + }, + { + "url": "https://git.kernel.org/stable/c/47388e807f85948eefc403a8a5fdc5b406a65d5a" + }, + { + "url": "https://git.kernel.org/stable/c/4c267110fc110390704cc065edb9817fdd10ff54" + }, + { + "url": "https://git.kernel.org/stable/c/774d83b008eccb1c48c14dc5486e7aa255731350" + }, + { + "url": "https://git.kernel.org/stable/c/9513d4148950b05bc99fa7314dc883cc0e1605e5" + }, + { + "url": "https://git.kernel.org/stable/c/b229bc6c6ea9fe459fc3fa94fd0a27a2f32aca56" + }, + { + "url": "https://git.kernel.org/stable/c/b890d45aaf02b564e6cae2d2a590f9649330857d" + }, + { + "url": "https://git.kernel.org/stable/c/f126ce7305fe88f49cdabc6db4168b9318898ea3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36016 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36016", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\n\nAssuming the following:\n- side A configures the n_gsm in basic option mode\n- side B sends the header of a basic option mode frame with data length 1\n- side A switches to advanced option mode\n- side B sends 2 data bytes which exceeds gsm->len\n Reason: gsm->len is not used in advanced option mode.\n- side A switches to basic option mode\n- side B keeps sending until gsm0_receive() writes past gsm->buf\n Reason: Neither gsm->state nor gsm->len have been reset after\n reconfiguration.\n\nFix this by changing gsm->count to gsm->len comparison from equal to less\nthan. Also add upper limit checks against the constant MAX_MRU in\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\ngsm->len and gsm->mru.\n\nAll other checks remain as we still need to limit the data according to the\nuser configuration and actual payload size.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36016\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36016\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36016\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-117.127\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36016\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36016\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0fb736c9931e02dbc7d9a75044c8e1c039e50f04\",\n \"https://git.kernel.org/stable/c/46f52c89a7e7d2691b97a9728e4591d071ca8abc\",\n \"https://git.kernel.org/stable/c/47388e807f85948eefc403a8a5fdc5b406a65d5a\",\n \"https://git.kernel.org/stable/c/4c267110fc110390704cc065edb9817fdd10ff54\",\n \"https://git.kernel.org/stable/c/774d83b008eccb1c48c14dc5486e7aa255731350\",\n \"https://git.kernel.org/stable/c/9513d4148950b05bc99fa7314dc883cc0e1605e5\",\n \"https://git.kernel.org/stable/c/b229bc6c6ea9fe459fc3fa94fd0a27a2f32aca56\",\n \"https://git.kernel.org/stable/c/b890d45aaf02b564e6cae2d2a590f9649330857d\",\n \"https://git.kernel.org/stable/c/f126ce7305fe88f49cdabc6db4168b9318898ea3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\\n\\nAssuming the following:\\n- side A configures the n_gsm in basic option mode\\n- side B sends the header of a basic option mode frame with data length 1\\n- side A switches to advanced option mode\\n- side B sends 2 data bytes which exceeds gsm->len\\n Reason: gsm->len is not used in advanced option mode.\\n- side A switches to basic option mode\\n- side B keeps sending until gsm0_receive() writes past gsm->buf\\n Reason: Neither gsm->state nor gsm->len have been reset after\\n reconfiguration.\\n\\nFix this by changing gsm->count to gsm->len comparison from equal to less\\nthan. Also add upper limit checks against the constant MAX_MRU in\\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\\ngsm->len and gsm->mru.\\n\\nAll other checks remain as we still need to limit the data according to the\\nuser configuration and actual payload size.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.7,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-117.127 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36016\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36017", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36017" + }, + { + "url": "https://git.kernel.org/stable/c/1aec77b2bb2ed1db0f5efc61c4c1ca3813307489" + }, + { + "url": "https://git.kernel.org/stable/c/206003c748b88890a910ef7142d18f77be57550b" + }, + { + "url": "https://git.kernel.org/stable/c/4a4b9757789a1551d2df130df23bfb3545bfa7e8" + }, + { + "url": "https://git.kernel.org/stable/c/5e7ef2d88666a0212db8c38e6703864b9ce70169" + }, + { + "url": "https://git.kernel.org/stable/c/6c8f44b02500c7d14b5e6618fe4ef9a0da47b3de" + }, + { + "url": "https://git.kernel.org/stable/c/6e4c7193954f4faab92f6e8d88bc5565317b44e7" + }, + { + "url": "https://git.kernel.org/stable/c/8ac69ff2d0d5be9734c4402de932aa3dc8549c1a" + }, + { + "url": "https://git.kernel.org/stable/c/f3c1bf3054f96ddeab0621d920445bada769b40e" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36017 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36017", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\n\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\nis not enough and a too small attribute might be cast to a\nstruct ifla_vf_vlan_info, this might result in an out of bands\nread access when accessing the saved (casted) entry in ivvl.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36017\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36017\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36017\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36017\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36017\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1aec77b2bb2ed1db0f5efc61c4c1ca3813307489\",\n \"https://git.kernel.org/stable/c/206003c748b88890a910ef7142d18f77be57550b\",\n \"https://git.kernel.org/stable/c/4a4b9757789a1551d2df130df23bfb3545bfa7e8\",\n \"https://git.kernel.org/stable/c/5e7ef2d88666a0212db8c38e6703864b9ce70169\",\n \"https://git.kernel.org/stable/c/6c8f44b02500c7d14b5e6618fe4ef9a0da47b3de\",\n \"https://git.kernel.org/stable/c/6e4c7193954f4faab92f6e8d88bc5565317b44e7\",\n \"https://git.kernel.org/stable/c/8ac69ff2d0d5be9734c4402de932aa3dc8549c1a\",\n \"https://git.kernel.org/stable/c/f3c1bf3054f96ddeab0621d920445bada769b40e\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\\n\\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\\nis not enough and a too small attribute might be cast to a\\nstruct ifla_vf_vlan_info, this might result in an out of bands\\nread access when accessing the saved (casted) entry in ivvl.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36017\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36020", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36020" + }, + { + "url": "https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6" + }, + { + "url": "https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0" + }, + { + "url": "https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba" + }, + { + "url": "https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31" + }, + { + "url": "https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a" + }, + { + "url": "https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c" + }, + { + "url": "https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d" + }, + { + "url": "https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36020 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36020", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix vf may be used uninitialized in this function warning\n\nTo fix the regression introduced by commit 52424f974bc5, which causes\nservers hang in very hard to reproduce conditions with resets races.\nUsing two sources for the information is the root cause.\nIn this function before the fix bumping v didn't mean bumping vf\npointer. But the code used this variables interchangeably, so stale vf\ncould point to different/not intended vf.\n\nRemove redundant \"v\" variable and iterate via single VF pointer across\nwhole function instead to guarantee VF pointer validity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36020\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36020\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36020\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36020\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36020\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6\",\n \"https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0\",\n \"https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba\",\n \"https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31\",\n \"https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a\",\n \"https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c\",\n \"https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d\",\n \"https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni40e: fix vf may be used uninitialized in this function warning\\n\\nTo fix the regression introduced by commit 52424f974bc5, which causes\\nservers hang in very hard to reproduce conditions with resets races.\\nUsing two sources for the information is the root cause.\\nIn this function before the fix bumping v didn't mean bumping vf\\npointer. But the code used this variables interchangeably, so stale vf\\ncould point to different/not intended vf.\\n\\nRemove redundant \\\"v\\\" variable and iterate via single VF pointer across\\nwhole function instead to guarantee VF pointer validity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36020\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36021", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36021" + }, + { + "url": "https://git.kernel.org/stable/c/1b550dae55901c2cc9075d6a7155a71b4f516e86" + }, + { + "url": "https://git.kernel.org/stable/c/50b69054f455dcdb34bd6b22764c7579b270eef3" + }, + { + "url": "https://git.kernel.org/stable/c/7ca0f73e5e2da3c129935b97f3a0877cce8ebdf5" + }, + { + "url": "https://git.kernel.org/stable/c/93305b77ffcb042f1538ecc383505e87d95aa05a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36021 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36021", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when devlink reload during pf initialization\n\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash. This patch fixes this by taking devl_lock during initialization.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36021\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36021\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36021\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36021\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36021\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b550dae55901c2cc9075d6a7155a71b4f516e86\",\n \"https://git.kernel.org/stable/c/50b69054f455dcdb34bd6b22764c7579b270eef3\",\n \"https://git.kernel.org/stable/c/7ca0f73e5e2da3c129935b97f3a0877cce8ebdf5\",\n \"https://git.kernel.org/stable/c/93305b77ffcb042f1538ecc383505e87d95aa05a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: hns3: fix kernel crash when devlink reload during pf initialization\\n\\nThe devlink reload process will access the hardware resources,\\nbut the register operation is done before the hardware is initialized.\\nSo, processing the devlink reload during initialization may lead to kernel\\ncrash. This patch fixes this by taking devl_lock during initialization.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36021\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36022", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36022" + }, + { + "url": "https://git.kernel.org/stable/c/4f8154f775197d0021b690c2945d6a4d8094c8f6" + }, + { + "url": "https://git.kernel.org/stable/c/f679fd6057fbf5ab34aaee28d58b7f81af0cbf48" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36022 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36022", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Init zone device and drm client after mode-1 reset on reload\n\nIn passthrough environment, when amdgpu is reloaded after unload, mode-1\nis triggered after initializing the necessary IPs, That init does not\ninclude KFD, and KFD init waits until the reset is completed. KFD init\nis called in the reset handler, but in this case, the zone device and\ndrm client is not initialized, causing app to create kernel panic.\n\nv2: Removing the init KFD condition from amdgpu_amdkfd_drm_client_create.\nAs the previous version has the potential of creating DRM client twice.\n\nv3: v2 patch results in SDMA engine hung as DRM open causes VM clear to SDMA\nbefore SDMA init. Adding the condition to in drm client creation, on top of v1,\nto guard against drm client creation call multiple times.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36022\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36022\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36022\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36022\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36022\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4f8154f775197d0021b690c2945d6a4d8094c8f6\",\n \"https://git.kernel.org/stable/c/f679fd6057fbf5ab34aaee28d58b7f81af0cbf48\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Init zone device and drm client after mode-1 reset on reload\\n\\nIn passthrough environment, when amdgpu is reloaded after unload, mode-1\\nis triggered after initializing the necessary IPs, That init does not\\ninclude KFD, and KFD init waits until the reset is completed. KFD init\\nis called in the reset handler, but in this case, the zone device and\\ndrm client is not initialized, causing app to create kernel panic.\\n\\nv2: Removing the init KFD condition from amdgpu_amdkfd_drm_client_create.\\nAs the previous version has the potential of creating DRM client twice.\\n\\nv3: v2 patch results in SDMA engine hung as DRM open causes VM clear to SDMA\\nbefore SDMA init. Adding the condition to in drm client creation, on top of v1,\\nto guard against drm client creation call multiple times.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36022\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36024", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36024" + }, + { + "url": "https://git.kernel.org/stable/c/2aac387445610d6dfd681f5214388e86f5677ef7" + }, + { + "url": "https://git.kernel.org/stable/c/6226a5aa77370329e01ee8abe50a95e60618ce97" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36024 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36024", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Disable idle reallow as part of command/gpint execution\n\n[Why]\nWorkaroud for a race condition where DMCUB is in the process of\ncommitting to IPS1 during the handshake causing us to miss the\ntransition into IPS2 and touch the INBOX1 RPTR causing a HW hang.\n\n[How]\nDisable the reallow to ensure that we have enough of a gap between entry\nand exit and we're not seeing back-to-back wake_and_executes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36024\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36024\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36024\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36024\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36024\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2aac387445610d6dfd681f5214388e86f5677ef7\",\n \"https://git.kernel.org/stable/c/6226a5aa77370329e01ee8abe50a95e60618ce97\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Disable idle reallow as part of command/gpint execution\\n\\n[Why]\\nWorkaroud for a race condition where DMCUB is in the process of\\ncommitting to IPS1 during the handshake causing us to miss the\\ntransition into IPS2 and touch the INBOX1 RPTR causing a HW hang.\\n\\n[How]\\nDisable the reallow to ensure that we have enough of a gap between entry\\nand exit and we're not seeing back-to-back wake_and_executes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36024\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36025", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36025" + }, + { + "url": "https://git.kernel.org/stable/c/4406e4176f47177f5e51b4cc7e6a7a2ff3dbfbbd" + }, + { + "url": "https://git.kernel.org/stable/c/60b87b5ecbe07d70897d35947b0bb3e76ccd1b3a" + }, + { + "url": "https://git.kernel.org/stable/c/8c820f7c8e9b46238d277c575392fe9930207aab" + }, + { + "url": "https://git.kernel.org/stable/c/9fc74e367be4247a5ac39bb8ec41eaa73fade510" + }, + { + "url": "https://git.kernel.org/stable/c/ea8ac95c22c93acecb710209a7fd10b851afe817" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36025 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36025", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix off by one in qla_edif_app_getstats()\n\nThe app_reply->elem[] array is allocated earlier in this function and it\nhas app_req.num_ports elements. Thus this > comparison needs to be >= to\nprevent memory corruption.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36025\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36025\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36025\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36025\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36025\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4406e4176f47177f5e51b4cc7e6a7a2ff3dbfbbd\",\n \"https://git.kernel.org/stable/c/60b87b5ecbe07d70897d35947b0bb3e76ccd1b3a\",\n \"https://git.kernel.org/stable/c/8c820f7c8e9b46238d277c575392fe9930207aab\",\n \"https://git.kernel.org/stable/c/9fc74e367be4247a5ac39bb8ec41eaa73fade510\",\n \"https://git.kernel.org/stable/c/ea8ac95c22c93acecb710209a7fd10b851afe817\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Fix off by one in qla_edif_app_getstats()\\n\\nThe app_reply->elem[] array is allocated earlier in this function and it\\nhas app_req.num_ports elements. Thus this > comparison needs to be >= to\\nprevent memory corruption.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36025\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36026", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36026" + }, + { + "url": "https://git.kernel.org/stable/c/1e3b8874d55c0c28378beb9007494a7a9269a5f5" + }, + { + "url": "https://git.kernel.org/stable/c/31729e8c21ecfd671458e02b6511eb68c2225113" + }, + { + "url": "https://git.kernel.org/stable/c/7521329e54931ede9e042bbf5f4f812b5bc4a01d" + }, + { + "url": "https://git.kernel.org/stable/c/bd9b94055c3deb2398ee4490c1dfdf03f53efb8f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36026 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36026", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11\n\nWhile doing multiple S4 stress tests, GC/RLC/PMFW get into\nan invalid state resulting into hard hangs.\n\nAdding a GFX reset as workaround just before sending the\nMP1_UNLOAD message avoids this failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36026\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36026\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36026\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36026\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36026\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e3b8874d55c0c28378beb9007494a7a9269a5f5\",\n \"https://git.kernel.org/stable/c/31729e8c21ecfd671458e02b6511eb68c2225113\",\n \"https://git.kernel.org/stable/c/7521329e54931ede9e042bbf5f4f812b5bc4a01d\",\n \"https://git.kernel.org/stable/c/bd9b94055c3deb2398ee4490c1dfdf03f53efb8f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11\\n\\nWhile doing multiple S4 stress tests, GC/RLC/PMFW get into\\nan invalid state resulting into hard hangs.\\n\\nAdding a GFX reset as workaround just before sending the\\nMP1_UNLOAD message avoids this failure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36026\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36029", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-116.126", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36029" + }, + { + "url": "https://git.kernel.org/stable/c/1200481cd6069d16ce20133bcd86f5825e26a045" + }, + { + "url": "https://git.kernel.org/stable/c/56b99a52229d7f8cd1f53d899f57aa7eb4b199af" + }, + { + "url": "https://git.kernel.org/stable/c/a957ea5aa3d3518067a1ba32c6127322ad348d20" + }, + { + "url": "https://git.kernel.org/stable/c/f653b04a818c490b045c97834d559911479aa1c5" + }, + { + "url": "https://git.kernel.org/stable/c/f8def10f73a516b771051a2f70f2f0446902cb4f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36029 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36029", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-msm: pervent access to suspended controller\n\nGeneric sdhci code registers LED device and uses host->runtime_suspended\nflag to protect access to it. The sdhci-msm driver doesn't set this flag,\nwhich causes a crash when LED is accessed while controller is runtime\nsuspended. Fix this by setting the flag correctly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36029\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36029\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36029\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-116.126\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36029\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36029\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1200481cd6069d16ce20133bcd86f5825e26a045\",\n \"https://git.kernel.org/stable/c/56b99a52229d7f8cd1f53d899f57aa7eb4b199af\",\n \"https://git.kernel.org/stable/c/a957ea5aa3d3518067a1ba32c6127322ad348d20\",\n \"https://git.kernel.org/stable/c/f653b04a818c490b045c97834d559911479aa1c5\",\n \"https://git.kernel.org/stable/c/f8def10f73a516b771051a2f70f2f0446902cb4f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmmc: sdhci-msm: pervent access to suspended controller\\n\\nGeneric sdhci code registers LED device and uses host->runtime_suspended\\nflag to protect access to it. The sdhci-msm driver doesn't set this flag,\\nwhich causes a crash when LED is accessed while controller is runtime\\nsuspended. Fix this by setting the flag correctly.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-116.126 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36029\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36031", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36031" + }, + { + "url": "https://git.kernel.org/stable/c/25777f3f4e1f371d16a594925f31e37ce07b6ec7" + }, + { + "url": "https://git.kernel.org/stable/c/939a08bcd4334bad4b201e60bd0ae1f278d71d41" + }, + { + "url": "https://git.kernel.org/stable/c/9da27fb65a14c18efd4473e2e82b76b53ba60252" + }, + { + "url": "https://git.kernel.org/stable/c/ad2011ea787928b2accb5134f1e423b11fe80a8a" + }, + { + "url": "https://git.kernel.org/stable/c/cc219cb8afbc40ec100c0de941047bb29373126a" + }, + { + "url": "https://git.kernel.org/stable/c/e4519a016650e952ad9eb27937f8c447d5a4e06d" + }, + { + "url": "https://git.kernel.org/stable/c/ed79b93f725cd0da39a265dc23d77add1527b9be" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36031 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36031", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nkeys: Fix overwrite of key expiration on instantiation\n\nThe expiry time of a key is unconditionally overwritten during\ninstantiation, defaulting to turn it permanent. This causes a problem\nfor DNS resolution as the expiration set by user-space is overwritten to\nTIME64_MAX, disabling further DNS updates. Fix this by restoring the\ncondition that key_set_expiry is only called when the pre-parser sets a\nspecific expiry.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36031\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36031\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36031\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36031\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36031\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25777f3f4e1f371d16a594925f31e37ce07b6ec7\",\n \"https://git.kernel.org/stable/c/939a08bcd4334bad4b201e60bd0ae1f278d71d41\",\n \"https://git.kernel.org/stable/c/9da27fb65a14c18efd4473e2e82b76b53ba60252\",\n \"https://git.kernel.org/stable/c/ad2011ea787928b2accb5134f1e423b11fe80a8a\",\n \"https://git.kernel.org/stable/c/cc219cb8afbc40ec100c0de941047bb29373126a\",\n \"https://git.kernel.org/stable/c/e4519a016650e952ad9eb27937f8c447d5a4e06d\",\n \"https://git.kernel.org/stable/c/ed79b93f725cd0da39a265dc23d77add1527b9be\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkeys: Fix overwrite of key expiration on instantiation\\n\\nThe expiry time of a key is unconditionally overwritten during\\ninstantiation, defaulting to turn it permanent. This causes a problem\\nfor DNS resolution as the expiration set by user-space is overwritten to\\nTIME64_MAX, disabling further DNS updates. Fix this by restoring the\\ncondition that key_set_expiry is only called when the pre-parser sets a\\nspecific expiry.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36031\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36032", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36032" + }, + { + "url": "https://git.kernel.org/stable/c/57062aa13e87b1a78a4a8f6cb5fab6ba24f5f488" + }, + { + "url": "https://git.kernel.org/stable/c/62d5550ab62042dcceaf18844d0feadbb962cffe" + }, + { + "url": "https://git.kernel.org/stable/c/6b63e0ef4d3ce0080395e5091fba2023f246c45a" + }, + { + "url": "https://git.kernel.org/stable/c/a571044cc0a0c944e7c12237b6768aeedd7480e1" + }, + { + "url": "https://git.kernel.org/stable/c/cda0d6a198e2a7ec6f176c36173a57bdd8af7af2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36032 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36032", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix info leak when fetching fw build id\n\nAdd the missing sanity checks and move the 255-byte build-id buffer off\nthe stack to avoid leaking stack data through debugfs in case the\nbuild-info reply is malformed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36032\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36032\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36032\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36032\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36032\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/57062aa13e87b1a78a4a8f6cb5fab6ba24f5f488\",\n \"https://git.kernel.org/stable/c/62d5550ab62042dcceaf18844d0feadbb962cffe\",\n \"https://git.kernel.org/stable/c/6b63e0ef4d3ce0080395e5091fba2023f246c45a\",\n \"https://git.kernel.org/stable/c/a571044cc0a0c944e7c12237b6768aeedd7480e1\",\n \"https://git.kernel.org/stable/c/cda0d6a198e2a7ec6f176c36173a57bdd8af7af2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: qca: fix info leak when fetching fw build id\\n\\nAdd the missing sanity checks and move the 255-byte build-id buffer off\\nthe stack to avoid leaking stack data through debugfs in case the\\nbuild-info reply is malformed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36032\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36244", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36244" + }, + { + "url": "https://git.kernel.org/stable/c/91f249b01fe490fce11fbb4307952ca8cce78724" + }, + { + "url": "https://git.kernel.org/stable/c/b939d1e04a90248b4cdf417b0969c270ceb992b2" + }, + { + "url": "https://git.kernel.org/stable/c/fb66df20a7201e60f2b13d7f95d031b31a8831d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36244 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36244", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: extend minimum interval restriction to entire cycle too\n\nIt is possible for syzbot to side-step the restriction imposed by the\nblamed commit in the Fixes: tag, because the taprio UAPI permits a\ncycle-time different from (and potentially shorter than) the sum of\nentry intervals.\n\nWe need one more restriction, which is that the cycle time itself must\nbe larger than N * ETH_ZLEN bit times, where N is the number of schedule\nentries. This restriction needs to apply regardless of whether the cycle\ntime came from the user or was the implicit, auto-calculated value, so\nwe move the existing \"cycle == 0\" check outside the \"if \"(!new->cycle_time)\"\nbranch. This way covers both conditions and scenarios.\n\nAdd a selftest which illustrates the issue triggered by syzbot.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36244\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36244\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36244\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36244\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36244\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/91f249b01fe490fce11fbb4307952ca8cce78724\",\n \"https://git.kernel.org/stable/c/b939d1e04a90248b4cdf417b0969c270ceb992b2\",\n \"https://git.kernel.org/stable/c/fb66df20a7201e60f2b13d7f95d031b31a8831d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: taprio: extend minimum interval restriction to entire cycle too\\n\\nIt is possible for syzbot to side-step the restriction imposed by the\\nblamed commit in the Fixes: tag, because the taprio UAPI permits a\\ncycle-time different from (and potentially shorter than) the sum of\\nentry intervals.\\n\\nWe need one more restriction, which is that the cycle time itself must\\nbe larger than N * ETH_ZLEN bit times, where N is the number of schedule\\nentries. This restriction needs to apply regardless of whether the cycle\\ntime came from the user or was the implicit, auto-calculated value, so\\nwe move the existing \\\"cycle == 0\\\" check outside the \\\"if \\\"(!new->cycle_time)\\\"\\nbranch. This way covers both conditions and scenarios.\\n\\nAdd a selftest which illustrates the issue triggered by syzbot.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36244\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36270", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36270" + }, + { + "url": "https://git.kernel.org/stable/c/07eeedafc59c45fe5de43958128542be3784764c" + }, + { + "url": "https://git.kernel.org/stable/c/10f0af5234dafd03d2b75233428ec3f11cf7e43d" + }, + { + "url": "https://git.kernel.org/stable/c/21a673bddc8fd4873c370caf9ae70ffc6d47e8d3" + }, + { + "url": "https://git.kernel.org/stable/c/570b4c52096e62fda562448f5760fd0ff06110f0" + }, + { + "url": "https://git.kernel.org/stable/c/6fe5af4ff06db3d4d80e07a19356640428159f03" + }, + { + "url": "https://git.kernel.org/stable/c/819bfeca16eb9ad647ddcae25e7e12c30612147c" + }, + { + "url": "https://git.kernel.org/stable/c/caf3a8afb5ea00db6d5398adf148d5534615fd80" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36270 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36270", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: tproxy: bail out if IP has been disabled on the device\n\nsyzbot reports:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n[..]\nRIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62\nCall Trace:\n nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]\n nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168\n\n__in_dev_get_rcu() can return NULL, so check for this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36270\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36270\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36270\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36270\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36270\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07eeedafc59c45fe5de43958128542be3784764c\",\n \"https://git.kernel.org/stable/c/10f0af5234dafd03d2b75233428ec3f11cf7e43d\",\n \"https://git.kernel.org/stable/c/21a673bddc8fd4873c370caf9ae70ffc6d47e8d3\",\n \"https://git.kernel.org/stable/c/570b4c52096e62fda562448f5760fd0ff06110f0\",\n \"https://git.kernel.org/stable/c/6fe5af4ff06db3d4d80e07a19356640428159f03\",\n \"https://git.kernel.org/stable/c/819bfeca16eb9ad647ddcae25e7e12c30612147c\",\n \"https://git.kernel.org/stable/c/caf3a8afb5ea00db6d5398adf148d5534615fd80\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: tproxy: bail out if IP has been disabled on the device\\n\\nsyzbot reports:\\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\\n[..]\\nRIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62\\nCall Trace:\\n nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]\\n nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168\\n\\n__in_dev_get_rcu() can return NULL, so check for this.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36270\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36286", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36286" + }, + { + "url": "https://git.kernel.org/stable/c/215df6490e208bfdd5b3012f5075e7f8736f3e7a" + }, + { + "url": "https://git.kernel.org/stable/c/25ea5377e3d2921a0f96ae2551f5ab1b36825dd4" + }, + { + "url": "https://git.kernel.org/stable/c/3989b817857f4890fab9379221a9d3f52bf5c256" + }, + { + "url": "https://git.kernel.org/stable/c/68f40354a3851df46c27be96b84f11ae193e36c5" + }, + { + "url": "https://git.kernel.org/stable/c/8658bd777cbfcb0c13df23d0ea120e70517761b9" + }, + { + "url": "https://git.kernel.org/stable/c/8f365564af898819a523f1a8cf5c6ce053e9f718" + }, + { + "url": "https://git.kernel.org/stable/c/dc21c6cc3d6986d938efbf95de62473982c98dec" + }, + { + "url": "https://git.kernel.org/stable/c/e01065b339e323b3dfa1be217fd89e9b3208b0ab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36286 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36286", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()\n\nsyzbot reported that nf_reinject() could be called without rcu_read_lock() :\n\nWARNING: suspicious RCU usage\n6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted\n\nnet/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by syz-executor.4/13427:\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172\n\nstack backtrace:\nCPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]\n nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397\n nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]\n instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172\n rcu_do_batch kernel/rcu/tree.c:2196 [inline]\n rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471\n handle_softirqs+0x2d6/0x990 kernel/softirq.c:554\n __do_softirq kernel/softirq.c:588 [inline]\n invoke_softirq kernel/softirq.c:428 [inline]\n __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:649\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n \n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36286\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36286\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36286\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36286\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36286\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/215df6490e208bfdd5b3012f5075e7f8736f3e7a\",\n \"https://git.kernel.org/stable/c/25ea5377e3d2921a0f96ae2551f5ab1b36825dd4\",\n \"https://git.kernel.org/stable/c/3989b817857f4890fab9379221a9d3f52bf5c256\",\n \"https://git.kernel.org/stable/c/68f40354a3851df46c27be96b84f11ae193e36c5\",\n \"https://git.kernel.org/stable/c/8658bd777cbfcb0c13df23d0ea120e70517761b9\",\n \"https://git.kernel.org/stable/c/8f365564af898819a523f1a8cf5c6ce053e9f718\",\n \"https://git.kernel.org/stable/c/dc21c6cc3d6986d938efbf95de62473982c98dec\",\n \"https://git.kernel.org/stable/c/e01065b339e323b3dfa1be217fd89e9b3208b0ab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()\\n\\nsyzbot reported that nf_reinject() could be called without rcu_read_lock() :\\n\\nWARNING: suspicious RCU usage\\n6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted\\n\\nnet/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!\\n\\nother info that might help us debug this:\\n\\nrcu_scheduler_active = 2, debug_locks = 1\\n2 locks held by syz-executor.4/13427:\\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]\\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]\\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471\\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]\\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172\\n\\nstack backtrace:\\nCPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\\n nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]\\n nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397\\n nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]\\n instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172\\n rcu_do_batch kernel/rcu/tree.c:2196 [inline]\\n rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471\\n handle_softirqs+0x2d6/0x990 kernel/softirq.c:554\\n __do_softirq kernel/softirq.c:588 [inline]\\n invoke_softirq kernel/softirq.c:428 [inline]\\n __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637\\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:649\\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\\n \\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36286\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36478", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36478" + }, + { + "url": "https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47" + }, + { + "url": "https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36478 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36478", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\n\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\n\nTest script:\n\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\n\nTest result:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n \n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\n\nThis is because del_gendisk() can concurrent with\nblk_mq_update_nr_hw_queues():\n\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t if (!dev->nullb)\n\t\t\t\t // still set while gendisk is deleted\n\t\t\t\t return 0\n\t\t\t\t blk_mq_update_nr_hw_queues\n dev->nullb = NULL\n\nFix this problem by resuing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36478\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36478\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36478\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36478\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36478\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47\",\n \"https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\\n\\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\\npanic:\\n\\nTest script:\\n\\nmodprobe null_blk nr_devices=0\\nmkdir -p /sys/kernel/config/nullb/nullb0\\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\\nwhile true; do echo 1 > power; echo 0 > power; done\\n\\nTest result:\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000148\\nOops: 0000 [#1] PREEMPT SMP\\nRIP: 0010:__lock_acquire+0x41d/0x28f0\\nCall Trace:\\n \\n lock_acquire+0x121/0x450\\n down_write+0x5f/0x1d0\\n simple_recursive_removal+0x12f/0x5c0\\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\\n blk_mq_update_nr_hw_queues+0x4a3/0x720\\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\\n configfs_write_iter+0x119/0x1e0\\n vfs_write+0x326/0x730\\n ksys_write+0x74/0x150\\n\\nThis is because del_gendisk() can concurrent with\\nblk_mq_update_nr_hw_queues():\\n\\nnullb_device_power_store\\tnullb_apply_submit_queues\\n null_del_dev\\n del_gendisk\\n\\t\\t\\t\\t nullb_update_nr_hw_queues\\n\\t\\t\\t\\t if (!dev->nullb)\\n\\t\\t\\t\\t // still set while gendisk is deleted\\n\\t\\t\\t\\t return 0\\n\\t\\t\\t\\t blk_mq_update_nr_hw_queues\\n dev->nullb = NULL\\n\\nFix this problem by resuing the global mutex to protect\\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36478\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36479", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36479" + }, + { + "url": "https://git.kernel.org/stable/c/1da11f822042eb6ef4b6064dc048f157a7852529" + }, + { + "url": "https://git.kernel.org/stable/c/6896b6b2e2d9ec4e1b0acb4c1698a75a4b34d125" + }, + { + "url": "https://git.kernel.org/stable/c/d7c4081c54a1d4068de9440957303a76f9e5c95b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36479 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36479", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: bridge: add owner module and take its refcount\n\nThe current implementation of the fpga bridge assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the bridge if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_bridge\nstruct and use it to take the module's refcount. Modify the function for\nregistering a bridge to take an additional owner module parameter and\nrename it to avoid conflicts. Use the old function name for a helper macro\nthat automatically sets the module that registers the bridge as the owner.\nThis ensures compatibility with existing low-level control modules and\nreduces the chances of registering a bridge without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga bridge.\n\nOther changes: opportunistically move put_device() from __fpga_bridge_get()\nto fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity since\nthe bridge device is taken in these functions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36479\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36479\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36479\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36479\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36479\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1da11f822042eb6ef4b6064dc048f157a7852529\",\n \"https://git.kernel.org/stable/c/6896b6b2e2d9ec4e1b0acb4c1698a75a4b34d125\",\n \"https://git.kernel.org/stable/c/d7c4081c54a1d4068de9440957303a76f9e5c95b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfpga: bridge: add owner module and take its refcount\\n\\nThe current implementation of the fpga bridge assumes that the low-level\\nmodule registers a driver for the parent device and uses its owner pointer\\nto take the module's refcount. This approach is problematic since it can\\nlead to a null pointer dereference while attempting to get the bridge if\\nthe parent device does not have a driver.\\n\\nTo address this problem, add a module owner pointer to the fpga_bridge\\nstruct and use it to take the module's refcount. Modify the function for\\nregistering a bridge to take an additional owner module parameter and\\nrename it to avoid conflicts. Use the old function name for a helper macro\\nthat automatically sets the module that registers the bridge as the owner.\\nThis ensures compatibility with existing low-level control modules and\\nreduces the chances of registering a bridge without setting the owner.\\n\\nAlso, update the documentation to keep it consistent with the new interface\\nfor registering an fpga bridge.\\n\\nOther changes: opportunistically move put_device() from __fpga_bridge_get()\\nto fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity since\\nthe bridge device is taken in these functions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36479\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36484", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36484" + }, + { + "url": "https://git.kernel.org/stable/c/21c14c556cccd0cb54b71ec5e901e64ba84c7165" + }, + { + "url": "https://git.kernel.org/stable/c/26afda78cda3da974fd4c287962c169e9462c495" + }, + { + "url": "https://git.kernel.org/stable/c/59801e88c99f7c3f44a4d20af6ba6417aa359b5d" + }, + { + "url": "https://git.kernel.org/stable/c/5f9a04a94fd1894d7009055ab8e5832a0242dba3" + }, + { + "url": "https://git.kernel.org/stable/c/6e03006548c66b979f4e5e9fc797aac4dad82822" + }, + { + "url": "https://git.kernel.org/stable/c/7de00adc9bd035d861ba4177848ca0bfa5ed1e04" + }, + { + "url": "https://git.kernel.org/stable/c/87bdc9f6f58b4417362d6932b49b828e319f97dc" + }, + { + "url": "https://git.kernel.org/stable/c/c09ddc605893df542c6cf8dde6a57a93f7cf0adb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36484 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36484", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: relax socket state check at accept time.\n\nChristoph reported the following splat:\n\nWARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0\nModules linked in:\nCPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nRIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759\nCode: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80\nRSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293\nRAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64\nR10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000\nR13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800\nFS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786\n do_accept+0x435/0x620 net/socket.c:1929\n __sys_accept4_file net/socket.c:1969 [inline]\n __sys_accept4+0x9b/0x110 net/socket.c:1999\n __do_sys_accept net/socket.c:2016 [inline]\n __se_sys_accept net/socket.c:2013 [inline]\n __x64_sys_accept+0x7d/0x90 net/socket.c:2013\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x4315f9\nCode: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b\nRAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300\nR10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055\n \n\nThe reproducer invokes shutdown() before entering the listener status.\nAfter commit 94062790aedb (\"tcp: defer shutdown(SEND_SHUTDOWN) for\nTCP_SYN_RECV sockets\"), the above causes the child to reach the accept\nsyscall in FIN_WAIT1 status.\n\nEric noted we can relax the existing assertion in __inet_accept()", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36484\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36484\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36484\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36484\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36484\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21c14c556cccd0cb54b71ec5e901e64ba84c7165\",\n \"https://git.kernel.org/stable/c/26afda78cda3da974fd4c287962c169e9462c495\",\n \"https://git.kernel.org/stable/c/59801e88c99f7c3f44a4d20af6ba6417aa359b5d\",\n \"https://git.kernel.org/stable/c/5f9a04a94fd1894d7009055ab8e5832a0242dba3\",\n \"https://git.kernel.org/stable/c/6e03006548c66b979f4e5e9fc797aac4dad82822\",\n \"https://git.kernel.org/stable/c/7de00adc9bd035d861ba4177848ca0bfa5ed1e04\",\n \"https://git.kernel.org/stable/c/87bdc9f6f58b4417362d6932b49b828e319f97dc\",\n \"https://git.kernel.org/stable/c/c09ddc605893df542c6cf8dde6a57a93f7cf0adb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: relax socket state check at accept time.\\n\\nChristoph reported the following splat:\\n\\nWARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0\\nModules linked in:\\nCPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\\nRIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759\\nCode: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80\\nRSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293\\nRAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000\\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\\nRBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64\\nR10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000\\nR13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800\\nFS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nPKRU: 55555554\\nCall Trace:\\n \\n inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786\\n do_accept+0x435/0x620 net/socket.c:1929\\n __sys_accept4_file net/socket.c:1969 [inline]\\n __sys_accept4+0x9b/0x110 net/socket.c:1999\\n __do_sys_accept net/socket.c:2016 [inline]\\n __se_sys_accept net/socket.c:2013 [inline]\\n __x64_sys_accept+0x7d/0x90 net/socket.c:2013\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\nRIP: 0033:0x4315f9\\nCode: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00\\nRSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b\\nRAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9\\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004\\nRBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300\\nR10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000\\nR13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055\\n \\n\\nThe reproducer invokes shutdown() before entering the listener status.\\nAfter commit 94062790aedb (\\\"tcp: defer shutdown(SEND_SHUTDOWN) for\\nTCP_SYN_RECV sockets\\\"), the above causes the child to reach the accept\\nsyscall in FIN_WAIT1 status.\\n\\nEric noted we can relax the existing assertion in __inet_accept()\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36484\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36489", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36489" + }, + { + "url": "https://git.kernel.org/stable/c/2c260a24cf1c4d30ea3646124f766ee46169280b" + }, + { + "url": "https://git.kernel.org/stable/c/335c8f1566d8e44c384d16b450a18554896d4e8b" + }, + { + "url": "https://git.kernel.org/stable/c/91e61dd7a0af660408e87372d8330ceb218be302" + }, + { + "url": "https://git.kernel.org/stable/c/ab67c2fd3d070a21914d0c31319d3858ab4e199c" + }, + { + "url": "https://git.kernel.org/stable/c/d72e126e9a36d3d33889829df8fc90100bb0e071" + }, + { + "url": "https://git.kernel.org/stable/c/ef21007a7b581c7fe64d5a10c320880a033c837b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36489 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36489", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix missing memory barrier in tls_init\n\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\n\nCPU0 CPU1\n----- -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\n\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots) -(2)\n\n // In sock_common_setsockopt()\n READ_ONCE(sk->sk_prot)->setsockopt()\n\n // In tls_{setsockopt,getsockopt}()\n ctx->sk_proto->setsockopt() -(3)\n\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\n\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36489\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36489\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36489\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36489\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36489\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c260a24cf1c4d30ea3646124f766ee46169280b\",\n \"https://git.kernel.org/stable/c/335c8f1566d8e44c384d16b450a18554896d4e8b\",\n \"https://git.kernel.org/stable/c/91e61dd7a0af660408e87372d8330ceb218be302\",\n \"https://git.kernel.org/stable/c/ab67c2fd3d070a21914d0c31319d3858ab4e199c\",\n \"https://git.kernel.org/stable/c/d72e126e9a36d3d33889829df8fc90100bb0e071\",\n \"https://git.kernel.org/stable/c/ef21007a7b581c7fe64d5a10c320880a033c837b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntls: fix missing memory barrier in tls_init\\n\\nIn tls_init(), a write memory barrier is missing, and store-store\\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\\n\\nCPU0 CPU1\\n----- -----\\n// In tls_init()\\n// In tls_ctx_create()\\nctx = kzalloc()\\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\\n\\n// In update_sk_prot()\\nWRITE_ONCE(sk->sk_prot, tls_prots) -(2)\\n\\n // In sock_common_setsockopt()\\n READ_ONCE(sk->sk_prot)->setsockopt()\\n\\n // In tls_{setsockopt,getsockopt}()\\n ctx->sk_proto->setsockopt() -(3)\\n\\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\\nthe NULL value of ctx->sk_proto, causing NULL dereference.\\n\\nTo fix it, we rely on rcu_assign_pointer() which implies the release\\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\\ninitialized, we can ensure that ctx->sk_proto are visible when\\nchanging sk->sk_prot.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36489\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36880", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36880" + }, + { + "url": "https://git.kernel.org/stable/c/02f05ed44b71152d5e11d29be28aed91c0489b4e" + }, + { + "url": "https://git.kernel.org/stable/c/1caceadfb50432dbf6d808796cb6c34ebb6d662c" + }, + { + "url": "https://git.kernel.org/stable/c/2e4edfa1e2bd821a317e7d006517dcf2f3fac68d" + }, + { + "url": "https://git.kernel.org/stable/c/427281f9498ed614f9aabc80e46ec077c487da6d" + }, + { + "url": "https://git.kernel.org/stable/c/ed53949cc92e28aaa3463d246942bda1fbb7f307" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36880 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36880", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: add missing firmware sanity checks\n\nAdd the missing sanity checks when parsing the firmware files before\ndownloading them to avoid accessing and corrupting memory beyond the\nvmalloced buffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36880\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36880\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36880\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36880\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36880\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02f05ed44b71152d5e11d29be28aed91c0489b4e\",\n \"https://git.kernel.org/stable/c/1caceadfb50432dbf6d808796cb6c34ebb6d662c\",\n \"https://git.kernel.org/stable/c/2e4edfa1e2bd821a317e7d006517dcf2f3fac68d\",\n \"https://git.kernel.org/stable/c/427281f9498ed614f9aabc80e46ec077c487da6d\",\n \"https://git.kernel.org/stable/c/ed53949cc92e28aaa3463d246942bda1fbb7f307\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: qca: add missing firmware sanity checks\\n\\nAdd the missing sanity checks when parsing the firmware files before\\ndownloading them to avoid accessing and corrupting memory beyond the\\nvmalloced buffer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36880\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36883", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36883" + }, + { + "url": "https://git.kernel.org/stable/c/0c3248bc708a7797be573214065cf908ff1f54c7" + }, + { + "url": "https://git.kernel.org/stable/c/2d60ff5874aefd006717ca5e22ac1e25eac29c42" + }, + { + "url": "https://git.kernel.org/stable/c/3cdc34d76c4f777579e28ad373979d36c030cfd3" + }, + { + "url": "https://git.kernel.org/stable/c/7b0e64583eab8c1d896b47e5dd0bf2e7d86ec41f" + }, + { + "url": "https://git.kernel.org/stable/c/9518b79bfd2fbf99fa9b7e8e36bcb1825e7ba030" + }, + { + "url": "https://git.kernel.org/stable/c/a26ff37e624d12e28077e5b24d2b264f62764ad6" + }, + { + "url": "https://git.kernel.org/stable/c/b6dbfd5bcc267a95a0bf1bf96af46243f96ec6cd" + }, + { + "url": "https://git.kernel.org/stable/c/f4f94587e1bf87cb40ec33955a9d90148dd026ab" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36883 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36883", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix out-of-bounds access in ops_init\n\nnet_alloc_generic is called by net_alloc, which is called without any\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\nis read twice, first to allocate an array, then to set s.len, which is\nlater used to limit the bounds of the array access.\n\nIt is possible that the array is allocated and another thread is\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\nto set s.len with a larger than allocated length for the variable array.\n\nFix it by reading max_gen_ptrs only once in net_alloc_generic. If\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36883\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36883\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36883\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36883\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36883\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c3248bc708a7797be573214065cf908ff1f54c7\",\n \"https://git.kernel.org/stable/c/2d60ff5874aefd006717ca5e22ac1e25eac29c42\",\n \"https://git.kernel.org/stable/c/3cdc34d76c4f777579e28ad373979d36c030cfd3\",\n \"https://git.kernel.org/stable/c/7b0e64583eab8c1d896b47e5dd0bf2e7d86ec41f\",\n \"https://git.kernel.org/stable/c/9518b79bfd2fbf99fa9b7e8e36bcb1825e7ba030\",\n \"https://git.kernel.org/stable/c/a26ff37e624d12e28077e5b24d2b264f62764ad6\",\n \"https://git.kernel.org/stable/c/b6dbfd5bcc267a95a0bf1bf96af46243f96ec6cd\",\n \"https://git.kernel.org/stable/c/f4f94587e1bf87cb40ec33955a9d90148dd026ab\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: fix out-of-bounds access in ops_init\\n\\nnet_alloc_generic is called by net_alloc, which is called without any\\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\\nis read twice, first to allocate an array, then to set s.len, which is\\nlater used to limit the bounds of the array access.\\n\\nIt is possible that the array is allocated and another thread is\\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\\nto set s.len with a larger than allocated length for the variable array.\\n\\nFix it by reading max_gen_ptrs only once in net_alloc_generic. If\\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36883\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36885", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36885" + }, + { + "url": "https://git.kernel.org/stable/c/1a88c18da464db0ba8ea25196d0a06490f65322e" + }, + { + "url": "https://git.kernel.org/stable/c/52a6947bf576b97ff8e14bb0a31c5eaf2d0d96e2" + }, + { + "url": "https://git.kernel.org/stable/c/e05af009302893f39b072811a68fa4a196284c75" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36885 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36885", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor()\n\nCurrently, enabling SG_DEBUG in the kernel will cause nouveau to hit a\nBUG() on startup:\n\n kernel BUG at include/linux/scatterlist.h:187!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30\n Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019\n RIP: 0010:sg_init_one+0x85/0xa0\n Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54\n 24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b\n 0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00\n RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b\n RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000\n RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508\n R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018\n FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0\n Call Trace:\n \n ? die+0x36/0x90\n ? do_trap+0xdd/0x100\n ? sg_init_one+0x85/0xa0\n ? do_error_trap+0x65/0x80\n ? sg_init_one+0x85/0xa0\n ? exc_invalid_op+0x50/0x70\n ? sg_init_one+0x85/0xa0\n ? asm_exc_invalid_op+0x1a/0x20\n ? sg_init_one+0x85/0xa0\n nvkm_firmware_ctor+0x14a/0x250 [nouveau]\n nvkm_falcon_fw_ctor+0x42/0x70 [nouveau]\n ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau]\n r535_gsp_oneinit+0xb3/0x15f0 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? nvkm_udevice_new+0x95/0x140 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? ktime_get+0x47/0xb0\n ? srso_return_thunk+0x5/0x5f\n nvkm_subdev_oneinit_+0x4f/0x120 [nouveau]\n nvkm_subdev_init_+0x39/0x140 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n nvkm_subdev_init+0x44/0x90 [nouveau]\n nvkm_device_init+0x166/0x2e0 [nouveau]\n nvkm_udevice_init+0x47/0x70 [nouveau]\n nvkm_object_init+0x41/0x1c0 [nouveau]\n nvkm_ioctl_new+0x16a/0x290 [nouveau]\n ? __pfx_nvkm_client_child_new+0x10/0x10 [nouveau]\n ? __pfx_nvkm_udevice_new+0x10/0x10 [nouveau]\n nvkm_ioctl+0x126/0x290 [nouveau]\n nvif_object_ctor+0x112/0x190 [nouveau]\n nvif_device_ctor+0x23/0x60 [nouveau]\n nouveau_cli_init+0x164/0x640 [nouveau]\n nouveau_drm_device_init+0x97/0x9e0 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? pci_update_current_state+0x72/0xb0\n ? srso_return_thunk+0x5/0x5f\n nouveau_drm_probe+0x12c/0x280 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n local_pci_probe+0x45/0xa0\n pci_device_probe+0xc7/0x270\n really_probe+0xe6/0x3a0\n __driver_probe_device+0x87/0x160\n driver_probe_device+0x1f/0xc0\n __driver_attach+0xec/0x1f0\n ? __pfx___driver_attach+0x10/0x10\n bus_for_each_dev+0x88/0xd0\n bus_add_driver+0x116/0x220\n driver_register+0x59/0x100\n ? __pfx_nouveau_drm_init+0x10/0x10 [nouveau]\n do_one_initcall+0x5b/0x320\n do_init_module+0x60/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x120/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x83/0x160\n ? srso_return_thunk+0x5/0x5f\n entry_SYSCALL_64_after_hwframe+0x71/0x79\n RIP: 0033:0x7feeb5cc20cd\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0\n ff ff 73 01 c3 48 8b 0d 1b cd 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffcf220b2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 000055fdd2916aa0 RCX: 00007feeb5cc20cd\n RDX: 0000000000000000 RSI: 000055fdd29161e0 RDI: 0000000000000035\n RBP: 00007ffcf220b380 R08: 00007feeb5d8fb20 R09: 00007ffcf220b310\n R10: 000055fdd2909dc0 R11: 0000000000000246 R12: 000055\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36885\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36885\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36885\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36885\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36885\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a88c18da464db0ba8ea25196d0a06490f65322e\",\n \"https://git.kernel.org/stable/c/52a6947bf576b97ff8e14bb0a31c5eaf2d0d96e2\",\n \"https://git.kernel.org/stable/c/e05af009302893f39b072811a68fa4a196284c75\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor()\\n\\nCurrently, enabling SG_DEBUG in the kernel will cause nouveau to hit a\\nBUG() on startup:\\n\\n kernel BUG at include/linux/scatterlist.h:187!\\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30\\n Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019\\n RIP: 0010:sg_init_one+0x85/0xa0\\n Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54\\n 24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b\\n 0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00\\n RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246\\n RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b\\n RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000\\n RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000\\n R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508\\n R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018\\n FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0\\n Call Trace:\\n \\n ? die+0x36/0x90\\n ? do_trap+0xdd/0x100\\n ? sg_init_one+0x85/0xa0\\n ? do_error_trap+0x65/0x80\\n ? sg_init_one+0x85/0xa0\\n ? exc_invalid_op+0x50/0x70\\n ? sg_init_one+0x85/0xa0\\n ? asm_exc_invalid_op+0x1a/0x20\\n ? sg_init_one+0x85/0xa0\\n nvkm_firmware_ctor+0x14a/0x250 [nouveau]\\n nvkm_falcon_fw_ctor+0x42/0x70 [nouveau]\\n ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau]\\n r535_gsp_oneinit+0xb3/0x15f0 [nouveau]\\n ? srso_return_thunk+0x5/0x5f\\n ? srso_return_thunk+0x5/0x5f\\n ? nvkm_udevice_new+0x95/0x140 [nouveau]\\n ? srso_return_thunk+0x5/0x5f\\n ? srso_return_thunk+0x5/0x5f\\n ? ktime_get+0x47/0xb0\\n ? srso_return_thunk+0x5/0x5f\\n nvkm_subdev_oneinit_+0x4f/0x120 [nouveau]\\n nvkm_subdev_init_+0x39/0x140 [nouveau]\\n ? srso_return_thunk+0x5/0x5f\\n nvkm_subdev_init+0x44/0x90 [nouveau]\\n nvkm_device_init+0x166/0x2e0 [nouveau]\\n nvkm_udevice_init+0x47/0x70 [nouveau]\\n nvkm_object_init+0x41/0x1c0 [nouveau]\\n nvkm_ioctl_new+0x16a/0x290 [nouveau]\\n ? __pfx_nvkm_client_child_new+0x10/0x10 [nouveau]\\n ? __pfx_nvkm_udevice_new+0x10/0x10 [nouveau]\\n nvkm_ioctl+0x126/0x290 [nouveau]\\n nvif_object_ctor+0x112/0x190 [nouveau]\\n nvif_device_ctor+0x23/0x60 [nouveau]\\n nouveau_cli_init+0x164/0x640 [nouveau]\\n nouveau_drm_device_init+0x97/0x9e0 [nouveau]\\n ? srso_return_thunk+0x5/0x5f\\n ? pci_update_current_state+0x72/0xb0\\n ? srso_return_thunk+0x5/0x5f\\n nouveau_drm_probe+0x12c/0x280 [nouveau]\\n ? srso_return_thunk+0x5/0x5f\\n local_pci_probe+0x45/0xa0\\n pci_device_probe+0xc7/0x270\\n really_probe+0xe6/0x3a0\\n __driver_probe_device+0x87/0x160\\n driver_probe_device+0x1f/0xc0\\n __driver_attach+0xec/0x1f0\\n ? __pfx___driver_attach+0x10/0x10\\n bus_for_each_dev+0x88/0xd0\\n bus_add_driver+0x116/0x220\\n driver_register+0x59/0x100\\n ? __pfx_nouveau_drm_init+0x10/0x10 [nouveau]\\n do_one_initcall+0x5b/0x320\\n do_init_module+0x60/0x250\\n init_module_from_file+0x86/0xc0\\n idempotent_init_module+0x120/0x2b0\\n __x64_sys_finit_module+0x5e/0xb0\\n do_syscall_64+0x83/0x160\\n ? srso_return_thunk+0x5/0x5f\\n entry_SYSCALL_64_after_hwframe+0x71/0x79\\n RIP: 0033:0x7feeb5cc20cd\\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89\\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0\\n ff ff 73 01 c3 48 8b 0d 1b cd 0c 00 f7 d8 64 89 01 48\\n RSP: 002b:00007ffcf220b2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\\n RAX: ffffffffffffffda RBX: 000055fdd2916aa0 RCX: 00007feeb5cc20cd\\n RDX: 0000000000000000 RSI: 000055fdd29161e0 RDI: 0000000000000035\\n RBP: 00007ffcf220b380 R08: 00007feeb5d8fb20 R09: 00007ffcf220b310\\n R10: 000055fdd2909dc0 R11: 0000000000000246 R12: 000055\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36885\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36886", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36886" + }, + { + "url": "https://git.kernel.org/stable/c/080cbb890286cd794f1ee788bbc5463e2deb7c2b" + }, + { + "url": "https://git.kernel.org/stable/c/21ea04aad8a0839b4ec27ef1691ca480620e8e14" + }, + { + "url": "https://git.kernel.org/stable/c/367766ff9e407f8a68409b7ce4dc4d5a72afeab1" + }, + { + "url": "https://git.kernel.org/stable/c/66116556076f0b96bc1aa9844008c743c8c67684" + }, + { + "url": "https://git.kernel.org/stable/c/93bc2d6d16f2c3178736ba6b845b30475856dc40" + }, + { + "url": "https://git.kernel.org/stable/c/a0fbb26f8247e326a320e2cb4395bfb234332c90" + }, + { + "url": "https://git.kernel.org/stable/c/e19ec8ab0e25bc4803d7cc91c84e84532e2781bd" + }, + { + "url": "https://git.kernel.org/stable/c/ffd4917c1edb3c3ff334fce3704fbe9c39f35682" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36886 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36886", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix UAF in error path\n\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\na UAF in the tipc_buf_append() error path:\n\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\nlinux/net/core/skbuff.c:1183\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\n\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.0-debian-1.16.0-5 04/01/2014\nCall Trace:\n \n __dump_stack linux/lib/dump_stack.c:88\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\n print_address_description linux/mm/kasan/report.c:377\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\n skb_release_all linux/net/core/skbuff.c:1094\n __kfree_skb linux/net/core/skbuff.c:1108\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\n kfree_skb linux/./include/linux/skbuff.h:1244\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\n dst_input linux/./include/net/dst.h:461\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\n napi_poll linux/net/core/dev.c:6645\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\n do_softirq linux/kernel/softirq.c:454\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\n \n \n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\n local_bh_enable linux/./include/linux/bottom_half.h:33\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\n neigh_hh_output linux/./include/net/neighbour.h:526\n neigh_output linux/./include/net/neighbour.h:540\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\n __ip_finish_output linux/net/ipv4/ip_output.c:313\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\n dst_output linux/./include/net/dst.h:451\n ip_local_out linux/net/ipv4/ip_output.c:129\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\n sock_sendmsg_nosec linux/net/socket.c:730\n __sock_sendmsg linux/net/socket.c:745\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\n __do_sys_sendto linux/net/socket.c:2203\n __se_sys_sendto linux/net/socket.c:2199\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\n do_syscall_x64 linux/arch/x86/entry/common.c:52\n do_syscall_\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36886\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36886\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36886\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36886\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36886\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/080cbb890286cd794f1ee788bbc5463e2deb7c2b\",\n \"https://git.kernel.org/stable/c/21ea04aad8a0839b4ec27ef1691ca480620e8e14\",\n \"https://git.kernel.org/stable/c/367766ff9e407f8a68409b7ce4dc4d5a72afeab1\",\n \"https://git.kernel.org/stable/c/66116556076f0b96bc1aa9844008c743c8c67684\",\n \"https://git.kernel.org/stable/c/93bc2d6d16f2c3178736ba6b845b30475856dc40\",\n \"https://git.kernel.org/stable/c/a0fbb26f8247e326a320e2cb4395bfb234332c90\",\n \"https://git.kernel.org/stable/c/e19ec8ab0e25bc4803d7cc91c84e84532e2781bd\",\n \"https://git.kernel.org/stable/c/ffd4917c1edb3c3ff334fce3704fbe9c39f35682\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: fix UAF in error path\\n\\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\\na UAF in the tipc_buf_append() error path:\\n\\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\\nlinux/net/core/skbuff.c:1183\\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\\n\\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\\n1.16.0-debian-1.16.0-5 04/01/2014\\nCall Trace:\\n \\n __dump_stack linux/lib/dump_stack.c:88\\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\\n print_address_description linux/mm/kasan/report.c:377\\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\\n skb_release_all linux/net/core/skbuff.c:1094\\n __kfree_skb linux/net/core/skbuff.c:1108\\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\\n kfree_skb linux/./include/linux/skbuff.h:1244\\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\\n NF_HOOK linux/./include/linux/netfilter.h:314\\n NF_HOOK linux/./include/linux/netfilter.h:308\\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\\n dst_input linux/./include/net/dst.h:461\\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\\n NF_HOOK linux/./include/linux/netfilter.h:314\\n NF_HOOK linux/./include/linux/netfilter.h:308\\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\\n napi_poll linux/net/core/dev.c:6645\\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\\n do_softirq linux/kernel/softirq.c:454\\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\\n \\n \\n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\\n local_bh_enable linux/./include/linux/bottom_half.h:33\\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\\n neigh_hh_output linux/./include/net/neighbour.h:526\\n neigh_output linux/./include/net/neighbour.h:540\\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\\n __ip_finish_output linux/net/ipv4/ip_output.c:313\\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\\n dst_output linux/./include/net/dst.h:451\\n ip_local_out linux/net/ipv4/ip_output.c:129\\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\\n sock_sendmsg_nosec linux/net/socket.c:730\\n __sock_sendmsg linux/net/socket.c:745\\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\\n __do_sys_sendto linux/net/socket.c:2203\\n __se_sys_sendto linux/net/socket.c:2199\\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\\n do_syscall_x64 linux/arch/x86/entry/common.c:52\\n do_syscall_\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.1,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36886\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36889", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36889" + }, + { + "url": "https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012" + }, + { + "url": "https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe" + }, + { + "url": "https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4" + }, + { + "url": "https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f" + }, + { + "url": "https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193" + }, + { + "url": "https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36889 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36889", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_nxt is properly initialized on connect\n\nChristoph reported a splat hinting at a corrupted snd_una:\n\n WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n Modules linked in:\n CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n Workqueue: events mptcp_worker\n RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\n \t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\n \t<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\n RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\n RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\n R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\n FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\n Call Trace:\n \n __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\n mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\n __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\n mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\n process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\n process_scheduled_works kernel/workqueue.c:3335 [inline]\n worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\n kthread+0x121/0x170 kernel/kthread.c:388\n ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n \n\nWhen fallback to TCP happens early on a client socket, snd_nxt\nis not yet initialized and any incoming ack will copy such value\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\nre-injection after such ack, that would unconditionally trigger a send\nbuffer cleanup using 'bad' snd_una values.\n\nWe could easily disable re-injection for fallback sockets, but such\ndumb behavior already helped catching a few subtle issues and a very\nlow to zero impact in practice.\n\nInstead address the issue always initializing snd_nxt (and write_seq,\nfor consistency) at connect time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36889\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36889\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36889\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36889\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36889\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012\",\n \"https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe\",\n \"https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4\",\n \"https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f\",\n \"https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193\",\n \"https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: ensure snd_nxt is properly initialized on connect\\n\\nChristoph reported a splat hinting at a corrupted snd_una:\\n\\n WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\\n Modules linked in:\\n CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\\n Workqueue: events mptcp_worker\\n RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\\n Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\\n \\t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\\n \\t<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\\n RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\\n RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\\n RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\\n R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\\n R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\\n FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\\n Call Trace:\\n \\n __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\\n mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\\n __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\\n mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\\n process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\\n process_scheduled_works kernel/workqueue.c:3335 [inline]\\n worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\\n kthread+0x121/0x170 kernel/kthread.c:388\\n ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\\n \\n\\nWhen fallback to TCP happens early on a client socket, snd_nxt\\nis not yet initialized and any incoming ack will copy such value\\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\\nre-injection after such ack, that would unconditionally trigger a send\\nbuffer cleanup using 'bad' snd_una values.\\n\\nWe could easily disable re-injection for fallback sockets, but such\\ndumb behavior already helped catching a few subtle issues and a very\\nlow to zero impact in practice.\\n\\nInstead address the issue always initializing snd_nxt (and write_seq,\\nfor consistency) at connect time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36889\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36893" + }, + { + "url": "https://git.kernel.org/stable/c/789326cafbd1f67f424436b6bc8bdb887a364637" + }, + { + "url": "https://git.kernel.org/stable/c/ae11f04b452b5205536e1c02d31f8045eba249dd" + }, + { + "url": "https://git.kernel.org/stable/c/d56d2ca03cc22123fd7626967d096d8661324e57" + }, + { + "url": "https://git.kernel.org/stable/c/fc2b655cb6dd2b381f1f284989721002e39b6b77" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Check for port partner validity before consuming it\n\ntypec_register_partner() does not guarantee partner registration\nto always succeed. In the event of failure, port->partner is set\nto the error value or NULL. Given that port->partner validity is\nnot checked, this results in the following crash:\n\nUnable to handle kernel NULL pointer dereference at virtual address xx\n pc : run_state_machine+0x1bc8/0x1c08\n lr : run_state_machine+0x1b90/0x1c08\n..\n Call trace:\n run_state_machine+0x1bc8/0x1c08\n tcpm_state_machine_work+0x94/0xe4\n kthread_worker_fn+0x118/0x328\n kthread+0x1d0/0x23c\n ret_from_fork+0x10/0x20\n\nTo prevent the crash, check for port->partner validity before\nderefencing it in all the call sites.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/789326cafbd1f67f424436b6bc8bdb887a364637\",\n \"https://git.kernel.org/stable/c/ae11f04b452b5205536e1c02d31f8045eba249dd\",\n \"https://git.kernel.org/stable/c/d56d2ca03cc22123fd7626967d096d8661324e57\",\n \"https://git.kernel.org/stable/c/fc2b655cb6dd2b381f1f284989721002e39b6b77\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: typec: tcpm: Check for port partner validity before consuming it\\n\\ntypec_register_partner() does not guarantee partner registration\\nto always succeed. In the event of failure, port->partner is set\\nto the error value or NULL. Given that port->partner validity is\\nnot checked, this results in the following crash:\\n\\nUnable to handle kernel NULL pointer dereference at virtual address xx\\n pc : run_state_machine+0x1bc8/0x1c08\\n lr : run_state_machine+0x1b90/0x1c08\\n..\\n Call trace:\\n run_state_machine+0x1bc8/0x1c08\\n tcpm_state_machine_work+0x94/0xe4\\n kthread_worker_fn+0x118/0x328\\n kthread+0x1d0/0x23c\\n ret_from_fork+0x10/0x20\\n\\nTo prevent the crash, check for port->partner validity before\\nderefencing it in all the call sites.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36894", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36894" + }, + { + "url": "https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19" + }, + { + "url": "https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a" + }, + { + "url": "https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb" + }, + { + "url": "https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867" + }, + { + "url": "https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14" + }, + { + "url": "https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4" + }, + { + "url": "https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd" + }, + { + "url": "https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36894 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36894", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\n\nFFS based applications can utilize the aio_cancel() callback to dequeue\npending USB requests submitted to the UDC. There is a scenario where the\nFFS application issues an AIO cancel call, while the UDC is handling a\nsoft disconnect. For a DWC3 based implementation, the callstack looks\nlike the following:\n\n DWC3 Gadget FFS Application\ndwc3_gadget_soft_disconnect() ...\n --> dwc3_stop_active_transfers()\n --> dwc3_gadget_giveback(-ESHUTDOWN)\n --> ffs_epfile_async_io_complete() ffs_aio_cancel()\n --> usb_ep_free_request() --> usb_ep_dequeue()\n\nThere is currently no locking implemented between the AIO completion\nhandler and AIO cancel, so the issue occurs if the completion routine is\nrunning in parallel to an AIO cancel call coming from the FFS application.\nAs the completion call frees the USB request (io_data->req) the FFS\napplication is also referencing it for the usb_ep_dequeue() call. This can\nlead to accessing a stale/hanging pointer.\n\ncommit b566d38857fc (\"usb: gadget: f_fs: use io_data->status consistently\")\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\nHowever, in order to properly implement locking to mitigate this issue, the\nspinlock can't be added to ffs_epfile_async_io_complete(), as\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\nfunction driver's completion handler in the same context. Hence, leading\ninto a deadlock.\n\nFix this issue by moving the usb_ep_free_request() back to\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\nto NULL after freeing it within the ffs->eps_lock. This resolves the race\ncondition above, as the ffs_aio_cancel() routine will not continue\nattempting to dequeue a request that has already been freed, or the\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\ndone referencing it.\n\nThis fix depends on\n commit b566d38857fc (\"usb: gadget: f_fs: use io_data->status\n consistently\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36894\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36894\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36894\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36894\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36894\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19\",\n \"https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a\",\n \"https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb\",\n \"https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867\",\n \"https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14\",\n \"https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4\",\n \"https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd\",\n \"https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\\n\\nFFS based applications can utilize the aio_cancel() callback to dequeue\\npending USB requests submitted to the UDC. There is a scenario where the\\nFFS application issues an AIO cancel call, while the UDC is handling a\\nsoft disconnect. For a DWC3 based implementation, the callstack looks\\nlike the following:\\n\\n DWC3 Gadget FFS Application\\ndwc3_gadget_soft_disconnect() ...\\n --> dwc3_stop_active_transfers()\\n --> dwc3_gadget_giveback(-ESHUTDOWN)\\n --> ffs_epfile_async_io_complete() ffs_aio_cancel()\\n --> usb_ep_free_request() --> usb_ep_dequeue()\\n\\nThere is currently no locking implemented between the AIO completion\\nhandler and AIO cancel, so the issue occurs if the completion routine is\\nrunning in parallel to an AIO cancel call coming from the FFS application.\\nAs the completion call frees the USB request (io_data->req) the FFS\\napplication is also referencing it for the usb_ep_dequeue() call. This can\\nlead to accessing a stale/hanging pointer.\\n\\ncommit b566d38857fc (\\\"usb: gadget: f_fs: use io_data->status consistently\\\")\\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\\nHowever, in order to properly implement locking to mitigate this issue, the\\nspinlock can't be added to ffs_epfile_async_io_complete(), as\\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\\nfunction driver's completion handler in the same context. Hence, leading\\ninto a deadlock.\\n\\nFix this issue by moving the usb_ep_free_request() back to\\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\\nto NULL after freeing it within the ffs->eps_lock. This resolves the race\\ncondition above, as the ffs_aio_cancel() routine will not continue\\nattempting to dequeue a request that has already been freed, or the\\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\\ndone referencing it.\\n\\nThis fix depends on\\n commit b566d38857fc (\\\"usb: gadget: f_fs: use io_data->status\\n consistently\\\")\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.6,\n \"exploitabilityScore\": 0.4,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36894\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36898", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36898" + }, + { + "url": "https://git.kernel.org/stable/c/1a51e24404d77bb3307c1e39eee0d8e86febb1a5" + }, + { + "url": "https://git.kernel.org/stable/c/883e4bbf06eb5fb7482679e4edb201093e9f55a2" + }, + { + "url": "https://git.kernel.org/stable/c/bd7139a70ee8d8ea872b223e043730cf6f5e2b0e" + }, + { + "url": "https://git.kernel.org/stable/c/ee0166b637a5e376118e9659e5b4148080f1d27e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36898 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36898", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: fix uninitialised kfifo\n\nIf a line is requested with debounce, and that results in debouncing\nin software, and the line is subsequently reconfigured to enable edge\ndetection then the allocation of the kfifo to contain edge events is\noverlooked. This results in events being written to and read from an\nuninitialised kfifo. Read events are returned to userspace.\n\nInitialise the kfifo in the case where the software debounce is\nalready active.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36898\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36898\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36898\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36898\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36898\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a51e24404d77bb3307c1e39eee0d8e86febb1a5\",\n \"https://git.kernel.org/stable/c/883e4bbf06eb5fb7482679e4edb201093e9f55a2\",\n \"https://git.kernel.org/stable/c/bd7139a70ee8d8ea872b223e043730cf6f5e2b0e\",\n \"https://git.kernel.org/stable/c/ee0166b637a5e376118e9659e5b4148080f1d27e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpiolib: cdev: fix uninitialised kfifo\\n\\nIf a line is requested with debounce, and that results in debouncing\\nin software, and the line is subsequently reconfigured to enable edge\\ndetection then the allocation of the kfifo to contain edge events is\\noverlooked. This results in events being written to and read from an\\nuninitialised kfifo. Read events are returned to userspace.\\n\\nInitialise the kfifo in the case where the software debounce is\\nalready active.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36898\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36899" + }, + { + "url": "https://git.kernel.org/stable/c/02f6b0e1ec7e0e7d059dddc893645816552039da" + }, + { + "url": "https://git.kernel.org/stable/c/95ca7c90eaf5ea8a8460536535101e3e81160e2a" + }, + { + "url": "https://git.kernel.org/stable/c/ca710b5f40b8b16fdcad50bebd47f50e4c62d239" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Fix use after free in lineinfo_changed_notify\n\nThe use-after-free issue occurs as follows: when the GPIO chip device file\nis being closed by invoking gpio_chrdev_release(), watched_lines is freed\nby bitmap_free(), but the unregistration of lineinfo_changed_nb notifier\nchain failed due to waiting write rwsem. Additionally, one of the GPIO\nchip's lines is also in the release process and holds the notifier chain's\nread rwsem. Consequently, a race condition leads to the use-after-free of\nwatched_lines.\n\nHere is the typical stack when issue happened:\n\n[free]\ngpio_chrdev_release()\n --> bitmap_free(cdev->watched_lines) <-- freed\n --> blocking_notifier_chain_unregister()\n --> down_write(&nh->rwsem) <-- waiting rwsem\n --> __down_write_common()\n --> rwsem_down_write_slowpath()\n --> schedule_preempt_disabled()\n --> schedule()\n\n[use]\nst54spi_gpio_dev_release()\n --> gpio_free()\n --> gpiod_free()\n --> gpiod_free_commit()\n --> gpiod_line_state_notify()\n --> blocking_notifier_call_chain()\n --> down_read(&nh->rwsem); <-- held rwsem\n --> notifier_call_chain()\n --> lineinfo_changed_notify()\n --> test_bit(xxxx, cdev->watched_lines) <-- use after free\n\nThe side effect of the use-after-free issue is that a GPIO line event is\nbeing generated for userspace where it shouldn't. However, since the chrdev\nis being closed, userspace won't have the chance to read that event anyway.\n\nTo fix the issue, call the bitmap_free() function after the unregistration\nof lineinfo_changed_nb notifier chain.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02f6b0e1ec7e0e7d059dddc893645816552039da\",\n \"https://git.kernel.org/stable/c/95ca7c90eaf5ea8a8460536535101e3e81160e2a\",\n \"https://git.kernel.org/stable/c/ca710b5f40b8b16fdcad50bebd47f50e4c62d239\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpiolib: cdev: Fix use after free in lineinfo_changed_notify\\n\\nThe use-after-free issue occurs as follows: when the GPIO chip device file\\nis being closed by invoking gpio_chrdev_release(), watched_lines is freed\\nby bitmap_free(), but the unregistration of lineinfo_changed_nb notifier\\nchain failed due to waiting write rwsem. Additionally, one of the GPIO\\nchip's lines is also in the release process and holds the notifier chain's\\nread rwsem. Consequently, a race condition leads to the use-after-free of\\nwatched_lines.\\n\\nHere is the typical stack when issue happened:\\n\\n[free]\\ngpio_chrdev_release()\\n --> bitmap_free(cdev->watched_lines) <-- freed\\n --> blocking_notifier_chain_unregister()\\n --> down_write(&nh->rwsem) <-- waiting rwsem\\n --> __down_write_common()\\n --> rwsem_down_write_slowpath()\\n --> schedule_preempt_disabled()\\n --> schedule()\\n\\n[use]\\nst54spi_gpio_dev_release()\\n --> gpio_free()\\n --> gpiod_free()\\n --> gpiod_free_commit()\\n --> gpiod_line_state_notify()\\n --> blocking_notifier_call_chain()\\n --> down_read(&nh->rwsem); <-- held rwsem\\n --> notifier_call_chain()\\n --> lineinfo_changed_notify()\\n --> test_bit(xxxx, cdev->watched_lines) <-- use after free\\n\\nThe side effect of the use-after-free issue is that a GPIO line event is\\nbeing generated for userspace where it shouldn't. However, since the chrdev\\nis being closed, userspace won't have the chance to read that event anyway.\\n\\nTo fix the issue, call the bitmap_free() function after the unregistration\\nof lineinfo_changed_nb notifier chain.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36900" + }, + { + "url": "https://git.kernel.org/stable/c/35d92abfbad88cf947c010baf34b075e40566095" + }, + { + "url": "https://git.kernel.org/stable/c/5c623fe0534806b627054da09b6f51b7b2f7b9cd" + }, + { + "url": "https://git.kernel.org/stable/c/72ede790f5a03c3957487400a1b72ebce293a2e7" + }, + { + "url": "https://git.kernel.org/stable/c/c98bc78ce0909ccc92005e2cb6609ec6c7942f69" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when devlink reload during initialization\n\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash.\n\nThis patch fixes this by registering the devlink after\nhardware initialization.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/35d92abfbad88cf947c010baf34b075e40566095\",\n \"https://git.kernel.org/stable/c/5c623fe0534806b627054da09b6f51b7b2f7b9cd\",\n \"https://git.kernel.org/stable/c/72ede790f5a03c3957487400a1b72ebce293a2e7\",\n \"https://git.kernel.org/stable/c/c98bc78ce0909ccc92005e2cb6609ec6c7942f69\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: hns3: fix kernel crash when devlink reload during initialization\\n\\nThe devlink reload process will access the hardware resources,\\nbut the register operation is done before the hardware is initialized.\\nSo, processing the devlink reload during initialization may lead to kernel\\ncrash.\\n\\nThis patch fixes this by registering the devlink after\\nhardware initialization.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36901", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36901" + }, + { + "url": "https://git.kernel.org/stable/c/2272e2db38f2e85929278146d7c770f22f528579" + }, + { + "url": "https://git.kernel.org/stable/c/4db783d68b9b39a411a96096c10828ff5dfada7a" + }, + { + "url": "https://git.kernel.org/stable/c/55f7eb4001ef2a3b48cf039cf263f9ed0ec5a488" + }, + { + "url": "https://git.kernel.org/stable/c/9df3b2474a627994433a87cbf325a562555b17de" + }, + { + "url": "https://git.kernel.org/stable/c/e31b25cc2066d3f2b6c38579253882008d4469b0" + }, + { + "url": "https://git.kernel.org/stable/c/ea0cb87402f774b0e1214ffba0f57028b27cf155" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36901 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36901", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent NULL dereference in ip6_output()\n\nAccording to syzbot, there is a chance that ip6_dst_idev()\nreturns NULL in ip6_output(). Most places in IPv6 stack\ndeal with a NULL idev just fine, but not here.\n\nsyzbot reported:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\nFS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\n sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\n sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\n sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\n sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\n sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\n sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\n __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\n sctp_connect net/sctp/socket.c:4819 [inline]\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36901\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36901\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36901\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36901\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36901\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2272e2db38f2e85929278146d7c770f22f528579\",\n \"https://git.kernel.org/stable/c/4db783d68b9b39a411a96096c10828ff5dfada7a\",\n \"https://git.kernel.org/stable/c/55f7eb4001ef2a3b48cf039cf263f9ed0ec5a488\",\n \"https://git.kernel.org/stable/c/9df3b2474a627994433a87cbf325a562555b17de\",\n \"https://git.kernel.org/stable/c/e31b25cc2066d3f2b6c38579253882008d4469b0\",\n \"https://git.kernel.org/stable/c/ea0cb87402f774b0e1214ffba0f57028b27cf155\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: prevent NULL dereference in ip6_output()\\n\\nAccording to syzbot, there is a chance that ip6_dst_idev()\\nreturns NULL in ip6_output(). Most places in IPv6 stack\\ndeal with a NULL idev just fine, but not here.\\n\\nsyzbot reported:\\n\\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\\nFS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n NF_HOOK include/linux/netfilter.h:314 [inline]\\n ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\\n sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\\n sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\\n sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\\n sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\\n sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\\n sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\\n sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\\n __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\\n sctp_connect net/sctp/socket.c:4819 [inline]\\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\\n __sys_connect_file net/socket.c:2048 [inline]\\n __sys_connect+0x2df/0x310 net/socket.c:2065\\n __do_sys_connect net/socket.c:2075 [inline]\\n __se_sys_connect net/socket.c:2072 [inline]\\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36901\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36902", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36902" + }, + { + "url": "https://git.kernel.org/stable/c/1876881c9a49613b5249fb400cbf53412d90cb09" + }, + { + "url": "https://git.kernel.org/stable/c/35297fc68de36826087e976f86a5b1f94fd0bf95" + }, + { + "url": "https://git.kernel.org/stable/c/4a5a573387da6a6b23a4cc62147453ff1bc32afa" + }, + { + "url": "https://git.kernel.org/stable/c/674c951ab8a23f7aff9b4c3f2f865901bc76a290" + }, + { + "url": "https://git.kernel.org/stable/c/7e3242c139c38e60844638e394c2877b16b396b0" + }, + { + "url": "https://git.kernel.org/stable/c/8745a8d74ba17dafe72b6ab461fa6c007d879747" + }, + { + "url": "https://git.kernel.org/stable/c/d101291b2681e5ab938554e3e323f7a7ee33e3aa" + }, + { + "url": "https://git.kernel.org/stable/c/ddec23f206a944c73bcc2724358b85388837daff" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36902 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36902", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\n\nsyzbot is able to trigger the following crash [1],\ncaused by unsafe ip6_dst_idev() use.\n\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\nFS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\n fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\n ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\n ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\n ip6_route_output include/net/ip6_route.h:93 [inline]\n ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\n ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\n sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\n sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\n sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\n sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\n __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\n sctp_connect net/sctp/socket.c:4819 [inline]\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36902\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36902\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36902\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36902\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36902\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1876881c9a49613b5249fb400cbf53412d90cb09\",\n \"https://git.kernel.org/stable/c/35297fc68de36826087e976f86a5b1f94fd0bf95\",\n \"https://git.kernel.org/stable/c/4a5a573387da6a6b23a4cc62147453ff1bc32afa\",\n \"https://git.kernel.org/stable/c/674c951ab8a23f7aff9b4c3f2f865901bc76a290\",\n \"https://git.kernel.org/stable/c/7e3242c139c38e60844638e394c2877b16b396b0\",\n \"https://git.kernel.org/stable/c/8745a8d74ba17dafe72b6ab461fa6c007d879747\",\n \"https://git.kernel.org/stable/c/d101291b2681e5ab938554e3e323f7a7ee33e3aa\",\n \"https://git.kernel.org/stable/c/ddec23f206a944c73bcc2724358b85388837daff\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\\n\\nsyzbot is able to trigger the following crash [1],\\ncaused by unsafe ip6_dst_idev() use.\\n\\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\\n\\n[1]\\n\\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\\nFS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\\n fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\\n ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\\n ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\\n ip6_route_output include/net/ip6_route.h:93 [inline]\\n ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\\n ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\\n sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\\n sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\\n sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\\n sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\\n __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\\n sctp_connect net/sctp/socket.c:4819 [inline]\\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\\n __sys_connect_file net/socket.c:2048 [inline]\\n __sys_connect+0x2df/0x310 net/socket.c:2065\\n __do_sys_connect net/socket.c:2075 [inline]\\n __se_sys_connect net/socket.c:2072 [inline]\\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36902\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36903", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36903" + }, + { + "url": "https://git.kernel.org/stable/c/2367bf254f3a27ecc6e229afd7a8b0a1395f7be3" + }, + { + "url": "https://git.kernel.org/stable/c/4e13d3a9c25b7080f8a619f961e943fe08c2672c" + }, + { + "url": "https://git.kernel.org/stable/c/68c8ba16ab712eb709c6bab80ff151079d11d97a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36903 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36903", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix potential uninit-value access in __ip6_make_skb()\n\nAs it was done in commit fc1092f51567 (\"ipv4: Fix uninit-value access in\n__ip_make_skb()\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags\ninstead of testing HDRINCL on the socket to avoid a race condition which\ncauses uninit-value access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36903\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36903\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36903\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36903\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36903\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2367bf254f3a27ecc6e229afd7a8b0a1395f7be3\",\n \"https://git.kernel.org/stable/c/4e13d3a9c25b7080f8a619f961e943fe08c2672c\",\n \"https://git.kernel.org/stable/c/68c8ba16ab712eb709c6bab80ff151079d11d97a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: Fix potential uninit-value access in __ip6_make_skb()\\n\\nAs it was done in commit fc1092f51567 (\\\"ipv4: Fix uninit-value access in\\n__ip_make_skb()\\\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags\\ninstead of testing HDRINCL on the socket to avoid a race condition which\\ncauses uninit-value access.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36903\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36904", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36904" + }, + { + "url": "https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446" + }, + { + "url": "https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3" + }, + { + "url": "https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34" + }, + { + "url": "https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8" + }, + { + "url": "https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc" + }, + { + "url": "https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc" + }, + { + "url": "https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9" + }, + { + "url": "https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36904 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36904", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\n\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\n\nSince commit ec94c2696f0b (\"tcp/dccp: avoid one atomic operation for\ntimewait hashdance\"), inet_twsk_hashdance() sets TIME-WAIT socket's\nsk_refcnt after putting it into ehash and releasing the bucket lock.\n\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\n\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\n\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\n\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n \n ? refcount_warn_saturate+0xe5/0x110\n ? __warn+0x81/0x130\n ? refcount_warn_saturate+0xe5/0x110\n ? report_bug+0x171/0x1a0\n ? refcount_warn_saturate+0xe5/0x110\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? refcount_warn_saturate+0xe5/0x110\n tcp_twsk_unique+0x186/0x190\n __inet_check_established+0x176/0x2d0\n __inet_hash_connect+0x74/0x7d0\n ? __pfx___inet_check_established+0x10/0x10\n tcp_v4_connect+0x278/0x530\n __inet_stream_connect+0x10f/0x3d0\n inet_stream_connect+0x3a/0x60\n __sys_connect+0xa8/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0x83/0x170\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36904\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36904\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36904\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36904\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36904\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446\",\n \"https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3\",\n \"https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34\",\n \"https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8\",\n \"https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc\",\n \"https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc\",\n \"https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9\",\n \"https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\\n\\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\\nwith nice analysis.\\n\\nSince commit ec94c2696f0b (\\\"tcp/dccp: avoid one atomic operation for\\ntimewait hashdance\\\"), inet_twsk_hashdance() sets TIME-WAIT socket's\\nsk_refcnt after putting it into ehash and releasing the bucket lock.\\n\\nThus, there is a small race window where other threads could try to\\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\\nfor the TIME-WAIT socket with zero refcnt.\\n\\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\\nand sock_put() will cause underflow, triggering a real use-after-free\\nsomewhere else.\\n\\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\\ntcp_twsk_unique() and give up on reusing the port if it returns false.\\n\\n[0]:\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? refcount_warn_saturate+0xe5/0x110\\n ? __warn+0x81/0x130\\n ? refcount_warn_saturate+0xe5/0x110\\n ? report_bug+0x171/0x1a0\\n ? refcount_warn_saturate+0xe5/0x110\\n ? handle_bug+0x3c/0x80\\n ? exc_invalid_op+0x17/0x70\\n ? asm_exc_invalid_op+0x1a/0x20\\n ? refcount_warn_saturate+0xe5/0x110\\n tcp_twsk_unique+0x186/0x190\\n __inet_check_established+0x176/0x2d0\\n __inet_hash_connect+0x74/0x7d0\\n ? __pfx___inet_check_established+0x10/0x10\\n tcp_v4_connect+0x278/0x530\\n __inet_stream_connect+0x10f/0x3d0\\n inet_stream_connect+0x3a/0x60\\n __sys_connect+0xa8/0xd0\\n __x64_sys_connect+0x18/0x20\\n do_syscall_64+0x83/0x170\\n entry_SYSCALL_64_after_hwframe+0x78/0x80\\nRIP: 0033:0x7f62c11a885d\\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36904\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36905" + }, + { + "url": "https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4" + }, + { + "url": "https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270" + }, + { + "url": "https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1" + }, + { + "url": "https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485" + }, + { + "url": "https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f" + }, + { + "url": "https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf" + }, + { + "url": "https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214" + }, + { + "url": "https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36905", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\n\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\n\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\n\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\n\n TCP_CLOSE\nconnect()\n TCP_SYN_SENT\n TCP_SYN_RECV\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\n TCP_FIN_WAIT1\n\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\n\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\n\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\n\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n \n tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x109/0x280 net/socket.c:1068\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n ___sys_recvmsg net/socket.c:2845 [inline]\n do_recvmmsg+0x474/0xae0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4\",\n \"https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270\",\n \"https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1\",\n \"https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485\",\n \"https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f\",\n \"https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf\",\n \"https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214\",\n \"https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\\n\\nTCP_SYN_RECV state is really special, it is only used by\\ncross-syn connections, mostly used by fuzzers.\\n\\nIn the following crash [1], syzbot managed to trigger a divide\\nby zero in tcp_rcv_space_adjust()\\n\\nA socket makes the following state transitions,\\nwithout ever calling tcp_init_transfer(),\\nmeaning tcp_init_buffer_space() is also not called.\\n\\n TCP_CLOSE\\nconnect()\\n TCP_SYN_SENT\\n TCP_SYN_RECV\\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\\n TCP_FIN_WAIT1\\n\\nTo fix this issue, change tcp_shutdown() to not\\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\\nwhich makes no sense anyway.\\n\\nWhen tcp_rcv_state_process() later changes socket state\\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\\nand send a FIN packet from a sane socket state.\\n\\nThis means tcp_send_fin() can now be called from BH\\ncontext, and must use GFP_ATOMIC allocations.\\n\\n[1]\\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\\nFS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\\nCall Trace:\\n \\n tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\\n tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\\n inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\\n sock_recvmsg_nosec net/socket.c:1046 [inline]\\n sock_recvmsg+0x109/0x280 net/socket.c:1068\\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\\n ___sys_recvmsg net/socket.c:2845 [inline]\\n do_recvmmsg+0x474/0xae0 net/socket.c:2939\\n __sys_recvmmsg net/socket.c:3018 [inline]\\n __do_sys_recvmmsg net/socket.c:3041 [inline]\\n __se_sys_recvmmsg net/socket.c:3034 [inline]\\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7faeb6363db9\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36906", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36906" + }, + { + "url": "https://git.kernel.org/stable/c/20ac71bee028ffbae4fc14ed679b23b4d3e95726" + }, + { + "url": "https://git.kernel.org/stable/c/ad702338fe423cb1e79745787090317256a98dab" + }, + { + "url": "https://git.kernel.org/stable/c/b26f353786d365e658cebc9a9ace88e04fc2325e" + }, + { + "url": "https://git.kernel.org/stable/c/c4238686f9093b98bd6245a348bcf059cdce23af" + }, + { + "url": "https://git.kernel.org/stable/c/ee0ce7573e5083031960faf602c9db693ab5b477" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36906 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36906", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9381/1: kasan: clear stale stack poison\n\nWe found below OOB crash:\n\n[ 33.452494] ==================================================================\n[ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[ 33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0\n[ 33.455515]\n[ 33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.1.25-mainline #1\n[ 33.456880] Hardware name: Generic DT based system\n[ 33.457555] unwind_backtrace from show_stack+0x18/0x1c\n[ 33.458326] show_stack from dump_stack_lvl+0x40/0x4c\n[ 33.459072] dump_stack_lvl from print_report+0x158/0x4a4\n[ 33.459863] print_report from kasan_report+0x9c/0x148\n[ 33.460616] kasan_report from kasan_check_range+0x94/0x1a0\n[ 33.461424] kasan_check_range from memset+0x20/0x3c\n[ 33.462157] memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[ 33.463064] refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c\n[ 33.464181] tick_nohz_idle_stop_tick from do_idle+0x264/0x354\n[ 33.465029] do_idle from cpu_startup_entry+0x20/0x24\n[ 33.465769] cpu_startup_entry from rest_init+0xf0/0xf4\n[ 33.466528] rest_init from arch_post_acpi_subsys_init+0x0/0x18\n[ 33.467397]\n[ 33.467644] The buggy address belongs to stack of task swapper/0/0\n[ 33.468493] and is located at offset 112 in frame:\n[ 33.469172] refresh_cpu_vm_stats.constprop.0+0x0/0x2ec\n[ 33.469917]\n[ 33.470165] This frame has 2 objects:\n[ 33.470696] [32, 76) 'global_zone_diff'\n[ 33.470729] [112, 276) 'global_node_diff'\n[ 33.471294]\n[ 33.472095] The buggy address belongs to the physical page:\n[ 33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03\n[ 33.473944] flags: 0x1000(reserved|zone=0)\n[ 33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001\n[ 33.475656] raw: 00000000\n[ 33.476050] page dumped because: kasan: bad access detected\n[ 33.476816]\n[ 33.477061] Memory state around the buggy address:\n[ 33.477732] c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 33.478630] c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00\n[ 33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1\n[ 33.480415] ^\n[ 33.481195] c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3\n[ 33.482088] c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n[ 33.482978] ==================================================================\n\nWe find the root cause of this OOB is that arm does not clear stale stack\npoison in the case of cpuidle.\n\nThis patch refer to arch/arm64/kernel/sleep.S to resolve this issue.\n\nFrom cited commit [1] that explain the problem\n\nFunctions which the compiler has instrumented for KASAN place poison on\nthe stack shadow upon entry and remove this poison prior to returning.\n\nIn the case of cpuidle, CPUs exit the kernel a number of levels deep in\nC code. Any instrumented functions on this critical path will leave\nportions of the stack shadow poisoned.\n\nIf CPUs lose context and return to the kernel via a cold path, we\nrestore a prior context saved in __cpu_suspend_enter are forgotten, and\nwe never remove the poison they placed in the stack shadow area by\nfunctions calls between this and the actual exit of the kernel.\n\nThus, (depending on stackframe layout) subsequent calls to instrumented\nfunctions may hit this stale poison, resulting in (spurious) KASAN\nsplats to the console.\n\nTo avoid this, clear any stale poison from the idle thread for a CPU\nprior to bringing a CPU online.\n\nFrom cited commit [2]\n\nExtend to check for CONFIG_KASAN_STACK\n\n[1] commit 0d97e6d8024c (\"arm64: kasan: clear stale stack poison\")\n[2] commit d56a9ef84bd0 (\"kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK\")", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36906\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36906\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36906\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36906\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36906\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/20ac71bee028ffbae4fc14ed679b23b4d3e95726\",\n \"https://git.kernel.org/stable/c/ad702338fe423cb1e79745787090317256a98dab\",\n \"https://git.kernel.org/stable/c/b26f353786d365e658cebc9a9ace88e04fc2325e\",\n \"https://git.kernel.org/stable/c/c4238686f9093b98bd6245a348bcf059cdce23af\",\n \"https://git.kernel.org/stable/c/ee0ce7573e5083031960faf602c9db693ab5b477\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nARM: 9381/1: kasan: clear stale stack poison\\n\\nWe found below OOB crash:\\n\\n[ 33.452494] ==================================================================\\n[ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\\n[ 33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0\\n[ 33.455515]\\n[ 33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.1.25-mainline #1\\n[ 33.456880] Hardware name: Generic DT based system\\n[ 33.457555] unwind_backtrace from show_stack+0x18/0x1c\\n[ 33.458326] show_stack from dump_stack_lvl+0x40/0x4c\\n[ 33.459072] dump_stack_lvl from print_report+0x158/0x4a4\\n[ 33.459863] print_report from kasan_report+0x9c/0x148\\n[ 33.460616] kasan_report from kasan_check_range+0x94/0x1a0\\n[ 33.461424] kasan_check_range from memset+0x20/0x3c\\n[ 33.462157] memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\\n[ 33.463064] refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c\\n[ 33.464181] tick_nohz_idle_stop_tick from do_idle+0x264/0x354\\n[ 33.465029] do_idle from cpu_startup_entry+0x20/0x24\\n[ 33.465769] cpu_startup_entry from rest_init+0xf0/0xf4\\n[ 33.466528] rest_init from arch_post_acpi_subsys_init+0x0/0x18\\n[ 33.467397]\\n[ 33.467644] The buggy address belongs to stack of task swapper/0/0\\n[ 33.468493] and is located at offset 112 in frame:\\n[ 33.469172] refresh_cpu_vm_stats.constprop.0+0x0/0x2ec\\n[ 33.469917]\\n[ 33.470165] This frame has 2 objects:\\n[ 33.470696] [32, 76) 'global_zone_diff'\\n[ 33.470729] [112, 276) 'global_node_diff'\\n[ 33.471294]\\n[ 33.472095] The buggy address belongs to the physical page:\\n[ 33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03\\n[ 33.473944] flags: 0x1000(reserved|zone=0)\\n[ 33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001\\n[ 33.475656] raw: 00000000\\n[ 33.476050] page dumped because: kasan: bad access detected\\n[ 33.476816]\\n[ 33.477061] Memory state around the buggy address:\\n[ 33.477732] c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n[ 33.478630] c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00\\n[ 33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1\\n[ 33.480415] ^\\n[ 33.481195] c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3\\n[ 33.482088] c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\\n[ 33.482978] ==================================================================\\n\\nWe find the root cause of this OOB is that arm does not clear stale stack\\npoison in the case of cpuidle.\\n\\nThis patch refer to arch/arm64/kernel/sleep.S to resolve this issue.\\n\\nFrom cited commit [1] that explain the problem\\n\\nFunctions which the compiler has instrumented for KASAN place poison on\\nthe stack shadow upon entry and remove this poison prior to returning.\\n\\nIn the case of cpuidle, CPUs exit the kernel a number of levels deep in\\nC code. Any instrumented functions on this critical path will leave\\nportions of the stack shadow poisoned.\\n\\nIf CPUs lose context and return to the kernel via a cold path, we\\nrestore a prior context saved in __cpu_suspend_enter are forgotten, and\\nwe never remove the poison they placed in the stack shadow area by\\nfunctions calls between this and the actual exit of the kernel.\\n\\nThus, (depending on stackframe layout) subsequent calls to instrumented\\nfunctions may hit this stale poison, resulting in (spurious) KASAN\\nsplats to the console.\\n\\nTo avoid this, clear any stale poison from the idle thread for a CPU\\nprior to bringing a CPU online.\\n\\nFrom cited commit [2]\\n\\nExtend to check for CONFIG_KASAN_STACK\\n\\n[1] commit 0d97e6d8024c (\\\"arm64: kasan: clear stale stack poison\\\")\\n[2] commit d56a9ef84bd0 (\\\"kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK\\\")\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36906\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36907", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36907" + }, + { + "url": "https://git.kernel.org/stable/c/024f7744bd09cb2a47a0a96b9c8ad08109de99cc" + }, + { + "url": "https://git.kernel.org/stable/c/8e088a20dbe33919695a8082c0b32deb62d23b4a" + }, + { + "url": "https://git.kernel.org/stable/c/9b332c72299f2ac284ab3d7c0301969b933e4ca1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36907 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36907", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: add a missing rpc_stat for TCP TLS\n\nCommit 1548036ef120 (\"nfs: make the rpc_stat per net namespace\") added\nfunctionality to specify rpc_stats function but missed adding it to the\nTCP TLS functionality. As the result, mounting with xprtsec=tls lead to\nthe following kernel oops.\n\n[ 128.984192] Unable to handle kernel NULL pointer dereference at\nvirtual address 000000000000001c\n[ 128.985058] Mem abort info:\n[ 128.985372] ESR = 0x0000000096000004\n[ 128.985709] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 128.986176] SET = 0, FnV = 0\n[ 128.986521] EA = 0, S1PTW = 0\n[ 128.986804] FSC = 0x04: level 0 translation fault\n[ 128.987229] Data abort info:\n[ 128.987597] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 128.988169] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 128.988811] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 128.989302] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106c84000\n[ 128.990048] [000000000000001c] pgd=0000000000000000, p4d=0000000000000000\n[ 128.990736] Internal error: Oops: 0000000096000004 [#1] SMP\n[ 128.991168] Modules linked in: nfs_layout_nfsv41_files\nrpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace netfs\nuinput dm_mod nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill\nip_set nf_tables nfnetlink qrtr vsock_loopback\nvmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock\nsunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc\nvideobuf2_v4l2 videodev videobuf2_common mc vmw_vmci xfs libcrc32c\ne1000e crct10dif_ce ghash_ce sha2_ce vmwgfx nvme sha256_arm64\nnvme_core sr_mod cdrom sha1_ce drm_ttm_helper ttm drm_kms_helper drm\nsg fuse\n[ 128.996466] CPU: 0 PID: 179 Comm: kworker/u4:26 Kdump: loaded Not\ntainted 6.8.0-rc6+ #12\n[ 128.997226] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS\nVMW201.00V.21805430.BA64.2305221830 05/22/2023\n[ 128.998084] Workqueue: xprtiod xs_tcp_tls_setup_socket [sunrpc]\n[ 128.998701] pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 128.999384] pc : call_start+0x74/0x138 [sunrpc]\n[ 128.999809] lr : __rpc_execute+0xb8/0x3e0 [sunrpc]\n[ 129.000244] sp : ffff8000832b3a00\n[ 129.000508] x29: ffff8000832b3a00 x28: ffff800081ac79c0 x27: ffff800081ac7000\n[ 129.001111] x26: 0000000004248060 x25: 0000000000000000 x24: ffff800081596008\n[ 129.001757] x23: ffff80007b087240 x22: ffff00009a509d30 x21: 0000000000000000\n[ 129.002345] x20: ffff000090075600 x19: ffff00009a509d00 x18: ffffffffffffffff\n[ 129.002912] x17: 733d4d4554535953 x16: 42555300312d746e x15: ffff8000832b3a88\n[ 129.003464] x14: ffffffffffffffff x13: ffff8000832b3a7d x12: 0000000000000008\n[ 129.004021] x11: 0101010101010101 x10: ffff8000150cb560 x9 : ffff80007b087c00\n[ 129.004577] x8 : ffff00009a509de0 x7 : 0000000000000000 x6 : 00000000be8c4ee3\n[ 129.005026] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff000094d56680\n[ 129.005425] x2 : ffff80007b0637f8 x1 : ffff000090075600 x0 : ffff00009a509d00\n[ 129.005824] Call trace:\n[ 129.005967] call_start+0x74/0x138 [sunrpc]\n[ 129.006233] __rpc_execute+0xb8/0x3e0 [sunrpc]\n[ 129.006506] rpc_execute+0x160/0x1d8 [sunrpc]\n[ 129.006778] rpc_run_task+0x148/0x1f8 [sunrpc]\n[ 129.007204] tls_probe+0x80/0xd0 [sunrpc]\n[ 129.007460] rpc_ping+0x28/0x80 [sunrpc]\n[ 129.007715] rpc_create_xprt+0x134/0x1a0 [sunrpc]\n[ 129.007999] rpc_create+0x128/0x2a0 [sunrpc]\n[ 129.008264] xs_tcp_tls_setup_socket+0xdc/0x508 [sunrpc]\n[ 129.008583] process_one_work+0x174/0x3c8\n[ 129.008813] worker_thread+0x2c8/0x3e0\n[ 129.009033] kthread+0x100/0x110\n[ 129.009225] ret_from_fork+0x10/0x20\n[ 129.009432] Code: f0ffffc2 911fe042 aa1403e1 aa1303e0 (b9401c83)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36907\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36907\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36907\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36907\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36907\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/024f7744bd09cb2a47a0a96b9c8ad08109de99cc\",\n \"https://git.kernel.org/stable/c/8e088a20dbe33919695a8082c0b32deb62d23b4a\",\n \"https://git.kernel.org/stable/c/9b332c72299f2ac284ab3d7c0301969b933e4ca1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSUNRPC: add a missing rpc_stat for TCP TLS\\n\\nCommit 1548036ef120 (\\\"nfs: make the rpc_stat per net namespace\\\") added\\nfunctionality to specify rpc_stats function but missed adding it to the\\nTCP TLS functionality. As the result, mounting with xprtsec=tls lead to\\nthe following kernel oops.\\n\\n[ 128.984192] Unable to handle kernel NULL pointer dereference at\\nvirtual address 000000000000001c\\n[ 128.985058] Mem abort info:\\n[ 128.985372] ESR = 0x0000000096000004\\n[ 128.985709] EC = 0x25: DABT (current EL), IL = 32 bits\\n[ 128.986176] SET = 0, FnV = 0\\n[ 128.986521] EA = 0, S1PTW = 0\\n[ 128.986804] FSC = 0x04: level 0 translation fault\\n[ 128.987229] Data abort info:\\n[ 128.987597] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\\n[ 128.988169] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n[ 128.988811] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n[ 128.989302] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106c84000\\n[ 128.990048] [000000000000001c] pgd=0000000000000000, p4d=0000000000000000\\n[ 128.990736] Internal error: Oops: 0000000096000004 [#1] SMP\\n[ 128.991168] Modules linked in: nfs_layout_nfsv41_files\\nrpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace netfs\\nuinput dm_mod nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill\\nip_set nf_tables nfnetlink qrtr vsock_loopback\\nvmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock\\nsunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc\\nvideobuf2_v4l2 videodev videobuf2_common mc vmw_vmci xfs libcrc32c\\ne1000e crct10dif_ce ghash_ce sha2_ce vmwgfx nvme sha256_arm64\\nnvme_core sr_mod cdrom sha1_ce drm_ttm_helper ttm drm_kms_helper drm\\nsg fuse\\n[ 128.996466] CPU: 0 PID: 179 Comm: kworker/u4:26 Kdump: loaded Not\\ntainted 6.8.0-rc6+ #12\\n[ 128.997226] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS\\nVMW201.00V.21805430.BA64.2305221830 05/22/2023\\n[ 128.998084] Workqueue: xprtiod xs_tcp_tls_setup_socket [sunrpc]\\n[ 128.998701] pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\\n[ 128.999384] pc : call_start+0x74/0x138 [sunrpc]\\n[ 128.999809] lr : __rpc_execute+0xb8/0x3e0 [sunrpc]\\n[ 129.000244] sp : ffff8000832b3a00\\n[ 129.000508] x29: ffff8000832b3a00 x28: ffff800081ac79c0 x27: ffff800081ac7000\\n[ 129.001111] x26: 0000000004248060 x25: 0000000000000000 x24: ffff800081596008\\n[ 129.001757] x23: ffff80007b087240 x22: ffff00009a509d30 x21: 0000000000000000\\n[ 129.002345] x20: ffff000090075600 x19: ffff00009a509d00 x18: ffffffffffffffff\\n[ 129.002912] x17: 733d4d4554535953 x16: 42555300312d746e x15: ffff8000832b3a88\\n[ 129.003464] x14: ffffffffffffffff x13: ffff8000832b3a7d x12: 0000000000000008\\n[ 129.004021] x11: 0101010101010101 x10: ffff8000150cb560 x9 : ffff80007b087c00\\n[ 129.004577] x8 : ffff00009a509de0 x7 : 0000000000000000 x6 : 00000000be8c4ee3\\n[ 129.005026] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff000094d56680\\n[ 129.005425] x2 : ffff80007b0637f8 x1 : ffff000090075600 x0 : ffff00009a509d00\\n[ 129.005824] Call trace:\\n[ 129.005967] call_start+0x74/0x138 [sunrpc]\\n[ 129.006233] __rpc_execute+0xb8/0x3e0 [sunrpc]\\n[ 129.006506] rpc_execute+0x160/0x1d8 [sunrpc]\\n[ 129.006778] rpc_run_task+0x148/0x1f8 [sunrpc]\\n[ 129.007204] tls_probe+0x80/0xd0 [sunrpc]\\n[ 129.007460] rpc_ping+0x28/0x80 [sunrpc]\\n[ 129.007715] rpc_create_xprt+0x134/0x1a0 [sunrpc]\\n[ 129.007999] rpc_create+0x128/0x2a0 [sunrpc]\\n[ 129.008264] xs_tcp_tls_setup_socket+0xdc/0x508 [sunrpc]\\n[ 129.008583] process_one_work+0x174/0x3c8\\n[ 129.008813] worker_thread+0x2c8/0x3e0\\n[ 129.009033] kthread+0x100/0x110\\n[ 129.009225] ret_from_fork+0x10/0x20\\n[ 129.009432] Code: f0ffffc2 911fe042 aa1403e1 aa1303e0 (b9401c83)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36907\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36908", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36908" + }, + { + "url": "https://git.kernel.org/stable/c/01bc4fda9ea0a6b52f12326486f07a4910666cf6" + }, + { + "url": "https://git.kernel.org/stable/c/14b3275f93d4a0d8ddc02195bc4e9869b7a3700e" + }, + { + "url": "https://git.kernel.org/stable/c/1c172ac7afe4442964f4153b2c78fe4e005d9d67" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36908 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36908", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: do not WARN if iocg was already offlined\n\nIn iocg_pay_debt(), warn is triggered if 'active_list' is empty, which\nis intended to confirm iocg is active when it has debt. However, warn\ncan be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn()\nis run at that time:\n\n WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190\n Call trace:\n iocg_pay_debt+0x14c/0x190\n iocg_kick_waitq+0x438/0x4c0\n iocg_waitq_timer_fn+0xd8/0x130\n __run_hrtimer+0x144/0x45c\n __hrtimer_run_queues+0x16c/0x244\n hrtimer_interrupt+0x2cc/0x7b0\n\nThe warn in this situation is meaningless. Since this iocg is being\nremoved, the state of the 'active_list' is irrelevant, and 'waitq_timer'\nis canceled after removing 'active_list' in ioc_pd_free(), which ensures\niocg is freed after iocg_waitq_timer_fn() returns.\n\nTherefore, add the check if iocg was already offlined to avoid warn\nwhen removing a blkcg or disk.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36908\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36908\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36908\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36908\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36908\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01bc4fda9ea0a6b52f12326486f07a4910666cf6\",\n \"https://git.kernel.org/stable/c/14b3275f93d4a0d8ddc02195bc4e9869b7a3700e\",\n \"https://git.kernel.org/stable/c/1c172ac7afe4442964f4153b2c78fe4e005d9d67\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblk-iocost: do not WARN if iocg was already offlined\\n\\nIn iocg_pay_debt(), warn is triggered if 'active_list' is empty, which\\nis intended to confirm iocg is active when it has debt. However, warn\\ncan be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn()\\nis run at that time:\\n\\n WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190\\n Call trace:\\n iocg_pay_debt+0x14c/0x190\\n iocg_kick_waitq+0x438/0x4c0\\n iocg_waitq_timer_fn+0xd8/0x130\\n __run_hrtimer+0x144/0x45c\\n __hrtimer_run_queues+0x16c/0x244\\n hrtimer_interrupt+0x2cc/0x7b0\\n\\nThe warn in this situation is meaningless. Since this iocg is being\\nremoved, the state of the 'active_list' is irrelevant, and 'waitq_timer'\\nis canceled after removing 'active_list' in ioc_pd_free(), which ensures\\niocg is freed after iocg_waitq_timer_fn() returns.\\n\\nTherefore, add the check if iocg was already offlined to avoid warn\\nwhen removing a blkcg or disk.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36908\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36909", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36909" + }, + { + "url": "https://git.kernel.org/stable/c/2f622008bf784a9f5dd17baa19223cc2ac30a039" + }, + { + "url": "https://git.kernel.org/stable/c/30d18df6567be09c1433e81993e35e3da573ac48" + }, + { + "url": "https://git.kernel.org/stable/c/82f9e213b124a7d2bb5b16ea35d570260ef467e0" + }, + { + "url": "https://git.kernel.org/stable/c/a9212a4e2963a7fbe3864ba33dc551d4ad8d0abb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36909 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36909", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe VMBus ring buffer code could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the struct\nvmbus_gpadl for the ring buffers to decide whether to free the memory.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36909\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36909\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36909\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36909\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36909\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f622008bf784a9f5dd17baa19223cc2ac30a039\",\n \"https://git.kernel.org/stable/c/30d18df6567be09c1433e81993e35e3da573ac48\",\n \"https://git.kernel.org/stable/c/82f9e213b124a7d2bb5b16ea35d570260ef467e0\",\n \"https://git.kernel.org/stable/c/a9212a4e2963a7fbe3864ba33dc551d4ad8d0abb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nDrivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted\\n\\nIn CoCo VMs it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nThe VMBus ring buffer code could free decrypted/shared pages if\\nset_memory_decrypted() fails. Check the decrypted field in the struct\\nvmbus_gpadl for the ring buffers to decide whether to free the memory.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36909\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36910", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36910" + }, + { + "url": "https://git.kernel.org/stable/c/3d788b2fbe6a1a1a9e3db09742b90809d51638b7" + }, + { + "url": "https://git.kernel.org/stable/c/6466a0f6d235c8a18c602cb587160d7e49876db9" + }, + { + "url": "https://git.kernel.org/stable/c/dabf12bf994318d939f70d47cfda30e47abb2c54" + }, + { + "url": "https://git.kernel.org/stable/c/fe2c58602354fbd60680dc42ac3a0b772cda7d23" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36910 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36910", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Don't free decrypted memory\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe VMBus device UIO driver could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\nto decide whether to free the memory.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36910\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36910\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36910\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36910\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36910\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3d788b2fbe6a1a1a9e3db09742b90809d51638b7\",\n \"https://git.kernel.org/stable/c/6466a0f6d235c8a18c602cb587160d7e49876db9\",\n \"https://git.kernel.org/stable/c/dabf12bf994318d939f70d47cfda30e47abb2c54\",\n \"https://git.kernel.org/stable/c/fe2c58602354fbd60680dc42ac3a0b772cda7d23\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nuio_hv_generic: Don't free decrypted memory\\n\\nIn CoCo VMs it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nThe VMBus device UIO driver could free decrypted/shared pages if\\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\\nto decide whether to free the memory.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.2,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36910\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36911", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36911" + }, + { + "url": "https://git.kernel.org/stable/c/4aaed9dbe8acd2b6114458f0498a617283d6275b" + }, + { + "url": "https://git.kernel.org/stable/c/a56fe611326332bf6b7126e5559590c57dcebad4" + }, + { + "url": "https://git.kernel.org/stable/c/bbf9ac34677b57506a13682b31a2a718934c0e31" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36911 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36911", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Don't free decrypted memory\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe netvsc driver could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\nto decide whether to free the memory.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36911\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36911\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36911\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36911\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36911\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4aaed9dbe8acd2b6114458f0498a617283d6275b\",\n \"https://git.kernel.org/stable/c/a56fe611326332bf6b7126e5559590c57dcebad4\",\n \"https://git.kernel.org/stable/c/bbf9ac34677b57506a13682b31a2a718934c0e31\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhv_netvsc: Don't free decrypted memory\\n\\nIn CoCo VMs it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nThe netvsc driver could free decrypted/shared pages if\\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\\nto decide whether to free the memory.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36911\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36912", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36912" + }, + { + "url": "https://git.kernel.org/stable/c/1999644d95194d4a58d3e80ad04ce19220a01a81" + }, + { + "url": "https://git.kernel.org/stable/c/211f514ebf1ef5de37b1cf6df9d28a56cfd242ca" + }, + { + "url": "https://git.kernel.org/stable/c/8e62341f5c45b27519b7d193bcc32ada416ad9d8" + }, + { + "url": "https://git.kernel.org/stable/c/bfae56be077ba14311509e70706a13458f87ea99" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36912 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36912", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Track decrypted status in vmbus_gpadl\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nIn order to make sure callers of vmbus_establish_gpadl() and\nvmbus_teardown_gpadl() don't return decrypted/shared pages to\nallocators, add a field in struct vmbus_gpadl to keep track of the\ndecryption status of the buffers. This will allow the callers to\nknow if they should free or leak the pages.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36912\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36912\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36912\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36912\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36912\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1999644d95194d4a58d3e80ad04ce19220a01a81\",\n \"https://git.kernel.org/stable/c/211f514ebf1ef5de37b1cf6df9d28a56cfd242ca\",\n \"https://git.kernel.org/stable/c/8e62341f5c45b27519b7d193bcc32ada416ad9d8\",\n \"https://git.kernel.org/stable/c/bfae56be077ba14311509e70706a13458f87ea99\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nDrivers: hv: vmbus: Track decrypted status in vmbus_gpadl\\n\\nIn CoCo VMs it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nIn order to make sure callers of vmbus_establish_gpadl() and\\nvmbus_teardown_gpadl() don't return decrypted/shared pages to\\nallocators, add a field in struct vmbus_gpadl to keep track of the\\ndecryption status of the buffers. This will allow the callers to\\nknow if they should free or leak the pages.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.1,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36912\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36913", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36913" + }, + { + "url": "https://git.kernel.org/stable/c/03f5a999adba062456c8c818a683beb1b498983a" + }, + { + "url": "https://git.kernel.org/stable/c/6123a4e8e25bd40cf44db14694abac00e6b664e6" + }, + { + "url": "https://git.kernel.org/stable/c/e813a0fc2e597146e9cebea61ced9c796d4e308f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36913 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36913", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Leak pages if set_memory_encrypted() fails\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nVMBus code could free decrypted pages if set_memory_encrypted()/decrypted()\nfails. Leak the pages if this happens.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36913\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36913\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36913\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36913\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36913\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03f5a999adba062456c8c818a683beb1b498983a\",\n \"https://git.kernel.org/stable/c/6123a4e8e25bd40cf44db14694abac00e6b664e6\",\n \"https://git.kernel.org/stable/c/e813a0fc2e597146e9cebea61ced9c796d4e308f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nDrivers: hv: vmbus: Leak pages if set_memory_encrypted() fails\\n\\nIn CoCo VMs it is possible for the untrusted host to cause\\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\\nerror is returned and the resulting memory is shared. Callers need to\\ntake care to handle these errors to avoid returning decrypted (shared)\\nmemory to the page allocator, which could lead to functional or security\\nissues.\\n\\nVMBus code could free decrypted pages if set_memory_encrypted()/decrypted()\\nfails. Leak the pages if this happens.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.1,\n \"exploitabilityScore\": 2.2,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36913\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36914", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36914" + }, + { + "url": "https://git.kernel.org/stable/c/951a498fa993c5501994ec2df97c9297b02488c7" + }, + { + "url": "https://git.kernel.org/stable/c/e9baa7110e9f3756bd5a812af376c288d9be894d" + }, + { + "url": "https://git.kernel.org/stable/c/ecedd99a9369fb5cde601ae9abd58bca2739f1ae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36914 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36914", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip on writeback when it's not applicable\n\n[WHY]\ndynamic memory safety error detector (KASAN) catches and generates error\nmessages \"BUG: KASAN: slab-out-of-bounds\" as writeback connector does not\nsupport certain features which are not initialized.\n\n[HOW]\nSkip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36914\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36914\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36914\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36914\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36914\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/951a498fa993c5501994ec2df97c9297b02488c7\",\n \"https://git.kernel.org/stable/c/e9baa7110e9f3756bd5a812af376c288d9be894d\",\n \"https://git.kernel.org/stable/c/ecedd99a9369fb5cde601ae9abd58bca2739f1ae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Skip on writeback when it's not applicable\\n\\n[WHY]\\ndynamic memory safety error detector (KASAN) catches and generates error\\nmessages \\\"BUG: KASAN: slab-out-of-bounds\\\" as writeback connector does not\\nsupport certain features which are not initialized.\\n\\n[HOW]\\nSkip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36914\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36915", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36915" + }, + { + "url": "https://git.kernel.org/stable/c/0f106133203021533cb753e80d75896f4ad222f8" + }, + { + "url": "https://git.kernel.org/stable/c/29dc0ea979d433dd3c26abc8fa971550bdc05107" + }, + { + "url": "https://git.kernel.org/stable/c/7a87441c9651ba37842f4809224aca13a554a26f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36915 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36915", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: fix nfc_llcp_setsockopt() unsafe copies\n\nsyzbot reported unsafe calls to copy_from_sockptr() [1]\n\nUse copy_safe_from_sockptr() instead.\n\n[1]\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\nRead of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078\n\nCPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\n do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfd/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7f7fac07fd89\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89\nRDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36915\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36915\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36915\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36915\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36915\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f106133203021533cb753e80d75896f4ad222f8\",\n \"https://git.kernel.org/stable/c/29dc0ea979d433dd3c26abc8fa971550bdc05107\",\n \"https://git.kernel.org/stable/c/7a87441c9651ba37842f4809224aca13a554a26f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc: llcp: fix nfc_llcp_setsockopt() unsafe copies\\n\\nsyzbot reported unsafe calls to copy_from_sockptr() [1]\\n\\nUse copy_safe_from_sockptr() instead.\\n\\n[1]\\n\\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\\nRead of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078\\n\\nCPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\\n nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\\n do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311\\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\\n __do_sys_setsockopt net/socket.c:2343 [inline]\\n __se_sys_setsockopt net/socket.c:2340 [inline]\\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\\n do_syscall_64+0xfd/0x240\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\nRIP: 0033:0x7f7fac07fd89\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89\\nRDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004\\nRBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000\\nR10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000\\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36915\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36916", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36916" + }, + { + "url": "https://git.kernel.org/stable/c/488dc6808cb8369685f18cee81e88e7052ac153b" + }, + { + "url": "https://git.kernel.org/stable/c/62accf6c1d7b433752cb3591bba8967b7a801ad5" + }, + { + "url": "https://git.kernel.org/stable/c/844fc023e9f14a4fb1de5ae1eaefafd6d69c5fa1" + }, + { + "url": "https://git.kernel.org/stable/c/beaa51b36012fad5a4d3c18b88a617aea7a9b96d" + }, + { + "url": "https://git.kernel.org/stable/c/ce0e99cae00e3131872936713b7f55eefd53ab86" + }, + { + "url": "https://git.kernel.org/stable/c/f6add0a6f78dc6360b822ca4b6f9f2f14174c8ca" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36916 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36916", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: avoid out of bounds shift\n\nUBSAN catches undefined behavior in blk-iocost, where sometimes\niocg->delay is shifted right by a number that is too large,\nresulting in undefined behavior on some architectures.\n\n[ 186.556576] ------------[ cut here ]------------\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23\nshift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')\nCPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1\nHardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020\nCall Trace:\n \n dump_stack_lvl+0x8f/0xe0\n __ubsan_handle_shift_out_of_bounds+0x22c/0x280\n iocg_kick_delay+0x30b/0x310\n ioc_timer_fn+0x2fb/0x1f80\n __run_timer_base+0x1b6/0x250\n...\n\nAvoid that undefined behavior by simply taking the\n\"delay = 0\" branch if the shift is too large.\n\nI am not sure what the symptoms of an undefined value\ndelay will be, but I suspect it could be more than a\nlittle annoying to debug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36916\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36916\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36916\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36916\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36916\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/488dc6808cb8369685f18cee81e88e7052ac153b\",\n \"https://git.kernel.org/stable/c/62accf6c1d7b433752cb3591bba8967b7a801ad5\",\n \"https://git.kernel.org/stable/c/844fc023e9f14a4fb1de5ae1eaefafd6d69c5fa1\",\n \"https://git.kernel.org/stable/c/beaa51b36012fad5a4d3c18b88a617aea7a9b96d\",\n \"https://git.kernel.org/stable/c/ce0e99cae00e3131872936713b7f55eefd53ab86\",\n \"https://git.kernel.org/stable/c/f6add0a6f78dc6360b822ca4b6f9f2f14174c8ca\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblk-iocost: avoid out of bounds shift\\n\\nUBSAN catches undefined behavior in blk-iocost, where sometimes\\niocg->delay is shifted right by a number that is too large,\\nresulting in undefined behavior on some architectures.\\n\\n[ 186.556576] ------------[ cut here ]------------\\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23\\nshift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')\\nCPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1\\nHardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020\\nCall Trace:\\n \\n dump_stack_lvl+0x8f/0xe0\\n __ubsan_handle_shift_out_of_bounds+0x22c/0x280\\n iocg_kick_delay+0x30b/0x310\\n ioc_timer_fn+0x2fb/0x1f80\\n __run_timer_base+0x1b6/0x250\\n...\\n\\nAvoid that undefined behavior by simply taking the\\n\\\"delay = 0\\\" branch if the shift is too large.\\n\\nI am not sure what the symptoms of an undefined value\\ndelay will be, but I suspect it could be more than a\\nlittle annoying to debug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36916\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36917", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36917" + }, + { + "url": "https://git.kernel.org/stable/c/22d24a544b0d49bbcbd61c8c0eaf77d3c9297155" + }, + { + "url": "https://git.kernel.org/stable/c/507d526a98c355e6f3fb2c47aacad44a69784bee" + }, + { + "url": "https://git.kernel.org/stable/c/8a26198186e97ee5fc4b42fde82629cff8c75cd6" + }, + { + "url": "https://git.kernel.org/stable/c/e1d38cde2b7b0fbd1c48082e7a98c37d750af59b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36917 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36917", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix overflow in blk_ioctl_discard()\n\nThere is no check for overflow of 'start + len' in blk_ioctl_discard().\nHung task occurs if submit an discard ioctl with the following param:\n start = 0x80000000000ff000, len = 0x8000000000fff000;\nAdd the overflow validation now.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36917\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36917\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36917\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36917\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36917\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22d24a544b0d49bbcbd61c8c0eaf77d3c9297155\",\n \"https://git.kernel.org/stable/c/507d526a98c355e6f3fb2c47aacad44a69784bee\",\n \"https://git.kernel.org/stable/c/8a26198186e97ee5fc4b42fde82629cff8c75cd6\",\n \"https://git.kernel.org/stable/c/e1d38cde2b7b0fbd1c48082e7a98c37d750af59b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: fix overflow in blk_ioctl_discard()\\n\\nThere is no check for overflow of 'start + len' in blk_ioctl_discard().\\nHung task occurs if submit an discard ioctl with the following param:\\n start = 0x80000000000ff000, len = 0x8000000000fff000;\\nAdd the overflow validation now.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36917\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36918", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36918" + }, + { + "url": "https://git.kernel.org/stable/c/608e13706c8b6c658a0646f09ebced74ec367f7c" + }, + { + "url": "https://git.kernel.org/stable/c/a8d89feba7e54e691ca7c4efc2a6264fa83f3687" + }, + { + "url": "https://git.kernel.org/stable/c/c418afb9bf23e2f2b76cb819601e4a5d9dbab42d" + }, + { + "url": "https://git.kernel.org/stable/c/fa6995eeb62e74b5a1480c73fb7b420c270784d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36918 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36918", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check bloom filter map value size\n\nThis patch adds a missing check to bloom filter creating, rejecting\nvalues above KMALLOC_MAX_SIZE. This brings the bloom map in line with\nmany other map types.\n\nThe lack of this protection can cause kernel crashes for value sizes\nthat overflow int's. Such a crash was caught by syzkaller. The next\npatch adds more guard-rails at a lower level.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36918\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36918\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36918\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36918\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36918\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/608e13706c8b6c658a0646f09ebced74ec367f7c\",\n \"https://git.kernel.org/stable/c/a8d89feba7e54e691ca7c4efc2a6264fa83f3687\",\n \"https://git.kernel.org/stable/c/c418afb9bf23e2f2b76cb819601e4a5d9dbab42d\",\n \"https://git.kernel.org/stable/c/fa6995eeb62e74b5a1480c73fb7b420c270784d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Check bloom filter map value size\\n\\nThis patch adds a missing check to bloom filter creating, rejecting\\nvalues above KMALLOC_MAX_SIZE. This brings the bloom map in line with\\nmany other map types.\\n\\nThe lack of this protection can cause kernel crashes for value sizes\\nthat overflow int's. Such a crash was caught by syzkaller. The next\\npatch adds more guard-rails at a lower level.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36918\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36919", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36919" + }, + { + "url": "https://git.kernel.org/stable/c/1150606d47d711d5bfdf329a1a96ed7027085936" + }, + { + "url": "https://git.kernel.org/stable/c/468f3e3c15076338367b0945b041105b67cf31e3" + }, + { + "url": "https://git.kernel.org/stable/c/93aa5ccc44781bdfef1bf0bc4c2c292d45251312" + }, + { + "url": "https://git.kernel.org/stable/c/acd370c1fb86b7302c1cbb354a7c1cd9953768eb" + }, + { + "url": "https://git.kernel.org/stable/c/ad498539dda0816aadef384ec117bfea304c75c3" + }, + { + "url": "https://git.kernel.org/stable/c/c214ed2a4dda35b308b0b28eed804d7ae66401f9" + }, + { + "url": "https://git.kernel.org/stable/c/c885ab23206b1f1ba0731ffe7c9455c6a91db256" + }, + { + "url": "https://git.kernel.org/stable/c/ea50941cd8c9f0b12f38b73d3b1bfeca660dd342" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36919 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36919", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\n\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won't be used any longer. The offload and upload\ncalls are sequential, hence lock is not required.\n\nThis will suppress following BUG_ON():\n\n[ 449.843143] ------------[ cut here ]------------\n[ 449.848302] kernel BUG at mm/vmalloc.c:2727!\n[ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[ 449.882910] RIP: 0010:vunmap+0x2e/0x30\n[ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 449.993028] Call Trace:\n[ 449.995756] __iommu_dma_free+0x96/0x100\n[ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[ 450.018136] fc_rport_work+0x103/0x5b0 [libfc]\n[ 450.023103] process_one_work+0x1e8/0x3c0\n[ 450.027581] worker_thread+0x50/0x3b0\n[ 450.031669] ? rescuer_thread+0x370/0x370\n[ 450.036143] kthread+0x149/0x170\n[ 450.039744] ? set_kthread_struct+0x40/0x40\n[ 450.044411] ret_from_fork+0x22/0x30\n[ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[ 450.159753] ---[ end trace 712de2c57c64abc8 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36919\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36919\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36919\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36919\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36919\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1150606d47d711d5bfdf329a1a96ed7027085936\",\n \"https://git.kernel.org/stable/c/468f3e3c15076338367b0945b041105b67cf31e3\",\n \"https://git.kernel.org/stable/c/93aa5ccc44781bdfef1bf0bc4c2c292d45251312\",\n \"https://git.kernel.org/stable/c/acd370c1fb86b7302c1cbb354a7c1cd9953768eb\",\n \"https://git.kernel.org/stable/c/ad498539dda0816aadef384ec117bfea304c75c3\",\n \"https://git.kernel.org/stable/c/c214ed2a4dda35b308b0b28eed804d7ae66401f9\",\n \"https://git.kernel.org/stable/c/c885ab23206b1f1ba0731ffe7c9455c6a91db256\",\n \"https://git.kernel.org/stable/c/ea50941cd8c9f0b12f38b73d3b1bfeca660dd342\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\\n\\nThe session resources are used by FW and driver when session is offloaded,\\nonce session is uploaded these resources are not used. The lock is not\\nrequired as these fields won't be used any longer. The offload and upload\\ncalls are sequential, hence lock is not required.\\n\\nThis will suppress following BUG_ON():\\n\\n[ 449.843143] ------------[ cut here ]------------\\n[ 449.848302] kernel BUG at mm/vmalloc.c:2727!\\n[ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\\n[ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\\nRebooting.\\n[ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\\n[ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\\n[ 449.882910] RIP: 0010:vunmap+0x2e/0x30\\n[ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\\n[ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\\n[ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\\n[ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\\n[ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\\n[ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\\n[ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\\n[ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\\n[ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\\n[ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 449.993028] Call Trace:\\n[ 449.995756] __iommu_dma_free+0x96/0x100\\n[ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\\n[ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc]\\n[ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\\n[ 450.018136] fc_rport_work+0x103/0x5b0 [libfc]\\n[ 450.023103] process_one_work+0x1e8/0x3c0\\n[ 450.027581] worker_thread+0x50/0x3b0\\n[ 450.031669] ? rescuer_thread+0x370/0x370\\n[ 450.036143] kthread+0x149/0x170\\n[ 450.039744] ? set_kthread_struct+0x40/0x40\\n[ 450.044411] ret_from_fork+0x22/0x30\\n[ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\\n[ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\\n[ 450.159753] ---[ end trace 712de2c57c64abc8 ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36919\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36920", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36920" + }, + { + "url": "https://git.kernel.org/stable/c/429846b4b6ce9853e0d803a2357bb2e55083adf0" + }, + { + "url": "https://git.kernel.org/stable/c/4d2772324f43cf5674ac3dbe3f74a7e656396716" + }, + { + "url": "https://git.kernel.org/stable/c/5f0266044dc611563539705bff0b3e1545fbb6aa" + }, + { + "url": "https://git.kernel.org/stable/c/f09318244c6cafd10aca741b9c01e0a2c362d43a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36920 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36920", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Avoid memcpy field-spanning write WARNING\n\nWhen the \"storcli2 show\" command is executed for eHBA-9600, mpi3mr driver\nprints this WARNING message:\n\n memcpy: detected field-spanning write (size 128) of single field \"bsg_reply_buf->reply_buf\" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1)\n WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]\n\nThe cause of the WARN is 128 bytes memcpy to the 1 byte size array \"__u8\nreplay_buf[1]\" in the struct mpi3mr_bsg_in_reply_buf. The array is intended\nto be a flexible length array, so the WARN is a false positive.\n\nTo suppress the WARN, remove the constant number '1' from the array\ndeclaration and clarify that it has flexible length. Also, adjust the\nmemory allocation size to match the change.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36920\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36920\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36920\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36920\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36920\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/429846b4b6ce9853e0d803a2357bb2e55083adf0\",\n \"https://git.kernel.org/stable/c/4d2772324f43cf5674ac3dbe3f74a7e656396716\",\n \"https://git.kernel.org/stable/c/5f0266044dc611563539705bff0b3e1545fbb6aa\",\n \"https://git.kernel.org/stable/c/f09318244c6cafd10aca741b9c01e0a2c362d43a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: mpi3mr: Avoid memcpy field-spanning write WARNING\\n\\nWhen the \\\"storcli2 show\\\" command is executed for eHBA-9600, mpi3mr driver\\nprints this WARNING message:\\n\\n memcpy: detected field-spanning write (size 128) of single field \\\"bsg_reply_buf->reply_buf\\\" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1)\\n WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]\\n\\nThe cause of the WARN is 128 bytes memcpy to the 1 byte size array \\\"__u8\\nreplay_buf[1]\\\" in the struct mpi3mr_bsg_in_reply_buf. The array is intended\\nto be a flexible length array, so the WARN is a false positive.\\n\\nTo suppress the WARN, remove the constant number '1' from the array\\ndeclaration and clarify that it has flexible length. Also, adjust the\\nmemory allocation size to match the change.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36920\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36921", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36921" + }, + { + "url": "https://git.kernel.org/stable/c/17f64517bf5c26af56b6c3566273aad6646c3c4f" + }, + { + "url": "https://git.kernel.org/stable/c/94f80a8ec15e238b78521f20f8afaed60521a294" + }, + { + "url": "https://git.kernel.org/stable/c/fab21d220017daa5fd8a3d788ff25ccfecfaae2f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36921 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36921", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: guard against invalid STA ID on removal\n\nGuard against invalid station IDs in iwl_mvm_mld_rm_sta_id as that would\nresult in out-of-bounds array accesses. This prevents issues should the\ndriver get into a bad state during error handling.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36921\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36921\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36921\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36921\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36921\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17f64517bf5c26af56b6c3566273aad6646c3c4f\",\n \"https://git.kernel.org/stable/c/94f80a8ec15e238b78521f20f8afaed60521a294\",\n \"https://git.kernel.org/stable/c/fab21d220017daa5fd8a3d788ff25ccfecfaae2f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: guard against invalid STA ID on removal\\n\\nGuard against invalid station IDs in iwl_mvm_mld_rm_sta_id as that would\\nresult in out-of-bounds array accesses. This prevents issues should the\\ndriver get into a bad state during error handling.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36921\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36922", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36922" + }, + { + "url": "https://git.kernel.org/stable/c/43d07103df670484cdd26f9588eabef80f69db89" + }, + { + "url": "https://git.kernel.org/stable/c/b83db8e756dec68a950ed2f056248b1704b3deaa" + }, + { + "url": "https://git.kernel.org/stable/c/c2ace6300600c634553657785dfe5ea0ed688ac2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36922 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36922", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: read txq->read_ptr under lock\n\nIf we read txq->read_ptr without lock, we can read the same\nvalue twice, then obtain the lock, and reclaim from there\nto two different places, but crucially reclaim the same\nentry twice, resulting in the WARN_ONCE() a little later.\nFix that by reading txq->read_ptr under lock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36922\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36922\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36922\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36922\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36922\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/43d07103df670484cdd26f9588eabef80f69db89\",\n \"https://git.kernel.org/stable/c/b83db8e756dec68a950ed2f056248b1704b3deaa\",\n \"https://git.kernel.org/stable/c/c2ace6300600c634553657785dfe5ea0ed688ac2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: read txq->read_ptr under lock\\n\\nIf we read txq->read_ptr without lock, we can read the same\\nvalue twice, then obtain the lock, and reclaim from there\\nto two different places, but crucially reclaim the same\\nentry twice, resulting in the WARN_ONCE() a little later.\\nFix that by reading txq->read_ptr under lock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36922\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36923", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36923" + }, + { + "url": "https://git.kernel.org/stable/c/1b4cb6e91f19b81217ad98142ee53a1ab25893fd" + }, + { + "url": "https://git.kernel.org/stable/c/6630036b7c228f57c7893ee0403e92c2db2cd21d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36923 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36923", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: fix uninitialized values during inode evict\n\nIf an iget fails due to not being able to retrieve information\nfrom the server then the inode structure is only partially\ninitialized. When the inode gets evicted, references to\nuninitialized structures (like fscache cookies) were being\nmade.\n\nThis patch checks for a bad_inode before doing anything other\nthan clearing the inode from the cache. Since the inode is\nbad, it shouldn't have any state associated with it that needs\nto be written back (and there really isn't a way to complete\nthose anyways).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36923\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36923\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36923\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36923\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36923\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b4cb6e91f19b81217ad98142ee53a1ab25893fd\",\n \"https://git.kernel.org/stable/c/6630036b7c228f57c7893ee0403e92c2db2cd21d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/9p: fix uninitialized values during inode evict\\n\\nIf an iget fails due to not being able to retrieve information\\nfrom the server then the inode structure is only partially\\ninitialized. When the inode gets evicted, references to\\nuninitialized structures (like fscache cookies) were being\\nmade.\\n\\nThis patch checks for a bad_inode before doing anything other\\nthan clearing the inode from the cache. Since the inode is\\nbad, it shouldn't have any state associated with it that needs\\nto be written back (and there really isn't a way to complete\\nthose anyways).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36923\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36924", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36924" + }, + { + "url": "https://git.kernel.org/stable/c/6503c39398506cadda9f4c81695a9655ca5fb4fd" + }, + { + "url": "https://git.kernel.org/stable/c/ded20192dff31c91cef2a04f7e20e60e9bb887d3" + }, + { + "url": "https://git.kernel.org/stable/c/e8bf2c05e8ad68e90f9d5889a9e4ef3f6fe00683" + }, + { + "url": "https://git.kernel.org/stable/c/ee833d7e62de2b84ed1332d501b67f12e7e5678f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36924 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36924", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\n\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\nhbalock. Thus, lpfc_worker_wake_up() should not be called while holding the\nhbalock to avoid potential deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36924\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36924\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36924\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36924\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36924\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6503c39398506cadda9f4c81695a9655ca5fb4fd\",\n \"https://git.kernel.org/stable/c/ded20192dff31c91cef2a04f7e20e60e9bb887d3\",\n \"https://git.kernel.org/stable/c/e8bf2c05e8ad68e90f9d5889a9e4ef3f6fe00683\",\n \"https://git.kernel.org/stable/c/ee833d7e62de2b84ed1332d501b67f12e7e5678f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\\n\\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\\nhbalock. Thus, lpfc_worker_wake_up() should not be called while holding the\\nhbalock to avoid potential deadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36924\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36927", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36927" + }, + { + "url": "https://git.kernel.org/stable/c/5db08343ddb1b239320612036c398e4e1bb52818" + }, + { + "url": "https://git.kernel.org/stable/c/f5c603ad4e6fcf42f84053e882ebe20184bb309e" + }, + { + "url": "https://git.kernel.org/stable/c/fc1092f51567277509563800a3c56732070b6aa4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36927 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36927", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix uninit-value access in __ip_make_skb()\n\nKMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()\ntests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a\nrace condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL\nwhile __ip_make_skb() is running, the function will access icmphdr in the\nskb even if it is not included. This causes the issue reported by KMSAN.\n\nCheck FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL\non the socket.\n\nAlso, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These\nare union in struct flowi4 and are implicitly initialized by\nflowi4_init_output(), but we should not rely on specific union layout.\n\nInitialize these explicitly in raw_sendmsg().\n\n[1]\nBUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n ip_finish_skb include/net/ip.h:243 [inline]\n ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508\n raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128\n ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365\n raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36927\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36927\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36927\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36927\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36927\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5db08343ddb1b239320612036c398e4e1bb52818\",\n \"https://git.kernel.org/stable/c/f5c603ad4e6fcf42f84053e882ebe20184bb309e\",\n \"https://git.kernel.org/stable/c/fc1092f51567277509563800a3c56732070b6aa4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv4: Fix uninit-value access in __ip_make_skb()\\n\\nKMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()\\ntests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a\\nrace condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL\\nwhile __ip_make_skb() is running, the function will access icmphdr in the\\nskb even if it is not included. This causes the issue reported by KMSAN.\\n\\nCheck FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL\\non the socket.\\n\\nAlso, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These\\nare union in struct flowi4 and are implicitly initialized by\\nflowi4_init_output(), but we should not rely on specific union layout.\\n\\nInitialize these explicitly in raw_sendmsg().\\n\\n[1]\\nBUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\\n __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\\n ip_finish_skb include/net/ip.h:243 [inline]\\n ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508\\n raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654\\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\\n __do_sys_sendto net/socket.c:2203 [inline]\\n __se_sys_sendto net/socket.c:2199 [inline]\\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3804 [inline]\\n slab_alloc_node mm/slub.c:3845 [inline]\\n kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888\\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577\\n __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668\\n alloc_skb include/linux/skbuff.h:1318 [inline]\\n __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128\\n ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365\\n raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648\\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\\n __do_sys_sendto net/socket.c:2203 [inline]\\n __se_sys_sendto net/socket.c:2199 [inline]\\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nCPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36927\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36928", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36928" + }, + { + "url": "https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6" + }, + { + "url": "https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524" + }, + { + "url": "https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494" + }, + { + "url": "https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3" + }, + { + "url": "https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36928 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36928", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: Fix kernel panic after setting hsuid\n\nSymptom:\nWhen the hsuid attribute is set for the first time on an IQD Layer3\ndevice while the corresponding network interface is already UP,\nthe kernel will try to execute a napi function pointer that is NULL.\n\nExample:\n---------------------------------------------------------------------------\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\n qdio ccwgroup pkey zcrypt\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\n[ 2057.572748] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\n[ 2057.572754] 00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\n[ 2057.572756] 000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\n[ 2057.572758] 00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\n[ 2057.572762] Krnl Code:#0000000000000000: 0000 illegal\n >0000000000000002: 0000 illegal\n 0000000000000004: 0000 illegal\n 0000000000000006: 0000 illegal\n 0000000000000008: 0000 illegal\n 000000000000000a: 0000 illegal\n 000000000000000c: 0000 illegal\n 000000000000000e: 0000 illegal\n[ 2057.572800] Call Trace:\n[ 2057.572801] ([<00000000ec639700>] 0xec639700)\n[ 2057.572803] [<00000000913183e2>] net_rx_action+0x2ba/0x398\n[ 2057.572809] [<0000000091515f76>] __do_softirq+0x11e/0x3a0\n[ 2057.572813] [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58\n[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)\n[ 2057.572822] [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98\n[ 2057.572825] [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70\n[ 2057.572827] [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]\n[ 2057.572830] [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]\n[ 2057.572833] [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]\n[ 2057.572835] [<00000000912e7e90>] __sys_connect+0xa0/0xd8\n[ 2057.572839] [<00000000912e9580>] sys_socketcall+0x228/0x348\n[ 2057.572841] [<0000000091514e1a>] system_call+0x2a6/0x2c8\n[ 2057.572843] Last Breaking-Event-Address:\n[ 2057.572844] [<0000000091317e44>] __napi_poll+0x4c/0x1d8\n[ 2057.572846]\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\n-------------------------------------------------------------------------------------------\n\nAnalysis:\nThere is one napi structure per out_q: card->qdio.out_qs[i].napi\nThe napi.poll functions are set during qeth_open().\n\nSince\ncommit 1cfef80d4c2b (\"s390/qeth: Don't call dev_close/dev_open (DOWN/UP)\")\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\ndev_open(). So if qeth_free_qdio_queues() cleared\ncard->qdio.out_qs[i].napi.poll while the network interface was UP and the\ncard was offline, they are not set again.\n\nReproduction:\nchzdev -e $devno layer2=0\nip link set dev $network_interface up\necho 0 > /sys/bus/ccw\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36928\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36928\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36928\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36928\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36928\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6\",\n \"https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524\",\n \"https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494\",\n \"https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3\",\n \"https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/qeth: Fix kernel panic after setting hsuid\\n\\nSymptom:\\nWhen the hsuid attribute is set for the first time on an IQD Layer3\\ndevice while the corresponding network interface is already UP,\\nthe kernel will try to execute a napi function pointer that is NULL.\\n\\nExample:\\n---------------------------------------------------------------------------\\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\\n qdio ccwgroup pkey zcrypt\\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\\n[ 2057.572748] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\\n[ 2057.572754] 00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\\n[ 2057.572756] 000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\\n[ 2057.572758] 00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\\n[ 2057.572762] Krnl Code:#0000000000000000: 0000 illegal\\n >0000000000000002: 0000 illegal\\n 0000000000000004: 0000 illegal\\n 0000000000000006: 0000 illegal\\n 0000000000000008: 0000 illegal\\n 000000000000000a: 0000 illegal\\n 000000000000000c: 0000 illegal\\n 000000000000000e: 0000 illegal\\n[ 2057.572800] Call Trace:\\n[ 2057.572801] ([<00000000ec639700>] 0xec639700)\\n[ 2057.572803] [<00000000913183e2>] net_rx_action+0x2ba/0x398\\n[ 2057.572809] [<0000000091515f76>] __do_softirq+0x11e/0x3a0\\n[ 2057.572813] [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58\\n[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)\\n[ 2057.572822] [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98\\n[ 2057.572825] [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70\\n[ 2057.572827] [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]\\n[ 2057.572830] [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]\\n[ 2057.572833] [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]\\n[ 2057.572835] [<00000000912e7e90>] __sys_connect+0xa0/0xd8\\n[ 2057.572839] [<00000000912e9580>] sys_socketcall+0x228/0x348\\n[ 2057.572841] [<0000000091514e1a>] system_call+0x2a6/0x2c8\\n[ 2057.572843] Last Breaking-Event-Address:\\n[ 2057.572844] [<0000000091317e44>] __napi_poll+0x4c/0x1d8\\n[ 2057.572846]\\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\\n-------------------------------------------------------------------------------------------\\n\\nAnalysis:\\nThere is one napi structure per out_q: card->qdio.out_qs[i].napi\\nThe napi.poll functions are set during qeth_open().\\n\\nSince\\ncommit 1cfef80d4c2b (\\\"s390/qeth: Don't call dev_close/dev_open (DOWN/UP)\\\")\\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\\ndev_open(). So if qeth_free_qdio_queues() cleared\\ncard->qdio.out_qs[i].napi.poll while the network interface was UP and the\\ncard was offline, they are not set again.\\n\\nReproduction:\\nchzdev -e $devno layer2=0\\nip link set dev $network_interface up\\necho 0 > /sys/bus/ccw\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36928\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36929", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36929" + }, + { + "url": "https://git.kernel.org/stable/c/989bf6fd1e1d058e73a364dce1a0c53d33373f62" + }, + { + "url": "https://git.kernel.org/stable/c/aea5e2669c2863fdd8679c40ee310b3bcaa85aec" + }, + { + "url": "https://git.kernel.org/stable/c/c7af99cc21923a9650533c9d77265c8dd683a533" + }, + { + "url": "https://git.kernel.org/stable/c/cfe34d86ef9765c388f145039006bb79b6c81ac6" + }, + { + "url": "https://git.kernel.org/stable/c/d091e579b864fa790dd6a0cd537a22c383126681" + }, + { + "url": "https://git.kernel.org/stable/c/faa83a7797f06cefed86731ba4baa3b4dfdc06c1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36929", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\n\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\ninvalid. Return NULL if such an skb is passed to skb_copy or\nskb_copy_expand, in order to prevent a crash on a potential later\ncall to skb_gso_segment.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/989bf6fd1e1d058e73a364dce1a0c53d33373f62\",\n \"https://git.kernel.org/stable/c/aea5e2669c2863fdd8679c40ee310b3bcaa85aec\",\n \"https://git.kernel.org/stable/c/c7af99cc21923a9650533c9d77265c8dd683a533\",\n \"https://git.kernel.org/stable/c/cfe34d86ef9765c388f145039006bb79b6c81ac6\",\n \"https://git.kernel.org/stable/c/d091e579b864fa790dd6a0cd537a22c383126681\",\n \"https://git.kernel.org/stable/c/faa83a7797f06cefed86731ba4baa3b4dfdc06c1\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\\n\\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\\ninvalid. Return NULL if such an skb is passed to skb_copy or\\nskb_copy_expand, in order to prevent a crash on a potential later\\ncall to skb_gso_segment.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36931", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36931" + }, + { + "url": "https://git.kernel.org/stable/c/06759ebaf75c19c87b2453a5e130e9e61e9b5d65" + }, + { + "url": "https://git.kernel.org/stable/c/10452edd175fcc4fd0f5ac782ed2a002e3e5d65c" + }, + { + "url": "https://git.kernel.org/stable/c/84b38f48836662c4bfae646c014f4e981e16a2b2" + }, + { + "url": "https://git.kernel.org/stable/c/c9d48ce163305595ae20aee27774192476d5e6a5" + }, + { + "url": "https://git.kernel.org/stable/c/da7c622cddd4fe36be69ca61e8c42e43cde94784" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36931", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a lbuf-sized kernel buffer and copy lbuf from\nuserspace to that buffer. Later, we use scanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using scanf. Fix this issue by using memdup_user_nul instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06759ebaf75c19c87b2453a5e130e9e61e9b5d65\",\n \"https://git.kernel.org/stable/c/10452edd175fcc4fd0f5ac782ed2a002e3e5d65c\",\n \"https://git.kernel.org/stable/c/84b38f48836662c4bfae646c014f4e981e16a2b2\",\n \"https://git.kernel.org/stable/c/c9d48ce163305595ae20aee27774192476d5e6a5\",\n \"https://git.kernel.org/stable/c/da7c622cddd4fe36be69ca61e8c42e43cde94784\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/cio: Ensure the copied buf is NUL terminated\\n\\nCurrently, we allocate a lbuf-sized kernel buffer and copy lbuf from\\nuserspace to that buffer. Later, we use scanf on this buffer but we don't\\nensure that the string is terminated inside the buffer, this can lead to\\nOOB read when using scanf. Fix this issue by using memdup_user_nul instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36933", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36933" + }, + { + "url": "https://git.kernel.org/stable/c/29a07f2ee4d273760c2acbfc756e29eccd82470a" + }, + { + "url": "https://git.kernel.org/stable/c/37ed6f244ec5bda2e90b085084e322ea55d0aaa2" + }, + { + "url": "https://git.kernel.org/stable/c/46134031c20fd313d03b90169d64b2e05ca6b65c" + }, + { + "url": "https://git.kernel.org/stable/c/4b911a9690d72641879ea6d13cce1de31d346d79" + }, + { + "url": "https://git.kernel.org/stable/c/5a4603fbc285752d19e4b415466db18ef3617e4a" + }, + { + "url": "https://git.kernel.org/stable/c/696d18bb59727a2e0526c0802a812620be1c9340" + }, + { + "url": "https://git.kernel.org/stable/c/a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9" + }, + { + "url": "https://git.kernel.org/stable/c/bbccf0caef2fa917d6d0692385a06ce3c262a216" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36933 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36933", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().\n\nsyzbot triggered various splats (see [0] and links) by a crafted GSO\npacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:\n\n ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP\n\nNSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner\nprotocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls\nskb_mac_gso_segment() to invoke inner protocol GSO handlers.\n\nnsh_gso_segment() does the following for the original skb before\ncalling skb_mac_gso_segment()\n\n 1. reset skb->network_header\n 2. save the original skb->{mac_heaeder,mac_len} in a local variable\n 3. pull the NSH header\n 4. resets skb->mac_header\n 5. set up skb->mac_len and skb->protocol for the inner protocol.\n\nand does the following for the segmented skb\n\n 6. set ntohs(ETH_P_NSH) to skb->protocol\n 7. push the NSH header\n 8. restore skb->mac_header\n 9. set skb->mac_header + mac_len to skb->network_header\n 10. restore skb->mac_len\n\nThere are two problems in 6-7 and 8-9.\n\n (a)\n After 6 & 7, skb->data points to the NSH header, so the outer header\n (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.\n\n Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),\n skb_pull() in the first nsh_gso_segment() will make skb->data point\n to the middle of the outer NSH or Ethernet header because the Ethernet\n header is not pulled by the second nsh_gso_segment().\n\n (b)\n While restoring skb->{mac_header,network_header} in 8 & 9,\n nsh_gso_segment() does not assume that the data in the linear\n buffer is shifted.\n\n However, udp6_ufo_fragment() could shift the data and change\n skb->mac_header accordingly as demonstrated by syzbot.\n\n If this happens, even the restored skb->mac_header points to\n the middle of the outer header.\n\nIt seems nsh_gso_segment() has never worked with outer headers so far.\n\nAt the end of nsh_gso_segment(), the outer header must be restored for\nthe segmented skb, instead of the NSH header.\n\nTo do that, let's calculate the outer header position relatively from\nthe inner header and set skb->{data,mac_header,protocol} properly.\n\n[0]:\nBUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\nBUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\nBUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222\n __netdev_start_xmit include/linux/netdevice.h:4989 [inline]\n netdev_start_xmit include/linux/netdevice.h:5003 [inline]\n xmit_one net/core/dev.c:3547 [inline]\n dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563\n __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3819 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n __do_kmalloc_node mm/slub.c:3980 [inline]\n __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001\n kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\n __\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36933\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36933\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36933\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36933\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36933\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29a07f2ee4d273760c2acbfc756e29eccd82470a\",\n \"https://git.kernel.org/stable/c/37ed6f244ec5bda2e90b085084e322ea55d0aaa2\",\n \"https://git.kernel.org/stable/c/46134031c20fd313d03b90169d64b2e05ca6b65c\",\n \"https://git.kernel.org/stable/c/4b911a9690d72641879ea6d13cce1de31d346d79\",\n \"https://git.kernel.org/stable/c/5a4603fbc285752d19e4b415466db18ef3617e4a\",\n \"https://git.kernel.org/stable/c/696d18bb59727a2e0526c0802a812620be1c9340\",\n \"https://git.kernel.org/stable/c/a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9\",\n \"https://git.kernel.org/stable/c/bbccf0caef2fa917d6d0692385a06ce3c262a216\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().\\n\\nsyzbot triggered various splats (see [0] and links) by a crafted GSO\\npacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:\\n\\n ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP\\n\\nNSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner\\nprotocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls\\nskb_mac_gso_segment() to invoke inner protocol GSO handlers.\\n\\nnsh_gso_segment() does the following for the original skb before\\ncalling skb_mac_gso_segment()\\n\\n 1. reset skb->network_header\\n 2. save the original skb->{mac_heaeder,mac_len} in a local variable\\n 3. pull the NSH header\\n 4. resets skb->mac_header\\n 5. set up skb->mac_len and skb->protocol for the inner protocol.\\n\\nand does the following for the segmented skb\\n\\n 6. set ntohs(ETH_P_NSH) to skb->protocol\\n 7. push the NSH header\\n 8. restore skb->mac_header\\n 9. set skb->mac_header + mac_len to skb->network_header\\n 10. restore skb->mac_len\\n\\nThere are two problems in 6-7 and 8-9.\\n\\n (a)\\n After 6 & 7, skb->data points to the NSH header, so the outer header\\n (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.\\n\\n Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),\\n skb_pull() in the first nsh_gso_segment() will make skb->data point\\n to the middle of the outer NSH or Ethernet header because the Ethernet\\n header is not pulled by the second nsh_gso_segment().\\n\\n (b)\\n While restoring skb->{mac_header,network_header} in 8 & 9,\\n nsh_gso_segment() does not assume that the data in the linear\\n buffer is shifted.\\n\\n However, udp6_ufo_fragment() could shift the data and change\\n skb->mac_header accordingly as demonstrated by syzbot.\\n\\n If this happens, even the restored skb->mac_header points to\\n the middle of the outer header.\\n\\nIt seems nsh_gso_segment() has never worked with outer headers so far.\\n\\nAt the end of nsh_gso_segment(), the outer header must be restored for\\nthe segmented skb, instead of the NSH header.\\n\\nTo do that, let's calculate the outer header position relatively from\\nthe inner header and set skb->{data,mac_header,protocol} properly.\\n\\n[0]:\\nBUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\\nBUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\\nBUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\\n ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\\n ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222\\n __netdev_start_xmit include/linux/netdevice.h:4989 [inline]\\n netdev_start_xmit include/linux/netdevice.h:5003 [inline]\\n xmit_one net/core/dev.c:3547 [inline]\\n dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563\\n __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351\\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\\n packet_snd net/packet/af_packet.c:3081 [inline]\\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg net/socket.c:745 [inline]\\n __sys_sendto+0x735/0xa10 net/socket.c:2191\\n __do_sys_sendto net/socket.c:2203 [inline]\\n __se_sys_sendto net/socket.c:2199 [inline]\\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3819 [inline]\\n slab_alloc_node mm/slub.c:3860 [inline]\\n __do_kmalloc_node mm/slub.c:3980 [inline]\\n __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001\\n kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\\n __\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36933\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36934", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36934" + }, + { + "url": "https://git.kernel.org/stable/c/06cb37e2ba6441888f24566a997481d4197b4e32" + }, + { + "url": "https://git.kernel.org/stable/c/0f560240b4cc25d3de527deb257cdf072c0102a9" + }, + { + "url": "https://git.kernel.org/stable/c/1518b2b498a0109eb6b15755169d3b6607356b35" + }, + { + "url": "https://git.kernel.org/stable/c/6f0f19b79c085cc891c418b768f26f7004bd51a4" + }, + { + "url": "https://git.kernel.org/stable/c/80578ec10335bc15ac35fd1703c22aab34e39fdd" + }, + { + "url": "https://git.kernel.org/stable/c/8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f" + }, + { + "url": "https://git.kernel.org/stable/c/bd502ba81cd1d515deddad7dbc6b812b14b97147" + }, + { + "url": "https://git.kernel.org/stable/c/e19478763154674c084defc62ae0d64d79657f91" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36934", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbna: ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul\ninstead of memdup_user.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06cb37e2ba6441888f24566a997481d4197b4e32\",\n \"https://git.kernel.org/stable/c/0f560240b4cc25d3de527deb257cdf072c0102a9\",\n \"https://git.kernel.org/stable/c/1518b2b498a0109eb6b15755169d3b6607356b35\",\n \"https://git.kernel.org/stable/c/6f0f19b79c085cc891c418b768f26f7004bd51a4\",\n \"https://git.kernel.org/stable/c/80578ec10335bc15ac35fd1703c22aab34e39fdd\",\n \"https://git.kernel.org/stable/c/8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f\",\n \"https://git.kernel.org/stable/c/bd502ba81cd1d515deddad7dbc6b812b14b97147\",\n \"https://git.kernel.org/stable/c/e19478763154674c084defc62ae0d64d79657f91\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbna: ensure the copied buf is NUL terminated\\n\\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\\nensure that the string is terminated inside the buffer, this can lead to\\nOOB read when using sscanf. Fix this issue by using memdup_user_nul\\ninstead of memdup_user.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36937", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36937" + }, + { + "url": "https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e" + }, + { + "url": "https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc" + }, + { + "url": "https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c" + }, + { + "url": "https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553" + }, + { + "url": "https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36937 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36937", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: use flags field to disambiguate broadcast redirect\n\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\nup the redirect destination information in struct bpf_redirect_info (using\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\nfunction will read this information after the XDP program returns and pass\nthe frame on to the right redirect destination.\n\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\nbpf_redirect_info to point to the destination map to be broadcast. And\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\nit's dealing with a broadcast or a single-value redirect. However, if the\ndestination map is being destroyed before xdp_do_redirect() is called, the\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\nto think that the redirect was to a single target, but the target pointer\nis also NULL (since broadcast redirects don't have a single target), so\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\n\nTo fix this, change xdp_do_redirect() to react directly to the presence of\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\nto disambiguate between a single-target and a broadcast redirect. And only\nread the 'map' pointer if the broadcast flag is set, aborting if that has\nbeen cleared out in the meantime. This prevents the crash, while keeping\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\nadding any more checks in the non-broadcast fast path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36937\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36937\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36937\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36937\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36937\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e\",\n \"https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc\",\n \"https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c\",\n \"https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553\",\n \"https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxdp: use flags field to disambiguate broadcast redirect\\n\\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\\nup the redirect destination information in struct bpf_redirect_info (using\\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\\nfunction will read this information after the XDP program returns and pass\\nthe frame on to the right redirect destination.\\n\\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\\nbpf_redirect_info to point to the destination map to be broadcast. And\\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\\nit's dealing with a broadcast or a single-value redirect. However, if the\\ndestination map is being destroyed before xdp_do_redirect() is called, the\\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\\nto think that the redirect was to a single target, but the target pointer\\nis also NULL (since broadcast redirects don't have a single target), so\\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\\n\\nTo fix this, change xdp_do_redirect() to react directly to the presence of\\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\\nto disambiguate between a single-target and a broadcast redirect. And only\\nread the 'map' pointer if the broadcast flag is set, aborting if that has\\nbeen cleared out in the meantime. This prevents the crash, while keeping\\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\\nadding any more checks in the non-broadcast fast path.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36937\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36938", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36938" + }, + { + "url": "https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27" + }, + { + "url": "https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d" + }, + { + "url": "https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365" + }, + { + "url": "https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80" + }, + { + "url": "https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87" + }, + { + "url": "https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36938 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36938", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\n\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\nsyzbot reported [1].\n\n[1]\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\n\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\n sk_psock_put include/linux/skmsg.h:459 [inline]\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0x68/0x150 net/socket.c:1421\n __fput+0x2c1/0x660 fs/file_table.c:422\n __fput_sync+0x44/0x60 fs/file_table.c:507\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\n unix_read_skb net/unix/af_unix.c:2546 [inline]\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x140/0x180 net/socket.c:745\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nvalue changed: 0xffffffff83d7feb0 -> 0x0000000000000000\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\n\nPrior to this, commit 4cd12c6065df (\"bpf, sockmap: Fix NULL pointer\ndereference in sk_psock_verdict_data_ready()\") fixed one NULL pointer\nsimilarly due to no protection of saved_data_ready. Here is another\ndifferent caller causing the same issue because of the same reason. So\nwe should protect it with sk_callback_lock read lock because the writer\nside in the sk_psock_drop() uses \"write_lock_bh(&sk->sk_callback_lock);\".\n\nTo avoid errors that could happen in future, I move those two pairs of\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36938\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36938\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36938\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36938\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36938\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27\",\n \"https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d\",\n \"https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365\",\n \"https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80\",\n \"https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87\",\n \"https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\\n\\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\\nsyzbot reported [1].\\n\\n[1]\\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\\n\\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\\n sk_psock_put include/linux/skmsg.h:459 [inline]\\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\\n __sock_release net/socket.c:659 [inline]\\n sock_close+0x68/0x150 net/socket.c:1421\\n __fput+0x2c1/0x660 fs/file_table.c:422\\n __fput_sync+0x44/0x60 fs/file_table.c:507\\n __do_sys_close fs/open.c:1556 [inline]\\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\\n do_syscall_64+0xd3/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\\n unix_read_skb net/unix/af_unix.c:2546 [inline]\\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x140/0x180 net/socket.c:745\\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\\n ___sys_sendmsg net/socket.c:2638 [inline]\\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\\n __do_sys_sendmsg net/socket.c:2676 [inline]\\n __se_sys_sendmsg net/socket.c:2674 [inline]\\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\\n do_syscall_64+0xd3/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nvalue changed: 0xffffffff83d7feb0 -> 0x0000000000000000\\n\\nReported by Kernel Concurrency Sanitizer on:\\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\\n\\nPrior to this, commit 4cd12c6065df (\\\"bpf, sockmap: Fix NULL pointer\\ndereference in sk_psock_verdict_data_ready()\\\") fixed one NULL pointer\\nsimilarly due to no protection of saved_data_ready. Here is another\\ndifferent caller causing the same issue because of the same reason. So\\nwe should protect it with sk_callback_lock read lock because the writer\\nside in the sk_psock_drop() uses \\\"write_lock_bh(&sk->sk_callback_lock);\\\".\\n\\nTo avoid errors that could happen in future, I move those two pairs of\\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36938\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36939", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36939" + }, + { + "url": "https://git.kernel.org/stable/c/24457f1be29f1e7042e50a7749f5c2dde8c433c8" + }, + { + "url": "https://git.kernel.org/stable/c/8a1f89c98dcc542dd6d287e573523714702e0f9c" + }, + { + "url": "https://git.kernel.org/stable/c/8ae63bd858691bee0e2a92571f2fbb36a4d86d65" + }, + { + "url": "https://git.kernel.org/stable/c/9909dde2e53a19585212c32fe3eda482b5faaaa3" + }, + { + "url": "https://git.kernel.org/stable/c/b33ca18c3a1190208dfd569c4fa8a2f93084709f" + }, + { + "url": "https://git.kernel.org/stable/c/d4891d817350c67392d4731536945f3809a2a0ba" + }, + { + "url": "https://git.kernel.org/stable/c/ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36939 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36939", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: Handle error of rpc_proc_register() in nfs_net_init().\n\nsyzkaller reported a warning [0] triggered while destroying immature\nnetns.\n\nrpc_proc_register() was called in init_nfs_fs(), but its error\nhas been ignored since at least the initial commit 1da177e4c3f4\n(\"Linux-2.6.12-rc2\").\n\nRecently, commit d47151b79e32 (\"nfs: expose /proc/net/sunrpc/nfs\nin net namespaces\") converted the procfs to per-netns and made\nthe problem more visible.\n\nEven when rpc_proc_register() fails, nfs_net_init() could succeed,\nand thus nfs_net_exit() will be called while destroying the netns.\n\nThen, remove_proc_entry() will be called for non-existing proc\ndirectory and trigger the warning below.\n\nLet's handle the error of rpc_proc_register() properly in nfs_net_init().\n\n[0]:\nname 'nfs'\nWARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nModules linked in:\nCPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nCode: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb\nRSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c\nRDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc\nR13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8\nFS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310\n nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438\n ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170\n setup_net+0x46c/0x660 net/core/net_namespace.c:372\n copy_net_ns+0x244/0x590 net/core/net_namespace.c:505\n create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228\n ksys_unshare+0x342/0x760 kernel/fork.c:3322\n __do_sys_unshare kernel/fork.c:3393 [inline]\n __se_sys_unshare kernel/fork.c:3391 [inline]\n __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x7f30d0febe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002\nR13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36939\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36939\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36939\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36939\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36939\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/24457f1be29f1e7042e50a7749f5c2dde8c433c8\",\n \"https://git.kernel.org/stable/c/8a1f89c98dcc542dd6d287e573523714702e0f9c\",\n \"https://git.kernel.org/stable/c/8ae63bd858691bee0e2a92571f2fbb36a4d86d65\",\n \"https://git.kernel.org/stable/c/9909dde2e53a19585212c32fe3eda482b5faaaa3\",\n \"https://git.kernel.org/stable/c/b33ca18c3a1190208dfd569c4fa8a2f93084709f\",\n \"https://git.kernel.org/stable/c/d4891d817350c67392d4731536945f3809a2a0ba\",\n \"https://git.kernel.org/stable/c/ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfs: Handle error of rpc_proc_register() in nfs_net_init().\\n\\nsyzkaller reported a warning [0] triggered while destroying immature\\nnetns.\\n\\nrpc_proc_register() was called in init_nfs_fs(), but its error\\nhas been ignored since at least the initial commit 1da177e4c3f4\\n(\\\"Linux-2.6.12-rc2\\\").\\n\\nRecently, commit d47151b79e32 (\\\"nfs: expose /proc/net/sunrpc/nfs\\nin net namespaces\\\") converted the procfs to per-netns and made\\nthe problem more visible.\\n\\nEven when rpc_proc_register() fails, nfs_net_init() could succeed,\\nand thus nfs_net_exit() will be called while destroying the netns.\\n\\nThen, remove_proc_entry() will be called for non-existing proc\\ndirectory and trigger the warning below.\\n\\nLet's handle the error of rpc_proc_register() properly in nfs_net_init().\\n\\n[0]:\\nname 'nfs'\\nWARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\\nModules linked in:\\nCPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\nRIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\\nCode: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb\\nRSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286\\nRAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c\\nRDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001\\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc\\nR13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8\\nFS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nPKRU: 55555554\\nCall Trace:\\n \\n rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310\\n nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438\\n ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170\\n setup_net+0x46c/0x660 net/core/net_namespace.c:372\\n copy_net_ns+0x244/0x590 net/core/net_namespace.c:505\\n create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110\\n unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228\\n ksys_unshare+0x342/0x760 kernel/fork.c:3322\\n __do_sys_unshare kernel/fork.c:3393 [inline]\\n __se_sys_unshare kernel/fork.c:3391 [inline]\\n __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\\nRIP: 0033:0x7f30d0febe5d\\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\\nRSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d\\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600\\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002\\nR13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36939\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36940", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36940" + }, + { + "url": "https://git.kernel.org/stable/c/288bc4aa75f150d6f1ee82dd43c6da1b438b6068" + }, + { + "url": "https://git.kernel.org/stable/c/41f88ef8ba387a12f4a2b8c400b6c9e8e54b2cca" + }, + { + "url": "https://git.kernel.org/stable/c/5038a66dad0199de60e5671603ea6623eb9e5c79" + }, + { + "url": "https://git.kernel.org/stable/c/558c8039fdf596a584a92c171cbf3298919c448c" + }, + { + "url": "https://git.kernel.org/stable/c/735f4c6b6771eafe336404c157ca683ad72a040d" + }, + { + "url": "https://git.kernel.org/stable/c/ac7d65795827dc0cf7662384ed27caf4066bd72e" + }, + { + "url": "https://git.kernel.org/stable/c/cdaa171473d98962ae86f2a663d398fda2fbeefd" + }, + { + "url": "https://git.kernel.org/stable/c/f9f1e321d53e4c5b666b66e5b43da29841fb55ba" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36940 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36940", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: core: delete incorrect free in pinctrl_enable()\n\nThe \"pctldev\" struct is allocated in devm_pinctrl_register_and_init().\nIt's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),\nso freeing it in pinctrl_enable() will lead to a double free.\n\nThe devm_pinctrl_dev_release() function frees the pindescs and destroys\nthe mutex as well.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36940\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36940\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36940\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36940\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36940\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/288bc4aa75f150d6f1ee82dd43c6da1b438b6068\",\n \"https://git.kernel.org/stable/c/41f88ef8ba387a12f4a2b8c400b6c9e8e54b2cca\",\n \"https://git.kernel.org/stable/c/5038a66dad0199de60e5671603ea6623eb9e5c79\",\n \"https://git.kernel.org/stable/c/558c8039fdf596a584a92c171cbf3298919c448c\",\n \"https://git.kernel.org/stable/c/735f4c6b6771eafe336404c157ca683ad72a040d\",\n \"https://git.kernel.org/stable/c/ac7d65795827dc0cf7662384ed27caf4066bd72e\",\n \"https://git.kernel.org/stable/c/cdaa171473d98962ae86f2a663d398fda2fbeefd\",\n \"https://git.kernel.org/stable/c/f9f1e321d53e4c5b666b66e5b43da29841fb55ba\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npinctrl: core: delete incorrect free in pinctrl_enable()\\n\\nThe \\\"pctldev\\\" struct is allocated in devm_pinctrl_register_and_init().\\nIt's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),\\nso freeing it in pinctrl_enable() will lead to a double free.\\n\\nThe devm_pinctrl_dev_release() function frees the pindescs and destroys\\nthe mutex as well.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36940\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36941", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36941" + }, + { + "url": "https://git.kernel.org/stable/c/244822c09b4f9aedfb5977f03c0deeb39da8ec7d" + }, + { + "url": "https://git.kernel.org/stable/c/327382dc0f16b268950b96e0052595efd80f7b0a" + }, + { + "url": "https://git.kernel.org/stable/c/5a730a161ac2290d46d49be76b2b1aee8d2eb307" + }, + { + "url": "https://git.kernel.org/stable/c/801ea33ae82d6a9d954074fbcf8ea9d18f1543a7" + }, + { + "url": "https://git.kernel.org/stable/c/97792d0611ae2e6fe3ccefb0a94a1d802317c457" + }, + { + "url": "https://git.kernel.org/stable/c/ad12c74e953b68ad85c78adc6408ed8435c64af4" + }, + { + "url": "https://git.kernel.org/stable/c/b0db4caa10f2e4e811cf88744fbf0d074b67ec1f" + }, + { + "url": "https://git.kernel.org/stable/c/f92772a642485394db5c9a17bd0ee73fc6902383" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36941 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36941", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: don't free NULL coalescing rule\n\nIf the parsing fails, we can dereference a NULL pointer here.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36941\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36941\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36941\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36941\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36941\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/244822c09b4f9aedfb5977f03c0deeb39da8ec7d\",\n \"https://git.kernel.org/stable/c/327382dc0f16b268950b96e0052595efd80f7b0a\",\n \"https://git.kernel.org/stable/c/5a730a161ac2290d46d49be76b2b1aee8d2eb307\",\n \"https://git.kernel.org/stable/c/801ea33ae82d6a9d954074fbcf8ea9d18f1543a7\",\n \"https://git.kernel.org/stable/c/97792d0611ae2e6fe3ccefb0a94a1d802317c457\",\n \"https://git.kernel.org/stable/c/ad12c74e953b68ad85c78adc6408ed8435c64af4\",\n \"https://git.kernel.org/stable/c/b0db4caa10f2e4e811cf88744fbf0d074b67ec1f\",\n \"https://git.kernel.org/stable/c/f92772a642485394db5c9a17bd0ee73fc6902383\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: nl80211: don't free NULL coalescing rule\\n\\nIf the parsing fails, we can dereference a NULL pointer here.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36941\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36944", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36944" + }, + { + "url": "https://git.kernel.org/stable/c/148ed8b4d64f94ab079c8f0d88c3f444db97ba97" + }, + { + "url": "https://git.kernel.org/stable/c/3628e0383dd349f02f882e612ab6184e4bb3dc10" + }, + { + "url": "https://git.kernel.org/stable/c/3dfe35d8683daf9ba69278643efbabe40000bbf6" + }, + { + "url": "https://git.kernel.org/stable/c/4a89ac4b0921c4ea21eb1b4cf3a469a91bacfcea" + }, + { + "url": "https://git.kernel.org/stable/c/b548c53bc3ab83dc6fc86c8e840f013b2032267a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36944 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36944", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nReapply \"drm/qxl: simplify qxl_fence_wait\"\n\nThis reverts commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea.\n\nStephen Rostedt reports:\n \"I went to run my tests on my VMs and the tests hung on boot up.\n Unfortunately, the most I ever got out was:\n\n [ 93.607888] Testing event system initcall: OK\n [ 93.667730] Running tests on all trace events:\n [ 93.669757] Testing all events: OK\n [ 95.631064] ------------[ cut here ]------------\n Timed out after 60 seconds\"\n\nand further debugging points to a possible circular locking dependency\nbetween the console_owner locking and the worker pool locking.\n\nReverting the commit allows Steve's VM to boot to completion again.\n\n[ This may obviously result in the \"[TTM] Buffer eviction failed\"\n messages again, which was the reason for that original revert. But at\n this point this seems preferable to a non-booting system... ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36944\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36944\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36944\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36944\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36944\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/148ed8b4d64f94ab079c8f0d88c3f444db97ba97\",\n \"https://git.kernel.org/stable/c/3628e0383dd349f02f882e612ab6184e4bb3dc10\",\n \"https://git.kernel.org/stable/c/3dfe35d8683daf9ba69278643efbabe40000bbf6\",\n \"https://git.kernel.org/stable/c/4a89ac4b0921c4ea21eb1b4cf3a469a91bacfcea\",\n \"https://git.kernel.org/stable/c/b548c53bc3ab83dc6fc86c8e840f013b2032267a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nReapply \\\"drm/qxl: simplify qxl_fence_wait\\\"\\n\\nThis reverts commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea.\\n\\nStephen Rostedt reports:\\n \\\"I went to run my tests on my VMs and the tests hung on boot up.\\n Unfortunately, the most I ever got out was:\\n\\n [ 93.607888] Testing event system initcall: OK\\n [ 93.667730] Running tests on all trace events:\\n [ 93.669757] Testing all events: OK\\n [ 95.631064] ------------[ cut here ]------------\\n Timed out after 60 seconds\\\"\\n\\nand further debugging points to a possible circular locking dependency\\nbetween the console_owner locking and the worker pool locking.\\n\\nReverting the commit allows Steve's VM to boot to completion again.\\n\\n[ This may obviously result in the \\\"[TTM] Buffer eviction failed\\\"\\n messages again, which was the reason for that original revert. But at\\n this point this seems preferable to a non-booting system... ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36944\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36945", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36945" + }, + { + "url": "https://git.kernel.org/stable/c/2ddc0dd7fec86ee53b8928a5cca5fbddd4fc7c06" + }, + { + "url": "https://git.kernel.org/stable/c/5df93c029a907b0ff5a4eeadd77ba06ff0a277d2" + }, + { + "url": "https://git.kernel.org/stable/c/d5a466ab6e78d6f2e0f64435f1e17246c8e941ff" + }, + { + "url": "https://git.kernel.org/stable/c/da91e447d06dc649fcf46e59122e7bf8f0b2e0db" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36945 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36945", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix neighbour and rtable leak in smc_ib_find_route()\n\nIn smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable\nresolved by ip_route_output_flow() are not released or put before return.\nIt may cause the refcount leak, so fix it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36945\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36945\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36945\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36945\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36945\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ddc0dd7fec86ee53b8928a5cca5fbddd4fc7c06\",\n \"https://git.kernel.org/stable/c/5df93c029a907b0ff5a4eeadd77ba06ff0a277d2\",\n \"https://git.kernel.org/stable/c/d5a466ab6e78d6f2e0f64435f1e17246c8e941ff\",\n \"https://git.kernel.org/stable/c/da91e447d06dc649fcf46e59122e7bf8f0b2e0db\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/smc: fix neighbour and rtable leak in smc_ib_find_route()\\n\\nIn smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable\\nresolved by ip_route_output_flow() are not released or put before return.\\nIt may cause the refcount leak, so fix it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36945\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36946", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36946" + }, + { + "url": "https://git.kernel.org/stable/c/4ff334cade9dae50e4be387f71e94fae634aa9b4" + }, + { + "url": "https://git.kernel.org/stable/c/728a83160f98ee6b60df0d890141b9b7240182fe" + }, + { + "url": "https://git.kernel.org/stable/c/9a77226440008cf04ba68faf641a2d50f4998137" + }, + { + "url": "https://git.kernel.org/stable/c/d8cac8568618dcb8a51af3db1103e8d4cc4aeea7" + }, + { + "url": "https://git.kernel.org/stable/c/dc6beac059f0331de97155a89d84058d4a9e49c7" + }, + { + "url": "https://git.kernel.org/stable/c/ec1f71c05caeba0f814df77e0f511d8b4618623a" + }, + { + "url": "https://git.kernel.org/stable/c/ee9e39a6cb3ca2a3d35b4ae25547ee3526a44d00" + }, + { + "url": "https://git.kernel.org/stable/c/f085e02f0a32f6dfcfabc6535c9c4a1707cef86b" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36946 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36946", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet: fix rtm_phonet_notify() skb allocation\n\nfill_route() stores three components in the skb:\n\n- struct rtmsg\n- RTA_DST (u8)\n- RTA_OIF (u32)\n\nTherefore, rtm_phonet_notify() should use\n\nNLMSG_ALIGN(sizeof(struct rtmsg)) +\nnla_total_size(1) +\nnla_total_size(4)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36946\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36946\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36946\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36946\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36946\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4ff334cade9dae50e4be387f71e94fae634aa9b4\",\n \"https://git.kernel.org/stable/c/728a83160f98ee6b60df0d890141b9b7240182fe\",\n \"https://git.kernel.org/stable/c/9a77226440008cf04ba68faf641a2d50f4998137\",\n \"https://git.kernel.org/stable/c/d8cac8568618dcb8a51af3db1103e8d4cc4aeea7\",\n \"https://git.kernel.org/stable/c/dc6beac059f0331de97155a89d84058d4a9e49c7\",\n \"https://git.kernel.org/stable/c/ec1f71c05caeba0f814df77e0f511d8b4618623a\",\n \"https://git.kernel.org/stable/c/ee9e39a6cb3ca2a3d35b4ae25547ee3526a44d00\",\n \"https://git.kernel.org/stable/c/f085e02f0a32f6dfcfabc6535c9c4a1707cef86b\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nphonet: fix rtm_phonet_notify() skb allocation\\n\\nfill_route() stores three components in the skb:\\n\\n- struct rtmsg\\n- RTA_DST (u8)\\n- RTA_OIF (u32)\\n\\nTherefore, rtm_phonet_notify() should use\\n\\nNLMSG_ALIGN(sizeof(struct rtmsg)) +\\nnla_total_size(1) +\\nnla_total_size(4)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36946\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36947", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36947" + }, + { + "url": "https://git.kernel.org/stable/c/02ee394a5d899d9bd2f0759382e9481cab6166f8" + }, + { + "url": "https://git.kernel.org/stable/c/24dd9b08df718f20ccf2dd1519909fefd8c233ee" + }, + { + "url": "https://git.kernel.org/stable/c/aa23317d0268b309bb3f0801ddd0d61813ff5afb" + }, + { + "url": "https://git.kernel.org/stable/c/bd8f78c71defbcb7a9ed331e7f287507df972b00" + }, + { + "url": "https://git.kernel.org/stable/c/db71ca93259dd1078bcfea3afafde2143cfc2da7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36947 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36947", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nqibfs: fix dentry leak\n\nsimple_recursive_removal() drops the pinning references to all positives\nin subtree. For the cases when its argument has been kept alive by\nthe pinning alone that's exactly the right thing to do, but here\nthe argument comes from dcache lookup, that needs to be balanced by\nexplicit dput().\n\nFucked-up-by: Al Viro ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36947\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36947\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36947\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36947\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36947\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02ee394a5d899d9bd2f0759382e9481cab6166f8\",\n \"https://git.kernel.org/stable/c/24dd9b08df718f20ccf2dd1519909fefd8c233ee\",\n \"https://git.kernel.org/stable/c/aa23317d0268b309bb3f0801ddd0d61813ff5afb\",\n \"https://git.kernel.org/stable/c/bd8f78c71defbcb7a9ed331e7f287507df972b00\",\n \"https://git.kernel.org/stable/c/db71ca93259dd1078bcfea3afafde2143cfc2da7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nqibfs: fix dentry leak\\n\\nsimple_recursive_removal() drops the pinning references to all positives\\nin subtree. For the cases when its argument has been kept alive by\\nthe pinning alone that's exactly the right thing to do, but here\\nthe argument comes from dcache lookup, that needs to be balanced by\\nexplicit dput().\\n\\nFucked-up-by: Al Viro \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36947\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36948", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36948" + }, + { + "url": "https://git.kernel.org/stable/c/9cb46b31f3d08ed3fce86349e8c12f96d7c88717" + }, + { + "url": "https://git.kernel.org/stable/c/e23a904dfeb5a9e3d4ec527a365e962478cccf05" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36948 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36948", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/xe_migrate: Cast to output precision before multiplying operands\n\nAddressing potential overflow in result of multiplication of two lower\nprecision (u32) operands before widening it to higher precision\n(u64).\n\n-v2\nFix commit message and description. (Rodrigo)\n\n(cherry picked from commit 34820967ae7b45411f8f4f737c2d63b0c608e0d7)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36948\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36948\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36948\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36948\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36948\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/9cb46b31f3d08ed3fce86349e8c12f96d7c88717\",\n \"https://git.kernel.org/stable/c/e23a904dfeb5a9e3d4ec527a365e962478cccf05\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/xe/xe_migrate: Cast to output precision before multiplying operands\\n\\nAddressing potential overflow in result of multiplication of two lower\\nprecision (u32) operands before widening it to higher precision\\n(u64).\\n\\n-v2\\nFix commit message and description. (Rodrigo)\\n\\n(cherry picked from commit 34820967ae7b45411f8f4f737c2d63b0c608e0d7)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36948\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36949", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36949" + }, + { + "url": "https://git.kernel.org/stable/c/b6f6626528fe724b512c34f3fb5946c36a135f58" + }, + { + "url": "https://git.kernel.org/stable/c/d06af584be5a769d124b7302b32a033e9559761d" + }, + { + "url": "https://git.kernel.org/stable/c/ed28ef3840bbf93a64376ea7814ce39f86352e14" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36949 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36949", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: sync all devices to wait all processes being evicted\n\nIf there are more than one device doing reset in parallel, the first\ndevice will call kfd_suspend_all_processes() to evict all processes\non all devices, this call takes time to finish. other device will\nstart reset and recover without waiting. if the process has not been\nevicted before doing recover, it will be restored, then caused page\nfault.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36949\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36949\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36949\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36949\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36949\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/b6f6626528fe724b512c34f3fb5946c36a135f58\",\n \"https://git.kernel.org/stable/c/d06af584be5a769d124b7302b32a033e9559761d\",\n \"https://git.kernel.org/stable/c/ed28ef3840bbf93a64376ea7814ce39f86352e14\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\namd/amdkfd: sync all devices to wait all processes being evicted\\n\\nIf there are more than one device doing reset in parallel, the first\\ndevice will call kfd_suspend_all_processes() to evict all processes\\non all devices, this call takes time to finish. other device will\\nstart reset and recover without waiting. if the process has not been\\nevicted before doing recover, it will be restored, then caused page\\nfault.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36949\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36950", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36950" + }, + { + "url": "https://git.kernel.org/stable/c/31279bbca40d2f40cb3bbb6d538ec9620a645dec" + }, + { + "url": "https://git.kernel.org/stable/c/4f9cc355c328fc4f41cbd9c4cd58b235184fa420" + }, + { + "url": "https://git.kernel.org/stable/c/5982887de60c1b84f9c0ca07c835814d07fd1da0" + }, + { + "url": "https://git.kernel.org/stable/c/6fafe3661712b143d9c69a7322294bd53f559d5d" + }, + { + "url": "https://git.kernel.org/stable/c/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9" + }, + { + "url": "https://git.kernel.org/stable/c/8643332aac0576581cfdf01798ea3e4e0d624b61" + }, + { + "url": "https://git.kernel.org/stable/c/b3948c69d60279fce5b2eeda92a07d66296c8130" + }, + { + "url": "https://git.kernel.org/stable/c/fa273f312334246c909475c5868e6daab889cc8c" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36950 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36950", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: ohci: mask bus reset interrupts between ISR and bottom half\n\nIn the FireWire OHCI interrupt handler, if a bus reset interrupt has\noccurred, mask bus reset interrupts until bus_reset_work has serviced and\ncleared the interrupt.\n\nNormally, we always leave bus reset interrupts masked. We infer the bus\nreset from the self-ID interrupt that happens shortly thereafter. A\nscenario where we unmask bus reset interrupts was introduced in 2008 in\na007bb857e0b26f5d8b73c2ff90782d9c0972620: If\nOHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we\nwill unmask bus reset interrupts so we can log them.\n\nirq_handler logs the bus reset interrupt. However, we can't clear the bus\nreset event flag in irq_handler, because we won't service the event until\nlater. irq_handler exits with the event flag still set. If the\ncorresponding interrupt is still unmasked, the first bus reset will\nusually freeze the system due to irq_handler being called again each\ntime it exits. This freeze can be reproduced by loading firewire_ohci\nwith \"modprobe firewire_ohci debug=-1\" (to enable all debugging output).\nApparently there are also some cases where bus_reset_work will get called\nsoon enough to clear the event, and operation will continue normally.\n\nThis freeze was first reported a few months after a007bb85 was committed,\nbut until now it was never fixed. The debug level could safely be set\nto -1 through sysfs after the module was loaded, but this would be\nineffectual in logging bus reset interrupts since they were only\nunmasked during initialization.\n\nirq_handler will now leave the event flag set but mask bus reset\ninterrupts, so irq_handler won't be called again and there will be no\nfreeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will\nunmask the interrupt after servicing the event, so future interrupts\nwill be caught as desired.\n\nAs a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be\nenabled through sysfs in addition to during initial module loading.\nHowever, when enabled through sysfs, logging of bus reset interrupts will\nbe effective only starting with the second bus reset, after\nbus_reset_work has executed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36950\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36950\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36950\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36950\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36950\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/31279bbca40d2f40cb3bbb6d538ec9620a645dec\",\n \"https://git.kernel.org/stable/c/4f9cc355c328fc4f41cbd9c4cd58b235184fa420\",\n \"https://git.kernel.org/stable/c/5982887de60c1b84f9c0ca07c835814d07fd1da0\",\n \"https://git.kernel.org/stable/c/6fafe3661712b143d9c69a7322294bd53f559d5d\",\n \"https://git.kernel.org/stable/c/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9\",\n \"https://git.kernel.org/stable/c/8643332aac0576581cfdf01798ea3e4e0d624b61\",\n \"https://git.kernel.org/stable/c/b3948c69d60279fce5b2eeda92a07d66296c8130\",\n \"https://git.kernel.org/stable/c/fa273f312334246c909475c5868e6daab889cc8c\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfirewire: ohci: mask bus reset interrupts between ISR and bottom half\\n\\nIn the FireWire OHCI interrupt handler, if a bus reset interrupt has\\noccurred, mask bus reset interrupts until bus_reset_work has serviced and\\ncleared the interrupt.\\n\\nNormally, we always leave bus reset interrupts masked. We infer the bus\\nreset from the self-ID interrupt that happens shortly thereafter. A\\nscenario where we unmask bus reset interrupts was introduced in 2008 in\\na007bb857e0b26f5d8b73c2ff90782d9c0972620: If\\nOHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we\\nwill unmask bus reset interrupts so we can log them.\\n\\nirq_handler logs the bus reset interrupt. However, we can't clear the bus\\nreset event flag in irq_handler, because we won't service the event until\\nlater. irq_handler exits with the event flag still set. If the\\ncorresponding interrupt is still unmasked, the first bus reset will\\nusually freeze the system due to irq_handler being called again each\\ntime it exits. This freeze can be reproduced by loading firewire_ohci\\nwith \\\"modprobe firewire_ohci debug=-1\\\" (to enable all debugging output).\\nApparently there are also some cases where bus_reset_work will get called\\nsoon enough to clear the event, and operation will continue normally.\\n\\nThis freeze was first reported a few months after a007bb85 was committed,\\nbut until now it was never fixed. The debug level could safely be set\\nto -1 through sysfs after the module was loaded, but this would be\\nineffectual in logging bus reset interrupts since they were only\\nunmasked during initialization.\\n\\nirq_handler will now leave the event flag set but mask bus reset\\ninterrupts, so irq_handler won't be called again and there will be no\\nfreeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will\\nunmask the interrupt after servicing the event, so future interrupts\\nwill be caught as desired.\\n\\nAs a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be\\nenabled through sysfs in addition to during initial module loading.\\nHowever, when enabled through sysfs, logging of bus reset interrupts will\\nbe effective only starting with the second bus reset, after\\nbus_reset_work has executed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36950\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36951", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36951" + }, + { + "url": "https://git.kernel.org/stable/c/0cac183b98d8a8c692c98e8dba37df15a9e9210d" + }, + { + "url": "https://git.kernel.org/stable/c/41dc6791596656dd41100b85647ed489e1d5c2f2" + }, + { + "url": "https://git.kernel.org/stable/c/b6735bfe941486c5dfc9c3085d2d75d4923f9449" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36951 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36951", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: range check cp bad op exception interrupts\n\nDue to a CP interrupt bug, bad packet garbage exception codes are raised.\nDo a range check so that the debugger and runtime do not receive garbage\ncodes.\nUpdate the user api to guard exception code type checking as well.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36951\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36951\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36951\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36951\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36951\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0cac183b98d8a8c692c98e8dba37df15a9e9210d\",\n \"https://git.kernel.org/stable/c/41dc6791596656dd41100b85647ed489e1d5c2f2\",\n \"https://git.kernel.org/stable/c/b6735bfe941486c5dfc9c3085d2d75d4923f9449\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdkfd: range check cp bad op exception interrupts\\n\\nDue to a CP interrupt bug, bad packet garbage exception codes are raised.\\nDo a range check so that the debugger and runtime do not receive garbage\\ncodes.\\nUpdate the user api to guard exception code type checking as well.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36951\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36952", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36952" + }, + { + "url": "https://git.kernel.org/stable/c/0936809d968ecf81e0726fbd02ff2a5732d960c3" + }, + { + "url": "https://git.kernel.org/stable/c/4ddf01f2f1504fa08b766e8cfeec558e9f8eef6c" + }, + { + "url": "https://git.kernel.org/stable/c/718602cd15f4c5710850090ea3066a89eeb46278" + }, + { + "url": "https://git.kernel.org/stable/c/76337eb8daee32bcc67742efab3168ed4ca299d0" + }, + { + "url": "https://git.kernel.org/stable/c/f2c7f029051edc4b394bb48edbe2297575abefe0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36952 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36952", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\n\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric. This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\n\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject. This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\n\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36952\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36952\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36952\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36952\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36952\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0936809d968ecf81e0726fbd02ff2a5732d960c3\",\n \"https://git.kernel.org/stable/c/4ddf01f2f1504fa08b766e8cfeec558e9f8eef6c\",\n \"https://git.kernel.org/stable/c/718602cd15f4c5710850090ea3066a89eeb46278\",\n \"https://git.kernel.org/stable/c/76337eb8daee32bcc67742efab3168ed4ca299d0\",\n \"https://git.kernel.org/stable/c/f2c7f029051edc4b394bb48edbe2297575abefe0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\\n\\nThere are cases after NPIV deletion where the fabric switch still believes\\nthe NPIV is logged into the fabric. This occurs when a vport is\\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\\nfabric.\\n\\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\\nobject. This sometimes causes the race condition where the final DA_ID and\\nLOGO are skipped from being sent to the fabric switch.\\n\\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\\nand LOGO are sent.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36952\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36953", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36953" + }, + { + "url": "https://git.kernel.org/stable/c/01981276d64e542c177b243f7c979fee855d5487" + }, + { + "url": "https://git.kernel.org/stable/c/17db92da8be5dd3bf63c01f4109fe47db64fc66f" + }, + { + "url": "https://git.kernel.org/stable/c/3a5b0378ac6776c7c31b18e0f3c1389bd6005e80" + }, + { + "url": "https://git.kernel.org/stable/c/4404465a1bee3607ad90a4c5f9e16dfd75b85728" + }, + { + "url": "https://git.kernel.org/stable/c/6ddb4f372fc63210034b903d96ebbeb3c7195adb" + }, + { + "url": "https://git.kernel.org/stable/c/8d6a1c8e3de36cb0f5e866f1a582b00939e23104" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36953 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36953", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()\n\nvgic_v2_parse_attr() is responsible for finding the vCPU that matches\nthe user-provided CPUID, which (of course) may not be valid. If the ID\nis invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled\ngracefully.\n\nSimilar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id()\nactually returns something and fail the ioctl if not.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36953\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36953\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36953\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36953\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36953\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01981276d64e542c177b243f7c979fee855d5487\",\n \"https://git.kernel.org/stable/c/17db92da8be5dd3bf63c01f4109fe47db64fc66f\",\n \"https://git.kernel.org/stable/c/3a5b0378ac6776c7c31b18e0f3c1389bd6005e80\",\n \"https://git.kernel.org/stable/c/4404465a1bee3607ad90a4c5f9e16dfd75b85728\",\n \"https://git.kernel.org/stable/c/6ddb4f372fc63210034b903d96ebbeb3c7195adb\",\n \"https://git.kernel.org/stable/c/8d6a1c8e3de36cb0f5e866f1a582b00939e23104\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()\\n\\nvgic_v2_parse_attr() is responsible for finding the vCPU that matches\\nthe user-provided CPUID, which (of course) may not be valid. If the ID\\nis invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled\\ngracefully.\\n\\nSimilar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id()\\nactually returns something and fail the ioctl if not.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36953\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36954", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36954" + }, + { + "url": "https://git.kernel.org/stable/c/01cd1b7b685751ee422d00d050292a3d277652d6" + }, + { + "url": "https://git.kernel.org/stable/c/2f87fd9476cf9725d774e6dcb7d17859c6a6d1ae" + }, + { + "url": "https://git.kernel.org/stable/c/3210d34fda4caff212cb53729e6bd46de604d565" + }, + { + "url": "https://git.kernel.org/stable/c/42c8471b0566c7539e7dd584b4d0ebd3cec8cb2c" + }, + { + "url": "https://git.kernel.org/stable/c/614c5a5ae45a921595952117b2e2bd4d4bf9b574" + }, + { + "url": "https://git.kernel.org/stable/c/97bf6f81b29a8efaf5d0983251a7450e5794370d" + }, + { + "url": "https://git.kernel.org/stable/c/adbce6d20da6254c86425a8d4359b221b5ccbccd" + }, + { + "url": "https://git.kernel.org/stable/c/d03a82f4f8144befdc10518e732e2a60b34c870e" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36954 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36954", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix a possible memleak in tipc_buf_append\n\n__skb_linearize() doesn't free the skb when it fails, so move\n'*buf = NULL' after __skb_linearize(), so that the skb can be\nfreed on the err path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36954\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36954\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36954\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36954\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36954\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01cd1b7b685751ee422d00d050292a3d277652d6\",\n \"https://git.kernel.org/stable/c/2f87fd9476cf9725d774e6dcb7d17859c6a6d1ae\",\n \"https://git.kernel.org/stable/c/3210d34fda4caff212cb53729e6bd46de604d565\",\n \"https://git.kernel.org/stable/c/42c8471b0566c7539e7dd584b4d0ebd3cec8cb2c\",\n \"https://git.kernel.org/stable/c/614c5a5ae45a921595952117b2e2bd4d4bf9b574\",\n \"https://git.kernel.org/stable/c/97bf6f81b29a8efaf5d0983251a7450e5794370d\",\n \"https://git.kernel.org/stable/c/adbce6d20da6254c86425a8d4359b221b5ccbccd\",\n \"https://git.kernel.org/stable/c/d03a82f4f8144befdc10518e732e2a60b34c870e\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: fix a possible memleak in tipc_buf_append\\n\\n__skb_linearize() doesn't free the skb when it fails, so move\\n'*buf = NULL' after __skb_linearize(), so that the skb can be\\nfreed on the err path.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36954\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36955", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36955" + }, + { + "url": "https://git.kernel.org/stable/c/722d33c442e66e4aabd3e778958d696ff3a2777e" + }, + { + "url": "https://git.kernel.org/stable/c/7db626d2730d3d80fd31638169054b1e507f07bf" + }, + { + "url": "https://git.kernel.org/stable/c/7ef6ecf98ce309b1f4e5a25cddd5965d01feea07" + }, + { + "url": "https://git.kernel.org/stable/c/bd2d9641a39e6b5244230c4b41c4aca83b54b377" + }, + { + "url": "https://git.kernel.org/stable/c/c158cf914713efc3bcdc25680c7156c48c12ef6a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36955 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36955", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()\n\nThe documentation for device_get_named_child_node() mentions this\nimportant point:\n\n\"\nThe caller is responsible for calling fwnode_handle_put() on the\nreturned fwnode pointer.\n\"\n\nAdd fwnode_handle_put() to avoid a leaked reference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36955\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36955\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36955\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36955\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36955\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/722d33c442e66e4aabd3e778958d696ff3a2777e\",\n \"https://git.kernel.org/stable/c/7db626d2730d3d80fd31638169054b1e507f07bf\",\n \"https://git.kernel.org/stable/c/7ef6ecf98ce309b1f4e5a25cddd5965d01feea07\",\n \"https://git.kernel.org/stable/c/bd2d9641a39e6b5244230c4b41c4aca83b54b377\",\n \"https://git.kernel.org/stable/c/c158cf914713efc3bcdc25680c7156c48c12ef6a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()\\n\\nThe documentation for device_get_named_child_node() mentions this\\nimportant point:\\n\\n\\\"\\nThe caller is responsible for calling fwnode_handle_put() on the\\nreturned fwnode pointer.\\n\\\"\\n\\nAdd fwnode_handle_put() to avoid a leaked reference.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.7,\n \"exploitabilityScore\": 2.5,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36955\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36957", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36957" + }, + { + "url": "https://git.kernel.org/stable/c/0a0285cee11c7dcc2657bcd456e469958a5009e7" + }, + { + "url": "https://git.kernel.org/stable/c/8f11fe3ea3fc261640cfc8a5addd838000407c67" + }, + { + "url": "https://git.kernel.org/stable/c/bcdac70adceb44373da204c3c297f2a98e13216e" + }, + { + "url": "https://git.kernel.org/stable/c/ec697fbd38cbe2eef0948b58673b146caa95402f" + }, + { + "url": "https://git.kernel.org/stable/c/f299ee709fb45036454ca11e90cb2810fe771878" + }, + { + "url": "https://git.kernel.org/stable/c/fc3e0076c1f82fe981d321e3a7bad4cbee542c19" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36957 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36957", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: avoid off-by-one read from userspace\n\nWe try to access count + 1 byte from userspace with memdup_user(buffer,\ncount + 1). However, the userspace only provides buffer of count bytes and\nonly these count bytes are verified to be okay to access. To ensure the\ncopied buffer is NUL terminated, we use memdup_user_nul instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36957\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36957\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36957\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36957\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36957\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a0285cee11c7dcc2657bcd456e469958a5009e7\",\n \"https://git.kernel.org/stable/c/8f11fe3ea3fc261640cfc8a5addd838000407c67\",\n \"https://git.kernel.org/stable/c/bcdac70adceb44373da204c3c297f2a98e13216e\",\n \"https://git.kernel.org/stable/c/ec697fbd38cbe2eef0948b58673b146caa95402f\",\n \"https://git.kernel.org/stable/c/f299ee709fb45036454ca11e90cb2810fe771878\",\n \"https://git.kernel.org/stable/c/fc3e0076c1f82fe981d321e3a7bad4cbee542c19\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocteontx2-af: avoid off-by-one read from userspace\\n\\nWe try to access count + 1 byte from userspace with memdup_user(buffer,\\ncount + 1). However, the userspace only provides buffer of count bytes and\\nonly these count bytes are verified to be okay to access. To ensure the\\ncopied buffer is NUL terminated, we use memdup_user_nul instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36957\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36959", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36959" + }, + { + "url": "https://git.kernel.org/stable/c/026e24cf31733dbd97f41cc9bc5273ace428eeec" + }, + { + "url": "https://git.kernel.org/stable/c/06780473cb8a858d1d6cab2673e021b072a852d1" + }, + { + "url": "https://git.kernel.org/stable/c/35ab679e8bb5a81a4f922d3efbd43e32bce69274" + }, + { + "url": "https://git.kernel.org/stable/c/47d253c485491caaf70d8cd8c0248ae26e42581f" + }, + { + "url": "https://git.kernel.org/stable/c/518d5ddafeb084d6d9b1773ed85164300037d0e6" + }, + { + "url": "https://git.kernel.org/stable/c/76aa2440deb9a35507590f2c981a69a57ecd305d" + }, + { + "url": "https://git.kernel.org/stable/c/a0cedbcc8852d6c77b00634b81e41f17f29d9404" + }, + { + "url": "https://git.kernel.org/stable/c/c7e02ccc9fdc496fe51e440e3e66ac36509ca049" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36959 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36959", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()\n\nIf we fail to allocate propname buffer, we need to drop the reference\ncount we just took. Because the pinctrl_dt_free_maps() includes the\ndroping operation, here we call it directly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36959\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36959\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36959\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36959\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36959\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/026e24cf31733dbd97f41cc9bc5273ace428eeec\",\n \"https://git.kernel.org/stable/c/06780473cb8a858d1d6cab2673e021b072a852d1\",\n \"https://git.kernel.org/stable/c/35ab679e8bb5a81a4f922d3efbd43e32bce69274\",\n \"https://git.kernel.org/stable/c/47d253c485491caaf70d8cd8c0248ae26e42581f\",\n \"https://git.kernel.org/stable/c/518d5ddafeb084d6d9b1773ed85164300037d0e6\",\n \"https://git.kernel.org/stable/c/76aa2440deb9a35507590f2c981a69a57ecd305d\",\n \"https://git.kernel.org/stable/c/a0cedbcc8852d6c77b00634b81e41f17f29d9404\",\n \"https://git.kernel.org/stable/c/c7e02ccc9fdc496fe51e440e3e66ac36509ca049\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()\\n\\nIf we fail to allocate propname buffer, we need to drop the reference\\ncount we just took. Because the pinctrl_dt_free_maps() includes the\\ndroping operation, here we call it directly.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36959\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36960", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36960" + }, + { + "url": "https://git.kernel.org/stable/c/0dbfc73670b357456196130551e586345ca48e1b" + }, + { + "url": "https://git.kernel.org/stable/c/2f527e3efd37c7c5e85e8aa86308856b619fa59f" + }, + { + "url": "https://git.kernel.org/stable/c/3cd682357c6167f636aec8ac0efaa8ba61144d36" + }, + { + "url": "https://git.kernel.org/stable/c/7b5fd3af4a250dd0a2a558e07b43478748eb5d22" + }, + { + "url": "https://git.kernel.org/stable/c/a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c" + }, + { + "url": "https://git.kernel.org/stable/c/b7bab33c4623c66e3398d5253870d4e88c52dfc0" + }, + { + "url": "https://git.kernel.org/stable/c/cef0962f2d3e5fd0660c8efb72321083a1b531a9" + }, + { + "url": "https://git.kernel.org/stable/c/deab66596dfad14f1c54eeefdb72428340d72a77" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36960 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36960", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix invalid reads in fence signaled events\n\nCorrectly set the length of the drm_event to the size of the structure\nthat's actually used.\n\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. drm_read\nuses the length parameter to copy the event to the user space thus\nresuling in oob reads.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36960\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36960\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36960\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36960\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36960\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0dbfc73670b357456196130551e586345ca48e1b\",\n \"https://git.kernel.org/stable/c/2f527e3efd37c7c5e85e8aa86308856b619fa59f\",\n \"https://git.kernel.org/stable/c/3cd682357c6167f636aec8ac0efaa8ba61144d36\",\n \"https://git.kernel.org/stable/c/7b5fd3af4a250dd0a2a558e07b43478748eb5d22\",\n \"https://git.kernel.org/stable/c/a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c\",\n \"https://git.kernel.org/stable/c/b7bab33c4623c66e3398d5253870d4e88c52dfc0\",\n \"https://git.kernel.org/stable/c/cef0962f2d3e5fd0660c8efb72321083a1b531a9\",\n \"https://git.kernel.org/stable/c/deab66596dfad14f1c54eeefdb72428340d72a77\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vmwgfx: Fix invalid reads in fence signaled events\\n\\nCorrectly set the length of the drm_event to the size of the structure\\nthat's actually used.\\n\\nThe length of the drm_event was set to the parent structure instead of\\nto the drm_vmw_event_fence which is supposed to be read. drm_read\\nuses the length parameter to copy the event to the user space thus\\nresuling in oob reads.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36960\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36964", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36964" + }, + { + "url": "https://git.kernel.org/stable/c/157d468e34fdd3cb1ddc07c2be32fb3b02826b02" + }, + { + "url": "https://git.kernel.org/stable/c/5a605930e19f451294bd838754f7d66c976a8a2c" + }, + { + "url": "https://git.kernel.org/stable/c/ad4f65328661392de74e3608bb736fedf3b67e32" + }, + { + "url": "https://git.kernel.org/stable/c/ca9b5c81f0c918c63d73d962ed8a8e231f840bc8" + }, + { + "url": "https://git.kernel.org/stable/c/cd25e15e57e68a6b18dc9323047fe9c68b99290b" + }, + { + "url": "https://git.kernel.org/stable/c/df1962a199783ecd66734d563caf0fedecf08f96" + }, + { + "url": "https://git.kernel.org/stable/c/e55c601af3b1223a84f9f27f9cdbd2af5e203bf3" + }, + { + "url": "https://git.kernel.org/stable/c/e90bc596a74bb905e0a45bf346038c3f9d1e868d" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36964 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36964", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: only translate RWX permissions for plain 9P2000\n\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\nto be able to set (among others) the suid bit. This was presumably not\nthe intent since the unix extended bits are handled explicitly and\nconditionally on .u.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36964\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36964\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36964\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36964\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36964\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/157d468e34fdd3cb1ddc07c2be32fb3b02826b02\",\n \"https://git.kernel.org/stable/c/5a605930e19f451294bd838754f7d66c976a8a2c\",\n \"https://git.kernel.org/stable/c/ad4f65328661392de74e3608bb736fedf3b67e32\",\n \"https://git.kernel.org/stable/c/ca9b5c81f0c918c63d73d962ed8a8e231f840bc8\",\n \"https://git.kernel.org/stable/c/cd25e15e57e68a6b18dc9323047fe9c68b99290b\",\n \"https://git.kernel.org/stable/c/df1962a199783ecd66734d563caf0fedecf08f96\",\n \"https://git.kernel.org/stable/c/e55c601af3b1223a84f9f27f9cdbd2af5e203bf3\",\n \"https://git.kernel.org/stable/c/e90bc596a74bb905e0a45bf346038c3f9d1e868d\",\n \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/9p: only translate RWX permissions for plain 9P2000\\n\\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\\nto be able to set (among others) the suid bit. This was presumably not\\nthe intent since the unix extended bits are handled explicitly and\\nconditionally on .u.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36964\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36965", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36965" + }, + { + "url": "https://git.kernel.org/stable/c/00548ac6b14428719c970ef90adae2b3b48c0cdf" + }, + { + "url": "https://git.kernel.org/stable/c/1d9e2de24533daca36cbf09e8d8596bf72b526b2" + }, + { + "url": "https://git.kernel.org/stable/c/26c6d7dc8c6a9fde9d362ab2eef6390efeff145e" + }, + { + "url": "https://git.kernel.org/stable/c/331f91d86f71d0bb89a44217cc0b2a22810bbd42" + }, + { + "url": "https://git.kernel.org/stable/c/36c79eb4845551e9f6d28c663b38ce0ab03b84a9" + }, + { + "url": "https://git.kernel.org/stable/c/838b49e211d59fa827ff9df062d4020917cffbdf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36965 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36965", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: mediatek: Make sure IPI buffer fits in L2TCM\n\nThe IPI buffer location is read from the firmware that we load to the\nSystem Companion Processor, and it's not granted that both the SRAM\n(L2TCM) size that is defined in the devicetree node is large enough\nfor that, and while this is especially true for multi-core SCP, it's\nstill useful to check on single-core variants as well.\n\nFailing to perform this check may make this driver perform R/W\noperations out of the L2TCM boundary, resulting (at best) in a\nkernel panic.\n\nTo fix that, check that the IPI buffer fits, otherwise return a\nfailure and refuse to boot the relevant SCP core (or the SCP at\nall, if this is single core).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36965\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36965\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36965\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36965\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36965\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00548ac6b14428719c970ef90adae2b3b48c0cdf\",\n \"https://git.kernel.org/stable/c/1d9e2de24533daca36cbf09e8d8596bf72b526b2\",\n \"https://git.kernel.org/stable/c/26c6d7dc8c6a9fde9d362ab2eef6390efeff145e\",\n \"https://git.kernel.org/stable/c/331f91d86f71d0bb89a44217cc0b2a22810bbd42\",\n \"https://git.kernel.org/stable/c/36c79eb4845551e9f6d28c663b38ce0ab03b84a9\",\n \"https://git.kernel.org/stable/c/838b49e211d59fa827ff9df062d4020917cffbdf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nremoteproc: mediatek: Make sure IPI buffer fits in L2TCM\\n\\nThe IPI buffer location is read from the firmware that we load to the\\nSystem Companion Processor, and it's not granted that both the SRAM\\n(L2TCM) size that is defined in the devicetree node is large enough\\nfor that, and while this is especially true for multi-core SCP, it's\\nstill useful to check on single-core variants as well.\\n\\nFailing to perform this check may make this driver perform R/W\\noperations out of the L2TCM boundary, resulting (at best) in a\\nkernel panic.\\n\\nTo fix that, check that the IPI buffer fits, otherwise return a\\nfailure and refuse to boot the relevant SCP core (or the SCP at\\nall, if this is single core).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36965\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36966", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36966" + }, + { + "url": "https://git.kernel.org/stable/c/7af2ae1b1531feab5d38ec9c8f472dc6cceb4606" + }, + { + "url": "https://git.kernel.org/stable/c/dcdd49701e429c55b3644fd70fc58d85745f8cfe" + }, + { + "url": "https://git.kernel.org/stable/c/f9b877a7ee312ec8ce17598a7ef85cb820d7c371" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36966 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36966", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: reliably distinguish block based and fscache mode\n\nWhen erofs_kill_sb() is called in block dev based mode, s_bdev may not\nhave been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled,\nit will be mistaken for fscache mode, and then attempt to free an anon_dev\nthat has never been allocated, triggering the following warning:\n\n============================================\nida_free called for id=0 which is not allocated.\nWARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140\nModules linked in:\nCPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630\nRIP: 0010:ida_free+0x134/0x140\nCall Trace:\n \n erofs_kill_sb+0x81/0x90\n deactivate_locked_super+0x35/0x80\n get_tree_bdev+0x136/0x1e0\n vfs_get_tree+0x2c/0xf0\n do_new_mount+0x190/0x2f0\n [...]\n============================================\n\nNow when erofs_kill_sb() is called, erofs_sb_info must have been\ninitialised, so use sbi->fsid to distinguish between the two modes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36966\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36966\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36966\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36966\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36966\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7af2ae1b1531feab5d38ec9c8f472dc6cceb4606\",\n \"https://git.kernel.org/stable/c/dcdd49701e429c55b3644fd70fc58d85745f8cfe\",\n \"https://git.kernel.org/stable/c/f9b877a7ee312ec8ce17598a7ef85cb820d7c371\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nerofs: reliably distinguish block based and fscache mode\\n\\nWhen erofs_kill_sb() is called in block dev based mode, s_bdev may not\\nhave been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled,\\nit will be mistaken for fscache mode, and then attempt to free an anon_dev\\nthat has never been allocated, triggering the following warning:\\n\\n============================================\\nida_free called for id=0 which is not allocated.\\nWARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140\\nModules linked in:\\nCPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630\\nRIP: 0010:ida_free+0x134/0x140\\nCall Trace:\\n \\n erofs_kill_sb+0x81/0x90\\n deactivate_locked_super+0x35/0x80\\n get_tree_bdev+0x136/0x1e0\\n vfs_get_tree+0x2c/0xf0\\n do_new_mount+0x190/0x2f0\\n [...]\\n============================================\\n\\nNow when erofs_kill_sb() is called, erofs_sb_info must have been\\ninitialised, so use sbi->fsid to distinguish between the two modes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36966\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36967", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36967" + }, + { + "url": "https://git.kernel.org/stable/c/189c768932d435045b1fae12bf63e53866f06a28" + }, + { + "url": "https://git.kernel.org/stable/c/1e6914fa8e7798bcf3ce4a5b96ea4ac1d5571cdf" + }, + { + "url": "https://git.kernel.org/stable/c/5d91238b590bd883c86ba7707c5c9096469c08b7" + }, + { + "url": "https://git.kernel.org/stable/c/cf26a92f560eed5d6ddc3d441cc645950cbabc56" + }, + { + "url": "https://git.kernel.org/stable/c/e62835264d0352be6086975f18fdfed2b5520b13" + }, + { + "url": "https://git.kernel.org/stable/c/ffcaa2172cc1a85ddb8b783de96d38ca8855e248" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36967 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36967", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix memory leak in tpm2_key_encode()\n\n'scratch' is never freed. Fix this by calling kfree() in the success, and\nin the error case.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36967\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36967\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36967\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36967\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36967\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/189c768932d435045b1fae12bf63e53866f06a28\",\n \"https://git.kernel.org/stable/c/1e6914fa8e7798bcf3ce4a5b96ea4ac1d5571cdf\",\n \"https://git.kernel.org/stable/c/5d91238b590bd883c86ba7707c5c9096469c08b7\",\n \"https://git.kernel.org/stable/c/cf26a92f560eed5d6ddc3d441cc645950cbabc56\",\n \"https://git.kernel.org/stable/c/e62835264d0352be6086975f18fdfed2b5520b13\",\n \"https://git.kernel.org/stable/c/ffcaa2172cc1a85ddb8b783de96d38ca8855e248\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKEYS: trusted: Fix memory leak in tpm2_key_encode()\\n\\n'scratch' is never freed. Fix this by calling kfree() in the success, and\\nin the error case.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36967\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36968", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36968" + }, + { + "url": "https://git.kernel.org/stable/c/4d3dbaa252257d20611c3647290e6171f1bbd6c8" + }, + { + "url": "https://git.kernel.org/stable/c/a5b862c6a221459d54e494e88965b48dcfa6cc44" + }, + { + "url": "https://git.kernel.org/stable/c/ad3f7986c5a0f82b8b66a0afe1cc1f5421e1d674" + }, + { + "url": "https://git.kernel.org/stable/c/d2b2f7d3936dc5990549bc36ab7ac7ac37f22c30" + }, + { + "url": "https://git.kernel.org/stable/c/dfece2b4e3759759b2bdfac2cd6d0ee9fbf055f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36968 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36968", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\n\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\noverflow since hdev->le_mtu may not fall in the valid range.\n\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\nprocess earlier if MTU is invalid.\nAlso, add a missing validation in read_buffer_size() and make it return\nan error value if the validation fails.\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\nkzalloc failure and invalid MTU value.\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci0 hci_rx_work\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\nFS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n \n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\n kthread+0x2e3/0x380 kernel/kthread.c:388\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \nModules linked in:\n---[ end trace 0000000000000000 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36968\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36968\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36968\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36968\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36968\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4d3dbaa252257d20611c3647290e6171f1bbd6c8\",\n \"https://git.kernel.org/stable/c/a5b862c6a221459d54e494e88965b48dcfa6cc44\",\n \"https://git.kernel.org/stable/c/ad3f7986c5a0f82b8b66a0afe1cc1f5421e1d674\",\n \"https://git.kernel.org/stable/c/d2b2f7d3936dc5990549bc36ab7ac7ac37f22c30\",\n \"https://git.kernel.org/stable/c/dfece2b4e3759759b2bdfac2cd6d0ee9fbf055f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\\n\\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\\noverflow since hdev->le_mtu may not fall in the valid range.\\n\\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\\nprocess earlier if MTU is invalid.\\nAlso, add a missing validation in read_buffer_size() and make it return\\nan error value if the validation fails.\\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\\nkzalloc failure and invalid MTU value.\\n\\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nWorkqueue: hci0 hci_rx_work\\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\\nFS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\\nPKRU: 55555554\\nCall Trace:\\n \\n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\\n process_one_work kernel/workqueue.c:3254 [inline]\\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\\n kthread+0x2e3/0x380 kernel/kthread.c:388\\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n \\nModules linked in:\\n---[ end trace 0000000000000000 ]---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 6.5,\n \"exploitabilityScore\": 2,\n \"impactScore\": 4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36968\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36969", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36969" + }, + { + "url": "https://git.kernel.org/stable/c/130afc8a886183a94cf6eab7d24f300014ff87ba" + }, + { + "url": "https://git.kernel.org/stable/c/308de6be0c9c7ba36915c0d398e771725c0ea911" + }, + { + "url": "https://git.kernel.org/stable/c/7e4f50dfc98c49b3dc6875a35c3112522fb25639" + }, + { + "url": "https://git.kernel.org/stable/c/91402e0e5de9124a3108db7a14163fcf9a6d322f" + }, + { + "url": "https://git.kernel.org/stable/c/a32c8f951c8a456c1c251e1dcdf21787f8066445" + }, + { + "url": "https://git.kernel.org/stable/c/f187fcbbb8f8bf10c6687f0beae22509369f7563" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36969 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36969", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix division by zero in setup_dsc_config\n\nWhen slice_height is 0, the division by slice_height in the calculation\nof the number of slices will cause a division by zero driver crash. This\nleaves the kernel in a state that requires a reboot. This patch adds a\ncheck to avoid the division by zero.\n\nThe stack trace below is for the 6.8.4 Kernel. I reproduced the issue on\na Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor\nconnected via Thunderbolt. The amdgpu driver crashed with this exception\nwhen I rebooted the system with the monitor connected.\n\nkernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)\nkernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2))\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu\n\nAfter applying this patch, the driver no longer crashes when the monitor\nis connected and the system is rebooted. I believe this is the same\nissue reported for 3113.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36969\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36969\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36969\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36969\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36969\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/130afc8a886183a94cf6eab7d24f300014ff87ba\",\n \"https://git.kernel.org/stable/c/308de6be0c9c7ba36915c0d398e771725c0ea911\",\n \"https://git.kernel.org/stable/c/7e4f50dfc98c49b3dc6875a35c3112522fb25639\",\n \"https://git.kernel.org/stable/c/91402e0e5de9124a3108db7a14163fcf9a6d322f\",\n \"https://git.kernel.org/stable/c/a32c8f951c8a456c1c251e1dcdf21787f8066445\",\n \"https://git.kernel.org/stable/c/f187fcbbb8f8bf10c6687f0beae22509369f7563\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix division by zero in setup_dsc_config\\n\\nWhen slice_height is 0, the division by slice_height in the calculation\\nof the number of slices will cause a division by zero driver crash. This\\nleaves the kernel in a state that requires a reboot. This patch adds a\\ncheck to avoid the division by zero.\\n\\nThe stack trace below is for the 6.8.4 Kernel. I reproduced the issue on\\na Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor\\nconnected via Thunderbolt. The amdgpu driver crashed with this exception\\nwhen I rebooted the system with the monitor connected.\\n\\nkernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)\\nkernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154)\\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\\nkernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175)\\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\\nkernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2))\\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\\nkernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548)\\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\\nkernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu\\n\\nAfter applying this patch, the driver no longer crashes when the monitor\\nis connected and the system is rebooted. I believe this is the same\\nissue reported for 3113.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36969\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36970", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36970" + }, + { + "url": "https://git.kernel.org/stable/c/3d913719df14c28c4d3819e7e6d150760222bda4" + }, + { + "url": "https://git.kernel.org/stable/c/d20013259539e2fde2deeac85354851097afdf9e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36970 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36970", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: Use request_module_nowait\n\nThis appears to work around a deadlock regression that came in\nwith the LED merge in 6.9.\n\nThe deadlock happens on my system with 24 iwlwifi radios, so maybe\nit something like all worker threads are busy and some work that needs\nto complete cannot complete.\n\n[also remove unnecessary \"load_module\" var and now-wrong comment]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36970\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36970\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36970\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36970\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36970\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3d913719df14c28c4d3819e7e6d150760222bda4\",\n \"https://git.kernel.org/stable/c/d20013259539e2fde2deeac85354851097afdf9e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: Use request_module_nowait\\n\\nThis appears to work around a deadlock regression that came in\\nwith the LED merge in 6.9.\\n\\nThe deadlock happens on my system with 24 iwlwifi radios, so maybe\\nit something like all worker threads are busy and some work that needs\\nto complete cannot complete.\\n\\n[also remove unnecessary \\\"load_module\\\" var and now-wrong comment]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36970\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36971", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36971" + }, + { + "url": "https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13" + }, + { + "url": "https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6" + }, + { + "url": "https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508" + }, + { + "url": "https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4" + }, + { + "url": "https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e" + }, + { + "url": "https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fc" + }, + { + "url": "https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72" + }, + { + "url": "https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36971 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36971", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix __dst_negative_advice() race\n\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\n\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\n\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\n\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\n\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\n\nMany thanks to Clement Lecigne for tracking this issue.\n\nThis old bug became visible after the blamed commit, using UDP sockets.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36971\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36971\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36971\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36971\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36971\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13\",\n \"https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6\",\n \"https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508\",\n \"https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4\",\n \"https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e\",\n \"https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fc\",\n \"https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72\",\n \"https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: fix __dst_negative_advice() race\\n\\n__dst_negative_advice() does not enforce proper RCU rules when\\nsk->dst_cache must be cleared, leading to possible UAF.\\n\\nRCU rules are that we must first clear sk->sk_dst_cache,\\nthen call dst_release(old_dst).\\n\\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\\nwhile __dst_negative_advice() uses the wrong order.\\n\\nGiven that ip6_negative_advice() has special logic\\nagainst RTF_CACHE, this means each of the three ->negative_advice()\\nexisting methods must perform the sk_dst_reset() themselves.\\n\\nNote the check against NULL dst is centralized in\\n__dst_negative_advice(), there is no need to duplicate\\nit in various callbacks.\\n\\nMany thanks to Clement Lecigne for tracking this issue.\\n\\nThis old bug became visible after the blamed commit, using UDP sockets.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36971\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36972", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36972" + }, + { + "url": "https://git.kernel.org/stable/c/4708f49add84a57ce0ccc7bf9a6269845c631cc3" + }, + { + "url": "https://git.kernel.org/stable/c/4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1" + }, + { + "url": "https://git.kernel.org/stable/c/518a994aa0b87d96f1bc6678a7035df5d1fcd7a1" + }, + { + "url": "https://git.kernel.org/stable/c/9841991a446c87f90f66f4b9fee6fe934c1336a2" + }, + { + "url": "https://git.kernel.org/stable/c/d59ae9314b97e01c76a4171472441e55721ba636" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36972 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36972", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.\n\nBilly Jheng Bing-Jhong reported a race between __unix_gc() and\nqueue_oob().\n\n__unix_gc() tries to garbage-collect close()d inflight sockets,\nand then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC\nwill drop the reference and set NULL to it locklessly.\n\nHowever, the peer socket still can send MSG_OOB message and\nqueue_oob() can update unix_sk(sk)->oob_skb concurrently, leading\nNULL pointer dereference. [0]\n\nTo fix the issue, let's update unix_sk(sk)->oob_skb under the\nsk_receive_queue's lock and take it everywhere we touch oob_skb.\n\nNote that we defer kfree_skb() in manage_oob() to silence lockdep\nfalse-positive (See [1]).\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0\nOops: 0002 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events delayed_fput\nRIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)\nCode: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc\nRSP: 0018:ffffc900001bfd48 EFLAGS: 00000002\nRAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9\nRDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00\nRBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001\nR10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00\nR13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80\nFS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \n unix_release_sock (net/unix/af_unix.c:654)\n unix_release (net/unix/af_unix.c:1050)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:423)\n delayed_fput (fs/file_table.c:444 (discriminator 3))\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)\n kthread (kernel/kthread.c:388)\n ret_from_fork (arch/x86/kernel/process.c:153)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:257)\n \nModules linked in:\nCR2: 0000000000000008", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36972\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36972\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36972\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36972\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36972\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4708f49add84a57ce0ccc7bf9a6269845c631cc3\",\n \"https://git.kernel.org/stable/c/4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1\",\n \"https://git.kernel.org/stable/c/518a994aa0b87d96f1bc6678a7035df5d1fcd7a1\",\n \"https://git.kernel.org/stable/c/9841991a446c87f90f66f4b9fee6fe934c1336a2\",\n \"https://git.kernel.org/stable/c/d59ae9314b97e01c76a4171472441e55721ba636\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.\\n\\nBilly Jheng Bing-Jhong reported a race between __unix_gc() and\\nqueue_oob().\\n\\n__unix_gc() tries to garbage-collect close()d inflight sockets,\\nand then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC\\nwill drop the reference and set NULL to it locklessly.\\n\\nHowever, the peer socket still can send MSG_OOB message and\\nqueue_oob() can update unix_sk(sk)->oob_skb concurrently, leading\\nNULL pointer dereference. [0]\\n\\nTo fix the issue, let's update unix_sk(sk)->oob_skb under the\\nsk_receive_queue's lock and take it everywhere we touch oob_skb.\\n\\nNote that we defer kfree_skb() in manage_oob() to silence lockdep\\nfalse-positive (See [1]).\\n\\n[0]:\\nBUG: kernel NULL pointer dereference, address: 0000000000000008\\n PF: supervisor write access in kernel mode\\n PF: error_code(0x0002) - not-present page\\nPGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0\\nOops: 0002 [#1] PREEMPT SMP PTI\\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\nWorkqueue: events delayed_fput\\nRIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)\\nCode: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc\\nRSP: 0018:ffffc900001bfd48 EFLAGS: 00000002\\nRAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9\\nRDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00\\nRBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001\\nR10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00\\nR13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80\\nFS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0\\nPKRU: 55555554\\nCall Trace:\\n \\n unix_release_sock (net/unix/af_unix.c:654)\\n unix_release (net/unix/af_unix.c:1050)\\n __sock_release (net/socket.c:660)\\n sock_close (net/socket.c:1423)\\n __fput (fs/file_table.c:423)\\n delayed_fput (fs/file_table.c:444 (discriminator 3))\\n process_one_work (kernel/workqueue.c:3259)\\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)\\n kthread (kernel/kthread.c:388)\\n ret_from_fork (arch/x86/kernel/process.c:153)\\n ret_from_fork_asm (arch/x86/entry/entry_64.S:257)\\n \\nModules linked in:\\nCR2: 0000000000000008\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36972\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36974", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36974" + }, + { + "url": "https://git.kernel.org/stable/c/0bf6cc96612bd396048f57d63f1ad454a846e39c" + }, + { + "url": "https://git.kernel.org/stable/c/6db4af09987cc5d5f0136bd46148b0e0460dae5b" + }, + { + "url": "https://git.kernel.org/stable/c/724050ae4b76e4fae05a923cb54101d792cf4404" + }, + { + "url": "https://git.kernel.org/stable/c/c37a27a35eadb59286c9092c49c241270c802ae2" + }, + { + "url": "https://git.kernel.org/stable/c/c6041e7124464ce7e896ee3f912897ce88a0c4ec" + }, + { + "url": "https://git.kernel.org/stable/c/d3dde4c217f0c31ab0621912e682b57e677dd923" + }, + { + "url": "https://git.kernel.org/stable/c/f921a58ae20852d188f70842431ce6519c4fdc36" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36974 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36974", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP\n\nIf one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,\ntaprio_parse_mqprio_opt() must validate it, or userspace\ncan inject arbitrary data to the kernel, the second time\ntaprio_change() is called.\n\nFirst call (with valid attributes) sets dev->num_tc\nto a non zero value.\n\nSecond call (with arbitrary mqprio attributes)\nreturns early from taprio_parse_mqprio_opt()\nand bad things can happen.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36974\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36974\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36974\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36974\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36974\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0bf6cc96612bd396048f57d63f1ad454a846e39c\",\n \"https://git.kernel.org/stable/c/6db4af09987cc5d5f0136bd46148b0e0460dae5b\",\n \"https://git.kernel.org/stable/c/724050ae4b76e4fae05a923cb54101d792cf4404\",\n \"https://git.kernel.org/stable/c/c37a27a35eadb59286c9092c49c241270c802ae2\",\n \"https://git.kernel.org/stable/c/c6041e7124464ce7e896ee3f912897ce88a0c4ec\",\n \"https://git.kernel.org/stable/c/d3dde4c217f0c31ab0621912e682b57e677dd923\",\n \"https://git.kernel.org/stable/c/f921a58ae20852d188f70842431ce6519c4fdc36\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP\\n\\nIf one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,\\ntaprio_parse_mqprio_opt() must validate it, or userspace\\ncan inject arbitrary data to the kernel, the second time\\ntaprio_change() is called.\\n\\nFirst call (with valid attributes) sets dev->num_tc\\nto a non zero value.\\n\\nSecond call (with arbitrary mqprio attributes)\\nreturns early from taprio_parse_mqprio_opt()\\nand bad things can happen.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36974\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36975", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36975" + }, + { + "url": "https://git.kernel.org/stable/c/050bf3c793a07f96bd1e2fd62e1447f731ed733b" + }, + { + "url": "https://git.kernel.org/stable/c/1c652e1e10676f942149052d9329b8bf2703529a" + }, + { + "url": "https://git.kernel.org/stable/c/681935009fec3fc22af97ee312d4a24ccf3cf087" + }, + { + "url": "https://git.kernel.org/stable/c/96f650995c70237b061b497c66755e32908f8972" + }, + { + "url": "https://git.kernel.org/stable/c/d32c6e09f7c4bec3ebc4941323f0aa6366bc1487" + }, + { + "url": "https://git.kernel.org/stable/c/ff91cc12faf798f573dab2abc976c1d5b1862fea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36975 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36975", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Do not use WARN when encode fails\n\nWhen asn1_encode_sequence() fails, WARN is not the correct solution.\n\n1. asn1_encode_sequence() is not an internal function (located\n in lib/asn1_encode.c).\n2. Location is known, which makes the stack trace useless.\n3. Results a crash if panic_on_warn is set.\n\nIt is also noteworthy that the use of WARN is undocumented, and it\nshould be avoided unless there is a carefully considered rationale to\nuse it.\n\nReplace WARN with pr_err, and print the return value instead, which is\nonly useful piece of information.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36975\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36975\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36975\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36975\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36975\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/050bf3c793a07f96bd1e2fd62e1447f731ed733b\",\n \"https://git.kernel.org/stable/c/1c652e1e10676f942149052d9329b8bf2703529a\",\n \"https://git.kernel.org/stable/c/681935009fec3fc22af97ee312d4a24ccf3cf087\",\n \"https://git.kernel.org/stable/c/96f650995c70237b061b497c66755e32908f8972\",\n \"https://git.kernel.org/stable/c/d32c6e09f7c4bec3ebc4941323f0aa6366bc1487\",\n \"https://git.kernel.org/stable/c/ff91cc12faf798f573dab2abc976c1d5b1862fea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKEYS: trusted: Do not use WARN when encode fails\\n\\nWhen asn1_encode_sequence() fails, WARN is not the correct solution.\\n\\n1. asn1_encode_sequence() is not an internal function (located\\n in lib/asn1_encode.c).\\n2. Location is known, which makes the stack trace useless.\\n3. Results a crash if panic_on_warn is set.\\n\\nIt is also noteworthy that the use of WARN is undocumented, and it\\nshould be avoided unless there is a carefully considered rationale to\\nuse it.\\n\\nReplace WARN with pr_err, and print the return value instead, which is\\nonly useful piece of information.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36975\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-36978", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-36978" + }, + { + "url": "https://git.kernel.org/stable/c/0f208fad86631e005754606c3ec80c0d44a11882" + }, + { + "url": "https://git.kernel.org/stable/c/52b1aa07cda6a199cd6754d3798c7759023bc70f" + }, + { + "url": "https://git.kernel.org/stable/c/54c2c171c11a798fe887b3ff72922aa9d1411c1e" + }, + { + "url": "https://git.kernel.org/stable/c/598572c64287aee0b75bbba4e2881496878860f3" + }, + { + "url": "https://git.kernel.org/stable/c/affc18fdc694190ca7575b9a86632a73b9fe043d" + }, + { + "url": "https://git.kernel.org/stable/c/d5d9d241786f49ae7cbc08e7fc95a115e9d80f3d" + }, + { + "url": "https://git.kernel.org/stable/c/d6fb5110e8722bc00748f22caeb650fe4672f129" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-36978 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-36978", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\n\nq->bands will be assigned to qopt->bands to execute subsequent code logic\nafter kmalloc. So the old q->bands should not be used in kmalloc.\nOtherwise, an out-of-bounds write will occur.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-36978\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-36978\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-36978\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-36978\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-36978\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f208fad86631e005754606c3ec80c0d44a11882\",\n \"https://git.kernel.org/stable/c/52b1aa07cda6a199cd6754d3798c7759023bc70f\",\n \"https://git.kernel.org/stable/c/54c2c171c11a798fe887b3ff72922aa9d1411c1e\",\n \"https://git.kernel.org/stable/c/598572c64287aee0b75bbba4e2881496878860f3\",\n \"https://git.kernel.org/stable/c/affc18fdc694190ca7575b9a86632a73b9fe043d\",\n \"https://git.kernel.org/stable/c/d5d9d241786f49ae7cbc08e7fc95a115e9d80f3d\",\n \"https://git.kernel.org/stable/c/d6fb5110e8722bc00748f22caeb650fe4672f129\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\\n\\nq->bands will be assigned to qopt->bands to execute subsequent code logic\\nafter kmalloc. So the old q->bands should not be used in kmalloc.\\nOtherwise, an out-of-bounds write will occur.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-36978\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37021", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37021" + }, + { + "url": "https://git.kernel.org/stable/c/2da62a139a6221a345db4eb9f4f1c4b0937c89ad" + }, + { + "url": "https://git.kernel.org/stable/c/4d4d2d4346857bf778fafaa97d6f76bb1663e3c9" + }, + { + "url": "https://git.kernel.org/stable/c/62ac496a01c9337a11362cea427038ba621ca9eb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37021 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-37021", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: manager: add owner module and take its refcount\n\nThe current implementation of the fpga manager assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the manager if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_manager\nstruct and use it to take the module's refcount. Modify the functions for\nregistering the manager to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the manager as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a manager without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga manager.\n\nOther changes: opportunistically move put_device() from __fpga_mgr_get() to\nfpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since the\nmanager device is taken in these functions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37021\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37021\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37021\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37021\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37021\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2da62a139a6221a345db4eb9f4f1c4b0937c89ad\",\n \"https://git.kernel.org/stable/c/4d4d2d4346857bf778fafaa97d6f76bb1663e3c9\",\n \"https://git.kernel.org/stable/c/62ac496a01c9337a11362cea427038ba621ca9eb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfpga: manager: add owner module and take its refcount\\n\\nThe current implementation of the fpga manager assumes that the low-level\\nmodule registers a driver for the parent device and uses its owner pointer\\nto take the module's refcount. This approach is problematic since it can\\nlead to a null pointer dereference while attempting to get the manager if\\nthe parent device does not have a driver.\\n\\nTo address this problem, add a module owner pointer to the fpga_manager\\nstruct and use it to take the module's refcount. Modify the functions for\\nregistering the manager to take an additional owner module parameter and\\nrename them to avoid conflicts. Use the old function names for helper\\nmacros that automatically set the module that registers the manager as the\\nowner. This ensures compatibility with existing low-level control modules\\nand reduces the chances of registering a manager without setting the owner.\\n\\nAlso, update the documentation to keep it consistent with the new interface\\nfor registering an fpga manager.\\n\\nOther changes: opportunistically move put_device() from __fpga_mgr_get() to\\nfpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since the\\nmanager device is taken in these functions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37021\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37078", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37078" + }, + { + "url": "https://git.kernel.org/stable/c/0ecfe3a92869a59668d27228dabbd7965e83567f" + }, + { + "url": "https://git.kernel.org/stable/c/1f3bff69f1214fe03a02bc650d5bbfaa6e65ae7d" + }, + { + "url": "https://git.kernel.org/stable/c/271dcd977ccda8c7a26e360425ae7b4db7d2ecc0" + }, + { + "url": "https://git.kernel.org/stable/c/33900d7eae616647e179eee1c66ebe654ee39627" + }, + { + "url": "https://git.kernel.org/stable/c/614d397be0cf43412b3f94a0f6460eddced8ce92" + }, + { + "url": "https://git.kernel.org/stable/c/95f6f81e50d858a7c9aa7c795ec14a0ac3819118" + }, + { + "url": "https://git.kernel.org/stable/c/a4ca369ca221bb7e06c725792ac107f0e48e82e7" + }, + { + "url": "https://git.kernel.org/stable/c/a75b8f493dfc48aa38c518430bd9e03b53bffebe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37078 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-37078", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential kernel bug due to lack of writeback flag waiting\n\nDestructive writes to a block device on which nilfs2 is mounted can cause\na kernel bug in the folio/page writeback start routine or writeback end\nroutine (__folio_start_writeback in the log below):\n\n kernel BUG at mm/page-writeback.c:3070!\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\n ...\n RIP: 0010:__folio_start_writeback+0xbaa/0x10e0\n Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff\n e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>\n 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00\n ...\n Call Trace:\n \n nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]\n nilfs_segctor_construct+0x181/0x6b0 [nilfs2]\n nilfs_segctor_thread+0x548/0x11c0 [nilfs2]\n kthread+0x2f0/0x390\n ret_from_fork+0x4b/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nThis is because when the log writer starts a writeback for segment summary\nblocks or a super root block that use the backing device's page cache, it\ndoes not wait for the ongoing folio/page writeback, resulting in an\ninconsistent writeback state.\n\nFix this issue by waiting for ongoing writebacks when putting\nfolios/pages on the backing device into writeback state.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37078\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37078\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37078\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37078\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37078\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ecfe3a92869a59668d27228dabbd7965e83567f\",\n \"https://git.kernel.org/stable/c/1f3bff69f1214fe03a02bc650d5bbfaa6e65ae7d\",\n \"https://git.kernel.org/stable/c/271dcd977ccda8c7a26e360425ae7b4db7d2ecc0\",\n \"https://git.kernel.org/stable/c/33900d7eae616647e179eee1c66ebe654ee39627\",\n \"https://git.kernel.org/stable/c/614d397be0cf43412b3f94a0f6460eddced8ce92\",\n \"https://git.kernel.org/stable/c/95f6f81e50d858a7c9aa7c795ec14a0ac3819118\",\n \"https://git.kernel.org/stable/c/a4ca369ca221bb7e06c725792ac107f0e48e82e7\",\n \"https://git.kernel.org/stable/c/a75b8f493dfc48aa38c518430bd9e03b53bffebe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix potential kernel bug due to lack of writeback flag waiting\\n\\nDestructive writes to a block device on which nilfs2 is mounted can cause\\na kernel bug in the folio/page writeback start routine or writeback end\\nroutine (__folio_start_writeback in the log below):\\n\\n kernel BUG at mm/page-writeback.c:3070!\\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\\n ...\\n RIP: 0010:__folio_start_writeback+0xbaa/0x10e0\\n Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff\\n e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>\\n 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00\\n ...\\n Call Trace:\\n \\n nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]\\n nilfs_segctor_construct+0x181/0x6b0 [nilfs2]\\n nilfs_segctor_thread+0x548/0x11c0 [nilfs2]\\n kthread+0x2f0/0x390\\n ret_from_fork+0x4b/0x80\\n ret_from_fork_asm+0x1a/0x30\\n \\n\\nThis is because when the log writer starts a writeback for segment summary\\nblocks or a super root block that use the backing device's page cache, it\\ndoes not wait for the ongoing folio/page writeback, resulting in an\\ninconsistent writeback state.\\n\\nFix this issue by waiting for ongoing writebacks when putting\\nfolios/pages on the backing device into writeback state.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37078\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37353", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37353" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37353 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-37353", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37353\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37353\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37353\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37353\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37353\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37353\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37354", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37354" + }, + { + "url": "https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428" + }, + { + "url": "https://git.kernel.org/stable/c/3d08c52ba1887a1ff9c179d4b6a18b427bcb2097" + }, + { + "url": "https://git.kernel.org/stable/c/9d274c19a71b3a276949933859610721a453946b" + }, + { + "url": "https://git.kernel.org/stable/c/f4e5ed974876c14d3623e04dc43d3e3281bc6011" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37354 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-37354", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\n\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\n\n BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2620!\n invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\n\nWith the following stack trace:\n\n #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)\n #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)\n #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)\n #8 vfs_fsync_range (fs/sync.c:188:9)\n #9 vfs_fsync (fs/sync.c:202:9)\n #10 do_fsync (fs/sync.c:212:9)\n #11 __do_sys_fdatasync (fs/sync.c:225:9)\n #12 __se_sys_fdatasync (fs/sync.c:223:1)\n #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\n\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\n\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\n\n >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n leaf 33439744 flags 0x100000000000000\n fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n generation 7 transid 9 size 8192 nbytes 8473563889606862198\n block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n sequence 204 flags 0x10(PREALLOC)\n atime 1716417703.220000000 (2024-05-22 15:41:43)\n ctime 1716417704.983333333 (2024-05-22 15:41:44)\n mtime 1716417704.983333333 (2024-05-22 15:41:44)\n otime 17592186044416.000000000 (559444-03-08 01:40:16)\n item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n index 195 namelen 3 name: 193\n item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n location key (0 UNKNOWN.0 0) type XATTR\n transid 7 data_len 1 name_len 6\n name: user.a\n data a\n item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n generation 9 type 1 (regular)\n extent data disk byte 303144960 nr 12288\n extent data offset 0 nr 4096 ram 12288\n extent compression 0 (none)\n item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 4096 nr 8192\n item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 8192 nr 4096\n ...\n\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\n\nHere is the state of \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37354\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37354\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37354\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37354\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37354\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428\",\n \"https://git.kernel.org/stable/c/3d08c52ba1887a1ff9c179d4b6a18b427bcb2097\",\n \"https://git.kernel.org/stable/c/9d274c19a71b3a276949933859610721a453946b\",\n \"https://git.kernel.org/stable/c/f4e5ed974876c14d3623e04dc43d3e3281bc6011\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\\n\\nWe have been seeing crashes on duplicate keys in\\nbtrfs_set_item_key_safe():\\n\\n BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\\n ------------[ cut here ]------------\\n kernel BUG at fs/btrfs/ctree.c:2620!\\n invalid opcode: 0000 [#1] PREEMPT SMP PTI\\n CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\\n RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\\n\\nWith the following stack trace:\\n\\n #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\\n #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)\\n #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)\\n #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\\n #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\\n #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\\n #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\\n #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)\\n #8 vfs_fsync_range (fs/sync.c:188:9)\\n #9 vfs_fsync (fs/sync.c:202:9)\\n #10 do_fsync (fs/sync.c:212:9)\\n #11 __do_sys_fdatasync (fs/sync.c:225:9)\\n #12 __se_sys_fdatasync (fs/sync.c:223:1)\\n #13 __x64_sys_fdatasync (fs/sync.c:223:1)\\n #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\\n #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\\n #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\\n\\nSo we're logging a changed extent from fsync, which is splitting an\\nextent in the log tree. But this split part already exists in the tree,\\ntriggering the BUG().\\n\\nThis is the state of the log tree at the time of the crash, dumped with\\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\\nto get more details than btrfs_print_leaf() gives us:\\n\\n >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\\\"eb\\\"])\\n leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\\n leaf 33439744 flags 0x100000000000000\\n fs uuid e5bd3946-400c-4223-8923-190ef1f18677\\n chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\\n item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\\n generation 7 transid 9 size 8192 nbytes 8473563889606862198\\n block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\\n sequence 204 flags 0x10(PREALLOC)\\n atime 1716417703.220000000 (2024-05-22 15:41:43)\\n ctime 1716417704.983333333 (2024-05-22 15:41:44)\\n mtime 1716417704.983333333 (2024-05-22 15:41:44)\\n otime 17592186044416.000000000 (559444-03-08 01:40:16)\\n item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\\n index 195 namelen 3 name: 193\\n item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\\n location key (0 UNKNOWN.0 0) type XATTR\\n transid 7 data_len 1 name_len 6\\n name: user.a\\n data a\\n item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\\n generation 9 type 1 (regular)\\n extent data disk byte 303144960 nr 12288\\n extent data offset 0 nr 4096 ram 12288\\n extent compression 0 (none)\\n item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\\n generation 9 type 2 (prealloc)\\n prealloc data disk byte 303144960 nr 12288\\n prealloc data offset 4096 nr 8192\\n item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\\n generation 9 type 2 (prealloc)\\n prealloc data disk byte 303144960 nr 12288\\n prealloc data offset 8192 nr 4096\\n ...\\n\\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\\nitem 5 starts at i_size.\\n\\nHere is the state of \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37354\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-37356", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-37356" + }, + { + "url": "https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c" + }, + { + "url": "https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6" + }, + { + "url": "https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd" + }, + { + "url": "https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66" + }, + { + "url": "https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf" + }, + { + "url": "https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a" + }, + { + "url": "https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be" + }, + { + "url": "https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-37356 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-37356", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\n\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\n\n alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n ...\n delivered_ce <<= (10 - dctcp_shift_g);\n\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\n\n memcpy((void*)0x20000080,\n \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n /*flags=*/2ul, /*mode=*/0ul);\n memcpy((void*)0x20000000, \"100\\000\", 4);\n syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\n\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\n\nWith this patch:\n\n # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n 10\n # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n -bash: echo: write error: Invalid argument\n\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-37356\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-37356\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-37356\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-37356\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37356\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c\",\n \"https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6\",\n \"https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd\",\n \"https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66\",\n \"https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf\",\n \"https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a\",\n \"https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be\",\n \"https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\\n\\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\\nas follows:\\n\\n alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\\n ...\\n delivered_ce <<= (10 - dctcp_shift_g);\\n\\nIt seems syzkaller started fuzzing module parameters and triggered\\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\\n\\n memcpy((void*)0x20000080,\\n \\\"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\\\000\\\", 47);\\n res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\\n /*flags=*/2ul, /*mode=*/0ul);\\n memcpy((void*)0x20000000, \\\"100\\\\000\\\", 4);\\n syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\\n\\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\\n\\nWith this patch:\\n\\n # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\\n # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\\n 10\\n # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\\n -bash: echo: write error: Invalid argument\\n\\n[0]:\\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\\n1.13.0-1ubuntu1.1 04/01/2014\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\\n ubsan_epilogue lib/ubsan.c:231 [inline]\\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\\n sk_backlog_rcv include/net/sock.h:1106 [inline]\\n __release_sock+0x20f/0x350 net/core/sock.c:2983\\n release_sock+0x61/0x1f0 net/core/sock.c:3549\\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\\n __sock_release net/socket.c:659 [inline]\\n sock_close+0xc0/0x240 net/socket.c:1421\\n __fput+0x41b/0x890 fs/file_table.c:422\\n task_work_run+0x23b/0x300 kernel/task_work.c:180\\n exit_task_work include/linux/task_work.h:38 [inline]\\n do_exit+0x9c8/0x2540 kernel/exit.c:878\\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\\n __do_sys_exit_group kernel/exit.c:1038 [inline]\\n __se_sys_exit_group kernel/exit.c:1036 [inline]\\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\\nRIP: 0033:0x7f6c2b5005b6\\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-37356\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38306", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38306" + }, + { + "url": "https://git.kernel.org/stable/c/952f048eb901881a7cc6f7c1368b53cd386ead7b" + }, + { + "url": "https://git.kernel.org/stable/c/f3a5367c679d31473d3fbb391675055b4792c309" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38306 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38306", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: protect folio::private when attaching extent buffer folios\n\n[BUG]\nSince v6.8 there are rare kernel crashes reported by various people,\nthe common factor is bad page status error messages like this:\n\n BUG: Bad page state in process kswapd0 pfn:d6e840\n page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c\n pfn:0xd6e840\n aops:btree_aops ino:1\n flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)\n page_type: 0xffffffff()\n raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0\n raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: non-NULL mapping\n\n[CAUSE]\nCommit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") changes the sequence when allocating a new\nextent buffer.\n\nPreviously we always called grab_extent_buffer() under\nmapping->i_private_lock, to ensure the safety on modification on\nfolio::private (which is a pointer to extent buffer for regular\nsectorsize).\n\nThis can lead to the following race:\n\nThread A is trying to allocate an extent buffer at bytenr X, with 4\n4K pages, meanwhile thread B is trying to release the page at X + 4K\n(the second page of the extent buffer at X).\n\n Thread A | Thread B\n-----------------------------------+-------------------------------------\n | btree_release_folio()\n\t\t\t\t | | This is for the page at X + 4K,\n\t\t\t\t | | Not page X.\n\t\t\t\t | |\nalloc_extent_buffer() | |- release_extent_buffer()\n|- filemap_add_folio() for the | | |- atomic_dec_and_test(eb->refs)\n| page at bytenr X (the first | | |\n| page). | | |\n| Which returned -EEXIST. | | |\n| | | |\n|- filemap_lock_folio() | | |\n| Returned the first page locked. | | |\n| | | |\n|- grab_extent_buffer() | | |\n| |- atomic_inc_not_zero() | | |\n| | Returned false | | |\n| |- folio_detach_private() | | |- folio_detach_private() for X\n| |- folio_test_private() | | |- folio_test_private()\n | Returned true | | | Returned true\n |- folio_put() | |- folio_put()\n\nNow there are two puts on the same folio at folio X, leading to refcount\nunderflow of the folio X, and eventually causing the BUG_ON() on the\npage->mapping.\n\nThe condition is not that easy to hit:\n\n- The release must be triggered for the middle page of an eb\n If the release is on the same first page of an eb, page lock would kick\n in and prevent the race.\n\n- folio_detach_private() has a very small race window\n It's only between folio_test_private() and folio_clear_private().\n\nThat's exactly when mapping->i_private_lock is used to prevent such race,\nand commit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") screwed that up.\n\nAt that time, I thought the page lock would kick in as\nfilemap_release_folio() also requires the page to be locked, but forgot\nthe filemap_release_folio() only locks one page, not all pages of an\nextent buffer.\n\n[FIX]\nMove all the code requiring i_private_lock into\nattach_eb_folio_to_filemap(), so that everything is done with proper\nlock protection.\n\nFurthermore to prevent future problems, add an extra\nlockdep_assert_locked() to ensure we're holding the proper lock.\n\nTo reproducer that is able to hit the race (takes a few minutes with\ninstrumented code inserting delays to alloc_extent_buffer()):\n\n #!/bin/sh\n drop_caches () {\n\t while(true); do\n\t\t echo 3 > /proc/sys/vm/drop_caches\n\t\t echo 1 > /proc/sys/vm/compact_memory\n\t done\n }\n\n run_tar () {\n\t while(true); do\n\t\t for x in `seq 1 80` ; do\n\t\t\t tar cf /dev/zero /mnt > /dev/null &\n\t\t done\n\t\t wait\n\t done\n }\n\n mkfs.btrfs -f -d single -m single\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38306\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38306\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38306\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38306\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38306\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/952f048eb901881a7cc6f7c1368b53cd386ead7b\",\n \"https://git.kernel.org/stable/c/f3a5367c679d31473d3fbb391675055b4792c309\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: protect folio::private when attaching extent buffer folios\\n\\n[BUG]\\nSince v6.8 there are rare kernel crashes reported by various people,\\nthe common factor is bad page status error messages like this:\\n\\n BUG: Bad page state in process kswapd0 pfn:d6e840\\n page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c\\n pfn:0xd6e840\\n aops:btree_aops ino:1\\n flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)\\n page_type: 0xffffffff()\\n raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0\\n raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000\\n page dumped because: non-NULL mapping\\n\\n[CAUSE]\\nCommit 09e6cef19c9f (\\\"btrfs: refactor alloc_extent_buffer() to\\nallocate-then-attach method\\\") changes the sequence when allocating a new\\nextent buffer.\\n\\nPreviously we always called grab_extent_buffer() under\\nmapping->i_private_lock, to ensure the safety on modification on\\nfolio::private (which is a pointer to extent buffer for regular\\nsectorsize).\\n\\nThis can lead to the following race:\\n\\nThread A is trying to allocate an extent buffer at bytenr X, with 4\\n4K pages, meanwhile thread B is trying to release the page at X + 4K\\n(the second page of the extent buffer at X).\\n\\n Thread A | Thread B\\n-----------------------------------+-------------------------------------\\n | btree_release_folio()\\n\\t\\t\\t\\t | | This is for the page at X + 4K,\\n\\t\\t\\t\\t | | Not page X.\\n\\t\\t\\t\\t | |\\nalloc_extent_buffer() | |- release_extent_buffer()\\n|- filemap_add_folio() for the | | |- atomic_dec_and_test(eb->refs)\\n| page at bytenr X (the first | | |\\n| page). | | |\\n| Which returned -EEXIST. | | |\\n| | | |\\n|- filemap_lock_folio() | | |\\n| Returned the first page locked. | | |\\n| | | |\\n|- grab_extent_buffer() | | |\\n| |- atomic_inc_not_zero() | | |\\n| | Returned false | | |\\n| |- folio_detach_private() | | |- folio_detach_private() for X\\n| |- folio_test_private() | | |- folio_test_private()\\n | Returned true | | | Returned true\\n |- folio_put() | |- folio_put()\\n\\nNow there are two puts on the same folio at folio X, leading to refcount\\nunderflow of the folio X, and eventually causing the BUG_ON() on the\\npage->mapping.\\n\\nThe condition is not that easy to hit:\\n\\n- The release must be triggered for the middle page of an eb\\n If the release is on the same first page of an eb, page lock would kick\\n in and prevent the race.\\n\\n- folio_detach_private() has a very small race window\\n It's only between folio_test_private() and folio_clear_private().\\n\\nThat's exactly when mapping->i_private_lock is used to prevent such race,\\nand commit 09e6cef19c9f (\\\"btrfs: refactor alloc_extent_buffer() to\\nallocate-then-attach method\\\") screwed that up.\\n\\nAt that time, I thought the page lock would kick in as\\nfilemap_release_folio() also requires the page to be locked, but forgot\\nthe filemap_release_folio() only locks one page, not all pages of an\\nextent buffer.\\n\\n[FIX]\\nMove all the code requiring i_private_lock into\\nattach_eb_folio_to_filemap(), so that everything is done with proper\\nlock protection.\\n\\nFurthermore to prevent future problems, add an extra\\nlockdep_assert_locked() to ensure we're holding the proper lock.\\n\\nTo reproducer that is able to hit the race (takes a few minutes with\\ninstrumented code inserting delays to alloc_extent_buffer()):\\n\\n #!/bin/sh\\n drop_caches () {\\n\\t while(true); do\\n\\t\\t echo 3 > /proc/sys/vm/drop_caches\\n\\t\\t echo 1 > /proc/sys/vm/compact_memory\\n\\t done\\n }\\n\\n run_tar () {\\n\\t while(true); do\\n\\t\\t for x in `seq 1 80` ; do\\n\\t\\t\\t tar cf /dev/zero /mnt > /dev/null &\\n\\t\\t done\\n\\t\\t wait\\n\\t done\\n }\\n\\n mkfs.btrfs -f -d single -m single\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38306\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38381", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38381" + }, + { + "url": "https://git.kernel.org/stable/c/017ff397624930fd7ac7f1761f3c9d6a7100f68c" + }, + { + "url": "https://git.kernel.org/stable/c/406cfac9debd4a6d3dc5d9258ee086372a8c08b6" + }, + { + "url": "https://git.kernel.org/stable/c/485ded868ed62ceb2acb3a459d7843fd71472619" + }, + { + "url": "https://git.kernel.org/stable/c/ad4d196d2008c7f413167f0a693feb4f0439d7fe" + }, + { + "url": "https://git.kernel.org/stable/c/e4a87abf588536d1cdfb128595e6e680af5cf3ed" + }, + { + "url": "https://git.kernel.org/stable/c/e53a7f8afcbd2886f2a94c5d56757328109730ea" + }, + { + "url": "https://git.kernel.org/stable/c/e8c8e0d0d214c877fbad555df5b3ed558cd9b0c3" + }, + { + "url": "https://git.kernel.org/stable/c/f80b786ab0550d0020191a59077b2c7e069db2d1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38381 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38381", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_rx_work\n\nsyzbot reported the following uninit-value access issue [1]\n\nnci_rx_work() parses received packet from ndev->rx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38381\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38381\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38381\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38381\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38381\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/017ff397624930fd7ac7f1761f3c9d6a7100f68c\",\n \"https://git.kernel.org/stable/c/406cfac9debd4a6d3dc5d9258ee086372a8c08b6\",\n \"https://git.kernel.org/stable/c/485ded868ed62ceb2acb3a459d7843fd71472619\",\n \"https://git.kernel.org/stable/c/ad4d196d2008c7f413167f0a693feb4f0439d7fe\",\n \"https://git.kernel.org/stable/c/e4a87abf588536d1cdfb128595e6e680af5cf3ed\",\n \"https://git.kernel.org/stable/c/e53a7f8afcbd2886f2a94c5d56757328109730ea\",\n \"https://git.kernel.org/stable/c/e8c8e0d0d214c877fbad555df5b3ed558cd9b0c3\",\n \"https://git.kernel.org/stable/c/f80b786ab0550d0020191a59077b2c7e069db2d1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc: nci: Fix uninit-value in nci_rx_work\\n\\nsyzbot reported the following uninit-value access issue [1]\\n\\nnci_rx_work() parses received packet from ndev->rx_q. It should be\\nvalidated header size, payload size and total packet size before\\nprocessing the packet. If an invalid packet is detected, it should be\\nsilently discarded.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38381\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38538", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38538" + }, + { + "url": "https://git.kernel.org/stable/c/1abb371147905ba250b4cc0230c4be7e90bea4d5" + }, + { + "url": "https://git.kernel.org/stable/c/28126b83f86ab9cc7936029c2dff845d3dcedba2" + }, + { + "url": "https://git.kernel.org/stable/c/5b5d669f569807c7ab07546e73c0741845a2547a" + }, + { + "url": "https://git.kernel.org/stable/c/8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc" + }, + { + "url": "https://git.kernel.org/stable/c/f482fd4ce919836a49012b2d31b00fc36e2488f2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38538 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38538", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: xmit: make sure we have at least eth header len bytes\n\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\nwe can actually pull that amount instead of assuming.\n\nTested with dropwatch:\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\n origin: software\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\n protocol: 0x88a8\n length: 2\n original length: 2\n drop reason: PKT_TOO_SMALL\n\n[1]\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n __bpf_tx_skb net/core/filter.c:2136 [inline]\n __bpf_redirect_common net/core/filter.c:2180 [inline]\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\n __bpf_prog_run include/linux/filter.h:657 [inline]\n bpf_prog_run include/linux/filter.h:664 [inline]\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38538\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38538\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38538\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38538\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38538\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1abb371147905ba250b4cc0230c4be7e90bea4d5\",\n \"https://git.kernel.org/stable/c/28126b83f86ab9cc7936029c2dff845d3dcedba2\",\n \"https://git.kernel.org/stable/c/5b5d669f569807c7ab07546e73c0741845a2547a\",\n \"https://git.kernel.org/stable/c/8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc\",\n \"https://git.kernel.org/stable/c/f482fd4ce919836a49012b2d31b00fc36e2488f2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: bridge: xmit: make sure we have at least eth header len bytes\\n\\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\\nwe can actually pull that amount instead of assuming.\\n\\nTested with dropwatch:\\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\\n origin: software\\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\\n protocol: 0x88a8\\n length: 2\\n original length: 2\\n drop reason: PKT_TOO_SMALL\\n\\n[1]\\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\\n xmit_one net/core/dev.c:3531 [inline]\\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\\n __bpf_tx_skb net/core/filter.c:2136 [inline]\\n __bpf_redirect_common net/core/filter.c:2180 [inline]\\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\\n __bpf_prog_run include/linux/filter.h:657 [inline]\\n bpf_prog_run include/linux/filter.h:664 [inline]\\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38538\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38540", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38540" + }, + { + "url": "https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc" + }, + { + "url": "https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659" + }, + { + "url": "https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753" + }, + { + "url": "https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38540 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38540", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n shift exponent 64 is too large for 64-bit type 'long unsigned int'\n CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n Call Trace:\n \n dump_stack_lvl+0x5d/0x80\n ubsan_epilogue+0x5/0x30\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __kmalloc+0x1b6/0x4f0\n ? create_qp.part.0+0x128/0x1c0 [ib_core]\n ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n create_qp.part.0+0x128/0x1c0 [ib_core]\n ib_create_qp_kernel+0x50/0xd0 [ib_core]\n create_mad_qp+0x8e/0xe0 [ib_core]\n ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n ib_mad_init_device+0x2be/0x680 [ib_core]\n add_client_context+0x10d/0x1a0 [ib_core]\n enable_device_and_get+0xe0/0x1d0 [ib_core]\n ib_register_device+0x53c/0x630 [ib_core]\n ? srso_alias_return_thunk+0x5/0xfbef5\n bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n auxiliary_bus_probe+0x49/0x80\n ? driver_sysfs_add+0x57/0xc0\n really_probe+0xde/0x340\n ? pm_runtime_barrier+0x54/0x90\n ? __pfx___driver_attach+0x10/0x10\n __driver_probe_device+0x78/0x110\n driver_probe_device+0x1f/0xa0\n __driver_attach+0xba/0x1c0\n bus_for_each_dev+0x8f/0xe0\n bus_add_driver+0x146/0x220\n driver_register+0x72/0xd0\n __auxiliary_driver_register+0x6e/0xd0\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n do_one_initcall+0x5b/0x310\n do_init_module+0x90/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x121/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x82/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode_prepare+0x149/0x170\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode+0x75/0x230\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_syscall_64+0x8e/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __count_memcg_events+0x69/0x100\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? count_memcg_events.constprop.0+0x1a/0x30\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? handle_mm_fault+0x1f0/0x300\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_user_addr_fault+0x34e/0x640\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f4e5132821d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n \n ---[ end trace ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38540\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38540\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38540\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38540\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38540\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc\",\n \"https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659\",\n \"https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753\",\n \"https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\\n\\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\\nIn that case, \\\"roundup_pow_of_two(hwq_attr->aux_stride)\\\" gets called.\\nroundup_pow_of_two is documented as undefined for 0.\\n\\nFix it in the one caller that had this combination.\\n\\nThe undefined behavior was detected by UBSAN:\\n UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\\n shift exponent 64 is too large for 64-bit type 'long unsigned int'\\n CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\\n Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\\n Call Trace:\\n \\n dump_stack_lvl+0x5d/0x80\\n ubsan_epilogue+0x5/0x30\\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\\n __roundup_pow_of_two+0x25/0x35 [bnxt_re]\\n bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\\n bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\\n bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? __kmalloc+0x1b6/0x4f0\\n ? create_qp.part.0+0x128/0x1c0 [ib_core]\\n ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\\n create_qp.part.0+0x128/0x1c0 [ib_core]\\n ib_create_qp_kernel+0x50/0xd0 [ib_core]\\n create_mad_qp+0x8e/0xe0 [ib_core]\\n ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\\n ib_mad_init_device+0x2be/0x680 [ib_core]\\n add_client_context+0x10d/0x1a0 [ib_core]\\n enable_device_and_get+0xe0/0x1d0 [ib_core]\\n ib_register_device+0x53c/0x630 [ib_core]\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\\n ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\\n auxiliary_bus_probe+0x49/0x80\\n ? driver_sysfs_add+0x57/0xc0\\n really_probe+0xde/0x340\\n ? pm_runtime_barrier+0x54/0x90\\n ? __pfx___driver_attach+0x10/0x10\\n __driver_probe_device+0x78/0x110\\n driver_probe_device+0x1f/0xa0\\n __driver_attach+0xba/0x1c0\\n bus_for_each_dev+0x8f/0xe0\\n bus_add_driver+0x146/0x220\\n driver_register+0x72/0xd0\\n __auxiliary_driver_register+0x6e/0xd0\\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\\n bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\\n do_one_initcall+0x5b/0x310\\n do_init_module+0x90/0x250\\n init_module_from_file+0x86/0xc0\\n idempotent_init_module+0x121/0x2b0\\n __x64_sys_finit_module+0x5e/0xb0\\n do_syscall_64+0x82/0x160\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? syscall_exit_to_user_mode_prepare+0x149/0x170\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? syscall_exit_to_user_mode+0x75/0x230\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? do_syscall_64+0x8e/0x160\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? __count_memcg_events+0x69/0x100\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? count_memcg_events.constprop.0+0x1a/0x30\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? handle_mm_fault+0x1f0/0x300\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? do_user_addr_fault+0x34e/0x640\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n RIP: 0033:0x7f4e5132821d\\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\\n RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\\n RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\\n RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\\n RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\\n R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\\n R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\\n \\n ---[ end trace ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38540\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38541", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38541" + }, + { + "url": "https://git.kernel.org/stable/c/0b0d5701a8bf02f8fee037e81aacf6746558bfd6" + }, + { + "url": "https://git.kernel.org/stable/c/cf7385cb26ac4f0ee6c7385960525ad534323252" + }, + { + "url": "https://git.kernel.org/stable/c/e45b69360a63165377b30db4a1dfddd89ca18e9a" + }, + { + "url": "https://git.kernel.org/stable/c/ee332023adfd5882808f2dabf037b32d6ce36f9e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38541 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38541", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: add buffer overflow check in of_modalias()\n\nIn of_modalias(), if the buffer happens to be too small even for the 1st\nsnprintf() call, the len parameter will become negative and str parameter\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\noverflow check after the 1st snprintf() call and fix such check after the\nstrlen() call (accounting for the terminating NUL char).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38541\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38541\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38541\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38541\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38541\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b0d5701a8bf02f8fee037e81aacf6746558bfd6\",\n \"https://git.kernel.org/stable/c/cf7385cb26ac4f0ee6c7385960525ad534323252\",\n \"https://git.kernel.org/stable/c/e45b69360a63165377b30db4a1dfddd89ca18e9a\",\n \"https://git.kernel.org/stable/c/ee332023adfd5882808f2dabf037b32d6ce36f9e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nof: module: add buffer overflow check in of_modalias()\\n\\nIn of_modalias(), if the buffer happens to be too small even for the 1st\\nsnprintf() call, the len parameter will become negative and str parameter\\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\\noverflow check after the 1st snprintf() call and fix such check after the\\nstrlen() call (accounting for the terminating NUL char).\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38541\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38543", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38543" + }, + { + "url": "https://git.kernel.org/stable/c/1a21fdeea502658e315bd939409b755974f4fb64" + }, + { + "url": "https://git.kernel.org/stable/c/3b20d18f475bd17309db640dbe7d7c7ebb5bc2bc" + }, + { + "url": "https://git.kernel.org/stable/c/65e528a69cb3ed4a286c45b4afba57461c8b5b33" + }, + { + "url": "https://git.kernel.org/stable/c/c2af060d1c18beaec56351cf9c9bcbbc5af341a3" + }, + { + "url": "https://git.kernel.org/stable/c/ce47e8ead9a72834cc68431d53f8092ce69bebb7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38543 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38543", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/test_hmm.c: handle src_pfns and dst_pfns allocation failure\n\nThe kcalloc() in dmirror_device_evict_chunk() will return null if the\nphysical memory has run out. As a result, if src_pfns or dst_pfns is\ndereferenced, the null pointer dereference bug will happen.\n\nMoreover, the device is going away. If the kcalloc() fails, the pages\nmapping a chunk could not be evicted. So add a __GFP_NOFAIL flag in\nkcalloc().\n\nFinally, as there is no need to have physically contiguous memory, Switch\nkcalloc() to kvcalloc() in order to avoid failing allocations.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38543\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38543\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38543\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38543\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38543\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a21fdeea502658e315bd939409b755974f4fb64\",\n \"https://git.kernel.org/stable/c/3b20d18f475bd17309db640dbe7d7c7ebb5bc2bc\",\n \"https://git.kernel.org/stable/c/65e528a69cb3ed4a286c45b4afba57461c8b5b33\",\n \"https://git.kernel.org/stable/c/c2af060d1c18beaec56351cf9c9bcbbc5af341a3\",\n \"https://git.kernel.org/stable/c/ce47e8ead9a72834cc68431d53f8092ce69bebb7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlib/test_hmm.c: handle src_pfns and dst_pfns allocation failure\\n\\nThe kcalloc() in dmirror_device_evict_chunk() will return null if the\\nphysical memory has run out. As a result, if src_pfns or dst_pfns is\\ndereferenced, the null pointer dereference bug will happen.\\n\\nMoreover, the device is going away. If the kcalloc() fails, the pages\\nmapping a chunk could not be evicted. So add a __GFP_NOFAIL flag in\\nkcalloc().\\n\\nFinally, as there is no need to have physically contiguous memory, Switch\\nkcalloc() to kvcalloc() in order to avoid failing allocations.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38543\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38544", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38544" + }, + { + "url": "https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794" + }, + { + "url": "https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6" + }, + { + "url": "https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb" + }, + { + "url": "https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc" + }, + { + "url": "https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38544 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38544", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix seg fault in rxe_comp_queue_pkt\n\nIn rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the\nresp_pkts queue and then a decision is made whether to run the completer\ntask inline or schedule it. Finally the skb is dereferenced to bump a 'hw'\nperformance counter. This is wrong because if the completer task is\nalready running in a separate thread it may have already processed the skb\nand freed it which can cause a seg fault. This has been observed\ninfrequently in testing at high scale.\n\nThis patch fixes this by changing the order of enqueuing the packet until\nafter the counter is accessed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38544\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38544\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38544\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38544\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38544\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794\",\n \"https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6\",\n \"https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb\",\n \"https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc\",\n \"https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/rxe: Fix seg fault in rxe_comp_queue_pkt\\n\\nIn rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the\\nresp_pkts queue and then a decision is made whether to run the completer\\ntask inline or schedule it. Finally the skb is dereferenced to bump a 'hw'\\nperformance counter. This is wrong because if the completer task is\\nalready running in a separate thread it may have already processed the skb\\nand freed it which can cause a seg fault. This has been observed\\ninfrequently in testing at high scale.\\n\\nThis patch fixes this by changing the order of enqueuing the packet until\\nafter the counter is accessed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38544\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38545", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38545" + }, + { + "url": "https://git.kernel.org/stable/c/37a7559dc1358a8d300437e99ed8ecdab0671507" + }, + { + "url": "https://git.kernel.org/stable/c/39d26cf46306bdc7ae809ecfdbfeff5aa1098911" + }, + { + "url": "https://git.kernel.org/stable/c/63da190eeb5c9d849b71f457b15b308c94cbaf08" + }, + { + "url": "https://git.kernel.org/stable/c/763780ef0336a973e933e40e919339381732dcaf" + }, + { + "url": "https://git.kernel.org/stable/c/a942ec2745ca864cd8512142100e4027dc306a42" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38545 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38545", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix UAF for cq async event\n\nThe refcount of CQ is not protected by locks. When CQ asynchronous\nevents and CQ destruction are concurrent, CQ may have been released,\nwhich will cause UAF.\n\nUse the xa_lock() to protect the CQ refcount.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38545\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38545\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38545\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38545\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38545\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/37a7559dc1358a8d300437e99ed8ecdab0671507\",\n \"https://git.kernel.org/stable/c/39d26cf46306bdc7ae809ecfdbfeff5aa1098911\",\n \"https://git.kernel.org/stable/c/63da190eeb5c9d849b71f457b15b308c94cbaf08\",\n \"https://git.kernel.org/stable/c/763780ef0336a973e933e40e919339381732dcaf\",\n \"https://git.kernel.org/stable/c/a942ec2745ca864cd8512142100e4027dc306a42\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/hns: Fix UAF for cq async event\\n\\nThe refcount of CQ is not protected by locks. When CQ asynchronous\\nevents and CQ destruction are concurrent, CQ may have been released,\\nwhich will cause UAF.\\n\\nUse the xa_lock() to protect the CQ refcount.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38545\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38546", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38546" + }, + { + "url": "https://git.kernel.org/stable/c/2a345fe928c21de6f3c3c7230ff509d715153a31" + }, + { + "url": "https://git.kernel.org/stable/c/2d9adecc88ab678785b581ab021f039372c324cb" + }, + { + "url": "https://git.kernel.org/stable/c/42c22b63056cea259d5313bf138a834840af85a5" + }, + { + "url": "https://git.kernel.org/stable/c/6cf1874aec42058a5ad621a23b5b2f248def0e96" + }, + { + "url": "https://git.kernel.org/stable/c/80431ea3634efb47a3004305d76486db9dd8ed49" + }, + { + "url": "https://git.kernel.org/stable/c/bd7827d46d403f8cdb43d16744cb1114e4726b21" + }, + { + "url": "https://git.kernel.org/stable/c/c534b63bede6cb987c2946ed4d0b0013a52c5ba7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38546 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38546", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: vc4: Fix possible null pointer dereference\n\nIn vc4_hdmi_audio_init() of_get_address() may return\nNULL which is later dereferenced. Fix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38546\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38546\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38546\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38546\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38546\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a345fe928c21de6f3c3c7230ff509d715153a31\",\n \"https://git.kernel.org/stable/c/2d9adecc88ab678785b581ab021f039372c324cb\",\n \"https://git.kernel.org/stable/c/42c22b63056cea259d5313bf138a834840af85a5\",\n \"https://git.kernel.org/stable/c/6cf1874aec42058a5ad621a23b5b2f248def0e96\",\n \"https://git.kernel.org/stable/c/80431ea3634efb47a3004305d76486db9dd8ed49\",\n \"https://git.kernel.org/stable/c/bd7827d46d403f8cdb43d16744cb1114e4726b21\",\n \"https://git.kernel.org/stable/c/c534b63bede6cb987c2946ed4d0b0013a52c5ba7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm: vc4: Fix possible null pointer dereference\\n\\nIn vc4_hdmi_audio_init() of_get_address() may return\\nNULL which is later dereferenced. Fix this bug by adding NULL check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38546\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38547", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38547" + }, + { + "url": "https://git.kernel.org/stable/c/3b621e9e9e148c0928ab109ac3d4b81487469acb" + }, + { + "url": "https://git.kernel.org/stable/c/4b68b861b514a5c09220d622ac3784c0ebac6c80" + }, + { + "url": "https://git.kernel.org/stable/c/6482c433863b257b0b9b687c28ce80b89d5f89f0" + }, + { + "url": "https://git.kernel.org/stable/c/69b27ff82f87379afeaaea4b2f339032fdd8486e" + }, + { + "url": "https://git.kernel.org/stable/c/82c2c85aead3ea3cbceef4be077cf459c5df2272" + }, + { + "url": "https://git.kernel.org/stable/c/a1ab99dcc8604afe7e3bccb01b10da03bdd7ea35" + }, + { + "url": "https://git.kernel.org/stable/c/cc20c87b04db86c8e3e810bcdca686b406206069" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38547 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38547", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\n\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\nis followed with a dereference of mycs->yuv_scaler_binary after the\nfollowing call chain:\n\nsh_css_pipe_load_binaries()\n |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\n |\n |-> sh_css_pipe_unload_binaries()\n |-> unload_video_binaries()\n\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\ndereference is triggered.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38547\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38547\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38547\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38547\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38547\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b621e9e9e148c0928ab109ac3d4b81487469acb\",\n \"https://git.kernel.org/stable/c/4b68b861b514a5c09220d622ac3784c0ebac6c80\",\n \"https://git.kernel.org/stable/c/6482c433863b257b0b9b687c28ce80b89d5f89f0\",\n \"https://git.kernel.org/stable/c/69b27ff82f87379afeaaea4b2f339032fdd8486e\",\n \"https://git.kernel.org/stable/c/82c2c85aead3ea3cbceef4be077cf459c5df2272\",\n \"https://git.kernel.org/stable/c/a1ab99dcc8604afe7e3bccb01b10da03bdd7ea35\",\n \"https://git.kernel.org/stable/c/cc20c87b04db86c8e3e810bcdca686b406206069\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\\n\\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\\nis followed with a dereference of mycs->yuv_scaler_binary after the\\nfollowing call chain:\\n\\nsh_css_pipe_load_binaries()\\n |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\\n |\\n |-> sh_css_pipe_unload_binaries()\\n |-> unload_video_binaries()\\n\\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\\ndereference is triggered.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38547\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38548", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38548" + }, + { + "url": "https://git.kernel.org/stable/c/32fb2ef124c3301656ac6c789a2ef35ef69a66da" + }, + { + "url": "https://git.kernel.org/stable/c/47889711da20be9b43e1e136e5cb68df37cbcc79" + }, + { + "url": "https://git.kernel.org/stable/c/85d1a27402f81f2e04b0e67d20f749c2a14edbb3" + }, + { + "url": "https://git.kernel.org/stable/c/89788cd9824c28ffcdea40232c458233353d1896" + }, + { + "url": "https://git.kernel.org/stable/c/935a92a1c400285545198ca2800a4c6c519c650a" + }, + { + "url": "https://git.kernel.org/stable/c/ca53b7efd4ba6ae92fd2b3085cb099c745e96965" + }, + { + "url": "https://git.kernel.org/stable/c/dcf53e6103b26e7458be71491d0641f49fbd5840" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38548 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38548", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: cdns-mhdp8546: Fix possible null pointer dereference\n\nIn cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is\nassigned to mhdp_state->current_mode, and there is a dereference of it in\ndrm_mode_set_name(), which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate().\n\nFix this bug add a check of mhdp_state->current_mode.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38548\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38548\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38548\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38548\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38548\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32fb2ef124c3301656ac6c789a2ef35ef69a66da\",\n \"https://git.kernel.org/stable/c/47889711da20be9b43e1e136e5cb68df37cbcc79\",\n \"https://git.kernel.org/stable/c/85d1a27402f81f2e04b0e67d20f749c2a14edbb3\",\n \"https://git.kernel.org/stable/c/89788cd9824c28ffcdea40232c458233353d1896\",\n \"https://git.kernel.org/stable/c/935a92a1c400285545198ca2800a4c6c519c650a\",\n \"https://git.kernel.org/stable/c/ca53b7efd4ba6ae92fd2b3085cb099c745e96965\",\n \"https://git.kernel.org/stable/c/dcf53e6103b26e7458be71491d0641f49fbd5840\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm: bridge: cdns-mhdp8546: Fix possible null pointer dereference\\n\\nIn cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is\\nassigned to mhdp_state->current_mode, and there is a dereference of it in\\ndrm_mode_set_name(), which will lead to a NULL pointer dereference on\\nfailure of drm_mode_duplicate().\\n\\nFix this bug add a check of mhdp_state->current_mode.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38548\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38549", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38549" + }, + { + "url": "https://git.kernel.org/stable/c/0e3b6f9123726858cac299e1654e3d20424cabe4" + }, + { + "url": "https://git.kernel.org/stable/c/13562c2d48c9ee330de1077d00146742be368f05" + }, + { + "url": "https://git.kernel.org/stable/c/1e4350095e8ab2577ee05f8c3b044e661b5af9a0" + }, + { + "url": "https://git.kernel.org/stable/c/79078880795478d551a05acc41f957700030d364" + }, + { + "url": "https://git.kernel.org/stable/c/9489951e3ae505534c4013db4e76b1b5a3151ac7" + }, + { + "url": "https://git.kernel.org/stable/c/af26ea99019caee1500bf7e60c861136c0bf8594" + }, + { + "url": "https://git.kernel.org/stable/c/be34a1b351ea7faeb15dde8c44fe89de3980ae67" + }, + { + "url": "https://git.kernel.org/stable/c/d17b75ee9c2e44d3a3682c4ea5ab713ea6073350" + }, + { + "url": "https://git.kernel.org/stable/c/fb4aabdb1b48c25d9e1ee28f89440fd2ce556405" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38549 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38549", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\n\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\nof 0 bytes. Currently, no such check exists and the kernel will panic if\na userspace application attempts to allocate a 0x0 GBM buffer.\n\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\nverifying that we now return EINVAL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38549\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38549\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38549\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38549\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38549\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e3b6f9123726858cac299e1654e3d20424cabe4\",\n \"https://git.kernel.org/stable/c/13562c2d48c9ee330de1077d00146742be368f05\",\n \"https://git.kernel.org/stable/c/1e4350095e8ab2577ee05f8c3b044e661b5af9a0\",\n \"https://git.kernel.org/stable/c/79078880795478d551a05acc41f957700030d364\",\n \"https://git.kernel.org/stable/c/9489951e3ae505534c4013db4e76b1b5a3151ac7\",\n \"https://git.kernel.org/stable/c/af26ea99019caee1500bf7e60c861136c0bf8594\",\n \"https://git.kernel.org/stable/c/be34a1b351ea7faeb15dde8c44fe89de3980ae67\",\n \"https://git.kernel.org/stable/c/d17b75ee9c2e44d3a3682c4ea5ab713ea6073350\",\n \"https://git.kernel.org/stable/c/fb4aabdb1b48c25d9e1ee28f89440fd2ce556405\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\\n\\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\\nof 0 bytes. Currently, no such check exists and the kernel will panic if\\na userspace application attempts to allocate a 0x0 GBM buffer.\\n\\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\\nverifying that we now return EINVAL.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38549\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38550", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38550" + }, + { + "url": "https://git.kernel.org/stable/c/1a7254525ca7a6f3e37d7882d7f7ad97f6235f7c" + }, + { + "url": "https://git.kernel.org/stable/c/5bf5154739cd676b6d0958079070557c8d96afb6" + }, + { + "url": "https://git.kernel.org/stable/c/802b49e39da669b54bd9b77dc3c649999a446bf6" + }, + { + "url": "https://git.kernel.org/stable/c/d48d0c5fd733bd6d8d3ddb2ed553777ab4724169" + }, + { + "url": "https://git.kernel.org/stable/c/de9987cec6fde1dd41dfcb971433e05945852489" + }, + { + "url": "https://git.kernel.org/stable/c/ea60ab95723f5738e7737b56dda95e6feefa5b50" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38550 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38550", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: kirkwood: Fix potential NULL dereference\n\nIn kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if\nCONFIG_PLAT_ORION macro is not defined.\nFix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38550\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38550\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38550\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38550\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38550\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a7254525ca7a6f3e37d7882d7f7ad97f6235f7c\",\n \"https://git.kernel.org/stable/c/5bf5154739cd676b6d0958079070557c8d96afb6\",\n \"https://git.kernel.org/stable/c/802b49e39da669b54bd9b77dc3c649999a446bf6\",\n \"https://git.kernel.org/stable/c/d48d0c5fd733bd6d8d3ddb2ed553777ab4724169\",\n \"https://git.kernel.org/stable/c/de9987cec6fde1dd41dfcb971433e05945852489\",\n \"https://git.kernel.org/stable/c/ea60ab95723f5738e7737b56dda95e6feefa5b50\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nASoC: kirkwood: Fix potential NULL dereference\\n\\nIn kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if\\nCONFIG_PLAT_ORION macro is not defined.\\nFix this bug by adding NULL check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38550\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38552", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38552" + }, + { + "url": "https://git.kernel.org/stable/c/04bc4d1090c343025d69149ca669a27c5b9c34a7" + }, + { + "url": "https://git.kernel.org/stable/c/123edbae64f4d21984359b99c6e79fcde31c6123" + }, + { + "url": "https://git.kernel.org/stable/c/4e8c8b37ee84b3b19c448d2b8e4c916d2f5b9c86" + }, + { + "url": "https://git.kernel.org/stable/c/604c506ca43fce52bb882cff9c1fdf2ec3b4029c" + }, + { + "url": "https://git.kernel.org/stable/c/63ae548f1054a0b71678d0349c7dc9628ddd42ca" + }, + { + "url": "https://git.kernel.org/stable/c/7226ddf3311c5e5a7726ad7d4e7b079bb3cfbb29" + }, + { + "url": "https://git.kernel.org/stable/c/98b8a6bfd30d07a19cfacdf82b50f84bf3360869" + }, + { + "url": "https://git.kernel.org/stable/c/ced9c4e2289a786b8fa684d8893b7045ea53ef7e" + }, + { + "url": "https://git.kernel.org/stable/c/e280ab978c81443103d7c61bdd1d8d708cf6ed6d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38552 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38552", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential index out of bounds in color transformation function\n\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38552\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38552\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38552\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38552\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38552\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04bc4d1090c343025d69149ca669a27c5b9c34a7\",\n \"https://git.kernel.org/stable/c/123edbae64f4d21984359b99c6e79fcde31c6123\",\n \"https://git.kernel.org/stable/c/4e8c8b37ee84b3b19c448d2b8e4c916d2f5b9c86\",\n \"https://git.kernel.org/stable/c/604c506ca43fce52bb882cff9c1fdf2ec3b4029c\",\n \"https://git.kernel.org/stable/c/63ae548f1054a0b71678d0349c7dc9628ddd42ca\",\n \"https://git.kernel.org/stable/c/7226ddf3311c5e5a7726ad7d4e7b079bb3cfbb29\",\n \"https://git.kernel.org/stable/c/98b8a6bfd30d07a19cfacdf82b50f84bf3360869\",\n \"https://git.kernel.org/stable/c/ced9c4e2289a786b8fa684d8893b7045ea53ef7e\",\n \"https://git.kernel.org/stable/c/e280ab978c81443103d7c61bdd1d8d708cf6ed6d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix potential index out of bounds in color transformation function\\n\\nFixes index out of bounds issue in the color transformation function.\\nThe issue could occur when the index 'i' exceeds the number of transfer\\nfunction points (TRANSFER_FUNC_POINTS).\\n\\nThe fix adds a check to ensure 'i' is within bounds before accessing the\\ntransfer function points. If 'i' is out of bounds, an error message is\\nlogged and the function returns false to indicate an error.\\n\\nReported by smatch:\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38552\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38553", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38553" + }, + { + "url": "https://git.kernel.org/stable/c/87bcbc9b7e0b43a69d44efa5f32f11e32d08fa6f" + }, + { + "url": "https://git.kernel.org/stable/c/accdd6b912c4219b8e056d1f1ad2e85bc66ee243" + }, + { + "url": "https://git.kernel.org/stable/c/c2e0c58b25a0a0c37ec643255558c5af4450c9f5" + }, + { + "url": "https://git.kernel.org/stable/c/d38625f71950e79e254515c5fc585552dad4b33e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38553 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38553", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\n\nThere is a deadlock issue found in sungem driver, please refer to the\ncommit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid\ndeadlocks\"). The root cause of the issue is that netpoll is in atomic\ncontext and disable_irq() is called by .ndo_poll_controller interface\nof sungem driver, however, disable_irq() might sleep. After analyzing\nthe implementation of fec_poll_controller(), the fec driver should have\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\nso fec_poll_controller() can be safely removed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38553\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38553\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38553\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38553\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38553\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/87bcbc9b7e0b43a69d44efa5f32f11e32d08fa6f\",\n \"https://git.kernel.org/stable/c/accdd6b912c4219b8e056d1f1ad2e85bc66ee243\",\n \"https://git.kernel.org/stable/c/c2e0c58b25a0a0c37ec643255558c5af4450c9f5\",\n \"https://git.kernel.org/stable/c/d38625f71950e79e254515c5fc585552dad4b33e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\\n\\nThere is a deadlock issue found in sungem driver, please refer to the\\ncommit ac0a230f719b (\\\"eth: sungem: remove .ndo_poll_controller to avoid\\ndeadlocks\\\"). The root cause of the issue is that netpoll is in atomic\\ncontext and disable_irq() is called by .ndo_poll_controller interface\\nof sungem driver, however, disable_irq() might sleep. After analyzing\\nthe implementation of fec_poll_controller(), the fec driver should have\\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\\nso fec_poll_controller() can be safely removed.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38553\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38554", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38554" + }, + { + "url": "https://git.kernel.org/stable/c/36e56b1b002bb26440403053f19f9e1a8bc075b2" + }, + { + "url": "https://git.kernel.org/stable/c/3ec437f9bbae68e9b38115c4c91de995f73f6bad" + }, + { + "url": "https://git.kernel.org/stable/c/8bad3a20a27be8d935f2aae08d3c6e743754944a" + }, + { + "url": "https://git.kernel.org/stable/c/965d940fb7414b310a22666503d2af69459c981b" + }, + { + "url": "https://git.kernel.org/stable/c/eef95df9b752699bddecefa851f64858247246e9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38554 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38554", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issue of net_device\n\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\n\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38554\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38554\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38554\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38554\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38554\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36e56b1b002bb26440403053f19f9e1a8bc075b2\",\n \"https://git.kernel.org/stable/c/3ec437f9bbae68e9b38115c4c91de995f73f6bad\",\n \"https://git.kernel.org/stable/c/8bad3a20a27be8d935f2aae08d3c6e743754944a\",\n \"https://git.kernel.org/stable/c/965d940fb7414b310a22666503d2af69459c981b\",\n \"https://git.kernel.org/stable/c/eef95df9b752699bddecefa851f64858247246e9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nax25: Fix reference count leak issue of net_device\\n\\nThere is a reference count leak issue of the object \\\"net_device\\\" in\\nax25_dev_device_down(). When the ax25 device is shutting down, the\\nax25_dev_device_down() drops the reference count of net_device one\\nor zero times depending on if we goto unlock_put or not, which will\\ncause memory leak.\\n\\nIn order to solve the above issue, decrease the reference count of\\nnet_device after dev->ax25_ptr is set to null.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38554\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38555", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38555" + }, + { + "url": "https://git.kernel.org/stable/c/1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb" + }, + { + "url": "https://git.kernel.org/stable/c/1d5dce5e92a70274de67a59e1e674c3267f94cd7" + }, + { + "url": "https://git.kernel.org/stable/c/3cb92b0ad73d3f1734e812054e698d655e9581b0" + }, + { + "url": "https://git.kernel.org/stable/c/7ac4c69c34240c6de820492c0a28a0bd1494265a" + }, + { + "url": "https://git.kernel.org/stable/c/bf8aaf0ae01c27ae3c06aa8610caf91e50393396" + }, + { + "url": "https://git.kernel.org/stable/c/db9b31aa9bc56ff0d15b78f7e827d61c4a096e40" + }, + { + "url": "https://git.kernel.org/stable/c/f6fbb8535e990f844371086ab2c1221f71f993d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38555 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38555", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Discard command completions in internal error\n\nFix use after free when FW completion arrives while device is in\ninternal error state. Avoid calling completion handler in this case,\nsince the device will flush the command interface and trigger all\ncompletions manually.\n\nKernel log:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\n...\nCall Trace:\n\n? __warn+0x79/0x120\n? refcount_warn_saturate+0xd8/0xe0\n? report_bug+0x17c/0x190\n? handle_bug+0x3c/0x60\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0xd8/0xe0\ncmd_ent_put+0x13b/0x160 [mlx5_core]\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x4b/0x160\nhandle_irq_event+0x2e/0x80\nhandle_edge_irq+0x98/0x230\n__common_interrupt+0x3b/0xa0\ncommon_interrupt+0x7b/0xa0\n\n\nasm_common_interrupt+0x22/0x40", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38555\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38555\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38555\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38555\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38555\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb\",\n \"https://git.kernel.org/stable/c/1d5dce5e92a70274de67a59e1e674c3267f94cd7\",\n \"https://git.kernel.org/stable/c/3cb92b0ad73d3f1734e812054e698d655e9581b0\",\n \"https://git.kernel.org/stable/c/7ac4c69c34240c6de820492c0a28a0bd1494265a\",\n \"https://git.kernel.org/stable/c/bf8aaf0ae01c27ae3c06aa8610caf91e50393396\",\n \"https://git.kernel.org/stable/c/db9b31aa9bc56ff0d15b78f7e827d61c4a096e40\",\n \"https://git.kernel.org/stable/c/f6fbb8535e990f844371086ab2c1221f71f993d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Discard command completions in internal error\\n\\nFix use after free when FW completion arrives while device is in\\ninternal error state. Avoid calling completion handler in this case,\\nsince the device will flush the command interface and trigger all\\ncompletions manually.\\n\\nKernel log:\\n------------[ cut here ]------------\\nrefcount_t: underflow; use-after-free.\\n...\\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\\n...\\nCall Trace:\\n\\n? __warn+0x79/0x120\\n? refcount_warn_saturate+0xd8/0xe0\\n? report_bug+0x17c/0x190\\n? handle_bug+0x3c/0x60\\n? exc_invalid_op+0x14/0x70\\n? asm_exc_invalid_op+0x16/0x20\\n? refcount_warn_saturate+0xd8/0xe0\\ncmd_ent_put+0x13b/0x160 [mlx5_core]\\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\\nnotifier_call_chain+0x35/0xb0\\natomic_notifier_call_chain+0x16/0x20\\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\\nnotifier_call_chain+0x35/0xb0\\natomic_notifier_call_chain+0x16/0x20\\nirq_int_handler+0x19/0x30 [mlx5_core]\\n__handle_irq_event_percpu+0x4b/0x160\\nhandle_irq_event+0x2e/0x80\\nhandle_edge_irq+0x98/0x230\\n__common_interrupt+0x3b/0xa0\\ncommon_interrupt+0x7b/0xa0\\n\\n\\nasm_common_interrupt+0x22/0x40\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38555\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38556", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38556" + }, + { + "url": "https://git.kernel.org/stable/c/2d0962d05c93de391ce85f6e764df895f47c8918" + }, + { + "url": "https://git.kernel.org/stable/c/485d65e1357123a697c591a5aeb773994b247ad7" + }, + { + "url": "https://git.kernel.org/stable/c/4baae687a20ef2b82fde12de3c04461e6f2521d6" + }, + { + "url": "https://git.kernel.org/stable/c/94024332a129c6e4275569d85c0c1bfb2ae2d71b" + }, + { + "url": "https://git.kernel.org/stable/c/f9caccdd42e999b74303c9b0643300073ed5d319" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38556 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38556", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Add a timeout to acquire the command queue semaphore\n\nPrevent forced completion handling on an entry that has not yet been\nassigned an index, causing an out of bounds access on idx = -22.\nInstead of waiting indefinitely for the sem, blocking flow now waits for\nindex to be allocated or a sem acquisition timeout before beginning the\ntimer for FW completion.\n\nKernel log example:\nmlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38556\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38556\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38556\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38556\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38556\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d0962d05c93de391ce85f6e764df895f47c8918\",\n \"https://git.kernel.org/stable/c/485d65e1357123a697c591a5aeb773994b247ad7\",\n \"https://git.kernel.org/stable/c/4baae687a20ef2b82fde12de3c04461e6f2521d6\",\n \"https://git.kernel.org/stable/c/94024332a129c6e4275569d85c0c1bfb2ae2d71b\",\n \"https://git.kernel.org/stable/c/f9caccdd42e999b74303c9b0643300073ed5d319\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Add a timeout to acquire the command queue semaphore\\n\\nPrevent forced completion handling on an entry that has not yet been\\nassigned an index, causing an out of bounds access on idx = -22.\\nInstead of waiting indefinitely for the sem, blocking flow now waits for\\nindex to be allocated or a sem acquisition timeout before beginning the\\ntimer for FW completion.\\n\\nKernel log example:\\nmlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38556\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38557", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38557" + }, + { + "url": "https://git.kernel.org/stable/c/0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4" + }, + { + "url": "https://git.kernel.org/stable/c/0f320f28f54b1b269a755be2e3fb3695e0b80b07" + }, + { + "url": "https://git.kernel.org/stable/c/e93fc8d959e56092e2eca1e5511c2d2f0ad6807a" + }, + { + "url": "https://git.kernel.org/stable/c/f03c714a0fdd1f93101a929d0e727c28a66383fc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38557 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38557", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Reload only IB representors upon lag disable/enable\n\nOn lag disable, the bond IB device along with all of its\nrepresentors are destroyed, and then the slaves' representors get reloaded.\n\nIn case the slave IB representor load fails, the eswitch error flow\nunloads all representors, including ethernet representors, where the\nnetdevs get detached and removed from lag bond. Such flow is inaccurate\nas the lag driver is not responsible for loading/unloading ethernet\nrepresentors. Furthermore, the flow described above begins by holding\nlag lock to prevent bond changes during disable flow. However, when\nreaching the ethernet representors detachment from lag, the lag lock is\nrequired again, triggering the following deadlock:\n\nCall trace:\n__switch_to+0xf4/0x148\n__schedule+0x2c8/0x7d0\nschedule+0x50/0xe0\nschedule_preempt_disabled+0x18/0x28\n__mutex_lock.isra.13+0x2b8/0x570\n__mutex_lock_slowpath+0x1c/0x28\nmutex_lock+0x4c/0x68\nmlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]\nmlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]\nmlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]\nmlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]\nmlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]\nmlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]\nmlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]\nmlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]\nmlx5_disable_lag+0x130/0x138 [mlx5_core]\nmlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock\nmlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]\ndevlink_nl_cmd_eswitch_set_doit+0xdc/0x180\ngenl_family_rcv_msg_doit.isra.17+0xe8/0x138\ngenl_rcv_msg+0xe4/0x220\nnetlink_rcv_skb+0x44/0x108\ngenl_rcv+0x40/0x58\nnetlink_unicast+0x198/0x268\nnetlink_sendmsg+0x1d4/0x418\nsock_sendmsg+0x54/0x60\n__sys_sendto+0xf4/0x120\n__arm64_sys_sendto+0x30/0x40\nel0_svc_common+0x8c/0x120\ndo_el0_svc+0x30/0xa0\nel0_svc+0x20/0x30\nel0_sync_handler+0x90/0xb8\nel0_sync+0x160/0x180\n\nThus, upon lag enable/disable, load and unload only the IB representors\nof the slaves preventing the deadlock mentioned above.\n\nWhile at it, refactor the mlx5_esw_offloads_rep_load() function to have\na static helper method for its internal logic, in symmetry with the\nrepresentor unload design.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38557\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38557\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38557\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38557\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38557\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4\",\n \"https://git.kernel.org/stable/c/0f320f28f54b1b269a755be2e3fb3695e0b80b07\",\n \"https://git.kernel.org/stable/c/e93fc8d959e56092e2eca1e5511c2d2f0ad6807a\",\n \"https://git.kernel.org/stable/c/f03c714a0fdd1f93101a929d0e727c28a66383fc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Reload only IB representors upon lag disable/enable\\n\\nOn lag disable, the bond IB device along with all of its\\nrepresentors are destroyed, and then the slaves' representors get reloaded.\\n\\nIn case the slave IB representor load fails, the eswitch error flow\\nunloads all representors, including ethernet representors, where the\\nnetdevs get detached and removed from lag bond. Such flow is inaccurate\\nas the lag driver is not responsible for loading/unloading ethernet\\nrepresentors. Furthermore, the flow described above begins by holding\\nlag lock to prevent bond changes during disable flow. However, when\\nreaching the ethernet representors detachment from lag, the lag lock is\\nrequired again, triggering the following deadlock:\\n\\nCall trace:\\n__switch_to+0xf4/0x148\\n__schedule+0x2c8/0x7d0\\nschedule+0x50/0xe0\\nschedule_preempt_disabled+0x18/0x28\\n__mutex_lock.isra.13+0x2b8/0x570\\n__mutex_lock_slowpath+0x1c/0x28\\nmutex_lock+0x4c/0x68\\nmlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]\\nmlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]\\nmlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]\\nmlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]\\nmlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]\\nmlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]\\nmlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]\\nmlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]\\nmlx5_disable_lag+0x130/0x138 [mlx5_core]\\nmlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock\\nmlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]\\ndevlink_nl_cmd_eswitch_set_doit+0xdc/0x180\\ngenl_family_rcv_msg_doit.isra.17+0xe8/0x138\\ngenl_rcv_msg+0xe4/0x220\\nnetlink_rcv_skb+0x44/0x108\\ngenl_rcv+0x40/0x58\\nnetlink_unicast+0x198/0x268\\nnetlink_sendmsg+0x1d4/0x418\\nsock_sendmsg+0x54/0x60\\n__sys_sendto+0xf4/0x120\\n__arm64_sys_sendto+0x30/0x40\\nel0_svc_common+0x8c/0x120\\ndo_el0_svc+0x30/0xa0\\nel0_svc+0x20/0x30\\nel0_sync_handler+0x90/0xb8\\nel0_sync+0x160/0x180\\n\\nThus, upon lag enable/disable, load and unload only the IB representors\\nof the slaves preventing the deadlock mentioned above.\\n\\nWhile at it, refactor the mlx5_esw_offloads_rep_load() function to have\\na static helper method for its internal logic, in symmetry with the\\nrepresentor unload design.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38557\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38558", + "severity": "High" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38558" + }, + { + "url": "https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5" + }, + { + "url": "https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120" + }, + { + "url": "https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3" + }, + { + "url": "https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982" + }, + { + "url": "https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11" + }, + { + "url": "https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd" + }, + { + "url": "https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56" + }, + { + "url": "https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6" + }, + { + "url": "https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38558 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38558", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc. Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine. Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38558\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38558\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38558\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38558\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38558\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5\",\n \"https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120\",\n \"https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3\",\n \"https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982\",\n \"https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11\",\n \"https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd\",\n \"https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56\",\n \"https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6\",\n \"https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\\n\\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\\n\\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\\nwith the metadata like conntrack state, input port, recirculation id,\\netc. Then the packet itself gets parsed to populate the rest of the\\nkeys from the packet headers.\\n\\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\\ninformation even if it is not an ND packet.\\n\\nIt is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares\\nthe space between 'nd' and 'ct_orig' that holds the original tuple\\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\\n\\nND packets should not normally have conntrack state, so it's fine to\\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\\nICMPv6 can have the state attached and it should not be overwritten.\\n\\nThe issue results in all but the last 4 bytes of the destination\\naddress being wiped from the original conntrack tuple leading to\\nincorrect packet matching and potentially executing wrong actions\\nin case this packet recirculates within the datapath or goes back\\nto userspace.\\n\\nND fields should not be accessed in non-ND packets, so not clearing\\nthem should be fine. Executing memset() only for actual ND packets to\\navoid the issue.\\n\\nInitializing the whole thing before parsing is needed because ND packet\\nmay not contain all the options.\\n\\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\\naffect packets entering OVS datapath from network interfaces, because\\nin this case CT metadata is populated from skb after the packet is\\nalready parsed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38558\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38559", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38559" + }, + { + "url": "https://git.kernel.org/stable/c/177f43c6892e6055de6541fe9391a8a3d1f95fc9" + }, + { + "url": "https://git.kernel.org/stable/c/1f84a2744ad813be23fc4be99fb74bfb24aadb95" + }, + { + "url": "https://git.kernel.org/stable/c/4907f5ad246fa9b51093ed7dfc7da9ebbd3f20b8" + }, + { + "url": "https://git.kernel.org/stable/c/563e609275927c0b75fbfd0d90441543aa7b5e0d" + }, + { + "url": "https://git.kernel.org/stable/c/769b9fd2af02c069451fe9108dba73355d9a021c" + }, + { + "url": "https://git.kernel.org/stable/c/a75001678e1d38aa607d5b898ec7ff8ed0700d59" + }, + { + "url": "https://git.kernel.org/stable/c/d0184a375ee797eb657d74861ba0935b6e405c62" + }, + { + "url": "https://git.kernel.org/stable/c/d93318f19d1e1a6d5f04f5d965eaa9055bb7c613" + }, + { + "url": "https://git.kernel.org/stable/c/dccd97b39ab2f2b1b9a47a1394647a4d65815255" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38559 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38559", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a count-sized kernel buffer and copy count from\nuserspace to that buffer. Later, we use kstrtouint on this buffer but we\ndon't ensure that the string is terminated inside the buffer, this can\nlead to OOB read when using kstrtouint. Fix this issue by using\nmemdup_user_nul instead of memdup_user.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38559\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38559\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38559\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38559\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38559\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/177f43c6892e6055de6541fe9391a8a3d1f95fc9\",\n \"https://git.kernel.org/stable/c/1f84a2744ad813be23fc4be99fb74bfb24aadb95\",\n \"https://git.kernel.org/stable/c/4907f5ad246fa9b51093ed7dfc7da9ebbd3f20b8\",\n \"https://git.kernel.org/stable/c/563e609275927c0b75fbfd0d90441543aa7b5e0d\",\n \"https://git.kernel.org/stable/c/769b9fd2af02c069451fe9108dba73355d9a021c\",\n \"https://git.kernel.org/stable/c/a75001678e1d38aa607d5b898ec7ff8ed0700d59\",\n \"https://git.kernel.org/stable/c/d0184a375ee797eb657d74861ba0935b6e405c62\",\n \"https://git.kernel.org/stable/c/d93318f19d1e1a6d5f04f5d965eaa9055bb7c613\",\n \"https://git.kernel.org/stable/c/dccd97b39ab2f2b1b9a47a1394647a4d65815255\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qedf: Ensure the copied buf is NUL terminated\\n\\nCurrently, we allocate a count-sized kernel buffer and copy count from\\nuserspace to that buffer. Later, we use kstrtouint on this buffer but we\\ndon't ensure that the string is terminated inside the buffer, this can\\nlead to OOB read when using kstrtouint. Fix this issue by using\\nmemdup_user_nul instead of memdup_user.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38559\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38560", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38560" + }, + { + "url": "https://git.kernel.org/stable/c/00b425ff0891283207d7bad607a2412225274d7a" + }, + { + "url": "https://git.kernel.org/stable/c/13d0cecb4626fae67c00c84d3c7851f6b62f7df3" + }, + { + "url": "https://git.kernel.org/stable/c/1708e3cf2488788cba5489e4f913d227de757baf" + }, + { + "url": "https://git.kernel.org/stable/c/204714e68015d6946279719fd464ecaf57240f35" + }, + { + "url": "https://git.kernel.org/stable/c/481fc0c8617304a67649027c4a44723a139a0462" + }, + { + "url": "https://git.kernel.org/stable/c/595a6b98deec01b6dbb20139f71edcd5fb760ec2" + }, + { + "url": "https://git.kernel.org/stable/c/7510fab46b1cbd1680e2a096e779aec3334b4143" + }, + { + "url": "https://git.kernel.org/stable/c/7d3e694c4fe30f3aba9cd5ae86fb947a54c3db5c" + }, + { + "url": "https://git.kernel.org/stable/c/ecb76200f5557a2886888aaa53702da1ab9e6cdf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38560 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38560", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bfa: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul instead\nof memdup_user.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38560\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38560\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38560\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38560\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38560\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00b425ff0891283207d7bad607a2412225274d7a\",\n \"https://git.kernel.org/stable/c/13d0cecb4626fae67c00c84d3c7851f6b62f7df3\",\n \"https://git.kernel.org/stable/c/1708e3cf2488788cba5489e4f913d227de757baf\",\n \"https://git.kernel.org/stable/c/204714e68015d6946279719fd464ecaf57240f35\",\n \"https://git.kernel.org/stable/c/481fc0c8617304a67649027c4a44723a139a0462\",\n \"https://git.kernel.org/stable/c/595a6b98deec01b6dbb20139f71edcd5fb760ec2\",\n \"https://git.kernel.org/stable/c/7510fab46b1cbd1680e2a096e779aec3334b4143\",\n \"https://git.kernel.org/stable/c/7d3e694c4fe30f3aba9cd5ae86fb947a54c3db5c\",\n \"https://git.kernel.org/stable/c/ecb76200f5557a2886888aaa53702da1ab9e6cdf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: bfa: Ensure the copied buf is NUL terminated\\n\\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\\nensure that the string is terminated inside the buffer, this can lead to\\nOOB read when using sscanf. Fix this issue by using memdup_user_nul instead\\nof memdup_user.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38560\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38564", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38564" + }, + { + "url": "https://git.kernel.org/stable/c/543576ec15b17c0c93301ac8297333c7b6e84ac7" + }, + { + "url": "https://git.kernel.org/stable/c/6675c541f540a29487a802d3135280b69b9f568d" + }, + { + "url": "https://git.kernel.org/stable/c/67929e973f5a347f05fef064fea4ae79e7cdb5fd" + }, + { + "url": "https://git.kernel.org/stable/c/b34bbc76651065a5eafad8ddff1eb8d1f8473172" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38564 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38564", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\n\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\nto properly verify prog_type <> attach_type association.\n\nAdd missing attach_type enforcement for the link_create case.\nOtherwise, it's currently possible to attach cgroup_skb prog\ntypes to other cgroup hooks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38564\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38564\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38564\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38564\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38564\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/543576ec15b17c0c93301ac8297333c7b6e84ac7\",\n \"https://git.kernel.org/stable/c/6675c541f540a29487a802d3135280b69b9f568d\",\n \"https://git.kernel.org/stable/c/67929e973f5a347f05fef064fea4ae79e7cdb5fd\",\n \"https://git.kernel.org/stable/c/b34bbc76651065a5eafad8ddff1eb8d1f8473172\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\\n\\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\\nto properly verify prog_type <> attach_type association.\\n\\nAdd missing attach_type enforcement for the link_create case.\\nOtherwise, it's currently possible to attach cgroup_skb prog\\ntypes to other cgroup hooks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38564\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38565", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38565" + }, + { + "url": "https://git.kernel.org/stable/c/34f7ebff1b9699e0b89fa58b693bc098c2f5ec72" + }, + { + "url": "https://git.kernel.org/stable/c/68a5a00c5d38978a3f8460c6f182f7beec8688ff" + }, + { + "url": "https://git.kernel.org/stable/c/79ddf5f2020fd593d50f1363bb5131283d74f78f" + }, + { + "url": "https://git.kernel.org/stable/c/7bbf76c9bb2c58375e183074e44f9712483f0603" + }, + { + "url": "https://git.kernel.org/stable/c/b33a81e4ecfb022b028cae37d1c1ce28ac1b359d" + }, + { + "url": "https://git.kernel.org/stable/c/b4c24de37a6bb383394a6fef2b85a6db41d426f5" + }, + { + "url": "https://git.kernel.org/stable/c/beeed260b92af158592f5e8d2dab65dae45c6f70" + }, + { + "url": "https://git.kernel.org/stable/c/e120b6388d7d88635d67dcae6483f39c37111850" + }, + { + "url": "https://git.kernel.org/stable/c/ee25389df80138907bc9dcdf4a2be2067cde9a81" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38565 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38565", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ar5523: enable proper endpoint verification\n\nSyzkaller reports [1] hitting a warning about an endpoint in use\nnot having an expected type to it.\n\nFix the issue by checking for the existence of all proper\nendpoints with their according types intact.\n\nSadly, this patch has not been tested on real hardware.\n\n[1] Syzkaller report:\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n \n ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275\n ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline]\n ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline]\n ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655\n usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573\n hub_port_connect drivers/usb/core/hub.c:5353 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]\n port_event drivers/usb/core/hub.c:5653 [inline]\n hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38565\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38565\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38565\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38565\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38565\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/34f7ebff1b9699e0b89fa58b693bc098c2f5ec72\",\n \"https://git.kernel.org/stable/c/68a5a00c5d38978a3f8460c6f182f7beec8688ff\",\n \"https://git.kernel.org/stable/c/79ddf5f2020fd593d50f1363bb5131283d74f78f\",\n \"https://git.kernel.org/stable/c/7bbf76c9bb2c58375e183074e44f9712483f0603\",\n \"https://git.kernel.org/stable/c/b33a81e4ecfb022b028cae37d1c1ce28ac1b359d\",\n \"https://git.kernel.org/stable/c/b4c24de37a6bb383394a6fef2b85a6db41d426f5\",\n \"https://git.kernel.org/stable/c/beeed260b92af158592f5e8d2dab65dae45c6f70\",\n \"https://git.kernel.org/stable/c/e120b6388d7d88635d67dcae6483f39c37111850\",\n \"https://git.kernel.org/stable/c/ee25389df80138907bc9dcdf4a2be2067cde9a81\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ar5523: enable proper endpoint verification\\n\\nSyzkaller reports [1] hitting a warning about an endpoint in use\\nnot having an expected type to it.\\n\\nFix the issue by checking for the existence of all proper\\nendpoints with their according types intact.\\n\\nSadly, this patch has not been tested on real hardware.\\n\\n[1] Syzkaller report:\\n------------[ cut here ]------------\\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\\nWARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\\n...\\nCall Trace:\\n \\n ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275\\n ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline]\\n ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline]\\n ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655\\n usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396\\n call_driver_probe drivers/base/dd.c:560 [inline]\\n really_probe+0x249/0xb90 drivers/base/dd.c:639\\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\\n usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170\\n usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238\\n usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293\\n call_driver_probe drivers/base/dd.c:560 [inline]\\n really_probe+0x249/0xb90 drivers/base/dd.c:639\\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\\n usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573\\n hub_port_connect drivers/usb/core/hub.c:5353 [inline]\\n hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]\\n port_event drivers/usb/core/hub.c:5653 [inline]\\n hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735\\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38565\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38567", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38567" + }, + { + "url": "https://git.kernel.org/stable/c/03ddc74bdfd71b84a55c9f2185d8787f258422cd" + }, + { + "url": "https://git.kernel.org/stable/c/0fa08a55201ab9be72bacb8ea93cf752d338184f" + }, + { + "url": "https://git.kernel.org/stable/c/265c3cda471c26e0f25d0c755da94e1eb15d7a0c" + }, + { + "url": "https://git.kernel.org/stable/c/62eb07923f3693d55b0c2d9a5a4f1ad72cb6b8fd" + }, + { + "url": "https://git.kernel.org/stable/c/6a9892bf24c906b4d6b587f8759ca38bff672582" + }, + { + "url": "https://git.kernel.org/stable/c/8650725bb0a48b206d5a8ddad3a7488f9a5985b7" + }, + { + "url": "https://git.kernel.org/stable/c/ac3ed46a8741d464bc70ebdf7433c1d786cf329d" + }, + { + "url": "https://git.kernel.org/stable/c/b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0" + }, + { + "url": "https://git.kernel.org/stable/c/eb0f2fc3ff5806cc572cd9055ce7c52a01e97645" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38567 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38567", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: carl9170: add a proper sanity check for endpoints\n\nSyzkaller reports [1] hitting a warning which is caused by presence\nof a wrong endpoint type at the URB sumbitting stage. While there\nwas a check for a specific 4th endpoint, since it can switch types\nbetween bulk and interrupt, other endpoints are trusted implicitly.\nSimilar warning is triggered in a couple of other syzbot issues [2].\n\nFix the issue by doing a comprehensive check of all endpoints\ntaking into account difference between high- and full-speed\nconfiguration.\n\n[1] Syzkaller report:\n...\nWARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n \n carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504\n carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]\n carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]\n carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028\n request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n\n[2] Related syzkaller crashes:", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38567\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38567\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38567\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38567\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38567\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03ddc74bdfd71b84a55c9f2185d8787f258422cd\",\n \"https://git.kernel.org/stable/c/0fa08a55201ab9be72bacb8ea93cf752d338184f\",\n \"https://git.kernel.org/stable/c/265c3cda471c26e0f25d0c755da94e1eb15d7a0c\",\n \"https://git.kernel.org/stable/c/62eb07923f3693d55b0c2d9a5a4f1ad72cb6b8fd\",\n \"https://git.kernel.org/stable/c/6a9892bf24c906b4d6b587f8759ca38bff672582\",\n \"https://git.kernel.org/stable/c/8650725bb0a48b206d5a8ddad3a7488f9a5985b7\",\n \"https://git.kernel.org/stable/c/ac3ed46a8741d464bc70ebdf7433c1d786cf329d\",\n \"https://git.kernel.org/stable/c/b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0\",\n \"https://git.kernel.org/stable/c/eb0f2fc3ff5806cc572cd9055ce7c52a01e97645\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: carl9170: add a proper sanity check for endpoints\\n\\nSyzkaller reports [1] hitting a warning which is caused by presence\\nof a wrong endpoint type at the URB sumbitting stage. While there\\nwas a check for a specific 4th endpoint, since it can switch types\\nbetween bulk and interrupt, other endpoints are trusted implicitly.\\nSimilar warning is triggered in a couple of other syzbot issues [2].\\n\\nFix the issue by doing a comprehensive check of all endpoints\\ntaking into account difference between high- and full-speed\\nconfiguration.\\n\\n[1] Syzkaller report:\\n...\\nWARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\\n...\\nCall Trace:\\n \\n carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504\\n carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]\\n carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]\\n carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028\\n request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107\\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\\n \\n\\n[2] Related syzkaller crashes:\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38567\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38570", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38570" + }, + { + "url": "https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37" + }, + { + "url": "https://git.kernel.org/stable/c/501cd8fabf621d10bd4893e37f6ce6c20523c8ca" + }, + { + "url": "https://git.kernel.org/stable/c/d98779e687726d8f8860f1c54b5687eec5f63a73" + }, + { + "url": "https://git.kernel.org/stable/c/e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38570 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38570", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix potential glock use-after-free on unmount\n\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically. Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace. This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\n\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\n\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38570\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38570\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38570\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38570\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38570\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37\",\n \"https://git.kernel.org/stable/c/501cd8fabf621d10bd4893e37f6ce6c20523c8ca\",\n \"https://git.kernel.org/stable/c/d98779e687726d8f8860f1c54b5687eec5f63a73\",\n \"https://git.kernel.org/stable/c/e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngfs2: Fix potential glock use-after-free on unmount\\n\\nWhen a DLM lockspace is released and there ares still locks in that\\nlockspace, DLM will unlock those locks automatically. Commit\\nfb6791d100d1b started exploiting this behavior to speed up filesystem\\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\\nrelease the lockspace. This didn't take the bast callbacks for\\nasynchronous lock contention notifications into account, which remain\\nactive until until a lock is unlocked or its lockspace is released.\\n\\nTo prevent those callbacks from accessing deallocated objects, put the\\nglocks that should not be unlocked on the sd_dead_glocks list, release\\nthe lockspace, and only then free those glocks.\\n\\nAs an additional measure, ignore unexpected ast and bast callbacks if\\nthe receiving glock is dead.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38570\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38571", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38571" + }, + { + "url": "https://git.kernel.org/stable/c/06d17744b77bc6cb29a6c785f4fad8c4163ee653" + }, + { + "url": "https://git.kernel.org/stable/c/11c731386ed82053c2759b6fea1a82ae946e5e0f" + }, + { + "url": "https://git.kernel.org/stable/c/27600e0c5272a262b0903e35ae1df37d33c5c1ad" + }, + { + "url": "https://git.kernel.org/stable/c/2d5ca6e4a2872e92a32fdfd87e04dd7d3ced7278" + }, + { + "url": "https://git.kernel.org/stable/c/d998ddc86a27c92140b9f7984ff41e3d1d07a48f" + }, + { + "url": "https://git.kernel.org/stable/c/fcf5f1b5f308f2eb422f6aca55d295b25890906b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38571 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38571", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/tsens: Fix null pointer dereference\n\ncompute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)\nas compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null\npointer dereference (if DEBUG or DYNAMIC_DEBUG set).\nFix this bug by adding null pointer check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38571\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38571\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38571\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38571\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38571\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06d17744b77bc6cb29a6c785f4fad8c4163ee653\",\n \"https://git.kernel.org/stable/c/11c731386ed82053c2759b6fea1a82ae946e5e0f\",\n \"https://git.kernel.org/stable/c/27600e0c5272a262b0903e35ae1df37d33c5c1ad\",\n \"https://git.kernel.org/stable/c/2d5ca6e4a2872e92a32fdfd87e04dd7d3ced7278\",\n \"https://git.kernel.org/stable/c/d998ddc86a27c92140b9f7984ff41e3d1d07a48f\",\n \"https://git.kernel.org/stable/c/fcf5f1b5f308f2eb422f6aca55d295b25890906b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthermal/drivers/tsens: Fix null pointer dereference\\n\\ncompute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)\\nas compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null\\npointer dereference (if DEBUG or DYNAMIC_DEBUG set).\\nFix this bug by adding null pointer check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38571\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38573", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38573" + }, + { + "url": "https://git.kernel.org/stable/c/769c4f355b7962895205b86ad35617873feef9a5" + }, + { + "url": "https://git.kernel.org/stable/c/9a185cc5a79ba408e1c73375706630662304f618" + }, + { + "url": "https://git.kernel.org/stable/c/b18daa4ec727c0266de5bfc78e818d168cc4aedf" + }, + { + "url": "https://git.kernel.org/stable/c/cf7de25878a1f4508c69dc9f6819c21ba177dbfe" + }, + { + "url": "https://git.kernel.org/stable/c/dfec15222529d22b15e5b0d63572a9e39570cab4" + }, + { + "url": "https://git.kernel.org/stable/c/f84b9b25d045e67a7eee5e73f21278c8ab06713c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38573 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38573", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncppc_cpufreq: Fix possible null pointer dereference\n\ncppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from\ndifferent places with various parameters. So cpufreq_cpu_get() can return\nnull as 'policy' in some circumstances.\nFix this bug by adding null return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38573\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38573\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38573\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38573\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38573\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/769c4f355b7962895205b86ad35617873feef9a5\",\n \"https://git.kernel.org/stable/c/9a185cc5a79ba408e1c73375706630662304f618\",\n \"https://git.kernel.org/stable/c/b18daa4ec727c0266de5bfc78e818d168cc4aedf\",\n \"https://git.kernel.org/stable/c/cf7de25878a1f4508c69dc9f6819c21ba177dbfe\",\n \"https://git.kernel.org/stable/c/dfec15222529d22b15e5b0d63572a9e39570cab4\",\n \"https://git.kernel.org/stable/c/f84b9b25d045e67a7eee5e73f21278c8ab06713c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncppc_cpufreq: Fix possible null pointer dereference\\n\\ncppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from\\ndifferent places with various parameters. So cpufreq_cpu_get() can return\\nnull as 'policy' in some circumstances.\\nFix this bug by adding null return check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38573\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38577", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38577" + }, + { + "url": "https://git.kernel.org/stable/c/08186d0c5fb64a1cc4b43e009314ee6b173ed222" + }, + { + "url": "https://git.kernel.org/stable/c/1a240e138071b25944ded0f5b3e357aa99fabcb7" + }, + { + "url": "https://git.kernel.org/stable/c/32d988f48ed287e676a29a15ac30701c35849aec" + }, + { + "url": "https://git.kernel.org/stable/c/6593d857ce5b5b802fb73d8091ac9c84b92c1697" + }, + { + "url": "https://git.kernel.org/stable/c/cc5645fddb0ce28492b15520306d092730dffa48" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38577 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38577", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\n\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\n\nUse snprintf() with buffer size instead of sprintf().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38577\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38577\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38577\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38577\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38577\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08186d0c5fb64a1cc4b43e009314ee6b173ed222\",\n \"https://git.kernel.org/stable/c/1a240e138071b25944ded0f5b3e357aa99fabcb7\",\n \"https://git.kernel.org/stable/c/32d988f48ed287e676a29a15ac30701c35849aec\",\n \"https://git.kernel.org/stable/c/6593d857ce5b5b802fb73d8091ac9c84b92c1697\",\n \"https://git.kernel.org/stable/c/cc5645fddb0ce28492b15520306d092730dffa48\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\\n\\nThere is a possibility of buffer overflow in\\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\\nto sprintf() are huge. Counter numbers, needed for this\\nare unrealistically high, but buffer overflow is still\\npossible.\\n\\nUse snprintf() with buffer size instead of sprintf().\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38577\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38578", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38578" + }, + { + "url": "https://git.kernel.org/stable/c/0d0f8ba042af16519f1ef7dd10463a33b21b677c" + }, + { + "url": "https://git.kernel.org/stable/c/12db25a54ce6bb22b0af28010fff53ef9cb3fe93" + }, + { + "url": "https://git.kernel.org/stable/c/1c125b9287e58f364d82174efb167414b92b11f1" + }, + { + "url": "https://git.kernel.org/stable/c/235b85981051cd68fc215fd32a81c6f116bfc4df" + }, + { + "url": "https://git.kernel.org/stable/c/2ed750b7ae1b5dc72896d7dd114c419afd3d1910" + }, + { + "url": "https://git.kernel.org/stable/c/85a6a1aff08ec9f5b929d345d066e2830e8818e5" + }, + { + "url": "https://git.kernel.org/stable/c/a20f09452e2f58f761d11ad7b96b5c894c91030e" + }, + { + "url": "https://git.kernel.org/stable/c/edbfc42ab080e78c6907d40a42c9d10b69e445c1" + }, + { + "url": "https://git.kernel.org/stable/c/f6008487f1eeb8693f8d2a36a89c87d9122ddf74" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38578 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38578", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\necryptfs: Fix buffer size for tag 66 packet\n\nThe 'TAG 66 Packet Format' description is missing the cipher code and\nchecksum fields that are packed into the message packet. As a result,\nthe buffer allocated for the packet is 3 bytes too small and\nwrite_tag_66_packet() will write up to 3 bytes past the end of the\nbuffer.\n\nFix this by increasing the size of the allocation so the whole packet\nwill always fit in the buffer.\n\nThis fixes the below kasan slab-out-of-bounds bug:\n\n BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0\n Write of size 1 at addr ffff88800afbb2a5 by task touch/181\n\n CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014\n Call Trace:\n \n dump_stack_lvl+0x4c/0x70\n print_report+0xc5/0x610\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? kasan_complete_mode_report_info+0x44/0x210\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n kasan_report+0xc2/0x110\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n __asan_store1+0x62/0x80\n ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10\n ? __alloc_pages+0x2e2/0x540\n ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]\n ? dentry_open+0x8f/0xd0\n ecryptfs_write_metadata+0x30a/0x550\n ? __pfx_ecryptfs_write_metadata+0x10/0x10\n ? ecryptfs_get_lower_file+0x6b/0x190\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n ? __pfx_path_openat+0x10/0x10\n do_filp_open+0x15e/0x290\n ? __pfx_do_filp_open+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? _raw_spin_lock+0x86/0xf0\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? alloc_fd+0xf4/0x330\n do_sys_openat2+0x122/0x160\n ? __pfx_do_sys_openat2+0x10/0x10\n __x64_sys_openat+0xef/0x170\n ? __pfx___x64_sys_openat+0x10/0x10\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7f00a703fd67\n Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f\n RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\n RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67\n RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c\n RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000\n R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941\n R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040\n \n\n Allocated by task 181:\n kasan_save_stack+0x2f/0x60\n kasan_set_track+0x29/0x40\n kasan_save_alloc_info+0x25/0x40\n __kasan_kmalloc+0xc5/0xd0\n __kmalloc+0x66/0x160\n ecryptfs_generate_key_packet_set+0x6d2/0xde0\n ecryptfs_write_metadata+0x30a/0x550\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n do_filp_open+0x15e/0x290\n do_sys_openat2+0x122/0x160\n __x64_sys_openat+0xef/0x170\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38578\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38578\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38578\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38578\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38578\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d0f8ba042af16519f1ef7dd10463a33b21b677c\",\n \"https://git.kernel.org/stable/c/12db25a54ce6bb22b0af28010fff53ef9cb3fe93\",\n \"https://git.kernel.org/stable/c/1c125b9287e58f364d82174efb167414b92b11f1\",\n \"https://git.kernel.org/stable/c/235b85981051cd68fc215fd32a81c6f116bfc4df\",\n \"https://git.kernel.org/stable/c/2ed750b7ae1b5dc72896d7dd114c419afd3d1910\",\n \"https://git.kernel.org/stable/c/85a6a1aff08ec9f5b929d345d066e2830e8818e5\",\n \"https://git.kernel.org/stable/c/a20f09452e2f58f761d11ad7b96b5c894c91030e\",\n \"https://git.kernel.org/stable/c/edbfc42ab080e78c6907d40a42c9d10b69e445c1\",\n \"https://git.kernel.org/stable/c/f6008487f1eeb8693f8d2a36a89c87d9122ddf74\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\necryptfs: Fix buffer size for tag 66 packet\\n\\nThe 'TAG 66 Packet Format' description is missing the cipher code and\\nchecksum fields that are packed into the message packet. As a result,\\nthe buffer allocated for the packet is 3 bytes too small and\\nwrite_tag_66_packet() will write up to 3 bytes past the end of the\\nbuffer.\\n\\nFix this by increasing the size of the allocation so the whole packet\\nwill always fit in the buffer.\\n\\nThis fixes the below kasan slab-out-of-bounds bug:\\n\\n BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0\\n Write of size 1 at addr ffff88800afbb2a5 by task touch/181\\n\\n CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014\\n Call Trace:\\n \\n dump_stack_lvl+0x4c/0x70\\n print_report+0xc5/0x610\\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\\n ? kasan_complete_mode_report_info+0x44/0x210\\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\\n kasan_report+0xc2/0x110\\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\\n __asan_store1+0x62/0x80\\n ecryptfs_generate_key_packet_set+0x7d6/0xde0\\n ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10\\n ? __alloc_pages+0x2e2/0x540\\n ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]\\n ? dentry_open+0x8f/0xd0\\n ecryptfs_write_metadata+0x30a/0x550\\n ? __pfx_ecryptfs_write_metadata+0x10/0x10\\n ? ecryptfs_get_lower_file+0x6b/0x190\\n ecryptfs_initialize_file+0x77/0x150\\n ecryptfs_create+0x1c2/0x2f0\\n path_openat+0x17cf/0x1ba0\\n ? __pfx_path_openat+0x10/0x10\\n do_filp_open+0x15e/0x290\\n ? __pfx_do_filp_open+0x10/0x10\\n ? __kasan_check_write+0x18/0x30\\n ? _raw_spin_lock+0x86/0xf0\\n ? __pfx__raw_spin_lock+0x10/0x10\\n ? __kasan_check_write+0x18/0x30\\n ? alloc_fd+0xf4/0x330\\n do_sys_openat2+0x122/0x160\\n ? __pfx_do_sys_openat2+0x10/0x10\\n __x64_sys_openat+0xef/0x170\\n ? __pfx___x64_sys_openat+0x10/0x10\\n do_syscall_64+0x60/0xd0\\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\\n RIP: 0033:0x7f00a703fd67\\n Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f\\n RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\\n RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67\\n RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c\\n RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000\\n R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941\\n R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040\\n \\n\\n Allocated by task 181:\\n kasan_save_stack+0x2f/0x60\\n kasan_set_track+0x29/0x40\\n kasan_save_alloc_info+0x25/0x40\\n __kasan_kmalloc+0xc5/0xd0\\n __kmalloc+0x66/0x160\\n ecryptfs_generate_key_packet_set+0x6d2/0xde0\\n ecryptfs_write_metadata+0x30a/0x550\\n ecryptfs_initialize_file+0x77/0x150\\n ecryptfs_create+0x1c2/0x2f0\\n path_openat+0x17cf/0x1ba0\\n do_filp_open+0x15e/0x290\\n do_sys_openat2+0x122/0x160\\n __x64_sys_openat+0xef/0x170\\n do_syscall_64+0x60/0xd0\\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38578\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38579", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38579" + }, + { + "url": "https://git.kernel.org/stable/c/2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9" + }, + { + "url": "https://git.kernel.org/stable/c/3b7a40740f04e2f27114dfd6225c5e721dda9d57" + }, + { + "url": "https://git.kernel.org/stable/c/49833a8da6407e7e9b532cc4054fdbcaf78f5fdd" + }, + { + "url": "https://git.kernel.org/stable/c/c0082ee420639a97e40cae66778b02b341b005e5" + }, + { + "url": "https://git.kernel.org/stable/c/c256b616067bfd6d274c679c06986b78d2402434" + }, + { + "url": "https://git.kernel.org/stable/c/c69a1e4b419c2c466dd8c5602bdebadc353973dd" + }, + { + "url": "https://git.kernel.org/stable/c/d0f14ae223c2421b334c1f1a9e48f1e809aee3a0" + }, + { + "url": "https://git.kernel.org/stable/c/e719c8991c161977a67197775067ab456b518c7b" + }, + { + "url": "https://git.kernel.org/stable/c/ebed0d666fa709bae9e8cafa8ec6e7ebd1d318c6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38579 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38579", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: bcm - Fix pointer arithmetic\n\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38579\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38579\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38579\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38579\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38579\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9\",\n \"https://git.kernel.org/stable/c/3b7a40740f04e2f27114dfd6225c5e721dda9d57\",\n \"https://git.kernel.org/stable/c/49833a8da6407e7e9b532cc4054fdbcaf78f5fdd\",\n \"https://git.kernel.org/stable/c/c0082ee420639a97e40cae66778b02b341b005e5\",\n \"https://git.kernel.org/stable/c/c256b616067bfd6d274c679c06986b78d2402434\",\n \"https://git.kernel.org/stable/c/c69a1e4b419c2c466dd8c5602bdebadc353973dd\",\n \"https://git.kernel.org/stable/c/d0f14ae223c2421b334c1f1a9e48f1e809aee3a0\",\n \"https://git.kernel.org/stable/c/e719c8991c161977a67197775067ab456b518c7b\",\n \"https://git.kernel.org/stable/c/ebed0d666fa709bae9e8cafa8ec6e7ebd1d318c6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: bcm - Fix pointer arithmetic\\n\\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\\ninstead of hash_iv_len which could lead to going beyond the\\nbuffer boundaries.\\nFix this bug by changing ciph_key_len to hash_iv_len.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38579\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38580", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38580" + }, + { + "url": "https://git.kernel.org/stable/c/16e3182f6322575eb7c12e728ad3c7986a189d5d" + }, + { + "url": "https://git.kernel.org/stable/c/4efaa5acf0a1d2b5947f98abb3acf8bfd966422b" + }, + { + "url": "https://git.kernel.org/stable/c/4f65f4defe4e23659275ce5153541cd4f76ce2d2" + }, + { + "url": "https://git.kernel.org/stable/c/559214eb4e5c3d05e69428af2fae2691ba1eb784" + }, + { + "url": "https://git.kernel.org/stable/c/cbfd1088e24ec4c1199756a37cb8e4cd0a4b016e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38580 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38580", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nepoll: be better about file lifetimes\n\nepoll can call out to vfs_poll() with a file pointer that may race with\nthe last 'fput()'. That would make f_count go down to zero, and while\nthe ep->mtx locking means that the resulting file pointer tear-down will\nbe blocked until the poll returns, it means that f_count is already\ndead, and any use of it won't actually get a reference to the file any\nmore: it's dead regardless.\n\nMake sure we have a valid ref on the file pointer before we call down to\nvfs_poll() from the epoll routines.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38580\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38580\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38580\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38580\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38580\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16e3182f6322575eb7c12e728ad3c7986a189d5d\",\n \"https://git.kernel.org/stable/c/4efaa5acf0a1d2b5947f98abb3acf8bfd966422b\",\n \"https://git.kernel.org/stable/c/4f65f4defe4e23659275ce5153541cd4f76ce2d2\",\n \"https://git.kernel.org/stable/c/559214eb4e5c3d05e69428af2fae2691ba1eb784\",\n \"https://git.kernel.org/stable/c/cbfd1088e24ec4c1199756a37cb8e4cd0a4b016e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nepoll: be better about file lifetimes\\n\\nepoll can call out to vfs_poll() with a file pointer that may race with\\nthe last 'fput()'. That would make f_count go down to zero, and while\\nthe ep->mtx locking means that the resulting file pointer tear-down will\\nbe blocked until the poll returns, it means that f_count is already\\ndead, and any use of it won't actually get a reference to the file any\\nmore: it's dead regardless.\\n\\nMake sure we have a valid ref on the file pointer before we call down to\\nvfs_poll() from the epoll routines.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38580\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38582", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38582" + }, + { + "url": "https://git.kernel.org/stable/c/06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd" + }, + { + "url": "https://git.kernel.org/stable/c/1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0" + }, + { + "url": "https://git.kernel.org/stable/c/6e5c8e8e024e147b834f56f2115aad241433679b" + }, + { + "url": "https://git.kernel.org/stable/c/911d38be151921a5d152bb55e81fd752384c6830" + }, + { + "url": "https://git.kernel.org/stable/c/a8799662fed1f8747edae87a1937549288baca6a" + }, + { + "url": "https://git.kernel.org/stable/c/bc9cee50a4a4ca23bdc49f75ea8242d8a2193b3b" + }, + { + "url": "https://git.kernel.org/stable/c/c516db6ab9eabbedbc430b4f93b0d8728e9b427f" + }, + { + "url": "https://git.kernel.org/stable/c/eb85dace897c5986bc2f36b3c783c6abb8a4292e" + }, + { + "url": "https://git.kernel.org/stable/c/eff7cdf890b02596b8d73e910bdbdd489175dbdb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38582 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38582", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential hang in nilfs_detach_log_writer()\n\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\n\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\n\nnilfs_detach_log_writer\n nilfs_segctor_destroy\n nilfs_segctor_kill_thread --> Shut down log writer thread\n flush_work\n nilfs_iput_work_func\n nilfs_dispose_list\n iput\n nilfs_evict_inode\n nilfs_transaction_commit\n nilfs_construct_segment (if inode needs sync)\n nilfs_segctor_sync --> Attempt to synchronize with\n log writer thread\n *** DEADLOCK ***\n\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\n\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38582\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38582\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38582\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38582\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38582\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd\",\n \"https://git.kernel.org/stable/c/1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0\",\n \"https://git.kernel.org/stable/c/6e5c8e8e024e147b834f56f2115aad241433679b\",\n \"https://git.kernel.org/stable/c/911d38be151921a5d152bb55e81fd752384c6830\",\n \"https://git.kernel.org/stable/c/a8799662fed1f8747edae87a1937549288baca6a\",\n \"https://git.kernel.org/stable/c/bc9cee50a4a4ca23bdc49f75ea8242d8a2193b3b\",\n \"https://git.kernel.org/stable/c/c516db6ab9eabbedbc430b4f93b0d8728e9b427f\",\n \"https://git.kernel.org/stable/c/eb85dace897c5986bc2f36b3c783c6abb8a4292e\",\n \"https://git.kernel.org/stable/c/eff7cdf890b02596b8d73e910bdbdd489175dbdb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix potential hang in nilfs_detach_log_writer()\\n\\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\\nduring nilfs2 unmount.\\n\\nAnalysis revealed that this is because nilfs_segctor_sync(), which\\nsynchronizes with the log writer thread, can be called after\\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\\nbelow:\\n\\nnilfs_detach_log_writer\\n nilfs_segctor_destroy\\n nilfs_segctor_kill_thread --> Shut down log writer thread\\n flush_work\\n nilfs_iput_work_func\\n nilfs_dispose_list\\n iput\\n nilfs_evict_inode\\n nilfs_transaction_commit\\n nilfs_construct_segment (if inode needs sync)\\n nilfs_segctor_sync --> Attempt to synchronize with\\n log writer thread\\n *** DEADLOCK ***\\n\\nFix this issue by changing nilfs_segctor_sync() so that the log writer\\nthread returns normally without synchronizing after it terminates, and by\\nforcing tasks that are already waiting to complete once after the thread\\nterminates.\\n\\nThe skipped inode metadata flushout will then be processed together in the\\nsubsequent cleanup work in nilfs_segctor_destroy().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38582\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38583", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38583" + }, + { + "url": "https://git.kernel.org/stable/c/2f12b2c03c5dae1a0de0a9e5853177e3d6eee3c6" + }, + { + "url": "https://git.kernel.org/stable/c/67fa90d4a2ccd9ebb0e1e168c7d0b5d0cf3c7148" + }, + { + "url": "https://git.kernel.org/stable/c/68e738be5c518fc3c4e9146b66f67c8fee0135fb" + }, + { + "url": "https://git.kernel.org/stable/c/822ae5a8eac30478578a75f7e064f0584931bf2d" + }, + { + "url": "https://git.kernel.org/stable/c/82933c84f188dcfe89eb26b0b48ab5d1ca99d164" + }, + { + "url": "https://git.kernel.org/stable/c/86a30d6302deddb9fb97ba6fc4b04d0e870b582a" + }, + { + "url": "https://git.kernel.org/stable/c/e65ccf3a4de4f0c763d94789615b83e11f204438" + }, + { + "url": "https://git.kernel.org/stable/c/f5d4e04634c9cf68bdf23de08ada0bb92e8befe7" + }, + { + "url": "https://git.kernel.org/stable/c/f9186bba4ea282b07293c1c892441df3a5441cb0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38583 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38583", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of timer for log writer thread\n\nPatch series \"nilfs2: fix log writer related issues\".\n\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis. Details are described in each commit log.\n\n\nThis patch (of 3):\n\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\n\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\n\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38583\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38583\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38583\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38583\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38583\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f12b2c03c5dae1a0de0a9e5853177e3d6eee3c6\",\n \"https://git.kernel.org/stable/c/67fa90d4a2ccd9ebb0e1e168c7d0b5d0cf3c7148\",\n \"https://git.kernel.org/stable/c/68e738be5c518fc3c4e9146b66f67c8fee0135fb\",\n \"https://git.kernel.org/stable/c/822ae5a8eac30478578a75f7e064f0584931bf2d\",\n \"https://git.kernel.org/stable/c/82933c84f188dcfe89eb26b0b48ab5d1ca99d164\",\n \"https://git.kernel.org/stable/c/86a30d6302deddb9fb97ba6fc4b04d0e870b582a\",\n \"https://git.kernel.org/stable/c/e65ccf3a4de4f0c763d94789615b83e11f204438\",\n \"https://git.kernel.org/stable/c/f5d4e04634c9cf68bdf23de08ada0bb92e8befe7\",\n \"https://git.kernel.org/stable/c/f9186bba4ea282b07293c1c892441df3a5441cb0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix use-after-free of timer for log writer thread\\n\\nPatch series \\\"nilfs2: fix log writer related issues\\\".\\n\\nThis bug fix series covers three nilfs2 log writer-related issues,\\nincluding a timer use-after-free issue and potential deadlock issue on\\nunmount, and a potential freeze issue in event synchronization found\\nduring their analysis. Details are described in each commit log.\\n\\n\\nThis patch (of 3):\\n\\nA use-after-free issue has been reported regarding the timer sc_timer on\\nthe nilfs_sc_info structure.\\n\\nThe problem is that even though it is used to wake up a sleeping log\\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\\nis about to be freed, and is used regardless of the thread's lifetime.\\n\\nFix this issue by limiting the use of sc_timer only while the log writer\\nthread is alive.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38583\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38586", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38586" + }, + { + "url": "https://git.kernel.org/stable/c/078d5b7500d70af2de6b38e226b03f0b932026a6" + }, + { + "url": "https://git.kernel.org/stable/c/0c48185a95309556725f818b82120bb74e9c627d" + }, + { + "url": "https://git.kernel.org/stable/c/54e7a0d111240c92c0f02ceba6eb8f26bf6d6479" + }, + { + "url": "https://git.kernel.org/stable/c/61c1c98e2607120ce9c3fa1bf75e6da909712b27" + }, + { + "url": "https://git.kernel.org/stable/c/68222d7b4b72aa321135cd453dac37f00ec41fd1" + }, + { + "url": "https://git.kernel.org/stable/c/b6d21cf40de103d63ae78551098a7c06af8c98dd" + }, + { + "url": "https://git.kernel.org/stable/c/c71e3a5cffd5309d7f84444df03d5b72600cc417" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38586 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38586", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\n\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\n\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\n\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38586\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38586\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38586\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38586\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38586\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/078d5b7500d70af2de6b38e226b03f0b932026a6\",\n \"https://git.kernel.org/stable/c/0c48185a95309556725f818b82120bb74e9c627d\",\n \"https://git.kernel.org/stable/c/54e7a0d111240c92c0f02ceba6eb8f26bf6d6479\",\n \"https://git.kernel.org/stable/c/61c1c98e2607120ce9c3fa1bf75e6da909712b27\",\n \"https://git.kernel.org/stable/c/68222d7b4b72aa321135cd453dac37f00ec41fd1\",\n \"https://git.kernel.org/stable/c/b6d21cf40de103d63ae78551098a7c06af8c98dd\",\n \"https://git.kernel.org/stable/c/c71e3a5cffd5309d7f84444df03d5b72600cc417\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\\n\\nAn issue was found on the RTL8125b when transmitting small fragmented\\npackets, whereby invalid entries were inserted into the transmit ring\\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\\naddress.\\n\\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\\nwhich may occur when small packets are padded (to work around hardware\\nquirks) in rtl8169_tso_csum_v2().\\n\\nTo fix this, postpone inspecting nr_frags until after any padding has been\\napplied.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38586\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38587", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38587" + }, + { + "url": "https://git.kernel.org/stable/c/008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b" + }, + { + "url": "https://git.kernel.org/stable/c/07ef95cc7a579731198c93beed281e3a79a0e586" + }, + { + "url": "https://git.kernel.org/stable/c/3726f75a1ccc16cd335c0ccfad1d92ee08ecba5e" + }, + { + "url": "https://git.kernel.org/stable/c/42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358" + }, + { + "url": "https://git.kernel.org/stable/c/504178fb7d9f6cdb0496d5491efb05f45597e535" + }, + { + "url": "https://git.kernel.org/stable/c/c6e1650cf5df1bd6638eeee231a683ef30c7d4eb" + }, + { + "url": "https://git.kernel.org/stable/c/cd7f3978c2ec741aedd1d860b2adb227314cf996" + }, + { + "url": "https://git.kernel.org/stable/c/d52c04474feac8e305814a5228e622afe481b2ef" + }, + { + "url": "https://git.kernel.org/stable/c/eb1ea64328d4cc7d7a912c563f8523d5259716ef" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38587 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38587", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Fix sizeof() vs ARRAY_SIZE() bug\n\nThe \"buf\" pointer is an array of u16 values. This code should be\nusing ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),\notherwise it can the still got out of bounds.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38587\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38587\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38587\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38587\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38587\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b\",\n \"https://git.kernel.org/stable/c/07ef95cc7a579731198c93beed281e3a79a0e586\",\n \"https://git.kernel.org/stable/c/3726f75a1ccc16cd335c0ccfad1d92ee08ecba5e\",\n \"https://git.kernel.org/stable/c/42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358\",\n \"https://git.kernel.org/stable/c/504178fb7d9f6cdb0496d5491efb05f45597e535\",\n \"https://git.kernel.org/stable/c/c6e1650cf5df1bd6638eeee231a683ef30c7d4eb\",\n \"https://git.kernel.org/stable/c/cd7f3978c2ec741aedd1d860b2adb227314cf996\",\n \"https://git.kernel.org/stable/c/d52c04474feac8e305814a5228e622afe481b2ef\",\n \"https://git.kernel.org/stable/c/eb1ea64328d4cc7d7a912c563f8523d5259716ef\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspeakup: Fix sizeof() vs ARRAY_SIZE() bug\\n\\nThe \\\"buf\\\" pointer is an array of u16 values. This code should be\\nusing ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),\\notherwise it can the still got out of bounds.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38587\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38588", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38588" + }, + { + "url": "https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b" + }, + { + "url": "https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6" + }, + { + "url": "https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461" + }, + { + "url": "https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831" + }, + { + "url": "https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada" + }, + { + "url": "https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38588 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38588", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix possible use-after-free issue in ftrace_location()\n\nKASAN reports a bug:\n\n BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n Read of size 8 at addr ffff888141d40010 by task insmod/424\n CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+\n [...]\n Call Trace:\n \n dump_stack_lvl+0x68/0xa0\n print_report+0xcf/0x610\n kasan_report+0xb5/0xe0\n ftrace_location+0x90/0x120\n register_kprobe+0x14b/0xa40\n kprobe_init+0x2d/0xff0 [kprobe_example]\n do_one_initcall+0x8f/0x2d0\n do_init_module+0x13a/0x3c0\n load_module+0x3082/0x33d0\n init_module_from_file+0xd2/0x130\n __x64_sys_finit_module+0x306/0x440\n do_syscall_64+0x68/0x140\n entry_SYSCALL_64_after_hwframe+0x71/0x79\n\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\n\n CPU1 | CPU2\n register_kprobes() { | delete_module() {\n check_kprobe_address_safe() { |\n arch_check_ftrace_location() { |\n ftrace_location() { |\n lookup_rec() // USE! | ftrace_release_mod() // Free!\n\nTo fix this issue:\n 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n 2. Use ftrace_location_range() instead of lookup_rec() in\n ftrace_location();\n 3. Call synchronize_rcu() before freeing any ftrace pages both in\n ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38588\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38588\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38588\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38588\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38588\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b\",\n \"https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6\",\n \"https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461\",\n \"https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831\",\n \"https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada\",\n \"https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nftrace: Fix possible use-after-free issue in ftrace_location()\\n\\nKASAN reports a bug:\\n\\n BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\\n Read of size 8 at addr ffff888141d40010 by task insmod/424\\n CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+\\n [...]\\n Call Trace:\\n \\n dump_stack_lvl+0x68/0xa0\\n print_report+0xcf/0x610\\n kasan_report+0xb5/0xe0\\n ftrace_location+0x90/0x120\\n register_kprobe+0x14b/0xa40\\n kprobe_init+0x2d/0xff0 [kprobe_example]\\n do_one_initcall+0x8f/0x2d0\\n do_init_module+0x13a/0x3c0\\n load_module+0x3082/0x33d0\\n init_module_from_file+0xd2/0x130\\n __x64_sys_finit_module+0x306/0x440\\n do_syscall_64+0x68/0x140\\n entry_SYSCALL_64_after_hwframe+0x71/0x79\\n\\nThe root cause is that, in lookup_rec(), ftrace record of some address\\nis being searched in ftrace pages of some module, but those ftrace pages\\nat the same time is being freed in ftrace_release_mod() as the\\ncorresponding module is being deleted:\\n\\n CPU1 | CPU2\\n register_kprobes() { | delete_module() {\\n check_kprobe_address_safe() { |\\n arch_check_ftrace_location() { |\\n ftrace_location() { |\\n lookup_rec() // USE! | ftrace_release_mod() // Free!\\n\\nTo fix this issue:\\n 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\\n 2. Use ftrace_location_range() instead of lookup_rec() in\\n ftrace_location();\\n 3. Call synchronize_rcu() before freeing any ftrace pages both in\\n ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38588\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38589", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38589" + }, + { + "url": "https://git.kernel.org/stable/c/1fbfb483c1a290dce3f41f52d45cc46dd88b7691" + }, + { + "url": "https://git.kernel.org/stable/c/3db2fc45d1d2a6457f06ebdfd45b9820e5b5c2b7" + }, + { + "url": "https://git.kernel.org/stable/c/421c50fa81836775bf0fd6ce0e57a6eb27af24d5" + }, + { + "url": "https://git.kernel.org/stable/c/5bc50a705cfac8f64ce51c95611c3dd0554ef9c3" + }, + { + "url": "https://git.kernel.org/stable/c/5fb7e2a4335fc67d6952ad2a6613c46e0b05f7c5" + }, + { + "url": "https://git.kernel.org/stable/c/b117e5b4f27c2c9076561b6be450a9619f0b79de" + }, + { + "url": "https://git.kernel.org/stable/c/b9d663fbf74290cb68fbc66ae4367bd56837ad1d" + }, + { + "url": "https://git.kernel.org/stable/c/e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6" + }, + { + "url": "https://git.kernel.org/stable/c/f28bdc2ee5d9300cc77bd3d97b5b3cdd14960fd8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38589 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38589", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: fix possible dead-lock in nr_rt_ioctl()\n\nsyzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]\n\nMake sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)\n\n[1]\nWARNING: possible circular locking dependency detected\n6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted\n------------------------------------------------------\nsyz-executor350/5129 is trying to acquire lock:\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n\nbut task is already holding lock:\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (nr_node_list_lock){+...}-{2:2}:\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_remove_node net/netrom/nr_route.c:299 [inline]\n nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355\n nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n-> #0 (&nr_node->node_lock){+...}-{2:2}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_node_lock include/net/netrom.h:152 [inline]\n nr_dec_obs net/netrom/nr_route.c:464 [inline]\n nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(nr_node_list_lock);\n lock(&nr_node->node_lock);\n lock(nr_node_list_lock);\n lock(&nr_node->node_lock);\n\n *** DEADLOCK ***\n\n1 lock held by syz-executor350/5129:\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n #0: ffffffff8f70\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38589\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38589\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38589\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38589\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38589\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fbfb483c1a290dce3f41f52d45cc46dd88b7691\",\n \"https://git.kernel.org/stable/c/3db2fc45d1d2a6457f06ebdfd45b9820e5b5c2b7\",\n \"https://git.kernel.org/stable/c/421c50fa81836775bf0fd6ce0e57a6eb27af24d5\",\n \"https://git.kernel.org/stable/c/5bc50a705cfac8f64ce51c95611c3dd0554ef9c3\",\n \"https://git.kernel.org/stable/c/5fb7e2a4335fc67d6952ad2a6613c46e0b05f7c5\",\n \"https://git.kernel.org/stable/c/b117e5b4f27c2c9076561b6be450a9619f0b79de\",\n \"https://git.kernel.org/stable/c/b9d663fbf74290cb68fbc66ae4367bd56837ad1d\",\n \"https://git.kernel.org/stable/c/e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6\",\n \"https://git.kernel.org/stable/c/f28bdc2ee5d9300cc77bd3d97b5b3cdd14960fd8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetrom: fix possible dead-lock in nr_rt_ioctl()\\n\\nsyzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]\\n\\nMake sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)\\n\\n[1]\\nWARNING: possible circular locking dependency detected\\n6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted\\n------------------------------------------------------\\nsyz-executor350/5129 is trying to acquire lock:\\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]\\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]\\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\\n\\nbut task is already holding lock:\\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697\\n\\nwhich lock already depends on the new lock.\\n\\nthe existing dependency chain (in reverse order) is:\\n\\n-> #1 (nr_node_list_lock){+...}-{2:2}:\\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\\n spin_lock_bh include/linux/spinlock.h:356 [inline]\\n nr_remove_node net/netrom/nr_route.c:299 [inline]\\n nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355\\n nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683\\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:904 [inline]\\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\n-> #0 (&nr_node->node_lock){+...}-{2:2}:\\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\\n validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869\\n __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137\\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\\n spin_lock_bh include/linux/spinlock.h:356 [inline]\\n nr_node_lock include/net/netrom.h:152 [inline]\\n nr_dec_obs net/netrom/nr_route.c:464 [inline]\\n nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:904 [inline]\\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nother info that might help us debug this:\\n\\n Possible unsafe locking scenario:\\n\\n CPU0 CPU1\\n ---- ----\\n lock(nr_node_list_lock);\\n lock(&nr_node->node_lock);\\n lock(nr_node_list_lock);\\n lock(&nr_node->node_lock);\\n\\n *** DEADLOCK ***\\n\\n1 lock held by syz-executor350/5129:\\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\\n #0: ffffffff8f70\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38589\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38590", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38590" + }, + { + "url": "https://git.kernel.org/stable/c/06cf121346bbd3d83a5eea05bb87666c6b279990" + }, + { + "url": "https://git.kernel.org/stable/c/17f3741c65c4a042ae8ba094068b07a4b77e213c" + }, + { + "url": "https://git.kernel.org/stable/c/349e859952285ab9689779fb46de163f13f18f43" + }, + { + "url": "https://git.kernel.org/stable/c/45b31be4dd22827903df15c548b97b416790139b" + }, + { + "url": "https://git.kernel.org/stable/c/6f541a89ced8305da459e3ab0006e7528cf7da7b" + }, + { + "url": "https://git.kernel.org/stable/c/817a10a6df9354e67561922d2b7fce48dfbebc55" + }, + { + "url": "https://git.kernel.org/stable/c/cc699b7eb2bc963c12ffcd37f80f45330d2924bd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38590 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38590", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Modify the print level of CQE error\n\nToo much print may lead to a panic in kernel. Change ibdev_err() to\nibdev_err_ratelimited(), and change the printing level of cqe dump\nto debug level.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38590\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38590\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38590\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38590\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38590\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06cf121346bbd3d83a5eea05bb87666c6b279990\",\n \"https://git.kernel.org/stable/c/17f3741c65c4a042ae8ba094068b07a4b77e213c\",\n \"https://git.kernel.org/stable/c/349e859952285ab9689779fb46de163f13f18f43\",\n \"https://git.kernel.org/stable/c/45b31be4dd22827903df15c548b97b416790139b\",\n \"https://git.kernel.org/stable/c/6f541a89ced8305da459e3ab0006e7528cf7da7b\",\n \"https://git.kernel.org/stable/c/817a10a6df9354e67561922d2b7fce48dfbebc55\",\n \"https://git.kernel.org/stable/c/cc699b7eb2bc963c12ffcd37f80f45330d2924bd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/hns: Modify the print level of CQE error\\n\\nToo much print may lead to a panic in kernel. Change ibdev_err() to\\nibdev_err_ratelimited(), and change the printing level of cqe dump\\nto debug level.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38590\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38591", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38591" + }, + { + "url": "https://git.kernel.org/stable/c/22c915af31bd84ffaa46145e317f53333f94a868" + }, + { + "url": "https://git.kernel.org/stable/c/4a3be1a0ffe04c085dd7f79be97c91b0c786df3d" + }, + { + "url": "https://git.kernel.org/stable/c/72dc542f0d8977e7d41d610db6bb65c47cad43e9" + }, + { + "url": "https://git.kernel.org/stable/c/756ddbe665ea7f9416951bd76731b174d136eea0" + }, + { + "url": "https://git.kernel.org/stable/c/b46494b6f9c19f141114a57729e198698f40af37" + }, + { + "url": "https://git.kernel.org/stable/c/d271e66abac5c7eb8de345b9b44d89f777437a4c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38591 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38591", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix deadlock on SRQ async events.\n\nxa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/\nxa_erase_irq() to avoid deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38591\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38591\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38591\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38591\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38591\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22c915af31bd84ffaa46145e317f53333f94a868\",\n \"https://git.kernel.org/stable/c/4a3be1a0ffe04c085dd7f79be97c91b0c786df3d\",\n \"https://git.kernel.org/stable/c/72dc542f0d8977e7d41d610db6bb65c47cad43e9\",\n \"https://git.kernel.org/stable/c/756ddbe665ea7f9416951bd76731b174d136eea0\",\n \"https://git.kernel.org/stable/c/b46494b6f9c19f141114a57729e198698f40af37\",\n \"https://git.kernel.org/stable/c/d271e66abac5c7eb8de345b9b44d89f777437a4c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/hns: Fix deadlock on SRQ async events.\\n\\nxa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/\\nxa_erase_irq() to avoid deadlock.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38591\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38594", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38594" + }, + { + "url": "https://git.kernel.org/stable/c/36ac9e7f2e5786bd37c5cd91132e1f39c29b8197" + }, + { + "url": "https://git.kernel.org/stable/c/487f9030b1ef34bab123f2df2a4ccbe01ba84416" + }, + { + "url": "https://git.kernel.org/stable/c/6f476aff2d8da1a189621c4c16a76a6c534e4312" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38594 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38594", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: move the EST lock to struct stmmac_priv\n\nReinitialize the whole EST structure would also reset the mutex\nlock which is embedded in the EST structure, and then trigger\nthe following warning. To address this, move the lock to struct\nstmmac_priv. We also need to reacquire the mutex lock when doing\nthis initialization.\n\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\nWARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068\n Modules linked in:\n CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29\n Hardware name: NXP i.MX8MPlus EVK board (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __mutex_lock+0xd84/0x1068\n lr : __mutex_lock+0xd84/0x1068\n sp : ffffffc0864e3570\n x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003\n x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac\n x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000\n x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff\n x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000\n x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8\n x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698\n x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001\n x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n __mutex_lock+0xd84/0x1068\n mutex_lock_nested+0x28/0x34\n tc_setup_taprio+0x118/0x68c\n stmmac_setup_tc+0x50/0xf0\n taprio_change+0x868/0xc9c", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38594\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38594\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38594\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38594\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38594\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36ac9e7f2e5786bd37c5cd91132e1f39c29b8197\",\n \"https://git.kernel.org/stable/c/487f9030b1ef34bab123f2df2a4ccbe01ba84416\",\n \"https://git.kernel.org/stable/c/6f476aff2d8da1a189621c4c16a76a6c534e4312\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: stmmac: move the EST lock to struct stmmac_priv\\n\\nReinitialize the whole EST structure would also reset the mutex\\nlock which is embedded in the EST structure, and then trigger\\nthe following warning. To address this, move the lock to struct\\nstmmac_priv. We also need to reacquire the mutex lock when doing\\nthis initialization.\\n\\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\\nWARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068\\n Modules linked in:\\n CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29\\n Hardware name: NXP i.MX8MPlus EVK board (DT)\\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : __mutex_lock+0xd84/0x1068\\n lr : __mutex_lock+0xd84/0x1068\\n sp : ffffffc0864e3570\\n x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003\\n x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac\\n x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000\\n x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff\\n x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000\\n x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8\\n x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698\\n x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001\\n x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027\\n x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000\\n Call trace:\\n __mutex_lock+0xd84/0x1068\\n mutex_lock_nested+0x28/0x34\\n tc_setup_taprio+0x118/0x68c\\n stmmac_setup_tc+0x50/0xf0\\n taprio_change+0x868/0xc9c\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38594\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38596", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38596" + }, + { + "url": "https://git.kernel.org/stable/c/0688d4e499bee3f2749bca27329bd128686230cb" + }, + { + "url": "https://git.kernel.org/stable/c/4d51845d734a4c5d079e56e0916f936a55e15055" + }, + { + "url": "https://git.kernel.org/stable/c/540bf24fba16b88c1b3b9353927204b4f1074e25" + }, + { + "url": "https://git.kernel.org/stable/c/8299e4d778f664b31b67cf4cf3d5409de2ecb92c" + }, + { + "url": "https://git.kernel.org/stable/c/9aa8773abfa0e954136875b4cbf2df4cf638e8a5" + }, + { + "url": "https://git.kernel.org/stable/c/a4c88072abcaca593cefe70f90e9d3707526e8f9" + }, + { + "url": "https://git.kernel.org/stable/c/a52fa2addfcccc2c5a0217fd45562605088c018b" + }, + { + "url": "https://git.kernel.org/stable/c/de6641d213373fbde9bbdd7c4b552254bc9f82fe" + }, + { + "url": "https://git.kernel.org/stable/c/fca6072e1a7b1e709ada5604b951513b89b4bd0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38596 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38596", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\n\nA data-race condition has been identified in af_unix. In one data path,\nthe write function unix_release_sock() atomically writes to\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\nunix_stream_sendmsg() does not read it atomically. Consequently, this\nissue is causing the following KCSAN splat to occur:\n\n\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\n\n\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\n\tunix_release_sock (net/unix/af_unix.c:640)\n\tunix_release (net/unix/af_unix.c:1050)\n\tsock_close (net/socket.c:659 net/socket.c:1421)\n\t__fput (fs/file_table.c:422)\n\t__fput_sync (fs/file_table.c:508)\n\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\n\t__x64_sys_close (fs/open.c:1541)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\n\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\n\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\n\t____sys_sendmsg (net/socket.c:2584)\n\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\n\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tvalue changed: 0x01 -> 0x03\n\nThe line numbers are related to commit dd5a440a31fa (\"Linux 6.9-rc7\").\n\nCommit e1d09c2c2f57 (\"af_unix: Fix data races around sk->sk_shutdown.\")\naddressed a comparable issue in the past regarding sk->sk_shutdown.\nHowever, it overlooked resolving this particular data path.\nThis patch only offending unix_stream_sendmsg() function, since the\nother reads seem to be protected by unix_state_lock() as discussed in", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38596\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38596\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38596\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38596\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38596\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0688d4e499bee3f2749bca27329bd128686230cb\",\n \"https://git.kernel.org/stable/c/4d51845d734a4c5d079e56e0916f936a55e15055\",\n \"https://git.kernel.org/stable/c/540bf24fba16b88c1b3b9353927204b4f1074e25\",\n \"https://git.kernel.org/stable/c/8299e4d778f664b31b67cf4cf3d5409de2ecb92c\",\n \"https://git.kernel.org/stable/c/9aa8773abfa0e954136875b4cbf2df4cf638e8a5\",\n \"https://git.kernel.org/stable/c/a4c88072abcaca593cefe70f90e9d3707526e8f9\",\n \"https://git.kernel.org/stable/c/a52fa2addfcccc2c5a0217fd45562605088c018b\",\n \"https://git.kernel.org/stable/c/de6641d213373fbde9bbdd7c4b552254bc9f82fe\",\n \"https://git.kernel.org/stable/c/fca6072e1a7b1e709ada5604b951513b89b4bd0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\\n\\nA data-race condition has been identified in af_unix. In one data path,\\nthe write function unix_release_sock() atomically writes to\\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\\nunix_stream_sendmsg() does not read it atomically. Consequently, this\\nissue is causing the following KCSAN splat to occur:\\n\\n\\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\\n\\n\\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\\n\\tunix_release_sock (net/unix/af_unix.c:640)\\n\\tunix_release (net/unix/af_unix.c:1050)\\n\\tsock_close (net/socket.c:659 net/socket.c:1421)\\n\\t__fput (fs/file_table.c:422)\\n\\t__fput_sync (fs/file_table.c:508)\\n\\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\\n\\t__x64_sys_close (fs/open.c:1541)\\n\\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\\n\\tdo_syscall_64 (arch/x86/entry/common.c:?)\\n\\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\n\\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\\n\\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\\n\\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\\n\\t____sys_sendmsg (net/socket.c:2584)\\n\\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\\n\\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\\n\\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\\n\\tdo_syscall_64 (arch/x86/entry/common.c:?)\\n\\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\n\\tvalue changed: 0x01 -> 0x03\\n\\nThe line numbers are related to commit dd5a440a31fa (\\\"Linux 6.9-rc7\\\").\\n\\nCommit e1d09c2c2f57 (\\\"af_unix: Fix data races around sk->sk_shutdown.\\\")\\naddressed a comparable issue in the past regarding sk->sk_shutdown.\\nHowever, it overlooked resolving this particular data path.\\nThis patch only offending unix_stream_sendmsg() function, since the\\nother reads seem to be protected by unix_state_lock() as discussed in\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38596\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38597", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38597" + }, + { + "url": "https://git.kernel.org/stable/c/476adb3bbbd7886e8251d3b9ce2d3c3e680f35d6" + }, + { + "url": "https://git.kernel.org/stable/c/5de5aeb98f9a000adb0db184e32765e4815d860b" + }, + { + "url": "https://git.kernel.org/stable/c/6400d205fbbcbcf9b8510157e1f379c1d7e2e937" + }, + { + "url": "https://git.kernel.org/stable/c/ac0a230f719b02432d8c7eba7615ebd691da86f4" + }, + { + "url": "https://git.kernel.org/stable/c/e22b23f5888a065d084e87db1eec639c445e677f" + }, + { + "url": "https://git.kernel.org/stable/c/faf94f1eb8a34b2c31b2042051ef36f63420ecce" + }, + { + "url": "https://git.kernel.org/stable/c/fbeeb55dbb33d562149c57e794f06b7414e44289" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38597 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38597", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: sungem: remove .ndo_poll_controller to avoid deadlocks\n\nErhard reports netpoll warnings from sungem:\n\n netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398)\n WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c\n\ngem_poll_controller() disables interrupts, which may sleep.\nWe can't sleep in netpoll, it has interrupts disabled completely.\nStrangely, gem_poll_controller() doesn't even poll the completions,\nand instead acts as if an interrupt has fired so it just schedules\nNAPI and exits. None of this has been necessary for years, since\nnetpoll invokes NAPI directly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38597\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38597\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38597\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38597\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38597\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/476adb3bbbd7886e8251d3b9ce2d3c3e680f35d6\",\n \"https://git.kernel.org/stable/c/5de5aeb98f9a000adb0db184e32765e4815d860b\",\n \"https://git.kernel.org/stable/c/6400d205fbbcbcf9b8510157e1f379c1d7e2e937\",\n \"https://git.kernel.org/stable/c/ac0a230f719b02432d8c7eba7615ebd691da86f4\",\n \"https://git.kernel.org/stable/c/e22b23f5888a065d084e87db1eec639c445e677f\",\n \"https://git.kernel.org/stable/c/faf94f1eb8a34b2c31b2042051ef36f63420ecce\",\n \"https://git.kernel.org/stable/c/fbeeb55dbb33d562149c57e794f06b7414e44289\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\neth: sungem: remove .ndo_poll_controller to avoid deadlocks\\n\\nErhard reports netpoll warnings from sungem:\\n\\n netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398)\\n WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c\\n\\ngem_poll_controller() disables interrupts, which may sleep.\\nWe can't sleep in netpoll, it has interrupts disabled completely.\\nStrangely, gem_poll_controller() doesn't even poll the completions,\\nand instead acts as if an interrupt has fired so it just schedules\\nNAPI and exits. None of this has been necessary for years, since\\nnetpoll invokes NAPI directly.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38597\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38598", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38598" + }, + { + "url": "https://git.kernel.org/stable/c/3f5b73ef8fd6268cbc968b308d8eafe56fda97f3" + }, + { + "url": "https://git.kernel.org/stable/c/43771597feba89a839c5f893716df88ae5c237ce" + }, + { + "url": "https://git.kernel.org/stable/c/5817f43ae1a118855676f57ef7ab50e37eac7482" + }, + { + "url": "https://git.kernel.org/stable/c/69296914bfd508c85935bf5f711cad9b0fe78492" + }, + { + "url": "https://git.kernel.org/stable/c/71e8e4f288e74a896b6d9cd194f3bab12bd7a10f" + }, + { + "url": "https://git.kernel.org/stable/c/8bbc71315e0ae4bb7e37f8d43b915e1cb01a481b" + }, + { + "url": "https://git.kernel.org/stable/c/c9566b812c8f66160466cc1e29df6d3646add0b1" + }, + { + "url": "https://git.kernel.org/stable/c/d4b9c764d48fa41caa24cfb4275f3aa9fb4bd798" + }, + { + "url": "https://git.kernel.org/stable/c/f0e729af2eb6bee9eb58c4df1087f14ebaefe26b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38598 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38598", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix resync softlockup when bitmap size is less than array size\n\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\n\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n \n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\n\nAnd the detailed process is as follows:\n\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n sectors = raid10_sync_request(mddev, j, &skipped)\n if (!md_bitmap_start_sync(..., &sync_blocks))\n // md_bitmap_start_sync set sync_blocks to 0\n return sync_blocks + sectors_skippe;\n // sectors = 0;\n j += sectors;\n // j never change\n\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\n\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\n\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38598\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38598\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38598\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38598\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38598\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f5b73ef8fd6268cbc968b308d8eafe56fda97f3\",\n \"https://git.kernel.org/stable/c/43771597feba89a839c5f893716df88ae5c237ce\",\n \"https://git.kernel.org/stable/c/5817f43ae1a118855676f57ef7ab50e37eac7482\",\n \"https://git.kernel.org/stable/c/69296914bfd508c85935bf5f711cad9b0fe78492\",\n \"https://git.kernel.org/stable/c/71e8e4f288e74a896b6d9cd194f3bab12bd7a10f\",\n \"https://git.kernel.org/stable/c/8bbc71315e0ae4bb7e37f8d43b915e1cb01a481b\",\n \"https://git.kernel.org/stable/c/c9566b812c8f66160466cc1e29df6d3646add0b1\",\n \"https://git.kernel.org/stable/c/d4b9c764d48fa41caa24cfb4275f3aa9fb4bd798\",\n \"https://git.kernel.org/stable/c/f0e729af2eb6bee9eb58c4df1087f14ebaefe26b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd: fix resync softlockup when bitmap size is less than array size\\n\\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\\ntrigger following softlockup:\\n\\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\\nCall Trace:\\n \\n md_bitmap_start_sync+0x6b/0xf0\\n raid10_sync_request+0x25c/0x1b40 [raid10]\\n md_do_sync+0x64b/0x1020\\n md_thread+0xa7/0x170\\n kthread+0xcf/0x100\\n ret_from_fork+0x30/0x50\\n ret_from_fork_asm+0x1a/0x30\\n\\nAnd the detailed process is as follows:\\n\\nmd_do_sync\\n j = mddev->resync_min\\n while (j < max_sectors)\\n sectors = raid10_sync_request(mddev, j, &skipped)\\n if (!md_bitmap_start_sync(..., &sync_blocks))\\n // md_bitmap_start_sync set sync_blocks to 0\\n return sync_blocks + sectors_skippe;\\n // sectors = 0;\\n j += sectors;\\n // j never change\\n\\nRoot cause is that commit 301867b1c168 (\\\"md/raid10: check\\nslab-out-of-bounds in md_bitmap_get_counter\\\") return early from\\nmd_bitmap_get_counter(), without setting returned blocks.\\n\\nFix this problem by always set returned blocks from\\nmd_bitmap_get_counter\\\"(), as it used to be.\\n\\nNoted that this patch just fix the softlockup problem in kernel, the\\ncase that bitmap size doesn't match array size still need to be fixed.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38598\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38599", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38599" + }, + { + "url": "https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11" + }, + { + "url": "https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df" + }, + { + "url": "https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275" + }, + { + "url": "https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07" + }, + { + "url": "https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b" + }, + { + "url": "https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb" + }, + { + "url": "https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913" + }, + { + "url": "https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098" + }, + { + "url": "https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38599 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38599", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eraseblock\n\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\n\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\n\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\n\nThis breaks the filesystem and can lead to KASAN crashes such as:\n\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38599\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38599\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38599\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38599\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38599\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11\",\n \"https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df\",\n \"https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275\",\n \"https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07\",\n \"https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b\",\n \"https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb\",\n \"https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913\",\n \"https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098\",\n \"https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njffs2: prevent xattr node from overflowing the eraseblock\\n\\nAdd a check to make sure that the requested xattr node size is no larger\\nthan the eraseblock minus the cleanmarker.\\n\\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\\nand spread across multiple eraseblocks, which means that a xattr node\\nmust not occupy more than one eraseblock. If the requested xattr value is\\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\\nthe nodes and causing errors such as:\\n\\njffs2: argh. node added in wrong place at 0x0000b050(2)\\njffs2: nextblock 0x0000a000, expected at 0000b00c\\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\\nread=0xfc892c93, calc=0x000000\\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\\nend of the erase block\\njffs2: Perhaps the file system was created with the wrong erase size?\\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\\nat 0x00000010: 0x1044 instead\\n\\nThis breaks the filesystem and can lead to KASAN crashes such as:\\n\\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\\nRead of size 4 at addr ffff88802c31e914 by task repro/830\\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\\nCall Trace:\\n \\n dump_stack_lvl+0xc6/0x120\\n print_report+0xc4/0x620\\n ? __virt_addr_valid+0x308/0x5b0\\n kasan_report+0xc1/0xf0\\n ? jffs2_sum_add_kvec+0x125e/0x15d0\\n ? jffs2_sum_add_kvec+0x125e/0x15d0\\n jffs2_sum_add_kvec+0x125e/0x15d0\\n jffs2_flash_direct_writev+0xa8/0xd0\\n jffs2_flash_writev+0x9c9/0xef0\\n ? __x64_sys_setxattr+0xc4/0x160\\n ? do_syscall_64+0x69/0x140\\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n [...]\\n\\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38599\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38600", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-118.128", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38600" + }, + { + "url": "https://git.kernel.org/stable/c/2f103287ef7960854808930499d1181bd0145d68" + }, + { + "url": "https://git.kernel.org/stable/c/6b55e879e7bd023a03888fc6c8339edf82f576f4" + }, + { + "url": "https://git.kernel.org/stable/c/87988a534d8e12f2e6fc01fe63e6c1925dc5307c" + }, + { + "url": "https://git.kernel.org/stable/c/88ce3fe255d58a93624b467af036dc3519f309c7" + }, + { + "url": "https://git.kernel.org/stable/c/c2fb439f4f1425a961d20bec818fed2c2d9ef70a" + }, + { + "url": "https://git.kernel.org/stable/c/ff80185e7b7b547a0911fcfc8aefc61c3e8304d7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38600 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38600", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: Fix deadlocks with kctl removals at disconnection\n\nIn snd_card_disconnect(), we set card->shutdown flag at the beginning,\ncall callbacks and do sync for card->power_ref_sleep waiters at the\nend. The callback may delete a kctl element, and this can lead to a\ndeadlock when the device was in the suspended state. Namely:\n\n* A process waits for the power up at snd_power_ref_and_wait() in\n snd_ctl_info() or read/write() inside card->controls_rwsem.\n\n* The system gets disconnected meanwhile, and the driver tries to\n delete a kctl via snd_ctl_remove*(); it tries to take\n card->controls_rwsem again, but this is already locked by the\n above. Since the sleeper isn't woken up, this deadlocks.\n\nAn easy fix is to wake up sleepers before processing the driver\ndisconnect callbacks but right after setting the card->shutdown flag.\nThen all sleepers will abort immediately, and the code flows again.\n\nSo, basically this patch moves the wait_event() call at the right\ntiming. While we're at it, just to be sure, call wait_event_all()\ninstead of wait_event(), although we don't use exclusive events on\nthis queue for now.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38600\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38600\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38600\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-118.128\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38600\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38600\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f103287ef7960854808930499d1181bd0145d68\",\n \"https://git.kernel.org/stable/c/6b55e879e7bd023a03888fc6c8339edf82f576f4\",\n \"https://git.kernel.org/stable/c/87988a534d8e12f2e6fc01fe63e6c1925dc5307c\",\n \"https://git.kernel.org/stable/c/88ce3fe255d58a93624b467af036dc3519f309c7\",\n \"https://git.kernel.org/stable/c/c2fb439f4f1425a961d20bec818fed2c2d9ef70a\",\n \"https://git.kernel.org/stable/c/ff80185e7b7b547a0911fcfc8aefc61c3e8304d7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: Fix deadlocks with kctl removals at disconnection\\n\\nIn snd_card_disconnect(), we set card->shutdown flag at the beginning,\\ncall callbacks and do sync for card->power_ref_sleep waiters at the\\nend. The callback may delete a kctl element, and this can lead to a\\ndeadlock when the device was in the suspended state. Namely:\\n\\n* A process waits for the power up at snd_power_ref_and_wait() in\\n snd_ctl_info() or read/write() inside card->controls_rwsem.\\n\\n* The system gets disconnected meanwhile, and the driver tries to\\n delete a kctl via snd_ctl_remove*(); it tries to take\\n card->controls_rwsem again, but this is already locked by the\\n above. Since the sleeper isn't woken up, this deadlocks.\\n\\nAn easy fix is to wake up sleepers before processing the driver\\ndisconnect callbacks but right after setting the card->shutdown flag.\\nThen all sleepers will abort immediately, and the code flows again.\\n\\nSo, basically this patch moves the wait_event() call at the right\\ntiming. While we're at it, just to be sure, call wait_event_all()\\ninstead of wait_event(), although we don't use exclusive events on\\nthis queue for now.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-118.128 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38600\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38601", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38601" + }, + { + "url": "https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b" + }, + { + "url": "https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e" + }, + { + "url": "https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb" + }, + { + "url": "https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1" + }, + { + "url": "https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87" + }, + { + "url": "https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533" + }, + { + "url": "https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e" + }, + { + "url": "https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa" + }, + { + "url": "https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38601 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38601", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix a race between readers and resize checks\n\nThe reader code in rb_get_reader_page() swaps a new reader page into the\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\nnew page. Following that, if the operation is successful,\nold->list.next->prev gets updated too. This means the underlying\ndoubly-linked list is temporarily inconsistent, page->prev->next or\npage->next->prev might not be equal back to page for some page in the\nring buffer.\n\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\nIt calls rb_check_pages() which can detect the described inconsistency\nand stop further tracing:\n\n[ 190.271762] ------------[ cut here ]------------\n[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\n[ 190.271789] Modules linked in: [...]\n[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\n[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\n[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\n[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\n[ 190.272023] Code: [...]\n[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\n[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\n[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\n[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\n[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\n[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\n[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\n[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\n[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 190.272077] Call Trace:\n[ 190.272098] \n[ 190.272189] ring_buffer_resize+0x2ab/0x460\n[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0\n[ 190.272206] tracing_resize_ring_buffer+0x65/0x90\n[ 190.272216] tracing_entries_write+0x74/0xc0\n[ 190.272225] vfs_write+0xf5/0x420\n[ 190.272248] ksys_write+0x67/0xe0\n[ 190.272256] do_syscall_64+0x82/0x170\n[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 190.272373] RIP: 0033:0x7f1bd657d263\n[ 190.272381] Code: [...]\n[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\n[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\n[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\n[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\n[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\n[ 190.272412] \n[ 190.272414] ---[ end trace 0000000000000000 ]---\n\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\ntrace_buffer has recording disabled. Recent commit d78ab792705c\n(\"tracing: Stop current tracer when resizing buffer\") causes that it is\nnow always the case which makes it more likely to experience this issue.\n\nThe window to hit this race is nonetheless very small. To help\nreproducing it, one can add a delay loop in rb_get_reader_page():\n\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\n if (!ret)\n \tgoto spin;\n for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */\n \t__asm__ __volatile__ (\"\" : : : \"memory\");\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\n\n.. \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38601\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38601\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38601\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38601\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38601\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b\",\n \"https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e\",\n \"https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb\",\n \"https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1\",\n \"https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87\",\n \"https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533\",\n \"https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e\",\n \"https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa\",\n \"https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nring-buffer: Fix a race between readers and resize checks\\n\\nThe reader code in rb_get_reader_page() swaps a new reader page into the\\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\\nnew page. Following that, if the operation is successful,\\nold->list.next->prev gets updated too. This means the underlying\\ndoubly-linked list is temporarily inconsistent, page->prev->next or\\npage->next->prev might not be equal back to page for some page in the\\nring buffer.\\n\\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\\nIt calls rb_check_pages() which can detect the described inconsistency\\nand stop further tracing:\\n\\n[ 190.271762] ------------[ cut here ]------------\\n[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\\n[ 190.271789] Modules linked in: [...]\\n[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\\n[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\\n[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\\n[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\\n[ 190.272023] Code: [...]\\n[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\\n[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\\n[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\\n[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\\n[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\\n[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\\n[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\\n[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\\n[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 190.272077] Call Trace:\\n[ 190.272098] \\n[ 190.272189] ring_buffer_resize+0x2ab/0x460\\n[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0\\n[ 190.272206] tracing_resize_ring_buffer+0x65/0x90\\n[ 190.272216] tracing_entries_write+0x74/0xc0\\n[ 190.272225] vfs_write+0xf5/0x420\\n[ 190.272248] ksys_write+0x67/0xe0\\n[ 190.272256] do_syscall_64+0x82/0x170\\n[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n[ 190.272373] RIP: 0033:0x7f1bd657d263\\n[ 190.272381] Code: [...]\\n[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\n[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\\n[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\\n[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\\n[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\\n[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\\n[ 190.272412] \\n[ 190.272414] ---[ end trace 0000000000000000 ]---\\n\\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\\ntrace_buffer has recording disabled. Recent commit d78ab792705c\\n(\\\"tracing: Stop current tracer when resizing buffer\\\") causes that it is\\nnow always the case which makes it more likely to experience this issue.\\n\\nThe window to hit this race is nonetheless very small. To help\\nreproducing it, one can add a delay loop in rb_get_reader_page():\\n\\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\\n if (!ret)\\n \\tgoto spin;\\n for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */\\n \\t__asm__ __volatile__ (\\\"\\\" : : : \\\"memory\\\");\\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\\n\\n.. \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38601\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38602", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38602" + }, + { + "url": "https://git.kernel.org/stable/c/1ea02699c7557eeb35ccff2bd822de1b3e09d868" + }, + { + "url": "https://git.kernel.org/stable/c/38eb01edfdaa1562fa00429be2e33f45383b1b3a" + }, + { + "url": "https://git.kernel.org/stable/c/81d8240b0a243b3ddd8fa8aa172f1acc2f7cc8f3" + }, + { + "url": "https://git.kernel.org/stable/c/ae467750a3765dd1092eb29f58247950a2f9b60c" + }, + { + "url": "https://git.kernel.org/stable/c/b505e0319852b08a3a716b64620168eab21f4ced" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38602 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38602", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issues of ax25_dev\n\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\ncount leak issue of the object \"ax25_dev\".\n\nMemory leak issue in ax25_addr_ax25dev():\n\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\n\nMemory leak issues in ax25_dev_device_down():\n\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down. The ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause\nmemory leak.\n\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38602\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38602\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38602\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38602\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38602\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ea02699c7557eeb35ccff2bd822de1b3e09d868\",\n \"https://git.kernel.org/stable/c/38eb01edfdaa1562fa00429be2e33f45383b1b3a\",\n \"https://git.kernel.org/stable/c/81d8240b0a243b3ddd8fa8aa172f1acc2f7cc8f3\",\n \"https://git.kernel.org/stable/c/ae467750a3765dd1092eb29f58247950a2f9b60c\",\n \"https://git.kernel.org/stable/c/b505e0319852b08a3a716b64620168eab21f4ced\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nax25: Fix reference count leak issues of ax25_dev\\n\\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\\ncount leak issue of the object \\\"ax25_dev\\\".\\n\\nMemory leak issue in ax25_addr_ax25dev():\\n\\nThe reference count of the object \\\"ax25_dev\\\" can be increased multiple\\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\\n\\nMemory leak issues in ax25_dev_device_down():\\n\\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\\nAs a result, the reference count of ax25_dev is 2. But when the device is\\nshutting down. The ax25_dev_device_down() drops the reference count once\\nor twice depending on if we goto unlock_put or not, which will cause\\nmemory leak.\\n\\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\\nafter it is removed from the ax25_dev_list.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38602\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38605", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38605" + }, + { + "url": "https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e7351138a29c1" + }, + { + "url": "https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12" + }, + { + "url": "https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5" + }, + { + "url": "https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434" + }, + { + "url": "https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e" + }, + { + "url": "https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92" + }, + { + "url": "https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38605 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38605", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: core: Fix NULL module pointer assignment at card init\n\nThe commit 81033c6b584b (\"ALSA: core: Warn on empty module\")\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\nobject creation, and it also wraps the code around it with '#ifdef\nMODULE'. This works in most cases, but the devils are always in\ndetails. \"MODULE\" is defined when the target code (i.e. the sound\ncore) is built as a module; but this doesn't mean that the caller is\nalso built-in or not. Namely, when only the sound core is built-in\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\nthe passed module pointer is ignored even if it's non-NULL, and\ncard->module remains as NULL. This would result in the missing module\nreference up/down at the device open/close, leading to a race with the\ncode execution after the module removal.\n\nFor addressing the bug, move the assignment of card->module again out\nof ifdef. The WARN_ON() is still wrapped with ifdef because the\nmodule can be really NULL when all sound drivers are built-in.\n\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\nlead to a false-positive NULL module check. Admittedly it won't catch\nperfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no\nreal problem as it's only for debugging, and the condition is pretty\nrare.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38605\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38605\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38605\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38605\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38605\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e7351138a29c1\",\n \"https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12\",\n \"https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5\",\n \"https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434\",\n \"https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e\",\n \"https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92\",\n \"https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: core: Fix NULL module pointer assignment at card init\\n\\nThe commit 81033c6b584b (\\\"ALSA: core: Warn on empty module\\\")\\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\\nobject creation, and it also wraps the code around it with '#ifdef\\nMODULE'. This works in most cases, but the devils are always in\\ndetails. \\\"MODULE\\\" is defined when the target code (i.e. the sound\\ncore) is built as a module; but this doesn't mean that the caller is\\nalso built-in or not. Namely, when only the sound core is built-in\\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\\nthe passed module pointer is ignored even if it's non-NULL, and\\ncard->module remains as NULL. This would result in the missing module\\nreference up/down at the device open/close, leading to a race with the\\ncode execution after the module removal.\\n\\nFor addressing the bug, move the assignment of card->module again out\\nof ifdef. The WARN_ON() is still wrapped with ifdef because the\\nmodule can be really NULL when all sound drivers are built-in.\\n\\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\\nlead to a false-positive NULL module check. Admittedly it won't catch\\nperfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no\\nreal problem as it's only for debugging, and the condition is pretty\\nrare.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 8.8,\n \"exploitabilityScore\": 2.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38605\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38607", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38607" + }, + { + "url": "https://git.kernel.org/stable/c/010d4cb19bb13f423e3e746b824f314a9bf3e9a9" + }, + { + "url": "https://git.kernel.org/stable/c/1e9c3f2caec548cfa7a65416ec4e6006e542f18e" + }, + { + "url": "https://git.kernel.org/stable/c/280619bbdeac186fb320fab3d61122d2a085def8" + }, + { + "url": "https://git.kernel.org/stable/c/2907d409ce5946390f513976f0454888d37d1058" + }, + { + "url": "https://git.kernel.org/stable/c/5900a88e897e6deb1bdce09ee34167a81c2da89d" + }, + { + "url": "https://git.kernel.org/stable/c/787fb79efc15b3b86442ecf079b8148f173376d7" + }, + { + "url": "https://git.kernel.org/stable/c/d301a71c76ee4c384b4e03cdc320a55f5cf1df05" + }, + { + "url": "https://git.kernel.org/stable/c/d43a8c7ec0841e0ff91a968770aeca83f0fd4c56" + }, + { + "url": "https://git.kernel.org/stable/c/e4ff8bcfb2841fe4e17e5901578b632adb89036d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38607 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38607", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/via-macii: Fix \"BUG: sleeping function called from invalid context\"\n\nThe via-macii ADB driver calls request_irq() after disabling hard\ninterrupts. But disabling interrupts isn't necessary here because the\nVIA shift register interrupt was masked during VIA1 initialization.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38607\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38607\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38607\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38607\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38607\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/010d4cb19bb13f423e3e746b824f314a9bf3e9a9\",\n \"https://git.kernel.org/stable/c/1e9c3f2caec548cfa7a65416ec4e6006e542f18e\",\n \"https://git.kernel.org/stable/c/280619bbdeac186fb320fab3d61122d2a085def8\",\n \"https://git.kernel.org/stable/c/2907d409ce5946390f513976f0454888d37d1058\",\n \"https://git.kernel.org/stable/c/5900a88e897e6deb1bdce09ee34167a81c2da89d\",\n \"https://git.kernel.org/stable/c/787fb79efc15b3b86442ecf079b8148f173376d7\",\n \"https://git.kernel.org/stable/c/d301a71c76ee4c384b4e03cdc320a55f5cf1df05\",\n \"https://git.kernel.org/stable/c/d43a8c7ec0841e0ff91a968770aeca83f0fd4c56\",\n \"https://git.kernel.org/stable/c/e4ff8bcfb2841fe4e17e5901578b632adb89036d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmacintosh/via-macii: Fix \\\"BUG: sleeping function called from invalid context\\\"\\n\\nThe via-macii ADB driver calls request_irq() after disabling hard\\ninterrupts. But disabling interrupts isn't necessary here because the\\nVIA shift register interrupt was masked during VIA1 initialization.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38607\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38608", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38608" + }, + { + "url": "https://git.kernel.org/stable/c/3d5918477f94e4c2f064567875c475468e264644" + }, + { + "url": "https://git.kernel.org/stable/c/f7e6cfb864a53af71c5cc904f1cc22215d68f5c6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38608 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38608", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix netif state handling\n\nmlx5e_suspend cleans resources only if netif_device_present() returns\ntrue. However, mlx5e_resume changes the state of netif, via\nmlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.\nIn the below case, the above leads to NULL-ptr Oops[1] and memory\nleaks:\n\nmlx5e_probe\n _mlx5e_resume\n mlx5e_attach_netdev\n mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach()\n register_netdev <-- failed for some reason.\nERROR_FLOW:\n _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(\n\nHence, clean resources in this case as well.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at0xffffffffffffffd6.\nRSP: 0018:ffff888178aaf758 EFLAGS: 00010246\nCall Trace:\n \n ? __die+0x20/0x60\n ? page_fault_oops+0x14c/0x3c0\n ? exc_page_fault+0x75/0x140\n ? asm_exc_page_fault+0x22/0x30\n notifier_call_chain+0x35/0xb0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]\n mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]\n mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\n mlx5r_probe+0xe1/0x210 [mlx5_ib]\n ? auxiliary_match_id+0x6a/0x90\n auxiliary_bus_probe+0x38/0x80\n ? driver_sysfs_add+0x51/0x80\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x637/0x840\n __auxiliary_device_add+0x3b/0xa0\n add_adev+0xc9/0x140 [mlx5_core]\n mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]\n mlx5_register_device+0x53/0xa0 [mlx5_core]\n mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]\n mlx5_init_one+0x3b/0x60 [mlx5_core]\n probe_one+0x44c/0x730 [mlx5_core]\n local_pci_probe+0x3e/0x90\n pci_device_probe+0xbf/0x210\n ? kernfs_create_link+0x5d/0xa0\n ? sysfs_do_create_link_sd+0x60/0xc0\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n pci_bus_add_device+0x54/0x80\n pci_iov_add_virtfn+0x2e6/0x320\n sriov_enable+0x208/0x420\n mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]\n sriov_numvfs_store+0xae/0x1a0\n kernfs_fop_write_iter+0x10c/0x1a0\n vfs_write+0x291/0x3c0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38608\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38608\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38608\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38608\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38608\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3d5918477f94e4c2f064567875c475468e264644\",\n \"https://git.kernel.org/stable/c/f7e6cfb864a53af71c5cc904f1cc22215d68f5c6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: Fix netif state handling\\n\\nmlx5e_suspend cleans resources only if netif_device_present() returns\\ntrue. However, mlx5e_resume changes the state of netif, via\\nmlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.\\nIn the below case, the above leads to NULL-ptr Oops[1] and memory\\nleaks:\\n\\nmlx5e_probe\\n _mlx5e_resume\\n mlx5e_attach_netdev\\n mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach()\\n register_netdev <-- failed for some reason.\\nERROR_FLOW:\\n _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(\\n\\nHence, clean resources in this case as well.\\n\\n[1]\\nBUG: kernel NULL pointer dereference, address: 0000000000000000\\nPGD 0 P4D 0\\nOops: 0010 [#1] SMP\\nCPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\nRIP: 0010:0x0\\nCode: Unable to access opcode bytes at0xffffffffffffffd6.\\nRSP: 0018:ffff888178aaf758 EFLAGS: 00010246\\nCall Trace:\\n \\n ? __die+0x20/0x60\\n ? page_fault_oops+0x14c/0x3c0\\n ? exc_page_fault+0x75/0x140\\n ? asm_exc_page_fault+0x22/0x30\\n notifier_call_chain+0x35/0xb0\\n blocking_notifier_call_chain+0x3d/0x60\\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\\n mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]\\n mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]\\n mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]\\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\\n mlx5r_probe+0xe1/0x210 [mlx5_ib]\\n ? auxiliary_match_id+0x6a/0x90\\n auxiliary_bus_probe+0x38/0x80\\n ? driver_sysfs_add+0x51/0x80\\n really_probe+0xc9/0x3e0\\n ? driver_probe_device+0x90/0x90\\n __driver_probe_device+0x80/0x160\\n driver_probe_device+0x1e/0x90\\n __device_attach_driver+0x7d/0x100\\n bus_for_each_drv+0x80/0xd0\\n __device_attach+0xbc/0x1f0\\n bus_probe_device+0x86/0xa0\\n device_add+0x637/0x840\\n __auxiliary_device_add+0x3b/0xa0\\n add_adev+0xc9/0x140 [mlx5_core]\\n mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]\\n mlx5_register_device+0x53/0xa0 [mlx5_core]\\n mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]\\n mlx5_init_one+0x3b/0x60 [mlx5_core]\\n probe_one+0x44c/0x730 [mlx5_core]\\n local_pci_probe+0x3e/0x90\\n pci_device_probe+0xbf/0x210\\n ? kernfs_create_link+0x5d/0xa0\\n ? sysfs_do_create_link_sd+0x60/0xc0\\n really_probe+0xc9/0x3e0\\n ? driver_probe_device+0x90/0x90\\n __driver_probe_device+0x80/0x160\\n driver_probe_device+0x1e/0x90\\n __device_attach_driver+0x7d/0x100\\n bus_for_each_drv+0x80/0xd0\\n __device_attach+0xbc/0x1f0\\n pci_bus_add_device+0x54/0x80\\n pci_iov_add_virtfn+0x2e6/0x320\\n sriov_enable+0x208/0x420\\n mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]\\n sriov_numvfs_store+0xae/0x1a0\\n kernfs_fop_write_iter+0x10c/0x1a0\\n vfs_write+0x291/0x3c0\\n ksys_write+0x5f/0xe0\\n do_syscall_64+0x3d/0x90\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\\n CR2: 0000000000000000\\n ---[ end trace 0000000000000000 ]---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38608\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38610", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38610" + }, + { + "url": "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb" + }, + { + "url": "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559" + }, + { + "url": "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4" + }, + { + "url": "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a" + }, + { + "url": "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32" + }, + { + "url": "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38610 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38610", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\ncompiles, that's all I know. I'll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation. Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We're not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We're not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38610\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38610\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38610\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38610\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38610\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb\",\n \"https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559\",\n \"https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4\",\n \"https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a\",\n \"https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32\",\n \"https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\\n\\nPatch series \\\"mm: follow_pte() improvements and acrn follow_pte() fixes\\\".\\n\\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\\ncompiles, that's all I know. I'll appreciate some review and testing from\\nacrn folks.\\n\\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\\nmore sanity checks, and improving the documentation. Gave it a quick test\\non x86-64 using VM_PAT that ends up using follow_pte().\\n\\n\\nThis patch (of 3):\\n\\nWe currently miss handling various cases, resulting in a dangerous\\nfollow_pte() (previously follow_pfn()) usage.\\n\\n(1) We're not checking PTE write permissions.\\n\\nMaybe we should simply always require pte_write() like we do for\\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\\nACRN_MEM_ACCESS_WRITE for now.\\n\\n(2) We're not rejecting refcounted pages.\\n\\nAs we are not using MMU notifiers, messing with refcounted pages is\\ndangerous and can result in use-after-free. Let's make sure to reject them.\\n\\n(3) We are only looking at the first PTE of a bigger range.\\n\\nWe only lookup a single PTE, but memmap->len may span a larger area.\\nLet's loop over all involved PTEs and make sure the PFN range is\\nactually contiguous. Reject everything else: it couldn't have worked\\neither way, and rather made use access PFNs we shouldn't be accessing.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38610\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38611", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38611" + }, + { + "url": "https://git.kernel.org/stable/c/43fff07e4b1956d0e5cf23717507e438278ea3d9" + }, + { + "url": "https://git.kernel.org/stable/c/545b215736c5c4b354e182d99c578a472ac9bfce" + }, + { + "url": "https://git.kernel.org/stable/c/904db2ba44ae60641b6378c5013254d09acf5e80" + }, + { + "url": "https://git.kernel.org/stable/c/c1a3803e5bb91c13e9ad582003e4288f67f06cd9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38611 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38611", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: et8ek8: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback\nbeing discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets\nunbound (e.g. using sysfs or hotplug), the driver is just removed\nwithout the cleanup being performed. This results in resource leaks. Fix\nit by compiling in the remove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\n\tWARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38611\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38611\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38611\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38611\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38611\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/43fff07e4b1956d0e5cf23717507e438278ea3d9\",\n \"https://git.kernel.org/stable/c/545b215736c5c4b354e182d99c578a472ac9bfce\",\n \"https://git.kernel.org/stable/c/904db2ba44ae60641b6378c5013254d09acf5e80\",\n \"https://git.kernel.org/stable/c/c1a3803e5bb91c13e9ad582003e4288f67f06cd9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: i2c: et8ek8: Don't strip remove function when driver is builtin\\n\\nUsing __exit for the remove function results in the remove callback\\nbeing discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets\\nunbound (e.g. using sysfs or hotplug), the driver is just removed\\nwithout the cleanup being performed. This results in resource leaks. Fix\\nit by compiling in the remove callback unconditionally.\\n\\nThis also fixes a W=1 modpost warning:\\n\\n\\tWARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38611\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38612", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38612" + }, + { + "url": "https://git.kernel.org/stable/c/00e6335329f23ac6cf3105931691674e28bc598c" + }, + { + "url": "https://git.kernel.org/stable/c/10610575a3ac2a702bf5c57aa931beaf847949c7" + }, + { + "url": "https://git.kernel.org/stable/c/160e9d2752181fcf18c662e74022d77d3164cd45" + }, + { + "url": "https://git.kernel.org/stable/c/1a63730fb315bb1bab97edd69ff58ad45e04bb01" + }, + { + "url": "https://git.kernel.org/stable/c/3398a40dccb88d3a7eef378247a023a78472db66" + }, + { + "url": "https://git.kernel.org/stable/c/646cd236c55e2cb5f146fc41bbe4034c4af5b2a4" + }, + { + "url": "https://git.kernel.org/stable/c/85a70ff1e572160f1eeb096ed48d09a1c9d4d89a" + }, + { + "url": "https://git.kernel.org/stable/c/c04d6a914e890ccea4a9d11233009a2ee7978bf4" + }, + { + "url": "https://git.kernel.org/stable/c/e77a3ec7ada84543e75722a1283785a6544de925" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38612 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38612", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix invalid unregister error path\n\nThe error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL\nis not defined. In that case if seg6_hmac_init() fails, the\ngenl_unregister_family() isn't called.\n\nThis issue exist since commit 46738b1317e1 (\"ipv6: sr: add option to control\nlwtunnel support\"), and commit 5559cea2d5aa (\"ipv6: sr: fix possible\nuse-after-free and null-ptr-deref\") replaced unregister_pernet_subsys()\nwith genl_unregister_family() in this error path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38612\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38612\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38612\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38612\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38612\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00e6335329f23ac6cf3105931691674e28bc598c\",\n \"https://git.kernel.org/stable/c/10610575a3ac2a702bf5c57aa931beaf847949c7\",\n \"https://git.kernel.org/stable/c/160e9d2752181fcf18c662e74022d77d3164cd45\",\n \"https://git.kernel.org/stable/c/1a63730fb315bb1bab97edd69ff58ad45e04bb01\",\n \"https://git.kernel.org/stable/c/3398a40dccb88d3a7eef378247a023a78472db66\",\n \"https://git.kernel.org/stable/c/646cd236c55e2cb5f146fc41bbe4034c4af5b2a4\",\n \"https://git.kernel.org/stable/c/85a70ff1e572160f1eeb096ed48d09a1c9d4d89a\",\n \"https://git.kernel.org/stable/c/c04d6a914e890ccea4a9d11233009a2ee7978bf4\",\n \"https://git.kernel.org/stable/c/e77a3ec7ada84543e75722a1283785a6544de925\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: sr: fix invalid unregister error path\\n\\nThe error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL\\nis not defined. In that case if seg6_hmac_init() fails, the\\ngenl_unregister_family() isn't called.\\n\\nThis issue exist since commit 46738b1317e1 (\\\"ipv6: sr: add option to control\\nlwtunnel support\\\"), and commit 5559cea2d5aa (\\\"ipv6: sr: fix possible\\nuse-after-free and null-ptr-deref\\\") replaced unregister_pernet_subsys()\\nwith genl_unregister_family() in this error path.\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38612\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38613", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38613" + }, + { + "url": "https://git.kernel.org/stable/c/0d9ae1253535f6e85a016e09c25ecbe6f7f59ef0" + }, + { + "url": "https://git.kernel.org/stable/c/2a8d1d95302c7d52c6ac8fa5cb4a6948ae0d3a14" + }, + { + "url": "https://git.kernel.org/stable/c/4eeffecc8e3cce25bb559502c2fd94a948bcde82" + }, + { + "url": "https://git.kernel.org/stable/c/5213cc01d0464c011fdc09f318705603ed3a746b" + }, + { + "url": "https://git.kernel.org/stable/c/77b2b67a0f8bce260c53907e5749d61466d90c87" + }, + { + "url": "https://git.kernel.org/stable/c/95f00caf767b5968c2c51083957b38be4748a78a" + }, + { + "url": "https://git.kernel.org/stable/c/da89ce46f02470ef08f0f580755d14d547da59ed" + }, + { + "url": "https://git.kernel.org/stable/c/f1d4274a84c069be0f6098ab10c3443fc1f7134c" + }, + { + "url": "https://git.kernel.org/stable/c/f3baf0f4f92af32943ebf27b960e0552c6c082fd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38613 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38613", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nm68k: Fix spinlock race in kernel thread creation\n\nContext switching does take care to retain the correct lock owner across\nthe switch from 'prev' to 'next' tasks. This does rely on interrupts\nremaining disabled for the entire duration of the switch.\n\nThis condition is guaranteed for normal process creation and context\nswitching between already running processes, because both 'prev' and\n'next' already have interrupts disabled in their saved copies of the\nstatus register.\n\nThe situation is different for newly created kernel threads. The status\nregister is set to PS_S in copy_thread(), which does leave the IPL at 0.\nUpon restoring the 'next' thread's status register in switch_to() aka\nresume(), interrupts then become enabled prematurely. resume() then\nreturns via ret_from_kernel_thread() and schedule_tail() where run queue\nlock is released (see finish_task_switch() and finish_lock_switch()).\n\nA timer interrupt calling scheduler_tick() before the lock is released\nin finish_task_switch() will find the lock already taken, with the\ncurrent task as lock owner. This causes a spinlock recursion warning as\nreported by Guenter Roeck.\n\nAs far as I can ascertain, this race has been opened in commit\n533e6903bea0 (\"m68k: split ret_from_fork(), simplify kernel_thread()\")\nbut I haven't done a detailed study of kernel history so it may well\npredate that commit.\n\nInterrupts cannot be disabled in the saved status register copy for\nkernel threads (init will complain about interrupts disabled when\nfinally starting user space). Disable interrupts temporarily when\nswitching the tasks' register sets in resume().\n\nNote that a simple oriw 0x700,%sr after restoring sr is not enough here\n- this leaves enough of a race for the 'spinlock recursion' warning to\nstill be observed.\n\nTested on ARAnyM and qemu (Quadra 800 emulation).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38613\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38613\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38613\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38613\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38613\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d9ae1253535f6e85a016e09c25ecbe6f7f59ef0\",\n \"https://git.kernel.org/stable/c/2a8d1d95302c7d52c6ac8fa5cb4a6948ae0d3a14\",\n \"https://git.kernel.org/stable/c/4eeffecc8e3cce25bb559502c2fd94a948bcde82\",\n \"https://git.kernel.org/stable/c/5213cc01d0464c011fdc09f318705603ed3a746b\",\n \"https://git.kernel.org/stable/c/77b2b67a0f8bce260c53907e5749d61466d90c87\",\n \"https://git.kernel.org/stable/c/95f00caf767b5968c2c51083957b38be4748a78a\",\n \"https://git.kernel.org/stable/c/da89ce46f02470ef08f0f580755d14d547da59ed\",\n \"https://git.kernel.org/stable/c/f1d4274a84c069be0f6098ab10c3443fc1f7134c\",\n \"https://git.kernel.org/stable/c/f3baf0f4f92af32943ebf27b960e0552c6c082fd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nm68k: Fix spinlock race in kernel thread creation\\n\\nContext switching does take care to retain the correct lock owner across\\nthe switch from 'prev' to 'next' tasks. This does rely on interrupts\\nremaining disabled for the entire duration of the switch.\\n\\nThis condition is guaranteed for normal process creation and context\\nswitching between already running processes, because both 'prev' and\\n'next' already have interrupts disabled in their saved copies of the\\nstatus register.\\n\\nThe situation is different for newly created kernel threads. The status\\nregister is set to PS_S in copy_thread(), which does leave the IPL at 0.\\nUpon restoring the 'next' thread's status register in switch_to() aka\\nresume(), interrupts then become enabled prematurely. resume() then\\nreturns via ret_from_kernel_thread() and schedule_tail() where run queue\\nlock is released (see finish_task_switch() and finish_lock_switch()).\\n\\nA timer interrupt calling scheduler_tick() before the lock is released\\nin finish_task_switch() will find the lock already taken, with the\\ncurrent task as lock owner. This causes a spinlock recursion warning as\\nreported by Guenter Roeck.\\n\\nAs far as I can ascertain, this race has been opened in commit\\n533e6903bea0 (\\\"m68k: split ret_from_fork(), simplify kernel_thread()\\\")\\nbut I haven't done a detailed study of kernel history so it may well\\npredate that commit.\\n\\nInterrupts cannot be disabled in the saved status register copy for\\nkernel threads (init will complain about interrupts disabled when\\nfinally starting user space). Disable interrupts temporarily when\\nswitching the tasks' register sets in resume().\\n\\nNote that a simple oriw 0x700,%sr after restoring sr is not enough here\\n- this leaves enough of a race for the 'spinlock recursion' warning to\\nstill be observed.\\n\\nTested on ARAnyM and qemu (Quadra 800 emulation).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38613\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38615", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38615" + }, + { + "url": "https://git.kernel.org/stable/c/2d730b465e377396d2a09a53524b96b111f7ccb6" + }, + { + "url": "https://git.kernel.org/stable/c/35db5e76d5e9f752476df5fa0b9018a2398b0378" + }, + { + "url": "https://git.kernel.org/stable/c/3e99f060cfd2e36504d62c9132b453ade5027e1c" + }, + { + "url": "https://git.kernel.org/stable/c/8bc9546805e572ad101681437a49939f28777273" + }, + { + "url": "https://git.kernel.org/stable/c/a8204d1b6ff762d2171d365c2c8560285d0a233d" + }, + { + "url": "https://git.kernel.org/stable/c/ae37ebca325097d773d7bb6ec069123b30772872" + }, + { + "url": "https://git.kernel.org/stable/c/b8f85833c05730d631576008daaa34096bc7f3ce" + }, + { + "url": "https://git.kernel.org/stable/c/dfc56ff5ec9904c008e9376d90a6d7e2d2bec4d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38615 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38615", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: exit() callback is optional\n\nThe exit() callback is optional and shouldn't be called without checking\na valid pointer first.\n\nAlso, we must clear freq_table pointer even if the exit() callback isn't\npresent.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38615\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38615\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38615\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38615\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38615\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d730b465e377396d2a09a53524b96b111f7ccb6\",\n \"https://git.kernel.org/stable/c/35db5e76d5e9f752476df5fa0b9018a2398b0378\",\n \"https://git.kernel.org/stable/c/3e99f060cfd2e36504d62c9132b453ade5027e1c\",\n \"https://git.kernel.org/stable/c/8bc9546805e572ad101681437a49939f28777273\",\n \"https://git.kernel.org/stable/c/a8204d1b6ff762d2171d365c2c8560285d0a233d\",\n \"https://git.kernel.org/stable/c/ae37ebca325097d773d7bb6ec069123b30772872\",\n \"https://git.kernel.org/stable/c/b8f85833c05730d631576008daaa34096bc7f3ce\",\n \"https://git.kernel.org/stable/c/dfc56ff5ec9904c008e9376d90a6d7e2d2bec4d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncpufreq: exit() callback is optional\\n\\nThe exit() callback is optional and shouldn't be called without checking\\na valid pointer first.\\n\\nAlso, we must clear freq_table pointer even if the exit() callback isn't\\npresent.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38615\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38618", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38618" + }, + { + "url": "https://git.kernel.org/stable/c/2c95241ac5fc90c929d6c0c023e84bf0d30e84c3" + }, + { + "url": "https://git.kernel.org/stable/c/4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e" + }, + { + "url": "https://git.kernel.org/stable/c/68396c825c43664b20a3a1ba546844deb2b4e48f" + }, + { + "url": "https://git.kernel.org/stable/c/74bfb8d90f2601718ae203faf45a196844c01fa1" + }, + { + "url": "https://git.kernel.org/stable/c/83f0ba8592b9e258fd80ac6486510ab1dcd7ad6e" + }, + { + "url": "https://git.kernel.org/stable/c/abb1ad69d98cf1ff25bb14fff0e7c3f66239e1cd" + }, + { + "url": "https://git.kernel.org/stable/c/bdd0aa055b8ec7e24bbc19513f3231958741d0ab" + }, + { + "url": "https://git.kernel.org/stable/c/ceab795a67dd28dd942d0d8bba648c6c0f7a044b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38618 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38618", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Set lower bound of start tick time\n\nCurrently ALSA timer doesn't have the lower limit of the start tick\ntime, and it allows a very small size, e.g. 1 tick with 1ns resolution\nfor hrtimer. Such a situation may lead to an unexpected RCU stall,\nwhere the callback repeatedly queuing the expire update, as reported\nby fuzzer.\n\nThis patch introduces a sanity check of the timer start tick time, so\nthat the system returns an error when a too small start size is set.\nAs of this patch, the lower limit is hard-coded to 100us, which is\nsmall enough but can still work somehow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38618\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38618\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38618\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38618\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38618\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c95241ac5fc90c929d6c0c023e84bf0d30e84c3\",\n \"https://git.kernel.org/stable/c/4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e\",\n \"https://git.kernel.org/stable/c/68396c825c43664b20a3a1ba546844deb2b4e48f\",\n \"https://git.kernel.org/stable/c/74bfb8d90f2601718ae203faf45a196844c01fa1\",\n \"https://git.kernel.org/stable/c/83f0ba8592b9e258fd80ac6486510ab1dcd7ad6e\",\n \"https://git.kernel.org/stable/c/abb1ad69d98cf1ff25bb14fff0e7c3f66239e1cd\",\n \"https://git.kernel.org/stable/c/bdd0aa055b8ec7e24bbc19513f3231958741d0ab\",\n \"https://git.kernel.org/stable/c/ceab795a67dd28dd942d0d8bba648c6c0f7a044b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: timer: Set lower bound of start tick time\\n\\nCurrently ALSA timer doesn't have the lower limit of the start tick\\ntime, and it allows a very small size, e.g. 1 tick with 1ns resolution\\nfor hrtimer. Such a situation may lead to an unexpected RCU stall,\\nwhere the callback repeatedly queuing the expire update, as reported\\nby fuzzer.\\n\\nThis patch introduces a sanity check of the timer start tick time, so\\nthat the system returns an error when a too small start size is set.\\nAs of this patch, the lower limit is hard-coded to 100us, which is\\nsmall enough but can still work somehow.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38618\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38619", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38619" + }, + { + "url": "https://git.kernel.org/stable/c/16637fea001ab3c8df528a8995b3211906165a30" + }, + { + "url": "https://git.kernel.org/stable/c/24bff7f714bdff97c2a75a0ff6a368cdf8ad5af4" + }, + { + "url": "https://git.kernel.org/stable/c/2cc32639ec347e3365075b130f9953ef16cb13f1" + }, + { + "url": "https://git.kernel.org/stable/c/3eee13ab67f65606faa66e0c3c729e4f514838fd" + }, + { + "url": "https://git.kernel.org/stable/c/51fe16c058acb22f847e69bc598066ed0bcd5c15" + }, + { + "url": "https://git.kernel.org/stable/c/e0aab7b07a9375337847c9d74a5ec044071e01c8" + }, + { + "url": "https://git.kernel.org/stable/c/e0e2eec76920a133dd49a4fbe4656d83596a1361" + }, + { + "url": "https://git.kernel.org/stable/c/f68820f1256b21466ff094dd97f243b7e708f9c1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38619 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38619", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb-storage: alauda: Check whether the media is initialized\n\nThe member \"uzonesize\" of struct alauda_info will remain 0\nif alauda_init_media() fails, potentially causing divide errors\nin alauda_read_data() and alauda_write_lba().\n- Add a member \"media_initialized\" to struct alauda_info.\n- Change a condition in alauda_check_media() to ensure the\n first initialization.\n- Add an error check for the return value of alauda_init_media().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38619\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38619\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38619\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38619\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38619\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16637fea001ab3c8df528a8995b3211906165a30\",\n \"https://git.kernel.org/stable/c/24bff7f714bdff97c2a75a0ff6a368cdf8ad5af4\",\n \"https://git.kernel.org/stable/c/2cc32639ec347e3365075b130f9953ef16cb13f1\",\n \"https://git.kernel.org/stable/c/3eee13ab67f65606faa66e0c3c729e4f514838fd\",\n \"https://git.kernel.org/stable/c/51fe16c058acb22f847e69bc598066ed0bcd5c15\",\n \"https://git.kernel.org/stable/c/e0aab7b07a9375337847c9d74a5ec044071e01c8\",\n \"https://git.kernel.org/stable/c/e0e2eec76920a133dd49a4fbe4656d83596a1361\",\n \"https://git.kernel.org/stable/c/f68820f1256b21466ff094dd97f243b7e708f9c1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb-storage: alauda: Check whether the media is initialized\\n\\nThe member \\\"uzonesize\\\" of struct alauda_info will remain 0\\nif alauda_init_media() fails, potentially causing divide errors\\nin alauda_read_data() and alauda_write_lba().\\n- Add a member \\\"media_initialized\\\" to struct alauda_info.\\n- Change a condition in alauda_check_media() to ensure the\\n first initialization.\\n- Add an error check for the return value of alauda_init_media().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38619\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38621", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38621" + }, + { + "url": "https://git.kernel.org/stable/c/7532bcec0797adfa08791301c3bcae14141db3bd" + }, + { + "url": "https://git.kernel.org/stable/c/a08492832cc4cacc24e0612f483c86ca899b9261" + }, + { + "url": "https://git.kernel.org/stable/c/a16775828aaed1c54ff4e6fe83e8e4d5c6a50cb7" + }, + { + "url": "https://git.kernel.org/stable/c/b504518a397059e1d55c521ba0ea2b545a6c4b52" + }, + { + "url": "https://git.kernel.org/stable/c/d410017a7181cb55e4a5c810b32b75e4416c6808" + }, + { + "url": "https://git.kernel.org/stable/c/ecf4ddc3aee8ade504c4d36b7b4053ce6093e200" + }, + { + "url": "https://git.kernel.org/stable/c/f6a392266276730bea893b55d12940e32a25f56a" + }, + { + "url": "https://git.kernel.org/stable/c/faa4364bef2ec0060de381ff028d1d836600a381" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38621 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38621", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: stk1160: fix bounds checking in stk1160_copy_video()\n\nThe subtract in this condition is reversed. The ->length is the length\nof the buffer. The ->bytesused is how many bytes we have copied thus\nfar. When the condition is reversed that means the result of the\nsubtraction is always negative but since it's unsigned then the result\nis a very high positive value. That means the overflow check is never\ntrue.\n\nAdditionally, the ->bytesused doesn't actually work for this purpose\nbecause we're not writing to \"buf->mem + buf->bytesused\". Instead, the\nmath to calculate the destination where we are writing is a bit\ninvolved. You calculate the number of full lines already written,\nmultiply by two, skip a line if necessary so that we start on an odd\nnumbered line, and add the offset into the line.\n\nTo fix this buffer overflow, just take the actual destination where we\nare writing, if the offset is already out of bounds print an error and\nreturn. Otherwise, write up to buf->length bytes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38621\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38621\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38621\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38621\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38621\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7532bcec0797adfa08791301c3bcae14141db3bd\",\n \"https://git.kernel.org/stable/c/a08492832cc4cacc24e0612f483c86ca899b9261\",\n \"https://git.kernel.org/stable/c/a16775828aaed1c54ff4e6fe83e8e4d5c6a50cb7\",\n \"https://git.kernel.org/stable/c/b504518a397059e1d55c521ba0ea2b545a6c4b52\",\n \"https://git.kernel.org/stable/c/d410017a7181cb55e4a5c810b32b75e4416c6808\",\n \"https://git.kernel.org/stable/c/ecf4ddc3aee8ade504c4d36b7b4053ce6093e200\",\n \"https://git.kernel.org/stable/c/f6a392266276730bea893b55d12940e32a25f56a\",\n \"https://git.kernel.org/stable/c/faa4364bef2ec0060de381ff028d1d836600a381\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: stk1160: fix bounds checking in stk1160_copy_video()\\n\\nThe subtract in this condition is reversed. The ->length is the length\\nof the buffer. The ->bytesused is how many bytes we have copied thus\\nfar. When the condition is reversed that means the result of the\\nsubtraction is always negative but since it's unsigned then the result\\nis a very high positive value. That means the overflow check is never\\ntrue.\\n\\nAdditionally, the ->bytesused doesn't actually work for this purpose\\nbecause we're not writing to \\\"buf->mem + buf->bytesused\\\". Instead, the\\nmath to calculate the destination where we are writing is a bit\\ninvolved. You calculate the number of full lines already written,\\nmultiply by two, skip a line if necessary so that we start on an odd\\nnumbered line, and add the offset into the line.\\n\\nTo fix this buffer overflow, just take the actual destination where we\\nare writing, if the offset is already out of bounds print an error and\\nreturn. Otherwise, write up to buf->length bytes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38621\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38623", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38623" + }, + { + "url": "https://git.kernel.org/stable/c/1997cdc3e727526aa5d84b32f7cbb3f56459b7ef" + }, + { + "url": "https://git.kernel.org/stable/c/1fe1c9dc21ee52920629d2d9b9bd84358931a8d1" + }, + { + "url": "https://git.kernel.org/stable/c/3839a9b19a4b70eff6b6ad70446f639f7fd5a3d7" + }, + { + "url": "https://git.kernel.org/stable/c/a2de301d90b782ac5d7a5fe32995caaee9ab3a0f" + }, + { + "url": "https://git.kernel.org/stable/c/cceef44b34819c24bb6ed70dce5b524bd3e368d1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38623 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38623", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use variable length array instead of fixed size\n\nShould fix smatch warning:\n\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38623\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38623\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38623\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38623\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38623\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1997cdc3e727526aa5d84b32f7cbb3f56459b7ef\",\n \"https://git.kernel.org/stable/c/1fe1c9dc21ee52920629d2d9b9bd84358931a8d1\",\n \"https://git.kernel.org/stable/c/3839a9b19a4b70eff6b6ad70446f639f7fd5a3d7\",\n \"https://git.kernel.org/stable/c/a2de301d90b782ac5d7a5fe32995caaee9ab3a0f\",\n \"https://git.kernel.org/stable/c/cceef44b34819c24bb6ed70dce5b524bd3e368d1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Use variable length array instead of fixed size\\n\\nShould fix smatch warning:\\n\\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)\",\n \"cvss\": [\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38623\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38624", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38624" + }, + { + "url": "https://git.kernel.org/stable/c/109d85a98345ee52d47c650405dc51bdd2bc7d40" + }, + { + "url": "https://git.kernel.org/stable/c/2d1ad595d15f36a925480199bf1d9ad72614210b" + }, + { + "url": "https://git.kernel.org/stable/c/847db4049f6189427ddaefcfc967d4d235b73c57" + }, + { + "url": "https://git.kernel.org/stable/c/98db3155b54d3684ef0ab5bfa0b856d13f65843d" + }, + { + "url": "https://git.kernel.org/stable/c/e931f6b630ffb22d66caab202a52aa8cbb10c649" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38624 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38624", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\n\nFor example, in the expression:\n\tvbo = 2 * vbo + skip", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38624\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38624\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38624\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38624\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38624\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/109d85a98345ee52d47c650405dc51bdd2bc7d40\",\n \"https://git.kernel.org/stable/c/2d1ad595d15f36a925480199bf1d9ad72614210b\",\n \"https://git.kernel.org/stable/c/847db4049f6189427ddaefcfc967d4d235b73c57\",\n \"https://git.kernel.org/stable/c/98db3155b54d3684ef0ab5bfa0b856d13f65843d\",\n \"https://git.kernel.org/stable/c/e931f6b630ffb22d66caab202a52aa8cbb10c649\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\\n\\nFor example, in the expression:\\n\\tvbo = 2 * vbo + skip\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38624\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38625", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38625" + }, + { + "url": "https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803" + }, + { + "url": "https://git.kernel.org/stable/c/6c8054d590668629bb2eb6fb4cbf22455d08ada8" + }, + { + "url": "https://git.kernel.org/stable/c/ff1068929459347f9e47f8d14c409dcf938c2641" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38625 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38625", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Check 'folio' pointer for NULL\n\nIt can be NULL if bmap is called.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38625\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38625\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38625\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38625\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38625\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803\",\n \"https://git.kernel.org/stable/c/6c8054d590668629bb2eb6fb4cbf22455d08ada8\",\n \"https://git.kernel.org/stable/c/ff1068929459347f9e47f8d14c409dcf938c2641\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Check 'folio' pointer for NULL\\n\\nIt can be NULL if bmap is called.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38625\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38627", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38627" + }, + { + "url": "https://git.kernel.org/stable/c/370c480410f60b90ba3e96abe73ead21ec827b20" + }, + { + "url": "https://git.kernel.org/stable/c/3df463865ba42b8f88a590326f4c9ea17a1ce459" + }, + { + "url": "https://git.kernel.org/stable/c/4bfd48bb6e62512b9c392c5002c11e1e3b18d247" + }, + { + "url": "https://git.kernel.org/stable/c/6cc30ef8eb6d8f8d6df43152264bbf8835d99931" + }, + { + "url": "https://git.kernel.org/stable/c/713fc00c571dde4af3db2dbd5d1b0eadc327817b" + }, + { + "url": "https://git.kernel.org/stable/c/7419df1acffbcc90037f6b5a2823e81389659b36" + }, + { + "url": "https://git.kernel.org/stable/c/a0450d3f38e7c6c0a7c0afd4182976ee15573695" + }, + { + "url": "https://git.kernel.org/stable/c/d782a2db8f7ac49c33b9ca3e835500a28667d1be" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38627 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38627", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nstm class: Fix a double free in stm_register_device()\n\nThe put_device(&stm->dev) call will trigger stm_device_release() which\nfrees \"stm\" so the vfree(stm) on the next line is a double free.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38627\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38627\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38627\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38627\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38627\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/370c480410f60b90ba3e96abe73ead21ec827b20\",\n \"https://git.kernel.org/stable/c/3df463865ba42b8f88a590326f4c9ea17a1ce459\",\n \"https://git.kernel.org/stable/c/4bfd48bb6e62512b9c392c5002c11e1e3b18d247\",\n \"https://git.kernel.org/stable/c/6cc30ef8eb6d8f8d6df43152264bbf8835d99931\",\n \"https://git.kernel.org/stable/c/713fc00c571dde4af3db2dbd5d1b0eadc327817b\",\n \"https://git.kernel.org/stable/c/7419df1acffbcc90037f6b5a2823e81389659b36\",\n \"https://git.kernel.org/stable/c/a0450d3f38e7c6c0a7c0afd4182976ee15573695\",\n \"https://git.kernel.org/stable/c/d782a2db8f7ac49c33b9ca3e835500a28667d1be\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nstm class: Fix a double free in stm_register_device()\\n\\nThe put_device(&stm->dev) call will trigger stm_device_release() which\\nfrees \\\"stm\\\" so the vfree(stm) on the next line is a double free.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38627\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38628", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38628" + }, + { + "url": "https://git.kernel.org/stable/c/1b739388aa3f8dfb63a9fca777e6dfa6912d0464" + }, + { + "url": "https://git.kernel.org/stable/c/453d3fa9266e53f85377b911c19b9a4563fa88c0" + }, + { + "url": "https://git.kernel.org/stable/c/89e66809684485590ea0b32c3178e42cba36ac09" + }, + { + "url": "https://git.kernel.org/stable/c/bea73b58ab67fe581037ad9cdb93c2557590c068" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38628 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38628", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.\n\nHang on to the control IDs instead of pointers since those are correctly\nhandled with locks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38628\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38628\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38628\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38628\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38628\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b739388aa3f8dfb63a9fca777e6dfa6912d0464\",\n \"https://git.kernel.org/stable/c/453d3fa9266e53f85377b911c19b9a4563fa88c0\",\n \"https://git.kernel.org/stable/c/89e66809684485590ea0b32c3178e42cba36ac09\",\n \"https://git.kernel.org/stable/c/bea73b58ab67fe581037ad9cdb93c2557590c068\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.\\n\\nHang on to the control IDs instead of pointers since those are correctly\\nhandled with locks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38628\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38630", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38630" + }, + { + "url": "https://git.kernel.org/stable/c/573601521277119f2e2ba5f28ae6e87fc594f4d4" + }, + { + "url": "https://git.kernel.org/stable/c/9b1c063ffc075abf56f63e55d70b9778ff534314" + }, + { + "url": "https://git.kernel.org/stable/c/f19686d616500cd0d47b30cee82392b53f7f784a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38630 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38630", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\n\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\n\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38630\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38630\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38630\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38630\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38630\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/573601521277119f2e2ba5f28ae6e87fc594f4d4\",\n \"https://git.kernel.org/stable/c/9b1c063ffc075abf56f63e55d70b9778ff534314\",\n \"https://git.kernel.org/stable/c/f19686d616500cd0d47b30cee82392b53f7f784a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\\n\\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\\nde-activate the timer. If the timer handler is running, del_timer() could\\nnot stop it and will return directly. If the port region is released by\\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\\nto write into the region that is released, the use-after-free bug will\\nhappen.\\n\\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\\ncould be finished before the port region is released.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38630\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38632", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38632" + }, + { + "url": "https://git.kernel.org/stable/c/0bd22a4966d55f1d2c127a53300d5c2b50152376" + }, + { + "url": "https://git.kernel.org/stable/c/35fef97c33f3d3ca0455f9a8e2a3f2c1f8cc9140" + }, + { + "url": "https://git.kernel.org/stable/c/82b951e6fbd31d85ae7f4feb5f00ddd4c5d256e2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38632 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38632", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix potential memory leak in vfio_intx_enable()\n\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38632\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38632\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38632\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38632\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38632\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0bd22a4966d55f1d2c127a53300d5c2b50152376\",\n \"https://git.kernel.org/stable/c/35fef97c33f3d3ca0455f9a8e2a3f2c1f8cc9140\",\n \"https://git.kernel.org/stable/c/82b951e6fbd31d85ae7f4feb5f00ddd4c5d256e2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/pci: fix potential memory leak in vfio_intx_enable()\\n\\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38632\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38633", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38633" + }, + { + "url": "https://git.kernel.org/stable/c/21a61a7fbcfdd3493cede43ebc7c4dfae2147a8b" + }, + { + "url": "https://git.kernel.org/stable/c/361a92c9038e8c8c3996f8eeaa14522a8ad90752" + }, + { + "url": "https://git.kernel.org/stable/c/712a1fcb38dc7cac6da63ee79a88708fbf9c45ec" + }, + { + "url": "https://git.kernel.org/stable/c/9db4222ed8cd3e50b81c8b910ae74c26427a4003" + }, + { + "url": "https://git.kernel.org/stable/c/b6eb7aff23e05f362e8c9b560f6ac5e727b70e00" + }, + { + "url": "https://git.kernel.org/stable/c/e8a10089eddba40d4b2080c9d3fc2d2b2488f762" + }, + { + "url": "https://git.kernel.org/stable/c/e8e2a4339decad7e59425b594a98613402652d72" + }, + { + "url": "https://git.kernel.org/stable/c/fa84ca78b048dfb00df0ef446f5c35e0a98ca6a0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38633 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38633", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Update uart_driver_registered on driver removal\n\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod — rmmod — insmod cycle the kernel\noopses:\n\n max3100 spi-PRP0001:01: max3100_probe: adding port 0\n BUG: kernel NULL pointer dereference, address: 0000000000000408\n ...\n RIP: 0010:serial_core_register_port+0xa0/0x840\n ...\n max3100_probe+0x1b6/0x280 [max3100]\n spi_probe+0x8d/0xb0\n\nUpdate the actual state so next time UART driver will be registered\nagain.\n\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38633\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38633\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38633\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38633\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38633\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21a61a7fbcfdd3493cede43ebc7c4dfae2147a8b\",\n \"https://git.kernel.org/stable/c/361a92c9038e8c8c3996f8eeaa14522a8ad90752\",\n \"https://git.kernel.org/stable/c/712a1fcb38dc7cac6da63ee79a88708fbf9c45ec\",\n \"https://git.kernel.org/stable/c/9db4222ed8cd3e50b81c8b910ae74c26427a4003\",\n \"https://git.kernel.org/stable/c/b6eb7aff23e05f362e8c9b560f6ac5e727b70e00\",\n \"https://git.kernel.org/stable/c/e8a10089eddba40d4b2080c9d3fc2d2b2488f762\",\n \"https://git.kernel.org/stable/c/e8e2a4339decad7e59425b594a98613402652d72\",\n \"https://git.kernel.org/stable/c/fa84ca78b048dfb00df0ef446f5c35e0a98ca6a0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: max3100: Update uart_driver_registered on driver removal\\n\\nThe removal of the last MAX3100 device triggers the removal of\\nthe driver. However, code doesn't update the respective global\\nvariable and after insmod — rmmod — insmod cycle the kernel\\noopses:\\n\\n max3100 spi-PRP0001:01: max3100_probe: adding port 0\\n BUG: kernel NULL pointer dereference, address: 0000000000000408\\n ...\\n RIP: 0010:serial_core_register_port+0xa0/0x840\\n ...\\n max3100_probe+0x1b6/0x280 [max3100]\\n spi_probe+0x8d/0xb0\\n\\nUpdate the actual state so next time UART driver will be registered\\nagain.\\n\\nHugo also noticed, that the error path in the probe also affected\\nby having the variable set, and not cleared. Instead of clearing it\\nmove the assignment after the successfull uart_register_driver() call.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38633\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38634", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38634" + }, + { + "url": "https://git.kernel.org/stable/c/44b38924135d2093e2ec1812969464845dd66dc9" + }, + { + "url": "https://git.kernel.org/stable/c/77ab53371a2066fdf9b895246505f5ef5a4b5d47" + }, + { + "url": "https://git.kernel.org/stable/c/78dbda51bb4241b88a52d71620f06231a341f9ba" + }, + { + "url": "https://git.kernel.org/stable/c/8296bb9e5925b6634259c5d4daee88f0cc0884ec" + }, + { + "url": "https://git.kernel.org/stable/c/865b30c8661924ee9145f442bf32cea549faa869" + }, + { + "url": "https://git.kernel.org/stable/c/93df2fba6c7dfa9a2f08546ea9a5ca4728758458" + }, + { + "url": "https://git.kernel.org/stable/c/cc121e3722a0a2c8f716ef991e5425b180a5fb94" + }, + { + "url": "https://git.kernel.org/stable/c/ea9b35372b58ac2931bfc1d5bc25e839d1221e30" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38634 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38634", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\n\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\n\n WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n ...\n Workqueue: max3100-0 max3100_work [max3100]\n RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n ...\n max3100_handlerx+0xc5/0x110 [max3100]\n max3100_work+0x12a/0x340 [max3100]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38634\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38634\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38634\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38634\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38634\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/44b38924135d2093e2ec1812969464845dd66dc9\",\n \"https://git.kernel.org/stable/c/77ab53371a2066fdf9b895246505f5ef5a4b5d47\",\n \"https://git.kernel.org/stable/c/78dbda51bb4241b88a52d71620f06231a341f9ba\",\n \"https://git.kernel.org/stable/c/8296bb9e5925b6634259c5d4daee88f0cc0884ec\",\n \"https://git.kernel.org/stable/c/865b30c8661924ee9145f442bf32cea549faa869\",\n \"https://git.kernel.org/stable/c/93df2fba6c7dfa9a2f08546ea9a5ca4728758458\",\n \"https://git.kernel.org/stable/c/cc121e3722a0a2c8f716ef991e5425b180a5fb94\",\n \"https://git.kernel.org/stable/c/ea9b35372b58ac2931bfc1d5bc25e839d1221e30\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\\n\\nuart_handle_cts_change() has to be called with port lock taken,\\nSince we run it in a separate work, the lock may not be taken at\\nthe time of running. Make sure that it's taken by explicitly doing\\nthat. Without it we got a splat:\\n\\n WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\\n ...\\n Workqueue: max3100-0 max3100_work [max3100]\\n RIP: 0010:uart_handle_cts_change+0xa6/0xb0\\n ...\\n max3100_handlerx+0xc5/0x110 [max3100]\\n max3100_work+0x12a/0x340 [max3100]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38634\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38635", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38635" + }, + { + "url": "https://git.kernel.org/stable/c/002364b2d594a9afc0385c09e00994c510b1d089" + }, + { + "url": "https://git.kernel.org/stable/c/2ebcaa0e5db9b6044bb487ae1cf41bc601761567" + }, + { + "url": "https://git.kernel.org/stable/c/4e99103f757cdf636c6ee860994a19a346a11785" + }, + { + "url": "https://git.kernel.org/stable/c/7eeef1e935d23db5265233d92395bd5c648a4021" + }, + { + "url": "https://git.kernel.org/stable/c/8ee1b439b1540ae543149b15a2a61b9dff937d91" + }, + { + "url": "https://git.kernel.org/stable/c/902f6d656441a511ac25c6cffce74496db10a078" + }, + { + "url": "https://git.kernel.org/stable/c/fd4bcb991ebaf0d1813d81d9983cfa99f9ef5328" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38635 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38635", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: cadence: fix invalid PDI offset\n\nFor some reason, we add an offset to the PDI, presumably to skip the\nPDI0 and PDI1 which are reserved for BPT.\n\nThis code is however completely wrong and leads to an out-of-bounds\naccess. We were just lucky so far since we used only a couple of PDIs\nand remained within the PDI array bounds.\n\nA Fixes: tag is not provided since there are no known platforms where\nthe out-of-bounds would be accessed, and the initial code had problems\nas well.\n\nA follow-up patch completely removes this useless offset.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38635\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38635\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38635\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38635\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38635\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/002364b2d594a9afc0385c09e00994c510b1d089\",\n \"https://git.kernel.org/stable/c/2ebcaa0e5db9b6044bb487ae1cf41bc601761567\",\n \"https://git.kernel.org/stable/c/4e99103f757cdf636c6ee860994a19a346a11785\",\n \"https://git.kernel.org/stable/c/7eeef1e935d23db5265233d92395bd5c648a4021\",\n \"https://git.kernel.org/stable/c/8ee1b439b1540ae543149b15a2a61b9dff937d91\",\n \"https://git.kernel.org/stable/c/902f6d656441a511ac25c6cffce74496db10a078\",\n \"https://git.kernel.org/stable/c/fd4bcb991ebaf0d1813d81d9983cfa99f9ef5328\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoundwire: cadence: fix invalid PDI offset\\n\\nFor some reason, we add an offset to the PDI, presumably to skip the\\nPDI0 and PDI1 which are reserved for BPT.\\n\\nThis code is however completely wrong and leads to an out-of-bounds\\naccess. We were just lucky so far since we used only a couple of PDIs\\nand remained within the PDI array bounds.\\n\\nA Fixes: tag is not provided since there are no known platforms where\\nthe out-of-bounds would be accessed, and the initial code had problems\\nas well.\\n\\nA follow-up patch completely removes this useless offset.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38635\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38637", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38637" + }, + { + "url": "https://git.kernel.org/stable/c/330f6bcdcef03f70f81db5f2ed6747af656a09f2" + }, + { + "url": "https://git.kernel.org/stable/c/518e2c46b5dbce40b1aa0100001d03c3ceaa7d38" + }, + { + "url": "https://git.kernel.org/stable/c/895cdd9aa9546523df839f9cc1488a0ecc1e0731" + }, + { + "url": "https://git.kernel.org/stable/c/8f4a76d477f0cc3c54d512f07f6f88c8e1c1e07b" + }, + { + "url": "https://git.kernel.org/stable/c/9b41a9b9c8be8c552f10633453fdb509e83b66f8" + }, + { + "url": "https://git.kernel.org/stable/c/a1ba19a1ae7cd1e324685ded4ab563e78fe68648" + }, + { + "url": "https://git.kernel.org/stable/c/e2c64246e5dc8c0d35ec41770b85e2b4cafdff21" + }, + { + "url": "https://git.kernel.org/stable/c/eac10cf3a97ffd4b4deb0a29f57c118225a42850" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38637 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38637", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: lights: check return of get_channel_from_mode\n\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\n\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38637\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38637\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38637\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38637\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38637\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/330f6bcdcef03f70f81db5f2ed6747af656a09f2\",\n \"https://git.kernel.org/stable/c/518e2c46b5dbce40b1aa0100001d03c3ceaa7d38\",\n \"https://git.kernel.org/stable/c/895cdd9aa9546523df839f9cc1488a0ecc1e0731\",\n \"https://git.kernel.org/stable/c/8f4a76d477f0cc3c54d512f07f6f88c8e1c1e07b\",\n \"https://git.kernel.org/stable/c/9b41a9b9c8be8c552f10633453fdb509e83b66f8\",\n \"https://git.kernel.org/stable/c/a1ba19a1ae7cd1e324685ded4ab563e78fe68648\",\n \"https://git.kernel.org/stable/c/e2c64246e5dc8c0d35ec41770b85e2b4cafdff21\",\n \"https://git.kernel.org/stable/c/eac10cf3a97ffd4b4deb0a29f57c118225a42850\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngreybus: lights: check return of get_channel_from_mode\\n\\nIf channel for the given node is not found we return null from\\nget_channel_from_mode. Make sure we validate the return pointer\\nbefore using it in two of the missing places.\\n\\nThis was originally reported in [0]:\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\\n\\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38637\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38659", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38659" + }, + { + "url": "https://git.kernel.org/stable/c/25571a12fbc8a1283bd8380d461267956fd426f7" + }, + { + "url": "https://git.kernel.org/stable/c/2b649d7e0cb42a660f0260ef25fd55fdc9c6c600" + }, + { + "url": "https://git.kernel.org/stable/c/3c0d36972edbe56fcf98899622d9b90ac9965227" + }, + { + "url": "https://git.kernel.org/stable/c/7077c22f84f41974a711604a42fd0e0684232ee5" + }, + { + "url": "https://git.kernel.org/stable/c/aee1955a1509a921c05c70dad5d6fc8563dfcb31" + }, + { + "url": "https://git.kernel.org/stable/c/ca63fb7af9d3e531aa25f7ae187bfc6c7166ec2d" + }, + { + "url": "https://git.kernel.org/stable/c/e8021b94b0412c37bcc79027c2e382086b6ce449" + }, + { + "url": "https://git.kernel.org/stable/c/f6638e955ca00c489894789492776842e102af9c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38659 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38659", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nenic: Validate length of nl attributes in enic_set_vf_port\n\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\nis of length PORT_PROFILE_MAX and that the nl attributes\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\nusing the policy is for the max size of the attributes and not on exact\nsize so the length of these attributes might be less than the sizes that\nenic_set_vf_port expects. This might cause an out of bands\nread access in the memcpys of the data of these\nattributes in enic_set_vf_port.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38659\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38659\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38659\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38659\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38659\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/25571a12fbc8a1283bd8380d461267956fd426f7\",\n \"https://git.kernel.org/stable/c/2b649d7e0cb42a660f0260ef25fd55fdc9c6c600\",\n \"https://git.kernel.org/stable/c/3c0d36972edbe56fcf98899622d9b90ac9965227\",\n \"https://git.kernel.org/stable/c/7077c22f84f41974a711604a42fd0e0684232ee5\",\n \"https://git.kernel.org/stable/c/aee1955a1509a921c05c70dad5d6fc8563dfcb31\",\n \"https://git.kernel.org/stable/c/ca63fb7af9d3e531aa25f7ae187bfc6c7166ec2d\",\n \"https://git.kernel.org/stable/c/e8021b94b0412c37bcc79027c2e382086b6ce449\",\n \"https://git.kernel.org/stable/c/f6638e955ca00c489894789492776842e102af9c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nenic: Validate length of nl attributes in enic_set_vf_port\\n\\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\\nis of length PORT_PROFILE_MAX and that the nl attributes\\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\\nusing the policy is for the max size of the attributes and not on exact\\nsize so the length of these attributes might be less than the sizes that\\nenic_set_vf_port expects. This might cause an out of bands\\nread access in the memcpys of the data of these\\nattributes in enic_set_vf_port.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38659\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38661", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38661" + }, + { + "url": "https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558" + }, + { + "url": "https://git.kernel.org/stable/c/4c0bfb4e867c1ec6616a5049bd3618021e127056" + }, + { + "url": "https://git.kernel.org/stable/c/67011123453b91ec03671d40712fa213e94a01b9" + }, + { + "url": "https://git.kernel.org/stable/c/7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0" + }, + { + "url": "https://git.kernel.org/stable/c/7c72af16abf2ec7520407098360bbba312289e05" + }, + { + "url": "https://git.kernel.org/stable/c/7dabe54a016defe11bb2a278cd9f1ff6db3feba6" + }, + { + "url": "https://git.kernel.org/stable/c/8c5f5911c1b13170d3404eb992c6a0deaa8d81ad" + }, + { + "url": "https://git.kernel.org/stable/c/d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38661 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38661", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ap: Fix crash in AP internal function modify_bitmap()\n\nA system crash like this\n\n Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n Fault in home space mode while using kernel ASCE.\n AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n Oops: 0038 ilc:3 [#1] PREEMPT SMP\n Modules linked in: mlx5_ib ...\n CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n Hardware name: IBM 3931 A01 704 (LPAR)\n Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a\n 0000014b75e7b600: 18b2 lr %r11,%r2\n #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616\n >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)\n 0000014b75e7b60c: a7680001 lhi %r6,1\n 0000014b75e7b610: 187b lr %r7,%r11\n 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654\n 0000014b75e7b616: 18e9 lr %r14,%r9\n Call Trace:\n [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n [<0000014b75e7b758>] apmask_store+0x68/0x140\n [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n [<0000014b75598524>] vfs_write+0x1b4/0x448\n [<0000014b7559894c>] ksys_write+0x74/0x100\n [<0000014b7618a440>] __do_syscall+0x268/0x328\n [<0000014b761a3558>] system_call+0x70/0x98\n INFO: lockdep is turned off.\n Last Breaking-Event-Address:\n [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n Kernel panic - not syncing: Fatal exception: panic_on_oops\n\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\n\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38661\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38661\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38661\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38661\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38661\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558\",\n \"https://git.kernel.org/stable/c/4c0bfb4e867c1ec6616a5049bd3618021e127056\",\n \"https://git.kernel.org/stable/c/67011123453b91ec03671d40712fa213e94a01b9\",\n \"https://git.kernel.org/stable/c/7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0\",\n \"https://git.kernel.org/stable/c/7c72af16abf2ec7520407098360bbba312289e05\",\n \"https://git.kernel.org/stable/c/7dabe54a016defe11bb2a278cd9f1ff6db3feba6\",\n \"https://git.kernel.org/stable/c/8c5f5911c1b13170d3404eb992c6a0deaa8d81ad\",\n \"https://git.kernel.org/stable/c/d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/ap: Fix crash in AP internal function modify_bitmap()\\n\\nA system crash like this\\n\\n Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\\n Fault in home space mode while using kernel ASCE.\\n AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\\n Oops: 0038 ilc:3 [#1] PREEMPT SMP\\n Modules linked in: mlx5_ib ...\\n CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\\n Hardware name: IBM 3931 A01 704 (LPAR)\\n Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\\n R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\\n Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\\n 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\\n 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\\n 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\\n Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a\\n 0000014b75e7b600: 18b2 lr %r11,%r2\\n #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616\\n >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)\\n 0000014b75e7b60c: a7680001 lhi %r6,1\\n 0000014b75e7b610: 187b lr %r7,%r11\\n 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654\\n 0000014b75e7b616: 18e9 lr %r14,%r9\\n Call Trace:\\n [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\\n ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\\n [<0000014b75e7b758>] apmask_store+0x68/0x140\\n [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\\n [<0000014b75598524>] vfs_write+0x1b4/0x448\\n [<0000014b7559894c>] ksys_write+0x74/0x100\\n [<0000014b7618a440>] __do_syscall+0x268/0x328\\n [<0000014b761a3558>] system_call+0x70/0x98\\n INFO: lockdep is turned off.\\n Last Breaking-Event-Address:\\n [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\\n Kernel panic - not syncing: Fatal exception: panic_on_oops\\n\\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\\n\\nThe fix is simple: use unsigned long values for the internal variables. The\\ncorrect checks are already in place in the function but a simple int for\\nthe internal variables was used with the possibility to overflow.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38661\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38662", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38662" + }, + { + "url": "https://git.kernel.org/stable/c/000a65bf1dc04fb2b65e2abf116f0bc0fc2ee7b1" + }, + { + "url": "https://git.kernel.org/stable/c/11e8ecc5b86037fec43d07b1c162e233e131b1d9" + }, + { + "url": "https://git.kernel.org/stable/c/29467edc23818dc5a33042ffb4920b49b090e63d" + }, + { + "url": "https://git.kernel.org/stable/c/6693b172f008846811f48a099f33effc26068e1e" + }, + { + "url": "https://git.kernel.org/stable/c/98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d" + }, + { + "url": "https://git.kernel.org/stable/c/b81e1c5a3c70398cf76631ede63a03616ed1ba3c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38662 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38662", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Allow delete from sockmap/sockhash only if update is allowed\n\nWe have seen an influx of syzkaller reports where a BPF program attached to\na tracepoint triggers a locking rule violation by performing a map_delete\non a sockmap/sockhash.\n\nWe don't intend to support this artificial use scenario. Extend the\nexisting verifier allowed-program-type check for updating sockmap/sockhash\nto also cover deleting from a map.\n\nFrom now on only BPF programs which were previously allowed to update\nsockmap/sockhash can delete from these map types.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38662\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38662\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38662\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38662\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38662\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/000a65bf1dc04fb2b65e2abf116f0bc0fc2ee7b1\",\n \"https://git.kernel.org/stable/c/11e8ecc5b86037fec43d07b1c162e233e131b1d9\",\n \"https://git.kernel.org/stable/c/29467edc23818dc5a33042ffb4920b49b090e63d\",\n \"https://git.kernel.org/stable/c/6693b172f008846811f48a099f33effc26068e1e\",\n \"https://git.kernel.org/stable/c/98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d\",\n \"https://git.kernel.org/stable/c/b81e1c5a3c70398cf76631ede63a03616ed1ba3c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Allow delete from sockmap/sockhash only if update is allowed\\n\\nWe have seen an influx of syzkaller reports where a BPF program attached to\\na tracepoint triggers a locking rule violation by performing a map_delete\\non a sockmap/sockhash.\\n\\nWe don't intend to support this artificial use scenario. Extend the\\nexisting verifier allowed-program-type check for updating sockmap/sockhash\\nto also cover deleting from a map.\\n\\nFrom now on only BPF programs which were previously allowed to update\\nsockmap/sockhash can delete from these map types.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38662\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38667", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38667" + }, + { + "url": "https://git.kernel.org/stable/c/0c1f28c32a194303da630fca89481334b9547b80" + }, + { + "url": "https://git.kernel.org/stable/c/3090c06d50eaa91317f84bf3eac4c265e6cb8d44" + }, + { + "url": "https://git.kernel.org/stable/c/a638b0461b58aa3205cd9d5f14d6f703d795b4af" + }, + { + "url": "https://git.kernel.org/stable/c/ea22d4195cca13d5fdbc4d6555a2dfb8a7867a9e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38667 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38667", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: prevent pt_regs corruption for secondary idle threads\n\nTop of the kernel thread stack should be reserved for pt_regs. However\nthis is not the case for the idle threads of the secondary boot harts.\nTheir stacks overlap with their pt_regs, so both may get corrupted.\n\nSimilar issue has been fixed for the primary hart, see c7cdd96eca28\n(\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\").\nHowever that fix was not propagated to the secondary harts. The problem\nhas been noticed in some CPU hotplug tests with V enabled. The function\nsmp_callin stored several registers on stack, corrupting top of pt_regs\nstructure including status field. As a result, kernel attempted to save\nor restore inexistent V context.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38667\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38667\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38667\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38667\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38667\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c1f28c32a194303da630fca89481334b9547b80\",\n \"https://git.kernel.org/stable/c/3090c06d50eaa91317f84bf3eac4c265e6cb8d44\",\n \"https://git.kernel.org/stable/c/a638b0461b58aa3205cd9d5f14d6f703d795b4af\",\n \"https://git.kernel.org/stable/c/ea22d4195cca13d5fdbc4d6555a2dfb8a7867a9e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: prevent pt_regs corruption for secondary idle threads\\n\\nTop of the kernel thread stack should be reserved for pt_regs. However\\nthis is not the case for the idle threads of the secondary boot harts.\\nTheir stacks overlap with their pt_regs, so both may get corrupted.\\n\\nSimilar issue has been fixed for the primary hart, see c7cdd96eca28\\n(\\\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\\\").\\nHowever that fix was not propagated to the secondary harts. The problem\\nhas been noticed in some CPU hotplug tests with V enabled. The function\\nsmp_callin stored several registers on stack, corrupting top of pt_regs\\nstructure including status field. As a result, kernel attempted to save\\nor restore inexistent V context.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38667\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-38780", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-38780" + }, + { + "url": "https://git.kernel.org/stable/c/165b25e3ee9333f7b04f8db43895beacb51582ed" + }, + { + "url": "https://git.kernel.org/stable/c/1ff116f68560a25656933d5a18e7619cb6773d8a" + }, + { + "url": "https://git.kernel.org/stable/c/242b30466879e6defa521573c27e12018276c33a" + }, + { + "url": "https://git.kernel.org/stable/c/8a283cdfc8beeb14024387a925247b563d614e1e" + }, + { + "url": "https://git.kernel.org/stable/c/9d75fab2c14a25553a1664586ed122c316bd1878" + }, + { + "url": "https://git.kernel.org/stable/c/a4ee78244445ab73af22bfc5a5fc543963b25aef" + }, + { + "url": "https://git.kernel.org/stable/c/ae6fc4e6a3322f6d1c8ff59150d8469487a73dd8" + }, + { + "url": "https://git.kernel.org/stable/c/b794918961516f667b0c745aebdfebbb8a98df39" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-38780 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-38780", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\n\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\n\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-38780\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-38780\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-38780\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-38780\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38780\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/165b25e3ee9333f7b04f8db43895beacb51582ed\",\n \"https://git.kernel.org/stable/c/1ff116f68560a25656933d5a18e7619cb6773d8a\",\n \"https://git.kernel.org/stable/c/242b30466879e6defa521573c27e12018276c33a\",\n \"https://git.kernel.org/stable/c/8a283cdfc8beeb14024387a925247b563d614e1e\",\n \"https://git.kernel.org/stable/c/9d75fab2c14a25553a1664586ed122c316bd1878\",\n \"https://git.kernel.org/stable/c/a4ee78244445ab73af22bfc5a5fc543963b25aef\",\n \"https://git.kernel.org/stable/c/ae6fc4e6a3322f6d1c8ff59150d8469487a73dd8\",\n \"https://git.kernel.org/stable/c/b794918961516f667b0c745aebdfebbb8a98df39\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\\n\\nSince commit a6aa8fca4d79 (\\\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\\nknown context\\\") by error replaced spin_unlock_irqrestore() with\\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\\ninconsistent lock state warning.\\n\\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-38780\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39276", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39276" + }, + { + "url": "https://git.kernel.org/stable/c/0c0b4a49d3e7f49690a6827a41faeffad5df7e21" + }, + { + "url": "https://git.kernel.org/stable/c/681ff9a09accd8a4379f8bd30b7a1641ee19bb3e" + }, + { + "url": "https://git.kernel.org/stable/c/76dc776153a47372719d664e0fc50d6355791abb" + }, + { + "url": "https://git.kernel.org/stable/c/896a7e7d0d555ad8b2b46af0c2fa7de7467f9483" + }, + { + "url": "https://git.kernel.org/stable/c/9ad75e78747b5a50dc5a52f0f8e92e920a653f16" + }, + { + "url": "https://git.kernel.org/stable/c/a95df6f04f2c37291adf26a74205cde0314d4577" + }, + { + "url": "https://git.kernel.org/stable/c/b37c0edef4e66fb21a2fbc211471195a383e5ab8" + }, + { + "url": "https://git.kernel.org/stable/c/e941b712e758f615d311946bf98216e79145ccd9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39276 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39276", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()\n\nSyzbot reports a warning as follows:\n\n============================================\nWARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290\nModules linked in:\nCPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7\nRIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419\nCall Trace:\n \n ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375\n generic_shutdown_super+0x136/0x2d0 fs/super.c:641\n kill_block_super+0x44/0x90 fs/super.c:1675\n ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327\n[...]\n============================================\n\nThis is because when finding an entry in ext4_xattr_block_cache_find(), if\next4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown\nin the __entry_find(), won't be put away, and eventually trigger the above\nissue in mb_cache_destroy() due to reference count leakage.\n\nSo call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39276\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39276\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39276\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39276\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39276\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c0b4a49d3e7f49690a6827a41faeffad5df7e21\",\n \"https://git.kernel.org/stable/c/681ff9a09accd8a4379f8bd30b7a1641ee19bb3e\",\n \"https://git.kernel.org/stable/c/76dc776153a47372719d664e0fc50d6355791abb\",\n \"https://git.kernel.org/stable/c/896a7e7d0d555ad8b2b46af0c2fa7de7467f9483\",\n \"https://git.kernel.org/stable/c/9ad75e78747b5a50dc5a52f0f8e92e920a653f16\",\n \"https://git.kernel.org/stable/c/a95df6f04f2c37291adf26a74205cde0314d4577\",\n \"https://git.kernel.org/stable/c/b37c0edef4e66fb21a2fbc211471195a383e5ab8\",\n \"https://git.kernel.org/stable/c/e941b712e758f615d311946bf98216e79145ccd9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()\\n\\nSyzbot reports a warning as follows:\\n\\n============================================\\nWARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290\\nModules linked in:\\nCPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7\\nRIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419\\nCall Trace:\\n \\n ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375\\n generic_shutdown_super+0x136/0x2d0 fs/super.c:641\\n kill_block_super+0x44/0x90 fs/super.c:1675\\n ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327\\n[...]\\n============================================\\n\\nThis is because when finding an entry in ext4_xattr_block_cache_find(), if\\next4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown\\nin the __entry_find(), won't be put away, and eventually trigger the above\\nissue in mb_cache_destroy() due to reference count leakage.\\n\\nSo call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39276\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39277", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39277" + }, + { + "url": "https://git.kernel.org/stable/c/50ee21bfc005e69f183d6b4b454e33f0c2571e1f" + }, + { + "url": "https://git.kernel.org/stable/c/5a91116b003175302f2e6ad94b76fb9b5a141a41" + }, + { + "url": "https://git.kernel.org/stable/c/8e1ba9df9a35e8dc64f657a64e523c79ba01e464" + }, + { + "url": "https://git.kernel.org/stable/c/b41b0018e8ca06e985e87220a618ec633988fd13" + }, + { + "url": "https://git.kernel.org/stable/c/e64746e74f717961250a155e14c156616fcd981f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39277 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39277", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: handle NUMA_NO_NODE correctly\n\ncpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()\nresulting in the following sanitizer report:\n\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\nindex -1 is out of range for type 'cpumask [64][1]'\nCPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117)\nubsan_epilogue (lib/ubsan.c:232)\n__ubsan_handle_out_of_bounds (lib/ubsan.c:429)\ncpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]\ndo_map_benchmark (kernel/dma/map_benchmark.c:104)\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:246)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nUse cpumask_of_node() in place when binding a kernel thread to a cpuset\nof a particular node.\n\nNote that the provided node id is checked inside map_benchmark_ioctl().\nIt's just a NUMA_NO_NODE case which is not handled properly later.\n\nFound by Linux Verification Center (linuxtesting.org).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39277\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39277\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39277\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39277\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39277\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/50ee21bfc005e69f183d6b4b454e33f0c2571e1f\",\n \"https://git.kernel.org/stable/c/5a91116b003175302f2e6ad94b76fb9b5a141a41\",\n \"https://git.kernel.org/stable/c/8e1ba9df9a35e8dc64f657a64e523c79ba01e464\",\n \"https://git.kernel.org/stable/c/b41b0018e8ca06e985e87220a618ec633988fd13\",\n \"https://git.kernel.org/stable/c/e64746e74f717961250a155e14c156616fcd981f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma-mapping: benchmark: handle NUMA_NO_NODE correctly\\n\\ncpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()\\nresulting in the following sanitizer report:\\n\\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\\nindex -1 is out of range for type 'cpumask [64][1]'\\nCPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\\nCall Trace:\\n \\ndump_stack_lvl (lib/dump_stack.c:117)\\nubsan_epilogue (lib/ubsan.c:232)\\n__ubsan_handle_out_of_bounds (lib/ubsan.c:429)\\ncpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]\\ndo_map_benchmark (kernel/dma/map_benchmark.c:104)\\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:246)\\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\\n__x64_sys_ioctl (fs/ioctl.c:890)\\ndo_syscall_64 (arch/x86/entry/common.c:83)\\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\nUse cpumask_of_node() in place when binding a kernel thread to a cpuset\\nof a particular node.\\n\\nNote that the provided node id is checked inside map_benchmark_ioctl().\\nIt's just a NUMA_NO_NODE case which is not handled properly later.\\n\\nFound by Linux Verification Center (linuxtesting.org).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39277\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39292", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39292" + }, + { + "url": "https://git.kernel.org/stable/c/0c02d425a2fbe52643a5859a779db0329e7dddd4" + }, + { + "url": "https://git.kernel.org/stable/c/31960d991e43c8d6dc07245f19fc13398e90ead2" + }, + { + "url": "https://git.kernel.org/stable/c/351d1a64544944b44732f6a64ed65573b00b9e14" + }, + { + "url": "https://git.kernel.org/stable/c/434a06c38ee1217a8baa0dd7c37cc85d50138fb0" + }, + { + "url": "https://git.kernel.org/stable/c/66ea9a7c6824821476914bed21a476cd20094f33" + }, + { + "url": "https://git.kernel.org/stable/c/73b8e21f76c7dda4905655d2e2c17dc5a73b87f1" + }, + { + "url": "https://git.kernel.org/stable/c/a0fbbd36c156b9f7b2276871d499c9943dfe5101" + }, + { + "url": "https://git.kernel.org/stable/c/dc1ff95602ee908fcd7d8acee7a0dadb61b1a0c0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39292 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39292", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\num: Add winch to winch_handlers before registering winch IRQ\n\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\nadded to the winch_handlers list.\n\nIf that happens, register_winch_irq() adds to that list a winch that is\nscheduled to be (or has already been) freed, causing a panic later in\nwinch_cleanup().\n\nAvoid the race by adding the winch to the winch_handlers list before\nregistering the IRQ, and rolling back if um_request_irq() fails.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39292\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39292\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39292\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39292\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39292\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c02d425a2fbe52643a5859a779db0329e7dddd4\",\n \"https://git.kernel.org/stable/c/31960d991e43c8d6dc07245f19fc13398e90ead2\",\n \"https://git.kernel.org/stable/c/351d1a64544944b44732f6a64ed65573b00b9e14\",\n \"https://git.kernel.org/stable/c/434a06c38ee1217a8baa0dd7c37cc85d50138fb0\",\n \"https://git.kernel.org/stable/c/66ea9a7c6824821476914bed21a476cd20094f33\",\n \"https://git.kernel.org/stable/c/73b8e21f76c7dda4905655d2e2c17dc5a73b87f1\",\n \"https://git.kernel.org/stable/c/a0fbbd36c156b9f7b2276871d499c9943dfe5101\",\n \"https://git.kernel.org/stable/c/dc1ff95602ee908fcd7d8acee7a0dadb61b1a0c0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\num: Add winch to winch_handlers before registering winch IRQ\\n\\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\\nadded to the winch_handlers list.\\n\\nIf that happens, register_winch_irq() adds to that list a winch that is\\nscheduled to be (or has already been) freed, causing a panic later in\\nwinch_cleanup().\\n\\nAvoid the race by adding the winch to the winch_handlers list before\\nregistering the IRQ, and rolling back if um_request_irq() fails.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39292\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39293", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39293" + }, + { + "url": "https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5" + }, + { + "url": "https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39293 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39293", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"xsk: Support redirect to any socket bound to the same umem\"\n\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\n\nThis patch introduced a potential kernel crash when multiple napi instances\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\npossible for multiple napi instances to access the Rx ring at the same time,\nwhich will result in a corrupted ring state which can lead to a crash when\nflushing the rings in __xsk_flush(). This can happen when the linked list of\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\nis not possible, so let us revert this for now.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39293\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39293\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39293\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39293\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39293\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5\",\n \"https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRevert \\\"xsk: Support redirect to any socket bound to the same umem\\\"\\n\\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\\n\\nThis patch introduced a potential kernel crash when multiple napi instances\\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\\npossible for multiple napi instances to access the Rx ring at the same time,\\nwhich will result in a corrupted ring state which can lead to a crash when\\nflushing the rings in __xsk_flush(). This can happen when the linked list of\\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\\nis not possible, so let us revert this for now.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39293\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39298", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39298" + }, + { + "url": "https://git.kernel.org/stable/c/00b0752c7f15dfdf129cacc6a27d61c54141182b" + }, + { + "url": "https://git.kernel.org/stable/c/41cd2de3c95020b7f86a3cb5fab42fbf454a63bd" + }, + { + "url": "https://git.kernel.org/stable/c/8cf360b9d6a840700e06864236a01a883b34bbad" + }, + { + "url": "https://git.kernel.org/stable/c/bb9bb13ce64cc7cae47f5e2ab9ce93b7bfa0117e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39298 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39298", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix handling of dissolved but not taken off from buddy pages\n\nWhen I did memory failure tests recently, below panic occurs:\n\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\nraw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000\npage dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))\n------------[ cut here ]------------\nkernel BUG at include/linux/page-flags.h:1009!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:__del_page_from_free_list+0x151/0x180\nRSP: 0018:ffffa49c90437998 EFLAGS: 00000046\nRAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0\nRBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69\nR10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80\nR13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009\nFS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0\nCall Trace:\n \n __rmqueue_pcplist+0x23b/0x520\n get_page_from_freelist+0x26b/0xe40\n __alloc_pages_noprof+0x113/0x1120\n __folio_alloc_noprof+0x11/0xb0\n alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130\n __alloc_fresh_hugetlb_folio+0xe7/0x140\n alloc_pool_huge_folio+0x68/0x100\n set_max_huge_pages+0x13d/0x340\n hugetlb_sysctl_handler_common+0xe8/0x110\n proc_sys_call_handler+0x194/0x280\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff916114887\nRSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887\nRDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003\nRBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0\nR10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004\nR13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00\n \nModules linked in: mce_inject hwpoison_inject\n---[ end trace 0000000000000000 ]---\n\nAnd before the panic, there had an warning about bad page state:\n\nBUG: Bad page state in process page-types pfn:8cee00\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\npage_type: 0xffffff7f(buddy)\nraw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000\npage dumped because: nonzero mapcount\nModules linked in: mce_inject hwpoison_inject\nCPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22\nCall Trace:\n \n dump_stack_lvl+0x83/0xa0\n bad_page+0x63/0xf0\n free_unref_page+0x36e/0x5c0\n unpoison_memory+0x50b/0x630\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xcd/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f189a514887\nRSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887\nRDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003\nRBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8\nR13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040\n \n\nThe root cause should be the below race:\n\n memory_failure\n try_memory_failure_hugetlb\n me_huge_page\n __page_handle_poison\n dissolve_free_hugetlb_folio\n drain_all_pages -- Buddy page can be isolated e.g. for compaction.\n take_page_off_buddy -- Failed as page is not in the \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39298\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39298\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39298\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39298\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39298\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00b0752c7f15dfdf129cacc6a27d61c54141182b\",\n \"https://git.kernel.org/stable/c/41cd2de3c95020b7f86a3cb5fab42fbf454a63bd\",\n \"https://git.kernel.org/stable/c/8cf360b9d6a840700e06864236a01a883b34bbad\",\n \"https://git.kernel.org/stable/c/bb9bb13ce64cc7cae47f5e2ab9ce93b7bfa0117e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/memory-failure: fix handling of dissolved but not taken off from buddy pages\\n\\nWhen I did memory failure tests recently, below panic occurs:\\n\\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\\nraw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000\\nraw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000\\npage dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))\\n------------[ cut here ]------------\\nkernel BUG at include/linux/page-flags.h:1009!\\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\nRIP: 0010:__del_page_from_free_list+0x151/0x180\\nRSP: 0018:ffffa49c90437998 EFLAGS: 00000046\\nRAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8\\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0\\nRBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69\\nR10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80\\nR13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009\\nFS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0\\nCall Trace:\\n \\n __rmqueue_pcplist+0x23b/0x520\\n get_page_from_freelist+0x26b/0xe40\\n __alloc_pages_noprof+0x113/0x1120\\n __folio_alloc_noprof+0x11/0xb0\\n alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130\\n __alloc_fresh_hugetlb_folio+0xe7/0x140\\n alloc_pool_huge_folio+0x68/0x100\\n set_max_huge_pages+0x13d/0x340\\n hugetlb_sysctl_handler_common+0xe8/0x110\\n proc_sys_call_handler+0x194/0x280\\n vfs_write+0x387/0x550\\n ksys_write+0x64/0xe0\\n do_syscall_64+0xc2/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7ff916114887\\nRSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\nRAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887\\nRDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003\\nRBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0\\nR10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004\\nR13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00\\n \\nModules linked in: mce_inject hwpoison_inject\\n---[ end trace 0000000000000000 ]---\\n\\nAnd before the panic, there had an warning about bad page state:\\n\\nBUG: Bad page state in process page-types pfn:8cee00\\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\\npage_type: 0xffffff7f(buddy)\\nraw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000\\nraw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000\\npage dumped because: nonzero mapcount\\nModules linked in: mce_inject hwpoison_inject\\nCPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22\\nCall Trace:\\n \\n dump_stack_lvl+0x83/0xa0\\n bad_page+0x63/0xf0\\n free_unref_page+0x36e/0x5c0\\n unpoison_memory+0x50b/0x630\\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\\n debugfs_attr_write+0x42/0x60\\n full_proxy_write+0x5b/0x80\\n vfs_write+0xcd/0x550\\n ksys_write+0x64/0xe0\\n do_syscall_64+0xc2/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7f189a514887\\nRSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887\\nRDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003\\nRBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2\\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8\\nR13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040\\n \\n\\nThe root cause should be the below race:\\n\\n memory_failure\\n try_memory_failure_hugetlb\\n me_huge_page\\n __page_handle_poison\\n dissolve_free_hugetlb_folio\\n drain_all_pages -- Buddy page can be isolated e.g. for compaction.\\n take_page_off_buddy -- Failed as page is not in the \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39298\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39301", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39301" + }, + { + "url": "https://git.kernel.org/stable/c/124947855564572713d705a13be7d0c9dae16a17" + }, + { + "url": "https://git.kernel.org/stable/c/2101901dd58c6da4924bc5efb217a1d83436290b" + }, + { + "url": "https://git.kernel.org/stable/c/25460d6f39024cc3b8241b14c7ccf0d6f11a736a" + }, + { + "url": "https://git.kernel.org/stable/c/6c1791130b781c843572fb6391c4a4c5d857ab17" + }, + { + "url": "https://git.kernel.org/stable/c/72c5d8e416ecc46af370a1340b3db5ff0b0cc867" + }, + { + "url": "https://git.kernel.org/stable/c/89969ffbeb948ffc159d19252e7469490103011b" + }, + { + "url": "https://git.kernel.org/stable/c/ca71f204711ad24113e8b344dc5bb8b0385f5672" + }, + { + "url": "https://git.kernel.org/stable/c/fe5c604053c36c62af24eee8a76407d026ea5163" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39301 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39301", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix uninit-value in p9_client_rpc()\n\nSyzbot with the help of KMSAN reported the following error:\n\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\n\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39301\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39301\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39301\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39301\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39301\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/124947855564572713d705a13be7d0c9dae16a17\",\n \"https://git.kernel.org/stable/c/2101901dd58c6da4924bc5efb217a1d83436290b\",\n \"https://git.kernel.org/stable/c/25460d6f39024cc3b8241b14c7ccf0d6f11a736a\",\n \"https://git.kernel.org/stable/c/6c1791130b781c843572fb6391c4a4c5d857ab17\",\n \"https://git.kernel.org/stable/c/72c5d8e416ecc46af370a1340b3db5ff0b0cc867\",\n \"https://git.kernel.org/stable/c/89969ffbeb948ffc159d19252e7469490103011b\",\n \"https://git.kernel.org/stable/c/ca71f204711ad24113e8b344dc5bb8b0385f5672\",\n \"https://git.kernel.org/stable/c/fe5c604053c36c62af24eee8a76407d026ea5163\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/9p: fix uninit-value in p9_client_rpc()\\n\\nSyzbot with the help of KMSAN reported the following error:\\n\\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\\n path_mount+0x742/0x1f20 fs/namespace.c:3679\\n do_mount fs/namespace.c:3692 [inline]\\n __do_sys_mount fs/namespace.c:3898 [inline]\\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nUninit was created at:\\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\\n __alloc_pages_node include/linux/gfp.h:238 [inline]\\n alloc_pages_node include/linux/gfp.h:261 [inline]\\n alloc_slab_page mm/slub.c:2175 [inline]\\n allocate_slab mm/slub.c:2338 [inline]\\n new_slab+0x2de/0x1400 mm/slub.c:2391\\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\\n __slab_alloc mm/slub.c:3610 [inline]\\n __slab_alloc_node mm/slub.c:3663 [inline]\\n slab_alloc_node mm/slub.c:3835 [inline]\\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\\n p9_tag_alloc net/9p/client.c:278 [inline]\\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\\n path_mount+0x742/0x1f20 fs/namespace.c:3679\\n do_mount fs/namespace.c:3692 [inline]\\n __do_sys_mount fs/namespace.c:3898 [inline]\\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\\n do_syscall_64+0xd5/0x1f0\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\\nwill not be properly initialized. However, trace_9p_client_res()\\nends up trying to print it out anyway before p9_client_rpc()\\nfinishes.\\n\\nFix this issue by assigning default values to p9_fcall fields\\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\\nduring the tag allocation stage.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39301\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39362", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39362" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39362 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39362", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39362\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39362\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39362\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39362\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39362\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39362\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39463", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39463" + }, + { + "url": "https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409" + }, + { + "url": "https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456" + }, + { + "url": "https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5" + }, + { + "url": "https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39463 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39463", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: add missing locking around taking dentry fid list\n\nFix a use-after-free on dentry's d_fsdata fid list when a thread\nlooks up a fid through dentry while another thread unlinks it:\n\nUAF thread:\nrefcount_t: addition on 0; use-after-free.\n p9_fid_get linux/./include/net/9p/client.h:262\n v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129\n v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181\n v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314\n v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400\n vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248\n\nFreed by:\n p9_fid_destroy (inlined)\n p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456\n p9_fid_put linux/./include/net/9p/client.h:278\n v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55\n v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518\n vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335\n\nThe problem is that d_fsdata was not accessed under d_lock, because\nd_release() normally is only called once the dentry is otherwise no\nlonger accessible but since we also call it explicitly in v9fs_remove\nthat lock is required:\nmove the hlist out of the dentry under lock then unref its fids once\nthey are no longer accessible.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39463\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39463\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39463\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39463\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39463\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409\",\n \"https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456\",\n \"https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5\",\n \"https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\n9p: add missing locking around taking dentry fid list\\n\\nFix a use-after-free on dentry's d_fsdata fid list when a thread\\nlooks up a fid through dentry while another thread unlinks it:\\n\\nUAF thread:\\nrefcount_t: addition on 0; use-after-free.\\n p9_fid_get linux/./include/net/9p/client.h:262\\n v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129\\n v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181\\n v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314\\n v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400\\n vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248\\n\\nFreed by:\\n p9_fid_destroy (inlined)\\n p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456\\n p9_fid_put linux/./include/net/9p/client.h:278\\n v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55\\n v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518\\n vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335\\n\\nThe problem is that d_fsdata was not accessed under d_lock, because\\nd_release() normally is only called once the dentry is otherwise no\\nlonger accessible but since we also call it explicitly in v9fs_remove\\nthat lock is required:\\nmove the hlist out of the dentry under lock then unref its fids once\\nthey are no longer accessible.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39463\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39466", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39466" + }, + { + "url": "https://git.kernel.org/stable/c/0a47ba94ec3d8f782b33e3d970cfcb769b962464" + }, + { + "url": "https://git.kernel.org/stable/c/2226b145afa5e13cb60dbe77fb20fb0666a1caf3" + }, + { + "url": "https://git.kernel.org/stable/c/560d69c975072974c11434ca6953891e74c1a665" + }, + { + "url": "https://git.kernel.org/stable/c/aa1a0807b4a76b44fb6b58a7e9087cd4b18ab41b" + }, + { + "url": "https://git.kernel.org/stable/c/d9d3490c48df572edefc0b64655259eefdcbb9be" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39466 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39466", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/qcom/lmh: Check for SCM availability at probe\n\nUp until now, the necessary scm availability check has not been\nperformed, leading to possible null pointer dereferences (which did\nhappen for me on RB1).\n\nFix that.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39466\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39466\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39466\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39466\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39466\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a47ba94ec3d8f782b33e3d970cfcb769b962464\",\n \"https://git.kernel.org/stable/c/2226b145afa5e13cb60dbe77fb20fb0666a1caf3\",\n \"https://git.kernel.org/stable/c/560d69c975072974c11434ca6953891e74c1a665\",\n \"https://git.kernel.org/stable/c/aa1a0807b4a76b44fb6b58a7e9087cd4b18ab41b\",\n \"https://git.kernel.org/stable/c/d9d3490c48df572edefc0b64655259eefdcbb9be\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthermal/drivers/qcom/lmh: Check for SCM availability at probe\\n\\nUp until now, the necessary scm availability check has not been\\nperformed, leading to possible null pointer dereferences (which did\\nhappen for me on RB1).\\n\\nFix that.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39466\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39467", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39467" + }, + { + "url": "https://git.kernel.org/stable/c/1640dcf383cdba52be8b28d2a1a2aa7ef7a30c98" + }, + { + "url": "https://git.kernel.org/stable/c/20faaf30e55522bba2b56d9c46689233205d7717" + }, + { + "url": "https://git.kernel.org/stable/c/68e3cd4ecb8603936cccdc338929130045df2e57" + }, + { + "url": "https://git.kernel.org/stable/c/75c87e2ac6149abf44bdde0dd6d541763ddb0dff" + }, + { + "url": "https://git.kernel.org/stable/c/8c8aa473fe6eb46a4bf99f3ea2dbe52bf0c1a1f0" + }, + { + "url": "https://git.kernel.org/stable/c/be0155202e431f3007778568a72432c68f8946ba" + }, + { + "url": "https://git.kernel.org/stable/c/c559a8d840562fbfce9f318448dda2f7d3e6d8e8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39467 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39467", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\n\nsyzbot reports a kernel bug as below:\n\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\n\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39467\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39467\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39467\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39467\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39467\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1640dcf383cdba52be8b28d2a1a2aa7ef7a30c98\",\n \"https://git.kernel.org/stable/c/20faaf30e55522bba2b56d9c46689233205d7717\",\n \"https://git.kernel.org/stable/c/68e3cd4ecb8603936cccdc338929130045df2e57\",\n \"https://git.kernel.org/stable/c/75c87e2ac6149abf44bdde0dd6d541763ddb0dff\",\n \"https://git.kernel.org/stable/c/8c8aa473fe6eb46a4bf99f3ea2dbe52bf0c1a1f0\",\n \"https://git.kernel.org/stable/c/be0155202e431f3007778568a72432c68f8946ba\",\n \"https://git.kernel.org/stable/c/c559a8d840562fbfce9f318448dda2f7d3e6d8e8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\\n\\nsyzbot reports a kernel bug as below:\\n\\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\\n==================================================================\\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\\n\\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\\n current_nat_addr fs/f2fs/node.h:213 [inline]\\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\\n ioctl_fiemap fs/ioctl.c:220 [inline]\\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\\n __do_sys_ioctl fs/ioctl.c:902 [inline]\\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nThe root cause is we missed to do sanity check on i_xattr_nid during\\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\\nkasan bug report, fix it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39467\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39468", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39468" + }, + { + "url": "https://git.kernel.org/stable/c/02c418774f76a0a36a6195c9dbf8971eb4130a15" + }, + { + "url": "https://git.kernel.org/stable/c/21f5dd36e655d25a7b45b61c1e537198b671f720" + }, + { + "url": "https://git.kernel.org/stable/c/225de871ddf994f69a57f035709cad9c0ab8615a" + }, + { + "url": "https://git.kernel.org/stable/c/8d0f5f1ccf675454a833a573c53830a49b7d1a47" + }, + { + "url": "https://git.kernel.org/stable/c/b055752675cd1d1db4ac9c2750db3dc3e89ea261" + }, + { + "url": "https://git.kernel.org/stable/c/b09b556e48968317887a11243a5331a7bc00ece5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39468 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39468", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix deadlock in smb2_find_smb_tcon()\n\nUnlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such\ndeadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39468\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39468\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39468\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39468\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39468\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02c418774f76a0a36a6195c9dbf8971eb4130a15\",\n \"https://git.kernel.org/stable/c/21f5dd36e655d25a7b45b61c1e537198b671f720\",\n \"https://git.kernel.org/stable/c/225de871ddf994f69a57f035709cad9c0ab8615a\",\n \"https://git.kernel.org/stable/c/8d0f5f1ccf675454a833a573c53830a49b7d1a47\",\n \"https://git.kernel.org/stable/c/b055752675cd1d1db4ac9c2750db3dc3e89ea261\",\n \"https://git.kernel.org/stable/c/b09b556e48968317887a11243a5331a7bc00ece5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix deadlock in smb2_find_smb_tcon()\\n\\nUnlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such\\ndeadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39468\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39469", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39469" + }, + { + "url": "https://git.kernel.org/stable/c/11a2edb70356a2202dcb7c9c189c8356ab4752cd" + }, + { + "url": "https://git.kernel.org/stable/c/129dcd3e7d036218db3f59c82d82004b9539ed82" + }, + { + "url": "https://git.kernel.org/stable/c/2ac8a2fe22bdde9eecce2a42cf5cab79333fb428" + }, + { + "url": "https://git.kernel.org/stable/c/405b71f1251e5ae865f53bd27c45114e6c83bee3" + }, + { + "url": "https://git.kernel.org/stable/c/59f14875a96ef93f05b82ad3c980605f2cb444b5" + }, + { + "url": "https://git.kernel.org/stable/c/7373a51e7998b508af7136530f3a997b286ce81c" + }, + { + "url": "https://git.kernel.org/stable/c/c77ad608df6c091fe64ecb91f41ef7cb465587f1" + }, + { + "url": "https://git.kernel.org/stable/c/d18b05eda7fa77f02114f15b02c009f28ee42346" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39469 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39469", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors\n\nThe error handling in nilfs_empty_dir() when a directory folio/page read\nfails is incorrect, as in the old ext2 implementation, and if the\nfolio/page cannot be read or nilfs_check_folio() fails, it will falsely\ndetermine the directory as empty and corrupt the file system.\n\nIn addition, since nilfs_empty_dir() does not immediately return on a\nfailed folio/page read, but continues to loop, this can cause a long loop\nwith I/O if i_size of the directory's inode is also corrupted, causing the\nlog writer thread to wait and hang, as reported by syzbot.\n\nFix these issues by making nilfs_empty_dir() immediately return a false\nvalue (0) if it fails to get a directory folio/page.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39469\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39469\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39469\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39469\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39469\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11a2edb70356a2202dcb7c9c189c8356ab4752cd\",\n \"https://git.kernel.org/stable/c/129dcd3e7d036218db3f59c82d82004b9539ed82\",\n \"https://git.kernel.org/stable/c/2ac8a2fe22bdde9eecce2a42cf5cab79333fb428\",\n \"https://git.kernel.org/stable/c/405b71f1251e5ae865f53bd27c45114e6c83bee3\",\n \"https://git.kernel.org/stable/c/59f14875a96ef93f05b82ad3c980605f2cb444b5\",\n \"https://git.kernel.org/stable/c/7373a51e7998b508af7136530f3a997b286ce81c\",\n \"https://git.kernel.org/stable/c/c77ad608df6c091fe64ecb91f41ef7cb465587f1\",\n \"https://git.kernel.org/stable/c/d18b05eda7fa77f02114f15b02c009f28ee42346\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors\\n\\nThe error handling in nilfs_empty_dir() when a directory folio/page read\\nfails is incorrect, as in the old ext2 implementation, and if the\\nfolio/page cannot be read or nilfs_check_folio() fails, it will falsely\\ndetermine the directory as empty and corrupt the file system.\\n\\nIn addition, since nilfs_empty_dir() does not immediately return on a\\nfailed folio/page read, but continues to loop, this can cause a long loop\\nwith I/O if i_size of the directory's inode is also corrupted, causing the\\nlog writer thread to wait and hang, as reported by syzbot.\\n\\nFix these issues by making nilfs_empty_dir() immediately return a false\\nvalue (0) if it fails to get a directory folio/page.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39469\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39471", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39471" + }, + { + "url": "https://git.kernel.org/stable/c/011552f29f20842c9a7a21bffe1f6a2d6457ba46" + }, + { + "url": "https://git.kernel.org/stable/c/0964c84b93db7fbf74f357c1e20957850e092db3" + }, + { + "url": "https://git.kernel.org/stable/c/5594971e02764aa1c8210ffb838cb4e7897716e8" + }, + { + "url": "https://git.kernel.org/stable/c/5b0a3dc3e87821acb80e841b464d335aff242691" + }, + { + "url": "https://git.kernel.org/stable/c/8112fa72b7f139052843ff484130d6f97e9f052f" + }, + { + "url": "https://git.kernel.org/stable/c/8b2faf1a4f3b6c748c0da36cda865a226534d520" + }, + { + "url": "https://git.kernel.org/stable/c/ea906e9ac61e3152bef63597f2d9f4a812fc346a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39471 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39471", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add error handle to avoid out-of-bounds\n\nif the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should\nbe stop to avoid out-of-bounds read, so directly return -EINVAL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39471\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39471\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39471\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39471\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39471\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/011552f29f20842c9a7a21bffe1f6a2d6457ba46\",\n \"https://git.kernel.org/stable/c/0964c84b93db7fbf74f357c1e20957850e092db3\",\n \"https://git.kernel.org/stable/c/5594971e02764aa1c8210ffb838cb4e7897716e8\",\n \"https://git.kernel.org/stable/c/5b0a3dc3e87821acb80e841b464d335aff242691\",\n \"https://git.kernel.org/stable/c/8112fa72b7f139052843ff484130d6f97e9f052f\",\n \"https://git.kernel.org/stable/c/8b2faf1a4f3b6c748c0da36cda865a226534d520\",\n \"https://git.kernel.org/stable/c/ea906e9ac61e3152bef63597f2d9f4a812fc346a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: add error handle to avoid out-of-bounds\\n\\nif the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should\\nbe stop to avoid out-of-bounds read, so directly return -EINVAL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39471\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39472", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39472" + }, + { + "url": "https://git.kernel.org/stable/c/45cf976008ddef4a9c9a30310c9b4fb2a9a6602a" + }, + { + "url": "https://git.kernel.org/stable/c/57835c0e7152e36b03875dd6c56dfeed685c1b1f" + }, + { + "url": "https://git.kernel.org/stable/c/c2389c074973aa94e34992e7f66dac0de37595b5" + }, + { + "url": "https://git.kernel.org/stable/c/f754591b17d0ee91c2b45fe9509d0cdc420527cb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39472 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39472", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix log recovery buffer allocation for the legacy h_size fixup\n\nCommit a70f9fe52daa (\"xfs: detect and handle invalid iclog size set by\nmkfs\") added a fixup for incorrect h_size values used for the initial\numount record in old xfsprogs versions. Later commit 0c771b99d6c9\n(\"xfs: clean up calculation of LR header blocks\") cleaned up the log\nreover buffer calculation, but stoped using the fixed up h_size value\nto size the log recovery buffer, which can lead to an out of bounds\naccess when the incorrect h_size does not come from the old mkfs\ntool, but a fuzzer.\n\nFix this by open coding xlog_logrec_hblks and taking the fixed h_size\ninto account for this calculation.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39472\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39472\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39472\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39472\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39472\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/45cf976008ddef4a9c9a30310c9b4fb2a9a6602a\",\n \"https://git.kernel.org/stable/c/57835c0e7152e36b03875dd6c56dfeed685c1b1f\",\n \"https://git.kernel.org/stable/c/c2389c074973aa94e34992e7f66dac0de37595b5\",\n \"https://git.kernel.org/stable/c/f754591b17d0ee91c2b45fe9509d0cdc420527cb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfs: fix log recovery buffer allocation for the legacy h_size fixup\\n\\nCommit a70f9fe52daa (\\\"xfs: detect and handle invalid iclog size set by\\nmkfs\\\") added a fixup for incorrect h_size values used for the initial\\numount record in old xfsprogs versions. Later commit 0c771b99d6c9\\n(\\\"xfs: clean up calculation of LR header blocks\\\") cleaned up the log\\nreover buffer calculation, but stoped using the fixed up h_size value\\nto size the log recovery buffer, which can lead to an out of bounds\\naccess when the incorrect h_size does not come from the old mkfs\\ntool, but a fuzzer.\\n\\nFix this by open coding xlog_logrec_hblks and taking the fixed h_size\\ninto account for this calculation.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39472\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39475", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39475" + }, + { + "url": "https://git.kernel.org/stable/c/32f92b0078ebf79dbe4827288e0acb50d89d3d5b" + }, + { + "url": "https://git.kernel.org/stable/c/4b2c67e30b4e1d2ae19dba8b8e8f3b5fd3cf8089" + }, + { + "url": "https://git.kernel.org/stable/c/5f446859bfa46df0ffb34149499f48a2c2d8cd95" + }, + { + "url": "https://git.kernel.org/stable/c/6ad959b6703e2c4c5d7af03b4cfd5ff608036339" + }, + { + "url": "https://git.kernel.org/stable/c/86435f39c18967cdd937d7a49ba539cdea7fb547" + }, + { + "url": "https://git.kernel.org/stable/c/b8385ff814ca4cb7e63789841e6ec2a14c73e1e8" + }, + { + "url": "https://git.kernel.org/stable/c/be754cbd77eaf2932408a4e18532e4945274a5c7" + }, + { + "url": "https://git.kernel.org/stable/c/edaa57480b876e8203b51df7c3d14a51ea6b09e3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39475 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39475", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Handle err return when savagefb_check_var failed\n\nThe commit 04e5eac8f3ab(\"fbdev: savage: Error out if pixclock equals zero\")\nchecks the value of pixclock to avoid divide-by-zero error. However\nthe function savagefb_probe doesn't handle the error return of\nsavagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39475\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39475\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39475\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39475\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39475\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32f92b0078ebf79dbe4827288e0acb50d89d3d5b\",\n \"https://git.kernel.org/stable/c/4b2c67e30b4e1d2ae19dba8b8e8f3b5fd3cf8089\",\n \"https://git.kernel.org/stable/c/5f446859bfa46df0ffb34149499f48a2c2d8cd95\",\n \"https://git.kernel.org/stable/c/6ad959b6703e2c4c5d7af03b4cfd5ff608036339\",\n \"https://git.kernel.org/stable/c/86435f39c18967cdd937d7a49ba539cdea7fb547\",\n \"https://git.kernel.org/stable/c/b8385ff814ca4cb7e63789841e6ec2a14c73e1e8\",\n \"https://git.kernel.org/stable/c/be754cbd77eaf2932408a4e18532e4945274a5c7\",\n \"https://git.kernel.org/stable/c/edaa57480b876e8203b51df7c3d14a51ea6b09e3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfbdev: savage: Handle err return when savagefb_check_var failed\\n\\nThe commit 04e5eac8f3ab(\\\"fbdev: savage: Error out if pixclock equals zero\\\")\\nchecks the value of pixclock to avoid divide-by-zero error. However\\nthe function savagefb_probe doesn't handle the error return of\\nsavagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39475\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39476", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39476" + }, + { + "url": "https://git.kernel.org/stable/c/098d54934814dd876963abfe751c3b1cf7fbe56a" + }, + { + "url": "https://git.kernel.org/stable/c/151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa" + }, + { + "url": "https://git.kernel.org/stable/c/3f8d5e802d4cedd445f9a89be8c3fd2d0e99024b" + }, + { + "url": "https://git.kernel.org/stable/c/634ba3c97ec413cb10681c7b196db43ee461ecf4" + }, + { + "url": "https://git.kernel.org/stable/c/aa64464c8f4d2ab92f6d0b959a1e0767b829d787" + }, + { + "url": "https://git.kernel.org/stable/c/b32aa95843cac6b12c2c014d40fca18aef24a347" + }, + { + "url": "https://git.kernel.org/stable/c/cd2538e5af495b3c747e503db346470fc1ffc447" + }, + { + "url": "https://git.kernel.org/stable/c/e332a12f65d8fed8cf63bedb4e9317bb872b9ac7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39476 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39476", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING\n\nXiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with\nsmall possibility, the root cause is exactly the same as commit\nbed9e27baf52 (\"Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"\")\n\nHowever, Dan reported another hang after that, and junxiao investigated\nthe problem and found out that this is caused by plugged bio can't issue\nfrom raid5d().\n\nCurrent implementation in raid5d() has a weird dependence:\n\n1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear\n MD_SB_CHANGE_PENDING;\n2) raid5d() handles IO in a deadloop, until all IO are issued;\n3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;\n\nThis behaviour is introduce before v2.6, and for consequence, if other\ncontext hold 'reconfig_mutex', and md_check_recovery() can't update\nsuper_block, then raid5d() will waste one cpu 100% by the deadloop, until\n'reconfig_mutex' is released.\n\nRefer to the implementation from raid1 and raid10, fix this problem by\nskipping issue IO if MD_SB_CHANGE_PENDING is still set after\nmd_check_recovery(), daemon thread will be woken up when 'reconfig_mutex'\nis released. Meanwhile, the hang problem will be fixed as well.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39476\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39476\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39476\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39476\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39476\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/098d54934814dd876963abfe751c3b1cf7fbe56a\",\n \"https://git.kernel.org/stable/c/151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa\",\n \"https://git.kernel.org/stable/c/3f8d5e802d4cedd445f9a89be8c3fd2d0e99024b\",\n \"https://git.kernel.org/stable/c/634ba3c97ec413cb10681c7b196db43ee461ecf4\",\n \"https://git.kernel.org/stable/c/aa64464c8f4d2ab92f6d0b959a1e0767b829d787\",\n \"https://git.kernel.org/stable/c/b32aa95843cac6b12c2c014d40fca18aef24a347\",\n \"https://git.kernel.org/stable/c/cd2538e5af495b3c747e503db346470fc1ffc447\",\n \"https://git.kernel.org/stable/c/e332a12f65d8fed8cf63bedb4e9317bb872b9ac7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING\\n\\nXiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with\\nsmall possibility, the root cause is exactly the same as commit\\nbed9e27baf52 (\\\"Revert \\\"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\\\"\\\")\\n\\nHowever, Dan reported another hang after that, and junxiao investigated\\nthe problem and found out that this is caused by plugged bio can't issue\\nfrom raid5d().\\n\\nCurrent implementation in raid5d() has a weird dependence:\\n\\n1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear\\n MD_SB_CHANGE_PENDING;\\n2) raid5d() handles IO in a deadloop, until all IO are issued;\\n3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;\\n\\nThis behaviour is introduce before v2.6, and for consequence, if other\\ncontext hold 'reconfig_mutex', and md_check_recovery() can't update\\nsuper_block, then raid5d() will waste one cpu 100% by the deadloop, until\\n'reconfig_mutex' is released.\\n\\nRefer to the implementation from raid1 and raid10, fix this problem by\\nskipping issue IO if MD_SB_CHANGE_PENDING is still set after\\nmd_check_recovery(), daemon thread will be woken up when 'reconfig_mutex'\\nis released. Meanwhile, the hang problem will be fixed as well.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39476\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39480", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39480" + }, + { + "url": "https://git.kernel.org/stable/c/107e825cc448b7834b31e8b1b3cf0f57426d46d5" + }, + { + "url": "https://git.kernel.org/stable/c/33d9c814652b971461d1e30bead6792851c209e7" + }, + { + "url": "https://git.kernel.org/stable/c/cfdc2fa4db57503bc6d3817240547c8ddc55fa96" + }, + { + "url": "https://git.kernel.org/stable/c/ddd2972d8e2dee3b33e8121669d55def59f0be8a" + }, + { + "url": "https://git.kernel.org/stable/c/e9730744bf3af04cda23799029342aa3cddbc454" + }, + { + "url": "https://git.kernel.org/stable/c/f636a40834d22e5e3fc748f060211879c056cd33" + }, + { + "url": "https://git.kernel.org/stable/c/f694da720dcf795dc3eb97bf76d220213f76aaa7" + }, + { + "url": "https://git.kernel.org/stable/c/fb824a99e148ff272a53d71d84122728b5f00992" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39480 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39480", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nkdb: Fix buffer overflow during tab-complete\n\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\n\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39480\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39480\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39480\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39480\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39480\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/107e825cc448b7834b31e8b1b3cf0f57426d46d5\",\n \"https://git.kernel.org/stable/c/33d9c814652b971461d1e30bead6792851c209e7\",\n \"https://git.kernel.org/stable/c/cfdc2fa4db57503bc6d3817240547c8ddc55fa96\",\n \"https://git.kernel.org/stable/c/ddd2972d8e2dee3b33e8121669d55def59f0be8a\",\n \"https://git.kernel.org/stable/c/e9730744bf3af04cda23799029342aa3cddbc454\",\n \"https://git.kernel.org/stable/c/f636a40834d22e5e3fc748f060211879c056cd33\",\n \"https://git.kernel.org/stable/c/f694da720dcf795dc3eb97bf76d220213f76aaa7\",\n \"https://git.kernel.org/stable/c/fb824a99e148ff272a53d71d84122728b5f00992\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkdb: Fix buffer overflow during tab-complete\\n\\nCurrently, when the user attempts symbol completion with the Tab key, kdb\\nwill use strncpy() to insert the completed symbol into the command buffer.\\nUnfortunately it passes the size of the source buffer rather than the\\ndestination to strncpy() with predictably horrible results. Most obviously\\nif the command buffer is already full but cp, the cursor position, is in\\nthe middle of the buffer, then we will write past the end of the supplied\\nbuffer.\\n\\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\\ncalls plus explicit boundary checks to make sure we have enough space\\nbefore we start moving characters around.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39480\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39482", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39482" + }, + { + "url": "https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671" + }, + { + "url": "https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b" + }, + { + "url": "https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31" + }, + { + "url": "https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023" + }, + { + "url": "https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148" + }, + { + "url": "https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39482 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39482", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix variable length array abuse in btree_iter\n\nbtree_iter is used in two ways: either allocated on the stack with a\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\nspecific cache set. Previously, the struct had a fixed-length array of\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\niterators, which causes UBSAN to complain.\n\nThis patch uses the same approach as in bcachefs's sort_iter and splits\nthe iterator into a btree_iter with a flexible array member and a\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\ndata array.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39482\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39482\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39482\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39482\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39482\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671\",\n \"https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b\",\n \"https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31\",\n \"https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023\",\n \"https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148\",\n \"https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbcache: fix variable length array abuse in btree_iter\\n\\nbtree_iter is used in two ways: either allocated on the stack with a\\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\\nspecific cache set. Previously, the struct had a fixed-length array of\\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\\niterators, which causes UBSAN to complain.\\n\\nThis patch uses the same approach as in bcachefs's sort_iter and splits\\nthe iterator into a btree_iter with a flexible array member and a\\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\\ndata array.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39482\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39484", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is fixed for versions 5.15.0-119.129", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39484" + }, + { + "url": "https://git.kernel.org/stable/c/1d5ed0efe51d36b9ae9b64f133bf41cdbf56f584" + }, + { + "url": "https://git.kernel.org/stable/c/55c421b364482b61c4c45313a535e61ed5ae4ea3" + }, + { + "url": "https://git.kernel.org/stable/c/5ee241f72edc6dce5051a5f100eab6cc019d873e" + }, + { + "url": "https://git.kernel.org/stable/c/6ff7cfa02baabec907f6f29ea76634e6256d2ec4" + }, + { + "url": "https://git.kernel.org/stable/c/7590da4c04dd4aa9c262da0231e978263861c6eb" + }, + { + "url": "https://git.kernel.org/stable/c/aea35157bb9b825faa0432bd0f7fbea37ff39aa1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39484 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39484", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: davinci: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback being\ndiscarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.\nusing sysfs or hotplug), the driver is just removed without the cleanup\nbeing performed. This results in resource leaks. Fix it by compiling in the\nremove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\nWARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in\nreference: davinci_mmcsd_driver+0x10 (section: .data) ->\ndavinci_mmcsd_remove (section: .exit.text)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39484\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39484\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39484\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [\n \"5.15.0-119.129\"\n ],\n \"state\": \"fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39484\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39484\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d5ed0efe51d36b9ae9b64f133bf41cdbf56f584\",\n \"https://git.kernel.org/stable/c/55c421b364482b61c4c45313a535e61ed5ae4ea3\",\n \"https://git.kernel.org/stable/c/5ee241f72edc6dce5051a5f100eab6cc019d873e\",\n \"https://git.kernel.org/stable/c/6ff7cfa02baabec907f6f29ea76634e6256d2ec4\",\n \"https://git.kernel.org/stable/c/7590da4c04dd4aa9c262da0231e978263861c6eb\",\n \"https://git.kernel.org/stable/c/aea35157bb9b825faa0432bd0f7fbea37ff39aa1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmmc: davinci: Don't strip remove function when driver is builtin\\n\\nUsing __exit for the remove function results in the remove callback being\\ndiscarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.\\nusing sysfs or hotplug), the driver is just removed without the cleanup\\nbeing performed. This results in resource leaks. Fix it by compiling in the\\nremove callback unconditionally.\\n\\nThis also fixes a W=1 modpost warning:\\n\\nWARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in\\nreference: davinci_mmcsd_driver+0x10 (section: .data) ->\\ndavinci_mmcsd_remove (section: .exit.text)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"< 5.15.0-119.129 (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39484\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39487", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39487" + }, + { + "url": "https://git.kernel.org/stable/c/6a8a4fd082c439e19fede027e80c79bc4c84bb8e" + }, + { + "url": "https://git.kernel.org/stable/c/6b21346b399fd1336fe59233a17eb5ce73041ee1" + }, + { + "url": "https://git.kernel.org/stable/c/707c85ba3527ad6aa25552033576b0f1ff835d7b" + }, + { + "url": "https://git.kernel.org/stable/c/9f835e48bd4c75fdf6a9cff3f0b806a7abde78da" + }, + { + "url": "https://git.kernel.org/stable/c/b75e33eae8667084bd4a63e67657c6a5a0f8d1e8" + }, + { + "url": "https://git.kernel.org/stable/c/bfd14e5915c2669f292a31d028e75dcd82f1e7e9" + }, + { + "url": "https://git.kernel.org/stable/c/c8eb8ab9a44ff0e73492d0a12a643c449f641a9f" + }, + { + "url": "https://git.kernel.org/stable/c/e271ff53807e8f2c628758290f0e499dbe51cb3d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39487 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39487", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\n\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\n\nFix it by adding a check of string length before using it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39487\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39487\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39487\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39487\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39487\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6a8a4fd082c439e19fede027e80c79bc4c84bb8e\",\n \"https://git.kernel.org/stable/c/6b21346b399fd1336fe59233a17eb5ce73041ee1\",\n \"https://git.kernel.org/stable/c/707c85ba3527ad6aa25552033576b0f1ff835d7b\",\n \"https://git.kernel.org/stable/c/9f835e48bd4c75fdf6a9cff3f0b806a7abde78da\",\n \"https://git.kernel.org/stable/c/b75e33eae8667084bd4a63e67657c6a5a0f8d1e8\",\n \"https://git.kernel.org/stable/c/bfd14e5915c2669f292a31d028e75dcd82f1e7e9\",\n \"https://git.kernel.org/stable/c/c8eb8ab9a44ff0e73492d0a12a643c449f641a9f\",\n \"https://git.kernel.org/stable/c/e271ff53807e8f2c628758290f0e499dbe51cb3d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\\n\\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\\nempty string, newval->string+1 will point to the byte after the\\nstring, causing an out-of-bound read.\\n\\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\\n print_address_description mm/kasan/report.c:364 [inline]\\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\\n strlen+0x7d/0xa0 lib/string.c:418\\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\\n bond_option_arp_ip_targets_set+0xc2/0x910\\ndrivers/net/bonding/bond_options.c:1201\\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\\n call_write_iter include/linux/fs.h:2020 [inline]\\n new_sync_write fs/read_write.c:491 [inline]\\n vfs_write+0x96a/0xd80 fs/read_write.c:584\\n ksys_write+0x122/0x250 fs/read_write.c:637\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n---[ end trace ]---\\n\\nFix it by adding a check of string length before using it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 7.1,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.2\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39487\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39488", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39488" + }, + { + "url": "https://git.kernel.org/stable/c/22469a0335a1a1a690349b58bcb55822457df81e" + }, + { + "url": "https://git.kernel.org/stable/c/3fd487ffaa697ddb05af78a75aaaddabe71c52b0" + }, + { + "url": "https://git.kernel.org/stable/c/461a760d578b2b2c2faac3040b6b7c77baf128f8" + }, + { + "url": "https://git.kernel.org/stable/c/9f2ad88f9b349554f64e4037ec185c84d7dd9c7d" + }, + { + "url": "https://git.kernel.org/stable/c/c1929c041a262a4a27265db8dce3619c92aa678c" + }, + { + "url": "https://git.kernel.org/stable/c/c27a2f7668e215c1ebbccd96fab27a220a93f1f7" + }, + { + "url": "https://git.kernel.org/stable/c/f221bd58db0f6ca087ac0392284f6bce21f4f8ea" + }, + { + "url": "https://git.kernel.org/stable/c/ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39488 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39488", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\n\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\n\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tsigned int file_disp;\t// 4 bytes\n\t\tunsigned short line;\t\t// 2 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t}\n\n... with 12 bytes total, requiring 4-byte alignment.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\n\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\n\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\n\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\n\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\n\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\n\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\n\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\n\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\n\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\n\nConsequently module_find_bug() will miss the last bug_entry when it does:\n\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\n\n... which can lead to a kenrel panic due to an unhandled bug.\n\nThis can be demonstrated with the following module:\n\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\n\n\tstatic void __exit bugexit(void)\n\t{\n\t}\n\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\n\n... which will trigger a kernel panic when loaded:\n\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39488\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39488\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39488\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39488\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39488\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22469a0335a1a1a690349b58bcb55822457df81e\",\n \"https://git.kernel.org/stable/c/3fd487ffaa697ddb05af78a75aaaddabe71c52b0\",\n \"https://git.kernel.org/stable/c/461a760d578b2b2c2faac3040b6b7c77baf128f8\",\n \"https://git.kernel.org/stable/c/9f2ad88f9b349554f64e4037ec185c84d7dd9c7d\",\n \"https://git.kernel.org/stable/c/c1929c041a262a4a27265db8dce3619c92aa678c\",\n \"https://git.kernel.org/stable/c/c27a2f7668e215c1ebbccd96fab27a220a93f1f7\",\n \"https://git.kernel.org/stable/c/f221bd58db0f6ca087ac0392284f6bce21f4f8ea\",\n \"https://git.kernel.org/stable/c/ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\\n\\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\\nto bug_table entries, and as a result the last entry in a bug table will\\nbe ignored, potentially leading to an unexpected panic(). All prior\\nentries in the table will be handled correctly.\\n\\nThe arm64 ABI requires that struct fields of up to 8 bytes are\\nnaturally-aligned, with padding added within a struct such that struct\\nare suitably aligned within arrays.\\n\\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\\n\\n\\tstruct bug_entry {\\n\\t\\tsigned int bug_addr_disp;\\t// 4 bytes\\n\\t\\tsigned int file_disp;\\t// 4 bytes\\n\\t\\tunsigned short line;\\t\\t// 2 bytes\\n\\t\\tunsigned short flags;\\t\\t// 2 bytes\\n\\t}\\n\\n... with 12 bytes total, requiring 4-byte alignment.\\n\\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\\n\\n\\tstruct bug_entry {\\n\\t\\tsigned int bug_addr_disp;\\t// 4 bytes\\n\\t\\tunsigned short flags;\\t\\t// 2 bytes\\n\\t\\t< implicit padding >\\t\\t// 2 bytes\\n\\t}\\n\\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\\npadding, requiring 4-byte alginment.\\n\\nWhen we create a bug_entry in assembly, we align the start of the entry\\nto 4 bytes, which implicitly handles padding for any prior entries.\\nHowever, we do not align the end of the entry, and so when\\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\\nbytes.\\n\\nFor the main kernel image this is not a problem as find_bug() doesn't\\ndepend on the trailing padding bytes when searching for entries:\\n\\n\\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\\n\\t\\tif (bugaddr == bug_addr(bug))\\n\\t\\t\\treturn bug;\\n\\nHowever for modules, module_bug_finalize() depends on the trailing\\nbytes when calculating the number of entries:\\n\\n\\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\\n\\n... and as the last bug_entry lacks the necessary padding bytes, this entry\\nwill not be counted, e.g. in the case of a single entry:\\n\\n\\tsechdrs[i].sh_size == 6\\n\\tsizeof(struct bug_entry) == 8;\\n\\n\\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\\n\\nConsequently module_find_bug() will miss the last bug_entry when it does:\\n\\n\\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\\n\\t\\tif (bugaddr == bug_addr(bug))\\n\\t\\t\\tgoto out;\\n\\n... which can lead to a kenrel panic due to an unhandled bug.\\n\\nThis can be demonstrated with the following module:\\n\\n\\tstatic int __init buginit(void)\\n\\t{\\n\\t\\tWARN(1, \\\"hello\\\\n\\\");\\n\\t\\treturn 0;\\n\\t}\\n\\n\\tstatic void __exit bugexit(void)\\n\\t{\\n\\t}\\n\\n\\tmodule_init(buginit);\\n\\tmodule_exit(bugexit);\\n\\tMODULE_LICENSE(\\\"GPL\\\");\\n\\n... which will trigger a kernel panic when loaded:\\n\\n\\t------------[ cut here ]------------\\n\\thello\\n\\tUnexpected kernel BRK exception at EL1\\n\\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\\n\\tModules linked in: hello(O+)\\n\\tCPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8\\n\\tHardware name: linux,dummy-virt (DT)\\n\\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n\\tpc : buginit+0x18/0x1000 [hello]\\n\\tlr : buginit+0x18/0x1000 [hello]\\n\\tsp : ffff800080533ae0\\n\\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\\n\\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\\n\\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\\n\\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\\n\\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\\n\\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\\n\\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\\n\\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\\n\\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\\n\\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\\n\\tCall trace:\\n\\t buginit+0x18/0x1000 [hello]\\n\\t do_one_initcall+0x80/0x1c8\\n\\t do_init_module+0x60/0x218\\n\\t load_module+0x1ba4/0x1d70\\n\\t __do_sys_init_module+0x198/0x1d0\\n\\t __arm64_sys_init_module+0x1c/0x28\\n\\t invoke_syscall+0x48/0x114\\n\\t el0_svc\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39488\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39489", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39489" + }, + { + "url": "https://git.kernel.org/stable/c/0e44d6cbe8de983470c3d2f978649783384fdcb6" + }, + { + "url": "https://git.kernel.org/stable/c/4a3fcf53725b70010d1cf869a2ba549fed6b8fb3" + }, + { + "url": "https://git.kernel.org/stable/c/599a5654215092ac22bfc453f4fd3959c55ea821" + }, + { + "url": "https://git.kernel.org/stable/c/61d31ac85b4572d11f8071855c0ccb4f32d76c0c" + }, + { + "url": "https://git.kernel.org/stable/c/afd5730969aec960a2fee4e5ee839a6014643976" + }, + { + "url": "https://git.kernel.org/stable/c/daf341e0a2318b813427d5a78788c86f4a7f02be" + }, + { + "url": "https://git.kernel.org/stable/c/efb9f4f19f8e37fde43dfecebc80292d179f56c6" + }, + { + "url": "https://git.kernel.org/stable/c/f6a99ef4e056c20a138a95cc51332b2b96c8f383" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39489 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39489", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix memleak in seg6_hmac_init_algo\n\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\n\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39489\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39489\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39489\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39489\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39489\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e44d6cbe8de983470c3d2f978649783384fdcb6\",\n \"https://git.kernel.org/stable/c/4a3fcf53725b70010d1cf869a2ba549fed6b8fb3\",\n \"https://git.kernel.org/stable/c/599a5654215092ac22bfc453f4fd3959c55ea821\",\n \"https://git.kernel.org/stable/c/61d31ac85b4572d11f8071855c0ccb4f32d76c0c\",\n \"https://git.kernel.org/stable/c/afd5730969aec960a2fee4e5ee839a6014643976\",\n \"https://git.kernel.org/stable/c/daf341e0a2318b813427d5a78788c86f4a7f02be\",\n \"https://git.kernel.org/stable/c/efb9f4f19f8e37fde43dfecebc80292d179f56c6\",\n \"https://git.kernel.org/stable/c/f6a99ef4e056c20a138a95cc51332b2b96c8f383\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: sr: fix memleak in seg6_hmac_init_algo\\n\\nseg6_hmac_init_algo returns without cleaning up the previous allocations\\nif one fails, so it's going to leak all that memory and the crypto tfms.\\n\\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\\nreuse the code directly.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39489\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39490", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39490" + }, + { + "url": "https://git.kernel.org/stable/c/5447f9708d9e4c17a647b16a9cb29e9e02820bd9" + }, + { + "url": "https://git.kernel.org/stable/c/8f1fc3b86eaea70be6abcae2e9aa7e7b99453864" + }, + { + "url": "https://git.kernel.org/stable/c/e8688218e38111ace457509d8f0cad75f79c1a7a" + }, + { + "url": "https://git.kernel.org/stable/c/f4df8c7670a73752201cbde215254598efdf6ce8" + }, + { + "url": "https://git.kernel.org/stable/c/f5fec1588642e415a3d72e02140160661b303940" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39490 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39490", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix missing sk_buff release in seg6_input_core\n\nThe seg6_input() function is responsible for adding the SRH into a\npacket, delegating the operation to the seg6_input_core(). This function\nuses the skb_cow_head() to ensure that there is sufficient headroom in\nthe sk_buff for accommodating the link-layer header.\nIn the event that the skb_cow_header() function fails, the\nseg6_input_core() catches the error but it does not release the sk_buff,\nwhich will result in a memory leak.\n\nThis issue was introduced in commit af3b5158b89d (\"ipv6: sr: fix BUG due\nto headroom too small after SRH push\") and persists even after commit\n7a3f5b0de364 (\"netfilter: add netfilter hooks to SRv6 data plane\"),\nwhere the entire seg6_input() code was refactored to deal with netfilter\nhooks.\n\nThe proposed patch addresses the identified memory leak by requiring the\nseg6_input_core() function to release the sk_buff in the event that\nskb_cow_head() fails.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39490\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39490\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39490\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39490\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39490\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5447f9708d9e4c17a647b16a9cb29e9e02820bd9\",\n \"https://git.kernel.org/stable/c/8f1fc3b86eaea70be6abcae2e9aa7e7b99453864\",\n \"https://git.kernel.org/stable/c/e8688218e38111ace457509d8f0cad75f79c1a7a\",\n \"https://git.kernel.org/stable/c/f4df8c7670a73752201cbde215254598efdf6ce8\",\n \"https://git.kernel.org/stable/c/f5fec1588642e415a3d72e02140160661b303940\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: sr: fix missing sk_buff release in seg6_input_core\\n\\nThe seg6_input() function is responsible for adding the SRH into a\\npacket, delegating the operation to the seg6_input_core(). This function\\nuses the skb_cow_head() to ensure that there is sufficient headroom in\\nthe sk_buff for accommodating the link-layer header.\\nIn the event that the skb_cow_header() function fails, the\\nseg6_input_core() catches the error but it does not release the sk_buff,\\nwhich will result in a memory leak.\\n\\nThis issue was introduced in commit af3b5158b89d (\\\"ipv6: sr: fix BUG due\\nto headroom too small after SRH push\\\") and persists even after commit\\n7a3f5b0de364 (\\\"netfilter: add netfilter hooks to SRv6 data plane\\\"),\\nwhere the entire seg6_input() code was refactored to deal with netfilter\\nhooks.\\n\\nThe proposed patch addresses the identified memory leak by requiring the\\nseg6_input_core() function to release the sk_buff in the event that\\nskb_cow_head() fails.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39490\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39493", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39493" + }, + { + "url": "https://git.kernel.org/stable/c/0ce5964b82f212f4df6a9813f09a0b5de15bd9c8" + }, + { + "url": "https://git.kernel.org/stable/c/3fb4601e0db10d4fe25e46f3fa308d40d37366bd" + }, + { + "url": "https://git.kernel.org/stable/c/6396b33e98c096bff9c253ed49c008247963492a" + }, + { + "url": "https://git.kernel.org/stable/c/a718b6d2a329e069b27d9049a71be5931e71d960" + }, + { + "url": "https://git.kernel.org/stable/c/c2d443aa1ae3175c13a665f3a24b8acd759ce9c3" + }, + { + "url": "https://git.kernel.org/stable/c/d0fd124972724cce0d48b9865ce3e273ef69e246" + }, + { + "url": "https://git.kernel.org/stable/c/d3b17c6d9dddc2db3670bc9be628b122416a3d26" + }, + { + "url": "https://git.kernel.org/stable/c/e7428e7e3fe94a5089dc12ffe5bc31574d2315ad" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39493 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39493", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - Fix ADF_DEV_RESET_SYNC memory leak\n\nUsing completion_done to determine whether the caller has gone\naway only works after a complete call. Furthermore it's still\npossible that the caller has not yet called wait_for_completion,\nresulting in another potential UAF.\n\nFix this by making the caller use cancel_work_sync and then freeing\nthe memory safely.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39493\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39493\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39493\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39493\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39493\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ce5964b82f212f4df6a9813f09a0b5de15bd9c8\",\n \"https://git.kernel.org/stable/c/3fb4601e0db10d4fe25e46f3fa308d40d37366bd\",\n \"https://git.kernel.org/stable/c/6396b33e98c096bff9c253ed49c008247963492a\",\n \"https://git.kernel.org/stable/c/a718b6d2a329e069b27d9049a71be5931e71d960\",\n \"https://git.kernel.org/stable/c/c2d443aa1ae3175c13a665f3a24b8acd759ce9c3\",\n \"https://git.kernel.org/stable/c/d0fd124972724cce0d48b9865ce3e273ef69e246\",\n \"https://git.kernel.org/stable/c/d3b17c6d9dddc2db3670bc9be628b122416a3d26\",\n \"https://git.kernel.org/stable/c/e7428e7e3fe94a5089dc12ffe5bc31574d2315ad\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: qat - Fix ADF_DEV_RESET_SYNC memory leak\\n\\nUsing completion_done to determine whether the caller has gone\\naway only works after a complete call. Furthermore it's still\\npossible that the caller has not yet called wait_for_completion,\\nresulting in another potential UAF.\\n\\nFix this by making the caller use cancel_work_sync and then freeing\\nthe memory safely.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39493\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39494", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39494" + }, + { + "url": "https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4" + }, + { + "url": "https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c" + }, + { + "url": "https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de" + }, + { + "url": "https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39494 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39494", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix use-after-free on a dentry's dname.name\n\n->d_name.name can change on rename and the earlier value can be freed;\nthere are conditions sufficient to stabilize it (->d_lock on dentry,\n->d_lock on its parent, ->i_rwsem exclusive on the parent's inode,\nrename_lock), but none of those are met at any of the sites. Take a stable\nsnapshot of the name instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39494\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39494\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39494\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39494\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39494\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4\",\n \"https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c\",\n \"https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de\",\n \"https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nima: Fix use-after-free on a dentry's dname.name\\n\\n->d_name.name can change on rename and the earlier value can be freed;\\nthere are conditions sufficient to stabilize it (->d_lock on dentry,\\n->d_lock on its parent, ->i_rwsem exclusive on the parent's inode,\\nrename_lock), but none of those are met at any of the sites. Take a stable\\nsnapshot of the name instead.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39494\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39495", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39495" + }, + { + "url": "https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445" + }, + { + "url": "https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea" + }, + { + "url": "https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83" + }, + { + "url": "https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce" + }, + { + "url": "https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201" + }, + { + "url": "https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc" + }, + { + "url": "https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39495 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39495", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: Fix use-after-free bug in gb_interface_release due to race condition.\n\nIn gb_interface_create, &intf->mode_switch_completion is bound with\ngb_interface_mode_switch_work. Then it will be started by\ngb_interface_request_mode_switch. Here is the relevant code.\nif (!queue_work(system_long_wq, &intf->mode_switch_work)) {\n\t...\n}\n\nIf we call gb_interface_release to make cleanup, there may be an\nunfinished work. This function will call kfree to free the object\n\"intf\". However, if gb_interface_mode_switch_work is scheduled to\nrun after kfree, it may cause use-after-free error as\ngb_interface_mode_switch_work will use the object \"intf\".\nThe possible execution flow that may lead to the issue is as follows:\n\nCPU0 CPU1\n\n | gb_interface_create\n | gb_interface_request_mode_switch\ngb_interface_release |\nkfree(intf) (free) |\n | gb_interface_mode_switch_work\n | mutex_lock(&intf->mutex) (use)\n\nFix it by canceling the work before kfree.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39495\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39495\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39495\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39495\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39495\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445\",\n \"https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea\",\n \"https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83\",\n \"https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce\",\n \"https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201\",\n \"https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc\",\n \"https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngreybus: Fix use-after-free bug in gb_interface_release due to race condition.\\n\\nIn gb_interface_create, &intf->mode_switch_completion is bound with\\ngb_interface_mode_switch_work. Then it will be started by\\ngb_interface_request_mode_switch. Here is the relevant code.\\nif (!queue_work(system_long_wq, &intf->mode_switch_work)) {\\n\\t...\\n}\\n\\nIf we call gb_interface_release to make cleanup, there may be an\\nunfinished work. This function will call kfree to free the object\\n\\\"intf\\\". However, if gb_interface_mode_switch_work is scheduled to\\nrun after kfree, it may cause use-after-free error as\\ngb_interface_mode_switch_work will use the object \\\"intf\\\".\\nThe possible execution flow that may lead to the issue is as follows:\\n\\nCPU0 CPU1\\n\\n | gb_interface_create\\n | gb_interface_request_mode_switch\\ngb_interface_release |\\nkfree(intf) (free) |\\n | gb_interface_mode_switch_work\\n | mutex_lock(&intf->mutex) (use)\\n\\nFix it by canceling the work before kfree.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39495\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39496", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39496" + }, + { + "url": "https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9" + }, + { + "url": "https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6" + }, + { + "url": "https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43" + }, + { + "url": "https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39496 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39496", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free due to race with dev replace\n\nWhile loading a zone's info during creation of a block group, we can race\nwith a device replace operation and then trigger a use-after-free on the\ndevice that was just replaced (source device of the replace operation).\n\nThis happens because at btrfs_load_zone_info() we extract a device from\nthe chunk map into a local variable and then use the device while not\nunder the protection of the device replace rwsem. So if there's a device\nreplace operation happening when we extract the device and that device\nis the source of the replace operation, we will trigger a use-after-free\nif before we finish using the device the replace operation finishes and\nfrees the device.\n\nFix this by enlarging the critical section under the protection of the\ndevice replace rwsem so that all uses of the device are done inside the\ncritical section.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39496\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39496\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39496\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39496\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39496\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9\",\n \"https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6\",\n \"https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43\",\n \"https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: zoned: fix use-after-free due to race with dev replace\\n\\nWhile loading a zone's info during creation of a block group, we can race\\nwith a device replace operation and then trigger a use-after-free on the\\ndevice that was just replaced (source device of the replace operation).\\n\\nThis happens because at btrfs_load_zone_info() we extract a device from\\nthe chunk map into a local variable and then use the device while not\\nunder the protection of the device replace rwsem. So if there's a device\\nreplace operation happening when we extract the device and that device\\nis the source of the replace operation, we will trigger a use-after-free\\nif before we finish using the device the replace operation finishes and\\nfrees the device.\\n\\nFix this by enlarging the critical section under the protection of the\\ndevice replace rwsem so that all uses of the device are done inside the\\ncritical section.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39496\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39497", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39497" + }, + { + "url": "https://git.kernel.org/stable/c/03c71c42809ef4b17f5d874cdb2d3bf40e847b86" + }, + { + "url": "https://git.kernel.org/stable/c/1b4a8b89bf6787090b56424d269bf84ba00c3263" + }, + { + "url": "https://git.kernel.org/stable/c/39bc27bd688066a63e56f7f64ad34fae03fbe3b8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39497 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39497", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)\n\nLack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap\nallows users to call mmap with PROT_WRITE and MAP_PRIVATE flag\ncausing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:\nBUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));\n\nReturn -EINVAL early if COW mapping is detected.\n\nThis bug affects all drm drivers using default shmem helpers.\nIt can be reproduced by this simple example:\nvoid *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);\nptr[0] = 0;", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39497\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39497\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39497\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39497\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39497\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03c71c42809ef4b17f5d874cdb2d3bf40e847b86\",\n \"https://git.kernel.org/stable/c/1b4a8b89bf6787090b56424d269bf84ba00c3263\",\n \"https://git.kernel.org/stable/c/39bc27bd688066a63e56f7f64ad34fae03fbe3b8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)\\n\\nLack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap\\nallows users to call mmap with PROT_WRITE and MAP_PRIVATE flag\\ncausing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:\\nBUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));\\n\\nReturn -EINVAL early if COW mapping is detected.\\n\\nThis bug affects all drm drivers using default shmem helpers.\\nIt can be reproduced by this simple example:\\nvoid *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);\\nptr[0] = 0;\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39497\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39499", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39499" + }, + { + "url": "https://git.kernel.org/stable/c/58730dfbd4ae01c1b022b0d234a8bf8c02cdfb81" + }, + { + "url": "https://git.kernel.org/stable/c/681967c4ff210e06380acf9b9a1b33ae06e77cbd" + }, + { + "url": "https://git.kernel.org/stable/c/757804e1c599af5d2a7f864c8e8b2842406ff4bb" + }, + { + "url": "https://git.kernel.org/stable/c/8003f00d895310d409b2bf9ef907c56b42a4e0f4" + }, + { + "url": "https://git.kernel.org/stable/c/95ac3e773a1f8da83c4710a720fbfe80055aafae" + }, + { + "url": "https://git.kernel.org/stable/c/95bac1c8bedb362374ea1937b1d3e833e01174ee" + }, + { + "url": "https://git.kernel.org/stable/c/e293c6b38ac9029d76ff0d2a6b2d74131709a9a8" + }, + { + "url": "https://git.kernel.org/stable/c/f70ff737346744633e7b655c1fb23e1578491ff3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39499 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39499", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci: prevent speculation leaks by sanitizing event in event_deliver()\n\nCoverity spotted that event_msg is controlled by user-space,\nevent_msg->event_data.event is passed to event_deliver() and used\nas an index without sanitization.\n\nThis change ensures that the event index is sanitized to mitigate any\npossibility of speculative information leaks.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.\n\nOnly compile tested, no access to HW.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39499\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39499\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39499\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39499\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39499\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/58730dfbd4ae01c1b022b0d234a8bf8c02cdfb81\",\n \"https://git.kernel.org/stable/c/681967c4ff210e06380acf9b9a1b33ae06e77cbd\",\n \"https://git.kernel.org/stable/c/757804e1c599af5d2a7f864c8e8b2842406ff4bb\",\n \"https://git.kernel.org/stable/c/8003f00d895310d409b2bf9ef907c56b42a4e0f4\",\n \"https://git.kernel.org/stable/c/95ac3e773a1f8da83c4710a720fbfe80055aafae\",\n \"https://git.kernel.org/stable/c/95bac1c8bedb362374ea1937b1d3e833e01174ee\",\n \"https://git.kernel.org/stable/c/e293c6b38ac9029d76ff0d2a6b2d74131709a9a8\",\n \"https://git.kernel.org/stable/c/f70ff737346744633e7b655c1fb23e1578491ff3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvmci: prevent speculation leaks by sanitizing event in event_deliver()\\n\\nCoverity spotted that event_msg is controlled by user-space,\\nevent_msg->event_data.event is passed to event_deliver() and used\\nas an index without sanitization.\\n\\nThis change ensures that the event index is sanitized to mitigate any\\npossibility of speculative information leaks.\\n\\nThis bug was discovered and resolved using Coverity Static Analysis\\nSecurity Testing (SAST) by Synopsys, Inc.\\n\\nOnly compile tested, no access to HW.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39499\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39500", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39500" + }, + { + "url": "https://git.kernel.org/stable/c/3627605de498639a3c586c8684d12c89cba11073" + }, + { + "url": "https://git.kernel.org/stable/c/4959ffc65a0e94f8acaac20deac49f89e6ded52d" + }, + { + "url": "https://git.kernel.org/stable/c/4b4647add7d3c8530493f7247d11e257ee425bf0" + }, + { + "url": "https://git.kernel.org/stable/c/5eabdf17fed2ad41b836bb4055ec36d95e512c50" + }, + { + "url": "https://git.kernel.org/stable/c/e946428439a0d2079959f5603256ac51b6047017" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39500 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39500", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: avoid race between sock_map_close and sk_psock_put\n\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\nwill happen when the last call of sk_psock_put is done. However,\nsk_psock_drop may not have finished yet, so the close callback will still\npoint to sock_map_close despite psock being NULL.\n\nThis can be reproduced with a thread deleting an element from the sock map,\nwhile the second one creates a socket, adds it to the map and closes it.\n\nThat will trigger the WARN_ON_ONCE:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nModules linked in:\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\nFS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\nCall Trace:\n \n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbe/0x240 net/socket.c:1421\n __fput+0x42b/0x8a0 fs/file_table.c:422\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close fs/open.c:1541 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb37d618070\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \n\nUse sk_psock, which will only check that the pointer is not been set to\nNULL yet, which should only happen after the callbacks are restored. If,\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\npsock->work.\n\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\nless convoluted.\n\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\nanymore.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39500\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39500\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39500\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39500\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39500\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3627605de498639a3c586c8684d12c89cba11073\",\n \"https://git.kernel.org/stable/c/4959ffc65a0e94f8acaac20deac49f89e6ded52d\",\n \"https://git.kernel.org/stable/c/4b4647add7d3c8530493f7247d11e257ee425bf0\",\n \"https://git.kernel.org/stable/c/5eabdf17fed2ad41b836bb4055ec36d95e512c50\",\n \"https://git.kernel.org/stable/c/e946428439a0d2079959f5603256ac51b6047017\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsock_map: avoid race between sock_map_close and sk_psock_put\\n\\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\\nwill happen when the last call of sk_psock_put is done. However,\\nsk_psock_drop may not have finished yet, so the close callback will still\\npoint to sock_map_close despite psock being NULL.\\n\\nThis can be reproduced with a thread deleting an element from the sock map,\\nwhile the second one creates a socket, adds it to the map and closes it.\\n\\nThat will trigger the WARN_ON_ONCE:\\n\\n------------[ cut here ]------------\\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\\nModules linked in:\\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\\nFS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\\nCall Trace:\\n \\n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\\n __sock_release net/socket.c:659 [inline]\\n sock_close+0xbe/0x240 net/socket.c:1421\\n __fput+0x42b/0x8a0 fs/file_table.c:422\\n __do_sys_close fs/open.c:1556 [inline]\\n __se_sys_close fs/open.c:1541 [inline]\\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7fb37d618070\\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\\n \\n\\nUse sk_psock, which will only check that the pointer is not been set to\\nNULL yet, which should only happen after the callbacks are restored. If,\\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\\npsock->work.\\n\\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\\nless convoluted.\\n\\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\\nanymore.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39500\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39501", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39501" + }, + { + "url": "https://git.kernel.org/stable/c/08891eeaa97c079b7f95d60b62dcf0e3ce034b69" + }, + { + "url": "https://git.kernel.org/stable/c/13d25e82b6d00d743c7961dcb260329f86bedf7c" + }, + { + "url": "https://git.kernel.org/stable/c/760603e30bf19d7b4c28e9d81f18b54fa3b745ad" + }, + { + "url": "https://git.kernel.org/stable/c/95d03d369ea647b89e950667f1c3363ea6f564e6" + }, + { + "url": "https://git.kernel.org/stable/c/a42b0060d6ff2f7e59290a26d5f162a3c6329b90" + }, + { + "url": "https://git.kernel.org/stable/c/bb3641a5831789d83a58a39ed4a928bcbece7080" + }, + { + "url": "https://git.kernel.org/stable/c/c0a40097f0bc81deafc15f9195d1fb54595cd6d0" + }, + { + "url": "https://git.kernel.org/stable/c/ec772ed7cb21b46fb132f89241682553efd0b721" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39501 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39501", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: core: synchronize really_probe() and dev_uevent()\n\nSynchronize the dev->driver usage in really_probe() and dev_uevent().\nThese can run in different threads, what can result in the following\nrace condition for dev->driver uninitialization:\n\nThread #1:\n==========\n\nreally_probe() {\n...\nprobe_failed:\n...\ndevice_unbind_cleanup(dev) {\n ...\n dev->driver = NULL; // <= Failed probe sets dev->driver to NULL\n ...\n }\n...\n}\n\nThread #2:\n==========\n\ndev_uevent() {\n...\nif (dev->driver)\n // If dev->driver is NULLed from really_probe() from here on,\n // after above check, the system crashes\n add_uevent_var(env, \"DRIVER=%s\", dev->driver->name);\n...\n}\n\nreally_probe() holds the lock, already. So nothing needs to be done\nthere. dev_uevent() is called with lock held, often, too. But not\nalways. What implies that we can't add any locking in dev_uevent()\nitself. So fix this race by adding the lock to the non-protected\npath. This is the path where above race is observed:\n\n dev_uevent+0x235/0x380\n uevent_show+0x10c/0x1f0 <= Add lock here\n dev_attr_show+0x3a/0xa0\n sysfs_kf_seq_show+0x17c/0x250\n kernfs_seq_show+0x7c/0x90\n seq_read_iter+0x2d7/0x940\n kernfs_fop_read_iter+0xc6/0x310\n vfs_read+0x5bc/0x6b0\n ksys_read+0xeb/0x1b0\n __x64_sys_read+0x42/0x50\n x64_sys_call+0x27ad/0x2d30\n do_syscall_64+0xcd/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nSimilar cases are reported by syzkaller in\n\nhttps://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a\n\nBut these are regarding the *initialization* of dev->driver\n\ndev->driver = drv;\n\nAs this switches dev->driver to non-NULL these reports can be considered\nto be false-positives (which should be \"fixed\" by this commit, as well,\nthough).\n\nThe same issue was reported and tried to be fixed back in 2015 in\n\nhttps://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/\n\nalready.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39501\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39501\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39501\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39501\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39501\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08891eeaa97c079b7f95d60b62dcf0e3ce034b69\",\n \"https://git.kernel.org/stable/c/13d25e82b6d00d743c7961dcb260329f86bedf7c\",\n \"https://git.kernel.org/stable/c/760603e30bf19d7b4c28e9d81f18b54fa3b745ad\",\n \"https://git.kernel.org/stable/c/95d03d369ea647b89e950667f1c3363ea6f564e6\",\n \"https://git.kernel.org/stable/c/a42b0060d6ff2f7e59290a26d5f162a3c6329b90\",\n \"https://git.kernel.org/stable/c/bb3641a5831789d83a58a39ed4a928bcbece7080\",\n \"https://git.kernel.org/stable/c/c0a40097f0bc81deafc15f9195d1fb54595cd6d0\",\n \"https://git.kernel.org/stable/c/ec772ed7cb21b46fb132f89241682553efd0b721\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrivers: core: synchronize really_probe() and dev_uevent()\\n\\nSynchronize the dev->driver usage in really_probe() and dev_uevent().\\nThese can run in different threads, what can result in the following\\nrace condition for dev->driver uninitialization:\\n\\nThread #1:\\n==========\\n\\nreally_probe() {\\n...\\nprobe_failed:\\n...\\ndevice_unbind_cleanup(dev) {\\n ...\\n dev->driver = NULL; // <= Failed probe sets dev->driver to NULL\\n ...\\n }\\n...\\n}\\n\\nThread #2:\\n==========\\n\\ndev_uevent() {\\n...\\nif (dev->driver)\\n // If dev->driver is NULLed from really_probe() from here on,\\n // after above check, the system crashes\\n add_uevent_var(env, \\\"DRIVER=%s\\\", dev->driver->name);\\n...\\n}\\n\\nreally_probe() holds the lock, already. So nothing needs to be done\\nthere. dev_uevent() is called with lock held, often, too. But not\\nalways. What implies that we can't add any locking in dev_uevent()\\nitself. So fix this race by adding the lock to the non-protected\\npath. This is the path where above race is observed:\\n\\n dev_uevent+0x235/0x380\\n uevent_show+0x10c/0x1f0 <= Add lock here\\n dev_attr_show+0x3a/0xa0\\n sysfs_kf_seq_show+0x17c/0x250\\n kernfs_seq_show+0x7c/0x90\\n seq_read_iter+0x2d7/0x940\\n kernfs_fop_read_iter+0xc6/0x310\\n vfs_read+0x5bc/0x6b0\\n ksys_read+0xeb/0x1b0\\n __x64_sys_read+0x42/0x50\\n x64_sys_call+0x27ad/0x2d30\\n do_syscall_64+0xcd/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nSimilar cases are reported by syzkaller in\\n\\nhttps://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a\\n\\nBut these are regarding the *initialization* of dev->driver\\n\\ndev->driver = drv;\\n\\nAs this switches dev->driver to non-NULL these reports can be considered\\nto be false-positives (which should be \\\"fixed\\\" by this commit, as well,\\nthough).\\n\\nThe same issue was reported and tried to be fixed back in 2015 in\\n\\nhttps://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/\\n\\nalready.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39501\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39502", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39502" + }, + { + "url": "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7" + }, + { + "url": "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5" + }, + { + "url": "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84" + }, + { + "url": "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13" + }, + { + "url": "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e" + }, + { + "url": "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e" + }, + { + "url": "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39502 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39502", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n ethtool -L rx 1 tx 1 combined 0\n ethtool -L rx 0 tx 0 combined 1\n ethtool -L rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39502\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39502\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39502\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39502\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39502\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7\",\n \"https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5\",\n \"https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84\",\n \"https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13\",\n \"https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e\",\n \"https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e\",\n \"https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nionic: fix use after netif_napi_del()\\n\\nWhen queues are started, netif_napi_add() and napi_enable() are called.\\nIf there are 4 queues and only 3 queues are used for the current\\nconfiguration, only 3 queues' napi should be registered and enabled.\\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\\nenabling only the using queue' napi. Unused queues' napi will not be\\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\\nBut it couldn't distinguish whether the napi was unregistered or not\\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\\nunregistered by netif_napi_del().\\n\\nReproducer:\\n ethtool -L rx 1 tx 1 combined 0\\n ethtool -L rx 0 tx 0 combined 1\\n ethtool -L rx 0 tx 0 combined 4\\n\\nSplat looks like:\\nkernel BUG at net/core/dev.c:6666!\\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\\nWorkqueue: events ionic_lif_deferred_work [ionic]\\nRIP: 0010:napi_enable+0x3b/0x40\\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? die+0x33/0x90\\n ? do_trap+0xd9/0x100\\n ? napi_enable+0x3b/0x40\\n ? do_error_trap+0x83/0xb0\\n ? napi_enable+0x3b/0x40\\n ? napi_enable+0x3b/0x40\\n ? exc_invalid_op+0x4e/0x70\\n ? napi_enable+0x3b/0x40\\n ? asm_exc_invalid_op+0x16/0x20\\n ? napi_enable+0x3b/0x40\\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\\n process_one_work+0x145/0x360\\n worker_thread+0x2bb/0x3d0\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xcc/0x100\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x2d/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1a/0x30\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39502\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39503", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39503" + }, + { + "url": "https://git.kernel.org/stable/c/0f1bb77c6d837c9513943bc7c08f04c5cc5c6568" + }, + { + "url": "https://git.kernel.org/stable/c/2ba35b37f780c6410bb4bba9c3072596d8576702" + }, + { + "url": "https://git.kernel.org/stable/c/390b353d1a1da3e9c6c0fd14fe650d69063c95d6" + }, + { + "url": "https://git.kernel.org/stable/c/4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10" + }, + { + "url": "https://git.kernel.org/stable/c/90ae20d47de602198eb69e6cd7a3db3420abfc08" + }, + { + "url": "https://git.kernel.org/stable/c/93b53c202b51a69e42ca57f5a183f7e008e19f83" + }, + { + "url": "https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39503 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39503", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Fix race between namespace cleanup and gc in the list:set type\n\nLion Ackermann reported that there is a race condition between namespace cleanup\nin ipset and the garbage collection of the list:set type. The namespace\ncleanup can destroy the list:set type of sets while the gc of the set type is\nwaiting to run in rcu cleanup. The latter uses data from the destroyed set which\nthus leads use after free. The patch contains the following parts:\n\n- When destroying all sets, first remove the garbage collectors, then wait\n if needed and then destroy the sets.\n- Fix the badly ordered \"wait then remove gc\" for the destroy a single set\n case.\n- Fix the missing rcu locking in the list:set type in the userspace test\n case.\n- Use proper RCU list handlings in the list:set type.\n\nThe patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39503\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39503\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39503\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39503\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39503\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f1bb77c6d837c9513943bc7c08f04c5cc5c6568\",\n \"https://git.kernel.org/stable/c/2ba35b37f780c6410bb4bba9c3072596d8576702\",\n \"https://git.kernel.org/stable/c/390b353d1a1da3e9c6c0fd14fe650d69063c95d6\",\n \"https://git.kernel.org/stable/c/4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10\",\n \"https://git.kernel.org/stable/c/90ae20d47de602198eb69e6cd7a3db3420abfc08\",\n \"https://git.kernel.org/stable/c/93b53c202b51a69e42ca57f5a183f7e008e19f83\",\n \"https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: ipset: Fix race between namespace cleanup and gc in the list:set type\\n\\nLion Ackermann reported that there is a race condition between namespace cleanup\\nin ipset and the garbage collection of the list:set type. The namespace\\ncleanup can destroy the list:set type of sets while the gc of the set type is\\nwaiting to run in rcu cleanup. The latter uses data from the destroyed set which\\nthus leads use after free. The patch contains the following parts:\\n\\n- When destroying all sets, first remove the garbage collectors, then wait\\n if needed and then destroy the sets.\\n- Fix the badly ordered \\\"wait then remove gc\\\" for the destroy a single set\\n case.\\n- Fix the missing rcu locking in the list:set type in the userspace test\\n case.\\n- Use proper RCU list handlings in the list:set type.\\n\\nThe patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39503\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39505", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39505" + }, + { + "url": "https://git.kernel.org/stable/c/0674ed1e58e2fdcc155e7d944f8aad007a94ac69" + }, + { + "url": "https://git.kernel.org/stable/c/3b1cf943b029c147bfacfd53dc28ffa632c0a622" + }, + { + "url": "https://git.kernel.org/stable/c/86042e3d16b7e0686db835c9e7af0f9044dd3a56" + }, + { + "url": "https://git.kernel.org/stable/c/9460961d82134ceda7377b77a3e3e3531b625dfe" + }, + { + "url": "https://git.kernel.org/stable/c/99392c98b9be0523fe76944b2264b1847512ad23" + }, + { + "url": "https://git.kernel.org/stable/c/b880018edd3a577e50366338194dee9b899947e0" + }, + { + "url": "https://git.kernel.org/stable/c/bda7cdaeebf57e46c1a488ae7a15f6f264691f59" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39505 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39505", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/komeda: check for error-valued pointer\n\nkomeda_pipeline_get_state() may return an error-valued pointer, thus\ncheck the pointer for negative or null value before dereferencing.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39505\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39505\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39505\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39505\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39505\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0674ed1e58e2fdcc155e7d944f8aad007a94ac69\",\n \"https://git.kernel.org/stable/c/3b1cf943b029c147bfacfd53dc28ffa632c0a622\",\n \"https://git.kernel.org/stable/c/86042e3d16b7e0686db835c9e7af0f9044dd3a56\",\n \"https://git.kernel.org/stable/c/9460961d82134ceda7377b77a3e3e3531b625dfe\",\n \"https://git.kernel.org/stable/c/99392c98b9be0523fe76944b2264b1847512ad23\",\n \"https://git.kernel.org/stable/c/b880018edd3a577e50366338194dee9b899947e0\",\n \"https://git.kernel.org/stable/c/bda7cdaeebf57e46c1a488ae7a15f6f264691f59\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/komeda: check for error-valued pointer\\n\\nkomeda_pipeline_get_state() may return an error-valued pointer, thus\\ncheck the pointer for negative or null value before dereferencing.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39505\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39506", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39506" + }, + { + "url": "https://git.kernel.org/stable/c/87d6bdc006f0cbf297a3b2ad6e40ede4c3ee5dc2" + }, + { + "url": "https://git.kernel.org/stable/c/a6f4d0ec170a46b5f453cacf55dff5989b42bbfa" + }, + { + "url": "https://git.kernel.org/stable/c/a86490a3712cc513113440a606a0e77130abd47c" + }, + { + "url": "https://git.kernel.org/stable/c/c44711b78608c98a3e6b49ce91678cd0917d5349" + }, + { + "url": "https://git.kernel.org/stable/c/cbf18d8128a753cb632bef39470d19befd9c7347" + }, + { + "url": "https://git.kernel.org/stable/c/dcc7440f32c7a26b067aff6e7d931ec593024a79" + }, + { + "url": "https://git.kernel.org/stable/c/f1ab15a09492a5ae8ab1e2c35ba2cf9e150d25ee" + }, + { + "url": "https://git.kernel.org/stable/c/fd2b613bc4c508e55c1221c6595bb889812a4fea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39506 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39506", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nliquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet\n\nIn lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,\nbut then it is unconditionally passed to skb_add_rx_frag() which looks\nstrange and could lead to null pointer dereference.\n\nlio_vf_rep_copy_packet() call trace looks like:\n\tocteon_droq_process_packets\n\t octeon_droq_fast_process_packets\n\t octeon_droq_dispatch_pkt\n\t octeon_create_recv_info\n\t ...search in the dispatch_list...\n\t ->disp_fn(rdisp->rinfo, ...)\n\t lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)\nIn this path there is no code which sets pg_info->page to NULL.\nSo this check looks unneeded and doesn't solve potential problem.\nBut I guess the author had reason to add a check and I have no such card\nand can't do real test.\nIn addition, the code in the function liquidio_push_packet() in\nliquidio/lio_core.c does exactly the same.\n\nBased on this, I consider the most acceptable compromise solution to\nadjust this issue by moving skb_add_rx_frag() into conditional scope.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39506\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39506\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39506\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39506\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39506\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/87d6bdc006f0cbf297a3b2ad6e40ede4c3ee5dc2\",\n \"https://git.kernel.org/stable/c/a6f4d0ec170a46b5f453cacf55dff5989b42bbfa\",\n \"https://git.kernel.org/stable/c/a86490a3712cc513113440a606a0e77130abd47c\",\n \"https://git.kernel.org/stable/c/c44711b78608c98a3e6b49ce91678cd0917d5349\",\n \"https://git.kernel.org/stable/c/cbf18d8128a753cb632bef39470d19befd9c7347\",\n \"https://git.kernel.org/stable/c/dcc7440f32c7a26b067aff6e7d931ec593024a79\",\n \"https://git.kernel.org/stable/c/f1ab15a09492a5ae8ab1e2c35ba2cf9e150d25ee\",\n \"https://git.kernel.org/stable/c/fd2b613bc4c508e55c1221c6595bb889812a4fea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nliquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet\\n\\nIn lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,\\nbut then it is unconditionally passed to skb_add_rx_frag() which looks\\nstrange and could lead to null pointer dereference.\\n\\nlio_vf_rep_copy_packet() call trace looks like:\\n\\tocteon_droq_process_packets\\n\\t octeon_droq_fast_process_packets\\n\\t octeon_droq_dispatch_pkt\\n\\t octeon_create_recv_info\\n\\t ...search in the dispatch_list...\\n\\t ->disp_fn(rdisp->rinfo, ...)\\n\\t lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)\\nIn this path there is no code which sets pg_info->page to NULL.\\nSo this check looks unneeded and doesn't solve potential problem.\\nBut I guess the author had reason to add a check and I have no such card\\nand can't do real test.\\nIn addition, the code in the function liquidio_push_packet() in\\nliquidio/lio_core.c does exactly the same.\\n\\nBased on this, I consider the most acceptable compromise solution to\\nadjust this issue by moving skb_add_rx_frag() into conditional scope.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39506\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39507", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39507" + }, + { + "url": "https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4" + }, + { + "url": "https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48" + }, + { + "url": "https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa" + }, + { + "url": "https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63" + }, + { + "url": "https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39507 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39507", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash problem in concurrent scenario\n\nWhen link status change, the nic driver need to notify the roce\ndriver to handle this event, but at this time, the roce driver\nmay uninit, then cause kernel crash.\n\nTo fix the problem, when link status change, need to check\nwhether the roce registered, and when uninit, need to wait link\nupdate finish.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39507\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39507\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39507\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39507\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39507\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4\",\n \"https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48\",\n \"https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa\",\n \"https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63\",\n \"https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: hns3: fix kernel crash problem in concurrent scenario\\n\\nWhen link status change, the nic driver need to notify the roce\\ndriver to handle this event, but at this time, the roce driver\\nmay uninit, then cause kernel crash.\\n\\nTo fix the problem, when link status change, need to check\\nwhether the roce registered, and when uninit, need to wait link\\nupdate finish.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39507\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39508", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39508" + }, + { + "url": "https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf" + }, + { + "url": "https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab" + }, + { + "url": "https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39508 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39508", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: Use set_bit() and test_bit() at worker->flags\n\nUtilize set_bit() and test_bit() on worker->flags within io_uring/io-wq\nto address potential data races.\n\nThe structure io_worker->flags may be accessed through various data\npaths, leading to concurrency issues. When KCSAN is enabled, it reveals\ndata races occurring in io_worker_handle_work and\nio_wq_activate_free_worker functions.\n\n\t BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker\n\t write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28:\n\t io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569)\n\t io_wq_worker (io_uring/io-wq.c:?)\n\n\n\t read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5:\n\t io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285)\n\t io_wq_enqueue (io_uring/io-wq.c:947)\n\t io_queue_iowq (io_uring/io_uring.c:524)\n\t io_req_task_submit (io_uring/io_uring.c:1511)\n\t io_handle_tw_list (io_uring/io_uring.c:1198)\n\n\nLine numbers against commit 18daea77cca6 (\"Merge tag 'for-linus' of\ngit://git.kernel.org/pub/scm/virt/kvm/kvm\").\n\nThese races involve writes and reads to the same memory location by\ndifferent tasks running on different CPUs. To mitigate this, refactor\nthe code to use atomic operations such as set_bit(), test_bit(), and\nclear_bit() instead of basic \"and\" and \"or\" operations. This ensures\nthread-safe manipulation of worker flags.\n\nAlso, move `create_index` to avoid holes in the structure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39508\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39508\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39508\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39508\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39508\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf\",\n \"https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab\",\n \"https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring/io-wq: Use set_bit() and test_bit() at worker->flags\\n\\nUtilize set_bit() and test_bit() on worker->flags within io_uring/io-wq\\nto address potential data races.\\n\\nThe structure io_worker->flags may be accessed through various data\\npaths, leading to concurrency issues. When KCSAN is enabled, it reveals\\ndata races occurring in io_worker_handle_work and\\nio_wq_activate_free_worker functions.\\n\\n\\t BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker\\n\\t write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28:\\n\\t io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569)\\n\\t io_wq_worker (io_uring/io-wq.c:?)\\n\\n\\n\\t read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5:\\n\\t io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285)\\n\\t io_wq_enqueue (io_uring/io-wq.c:947)\\n\\t io_queue_iowq (io_uring/io_uring.c:524)\\n\\t io_req_task_submit (io_uring/io_uring.c:1511)\\n\\t io_handle_tw_list (io_uring/io_uring.c:1198)\\n\\n\\nLine numbers against commit 18daea77cca6 (\\\"Merge tag 'for-linus' of\\ngit://git.kernel.org/pub/scm/virt/kvm/kvm\\\").\\n\\nThese races involve writes and reads to the same memory location by\\ndifferent tasks running on different CPUs. To mitigate this, refactor\\nthe code to use atomic operations such as set_bit(), test_bit(), and\\nclear_bit() instead of basic \\\"and\\\" and \\\"or\\\" operations. This ensures\\nthread-safe manipulation of worker flags.\\n\\nAlso, move `create_index` to avoid holes in the structure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39508\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39509", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39509" + }, + { + "url": "https://git.kernel.org/stable/c/30f76bc468b9b2cbbd5d3eb482661e3e4798893f" + }, + { + "url": "https://git.kernel.org/stable/c/33f6832798dd3297317901cc1db556ac3ae80c24" + }, + { + "url": "https://git.kernel.org/stable/c/4aa2dcfbad538adf7becd0034a3754e1bd01b2b5" + }, + { + "url": "https://git.kernel.org/stable/c/655c6de2f215b61d0708db6b06305eee9bbfeba2" + }, + { + "url": "https://git.kernel.org/stable/c/8bac61934cd563b073cd30b8cf6d5c758ab5ab26" + }, + { + "url": "https://git.kernel.org/stable/c/955b3764671f3f157215194972d9c01a3a4bd316" + }, + { + "url": "https://git.kernel.org/stable/c/bfd546fc7fd76076f81bf41b85b51ceda30949fd" + }, + { + "url": "https://git.kernel.org/stable/c/f9db5fbeffb951cac3f0fb1c2eeffb79785399ca" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39509 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39509", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: remove unnecessary WARN_ON() in implement()\n\nSyzkaller hit a warning [1] in a call to implement() when trying\nto write a value into a field of smaller size in an output report.\n\nSince implement() already has a warn message printed out with the\nhelp of hid_warn() and value in question gets trimmed with:\n\t...\n\tvalue &= m;\n\t...\nWARN_ON may be considered superfluous. Remove it to suppress future\nsyzkaller triggers.\n\n[1]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\nModules linked in:\nCPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]\nRIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\n...\nCall Trace:\n \n __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]\n usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636\n hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39509\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39509\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39509\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39509\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39509\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/30f76bc468b9b2cbbd5d3eb482661e3e4798893f\",\n \"https://git.kernel.org/stable/c/33f6832798dd3297317901cc1db556ac3ae80c24\",\n \"https://git.kernel.org/stable/c/4aa2dcfbad538adf7becd0034a3754e1bd01b2b5\",\n \"https://git.kernel.org/stable/c/655c6de2f215b61d0708db6b06305eee9bbfeba2\",\n \"https://git.kernel.org/stable/c/8bac61934cd563b073cd30b8cf6d5c758ab5ab26\",\n \"https://git.kernel.org/stable/c/955b3764671f3f157215194972d9c01a3a4bd316\",\n \"https://git.kernel.org/stable/c/bfd546fc7fd76076f81bf41b85b51ceda30949fd\",\n \"https://git.kernel.org/stable/c/f9db5fbeffb951cac3f0fb1c2eeffb79785399ca\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: core: remove unnecessary WARN_ON() in implement()\\n\\nSyzkaller hit a warning [1] in a call to implement() when trying\\nto write a value into a field of smaller size in an output report.\\n\\nSince implement() already has a warn message printed out with the\\nhelp of hid_warn() and value in question gets trimmed with:\\n\\t...\\n\\tvalue &= m;\\n\\t...\\nWARN_ON may be considered superfluous. Remove it to suppress future\\nsyzkaller triggers.\\n\\n[1]\\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]\\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\\nModules linked in:\\nCPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\nRIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]\\nRIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\\n...\\nCall Trace:\\n \\n __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]\\n usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636\\n hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:904 [inline]\\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n...\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39509\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-39510", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-39510" + }, + { + "url": "https://git.kernel.org/stable/c/3958679c49152391209b32be3357193300a51abd" + }, + { + "url": "https://git.kernel.org/stable/c/93064676a2820420a2d37d7c8289f277fe20793d" + }, + { + "url": "https://git.kernel.org/stable/c/cb55625f8eb9d2de8be4da0c4580d48cbb32058e" + }, + { + "url": "https://git.kernel.org/stable/c/da4a827416066191aafeeccee50a8836a826ba10" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-39510 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-39510", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60\nRead of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963\n\nCPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564\nCall Trace:\n kasan_report+0x93/0xc0\n cachefiles_ondemand_daemon_read+0xb41/0xb60\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 116:\n kmem_cache_alloc+0x140/0x3a0\n cachefiles_lookup_cookie+0x140/0xcd0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 792:\n kmem_cache_free+0xfe/0x390\n cachefiles_put_object+0x241/0x480\n fscache_cookie_state_machine+0x5c8/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\ncachefiles_withdraw_cookie\n cachefiles_ondemand_clean_object(object)\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n msg->object_id = req->object->ondemand->ondemand_id\n ------ restore ------\n cachefiles_ondemand_restore\n xas_for_each(&xas, req, ULONG_MAX)\n xas_set_mark(&xas, CACHEFILES_REQ_NEW)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n copy_to_user(_buffer, msg, n)\n xa_erase(&cache->reqs, id)\n complete(&REQ_A->done)\n ------ close(fd) ------\n cachefiles_ondemand_fd_release\n cachefiles_put_object\n cachefiles_put_object\n kmem_cache_free(cachefiles_object_jar, object)\n REQ_A->object->ondemand->ondemand_id\n // object UAF !!!\n\nWhen we see the request within xa_lock, req->object must not have been\nfreed yet, so grab the reference count of object before xa_unlock to\navoid the above issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-39510\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-39510\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-39510\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-39510\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-39510\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3958679c49152391209b32be3357193300a51abd\",\n \"https://git.kernel.org/stable/c/93064676a2820420a2d37d7c8289f277fe20793d\",\n \"https://git.kernel.org/stable/c/cb55625f8eb9d2de8be4da0c4580d48cbb32058e\",\n \"https://git.kernel.org/stable/c/da4a827416066191aafeeccee50a8836a826ba10\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()\\n\\nWe got the following issue in a fuzz test of randomly issuing the restore\\ncommand:\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60\\nRead of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963\\n\\nCPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564\\nCall Trace:\\n kasan_report+0x93/0xc0\\n cachefiles_ondemand_daemon_read+0xb41/0xb60\\n vfs_read+0x169/0xb50\\n ksys_read+0xf5/0x1e0\\n\\nAllocated by task 116:\\n kmem_cache_alloc+0x140/0x3a0\\n cachefiles_lookup_cookie+0x140/0xcd0\\n fscache_cookie_state_machine+0x43c/0x1230\\n [...]\\n\\nFreed by task 792:\\n kmem_cache_free+0xfe/0x390\\n cachefiles_put_object+0x241/0x480\\n fscache_cookie_state_machine+0x5c8/0x1230\\n [...]\\n==================================================================\\n\\nFollowing is the process that triggers the issue:\\n\\n mount | daemon_thread1 | daemon_thread2\\n------------------------------------------------------------\\ncachefiles_withdraw_cookie\\n cachefiles_ondemand_clean_object(object)\\n cachefiles_ondemand_send_req\\n REQ_A = kzalloc(sizeof(*req) + data_len)\\n wait_for_completion(&REQ_A->done)\\n\\n cachefiles_daemon_read\\n cachefiles_ondemand_daemon_read\\n REQ_A = cachefiles_ondemand_select_req\\n msg->object_id = req->object->ondemand->ondemand_id\\n ------ restore ------\\n cachefiles_ondemand_restore\\n xas_for_each(&xas, req, ULONG_MAX)\\n xas_set_mark(&xas, CACHEFILES_REQ_NEW)\\n\\n cachefiles_daemon_read\\n cachefiles_ondemand_daemon_read\\n REQ_A = cachefiles_ondemand_select_req\\n copy_to_user(_buffer, msg, n)\\n xa_erase(&cache->reqs, id)\\n complete(&REQ_A->done)\\n ------ close(fd) ------\\n cachefiles_ondemand_fd_release\\n cachefiles_put_object\\n cachefiles_put_object\\n kmem_cache_free(cachefiles_object_jar, object)\\n REQ_A->object->ondemand->ondemand_id\\n // object UAF !!!\\n\\nWhen we see the request within xa_lock, req->object must not have been\\nfreed yet, so grab the reference count of object before xa_unlock to\\navoid the above issue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-39510\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40899" + }, + { + "url": "https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fc" + }, + { + "url": "https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62" + }, + { + "url": "https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0" + }, + { + "url": "https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0\nWrite of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962\n\nCPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542\nCall Trace:\n kasan_report+0x94/0xc0\n cachefiles_ondemand_daemon_read+0x609/0xab0\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 626:\n __kmalloc+0x1df/0x4b0\n cachefiles_ondemand_send_req+0x24d/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 626:\n kfree+0xf1/0x2c0\n cachefiles_ondemand_send_req+0x568/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n cachefiles_ondemand_get_fd\n copy_to_user(_buffer, msg, n)\n process_open_req(REQ_A)\n ------ restore ------\n cachefiles_ondemand_restore\n xas_for_each(&xas, req, ULONG_MAX)\n xas_set_mark(&xas, CACHEFILES_REQ_NEW);\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n\n write(devfd, (\"copen %u,%llu\", msg->msg_id, size));\n cachefiles_ondemand_copen\n xa_erase(&cache->reqs, id)\n complete(&REQ_A->done)\n kfree(REQ_A)\n cachefiles_ondemand_get_fd(REQ_A)\n fd = get_unused_fd_flags\n file = anon_inode_getfile\n fd_install(fd, file)\n load = (void *)REQ_A->msg.data;\n load->fd = fd;\n // load UAF !!!\n\nThis issue is caused by issuing a restore command when the daemon is still\nalive, which results in a request being processed multiple times thus\ntriggering a UAF. So to avoid this problem, add an additional reference\ncount to cachefiles_req, which is held while waiting and reading, and then\nreleased when the waiting and reading is over.\n\nNote that since there is only one reference count for waiting, we need to\navoid the same request being completed multiple times, so we can only\ncomplete the request if it is successfully removed from the xarray.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fc\",\n \"https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62\",\n \"https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0\",\n \"https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()\\n\\nWe got the following issue in a fuzz test of randomly issuing the restore\\ncommand:\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0\\nWrite of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962\\n\\nCPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542\\nCall Trace:\\n kasan_report+0x94/0xc0\\n cachefiles_ondemand_daemon_read+0x609/0xab0\\n vfs_read+0x169/0xb50\\n ksys_read+0xf5/0x1e0\\n\\nAllocated by task 626:\\n __kmalloc+0x1df/0x4b0\\n cachefiles_ondemand_send_req+0x24d/0x690\\n cachefiles_create_tmpfile+0x249/0xb30\\n cachefiles_create_file+0x6f/0x140\\n cachefiles_look_up_object+0x29c/0xa60\\n cachefiles_lookup_cookie+0x37d/0xca0\\n fscache_cookie_state_machine+0x43c/0x1230\\n [...]\\n\\nFreed by task 626:\\n kfree+0xf1/0x2c0\\n cachefiles_ondemand_send_req+0x568/0x690\\n cachefiles_create_tmpfile+0x249/0xb30\\n cachefiles_create_file+0x6f/0x140\\n cachefiles_look_up_object+0x29c/0xa60\\n cachefiles_lookup_cookie+0x37d/0xca0\\n fscache_cookie_state_machine+0x43c/0x1230\\n [...]\\n==================================================================\\n\\nFollowing is the process that triggers the issue:\\n\\n mount | daemon_thread1 | daemon_thread2\\n------------------------------------------------------------\\n cachefiles_ondemand_init_object\\n cachefiles_ondemand_send_req\\n REQ_A = kzalloc(sizeof(*req) + data_len)\\n wait_for_completion(&REQ_A->done)\\n\\n cachefiles_daemon_read\\n cachefiles_ondemand_daemon_read\\n REQ_A = cachefiles_ondemand_select_req\\n cachefiles_ondemand_get_fd\\n copy_to_user(_buffer, msg, n)\\n process_open_req(REQ_A)\\n ------ restore ------\\n cachefiles_ondemand_restore\\n xas_for_each(&xas, req, ULONG_MAX)\\n xas_set_mark(&xas, CACHEFILES_REQ_NEW);\\n\\n cachefiles_daemon_read\\n cachefiles_ondemand_daemon_read\\n REQ_A = cachefiles_ondemand_select_req\\n\\n write(devfd, (\\\"copen %u,%llu\\\", msg->msg_id, size));\\n cachefiles_ondemand_copen\\n xa_erase(&cache->reqs, id)\\n complete(&REQ_A->done)\\n kfree(REQ_A)\\n cachefiles_ondemand_get_fd(REQ_A)\\n fd = get_unused_fd_flags\\n file = anon_inode_getfile\\n fd_install(fd, file)\\n load = (void *)REQ_A->msg.data;\\n load->fd = fd;\\n // load UAF !!!\\n\\nThis issue is caused by issuing a restore command when the daemon is still\\nalive, which results in a request being processed multiple times thus\\ntriggering a UAF. So to avoid this problem, add an additional reference\\ncount to cachefiles_req, which is held while waiting and reading, and then\\nreleased when the waiting and reading is over.\\n\\nNote that since there is only one reference count for waiting, we need to\\navoid the same request being completed multiple times, so we can only\\ncomplete the request if it is successfully removed from the xarray.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40900" + }, + { + "url": "https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013" + }, + { + "url": "https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19" + }, + { + "url": "https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598" + }, + { + "url": "https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: remove requests from xarray during flushing requests\n\nEven with CACHEFILES_DEAD set, we can still read the requests, so in the\nfollowing concurrency the request may be used after it has been freed:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n // close dev fd\n cachefiles_flush_reqs\n complete(&REQ_A->done)\n kfree(REQ_A)\n xa_lock(&cache->reqs);\n cachefiles_ondemand_select_req\n req->msg.opcode != CACHEFILES_OP_READ\n // req use-after-free !!!\n xa_unlock(&cache->reqs);\n xa_destroy(&cache->reqs)\n\nHence remove requests from cache->reqs when flushing them to avoid\naccessing freed requests.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013\",\n \"https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19\",\n \"https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598\",\n \"https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: remove requests from xarray during flushing requests\\n\\nEven with CACHEFILES_DEAD set, we can still read the requests, so in the\\nfollowing concurrency the request may be used after it has been freed:\\n\\n mount | daemon_thread1 | daemon_thread2\\n------------------------------------------------------------\\n cachefiles_ondemand_init_object\\n cachefiles_ondemand_send_req\\n REQ_A = kzalloc(sizeof(*req) + data_len)\\n wait_for_completion(&REQ_A->done)\\n cachefiles_daemon_read\\n cachefiles_ondemand_daemon_read\\n // close dev fd\\n cachefiles_flush_reqs\\n complete(&REQ_A->done)\\n kfree(REQ_A)\\n xa_lock(&cache->reqs);\\n cachefiles_ondemand_select_req\\n req->msg.opcode != CACHEFILES_OP_READ\\n // req use-after-free !!!\\n xa_unlock(&cache->reqs);\\n xa_destroy(&cache->reqs)\\n\\nHence remove requests from cache->reqs when flushing them to avoid\\naccessing freed requests.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40901", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40901" + }, + { + "url": "https://git.kernel.org/stable/c/0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16" + }, + { + "url": "https://git.kernel.org/stable/c/18abb5db0aa9b2d48f7037a88b41af2eef821674" + }, + { + "url": "https://git.kernel.org/stable/c/19649e49a6df07cd2e03e0a11396fd3a99485ec2" + }, + { + "url": "https://git.kernel.org/stable/c/4254dfeda82f20844299dca6c38cbffcfd499f41" + }, + { + "url": "https://git.kernel.org/stable/c/46bab2bcd771e725ff5ca3a68ba68cfeac45676c" + }, + { + "url": "https://git.kernel.org/stable/c/521f333e644c4246ca04a4fc4772edc53dd2a801" + }, + { + "url": "https://git.kernel.org/stable/c/9079338c5a0d1f1fee34fb1c9e99b754efe414c5" + }, + { + "url": "https://git.kernel.org/stable/c/e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40901 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40901", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory\n\nThere is a potential out-of-bounds access when using test_bit() on a single\nword. The test_bit() and set_bit() functions operate on long values, and\nwhen testing or setting a single word, they can exceed the word\nboundary. KASAN detects this issue and produces a dump:\n\n\t BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas\n\n\t Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965\n\nFor full log, please look at [1].\n\nMake the allocation at least the size of sizeof(unsigned long) so that\nset_bit() and test_bit() have sufficient room for read/write operations\nwithout overwriting unallocated memory.\n\n[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40901\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40901\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40901\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40901\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40901\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16\",\n \"https://git.kernel.org/stable/c/18abb5db0aa9b2d48f7037a88b41af2eef821674\",\n \"https://git.kernel.org/stable/c/19649e49a6df07cd2e03e0a11396fd3a99485ec2\",\n \"https://git.kernel.org/stable/c/4254dfeda82f20844299dca6c38cbffcfd499f41\",\n \"https://git.kernel.org/stable/c/46bab2bcd771e725ff5ca3a68ba68cfeac45676c\",\n \"https://git.kernel.org/stable/c/521f333e644c4246ca04a4fc4772edc53dd2a801\",\n \"https://git.kernel.org/stable/c/9079338c5a0d1f1fee34fb1c9e99b754efe414c5\",\n \"https://git.kernel.org/stable/c/e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory\\n\\nThere is a potential out-of-bounds access when using test_bit() on a single\\nword. The test_bit() and set_bit() functions operate on long values, and\\nwhen testing or setting a single word, they can exceed the word\\nboundary. KASAN detects this issue and produces a dump:\\n\\n\\t BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas\\n\\n\\t Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965\\n\\nFor full log, please look at [1].\\n\\nMake the allocation at least the size of sizeof(unsigned long) so that\\nset_bit() and test_bit() have sufficient room for read/write operations\\nwithout overwriting unallocated memory.\\n\\n[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40901\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40902", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40902" + }, + { + "url": "https://git.kernel.org/stable/c/1e84c9b1838152a87cf453270a5fa75c5037e83a" + }, + { + "url": "https://git.kernel.org/stable/c/33aecc5799c93d3ee02f853cb94e201f9731f123" + }, + { + "url": "https://git.kernel.org/stable/c/4598233d9748fe4db4e13b9f473588aa25e87d69" + }, + { + "url": "https://git.kernel.org/stable/c/480e5bc21f2c42d90c2c16045d64d824dcdd5ec7" + }, + { + "url": "https://git.kernel.org/stable/c/7c55b78818cfb732680c4a72ab270cc2d2ee3d0f" + }, + { + "url": "https://git.kernel.org/stable/c/b537cb2f4c4a1357479716a9c339c0bda03d873f" + }, + { + "url": "https://git.kernel.org/stable/c/f0dedb5c511ed82cbaff4997a8decf2351ba549f" + }, + { + "url": "https://git.kernel.org/stable/c/fc745f6e83cb650f9a5f2c864158e3a5ea76dad0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40902 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40902", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: xattr: fix buffer overflow for invalid xattr\n\nWhen an xattr size is not what is expected, it is printed out to the\nkernel log in hex format as a form of debugging. But when that xattr\nsize is bigger than the expected size, printing it out can cause an\naccess off the end of the buffer.\n\nFix this all up by properly restricting the size of the debug hex dump\nin the kernel log.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40902\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40902\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40902\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40902\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40902\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e84c9b1838152a87cf453270a5fa75c5037e83a\",\n \"https://git.kernel.org/stable/c/33aecc5799c93d3ee02f853cb94e201f9731f123\",\n \"https://git.kernel.org/stable/c/4598233d9748fe4db4e13b9f473588aa25e87d69\",\n \"https://git.kernel.org/stable/c/480e5bc21f2c42d90c2c16045d64d824dcdd5ec7\",\n \"https://git.kernel.org/stable/c/7c55b78818cfb732680c4a72ab270cc2d2ee3d0f\",\n \"https://git.kernel.org/stable/c/b537cb2f4c4a1357479716a9c339c0bda03d873f\",\n \"https://git.kernel.org/stable/c/f0dedb5c511ed82cbaff4997a8decf2351ba549f\",\n \"https://git.kernel.org/stable/c/fc745f6e83cb650f9a5f2c864158e3a5ea76dad0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: xattr: fix buffer overflow for invalid xattr\\n\\nWhen an xattr size is not what is expected, it is printed out to the\\nkernel log in hex format as a form of debugging. But when that xattr\\nsize is bigger than the expected size, printing it out can cause an\\naccess off the end of the buffer.\\n\\nFix this all up by properly restricting the size of the debug hex dump\\nin the kernel log.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n },\n {\n \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\n \"type\": \"Secondary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40902\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40904", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40904" + }, + { + "url": "https://git.kernel.org/stable/c/02a4c0499fc3a02e992b4c69a9809912af372d94" + }, + { + "url": "https://git.kernel.org/stable/c/05b2cd6d33f700597e6f081b53c668a226a96d28" + }, + { + "url": "https://git.kernel.org/stable/c/217d1f44fff560b3995a685a60aa66e55a7f0f56" + }, + { + "url": "https://git.kernel.org/stable/c/22f00812862564b314784167a89f27b444f82a46" + }, + { + "url": "https://git.kernel.org/stable/c/53250b54c92fe087fd4b0c48f85529efe1ebd879" + }, + { + "url": "https://git.kernel.org/stable/c/72a3fe36cf9f0d030865e571f45a40f9c1e07e8a" + }, + { + "url": "https://git.kernel.org/stable/c/82075aff7ffccb1e72b0ac8aa349e473624d857c" + }, + { + "url": "https://git.kernel.org/stable/c/c0747d76eb05542b5d49f67069b64ef5ff732c6c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40904 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40904", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages\n\nThe syzbot fuzzer found that the interrupt-URB completion callback in\nthe cdc-wdm driver was taking too long, and the driver's immediate\nresubmission of interrupt URBs with -EPROTO status combined with the\ndummy-hcd emulation to cause a CPU lockup:\n\ncdc_wdm 1-1:1.0: nonzero urb status received: -71\ncdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes\nwatchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]\nCPU#0 Utilization every 4s during lockup:\n\t#1: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#2: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#3: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#4: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#5: 98% system,\t 1% softirq,\t 3% hardirq,\t 0% idle\nModules linked in:\nirq event stamp: 73096\nhardirqs last enabled at (73095): [] console_emit_next_record kernel/printk/printk.c:2935 [inline]\nhardirqs last enabled at (73095): [] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994\nhardirqs last disabled at (73096): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\nhardirqs last disabled at (73096): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\nsoftirqs last enabled at (73048): [] softirq_handle_end kernel/softirq.c:400 [inline]\nsoftirqs last enabled at (73048): [] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582\nsoftirqs last disabled at (73043): [] __do_softirq+0x14/0x20 kernel/softirq.c:588\nCPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n\nTesting showed that the problem did not occur if the two error\nmessages -- the first two lines above -- were removed; apparently adding\nmaterial to the kernel log takes a surprisingly large amount of time.\n\nIn any case, the best approach for preventing these lockups and to\navoid spamming the log with thousands of error messages per second is\nto ratelimit the two dev_err() calls. Therefore we replace them with\ndev_err_ratelimited().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40904\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40904\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40904\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40904\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40904\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02a4c0499fc3a02e992b4c69a9809912af372d94\",\n \"https://git.kernel.org/stable/c/05b2cd6d33f700597e6f081b53c668a226a96d28\",\n \"https://git.kernel.org/stable/c/217d1f44fff560b3995a685a60aa66e55a7f0f56\",\n \"https://git.kernel.org/stable/c/22f00812862564b314784167a89f27b444f82a46\",\n \"https://git.kernel.org/stable/c/53250b54c92fe087fd4b0c48f85529efe1ebd879\",\n \"https://git.kernel.org/stable/c/72a3fe36cf9f0d030865e571f45a40f9c1e07e8a\",\n \"https://git.kernel.org/stable/c/82075aff7ffccb1e72b0ac8aa349e473624d857c\",\n \"https://git.kernel.org/stable/c/c0747d76eb05542b5d49f67069b64ef5ff732c6c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages\\n\\nThe syzbot fuzzer found that the interrupt-URB completion callback in\\nthe cdc-wdm driver was taking too long, and the driver's immediate\\nresubmission of interrupt URBs with -EPROTO status combined with the\\ndummy-hcd emulation to cause a CPU lockup:\\n\\ncdc_wdm 1-1:1.0: nonzero urb status received: -71\\ncdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes\\nwatchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]\\nCPU#0 Utilization every 4s during lockup:\\n\\t#1: 98% system,\\t 0% softirq,\\t 3% hardirq,\\t 0% idle\\n\\t#2: 98% system,\\t 0% softirq,\\t 3% hardirq,\\t 0% idle\\n\\t#3: 98% system,\\t 0% softirq,\\t 3% hardirq,\\t 0% idle\\n\\t#4: 98% system,\\t 0% softirq,\\t 3% hardirq,\\t 0% idle\\n\\t#5: 98% system,\\t 1% softirq,\\t 3% hardirq,\\t 0% idle\\nModules linked in:\\nirq event stamp: 73096\\nhardirqs last enabled at (73095): [] console_emit_next_record kernel/printk/printk.c:2935 [inline]\\nhardirqs last enabled at (73095): [] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994\\nhardirqs last disabled at (73096): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\\nhardirqs last disabled at (73096): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\\nsoftirqs last enabled at (73048): [] softirq_handle_end kernel/softirq.c:400 [inline]\\nsoftirqs last enabled at (73048): [] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582\\nsoftirqs last disabled at (73043): [] __do_softirq+0x14/0x20 kernel/softirq.c:588\\nCPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\n\\nTesting showed that the problem did not occur if the two error\\nmessages -- the first two lines above -- were removed; apparently adding\\nmaterial to the kernel log takes a surprisingly large amount of time.\\n\\nIn any case, the best approach for preventing these lockups and to\\navoid spamming the log with thousands of error messages per second is\\nto ratelimit the two dev_err() calls. Therefore we replace them with\\ndev_err_ratelimited().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40904\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40905" + }, + { + "url": "https://git.kernel.org/stable/c/09e5a5a80e205922151136069e440477d6816914" + }, + { + "url": "https://git.kernel.org/stable/c/2498960dac9b6fc49b6d1574f7cd1a4872744adf" + }, + { + "url": "https://git.kernel.org/stable/c/7e796c3fefa8b17b30e7252886ae8cffacd2b9ef" + }, + { + "url": "https://git.kernel.org/stable/c/a0bc020592b54a8f3fa2b7f244b6e39e526c2e12" + }, + { + "url": "https://git.kernel.org/stable/c/b01e1c030770ff3b4fe37fc7cc6bca03f594133f" + }, + { + "url": "https://git.kernel.org/stable/c/c693698787660c97950bc1f93a8dd19d8307153d" + }, + { + "url": "https://git.kernel.org/stable/c/c90af1cced2f669a7b2304584be4ada495eaa0e5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40905", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible race in __fib6_drop_pcpu_from()\n\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\n\nIf compiler reads more than once (*ppcpu_rt),\nsecond read could read NULL, if another cpu clears\nthe value in rt6_get_pcpu_route().\n\nAdd a READ_ONCE() to prevent this race.\n\nAlso add rcu_read_lock()/rcu_read_unlock() because\nwe rely on RCU protection while dereferencing pcpu_rt.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: netns cleanup_net\n RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\n fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\n fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\n fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\n fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\n fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205\n fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\n fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\n fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\n __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\n rt6_sync_down_dev net/ipv6/route.c:4906 [inline]\n rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\n addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\n addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\n notifier_call_chain+0xb9/0x410 kernel/notifier.c:93\n call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\n call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\n call_netdevice_notifiers net/core/dev.c:2044 [inline]\n dev_close_many+0x333/0x6a0 net/core/dev.c:1585\n unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\n unregister_netdevice_many net/core/dev.c:11276 [inline]\n default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\n ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\n cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09e5a5a80e205922151136069e440477d6816914\",\n \"https://git.kernel.org/stable/c/2498960dac9b6fc49b6d1574f7cd1a4872744adf\",\n \"https://git.kernel.org/stable/c/7e796c3fefa8b17b30e7252886ae8cffacd2b9ef\",\n \"https://git.kernel.org/stable/c/a0bc020592b54a8f3fa2b7f244b6e39e526c2e12\",\n \"https://git.kernel.org/stable/c/b01e1c030770ff3b4fe37fc7cc6bca03f594133f\",\n \"https://git.kernel.org/stable/c/c693698787660c97950bc1f93a8dd19d8307153d\",\n \"https://git.kernel.org/stable/c/c90af1cced2f669a7b2304584be4ada495eaa0e5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: fix possible race in __fib6_drop_pcpu_from()\\n\\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\\n\\nIf compiler reads more than once (*ppcpu_rt),\\nsecond read could read NULL, if another cpu clears\\nthe value in rt6_get_pcpu_route().\\n\\nAdd a READ_ONCE() to prevent this race.\\n\\nAlso add rcu_read_lock()/rcu_read_unlock() because\\nwe rely on RCU protection while dereferencing pcpu_rt.\\n\\n[1]\\n\\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\nWorkqueue: netns cleanup_net\\n RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\\nFS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\\n fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\\n fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\\n fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\\n fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\\n fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205\\n fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\\n fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\\n fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\\n __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\\n rt6_sync_down_dev net/ipv6/route.c:4906 [inline]\\n rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\\n addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\\n addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\\n notifier_call_chain+0xb9/0x410 kernel/notifier.c:93\\n call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\\n call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\\n call_netdevice_notifiers net/core/dev.c:2044 [inline]\\n dev_close_many+0x333/0x6a0 net/core/dev.c:1585\\n unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\\n unregister_netdevice_many net/core/dev.c:11276 [inline]\\n default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\\n ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\\n cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\\n process_scheduled_works kernel/workqueue.c:3312 [inline]\\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40906", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40906" + }, + { + "url": "https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a" + }, + { + "url": "https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f" + }, + { + "url": "https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8" + }, + { + "url": "https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40906 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40906", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always stop health timer during driver removal\n\nCurrently, if teardown_hca fails to execute during driver removal, mlx5\ndoes not stop the health timer. Afterwards, mlx5 continue with driver\nteardown. This may lead to a UAF bug, which results in page fault\nOops[1], since the health timer invokes after resources were freed.\n\nHence, stop the health monitor even if teardown_hca fails.\n\n[1]\nmlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: cleanup\nmlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource\nmlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup\nBUG: unable to handle page fault for address: ffffa26487064230\nPGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1\nHardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020\nRIP: 0010:ioread32be+0x34/0x60\nRSP: 0018:ffffa26480003e58 EFLAGS: 00010292\nRAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0\nRDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230\nRBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8\nR10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0\nR13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0\nFS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x175/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? ioread32be+0x34/0x60\n mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n poll_health+0x42/0x230 [mlx5_core]\n ? __next_timer_interrupt+0xbc/0x110\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n call_timer_fn+0x21/0x130\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n __run_timers+0x222/0x2c0\n run_timer_softirq+0x1d/0x40\n __do_softirq+0xc9/0x2c8\n __irq_exit_rcu+0xa6/0xc0\n sysvec_apic_timer_interrupt+0x72/0x90\n \n \n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:cpuidle_enter_state+0xcc/0x440\n ? cpuidle_enter_state+0xbd/0x440\n cpuidle_enter+0x2d/0x40\n do_idle+0x20d/0x270\n cpu_startup_entry+0x2a/0x30\n rest_init+0xd0/0xd0\n arch_call_rest_init+0xe/0x30\n start_kernel+0x709/0xa90\n x86_64_start_reservations+0x18/0x30\n x86_64_start_kernel+0x96/0xa0\n secondary_startup_64_no_verify+0x18f/0x19b\n---[ end trace 0000000000000000 ]---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40906\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40906\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40906\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40906\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40906\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a\",\n \"https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f\",\n \"https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8\",\n \"https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Always stop health timer during driver removal\\n\\nCurrently, if teardown_hca fails to execute during driver removal, mlx5\\ndoes not stop the health timer. Afterwards, mlx5 continue with driver\\nteardown. This may lead to a UAF bug, which results in page fault\\nOops[1], since the health timer invokes after resources were freed.\\n\\nHence, stop the health monitor even if teardown_hca fails.\\n\\n[1]\\nmlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\\nmlx5_core 0000:18:00.0: E-Switch: cleanup\\nmlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource\\nmlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup\\nBUG: unable to handle page fault for address: ffffa26487064230\\nPGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0\\nOops: 0000 [#1] PREEMPT SMP PTI\\nCPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1\\nHardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020\\nRIP: 0010:ioread32be+0x34/0x60\\nRSP: 0018:ffffa26480003e58 EFLAGS: 00010292\\nRAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0\\nRDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230\\nRBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8\\nR10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0\\nR13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0\\nFS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nPKRU: 55555554\\nCall Trace:\\n \\n ? __die+0x23/0x70\\n ? page_fault_oops+0x171/0x4e0\\n ? exc_page_fault+0x175/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\\n ? ioread32be+0x34/0x60\\n mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]\\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\\n poll_health+0x42/0x230 [mlx5_core]\\n ? __next_timer_interrupt+0xbc/0x110\\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\\n call_timer_fn+0x21/0x130\\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\\n __run_timers+0x222/0x2c0\\n run_timer_softirq+0x1d/0x40\\n __do_softirq+0xc9/0x2c8\\n __irq_exit_rcu+0xa6/0xc0\\n sysvec_apic_timer_interrupt+0x72/0x90\\n \\n \\n asm_sysvec_apic_timer_interrupt+0x1a/0x20\\nRIP: 0010:cpuidle_enter_state+0xcc/0x440\\n ? cpuidle_enter_state+0xbd/0x440\\n cpuidle_enter+0x2d/0x40\\n do_idle+0x20d/0x270\\n cpu_startup_entry+0x2a/0x30\\n rest_init+0xd0/0xd0\\n arch_call_rest_init+0xe/0x30\\n start_kernel+0x709/0xa90\\n x86_64_start_reservations+0x18/0x30\\n x86_64_start_kernel+0x96/0xa0\\n secondary_startup_64_no_verify+0x18f/0x19b\\n---[ end trace 0000000000000000 ]---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40906\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40908", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40908" + }, + { + "url": "https://git.kernel.org/stable/c/3708b6c2546c9eb34aead8a34a17e8ae69004e4d" + }, + { + "url": "https://git.kernel.org/stable/c/789bd77c9342aa6125003871ae5c6034d0f6f9d2" + }, + { + "url": "https://git.kernel.org/stable/c/ae0ba0ab7475a129ef7d449966edf677367efeb4" + }, + { + "url": "https://git.kernel.org/stable/c/d0d1df8ba18abc57f28fb3bc053b2bf319367f2c" + }, + { + "url": "https://git.kernel.org/stable/c/d387805d4b4a46ee01e3dae133c81b6d80195e5b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40908 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40908", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Set run context for rawtp test_run callback\n\nsyzbot reported crash when rawtp program executed through the\ntest_run interface calls bpf_get_attach_cookie helper or any\nother helper that touches task->bpf_ctx pointer.\n\nSetting the run context (task->bpf_ctx pointer) for test_run\ncallback.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40908\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40908\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40908\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40908\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40908\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3708b6c2546c9eb34aead8a34a17e8ae69004e4d\",\n \"https://git.kernel.org/stable/c/789bd77c9342aa6125003871ae5c6034d0f6f9d2\",\n \"https://git.kernel.org/stable/c/ae0ba0ab7475a129ef7d449966edf677367efeb4\",\n \"https://git.kernel.org/stable/c/d0d1df8ba18abc57f28fb3bc053b2bf319367f2c\",\n \"https://git.kernel.org/stable/c/d387805d4b4a46ee01e3dae133c81b6d80195e5b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Set run context for rawtp test_run callback\\n\\nsyzbot reported crash when rawtp program executed through the\\ntest_run interface calls bpf_get_attach_cookie helper or any\\nother helper that touches task->bpf_ctx pointer.\\n\\nSetting the run context (task->bpf_ctx pointer) for test_run\\ncallback.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40908\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40910", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40910" + }, + { + "url": "https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774" + }, + { + "url": "https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3" + }, + { + "url": "https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964" + }, + { + "url": "https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40910 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40910", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix refcount imbalance on inbound connections\n\nWhen releasing a socket in ax25_release(), we call netdev_put() to\ndecrease the refcount on the associated ax.25 device. However, the\nexecution path for accepting an incoming connection never calls\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\nto kernel crashes.\n\nA typical call trace for the above situation will start with one of the\nfollowing errors:\n\n refcount_t: decrement hit 0; leaking memory.\n refcount_t: underflow; use-after-free.\n\nAnd will then have a trace like:\n\n Call Trace:\n \n ? show_regs+0x64/0x70\n ? __warn+0x83/0x120\n ? refcount_warn_saturate+0xb2/0x100\n ? report_bug+0x158/0x190\n ? prb_read_valid+0x20/0x30\n ? handle_bug+0x3e/0x70\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? refcount_warn_saturate+0xb2/0x100\n ? refcount_warn_saturate+0xb2/0x100\n ax25_release+0x2ad/0x360\n __sock_release+0x35/0xa0\n sock_close+0x19/0x20\n [...]\n\nOn reboot (or any attempt to remove the interface), the kernel gets\nstuck in an infinite loop:\n\n unregister_netdevice: waiting for ax0 to become free. Usage count = 0\n\nThis patch corrects these issues by ensuring that we call netdev_hold()\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\ncases we increment the refcount, which is ultimately decremented in\nax25_release().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40910\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40910\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40910\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40910\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40910\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774\",\n \"https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3\",\n \"https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964\",\n \"https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nax25: Fix refcount imbalance on inbound connections\\n\\nWhen releasing a socket in ax25_release(), we call netdev_put() to\\ndecrease the refcount on the associated ax.25 device. However, the\\nexecution path for accepting an incoming connection never calls\\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\\nto kernel crashes.\\n\\nA typical call trace for the above situation will start with one of the\\nfollowing errors:\\n\\n refcount_t: decrement hit 0; leaking memory.\\n refcount_t: underflow; use-after-free.\\n\\nAnd will then have a trace like:\\n\\n Call Trace:\\n \\n ? show_regs+0x64/0x70\\n ? __warn+0x83/0x120\\n ? refcount_warn_saturate+0xb2/0x100\\n ? report_bug+0x158/0x190\\n ? prb_read_valid+0x20/0x30\\n ? handle_bug+0x3e/0x70\\n ? exc_invalid_op+0x1c/0x70\\n ? asm_exc_invalid_op+0x1f/0x30\\n ? refcount_warn_saturate+0xb2/0x100\\n ? refcount_warn_saturate+0xb2/0x100\\n ax25_release+0x2ad/0x360\\n __sock_release+0x35/0xa0\\n sock_close+0x19/0x20\\n [...]\\n\\nOn reboot (or any attempt to remove the interface), the kernel gets\\nstuck in an infinite loop:\\n\\n unregister_netdevice: waiting for ax0 to become free. Usage count = 0\\n\\nThis patch corrects these issues by ensuring that we call netdev_hold()\\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\\ncases we increment the refcount, which is ultimately decremented in\\nax25_release().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40910\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40911", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40911" + }, + { + "url": "https://git.kernel.org/stable/c/0ccc63958d8373e15a69f4f8069f3e78f7f3898a" + }, + { + "url": "https://git.kernel.org/stable/c/43e1eefb0b2094e2281150d87d09e8bc872b9fba" + }, + { + "url": "https://git.kernel.org/stable/c/642f89daa34567d02f312d03e41523a894906dae" + }, + { + "url": "https://git.kernel.org/stable/c/6d540b0317901535275020bd4ac44fac6439ca76" + }, + { + "url": "https://git.kernel.org/stable/c/dfd84ce41663be9ca3f69bd657c45f49b69344d9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40911 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40911", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Lock wiphy in cfg80211_get_station\n\nWiphy should be locked before calling rdev_get_station() (see lockdep\nassert in ieee80211_get_station()).\n\nThis fixes the following kernel NULL dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n Mem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000006\n CM = 0, WnR = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000\n [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000\n Internal error: Oops: 0000000096000006 [#1] SMP\n Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath\n CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705\n Hardware name: RPT (r1) (DT)\n Workqueue: bat_events batadv_v_elp_throughput_metric_update\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n lr : sta_set_sinfo+0xcc/0xbd4\n sp : ffff000007b43ad0\n x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98\n x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000\n x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc\n x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000\n x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d\n x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e\n x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000\n x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000\n x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90\n x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000\n Call trace:\n ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n sta_set_sinfo+0xcc/0xbd4\n ieee80211_get_station+0x2c/0x44\n cfg80211_get_station+0x80/0x154\n batadv_v_elp_get_throughput+0x138/0x1fc\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\n process_one_work+0x1ec/0x414\n worker_thread+0x70/0x46c\n kthread+0xdc/0xe0\n ret_from_fork+0x10/0x20\n Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)\n\nThis happens because STA has time to disconnect and reconnect before\nbatadv_v_elp_throughput_metric_update() delayed work gets scheduled. In\nthis situation, ath10k_sta_state() can be in the middle of resetting\narsta data when the work queue get chance to be scheduled and ends up\naccessing it. Locking wiphy prevents that.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40911\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40911\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40911\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40911\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40911\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ccc63958d8373e15a69f4f8069f3e78f7f3898a\",\n \"https://git.kernel.org/stable/c/43e1eefb0b2094e2281150d87d09e8bc872b9fba\",\n \"https://git.kernel.org/stable/c/642f89daa34567d02f312d03e41523a894906dae\",\n \"https://git.kernel.org/stable/c/6d540b0317901535275020bd4ac44fac6439ca76\",\n \"https://git.kernel.org/stable/c/dfd84ce41663be9ca3f69bd657c45f49b69344d9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: cfg80211: Lock wiphy in cfg80211_get_station\\n\\nWiphy should be locked before calling rdev_get_station() (see lockdep\\nassert in ieee80211_get_station()).\\n\\nThis fixes the following kernel NULL dereference:\\n\\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\\n Mem abort info:\\n ESR = 0x0000000096000006\\n EC = 0x25: DABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x06: level 2 translation fault\\n Data abort info:\\n ISV = 0, ISS = 0x00000006\\n CM = 0, WnR = 0\\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000\\n [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000\\n Internal error: Oops: 0000000096000006 [#1] SMP\\n Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath\\n CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705\\n Hardware name: RPT (r1) (DT)\\n Workqueue: bat_events batadv_v_elp_throughput_metric_update\\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\\n lr : sta_set_sinfo+0xcc/0xbd4\\n sp : ffff000007b43ad0\\n x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98\\n x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000\\n x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc\\n x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000\\n x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d\\n x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e\\n x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000\\n x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000\\n x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90\\n x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000\\n Call trace:\\n ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\\n sta_set_sinfo+0xcc/0xbd4\\n ieee80211_get_station+0x2c/0x44\\n cfg80211_get_station+0x80/0x154\\n batadv_v_elp_get_throughput+0x138/0x1fc\\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\\n process_one_work+0x1ec/0x414\\n worker_thread+0x70/0x46c\\n kthread+0xdc/0xe0\\n ret_from_fork+0x10/0x20\\n Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)\\n\\nThis happens because STA has time to disconnect and reconnect before\\nbatadv_v_elp_throughput_metric_update() delayed work gets scheduled. In\\nthis situation, ath10k_sta_state() can be in the middle of resetting\\narsta data when the work queue get chance to be scheduled and ends up\\naccessing it. Locking wiphy prevents that.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40911\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40912", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40912" + }, + { + "url": "https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932" + }, + { + "url": "https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e" + }, + { + "url": "https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81" + }, + { + "url": "https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485" + }, + { + "url": "https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb" + }, + { + "url": "https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f" + }, + { + "url": "https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e" + }, + { + "url": "https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40912 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40912", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\n\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\n rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\n Hardware name: RPT (r1) (DT)\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : queued_spin_lock_slowpath+0x58/0x2d0\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\n sp : ffff00001ef64660\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\n Call trace:\n queued_spin_lock_slowpath+0x58/0x2d0\n ieee80211_tx+0x80/0x12c\n ieee80211_tx_pending+0x110/0x278\n tasklet_action_common.constprop.0+0x10c/0x144\n tasklet_action+0x20/0x28\n _stext+0x11c/0x284\n ____do_softirq+0xc/0x14\n call_on_irq_stack+0x24/0x34\n do_softirq_own_stack+0x18/0x20\n do_softirq+0x74/0x7c\n __local_bh_enable_ip+0xa0/0xa4\n _ieee80211_wake_txqs+0x3b0/0x4b8\n __ieee80211_wake_queue+0x12c/0x168\n ieee80211_add_pending_skbs+0xec/0x138\n ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\n ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\n ieee80211_mps_sta_status_update+0x18/0x24\n sta_apply_parameters+0x3bc/0x4c0\n ieee80211_change_station+0x1b8/0x2dc\n nl80211_set_station+0x444/0x49c\n genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\n genl_rcv_msg+0x1b0/0x244\n netlink_rcv_skb+0x38/0x10c\n genl_rcv+0x34/0x48\n netlink_unicast+0x254/0x2bc\n netlink_sendmsg+0x190/0x3b4\n ____sys_sendmsg+0x1e8/0x218\n ___sys_sendmsg+0x68/0x8c\n __sys_sendmsg+0x44/0x84\n __arm64_sys_sendmsg+0x20/0x28\n do_el0_svc+0x6c/0xe8\n el0_svc+0x14/0x48\n el0t_64_sync_handler+0xb0/0xb4\n el0t_64_sync+0x14c/0x150\n\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40912\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40912\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40912\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40912\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40912\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932\",\n \"https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e\",\n \"https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81\",\n \"https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485\",\n \"https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb\",\n \"https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f\",\n \"https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e\",\n \"https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\\n\\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\\ntake this same lock ending in deadlock. Below is an example of rcu stall\\nthat arises in such situation.\\n\\n rcu: INFO: rcu_sched self-detected stall on CPU\\n rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\\n rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\\n Hardware name: RPT (r1) (DT)\\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : queued_spin_lock_slowpath+0x58/0x2d0\\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\\n sp : ffff00001ef64660\\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\\n Call trace:\\n queued_spin_lock_slowpath+0x58/0x2d0\\n ieee80211_tx+0x80/0x12c\\n ieee80211_tx_pending+0x110/0x278\\n tasklet_action_common.constprop.0+0x10c/0x144\\n tasklet_action+0x20/0x28\\n _stext+0x11c/0x284\\n ____do_softirq+0xc/0x14\\n call_on_irq_stack+0x24/0x34\\n do_softirq_own_stack+0x18/0x20\\n do_softirq+0x74/0x7c\\n __local_bh_enable_ip+0xa0/0xa4\\n _ieee80211_wake_txqs+0x3b0/0x4b8\\n __ieee80211_wake_queue+0x12c/0x168\\n ieee80211_add_pending_skbs+0xec/0x138\\n ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\\n ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\\n ieee80211_mps_sta_status_update+0x18/0x24\\n sta_apply_parameters+0x3bc/0x4c0\\n ieee80211_change_station+0x1b8/0x2dc\\n nl80211_set_station+0x444/0x49c\\n genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\\n genl_rcv_msg+0x1b0/0x244\\n netlink_rcv_skb+0x38/0x10c\\n genl_rcv+0x34/0x48\\n netlink_unicast+0x254/0x2bc\\n netlink_sendmsg+0x190/0x3b4\\n ____sys_sendmsg+0x1e8/0x218\\n ___sys_sendmsg+0x68/0x8c\\n __sys_sendmsg+0x44/0x84\\n __arm64_sys_sendmsg+0x20/0x28\\n do_el0_svc+0x6c/0xe8\\n el0_svc+0x14/0x48\\n el0t_64_sync_handler+0xb0/0xb4\\n el0t_64_sync+0x14c/0x150\\n\\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\\non the same CPU that is holding the lock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40912\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40914", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40914" + }, + { + "url": "https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9" + }, + { + "url": "https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af" + }, + { + "url": "https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf" + }, + { + "url": "https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794" + }, + { + "url": "https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40914 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40914", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: don't unpoison huge_zero_folio\n\nWhen I did memory failure tests recently, below panic occurs:\n\n kernel BUG at include/linux/mm.h:1135!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n Call Trace:\n \n do_shrink_slab+0x14f/0x6a0\n shrink_slab+0xca/0x8c0\n shrink_node+0x2d0/0x7d0\n balance_pgdat+0x33a/0x720\n kswapd+0x1f3/0x410\n kthread+0xd5/0x100\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30\n \n Modules linked in: mce_inject hwpoison_inject\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n\nThe root cause is that HWPoison flag will be set for huge_zero_folio\nwithout increasing the folio refcnt. But then unpoison_memory() will\ndecrease the folio refcnt unexpectedly as it appears like a successfully\nhwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when\nreleasing huge_zero_folio.\n\nSkip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. \nWe're not prepared to unpoison huge_zero_folio yet.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40914\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40914\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40914\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40914\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40914\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9\",\n \"https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af\",\n \"https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf\",\n \"https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794\",\n \"https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/huge_memory: don't unpoison huge_zero_folio\\n\\nWhen I did memory failure tests recently, below panic occurs:\\n\\n kernel BUG at include/linux/mm.h:1135!\\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14\\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\\n Call Trace:\\n \\n do_shrink_slab+0x14f/0x6a0\\n shrink_slab+0xca/0x8c0\\n shrink_node+0x2d0/0x7d0\\n balance_pgdat+0x33a/0x720\\n kswapd+0x1f3/0x410\\n kthread+0xd5/0x100\\n ret_from_fork+0x2f/0x50\\n ret_from_fork_asm+0x1a/0x30\\n \\n Modules linked in: mce_inject hwpoison_inject\\n ---[ end trace 0000000000000000 ]---\\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\\n\\nThe root cause is that HWPoison flag will be set for huge_zero_folio\\nwithout increasing the folio refcnt. But then unpoison_memory() will\\ndecrease the folio refcnt unexpectedly as it appears like a successfully\\nhwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when\\nreleasing huge_zero_folio.\\n\\nSkip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. \\nWe're not prepared to unpoison huge_zero_folio yet.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40914\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40915", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40915" + }, + { + "url": "https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb" + }, + { + "url": "https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876" + }, + { + "url": "https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915" + }, + { + "url": "https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40915 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40915", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: rewrite __kernel_map_pages() to fix sleeping in invalid context\n\n__kernel_map_pages() is a debug function which clears the valid bit in page\ntable entry for deallocated pages to detect illegal memory accesses to\nfreed pages.\n\nThis function set/clear the valid bit using __set_memory(). __set_memory()\nacquires init_mm's semaphore, and this operation may sleep. This is\nproblematic, because __kernel_map_pages() can be called in atomic context,\nand thus is illegal to sleep. An example warning that this causes:\n\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\npreempt_count: 2, expected: 0\nCPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n[] dump_backtrace+0x1c/0x24\n[] show_stack+0x2c/0x38\n[] dump_stack_lvl+0x5a/0x72\n[] dump_stack+0x14/0x1c\n[] __might_resched+0x104/0x10e\n[] __might_sleep+0x3e/0x62\n[] down_write+0x20/0x72\n[] __set_memory+0x82/0x2fa\n[] __kernel_map_pages+0x5a/0xd4\n[] __alloc_pages_bulk+0x3b2/0x43a\n[] __vmalloc_node_range+0x196/0x6ba\n[] copy_process+0x72c/0x17ec\n[] kernel_clone+0x60/0x2fe\n[] kernel_thread+0x82/0xa0\n[] kthreadd+0x14a/0x1be\n[] ret_from_fork+0xe/0x1c\n\nRewrite this function with apply_to_existing_page_range(). It is fine to\nnot have any locking, because __kernel_map_pages() works with pages being\nallocated/deallocated and those pages are not changed by anyone else in the\nmeantime.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40915\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40915\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40915\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40915\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40915\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb\",\n \"https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876\",\n \"https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915\",\n \"https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: rewrite __kernel_map_pages() to fix sleeping in invalid context\\n\\n__kernel_map_pages() is a debug function which clears the valid bit in page\\ntable entry for deallocated pages to detect illegal memory accesses to\\nfreed pages.\\n\\nThis function set/clear the valid bit using __set_memory(). __set_memory()\\nacquires init_mm's semaphore, and this operation may sleep. This is\\nproblematic, because __kernel_map_pages() can be called in atomic context,\\nand thus is illegal to sleep. An example warning that this causes:\\n\\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578\\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\\npreempt_count: 2, expected: 0\\nCPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37\\nHardware name: riscv-virtio,qemu (DT)\\nCall Trace:\\n[] dump_backtrace+0x1c/0x24\\n[] show_stack+0x2c/0x38\\n[] dump_stack_lvl+0x5a/0x72\\n[] dump_stack+0x14/0x1c\\n[] __might_resched+0x104/0x10e\\n[] __might_sleep+0x3e/0x62\\n[] down_write+0x20/0x72\\n[] __set_memory+0x82/0x2fa\\n[] __kernel_map_pages+0x5a/0xd4\\n[] __alloc_pages_bulk+0x3b2/0x43a\\n[] __vmalloc_node_range+0x196/0x6ba\\n[] copy_process+0x72c/0x17ec\\n[] kernel_clone+0x60/0x2fe\\n[] kernel_thread+0x82/0xa0\\n[] kthreadd+0x14a/0x1be\\n[] ret_from_fork+0xe/0x1c\\n\\nRewrite this function with apply_to_existing_page_range(). It is fine to\\nnot have any locking, because __kernel_map_pages() works with pages being\\nallocated/deallocated and those pages are not changed by anyone else in the\\nmeantime.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40915\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40916", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40916" + }, + { + "url": "https://git.kernel.org/stable/c/35bcf16b4a28c10923ff391d14f6ed0ae471ee5f" + }, + { + "url": "https://git.kernel.org/stable/c/4dfffb50316c761c59386c9b002a10ac6d7bb6c9" + }, + { + "url": "https://git.kernel.org/stable/c/510a6c0dfa6ec61d07a4b64698d8dc60045bd632" + }, + { + "url": "https://git.kernel.org/stable/c/6d6bb258d886e124e5a5328e947b36fdcb3a6028" + }, + { + "url": "https://git.kernel.org/stable/c/799d4b392417ed6889030a5b2335ccb6dcf030ab" + }, + { + "url": "https://git.kernel.org/stable/c/c3ca24dfe9a2b3f4e8899af108829b0f4b4b15ec" + }, + { + "url": "https://git.kernel.org/stable/c/e23f2eaf51ecb6ab4ceb770e747d50c1db2eb222" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40916 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40916", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found\n\nWhen reading EDID fails and driver reports no modes available, the DRM\ncore adds an artificial 1024x786 mode to the connector. Unfortunately\nsome variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not\nable to drive such mode, so report a safe 640x480 mode instead of nothing\nin case of the EDID reading failure.\n\nThis fixes the following issue observed on Trats2 board since commit\n13d5b040363c (\"drm/exynos: do not return negative values from .get_modes()\"):\n\n[drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations\nexynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)\nexynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)\nexynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)\nexynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)\nexynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)\n[drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1\nexynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state\npanel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c\nexynos-mixer 12c10000.mixer: timeout waiting for VSYNC\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n[CRTC:70:crtc-1] vblank wait timed out\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x68/0x88\n dump_stack_lvl from __warn+0x7c/0x1c4\n __warn from warn_slowpath_fmt+0x11c/0x1a8\n warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c\n drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184\n commit_tail from drm_atomic_helper_commit+0x168/0x190\n drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0\n drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c\n drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc\n drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40\n drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4\n __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c\n drm_fb_helper_set_par from fbcon_init+0x3d8/0x550\n fbcon_init from visual_init+0xc0/0x108\n visual_init from do_bind_con_driver+0x1b8/0x3a4\n do_bind_con_driver from do_take_over_console+0x140/0x1ec\n do_take_over_console from do_fbcon_takeover+0x70/0xd0\n do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac\n fbcon_fb_registered from register_framebuffer+0x190/0x21c\n register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574\n __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0\n exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94\n drm_client_register from exynos_drm_bind+0x160/0x190\n exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8\n try_to_bring_up_aggregate_device from __component_add+0xb0/0x170\n __component_add from mixer_probe+0x74/0xcc\n mixer_probe from platform_probe+0x5c/0xb8\n platform_probe from really_probe+0xe0/0x3d8\n really_probe from __driver_probe_device+0x9c/0x1e4\n __driver_probe_device from driver_probe_device+0x30/0xc0\n driver_probe_device from __device_attach_driver+0xa8/0x120\n __device_attach_driver from bus_for_each_drv+0x80/0xcc\n bus_for_each_drv from __device_attach+0xac/0x1fc\n __device_attach from bus_probe_device+0x8c/0x90\n bus_probe_device from deferred_probe_work_func+0\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40916\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40916\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40916\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40916\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40916\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/35bcf16b4a28c10923ff391d14f6ed0ae471ee5f\",\n \"https://git.kernel.org/stable/c/4dfffb50316c761c59386c9b002a10ac6d7bb6c9\",\n \"https://git.kernel.org/stable/c/510a6c0dfa6ec61d07a4b64698d8dc60045bd632\",\n \"https://git.kernel.org/stable/c/6d6bb258d886e124e5a5328e947b36fdcb3a6028\",\n \"https://git.kernel.org/stable/c/799d4b392417ed6889030a5b2335ccb6dcf030ab\",\n \"https://git.kernel.org/stable/c/c3ca24dfe9a2b3f4e8899af108829b0f4b4b15ec\",\n \"https://git.kernel.org/stable/c/e23f2eaf51ecb6ab4ceb770e747d50c1db2eb222\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found\\n\\nWhen reading EDID fails and driver reports no modes available, the DRM\\ncore adds an artificial 1024x786 mode to the connector. Unfortunately\\nsome variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not\\nable to drive such mode, so report a safe 640x480 mode instead of nothing\\nin case of the EDID reading failure.\\n\\nThis fixes the following issue observed on Trats2 board since commit\\n13d5b040363c (\\\"drm/exynos: do not return negative values from .get_modes()\\\"):\\n\\n[drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations\\nexynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)\\nexynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)\\nexynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)\\nexynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)\\nexynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)\\n[drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1\\nexynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state\\npanel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c\\nexynos-mixer 12c10000.mixer: timeout waiting for VSYNC\\n------------[ cut here ]------------\\nWARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\\n[CRTC:70:crtc-1] vblank wait timed out\\nModules linked in:\\nCPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913\\nHardware name: Samsung Exynos (Flattened Device Tree)\\nWorkqueue: events_unbound deferred_probe_work_func\\nCall trace:\\n unwind_backtrace from show_stack+0x10/0x14\\n show_stack from dump_stack_lvl+0x68/0x88\\n dump_stack_lvl from __warn+0x7c/0x1c4\\n __warn from warn_slowpath_fmt+0x11c/0x1a8\\n warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\\n drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c\\n drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184\\n commit_tail from drm_atomic_helper_commit+0x168/0x190\\n drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0\\n drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c\\n drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc\\n drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40\\n drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4\\n __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c\\n drm_fb_helper_set_par from fbcon_init+0x3d8/0x550\\n fbcon_init from visual_init+0xc0/0x108\\n visual_init from do_bind_con_driver+0x1b8/0x3a4\\n do_bind_con_driver from do_take_over_console+0x140/0x1ec\\n do_take_over_console from do_fbcon_takeover+0x70/0xd0\\n do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac\\n fbcon_fb_registered from register_framebuffer+0x190/0x21c\\n register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574\\n __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0\\n exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94\\n drm_client_register from exynos_drm_bind+0x160/0x190\\n exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8\\n try_to_bring_up_aggregate_device from __component_add+0xb0/0x170\\n __component_add from mixer_probe+0x74/0xcc\\n mixer_probe from platform_probe+0x5c/0xb8\\n platform_probe from really_probe+0xe0/0x3d8\\n really_probe from __driver_probe_device+0x9c/0x1e4\\n __driver_probe_device from driver_probe_device+0x30/0xc0\\n driver_probe_device from __device_attach_driver+0xa8/0x120\\n __device_attach_driver from bus_for_each_drv+0x80/0xcc\\n bus_for_each_drv from __device_attach+0xac/0x1fc\\n __device_attach from bus_probe_device+0x8c/0x90\\n bus_probe_device from deferred_probe_work_func+0\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40916\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40918", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40918" + }, + { + "url": "https://git.kernel.org/stable/c/5bf196f1936bf93df31112fbdfb78c03537c07b0" + }, + { + "url": "https://git.kernel.org/stable/c/72d95924ee35c8cd16ef52f912483ee938a34d49" + }, + { + "url": "https://git.kernel.org/stable/c/d66f2607d89f760cdffed88b22f309c895a2af20" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40918 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40918", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Try to fix random segmentation faults in package builds\n\nPA-RISC systems with PA8800 and PA8900 processors have had problems\nwith random segmentation faults for many years. Systems with earlier\nprocessors are much more stable.\n\nSystems with PA8800 and PA8900 processors have a large L2 cache which\nneeds per page flushing for decent performance when a large range is\nflushed. The combined cache in these systems is also more sensitive to\nnon-equivalent aliases than the caches in earlier systems.\n\nThe majority of random segmentation faults that I have looked at\nappear to be memory corruption in memory allocated using mmap and\nmalloc.\n\nMy first attempt at fixing the random faults didn't work. On\nreviewing the cache code, I realized that there were two issues\nwhich the existing code didn't handle correctly. Both relate\nto cache move-in. Another issue is that the present bit in PTEs\nis racy.\n\n1) PA-RISC caches have a mind of their own and they can speculatively\nload data and instructions for a page as long as there is a entry in\nthe TLB for the page which allows move-in. TLBs are local to each\nCPU. Thus, the TLB entry for a page must be purged before flushing\nthe page. This is particularly important on SMP systems.\n\nIn some of the flush routines, the flush routine would be called\nand then the TLB entry would be purged. This was because the flush\nroutine needed the TLB entry to do the flush.\n\n2) My initial approach to trying the fix the random faults was to\ntry and use flush_cache_page_if_present for all flush operations.\nThis actually made things worse and led to a couple of hardware\nlockups. It finally dawned on me that some lines weren't being\nflushed because the pte check code was racy. This resulted in\nrandom inequivalent mappings to physical pages.\n\nThe __flush_cache_page tmpalias flush sets up its own TLB entry\nand it doesn't need the existing TLB entry. As long as we can find\nthe pte pointer for the vm page, we can get the pfn and physical\naddress of the page. We can also purge the TLB entry for the page\nbefore doing the flush. Further, __flush_cache_page uses a special\nTLB entry that inhibits cache move-in.\n\nWhen switching page mappings, we need to ensure that lines are\nremoved from the cache. It is not sufficient to just flush the\nlines to memory as they may come back.\n\nThis made it clear that we needed to implement all the required\nflush operations using tmpalias routines. This includes flushes\nfor user and kernel pages.\n\nAfter modifying the code to use tmpalias flushes, it became clear\nthat the random segmentation faults were not fully resolved. The\nfrequency of faults was worse on systems with a 64 MB L2 (PA8900)\nand systems with more CPUs (rp4440).\n\nThe warning that I added to flush_cache_page_if_present to detect\npages that couldn't be flushed triggered frequently on some systems.\n\nHelge and I looked at the pages that couldn't be flushed and found\nthat the PTE was either cleared or for a swap page. Ignoring pages\nthat were swapped out seemed okay but pages with cleared PTEs seemed\nproblematic.\n\nI looked at routines related to pte_clear and noticed ptep_clear_flush.\nThe default implementation just flushes the TLB entry. However, it was\nobvious that on parisc we need to flush the cache page as well. If\nwe don't flush the cache page, stale lines will be left in the cache\nand cause random corruption. Once a PTE is cleared, there is no way\nto find the physical address associated with the PTE and flush the\nassociated page at a later time.\n\nI implemented an updated change with a parisc specific version of\nptep_clear_flush. It fixed the random data corruption on Helge's rp4440\nand rp3440, as well as on my c8000.\n\nAt this point, I realized that I could restore the code where we only\nflush in flush_cache_page_if_present if the page has been accessed.\nHowever, for this, we also need to flush the cache when the accessed\nbit is cleared in\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40918\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40918\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40918\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40918\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40918\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5bf196f1936bf93df31112fbdfb78c03537c07b0\",\n \"https://git.kernel.org/stable/c/72d95924ee35c8cd16ef52f912483ee938a34d49\",\n \"https://git.kernel.org/stable/c/d66f2607d89f760cdffed88b22f309c895a2af20\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nparisc: Try to fix random segmentation faults in package builds\\n\\nPA-RISC systems with PA8800 and PA8900 processors have had problems\\nwith random segmentation faults for many years. Systems with earlier\\nprocessors are much more stable.\\n\\nSystems with PA8800 and PA8900 processors have a large L2 cache which\\nneeds per page flushing for decent performance when a large range is\\nflushed. The combined cache in these systems is also more sensitive to\\nnon-equivalent aliases than the caches in earlier systems.\\n\\nThe majority of random segmentation faults that I have looked at\\nappear to be memory corruption in memory allocated using mmap and\\nmalloc.\\n\\nMy first attempt at fixing the random faults didn't work. On\\nreviewing the cache code, I realized that there were two issues\\nwhich the existing code didn't handle correctly. Both relate\\nto cache move-in. Another issue is that the present bit in PTEs\\nis racy.\\n\\n1) PA-RISC caches have a mind of their own and they can speculatively\\nload data and instructions for a page as long as there is a entry in\\nthe TLB for the page which allows move-in. TLBs are local to each\\nCPU. Thus, the TLB entry for a page must be purged before flushing\\nthe page. This is particularly important on SMP systems.\\n\\nIn some of the flush routines, the flush routine would be called\\nand then the TLB entry would be purged. This was because the flush\\nroutine needed the TLB entry to do the flush.\\n\\n2) My initial approach to trying the fix the random faults was to\\ntry and use flush_cache_page_if_present for all flush operations.\\nThis actually made things worse and led to a couple of hardware\\nlockups. It finally dawned on me that some lines weren't being\\nflushed because the pte check code was racy. This resulted in\\nrandom inequivalent mappings to physical pages.\\n\\nThe __flush_cache_page tmpalias flush sets up its own TLB entry\\nand it doesn't need the existing TLB entry. As long as we can find\\nthe pte pointer for the vm page, we can get the pfn and physical\\naddress of the page. We can also purge the TLB entry for the page\\nbefore doing the flush. Further, __flush_cache_page uses a special\\nTLB entry that inhibits cache move-in.\\n\\nWhen switching page mappings, we need to ensure that lines are\\nremoved from the cache. It is not sufficient to just flush the\\nlines to memory as they may come back.\\n\\nThis made it clear that we needed to implement all the required\\nflush operations using tmpalias routines. This includes flushes\\nfor user and kernel pages.\\n\\nAfter modifying the code to use tmpalias flushes, it became clear\\nthat the random segmentation faults were not fully resolved. The\\nfrequency of faults was worse on systems with a 64 MB L2 (PA8900)\\nand systems with more CPUs (rp4440).\\n\\nThe warning that I added to flush_cache_page_if_present to detect\\npages that couldn't be flushed triggered frequently on some systems.\\n\\nHelge and I looked at the pages that couldn't be flushed and found\\nthat the PTE was either cleared or for a swap page. Ignoring pages\\nthat were swapped out seemed okay but pages with cleared PTEs seemed\\nproblematic.\\n\\nI looked at routines related to pte_clear and noticed ptep_clear_flush.\\nThe default implementation just flushes the TLB entry. However, it was\\nobvious that on parisc we need to flush the cache page as well. If\\nwe don't flush the cache page, stale lines will be left in the cache\\nand cause random corruption. Once a PTE is cleared, there is no way\\nto find the physical address associated with the PTE and flush the\\nassociated page at a later time.\\n\\nI implemented an updated change with a parisc specific version of\\nptep_clear_flush. It fixed the random data corruption on Helge's rp4440\\nand rp3440, as well as on my c8000.\\n\\nAt this point, I realized that I could restore the code where we only\\nflush in flush_cache_page_if_present if the page has been accessed.\\nHowever, for this, we also need to flush the cache when the accessed\\nbit is cleared in\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40918\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40927", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40927" + }, + { + "url": "https://git.kernel.org/stable/c/26460c1afa311524f588e288a4941432f0de6228" + }, + { + "url": "https://git.kernel.org/stable/c/5ceac4402f5d975e5a01c806438eb4e554771577" + }, + { + "url": "https://git.kernel.org/stable/c/61593dc413c3655e4328a351555235bc3089486a" + }, + { + "url": "https://git.kernel.org/stable/c/633f72cb6124ecda97b641fbc119340bd88d51a9" + }, + { + "url": "https://git.kernel.org/stable/c/949be4ec5835e0ccb3e2a8ab0e46179cb5512518" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40927 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40927", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Handle TD clearing for multiple streams case\n\nWhen multiple streams are in use, multiple TDs might be in flight when\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\neach, to ensure everything is reset properly and the caches cleared.\nChange the logic so that any N>1 TDs found active for different streams\nare deferred until after the first one is processed, calling\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\nqueue another command until we are done with all of them. Also change\nthe error/\"should never happen\" paths to ensure we at least clear any\naffected TDs, even if we can't issue a command to clear the hardware\ncache, and complain loudly with an xhci_warn() if this ever happens.\n\nThis problem case dates back to commit e9df17eb1408 (\"USB: xhci: Correct\nassumptions about number of rings per endpoint.\") early on in the XHCI\ndriver's life, when stream support was first added.\nIt was then identified but not fixed nor made into a warning in commit\n674f8438c121 (\"xhci: split handling halted endpoints into two steps\"),\nwhich added a FIXME comment for the problem case (without materially\nchanging the behavior as far as I can tell, though the new logic made\nthe problem more obvious).\n\nThen later, in commit 94f339147fc3 (\"xhci: Fix failure to give back some\ncached cancelled URBs.\"), it was acknowledged again.\n\n[Mathias: commit 94f339147fc3 (\"xhci: Fix failure to give back some cached\ncancelled URBs.\") was a targeted regression fix to the previously mentioned\npatch. Users reported issues with usb stuck after unmounting/disconnecting\nUAS devices. This rolled back the TD clearing of multiple streams to its\noriginal state.]\n\nApparently the commit author was aware of the problem (yet still chose\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\nadded to log the problem condition, and the remaining issue was mentioned\nin the commit description. The choice of making the log type xhci_dbg()\nfor what is, at this point, a completely unhandled and known broken\ncondition is puzzling and unfortunate, as it guarantees that no actual\nusers would see the log in production, thereby making it nigh\nundebuggable (indeed, even if you turn on DEBUG, the message doesn't\nreally hint at there being a problem at all).\n\nIt took me *months* of random xHC crashes to finally find a reliable\nrepro and be able to do a deep dive debug session, which could all have\nbeen avoided had this unhandled, broken condition been actually reported\nwith a warning, as it should have been as a bug intentionally left in\nunfixed (never mind that it shouldn't have been left in at all).\n\n> Another fix to solve clearing the caches of all stream rings with\n> cancelled TDs is needed, but not as urgent.\n\n3 years after that statement and 14 years after the original bug was\nintroduced, I think it's finally time to fix it. And maybe next time\nlet's not leave bugs unfixed (that are actually worse than the original\nbug), and let's actually get people to review kernel commits please.\n\nFixes xHC crashes and IOMMU faults with UAS devices when handling\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.\nAt least in the case of JMicron controllers, the read errors end up\nhaving to cancel two TDs (for two queued requests to different streams)\nand the one that didn't get cleared properly ends up faulting the xHC\nentirely when it tries to access DMA pages that have since been unmapped,\nreferred to by the stale TDs. This normally happens quickly (after two\nor three loops). After this fix, I left the `cat` in a loop running\novernight and experienced no xHC failures, with all read errors\nrecovered properly. Repro'd and tested on an Apple M1 Mac Mini\n(dwc3 host).\n\nOn systems without an IOMMU, this bug would instead silently corrupt\nfreed memory, making this a\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40927\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40927\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40927\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40927\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40927\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/26460c1afa311524f588e288a4941432f0de6228\",\n \"https://git.kernel.org/stable/c/5ceac4402f5d975e5a01c806438eb4e554771577\",\n \"https://git.kernel.org/stable/c/61593dc413c3655e4328a351555235bc3089486a\",\n \"https://git.kernel.org/stable/c/633f72cb6124ecda97b641fbc119340bd88d51a9\",\n \"https://git.kernel.org/stable/c/949be4ec5835e0ccb3e2a8ab0e46179cb5512518\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxhci: Handle TD clearing for multiple streams case\\n\\nWhen multiple streams are in use, multiple TDs might be in flight when\\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\\neach, to ensure everything is reset properly and the caches cleared.\\nChange the logic so that any N>1 TDs found active for different streams\\nare deferred until after the first one is processed, calling\\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\\nqueue another command until we are done with all of them. Also change\\nthe error/\\\"should never happen\\\" paths to ensure we at least clear any\\naffected TDs, even if we can't issue a command to clear the hardware\\ncache, and complain loudly with an xhci_warn() if this ever happens.\\n\\nThis problem case dates back to commit e9df17eb1408 (\\\"USB: xhci: Correct\\nassumptions about number of rings per endpoint.\\\") early on in the XHCI\\ndriver's life, when stream support was first added.\\nIt was then identified but not fixed nor made into a warning in commit\\n674f8438c121 (\\\"xhci: split handling halted endpoints into two steps\\\"),\\nwhich added a FIXME comment for the problem case (without materially\\nchanging the behavior as far as I can tell, though the new logic made\\nthe problem more obvious).\\n\\nThen later, in commit 94f339147fc3 (\\\"xhci: Fix failure to give back some\\ncached cancelled URBs.\\\"), it was acknowledged again.\\n\\n[Mathias: commit 94f339147fc3 (\\\"xhci: Fix failure to give back some cached\\ncancelled URBs.\\\") was a targeted regression fix to the previously mentioned\\npatch. Users reported issues with usb stuck after unmounting/disconnecting\\nUAS devices. This rolled back the TD clearing of multiple streams to its\\noriginal state.]\\n\\nApparently the commit author was aware of the problem (yet still chose\\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\\nadded to log the problem condition, and the remaining issue was mentioned\\nin the commit description. The choice of making the log type xhci_dbg()\\nfor what is, at this point, a completely unhandled and known broken\\ncondition is puzzling and unfortunate, as it guarantees that no actual\\nusers would see the log in production, thereby making it nigh\\nundebuggable (indeed, even if you turn on DEBUG, the message doesn't\\nreally hint at there being a problem at all).\\n\\nIt took me *months* of random xHC crashes to finally find a reliable\\nrepro and be able to do a deep dive debug session, which could all have\\nbeen avoided had this unhandled, broken condition been actually reported\\nwith a warning, as it should have been as a bug intentionally left in\\nunfixed (never mind that it shouldn't have been left in at all).\\n\\n> Another fix to solve clearing the caches of all stream rings with\\n> cancelled TDs is needed, but not as urgent.\\n\\n3 years after that statement and 14 years after the original bug was\\nintroduced, I think it's finally time to fix it. And maybe next time\\nlet's not leave bugs unfixed (that are actually worse than the original\\nbug), and let's actually get people to review kernel commits please.\\n\\nFixes xHC crashes and IOMMU faults with UAS devices when handling\\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.\\nAt least in the case of JMicron controllers, the read errors end up\\nhaving to cancel two TDs (for two queued requests to different streams)\\nand the one that didn't get cleared properly ends up faulting the xHC\\nentirely when it tries to access DMA pages that have since been unmapped,\\nreferred to by the stale TDs. This normally happens quickly (after two\\nor three loops). After this fix, I left the `cat` in a loop running\\novernight and experienced no xHC failures, with all read errors\\nrecovered properly. Repro'd and tested on an Apple M1 Mac Mini\\n(dwc3 host).\\n\\nOn systems without an IOMMU, this bug would instead silently corrupt\\nfreed memory, making this a\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40927\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40929", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40929" + }, + { + "url": "https://git.kernel.org/stable/c/29a18d56bd64b95bd10bda4afda512558471382a" + }, + { + "url": "https://git.kernel.org/stable/c/3c4771091ea8016c8601399078916f722dd8833b" + }, + { + "url": "https://git.kernel.org/stable/c/60d62757df30b74bf397a2847a6db7385c6ee281" + }, + { + "url": "https://git.kernel.org/stable/c/62e007bdeb91c6879a4652c3426aef1cd9d2937b" + }, + { + "url": "https://git.kernel.org/stable/c/9e719ae3abad60e245ce248ba3f08148f375a614" + }, + { + "url": "https://git.kernel.org/stable/c/f777792952d03bbaf8329fdfa99393a5a33e2640" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40929 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40929", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: check n_ssids before accessing the ssids\n\nIn some versions of cfg80211, the ssids poinet might be a valid one even\nthough n_ssids is 0. Accessing the pointer in this case will cuase an\nout-of-bound access. Fix this by checking n_ssids first.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40929\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40929\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40929\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40929\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40929\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29a18d56bd64b95bd10bda4afda512558471382a\",\n \"https://git.kernel.org/stable/c/3c4771091ea8016c8601399078916f722dd8833b\",\n \"https://git.kernel.org/stable/c/60d62757df30b74bf397a2847a6db7385c6ee281\",\n \"https://git.kernel.org/stable/c/62e007bdeb91c6879a4652c3426aef1cd9d2937b\",\n \"https://git.kernel.org/stable/c/9e719ae3abad60e245ce248ba3f08148f375a614\",\n \"https://git.kernel.org/stable/c/f777792952d03bbaf8329fdfa99393a5a33e2640\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: check n_ssids before accessing the ssids\\n\\nIn some versions of cfg80211, the ssids poinet might be a valid one even\\nthough n_ssids is 0. Accessing the pointer in this case will cuase an\\nout-of-bound access. Fix this by checking n_ssids first.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40929\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40931", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40931" + }, + { + "url": "https://git.kernel.org/stable/c/208cd22ef5e57f82d38ec11c1a1703f9401d6dde" + }, + { + "url": "https://git.kernel.org/stable/c/7b9c7fc8600b64a86e4b47b2d190bba380267726" + }, + { + "url": "https://git.kernel.org/stable/c/8031b58c3a9b1db3ef68b3bd749fbee2e1e1aaa3" + }, + { + "url": "https://git.kernel.org/stable/c/ef473bf1dd7e8dd08bcc04b9e2d1bfed69a0a7ce" + }, + { + "url": "https://git.kernel.org/stable/c/f03c46eabb3a67bd2993e237ab5517f00a5f1813" + }, + { + "url": "https://git.kernel.org/stable/c/f1f0a46f8bb8890b90ab7194f0a0c8fe2a3fb57f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40931", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_una is properly initialized on connect\n\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\n\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/208cd22ef5e57f82d38ec11c1a1703f9401d6dde\",\n \"https://git.kernel.org/stable/c/7b9c7fc8600b64a86e4b47b2d190bba380267726\",\n \"https://git.kernel.org/stable/c/8031b58c3a9b1db3ef68b3bd749fbee2e1e1aaa3\",\n \"https://git.kernel.org/stable/c/ef473bf1dd7e8dd08bcc04b9e2d1bfed69a0a7ce\",\n \"https://git.kernel.org/stable/c/f03c46eabb3a67bd2993e237ab5517f00a5f1813\",\n \"https://git.kernel.org/stable/c/f1f0a46f8bb8890b90ab7194f0a0c8fe2a3fb57f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: ensure snd_una is properly initialized on connect\\n\\nThis is strictly related to commit fb7a0d334894 (\\\"mptcp: ensure snd_nxt\\nis properly initialized on connect\\\"). It turns out that syzkaller can\\ntrigger the retransmit after fallback and before processing any other\\nincoming packet - so that snd_una is still left uninitialized.\\n\\nAddress the issue explicitly initializing snd_una together with snd_nxt\\nand write_seq.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40932", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40932" + }, + { + "url": "https://git.kernel.org/stable/c/0acc356da8546b5c55aabfc2e2c5caa0ac9b0003" + }, + { + "url": "https://git.kernel.org/stable/c/38e3825631b1f314b21e3ade00b5a4d737eb054e" + }, + { + "url": "https://git.kernel.org/stable/c/540ca99729e28dbe902b01039a3b4bd74520a819" + }, + { + "url": "https://git.kernel.org/stable/c/777838c9b571674ef14dbddf671f372265879226" + }, + { + "url": "https://git.kernel.org/stable/c/a269c5701244db2722ae0fce5d1854f5d8f31224" + }, + { + "url": "https://git.kernel.org/stable/c/cb3ac233434dba130281db330c4b15665b2d2c4d" + }, + { + "url": "https://git.kernel.org/stable/c/dcba6bedb439581145d8aa6b0925209f23184ae1" + }, + { + "url": "https://git.kernel.org/stable/c/ebcf81504fef03f701b9711e43fea4fe2d82ebc8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40932 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40932", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos/vidi: fix memory leak in .get_modes()\n\nThe duplicated EDID is never freed. Fix it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40932\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40932\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40932\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40932\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40932\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0acc356da8546b5c55aabfc2e2c5caa0ac9b0003\",\n \"https://git.kernel.org/stable/c/38e3825631b1f314b21e3ade00b5a4d737eb054e\",\n \"https://git.kernel.org/stable/c/540ca99729e28dbe902b01039a3b4bd74520a819\",\n \"https://git.kernel.org/stable/c/777838c9b571674ef14dbddf671f372265879226\",\n \"https://git.kernel.org/stable/c/a269c5701244db2722ae0fce5d1854f5d8f31224\",\n \"https://git.kernel.org/stable/c/cb3ac233434dba130281db330c4b15665b2d2c4d\",\n \"https://git.kernel.org/stable/c/dcba6bedb439581145d8aa6b0925209f23184ae1\",\n \"https://git.kernel.org/stable/c/ebcf81504fef03f701b9711e43fea4fe2d82ebc8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/exynos/vidi: fix memory leak in .get_modes()\\n\\nThe duplicated EDID is never freed. Fix it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40932\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40934", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40934" + }, + { + "url": "https://git.kernel.org/stable/c/15122dc140d82c51c216535c57b044c4587aae45" + }, + { + "url": "https://git.kernel.org/stable/c/1df2ead5dfad5f8f92467bd94889392d53100b98" + }, + { + "url": "https://git.kernel.org/stable/c/789c99a1d7d2c8f6096d75fc2930505840ec9ea0" + }, + { + "url": "https://git.kernel.org/stable/c/a0503757947f2e46e59c1962326b53b3208c8213" + }, + { + "url": "https://git.kernel.org/stable/c/caa9c9acb93db7ad7b74b157cf101579bac9596d" + }, + { + "url": "https://git.kernel.org/stable/c/ce3af2ee95170b7d9e15fff6e500d67deab1e7b3" + }, + { + "url": "https://git.kernel.org/stable/c/f677ca8cfefee2a729ca315f660cd4868abdf8de" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40934", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()\n\nFix a memory leak on logi_dj_recv_send_report() error path.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15122dc140d82c51c216535c57b044c4587aae45\",\n \"https://git.kernel.org/stable/c/1df2ead5dfad5f8f92467bd94889392d53100b98\",\n \"https://git.kernel.org/stable/c/789c99a1d7d2c8f6096d75fc2930505840ec9ea0\",\n \"https://git.kernel.org/stable/c/a0503757947f2e46e59c1962326b53b3208c8213\",\n \"https://git.kernel.org/stable/c/caa9c9acb93db7ad7b74b157cf101579bac9596d\",\n \"https://git.kernel.org/stable/c/ce3af2ee95170b7d9e15fff6e500d67deab1e7b3\",\n \"https://git.kernel.org/stable/c/f677ca8cfefee2a729ca315f660cd4868abdf8de\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()\\n\\nFix a memory leak on logi_dj_recv_send_report() error path.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40937", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40937" + }, + { + "url": "https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037" + }, + { + "url": "https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e" + }, + { + "url": "https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc" + }, + { + "url": "https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50" + }, + { + "url": "https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40937 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40937", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Clear napi->skb before dev_kfree_skb_any()\n\ngve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it\nis freed with dev_kfree_skb_any(). This can result in a subsequent call\nto napi_get_frags returning a dangling pointer.\n\nFix this by clearing napi->skb before the skb is freed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40937\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40937\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40937\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40937\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40937\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037\",\n \"https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e\",\n \"https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc\",\n \"https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50\",\n \"https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngve: Clear napi->skb before dev_kfree_skb_any()\\n\\ngve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it\\nis freed with dev_kfree_skb_any(). This can result in a subsequent call\\nto napi_get_frags returning a dangling pointer.\\n\\nFix this by clearing napi->skb before the skb is freed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40937\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40941", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40941" + }, + { + "url": "https://git.kernel.org/stable/c/15b37c6fab9d5e40ac399fa1c725118588ed649c" + }, + { + "url": "https://git.kernel.org/stable/c/46c59a25337049a2a230ce7f7c3b9f21d0aaaad7" + }, + { + "url": "https://git.kernel.org/stable/c/4bb95f4535489ed830cf9b34b0a891e384d1aee4" + }, + { + "url": "https://git.kernel.org/stable/c/6532f18e66b384b8d4b7e5c9caca042faaa9e8de" + }, + { + "url": "https://git.kernel.org/stable/c/65686118845d427df27ee83a6ddd4885596b0805" + }, + { + "url": "https://git.kernel.org/stable/c/a05018739a5e6b9dc112c95bd4c59904062c8940" + }, + { + "url": "https://git.kernel.org/stable/c/a8bc8276af9aeacabb773f0c267cfcdb847c6f2d" + }, + { + "url": "https://git.kernel.org/stable/c/acdfa33c3cf5e1cd185cc1e0486bd0ea9f09c154" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40941 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40941", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don't read past the mfuart notifcation\n\nIn case the firmware sends a notification that claims it has more data\nthan it has, we will read past that was allocated for the notification.\nRemove the print of the buffer, we won't see it by default. If needed,\nwe can see the content with tracing.\n\nThis was reported by KFENCE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40941\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40941\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40941\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40941\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40941\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15b37c6fab9d5e40ac399fa1c725118588ed649c\",\n \"https://git.kernel.org/stable/c/46c59a25337049a2a230ce7f7c3b9f21d0aaaad7\",\n \"https://git.kernel.org/stable/c/4bb95f4535489ed830cf9b34b0a891e384d1aee4\",\n \"https://git.kernel.org/stable/c/6532f18e66b384b8d4b7e5c9caca042faaa9e8de\",\n \"https://git.kernel.org/stable/c/65686118845d427df27ee83a6ddd4885596b0805\",\n \"https://git.kernel.org/stable/c/a05018739a5e6b9dc112c95bd4c59904062c8940\",\n \"https://git.kernel.org/stable/c/a8bc8276af9aeacabb773f0c267cfcdb847c6f2d\",\n \"https://git.kernel.org/stable/c/acdfa33c3cf5e1cd185cc1e0486bd0ea9f09c154\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: iwlwifi: mvm: don't read past the mfuart notifcation\\n\\nIn case the firmware sends a notification that claims it has more data\\nthan it has, we will read past that was allocated for the notification.\\nRemove the print of the buffer, we won't see it by default. If needed,\\nwe can see the content with tracing.\\n\\nThis was reported by KFENCE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40941\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40942", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40942" + }, + { + "url": "https://git.kernel.org/stable/c/377dbb220edc8421b7960691876c5b3bef62f89b" + }, + { + "url": "https://git.kernel.org/stable/c/617dadbfb2d3e152c5753e28356d189c9d6f33c0" + }, + { + "url": "https://git.kernel.org/stable/c/63d5f89bb5664d60edbf8cf0df911aaae8ed96a4" + }, + { + "url": "https://git.kernel.org/stable/c/7518e20a189f8659b8b83969db4d33a4068fcfc3" + }, + { + "url": "https://git.kernel.org/stable/c/b7d7f11a291830fdf69d3301075dd0fb347ced84" + }, + { + "url": "https://git.kernel.org/stable/c/c4c865f971fd4a255208f57ef04d814c2ae9e0dc" + }, + { + "url": "https://git.kernel.org/stable/c/d81e244af521de63ad2883e17571b789c39b6549" + }, + { + "url": "https://git.kernel.org/stable/c/ec79670eae430b3ffb7e0a6417ad7657728b8f95" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40942 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40942", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: mesh: Fix leak of mesh_preq_queue objects\n\nThe hwmp code use objects of type mesh_preq_queue, added to a list in\nieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath\ngets deleted, ex mesh interface is removed, the entries in that list will\nnever get cleaned. Fix this by flushing all corresponding items of the\npreq_queue in mesh_path_flush_pending().\n\nThis should take care of KASAN reports like this:\n\nunreferenced object 0xffff00000668d800 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419552 (age 1836.444s)\n hex dump (first 32 bytes):\n 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....\n 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........\n backtrace:\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n [<00000000b36425d1>] worker_thread+0x9c/0x634\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\n [<000000005fccd770>] ret_from_fork+0x10/0x20\nunreferenced object 0xffff000009051f00 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419553 (age 1836.440s)\n hex dump (first 32 bytes):\n 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....\n 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....\n backtrace:\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n [<00000000b36425d1>] worker_thread+0x9c/0x634\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\n [<000000005fccd770>] ret_from_fork+0x10/0x20", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40942\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40942\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40942\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40942\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40942\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/377dbb220edc8421b7960691876c5b3bef62f89b\",\n \"https://git.kernel.org/stable/c/617dadbfb2d3e152c5753e28356d189c9d6f33c0\",\n \"https://git.kernel.org/stable/c/63d5f89bb5664d60edbf8cf0df911aaae8ed96a4\",\n \"https://git.kernel.org/stable/c/7518e20a189f8659b8b83969db4d33a4068fcfc3\",\n \"https://git.kernel.org/stable/c/b7d7f11a291830fdf69d3301075dd0fb347ced84\",\n \"https://git.kernel.org/stable/c/c4c865f971fd4a255208f57ef04d814c2ae9e0dc\",\n \"https://git.kernel.org/stable/c/d81e244af521de63ad2883e17571b789c39b6549\",\n \"https://git.kernel.org/stable/c/ec79670eae430b3ffb7e0a6417ad7657728b8f95\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: mesh: Fix leak of mesh_preq_queue objects\\n\\nThe hwmp code use objects of type mesh_preq_queue, added to a list in\\nieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath\\ngets deleted, ex mesh interface is removed, the entries in that list will\\nnever get cleaned. Fix this by flushing all corresponding items of the\\npreq_queue in mesh_path_flush_pending().\\n\\nThis should take care of KASAN reports like this:\\n\\nunreferenced object 0xffff00000668d800 (size 128):\\n comm \\\"kworker/u8:4\\\", pid 67, jiffies 4295419552 (age 1836.444s)\\n hex dump (first 32 bytes):\\n 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....\\n 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........\\n backtrace:\\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\\n [<00000000b36425d1>] worker_thread+0x9c/0x634\\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\\n [<000000005fccd770>] ret_from_fork+0x10/0x20\\nunreferenced object 0xffff000009051f00 (size 128):\\n comm \\\"kworker/u8:4\\\", pid 67, jiffies 4295419553 (age 1836.440s)\\n hex dump (first 32 bytes):\\n 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....\\n 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....\\n backtrace:\\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\\n [<00000000b36425d1>] worker_thread+0x9c/0x634\\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\\n [<000000005fccd770>] ret_from_fork+0x10/0x20\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40942\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40943", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40943" + }, + { + "url": "https://git.kernel.org/stable/c/050ce8af6838c71e872e982b50d3f1bec21da40e" + }, + { + "url": "https://git.kernel.org/stable/c/117b9c009b72a6c2ebfd23484354dfee2d9570d2" + }, + { + "url": "https://git.kernel.org/stable/c/38825ff9da91d2854dcf6d9ac320a7e641e10f25" + }, + { + "url": "https://git.kernel.org/stable/c/3c26b5d21b1239e9c7fd31ba7d9b2d7bdbaa68d9" + }, + { + "url": "https://git.kernel.org/stable/c/3c361f313d696df72f9bccf058510e9ec737b9b1" + }, + { + "url": "https://git.kernel.org/stable/c/952b023f06a24b2ad6ba67304c4c84d45bea2f18" + }, + { + "url": "https://git.kernel.org/stable/c/e8e2db1adac47970a6a9225f3858e9aa0e86287f" + }, + { + "url": "https://git.kernel.org/stable/c/ea042dc2bea19d72e37c298bf65a9c341ef3fff3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40943 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40943", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix races between hole punching and AIO+DIO\n\nAfter commit \"ocfs2: return real error code in ocfs2_dio_wr_get_block\",\nfstests/generic/300 become from always failed to sometimes failed:\n\n========================================================================\n[ 473.293420 ] run fstests generic/300\n\n[ 475.296983 ] JBD2: Ignoring recovery information on journal\n[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.\n[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found\n[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.\n[ 494.292018 ] OCFS2: File system is now read-only.\n[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30\n[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3\nfio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072\n=========================================================================\n\nIn __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten\nextents to a list. extents are also inserted into extent tree in\nocfs2_write_begin_nolock. Then another thread call fallocate to puch a\nhole at one of the unwritten extent. The extent at cpos was removed by\nocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list\nfound there is no such extent at the cpos.\n\n T1 T2 T3\n inode lock\n ...\n insert extents\n ...\n inode unlock\nocfs2_fallocate\n __ocfs2_change_file_space\n inode lock\n lock ip_alloc_sem\n ocfs2_remove_inode_range inode\n ocfs2_remove_btree_range\n ocfs2_remove_extent\n ^---remove the extent at cpos 78723\n ...\n unlock ip_alloc_sem\n inode unlock\n ocfs2_dio_end_io\n ocfs2_dio_end_io_write\n lock ip_alloc_sem\n ocfs2_mark_extent_written\n ocfs2_change_extent_flag\n ocfs2_search_extent_list\n ^---failed to find extent\n ...\n unlock ip_alloc_sem\n\nIn most filesystems, fallocate is not compatible with racing with AIO+DIO,\nso fix it by adding to wait for all dio before fallocate/punch_hole like\next4.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40943\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40943\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40943\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40943\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40943\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/050ce8af6838c71e872e982b50d3f1bec21da40e\",\n \"https://git.kernel.org/stable/c/117b9c009b72a6c2ebfd23484354dfee2d9570d2\",\n \"https://git.kernel.org/stable/c/38825ff9da91d2854dcf6d9ac320a7e641e10f25\",\n \"https://git.kernel.org/stable/c/3c26b5d21b1239e9c7fd31ba7d9b2d7bdbaa68d9\",\n \"https://git.kernel.org/stable/c/3c361f313d696df72f9bccf058510e9ec737b9b1\",\n \"https://git.kernel.org/stable/c/952b023f06a24b2ad6ba67304c4c84d45bea2f18\",\n \"https://git.kernel.org/stable/c/e8e2db1adac47970a6a9225f3858e9aa0e86287f\",\n \"https://git.kernel.org/stable/c/ea042dc2bea19d72e37c298bf65a9c341ef3fff3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: fix races between hole punching and AIO+DIO\\n\\nAfter commit \\\"ocfs2: return real error code in ocfs2_dio_wr_get_block\\\",\\nfstests/generic/300 become from always failed to sometimes failed:\\n\\n========================================================================\\n[ 473.293420 ] run fstests generic/300\\n\\n[ 475.296983 ] JBD2: Ignoring recovery information on journal\\n[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.\\n[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found\\n[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.\\n[ 494.292018 ] OCFS2: File system is now read-only.\\n[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30\\n[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3\\nfio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072\\n=========================================================================\\n\\nIn __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten\\nextents to a list. extents are also inserted into extent tree in\\nocfs2_write_begin_nolock. Then another thread call fallocate to puch a\\nhole at one of the unwritten extent. The extent at cpos was removed by\\nocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list\\nfound there is no such extent at the cpos.\\n\\n T1 T2 T3\\n inode lock\\n ...\\n insert extents\\n ...\\n inode unlock\\nocfs2_fallocate\\n __ocfs2_change_file_space\\n inode lock\\n lock ip_alloc_sem\\n ocfs2_remove_inode_range inode\\n ocfs2_remove_btree_range\\n ocfs2_remove_extent\\n ^---remove the extent at cpos 78723\\n ...\\n unlock ip_alloc_sem\\n inode unlock\\n ocfs2_dio_end_io\\n ocfs2_dio_end_io_write\\n lock ip_alloc_sem\\n ocfs2_mark_extent_written\\n ocfs2_change_extent_flag\\n ocfs2_search_extent_list\\n ^---failed to find extent\\n ...\\n unlock ip_alloc_sem\\n\\nIn most filesystems, fallocate is not compatible with racing with AIO+DIO,\\nso fix it by adding to wait for all dio before fallocate/punch_hole like\\next4.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40943\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40945", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40945" + }, + { + "url": "https://git.kernel.org/stable/c/2973b8e7d127754de9013177c41c0b5547406998" + }, + { + "url": "https://git.kernel.org/stable/c/61a96da9649a6b6a1a5d5bde9374b045fdb5c12e" + }, + { + "url": "https://git.kernel.org/stable/c/700f564758882db7c039dfba9443fe762561a3f8" + }, + { + "url": "https://git.kernel.org/stable/c/7388ae6f26c0ba95f70cc96bf9c5d5cb06c908b6" + }, + { + "url": "https://git.kernel.org/stable/c/89e8a2366e3bce584b6c01549d5019c5cda1205e" + }, + { + "url": "https://git.kernel.org/stable/c/cf34f8f66982a36e5cba0d05781b21ec9606b91e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40945 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40945", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Return right value in iommu_sva_bind_device()\n\niommu_sva_bind_device() should return either a sva bond handle or an\nERR_PTR value in error cases. Existing drivers (idxd and uacce) only\ncheck the return value with IS_ERR(). This could potentially lead to\na kernel NULL pointer dereference issue if the function returns NULL\ninstead of an error pointer.\n\nIn reality, this doesn't cause any problems because iommu_sva_bind_device()\nonly returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.\nIn this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will\nreturn an error, and the device drivers won't call iommu_sva_bind_device()\nat all.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40945\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40945\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40945\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40945\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40945\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2973b8e7d127754de9013177c41c0b5547406998\",\n \"https://git.kernel.org/stable/c/61a96da9649a6b6a1a5d5bde9374b045fdb5c12e\",\n \"https://git.kernel.org/stable/c/700f564758882db7c039dfba9443fe762561a3f8\",\n \"https://git.kernel.org/stable/c/7388ae6f26c0ba95f70cc96bf9c5d5cb06c908b6\",\n \"https://git.kernel.org/stable/c/89e8a2366e3bce584b6c01549d5019c5cda1205e\",\n \"https://git.kernel.org/stable/c/cf34f8f66982a36e5cba0d05781b21ec9606b91e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu: Return right value in iommu_sva_bind_device()\\n\\niommu_sva_bind_device() should return either a sva bond handle or an\\nERR_PTR value in error cases. Existing drivers (idxd and uacce) only\\ncheck the return value with IS_ERR(). This could potentially lead to\\na kernel NULL pointer dereference issue if the function returns NULL\\ninstead of an error pointer.\\n\\nIn reality, this doesn't cause any problems because iommu_sva_bind_device()\\nonly returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.\\nIn this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will\\nreturn an error, and the device drivers won't call iommu_sva_bind_device()\\nat all.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40945\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40953", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40953" + }, + { + "url": "https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb" + }, + { + "url": "https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c" + }, + { + "url": "https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60" + }, + { + "url": "https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40953 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40953", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\n\nUse {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the\nloads and stores are atomic. In the extremely unlikely scenario the\ncompiler tears the stores, it's theoretically possible for KVM to attempt\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\n257 vCPUs:\n\n CPU0 CPU1\n last_boosted_vcpu = 0xff;\n\n (last_boosted_vcpu = 0x100)\n last_boosted_vcpu[15:8] = 0x01;\n i = (last_boosted_vcpu = 0x1ff)\n last_boosted_vcpu[7:0] = 0x00;\n\n vcpu = kvm->vcpu_array[0x1ff];\n\nAs detected by KCSAN:\n\n BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\n\n write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t arch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t\tarch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n value changed: 0x00000012 -> 0x00000000", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40953\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40953\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40953\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40953\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40953\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb\",\n \"https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c\",\n \"https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60\",\n \"https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\\n\\nUse {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the\\nloads and stores are atomic. In the extremely unlikely scenario the\\ncompiler tears the stores, it's theoretically possible for KVM to attempt\\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\\n257 vCPUs:\\n\\n CPU0 CPU1\\n last_boosted_vcpu = 0xff;\\n\\n (last_boosted_vcpu = 0x100)\\n last_boosted_vcpu[15:8] = 0x01;\\n i = (last_boosted_vcpu = 0x1ff)\\n last_boosted_vcpu[7:0] = 0x00;\\n\\n vcpu = kvm->vcpu_array[0x1ff];\\n\\nAs detected by KCSAN:\\n\\n BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\\n\\n write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\\n\\t\\t arch/x86/kvm/vmx/vmx.c:6606) kvm_intel\\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\\n __x64_sys_ioctl (fs/ioctl.c:890)\\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\\n do_syscall_64 (arch/x86/entry/common.c:?)\\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\n read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\\n\\t\\t\\tarch/x86/kvm/vmx/vmx.c:6606) kvm_intel\\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\\n __x64_sys_ioctl (fs/ioctl.c:890)\\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\\n do_syscall_64 (arch/x86/entry/common.c:?)\\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\n value changed: 0x00000012 -> 0x00000000\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40953\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40954", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40954" + }, + { + "url": "https://git.kernel.org/stable/c/454c454ed645fed051216b79622f7cb69c1638f5" + }, + { + "url": "https://git.kernel.org/stable/c/5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9" + }, + { + "url": "https://git.kernel.org/stable/c/6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2" + }, + { + "url": "https://git.kernel.org/stable/c/78e4aa528a7b1204219d808310524344f627d069" + }, + { + "url": "https://git.kernel.org/stable/c/893eeba94c40d513cd0fe6539330ebdaea208c0e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40954 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40954", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not leave a dangling sk pointer, when socket creation fails\n\nIt is possible to trigger a use-after-free by:\n * attaching an fentry probe to __sock_release() and the probe calling the\n bpf_get_socket_cookie() helper\n * running traceroute -I 1.1.1.1 on a freshly booted VM\n\nA KASAN enabled kernel will log something like below (decoded and stripped):\n==================================================================\nBUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nRead of size 8 at addr ffff888007110dd8 by task traceroute/299\n\nCPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\nprint_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_report (mm/kasan/report.c:603)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)\n__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nbpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)\nbpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e\nbpf_trampoline_6442506592+0x47/0xaf\n__sock_release (net/socket.c:652)\n__sock_create (net/socket.c:1601)\n...\nAllocated by task 299 on cpu 2 at 78.328492s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\n__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)\nkmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)\nsk_prot_alloc (net/core/sock.c:2075)\nsk_alloc (net/core/sock.c:2134)\ninet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFreed by task 299 on cpu 2 at 78.328502s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\nkasan_save_free_info (mm/kasan/generic.c:582)\npoison_slab_object (mm/kasan/common.c:242)\n__kasan_slab_free (mm/kasan/common.c:256)\nkmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)\n__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)\ninet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by clearing the struct socket reference in sk_common_release() to cover\nall protocol families create functions, which may already attached the\nreference to the sk object with sock_init_data().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40954\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40954\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40954\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40954\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40954\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/454c454ed645fed051216b79622f7cb69c1638f5\",\n \"https://git.kernel.org/stable/c/5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9\",\n \"https://git.kernel.org/stable/c/6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2\",\n \"https://git.kernel.org/stable/c/78e4aa528a7b1204219d808310524344f627d069\",\n \"https://git.kernel.org/stable/c/893eeba94c40d513cd0fe6539330ebdaea208c0e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: do not leave a dangling sk pointer, when socket creation fails\\n\\nIt is possible to trigger a use-after-free by:\\n * attaching an fentry probe to __sock_release() and the probe calling the\\n bpf_get_socket_cookie() helper\\n * running traceroute -I 1.1.1.1 on a freshly booted VM\\n\\nA KASAN enabled kernel will log something like below (decoded and stripped):\\n==================================================================\\nBUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\\nRead of size 8 at addr ffff888007110dd8 by task traceroute/299\\n\\nCPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\\nCall Trace:\\n \\ndump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\\nprint_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\\nkasan_report (mm/kasan/report.c:603)\\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\\nkasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)\\n__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\\nbpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)\\nbpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e\\nbpf_trampoline_6442506592+0x47/0xaf\\n__sock_release (net/socket.c:652)\\n__sock_create (net/socket.c:1601)\\n...\\nAllocated by task 299 on cpu 2 at 78.328492s:\\nkasan_save_stack (mm/kasan/common.c:48)\\nkasan_save_track (mm/kasan/common.c:68)\\n__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)\\nkmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)\\nsk_prot_alloc (net/core/sock.c:2075)\\nsk_alloc (net/core/sock.c:2134)\\ninet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)\\n__sock_create (net/socket.c:1572)\\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\\n__x64_sys_socket (net/socket.c:1718)\\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\nFreed by task 299 on cpu 2 at 78.328502s:\\nkasan_save_stack (mm/kasan/common.c:48)\\nkasan_save_track (mm/kasan/common.c:68)\\nkasan_save_free_info (mm/kasan/generic.c:582)\\npoison_slab_object (mm/kasan/common.c:242)\\n__kasan_slab_free (mm/kasan/common.c:256)\\nkmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)\\n__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)\\ninet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)\\n__sock_create (net/socket.c:1572)\\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\\n__x64_sys_socket (net/socket.c:1718)\\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\nFix this by clearing the struct socket reference in sk_common_release() to cover\\nall protocol families create functions, which may already attached the\\nreference to the sk object with sock_init_data().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40954\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40956", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40956" + }, + { + "url": "https://git.kernel.org/stable/c/1b08bf5a17c66ab7dbb628df5344da53c8e7ab33" + }, + { + "url": "https://git.kernel.org/stable/c/83163667d881100a485b6c2daa30301b7f68d9b5" + }, + { + "url": "https://git.kernel.org/stable/c/a14968921486793f2a956086895c3793761309dd" + }, + { + "url": "https://git.kernel.org/stable/c/e3215deca4520773cd2b155bed164c12365149a7" + }, + { + "url": "https://git.kernel.org/stable/c/faa35db78b058a2ab6e074ee283f69fa398c36a8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40956 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40956", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list\n\nUse list_for_each_entry_safe() to allow iterating through the list and\ndeleting the entry in the iteration process. The descriptor is freed via\nidxd_desc_complete() and there's a slight chance may cause issue for\nthe list iterator when the descriptor is reused by another thread\nwithout it being deleted from the list.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40956\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40956\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40956\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40956\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40956\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b08bf5a17c66ab7dbb628df5344da53c8e7ab33\",\n \"https://git.kernel.org/stable/c/83163667d881100a485b6c2daa30301b7f68d9b5\",\n \"https://git.kernel.org/stable/c/a14968921486793f2a956086895c3793761309dd\",\n \"https://git.kernel.org/stable/c/e3215deca4520773cd2b155bed164c12365149a7\",\n \"https://git.kernel.org/stable/c/faa35db78b058a2ab6e074ee283f69fa398c36a8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list\\n\\nUse list_for_each_entry_safe() to allow iterating through the list and\\ndeleting the entry in the iteration process. The descriptor is freed via\\nidxd_desc_complete() and there's a slight chance may cause issue for\\nthe list iterator when the descriptor is reused by another thread\\nwithout it being deleted from the list.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40956\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40957", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40957" + }, + { + "url": "https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c" + }, + { + "url": "https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779" + }, + { + "url": "https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d" + }, + { + "url": "https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6" + }, + { + "url": "https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40957 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40957", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\n\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\ndereference, as below:\n\n [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\n [74830.655633] #PF: supervisor read access in kernel mode\n [74830.657888] #PF: error_code(0x0000) - not-present page\n [74830.659500] PGD 0 P4D 0\n [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\n ...\n [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n ...\n [74830.689725] Call Trace:\n [74830.690402] \n [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df\n [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df\n [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]\n [74830.694275] ? __die_body.cold+0x8/0xd\n [74830.695205] ? page_fault_oops+0xac/0x140\n [74830.696244] ? exc_page_fault+0x62/0x150\n [74830.697225] ? asm_exc_page_fault+0x22/0x30\n [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n [74830.699540] ipt_do_table+0x286/0x710 [ip_tables]\n [74830.700758] ? ip6_route_input+0x19d/0x240\n [74830.701752] nf_hook_slow+0x3f/0xb0\n [74830.702678] input_action_end_dx4+0x19b/0x1e0\n [74830.703735] ? input_action_end_t+0xe0/0xe0\n [74830.704734] seg6_local_input_core+0x2d/0x60\n [74830.705782] lwtunnel_input+0x5b/0xb0\n [74830.706690] __netif_receive_skb_one_core+0x63/0xa0\n [74830.707825] process_backlog+0x99/0x140\n [74830.709538] __napi_poll+0x2c/0x160\n [74830.710673] net_rx_action+0x296/0x350\n [74830.711860] __do_softirq+0xcb/0x2ac\n [74830.713049] do_softirq+0x63/0x90\n\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\ntrigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():\n\n static bool\n rpfilter_is_loopback(const struct sk_buff *skb,\n \t const struct net_device *in)\n {\n // in is NULL\n return skb->pkt_type == PACKET_LOOPBACK ||\n \t in->flags & IFF_LOOPBACK;\n }", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40957\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40957\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40957\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40957\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40957\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c\",\n \"https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779\",\n \"https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d\",\n \"https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6\",\n \"https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\\n\\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\\ndereference, as below:\\n\\n [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\\n [74830.655633] #PF: supervisor read access in kernel mode\\n [74830.657888] #PF: error_code(0x0000) - not-present page\\n [74830.659500] PGD 0 P4D 0\\n [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\\n ...\\n [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\\n [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\\n ...\\n [74830.689725] Call Trace:\\n [74830.690402] \\n [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df\\n [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df\\n [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]\\n [74830.694275] ? __die_body.cold+0x8/0xd\\n [74830.695205] ? page_fault_oops+0xac/0x140\\n [74830.696244] ? exc_page_fault+0x62/0x150\\n [74830.697225] ? asm_exc_page_fault+0x22/0x30\\n [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\\n [74830.699540] ipt_do_table+0x286/0x710 [ip_tables]\\n [74830.700758] ? ip6_route_input+0x19d/0x240\\n [74830.701752] nf_hook_slow+0x3f/0xb0\\n [74830.702678] input_action_end_dx4+0x19b/0x1e0\\n [74830.703735] ? input_action_end_t+0xe0/0xe0\\n [74830.704734] seg6_local_input_core+0x2d/0x60\\n [74830.705782] lwtunnel_input+0x5b/0xb0\\n [74830.706690] __netif_receive_skb_one_core+0x63/0xa0\\n [74830.707825] process_backlog+0x99/0x140\\n [74830.709538] __napi_poll+0x2c/0x160\\n [74830.710673] net_rx_action+0x296/0x350\\n [74830.711860] __do_softirq+0xcb/0x2ac\\n [74830.713049] do_softirq+0x63/0x90\\n\\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\\ntrigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():\\n\\n static bool\\n rpfilter_is_loopback(const struct sk_buff *skb,\\n \\t const struct net_device *in)\\n {\\n // in is NULL\\n return skb->pkt_type == PACKET_LOOPBACK ||\\n \\t in->flags & IFF_LOOPBACK;\\n }\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40957\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40958", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40958" + }, + { + "url": "https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef" + }, + { + "url": "https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b" + }, + { + "url": "https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55" + }, + { + "url": "https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b" + }, + { + "url": "https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940" + }, + { + "url": "https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876" + }, + { + "url": "https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40958 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40958", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetns: Make get_net_ns() handle zero refcount net\n\nSyzkaller hit a warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0\nModules linked in:\nCPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xdf/0x1d0\nCode: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1\nRSP: 0018:ffff8881067b7da0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac\nRDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001\nRBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139\nR10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4\nR13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040\nFS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ? show_regs+0xa3/0xc0\n ? __warn+0xa5/0x1c0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? report_bug+0x1fc/0x2d0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? handle_bug+0xa1/0x110\n ? exc_invalid_op+0x3c/0xb0\n ? asm_exc_invalid_op+0x1f/0x30\n ? __warn_printk+0xcc/0x140\n ? __warn_printk+0xd5/0x140\n ? refcount_warn_saturate+0xdf/0x1d0\n get_net_ns+0xa4/0xc0\n ? __pfx_get_net_ns+0x10/0x10\n open_related_ns+0x5a/0x130\n __tun_chr_ioctl+0x1616/0x2370\n ? __sanitizer_cov_trace_switch+0x58/0xa0\n ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30\n ? __pfx_tun_chr_ioctl+0x10/0x10\n tun_chr_ioctl+0x2f/0x40\n __x64_sys_ioctl+0x11b/0x160\n x64_sys_call+0x1211/0x20d0\n do_syscall_64+0x9e/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5b28f165d7\nCode: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8\nRSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7\nRDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003\nRBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0\nR10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730\nR13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000\n \nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nThis is trigger as below:\n ns0 ns1\ntun_set_iff() //dev is tun0\n tun->dev = dev\n//ip link set tun0 netns ns1\n put_net() //ref is 0\n__tun_chr_ioctl() //TUNGETDEVNETNS\n net = dev_net(tun->dev);\n open_related_ns(&net->ns, get_net_ns); //ns1\n get_net_ns()\n get_net() //addition on 0\n\nUse maybe_get_net() in get_net_ns in case net's ref is zero to fix this", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40958\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40958\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40958\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40958\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40958\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef\",\n \"https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b\",\n \"https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55\",\n \"https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b\",\n \"https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940\",\n \"https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876\",\n \"https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetns: Make get_net_ns() handle zero refcount net\\n\\nSyzkaller hit a warning:\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0\\nModules linked in:\\nCPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nRIP: 0010:refcount_warn_saturate+0xdf/0x1d0\\nCode: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1\\nRSP: 0018:ffff8881067b7da0 EFLAGS: 00010286\\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac\\nRDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001\\nRBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139\\nR10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4\\nR13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040\\nFS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n ? show_regs+0xa3/0xc0\\n ? __warn+0xa5/0x1c0\\n ? refcount_warn_saturate+0xdf/0x1d0\\n ? report_bug+0x1fc/0x2d0\\n ? refcount_warn_saturate+0xdf/0x1d0\\n ? handle_bug+0xa1/0x110\\n ? exc_invalid_op+0x3c/0xb0\\n ? asm_exc_invalid_op+0x1f/0x30\\n ? __warn_printk+0xcc/0x140\\n ? __warn_printk+0xd5/0x140\\n ? refcount_warn_saturate+0xdf/0x1d0\\n get_net_ns+0xa4/0xc0\\n ? __pfx_get_net_ns+0x10/0x10\\n open_related_ns+0x5a/0x130\\n __tun_chr_ioctl+0x1616/0x2370\\n ? __sanitizer_cov_trace_switch+0x58/0xa0\\n ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30\\n ? __pfx_tun_chr_ioctl+0x10/0x10\\n tun_chr_ioctl+0x2f/0x40\\n __x64_sys_ioctl+0x11b/0x160\\n x64_sys_call+0x1211/0x20d0\\n do_syscall_64+0x9e/0x1d0\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7f5b28f165d7\\nCode: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8\\nRSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7\\nRDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003\\nRBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0\\nR10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730\\nR13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000\\n \\nKernel panic - not syncing: kernel: panic_on_warn set ...\\n\\nThis is trigger as below:\\n ns0 ns1\\ntun_set_iff() //dev is tun0\\n tun->dev = dev\\n//ip link set tun0 netns ns1\\n put_net() //ref is 0\\n__tun_chr_ioctl() //TUNGETDEVNETNS\\n net = dev_net(tun->dev);\\n open_related_ns(&net->ns, get_net_ns); //ns1\\n get_net_ns()\\n get_net() //addition on 0\\n\\nUse maybe_get_net() in get_net_ns in case net's ref is zero to fix this\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40958\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40959", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40959" + }, + { + "url": "https://git.kernel.org/stable/c/20427b85781aca0ad072851f6907a3d4b2fed8d1" + }, + { + "url": "https://git.kernel.org/stable/c/600a62b4232ac027f788c3ca395bc2333adeaacf" + }, + { + "url": "https://git.kernel.org/stable/c/83c02fb2cc0afee5bb53cddf3f34f045f654ad6a" + }, + { + "url": "https://git.kernel.org/stable/c/9f30f1f1a51d91e19f5a09236bb0b59e6a07ad08" + }, + { + "url": "https://git.kernel.org/stable/c/c71761292d4d002a8eccb57b86792c4e3b3eb3c7" + }, + { + "url": "https://git.kernel.org/stable/c/caf0bec84c62fb1cf6f7c9f0e8c857c87f8adbc3" + }, + { + "url": "https://git.kernel.org/stable/c/d46401052c2d5614da8efea5788532f0401cb164" + }, + { + "url": "https://git.kernel.org/stable/c/f897d7171652fcfc76d042bfec798b010ee89e41" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40959 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40959", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()\n\nip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.\n\nsyzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: wg-kex-wg1 wg_packet_handshake_send_worker\n RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64\nCode: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00\nRSP: 0018:ffffc90000117378 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7\nRDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98\nRBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000\nR10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]\n xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]\n xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541\n xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835\n xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]\n xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201\n xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]\n xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309\n ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256\n send6+0x611/0xd20 drivers/net/wireguard/socket.c:139\n wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178\n wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200\n wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40\n wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40959\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40959\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40959\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40959\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40959\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/20427b85781aca0ad072851f6907a3d4b2fed8d1\",\n \"https://git.kernel.org/stable/c/600a62b4232ac027f788c3ca395bc2333adeaacf\",\n \"https://git.kernel.org/stable/c/83c02fb2cc0afee5bb53cddf3f34f045f654ad6a\",\n \"https://git.kernel.org/stable/c/9f30f1f1a51d91e19f5a09236bb0b59e6a07ad08\",\n \"https://git.kernel.org/stable/c/c71761292d4d002a8eccb57b86792c4e3b3eb3c7\",\n \"https://git.kernel.org/stable/c/caf0bec84c62fb1cf6f7c9f0e8c857c87f8adbc3\",\n \"https://git.kernel.org/stable/c/d46401052c2d5614da8efea5788532f0401cb164\",\n \"https://git.kernel.org/stable/c/f897d7171652fcfc76d042bfec798b010ee89e41\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()\\n\\nip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.\\n\\nsyzbot reported:\\n\\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\\nCPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\nWorkqueue: wg-kex-wg1 wg_packet_handshake_send_worker\\n RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64\\nCode: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00\\nRSP: 0018:ffffc90000117378 EFLAGS: 00010246\\nRAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7\\nRDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98\\nRBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000\\nR10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480\\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\\nFS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]\\n xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]\\n xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541\\n xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835\\n xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]\\n xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201\\n xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]\\n xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309\\n ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256\\n send6+0x611/0xd20 drivers/net/wireguard/socket.c:139\\n wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178\\n wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200\\n wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40\\n wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51\\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\\n process_scheduled_works kernel/workqueue.c:3312 [inline]\\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40959\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40960", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40960" + }, + { + "url": "https://git.kernel.org/stable/c/1ed9849fdf9a1a617129346b11d2094ca26828dc" + }, + { + "url": "https://git.kernel.org/stable/c/51ee2f7c30790799d0ec30c0ce0c743e58f046f2" + }, + { + "url": "https://git.kernel.org/stable/c/569c9d9ea6648d099187527b93982f406ddcebc0" + }, + { + "url": "https://git.kernel.org/stable/c/6eed6d3cd19ff3cfa83aeceed86da14abaf7417b" + }, + { + "url": "https://git.kernel.org/stable/c/73e7c8ca6ad76f29b2c99c20845a6f3b203ff0c6" + }, + { + "url": "https://git.kernel.org/stable/c/b86762dbe19a62e785c189f313cda5b989931f37" + }, + { + "url": "https://git.kernel.org/stable/c/d66fc4826127c82f99c4033380f8e93833d331c7" + }, + { + "url": "https://git.kernel.org/stable/c/f0cda984e4e634b221dbf9642b8ecc5b4806b41e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40960 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40960", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL dereference in rt6_probe()\n\nsyzbot caught a NULL dereference in rt6_probe() [1]\n\nBail out if __in6_dev_get() returns NULL.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]\nCPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]\n RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758\nCode: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19\nRSP: 0018:ffffc900034af070 EFLAGS: 00010203\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000\nRDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c\nRBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a\nR13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000\nFS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784\n nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496\n __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825\n find_rr_leaf net/ipv6/route.c:853 [inline]\n rt6_select net/ipv6/route.c:897 [inline]\n fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195\n ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231\n pol_lookup_func include/net/ip6_fib.h:616 [inline]\n fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121\n ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]\n ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651\n ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147\n ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250\n rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898\n inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n sock_write_iter+0x4b8/0x5c0 net/socket.c:1160\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x6b6/0x1140 fs/read_write.c:590\n ksys_write+0x1f8/0x260 fs/read_write.c:643\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40960\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40960\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40960\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40960\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40960\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1ed9849fdf9a1a617129346b11d2094ca26828dc\",\n \"https://git.kernel.org/stable/c/51ee2f7c30790799d0ec30c0ce0c743e58f046f2\",\n \"https://git.kernel.org/stable/c/569c9d9ea6648d099187527b93982f406ddcebc0\",\n \"https://git.kernel.org/stable/c/6eed6d3cd19ff3cfa83aeceed86da14abaf7417b\",\n \"https://git.kernel.org/stable/c/73e7c8ca6ad76f29b2c99c20845a6f3b203ff0c6\",\n \"https://git.kernel.org/stable/c/b86762dbe19a62e785c189f313cda5b989931f37\",\n \"https://git.kernel.org/stable/c/d66fc4826127c82f99c4033380f8e93833d331c7\",\n \"https://git.kernel.org/stable/c/f0cda984e4e634b221dbf9642b8ecc5b4806b41e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: prevent possible NULL dereference in rt6_probe()\\n\\nsyzbot caught a NULL dereference in rt6_probe() [1]\\n\\nBail out if __in6_dev_get() returns NULL.\\n\\n[1]\\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]\\nCPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\\n RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]\\n RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758\\nCode: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19\\nRSP: 0018:ffffc900034af070 EFLAGS: 00010203\\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000\\nRDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c\\nRBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000\\nR10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a\\nR13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000\\nFS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784\\n nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496\\n __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825\\n find_rr_leaf net/ipv6/route.c:853 [inline]\\n rt6_select net/ipv6/route.c:897 [inline]\\n fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195\\n ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231\\n pol_lookup_func include/net/ip6_fib.h:616 [inline]\\n fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121\\n ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]\\n ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651\\n ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147\\n ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250\\n rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898\\n inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg net/socket.c:745 [inline]\\n sock_write_iter+0x4b8/0x5c0 net/socket.c:1160\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0x6b6/0x1140 fs/read_write.c:590\\n ksys_write+0x1f8/0x260 fs/read_write.c:643\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40960\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40961", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40961" + }, + { + "url": "https://git.kernel.org/stable/c/2eab4543a2204092c3a7af81d7d6c506e59a03a6" + }, + { + "url": "https://git.kernel.org/stable/c/3200ffeec4d59aad5bc9ca75d2c1fae47c0aeade" + }, + { + "url": "https://git.kernel.org/stable/c/4cdfe813015d5a24586bd0a84fa0fa6eb0a1f668" + }, + { + "url": "https://git.kernel.org/stable/c/88b9a55e2e35ea846d41f4efdc29d23345bd1aa4" + }, + { + "url": "https://git.kernel.org/stable/c/ae8d3d39efe366c2198f530e01e4bf07830bf403" + }, + { + "url": "https://git.kernel.org/stable/c/b6947723c9eabcab58cfb33cdb0a565a6aee6727" + }, + { + "url": "https://git.kernel.org/stable/c/de5ad4d45cd0128a2a37555f48ab69aa19d78adc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40961 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40961", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL deref in fib6_nh_init()\n\nsyzbot reminds us that in6_dev_get() can return NULL.\n\nfib6_nh_init()\n ip6_validate_gw( &idev )\n ip6_route_check_nh( idev )\n *idev = in6_dev_get(dev); // can be NULL\n\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606\nCode: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b\nRSP: 0018:ffffc900032775a0 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8\nRBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000\nR10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8\nR13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000\nFS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809\n ip6_route_add+0x28/0x160 net/ipv6/route.c:3853\n ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483\n inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f940f07cea9", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40961\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40961\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40961\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40961\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40961\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2eab4543a2204092c3a7af81d7d6c506e59a03a6\",\n \"https://git.kernel.org/stable/c/3200ffeec4d59aad5bc9ca75d2c1fae47c0aeade\",\n \"https://git.kernel.org/stable/c/4cdfe813015d5a24586bd0a84fa0fa6eb0a1f668\",\n \"https://git.kernel.org/stable/c/88b9a55e2e35ea846d41f4efdc29d23345bd1aa4\",\n \"https://git.kernel.org/stable/c/ae8d3d39efe366c2198f530e01e4bf07830bf403\",\n \"https://git.kernel.org/stable/c/b6947723c9eabcab58cfb33cdb0a565a6aee6727\",\n \"https://git.kernel.org/stable/c/de5ad4d45cd0128a2a37555f48ab69aa19d78adc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: prevent possible NULL deref in fib6_nh_init()\\n\\nsyzbot reminds us that in6_dev_get() can return NULL.\\n\\nfib6_nh_init()\\n ip6_validate_gw( &idev )\\n ip6_route_check_nh( idev )\\n *idev = in6_dev_get(dev); // can be NULL\\n\\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\\nCPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\\n RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606\\nCode: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b\\nRSP: 0018:ffffc900032775a0 EFLAGS: 00010202\\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000\\nRDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8\\nRBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000\\nR10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8\\nR13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000\\nFS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809\\n ip6_route_add+0x28/0x160 net/ipv6/route.c:3853\\n ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483\\n inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579\\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:907 [inline]\\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7f940f07cea9\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40961\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40963", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40963" + }, + { + "url": "https://git.kernel.org/stable/c/10afe5f7d30f6fe50c2b1177549d0e04921fc373" + }, + { + "url": "https://git.kernel.org/stable/c/2cd4854ef14a487bcfb76c7980675980cad27b52" + }, + { + "url": "https://git.kernel.org/stable/c/36d771ce6028b886e18a4a8956a5d23688e4e13d" + }, + { + "url": "https://git.kernel.org/stable/c/6c0f6ccd939166f56a904c792d7fcadae43b9085" + }, + { + "url": "https://git.kernel.org/stable/c/89167072fd249e5f23ae2f8093f87da5925cef27" + }, + { + "url": "https://git.kernel.org/stable/c/ce5cdd3b05216b704a704f466fb4c2dff3778caf" + }, + { + "url": "https://git.kernel.org/stable/c/da895fd6da438af8d9326b8f02d715a9c76c3b5b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40963 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40963", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: bmips: BCM6358: make sure CBR is correctly set\n\nIt was discovered that some device have CBR address set to 0 causing\nkernel panic when arch_sync_dma_for_cpu_all is called.\n\nThis was notice in situation where the system is booted from TP1 and\nBMIPS_GET_CBR() returns 0 instead of a valid address and\n!!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.\n\nThe current check whether RAC flush should be disabled or not are not\nenough hence lets check if CBR is a valid address or not.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40963\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40963\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40963\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40963\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40963\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10afe5f7d30f6fe50c2b1177549d0e04921fc373\",\n \"https://git.kernel.org/stable/c/2cd4854ef14a487bcfb76c7980675980cad27b52\",\n \"https://git.kernel.org/stable/c/36d771ce6028b886e18a4a8956a5d23688e4e13d\",\n \"https://git.kernel.org/stable/c/6c0f6ccd939166f56a904c792d7fcadae43b9085\",\n \"https://git.kernel.org/stable/c/89167072fd249e5f23ae2f8093f87da5925cef27\",\n \"https://git.kernel.org/stable/c/ce5cdd3b05216b704a704f466fb4c2dff3778caf\",\n \"https://git.kernel.org/stable/c/da895fd6da438af8d9326b8f02d715a9c76c3b5b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmips: bmips: BCM6358: make sure CBR is correctly set\\n\\nIt was discovered that some device have CBR address set to 0 causing\\nkernel panic when arch_sync_dma_for_cpu_all is called.\\n\\nThis was notice in situation where the system is booted from TP1 and\\nBMIPS_GET_CBR() returns 0 instead of a valid address and\\n!!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.\\n\\nThe current check whether RAC flush should be disabled or not are not\\nenough hence lets check if CBR is a valid address or not.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40963\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40965", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40965" + }, + { + "url": "https://git.kernel.org/stable/c/2b42e9587a7a9c7b824e0feb92958f258263963e" + }, + { + "url": "https://git.kernel.org/stable/c/4268254a39484fc11ba991ae148bacbe75d9cc0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40965 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40965", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: lpi2c: Avoid calling clk_get_rate during transfer\n\nInstead of repeatedly calling clk_get_rate for each transfer, lock\nthe clock rate and cache the value.\nA deadlock has been observed while adding tlv320aic32x4 audio codec to\nthe system. When this clock provider adds its clock, the clk mutex is\nlocked already, it needs to access i2c, which in return needs the mutex\nfor clk_get_rate as well.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40965\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40965\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40965\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40965\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40965\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b42e9587a7a9c7b824e0feb92958f258263963e\",\n \"https://git.kernel.org/stable/c/4268254a39484fc11ba991ae148bacbe75d9cc0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: lpi2c: Avoid calling clk_get_rate during transfer\\n\\nInstead of repeatedly calling clk_get_rate for each transfer, lock\\nthe clock rate and cache the value.\\nA deadlock has been observed while adding tlv320aic32x4 audio codec to\\nthe system. When this clock provider adds its clock, the clk mutex is\\nlocked already, it needs to access i2c, which in return needs the mutex\\nfor clk_get_rate as well.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40965\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40966", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40966" + }, + { + "url": "https://git.kernel.org/stable/c/287b569a5b914903ba7c438a3c0dbc3410ebb409" + }, + { + "url": "https://git.kernel.org/stable/c/3c6332f3bb1578b5b10ac2561247b1d6272ae937" + }, + { + "url": "https://git.kernel.org/stable/c/5920ac19964f9e20181f63b410d9200ddbf8dc86" + }, + { + "url": "https://git.kernel.org/stable/c/6bd23e0c2bb6c65d4f5754d1456bc9a4427fc59b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40966 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40966", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: add the option to have a tty reject a new ldisc\n\n... and use it to limit the virtual terminals to just N_TTY. They are\nkind of special, and in particular, the \"con_write()\" routine violates\nthe \"writes cannot sleep\" rule that some ldiscs rely on.\n\nThis avoids the\n\n BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659\n\nwhen N_GSM has been attached to a virtual console, and gsmld_write()\ncalls con_write() while holding a spinlock, and con_write() then tries\nto get the console lock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40966\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40966\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40966\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40966\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40966\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/287b569a5b914903ba7c438a3c0dbc3410ebb409\",\n \"https://git.kernel.org/stable/c/3c6332f3bb1578b5b10ac2561247b1d6272ae937\",\n \"https://git.kernel.org/stable/c/5920ac19964f9e20181f63b410d9200ddbf8dc86\",\n \"https://git.kernel.org/stable/c/6bd23e0c2bb6c65d4f5754d1456bc9a4427fc59b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: add the option to have a tty reject a new ldisc\\n\\n... and use it to limit the virtual terminals to just N_TTY. They are\\nkind of special, and in particular, the \\\"con_write()\\\" routine violates\\nthe \\\"writes cannot sleep\\\" rule that some ldiscs rely on.\\n\\nThis avoids the\\n\\n BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659\\n\\nwhen N_GSM has been attached to a virtual console, and gsmld_write()\\ncalls con_write() while holding a spinlock, and con_write() then tries\\nto get the console lock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40966\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40967", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40967" + }, + { + "url": "https://git.kernel.org/stable/c/53b2c95547427c358f45515a9f144efee95e3701" + }, + { + "url": "https://git.kernel.org/stable/c/7f2b9ab6d0b26f16cd38dd9fd91d51899635f7c7" + }, + { + "url": "https://git.kernel.org/stable/c/7f9e70c68b7ace0141fe3bc94bf7b61296b71916" + }, + { + "url": "https://git.kernel.org/stable/c/982ae3376c4c91590d38dc8a676c10f7df048a44" + }, + { + "url": "https://git.kernel.org/stable/c/e533e4c62e9993e62e947ae9bbec34e4c7ae81c2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40967 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40967", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: imx: Introduce timeout when waiting on transmitter empty\n\nBy waiting at most 1 second for USR2_TXDC to be set, we avoid a potential\ndeadlock.\n\nIn case of the timeout, there is not much we can do, so we simply ignore\nthe transmitter state and optimistically try to continue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40967\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40967\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40967\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40967\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40967\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/53b2c95547427c358f45515a9f144efee95e3701\",\n \"https://git.kernel.org/stable/c/7f2b9ab6d0b26f16cd38dd9fd91d51899635f7c7\",\n \"https://git.kernel.org/stable/c/7f9e70c68b7ace0141fe3bc94bf7b61296b71916\",\n \"https://git.kernel.org/stable/c/982ae3376c4c91590d38dc8a676c10f7df048a44\",\n \"https://git.kernel.org/stable/c/e533e4c62e9993e62e947ae9bbec34e4c7ae81c2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: imx: Introduce timeout when waiting on transmitter empty\\n\\nBy waiting at most 1 second for USR2_TXDC to be set, we avoid a potential\\ndeadlock.\\n\\nIn case of the timeout, there is not much we can do, so we simply ignore\\nthe transmitter state and optimistically try to continue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40967\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40968", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40968" + }, + { + "url": "https://git.kernel.org/stable/c/1c33fd17383f48f679186c54df78542106deeaa0" + }, + { + "url": "https://git.kernel.org/stable/c/25998f5613159fe35920dbd484fcac7ea3ad0799" + }, + { + "url": "https://git.kernel.org/stable/c/29b83a64df3b42c88c0338696feb6fdcd7f1f3b7" + }, + { + "url": "https://git.kernel.org/stable/c/38d647d509543e9434b3cc470b914348be271fe9" + }, + { + "url": "https://git.kernel.org/stable/c/64845ac64819683ad5e51b668b2ed56ee3386aee" + }, + { + "url": "https://git.kernel.org/stable/c/6bff05aaa32c2f7e1f6e68e890876642159db419" + }, + { + "url": "https://git.kernel.org/stable/c/6c1b9fe148a4e03bbfa234267ebb89f35285814a" + }, + { + "url": "https://git.kernel.org/stable/c/d996deb80398a90dd3c03590e68dad543da87d62" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40968 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40968", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: Octeon: Add PCIe link status check\n\nThe standard PCIe configuration read-write interface is used to\naccess the configuration space of the peripheral PCIe devices\nof the mips processor after the PCIe link surprise down, it can\ngenerate kernel panic caused by \"Data bus error\". So it is\nnecessary to add PCIe link status check for system protection.\nWhen the PCIe link is down or in training, assigning a value\nof 0 to the configuration address can prevent read-write behavior\nto the configuration space of peripheral PCIe devices, thereby\npreventing kernel panic.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40968\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40968\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40968\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40968\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40968\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c33fd17383f48f679186c54df78542106deeaa0\",\n \"https://git.kernel.org/stable/c/25998f5613159fe35920dbd484fcac7ea3ad0799\",\n \"https://git.kernel.org/stable/c/29b83a64df3b42c88c0338696feb6fdcd7f1f3b7\",\n \"https://git.kernel.org/stable/c/38d647d509543e9434b3cc470b914348be271fe9\",\n \"https://git.kernel.org/stable/c/64845ac64819683ad5e51b668b2ed56ee3386aee\",\n \"https://git.kernel.org/stable/c/6bff05aaa32c2f7e1f6e68e890876642159db419\",\n \"https://git.kernel.org/stable/c/6c1b9fe148a4e03bbfa234267ebb89f35285814a\",\n \"https://git.kernel.org/stable/c/d996deb80398a90dd3c03590e68dad543da87d62\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nMIPS: Octeon: Add PCIe link status check\\n\\nThe standard PCIe configuration read-write interface is used to\\naccess the configuration space of the peripheral PCIe devices\\nof the mips processor after the PCIe link surprise down, it can\\ngenerate kernel panic caused by \\\"Data bus error\\\". So it is\\nnecessary to add PCIe link status check for system protection.\\nWhen the PCIe link is down or in training, assigning a value\\nof 0 to the configuration address can prevent read-write behavior\\nto the configuration space of peripheral PCIe devices, thereby\\npreventing kernel panic.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40968\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40969", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40969" + }, + { + "url": "https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a" + }, + { + "url": "https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7" + }, + { + "url": "https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40969 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40969", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: don't set RO when shutting down f2fs\n\nShutdown does not check the error of thaw_super due to readonly, which\ncauses a deadlock like below.\n\nf2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread\n - bdev_freeze\n - freeze_super\n - f2fs_stop_checkpoint()\n - f2fs_handle_critical_error - sb_start_write\n - set RO - waiting\n - bdev_thaw\n - thaw_super_locked\n - return -EINVAL, if sb_rdonly()\n - f2fs_stop_discard_thread\n -> wait for kthread_stop(discard_thread);", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40969\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40969\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40969\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40969\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40969\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a\",\n \"https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7\",\n \"https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: don't set RO when shutting down f2fs\\n\\nShutdown does not check the error of thaw_super due to readonly, which\\ncauses a deadlock like below.\\n\\nf2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread\\n - bdev_freeze\\n - freeze_super\\n - f2fs_stop_checkpoint()\\n - f2fs_handle_critical_error - sb_start_write\\n - set RO - waiting\\n - bdev_thaw\\n - thaw_super_locked\\n - return -EINVAL, if sb_rdonly()\\n - f2fs_stop_discard_thread\\n -> wait for kthread_stop(discard_thread);\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40969\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40970", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40970" + }, + { + "url": "https://git.kernel.org/stable/c/333e11bf47fa8d477db90e2900b1ed3c9ae9b697" + }, + { + "url": "https://git.kernel.org/stable/c/7c3bb96a20cd8db3b8824b2ff08b6cde4505c7e5" + }, + { + "url": "https://git.kernel.org/stable/c/9004784e8d68bcd1ac1376407ba296fa28f04dbe" + }, + { + "url": "https://git.kernel.org/stable/c/dd42570018f5962c10f215ad9c21274ed5d3541e" + }, + { + "url": "https://git.kernel.org/stable/c/e151ae1ee065cf4b8ce4394ddb9d9c8df6370c66" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40970 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40970", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nAvoid hw_desc array overrun in dw-axi-dmac\n\nI have a use case where nr_buffers = 3 and in which each descriptor is composed by 3\nsegments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()\nhandles the hw_desc considering the descs_allocated, this scenario would result in a\nkernel panic (hw_desc array will be overrun).\n\nTo fix this, the proposal is to add a new member to the axi_dma_desc structure,\nwhere we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in\naxi_desc_put() to handle the hw_desc array correctly.\n\nAdditionally I propose to remove the axi_chan_start_first_queued() call after completing\nthe transfer, since it was identified that unbalance can occur (started descriptors can\nbe interrupted and transfer ignored due to DMA channel not being enabled).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40970\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40970\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40970\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40970\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40970\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/333e11bf47fa8d477db90e2900b1ed3c9ae9b697\",\n \"https://git.kernel.org/stable/c/7c3bb96a20cd8db3b8824b2ff08b6cde4505c7e5\",\n \"https://git.kernel.org/stable/c/9004784e8d68bcd1ac1376407ba296fa28f04dbe\",\n \"https://git.kernel.org/stable/c/dd42570018f5962c10f215ad9c21274ed5d3541e\",\n \"https://git.kernel.org/stable/c/e151ae1ee065cf4b8ce4394ddb9d9c8df6370c66\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nAvoid hw_desc array overrun in dw-axi-dmac\\n\\nI have a use case where nr_buffers = 3 and in which each descriptor is composed by 3\\nsegments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()\\nhandles the hw_desc considering the descs_allocated, this scenario would result in a\\nkernel panic (hw_desc array will be overrun).\\n\\nTo fix this, the proposal is to add a new member to the axi_dma_desc structure,\\nwhere we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in\\naxi_desc_put() to handle the hw_desc array correctly.\\n\\nAdditionally I propose to remove the axi_chan_start_first_queued() call after completing\\nthe transfer, since it was identified that unbalance can occur (started descriptors can\\nbe interrupted and transfer ignored due to DMA channel not being enabled).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40970\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40971", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40971" + }, + { + "url": "https://git.kernel.org/stable/c/38a82c8d00638bb642bef787eb1d5e0e4d3b7d71" + }, + { + "url": "https://git.kernel.org/stable/c/724429db09e21ee153fef35e34342279d33df6ae" + }, + { + "url": "https://git.kernel.org/stable/c/a9cea0489c562c97cd56bb345e78939f9909e7f4" + }, + { + "url": "https://git.kernel.org/stable/c/ac5eecf481c29942eb9a862e758c0c8b68090c33" + }, + { + "url": "https://git.kernel.org/stable/c/ae39c8ec4250d2a35ddaab1c40faacfec306ff66" + }, + { + "url": "https://git.kernel.org/stable/c/eddeb8d941d5be11a9da5637dbe81ac37e8449a2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40971 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40971", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: remove clear SB_INLINECRYPT flag in default_options\n\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\nIf create new file or open file during this gap, these files\nwill not use inlinecrypt. Worse case, it may lead to data\ncorruption if wrappedkey_v0 is enable.\n\nThread A: Thread B:\n\n-f2fs_remount\t\t\t\t-f2fs_file_open or f2fs_new_inode\n -default_options\n\t<- clear SB_INLINECRYPT flag\n\n -fscrypt_select_encryption_impl\n\n -parse_options\n\t<- set SB_INLINECRYPT again", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40971\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40971\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40971\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40971\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40971\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/38a82c8d00638bb642bef787eb1d5e0e4d3b7d71\",\n \"https://git.kernel.org/stable/c/724429db09e21ee153fef35e34342279d33df6ae\",\n \"https://git.kernel.org/stable/c/a9cea0489c562c97cd56bb345e78939f9909e7f4\",\n \"https://git.kernel.org/stable/c/ac5eecf481c29942eb9a862e758c0c8b68090c33\",\n \"https://git.kernel.org/stable/c/ae39c8ec4250d2a35ddaab1c40faacfec306ff66\",\n \"https://git.kernel.org/stable/c/eddeb8d941d5be11a9da5637dbe81ac37e8449a2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: remove clear SB_INLINECRYPT flag in default_options\\n\\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\\nIf create new file or open file during this gap, these files\\nwill not use inlinecrypt. Worse case, it may lead to data\\ncorruption if wrappedkey_v0 is enable.\\n\\nThread A: Thread B:\\n\\n-f2fs_remount\\t\\t\\t\\t-f2fs_file_open or f2fs_new_inode\\n -default_options\\n\\t<- clear SB_INLINECRYPT flag\\n\\n -fscrypt_select_encryption_impl\\n\\n -parse_options\\n\\t<- set SB_INLINECRYPT again\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40971\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40972", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40972" + }, + { + "url": "https://git.kernel.org/stable/c/0a46ef234756dca04623b7591e8ebb3440622f0b" + }, + { + "url": "https://git.kernel.org/stable/c/111103907234bffd0a34fba070ad9367de058752" + }, + { + "url": "https://git.kernel.org/stable/c/737fb7853acd5bc8984f6f42e4bfba3334be8ae1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40972 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40972", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: do not create EA inode under buffer lock\n\next4_xattr_set_entry() creates new EA inodes while holding buffer lock\non the external xattr block. This is problematic as it nests all the\nallocation locking (which acquires locks on other buffers) under the\nbuffer lock. This can even deadlock when the filesystem is corrupted and\ne.g. quota file is setup to contain xattr block as data block. Move the\nallocation of EA inode out of ext4_xattr_set_entry() into the callers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40972\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40972\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40972\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40972\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40972\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a46ef234756dca04623b7591e8ebb3440622f0b\",\n \"https://git.kernel.org/stable/c/111103907234bffd0a34fba070ad9367de058752\",\n \"https://git.kernel.org/stable/c/737fb7853acd5bc8984f6f42e4bfba3334be8ae1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: do not create EA inode under buffer lock\\n\\next4_xattr_set_entry() creates new EA inodes while holding buffer lock\\non the external xattr block. This is problematic as it nests all the\\nallocation locking (which acquires locks on other buffers) under the\\nbuffer lock. This can even deadlock when the filesystem is corrupted and\\ne.g. quota file is setup to contain xattr block as data block. Move the\\nallocation of EA inode out of ext4_xattr_set_entry() into the callers.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40972\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40973", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40973" + }, + { + "url": "https://git.kernel.org/stable/c/3a693c7e243b932faee5c1fb728efa73f0abc39b" + }, + { + "url": "https://git.kernel.org/stable/c/53dbe08504442dc7ba4865c09b3bbf5fe849681b" + }, + { + "url": "https://git.kernel.org/stable/c/f066882293b5ad359e44c4ed24ab1811ffb0b354" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40973 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40973", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-vcodec: potential null pointer deference in SCP\n\nThe return value of devm_kzalloc() needs to be checked to avoid\nNULL pointer deference. This is similar to CVE-2022-3113.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40973\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40973\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40973\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40973\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40973\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3a693c7e243b932faee5c1fb728efa73f0abc39b\",\n \"https://git.kernel.org/stable/c/53dbe08504442dc7ba4865c09b3bbf5fe849681b\",\n \"https://git.kernel.org/stable/c/f066882293b5ad359e44c4ed24ab1811ffb0b354\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: mtk-vcodec: potential null pointer deference in SCP\\n\\nThe return value of devm_kzalloc() needs to be checked to avoid\\nNULL pointer deference. This is similar to CVE-2022-3113.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40973\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40974", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40974" + }, + { + "url": "https://git.kernel.org/stable/c/19c166ee42cf16d8b156a6cb4544122d9a65d3ca" + }, + { + "url": "https://git.kernel.org/stable/c/262e942ff5a839b9e4f3302a8987928b0c8b8a2d" + }, + { + "url": "https://git.kernel.org/stable/c/3ad0034910a57aa88ed9976b1431b7b8c84e0048" + }, + { + "url": "https://git.kernel.org/stable/c/8aa11aa001576bf3b00dcb8559564ad7a3113588" + }, + { + "url": "https://git.kernel.org/stable/c/a8c988d752b3d98d5cc1e3929c519a55ef55426c" + }, + { + "url": "https://git.kernel.org/stable/c/aa6107dcc4ce9a3451f2d729204713783b657257" + }, + { + "url": "https://git.kernel.org/stable/c/acf2b80c31c37acab040baa3cf5f19fbd5140b18" + }, + { + "url": "https://git.kernel.org/stable/c/ff2e185cf73df480ec69675936c4ee75a445c3e4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40974 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40974", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Enforce hcall result buffer validity and size\n\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\nprovide valid result buffers of certain minimum size. Currently this\nis communicated only through comments in the code and the compiler has\nno idea.\n\nFor example, if I write a bug like this:\n\n long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\n plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\n\nThis compiles with no diagnostics emitted, but likely results in stack\ncorruption at runtime when plpar_hcall9() stores results past the end\nof the array. (To be clear this is a contrived example and I have not\nfound a real instance yet.)\n\nTo make this class of error less likely, we can use explicitly-sized\narray parameters instead of pointers in the declarations for the hcall\nAPIs. When compiled with -Warray-bounds[1], the code above now\nprovokes a diagnostic like this:\n\nerror: array argument is too small;\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\n 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\n | ^ ~~~~~~\n\n[1] Enabled for LLVM builds but not GCC for now. See commit\n 0da6e5fd6c37 (\"gcc: disable '-Warray-bounds' for gcc-13 too\") and\n related changes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40974\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40974\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40974\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40974\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40974\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19c166ee42cf16d8b156a6cb4544122d9a65d3ca\",\n \"https://git.kernel.org/stable/c/262e942ff5a839b9e4f3302a8987928b0c8b8a2d\",\n \"https://git.kernel.org/stable/c/3ad0034910a57aa88ed9976b1431b7b8c84e0048\",\n \"https://git.kernel.org/stable/c/8aa11aa001576bf3b00dcb8559564ad7a3113588\",\n \"https://git.kernel.org/stable/c/a8c988d752b3d98d5cc1e3929c519a55ef55426c\",\n \"https://git.kernel.org/stable/c/aa6107dcc4ce9a3451f2d729204713783b657257\",\n \"https://git.kernel.org/stable/c/acf2b80c31c37acab040baa3cf5f19fbd5140b18\",\n \"https://git.kernel.org/stable/c/ff2e185cf73df480ec69675936c4ee75a445c3e4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/pseries: Enforce hcall result buffer validity and size\\n\\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\\nprovide valid result buffers of certain minimum size. Currently this\\nis communicated only through comments in the code and the compiler has\\nno idea.\\n\\nFor example, if I write a bug like this:\\n\\n long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\\n plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\\n\\nThis compiles with no diagnostics emitted, but likely results in stack\\ncorruption at runtime when plpar_hcall9() stores results past the end\\nof the array. (To be clear this is a contrived example and I have not\\nfound a real instance yet.)\\n\\nTo make this class of error less likely, we can use explicitly-sized\\narray parameters instead of pointers in the declarations for the hcall\\nAPIs. When compiled with -Warray-bounds[1], the code above now\\nprovokes a diagnostic like this:\\n\\nerror: array argument is too small;\\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\\n 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\\n | ^ ~~~~~~\\n\\n[1] Enabled for LLVM builds but not GCC for now. See commit\\n 0da6e5fd6c37 (\\\"gcc: disable '-Warray-bounds' for gcc-13 too\\\") and\\n related changes.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40974\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40975", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40975" + }, + { + "url": "https://git.kernel.org/stable/c/3de0f2627ef849735f155c1818247f58404dddfe" + }, + { + "url": "https://git.kernel.org/stable/c/f0c982853d665597d17e4995ff479fbbf79a9cf6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40975 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40975", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: x86-android-tablets: Unregister devices in reverse order\n\nNot all subsystems support a device getting removed while there are\nstill consumers of the device with a reference to the device.\n\nOne example of this is the regulator subsystem. If a regulator gets\nunregistered while there are still drivers holding a reference\na WARN() at drivers/regulator/core.c:5829 triggers, e.g.:\n\n WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister\n Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015\n RIP: 0010:regulator_unregister\n Call Trace:\n \n regulator_unregister\n devres_release_group\n i2c_device_remove\n device_release_driver_internal\n bus_remove_device\n device_del\n device_unregister\n x86_android_tablet_remove\n\nOn the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides\na 5V boost converter output for powering USB devices connected to the micro\nUSB port, the bq24190-charger driver exports this as a Vbus regulator.\n\nOn the 830 (8\") and 1050 (\"10\") models this regulator is controlled by\na platform_device and x86_android_tablet_remove() removes platform_device-s\nbefore i2c_clients so the consumer gets removed first.\n\nBut on the 1380 (13\") model there is a lc824206xa micro-USB switch\nconnected over I2C and the extcon driver for that controls the regulator.\nThe bq24190 i2c-client *must* be registered first, because that creates\nthe regulator with the lc824206xa listed as its consumer. If the regulator\nhas not been registered yet the lc824206xa driver will end up getting\na dummy regulator.\n\nSince in this case both the regulator provider and consumer are I2C\ndevices, the only way to ensure that the consumer is unregistered first\nis to unregister the I2C devices in reverse order of in which they were\ncreated.\n\nFor consistency and to avoid similar problems in the future change\nx86_android_tablet_remove() to unregister all device types in reverse\norder.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40975\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40975\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40975\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40975\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40975\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3de0f2627ef849735f155c1818247f58404dddfe\",\n \"https://git.kernel.org/stable/c/f0c982853d665597d17e4995ff479fbbf79a9cf6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nplatform/x86: x86-android-tablets: Unregister devices in reverse order\\n\\nNot all subsystems support a device getting removed while there are\\nstill consumers of the device with a reference to the device.\\n\\nOne example of this is the regulator subsystem. If a regulator gets\\nunregistered while there are still drivers holding a reference\\na WARN() at drivers/regulator/core.c:5829 triggers, e.g.:\\n\\n WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister\\n Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015\\n RIP: 0010:regulator_unregister\\n Call Trace:\\n \\n regulator_unregister\\n devres_release_group\\n i2c_device_remove\\n device_release_driver_internal\\n bus_remove_device\\n device_del\\n device_unregister\\n x86_android_tablet_remove\\n\\nOn the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides\\na 5V boost converter output for powering USB devices connected to the micro\\nUSB port, the bq24190-charger driver exports this as a Vbus regulator.\\n\\nOn the 830 (8\\\") and 1050 (\\\"10\\\") models this regulator is controlled by\\na platform_device and x86_android_tablet_remove() removes platform_device-s\\nbefore i2c_clients so the consumer gets removed first.\\n\\nBut on the 1380 (13\\\") model there is a lc824206xa micro-USB switch\\nconnected over I2C and the extcon driver for that controls the regulator.\\nThe bq24190 i2c-client *must* be registered first, because that creates\\nthe regulator with the lc824206xa listed as its consumer. If the regulator\\nhas not been registered yet the lc824206xa driver will end up getting\\na dummy regulator.\\n\\nSince in this case both the regulator provider and consumer are I2C\\ndevices, the only way to ensure that the consumer is unregistered first\\nis to unregister the I2C devices in reverse order of in which they were\\ncreated.\\n\\nFor consistency and to avoid similar problems in the future change\\nx86_android_tablet_remove() to unregister all device types in reverse\\norder.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40975\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40976", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40976" + }, + { + "url": "https://git.kernel.org/stable/c/03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a" + }, + { + "url": "https://git.kernel.org/stable/c/58bfd311c93d66d8282bf21ebbf35cc3bb8ad9db" + }, + { + "url": "https://git.kernel.org/stable/c/70aa1f2dec46b6fdb5f6b9f37b6bfa4a4dee0d3a" + }, + { + "url": "https://git.kernel.org/stable/c/9fd8ddd23793a50dbcd11c6ba51f437f1ea7d344" + }, + { + "url": "https://git.kernel.org/stable/c/a421cc7a6a001b70415aa4f66024fa6178885a14" + }, + { + "url": "https://git.kernel.org/stable/c/bdbc4ca77f5eaac15de7230814253cddfed273b1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40976 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40976", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: mask irqs in timeout path before hard reset\n\nThere is a race condition in which a rendering job might take just long\nenough to trigger the drm sched job timeout handler but also still\ncomplete before the hard reset is done by the timeout handler.\nThis runs into race conditions not expected by the timeout handler.\nIn some very specific cases it currently may result in a refcount\nimbalance on lima_pm_idle, with a stack dump such as:\n\n[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669628] Call trace:\n[10136.669634] lima_devfreq_record_idle+0xa0/0xb0\n[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0\n[10136.669656] lima_gp_irq_handler+0xa8/0x120\n[10136.669666] __handle_irq_event_percpu+0x48/0x160\n[10136.669679] handle_irq_event+0x4c/0xc0\n\nWe can prevent that race condition entirely by masking the irqs at the\nbeginning of the timeout handler, at which point we give up on waiting\nfor that job entirely.\nThe irqs will be enabled again at the next hard reset which is already\ndone as a recovery by the timeout handler.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40976\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40976\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40976\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40976\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40976\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a\",\n \"https://git.kernel.org/stable/c/58bfd311c93d66d8282bf21ebbf35cc3bb8ad9db\",\n \"https://git.kernel.org/stable/c/70aa1f2dec46b6fdb5f6b9f37b6bfa4a4dee0d3a\",\n \"https://git.kernel.org/stable/c/9fd8ddd23793a50dbcd11c6ba51f437f1ea7d344\",\n \"https://git.kernel.org/stable/c/a421cc7a6a001b70415aa4f66024fa6178885a14\",\n \"https://git.kernel.org/stable/c/bdbc4ca77f5eaac15de7230814253cddfed273b1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/lima: mask irqs in timeout path before hard reset\\n\\nThere is a race condition in which a rendering job might take just long\\nenough to trigger the drm sched job timeout handler but also still\\ncomplete before the hard reset is done by the timeout handler.\\nThis runs into race conditions not expected by the timeout handler.\\nIn some very specific cases it currently may result in a refcount\\nimbalance on lima_pm_idle, with a stack dump such as:\\n\\n[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0\\n...\\n[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0\\n...\\n[10136.669628] Call trace:\\n[10136.669634] lima_devfreq_record_idle+0xa0/0xb0\\n[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0\\n[10136.669656] lima_gp_irq_handler+0xa8/0x120\\n[10136.669666] __handle_irq_event_percpu+0x48/0x160\\n[10136.669679] handle_irq_event+0x4c/0xc0\\n\\nWe can prevent that race condition entirely by masking the irqs at the\\nbeginning of the timeout handler, at which point we give up on waiting\\nfor that job entirely.\\nThe irqs will be enabled again at the next hard reset which is already\\ndone as a recovery by the timeout handler.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40976\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40977", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40977" + }, + { + "url": "https://git.kernel.org/stable/c/0b81faa05b0b9feb3ae2d69be1d21f0d126ecb08" + }, + { + "url": "https://git.kernel.org/stable/c/85edd783f4539a994d66c4c014d5858f490b7a02" + }, + { + "url": "https://git.kernel.org/stable/c/e974dd4c22a23ec3ce579fb6d31a674ac0435da9" + }, + { + "url": "https://git.kernel.org/stable/c/ecf0b2b8a37c8464186620bef37812a117ff6366" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40977 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40977", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921s: fix potential hung tasks during chip recovery\n\nDuring chip recovery (e.g. chip reset), there is a possible situation that\nkernel worker reset_work is holding the lock and waiting for kernel thread\nstat_worker to be parked, while stat_worker is waiting for the release of\nthe same lock.\nIt causes a deadlock resulting in the dumping of hung tasks messages and\npossible rebooting of the device.\n\nThis patch prevents the execution of stat_worker during the chip recovery.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40977\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40977\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40977\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40977\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40977\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b81faa05b0b9feb3ae2d69be1d21f0d126ecb08\",\n \"https://git.kernel.org/stable/c/85edd783f4539a994d66c4c014d5858f490b7a02\",\n \"https://git.kernel.org/stable/c/e974dd4c22a23ec3ce579fb6d31a674ac0435da9\",\n \"https://git.kernel.org/stable/c/ecf0b2b8a37c8464186620bef37812a117ff6366\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mt76: mt7921s: fix potential hung tasks during chip recovery\\n\\nDuring chip recovery (e.g. chip reset), there is a possible situation that\\nkernel worker reset_work is holding the lock and waiting for kernel thread\\nstat_worker to be parked, while stat_worker is waiting for the release of\\nthe same lock.\\nIt causes a deadlock resulting in the dumping of hung tasks messages and\\npossible rebooting of the device.\\n\\nThis patch prevents the execution of stat_worker during the chip recovery.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40977\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40978", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40978" + }, + { + "url": "https://git.kernel.org/stable/c/144d76a676b630e321556965011b00e2de0b40a7" + }, + { + "url": "https://git.kernel.org/stable/c/21c963de2e86e88f6a8ca556bcebb8e62ab8e901" + }, + { + "url": "https://git.kernel.org/stable/c/28027ec8e32ecbadcd67623edb290dad61e735b5" + }, + { + "url": "https://git.kernel.org/stable/c/397a8990c377ee4b61d6df768e61dff9e316d46b" + }, + { + "url": "https://git.kernel.org/stable/c/56bec63a7fc87ad50b3373a87517dc9770eef9e0" + }, + { + "url": "https://git.kernel.org/stable/c/e2f433ea7d0ff77998766a088a287337fb43ad75" + }, + { + "url": "https://git.kernel.org/stable/c/eaddb86637669f6bad89245ee63f8fb2bfb50241" + }, + { + "url": "https://git.kernel.org/stable/c/fa85b016a56b9775a3fe41e5d26e666945963b46" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40978 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40978", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedi: Fix crash while reading debugfs attribute\n\nThe qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly\non a __user pointer, which results into the crash.\n\nTo fix this issue, use a small local stack buffer for sprintf() and then\ncall simple_read_from_buffer(), which in turns make the copy_to_user()\ncall.\n\nBUG: unable to handle page fault for address: 00007f4801111000\nPGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0\nOops: 0002 [#1] PREEMPT SMP PTI\nHardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023\nRIP: 0010:memcpy_orig+0xcd/0x130\nRSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202\nRAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f\nRDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000\nRBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572\nR10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff\nR13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af\nFS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? __die_body+0x1a/0x60\n ? page_fault_oops+0x183/0x510\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? memcpy_orig+0xcd/0x130\n vsnprintf+0x102/0x4c0\n sprintf+0x51/0x80\n qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]\n full_proxy_read+0x50/0x80\n vfs_read+0xa5/0x2e0\n ? folio_add_new_anon_rmap+0x44/0xa0\n ? set_pte_at+0x15/0x30\n ? do_pte_missing+0x426/0x7f0\n ksys_read+0xa5/0xe0\n do_syscall_64+0x58/0x80\n ? __count_memcg_events+0x46/0x90\n ? count_memcg_event_mm+0x3d/0x60\n ? handle_mm_fault+0x196/0x2f0\n ? do_user_addr_fault+0x267/0x890\n ? exc_page_fault+0x69/0x150\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4800f20b4d", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40978\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40978\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40978\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40978\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40978\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/144d76a676b630e321556965011b00e2de0b40a7\",\n \"https://git.kernel.org/stable/c/21c963de2e86e88f6a8ca556bcebb8e62ab8e901\",\n \"https://git.kernel.org/stable/c/28027ec8e32ecbadcd67623edb290dad61e735b5\",\n \"https://git.kernel.org/stable/c/397a8990c377ee4b61d6df768e61dff9e316d46b\",\n \"https://git.kernel.org/stable/c/56bec63a7fc87ad50b3373a87517dc9770eef9e0\",\n \"https://git.kernel.org/stable/c/e2f433ea7d0ff77998766a088a287337fb43ad75\",\n \"https://git.kernel.org/stable/c/eaddb86637669f6bad89245ee63f8fb2bfb50241\",\n \"https://git.kernel.org/stable/c/fa85b016a56b9775a3fe41e5d26e666945963b46\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qedi: Fix crash while reading debugfs attribute\\n\\nThe qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly\\non a __user pointer, which results into the crash.\\n\\nTo fix this issue, use a small local stack buffer for sprintf() and then\\ncall simple_read_from_buffer(), which in turns make the copy_to_user()\\ncall.\\n\\nBUG: unable to handle page fault for address: 00007f4801111000\\nPGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0\\nOops: 0002 [#1] PREEMPT SMP PTI\\nHardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023\\nRIP: 0010:memcpy_orig+0xcd/0x130\\nRSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202\\nRAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f\\nRDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000\\nRBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572\\nR10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff\\nR13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af\\nFS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nPKRU: 55555554\\nCall Trace:\\n \\n ? __die_body+0x1a/0x60\\n ? page_fault_oops+0x183/0x510\\n ? exc_page_fault+0x69/0x150\\n ? asm_exc_page_fault+0x22/0x30\\n ? memcpy_orig+0xcd/0x130\\n vsnprintf+0x102/0x4c0\\n sprintf+0x51/0x80\\n qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]\\n full_proxy_read+0x50/0x80\\n vfs_read+0xa5/0x2e0\\n ? folio_add_new_anon_rmap+0x44/0xa0\\n ? set_pte_at+0x15/0x30\\n ? do_pte_missing+0x426/0x7f0\\n ksys_read+0xa5/0xe0\\n do_syscall_64+0x58/0x80\\n ? __count_memcg_events+0x46/0x90\\n ? count_memcg_event_mm+0x3d/0x60\\n ? handle_mm_fault+0x196/0x2f0\\n ? do_user_addr_fault+0x267/0x890\\n ? exc_page_fault+0x69/0x150\\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\\nRIP: 0033:0x7f4800f20b4d\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40978\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40979", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40979" + }, + { + "url": "https://git.kernel.org/stable/c/303c017821d88ebad887814114d4e5966d320b28" + }, + { + "url": "https://git.kernel.org/stable/c/bb50a4e711ff95348ad53641acb1306d89eb4c3a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40979 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40979", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix kernel crash during resume\n\nCurrently during resume, QMI target memory is not properly handled, resulting\nin kernel crash in case DMA remap is not supported:\n\nBUG: Bad page state in process kworker/u16:54 pfn:36e80\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80\npage dumped because: nonzero _refcount\nCall Trace:\n bad_page\n free_page_is_bad_report\n __free_pages_ok\n __free_pages\n dma_direct_free\n dma_free_attrs\n ath12k_qmi_free_target_mem_chunk\n ath12k_qmi_msg_mem_request_cb\n\nThe reason is:\nOnce ath12k module is loaded, firmware sends memory request to host. In case\nDMA remap not supported, ath12k refuses the first request due to failure in\nallocating with large segment size:\n\nath12k_pci 0000:04:00.0: qmi firmware request memory request\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144\nath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size\nath12k_pci 0000:04:00.0: qmi delays mem_request 2\nath12k_pci 0000:04:00.0: qmi firmware request memory request\n\nLater firmware comes back with more but small segments and allocation\nsucceeds:\n\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\n\nNow ath12k is working. If suspend is triggered, firmware will be reloaded\nduring resume. As same as before, firmware requests two large segments at\nfirst. In ath12k_qmi_msg_mem_request_cb() segment count and size are\nassigned:\n\n\tab->qmi.mem_seg_count == 2\n\tab->qmi.target_mem[0].size == 7077888\n\tab->qmi.target_mem[1].size == 8454144\n\nThen allocation failed like before and ath12k_qmi_free_target_mem_chunk()\nis called to free all allocated segments. Note the first segment is skipped\nbecause its v.addr is cleared due to allocation failure:\n\n\tchunk->v.addr = dma_alloc_coherent()\n\nAlso note that this leaks that segment because it has not been freed.\n\nWhile freeing the second segment, a size of 8454144 is passed to\ndma_free_coherent(). However remember that this segment is allocated at\nthe first time firmware is loaded, before suspend. So its real size is\n524288, much smaller than 8454144. As a result kernel found we are freeing\nsome memory which is in use and thus cras\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40979\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40979\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40979\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40979\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40979\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/303c017821d88ebad887814114d4e5966d320b28\",\n \"https://git.kernel.org/stable/c/bb50a4e711ff95348ad53641acb1306d89eb4c3a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath12k: fix kernel crash during resume\\n\\nCurrently during resume, QMI target memory is not properly handled, resulting\\nin kernel crash in case DMA remap is not supported:\\n\\nBUG: Bad page state in process kworker/u16:54 pfn:36e80\\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80\\npage dumped because: nonzero _refcount\\nCall Trace:\\n bad_page\\n free_page_is_bad_report\\n __free_pages_ok\\n __free_pages\\n dma_direct_free\\n dma_free_attrs\\n ath12k_qmi_free_target_mem_chunk\\n ath12k_qmi_msg_mem_request_cb\\n\\nThe reason is:\\nOnce ath12k module is loaded, firmware sends memory request to host. In case\\nDMA remap not supported, ath12k refuses the first request due to failure in\\nallocating with large segment size:\\n\\nath12k_pci 0000:04:00.0: qmi firmware request memory request\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144\\nath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size\\nath12k_pci 0000:04:00.0: qmi delays mem_request 2\\nath12k_pci 0000:04:00.0: qmi firmware request memory request\\n\\nLater firmware comes back with more but small segments and allocation\\nsucceeds:\\n\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536\\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\\n\\nNow ath12k is working. If suspend is triggered, firmware will be reloaded\\nduring resume. As same as before, firmware requests two large segments at\\nfirst. In ath12k_qmi_msg_mem_request_cb() segment count and size are\\nassigned:\\n\\n\\tab->qmi.mem_seg_count == 2\\n\\tab->qmi.target_mem[0].size == 7077888\\n\\tab->qmi.target_mem[1].size == 8454144\\n\\nThen allocation failed like before and ath12k_qmi_free_target_mem_chunk()\\nis called to free all allocated segments. Note the first segment is skipped\\nbecause its v.addr is cleared due to allocation failure:\\n\\n\\tchunk->v.addr = dma_alloc_coherent()\\n\\nAlso note that this leaks that segment because it has not been freed.\\n\\nWhile freeing the second segment, a size of 8454144 is passed to\\ndma_free_coherent(). However remember that this segment is allocated at\\nthe first time firmware is loaded, before suspend. So its real size is\\n524288, much smaller than 8454144. As a result kernel found we are freeing\\nsome memory which is in use and thus cras\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40979\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40980", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40980" + }, + { + "url": "https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e" + }, + { + "url": "https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334" + }, + { + "url": "https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0" + }, + { + "url": "https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5" + }, + { + "url": "https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac" + }, + { + "url": "https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195" + }, + { + "url": "https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40980 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40980", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: replace spin_lock by raw_spin_lock\n\ntrace_drop_common() is called with preemption disabled, and it acquires\na spin_lock. This is problematic for RT kernels because spin_locks are\nsleeping locks in this configuration, which causes the following splat:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n5 locks held by rcuc/47/449:\n #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210\n #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130\n #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210\n #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70\n #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290\nirq event stamp: 139909\nhardirqs last enabled at (139908): [] _raw_spin_unlock_irqrestore+0x63/0x80\nhardirqs last disabled at (139909): [] trace_drop_common.constprop.0+0x26d/0x290\nsoftirqs last enabled at (139892): [] __local_bh_enable_ip+0x103/0x170\nsoftirqs last disabled at (139898): [] rcu_cpu_kthread+0x93/0x1f0\nPreemption disabled at:\n[] rt_mutex_slowunlock+0xab/0x2e0\nCPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7\nHardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022\nCall Trace:\n \n dump_stack_lvl+0x8c/0xd0\n dump_stack+0x14/0x20\n __might_resched+0x21e/0x2f0\n rt_spin_lock+0x5e/0x130\n ? trace_drop_common.constprop.0+0xb5/0x290\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_drop_common.constprop.0+0xb5/0x290\n ? preempt_count_sub+0x1c/0xd0\n ? _raw_spin_unlock_irqrestore+0x4a/0x80\n ? __pfx_trace_drop_common.constprop.0+0x10/0x10\n ? rt_mutex_slowunlock+0x26a/0x2e0\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_rt_mutex_slowunlock+0x10/0x10\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_kfree_skb_hit+0x15/0x20\n trace_kfree_skb+0xe9/0x150\n kfree_skb_reason+0x7b/0x110\n skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10\n ? mark_lock.part.0+0x8a/0x520\n...\n\ntrace_drop_common() also disables interrupts, but this is a minor issue\nbecause we could easily replace it with a local_lock.\n\nReplace the spin_lock with raw_spin_lock to avoid sleeping in atomic\ncontext.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40980\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40980\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40980\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40980\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40980\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e\",\n \"https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334\",\n \"https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0\",\n \"https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5\",\n \"https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac\",\n \"https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195\",\n \"https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrop_monitor: replace spin_lock by raw_spin_lock\\n\\ntrace_drop_common() is called with preemption disabled, and it acquires\\na spin_lock. This is problematic for RT kernels because spin_locks are\\nsleeping locks in this configuration, which causes the following splat:\\n\\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47\\npreempt_count: 1, expected: 0\\nRCU nest depth: 2, expected: 2\\n5 locks held by rcuc/47/449:\\n #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210\\n #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130\\n #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210\\n #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70\\n #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290\\nirq event stamp: 139909\\nhardirqs last enabled at (139908): [] _raw_spin_unlock_irqrestore+0x63/0x80\\nhardirqs last disabled at (139909): [] trace_drop_common.constprop.0+0x26d/0x290\\nsoftirqs last enabled at (139892): [] __local_bh_enable_ip+0x103/0x170\\nsoftirqs last disabled at (139898): [] rcu_cpu_kthread+0x93/0x1f0\\nPreemption disabled at:\\n[] rt_mutex_slowunlock+0xab/0x2e0\\nCPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7\\nHardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022\\nCall Trace:\\n \\n dump_stack_lvl+0x8c/0xd0\\n dump_stack+0x14/0x20\\n __might_resched+0x21e/0x2f0\\n rt_spin_lock+0x5e/0x130\\n ? trace_drop_common.constprop.0+0xb5/0x290\\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\\n trace_drop_common.constprop.0+0xb5/0x290\\n ? preempt_count_sub+0x1c/0xd0\\n ? _raw_spin_unlock_irqrestore+0x4a/0x80\\n ? __pfx_trace_drop_common.constprop.0+0x10/0x10\\n ? rt_mutex_slowunlock+0x26a/0x2e0\\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\\n ? __pfx_rt_mutex_slowunlock+0x10/0x10\\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\\n trace_kfree_skb_hit+0x15/0x20\\n trace_kfree_skb+0xe9/0x150\\n kfree_skb_reason+0x7b/0x110\\n skb_queue_purge_reason.part.0+0x1bf/0x230\\n ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10\\n ? mark_lock.part.0+0x8a/0x520\\n...\\n\\ntrace_drop_common() also disables interrupts, but this is a minor issue\\nbecause we could easily replace it with a local_lock.\\n\\nReplace the spin_lock with raw_spin_lock to avoid sleeping in atomic\\ncontext.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40980\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40981", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40981" + }, + { + "url": "https://git.kernel.org/stable/c/154e3f862ba33675cf3f4abf0a0a309a89df87d2" + }, + { + "url": "https://git.kernel.org/stable/c/2685008a5f9a636434a8508419cee8158a2f52c8" + }, + { + "url": "https://git.kernel.org/stable/c/40dc8ab605894acae1473e434944924a22cfaaa0" + }, + { + "url": "https://git.kernel.org/stable/c/79636f636126775436a11ee9cf00a9253a33ac11" + }, + { + "url": "https://git.kernel.org/stable/c/82cdea8f3af1e36543c937df963d108c60bea030" + }, + { + "url": "https://git.kernel.org/stable/c/92176caf9896572f00e741a93cecc0ef1172da07" + }, + { + "url": "https://git.kernel.org/stable/c/ae7f3cffe86aea3da0e8e079525a1ae619b8862a" + }, + { + "url": "https://git.kernel.org/stable/c/fed7914858a1f1f3e6350bb0f620d6ef15107d16" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40981 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40981", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bypass empty buckets in batadv_purge_orig_ref()\n\nMany syzbot reports are pointing to soft lockups in\nbatadv_purge_orig_ref() [1]\n\nRoot cause is unknown, but we can avoid spending too much\ntime there and perhaps get more interesting reports.\n\n[1]\n\nwatchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]\nModules linked in:\nirq event stamp: 6182794\n hardirqs last enabled at (6182793): [] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\n hardirqs last disabled at (6182794): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (6182794): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last enabled at (6182792): [] spin_unlock_bh include/linux/spinlock.h:396 [inline]\n softirqs last enabled at (6182792): [] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n softirqs last disabled at (6182790): [] spin_lock_bh include/linux/spinlock.h:356 [inline]\n softirqs last disabled at (6182790): [] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271\nCPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_purge_orig\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]\n pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388\n lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\nsp : ffff800099007970\nx29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000\nx26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001\nx23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4\nx20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0\nx17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001\nx14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003\nx11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000\nCall trace:\n __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]\n arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]\n __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n kthread+0x288/0x310 kernel/kthread.c:388\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51\n lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103\nsp : ffff800093a17d30\nx29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4\nx26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002\nx23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000\nx20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396\nx17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40981\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40981\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40981\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40981\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40981\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/154e3f862ba33675cf3f4abf0a0a309a89df87d2\",\n \"https://git.kernel.org/stable/c/2685008a5f9a636434a8508419cee8158a2f52c8\",\n \"https://git.kernel.org/stable/c/40dc8ab605894acae1473e434944924a22cfaaa0\",\n \"https://git.kernel.org/stable/c/79636f636126775436a11ee9cf00a9253a33ac11\",\n \"https://git.kernel.org/stable/c/82cdea8f3af1e36543c937df963d108c60bea030\",\n \"https://git.kernel.org/stable/c/92176caf9896572f00e741a93cecc0ef1172da07\",\n \"https://git.kernel.org/stable/c/ae7f3cffe86aea3da0e8e079525a1ae619b8862a\",\n \"https://git.kernel.org/stable/c/fed7914858a1f1f3e6350bb0f620d6ef15107d16\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbatman-adv: bypass empty buckets in batadv_purge_orig_ref()\\n\\nMany syzbot reports are pointing to soft lockups in\\nbatadv_purge_orig_ref() [1]\\n\\nRoot cause is unknown, but we can avoid spending too much\\ntime there and perhaps get more interesting reports.\\n\\n[1]\\n\\nwatchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]\\nModules linked in:\\nirq event stamp: 6182794\\n hardirqs last enabled at (6182793): [] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\\n hardirqs last disabled at (6182794): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\\n hardirqs last disabled at (6182794): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\\n softirqs last enabled at (6182792): [] spin_unlock_bh include/linux/spinlock.h:396 [inline]\\n softirqs last enabled at (6182792): [] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\\n softirqs last disabled at (6182790): [] spin_lock_bh include/linux/spinlock.h:356 [inline]\\n softirqs last disabled at (6182790): [] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271\\nCPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\\nWorkqueue: bat_events batadv_purge_orig\\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]\\n pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388\\n lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\\nsp : ffff800099007970\\nx29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000\\nx26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001\\nx23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4\\nx20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0\\nx17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001\\nx14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003\\nx11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000\\nx8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000\\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\\nx2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000\\nCall trace:\\n __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]\\n arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]\\n __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386\\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\\n _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210\\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\\n batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\\n batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300\\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\\n process_scheduled_works kernel/workqueue.c:2706 [inline]\\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\\n kthread+0x288/0x310 kernel/kthread.c:388\\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\\nSending NMI from CPU 0 to CPUs 1:\\nNMI backtrace for cpu 1\\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51\\n lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103\\nsp : ffff800093a17d30\\nx29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4\\nx26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002\\nx23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000\\nx20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396\\nx17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40981\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40982", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40982" + }, + { + "url": "https://git.kernel.org/stable/c/789c17185fb0f39560496c2beab9b57ce1d0cbe7" + }, + { + "url": "https://git.kernel.org/stable/c/7d43c8377c6fc846b1812f8df360425c9323dc56" + }, + { + "url": "https://git.kernel.org/stable/c/c5dc2d8eb3981bae261ea7d1060a80868e886813" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40982 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40982", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nssb: Fix potential NULL pointer dereference in ssb_device_uevent()\n\nThe ssb_device_uevent() function first attempts to convert the 'dev' pointer\nto 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before\nperforming the NULL check, potentially leading to a NULL pointer\ndereference if 'dev' is NULL.\n\nTo fix this issue, move the NULL check before dereferencing the 'dev' pointer,\nensuring that the pointer is valid before attempting to use it.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40982\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40982\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40982\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40982\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40982\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/789c17185fb0f39560496c2beab9b57ce1d0cbe7\",\n \"https://git.kernel.org/stable/c/7d43c8377c6fc846b1812f8df360425c9323dc56\",\n \"https://git.kernel.org/stable/c/c5dc2d8eb3981bae261ea7d1060a80868e886813\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nssb: Fix potential NULL pointer dereference in ssb_device_uevent()\\n\\nThe ssb_device_uevent() function first attempts to convert the 'dev' pointer\\nto 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before\\nperforming the NULL check, potentially leading to a NULL pointer\\ndereference if 'dev' is NULL.\\n\\nTo fix this issue, move the NULL check before dereferencing the 'dev' pointer,\\nensuring that the pointer is valid before attempting to use it.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40982\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40983", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40983" + }, + { + "url": "https://git.kernel.org/stable/c/2ebe8f840c7450ecbfca9d18ac92e9ce9155e269" + }, + { + "url": "https://git.kernel.org/stable/c/3eb1b39627892c4e26cb0162b75725aa5fcc60c8" + }, + { + "url": "https://git.kernel.org/stable/c/623c90d86a61e3780f682b32928af469c66ec4c2" + }, + { + "url": "https://git.kernel.org/stable/c/6808b41371670c51feea14f63ade211e78100930" + }, + { + "url": "https://git.kernel.org/stable/c/692803b39a36e63ac73208e0a3769ae6a2f9bc76" + }, + { + "url": "https://git.kernel.org/stable/c/b57a4a2dc8746cea58a922ebe31b6aa629d69d93" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40983 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40983", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: force a dst refcount before doing decryption\n\nAs it says in commit 3bc07321ccc2 (\"xfrm: Force a dst refcount before\nentering the xfrm type handlers\"):\n\n\"Crypto requests might return asynchronous. In this case we leave the\n rcu protected region, so force a refcount on the skb's destination\n entry before we enter the xfrm type input/output handlers.\"\n\nOn TIPC decryption path it has the same problem, and skb_dst_force()\nshould be called before doing decryption to avoid a possible crash.\n\nShuang reported this issue when this warning is triggered:\n\n [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug\n [] Workqueue: crypto cryptd_queue_worker\n [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Call Trace:\n [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]\n [] tipc_rcv+0xcf5/0x1060 [tipc]\n [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]\n [] cryptd_aead_crypt+0xdb/0x190\n [] cryptd_queue_worker+0xed/0x190\n [] process_one_work+0x93d/0x17e0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40983\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40983\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40983\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40983\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40983\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2ebe8f840c7450ecbfca9d18ac92e9ce9155e269\",\n \"https://git.kernel.org/stable/c/3eb1b39627892c4e26cb0162b75725aa5fcc60c8\",\n \"https://git.kernel.org/stable/c/623c90d86a61e3780f682b32928af469c66ec4c2\",\n \"https://git.kernel.org/stable/c/6808b41371670c51feea14f63ade211e78100930\",\n \"https://git.kernel.org/stable/c/692803b39a36e63ac73208e0a3769ae6a2f9bc76\",\n \"https://git.kernel.org/stable/c/b57a4a2dc8746cea58a922ebe31b6aa629d69d93\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: force a dst refcount before doing decryption\\n\\nAs it says in commit 3bc07321ccc2 (\\\"xfrm: Force a dst refcount before\\nentering the xfrm type handlers\\\"):\\n\\n\\\"Crypto requests might return asynchronous. In this case we leave the\\n rcu protected region, so force a refcount on the skb's destination\\n entry before we enter the xfrm type input/output handlers.\\\"\\n\\nOn TIPC decryption path it has the same problem, and skb_dst_force()\\nshould be called before doing decryption to avoid a possible crash.\\n\\nShuang reported this issue when this warning is triggered:\\n\\n [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]\\n [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug\\n [] Workqueue: crypto cryptd_queue_worker\\n [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]\\n [] Call Trace:\\n [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]\\n [] tipc_rcv+0xcf5/0x1060 [tipc]\\n [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]\\n [] cryptd_aead_crypt+0xdb/0x190\\n [] cryptd_queue_worker+0xed/0x190\\n [] process_one_work+0x93d/0x17e0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40983\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40984", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40984" + }, + { + "url": "https://git.kernel.org/stable/c/434c6b924e1f4c219aab2d9e05fe79c5364e37d3" + }, + { + "url": "https://git.kernel.org/stable/c/435ecc978c3d5d0c4e172ec5b956dc1904061d98" + }, + { + "url": "https://git.kernel.org/stable/c/6eca23100e9030725f69c1babacd58803f29ec8d" + }, + { + "url": "https://git.kernel.org/stable/c/a83e1385b780d41307433ddbc86e3c528db031f0" + }, + { + "url": "https://git.kernel.org/stable/c/ae465109d82f4fb03c5adbe85f2d6a6a3d59124c" + }, + { + "url": "https://git.kernel.org/stable/c/dc5017c57f5eee80020c73ff8b67ba7f9fd08b1f" + }, + { + "url": "https://git.kernel.org/stable/c/ddc1f5f124479360a1fd43f73be950781d172239" + }, + { + "url": "https://git.kernel.org/stable/c/e21a4c9129c72fa54dd00f5ebf71219b41d43c04" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40984 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40984", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\"\n\nUndo the modifications made in commit d410ee5109a1 (\"ACPICA: avoid\n\"Info: mapping multiple BARs. Your kernel is fine.\"\"). The initial\npurpose of this commit was to stop memory mappings for operation\nregions from overlapping page boundaries, as it can trigger warnings\nif different page attributes are present.\n\nHowever, it was found that when this situation arises, mapping\ncontinues until the boundary's end, but there is still an attempt to\nread/write the entire length of the map, leading to a NULL pointer\ndeference. For example, if a four-byte mapping request is made but\nonly one byte is mapped because it hits the current page boundary's\nend, a four-byte read/write attempt is still made, resulting in a NULL\npointer deference.\n\nInstead, map the entire length, as the ACPI specification does not\nmandate that it must be within the same page boundary. It is\npermissible for it to be mapped across different regions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40984\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40984\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40984\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40984\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40984\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/434c6b924e1f4c219aab2d9e05fe79c5364e37d3\",\n \"https://git.kernel.org/stable/c/435ecc978c3d5d0c4e172ec5b956dc1904061d98\",\n \"https://git.kernel.org/stable/c/6eca23100e9030725f69c1babacd58803f29ec8d\",\n \"https://git.kernel.org/stable/c/a83e1385b780d41307433ddbc86e3c528db031f0\",\n \"https://git.kernel.org/stable/c/ae465109d82f4fb03c5adbe85f2d6a6a3d59124c\",\n \"https://git.kernel.org/stable/c/dc5017c57f5eee80020c73ff8b67ba7f9fd08b1f\",\n \"https://git.kernel.org/stable/c/ddc1f5f124479360a1fd43f73be950781d172239\",\n \"https://git.kernel.org/stable/c/e21a4c9129c72fa54dd00f5ebf71219b41d43c04\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nACPICA: Revert \\\"ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\\\"\\n\\nUndo the modifications made in commit d410ee5109a1 (\\\"ACPICA: avoid\\n\\\"Info: mapping multiple BARs. Your kernel is fine.\\\"\\\"). The initial\\npurpose of this commit was to stop memory mappings for operation\\nregions from overlapping page boundaries, as it can trigger warnings\\nif different page attributes are present.\\n\\nHowever, it was found that when this situation arises, mapping\\ncontinues until the boundary's end, but there is still an attempt to\\nread/write the entire length of the map, leading to a NULL pointer\\ndeference. For example, if a four-byte mapping request is made but\\nonly one byte is mapped because it hits the current page boundary's\\nend, a four-byte read/write attempt is still made, resulting in a NULL\\npointer deference.\\n\\nInstead, map the entire length, as the ACPI specification does not\\nmandate that it must be within the same page boundary. It is\\npermissible for it to be mapped across different regions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40984\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40987", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40987" + }, + { + "url": "https://git.kernel.org/stable/c/1c44f7759a5650acf8f13d3e0a184d09e03be9e4" + }, + { + "url": "https://git.kernel.org/stable/c/4ad7d49059358ceadd352b4e2511425bdb68f400" + }, + { + "url": "https://git.kernel.org/stable/c/4d020c1dbd2b2304f44d003e6de956ae570049dc" + }, + { + "url": "https://git.kernel.org/stable/c/b065d79ed06a0bb4377bc6dcc2ff0cb1f55a798f" + }, + { + "url": "https://git.kernel.org/stable/c/b0d612619ed70cab476c77b19e00d13aa414e14f" + }, + { + "url": "https://git.kernel.org/stable/c/d8a04a6bfa75251ba7bcc3651ed211e82f13f388" + }, + { + "url": "https://git.kernel.org/stable/c/f0d576f840153392d04b2d52cf3adab8f62e8cb6" + }, + { + "url": "https://git.kernel.org/stable/c/fc5cb952e6723c5c55e47b8cf94a891bd4af1a86" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40987 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40987", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40987\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40987\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40987\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40987\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40987\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c44f7759a5650acf8f13d3e0a184d09e03be9e4\",\n \"https://git.kernel.org/stable/c/4ad7d49059358ceadd352b4e2511425bdb68f400\",\n \"https://git.kernel.org/stable/c/4d020c1dbd2b2304f44d003e6de956ae570049dc\",\n \"https://git.kernel.org/stable/c/b065d79ed06a0bb4377bc6dcc2ff0cb1f55a798f\",\n \"https://git.kernel.org/stable/c/b0d612619ed70cab476c77b19e00d13aa414e14f\",\n \"https://git.kernel.org/stable/c/d8a04a6bfa75251ba7bcc3651ed211e82f13f388\",\n \"https://git.kernel.org/stable/c/f0d576f840153392d04b2d52cf3adab8f62e8cb6\",\n \"https://git.kernel.org/stable/c/fc5cb952e6723c5c55e47b8cf94a891bd4af1a86\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: fix UBSAN warning in kv_dpm.c\\n\\nAdds bounds check for sumo_vid_mapping_entry.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40987\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40988", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40988" + }, + { + "url": "https://git.kernel.org/stable/c/07e8f15fa16695cf4c90e89854e59af4a760055b" + }, + { + "url": "https://git.kernel.org/stable/c/468a50fd46a09bba7ba18a11054ae64b6479ecdc" + }, + { + "url": "https://git.kernel.org/stable/c/9e57611182a817824a17b1c3dd300ee74a174b42" + }, + { + "url": "https://git.kernel.org/stable/c/a498df5421fd737d11bfd152428ba6b1c8538321" + }, + { + "url": "https://git.kernel.org/stable/c/a8c6df9fe5bc390645d1e96eff14ffe414951aad" + }, + { + "url": "https://git.kernel.org/stable/c/cf1cc8fcfe517e108794fb711f7faabfca0dc855" + }, + { + "url": "https://git.kernel.org/stable/c/f803532bc3825384100dfc58873e035d77248447" + }, + { + "url": "https://git.kernel.org/stable/c/febe794b83693257f21a23d2e03ea695a62449c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40988 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40988", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40988\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40988\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40988\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40988\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40988\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07e8f15fa16695cf4c90e89854e59af4a760055b\",\n \"https://git.kernel.org/stable/c/468a50fd46a09bba7ba18a11054ae64b6479ecdc\",\n \"https://git.kernel.org/stable/c/9e57611182a817824a17b1c3dd300ee74a174b42\",\n \"https://git.kernel.org/stable/c/a498df5421fd737d11bfd152428ba6b1c8538321\",\n \"https://git.kernel.org/stable/c/a8c6df9fe5bc390645d1e96eff14ffe414951aad\",\n \"https://git.kernel.org/stable/c/cf1cc8fcfe517e108794fb711f7faabfca0dc855\",\n \"https://git.kernel.org/stable/c/f803532bc3825384100dfc58873e035d77248447\",\n \"https://git.kernel.org/stable/c/febe794b83693257f21a23d2e03ea695a62449c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/radeon: fix UBSAN warning in kv_dpm.c\\n\\nAdds bounds check for sumo_vid_mapping_entry.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40988\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40989", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40989" + }, + { + "url": "https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8" + }, + { + "url": "https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76" + }, + { + "url": "https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c" + }, + { + "url": "https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40989 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40989", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\n\nWhen tearing down a redistributor region, make sure we don't have\nany dangling pointer to that region stored in a vcpu.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40989\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40989\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40989\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40989\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40989\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8\",\n \"https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76\",\n \"https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c\",\n \"https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\\n\\nWhen tearing down a redistributor region, make sure we don't have\\nany dangling pointer to that region stored in a vcpu.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40989\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40990", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40990" + }, + { + "url": "https://git.kernel.org/stable/c/1e692244bf7dd827dd72edc6c4a3b36ae572f03c" + }, + { + "url": "https://git.kernel.org/stable/c/36ab7ada64caf08f10ee5a114d39964d1f91e81d" + }, + { + "url": "https://git.kernel.org/stable/c/4ab99e3613139f026d2d8ba954819e2876120ab3" + }, + { + "url": "https://git.kernel.org/stable/c/7186b81c1f15e39069b1af172c6a951728ed3511" + }, + { + "url": "https://git.kernel.org/stable/c/999586418600b4b3b93c2a0edd3a4ca71ee759bf" + }, + { + "url": "https://git.kernel.org/stable/c/e0deb0e9c967b61420235f7f17a4450b4b4d6ce2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40990 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40990", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Add check for srq max_sge attribute\n\nmax_sge attribute is passed by the user, and is inserted and used\nunchecked, so verify that the value doesn't exceed maximum allowed value\nbefore using it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40990\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40990\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40990\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40990\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40990\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e692244bf7dd827dd72edc6c4a3b36ae572f03c\",\n \"https://git.kernel.org/stable/c/36ab7ada64caf08f10ee5a114d39964d1f91e81d\",\n \"https://git.kernel.org/stable/c/4ab99e3613139f026d2d8ba954819e2876120ab3\",\n \"https://git.kernel.org/stable/c/7186b81c1f15e39069b1af172c6a951728ed3511\",\n \"https://git.kernel.org/stable/c/999586418600b4b3b93c2a0edd3a4ca71ee759bf\",\n \"https://git.kernel.org/stable/c/e0deb0e9c967b61420235f7f17a4450b4b4d6ce2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/mlx5: Add check for srq max_sge attribute\\n\\nmax_sge attribute is passed by the user, and is inserted and used\\nunchecked, so verify that the value doesn't exceed maximum allowed value\\nbefore using it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40990\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40994", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40994" + }, + { + "url": "https://git.kernel.org/stable/c/4b03da87d0b7074c93d9662c6e1a8939f9b8b86e" + }, + { + "url": "https://git.kernel.org/stable/c/666e934d749e50a37f3796caaf843a605f115b6f" + }, + { + "url": "https://git.kernel.org/stable/c/81d23d2a24012e448f651e007fac2cfd20a45ce0" + }, + { + "url": "https://git.kernel.org/stable/c/d50d62d5e6ee6aa03c00bddb91745d0b632d3b0f" + }, + { + "url": "https://git.kernel.org/stable/c/e1fccfb4638ee6188377867f6015d0ce35764a8e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40994 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40994", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: fix integer overflow in max_vclocks_store\n\nOn 32bit systems, the \"4 * max\" multiply can overflow. Use kcalloc()\nto do the allocation to prevent this.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40994\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40994\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40994\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40994\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40994\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b03da87d0b7074c93d9662c6e1a8939f9b8b86e\",\n \"https://git.kernel.org/stable/c/666e934d749e50a37f3796caaf843a605f115b6f\",\n \"https://git.kernel.org/stable/c/81d23d2a24012e448f651e007fac2cfd20a45ce0\",\n \"https://git.kernel.org/stable/c/d50d62d5e6ee6aa03c00bddb91745d0b632d3b0f\",\n \"https://git.kernel.org/stable/c/e1fccfb4638ee6188377867f6015d0ce35764a8e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nptp: fix integer overflow in max_vclocks_store\\n\\nOn 32bit systems, the \\\"4 * max\\\" multiply can overflow. Use kcalloc()\\nto do the allocation to prevent this.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40994\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40995", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40995" + }, + { + "url": "https://git.kernel.org/stable/c/0d8a2d287c8a394c0d4653f0c6c7be4c688e5a74" + }, + { + "url": "https://git.kernel.org/stable/c/25987a97eec4d5f897cd04ee1b45170829c610da" + }, + { + "url": "https://git.kernel.org/stable/c/5f926aa96b08b6c47178fe1171e7ae331c695fc2" + }, + { + "url": "https://git.kernel.org/stable/c/6fc78d67f51aeb9a542d39a8714e16bc411582d4" + }, + { + "url": "https://git.kernel.org/stable/c/7a0e497b597df7c4cf2b63fc6e9188b6cabe5335" + }, + { + "url": "https://git.kernel.org/stable/c/c6a7da65a296745535a964be1019ec7691b0cb90" + }, + { + "url": "https://git.kernel.org/stable/c/d864319871b05fadd153e0aede4811ca7008f5d6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40995 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40995", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()\n\nsyzbot found hanging tasks waiting on rtnl_lock [1]\n\nA reproducer is available in the syzbot bug.\n\nWhen a request to add multiple actions with the same index is sent, the\nsecond request will block forever on the first request. This holds\nrtnl_lock, and causes tasks to hang.\n\nReturn -EAGAIN to prevent infinite looping, while keeping documented\nbehavior.\n\n[1]\n\nINFO: task kworker/1:0:5088 blocked for more than 143 seconds.\nNot tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000\nWorkqueue: events_power_efficient reg_check_chans_work\nCall Trace:\n\ncontext_switch kernel/sched/core.c:5409 [inline]\n__schedule+0xf15/0x5d00 kernel/sched/core.c:6746\n__schedule_loop kernel/sched/core.c:6823 [inline]\nschedule+0xe7/0x350 kernel/sched/core.c:6838\nschedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895\n__mutex_lock_common kernel/locking/mutex.c:684 [inline]\n__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752\nwiphy_lock include/net/cfg80211.h:5953 [inline]\nreg_leave_invalid_chans net/wireless/reg.c:2466 [inline]\nreg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40995\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40995\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40995\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40995\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40995\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d8a2d287c8a394c0d4653f0c6c7be4c688e5a74\",\n \"https://git.kernel.org/stable/c/25987a97eec4d5f897cd04ee1b45170829c610da\",\n \"https://git.kernel.org/stable/c/5f926aa96b08b6c47178fe1171e7ae331c695fc2\",\n \"https://git.kernel.org/stable/c/6fc78d67f51aeb9a542d39a8714e16bc411582d4\",\n \"https://git.kernel.org/stable/c/7a0e497b597df7c4cf2b63fc6e9188b6cabe5335\",\n \"https://git.kernel.org/stable/c/c6a7da65a296745535a964be1019ec7691b0cb90\",\n \"https://git.kernel.org/stable/c/d864319871b05fadd153e0aede4811ca7008f5d6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()\\n\\nsyzbot found hanging tasks waiting on rtnl_lock [1]\\n\\nA reproducer is available in the syzbot bug.\\n\\nWhen a request to add multiple actions with the same index is sent, the\\nsecond request will block forever on the first request. This holds\\nrtnl_lock, and causes tasks to hang.\\n\\nReturn -EAGAIN to prevent infinite looping, while keeping documented\\nbehavior.\\n\\n[1]\\n\\nINFO: task kworker/1:0:5088 blocked for more than 143 seconds.\\nNot tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0\\n\\\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\ntask:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000\\nWorkqueue: events_power_efficient reg_check_chans_work\\nCall Trace:\\n\\ncontext_switch kernel/sched/core.c:5409 [inline]\\n__schedule+0xf15/0x5d00 kernel/sched/core.c:6746\\n__schedule_loop kernel/sched/core.c:6823 [inline]\\nschedule+0xe7/0x350 kernel/sched/core.c:6838\\nschedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895\\n__mutex_lock_common kernel/locking/mutex.c:684 [inline]\\n__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752\\nwiphy_lock include/net/cfg80211.h:5953 [inline]\\nreg_leave_invalid_chans net/wireless/reg.c:2466 [inline]\\nreg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40995\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40997", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40997" + }, + { + "url": "https://git.kernel.org/stable/c/448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd" + }, + { + "url": "https://git.kernel.org/stable/c/8015c17fe11a8608cc3eb83d0ab831e1845a9582" + }, + { + "url": "https://git.kernel.org/stable/c/cea04f3d9aeebda9d9c063c0dfa71e739c322c81" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40997 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40997", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: fix memory leak on CPU EPP exit\n\nThe cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is\nnot freed in the analogous exit function, so fix that.\n\n[ rjw: Subject and changelog edits ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40997\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40997\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40997\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40997\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40997\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd\",\n \"https://git.kernel.org/stable/c/8015c17fe11a8608cc3eb83d0ab831e1845a9582\",\n \"https://git.kernel.org/stable/c/cea04f3d9aeebda9d9c063c0dfa71e739c322c81\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncpufreq: amd-pstate: fix memory leak on CPU EPP exit\\n\\nThe cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is\\nnot freed in the analogous exit function, so fix that.\\n\\n[ rjw: Subject and changelog edits ]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40997\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40998", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40998" + }, + { + "url": "https://git.kernel.org/stable/c/23afcd52af06880c6c913a0ad99022b8937b575c" + }, + { + "url": "https://git.kernel.org/stable/c/645267906944a9aeec9d5c56ee24a9096a288798" + }, + { + "url": "https://git.kernel.org/stable/c/b4b4fda34e535756f9e774fb2d09c4537b7dfd1c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40998 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40998", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()\n\nIn the following concurrency we will access the uninitialized rs->lock:\n\next4_fill_super\n ext4_register_sysfs\n // sysfs registered msg_ratelimit_interval_ms\n // Other processes modify rs->interval to\n // non-zero via msg_ratelimit_interval_ms\n ext4_orphan_cleanup\n ext4_msg(sb, KERN_INFO, \"Errors on filesystem, \"\n __ext4_msg\n ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)\n if (!rs->interval) // do nothing if interval is 0\n return 1;\n raw_spin_trylock_irqsave(&rs->lock, flags)\n raw_spin_trylock(lock)\n _raw_spin_trylock\n __raw_spin_trylock\n spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)\n lock_acquire\n __lock_acquire\n register_lock_class\n assign_lock_key\n dump_stack();\n ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);\n raw_spin_lock_init(&rs->lock);\n // init rs->lock here\n\nand get the following dump_stack:\n\n=========================================================\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504\n[...]\nCall Trace:\n dump_stack_lvl+0xc5/0x170\n dump_stack+0x18/0x30\n register_lock_class+0x740/0x7c0\n __lock_acquire+0x69/0x13a0\n lock_acquire+0x120/0x450\n _raw_spin_trylock+0x98/0xd0\n ___ratelimit+0xf6/0x220\n __ext4_msg+0x7f/0x160 [ext4]\n ext4_orphan_cleanup+0x665/0x740 [ext4]\n __ext4_fill_super+0x21ea/0x2b10 [ext4]\n ext4_fill_super+0x14d/0x360 [ext4]\n[...]\n=========================================================\n\nNormally interval is 0 until s_msg_ratelimit_state is initialized, so\n___ratelimit() does nothing. But registering sysfs precedes initializing\nrs->lock, so it is possible to change rs->interval to a non-zero value\nvia the msg_ratelimit_interval_ms interface of sysfs while rs->lock is\nuninitialized, and then a call to ext4_msg triggers the problem by\naccessing an uninitialized rs->lock. Therefore register sysfs after all\ninitializations are complete to avoid such problems.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40998\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40998\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40998\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40998\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40998\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23afcd52af06880c6c913a0ad99022b8937b575c\",\n \"https://git.kernel.org/stable/c/645267906944a9aeec9d5c56ee24a9096a288798\",\n \"https://git.kernel.org/stable/c/b4b4fda34e535756f9e774fb2d09c4537b7dfd1c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()\\n\\nIn the following concurrency we will access the uninitialized rs->lock:\\n\\next4_fill_super\\n ext4_register_sysfs\\n // sysfs registered msg_ratelimit_interval_ms\\n // Other processes modify rs->interval to\\n // non-zero via msg_ratelimit_interval_ms\\n ext4_orphan_cleanup\\n ext4_msg(sb, KERN_INFO, \\\"Errors on filesystem, \\\"\\n __ext4_msg\\n ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)\\n if (!rs->interval) // do nothing if interval is 0\\n return 1;\\n raw_spin_trylock_irqsave(&rs->lock, flags)\\n raw_spin_trylock(lock)\\n _raw_spin_trylock\\n __raw_spin_trylock\\n spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)\\n lock_acquire\\n __lock_acquire\\n register_lock_class\\n assign_lock_key\\n dump_stack();\\n ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);\\n raw_spin_lock_init(&rs->lock);\\n // init rs->lock here\\n\\nand get the following dump_stack:\\n\\n=========================================================\\nINFO: trying to register non-static key.\\nThe code is fine but needs lockdep annotation, or maybe\\nyou didn't initialize this object before use?\\nturning off the locking correctness validator.\\nCPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504\\n[...]\\nCall Trace:\\n dump_stack_lvl+0xc5/0x170\\n dump_stack+0x18/0x30\\n register_lock_class+0x740/0x7c0\\n __lock_acquire+0x69/0x13a0\\n lock_acquire+0x120/0x450\\n _raw_spin_trylock+0x98/0xd0\\n ___ratelimit+0xf6/0x220\\n __ext4_msg+0x7f/0x160 [ext4]\\n ext4_orphan_cleanup+0x665/0x740 [ext4]\\n __ext4_fill_super+0x21ea/0x2b10 [ext4]\\n ext4_fill_super+0x14d/0x360 [ext4]\\n[...]\\n=========================================================\\n\\nNormally interval is 0 until s_msg_ratelimit_state is initialized, so\\n___ratelimit() does nothing. But registering sysfs precedes initializing\\nrs->lock, so it is possible to change rs->interval to a non-zero value\\nvia the msg_ratelimit_interval_ms interface of sysfs while rs->lock is\\nuninitialized, and then a call to ext4_msg triggers the problem by\\naccessing an uninitialized rs->lock. Therefore register sysfs after all\\ninitializations are complete to avoid such problems.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40998\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-40999", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-40999" + }, + { + "url": "https://git.kernel.org/stable/c/42146ee5286f16f1674a84f7c274dcca65c6ff2e" + }, + { + "url": "https://git.kernel.org/stable/c/b37b98a3a0c1198bafe8c2d9ce0bc845b4e7a9a7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-40999 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-40999", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Add validation for completion descriptors consistency\n\nValidate that `first` flag is set only for the first\ndescriptor in multi-buffer packets.\nIn case of an invalid descriptor, a reset will occur.\nA new reset reason for RX data corruption has been added.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-40999\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-40999\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-40999\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-40999\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-40999\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/42146ee5286f16f1674a84f7c274dcca65c6ff2e\",\n \"https://git.kernel.org/stable/c/b37b98a3a0c1198bafe8c2d9ce0bc845b4e7a9a7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ena: Add validation for completion descriptors consistency\\n\\nValidate that `first` flag is set only for the first\\ndescriptor in multi-buffer packets.\\nIn case of an invalid descriptor, a reset will occur.\\nA new reset reason for RX data corruption has been added.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-40999\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41000", + "severity": "Low" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41000" + }, + { + "url": "https://git.kernel.org/stable/c/3220c90f4dbdc6d20d0608b164d964434a810d66" + }, + { + "url": "https://git.kernel.org/stable/c/54160fb1db2de367485f21e30196c42f7ee0be4e" + }, + { + "url": "https://git.kernel.org/stable/c/58706e482bf45c4db48b0c53aba2468c97adda24" + }, + { + "url": "https://git.kernel.org/stable/c/61ec76ec930709b7bcd69029ef1fe90491f20cf9" + }, + { + "url": "https://git.kernel.org/stable/c/ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9" + }, + { + "url": "https://git.kernel.org/stable/c/fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41000 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41000", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/ioctl: prefer different overflow check\n\nRunning syzkaller with the newly reintroduced signed integer overflow\nsanitizer shows this report:\n\n[ 62.982337] ------------[ cut here ]------------\n[ 62.985692] cgroup: Invalid name\n[ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46\n[ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1\n[ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'\n[ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1\n[ 62.999369] random: crng reseeded on system resumption\n[ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)\n[ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 63.000682] Call Trace:\n[ 63.000686] \n[ 63.000731] dump_stack_lvl+0x93/0xd0\n[ 63.000919] __get_user_pages+0x903/0xd30\n[ 63.001030] __gup_longterm_locked+0x153e/0x1ba0\n[ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50\n[ 63.001072] ? try_get_folio+0x29c/0x2d0\n[ 63.001083] internal_get_user_pages_fast+0x1119/0x1530\n[ 63.001109] iov_iter_extract_pages+0x23b/0x580\n[ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220\n[ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410\n[ 63.001297] __iomap_dio_rw+0xab4/0x1810\n[ 63.001316] iomap_dio_rw+0x45/0xa0\n[ 63.001328] ext4_file_write_iter+0xdde/0x1390\n[ 63.001372] vfs_write+0x599/0xbd0\n[ 63.001394] ksys_write+0xc8/0x190\n[ 63.001403] do_syscall_64+0xd4/0x1b0\n[ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60\n[ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77\n[ 63.001535] RIP: 0033:0x7f7fd3ebf539\n[ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\n[ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539\n[ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004\n[ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000\n[ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8\n...\n[ 63.018142] ---[ end trace ]---\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang; It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rework this overflow checking logic to not actually perform an\noverflow during the check itself, thus avoiding the UBSAN splat.\n\n[1]: https://github.com/llvm/llvm-project/pull/82432", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41000\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41000\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41000\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41000\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41000\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3220c90f4dbdc6d20d0608b164d964434a810d66\",\n \"https://git.kernel.org/stable/c/54160fb1db2de367485f21e30196c42f7ee0be4e\",\n \"https://git.kernel.org/stable/c/58706e482bf45c4db48b0c53aba2468c97adda24\",\n \"https://git.kernel.org/stable/c/61ec76ec930709b7bcd69029ef1fe90491f20cf9\",\n \"https://git.kernel.org/stable/c/ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9\",\n \"https://git.kernel.org/stable/c/fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock/ioctl: prefer different overflow check\\n\\nRunning syzkaller with the newly reintroduced signed integer overflow\\nsanitizer shows this report:\\n\\n[ 62.982337] ------------[ cut here ]------------\\n[ 62.985692] cgroup: Invalid name\\n[ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46\\n[ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1\\n[ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'\\n[ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1\\n[ 62.999369] random: crng reseeded on system resumption\\n[ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)\\n[ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\\n[ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\\n[ 63.000682] Call Trace:\\n[ 63.000686] \\n[ 63.000731] dump_stack_lvl+0x93/0xd0\\n[ 63.000919] __get_user_pages+0x903/0xd30\\n[ 63.001030] __gup_longterm_locked+0x153e/0x1ba0\\n[ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50\\n[ 63.001072] ? try_get_folio+0x29c/0x2d0\\n[ 63.001083] internal_get_user_pages_fast+0x1119/0x1530\\n[ 63.001109] iov_iter_extract_pages+0x23b/0x580\\n[ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220\\n[ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410\\n[ 63.001297] __iomap_dio_rw+0xab4/0x1810\\n[ 63.001316] iomap_dio_rw+0x45/0xa0\\n[ 63.001328] ext4_file_write_iter+0xdde/0x1390\\n[ 63.001372] vfs_write+0x599/0xbd0\\n[ 63.001394] ksys_write+0xc8/0x190\\n[ 63.001403] do_syscall_64+0xd4/0x1b0\\n[ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60\\n[ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77\\n[ 63.001535] RIP: 0033:0x7f7fd3ebf539\\n[ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\\n[ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\n[ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539\\n[ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004\\n[ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000\\n[ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\\n[ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8\\n...\\n[ 63.018142] ---[ end trace ]---\\n\\nHistorically, the signed integer overflow sanitizer did not work in the\\nkernel due to its interaction with `-fwrapv` but this has since been\\nchanged [1] in the newest version of Clang; It was re-enabled in the\\nkernel with Commit 557f8c582a9ba8ab (\\\"ubsan: Reintroduce signed overflow\\nsanitizer\\\").\\n\\nLet's rework this overflow checking logic to not actually perform an\\noverflow during the check itself, thus avoiding the UBSAN splat.\\n\\n[1]: https://github.com/llvm/llvm-project/pull/82432\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41000\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41001", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41001" + }, + { + "url": "https://git.kernel.org/stable/c/55c22375cbaa24f77dd13f9ae0642915444a1227" + }, + { + "url": "https://git.kernel.org/stable/c/9e810bd995823786ea30543e480e8a573e5e5667" + }, + { + "url": "https://git.kernel.org/stable/c/a40e90d9304629002fb17200f7779823a81191d3" + }, + { + "url": "https://git.kernel.org/stable/c/c4ce0ab27646f4206a9eb502d6fe45cb080e1cae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41001 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41001", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/sqpoll: work around a potential audit memory leak\n\nkmemleak complains that there's a memory leak related to connect\nhandling:\n\nunreferenced object 0xffff0001093bdf00 (size 128):\ncomm \"iou-sqp-455\", pid 457, jiffies 4294894164\nhex dump (first 32 bytes):\n02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace (crc 2e481b1a):\n[<00000000c0a26af4>] kmemleak_alloc+0x30/0x38\n[<000000009c30bb45>] kmalloc_trace+0x228/0x358\n[<000000009da9d39f>] __audit_sockaddr+0xd0/0x138\n[<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8\n[<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4\n[<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48\n[<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4\n[<00000000d999b491>] ret_from_fork+0x10/0x20\n\nwhich can can happen if:\n\n1) The command type does something on the prep side that triggers an\n audit call.\n2) The thread hasn't done any operations before this that triggered\n an audit call inside ->issue(), where we have audit_uring_entry()\n and audit_uring_exit().\n\nWork around this by issuing a blanket NOP operation before the SQPOLL\ndoes anything.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41001\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41001\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41001\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41001\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41001\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/55c22375cbaa24f77dd13f9ae0642915444a1227\",\n \"https://git.kernel.org/stable/c/9e810bd995823786ea30543e480e8a573e5e5667\",\n \"https://git.kernel.org/stable/c/a40e90d9304629002fb17200f7779823a81191d3\",\n \"https://git.kernel.org/stable/c/c4ce0ab27646f4206a9eb502d6fe45cb080e1cae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring/sqpoll: work around a potential audit memory leak\\n\\nkmemleak complains that there's a memory leak related to connect\\nhandling:\\n\\nunreferenced object 0xffff0001093bdf00 (size 128):\\ncomm \\\"iou-sqp-455\\\", pid 457, jiffies 4294894164\\nhex dump (first 32 bytes):\\n02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00 ................\\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\nbacktrace (crc 2e481b1a):\\n[<00000000c0a26af4>] kmemleak_alloc+0x30/0x38\\n[<000000009c30bb45>] kmalloc_trace+0x228/0x358\\n[<000000009da9d39f>] __audit_sockaddr+0xd0/0x138\\n[<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8\\n[<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4\\n[<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48\\n[<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4\\n[<00000000d999b491>] ret_from_fork+0x10/0x20\\n\\nwhich can can happen if:\\n\\n1) The command type does something on the prep side that triggers an\\n audit call.\\n2) The thread hasn't done any operations before this that triggered\\n an audit call inside ->issue(), where we have audit_uring_entry()\\n and audit_uring_exit().\\n\\nWork around this by issuing a blanket NOP operation before the SQPOLL\\ndoes anything.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41001\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41002", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41002" + }, + { + "url": "https://git.kernel.org/stable/c/36810d2db3496bb8b4db7ccda666674a5efc7b47" + }, + { + "url": "https://git.kernel.org/stable/c/7c42ce556ff65995c8875c9ed64141c14238e7e6" + }, + { + "url": "https://git.kernel.org/stable/c/9f21886370db451b0fdc651f6e41550a1da70601" + }, + { + "url": "https://git.kernel.org/stable/c/a886bcb0f67d1e3d6b2da25b3519de59098200c2" + }, + { + "url": "https://git.kernel.org/stable/c/bba4250757b4ae1680fea435a358d8093f254094" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41002 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41002", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/sec - Fix memory leak for sec resource release\n\nThe AIV is one of the SEC resources. When releasing resources,\nit need to release the AIV resources at the same time.\nOtherwise, memory leakage occurs.\n\nThe aiv resource release is added to the sec resource release\nfunction.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41002\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41002\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41002\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41002\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41002\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36810d2db3496bb8b4db7ccda666674a5efc7b47\",\n \"https://git.kernel.org/stable/c/7c42ce556ff65995c8875c9ed64141c14238e7e6\",\n \"https://git.kernel.org/stable/c/9f21886370db451b0fdc651f6e41550a1da70601\",\n \"https://git.kernel.org/stable/c/a886bcb0f67d1e3d6b2da25b3519de59098200c2\",\n \"https://git.kernel.org/stable/c/bba4250757b4ae1680fea435a358d8093f254094\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: hisilicon/sec - Fix memory leak for sec resource release\\n\\nThe AIV is one of the SEC resources. When releasing resources,\\nit need to release the AIV resources at the same time.\\nOtherwise, memory leakage occurs.\\n\\nThe aiv resource release is added to the sec resource release\\nfunction.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41002\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41004", + "severity": "Negligible" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41004" + }, + { + "url": "https://git.kernel.org/stable/c/32ef4dc2b1caf5825c0cf50646479608311cafc3" + }, + { + "url": "https://git.kernel.org/stable/c/3572bd5689b0812b161b40279e39ca5b66d73e88" + }, + { + "url": "https://git.kernel.org/stable/c/55d5d08174366efe57ca9e79964828b20c626c45" + }, + { + "url": "https://git.kernel.org/stable/c/72a0199b361df2387018697b023fdcdd357449a9" + }, + { + "url": "https://git.kernel.org/stable/c/98a7bfc48fffe170a60d87a5cbb7cdddf08184c3" + }, + { + "url": "https://git.kernel.org/stable/c/a85bae262ccecc52a40c466ec067f6c915e0839d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41004 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41004", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Build event generation tests only as modules\n\nThe kprobes and synth event generation test modules add events and lock\n(get a reference) those event file reference in module init function,\nand unlock and delete it in module exit function. This is because those\nare designed for playing as modules.\n\nIf we make those modules as built-in, those events are left locked in the\nkernel, and never be removed. This causes kprobe event self-test failure\nas below.\n\n[ 97.349708] ------------[ cut here ]------------\n[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.357106] Modules linked in:\n[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14\n[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90\n[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286\n[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000\n[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68\n[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000\n[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000\n[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000\n[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0\n[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 97.391196] Call Trace:\n[ 97.391967] \n[ 97.392647] ? __warn+0xcc/0x180\n[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.395181] ? report_bug+0xbd/0x150\n[ 97.396234] ? handle_bug+0x3e/0x60\n[ 97.397311] ? exc_invalid_op+0x1a/0x50\n[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20\n[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20\n[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90\n[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.403773] ? init_kprobe_trace+0x50/0x50\n[ 97.404972] do_one_initcall+0x112/0x240\n[ 97.406113] do_initcall_level+0x95/0xb0\n[ 97.407286] ? kernel_init+0x1a/0x1a0\n[ 97.408401] do_initcalls+0x3f/0x70\n[ 97.409452] kernel_init_freeable+0x16f/0x1e0\n[ 97.410662] ? rest_init+0x1f0/0x1f0\n[ 97.411738] kernel_init+0x1a/0x1a0\n[ 97.412788] ret_from_fork+0x39/0x50\n[ 97.413817] ? rest_init+0x1f0/0x1f0\n[ 97.414844] ret_from_fork_asm+0x11/0x20\n[ 97.416285] \n[ 97.417134] irq event stamp: 13437323\n[ 97.418376] hardirqs last enabled at (13437337): [] console_unlock+0x11c/0x150\n[ 97.421285] hardirqs last disabled at (13437370): [] console_unlock+0x101/0x150\n[ 97.423838] softirqs last enabled at (13437366): [] handle_softirqs+0x23f/0x2a0\n[ 97.426450] softirqs last disabled at (13437393): [] __irq_exit_rcu+0x66/0xd0\n[ 97.428850] ---[ end trace 0000000000000000 ]---\n\nAnd also, since we can not cleanup dynamic_event file, ftracetest are\nfailed too.\n\nTo avoid these issues, build these tests only as modules.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41004\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41004\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Negligible\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41004\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41004\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41004\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/32ef4dc2b1caf5825c0cf50646479608311cafc3\",\n \"https://git.kernel.org/stable/c/3572bd5689b0812b161b40279e39ca5b66d73e88\",\n \"https://git.kernel.org/stable/c/55d5d08174366efe57ca9e79964828b20c626c45\",\n \"https://git.kernel.org/stable/c/72a0199b361df2387018697b023fdcdd357449a9\",\n \"https://git.kernel.org/stable/c/98a7bfc48fffe170a60d87a5cbb7cdddf08184c3\",\n \"https://git.kernel.org/stable/c/a85bae262ccecc52a40c466ec067f6c915e0839d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Build event generation tests only as modules\\n\\nThe kprobes and synth event generation test modules add events and lock\\n(get a reference) those event file reference in module init function,\\nand unlock and delete it in module exit function. This is because those\\nare designed for playing as modules.\\n\\nIf we make those modules as built-in, those events are left locked in the\\nkernel, and never be removed. This causes kprobe event self-test failure\\nas below.\\n\\n[ 97.349708] ------------[ cut here ]------------\\n[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480\\n[ 97.357106] Modules linked in:\\n[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14\\n[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\n[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480\\n[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90\\n[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286\\n[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000\\n[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68\\n[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\\n[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000\\n[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000\\n[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000\\n[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0\\n[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 97.391196] Call Trace:\\n[ 97.391967] \\n[ 97.392647] ? __warn+0xcc/0x180\\n[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480\\n[ 97.395181] ? report_bug+0xbd/0x150\\n[ 97.396234] ? handle_bug+0x3e/0x60\\n[ 97.397311] ? exc_invalid_op+0x1a/0x50\\n[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20\\n[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20\\n[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90\\n[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480\\n[ 97.403773] ? init_kprobe_trace+0x50/0x50\\n[ 97.404972] do_one_initcall+0x112/0x240\\n[ 97.406113] do_initcall_level+0x95/0xb0\\n[ 97.407286] ? kernel_init+0x1a/0x1a0\\n[ 97.408401] do_initcalls+0x3f/0x70\\n[ 97.409452] kernel_init_freeable+0x16f/0x1e0\\n[ 97.410662] ? rest_init+0x1f0/0x1f0\\n[ 97.411738] kernel_init+0x1a/0x1a0\\n[ 97.412788] ret_from_fork+0x39/0x50\\n[ 97.413817] ? rest_init+0x1f0/0x1f0\\n[ 97.414844] ret_from_fork_asm+0x11/0x20\\n[ 97.416285] \\n[ 97.417134] irq event stamp: 13437323\\n[ 97.418376] hardirqs last enabled at (13437337): [] console_unlock+0x11c/0x150\\n[ 97.421285] hardirqs last disabled at (13437370): [] console_unlock+0x101/0x150\\n[ 97.423838] softirqs last enabled at (13437366): [] handle_softirqs+0x23f/0x2a0\\n[ 97.426450] softirqs last disabled at (13437393): [] __irq_exit_rcu+0x66/0xd0\\n[ 97.428850] ---[ end trace 0000000000000000 ]---\\n\\nAnd also, since we can not cleanup dynamic_event file, ftracetest are\\nfailed too.\\n\\nTo avoid these issues, build these tests only as modules.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "skipped", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41004\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00", + "skip_message": "Manual review required because a Anchore Grype rating severity is set to `negligible` or `unknown`." + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41005", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41005" + }, + { + "url": "https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d" + }, + { + "url": "https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265" + }, + { + "url": "https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c" + }, + { + "url": "https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57" + }, + { + "url": "https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916" + }, + { + "url": "https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41005 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41005", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetpoll: Fix race condition in netpoll_owner_active\n\nKCSAN detected a race condition in netpoll:\n\n\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\n\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\n\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\n\n\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\n\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\n\tnetpoll_send_udp (net/core/netpoll.c:?)\n\n\tvalue changed: 0x0000000a -> 0xffffffff\n\nThis happens because netpoll_owner_active() needs to check if the\ncurrent CPU is the owner of the lock, touching napi->poll_owner\nnon atomically. The ->poll_owner field contains the current CPU holding\nthe lock.\n\nUse an atomic read to check if the poll owner is the current CPU.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41005\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41005\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41005\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41005\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41005\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d\",\n \"https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265\",\n \"https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c\",\n \"https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57\",\n \"https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916\",\n \"https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetpoll: Fix race condition in netpoll_owner_active\\n\\nKCSAN detected a race condition in netpoll:\\n\\n\\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\\n\\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\\n\\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\\n\\n\\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\\n\\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\\n\\tnetpoll_send_udp (net/core/netpoll.c:?)\\n\\n\\tvalue changed: 0x0000000a -> 0xffffffff\\n\\nThis happens because netpoll_owner_active() needs to check if the\\ncurrent CPU is the owner of the lock, touching napi->poll_owner\\nnon atomically. The ->poll_owner field contains the current CPU holding\\nthe lock.\\n\\nUse an atomic read to check if the poll owner is the current CPU.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41005\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41006", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41006" + }, + { + "url": "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735" + }, + { + "url": "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937" + }, + { + "url": "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba" + }, + { + "url": "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b" + }, + { + "url": "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8" + }, + { + "url": "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712" + }, + { + "url": "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c" + }, + { + "url": "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41006 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41006", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\n\nsyzbot reported a memory leak in nr_create() [0].\n\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\n\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\n\nnr_connect\n nr_establish_data_link\n nr_start_heartbeat\n\nnr_release\n switch (nr->state)\n case NR_STATE_3\n nr->state = NR_STATE_2\n sock_set_flag(sk, SOCK_DESTROY);\n\n nr_rx_frame\n nr_process_rx_frame\n switch (nr->state)\n case NR_STATE_2\n nr_state2_machine()\n nr_disconnect()\n nr_sk(sk)->state = NR_STATE_0\n sock_set_flag(sk, SOCK_DEAD)\n\n nr_heartbeat_expiry\n switch (nr->state)\n case NR_STATE_0\n if (sock_flag(sk, SOCK_DESTROY) ||\n (sk->sk_state == TCP_LISTEN\n && sock_flag(sk, SOCK_DEAD)))\n sock_hold() // ( !!! )\n nr_destroy_socket()\n\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41006\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41006\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41006\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41006\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41006\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735\",\n \"https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937\",\n \"https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba\",\n \"https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b\",\n \"https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8\",\n \"https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712\",\n \"https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c\",\n \"https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\\n\\nsyzbot reported a memory leak in nr_create() [0].\\n\\nCommit 409db27e3a2e (\\\"netrom: Fix use-after-free of a listening socket.\\\")\\nadded sock_hold() to the nr_heartbeat_expiry() function, where\\na) a socket has a SOCK_DESTROY flag or\\nb) a listening socket has a SOCK_DEAD flag.\\n\\nBut in the case \\\"a,\\\" when the SOCK_DESTROY flag is set, the file descriptor\\nhas already been closed and the nr_release() function has been called.\\nSo it makes no sense to hold the reference count because no one will\\ncall another nr_destroy_socket() and put it as in the case \\\"b.\\\"\\n\\nnr_connect\\n nr_establish_data_link\\n nr_start_heartbeat\\n\\nnr_release\\n switch (nr->state)\\n case NR_STATE_3\\n nr->state = NR_STATE_2\\n sock_set_flag(sk, SOCK_DESTROY);\\n\\n nr_rx_frame\\n nr_process_rx_frame\\n switch (nr->state)\\n case NR_STATE_2\\n nr_state2_machine()\\n nr_disconnect()\\n nr_sk(sk)->state = NR_STATE_0\\n sock_set_flag(sk, SOCK_DEAD)\\n\\n nr_heartbeat_expiry\\n switch (nr->state)\\n case NR_STATE_0\\n if (sock_flag(sk, SOCK_DESTROY) ||\\n (sk->sk_state == TCP_LISTEN\\n && sock_flag(sk, SOCK_DEAD)))\\n sock_hold() // ( !!! )\\n nr_destroy_socket()\\n\\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\\n\\nFound by InfoTeCS on behalf of Linux Verification Center\\n(linuxtesting.org) with Syzkaller.\\n\\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41006\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41007", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41007" + }, + { + "url": "https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570" + }, + { + "url": "https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982" + }, + { + "url": "https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b05462570a5be1" + }, + { + "url": "https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4" + }, + { + "url": "https://git.kernel.org/stable/c/97a9063518f198ec0adb2ecb89789de342bb8283" + }, + { + "url": "https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969" + }, + { + "url": "https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde" + }, + { + "url": "https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41007 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41007", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: avoid too many retransmit packets\n\nIf a TCP socket is using TCP_USER_TIMEOUT, and the other peer\nretracted its window to zero, tcp_retransmit_timer() can\nretransmit a packet every two jiffies (2 ms for HZ=1000),\nfor about 4 minutes after TCP_USER_TIMEOUT has 'expired'.\n\nThe fix is to make sure tcp_rtx_probe0_timed_out() takes\nicsk->icsk_user_timeout into account.\n\nBefore blamed commit, the socket would not timeout after\nicsk->icsk_user_timeout, but would use standard exponential\nbackoff for the retransmits.\n\nAlso worth noting that before commit e89688e3e978 (\"net: tcp:\nfix unexcepted socket die when snd_wnd is 0\"), the issue\nwould last 2 minutes instead of 4.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41007\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41007\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41007\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41007\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41007\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570\",\n \"https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982\",\n \"https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b05462570a5be1\",\n \"https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4\",\n \"https://git.kernel.org/stable/c/97a9063518f198ec0adb2ecb89789de342bb8283\",\n \"https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969\",\n \"https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde\",\n \"https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: avoid too many retransmit packets\\n\\nIf a TCP socket is using TCP_USER_TIMEOUT, and the other peer\\nretracted its window to zero, tcp_retransmit_timer() can\\nretransmit a packet every two jiffies (2 ms for HZ=1000),\\nfor about 4 minutes after TCP_USER_TIMEOUT has 'expired'.\\n\\nThe fix is to make sure tcp_rtx_probe0_timed_out() takes\\nicsk->icsk_user_timeout into account.\\n\\nBefore blamed commit, the socket would not timeout after\\nicsk->icsk_user_timeout, but would use standard exponential\\nbackoff for the retransmits.\\n\\nAlso worth noting that before commit e89688e3e978 (\\\"net: tcp:\\nfix unexcepted socket die when snd_wnd is 0\\\"), the issue\\nwould last 2 minutes instead of 4.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\n \"metrics\": {\n \"baseScore\": 3.3,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41007\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41008", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41008" + }, + { + "url": "https://git.kernel.org/stable/c/b8f67b9ddf4f8fe6dd536590712b5912ad78f99c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41008 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41008", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: change vm->task_info handling\n\nThis patch changes the handling and lifecycle of vm->task_info object.\nThe major changes are:\n- vm->task_info is a dynamically allocated ptr now, and its uasge is\n reference counted.\n- introducing two new helper funcs for task_info lifecycle management\n - amdgpu_vm_get_task_info: reference counts up task_info before\n returning this info\n - amdgpu_vm_put_task_info: reference counts down task_info\n- last put to task_info() frees task_info from the vm.\n\nThis patch also does logistical changes required for existing usage\nof vm->task_info.\n\nV2: Do not block all the prints when task_info not found (Felix)\n\nV3: Fixed review comments from Felix\n - Fix wrong indentation\n - No debug message for -ENOMEM\n - Add NULL check for task_info\n - Do not duplicate the debug messages (ti vs no ti)\n - Get first reference of task_info in vm_init(), put last\n in vm_fini()\n\nV4: Fixed review comments from Felix\n - fix double reference increment in create_task_info\n - change amdgpu_vm_get_task_info_pasid\n - additional changes in amdgpu_gem.c while porting", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41008\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41008\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41008\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41008\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41008\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/b8f67b9ddf4f8fe6dd536590712b5912ad78f99c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: change vm->task_info handling\\n\\nThis patch changes the handling and lifecycle of vm->task_info object.\\nThe major changes are:\\n- vm->task_info is a dynamically allocated ptr now, and its uasge is\\n reference counted.\\n- introducing two new helper funcs for task_info lifecycle management\\n - amdgpu_vm_get_task_info: reference counts up task_info before\\n returning this info\\n - amdgpu_vm_put_task_info: reference counts down task_info\\n- last put to task_info() frees task_info from the vm.\\n\\nThis patch also does logistical changes required for existing usage\\nof vm->task_info.\\n\\nV2: Do not block all the prints when task_info not found (Felix)\\n\\nV3: Fixed review comments from Felix\\n - Fix wrong indentation\\n - No debug message for -ENOMEM\\n - Add NULL check for task_info\\n - Do not duplicate the debug messages (ti vs no ti)\\n - Get first reference of task_info in vm_init(), put last\\n in vm_fini()\\n\\nV4: Fixed review comments from Felix\\n - fix double reference increment in create_task_info\\n - change amdgpu_vm_get_task_info_pasid\\n - additional changes in amdgpu_gem.c while porting\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41008\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41009", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41009" + }, + { + "url": "https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4" + }, + { + "url": "https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225" + }, + { + "url": "https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069" + }, + { + "url": "https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f" + }, + { + "url": "https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881" + }, + { + "url": "https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41009 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41009", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix overrunning reservations in ringbuf\n\nThe BPF ring buffer internally is implemented as a power-of-2 sized circular\nbuffer, with two logical and ever-increasing counters: consumer_pos is the\nconsumer counter to show which logical position the consumer consumed the\ndata, and producer_pos which is the producer counter denoting the amount of\ndata reserved by all producers.\n\nEach time a record is reserved, the producer that \"owns\" the record will\nsuccessfully advance producer counter. In user space each time a record is\nread, the consumer of the data advanced the consumer counter once it finished\nprocessing. Both counters are stored in separate pages so that from user\nspace, the producer counter is read-only and the consumer counter is read-write.\n\nOne aspect that simplifies and thus speeds up the implementation of both\nproducers and consumers is how the data area is mapped twice contiguously\nback-to-back in the virtual memory, allowing to not take any special measures\nfor samples that have to wrap around at the end of the circular buffer data\narea, because the next page after the last data page would be first data page\nagain, and thus the sample will still appear completely contiguous in virtual\nmemory.\n\nEach record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for\nbook-keeping the length and offset, and is inaccessible to the BPF program.\nHelpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`\nfor the BPF program to use. Bing-Jhong and Muhammad reported that it is however\npossible to make a second allocated memory chunk overlapping with the first\nchunk and as a result, the BPF program is now able to edit first chunk's\nheader.\n\nFor example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size\nof 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to\nbpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in\n[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets\nallocate a chunk B with size 0x3000. This will succeed because consumer_pos\nwas edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`\ncheck. Chunk B will be in range [0x3008,0x6010], and the BPF program is able\nto edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned\nearlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data\npages. This means that chunk B at [0x4000,0x4008] is chunk A's header.\nbpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then\nlocate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk\nB modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong\npage and could cause a crash.\n\nFix it by calculating the oldest pending_pos and check whether the range\nfrom the oldest outstanding record to the newest would span beyond the ring\nbuffer size. If that is the case, then reject the request. We've tested with\nthe ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)\nbefore/after the fix and while it seems a bit slower on some benchmarks, it\nis still not significantly enough to matter.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41009\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41009\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41009\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41009\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41009\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4\",\n \"https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225\",\n \"https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069\",\n \"https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f\",\n \"https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881\",\n \"https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix overrunning reservations in ringbuf\\n\\nThe BPF ring buffer internally is implemented as a power-of-2 sized circular\\nbuffer, with two logical and ever-increasing counters: consumer_pos is the\\nconsumer counter to show which logical position the consumer consumed the\\ndata, and producer_pos which is the producer counter denoting the amount of\\ndata reserved by all producers.\\n\\nEach time a record is reserved, the producer that \\\"owns\\\" the record will\\nsuccessfully advance producer counter. In user space each time a record is\\nread, the consumer of the data advanced the consumer counter once it finished\\nprocessing. Both counters are stored in separate pages so that from user\\nspace, the producer counter is read-only and the consumer counter is read-write.\\n\\nOne aspect that simplifies and thus speeds up the implementation of both\\nproducers and consumers is how the data area is mapped twice contiguously\\nback-to-back in the virtual memory, allowing to not take any special measures\\nfor samples that have to wrap around at the end of the circular buffer data\\narea, because the next page after the last data page would be first data page\\nagain, and thus the sample will still appear completely contiguous in virtual\\nmemory.\\n\\nEach record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for\\nbook-keeping the length and offset, and is inaccessible to the BPF program.\\nHelpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`\\nfor the BPF program to use. Bing-Jhong and Muhammad reported that it is however\\npossible to make a second allocated memory chunk overlapping with the first\\nchunk and as a result, the BPF program is now able to edit first chunk's\\nheader.\\n\\nFor example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size\\nof 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to\\nbpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in\\n[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets\\nallocate a chunk B with size 0x3000. This will succeed because consumer_pos\\nwas edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`\\ncheck. Chunk B will be in range [0x3008,0x6010], and the BPF program is able\\nto edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned\\nearlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data\\npages. This means that chunk B at [0x4000,0x4008] is chunk A's header.\\nbpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then\\nlocate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk\\nB modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong\\npage and could cause a crash.\\n\\nFix it by calculating the oldest pending_pos and check whether the range\\nfrom the oldest outstanding record to the newest would span beyond the ring\\nbuffer size. If that is the case, then reject the request. We've tested with\\nthe ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)\\nbefore/after the fix and while it seems a bit slower on some benchmarks, it\\nis still not significantly enough to matter.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41009\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41011", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41011" + }, + { + "url": "https://git.kernel.org/stable/c/4b4cff994a27ebf7bd3fb9a798a1cdfa8d01b724" + }, + { + "url": "https://git.kernel.org/stable/c/6186c93560889265bfe0914609c274eff40bbeb5" + }, + { + "url": "https://git.kernel.org/stable/c/89fffbdf535ce659c1a26b51ad62070566e33b28" + }, + { + "url": "https://git.kernel.org/stable/c/be4a2a81b6b90d1a47eaeaace4cc8e2cb57b96c7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41011 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41011", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: don't allow mapping the MMIO HDP page with large pages\n\nWe don't get the right offset in that case. The GPU has\nan unused 4K area of the register BAR space into which you can\nremap registers. We remap the HDP flush registers into this\nspace to allow userspace (CPU or GPU) to flush the HDP when it\nupdates VRAM. However, on systems with >4K pages, we end up\nexposing PAGE_SIZE of MMIO space.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41011\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41011\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41011\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41011\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41011\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b4cff994a27ebf7bd3fb9a798a1cdfa8d01b724\",\n \"https://git.kernel.org/stable/c/6186c93560889265bfe0914609c274eff40bbeb5\",\n \"https://git.kernel.org/stable/c/89fffbdf535ce659c1a26b51ad62070566e33b28\",\n \"https://git.kernel.org/stable/c/be4a2a81b6b90d1a47eaeaace4cc8e2cb57b96c7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdkfd: don't allow mapping the MMIO HDP page with large pages\\n\\nWe don't get the right offset in that case. The GPU has\\nan unused 4K area of the register BAR space into which you can\\nremap registers. We remap the HDP flush registers into this\\nspace to allow userspace (CPU or GPU) to flush the HDP when it\\nupdates VRAM. However, on systems with >4K pages, we end up\\nexposing PAGE_SIZE of MMIO space.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41011\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41012", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41012" + }, + { + "url": "https://git.kernel.org/stable/c/3cad1bc010416c6dd780643476bc59ed742436b9" + }, + { + "url": "https://git.kernel.org/stable/c/52c87ab18c76c14d7209646ccb3283b3f5d87b22" + }, + { + "url": "https://git.kernel.org/stable/c/5661b9c7ec189406c2dde00837aaa4672efb6240" + }, + { + "url": "https://git.kernel.org/stable/c/5f5d0799eb0a01d550c21b7894e26b2d9db55763" + }, + { + "url": "https://git.kernel.org/stable/c/b6d223942c34057fdfd8f149e763fa823731b224" + }, + { + "url": "https://git.kernel.org/stable/c/d30ff33040834c3b9eee29740acd92f9c7ba2250" + }, + { + "url": "https://git.kernel.org/stable/c/dc2ce1dfceaa0767211a9d963ddb029ab21c4235" + }, + { + "url": "https://git.kernel.org/stable/c/ef8fc41cd6f95f9a4a3470f085aecf350569a0b3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41012 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41012", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Remove locks reliably when fcntl/close race is detected\n\nWhen fcntl_setlk() races with close(), it removes the created lock with\ndo_lock_file_wait().\nHowever, LSMs can allow the first do_lock_file_wait() that created the lock\nwhile denying the second do_lock_file_wait() that tries to remove the lock.\nSeparately, posix_lock_file() could also fail to\nremove a lock due to GFP_KERNEL allocation failure (when splitting a range\nin the middle).\n\nAfter the bug has been triggered, use-after-free reads will occur in\nlock_get_status() when userspace reads /proc/locks. This can likely be used\nto read arbitrary kernel memory, but can't corrupt kernel memory.\n\nFix it by calling locks_remove_posix() instead, which is designed to\nreliably get rid of POSIX locks associated with the given file and\nfiles_struct and is also used by filp_flush().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41012\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41012\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41012\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41012\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41012\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3cad1bc010416c6dd780643476bc59ed742436b9\",\n \"https://git.kernel.org/stable/c/52c87ab18c76c14d7209646ccb3283b3f5d87b22\",\n \"https://git.kernel.org/stable/c/5661b9c7ec189406c2dde00837aaa4672efb6240\",\n \"https://git.kernel.org/stable/c/5f5d0799eb0a01d550c21b7894e26b2d9db55763\",\n \"https://git.kernel.org/stable/c/b6d223942c34057fdfd8f149e763fa823731b224\",\n \"https://git.kernel.org/stable/c/d30ff33040834c3b9eee29740acd92f9c7ba2250\",\n \"https://git.kernel.org/stable/c/dc2ce1dfceaa0767211a9d963ddb029ab21c4235\",\n \"https://git.kernel.org/stable/c/ef8fc41cd6f95f9a4a3470f085aecf350569a0b3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfilelock: Remove locks reliably when fcntl/close race is detected\\n\\nWhen fcntl_setlk() races with close(), it removes the created lock with\\ndo_lock_file_wait().\\nHowever, LSMs can allow the first do_lock_file_wait() that created the lock\\nwhile denying the second do_lock_file_wait() that tries to remove the lock.\\nSeparately, posix_lock_file() could also fail to\\nremove a lock due to GFP_KERNEL allocation failure (when splitting a range\\nin the middle).\\n\\nAfter the bug has been triggered, use-after-free reads will occur in\\nlock_get_status() when userspace reads /proc/locks. This can likely be used\\nto read arbitrary kernel memory, but can't corrupt kernel memory.\\n\\nFix it by calling locks_remove_posix() instead, which is designed to\\nreliably get rid of POSIX locks associated with the given file and\\nfiles_struct and is also used by filp_flush().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41012\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41013", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41013" + }, + { + "url": "https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41013 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41013", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: don't walk off the end of a directory data block\n\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\nto make sure don't stray beyond valid memory region. Before patching, the\nloop simply checks that the start offset of the dup and dep is within the\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\ncan change dup->length to dup->length-1 and leave 1 byte of space. In the\nnext traversal, this space will be considered as dup or dep. We may\nencounter an out of bound read when accessing the fixed members.\n\nIn the patch, we make sure that the remaining bytes large enough to hold\nan unused entry before accessing xfs_dir2_data_unused and\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\nsure that the remaining bytes large enough to hold a dirent with a\nsingle-byte name before accessing xfs_dir2_data_entry.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41013\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41013\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41013\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41013\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41013\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfs: don't walk off the end of a directory data block\\n\\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\\nto make sure don't stray beyond valid memory region. Before patching, the\\nloop simply checks that the start offset of the dup and dep is within the\\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\\ncan change dup->length to dup->length-1 and leave 1 byte of space. In the\\nnext traversal, this space will be considered as dup or dep. We may\\nencounter an out of bound read when accessing the fixed members.\\n\\nIn the patch, we make sure that the remaining bytes large enough to hold\\nan unused entry before accessing xfs_dir2_data_unused and\\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\\nsure that the remaining bytes large enough to hold a dirent with a\\nsingle-byte name before accessing xfs_dir2_data_entry.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41013\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41014", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41014" + }, + { + "url": "https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41014 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41014", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: add bounds checking to xlog_recover_process_data\n\nThere is a lack of verification of the space occupied by fixed members\nof xlog_op_header in the xlog_recover_process_data.\n\nWe can create a crafted image to trigger an out of bounds read by\nfollowing these steps:\n 1) Mount an image of xfs, and do some file operations to leave records\n 2) Before umounting, copy the image for subsequent steps to simulate\n abnormal exit. Because umount will ensure that tail_blk and\n head_blk are the same, which will result in the inability to enter\n xlog_recover_process_data\n 3) Write a tool to parse and modify the copied image in step 2\n 4) Make the end of the xlog_op_header entries only 1 byte away from\n xlog_rec_header->h_size\n 5) xlog_rec_header->h_num_logops++\n 6) Modify xlog_rec_header->h_crc\n\nFix:\nAdd a check to make sure there is sufficient space to access fixed members\nof xlog_op_header.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41014\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41014\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41014\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41014\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41014\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfs: add bounds checking to xlog_recover_process_data\\n\\nThere is a lack of verification of the space occupied by fixed members\\nof xlog_op_header in the xlog_recover_process_data.\\n\\nWe can create a crafted image to trigger an out of bounds read by\\nfollowing these steps:\\n 1) Mount an image of xfs, and do some file operations to leave records\\n 2) Before umounting, copy the image for subsequent steps to simulate\\n abnormal exit. Because umount will ensure that tail_blk and\\n head_blk are the same, which will result in the inability to enter\\n xlog_recover_process_data\\n 3) Write a tool to parse and modify the copied image in step 2\\n 4) Make the end of the xlog_op_header entries only 1 byte away from\\n xlog_rec_header->h_size\\n 5) xlog_rec_header->h_num_logops++\\n 6) Modify xlog_rec_header->h_crc\\n\\nFix:\\nAdd a check to make sure there is sufficient space to access fixed members\\nof xlog_op_header.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41014\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41015", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41015" + }, + { + "url": "https://git.kernel.org/stable/c/13d38c00df97289e6fba2e54193959293fd910d2" + }, + { + "url": "https://git.kernel.org/stable/c/255547c6bb8940a97eea94ef9d464ea5967763fb" + }, + { + "url": "https://git.kernel.org/stable/c/53de17ad01cb5f6f8426f597e9d5c87d4cf53bb7" + }, + { + "url": "https://git.kernel.org/stable/c/564d23cc5b216211e1694d53f7e45959396874d0" + }, + { + "url": "https://git.kernel.org/stable/c/624b380074f0dc209fb8706db3295c735079f34c" + }, + { + "url": "https://git.kernel.org/stable/c/77495e5da5cb110a8fed27b052c77853fe282176" + }, + { + "url": "https://git.kernel.org/stable/c/e05a24289db90f76ff606086aadd62d068a88dcd" + }, + { + "url": "https://git.kernel.org/stable/c/edb2e67dd4626b06fd7eb37252d5067912e78d59" + }, + { + "url": "https://git.kernel.org/stable/c/fd65685594ee707cbf3ddf22ebb73697786ac114" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41015 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41015", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: add bounds checking to ocfs2_check_dir_entry()\n\nThis adds sanity checks for ocfs2_dir_entry to make sure all members of\nocfs2_dir_entry don't stray beyond valid memory region.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41015\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41015\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41015\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41015\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41015\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13d38c00df97289e6fba2e54193959293fd910d2\",\n \"https://git.kernel.org/stable/c/255547c6bb8940a97eea94ef9d464ea5967763fb\",\n \"https://git.kernel.org/stable/c/53de17ad01cb5f6f8426f597e9d5c87d4cf53bb7\",\n \"https://git.kernel.org/stable/c/564d23cc5b216211e1694d53f7e45959396874d0\",\n \"https://git.kernel.org/stable/c/624b380074f0dc209fb8706db3295c735079f34c\",\n \"https://git.kernel.org/stable/c/77495e5da5cb110a8fed27b052c77853fe282176\",\n \"https://git.kernel.org/stable/c/e05a24289db90f76ff606086aadd62d068a88dcd\",\n \"https://git.kernel.org/stable/c/edb2e67dd4626b06fd7eb37252d5067912e78d59\",\n \"https://git.kernel.org/stable/c/fd65685594ee707cbf3ddf22ebb73697786ac114\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: add bounds checking to ocfs2_check_dir_entry()\\n\\nThis adds sanity checks for ocfs2_dir_entry to make sure all members of\\nocfs2_dir_entry don't stray beyond valid memory region.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41015\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41016", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41016" + }, + { + "url": "https://git.kernel.org/stable/c/af77c4fc1871847b528d58b7fdafb4aa1f6a9262" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41016 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41016", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()\n\nxattr in ocfs2 maybe 'non-indexed', which saved with additional space\nrequested. It's better to check if the memory is out of bound before\nmemcmp, although this possibility mainly comes from crafted poisonous\nimages.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41016\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41016\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41016\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41016\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41016\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/af77c4fc1871847b528d58b7fdafb4aa1f6a9262\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()\\n\\nxattr in ocfs2 maybe 'non-indexed', which saved with additional space\\nrequested. It's better to check if the memory is out of bound before\\nmemcmp, although this possibility mainly comes from crafted poisonous\\nimages.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41016\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41017", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41017" + }, + { + "url": "https://git.kernel.org/stable/c/17440dbc66ab98b410514b04987f61deedb86751" + }, + { + "url": "https://git.kernel.org/stable/c/4e034f7e563ab723b93a59980e4a1bb33198ece8" + }, + { + "url": "https://git.kernel.org/stable/c/6386f1b6a10e5d1ddd03db4ff6dfc55d488852ce" + }, + { + "url": "https://git.kernel.org/stable/c/7e21574195a45fc193555fa40e99fed16565ff7e" + }, + { + "url": "https://git.kernel.org/stable/c/7f91bd0f2941fa36449ce1a15faaa64f840d9746" + }, + { + "url": "https://git.kernel.org/stable/c/d0fa70aca54c8643248e89061da23752506ec0d4" + }, + { + "url": "https://git.kernel.org/stable/c/dbde7bc91093fa9c2410e418b236b70fde044b73" + }, + { + "url": "https://git.kernel.org/stable/c/f4435f476b9bf059cd9e26a69f5b29c768d00375" + }, + { + "url": "https://git.kernel.org/stable/c/fc16776a82e8df97b6c4f9a10ba95aa44cef7ba5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41017 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41017", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: don't walk off the end of ealist\n\nAdd a check before visiting the members of ea to\nmake sure each ea stays within the ealist.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41017\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41017\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41017\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41017\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41017\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17440dbc66ab98b410514b04987f61deedb86751\",\n \"https://git.kernel.org/stable/c/4e034f7e563ab723b93a59980e4a1bb33198ece8\",\n \"https://git.kernel.org/stable/c/6386f1b6a10e5d1ddd03db4ff6dfc55d488852ce\",\n \"https://git.kernel.org/stable/c/7e21574195a45fc193555fa40e99fed16565ff7e\",\n \"https://git.kernel.org/stable/c/7f91bd0f2941fa36449ce1a15faaa64f840d9746\",\n \"https://git.kernel.org/stable/c/d0fa70aca54c8643248e89061da23752506ec0d4\",\n \"https://git.kernel.org/stable/c/dbde7bc91093fa9c2410e418b236b70fde044b73\",\n \"https://git.kernel.org/stable/c/f4435f476b9bf059cd9e26a69f5b29c768d00375\",\n \"https://git.kernel.org/stable/c/fc16776a82e8df97b6c4f9a10ba95aa44cef7ba5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: don't walk off the end of ealist\\n\\nAdd a check before visiting the members of ea to\\nmake sure each ea stays within the ealist.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41017\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41019", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41019" + }, + { + "url": "https://git.kernel.org/stable/c/35652dfa8cc9a8a900ec0f1e0395781f94ffc5f0" + }, + { + "url": "https://git.kernel.org/stable/c/50c47879650b4c97836a0086632b3a2e300b0f06" + }, + { + "url": "https://git.kernel.org/stable/c/617cf144c206f98978ec730b17159344fd147cb4" + }, + { + "url": "https://git.kernel.org/stable/c/6ae7265a7b816879fd0203e83b5030d3720bbb7a" + }, + { + "url": "https://git.kernel.org/stable/c/818a257428644b8873e79c44404d8fb6598d4440" + }, + { + "url": "https://git.kernel.org/stable/c/82c94e6a7bd116724738aa67eba6f5fedf3a3319" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41019 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41019", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate ff offset\n\nThis adds sanity checks for ff offset. There is a check\non rt->first_free at first, but walking through by ff\nwithout any check. If the second ff is a large offset.\nWe may encounter an out-of-bound read.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41019\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41019\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41019\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41019\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41019\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/35652dfa8cc9a8a900ec0f1e0395781f94ffc5f0\",\n \"https://git.kernel.org/stable/c/50c47879650b4c97836a0086632b3a2e300b0f06\",\n \"https://git.kernel.org/stable/c/617cf144c206f98978ec730b17159344fd147cb4\",\n \"https://git.kernel.org/stable/c/6ae7265a7b816879fd0203e83b5030d3720bbb7a\",\n \"https://git.kernel.org/stable/c/818a257428644b8873e79c44404d8fb6598d4440\",\n \"https://git.kernel.org/stable/c/82c94e6a7bd116724738aa67eba6f5fedf3a3319\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Validate ff offset\\n\\nThis adds sanity checks for ff offset. There is a check\\non rt->first_free at first, but walking through by ff\\nwithout any check. If the second ff is a large offset.\\nWe may encounter an out-of-bound read.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41019\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41020", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41020" + }, + { + "url": "https://git.kernel.org/stable/c/4c43ad4ab41602201d34c66ac62130fe339d686f" + }, + { + "url": "https://git.kernel.org/stable/c/53e21cfa68a7d12de378b7116c75571f73e0dfa2" + }, + { + "url": "https://git.kernel.org/stable/c/5b0af8e4c70e4b884bb94ff5f0cd49ecf1273c02" + }, + { + "url": "https://git.kernel.org/stable/c/73ae349534ebc377328e7d21891e589626c6e82c" + }, + { + "url": "https://git.kernel.org/stable/c/911cc83e56a2de5a40758766c6a70d6998248860" + }, + { + "url": "https://git.kernel.org/stable/c/a561145f3ae973ebf3e0aee41624e92a6c5cb38d" + }, + { + "url": "https://git.kernel.org/stable/c/ed898f9ca3fa32c56c858b463ceb9d9936cc69c4" + }, + { + "url": "https://git.kernel.org/stable/c/f4d0775c6e2f1340ca0725f0337de149aaa989ca" + }, + { + "url": "https://git.kernel.org/stable/c/f8138f2ad2f745b9a1c696a05b749eabe44337ea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41020 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41020", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Fix fcntl/close race recovery compat path\n\nWhen I wrote commit 3cad1bc01041 (\"filelock: Remove locks reliably when\nfcntl/close race is detected\"), I missed that there are two copies of the\ncode I was patching: The normal version, and the version for 64-bit offsets\non 32-bit kernels.\nThanks to Greg KH for stumbling over this while doing the stable\nbackport...\n\nApply exactly the same fix to the compat path for 32-bit kernels.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41020\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41020\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41020\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41020\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41020\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c43ad4ab41602201d34c66ac62130fe339d686f\",\n \"https://git.kernel.org/stable/c/53e21cfa68a7d12de378b7116c75571f73e0dfa2\",\n \"https://git.kernel.org/stable/c/5b0af8e4c70e4b884bb94ff5f0cd49ecf1273c02\",\n \"https://git.kernel.org/stable/c/73ae349534ebc377328e7d21891e589626c6e82c\",\n \"https://git.kernel.org/stable/c/911cc83e56a2de5a40758766c6a70d6998248860\",\n \"https://git.kernel.org/stable/c/a561145f3ae973ebf3e0aee41624e92a6c5cb38d\",\n \"https://git.kernel.org/stable/c/ed898f9ca3fa32c56c858b463ceb9d9936cc69c4\",\n \"https://git.kernel.org/stable/c/f4d0775c6e2f1340ca0725f0337de149aaa989ca\",\n \"https://git.kernel.org/stable/c/f8138f2ad2f745b9a1c696a05b749eabe44337ea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfilelock: Fix fcntl/close race recovery compat path\\n\\nWhen I wrote commit 3cad1bc01041 (\\\"filelock: Remove locks reliably when\\nfcntl/close race is detected\\\"), I missed that there are two copies of the\\ncode I was patching: The normal version, and the version for 64-bit offsets\\non 32-bit kernels.\\nThanks to Greg KH for stumbling over this while doing the stable\\nbackport...\\n\\nApply exactly the same fix to the compat path for 32-bit kernels.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41020\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41022", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41022" + }, + { + "url": "https://git.kernel.org/stable/c/298e2ce222e712ffafa47288c5b2fcf33d72fda3" + }, + { + "url": "https://git.kernel.org/stable/c/3dd9734878a9042f0358301d19a2b006a0fc4d06" + }, + { + "url": "https://git.kernel.org/stable/c/4edb0a84e6b32e75dc9bd6dd085b2c2ff19ec287" + }, + { + "url": "https://git.kernel.org/stable/c/544fa213f15d27f0370795845d55eeb3e00080d2" + }, + { + "url": "https://git.kernel.org/stable/c/6769a23697f17f9bf9365ca8ed62fe37e361a05a" + }, + { + "url": "https://git.kernel.org/stable/c/a5224e2123ce21102f346f518db80f004d5053a7" + }, + { + "url": "https://git.kernel.org/stable/c/d347c9a398bf7eab9408d207c0a50fb720f9de7d" + }, + { + "url": "https://git.kernel.org/stable/c/e8dfbf83a82bbfb9680921719fbe65e535af59ea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41022 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41022", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()\n\nThe \"instance\" variable needs to be signed for the error handling to work.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41022\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41022\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41022\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41022\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41022\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/298e2ce222e712ffafa47288c5b2fcf33d72fda3\",\n \"https://git.kernel.org/stable/c/3dd9734878a9042f0358301d19a2b006a0fc4d06\",\n \"https://git.kernel.org/stable/c/4edb0a84e6b32e75dc9bd6dd085b2c2ff19ec287\",\n \"https://git.kernel.org/stable/c/544fa213f15d27f0370795845d55eeb3e00080d2\",\n \"https://git.kernel.org/stable/c/6769a23697f17f9bf9365ca8ed62fe37e361a05a\",\n \"https://git.kernel.org/stable/c/a5224e2123ce21102f346f518db80f004d5053a7\",\n \"https://git.kernel.org/stable/c/d347c9a398bf7eab9408d207c0a50fb720f9de7d\",\n \"https://git.kernel.org/stable/c/e8dfbf83a82bbfb9680921719fbe65e535af59ea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()\\n\\nThe \\\"instance\\\" variable needs to be signed for the error handling to work.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41022\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41023", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41023" + }, + { + "url": "https://git.kernel.org/stable/c/7a54d31face626f62de415ebe77b43f76c3ffaf4" + }, + { + "url": "https://git.kernel.org/stable/c/b58652db66c910c2245f5bee7deca41c12d707b9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41023 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41023", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix task_struct reference leak\n\nDuring the execution of the following stress test with linux-rt:\n\nstress-ng --cyclic 30 --timeout 30 --minimize --quiet\n\nkmemleak frequently reported a memory leak concerning the task_struct:\n\nunreferenced object 0xffff8881305b8000 (size 16136):\n comm \"stress-ng\", pid 614, jiffies 4294883961 (age 286.412s)\n object hex dump (first 32 bytes):\n 02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .@..............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n debug hex dump (first 16 bytes):\n 53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S...............\n backtrace:\n [<00000000046b6790>] dup_task_struct+0x30/0x540\n [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0\n [<00000000ced59777>] kernel_clone+0xb0/0x770\n [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0\n [<000000001dbf2008>] do_syscall_64+0x5d/0xf0\n [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThe issue occurs in start_dl_timer(), which increments the task_struct\nreference count and sets a timer. The timer callback, dl_task_timer,\nis supposed to decrement the reference count upon expiration. However,\nif enqueue_task_dl() is called before the timer expires and cancels it,\nthe reference count is not decremented, leading to the leak.\n\nThis patch fixes the reference leak by ensuring the task_struct\nreference count is properly decremented when the timer is canceled.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41023\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41023\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41023\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41023\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41023\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7a54d31face626f62de415ebe77b43f76c3ffaf4\",\n \"https://git.kernel.org/stable/c/b58652db66c910c2245f5bee7deca41c12d707b9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/deadline: Fix task_struct reference leak\\n\\nDuring the execution of the following stress test with linux-rt:\\n\\nstress-ng --cyclic 30 --timeout 30 --minimize --quiet\\n\\nkmemleak frequently reported a memory leak concerning the task_struct:\\n\\nunreferenced object 0xffff8881305b8000 (size 16136):\\n comm \\\"stress-ng\\\", pid 614, jiffies 4294883961 (age 286.412s)\\n object hex dump (first 32 bytes):\\n 02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .@..............\\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\\n debug hex dump (first 16 bytes):\\n 53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S...............\\n backtrace:\\n [<00000000046b6790>] dup_task_struct+0x30/0x540\\n [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0\\n [<00000000ced59777>] kernel_clone+0xb0/0x770\\n [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0\\n [<000000001dbf2008>] do_syscall_64+0x5d/0xf0\\n [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n\\nThe issue occurs in start_dl_timer(), which increments the task_struct\\nreference count and sets a timer. The timer callback, dl_task_timer,\\nis supposed to decrement the reference count upon expiration. However,\\nif enqueue_task_dl() is called before the timer expires and cancels it,\\nthe reference count is not decremented, leading to the leak.\\n\\nThis patch fixes the reference leak by ensuring the task_struct\\nreference count is properly decremented when the timer is canceled.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41023\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41027", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41027" + }, + { + "url": "https://git.kernel.org/stable/c/14875fd5f9bcf60ac5518c63bfb676ade44aa7c6" + }, + { + "url": "https://git.kernel.org/stable/c/1723f04caacb32cadc4e063725d836a0c4450694" + }, + { + "url": "https://git.kernel.org/stable/c/519547760f16eae7803d2658d9524bc5ba7a20a7" + }, + { + "url": "https://git.kernel.org/stable/c/8111f902b7c95d75fc80c7e577f5045886c6b384" + }, + { + "url": "https://git.kernel.org/stable/c/cd94cac4069a763ab5206be2c64c9a8beae590ba" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41027 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41027", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix userfaultfd_api to return EINVAL as expected\n\nCurrently if we request a feature that is not set in the Kernel config we\nfail silently and return all the available features. However, the man\npage indicates we should return an EINVAL.\n\nWe need to fix this issue since we can end up with a Kernel warning should\na program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with\nthe config not set with this feature.\n\n [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660\n [ 200.820738] Modules linked in:\n [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8\n [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022\n [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41027\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41027\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41027\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41027\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41027\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/14875fd5f9bcf60ac5518c63bfb676ade44aa7c6\",\n \"https://git.kernel.org/stable/c/1723f04caacb32cadc4e063725d836a0c4450694\",\n \"https://git.kernel.org/stable/c/519547760f16eae7803d2658d9524bc5ba7a20a7\",\n \"https://git.kernel.org/stable/c/8111f902b7c95d75fc80c7e577f5045886c6b384\",\n \"https://git.kernel.org/stable/c/cd94cac4069a763ab5206be2c64c9a8beae590ba\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nFix userfaultfd_api to return EINVAL as expected\\n\\nCurrently if we request a feature that is not set in the Kernel config we\\nfail silently and return all the available features. However, the man\\npage indicates we should return an EINVAL.\\n\\nWe need to fix this issue since we can end up with a Kernel warning should\\na program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with\\nthe config not set with this feature.\\n\\n [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660\\n [ 200.820738] Modules linked in:\\n [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8\\n [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022\\n [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41027\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41030", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41030" + }, + { + "url": "https://git.kernel.org/stable/c/198498b2049c0f11f7670be6974570e02b0cc035" + }, + { + "url": "https://git.kernel.org/stable/c/66cf853e1c7a2407f15d9f7aaa3e47d61745e361" + }, + { + "url": "https://git.kernel.org/stable/c/9e84b1ba5c98fb5c9f869c85db1d870354613baa" + }, + { + "url": "https://git.kernel.org/stable/c/e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41030 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41030", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: discard write access to the directory open\n\nmay_open() does not allow a directory to be opened with the write access.\nHowever, some writing flags set by client result in adding write access\non server, making ksmbd incompatible with FUSE file system. Simply, let's\ndiscard the write access when opening a directory.\n\nlist_add corruption. next is NULL.\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:26!\npc : __list_add_valid+0x88/0xbc\nlr : __list_add_valid+0x88/0xbc\nCall trace:\n__list_add_valid+0x88/0xbc\nfuse_finish_open+0x11c/0x170\nfuse_open_common+0x284/0x5e8\nfuse_dir_open+0x14/0x24\ndo_dentry_open+0x2a4/0x4e0\ndentry_open+0x50/0x80\nsmb2_open+0xbe4/0x15a4\nhandle_ksmbd_work+0x478/0x5ec\nprocess_one_work+0x1b4/0x448\nworker_thread+0x25c/0x430\nkthread+0x104/0x1d4\nret_from_fork+0x10/0x20", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41030\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41030\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41030\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41030\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41030\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/198498b2049c0f11f7670be6974570e02b0cc035\",\n \"https://git.kernel.org/stable/c/66cf853e1c7a2407f15d9f7aaa3e47d61745e361\",\n \"https://git.kernel.org/stable/c/9e84b1ba5c98fb5c9f869c85db1d870354613baa\",\n \"https://git.kernel.org/stable/c/e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nksmbd: discard write access to the directory open\\n\\nmay_open() does not allow a directory to be opened with the write access.\\nHowever, some writing flags set by client result in adding write access\\non server, making ksmbd incompatible with FUSE file system. Simply, let's\\ndiscard the write access when opening a directory.\\n\\nlist_add corruption. next is NULL.\\n------------[ cut here ]------------\\nkernel BUG at lib/list_debug.c:26!\\npc : __list_add_valid+0x88/0xbc\\nlr : __list_add_valid+0x88/0xbc\\nCall trace:\\n__list_add_valid+0x88/0xbc\\nfuse_finish_open+0x11c/0x170\\nfuse_open_common+0x284/0x5e8\\nfuse_dir_open+0x14/0x24\\ndo_dentry_open+0x2a4/0x4e0\\ndentry_open+0x50/0x80\\nsmb2_open+0xbe4/0x15a4\\nhandle_ksmbd_work+0x478/0x5ec\\nprocess_one_work+0x1b4/0x448\\nworker_thread+0x25c/0x430\\nkthread+0x104/0x1d4\\nret_from_fork+0x10/0x20\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41030\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41031", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41031" + }, + { + "url": "https://git.kernel.org/stable/c/06b5a69c27ec405a3c3f2da8520ff1ee70b94a21" + }, + { + "url": "https://git.kernel.org/stable/c/1ef650d3b1b2a16473981b447f38705fe9b93972" + }, + { + "url": "https://git.kernel.org/stable/c/3390916aca7af1893ed2ebcdfee1d6fdb65bb058" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41031 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41031", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: skip to create PMD-sized page cache if needed\n\nOn ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The\nPMD-sized page cache can't be supported by xarray as the following error\nmessages indicate.\n\n------------[ cut here ]------------\nWARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \\\nfuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\nsha1_ce virtio_net net_failover virtio_console virtio_blk failover \\\ndimlib virtio_mmio\nCPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : xas_split_alloc+0xf8/0x128\nlr : split_huge_page_to_list_to_order+0x1c4/0x720\nsp : ffff800087a4f6c0\nx29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff\nx26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858\nx23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000\nx20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000\nx17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000\nx14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020\nx11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28\nx8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8\nx5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40\nx2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\nCall trace:\n xas_split_alloc+0xf8/0x128\n split_huge_page_to_list_to_order+0x1c4/0x720\n truncate_inode_partial_folio+0xdc/0x160\n truncate_inode_pages_range+0x1b4/0x4a8\n truncate_pagecache_range+0x84/0xa0\n xfs_flush_unmap_range+0x70/0x90 [xfs]\n xfs_file_fallocate+0xfc/0x4d8 [xfs]\n vfs_fallocate+0x124/0x2e8\n ksys_fallocate+0x4c/0xa0\n __arm64_sys_fallocate+0x24/0x38\n invoke_syscall.constprop.0+0x7c/0xd8\n do_el0_svc+0xb4/0xd0\n el0_svc+0x44/0x1d8\n el0t_64_sync_handler+0x134/0x150\n el0t_64_sync+0x17c/0x180\n\nFix it by skipping to allocate PMD-sized page cache when its size is\nlarger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to\nregular path where the readahead window is determined by BDI's sysfs file\n(read_ahead_kb).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41031\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41031\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41031\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41031\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41031\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06b5a69c27ec405a3c3f2da8520ff1ee70b94a21\",\n \"https://git.kernel.org/stable/c/1ef650d3b1b2a16473981b447f38705fe9b93972\",\n \"https://git.kernel.org/stable/c/3390916aca7af1893ed2ebcdfee1d6fdb65bb058\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/filemap: skip to create PMD-sized page cache if needed\\n\\nOn ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The\\nPMD-sized page cache can't be supported by xarray as the following error\\nmessages indicate.\\n\\n------------[ cut here ]------------\\nWARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\\\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\\\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\\\\nip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \\\\\\nfuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\\\\nsha1_ce virtio_net net_failover virtio_console virtio_blk failover \\\\\\ndimlib virtio_mmio\\nCPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9\\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\\npc : xas_split_alloc+0xf8/0x128\\nlr : split_huge_page_to_list_to_order+0x1c4/0x720\\nsp : ffff800087a4f6c0\\nx29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff\\nx26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858\\nx23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000\\nx20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000\\nx17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000\\nx14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020\\nx11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28\\nx8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8\\nx5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40\\nx2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\\nCall trace:\\n xas_split_alloc+0xf8/0x128\\n split_huge_page_to_list_to_order+0x1c4/0x720\\n truncate_inode_partial_folio+0xdc/0x160\\n truncate_inode_pages_range+0x1b4/0x4a8\\n truncate_pagecache_range+0x84/0xa0\\n xfs_flush_unmap_range+0x70/0x90 [xfs]\\n xfs_file_fallocate+0xfc/0x4d8 [xfs]\\n vfs_fallocate+0x124/0x2e8\\n ksys_fallocate+0x4c/0xa0\\n __arm64_sys_fallocate+0x24/0x38\\n invoke_syscall.constprop.0+0x7c/0xd8\\n do_el0_svc+0xb4/0xd0\\n el0_svc+0x44/0x1d8\\n el0t_64_sync_handler+0x134/0x150\\n el0t_64_sync+0x17c/0x180\\n\\nFix it by skipping to allocate PMD-sized page cache when its size is\\nlarger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to\\nregular path where the readahead window is determined by BDI's sysfs file\\n(read_ahead_kb).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41031\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41034", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41034" + }, + { + "url": "https://git.kernel.org/stable/c/1a8879c0771a68d70ee2e5e66eea34207e8c6231" + }, + { + "url": "https://git.kernel.org/stable/c/24c1c8566a9b6be51f5347be2ea76e25fc82b11e" + }, + { + "url": "https://git.kernel.org/stable/c/298cd810d7fb687c90a14d8f9fd1b8719a7cb8a5" + }, + { + "url": "https://git.kernel.org/stable/c/60f61514374e4a0c3b65b08c6024dd7e26150bfd" + }, + { + "url": "https://git.kernel.org/stable/c/7000b438dda9d0f41a956fc9bffed92d2eb6be0d" + }, + { + "url": "https://git.kernel.org/stable/c/a9a466a69b85059b341239766a10efdd3ee68a4b" + }, + { + "url": "https://git.kernel.org/stable/c/a9e1ddc09ca55746079cc479aa3eb6411f0d99d4" + }, + { + "url": "https://git.kernel.org/stable/c/ff9767ba2cb949701e45e6e4287f8af82986b703" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41034 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41034", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix kernel bug on rename operation of broken directory\n\nSyzbot reported that in rename directory operation on broken directory on\nnilfs2, __block_write_begin_int() called to prepare block write may fail\nBUG_ON check for access exceeding the folio/page size.\n\nThis is because nilfs_dotdot(), which gets parent directory reference\nentry (\"..\") of the directory to be moved or renamed, does not check\nconsistency enough, and may return location exceeding folio/page size for\nbroken directories.\n\nFix this issue by checking required directory entries (\".\" and \"..\") in\nthe first chunk of the directory in nilfs_dotdot().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41034\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41034\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41034\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41034\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41034\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a8879c0771a68d70ee2e5e66eea34207e8c6231\",\n \"https://git.kernel.org/stable/c/24c1c8566a9b6be51f5347be2ea76e25fc82b11e\",\n \"https://git.kernel.org/stable/c/298cd810d7fb687c90a14d8f9fd1b8719a7cb8a5\",\n \"https://git.kernel.org/stable/c/60f61514374e4a0c3b65b08c6024dd7e26150bfd\",\n \"https://git.kernel.org/stable/c/7000b438dda9d0f41a956fc9bffed92d2eb6be0d\",\n \"https://git.kernel.org/stable/c/a9a466a69b85059b341239766a10efdd3ee68a4b\",\n \"https://git.kernel.org/stable/c/a9e1ddc09ca55746079cc479aa3eb6411f0d99d4\",\n \"https://git.kernel.org/stable/c/ff9767ba2cb949701e45e6e4287f8af82986b703\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix kernel bug on rename operation of broken directory\\n\\nSyzbot reported that in rename directory operation on broken directory on\\nnilfs2, __block_write_begin_int() called to prepare block write may fail\\nBUG_ON check for access exceeding the folio/page size.\\n\\nThis is because nilfs_dotdot(), which gets parent directory reference\\nentry (\\\"..\\\") of the directory to be moved or renamed, does not check\\nconsistency enough, and may return location exceeding folio/page size for\\nbroken directories.\\n\\nFix this issue by checking required directory entries (\\\".\\\" and \\\"..\\\") in\\nthe first chunk of the directory in nilfs_dotdot().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41034\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41035", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41035" + }, + { + "url": "https://git.kernel.org/stable/c/2bd8534a1b83c65702aec3cab164170f8e584188" + }, + { + "url": "https://git.kernel.org/stable/c/37514a5c1251a8c5c95c323f55050736e7069ac7" + }, + { + "url": "https://git.kernel.org/stable/c/60abea505b726b38232a0ef410d2bd1994a77f78" + }, + { + "url": "https://git.kernel.org/stable/c/647d61aef106dbed9c70447bcddbd4968e67ca64" + }, + { + "url": "https://git.kernel.org/stable/c/9edcf317620d7c6a8354911b69b874cf89716646" + }, + { + "url": "https://git.kernel.org/stable/c/a368ecde8a5055b627749b09c6218ef793043e47" + }, + { + "url": "https://git.kernel.org/stable/c/d09dd21bb5215d583ca9a1cb1464dbc77a7e88cf" + }, + { + "url": "https://git.kernel.org/stable/c/d8418fd083d1b90a6c007cf8dcf81aeae274727b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41035 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41035", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor\n\nSyzbot has identified a bug in usbcore (see the Closes: tag below)\ncaused by our assumption that the reserved bits in an endpoint\ndescriptor's bEndpointAddress field will always be 0. As a result of\nthe bug, the endpoint_is_duplicate() routine in config.c (and possibly\nother routines as well) may believe that two descriptors are for\ndistinct endpoints, even though they have the same direction and\nendpoint number. This can lead to confusion, including the bug\nidentified by syzbot (two descriptors with matching endpoint numbers\nand directions, where one was interrupt and the other was bulk).\n\nTo fix the bug, we will clear the reserved bits in bEndpointAddress\nwhen we parse the descriptor. (Note that both the USB-2.0 and USB-3.1\nspecs say these bits are \"Reserved, reset to zero\".) This requires us\nto make a copy of the descriptor earlier in usb_parse_endpoint() and\nuse the copy instead of the original when checking for duplicates.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41035\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41035\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41035\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41035\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41035\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2bd8534a1b83c65702aec3cab164170f8e584188\",\n \"https://git.kernel.org/stable/c/37514a5c1251a8c5c95c323f55050736e7069ac7\",\n \"https://git.kernel.org/stable/c/60abea505b726b38232a0ef410d2bd1994a77f78\",\n \"https://git.kernel.org/stable/c/647d61aef106dbed9c70447bcddbd4968e67ca64\",\n \"https://git.kernel.org/stable/c/9edcf317620d7c6a8354911b69b874cf89716646\",\n \"https://git.kernel.org/stable/c/a368ecde8a5055b627749b09c6218ef793043e47\",\n \"https://git.kernel.org/stable/c/d09dd21bb5215d583ca9a1cb1464dbc77a7e88cf\",\n \"https://git.kernel.org/stable/c/d8418fd083d1b90a6c007cf8dcf81aeae274727b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor\\n\\nSyzbot has identified a bug in usbcore (see the Closes: tag below)\\ncaused by our assumption that the reserved bits in an endpoint\\ndescriptor's bEndpointAddress field will always be 0. As a result of\\nthe bug, the endpoint_is_duplicate() routine in config.c (and possibly\\nother routines as well) may believe that two descriptors are for\\ndistinct endpoints, even though they have the same direction and\\nendpoint number. This can lead to confusion, including the bug\\nidentified by syzbot (two descriptors with matching endpoint numbers\\nand directions, where one was interrupt and the other was bulk).\\n\\nTo fix the bug, we will clear the reserved bits in bEndpointAddress\\nwhen we parse the descriptor. (Note that both the USB-2.0 and USB-3.1\\nspecs say these bits are \\\"Reserved, reset to zero\\\".) This requires us\\nto make a copy of the descriptor earlier in usb_parse_endpoint() and\\nuse the copy instead of the original when checking for duplicates.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41035\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41036", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41036" + }, + { + "url": "https://git.kernel.org/stable/c/0913ec336a6c0c4a2b296bd9f74f8e41c4c83c8c" + }, + { + "url": "https://git.kernel.org/stable/c/10fec0cd0e8f56ff06c46bb24254c7d8f8f2bbf0" + }, + { + "url": "https://git.kernel.org/stable/c/80ece00137300d74642f2038c8fe5440deaf9f05" + }, + { + "url": "https://git.kernel.org/stable/c/a0c69c492f4a8fad52f0a97565241c926160c9a4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41036 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41036", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Fix deadlock with the SPI chip variant\n\nWhen SMP is enabled and spinlocks are actually functional then there is\na deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi\nand ks8851_irq:\n\n watchdog: BUG: soft lockup - CPU#0 stuck for 27s!\n call trace:\n queued_spin_lock_slowpath+0x100/0x284\n do_raw_spin_lock+0x34/0x44\n ks8851_start_xmit_spi+0x30/0xb8\n ks8851_start_xmit+0x14/0x20\n netdev_start_xmit+0x40/0x6c\n dev_hard_start_xmit+0x6c/0xbc\n sch_direct_xmit+0xa4/0x22c\n __qdisc_run+0x138/0x3fc\n qdisc_run+0x24/0x3c\n net_tx_action+0xf8/0x130\n handle_softirqs+0x1ac/0x1f0\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x3c/0x58\n do_softirq_own_stack+0x1c/0x28\n __irq_exit_rcu+0x54/0x9c\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x38/0x50\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x64/0x68\n __netif_schedule+0x6c/0x80\n netif_tx_wake_queue+0x38/0x48\n ks8851_irq+0xb8/0x2c8\n irq_thread_fn+0x2c/0x74\n irq_thread+0x10c/0x1b0\n kthread+0xc8/0xd8\n ret_from_fork+0x10/0x20\n\nThis issue has not been identified earlier because tests were done on\na device with SMP disabled and so spinlocks were actually NOPs.\n\nNow use spin_(un)lock_bh for TX queue related locking to avoid execution\nof softirq work synchronously that would lead to a deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41036\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41036\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41036\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41036\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41036\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0913ec336a6c0c4a2b296bd9f74f8e41c4c83c8c\",\n \"https://git.kernel.org/stable/c/10fec0cd0e8f56ff06c46bb24254c7d8f8f2bbf0\",\n \"https://git.kernel.org/stable/c/80ece00137300d74642f2038c8fe5440deaf9f05\",\n \"https://git.kernel.org/stable/c/a0c69c492f4a8fad52f0a97565241c926160c9a4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ks8851: Fix deadlock with the SPI chip variant\\n\\nWhen SMP is enabled and spinlocks are actually functional then there is\\na deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi\\nand ks8851_irq:\\n\\n watchdog: BUG: soft lockup - CPU#0 stuck for 27s!\\n call trace:\\n queued_spin_lock_slowpath+0x100/0x284\\n do_raw_spin_lock+0x34/0x44\\n ks8851_start_xmit_spi+0x30/0xb8\\n ks8851_start_xmit+0x14/0x20\\n netdev_start_xmit+0x40/0x6c\\n dev_hard_start_xmit+0x6c/0xbc\\n sch_direct_xmit+0xa4/0x22c\\n __qdisc_run+0x138/0x3fc\\n qdisc_run+0x24/0x3c\\n net_tx_action+0xf8/0x130\\n handle_softirqs+0x1ac/0x1f0\\n __do_softirq+0x14/0x20\\n ____do_softirq+0x10/0x1c\\n call_on_irq_stack+0x3c/0x58\\n do_softirq_own_stack+0x1c/0x28\\n __irq_exit_rcu+0x54/0x9c\\n irq_exit_rcu+0x10/0x1c\\n el1_interrupt+0x38/0x50\\n el1h_64_irq_handler+0x18/0x24\\n el1h_64_irq+0x64/0x68\\n __netif_schedule+0x6c/0x80\\n netif_tx_wake_queue+0x38/0x48\\n ks8851_irq+0xb8/0x2c8\\n irq_thread_fn+0x2c/0x74\\n irq_thread+0x10c/0x1b0\\n kthread+0xc8/0xd8\\n ret_from_fork+0x10/0x20\\n\\nThis issue has not been identified earlier because tests were done on\\na device with SMP disabled and so spinlocks were actually NOPs.\\n\\nNow use spin_(un)lock_bh for TX queue related locking to avoid execution\\nof softirq work synchronously that would lead to a deadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41036\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41040", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41040" + }, + { + "url": "https://git.kernel.org/stable/c/26488172b0292bed837b95a006a3f3431d1898c3" + }, + { + "url": "https://git.kernel.org/stable/c/2b4d68df3f57ea746c430941ba9c03d7d8b5a23f" + }, + { + "url": "https://git.kernel.org/stable/c/4e71b10a100861fb27d9c5755dfd68f615629fae" + }, + { + "url": "https://git.kernel.org/stable/c/799a34901b634008db4a7ece3900e2b971d4c932" + }, + { + "url": "https://git.kernel.org/stable/c/b81a523d54ea689414f67c9fb81a5b917a41ed55" + }, + { + "url": "https://git.kernel.org/stable/c/ef472cc6693b16b202a916482df72f35d94bd69e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41040 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41040", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix UAF when resolving a clash\n\nKASAN reports the following UAF:\n\n BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n Read of size 1 at addr ffff888c07603600 by task handler130/6469\n\n Call Trace:\n \n dump_stack_lvl+0x48/0x70\n print_address_description.constprop.0+0x33/0x3d0\n print_report+0xc0/0x2b0\n kasan_report+0xd0/0x120\n __asan_load1+0x6c/0x80\n tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n tcf_ct_act+0x886/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n __irq_exit_rcu+0x82/0xc0\n irq_exit_rcu+0xe/0x20\n common_interrupt+0xa1/0xb0\n \n \n asm_common_interrupt+0x27/0x40\n\n Allocated by task 6469:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x25/0x40\n kasan_save_alloc_info+0x1e/0x40\n __kasan_krealloc+0x133/0x190\n krealloc+0xaa/0x130\n nf_ct_ext_add+0xed/0x230 [nf_conntrack]\n tcf_ct_act+0x1095/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n\n Freed by task 6469:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x25/0x40\n kasan_save_free_info+0x2b/0x60\n ____kasan_slab_free+0x180/0x1f0\n __kasan_slab_free+0x12/0x30\n slab_free_freelist_hook+0xd2/0x1a0\n __kmem_cache_free+0x1a2/0x2f0\n kfree+0x78/0x120\n nf_conntrack_free+0x74/0x130 [nf_conntrack]\n nf_ct_destroy+0xb2/0x140 [nf_conntrack]\n __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]\n nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]\n __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]\n tcf_ct_act+0x12ad/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n\nThe ct may be dropped if a clash has been resolved but is still passed to\nthe tcf_ct_flow_table_process_conn function for further usage. This issue\ncan be fixed by retrieving ct from skb again after confirming conntrack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41040\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41040\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41040\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41040\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41040\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/26488172b0292bed837b95a006a3f3431d1898c3\",\n \"https://git.kernel.org/stable/c/2b4d68df3f57ea746c430941ba9c03d7d8b5a23f\",\n \"https://git.kernel.org/stable/c/4e71b10a100861fb27d9c5755dfd68f615629fae\",\n \"https://git.kernel.org/stable/c/799a34901b634008db4a7ece3900e2b971d4c932\",\n \"https://git.kernel.org/stable/c/b81a523d54ea689414f67c9fb81a5b917a41ed55\",\n \"https://git.kernel.org/stable/c/ef472cc6693b16b202a916482df72f35d94bd69e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: Fix UAF when resolving a clash\\n\\nKASAN reports the following UAF:\\n\\n BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\\n Read of size 1 at addr ffff888c07603600 by task handler130/6469\\n\\n Call Trace:\\n \\n dump_stack_lvl+0x48/0x70\\n print_address_description.constprop.0+0x33/0x3d0\\n print_report+0xc0/0x2b0\\n kasan_report+0xd0/0x120\\n __asan_load1+0x6c/0x80\\n tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\\n tcf_ct_act+0x886/0x1350 [act_ct]\\n tcf_action_exec+0xf8/0x1f0\\n fl_classify+0x355/0x360 [cls_flower]\\n __tcf_classify+0x1fd/0x330\\n tcf_classify+0x21c/0x3c0\\n sch_handle_ingress.constprop.0+0x2c5/0x500\\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\\n __netif_receive_skb_list_core+0x220/0x4c0\\n netif_receive_skb_list_internal+0x446/0x620\\n napi_complete_done+0x157/0x3d0\\n gro_cell_poll+0xcf/0x100\\n __napi_poll+0x65/0x310\\n net_rx_action+0x30c/0x5c0\\n __do_softirq+0x14f/0x491\\n __irq_exit_rcu+0x82/0xc0\\n irq_exit_rcu+0xe/0x20\\n common_interrupt+0xa1/0xb0\\n \\n \\n asm_common_interrupt+0x27/0x40\\n\\n Allocated by task 6469:\\n kasan_save_stack+0x38/0x70\\n kasan_set_track+0x25/0x40\\n kasan_save_alloc_info+0x1e/0x40\\n __kasan_krealloc+0x133/0x190\\n krealloc+0xaa/0x130\\n nf_ct_ext_add+0xed/0x230 [nf_conntrack]\\n tcf_ct_act+0x1095/0x1350 [act_ct]\\n tcf_action_exec+0xf8/0x1f0\\n fl_classify+0x355/0x360 [cls_flower]\\n __tcf_classify+0x1fd/0x330\\n tcf_classify+0x21c/0x3c0\\n sch_handle_ingress.constprop.0+0x2c5/0x500\\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\\n __netif_receive_skb_list_core+0x220/0x4c0\\n netif_receive_skb_list_internal+0x446/0x620\\n napi_complete_done+0x157/0x3d0\\n gro_cell_poll+0xcf/0x100\\n __napi_poll+0x65/0x310\\n net_rx_action+0x30c/0x5c0\\n __do_softirq+0x14f/0x491\\n\\n Freed by task 6469:\\n kasan_save_stack+0x38/0x70\\n kasan_set_track+0x25/0x40\\n kasan_save_free_info+0x2b/0x60\\n ____kasan_slab_free+0x180/0x1f0\\n __kasan_slab_free+0x12/0x30\\n slab_free_freelist_hook+0xd2/0x1a0\\n __kmem_cache_free+0x1a2/0x2f0\\n kfree+0x78/0x120\\n nf_conntrack_free+0x74/0x130 [nf_conntrack]\\n nf_ct_destroy+0xb2/0x140 [nf_conntrack]\\n __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]\\n nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]\\n __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]\\n tcf_ct_act+0x12ad/0x1350 [act_ct]\\n tcf_action_exec+0xf8/0x1f0\\n fl_classify+0x355/0x360 [cls_flower]\\n __tcf_classify+0x1fd/0x330\\n tcf_classify+0x21c/0x3c0\\n sch_handle_ingress.constprop.0+0x2c5/0x500\\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\\n __netif_receive_skb_list_core+0x220/0x4c0\\n netif_receive_skb_list_internal+0x446/0x620\\n napi_complete_done+0x157/0x3d0\\n gro_cell_poll+0xcf/0x100\\n __napi_poll+0x65/0x310\\n net_rx_action+0x30c/0x5c0\\n __do_softirq+0x14f/0x491\\n\\nThe ct may be dropped if a clash has been resolved but is still passed to\\nthe tcf_ct_flow_table_process_conn function for further usage. This issue\\ncan be fixed by retrieving ct from skb again after confirming conntrack.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41040\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41041", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41041" + }, + { + "url": "https://git.kernel.org/stable/c/20ceae10623c3b29fdf7609690849475bcdebdb0" + }, + { + "url": "https://git.kernel.org/stable/c/5c0b485a8c6116516f33925b9ce5b6104a6eadfd" + }, + { + "url": "https://git.kernel.org/stable/c/7a67c4e47626e6daccda62888f8b096abb5d3940" + }, + { + "url": "https://git.kernel.org/stable/c/9f965684c57c3117cfd2f754dd3270383c529fba" + }, + { + "url": "https://git.kernel.org/stable/c/a6db0d3ea6536e7120871e5448b3032570152ec6" + }, + { + "url": "https://git.kernel.org/stable/c/c5fd77ca13d657c6e99bf04f0917445e6a80231e" + }, + { + "url": "https://git.kernel.org/stable/c/ddf516e50bf8a7bc9b3bd8a9831f9c7a8131a32a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41041 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41041", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().\n\nsyzkaller triggered the warning [0] in udp_v4_early_demux().\n\nIn udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount\nof the looked-up sk and use sock_pfree() as skb->destructor, so we check\nSOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace\nperiod.\n\nCurrently, SOCK_RCU_FREE is flagged for a bound socket after being put\ninto the hash table. Moreover, the SOCK_RCU_FREE check is done too early\nin udp_v[46]_early_demux() and sk_lookup(), so there could be a small race\nwindow:\n\n CPU1 CPU2\n ---- ----\n udp_v4_early_demux() udp_lib_get_port()\n | |- hlist_add_head_rcu()\n |- sk = __udp4_lib_demux_lookup() |\n |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));\n `- sock_set_flag(sk, SOCK_RCU_FREE)\n\nWe had the same bug in TCP and fixed it in commit 871019b22d1b (\"net:\nset SOCK_RCU_FREE before inserting socket into hashtable\").\n\nLet's apply the same fix for UDP.\n\n[0]:\nWARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nModules linked in:\nCPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nCode: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52\nRSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c\nRDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001\nRBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680\nR13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e\nFS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nPKRU: 55555554\nCall Trace:\n \n ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349\n ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624\n __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738\n netif_receive_skb_internal net/core/dev.c:5824 [inline]\n netif_receive_skb+0x271/0x300 net/core/dev.c:5884\n tun_rx_batched drivers/net/tun.c:1549 [inline]\n tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002\n tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x76f/0x8d0 fs/read_write.c:590\n ksys_write+0xbf/0x190 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x41/0x50 fs/read_write.c:652\n x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7fc44a68bc1f\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48\nRSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f\nR\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41041\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41041\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41041\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41041\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41041\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/20ceae10623c3b29fdf7609690849475bcdebdb0\",\n \"https://git.kernel.org/stable/c/5c0b485a8c6116516f33925b9ce5b6104a6eadfd\",\n \"https://git.kernel.org/stable/c/7a67c4e47626e6daccda62888f8b096abb5d3940\",\n \"https://git.kernel.org/stable/c/9f965684c57c3117cfd2f754dd3270383c529fba\",\n \"https://git.kernel.org/stable/c/a6db0d3ea6536e7120871e5448b3032570152ec6\",\n \"https://git.kernel.org/stable/c/c5fd77ca13d657c6e99bf04f0917445e6a80231e\",\n \"https://git.kernel.org/stable/c/ddf516e50bf8a7bc9b3bd8a9831f9c7a8131a32a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nudp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().\\n\\nsyzkaller triggered the warning [0] in udp_v4_early_demux().\\n\\nIn udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount\\nof the looked-up sk and use sock_pfree() as skb->destructor, so we check\\nSOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace\\nperiod.\\n\\nCurrently, SOCK_RCU_FREE is flagged for a bound socket after being put\\ninto the hash table. Moreover, the SOCK_RCU_FREE check is done too early\\nin udp_v[46]_early_demux() and sk_lookup(), so there could be a small race\\nwindow:\\n\\n CPU1 CPU2\\n ---- ----\\n udp_v4_early_demux() udp_lib_get_port()\\n | |- hlist_add_head_rcu()\\n |- sk = __udp4_lib_demux_lookup() |\\n |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));\\n `- sock_set_flag(sk, SOCK_RCU_FREE)\\n\\nWe had the same bug in TCP and fixed it in commit 871019b22d1b (\\\"net:\\nset SOCK_RCU_FREE before inserting socket into hashtable\\\").\\n\\nLet's apply the same fix for UDP.\\n\\n[0]:\\nWARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\\nModules linked in:\\nCPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\nRIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\\nCode: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52\\nRSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293\\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c\\nRDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001\\nRBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680\\nR13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e\\nFS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\\nPKRU: 55555554\\nCall Trace:\\n \\n ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349\\n ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447\\n NF_HOOK include/linux/netfilter.h:314 [inline]\\n NF_HOOK include/linux/netfilter.h:308 [inline]\\n ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569\\n __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624\\n __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738\\n netif_receive_skb_internal net/core/dev.c:5824 [inline]\\n netif_receive_skb+0x271/0x300 net/core/dev.c:5884\\n tun_rx_batched drivers/net/tun.c:1549 [inline]\\n tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002\\n tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0x76f/0x8d0 fs/read_write.c:590\\n ksys_write+0xbf/0x190 fs/read_write.c:643\\n __do_sys_write fs/read_write.c:655 [inline]\\n __se_sys_write fs/read_write.c:652 [inline]\\n __x64_sys_write+0x41/0x50 fs/read_write.c:652\\n x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\\nRIP: 0033:0x7fc44a68bc1f\\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48\\nRSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\\nRAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f\\nR\\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41041\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41042", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41042" + }, + { + "url": "https://git.kernel.org/stable/c/1947e4c3346faa8ac7e343652c0fd3b3e394202f" + }, + { + "url": "https://git.kernel.org/stable/c/31c35f9f89ef585f1edb53e17ac73a0ca4a9712b" + }, + { + "url": "https://git.kernel.org/stable/c/717c91c6ed73e248de6a15bc53adefb81446c9d0" + }, + { + "url": "https://git.kernel.org/stable/c/8246b7466c8da49d0d9e85e26cbd69dd6d3e3d1e" + }, + { + "url": "https://git.kernel.org/stable/c/9df785aeb7dcc8efd1d4110bb27d26005298ebae" + }, + { + "url": "https://git.kernel.org/stable/c/b6b6e430470e1c3c5513311cb35a15a205595abe" + }, + { + "url": "https://git.kernel.org/stable/c/cd4348e0a50286282c314ad6d2b0740e7c812c24" + }, + { + "url": "https://git.kernel.org/stable/c/cff3bd012a9512ac5ed858d38e6ed65f6391008c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41042 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41042", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prefer nft_chain_validate\n\nnft_chain_validate already performs loop detection because a cycle will\nresult in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).\n\nIt also follows maps via ->validate callback in nft_lookup, so there\nappears no reason to iterate the maps again.\n\nnf_tables_check_loops() and all its helper functions can be removed.\nThis improves ruleset load time significantly, from 23s down to 12s.\n\nThis also fixes a crash bug. Old loop detection code can result in\nunbounded recursion:\n\nBUG: TASK stack guard page was hit at ....\nOops: stack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1\n[..]\n\nwith a suitable ruleset during validation of register stores.\n\nI can't see any actual reason to attempt to check for this from\nnft_validate_register_store(), at this point the transaction is still in\nprogress, so we don't have a full picture of the rule graph.\n\nFor nf-next it might make sense to either remove it or make this depend\non table->validate_state in case we could catch an error earlier\n(for improved error reporting to userspace).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41042\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41042\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41042\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41042\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41042\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1947e4c3346faa8ac7e343652c0fd3b3e394202f\",\n \"https://git.kernel.org/stable/c/31c35f9f89ef585f1edb53e17ac73a0ca4a9712b\",\n \"https://git.kernel.org/stable/c/717c91c6ed73e248de6a15bc53adefb81446c9d0\",\n \"https://git.kernel.org/stable/c/8246b7466c8da49d0d9e85e26cbd69dd6d3e3d1e\",\n \"https://git.kernel.org/stable/c/9df785aeb7dcc8efd1d4110bb27d26005298ebae\",\n \"https://git.kernel.org/stable/c/b6b6e430470e1c3c5513311cb35a15a205595abe\",\n \"https://git.kernel.org/stable/c/cd4348e0a50286282c314ad6d2b0740e7c812c24\",\n \"https://git.kernel.org/stable/c/cff3bd012a9512ac5ed858d38e6ed65f6391008c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: prefer nft_chain_validate\\n\\nnft_chain_validate already performs loop detection because a cycle will\\nresult in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).\\n\\nIt also follows maps via ->validate callback in nft_lookup, so there\\nappears no reason to iterate the maps again.\\n\\nnf_tables_check_loops() and all its helper functions can be removed.\\nThis improves ruleset load time significantly, from 23s down to 12s.\\n\\nThis also fixes a crash bug. Old loop detection code can result in\\nunbounded recursion:\\n\\nBUG: TASK stack guard page was hit at ....\\nOops: stack guard page: 0000 [#1] PREEMPT SMP KASAN\\nCPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1\\n[..]\\n\\nwith a suitable ruleset during validation of register stores.\\n\\nI can't see any actual reason to attempt to check for this from\\nnft_validate_register_store(), at this point the transaction is still in\\nprogress, so we don't have a full picture of the rule graph.\\n\\nFor nf-next it might make sense to either remove it or make this depend\\non table->validate_state in case we could catch an error earlier\\n(for improved error reporting to userspace).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41042\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41044", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41044" + }, + { + "url": "https://git.kernel.org/stable/c/099502ca410922b56353ccef2749bc0de669da78" + }, + { + "url": "https://git.kernel.org/stable/c/3134bdf7356ed952dcecb480861d2afcc1e40492" + }, + { + "url": "https://git.kernel.org/stable/c/3ba12c2afd933fc1bf800f6d3f6c7ec8f602ce56" + }, + { + "url": "https://git.kernel.org/stable/c/6e8f1c21174f9482033bbb59f13ce1a8cbe843c3" + }, + { + "url": "https://git.kernel.org/stable/c/97d1efd8be26615ff680cdde86937d5943138f37" + }, + { + "url": "https://git.kernel.org/stable/c/d683e7f3fc48f59576af34631b4fb07fd931343e" + }, + { + "url": "https://git.kernel.org/stable/c/ebc5c630457783d17d0c438b0ad70b232a64a82f" + }, + { + "url": "https://git.kernel.org/stable/c/f2aeb7306a898e1cbd03963d376f4b6656ca2b55" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41044 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41044", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: reject claimed-as-LCP but actually malformed packets\n\nSince 'ppp_async_encode()' assumes valid LCP packets (with code\nfrom 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that\nLCP packet has an actual body beyond PPP_LCP header bytes, and\nreject claimed-as-LCP but actually malformed data otherwise.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41044\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41044\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41044\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41044\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41044\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/099502ca410922b56353ccef2749bc0de669da78\",\n \"https://git.kernel.org/stable/c/3134bdf7356ed952dcecb480861d2afcc1e40492\",\n \"https://git.kernel.org/stable/c/3ba12c2afd933fc1bf800f6d3f6c7ec8f602ce56\",\n \"https://git.kernel.org/stable/c/6e8f1c21174f9482033bbb59f13ce1a8cbe843c3\",\n \"https://git.kernel.org/stable/c/97d1efd8be26615ff680cdde86937d5943138f37\",\n \"https://git.kernel.org/stable/c/d683e7f3fc48f59576af34631b4fb07fd931343e\",\n \"https://git.kernel.org/stable/c/ebc5c630457783d17d0c438b0ad70b232a64a82f\",\n \"https://git.kernel.org/stable/c/f2aeb7306a898e1cbd03963d376f4b6656ca2b55\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nppp: reject claimed-as-LCP but actually malformed packets\\n\\nSince 'ppp_async_encode()' assumes valid LCP packets (with code\\nfrom 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that\\nLCP packet has an actual body beyond PPP_LCP header bytes, and\\nreject claimed-as-LCP but actually malformed data otherwise.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41044\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41045", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41045" + }, + { + "url": "https://git.kernel.org/stable/c/7aa5a19279c3639ae8b758b63f05d0c616a39fa1" + }, + { + "url": "https://git.kernel.org/stable/c/a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41045 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41045", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Defer work in bpf_timer_cancel_and_free\n\nCurrently, the same case as previous patch (two timer callbacks trying\nto cancel each other) can be invoked through bpf_map_update_elem as\nwell, or more precisely, freeing map elements containing timers. Since\nthis relies on hrtimer_cancel as well, it is prone to the same deadlock\nsituation as the previous patch.\n\nIt would be sufficient to use hrtimer_try_to_cancel to fix this problem,\nas the timer cannot be enqueued after async_cancel_and_free. Once\nasync_cancel_and_free has been done, the timer must be reinitialized\nbefore it can be armed again. The callback running in parallel trying to\narm the timer will fail, and freeing bpf_hrtimer without waiting is\nsufficient (given kfree_rcu), and bpf_timer_cb will return\nHRTIMER_NORESTART, preventing the timer from being rearmed again.\n\nHowever, there exists a UAF scenario where the callback arms the timer\nbefore entering this function, such that if cancellation fails (due to\ntimer callback invoking this routine, or the target timer callback\nrunning concurrently). In such a case, if the timer expiration is\nsignificantly far in the future, the RCU grace period expiration\nhappening before it will free the bpf_hrtimer state and along with it\nthe struct hrtimer, that is enqueued.\n\nHence, it is clear cancellation needs to occur after\nasync_cancel_and_free, and yet it cannot be done inline due to deadlock\nissues. We thus modify bpf_timer_cancel_and_free to defer work to the\nglobal workqueue, adding a work_struct alongside rcu_head (both used at\n_different_ points of time, so can share space).\n\nUpdate existing code comments to reflect the new state of affairs.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41045\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41045\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41045\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41045\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41045\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7aa5a19279c3639ae8b758b63f05d0c616a39fa1\",\n \"https://git.kernel.org/stable/c/a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Defer work in bpf_timer_cancel_and_free\\n\\nCurrently, the same case as previous patch (two timer callbacks trying\\nto cancel each other) can be invoked through bpf_map_update_elem as\\nwell, or more precisely, freeing map elements containing timers. Since\\nthis relies on hrtimer_cancel as well, it is prone to the same deadlock\\nsituation as the previous patch.\\n\\nIt would be sufficient to use hrtimer_try_to_cancel to fix this problem,\\nas the timer cannot be enqueued after async_cancel_and_free. Once\\nasync_cancel_and_free has been done, the timer must be reinitialized\\nbefore it can be armed again. The callback running in parallel trying to\\narm the timer will fail, and freeing bpf_hrtimer without waiting is\\nsufficient (given kfree_rcu), and bpf_timer_cb will return\\nHRTIMER_NORESTART, preventing the timer from being rearmed again.\\n\\nHowever, there exists a UAF scenario where the callback arms the timer\\nbefore entering this function, such that if cancellation fails (due to\\ntimer callback invoking this routine, or the target timer callback\\nrunning concurrently). In such a case, if the timer expiration is\\nsignificantly far in the future, the RCU grace period expiration\\nhappening before it will free the bpf_hrtimer state and along with it\\nthe struct hrtimer, that is enqueued.\\n\\nHence, it is clear cancellation needs to occur after\\nasync_cancel_and_free, and yet it cannot be done inline due to deadlock\\nissues. We thus modify bpf_timer_cancel_and_free to defer work to the\\nglobal workqueue, adding a work_struct alongside rcu_head (both used at\\n_different_ points of time, so can share space).\\n\\nUpdate existing code comments to reflect the new state of affairs.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41045\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41046", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41046" + }, + { + "url": "https://git.kernel.org/stable/c/1a2db00a554cfda57c397cce79b2804bf9633fec" + }, + { + "url": "https://git.kernel.org/stable/c/22b16618a80858b3a9d607708444426948cc4ae1" + }, + { + "url": "https://git.kernel.org/stable/c/69ad5fa0ce7c548262e0770fc2b726fe7ab4f156" + }, + { + "url": "https://git.kernel.org/stable/c/84aaaa796a19195fc59290154fef9aeb1fba964f" + }, + { + "url": "https://git.kernel.org/stable/c/907443174e76b854d28024bd079f0e53b94dc9a1" + }, + { + "url": "https://git.kernel.org/stable/c/9d23909ae041761cb2aa0c3cb1748598d8b6bc54" + }, + { + "url": "https://git.kernel.org/stable/c/c2b66e2b3939af63699e4a4bd25a8ac4a9b1d1b3" + }, + { + "url": "https://git.kernel.org/stable/c/e1533b6319ab9c3a97dad314dd88b3783bc41b69" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41046 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41046", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: lantiq_etop: fix double free in detach\n\nThe number of the currently released descriptor is never incremented\nwhich results in the same skb being released multiple times.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41046\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41046\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41046\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41046\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41046\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a2db00a554cfda57c397cce79b2804bf9633fec\",\n \"https://git.kernel.org/stable/c/22b16618a80858b3a9d607708444426948cc4ae1\",\n \"https://git.kernel.org/stable/c/69ad5fa0ce7c548262e0770fc2b726fe7ab4f156\",\n \"https://git.kernel.org/stable/c/84aaaa796a19195fc59290154fef9aeb1fba964f\",\n \"https://git.kernel.org/stable/c/907443174e76b854d28024bd079f0e53b94dc9a1\",\n \"https://git.kernel.org/stable/c/9d23909ae041761cb2aa0c3cb1748598d8b6bc54\",\n \"https://git.kernel.org/stable/c/c2b66e2b3939af63699e4a4bd25a8ac4a9b1d1b3\",\n \"https://git.kernel.org/stable/c/e1533b6319ab9c3a97dad314dd88b3783bc41b69\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ethernet: lantiq_etop: fix double free in detach\\n\\nThe number of the currently released descriptor is never incremented\\nwhich results in the same skb being released multiple times.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41046\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41047", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41047" + }, + { + "url": "https://git.kernel.org/stable/c/0075b8c94d76830c7b6f018f6e4eeb0bf6465fdc" + }, + { + "url": "https://git.kernel.org/stable/c/01fc5142ae6b06b61ed51a624f2732d6525d8ea3" + }, + { + "url": "https://git.kernel.org/stable/c/4bc336b2345f1485438c0eb7246d9c8a8d09f8ff" + }, + { + "url": "https://git.kernel.org/stable/c/5266302cb2c74d8ab0e9a69d5752fffaea70496e" + }, + { + "url": "https://git.kernel.org/stable/c/b399a68054dfb36eed121846ef5fcddba40b7740" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41047 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41047", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix XDP program unloading while removing the driver\n\nThe commit 6533e558c650 (\"i40e: Fix reset path while removing\nthe driver\") introduced a new PF state \"__I40E_IN_REMOVE\" to block\nmodifying the XDP program while the driver is being removed.\nUnfortunately, such a change is useful only if the \".ndo_bpf()\"\ncallback was called out of the rmmod context because unloading the\nexisting XDP program is also a part of driver removing procedure.\nIn other words, from the rmmod context the driver is expected to\nunload the XDP program without reporting any errors. Otherwise,\nthe kernel warning with callstack is printed out to dmesg.\n\nExample failing scenario:\n 1. Load the i40e driver.\n 2. Load the XDP program.\n 3. Unload the i40e driver (using \"rmmod\" command).\n\nThe example kernel warning log:\n\n[ +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[ +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[ +0.002726] Call Trace:\n[ +0.002457] \n[ +0.002119] ? __warn+0x80/0x120\n[ +0.003245] ? unregister_netdevice_many_notify+0x7a9/0x870\n[ +0.005586] ? report_bug+0x164/0x190\n[ +0.003678] ? handle_bug+0x3c/0x80\n[ +0.003503] ? exc_invalid_op+0x17/0x70\n[ +0.003846] ? asm_exc_invalid_op+0x1a/0x20\n[ +0.004200] ? unregister_netdevice_many_notify+0x7a9/0x870\n[ +0.005579] ? unregister_netdevice_many_notify+0x3cc/0x870\n[ +0.005586] unregister_netdevice_queue+0xf7/0x140\n[ +0.004806] unregister_netdev+0x1c/0x30\n[ +0.003933] i40e_vsi_release+0x87/0x2f0 [i40e]\n[ +0.004604] i40e_remove+0x1a1/0x420 [i40e]\n[ +0.004220] pci_device_remove+0x3f/0xb0\n[ +0.003943] device_release_driver_internal+0x19f/0x200\n[ +0.005243] driver_detach+0x48/0x90\n[ +0.003586] bus_remove_driver+0x6d/0xf0\n[ +0.003939] pci_unregister_driver+0x2e/0xb0\n[ +0.004278] i40e_exit_module+0x10/0x5f0 [i40e]\n[ +0.004570] __do_sys_delete_module.isra.0+0x197/0x310\n[ +0.005153] do_syscall_64+0x85/0x170\n[ +0.003684] ? syscall_exit_to_user_mode+0x69/0x220\n[ +0.004886] ? do_syscall_64+0x95/0x170\n[ +0.003851] ? exc_page_fault+0x7e/0x180\n[ +0.003932] entry_SYSCALL_64_after_hwframe+0x71/0x79\n[ +0.005064] RIP: 0033:0x7f59dc9347cb\n[ +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83\nc8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f\n05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48\n[ +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n[ +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb\n[ +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748\n[ +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000\n[ +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000\n[ +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000\n[ +0.007151] \n[ +0.002204] ---[ end trace 0000000000000000 ]---\n\nFix this by checking if the XDP program is being loaded or unloaded.\nThen, block only loading a new program while \"__I40E_IN_REMOVE\" is set.\nAlso, move testing \"__I40E_IN_REMOVE\" flag to the beginning of XDP_SETUP\ncallback to avoid unnecessary operations and checks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41047\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41047\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41047\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41047\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41047\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0075b8c94d76830c7b6f018f6e4eeb0bf6465fdc\",\n \"https://git.kernel.org/stable/c/01fc5142ae6b06b61ed51a624f2732d6525d8ea3\",\n \"https://git.kernel.org/stable/c/4bc336b2345f1485438c0eb7246d9c8a8d09f8ff\",\n \"https://git.kernel.org/stable/c/5266302cb2c74d8ab0e9a69d5752fffaea70496e\",\n \"https://git.kernel.org/stable/c/b399a68054dfb36eed121846ef5fcddba40b7740\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni40e: Fix XDP program unloading while removing the driver\\n\\nThe commit 6533e558c650 (\\\"i40e: Fix reset path while removing\\nthe driver\\\") introduced a new PF state \\\"__I40E_IN_REMOVE\\\" to block\\nmodifying the XDP program while the driver is being removed.\\nUnfortunately, such a change is useful only if the \\\".ndo_bpf()\\\"\\ncallback was called out of the rmmod context because unloading the\\nexisting XDP program is also a part of driver removing procedure.\\nIn other words, from the rmmod context the driver is expected to\\nunload the XDP program without reporting any errors. Otherwise,\\nthe kernel warning with callstack is printed out to dmesg.\\n\\nExample failing scenario:\\n 1. Load the i40e driver.\\n 2. Load the XDP program.\\n 3. Unload the i40e driver (using \\\"rmmod\\\" command).\\n\\nThe example kernel warning log:\\n\\n[ +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870\\n[...]\\n[ +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870\\n[...]\\n[ +0.002726] Call Trace:\\n[ +0.002457] \\n[ +0.002119] ? __warn+0x80/0x120\\n[ +0.003245] ? unregister_netdevice_many_notify+0x7a9/0x870\\n[ +0.005586] ? report_bug+0x164/0x190\\n[ +0.003678] ? handle_bug+0x3c/0x80\\n[ +0.003503] ? exc_invalid_op+0x17/0x70\\n[ +0.003846] ? asm_exc_invalid_op+0x1a/0x20\\n[ +0.004200] ? unregister_netdevice_many_notify+0x7a9/0x870\\n[ +0.005579] ? unregister_netdevice_many_notify+0x3cc/0x870\\n[ +0.005586] unregister_netdevice_queue+0xf7/0x140\\n[ +0.004806] unregister_netdev+0x1c/0x30\\n[ +0.003933] i40e_vsi_release+0x87/0x2f0 [i40e]\\n[ +0.004604] i40e_remove+0x1a1/0x420 [i40e]\\n[ +0.004220] pci_device_remove+0x3f/0xb0\\n[ +0.003943] device_release_driver_internal+0x19f/0x200\\n[ +0.005243] driver_detach+0x48/0x90\\n[ +0.003586] bus_remove_driver+0x6d/0xf0\\n[ +0.003939] pci_unregister_driver+0x2e/0xb0\\n[ +0.004278] i40e_exit_module+0x10/0x5f0 [i40e]\\n[ +0.004570] __do_sys_delete_module.isra.0+0x197/0x310\\n[ +0.005153] do_syscall_64+0x85/0x170\\n[ +0.003684] ? syscall_exit_to_user_mode+0x69/0x220\\n[ +0.004886] ? do_syscall_64+0x95/0x170\\n[ +0.003851] ? exc_page_fault+0x7e/0x180\\n[ +0.003932] entry_SYSCALL_64_after_hwframe+0x71/0x79\\n[ +0.005064] RIP: 0033:0x7f59dc9347cb\\n[ +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83\\nc8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f\\n05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48\\n[ +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\\n[ +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb\\n[ +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748\\n[ +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000\\n[ +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000\\n[ +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000\\n[ +0.007151] \\n[ +0.002204] ---[ end trace 0000000000000000 ]---\\n\\nFix this by checking if the XDP program is being loaded or unloaded.\\nThen, block only loading a new program while \\\"__I40E_IN_REMOVE\\\" is set.\\nAlso, move testing \\\"__I40E_IN_REMOVE\\\" flag to the beginning of XDP_SETUP\\ncallback to avoid unnecessary operations and checks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41047\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41048", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41048" + }, + { + "url": "https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632" + }, + { + "url": "https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc" + }, + { + "url": "https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b" + }, + { + "url": "https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97" + }, + { + "url": "https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41048 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41048", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nskmsg: Skip zero length skb in sk_msg_recvmsg\n\nWhen running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch\nplatform, the following kernel panic occurs:\n\n [...]\n Oops[#1]:\n CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18\n Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018\n ... ...\n ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560\n ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 0000000c (PPLV0 +PIE +PWE)\n EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n BADV: 0000000000000040\n PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)\n Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack\n Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)\n Stack : ...\n Call Trace:\n [<9000000004162774>] copy_page_to_iter+0x74/0x1c0\n [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560\n [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0\n [<90000000049aae34>] inet_recvmsg+0x54/0x100\n [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0\n [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0\n [<900000000481e27c>] sys_recvfrom+0x1c/0x40\n [<9000000004c076ec>] do_syscall+0x8c/0xc0\n [<9000000003731da4>] handle_syscall+0xc4/0x160\n Code: ...\n ---[ end trace 0000000000000000 ]---\n Kernel panic - not syncing: Fatal exception\n Kernel relocated by 0x3510000\n .text @ 0x9000000003710000\n .data @ 0x9000000004d70000\n .bss @ 0x9000000006469400\n ---[ end Kernel panic - not syncing: Fatal exception ]---\n [...]\n\nThis crash happens every time when running sockmap_skb_verdict_shutdown\nsubtest in sockmap_basic.\n\nThis crash is because a NULL pointer is passed to page_address() in the\nsk_msg_recvmsg(). Due to the different implementations depending on the\narchitecture, page_address(NULL) will trigger a panic on Loongarch\nplatform but not on x86 platform. So this bug was hidden on x86 platform\nfor a while, but now it is exposed on Loongarch platform. The root cause\nis that a zero length skb (skb->len == 0) was put on the queue.\n\nThis zero length skb is a TCP FIN packet, which was sent by shutdown(),\ninvoked in test_sockmap_skb_verdict_shutdown():\n\n\tshutdown(p1, SHUT_WR);\n\nIn this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no\npage is put to this sge (see sg_set_page in sg_set_page), but this empty\nsge is queued into ingress_msg list.\n\nAnd in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by\nsg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it\nto kmap_local_page() and to page_address(), then kernel panics.\n\nTo solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),\nif copy is zero, that means it's a zero length skb, skip invoking\ncopy_page_to_iter(). We are using the EFAULT return triggered by\ncopy_page_to_iter to check for is_fin in tcp_bpf.c.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41048\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41048\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41048\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41048\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41048\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632\",\n \"https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc\",\n \"https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b\",\n \"https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97\",\n \"https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nskmsg: Skip zero length skb in sk_msg_recvmsg\\n\\nWhen running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch\\nplatform, the following kernel panic occurs:\\n\\n [...]\\n Oops[#1]:\\n CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18\\n Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018\\n ... ...\\n ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560\\n ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0\\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\\n PRMD: 0000000c (PPLV0 +PIE +PWE)\\n EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\\n ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\\n ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\\n BADV: 0000000000000040\\n PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)\\n Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack\\n Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)\\n Stack : ...\\n Call Trace:\\n [<9000000004162774>] copy_page_to_iter+0x74/0x1c0\\n [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560\\n [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0\\n [<90000000049aae34>] inet_recvmsg+0x54/0x100\\n [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0\\n [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0\\n [<900000000481e27c>] sys_recvfrom+0x1c/0x40\\n [<9000000004c076ec>] do_syscall+0x8c/0xc0\\n [<9000000003731da4>] handle_syscall+0xc4/0x160\\n Code: ...\\n ---[ end trace 0000000000000000 ]---\\n Kernel panic - not syncing: Fatal exception\\n Kernel relocated by 0x3510000\\n .text @ 0x9000000003710000\\n .data @ 0x9000000004d70000\\n .bss @ 0x9000000006469400\\n ---[ end Kernel panic - not syncing: Fatal exception ]---\\n [...]\\n\\nThis crash happens every time when running sockmap_skb_verdict_shutdown\\nsubtest in sockmap_basic.\\n\\nThis crash is because a NULL pointer is passed to page_address() in the\\nsk_msg_recvmsg(). Due to the different implementations depending on the\\narchitecture, page_address(NULL) will trigger a panic on Loongarch\\nplatform but not on x86 platform. So this bug was hidden on x86 platform\\nfor a while, but now it is exposed on Loongarch platform. The root cause\\nis that a zero length skb (skb->len == 0) was put on the queue.\\n\\nThis zero length skb is a TCP FIN packet, which was sent by shutdown(),\\ninvoked in test_sockmap_skb_verdict_shutdown():\\n\\n\\tshutdown(p1, SHUT_WR);\\n\\nIn this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no\\npage is put to this sge (see sg_set_page in sg_set_page), but this empty\\nsge is queued into ingress_msg list.\\n\\nAnd in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by\\nsg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it\\nto kmap_local_page() and to page_address(), then kernel panics.\\n\\nTo solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),\\nif copy is zero, that means it's a zero length skb, skip invoking\\ncopy_page_to_iter(). We are using the EFAULT return triggered by\\ncopy_page_to_iter to check for is_fin in tcp_bpf.c.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41048\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41049", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41049" + }, + { + "url": "https://git.kernel.org/stable/c/02a8964260756c70b20393ad4006948510ac9967" + }, + { + "url": "https://git.kernel.org/stable/c/116599f6a26906cf33f67975c59f0692ecf7e9b2" + }, + { + "url": "https://git.kernel.org/stable/c/1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92" + }, + { + "url": "https://git.kernel.org/stable/c/1cbbb3d9475c403ebedc327490c7c2b991398197" + }, + { + "url": "https://git.kernel.org/stable/c/432b06b69d1d354a171f7499141116536579eb6a" + }, + { + "url": "https://git.kernel.org/stable/c/5cb36e35bc10ea334810937990c2b9023dacb1b0" + }, + { + "url": "https://git.kernel.org/stable/c/7d4c14f4b511fd4c0dc788084ae59b4656ace58b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41049 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41049", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: fix potential use-after-free in posix_lock_inode\n\nLight Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().\nThe request pointer had been changed earlier to point to a lock entry\nthat was added to the inode's list. However, before the tracepoint could\nfire, another task raced in and freed that lock.\n\nFix this by moving the tracepoint inside the spinlock, which should\nensure that this doesn't happen.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41049\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41049\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41049\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41049\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41049\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/02a8964260756c70b20393ad4006948510ac9967\",\n \"https://git.kernel.org/stable/c/116599f6a26906cf33f67975c59f0692ecf7e9b2\",\n \"https://git.kernel.org/stable/c/1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92\",\n \"https://git.kernel.org/stable/c/1cbbb3d9475c403ebedc327490c7c2b991398197\",\n \"https://git.kernel.org/stable/c/432b06b69d1d354a171f7499141116536579eb6a\",\n \"https://git.kernel.org/stable/c/5cb36e35bc10ea334810937990c2b9023dacb1b0\",\n \"https://git.kernel.org/stable/c/7d4c14f4b511fd4c0dc788084ae59b4656ace58b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfilelock: fix potential use-after-free in posix_lock_inode\\n\\nLight Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().\\nThe request pointer had been changed earlier to point to a lock entry\\nthat was added to the inode's list. However, before the tracepoint could\\nfire, another task raced in and freed that lock.\\n\\nFix this by moving the tracepoint inside the spinlock, which should\\nensure that this doesn't happen.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41049\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41050", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41050" + }, + { + "url": "https://git.kernel.org/stable/c/19f4f399091478c95947f6bd7ad61622300c30d9" + }, + { + "url": "https://git.kernel.org/stable/c/35710c6c4a1c64478ec1b5e0e81d386c0844dec6" + }, + { + "url": "https://git.kernel.org/stable/c/9d3bf4e9aa23f0d9e99ebe7a94f232ddba54ee17" + }, + { + "url": "https://git.kernel.org/stable/c/de045a82e1a4e04be62718d3c2981a55150765a0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41050 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41050", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: cyclic allocation of msg_id to avoid reuse\n\nReusing the msg_id after a maliciously completed reopen request may cause\na read request to remain unprocessed and result in a hung, as shown below:\n\n t1 | t2 | t3\n-------------------------------------------------\ncachefiles_ondemand_select_req\n cachefiles_ondemand_object_is_close(A)\n cachefiles_ondemand_set_object_reopening(A)\n queue_work(fscache_object_wq, &info->work)\n ondemand_object_worker\n cachefiles_ondemand_init_object(A)\n cachefiles_ondemand_send_req(OPEN)\n // get msg_id 6\n wait_for_completion(&req_A->done)\ncachefiles_ondemand_daemon_read\n // read msg_id 6 req_A\n cachefiles_ondemand_get_fd\n copy_to_user\n // Malicious completion msg_id 6\n copen 6,-1\n cachefiles_ondemand_copen\n complete(&req_A->done)\n // will not set the object to close\n // because ondemand_id && fd is valid.\n\n // ondemand_object_worker() is done\n // but the object is still reopening.\n\n // new open req_B\n cachefiles_ondemand_init_object(B)\n cachefiles_ondemand_send_req(OPEN)\n // reuse msg_id 6\nprocess_open_req\n copen 6,A.size\n // The expected failed copen was executed successfully\n\nExpect copen to fail, and when it does, it closes fd, which sets the\nobject to close, and then close triggers reopen again. However, due to\nmsg_id reuse resulting in a successful copen, the anonymous fd is not\nclosed until the daemon exits. Therefore read requests waiting for reopen\nto complete may trigger hung task.\n\nTo avoid this issue, allocate the msg_id cyclically to avoid reusing the\nmsg_id for a very short duration of time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41050\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41050\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41050\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41050\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41050\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19f4f399091478c95947f6bd7ad61622300c30d9\",\n \"https://git.kernel.org/stable/c/35710c6c4a1c64478ec1b5e0e81d386c0844dec6\",\n \"https://git.kernel.org/stable/c/9d3bf4e9aa23f0d9e99ebe7a94f232ddba54ee17\",\n \"https://git.kernel.org/stable/c/de045a82e1a4e04be62718d3c2981a55150765a0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: cyclic allocation of msg_id to avoid reuse\\n\\nReusing the msg_id after a maliciously completed reopen request may cause\\na read request to remain unprocessed and result in a hung, as shown below:\\n\\n t1 | t2 | t3\\n-------------------------------------------------\\ncachefiles_ondemand_select_req\\n cachefiles_ondemand_object_is_close(A)\\n cachefiles_ondemand_set_object_reopening(A)\\n queue_work(fscache_object_wq, &info->work)\\n ondemand_object_worker\\n cachefiles_ondemand_init_object(A)\\n cachefiles_ondemand_send_req(OPEN)\\n // get msg_id 6\\n wait_for_completion(&req_A->done)\\ncachefiles_ondemand_daemon_read\\n // read msg_id 6 req_A\\n cachefiles_ondemand_get_fd\\n copy_to_user\\n // Malicious completion msg_id 6\\n copen 6,-1\\n cachefiles_ondemand_copen\\n complete(&req_A->done)\\n // will not set the object to close\\n // because ondemand_id && fd is valid.\\n\\n // ondemand_object_worker() is done\\n // but the object is still reopening.\\n\\n // new open req_B\\n cachefiles_ondemand_init_object(B)\\n cachefiles_ondemand_send_req(OPEN)\\n // reuse msg_id 6\\nprocess_open_req\\n copen 6,A.size\\n // The expected failed copen was executed successfully\\n\\nExpect copen to fail, and when it does, it closes fd, which sets the\\nobject to close, and then close triggers reopen again. However, due to\\nmsg_id reuse resulting in a successful copen, the anonymous fd is not\\nclosed until the daemon exits. Therefore read requests waiting for reopen\\nto complete may trigger hung task.\\n\\nTo avoid this issue, allocate the msg_id cyclically to avoid reusing the\\nmsg_id for a very short duration of time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41050\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41055", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41055" + }, + { + "url": "https://git.kernel.org/stable/c/0100aeb8a12d51950418e685f879cc80cb8e5982" + }, + { + "url": "https://git.kernel.org/stable/c/797323d1cf92d09b7a017cfec576d9babf99cde7" + }, + { + "url": "https://git.kernel.org/stable/c/82f0b6f041fad768c28b4ad05a683065412c226e" + }, + { + "url": "https://git.kernel.org/stable/c/941e816185661bf2b44b488565d09444ae316509" + }, + { + "url": "https://git.kernel.org/stable/c/adccdf702b4ea913ded5ff512239e382d7473b63" + }, + { + "url": "https://git.kernel.org/stable/c/bc17f2377818dca643a74499c3f5333500c90503" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41055 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41055", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: prevent derefencing NULL ptr in pfn_section_valid()\n\nCommit 5ec8e8ea8b77 (\"mm/sparsemem: fix race in accessing\nmemory_section->usage\") changed pfn_section_valid() to add a READ_ONCE()\ncall around \"ms->usage\" to fix a race with section_deactivate() where\nms->usage can be cleared. The READ_ONCE() call, by itself, is not enough\nto prevent NULL pointer dereference. We need to check its value before\ndereferencing it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41055\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41055\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41055\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41055\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41055\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0100aeb8a12d51950418e685f879cc80cb8e5982\",\n \"https://git.kernel.org/stable/c/797323d1cf92d09b7a017cfec576d9babf99cde7\",\n \"https://git.kernel.org/stable/c/82f0b6f041fad768c28b4ad05a683065412c226e\",\n \"https://git.kernel.org/stable/c/941e816185661bf2b44b488565d09444ae316509\",\n \"https://git.kernel.org/stable/c/adccdf702b4ea913ded5ff512239e382d7473b63\",\n \"https://git.kernel.org/stable/c/bc17f2377818dca643a74499c3f5333500c90503\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: prevent derefencing NULL ptr in pfn_section_valid()\\n\\nCommit 5ec8e8ea8b77 (\\\"mm/sparsemem: fix race in accessing\\nmemory_section->usage\\\") changed pfn_section_valid() to add a READ_ONCE()\\ncall around \\\"ms->usage\\\" to fix a race with section_deactivate() where\\nms->usage can be cleared. The READ_ONCE() call, by itself, is not enough\\nto prevent NULL pointer dereference. We need to check its value before\\ndereferencing it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41055\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41057", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41057" + }, + { + "url": "https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4" + }, + { + "url": "https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1" + }, + { + "url": "https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11" + }, + { + "url": "https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41057 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41057", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\n\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\nCall Trace:\n \n kasan_report+0x93/0xc0\n cachefiles_withdraw_cookie+0x4d9/0x600\n fscache_cookie_state_machine+0x5c8/0x1230\n fscache_cookie_worker+0x91/0x1c0\n process_one_work+0x7fa/0x1800\n [...]\n\nAllocated by task 117:\n kmalloc_trace+0x1b3/0x3c0\n cachefiles_acquire_volume+0xf3/0x9c0\n fscache_create_volume_work+0x97/0x150\n process_one_work+0x7fa/0x1800\n [...]\n\nFreed by task 120301:\n kfree+0xf1/0x2c0\n cachefiles_withdraw_cache+0x3fa/0x920\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n do_exit+0x87a/0x29b0\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n p1 | p2\n------------------------------------------------------------\n fscache_begin_lookup\n fscache_begin_volume_access\n fscache_cache_is_live(fscache_cache)\ncachefiles_daemon_release\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n fscache_withdraw_cache\n fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\n cachefiles_withdraw_objects(cache)\n fscache_wait_for_objects(fscache)\n atomic_read(&fscache_cache->object_count) == 0\n fscache_perform_lookup\n cachefiles_lookup_cookie\n cachefiles_alloc_object\n refcount_set(&object->ref, 1);\n object->volume = volume\n fscache_count_object(vcookie->cache);\n atomic_inc(&fscache_cache->object_count)\n cachefiles_withdraw_volumes\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n __cachefiles_free_volume\n kfree(cachefiles_volume)\n fscache_cookie_state_machine\n cachefiles_withdraw_cookie\n cache = object->volume->cache;\n // cachefiles_volume UAF !!!\n\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\nto complete first, and then wait for fscache_cache->object_count == 0 to\navoid the cookie exiting after the volume has been freed and triggering\nthe above issue. Therefore call fscache_withdraw_volume() before calling\ncachefiles_withdraw_objects().\n\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\ncases will occur:\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\n been executed before calling fscache_wait_for_objects().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41057\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41057\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41057\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41057\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41057\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4\",\n \"https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1\",\n \"https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11\",\n \"https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\\n\\nWe got the following issue in our fault injection stress test:\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\\n\\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\\nCall Trace:\\n \\n kasan_report+0x93/0xc0\\n cachefiles_withdraw_cookie+0x4d9/0x600\\n fscache_cookie_state_machine+0x5c8/0x1230\\n fscache_cookie_worker+0x91/0x1c0\\n process_one_work+0x7fa/0x1800\\n [...]\\n\\nAllocated by task 117:\\n kmalloc_trace+0x1b3/0x3c0\\n cachefiles_acquire_volume+0xf3/0x9c0\\n fscache_create_volume_work+0x97/0x150\\n process_one_work+0x7fa/0x1800\\n [...]\\n\\nFreed by task 120301:\\n kfree+0xf1/0x2c0\\n cachefiles_withdraw_cache+0x3fa/0x920\\n cachefiles_put_unbind_pincount+0x1f6/0x250\\n cachefiles_daemon_release+0x13b/0x290\\n __fput+0x204/0xa00\\n task_work_run+0x139/0x230\\n do_exit+0x87a/0x29b0\\n [...]\\n==================================================================\\n\\nFollowing is the process that triggers the issue:\\n\\n p1 | p2\\n------------------------------------------------------------\\n fscache_begin_lookup\\n fscache_begin_volume_access\\n fscache_cache_is_live(fscache_cache)\\ncachefiles_daemon_release\\n cachefiles_put_unbind_pincount\\n cachefiles_daemon_unbind\\n cachefiles_withdraw_cache\\n fscache_withdraw_cache\\n fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\\n cachefiles_withdraw_objects(cache)\\n fscache_wait_for_objects(fscache)\\n atomic_read(&fscache_cache->object_count) == 0\\n fscache_perform_lookup\\n cachefiles_lookup_cookie\\n cachefiles_alloc_object\\n refcount_set(&object->ref, 1);\\n object->volume = volume\\n fscache_count_object(vcookie->cache);\\n atomic_inc(&fscache_cache->object_count)\\n cachefiles_withdraw_volumes\\n cachefiles_withdraw_volume\\n fscache_withdraw_volume\\n __cachefiles_free_volume\\n kfree(cachefiles_volume)\\n fscache_cookie_state_machine\\n cachefiles_withdraw_cookie\\n cache = object->volume->cache;\\n // cachefiles_volume UAF !!!\\n\\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\\nto complete first, and then wait for fscache_cache->object_count == 0 to\\navoid the cookie exiting after the volume has been freed and triggering\\nthe above issue. Therefore call fscache_withdraw_volume() before calling\\ncachefiles_withdraw_objects().\\n\\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\\ncases will occur:\\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\\n been executed before calling fscache_wait_for_objects().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41057\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41058", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41058" + }, + { + "url": "https://git.kernel.org/stable/c/38b88d544216f806d93a273a62ff8ebe82254003" + }, + { + "url": "https://git.kernel.org/stable/c/522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36" + }, + { + "url": "https://git.kernel.org/stable/c/90f17e47f1e209c6a3c92a1d038a0a80c95c460e" + }, + { + "url": "https://git.kernel.org/stable/c/9dd7f5663899ea13a6a73216106d9c13c37453e3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41058 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41058", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in fscache_withdraw_volume()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370\nRead of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798\n\nCPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565\nCall Trace:\n kasan_check_range+0xf6/0x1b0\n fscache_withdraw_volume+0x2e1/0x370\n cachefiles_withdraw_volume+0x31/0x50\n cachefiles_withdraw_cache+0x3ad/0x900\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n\nAllocated by task 5820:\n __kmalloc+0x1df/0x4b0\n fscache_alloc_volume+0x70/0x600\n __fscache_acquire_volume+0x1c/0x610\n erofs_fscache_register_volume+0x96/0x1a0\n erofs_fscache_register_fs+0x49a/0x690\n erofs_fc_fill_super+0x6c0/0xcc0\n vfs_get_super+0xa9/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n\nFreed by task 5820:\n kfree+0xf1/0x2c0\n fscache_put_volume.part.0+0x5cb/0x9e0\n erofs_fscache_unregister_fs+0x157/0x1b0\n erofs_kill_sb+0xd9/0x1c0\n deactivate_locked_super+0xa3/0x100\n vfs_get_super+0x105/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount failed | daemon exit\n------------------------------------------------------------\n deactivate_locked_super cachefiles_daemon_release\n erofs_kill_sb\n erofs_fscache_unregister_fs\n fscache_relinquish_volume\n __fscache_relinquish_volume\n fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)\n zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n cachefiles_withdraw_volumes\n list_del_init(&volume->cache_link)\n fscache_free_volume(fscache_volume)\n cache->ops->free_volume\n cachefiles_free_volume\n list_del_init(&cachefiles_volume->cache_link);\n kfree(fscache_volume)\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n fscache_volume->n_accesses\n // fscache_volume UAF !!!\n\nThe fscache_volume in cache->volumes must not have been freed yet, but its\nreference count may be 0. So use the new fscache_try_get_volume() helper\nfunction try to get its reference count.\n\nIf the reference count of fscache_volume is 0, fscache_put_volume() is\nfreeing it, so wait for it to be removed from cache->volumes.\n\nIf its reference count is not 0, call cachefiles_withdraw_volume() with\nreference count protection to avoid the above issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41058\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41058\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41058\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41058\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41058\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/38b88d544216f806d93a273a62ff8ebe82254003\",\n \"https://git.kernel.org/stable/c/522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36\",\n \"https://git.kernel.org/stable/c/90f17e47f1e209c6a3c92a1d038a0a80c95c460e\",\n \"https://git.kernel.org/stable/c/9dd7f5663899ea13a6a73216106d9c13c37453e3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: fix slab-use-after-free in fscache_withdraw_volume()\\n\\nWe got the following issue in our fault injection stress test:\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370\\nRead of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798\\n\\nCPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565\\nCall Trace:\\n kasan_check_range+0xf6/0x1b0\\n fscache_withdraw_volume+0x2e1/0x370\\n cachefiles_withdraw_volume+0x31/0x50\\n cachefiles_withdraw_cache+0x3ad/0x900\\n cachefiles_put_unbind_pincount+0x1f6/0x250\\n cachefiles_daemon_release+0x13b/0x290\\n __fput+0x204/0xa00\\n task_work_run+0x139/0x230\\n\\nAllocated by task 5820:\\n __kmalloc+0x1df/0x4b0\\n fscache_alloc_volume+0x70/0x600\\n __fscache_acquire_volume+0x1c/0x610\\n erofs_fscache_register_volume+0x96/0x1a0\\n erofs_fscache_register_fs+0x49a/0x690\\n erofs_fc_fill_super+0x6c0/0xcc0\\n vfs_get_super+0xa9/0x140\\n vfs_get_tree+0x8e/0x300\\n do_new_mount+0x28c/0x580\\n [...]\\n\\nFreed by task 5820:\\n kfree+0xf1/0x2c0\\n fscache_put_volume.part.0+0x5cb/0x9e0\\n erofs_fscache_unregister_fs+0x157/0x1b0\\n erofs_kill_sb+0xd9/0x1c0\\n deactivate_locked_super+0xa3/0x100\\n vfs_get_super+0x105/0x140\\n vfs_get_tree+0x8e/0x300\\n do_new_mount+0x28c/0x580\\n [...]\\n==================================================================\\n\\nFollowing is the process that triggers the issue:\\n\\n mount failed | daemon exit\\n------------------------------------------------------------\\n deactivate_locked_super cachefiles_daemon_release\\n erofs_kill_sb\\n erofs_fscache_unregister_fs\\n fscache_relinquish_volume\\n __fscache_relinquish_volume\\n fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)\\n zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);\\n cachefiles_put_unbind_pincount\\n cachefiles_daemon_unbind\\n cachefiles_withdraw_cache\\n cachefiles_withdraw_volumes\\n list_del_init(&volume->cache_link)\\n fscache_free_volume(fscache_volume)\\n cache->ops->free_volume\\n cachefiles_free_volume\\n list_del_init(&cachefiles_volume->cache_link);\\n kfree(fscache_volume)\\n cachefiles_withdraw_volume\\n fscache_withdraw_volume\\n fscache_volume->n_accesses\\n // fscache_volume UAF !!!\\n\\nThe fscache_volume in cache->volumes must not have been freed yet, but its\\nreference count may be 0. So use the new fscache_try_get_volume() helper\\nfunction try to get its reference count.\\n\\nIf the reference count of fscache_volume is 0, fscache_put_volume() is\\nfreeing it, so wait for it to be removed from cache->volumes.\\n\\nIf its reference count is not 0, call cachefiles_withdraw_volume() with\\nreference count protection to avoid the above issue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41058\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41059", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41059" + }, + { + "url": "https://git.kernel.org/stable/c/0570730c16307a72f8241df12363f76600baf57d" + }, + { + "url": "https://git.kernel.org/stable/c/22999936b91ba545ce1fbbecae6895127945e91c" + }, + { + "url": "https://git.kernel.org/stable/c/34f8efd2743f2d961e92e8e994de4c7a2f9e74a0" + }, + { + "url": "https://git.kernel.org/stable/c/72805debec8f7aa342da194fe0ed7bc8febea335" + }, + { + "url": "https://git.kernel.org/stable/c/ad57dc2caf1e0a3c0a9904400fae7afbc9f74bb2" + }, + { + "url": "https://git.kernel.org/stable/c/c733e24a61cbcff10f660041d6d84d32bb7e4cb4" + }, + { + "url": "https://git.kernel.org/stable/c/d02d8c1dacafb28930c39e16d48e40bb6e4cbc70" + }, + { + "url": "https://git.kernel.org/stable/c/f08956d8e0f80fd0d4ad84ec917302bb2f3a9c6a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41059 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41059", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix uninit-value in copy_name\n\n[syzbot reported]\nBUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160\n sized_strscpy+0xc4/0x160\n copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411\n hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3877 [inline]\n slab_alloc_node mm/slub.c:3918 [inline]\n kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065\n kmalloc include/linux/slab.h:628 [inline]\n hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[Fix]\nWhen allocating memory to strbuf, initialize memory to 0.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41059\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41059\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41059\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41059\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41059\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0570730c16307a72f8241df12363f76600baf57d\",\n \"https://git.kernel.org/stable/c/22999936b91ba545ce1fbbecae6895127945e91c\",\n \"https://git.kernel.org/stable/c/34f8efd2743f2d961e92e8e994de4c7a2f9e74a0\",\n \"https://git.kernel.org/stable/c/72805debec8f7aa342da194fe0ed7bc8febea335\",\n \"https://git.kernel.org/stable/c/ad57dc2caf1e0a3c0a9904400fae7afbc9f74bb2\",\n \"https://git.kernel.org/stable/c/c733e24a61cbcff10f660041d6d84d32bb7e4cb4\",\n \"https://git.kernel.org/stable/c/d02d8c1dacafb28930c39e16d48e40bb6e4cbc70\",\n \"https://git.kernel.org/stable/c/f08956d8e0f80fd0d4ad84ec917302bb2f3a9c6a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhfsplus: fix uninit-value in copy_name\\n\\n[syzbot reported]\\nBUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160\\n sized_strscpy+0xc4/0x160\\n copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411\\n hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750\\n vfs_listxattr fs/xattr.c:493 [inline]\\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\\n path_listxattr fs/xattr.c:864 [inline]\\n __do_sys_listxattr fs/xattr.c:876 [inline]\\n __se_sys_listxattr fs/xattr.c:873 [inline]\\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3877 [inline]\\n slab_alloc_node mm/slub.c:3918 [inline]\\n kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065\\n kmalloc include/linux/slab.h:628 [inline]\\n hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699\\n vfs_listxattr fs/xattr.c:493 [inline]\\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\\n path_listxattr fs/xattr.c:864 [inline]\\n __do_sys_listxattr fs/xattr.c:876 [inline]\\n __se_sys_listxattr fs/xattr.c:873 [inline]\\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n[Fix]\\nWhen allocating memory to strbuf, initialize memory to 0.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41059\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41060", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41060" + }, + { + "url": "https://git.kernel.org/stable/c/6fb15dcbcf4f212930350eaee174bb60ed40a536" + }, + { + "url": "https://git.kernel.org/stable/c/8a500b3a5f0a58c6f99039091fbd715f64f2f8af" + }, + { + "url": "https://git.kernel.org/stable/c/a2b201f83971df03c8e81a480b2f2846ae8ce1a3" + }, + { + "url": "https://git.kernel.org/stable/c/a9100f17428cb733c4f6fbb132d98bed76318342" + }, + { + "url": "https://git.kernel.org/stable/c/f13c96e0e325a057c03f8a47734adb360e112efe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41060 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41060", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: check bo_va->bo is non-NULL before using it\n\nThe call to radeon_vm_clear_freed might clear bo_va->bo, so\nwe have to check it before dereferencing it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41060\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41060\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41060\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41060\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41060\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6fb15dcbcf4f212930350eaee174bb60ed40a536\",\n \"https://git.kernel.org/stable/c/8a500b3a5f0a58c6f99039091fbd715f64f2f8af\",\n \"https://git.kernel.org/stable/c/a2b201f83971df03c8e81a480b2f2846ae8ce1a3\",\n \"https://git.kernel.org/stable/c/a9100f17428cb733c4f6fbb132d98bed76318342\",\n \"https://git.kernel.org/stable/c/f13c96e0e325a057c03f8a47734adb360e112efe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/radeon: check bo_va->bo is non-NULL before using it\\n\\nThe call to radeon_vm_clear_freed might clear bo_va->bo, so\\nwe have to check it before dereferencing it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41060\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41061", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41061" + }, + { + "url": "https://git.kernel.org/stable/c/0ad4b4a2f6357c45fbe444ead1a929a0b4017d03" + }, + { + "url": "https://git.kernel.org/stable/c/94166fe12543fbef122ca2d093e794ea41073a85" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41061 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41061", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport\n\n[Why]\nPotential out of bounds access in dml2_calculate_rq_and_dlg_params()\nbecause the value of out_lowest_state_idx used as an index for FCLKChangeSupport\narray can be greater than 1.\n\n[How]\nCurrently dml2 core specifies identical values for all FCLKChangeSupport\nelements. Always use index 0 in the condition to avoid out of bounds access.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41061\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41061\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41061\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41061\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41061\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0ad4b4a2f6357c45fbe444ead1a929a0b4017d03\",\n \"https://git.kernel.org/stable/c/94166fe12543fbef122ca2d093e794ea41073a85\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport\\n\\n[Why]\\nPotential out of bounds access in dml2_calculate_rq_and_dlg_params()\\nbecause the value of out_lowest_state_idx used as an index for FCLKChangeSupport\\narray can be greater than 1.\\n\\n[How]\\nCurrently dml2 core specifies identical values for all FCLKChangeSupport\\nelements. Always use index 0 in the condition to avoid out of bounds access.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41061\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41062", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41062" + }, + { + "url": "https://git.kernel.org/stable/c/3b732449b78183d17178db40be3a4401cf3cd629" + }, + { + "url": "https://git.kernel.org/stable/c/605572e64cd9cebb05ed609d96cff05b50d18cdf" + }, + { + "url": "https://git.kernel.org/stable/c/89e856e124f9ae548572c56b1b70c2255705f8fe" + }, + { + "url": "https://git.kernel.org/stable/c/b803f30ea23e0968b6c8285c42adf0d862ab2bf6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41062 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41062", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbluetooth/l2cap: sync sock recv cb and release\n\nThe problem occurs between the system call to close the sock and hci_rx_work,\nwhere the former releases the sock and the latter accesses it without lock protection.\n\n CPU0 CPU1\n ---- ----\n sock_close hci_rx_work\n\t l2cap_sock_release hci_acldata_packet\n\t l2cap_sock_kill l2cap_recv_frame\n\t sk_free l2cap_conless_channel\n\t l2cap_sock_recv_cb\n\nIf hci_rx_work processes the data that needs to be received before the sock is\nclosed, then everything is normal; Otherwise, the work thread may access the\nreleased sock when receiving data.\n\nAdd a chan mutex in the rx callback of the sock to achieve synchronization between\nthe sock release and recv cb.\n\nSock is dead, so set chan data to NULL, avoid others use invalid sock pointer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41062\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41062\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41062\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41062\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41062\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b732449b78183d17178db40be3a4401cf3cd629\",\n \"https://git.kernel.org/stable/c/605572e64cd9cebb05ed609d96cff05b50d18cdf\",\n \"https://git.kernel.org/stable/c/89e856e124f9ae548572c56b1b70c2255705f8fe\",\n \"https://git.kernel.org/stable/c/b803f30ea23e0968b6c8285c42adf0d862ab2bf6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbluetooth/l2cap: sync sock recv cb and release\\n\\nThe problem occurs between the system call to close the sock and hci_rx_work,\\nwhere the former releases the sock and the latter accesses it without lock protection.\\n\\n CPU0 CPU1\\n ---- ----\\n sock_close hci_rx_work\\n\\t l2cap_sock_release hci_acldata_packet\\n\\t l2cap_sock_kill l2cap_recv_frame\\n\\t sk_free l2cap_conless_channel\\n\\t l2cap_sock_recv_cb\\n\\nIf hci_rx_work processes the data that needs to be received before the sock is\\nclosed, then everything is normal; Otherwise, the work thread may access the\\nreleased sock when receiving data.\\n\\nAdd a chan mutex in the rx callback of the sock to achieve synchronization between\\nthe sock release and recv cb.\\n\\nSock is dead, so set chan data to NULL, avoid others use invalid sock pointer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41062\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41063", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41063" + }, + { + "url": "https://git.kernel.org/stable/c/0d151a103775dd9645c78c97f77d6e2a5298d913" + }, + { + "url": "https://git.kernel.org/stable/c/3f939bd73fed12dddc2a32a76116c19ca47c7678" + }, + { + "url": "https://git.kernel.org/stable/c/48542881997e17b49dc16b93fe910e0cfcf7a9f9" + }, + { + "url": "https://git.kernel.org/stable/c/96600c2e5ee8213dbab5df1617293d8e847bb4fa" + }, + { + "url": "https://git.kernel.org/stable/c/9cfc84b1d464cc024286f42a090718f9067b80ed" + }, + { + "url": "https://git.kernel.org/stable/c/d2ce562a5aff1dcd0c50d9808ea825ef90da909f" + }, + { + "url": "https://git.kernel.org/stable/c/d6cbce18370641a21dd889e8613d8153df15eb39" + }, + { + "url": "https://git.kernel.org/stable/c/ddeda6ca5f218b668b560d90fc31ae469adbfd92" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41063 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41063", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: cancel all works upon hci_unregister_dev()\n\nsyzbot is reporting that calling hci_release_dev() from hci_error_reset()\ndue to hci_dev_put() from hci_error_reset() can cause deadlock at\ndestroy_workqueue(), for hci_error_reset() is called from\nhdev->req_workqueue which destroy_workqueue() needs to flush.\n\nWe need to make sure that hdev->{rx_work,cmd_work,tx_work} which are\nqueued into hdev->workqueue and hdev->{power_on,error_reset} which are\nqueued into hdev->req_workqueue are no longer running by the moment\n\n destroy_workqueue(hdev->workqueue);\n destroy_workqueue(hdev->req_workqueue);\n\nare called from hci_release_dev().\n\nCall cancel_work_sync() on these work items from hci_unregister_dev()\nas soon as hdev->list is removed from hci_dev_list.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41063\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41063\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41063\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41063\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41063\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d151a103775dd9645c78c97f77d6e2a5298d913\",\n \"https://git.kernel.org/stable/c/3f939bd73fed12dddc2a32a76116c19ca47c7678\",\n \"https://git.kernel.org/stable/c/48542881997e17b49dc16b93fe910e0cfcf7a9f9\",\n \"https://git.kernel.org/stable/c/96600c2e5ee8213dbab5df1617293d8e847bb4fa\",\n \"https://git.kernel.org/stable/c/9cfc84b1d464cc024286f42a090718f9067b80ed\",\n \"https://git.kernel.org/stable/c/d2ce562a5aff1dcd0c50d9808ea825ef90da909f\",\n \"https://git.kernel.org/stable/c/d6cbce18370641a21dd889e8613d8153df15eb39\",\n \"https://git.kernel.org/stable/c/ddeda6ca5f218b668b560d90fc31ae469adbfd92\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: hci_core: cancel all works upon hci_unregister_dev()\\n\\nsyzbot is reporting that calling hci_release_dev() from hci_error_reset()\\ndue to hci_dev_put() from hci_error_reset() can cause deadlock at\\ndestroy_workqueue(), for hci_error_reset() is called from\\nhdev->req_workqueue which destroy_workqueue() needs to flush.\\n\\nWe need to make sure that hdev->{rx_work,cmd_work,tx_work} which are\\nqueued into hdev->workqueue and hdev->{power_on,error_reset} which are\\nqueued into hdev->req_workqueue are no longer running by the moment\\n\\n destroy_workqueue(hdev->workqueue);\\n destroy_workqueue(hdev->req_workqueue);\\n\\nare called from hci_release_dev().\\n\\nCall cancel_work_sync() on these work items from hci_unregister_dev()\\nas soon as hdev->list is removed from hci_dev_list.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41063\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41064", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41064" + }, + { + "url": "https://git.kernel.org/stable/c/033c51dfdbb6b79ab43fb3587276fa82d0a329e1" + }, + { + "url": "https://git.kernel.org/stable/c/428d940a8b6b3350b282c14d3f63350bde65c48b" + }, + { + "url": "https://git.kernel.org/stable/c/4bc246d2d60d071314842fa448faa4ed39082aff" + }, + { + "url": "https://git.kernel.org/stable/c/4fad7fef847b6028475dd7b4c14fcb82b3e51274" + }, + { + "url": "https://git.kernel.org/stable/c/8836e1bf5838ac6c08760e0a2dd7cf6410aa7ff3" + }, + { + "url": "https://git.kernel.org/stable/c/a1216e62d039bf63a539bbe718536ec789a853dd" + }, + { + "url": "https://git.kernel.org/stable/c/f23c3d1ca9c4b2d626242a4e7e1ec1770447f7b5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41064 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41064", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/eeh: avoid possible crash when edev->pdev changes\n\nIf a PCI device is removed during eeh_pe_report_edev(), edev->pdev\nwill change and can cause a crash, hold the PCI rescan/remove lock\nwhile taking a copy of edev->pdev->bus.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41064\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41064\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41064\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41064\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41064\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/033c51dfdbb6b79ab43fb3587276fa82d0a329e1\",\n \"https://git.kernel.org/stable/c/428d940a8b6b3350b282c14d3f63350bde65c48b\",\n \"https://git.kernel.org/stable/c/4bc246d2d60d071314842fa448faa4ed39082aff\",\n \"https://git.kernel.org/stable/c/4fad7fef847b6028475dd7b4c14fcb82b3e51274\",\n \"https://git.kernel.org/stable/c/8836e1bf5838ac6c08760e0a2dd7cf6410aa7ff3\",\n \"https://git.kernel.org/stable/c/a1216e62d039bf63a539bbe718536ec789a853dd\",\n \"https://git.kernel.org/stable/c/f23c3d1ca9c4b2d626242a4e7e1ec1770447f7b5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/eeh: avoid possible crash when edev->pdev changes\\n\\nIf a PCI device is removed during eeh_pe_report_edev(), edev->pdev\\nwill change and can cause a crash, hold the PCI rescan/remove lock\\nwhile taking a copy of edev->pdev->bus.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41064\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41065", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41065" + }, + { + "url": "https://git.kernel.org/stable/c/0f5892212c27be31792ef1daa89c8dac1b3047e4" + }, + { + "url": "https://git.kernel.org/stable/c/1a14150e1656f7a332a943154fc486504db4d586" + }, + { + "url": "https://git.kernel.org/stable/c/1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2" + }, + { + "url": "https://git.kernel.org/stable/c/6b16098148ea58a67430d90e20476be2377c3acd" + }, + { + "url": "https://git.kernel.org/stable/c/a7b952941ce07e1e7a2cafd08c64a98e14f553e6" + }, + { + "url": "https://git.kernel.org/stable/c/e512a59b472684d8585125101ab03b86c2c1348a" + }, + { + "url": "https://git.kernel.org/stable/c/e59822f9d700349cd17968d22c979db23a2d347f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41065 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41065", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Whitelist dtl slub object for copying to userspace\n\nReading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*\nresults in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as\nshown below.\n\n kernel BUG at mm/usercopy.c:102!\n Oops: Exception in kernel mode, sig: 5 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc\n scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse\n CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85\n Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries\n NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8\n REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3)\n MSR: 8000000000029033 CR: 2828220f XER: 0000000e\n CFAR: c0000000001fdc80 IRQMASK: 0\n [ ... GPRs omitted ... ]\n NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0\n LR [c0000000005d23d0] usercopy_abort+0x74/0xb0\n Call Trace:\n usercopy_abort+0x74/0xb0 (unreliable)\n __check_heap_object+0xf8/0x120\n check_heap_object+0x218/0x240\n __check_object_size+0x84/0x1a4\n dtl_file_read+0x17c/0x2c4\n full_proxy_read+0x8c/0x110\n vfs_read+0xdc/0x3a0\n ksys_read+0x84/0x144\n system_call_exception+0x124/0x330\n system_call_vectored_common+0x15c/0x2ec\n --- interrupt: 3000 at 0x7fff81f3ab34\n\nCommit 6d07d1cd300f (\"usercopy: Restrict non-usercopy caches to size 0\")\nrequires that only whitelisted areas in slab/slub objects can be copied to\nuserspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.\nDtl contains hypervisor dispatch events which are expected to be read by\nprivileged users. Hence mark this safe for user access.\nSpecify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the\nentire object.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41065\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41065\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41065\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41065\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41065\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0f5892212c27be31792ef1daa89c8dac1b3047e4\",\n \"https://git.kernel.org/stable/c/1a14150e1656f7a332a943154fc486504db4d586\",\n \"https://git.kernel.org/stable/c/1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2\",\n \"https://git.kernel.org/stable/c/6b16098148ea58a67430d90e20476be2377c3acd\",\n \"https://git.kernel.org/stable/c/a7b952941ce07e1e7a2cafd08c64a98e14f553e6\",\n \"https://git.kernel.org/stable/c/e512a59b472684d8585125101ab03b86c2c1348a\",\n \"https://git.kernel.org/stable/c/e59822f9d700349cd17968d22c979db23a2d347f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/pseries: Whitelist dtl slub object for copying to userspace\\n\\nReading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*\\nresults in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as\\nshown below.\\n\\n kernel BUG at mm/usercopy.c:102!\\n Oops: Exception in kernel mode, sig: 5 [#1]\\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\\n Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc\\n scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse\\n CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85\\n Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries\\n NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8\\n REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3)\\n MSR: 8000000000029033 CR: 2828220f XER: 0000000e\\n CFAR: c0000000001fdc80 IRQMASK: 0\\n [ ... GPRs omitted ... ]\\n NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0\\n LR [c0000000005d23d0] usercopy_abort+0x74/0xb0\\n Call Trace:\\n usercopy_abort+0x74/0xb0 (unreliable)\\n __check_heap_object+0xf8/0x120\\n check_heap_object+0x218/0x240\\n __check_object_size+0x84/0x1a4\\n dtl_file_read+0x17c/0x2c4\\n full_proxy_read+0x8c/0x110\\n vfs_read+0xdc/0x3a0\\n ksys_read+0x84/0x144\\n system_call_exception+0x124/0x330\\n system_call_vectored_common+0x15c/0x2ec\\n --- interrupt: 3000 at 0x7fff81f3ab34\\n\\nCommit 6d07d1cd300f (\\\"usercopy: Restrict non-usercopy caches to size 0\\\")\\nrequires that only whitelisted areas in slab/slub objects can be copied to\\nuserspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.\\nDtl contains hypervisor dispatch events which are expected to be read by\\nprivileged users. Hence mark this safe for user access.\\nSpecify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the\\nentire object.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41065\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41066", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41066" + }, + { + "url": "https://git.kernel.org/stable/c/0983d288caf984de0202c66641577b739caad561" + }, + { + "url": "https://git.kernel.org/stable/c/16ad1557cae582e79bb82dddd612d9bdfaa11d4c" + }, + { + "url": "https://git.kernel.org/stable/c/267c61c4afed0ff9a2e83462abad3f41d8ca1f06" + }, + { + "url": "https://git.kernel.org/stable/c/e7b75def33eae61ddaad6cb616c517dc3882eb2a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41066 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41066", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Add tx check to prevent skb leak\n\nBelow is a summary of how the driver stores a reference to an skb during\ntransmit:\n tx_buff[free_map[consumer_index]]->skb = new_skb;\n free_map[consumer_index] = IBMVNIC_INVALID_MAP;\n consumer_index ++;\nWhere variable data looks like this:\n free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]\n \tconsumer_index^\n tx_buff == [skb=null, skb=, skb=, skb=null, skb=null]\n\nThe driver has checks to ensure that free_map[consumer_index] pointed to\na valid index but there was no check to ensure that this index pointed\nto an unused/null skb address. So, if, by some chance, our free_map and\ntx_buff lists become out of sync then we were previously risking an\nskb memory leak. This could then cause tcp congestion control to stop\nsending packets, eventually leading to ETIMEDOUT.\n\nTherefore, add a conditional to ensure that the skb address is null. If\nnot then warn the user (because this is still a bug that should be\npatched) and free the old pointer to prevent memleak/tcp problems.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41066\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41066\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41066\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41066\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41066\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0983d288caf984de0202c66641577b739caad561\",\n \"https://git.kernel.org/stable/c/16ad1557cae582e79bb82dddd612d9bdfaa11d4c\",\n \"https://git.kernel.org/stable/c/267c61c4afed0ff9a2e83462abad3f41d8ca1f06\",\n \"https://git.kernel.org/stable/c/e7b75def33eae61ddaad6cb616c517dc3882eb2a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nibmvnic: Add tx check to prevent skb leak\\n\\nBelow is a summary of how the driver stores a reference to an skb during\\ntransmit:\\n tx_buff[free_map[consumer_index]]->skb = new_skb;\\n free_map[consumer_index] = IBMVNIC_INVALID_MAP;\\n consumer_index ++;\\nWhere variable data looks like this:\\n free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]\\n \\tconsumer_index^\\n tx_buff == [skb=null, skb=, skb=, skb=null, skb=null]\\n\\nThe driver has checks to ensure that free_map[consumer_index] pointed to\\na valid index but there was no check to ensure that this index pointed\\nto an unused/null skb address. So, if, by some chance, our free_map and\\ntx_buff lists become out of sync then we were previously risking an\\nskb memory leak. This could then cause tcp congestion control to stop\\nsending packets, eventually leading to ETIMEDOUT.\\n\\nTherefore, add a conditional to ensure that the skb address is null. If\\nnot then warn the user (because this is still a bug that should be\\npatched) and free the old pointer to prevent memleak/tcp problems.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41066\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41067", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41067" + }, + { + "url": "https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72" + }, + { + "url": "https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41067 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41067", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: scrub: handle RST lookup error correctly\n\n[BUG]\nWhen running btrfs/060 with forced RST feature, it would crash the\nfollowing ASSERT() inside scrub_read_endio():\n\n\tASSERT(sector_nr < stripe->nr_sectors);\n\nBefore that, we would have tree dump from\nbtrfs_get_raid_extent_offset(), as we failed to find the RST entry for\nthe range.\n\n[CAUSE]\nInside scrub_submit_extent_sector_read() every time we allocated a new\nbbio we immediately called btrfs_map_block() to make sure there was some\nRST range covering the scrub target.\n\nBut if btrfs_map_block() fails, we immediately call endio for the bbio,\nwhile the bbio is newly allocated, it's completely empty.\n\nThen inside scrub_read_endio(), we go through the bvecs to find\nthe sector number (as bi_sector is no longer reliable if the bio is\nsubmitted to lower layers).\n\nAnd since the bio is empty, such bvecs iteration would not find any\nsector matching the sector, and return sector_nr == stripe->nr_sectors,\ntriggering the ASSERT().\n\n[FIX]\nInstead of calling btrfs_map_block() after allocating a new bbio, call\nbtrfs_map_block() first.\n\nSince our only objective of calling btrfs_map_block() is only to update\nstripe_len, there is really no need to do that after btrfs_alloc_bio().\n\nThis new timing would avoid the problem of handling empty bbio\ncompletely, and in fact fixes a possible race window for the old code,\nwhere if the submission thread is the only owner of the pending_io, the\nscrub would never finish (since we didn't decrease the pending_io\ncounter).\n\nAlthough the root cause of RST lookup failure still needs to be\naddressed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41067\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41067\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41067\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41067\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41067\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72\",\n \"https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: scrub: handle RST lookup error correctly\\n\\n[BUG]\\nWhen running btrfs/060 with forced RST feature, it would crash the\\nfollowing ASSERT() inside scrub_read_endio():\\n\\n\\tASSERT(sector_nr < stripe->nr_sectors);\\n\\nBefore that, we would have tree dump from\\nbtrfs_get_raid_extent_offset(), as we failed to find the RST entry for\\nthe range.\\n\\n[CAUSE]\\nInside scrub_submit_extent_sector_read() every time we allocated a new\\nbbio we immediately called btrfs_map_block() to make sure there was some\\nRST range covering the scrub target.\\n\\nBut if btrfs_map_block() fails, we immediately call endio for the bbio,\\nwhile the bbio is newly allocated, it's completely empty.\\n\\nThen inside scrub_read_endio(), we go through the bvecs to find\\nthe sector number (as bi_sector is no longer reliable if the bio is\\nsubmitted to lower layers).\\n\\nAnd since the bio is empty, such bvecs iteration would not find any\\nsector matching the sector, and return sector_nr == stripe->nr_sectors,\\ntriggering the ASSERT().\\n\\n[FIX]\\nInstead of calling btrfs_map_block() after allocating a new bbio, call\\nbtrfs_map_block() first.\\n\\nSince our only objective of calling btrfs_map_block() is only to update\\nstripe_len, there is really no need to do that after btrfs_alloc_bio().\\n\\nThis new timing would avoid the problem of handling empty bbio\\ncompletely, and in fact fixes a possible race window for the old code,\\nwhere if the submission thread is the only owner of the pending_io, the\\nscrub would never finish (since we didn't decrease the pending_io\\ncounter).\\n\\nAlthough the root cause of RST lookup failure still needs to be\\naddressed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41067\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41068", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41068" + }, + { + "url": "https://git.kernel.org/stable/c/0a31b3fdc7e735c4f8c65fe4339945c717ed6808" + }, + { + "url": "https://git.kernel.org/stable/c/2e51db7ab71b89dc5a17068f5e201c69f13a4c9a" + }, + { + "url": "https://git.kernel.org/stable/c/455a6653d8700a81aa8ed2b6442a3be476007090" + }, + { + "url": "https://git.kernel.org/stable/c/6434b33faaa063df500af355ee6c3942e0f8d982" + }, + { + "url": "https://git.kernel.org/stable/c/79b4be70d5a160969b805f638ac5b4efd0aac7a3" + }, + { + "url": "https://git.kernel.org/stable/c/a778987afc36d5dc02a1f82d352a81edcaf7eb83" + }, + { + "url": "https://git.kernel.org/stable/c/be0259796d0b76bbc7461e12c186814a9e58244c" + }, + { + "url": "https://git.kernel.org/stable/c/cf521049fcd07071ed42dc9758fce7d5ee120ec6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41068 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41068", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Fix sclp_init() cleanup on failure\n\nIf sclp_init() fails it only partially cleans up: if there are multiple\nfailing calls to sclp_init() sclp_state_change_event will be added several\ntimes to sclp_reg_list, which results in the following warning:\n\n------------[ cut here ]------------\nlist_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10.\nWARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3\nKrnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8)\n R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3\n...\nCall Trace:\n [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8\n([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8)\n [<000003ffe0a8d37e>] sclp_init+0x40e/0x450\n [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0\n [<000003ffe15b77a6>] do_initcalls+0x126/0x150\n [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8\n [<000003ffe0d6650e>] kernel_init+0x2e/0x180\n [<000003ffe000301c>] __ret_from_fork+0x3c/0x60\n [<000003ffe0d759ca>] ret_from_fork+0xa/0x30\n\nFix this by removing sclp_state_change_event from sclp_reg_list when\nsclp_init() fails.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41068\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41068\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41068\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41068\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41068\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a31b3fdc7e735c4f8c65fe4339945c717ed6808\",\n \"https://git.kernel.org/stable/c/2e51db7ab71b89dc5a17068f5e201c69f13a4c9a\",\n \"https://git.kernel.org/stable/c/455a6653d8700a81aa8ed2b6442a3be476007090\",\n \"https://git.kernel.org/stable/c/6434b33faaa063df500af355ee6c3942e0f8d982\",\n \"https://git.kernel.org/stable/c/79b4be70d5a160969b805f638ac5b4efd0aac7a3\",\n \"https://git.kernel.org/stable/c/a778987afc36d5dc02a1f82d352a81edcaf7eb83\",\n \"https://git.kernel.org/stable/c/be0259796d0b76bbc7461e12c186814a9e58244c\",\n \"https://git.kernel.org/stable/c/cf521049fcd07071ed42dc9758fce7d5ee120ec6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/sclp: Fix sclp_init() cleanup on failure\\n\\nIf sclp_init() fails it only partially cleans up: if there are multiple\\nfailing calls to sclp_init() sclp_state_change_event will be added several\\ntimes to sclp_reg_list, which results in the following warning:\\n\\n------------[ cut here ]------------\\nlist_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10.\\nWARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8\\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3\\nKrnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8)\\n R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3\\n...\\nCall Trace:\\n [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8\\n([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8)\\n [<000003ffe0a8d37e>] sclp_init+0x40e/0x450\\n [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0\\n [<000003ffe15b77a6>] do_initcalls+0x126/0x150\\n [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8\\n [<000003ffe0d6650e>] kernel_init+0x2e/0x180\\n [<000003ffe000301c>] __ret_from_fork+0x3c/0x60\\n [<000003ffe0d759ca>] ret_from_fork+0xa/0x30\\n\\nFix this by removing sclp_state_change_event from sclp_reg_list when\\nsclp_init() fails.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41068\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41069", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41069" + }, + { + "url": "https://git.kernel.org/stable/c/97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1" + }, + { + "url": "https://git.kernel.org/stable/c/ab5a6208b4d6872b1c6ecea1867940fc668cc76d" + }, + { + "url": "https://git.kernel.org/stable/c/b188d7f3dfab10e332e3c1066e18857964a520d2" + }, + { + "url": "https://git.kernel.org/stable/c/ccae5c6a1fab9494c86b7856faf05e296c617702" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41069 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41069", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: topology: Fix references to freed memory\n\nMost users after parsing a topology file, release memory used by it, so\nhaving pointer references directly into topology file contents is wrong.\nUse devm_kmemdup(), to allocate memory as needed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41069\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41069\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41069\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41069\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41069\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1\",\n \"https://git.kernel.org/stable/c/ab5a6208b4d6872b1c6ecea1867940fc668cc76d\",\n \"https://git.kernel.org/stable/c/b188d7f3dfab10e332e3c1066e18857964a520d2\",\n \"https://git.kernel.org/stable/c/ccae5c6a1fab9494c86b7856faf05e296c617702\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nASoC: topology: Fix references to freed memory\\n\\nMost users after parsing a topology file, release memory used by it, so\\nhaving pointer references directly into topology file contents is wrong.\\nUse devm_kmemdup(), to allocate memory as needed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41069\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41070", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41070" + }, + { + "url": "https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0" + }, + { + "url": "https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a" + }, + { + "url": "https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf" + }, + { + "url": "https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe" + }, + { + "url": "https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63" + }, + { + "url": "https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47" + }, + { + "url": "https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41070 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41070", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()\n\nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().\n\nIt looks up `stt` from tablefd, but then continues to use it after doing\nfdput() on the returned fd. After the fdput() the tablefd is free to be\nclosed by another thread. The close calls kvm_spapr_tce_release() and\nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.\n\nAlthough there are calls to rcu_read_lock() in\nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent\nthe UAF, because `stt` is used outside the locked regions.\n\nWith an artifcial delay after the fdput() and a userspace program which\ntriggers the race, KASAN detects the UAF:\n\n BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505\n CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1\n Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV\n Call Trace:\n dump_stack_lvl+0xb4/0x108 (unreliable)\n print_report+0x2b4/0x6ec\n kasan_report+0x118/0x2b0\n __asan_load4+0xb8/0xd0\n kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n kvm_vfio_set_attr+0x524/0xac0 [kvm]\n kvm_device_ioctl+0x144/0x240 [kvm]\n sys_ioctl+0x62c/0x1810\n system_call_exception+0x190/0x440\n system_call_vectored_common+0x15c/0x2ec\n ...\n Freed by task 0:\n ...\n kfree+0xec/0x3e0\n release_spapr_tce_table+0xd4/0x11c [kvm]\n rcu_core+0x568/0x16a0\n handle_softirqs+0x23c/0x920\n do_softirq_own_stack+0x6c/0x90\n do_softirq_own_stack+0x58/0x90\n __irq_exit_rcu+0x218/0x2d0\n irq_exit+0x30/0x80\n arch_local_irq_restore+0x128/0x230\n arch_local_irq_enable+0x1c/0x30\n cpuidle_enter_state+0x134/0x5cc\n cpuidle_enter+0x6c/0xb0\n call_cpuidle+0x7c/0x100\n do_idle+0x394/0x410\n cpu_startup_entry+0x60/0x70\n start_secondary+0x3fc/0x410\n start_secondary_prolog+0x10/0x14\n\nFix it by delaying the fdput() until `stt` is no longer in use, which\nis effectively the entire function. To keep the patch minimal add a call\nto fdput() at each of the existing return paths. Future work can convert\nthe function to goto or __cleanup style cleanup.\n\nWith the fix in place the test case no longer triggers the UAF.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41070\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41070\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41070\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41070\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41070\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0\",\n \"https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a\",\n \"https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf\",\n \"https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe\",\n \"https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63\",\n \"https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47\",\n \"https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()\\n\\nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().\\n\\nIt looks up `stt` from tablefd, but then continues to use it after doing\\nfdput() on the returned fd. After the fdput() the tablefd is free to be\\nclosed by another thread. The close calls kvm_spapr_tce_release() and\\nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.\\n\\nAlthough there are calls to rcu_read_lock() in\\nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent\\nthe UAF, because `stt` is used outside the locked regions.\\n\\nWith an artifcial delay after the fdput() and a userspace program which\\ntriggers the race, KASAN detects the UAF:\\n\\n BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\\n Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505\\n CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1\\n Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV\\n Call Trace:\\n dump_stack_lvl+0xb4/0x108 (unreliable)\\n print_report+0x2b4/0x6ec\\n kasan_report+0x118/0x2b0\\n __asan_load4+0xb8/0xd0\\n kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\\n kvm_vfio_set_attr+0x524/0xac0 [kvm]\\n kvm_device_ioctl+0x144/0x240 [kvm]\\n sys_ioctl+0x62c/0x1810\\n system_call_exception+0x190/0x440\\n system_call_vectored_common+0x15c/0x2ec\\n ...\\n Freed by task 0:\\n ...\\n kfree+0xec/0x3e0\\n release_spapr_tce_table+0xd4/0x11c [kvm]\\n rcu_core+0x568/0x16a0\\n handle_softirqs+0x23c/0x920\\n do_softirq_own_stack+0x6c/0x90\\n do_softirq_own_stack+0x58/0x90\\n __irq_exit_rcu+0x218/0x2d0\\n irq_exit+0x30/0x80\\n arch_local_irq_restore+0x128/0x230\\n arch_local_irq_enable+0x1c/0x30\\n cpuidle_enter_state+0x134/0x5cc\\n cpuidle_enter+0x6c/0xb0\\n call_cpuidle+0x7c/0x100\\n do_idle+0x394/0x410\\n cpu_startup_entry+0x60/0x70\\n start_secondary+0x3fc/0x410\\n start_secondary_prolog+0x10/0x14\\n\\nFix it by delaying the fdput() until `stt` is no longer in use, which\\nis effectively the entire function. To keep the patch minimal add a call\\nto fdput() at each of the existing return paths. Future work can convert\\nthe function to goto or __cleanup style cleanup.\\n\\nWith the fix in place the test case no longer triggers the UAF.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41070\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41071", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41071" + }, + { + "url": "https://git.kernel.org/stable/c/2663d0462eb32ae7c9b035300ab6b1523886c718" + }, + { + "url": "https://git.kernel.org/stable/c/4f43a614b1b84f0d1e3c48cc541c3bfdf414a6d0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41071 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41071", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Avoid address calculations via out of bounds array indexing\n\nreq->n_channels must be set before req->channels[] can be used.\n\nThis patch fixes one of the issues encountered in [1].\n\n[ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4\n[ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'\n[...]\n[ 83.964264] Call Trace:\n[ 83.964267] \n[ 83.964269] dump_stack_lvl+0x3f/0xc0\n[ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110\n[ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0\n[ 83.964281] __ieee80211_start_scan+0x601/0x990\n[ 83.964291] nl80211_trigger_scan+0x874/0x980\n[ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160\n[ 83.964298] genl_rcv_msg+0x240/0x270\n[...]\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41071\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41071\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41071\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41071\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41071\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2663d0462eb32ae7c9b035300ab6b1523886c718\",\n \"https://git.kernel.org/stable/c/4f43a614b1b84f0d1e3c48cc541c3bfdf414a6d0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: Avoid address calculations via out of bounds array indexing\\n\\nreq->n_channels must be set before req->channels[] can be used.\\n\\nThis patch fixes one of the issues encountered in [1].\\n\\n[ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4\\n[ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'\\n[...]\\n[ 83.964264] Call Trace:\\n[ 83.964267] \\n[ 83.964269] dump_stack_lvl+0x3f/0xc0\\n[ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110\\n[ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0\\n[ 83.964281] __ieee80211_start_scan+0x601/0x990\\n[ 83.964291] nl80211_trigger_scan+0x874/0x980\\n[ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160\\n[ 83.964298] genl_rcv_msg+0x240/0x270\\n[...]\\n\\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41071\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41072", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41072" + }, + { + "url": "https://git.kernel.org/stable/c/001120ff0c9e3557dee9b5ee0d358e0fc189996f" + }, + { + "url": "https://git.kernel.org/stable/c/35cee10ccaee5bd451a480521bbc25dc9f07fa5b" + }, + { + "url": "https://git.kernel.org/stable/c/6295bad58f988eaafcf0e6f8b198a580398acb3b" + }, + { + "url": "https://git.kernel.org/stable/c/6ef09cdc5ba0f93826c09d810c141a8d103a80fc" + }, + { + "url": "https://git.kernel.org/stable/c/a43cc0558530b6c065976b6b9246f512f8d3593b" + }, + { + "url": "https://git.kernel.org/stable/c/b02ba9a0b55b762bd04743a22f3d9f9645005e79" + }, + { + "url": "https://git.kernel.org/stable/c/de5fcf757e33596eed32de170ce5a93fa44dd2ac" + }, + { + "url": "https://git.kernel.org/stable/c/fe9644efd86704afe50e56b64b609de340ab7c95" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41072 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41072", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: wext: add extra SIOCSIWSCAN data check\n\nIn 'cfg80211_wext_siwscan()', add extra check whether number of\nchannels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed\nIW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41072\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41072\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41072\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41072\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41072\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/001120ff0c9e3557dee9b5ee0d358e0fc189996f\",\n \"https://git.kernel.org/stable/c/35cee10ccaee5bd451a480521bbc25dc9f07fa5b\",\n \"https://git.kernel.org/stable/c/6295bad58f988eaafcf0e6f8b198a580398acb3b\",\n \"https://git.kernel.org/stable/c/6ef09cdc5ba0f93826c09d810c141a8d103a80fc\",\n \"https://git.kernel.org/stable/c/a43cc0558530b6c065976b6b9246f512f8d3593b\",\n \"https://git.kernel.org/stable/c/b02ba9a0b55b762bd04743a22f3d9f9645005e79\",\n \"https://git.kernel.org/stable/c/de5fcf757e33596eed32de170ce5a93fa44dd2ac\",\n \"https://git.kernel.org/stable/c/fe9644efd86704afe50e56b64b609de340ab7c95\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: cfg80211: wext: add extra SIOCSIWSCAN data check\\n\\nIn 'cfg80211_wext_siwscan()', add extra check whether number of\\nchannels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed\\nIW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41072\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41073", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41073" + }, + { + "url": "https://git.kernel.org/stable/c/1b9fd1265fac85916f90b4648de02adccdb7220b" + }, + { + "url": "https://git.kernel.org/stable/c/ae84383c96d6662c24697ab6b44aae855ab670aa" + }, + { + "url": "https://git.kernel.org/stable/c/c5942a14f795de957ae9d66027aac8ff4fe70057" + }, + { + "url": "https://git.kernel.org/stable/c/e5d574ab37f5f2e7937405613d9b1a724811e5ad" + }, + { + "url": "https://git.kernel.org/stable/c/f3ab45aacd25d957547fb6d115c1574c20964b3b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41073 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41073", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: avoid double free special payload\n\nIf a discard request needs to be retried, and that retry may fail before\na new special payload is added, a double free will result. Clear the\nRQF_SPECIAL_LOAD when the request is cleaned.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41073\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41073\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41073\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41073\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41073\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b9fd1265fac85916f90b4648de02adccdb7220b\",\n \"https://git.kernel.org/stable/c/ae84383c96d6662c24697ab6b44aae855ab670aa\",\n \"https://git.kernel.org/stable/c/c5942a14f795de957ae9d66027aac8ff4fe70057\",\n \"https://git.kernel.org/stable/c/e5d574ab37f5f2e7937405613d9b1a724811e5ad\",\n \"https://git.kernel.org/stable/c/f3ab45aacd25d957547fb6d115c1574c20964b3b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme: avoid double free special payload\\n\\nIf a discard request needs to be retried, and that retry may fail before\\na new special payload is added, a double free will result. Clear the\\nRQF_SPECIAL_LOAD when the request is cleaned.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41073\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41074", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41074" + }, + { + "url": "https://git.kernel.org/stable/c/0845c553db11c84ff53fccd59da11b6d6ece4a60" + }, + { + "url": "https://git.kernel.org/stable/c/4f8703fb3482f92edcfd31661857b16fec89c2c0" + }, + { + "url": "https://git.kernel.org/stable/c/703bea37d13e4ccdafd17ae7c4cb583752ba7663" + }, + { + "url": "https://git.kernel.org/stable/c/c32ee78fbc670e6f90989a45d340748e34cad333" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41074 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41074", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: Set object to close if ondemand_id < 0 in copen\n\nIf copen is maliciously called in the user mode, it may delete the request\ncorresponding to the random id. And the request may have not been read yet.\n\nNote that when the object is set to reopen, the open request will be done\nwith the still reopen state in above case. As a result, the request\ncorresponding to this object is always skipped in select_req function, so\nthe read request is never completed and blocks other process.\n\nFix this issue by simply set object to close if its id < 0 in copen.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41074\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41074\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41074\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41074\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41074\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0845c553db11c84ff53fccd59da11b6d6ece4a60\",\n \"https://git.kernel.org/stable/c/4f8703fb3482f92edcfd31661857b16fec89c2c0\",\n \"https://git.kernel.org/stable/c/703bea37d13e4ccdafd17ae7c4cb583752ba7663\",\n \"https://git.kernel.org/stable/c/c32ee78fbc670e6f90989a45d340748e34cad333\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: Set object to close if ondemand_id < 0 in copen\\n\\nIf copen is maliciously called in the user mode, it may delete the request\\ncorresponding to the random id. And the request may have not been read yet.\\n\\nNote that when the object is set to reopen, the open request will be done\\nwith the still reopen state in above case. As a result, the request\\ncorresponding to this object is always skipped in select_req function, so\\nthe read request is never completed and blocks other process.\\n\\nFix this issue by simply set object to close if its id < 0 in copen.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41074\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41075", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41075" + }, + { + "url": "https://git.kernel.org/stable/c/36d845ccd7bf527110a65fe953886a176c209539" + }, + { + "url": "https://git.kernel.org/stable/c/3b744884c0431b5a62c92900e64bfd0ed61e8e2a" + }, + { + "url": "https://git.kernel.org/stable/c/8aaa6c5dd2940ab934d6cd296175f43dbb32b34a" + }, + { + "url": "https://git.kernel.org/stable/c/a26dc49df37e996876f50a0210039b2d211fdd6f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41075 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41075", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: add consistency check for copen/cread\n\nThis prevents malicious processes from completing random copen/cread\nrequests and crashing the system. Added checks are listed below:\n\n * Generic, copen can only complete open requests, and cread can only\n complete read requests.\n * For copen, ondemand_id must not be 0, because this indicates that the\n request has not been read by the daemon.\n * For cread, the object corresponding to fd and req should be the same.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41075\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41075\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41075\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41075\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41075\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36d845ccd7bf527110a65fe953886a176c209539\",\n \"https://git.kernel.org/stable/c/3b744884c0431b5a62c92900e64bfd0ed61e8e2a\",\n \"https://git.kernel.org/stable/c/8aaa6c5dd2940ab934d6cd296175f43dbb32b34a\",\n \"https://git.kernel.org/stable/c/a26dc49df37e996876f50a0210039b2d211fdd6f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncachefiles: add consistency check for copen/cread\\n\\nThis prevents malicious processes from completing random copen/cread\\nrequests and crashing the system. Added checks are listed below:\\n\\n * Generic, copen can only complete open requests, and cread can only\\n complete read requests.\\n * For copen, ondemand_id must not be 0, because this indicates that the\\n request has not been read by the daemon.\\n * For cread, the object corresponding to fd and req should be the same.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41075\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41076", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41076" + }, + { + "url": "https://git.kernel.org/stable/c/899604a7c958771840941caff9ee3dd8193d984c" + }, + { + "url": "https://git.kernel.org/stable/c/aad11473f8f4be3df86461081ce35ec5b145ba68" + }, + { + "url": "https://git.kernel.org/stable/c/b98090699319e64f5de1e8db5bb75870f1eb1c6e" + }, + { + "url": "https://git.kernel.org/stable/c/d130220ccc94d74d70da984a199477937e7bf03c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41076 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41076", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix memory leak in nfs4_set_security_label\n\nWe leak nfs_fattr and nfs4_label every time we set a security xattr.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41076\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41076\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41076\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41076\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41076\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/899604a7c958771840941caff9ee3dd8193d984c\",\n \"https://git.kernel.org/stable/c/aad11473f8f4be3df86461081ce35ec5b145ba68\",\n \"https://git.kernel.org/stable/c/b98090699319e64f5de1e8db5bb75870f1eb1c6e\",\n \"https://git.kernel.org/stable/c/d130220ccc94d74d70da984a199477937e7bf03c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nNFSv4: Fix memory leak in nfs4_set_security_label\\n\\nWe leak nfs_fattr and nfs4_label every time we set a security xattr.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41076\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41077", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41077" + }, + { + "url": "https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7" + }, + { + "url": "https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e" + }, + { + "url": "https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1" + }, + { + "url": "https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0" + }, + { + "url": "https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053" + }, + { + "url": "https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41077 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41077", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix validation of block size\n\nBlock size should be between 512 and PAGE_SIZE and be a power of 2. The current\ncheck does not validate this, so update the check.\n\nWithout this patch, null_blk would Oops due to a null pointer deref when\nloaded with bs=1536 [1].\n\n\n[axboe: remove unnecessary braces and != 0 check]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41077\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41077\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41077\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41077\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41077\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7\",\n \"https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e\",\n \"https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1\",\n \"https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0\",\n \"https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053\",\n \"https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnull_blk: fix validation of block size\\n\\nBlock size should be between 512 and PAGE_SIZE and be a power of 2. The current\\ncheck does not validate this, so update the check.\\n\\nWithout this patch, null_blk would Oops due to a null pointer deref when\\nloaded with bs=1536 [1].\\n\\n\\n[axboe: remove unnecessary braces and != 0 check]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41077\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41078", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41078" + }, + { + "url": "https://git.kernel.org/stable/c/5ef3961682e5310f2221bae99bcf9f5d0f4b0d51" + }, + { + "url": "https://git.kernel.org/stable/c/7dd6a5b96157a21245566b21fd58276a214357ff" + }, + { + "url": "https://git.kernel.org/stable/c/8a69529f22590b67bb018de9acbcf94abc8603cf" + }, + { + "url": "https://git.kernel.org/stable/c/94818bdb00ef34a996a06aa63d11f591074cb757" + }, + { + "url": "https://git.kernel.org/stable/c/a7e4c6a3031c74078dba7fa36239d0f4fe476c53" + }, + { + "url": "https://git.kernel.org/stable/c/f88aeff5a173e8ba3133314eb4b964236ef3589d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41078 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41078", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix quota root leak after quota disable failure\n\nIf during the quota disable we fail when cleaning the quota tree or when\ndeleting the root from the root tree, we jump to the 'out' label without\never dropping the reference on the quota root, resulting in a leak of the\nroot since fs_info->quota_root is no longer pointing to the root (we have\nset it to NULL just before those steps).\n\nFix this by always doing a btrfs_put_root() call under the 'out' label.\nThis is a problem that exists since qgroups were first added in 2012 by\ncommit bed92eae26cc (\"Btrfs: qgroup implementation and prototypes\"), but\nback then we missed a kfree on the quota root and free_extent_buffer()\ncalls on its root and commit root nodes, since back then roots were not\nyet reference counted.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41078\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41078\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41078\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41078\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41078\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5ef3961682e5310f2221bae99bcf9f5d0f4b0d51\",\n \"https://git.kernel.org/stable/c/7dd6a5b96157a21245566b21fd58276a214357ff\",\n \"https://git.kernel.org/stable/c/8a69529f22590b67bb018de9acbcf94abc8603cf\",\n \"https://git.kernel.org/stable/c/94818bdb00ef34a996a06aa63d11f591074cb757\",\n \"https://git.kernel.org/stable/c/a7e4c6a3031c74078dba7fa36239d0f4fe476c53\",\n \"https://git.kernel.org/stable/c/f88aeff5a173e8ba3133314eb4b964236ef3589d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: qgroup: fix quota root leak after quota disable failure\\n\\nIf during the quota disable we fail when cleaning the quota tree or when\\ndeleting the root from the root tree, we jump to the 'out' label without\\never dropping the reference on the quota root, resulting in a leak of the\\nroot since fs_info->quota_root is no longer pointing to the root (we have\\nset it to NULL just before those steps).\\n\\nFix this by always doing a btrfs_put_root() call under the 'out' label.\\nThis is a problem that exists since qgroups were first added in 2012 by\\ncommit bed92eae26cc (\\\"Btrfs: qgroup implementation and prototypes\\\"), but\\nback then we missed a kfree on the quota root and free_extent_buffer()\\ncalls on its root and commit root nodes, since back then roots were not\\nyet reference counted.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41078\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41079", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41079" + }, + { + "url": "https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319" + }, + { + "url": "https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d" + }, + { + "url": "https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2" + }, + { + "url": "https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41079 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41079", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: always initialize cqe.result\n\nThe spec doesn't mandate that the first two double words (aka results)\nfor the command queue entry need to be set to 0 when they are not\nused (not specified). Though, the target implemention returns 0 for TCP\nand FC but not for RDMA.\n\nLet's make RDMA behave the same and thus explicitly initializing the\nresult field. This prevents leaking any data from the stack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41079\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41079\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41079\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41079\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41079\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319\",\n \"https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d\",\n \"https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2\",\n \"https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvmet: always initialize cqe.result\\n\\nThe spec doesn't mandate that the first two double words (aka results)\\nfor the command queue entry need to be set to 0 when they are not\\nused (not specified). Though, the target implemention returns 0 for TCP\\nand FC but not for RDMA.\\n\\nLet's make RDMA behave the same and thus explicitly initializing the\\nresult field. This prevents leaking any data from the stack.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41079\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41080", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41080" + }, + { + "url": "https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf" + }, + { + "url": "https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41080 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41080", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix possible deadlock in io_register_iowq_max_workers()\n\nThe io_register_iowq_max_workers() function calls io_put_sq_data(),\nwhich acquires the sqd->lock without releasing the uring_lock.\nSimilar to the commit 009ad9f0c6ee (\"io_uring: drop ctx->uring_lock\nbefore acquiring sqd->lock\"), this can lead to a potential deadlock\nsituation.\n\nTo resolve this issue, the uring_lock is released before calling\nio_put_sq_data(), and then it is re-acquired after the function call.\n\nThis change ensures that the locks are acquired in the correct\norder, preventing the possibility of a deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41080\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41080\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41080\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41080\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41080\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf\",\n \"https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring: fix possible deadlock in io_register_iowq_max_workers()\\n\\nThe io_register_iowq_max_workers() function calls io_put_sq_data(),\\nwhich acquires the sqd->lock without releasing the uring_lock.\\nSimilar to the commit 009ad9f0c6ee (\\\"io_uring: drop ctx->uring_lock\\nbefore acquiring sqd->lock\\\"), this can lead to a potential deadlock\\nsituation.\\n\\nTo resolve this issue, the uring_lock is released before calling\\nio_put_sq_data(), and then it is re-acquired after the function call.\\n\\nThis change ensures that the locks are acquired in the correct\\norder, preventing the possibility of a deadlock.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41080\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41081", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41081" + }, + { + "url": "https://git.kernel.org/stable/c/522c3336c2025818fa05e9daf0ac35711e55e316" + }, + { + "url": "https://git.kernel.org/stable/c/7435bd2f84a25aba607030237261b3795ba782da" + }, + { + "url": "https://git.kernel.org/stable/c/96103371091c6476eb07f4c66624bdd1b42f758a" + }, + { + "url": "https://git.kernel.org/stable/c/9f9c79d8e527d867e0875868b14fb76e6011e70c" + }, + { + "url": "https://git.kernel.org/stable/c/a0cafb7b0b94d18e4813ee4b712a056f280e7b5a" + }, + { + "url": "https://git.kernel.org/stable/c/b4eb25a3d70df925a9fa4e82d17a958a0a228f5f" + }, + { + "url": "https://git.kernel.org/stable/c/cf28ff8e4c02e1ffa850755288ac954b6ff0db8c" + }, + { + "url": "https://git.kernel.org/stable/c/feac2391e26b086f73be30e9b1ab215eada8d830" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41081 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41081", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: block BH in ila_output()\n\nAs explained in commit 1378817486d6 (\"tipc: block BH\nbefore using dst_cache\"), net/core/dst_cache.c\nhelpers need to be called with BH disabled.\n\nila_output() is called from lwtunnel_output()\npossibly from process context, and under rcu_read_lock().\n\nWe might be interrupted by a softirq, re-enter ila_output()\nand corrupt dst_cache data structures.\n\nFix the race by using local_bh_disable().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41081\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41081\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41081\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41081\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41081\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/522c3336c2025818fa05e9daf0ac35711e55e316\",\n \"https://git.kernel.org/stable/c/7435bd2f84a25aba607030237261b3795ba782da\",\n \"https://git.kernel.org/stable/c/96103371091c6476eb07f4c66624bdd1b42f758a\",\n \"https://git.kernel.org/stable/c/9f9c79d8e527d867e0875868b14fb76e6011e70c\",\n \"https://git.kernel.org/stable/c/a0cafb7b0b94d18e4813ee4b712a056f280e7b5a\",\n \"https://git.kernel.org/stable/c/b4eb25a3d70df925a9fa4e82d17a958a0a228f5f\",\n \"https://git.kernel.org/stable/c/cf28ff8e4c02e1ffa850755288ac954b6ff0db8c\",\n \"https://git.kernel.org/stable/c/feac2391e26b086f73be30e9b1ab215eada8d830\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nila: block BH in ila_output()\\n\\nAs explained in commit 1378817486d6 (\\\"tipc: block BH\\nbefore using dst_cache\\\"), net/core/dst_cache.c\\nhelpers need to be called with BH disabled.\\n\\nila_output() is called from lwtunnel_output()\\npossibly from process context, and under rcu_read_lock().\\n\\nWe might be interrupted by a softirq, re-enter ila_output()\\nand corrupt dst_cache data structures.\\n\\nFix the race by using local_bh_disable().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41081\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41082", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41082" + }, + { + "url": "https://git.kernel.org/stable/c/165da9c67a26f08c9b956c15d701da7690f45bcb" + }, + { + "url": "https://git.kernel.org/stable/c/7dc3bfcb4c9cc58970fff6aaa48172cb224d85aa" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41082 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41082", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fabrics: use reserved tag for reg read/write command\n\nIn some scenarios, if too many commands are issued by nvme command in\nthe same time by user tasks, this may exhaust all tags of admin_q. If\na reset (nvme reset or IO timeout) occurs before these commands finish,\nreconnect routine may fail to update nvme regs due to insufficient tags,\nwhich will cause kernel hang forever. In order to workaround this issue,\nmaybe we can let reg_read32()/reg_read64()/reg_write32() use reserved\ntags. This maybe safe for nvmf:\n\n1. For the disable ctrl path, we will not issue connect command\n2. For the enable ctrl / fw activate path, since connect and reg_xx()\n are called serially.\n\nSo the reserved tags may still be enough while reg_xx() use reserved tags.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41082\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41082\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41082\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41082\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41082\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/165da9c67a26f08c9b956c15d701da7690f45bcb\",\n \"https://git.kernel.org/stable/c/7dc3bfcb4c9cc58970fff6aaa48172cb224d85aa\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme-fabrics: use reserved tag for reg read/write command\\n\\nIn some scenarios, if too many commands are issued by nvme command in\\nthe same time by user tasks, this may exhaust all tags of admin_q. If\\na reset (nvme reset or IO timeout) occurs before these commands finish,\\nreconnect routine may fail to update nvme regs due to insufficient tags,\\nwhich will cause kernel hang forever. In order to workaround this issue,\\nmaybe we can let reg_read32()/reg_read64()/reg_write32() use reserved\\ntags. This maybe safe for nvmf:\\n\\n1. For the disable ctrl path, we will not issue connect command\\n2. For the enable ctrl / fw activate path, since connect and reg_xx()\\n are called serially.\\n\\nSo the reserved tags may still be enough while reg_xx() use reserved tags.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41082\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41087", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41087" + }, + { + "url": "https://git.kernel.org/stable/c/010de9acbea58fbcbda08e3793d6262086a493fe" + }, + { + "url": "https://git.kernel.org/stable/c/062e256516d7db5e7dcdef117f52025cd5c456e3" + }, + { + "url": "https://git.kernel.org/stable/c/290073b2b557e4dc21ee74a1e403d9ae79e393a2" + }, + { + "url": "https://git.kernel.org/stable/c/56f1c7e290cd6c69c948fcd2e2a49e6a637ec38f" + }, + { + "url": "https://git.kernel.org/stable/c/5dde5f8b790274723640d29a07c5a97d57d62047" + }, + { + "url": "https://git.kernel.org/stable/c/702c1edbafb2e6f9d20f6d391273b5be09d366a5" + }, + { + "url": "https://git.kernel.org/stable/c/8106da4d88bbaed809e023cc8014b766223d6e76" + }, + { + "url": "https://git.kernel.org/stable/c/ab9e0c529eb7cafebdd31fe1644524e80a48b05d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41087 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41087", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Fix double free on error\n\nIf e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump\nto the err_out label, which will call devres_release_group().\ndevres_release_group() will trigger a call to ata_host_release().\nata_host_release() calls kfree(host), so executing the kfree(host) in\nata_host_alloc() will lead to a double free:\n\nkernel BUG at mm/slub.c:553!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:kfree+0x2cf/0x2f0\nCode: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da\nRSP: 0018:ffffc90000f377f0 EFLAGS: 00010246\nRAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320\nRDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0\nRBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780\nR13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006\nFS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? __die_body.cold+0x19/0x27\n ? die+0x2e/0x50\n ? do_trap+0xca/0x110\n ? do_error_trap+0x6a/0x90\n ? kfree+0x2cf/0x2f0\n ? exc_invalid_op+0x50/0x70\n ? kfree+0x2cf/0x2f0\n ? asm_exc_invalid_op+0x1a/0x20\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? kfree+0x2cf/0x2f0\n ata_host_alloc+0xf5/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\n\nEnsure that we will not call kfree(host) twice, by performing the kfree()\nonly if the devres_open_group() call failed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41087\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41087\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41087\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41087\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41087\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/010de9acbea58fbcbda08e3793d6262086a493fe\",\n \"https://git.kernel.org/stable/c/062e256516d7db5e7dcdef117f52025cd5c456e3\",\n \"https://git.kernel.org/stable/c/290073b2b557e4dc21ee74a1e403d9ae79e393a2\",\n \"https://git.kernel.org/stable/c/56f1c7e290cd6c69c948fcd2e2a49e6a637ec38f\",\n \"https://git.kernel.org/stable/c/5dde5f8b790274723640d29a07c5a97d57d62047\",\n \"https://git.kernel.org/stable/c/702c1edbafb2e6f9d20f6d391273b5be09d366a5\",\n \"https://git.kernel.org/stable/c/8106da4d88bbaed809e023cc8014b766223d6e76\",\n \"https://git.kernel.org/stable/c/ab9e0c529eb7cafebdd31fe1644524e80a48b05d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nata: libata-core: Fix double free on error\\n\\nIf e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump\\nto the err_out label, which will call devres_release_group().\\ndevres_release_group() will trigger a call to ata_host_release().\\nata_host_release() calls kfree(host), so executing the kfree(host) in\\nata_host_alloc() will lead to a double free:\\n\\nkernel BUG at mm/slub.c:553!\\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\\nRIP: 0010:kfree+0x2cf/0x2f0\\nCode: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da\\nRSP: 0018:ffffc90000f377f0 EFLAGS: 00010246\\nRAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320\\nRDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0\\nRBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000\\nR10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780\\nR13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006\\nFS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? __die_body.cold+0x19/0x27\\n ? die+0x2e/0x50\\n ? do_trap+0xca/0x110\\n ? do_error_trap+0x6a/0x90\\n ? kfree+0x2cf/0x2f0\\n ? exc_invalid_op+0x50/0x70\\n ? kfree+0x2cf/0x2f0\\n ? asm_exc_invalid_op+0x1a/0x20\\n ? ata_host_alloc+0xf5/0x120 [libata]\\n ? ata_host_alloc+0xf5/0x120 [libata]\\n ? kfree+0x2cf/0x2f0\\n ata_host_alloc+0xf5/0x120 [libata]\\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\\n ahci_init_one+0x6c9/0xd20 [ahci]\\n\\nEnsure that we will not call kfree(host) twice, by performing the kfree()\\nonly if the devres_open_group() call failed.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41087\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41088", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41088" + }, + { + "url": "https://git.kernel.org/stable/c/3e72558c1711d524e3150103739ddd06650e291b" + }, + { + "url": "https://git.kernel.org/stable/c/6c6b4afa59c2fb4d1759235f866d8caed2aa4729" + }, + { + "url": "https://git.kernel.org/stable/c/d8fb63e46c884c898a38f061c2330f7729e75510" + }, + { + "url": "https://git.kernel.org/stable/c/f926c022ebaabf7963bebf89a97201d66978a025" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41088 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41088", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251xfd: fix infinite loop when xmit fails\n\nWhen the mcp251xfd_start_xmit() function fails, the driver stops\nprocessing messages, and the interrupt routine does not return,\nrunning indefinitely even after killing the running application.\n\nError messages:\n[ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16\n[ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3).\n... and repeat forever.\n\nThe issue can be triggered when multiple devices share the same SPI\ninterface. And there is concurrent access to the bus.\n\nThe problem occurs because tx_ring->head increments even if\nmcp251xfd_start_xmit() fails. Consequently, the driver skips one TX\npackage while still expecting a response in\nmcp251xfd_handle_tefif_one().\n\nResolve the issue by starting a workqueue to write the tx obj\nsynchronously if err = -EBUSY. In case of another error, decrement\ntx_ring->head, remove skb from the echo stack, and drop the message.\n\n[mkl: use more imperative wording in patch description]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41088\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41088\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41088\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41088\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41088\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3e72558c1711d524e3150103739ddd06650e291b\",\n \"https://git.kernel.org/stable/c/6c6b4afa59c2fb4d1759235f866d8caed2aa4729\",\n \"https://git.kernel.org/stable/c/d8fb63e46c884c898a38f061c2330f7729e75510\",\n \"https://git.kernel.org/stable/c/f926c022ebaabf7963bebf89a97201d66978a025\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncan: mcp251xfd: fix infinite loop when xmit fails\\n\\nWhen the mcp251xfd_start_xmit() function fails, the driver stops\\nprocessing messages, and the interrupt routine does not return,\\nrunning indefinitely even after killing the running application.\\n\\nError messages:\\n[ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16\\n[ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3).\\n... and repeat forever.\\n\\nThe issue can be triggered when multiple devices share the same SPI\\ninterface. And there is concurrent access to the bus.\\n\\nThe problem occurs because tx_ring->head increments even if\\nmcp251xfd_start_xmit() fails. Consequently, the driver skips one TX\\npackage while still expecting a response in\\nmcp251xfd_handle_tefif_one().\\n\\nResolve the issue by starting a workqueue to write the tx obj\\nsynchronously if err = -EBUSY. In case of another error, decrement\\ntx_ring->head, remove skb from the echo stack, and drop the message.\\n\\n[mkl: use more imperative wording in patch description]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41088\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41089", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41089" + }, + { + "url": "https://git.kernel.org/stable/c/1c9f2e60150b4f13789064370e37f39e6e060f50" + }, + { + "url": "https://git.kernel.org/stable/c/30cbf6ffafbbdd8a6e4e5f0a2e9a9827ee83f3ad" + }, + { + "url": "https://git.kernel.org/stable/c/56fc4d3b0bdef691831cd95715a7ca3ebea98b2d" + }, + { + "url": "https://git.kernel.org/stable/c/5eecb49a6c268dc229005bf6e8167d4001dc09a0" + }, + { + "url": "https://git.kernel.org/stable/c/6d411c8ccc0137a612e0044489030a194ff5c843" + }, + { + "url": "https://git.kernel.org/stable/c/6e49a157d541e7e97b815a56f4bdfcbc89844a59" + }, + { + "url": "https://git.kernel.org/stable/c/7ece609b0ce7a7ea8acdf512a77d1fee26621637" + }, + { + "url": "https://git.kernel.org/stable/c/ffabad4aa91e33ced3c6ae793fb37771b3e9cb51" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41089 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41089", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes\n\nIn nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().\nAdd a check to avoid null pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41089\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41089\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41089\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41089\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41089\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c9f2e60150b4f13789064370e37f39e6e060f50\",\n \"https://git.kernel.org/stable/c/30cbf6ffafbbdd8a6e4e5f0a2e9a9827ee83f3ad\",\n \"https://git.kernel.org/stable/c/56fc4d3b0bdef691831cd95715a7ca3ebea98b2d\",\n \"https://git.kernel.org/stable/c/5eecb49a6c268dc229005bf6e8167d4001dc09a0\",\n \"https://git.kernel.org/stable/c/6d411c8ccc0137a612e0044489030a194ff5c843\",\n \"https://git.kernel.org/stable/c/6e49a157d541e7e97b815a56f4bdfcbc89844a59\",\n \"https://git.kernel.org/stable/c/7ece609b0ce7a7ea8acdf512a77d1fee26621637\",\n \"https://git.kernel.org/stable/c/ffabad4aa91e33ced3c6ae793fb37771b3e9cb51\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes\\n\\nIn nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is\\nassigned to mode, which will lead to a possible NULL pointer dereference\\non failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().\\nAdd a check to avoid null pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41089\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41090", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41090" + }, + { + "url": "https://git.kernel.org/stable/c/73d462a38d5f782b7c872fe9ae8393d9ef5483da" + }, + { + "url": "https://git.kernel.org/stable/c/7431144b406ae82807eb87d8c98e518475b0450f" + }, + { + "url": "https://git.kernel.org/stable/c/8be915fc5ff9a5e296f6538be12ea75a1a93bdea" + }, + { + "url": "https://git.kernel.org/stable/c/aa6a5704cab861c9b2ae9f475076e1881e87f5aa" + }, + { + "url": "https://git.kernel.org/stable/c/e1a786b9bbb767fd1c922d424aaa8078cc542309" + }, + { + "url": "https://git.kernel.org/stable/c/e5e5e63c506b93b89b01f522b6a7343585f784e6" + }, + { + "url": "https://git.kernel.org/stable/c/ed7f2afdd0e043a397677e597ced0830b83ba0b3" + }, + { + "url": "https://git.kernel.org/stable/c/ee93e6da30377cf2a75e16cd32bb9fcd86a61c46" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41090 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41090", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntap: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tap_get_user_xdp() path, which could cause a corrupted skb to be\nsent downstack. Even before the skb is transmitted, the\ntap_get_user_xdp()-->skb_set_network_header() may assume the size is more\nthan ETH_HLEN. Once transmitted, this could either cause out-of-bound\naccess beyond the actual length, or confuse the underlayer with incorrect\nor inconsistent header length in the skb metadata.\n\nIn the alternative path, tap_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tap_get_user() does.\n\nCVE: CVE-2024-41090", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41090\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41090\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41090\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41090\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41090\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/73d462a38d5f782b7c872fe9ae8393d9ef5483da\",\n \"https://git.kernel.org/stable/c/7431144b406ae82807eb87d8c98e518475b0450f\",\n \"https://git.kernel.org/stable/c/8be915fc5ff9a5e296f6538be12ea75a1a93bdea\",\n \"https://git.kernel.org/stable/c/aa6a5704cab861c9b2ae9f475076e1881e87f5aa\",\n \"https://git.kernel.org/stable/c/e1a786b9bbb767fd1c922d424aaa8078cc542309\",\n \"https://git.kernel.org/stable/c/e5e5e63c506b93b89b01f522b6a7343585f784e6\",\n \"https://git.kernel.org/stable/c/ed7f2afdd0e043a397677e597ced0830b83ba0b3\",\n \"https://git.kernel.org/stable/c/ee93e6da30377cf2a75e16cd32bb9fcd86a61c46\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntap: add missing verification for short frame\\n\\nThe cited commit missed to check against the validity of the frame length\\nin the tap_get_user_xdp() path, which could cause a corrupted skb to be\\nsent downstack. Even before the skb is transmitted, the\\ntap_get_user_xdp()-->skb_set_network_header() may assume the size is more\\nthan ETH_HLEN. Once transmitted, this could either cause out-of-bound\\naccess beyond the actual length, or confuse the underlayer with incorrect\\nor inconsistent header length in the skb metadata.\\n\\nIn the alternative path, tap_get_user() already prohibits short frame which\\nhas the length less than Ethernet header size from being transmitted.\\n\\nThis is to drop any frame shorter than the Ethernet header size just like\\nhow tap_get_user() does.\\n\\nCVE: CVE-2024-41090\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41090\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41091", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41091" + }, + { + "url": "https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3" + }, + { + "url": "https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9" + }, + { + "url": "https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2" + }, + { + "url": "https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319" + }, + { + "url": "https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5" + }, + { + "url": "https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb" + }, + { + "url": "https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146" + }, + { + "url": "https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41091 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41091", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tun_xdp_one() path, which could cause a corrupted skb to be sent\ndownstack. Even before the skb is transmitted, the\ntun_xdp_one-->eth_type_trans() may access the Ethernet header although it\ncan be less than ETH_HLEN. Once transmitted, this could either cause\nout-of-bound access beyond the actual length, or confuse the underlayer\nwith incorrect or inconsistent header length in the skb metadata.\n\nIn the alternative path, tun_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted for\nIFF_TAP.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tun_get_user() does.\n\nCVE: CVE-2024-41091", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41091\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41091\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41091\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41091\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41091\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3\",\n \"https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9\",\n \"https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2\",\n \"https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319\",\n \"https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5\",\n \"https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb\",\n \"https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146\",\n \"https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntun: add missing verification for short frame\\n\\nThe cited commit missed to check against the validity of the frame length\\nin the tun_xdp_one() path, which could cause a corrupted skb to be sent\\ndownstack. Even before the skb is transmitted, the\\ntun_xdp_one-->eth_type_trans() may access the Ethernet header although it\\ncan be less than ETH_HLEN. Once transmitted, this could either cause\\nout-of-bound access beyond the actual length, or confuse the underlayer\\nwith incorrect or inconsistent header length in the skb metadata.\\n\\nIn the alternative path, tun_get_user() already prohibits short frame which\\nhas the length less than Ethernet header size from being transmitted for\\nIFF_TAP.\\n\\nThis is to drop any frame shorter than the Ethernet header size just like\\nhow tun_get_user() does.\\n\\nCVE: CVE-2024-41091\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41091\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41092", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41092" + }, + { + "url": "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7" + }, + { + "url": "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d" + }, + { + "url": "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc" + }, + { + "url": "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50" + }, + { + "url": "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6" + }, + { + "url": "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41092 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41092", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix potential UAF by revoke of fence registers\n\nCI has been sporadically reporting the following issue triggered by\nigt@i915_selftest@live@hangcheck on ADL-P and similar machines:\n\n<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence\n...\n<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled\n<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled\n<3> [414.070354] Unable to pin Y-tiled fence; err:-4\n<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))\n...\n<4>[ 609.603992] ------------[ cut here ]------------\n<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!\n<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1\n<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]\n<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]\n...\n<4>[ 609.604271] Call Trace:\n<4>[ 609.604273] \n...\n<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]\n<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]\n<4>[ 609.604977] force_unbind+0x24/0xa0 [i915]\n<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]\n<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]\n<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]\n<4>[ 609.605440] process_scheduled_works+0x351/0x690\n...\n\nIn the past, there were similar failures reported by CI from other IGT\ntests, observed on other platforms.\n\nBefore commit 63baf4f3d587 (\"drm/i915/gt: Only wait for GPU activity\nbefore unbinding a GGTT fence\"), i915_vma_revoke_fence() was waiting for\nidleness of vma->active via fence_update(). That commit introduced\nvma->fence->active in order for the fence_update() to be able to wait\nselectively on that one instead of vma->active since only idleness of\nfence registers was needed. But then, another commit 0d86ee35097a\n(\"drm/i915/gt: Make fence revocation unequivocal\") replaced the call to\nfence_update() in i915_vma_revoke_fence() with only fence_write(), and\nalso added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.\nNo justification was provided on why we might then expect idleness of\nvma->fence->active without first waiting on it.\n\nThe issue can be potentially caused by a race among revocation of fence\nregisters on one side and sequential execution of signal callbacks invoked\non completion of a request that was using them on the other, still\nprocessed in parallel to revocation of those fence registers. Fix it by\nwaiting for idleness of vma->fence->active in i915_vma_revoke_fence().\n\n(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41092\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41092\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41092\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41092\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41092\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7\",\n \"https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d\",\n \"https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc\",\n \"https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50\",\n \"https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6\",\n \"https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/gt: Fix potential UAF by revoke of fence registers\\n\\nCI has been sporadically reporting the following issue triggered by\\nigt@i915_selftest@live@hangcheck on ADL-P and similar machines:\\n\\n<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence\\n...\\n<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled\\n<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled\\n<3> [414.070354] Unable to pin Y-tiled fence; err:-4\\n<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))\\n...\\n<4>[ 609.603992] ------------[ cut here ]------------\\n<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!\\n<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1\\n<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\\n<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]\\n<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]\\n...\\n<4>[ 609.604271] Call Trace:\\n<4>[ 609.604273] \\n...\\n<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]\\n<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]\\n<4>[ 609.604977] force_unbind+0x24/0xa0 [i915]\\n<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]\\n<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]\\n<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]\\n<4>[ 609.605440] process_scheduled_works+0x351/0x690\\n...\\n\\nIn the past, there were similar failures reported by CI from other IGT\\ntests, observed on other platforms.\\n\\nBefore commit 63baf4f3d587 (\\\"drm/i915/gt: Only wait for GPU activity\\nbefore unbinding a GGTT fence\\\"), i915_vma_revoke_fence() was waiting for\\nidleness of vma->active via fence_update(). That commit introduced\\nvma->fence->active in order for the fence_update() to be able to wait\\nselectively on that one instead of vma->active since only idleness of\\nfence registers was needed. But then, another commit 0d86ee35097a\\n(\\\"drm/i915/gt: Make fence revocation unequivocal\\\") replaced the call to\\nfence_update() in i915_vma_revoke_fence() with only fence_write(), and\\nalso added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.\\nNo justification was provided on why we might then expect idleness of\\nvma->fence->active without first waiting on it.\\n\\nThe issue can be potentially caused by a race among revocation of fence\\nregisters on one side and sequential execution of signal callbacks invoked\\non completion of a request that was using them on the other, still\\nprocessed in parallel to revocation of those fence registers. Fix it by\\nwaiting for idleness of vma->fence->active in i915_vma_revoke_fence().\\n\\n(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41092\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41093", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41093" + }, + { + "url": "https://git.kernel.org/stable/c/330c8c1453848c04d335bad81371a66710210800" + }, + { + "url": "https://git.kernel.org/stable/c/6ce0544cabaa608018d5922ab404dc656a9d8447" + }, + { + "url": "https://git.kernel.org/stable/c/7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc" + }, + { + "url": "https://git.kernel.org/stable/c/bcfa48ff785bd121316592b131ff6531e3e696bb" + }, + { + "url": "https://git.kernel.org/stable/c/dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41093 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41093", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid using null object of framebuffer\n\nInstead of using state->fb->obj[0] directly, get object from framebuffer\nby calling drm_gem_fb_get_obj() and return error code when object is\nnull to avoid using null object of framebuffer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41093\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41093\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41093\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41093\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41093\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/330c8c1453848c04d335bad81371a66710210800\",\n \"https://git.kernel.org/stable/c/6ce0544cabaa608018d5922ab404dc656a9d8447\",\n \"https://git.kernel.org/stable/c/7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc\",\n \"https://git.kernel.org/stable/c/bcfa48ff785bd121316592b131ff6531e3e696bb\",\n \"https://git.kernel.org/stable/c/dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: avoid using null object of framebuffer\\n\\nInstead of using state->fb->obj[0] directly, get object from framebuffer\\nby calling drm_gem_fb_get_obj() and return error code when object is\\nnull to avoid using null object of framebuffer.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41093\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41095", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41095" + }, + { + "url": "https://git.kernel.org/stable/c/0d17604f2e44b3df21e218fe8fb3b836d41bac49" + }, + { + "url": "https://git.kernel.org/stable/c/259549b2ccf795b7f91f7b5aba47286addcfa389" + }, + { + "url": "https://git.kernel.org/stable/c/66edf3fb331b6c55439b10f9862987b0916b3726" + }, + { + "url": "https://git.kernel.org/stable/c/9289cd3450d1da3e271ef4b054d4d2932c41243e" + }, + { + "url": "https://git.kernel.org/stable/c/bdda5072494f2a7215d94fc4124ad1949a218714" + }, + { + "url": "https://git.kernel.org/stable/c/cb751e48bbcffd292090f7882b23b215111b3d72" + }, + { + "url": "https://git.kernel.org/stable/c/dbd75f32252508ed6c46c3288a282c301a57ceeb" + }, + { + "url": "https://git.kernel.org/stable/c/f95ed0f54b3d3faecae1140ddab854f904a6e7c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41095 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41095", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes\n\nIn nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41095\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41095\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41095\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41095\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41095\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d17604f2e44b3df21e218fe8fb3b836d41bac49\",\n \"https://git.kernel.org/stable/c/259549b2ccf795b7f91f7b5aba47286addcfa389\",\n \"https://git.kernel.org/stable/c/66edf3fb331b6c55439b10f9862987b0916b3726\",\n \"https://git.kernel.org/stable/c/9289cd3450d1da3e271ef4b054d4d2932c41243e\",\n \"https://git.kernel.org/stable/c/bdda5072494f2a7215d94fc4124ad1949a218714\",\n \"https://git.kernel.org/stable/c/cb751e48bbcffd292090f7882b23b215111b3d72\",\n \"https://git.kernel.org/stable/c/dbd75f32252508ed6c46c3288a282c301a57ceeb\",\n \"https://git.kernel.org/stable/c/f95ed0f54b3d3faecae1140ddab854f904a6e7c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes\\n\\nIn nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is\\nassigned to mode, which will lead to a possible NULL pointer dereference\\non failure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41095\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41097", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41097" + }, + { + "url": "https://git.kernel.org/stable/c/1aac4be1aaa5177506219f01dce5e29194e5e95a" + }, + { + "url": "https://git.kernel.org/stable/c/23926d316d2836315cb113569f91393266eb5b47" + }, + { + "url": "https://git.kernel.org/stable/c/2eabb655a968b862bc0c31629a09f0fbf3c80d51" + }, + { + "url": "https://git.kernel.org/stable/c/5159a81924311c1ec786ad9fdef784ead8676a6a" + }, + { + "url": "https://git.kernel.org/stable/c/5584c776a1af7807ca815ee6265f2c1429fc5727" + }, + { + "url": "https://git.kernel.org/stable/c/75ddbf776dd04a09fb9e5267ead5d0c989f84506" + }, + { + "url": "https://git.kernel.org/stable/c/ac9007520e392541a29daebaae8b9109007bc781" + }, + { + "url": "https://git.kernel.org/stable/c/f536f09eb45e4de8d1b9accee9d992aa1846f1d4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41097 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41097", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: atm: cxacru: fix endpoint checking in cxacru_bind()\n\nSyzbot is still reporting quite an old issue [1] that occurs due to\nincomplete checking of present usb endpoints. As such, wrong\nendpoints types may be used at urb sumbitting stage which in turn\ntriggers a warning in usb_submit_urb().\n\nFix the issue by verifying that required endpoint types are present\nfor both in and out endpoints, taking into account cmd endpoint type.\n\nUnfortunately, this patch has not been tested on real hardware.\n\n[1] Syzbot report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\n...\nCall Trace:\n cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649\n cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760\n cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209\n usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055\n cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363\n usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:517 [inline]\n really_probe+0x23c/0xcd0 drivers/base/dd.c:595\n __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777\n __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894\n bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427\n __device_attach+0x228/0x4a0 drivers/base/dd.c:965\n bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487\n device_add+0xc2f/0x2180 drivers/base/core.c:3354\n usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41097\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41097\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41097\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41097\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41097\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1aac4be1aaa5177506219f01dce5e29194e5e95a\",\n \"https://git.kernel.org/stable/c/23926d316d2836315cb113569f91393266eb5b47\",\n \"https://git.kernel.org/stable/c/2eabb655a968b862bc0c31629a09f0fbf3c80d51\",\n \"https://git.kernel.org/stable/c/5159a81924311c1ec786ad9fdef784ead8676a6a\",\n \"https://git.kernel.org/stable/c/5584c776a1af7807ca815ee6265f2c1429fc5727\",\n \"https://git.kernel.org/stable/c/75ddbf776dd04a09fb9e5267ead5d0c989f84506\",\n \"https://git.kernel.org/stable/c/ac9007520e392541a29daebaae8b9109007bc781\",\n \"https://git.kernel.org/stable/c/f536f09eb45e4de8d1b9accee9d992aa1846f1d4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: atm: cxacru: fix endpoint checking in cxacru_bind()\\n\\nSyzbot is still reporting quite an old issue [1] that occurs due to\\nincomplete checking of present usb endpoints. As such, wrong\\nendpoints types may be used at urb sumbitting stage which in turn\\ntriggers a warning in usb_submit_urb().\\n\\nFix the issue by verifying that required endpoint types are present\\nfor both in and out endpoints, taking into account cmd endpoint type.\\n\\nUnfortunately, this patch has not been tested on real hardware.\\n\\n[1] Syzbot report:\\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\\nWARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\\nModules linked in:\\nCPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\\nWorkqueue: usb_hub_wq hub_event\\nRIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\\n...\\nCall Trace:\\n cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649\\n cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760\\n cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209\\n usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055\\n cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363\\n usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396\\n call_driver_probe drivers/base/dd.c:517 [inline]\\n really_probe+0x23c/0xcd0 drivers/base/dd.c:595\\n __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747\\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777\\n __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894\\n bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427\\n __device_attach+0x228/0x4a0 drivers/base/dd.c:965\\n bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487\\n device_add+0xc2f/0x2180 drivers/base/core.c:3354\\n usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170\\n usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238\\n usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41097\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-41098", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-41098" + }, + { + "url": "https://git.kernel.org/stable/c/119c97ace2a9ffcf4dc09a23bb057d6c281aff28" + }, + { + "url": "https://git.kernel.org/stable/c/5d92c7c566dc76d96e0e19e481d926bbe6631c1e" + }, + { + "url": "https://git.kernel.org/stable/c/8a8ff7e3b736a70d7b7c8764cbcd2724d4079ec8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-41098 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-41098", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Fix null pointer dereference on error\n\nIf the ata_port_alloc() call in ata_host_alloc() fails,\nata_host_release() will get called.\n\nHowever, the code in ata_host_release() tries to free ata_port struct\nmembers unconditionally, which can lead to the following:\n\nBUG: unable to handle page fault for address: 0000000000003990\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]\nCode: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41\nRSP: 0018:ffffc90000ebb968 EFLAGS: 00010246\nRAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0\nRBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68\nR10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004\nR13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006\nFS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0x15a/0x2f0\n ? exc_page_fault+0x7e/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? ata_host_release.cold+0x2f/0x6e [libata]\n ? ata_host_release.cold+0x2f/0x6e [libata]\n release_nodes+0x35/0xb0\n devres_release_group+0x113/0x140\n ata_host_alloc+0xed/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\n\nDo not access ata_port struct members unconditionally.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-41098\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-41098\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-41098\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-41098\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41098\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/119c97ace2a9ffcf4dc09a23bb057d6c281aff28\",\n \"https://git.kernel.org/stable/c/5d92c7c566dc76d96e0e19e481d926bbe6631c1e\",\n \"https://git.kernel.org/stable/c/8a8ff7e3b736a70d7b7c8764cbcd2724d4079ec8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nata: libata-core: Fix null pointer dereference on error\\n\\nIf the ata_port_alloc() call in ata_host_alloc() fails,\\nata_host_release() will get called.\\n\\nHowever, the code in ata_host_release() tries to free ata_port struct\\nmembers unconditionally, which can lead to the following:\\n\\nBUG: unable to handle page fault for address: 0000000000003990\\nPGD 0 P4D 0\\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\\nRIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]\\nCode: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41\\nRSP: 0018:ffffc90000ebb968 EFLAGS: 00010246\\nRAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000\\nRDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0\\nRBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68\\nR10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004\\nR13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006\\nFS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0\\nPKRU: 55555554\\nCall Trace:\\n \\n ? __die_body.cold+0x19/0x27\\n ? page_fault_oops+0x15a/0x2f0\\n ? exc_page_fault+0x7e/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? ata_host_release.cold+0x2f/0x6e [libata]\\n ? ata_host_release.cold+0x2f/0x6e [libata]\\n release_nodes+0x35/0xb0\\n devres_release_group+0x113/0x140\\n ata_host_alloc+0xed/0x120 [libata]\\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\\n ahci_init_one+0x6c9/0xd20 [ahci]\\n\\nDo not access ata_port struct members unconditionally.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-41098\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42063", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42063" + }, + { + "url": "https://git.kernel.org/stable/c/3189983c26108cf0990e5c46856dc9feb9470d12" + }, + { + "url": "https://git.kernel.org/stable/c/b30f3197a6cd080052d5d4973f9a6b479fd9fff5" + }, + { + "url": "https://git.kernel.org/stable/c/d812ae6e02bd6e6a9cd1fdb09519c2f33e875faf" + }, + { + "url": "https://git.kernel.org/stable/c/e8742081db7d01f980c6161ae1e8a1dbc1e30979" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42063 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42063", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode\n\nsyzbot reported uninit memory usages during map_{lookup,delete}_elem.\n\n==========\nBUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\nBUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\n__dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\ndev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\n____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]\nbpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38\n___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n__bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237\n==========\n\nThe reproducer should be in the interpreter mode.\n\nThe C reproducer is trying to run the following bpf prog:\n\n 0: (18) r0 = 0x0\n 2: (18) r1 = map[id:49]\n 4: (b7) r8 = 16777216\n 5: (7b) *(u64 *)(r10 -8) = r8\n 6: (bf) r2 = r10\n 7: (07) r2 += -229\n ^^^^^^^^^^\n\n 8: (b7) r3 = 8\n 9: (b7) r4 = 0\n 10: (85) call dev_map_lookup_elem#1543472\n 11: (95) exit\n\nIt is due to the \"void *key\" (r2) passed to the helper. bpf allows uninit\nstack memory access for bpf prog with the right privileges. This patch\nuses kmsan_unpoison_memory() to mark the stack as initialized.\n\nThis should address different syzbot reports on the uninit \"void *key\"\nargument during map_{lookup,delete}_elem.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42063\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42063\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42063\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42063\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42063\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3189983c26108cf0990e5c46856dc9feb9470d12\",\n \"https://git.kernel.org/stable/c/b30f3197a6cd080052d5d4973f9a6b479fd9fff5\",\n \"https://git.kernel.org/stable/c/d812ae6e02bd6e6a9cd1fdb09519c2f33e875faf\",\n \"https://git.kernel.org/stable/c/e8742081db7d01f980c6161ae1e8a1dbc1e30979\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode\\n\\nsyzbot reported uninit memory usages during map_{lookup,delete}_elem.\\n\\n==========\\nBUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\\nBUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\\n__dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\\ndev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\\n____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]\\nbpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38\\n___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\\n__bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237\\n==========\\n\\nThe reproducer should be in the interpreter mode.\\n\\nThe C reproducer is trying to run the following bpf prog:\\n\\n 0: (18) r0 = 0x0\\n 2: (18) r1 = map[id:49]\\n 4: (b7) r8 = 16777216\\n 5: (7b) *(u64 *)(r10 -8) = r8\\n 6: (bf) r2 = r10\\n 7: (07) r2 += -229\\n ^^^^^^^^^^\\n\\n 8: (b7) r3 = 8\\n 9: (b7) r4 = 0\\n 10: (85) call dev_map_lookup_elem#1543472\\n 11: (95) exit\\n\\nIt is due to the \\\"void *key\\\" (r2) passed to the helper. bpf allows uninit\\nstack memory access for bpf prog with the right privileges. This patch\\nuses kmsan_unpoison_memory() to mark the stack as initialized.\\n\\nThis should address different syzbot reports on the uninit \\\"void *key\\\"\\nargument during map_{lookup,delete}_elem.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42063\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42064", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42064" + }, + { + "url": "https://git.kernel.org/stable/c/27df59c6071470efce7182ee92fbb16afba551e0" + }, + { + "url": "https://git.kernel.org/stable/c/af114efe8d24b5711cfbedf7180f2ac1a296c24b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42064 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42064", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip pipe if the pipe idx not set properly\n\n[why]\nDriver crashes when pipe idx not set properly\n\n[how]\nAdd code to skip the pipe that idx not set properly", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42064\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42064\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42064\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42064\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42064\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/27df59c6071470efce7182ee92fbb16afba551e0\",\n \"https://git.kernel.org/stable/c/af114efe8d24b5711cfbedf7180f2ac1a296c24b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Skip pipe if the pipe idx not set properly\\n\\n[why]\\nDriver crashes when pipe idx not set properly\\n\\n[how]\\nAdd code to skip the pipe that idx not set properly\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42064\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42065", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42065" + }, + { + "url": "https://git.kernel.org/stable/c/a6eff8f9c7e844cb24ccb188ca24abcd59734e74" + }, + { + "url": "https://git.kernel.org/stable/c/cc796a77985d6af75c9362cb2e73dce4ae3f97cd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42065 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42065", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add a NULL check in xe_ttm_stolen_mgr_init\n\nAdd an explicit check to ensure that the mgr is not NULL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42065\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42065\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42065\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42065\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42065\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/a6eff8f9c7e844cb24ccb188ca24abcd59734e74\",\n \"https://git.kernel.org/stable/c/cc796a77985d6af75c9362cb2e73dce4ae3f97cd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/xe: Add a NULL check in xe_ttm_stolen_mgr_init\\n\\nAdd an explicit check to ensure that the mgr is not NULL.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42065\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42066", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42066" + }, + { + "url": "https://git.kernel.org/stable/c/4f4fcafde343a54465f85a2909fc684918507a4b" + }, + { + "url": "https://git.kernel.org/stable/c/79d54ddf0e292b810887994bb04709c5ac0e1531" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42066 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42066", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix potential integer overflow in page size calculation\n\nExplicitly cast tbo->page_alignment to u64 before bit-shifting to\nprevent overflow when assigning to min_page_size.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42066\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42066\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42066\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42066\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42066\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4f4fcafde343a54465f85a2909fc684918507a4b\",\n \"https://git.kernel.org/stable/c/79d54ddf0e292b810887994bb04709c5ac0e1531\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/xe: Fix potential integer overflow in page size calculation\\n\\nExplicitly cast tbo->page_alignment to u64 before bit-shifting to\\nprevent overflow when assigning to min_page_size.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42066\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42067", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42067" + }, + { + "url": "https://git.kernel.org/stable/c/044da7ae7afd4ef60806d73654a2e6a79aa4ed7a" + }, + { + "url": "https://git.kernel.org/stable/c/08f6c05feb1db21653e98ca84ea04ca032d014c7" + }, + { + "url": "https://git.kernel.org/stable/c/9fef36cad60d4226f9d06953cd56d1d2f9119730" + }, + { + "url": "https://git.kernel.org/stable/c/e60adf513275c3a38e5cb67f7fd12387e43a3ff5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42067 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42067", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Take return from set_memory_rox() into account with bpf_jit_binary_lock_ro()\n\nset_memory_rox() can fail, leaving memory unprotected.\n\nCheck return and bail out when bpf_jit_binary_lock_ro() returns\nan error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42067\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42067\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42067\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42067\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42067\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/044da7ae7afd4ef60806d73654a2e6a79aa4ed7a\",\n \"https://git.kernel.org/stable/c/08f6c05feb1db21653e98ca84ea04ca032d014c7\",\n \"https://git.kernel.org/stable/c/9fef36cad60d4226f9d06953cd56d1d2f9119730\",\n \"https://git.kernel.org/stable/c/e60adf513275c3a38e5cb67f7fd12387e43a3ff5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Take return from set_memory_rox() into account with bpf_jit_binary_lock_ro()\\n\\nset_memory_rox() can fail, leaving memory unprotected.\\n\\nCheck return and bail out when bpf_jit_binary_lock_ro() returns\\nan error.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42067\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42068", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42068" + }, + { + "url": "https://git.kernel.org/stable/c/05412471beba313ecded95aa17b25fe84bb2551a" + }, + { + "url": "https://git.kernel.org/stable/c/7d2cc63eca0c993c99d18893214abf8f85d566d8" + }, + { + "url": "https://git.kernel.org/stable/c/a359696856ca9409fb97655c5a8ef0f549cb6e03" + }, + { + "url": "https://git.kernel.org/stable/c/e3540e5a7054d6daaf9a1415a48aacb092112a89" + }, + { + "url": "https://git.kernel.org/stable/c/e4f602e3ff749ba770bf8ff10196e18358de6720" + }, + { + "url": "https://git.kernel.org/stable/c/fdd411af8178edc6b7bf260f8fa4fba1bedd0a6d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42068 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42068", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()\n\nset_memory_ro() can fail, leaving memory unprotected.\n\nCheck its return and take it into account as an error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42068\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42068\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42068\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42068\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42068\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05412471beba313ecded95aa17b25fe84bb2551a\",\n \"https://git.kernel.org/stable/c/7d2cc63eca0c993c99d18893214abf8f85d566d8\",\n \"https://git.kernel.org/stable/c/a359696856ca9409fb97655c5a8ef0f549cb6e03\",\n \"https://git.kernel.org/stable/c/e3540e5a7054d6daaf9a1415a48aacb092112a89\",\n \"https://git.kernel.org/stable/c/e4f602e3ff749ba770bf8ff10196e18358de6720\",\n \"https://git.kernel.org/stable/c/fdd411af8178edc6b7bf260f8fa4fba1bedd0a6d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()\\n\\nset_memory_ro() can fail, leaving memory unprotected.\\n\\nCheck its return and take it into account as an error.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42068\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42070", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42070" + }, + { + "url": "https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4" + }, + { + "url": "https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f" + }, + { + "url": "https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa1c2980f" + }, + { + "url": "https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8" + }, + { + "url": "https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf" + }, + { + "url": "https://git.kernel.org/stable/c/7931d32955e09d0a11b1fe0b6aac1bfa061c005c" + }, + { + "url": "https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564" + }, + { + "url": "https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42070 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42070", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers\n\nregister store validation for NFT_DATA_VALUE is conditional, however,\nthe datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This\nonly requires a new helper function to infer the register type from the\nset datatype so this conditional check can be removed. Otherwise,\npointer to chain object can be leaked through the registers.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42070\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42070\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42070\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42070\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42070\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4\",\n \"https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f\",\n \"https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa1c2980f\",\n \"https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8\",\n \"https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf\",\n \"https://git.kernel.org/stable/c/7931d32955e09d0a11b1fe0b6aac1bfa061c005c\",\n \"https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564\",\n \"https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers\\n\\nregister store validation for NFT_DATA_VALUE is conditional, however,\\nthe datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This\\nonly requires a new helper function to infer the register type from the\\nset datatype so this conditional check can be removed. Otherwise,\\npointer to chain object can be leaked through the registers.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42070\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42076", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42076" + }, + { + "url": "https://git.kernel.org/stable/c/4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f" + }, + { + "url": "https://git.kernel.org/stable/c/5e4ed38eb17eaca42de57d500cc0f9668d2b6abf" + }, + { + "url": "https://git.kernel.org/stable/c/a2a0ebff7fdeb2f66e29335adf64b9e457300dd4" + }, + { + "url": "https://git.kernel.org/stable/c/ab2a683938ba4416d389c2f5651cbbb2c41b779f" + }, + { + "url": "https://git.kernel.org/stable/c/b7cdf1dd5d2a2d8200efd98d1893684db48fe134" + }, + { + "url": "https://git.kernel.org/stable/c/ba7e5ae8208ac07d8e1eace0951a34c169a2d298" + }, + { + "url": "https://git.kernel.org/stable/c/f97cbce633923588307049c4aef9feb2987e371b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42076 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42076", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: Initialize unused data in j1939_send_one()\n\nsyzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()\ncreates full frame including unused data, but it doesn't initialize\nit. This causes the kernel-infoleak issue. Fix this by initializing\nunused data.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n memcpy_to_msg include/linux/skbuff.h:4113 [inline]\n raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n ____sys_recvmsg+0x18a/0x620 net/socket.c:2803\n ___sys_recvmsg+0x223/0x840 net/socket.c:2845\n do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034\n x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1313 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n sock_alloc_send_skb include/net/sock.h:1842 [inline]\n j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]\n j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]\n j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBytes 12-15 of 16 are uninitialized\nMemory access of size 16 starts at ffff888120969690\nData copied to user address 00000000200017c0\n\nCPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42076\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42076\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42076\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42076\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42076\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f\",\n \"https://git.kernel.org/stable/c/5e4ed38eb17eaca42de57d500cc0f9668d2b6abf\",\n \"https://git.kernel.org/stable/c/a2a0ebff7fdeb2f66e29335adf64b9e457300dd4\",\n \"https://git.kernel.org/stable/c/ab2a683938ba4416d389c2f5651cbbb2c41b779f\",\n \"https://git.kernel.org/stable/c/b7cdf1dd5d2a2d8200efd98d1893684db48fe134\",\n \"https://git.kernel.org/stable/c/ba7e5ae8208ac07d8e1eace0951a34c169a2d298\",\n \"https://git.kernel.org/stable/c/f97cbce633923588307049c4aef9feb2987e371b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: can: j1939: Initialize unused data in j1939_send_one()\\n\\nsyzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()\\ncreates full frame including unused data, but it doesn't initialize\\nit. This causes the kernel-infoleak issue. Fix this by initializing\\nunused data.\\n\\n[1]\\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\nBUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\\nBUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\\nBUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\\nBUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\\n copy_to_user_iter lib/iov_iter.c:24 [inline]\\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\\n copy_to_iter include/linux/uio.h:196 [inline]\\n memcpy_to_msg include/linux/skbuff.h:4113 [inline]\\n raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008\\n sock_recvmsg_nosec net/socket.c:1046 [inline]\\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\\n ____sys_recvmsg+0x18a/0x620 net/socket.c:2803\\n ___sys_recvmsg+0x223/0x840 net/socket.c:2845\\n do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939\\n __sys_recvmmsg net/socket.c:3018 [inline]\\n __do_sys_recvmmsg net/socket.c:3041 [inline]\\n __se_sys_recvmmsg net/socket.c:3034 [inline]\\n __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034\\n x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nUninit was created at:\\n slab_post_alloc_hook mm/slub.c:3804 [inline]\\n slab_alloc_node mm/slub.c:3845 [inline]\\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\\n alloc_skb include/linux/skbuff.h:1313 [inline]\\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\\n sock_alloc_send_skb include/net/sock.h:1842 [inline]\\n j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]\\n j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]\\n j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\\n __sys_sendmsg net/socket.c:2667 [inline]\\n __do_sys_sendmsg net/socket.c:2676 [inline]\\n __se_sys_sendmsg net/socket.c:2674 [inline]\\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\\n x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nBytes 12-15 of 16 are uninitialized\\nMemory access of size 16 starts at ffff888120969690\\nData copied to user address 00000000200017c0\\n\\nCPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42076\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42077", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42077" + }, + { + "url": "https://git.kernel.org/stable/c/320273b5649bbcee87f9e65343077189699d2a7a" + }, + { + "url": "https://git.kernel.org/stable/c/331d1079d58206ff7dc5518185f800b412f89bc6" + }, + { + "url": "https://git.kernel.org/stable/c/9ea2d1c6789722d58ec191f14f9a02518d55b6b4" + }, + { + "url": "https://git.kernel.org/stable/c/a68b896aa56e435506453ec8835bc991ec3ae687" + }, + { + "url": "https://git.kernel.org/stable/c/be346c1a6eeb49d8fda827d2a9522124c2f72f36" + }, + { + "url": "https://git.kernel.org/stable/c/c05ffb693bfb42a48ef3ee88a55b57392984e111" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42077 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42077", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix DIO failure due to insufficient transaction credits\n\nThe code in ocfs2_dio_end_io_write() estimates number of necessary\ntransaction credits using ocfs2_calc_extend_credits(). This however does\nnot take into account that the IO could be arbitrarily large and can\ncontain arbitrary number of extents.\n\nExtent tree manipulations do often extend the current transaction but not\nin all of the cases. For example if we have only single block extents in\nthe tree, ocfs2_mark_extent_written() will end up calling\nocfs2_replace_extent_rec() all the time and we will never extend the\ncurrent transaction and eventually exhaust all the transaction credits if\nthe IO contains many single block extents. Once that happens a\nWARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in\njbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to\nthis error. This was actually triggered by one of our customers on a\nheavily fragmented OCFS2 filesystem.\n\nTo fix the issue make sure the transaction always has enough credits for\none extent insert before each call of ocfs2_mark_extent_written().\n\nHeming Zhao said:\n\n------\nPANIC: \"Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error\"\n\nPID: xxx TASK: xxxx CPU: 5 COMMAND: \"SubmitThread-CA\"\n #0 machine_kexec at ffffffff8c069932\n #1 __crash_kexec at ffffffff8c1338fa\n #2 panic at ffffffff8c1d69b9\n #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]\n #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]\n #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]\n #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]\n #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]\n #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]\n #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]\n#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]\n#11 dio_complete at ffffffff8c2b9fa7\n#12 do_blockdev_direct_IO at ffffffff8c2bc09f\n#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]\n#14 generic_file_direct_write at ffffffff8c1dcf14\n#15 __generic_file_write_iter at ffffffff8c1dd07b\n#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]\n#17 aio_write at ffffffff8c2cc72e\n#18 kmem_cache_alloc at ffffffff8c248dde\n#19 do_io_submit at ffffffff8c2ccada\n#20 do_syscall_64 at ffffffff8c004984\n#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42077\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42077\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42077\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42077\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42077\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/320273b5649bbcee87f9e65343077189699d2a7a\",\n \"https://git.kernel.org/stable/c/331d1079d58206ff7dc5518185f800b412f89bc6\",\n \"https://git.kernel.org/stable/c/9ea2d1c6789722d58ec191f14f9a02518d55b6b4\",\n \"https://git.kernel.org/stable/c/a68b896aa56e435506453ec8835bc991ec3ae687\",\n \"https://git.kernel.org/stable/c/be346c1a6eeb49d8fda827d2a9522124c2f72f36\",\n \"https://git.kernel.org/stable/c/c05ffb693bfb42a48ef3ee88a55b57392984e111\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: fix DIO failure due to insufficient transaction credits\\n\\nThe code in ocfs2_dio_end_io_write() estimates number of necessary\\ntransaction credits using ocfs2_calc_extend_credits(). This however does\\nnot take into account that the IO could be arbitrarily large and can\\ncontain arbitrary number of extents.\\n\\nExtent tree manipulations do often extend the current transaction but not\\nin all of the cases. For example if we have only single block extents in\\nthe tree, ocfs2_mark_extent_written() will end up calling\\nocfs2_replace_extent_rec() all the time and we will never extend the\\ncurrent transaction and eventually exhaust all the transaction credits if\\nthe IO contains many single block extents. Once that happens a\\nWARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in\\njbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to\\nthis error. This was actually triggered by one of our customers on a\\nheavily fragmented OCFS2 filesystem.\\n\\nTo fix the issue make sure the transaction always has enough credits for\\none extent insert before each call of ocfs2_mark_extent_written().\\n\\nHeming Zhao said:\\n\\n------\\nPANIC: \\\"Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error\\\"\\n\\nPID: xxx TASK: xxxx CPU: 5 COMMAND: \\\"SubmitThread-CA\\\"\\n #0 machine_kexec at ffffffff8c069932\\n #1 __crash_kexec at ffffffff8c1338fa\\n #2 panic at ffffffff8c1d69b9\\n #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]\\n #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]\\n #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]\\n #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]\\n #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]\\n #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]\\n #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]\\n#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]\\n#11 dio_complete at ffffffff8c2b9fa7\\n#12 do_blockdev_direct_IO at ffffffff8c2bc09f\\n#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]\\n#14 generic_file_direct_write at ffffffff8c1dcf14\\n#15 __generic_file_write_iter at ffffffff8c1dd07b\\n#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]\\n#17 aio_write at ffffffff8c2cc72e\\n#18 kmem_cache_alloc at ffffffff8c248dde\\n#19 do_io_submit at ffffffff8c2ccada\\n#20 do_syscall_64 at ffffffff8c004984\\n#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42077\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42079", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42079" + }, + { + "url": "https://git.kernel.org/stable/c/3429ef5f50909cee9e498c50f0c499b9397116ce" + }, + { + "url": "https://git.kernel.org/stable/c/35264909e9d1973ab9aaa2a1b07cda70f12bb828" + }, + { + "url": "https://git.kernel.org/stable/c/f54f9d5368a4e92ede7dd078a62788dae3a7c6ef" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42079 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42079", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix NULL pointer dereference in gfs2_log_flush\n\nIn gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush\nlock to provide exclusion against gfs2_log_flush().\n\nIn gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before\ndereferencing it. Otherwise, we could run into a NULL pointer\ndereference when outstanding glock work races with an unmount\n(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->\ngfs2_log_flush).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42079\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42079\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42079\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42079\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42079\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3429ef5f50909cee9e498c50f0c499b9397116ce\",\n \"https://git.kernel.org/stable/c/35264909e9d1973ab9aaa2a1b07cda70f12bb828\",\n \"https://git.kernel.org/stable/c/f54f9d5368a4e92ede7dd078a62788dae3a7c6ef\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngfs2: Fix NULL pointer dereference in gfs2_log_flush\\n\\nIn gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush\\nlock to provide exclusion against gfs2_log_flush().\\n\\nIn gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before\\ndereferencing it. Otherwise, we could run into a NULL pointer\\ndereference when outstanding glock work races with an unmount\\n(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->\\ngfs2_log_flush).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42079\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42080", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42080" + }, + { + "url": "https://git.kernel.org/stable/c/782bdaf9d01658281bc813f3f873e6258aa1fd8d" + }, + { + "url": "https://git.kernel.org/stable/c/8656ef8a9288d6c932654f8d3856dc4ab1cfc6b5" + }, + { + "url": "https://git.kernel.org/stable/c/8ac281d42337f36cf7061cf1ea094181b84bc1a9" + }, + { + "url": "https://git.kernel.org/stable/c/ca537a34775c103f7b14d7bbd976403f1d1525d8" + }, + { + "url": "https://git.kernel.org/stable/c/f45b43d17240e9ca67ebf3cc82bb046b07cc1c61" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42080 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42080", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/restrack: Fix potential invalid address access\n\nstruct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME\nin ib_create_cq(), while if the module exited but forgot del this\nrdma_restrack_entry, it would cause a invalid address access in\nrdma_restrack_clean() when print the owner of this rdma_restrack_entry.\n\nThese code is used to help find one forgotten PD release in one of the\nULPs. But it is not needed anymore, so delete them.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42080\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42080\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42080\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42080\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42080\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/782bdaf9d01658281bc813f3f873e6258aa1fd8d\",\n \"https://git.kernel.org/stable/c/8656ef8a9288d6c932654f8d3856dc4ab1cfc6b5\",\n \"https://git.kernel.org/stable/c/8ac281d42337f36cf7061cf1ea094181b84bc1a9\",\n \"https://git.kernel.org/stable/c/ca537a34775c103f7b14d7bbd976403f1d1525d8\",\n \"https://git.kernel.org/stable/c/f45b43d17240e9ca67ebf3cc82bb046b07cc1c61\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/restrack: Fix potential invalid address access\\n\\nstruct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME\\nin ib_create_cq(), while if the module exited but forgot del this\\nrdma_restrack_entry, it would cause a invalid address access in\\nrdma_restrack_clean() when print the owner of this rdma_restrack_entry.\\n\\nThese code is used to help find one forgotten PD release in one of the\\nULPs. But it is not needed anymore, so delete them.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42080\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42082", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42082" + }, + { + "url": "https://git.kernel.org/stable/c/1095b8efbb13a6a5fa583ed373ee1ccab29da2d0" + }, + { + "url": "https://git.kernel.org/stable/c/14e51ea78b4ccacb7acb1346b9241bb790a2054c" + }, + { + "url": "https://git.kernel.org/stable/c/1d3e3b3aa2cbe9bc7db9a7f8673a9fa6d2990d54" + }, + { + "url": "https://git.kernel.org/stable/c/4e0c539ee265d5c6e7fa7d229cd4aa7bc01816e2" + }, + { + "url": "https://git.kernel.org/stable/c/7e9f79428372c6eab92271390851be34ab26bfb4" + }, + { + "url": "https://git.kernel.org/stable/c/f92298b0467fd77edc4c1a2c3e48833e69840ec4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42082 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42082", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: Remove WARN() from __xdp_reg_mem_model()\n\nsyzkaller reports a warning in __xdp_reg_mem_model().\n\nThe warning occurs only if __mem_id_init_hash_table() returns an error. It\nreturns the error in two cases:\n\n 1. memory allocation fails;\n 2. rhashtable_init() fails when some fields of rhashtable_params\n struct are not initialized properly.\n\nThe second case cannot happen since there is a static const rhashtable_params\nstruct with valid fields. So, warning is only triggered when there is a\nproblem with memory allocation.\n\nThus, there is no sense in using WARN() to handle this error and it can be\nsafely removed.\n\nWARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\n\nCPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\n\nCall Trace:\n xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344\n xdp_test_run_setup net/bpf/test_run.c:188 [inline]\n bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377\n bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267\n bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240\n __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649\n __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nFound by Linux Verification Center (linuxtesting.org) with syzkaller.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42082\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42082\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42082\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42082\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42082\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1095b8efbb13a6a5fa583ed373ee1ccab29da2d0\",\n \"https://git.kernel.org/stable/c/14e51ea78b4ccacb7acb1346b9241bb790a2054c\",\n \"https://git.kernel.org/stable/c/1d3e3b3aa2cbe9bc7db9a7f8673a9fa6d2990d54\",\n \"https://git.kernel.org/stable/c/4e0c539ee265d5c6e7fa7d229cd4aa7bc01816e2\",\n \"https://git.kernel.org/stable/c/7e9f79428372c6eab92271390851be34ab26bfb4\",\n \"https://git.kernel.org/stable/c/f92298b0467fd77edc4c1a2c3e48833e69840ec4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxdp: Remove WARN() from __xdp_reg_mem_model()\\n\\nsyzkaller reports a warning in __xdp_reg_mem_model().\\n\\nThe warning occurs only if __mem_id_init_hash_table() returns an error. It\\nreturns the error in two cases:\\n\\n 1. memory allocation fails;\\n 2. rhashtable_init() fails when some fields of rhashtable_params\\n struct are not initialized properly.\\n\\nThe second case cannot happen since there is a static const rhashtable_params\\nstruct with valid fields. So, warning is only triggered when there is a\\nproblem with memory allocation.\\n\\nThus, there is no sense in using WARN() to handle this error and it can be\\nsafely removed.\\n\\nWARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\\n\\nCPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nRIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\\n\\nCall Trace:\\n xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344\\n xdp_test_run_setup net/bpf/test_run.c:188 [inline]\\n bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377\\n bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267\\n bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240\\n __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649\\n __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]\\n __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]\\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736\\n do_syscall_64+0xfb/0x240\\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\\n\\nFound by Linux Verification Center (linuxtesting.org) with syzkaller.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42082\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42084", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42084" + }, + { + "url": "https://git.kernel.org/stable/c/4b8e88e563b5f666446d002ad0dc1e6e8e7102b0" + }, + { + "url": "https://git.kernel.org/stable/c/5ae6af68410bdad6181ec82104bb9985a7a6a0fa" + }, + { + "url": "https://git.kernel.org/stable/c/836359247b0403e0634bfbc83e5bb8063fad287a" + }, + { + "url": "https://git.kernel.org/stable/c/84bf6b64a1a0dfc6de7e1b1c776d58d608e7865a" + }, + { + "url": "https://git.kernel.org/stable/c/930a4c369f74da26816eaaa71b5888d29b759c27" + }, + { + "url": "https://git.kernel.org/stable/c/c329760749b5419769e57cb2be80955d2805f9c9" + }, + { + "url": "https://git.kernel.org/stable/c/dbb226d81cd02cee140139c2369791e6f61f2007" + }, + { + "url": "https://git.kernel.org/stable/c/f531d4bc6c5588d713359e42ed65e46816d841d8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42084 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42084", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nftruncate: pass a signed offset\n\nThe old ftruncate() syscall, using the 32-bit off_t misses a sign\nextension when called in compat mode on 64-bit architectures. As a\nresult, passing a negative length accidentally succeeds in truncating\nto file size between 2GiB and 4GiB.\n\nChanging the type of the compat syscall to the signed compat_off_t\nchanges the behavior so it instead returns -EINVAL.\n\nThe native entry point, the truncate() syscall and the corresponding\nloff_t based variants are all correct already and do not suffer\nfrom this mistake.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42084\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42084\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42084\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42084\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42084\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b8e88e563b5f666446d002ad0dc1e6e8e7102b0\",\n \"https://git.kernel.org/stable/c/5ae6af68410bdad6181ec82104bb9985a7a6a0fa\",\n \"https://git.kernel.org/stable/c/836359247b0403e0634bfbc83e5bb8063fad287a\",\n \"https://git.kernel.org/stable/c/84bf6b64a1a0dfc6de7e1b1c776d58d608e7865a\",\n \"https://git.kernel.org/stable/c/930a4c369f74da26816eaaa71b5888d29b759c27\",\n \"https://git.kernel.org/stable/c/c329760749b5419769e57cb2be80955d2805f9c9\",\n \"https://git.kernel.org/stable/c/dbb226d81cd02cee140139c2369791e6f61f2007\",\n \"https://git.kernel.org/stable/c/f531d4bc6c5588d713359e42ed65e46816d841d8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nftruncate: pass a signed offset\\n\\nThe old ftruncate() syscall, using the 32-bit off_t misses a sign\\nextension when called in compat mode on 64-bit architectures. As a\\nresult, passing a negative length accidentally succeeds in truncating\\nto file size between 2GiB and 4GiB.\\n\\nChanging the type of the compat syscall to the signed compat_off_t\\nchanges the behavior so it instead returns -EINVAL.\\n\\nThe native entry point, the truncate() syscall and the corresponding\\nloff_t based variants are all correct already and do not suffer\\nfrom this mistake.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42084\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42085", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42085" + }, + { + "url": "https://git.kernel.org/stable/c/17e2956633ca560b95f1cbbb297cfc2adf650649" + }, + { + "url": "https://git.kernel.org/stable/c/7026576e89094aa9a0062aa6d10cba18aa99944c" + }, + { + "url": "https://git.kernel.org/stable/c/7838de15bb700c2898a7d741db9b1f3cbc86c136" + }, + { + "url": "https://git.kernel.org/stable/c/d77e2b5104c51d3668b9717c825a4a06998efe63" + }, + { + "url": "https://git.kernel.org/stable/c/f1274cfab183e69a7c7bafffcb4f50703c876276" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42085 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42085", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock\n\nWhen config CONFIG_USB_DWC3_DUAL_ROLE is selected, and trigger system\nto enter suspend status with below command:\necho mem > /sys/power/state\nThere will be a deadlock issue occurring. Detailed invoking path as\nbelow:\ndwc3_suspend_common()\n spin_lock_irqsave(&dwc->lock, flags); <-- 1st\n dwc3_gadget_suspend(dwc);\n dwc3_gadget_soft_disconnect(dwc);\n spin_lock_irqsave(&dwc->lock, flags); <-- 2nd\nThis issue is exposed by commit c7ebd8149ee5 (\"usb: dwc3: gadget: Fix\nNULL pointer dereference in dwc3_gadget_suspend\") that removes the code\nof checking whether dwc->gadget_driver is NULL or not. It causes the\nfollowing code is executed and deadlock occurs when trying to get the\nspinlock. In fact, the root cause is the commit 5265397f9442(\"usb: dwc3:\nRemove DWC3 locking during gadget suspend/resume\") that forgot to remove\nthe lock of otg mode. So, remove the redundant lock of otg mode during\ngadget suspend/resume.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42085\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42085\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42085\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42085\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42085\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/17e2956633ca560b95f1cbbb297cfc2adf650649\",\n \"https://git.kernel.org/stable/c/7026576e89094aa9a0062aa6d10cba18aa99944c\",\n \"https://git.kernel.org/stable/c/7838de15bb700c2898a7d741db9b1f3cbc86c136\",\n \"https://git.kernel.org/stable/c/d77e2b5104c51d3668b9717c825a4a06998efe63\",\n \"https://git.kernel.org/stable/c/f1274cfab183e69a7c7bafffcb4f50703c876276\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock\\n\\nWhen config CONFIG_USB_DWC3_DUAL_ROLE is selected, and trigger system\\nto enter suspend status with below command:\\necho mem > /sys/power/state\\nThere will be a deadlock issue occurring. Detailed invoking path as\\nbelow:\\ndwc3_suspend_common()\\n spin_lock_irqsave(&dwc->lock, flags); <-- 1st\\n dwc3_gadget_suspend(dwc);\\n dwc3_gadget_soft_disconnect(dwc);\\n spin_lock_irqsave(&dwc->lock, flags); <-- 2nd\\nThis issue is exposed by commit c7ebd8149ee5 (\\\"usb: dwc3: gadget: Fix\\nNULL pointer dereference in dwc3_gadget_suspend\\\") that removes the code\\nof checking whether dwc->gadget_driver is NULL or not. It causes the\\nfollowing code is executed and deadlock occurs when trying to get the\\nspinlock. In fact, the root cause is the commit 5265397f9442(\\\"usb: dwc3:\\nRemove DWC3 locking during gadget suspend/resume\\\") that forgot to remove\\nthe lock of otg mode. So, remove the redundant lock of otg mode during\\ngadget suspend/resume.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42085\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42086", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42086" + }, + { + "url": "https://git.kernel.org/stable/c/3add41bbda92938e9a528d74659dfc552796be4e" + }, + { + "url": "https://git.kernel.org/stable/c/6fa31bbe2ea8665ee970258eb8320cbf231dbe9e" + }, + { + "url": "https://git.kernel.org/stable/c/7a13d1357658d3a3c1cd7b3b9543c805a6e5e6e9" + }, + { + "url": "https://git.kernel.org/stable/c/b0af334616ed425024bf220adda0f004806b5feb" + }, + { + "url": "https://git.kernel.org/stable/c/b5967393d50e3c6e632efda3ea3fdde14c1bfd0e" + }, + { + "url": "https://git.kernel.org/stable/c/ba1bb3e2a38a7fef1c1818dd4f2d9abbfdde553a" + }, + { + "url": "https://git.kernel.org/stable/c/c326551e99f5416986074ce78bef94f6a404b517" + }, + { + "url": "https://git.kernel.org/stable/c/fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42086 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42086", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: chemical: bme680: Fix overflows in compensate() functions\n\nThere are cases in the compensate functions of the driver that\nthere could be overflows of variables due to bit shifting ops.\nThese implications were initially discussed here [1] and they\nwere mentioned in log message of Commit 1b3bd8592780 (\"iio:\nchemical: Add support for Bosch BME680 sensor\").\n\n[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42086\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42086\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42086\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42086\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42086\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3add41bbda92938e9a528d74659dfc552796be4e\",\n \"https://git.kernel.org/stable/c/6fa31bbe2ea8665ee970258eb8320cbf231dbe9e\",\n \"https://git.kernel.org/stable/c/7a13d1357658d3a3c1cd7b3b9543c805a6e5e6e9\",\n \"https://git.kernel.org/stable/c/b0af334616ed425024bf220adda0f004806b5feb\",\n \"https://git.kernel.org/stable/c/b5967393d50e3c6e632efda3ea3fdde14c1bfd0e\",\n \"https://git.kernel.org/stable/c/ba1bb3e2a38a7fef1c1818dd4f2d9abbfdde553a\",\n \"https://git.kernel.org/stable/c/c326551e99f5416986074ce78bef94f6a404b517\",\n \"https://git.kernel.org/stable/c/fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niio: chemical: bme680: Fix overflows in compensate() functions\\n\\nThere are cases in the compensate functions of the driver that\\nthere could be overflows of variables due to bit shifting ops.\\nThese implications were initially discussed here [1] and they\\nwere mentioned in log message of Commit 1b3bd8592780 (\\\"iio:\\nchemical: Add support for Bosch BME680 sensor\\\").\\n\\n[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42086\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42087", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42087" + }, + { + "url": "https://git.kernel.org/stable/c/1618f7a875ffd916596392fd29880c0429b8af60" + }, + { + "url": "https://git.kernel.org/stable/c/489f38de3375ab84b3d269d0a1d64d6ee95d7044" + }, + { + "url": "https://git.kernel.org/stable/c/5f41401219fbe7663b3cf65ebd4ed95ebbb8ffb9" + }, + { + "url": "https://git.kernel.org/stable/c/98686ec1824728ff41d7b358131f7d0227c2ba2a" + }, + { + "url": "https://git.kernel.org/stable/c/b71348be1236398be2d04c5e145fd6eaae86a91b" + }, + { + "url": "https://git.kernel.org/stable/c/cae52f61fda0f5d2949dc177f984c9e187d4c6a0" + }, + { + "url": "https://git.kernel.org/stable/c/e646402bf82145349fcf5dcbe395afaf02a8ce47" + }, + { + "url": "https://git.kernel.org/stable/c/ee7860cd8b5763017f8dc785c2851fecb7a0c565" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42087 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42087", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep\n\nThe ilitek-ili9881c controls the reset GPIO using the non-sleeping\ngpiod_set_value() function. This complains loudly when the GPIO\ncontroller needs to sleep. As the caller can sleep, use\ngpiod_set_value_cansleep() to fix the issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42087\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42087\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42087\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42087\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42087\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1618f7a875ffd916596392fd29880c0429b8af60\",\n \"https://git.kernel.org/stable/c/489f38de3375ab84b3d269d0a1d64d6ee95d7044\",\n \"https://git.kernel.org/stable/c/5f41401219fbe7663b3cf65ebd4ed95ebbb8ffb9\",\n \"https://git.kernel.org/stable/c/98686ec1824728ff41d7b358131f7d0227c2ba2a\",\n \"https://git.kernel.org/stable/c/b71348be1236398be2d04c5e145fd6eaae86a91b\",\n \"https://git.kernel.org/stable/c/cae52f61fda0f5d2949dc177f984c9e187d4c6a0\",\n \"https://git.kernel.org/stable/c/e646402bf82145349fcf5dcbe395afaf02a8ce47\",\n \"https://git.kernel.org/stable/c/ee7860cd8b5763017f8dc785c2851fecb7a0c565\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep\\n\\nThe ilitek-ili9881c controls the reset GPIO using the non-sleeping\\ngpiod_set_value() function. This complains loudly when the GPIO\\ncontroller needs to sleep. As the caller can sleep, use\\ngpiod_set_value_cansleep() to fix the issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42087\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42089", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42089" + }, + { + "url": "https://git.kernel.org/stable/c/29bc9e7c75398b0d12fc30955f2e9b2dd29ffaed" + }, + { + "url": "https://git.kernel.org/stable/c/3662eb2170e59b58ad479982dc1084889ba757b9" + }, + { + "url": "https://git.kernel.org/stable/c/544ab46b7ece6d6bebbdee5d5659c0a0f804a99a" + }, + { + "url": "https://git.kernel.org/stable/c/7c18b4d89ff9c810b6e562408afda5ce165c4ea6" + }, + { + "url": "https://git.kernel.org/stable/c/8896e18b7c366f8faf9344abfd0971435f1c723a" + }, + { + "url": "https://git.kernel.org/stable/c/8faf91e58425c2f6ce773250dfd995f1c2d461ac" + }, + { + "url": "https://git.kernel.org/stable/c/90f3feb24172185f1832636264943e8b5e289245" + }, + { + "url": "https://git.kernel.org/stable/c/ae81535ce2503aabc4adab3472f4338070cdeb6a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42089 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42089", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: fsl-asoc-card: set priv->pdev before using it\n\npriv->pdev pointer was set after being used in\nfsl_asoc_card_audmux_init().\nMove this assignment at the start of the probe function, so\nsub-functions can correctly use pdev through priv.\n\nfsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the\ndev struct, used with dev_err macros.\nAs priv is zero-initialised, there would be a NULL pointer dereference.\nNote that if priv->dev is dereferenced before assignment but never used,\nfor example if there is no error to be printed, the driver won't crash\nprobably due to compiler optimisations.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42089\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42089\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42089\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42089\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42089\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/29bc9e7c75398b0d12fc30955f2e9b2dd29ffaed\",\n \"https://git.kernel.org/stable/c/3662eb2170e59b58ad479982dc1084889ba757b9\",\n \"https://git.kernel.org/stable/c/544ab46b7ece6d6bebbdee5d5659c0a0f804a99a\",\n \"https://git.kernel.org/stable/c/7c18b4d89ff9c810b6e562408afda5ce165c4ea6\",\n \"https://git.kernel.org/stable/c/8896e18b7c366f8faf9344abfd0971435f1c723a\",\n \"https://git.kernel.org/stable/c/8faf91e58425c2f6ce773250dfd995f1c2d461ac\",\n \"https://git.kernel.org/stable/c/90f3feb24172185f1832636264943e8b5e289245\",\n \"https://git.kernel.org/stable/c/ae81535ce2503aabc4adab3472f4338070cdeb6a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nASoC: fsl-asoc-card: set priv->pdev before using it\\n\\npriv->pdev pointer was set after being used in\\nfsl_asoc_card_audmux_init().\\nMove this assignment at the start of the probe function, so\\nsub-functions can correctly use pdev through priv.\\n\\nfsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the\\ndev struct, used with dev_err macros.\\nAs priv is zero-initialised, there would be a NULL pointer dereference.\\nNote that if priv->dev is dereferenced before assignment but never used,\\nfor example if there is no error to be printed, the driver won't crash\\nprobably due to compiler optimisations.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42089\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42090", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42090" + }, + { + "url": "https://git.kernel.org/stable/c/01fe2f885f7813f8aed5d3704b384a97b1116a9e" + }, + { + "url": "https://git.kernel.org/stable/c/4038c57bf61631219b31f1bd6e92106ec7f084dc" + }, + { + "url": "https://git.kernel.org/stable/c/420ce1261907e5dbeda1e4daffd5b6c76f8188c0" + }, + { + "url": "https://git.kernel.org/stable/c/48a7a7c9571c3e62f17012dd7f2063e926179ddd" + }, + { + "url": "https://git.kernel.org/stable/c/adec57ff8e66aee632f3dd1f93787c13d112b7a1" + }, + { + "url": "https://git.kernel.org/stable/c/b36efd2e3e22a329444b6b24fa48df6d20ae66e6" + }, + { + "url": "https://git.kernel.org/stable/c/b813e3fd102a959c5b208ed68afe27e0137a561b" + }, + { + "url": "https://git.kernel.org/stable/c/e65a0dc2e85efb28e182aca50218e8a056d0ce04" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42090 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42090", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER\n\nIn create_pinctrl(), pinctrl_maps_mutex is acquired before calling\nadd_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()\ncalls pinctrl_free(). However, pinctrl_free() attempts to acquire\npinctrl_maps_mutex, which is already held by create_pinctrl(), leading to\na potential deadlock.\n\nThis patch resolves the issue by releasing pinctrl_maps_mutex before\ncalling pinctrl_free(), preventing the deadlock.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42090\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42090\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42090\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42090\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42090\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01fe2f885f7813f8aed5d3704b384a97b1116a9e\",\n \"https://git.kernel.org/stable/c/4038c57bf61631219b31f1bd6e92106ec7f084dc\",\n \"https://git.kernel.org/stable/c/420ce1261907e5dbeda1e4daffd5b6c76f8188c0\",\n \"https://git.kernel.org/stable/c/48a7a7c9571c3e62f17012dd7f2063e926179ddd\",\n \"https://git.kernel.org/stable/c/adec57ff8e66aee632f3dd1f93787c13d112b7a1\",\n \"https://git.kernel.org/stable/c/b36efd2e3e22a329444b6b24fa48df6d20ae66e6\",\n \"https://git.kernel.org/stable/c/b813e3fd102a959c5b208ed68afe27e0137a561b\",\n \"https://git.kernel.org/stable/c/e65a0dc2e85efb28e182aca50218e8a056d0ce04\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER\\n\\nIn create_pinctrl(), pinctrl_maps_mutex is acquired before calling\\nadd_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()\\ncalls pinctrl_free(). However, pinctrl_free() attempts to acquire\\npinctrl_maps_mutex, which is already held by create_pinctrl(), leading to\\na potential deadlock.\\n\\nThis patch resolves the issue by releasing pinctrl_maps_mutex before\\ncalling pinctrl_free(), preventing the deadlock.\\n\\nThis bug was discovered and resolved using Coverity Static Analysis\\nSecurity Testing (SAST) by Synopsys, Inc.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42090\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42091", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42091" + }, + { + "url": "https://git.kernel.org/stable/c/583ce246c7ff9edeb0de49130cdc3d45db8545cb" + }, + { + "url": "https://git.kernel.org/stable/c/a918e771e6fbe1fa68932af5b0cdf473e23090cc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42091 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42091", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Check pat.ops before dumping PAT settings\n\nWe may leave pat.ops unset when running on brand new platform or\nwhen running as a VF. While the former is unlikely, the latter\nis valid (future) use case and will cause NPD when someone will\ntry to dump PAT settings by debugfs.\n\nIt's better to check pointer to pat.ops instead of specific .dump\nhook, as we have this hook always defined for every .ops variant.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42091\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42091\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42091\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42091\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42091\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/583ce246c7ff9edeb0de49130cdc3d45db8545cb\",\n \"https://git.kernel.org/stable/c/a918e771e6fbe1fa68932af5b0cdf473e23090cc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/xe: Check pat.ops before dumping PAT settings\\n\\nWe may leave pat.ops unset when running on brand new platform or\\nwhen running as a VF. While the former is unlikely, the latter\\nis valid (future) use case and will cause NPD when someone will\\ntry to dump PAT settings by debugfs.\\n\\nIt's better to check pointer to pat.ops instead of specific .dump\\nhook, as we have this hook always defined for every .ops variant.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42091\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42092", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42092" + }, + { + "url": "https://git.kernel.org/stable/c/2d83492259ad746b655f196cd5d1be4b3d0a3782" + }, + { + "url": "https://git.kernel.org/stable/c/70b48899f3f23f98a52c5b1060aefbdc7ba7957b" + }, + { + "url": "https://git.kernel.org/stable/c/7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164" + }, + { + "url": "https://git.kernel.org/stable/c/89d7008af4945808677662a630643b5ea89c6e8d" + }, + { + "url": "https://git.kernel.org/stable/c/a8d78984fdc105bc1a38b73e98d32b1bc4222684" + }, + { + "url": "https://git.kernel.org/stable/c/c542e51306d5f1eba3af84daa005826223382470" + }, + { + "url": "https://git.kernel.org/stable/c/cd75721984337c38a12aeca33ba301d31ca4b3fd" + }, + { + "url": "https://git.kernel.org/stable/c/e44a83bf15c4db053ac6dfe96a23af184c9136d9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42092 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42092", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: davinci: Validate the obtained number of IRQs\n\nValue of pdata->gpio_unbanked is taken from Device Tree. In case of broken\nDT due to any error this value can be any. Without this value validation\nthere can be out of chips->irqs array boundaries access in\ndavinci_gpio_probe().\n\nValidate the obtained nirq value so that it won't exceed the maximum\nnumber of IRQs per bank.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42092\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42092\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42092\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42092\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42092\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d83492259ad746b655f196cd5d1be4b3d0a3782\",\n \"https://git.kernel.org/stable/c/70b48899f3f23f98a52c5b1060aefbdc7ba7957b\",\n \"https://git.kernel.org/stable/c/7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164\",\n \"https://git.kernel.org/stable/c/89d7008af4945808677662a630643b5ea89c6e8d\",\n \"https://git.kernel.org/stable/c/a8d78984fdc105bc1a38b73e98d32b1bc4222684\",\n \"https://git.kernel.org/stable/c/c542e51306d5f1eba3af84daa005826223382470\",\n \"https://git.kernel.org/stable/c/cd75721984337c38a12aeca33ba301d31ca4b3fd\",\n \"https://git.kernel.org/stable/c/e44a83bf15c4db053ac6dfe96a23af184c9136d9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpio: davinci: Validate the obtained number of IRQs\\n\\nValue of pdata->gpio_unbanked is taken from Device Tree. In case of broken\\nDT due to any error this value can be any. Without this value validation\\nthere can be out of chips->irqs array boundaries access in\\ndavinci_gpio_probe().\\n\\nValidate the obtained nirq value so that it won't exceed the maximum\\nnumber of IRQs per bank.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42092\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42093", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42093" + }, + { + "url": "https://git.kernel.org/stable/c/48147337d7efdea6ad6e49f5b8eb894b95868ef0" + }, + { + "url": "https://git.kernel.org/stable/c/5e4f25091e6d06e99a23f724c839a58a8776a527" + }, + { + "url": "https://git.kernel.org/stable/c/69f49527aea12c23b78fb3d0a421950bf44fb4e2" + }, + { + "url": "https://git.kernel.org/stable/c/763896ab62a672d728f5eb10ac90d98c607a8509" + }, + { + "url": "https://git.kernel.org/stable/c/a55afc0f5f20ba30970aaf7271929dc00eee5e7d" + }, + { + "url": "https://git.kernel.org/stable/c/b2262b3be27cee334a2fa175ae3afb53f38fb0b1" + }, + { + "url": "https://git.kernel.org/stable/c/d33fe1714a44ff540629b149d8fab4ac6967585c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42093 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42093", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/dpaa2: Avoid explicit cpumask var allocation on stack\n\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\nvariable on stack is not recommended since it can cause potential stack\noverflow.\n\nInstead, kernel code should always use *cpumask_var API(s) to allocate\ncpumask var in config-neutral way, leaving allocation strategy to\nCONFIG_CPUMASK_OFFSTACK.\n\nUse *cpumask_var API(s) to address it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42093\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42093\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42093\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42093\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42093\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/48147337d7efdea6ad6e49f5b8eb894b95868ef0\",\n \"https://git.kernel.org/stable/c/5e4f25091e6d06e99a23f724c839a58a8776a527\",\n \"https://git.kernel.org/stable/c/69f49527aea12c23b78fb3d0a421950bf44fb4e2\",\n \"https://git.kernel.org/stable/c/763896ab62a672d728f5eb10ac90d98c607a8509\",\n \"https://git.kernel.org/stable/c/a55afc0f5f20ba30970aaf7271929dc00eee5e7d\",\n \"https://git.kernel.org/stable/c/b2262b3be27cee334a2fa175ae3afb53f38fb0b1\",\n \"https://git.kernel.org/stable/c/d33fe1714a44ff540629b149d8fab4ac6967585c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/dpaa2: Avoid explicit cpumask var allocation on stack\\n\\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\\nvariable on stack is not recommended since it can cause potential stack\\noverflow.\\n\\nInstead, kernel code should always use *cpumask_var API(s) to allocate\\ncpumask var in config-neutral way, leaving allocation strategy to\\nCONFIG_CPUMASK_OFFSTACK.\\n\\nUse *cpumask_var API(s) to address it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42093\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42094", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42094" + }, + { + "url": "https://git.kernel.org/stable/c/0af718a690acc089aa1bbb95a93df833d864ef53" + }, + { + "url": "https://git.kernel.org/stable/c/2b085521be5292016097b5e7ca81b26be3f7098d" + }, + { + "url": "https://git.kernel.org/stable/c/2d090c7f7be3b26fcb80ac04d08a4a8062b1d959" + }, + { + "url": "https://git.kernel.org/stable/c/724e7965af054079242b8d6f7e50ee226730a756" + }, + { + "url": "https://git.kernel.org/stable/c/842afb47d84536fc976fece8fb6c54bea711ad1a" + }, + { + "url": "https://git.kernel.org/stable/c/9dadab0db7d904413ea1cdaa13f127da05c31e71" + }, + { + "url": "https://git.kernel.org/stable/c/be4e1304419c99a164b4c0e101c7c2a756b635b9" + }, + { + "url": "https://git.kernel.org/stable/c/d85ca8179a54ff8cf1e1f8c3c9e3799831319bae" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42094 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42094", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: Avoid explicit cpumask var allocation on stack\n\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\nvariable on stack is not recommended since it can cause potential stack\noverflow.\n\nInstead, kernel code should always use *cpumask_var API(s) to allocate\ncpumask var in config-neutral way, leaving allocation strategy to\nCONFIG_CPUMASK_OFFSTACK.\n\nUse *cpumask_var API(s) to address it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42094\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42094\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42094\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42094\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42094\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0af718a690acc089aa1bbb95a93df833d864ef53\",\n \"https://git.kernel.org/stable/c/2b085521be5292016097b5e7ca81b26be3f7098d\",\n \"https://git.kernel.org/stable/c/2d090c7f7be3b26fcb80ac04d08a4a8062b1d959\",\n \"https://git.kernel.org/stable/c/724e7965af054079242b8d6f7e50ee226730a756\",\n \"https://git.kernel.org/stable/c/842afb47d84536fc976fece8fb6c54bea711ad1a\",\n \"https://git.kernel.org/stable/c/9dadab0db7d904413ea1cdaa13f127da05c31e71\",\n \"https://git.kernel.org/stable/c/be4e1304419c99a164b4c0e101c7c2a756b635b9\",\n \"https://git.kernel.org/stable/c/d85ca8179a54ff8cf1e1f8c3c9e3799831319bae\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/iucv: Avoid explicit cpumask var allocation on stack\\n\\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\\nvariable on stack is not recommended since it can cause potential stack\\noverflow.\\n\\nInstead, kernel code should always use *cpumask_var API(s) to allocate\\ncpumask var in config-neutral way, leaving allocation strategy to\\nCONFIG_CPUMASK_OFFSTACK.\\n\\nUse *cpumask_var API(s) to address it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42094\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42095", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42095" + }, + { + "url": "https://git.kernel.org/stable/c/6270051f656004ca5cde644c73cb1fa4d718792e" + }, + { + "url": "https://git.kernel.org/stable/c/87257a28271c828a98f762bf2dd803c1793d2b5b" + }, + { + "url": "https://git.kernel.org/stable/c/98840e410d53329f5331ecdce095e740791963d0" + }, + { + "url": "https://git.kernel.org/stable/c/9d141c1e615795eeb93cd35501ad144ee997a826" + }, + { + "url": "https://git.kernel.org/stable/c/cb879300669881970eabebe64bd509dbbe42b9de" + }, + { + "url": "https://git.kernel.org/stable/c/e67d7f38008e56fb691b6a72cadf16c107c2f48b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42095 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42095", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_omap: Implementation of Errata i2310\n\nAs per Errata i2310[0], Erroneous timeout can be triggered,\nif this Erroneous interrupt is not cleared then it may leads\nto storm of interrupts, therefore apply Errata i2310 solution.\n\n[0] https://www.ti.com/lit/pdf/sprz536 page 23", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42095\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42095\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42095\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42095\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42095\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6270051f656004ca5cde644c73cb1fa4d718792e\",\n \"https://git.kernel.org/stable/c/87257a28271c828a98f762bf2dd803c1793d2b5b\",\n \"https://git.kernel.org/stable/c/98840e410d53329f5331ecdce095e740791963d0\",\n \"https://git.kernel.org/stable/c/9d141c1e615795eeb93cd35501ad144ee997a826\",\n \"https://git.kernel.org/stable/c/cb879300669881970eabebe64bd509dbbe42b9de\",\n \"https://git.kernel.org/stable/c/e67d7f38008e56fb691b6a72cadf16c107c2f48b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: 8250_omap: Implementation of Errata i2310\\n\\nAs per Errata i2310[0], Erroneous timeout can be triggered,\\nif this Erroneous interrupt is not cleared then it may leads\\nto storm of interrupts, therefore apply Errata i2310 solution.\\n\\n[0] https://www.ti.com/lit/pdf/sprz536 page 23\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42095\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42096", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42096" + }, + { + "url": "https://git.kernel.org/stable/c/093d9603b60093a9aaae942db56107f6432a5dca" + }, + { + "url": "https://git.kernel.org/stable/c/161cef818545ecf980f0e2ebaf8ba7326ce53c2b" + }, + { + "url": "https://git.kernel.org/stable/c/16222beb9f8e5ceb0beeb5cbe54bef16df501a92" + }, + { + "url": "https://git.kernel.org/stable/c/27c3be840911b15a3f24ed623f86153c825b6b29" + }, + { + "url": "https://git.kernel.org/stable/c/2d07fea561d64357fb7b3f3751e653bf20306d77" + }, + { + "url": "https://git.kernel.org/stable/c/49c09ca35a5f521d7fa18caf62fdf378f15e8aa4" + }, + { + "url": "https://git.kernel.org/stable/c/65ebdde16e7f5da99dbf8a548fb635837d78384e" + }, + { + "url": "https://git.kernel.org/stable/c/a3b65c8cbc139bfce9541bc81c1bb766e5ba3f68" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42096 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42096", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: stop playing stack games in profile_pc()\n\nThe 'profile_pc()' function is used for timer-based profiling, which\nisn't really all that relevant any more to begin with, but it also ends\nup making assumptions based on the stack layout that aren't necessarily\nvalid.\n\nBasically, the code tries to account the time spent in spinlocks to the\ncaller rather than the spinlock, and while I support that as a concept,\nit's not worth the code complexity or the KASAN warnings when no serious\nprofiling is done using timers anyway these days.\n\nAnd the code really does depend on stack layout that is only true in the\nsimplest of cases. We've lost the comment at some point (I think when\nthe 32-bit and 64-bit code was unified), but it used to say:\n\n\tAssume the lock function has either no stack frame or a copy\n\tof eflags from PUSHF.\n\nwhich explains why it just blindly loads a word or two straight off the\nstack pointer and then takes a minimal look at the values to just check\nif they might be eflags or the return pc:\n\n\tEflags always has bits 22 and up cleared unlike kernel addresses\n\nbut that basic stack layout assumption assumes that there isn't any lock\ndebugging etc going on that would complicate the code and cause a stack\nframe.\n\nIt causes KASAN unhappiness reported for years by syzkaller [1] and\nothers [2].\n\nWith no real practical reason for this any more, just remove the code.\n\nJust for historical interest, here's some background commits relating to\nthis code from 2006:\n\n 0cb91a229364 (\"i386: Account spinlocks to the caller during profiling for !FP kernels\")\n 31679f38d886 (\"Simplify profile_pc on x86-64\")\n\nand a code unification from 2009:\n\n ef4512882dbe (\"x86: time_32/64.c unify profile_pc\")\n\nbut the basics of this thing actually goes back to before the git tree.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42096\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42096\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42096\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42096\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42096\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/093d9603b60093a9aaae942db56107f6432a5dca\",\n \"https://git.kernel.org/stable/c/161cef818545ecf980f0e2ebaf8ba7326ce53c2b\",\n \"https://git.kernel.org/stable/c/16222beb9f8e5ceb0beeb5cbe54bef16df501a92\",\n \"https://git.kernel.org/stable/c/27c3be840911b15a3f24ed623f86153c825b6b29\",\n \"https://git.kernel.org/stable/c/2d07fea561d64357fb7b3f3751e653bf20306d77\",\n \"https://git.kernel.org/stable/c/49c09ca35a5f521d7fa18caf62fdf378f15e8aa4\",\n \"https://git.kernel.org/stable/c/65ebdde16e7f5da99dbf8a548fb635837d78384e\",\n \"https://git.kernel.org/stable/c/a3b65c8cbc139bfce9541bc81c1bb766e5ba3f68\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86: stop playing stack games in profile_pc()\\n\\nThe 'profile_pc()' function is used for timer-based profiling, which\\nisn't really all that relevant any more to begin with, but it also ends\\nup making assumptions based on the stack layout that aren't necessarily\\nvalid.\\n\\nBasically, the code tries to account the time spent in spinlocks to the\\ncaller rather than the spinlock, and while I support that as a concept,\\nit's not worth the code complexity or the KASAN warnings when no serious\\nprofiling is done using timers anyway these days.\\n\\nAnd the code really does depend on stack layout that is only true in the\\nsimplest of cases. We've lost the comment at some point (I think when\\nthe 32-bit and 64-bit code was unified), but it used to say:\\n\\n\\tAssume the lock function has either no stack frame or a copy\\n\\tof eflags from PUSHF.\\n\\nwhich explains why it just blindly loads a word or two straight off the\\nstack pointer and then takes a minimal look at the values to just check\\nif they might be eflags or the return pc:\\n\\n\\tEflags always has bits 22 and up cleared unlike kernel addresses\\n\\nbut that basic stack layout assumption assumes that there isn't any lock\\ndebugging etc going on that would complicate the code and cause a stack\\nframe.\\n\\nIt causes KASAN unhappiness reported for years by syzkaller [1] and\\nothers [2].\\n\\nWith no real practical reason for this any more, just remove the code.\\n\\nJust for historical interest, here's some background commits relating to\\nthis code from 2006:\\n\\n 0cb91a229364 (\\\"i386: Account spinlocks to the caller during profiling for !FP kernels\\\")\\n 31679f38d886 (\\\"Simplify profile_pc on x86-64\\\")\\n\\nand a code unification from 2009:\\n\\n ef4512882dbe (\\\"x86: time_32/64.c unify profile_pc\\\")\\n\\nbut the basics of this thing actually goes back to before the git tree.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42096\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42097", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42097" + }, + { + "url": "https://git.kernel.org/stable/c/40d7def67841343c10f8642a41031fecbb248bab" + }, + { + "url": "https://git.kernel.org/stable/c/79d9a000f0220cdaba1682d2a23c0d0c61d620a3" + }, + { + "url": "https://git.kernel.org/stable/c/7a18293fd8d8519c2f7a03753bc1583b18e3db69" + }, + { + "url": "https://git.kernel.org/stable/c/87039b83fb7bfd7d0e0499aaa8e6c049906b4d14" + }, + { + "url": "https://git.kernel.org/stable/c/89b32ccb12ae67e630c6453d778ec30a592a212f" + }, + { + "url": "https://git.kernel.org/stable/c/d0ff2443fcbb472206d45a5d2a90cc694065804e" + }, + { + "url": "https://git.kernel.org/stable/c/d23982ea9aa438f35a8c8a6305943e98a8db90f6" + }, + { + "url": "https://git.kernel.org/stable/c/d8f5ce3cb9adf0c72e2ad6089aba02d7a32469c2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42097 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42097", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: emux: improve patch ioctl data validation\n\nIn load_data(), make the validation of and skipping over the main info\nblock match that in load_guspatch().\n\nIn load_guspatch(), add checking that the specified patch length matches\nthe actually supplied data, like load_data() already did.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42097\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42097\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42097\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42097\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42097\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/40d7def67841343c10f8642a41031fecbb248bab\",\n \"https://git.kernel.org/stable/c/79d9a000f0220cdaba1682d2a23c0d0c61d620a3\",\n \"https://git.kernel.org/stable/c/7a18293fd8d8519c2f7a03753bc1583b18e3db69\",\n \"https://git.kernel.org/stable/c/87039b83fb7bfd7d0e0499aaa8e6c049906b4d14\",\n \"https://git.kernel.org/stable/c/89b32ccb12ae67e630c6453d778ec30a592a212f\",\n \"https://git.kernel.org/stable/c/d0ff2443fcbb472206d45a5d2a90cc694065804e\",\n \"https://git.kernel.org/stable/c/d23982ea9aa438f35a8c8a6305943e98a8db90f6\",\n \"https://git.kernel.org/stable/c/d8f5ce3cb9adf0c72e2ad6089aba02d7a32469c2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: emux: improve patch ioctl data validation\\n\\nIn load_data(), make the validation of and skipping over the main info\\nblock match that in load_guspatch().\\n\\nIn load_guspatch(), add checking that the specified patch length matches\\nthe actually supplied data, like load_data() already did.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42097\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42098", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42098" + }, + { + "url": "https://git.kernel.org/stable/c/39173b04abda87872b43c331468a4a14f8f05ce8" + }, + { + "url": "https://git.kernel.org/stable/c/73e5984e540a76a2ee1868b91590c922da8c24c9" + }, + { + "url": "https://git.kernel.org/stable/c/80575b252ab0358b7e93895b2a510beb3cb3f975" + }, + { + "url": "https://git.kernel.org/stable/c/d96187eb8e59b572a8e6a68b6a9837a867ea29df" + }, + { + "url": "https://git.kernel.org/stable/c/fd7ef325911eba1b7191b83cb580463242f2090d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42098 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42098", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ecdh - explicitly zeroize private_key\n\nprivate_key is overwritten with the key parameter passed in by the\ncaller (if present), or alternatively a newly generated private key.\nHowever, it is possible that the caller provides a key (or the newly\ngenerated key) which is shorter than the previous key. In that\nscenario, some key material from the previous key would not be\noverwritten. The easiest solution is to explicitly zeroize the entire\nprivate_key array first.\n\nNote that this patch slightly changes the behavior of this function:\npreviously, if the ecc_gen_privkey failed, the old private_key would\nremain. Now, the private_key is always zeroized. This behavior is\nconsistent with the case where params.key is set and ecc_is_key_valid\nfails.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42098\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42098\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42098\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42098\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42098\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/39173b04abda87872b43c331468a4a14f8f05ce8\",\n \"https://git.kernel.org/stable/c/73e5984e540a76a2ee1868b91590c922da8c24c9\",\n \"https://git.kernel.org/stable/c/80575b252ab0358b7e93895b2a510beb3cb3f975\",\n \"https://git.kernel.org/stable/c/d96187eb8e59b572a8e6a68b6a9837a867ea29df\",\n \"https://git.kernel.org/stable/c/fd7ef325911eba1b7191b83cb580463242f2090d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: ecdh - explicitly zeroize private_key\\n\\nprivate_key is overwritten with the key parameter passed in by the\\ncaller (if present), or alternatively a newly generated private key.\\nHowever, it is possible that the caller provides a key (or the newly\\ngenerated key) which is shorter than the previous key. In that\\nscenario, some key material from the previous key would not be\\noverwritten. The easiest solution is to explicitly zeroize the entire\\nprivate_key array first.\\n\\nNote that this patch slightly changes the behavior of this function:\\npreviously, if the ecc_gen_privkey failed, the old private_key would\\nremain. Now, the private_key is always zeroized. This behavior is\\nconsistent with the case where params.key is set and ecc_is_key_valid\\nfails.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42098\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42101", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42101" + }, + { + "url": "https://git.kernel.org/stable/c/1f32535238493008587a8c5cb17eb2ca097592ef" + }, + { + "url": "https://git.kernel.org/stable/c/274cba8d2d1b48c72d8bd90e76c9e2dc1aa0a81d" + }, + { + "url": "https://git.kernel.org/stable/c/744b229f09134ccd091427a6f9ea6d97302cfdd9" + }, + { + "url": "https://git.kernel.org/stable/c/7db5411c5d0bd9c29b8c2ad93c36b5c16ea46c9e" + }, + { + "url": "https://git.kernel.org/stable/c/80bec6825b19d95ccdfd3393cf8ec15ff2a749b4" + }, + { + "url": "https://git.kernel.org/stable/c/9baf60323efa992b7c915094529f0a1882c34e7e" + }, + { + "url": "https://git.kernel.org/stable/c/e36364f5f3785d054a94e57e971385284886d41a" + }, + { + "url": "https://git.kernel.org/stable/c/f48dd3f19614022f2e1b794fbd169d2b4c398c07" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42101 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42101", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix null pointer dereference in nouveau_connector_get_modes\n\nIn nouveau_connector_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a possible NULL pointer\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42101\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42101\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42101\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42101\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42101\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1f32535238493008587a8c5cb17eb2ca097592ef\",\n \"https://git.kernel.org/stable/c/274cba8d2d1b48c72d8bd90e76c9e2dc1aa0a81d\",\n \"https://git.kernel.org/stable/c/744b229f09134ccd091427a6f9ea6d97302cfdd9\",\n \"https://git.kernel.org/stable/c/7db5411c5d0bd9c29b8c2ad93c36b5c16ea46c9e\",\n \"https://git.kernel.org/stable/c/80bec6825b19d95ccdfd3393cf8ec15ff2a749b4\",\n \"https://git.kernel.org/stable/c/9baf60323efa992b7c915094529f0a1882c34e7e\",\n \"https://git.kernel.org/stable/c/e36364f5f3785d054a94e57e971385284886d41a\",\n \"https://git.kernel.org/stable/c/f48dd3f19614022f2e1b794fbd169d2b4c398c07\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/nouveau: fix null pointer dereference in nouveau_connector_get_modes\\n\\nIn nouveau_connector_get_modes(), the return value of drm_mode_duplicate()\\nis assigned to mode, which will lead to a possible NULL pointer\\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42101\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42102", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42102" + }, + { + "url": "https://git.kernel.org/stable/c/000099d71648504fb9c7a4616f92c2b70c3e44ec" + }, + { + "url": "https://git.kernel.org/stable/c/145faa3d03688cbb7bbaaecbd84c01539852942c" + }, + { + "url": "https://git.kernel.org/stable/c/23a28f5f3f6ca1e4184bd0e9631cd0944cf1c807" + }, + { + "url": "https://git.kernel.org/stable/c/253f9ea7e8e53a5176bd80ceb174907b10724c1a" + }, + { + "url": "https://git.kernel.org/stable/c/2820005edae13b140f2d54267d1bd6bb23915f59" + }, + { + "url": "https://git.kernel.org/stable/c/30139c702048f1097342a31302cbd3d478f50c63" + }, + { + "url": "https://git.kernel.org/stable/c/cbbe17a324437c0ff99881a3ee453da45b228a00" + }, + { + "url": "https://git.kernel.org/stable/c/f6620df12cb6bdcad671d269debbb23573502f9d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42102 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42102", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\"\n\nPatch series \"mm: Avoid possible overflows in dirty throttling\".\n\nDirty throttling logic assumes dirty limits in page units fit into\n32-bits. This patch series makes sure this is true (see patch 2/2 for\nmore details).\n\n\nThis patch (of 2):\n\nThis reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.\n\nThe commit is broken in several ways. Firstly, the removed (u64) cast\nfrom the multiplication will introduce a multiplication overflow on 32-bit\narchs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the\ndefault settings with 4GB of RAM will trigger this). Secondly, the\ndiv64_u64() is unnecessarily expensive on 32-bit archs. We have\ndiv64_ul() in case we want to be safe & cheap. Thirdly, if dirty\nthresholds are larger than 1<<32 pages, then dirty balancing is going to\nblow up in many other spectacular ways anyway so trying to fix one\npossible overflow is just moot.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42102\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42102\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42102\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42102\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42102\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/000099d71648504fb9c7a4616f92c2b70c3e44ec\",\n \"https://git.kernel.org/stable/c/145faa3d03688cbb7bbaaecbd84c01539852942c\",\n \"https://git.kernel.org/stable/c/23a28f5f3f6ca1e4184bd0e9631cd0944cf1c807\",\n \"https://git.kernel.org/stable/c/253f9ea7e8e53a5176bd80ceb174907b10724c1a\",\n \"https://git.kernel.org/stable/c/2820005edae13b140f2d54267d1bd6bb23915f59\",\n \"https://git.kernel.org/stable/c/30139c702048f1097342a31302cbd3d478f50c63\",\n \"https://git.kernel.org/stable/c/cbbe17a324437c0ff99881a3ee453da45b228a00\",\n \"https://git.kernel.org/stable/c/f6620df12cb6bdcad671d269debbb23573502f9d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRevert \\\"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\\\"\\n\\nPatch series \\\"mm: Avoid possible overflows in dirty throttling\\\".\\n\\nDirty throttling logic assumes dirty limits in page units fit into\\n32-bits. This patch series makes sure this is true (see patch 2/2 for\\nmore details).\\n\\n\\nThis patch (of 2):\\n\\nThis reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.\\n\\nThe commit is broken in several ways. Firstly, the removed (u64) cast\\nfrom the multiplication will introduce a multiplication overflow on 32-bit\\narchs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the\\ndefault settings with 4GB of RAM will trigger this). Secondly, the\\ndiv64_u64() is unnecessarily expensive on 32-bit archs. We have\\ndiv64_ul() in case we want to be safe & cheap. Thirdly, if dirty\\nthresholds are larger than 1<<32 pages, then dirty balancing is going to\\nblow up in many other spectacular ways anyway so trying to fix one\\npossible overflow is just moot.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42102\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42104", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42104" + }, + { + "url": "https://git.kernel.org/stable/c/07c176e7acc5579c133bb923ab21316d192d0a95" + }, + { + "url": "https://git.kernel.org/stable/c/1b7d549ed2c1fa202c751b69423a0d3a6bd5a180" + }, + { + "url": "https://git.kernel.org/stable/c/265fff1a01cdc083aeaf0d934c929db5cc64aebf" + }, + { + "url": "https://git.kernel.org/stable/c/2f2fa9cf7c3537958a82fbe8c8595a5eb0861ad7" + }, + { + "url": "https://git.kernel.org/stable/c/3ab40870edb883b9633dc5cd55f5a2a11afa618d" + }, + { + "url": "https://git.kernel.org/stable/c/b11e8fb93ea5eefb2e4e719497ea177a58ff6131" + }, + { + "url": "https://git.kernel.org/stable/c/bb76c6c274683c8570ad788f79d4b875bde0e458" + }, + { + "url": "https://git.kernel.org/stable/c/c33c2b0d92aa1c2262d999b2598ad6fbd53bd479" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42104 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42104", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: add missing check for inode numbers on directory entries\n\nSyzbot reported that mounting and unmounting a specific pattern of\ncorrupted nilfs2 filesystem images causes a use-after-free of metadata\nfile inodes, which triggers a kernel bug in lru_add_fn().\n\nAs Jan Kara pointed out, this is because the link count of a metadata file\ngets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),\ntries to delete that inode (ifile inode in this case).\n\nThe inconsistency occurs because directories containing the inode numbers\nof these metadata files that should not be visible in the namespace are\nread without checking.\n\nFix this issue by treating the inode numbers of these internal files as\nerrors in the sanity check helper when reading directory folios/pages.\n\nAlso thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer\nanalysis.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42104\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42104\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42104\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42104\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42104\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/07c176e7acc5579c133bb923ab21316d192d0a95\",\n \"https://git.kernel.org/stable/c/1b7d549ed2c1fa202c751b69423a0d3a6bd5a180\",\n \"https://git.kernel.org/stable/c/265fff1a01cdc083aeaf0d934c929db5cc64aebf\",\n \"https://git.kernel.org/stable/c/2f2fa9cf7c3537958a82fbe8c8595a5eb0861ad7\",\n \"https://git.kernel.org/stable/c/3ab40870edb883b9633dc5cd55f5a2a11afa618d\",\n \"https://git.kernel.org/stable/c/b11e8fb93ea5eefb2e4e719497ea177a58ff6131\",\n \"https://git.kernel.org/stable/c/bb76c6c274683c8570ad788f79d4b875bde0e458\",\n \"https://git.kernel.org/stable/c/c33c2b0d92aa1c2262d999b2598ad6fbd53bd479\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: add missing check for inode numbers on directory entries\\n\\nSyzbot reported that mounting and unmounting a specific pattern of\\ncorrupted nilfs2 filesystem images causes a use-after-free of metadata\\nfile inodes, which triggers a kernel bug in lru_add_fn().\\n\\nAs Jan Kara pointed out, this is because the link count of a metadata file\\ngets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),\\ntries to delete that inode (ifile inode in this case).\\n\\nThe inconsistency occurs because directories containing the inode numbers\\nof these metadata files that should not be visible in the namespace are\\nread without checking.\\n\\nFix this issue by treating the inode numbers of these internal files as\\nerrors in the sanity check helper when reading directory folios/pages.\\n\\nAlso thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer\\nanalysis.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42104\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42105", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42105" + }, + { + "url": "https://git.kernel.org/stable/c/08cab183a624ba71603f3754643ae11cab34dbc4" + }, + { + "url": "https://git.kernel.org/stable/c/1c91058425a01131ea30dda6cf43c67b17884d6a" + }, + { + "url": "https://git.kernel.org/stable/c/3be4dcc8d7bea52ea41f87aa4bbf959efe7a5987" + }, + { + "url": "https://git.kernel.org/stable/c/57235c3c88bb430043728d0d02f44a4efe386476" + }, + { + "url": "https://git.kernel.org/stable/c/731011ac6c37cbe97ece229fc6daa486276052c5" + }, + { + "url": "https://git.kernel.org/stable/c/9194f8ca57527958bee207919458e372d638d783" + }, + { + "url": "https://git.kernel.org/stable/c/e2fec219a36e0993642844be0f345513507031f4" + }, + { + "url": "https://git.kernel.org/stable/c/fae1959d6ab2c52677b113935e36ab4e25df37ea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42105 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42105", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix inode number range checks\n\nPatch series \"nilfs2: fix potential issues related to reserved inodes\".\n\nThis series fixes one use-after-free issue reported by syzbot, caused by\nnilfs2's internal inode being exposed in the namespace on a corrupted\nfilesystem, and a couple of flaws that cause problems if the starting\nnumber of non-reserved inodes written in the on-disk super block is\nintentionally (or corruptly) changed from its default value. \n\n\nThis patch (of 3):\n\nIn the current implementation of nilfs2, \"nilfs->ns_first_ino\", which\ngives the first non-reserved inode number, is read from the superblock,\nbut its lower limit is not checked.\n\nAs a result, if a number that overlaps with the inode number range of\nreserved inodes such as the root directory or metadata files is set in the\nsuper block parameter, the inode number test macros (NILFS_MDT_INODE and\nNILFS_VALID_INODE) will not function properly.\n\nIn addition, these test macros use left bit-shift calculations using with\nthe inode number as the shift count via the BIT macro, but the result of a\nshift calculation that exceeds the bit width of an integer is undefined in\nthe C specification, so if \"ns_first_ino\" is set to a large value other\nthan the default value NILFS_USER_INO (=11), the macros may potentially\nmalfunction depending on the environment.\n\nFix these issues by checking the lower bound of \"nilfs->ns_first_ino\" and\nby preventing bit shifts equal to or greater than the NILFS_USER_INO\nconstant in the inode number test macros.\n\nAlso, change the type of \"ns_first_ino\" from signed integer to unsigned\ninteger to avoid the need for type casting in comparisons such as the\nlower bound check introduced this time.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42105\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42105\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42105\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42105\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42105\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08cab183a624ba71603f3754643ae11cab34dbc4\",\n \"https://git.kernel.org/stable/c/1c91058425a01131ea30dda6cf43c67b17884d6a\",\n \"https://git.kernel.org/stable/c/3be4dcc8d7bea52ea41f87aa4bbf959efe7a5987\",\n \"https://git.kernel.org/stable/c/57235c3c88bb430043728d0d02f44a4efe386476\",\n \"https://git.kernel.org/stable/c/731011ac6c37cbe97ece229fc6daa486276052c5\",\n \"https://git.kernel.org/stable/c/9194f8ca57527958bee207919458e372d638d783\",\n \"https://git.kernel.org/stable/c/e2fec219a36e0993642844be0f345513507031f4\",\n \"https://git.kernel.org/stable/c/fae1959d6ab2c52677b113935e36ab4e25df37ea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix inode number range checks\\n\\nPatch series \\\"nilfs2: fix potential issues related to reserved inodes\\\".\\n\\nThis series fixes one use-after-free issue reported by syzbot, caused by\\nnilfs2's internal inode being exposed in the namespace on a corrupted\\nfilesystem, and a couple of flaws that cause problems if the starting\\nnumber of non-reserved inodes written in the on-disk super block is\\nintentionally (or corruptly) changed from its default value. \\n\\n\\nThis patch (of 3):\\n\\nIn the current implementation of nilfs2, \\\"nilfs->ns_first_ino\\\", which\\ngives the first non-reserved inode number, is read from the superblock,\\nbut its lower limit is not checked.\\n\\nAs a result, if a number that overlaps with the inode number range of\\nreserved inodes such as the root directory or metadata files is set in the\\nsuper block parameter, the inode number test macros (NILFS_MDT_INODE and\\nNILFS_VALID_INODE) will not function properly.\\n\\nIn addition, these test macros use left bit-shift calculations using with\\nthe inode number as the shift count via the BIT macro, but the result of a\\nshift calculation that exceeds the bit width of an integer is undefined in\\nthe C specification, so if \\\"ns_first_ino\\\" is set to a large value other\\nthan the default value NILFS_USER_INO (=11), the macros may potentially\\nmalfunction depending on the environment.\\n\\nFix these issues by checking the lower bound of \\\"nilfs->ns_first_ino\\\" and\\nby preventing bit shifts equal to or greater than the NILFS_USER_INO\\nconstant in the inode number test macros.\\n\\nAlso, change the type of \\\"ns_first_ino\\\" from signed integer to unsigned\\ninteger to avoid the need for type casting in comparisons such as the\\nlower bound check introduced this time.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42105\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42106", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42106" + }, + { + "url": "https://git.kernel.org/stable/c/0184bf0a349f4cf9e663abbe862ff280e8e4dfa2" + }, + { + "url": "https://git.kernel.org/stable/c/61cf1c739f08190a4cbf047b9fbb192a94d87e3f" + }, + { + "url": "https://git.kernel.org/stable/c/7094a5fd20ab66028f1da7f06e0f2692d70346f9" + }, + { + "url": "https://git.kernel.org/stable/c/76965648fe6858db7c5f3c700fef7aa5f124ca1c" + }, + { + "url": "https://git.kernel.org/stable/c/7ef519c8efde152e0d632337f2994f6921e0b7e4" + }, + { + "url": "https://git.kernel.org/stable/c/8366720519ea8d322a20780debdfd23d9fc0904a" + }, + { + "url": "https://git.kernel.org/stable/c/d6f487e0704de2f2d15f8dd5d7d723210f2b2fdb" + }, + { + "url": "https://git.kernel.org/stable/c/f9b2010e8af49fac9d9562146fb81744d8a9b051" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42106 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42106", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet_diag: Initialize pad field in struct inet_diag_req_v2\n\nKMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw\nsockets uses the pad field in struct inet_diag_req_v2 for the\nunderlying protocol. This field corresponds to the sdiag_raw_protocol\nfield in struct inet_diag_req_raw.\n\ninet_diag_get_exact_compat() converts inet_diag_req to\ninet_diag_req_v2, but leaves the pad field uninitialized. So the issue\noccurs when raw_lookup() accesses the sdiag_raw_protocol field.\n\nFix this by initializing the pad field in\ninet_diag_get_exact_compat(). Also, do the same fix in\ninet_diag_dump_compat() to avoid the similar issue in the future.\n\n[1]\nBUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]\nBUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_lookup net/ipv4/raw_diag.c:49 [inline]\n raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was stored to memory at:\n raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable req.i created at:\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]\n inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n\nCPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42106\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42106\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42106\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42106\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42106\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0184bf0a349f4cf9e663abbe862ff280e8e4dfa2\",\n \"https://git.kernel.org/stable/c/61cf1c739f08190a4cbf047b9fbb192a94d87e3f\",\n \"https://git.kernel.org/stable/c/7094a5fd20ab66028f1da7f06e0f2692d70346f9\",\n \"https://git.kernel.org/stable/c/76965648fe6858db7c5f3c700fef7aa5f124ca1c\",\n \"https://git.kernel.org/stable/c/7ef519c8efde152e0d632337f2994f6921e0b7e4\",\n \"https://git.kernel.org/stable/c/8366720519ea8d322a20780debdfd23d9fc0904a\",\n \"https://git.kernel.org/stable/c/d6f487e0704de2f2d15f8dd5d7d723210f2b2fdb\",\n \"https://git.kernel.org/stable/c/f9b2010e8af49fac9d9562146fb81744d8a9b051\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninet_diag: Initialize pad field in struct inet_diag_req_v2\\n\\nKMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw\\nsockets uses the pad field in struct inet_diag_req_v2 for the\\nunderlying protocol. This field corresponds to the sdiag_raw_protocol\\nfield in struct inet_diag_req_raw.\\n\\ninet_diag_get_exact_compat() converts inet_diag_req to\\ninet_diag_req_v2, but leaves the pad field uninitialized. So the issue\\noccurs when raw_lookup() accesses the sdiag_raw_protocol field.\\n\\nFix this by initializing the pad field in\\ninet_diag_get_exact_compat(). Also, do the same fix in\\ninet_diag_dump_compat() to avoid the similar issue in the future.\\n\\n[1]\\nBUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]\\nBUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\\n raw_lookup net/ipv4/raw_diag.c:49 [inline]\\n raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\\n inet_diag_cmd_exact+0x7d9/0x980\\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\\n __sys_sendmsg net/socket.c:2668 [inline]\\n __do_sys_sendmsg net/socket.c:2677 [inline]\\n __se_sys_sendmsg net/socket.c:2675 [inline]\\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nUninit was stored to memory at:\\n raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71\\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\\n inet_diag_cmd_exact+0x7d9/0x980\\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\\n __sys_sendmsg net/socket.c:2668 [inline]\\n __do_sys_sendmsg net/socket.c:2677 [inline]\\n __se_sys_sendmsg net/socket.c:2675 [inline]\\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nLocal variable req.i created at:\\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]\\n inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426\\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\\n\\nCPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42106\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42107", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42107" + }, + { + "url": "https://git.kernel.org/stable/c/1c4e524811918600683b1ea87a5e0fc2db64fa9b" + }, + { + "url": "https://git.kernel.org/stable/c/996422e3230e41468f652d754fefd1bdbcd4604e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42107 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42107", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't process extts if PTP is disabled\n\nThe ice_ptp_extts_event() function can race with ice_ptp_release() and\nresult in a NULL pointer dereference which leads to a kernel panic.\n\nPanic occurs because the ice_ptp_extts_event() function calls\nptp_clock_event() with a NULL pointer. The ice driver has already\nreleased the PTP clock by the time the interrupt for the next external\ntimestamp event occurs.\n\nTo fix this, modify the ice_ptp_extts_event() function to check the\nPTP state and bail early if PTP is not ready.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42107\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42107\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42107\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42107\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42107\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c4e524811918600683b1ea87a5e0fc2db64fa9b\",\n \"https://git.kernel.org/stable/c/996422e3230e41468f652d754fefd1bdbcd4604e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: Don't process extts if PTP is disabled\\n\\nThe ice_ptp_extts_event() function can race with ice_ptp_release() and\\nresult in a NULL pointer dereference which leads to a kernel panic.\\n\\nPanic occurs because the ice_ptp_extts_event() function calls\\nptp_clock_event() with a NULL pointer. The ice driver has already\\nreleased the PTP clock by the time the interrupt for the next external\\ntimestamp event occurs.\\n\\nTo fix this, modify the ice_ptp_extts_event() function to check the\\nPTP state and bail early if PTP is not ready.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42107\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42109", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42109" + }, + { + "url": "https://git.kernel.org/stable/c/09e650c3a3a7d804430260510534ccbf71c75b2e" + }, + { + "url": "https://git.kernel.org/stable/c/3325628cb36b7f216c5716e7b5124d9dc81199e4" + }, + { + "url": "https://git.kernel.org/stable/c/4c06c13317b9a08decedcd7aaf706691e336277c" + }, + { + "url": "https://git.kernel.org/stable/c/55a40406aac555defe9bdd0adec9508116ce7cb1" + }, + { + "url": "https://git.kernel.org/stable/c/9f6958ba2e902f9820c594869bd710ba74b7c4c0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42109 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42109", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally flush pending work before notifier\n\nsyzbot reports:\n\nKASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831\nKASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530\nKASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\nRead of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45\n[..]\nWorkqueue: events nf_tables_trans_destroy_work\nCall Trace:\n nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]\n nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]\n nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\n\nProblem is that the notifier does a conditional flush, but its possible\nthat the table-to-be-removed is still referenced by transactions being\nprocessed by the worker, so we need to flush unconditionally.\n\nWe could make the flush_work depend on whether we found a table to delete\nin nf-next to avoid the flush for most cases.\n\nAFAICS this problem is only exposed in nf-next, with\ncommit e169285f8c56 (\"netfilter: nf_tables: do not store nft_ctx in transaction objects\"),\nwith this commit applied there is an unconditional fetch of\ntable->family which is whats triggering the above splat.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42109\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42109\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42109\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42109\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42109\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09e650c3a3a7d804430260510534ccbf71c75b2e\",\n \"https://git.kernel.org/stable/c/3325628cb36b7f216c5716e7b5124d9dc81199e4\",\n \"https://git.kernel.org/stable/c/4c06c13317b9a08decedcd7aaf706691e336277c\",\n \"https://git.kernel.org/stable/c/55a40406aac555defe9bdd0adec9508116ce7cb1\",\n \"https://git.kernel.org/stable/c/9f6958ba2e902f9820c594869bd710ba74b7c4c0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: unconditionally flush pending work before notifier\\n\\nsyzbot reports:\\n\\nKASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831\\nKASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530\\nKASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\\nRead of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45\\n[..]\\nWorkqueue: events nf_tables_trans_destroy_work\\nCall Trace:\\n nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]\\n nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]\\n nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\\n\\nProblem is that the notifier does a conditional flush, but its possible\\nthat the table-to-be-removed is still referenced by transactions being\\nprocessed by the worker, so we need to flush unconditionally.\\n\\nWe could make the flush_work depend on whether we found a table to delete\\nin nf-next to avoid the flush for most cases.\\n\\nAFAICS this problem is only exposed in nf-next, with\\ncommit e169285f8c56 (\\\"netfilter: nf_tables: do not store nft_ctx in transaction objects\\\"),\\nwith this commit applied there is an unconditional fetch of\\ntable->family which is whats triggering the above splat.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42109\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42110", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42110" + }, + { + "url": "https://git.kernel.org/stable/c/4b3b6c7efee69f077b86ef7f088fb96768e46e1f" + }, + { + "url": "https://git.kernel.org/stable/c/858ae09f03677a4ab907a15516893bc2cc79d4c3" + }, + { + "url": "https://git.kernel.org/stable/c/e15a5d821e5192a3769d846079bc9aa380139baf" + }, + { + "url": "https://git.kernel.org/stable/c/e3af5b14e7632bf12058533d69055393e2d126c9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42110 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42110", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()\n\nThe following is emitted when using idxd (DSA) dmanegine as the data\nmover for ntb_transport that ntb_netdev uses.\n\n[74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526\n[74412.556784] caller is netif_rx_internal+0x42/0x130\n[74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5\n[74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024\n[74412.581699] Call Trace:\n[74412.584514] \n[74412.586933] dump_stack_lvl+0x55/0x70\n[74412.591129] check_preemption_disabled+0xc8/0xf0\n[74412.596374] netif_rx_internal+0x42/0x130\n[74412.600957] __netif_rx+0x20/0xd0\n[74412.604743] ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev]\n[74412.610985] ntb_complete_rxc+0xed/0x140 [ntb_transport]\n[74412.617010] ntb_rx_copy_callback+0x53/0x80 [ntb_transport]\n[74412.623332] idxd_dma_complete_txd+0xe3/0x160 [idxd]\n[74412.628963] idxd_wq_thread+0x1a6/0x2b0 [idxd]\n[74412.634046] irq_thread_fn+0x21/0x60\n[74412.638134] ? irq_thread+0xa8/0x290\n[74412.642218] irq_thread+0x1a0/0x290\n[74412.646212] ? __pfx_irq_thread_fn+0x10/0x10\n[74412.651071] ? __pfx_irq_thread_dtor+0x10/0x10\n[74412.656117] ? __pfx_irq_thread+0x10/0x10\n[74412.660686] kthread+0x100/0x130\n[74412.664384] ? __pfx_kthread+0x10/0x10\n[74412.668639] ret_from_fork+0x31/0x50\n[74412.672716] ? __pfx_kthread+0x10/0x10\n[74412.676978] ret_from_fork_asm+0x1a/0x30\n[74412.681457] \n\nThe cause is due to the idxd driver interrupt completion handler uses\nthreaded interrupt and the threaded handler is not hard or soft interrupt\ncontext. However __netif_rx() can only be called from interrupt context.\nChange the call to netif_rx() in order to allow completion via normal\ncontext for dmaengine drivers that utilize threaded irq handling.\n\nWhile the following commit changed from netif_rx() to __netif_rx(),\nbaebdf48c360 (\"net: dev: Makes sure netif_rx() can be invoked in any context.\"),\nthe change should've been a noop instead. However, the code precedes this\nfix should've been using netif_rx_ni() or netif_rx_any_context().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42110\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42110\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42110\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42110\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42110\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4b3b6c7efee69f077b86ef7f088fb96768e46e1f\",\n \"https://git.kernel.org/stable/c/858ae09f03677a4ab907a15516893bc2cc79d4c3\",\n \"https://git.kernel.org/stable/c/e15a5d821e5192a3769d846079bc9aa380139baf\",\n \"https://git.kernel.org/stable/c/e3af5b14e7632bf12058533d69055393e2d126c9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()\\n\\nThe following is emitted when using idxd (DSA) dmanegine as the data\\nmover for ntb_transport that ntb_netdev uses.\\n\\n[74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526\\n[74412.556784] caller is netif_rx_internal+0x42/0x130\\n[74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5\\n[74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024\\n[74412.581699] Call Trace:\\n[74412.584514] \\n[74412.586933] dump_stack_lvl+0x55/0x70\\n[74412.591129] check_preemption_disabled+0xc8/0xf0\\n[74412.596374] netif_rx_internal+0x42/0x130\\n[74412.600957] __netif_rx+0x20/0xd0\\n[74412.604743] ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev]\\n[74412.610985] ntb_complete_rxc+0xed/0x140 [ntb_transport]\\n[74412.617010] ntb_rx_copy_callback+0x53/0x80 [ntb_transport]\\n[74412.623332] idxd_dma_complete_txd+0xe3/0x160 [idxd]\\n[74412.628963] idxd_wq_thread+0x1a6/0x2b0 [idxd]\\n[74412.634046] irq_thread_fn+0x21/0x60\\n[74412.638134] ? irq_thread+0xa8/0x290\\n[74412.642218] irq_thread+0x1a0/0x290\\n[74412.646212] ? __pfx_irq_thread_fn+0x10/0x10\\n[74412.651071] ? __pfx_irq_thread_dtor+0x10/0x10\\n[74412.656117] ? __pfx_irq_thread+0x10/0x10\\n[74412.660686] kthread+0x100/0x130\\n[74412.664384] ? __pfx_kthread+0x10/0x10\\n[74412.668639] ret_from_fork+0x31/0x50\\n[74412.672716] ? __pfx_kthread+0x10/0x10\\n[74412.676978] ret_from_fork_asm+0x1a/0x30\\n[74412.681457] \\n\\nThe cause is due to the idxd driver interrupt completion handler uses\\nthreaded interrupt and the threaded handler is not hard or soft interrupt\\ncontext. However __netif_rx() can only be called from interrupt context.\\nChange the call to netif_rx() in order to allow completion via normal\\ncontext for dmaengine drivers that utilize threaded irq handling.\\n\\nWhile the following commit changed from netif_rx() to __netif_rx(),\\nbaebdf48c360 (\\\"net: dev: Makes sure netif_rx() can be invoked in any context.\\\"),\\nthe change should've been a noop instead. However, the code precedes this\\nfix should've been using netif_rx_ni() or netif_rx_any_context().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42110\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42114", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42114" + }, + { + "url": "https://git.kernel.org/stable/c/33ac5a4eb3d4bea2146658f1b6d1fa86d62d2b22" + }, + { + "url": "https://git.kernel.org/stable/c/3fc06f6d142d2840735543216a60d0a8c345bdec" + }, + { + "url": "https://git.kernel.org/stable/c/80ac0cc9c0bef984e29637b1efa93d7214b42f53" + }, + { + "url": "https://git.kernel.org/stable/c/8a3ac7fb36962c34698f884bd697938054ff2afa" + }, + { + "url": "https://git.kernel.org/stable/c/d1cba2ea8121e7fdbe1328cea782876b1dd80993" + }, + { + "url": "https://git.kernel.org/stable/c/e87c2f098f52aa2fe20258a5bb1738d6a74e9ed7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42114 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42114", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values\n\nsyzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM\nto 2^31.\n\nWe had a similar issue in sch_fq, fixed with commit\nd9e15a273306 (\"pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM\")\n\nwatchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]\nModules linked in:\nirq event stamp: 131135\n hardirqs last enabled at (131134): [] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]\n hardirqs last enabled at (131134): [] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95\n hardirqs last disabled at (131135): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (131135): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last enabled at (125892): [] neigh_hh_init net/core/neighbour.c:1538 [inline]\n softirqs last enabled at (125892): [] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553\n softirqs last disabled at (125896): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19\nCPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nWorkqueue: mld mld_ifc_work\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __list_del include/linux/list.h:195 [inline]\n pc : __list_del_entry include/linux/list.h:218 [inline]\n pc : list_move_tail include/linux/list.h:310 [inline]\n pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\n lr : __list_del_entry include/linux/list.h:218 [inline]\n lr : list_move_tail include/linux/list.h:310 [inline]\n lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854\nsp : ffff800093d36700\nx29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000\nx26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0\nx23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0\nx20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0\nx17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8\nx14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff\nx11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc\nx2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470\nCall trace:\n __list_del include/linux/list.h:195 [inline]\n __list_del_entry include/linux/list.h:218 [inline]\n list_move_tail include/linux/list.h:310 [inline]\n fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\n wake_tx_push_queue net/mac80211/util.c:294 [inline]\n ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315\n drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]\n schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]\n ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664\n ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966\n ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062\n __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338\n ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547\n __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563\n neigh_output include/net/neighbour.h:542 [inline]\n ip6_fini\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42114\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42114\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42114\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42114\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42114\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/33ac5a4eb3d4bea2146658f1b6d1fa86d62d2b22\",\n \"https://git.kernel.org/stable/c/3fc06f6d142d2840735543216a60d0a8c345bdec\",\n \"https://git.kernel.org/stable/c/80ac0cc9c0bef984e29637b1efa93d7214b42f53\",\n \"https://git.kernel.org/stable/c/8a3ac7fb36962c34698f884bd697938054ff2afa\",\n \"https://git.kernel.org/stable/c/d1cba2ea8121e7fdbe1328cea782876b1dd80993\",\n \"https://git.kernel.org/stable/c/e87c2f098f52aa2fe20258a5bb1738d6a74e9ed7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values\\n\\nsyzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM\\nto 2^31.\\n\\nWe had a similar issue in sch_fq, fixed with commit\\nd9e15a273306 (\\\"pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM\\\")\\n\\nwatchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]\\nModules linked in:\\nirq event stamp: 131135\\n hardirqs last enabled at (131134): [] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]\\n hardirqs last enabled at (131134): [] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95\\n hardirqs last disabled at (131135): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\\n hardirqs last disabled at (131135): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\\n softirqs last enabled at (125892): [] neigh_hh_init net/core/neighbour.c:1538 [inline]\\n softirqs last enabled at (125892): [] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553\\n softirqs last disabled at (125896): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19\\nCPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nWorkqueue: mld mld_ifc_work\\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : __list_del include/linux/list.h:195 [inline]\\n pc : __list_del_entry include/linux/list.h:218 [inline]\\n pc : list_move_tail include/linux/list.h:310 [inline]\\n pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\\n pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\\n lr : __list_del_entry include/linux/list.h:218 [inline]\\n lr : list_move_tail include/linux/list.h:310 [inline]\\n lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\\n lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854\\nsp : ffff800093d36700\\nx29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000\\nx26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0\\nx23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0\\nx20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0\\nx17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8\\nx14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff\\nx11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000\\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\\nx5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc\\nx2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470\\nCall trace:\\n __list_del include/linux/list.h:195 [inline]\\n __list_del_entry include/linux/list.h:218 [inline]\\n list_move_tail include/linux/list.h:310 [inline]\\n fq_tin_dequeue include/net/fq_impl.h:112 [inline]\\n ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\\n wake_tx_push_queue net/mac80211/util.c:294 [inline]\\n ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315\\n drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]\\n schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]\\n ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664\\n ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966\\n ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062\\n __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338\\n ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532\\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\\n xmit_one net/core/dev.c:3531 [inline]\\n dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547\\n __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341\\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\\n neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563\\n neigh_output include/net/neighbour.h:542 [inline]\\n ip6_fini\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42114\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42115", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42115" + }, + { + "url": "https://git.kernel.org/stable/c/05fc1ef892f862c1197b11b288bc00f602d2df0c" + }, + { + "url": "https://git.kernel.org/stable/c/0b3246052e01e61a55bb3a15b76acb006759fe67" + }, + { + "url": "https://git.kernel.org/stable/c/5ca26334fc8a3711fed14db7f9eb1c621be4df65" + }, + { + "url": "https://git.kernel.org/stable/c/6d6d94287f6365282bbf41e9a5b5281985970789" + }, + { + "url": "https://git.kernel.org/stable/c/751987a5d8ead0cc405fad96e83ebbaa51c82dbc" + }, + { + "url": "https://git.kernel.org/stable/c/af9a8730ddb6a4b2edd779ccc0aceb994d616830" + }, + { + "url": "https://git.kernel.org/stable/c/b6c8b3e31eb88c85094d848a0bd8b4bafe67e4d8" + }, + { + "url": "https://git.kernel.org/stable/c/d0bbbf31462a400bef4df33e22de91864f475455" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42115 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42115", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: Fix potential illegal address access in jffs2_free_inode\n\nDuring the stress testing of the jffs2 file system,the following\nabnormal printouts were found:\n[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948\n[ 2430.649622] Mem abort info:\n[ 2430.649829] ESR = 0x96000004\n[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 2430.650564] SET = 0, FnV = 0\n[ 2430.650795] EA = 0, S1PTW = 0\n[ 2430.651032] FSC = 0x04: level 0 translation fault\n[ 2430.651446] Data abort info:\n[ 2430.651683] ISV = 0, ISS = 0x00000004\n[ 2430.652001] CM = 0, WnR = 0\n[ 2430.652558] [0069696969696948] address between user and kernel address ranges\n[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33\n[ 2430.655008] Hardware name: linux,dummy-virt (DT)\n[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 2430.656142] pc : kfree+0x78/0x348\n[ 2430.656630] lr : jffs2_free_inode+0x24/0x48\n[ 2430.657051] sp : ffff800009eebd10\n[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000\n[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000\n[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14\n[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000\n[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000\n[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19\n[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14\n[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302\n[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342\n[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000\n[ 2430.664217] Call trace:\n[ 2430.664528] kfree+0x78/0x348\n[ 2430.664855] jffs2_free_inode+0x24/0x48\n[ 2430.665233] i_callback+0x24/0x50\n[ 2430.665528] rcu_do_batch+0x1ac/0x448\n[ 2430.665892] rcu_core+0x28c/0x3c8\n[ 2430.666151] rcu_core_si+0x18/0x28\n[ 2430.666473] __do_softirq+0x138/0x3cc\n[ 2430.666781] irq_exit+0xf0/0x110\n[ 2430.667065] handle_domain_irq+0x6c/0x98\n[ 2430.667447] gic_handle_irq+0xac/0xe8\n[ 2430.667739] call_on_irq_stack+0x28/0x54\nThe parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of\nthe jffs_inode_info structure. It was found that all variables in the jffs_inode_info\nstructure were 5a5a5a5a, except for the first member sem. It is suspected that these\nvariables are not initialized because they were set to 5a5a5a5a during memory testing,\nwhich is meant to detect uninitialized memory.The sem variable is initialized in the\nfunction jffs2_i_init_once, while other members are initialized in\nthe function jffs2_init_inode_info.\n\nThe function jffs2_init_inode_info is called after iget_locked,\nbut in the iget_locked function, the destroy_inode process is triggered,\nwhich releases the inode and consequently, the target member of the inode\nis not initialized.In concurrent high pressure scenarios, iget_locked\nmay enter the destroy_inode branch as described in the code.\n\nSince the destroy_inode functionality of jffs2 only releases the target,\nthe fix method is to set target to NULL in jffs2_i_init_once.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42115\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42115\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42115\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42115\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42115\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05fc1ef892f862c1197b11b288bc00f602d2df0c\",\n \"https://git.kernel.org/stable/c/0b3246052e01e61a55bb3a15b76acb006759fe67\",\n \"https://git.kernel.org/stable/c/5ca26334fc8a3711fed14db7f9eb1c621be4df65\",\n \"https://git.kernel.org/stable/c/6d6d94287f6365282bbf41e9a5b5281985970789\",\n \"https://git.kernel.org/stable/c/751987a5d8ead0cc405fad96e83ebbaa51c82dbc\",\n \"https://git.kernel.org/stable/c/af9a8730ddb6a4b2edd779ccc0aceb994d616830\",\n \"https://git.kernel.org/stable/c/b6c8b3e31eb88c85094d848a0bd8b4bafe67e4d8\",\n \"https://git.kernel.org/stable/c/d0bbbf31462a400bef4df33e22de91864f475455\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njffs2: Fix potential illegal address access in jffs2_free_inode\\n\\nDuring the stress testing of the jffs2 file system,the following\\nabnormal printouts were found:\\n[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948\\n[ 2430.649622] Mem abort info:\\n[ 2430.649829] ESR = 0x96000004\\n[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits\\n[ 2430.650564] SET = 0, FnV = 0\\n[ 2430.650795] EA = 0, S1PTW = 0\\n[ 2430.651032] FSC = 0x04: level 0 translation fault\\n[ 2430.651446] Data abort info:\\n[ 2430.651683] ISV = 0, ISS = 0x00000004\\n[ 2430.652001] CM = 0, WnR = 0\\n[ 2430.652558] [0069696969696948] address between user and kernel address ranges\\n[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP\\n[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33\\n[ 2430.655008] Hardware name: linux,dummy-virt (DT)\\n[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[ 2430.656142] pc : kfree+0x78/0x348\\n[ 2430.656630] lr : jffs2_free_inode+0x24/0x48\\n[ 2430.657051] sp : ffff800009eebd10\\n[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000\\n[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000\\n[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14\\n[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000\\n[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000\\n[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19\\n[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14\\n[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302\\n[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342\\n[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000\\n[ 2430.664217] Call trace:\\n[ 2430.664528] kfree+0x78/0x348\\n[ 2430.664855] jffs2_free_inode+0x24/0x48\\n[ 2430.665233] i_callback+0x24/0x50\\n[ 2430.665528] rcu_do_batch+0x1ac/0x448\\n[ 2430.665892] rcu_core+0x28c/0x3c8\\n[ 2430.666151] rcu_core_si+0x18/0x28\\n[ 2430.666473] __do_softirq+0x138/0x3cc\\n[ 2430.666781] irq_exit+0xf0/0x110\\n[ 2430.667065] handle_domain_irq+0x6c/0x98\\n[ 2430.667447] gic_handle_irq+0xac/0xe8\\n[ 2430.667739] call_on_irq_stack+0x28/0x54\\nThe parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of\\nthe jffs_inode_info structure. It was found that all variables in the jffs_inode_info\\nstructure were 5a5a5a5a, except for the first member sem. It is suspected that these\\nvariables are not initialized because they were set to 5a5a5a5a during memory testing,\\nwhich is meant to detect uninitialized memory.The sem variable is initialized in the\\nfunction jffs2_i_init_once, while other members are initialized in\\nthe function jffs2_init_inode_info.\\n\\nThe function jffs2_init_inode_info is called after iget_locked,\\nbut in the iget_locked function, the destroy_inode process is triggered,\\nwhich releases the inode and consequently, the target member of the inode\\nis not initialized.In concurrent high pressure scenarios, iget_locked\\nmay enter the destroy_inode branch as described in the code.\\n\\nSince the destroy_inode functionality of jffs2 only releases the target,\\nthe fix method is to set target to NULL in jffs2_i_init_once.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42115\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42116", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42116" + }, + { + "url": "https://git.kernel.org/stable/c/86167183a17e03ec77198897975e9fdfbd53cb0b" + }, + { + "url": "https://git.kernel.org/stable/c/96839f3f588236593de36465f142b0126267f8b6" + }, + { + "url": "https://git.kernel.org/stable/c/98c8958980e829f023a490b9a9816ca1fe2f8b79" + }, + { + "url": "https://git.kernel.org/stable/c/991f036cabc3d13e886a37faeea1b6800181fdda" + }, + { + "url": "https://git.kernel.org/stable/c/d478ec838cf2b1e1051a8709cfc744fe1c03110f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42116 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42116", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: fix a log entry using uninitialized netdev\n\nDuring successful probe, igc logs this:\n\n[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nThe reason is that igc_ptp_init() is called very early, even before\nregister_netdev() has been called. So the netdev_info() call works\non a partially uninitialized netdev.\n\nFix this by calling igc_ptp_init() after register_netdev(), right\nafter the media autosense check, just as in igb. Add a comment,\njust as in igb.\n\nNow the log message is fine:\n\n[ 5.200987] igc 0000:01:00.0 eth0: PHC added", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42116\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42116\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42116\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42116\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42116\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/86167183a17e03ec77198897975e9fdfbd53cb0b\",\n \"https://git.kernel.org/stable/c/96839f3f588236593de36465f142b0126267f8b6\",\n \"https://git.kernel.org/stable/c/98c8958980e829f023a490b9a9816ca1fe2f8b79\",\n \"https://git.kernel.org/stable/c/991f036cabc3d13e886a37faeea1b6800181fdda\",\n \"https://git.kernel.org/stable/c/d478ec838cf2b1e1051a8709cfc744fe1c03110f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nigc: fix a log entry using uninitialized netdev\\n\\nDuring successful probe, igc logs this:\\n\\n[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added\\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\\nThe reason is that igc_ptp_init() is called very early, even before\\nregister_netdev() has been called. So the netdev_info() call works\\non a partially uninitialized netdev.\\n\\nFix this by calling igc_ptp_init() after register_netdev(), right\\nafter the media autosense check, just as in igb. Add a comment,\\njust as in igb.\\n\\nNow the log message is fine:\\n\\n[ 5.200987] igc 0000:01:00.0 eth0: PHC added\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42116\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42117", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42117" + }, + { + "url": "https://git.kernel.org/stable/c/01eb50e53c1ce505bf449348d433181310288765" + }, + { + "url": "https://git.kernel.org/stable/c/a9c047a5cf3135b8b66bd28fbe2c698b9cace0b3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42117 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42117", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: ASSERT when failing to find index by plane/stream id\n\n[WHY]\nfind_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns\nan array index and they return -1 when not found; however, -1 is not a\nvalid index number.\n\n[HOW]\nWhen this happens, call ASSERT(), and return a positive number (which is\nfewer than callers' array size) instead.\n\nThis fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42117\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42117\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42117\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42117\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42117\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01eb50e53c1ce505bf449348d433181310288765\",\n \"https://git.kernel.org/stable/c/a9c047a5cf3135b8b66bd28fbe2c698b9cace0b3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: ASSERT when failing to find index by plane/stream id\\n\\n[WHY]\\nfind_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns\\nan array index and they return -1 when not found; however, -1 is not a\\nvalid index number.\\n\\n[HOW]\\nWhen this happens, call ASSERT(), and return a positive number (which is\\nfewer than callers' array size) instead.\\n\\nThis fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42117\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42118", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42118" + }, + { + "url": "https://git.kernel.org/stable/c/3ac31c9a707dd1c7c890b95333182f955e9dcb57" + }, + { + "url": "https://git.kernel.org/stable/c/a76fa9c4f0fc0aa6f517da3fa7d7c23e8a32c7d0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42118 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42118", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Do not return negative stream id for array\n\n[WHY]\nresource_stream_to_stream_idx returns an array index and it return -1\nwhen not found; however, -1 is not a valid array index number.\n\n[HOW]\nWhen this happens, call ASSERT(), and return a zero instead.\n\nThis fixes an OVERRUN and an NEGATIVE_RETURNS issues reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42118\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42118\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42118\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42118\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42118\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3ac31c9a707dd1c7c890b95333182f955e9dcb57\",\n \"https://git.kernel.org/stable/c/a76fa9c4f0fc0aa6f517da3fa7d7c23e8a32c7d0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Do not return negative stream id for array\\n\\n[WHY]\\nresource_stream_to_stream_idx returns an array index and it return -1\\nwhen not found; however, -1 is not a valid array index number.\\n\\n[HOW]\\nWhen this happens, call ASSERT(), and return a zero instead.\\n\\nThis fixes an OVERRUN and an NEGATIVE_RETURNS issues reported by Coverity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42118\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42119", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42119" + }, + { + "url": "https://git.kernel.org/stable/c/1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3" + }, + { + "url": "https://git.kernel.org/stable/c/874261358d31fc772f2823604167e670983cc1ca" + }, + { + "url": "https://git.kernel.org/stable/c/881fb6afc0004c5e6392ae2848f825bf051dae14" + }, + { + "url": "https://git.kernel.org/stable/c/95ad20ee3c4efbb91f9a4ab08e070aa3697f5879" + }, + { + "url": "https://git.kernel.org/stable/c/9eb4db08a808e3a3ba59193aeb84a57a6dc4d8c9" + }, + { + "url": "https://git.kernel.org/stable/c/afaaebdee9bb9f26d9e13cc34b33bd0a7bf59488" + }, + { + "url": "https://git.kernel.org/stable/c/eacca028a623f608607d02457122ee5284491e18" + }, + { + "url": "https://git.kernel.org/stable/c/ffa7bd3ca9cfa902b857d1dc9a5f46fededf86c8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42119 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42119", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip finding free audio for unknown engine_id\n\n[WHY]\nENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it\nalso means it is uninitialized and does not need free audio.\n\n[HOW]\nSkip and return NULL.\n\nThis fixes 2 OVERRUN issues reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42119\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42119\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42119\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42119\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42119\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3\",\n \"https://git.kernel.org/stable/c/874261358d31fc772f2823604167e670983cc1ca\",\n \"https://git.kernel.org/stable/c/881fb6afc0004c5e6392ae2848f825bf051dae14\",\n \"https://git.kernel.org/stable/c/95ad20ee3c4efbb91f9a4ab08e070aa3697f5879\",\n \"https://git.kernel.org/stable/c/9eb4db08a808e3a3ba59193aeb84a57a6dc4d8c9\",\n \"https://git.kernel.org/stable/c/afaaebdee9bb9f26d9e13cc34b33bd0a7bf59488\",\n \"https://git.kernel.org/stable/c/eacca028a623f608607d02457122ee5284491e18\",\n \"https://git.kernel.org/stable/c/ffa7bd3ca9cfa902b857d1dc9a5f46fededf86c8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Skip finding free audio for unknown engine_id\\n\\n[WHY]\\nENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it\\nalso means it is uninitialized and does not need free audio.\\n\\n[HOW]\\nSkip and return NULL.\\n\\nThis fixes 2 OVERRUN issues reported by Coverity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42119\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42120", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42120" + }, + { + "url": "https://git.kernel.org/stable/c/0b3702f9d43d163fd05e43b7d7e22e766dbef329" + }, + { + "url": "https://git.kernel.org/stable/c/5396a70e8cf462ec5ccf2dc8de103c79de9489e6" + }, + { + "url": "https://git.kernel.org/stable/c/96bf81cc1bd058bb8af6e755a548e926e934dfd1" + }, + { + "url": "https://git.kernel.org/stable/c/b2e9abc95583ac7bbb2c47da4d476a798146dfd6" + }, + { + "url": "https://git.kernel.org/stable/c/c5ec2afeeee4c91cebc4eff6d4f1ecf4047259f4" + }, + { + "url": "https://git.kernel.org/stable/c/d2c3645a4a5ae5d933b4116c305d9d82b8199dbf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42120 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42120", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check pipe offset before setting vblank\n\npipe_ctx has a size of MAX_PIPES so checking its index before accessing\nthe array.\n\nThis fixes an OVERRUN issue reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42120\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42120\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42120\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42120\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42120\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0b3702f9d43d163fd05e43b7d7e22e766dbef329\",\n \"https://git.kernel.org/stable/c/5396a70e8cf462ec5ccf2dc8de103c79de9489e6\",\n \"https://git.kernel.org/stable/c/96bf81cc1bd058bb8af6e755a548e926e934dfd1\",\n \"https://git.kernel.org/stable/c/b2e9abc95583ac7bbb2c47da4d476a798146dfd6\",\n \"https://git.kernel.org/stable/c/c5ec2afeeee4c91cebc4eff6d4f1ecf4047259f4\",\n \"https://git.kernel.org/stable/c/d2c3645a4a5ae5d933b4116c305d9d82b8199dbf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Check pipe offset before setting vblank\\n\\npipe_ctx has a size of MAX_PIPES so checking its index before accessing\\nthe array.\\n\\nThis fixes an OVERRUN issue reported by Coverity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42120\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42121", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42121" + }, + { + "url": "https://git.kernel.org/stable/c/59d99deb330af206a4541db0c4da8f73880fba03" + }, + { + "url": "https://git.kernel.org/stable/c/9933eca6ada0cd612e19522e7a319bcef464c0eb" + }, + { + "url": "https://git.kernel.org/stable/c/a31ea49dc8064a557565725cf045944307476a6e" + }, + { + "url": "https://git.kernel.org/stable/c/ae91ffbc8b8d942e3e7f188728cad557b7ed5ee4" + }, + { + "url": "https://git.kernel.org/stable/c/b5b8837d066cc182ff69fb5629ad32ade5484567" + }, + { + "url": "https://git.kernel.org/stable/c/fbb0701af9734cff13917a4b98b5ee9da2fde48d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42121 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42121", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check index msg_id before read or write\n\n[WHAT]\nmsg_id is used as an array index and it cannot be a negative value, and\ntherefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1).\n\n[HOW]\nCheck whether msg_id is valid before reading and setting.\n\nThis fixes 4 OVERRUN issues reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42121\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42121\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42121\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42121\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42121\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/59d99deb330af206a4541db0c4da8f73880fba03\",\n \"https://git.kernel.org/stable/c/9933eca6ada0cd612e19522e7a319bcef464c0eb\",\n \"https://git.kernel.org/stable/c/a31ea49dc8064a557565725cf045944307476a6e\",\n \"https://git.kernel.org/stable/c/ae91ffbc8b8d942e3e7f188728cad557b7ed5ee4\",\n \"https://git.kernel.org/stable/c/b5b8837d066cc182ff69fb5629ad32ade5484567\",\n \"https://git.kernel.org/stable/c/fbb0701af9734cff13917a4b98b5ee9da2fde48d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Check index msg_id before read or write\\n\\n[WHAT]\\nmsg_id is used as an array index and it cannot be a negative value, and\\ntherefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1).\\n\\n[HOW]\\nCheck whether msg_id is valid before reading and setting.\\n\\nThis fixes 4 OVERRUN issues reported by Coverity.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42121\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42122", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42122" + }, + { + "url": "https://git.kernel.org/stable/c/062edd612fcd300f0f79a36fca5b8b6a5e2fce70" + }, + { + "url": "https://git.kernel.org/stable/c/8e65a1b7118acf6af96449e1e66b7adbc9396912" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42122 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42122", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL pointer check for kzalloc\n\n[Why & How]\nCheck return pointer of kzalloc before using it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42122\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42122\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42122\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42122\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42122\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/062edd612fcd300f0f79a36fca5b8b6a5e2fce70\",\n \"https://git.kernel.org/stable/c/8e65a1b7118acf6af96449e1e66b7adbc9396912\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add NULL pointer check for kzalloc\\n\\n[Why & How]\\nCheck return pointer of kzalloc before using it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42122\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42123", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42123" + }, + { + "url": "https://git.kernel.org/stable/c/506c245f3f1cd989cb89811a7f06e04ff8813a0d" + }, + { + "url": "https://git.kernel.org/stable/c/8e24beb3c2b08a4763f920399a9cc577ed440a1a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42123 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42123", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix double free err_addr pointer warnings\n\nIn amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages\nwill be run many times so that double free err_addr in some special case.\nSo set the err_addr to NULL to avoid the warnings.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42123\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42123\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42123\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42123\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42123\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/506c245f3f1cd989cb89811a7f06e04ff8813a0d\",\n \"https://git.kernel.org/stable/c/8e24beb3c2b08a4763f920399a9cc577ed440a1a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: fix double free err_addr pointer warnings\\n\\nIn amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages\\nwill be run many times so that double free err_addr in some special case.\\nSo set the err_addr to NULL to avoid the warnings.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42123\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42124", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42124" + }, + { + "url": "https://git.kernel.org/stable/c/0a8a91932b2772e75bf3f6d133ca4225d1d3e920" + }, + { + "url": "https://git.kernel.org/stable/c/0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec" + }, + { + "url": "https://git.kernel.org/stable/c/2b9c7787cfcd1e76d873a78f16cf45bfa4b100ea" + }, + { + "url": "https://git.kernel.org/stable/c/4f314aadeed8cdf42c8cf30769425b5e44702748" + }, + { + "url": "https://git.kernel.org/stable/c/5ceb40cdee721e13cbe15a0515cacf984e11236b" + }, + { + "url": "https://git.kernel.org/stable/c/b6ded5316ec56e973dcf5f9997945aad01a9f062" + }, + { + "url": "https://git.kernel.org/stable/c/fa49c65a1cec6a3901ef884fdb24d98068b63493" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42124 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42124", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Make qedf_execute_tmf() non-preemptible\n\nStop calling smp_processor_id() from preemptible code in\nqedf_execute_tmf90. This results in BUG_ON() when running an RT kernel.\n\n[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646\n[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42124\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42124\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42124\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42124\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42124\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a8a91932b2772e75bf3f6d133ca4225d1d3e920\",\n \"https://git.kernel.org/stable/c/0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec\",\n \"https://git.kernel.org/stable/c/2b9c7787cfcd1e76d873a78f16cf45bfa4b100ea\",\n \"https://git.kernel.org/stable/c/4f314aadeed8cdf42c8cf30769425b5e44702748\",\n \"https://git.kernel.org/stable/c/5ceb40cdee721e13cbe15a0515cacf984e11236b\",\n \"https://git.kernel.org/stable/c/b6ded5316ec56e973dcf5f9997945aad01a9f062\",\n \"https://git.kernel.org/stable/c/fa49c65a1cec6a3901ef884fdb24d98068b63493\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qedf: Make qedf_execute_tmf() non-preemptible\\n\\nStop calling smp_processor_id() from preemptible code in\\nqedf_execute_tmf90. This results in BUG_ON() when running an RT kernel.\\n\\n[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646\\n[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42124\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42125", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42125" + }, + { + "url": "https://git.kernel.org/stable/c/bb38626f3f97e16e6d368a9ff6daf320f3fe31d9" + }, + { + "url": "https://git.kernel.org/stable/c/ce4ba62f8bc5195a9a0d49c6235a9c99e619cadc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42125 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42125", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband\n\nWe have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz\nsband will be NULL even if it is WiFi 7 chip. So, add NULL handling here\nto avoid crash.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42125\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42125\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42125\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42125\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42125\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/bb38626f3f97e16e6d368a9ff6daf320f3fe31d9\",\n \"https://git.kernel.org/stable/c/ce4ba62f8bc5195a9a0d49c6235a9c99e619cadc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband\\n\\nWe have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz\\nsband will be NULL even if it is WiFi 7 chip. So, add NULL handling here\\nto avoid crash.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42125\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42126", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42126" + }, + { + "url": "https://git.kernel.org/stable/c/0db880fc865ffb522141ced4bfa66c12ab1fbb70" + }, + { + "url": "https://git.kernel.org/stable/c/0f37946c62c48a907625348cbc720a7a0c547d1e" + }, + { + "url": "https://git.kernel.org/stable/c/2c78c9411e685dbc9eac8c2845111b03501975b8" + }, + { + "url": "https://git.kernel.org/stable/c/8d3f83dfb23674540c827a8d65fba20aa300b252" + }, + { + "url": "https://git.kernel.org/stable/c/e2afb26615adf6c3ceaaa7732aa839bcd587a057" + }, + { + "url": "https://git.kernel.org/stable/c/fb6675db04c4b79883373edc578d5df7bbc84848" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42126 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42126", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.\n\nnmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel\ncrash when invoked during real mode interrupt handling (e.g. early HMI/MCE\ninterrupt handler) if percpu allocation comes from vmalloc area.\n\nEarly HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()\nwrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when\npercpu allocation is from the embedded first chunk. However with\nCONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu\nallocation can come from the vmalloc area.\n\nWith kernel command line \"percpu_alloc=page\" we can force percpu allocation\nto come from vmalloc area and can see kernel crash in machine_check_early:\n\n[ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110\n[ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0\n[ 1.215719] --- interrupt: 200\n[ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)\n[ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0\n[ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8\n\nFix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu\nfirst chunk is not embedded.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42126\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42126\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42126\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42126\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42126\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0db880fc865ffb522141ced4bfa66c12ab1fbb70\",\n \"https://git.kernel.org/stable/c/0f37946c62c48a907625348cbc720a7a0c547d1e\",\n \"https://git.kernel.org/stable/c/2c78c9411e685dbc9eac8c2845111b03501975b8\",\n \"https://git.kernel.org/stable/c/8d3f83dfb23674540c827a8d65fba20aa300b252\",\n \"https://git.kernel.org/stable/c/e2afb26615adf6c3ceaaa7732aa839bcd587a057\",\n \"https://git.kernel.org/stable/c/fb6675db04c4b79883373edc578d5df7bbc84848\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.\\n\\nnmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel\\ncrash when invoked during real mode interrupt handling (e.g. early HMI/MCE\\ninterrupt handler) if percpu allocation comes from vmalloc area.\\n\\nEarly HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()\\nwrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when\\npercpu allocation is from the embedded first chunk. However with\\nCONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu\\nallocation can come from the vmalloc area.\\n\\nWith kernel command line \\\"percpu_alloc=page\\\" we can force percpu allocation\\nto come from vmalloc area and can see kernel crash in machine_check_early:\\n\\n[ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110\\n[ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0\\n[ 1.215719] --- interrupt: 200\\n[ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)\\n[ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0\\n[ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8\\n\\nFix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu\\nfirst chunk is not embedded.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42126\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42127", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42127" + }, + { + "url": "https://git.kernel.org/stable/c/04d531b9a1875846d4f89953b469ad463aa7a770" + }, + { + "url": "https://git.kernel.org/stable/c/0a487e977cb8897ae4c51ecd34bbaa2b005266c9" + }, + { + "url": "https://git.kernel.org/stable/c/0d60c43df59ef01c08dc7b0c45495178f9d05a13" + }, + { + "url": "https://git.kernel.org/stable/c/17fe8b75aaf0bb1bdc31368963446b421c22d0af" + }, + { + "url": "https://git.kernel.org/stable/c/25d0d9b83d855cbc5d5aa5ae3cd79d55ea0c84a8" + }, + { + "url": "https://git.kernel.org/stable/c/a6683c690bbfd1f371510cb051e8fa49507f3f5e" + }, + { + "url": "https://git.kernel.org/stable/c/b5daf9217a50636a969bc1965f827878aeb09ffe" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42127 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42127", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: fix shared irq handling on driver remove\n\nlima uses a shared interrupt, so the interrupt handlers must be prepared\nto be called at any time. At driver removal time, the clocks are\ndisabled early and the interrupts stay registered until the very end of\nthe remove process due to the devm usage.\nThis is potentially a bug as the interrupts access device registers\nwhich assumes clocks are enabled. A crash can be triggered by removing\nthe driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.\nThis patch frees the interrupts at each lima device finishing callback\nso that the handlers are already unregistered by the time we fully\ndisable clocks.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42127\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42127\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42127\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42127\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42127\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/04d531b9a1875846d4f89953b469ad463aa7a770\",\n \"https://git.kernel.org/stable/c/0a487e977cb8897ae4c51ecd34bbaa2b005266c9\",\n \"https://git.kernel.org/stable/c/0d60c43df59ef01c08dc7b0c45495178f9d05a13\",\n \"https://git.kernel.org/stable/c/17fe8b75aaf0bb1bdc31368963446b421c22d0af\",\n \"https://git.kernel.org/stable/c/25d0d9b83d855cbc5d5aa5ae3cd79d55ea0c84a8\",\n \"https://git.kernel.org/stable/c/a6683c690bbfd1f371510cb051e8fa49507f3f5e\",\n \"https://git.kernel.org/stable/c/b5daf9217a50636a969bc1965f827878aeb09ffe\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/lima: fix shared irq handling on driver remove\\n\\nlima uses a shared interrupt, so the interrupt handlers must be prepared\\nto be called at any time. At driver removal time, the clocks are\\ndisabled early and the interrupts stay registered until the very end of\\nthe remove process due to the devm usage.\\nThis is potentially a bug as the interrupts access device registers\\nwhich assumes clocks are enabled. A crash can be triggered by removing\\nthe driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.\\nThis patch frees the interrupts at each lima device finishing callback\\nso that the handlers are already unregistered by the time we fully\\ndisable clocks.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42127\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42128", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42128" + }, + { + "url": "https://git.kernel.org/stable/c/3ead19aa341de89a8c3d88a091d8093ebea622e8" + }, + { + "url": "https://git.kernel.org/stable/c/9dba44460bfca657ca43f03ea9bafa4f9f7dd077" + }, + { + "url": "https://git.kernel.org/stable/c/c382e2e3eccb6b7ca8c7aff5092c1668428e7de6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42128 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42128", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: an30259a: Use devm_mutex_init() for mutex initialization\n\nIn this driver LEDs are registered using devm_led_classdev_register()\nso they are automatically unregistered after module's remove() is done.\nled_classdev_unregister() calls module's led_set_brightness() to turn off\nthe LEDs and that callback uses mutex which was destroyed already\nin module's remove() so use devm API instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42128\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42128\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42128\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42128\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42128\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3ead19aa341de89a8c3d88a091d8093ebea622e8\",\n \"https://git.kernel.org/stable/c/9dba44460bfca657ca43f03ea9bafa4f9f7dd077\",\n \"https://git.kernel.org/stable/c/c382e2e3eccb6b7ca8c7aff5092c1668428e7de6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nleds: an30259a: Use devm_mutex_init() for mutex initialization\\n\\nIn this driver LEDs are registered using devm_led_classdev_register()\\nso they are automatically unregistered after module's remove() is done.\\nled_classdev_unregister() calls module's led_set_brightness() to turn off\\nthe LEDs and that callback uses mutex which was destroyed already\\nin module's remove() so use devm API instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42128\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42129", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42129" + }, + { + "url": "https://git.kernel.org/stable/c/3b62888307ae44b68512d3f7735c26a4c8e45b51" + }, + { + "url": "https://git.kernel.org/stable/c/efc347b9efee1c2b081f5281d33be4559fa50a16" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42129 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42129", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: mlxreg: Use devm_mutex_init() for mutex initialization\n\nIn this driver LEDs are registered using devm_led_classdev_register()\nso they are automatically unregistered after module's remove() is done.\nled_classdev_unregister() calls module's led_set_brightness() to turn off\nthe LEDs and that callback uses mutex which was destroyed already\nin module's remove() so use devm API instead.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42129\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42129\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42129\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42129\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42129\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b62888307ae44b68512d3f7735c26a4c8e45b51\",\n \"https://git.kernel.org/stable/c/efc347b9efee1c2b081f5281d33be4559fa50a16\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nleds: mlxreg: Use devm_mutex_init() for mutex initialization\\n\\nIn this driver LEDs are registered using devm_led_classdev_register()\\nso they are automatically unregistered after module's remove() is done.\\nled_classdev_unregister() calls module's led_set_brightness() to turn off\\nthe LEDs and that callback uses mutex which was destroyed already\\nin module's remove() so use devm API instead.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42129\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42130", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42130" + }, + { + "url": "https://git.kernel.org/stable/c/056478b4321b36ca33567089d39ac992f6c9c37a" + }, + { + "url": "https://git.kernel.org/stable/c/068648aab72c9ba7b0597354ef4d81ffaac7b979" + }, + { + "url": "https://git.kernel.org/stable/c/22a72c1c10f43ca645a98725e0faff34592f4d08" + }, + { + "url": "https://git.kernel.org/stable/c/41f5e2840cd0629f049ce5ce2f8dd10a8299de42" + }, + { + "url": "https://git.kernel.org/stable/c/f07bcd8bba803c9e6ad2048543185d6c56587a2f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42130 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42130", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc/nci: Add the inconsistency check between the input data length and count\n\nwrite$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB=\"610501\"], 0xf)\n\nSyzbot constructed a write() call with a data length of 3 bytes but a count value\nof 15, which passed too little data to meet the basic requirements of the function\nnci_rf_intf_activated_ntf_packet().\n\nTherefore, increasing the comparison between data length and count value to avoid\nproblems caused by inconsistent data length and count.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42130\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42130\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42130\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42130\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42130\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/056478b4321b36ca33567089d39ac992f6c9c37a\",\n \"https://git.kernel.org/stable/c/068648aab72c9ba7b0597354ef4d81ffaac7b979\",\n \"https://git.kernel.org/stable/c/22a72c1c10f43ca645a98725e0faff34592f4d08\",\n \"https://git.kernel.org/stable/c/41f5e2840cd0629f049ce5ce2f8dd10a8299de42\",\n \"https://git.kernel.org/stable/c/f07bcd8bba803c9e6ad2048543185d6c56587a2f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfc/nci: Add the inconsistency check between the input data length and count\\n\\nwrite$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB=\\\"610501\\\"], 0xf)\\n\\nSyzbot constructed a write() call with a data length of 3 bytes but a count value\\nof 15, which passed too little data to meet the basic requirements of the function\\nnci_rf_intf_activated_ntf_packet().\\n\\nTherefore, increasing the comparison between data length and count value to avoid\\nproblems caused by inconsistent data length and count.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42130\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42131", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42131" + }, + { + "url": "https://git.kernel.org/stable/c/2b2d2b8766db028bd827af34075f221ae9e9efff" + }, + { + "url": "https://git.kernel.org/stable/c/385d838df280eba6c8680f9777bfa0d0bfe7e8b2" + }, + { + "url": "https://git.kernel.org/stable/c/4d3817b64eda07491bdd86a234629fe0764fb42a" + }, + { + "url": "https://git.kernel.org/stable/c/7a49389771ae7666f4dc3426e2a4594bf23ae290" + }, + { + "url": "https://git.kernel.org/stable/c/8e0b5e7f2895eccef5c2a0018b589266f90c4805" + }, + { + "url": "https://git.kernel.org/stable/c/a25e8536184516b55ef89ab91dd2eea429de28d2" + }, + { + "url": "https://git.kernel.org/stable/c/bd16a7ee339aef3ee4c90cb23902afb6af379ea0" + }, + { + "url": "https://git.kernel.org/stable/c/c83ed422c24f0d4b264f89291d4fabe285f80dbc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42131 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42131", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: avoid overflows in dirty throttling logic\n\nThe dirty throttling logic is interspersed with assumptions that dirty\nlimits in PAGE_SIZE units fit into 32-bit (so that various multiplications\nfit into 64-bits). If limits end up being larger, we will hit overflows,\npossible divisions by 0 etc. Fix these problems by never allowing so\nlarge dirty limits as they have dubious practical value anyway. For\ndirty_bytes / dirty_background_bytes interfaces we can just refuse to set\nso large limits. For dirty_ratio / dirty_background_ratio it isn't so\nsimple as the dirty limit is computed from the amount of available memory\nwhich can change due to memory hotplug etc. So when converting dirty\nlimits from ratios to numbers of pages, we just don't allow the result to\nexceed UINT_MAX.\n\nThis is root-only triggerable problem which occurs when the operator\nsets dirty limits to >16 TB.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42131\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42131\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42131\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42131\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42131\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2b2d2b8766db028bd827af34075f221ae9e9efff\",\n \"https://git.kernel.org/stable/c/385d838df280eba6c8680f9777bfa0d0bfe7e8b2\",\n \"https://git.kernel.org/stable/c/4d3817b64eda07491bdd86a234629fe0764fb42a\",\n \"https://git.kernel.org/stable/c/7a49389771ae7666f4dc3426e2a4594bf23ae290\",\n \"https://git.kernel.org/stable/c/8e0b5e7f2895eccef5c2a0018b589266f90c4805\",\n \"https://git.kernel.org/stable/c/a25e8536184516b55ef89ab91dd2eea429de28d2\",\n \"https://git.kernel.org/stable/c/bd16a7ee339aef3ee4c90cb23902afb6af379ea0\",\n \"https://git.kernel.org/stable/c/c83ed422c24f0d4b264f89291d4fabe285f80dbc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: avoid overflows in dirty throttling logic\\n\\nThe dirty throttling logic is interspersed with assumptions that dirty\\nlimits in PAGE_SIZE units fit into 32-bit (so that various multiplications\\nfit into 64-bits). If limits end up being larger, we will hit overflows,\\npossible divisions by 0 etc. Fix these problems by never allowing so\\nlarge dirty limits as they have dubious practical value anyway. For\\ndirty_bytes / dirty_background_bytes interfaces we can just refuse to set\\nso large limits. For dirty_ratio / dirty_background_ratio it isn't so\\nsimple as the dirty limit is computed from the amount of available memory\\nwhich can change due to memory hotplug etc. So when converting dirty\\nlimits from ratios to numbers of pages, we just don't allow the result to\\nexceed UINT_MAX.\\n\\nThis is root-only triggerable problem which occurs when the operator\\nsets dirty limits to >16 TB.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42131\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42134", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42134" + }, + { + "url": "https://git.kernel.org/stable/c/5e2024b0b9b3d5709e3f7e9b92951d7e29154106" + }, + { + "url": "https://git.kernel.org/stable/c/c8fae27d141a32a1624d0d0d5419d94252824498" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42134 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42134", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-pci: Check if is_avq is NULL\n\n[bug]\nIn the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved\nto determine whether it is admin virtqueue, but this function vp_dev->is_avq\n may be empty. For installations, virtio_pci_legacy does not assign a value\n to vp_dev->is_avq.\n\n[fix]\nCheck whether it is vp_dev->is_avq before use.\n\n[test]\nTest with virsh Attach device\nBefore this patch, the following command would crash the guest system\n\nAfter applying the patch, everything seems to be working fine.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42134\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42134\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42134\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42134\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42134\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5e2024b0b9b3d5709e3f7e9b92951d7e29154106\",\n \"https://git.kernel.org/stable/c/c8fae27d141a32a1624d0d0d5419d94252824498\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvirtio-pci: Check if is_avq is NULL\\n\\n[bug]\\nIn the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved\\nto determine whether it is admin virtqueue, but this function vp_dev->is_avq\\n may be empty. For installations, virtio_pci_legacy does not assign a value\\n to vp_dev->is_avq.\\n\\n[fix]\\nCheck whether it is vp_dev->is_avq before use.\\n\\n[test]\\nTest with virsh Attach device\\nBefore this patch, the following command would crash the guest system\\n\\nAfter applying the patch, everything seems to be working fine.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42134\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42135", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42135" + }, + { + "url": "https://git.kernel.org/stable/c/abe067dc3a662eef7d5cddbbc41ed50a0b68b0af" + }, + { + "url": "https://git.kernel.org/stable/c/db5247d9bf5c6ade9fd70b4e4897441e0269b233" + }, + { + "url": "https://git.kernel.org/stable/c/dec987fe2df670827eb53b97c9552ed8dfc63ad4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42135 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42135", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost_task: Handle SIGKILL by flushing work and exiting\n\nInstead of lingering until the device is closed, this has us handle\nSIGKILL by:\n\n1. marking the worker as killed so we no longer try to use it with\n new virtqueues and new flush operations.\n2. setting the virtqueue to worker mapping so no new works are queued.\n3. running all the exiting works.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42135\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42135\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42135\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42135\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42135\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/abe067dc3a662eef7d5cddbbc41ed50a0b68b0af\",\n \"https://git.kernel.org/stable/c/db5247d9bf5c6ade9fd70b4e4897441e0269b233\",\n \"https://git.kernel.org/stable/c/dec987fe2df670827eb53b97c9552ed8dfc63ad4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvhost_task: Handle SIGKILL by flushing work and exiting\\n\\nInstead of lingering until the device is closed, this has us handle\\nSIGKILL by:\\n\\n1. marking the worker as killed so we no longer try to use it with\\n new virtqueues and new flush operations.\\n2. setting the virtqueue to worker mapping so no new works are queued.\\n3. running all the exiting works.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42135\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42136", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42136" + }, + { + "url": "https://git.kernel.org/stable/c/0c97527e916054acc4a46ffb02842988acb2e92b" + }, + { + "url": "https://git.kernel.org/stable/c/3ee21e14c8c329168a0b66bab00ecd18f5d0dee3" + }, + { + "url": "https://git.kernel.org/stable/c/e809bc112712da8f7e15822674c6562da6cdf24c" + }, + { + "url": "https://git.kernel.org/stable/c/efb905aeb44b0e99c0e6b07865b1885ae0471ebf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42136 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42136", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncdrom: rearrange last_media_change check to avoid unintentional overflow\n\nWhen running syzkaller with the newly reintroduced signed integer wrap\nsanitizer we encounter this splat:\n\n[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33\n[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')\n[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO\n[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 366.027518] Call Trace:\n[ 366.027523] \n[ 366.027533] dump_stack_lvl+0x93/0xd0\n[ 366.027899] handle_overflow+0x171/0x1b0\n[ 366.038787] ata1.00: invalid multi_count 32 ignored\n[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10\n[ 366.063932] ? __pm_runtime_resume+0xe6/0x130\n[ 366.071923] sr_block_ioctl+0x15d/0x1d0\n[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10\n[ 366.077642] blkdev_ioctl+0x419/0x500\n[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10\n...\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang. It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rearrange the check to not perform any arithmetic, thus not\ntripping the sanitizer.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42136\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42136\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42136\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42136\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42136\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c97527e916054acc4a46ffb02842988acb2e92b\",\n \"https://git.kernel.org/stable/c/3ee21e14c8c329168a0b66bab00ecd18f5d0dee3\",\n \"https://git.kernel.org/stable/c/e809bc112712da8f7e15822674c6562da6cdf24c\",\n \"https://git.kernel.org/stable/c/efb905aeb44b0e99c0e6b07865b1885ae0471ebf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncdrom: rearrange last_media_change check to avoid unintentional overflow\\n\\nWhen running syzkaller with the newly reintroduced signed integer wrap\\nsanitizer we encounter this splat:\\n\\n[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33\\n[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')\\n[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO\\n[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\\n[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\\n[ 366.027518] Call Trace:\\n[ 366.027523] \\n[ 366.027533] dump_stack_lvl+0x93/0xd0\\n[ 366.027899] handle_overflow+0x171/0x1b0\\n[ 366.038787] ata1.00: invalid multi_count 32 ignored\\n[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10\\n[ 366.063932] ? __pm_runtime_resume+0xe6/0x130\\n[ 366.071923] sr_block_ioctl+0x15d/0x1d0\\n[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10\\n[ 366.077642] blkdev_ioctl+0x419/0x500\\n[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10\\n...\\n\\nHistorically, the signed integer overflow sanitizer did not work in the\\nkernel due to its interaction with `-fwrapv` but this has since been\\nchanged [1] in the newest version of Clang. It was re-enabled in the\\nkernel with Commit 557f8c582a9ba8ab (\\\"ubsan: Reintroduce signed overflow\\nsanitizer\\\").\\n\\nLet's rearrange the check to not perform any arithmetic, thus not\\ntripping the sanitizer.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42136\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42137", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42137" + }, + { + "url": "https://git.kernel.org/stable/c/215a26c2404fa34625c725d446967fa328a703eb" + }, + { + "url": "https://git.kernel.org/stable/c/4ca6013cd18e58ac1044908c40d4006a92093a11" + }, + { + "url": "https://git.kernel.org/stable/c/88e72239ead9814b886db54fc4ee39ef3c2b8f26" + }, + { + "url": "https://git.kernel.org/stable/c/977b9dc65e14fb80de4763d949c7dec2ecb15b9b" + }, + { + "url": "https://git.kernel.org/stable/c/e2d8aa4c763593704ac21e7591aed4f13e32f3b5" + }, + { + "url": "https://git.kernel.org/stable/c/e6e200b264271f62a3fadb51ada9423015ece37b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42137 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42137", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot\n\nCommit 272970be3dab (\"Bluetooth: hci_qca: Fix driver shutdown on closed\nserdev\") will cause below regression issue:\n\nBT can't be enabled after below steps:\ncold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure\nif property enable-gpios is not configured within DT|ACPI for QCA6390.\n\nThe commit is to fix a use-after-free issue within qca_serdev_shutdown()\nby adding condition to avoid the serdev is flushed or wrote after closed\nbut also introduces this regression issue regarding above steps since the\nVSC is not sent to reset controller during warm reboot.\n\nFixed by sending the VSC to reset controller within qca_serdev_shutdown()\nonce BT was ever enabled, and the use-after-free issue is also fixed by\nthis change since the serdev is still opened before it is flushed or wrote.\n\nVerified by the reported machine Dell XPS 13 9310 laptop over below two\nkernel commits:\ncommit e00fc2700a3f (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of bluetooth-next tree.\ncommit b23d98d46d28 (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of linus mainline tree.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42137\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42137\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42137\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42137\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42137\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/215a26c2404fa34625c725d446967fa328a703eb\",\n \"https://git.kernel.org/stable/c/4ca6013cd18e58ac1044908c40d4006a92093a11\",\n \"https://git.kernel.org/stable/c/88e72239ead9814b886db54fc4ee39ef3c2b8f26\",\n \"https://git.kernel.org/stable/c/977b9dc65e14fb80de4763d949c7dec2ecb15b9b\",\n \"https://git.kernel.org/stable/c/e2d8aa4c763593704ac21e7591aed4f13e32f3b5\",\n \"https://git.kernel.org/stable/c/e6e200b264271f62a3fadb51ada9423015ece37b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot\\n\\nCommit 272970be3dab (\\\"Bluetooth: hci_qca: Fix driver shutdown on closed\\nserdev\\\") will cause below regression issue:\\n\\nBT can't be enabled after below steps:\\ncold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure\\nif property enable-gpios is not configured within DT|ACPI for QCA6390.\\n\\nThe commit is to fix a use-after-free issue within qca_serdev_shutdown()\\nby adding condition to avoid the serdev is flushed or wrote after closed\\nbut also introduces this regression issue regarding above steps since the\\nVSC is not sent to reset controller during warm reboot.\\n\\nFixed by sending the VSC to reset controller within qca_serdev_shutdown()\\nonce BT was ever enabled, and the use-after-free issue is also fixed by\\nthis change since the serdev is still opened before it is flushed or wrote.\\n\\nVerified by the reported machine Dell XPS 13 9310 laptop over below two\\nkernel commits:\\ncommit e00fc2700a3f (\\\"Bluetooth: btusb: Fix triggering coredump\\nimplementation for QCA\\\") of bluetooth-next tree.\\ncommit b23d98d46d28 (\\\"Bluetooth: btusb: Fix triggering coredump\\nimplementation for QCA\\\") of linus mainline tree.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42137\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42139", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42139" + }, + { + "url": "https://git.kernel.org/stable/c/00d3b4f54582d4e4a02cda5886bb336eeab268cc" + }, + { + "url": "https://git.kernel.org/stable/c/9f69b31ae9e25dec27ad31fbc64dd99af16ee3d3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42139 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42139", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix improper extts handling\n\nExtts events are disabled and enabled by the application ts2phc.\nHowever, in case where the driver is removed when the application is\nrunning, a specific extts event remains enabled and can cause a kernel\ncrash.\nAs a side effect, when the driver is reloaded and application is started\nagain, remaining extts event for the channel from a previous run will\nkeep firing and the message \"extts on unexpected channel\" might be\nprinted to the user.\n\nTo avoid that, extts events shall be disabled when PTP is released.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42139\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42139\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42139\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42139\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42139\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/00d3b4f54582d4e4a02cda5886bb336eeab268cc\",\n \"https://git.kernel.org/stable/c/9f69b31ae9e25dec27ad31fbc64dd99af16ee3d3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: Fix improper extts handling\\n\\nExtts events are disabled and enabled by the application ts2phc.\\nHowever, in case where the driver is removed when the application is\\nrunning, a specific extts event remains enabled and can cause a kernel\\ncrash.\\nAs a side effect, when the driver is reloaded and application is started\\nagain, remaining extts event for the channel from a previous run will\\nkeep firing and the message \\\"extts on unexpected channel\\\" might be\\nprinted to the user.\\n\\nTo avoid that, extts events shall be disabled when PTP is released.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42139\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42140", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42140" + }, + { + "url": "https://git.kernel.org/stable/c/484dd545271d02d1571e1c6b62ea7df9dbe5e692" + }, + { + "url": "https://git.kernel.org/stable/c/653deee48a4682ea17a05b96fb6842795ab5943c" + }, + { + "url": "https://git.kernel.org/stable/c/7692c9b6baacdee378435f58f19baf0eb69e4155" + }, + { + "url": "https://git.kernel.org/stable/c/bb80a7911218bbab2a69b5db7d2545643ab0073d" + }, + { + "url": "https://git.kernel.org/stable/c/c562ba719df570c986caf0941fea2449150bcbc4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42140 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42140", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: kexec: Avoid deadlock in kexec crash path\n\nIf the kexec crash code is called in the interrupt context, the\nmachine_kexec_mask_interrupts() function will trigger a deadlock while\ntrying to acquire the irqdesc spinlock and then deactivate irqchip in\nirq_set_irqchip_state() function.\n\nUnlike arm64, riscv only requires irq_eoi handler to complete EOI and\nkeeping irq_set_irqchip_state() will only leave this possible deadlock\nwithout any use. So we simply remove it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42140\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42140\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42140\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42140\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42140\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/484dd545271d02d1571e1c6b62ea7df9dbe5e692\",\n \"https://git.kernel.org/stable/c/653deee48a4682ea17a05b96fb6842795ab5943c\",\n \"https://git.kernel.org/stable/c/7692c9b6baacdee378435f58f19baf0eb69e4155\",\n \"https://git.kernel.org/stable/c/bb80a7911218bbab2a69b5db7d2545643ab0073d\",\n \"https://git.kernel.org/stable/c/c562ba719df570c986caf0941fea2449150bcbc4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: kexec: Avoid deadlock in kexec crash path\\n\\nIf the kexec crash code is called in the interrupt context, the\\nmachine_kexec_mask_interrupts() function will trigger a deadlock while\\ntrying to acquire the irqdesc spinlock and then deactivate irqchip in\\nirq_set_irqchip_state() function.\\n\\nUnlike arm64, riscv only requires irq_eoi handler to complete EOI and\\nkeeping irq_set_irqchip_state() will only leave this possible deadlock\\nwithout any use. So we simply remove it.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42140\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42143", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42143" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42143 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42143", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42143\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42143\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42143\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42143\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42143\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42143\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42144", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42144" + }, + { + "url": "https://git.kernel.org/stable/c/79ef1a5593fdb8aa4dbccf6085c48f1739338bc9" + }, + { + "url": "https://git.kernel.org/stable/c/a1191a77351e25ddf091bb1a231cae12ee598b5d" + }, + { + "url": "https://git.kernel.org/stable/c/fd7ae1cabfedd727be5bee774c87acbc7b10b886" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42144 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42144", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data\n\nVerify that lvts_data is not NULL before using it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42144\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42144\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42144\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42144\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42144\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/79ef1a5593fdb8aa4dbccf6085c48f1739338bc9\",\n \"https://git.kernel.org/stable/c/a1191a77351e25ddf091bb1a231cae12ee598b5d\",\n \"https://git.kernel.org/stable/c/fd7ae1cabfedd727be5bee774c87acbc7b10b886\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data\\n\\nVerify that lvts_data is not NULL before using it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42144\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42145", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42145" + }, + { + "url": "https://git.kernel.org/stable/c/1288cf1cceb0e6df276e182f5412370fb4169bcb" + }, + { + "url": "https://git.kernel.org/stable/c/62349fbf86b5e13b02721bdadf98c29afd1e7b5f" + }, + { + "url": "https://git.kernel.org/stable/c/63d202d948bb6d3a28cd8e8b96b160fa53e18baa" + }, + { + "url": "https://git.kernel.org/stable/c/a6627fba793cc75b7365d9504a0095fb2902dda4" + }, + { + "url": "https://git.kernel.org/stable/c/b4913702419d064ec4c4bbf7270643c95cc89a1b" + }, + { + "url": "https://git.kernel.org/stable/c/b8c5f635997f49c625178d1a0cb32a80ed33abe6" + }, + { + "url": "https://git.kernel.org/stable/c/ca0b44e20a6f3032224599f02e7c8fb49525c894" + }, + { + "url": "https://git.kernel.org/stable/c/d73cb8862e4d6760ccc94d3b57b9ef6271400607" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42145 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42145", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Implement a limit on UMAD receive List\n\nThe existing behavior of ib_umad, which maintains received MAD\npackets in an unbounded list, poses a risk of uncontrolled growth.\nAs user-space applications extract packets from this list, the rate\nof extraction may not match the rate of incoming packets, leading\nto potential list overflow.\n\nTo address this, we introduce a limit to the size of the list. After\nconsidering typical scenarios, such as OpenSM processing, which can\nhandle approximately 100k packets per second, and the 1-second retry\ntimeout for most packets, we set the list size limit to 200k. Packets\nreceived beyond this limit are dropped, assuming they are likely timed\nout by the time they are handled by user-space.\n\nNotably, packets queued on the receive list due to reasons like\ntimed-out sends are preserved even when the list is full.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42145\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42145\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42145\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42145\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42145\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1288cf1cceb0e6df276e182f5412370fb4169bcb\",\n \"https://git.kernel.org/stable/c/62349fbf86b5e13b02721bdadf98c29afd1e7b5f\",\n \"https://git.kernel.org/stable/c/63d202d948bb6d3a28cd8e8b96b160fa53e18baa\",\n \"https://git.kernel.org/stable/c/a6627fba793cc75b7365d9504a0095fb2902dda4\",\n \"https://git.kernel.org/stable/c/b4913702419d064ec4c4bbf7270643c95cc89a1b\",\n \"https://git.kernel.org/stable/c/b8c5f635997f49c625178d1a0cb32a80ed33abe6\",\n \"https://git.kernel.org/stable/c/ca0b44e20a6f3032224599f02e7c8fb49525c894\",\n \"https://git.kernel.org/stable/c/d73cb8862e4d6760ccc94d3b57b9ef6271400607\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/core: Implement a limit on UMAD receive List\\n\\nThe existing behavior of ib_umad, which maintains received MAD\\npackets in an unbounded list, poses a risk of uncontrolled growth.\\nAs user-space applications extract packets from this list, the rate\\nof extraction may not match the rate of incoming packets, leading\\nto potential list overflow.\\n\\nTo address this, we introduce a limit to the size of the list. After\\nconsidering typical scenarios, such as OpenSM processing, which can\\nhandle approximately 100k packets per second, and the 1-second retry\\ntimeout for most packets, we set the list size limit to 200k. Packets\\nreceived beyond this limit are dropped, assuming they are likely timed\\nout by the time they are handled by user-space.\\n\\nNotably, packets queued on the receive list due to reasons like\\ntimed-out sends are preserved even when the list is full.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42145\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42146", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42146" + }, + { + "url": "https://git.kernel.org/stable/c/0888d15ea45ba8ef4508edd1123ea5ad95b58994" + }, + { + "url": "https://git.kernel.org/stable/c/f9116f658a6217b101e3b4e89f845775b6fb05d9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42146 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42146", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf\n\nAny kunit doing any memory access should get their own runtime_pm\nouter references since they don't use the standard driver API\nentries. In special this dma_buf from the same driver.\n\nFound by pre-merge CI on adding WARN calls for unprotected\ninner callers:\n\n<6> [318.639739] # xe_dma_buf_kunit: running xe_test_dmabuf_import_same_driver\n<4> [318.639957] ------------[ cut here ]------------\n<4> [318.639967] xe 0000:4d:00.0: Missing outer runtime PM protection\n<4> [318.640049] WARNING: CPU: 117 PID: 3832 at drivers/gpu/drm/xe/xe_pm.c:533 xe_pm_runtime_get_noresume+0x48/0x60 [xe]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42146\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42146\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42146\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42146\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42146\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0888d15ea45ba8ef4508edd1123ea5ad95b58994\",\n \"https://git.kernel.org/stable/c/f9116f658a6217b101e3b4e89f845775b6fb05d9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf\\n\\nAny kunit doing any memory access should get their own runtime_pm\\nouter references since they don't use the standard driver API\\nentries. In special this dma_buf from the same driver.\\n\\nFound by pre-merge CI on adding WARN calls for unprotected\\ninner callers:\\n\\n<6> [318.639739] # xe_dma_buf_kunit: running xe_test_dmabuf_import_same_driver\\n<4> [318.639957] ------------[ cut here ]------------\\n<4> [318.639967] xe 0000:4d:00.0: Missing outer runtime PM protection\\n<4> [318.640049] WARNING: CPU: 117 PID: 3832 at drivers/gpu/drm/xe/xe_pm.c:533 xe_pm_runtime_get_noresume+0x48/0x60 [xe]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42146\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42147", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42147" + }, + { + "url": "https://git.kernel.org/stable/c/7fc8d9a525b5c3f8dfa5ed50901e764d8ede7e1e" + }, + { + "url": "https://git.kernel.org/stable/c/8be0913389718e8d27c4f1d4537b5e1b99ed7739" + }, + { + "url": "https://git.kernel.org/stable/c/e0a2d2df9ba7bd6bd7e0a9b6a5e3894f7e8445b3" + }, + { + "url": "https://git.kernel.org/stable/c/eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42147 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42147", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/debugfs - Fix debugfs uninit process issue\n\nDuring the zip probe process, the debugfs failure does not stop\nthe probe. When debugfs initialization fails, jumping to the\nerror branch will also release regs, in addition to its own\nrollback operation.\n\nAs a result, it may be released repeatedly during the regs\nuninit process. Therefore, the null check needs to be added to\nthe regs uninit process.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42147\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42147\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42147\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42147\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42147\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7fc8d9a525b5c3f8dfa5ed50901e764d8ede7e1e\",\n \"https://git.kernel.org/stable/c/8be0913389718e8d27c4f1d4537b5e1b99ed7739\",\n \"https://git.kernel.org/stable/c/e0a2d2df9ba7bd6bd7e0a9b6a5e3894f7e8445b3\",\n \"https://git.kernel.org/stable/c/eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: hisilicon/debugfs - Fix debugfs uninit process issue\\n\\nDuring the zip probe process, the debugfs failure does not stop\\nthe probe. When debugfs initialization fails, jumping to the\\nerror branch will also release regs, in addition to its own\\nrollback operation.\\n\\nAs a result, it may be released repeatedly during the regs\\nuninit process. Therefore, the null check needs to be added to\\nthe regs uninit process.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42147\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42148", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42148" + }, + { + "url": "https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b" + }, + { + "url": "https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7" + }, + { + "url": "https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f" + }, + { + "url": "https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce" + }, + { + "url": "https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d" + }, + { + "url": "https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f" + }, + { + "url": "https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e" + }, + { + "url": "https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42148 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42148", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnx2x: Fix multiple UBSAN array-index-out-of-bounds\n\nFix UBSAN warnings that occur when using a system with 32 physical\ncpu cores or more, or when the user defines a number of Ethernet\nqueues greater than or equal to FP_SB_MAX_E1x using the num_queues\nmodule parameter.\n\nCurrently there is a read/write out of bounds that occurs on the array\n\"struct stats_query_entry query\" present inside the \"bnx2x_fw_stats_req\"\nstruct in \"drivers/net/ethernet/broadcom/bnx2x/bnx2x.h\".\nLooking at the definition of the \"struct stats_query_entry query\" array:\n\nstruct stats_query_entry query[FP_SB_MAX_E1x+\n BNX2X_FIRST_QUEUE_QUERY_IDX];\n\nFP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and\nhas a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3\nmeaning the array has a total size of 19.\nSince accesses to \"struct stats_query_entry query\" are offset-ted by\nBNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet\nqueues should not exceed FP_SB_MAX_E1x (16). However one of these queues\nis reserved for FCOE and thus the number of Ethernet queues should be set\nto [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if\nit is not.\n\nThis is also described in a comment in the source code in\ndrivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition\nof FP_SB_MAX_E1x. Below is the part of this explanation that it important\nfor this patch\n\n/*\n * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is\n * control by the number of fast-path status blocks supported by the\n * device (HW/FW). Each fast-path status block (FP-SB) aka non-default\n * status block represents an independent interrupts context that can\n * serve a regular L2 networking queue. However special L2 queues such\n * as the FCoE queue do not require a FP-SB and other components like\n * the CNIC may consume FP-SB reducing the number of possible L2 queues\n *\n * If the maximum number of FP-SB available is X then:\n * a. If CNIC is supported it consumes 1 FP-SB thus the max number of\n * regular L2 queues is Y=X-1\n * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)\n * c. If the FCoE L2 queue is supported the actual number of L2 queues\n * is Y+1\n * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for\n * slow-path interrupts) or Y+2 if CNIC is supported (one additional\n * FP interrupt context for the CNIC).\n * e. The number of HW context (CID count) is always X or X+1 if FCoE\n * L2 queue is supported. The cid for the FCoE L2 queue is always X.\n */\n\nHowever this driver also supports NICs that use the E2 controller which can\nhandle more queues due to having more FP-SB represented by FP_SB_MAX_E2.\nLooking at the commits when the E2 support was added, it was originally\nusing the E1x parameters: commit f2e0899f0f27 (\"bnx2x: Add 57712 support\").\nBack then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver\nwas later updated to take full advantage of the E2 instead of having it be\nlimited to the capabilities of the E1x. But as far as we can tell, the\narray \"stats_query_entry query\" was still limited to using the FP-SB\navailable to the E1x cards as part of an oversignt when the driver was\nupdated to take full advantage of the E2, and now with the driver being\naware of the greater queue size supported by E2 NICs, it causes the UBSAN\nwarnings seen in the stack traces below.\n\nThis patch increases the size of the \"stats_query_entry query\" array by\nreplacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle\nboth types of NICs.\n\nStack traces:\n\nUBSAN: array-index-out-of-bounds in\n drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11\nindex 20 is out of range for type 'stats_query_entry [19]'\nCPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic\n\t #202405052133\nHardware name: HP ProLiant DL360 Gen9/ProLiant DL360 \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42148\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42148\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42148\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42148\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42148\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b\",\n \"https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7\",\n \"https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f\",\n \"https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce\",\n \"https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d\",\n \"https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f\",\n \"https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e\",\n \"https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbnx2x: Fix multiple UBSAN array-index-out-of-bounds\\n\\nFix UBSAN warnings that occur when using a system with 32 physical\\ncpu cores or more, or when the user defines a number of Ethernet\\nqueues greater than or equal to FP_SB_MAX_E1x using the num_queues\\nmodule parameter.\\n\\nCurrently there is a read/write out of bounds that occurs on the array\\n\\\"struct stats_query_entry query\\\" present inside the \\\"bnx2x_fw_stats_req\\\"\\nstruct in \\\"drivers/net/ethernet/broadcom/bnx2x/bnx2x.h\\\".\\nLooking at the definition of the \\\"struct stats_query_entry query\\\" array:\\n\\nstruct stats_query_entry query[FP_SB_MAX_E1x+\\n BNX2X_FIRST_QUEUE_QUERY_IDX];\\n\\nFP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and\\nhas a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3\\nmeaning the array has a total size of 19.\\nSince accesses to \\\"struct stats_query_entry query\\\" are offset-ted by\\nBNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet\\nqueues should not exceed FP_SB_MAX_E1x (16). However one of these queues\\nis reserved for FCOE and thus the number of Ethernet queues should be set\\nto [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if\\nit is not.\\n\\nThis is also described in a comment in the source code in\\ndrivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition\\nof FP_SB_MAX_E1x. Below is the part of this explanation that it important\\nfor this patch\\n\\n/*\\n * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is\\n * control by the number of fast-path status blocks supported by the\\n * device (HW/FW). Each fast-path status block (FP-SB) aka non-default\\n * status block represents an independent interrupts context that can\\n * serve a regular L2 networking queue. However special L2 queues such\\n * as the FCoE queue do not require a FP-SB and other components like\\n * the CNIC may consume FP-SB reducing the number of possible L2 queues\\n *\\n * If the maximum number of FP-SB available is X then:\\n * a. If CNIC is supported it consumes 1 FP-SB thus the max number of\\n * regular L2 queues is Y=X-1\\n * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)\\n * c. If the FCoE L2 queue is supported the actual number of L2 queues\\n * is Y+1\\n * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for\\n * slow-path interrupts) or Y+2 if CNIC is supported (one additional\\n * FP interrupt context for the CNIC).\\n * e. The number of HW context (CID count) is always X or X+1 if FCoE\\n * L2 queue is supported. The cid for the FCoE L2 queue is always X.\\n */\\n\\nHowever this driver also supports NICs that use the E2 controller which can\\nhandle more queues due to having more FP-SB represented by FP_SB_MAX_E2.\\nLooking at the commits when the E2 support was added, it was originally\\nusing the E1x parameters: commit f2e0899f0f27 (\\\"bnx2x: Add 57712 support\\\").\\nBack then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver\\nwas later updated to take full advantage of the E2 instead of having it be\\nlimited to the capabilities of the E1x. But as far as we can tell, the\\narray \\\"stats_query_entry query\\\" was still limited to using the FP-SB\\navailable to the E1x cards as part of an oversignt when the driver was\\nupdated to take full advantage of the E2, and now with the driver being\\naware of the greater queue size supported by E2 NICs, it causes the UBSAN\\nwarnings seen in the stack traces below.\\n\\nThis patch increases the size of the \\\"stats_query_entry query\\\" array by\\nreplacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle\\nboth types of NICs.\\n\\nStack traces:\\n\\nUBSAN: array-index-out-of-bounds in\\n drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11\\nindex 20 is out of range for type 'stats_query_entry [19]'\\nCPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic\\n\\t #202405052133\\nHardware name: HP ProLiant DL360 Gen9/ProLiant DL360 \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42148\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42151", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42151" + }, + { + "url": "https://git.kernel.org/stable/c/1479eaff1f16983d8fda7c5a08a586c21891087d" + }, + { + "url": "https://git.kernel.org/stable/c/7f79097b0de97a486b137b750d7dd7b20b519d23" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42151 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42151", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable\n\nTest case dummy_st_ops/dummy_init_ret_value passes NULL as the first\nparameter of the test_1() function. Mark this parameter as nullable to\nmake verifier aware of such possibility.\nOtherwise, NULL check in the test_1() code:\n\n SEC(\"struct_ops/test_1\")\n int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)\n {\n if (!state)\n return ...;\n\n ... access state ...\n }\n\nMight be removed by verifier, thus triggering NULL pointer dereference\nunder certain conditions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42151\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42151\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42151\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42151\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42151\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1479eaff1f16983d8fda7c5a08a586c21891087d\",\n \"https://git.kernel.org/stable/c/7f79097b0de97a486b137b750d7dd7b20b519d23\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable\\n\\nTest case dummy_st_ops/dummy_init_ret_value passes NULL as the first\\nparameter of the test_1() function. Mark this parameter as nullable to\\nmake verifier aware of such possibility.\\nOtherwise, NULL check in the test_1() code:\\n\\n SEC(\\\"struct_ops/test_1\\\")\\n int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)\\n {\\n if (!state)\\n return ...;\\n\\n ... access state ...\\n }\\n\\nMight be removed by verifier, thus triggering NULL pointer dereference\\nunder certain conditions.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42151\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42152", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42152" + }, + { + "url": "https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa" + }, + { + "url": "https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1" + }, + { + "url": "https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33" + }, + { + "url": "https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da" + }, + { + "url": "https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5" + }, + { + "url": "https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42152 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42152", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a possible leak when destroy a ctrl during qp establishment\n\nIn nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we\nknow that a ctrl was allocated (in the admin connect request handler)\nand we need to release pending AERs, clear ctrl->sqs and sq->ctrl\n(for nvme-loop primarily), and drop the final reference on the ctrl.\n\nHowever, a small window is possible where nvmet_sq_destroy starts (as\na result of the client giving up and disconnecting) concurrently with\nthe nvme admin connect cmd (which may be in an early stage). But *before*\nkill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq\nlive reference). In this case, sq->ctrl was allocated however after it was\ncaptured in a local variable in nvmet_sq_destroy.\nThis prevented the final reference drop on the ctrl.\n\nSolve this by re-capturing the sq->ctrl after all inflight request has\ncompleted, where for sure sq->ctrl reference is final, and move forward\nbased on that.\n\nThis issue was observed in an environment with many hosts connecting\nmultiple ctrls simoutanuosly, creating a delay in allocating a ctrl\nleading up to this race window.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42152\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42152\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42152\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42152\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42152\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa\",\n \"https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1\",\n \"https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33\",\n \"https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da\",\n \"https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5\",\n \"https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvmet: fix a possible leak when destroy a ctrl during qp establishment\\n\\nIn nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we\\nknow that a ctrl was allocated (in the admin connect request handler)\\nand we need to release pending AERs, clear ctrl->sqs and sq->ctrl\\n(for nvme-loop primarily), and drop the final reference on the ctrl.\\n\\nHowever, a small window is possible where nvmet_sq_destroy starts (as\\na result of the client giving up and disconnecting) concurrently with\\nthe nvme admin connect cmd (which may be in an early stage). But *before*\\nkill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq\\nlive reference). In this case, sq->ctrl was allocated however after it was\\ncaptured in a local variable in nvmet_sq_destroy.\\nThis prevented the final reference drop on the ctrl.\\n\\nSolve this by re-capturing the sq->ctrl after all inflight request has\\ncompleted, where for sure sq->ctrl reference is final, and move forward\\nbased on that.\\n\\nThis issue was observed in an environment with many hosts connecting\\nmultiple ctrls simoutanuosly, creating a delay in allocating a ctrl\\nleading up to this race window.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42152\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42153", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42153" + }, + { + "url": "https://git.kernel.org/stable/c/27cd3873fa76ebeb9f948baae40cb9a6d8692289" + }, + { + "url": "https://git.kernel.org/stable/c/2849a1b747cf37aa5b684527104d3a53f1e296d2" + }, + { + "url": "https://git.kernel.org/stable/c/3503372d0bf7b324ec0bd6b90606703991426176" + }, + { + "url": "https://git.kernel.org/stable/c/3d32327f5cfc087ee3922a3bcdcc29880dcdb50f" + }, + { + "url": "https://git.kernel.org/stable/c/92e494a7568b60ae80d57fc0deafcaf3a4029ab3" + }, + { + "url": "https://git.kernel.org/stable/c/a349e5ab4dc9954746e836cd10b407ce48f9b2f6" + }, + { + "url": "https://git.kernel.org/stable/c/effe0500afda017a86c94482b1e36bc37586c9af" + }, + { + "url": "https://git.kernel.org/stable/c/f63b94be6942ba82c55343e196bd09b53227618e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42153 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42153", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr\n\nWhen del_timer_sync() is called in an interrupt context it throws a warning\nbecause of potential deadlock. The timer is used only to exit from\nwait_for_completion() after a timeout so replacing the call with\nwait_for_completion_timeout() allows to remove the problematic timer and\nits related functions altogether.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42153\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42153\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42153\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42153\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42153\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/27cd3873fa76ebeb9f948baae40cb9a6d8692289\",\n \"https://git.kernel.org/stable/c/2849a1b747cf37aa5b684527104d3a53f1e296d2\",\n \"https://git.kernel.org/stable/c/3503372d0bf7b324ec0bd6b90606703991426176\",\n \"https://git.kernel.org/stable/c/3d32327f5cfc087ee3922a3bcdcc29880dcdb50f\",\n \"https://git.kernel.org/stable/c/92e494a7568b60ae80d57fc0deafcaf3a4029ab3\",\n \"https://git.kernel.org/stable/c/a349e5ab4dc9954746e836cd10b407ce48f9b2f6\",\n \"https://git.kernel.org/stable/c/effe0500afda017a86c94482b1e36bc37586c9af\",\n \"https://git.kernel.org/stable/c/f63b94be6942ba82c55343e196bd09b53227618e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr\\n\\nWhen del_timer_sync() is called in an interrupt context it throws a warning\\nbecause of potential deadlock. The timer is used only to exit from\\nwait_for_completion() after a timeout so replacing the call with\\nwait_for_completion_timeout() allows to remove the problematic timer and\\nits related functions altogether.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42153\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42154", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42154" + }, + { + "url": "https://git.kernel.org/stable/c/19d997b59fa1fd7a02e770ee0881c0652b9c32c9" + }, + { + "url": "https://git.kernel.org/stable/c/2a2e79dbe2236a1289412d2044994f7ab419b44c" + }, + { + "url": "https://git.kernel.org/stable/c/31f03bb04146c1c6df6c03e9f45401f5f5a985d3" + }, + { + "url": "https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321" + }, + { + "url": "https://git.kernel.org/stable/c/66be40e622e177316ae81717aa30057ba9e61dff" + }, + { + "url": "https://git.kernel.org/stable/c/8c2debdd170e395934ac0e039748576dfde14e99" + }, + { + "url": "https://git.kernel.org/stable/c/cdffc358717e436bb67122bb82c1a2a26e050f98" + }, + { + "url": "https://git.kernel.org/stable/c/ef7c428b425beeb52b894e16f1c4b629d6cebfb6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42154 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42154", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_metrics: validate source addr length\n\nI don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4\nis at least 4 bytes long, and the policy doesn't have an entry\nfor this attribute at all (neither does it for IPv6 but v6 is\nmanually validated).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42154\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42154\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42154\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42154\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42154\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Critical\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19d997b59fa1fd7a02e770ee0881c0652b9c32c9\",\n \"https://git.kernel.org/stable/c/2a2e79dbe2236a1289412d2044994f7ab419b44c\",\n \"https://git.kernel.org/stable/c/31f03bb04146c1c6df6c03e9f45401f5f5a985d3\",\n \"https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321\",\n \"https://git.kernel.org/stable/c/66be40e622e177316ae81717aa30057ba9e61dff\",\n \"https://git.kernel.org/stable/c/8c2debdd170e395934ac0e039748576dfde14e99\",\n \"https://git.kernel.org/stable/c/cdffc358717e436bb67122bb82c1a2a26e050f98\",\n \"https://git.kernel.org/stable/c/ef7c428b425beeb52b894e16f1c4b629d6cebfb6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp_metrics: validate source addr length\\n\\nI don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4\\nis at least 4 bytes long, and the policy doesn't have an entry\\nfor this attribute at all (neither does it for IPv6 but v6 is\\nmanually validated).\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 9.8,\n \"exploitabilityScore\": 3.9,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42154\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42155", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42155" + }, + { + "url": "https://git.kernel.org/stable/c/c746f7ced4ad88ee48d0b6c92710e4674403185b" + }, + { + "url": "https://git.kernel.org/stable/c/f2ebdadd85af4f4d0cae1e5d009c70eccc78c207" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42155 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42155", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe copies of protected- and secure-keys\n\nAlthough the clear-key of neither protected- nor secure-keys is\naccessible, this key material should only be visible to the calling\nprocess. So wipe all copies of protected- or secure-keys from stack,\neven in case of an error.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42155\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42155\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42155\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42155\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42155\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Low\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/c746f7ced4ad88ee48d0b6c92710e4674403185b\",\n \"https://git.kernel.org/stable/c/f2ebdadd85af4f4d0cae1e5d009c70eccc78c207\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/pkey: Wipe copies of protected- and secure-keys\\n\\nAlthough the clear-key of neither protected- nor secure-keys is\\naccessible, this key material should only be visible to the calling\\nprocess. So wipe all copies of protected- or secure-keys from stack,\\neven in case of an error.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 1.9,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 1.4\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42155\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42156", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42156" + }, + { + "url": "https://git.kernel.org/stable/c/7f6243edd901b75aaece326c90a1cc0dcb60cc3d" + }, + { + "url": "https://git.kernel.org/stable/c/d65d76a44ffe74c73298ada25b0f578680576073" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42156 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42156", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe copies of clear-key structures on failure\n\nWipe all sensitive data from stack for all IOCTLs, which convert a\nclear-key into a protected- or secure-key.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42156\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42156\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42156\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42156\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42156\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7f6243edd901b75aaece326c90a1cc0dcb60cc3d\",\n \"https://git.kernel.org/stable/c/d65d76a44ffe74c73298ada25b0f578680576073\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/pkey: Wipe copies of clear-key structures on failure\\n\\nWipe all sensitive data from stack for all IOCTLs, which convert a\\nclear-key into a protected- or secure-key.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.1,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42156\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42157", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42157" + }, + { + "url": "https://git.kernel.org/stable/c/1d8c270de5eb74245d72325d285894a577a945d9" + }, + { + "url": "https://git.kernel.org/stable/c/4889f117755b2f18c23045a0f57977f3ec130581" + }, + { + "url": "https://git.kernel.org/stable/c/6e2e374403bf73140d0efc9541cb1b3bea55ac02" + }, + { + "url": "https://git.kernel.org/stable/c/90a01aefb84b09ccb6024d75d85bb8f620bd3487" + }, + { + "url": "https://git.kernel.org/stable/c/93c034c4314bc4c4450a3869cd5da298502346ad" + }, + { + "url": "https://git.kernel.org/stable/c/b5eb9176ebd4697bc248bf8d145e66d782cf5250" + }, + { + "url": "https://git.kernel.org/stable/c/c44a2151e5d21c66b070a056c26471f30719b575" + }, + { + "url": "https://git.kernel.org/stable/c/c51795885c801b6b7e976717e0d6d45b1e5be0f0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42157 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42157", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe sensitive data on failure\n\nWipe sensitive data from stack also if the copy_to_user() fails.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42157\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42157\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42157\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42157\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42157\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d8c270de5eb74245d72325d285894a577a945d9\",\n \"https://git.kernel.org/stable/c/4889f117755b2f18c23045a0f57977f3ec130581\",\n \"https://git.kernel.org/stable/c/6e2e374403bf73140d0efc9541cb1b3bea55ac02\",\n \"https://git.kernel.org/stable/c/90a01aefb84b09ccb6024d75d85bb8f620bd3487\",\n \"https://git.kernel.org/stable/c/93c034c4314bc4c4450a3869cd5da298502346ad\",\n \"https://git.kernel.org/stable/c/b5eb9176ebd4697bc248bf8d145e66d782cf5250\",\n \"https://git.kernel.org/stable/c/c44a2151e5d21c66b070a056c26471f30719b575\",\n \"https://git.kernel.org/stable/c/c51795885c801b6b7e976717e0d6d45b1e5be0f0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/pkey: Wipe sensitive data on failure\\n\\nWipe sensitive data from stack also if the copy_to_user() fails.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.1,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42157\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42158", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42158" + }, + { + "url": "https://git.kernel.org/stable/c/22e6824622e8a8889df0f8fc4ed5aea0e702a694" + }, + { + "url": "https://git.kernel.org/stable/c/62151a0acde90823bdfa991d598c85cf4b1d387d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42158 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42158", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Use kfree_sensitive() to fix Coccinelle warnings\n\nReplace memzero_explicit() and kfree() with kfree_sensitive() to fix\nwarnings reported by Coccinelle:\n\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506)\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643)\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42158\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42158\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42158\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42158\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42158\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22e6824622e8a8889df0f8fc4ed5aea0e702a694\",\n \"https://git.kernel.org/stable/c/62151a0acde90823bdfa991d598c85cf4b1d387d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/pkey: Use kfree_sensitive() to fix Coccinelle warnings\\n\\nReplace memzero_explicit() and kfree() with kfree_sensitive() to fix\\nwarnings reported by Coccinelle:\\n\\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506)\\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643)\\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.1,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42158\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42160", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42160" + }, + { + "url": "https://git.kernel.org/stable/c/44958ca9e400f57bd0478115519ffc350fcee61e" + }, + { + "url": "https://git.kernel.org/stable/c/4ed886b187f47447ad559619c48c086f432d2b77" + }, + { + "url": "https://git.kernel.org/stable/c/bc84dd2c33e0c10fd90d60f0cfc0bfb504d4692d" + }, + { + "url": "https://git.kernel.org/stable/c/ecb641f424d6d1f055d149a15b892edcc92c504b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42160 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42160", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: check validation of fault attrs in f2fs_build_fault_attr()\n\n- It missed to check validation of fault attrs in parse_options(),\nlet's fix to add check condition in f2fs_build_fault_attr().\n- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42160\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42160\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42160\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42160\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42160\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/44958ca9e400f57bd0478115519ffc350fcee61e\",\n \"https://git.kernel.org/stable/c/4ed886b187f47447ad559619c48c086f432d2b77\",\n \"https://git.kernel.org/stable/c/bc84dd2c33e0c10fd90d60f0cfc0bfb504d4692d\",\n \"https://git.kernel.org/stable/c/ecb641f424d6d1f055d149a15b892edcc92c504b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: check validation of fault attrs in f2fs_build_fault_attr()\\n\\n- It missed to check validation of fault attrs in parse_options(),\\nlet's fix to add check condition in f2fs_build_fault_attr().\\n- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42160\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42161", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42161" + }, + { + "url": "https://git.kernel.org/stable/c/009367099eb61a4fc2af44d4eb06b6b4de7de6db" + }, + { + "url": "https://git.kernel.org/stable/c/3364c2ed1c241989847f19cf83e3db903ce689e3" + }, + { + "url": "https://git.kernel.org/stable/c/7e5471b5efebc30dd0bc035cda86693a5c73d45f" + }, + { + "url": "https://git.kernel.org/stable/c/a21d76bd0b0d39518e9a4c19f6cf7c042a974aff" + }, + { + "url": "https://git.kernel.org/stable/c/b694989bb13ed5f166e633faa1eb0f21c6d261a6" + }, + { + "url": "https://git.kernel.org/stable/c/ff941a8449e712eaf7efca1a13bfb9afd3d99fc2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42161 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42161", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD\n\n[Changes from V1:\n - Use a default branch in the switch statement to initialize `val'.]\n\nGCC warns that `val' may be used uninitialized in the\nBPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as:\n\n\t[...]\n\tunsigned long long val;\t\t\t\t\t\t \\\n\t[...]\t\t\t\t\t\t\t\t \\\n\tswitch (__CORE_RELO(s, field, BYTE_SIZE)) {\t\t\t \\\n\tcase 1: val = *(const unsigned char *)p; break;\t\t\t \\\n\tcase 2: val = *(const unsigned short *)p; break;\t\t \\\n\tcase 4: val = *(const unsigned int *)p; break;\t\t\t \\\n\tcase 8: val = *(const unsigned long long *)p; break;\t\t \\\n } \t\t\t\t\t\t\t \\\n\t[...]\n\tval;\t\t\t\t\t\t\t\t \\\n\t}\t\t\t\t\t\t\t\t \\\n\nThis patch adds a default entry in the switch statement that sets\n`val' to zero in order to avoid the warning, and random values to be\nused in case __builtin_preserve_field_info returns unexpected values\nfor BPF_FIELD_BYTE_SIZE.\n\nTested in bpf-next master.\nNo regressions.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42161\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42161\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42161\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42161\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42161\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/009367099eb61a4fc2af44d4eb06b6b4de7de6db\",\n \"https://git.kernel.org/stable/c/3364c2ed1c241989847f19cf83e3db903ce689e3\",\n \"https://git.kernel.org/stable/c/7e5471b5efebc30dd0bc035cda86693a5c73d45f\",\n \"https://git.kernel.org/stable/c/a21d76bd0b0d39518e9a4c19f6cf7c042a974aff\",\n \"https://git.kernel.org/stable/c/b694989bb13ed5f166e633faa1eb0f21c6d261a6\",\n \"https://git.kernel.org/stable/c/ff941a8449e712eaf7efca1a13bfb9afd3d99fc2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD\\n\\n[Changes from V1:\\n - Use a default branch in the switch statement to initialize `val'.]\\n\\nGCC warns that `val' may be used uninitialized in the\\nBPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as:\\n\\n\\t[...]\\n\\tunsigned long long val;\\t\\t\\t\\t\\t\\t \\\\\\n\\t[...]\\t\\t\\t\\t\\t\\t\\t\\t \\\\\\n\\tswitch (__CORE_RELO(s, field, BYTE_SIZE)) {\\t\\t\\t \\\\\\n\\tcase 1: val = *(const unsigned char *)p; break;\\t\\t\\t \\\\\\n\\tcase 2: val = *(const unsigned short *)p; break;\\t\\t \\\\\\n\\tcase 4: val = *(const unsigned int *)p; break;\\t\\t\\t \\\\\\n\\tcase 8: val = *(const unsigned long long *)p; break;\\t\\t \\\\\\n } \\t\\t\\t\\t\\t\\t\\t \\\\\\n\\t[...]\\n\\tval;\\t\\t\\t\\t\\t\\t\\t\\t \\\\\\n\\t}\\t\\t\\t\\t\\t\\t\\t\\t \\\\\\n\\nThis patch adds a default entry in the switch statement that sets\\n`val' to zero in order to avoid the warning, and random values to be\\nused in case __builtin_preserve_field_info returns unexpected values\\nfor BPF_FIELD_BYTE_SIZE.\\n\\nTested in bpf-next master.\\nNo regressions.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42161\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42223", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42223" + }, + { + "url": "https://git.kernel.org/stable/c/1121d8a5c6ed6b8fad492e43b63b386cb6a3a9d8" + }, + { + "url": "https://git.kernel.org/stable/c/1663e2474e4d777187d749a5c90ae83232db32bd" + }, + { + "url": "https://git.kernel.org/stable/c/1aa1329a67cc214c3b7bd2a14d1301a795760b07" + }, + { + "url": "https://git.kernel.org/stable/c/5c72587d024f087aecec0221eaff2fe850d856ce" + }, + { + "url": "https://git.kernel.org/stable/c/8167e4d7dc086d4f7ca7897dcff3827e4d22c99a" + }, + { + "url": "https://git.kernel.org/stable/c/8ac224e9371dc3c4eb666033e6b42d05cf5184a1" + }, + { + "url": "https://git.kernel.org/stable/c/bd5620439959a7e02012588c724c6ff5143b80af" + }, + { + "url": "https://git.kernel.org/stable/c/e1ba22618758e95e09c9fd30c69ccce38edf94c0" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42223 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42223", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: tda10048: Fix integer overflow\n\nstate->xtal_hz can be up to 16M, so it can overflow a 32 bit integer\nwhen multiplied by pll_mfactor.\n\nCreate a new 64 bit variable to hold the calculations.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42223\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42223\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42223\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42223\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42223\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1121d8a5c6ed6b8fad492e43b63b386cb6a3a9d8\",\n \"https://git.kernel.org/stable/c/1663e2474e4d777187d749a5c90ae83232db32bd\",\n \"https://git.kernel.org/stable/c/1aa1329a67cc214c3b7bd2a14d1301a795760b07\",\n \"https://git.kernel.org/stable/c/5c72587d024f087aecec0221eaff2fe850d856ce\",\n \"https://git.kernel.org/stable/c/8167e4d7dc086d4f7ca7897dcff3827e4d22c99a\",\n \"https://git.kernel.org/stable/c/8ac224e9371dc3c4eb666033e6b42d05cf5184a1\",\n \"https://git.kernel.org/stable/c/bd5620439959a7e02012588c724c6ff5143b80af\",\n \"https://git.kernel.org/stable/c/e1ba22618758e95e09c9fd30c69ccce38edf94c0\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: dvb-frontends: tda10048: Fix integer overflow\\n\\nstate->xtal_hz can be up to 16M, so it can overflow a 32 bit integer\\nwhen multiplied by pll_mfactor.\\n\\nCreate a new 64 bit variable to hold the calculations.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42223\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42224", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42224" + }, + { + "url": "https://git.kernel.org/stable/c/2a2fe25a103cef73cde356e6d09da10f607e93f5" + }, + { + "url": "https://git.kernel.org/stable/c/3bf8d70e1455f87856640c3433b3660a31001618" + }, + { + "url": "https://git.kernel.org/stable/c/3f25b5f1635449036692a44b771f39f772190c1d" + }, + { + "url": "https://git.kernel.org/stable/c/47d28dde172696031c880c5778633cdca30394ee" + }, + { + "url": "https://git.kernel.org/stable/c/4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b" + }, + { + "url": "https://git.kernel.org/stable/c/8c2c3cca816d074c75a2801d1ca0dea7b0148114" + }, + { + "url": "https://git.kernel.org/stable/c/aa03f591ef31ba603a4a99d05d25a0f21ab1cd89" + }, + { + "url": "https://git.kernel.org/stable/c/f75625db838ade28f032dacd0f0c8baca42ecde4" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42224 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42224", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: Correct check for empty list\n\nSince commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO\nbusses\") mv88e6xxx_default_mdio_bus() has checked that the\nreturn value of list_first_entry() is non-NULL.\n\nThis appears to be intended to guard against the list chip->mdios being\nempty. However, it is not the correct check as the implementation of\nlist_first_entry is not designed to return NULL for empty lists.\n\nInstead, use list_first_entry_or_null() which does return NULL if the\nlist is empty.\n\nFlagged by Smatch.\nCompile tested only.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42224\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42224\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42224\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42224\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42224\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a2fe25a103cef73cde356e6d09da10f607e93f5\",\n \"https://git.kernel.org/stable/c/3bf8d70e1455f87856640c3433b3660a31001618\",\n \"https://git.kernel.org/stable/c/3f25b5f1635449036692a44b771f39f772190c1d\",\n \"https://git.kernel.org/stable/c/47d28dde172696031c880c5778633cdca30394ee\",\n \"https://git.kernel.org/stable/c/4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b\",\n \"https://git.kernel.org/stable/c/8c2c3cca816d074c75a2801d1ca0dea7b0148114\",\n \"https://git.kernel.org/stable/c/aa03f591ef31ba603a4a99d05d25a0f21ab1cd89\",\n \"https://git.kernel.org/stable/c/f75625db838ade28f032dacd0f0c8baca42ecde4\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: mv88e6xxx: Correct check for empty list\\n\\nSince commit a3c53be55c95 (\\\"net: dsa: mv88e6xxx: Support multiple MDIO\\nbusses\\\") mv88e6xxx_default_mdio_bus() has checked that the\\nreturn value of list_first_entry() is non-NULL.\\n\\nThis appears to be intended to guard against the list chip->mdios being\\nempty. However, it is not the correct check as the implementation of\\nlist_first_entry is not designed to return NULL for empty lists.\\n\\nInstead, use list_first_entry_or_null() which does return NULL if the\\nlist is empty.\\n\\nFlagged by Smatch.\\nCompile tested only.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42224\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42225", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42225" + }, + { + "url": "https://git.kernel.org/stable/c/22ea2a7f0b64d323625950414a4496520fb33657" + }, + { + "url": "https://git.kernel.org/stable/c/64f86337ccfe77fe3be5a9356b0dabde23fbb074" + }, + { + "url": "https://git.kernel.org/stable/c/7f819a2f4fbc510e088b49c79addcf1734503578" + }, + { + "url": "https://git.kernel.org/stable/c/dc7f14d00d0c4c21898f3504607f4a31079065a2" + }, + { + "url": "https://git.kernel.org/stable/c/ff6b26be13032c5fbd6b6a0b24358f8eaac4f3af" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42225 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42225", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: replace skb_put with skb_put_zero\n\nAvoid potentially reusing uninitialized data", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42225\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42225\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42225\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42225\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42225\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/22ea2a7f0b64d323625950414a4496520fb33657\",\n \"https://git.kernel.org/stable/c/64f86337ccfe77fe3be5a9356b0dabde23fbb074\",\n \"https://git.kernel.org/stable/c/7f819a2f4fbc510e088b49c79addcf1734503578\",\n \"https://git.kernel.org/stable/c/dc7f14d00d0c4c21898f3504607f4a31079065a2\",\n \"https://git.kernel.org/stable/c/ff6b26be13032c5fbd6b6a0b24358f8eaac4f3af\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mt76: replace skb_put with skb_put_zero\\n\\nAvoid potentially reusing uninitialized data\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.5,\n \"exploitabilityScore\": 1.6,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42225\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42226", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42226" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42226 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42226", + "desc": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42226\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42226\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42226\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42226\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42226\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [],\n \"description\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42226\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42228", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42228" + }, + { + "url": "https://git.kernel.org/stable/c/855ae72c20310e5402b2317fc537d911e87537ef" + }, + { + "url": "https://git.kernel.org/stable/c/88a9a467c548d0b3c7761b4fd54a68e70f9c0944" + }, + { + "url": "https://git.kernel.org/stable/c/f8f120b3de48b8b6bdf8988a9b334c2d61c17440" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42228 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42228", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc\n\nInitialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.\nV2: To really improve the handling we would actually\n need to have a separate value of 0xffffffff.(Christian)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42228\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42228\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42228\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42228\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42228\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/855ae72c20310e5402b2317fc537d911e87537ef\",\n \"https://git.kernel.org/stable/c/88a9a467c548d0b3c7761b4fd54a68e70f9c0944\",\n \"https://git.kernel.org/stable/c/f8f120b3de48b8b6bdf8988a9b334c2d61c17440\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc\\n\\nInitialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.\\nV2: To really improve the handling we would actually\\n need to have a separate value of 0xffffffff.(Christian)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7,\n \"exploitabilityScore\": 1,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42228\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42229", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42229" + }, + { + "url": "https://git.kernel.org/stable/c/23e4099bdc3c8381992f9eb975c79196d6755210" + }, + { + "url": "https://git.kernel.org/stable/c/28c8d274848feba552e95c5c2a7e3cfe8f15c534" + }, + { + "url": "https://git.kernel.org/stable/c/71dd428615375e36523f4d4f7685ddd54113646d" + }, + { + "url": "https://git.kernel.org/stable/c/9db8c299a521813630fcb4154298cb60c37f3133" + }, + { + "url": "https://git.kernel.org/stable/c/b502d4a08875ea2b4ea5d5b28dc7c991c8b90cfb" + }, + { + "url": "https://git.kernel.org/stable/c/f58679996a831754a356974376f248aa0af2eb8e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42229 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42229", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aead,cipher - zeroize key buffer after use\n\nI.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding\ncryptographic information should be zeroized once they are no longer\nneeded. Accomplish this by using kfree_sensitive for buffers that\npreviously held the private key.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42229\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42229\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42229\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42229\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42229\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23e4099bdc3c8381992f9eb975c79196d6755210\",\n \"https://git.kernel.org/stable/c/28c8d274848feba552e95c5c2a7e3cfe8f15c534\",\n \"https://git.kernel.org/stable/c/71dd428615375e36523f4d4f7685ddd54113646d\",\n \"https://git.kernel.org/stable/c/9db8c299a521813630fcb4154298cb60c37f3133\",\n \"https://git.kernel.org/stable/c/b502d4a08875ea2b4ea5d5b28dc7c991c8b90cfb\",\n \"https://git.kernel.org/stable/c/f58679996a831754a356974376f248aa0af2eb8e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: aead,cipher - zeroize key buffer after use\\n\\nI.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding\\ncryptographic information should be zeroized once they are no longer\\nneeded. Accomplish this by using kfree_sensitive for buffers that\\npreviously held the private key.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\n \"metrics\": {\n \"baseScore\": 4.1,\n \"exploitabilityScore\": 0.5,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42229\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42230", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42230" + }, + { + "url": "https://git.kernel.org/stable/c/21a741eb75f80397e5f7d3739e24d7d75e619011" + }, + { + "url": "https://git.kernel.org/stable/c/8c6506616386ce37e59b2745fc481c6713fae4f3" + }, + { + "url": "https://git.kernel.org/stable/c/c550679d604798d9fed8a5b2bb5693448a25407c" + }, + { + "url": "https://git.kernel.org/stable/c/d10e3c39001e9194b9a1bfd6979bd3fa19dccdc5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42230 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42230", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix scv instruction crash with kexec\n\nkexec on pseries disables AIL (reloc_on_exc), required for scv\ninstruction support, before other CPUs have been shut down. This means\nthey can execute scv instructions after AIL is disabled, which causes an\ninterrupt at an unexpected entry location that crashes the kernel.\n\nChange the kexec sequence to disable AIL after other CPUs have been\nbrought down.\n\nAs a refresher, the real-mode scv interrupt vector is 0x17000, and the\nfixed-location head code probably couldn't easily deal with implementing\nsuch high addresses so it was just decided not to support that interrupt\nat all.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42230\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42230\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42230\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42230\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42230\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21a741eb75f80397e5f7d3739e24d7d75e619011\",\n \"https://git.kernel.org/stable/c/8c6506616386ce37e59b2745fc481c6713fae4f3\",\n \"https://git.kernel.org/stable/c/c550679d604798d9fed8a5b2bb5693448a25407c\",\n \"https://git.kernel.org/stable/c/d10e3c39001e9194b9a1bfd6979bd3fa19dccdc5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/pseries: Fix scv instruction crash with kexec\\n\\nkexec on pseries disables AIL (reloc_on_exc), required for scv\\ninstruction support, before other CPUs have been shut down. This means\\nthey can execute scv instructions after AIL is disabled, which causes an\\ninterrupt at an unexpected entry location that crashes the kernel.\\n\\nChange the kexec sequence to disable AIL after other CPUs have been\\nbrought down.\\n\\nAs a refresher, the real-mode scv interrupt vector is 0x17000, and the\\nfixed-location head code probably couldn't easily deal with implementing\\nsuch high addresses so it was just decided not to support that interrupt\\nat all.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 4.4,\n \"exploitabilityScore\": 0.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42230\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42232", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42232" + }, + { + "url": "https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf" + }, + { + "url": "https://git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7" + }, + { + "url": "https://git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a" + }, + { + "url": "https://git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e" + }, + { + "url": "https://git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c" + }, + { + "url": "https://git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea" + }, + { + "url": "https://git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883" + }, + { + "url": "https://git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42232 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42232", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix race between delayed_work() and ceph_monc_stop()\n\nThe way the delayed work is handled in ceph_monc_stop() is prone to\nraces with mon_fault() and possibly also finish_hunting(). Both of\nthese can requeue the delayed work which wouldn't be canceled by any of\nthe following code in case that happens after cancel_delayed_work_sync()\nruns -- __close_session() doesn't mess with the delayed work in order\nto avoid interfering with the hunting interval logic. This part was\nmissed in commit b5d91704f53e (\"libceph: behave in mon_fault() if\ncur_mon < 0\") and use-after-free can still ensue on monc and objects\nthat hang off of it, with monc->auth and monc->monmap being\nparticularly susceptible to quickly being reused.\n\nTo fix this:\n\n- clear monc->cur_mon and monc->hunting as part of closing the session\n in ceph_monc_stop()\n- bail from delayed_work() if monc->cur_mon is cleared, similar to how\n it's done in mon_fault() and finish_hunting() (based on monc->hunting)\n- call cancel_delayed_work_sync() after the session is closed", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42232\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42232\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42232\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42232\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42232\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf\",\n \"https://git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7\",\n \"https://git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a\",\n \"https://git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e\",\n \"https://git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c\",\n \"https://git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea\",\n \"https://git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883\",\n \"https://git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlibceph: fix race between delayed_work() and ceph_monc_stop()\\n\\nThe way the delayed work is handled in ceph_monc_stop() is prone to\\nraces with mon_fault() and possibly also finish_hunting(). Both of\\nthese can requeue the delayed work which wouldn't be canceled by any of\\nthe following code in case that happens after cancel_delayed_work_sync()\\nruns -- __close_session() doesn't mess with the delayed work in order\\nto avoid interfering with the hunting interval logic. This part was\\nmissed in commit b5d91704f53e (\\\"libceph: behave in mon_fault() if\\ncur_mon < 0\\\") and use-after-free can still ensue on monc and objects\\nthat hang off of it, with monc->auth and monc->monmap being\\nparticularly susceptible to quickly being reused.\\n\\nTo fix this:\\n\\n- clear monc->cur_mon and monc->hunting as part of closing the session\\n in ceph_monc_stop()\\n- bail from delayed_work() if monc->cur_mon is cleared, similar to how\\n it's done in mon_fault() and finish_hunting() (based on monc->hunting)\\n- call cancel_delayed_work_sync() after the session is closed\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42232\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42236", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42236" + }, + { + "url": "https://git.kernel.org/stable/c/2d16f63d8030903e5031853e79d731ee5d474e70" + }, + { + "url": "https://git.kernel.org/stable/c/6d3c721e686ea6c59e18289b400cc95c76e927e0" + }, + { + "url": "https://git.kernel.org/stable/c/72b8ee0d9826e8ed00e0bdfce3e46b98419b37ce" + }, + { + "url": "https://git.kernel.org/stable/c/a444c3fc264119801575ab086e03fb4952f23fd0" + }, + { + "url": "https://git.kernel.org/stable/c/c95fbdde87e39e5e0ae27f28bf6711edfb985caa" + }, + { + "url": "https://git.kernel.org/stable/c/d1205033e912f9332c1dbefa812e6ceb0575ce0a" + }, + { + "url": "https://git.kernel.org/stable/c/e8474a10c535e6a2024c3b06e37e4a3a23beb490" + }, + { + "url": "https://git.kernel.org/stable/c/eecfefad0953b2f31aaefa058f7f348ff39c4bba" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42236 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42236", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: configfs: Prevent OOB read/write in usb_string_copy()\n\nUserspace provided string 's' could trivially have the length zero. Left\nunchecked this will firstly result in an OOB read in the form\n`if (str[0 - 1] == '\\n') followed closely by an OOB write in the form\n`str[0 - 1] = '\\0'`.\n\nThere is already a validating check to catch strings that are too long.\nLet's supply an additional check for invalid strings that are too short.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42236\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42236\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42236\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42236\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42236\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2d16f63d8030903e5031853e79d731ee5d474e70\",\n \"https://git.kernel.org/stable/c/6d3c721e686ea6c59e18289b400cc95c76e927e0\",\n \"https://git.kernel.org/stable/c/72b8ee0d9826e8ed00e0bdfce3e46b98419b37ce\",\n \"https://git.kernel.org/stable/c/a444c3fc264119801575ab086e03fb4952f23fd0\",\n \"https://git.kernel.org/stable/c/c95fbdde87e39e5e0ae27f28bf6711edfb985caa\",\n \"https://git.kernel.org/stable/c/d1205033e912f9332c1dbefa812e6ceb0575ce0a\",\n \"https://git.kernel.org/stable/c/e8474a10c535e6a2024c3b06e37e4a3a23beb490\",\n \"https://git.kernel.org/stable/c/eecfefad0953b2f31aaefa058f7f348ff39c4bba\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: configfs: Prevent OOB read/write in usb_string_copy()\\n\\nUserspace provided string 's' could trivially have the length zero. Left\\nunchecked this will firstly result in an OOB read in the form\\n`if (str[0 - 1] == '\\\\n') followed closely by an OOB write in the form\\n`str[0 - 1] = '\\\\0'`.\\n\\nThere is already a validating check to catch strings that are too long.\\nLet's supply an additional check for invalid strings that are too short.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42236\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42239", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42239" + }, + { + "url": "https://git.kernel.org/stable/c/3e4e8178a8666c56813bd167b848fca0f4c9af0a" + }, + { + "url": "https://git.kernel.org/stable/c/9369830518688ecd5b08ffc08ab3302ce2b5d0f7" + }, + { + "url": "https://git.kernel.org/stable/c/d4523831f07a267a943f0dde844bf8ead7495f13" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42239 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42239", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail bpf_timer_cancel when callback is being cancelled\n\nGiven a schedule:\n\ntimer1 cb\t\t\ttimer2 cb\n\nbpf_timer_cancel(timer2);\tbpf_timer_cancel(timer1);\n\nBoth bpf_timer_cancel calls would wait for the other callback to finish\nexecuting, introducing a lockup.\n\nAdd an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps\ntrack of all in-flight cancellation requests for a given BPF timer.\nWhenever cancelling a BPF timer, we must check if we have outstanding\ncancellation requests, and if so, we must fail the operation with an\nerror (-EDEADLK) since cancellation is synchronous and waits for the\ncallback to finish executing. This implies that we can enter a deadlock\nsituation involving two or more timer callbacks executing in parallel\nand attempting to cancel one another.\n\nNote that we avoid incrementing the cancelling counter for the target\ntimer (the one being cancelled) if bpf_timer_cancel is not invoked from\na callback, to avoid spurious errors. The whole point of detecting\ncur->cancelling and returning -EDEADLK is to not enter a busy wait loop\n(which may or may not lead to a lockup). This does not apply in case the\ncaller is in a non-callback context, the other side can continue to\ncancel as it sees fit without running into errors.\n\nBackground on prior attempts:\n\nEarlier versions of this patch used a bool 'cancelling' bit and used the\nfollowing pattern under timer->lock to publish cancellation status.\n\nlock(t->lock);\nt->cancelling = true;\nmb();\nif (cur->cancelling)\n\treturn -EDEADLK;\nunlock(t->lock);\nhrtimer_cancel(t->timer);\nt->cancelling = false;\n\nThe store outside the critical section could overwrite a parallel\nrequests t->cancelling assignment to true, to ensure the parallely\nexecuting callback observes its cancellation status.\n\nIt would be necessary to clear this cancelling bit once hrtimer_cancel\nis done, but lack of serialization introduced races. Another option was\nexplored where bpf_timer_start would clear the bit when (re)starting the\ntimer under timer->lock. This would ensure serialized access to the\ncancelling bit, but may allow it to be cleared before in-flight\nhrtimer_cancel has finished executing, such that lockups can occur\nagain.\n\nThus, we choose an atomic counter to keep track of all outstanding\ncancellation requests and use it to prevent lockups in case callbacks\nattempt to cancel each other while executing in parallel.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42239\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42239\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42239\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42239\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42239\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3e4e8178a8666c56813bd167b848fca0f4c9af0a\",\n \"https://git.kernel.org/stable/c/9369830518688ecd5b08ffc08ab3302ce2b5d0f7\",\n \"https://git.kernel.org/stable/c/d4523831f07a267a943f0dde844bf8ead7495f13\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fail bpf_timer_cancel when callback is being cancelled\\n\\nGiven a schedule:\\n\\ntimer1 cb\\t\\t\\ttimer2 cb\\n\\nbpf_timer_cancel(timer2);\\tbpf_timer_cancel(timer1);\\n\\nBoth bpf_timer_cancel calls would wait for the other callback to finish\\nexecuting, introducing a lockup.\\n\\nAdd an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps\\ntrack of all in-flight cancellation requests for a given BPF timer.\\nWhenever cancelling a BPF timer, we must check if we have outstanding\\ncancellation requests, and if so, we must fail the operation with an\\nerror (-EDEADLK) since cancellation is synchronous and waits for the\\ncallback to finish executing. This implies that we can enter a deadlock\\nsituation involving two or more timer callbacks executing in parallel\\nand attempting to cancel one another.\\n\\nNote that we avoid incrementing the cancelling counter for the target\\ntimer (the one being cancelled) if bpf_timer_cancel is not invoked from\\na callback, to avoid spurious errors. The whole point of detecting\\ncur->cancelling and returning -EDEADLK is to not enter a busy wait loop\\n(which may or may not lead to a lockup). This does not apply in case the\\ncaller is in a non-callback context, the other side can continue to\\ncancel as it sees fit without running into errors.\\n\\nBackground on prior attempts:\\n\\nEarlier versions of this patch used a bool 'cancelling' bit and used the\\nfollowing pattern under timer->lock to publish cancellation status.\\n\\nlock(t->lock);\\nt->cancelling = true;\\nmb();\\nif (cur->cancelling)\\n\\treturn -EDEADLK;\\nunlock(t->lock);\\nhrtimer_cancel(t->timer);\\nt->cancelling = false;\\n\\nThe store outside the critical section could overwrite a parallel\\nrequests t->cancelling assignment to true, to ensure the parallely\\nexecuting callback observes its cancellation status.\\n\\nIt would be necessary to clear this cancelling bit once hrtimer_cancel\\nis done, but lack of serialization introduced races. Another option was\\nexplored where bpf_timer_start would clear the bit when (re)starting the\\ntimer under timer->lock. This would ensure serialized access to the\\ncancelling bit, but may allow it to be cleared before in-flight\\nhrtimer_cancel has finished executing, such that lockups can occur\\nagain.\\n\\nThus, we choose an atomic counter to keep track of all outstanding\\ncancellation requests and use it to prevent lockups in case callbacks\\nattempt to cancel each other while executing in parallel.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42239\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42240", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42240" + }, + { + "url": "https://git.kernel.org/stable/c/08518d48e5b744620524f0acd7c26c19bda7f513" + }, + { + "url": "https://git.kernel.org/stable/c/a765679defe1dc1b8fa01928a6ad6361e72a1364" + }, + { + "url": "https://git.kernel.org/stable/c/ac8b270b61d48fcc61f052097777e3b5e11591e0" + }, + { + "url": "https://git.kernel.org/stable/c/dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf" + }, + { + "url": "https://git.kernel.org/stable/c/db56615e96c439e13783d7715330e824b4fd4b84" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42240 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42240", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/bhi: Avoid warning in #DB handler due to BHI mitigation\n\nWhen BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set\nthen entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the\nclear_bhb_loop() before the TF flag is cleared. This causes the #DB handler\n(exc_debug_kernel()) to issue a warning because single-step is used outside the\nentry_SYSENTER_compat() function.\n\nTo address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY\nafter making sure the TF flag is cleared.\n\nThe problem can be reproduced with the following sequence:\n\n $ cat sysenter_step.c\n int main()\n { asm(\"pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter\"); }\n\n $ gcc -o sysenter_step sysenter_step.c\n\n $ ./sysenter_step\n Segmentation fault (core dumped)\n\nThe program is expected to crash, and the #DB handler will issue a warning.\n\nKernel log:\n\n WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160\n ...\n RIP: 0010:exc_debug_kernel+0xd2/0x160\n ...\n Call Trace:\n <#DB>\n ? show_regs+0x68/0x80\n ? __warn+0x8c/0x140\n ? exc_debug_kernel+0xd2/0x160\n ? report_bug+0x175/0x1a0\n ? handle_bug+0x44/0x90\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? exc_debug_kernel+0xd2/0x160\n exc_debug+0x43/0x50\n asm_exc_debug+0x1e/0x40\n RIP: 0010:clear_bhb_loop+0x0/0xb0\n ...\n \n \n ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d\n \n\n [ bp: Massage commit message. ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42240\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42240\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42240\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42240\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42240\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08518d48e5b744620524f0acd7c26c19bda7f513\",\n \"https://git.kernel.org/stable/c/a765679defe1dc1b8fa01928a6ad6361e72a1364\",\n \"https://git.kernel.org/stable/c/ac8b270b61d48fcc61f052097777e3b5e11591e0\",\n \"https://git.kernel.org/stable/c/dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf\",\n \"https://git.kernel.org/stable/c/db56615e96c439e13783d7715330e824b4fd4b84\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/bhi: Avoid warning in #DB handler due to BHI mitigation\\n\\nWhen BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set\\nthen entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the\\nclear_bhb_loop() before the TF flag is cleared. This causes the #DB handler\\n(exc_debug_kernel()) to issue a warning because single-step is used outside the\\nentry_SYSENTER_compat() function.\\n\\nTo address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY\\nafter making sure the TF flag is cleared.\\n\\nThe problem can be reproduced with the following sequence:\\n\\n $ cat sysenter_step.c\\n int main()\\n { asm(\\\"pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter\\\"); }\\n\\n $ gcc -o sysenter_step sysenter_step.c\\n\\n $ ./sysenter_step\\n Segmentation fault (core dumped)\\n\\nThe program is expected to crash, and the #DB handler will issue a warning.\\n\\nKernel log:\\n\\n WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160\\n ...\\n RIP: 0010:exc_debug_kernel+0xd2/0x160\\n ...\\n Call Trace:\\n <#DB>\\n ? show_regs+0x68/0x80\\n ? __warn+0x8c/0x140\\n ? exc_debug_kernel+0xd2/0x160\\n ? report_bug+0x175/0x1a0\\n ? handle_bug+0x44/0x90\\n ? exc_invalid_op+0x1c/0x70\\n ? asm_exc_invalid_op+0x1f/0x30\\n ? exc_debug_kernel+0xd2/0x160\\n exc_debug+0x43/0x50\\n asm_exc_debug+0x1e/0x40\\n RIP: 0010:clear_bhb_loop+0x0/0xb0\\n ...\\n \\n \\n ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d\\n \\n\\n [ bp: Massage commit message. ]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42240\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42243", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42243" + }, + { + "url": "https://git.kernel.org/stable/c/099d90642a711caae377f53309abfe27e8724a8b" + }, + { + "url": "https://git.kernel.org/stable/c/333c5539a31f48828456aa9997ec2808f06a699a" + }, + { + "url": "https://git.kernel.org/stable/c/a0c42ddd0969fdc760a85e20e267776028a7ca4e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42243 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42243", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\n\nPatch series \"mm/filemap: Limit page cache size to that supported by\nxarray\", v2.\n\nCurrently, xarray can't support arbitrary page cache size. More details\ncan be found from the WARN_ON() statement in xas_split_alloc(). In our\ntest whose code is attached below, we hit the WARN_ON() on ARM64 system\nwhere the base page size is 64KB and huge page size is 512MB. The issue\nwas reported long time ago and some discussions on it can be found here\n[1].\n\n[1] https://www.spinics.net/lists/linux-xfs/msg75404.html\n\nIn order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one\nsupported by xarray and avoid PMD-sized page cache if needed. The code\nchanges are suggested by David Hildenbrand.\n\nPATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray\nPATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path\nPATCH[4] avoids PMD-sized page cache for shmem files if needed\n\nTest program\n============\n# cat test.c\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#define TEST_XFS_FILENAME\t\"/tmp/data\"\n#define TEST_SHMEM_FILENAME\t\"/dev/shm/data\"\n#define TEST_MEM_SIZE\t\t0x20000000\n\nint main(int argc, char **argv)\n{\n\tconst char *filename;\n\tint fd = 0;\n\tvoid *buf = (void *)-1, *p;\n\tint pgsize = getpagesize();\n\tint ret;\n\n\tif (pgsize != 0x10000) {\n\t\tfprintf(stderr, \"64KB base page size is required\\n\");\n\t\treturn -EPERM;\n\t}\n\n\tsystem(\"echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled\");\n\tsystem(\"rm -fr /tmp/data\");\n\tsystem(\"rm -fr /dev/shm/data\");\n\tsystem(\"echo 1 > /proc/sys/vm/drop_caches\");\n\n\t/* Open xfs or shmem file */\n\tfilename = TEST_XFS_FILENAME;\n\tif (argc > 1 && !strcmp(argv[1], \"shmem\"))\n\t\tfilename = TEST_SHMEM_FILENAME;\n\n\tfd = open(filename, O_CREAT | O_RDWR | O_TRUNC);\n\tif (fd < 0) {\n\t\tfprintf(stderr, \"Unable to open <%s>\\n\", filename);\n\t\treturn -EIO;\n\t}\n\n\t/* Extend file size */\n\tret = ftruncate(fd, TEST_MEM_SIZE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to ftruncate()\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Create VMA */\n\tbuf = mmap(NULL, TEST_MEM_SIZE,\n\t\t PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n\tif (buf == (void *)-1) {\n\t\tfprintf(stderr, \"Unable to mmap <%s>\\n\", filename);\n\t\tgoto cleanup;\n\t}\n\n\tfprintf(stdout, \"mapped buffer at 0x%p\\n\", buf);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\n if (ret) {\n\t\tfprintf(stderr, \"Unable to madvise(MADV_HUGEPAGE)\\n\");\n\t\tgoto cleanup;\n\t}\n\n\t/* Populate VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to madvise(MADV_POPULATE_WRITE)\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Punch the file to enforce xarray split */\n\tret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\n \t\tTEST_MEM_SIZE - pgsize, pgsize);\n\tif (ret)\n\t\tfprintf(stderr, \"Error %d to fallocate()\\n\", ret);\n\ncleanup:\n\tif (buf != (void *)-1)\n\t\tmunmap(buf, TEST_MEM_SIZE);\n\tif (fd > 0)\n\t\tclose(fd);\n\n\treturn 0;\n}\n\n# gcc test.c -o test\n# cat /proc/1/smaps | grep KernelPageSize | head -n 1\nKernelPageSize: 64 kB\n# ./test shmem\n :\n------------[ cut here ]------------\nWARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon \\\ndrm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\nvirtio_net sha1_ce net_failover failover virtio_console virtio_blk \\\ndimlib virtio_mmio\nCPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TC\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42243\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42243\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42243\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42243\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42243\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/099d90642a711caae377f53309abfe27e8724a8b\",\n \"https://git.kernel.org/stable/c/333c5539a31f48828456aa9997ec2808f06a699a\",\n \"https://git.kernel.org/stable/c/a0c42ddd0969fdc760a85e20e267776028a7ca4e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\\n\\nPatch series \\\"mm/filemap: Limit page cache size to that supported by\\nxarray\\\", v2.\\n\\nCurrently, xarray can't support arbitrary page cache size. More details\\ncan be found from the WARN_ON() statement in xas_split_alloc(). In our\\ntest whose code is attached below, we hit the WARN_ON() on ARM64 system\\nwhere the base page size is 64KB and huge page size is 512MB. The issue\\nwas reported long time ago and some discussions on it can be found here\\n[1].\\n\\n[1] https://www.spinics.net/lists/linux-xfs/msg75404.html\\n\\nIn order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one\\nsupported by xarray and avoid PMD-sized page cache if needed. The code\\nchanges are suggested by David Hildenbrand.\\n\\nPATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray\\nPATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path\\nPATCH[4] avoids PMD-sized page cache for shmem files if needed\\n\\nTest program\\n============\\n# cat test.c\\n#define _GNU_SOURCE\\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n\\n#define TEST_XFS_FILENAME\\t\\\"/tmp/data\\\"\\n#define TEST_SHMEM_FILENAME\\t\\\"/dev/shm/data\\\"\\n#define TEST_MEM_SIZE\\t\\t0x20000000\\n\\nint main(int argc, char **argv)\\n{\\n\\tconst char *filename;\\n\\tint fd = 0;\\n\\tvoid *buf = (void *)-1, *p;\\n\\tint pgsize = getpagesize();\\n\\tint ret;\\n\\n\\tif (pgsize != 0x10000) {\\n\\t\\tfprintf(stderr, \\\"64KB base page size is required\\\\n\\\");\\n\\t\\treturn -EPERM;\\n\\t}\\n\\n\\tsystem(\\\"echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled\\\");\\n\\tsystem(\\\"rm -fr /tmp/data\\\");\\n\\tsystem(\\\"rm -fr /dev/shm/data\\\");\\n\\tsystem(\\\"echo 1 > /proc/sys/vm/drop_caches\\\");\\n\\n\\t/* Open xfs or shmem file */\\n\\tfilename = TEST_XFS_FILENAME;\\n\\tif (argc > 1 && !strcmp(argv[1], \\\"shmem\\\"))\\n\\t\\tfilename = TEST_SHMEM_FILENAME;\\n\\n\\tfd = open(filename, O_CREAT | O_RDWR | O_TRUNC);\\n\\tif (fd < 0) {\\n\\t\\tfprintf(stderr, \\\"Unable to open <%s>\\\\n\\\", filename);\\n\\t\\treturn -EIO;\\n\\t}\\n\\n\\t/* Extend file size */\\n\\tret = ftruncate(fd, TEST_MEM_SIZE);\\n\\tif (ret) {\\n\\t\\tfprintf(stderr, \\\"Error %d to ftruncate()\\\\n\\\", ret);\\n\\t\\tgoto cleanup;\\n\\t}\\n\\n\\t/* Create VMA */\\n\\tbuf = mmap(NULL, TEST_MEM_SIZE,\\n\\t\\t PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\\n\\tif (buf == (void *)-1) {\\n\\t\\tfprintf(stderr, \\\"Unable to mmap <%s>\\\\n\\\", filename);\\n\\t\\tgoto cleanup;\\n\\t}\\n\\n\\tfprintf(stdout, \\\"mapped buffer at 0x%p\\\\n\\\", buf);\\n\\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\\n if (ret) {\\n\\t\\tfprintf(stderr, \\\"Unable to madvise(MADV_HUGEPAGE)\\\\n\\\");\\n\\t\\tgoto cleanup;\\n\\t}\\n\\n\\t/* Populate VMA */\\n\\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);\\n\\tif (ret) {\\n\\t\\tfprintf(stderr, \\\"Error %d to madvise(MADV_POPULATE_WRITE)\\\\n\\\", ret);\\n\\t\\tgoto cleanup;\\n\\t}\\n\\n\\t/* Punch the file to enforce xarray split */\\n\\tret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\\n \\t\\tTEST_MEM_SIZE - pgsize, pgsize);\\n\\tif (ret)\\n\\t\\tfprintf(stderr, \\\"Error %d to fallocate()\\\\n\\\", ret);\\n\\ncleanup:\\n\\tif (buf != (void *)-1)\\n\\t\\tmunmap(buf, TEST_MEM_SIZE);\\n\\tif (fd > 0)\\n\\t\\tclose(fd);\\n\\n\\treturn 0;\\n}\\n\\n# gcc test.c -o test\\n# cat /proc/1/smaps | grep KernelPageSize | head -n 1\\nKernelPageSize: 64 kB\\n# ./test shmem\\n :\\n------------[ cut here ]------------\\nWARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\\\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\\\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\\\\nip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon \\\\\\ndrm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\\\\nvirtio_net sha1_ce net_failover failover virtio_console virtio_blk \\\\\\ndimlib virtio_mmio\\nCPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12\\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\\npstate: 83400005 (Nzcv daif +PAN -UAO +TC\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42243\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42244", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42244" + }, + { + "url": "https://git.kernel.org/stable/c/1094ed500987e67a9d18b0f95e1812f1cc720856" + }, + { + "url": "https://git.kernel.org/stable/c/553e67dec846323b5575e78a776cf594c13f98c4" + }, + { + "url": "https://git.kernel.org/stable/c/5ae6a64f18211851c8df6b4221381c438b9a7348" + }, + { + "url": "https://git.kernel.org/stable/c/932a86a711c722b45ed47ba2103adca34d225b33" + }, + { + "url": "https://git.kernel.org/stable/c/b14aa5673e0a8077ff4b74f0bb260735e7d5e6a4" + }, + { + "url": "https://git.kernel.org/stable/c/c15a688e49987385baa8804bf65d570e362f8576" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42244 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42244", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: mos7840: fix crash on resume\n\nSince commit c49cfa917025 (\"USB: serial: use generic method if no\nalternative is provided in usb serial layer\"), USB serial core calls the\ngeneric resume implementation when the driver has not provided one.\n\nThis can trigger a crash on resume with mos7840 since support for\nmultiple read URBs was added back in 2011. Specifically, both port read\nURBs are now submitted on resume for open ports, but the context pointer\nof the second URB is left set to the core rather than mos7840 port\nstructure.\n\nFix this by implementing dedicated suspend and resume functions for\nmos7840.\n\nTested with Delock 87414 USB 2.0 to 4x serial adapter.\n\n[ johan: analyse crash and rewrite commit message; set busy flag on\n resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42244\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42244\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42244\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42244\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42244\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1094ed500987e67a9d18b0f95e1812f1cc720856\",\n \"https://git.kernel.org/stable/c/553e67dec846323b5575e78a776cf594c13f98c4\",\n \"https://git.kernel.org/stable/c/5ae6a64f18211851c8df6b4221381c438b9a7348\",\n \"https://git.kernel.org/stable/c/932a86a711c722b45ed47ba2103adca34d225b33\",\n \"https://git.kernel.org/stable/c/b14aa5673e0a8077ff4b74f0bb260735e7d5e6a4\",\n \"https://git.kernel.org/stable/c/c15a688e49987385baa8804bf65d570e362f8576\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: serial: mos7840: fix crash on resume\\n\\nSince commit c49cfa917025 (\\\"USB: serial: use generic method if no\\nalternative is provided in usb serial layer\\\"), USB serial core calls the\\ngeneric resume implementation when the driver has not provided one.\\n\\nThis can trigger a crash on resume with mos7840 since support for\\nmultiple read URBs was added back in 2011. Specifically, both port read\\nURBs are now submitted on resume for open ports, but the context pointer\\nof the second URB is left set to the core rather than mos7840 port\\nstructure.\\n\\nFix this by implementing dedicated suspend and resume functions for\\nmos7840.\\n\\nTested with Delock 87414 USB 2.0 to 4x serial adapter.\\n\\n[ johan: analyse crash and rewrite commit message; set busy flag on\\n resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42244\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42246", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42246" + }, + { + "url": "https://git.kernel.org/stable/c/626dfed5fa3bfb41e0dffd796032b555b69f9cde" + }, + { + "url": "https://git.kernel.org/stable/c/d6c686c01c5f12ff8f7264e0ddf71df6cb0d4414" + }, + { + "url": "https://git.kernel.org/stable/c/f2431e7db0fe0daccb2f06bb0d23740affcd2fa6" + }, + { + "url": "https://git.kernel.org/stable/c/f388cfd913a2b96c05339a335f365795db1b36b6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42246 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42246", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket\n\nWhen using a BPF program on kernel_connect(), the call can return -EPERM. This\ncauses xs_tcp_setup_socket() to loop forever, filling up the syslog and causing\nthe kernel to potentially freeze up.\n\nNeil suggested:\n\n This will propagate -EPERM up into other layers which might not be ready\n to handle it. It might be safer to map EPERM to an error we would be more\n likely to expect from the network system - such as ECONNREFUSED or ENETDOWN.\n\nECONNREFUSED as error seems reasonable. For programs setting a different error\ncan be out of reach (see handling in 4fbac77d2d09) in particular on kernels\nwhich do not have f10d05966196 (\"bpf: Make BPF_PROG_RUN_ARRAY return -err\ninstead of allow boolean\"), thus given that it is better to simply remap for\nconsistent behavior. UDP does handle EPERM in xs_udp_send_request().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42246\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42246\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42246\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42246\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42246\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/626dfed5fa3bfb41e0dffd796032b555b69f9cde\",\n \"https://git.kernel.org/stable/c/d6c686c01c5f12ff8f7264e0ddf71df6cb0d4414\",\n \"https://git.kernel.org/stable/c/f2431e7db0fe0daccb2f06bb0d23740affcd2fa6\",\n \"https://git.kernel.org/stable/c/f388cfd913a2b96c05339a335f365795db1b36b6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket\\n\\nWhen using a BPF program on kernel_connect(), the call can return -EPERM. This\\ncauses xs_tcp_setup_socket() to loop forever, filling up the syslog and causing\\nthe kernel to potentially freeze up.\\n\\nNeil suggested:\\n\\n This will propagate -EPERM up into other layers which might not be ready\\n to handle it. It might be safer to map EPERM to an error we would be more\\n likely to expect from the network system - such as ECONNREFUSED or ENETDOWN.\\n\\nECONNREFUSED as error seems reasonable. For programs setting a different error\\ncan be out of reach (see handling in 4fbac77d2d09) in particular on kernels\\nwhich do not have f10d05966196 (\\\"bpf: Make BPF_PROG_RUN_ARRAY return -err\\ninstead of allow boolean\\\"), thus given that it is better to simply remap for\\nconsistent behavior. UDP does handle EPERM in xs_udp_send_request().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42246\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42247", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42247" + }, + { + "url": "https://git.kernel.org/stable/c/217978a29c6ceca76d3c640bf94bdf50c268d801" + }, + { + "url": "https://git.kernel.org/stable/c/2fb34bf76431e831f9863cd59adc0bd1f67b0fbf" + }, + { + "url": "https://git.kernel.org/stable/c/6638a203abad35fa636d59ac47bdbc4bc100fd74" + }, + { + "url": "https://git.kernel.org/stable/c/948f991c62a4018fb81d85804eeab3029c6209f8" + }, + { + "url": "https://git.kernel.org/stable/c/ae630de24efb123d7199a43256396d7758f4cb75" + }, + { + "url": "https://git.kernel.org/stable/c/b4764f0ad3d68de8a0b847c05f427afb86dd54e6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42247 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42247", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: allowedips: avoid unaligned 64-bit memory accesses\n\nOn the parisc platform, the kernel issues kernel warnings because\nswap_endian() tries to load a 128-bit IPv6 address from an unaligned\nmemory location:\n\n Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df)\n Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc)\n\nAvoid such unaligned memory accesses by instead using the\nget_unaligned_be64() helper macro.\n\n[Jason: replace src[8] in original patch with src+8]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42247\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42247\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42247\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42247\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42247\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/217978a29c6ceca76d3c640bf94bdf50c268d801\",\n \"https://git.kernel.org/stable/c/2fb34bf76431e831f9863cd59adc0bd1f67b0fbf\",\n \"https://git.kernel.org/stable/c/6638a203abad35fa636d59ac47bdbc4bc100fd74\",\n \"https://git.kernel.org/stable/c/948f991c62a4018fb81d85804eeab3029c6209f8\",\n \"https://git.kernel.org/stable/c/ae630de24efb123d7199a43256396d7758f4cb75\",\n \"https://git.kernel.org/stable/c/b4764f0ad3d68de8a0b847c05f427afb86dd54e6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwireguard: allowedips: avoid unaligned 64-bit memory accesses\\n\\nOn the parisc platform, the kernel issues kernel warnings because\\nswap_endian() tries to load a 128-bit IPv6 address from an unaligned\\nmemory location:\\n\\n Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df)\\n Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc)\\n\\nAvoid such unaligned memory accesses by instead using the\\nget_unaligned_be64() helper macro.\\n\\n[Jason: replace src[8] in original patch with src+8]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42247\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42252", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42252" + }, + { + "url": "https://git.kernel.org/stable/c/339b84ab6b1d66900c27bd999271cb2ae40ce812" + }, + { + "url": "https://git.kernel.org/stable/c/5d85f2ab79d5918a66539ebf046c099f7448db8d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42252 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42252", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nclosures: Change BUG_ON() to WARN_ON()\n\nIf a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON()\n\nFor reference, this has popped up once in the CI, and we'll need more\ninfo to debug it:\n\n03240 ------------[ cut here ]------------\n03240 kernel BUG at lib/closure.c:21!\n03240 kernel BUG at lib/closure.c:21!\n03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n03240 Modules linked in:\n03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570\n03240 Hardware name: linux,dummy-virt (DT)\n03240 Workqueue: btree_update btree_interior_update_work\n03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\n03240 pc : closure_put+0x224/0x2a0\n03240 lr : closure_put+0x24/0x2a0\n03240 sp : ffff0000d12071c0\n03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360\n03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040\n03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168\n03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001\n03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974\n03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d\n03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e\n03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b\n03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954\n03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000\n03240 Call trace:\n03240 closure_put+0x224/0x2a0\n03240 bch2_check_for_deadlock+0x910/0x1028\n03240 bch2_six_check_for_deadlock+0x1c/0x30\n03240 six_lock_slowpath.isra.0+0x29c/0xed0\n03240 six_lock_ip_waiter+0xa8/0xf8\n03240 __bch2_btree_node_lock_write+0x14c/0x298\n03240 bch2_trans_lock_write+0x6d4/0xb10\n03240 __bch2_trans_commit+0x135c/0x5520\n03240 btree_interior_update_work+0x1248/0x1c10\n03240 process_scheduled_works+0x53c/0xd90\n03240 worker_thread+0x370/0x8c8\n03240 kthread+0x258/0x2e8\n03240 ret_from_fork+0x10/0x20\n03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000)\n03240 ---[ end trace 0000000000000000 ]---\n03240 Kernel panic - not syncing: Oops - BUG: Fatal exception\n03240 SMP: stopping secondary CPUs\n03241 SMP: failed to stop secondary CPUs 13,15\n03241 Kernel Offset: disabled\n03241 CPU features: 0x00,00000003,80000008,4240500b\n03241 Memory Limit: none\n03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]---\n03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42252\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42252\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42252\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42252\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42252\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/339b84ab6b1d66900c27bd999271cb2ae40ce812\",\n \"https://git.kernel.org/stable/c/5d85f2ab79d5918a66539ebf046c099f7448db8d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclosures: Change BUG_ON() to WARN_ON()\\n\\nIf a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON()\\n\\nFor reference, this has popped up once in the CI, and we'll need more\\ninfo to debug it:\\n\\n03240 ------------[ cut here ]------------\\n03240 kernel BUG at lib/closure.c:21!\\n03240 kernel BUG at lib/closure.c:21!\\n03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\\n03240 Modules linked in:\\n03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570\\n03240 Hardware name: linux,dummy-virt (DT)\\n03240 Workqueue: btree_update btree_interior_update_work\\n03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\\n03240 pc : closure_put+0x224/0x2a0\\n03240 lr : closure_put+0x24/0x2a0\\n03240 sp : ffff0000d12071c0\\n03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360\\n03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040\\n03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168\\n03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001\\n03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974\\n03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d\\n03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e\\n03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b\\n03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954\\n03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000\\n03240 Call trace:\\n03240 closure_put+0x224/0x2a0\\n03240 bch2_check_for_deadlock+0x910/0x1028\\n03240 bch2_six_check_for_deadlock+0x1c/0x30\\n03240 six_lock_slowpath.isra.0+0x29c/0xed0\\n03240 six_lock_ip_waiter+0xa8/0xf8\\n03240 __bch2_btree_node_lock_write+0x14c/0x298\\n03240 bch2_trans_lock_write+0x6d4/0xb10\\n03240 __bch2_trans_commit+0x135c/0x5520\\n03240 btree_interior_update_work+0x1248/0x1c10\\n03240 process_scheduled_works+0x53c/0xd90\\n03240 worker_thread+0x370/0x8c8\\n03240 kthread+0x258/0x2e8\\n03240 ret_from_fork+0x10/0x20\\n03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000)\\n03240 ---[ end trace 0000000000000000 ]---\\n03240 Kernel panic - not syncing: Oops - BUG: Fatal exception\\n03240 SMP: stopping secondary CPUs\\n03241 SMP: failed to stop secondary CPUs 13,15\\n03241 Kernel Offset: disabled\\n03241 CPU features: 0x00,00000003,80000008,4240500b\\n03241 Memory Limit: none\\n03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]---\\n03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42252\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42253", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42253" + }, + { + "url": "https://git.kernel.org/stable/c/58a5c93bd1a6e949267400080f07e57ffe05ec34" + }, + { + "url": "https://git.kernel.org/stable/c/bfc6444b57dc7186b6acc964705d7516cbaf3904" + }, + { + "url": "https://git.kernel.org/stable/c/de7cffa53149c7b48bd1bb29b02390c9f05b7f41" + }, + { + "url": "https://git.kernel.org/stable/c/e2ecdddca80dd845df42376e4b0197fe97018ba2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42253 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42253", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: pca953x: fix pca953x_irq_bus_sync_unlock race\n\nEnsure that `i2c_lock' is held when setting interrupt latch and mask in\npca953x_irq_bus_sync_unlock() in order to avoid races.\n\nThe other (non-probe) call site pca953x_gpio_set_multiple() ensures the\nlock is held before calling pca953x_write_regs().\n\nThe problem occurred when a request raced against irq_bus_sync_unlock()\napproximately once per thousand reboots on an i.MX8MP based system.\n\n * Normal case\n\n 0-0022: write register AI|3a {03,02,00,00,01} Input latch P0\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\n\n * Race case\n\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\n 0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register ***\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42253\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42253\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42253\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42253\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42253\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/58a5c93bd1a6e949267400080f07e57ffe05ec34\",\n \"https://git.kernel.org/stable/c/bfc6444b57dc7186b6acc964705d7516cbaf3904\",\n \"https://git.kernel.org/stable/c/de7cffa53149c7b48bd1bb29b02390c9f05b7f41\",\n \"https://git.kernel.org/stable/c/e2ecdddca80dd845df42376e4b0197fe97018ba2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpio: pca953x: fix pca953x_irq_bus_sync_unlock race\\n\\nEnsure that `i2c_lock' is held when setting interrupt latch and mask in\\npca953x_irq_bus_sync_unlock() in order to avoid races.\\n\\nThe other (non-probe) call site pca953x_gpio_set_multiple() ensures the\\nlock is held before calling pca953x_write_regs().\\n\\nThe problem occurred when a request raced against irq_bus_sync_unlock()\\napproximately once per thousand reboots on an i.MX8MP based system.\\n\\n * Normal case\\n\\n 0-0022: write register AI|3a {03,02,00,00,01} Input latch P0\\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0\\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\\n\\n * Race case\\n\\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\\n 0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register ***\\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42253\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42259", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42259" + }, + { + "url": "https://git.kernel.org/stable/c/3e06073d24807f04b4694108a8474decb7b99e60" + }, + { + "url": "https://git.kernel.org/stable/c/4b09513ce93b3dcb590baaaff2ce96f2d098312d" + }, + { + "url": "https://git.kernel.org/stable/c/50111a8098fb9ade621eeff82228a997d42732ab" + }, + { + "url": "https://git.kernel.org/stable/c/8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3" + }, + { + "url": "https://git.kernel.org/stable/c/911f8055f175c82775d0fd8cedcd0b75413f4ba7" + }, + { + "url": "https://git.kernel.org/stable/c/a256d019eaf044864c7e50312f0a65b323c24f39" + }, + { + "url": "https://git.kernel.org/stable/c/e8a68aa842d3f8dd04a46b9d632e5f67fde1da9b" + }, + { + "url": "https://git.kernel.org/stable/c/ead9289a51ea82eb5b27029fcf4c34b2dd60cf06" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42259 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42259", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Fix Virtual Memory mapping boundaries calculation\n\nCalculating the size of the mapped area as the lesser value\nbetween the requested size and the actual size does not consider\nthe partial mapping offset. This can cause page fault access.\n\nFix the calculation of the starting and ending addresses, the\ntotal size is now deduced from the difference between the end and\nstart addresses.\n\nAdditionally, the calculations have been rewritten in a clearer\nand more understandable form.\n\n[Joonas: Add Requires: tag]\nRequires: 60a2066c5005 (\"drm/i915/gem: Adjust vma offset for framebuffer mmap offset\")\n(cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42259\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42259\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42259\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42259\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42259\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3e06073d24807f04b4694108a8474decb7b99e60\",\n \"https://git.kernel.org/stable/c/4b09513ce93b3dcb590baaaff2ce96f2d098312d\",\n \"https://git.kernel.org/stable/c/50111a8098fb9ade621eeff82228a997d42732ab\",\n \"https://git.kernel.org/stable/c/8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3\",\n \"https://git.kernel.org/stable/c/911f8055f175c82775d0fd8cedcd0b75413f4ba7\",\n \"https://git.kernel.org/stable/c/a256d019eaf044864c7e50312f0a65b323c24f39\",\n \"https://git.kernel.org/stable/c/e8a68aa842d3f8dd04a46b9d632e5f67fde1da9b\",\n \"https://git.kernel.org/stable/c/ead9289a51ea82eb5b27029fcf4c34b2dd60cf06\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/gem: Fix Virtual Memory mapping boundaries calculation\\n\\nCalculating the size of the mapped area as the lesser value\\nbetween the requested size and the actual size does not consider\\nthe partial mapping offset. This can cause page fault access.\\n\\nFix the calculation of the starting and ending addresses, the\\ntotal size is now deduced from the difference between the end and\\nstart addresses.\\n\\nAdditionally, the calculations have been rewritten in a clearer\\nand more understandable form.\\n\\n[Joonas: Add Requires: tag]\\nRequires: 60a2066c5005 (\\\"drm/i915/gem: Adjust vma offset for framebuffer mmap offset\\\")\\n(cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42259\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42267", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42267" + }, + { + "url": "https://git.kernel.org/stable/c/0c710050c47d45eb77b28c271cddefc5c785cb40" + }, + { + "url": "https://git.kernel.org/stable/c/20dbdebc5580cd472a310d56a6e252275ee4c864" + }, + { + "url": "https://git.kernel.org/stable/c/59be4a167782d68e21068a761b90b01fadc09146" + }, + { + "url": "https://git.kernel.org/stable/c/917f598209f3f5e4ab175d5079d8aeb523e58b1f" + }, + { + "url": "https://git.kernel.org/stable/c/d4e7db757e2d7f4c407a007e92c98477eab215d2" + }, + { + "url": "https://git.kernel.org/stable/c/d7ccf2ca772bfe33e2c53ef80fa20d2d87eb6144" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42267 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42267", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()\n\nHandle VM_FAULT_SIGSEGV in the page fault path so that we correctly\nkill the process and we don't BUG() the kernel.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42267\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42267\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42267\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42267\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42267\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c710050c47d45eb77b28c271cddefc5c785cb40\",\n \"https://git.kernel.org/stable/c/20dbdebc5580cd472a310d56a6e252275ee4c864\",\n \"https://git.kernel.org/stable/c/59be4a167782d68e21068a761b90b01fadc09146\",\n \"https://git.kernel.org/stable/c/917f598209f3f5e4ab175d5079d8aeb523e58b1f\",\n \"https://git.kernel.org/stable/c/d4e7db757e2d7f4c407a007e92c98477eab215d2\",\n \"https://git.kernel.org/stable/c/d7ccf2ca772bfe33e2c53ef80fa20d2d87eb6144\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()\\n\\nHandle VM_FAULT_SIGSEGV in the page fault path so that we correctly\\nkill the process and we don't BUG() the kernel.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42267\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42269", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42269" + }, + { + "url": "https://git.kernel.org/stable/c/419ee6274c5153b89c4393c1946faa4c3cad4f9e" + }, + { + "url": "https://git.kernel.org/stable/c/87dba44e9471b79b255d0736858a897332db9226" + }, + { + "url": "https://git.kernel.org/stable/c/91b6df6611b7edb28676c4f63f90c56c30d3e601" + }, + { + "url": "https://git.kernel.org/stable/c/c22921df777de5606f1047b1345b8d22ef1c0b34" + }, + { + "url": "https://git.kernel.org/stable/c/e85b9b6a87be4cb3710082038b677e97f2389003" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42269 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42269", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().\n\nip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id],\nbut the function is exposed to user space before the entry is allocated\nvia register_pernet_subsys().\n\nLet's call register_pernet_subsys() before xt_register_template().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42269\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42269\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42269\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42269\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42269\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/419ee6274c5153b89c4393c1946faa4c3cad4f9e\",\n \"https://git.kernel.org/stable/c/87dba44e9471b79b255d0736858a897332db9226\",\n \"https://git.kernel.org/stable/c/91b6df6611b7edb28676c4f63f90c56c30d3e601\",\n \"https://git.kernel.org/stable/c/c22921df777de5606f1047b1345b8d22ef1c0b34\",\n \"https://git.kernel.org/stable/c/e85b9b6a87be4cb3710082038b677e97f2389003\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().\\n\\nip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id],\\nbut the function is exposed to user space before the entry is allocated\\nvia register_pernet_subsys().\\n\\nLet's call register_pernet_subsys() before xt_register_template().\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42269\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42270", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42270" + }, + { + "url": "https://git.kernel.org/stable/c/08ed888b69a22647153fe2bec55b7cd0a46102cc" + }, + { + "url": "https://git.kernel.org/stable/c/5830aa863981d43560748aa93589c0695191d95d" + }, + { + "url": "https://git.kernel.org/stable/c/70014b73d7539fcbb6b4ff5f37368d7241d8e626" + }, + { + "url": "https://git.kernel.org/stable/c/95590a4929027769af35b153645c0ab6fd22b29b" + }, + { + "url": "https://git.kernel.org/stable/c/b98ddb65fa1674b0e6b52de8af9103b63f51b643" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42270 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42270", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().\n\nWe had a report that iptables-restore sometimes triggered null-ptr-deref\nat boot time. [0]\n\nThe problem is that iptable_nat_table_init() is exposed to user space\nbefore the kernel fully initialises netns.\n\nIn the small race window, a user could call iptable_nat_table_init()\nthat accesses net_generic(net, iptable_nat_net_id), which is available\nonly after registering iptable_nat_net_ops.\n\nLet's call register_pernet_subsys() before xt_register_template().\n\n[0]:\nbpfilter: Loaded bpfilter_umh pid 11702\nStarted bpfilter\nBUG: kernel NULL pointer dereference, address: 0000000000000013\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 0 P4D 0\nPREEMPT SMP NOPTI\nCPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1\nHardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017\nRIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\nCode: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c\nRSP: 0018:ffffbef902843cd0 EFLAGS: 00010246\nRAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80\nRDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0\nRBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240\nR10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000\nR13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004\nFS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? xt_find_table_lock (net/netfilter/x_tables.c:1259)\n ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)\n ? page_fault_oops (arch/x86/mm/fault.c:727)\n ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)\n ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)\n ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\n xt_find_table_lock (net/netfilter/x_tables.c:1259)\n xt_request_find_table_lock (net/netfilter/x_tables.c:1287)\n get_info (net/ipv4/netfilter/ip_tables.c:965)\n ? security_capable (security/security.c:809 (discriminator 13))\n ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)\n ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)\n ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter\n nf_getsockopt (net/netfilter/nf_sockopt.c:116)\n ip_getsockopt (net/ipv4/ip_sockglue.c:1827)\n __sys_getsockopt (net/socket.c:2327)\n __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)\n do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)\nRIP: 0033:0x7f62844685ee\nCode: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09\nRSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037\nRAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0\nR10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2\nR13: 00007f6284\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42270\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42270\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42270\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42270\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42270\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08ed888b69a22647153fe2bec55b7cd0a46102cc\",\n \"https://git.kernel.org/stable/c/5830aa863981d43560748aa93589c0695191d95d\",\n \"https://git.kernel.org/stable/c/70014b73d7539fcbb6b4ff5f37368d7241d8e626\",\n \"https://git.kernel.org/stable/c/95590a4929027769af35b153645c0ab6fd22b29b\",\n \"https://git.kernel.org/stable/c/b98ddb65fa1674b0e6b52de8af9103b63f51b643\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().\\n\\nWe had a report that iptables-restore sometimes triggered null-ptr-deref\\nat boot time. [0]\\n\\nThe problem is that iptable_nat_table_init() is exposed to user space\\nbefore the kernel fully initialises netns.\\n\\nIn the small race window, a user could call iptable_nat_table_init()\\nthat accesses net_generic(net, iptable_nat_net_id), which is available\\nonly after registering iptable_nat_net_ops.\\n\\nLet's call register_pernet_subsys() before xt_register_template().\\n\\n[0]:\\nbpfilter: Loaded bpfilter_umh pid 11702\\nStarted bpfilter\\nBUG: kernel NULL pointer dereference, address: 0000000000000013\\n PF: supervisor write access in kernel mode\\n PF: error_code(0x0002) - not-present page\\nPGD 0 P4D 0\\nPREEMPT SMP NOPTI\\nCPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1\\nHardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017\\nRIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\\nCode: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c\\nRSP: 0018:ffffbef902843cd0 EFLAGS: 00010246\\nRAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80\\nRDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0\\nRBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240\\nR10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000\\nR13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004\\nFS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nPKRU: 55555554\\nCall Trace:\\n \\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\\n ? xt_find_table_lock (net/netfilter/x_tables.c:1259)\\n ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)\\n ? page_fault_oops (arch/x86/mm/fault.c:727)\\n ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)\\n ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)\\n ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\\n xt_find_table_lock (net/netfilter/x_tables.c:1259)\\n xt_request_find_table_lock (net/netfilter/x_tables.c:1287)\\n get_info (net/ipv4/netfilter/ip_tables.c:965)\\n ? security_capable (security/security.c:809 (discriminator 13))\\n ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)\\n ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)\\n ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter\\n nf_getsockopt (net/netfilter/nf_sockopt.c:116)\\n ip_getsockopt (net/ipv4/ip_sockglue.c:1827)\\n __sys_getsockopt (net/socket.c:2327)\\n __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)\\n do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)\\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)\\nRIP: 0033:0x7f62844685ee\\nCode: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09\\nRSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037\\nRAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee\\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004\\nRBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0\\nR10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2\\nR13: 00007f6284\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42270\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42271", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42271" + }, + { + "url": "https://git.kernel.org/stable/c/01437282fd3904810603f3dc98d2cac6b8b6fc84" + }, + { + "url": "https://git.kernel.org/stable/c/37652fbef9809411cea55ea5fa1a170e299efcd0" + }, + { + "url": "https://git.kernel.org/stable/c/69620522c48ce8215e5eb55ffbab8cafee8f407d" + }, + { + "url": "https://git.kernel.org/stable/c/84f40b46787ecb67c7ad08a5bb1376141fa10c01" + }, + { + "url": "https://git.kernel.org/stable/c/8b424c9e44111c5a76f41c6b741f8d4c4179d876" + }, + { + "url": "https://git.kernel.org/stable/c/ac758e1f663fe9bc64f6b47212a2aa18697524f5" + }, + { + "url": "https://git.kernel.org/stable/c/c65f72eec60a34ace031426e04e9aff8e5f04895" + }, + { + "url": "https://git.kernel.org/stable/c/f558120cd709682b739207b48cf7479fd9568431" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42271 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42271", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: fix use after free in iucv_sock_close()\n\niucv_sever_path() is called from process context and from bh context.\niucv->path is used as indicator whether somebody else is taking care of\nsevering the path (or it is already removed / never existed).\nThis needs to be done with atomic compare and swap, otherwise there is a\nsmall window where iucv_sock_close() will try to work with a path that has\nalready been severed and freed by iucv_callback_connrej() called by\niucv_tasklet_fn().\n\nExample:\n[452744.123844] Call Trace:\n[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)\n[452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138\n[452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]\n[452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]\n[452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]\n[452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8\n[452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48\n[452744.124820] [<00000000d5421642>] __fput+0xba/0x268\n[452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0\n[452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90\n[452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8\n[452744.125319] Last Breaking-Event-Address:\n[452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138\n[452744.125324]\n[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt\n\nNote that bh_lock_sock() is not serializing the tasklet context against\nprocess context, because the check for sock_owned_by_user() and\ncorresponding handling is missing.\n\nIdeas for a future clean-up patch:\nA) Correct usage of bh_lock_sock() in tasklet context, as described in\nRe-enqueue, if needed. This may require adding return values to the\ntasklet functions and thus changes to all users of iucv.\n\nB) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42271\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42271\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42271\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42271\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42271\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/01437282fd3904810603f3dc98d2cac6b8b6fc84\",\n \"https://git.kernel.org/stable/c/37652fbef9809411cea55ea5fa1a170e299efcd0\",\n \"https://git.kernel.org/stable/c/69620522c48ce8215e5eb55ffbab8cafee8f407d\",\n \"https://git.kernel.org/stable/c/84f40b46787ecb67c7ad08a5bb1376141fa10c01\",\n \"https://git.kernel.org/stable/c/8b424c9e44111c5a76f41c6b741f8d4c4179d876\",\n \"https://git.kernel.org/stable/c/ac758e1f663fe9bc64f6b47212a2aa18697524f5\",\n \"https://git.kernel.org/stable/c/c65f72eec60a34ace031426e04e9aff8e5f04895\",\n \"https://git.kernel.org/stable/c/f558120cd709682b739207b48cf7479fd9568431\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/iucv: fix use after free in iucv_sock_close()\\n\\niucv_sever_path() is called from process context and from bh context.\\niucv->path is used as indicator whether somebody else is taking care of\\nsevering the path (or it is already removed / never existed).\\nThis needs to be done with atomic compare and swap, otherwise there is a\\nsmall window where iucv_sock_close() will try to work with a path that has\\nalready been severed and freed by iucv_callback_connrej() called by\\niucv_tasklet_fn().\\n\\nExample:\\n[452744.123844] Call Trace:\\n[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)\\n[452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138\\n[452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]\\n[452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]\\n[452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]\\n[452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8\\n[452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48\\n[452744.124820] [<00000000d5421642>] __fput+0xba/0x268\\n[452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0\\n[452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90\\n[452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8\\n[452744.125319] Last Breaking-Event-Address:\\n[452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138\\n[452744.125324]\\n[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt\\n\\nNote that bh_lock_sock() is not serializing the tasklet context against\\nprocess context, because the check for sock_owned_by_user() and\\ncorresponding handling is missing.\\n\\nIdeas for a future clean-up patch:\\nA) Correct usage of bh_lock_sock() in tasklet context, as described in\\nRe-enqueue, if needed. This may require adding return values to the\\ntasklet functions and thus changes to all users of iucv.\\n\\nB) Change iucv tasklet into worker and use only lock_sock() in af_iucv.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42271\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42272", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42272" + }, + { + "url": "https://git.kernel.org/stable/c/2191a54f63225b548fd8346be3611c3219a24738" + }, + { + "url": "https://git.kernel.org/stable/c/3a5b68869dbe14f1157c6a24ac71923db060eeab" + }, + { + "url": "https://git.kernel.org/stable/c/3ddefcb8f75e312535e2e7d5fef9932019ba60f2" + }, + { + "url": "https://git.kernel.org/stable/c/7c03ab555eb1ba26c77fd7c25bdf44a0ac23edee" + }, + { + "url": "https://git.kernel.org/stable/c/d06daf0ad645d9225a3ff6958dd82e1f3988fa64" + }, + { + "url": "https://git.kernel.org/stable/c/d7cc186d0973afce0e1237c37f7512c01981fb79" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42272 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42272", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: act_ct: take care of padding in struct zones_ht_key\n\nBlamed commit increased lookup key size from 2 bytes to 16 bytes,\nbecause zones_ht_key got a struct net pointer.\n\nMake sure rhashtable_lookup() is not using the padding bytes\nwhich are not initialized.\n\n BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408\n tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425\n tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488\n tcf_action_add net/sched/act_api.c:2061 [inline]\n tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118\n rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665\n netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\n netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357\n netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2597\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651\n __sys_sendmsg net/socket.c:2680 [inline]\n __do_sys_sendmsg net/socket.c:2689 [inline]\n __se_sys_sendmsg net/socket.c:2687 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687\n x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable key created at:\n tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42272\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42272\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42272\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42272\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42272\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2191a54f63225b548fd8346be3611c3219a24738\",\n \"https://git.kernel.org/stable/c/3a5b68869dbe14f1157c6a24ac71923db060eeab\",\n \"https://git.kernel.org/stable/c/3ddefcb8f75e312535e2e7d5fef9932019ba60f2\",\n \"https://git.kernel.org/stable/c/7c03ab555eb1ba26c77fd7c25bdf44a0ac23edee\",\n \"https://git.kernel.org/stable/c/d06daf0ad645d9225a3ff6958dd82e1f3988fa64\",\n \"https://git.kernel.org/stable/c/d7cc186d0973afce0e1237c37f7512c01981fb79\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched: act_ct: take care of padding in struct zones_ht_key\\n\\nBlamed commit increased lookup key size from 2 bytes to 16 bytes,\\nbecause zones_ht_key got a struct net pointer.\\n\\nMake sure rhashtable_lookup() is not using the padding bytes\\nwhich are not initialized.\\n\\n BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\\n BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\\n BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\\n BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\\n BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\\n rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\\n __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\\n rhashtable_lookup include/linux/rhashtable.h:646 [inline]\\n rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\\n tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408\\n tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425\\n tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488\\n tcf_action_add net/sched/act_api.c:2061 [inline]\\n tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118\\n rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647\\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550\\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665\\n netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\\n netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357\\n netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2597\\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651\\n __sys_sendmsg net/socket.c:2680 [inline]\\n __do_sys_sendmsg net/socket.c:2689 [inline]\\n __se_sys_sendmsg net/socket.c:2687 [inline]\\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687\\n x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nLocal variable key created at:\\n tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324\\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42272\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42273", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42273" + }, + { + "url": "https://git.kernel.org/stable/c/0cd106612396656d6f1ca17ef192c6759bb60791" + }, + { + "url": "https://git.kernel.org/stable/c/4239571c5db46a42f723b8fa8394039187c34439" + }, + { + "url": "https://git.kernel.org/stable/c/5fd057160ab240dd816ae09b625395d54c297de1" + }, + { + "url": "https://git.kernel.org/stable/c/8cb1f4080dd91c6e6b01dbea013a3f42341cb6a1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42273 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42273", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid\n\nmkdir /mnt/test/comp\nf2fs_io setflags compression /mnt/test/comp\ndd if=/dev/zero of=/mnt/test/comp/testfile bs=16k count=1\ntruncate --size 13 /mnt/test/comp/testfile\n\nIn the above scenario, we can get a BUG_ON.\n kernel BUG at fs/f2fs/segment.c:3589!\n Call Trace:\n do_write_page+0x78/0x390 [f2fs]\n f2fs_outplace_write_data+0x62/0xb0 [f2fs]\n f2fs_do_write_data_page+0x275/0x740 [f2fs]\n f2fs_write_single_data_page+0x1dc/0x8f0 [f2fs]\n f2fs_write_multi_pages+0x1e5/0xae0 [f2fs]\n f2fs_write_cache_pages+0xab1/0xc60 [f2fs]\n f2fs_write_data_pages+0x2d8/0x330 [f2fs]\n do_writepages+0xcf/0x270\n __writeback_single_inode+0x44/0x350\n writeback_sb_inodes+0x242/0x530\n __writeback_inodes_wb+0x54/0xf0\n wb_writeback+0x192/0x310\n wb_workfn+0x30d/0x400\n\nThe reason is we gave CURSEG_ALL_DATA_ATGC to COMPR_ADDR where the\npage was set the gcing flag by set_cluster_dirty().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42273\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42273\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42273\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42273\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42273\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0cd106612396656d6f1ca17ef192c6759bb60791\",\n \"https://git.kernel.org/stable/c/4239571c5db46a42f723b8fa8394039187c34439\",\n \"https://git.kernel.org/stable/c/5fd057160ab240dd816ae09b625395d54c297de1\",\n \"https://git.kernel.org/stable/c/8cb1f4080dd91c6e6b01dbea013a3f42341cb6a1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid\\n\\nmkdir /mnt/test/comp\\nf2fs_io setflags compression /mnt/test/comp\\ndd if=/dev/zero of=/mnt/test/comp/testfile bs=16k count=1\\ntruncate --size 13 /mnt/test/comp/testfile\\n\\nIn the above scenario, we can get a BUG_ON.\\n kernel BUG at fs/f2fs/segment.c:3589!\\n Call Trace:\\n do_write_page+0x78/0x390 [f2fs]\\n f2fs_outplace_write_data+0x62/0xb0 [f2fs]\\n f2fs_do_write_data_page+0x275/0x740 [f2fs]\\n f2fs_write_single_data_page+0x1dc/0x8f0 [f2fs]\\n f2fs_write_multi_pages+0x1e5/0xae0 [f2fs]\\n f2fs_write_cache_pages+0xab1/0xc60 [f2fs]\\n f2fs_write_data_pages+0x2d8/0x330 [f2fs]\\n do_writepages+0xcf/0x270\\n __writeback_single_inode+0x44/0x350\\n writeback_sb_inodes+0x242/0x530\\n __writeback_inodes_wb+0x54/0xf0\\n wb_writeback+0x192/0x310\\n wb_workfn+0x30d/0x400\\n\\nThe reason is we gave CURSEG_ALL_DATA_ATGC to COMPR_ADDR where the\\npage was set the gcing flag by set_cluster_dirty().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42273\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42274", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42274" + }, + { + "url": "https://git.kernel.org/stable/c/36c255db5a25edd42d1aca48e38b8e95ee5fd9ef" + }, + { + "url": "https://git.kernel.org/stable/c/3dab73ab925a51ab05543b491bf17463a48ca323" + }, + { + "url": "https://git.kernel.org/stable/c/7c07220cf634002f93a87ca2252a32766850f2d1" + }, + { + "url": "https://git.kernel.org/stable/c/b239a37d68e8bc59f9516444da222841e3b13ba9" + }, + { + "url": "https://git.kernel.org/stable/c/f5043e69aeb2786f32e84132817a007a6430aa7d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42274 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42274", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"ALSA: firewire-lib: operate for period elapse event in process context\"\n\nCommit 7ba5ca32fe6e (\"ALSA: firewire-lib: operate for period elapse event\nin process context\") removed the process context workqueue from\namdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove\nits overhead.\n\nWith RME Fireface 800, this lead to a regression since\nKernels 5.14.0, causing an AB/BA deadlock competition for the\nsubstream lock with eventual system freeze under ALSA operation:\n\nthread 0:\n * (lock A) acquire substream lock by\n\tsnd_pcm_stream_lock_irq() in\n\tsnd_pcm_status64()\n * (lock B) wait for tasklet to finish by calling\n \ttasklet_unlock_spin_wait() in\n\ttasklet_disable_in_atomic() in\n\tohci_flush_iso_completions() of ohci.c\n\nthread 1:\n * (lock B) enter tasklet\n * (lock A) attempt to acquire substream lock,\n \twaiting for it to be released:\n\tsnd_pcm_stream_lock_irqsave() in\n \tsnd_pcm_period_elapsed() in\n\tupdate_pcm_pointers() in\n\tprocess_ctx_payloads() in\n\tprocess_rx_packets() of amdtp-stream.c\n\n? tasklet_unlock_spin_wait\n \n \nohci_flush_iso_completions firewire_ohci\namdtp_domain_stream_pcm_pointer snd_firewire_lib\nsnd_pcm_update_hw_ptr0 snd_pcm\nsnd_pcm_status64 snd_pcm\n\n? native_queued_spin_lock_slowpath\n \n \n_raw_spin_lock_irqsave\nsnd_pcm_period_elapsed snd_pcm\nprocess_rx_packets snd_firewire_lib\nirq_target_callback snd_firewire_lib\nhandle_it_packet firewire_ohci\ncontext_tasklet firewire_ohci\n\nRestore the process context work queue to prevent deadlock\nAB/BA deadlock competition for ALSA substream lock of\nsnd_pcm_stream_lock_irq() in snd_pcm_status64()\nand snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed().\n\nrevert commit 7ba5ca32fe6e (\"ALSA: firewire-lib: operate for period\nelapse event in process context\")\n\nReplace inline description to prevent future deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42274\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42274\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42274\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42274\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42274\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/36c255db5a25edd42d1aca48e38b8e95ee5fd9ef\",\n \"https://git.kernel.org/stable/c/3dab73ab925a51ab05543b491bf17463a48ca323\",\n \"https://git.kernel.org/stable/c/7c07220cf634002f93a87ca2252a32766850f2d1\",\n \"https://git.kernel.org/stable/c/b239a37d68e8bc59f9516444da222841e3b13ba9\",\n \"https://git.kernel.org/stable/c/f5043e69aeb2786f32e84132817a007a6430aa7d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRevert \\\"ALSA: firewire-lib: operate for period elapse event in process context\\\"\\n\\nCommit 7ba5ca32fe6e (\\\"ALSA: firewire-lib: operate for period elapse event\\nin process context\\\") removed the process context workqueue from\\namdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove\\nits overhead.\\n\\nWith RME Fireface 800, this lead to a regression since\\nKernels 5.14.0, causing an AB/BA deadlock competition for the\\nsubstream lock with eventual system freeze under ALSA operation:\\n\\nthread 0:\\n * (lock A) acquire substream lock by\\n\\tsnd_pcm_stream_lock_irq() in\\n\\tsnd_pcm_status64()\\n * (lock B) wait for tasklet to finish by calling\\n \\ttasklet_unlock_spin_wait() in\\n\\ttasklet_disable_in_atomic() in\\n\\tohci_flush_iso_completions() of ohci.c\\n\\nthread 1:\\n * (lock B) enter tasklet\\n * (lock A) attempt to acquire substream lock,\\n \\twaiting for it to be released:\\n\\tsnd_pcm_stream_lock_irqsave() in\\n \\tsnd_pcm_period_elapsed() in\\n\\tupdate_pcm_pointers() in\\n\\tprocess_ctx_payloads() in\\n\\tprocess_rx_packets() of amdtp-stream.c\\n\\n? tasklet_unlock_spin_wait\\n \\n \\nohci_flush_iso_completions firewire_ohci\\namdtp_domain_stream_pcm_pointer snd_firewire_lib\\nsnd_pcm_update_hw_ptr0 snd_pcm\\nsnd_pcm_status64 snd_pcm\\n\\n? native_queued_spin_lock_slowpath\\n \\n \\n_raw_spin_lock_irqsave\\nsnd_pcm_period_elapsed snd_pcm\\nprocess_rx_packets snd_firewire_lib\\nirq_target_callback snd_firewire_lib\\nhandle_it_packet firewire_ohci\\ncontext_tasklet firewire_ohci\\n\\nRestore the process context work queue to prevent deadlock\\nAB/BA deadlock competition for ALSA substream lock of\\nsnd_pcm_stream_lock_irq() in snd_pcm_status64()\\nand snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed().\\n\\nrevert commit 7ba5ca32fe6e (\\\"ALSA: firewire-lib: operate for period\\nelapse event in process context\\\")\\n\\nReplace inline description to prevent future deadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42274\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42276", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42276" + }, + { + "url": "https://git.kernel.org/stable/c/3f8ec1d6b0ebd8268307d52be8301973fa5a01ec" + }, + { + "url": "https://git.kernel.org/stable/c/70100fe721840bf6d8e5abd25b8bffe4d2e049b7" + }, + { + "url": "https://git.kernel.org/stable/c/77848b379e9f85a08048a2c8b3b4a7e8396f5f83" + }, + { + "url": "https://git.kernel.org/stable/c/7cc1f4cd90a00b6191cb8cda2d1302fdce59361c" + }, + { + "url": "https://git.kernel.org/stable/c/be23ae63080e0bf9e246ab20207200bca6585eba" + }, + { + "url": "https://git.kernel.org/stable/c/c31fad1470389666ac7169fe43aa65bf5b7e2cfd" + }, + { + "url": "https://git.kernel.org/stable/c/d135c3352f7c947a922da93c8e763ee6bc208b64" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42276 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42276", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: add missing condition check for existence of mapped data\n\nnvme_map_data() is called when request has physical segments, hence\nthe nvme_unmap_data() should have same condition to avoid dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42276\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42276\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42276\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42276\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42276\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f8ec1d6b0ebd8268307d52be8301973fa5a01ec\",\n \"https://git.kernel.org/stable/c/70100fe721840bf6d8e5abd25b8bffe4d2e049b7\",\n \"https://git.kernel.org/stable/c/77848b379e9f85a08048a2c8b3b4a7e8396f5f83\",\n \"https://git.kernel.org/stable/c/7cc1f4cd90a00b6191cb8cda2d1302fdce59361c\",\n \"https://git.kernel.org/stable/c/be23ae63080e0bf9e246ab20207200bca6585eba\",\n \"https://git.kernel.org/stable/c/c31fad1470389666ac7169fe43aa65bf5b7e2cfd\",\n \"https://git.kernel.org/stable/c/d135c3352f7c947a922da93c8e763ee6bc208b64\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme-pci: add missing condition check for existence of mapped data\\n\\nnvme_map_data() is called when request has physical segments, hence\\nthe nvme_unmap_data() should have same condition to avoid dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42276\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42277", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42277" + }, + { + "url": "https://git.kernel.org/stable/c/630482ee0653decf9e2482ac6181897eb6cde5b8" + }, + { + "url": "https://git.kernel.org/stable/c/8c79ceb4ecf823e6ec10fee6febb0fca3de79922" + }, + { + "url": "https://git.kernel.org/stable/c/b62841e49a2b7938f6fdeaaf93fb57e4eb880bdb" + }, + { + "url": "https://git.kernel.org/stable/c/d5fe884ce28c5005f8582c35333c195a168f841c" + }, + { + "url": "https://git.kernel.org/stable/c/dfe90030a0cfa26dca4cb6510de28920e5ad22fb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42277 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42277", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: sprd: Avoid NULL deref in sprd_iommu_hw_en\n\nIn sprd_iommu_cleanup() before calling function sprd_iommu_hw_en()\ndom->sdev is equal to NULL, which leads to null dereference.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42277\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42277\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42277\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42277\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42277\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/630482ee0653decf9e2482ac6181897eb6cde5b8\",\n \"https://git.kernel.org/stable/c/8c79ceb4ecf823e6ec10fee6febb0fca3de79922\",\n \"https://git.kernel.org/stable/c/b62841e49a2b7938f6fdeaaf93fb57e4eb880bdb\",\n \"https://git.kernel.org/stable/c/d5fe884ce28c5005f8582c35333c195a168f841c\",\n \"https://git.kernel.org/stable/c/dfe90030a0cfa26dca4cb6510de28920e5ad22fb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu: sprd: Avoid NULL deref in sprd_iommu_hw_en\\n\\nIn sprd_iommu_cleanup() before calling function sprd_iommu_hw_en()\\ndom->sdev is equal to NULL, which leads to null dereference.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42277\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42280", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42280" + }, + { + "url": "https://git.kernel.org/stable/c/4d8b642985ae24f4b3656438eb8489834a17bb80" + }, + { + "url": "https://git.kernel.org/stable/c/61ab751451f5ebd0b98e02276a44e23a10110402" + }, + { + "url": "https://git.kernel.org/stable/c/70db2c84631f50e02e6b32b543700699dd395803" + }, + { + "url": "https://git.kernel.org/stable/c/7e4a539bca7d8d20f2c5d93c18cce8ef77cd78e0" + }, + { + "url": "https://git.kernel.org/stable/c/8f4030277dfb9dbe04fd78566b19931097c9d629" + }, + { + "url": "https://git.kernel.org/stable/c/9460ac3dd1ae033bc2b021a458fb535a0c36ddb2" + }, + { + "url": "https://git.kernel.org/stable/c/d3e4d4a98c5629ccdcb762a0ff6c82ba9738a0c3" + }, + { + "url": "https://git.kernel.org/stable/c/ddc79556641ee070d36be0de4a1f0a16a71f1fc7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42280 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42280", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: Fix a use after free in hfcmulti_tx()\n\nDon't dereference *sp after calling dev_kfree_skb(*sp).", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42280\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42280\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42280\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42280\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42280\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4d8b642985ae24f4b3656438eb8489834a17bb80\",\n \"https://git.kernel.org/stable/c/61ab751451f5ebd0b98e02276a44e23a10110402\",\n \"https://git.kernel.org/stable/c/70db2c84631f50e02e6b32b543700699dd395803\",\n \"https://git.kernel.org/stable/c/7e4a539bca7d8d20f2c5d93c18cce8ef77cd78e0\",\n \"https://git.kernel.org/stable/c/8f4030277dfb9dbe04fd78566b19931097c9d629\",\n \"https://git.kernel.org/stable/c/9460ac3dd1ae033bc2b021a458fb535a0c36ddb2\",\n \"https://git.kernel.org/stable/c/d3e4d4a98c5629ccdcb762a0ff6c82ba9738a0c3\",\n \"https://git.kernel.org/stable/c/ddc79556641ee070d36be0de4a1f0a16a71f1fc7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmISDN: Fix a use after free in hfcmulti_tx()\\n\\nDon't dereference *sp after calling dev_kfree_skb(*sp).\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42280\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42281", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42281" + }, + { + "url": "https://git.kernel.org/stable/c/11ec79f5c7f74261874744039bc1551023edd6b2" + }, + { + "url": "https://git.kernel.org/stable/c/a689f5eb13a90f892a088865478b3cd39f53d5dc" + }, + { + "url": "https://git.kernel.org/stable/c/c3496314c53e7e82ddb544c825defc3e8c0e45cf" + }, + { + "url": "https://git.kernel.org/stable/c/dda518dea60d556a2d171c0122ca7d9fdb7d473a" + }, + { + "url": "https://git.kernel.org/stable/c/ec4eea14d75f7b0491194dd413f540dd19b8c733" + }, + { + "url": "https://git.kernel.org/stable/c/f6bb8c90cab97a3e03f8d30e3069efe6a742e0be" + }, + { + "url": "https://git.kernel.org/stable/c/fa5ef655615a01533035c6139248c5b33aa27028" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42281 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42281", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a segment issue when downgrading gso_size\n\nLinearize the skb when downgrading gso_size because it may trigger a\nBUG_ON() later when the skb is segmented as described in [1,2].", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42281\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42281\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42281\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42281\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42281\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11ec79f5c7f74261874744039bc1551023edd6b2\",\n \"https://git.kernel.org/stable/c/a689f5eb13a90f892a088865478b3cd39f53d5dc\",\n \"https://git.kernel.org/stable/c/c3496314c53e7e82ddb544c825defc3e8c0e45cf\",\n \"https://git.kernel.org/stable/c/dda518dea60d556a2d171c0122ca7d9fdb7d473a\",\n \"https://git.kernel.org/stable/c/ec4eea14d75f7b0491194dd413f540dd19b8c733\",\n \"https://git.kernel.org/stable/c/f6bb8c90cab97a3e03f8d30e3069efe6a742e0be\",\n \"https://git.kernel.org/stable/c/fa5ef655615a01533035c6139248c5b33aa27028\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix a segment issue when downgrading gso_size\\n\\nLinearize the skb when downgrading gso_size because it may trigger a\\nBUG_ON() later when the skb is segmented as described in [1,2].\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42281\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42283", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42283" + }, + { + "url": "https://git.kernel.org/stable/c/1377de719652d868f5317ba8398b7e74c5f0430b" + }, + { + "url": "https://git.kernel.org/stable/c/5cc4d71dda2dd4f1520f40e634a527022e48ccd8" + }, + { + "url": "https://git.kernel.org/stable/c/6d745cd0e9720282cd291d36b9db528aea18add2" + }, + { + "url": "https://git.kernel.org/stable/c/7704460acd7f5d35eb07c52500987dc9b95313fb" + }, + { + "url": "https://git.kernel.org/stable/c/9e8f558a3afe99ce51a642ce0d3637ddc2b5d5d0" + }, + { + "url": "https://git.kernel.org/stable/c/a13d3864b76ac87085ec530b2ff8e37482a63a96" + }, + { + "url": "https://git.kernel.org/stable/c/fd06cb4a5fc7bda3dea31712618a62af72a1c6cb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42283 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42283", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nexthop: Initialize all fields in dumped nexthops\n\nstruct nexthop_grp contains two reserved fields that are not initialized by\nnla_put_nh_group(), and carry garbage. This can be observed e.g. with\nstrace (edited for clarity):\n\n # ip nexthop add id 1 dev lo\n # ip nexthop add id 101 group 1\n # strace -e recvmsg ip nexthop get id 101\n ...\n recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},\n [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52\n\nThe fields are reserved and therefore not currently used. But as they are, they\nleak kernel memory, and the fact they are not just zero complicates repurposing\nof the fields for new ends. Initialize the full structure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42283\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42283\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42283\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42283\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42283\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1377de719652d868f5317ba8398b7e74c5f0430b\",\n \"https://git.kernel.org/stable/c/5cc4d71dda2dd4f1520f40e634a527022e48ccd8\",\n \"https://git.kernel.org/stable/c/6d745cd0e9720282cd291d36b9db528aea18add2\",\n \"https://git.kernel.org/stable/c/7704460acd7f5d35eb07c52500987dc9b95313fb\",\n \"https://git.kernel.org/stable/c/9e8f558a3afe99ce51a642ce0d3637ddc2b5d5d0\",\n \"https://git.kernel.org/stable/c/a13d3864b76ac87085ec530b2ff8e37482a63a96\",\n \"https://git.kernel.org/stable/c/fd06cb4a5fc7bda3dea31712618a62af72a1c6cb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: nexthop: Initialize all fields in dumped nexthops\\n\\nstruct nexthop_grp contains two reserved fields that are not initialized by\\nnla_put_nh_group(), and carry garbage. This can be observed e.g. with\\nstrace (edited for clarity):\\n\\n # ip nexthop add id 1 dev lo\\n # ip nexthop add id 101 group 1\\n # strace -e recvmsg ip nexthop get id 101\\n ...\\n recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},\\n [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52\\n\\nThe fields are reserved and therefore not currently used. But as they are, they\\nleak kernel memory, and the fact they are not just zero complicates repurposing\\nof the fields for new ends. Initialize the full structure.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42283\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42284", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42284" + }, + { + "url": "https://git.kernel.org/stable/c/253405541be2f15ffebdeac2f4cf4b7e9144d12f" + }, + { + "url": "https://git.kernel.org/stable/c/2abe350db1aa599eeebc6892237d0bce0f1de62a" + }, + { + "url": "https://git.kernel.org/stable/c/5eea127675450583680c8170358bcba43227bd69" + }, + { + "url": "https://git.kernel.org/stable/c/728734352743a78b4c5a7285b282127696a4a813" + }, + { + "url": "https://git.kernel.org/stable/c/76ddf84a52f0d8ec3f5db6ccce08faf202a17d28" + }, + { + "url": "https://git.kernel.org/stable/c/7ec3335dd89c8d169e9650e4bac64fde71fdf15b" + }, + { + "url": "https://git.kernel.org/stable/c/aa38bf74899de07cf70b50cd17f8ad45fb6654c8" + }, + { + "url": "https://git.kernel.org/stable/c/fa96c6baef1b5385e2f0c0677b32b3839e716076" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42284 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42284", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Return non-zero value from tipc_udp_addr2str() on error\n\ntipc_udp_addr2str() should return non-zero value if the UDP media\naddress is invalid. Otherwise, a buffer overflow access can occur in\ntipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP\nmedia address.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42284\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42284\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42284\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42284\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42284\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/253405541be2f15ffebdeac2f4cf4b7e9144d12f\",\n \"https://git.kernel.org/stable/c/2abe350db1aa599eeebc6892237d0bce0f1de62a\",\n \"https://git.kernel.org/stable/c/5eea127675450583680c8170358bcba43227bd69\",\n \"https://git.kernel.org/stable/c/728734352743a78b4c5a7285b282127696a4a813\",\n \"https://git.kernel.org/stable/c/76ddf84a52f0d8ec3f5db6ccce08faf202a17d28\",\n \"https://git.kernel.org/stable/c/7ec3335dd89c8d169e9650e4bac64fde71fdf15b\",\n \"https://git.kernel.org/stable/c/aa38bf74899de07cf70b50cd17f8ad45fb6654c8\",\n \"https://git.kernel.org/stable/c/fa96c6baef1b5385e2f0c0677b32b3839e716076\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: Return non-zero value from tipc_udp_addr2str() on error\\n\\ntipc_udp_addr2str() should return non-zero value if the UDP media\\naddress is invalid. Otherwise, a buffer overflow access can occur in\\ntipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP\\nmedia address.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42284\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42285", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42285" + }, + { + "url": "https://git.kernel.org/stable/c/557d035fe88d78dd51664f4dc0e1896c04c97cf6" + }, + { + "url": "https://git.kernel.org/stable/c/7f25f296fc9bd0435be14e89bf657cd615a23574" + }, + { + "url": "https://git.kernel.org/stable/c/94ee7ff99b87435ec63211f632918dc7f44dac79" + }, + { + "url": "https://git.kernel.org/stable/c/aee2424246f9f1dadc33faa78990c1e2eb7826e4" + }, + { + "url": "https://git.kernel.org/stable/c/d91d253c87fd1efece521ff2612078a35af673c6" + }, + { + "url": "https://git.kernel.org/stable/c/dc8074b8901caabb97c2d353abd6b4e7fa5a59a5" + }, + { + "url": "https://git.kernel.org/stable/c/ee39384ee787e86e9db4efb843818ef0ea9cb8ae" + }, + { + "url": "https://git.kernel.org/stable/c/ff5bbbdee08287d75d72e65b72a2b76d9637892a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42285 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42285", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix a use-after-free related to destroying CM IDs\n\niw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with\nan existing struct iw_cm_id (cm_id) as follows:\n\n conn_id->cm_id.iw = cm_id;\n cm_id->context = conn_id;\n cm_id->cm_handler = cma_iw_handler;\n\nrdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make\nsure that cm_work_handler() does not trigger a use-after-free by only\nfreeing of the struct rdma_id_private after all pending work has finished.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42285\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42285\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42285\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42285\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42285\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/557d035fe88d78dd51664f4dc0e1896c04c97cf6\",\n \"https://git.kernel.org/stable/c/7f25f296fc9bd0435be14e89bf657cd615a23574\",\n \"https://git.kernel.org/stable/c/94ee7ff99b87435ec63211f632918dc7f44dac79\",\n \"https://git.kernel.org/stable/c/aee2424246f9f1dadc33faa78990c1e2eb7826e4\",\n \"https://git.kernel.org/stable/c/d91d253c87fd1efece521ff2612078a35af673c6\",\n \"https://git.kernel.org/stable/c/dc8074b8901caabb97c2d353abd6b4e7fa5a59a5\",\n \"https://git.kernel.org/stable/c/ee39384ee787e86e9db4efb843818ef0ea9cb8ae\",\n \"https://git.kernel.org/stable/c/ff5bbbdee08287d75d72e65b72a2b76d9637892a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/iwcm: Fix a use-after-free related to destroying CM IDs\\n\\niw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with\\nan existing struct iw_cm_id (cm_id) as follows:\\n\\n conn_id->cm_id.iw = cm_id;\\n cm_id->context = conn_id;\\n cm_id->cm_handler = cma_iw_handler;\\n\\nrdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make\\nsure that cm_work_handler() does not trigger a use-after-free by only\\nfreeing of the struct rdma_id_private after all pending work has finished.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42285\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42286", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42286" + }, + { + "url": "https://git.kernel.org/stable/c/3eac973eb5cb2b874b3918f924798afc5affd46b" + }, + { + "url": "https://git.kernel.org/stable/c/549aac9655320c9b245a24271b204668c5d40430" + }, + { + "url": "https://git.kernel.org/stable/c/7cec2c3bfe84539c415f5e16f989228eba1d2f1e" + }, + { + "url": "https://git.kernel.org/stable/c/a3ab508a4853a9f5ae25a7816a4889f09938f63c" + }, + { + "url": "https://git.kernel.org/stable/c/cde43031df533751b4ead37d173922feee2f550f" + }, + { + "url": "https://git.kernel.org/stable/c/e1f010844443c389bc552884ac5cfa47de34d54c" + }, + { + "url": "https://git.kernel.org/stable/c/eb1d4ce2609584eeb7694866f34d4b213caa3af9" + }, + { + "url": "https://git.kernel.org/stable/c/f6be298cc1042f24d521197af29c7c4eb95af4d5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42286 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42286", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: validate nvme_local_port correctly\n\nThe driver load failed with error message,\n\nqla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef\n\nand with a kernel crash,\n\n\tBUG: unable to handle kernel NULL pointer dereference at 0000000000000070\n\tWorkqueue: events_unbound qla_register_fcport_fn [qla2xxx]\n\tRIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc]\n\tRSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282\n\tRAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000\n\tRDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000\n\tRBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030\n\tR10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4\n\tR13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8\n\tFS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000\n\tCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0\n\tCall Trace:\n\tqla_nvme_register_remote+0xeb/0x1f0 [qla2xxx]\n\t? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx]\n\tqla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx]\n\tqla_register_fcport_fn+0x54/0xc0 [qla2xxx]\n\nExit the qla_nvme_register_remote() function when qla_nvme_register_hba()\nfails and correctly validate nvme_local_port.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42286\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42286\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42286\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42286\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42286\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3eac973eb5cb2b874b3918f924798afc5affd46b\",\n \"https://git.kernel.org/stable/c/549aac9655320c9b245a24271b204668c5d40430\",\n \"https://git.kernel.org/stable/c/7cec2c3bfe84539c415f5e16f989228eba1d2f1e\",\n \"https://git.kernel.org/stable/c/a3ab508a4853a9f5ae25a7816a4889f09938f63c\",\n \"https://git.kernel.org/stable/c/cde43031df533751b4ead37d173922feee2f550f\",\n \"https://git.kernel.org/stable/c/e1f010844443c389bc552884ac5cfa47de34d54c\",\n \"https://git.kernel.org/stable/c/eb1d4ce2609584eeb7694866f34d4b213caa3af9\",\n \"https://git.kernel.org/stable/c/f6be298cc1042f24d521197af29c7c4eb95af4d5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: validate nvme_local_port correctly\\n\\nThe driver load failed with error message,\\n\\nqla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef\\n\\nand with a kernel crash,\\n\\n\\tBUG: unable to handle kernel NULL pointer dereference at 0000000000000070\\n\\tWorkqueue: events_unbound qla_register_fcport_fn [qla2xxx]\\n\\tRIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc]\\n\\tRSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282\\n\\tRAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000\\n\\tRDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000\\n\\tRBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030\\n\\tR10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4\\n\\tR13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8\\n\\tFS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000\\n\\tCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n\\tCR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0\\n\\tCall Trace:\\n\\tqla_nvme_register_remote+0xeb/0x1f0 [qla2xxx]\\n\\t? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx]\\n\\tqla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx]\\n\\tqla_register_fcport_fn+0x54/0xc0 [qla2xxx]\\n\\nExit the qla_nvme_register_remote() function when qla_nvme_register_hba()\\nfails and correctly validate nvme_local_port.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42286\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42287", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42287" + }, + { + "url": "https://git.kernel.org/stable/c/314efe3f87949a568f512f05df20bf47b81cf232" + }, + { + "url": "https://git.kernel.org/stable/c/36fdc5319c4d0ec8b8938ec4769764098a246bfb" + }, + { + "url": "https://git.kernel.org/stable/c/4475afa2646d3fec176fc4d011d3879b26cb26e3" + }, + { + "url": "https://git.kernel.org/stable/c/57ba7563712227647f82a92547e82c96cd350553" + }, + { + "url": "https://git.kernel.org/stable/c/814f4a53cc86f7ea8b501bfb1723f24fd29ef5ee" + }, + { + "url": "https://git.kernel.org/stable/c/9117337b04d789bd08fdd9854a40bec2815cd3f6" + }, + { + "url": "https://git.kernel.org/stable/c/af46649304b0c9cede4ccfc2be2561ce8ed6a2ea" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42287 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42287", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Complete command early within lock\n\nA crash was observed while performing NPIV and FW reset,\n\n BUG: kernel NULL pointer dereference, address: 000000000000001c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 1 PREEMPT_RT SMP NOPTI\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\n RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0\n RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034\n R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000\n R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000\n FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n \n ? __die_body+0x1a/0x60\n ? page_fault_oops+0x16f/0x4a0\n ? do_user_addr_fault+0x174/0x7f0\n ? exc_page_fault+0x69/0x1a0\n ? asm_exc_page_fault+0x22/0x30\n ? dma_direct_unmap_sg+0x51/0x1e0\n ? preempt_count_sub+0x96/0xe0\n qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx]\n qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx]\n __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx]\n\nThe command completion was done early while aborting the commands in driver\nunload path but outside lock to avoid the WARN_ON condition of performing\ndma_free_attr within the lock. However this caused race condition while\ncommand completion via multiple paths causing system crash.\n\nHence complete the command early in unload path but within the lock to\navoid race condition.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42287\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42287\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42287\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42287\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42287\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/314efe3f87949a568f512f05df20bf47b81cf232\",\n \"https://git.kernel.org/stable/c/36fdc5319c4d0ec8b8938ec4769764098a246bfb\",\n \"https://git.kernel.org/stable/c/4475afa2646d3fec176fc4d011d3879b26cb26e3\",\n \"https://git.kernel.org/stable/c/57ba7563712227647f82a92547e82c96cd350553\",\n \"https://git.kernel.org/stable/c/814f4a53cc86f7ea8b501bfb1723f24fd29ef5ee\",\n \"https://git.kernel.org/stable/c/9117337b04d789bd08fdd9854a40bec2815cd3f6\",\n \"https://git.kernel.org/stable/c/af46649304b0c9cede4ccfc2be2561ce8ed6a2ea\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Complete command early within lock\\n\\nA crash was observed while performing NPIV and FW reset,\\n\\n BUG: kernel NULL pointer dereference, address: 000000000000001c\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 1 PREEMPT_RT SMP NOPTI\\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\\n RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246\\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002\\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0\\n RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034\\n R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000\\n R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000\\n FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n PKRU: 55555554\\n Call Trace:\\n \\n ? __die_body+0x1a/0x60\\n ? page_fault_oops+0x16f/0x4a0\\n ? do_user_addr_fault+0x174/0x7f0\\n ? exc_page_fault+0x69/0x1a0\\n ? asm_exc_page_fault+0x22/0x30\\n ? dma_direct_unmap_sg+0x51/0x1e0\\n ? preempt_count_sub+0x96/0xe0\\n qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx]\\n qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx]\\n __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx]\\n\\nThe command completion was done early while aborting the commands in driver\\nunload path but outside lock to avoid the WARN_ON condition of performing\\ndma_free_attr within the lock. However this caused race condition while\\ncommand completion via multiple paths causing system crash.\\n\\nHence complete the command early in unload path but within the lock to\\navoid race condition.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42287\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42288", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42288" + }, + { + "url": "https://git.kernel.org/stable/c/2a15b59a2c5afac89696e44acf5bbfc0599c6c5e" + }, + { + "url": "https://git.kernel.org/stable/c/571d7f2a08836698c2fb0d792236424575b9829b" + }, + { + "url": "https://git.kernel.org/stable/c/8192c533e89d9fb69b2490398939236b78cda79b" + }, + { + "url": "https://git.kernel.org/stable/c/87db8d7b7520e99de71791260989f06f9c94953d" + }, + { + "url": "https://git.kernel.org/stable/c/b0302ffc74123b6a99d7d1896fcd9b2e4072d9ce" + }, + { + "url": "https://git.kernel.org/stable/c/c03d740152f78e86945a75b2ad541bf972fab92a" + }, + { + "url": "https://git.kernel.org/stable/c/dae67169cb35a37ecccf60cfcd6bf93a1f4f5efb" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42288 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42288", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix for possible memory corruption\n\nInit Control Block is dereferenced incorrectly. Correctly dereference ICB", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42288\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42288\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42288\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42288\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42288\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2a15b59a2c5afac89696e44acf5bbfc0599c6c5e\",\n \"https://git.kernel.org/stable/c/571d7f2a08836698c2fb0d792236424575b9829b\",\n \"https://git.kernel.org/stable/c/8192c533e89d9fb69b2490398939236b78cda79b\",\n \"https://git.kernel.org/stable/c/87db8d7b7520e99de71791260989f06f9c94953d\",\n \"https://git.kernel.org/stable/c/b0302ffc74123b6a99d7d1896fcd9b2e4072d9ce\",\n \"https://git.kernel.org/stable/c/c03d740152f78e86945a75b2ad541bf972fab92a\",\n \"https://git.kernel.org/stable/c/dae67169cb35a37ecccf60cfcd6bf93a1f4f5efb\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Fix for possible memory corruption\\n\\nInit Control Block is dereferenced incorrectly. Correctly dereference ICB\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42288\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42289", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42289" + }, + { + "url": "https://git.kernel.org/stable/c/086489256696eb774654a5410e86381c346356fe" + }, + { + "url": "https://git.kernel.org/stable/c/171ac4b495f9473bc134356a00095b47e6409e52" + }, + { + "url": "https://git.kernel.org/stable/c/76f480d7c717368f29a3870f7d64471ce0ff8fb2" + }, + { + "url": "https://git.kernel.org/stable/c/87c25fcb95aafabb6a4914239f4ab41b07a4f9b7" + }, + { + "url": "https://git.kernel.org/stable/c/b12c54e51ba83c1fbc619d35083d7872e42ecdef" + }, + { + "url": "https://git.kernel.org/stable/c/b35d6d5a2f38605cddea7d5c64cded894fbe8ede" + }, + { + "url": "https://git.kernel.org/stable/c/d28a2075bb530489715a3b011e1dd8765ba20313" + }, + { + "url": "https://git.kernel.org/stable/c/e5ed6a26ffdec0c91cf0b6138afbd675c00ad5fc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42289 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42289", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: During vport delete send async logout explicitly\n\nDuring vport delete, it is observed that during unload we hit a crash\nbecause of stale entries in outstanding command array. For all these stale\nI/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but\nI/Os could not complete while vport delete is in process of deleting.\n\n BUG: kernel NULL pointer dereference, address: 000000000000001c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n Workqueue: qla2xxx_wq qla_do_work [qla2xxx]\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\n RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0\n RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8\n R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000\n R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0\n Call Trace:\n \n qla2xxx_qpair_sp_free_dma+0x417/0x4e0\n ? qla2xxx_qpair_sp_compl+0x10d/0x1a0\n ? qla2x00_status_entry+0x768/0x2830\n ? newidle_balance+0x2f0/0x430\n ? dequeue_entity+0x100/0x3c0\n ? qla24xx_process_response_queue+0x6a1/0x19e0\n ? __schedule+0x2d5/0x1140\n ? qla_do_work+0x47/0x60\n ? process_one_work+0x267/0x440\n ? process_one_work+0x440/0x440\n ? worker_thread+0x2d/0x3d0\n ? process_one_work+0x440/0x440\n ? kthread+0x156/0x180\n ? set_kthread_struct+0x50/0x50\n ? ret_from_fork+0x22/0x30\n \n\nSend out async logout explicitly for all the ports during vport delete.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42289\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42289\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42289\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42289\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42289\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/086489256696eb774654a5410e86381c346356fe\",\n \"https://git.kernel.org/stable/c/171ac4b495f9473bc134356a00095b47e6409e52\",\n \"https://git.kernel.org/stable/c/76f480d7c717368f29a3870f7d64471ce0ff8fb2\",\n \"https://git.kernel.org/stable/c/87c25fcb95aafabb6a4914239f4ab41b07a4f9b7\",\n \"https://git.kernel.org/stable/c/b12c54e51ba83c1fbc619d35083d7872e42ecdef\",\n \"https://git.kernel.org/stable/c/b35d6d5a2f38605cddea7d5c64cded894fbe8ede\",\n \"https://git.kernel.org/stable/c/d28a2075bb530489715a3b011e1dd8765ba20313\",\n \"https://git.kernel.org/stable/c/e5ed6a26ffdec0c91cf0b6138afbd675c00ad5fc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: During vport delete send async logout explicitly\\n\\nDuring vport delete, it is observed that during unload we hit a crash\\nbecause of stale entries in outstanding command array. For all these stale\\nI/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but\\nI/Os could not complete while vport delete is in process of deleting.\\n\\n BUG: kernel NULL pointer dereference, address: 000000000000001c\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 [#1] PREEMPT SMP NOPTI\\n Workqueue: qla2xxx_wq qla_do_work [qla2xxx]\\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\\n RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046\\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001\\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0\\n RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8\\n R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000\\n R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000\\n FS: 0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0\\n Call Trace:\\n \\n qla2xxx_qpair_sp_free_dma+0x417/0x4e0\\n ? qla2xxx_qpair_sp_compl+0x10d/0x1a0\\n ? qla2x00_status_entry+0x768/0x2830\\n ? newidle_balance+0x2f0/0x430\\n ? dequeue_entity+0x100/0x3c0\\n ? qla24xx_process_response_queue+0x6a1/0x19e0\\n ? __schedule+0x2d5/0x1140\\n ? qla_do_work+0x47/0x60\\n ? process_one_work+0x267/0x440\\n ? process_one_work+0x440/0x440\\n ? worker_thread+0x2d/0x3d0\\n ? process_one_work+0x440/0x440\\n ? kthread+0x156/0x180\\n ? set_kthread_struct+0x50/0x50\\n ? ret_from_fork+0x22/0x30\\n \\n\\nSend out async logout explicitly for all the ports during vport delete.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42289\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42290", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42290" + }, + { + "url": "https://git.kernel.org/stable/c/21bd3f9e7f924cd2fc892a484e7a50c7e1847565" + }, + { + "url": "https://git.kernel.org/stable/c/33b1c47d1fc0b5f06a393bb915db85baacba18ea" + }, + { + "url": "https://git.kernel.org/stable/c/3a2884a44e5cda192df1b28e9925661f79f599a1" + }, + { + "url": "https://git.kernel.org/stable/c/58c56735facb225a5c46fa4b8bbbe7f31d1cb894" + }, + { + "url": "https://git.kernel.org/stable/c/a590e8dea3df2639921f874d763be961dd74e8f9" + }, + { + "url": "https://git.kernel.org/stable/c/f8ae38f1dfe652779c7c613facbc257cec00ac44" + }, + { + "url": "https://git.kernel.org/stable/c/fa1803401e1c360efe6342fb41d161cc51748a11" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42290 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42290", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/imx-irqsteer: Handle runtime power management correctly\n\nThe power domain is automatically activated from clk_prepare(). However, on\ncertain platforms like i.MX8QM and i.MX8QXP, the power-on handling invokes\nsleeping functions, which triggers the 'scheduling while atomic' bug in the\ncontext switch path during device probing:\n\n BUG: scheduling while atomic: kworker/u13:1/48/0x00000002\n Call trace:\n __schedule_bug+0x54/0x6c\n __schedule+0x7f0/0xa94\n schedule+0x5c/0xc4\n schedule_preempt_disabled+0x24/0x40\n __mutex_lock.constprop.0+0x2c0/0x540\n __mutex_lock_slowpath+0x14/0x20\n mutex_lock+0x48/0x54\n clk_prepare_lock+0x44/0xa0\n clk_prepare+0x20/0x44\n imx_irqsteer_resume+0x28/0xe0\n pm_generic_runtime_resume+0x2c/0x44\n __genpd_runtime_resume+0x30/0x80\n genpd_runtime_resume+0xc8/0x2c0\n __rpm_callback+0x48/0x1d8\n rpm_callback+0x6c/0x78\n rpm_resume+0x490/0x6b4\n __pm_runtime_resume+0x50/0x94\n irq_chip_pm_get+0x2c/0xa0\n __irq_do_set_handler+0x178/0x24c\n irq_set_chained_handler_and_data+0x60/0xa4\n mxc_gpio_probe+0x160/0x4b0\n\nCure this by implementing the irq_bus_lock/sync_unlock() interrupt chip\ncallbacks and handle power management in them as they are invoked from\nnon-atomic context.\n\n[ tglx: Rewrote change log, added Fixes tag ]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42290\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42290\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42290\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42290\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42290\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/21bd3f9e7f924cd2fc892a484e7a50c7e1847565\",\n \"https://git.kernel.org/stable/c/33b1c47d1fc0b5f06a393bb915db85baacba18ea\",\n \"https://git.kernel.org/stable/c/3a2884a44e5cda192df1b28e9925661f79f599a1\",\n \"https://git.kernel.org/stable/c/58c56735facb225a5c46fa4b8bbbe7f31d1cb894\",\n \"https://git.kernel.org/stable/c/a590e8dea3df2639921f874d763be961dd74e8f9\",\n \"https://git.kernel.org/stable/c/f8ae38f1dfe652779c7c613facbc257cec00ac44\",\n \"https://git.kernel.org/stable/c/fa1803401e1c360efe6342fb41d161cc51748a11\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nirqchip/imx-irqsteer: Handle runtime power management correctly\\n\\nThe power domain is automatically activated from clk_prepare(). However, on\\ncertain platforms like i.MX8QM and i.MX8QXP, the power-on handling invokes\\nsleeping functions, which triggers the 'scheduling while atomic' bug in the\\ncontext switch path during device probing:\\n\\n BUG: scheduling while atomic: kworker/u13:1/48/0x00000002\\n Call trace:\\n __schedule_bug+0x54/0x6c\\n __schedule+0x7f0/0xa94\\n schedule+0x5c/0xc4\\n schedule_preempt_disabled+0x24/0x40\\n __mutex_lock.constprop.0+0x2c0/0x540\\n __mutex_lock_slowpath+0x14/0x20\\n mutex_lock+0x48/0x54\\n clk_prepare_lock+0x44/0xa0\\n clk_prepare+0x20/0x44\\n imx_irqsteer_resume+0x28/0xe0\\n pm_generic_runtime_resume+0x2c/0x44\\n __genpd_runtime_resume+0x30/0x80\\n genpd_runtime_resume+0xc8/0x2c0\\n __rpm_callback+0x48/0x1d8\\n rpm_callback+0x6c/0x78\\n rpm_resume+0x490/0x6b4\\n __pm_runtime_resume+0x50/0x94\\n irq_chip_pm_get+0x2c/0xa0\\n __irq_do_set_handler+0x178/0x24c\\n irq_set_chained_handler_and_data+0x60/0xa4\\n mxc_gpio_probe+0x160/0x4b0\\n\\nCure this by implementing the irq_bus_lock/sync_unlock() interrupt chip\\ncallbacks and handle power management in them as they are invoked from\\nnon-atomic context.\\n\\n[ tglx: Rewrote change log, added Fixes tag ]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42290\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42291", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42291" + }, + { + "url": "https://git.kernel.org/stable/c/292081c4e7f575a79017d5cbe1a0ec042783976f" + }, + { + "url": "https://git.kernel.org/stable/c/6ebbe97a488179f5dc85f2f1e0c89b486e99ee97" + }, + { + "url": "https://git.kernel.org/stable/c/8e02cd98a6e24389d476e28436d41e620ed8e559" + }, + { + "url": "https://git.kernel.org/stable/c/d62389073a5b937413e2d1bc1da06ccff5103c0c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42291 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42291", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Add a per-VF limit on number of FDIR filters\n\nWhile the iavf driver adds a s/w limit (128) on the number of FDIR\nfilters that the VF can request, a malicious VF driver can request more\nthan that and exhaust the resources for other VFs.\n\nAdd a similar limit in ice.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42291\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42291\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42291\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42291\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42291\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/292081c4e7f575a79017d5cbe1a0ec042783976f\",\n \"https://git.kernel.org/stable/c/6ebbe97a488179f5dc85f2f1e0c89b486e99ee97\",\n \"https://git.kernel.org/stable/c/8e02cd98a6e24389d476e28436d41e620ed8e559\",\n \"https://git.kernel.org/stable/c/d62389073a5b937413e2d1bc1da06ccff5103c0c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: Add a per-VF limit on number of FDIR filters\\n\\nWhile the iavf driver adds a s/w limit (128) on the number of FDIR\\nfilters that the VF can request, a malicious VF driver can request more\\nthan that and exhaust the resources for other VFs.\\n\\nAdd a similar limit in ice.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42291\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42292", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42292" + }, + { + "url": "https://git.kernel.org/stable/c/57fe01d3d04276875c7e3a6dc763517fc05b8762" + }, + { + "url": "https://git.kernel.org/stable/c/648d5490460d38436640da0812bf7f6351c150d2" + }, + { + "url": "https://git.kernel.org/stable/c/68d63ace80b76395e7935687ecdb86421adc2168" + }, + { + "url": "https://git.kernel.org/stable/c/81a15d28f32af01493ae8c5457e0d55314a4167d" + }, + { + "url": "https://git.kernel.org/stable/c/b59a5e86a3934f1b6a5bd1368902dbc79bdecc90" + }, + { + "url": "https://git.kernel.org/stable/c/c5ee8adc8d98a49703320d13878ba2b923b142f5" + }, + { + "url": "https://git.kernel.org/stable/c/d4663536754defff75ff1eca0aaebc41da165a8d" + }, + { + "url": "https://git.kernel.org/stable/c/dd6e9894b451e7c85cceb8e9dc5432679a70e7dc" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42292 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42292", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nkobject_uevent: Fix OOB access within zap_modalias_env()\n\nzap_modalias_env() wrongly calculates size of memory block to move, so\nwill cause OOB memory access issue if variable MODALIAS is not the last\none within its @env parameter, fixed by correcting size to memmove.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42292\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42292\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42292\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42292\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42292\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/57fe01d3d04276875c7e3a6dc763517fc05b8762\",\n \"https://git.kernel.org/stable/c/648d5490460d38436640da0812bf7f6351c150d2\",\n \"https://git.kernel.org/stable/c/68d63ace80b76395e7935687ecdb86421adc2168\",\n \"https://git.kernel.org/stable/c/81a15d28f32af01493ae8c5457e0d55314a4167d\",\n \"https://git.kernel.org/stable/c/b59a5e86a3934f1b6a5bd1368902dbc79bdecc90\",\n \"https://git.kernel.org/stable/c/c5ee8adc8d98a49703320d13878ba2b923b142f5\",\n \"https://git.kernel.org/stable/c/d4663536754defff75ff1eca0aaebc41da165a8d\",\n \"https://git.kernel.org/stable/c/dd6e9894b451e7c85cceb8e9dc5432679a70e7dc\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkobject_uevent: Fix OOB access within zap_modalias_env()\\n\\nzap_modalias_env() wrongly calculates size of memory block to move, so\\nwill cause OOB memory access issue if variable MODALIAS is not the last\\none within its @env parameter, fixed by correcting size to memmove.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42292\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42294", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42294" + }, + { + "url": "https://git.kernel.org/stable/c/5a5625a83eac91fdff1d5f0202ecfc45a31983c9" + }, + { + "url": "https://git.kernel.org/stable/c/7e04da2dc7013af50ed3a2beb698d5168d1e594b" + }, + { + "url": "https://git.kernel.org/stable/c/f5418f48a93b69ed9e6a2281eee06b412f14a544" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42294 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42294", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix deadlock between sd_remove & sd_release\n\nOur test report the following hung task:\n\n[ 2538.459400] INFO: task \"kworker/0:0\":7 blocked for more than 188 seconds.\n[ 2538.459427] Call trace:\n[ 2538.459430] __switch_to+0x174/0x338\n[ 2538.459436] __schedule+0x628/0x9c4\n[ 2538.459442] schedule+0x7c/0xe8\n[ 2538.459447] schedule_preempt_disabled+0x24/0x40\n[ 2538.459453] __mutex_lock+0x3ec/0xf04\n[ 2538.459456] __mutex_lock_slowpath+0x14/0x24\n[ 2538.459459] mutex_lock+0x30/0xd8\n[ 2538.459462] del_gendisk+0xdc/0x350\n[ 2538.459466] sd_remove+0x30/0x60\n[ 2538.459470] device_release_driver_internal+0x1c4/0x2c4\n[ 2538.459474] device_release_driver+0x18/0x28\n[ 2538.459478] bus_remove_device+0x15c/0x174\n[ 2538.459483] device_del+0x1d0/0x358\n[ 2538.459488] __scsi_remove_device+0xa8/0x198\n[ 2538.459493] scsi_forget_host+0x50/0x70\n[ 2538.459497] scsi_remove_host+0x80/0x180\n[ 2538.459502] usb_stor_disconnect+0x68/0xf4\n[ 2538.459506] usb_unbind_interface+0xd4/0x280\n[ 2538.459510] device_release_driver_internal+0x1c4/0x2c4\n[ 2538.459514] device_release_driver+0x18/0x28\n[ 2538.459518] bus_remove_device+0x15c/0x174\n[ 2538.459523] device_del+0x1d0/0x358\n[ 2538.459528] usb_disable_device+0x84/0x194\n[ 2538.459532] usb_disconnect+0xec/0x300\n[ 2538.459537] hub_event+0xb80/0x1870\n[ 2538.459541] process_scheduled_works+0x248/0x4dc\n[ 2538.459545] worker_thread+0x244/0x334\n[ 2538.459549] kthread+0x114/0x1bc\n\n[ 2538.461001] INFO: task \"fsck.\":15415 blocked for more than 188 seconds.\n[ 2538.461014] Call trace:\n[ 2538.461016] __switch_to+0x174/0x338\n[ 2538.461021] __schedule+0x628/0x9c4\n[ 2538.461025] schedule+0x7c/0xe8\n[ 2538.461030] blk_queue_enter+0xc4/0x160\n[ 2538.461034] blk_mq_alloc_request+0x120/0x1d4\n[ 2538.461037] scsi_execute_cmd+0x7c/0x23c\n[ 2538.461040] ioctl_internal_command+0x5c/0x164\n[ 2538.461046] scsi_set_medium_removal+0x5c/0xb0\n[ 2538.461051] sd_release+0x50/0x94\n[ 2538.461054] blkdev_put+0x190/0x28c\n[ 2538.461058] blkdev_release+0x28/0x40\n[ 2538.461063] __fput+0xf8/0x2a8\n[ 2538.461066] __fput_sync+0x28/0x5c\n[ 2538.461070] __arm64_sys_close+0x84/0xe8\n[ 2538.461073] invoke_syscall+0x58/0x114\n[ 2538.461078] el0_svc_common+0xac/0xe0\n[ 2538.461082] do_el0_svc+0x1c/0x28\n[ 2538.461087] el0_svc+0x38/0x68\n[ 2538.461090] el0t_64_sync_handler+0x68/0xbc\n[ 2538.461093] el0t_64_sync+0x1a8/0x1ac\n\n T1:\t\t\t\tT2:\n sd_remove\n del_gendisk\n __blk_mark_disk_dead\n blk_freeze_queue_start\n ++q->mq_freeze_depth\n \t\t\t\tbdev_release\n \t\t\t\tmutex_lock(&disk->open_mutex)\n \t\t\t\tsd_release\n \t\t\t\tscsi_execute_cmd\n \t\t\t\tblk_queue_enter\n \t\t\t\twait_event(!q->mq_freeze_depth)\n mutex_lock(&disk->open_mutex)\n\nSCSI does not set GD_OWNS_QUEUE, so QUEUE_FLAG_DYING is not set in\nthis scenario. This is a classic ABBA deadlock. To fix the deadlock,\nmake sure we don't try to acquire disk->open_mutex after freezing\nthe queue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42294\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42294\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42294\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42294\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42294\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5a5625a83eac91fdff1d5f0202ecfc45a31983c9\",\n \"https://git.kernel.org/stable/c/7e04da2dc7013af50ed3a2beb698d5168d1e594b\",\n \"https://git.kernel.org/stable/c/f5418f48a93b69ed9e6a2281eee06b412f14a544\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: fix deadlock between sd_remove & sd_release\\n\\nOur test report the following hung task:\\n\\n[ 2538.459400] INFO: task \\\"kworker/0:0\\\":7 blocked for more than 188 seconds.\\n[ 2538.459427] Call trace:\\n[ 2538.459430] __switch_to+0x174/0x338\\n[ 2538.459436] __schedule+0x628/0x9c4\\n[ 2538.459442] schedule+0x7c/0xe8\\n[ 2538.459447] schedule_preempt_disabled+0x24/0x40\\n[ 2538.459453] __mutex_lock+0x3ec/0xf04\\n[ 2538.459456] __mutex_lock_slowpath+0x14/0x24\\n[ 2538.459459] mutex_lock+0x30/0xd8\\n[ 2538.459462] del_gendisk+0xdc/0x350\\n[ 2538.459466] sd_remove+0x30/0x60\\n[ 2538.459470] device_release_driver_internal+0x1c4/0x2c4\\n[ 2538.459474] device_release_driver+0x18/0x28\\n[ 2538.459478] bus_remove_device+0x15c/0x174\\n[ 2538.459483] device_del+0x1d0/0x358\\n[ 2538.459488] __scsi_remove_device+0xa8/0x198\\n[ 2538.459493] scsi_forget_host+0x50/0x70\\n[ 2538.459497] scsi_remove_host+0x80/0x180\\n[ 2538.459502] usb_stor_disconnect+0x68/0xf4\\n[ 2538.459506] usb_unbind_interface+0xd4/0x280\\n[ 2538.459510] device_release_driver_internal+0x1c4/0x2c4\\n[ 2538.459514] device_release_driver+0x18/0x28\\n[ 2538.459518] bus_remove_device+0x15c/0x174\\n[ 2538.459523] device_del+0x1d0/0x358\\n[ 2538.459528] usb_disable_device+0x84/0x194\\n[ 2538.459532] usb_disconnect+0xec/0x300\\n[ 2538.459537] hub_event+0xb80/0x1870\\n[ 2538.459541] process_scheduled_works+0x248/0x4dc\\n[ 2538.459545] worker_thread+0x244/0x334\\n[ 2538.459549] kthread+0x114/0x1bc\\n\\n[ 2538.461001] INFO: task \\\"fsck.\\\":15415 blocked for more than 188 seconds.\\n[ 2538.461014] Call trace:\\n[ 2538.461016] __switch_to+0x174/0x338\\n[ 2538.461021] __schedule+0x628/0x9c4\\n[ 2538.461025] schedule+0x7c/0xe8\\n[ 2538.461030] blk_queue_enter+0xc4/0x160\\n[ 2538.461034] blk_mq_alloc_request+0x120/0x1d4\\n[ 2538.461037] scsi_execute_cmd+0x7c/0x23c\\n[ 2538.461040] ioctl_internal_command+0x5c/0x164\\n[ 2538.461046] scsi_set_medium_removal+0x5c/0xb0\\n[ 2538.461051] sd_release+0x50/0x94\\n[ 2538.461054] blkdev_put+0x190/0x28c\\n[ 2538.461058] blkdev_release+0x28/0x40\\n[ 2538.461063] __fput+0xf8/0x2a8\\n[ 2538.461066] __fput_sync+0x28/0x5c\\n[ 2538.461070] __arm64_sys_close+0x84/0xe8\\n[ 2538.461073] invoke_syscall+0x58/0x114\\n[ 2538.461078] el0_svc_common+0xac/0xe0\\n[ 2538.461082] do_el0_svc+0x1c/0x28\\n[ 2538.461087] el0_svc+0x38/0x68\\n[ 2538.461090] el0t_64_sync_handler+0x68/0xbc\\n[ 2538.461093] el0t_64_sync+0x1a8/0x1ac\\n\\n T1:\\t\\t\\t\\tT2:\\n sd_remove\\n del_gendisk\\n __blk_mark_disk_dead\\n blk_freeze_queue_start\\n ++q->mq_freeze_depth\\n \\t\\t\\t\\tbdev_release\\n \\t\\t\\t\\tmutex_lock(&disk->open_mutex)\\n \\t\\t\\t\\tsd_release\\n \\t\\t\\t\\tscsi_execute_cmd\\n \\t\\t\\t\\tblk_queue_enter\\n \\t\\t\\t\\twait_event(!q->mq_freeze_depth)\\n mutex_lock(&disk->open_mutex)\\n\\nSCSI does not set GD_OWNS_QUEUE, so QUEUE_FLAG_DYING is not set in\\nthis scenario. This is a classic ABBA deadlock. To fix the deadlock,\\nmake sure we don't try to acquire disk->open_mutex after freezing\\nthe queue.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42294\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42295", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42295" + }, + { + "url": "https://git.kernel.org/stable/c/012be828a118bf496e666ef1fc47fc0e7358ada2" + }, + { + "url": "https://git.kernel.org/stable/c/02b87e6334a38c65eef49848d3f1ac422f0b2a44" + }, + { + "url": "https://git.kernel.org/stable/c/19cce46238ffe3546e44b9c74057103ff8b24c62" + }, + { + "url": "https://git.kernel.org/stable/c/366c3f688dd0288cbe38af1d3a886b5c62372e4a" + }, + { + "url": "https://git.kernel.org/stable/c/4811f7af6090e8f5a398fbdd766f903ef6c0d787" + }, + { + "url": "https://git.kernel.org/stable/c/5f0a6800b8aec1b453c7fe4c44fcaac5ffe9d52e" + }, + { + "url": "https://git.kernel.org/stable/c/be56dfc9be0604291267c07b0e27a69a6bda4899" + }, + { + "url": "https://git.kernel.org/stable/c/e34191cce3ee63dfa5fb241904aaf2a042d5b6d8" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42295 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42295", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: handle inconsistent state in nilfs_btnode_create_block()\n\nSyzbot reported that a buffer state inconsistency was detected in\nnilfs_btnode_create_block(), triggering a kernel bug.\n\nIt is not appropriate to treat this inconsistency as a bug; it can occur\nif the argument block address (the buffer index of the newly created\nblock) is a virtual block number and has been reallocated due to\ncorruption of the bitmap used to manage its allocation state.\n\nSo, modify nilfs_btnode_create_block() and its callers to treat it as a\npossible filesystem error, rather than triggering a kernel bug.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42295\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42295\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42295\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42295\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42295\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/012be828a118bf496e666ef1fc47fc0e7358ada2\",\n \"https://git.kernel.org/stable/c/02b87e6334a38c65eef49848d3f1ac422f0b2a44\",\n \"https://git.kernel.org/stable/c/19cce46238ffe3546e44b9c74057103ff8b24c62\",\n \"https://git.kernel.org/stable/c/366c3f688dd0288cbe38af1d3a886b5c62372e4a\",\n \"https://git.kernel.org/stable/c/4811f7af6090e8f5a398fbdd766f903ef6c0d787\",\n \"https://git.kernel.org/stable/c/5f0a6800b8aec1b453c7fe4c44fcaac5ffe9d52e\",\n \"https://git.kernel.org/stable/c/be56dfc9be0604291267c07b0e27a69a6bda4899\",\n \"https://git.kernel.org/stable/c/e34191cce3ee63dfa5fb241904aaf2a042d5b6d8\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: handle inconsistent state in nilfs_btnode_create_block()\\n\\nSyzbot reported that a buffer state inconsistency was detected in\\nnilfs_btnode_create_block(), triggering a kernel bug.\\n\\nIt is not appropriate to treat this inconsistency as a bug; it can occur\\nif the argument block address (the buffer index of the newly created\\nblock) is a virtual block number and has been reallocated due to\\ncorruption of the bitmap used to manage its allocation state.\\n\\nSo, modify nilfs_btnode_create_block() and its callers to treat it as a\\npossible filesystem error, rather than triggering a kernel bug.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42295\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42296", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42296" + }, + { + "url": "https://git.kernel.org/stable/c/077f0e24b27c4b44841593c7edbd1993be9eecb5" + }, + { + "url": "https://git.kernel.org/stable/c/1e7725814361c8c008d131db195cef8274ff26b8" + }, + { + "url": "https://git.kernel.org/stable/c/47a8ddcdcaccd9b891db4574795e46a33a121ac2" + }, + { + "url": "https://git.kernel.org/stable/c/70f5ef5f33c333cfb286116fa3af74ac9bc84f1b" + }, + { + "url": "https://git.kernel.org/stable/c/a8eb3de28e7a365690c61161e7a07a4fc7c60bbf" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42296 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42296", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix return value of f2fs_convert_inline_inode()\n\nIf device is readonly, make f2fs_convert_inline_inode()\nreturn EROFS instead of zero, otherwise it may trigger\npanic during writeback of inline inode's dirty page as\nbelow:\n\n f2fs_write_single_data_page+0xbb6/0x1e90 fs/f2fs/data.c:2888\n f2fs_write_cache_pages fs/f2fs/data.c:3187 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3342 [inline]\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3369\n do_writepages+0x359/0x870 mm/page-writeback.c:2634\n filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397\n __filemap_fdatawrite_range mm/filemap.c:430 [inline]\n file_write_and_wait_range+0x1aa/0x290 mm/filemap.c:788\n f2fs_do_sync_file+0x68a/0x1ae0 fs/f2fs/file.c:276\n generic_write_sync include/linux/fs.h:2806 [inline]\n f2fs_file_write_iter+0x7bd/0x24e0 fs/f2fs/file.c:4977\n call_write_iter include/linux/fs.h:2114 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xa72/0xc90 fs/read_write.c:590\n ksys_write+0x1a0/0x2c0 fs/read_write.c:643\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42296\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42296\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42296\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42296\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42296\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/077f0e24b27c4b44841593c7edbd1993be9eecb5\",\n \"https://git.kernel.org/stable/c/1e7725814361c8c008d131db195cef8274ff26b8\",\n \"https://git.kernel.org/stable/c/47a8ddcdcaccd9b891db4574795e46a33a121ac2\",\n \"https://git.kernel.org/stable/c/70f5ef5f33c333cfb286116fa3af74ac9bc84f1b\",\n \"https://git.kernel.org/stable/c/a8eb3de28e7a365690c61161e7a07a4fc7c60bbf\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix return value of f2fs_convert_inline_inode()\\n\\nIf device is readonly, make f2fs_convert_inline_inode()\\nreturn EROFS instead of zero, otherwise it may trigger\\npanic during writeback of inline inode's dirty page as\\nbelow:\\n\\n f2fs_write_single_data_page+0xbb6/0x1e90 fs/f2fs/data.c:2888\\n f2fs_write_cache_pages fs/f2fs/data.c:3187 [inline]\\n __f2fs_write_data_pages fs/f2fs/data.c:3342 [inline]\\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3369\\n do_writepages+0x359/0x870 mm/page-writeback.c:2634\\n filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397\\n __filemap_fdatawrite_range mm/filemap.c:430 [inline]\\n file_write_and_wait_range+0x1aa/0x290 mm/filemap.c:788\\n f2fs_do_sync_file+0x68a/0x1ae0 fs/f2fs/file.c:276\\n generic_write_sync include/linux/fs.h:2806 [inline]\\n f2fs_file_write_iter+0x7bd/0x24e0 fs/f2fs/file.c:4977\\n call_write_iter include/linux/fs.h:2114 [inline]\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0xa72/0xc90 fs/read_write.c:590\\n ksys_write+0x1a0/0x2c0 fs/read_write.c:643\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42296\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42297", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42297" + }, + { + "url": "https://git.kernel.org/stable/c/192b8fb8d1c8ca3c87366ebbef599fa80bb626b8" + }, + { + "url": "https://git.kernel.org/stable/c/2434344559f6743efb3ac15d11af9a0db9543bd3" + }, + { + "url": "https://git.kernel.org/stable/c/2d2916516577f2239b3377d9e8d12da5e6ccdfcf" + }, + { + "url": "https://git.kernel.org/stable/c/54162974aea37a8cae00742470a78c7f6bd6f915" + }, + { + "url": "https://git.kernel.org/stable/c/54bc4e88447e385c4d4ffa85d93e0dce628fcfa6" + }, + { + "url": "https://git.kernel.org/stable/c/9ce8135accf103f7333af472709125878704fdd4" + }, + { + "url": "https://git.kernel.org/stable/c/e62ff092a42f4a1bae3b310cf46673b4f3aac3b5" + }, + { + "url": "https://git.kernel.org/stable/c/ec56571b4b146a1cfbedab49d5fcaf19fe8bf4f1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42297 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42297", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to don't dirty inode for readonly filesystem\n\nsyzbot reports f2fs bug as below:\n\nkernel BUG at fs/f2fs/inode.c:933!\nRIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933\nCall Trace:\n evict+0x2a4/0x620 fs/inode.c:664\n dispose_list fs/inode.c:697 [inline]\n evict_inodes+0x5f8/0x690 fs/inode.c:747\n generic_shutdown_super+0x9d/0x2c0 fs/super.c:675\n kill_block_super+0x44/0x90 fs/super.c:1667\n kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894\n deactivate_locked_super+0xc1/0x130 fs/super.c:484\n cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256\n task_work_run+0x24a/0x300 kernel/task_work.c:180\n ptrace_notify+0x2cd/0x380 kernel/signal.c:2399\n ptrace_report_syscall include/linux/ptrace.h:411 [inline]\n ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]\n syscall_exit_work kernel/entry/common.c:251 [inline]\n syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]\n syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296\n do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nThe root cause is:\n- do_sys_open\n - f2fs_lookup\n - __f2fs_find_entry\n - f2fs_i_depth_write\n - f2fs_mark_inode_dirty_sync\n - f2fs_dirty_inode\n - set_inode_flag(inode, FI_DIRTY_INODE)\n\n- umount\n - kill_f2fs_super\n - kill_block_super\n - generic_shutdown_super\n - sync_filesystem\n : sb is readonly, skip sync_filesystem()\n - evict_inodes\n - iput\n - f2fs_evict_inode\n - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE))\n : trigger kernel panic\n\nWhen we try to repair i_current_depth in readonly filesystem, let's\nskip dirty inode to avoid panic in later f2fs_evict_inode().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42297\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42297\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42297\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42297\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42297\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/192b8fb8d1c8ca3c87366ebbef599fa80bb626b8\",\n \"https://git.kernel.org/stable/c/2434344559f6743efb3ac15d11af9a0db9543bd3\",\n \"https://git.kernel.org/stable/c/2d2916516577f2239b3377d9e8d12da5e6ccdfcf\",\n \"https://git.kernel.org/stable/c/54162974aea37a8cae00742470a78c7f6bd6f915\",\n \"https://git.kernel.org/stable/c/54bc4e88447e385c4d4ffa85d93e0dce628fcfa6\",\n \"https://git.kernel.org/stable/c/9ce8135accf103f7333af472709125878704fdd4\",\n \"https://git.kernel.org/stable/c/e62ff092a42f4a1bae3b310cf46673b4f3aac3b5\",\n \"https://git.kernel.org/stable/c/ec56571b4b146a1cfbedab49d5fcaf19fe8bf4f1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to don't dirty inode for readonly filesystem\\n\\nsyzbot reports f2fs bug as below:\\n\\nkernel BUG at fs/f2fs/inode.c:933!\\nRIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933\\nCall Trace:\\n evict+0x2a4/0x620 fs/inode.c:664\\n dispose_list fs/inode.c:697 [inline]\\n evict_inodes+0x5f8/0x690 fs/inode.c:747\\n generic_shutdown_super+0x9d/0x2c0 fs/super.c:675\\n kill_block_super+0x44/0x90 fs/super.c:1667\\n kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894\\n deactivate_locked_super+0xc1/0x130 fs/super.c:484\\n cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256\\n task_work_run+0x24a/0x300 kernel/task_work.c:180\\n ptrace_notify+0x2cd/0x380 kernel/signal.c:2399\\n ptrace_report_syscall include/linux/ptrace.h:411 [inline]\\n ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]\\n syscall_exit_work kernel/entry/common.c:251 [inline]\\n syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]\\n __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]\\n syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296\\n do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nThe root cause is:\\n- do_sys_open\\n - f2fs_lookup\\n - __f2fs_find_entry\\n - f2fs_i_depth_write\\n - f2fs_mark_inode_dirty_sync\\n - f2fs_dirty_inode\\n - set_inode_flag(inode, FI_DIRTY_INODE)\\n\\n- umount\\n - kill_f2fs_super\\n - kill_block_super\\n - generic_shutdown_super\\n - sync_filesystem\\n : sb is readonly, skip sync_filesystem()\\n - evict_inodes\\n - iput\\n - f2fs_evict_inode\\n - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE))\\n : trigger kernel panic\\n\\nWhen we try to repair i_current_depth in readonly filesystem, let's\\nskip dirty inode to avoid panic in later f2fs_evict_inode().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42297\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42299", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42299" + }, + { + "url": "https://git.kernel.org/stable/c/0484adcb5fbcadd9ba0fd4485c42630f72e97da9" + }, + { + "url": "https://git.kernel.org/stable/c/0a4ae2644e2a3b3b219aad9639fb2b0691d08420" + }, + { + "url": "https://git.kernel.org/stable/c/2cac0df3324b5e287d8020bc0708f7d2dec88a6f" + }, + { + "url": "https://git.kernel.org/stable/c/2fef55d8f78383c8e6d6d4c014b9597375132696" + }, + { + "url": "https://git.kernel.org/stable/c/b90ceffdc975502bc085ce8e79c6adeff05f9521" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42299 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42299", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Update log->page_{mask,bits} if log->page_size changed\n\nIf an NTFS file system is mounted to another system with different\nPAGE_SIZE from the original system, log->page_size will change in\nlog_replay(), but log->page_{mask,bits} don't change correspondingly.\nThis will cause a panic because \"u32 bytes = log->page_size - page_off\"\nwill get a negative value in the later read_log_page().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42299\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42299\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42299\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42299\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42299\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0484adcb5fbcadd9ba0fd4485c42630f72e97da9\",\n \"https://git.kernel.org/stable/c/0a4ae2644e2a3b3b219aad9639fb2b0691d08420\",\n \"https://git.kernel.org/stable/c/2cac0df3324b5e287d8020bc0708f7d2dec88a6f\",\n \"https://git.kernel.org/stable/c/2fef55d8f78383c8e6d6d4c014b9597375132696\",\n \"https://git.kernel.org/stable/c/b90ceffdc975502bc085ce8e79c6adeff05f9521\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Update log->page_{mask,bits} if log->page_size changed\\n\\nIf an NTFS file system is mounted to another system with different\\nPAGE_SIZE from the original system, log->page_size will change in\\nlog_replay(), but log->page_{mask,bits} don't change correspondingly.\\nThis will cause a panic because \\\"u32 bytes = log->page_size - page_off\\\"\\nwill get a negative value in the later read_log_page().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42299\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42301", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42301" + }, + { + "url": "https://git.kernel.org/stable/c/166a0bddcc27de41fe13f861c8348e8e53e988c8" + }, + { + "url": "https://git.kernel.org/stable/c/47b3dce100778001cd76f7e9188944b5cb27a76d" + }, + { + "url": "https://git.kernel.org/stable/c/7789a1d6792af410aa9b39a1eb237ed24fa2170a" + }, + { + "url": "https://git.kernel.org/stable/c/7f4da759092a1a6ce35fb085182d02de8cc4cc84" + }, + { + "url": "https://git.kernel.org/stable/c/a44f88f7576bc1916d8d6293f5c62fbe7cbe03e0" + }, + { + "url": "https://git.kernel.org/stable/c/ab11dac93d2d568d151b1918d7b84c2d02bacbd5" + }, + { + "url": "https://git.kernel.org/stable/c/b579ea3516c371ecf59d073772bc45dfd28c8a0e" + }, + { + "url": "https://git.kernel.org/stable/c/c719b393374d3763e64900ee19aaed767d5a08d6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42301 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42301", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndev/parport: fix the array out-of-bounds risk\n\nFixed array out-of-bounds issues caused by sprintf\nby replacing it with snprintf for safer data copying,\nensuring the destination buffer is not overflowed.\n\nBelow is the stack trace I encountered during the actual issue:\n\n[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector:\nKernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]\n[ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm:\nQThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2\n[ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp\n[ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun\nPGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024\n[ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace:\n[ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0\n[ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20\n[ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c\n[ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc\n[ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38\n[ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42301\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42301\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42301\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42301\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42301\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/166a0bddcc27de41fe13f861c8348e8e53e988c8\",\n \"https://git.kernel.org/stable/c/47b3dce100778001cd76f7e9188944b5cb27a76d\",\n \"https://git.kernel.org/stable/c/7789a1d6792af410aa9b39a1eb237ed24fa2170a\",\n \"https://git.kernel.org/stable/c/7f4da759092a1a6ce35fb085182d02de8cc4cc84\",\n \"https://git.kernel.org/stable/c/a44f88f7576bc1916d8d6293f5c62fbe7cbe03e0\",\n \"https://git.kernel.org/stable/c/ab11dac93d2d568d151b1918d7b84c2d02bacbd5\",\n \"https://git.kernel.org/stable/c/b579ea3516c371ecf59d073772bc45dfd28c8a0e\",\n \"https://git.kernel.org/stable/c/c719b393374d3763e64900ee19aaed767d5a08d6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndev/parport: fix the array out-of-bounds risk\\n\\nFixed array out-of-bounds issues caused by sprintf\\nby replacing it with snprintf for safer data copying,\\nensuring the destination buffer is not overflowed.\\n\\nBelow is the stack trace I encountered during the actual issue:\\n\\n[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector:\\nKernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]\\n[ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm:\\nQThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2\\n[ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp\\n[ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun\\nPGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024\\n[ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace:\\n[ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0\\n[ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20\\n[ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c\\n[ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc\\n[ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38\\n[ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42301\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42302", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42302" + }, + { + "url": "https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed" + }, + { + "url": "https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7" + }, + { + "url": "https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f" + }, + { + "url": "https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62" + }, + { + "url": "https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d" + }, + { + "url": "https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42302 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42302", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/DPC: Fix use-after-free on concurrent DPC and hot-removal\n\nKeith reports a use-after-free when a DPC event occurs concurrently to\nhot-removal of the same portion of the hierarchy:\n\nThe dpc_handler() awaits readiness of the secondary bus below the\nDownstream Port where the DPC event occurred. To do so, it polls the\nconfig space of the first child device on the secondary bus. If that\nchild device is concurrently removed, accesses to its struct pci_dev\ncause the kernel to oops.\n\nThat's because pci_bridge_wait_for_secondary_bus() neglects to hold a\nreference on the child device. Before v6.3, the function was only\ncalled on resume from system sleep or on runtime resume. Holding a\nreference wasn't necessary back then because the pciehp IRQ thread\ncould never run concurrently. (On resume from system sleep, IRQs are\nnot enabled until after the resume_noirq phase. And runtime resume is\nalways awaited before a PCI device is removed.)\n\nHowever starting with v6.3, pci_bridge_wait_for_secondary_bus() is also\ncalled on a DPC event. Commit 53b54ad074de (\"PCI/DPC: Await readiness\nof secondary bus after reset\"), which introduced that, failed to\nappreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a\nreference on the child device because dpc_handler() and pciehp may\nindeed run concurrently. The commit was backported to v5.10+ stable\nkernels, so that's the oldest one affected.\n\nAdd the missing reference acquisition.\n\nAbridged stack trace:\n\n BUG: unable to handle page fault for address: 00000000091400c0\n CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0\n RIP: pci_bus_read_config_dword+0x17/0x50\n pci_dev_wait()\n pci_bridge_wait_for_secondary_bus()\n dpc_reset_link()\n pcie_do_recovery()\n dpc_handler()", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42302\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42302\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42302\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42302\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42302\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed\",\n \"https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7\",\n \"https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f\",\n \"https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62\",\n \"https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d\",\n \"https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI/DPC: Fix use-after-free on concurrent DPC and hot-removal\\n\\nKeith reports a use-after-free when a DPC event occurs concurrently to\\nhot-removal of the same portion of the hierarchy:\\n\\nThe dpc_handler() awaits readiness of the secondary bus below the\\nDownstream Port where the DPC event occurred. To do so, it polls the\\nconfig space of the first child device on the secondary bus. If that\\nchild device is concurrently removed, accesses to its struct pci_dev\\ncause the kernel to oops.\\n\\nThat's because pci_bridge_wait_for_secondary_bus() neglects to hold a\\nreference on the child device. Before v6.3, the function was only\\ncalled on resume from system sleep or on runtime resume. Holding a\\nreference wasn't necessary back then because the pciehp IRQ thread\\ncould never run concurrently. (On resume from system sleep, IRQs are\\nnot enabled until after the resume_noirq phase. And runtime resume is\\nalways awaited before a PCI device is removed.)\\n\\nHowever starting with v6.3, pci_bridge_wait_for_secondary_bus() is also\\ncalled on a DPC event. Commit 53b54ad074de (\\\"PCI/DPC: Await readiness\\nof secondary bus after reset\\\"), which introduced that, failed to\\nappreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a\\nreference on the child device because dpc_handler() and pciehp may\\nindeed run concurrently. The commit was backported to v5.10+ stable\\nkernels, so that's the oldest one affected.\\n\\nAdd the missing reference acquisition.\\n\\nAbridged stack trace:\\n\\n BUG: unable to handle page fault for address: 00000000091400c0\\n CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0\\n RIP: pci_bus_read_config_dword+0x17/0x50\\n pci_dev_wait()\\n pci_bridge_wait_for_secondary_bus()\\n dpc_reset_link()\\n pcie_do_recovery()\\n dpc_handler()\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42302\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42304", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42304" + }, + { + "url": "https://git.kernel.org/stable/c/299bc6ffa57e04e74c6cce866d6c0741fb4897a1" + }, + { + "url": "https://git.kernel.org/stable/c/9771e3d8365ae1dd5e8846a204cb9af14e3e656a" + }, + { + "url": "https://git.kernel.org/stable/c/b609753cbbd38f8c0affd4956c0af178348523ac" + }, + { + "url": "https://git.kernel.org/stable/c/c3893d9de8ee153baac56d127d844103488133b5" + }, + { + "url": "https://git.kernel.org/stable/c/d81d7e347d1f1f48a5634607d39eb90c161c8afe" + }, + { + "url": "https://git.kernel.org/stable/c/de2a011a13a46468a6e8259db58b1b62071fe136" + }, + { + "url": "https://git.kernel.org/stable/c/e02f9941e8c011aa3eafa799def6a134ce06bcfa" + }, + { + "url": "https://git.kernel.org/stable/c/f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42304 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42304", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: make sure the first directory block is not a hole\n\nThe syzbot constructs a directory that has no dirblock but is non-inline,\ni.e. the first directory block is a hole. And no errors are reported when\ncreating files in this directory in the following flow.\n\n ext4_mknod\n ...\n ext4_add_entry\n // Read block 0\n ext4_read_dirblock(dir, block, DIRENT)\n bh = ext4_bread(NULL, inode, block, 0)\n if (!bh && (type == INDEX || type == DIRENT_HTREE))\n // The first directory block is a hole\n // But type == DIRENT, so no error is reported.\n\nAfter that, we get a directory block without '.' and '..' but with a valid\ndentry. This may cause some code that relies on dot or dotdot (such as\nmake_indexed_dir()) to crash.\n\nTherefore when ext4_read_dirblock() finds that the first directory block\nis a hole report that the filesystem is corrupted and return an error to\navoid loading corrupted data from disk causing something bad.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42304\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42304\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42304\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42304\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42304\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/299bc6ffa57e04e74c6cce866d6c0741fb4897a1\",\n \"https://git.kernel.org/stable/c/9771e3d8365ae1dd5e8846a204cb9af14e3e656a\",\n \"https://git.kernel.org/stable/c/b609753cbbd38f8c0affd4956c0af178348523ac\",\n \"https://git.kernel.org/stable/c/c3893d9de8ee153baac56d127d844103488133b5\",\n \"https://git.kernel.org/stable/c/d81d7e347d1f1f48a5634607d39eb90c161c8afe\",\n \"https://git.kernel.org/stable/c/de2a011a13a46468a6e8259db58b1b62071fe136\",\n \"https://git.kernel.org/stable/c/e02f9941e8c011aa3eafa799def6a134ce06bcfa\",\n \"https://git.kernel.org/stable/c/f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: make sure the first directory block is not a hole\\n\\nThe syzbot constructs a directory that has no dirblock but is non-inline,\\ni.e. the first directory block is a hole. And no errors are reported when\\ncreating files in this directory in the following flow.\\n\\n ext4_mknod\\n ...\\n ext4_add_entry\\n // Read block 0\\n ext4_read_dirblock(dir, block, DIRENT)\\n bh = ext4_bread(NULL, inode, block, 0)\\n if (!bh && (type == INDEX || type == DIRENT_HTREE))\\n // The first directory block is a hole\\n // But type == DIRENT, so no error is reported.\\n\\nAfter that, we get a directory block without '.' and '..' but with a valid\\ndentry. This may cause some code that relies on dot or dotdot (such as\\nmake_indexed_dir()) to crash.\\n\\nTherefore when ext4_read_dirblock() finds that the first directory block\\nis a hole report that the filesystem is corrupted and return an error to\\navoid loading corrupted data from disk causing something bad.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42304\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42305", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42305" + }, + { + "url": "https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8" + }, + { + "url": "https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa" + }, + { + "url": "https://git.kernel.org/stable/c/50ea741def587a64e08879ce6c6a30131f7111e7" + }, + { + "url": "https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a" + }, + { + "url": "https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2" + }, + { + "url": "https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c" + }, + { + "url": "https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db" + }, + { + "url": "https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d2397d378c5" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42305 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42305", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: check dot and dotdot of dx_root before making dir indexed\n\nSyzbot reports a issue as follows:\n============================================\nBUG: unable to handle page fault for address: ffffed11022e24fe\nPGD 23ffee067 P4D 23ffee067 PUD 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0\nCall Trace:\n \n make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451\n ext4_rename fs/ext4/namei.c:3936 [inline]\n ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214\n[...]\n============================================\n\nThe immediate cause of this problem is that there is only one valid dentry\nfor the block to be split during do_split, so split==0 results in out of\nbounds accesses to the map triggering the issue.\n\n do_split\n unsigned split\n dx_make_map\n count = 1\n split = count/2 = 0;\n continued = hash2 == map[split - 1].hash;\n ---> map[4294967295]\n\nThe maximum length of a filename is 255 and the minimum block size is 1024,\nso it is always guaranteed that the number of entries is greater than or\nequal to 2 when do_split() is called.\n\nBut syzbot's crafted image has no dot and dotdot in dir, and the dentry\ndistribution in dirblock is as follows:\n\n bus dentry1 hole dentry2 free\n|xx--|xx-------------|...............|xx-------------|...............|\n0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024\n\nSo when renaming dentry1 increases its name_len length by 1, neither hole\nnor free is sufficient to hold the new dentry, and make_indexed_dir() is\ncalled.\n\nIn make_indexed_dir() it is assumed that the first two entries of the\ndirblock must be dot and dotdot, so bus and dentry1 are left in dx_root\nbecause they are treated as dot and dotdot, and only dentry2 is moved\nto the new leaf block. That's why count is equal to 1.\n\nTherefore add the ext4_check_dx_root() helper function to add more sanity\nchecks to dot and dotdot before starting the conversion to avoid the above\nissue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42305\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42305\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42305\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42305\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42305\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8\",\n \"https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa\",\n \"https://git.kernel.org/stable/c/50ea741def587a64e08879ce6c6a30131f7111e7\",\n \"https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a\",\n \"https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2\",\n \"https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c\",\n \"https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db\",\n \"https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d2397d378c5\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: check dot and dotdot of dx_root before making dir indexed\\n\\nSyzbot reports a issue as follows:\\n============================================\\nBUG: unable to handle page fault for address: ffffed11022e24fe\\nPGD 23ffee067 P4D 23ffee067 PUD 0\\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\\nCPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0\\nCall Trace:\\n \\n make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341\\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451\\n ext4_rename fs/ext4/namei.c:3936 [inline]\\n ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214\\n[...]\\n============================================\\n\\nThe immediate cause of this problem is that there is only one valid dentry\\nfor the block to be split during do_split, so split==0 results in out of\\nbounds accesses to the map triggering the issue.\\n\\n do_split\\n unsigned split\\n dx_make_map\\n count = 1\\n split = count/2 = 0;\\n continued = hash2 == map[split - 1].hash;\\n ---> map[4294967295]\\n\\nThe maximum length of a filename is 255 and the minimum block size is 1024,\\nso it is always guaranteed that the number of entries is greater than or\\nequal to 2 when do_split() is called.\\n\\nBut syzbot's crafted image has no dot and dotdot in dir, and the dentry\\ndistribution in dirblock is as follows:\\n\\n bus dentry1 hole dentry2 free\\n|xx--|xx-------------|...............|xx-------------|...............|\\n0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024\\n\\nSo when renaming dentry1 increases its name_len length by 1, neither hole\\nnor free is sufficient to hold the new dentry, and make_indexed_dir() is\\ncalled.\\n\\nIn make_indexed_dir() it is assumed that the first two entries of the\\ndirblock must be dot and dotdot, so bus and dentry1 are left in dx_root\\nbecause they are treated as dot and dotdot, and only dentry2 is moved\\nto the new leaf block. That's why count is equal to 1.\\n\\nTherefore add the ext4_check_dx_root() helper function to add more sanity\\nchecks to dot and dotdot before starting the conversion to avoid the above\\nissue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42305\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42306", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42306" + }, + { + "url": "https://git.kernel.org/stable/c/2199e157a465aaf98294d3932797ecd7fce942d5" + }, + { + "url": "https://git.kernel.org/stable/c/271cab2ca00652bc984e269cf1208699a1e09cdd" + }, + { + "url": "https://git.kernel.org/stable/c/57053b3bcf3403b80db6f65aba284d7dfe7326af" + }, + { + "url": "https://git.kernel.org/stable/c/6a43e3c210df6c5f00570f4be49a897677dbcb64" + }, + { + "url": "https://git.kernel.org/stable/c/8ca170c39eca7cad6e0cfeb24e351d8f8eddcd65" + }, + { + "url": "https://git.kernel.org/stable/c/a90d4471146de21745980cba51ce88e7926bcc4f" + }, + { + "url": "https://git.kernel.org/stable/c/cae9e59cc41683408b70b9ab569f8654866ba914" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42306 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42306", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Avoid using corrupted block bitmap buffer\n\nWhen the filesystem block bitmap is corrupted, we detect the corruption\nwhile loading the bitmap and fail the allocation with error. However the\nnext allocation from the same bitmap will notice the bitmap buffer is\nalready loaded and tries to allocate from the bitmap with mixed results\n(depending on the exact nature of the bitmap corruption). Fix the\nproblem by using BH_verified bit to indicate whether the bitmap is valid\nor not.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42306\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42306\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42306\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42306\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42306\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2199e157a465aaf98294d3932797ecd7fce942d5\",\n \"https://git.kernel.org/stable/c/271cab2ca00652bc984e269cf1208699a1e09cdd\",\n \"https://git.kernel.org/stable/c/57053b3bcf3403b80db6f65aba284d7dfe7326af\",\n \"https://git.kernel.org/stable/c/6a43e3c210df6c5f00570f4be49a897677dbcb64\",\n \"https://git.kernel.org/stable/c/8ca170c39eca7cad6e0cfeb24e351d8f8eddcd65\",\n \"https://git.kernel.org/stable/c/a90d4471146de21745980cba51ce88e7926bcc4f\",\n \"https://git.kernel.org/stable/c/cae9e59cc41683408b70b9ab569f8654866ba914\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nudf: Avoid using corrupted block bitmap buffer\\n\\nWhen the filesystem block bitmap is corrupted, we detect the corruption\\nwhile loading the bitmap and fail the allocation with error. However the\\nnext allocation from the same bitmap will notice the bitmap buffer is\\nalready loaded and tries to allocate from the bitmap with mixed results\\n(depending on the exact nature of the bitmap corruption). Fix the\\nproblem by using BH_verified bit to indicate whether the bitmap is valid\\nor not.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42306\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42308", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42308" + }, + { + "url": "https://git.kernel.org/stable/c/185616085b12e651cdfd11ef00d1449f54552d89" + }, + { + "url": "https://git.kernel.org/stable/c/4ab68e168ae1695f7c04fae98930740aaf7c50fa" + }, + { + "url": "https://git.kernel.org/stable/c/4ccd37085976ea5d3c499b1e6d0b3f4deaf2cd5a" + }, + { + "url": "https://git.kernel.org/stable/c/6b5ed0648213e9355cc78f4a264d9afe8536d692" + }, + { + "url": "https://git.kernel.org/stable/c/71dbf95359347c2ecc5a6dfc02783fcfccb2e9fb" + }, + { + "url": "https://git.kernel.org/stable/c/9ce89824ff04d261fc855e0ca6e6025251d9fa40" + }, + { + "url": "https://git.kernel.org/stable/c/f068494430d15b5fc551ac928de9dac7e5e27602" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42308 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42308", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check for NULL pointer\n\n[why & how]\nNeed to make sure plane_state is initialized\nbefore accessing its members.\n\n(cherry picked from commit 295d91cbc700651782a60572f83c24861607b648)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42308\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42308\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42308\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42308\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42308\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/185616085b12e651cdfd11ef00d1449f54552d89\",\n \"https://git.kernel.org/stable/c/4ab68e168ae1695f7c04fae98930740aaf7c50fa\",\n \"https://git.kernel.org/stable/c/4ccd37085976ea5d3c499b1e6d0b3f4deaf2cd5a\",\n \"https://git.kernel.org/stable/c/6b5ed0648213e9355cc78f4a264d9afe8536d692\",\n \"https://git.kernel.org/stable/c/71dbf95359347c2ecc5a6dfc02783fcfccb2e9fb\",\n \"https://git.kernel.org/stable/c/9ce89824ff04d261fc855e0ca6e6025251d9fa40\",\n \"https://git.kernel.org/stable/c/f068494430d15b5fc551ac928de9dac7e5e27602\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Check for NULL pointer\\n\\n[why & how]\\nNeed to make sure plane_state is initialized\\nbefore accessing its members.\\n\\n(cherry picked from commit 295d91cbc700651782a60572f83c24861607b648)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42308\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42309", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42309" + }, + { + "url": "https://git.kernel.org/stable/c/13b5f3ee94bdbdc4b5f40582aab62977905aedee" + }, + { + "url": "https://git.kernel.org/stable/c/2df7aac81070987b0f052985856aa325a38debf6" + }, + { + "url": "https://git.kernel.org/stable/c/46d2ef272957879cbe30a884574320e7f7d78692" + }, + { + "url": "https://git.kernel.org/stable/c/475a5b3b7c8edf6e583a9eb59cf28ea770602e14" + }, + { + "url": "https://git.kernel.org/stable/c/6735d02ead7dd3adf74eb8b70aebd09e0ce78ec9" + }, + { + "url": "https://git.kernel.org/stable/c/7e52c62ff029f95005915c0a11863b5fb5185c8c" + }, + { + "url": "https://git.kernel.org/stable/c/d6ad202f73f8edba0cbc0065aa57a79ffe8fdcdc" + }, + { + "url": "https://git.kernel.org/stable/c/f70ffeca546452d1acd3a70ada56ecb2f3e7f811" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42309 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42309", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes\n\nIn psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42309\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42309\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42309\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42309\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42309\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13b5f3ee94bdbdc4b5f40582aab62977905aedee\",\n \"https://git.kernel.org/stable/c/2df7aac81070987b0f052985856aa325a38debf6\",\n \"https://git.kernel.org/stable/c/46d2ef272957879cbe30a884574320e7f7d78692\",\n \"https://git.kernel.org/stable/c/475a5b3b7c8edf6e583a9eb59cf28ea770602e14\",\n \"https://git.kernel.org/stable/c/6735d02ead7dd3adf74eb8b70aebd09e0ce78ec9\",\n \"https://git.kernel.org/stable/c/7e52c62ff029f95005915c0a11863b5fb5185c8c\",\n \"https://git.kernel.org/stable/c/d6ad202f73f8edba0cbc0065aa57a79ffe8fdcdc\",\n \"https://git.kernel.org/stable/c/f70ffeca546452d1acd3a70ada56ecb2f3e7f811\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes\\n\\nIn psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is\\nassigned to mode, which will lead to a possible NULL pointer dereference\\non failure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42309\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42310", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42310" + }, + { + "url": "https://git.kernel.org/stable/c/08f45102c81ad8bc9f85f7a25e9f64e128edb87d" + }, + { + "url": "https://git.kernel.org/stable/c/2d209b2f862f6b8bff549ede541590a8d119da23" + }, + { + "url": "https://git.kernel.org/stable/c/977ee4fe895e1729cd36cc26916bbb10084713d6" + }, + { + "url": "https://git.kernel.org/stable/c/a658ae2173ab74667c009e2550455e6de5b33ddc" + }, + { + "url": "https://git.kernel.org/stable/c/b6ac46a00188cde50ffba233e6efb366354a1de5" + }, + { + "url": "https://git.kernel.org/stable/c/cb520c3f366c77e8d69e4e2e2781a8ce48d98e79" + }, + { + "url": "https://git.kernel.org/stable/c/e74eb5e8089427c8c49e0dd5067e5f39ce3a4d56" + }, + { + "url": "https://git.kernel.org/stable/c/f392c36cebf4c1d6997a4cc2c0f205254acef42a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42310 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42310", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes\n\nIn cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42310\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42310\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42310\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42310\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42310\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/08f45102c81ad8bc9f85f7a25e9f64e128edb87d\",\n \"https://git.kernel.org/stable/c/2d209b2f862f6b8bff549ede541590a8d119da23\",\n \"https://git.kernel.org/stable/c/977ee4fe895e1729cd36cc26916bbb10084713d6\",\n \"https://git.kernel.org/stable/c/a658ae2173ab74667c009e2550455e6de5b33ddc\",\n \"https://git.kernel.org/stable/c/b6ac46a00188cde50ffba233e6efb366354a1de5\",\n \"https://git.kernel.org/stable/c/cb520c3f366c77e8d69e4e2e2781a8ce48d98e79\",\n \"https://git.kernel.org/stable/c/e74eb5e8089427c8c49e0dd5067e5f39ce3a4d56\",\n \"https://git.kernel.org/stable/c/f392c36cebf4c1d6997a4cc2c0f205254acef42a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes\\n\\nIn cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()\\nis assigned to mode, which will lead to a NULL pointer dereference on\\nfailure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42310\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42311", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42311" + }, + { + "url": "https://git.kernel.org/stable/c/10f7163bfb5f8b4e0c9c05a939f20b8540e33c65" + }, + { + "url": "https://git.kernel.org/stable/c/26a2ed107929a855155429b11e1293b83e6b2a8b" + }, + { + "url": "https://git.kernel.org/stable/c/4a52861cd76e79f1a593beb23d096523eb9732c2" + }, + { + "url": "https://git.kernel.org/stable/c/58d83fc160505a7009c39dec64effaac5129b971" + }, + { + "url": "https://git.kernel.org/stable/c/9c4e40b9b731220f9464975e49da75496e3865c4" + }, + { + "url": "https://git.kernel.org/stable/c/d3493d6f0dfb1ab5225b62faa77732983f2187a1" + }, + { + "url": "https://git.kernel.org/stable/c/d55aae5c1730d6b70d5d8eaff00113cd34772ea3" + }, + { + "url": "https://git.kernel.org/stable/c/f7316b2b2f11cf0c6de917beee8d3de728be24db" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42311 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42311", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()\n\nSyzbot reports uninitialized value access issue as below:\n\nloop0: detected capacity change from 0 to 64\n=====================================================\nBUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\n hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\n d_revalidate fs/namei.c:862 [inline]\n lookup_fast+0x89e/0x8e0 fs/namei.c:1649\n walk_component fs/namei.c:2001 [inline]\n link_path_walk+0x817/0x1480 fs/namei.c:2332\n path_lookupat+0xd9/0x6f0 fs/namei.c:2485\n filename_lookup+0x22e/0x740 fs/namei.c:2515\n user_path_at_empty+0x8b/0x390 fs/namei.c:2924\n user_path_at include/linux/namei.h:57 [inline]\n do_mount fs/namespace.c:3689 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x66b/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nBUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\nBUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\n hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\n hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\n block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271\n hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39\n filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426\n do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553\n do_read_cache_page mm/filemap.c:3595 [inline]\n read_cache_page+0xfb/0x2f0 mm/filemap.c:3604\n read_mapping_page include/linux/pagemap.h:755 [inline]\n hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78\n hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204\n hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406\n mount_bdev+0x628/0x920 fs/super.c:1359\n hfs_mount+0xcd/0xe0 fs/hfs/super.c:456\n legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610\n vfs_get_tree+0xdc/0x5d0 fs/super.c:1489\n do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145\n path_mount+0xf98/0x26a0 fs/namespace.c:3475\n do_mount fs/namespace.c:3488 [inline]\n __do_sys_mount fs/namespace.c:3697 [inline]\n __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674\n __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nUninit was created at:\n __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2190 [inline]\n allocate_slab mm/slub.c:2354 [inline]\n new_slab+0x2d7/0x1400 mm/slub.c:2407\n ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540\n __slab_alloc mm/slub.c:3625 [inline]\n __slab_alloc_node mm/slub.c:3678 [inline]\n slab_alloc_node mm/slub.c:3850 [inline]\n kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879\n alloc_inode_sb include/linux/fs.h:3018 [inline]\n hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165\n alloc_inode+0x83/0x440 fs/inode.c:260\n new_inode_pseudo fs/inode.c:1005 [inline]\n new_inode+0x38/0x4f0 fs/inode.c:1031\n hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186\n hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228\n vfs_mkdir+0x49a/0x700 fs/namei.c:4126\n do_mkdirat+0x529/0x810 fs/namei.c:4149\n __do_sys_mkdirat fs/namei.c:4164 [inline]\n __se_sys_mkdirat fs/namei.c:4162 [inline]\n __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nIt missed to initialize .tz_secondswest, .cached_start and .cached_blocks\nfields in struct hfs_inode_info after hfs_alloc_inode(), fix it.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42311\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42311\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42311\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42311\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42311\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/10f7163bfb5f8b4e0c9c05a939f20b8540e33c65\",\n \"https://git.kernel.org/stable/c/26a2ed107929a855155429b11e1293b83e6b2a8b\",\n \"https://git.kernel.org/stable/c/4a52861cd76e79f1a593beb23d096523eb9732c2\",\n \"https://git.kernel.org/stable/c/58d83fc160505a7009c39dec64effaac5129b971\",\n \"https://git.kernel.org/stable/c/9c4e40b9b731220f9464975e49da75496e3865c4\",\n \"https://git.kernel.org/stable/c/d3493d6f0dfb1ab5225b62faa77732983f2187a1\",\n \"https://git.kernel.org/stable/c/d55aae5c1730d6b70d5d8eaff00113cd34772ea3\",\n \"https://git.kernel.org/stable/c/f7316b2b2f11cf0c6de917beee8d3de728be24db\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()\\n\\nSyzbot reports uninitialized value access issue as below:\\n\\nloop0: detected capacity change from 0 to 64\\n=====================================================\\nBUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\\n hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\\n d_revalidate fs/namei.c:862 [inline]\\n lookup_fast+0x89e/0x8e0 fs/namei.c:1649\\n walk_component fs/namei.c:2001 [inline]\\n link_path_walk+0x817/0x1480 fs/namei.c:2332\\n path_lookupat+0xd9/0x6f0 fs/namei.c:2485\\n filename_lookup+0x22e/0x740 fs/namei.c:2515\\n user_path_at_empty+0x8b/0x390 fs/namei.c:2924\\n user_path_at include/linux/namei.h:57 [inline]\\n do_mount fs/namespace.c:3689 [inline]\\n __do_sys_mount fs/namespace.c:3898 [inline]\\n __se_sys_mount+0x66b/0x810 fs/namespace.c:3875\\n __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nBUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\\nBUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\\n hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\\n hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\\n block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271\\n hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39\\n filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426\\n do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553\\n do_read_cache_page mm/filemap.c:3595 [inline]\\n read_cache_page+0xfb/0x2f0 mm/filemap.c:3604\\n read_mapping_page include/linux/pagemap.h:755 [inline]\\n hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78\\n hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204\\n hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406\\n mount_bdev+0x628/0x920 fs/super.c:1359\\n hfs_mount+0xcd/0xe0 fs/hfs/super.c:456\\n legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610\\n vfs_get_tree+0xdc/0x5d0 fs/super.c:1489\\n do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145\\n path_mount+0xf98/0x26a0 fs/namespace.c:3475\\n do_mount fs/namespace.c:3488 [inline]\\n __do_sys_mount fs/namespace.c:3697 [inline]\\n __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674\\n __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674\\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\\n\\nUninit was created at:\\n __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\\n __alloc_pages_node include/linux/gfp.h:238 [inline]\\n alloc_pages_node include/linux/gfp.h:261 [inline]\\n alloc_slab_page mm/slub.c:2190 [inline]\\n allocate_slab mm/slub.c:2354 [inline]\\n new_slab+0x2d7/0x1400 mm/slub.c:2407\\n ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540\\n __slab_alloc mm/slub.c:3625 [inline]\\n __slab_alloc_node mm/slub.c:3678 [inline]\\n slab_alloc_node mm/slub.c:3850 [inline]\\n kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879\\n alloc_inode_sb include/linux/fs.h:3018 [inline]\\n hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165\\n alloc_inode+0x83/0x440 fs/inode.c:260\\n new_inode_pseudo fs/inode.c:1005 [inline]\\n new_inode+0x38/0x4f0 fs/inode.c:1031\\n hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186\\n hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228\\n vfs_mkdir+0x49a/0x700 fs/namei.c:4126\\n do_mkdirat+0x529/0x810 fs/namei.c:4149\\n __do_sys_mkdirat fs/namei.c:4164 [inline]\\n __se_sys_mkdirat fs/namei.c:4162 [inline]\\n __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nIt missed to initialize .tz_secondswest, .cached_start and .cached_blocks\\nfields in struct hfs_inode_info after hfs_alloc_inode(), fix it.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42311\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42312", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42312" + }, + { + "url": "https://git.kernel.org/stable/c/1deae34db9f4f8e0e03f891be2e2e15c15c8ac05" + }, + { + "url": "https://git.kernel.org/stable/c/34a86adea1f2b3c3f9d864c8cce09dca644601ab" + }, + { + "url": "https://git.kernel.org/stable/c/98ca62ba9e2be5863c7d069f84f7166b45a5b2f4" + }, + { + "url": "https://git.kernel.org/stable/c/b2591c89a6e2858796111138c38fcb6851aa1955" + }, + { + "url": "https://git.kernel.org/stable/c/c7e2f43d182f5dde473389dbb39f16c9f0d64536" + }, + { + "url": "https://git.kernel.org/stable/c/ffde3af4b29bf97d62d82e1d45275587e10a991a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42312 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42312", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: always initialize i_uid/i_gid\n\nAlways initialize i_uid/i_gid inside the sysfs core so set_ownership()\ncan safely skip setting them.\n\nCommit 5ec27ec735ba (\"fs/proc/proc_sysctl.c: fix the default values of\ni_uid/i_gid on /proc/sys inodes.\") added defaults for i_uid/i_gid when\nset_ownership() was not implemented. It also missed adjusting\nnet_ctl_set_ownership() to use the same default values in case the\ncomputation of a better value failed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42312\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42312\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42312\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42312\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42312\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1deae34db9f4f8e0e03f891be2e2e15c15c8ac05\",\n \"https://git.kernel.org/stable/c/34a86adea1f2b3c3f9d864c8cce09dca644601ab\",\n \"https://git.kernel.org/stable/c/98ca62ba9e2be5863c7d069f84f7166b45a5b2f4\",\n \"https://git.kernel.org/stable/c/b2591c89a6e2858796111138c38fcb6851aa1955\",\n \"https://git.kernel.org/stable/c/c7e2f43d182f5dde473389dbb39f16c9f0d64536\",\n \"https://git.kernel.org/stable/c/ffde3af4b29bf97d62d82e1d45275587e10a991a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsysctl: always initialize i_uid/i_gid\\n\\nAlways initialize i_uid/i_gid inside the sysfs core so set_ownership()\\ncan safely skip setting them.\\n\\nCommit 5ec27ec735ba (\\\"fs/proc/proc_sysctl.c: fix the default values of\\ni_uid/i_gid on /proc/sys inodes.\\\") added defaults for i_uid/i_gid when\\nset_ownership() was not implemented. It also missed adjusting\\nnet_ctl_set_ownership() to use the same default values in case the\\ncomputation of a better value failed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42312\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42313", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42313" + }, + { + "url": "https://git.kernel.org/stable/c/4c9d235630d35db762b85a4149bbb0be9d504c36" + }, + { + "url": "https://git.kernel.org/stable/c/66fa52edd32cdbb675f0803b3c4da10ea19b6635" + }, + { + "url": "https://git.kernel.org/stable/c/6a96041659e834dc0b172dda4b2df512d63920c2" + }, + { + "url": "https://git.kernel.org/stable/c/72aff311194c8ceda934f24fd6f250b8827d7567" + }, + { + "url": "https://git.kernel.org/stable/c/a0157b5aa34eb43ec4c5510f9c260bbb03be937e" + }, + { + "url": "https://git.kernel.org/stable/c/ad8cf035baf29467158e0550c7a42b7bb43d1db6" + }, + { + "url": "https://git.kernel.org/stable/c/da55685247f409bf7f976cc66ba2104df75d8dad" + }, + { + "url": "https://git.kernel.org/stable/c/f8e9a63b982a8345470c225679af4ba86e4a7282" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42313 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42313", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: fix use after free in vdec_close\n\nThere appears to be a possible use after free with vdec_close().\nThe firmware will add buffer release work to the work queue through\nHFI callbacks as a normal part of decoding. Randomly closing the\ndecoder device from userspace during normal decoding can incur\na read after free for inst.\n\nFix it by cancelling the work in vdec_close.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42313\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42313\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42313\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42313\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42313\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/4c9d235630d35db762b85a4149bbb0be9d504c36\",\n \"https://git.kernel.org/stable/c/66fa52edd32cdbb675f0803b3c4da10ea19b6635\",\n \"https://git.kernel.org/stable/c/6a96041659e834dc0b172dda4b2df512d63920c2\",\n \"https://git.kernel.org/stable/c/72aff311194c8ceda934f24fd6f250b8827d7567\",\n \"https://git.kernel.org/stable/c/a0157b5aa34eb43ec4c5510f9c260bbb03be937e\",\n \"https://git.kernel.org/stable/c/ad8cf035baf29467158e0550c7a42b7bb43d1db6\",\n \"https://git.kernel.org/stable/c/da55685247f409bf7f976cc66ba2104df75d8dad\",\n \"https://git.kernel.org/stable/c/f8e9a63b982a8345470c225679af4ba86e4a7282\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: venus: fix use after free in vdec_close\\n\\nThere appears to be a possible use after free with vdec_close().\\nThe firmware will add buffer release work to the work queue through\\nHFI callbacks as a normal part of decoding. Randomly closing the\\ndecoder device from userspace during normal decoding can incur\\na read after free for inst.\\n\\nFix it by cancelling the work in vdec_close.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42313\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42315", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42315" + }, + { + "url": "https://git.kernel.org/stable/c/1d1970493c289e3f44b9ec847ed26a5dbdf56a62" + }, + { + "url": "https://git.kernel.org/stable/c/89fc548767a2155231128cb98726d6d2ea1256c9" + }, + { + "url": "https://git.kernel.org/stable/c/a7ac198f8dba791e3144c4da48a5a9b95773ee4b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42315 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42315", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix potential deadlock on __exfat_get_dentry_set\n\nWhen accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array\nis allocated in __exfat_get_entry_set. The problem is that the bh-array is\nallocated with GFP_KERNEL. It does not make sense. In the following cases,\na deadlock for sbi->s_lock between the two processes may occur.\n\n CPU0 CPU1\n ---- ----\n kswapd\n balance_pgdat\n lock(fs_reclaim)\n exfat_iterate\n lock(&sbi->s_lock)\n exfat_readdir\n exfat_get_uniname_from_ext_entry\n exfat_get_dentry_set\n __exfat_get_dentry_set\n kmalloc_array\n ...\n lock(fs_reclaim)\n ...\n evict\n exfat_evict_inode\n lock(&sbi->s_lock)\n\nTo fix this, let's allocate bh-array with GFP_NOFS.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42315\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42315\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42315\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42315\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42315\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1d1970493c289e3f44b9ec847ed26a5dbdf56a62\",\n \"https://git.kernel.org/stable/c/89fc548767a2155231128cb98726d6d2ea1256c9\",\n \"https://git.kernel.org/stable/c/a7ac198f8dba791e3144c4da48a5a9b95773ee4b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nexfat: fix potential deadlock on __exfat_get_dentry_set\\n\\nWhen accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array\\nis allocated in __exfat_get_entry_set. The problem is that the bh-array is\\nallocated with GFP_KERNEL. It does not make sense. In the following cases,\\na deadlock for sbi->s_lock between the two processes may occur.\\n\\n CPU0 CPU1\\n ---- ----\\n kswapd\\n balance_pgdat\\n lock(fs_reclaim)\\n exfat_iterate\\n lock(&sbi->s_lock)\\n exfat_readdir\\n exfat_get_uniname_from_ext_entry\\n exfat_get_dentry_set\\n __exfat_get_dentry_set\\n kmalloc_array\\n ...\\n lock(fs_reclaim)\\n ...\\n evict\\n exfat_evict_inode\\n lock(&sbi->s_lock)\\n\\nTo fix this, let's allocate bh-array with GFP_NOFS.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42315\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42318", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42318" + }, + { + "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2566" + }, + { + "url": "https://git.kernel.org/stable/c/0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c" + }, + { + "url": "https://git.kernel.org/stable/c/16896914bace82d7811c62f3b6d5320132384f49" + }, + { + "url": "https://git.kernel.org/stable/c/39705a6c29f8a2b93cf5b99528a55366c50014d1" + }, + { + "url": "https://git.kernel.org/stable/c/916c648323fa53b89eedb34a0988ddaf01406117" + }, + { + "url": "https://git.kernel.org/stable/c/b14cc2cf313bd29056fadbc8ecd7f957cf5791ff" + }, + { + "url": "https://lore.kernel.org/all/20240817.shahka3Ee1iy@digikod.net/" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2024/08/17/2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42318 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42318", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Don't lose track of restrictions on cred_transfer\n\nWhen a process' cred struct is replaced, this _almost_ always invokes\nthe cred_prepare LSM hook; but in one special case (when\nKEYCTL_SESSION_TO_PARENT updates the parent's credentials), the\ncred_transfer LSM hook is used instead. Landlock only implements the\ncred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes\nall information on Landlock restrictions to be lost.\n\nThis basically means that a process with the ability to use the fork()\nand keyctl() syscalls can get rid of all Landlock restrictions on\nitself.\n\nFix it by adding a cred_transfer hook that does the same thing as the\nexisting cred_prepare hook. (Implemented by having hook_cred_prepare()\ncall hook_cred_transfer() so that the two functions are less likely to\naccidentally diverge in the future.)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42318\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42318\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42318\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42318\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42318\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://bugs.chromium.org/p/project-zero/issues/detail?id=2566\",\n \"https://git.kernel.org/stable/c/0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c\",\n \"https://git.kernel.org/stable/c/16896914bace82d7811c62f3b6d5320132384f49\",\n \"https://git.kernel.org/stable/c/39705a6c29f8a2b93cf5b99528a55366c50014d1\",\n \"https://git.kernel.org/stable/c/916c648323fa53b89eedb34a0988ddaf01406117\",\n \"https://git.kernel.org/stable/c/b14cc2cf313bd29056fadbc8ecd7f957cf5791ff\",\n \"https://lore.kernel.org/all/20240817.shahka3Ee1iy@digikod.net/\",\n \"https://www.openwall.com/lists/oss-security/2024/08/17/2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlandlock: Don't lose track of restrictions on cred_transfer\\n\\nWhen a process' cred struct is replaced, this _almost_ always invokes\\nthe cred_prepare LSM hook; but in one special case (when\\nKEYCTL_SESSION_TO_PARENT updates the parent's credentials), the\\ncred_transfer LSM hook is used instead. Landlock only implements the\\ncred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes\\nall information on Landlock restrictions to be lost.\\n\\nThis basically means that a process with the ability to use the fork()\\nand keyctl() syscalls can get rid of all Landlock restrictions on\\nitself.\\n\\nFix it by adding a cred_transfer hook that does the same thing as the\\nexisting cred_prepare hook. (Implemented by having hook_cred_prepare()\\ncall hook_cred_transfer() so that the two functions are less likely to\\naccidentally diverge in the future.)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42318\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42319", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42319" + }, + { + "url": "https://git.kernel.org/stable/c/11fa625b45faf0649118b9deaf2d31c86ac41911" + }, + { + "url": "https://git.kernel.org/stable/c/a8bd68e4329f9a0ad1b878733e0f80be6a971649" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42319 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42319", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()\n\nWhen mtk-cmdq unbinds, a WARN_ON message with condition\npm_runtime_get_sync() < 0 occurs.\n\nAccording to the call tracei below:\n cmdq_mbox_shutdown\n mbox_free_channel\n mbox_controller_unregister\n __devm_mbox_controller_unregister\n ...\n\nThe root cause can be deduced to be calling pm_runtime_get_sync() after\ncalling pm_runtime_disable() as observed below:\n1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe()\n to bind the cmdq device to the mbox_controller, so\n devm_mbox_controller_unregister() will automatically unregister\n the device bound to the mailbox controller when the device-managed\n resource is removed. That means devm_mbox_controller_unregister()\n and cmdq_mbox_shoutdown() will be called after cmdq_remove().\n2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after\n devm_mbox_controller_register(), so that devm_pm_runtime_disable()\n will be called after cmdq_remove(), but before\n devm_mbox_controller_unregister().\n\nTo fix this problem, cmdq_probe() needs to move\ndevm_mbox_controller_register() after devm_pm_runtime_enable() to make\ndevm_pm_runtime_disable() be called after\ndevm_mbox_controller_unregister().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42319\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42319\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42319\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42319\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42319\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/11fa625b45faf0649118b9deaf2d31c86ac41911\",\n \"https://git.kernel.org/stable/c/a8bd68e4329f9a0ad1b878733e0f80be6a971649\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()\\n\\nWhen mtk-cmdq unbinds, a WARN_ON message with condition\\npm_runtime_get_sync() < 0 occurs.\\n\\nAccording to the call tracei below:\\n cmdq_mbox_shutdown\\n mbox_free_channel\\n mbox_controller_unregister\\n __devm_mbox_controller_unregister\\n ...\\n\\nThe root cause can be deduced to be calling pm_runtime_get_sync() after\\ncalling pm_runtime_disable() as observed below:\\n1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe()\\n to bind the cmdq device to the mbox_controller, so\\n devm_mbox_controller_unregister() will automatically unregister\\n the device bound to the mailbox controller when the device-managed\\n resource is removed. That means devm_mbox_controller_unregister()\\n and cmdq_mbox_shoutdown() will be called after cmdq_remove().\\n2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after\\n devm_mbox_controller_register(), so that devm_pm_runtime_disable()\\n will be called after cmdq_remove(), but before\\n devm_mbox_controller_unregister().\\n\\nTo fix this problem, cmdq_probe() needs to move\\ndevm_mbox_controller_register() after devm_pm_runtime_enable() to make\\ndevm_pm_runtime_disable() be called after\\ndevm_mbox_controller_unregister().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42319\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42320", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42320" + }, + { + "url": "https://git.kernel.org/stable/c/68d4c3722290ad300c295fb3435e835d200d5cb2" + }, + { + "url": "https://git.kernel.org/stable/c/8e64d2356cbc800b4cd0e3e614797f76bcf0cdb8" + }, + { + "url": "https://git.kernel.org/stable/c/cc8b7284d5076722e0b8062373b68d8e47c3bace" + }, + { + "url": "https://git.kernel.org/stable/c/e511167e65d332d07b3c7a3d5a741ee9c19a8c27" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42320 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42320", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix error checks in dasd_copy_pair_store()\n\ndasd_add_busid() can return an error via ERR_PTR() if an allocation\nfails. However, two callsites in dasd_copy_pair_store() do not check\nthe result, potentially resulting in a NULL pointer dereference. Fix\nthis by checking the result with IS_ERR() and returning the error up\nthe stack.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42320\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42320\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42320\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42320\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42320\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/68d4c3722290ad300c295fb3435e835d200d5cb2\",\n \"https://git.kernel.org/stable/c/8e64d2356cbc800b4cd0e3e614797f76bcf0cdb8\",\n \"https://git.kernel.org/stable/c/cc8b7284d5076722e0b8062373b68d8e47c3bace\",\n \"https://git.kernel.org/stable/c/e511167e65d332d07b3c7a3d5a741ee9c19a8c27\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/dasd: fix error checks in dasd_copy_pair_store()\\n\\ndasd_add_busid() can return an error via ERR_PTR() if an allocation\\nfails. However, two callsites in dasd_copy_pair_store() do not check\\nthe result, potentially resulting in a NULL pointer dereference. Fix\\nthis by checking the result with IS_ERR() and returning the error up\\nthe stack.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42320\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42321", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42321" + }, + { + "url": "https://git.kernel.org/stable/c/120f1c857a73e52132e473dee89b340440cb692b" + }, + { + "url": "https://git.kernel.org/stable/c/4afbac11f2f629d1e62817c4e210bdfaa7521107" + }, + { + "url": "https://git.kernel.org/stable/c/c5d21aabf1b31a79f228508af33aee83456bc1b0" + }, + { + "url": "https://git.kernel.org/stable/c/eb03d9826aa646577342a952d658d4598381c035" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42321 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42321", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: flow_dissector: use DEBUG_NET_WARN_ON_ONCE\n\nThe following splat is easy to reproduce upstream as well as in -stable\nkernels. Florian Westphal provided the following commit:\n\n d1dab4f71d37 (\"net: add and use __skb_get_hash_symmetric_net\")\n\nbut this complementary fix has been also suggested by Willem de Bruijn\nand it can be easily backported to -stable kernel which consists in\nusing DEBUG_NET_WARN_ON_ONCE instead to silence the following splat\ngiven __skb_get_hash() is used by the nftables tracing infrastructure to\nto identify packets in traces.\n\n[69133.561393] ------------[ cut here ]------------\n[69133.561404] WARNING: CPU: 0 PID: 43576 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x134f/\n[...]\n[69133.561944] CPU: 0 PID: 43576 Comm: socat Not tainted 6.10.0-rc7+ #379\n[69133.561959] RIP: 0010:__skb_flow_dissect+0x134f/0x2ad0\n[69133.561970] Code: 83 f9 04 0f 84 b3 00 00 00 45 85 c9 0f 84 aa 00 00 00 41 83 f9 02 0f 84 81 fc ff\nff 44 0f b7 b4 24 80 00 00 00 e9 8b f9 ff ff <0f> 0b e9 20 f3 ff ff 41 f6 c6 20 0f 84 e4 ef ff ff 48 8d 7b 12 e8\n[69133.561979] RSP: 0018:ffffc90000006fc0 EFLAGS: 00010246\n[69133.561988] RAX: 0000000000000000 RBX: ffffffff82f33e20 RCX: ffffffff81ab7e19\n[69133.561994] RDX: dffffc0000000000 RSI: ffffc90000007388 RDI: ffff888103a1b418\n[69133.562001] RBP: ffffc90000007310 R08: 0000000000000000 R09: 0000000000000000\n[69133.562007] R10: ffffc90000007388 R11: ffffffff810cface R12: ffff888103a1b400\n[69133.562013] R13: 0000000000000000 R14: ffffffff82f33e2a R15: ffffffff82f33e28\n[69133.562020] FS: 00007f40f7131740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[69133.562027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[69133.562033] CR2: 00007f40f7346ee0 CR3: 000000015d200001 CR4: 00000000001706f0\n[69133.562040] Call Trace:\n[69133.562044] \n[69133.562049] ? __warn+0x9f/0x1a0\n[ 1211.841384] ? __skb_flow_dissect+0x107e/0x2860\n[...]\n[ 1211.841496] ? bpf_flow_dissect+0x160/0x160\n[ 1211.841753] __skb_get_hash+0x97/0x280\n[ 1211.841765] ? __skb_get_hash_symmetric+0x230/0x230\n[ 1211.841776] ? mod_find+0xbf/0xe0\n[ 1211.841786] ? get_stack_info_noinstr+0x12/0xe0\n[ 1211.841798] ? bpf_ksym_find+0x56/0xe0\n[ 1211.841807] ? __rcu_read_unlock+0x2a/0x70\n[ 1211.841819] nft_trace_init+0x1b9/0x1c0 [nf_tables]\n[ 1211.841895] ? nft_trace_notify+0x830/0x830 [nf_tables]\n[ 1211.841964] ? get_stack_info+0x2b/0x80\n[ 1211.841975] ? nft_do_chain_arp+0x80/0x80 [nf_tables]\n[ 1211.842044] nft_do_chain+0x79c/0x850 [nf_tables]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42321\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42321\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42321\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42321\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42321\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/120f1c857a73e52132e473dee89b340440cb692b\",\n \"https://git.kernel.org/stable/c/4afbac11f2f629d1e62817c4e210bdfaa7521107\",\n \"https://git.kernel.org/stable/c/c5d21aabf1b31a79f228508af33aee83456bc1b0\",\n \"https://git.kernel.org/stable/c/eb03d9826aa646577342a952d658d4598381c035\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: flow_dissector: use DEBUG_NET_WARN_ON_ONCE\\n\\nThe following splat is easy to reproduce upstream as well as in -stable\\nkernels. Florian Westphal provided the following commit:\\n\\n d1dab4f71d37 (\\\"net: add and use __skb_get_hash_symmetric_net\\\")\\n\\nbut this complementary fix has been also suggested by Willem de Bruijn\\nand it can be easily backported to -stable kernel which consists in\\nusing DEBUG_NET_WARN_ON_ONCE instead to silence the following splat\\ngiven __skb_get_hash() is used by the nftables tracing infrastructure to\\nto identify packets in traces.\\n\\n[69133.561393] ------------[ cut here ]------------\\n[69133.561404] WARNING: CPU: 0 PID: 43576 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x134f/\\n[...]\\n[69133.561944] CPU: 0 PID: 43576 Comm: socat Not tainted 6.10.0-rc7+ #379\\n[69133.561959] RIP: 0010:__skb_flow_dissect+0x134f/0x2ad0\\n[69133.561970] Code: 83 f9 04 0f 84 b3 00 00 00 45 85 c9 0f 84 aa 00 00 00 41 83 f9 02 0f 84 81 fc ff\\nff 44 0f b7 b4 24 80 00 00 00 e9 8b f9 ff ff <0f> 0b e9 20 f3 ff ff 41 f6 c6 20 0f 84 e4 ef ff ff 48 8d 7b 12 e8\\n[69133.561979] RSP: 0018:ffffc90000006fc0 EFLAGS: 00010246\\n[69133.561988] RAX: 0000000000000000 RBX: ffffffff82f33e20 RCX: ffffffff81ab7e19\\n[69133.561994] RDX: dffffc0000000000 RSI: ffffc90000007388 RDI: ffff888103a1b418\\n[69133.562001] RBP: ffffc90000007310 R08: 0000000000000000 R09: 0000000000000000\\n[69133.562007] R10: ffffc90000007388 R11: ffffffff810cface R12: ffff888103a1b400\\n[69133.562013] R13: 0000000000000000 R14: ffffffff82f33e2a R15: ffffffff82f33e28\\n[69133.562020] FS: 00007f40f7131740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\\n[69133.562027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[69133.562033] CR2: 00007f40f7346ee0 CR3: 000000015d200001 CR4: 00000000001706f0\\n[69133.562040] Call Trace:\\n[69133.562044] \\n[69133.562049] ? __warn+0x9f/0x1a0\\n[ 1211.841384] ? __skb_flow_dissect+0x107e/0x2860\\n[...]\\n[ 1211.841496] ? bpf_flow_dissect+0x160/0x160\\n[ 1211.841753] __skb_get_hash+0x97/0x280\\n[ 1211.841765] ? __skb_get_hash_symmetric+0x230/0x230\\n[ 1211.841776] ? mod_find+0xbf/0xe0\\n[ 1211.841786] ? get_stack_info_noinstr+0x12/0xe0\\n[ 1211.841798] ? bpf_ksym_find+0x56/0xe0\\n[ 1211.841807] ? __rcu_read_unlock+0x2a/0x70\\n[ 1211.841819] nft_trace_init+0x1b9/0x1c0 [nf_tables]\\n[ 1211.841895] ? nft_trace_notify+0x830/0x830 [nf_tables]\\n[ 1211.841964] ? get_stack_info+0x2b/0x80\\n[ 1211.841975] ? nft_do_chain_arp+0x80/0x80 [nf_tables]\\n[ 1211.842044] nft_do_chain+0x79c/0x850 [nf_tables]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42321\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-42322", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-42322" + }, + { + "url": "https://git.kernel.org/stable/c/3dd428039e06e1967ce294e2cd6342825aaaad77" + }, + { + "url": "https://git.kernel.org/stable/c/c420cd5d5bc6797f3a8824e7d74f38f0c286fca5" + }, + { + "url": "https://git.kernel.org/stable/c/cbd070a4ae62f119058973f6d2c984e325bce6e7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-42322 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-42322", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: properly dereference pe in ip_vs_add_service\n\nUse pe directly to resolve sparse warning:\n\n net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-42322\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-42322\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-42322\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-42322\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-42322\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3dd428039e06e1967ce294e2cd6342825aaaad77\",\n \"https://git.kernel.org/stable/c/c420cd5d5bc6797f3a8824e7d74f38f0c286fca5\",\n \"https://git.kernel.org/stable/c/cbd070a4ae62f119058973f6d2c984e325bce6e7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipvs: properly dereference pe in ip_vs_add_service\\n\\nUse pe directly to resolve sparse warning:\\n\\n net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-42322\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43817", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43817" + }, + { + "url": "https://git.kernel.org/stable/c/27874ca77bd2b05a3779c7b3a5c75d8dd7f0b40f" + }, + { + "url": "https://git.kernel.org/stable/c/5b1997487a3f3373b0f580c8a20b56c1b64b0775" + }, + { + "url": "https://git.kernel.org/stable/c/90d41ebe0cd4635f6410471efc1dd71b33e894cf" + }, + { + "url": "https://git.kernel.org/stable/c/e269d79c7d35aa3808b1f3c1737d63dab504ddc8" + }, + { + "url": "https://git.kernel.org/stable/c/e9164903b8b303c34723177b02fe91e49e3c4cd7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43817 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43817", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: missing check virtio\n\nTwo missing check in virtio_net_hdr_to_skb() allowed syzbot\nto crash kernels again\n\n1. After the skb_segment function the buffer may become non-linear\n(nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere\nthe __skb_linearize function will not be executed, then the buffer will\nremain non-linear. Then the condition (offset >= skb_headlen(skb))\nbecomes true, which causes WARN_ON_ONCE in skb_checksum_help.\n\n2. The struct sk_buff and struct virtio_net_hdr members must be\nmathematically related.\n(gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.\n(remainder) must be greater than (needed) otherwise WARN_ON_ONCE.\n(remainder) may be 0 if division is without remainder.\n\noffset+2 (4191) > skb_headlen() (1116)\nWARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\nModules linked in:\nCPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\nCode: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef\nRSP: 0018:ffffc90003a9f338 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209\nRDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001\nRBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c\nR13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d\nFS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777\n ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584\n ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]\n __ip_finish_output net/ipv4/ip_output.c:308 [inline]\n __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433\n dst_output include/net/dst.h:451 [inline]\n ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]\n sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3545 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x257/0x380 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\n __sys_sendto+0x255/0x340 net/socket.c:2190\n __do_sys_sendto net/socket.c:2202 [inline]\n __se_sys_sendto net/socket.c:2198 [inline]\n __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43817\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43817\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43817\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43817\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43817\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/27874ca77bd2b05a3779c7b3a5c75d8dd7f0b40f\",\n \"https://git.kernel.org/stable/c/5b1997487a3f3373b0f580c8a20b56c1b64b0775\",\n \"https://git.kernel.org/stable/c/90d41ebe0cd4635f6410471efc1dd71b33e894cf\",\n \"https://git.kernel.org/stable/c/e269d79c7d35aa3808b1f3c1737d63dab504ddc8\",\n \"https://git.kernel.org/stable/c/e9164903b8b303c34723177b02fe91e49e3c4cd7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: missing check virtio\\n\\nTwo missing check in virtio_net_hdr_to_skb() allowed syzbot\\nto crash kernels again\\n\\n1. After the skb_segment function the buffer may become non-linear\\n(nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere\\nthe __skb_linearize function will not be executed, then the buffer will\\nremain non-linear. Then the condition (offset >= skb_headlen(skb))\\nbecomes true, which causes WARN_ON_ONCE in skb_checksum_help.\\n\\n2. The struct sk_buff and struct virtio_net_hdr members must be\\nmathematically related.\\n(gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.\\n(remainder) must be greater than (needed) otherwise WARN_ON_ONCE.\\n(remainder) may be 0 if division is without remainder.\\n\\noffset+2 (4191) > skb_headlen() (1116)\\nWARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\\nModules linked in:\\nCPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0\\nHardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\\nRIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\\nCode: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef\\nRSP: 0018:ffffc90003a9f338 EFLAGS: 00010286\\nRAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209\\nRDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001\\nRBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c\\nR13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d\\nFS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777\\n ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584\\n ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]\\n __ip_finish_output net/ipv4/ip_output.c:308 [inline]\\n __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295\\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\\n ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433\\n dst_output include/net/dst.h:451 [inline]\\n ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129\\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\\n ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]\\n sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076\\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\\n xmit_one net/core/dev.c:3545 [inline]\\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561\\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346\\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\\n packet_xmit+0x257/0x380 net/packet/af_packet.c:276\\n packet_snd net/packet/af_packet.c:3087 [inline]\\n packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\\n __sys_sendto+0x255/0x340 net/socket.c:2190\\n __do_sys_sendto net/socket.c:2202 [inline]\\n __se_sys_sendto net/socket.c:2198 [inline]\\n __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82\\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\\n\\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43817\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43819", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43819" + }, + { + "url": "https://git.kernel.org/stable/c/49c9945c054df4c22008e2bf87ca74d3e2507aa6" + }, + { + "url": "https://git.kernel.org/stable/c/7816e58967d0e6cadce05c8540b47ed027dc2499" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43819 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43819", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: s390: Reject memory region operations for ucontrol VMs\n\nThis change rejects the KVM_SET_USER_MEMORY_REGION and\nKVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM.\nThis is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and\nwould thus result in a null pointer dereference further in.\nMemory management needs to be performed in userspace and using the\nioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP.\n\nAlso improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION\nand KVM_SET_USER_MEMORY_REGION2.\n\n[frankja@linux.ibm.com: commit message spelling fix, subject prefix fix]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43819\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43819\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43819\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43819\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43819\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/49c9945c054df4c22008e2bf87ca74d3e2507aa6\",\n \"https://git.kernel.org/stable/c/7816e58967d0e6cadce05c8540b47ed027dc2499\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkvm: s390: Reject memory region operations for ucontrol VMs\\n\\nThis change rejects the KVM_SET_USER_MEMORY_REGION and\\nKVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM.\\nThis is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and\\nwould thus result in a null pointer dereference further in.\\nMemory management needs to be performed in userspace and using the\\nioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP.\\n\\nAlso improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION\\nand KVM_SET_USER_MEMORY_REGION2.\\n\\n[frankja@linux.ibm.com: commit message spelling fix, subject prefix fix]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43819\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43823", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43823" + }, + { + "url": "https://git.kernel.org/stable/c/0a6f1b5fe8ef8268aaa069035639968ceeea0a23" + }, + { + "url": "https://git.kernel.org/stable/c/a231707a91f323af1e5d9f1722055ec2fc1c7775" + }, + { + "url": "https://git.kernel.org/stable/c/bbba48ad67c53feea05936ea1e029dcca8057506" + }, + { + "url": "https://git.kernel.org/stable/c/dbcdd1863ba2ec9b76ec131df25d797709e05597" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43823 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43823", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()\n\nIf IORESOURCE_MEM is not provided in Device Tree due to\nany error, resource_list_first_type() will return NULL and\npci_parse_request_of_pci_ranges() will just emit a warning.\n\nThis will cause a NULL pointer dereference. Fix this bug by adding NULL\nreturn check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43823\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43823\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43823\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43823\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43823\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0a6f1b5fe8ef8268aaa069035639968ceeea0a23\",\n \"https://git.kernel.org/stable/c/a231707a91f323af1e5d9f1722055ec2fc1c7775\",\n \"https://git.kernel.org/stable/c/bbba48ad67c53feea05936ea1e029dcca8057506\",\n \"https://git.kernel.org/stable/c/dbcdd1863ba2ec9b76ec131df25d797709e05597\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()\\n\\nIf IORESOURCE_MEM is not provided in Device Tree due to\\nany error, resource_list_first_type() will return NULL and\\npci_parse_request_of_pci_ranges() will just emit a warning.\\n\\nThis will cause a NULL pointer dereference. Fix this bug by adding NULL\\nreturn check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43823\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43824", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43824" + }, + { + "url": "https://git.kernel.org/stable/c/5a5095a8bd1bd349cce1c879e5e44407a34dda8a" + }, + { + "url": "https://git.kernel.org/stable/c/af4ad016abb1632ff7ee598a6037952b495e5b80" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43824 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43824", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init()\n\nInstead of getting the epc_features from pci_epc_get_features() API, use\nthe cached pci_epf_test::epc_features value to avoid the NULL check. Since\nthe NULL check is already performed in pci_epf_test_bind(), having one more\ncheck in pci_epf_test_core_init() is redundant and it is not possible to\nhit the NULL pointer dereference.\n\nAlso with commit a01e7214bef9 (\"PCI: endpoint: Remove \"core_init_notifier\"\nflag\"), 'epc_features' got dereferenced without the NULL check, leading to\nthe following false positive Smatch warning:\n\n drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747)\n\nThus, remove the redundant NULL check and also use the epc_features::\n{msix_capable/msi_capable} flags directly to avoid local variables.\n\n[kwilczynski: commit log]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43824\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43824\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43824\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43824\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43824\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/5a5095a8bd1bd349cce1c879e5e44407a34dda8a\",\n \"https://git.kernel.org/stable/c/af4ad016abb1632ff7ee598a6037952b495e5b80\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init()\\n\\nInstead of getting the epc_features from pci_epc_get_features() API, use\\nthe cached pci_epf_test::epc_features value to avoid the NULL check. Since\\nthe NULL check is already performed in pci_epf_test_bind(), having one more\\ncheck in pci_epf_test_core_init() is redundant and it is not possible to\\nhit the NULL pointer dereference.\\n\\nAlso with commit a01e7214bef9 (\\\"PCI: endpoint: Remove \\\"core_init_notifier\\\"\\nflag\\\"), 'epc_features' got dereferenced without the NULL check, leading to\\nthe following false positive Smatch warning:\\n\\n drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747)\\n\\nThus, remove the redundant NULL check and also use the epc_features::\\n{msix_capable/msi_capable} flags directly to avoid local variables.\\n\\n[kwilczynski: commit log]\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43824\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43828", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43828" + }, + { + "url": "https://git.kernel.org/stable/c/0619f7750f2b178a1309808832ab20d85e0ad121" + }, + { + "url": "https://git.kernel.org/stable/c/181e63cd595c688194e07332f9944b3a63193de2" + }, + { + "url": "https://git.kernel.org/stable/c/5ed0496e383cb6de120e56991385dce70bbb87c1" + }, + { + "url": "https://git.kernel.org/stable/c/81f819c537d29932e4b9267f02411cbc8b355178" + }, + { + "url": "https://git.kernel.org/stable/c/907c3fe532253a6ef4eb9c4d67efb71fab58c706" + }, + { + "url": "https://git.kernel.org/stable/c/c6e67df64783e99a657ef2b8c834ba2bf54c539c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43828 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43828", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix infinite loop when replaying fast_commit\n\nWhen doing fast_commit replay an infinite loop may occur due to an\nuninitialized extent_status struct. ext4_ext_determine_insert_hole() does\nnot detect the replay and calls ext4_es_find_extent_range(), which will\nreturn immediately without initializing the 'es' variable.\n\nBecause 'es' contains garbage, an integer overflow may happen causing an\ninfinite loop in this function, easily reproducible using fstest generic/039.\n\nThis commit fixes this issue by unconditionally initializing the structure\nin function ext4_es_find_extent_range().\n\nThanks to Zhang Yi, for figuring out the real problem!", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43828\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43828\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43828\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43828\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43828\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0619f7750f2b178a1309808832ab20d85e0ad121\",\n \"https://git.kernel.org/stable/c/181e63cd595c688194e07332f9944b3a63193de2\",\n \"https://git.kernel.org/stable/c/5ed0496e383cb6de120e56991385dce70bbb87c1\",\n \"https://git.kernel.org/stable/c/81f819c537d29932e4b9267f02411cbc8b355178\",\n \"https://git.kernel.org/stable/c/907c3fe532253a6ef4eb9c4d67efb71fab58c706\",\n \"https://git.kernel.org/stable/c/c6e67df64783e99a657ef2b8c834ba2bf54c539c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix infinite loop when replaying fast_commit\\n\\nWhen doing fast_commit replay an infinite loop may occur due to an\\nuninitialized extent_status struct. ext4_ext_determine_insert_hole() does\\nnot detect the replay and calls ext4_es_find_extent_range(), which will\\nreturn immediately without initializing the 'es' variable.\\n\\nBecause 'es' contains garbage, an integer overflow may happen causing an\\ninfinite loop in this function, easily reproducible using fstest generic/039.\\n\\nThis commit fixes this issue by unconditionally initializing the structure\\nin function ext4_es_find_extent_range().\\n\\nThanks to Zhang Yi, for figuring out the real problem!\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43828\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43829", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43829" + }, + { + "url": "https://git.kernel.org/stable/c/3efe34f95b1ac8c138a46b14ce75956db0d6ee7c" + }, + { + "url": "https://git.kernel.org/stable/c/4b1f303bdeceac049e56e4b20eb5280bd9e02f4f" + }, + { + "url": "https://git.kernel.org/stable/c/4e87f592a46bb804d8f833da6ce702ae4b55053f" + }, + { + "url": "https://git.kernel.org/stable/c/62ef8d7816c8e4a6088275553818b9afc0ffaa03" + }, + { + "url": "https://git.kernel.org/stable/c/7bd09a2db0f617377027a2bb0b9179e6959edff3" + }, + { + "url": "https://git.kernel.org/stable/c/d4c57354a06cb4a77998ff8aa40af89eee30e07b" + }, + { + "url": "https://git.kernel.org/stable/c/f28b353c0c6c7831a70ccca881bf2db5e6785cdd" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43829 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43829", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/qxl: Add check for drm_cvt_mode\n\nAdd check for the return value of drm_cvt_mode() and return the error if\nit fails in order to avoid NULL pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43829\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43829\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43829\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43829\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43829\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3efe34f95b1ac8c138a46b14ce75956db0d6ee7c\",\n \"https://git.kernel.org/stable/c/4b1f303bdeceac049e56e4b20eb5280bd9e02f4f\",\n \"https://git.kernel.org/stable/c/4e87f592a46bb804d8f833da6ce702ae4b55053f\",\n \"https://git.kernel.org/stable/c/62ef8d7816c8e4a6088275553818b9afc0ffaa03\",\n \"https://git.kernel.org/stable/c/7bd09a2db0f617377027a2bb0b9179e6959edff3\",\n \"https://git.kernel.org/stable/c/d4c57354a06cb4a77998ff8aa40af89eee30e07b\",\n \"https://git.kernel.org/stable/c/f28b353c0c6c7831a70ccca881bf2db5e6785cdd\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/qxl: Add check for drm_cvt_mode\\n\\nAdd check for the return value of drm_cvt_mode() and return the error if\\nit fails in order to avoid NULL pointer dereference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43829\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43830", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43830" + }, + { + "url": "https://git.kernel.org/stable/c/0788a6f3523d3686a9eed5ea1e6fcce6841277b2" + }, + { + "url": "https://git.kernel.org/stable/c/09c1583f0e10c918855d6e7540a79461a353e5d6" + }, + { + "url": "https://git.kernel.org/stable/c/3fb6a9d67cfd812a547ac73ec02e1077c26c640d" + }, + { + "url": "https://git.kernel.org/stable/c/734ba6437e80dfc780e9ee9d95f912392d12b5ea" + }, + { + "url": "https://git.kernel.org/stable/c/c0dc9adf9474ecb7106e60e5472577375aedaed3" + }, + { + "url": "https://git.kernel.org/stable/c/c3b7a650c8717aa89df318364609c86cbc040156" + }, + { + "url": "https://git.kernel.org/stable/c/cb8aa9d2a4c8a15d6a43ccf901ef3d094aa60374" + }, + { + "url": "https://git.kernel.org/stable/c/d1415125b701ef13370e2761f691ec632a5eb93a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43830 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43830", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: trigger: Unregister sysfs attributes before calling deactivate()\n\nTriggers which have trigger specific sysfs attributes typically store\nrelated data in trigger-data allocated by the activate() callback and\nfreed by the deactivate() callback.\n\nCalling device_remove_groups() after calling deactivate() leaves a window\nwhere the sysfs attributes show/store functions could be called after\ndeactivation and then operate on the just freed trigger-data.\n\nMove the device_remove_groups() call to before deactivate() to close\nthis race window.\n\nThis also makes the deactivation path properly do things in reverse order\nof the activation path which calls the activate() callback before calling\ndevice_add_groups().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43830\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43830\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43830\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43830\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43830\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0788a6f3523d3686a9eed5ea1e6fcce6841277b2\",\n \"https://git.kernel.org/stable/c/09c1583f0e10c918855d6e7540a79461a353e5d6\",\n \"https://git.kernel.org/stable/c/3fb6a9d67cfd812a547ac73ec02e1077c26c640d\",\n \"https://git.kernel.org/stable/c/734ba6437e80dfc780e9ee9d95f912392d12b5ea\",\n \"https://git.kernel.org/stable/c/c0dc9adf9474ecb7106e60e5472577375aedaed3\",\n \"https://git.kernel.org/stable/c/c3b7a650c8717aa89df318364609c86cbc040156\",\n \"https://git.kernel.org/stable/c/cb8aa9d2a4c8a15d6a43ccf901ef3d094aa60374\",\n \"https://git.kernel.org/stable/c/d1415125b701ef13370e2761f691ec632a5eb93a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nleds: trigger: Unregister sysfs attributes before calling deactivate()\\n\\nTriggers which have trigger specific sysfs attributes typically store\\nrelated data in trigger-data allocated by the activate() callback and\\nfreed by the deactivate() callback.\\n\\nCalling device_remove_groups() after calling deactivate() leaves a window\\nwhere the sysfs attributes show/store functions could be called after\\ndeactivation and then operate on the just freed trigger-data.\\n\\nMove the device_remove_groups() call to before deactivate() to close\\nthis race window.\\n\\nThis also makes the deactivation path properly do things in reverse order\\nof the activation path which calls the activate() callback before calling\\ndevice_add_groups().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43830\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43831", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43831" + }, + { + "url": "https://git.kernel.org/stable/c/1c109f23b271a02b9bb195c173fab41e3285a8db" + }, + { + "url": "https://git.kernel.org/stable/c/59d438f8e02ca641c58d77e1feffa000ff809e9f" + }, + { + "url": "https://git.kernel.org/stable/c/cdf05ae76198c513836bde4eb55f099c44773280" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43831 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43831", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Handle invalid decoder vsi\n\nHandle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi\nis valid for future use.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43831\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43831\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43831\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43831\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43831\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1c109f23b271a02b9bb195c173fab41e3285a8db\",\n \"https://git.kernel.org/stable/c/59d438f8e02ca641c58d77e1feffa000ff809e9f\",\n \"https://git.kernel.org/stable/c/cdf05ae76198c513836bde4eb55f099c44773280\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: mediatek: vcodec: Handle invalid decoder vsi\\n\\nHandle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi\\nis valid for future use.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43831\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43832", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43832" + }, + { + "url": "https://git.kernel.org/stable/c/1a1eb2f3fc453dcd52726d13e863938561489cb7" + }, + { + "url": "https://git.kernel.org/stable/c/3f29f6537f54d74e64bac0a390fb2e26da25800d" + }, + { + "url": "https://git.kernel.org/stable/c/8736604ef53359a718c246087cd21dcec232d2fb" + }, + { + "url": "https://git.kernel.org/stable/c/b21aba72aadd94bdac275deab021fc84d6c72b16" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43832 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43832", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/uv: Don't call folio_wait_writeback() without a folio reference\n\nfolio_wait_writeback() requires that no spinlocks are held and that\na folio reference is held, as documented. After we dropped the PTL, the\nfolio could get freed concurrently. So grab a temporary reference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43832\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43832\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43832\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43832\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43832\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1a1eb2f3fc453dcd52726d13e863938561489cb7\",\n \"https://git.kernel.org/stable/c/3f29f6537f54d74e64bac0a390fb2e26da25800d\",\n \"https://git.kernel.org/stable/c/8736604ef53359a718c246087cd21dcec232d2fb\",\n \"https://git.kernel.org/stable/c/b21aba72aadd94bdac275deab021fc84d6c72b16\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/uv: Don't call folio_wait_writeback() without a folio reference\\n\\nfolio_wait_writeback() requires that no spinlocks are held and that\\na folio reference is held, as documented. After we dropped the PTL, the\\nfolio could get freed concurrently. So grab a temporary reference.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43832\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43834", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43834" + }, + { + "url": "https://git.kernel.org/stable/c/12144069209eec7f2090ce9afa15acdcc2c2a537" + }, + { + "url": "https://git.kernel.org/stable/c/3fc1be360b99baeea15cdee3cf94252cd3a72d26" + }, + { + "url": "https://git.kernel.org/stable/c/59a931c5b732ca5fc2ca727f5a72aeabaafa85ec" + }, + { + "url": "https://git.kernel.org/stable/c/6c390ef198aa69795427a5cb5fd7cb4bc7e6cd7a" + }, + { + "url": "https://git.kernel.org/stable/c/be9d08ff102df3ac4f66e826ea935cf3af63a4bd" + }, + { + "url": "https://git.kernel.org/stable/c/bf0ce5aa5f2525ed1b921ba36de96e458e77f482" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43834 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43834", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: fix invalid wait context of page_pool_destroy()\n\nIf the driver uses a page pool, it creates a page pool with\npage_pool_create().\nThe reference count of page pool is 1 as default.\nA page pool will be destroyed only when a reference count reaches 0.\npage_pool_destroy() is used to destroy page pool, it decreases a\nreference count.\nWhen a page pool is destroyed, ->disconnect() is called, which is\nmem_allocator_disconnect().\nThis function internally acquires mutex_lock().\n\nIf the driver uses XDP, it registers a memory model with\nxdp_rxq_info_reg_mem_model().\nThe xdp_rxq_info_reg_mem_model() internally increases a page pool\nreference count if a memory model is a page pool.\nNow the reference count is 2.\n\nTo destroy a page pool, the driver should call both page_pool_destroy()\nand xdp_unreg_mem_model().\nThe xdp_unreg_mem_model() internally calls page_pool_destroy().\nOnly page_pool_destroy() decreases a reference count.\n\nIf a driver calls page_pool_destroy() then xdp_unreg_mem_model(), we\nwill face an invalid wait context warning.\nBecause xdp_unreg_mem_model() calls page_pool_destroy() with\nrcu_read_lock().\nThe page_pool_destroy() internally acquires mutex_lock().\n\nSplat looks like:\n=============================\n[ BUG: Invalid wait context ]\n6.10.0-rc6+ #4 Tainted: G W\n-----------------------------\nethtool/1806 is trying to lock:\nffffffff90387b90 (mem_id_lock){+.+.}-{4:4}, at: mem_allocator_disconnect+0x73/0x150\nother info that might help us debug this:\ncontext-{5:5}\n3 locks held by ethtool/1806:\nstack backtrace:\nCPU: 0 PID: 1806 Comm: ethtool Tainted: G W 6.10.0-rc6+ #4 f916f41f172891c800f2fed\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nCall Trace:\n\ndump_stack_lvl+0x7e/0xc0\n__lock_acquire+0x1681/0x4de0\n? _printk+0x64/0xe0\n? __pfx_mark_lock.part.0+0x10/0x10\n? __pfx___lock_acquire+0x10/0x10\nlock_acquire+0x1b3/0x580\n? mem_allocator_disconnect+0x73/0x150\n? __wake_up_klogd.part.0+0x16/0xc0\n? __pfx_lock_acquire+0x10/0x10\n? dump_stack_lvl+0x91/0xc0\n__mutex_lock+0x15c/0x1690\n? mem_allocator_disconnect+0x73/0x150\n? __pfx_prb_read_valid+0x10/0x10\n? mem_allocator_disconnect+0x73/0x150\n? __pfx_llist_add_batch+0x10/0x10\n? console_unlock+0x193/0x1b0\n? lockdep_hardirqs_on+0xbe/0x140\n? __pfx___mutex_lock+0x10/0x10\n? tick_nohz_tick_stopped+0x16/0x90\n? __irq_work_queue_local+0x1e5/0x330\n? irq_work_queue+0x39/0x50\n? __wake_up_klogd.part.0+0x79/0xc0\n? mem_allocator_disconnect+0x73/0x150\nmem_allocator_disconnect+0x73/0x150\n? __pfx_mem_allocator_disconnect+0x10/0x10\n? mark_held_locks+0xa5/0xf0\n? rcu_is_watching+0x11/0xb0\npage_pool_release+0x36e/0x6d0\npage_pool_destroy+0xd7/0x440\nxdp_unreg_mem_model+0x1a7/0x2a0\n? __pfx_xdp_unreg_mem_model+0x10/0x10\n? kfree+0x125/0x370\n? bnxt_free_ring.isra.0+0x2eb/0x500\n? bnxt_free_mem+0x5ac/0x2500\nxdp_rxq_info_unreg+0x4a/0xd0\nbnxt_free_mem+0x1356/0x2500\nbnxt_close_nic+0xf0/0x3b0\n? __pfx_bnxt_close_nic+0x10/0x10\n? ethnl_parse_bit+0x2c6/0x6d0\n? __pfx___nla_validate_parse+0x10/0x10\n? __pfx_ethnl_parse_bit+0x10/0x10\nbnxt_set_features+0x2a8/0x3e0\n__netdev_update_features+0x4dc/0x1370\n? ethnl_parse_bitset+0x4ff/0x750\n? __pfx_ethnl_parse_bitset+0x10/0x10\n? __pfx___netdev_update_features+0x10/0x10\n? mark_held_locks+0xa5/0xf0\n? _raw_spin_unlock_irqrestore+0x42/0x70\n? __pm_runtime_resume+0x7d/0x110\nethnl_set_features+0x32d/0xa20\n\nTo fix this problem, it uses rhashtable_lookup_fast() instead of\nrhashtable_lookup() with rcu_read_lock().\nUsing xa without rcu_read_lock() here is safe.\nxa is freed by __xdp_mem_allocator_rcu_free() and this is called by\ncall_rcu() of mem_xa_remove().\nThe mem_xa_remove() is called by page_pool_destroy() if a reference\ncount reaches 0.\nThe xa is already protected by the reference count mechanism well in the\ncontrol plane.\nSo removing rcu_read_lock() for page_pool_destroy() is safe.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43834\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43834\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43834\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43834\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43834\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/12144069209eec7f2090ce9afa15acdcc2c2a537\",\n \"https://git.kernel.org/stable/c/3fc1be360b99baeea15cdee3cf94252cd3a72d26\",\n \"https://git.kernel.org/stable/c/59a931c5b732ca5fc2ca727f5a72aeabaafa85ec\",\n \"https://git.kernel.org/stable/c/6c390ef198aa69795427a5cb5fd7cb4bc7e6cd7a\",\n \"https://git.kernel.org/stable/c/be9d08ff102df3ac4f66e826ea935cf3af63a4bd\",\n \"https://git.kernel.org/stable/c/bf0ce5aa5f2525ed1b921ba36de96e458e77f482\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxdp: fix invalid wait context of page_pool_destroy()\\n\\nIf the driver uses a page pool, it creates a page pool with\\npage_pool_create().\\nThe reference count of page pool is 1 as default.\\nA page pool will be destroyed only when a reference count reaches 0.\\npage_pool_destroy() is used to destroy page pool, it decreases a\\nreference count.\\nWhen a page pool is destroyed, ->disconnect() is called, which is\\nmem_allocator_disconnect().\\nThis function internally acquires mutex_lock().\\n\\nIf the driver uses XDP, it registers a memory model with\\nxdp_rxq_info_reg_mem_model().\\nThe xdp_rxq_info_reg_mem_model() internally increases a page pool\\nreference count if a memory model is a page pool.\\nNow the reference count is 2.\\n\\nTo destroy a page pool, the driver should call both page_pool_destroy()\\nand xdp_unreg_mem_model().\\nThe xdp_unreg_mem_model() internally calls page_pool_destroy().\\nOnly page_pool_destroy() decreases a reference count.\\n\\nIf a driver calls page_pool_destroy() then xdp_unreg_mem_model(), we\\nwill face an invalid wait context warning.\\nBecause xdp_unreg_mem_model() calls page_pool_destroy() with\\nrcu_read_lock().\\nThe page_pool_destroy() internally acquires mutex_lock().\\n\\nSplat looks like:\\n=============================\\n[ BUG: Invalid wait context ]\\n6.10.0-rc6+ #4 Tainted: G W\\n-----------------------------\\nethtool/1806 is trying to lock:\\nffffffff90387b90 (mem_id_lock){+.+.}-{4:4}, at: mem_allocator_disconnect+0x73/0x150\\nother info that might help us debug this:\\ncontext-{5:5}\\n3 locks held by ethtool/1806:\\nstack backtrace:\\nCPU: 0 PID: 1806 Comm: ethtool Tainted: G W 6.10.0-rc6+ #4 f916f41f172891c800f2fed\\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\\nCall Trace:\\n\\ndump_stack_lvl+0x7e/0xc0\\n__lock_acquire+0x1681/0x4de0\\n? _printk+0x64/0xe0\\n? __pfx_mark_lock.part.0+0x10/0x10\\n? __pfx___lock_acquire+0x10/0x10\\nlock_acquire+0x1b3/0x580\\n? mem_allocator_disconnect+0x73/0x150\\n? __wake_up_klogd.part.0+0x16/0xc0\\n? __pfx_lock_acquire+0x10/0x10\\n? dump_stack_lvl+0x91/0xc0\\n__mutex_lock+0x15c/0x1690\\n? mem_allocator_disconnect+0x73/0x150\\n? __pfx_prb_read_valid+0x10/0x10\\n? mem_allocator_disconnect+0x73/0x150\\n? __pfx_llist_add_batch+0x10/0x10\\n? console_unlock+0x193/0x1b0\\n? lockdep_hardirqs_on+0xbe/0x140\\n? __pfx___mutex_lock+0x10/0x10\\n? tick_nohz_tick_stopped+0x16/0x90\\n? __irq_work_queue_local+0x1e5/0x330\\n? irq_work_queue+0x39/0x50\\n? __wake_up_klogd.part.0+0x79/0xc0\\n? mem_allocator_disconnect+0x73/0x150\\nmem_allocator_disconnect+0x73/0x150\\n? __pfx_mem_allocator_disconnect+0x10/0x10\\n? mark_held_locks+0xa5/0xf0\\n? rcu_is_watching+0x11/0xb0\\npage_pool_release+0x36e/0x6d0\\npage_pool_destroy+0xd7/0x440\\nxdp_unreg_mem_model+0x1a7/0x2a0\\n? __pfx_xdp_unreg_mem_model+0x10/0x10\\n? kfree+0x125/0x370\\n? bnxt_free_ring.isra.0+0x2eb/0x500\\n? bnxt_free_mem+0x5ac/0x2500\\nxdp_rxq_info_unreg+0x4a/0xd0\\nbnxt_free_mem+0x1356/0x2500\\nbnxt_close_nic+0xf0/0x3b0\\n? __pfx_bnxt_close_nic+0x10/0x10\\n? ethnl_parse_bit+0x2c6/0x6d0\\n? __pfx___nla_validate_parse+0x10/0x10\\n? __pfx_ethnl_parse_bit+0x10/0x10\\nbnxt_set_features+0x2a8/0x3e0\\n__netdev_update_features+0x4dc/0x1370\\n? ethnl_parse_bitset+0x4ff/0x750\\n? __pfx_ethnl_parse_bitset+0x10/0x10\\n? __pfx___netdev_update_features+0x10/0x10\\n? mark_held_locks+0xa5/0xf0\\n? _raw_spin_unlock_irqrestore+0x42/0x70\\n? __pm_runtime_resume+0x7d/0x110\\nethnl_set_features+0x32d/0xa20\\n\\nTo fix this problem, it uses rhashtable_lookup_fast() instead of\\nrhashtable_lookup() with rcu_read_lock().\\nUsing xa without rcu_read_lock() here is safe.\\nxa is freed by __xdp_mem_allocator_rcu_free() and this is called by\\ncall_rcu() of mem_xa_remove().\\nThe mem_xa_remove() is called by page_pool_destroy() if a reference\\ncount reaches 0.\\nThe xa is already protected by the reference count mechanism well in the\\ncontrol plane.\\nSo removing rcu_read_lock() for page_pool_destroy() is safe.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43834\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43835", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43835" + }, + { + "url": "https://git.kernel.org/stable/c/468a729b78895893d0e580ceea49bed8ada2a2bd" + }, + { + "url": "https://git.kernel.org/stable/c/f8321fa75102246d7415a6af441872f6637c93ab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43835 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43835", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix napi_skb_cache_put warning\n\nAfter the commit bdacf3e34945 (\"net: Use nested-BH locking for\nnapi_alloc_cache.\") was merged, the following warning began to appear:\n\n\t WARNING: CPU: 5 PID: 1 at net/core/skbuff.c:1451 napi_skb_cache_put+0x82/0x4b0\n\n\t __warn+0x12f/0x340\n\t napi_skb_cache_put+0x82/0x4b0\n\t napi_skb_cache_put+0x82/0x4b0\n\t report_bug+0x165/0x370\n\t handle_bug+0x3d/0x80\n\t exc_invalid_op+0x1a/0x50\n\t asm_exc_invalid_op+0x1a/0x20\n\t __free_old_xmit+0x1c8/0x510\n\t napi_skb_cache_put+0x82/0x4b0\n\t __free_old_xmit+0x1c8/0x510\n\t __free_old_xmit+0x1c8/0x510\n\t __pfx___free_old_xmit+0x10/0x10\n\nThe issue arises because virtio is assuming it's running in NAPI context\neven when it's not, such as in the netpoll case.\n\nTo resolve this, modify virtnet_poll_tx() to only set NAPI when budget\nis available. Same for virtnet_poll_cleantx(), which always assumed that\nit was in a NAPI context.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43835\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43835\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43835\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43835\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43835\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/468a729b78895893d0e580ceea49bed8ada2a2bd\",\n \"https://git.kernel.org/stable/c/f8321fa75102246d7415a6af441872f6637c93ab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvirtio_net: Fix napi_skb_cache_put warning\\n\\nAfter the commit bdacf3e34945 (\\\"net: Use nested-BH locking for\\nnapi_alloc_cache.\\\") was merged, the following warning began to appear:\\n\\n\\t WARNING: CPU: 5 PID: 1 at net/core/skbuff.c:1451 napi_skb_cache_put+0x82/0x4b0\\n\\n\\t __warn+0x12f/0x340\\n\\t napi_skb_cache_put+0x82/0x4b0\\n\\t napi_skb_cache_put+0x82/0x4b0\\n\\t report_bug+0x165/0x370\\n\\t handle_bug+0x3d/0x80\\n\\t exc_invalid_op+0x1a/0x50\\n\\t asm_exc_invalid_op+0x1a/0x20\\n\\t __free_old_xmit+0x1c8/0x510\\n\\t napi_skb_cache_put+0x82/0x4b0\\n\\t __free_old_xmit+0x1c8/0x510\\n\\t __free_old_xmit+0x1c8/0x510\\n\\t __pfx___free_old_xmit+0x10/0x10\\n\\nThe issue arises because virtio is assuming it's running in NAPI context\\neven when it's not, such as in the netpoll case.\\n\\nTo resolve this, modify virtnet_poll_tx() to only set NAPI when budget\\nis available. Same for virtnet_poll_cleantx(), which always assumed that\\nit was in a NAPI context.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43835\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43839", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43839" + }, + { + "url": "https://git.kernel.org/stable/c/6ce46045f9b90d952602e2c0b8886cfadf860bf1" + }, + { + "url": "https://git.kernel.org/stable/c/6d20c4044ab4d0e6a99aa35853e66f0aed5589e3" + }, + { + "url": "https://git.kernel.org/stable/c/ab748dd10d8742561f2980fea08ffb4f0cacfdef" + }, + { + "url": "https://git.kernel.org/stable/c/b0ff0cd0847b03c0a0abe20cfa900eabcfcb9e43" + }, + { + "url": "https://git.kernel.org/stable/c/c90b1cd7758fd4839909e838ae195d19f8065d76" + }, + { + "url": "https://git.kernel.org/stable/c/c9741a03dc8e491e57b95fba0058ab46b7e506da" + }, + { + "url": "https://git.kernel.org/stable/c/e0f48f51d55fb187400e9787192eda09fa200ff5" + }, + { + "url": "https://git.kernel.org/stable/c/f121740f69eda4da2de9a20a6687a13593e72540" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43839 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43839", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbna: adjust 'name' buf size of bna_tcb and bna_ccb structures\n\nTo have enough space to write all possible sprintf() args. Currently\n'name' size is 16, but the first '%s' specifier may already need at\nleast 16 characters, since 'bnad->netdev->name' is used there.\n\nFor '%d' specifiers, assume that they require:\n * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8\n * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX\n is 16\n\nAnd replace sprintf with snprintf.\n\nDetected using the static analysis tool - Svace.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43839\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43839\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43839\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43839\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43839\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6ce46045f9b90d952602e2c0b8886cfadf860bf1\",\n \"https://git.kernel.org/stable/c/6d20c4044ab4d0e6a99aa35853e66f0aed5589e3\",\n \"https://git.kernel.org/stable/c/ab748dd10d8742561f2980fea08ffb4f0cacfdef\",\n \"https://git.kernel.org/stable/c/b0ff0cd0847b03c0a0abe20cfa900eabcfcb9e43\",\n \"https://git.kernel.org/stable/c/c90b1cd7758fd4839909e838ae195d19f8065d76\",\n \"https://git.kernel.org/stable/c/c9741a03dc8e491e57b95fba0058ab46b7e506da\",\n \"https://git.kernel.org/stable/c/e0f48f51d55fb187400e9787192eda09fa200ff5\",\n \"https://git.kernel.org/stable/c/f121740f69eda4da2de9a20a6687a13593e72540\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbna: adjust 'name' buf size of bna_tcb and bna_ccb structures\\n\\nTo have enough space to write all possible sprintf() args. Currently\\n'name' size is 16, but the first '%s' specifier may already need at\\nleast 16 characters, since 'bnad->netdev->name' is used there.\\n\\nFor '%d' specifiers, assume that they require:\\n * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8\\n * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX\\n is 16\\n\\nAnd replace sprintf with snprintf.\\n\\nDetected using the static analysis tool - Svace.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43839\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43841", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43841" + }, + { + "url": "https://git.kernel.org/stable/c/05c4488a0e446c6ccde9f22b573950665e1cd414" + }, + { + "url": "https://git.kernel.org/stable/c/36e92b5edc8e0daa18e9325674313802ce3fbc29" + }, + { + "url": "https://git.kernel.org/stable/c/416d3c1538df005195721a200b0371d39636e05d" + }, + { + "url": "https://git.kernel.org/stable/c/93e898a264b4e0a475552ba9f99a016eb43ef942" + }, + { + "url": "https://git.kernel.org/stable/c/994fc2164a03200c3bf42fb45b3d49d9d6d33a4d" + }, + { + "url": "https://git.kernel.org/stable/c/b5d14b0c6716fad7f0c94ac6e1d6f60a49f985c7" + }, + { + "url": "https://git.kernel.org/stable/c/d3cc85a10abc8eae48988336cdd3689ab92581b3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43841 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43841", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: virt_wifi: avoid reporting connection success with wrong SSID\n\nWhen user issues a connection with a different SSID than the one\nvirt_wifi has advertised, the __cfg80211_connect_result() will\ntrigger the warning: WARN_ON(bss_not_found).\n\nThe issue is because the connection code in virt_wifi does not\ncheck the SSID from user space (it only checks the BSSID), and\nvirt_wifi will call cfg80211_connect_result() with WLAN_STATUS_SUCCESS\neven if the SSID is different from the one virt_wifi has advertised.\nEventually cfg80211 won't be able to find the cfg80211_bss and generate\nthe warning.\n\nFixed it by checking the SSID (from user space) in the connection code.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43841\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43841\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43841\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43841\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43841\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05c4488a0e446c6ccde9f22b573950665e1cd414\",\n \"https://git.kernel.org/stable/c/36e92b5edc8e0daa18e9325674313802ce3fbc29\",\n \"https://git.kernel.org/stable/c/416d3c1538df005195721a200b0371d39636e05d\",\n \"https://git.kernel.org/stable/c/93e898a264b4e0a475552ba9f99a016eb43ef942\",\n \"https://git.kernel.org/stable/c/994fc2164a03200c3bf42fb45b3d49d9d6d33a4d\",\n \"https://git.kernel.org/stable/c/b5d14b0c6716fad7f0c94ac6e1d6f60a49f985c7\",\n \"https://git.kernel.org/stable/c/d3cc85a10abc8eae48988336cdd3689ab92581b3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: virt_wifi: avoid reporting connection success with wrong SSID\\n\\nWhen user issues a connection with a different SSID than the one\\nvirt_wifi has advertised, the __cfg80211_connect_result() will\\ntrigger the warning: WARN_ON(bss_not_found).\\n\\nThe issue is because the connection code in virt_wifi does not\\ncheck the SSID from user space (it only checks the BSSID), and\\nvirt_wifi will call cfg80211_connect_result() with WLAN_STATUS_SUCCESS\\neven if the SSID is different from the one virt_wifi has advertised.\\nEventually cfg80211 won't be able to find the cfg80211_bss and generate\\nthe warning.\\n\\nFixed it by checking the SSID (from user space) in the connection code.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43841\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43842", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43842" + }, + { + "url": "https://git.kernel.org/stable/c/7a0edc3d83aff3a48813d78c9cad9daf38decc74" + }, + { + "url": "https://git.kernel.org/stable/c/85099c7ce4f9e64c66aa397cd9a37473637ab891" + }, + { + "url": "https://git.kernel.org/stable/c/96ae4de5bc4c8ba39fd072369398f59495b73f58" + }, + { + "url": "https://git.kernel.org/stable/c/a2a095c08b95372d6d0c5819b77f071af5e75366" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43842 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43842", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()\n\nIn rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.\nBut then 'rate->he_gi' is used as array index instead of 'status->he_gi'.\nThis can lead to go beyond array boundaries in case of 'rate->he_gi' is\nnot equal to 'status->he_gi' and is bigger than array size. Looks like\n\"copy-paste\" mistake.\n\nFix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43842\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43842\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43842\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43842\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43842\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/7a0edc3d83aff3a48813d78c9cad9daf38decc74\",\n \"https://git.kernel.org/stable/c/85099c7ce4f9e64c66aa397cd9a37473637ab891\",\n \"https://git.kernel.org/stable/c/96ae4de5bc4c8ba39fd072369398f59495b73f58\",\n \"https://git.kernel.org/stable/c/a2a095c08b95372d6d0c5819b77f071af5e75366\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()\\n\\nIn rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.\\nBut then 'rate->he_gi' is used as array index instead of 'status->he_gi'.\\nThis can lead to go beyond array boundaries in case of 'rate->he_gi' is\\nnot equal to 'status->he_gi' and is bigger than array size. Looks like\\n\\\"copy-paste\\\" mistake.\\n\\nFix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43842\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43844", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43844" + }, + { + "url": "https://git.kernel.org/stable/c/dda364c345913fe03ddbe4d5ae14a2754c100296" + }, + { + "url": "https://git.kernel.org/stable/c/ef0d9d2f0dc1133db3d3a1c5167190c6627146b2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43844 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43844", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: wow: fix GTK offload H2C skbuff issue\n\nWe mistakenly put skb too large and that may exceed skb->end.\nTherefore, we fix it.\n\nskbuff: skb_over_panic: text:ffffffffc09e9a9d len:416 put:204 head:ffff8fba04eca780 data:ffff8fba04eca7e0 tail:0x200 end:0x140 dev:\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:192!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 4747 Comm: kworker/u4:44 Tainted: G O 6.6.30-02659-gc18865c4dfbd #1 86547039b47e46935493f615ee31d0b2d711d35e\nHardware name: HP Meep/Meep, BIOS Google_Meep.11297.262.0 03/18/2021\nWorkqueue: events_unbound async_run_entry_fn\nRIP: 0010:skb_panic+0x5d/0x60\nCode: c6 63 8b 8f bb 4c 0f 45 f6 48 c7 c7 4d 89 8b bb 48 89 ce 44 89 d1 41 56 53 41 53 ff b0 c8 00 00 00 e8 27 5f 23 00 48 83 c4 20 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44\nRSP: 0018:ffffaa700144bad0 EFLAGS: 00010282\nRAX: 0000000000000089 RBX: 0000000000000140 RCX: 14432c5aad26c900\nRDX: 0000000000000000 RSI: 00000000ffffdfff RDI: 0000000000000001\nRBP: ffffaa700144bae0 R08: 0000000000000000 R09: ffffaa700144b920\nR10: 00000000ffffdfff R11: ffffffffbc28fbc0 R12: ffff8fba4e57a010\nR13: 0000000000000000 R14: ffffffffbb8f8b63 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8fba7bd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007999c4ad1000 CR3: 000000015503a000 CR4: 0000000000350ee0\nCall Trace:\n \n ? __die_body+0x1f/0x70\n ? die+0x3d/0x60\n ? do_trap+0xa4/0x110\n ? skb_panic+0x5d/0x60\n ? do_error_trap+0x6d/0x90\n ? skb_panic+0x5d/0x60\n ? handle_invalid_op+0x30/0x40\n ? skb_panic+0x5d/0x60\n ? exc_invalid_op+0x3c/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? skb_panic+0x5d/0x60\n skb_put+0x49/0x50\n rtw89_fw_h2c_wow_gtk_ofld+0xbd/0x220 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n rtw89_wow_resume+0x31f/0x540 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n rtw89_ops_resume+0x2b/0xa0 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n ieee80211_reconfig+0x84/0x13e0 [mac80211 818a894e3b77da6298269c59ed7cdff065a4ed52]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n ? dev_printk_emit+0x51/0x70\n ? _dev_info+0x6e/0x90\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n wiphy_resume+0x89/0x180 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n dpm_run_callback+0x3c/0x140\n device_resume+0x1f9/0x3c0\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x29/0xd0\n process_scheduled_works+0x1d8/0x3d0\n worker_thread+0x1fc/0x2f0\n kthread+0xed/0x110\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x38/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \nModules linked in: ccm 8021q r8153_ecm cdc_ether usbnet r8152 mii dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc uinput rfcomm cmac algif_hash rtw89_8922ae(O) algif_skcipher rtw89_8922a(O) af_alg rtw89_pci(O) rtw89_core(O) btusb(O) snd_soc_sst_bxt_da7219_max98357a btbcm(O) snd_soc_hdac_hdmi btintel(O) snd_soc_intel_hda_dsp_common snd_sof_probes btrtl(O) btmtk(O) snd_hda_codec_hdmi snd_soc_dmic uvcvideo videobuf2_vmalloc uvc videobuf2_memops videobuf2_v4l2 videobuf2_common snd_sof_pci_intel_apl snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_intel_hda soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_pci snd_sof_xtensa_dsp mac80211 snd_soc_acpi_intel_match snd_soc_acpi snd_sof snd_sof_utils soundwire_bus snd_soc_max98357a snd_soc_avs snd_soc_hda_codec snd_hda_ext_core snd_intel_dspcfg snd_intel_sdw_acpi snd_soc_da7219 snd_hda_codec snd_hwdep snd_hda_core veth ip6table_nat xt_MASQUERADE xt_cgroup fuse bluetooth ecdh_generic\n cfg80211 ecc\ngsmi: Log Shutdown \n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43844\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43844\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43844\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43844\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43844\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/dda364c345913fe03ddbe4d5ae14a2754c100296\",\n \"https://git.kernel.org/stable/c/ef0d9d2f0dc1133db3d3a1c5167190c6627146b2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: rtw89: wow: fix GTK offload H2C skbuff issue\\n\\nWe mistakenly put skb too large and that may exceed skb->end.\\nTherefore, we fix it.\\n\\nskbuff: skb_over_panic: text:ffffffffc09e9a9d len:416 put:204 head:ffff8fba04eca780 data:ffff8fba04eca7e0 tail:0x200 end:0x140 dev:\\n------------[ cut here ]------------\\nkernel BUG at net/core/skbuff.c:192!\\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\\nCPU: 1 PID: 4747 Comm: kworker/u4:44 Tainted: G O 6.6.30-02659-gc18865c4dfbd #1 86547039b47e46935493f615ee31d0b2d711d35e\\nHardware name: HP Meep/Meep, BIOS Google_Meep.11297.262.0 03/18/2021\\nWorkqueue: events_unbound async_run_entry_fn\\nRIP: 0010:skb_panic+0x5d/0x60\\nCode: c6 63 8b 8f bb 4c 0f 45 f6 48 c7 c7 4d 89 8b bb 48 89 ce 44 89 d1 41 56 53 41 53 ff b0 c8 00 00 00 e8 27 5f 23 00 48 83 c4 20 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44\\nRSP: 0018:ffffaa700144bad0 EFLAGS: 00010282\\nRAX: 0000000000000089 RBX: 0000000000000140 RCX: 14432c5aad26c900\\nRDX: 0000000000000000 RSI: 00000000ffffdfff RDI: 0000000000000001\\nRBP: ffffaa700144bae0 R08: 0000000000000000 R09: ffffaa700144b920\\nR10: 00000000ffffdfff R11: ffffffffbc28fbc0 R12: ffff8fba4e57a010\\nR13: 0000000000000000 R14: ffffffffbb8f8b63 R15: 0000000000000000\\nFS: 0000000000000000(0000) GS:ffff8fba7bd00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007999c4ad1000 CR3: 000000015503a000 CR4: 0000000000350ee0\\nCall Trace:\\n \\n ? __die_body+0x1f/0x70\\n ? die+0x3d/0x60\\n ? do_trap+0xa4/0x110\\n ? skb_panic+0x5d/0x60\\n ? do_error_trap+0x6d/0x90\\n ? skb_panic+0x5d/0x60\\n ? handle_invalid_op+0x30/0x40\\n ? skb_panic+0x5d/0x60\\n ? exc_invalid_op+0x3c/0x50\\n ? asm_exc_invalid_op+0x16/0x20\\n ? skb_panic+0x5d/0x60\\n skb_put+0x49/0x50\\n rtw89_fw_h2c_wow_gtk_ofld+0xbd/0x220 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\\n rtw89_wow_resume+0x31f/0x540 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\\n rtw89_ops_resume+0x2b/0xa0 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\\n ieee80211_reconfig+0x84/0x13e0 [mac80211 818a894e3b77da6298269c59ed7cdff065a4ed52]\\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\\n ? dev_printk_emit+0x51/0x70\\n ? _dev_info+0x6e/0x90\\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\\n wiphy_resume+0x89/0x180 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\\n dpm_run_callback+0x3c/0x140\\n device_resume+0x1f9/0x3c0\\n ? __pfx_dpm_watchdog_handler+0x10/0x10\\n async_resume+0x1d/0x30\\n async_run_entry_fn+0x29/0xd0\\n process_scheduled_works+0x1d8/0x3d0\\n worker_thread+0x1fc/0x2f0\\n kthread+0xed/0x110\\n ? __pfx_worker_thread+0x10/0x10\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x38/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \\nModules linked in: ccm 8021q r8153_ecm cdc_ether usbnet r8152 mii dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc uinput rfcomm cmac algif_hash rtw89_8922ae(O) algif_skcipher rtw89_8922a(O) af_alg rtw89_pci(O) rtw89_core(O) btusb(O) snd_soc_sst_bxt_da7219_max98357a btbcm(O) snd_soc_hdac_hdmi btintel(O) snd_soc_intel_hda_dsp_common snd_sof_probes btrtl(O) btmtk(O) snd_hda_codec_hdmi snd_soc_dmic uvcvideo videobuf2_vmalloc uvc videobuf2_memops videobuf2_v4l2 videobuf2_common snd_sof_pci_intel_apl snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_intel_hda soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_pci snd_sof_xtensa_dsp mac80211 snd_soc_acpi_intel_match snd_soc_acpi snd_sof snd_sof_utils soundwire_bus snd_soc_max98357a snd_soc_avs snd_soc_hda_codec snd_hda_ext_core snd_intel_dspcfg snd_intel_sdw_acpi snd_soc_da7219 snd_hda_codec snd_hwdep snd_hda_core veth ip6table_nat xt_MASQUERADE xt_cgroup fuse bluetooth ecdh_generic\\n cfg80211 ecc\\ngsmi: Log Shutdown \\n---truncated---\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43844\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43846", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43846" + }, + { + "url": "https://git.kernel.org/stable/c/1936fa05a180834c3b52e0439a6bddc07814d3eb" + }, + { + "url": "https://git.kernel.org/stable/c/22ae17a267f4812861f0c644186c3421ff97dbfc" + }, + { + "url": "https://git.kernel.org/stable/c/499f742fed42e74f1321f4b12ca196a66a2b49fc" + }, + { + "url": "https://git.kernel.org/stable/c/565213e005557eb6cc4e42189d26eb300e02f170" + }, + { + "url": "https://git.kernel.org/stable/c/5adc61d29bbb461d7f7c2b48dceaa90ecd182eb7" + }, + { + "url": "https://git.kernel.org/stable/c/8161263362154cbebfbf4808097b956a6a8cb98a" + }, + { + "url": "https://git.kernel.org/stable/c/b4a3a89fffcdf09702b1f161b914e52abca1894d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43846 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43846", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib: objagg: Fix general protection fault\n\nThe library supports aggregation of objects into other objects only if\nthe parent object does not have a parent itself. That is, nesting is not\nsupported.\n\nAggregation happens in two cases: Without and with hints, where hints\nare a pre-computed recommendation on how to aggregate the provided\nobjects.\n\nNesting is not possible in the first case due to a check that prevents\nit, but in the second case there is no check because the assumption is\nthat nesting cannot happen when creating objects based on hints. The\nviolation of this assumption leads to various warnings and eventually to\na general protection fault [1].\n\nBefore fixing the root cause, error out when nesting happens and warn.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdead000000000d90: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 1083 Comm: kworker/1:9 Tainted: G W 6.9.0-rc6-custom-gd9b4f1cca7fb #7\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_erp_bf_insert+0x25/0x80\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_entry_add+0x256/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43846\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43846\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43846\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43846\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43846\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1936fa05a180834c3b52e0439a6bddc07814d3eb\",\n \"https://git.kernel.org/stable/c/22ae17a267f4812861f0c644186c3421ff97dbfc\",\n \"https://git.kernel.org/stable/c/499f742fed42e74f1321f4b12ca196a66a2b49fc\",\n \"https://git.kernel.org/stable/c/565213e005557eb6cc4e42189d26eb300e02f170\",\n \"https://git.kernel.org/stable/c/5adc61d29bbb461d7f7c2b48dceaa90ecd182eb7\",\n \"https://git.kernel.org/stable/c/8161263362154cbebfbf4808097b956a6a8cb98a\",\n \"https://git.kernel.org/stable/c/b4a3a89fffcdf09702b1f161b914e52abca1894d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlib: objagg: Fix general protection fault\\n\\nThe library supports aggregation of objects into other objects only if\\nthe parent object does not have a parent itself. That is, nesting is not\\nsupported.\\n\\nAggregation happens in two cases: Without and with hints, where hints\\nare a pre-computed recommendation on how to aggregate the provided\\nobjects.\\n\\nNesting is not possible in the first case due to a check that prevents\\nit, but in the second case there is no check because the assumption is\\nthat nesting cannot happen when creating objects based on hints. The\\nviolation of this assumption leads to various warnings and eventually to\\na general protection fault [1].\\n\\nBefore fixing the root cause, error out when nesting happens and warn.\\n\\n[1]\\ngeneral protection fault, probably for non-canonical address 0xdead000000000d90: 0000 [#1] PREEMPT SMP PTI\\nCPU: 1 PID: 1083 Comm: kworker/1:9 Tainted: G W 6.9.0-rc6-custom-gd9b4f1cca7fb #7\\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:mlxsw_sp_acl_erp_bf_insert+0x25/0x80\\n[...]\\nCall Trace:\\n \\n mlxsw_sp_acl_atcam_entry_add+0x256/0x3c0\\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\\n process_one_work+0x151/0x370\\n worker_thread+0x2cb/0x3e0\\n kthread+0xd0/0x100\\n ret_from_fork+0x34/0x50\\n ret_from_fork_asm+0x1a/0x30\\n \",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43846\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43849", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43849" + }, + { + "url": "https://git.kernel.org/stable/c/107924c14e3ddd85119ca43c26a4ee1056fa9b84" + }, + { + "url": "https://git.kernel.org/stable/c/3e815626d73e05152a8142f6e44aecc4133e6e08" + }, + { + "url": "https://git.kernel.org/stable/c/475a77fb3f0e1d527f56c60b79f5879661df5b80" + }, + { + "url": "https://git.kernel.org/stable/c/8543269567e2fb3d976a8255c5e348aed14f98bc" + }, + { + "url": "https://git.kernel.org/stable/c/d0870c4847e77a49c2f91bb2a8e0fa3c1f8dea5c" + }, + { + "url": "https://git.kernel.org/stable/c/eab05737ee22216250fe20d27f5a596da5ea6eb7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43849 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43849", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pdr: protect locator_addr with the main mutex\n\nIf the service locator server is restarted fast enough, the PDR can\nrewrite locator_addr fields concurrently. Protect them by placing\nmodification of those fields under the main pdr->lock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43849\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43849\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43849\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43849\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43849\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/107924c14e3ddd85119ca43c26a4ee1056fa9b84\",\n \"https://git.kernel.org/stable/c/3e815626d73e05152a8142f6e44aecc4133e6e08\",\n \"https://git.kernel.org/stable/c/475a77fb3f0e1d527f56c60b79f5879661df5b80\",\n \"https://git.kernel.org/stable/c/8543269567e2fb3d976a8255c5e348aed14f98bc\",\n \"https://git.kernel.org/stable/c/d0870c4847e77a49c2f91bb2a8e0fa3c1f8dea5c\",\n \"https://git.kernel.org/stable/c/eab05737ee22216250fe20d27f5a596da5ea6eb7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: qcom: pdr: protect locator_addr with the main mutex\\n\\nIf the service locator server is restarted fast enough, the PDR can\\nrewrite locator_addr fields concurrently. Protect them by placing\\nmodification of those fields under the main pdr->lock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43849\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43853", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43853" + }, + { + "url": "https://git.kernel.org/stable/c/1be59c97c83ccd67a519d8a49486b3a8a73ca28a" + }, + { + "url": "https://git.kernel.org/stable/c/29a8d4e02fd4840028c38ceb1536cc8f82a257d4" + }, + { + "url": "https://git.kernel.org/stable/c/29ac1d238b3bf126af36037df80d7ecc4822341e" + }, + { + "url": "https://git.kernel.org/stable/c/96226fbed566f3f686f53a489a29846f2d538080" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43853 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43853", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/cpuset: Prevent UAF in proc_cpuset_show()\n\nAn UAF can happen when /proc/cpuset is read as reported in [1].\n\nThis can be reproduced by the following methods:\n1.add an mdelay(1000) before acquiring the cgroup_lock In the\n cgroup_path_ns function.\n2.$cat /proc//cpuset repeatly.\n3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/\n$umount /sys/fs/cgroup/cpuset/ repeatly.\n\nThe race that cause this bug can be shown as below:\n\n(umount)\t\t|\t(cat /proc//cpuset)\ncss_release\t\t|\tproc_cpuset_show\ncss_release_work_fn\t|\tcss = task_get_css(tsk, cpuset_cgrp_id);\ncss_free_rwork_fn\t|\tcgroup_path_ns(css->cgroup, ...);\ncgroup_destroy_root\t|\tmutex_lock(&cgroup_mutex);\nrebind_subsystems\t|\ncgroup_free_root \t|\n\t\t\t|\t// cgrp was freed, UAF\n\t\t\t|\tcgroup_path_ns_locked(cgrp,..);\n\nWhen the cpuset is initialized, the root node top_cpuset.css.cgrp\nwill point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will\nallocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated\n&cgroup_root.cgrp. When the umount operation is executed,\ntop_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.\n\nThe problem is that when rebinding to cgrp_dfl_root, there are cases\nwhere the cgroup_root allocated by setting up the root for cgroup v1\nis cached. This could lead to a Use-After-Free (UAF) if it is\nsubsequently freed. The descendant cgroups of cgroup v1 can only be\nfreed after the css is released. However, the css of the root will never\nbe released, yet the cgroup_root should be freed when it is unmounted.\nThis means that obtaining a reference to the css of the root does\nnot guarantee that css.cgrp->root will not be freed.\n\nFix this problem by using rcu_read_lock in proc_cpuset_show().\nAs cgroup_root is kfree_rcu after commit d23b5c577715\n(\"cgroup: Make operations on the cgroup root_list RCU safe\"),\ncss->cgroup won't be freed during the critical section.\nTo call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to\nreplace task_get_css with task_css.\n\n[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43853\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43853\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43853\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43853\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43853\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1be59c97c83ccd67a519d8a49486b3a8a73ca28a\",\n \"https://git.kernel.org/stable/c/29a8d4e02fd4840028c38ceb1536cc8f82a257d4\",\n \"https://git.kernel.org/stable/c/29ac1d238b3bf126af36037df80d7ecc4822341e\",\n \"https://git.kernel.org/stable/c/96226fbed566f3f686f53a489a29846f2d538080\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncgroup/cpuset: Prevent UAF in proc_cpuset_show()\\n\\nAn UAF can happen when /proc/cpuset is read as reported in [1].\\n\\nThis can be reproduced by the following methods:\\n1.add an mdelay(1000) before acquiring the cgroup_lock In the\\n cgroup_path_ns function.\\n2.$cat /proc//cpuset repeatly.\\n3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/\\n$umount /sys/fs/cgroup/cpuset/ repeatly.\\n\\nThe race that cause this bug can be shown as below:\\n\\n(umount)\\t\\t|\\t(cat /proc//cpuset)\\ncss_release\\t\\t|\\tproc_cpuset_show\\ncss_release_work_fn\\t|\\tcss = task_get_css(tsk, cpuset_cgrp_id);\\ncss_free_rwork_fn\\t|\\tcgroup_path_ns(css->cgroup, ...);\\ncgroup_destroy_root\\t|\\tmutex_lock(&cgroup_mutex);\\nrebind_subsystems\\t|\\ncgroup_free_root \\t|\\n\\t\\t\\t|\\t// cgrp was freed, UAF\\n\\t\\t\\t|\\tcgroup_path_ns_locked(cgrp,..);\\n\\nWhen the cpuset is initialized, the root node top_cpuset.css.cgrp\\nwill point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will\\nallocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated\\n&cgroup_root.cgrp. When the umount operation is executed,\\ntop_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.\\n\\nThe problem is that when rebinding to cgrp_dfl_root, there are cases\\nwhere the cgroup_root allocated by setting up the root for cgroup v1\\nis cached. This could lead to a Use-After-Free (UAF) if it is\\nsubsequently freed. The descendant cgroups of cgroup v1 can only be\\nfreed after the css is released. However, the css of the root will never\\nbe released, yet the cgroup_root should be freed when it is unmounted.\\nThis means that obtaining a reference to the css of the root does\\nnot guarantee that css.cgrp->root will not be freed.\\n\\nFix this problem by using rcu_read_lock in proc_cpuset_show().\\nAs cgroup_root is kfree_rcu after commit d23b5c577715\\n(\\\"cgroup: Make operations on the cgroup root_list RCU safe\\\"),\\ncss->cgroup won't be freed during the critical section.\\nTo call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to\\nreplace task_get_css with task_css.\\n\\n[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43853\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43854", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43854" + }, + { + "url": "https://git.kernel.org/stable/c/23a19655fb56f241e592041156dfb1c6d04da644" + }, + { + "url": "https://git.kernel.org/stable/c/899ee2c3829c5ac14bfc7d3c4a5846c0b709b78f" + }, + { + "url": "https://git.kernel.org/stable/c/cf6b45ea7a8df0f61bded1dc4a8561ac6ad143d2" + }, + { + "url": "https://git.kernel.org/stable/c/d418313bd8f55c079a7da12651951b489a638ac1" + }, + { + "url": "https://git.kernel.org/stable/c/ebc0e91ba76dc6544fff9f5b66408b1982806a00" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43854 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43854", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: initialize integrity buffer to zero before writing it to media\n\nMetadata added by bio_integrity_prep is using plain kmalloc, which leads\nto random kernel memory being written media. For PI metadata this is\nlimited to the app tag that isn't used by kernel generated metadata,\nbut for non-PI metadata the entire buffer leaks kernel memory.\n\nFix this by adding the __GFP_ZERO flag to allocations for writes.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43854\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43854\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43854\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43854\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43854\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23a19655fb56f241e592041156dfb1c6d04da644\",\n \"https://git.kernel.org/stable/c/899ee2c3829c5ac14bfc7d3c4a5846c0b709b78f\",\n \"https://git.kernel.org/stable/c/cf6b45ea7a8df0f61bded1dc4a8561ac6ad143d2\",\n \"https://git.kernel.org/stable/c/d418313bd8f55c079a7da12651951b489a638ac1\",\n \"https://git.kernel.org/stable/c/ebc0e91ba76dc6544fff9f5b66408b1982806a00\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: initialize integrity buffer to zero before writing it to media\\n\\nMetadata added by bio_integrity_prep is using plain kmalloc, which leads\\nto random kernel memory being written media. For PI metadata this is\\nlimited to the app tag that isn't used by kernel generated metadata,\\nbut for non-PI metadata the entire buffer leaks kernel memory.\\n\\nFix this by adding the __GFP_ZERO flag to allocations for writes.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43854\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43856", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43856" + }, + { + "url": "https://git.kernel.org/stable/c/1fe97f68fce1ba24bf823bfb0eb0956003473130" + }, + { + "url": "https://git.kernel.org/stable/c/22094f5f52e7bc16c5bf9613365049383650b02e" + }, + { + "url": "https://git.kernel.org/stable/c/257193083e8f43907e99ea633820fc2b3bcd24c7" + }, + { + "url": "https://git.kernel.org/stable/c/28e8b7406d3a1f5329a03aa25a43aa28e087cb20" + }, + { + "url": "https://git.kernel.org/stable/c/2f7bbdc744f2e7051d1cb47c8e082162df1923c9" + }, + { + "url": "https://git.kernel.org/stable/c/87b34c8c94e29fa01d744e5147697f592998d954" + }, + { + "url": "https://git.kernel.org/stable/c/f993a4baf6b622232e4c190d34c220179e5d61eb" + }, + { + "url": "https://git.kernel.org/stable/c/fe2d246080f035e0af5793cb79067ba125e4fb63" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43856 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43856", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: fix call order in dmam_free_coherent\n\ndmam_free_coherent() frees a DMA allocation, which makes the\nfreed vaddr available for reuse, then calls devres_destroy()\nto remove and free the data structure used to track the DMA\nallocation. Between the two calls, it is possible for a\nconcurrent task to make an allocation with the same vaddr\nand add it to the devres list.\n\nIf this happens, there will be two entries in the devres list\nwith the same vaddr and devres_destroy() can free the wrong\nentry, triggering the WARN_ON() in dmam_match.\n\nFix by destroying the devres entry before freeing the DMA\nallocation.\n\n kokonut //net/encryption\n http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43856\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43856\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43856\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43856\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43856\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1fe97f68fce1ba24bf823bfb0eb0956003473130\",\n \"https://git.kernel.org/stable/c/22094f5f52e7bc16c5bf9613365049383650b02e\",\n \"https://git.kernel.org/stable/c/257193083e8f43907e99ea633820fc2b3bcd24c7\",\n \"https://git.kernel.org/stable/c/28e8b7406d3a1f5329a03aa25a43aa28e087cb20\",\n \"https://git.kernel.org/stable/c/2f7bbdc744f2e7051d1cb47c8e082162df1923c9\",\n \"https://git.kernel.org/stable/c/87b34c8c94e29fa01d744e5147697f592998d954\",\n \"https://git.kernel.org/stable/c/f993a4baf6b622232e4c190d34c220179e5d61eb\",\n \"https://git.kernel.org/stable/c/fe2d246080f035e0af5793cb79067ba125e4fb63\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndma: fix call order in dmam_free_coherent\\n\\ndmam_free_coherent() frees a DMA allocation, which makes the\\nfreed vaddr available for reuse, then calls devres_destroy()\\nto remove and free the data structure used to track the DMA\\nallocation. Between the two calls, it is possible for a\\nconcurrent task to make an allocation with the same vaddr\\nand add it to the devres list.\\n\\nIf this happens, there will be two entries in the devres list\\nwith the same vaddr and devres_destroy() can free the wrong\\nentry, triggering the WARN_ON() in dmam_match.\\n\\nFix by destroying the devres entry before freeing the DMA\\nallocation.\\n\\n kokonut //net/encryption\\n http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43856\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43858", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43858" + }, + { + "url": "https://git.kernel.org/stable/c/538a27c8048f081a5ddd286f886eb986fbbc7f80" + }, + { + "url": "https://git.kernel.org/stable/c/55b732c8b09b41148eaab2fa8e31b0af47671e00" + }, + { + "url": "https://git.kernel.org/stable/c/63f7fdf733add82f126ea00e2e48f6eba15ac4b9" + }, + { + "url": "https://git.kernel.org/stable/c/6aa6892a90a5a7fabffe5692ab9f06a7a46c6e42" + }, + { + "url": "https://git.kernel.org/stable/c/8d8f9a477de0d7962342eedf2a599215b7c63d28" + }, + { + "url": "https://git.kernel.org/stable/c/9b3a4345957f5372041bc4f59de322f62653e862" + }, + { + "url": "https://git.kernel.org/stable/c/f73f969b2eb39ad8056f6c7f3a295fa2f85e313a" + }, + { + "url": "https://git.kernel.org/stable/c/ff14eadc278663cac69d57d3ca7fb2f394e1f8a7" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43858 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43858", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix array-index-out-of-bounds in diFree", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43858\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43858\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43858\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43858\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43858\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/538a27c8048f081a5ddd286f886eb986fbbc7f80\",\n \"https://git.kernel.org/stable/c/55b732c8b09b41148eaab2fa8e31b0af47671e00\",\n \"https://git.kernel.org/stable/c/63f7fdf733add82f126ea00e2e48f6eba15ac4b9\",\n \"https://git.kernel.org/stable/c/6aa6892a90a5a7fabffe5692ab9f06a7a46c6e42\",\n \"https://git.kernel.org/stable/c/8d8f9a477de0d7962342eedf2a599215b7c63d28\",\n \"https://git.kernel.org/stable/c/9b3a4345957f5372041bc4f59de322f62653e862\",\n \"https://git.kernel.org/stable/c/f73f969b2eb39ad8056f6c7f3a295fa2f85e313a\",\n \"https://git.kernel.org/stable/c/ff14eadc278663cac69d57d3ca7fb2f394e1f8a7\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: Fix array-index-out-of-bounds in diFree\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43858\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43860", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43860" + }, + { + "url": "https://git.kernel.org/stable/c/2fa26ca8b786888673689ccc9da6094150939982" + }, + { + "url": "https://git.kernel.org/stable/c/4e13b7c23988c0a13fdca92e94296a3bc2ff9f21" + }, + { + "url": "https://git.kernel.org/stable/c/6884fd0283e0831be153fb8d82d9eda8a55acaaa" + }, + { + "url": "https://git.kernel.org/stable/c/6b50462b473fdccdc0dfad73001147e40ff19a66" + }, + { + "url": "https://git.kernel.org/stable/c/6c9ea3547fad252fe9ae5d3ed7e066e2085bf3a2" + }, + { + "url": "https://git.kernel.org/stable/c/84beb7738459cac0ff9f8a7c4654b8ff82a702c0" + }, + { + "url": "https://git.kernel.org/stable/c/9a17cf8b2ce483fa75258bc2cdcf628f24bcf5f8" + }, + { + "url": "https://git.kernel.org/stable/c/c877a5f5268d4ab8224b9c9fbce3d746e4e72bc9" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43860 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43860", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_rproc: Skip over memory region when node value is NULL\n\nIn imx_rproc_addr_init() \"nph = of_count_phandle_with_args()\" just counts\nnumber of phandles. But phandles may be empty. So of_parse_phandle() in\nthe parsing loop (0 < a < nph) may return NULL which is later dereferenced.\nAdjust this issue by adding NULL-return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[Fixed title to fit within the prescribed 70-75 charcters]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43860\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43860\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43860\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43860\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43860\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2fa26ca8b786888673689ccc9da6094150939982\",\n \"https://git.kernel.org/stable/c/4e13b7c23988c0a13fdca92e94296a3bc2ff9f21\",\n \"https://git.kernel.org/stable/c/6884fd0283e0831be153fb8d82d9eda8a55acaaa\",\n \"https://git.kernel.org/stable/c/6b50462b473fdccdc0dfad73001147e40ff19a66\",\n \"https://git.kernel.org/stable/c/6c9ea3547fad252fe9ae5d3ed7e066e2085bf3a2\",\n \"https://git.kernel.org/stable/c/84beb7738459cac0ff9f8a7c4654b8ff82a702c0\",\n \"https://git.kernel.org/stable/c/9a17cf8b2ce483fa75258bc2cdcf628f24bcf5f8\",\n \"https://git.kernel.org/stable/c/c877a5f5268d4ab8224b9c9fbce3d746e4e72bc9\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nremoteproc: imx_rproc: Skip over memory region when node value is NULL\\n\\nIn imx_rproc_addr_init() \\\"nph = of_count_phandle_with_args()\\\" just counts\\nnumber of phandles. But phandles may be empty. So of_parse_phandle() in\\nthe parsing loop (0 < a < nph) may return NULL which is later dereferenced.\\nAdjust this issue by adding NULL-return check.\\n\\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\\n\\n[Fixed title to fit within the prescribed 70-75 charcters]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43860\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43861", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43861" + }, + { + "url": "https://git.kernel.org/stable/c/37c093449704017870604994ba9b813cdb9475a4" + }, + { + "url": "https://git.kernel.org/stable/c/3c90a69533b5bba73401ef884d033ea49ee99662" + }, + { + "url": "https://git.kernel.org/stable/c/7ab107544b777c3bd7feb9fe447367d8edd5b202" + }, + { + "url": "https://git.kernel.org/stable/c/c4251a3deccad852b27e60625f31fba6cc14372f" + }, + { + "url": "https://git.kernel.org/stable/c/c6c5b91424fafc0f83852d961c10c7e43a001882" + }, + { + "url": "https://git.kernel.org/stable/c/da518cc9b64df391795d9952aed551e0f782e446" + }, + { + "url": "https://git.kernel.org/stable/c/e87f52225e04a7001bf55bbd7a330fa4252327b5" + }, + { + "url": "https://git.kernel.org/stable/c/f2c353227de14b0289298ffc3ba92058c4768384" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43861 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43861", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: qmi_wwan: fix memory leak for not ip packets\n\nFree the unused skb when not ip packets arrive.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43861\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43861\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43861\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43861\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43861\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/37c093449704017870604994ba9b813cdb9475a4\",\n \"https://git.kernel.org/stable/c/3c90a69533b5bba73401ef884d033ea49ee99662\",\n \"https://git.kernel.org/stable/c/7ab107544b777c3bd7feb9fe447367d8edd5b202\",\n \"https://git.kernel.org/stable/c/c4251a3deccad852b27e60625f31fba6cc14372f\",\n \"https://git.kernel.org/stable/c/c6c5b91424fafc0f83852d961c10c7e43a001882\",\n \"https://git.kernel.org/stable/c/da518cc9b64df391795d9952aed551e0f782e446\",\n \"https://git.kernel.org/stable/c/e87f52225e04a7001bf55bbd7a330fa4252327b5\",\n \"https://git.kernel.org/stable/c/f2c353227de14b0289298ffc3ba92058c4768384\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: usb: qmi_wwan: fix memory leak for not ip packets\\n\\nFree the unused skb when not ip packets arrive.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43861\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43863", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43863" + }, + { + "url": "https://git.kernel.org/stable/c/3b933b16c996af8adb6bc1b5748a63dfb41a82bc" + }, + { + "url": "https://git.kernel.org/stable/c/9e20d028d8d1deb1e7fed18f22ffc01669cf3237" + }, + { + "url": "https://git.kernel.org/stable/c/a8943969f9ead2fd3044fc826140a21622ef830e" + }, + { + "url": "https://git.kernel.org/stable/c/c98ab18b9f315ff977c2c65d7c71298ef98be8e3" + }, + { + "url": "https://git.kernel.org/stable/c/e58337100721f3cc0c7424a18730e4f39844934f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43863 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43863", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a deadlock in dma buf fence polling\n\nIntroduce a version of the fence ops that on release doesn't remove\nthe fence from the pending list, and thus doesn't require a lock to\nfix poll->fence wait->fence unref deadlocks.\n\nvmwgfx overwrites the wait callback to iterate over the list of all\nfences and update their status, to do that it holds a lock to prevent\nthe list modifcations from other threads. The fence destroy callback\nboth deletes the fence and removes it from the list of pending\nfences, for which it holds a lock.\n\ndma buf polling cb unrefs a fence after it's been signaled: so the poll\ncalls the wait, which signals the fences, which are being destroyed.\nThe destruction tries to acquire the lock on the pending fences list\nwhich it can never get because it's held by the wait from which it\nwas called.\n\nOld bug, but not a lot of userspace apps were using dma-buf polling\ninterfaces. Fix those, in particular this fixes KDE stalls/deadlock.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43863\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43863\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43863\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43863\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43863\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3b933b16c996af8adb6bc1b5748a63dfb41a82bc\",\n \"https://git.kernel.org/stable/c/9e20d028d8d1deb1e7fed18f22ffc01669cf3237\",\n \"https://git.kernel.org/stable/c/a8943969f9ead2fd3044fc826140a21622ef830e\",\n \"https://git.kernel.org/stable/c/c98ab18b9f315ff977c2c65d7c71298ef98be8e3\",\n \"https://git.kernel.org/stable/c/e58337100721f3cc0c7424a18730e4f39844934f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vmwgfx: Fix a deadlock in dma buf fence polling\\n\\nIntroduce a version of the fence ops that on release doesn't remove\\nthe fence from the pending list, and thus doesn't require a lock to\\nfix poll->fence wait->fence unref deadlocks.\\n\\nvmwgfx overwrites the wait callback to iterate over the list of all\\nfences and update their status, to do that it holds a lock to prevent\\nthe list modifcations from other threads. The fence destroy callback\\nboth deletes the fence and removes it from the list of pending\\nfences, for which it holds a lock.\\n\\ndma buf polling cb unrefs a fence after it's been signaled: so the poll\\ncalls the wait, which signals the fences, which are being destroyed.\\nThe destruction tries to acquire the lock on the pending fences list\\nwhich it can never get because it's held by the wait from which it\\nwas called.\\n\\nOld bug, but not a lot of userspace apps were using dma-buf polling\\ninterfaces. Fix those, in particular this fixes KDE stalls/deadlock.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43863\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43866", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43866" + }, + { + "url": "https://git.kernel.org/stable/c/1b75da22ed1e6171e261bc9265370162553d5393" + }, + { + "url": "https://git.kernel.org/stable/c/6048dec754554a1303d632be6042d3feb3295285" + }, + { + "url": "https://git.kernel.org/stable/c/6b6c2ebd83f2bf97e8f221479372aaca97a4a9b2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43866 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43866", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always drain health in shutdown callback\n\nThere is no point in recovery during device shutdown. if health\nwork started need to wait for it to avoid races and NULL pointer\naccess.\n\nHence, drain health WQ on shutdown callback.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43866\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43866\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43866\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43866\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43866\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b75da22ed1e6171e261bc9265370162553d5393\",\n \"https://git.kernel.org/stable/c/6048dec754554a1303d632be6042d3feb3295285\",\n \"https://git.kernel.org/stable/c/6b6c2ebd83f2bf97e8f221479372aaca97a4a9b2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: Always drain health in shutdown callback\\n\\nThere is no point in recovery during device shutdown. if health\\nwork started need to wait for it to avoid races and NULL pointer\\naccess.\\n\\nHence, drain health WQ on shutdown callback.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43866\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43867", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43867" + }, + { + "url": "https://git.kernel.org/stable/c/16998763c62bb465ebc409d0373b9cdcef1a61a6" + }, + { + "url": "https://git.kernel.org/stable/c/2a1b327d57a8ac080977633a18999f032d7e9e3f" + }, + { + "url": "https://git.kernel.org/stable/c/3bcb8bba72ce89667fa863054956267c450c47ef" + }, + { + "url": "https://git.kernel.org/stable/c/906372e753c5027a1dc88743843b6aa2ad1aaecf" + }, + { + "url": "https://git.kernel.org/stable/c/a9bf3efc33f1fbf88787a277f7349459283c9b95" + }, + { + "url": "https://git.kernel.org/stable/c/ebebba4d357b6c67f96776a48ddbaf0060fa4c10" + }, + { + "url": "https://git.kernel.org/stable/c/f23cd66933fe76b84d8e282e5606b4d99068c320" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43867 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43867", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: prime: fix refcount underflow\n\nCalling nouveau_bo_ref() on a nouveau_bo without initializing it (and\nhence the backing ttm_bo) leads to a refcount underflow.\n\nInstead of calling nouveau_bo_ref() in the unwind path of\ndrm_gem_object_init(), clean things up manually.\n\n(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43867\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43867\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43867\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43867\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43867\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16998763c62bb465ebc409d0373b9cdcef1a61a6\",\n \"https://git.kernel.org/stable/c/2a1b327d57a8ac080977633a18999f032d7e9e3f\",\n \"https://git.kernel.org/stable/c/3bcb8bba72ce89667fa863054956267c450c47ef\",\n \"https://git.kernel.org/stable/c/906372e753c5027a1dc88743843b6aa2ad1aaecf\",\n \"https://git.kernel.org/stable/c/a9bf3efc33f1fbf88787a277f7349459283c9b95\",\n \"https://git.kernel.org/stable/c/ebebba4d357b6c67f96776a48ddbaf0060fa4c10\",\n \"https://git.kernel.org/stable/c/f23cd66933fe76b84d8e282e5606b4d99068c320\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/nouveau: prime: fix refcount underflow\\n\\nCalling nouveau_bo_ref() on a nouveau_bo without initializing it (and\\nhence the backing ttm_bo) leads to a refcount underflow.\\n\\nInstead of calling nouveau_bo_ref() in the unwind path of\\ndrm_gem_object_init(), clean things up manually.\\n\\n(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43867\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43869", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43869" + }, + { + "url": "https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4" + }, + { + "url": "https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840" + }, + { + "url": "https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0" + }, + { + "url": "https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99" + }, + { + "url": "https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43869 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43869", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn't even require a weak IRQ work\nimplementation to trigger:\n\nschedule()\n prepare_task_switch()\n=======> \n perf_event_overflow()\n event->pending_sigtrap = ...\n irq_work_queue(&event->pending_irq)\n<======= \n perf_event_task_sched_out()\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n task_work_add(&event->pending_task)\n finish_lock_switch()\n=======> \n perf_pending_irq()\n //do nothing, rely on pending task work\n<======= \n\nbegin_new_exec()\n perf_event_exit_task()\n perf_event_exit_event()\n // If is child event\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // event is leaked\n\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\n\nFix this with synchonizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever beeing\nfreed.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43869\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43869\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43869\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43869\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43869\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4\",\n \"https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840\",\n \"https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0\",\n \"https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99\",\n \"https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf: Fix event leak upon exec and file release\\n\\nThe perf pending task work is never waited upon the matching event\\nrelease. In the case of a child event, released via free_event()\\ndirectly, this can potentially result in a leaked event, such as in the\\nfollowing scenario that doesn't even require a weak IRQ work\\nimplementation to trigger:\\n\\nschedule()\\n prepare_task_switch()\\n=======> \\n perf_event_overflow()\\n event->pending_sigtrap = ...\\n irq_work_queue(&event->pending_irq)\\n<======= \\n perf_event_task_sched_out()\\n event_sched_out()\\n event->pending_sigtrap = 0;\\n atomic_long_inc_not_zero(&event->refcount)\\n task_work_add(&event->pending_task)\\n finish_lock_switch()\\n=======> \\n perf_pending_irq()\\n //do nothing, rely on pending task work\\n<======= \\n\\nbegin_new_exec()\\n perf_event_exit_task()\\n perf_event_exit_event()\\n // If is child event\\n free_event()\\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\\n // event is leaked\\n\\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\\nsimply against concurrent perf_event_release().\\n\\nFix this with synchonizing against the possibly remaining pending task\\nwork while freeing the event, just like is done with remaining pending\\nIRQ work. This means that the pending task callback neither need nor\\nshould hold a reference to the event, preventing it from ever beeing\\nfreed.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43869\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43870", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43870" + }, + { + "url": "https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51" + }, + { + "url": "https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b" + }, + { + "url": "https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a" + }, + { + "url": "https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7" + }, + { + "url": "https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43870 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43870", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exit\n\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\nto the target task upon resume to userspace via task_work.\n\nHowever failures while adding an event's callback to the task_work\nengine are ignored. And since the last call for events exit happen\nafter task work is eventually closed, there is a small window during\nwhich pending sigtrap can be queued though ignored, leaking the event\nrefcount addition such as in the following scenario:\n\n TASK A\n -----\n\n do_exit()\n exit_task_work(tsk);\n\n \n perf_event_overflow()\n event->pending_sigtrap = pending_id;\n irq_work_queue(&event->pending_irq);\n \n =========> PREEMPTION: TASK A -> TASK B\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n // FAILS: task work has exited\n task_work_add(&event->pending_task)\n [...]\n \n perf_pending_irq()\n // early return: event->oncpu = -1\n \n [...]\n =========> TASK B -> TASK A\n perf_event_exit_task(tsk)\n perf_event_exit_event()\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // leak event due to unexpected refcount == 2\n\nAs a result the event is never released while the task exits.\n\nFix this with appropriate task_work_add()'s error handling.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43870\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43870\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43870\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43870\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43870\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51\",\n \"https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b\",\n \"https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a\",\n \"https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7\",\n \"https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf: Fix event leak upon exit\\n\\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\\nto the target task upon resume to userspace via task_work.\\n\\nHowever failures while adding an event's callback to the task_work\\nengine are ignored. And since the last call for events exit happen\\nafter task work is eventually closed, there is a small window during\\nwhich pending sigtrap can be queued though ignored, leaking the event\\nrefcount addition such as in the following scenario:\\n\\n TASK A\\n -----\\n\\n do_exit()\\n exit_task_work(tsk);\\n\\n \\n perf_event_overflow()\\n event->pending_sigtrap = pending_id;\\n irq_work_queue(&event->pending_irq);\\n \\n =========> PREEMPTION: TASK A -> TASK B\\n event_sched_out()\\n event->pending_sigtrap = 0;\\n atomic_long_inc_not_zero(&event->refcount)\\n // FAILS: task work has exited\\n task_work_add(&event->pending_task)\\n [...]\\n \\n perf_pending_irq()\\n // early return: event->oncpu = -1\\n \\n [...]\\n =========> TASK B -> TASK A\\n perf_event_exit_task(tsk)\\n perf_event_exit_event()\\n free_event()\\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\\n // leak event due to unexpected refcount == 2\\n\\nAs a result the event is never released while the task exits.\\n\\nFix this with appropriate task_work_add()'s error handling.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43870\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43871", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43871" + }, + { + "url": "https://git.kernel.org/stable/c/3047f99caec240a88ccd06197af2868da1af6a96" + }, + { + "url": "https://git.kernel.org/stable/c/3dcd0673e47664bc6c719ad47dadac6d55d5950d" + }, + { + "url": "https://git.kernel.org/stable/c/700e8abd65b10792b2f179ce4e858f2ca2880f85" + }, + { + "url": "https://git.kernel.org/stable/c/95065edb8ebb27771d5f1e898eef6ab43dc6c87c" + }, + { + "url": "https://git.kernel.org/stable/c/b044588a16a978cd891cb3d665dd7ae06850d5bf" + }, + { + "url": "https://git.kernel.org/stable/c/b67552d7c61f52f1271031adfa7834545ae99701" + }, + { + "url": "https://git.kernel.org/stable/c/bd50a974097bb82d52a458bd3ee39fb723129a0c" + }, + { + "url": "https://git.kernel.org/stable/c/ef56dcdca8f2a53abc3a83d388b8336447533d85" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43871 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43871", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevres: Fix memory leakage caused by driver API devm_free_percpu()\n\nIt will cause memory leakage when use driver API devm_free_percpu()\nto free memory allocated by devm_alloc_percpu(), fixed by using\ndevres_release() instead of devres_destroy() within devm_free_percpu().", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43871\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43871\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43871\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43871\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43871\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3047f99caec240a88ccd06197af2868da1af6a96\",\n \"https://git.kernel.org/stable/c/3dcd0673e47664bc6c719ad47dadac6d55d5950d\",\n \"https://git.kernel.org/stable/c/700e8abd65b10792b2f179ce4e858f2ca2880f85\",\n \"https://git.kernel.org/stable/c/95065edb8ebb27771d5f1e898eef6ab43dc6c87c\",\n \"https://git.kernel.org/stable/c/b044588a16a978cd891cb3d665dd7ae06850d5bf\",\n \"https://git.kernel.org/stable/c/b67552d7c61f52f1271031adfa7834545ae99701\",\n \"https://git.kernel.org/stable/c/bd50a974097bb82d52a458bd3ee39fb723129a0c\",\n \"https://git.kernel.org/stable/c/ef56dcdca8f2a53abc3a83d388b8336447533d85\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndevres: Fix memory leakage caused by driver API devm_free_percpu()\\n\\nIt will cause memory leakage when use driver API devm_free_percpu()\\nto free memory allocated by devm_alloc_percpu(), fixed by using\\ndevres_release() instead of devres_destroy() within devm_free_percpu().\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43871\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43872", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43872" + }, + { + "url": "https://git.kernel.org/stable/c/06580b33c183c9f98e2a2ca96a86137179032c08" + }, + { + "url": "https://git.kernel.org/stable/c/2fdf34038369c0a27811e7b4680662a14ada1d6b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43872 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43872", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix soft lockup under heavy CEQE load\n\nCEQEs are handled in interrupt handler currently. This may cause the\nCPU core staying in interrupt context too long and lead to soft lockup\nunder heavy load.\n\nHandle CEQEs in BH workqueue and set an upper limit for the number of\nCEQE handled by a single call of work handler.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43872\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43872\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43872\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43872\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43872\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/06580b33c183c9f98e2a2ca96a86137179032c08\",\n \"https://git.kernel.org/stable/c/2fdf34038369c0a27811e7b4680662a14ada1d6b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/hns: Fix soft lockup under heavy CEQE load\\n\\nCEQEs are handled in interrupt handler currently. This may cause the\\nCPU core staying in interrupt context too long and lead to soft lockup\\nunder heavy load.\\n\\nHandle CEQEs in BH workqueue and set an upper limit for the number of\\nCEQE handled by a single call of work handler.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43872\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43873", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43873" + }, + { + "url": "https://git.kernel.org/stable/c/1e1fdcbdde3b7663e5d8faeb2245b9b151417d22" + }, + { + "url": "https://git.kernel.org/stable/c/3062cb100787a9ddf45de30004b962035cd497fb" + }, + { + "url": "https://git.kernel.org/stable/c/30bd4593669443ac58515e23557dc8cef70d8582" + }, + { + "url": "https://git.kernel.org/stable/c/ea558f10fb05a6503c6e655a1b7d81fdf8e5924c" + }, + { + "url": "https://git.kernel.org/stable/c/eab96e8716cbfc2834b54f71cc9501ad4eec963b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43873 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43873", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost/vsock: always initialize seqpacket_allow\n\nThere are two issues around seqpacket_allow:\n1. seqpacket_allow is not initialized when socket is\n created. Thus if features are never set, it will be\n read uninitialized.\n2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,\n then seqpacket_allow will not be cleared appropriately\n (existing apps I know about don't usually do this but\n it's legal and there's no way to be sure no one relies\n on this).\n\nTo fix:\n\t- initialize seqpacket_allow after allocation\n\t- set it unconditionally in set_features", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43873\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43873\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43873\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43873\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43873\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e1fdcbdde3b7663e5d8faeb2245b9b151417d22\",\n \"https://git.kernel.org/stable/c/3062cb100787a9ddf45de30004b962035cd497fb\",\n \"https://git.kernel.org/stable/c/30bd4593669443ac58515e23557dc8cef70d8582\",\n \"https://git.kernel.org/stable/c/ea558f10fb05a6503c6e655a1b7d81fdf8e5924c\",\n \"https://git.kernel.org/stable/c/eab96e8716cbfc2834b54f71cc9501ad4eec963b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvhost/vsock: always initialize seqpacket_allow\\n\\nThere are two issues around seqpacket_allow:\\n1. seqpacket_allow is not initialized when socket is\\n created. Thus if features are never set, it will be\\n read uninitialized.\\n2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,\\n then seqpacket_allow will not be cleared appropriately\\n (existing apps I know about don't usually do this but\\n it's legal and there's no way to be sure no one relies\\n on this).\\n\\nTo fix:\\n\\t- initialize seqpacket_allow after allocation\\n\\t- set it unconditionally in set_features\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43873\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43875", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43875" + }, + { + "url": "https://git.kernel.org/stable/c/0e27e2e8697b8ce96cdef43f135426525d9d1f8f" + }, + { + "url": "https://git.kernel.org/stable/c/24414c842a24d0fd498f9db6d2a762a8dddf1832" + }, + { + "url": "https://git.kernel.org/stable/c/7d368de78b60088ec9031c60c88976c0063ea4c0" + }, + { + "url": "https://git.kernel.org/stable/c/8e0f5a96c534f781e8c57ca30459448b3bfe5429" + }, + { + "url": "https://git.kernel.org/stable/c/b9e8695246bcfc028341470cbf92630cdc1ba36b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43875 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43875", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Clean up error handling in vpci_scan_bus()\n\nSmatch complains about inconsistent NULL checking in vpci_scan_bus():\n\n drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021)\n\nInstead of printing an error message and then crashing we should return\nan error code and clean up.\n\nAlso the NULL check is reversed so it prints an error for success\ninstead of failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43875\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43875\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43875\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43875\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43875\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e27e2e8697b8ce96cdef43f135426525d9d1f8f\",\n \"https://git.kernel.org/stable/c/24414c842a24d0fd498f9db6d2a762a8dddf1832\",\n \"https://git.kernel.org/stable/c/7d368de78b60088ec9031c60c88976c0063ea4c0\",\n \"https://git.kernel.org/stable/c/8e0f5a96c534f781e8c57ca30459448b3bfe5429\",\n \"https://git.kernel.org/stable/c/b9e8695246bcfc028341470cbf92630cdc1ba36b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPCI: endpoint: Clean up error handling in vpci_scan_bus()\\n\\nSmatch complains about inconsistent NULL checking in vpci_scan_bus():\\n\\n drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021)\\n\\nInstead of printing an error message and then crashing we should return\\nan error code and clean up.\\n\\nAlso the NULL check is reversed so it prints an error for success\\ninstead of failure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43875\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43879", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43879" + }, + { + "url": "https://git.kernel.org/stable/c/16ad67e73309db0c20cc2a651992bd01c05e6b27" + }, + { + "url": "https://git.kernel.org/stable/c/19eaf4f2f5a981f55a265242ada2bf92b0c742dd" + }, + { + "url": "https://git.kernel.org/stable/c/2e201b3d162c6c49417c438ffb30b58c9f85769f" + }, + { + "url": "https://git.kernel.org/stable/c/45d20a1c54be4f3173862c7b950d4468447814c9" + }, + { + "url": "https://git.kernel.org/stable/c/576c64622649f3ec07e97bac8fec8b8a2ef4d086" + }, + { + "url": "https://git.kernel.org/stable/c/67b5f1054197e4f5553047759c15c1d67d4c8142" + }, + { + "url": "https://git.kernel.org/stable/c/b289ebb0516526cb4abae081b7ec29fd4fa1209d" + }, + { + "url": "https://git.kernel.org/stable/c/bcbd771cd5d68c0c52567556097d75f9fc4e7cd6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43879 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43879", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()\n\nCurrently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in\ncfg80211_calculate_bitrate_he(), leading to below warning:\n\nkernel: invalid HE MCS: bw:6, ru:6\nkernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211]\n\nFix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43879\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43879\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43879\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43879\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43879\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/16ad67e73309db0c20cc2a651992bd01c05e6b27\",\n \"https://git.kernel.org/stable/c/19eaf4f2f5a981f55a265242ada2bf92b0c742dd\",\n \"https://git.kernel.org/stable/c/2e201b3d162c6c49417c438ffb30b58c9f85769f\",\n \"https://git.kernel.org/stable/c/45d20a1c54be4f3173862c7b950d4468447814c9\",\n \"https://git.kernel.org/stable/c/576c64622649f3ec07e97bac8fec8b8a2ef4d086\",\n \"https://git.kernel.org/stable/c/67b5f1054197e4f5553047759c15c1d67d4c8142\",\n \"https://git.kernel.org/stable/c/b289ebb0516526cb4abae081b7ec29fd4fa1209d\",\n \"https://git.kernel.org/stable/c/bcbd771cd5d68c0c52567556097d75f9fc4e7cd6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()\\n\\nCurrently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in\\ncfg80211_calculate_bitrate_he(), leading to below warning:\\n\\nkernel: invalid HE MCS: bw:6, ru:6\\nkernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211]\\n\\nFix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43879\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43880", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43880" + }, + { + "url": "https://git.kernel.org/stable/c/0e59c2d22853266704e127915653598f7f104037" + }, + { + "url": "https://git.kernel.org/stable/c/25c6fd9648ad05da493a5d30881896a78a08b624" + }, + { + "url": "https://git.kernel.org/stable/c/36a9996e020dd5aa325e0ecc55eb2328288ea6bb" + }, + { + "url": "https://git.kernel.org/stable/c/4dc09f6f260db3c4565a4ec52ba369393598f2fb" + }, + { + "url": "https://git.kernel.org/stable/c/97d833ceb27dc19f8777d63f90be4a27b5daeedf" + }, + { + "url": "https://git.kernel.org/stable/c/9a5261a984bba4f583d966c550fa72c33ff3714e" + }, + { + "url": "https://git.kernel.org/stable/c/fb5d4fc578e655d113f09565f6f047e15f7ab578" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43880 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43880", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_erp: Fix object nesting warning\n\nACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM\n(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can\ncontain more ACLs (i.e., tc filters), but the number of masks in each\nregion (i.e., tc chain) is limited.\n\nIn order to mitigate the effects of the above limitation, the device\nallows filters to share a single mask if their masks only differ in up\nto 8 consecutive bits. For example, dst_ip/25 can be represented using\ndst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the\nnumber of masks being used (and therefore does not support mask\naggregation), but can contain a limited number of filters.\n\nThe driver uses the \"objagg\" library to perform the mask aggregation by\npassing it objects that consist of the filter's mask and whether the\nfilter is to be inserted into the A-TCAM or the C-TCAM since filters in\ndifferent TCAMs cannot share a mask.\n\nThe set of created objects is dependent on the insertion order of the\nfilters and is not necessarily optimal. Therefore, the driver will\nperiodically ask the library to compute a more optimal set (\"hints\") by\nlooking at all the existing objects.\n\nWhen the library asks the driver whether two objects can be aggregated\nthe driver only compares the provided masks and ignores the A-TCAM /\nC-TCAM indication. This is the right thing to do since the goal is to\nmove as many filters as possible to the A-TCAM. The driver also forbids\ntwo identical masks from being aggregated since this can only happen if\none was intentionally put in the C-TCAM to avoid a conflict in the\nA-TCAM.\n\nThe above can result in the following set of hints:\n\nH1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta\nH3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta\n\nAfter getting the hints from the library the driver will start migrating\nfilters from one region to another while consulting the computed hints\nand instructing the device to perform a lookup in both regions during\nthe transition.\n\nAssuming a filter with mask X is being migrated into the A-TCAM in the\nnew region, the hints lookup will return H1. Since H2 is the parent of\nH1, the library will try to find the object associated with it and\ncreate it if necessary in which case another hints lookup (recursive)\nwill be performed. This hints lookup for {mask Y, A-TCAM} will either\nreturn H2 or H3 since the driver passes the library an object comparison\nfunction that ignores the A-TCAM / C-TCAM indication.\n\nThis can eventually lead to nested objects which are not supported by\nthe library [1].\n\nFix by removing the object comparison function from both the driver and\nthe library as the driver was the only user. That way the lookup will\nonly return exact matches.\n\nI do not have a reliable reproducer that can reproduce the issue in a\ntimely manner, but before the fix the issue would reproduce in several\nminutes and with the fix it does not reproduce in over an hour.\n\nNote that the current usefulness of the hints is limited because they\ninclude the C-TCAM indication and represent aggregation that cannot\nactually happen. This will be addressed in net-next.\n\n[1]\nWARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0\nModules linked in:\nCPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42\nHardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:objagg_obj_parent_assign+0xb5/0xd0\n[...]\nCall Trace:\n \n __objagg_obj_get+0x2bb/0x580\n objagg_obj_get+0xe/0x80\n mlxsw_sp_acl_erp_mask_get+0xb5/0xf0\n mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43880\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43880\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43880\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43880\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43880\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0e59c2d22853266704e127915653598f7f104037\",\n \"https://git.kernel.org/stable/c/25c6fd9648ad05da493a5d30881896a78a08b624\",\n \"https://git.kernel.org/stable/c/36a9996e020dd5aa325e0ecc55eb2328288ea6bb\",\n \"https://git.kernel.org/stable/c/4dc09f6f260db3c4565a4ec52ba369393598f2fb\",\n \"https://git.kernel.org/stable/c/97d833ceb27dc19f8777d63f90be4a27b5daeedf\",\n \"https://git.kernel.org/stable/c/9a5261a984bba4f583d966c550fa72c33ff3714e\",\n \"https://git.kernel.org/stable/c/fb5d4fc578e655d113f09565f6f047e15f7ab578\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_erp: Fix object nesting warning\\n\\nACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM\\n(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can\\ncontain more ACLs (i.e., tc filters), but the number of masks in each\\nregion (i.e., tc chain) is limited.\\n\\nIn order to mitigate the effects of the above limitation, the device\\nallows filters to share a single mask if their masks only differ in up\\nto 8 consecutive bits. For example, dst_ip/25 can be represented using\\ndst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the\\nnumber of masks being used (and therefore does not support mask\\naggregation), but can contain a limited number of filters.\\n\\nThe driver uses the \\\"objagg\\\" library to perform the mask aggregation by\\npassing it objects that consist of the filter's mask and whether the\\nfilter is to be inserted into the A-TCAM or the C-TCAM since filters in\\ndifferent TCAMs cannot share a mask.\\n\\nThe set of created objects is dependent on the insertion order of the\\nfilters and is not necessarily optimal. Therefore, the driver will\\nperiodically ask the library to compute a more optimal set (\\\"hints\\\") by\\nlooking at all the existing objects.\\n\\nWhen the library asks the driver whether two objects can be aggregated\\nthe driver only compares the provided masks and ignores the A-TCAM /\\nC-TCAM indication. This is the right thing to do since the goal is to\\nmove as many filters as possible to the A-TCAM. The driver also forbids\\ntwo identical masks from being aggregated since this can only happen if\\none was intentionally put in the C-TCAM to avoid a conflict in the\\nA-TCAM.\\n\\nThe above can result in the following set of hints:\\n\\nH1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta\\nH3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta\\n\\nAfter getting the hints from the library the driver will start migrating\\nfilters from one region to another while consulting the computed hints\\nand instructing the device to perform a lookup in both regions during\\nthe transition.\\n\\nAssuming a filter with mask X is being migrated into the A-TCAM in the\\nnew region, the hints lookup will return H1. Since H2 is the parent of\\nH1, the library will try to find the object associated with it and\\ncreate it if necessary in which case another hints lookup (recursive)\\nwill be performed. This hints lookup for {mask Y, A-TCAM} will either\\nreturn H2 or H3 since the driver passes the library an object comparison\\nfunction that ignores the A-TCAM / C-TCAM indication.\\n\\nThis can eventually lead to nested objects which are not supported by\\nthe library [1].\\n\\nFix by removing the object comparison function from both the driver and\\nthe library as the driver was the only user. That way the lookup will\\nonly return exact matches.\\n\\nI do not have a reliable reproducer that can reproduce the issue in a\\ntimely manner, but before the fix the issue would reproduce in several\\nminutes and with the fix it does not reproduce in over an hour.\\n\\nNote that the current usefulness of the hints is limited because they\\ninclude the C-TCAM indication and represent aggregation that cannot\\nactually happen. This will be addressed in net-next.\\n\\n[1]\\nWARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0\\nModules linked in:\\nCPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42\\nHardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:objagg_obj_parent_assign+0xb5/0xd0\\n[...]\\nCall Trace:\\n \\n __objagg_obj_get+0x2bb/0x580\\n objagg_obj_get+0xe/0x80\\n mlxsw_sp_acl_erp_mask_get+0xb5/0xf0\\n mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0\\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\\n process_one_work+0x151/0x370\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43880\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43882", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43882" + }, + { + "url": "https://git.kernel.org/stable/c/15469d46ba34559bfe7e3de6659115778c624759" + }, + { + "url": "https://git.kernel.org/stable/c/368f6985d46657b8b466a421dddcacd4051f7ada" + }, + { + "url": "https://git.kernel.org/stable/c/90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e" + }, + { + "url": "https://git.kernel.org/stable/c/9b424c5d4130d56312e2a3be17efb0928fec4d64" + }, + { + "url": "https://git.kernel.org/stable/c/d2a2a4714d80d09b0f8eb6438ab4224690b7121e" + }, + { + "url": "https://git.kernel.org/stable/c/d5c3c7e26275a2d83b894d30f7582a42853a958f" + }, + { + "url": "https://git.kernel.org/stable/c/f50733b45d865f91db90919f8311e2127ce5a0cb" + }, + { + "url": "https://git.kernel.org/stable/c/f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43882 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43882", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nexec: Fix ToCToU between perm check and set-uid/gid usage\n\nWhen opening a file for exec via do_filp_open(), permission checking is\ndone against the file's metadata at that moment, and on success, a file\npointer is passed back. Much later in the execve() code path, the file\nmetadata (specifically mode, uid, and gid) is used to determine if/how\nto set the uid and gid. However, those values may have changed since the\npermissions check, meaning the execution may gain unintended privileges.\n\nFor example, if a file could change permissions from executable and not\nset-id:\n\n---------x 1 root root 16048 Aug 7 13:16 target\n\nto set-id and non-executable:\n\n---S------ 1 root root 16048 Aug 7 13:16 target\n\nit is possible to gain root privileges when execution should have been\ndisallowed.\n\nWhile this race condition is rare in real-world scenarios, it has been\nobserved (and proven exploitable) when package managers are updating\nthe setuid bits of installed programs. Such files start with being\nworld-executable but then are adjusted to be group-exec with a set-uid\nbit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only\nby uid \"root\" and gid \"cdrom\", while also becoming setuid-root:\n\n-rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target\n\nbecomes:\n\n-rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target\n\nBut racing the chmod means users without group \"cdrom\" membership can\nget the permission to execute \"target\" just before the chmod, and when\nthe chmod finishes, the exec reaches brpm_fill_uid(), and performs the\nsetuid to root, violating the expressed authorization of \"only cdrom\ngroup members can setuid to root\".\n\nRe-check that we still have execute permissions in case the metadata\nhas changed. It would be better to keep a copy from the perm-check time,\nbut until we can do that refactoring, the least-bad option is to do a\nfull inode_permission() call (under inode lock). It is understood that\nthis is safe against dead-locks, but hardly optimal.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43882\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43882\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43882\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43882\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43882\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15469d46ba34559bfe7e3de6659115778c624759\",\n \"https://git.kernel.org/stable/c/368f6985d46657b8b466a421dddcacd4051f7ada\",\n \"https://git.kernel.org/stable/c/90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e\",\n \"https://git.kernel.org/stable/c/9b424c5d4130d56312e2a3be17efb0928fec4d64\",\n \"https://git.kernel.org/stable/c/d2a2a4714d80d09b0f8eb6438ab4224690b7121e\",\n \"https://git.kernel.org/stable/c/d5c3c7e26275a2d83b894d30f7582a42853a958f\",\n \"https://git.kernel.org/stable/c/f50733b45d865f91db90919f8311e2127ce5a0cb\",\n \"https://git.kernel.org/stable/c/f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nexec: Fix ToCToU between perm check and set-uid/gid usage\\n\\nWhen opening a file for exec via do_filp_open(), permission checking is\\ndone against the file's metadata at that moment, and on success, a file\\npointer is passed back. Much later in the execve() code path, the file\\nmetadata (specifically mode, uid, and gid) is used to determine if/how\\nto set the uid and gid. However, those values may have changed since the\\npermissions check, meaning the execution may gain unintended privileges.\\n\\nFor example, if a file could change permissions from executable and not\\nset-id:\\n\\n---------x 1 root root 16048 Aug 7 13:16 target\\n\\nto set-id and non-executable:\\n\\n---S------ 1 root root 16048 Aug 7 13:16 target\\n\\nit is possible to gain root privileges when execution should have been\\ndisallowed.\\n\\nWhile this race condition is rare in real-world scenarios, it has been\\nobserved (and proven exploitable) when package managers are updating\\nthe setuid bits of installed programs. Such files start with being\\nworld-executable but then are adjusted to be group-exec with a set-uid\\nbit. For example, \\\"chmod o-x,u+s target\\\" makes \\\"target\\\" executable only\\nby uid \\\"root\\\" and gid \\\"cdrom\\\", while also becoming setuid-root:\\n\\n-rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target\\n\\nbecomes:\\n\\n-rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target\\n\\nBut racing the chmod means users without group \\\"cdrom\\\" membership can\\nget the permission to execute \\\"target\\\" just before the chmod, and when\\nthe chmod finishes, the exec reaches brpm_fill_uid(), and performs the\\nsetuid to root, violating the expressed authorization of \\\"only cdrom\\ngroup members can setuid to root\\\".\\n\\nRe-check that we still have execute permissions in case the metadata\\nhas changed. It would be better to keep a copy from the perm-check time,\\nbut until we can do that refactoring, the least-bad option is to do a\\nfull inode_permission() call (under inode lock). It is understood that\\nthis is safe against dead-locks, but hardly optimal.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43882\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43883", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43883" + }, + { + "url": "https://git.kernel.org/stable/c/128e82e41cf7d74a562726c1587d9d2ede1a0a37" + }, + { + "url": "https://git.kernel.org/stable/c/4dacdb9720aaab10b6be121eae55820174d97174" + }, + { + "url": "https://git.kernel.org/stable/c/585e6bc7d0a9bf73a8be3d3fb34e86b90cc61a14" + }, + { + "url": "https://git.kernel.org/stable/c/5a3c473b28ae1c1f7c4dc129e30cb19ae6e96f89" + }, + { + "url": "https://git.kernel.org/stable/c/9c3746ce8d8fcb3a2405644fc0eec7fc5312de80" + }, + { + "url": "https://git.kernel.org/stable/c/afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a" + }, + { + "url": "https://git.kernel.org/stable/c/c3d0857b7fc2c49f68f89128a5440176089a8f54" + }, + { + "url": "https://git.kernel.org/stable/c/e8c1e606dab8c56cf074b43b98d0805de7322ba2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43883 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43883", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: vhci-hcd: Do not drop references before new references are gained\n\nAt a few places the driver carries stale pointers\nto references that can still be used. Make sure that does not happen.\nThis strictly speaking closes ZDI-CAN-22273, though there may be\nsimilar races in the driver.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43883\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43883\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43883\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43883\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43883\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/128e82e41cf7d74a562726c1587d9d2ede1a0a37\",\n \"https://git.kernel.org/stable/c/4dacdb9720aaab10b6be121eae55820174d97174\",\n \"https://git.kernel.org/stable/c/585e6bc7d0a9bf73a8be3d3fb34e86b90cc61a14\",\n \"https://git.kernel.org/stable/c/5a3c473b28ae1c1f7c4dc129e30cb19ae6e96f89\",\n \"https://git.kernel.org/stable/c/9c3746ce8d8fcb3a2405644fc0eec7fc5312de80\",\n \"https://git.kernel.org/stable/c/afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a\",\n \"https://git.kernel.org/stable/c/c3d0857b7fc2c49f68f89128a5440176089a8f54\",\n \"https://git.kernel.org/stable/c/e8c1e606dab8c56cf074b43b98d0805de7322ba2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: vhci-hcd: Do not drop references before new references are gained\\n\\nAt a few places the driver carries stale pointers\\nto references that can still be used. Make sure that does not happen.\\nThis strictly speaking closes ZDI-CAN-22273, though there may be\\nsimilar races in the driver.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43883\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43884", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43884" + }, + { + "url": "https://git.kernel.org/stable/c/538fd3921afac97158d4177139a0ad39f056dbb2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43884 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43884", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Add error handling to pair_device()\n\nhci_conn_params_add() never checks for a NULL value and could lead to a NULL\npointer dereference causing a crash.\n\nFixed by adding error handling in the function.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43884\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43884\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43884\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43884\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43884\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/538fd3921afac97158d4177139a0ad39f056dbb2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: MGMT: Add error handling to pair_device()\\n\\nhci_conn_params_add() never checks for a NULL value and could lead to a NULL\\npointer dereference causing a crash.\\n\\nFixed by adding error handling in the function.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43884\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43886", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43886" + }, + { + "url": "https://git.kernel.org/stable/c/899d92fd26fe780aad711322aa671f68058207a6" + }, + { + "url": "https://git.kernel.org/stable/c/c36e922a36bdf69765c340a0857ca74092003bee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43886 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43886", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check in resource_log_pipe_topology_update\n\n[WHY]\nWhen switching from \"Extend\" to \"Second Display Only\" we sometimes\ncall resource_get_otg_master_for_stream on a stream for the eDP,\nwhich is disconnected. This leads to a null pointer dereference.\n\n[HOW]\nAdded a null check in dc_resource.c/resource_log_pipe_topology_update.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43886\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43886\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43886\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43886\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43886\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/899d92fd26fe780aad711322aa671f68058207a6\",\n \"https://git.kernel.org/stable/c/c36e922a36bdf69765c340a0857ca74092003bee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add null check in resource_log_pipe_topology_update\\n\\n[WHY]\\nWhen switching from \\\"Extend\\\" to \\\"Second Display Only\\\" we sometimes\\ncall resource_get_otg_master_for_stream on a stream for the eDP,\\nwhich is disconnected. This leads to a null pointer dereference.\\n\\n[HOW]\\nAdded a null check in dc_resource.c/resource_log_pipe_topology_update.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43886\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43889", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43889" + }, + { + "url": "https://git.kernel.org/stable/c/6d45e1c948a8b7ed6ceddb14319af69424db730c" + }, + { + "url": "https://git.kernel.org/stable/c/8f5ffd2af7274853ff91d6cd62541191d9fbd10d" + }, + { + "url": "https://git.kernel.org/stable/c/924f788c906dccaca30acab86c7124371e1d6f2c" + }, + { + "url": "https://git.kernel.org/stable/c/a29cfcb848c31f22b4de6a531c3e1d68c9bfe09f" + }, + { + "url": "https://git.kernel.org/stable/c/ab8b397d5997d8c37610252528edc54bebf9f6d3" + }, + { + "url": "https://git.kernel.org/stable/c/da0ffe84fcc1627a7dff82c80b823b94236af905" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43889 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43889", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix possible divide-by-0 panic in padata_mt_helper()\n\nWe are hit with a not easily reproducible divide-by-0 panic in padata.c at\nbootup time.\n\n [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI\n [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1\n [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021\n [ 10.017908] Workqueue: events_unbound padata_mt_helper\n [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0\n :\n [ 10.017963] Call Trace:\n [ 10.017968] \n [ 10.018004] ? padata_mt_helper+0x39/0xb0\n [ 10.018084] process_one_work+0x174/0x330\n [ 10.018093] worker_thread+0x266/0x3a0\n [ 10.018111] kthread+0xcf/0x100\n [ 10.018124] ret_from_fork+0x31/0x50\n [ 10.018138] ret_from_fork_asm+0x1a/0x30\n [ 10.018147] \n\nLooking at the padata_mt_helper() function, the only way a divide-by-0\npanic can happen is when ps->chunk_size is 0. The way that chunk_size is\ninitialized in padata_do_multithreaded(), chunk_size can be 0 when the\nmin_chunk in the passed-in padata_mt_job structure is 0.\n\nFix this divide-by-0 panic by making sure that chunk_size will be at least\n1 no matter what the input parameters are.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43889\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43889\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43889\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43889\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43889\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6d45e1c948a8b7ed6ceddb14319af69424db730c\",\n \"https://git.kernel.org/stable/c/8f5ffd2af7274853ff91d6cd62541191d9fbd10d\",\n \"https://git.kernel.org/stable/c/924f788c906dccaca30acab86c7124371e1d6f2c\",\n \"https://git.kernel.org/stable/c/a29cfcb848c31f22b4de6a531c3e1d68c9bfe09f\",\n \"https://git.kernel.org/stable/c/ab8b397d5997d8c37610252528edc54bebf9f6d3\",\n \"https://git.kernel.org/stable/c/da0ffe84fcc1627a7dff82c80b823b94236af905\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npadata: Fix possible divide-by-0 panic in padata_mt_helper()\\n\\nWe are hit with a not easily reproducible divide-by-0 panic in padata.c at\\nbootup time.\\n\\n [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI\\n [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1\\n [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021\\n [ 10.017908] Workqueue: events_unbound padata_mt_helper\\n [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0\\n :\\n [ 10.017963] Call Trace:\\n [ 10.017968] \\n [ 10.018004] ? padata_mt_helper+0x39/0xb0\\n [ 10.018084] process_one_work+0x174/0x330\\n [ 10.018093] worker_thread+0x266/0x3a0\\n [ 10.018111] kthread+0xcf/0x100\\n [ 10.018124] ret_from_fork+0x31/0x50\\n [ 10.018138] ret_from_fork_asm+0x1a/0x30\\n [ 10.018147] \\n\\nLooking at the padata_mt_helper() function, the only way a divide-by-0\\npanic can happen is when ps->chunk_size is 0. The way that chunk_size is\\ninitialized in padata_do_multithreaded(), chunk_size can be 0 when the\\nmin_chunk in the passed-in padata_mt_job structure is 0.\\n\\nFix this divide-by-0 panic by making sure that chunk_size will be at least\\n1 no matter what the input parameters are.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43889\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43890", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43890" + }, + { + "url": "https://git.kernel.org/stable/c/236bb4690773ab6869b40bedc7bc8d889e36f9d6" + }, + { + "url": "https://git.kernel.org/stable/c/302ceb625d7b990db205a15e371f9a71238de91c" + }, + { + "url": "https://git.kernel.org/stable/c/788ea62499b3c18541fd6d621964d8fafbc4aec5" + }, + { + "url": "https://git.kernel.org/stable/c/a172c7b22bc2feaf489cfc6d6865f7237134fdf8" + }, + { + "url": "https://git.kernel.org/stable/c/bcf86c01ca4676316557dd482c8416ece8c2e143" + }, + { + "url": "https://git.kernel.org/stable/c/cd10d186a5409a1fe6e976df82858e9773a698da" + }, + { + "url": "https://git.kernel.org/stable/c/d3e4dbc2858fe85d1dbd2e72a9fc5dea988b5c18" + }, + { + "url": "https://git.kernel.org/stable/c/eb223bf01e688dfe37e813c8988ee11c8c9f8d0a" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43890 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43890", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix overflow in get_free_elt()\n\n\"tracing_map->next_elt\" in get_free_elt() is at risk of overflowing.\n\nOnce it overflows, new elements can still be inserted into the tracing_map\neven though the maximum number of elements (`max_elts`) has been reached.\nContinuing to insert elements after the overflow could result in the\ntracing_map containing \"tracing_map->max_size\" elements, leaving no empty\nentries.\nIf any attempt is made to insert an element into a full tracing_map using\n`__tracing_map_insert()`, it will cause an infinite loop with preemption\ndisabled, leading to a CPU hang problem.\n\nFix this by preventing any further increments to \"tracing_map->next_elt\"\nonce it reaches \"tracing_map->max_elt\".", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43890\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43890\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43890\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43890\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43890\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/236bb4690773ab6869b40bedc7bc8d889e36f9d6\",\n \"https://git.kernel.org/stable/c/302ceb625d7b990db205a15e371f9a71238de91c\",\n \"https://git.kernel.org/stable/c/788ea62499b3c18541fd6d621964d8fafbc4aec5\",\n \"https://git.kernel.org/stable/c/a172c7b22bc2feaf489cfc6d6865f7237134fdf8\",\n \"https://git.kernel.org/stable/c/bcf86c01ca4676316557dd482c8416ece8c2e143\",\n \"https://git.kernel.org/stable/c/cd10d186a5409a1fe6e976df82858e9773a698da\",\n \"https://git.kernel.org/stable/c/d3e4dbc2858fe85d1dbd2e72a9fc5dea988b5c18\",\n \"https://git.kernel.org/stable/c/eb223bf01e688dfe37e813c8988ee11c8c9f8d0a\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Fix overflow in get_free_elt()\\n\\n\\\"tracing_map->next_elt\\\" in get_free_elt() is at risk of overflowing.\\n\\nOnce it overflows, new elements can still be inserted into the tracing_map\\neven though the maximum number of elements (`max_elts`) has been reached.\\nContinuing to insert elements after the overflow could result in the\\ntracing_map containing \\\"tracing_map->max_size\\\" elements, leaving no empty\\nentries.\\nIf any attempt is made to insert an element into a full tracing_map using\\n`__tracing_map_insert()`, it will cause an infinite loop with preemption\\ndisabled, leading to a CPU hang problem.\\n\\nFix this by preventing any further increments to \\\"tracing_map->next_elt\\\"\\nonce it reaches \\\"tracing_map->max_elt\\\".\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43890\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43892", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43892" + }, + { + "url": "https://git.kernel.org/stable/c/37a060b64ae83b76600d187d76591ce488ab836b" + }, + { + "url": "https://git.kernel.org/stable/c/51c0b1bb7541f8893ec1accba59eb04361a70946" + }, + { + "url": "https://git.kernel.org/stable/c/9972605a238339b85bd16b084eed5f18414d22db" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43892 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43892", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg: protect concurrent access to mem_cgroup_idr\n\nCommit 73f576c04b94 (\"mm: memcontrol: fix cgroup creation failure after\nmany small jobs\") decoupled the memcg IDs from the CSS ID space to fix the\ncgroup creation failures. It introduced IDR to maintain the memcg ID\nspace. The IDR depends on external synchronization mechanisms for\nmodifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace()\nhappen within css callback and thus are protected through cgroup_mutex\nfrom concurrent modifications. However idr_remove() for mem_cgroup_idr\nwas not protected against concurrency and can be run concurrently for\ndifferent memcgs when they hit their refcnt to zero. Fix that.\n\nWe have been seeing list_lru based kernel crashes at a low frequency in\nour fleet for a long time. These crashes were in different part of\nlist_lru code including list_lru_add(), list_lru_del() and reparenting\ncode. Upon further inspection, it looked like for a given object (dentry\nand inode), the super_block's list_lru didn't have list_lru_one for the\nmemcg of that object. The initial suspicions were either the object is\nnot allocated through kmem_cache_alloc_lru() or somehow\nmemcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but\nreturned success. No evidence were found for these cases.\n\nLooking more deeply, we started seeing situations where valid memcg's id\nis not present in mem_cgroup_idr and in some cases multiple valid memcgs\nhave same id and mem_cgroup_idr is pointing to one of them. So, the most\nreasonable explanation is that these situations can happen due to race\nbetween multiple idr_remove() calls or race between\nidr_alloc()/idr_replace() and idr_remove(). These races are causing\nmultiple memcgs to acquire the same ID and then offlining of one of them\nwould cleanup list_lrus on the system for all of them. Later access from\nother memcgs to the list_lru cause crashes due to missing list_lru_one.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43892\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43892\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43892\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43892\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43892\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/37a060b64ae83b76600d187d76591ce488ab836b\",\n \"https://git.kernel.org/stable/c/51c0b1bb7541f8893ec1accba59eb04361a70946\",\n \"https://git.kernel.org/stable/c/9972605a238339b85bd16b084eed5f18414d22db\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmemcg: protect concurrent access to mem_cgroup_idr\\n\\nCommit 73f576c04b94 (\\\"mm: memcontrol: fix cgroup creation failure after\\nmany small jobs\\\") decoupled the memcg IDs from the CSS ID space to fix the\\ncgroup creation failures. It introduced IDR to maintain the memcg ID\\nspace. The IDR depends on external synchronization mechanisms for\\nmodifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace()\\nhappen within css callback and thus are protected through cgroup_mutex\\nfrom concurrent modifications. However idr_remove() for mem_cgroup_idr\\nwas not protected against concurrency and can be run concurrently for\\ndifferent memcgs when they hit their refcnt to zero. Fix that.\\n\\nWe have been seeing list_lru based kernel crashes at a low frequency in\\nour fleet for a long time. These crashes were in different part of\\nlist_lru code including list_lru_add(), list_lru_del() and reparenting\\ncode. Upon further inspection, it looked like for a given object (dentry\\nand inode), the super_block's list_lru didn't have list_lru_one for the\\nmemcg of that object. The initial suspicions were either the object is\\nnot allocated through kmem_cache_alloc_lru() or somehow\\nmemcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but\\nreturned success. No evidence were found for these cases.\\n\\nLooking more deeply, we started seeing situations where valid memcg's id\\nis not present in mem_cgroup_idr and in some cases multiple valid memcgs\\nhave same id and mem_cgroup_idr is pointing to one of them. So, the most\\nreasonable explanation is that these situations can happen due to race\\nbetween multiple idr_remove() calls or race between\\nidr_alloc()/idr_replace() and idr_remove(). These races are causing\\nmultiple memcgs to acquire the same ID and then offlining of one of them\\nwould cleanup list_lrus on the system for all of them. Later access from\\nother memcgs to the list_lru cause crashes due to missing list_lru_one.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43892\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43893", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43893" + }, + { + "url": "https://git.kernel.org/stable/c/3bbd90fca824e6fd61fb20f6dd2b0fa5f8b14bba" + }, + { + "url": "https://git.kernel.org/stable/c/52b138f1021113e593ee6ad258ce08fe90693a9e" + }, + { + "url": "https://git.kernel.org/stable/c/55b2a5d331a6ceb1c4372945fdb77181265ba24f" + }, + { + "url": "https://git.kernel.org/stable/c/68dc02f319b9ee54dc23caba742a5c754d1cccc8" + }, + { + "url": "https://git.kernel.org/stable/c/6eabce6608d6f3440f4c03aa3d3ef50a47a3d193" + }, + { + "url": "https://git.kernel.org/stable/c/9196e42a3b8eeff1707e6ef769112b4b6096be49" + }, + { + "url": "https://git.kernel.org/stable/c/e13ba3fe5ee070f8a9dab60029d52b1f61da5051" + }, + { + "url": "https://git.kernel.org/stable/c/e3ad503876283ac3fcca922a1bf243ef9eb0b0e2" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43893 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43893", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: check uartclk for zero to avoid divide by zero\n\nCalling ioctl TIOCSSERIAL with an invalid baud_base can\nresult in uartclk being zero, which will result in a\ndivide by zero error in uart_get_divisor(). The check for\nuartclk being zero in uart_set_info() needs to be done\nbefore other settings are made as subsequent calls to\nioctl TIOCSSERIAL for the same port would be impacted if\nthe uartclk check was done where uartclk gets set.\n\nOops: divide error: 0000 PREEMPT SMP KASAN PTI\nRIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580)\nCall Trace:\n \nserial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576\n drivers/tty/serial/8250/8250_port.c:2589)\nserial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502\n drivers/tty/serial/8250/8250_port.c:2741)\nserial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862)\nuart_change_line_settings (./include/linux/spinlock.h:376\n ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222)\nuart_port_startup (drivers/tty/serial/serial_core.c:342)\nuart_startup (drivers/tty/serial/serial_core.c:368)\nuart_set_info (drivers/tty/serial/serial_core.c:1034)\nuart_set_info_user (drivers/tty/serial/serial_core.c:1059)\ntty_set_serial (drivers/tty/tty_io.c:2637)\ntty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791)\n__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907\n fs/ioctl.c:893 fs/ioctl.c:893)\ndo_syscall_64 (arch/x86/entry/common.c:52\n (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nRule: add", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43893\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43893\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43893\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43893\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43893\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3bbd90fca824e6fd61fb20f6dd2b0fa5f8b14bba\",\n \"https://git.kernel.org/stable/c/52b138f1021113e593ee6ad258ce08fe90693a9e\",\n \"https://git.kernel.org/stable/c/55b2a5d331a6ceb1c4372945fdb77181265ba24f\",\n \"https://git.kernel.org/stable/c/68dc02f319b9ee54dc23caba742a5c754d1cccc8\",\n \"https://git.kernel.org/stable/c/6eabce6608d6f3440f4c03aa3d3ef50a47a3d193\",\n \"https://git.kernel.org/stable/c/9196e42a3b8eeff1707e6ef769112b4b6096be49\",\n \"https://git.kernel.org/stable/c/e13ba3fe5ee070f8a9dab60029d52b1f61da5051\",\n \"https://git.kernel.org/stable/c/e3ad503876283ac3fcca922a1bf243ef9eb0b0e2\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: core: check uartclk for zero to avoid divide by zero\\n\\nCalling ioctl TIOCSSERIAL with an invalid baud_base can\\nresult in uartclk being zero, which will result in a\\ndivide by zero error in uart_get_divisor(). The check for\\nuartclk being zero in uart_set_info() needs to be done\\nbefore other settings are made as subsequent calls to\\nioctl TIOCSSERIAL for the same port would be impacted if\\nthe uartclk check was done where uartclk gets set.\\n\\nOops: divide error: 0000 PREEMPT SMP KASAN PTI\\nRIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580)\\nCall Trace:\\n \\nserial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576\\n drivers/tty/serial/8250/8250_port.c:2589)\\nserial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502\\n drivers/tty/serial/8250/8250_port.c:2741)\\nserial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862)\\nuart_change_line_settings (./include/linux/spinlock.h:376\\n ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222)\\nuart_port_startup (drivers/tty/serial/serial_core.c:342)\\nuart_startup (drivers/tty/serial/serial_core.c:368)\\nuart_set_info (drivers/tty/serial/serial_core.c:1034)\\nuart_set_info_user (drivers/tty/serial/serial_core.c:1059)\\ntty_set_serial (drivers/tty/tty_io.c:2637)\\ntty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791)\\n__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907\\n fs/ioctl.c:893 fs/ioctl.c:893)\\ndo_syscall_64 (arch/x86/entry/common.c:52\\n (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))\\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\nRule: add\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43893\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43894", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43894" + }, + { + "url": "https://git.kernel.org/stable/c/113fd6372a5bb3689aba8ef5b8a265ed1529a78f" + }, + { + "url": "https://git.kernel.org/stable/c/24ddda932c43ffe156c7f3c568bed85131c63ae6" + }, + { + "url": "https://git.kernel.org/stable/c/5291d4f73452c91e8a11f71207617e3e234d418e" + }, + { + "url": "https://git.kernel.org/stable/c/612cae53e99ce32a58cb821b3b67199eb6e92dff" + }, + { + "url": "https://git.kernel.org/stable/c/c763dfe09425152b6bb0e348900a637c62c2ce52" + }, + { + "url": "https://git.kernel.org/stable/c/d64847c383100423aecb6ac5f18be5f4316d9d62" + }, + { + "url": "https://git.kernel.org/stable/c/d64fc94f7bb24fc2be0d6bd5df8df926da461a6d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43894 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43894", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: fix null pointer dereference in drm_client_modeset_probe\n\nIn drm_client_modeset_probe(), the return value of drm_mode_duplicate() is\nassigned to modeset->mode, which will lead to a possible NULL pointer\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43894\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43894\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43894\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43894\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43894\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/113fd6372a5bb3689aba8ef5b8a265ed1529a78f\",\n \"https://git.kernel.org/stable/c/24ddda932c43ffe156c7f3c568bed85131c63ae6\",\n \"https://git.kernel.org/stable/c/5291d4f73452c91e8a11f71207617e3e234d418e\",\n \"https://git.kernel.org/stable/c/612cae53e99ce32a58cb821b3b67199eb6e92dff\",\n \"https://git.kernel.org/stable/c/c763dfe09425152b6bb0e348900a637c62c2ce52\",\n \"https://git.kernel.org/stable/c/d64847c383100423aecb6ac5f18be5f4316d9d62\",\n \"https://git.kernel.org/stable/c/d64fc94f7bb24fc2be0d6bd5df8df926da461a6d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/client: fix null pointer dereference in drm_client_modeset_probe\\n\\nIn drm_client_modeset_probe(), the return value of drm_mode_duplicate() is\\nassigned to modeset->mode, which will lead to a possible NULL pointer\\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43894\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43895", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43895" + }, + { + "url": "https://git.kernel.org/stable/c/282f0a482ee61d5e863512f3c4fcec90216c20d9" + }, + { + "url": "https://git.kernel.org/stable/c/50e376f1fe3bf571d0645ddf48ad37eb58323919" + }, + { + "url": "https://git.kernel.org/stable/c/70275bb960c71d313254473d38c14e7101cee5ad" + }, + { + "url": "https://git.kernel.org/stable/c/718d83f66fb07b2cab89a1fc984613a00e3db18f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43895 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43895", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip Recompute DSC Params if no Stream on Link\n\n[why]\nEncounter NULL pointer dereference uner mst + dsc setup.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\n Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\n RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\n Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\n RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\n RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\n RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\n R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\n R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\n FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\n Call Trace:\n\n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n\n[how]\ndsc recompute should be skipped if no mode change detected on the new\nrequest. If detected, keep checking whether the stream is already on\ncurrent state or not.\n\n(cherry picked from commit 8151a6c13111b465dbabe07c19f572f7cbd16fef)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43895\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43895\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43895\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43895\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43895\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/282f0a482ee61d5e863512f3c4fcec90216c20d9\",\n \"https://git.kernel.org/stable/c/50e376f1fe3bf571d0645ddf48ad37eb58323919\",\n \"https://git.kernel.org/stable/c/70275bb960c71d313254473d38c14e7101cee5ad\",\n \"https://git.kernel.org/stable/c/718d83f66fb07b2cab89a1fc984613a00e3db18f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Skip Recompute DSC Params if no Stream on Link\\n\\n[why]\\nEncounter NULL pointer dereference uner mst + dsc setup.\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000008\\n PGD 0 P4D 0\\n Oops: 0000 [#1] PREEMPT SMP NOPTI\\n CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\\n Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\\n RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\\n Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\\n RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\\n RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\\n RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\\n RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\\n R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\\n R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\\n FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\\n Call Trace:\\n\\n ? __die+0x23/0x70\\n ? page_fault_oops+0x171/0x4e0\\n ? plist_add+0xbe/0x100\\n ? exc_page_fault+0x7c/0x180\\n ? asm_exc_page_fault+0x26/0x30\\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\\n drm_atomic_check_only+0x5c5/0xa40\\n drm_mode_atomic_ioctl+0x76e/0xbc0\\n\\n[how]\\ndsc recompute should be skipped if no mode change detected on the new\\nrequest. If detected, keep checking whether the stream is already on\\ncurrent state or not.\\n\\n(cherry picked from commit 8151a6c13111b465dbabe07c19f572f7cbd16fef)\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43895\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43898", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43898" + }, + { + "url": "https://git.kernel.org/stable/c/3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e" + }, + { + "url": "https://git.kernel.org/stable/c/83f4414b8f84249d538905825b088ff3ae555652" + }, + { + "url": "https://git.kernel.org/stable/c/f619876ccbfd329ae785fe5d3289b9dcd6eb5901" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43898 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43898", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: sanity check for NULL pointer after ext4_force_shutdown\n\nTest case: 2 threads write short inline data to a file.\nIn ext4_page_mkwrite the resulting inline data is converted.\nHandling ext4_grp_locked_error with description \"block bitmap\nand bg descriptor inconsistent: X vs Y free clusters\" calls\next4_force_shutdown. The conversion clears\nEXT4_STATE_MAY_INLINE_DATA but fails for\next4_destroy_inline_data_nolock and ext4_mark_iloc_dirty due\nto ext4_forced_shutdown. The restoration of inline data fails\nfor the same reason not setting EXT4_STATE_MAY_INLINE_DATA.\nWithout the flag set a regular process path in ext4_da_write_end\nfollows trying to dereference page folio private pointer that has\nnot been set. The fix calls early return with -EIO error shall the\npointer to private be NULL.\n\nSample crash report:\n\nUnable to handle kernel paging request at virtual address dfff800000000004\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nMem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[dfff800000000004] address between user and kernel address ranges\nInternal error: Oops: 0000000096000005 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 20274 Comm: syz-executor185 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\nlr : __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160\nsp : ffff8000a1957600\nx29: ffff8000a1957610 x28: dfff800000000000 x27: ffff0000e30e34b0\nx26: 0000000000000000 x25: dfff800000000000 x24: dfff800000000000\nx23: fffffdffc397c9e0 x22: 0000000000000020 x21: 0000000000000020\nx20: 0000000000000040 x19: fffffdffc397c9c0 x18: 1fffe000367bd196\nx17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0\nx14: 1fffe0001cbe4e04 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000004 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : fffffdffc397c9c0 x4 : 0000000000000020 x3 : 0000000000000020\nx2 : 0000000000000040 x1 : 0000000000000020 x0 : fffffdffc397c9c0\nCall trace:\n __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\n block_write_end+0xb4/0x104 fs/buffer.c:2253\n ext4_da_do_write_end fs/ext4/inode.c:2955 [inline]\n ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028\n generic_perform_write+0x394/0x588 mm/filemap.c:3985\n ext4_buffered_write_iter+0x2c0/0x4ec fs/ext4/file.c:299\n ext4_file_write_iter+0x188/0x1780\n call_write_iter include/linux/fs.h:2110 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x968/0xc3c fs/read_write.c:590\n ksys_write+0x15c/0x26c fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:652\n __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\nCode: 97f85911 f94002da 91008356 d343fec8 (38796908)\n---[ end trace 0000000000000000 ]---\n----------------\nCode disassembly (best guess):\n 0:\t97f85911 \tbl\t0xffffffffffe16444\n 4:\tf94002da \tldr\tx26, [x22]\n 8:\t91008356 \tadd\tx22, x26, #0x20\n c:\td343fec8 \tlsr\tx8, x22, #3\n* 10:\t38796908 \tldrb\tw8, [x8, x25] <-- trapping instruction", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43898\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43898\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43898\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43898\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43898\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e\",\n \"https://git.kernel.org/stable/c/83f4414b8f84249d538905825b088ff3ae555652\",\n \"https://git.kernel.org/stable/c/f619876ccbfd329ae785fe5d3289b9dcd6eb5901\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: sanity check for NULL pointer after ext4_force_shutdown\\n\\nTest case: 2 threads write short inline data to a file.\\nIn ext4_page_mkwrite the resulting inline data is converted.\\nHandling ext4_grp_locked_error with description \\\"block bitmap\\nand bg descriptor inconsistent: X vs Y free clusters\\\" calls\\next4_force_shutdown. The conversion clears\\nEXT4_STATE_MAY_INLINE_DATA but fails for\\next4_destroy_inline_data_nolock and ext4_mark_iloc_dirty due\\nto ext4_forced_shutdown. The restoration of inline data fails\\nfor the same reason not setting EXT4_STATE_MAY_INLINE_DATA.\\nWithout the flag set a regular process path in ext4_da_write_end\\nfollows trying to dereference page folio private pointer that has\\nnot been set. The fix calls early return with -EIO error shall the\\npointer to private be NULL.\\n\\nSample crash report:\\n\\nUnable to handle kernel paging request at virtual address dfff800000000004\\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\\nMem abort info:\\n ESR = 0x0000000096000005\\n EC = 0x25: DABT (current EL), IL = 32 bits\\n SET = 0, FnV = 0\\n EA = 0, S1PTW = 0\\n FSC = 0x05: level 1 translation fault\\nData abort info:\\n ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n[dfff800000000004] address between user and kernel address ranges\\nInternal error: Oops: 0000000096000005 [#1] PREEMPT SMP\\nModules linked in:\\nCPU: 1 PID: 20274 Comm: syz-executor185 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\\nlr : __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160\\nsp : ffff8000a1957600\\nx29: ffff8000a1957610 x28: dfff800000000000 x27: ffff0000e30e34b0\\nx26: 0000000000000000 x25: dfff800000000000 x24: dfff800000000000\\nx23: fffffdffc397c9e0 x22: 0000000000000020 x21: 0000000000000020\\nx20: 0000000000000040 x19: fffffdffc397c9c0 x18: 1fffe000367bd196\\nx17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0\\nx14: 1fffe0001cbe4e04 x13: 0000000000000000 x12: 0000000000000000\\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000\\nx8 : 0000000000000004 x7 : 0000000000000000 x6 : 0000000000000000\\nx5 : fffffdffc397c9c0 x4 : 0000000000000020 x3 : 0000000000000020\\nx2 : 0000000000000040 x1 : 0000000000000020 x0 : fffffdffc397c9c0\\nCall trace:\\n __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\\n block_write_end+0xb4/0x104 fs/buffer.c:2253\\n ext4_da_do_write_end fs/ext4/inode.c:2955 [inline]\\n ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028\\n generic_perform_write+0x394/0x588 mm/filemap.c:3985\\n ext4_buffered_write_iter+0x2c0/0x4ec fs/ext4/file.c:299\\n ext4_file_write_iter+0x188/0x1780\\n call_write_iter include/linux/fs.h:2110 [inline]\\n new_sync_write fs/read_write.c:497 [inline]\\n vfs_write+0x968/0xc3c fs/read_write.c:590\\n ksys_write+0x15c/0x26c fs/read_write.c:643\\n __do_sys_write fs/read_write.c:655 [inline]\\n __se_sys_write fs/read_write.c:652 [inline]\\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:652\\n __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]\\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48\\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133\\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152\\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712\\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\\nCode: 97f85911 f94002da 91008356 d343fec8 (38796908)\\n---[ end trace 0000000000000000 ]---\\n----------------\\nCode disassembly (best guess):\\n 0:\\t97f85911 \\tbl\\t0xffffffffffe16444\\n 4:\\tf94002da \\tldr\\tx26, [x22]\\n 8:\\t91008356 \\tadd\\tx22, x26, #0x20\\n c:\\td343fec8 \\tlsr\\tx8, x22, #3\\n* 10:\\t38796908 \\tldrb\\tw8, [x8, x25] <-- trapping instruction\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43898\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43899", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43899" + }, + { + "url": "https://git.kernel.org/stable/c/974fccd61758599a9716c4b909d9226749efe37e" + }, + { + "url": "https://git.kernel.org/stable/c/ecbf60782662f0a388493685b85a645a0ba1613c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43899 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43899", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix null pointer deref in dcn20_resource.c\n\nFixes a hang thats triggered when MPV is run on a DCN401 dGPU:\n\nmpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all\n\nand then enabling fullscreen playback (double click on the video)\n\nThe following calltrace will be seen:\n\n[ 181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 181.843997] #PF: supervisor instruction fetch in kernel mode\n[ 181.844003] #PF: error_code(0x0010) - not-present page\n[ 181.844009] PGD 0 P4D 0\n[ 181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ 181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu\n[ 181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018\n[ 181.844044] RIP: 0010:0x0\n[ 181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[ 181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246\n[ 181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004\n[ 181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400\n[ 181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c\n[ 181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8\n[ 181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005\n[ 181.844121] FS: 00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000\n[ 181.844128] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0\n[ 181.844141] Call Trace:\n[ 181.844146] \n[ 181.844153] ? show_regs+0x6d/0x80\n[ 181.844167] ? __die+0x24/0x80\n[ 181.844179] ? page_fault_oops+0x99/0x1b0\n[ 181.844192] ? do_user_addr_fault+0x31d/0x6b0\n[ 181.844204] ? exc_page_fault+0x83/0x1b0\n[ 181.844216] ? asm_exc_page_fault+0x27/0x30\n[ 181.844237] dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu]\n[ 181.845115] amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu]\n[ 181.845985] amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu]\n[ 181.846848] fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu]\n[ 181.847734] fill_dc_plane_attributes+0x162/0x350 [amdgpu]\n[ 181.848748] dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\n[ 181.849791] ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\n[ 181.850840] amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu]", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43899\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43899\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43899\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43899\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43899\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/974fccd61758599a9716c4b909d9226749efe37e\",\n \"https://git.kernel.org/stable/c/ecbf60782662f0a388493685b85a645a0ba1613c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix null pointer deref in dcn20_resource.c\\n\\nFixes a hang thats triggered when MPV is run on a DCN401 dGPU:\\n\\nmpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all\\n\\nand then enabling fullscreen playback (double click on the video)\\n\\nThe following calltrace will be seen:\\n\\n[ 181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000\\n[ 181.843997] #PF: supervisor instruction fetch in kernel mode\\n[ 181.844003] #PF: error_code(0x0010) - not-present page\\n[ 181.844009] PGD 0 P4D 0\\n[ 181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI\\n[ 181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu\\n[ 181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018\\n[ 181.844044] RIP: 0010:0x0\\n[ 181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\\n[ 181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246\\n[ 181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004\\n[ 181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400\\n[ 181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c\\n[ 181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8\\n[ 181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005\\n[ 181.844121] FS: 00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000\\n[ 181.844128] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0\\n[ 181.844141] Call Trace:\\n[ 181.844146] \\n[ 181.844153] ? show_regs+0x6d/0x80\\n[ 181.844167] ? __die+0x24/0x80\\n[ 181.844179] ? page_fault_oops+0x99/0x1b0\\n[ 181.844192] ? do_user_addr_fault+0x31d/0x6b0\\n[ 181.844204] ? exc_page_fault+0x83/0x1b0\\n[ 181.844216] ? asm_exc_page_fault+0x27/0x30\\n[ 181.844237] dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu]\\n[ 181.845115] amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu]\\n[ 181.845985] amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu]\\n[ 181.846848] fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu]\\n[ 181.847734] fill_dc_plane_attributes+0x162/0x350 [amdgpu]\\n[ 181.848748] dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\\n[ 181.849791] ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\\n[ 181.850840] amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu]\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43899\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43900", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43900" + }, + { + "url": "https://git.kernel.org/stable/c/208deb6d8c3cb8c3acb1f41eb31cf68ea08726d5" + }, + { + "url": "https://git.kernel.org/stable/c/68594cec291ff9523b9feb3f43fd853dcddd1f60" + }, + { + "url": "https://git.kernel.org/stable/c/850304152d367f104d21c77cfbcc05806504218b" + }, + { + "url": "https://git.kernel.org/stable/c/ef517bdfc01818419f7bd426969a0c86b14f3e0e" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43900 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43900", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: xc2028: avoid use-after-free in load_firmware_cb()\n\nsyzkaller reported use-after-free in load_firmware_cb() [1].\nThe reason is because the module allocated a struct tuner in tuner_probe(),\nand then the module initialization failed, the struct tuner was released.\nA worker which created during module initialization accesses this struct\ntuner later, it caused use-after-free.\n\nThe process is as follows:\n\ntask-6504 worker_thread\ntuner_probe <= alloc dvb_frontend [2]\n...\nrequest_firmware_nowait <= create a worker\n...\ntuner_remove <= free dvb_frontend\n...\n request_firmware_work_func <= the firmware is ready\n load_firmware_cb <= but now the dvb_frontend has been freed\n\nTo fix the issue, check the dvd_frontend in load_firmware_cb(), if it is\nnull, report a warning and just return.\n\n[1]:\n ==================================================================\n BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0\n Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504\n\n Call trace:\n load_firmware_cb+0x1310/0x17a0\n request_firmware_work_func+0x128/0x220\n process_one_work+0x770/0x1824\n worker_thread+0x488/0xea0\n kthread+0x300/0x430\n ret_from_fork+0x10/0x20\n\n Allocated by task 6504:\n kzalloc\n tuner_probe+0xb0/0x1430\n i2c_device_probe+0x92c/0xaf0\n really_probe+0x678/0xcd0\n driver_probe_device+0x280/0x370\n __device_attach_driver+0x220/0x330\n bus_for_each_drv+0x134/0x1c0\n __device_attach+0x1f4/0x410\n device_initial_probe+0x20/0x30\n bus_probe_device+0x184/0x200\n device_add+0x924/0x12c0\n device_register+0x24/0x30\n i2c_new_device+0x4e0/0xc44\n v4l2_i2c_new_subdev_board+0xbc/0x290\n v4l2_i2c_new_subdev+0xc8/0x104\n em28xx_v4l2_init+0x1dd0/0x3770\n\n Freed by task 6504:\n kfree+0x238/0x4e4\n tuner_remove+0x144/0x1c0\n i2c_device_remove+0xc8/0x290\n __device_release_driver+0x314/0x5fc\n device_release_driver+0x30/0x44\n bus_remove_device+0x244/0x490\n device_del+0x350/0x900\n device_unregister+0x28/0xd0\n i2c_unregister_device+0x174/0x1d0\n v4l2_device_unregister+0x224/0x380\n em28xx_v4l2_init+0x1d90/0x3770\n\n The buggy address belongs to the object at ffff8000d7ca2000\n which belongs to the cache kmalloc-2k of size 2048\n The buggy address is located 776 bytes inside of\n 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)\n The buggy address belongs to the page:\n page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0\n flags: 0x7ff800000000100(slab)\n raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000\n raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\n[2]\n Actually, it is allocated for struct tuner, and dvb_frontend is inside.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43900\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43900\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43900\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43900\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43900\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/208deb6d8c3cb8c3acb1f41eb31cf68ea08726d5\",\n \"https://git.kernel.org/stable/c/68594cec291ff9523b9feb3f43fd853dcddd1f60\",\n \"https://git.kernel.org/stable/c/850304152d367f104d21c77cfbcc05806504218b\",\n \"https://git.kernel.org/stable/c/ef517bdfc01818419f7bd426969a0c86b14f3e0e\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: xc2028: avoid use-after-free in load_firmware_cb()\\n\\nsyzkaller reported use-after-free in load_firmware_cb() [1].\\nThe reason is because the module allocated a struct tuner in tuner_probe(),\\nand then the module initialization failed, the struct tuner was released.\\nA worker which created during module initialization accesses this struct\\ntuner later, it caused use-after-free.\\n\\nThe process is as follows:\\n\\ntask-6504 worker_thread\\ntuner_probe <= alloc dvb_frontend [2]\\n...\\nrequest_firmware_nowait <= create a worker\\n...\\ntuner_remove <= free dvb_frontend\\n...\\n request_firmware_work_func <= the firmware is ready\\n load_firmware_cb <= but now the dvb_frontend has been freed\\n\\nTo fix the issue, check the dvd_frontend in load_firmware_cb(), if it is\\nnull, report a warning and just return.\\n\\n[1]:\\n ==================================================================\\n BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0\\n Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504\\n\\n Call trace:\\n load_firmware_cb+0x1310/0x17a0\\n request_firmware_work_func+0x128/0x220\\n process_one_work+0x770/0x1824\\n worker_thread+0x488/0xea0\\n kthread+0x300/0x430\\n ret_from_fork+0x10/0x20\\n\\n Allocated by task 6504:\\n kzalloc\\n tuner_probe+0xb0/0x1430\\n i2c_device_probe+0x92c/0xaf0\\n really_probe+0x678/0xcd0\\n driver_probe_device+0x280/0x370\\n __device_attach_driver+0x220/0x330\\n bus_for_each_drv+0x134/0x1c0\\n __device_attach+0x1f4/0x410\\n device_initial_probe+0x20/0x30\\n bus_probe_device+0x184/0x200\\n device_add+0x924/0x12c0\\n device_register+0x24/0x30\\n i2c_new_device+0x4e0/0xc44\\n v4l2_i2c_new_subdev_board+0xbc/0x290\\n v4l2_i2c_new_subdev+0xc8/0x104\\n em28xx_v4l2_init+0x1dd0/0x3770\\n\\n Freed by task 6504:\\n kfree+0x238/0x4e4\\n tuner_remove+0x144/0x1c0\\n i2c_device_remove+0xc8/0x290\\n __device_release_driver+0x314/0x5fc\\n device_release_driver+0x30/0x44\\n bus_remove_device+0x244/0x490\\n device_del+0x350/0x900\\n device_unregister+0x28/0xd0\\n i2c_unregister_device+0x174/0x1d0\\n v4l2_device_unregister+0x224/0x380\\n em28xx_v4l2_init+0x1d90/0x3770\\n\\n The buggy address belongs to the object at ffff8000d7ca2000\\n which belongs to the cache kmalloc-2k of size 2048\\n The buggy address is located 776 bytes inside of\\n 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)\\n The buggy address belongs to the page:\\n page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0\\n flags: 0x7ff800000000100(slab)\\n raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000\\n raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\\n page dumped because: kasan: bad access detected\\n\\n Memory state around the buggy address:\\n ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ^\\n ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ==================================================================\\n\\n[2]\\n Actually, it is allocated for struct tuner, and dvb_frontend is inside.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43900\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43901", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43901" + }, + { + "url": "https://git.kernel.org/stable/c/1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351" + }, + { + "url": "https://git.kernel.org/stable/c/5af757124792817f8eb1bd0c80ad60fab519586b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43901 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43901", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\n\nWhen users run the command:\n\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\n\nThe following NULL pointer dereference happens:\n\n[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL\n[ +0.000005] #PF: supervisor instruction fetch in kernel mode\n[ +0.000002] #PF: error_code(0x0010) - not-present page\n[ +0.000002] PGD 0 P4D 0\n[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ +0.000003] RIP: 0010:0x0\n[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[...]\n[ +0.000002] PKRU: 55555554\n[ +0.000002] Call Trace:\n[ +0.000002] \n[ +0.000003] ? show_regs+0x65/0x70\n[ +0.000006] ? __die+0x24/0x70\n[ +0.000004] ? page_fault_oops+0x160/0x470\n[ +0.000006] ? do_user_addr_fault+0x2b5/0x690\n[ +0.000003] ? prb_read_valid+0x1c/0x30\n[ +0.000005] ? exc_page_fault+0x8c/0x1a0\n[ +0.000005] ? asm_exc_page_fault+0x27/0x30\n[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]\n[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? vsnprintf+0x2fb/0x600\n[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\n[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170\n[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? debug_smp_processor_id+0x17/0x20\n[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? set_ptes.isra.0+0x2b/0x90\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? _raw_spin_unlock+0x19/0x40\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? do_anonymous_page+0x337/0x700\n[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]\n[ +0.000207] full_proxy_read+0x66/0x90\n[ +0.000007] vfs_read+0xb0/0x340\n[ +0.000005] ? __count_memcg_events+0x79/0xe0\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40\n[ +0.000003] ? handle_mm_fault+0xb2/0x370\n[ +0.000003] ksys_read+0x6b/0xf0\n[ +0.000004] __x64_sys_read+0x19/0x20\n[ +0.000003] do_syscall_64+0x60/0x130\n[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ +0.000003] RIP: 0033:0x7fdf32f147e2\n[...]\n\nThis error happens when the color log tries to read the gamut remap\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\nwhich leads to a null pointer dereference. This commit addresses this\nissue by adding a proper guard to access the gamut_remap callback in\ncase the specific ASIC did not implement this function.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43901\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43901\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43901\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43901\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43901\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351\",\n \"https://git.kernel.org/stable/c/5af757124792817f8eb1bd0c80ad60fab519586b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\\n\\nWhen users run the command:\\n\\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\\n\\nThe following NULL pointer dereference happens:\\n\\n[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL\\n[ +0.000005] #PF: supervisor instruction fetch in kernel mode\\n[ +0.000002] #PF: error_code(0x0010) - not-present page\\n[ +0.000002] PGD 0 P4D 0\\n[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\\n[ +0.000003] RIP: 0010:0x0\\n[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\\n[...]\\n[ +0.000002] PKRU: 55555554\\n[ +0.000002] Call Trace:\\n[ +0.000002] \\n[ +0.000003] ? show_regs+0x65/0x70\\n[ +0.000006] ? __die+0x24/0x70\\n[ +0.000004] ? page_fault_oops+0x160/0x470\\n[ +0.000006] ? do_user_addr_fault+0x2b5/0x690\\n[ +0.000003] ? prb_read_valid+0x1c/0x30\\n[ +0.000005] ? exc_page_fault+0x8c/0x1a0\\n[ +0.000005] ? asm_exc_page_fault+0x27/0x30\\n[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]\\n[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000003] ? vsnprintf+0x2fb/0x600\\n[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\\n[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170\\n[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000002] ? debug_smp_processor_id+0x17/0x20\\n[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000002] ? set_ptes.isra.0+0x2b/0x90\\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000002] ? _raw_spin_unlock+0x19/0x40\\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000002] ? do_anonymous_page+0x337/0x700\\n[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]\\n[ +0.000207] full_proxy_read+0x66/0x90\\n[ +0.000007] vfs_read+0xb0/0x340\\n[ +0.000005] ? __count_memcg_events+0x79/0xe0\\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\\n[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40\\n[ +0.000003] ? handle_mm_fault+0xb2/0x370\\n[ +0.000003] ksys_read+0x6b/0xf0\\n[ +0.000004] __x64_sys_read+0x19/0x20\\n[ +0.000003] do_syscall_64+0x60/0x130\\n[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n[ +0.000003] RIP: 0033:0x7fdf32f147e2\\n[...]\\n\\nThis error happens when the color log tries to read the gamut remap\\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\\nwhich leads to a null pointer dereference. This commit addresses this\\nissue by adding a proper guard to access the gamut_remap callback in\\ncase the specific ASIC did not implement this function.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43901\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43902", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43902" + }, + { + "url": "https://git.kernel.org/stable/c/1686675405d07f35eae7ff3d13a530034b899df2" + }, + { + "url": "https://git.kernel.org/stable/c/4cc2a94d96caeb3c975acdae7351c2f997c32175" + }, + { + "url": "https://git.kernel.org/stable/c/8092aa3ab8f7b737a34b71f91492c676a843043a" + }, + { + "url": "https://git.kernel.org/stable/c/83c7f509ef087041604e9572938f82e18b724c9d" + }, + { + "url": "https://git.kernel.org/stable/c/d0b8b23b9c2ebec693a36fea518d8f13493ad655" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43902 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43902", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null checker before passing variables\n\nChecks null pointer before passing variables to functions.\n\nThis fixes 3 NULL_RETURNS issues reported by Coverity.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43902\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43902\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43902\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43902\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43902\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1686675405d07f35eae7ff3d13a530034b899df2\",\n \"https://git.kernel.org/stable/c/4cc2a94d96caeb3c975acdae7351c2f997c32175\",\n \"https://git.kernel.org/stable/c/8092aa3ab8f7b737a34b71f91492c676a843043a\",\n \"https://git.kernel.org/stable/c/83c7f509ef087041604e9572938f82e18b724c9d\",\n \"https://git.kernel.org/stable/c/d0b8b23b9c2ebec693a36fea518d8f13493ad655\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add null checker before passing variables\\n\\nChecks null pointer before passing variables to functions.\\n\\nThis fixes 3 NULL_RETURNS issues reported by Coverity.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43902\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43903", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43903" + }, + { + "url": "https://git.kernel.org/stable/c/31a679a880102dee6e10985a7b1789af8dc328cc" + }, + { + "url": "https://git.kernel.org/stable/c/38e6f715b02b572f74677eb2f29d3b4bc6f1ddff" + }, + { + "url": "https://git.kernel.org/stable/c/94220b35aeba2b68da81deeefbb784d94eeb5c04" + }, + { + "url": "https://git.kernel.org/stable/c/ce5d090af683137cb779ed7e3683839f9c778b35" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43903 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43903", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update\n\nThis commit adds a null check for the 'afb' variable in the\namdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was\nassumed to be null, but was used later in the code without a null check.\nThis could potentially lead to a null pointer dereference.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43903\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43903\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43903\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43903\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43903\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/31a679a880102dee6e10985a7b1789af8dc328cc\",\n \"https://git.kernel.org/stable/c/38e6f715b02b572f74677eb2f29d3b4bc6f1ddff\",\n \"https://git.kernel.org/stable/c/94220b35aeba2b68da81deeefbb784d94eeb5c04\",\n \"https://git.kernel.org/stable/c/ce5d090af683137cb779ed7e3683839f9c778b35\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update\\n\\nThis commit adds a null check for the 'afb' variable in the\\namdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was\\nassumed to be null, but was used later in the code without a null check.\\nThis could potentially lead to a null pointer dereference.\\n\\nFixes the below:\\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43903\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43904", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43904" + }, + { + "url": "https://git.kernel.org/stable/c/15c2990e0f0108b9c3752d7072a97d45d4283aea" + }, + { + "url": "https://git.kernel.org/stable/c/16a8a2a839d19c4cf7253642b493ffb8eee1d857" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43904 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43904", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing\n\nThis commit adds null checks for the 'stream' and 'plane' variables in\nthe dcn30_apply_idle_power_optimizations function. These variables were\npreviously assumed to be null at line 922, but they were used later in\nthe code without checking if they were null. This could potentially lead\nto a null pointer dereference, which would cause a crash.\n\nThe null checks ensure that 'stream' and 'plane' are not null before\nthey are used, preventing potential crashes.\n\nFixes the below static smatch checker:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922)\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43904\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43904\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43904\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43904\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43904\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/15c2990e0f0108b9c3752d7072a97d45d4283aea\",\n \"https://git.kernel.org/stable/c/16a8a2a839d19c4cf7253642b493ffb8eee1d857\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing\\n\\nThis commit adds null checks for the 'stream' and 'plane' variables in\\nthe dcn30_apply_idle_power_optimizations function. These variables were\\npreviously assumed to be null at line 922, but they were used later in\\nthe code without checking if they were null. This could potentially lead\\nto a null pointer dereference, which would cause a crash.\\n\\nThe null checks ensure that 'stream' and 'plane' are not null before\\nthey are used, preventing potential crashes.\\n\\nFixes the below static smatch checker:\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922)\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43904\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43905", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43905" + }, + { + "url": "https://git.kernel.org/stable/c/2e538944996d0dd497faf8ee81f8bfcd3aca7d80" + }, + { + "url": "https://git.kernel.org/stable/c/50151b7f1c79a09117837eb95b76c2de76841dab" + }, + { + "url": "https://git.kernel.org/stable/c/69a441473fec2fc2aa2cf56122d6c42c4266a239" + }, + { + "url": "https://git.kernel.org/stable/c/c2629daf218a325f4d69754452cd42fe8451c15b" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43905 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43905", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Fix the null pointer dereference for vega10_hwmgr\n\nCheck return value and conduct null pointer handling to avoid null pointer dereference.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43905\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43905\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43905\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43905\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43905\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2e538944996d0dd497faf8ee81f8bfcd3aca7d80\",\n \"https://git.kernel.org/stable/c/50151b7f1c79a09117837eb95b76c2de76841dab\",\n \"https://git.kernel.org/stable/c/69a441473fec2fc2aa2cf56122d6c42c4266a239\",\n \"https://git.kernel.org/stable/c/c2629daf218a325f4d69754452cd42fe8451c15b\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/pm: Fix the null pointer dereference for vega10_hwmgr\\n\\nCheck return value and conduct null pointer handling to avoid null pointer dereference.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43905\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43906", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43906" + }, + { + "url": "https://git.kernel.org/stable/c/030ffd4d43b433bc6671d9ec34fc12c59220b95d" + }, + { + "url": "https://git.kernel.org/stable/c/4fd52f7c2c11d330571c6bde06e5ea508ec25c9d" + }, + { + "url": "https://git.kernel.org/stable/c/641dac64178ccdb9e45c92b67120316896294d05" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43906 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43906", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/admgpu: fix dereferencing null pointer context\n\nWhen user space sets an invalid ta type, the pointer context will be empty.\nSo it need to check the pointer context before using it", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43906\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43906\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43906\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43906\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43906\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/030ffd4d43b433bc6671d9ec34fc12c59220b95d\",\n \"https://git.kernel.org/stable/c/4fd52f7c2c11d330571c6bde06e5ea508ec25c9d\",\n \"https://git.kernel.org/stable/c/641dac64178ccdb9e45c92b67120316896294d05\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/admgpu: fix dereferencing null pointer context\\n\\nWhen user space sets an invalid ta type, the pointer context will be empty.\\nSo it need to check the pointer context before using it\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43906\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43907", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43907" + }, + { + "url": "https://git.kernel.org/stable/c/0c065e50445aea2e0a1815f12e97ee49e02cbaac" + }, + { + "url": "https://git.kernel.org/stable/c/13937a40aae4efe64592ba48c057ac3c72f7fe82" + }, + { + "url": "https://git.kernel.org/stable/c/3a01bf2ca9f860fdc88c358567b8fa3033efcf30" + }, + { + "url": "https://git.kernel.org/stable/c/c1749313f35b98e2e655479f037db37f19756622" + }, + { + "url": "https://git.kernel.org/stable/c/d19fb10085a49b77578314f69fff21562f7cd054" + }, + { + "url": "https://git.kernel.org/stable/c/e04d18c29954441aa1054af649f957ffad90a201" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43907 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43907", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules\n\nCheck the pointer value to fix potential null pointer\ndereference", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43907\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43907\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43907\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43907\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43907\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0c065e50445aea2e0a1815f12e97ee49e02cbaac\",\n \"https://git.kernel.org/stable/c/13937a40aae4efe64592ba48c057ac3c72f7fe82\",\n \"https://git.kernel.org/stable/c/3a01bf2ca9f860fdc88c358567b8fa3033efcf30\",\n \"https://git.kernel.org/stable/c/c1749313f35b98e2e655479f037db37f19756622\",\n \"https://git.kernel.org/stable/c/d19fb10085a49b77578314f69fff21562f7cd054\",\n \"https://git.kernel.org/stable/c/e04d18c29954441aa1054af649f957ffad90a201\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules\\n\\nCheck the pointer value to fix potential null pointer\\ndereference\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43907\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43908", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43908" + }, + { + "url": "https://git.kernel.org/stable/c/033187a70ba9743c73a810a006816e5553d1e7d4" + }, + { + "url": "https://git.kernel.org/stable/c/48cada0ac79e4775236d642e9ec5998a7c7fb7a4" + }, + { + "url": "https://git.kernel.org/stable/c/4c11d30c95576937c6c35e6f29884761f2dddb43" + }, + { + "url": "https://git.kernel.org/stable/c/56e848034ccabe44e8f22ffcf49db771c17b0d0a" + }, + { + "url": "https://git.kernel.org/stable/c/b89616333979114bb0da5fa40fb6e4a2f5294ca2" + }, + { + "url": "https://git.kernel.org/stable/c/d81c1eeb333d84b3012a91c0500189dc1d71e46c" + }, + { + "url": "https://git.kernel.org/stable/c/ff5c4eb71ee8951c789b079f6e948f86708b04ed" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43908 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43908", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix the null pointer dereference to ras_manager\n\nCheck ras_manager before using it", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43908\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43908\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43908\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43908\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43908\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/033187a70ba9743c73a810a006816e5553d1e7d4\",\n \"https://git.kernel.org/stable/c/48cada0ac79e4775236d642e9ec5998a7c7fb7a4\",\n \"https://git.kernel.org/stable/c/4c11d30c95576937c6c35e6f29884761f2dddb43\",\n \"https://git.kernel.org/stable/c/56e848034ccabe44e8f22ffcf49db771c17b0d0a\",\n \"https://git.kernel.org/stable/c/b89616333979114bb0da5fa40fb6e4a2f5294ca2\",\n \"https://git.kernel.org/stable/c/d81c1eeb333d84b3012a91c0500189dc1d71e46c\",\n \"https://git.kernel.org/stable/c/ff5c4eb71ee8951c789b079f6e948f86708b04ed\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: Fix the null pointer dereference to ras_manager\\n\\nCheck ras_manager before using it\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43908\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43909", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43909" + }, + { + "url": "https://git.kernel.org/stable/c/09544cd95c688d3041328a4253bd7514972399bb" + }, + { + "url": "https://git.kernel.org/stable/c/1b8aa82b80bd947b68a8ab051d960a0c7935e22d" + }, + { + "url": "https://git.kernel.org/stable/c/37b9df457cbcf095963d18f17d6cb7dfa0a03fce" + }, + { + "url": "https://git.kernel.org/stable/c/7f56f050f02c27ed89cce1ea0c04b34abce32751" + }, + { + "url": "https://git.kernel.org/stable/c/c02c1960c93eede587576625a1221205a68a904f" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43909 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43909", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix the null pointer dereference for smu7\n\noptimize the code to avoid pass a null pointer (hwmgr->backend)\nto function smu7_update_edc_leakage_table.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43909\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43909\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43909\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43909\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43909\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/09544cd95c688d3041328a4253bd7514972399bb\",\n \"https://git.kernel.org/stable/c/1b8aa82b80bd947b68a8ab051d960a0c7935e22d\",\n \"https://git.kernel.org/stable/c/37b9df457cbcf095963d18f17d6cb7dfa0a03fce\",\n \"https://git.kernel.org/stable/c/7f56f050f02c27ed89cce1ea0c04b34abce32751\",\n \"https://git.kernel.org/stable/c/c02c1960c93eede587576625a1221205a68a904f\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu/pm: Fix the null pointer dereference for smu7\\n\\noptimize the code to avoid pass a null pointer (hwmgr->backend)\\nto function smu7_update_edc_leakage_table.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43909\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43910", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43910" + }, + { + "url": "https://git.kernel.org/stable/c/13663a7c644bf1dedaf461d07252db5d76c8759a" + }, + { + "url": "https://git.kernel.org/stable/c/ec2b9a5e11e51fea1bb04c1e7e471952e887e874" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43910 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43910", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses\n\nCurrently, it's possible to pass in a modified CONST_PTR_TO_DYNPTR to\na global function as an argument. The adverse effects of this is that\nBPF helpers can continue to make use of this modified\nCONST_PTR_TO_DYNPTR from within the context of the global function,\nwhich can unintentionally result in out-of-bounds memory accesses and\ntherefore compromise overall system stability i.e.\n\n[ 244.157771] BUG: KASAN: slab-out-of-bounds in bpf_dynptr_data+0x137/0x140\n[ 244.161345] Read of size 8 at addr ffff88810914be68 by task test_progs/302\n[ 244.167151] CPU: 0 PID: 302 Comm: test_progs Tainted: G O E 6.10.0-rc3-00131-g66b586715063 #533\n[ 244.174318] Call Trace:\n[ 244.175787] \n[ 244.177356] dump_stack_lvl+0x66/0xa0\n[ 244.179531] print_report+0xce/0x670\n[ 244.182314] ? __virt_addr_valid+0x200/0x3e0\n[ 244.184908] kasan_report+0xd7/0x110\n[ 244.187408] ? bpf_dynptr_data+0x137/0x140\n[ 244.189714] ? bpf_dynptr_data+0x137/0x140\n[ 244.192020] bpf_dynptr_data+0x137/0x140\n[ 244.194264] bpf_prog_b02a02fdd2bdc5fa_global_call_bpf_dynptr_data+0x22/0x26\n[ 244.198044] bpf_prog_b0fe7b9d7dc3abde_callback_adjust_bpf_dynptr_reg_off+0x1f/0x23\n[ 244.202136] bpf_user_ringbuf_drain+0x2c7/0x570\n[ 244.204744] ? 0xffffffffc0009e58\n[ 244.206593] ? __pfx_bpf_user_ringbuf_drain+0x10/0x10\n[ 244.209795] bpf_prog_33ab33f6a804ba2d_user_ringbuf_callback_const_ptr_to_dynptr_reg_off+0x47/0x4b\n[ 244.215922] bpf_trampoline_6442502480+0x43/0xe3\n[ 244.218691] __x64_sys_prlimit64+0x9/0xf0\n[ 244.220912] do_syscall_64+0xc1/0x1d0\n[ 244.223043] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 244.226458] RIP: 0033:0x7ffa3eb8f059\n[ 244.228582] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48\n[ 244.241307] RSP: 002b:00007ffa3e9c6eb8 EFLAGS: 00000206 ORIG_RAX: 000000000000012e\n[ 244.246474] RAX: ffffffffffffffda RBX: 00007ffa3e9c7cdc RCX: 00007ffa3eb8f059\n[ 244.250478] RDX: 00007ffa3eb162b4 RSI: 0000000000000000 RDI: 00007ffa3e9c7fb0\n[ 244.255396] RBP: 00007ffa3e9c6ed0 R08: 00007ffa3e9c76c0 R09: 0000000000000000\n[ 244.260195] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffff80\n[ 244.264201] R13: 000000000000001c R14: 00007ffc5d6b4260 R15: 00007ffa3e1c7000\n[ 244.268303] \n\nAdd a check_func_arg_reg_off() to the path in which the BPF verifier\nverifies the arguments of global function arguments, specifically\nthose which take an argument of type ARG_PTR_TO_DYNPTR |\nMEM_RDONLY. Also, process_dynptr_func() doesn't appear to perform any\nexplicit and strict type matching on the supplied register type, so\nlet's also enforce that a register either type PTR_TO_STACK or\nCONST_PTR_TO_DYNPTR is by the caller.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43910\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43910\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43910\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43910\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43910\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/13663a7c644bf1dedaf461d07252db5d76c8759a\",\n \"https://git.kernel.org/stable/c/ec2b9a5e11e51fea1bb04c1e7e471952e887e874\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses\\n\\nCurrently, it's possible to pass in a modified CONST_PTR_TO_DYNPTR to\\na global function as an argument. The adverse effects of this is that\\nBPF helpers can continue to make use of this modified\\nCONST_PTR_TO_DYNPTR from within the context of the global function,\\nwhich can unintentionally result in out-of-bounds memory accesses and\\ntherefore compromise overall system stability i.e.\\n\\n[ 244.157771] BUG: KASAN: slab-out-of-bounds in bpf_dynptr_data+0x137/0x140\\n[ 244.161345] Read of size 8 at addr ffff88810914be68 by task test_progs/302\\n[ 244.167151] CPU: 0 PID: 302 Comm: test_progs Tainted: G O E 6.10.0-rc3-00131-g66b586715063 #533\\n[ 244.174318] Call Trace:\\n[ 244.175787] \\n[ 244.177356] dump_stack_lvl+0x66/0xa0\\n[ 244.179531] print_report+0xce/0x670\\n[ 244.182314] ? __virt_addr_valid+0x200/0x3e0\\n[ 244.184908] kasan_report+0xd7/0x110\\n[ 244.187408] ? bpf_dynptr_data+0x137/0x140\\n[ 244.189714] ? bpf_dynptr_data+0x137/0x140\\n[ 244.192020] bpf_dynptr_data+0x137/0x140\\n[ 244.194264] bpf_prog_b02a02fdd2bdc5fa_global_call_bpf_dynptr_data+0x22/0x26\\n[ 244.198044] bpf_prog_b0fe7b9d7dc3abde_callback_adjust_bpf_dynptr_reg_off+0x1f/0x23\\n[ 244.202136] bpf_user_ringbuf_drain+0x2c7/0x570\\n[ 244.204744] ? 0xffffffffc0009e58\\n[ 244.206593] ? __pfx_bpf_user_ringbuf_drain+0x10/0x10\\n[ 244.209795] bpf_prog_33ab33f6a804ba2d_user_ringbuf_callback_const_ptr_to_dynptr_reg_off+0x47/0x4b\\n[ 244.215922] bpf_trampoline_6442502480+0x43/0xe3\\n[ 244.218691] __x64_sys_prlimit64+0x9/0xf0\\n[ 244.220912] do_syscall_64+0xc1/0x1d0\\n[ 244.223043] entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n[ 244.226458] RIP: 0033:0x7ffa3eb8f059\\n[ 244.228582] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48\\n[ 244.241307] RSP: 002b:00007ffa3e9c6eb8 EFLAGS: 00000206 ORIG_RAX: 000000000000012e\\n[ 244.246474] RAX: ffffffffffffffda RBX: 00007ffa3e9c7cdc RCX: 00007ffa3eb8f059\\n[ 244.250478] RDX: 00007ffa3eb162b4 RSI: 0000000000000000 RDI: 00007ffa3e9c7fb0\\n[ 244.255396] RBP: 00007ffa3e9c6ed0 R08: 00007ffa3e9c76c0 R09: 0000000000000000\\n[ 244.260195] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffff80\\n[ 244.264201] R13: 000000000000001c R14: 00007ffc5d6b4260 R15: 00007ffa3e1c7000\\n[ 244.268303] \\n\\nAdd a check_func_arg_reg_off() to the path in which the BPF verifier\\nverifies the arguments of global function arguments, specifically\\nthose which take an argument of type ARG_PTR_TO_DYNPTR |\\nMEM_RDONLY. Also, process_dynptr_func() doesn't appear to perform any\\nexplicit and strict type matching on the supplied register type, so\\nlet's also enforce that a register either type PTR_TO_STACK or\\nCONST_PTR_TO_DYNPTR is by the caller.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43910\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43911", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43911" + }, + { + "url": "https://git.kernel.org/stable/c/021d53a3d87eeb9dbba524ac515651242a2a7e3b" + }, + { + "url": "https://git.kernel.org/stable/c/a5594c1e03b0df3908b1e1202a1ba34422eed0f6" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43911 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43911", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\n\nIn MLD connection, link_data/link_conf are dynamically allocated. They\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\nht_supported/vht_supported/has_he/has_eht on sta deflink.\n\nCrash log (with rtw89 version under MLO development):\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 9890.526102] #PF: supervisor read access in kernel mode\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\n[ 9890.526109] PGD 0 P4D 0\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\nAll code\n========\n 0:\tf7 e8 \timul %eax\n 2:\td5 \t(bad)\n 3:\t93 \txchg %eax,%ebx\n 4:\t3e ea \tds (bad)\n 6:\t48 83 c4 28 \tadd $0x28,%rsp\n a:\t89 d8 \tmov %ebx,%eax\n c:\t5b \tpop %rbx\n d:\t41 5c \tpop %r12\n f:\t41 5d \tpop %r13\n 11:\t41 5e \tpop %r14\n 13:\t41 5f \tpop %r15\n 15:\t5d \tpop %rbp\n 16:\tc3 \tretq\n 17:\tcc \tint3\n 18:\tcc \tint3\n 19:\tcc \tint3\n 1a:\tcc \tint3\n 1b:\t49 8b 84 24 e0 f1 ff \tmov -0xe20(%r12),%rax\n 22:\tff\n 23:\t48 8b 80 90 1b 00 00 \tmov 0x1b90(%rax),%rax\n 2a:*\t83 38 03 \tcmpl $0x3,(%rax)\t\t<-- trapping instruction\n 2d:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe6a\n 33:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n 38:\teb cc \tjmp 0x6\n 3a:\t49 \trex.WB\n 3b:\t8b \t.byte 0x8b\n 3c:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 3f:\tf3 \trepz\n\nCode starting with the faulting instruction\n===========================================\n 0:\t83 38 03 \tcmpl $0x3,(%rax)\n 3:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe40\n 9:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n e:\teb cc \tjmp 0xffffffffffffffdc\n 10:\t49 \trex.WB\n 11:\t8b \t.byte 0x8b\n 12:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 15:\tf3 \trepz\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\n[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\n[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\n[ 9890.526321] Call Trace:\n[ 9890.526324] \n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43911\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43911\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43911\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43911\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43911\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/021d53a3d87eeb9dbba524ac515651242a2a7e3b\",\n \"https://git.kernel.org/stable/c/a5594c1e03b0df3908b1e1202a1ba34422eed0f6\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\\n\\nIn MLD connection, link_data/link_conf are dynamically allocated. They\\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\\nht_supported/vht_supported/has_he/has_eht on sta deflink.\\n\\nCrash log (with rtw89 version under MLO development):\\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\\n[ 9890.526102] #PF: supervisor read access in kernel mode\\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\\n[ 9890.526109] PGD 0 P4D 0\\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1\\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\\nAll code\\n========\\n 0:\\tf7 e8 \\timul %eax\\n 2:\\td5 \\t(bad)\\n 3:\\t93 \\txchg %eax,%ebx\\n 4:\\t3e ea \\tds (bad)\\n 6:\\t48 83 c4 28 \\tadd $0x28,%rsp\\n a:\\t89 d8 \\tmov %ebx,%eax\\n c:\\t5b \\tpop %rbx\\n d:\\t41 5c \\tpop %r12\\n f:\\t41 5d \\tpop %r13\\n 11:\\t41 5e \\tpop %r14\\n 13:\\t41 5f \\tpop %r15\\n 15:\\t5d \\tpop %rbp\\n 16:\\tc3 \\tretq\\n 17:\\tcc \\tint3\\n 18:\\tcc \\tint3\\n 19:\\tcc \\tint3\\n 1a:\\tcc \\tint3\\n 1b:\\t49 8b 84 24 e0 f1 ff \\tmov -0xe20(%r12),%rax\\n 22:\\tff\\n 23:\\t48 8b 80 90 1b 00 00 \\tmov 0x1b90(%rax),%rax\\n 2a:*\\t83 38 03 \\tcmpl $0x3,(%rax)\\t\\t<-- trapping instruction\\n 2d:\\t0f 84 37 fe ff ff \\tje 0xfffffffffffffe6a\\n 33:\\tbb ea ff ff ff \\tmov $0xffffffea,%ebx\\n 38:\\teb cc \\tjmp 0x6\\n 3a:\\t49 \\trex.WB\\n 3b:\\t8b \\t.byte 0x8b\\n 3c:\\t84 24 10 \\ttest %ah,(%rax,%rdx,1)\\n 3f:\\tf3 \\trepz\\n\\nCode starting with the faulting instruction\\n===========================================\\n 0:\\t83 38 03 \\tcmpl $0x3,(%rax)\\n 3:\\t0f 84 37 fe ff ff \\tje 0xfffffffffffffe40\\n 9:\\tbb ea ff ff ff \\tmov $0xffffffea,%ebx\\n e:\\teb cc \\tjmp 0xffffffffffffffdc\\n 10:\\t49 \\trex.WB\\n 11:\\t8b \\t.byte 0x8b\\n 12:\\t84 24 10 \\ttest %ah,(%rax,%rdx,1)\\n 15:\\tf3 \\trepz\\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\\n[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\\n[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\\n[ 9890.526321] Call Trace:\\n[ 9890.526324] \\n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43911\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43912", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43912" + }, + { + "url": "https://git.kernel.org/stable/c/23daf1b4c91db9b26f8425cc7039cf96d22ccbfe" + }, + { + "url": "https://git.kernel.org/stable/c/3d42f2125f6c89e1e71c87b9f23412afddbba45e" + }, + { + "url": "https://git.kernel.org/stable/c/ac3bf6e47fd8da9bfe8027e1acfe0282a91584fc" + }, + { + "url": "https://git.kernel.org/stable/c/c6ea738e3feb407a3283197d9a25d0788f4f3cee" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43912 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43912", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: disallow setting special AP channel widths\n\nSetting the AP channel width is meant for use with the normal\n20/40/... MHz channel width progression, and switching around\nin S1G or narrow channels isn't supported. Disallow that.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43912\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43912\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43912\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43912\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43912\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/23daf1b4c91db9b26f8425cc7039cf96d22ccbfe\",\n \"https://git.kernel.org/stable/c/3d42f2125f6c89e1e71c87b9f23412afddbba45e\",\n \"https://git.kernel.org/stable/c/ac3bf6e47fd8da9bfe8027e1acfe0282a91584fc\",\n \"https://git.kernel.org/stable/c/c6ea738e3feb407a3283197d9a25d0788f4f3cee\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: nl80211: disallow setting special AP channel widths\\n\\nSetting the AP channel width is meant for use with the normal\\n20/40/... MHz channel width progression, and switching around\\nin S1G or narrow channels isn't supported. Disallow that.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43912\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43913", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43913" + }, + { + "url": "https://git.kernel.org/stable/c/b9ecbfa45516182cd062fecd286db7907ba84210" + }, + { + "url": "https://git.kernel.org/stable/c/d59c4d0eb6adc24c2201f153ccb7fd0a335b0d3d" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43913 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43913", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: apple: fix device reference counting\n\nDrivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl.\nSplit the allocation side out to make the error handling boundary easier\nto navigate. The apple driver had been doing this wrong, leaking the\ncontroller device memory on a tagset failure.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43913\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43913\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43913\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43913\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43913\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/b9ecbfa45516182cd062fecd286db7907ba84210\",\n \"https://git.kernel.org/stable/c/d59c4d0eb6adc24c2201f153ccb7fd0a335b0d3d\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvme: apple: fix device reference counting\\n\\nDrivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl.\\nSplit the allocation side out to make the error handling boundary easier\\nto navigate. The apple driver had been doing this wrong, leaking the\\ncontroller device memory on a tagset failure.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43913\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-43914", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-43914" + }, + { + "url": "https://git.kernel.org/stable/c/2c92f8c1c456d556f15cbf51667b385026b2e6a0" + }, + { + "url": "https://git.kernel.org/stable/c/305a5170dc5cf3d395bb4c4e9239bca6d0b54b49" + }, + { + "url": "https://git.kernel.org/stable/c/3b33740c1750a39e046339ff9240e954f0156707" + }, + { + "url": "https://git.kernel.org/stable/c/4811d6e5d9f4090c3e0ff9890eb24077108046ab" + }, + { + "url": "https://git.kernel.org/stable/c/6b33c468d543f6a83de2d61f09fec74b27e19fd2" + }, + { + "url": "https://git.kernel.org/stable/c/775a9ba16c9ffe98fe54ebf14e55d5660f2bf600" + }, + { + "url": "https://git.kernel.org/stable/c/bf0ff69a42a3d2d46876d0514ecf13dffc516666" + }, + { + "url": "https://git.kernel.org/stable/c/c384dd4f1fb3b14a2fd199360701cc163ea88705" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-43914 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-43914", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: avoid BUG_ON() while continue reshape after reassembling\n\nCurrently, mdadm support --revert-reshape to abort the reshape while\nreassembling, as the test 07revert-grow. However, following BUG_ON()\ncan be triggerred by the test:\n\nkernel BUG at drivers/md/raid5.c:6278!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nirq event stamp: 158985\nCPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94\nRIP: 0010:reshape_request+0x3f1/0xe60\nCall Trace:\n \n raid5_sync_request+0x43d/0x550\n md_do_sync+0xb7a/0x2110\n md_thread+0x294/0x2b0\n kthread+0x147/0x1c0\n ret_from_fork+0x59/0x70\n ret_from_fork_asm+0x1a/0x30\n \n\nRoot cause is that --revert-reshape update the raid_disks from 5 to 4,\nwhile reshape position is still set, and after reassembling the array,\nreshape position will be read from super block, then during reshape the\nchecking of 'writepos' that is caculated by old reshape position will\nfail.\n\nFix this panic the easy way first, by converting the BUG_ON() to\nWARN_ON(), and stop the reshape if checkings fail.\n\nNoted that mdadm must fix --revert-shape as well, and probably md/raid\nshould enhance metadata validation as well, however this means\nreassemble will fail and there must be user tools to fix the wrong\nmetadata.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-43914\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-43914\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-43914\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-43914\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-43914\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/2c92f8c1c456d556f15cbf51667b385026b2e6a0\",\n \"https://git.kernel.org/stable/c/305a5170dc5cf3d395bb4c4e9239bca6d0b54b49\",\n \"https://git.kernel.org/stable/c/3b33740c1750a39e046339ff9240e954f0156707\",\n \"https://git.kernel.org/stable/c/4811d6e5d9f4090c3e0ff9890eb24077108046ab\",\n \"https://git.kernel.org/stable/c/6b33c468d543f6a83de2d61f09fec74b27e19fd2\",\n \"https://git.kernel.org/stable/c/775a9ba16c9ffe98fe54ebf14e55d5660f2bf600\",\n \"https://git.kernel.org/stable/c/bf0ff69a42a3d2d46876d0514ecf13dffc516666\",\n \"https://git.kernel.org/stable/c/c384dd4f1fb3b14a2fd199360701cc163ea88705\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd/raid5: avoid BUG_ON() while continue reshape after reassembling\\n\\nCurrently, mdadm support --revert-reshape to abort the reshape while\\nreassembling, as the test 07revert-grow. However, following BUG_ON()\\ncan be triggerred by the test:\\n\\nkernel BUG at drivers/md/raid5.c:6278!\\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\\nirq event stamp: 158985\\nCPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94\\nRIP: 0010:reshape_request+0x3f1/0xe60\\nCall Trace:\\n \\n raid5_sync_request+0x43d/0x550\\n md_do_sync+0xb7a/0x2110\\n md_thread+0x294/0x2b0\\n kthread+0x147/0x1c0\\n ret_from_fork+0x59/0x70\\n ret_from_fork_asm+0x1a/0x30\\n \\n\\nRoot cause is that --revert-reshape update the raid_disks from 5 to 4,\\nwhile reshape position is still set, and after reassembling the array,\\nreshape position will be read from super block, then during reshape the\\nchecking of 'writepos' that is caculated by old reshape position will\\nfail.\\n\\nFix this panic the easy way first, by converting the BUG_ON() to\\nWARN_ON(), and stop the reshape if checkings fail.\\n\\nNoted that mdadm must fix --revert-shape as well, and probably md/raid\\nshould enhance metadata validation as well, however this means\\nreassemble will fail and there must be user tools to fix the wrong\\nmetadata.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-43914\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44931", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44931" + }, + { + "url": "https://git.kernel.org/stable/c/1b955f786a4bcde8c0ccb2b7d519def2acb6f3cc" + }, + { + "url": "https://git.kernel.org/stable/c/d776c0486b03a5c4afca65b8ff44573592bf93bb" + }, + { + "url": "https://git.kernel.org/stable/c/d795848ecce24a75dfd46481aee066ae6fe39775" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44931 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44931", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: prevent potential speculation leaks in gpio_device_get_desc()\n\nUserspace may trigger a speculative read of an address outside the gpio\ndescriptor array.\nUsers can do that by calling gpio_ioctl() with an offset out of range.\nOffset is copied from user and then used as an array index to get\nthe gpio descriptor without sanitization in gpio_device_get_desc().\n\nThis change ensures that the offset is sanitized by using\narray_index_nospec() to mitigate any possibility of speculative\ninformation leaks.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44931\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44931\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44931\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44931\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44931\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/1b955f786a4bcde8c0ccb2b7d519def2acb6f3cc\",\n \"https://git.kernel.org/stable/c/d776c0486b03a5c4afca65b8ff44573592bf93bb\",\n \"https://git.kernel.org/stable/c/d795848ecce24a75dfd46481aee066ae6fe39775\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpio: prevent potential speculation leaks in gpio_device_get_desc()\\n\\nUserspace may trigger a speculative read of an address outside the gpio\\ndescriptor array.\\nUsers can do that by calling gpio_ioctl() with an offset out of range.\\nOffset is copied from user and then used as an array index to get\\nthe gpio descriptor without sanitization in gpio_device_get_desc().\\n\\nThis change ensures that the offset is sanitized by using\\narray_index_nospec() to mitigate any possibility of speculative\\ninformation leaks.\\n\\nThis bug was discovered and resolved using Coverity Static Analysis\\nSecurity Testing (SAST) by Synopsys, Inc.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44931\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44934", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44934" + }, + { + "url": "https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f" + }, + { + "url": "https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f" + }, + { + "url": "https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078" + }, + { + "url": "https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658" + }, + { + "url": "https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44934 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44934", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mcast: wait for previous gc cycles when removing port\n\nsyzbot hit a use-after-free[1] which is caused because the bridge doesn't\nmake sure that all previous garbage has been collected when removing a\nport. What happens is:\n CPU 1 CPU 2\n start gc cycle remove port\n acquire gc lock first\n wait for lock\n call br_multicasg_gc() directly\n acquire lock now but free port\n the port can be freed\n while grp timers still\n running\n\nMake sure all previous gc cycles have finished by using flush_work before\nfreeing the port.\n\n[1]\n BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699\n\n CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n Call Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792\n expire_timers kernel/time/timer.c:1843 [inline]\n __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417\n __run_timer_base kernel/time/timer.c:2428 [inline]\n __run_timer_base kernel/time/timer.c:2421 [inline]\n run_timer_base+0x111/0x190 kernel/time/timer.c:2437", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44934\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44934\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44934\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44934\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44934\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f\",\n \"https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f\",\n \"https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078\",\n \"https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658\",\n \"https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: bridge: mcast: wait for previous gc cycles when removing port\\n\\nsyzbot hit a use-after-free[1] which is caused because the bridge doesn't\\nmake sure that all previous garbage has been collected when removing a\\nport. What happens is:\\n CPU 1 CPU 2\\n start gc cycle remove port\\n acquire gc lock first\\n wait for lock\\n call br_multicasg_gc() directly\\n acquire lock now but free port\\n the port can be freed\\n while grp timers still\\n running\\n\\nMake sure all previous gc cycles have finished by using flush_work before\\nfreeing the port.\\n\\n[1]\\n BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\\n Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699\\n\\n CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0\\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\\n Call Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0xc3/0x620 mm/kasan/report.c:488\\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\\n br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\\n call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792\\n expire_timers kernel/time/timer.c:1843 [inline]\\n __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417\\n __run_timer_base kernel/time/timer.c:2428 [inline]\\n __run_timer_base kernel/time/timer.c:2421 [inline]\\n run_timer_base+0x111/0x190 kernel/time/timer.c:2437\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44934\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44935", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44935" + }, + { + "url": "https://git.kernel.org/stable/c/05e4a0fa248240efd99a539853e844f0f0a9e6a5" + }, + { + "url": "https://git.kernel.org/stable/c/1407be30fc17eff918a98e0a990c0e988f11dc84" + }, + { + "url": "https://git.kernel.org/stable/c/52319d9d2f522ed939af31af70f8c3a0f0f67e6c" + }, + { + "url": "https://git.kernel.org/stable/c/54b303d8f9702b8ab618c5032fae886b16356928" + }, + { + "url": "https://git.kernel.org/stable/c/9ab0faa7f9ffe31296dbb9bbe6f76c72c14eea18" + }, + { + "url": "https://git.kernel.org/stable/c/c9b3fc4f157867e858734e31022ebee8a24f0de7" + }, + { + "url": "https://git.kernel.org/stable/c/e809a84c802377ef61525a298a1ec1728759b913" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44935 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44935", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix null-ptr-deref in reuseport_add_sock().\n\nsyzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in\nreuseport_add_sock(). [0]\n\nThe repro first creates a listener with SO_REUSEPORT. Then, it creates\nanother listener on the same port and concurrently closes the first\nlistener.\n\nThe second listen() calls reuseport_add_sock() with the first listener as\nsk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently,\nbut the close() does clear it by reuseport_detach_sock().\n\nThe problem is SCTP does not properly synchronise reuseport_alloc(),\nreuseport_add_sock(), and reuseport_detach_sock().\n\nThe caller of reuseport_alloc() and reuseport_{add,detach}_sock() must\nprovide synchronisation for sockets that are classified into the same\nreuseport group.\n\nOtherwise, such sockets form multiple identical reuseport groups, and\nall groups except one would be silently dead.\n\n 1. Two sockets call listen() concurrently\n 2. No socket in the same group found in sctp_ep_hashtable[]\n 3. Two sockets call reuseport_alloc() and form two reuseport groups\n 4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives\n incoming packets\n\nAlso, the reported null-ptr-deref could occur.\n\nTCP/UDP guarantees that would not happen by holding the hash bucket lock.\n\nLet's apply the locking strategy to __sctp_hash_endpoint() and\n__sctp_unhash_endpoint().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024\nRIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350\nCode: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14\nRSP: 0018:ffffc9000b947c98 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012\nRBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385\nR10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0\nR13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n __sctp_hash_endpoint net/sctp/input.c:762 [inline]\n sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790\n sctp_listen_start net/sctp/socket.c:8570 [inline]\n sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625\n __sys_listen_socket net/socket.c:1883 [inline]\n __sys_listen+0x1b7/0x230 net/socket.c:1894\n __do_sys_listen net/socket.c:1902 [inline]\n __se_sys_listen net/socket.c:1900 [inline]\n __x64_sys_listen+0x5a/0x70 net/socket.c:1900\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f24e46039b9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032\nRAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9\nRDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004\nRBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0\nR10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c\nR13:\n---truncated---", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44935\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44935\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44935\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44935\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44935\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/05e4a0fa248240efd99a539853e844f0f0a9e6a5\",\n \"https://git.kernel.org/stable/c/1407be30fc17eff918a98e0a990c0e988f11dc84\",\n \"https://git.kernel.org/stable/c/52319d9d2f522ed939af31af70f8c3a0f0f67e6c\",\n \"https://git.kernel.org/stable/c/54b303d8f9702b8ab618c5032fae886b16356928\",\n \"https://git.kernel.org/stable/c/9ab0faa7f9ffe31296dbb9bbe6f76c72c14eea18\",\n \"https://git.kernel.org/stable/c/c9b3fc4f157867e858734e31022ebee8a24f0de7\",\n \"https://git.kernel.org/stable/c/e809a84c802377ef61525a298a1ec1728759b913\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsctp: Fix null-ptr-deref in reuseport_add_sock().\\n\\nsyzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in\\nreuseport_add_sock(). [0]\\n\\nThe repro first creates a listener with SO_REUSEPORT. Then, it creates\\nanother listener on the same port and concurrently closes the first\\nlistener.\\n\\nThe second listen() calls reuseport_add_sock() with the first listener as\\nsk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently,\\nbut the close() does clear it by reuseport_detach_sock().\\n\\nThe problem is SCTP does not properly synchronise reuseport_alloc(),\\nreuseport_add_sock(), and reuseport_detach_sock().\\n\\nThe caller of reuseport_alloc() and reuseport_{add,detach}_sock() must\\nprovide synchronisation for sockets that are classified into the same\\nreuseport group.\\n\\nOtherwise, such sockets form multiple identical reuseport groups, and\\nall groups except one would be silently dead.\\n\\n 1. Two sockets call listen() concurrently\\n 2. No socket in the same group found in sctp_ep_hashtable[]\\n 3. Two sockets call reuseport_alloc() and form two reuseport groups\\n 4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives\\n incoming packets\\n\\nAlso, the reported null-ptr-deref could occur.\\n\\nTCP/UDP guarantees that would not happen by holding the hash bucket lock.\\n\\nLet's apply the locking strategy to __sctp_hash_endpoint() and\\n__sctp_unhash_endpoint().\\n\\n[0]:\\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\\nCPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024\\nRIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350\\nCode: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14\\nRSP: 0018:ffffc9000b947c98 EFLAGS: 00010202\\nRAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000\\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012\\nRBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385\\nR10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0\\nR13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000\\nFS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \\n __sctp_hash_endpoint net/sctp/input.c:762 [inline]\\n sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790\\n sctp_listen_start net/sctp/socket.c:8570 [inline]\\n sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625\\n __sys_listen_socket net/socket.c:1883 [inline]\\n __sys_listen+0x1b7/0x230 net/socket.c:1894\\n __do_sys_listen net/socket.c:1902 [inline]\\n __se_sys_listen net/socket.c:1900 [inline]\\n __x64_sys_listen+0x5a/0x70 net/socket.c:1900\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7f24e46039b9\\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032\\nRAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9\\nRDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004\\nRBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0\\nR10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c\\nR13:\\n---truncated---\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\n \"metrics\": {\n \"baseScore\": 5.5,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 3.6\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44935\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44938", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44938" + }, + { + "url": "https://git.kernel.org/stable/c/234e6ea0855cdb5673d54ecaf7dc5c78f3e84630" + }, + { + "url": "https://git.kernel.org/stable/c/7063b80268e2593e58bee8a8d709c2f3ff93e2f2" + }, + { + "url": "https://git.kernel.org/stable/c/f650148b43949ca9e37e820804bb6026fff404f3" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44938 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44938", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix shift-out-of-bounds in dbDiscardAG\n\nWhen searching for the next smaller log2 block, BLKSTOL2() returned 0,\ncausing shift exponent -1 to be negative.\n\nThis patch fixes the issue by exiting the loop directly when negative\nshift is found.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44938\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44938\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44938\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44938\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44938\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/234e6ea0855cdb5673d54ecaf7dc5c78f3e84630\",\n \"https://git.kernel.org/stable/c/7063b80268e2593e58bee8a8d709c2f3ff93e2f2\",\n \"https://git.kernel.org/stable/c/f650148b43949ca9e37e820804bb6026fff404f3\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: Fix shift-out-of-bounds in dbDiscardAG\\n\\nWhen searching for the next smaller log2 block, BLKSTOL2() returned 0,\\ncausing shift exponent -1 to be negative.\\n\\nThis patch fixes the issue by exiting the loop directly when negative\\nshift is found.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44938\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44939", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44939" + }, + { + "url": "https://git.kernel.org/stable/c/6ea10dbb1e6c58384136e9adfd75f81951e423f6" + }, + { + "url": "https://git.kernel.org/stable/c/9c2ac38530d1a3ee558834dfa16c85a40fd0e702" + }, + { + "url": "https://git.kernel.org/stable/c/ce6dede912f064a855acf6f04a04cbb2c25b8c8c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44939 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44939", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix null ptr deref in dtInsertEntry\n\n[syzbot reported]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713\n...\n[Analyze]\nIn dtInsertEntry(), when the pointer h has the same value as p, after writing\nname in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the\npreviously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing\nthe name operation, this leads to entering an incorrect branch and accessing the\nuninitialized object ih when judging this condition for the second time.\n\n[Fix]\nAfter got the page, check freelist first, if freelist == 0 then exit dtInsert()\nand return -EINVAL.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44939\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44939\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44939\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44939\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44939\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/6ea10dbb1e6c58384136e9adfd75f81951e423f6\",\n \"https://git.kernel.org/stable/c/9c2ac38530d1a3ee558834dfa16c85a40fd0e702\",\n \"https://git.kernel.org/stable/c/ce6dede912f064a855acf6f04a04cbb2c25b8c8c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\njfs: fix null ptr deref in dtInsertEntry\\n\\n[syzbot reported]\\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\\nCPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nRIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713\\n...\\n[Analyze]\\nIn dtInsertEntry(), when the pointer h has the same value as p, after writing\\nname in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the\\npreviously true judgment \\\"p->header.flag & BT-LEAF\\\" to change to no after writing\\nthe name operation, this leads to entering an incorrect branch and accessing the\\nuninitialized object ih when judging this condition for the second time.\\n\\n[Fix]\\nAfter got the page, check freelist first, if freelist == 0 then exit dtInsert()\\nand return -EINVAL.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44939\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44940", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44940" + }, + { + "url": "https://git.kernel.org/stable/c/3db4395332e7050ef9ddeb3052e6b5019f2a2a59" + }, + { + "url": "https://git.kernel.org/stable/c/440ab7f97261bc28501636a13998e1b1946d2e79" + }, + { + "url": "https://git.kernel.org/stable/c/dd89a81d850fa9a65f67b4527c0e420d15bf836c" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44940 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44940", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: remove warn in gue_gro_receive on unsupported protocol\n\nDrop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is\nnot known or does not have a GRO handler.\n\nSuch a packet is easily constructed. Syzbot generates them and sets\noff this warning.\n\nRemove the warning as it is expected and not actionable.\n\nThe warning was previously reduced from WARN_ON to WARN_ON_ONCE in\ncommit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad\nproto callbacks\").", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44940\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44940\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44940\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44940\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44940\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/3db4395332e7050ef9ddeb3052e6b5019f2a2a59\",\n \"https://git.kernel.org/stable/c/440ab7f97261bc28501636a13998e1b1946d2e79\",\n \"https://git.kernel.org/stable/c/dd89a81d850fa9a65f67b4527c0e420d15bf836c\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfou: remove warn in gue_gro_receive on unsupported protocol\\n\\nDrop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is\\nnot known or does not have a GRO handler.\\n\\nSuch a packet is easily constructed. Syzbot generates them and sets\\noff this warning.\\n\\nRemove the warning as it is expected and not actionable.\\n\\nThe warning was previously reduced from WARN_ON to WARN_ON_ONCE in\\ncommit 270136613bf7 (\\\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad\\nproto callbacks\\\").\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44940\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44941", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44941" + }, + { + "url": "https://git.kernel.org/stable/c/263df78166d3a9609b97d28c34029bd01874cbb8" + }, + { + "url": "https://git.kernel.org/stable/c/323ef20b5558b9d9fd10c1224327af6f11a8177d" + }, + { + "url": "https://git.kernel.org/stable/c/d7409b05a64f212735f0d33f5f1602051a886eab" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44941 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44941", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to cover read extent cache access with lock\n\nsyzbot reports a f2fs bug as below:\n\nBUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\nRead of size 4 at addr ffff8880739ab220 by task syz-executor200/5097\n\nCPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\n do_read_inode fs/f2fs/inode.c:509 [inline]\n f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560\n f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237\n generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413\n exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444\n exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584\n do_handle_to_path fs/fhandle.c:155 [inline]\n handle_to_path fs/fhandle.c:210 [inline]\n do_handle_open+0x495/0x650 fs/fhandle.c:226\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWe missed to cover sanity_check_extent_cache() w/ extent cache lock,\nso, below race case may happen, result in use after free issue.\n\n- f2fs_iget\n - do_read_inode\n - f2fs_init_read_extent_tree\n : add largest extent entry in to cache\n\t\t\t\t\t- shrink\n\t\t\t\t\t - f2fs_shrink_read_extent_tree\n\t\t\t\t\t - __shrink_extent_tree\n\t\t\t\t\t - __detach_extent_node\n\t\t\t\t\t : drop largest extent entry\n - sanity_check_extent_cache\n : access et->largest w/o lock\n\nlet's refactor sanity_check_extent_cache() to avoid extent cache access\nand call it before f2fs_init_read_extent_tree() to fix this issue.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44941\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44941\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44941\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44941\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44941\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"Unknown\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/263df78166d3a9609b97d28c34029bd01874cbb8\",\n \"https://git.kernel.org/stable/c/323ef20b5558b9d9fd10c1224327af6f11a8177d\",\n \"https://git.kernel.org/stable/c/d7409b05a64f212735f0d33f5f1602051a886eab\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to cover read extent cache access with lock\\n\\nsyzbot reports a f2fs bug as below:\\n\\nBUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\\nRead of size 4 at addr ffff8880739ab220 by task syz-executor200/5097\\n\\nCPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\\nCall Trace:\\n \\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\\n do_read_inode fs/f2fs/inode.c:509 [inline]\\n f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560\\n f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237\\n generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413\\n exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444\\n exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584\\n do_handle_to_path fs/fhandle.c:155 [inline]\\n handle_to_path fs/fhandle.c:210 [inline]\\n do_handle_open+0x495/0x650 fs/fhandle.c:226\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nWe missed to cover sanity_check_extent_cache() w/ extent cache lock,\\nso, below race case may happen, result in use after free issue.\\n\\n- f2fs_iget\\n - do_read_inode\\n - f2fs_init_read_extent_tree\\n : add largest extent entry in to cache\\n\\t\\t\\t\\t\\t- shrink\\n\\t\\t\\t\\t\\t - f2fs_shrink_read_extent_tree\\n\\t\\t\\t\\t\\t - __shrink_extent_tree\\n\\t\\t\\t\\t\\t - __detach_extent_node\\n\\t\\t\\t\\t\\t : drop largest extent entry\\n - sanity_check_extent_cache\\n : access et->largest w/o lock\\n\\nlet's refactor sanity_check_extent_cache() to avoid extent cache access\\nand call it before f2fs_init_read_extent_tree() to fix this issue.\",\n \"cvss\": []\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44941\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + }, + { + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "cveid": "CVE-2024-44942", + "severity": "Medium" + }, + "descriptions": [ + { + "data": "vulnerability is not known to be fixed in any versions", + "label": "fix" + }, + { + "data": "undefined", + "label": "check" + } + ], + "refs": [ + { + "url": "https://ubuntu.com/security/CVE-2024-44942" + }, + { + "url": "https://git.kernel.org/stable/c/26c07775fb5dc74351d1c3a2bc3cdf609b03e49f" + }, + { + "url": "https://git.kernel.org/stable/c/ae00e6536a2dd54b64b39e9a39548870cf835745" + }, + { + "url": "https://git.kernel.org/stable/c/fc01008c92f40015aeeced94750855a7111b6929" + } + ], + "source_location": {}, + "title": "Grype found a vulnerability to CVE-2024-44942 in tensorflow/tensorflow:latest", + "id": "Grype-Ignored-Match/CVE-2024-44942", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC\n\nsyzbot reports a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/inline.c:258!\nCPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0\nRIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258\nCall Trace:\n f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834\n f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline]\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315\n do_writepages+0x35b/0x870 mm/page-writeback.c:2612\n __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650\n writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941\n wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117\n wb_do_writeback fs/fs-writeback.c:2264 [inline]\n wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335\n worker_thread+0x86d/0xd70 kernel/workqueue.c:3416\n kthread+0x2f2/0x390 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nThe root cause is: inline_data inode can be fuzzed, so that there may\nbe valid blkaddr in its direct node, once f2fs triggers background GC\nto migrate the block, it will hit f2fs_bug_on() during dirty page\nwriteback.\n\nLet's add sanity check on F2FS_INLINE_DATA flag in inode during GC,\nso that, it can forbid migrating inline_data inode's data block for\nfixing.", + "impact": 0, + "code": "{\n \"vulnerability\": {\n \"id\": \"CVE-2024-44942\",\n \"dataSource\": \"https://ubuntu.com/security/CVE-2024-44942\",\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"severity\": \"Medium\",\n \"urls\": [\n \"https://ubuntu.com/security/CVE-2024-44942\"\n ],\n \"cvss\": [],\n \"fix\": {\n \"versions\": [],\n \"state\": \"not-fixed\"\n },\n \"advisories\": []\n },\n \"relatedVulnerabilities\": [\n {\n \"id\": \"CVE-2024-44942\",\n \"dataSource\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-44942\",\n \"namespace\": \"nvd:cpe\",\n \"severity\": \"High\",\n \"urls\": [\n \"https://git.kernel.org/stable/c/26c07775fb5dc74351d1c3a2bc3cdf609b03e49f\",\n \"https://git.kernel.org/stable/c/ae00e6536a2dd54b64b39e9a39548870cf835745\",\n \"https://git.kernel.org/stable/c/fc01008c92f40015aeeced94750855a7111b6929\"\n ],\n \"description\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC\\n\\nsyzbot reports a f2fs bug as below:\\n\\n------------[ cut here ]------------\\nkernel BUG at fs/f2fs/inline.c:258!\\nCPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0\\nRIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258\\nCall Trace:\\n f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834\\n f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline]\\n __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline]\\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315\\n do_writepages+0x35b/0x870 mm/page-writeback.c:2612\\n __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650\\n writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941\\n wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117\\n wb_do_writeback fs/fs-writeback.c:2264 [inline]\\n wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304\\n process_one_work kernel/workqueue.c:3254 [inline]\\n process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335\\n worker_thread+0x86d/0xd70 kernel/workqueue.c:3416\\n kthread+0x2f2/0x390 kernel/kthread.c:388\\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n\\nThe root cause is: inline_data inode can be fuzzed, so that there may\\nbe valid blkaddr in its direct node, once f2fs triggers background GC\\nto migrate the block, it will hit f2fs_bug_on() during dirty page\\nwriteback.\\n\\nLet's add sanity check on F2FS_INLINE_DATA flag in inode during GC,\\nso that, it can forbid migrating inline_data inode's data block for\\nfixing.\",\n \"cvss\": [\n {\n \"source\": \"nvd@nist.gov\",\n \"type\": \"Primary\",\n \"version\": \"3.1\",\n \"vector\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\n \"metrics\": {\n \"baseScore\": 7.8,\n \"exploitabilityScore\": 1.8,\n \"impactScore\": 5.9\n },\n \"vendorMetadata\": {}\n }\n ]\n }\n ]\n}", + "results": [ + { + "status": "failed", + "code_desc": "[\n {\n \"type\": \"exact-indirect-match\",\n \"matcher\": \"dpkg-matcher\",\n \"searchedBy\": {\n \"distro\": {\n \"type\": \"ubuntu\",\n \"version\": \"22.04\"\n },\n \"namespace\": \"ubuntu:distro:ubuntu:22.04\",\n \"package\": {\n \"name\": \"linux\",\n \"version\": \"5.15.0-113.123\"\n }\n },\n \"found\": {\n \"versionConstraint\": \"none (deb)\",\n \"vulnerabilityID\": \"CVE-2024-44942\"\n }\n }\n]", + "message": "This finding is ignored due to the following applied ignored rules:\n[\n {\n \"package\": {\n \"name\": \"linux-libc-dev\",\n \"type\": \"deb\",\n \"upstream-name\": \"linux\"\n },\n \"match-type\": \"exact-indirect-match\"\n }\n]\nArtifact Information:\n{\n \"id\": \"ae4822e3cd5a96ea\",\n \"name\": \"linux-libc-dev\",\n \"version\": \"5.15.0-113.123\",\n \"type\": \"deb\",\n \"locations\": [\n {\n \"path\": \"/usr/share/doc/linux-libc-dev/copyright\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums\",\n \"layerID\": \"sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869\"\n },\n {\n \"path\": \"/var/lib/dpkg/status\",\n \"layerID\": \"sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86\"\n }\n ],\n \"language\": \"\",\n \"licenses\": [\n \"GPL-2\"\n ],\n \"cpes\": [\n \"cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*\",\n \"cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*\"\n ],\n \"purl\": \"pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04\",\n \"upstreams\": [\n {\n \"name\": \"linux\"\n }\n ]\n}", + "start_time": "2024-08-29T13:31:15.474449-04:00" + } + ] + } + ], + "sha256": "8ee3cf4d2e5c92c36501d4c503c7261131e5dbfe6d6da95f5e5d8e970d5136e0" + } + ], + "passthrough": { + "auxiliary_data": [ + { + "name": "", + "data": {} + } + ], + "raw": { + "wrapper": { + "matches": [ + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "2baa616d4a39d455", + "name": "binutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "2baa616d4a39d455", + "name": "binutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "2baa616d4a39d455", + "name": "binutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "2baa616d4a39d455", + "name": "binutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "2baa616d4a39d455", + "name": "binutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils:binutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils@2.38-4ubuntu2.6?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "63fdcfa2d3d7f050", + "name": "binutils-common", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-common:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "63fdcfa2d3d7f050", + "name": "binutils-common", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-common:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "63fdcfa2d3d7f050", + "name": "binutils-common", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-common:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "63fdcfa2d3d7f050", + "name": "binutils-common", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-common:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "63fdcfa2d3d7f050", + "name": "binutils-common", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-common:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_common:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-common:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_common:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-common@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "f1c65ff7effb20c8", + "name": "binutils-x86-64-linux-gnu", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "f1c65ff7effb20c8", + "name": "binutils-x86-64-linux-gnu", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "f1c65ff7effb20c8", + "name": "binutils-x86-64-linux-gnu", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "f1c65ff7effb20c8", + "name": "binutils-x86-64-linux-gnu", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "f1c65ff7effb20c8", + "name": "binutils-x86-64-linux-gnu", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/binutils-x86-64-linux-gnu.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux-gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux_gnu:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64-linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64_linux:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86-64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86_64:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils-x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils_x86:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils-x86-64-linux-gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:binutils:binutils_x86_64_linux_gnu:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/binutils-x86-64-linux-gnu@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2781", + "dataSource": "https://ubuntu.com/security/CVE-2016-2781", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2781" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2781", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2781", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/28/2", + "http://www.openwall.com/lists/oss-security/2016/02/28/3", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + ], + "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "coreutils", + "version": "8.32-4.1ubuntu1.2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2781" + } + } + ], + "artifact": { + "id": "ba31f56208da56da", + "name": "coreutils", + "version": "8.32-4.1ubuntu1.2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/coreutils/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/coreutils.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-3" + ], + "cpes": [ + "cpe:2.3:a:coreutils:coreutils:8.32-4.1ubuntu1.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1.2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "c933f77f391da70f", + "name": "cpp", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2020-13844", + "dataSource": "https://ubuntu.com/security/CVE-2020-13844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-13844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-13844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-13844", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions", + "https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html" + ], + "description": "Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \"straight-line speculation.\"", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-13844" + } + } + ], + "artifact": { + "id": "c933f77f391da70f", + "name": "cpp", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "c933f77f391da70f", + "name": "cpp", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-15847", + "dataSource": "https://ubuntu.com/security/CVE-2019-15847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2019-15847" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-15847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481" + ], + "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-15847" + } + } + ], + "artifact": { + "id": "c933f77f391da70f", + "name": "cpp", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:cpp:cpp:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "ec8dc9fd7bb4eba9", + "name": "cpp-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "ec8dc9fd7bb4eba9", + "name": "cpp-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "ec8dc9fd7bb4eba9", + "name": "cpp-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "ec8dc9fd7bb4eba9", + "name": "cpp-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/cpp-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:cpp-11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp-11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp_11:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:cpp:cpp_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/cpp-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7264", + "dataSource": "https://ubuntu.com/security/CVE-2024-7264", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7264" + ], + "cvss": [], + "fix": { + "versions": [ + "7.81.0-1ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7264", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7264", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/07/31/1", + "https://curl.se/docs/CVE-2024-7264.html", + "https://curl.se/docs/CVE-2024-7264.json", + "https://hackerone.com/reports/2629968" + ], + "description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "curl", + "version": "7.81.0-1ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 7.81.0-1ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-7264" + } + } + ], + "artifact": { + "id": "324465965a47402a", + "name": "curl", + "version": "7.81.0-1ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/curl/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/curl.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-Clause", + "BSD-4-Clause", + "ISC", + "curl", + "other", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:curl:curl:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-34969", + "dataSource": "https://ubuntu.com/security/CVE-2023-34969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-34969" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-34969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-34969", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gitlab.freedesktop.org/dbus/dbus/-/issues/457", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/", + "https://security.netapp.com/advisory/ntap-20231208-0007/" + ], + "description": "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "dbus", + "version": "1.12.20-2ubuntu4.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-34969" + } + } + ], + "artifact": { + "id": "60da06608335c6e9", + "name": "dbus", + "version": "1.12.20-2ubuntu4.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/dbus/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/dbus.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/dbus.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "AFL-2.1", + "BSD-3-clause", + "BSD-3-clause-generic", + "Expat", + "GPL-2", + "GPL-2+", + "Tcl-BSDish", + "g10-permissive" + ], + "cpes": [ + "cpe:2.3:a:dbus:dbus:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/dbus@1.12.20-2ubuntu4.1?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "efa651c03e29c607", + "name": "dirmngr", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/dirmngr/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/dirmngr.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:dirmngr:dirmngr:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/dirmngr@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "991685e1bc259ed8", + "name": "g++", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2020-13844", + "dataSource": "https://ubuntu.com/security/CVE-2020-13844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-13844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-13844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-13844", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions", + "https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html" + ], + "description": "Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \"straight-line speculation.\"", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-13844" + } + } + ], + "artifact": { + "id": "991685e1bc259ed8", + "name": "g++", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "991685e1bc259ed8", + "name": "g++", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-15847", + "dataSource": "https://ubuntu.com/security/CVE-2019-15847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2019-15847" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-15847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481" + ], + "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-15847" + } + } + ], + "artifact": { + "id": "991685e1bc259ed8", + "name": "g++", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:g++:g++:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "4b5cc3dda3447fc9", + "name": "g++-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "4b5cc3dda3447fc9", + "name": "g++-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "4b5cc3dda3447fc9", + "name": "g++-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "4b5cc3dda3447fc9", + "name": "g++-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/g++-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:g++-11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++-11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++_11:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:g++:g++_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/g%2B%2B-11@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "343d7434c8c334f5", + "name": "gcc", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2020-13844", + "dataSource": "https://ubuntu.com/security/CVE-2020-13844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-13844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-13844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-13844", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation", + "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions", + "https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html" + ], + "description": "Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \"straight-line speculation.\"", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-13844" + } + } + ], + "artifact": { + "id": "343d7434c8c334f5", + "name": "gcc", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "343d7434c8c334f5", + "name": "gcc", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-15847", + "dataSource": "https://ubuntu.com/security/CVE-2019-15847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2019-15847" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-15847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-15847", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481" + ], + "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-15847" + } + } + ], + "artifact": { + "id": "343d7434c8c334f5", + "name": "gcc", + "version": "4:11.2.0-1ubuntu1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/cpp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:gcc:gcc:4:11.2.0-1ubuntu1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc@4:11.2.0-1ubuntu1?arch=amd64&upstream=gcc-defaults%401.193ubuntu1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-defaults", + "version": "1.193ubuntu1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "b15bbd3cb5f12603", + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "b15bbd3cb5f12603", + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "b15bbd3cb5f12603", + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "b15bbd3cb5f12603", + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11@11.4.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "21bb5fd2d1b64d58", + "name": "gcc-11-base", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11-base:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "21bb5fd2d1b64d58", + "name": "gcc-11-base", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11-base:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "21bb5fd2d1b64d58", + "name": "gcc-11-base", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11-base:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "21bb5fd2d1b64d58", + "name": "gcc-11-base", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gcc-11-base:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-11-base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11-base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11_base:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_11:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-11-base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_11_base:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-11-base@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "0d7332e43f485d8d", + "name": "gcc-12-base", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/gcc-12-base:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-12-base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12-base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12_base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12_base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "0d7332e43f485d8d", + "name": "gcc-12-base", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/gcc-12-base:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:gcc-12-base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12-base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12_base:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12_base:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc-12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc_12:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc-12-base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:gcc:gcc_12_base:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gcc-12-base@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0217", + "dataSource": "https://ubuntu.com/security/CVE-2024-0217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0217", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2024-0217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2256624", + "https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79" + ], + "description": "A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0217" + } + } + ], + "artifact": { + "id": "3e0695ea8a15e043", + "name": "gir1.2-packagekitglib-1.0", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gir1.2-packagekitglib-1.0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gir1.2-packagekitglib-1.0.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gir1.2-packagekitglib-1.0@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "packagekit" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-0987", + "dataSource": "https://ubuntu.com/security/CVE-2022-0987", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0987" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0987", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0987", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2064315" + ], + "description": "A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0987" + } + } + ], + "artifact": { + "id": "3e0695ea8a15e043", + "name": "gir1.2-packagekitglib-1.0", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gir1.2-packagekitglib-1.0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/gir1.2-packagekitglib-1.0.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib-1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib_1.0:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2-packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2_packagekitglib:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2:gir1.2-packagekitglib-1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:gir1.2:gir1.2_packagekitglib_1.0:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gir1.2-packagekitglib-1.0@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "packagekit" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "1d53afeb1b2bed73", + "name": "gnupg", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gnupg/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gnupg.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gnupg:gnupg:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gnupg@2.2.27-3ubuntu2.1?arch=all&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "50e44f27e2b0c800", + "name": "gnupg-l10n", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gnupg-l10n/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gnupg-l10n.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gnupg-l10n:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg-l10n:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg_l10n:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg_l10n:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg:gnupg-l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg:gnupg_l10n:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gnupg-l10n@2.2.27-3ubuntu2.1?arch=all&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "1d0ecf2cdf605099", + "name": "gnupg-utils", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gnupg-utils/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gnupg-utils.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gnupg-utils:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg-utils:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg_utils:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg_utils:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg:gnupg-utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gnupg:gnupg_utils:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gnupg-utils@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "22ea11b15ccb9d9a", + "name": "gpg", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpg/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpg.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpg:gpg:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpg@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "6b1172046efd6589", + "name": "gpg-agent", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpg-agent/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpg-agent.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpg-agent.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpg-agent:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-agent:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_agent:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_agent:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg-agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg_agent:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpg-agent@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "165b537d3990d094", + "name": "gpg-wks-client", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpg-wks-client/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpg-wks-client.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpg-wks-client:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks-client:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks_client:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks_client:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg-wks-client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg_wks_client:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpg-wks-client@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "89c2406ff86aa601", + "name": "gpg-wks-server", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpg-wks-server/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpg-wks-server.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpg-wks-server:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks-server:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks_server:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks_server:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg-wks:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg_wks:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg-wks-server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*", + "cpe:2.3:a:gpg:gpg_wks_server:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpg-wks-server@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "775f261341147b3c", + "name": "gpgconf", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpgconf/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpgconf.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpgconf:gpgconf:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpgconf@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "5e764c44f36dd32a", + "name": "gpgsm", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpgsm/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/gpgsm.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpgsm:gpgsm:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpgsm@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-3219", + "dataSource": "https://ubuntu.com/security/CVE-2022-3219", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3219" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3219", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-3219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", + "https://dev.gnupg.org/D556", + "https://dev.gnupg.org/T5993", + "https://marc.info/?l=oss-security&m=165696590211434&w=4", + "https://security.netapp.com/advisory/ntap-20230324-0001/" + ], + "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gnupg2", + "version": "2.2.27-3ubuntu2.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3219" + } + } + ], + "artifact": { + "id": "9b32ff71df8828aa", + "name": "gpgv", + "version": "2.2.27-3ubuntu2.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gpgv/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/gpgv.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "CC0-1.0", + "Expat", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-3", + "LGPL-3+", + "RFC-Reference", + "TinySCHEME", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:gpgv:gpgv:2.2.27-3ubuntu2.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/gpgv@2.2.27-3ubuntu2.1?arch=amd64&upstream=gnupg2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gnupg2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-1585", + "dataSource": "https://ubuntu.com/security/CVE-2016-1585", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2016-1585" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-1585", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-1585", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://bugs.launchpad.net/apparmor/+bug/1597017", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + ], + "description": "In all versions of AppArmor mount rules are accidentally widened when compiled.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "security@ubuntu.com", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 3.9, + "exploitabilityScore": 0.5, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "apparmor", + "version": "3.0.4-2ubuntu2.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-1585" + } + } + ], + "artifact": { + "id": "20b7d6a703b1cdb0", + "name": "libapparmor1", + "version": "3.0.4-2ubuntu2.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libapparmor1/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libapparmor1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:libapparmor1:libapparmor1:3.0.4-2ubuntu2.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libapparmor1@3.0.4-2ubuntu2.3?arch=amd64&upstream=apparmor&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "apparmor" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "56ea2975ec405acb", + "name": "libasan6", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libasan6:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "56ea2975ec405acb", + "name": "libasan6", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libasan6:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "56ea2975ec405acb", + "name": "libasan6", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libasan6:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "56ea2975ec405acb", + "name": "libasan6", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libasan6:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libasan6:libasan6:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libasan6@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "816f5e3fe2b8694c", + "name": "libatomic1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libatomic1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libatomic1:libatomic1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libatomic1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "816f5e3fe2b8694c", + "name": "libatomic1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libatomic1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libatomic1:libatomic1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libatomic1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "e1318293ffeacaf0", + "name": "libbinutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libbinutils:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "e1318293ffeacaf0", + "name": "libbinutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libbinutils:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "e1318293ffeacaf0", + "name": "libbinutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libbinutils:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "e1318293ffeacaf0", + "name": "libbinutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libbinutils:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "e1318293ffeacaf0", + "name": "libbinutils", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libbinutils:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libbinutils:libbinutils:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libbinutils@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-20013", + "dataSource": "https://ubuntu.com/security/CVE-2016-20013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2016-20013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-20013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-20013", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://akkadia.org/drepper/SHA-crypt.txt", + "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/", + "https://twitter.com/solardiz/status/795601240151457793" + ], + "description": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "glibc", + "version": "2.35-0ubuntu3.8" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-20013" + } + } + ], + "artifact": { + "id": "534613922e3db6d7", + "name": "libc-bin", + "version": "2.35-0ubuntu3.8", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libc-bin/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libc-bin.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libc-bin.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.3", + "GPL-2", + "LGPL-2.1" + ], + "cpes": [ + "cpe:2.3:a:libc-bin:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc-bin:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_bin:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_bin:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc:libc-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc:libc_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libc-bin@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "glibc" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-20013", + "dataSource": "https://ubuntu.com/security/CVE-2016-20013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2016-20013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-20013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-20013", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://akkadia.org/drepper/SHA-crypt.txt", + "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/", + "https://twitter.com/solardiz/status/795601240151457793" + ], + "description": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "glibc", + "version": "2.35-0ubuntu3.8" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-20013" + } + } + ], + "artifact": { + "id": "57746bb623c8ca26", + "name": "libc-dev-bin", + "version": "2.35-0ubuntu3.8", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libc-dev-bin/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libc-dev-bin.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.3", + "GPL-2", + "LGPL-2.1" + ], + "cpes": [ + "cpe:2.3:a:libc-dev-bin:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc-dev-bin:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_dev_bin:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_dev_bin:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc-dev:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc-dev:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_dev:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc_dev:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc:libc-dev-bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc:libc_dev_bin:2.35-0ubuntu3.8:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libc-dev-bin@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "glibc" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-20013", + "dataSource": "https://ubuntu.com/security/CVE-2016-20013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2016-20013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-20013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-20013", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://akkadia.org/drepper/SHA-crypt.txt", + "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/", + "https://twitter.com/solardiz/status/795601240151457793" + ], + "description": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "glibc", + "version": "2.35-0ubuntu3.8" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-20013" + } + } + ], + "artifact": { + "id": "cde0d63aef474648", + "name": "libc6", + "version": "2.35-0ubuntu3.8", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libc6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libc6:amd64.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libc6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.3", + "GPL-2", + "LGPL-2.1" + ], + "cpes": [ + "cpe:2.3:a:libc6:libc6:2.35-0ubuntu3.8:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "glibc" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-20013", + "dataSource": "https://ubuntu.com/security/CVE-2016-20013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2016-20013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-20013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-20013", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://akkadia.org/drepper/SHA-crypt.txt", + "https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/", + "https://twitter.com/solardiz/status/795601240151457793" + ], + "description": "sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "glibc", + "version": "2.35-0ubuntu3.8" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-20013" + } + } + ], + "artifact": { + "id": "ce5bb87ce346e38b", + "name": "libc6-dev", + "version": "2.35-0ubuntu3.8", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libc6-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libc6-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.3", + "GPL-2", + "LGPL-2.1" + ], + "cpes": [ + "cpe:2.3:a:libc6-dev:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc6-dev:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc6_dev:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc6_dev:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc6:libc6-dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*", + "cpe:2.3:a:libc6:libc6_dev:2.35-0ubuntu3.8:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libc6-dev@2.35-0ubuntu3.8?arch=amd64&upstream=glibc&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "glibc" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "a69323dca274b473", + "name": "libcc1-0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libcc1-0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libcc1-0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1-0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1_0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1_0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libcc1-0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "a69323dca274b473", + "name": "libcc1-0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libcc1-0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libcc1-0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1-0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1_0:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1_0:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1:libcc1-0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libcc1:libcc1_0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libcc1-0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "f60f0b441039170a", + "name": "libctf-nobfd0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libctf-nobfd0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "f60f0b441039170a", + "name": "libctf-nobfd0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libctf-nobfd0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "f60f0b441039170a", + "name": "libctf-nobfd0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libctf-nobfd0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "f60f0b441039170a", + "name": "libctf-nobfd0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libctf-nobfd0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "f60f0b441039170a", + "name": "libctf-nobfd0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libctf-nobfd0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf-nobfd0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf-nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf-nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf_nobfd0:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf-nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*", + "cpe:2.3:a:libctf:libctf_nobfd0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf-nobfd0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "090aac7e6312e1a4", + "name": "libctf0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2019-1010204", + "dataSource": "https://ubuntu.com/security/CVE-2019-1010204", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-1010204" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-1010204", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010204", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "https://support.f5.com/csp/article/K05032915?utm_source=f5support&%3Butm_medium=RSS" + ], + "description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-1010204" + } + } + ], + "artifact": { + "id": "090aac7e6312e1a4", + "name": "libctf0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-13716", + "dataSource": "https://ubuntu.com/security/CVE-2017-13716", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13716" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13716", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13716", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ], + "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 8.6, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13716" + } + } + ], + "artifact": { + "id": "090aac7e6312e1a4", + "name": "libctf0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-48064", + "dataSource": "https://ubuntu.com/security/CVE-2022-48064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XKYUAIORNQ32IZUOZFURECZKEXOHX7Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSUNHSOWWLLNGHRM5TUBNCJHEYHPDX2M/", + "https://security.netapp.com/advisory/ntap-20231006-0008/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=29922", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=8f2c64de86bc3d7556121fe296dd679000283931" + ], + "description": "GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48064" + } + } + ], + "artifact": { + "id": "090aac7e6312e1a4", + "name": "libctf0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2018-20657", + "dataSource": "https://ubuntu.com/security/CVE-2018-20657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-20657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-20657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20657", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ], + "description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "binutils", + "version": "2.38-4ubuntu2.6" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-20657" + } + } + ], + "artifact": { + "id": "090aac7e6312e1a4", + "name": "libctf0", + "version": "2.38-4ubuntu2.6", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/binutils-common/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libctf0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL", + "GPL", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libctf0:libctf0:2.38-4ubuntu2.6:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libctf0@2.38-4ubuntu2.6?arch=amd64&upstream=binutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "binutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7264", + "dataSource": "https://ubuntu.com/security/CVE-2024-7264", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7264" + ], + "cvss": [], + "fix": { + "versions": [ + "7.81.0-1ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7264", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7264", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/07/31/1", + "https://curl.se/docs/CVE-2024-7264.html", + "https://curl.se/docs/CVE-2024-7264.json", + "https://hackerone.com/reports/2629968" + ], + "description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "curl", + "version": "7.81.0-1ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 7.81.0-1ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-7264" + } + } + ], + "artifact": { + "id": "b4d74f55020f24c9", + "name": "libcurl3-gnutls", + "version": "7.81.0-1ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libcurl3-gnutls/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libcurl3-gnutls:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-Clause", + "BSD-4-Clause", + "ISC", + "curl", + "other", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:libcurl3-gnutls:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl3-gnutls:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl3_gnutls:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl3_gnutls:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl3:libcurl3-gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl3:libcurl3_gnutls:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libcurl3-gnutls@7.81.0-1ubuntu1.16?arch=amd64&upstream=curl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "curl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7264", + "dataSource": "https://ubuntu.com/security/CVE-2024-7264", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7264" + ], + "cvss": [], + "fix": { + "versions": [ + "7.81.0-1ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7264", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7264", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/07/31/1", + "https://curl.se/docs/CVE-2024-7264.html", + "https://curl.se/docs/CVE-2024-7264.json", + "https://hackerone.com/reports/2629968" + ], + "description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "curl", + "version": "7.81.0-1ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 7.81.0-1ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-7264" + } + } + ], + "artifact": { + "id": "52b4ac2b67a9ecd2", + "name": "libcurl4", + "version": "7.81.0-1ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libcurl4/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libcurl4:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-Clause", + "BSD-4-Clause", + "ISC", + "curl", + "other", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:libcurl4:libcurl4:7.81.0-1ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libcurl4@7.81.0-1ubuntu1.16?arch=amd64&upstream=curl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "curl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-34969", + "dataSource": "https://ubuntu.com/security/CVE-2023-34969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-34969" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-34969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-34969", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gitlab.freedesktop.org/dbus/dbus/-/issues/457", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/", + "https://security.netapp.com/advisory/ntap-20231208-0007/" + ], + "description": "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "dbus", + "version": "1.12.20-2ubuntu4.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-34969" + } + } + ], + "artifact": { + "id": "0c67a21e65bd16ee", + "name": "libdbus-1-3", + "version": "1.12.20-2ubuntu4.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libdbus-1-3/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libdbus-1-3:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "AFL-2.1", + "BSD-3-clause", + "BSD-3-clause-generic", + "Expat", + "GPL-2", + "GPL-2+", + "Tcl-BSDish", + "g10-permissive" + ], + "cpes": [ + "cpe:2.3:a:libdbus-1-3:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus-1-3:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus_1_3:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus_1_3:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus-1:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus-1:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus_1:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus_1:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus:libdbus-1-3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libdbus:libdbus_1_3:1.12.20-2ubuntu4.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libdbus-1-3@1.12.20-2ubuntu4.1?arch=amd64&upstream=dbus&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "dbus" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-25260", + "dataSource": "https://ubuntu.com/security/CVE-2024-25260", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25260" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25260", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25260", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/schsiung/fuzzer_issues/issues/1", + "https://sourceware.org/bugzilla/show_bug.cgi?id=31058", + "https://sourceware.org/elfutils/" + ], + "description": "elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 4, + "exploitabilityScore": 2.5, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "elfutils", + "version": "0.186-1build1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25260" + } + } + ], + "artifact": { + "id": "84f06d819a7d441b", + "name": "libdw1", + "version": "0.186-1build1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libdw1/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libdw1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-3", + "LGPL-3" + ], + "cpes": [ + "cpe:2.3:a:libdw1:libdw1:0.186-1build1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libdw1@0.186-1build1?arch=amd64&upstream=elfutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "elfutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-25260", + "dataSource": "https://ubuntu.com/security/CVE-2024-25260", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25260" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25260", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25260", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/schsiung/fuzzer_issues/issues/1", + "https://sourceware.org/bugzilla/show_bug.cgi?id=31058", + "https://sourceware.org/elfutils/" + ], + "description": "elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 4, + "exploitabilityScore": 2.5, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "elfutils", + "version": "0.186-1build1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25260" + } + } + ], + "artifact": { + "id": "db43cdc9ed146fdf", + "name": "libelf1", + "version": "0.186-1build1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libelf1/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libelf1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-3", + "LGPL-3" + ], + "cpes": [ + "cpe:2.3:a:libelf1:libelf1:0.186-1build1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libelf1@0.186-1build1?arch=amd64&upstream=elfutils&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "elfutils" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "851df3c34e377555", + "name": "libgcc-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "851df3c34e377555", + "name": "libgcc-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "851df3c34e377555", + "name": "libgcc-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "851df3c34e377555", + "name": "libgcc-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libgcc-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-11-dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11-dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11_dev:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_11:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "e06d1fc320a8a1ac", + "name": "libgcc-s1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgcc-s1:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "e06d1fc320a8a1ac", + "name": "libgcc-s1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgcc-s1:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcc-s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc-s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_s1:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc_s1:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc-s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libgcc:libgcc_s1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcc-s1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-2236", + "dataSource": "https://ubuntu.com/security/CVE-2024-2236", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-2236" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-2236", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2236", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2024-2236", + "https://bugzilla.redhat.com/show_bug.cgi?id=2245218", + "https://bugzilla.redhat.com/show_bug.cgi?id=2268268" + ], + "description": "A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.", + "cvss": [ + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libgcrypt20", + "version": "1.9.4-3ubuntu3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-2236" + } + } + ], + "artifact": { + "id": "8bd34a8029c4772d", + "name": "libgcrypt20", + "version": "1.9.4-3ubuntu3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgcrypt20/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgcrypt20:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.9.4-3ubuntu3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "c8cf906bd8b6dcd3", + "name": "libgomp1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgomp1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgomp1:libgomp1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgomp1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "c8cf906bd8b6dcd3", + "name": "libgomp1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgomp1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libgomp1:libgomp1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgomp1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37371", + "dataSource": "https://ubuntu.com/security/CVE-2024-37371", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37371" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37371", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37371" + } + } + ], + "artifact": { + "id": "9ca0af3dda6de8e1", + "name": "libgssapi-krb5-2", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgssapi-krb5-2/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37370", + "dataSource": "https://ubuntu.com/security/CVE-2024-37370", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37370" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37370", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37370" + } + } + ], + "artifact": { + "id": "9ca0af3dda6de8e1", + "name": "libgssapi-krb5-2", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgssapi-krb5-2/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26462", + "dataSource": "https://ubuntu.com/security/CVE-2024-26462", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26462" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26462", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://security.netapp.com/advisory/ntap-20240415-0012/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26462" + } + } + ], + "artifact": { + "id": "9ca0af3dda6de8e1", + "name": "libgssapi-krb5-2", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgssapi-krb5-2/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26461", + "dataSource": "https://ubuntu.com/security/CVE-2024-26461", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26461" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26461", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://security.netapp.com/advisory/ntap-20240415-0011/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26461" + } + } + ], + "artifact": { + "id": "9ca0af3dda6de8e1", + "name": "libgssapi-krb5-2", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgssapi-krb5-2/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26458", + "dataSource": "https://ubuntu.com/security/CVE-2024-26458", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26458" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26458", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://security.netapp.com/advisory/ntap-20240415-0010/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26458" + } + } + ], + "artifact": { + "id": "9ca0af3dda6de8e1", + "name": "libgssapi-krb5-2", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libgssapi-krb5-2/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2020-0347", + "dataSource": "https://ubuntu.com/security/CVE-2020-0347", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2020-0347" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-0347", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-0347", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://source.android.com/security/bulletin/android-11" + ], + "description": "In iptables, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-136658008", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 3.9, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.7, + "exploitabilityScore": 0.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "iptables", + "version": "1.8.7-1ubuntu5.2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-0347" + } + } + ], + "artifact": { + "id": "6e9c18c8e88097db", + "name": "libip4tc2", + "version": "1.8.7-1ubuntu5.2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libip4tc2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libip4tc2:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GPL-2", + "GPL-2+", + "custom" + ], + "cpes": [ + "cpe:2.3:a:libip4tc2:libip4tc2:1.8.7-1ubuntu5.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libip4tc2@1.8.7-1ubuntu5.2?arch=amd64&upstream=iptables&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "iptables" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "3df6bfc8ac5188d7", + "name": "libitm1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libitm1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libitm1:libitm1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libitm1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "3df6bfc8ac5188d7", + "name": "libitm1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libitm1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libitm1:libitm1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libitm1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37371", + "dataSource": "https://ubuntu.com/security/CVE-2024-37371", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37371" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37371", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37371" + } + } + ], + "artifact": { + "id": "5b4458fd2a0b50fd", + "name": "libk5crypto3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libk5crypto3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37370", + "dataSource": "https://ubuntu.com/security/CVE-2024-37370", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37370" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37370", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37370" + } + } + ], + "artifact": { + "id": "5b4458fd2a0b50fd", + "name": "libk5crypto3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libk5crypto3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26462", + "dataSource": "https://ubuntu.com/security/CVE-2024-26462", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26462" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26462", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://security.netapp.com/advisory/ntap-20240415-0012/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26462" + } + } + ], + "artifact": { + "id": "5b4458fd2a0b50fd", + "name": "libk5crypto3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libk5crypto3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26461", + "dataSource": "https://ubuntu.com/security/CVE-2024-26461", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26461" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26461", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://security.netapp.com/advisory/ntap-20240415-0011/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26461" + } + } + ], + "artifact": { + "id": "5b4458fd2a0b50fd", + "name": "libk5crypto3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libk5crypto3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26458", + "dataSource": "https://ubuntu.com/security/CVE-2024-26458", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26458" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26458", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://security.netapp.com/advisory/ntap-20240415-0010/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26458" + } + } + ], + "artifact": { + "id": "5b4458fd2a0b50fd", + "name": "libk5crypto3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libk5crypto3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libk5crypto3:libk5crypto3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libk5crypto3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37371", + "dataSource": "https://ubuntu.com/security/CVE-2024-37371", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37371" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37371", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37371" + } + } + ], + "artifact": { + "id": "2b04489baa0c5a85", + "name": "libkrb5-3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5-3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37370", + "dataSource": "https://ubuntu.com/security/CVE-2024-37370", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37370" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37370", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37370" + } + } + ], + "artifact": { + "id": "2b04489baa0c5a85", + "name": "libkrb5-3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5-3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26462", + "dataSource": "https://ubuntu.com/security/CVE-2024-26462", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26462" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26462", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://security.netapp.com/advisory/ntap-20240415-0012/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26462" + } + } + ], + "artifact": { + "id": "2b04489baa0c5a85", + "name": "libkrb5-3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5-3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26461", + "dataSource": "https://ubuntu.com/security/CVE-2024-26461", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26461" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26461", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://security.netapp.com/advisory/ntap-20240415-0011/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26461" + } + } + ], + "artifact": { + "id": "2b04489baa0c5a85", + "name": "libkrb5-3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5-3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26458", + "dataSource": "https://ubuntu.com/security/CVE-2024-26458", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26458" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26458", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://security.netapp.com/advisory/ntap-20240415-0010/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26458" + } + } + ], + "artifact": { + "id": "2b04489baa0c5a85", + "name": "libkrb5-3", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5-3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5-3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5-3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5_3:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5-3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*", + "cpe:2.3:a:libkrb5:libkrb5_3:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5-3@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37371", + "dataSource": "https://ubuntu.com/security/CVE-2024-37371", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37371" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37371", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37371" + } + } + ], + "artifact": { + "id": "3ead40926c2b5d5c", + "name": "libkrb5support0", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5support0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37370", + "dataSource": "https://ubuntu.com/security/CVE-2024-37370", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37370" + ], + "cvss": [], + "fix": { + "versions": [ + "1.19.2-2ubuntu0.4" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37370", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef", + "https://web.mit.edu/kerberos/www/advisories/" + ], + "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "< 1.19.2-2ubuntu0.4 (deb)", + "vulnerabilityID": "CVE-2024-37370" + } + } + ], + "artifact": { + "id": "3ead40926c2b5d5c", + "name": "libkrb5support0", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5support0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26462", + "dataSource": "https://ubuntu.com/security/CVE-2024-26462", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26462" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26462", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26462", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", + "https://security.netapp.com/advisory/ntap-20240415-0012/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26462" + } + } + ], + "artifact": { + "id": "3ead40926c2b5d5c", + "name": "libkrb5support0", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5support0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26461", + "dataSource": "https://ubuntu.com/security/CVE-2024-26461", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26461" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26461", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26461", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", + "https://security.netapp.com/advisory/ntap-20240415-0011/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26461" + } + } + ], + "artifact": { + "id": "3ead40926c2b5d5c", + "name": "libkrb5support0", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5support0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-26458", + "dataSource": "https://ubuntu.com/security/CVE-2024-26458", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26458" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26458", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26458", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", + "https://security.netapp.com/advisory/ntap-20240415-0010/" + ], + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "krb5", + "version": "1.19.2-2ubuntu0.3" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26458" + } + } + ], + "artifact": { + "id": "3ead40926c2b5d5c", + "name": "libkrb5support0", + "version": "1.19.2-2ubuntu0.3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libkrb5support0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:libkrb5support0:libkrb5support0:1.19.2-2ubuntu0.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libkrb5support0@1.19.2-2ubuntu0.3?arch=amd64&upstream=krb5&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "krb5" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "e41baeef893dc672", + "name": "liblsan0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/liblsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:liblsan0:liblsan0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/liblsan0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "e41baeef893dc672", + "name": "liblsan0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/liblsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:liblsan0:liblsan0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/liblsan0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-50495", + "dataSource": "https://ubuntu.com/security/CVE-2023-50495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-50495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-50495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://security.netapp.com/advisory/ntap-20240119-0008/" + ], + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-50495" + } + } + ], + "artifact": { + "id": "9d631babdfb8df3e", + "name": "libncurses6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libncurses6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libncurses6:libncurses6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-45918", + "dataSource": "https://ubuntu.com/security/CVE-2023-45918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-45918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-45918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/" + ], + "description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-45918" + } + } + ], + "artifact": { + "id": "9d631babdfb8df3e", + "name": "libncurses6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libncurses6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libncurses6:libncurses6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libncurses6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-50495", + "dataSource": "https://ubuntu.com/security/CVE-2023-50495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-50495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-50495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://security.netapp.com/advisory/ntap-20240119-0008/" + ], + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-50495" + } + } + ], + "artifact": { + "id": "0532d09628a2ff0b", + "name": "libncursesw6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libncursesw6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libncursesw6:libncursesw6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-45918", + "dataSource": "https://ubuntu.com/security/CVE-2023-45918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-45918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-45918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/" + ], + "description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-45918" + } + } + ], + "artifact": { + "id": "0532d09628a2ff0b", + "name": "libncursesw6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libncursesw6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libncursesw6:libncursesw6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libncursesw6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0217", + "dataSource": "https://ubuntu.com/security/CVE-2024-0217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0217", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2024-0217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2256624", + "https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79" + ], + "description": "A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0217" + } + } + ], + "artifact": { + "id": "4e2ed93a3f00508b", + "name": "libpackagekit-glib2-18", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpackagekit-glib2-18/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpackagekit-glib2-18:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:libpackagekit-glib2-18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2-18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2_18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2_18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpackagekit-glib2-18@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "packagekit" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-0987", + "dataSource": "https://ubuntu.com/security/CVE-2022-0987", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0987" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0987", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0987", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2064315" + ], + "description": "A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0987" + } + } + ], + "artifact": { + "id": "4e2ed93a3f00508b", + "name": "libpackagekit-glib2-18", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpackagekit-glib2-18/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpackagekit-glib2-18:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:libpackagekit-glib2-18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2-18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2_18:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2_18:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit-glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit_glib2:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit:libpackagekit-glib2-18:1.2.5-2ubuntu2:*:*:*:*:*:*:*", + "cpe:2.3:a:libpackagekit:libpackagekit_glib2_18:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpackagekit-glib2-18@1.2.5-2ubuntu2?arch=amd64&upstream=packagekit&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "packagekit" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-7008", + "dataSource": "https://ubuntu.com/security/CVE-2023-7008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-7008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-7008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2463", + "https://access.redhat.com/errata/RHSA-2024:3203", + "https://access.redhat.com/security/cve/CVE-2023-7008", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222261", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", + "https://github.com/systemd/systemd/issues/25676", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + ], + "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "systemd", + "version": "249.11-0ubuntu3.12" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-7008" + } + } + ], + "artifact": { + "id": "4d802af324d0c968", + "name": "libpam-systemd", + "version": "249.11-0ubuntu3.12", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpam-systemd/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpam-systemd:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "CC0-1.0", + "Expat", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:libpam-systemd:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:libpam-systemd:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:libpam_systemd:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:libpam_systemd:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:libpam:libpam-systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:libpam:libpam_systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpam-systemd@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "systemd" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-41409", + "dataSource": "https://ubuntu.com/security/CVE-2022-41409", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-41409" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-41409", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-41409", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35", + "https://github.com/PCRE2Project/pcre2/issues/141" + ], + "description": "Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "pcre2", + "version": "10.39-3ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-41409" + } + } + ], + "artifact": { + "id": "b83e437a170b2b4b", + "name": "libpcre2-8-0", + "version": "10.39-3ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpcre2-8-0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libpcre2-8-0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:libpcre2-8-0:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2-8-0:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2_8_0:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2_8_0:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2-8:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2-8:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2_8:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2_8:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2:libpcre2-8-0:10.39-3ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libpcre2:libpcre2_8_0:10.39-3ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpcre2-8-0@10.39-3ubuntu0.1?arch=amd64&upstream=pcre2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "pcre2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2017-11164", + "dataSource": "https://ubuntu.com/security/CVE-2017-11164", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2017-11164" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-11164", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-11164", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://openwall.com/lists/oss-security/2017/07/11/3", + "http://www.openwall.com/lists/oss-security/2023/04/11/1", + "http://www.openwall.com/lists/oss-security/2023/04/12/1", + "http://www.securityfocus.com/bid/99575", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" + ], + "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 10, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "pcre3", + "version": "2:8.39-13ubuntu0.22.04.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-11164" + } + } + ], + "artifact": { + "id": "c17e17a6c3b778e9", + "name": "libpcre3", + "version": "2:8.39-13ubuntu0.22.04.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpcre3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libpcre3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [], + "cpes": [ + "cpe:2.3:a:libpcre3:libpcre3:2:8.39-13ubuntu0.22.04.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpcre3@2:8.39-13ubuntu0.22.04.1?arch=amd64&upstream=pcre3&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "pcre3" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2568", + "dataSource": "https://ubuntu.com/security/CVE-2016-2568", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2568" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2568", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2568", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/26/3", + "https://access.redhat.com/security/cve/cve-2016-2568", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062", + "https://bugzilla.redhat.com/show_bug.cgi?id=1300746", + "https://ubuntu.com/security/CVE-2016-2568" + ], + "description": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.1, + "impactScore": 6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "policykit-1", + "version": "0.105-33" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2568" + } + } + ], + "artifact": { + "id": "75f309e7896cc7d5", + "name": "libpolkit-agent-1-0", + "version": "0.105-33", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpolkit-agent-1-0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpolkit-agent-1-0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "LGPL-2", + "LGPL-2.0+" + ], + "cpes": [ + "cpe:2.3:a:libpolkit-agent-1-0:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-agent-1-0:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent_1_0:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent_1_0:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-agent-1:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-agent-1:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent_1:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent_1:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-agent:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-agent:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_agent:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit:libpolkit-agent-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit:libpolkit_agent_1_0:0.105-33:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpolkit-agent-1-0@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "policykit-1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2568", + "dataSource": "https://ubuntu.com/security/CVE-2016-2568", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2568" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2568", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2568", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/26/3", + "https://access.redhat.com/security/cve/cve-2016-2568", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062", + "https://bugzilla.redhat.com/show_bug.cgi?id=1300746", + "https://ubuntu.com/security/CVE-2016-2568" + ], + "description": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.1, + "impactScore": 6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "policykit-1", + "version": "0.105-33" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2568" + } + } + ], + "artifact": { + "id": "ff118ec3fae758b1", + "name": "libpolkit-gobject-1-0", + "version": "0.105-33", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpolkit-gobject-1-0/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpolkit-gobject-1-0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "LGPL-2", + "LGPL-2.0+" + ], + "cpes": [ + "cpe:2.3:a:libpolkit-gobject-1-0:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-gobject-1-0:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject_1_0:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject_1_0:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-gobject-1:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-gobject-1:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject_1:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject_1:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-gobject:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit-gobject:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit_gobject:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit:libpolkit-gobject-1-0:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:libpolkit:libpolkit_gobject_1_0:0.105-33:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpolkit-gobject-1-0@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "policykit-1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "b091a7d3eecb8cae", + "name": "libpython3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-minimal:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_minimal:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "7c865f57958d3c18", + "name": "libpython3.10-stdlib", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libpython3.10-stdlib:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10-stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10_stdlib:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10-stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.10:libpython3.10_stdlib:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.10-stdlib@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "6804eab1d6c15334", + "name": "libpython3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11:libpython3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "f22d42b9e8547354", + "name": "libpython3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-dev:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_dev:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "79dc12f98cb88c59", + "name": "libpython3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.conffiles", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-minimal:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_minimal:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "2f404a2f16e30ca1", + "name": "libpython3.11-stdlib", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libpython3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/libpython3.11-stdlib:amd64.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11-stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11_stdlib:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11-stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libpython3.11:libpython3.11_stdlib:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libpython3.11-stdlib@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "851fee7a303de1b7", + "name": "libquadmath0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libquadmath0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libquadmath0:libquadmath0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libquadmath0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "851fee7a303de1b7", + "name": "libquadmath0", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libquadmath0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libquadmath0:libquadmath0:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libquadmath0@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-41996", + "dataSource": "https://ubuntu.com/security/CVE-2024-41996", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41996" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + ], + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41996" + } + } + ], + "artifact": { + "id": "44b973ec93703d21", + "name": "libssl3", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "openssl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-5535", + "dataSource": "https://ubuntu.com/security/CVE-2024-5535", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-5535" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-5535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://www.openssl.org/news/secadv/20240627.txt" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-5535" + } + } + ], + "artifact": { + "id": "44b973ec93703d21", + "name": "libssl3", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "openssl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4741", + "dataSource": "https://ubuntu.com/security/CVE-2024-4741", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4741" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-4741" + } + } + ], + "artifact": { + "id": "44b973ec93703d21", + "name": "libssl3", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "openssl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4603", + "dataSource": "https://ubuntu.com/security/CVE-2024-4603", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4603" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4603", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4603", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/16/2", + "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397", + "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e", + "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d", + "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740", + "https://security.netapp.com/advisory/ntap-20240621-0001/", + "https://www.openssl.org/news/secadv/20240516.txt" + ], + "description": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-4603" + } + } + ], + "artifact": { + "id": "44b973ec93703d21", + "name": "libssl3", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "openssl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-2511", + "dataSource": "https://ubuntu.com/security/CVE-2024-2511", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-2511" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-2511", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/04/08/5", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://security.netapp.com/advisory/ntap-20240503-0013/", + "https://www.openssl.org/news/secadv/20240408.txt" + ], + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-2511" + } + } + ], + "artifact": { + "id": "44b973ec93703d21", + "name": "libssl3", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:libssl3:libssl3:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.16?arch=amd64&upstream=openssl&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "openssl" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "5c5dbe65627d4087", + "name": "libstdc++-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "5c5dbe65627d4087", + "name": "libstdc++-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "5c5dbe65627d4087", + "name": "libstdc++-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "5c5dbe65627d4087", + "name": "libstdc++-11-dev", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libstdc++-11-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++-11-dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11-dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11_dev:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++-11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++_11:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++-11-dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:libstdc++:libstdc++_11_dev:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B-11-dev@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "4ddc88716174352d", + "name": "libstdc++6", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libstdc++6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++6:libstdc++6:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "4ddc88716174352d", + "name": "libstdc++6", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libstdc++6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libstdc++6:libstdc++6:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-7008", + "dataSource": "https://ubuntu.com/security/CVE-2023-7008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-7008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-7008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2463", + "https://access.redhat.com/errata/RHSA-2024:3203", + "https://access.redhat.com/security/cve/CVE-2023-7008", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222261", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", + "https://github.com/systemd/systemd/issues/25676", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + ], + "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "systemd", + "version": "249.11-0ubuntu3.12" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-7008" + } + } + ], + "artifact": { + "id": "837dfa89fb7aecbb", + "name": "libsystemd0", + "version": "249.11-0ubuntu3.12", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libsystemd0/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libsystemd0:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "CC0-1.0", + "Expat", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:libsystemd0:libsystemd0:249.11-0ubuntu3.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libsystemd0@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "systemd" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46848", + "dataSource": "https://ubuntu.com/security/CVE-2021-46848", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46848" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46848", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46848", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://bugs.gentoo.org/866237", + "https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5", + "https://gitlab.com/gnutls/libtasn1/-/issues/32", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00003.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV4SHDJF2XLB4CUPTBPQQ6CLGZ5LKXPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECM2ELTVRYV4BZ5L5GMIRQE27RFHPAQ6/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGO7XST4EIJGX4B2ITZCYSWM24534BSU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V5LWOGF7QRMNFRUCZY6TDYQJVFI6MOQ2/", + "https://security.netapp.com/advisory/ntap-20221118-0006/" + ], + "description": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libtasn1-6", + "version": "4.18.0-4build1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46848" + } + } + ], + "artifact": { + "id": "48034bac058cf4d8", + "name": "libtasn1-6", + "version": "4.18.0-4build1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtasn1-6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libtasn1-6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.3", + "GPL-3", + "LGPL", + "LGPL-2.1" + ], + "cpes": [ + "cpe:2.3:a:libtasn1-6:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*", + "cpe:2.3:a:libtasn1-6:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*", + "cpe:2.3:a:libtasn1_6:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*", + "cpe:2.3:a:libtasn1_6:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*", + "cpe:2.3:a:libtasn1:libtasn1-6:4.18.0-4build1:*:*:*:*:*:*:*", + "cpe:2.3:a:libtasn1:libtasn1_6:4.18.0-4build1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtasn1-6@4.18.0-4build1?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-50495", + "dataSource": "https://ubuntu.com/security/CVE-2023-50495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-50495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-50495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://security.netapp.com/advisory/ntap-20240119-0008/" + ], + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-50495" + } + } + ], + "artifact": { + "id": "e392e94b182b72b9", + "name": "libtinfo6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libtinfo6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libtinfo6:libtinfo6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-45918", + "dataSource": "https://ubuntu.com/security/CVE-2023-45918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-45918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-45918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/" + ], + "description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-45918" + } + } + ], + "artifact": { + "id": "e392e94b182b72b9", + "name": "libtinfo6", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libtinfo6/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libtinfo6:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:libtinfo6:libtinfo6:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "f12aede72a6ee01b", + "name": "libtsan0", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libtsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "f12aede72a6ee01b", + "name": "libtsan0", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libtsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-46195", + "dataSource": "https://ubuntu.com/security/CVE-2021-46195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841" + ], + "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46195" + } + } + ], + "artifact": { + "id": "f12aede72a6ee01b", + "name": "libtsan0", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libtsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-3826", + "dataSource": "https://ubuntu.com/security/CVE-2021-3826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3826", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/git/?p=gcc.git%3Ba=commit%3Bh=5481040197402be6dfee265bd2ff5a4c88e30505", + "https://gcc.gnu.org/pipermail/gcc-patches/2021-September/579987", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4MYLS3VR4OPL5ECRWOR4ZHMGXUSCJFZY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AKZ2DTS3ATVN5PANNVLKLE5OP4OF25Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MTEHT3G6YKJ7F7MSGWYSI4UM3XBAYXZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXFC74WRZ2Q7F2TSUKPYNIL7ZPBWYI6L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/" + ], + "description": "Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-11", + "version": "11.4.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3826" + } + } + ], + "artifact": { + "id": "f12aede72a6ee01b", + "name": "libtsan0", + "version": "11.4.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-11-base/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libtsan0:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libtsan0:libtsan0:11.4.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libtsan0@11.4.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-4039", + "dataSource": "https://ubuntu.com/security/CVE-2023-4039", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4039" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4039", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", + "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" + ], + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + }, + { + "source": "arm-security@arm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 2.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4039" + } + } + ], + "artifact": { + "id": "0bd42c1a89f86d7c", + "name": "libubsan1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libubsan1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libubsan1:libubsan1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libubsan1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-27943", + "dataSource": "https://ubuntu.com/security/CVE-2022-27943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-27943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-27943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" + ], + "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "gcc-12", + "version": "12.3.0-1ubuntu1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-27943" + } + } + ], + "artifact": { + "id": "0bd42c1a89f86d7c", + "name": "libubsan1", + "version": "12.3.0-1ubuntu1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/gcc-12-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libubsan1:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Artistic", + "GFDL-1.2", + "GPL", + "GPL-2", + "GPL-3", + "LGPL" + ], + "cpes": [ + "cpe:2.3:a:libubsan1:libubsan1:12.3.0-1ubuntu1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libubsan1@12.3.0-1ubuntu1~22.04?arch=amd64&upstream=gcc-12&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "gcc-12" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-7008", + "dataSource": "https://ubuntu.com/security/CVE-2023-7008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-7008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-7008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2463", + "https://access.redhat.com/errata/RHSA-2024:3203", + "https://access.redhat.com/security/cve/CVE-2023-7008", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222261", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", + "https://github.com/systemd/systemd/issues/25676", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + ], + "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "systemd", + "version": "249.11-0ubuntu3.12" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-7008" + } + } + ], + "artifact": { + "id": "dfcf0201a1ab32bf", + "name": "libudev1", + "version": "249.11-0ubuntu3.12", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libudev1/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libudev1:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "CC0-1.0", + "Expat", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:libudev1:libudev1:249.11-0ubuntu3.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libudev1@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "systemd" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-34459", + "dataSource": "https://ubuntu.com/security/CVE-2024-34459", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-34459" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + ], + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libxml2", + "version": "2.9.13+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-34459" + } + } + ], + "artifact": { + "id": "2c561f4e739dd13a", + "name": "libxml2", + "version": "2.9.13+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libxml2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libxml2:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "ISC", + "MIT-1" + ], + "cpes": [ + "cpe:2.3:a:libxml2:libxml2:2.9.13+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libxml2@2.9.13%2Bdfsg-1ubuntu0.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-35328", + "dataSource": "https://ubuntu.com/security/CVE-2024-35328", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35328" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35328", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35328", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libyaml", + "version": "0.2.2-1build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35328" + } + } + ], + "artifact": { + "id": "df8d710de57d7548", + "name": "libyaml-0-2", + "version": "0.2.2-1build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libyaml-0-2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Expat", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "libyaml" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-35326", + "dataSource": "https://ubuntu.com/security/CVE-2024-35326", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35326" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35326", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35326", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libyaml", + "version": "0.2.2-1build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35326" + } + } + ], + "artifact": { + "id": "df8d710de57d7548", + "name": "libyaml-0-2", + "version": "0.2.2-1build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libyaml-0-2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Expat", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "libyaml" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-35325", + "dataSource": "https://ubuntu.com/security/CVE-2024-35325", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35325" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35325", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35325", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libyaml", + "version": "0.2.2-1build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35325" + } + } + ], + "artifact": { + "id": "df8d710de57d7548", + "name": "libyaml-0-2", + "version": "0.2.2-1build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libyaml-0-2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/libyaml-0-2:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Expat", + "permissive" + ], + "cpes": [ + "cpe:2.3:a:libyaml-0-2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0-2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0_2:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml-0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml_0:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml-0-2:0.2.2-1build2:*:*:*:*:*:*:*", + "cpe:2.3:a:libyaml:libyaml_0_2:0.2.2-1build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libyaml-0-2@0.2.2-1build2?arch=amd64&upstream=libyaml&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "libyaml" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-4899", + "dataSource": "https://ubuntu.com/security/CVE-2022-4899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-4899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-4899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/facebook/zstd/issues/3200", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/", + "https://security.netapp.com/advisory/ntap-20230725-0005/" + ], + "description": "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "libzstd", + "version": "1.4.8+dfsg-3build1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-4899" + } + } + ], + "artifact": { + "id": "db01fe463729db55", + "name": "libzstd1", + "version": "1.4.8+dfsg-3build1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libzstd1/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/libzstd1:amd64.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "Expat", + "GPL-2", + "zlib" + ], + "cpes": [ + "cpe:2.3:a:libzstd1:libzstd1:1.4.8+dfsg-3build1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?arch=amd64&upstream=libzstd&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "libzstd" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-29383", + "dataSource": "https://ubuntu.com/security/CVE-2023-29383", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-29383" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-29383", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-29383", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d", + "https://github.com/shadow-maint/shadow/pull/687", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/", + "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797" + ], + "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "shadow", + "version": "1:4.8.1-2ubuntu2.2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-29383" + } + } + ], + "artifact": { + "id": "c25e61c8104d045b", + "name": "login", + "version": "1:4.8.1-2ubuntu2.2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/login/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/login.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/login.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:login:login:1:4.8.1-2ubuntu2.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/login@1:4.8.1-2ubuntu2.2?arch=amd64&upstream=shadow&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "shadow" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-50495", + "dataSource": "https://ubuntu.com/security/CVE-2023-50495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-50495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-50495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://security.netapp.com/advisory/ntap-20240119-0008/" + ], + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-50495" + } + } + ], + "artifact": { + "id": "3760343f92af5dba", + "name": "ncurses-base", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/ncurses-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-base.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-base.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:ncurses-base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses-base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-45918", + "dataSource": "https://ubuntu.com/security/CVE-2023-45918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-45918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-45918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/" + ], + "description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-45918" + } + } + ], + "artifact": { + "id": "3760343f92af5dba", + "name": "ncurses-base", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/ncurses-base/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-base.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-base.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:ncurses-base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses-base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_base:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_base:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses-base:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses_base:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/ncurses-base@6.3-2ubuntu0.1?arch=all&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-50495", + "dataSource": "https://ubuntu.com/security/CVE-2023-50495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-50495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-50495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://security.netapp.com/advisory/ntap-20240119-0008/" + ], + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-50495" + } + } + ], + "artifact": { + "id": "38ed2d1a224f9399", + "name": "ncurses-bin", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/ncurses-bin/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-bin.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:ncurses-bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses-bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-45918", + "dataSource": "https://ubuntu.com/security/CVE-2023-45918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-45918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-45918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html", + "https://security.netapp.com/advisory/ntap-20240315-0006/" + ], + "description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "ncurses", + "version": "6.3-2ubuntu0.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-45918" + } + } + ], + "artifact": { + "id": "38ed2d1a224f9399", + "name": "ncurses-bin", + "version": "6.3-2ubuntu0.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/ncurses-bin/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/ncurses-bin.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3-clause", + "MIT/X11", + "X11" + ], + "cpes": [ + "cpe:2.3:a:ncurses-bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses-bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_bin:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_bin:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses-bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses_bin:6.3-2ubuntu0.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/ncurses-bin@6.3-2ubuntu0.1?arch=amd64&upstream=ncurses&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "ncurses" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-41996", + "dataSource": "https://ubuntu.com/security/CVE-2024-41996", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41996" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + ], + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41996" + } + } + ], + "artifact": { + "id": "fed47764300c311f", + "name": "openssl", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/openssl.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/openssl.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-5535", + "dataSource": "https://ubuntu.com/security/CVE-2024-5535", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-5535" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-5535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/27/1", + "http://www.openwall.com/lists/oss-security/2024/06/28/4", + "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", + "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", + "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", + "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", + "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c", + "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", + "https://security.netapp.com/advisory/ntap-20240712-0005/", + "https://www.openssl.org/news/secadv/20240627.txt" + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-5535" + } + } + ], + "artifact": { + "id": "fed47764300c311f", + "name": "openssl", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/openssl.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/openssl.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4741", + "dataSource": "https://ubuntu.com/security/CVE-2024-4741", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4741" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-4741" + } + } + ], + "artifact": { + "id": "fed47764300c311f", + "name": "openssl", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/openssl.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/openssl.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4603", + "dataSource": "https://ubuntu.com/security/CVE-2024-4603", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4603" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4603", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4603", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/16/2", + "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397", + "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e", + "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d", + "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740", + "https://security.netapp.com/advisory/ntap-20240621-0001/", + "https://www.openssl.org/news/secadv/20240516.txt" + ], + "description": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-4603" + } + } + ], + "artifact": { + "id": "fed47764300c311f", + "name": "openssl", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/openssl.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/openssl.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-2511", + "dataSource": "https://ubuntu.com/security/CVE-2024-2511", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-2511" + ], + "cvss": [], + "fix": { + "versions": [ + "3.0.2-0ubuntu1.17" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-2511", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/04/08/5", + "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", + "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", + "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", + "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", + "https://security.netapp.com/advisory/ntap-20240503-0013/", + "https://www.openssl.org/news/secadv/20240408.txt" + ], + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "openssl", + "version": "3.0.2-0ubuntu1.16" + } + }, + "found": { + "versionConstraint": "< 3.0.2-0ubuntu1.17 (deb)", + "vulnerabilityID": "CVE-2024-2511" + } + } + ], + "artifact": { + "id": "fed47764300c311f", + "name": "openssl", + "version": "3.0.2-0ubuntu1.16", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/libssl3/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/openssl.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/openssl.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "Artistic", + "GPL-1", + "GPL-1+" + ], + "cpes": [ + "cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.16:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0217", + "dataSource": "https://ubuntu.com/security/CVE-2024-0217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0217", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2024-0217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2256624", + "https://github.com/PackageKit/PackageKit/commit/64278c9127e3333342b56ead99556161f7e86f79" + ], + "description": "A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0217" + } + } + ], + "artifact": { + "id": "cb13b67d8759b594", + "name": "packagekit", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/packagekit/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/packagekit.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/packagekit.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:packagekit:packagekit:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/packagekit@1.2.5-2ubuntu2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-0987", + "dataSource": "https://ubuntu.com/security/CVE-2022-0987", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0987" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0987", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0987", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2064315" + ], + "description": "A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "packagekit", + "version": "1.2.5-2ubuntu2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0987" + } + } + ], + "artifact": { + "id": "cb13b67d8759b594", + "name": "packagekit", + "version": "1.2.5-2ubuntu2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/packagekit/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/packagekit.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/packagekit.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+" + ], + "cpes": [ + "cpe:2.3:a:packagekit:packagekit:1.2.5-2ubuntu2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/packagekit@1.2.5-2ubuntu2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-29383", + "dataSource": "https://ubuntu.com/security/CVE-2023-29383", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-29383" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-29383", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-29383", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d", + "https://github.com/shadow-maint/shadow/pull/687", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/", + "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797" + ], + "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "shadow", + "version": "1:4.8.1-2ubuntu2.2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-29383" + } + } + ], + "artifact": { + "id": "fdb7dd2a267a46c4", + "name": "passwd", + "version": "1:4.8.1-2ubuntu2.2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/passwd/copyright", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/passwd.conffiles", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/info/passwd.md5sums", + "layerID": "sha256:931b7ff0cb6f494b27d31a4cbec3efe62ac54676add9c7469560302f1541ecaf" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:passwd:passwd:1:4.8.1-2ubuntu2.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/passwd@1:4.8.1-2ubuntu2.2?arch=amd64&upstream=shadow&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "shadow" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-45261", + "dataSource": "https://ubuntu.com/security/CVE-2021-45261", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2021-45261" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-45261", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-45261", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://savannah.gnu.org/bugs/?61685" + ], + "description": "An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "patch", + "version": "2.7.6-7build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-45261" + } + } + ], + "artifact": { + "id": "ee1d527e22791580", + "name": "patch", + "version": "2.7.6-7build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/patch/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/patch.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL" + ], + "cpes": [ + "cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2019-20633", + "dataSource": "https://ubuntu.com/security/CVE-2019-20633", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2019-20633" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-20633", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-20633", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://savannah.gnu.org/bugs/index.php?56683" + ], + "description": "GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "patch", + "version": "2.7.6-7build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-20633" + } + } + ], + "artifact": { + "id": "ee1d527e22791580", + "name": "patch", + "version": "2.7.6-7build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/patch/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/patch.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL" + ], + "cpes": [ + "cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2018-6952", + "dataSource": "https://ubuntu.com/security/CVE-2018-6952", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-6952" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-6952", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6952", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/103047", + "https://access.redhat.com/errata/RHSA-2019:2033", + "https://savannah.gnu.org/bugs/index.php?53133", + "https://security.gentoo.org/glsa/201904-17" + ], + "description": "A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "patch", + "version": "2.7.6-7build2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-6952" + } + } + ], + "artifact": { + "id": "ee1d527e22791580", + "name": "patch", + "version": "2.7.6-7build2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/patch/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/patch.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL" + ], + "cpes": [ + "cpe:2.3:a:patch:patch:2.7.6-7build2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/patch@2.7.6-7build2?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2568", + "dataSource": "https://ubuntu.com/security/CVE-2016-2568", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2568" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2568", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2568", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/26/3", + "https://access.redhat.com/security/cve/cve-2016-2568", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062", + "https://bugzilla.redhat.com/show_bug.cgi?id=1300746", + "https://ubuntu.com/security/CVE-2016-2568" + ], + "description": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.1, + "impactScore": 6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "policykit-1", + "version": "0.105-33" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2568" + } + } + ], + "artifact": { + "id": "d55289a43c85d6a4", + "name": "pkexec", + "version": "0.105-33", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/pkexec/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/pkexec.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "LGPL-2", + "LGPL-2.0+" + ], + "cpes": [ + "cpe:2.3:a:pkexec:pkexec:0.105-33:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/pkexec@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "policykit-1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2568", + "dataSource": "https://ubuntu.com/security/CVE-2016-2568", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2568" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2568", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2568", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/26/3", + "https://access.redhat.com/security/cve/cve-2016-2568", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062", + "https://bugzilla.redhat.com/show_bug.cgi?id=1300746", + "https://ubuntu.com/security/CVE-2016-2568" + ], + "description": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.1, + "impactScore": 6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "policykit-1", + "version": "0.105-33" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2568" + } + } + ], + "artifact": { + "id": "d757443f44e8916c", + "name": "policykit-1", + "version": "0.105-33", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/policykit-1/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/policykit-1.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "LGPL-2", + "LGPL-2.0+" + ], + "cpes": [ + "cpe:2.3:a:policykit-1:policykit-1:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:policykit-1:policykit_1:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:policykit_1:policykit-1:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:policykit_1:policykit_1:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:policykit:policykit-1:0.105-33:*:*:*:*:*:*:*", + "cpe:2.3:a:policykit:policykit_1:0.105-33:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/policykit-1@0.105-33?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2016-2568", + "dataSource": "https://ubuntu.com/security/CVE-2016-2568", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2016-2568" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-2568", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2568", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/02/26/3", + "https://access.redhat.com/security/cve/cve-2016-2568", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062", + "https://bugzilla.redhat.com/show_bug.cgi?id=1300746", + "https://ubuntu.com/security/CVE-2016-2568" + ], + "description": "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.1, + "impactScore": 6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "policykit-1", + "version": "0.105-33" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-2568" + } + } + ], + "artifact": { + "id": "6ace8efb10979881", + "name": "polkitd", + "version": "0.105-33", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/polkitd/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/polkitd.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/polkitd.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "LGPL-2", + "LGPL-2.0+" + ], + "cpes": [ + "cpe:2.3:a:polkitd:polkitd:0.105-33:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/polkitd@0.105-33?arch=amd64&upstream=policykit-1&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "policykit-1" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-21240", + "dataSource": "https://ubuntu.com/security/CVE-2021-21240", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2021-21240" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-21240", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-21240", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", + "https://github.com/httplib2/httplib2/pull/182", + "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", + "https://pypi.org/project/httplib2" + ], + "description": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-httplib2", + "version": "0.20.2-2" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-21240" + } + } + ], + "artifact": { + "id": "9a3b917c64001b05", + "name": "python3-httplib2", + "version": "0.20.2-2", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-httplib2/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3-httplib2.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "BSD-3", + "Expat", + "GPL-2", + "GPL-2+", + "GPL-3", + "GPL-3+", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-1.1" + ], + "cpes": [ + "cpe:2.3:a:python3-httplib2:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-httplib2:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_httplib2:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_httplib2:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-httplib2:0.20.2-2:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_httplib2:0.20.2-2:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-httplib2@0.20.2-2?arch=all&upstream=python-httplib2&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-httplib2" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6345", + "dataSource": "https://ubuntu.com/security/CVE-2024-6345", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6345" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6345", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0", + "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + ], + "description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6345" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-3651", + "dataSource": "https://ubuntu.com/security/CVE-2024-3651", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-3651" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-3651", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d", + "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb" + ], + "description": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-3651" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-35195", + "dataSource": "https://ubuntu.com/security/CVE-2024-35195", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35195" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35195", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35195", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac", + "https://github.com/psf/requests/pull/6655", + "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ/" + ], + "description": "Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.", + "cvss": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 5.6, + "exploitabilityScore": 0.3, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35195" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-5752", + "dataSource": "https://ubuntu.com/security/CVE-2023-5752", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-5752" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-5752", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-5752", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://github.com/pypa/pip/pull/12306", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + ], + "description": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + }, + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-5752" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-32681", + "dataSource": "https://ubuntu.com/security/CVE-2023-32681", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-32681" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-32681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5", + "https://github.com/psf/requests/releases/tag/v2.31.0", + "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/", + "https://security.gentoo.org/glsa/202309-08" + ], + "description": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", + "metrics": { + "baseScore": 6.1, + "exploitabilityScore": 1.6, + "impactScore": 4 + }, + "vendorMetadata": {} + }, + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", + "metrics": { + "baseScore": 6.1, + "exploitabilityScore": 1.6, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-32681" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-37891", + "dataSource": "https://ubuntu.com/security/CVE-2024-37891", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37891" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37891", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" + ], + "description": " urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.", + "cvss": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.7, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-pip", + "version": "22.0.2+dfsg-1ubuntu0.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37891" + } + } + ], + "artifact": { + "id": "0e693380e112a507", + "name": "python3-pip-whl", + "version": "22.0.2+dfsg-1ubuntu0.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pip-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-pip-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-2", + "BSD-3", + "Expat", + "ISC", + "LGPL-2.1", + "LGPL-2.1+", + "MPL-2", + "MPL-2.0", + "Python" + ], + "cpes": [ + "cpe:2.3:a:python3-pip-whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip-whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip_whl:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pip:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pip-whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pip_whl:22.0.2+dfsg-1ubuntu0.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pip-whl@22.0.2%2Bdfsg-1ubuntu0.4?arch=all&upstream=python-pip&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-pip" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6345", + "dataSource": "https://ubuntu.com/security/CVE-2024-6345", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6345" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6345", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0", + "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + ], + "description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "setuptools", + "version": "59.6.0-1.2ubuntu0.22.04.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6345" + } + } + ], + "artifact": { + "id": "96186ba8ec8bad45", + "name": "python3-pkg-resources", + "version": "59.6.0-1.2ubuntu0.22.04.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-pkg-resources/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3-pkg-resources.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-3-clause" + ], + "cpes": [ + "cpe:2.3:a:python3-pkg-resources:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pkg-resources:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pkg_resources:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pkg_resources:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pkg:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-pkg:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pkg:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_pkg:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-pkg-resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_pkg_resources:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-pkg-resources@59.6.0-1.2ubuntu0.22.04.1?arch=all&upstream=setuptools&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "setuptools" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6345", + "dataSource": "https://ubuntu.com/security/CVE-2024-6345", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6345" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6345", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0", + "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" + ], + "description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "setuptools", + "version": "59.6.0-1.2ubuntu0.22.04.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6345" + } + } + ], + "artifact": { + "id": "2806aa205839c7c6", + "name": "python3-setuptools-whl", + "version": "59.6.0-1.2ubuntu0.22.04.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-setuptools-whl/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3-setuptools-whl.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Apache-2.0", + "BSD-3-clause" + ], + "cpes": [ + "cpe:2.3:a:python3-setuptools-whl:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-setuptools-whl:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_setuptools_whl:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_setuptools_whl:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-setuptools:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-setuptools:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_setuptools:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_setuptools:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-setuptools-whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_setuptools_whl:59.6.0-1.2ubuntu0.22.04.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-setuptools-whl@59.6.0-1.2ubuntu0.22.04.1?arch=all&upstream=setuptools&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "setuptools" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-5569", + "dataSource": "https://ubuntu.com/security/CVE-2024-5569", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-5569" + ], + "cvss": [], + "fix": { + "versions": [ + "1.0.0-3ubuntu0.1" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-5569", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5569", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd", + "https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae" + ], + "description": "A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.", + "cvss": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python-zipp", + "version": "1.0.0-3" + } + }, + "found": { + "versionConstraint": "< 1.0.0-3ubuntu0.1 (deb)", + "vulnerabilityID": "CVE-2024-5569" + } + } + ], + "artifact": { + "id": "e3bc49624ab198ff", + "name": "python3-zipp", + "version": "1.0.0-3", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3-zipp/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3-zipp.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "Expat" + ], + "cpes": [ + "cpe:2.3:a:python3-zipp:python3-zipp:1.0.0-3:*:*:*:*:*:*:*", + "cpe:2.3:a:python3-zipp:python3_zipp:1.0.0-3:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_zipp:python3-zipp:1.0.0-3:*:*:*:*:*:*:*", + "cpe:2.3:a:python3_zipp:python3_zipp:1.0.0-3:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3-zipp:1.0.0-3:*:*:*:*:*:*:*", + "cpe:2.3:a:python3:python3_zipp:1.0.0-3:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3-zipp@1.0.0-3?arch=all&upstream=python-zipp&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python-zipp" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "4dc42e62f2b0d64b", + "name": "python3.10", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10:python3.10:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.4?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [ + "3.10.12-1~22.04.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.10", + "version": "3.10.12-1~22.04.4" + } + }, + "found": { + "versionConstraint": "< 3.10.12-1~22.04.5 (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "e31d6d71fb42d87a", + "name": "python3.10-minimal", + "version": "3.10.12-1~22.04.4", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.10-minimal/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/python3.10-minimal.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.10-minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10-minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10_minimal:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10-minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.10:python3.10_minimal:3.10.12-1~22.04.4:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.10-minimal@3.10.12-1~22.04.4?arch=amd64&upstream=python3.10&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.10" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "b01dc75ced99d8e1", + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11:python3.11:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "79c2c10d8eae10cc", + "name": "python3.11-dev", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-dev.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_dev:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_dev:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-dev@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "9176608c6605979b", + "name": "python3.11-minimal", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11-minimal/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-minimal.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_minimal:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_minimal:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-minimal@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-42919", + "dataSource": "https://ubuntu.com/security/CVE-2022-42919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2022-42919" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-42919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/compare/v3.10.8...v3.10.9", + "https://github.com/python/cpython/compare/v3.9.15...v3.9.16", + "https://github.com/python/cpython/issues/97514", + "https://github.com/python/cpython/issues/97514#issuecomment-1310277840", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0006/" + ], + "description": "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-42919" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-8088", + "dataSource": "https://ubuntu.com/security/CVE-2024-8088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-8088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-8088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-8088", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", + "https://github.com/python/cpython/pull/122906", + "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" + ], + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-8088" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-7592", + "dataSource": "https://ubuntu.com/security/CVE-2024-7592", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-7592" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-7592", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/123067", + "https://github.com/python/cpython/pull/123075", + "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/" + ], + "description": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-7592" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-6923", + "dataSource": "https://ubuntu.com/security/CVE-2024-6923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-6923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-6923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-6923", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/issues/121650", + "https://github.com/python/cpython/pull/122233", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" + ], + "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 2.1, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-6923" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0450", + "dataSource": "https://ubuntu.com/security/CVE-2024-0450", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0450" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0450", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85", + "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba", + "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675", + "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51", + "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549", + "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183", + "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b", + "https://github.com/python/cpython/issues/109858", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", + "https://www.bamsoftware.com/hacks/zipbomb/" + ], + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0450" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-0397", + "dataSource": "https://ubuntu.com/security/CVE-2024-0397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0397", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/2", + "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", + "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", + "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", + "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", + "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", + "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", + "https://github.com/python/cpython/issues/114572", + "https://github.com/python/cpython/pull/114573", + "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" + ], + "description": "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 2.2, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0397" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-6597", + "dataSource": "https://ubuntu.com/security/CVE-2023-6597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/20/5", + "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a", + "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25", + "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5", + "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d", + "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82", + "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", + "https://github.com/python/cpython/issues/91133", + "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", + "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + ], + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "cvss": [ + { + "source": "cna@python.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.4, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6597" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-41105", + "dataSource": "https://ubuntu.com/security/CVE-2023-41105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-41105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-41105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/106242", + "https://github.com/python/cpython/pull/107981", + "https://github.com/python/cpython/pull/107982", + "https://github.com/python/cpython/pull/107983", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/", + "https://security.netapp.com/advisory/ntap-20231006-0015/" + ], + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-41105" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-40217", + "dataSource": "https://ubuntu.com/security/CVE-2023-40217", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-40217" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-40217", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", + "https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/", + "https://security.netapp.com/advisory/ntap-20231006-0014/", + "https://www.python.org/dev/security/" + ], + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-40217" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-27043", + "dataSource": "https://ubuntu.com/security/CVE-2023-27043", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-27043" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-27043", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-27043", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://python.org", + "https://github.com/python/cpython/issues/102988", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/", + "https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html", + "https://security.netapp.com/advisory/ntap-20230601-0003/" + ], + "description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 3.9, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-27043" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-24329", + "dataSource": "https://ubuntu.com/security/CVE-2023-24329", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-24329" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24329", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/102153", + "https://github.com/python/cpython/pull/99421", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/", + "https://pointernull.com/security/python-url-parse-problem.html", + "https://security.netapp.com/advisory/ntap-20230324-0004/", + "https://www.kb.cert.org/vuls/id/127587" + ], + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-24329" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2022-45061", + "dataSource": "https://ubuntu.com/security/CVE-2022-45061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ], + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45061" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2024-4032", + "dataSource": "https://ubuntu.com/security/CVE-2024-4032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-4032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-4032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-4032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/06/17/3", + "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", + "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", + "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", + "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", + "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", + "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", + "https://github.com/python/cpython/issues/113171", + "https://github.com/python/cpython/pull/113179", + "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" + ], + "description": "The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "python3.11", + "version": "3.11.0~rc1-1~22.04" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-4032" + } + } + ], + "artifact": { + "id": "ea04946965edbd31", + "name": "python3.11-venv", + "version": "3.11.0~rc1-1~22.04", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/python3.11/copyright", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/info/python3.11-venv.md5sums", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "By", + "GPL-2", + "Permission", + "Redistribution", + "This" + ], + "cpes": [ + "cpe:2.3:a:python3.11-venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11-venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11_venv:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11-venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*", + "cpe:2.3:a:python3.11:python3.11_venv:3.11.0~rc1-1~22.04:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/python3.11-venv@3.11.0~rc1-1~22.04?arch=amd64&upstream=python3.11&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "python3.11" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2023-7008", + "dataSource": "https://ubuntu.com/security/CVE-2023-7008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-7008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-7008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2463", + "https://access.redhat.com/errata/RHSA-2024:3203", + "https://access.redhat.com/security/cve/CVE-2023-7008", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222261", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", + "https://github.com/systemd/systemd/issues/25676", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + ], + "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "systemd", + "version": "249.11-0ubuntu3.12" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-7008" + } + } + ], + "artifact": { + "id": "08e5107537f6b389", + "name": "systemd", + "version": "249.11-0ubuntu3.12", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/systemd/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/systemd.conffiles", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/systemd.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "CC0-1.0", + "Expat", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:systemd:systemd:249.11-0ubuntu3.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/systemd@249.11-0ubuntu3.12?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + }, + { + "vulnerability": { + "id": "CVE-2023-7008", + "dataSource": "https://ubuntu.com/security/CVE-2023-7008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-7008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-7008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2463", + "https://access.redhat.com/errata/RHSA-2024:3203", + "https://access.redhat.com/security/cve/CVE-2023-7008", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222261", + "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", + "https://github.com/systemd/systemd/issues/25676", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + ], + "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "systemd", + "version": "249.11-0ubuntu3.12" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-7008" + } + } + ], + "artifact": { + "id": "6a9688725c2c3e10", + "name": "systemd-sysv", + "version": "249.11-0ubuntu3.12", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/systemd-sysv/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/systemd-sysv.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "CC0-1.0", + "Expat", + "GPL-2", + "GPL-2+", + "LGPL-2.1", + "LGPL-2.1+", + "public-domain" + ], + "cpes": [ + "cpe:2.3:a:systemd-sysv:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:systemd-sysv:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:systemd_sysv:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:systemd_sysv:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:systemd:systemd-sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*", + "cpe:2.3:a:systemd:systemd_sysv:249.11-0ubuntu3.12:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/systemd-sysv@249.11-0ubuntu3.12?arch=amd64&upstream=systemd&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "systemd" + } + ] + } + }, + { + "vulnerability": { + "id": "CVE-2021-31879", + "dataSource": "https://ubuntu.com/security/CVE-2021-31879", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-31879" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-31879", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-31879", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html", + "https://security.netapp.com/advisory/ntap-20210618-0002/" + ], + "description": "GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "metrics": { + "baseScore": 6.1, + "exploitabilityScore": 2.8, + "impactScore": 2.7 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "wget", + "version": "1.21.2-2ubuntu1.1" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-31879" + } + } + ], + "artifact": { + "id": "313cc77842f860d3", + "name": "wget", + "version": "1.21.2-2ubuntu1.1", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/wget/copyright", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/wget.conffiles", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/info/wget.md5sums", + "layerID": "sha256:387a348022bdf89fb3f5142e3176c4b6aa07567dc660e1e1db46d6db50723a5b" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GFDL-1.2", + "GPL-3" + ], + "cpes": [ + "cpe:2.3:a:wget:wget:1.21.2-2ubuntu1.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/wget@1.21.2-2ubuntu1.1?arch=amd64&distro=ubuntu-22.04", + "upstreams": [] + } + } + ], + "ignoredMatches": [ + { + "vulnerability": { + "id": "CVE-2012-4542", + "dataSource": "https://ubuntu.com/security/CVE-2012-4542", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2012-4542" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2012-4542", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2012-4542", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://marc.info/?l=linux-kernel&m=135903967015813&w=2", + "http://marc.info/?l=linux-kernel&m=135904012416042&w=2", + "http://rhn.redhat.com/errata/RHSA-2013-0496.html", + "http://rhn.redhat.com/errata/RHSA-2013-0579.html", + "http://rhn.redhat.com/errata/RHSA-2013-0882.html", + "http://rhn.redhat.com/errata/RHSA-2013-0928.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=875360", + "https://oss.oracle.com/git/?p=redpatch.git%3Ba=commit%3Bh=76a274e17114abf1a77de6b651424648ce9e10c8" + ], + "description": "block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 3.9, + "impactScore": 6.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2012-4542" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2013-7445", + "dataSource": "https://ubuntu.com/security/CVE-2013-7445", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2013-7445" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2013-7445", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2013-7445", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.kernel.org/show_bug.cgi?id=60533" + ], + "description": "The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 10, + "impactScore": 6.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2013-7445" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2015-8553", + "dataSource": "https://ubuntu.com/security/CVE-2015-8553", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2015-8553" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2015-8553", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2015-8553", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://xenbits.xen.org/xsa/advisory-120.html", + "https://seclists.org/bugtraq/2019/Aug/18", + "https://www.debian.org/security/2019/dsa-4497" + ], + "description": "Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2015-8553" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2016-8660", + "dataSource": "https://ubuntu.com/security/CVE-2016-8660", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2016-8660" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-8660", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-8660", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2016/10/13/8", + "http://www.securityfocus.com/bid/93558", + "https://bugzilla.redhat.com/show_bug.cgi?id=1384851" + ], + "description": "The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a \"page lock order bug in the XFS seek hole/data implementation.\"", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2016-8660" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2017-0537", + "dataSource": "https://ubuntu.com/security/CVE-2017-0537", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2017-0537" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-0537", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-0537", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/96831", + "http://www.securitytracker.com/id/1037968", + "https://source.android.com/security/bulletin/2017-03-01", + "https://source.android.com/security/bulletin/2017-03-01.html" + ], + "description": "An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-31614969.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.6, + "exploitabilityScore": 4.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-0537" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2017-13165", + "dataSource": "https://ubuntu.com/security/CVE-2017-13165", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13165" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13165", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13165", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://source.android.com/security/bulletin/pixel/2017-12-01" + ], + "description": "An elevation of privilege vulnerability in the kernel file system. Product: Android. Versions: Android kernel. Android ID A-31269937.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 3.9, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13165" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2017-13693", + "dataSource": "https://ubuntu.com/security/CVE-2017-13693", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13693" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13693", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13693", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/100502", + "https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732", + "https://patchwork.kernel.org/patch/9919053/" + ], + "description": "The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13693" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2017-13694", + "dataSource": "https://ubuntu.com/security/CVE-2017-13694", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2017-13694" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2017-13694", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-13694", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/100500", + "https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0", + "https://patchwork.kernel.org/patch/9806085/" + ], + "description": "The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2017-13694" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-1121", + "dataSource": "https://ubuntu.com/security/CVE-2018-1121", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2018-1121" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-1121", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-1121", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://seclists.org/oss-sec/2018/q2/122", + "http://www.securityfocus.com/bid/104214", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121", + "https://www.exploit-db.com/exploits/44806/", + "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" + ], + "description": "procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "metrics": { + "baseScore": 3.9, + "exploitabilityScore": 1.3, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-1121" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-12928", + "dataSource": "https://ubuntu.com/security/CVE-2018-12928", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2018-12928" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-12928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-12928", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/104593", + "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763384", + "https://marc.info/?l=linux-fsdevel&m=152407263325766&w=2" + ], + "description": "In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-12928" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-12929", + "dataSource": "https://ubuntu.com/security/CVE-2018-12929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2018-12929" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-12929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-12929", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/104588", + "https://access.redhat.com/errata/RHSA-2019:0641", + "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403", + "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + ], + "description": "ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-12929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-12930", + "dataSource": "https://ubuntu.com/security/CVE-2018-12930", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2018-12930" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-12930", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-12930", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/104588", + "https://access.redhat.com/errata/RHSA-2019:0641", + "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403", + "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + ], + "description": "ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 3.9, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-12930" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-12931", + "dataSource": "https://ubuntu.com/security/CVE-2018-12931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2018-12931" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-12931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-12931", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.securityfocus.com/bid/104588", + "https://access.redhat.com/errata/RHSA-2019:0641", + "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403", + "https://marc.info/?l=linux-ntfs-dev&m=152413769810234&w=2" + ], + "description": "ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 3.9, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-12931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2018-17977", + "dataSource": "https://ubuntu.com/security/CVE-2018-17977", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2018-17977" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2018-17977", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-17977", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.securityfocus.com/bid/105539", + "https://www.openwall.com/lists/oss-security/2018/10/05/5" + ], + "description": "The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2018-17977" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2019-14899", + "dataSource": "https://ubuntu.com/security/CVE-2019-14899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-14899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-14899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-14899", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://seclists.org/fulldisclosure/2020/Dec/32", + "http://seclists.org/fulldisclosure/2020/Jul/23", + "http://seclists.org/fulldisclosure/2020/Jul/24", + "http://seclists.org/fulldisclosure/2020/Jul/25", + "http://seclists.org/fulldisclosure/2020/Nov/20", + "http://www.openwall.com/lists/oss-security/2020/08/13/2", + "http://www.openwall.com/lists/oss-security/2020/10/07/3", + "http://www.openwall.com/lists/oss-security/2021/07/05/1", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14899", + "https://openvpn.net/security-advisory/no-flaws-found-in-openvpn-software/", + "https://support.apple.com/kb/HT211288", + "https://support.apple.com/kb/HT211289", + "https://support.apple.com/kb/HT211290", + "https://support.apple.com/kb/HT211850", + "https://support.apple.com/kb/HT211931" + ], + "description": "A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:M/Au:S/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 4.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 1.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 1.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-14899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2019-15213", + "dataSource": "https://ubuntu.com/security/CVE-2019-15213", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-15213" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-15213", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-15213", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html", + "http://www.openwall.com/lists/oss-security/2019/08/20/2", + "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.3", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6cf97230cd5f36b7665099083272595c55d72be7", + "https://security.netapp.com/advisory/ntap-20190905-0002/", + "https://syzkaller.appspot.com/bug?id=a53c9c9dd2981bfdbfbcbc1ddbd35595eda8bced" + ], + "description": "An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.9, + "exploitabilityScore": 3.9, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-15213" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2019-19378", + "dataSource": "https://ubuntu.com/security/CVE-2019-19378", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-19378" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-19378", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-19378", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19378", + "https://security.netapp.com/advisory/ntap-20200103-0001/" + ], + "description": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 8.6, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-19378" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2019-19814", + "dataSource": "https://ubuntu.com/security/CVE-2019-19814", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-19814" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-19814", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-19814", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19814", + "https://security.netapp.com/advisory/ntap-20200103-0001/" + ], + "description": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 9.3, + "exploitabilityScore": 8.6, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-19814" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2019-20794", + "dataSource": "https://ubuntu.com/security/CVE-2019-20794", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2019-20794" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2019-20794", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-20794", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2020/08/24/1", + "https://github.com/sargun/fuse-example", + "https://security.netapp.com/advisory/ntap-20200608-0001/", + "https://sourceforge.net/p/fuse/mailman/message/36598753/" + ], + "description": "An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 3.4, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2019-20794" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-11935", + "dataSource": "https://ubuntu.com/security/CVE-2020-11935", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-11935" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-11935", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-11935", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugs.launchpad.net/bugs/1873074", + "https://ubuntu.com/security/CVE-2020-11935" + ], + "description": "It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@ubuntu.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-11935" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-14304", + "dataSource": "https://ubuntu.com/security/CVE-2020-14304", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2020-14304" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-14304", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-14304", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960702", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14304" + ], + "description": "A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-14304" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-15802", + "dataSource": "https://ubuntu.com/security/CVE-2020-15802", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-15802" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-15802", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-15802", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://gizmodo.com/bluetooth-unveils-its-latest-security-issue-with-no-se-1845013709", + "https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/", + "https://www.kb.cert.org/vuls/id/589825" + ], + "description": "Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-15802" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26140", + "dataSource": "https://ubuntu.com/security/CVE-2020-26140", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26140" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26140", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26140", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/05/11/12", + "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf", + "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu", + "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63", + "https://www.fragattacks.com" + ], + "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 6.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26140" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26142", + "dataSource": "https://ubuntu.com/security/CVE-2020-26142", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26142" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26142", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26142", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/05/11/12", + "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu", + "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63", + "https://www.fragattacks.com" + ], + "description": "An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 2.6, + "exploitabilityScore": 4.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26142" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26143", + "dataSource": "https://ubuntu.com/security/CVE-2020-26143", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26143" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26143", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26143", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/05/11/12", + "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf", + "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu", + "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63", + "https://www.fragattacks.com" + ], + "description": "An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 6.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26143" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26146", + "dataSource": "https://ubuntu.com/security/CVE-2020-26146", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26146" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26146", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26146", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2021/05/11/12", + "https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf", + "https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu", + "https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63", + "https://www.fragattacks.com" + ], + "description": "An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:M/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 2.9, + "exploitabilityScore": 5.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26146" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26556", + "dataSource": "https://ubuntu.com/security/CVE-2020-26556", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26556" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26556", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26556", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://kb.cert.org/vuls/id/799380", + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/", + "https://www.kb.cert.org/vuls/id/799380" + ], + "description": "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:M/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.9, + "exploitabilityScore": 5.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.6, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26556" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26557", + "dataSource": "https://ubuntu.com/security/CVE-2020-26557", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26557" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26557", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26557", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://kb.cert.org/vuls/id/799380", + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + ], + "description": "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:M/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.9, + "exploitabilityScore": 5.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.6, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26557" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26559", + "dataSource": "https://ubuntu.com/security/CVE-2020-26559", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26559" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26559", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26559", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://kb.cert.org/vuls/id/799380", + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + ], + "description": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 6.5, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26559" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-26560", + "dataSource": "https://ubuntu.com/security/CVE-2020-26560", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2020-26560" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-26560", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-26560", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://kb.cert.org/vuls/id/799380", + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + ], + "description": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:N", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 6.5, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 8.1, + "exploitabilityScore": 2.8, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-26560" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2020-35501", + "dataSource": "https://ubuntu.com/security/CVE-2020-35501", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2020-35501" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2020-35501", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-35501", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1908577" + ], + "description": "A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N", + "metrics": { + "baseScore": 3.6, + "exploitabilityScore": 3.9, + "impactScore": 4.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 3.4, + "exploitabilityScore": 0.8, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2020-35501" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-26934", + "dataSource": "https://ubuntu.com/security/CVE-2021-26934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2021-26934" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-26934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-26934", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://xenbits.xen.org/xsa/advisory-363.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GELN5E6MDR5KQBJF5M5COUUED3YFZTD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOAJBVAVR6RSCUCHNXPVSNRPSFM7INMP/", + "https://security.netapp.com/advisory/ntap-20210326-0001/" + ], + "description": "An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 3.9, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-26934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-31615", + "dataSource": "https://ubuntu.com/security/CVE-2021-31615", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-31615" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-31615", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-31615", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bluetooth.com", + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/injectable/" + ], + "description": "Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 may permit an adjacent device to inject a crafted packet during the receive window of the listening device before the transmitting device initiates its packet transmission to achieve full MITM status without terminating the link. When applied against devices establishing or using encrypted links, crafted packets may be used to terminate an existing link, but will not compromise the confidentiality or integrity of the link.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:A/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 2.9, + "exploitabilityScore": 5.5, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-31615" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-33096", + "dataSource": "https://ubuntu.com/security/CVE-2021-33096", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-33096" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-33096", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-33096", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://security.netapp.com/advisory/ntap-20220210-0010/", + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00571.html" + ], + "description": "Improper isolation of shared resources in network on chip for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-33096" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-3714", + "dataSource": "https://ubuntu.com/security/CVE-2021-3714", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3714" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3714", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3714", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2021-3714", + "https://arxiv.org/abs/2111.08553", + "https://arxiv.org/pdf/2111.08553.pdf", + "https://bugzilla.redhat.com/show_bug.cgi?id=1931327" + ], + "description": "A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3714" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-3773", + "dataSource": "https://ubuntu.com/security/CVE-2021-3773", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3773" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3773", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3773", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2004949", + "https://citizenlab.ca/2024/07/vulnerabilities-in-vpns-paper-presented-at-the-privacy-enhancing-technologies-symposium-2024/", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3773" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-3864", + "dataSource": "https://ubuntu.com/security/CVE-2021-3864", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-3864" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-3864", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2021-3864", + "https://bugzilla.redhat.com/show_bug.cgi?id=2015046", + "https://lore.kernel.org/all/20211221021744.864115-1-longman%40redhat.com/", + "https://lore.kernel.org/all/20211226150310.GA992%401wt.eu/", + "https://lore.kernel.org/lkml/20211228170910.623156-1-wander%40redhat.com/", + "https://security-tracker.debian.org/tracker/CVE-2021-3864", + "https://www.openwall.com/lists/oss-security/2021/10/20/2" + ], + "description": "A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-3864" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-4095", + "dataSource": "https://ubuntu.com/security/CVE-2021-4095", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-4095" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-4095", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-4095", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2022/01/17/1", + "https://bugzilla.redhat.com/show_bug.cgi?id=2031194", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIOQN7JJNN6ABIDGRSTVZA65MHRLMH2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT6573CGKVK3DU2632VVO5BVM4IU7SBV/" + ], + "description": "A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl. This flaw affects Linux kernel versions prior to 5.17-rc1.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.9, + "exploitabilityScore": 3.4, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-4095" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-46928", + "dataSource": "https://ubuntu.com/security/CVE-2021-46928", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-46928" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-46928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-46928", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/484730e5862f6b872dca13840bed40fd7c60fa26", + "https://git.kernel.org/stable/c/d01e9ce1af6116f812491d3d3873d204f10ae0b8", + "https://git.kernel.org/stable/c/e96373f0a5f484bc1e193f9951dcb3adf24bf3f7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Clear stale IIR value on instruction access rights trap\n\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\ncouldn't execute an instruction due to missing execute permissions on\nthe memory region. In this case it seems the CPU didn't even fetched\nthe instruction from memory and thus did not store it in the cr19 (IIR)\nregister before calling the trap handler. So, the trap handler will find\nsome random old stale value in cr19.\n\nThis patch simply overwrites the stale IIR value with a constant magic\n\"bad food\" value (0xbaadf00d), in the hope people don't start to try to\nunderstand the various random IIR values in trap 7 dumps.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-46928" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-47432", + "dataSource": "https://ubuntu.com/security/CVE-2021-47432", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-47432" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-47432", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-47432", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/784d01f9bbc282abb0c5ade5beb98a87f50343ac", + "https://git.kernel.org/stable/c/9492261ff2460252cf2d8de89cdf854c7e2b28a0", + "https://git.kernel.org/stable/c/aa7f1827953100cdde0795289a80c6c077bfe437", + "https://git.kernel.org/stable/c/ec298b958cb0c40d70c68079da933c8f31c5134c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/generic-radix-tree.c: Don't overflow in peek()\n\nWhen we started spreading new inode numbers throughout most of the 64\nbit inode space, that triggered some corner case bugs, in particular\nsome integer overflows related to the radix tree code. Oops.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-47432" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-47472", + "dataSource": "https://ubuntu.com/security/CVE-2021-47472", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-47472" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-47472", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-47472", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-47472" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-47599", + "dataSource": "https://ubuntu.com/security/CVE-2021-47599", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-47599" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-47599", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-47599", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6605fd2f394bba0a0059df2b6cfc87b0b6d393a2", + "https://git.kernel.org/stable/c/e342c2558016ead462f376b6c6c2ac5efc17f3b1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: use latest_dev in btrfs_show_devname\n\nThe test case btrfs/238 reports the warning below:\n\n WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]\n CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72\n Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n Call trace:\n btrfs_show_devname+0x108/0x1b4 [btrfs]\n show_mountinfo+0x234/0x2c4\n m_show+0x28/0x34\n seq_read_iter+0x12c/0x3c4\n vfs_read+0x29c/0x2c8\n ksys_read+0x80/0xec\n __arm64_sys_read+0x28/0x34\n invoke_syscall+0x50/0xf8\n do_el0_svc+0x88/0x138\n el0_svc+0x2c/0x8c\n el0t_64_sync_handler+0x84/0xe4\n el0t_64_sync+0x198/0x19c\n\nReason:\nWhile btrfs_prepare_sprout() moves the fs_devices::devices into\nfs_devices::seed_list, the btrfs_show_devname() searches for the devices\nand found none, leading to the warning as in above.\n\nFix:\nlatest_dev is updated according to the changes to the device list.\nThat means we could use the latest_dev->name to show the device name in\n/proc/self/mounts, the pointer will be always valid as it's assigned\nbefore the device is deleted from the list in remove or replace.\nThe RCU protection is sufficient as the device structure is freed after\nsynchronization.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-47599" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2021-47615", + "dataSource": "https://ubuntu.com/security/CVE-2021-47615", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2021-47615" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2021-47615", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-47615", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9", + "https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701", + "https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix releasing unallocated memory in dereg MR flow\n\nFor the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though\nit is a user MR. This causes function mlx5_free_priv_descs() to think that\nit is a kernel MR, leading to wrongly accessing mr->descs that will get\nwrong values in the union which leads to attempt to release resources that\nwere not allocated in the first place.\n\nFor example:\n DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]\n WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0\n RIP: 0010:check_unmap+0x54f/0x8b0\n Call Trace:\n debug_dma_unmap_page+0x57/0x60\n mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]\n mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]\n ib_dereg_mr_user+0x60/0x140 [ib_core]\n uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]\n uobj_destroy+0x3f/0x80 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]\n ? uverbs_finalize_object+0x50/0x50 [ib_uverbs]\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquired+0x12/0x380\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquire+0xc4/0x2e0\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n ? lock_release+0x28a/0x400\n ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n __x64_sys_ioctl+0x7f/0xb0\n do_syscall_64+0x38/0x90\n\nFix it by reorganizing the dereg flow and mlx5_ib_mr structure:\n - Move the ib_umem field into the user MRs structure in the union as it's\n applicable only there.\n - Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only\n in case there isn't udata, which indicates that this isn't a user MR.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2021-47615" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-0400", + "dataSource": "https://ubuntu.com/security/CVE-2022-0400", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0400" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0400", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0400", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-0400", + "https://bugzilla.redhat.com/show_bug.cgi?id=2040604", + "https://bugzilla.redhat.com/show_bug.cgi?id=2044575" + ], + "description": "An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0400" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-0480", + "dataSource": "https://ubuntu.com/security/CVE-2022-0480", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0480" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0480", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0480", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-0480", + "https://bugzilla.redhat.com/show_bug.cgi?id=2049700", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0f12156dff2862ac54235fc72703f18770769042", + "https://github.com/kata-containers/kata-containers/issues/3373", + "https://lore.kernel.org/linux-mm/20210902215519.AWcuVc3li%25akpm%40linux-foundation.org/", + "https://ubuntu.com/security/CVE-2022-0480" + ], + "description": "A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0480" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-0854", + "dataSource": "https://ubuntu.com/security/CVE-2022-0854", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0854" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0854", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0854", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8&id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13", + "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html", + "https://www.debian.org/security/2022/dsa-5161", + "https://www.debian.org/security/2022/dsa-5173" + ], + "description": "A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0854" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-0995", + "dataSource": "https://ubuntu.com/security/CVE-2022-0995", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-0995" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-0995", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0995", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html", + "http://packetstormsecurity.com/files/166815/Watch-Queue-Out-Of-Bounds-Write.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=2063786", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb", + "https://security.netapp.com/advisory/ntap-20220429-0001/" + ], + "description": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "metrics": { + "baseScore": 7.2, + "exploitabilityScore": 3.9, + "impactScore": 10 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-0995" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-1205", + "dataSource": "https://ubuntu.com/security/CVE-2022-1205", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-1205" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-1205", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1205", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-1205", + "https://bugzilla.redhat.com/show_bug.cgi?id=2071047", + "https://github.com/torvalds/linux/commit/82e31755e55fbcea6a9dfaae5fe4860ade17cbc0", + "https://github.com/torvalds/linux/commit/fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009", + "https://www.openwall.com/lists/oss-security/2022/04/02/4" + ], + "description": "A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-1205" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-1247", + "dataSource": "https://ubuntu.com/security/CVE-2022-1247", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-1247" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-1247", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1247", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-1247", + "https://bugzilla.redhat.com/show_bug.cgi?id=2066799" + ], + "description": "An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-1247" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-23825", + "dataSource": "https://ubuntu.com/security/CVE-2022-23825", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-23825" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-23825", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-23825", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2022/11/08/1", + "http://www.openwall.com/lists/oss-security/2022/11/10/2", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSRW4LLTAT3CZMOYVNTC7YIYGX3KLED/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/", + "https://security.gentoo.org/glsa/202402-07", + "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037", + "https://www.debian.org/security/2022/dsa-5184" + ], + "description": "Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-23825" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-25265", + "dataSource": "https://ubuntu.com/security/CVE-2022-25265", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-25265" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-25265", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-25265", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/torvalds/linux/blob/1c33bb0507508af24fd754dd7123bd8e997fab2f/arch/x86/include/asm/elf.h#L281-L294", + "https://github.com/x0reaxeax/exec-prot-bypass", + "https://security.netapp.com/advisory/ntap-20220318-0005/" + ], + "description": "In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 3.4, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-25265" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-25836", + "dataSource": "https://ubuntu.com/security/CVE-2022-25836", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-25836" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-25836", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-25836", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + ], + "description": "Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4.0 through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when the MITM negotiates Legacy Passkey Pairing with the pairing Initiator and Secure Connections Passkey Pairing with the pairing Responder and brute forces the Passkey entered by the user into the Initiator. The MITM attacker can use the identified Passkey value to complete authentication with the Responder via Bluetooth pairing method confusion.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.2, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-25836" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-25837", + "dataSource": "https://ubuntu.com/security/CVE-2022-25837", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-25837" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-25837", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-25837", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/" + ], + "description": "Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when at least one device supports BR/EDR Secure Connections pairing and the other BR/EDR Legacy PIN code pairing if the MITM negotiates BR/EDR Secure Simple Pairing in Secure Connections mode using the Passkey association model with the pairing Initiator and BR/EDR Legacy PIN code pairing with the pairing Responder and brute forces the Passkey entered by the user into the Responder as a 6-digit PIN code. The MITM attacker can use the identified PIN code value as the Passkey value to complete authentication with the Initiator via Bluetooth pairing method confusion.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.2, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-25837" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-26047", + "dataSource": "https://ubuntu.com/security/CVE-2022-26047", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-26047" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-26047", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-26047", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00699.html" + ], + "description": "Improper input validation for some Intel(R) PROSet/Wireless WiFi, Intel vPro(R) CSME WiFi and Killer(TM) WiFi products may allow unauthenticated user to potentially enable denial of service via local access.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secure@intel.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 2.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-26047" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-28667", + "dataSource": "https://ubuntu.com/security/CVE-2022-28667", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-28667" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-28667", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-28667", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00687.html" + ], + "description": "Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi software before version 22.140 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secure@intel.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-28667" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-28693", + "dataSource": "https://ubuntu.com/security/CVE-2022-28693", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-28693" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-28693" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-2961", + "dataSource": "https://ubuntu.com/security/CVE-2022-2961", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-2961" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-2961", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2961", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2022-2961", + "https://security.netapp.com/advisory/ntap-20230214-0004/" + ], + "description": "A use-after-free flaw was found in the Linux kernel’s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-2961" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-3114", + "dataSource": "https://ubuntu.com/security/CVE-2022-3114", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3114" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3114", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3114", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2153054", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.19-rc2&id=ed713e2bc093239ccd380c2ce8ae9e4162f5c037" + ], + "description": "An issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3114" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-3238", + "dataSource": "https://ubuntu.com/security/CVE-2022-3238", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3238" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3238", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3238", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2127927" + ], + "description": "A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3238" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-3523", + "dataSource": "https://ubuntu.com/security/CVE-2022-3523", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-3523" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-3523", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-3523", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16ce101db85db694a91380aa4c89b25530871d33", + "https://vuldb.com/?id.211020" + ], + "description": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211020.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-3523" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-38096", + "dataSource": "https://ubuntu.com/security/CVE-2022-38096", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-38096" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-38096", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-38096", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", + "metrics": { + "baseScore": 6.3, + "exploitabilityScore": 2.1, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2022-38096" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-38457", + "dataSource": "https://ubuntu.com/security/CVE-2022-38457", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-38457" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-38457", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-38457", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=2074" + ], + "description": "A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", + "metrics": { + "baseScore": 6.3, + "exploitabilityScore": 2.1, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-38457" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-40133", + "dataSource": "https://ubuntu.com/security/CVE-2022-40133", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-40133" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-40133", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40133", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=2075" + ], + "description": "A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", + "metrics": { + "baseScore": 6.3, + "exploitabilityScore": 2.1, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-40133" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-41848", + "dataSource": "https://ubuntu.com/security/CVE-2022-41848", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-41848" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-41848", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-41848", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/char/pcmcia/synclink_cs.c", + "https://lore.kernel.org/lkml/20220919040251.GA302541%40ubuntu/T/#rc85e751f467b3e6f9ccef92cfa7fb8a6cc50c270" + ], + "description": "drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.2, + "exploitabilityScore": 0.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-41848" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-44032", + "dataSource": "https://ubuntu.com/security/CVE-2022-44032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-44032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-44032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-44032", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15", + "https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/", + "https://lore.kernel.org/lkml/20220919040701.GA302806%40ubuntu/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-44032" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-44033", + "dataSource": "https://ubuntu.com/security/CVE-2022-44033", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-44033" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-44033", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-44033", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15", + "https://lore.kernel.org/lkml/20220915020834.GA110086%40ubuntu/", + "https://lore.kernel.org/lkml/20220919040457.GA302681%40ubuntu/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-44033" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-44034", + "dataSource": "https://ubuntu.com/security/CVE-2022-44034", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2022-44034" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-44034", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-44034", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b12f050c76f090cc6d0aebe0ef76fed79ec3f15", + "https://lore.kernel.org/lkml/20220916050333.GA188358%40ubuntu/", + "https://lore.kernel.org/lkml/20220919101825.GA313940%40ubuntu/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-44034" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-4543", + "dataSource": "https://ubuntu.com/security/CVE-2022-4543", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-4543" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-4543", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-4543", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://www.openwall.com/lists/oss-security/2022/12/16/3", + "https://www.willsroot.io/2022/12/entrybleed.html" + ], + "description": "A flaw named \"EntryBleed\" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-4543" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-45884", + "dataSource": "https://ubuntu.com/security/CVE-2022-45884", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45884" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45884", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45884", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=627bb528b086b4136315c25d6a447a98ea9448d3", + "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/", + "https://lore.kernel.org/linux-media/20221115131822.6640-4-imv4bel%40gmail.com/", + "https://security.netapp.com/advisory/ntap-20230113-0006/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45884" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-45885", + "dataSource": "https://ubuntu.com/security/CVE-2022-45885", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45885" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45885", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45885", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6769a0b7ee0c3b31e1b22c3fadff2bfb642de23f", + "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/", + "https://lore.kernel.org/linux-media/20221115131822.6640-2-imv4bel%40gmail.com/", + "https://security.netapp.com/advisory/ntap-20230113-0006/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45885" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-45887", + "dataSource": "https://ubuntu.com/security/CVE-2022-45887", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45887" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45887", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45887", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=517a281338322ff8293f988771c98aaa7205e457", + "https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel%40gmail.com/", + "https://lore.kernel.org/linux-media/20221115131822.6640-5-imv4bel%40gmail.com/", + "https://security.netapp.com/advisory/ntap-20230113-0006/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45887" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-45888", + "dataSource": "https://ubuntu.com/security/CVE-2022-45888", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2022-45888" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-45888", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-45888", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=282a4b71816b6076029017a7bab3a9dcee12a920", + "https://lore.kernel.org/all/20221022175404.GA375335%40ubuntu/", + "https://security.netapp.com/advisory/ntap-20230113-0006/" + ], + "description": "An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-45888" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48628", + "dataSource": "https://ubuntu.com/security/CVE-2022-48628", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48628" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48628", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48628", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/47f82395f04a976d4fa97de7f2acffa1c1096571", + "https://git.kernel.org/stable/c/89744b64914426cbabceb3d8a149176b5dafdfb5", + "https://git.kernel.org/stable/c/e3dfcab2080dc1f9a4b09cc1327361bc2845bfcd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: drop messages from MDS when unmounting\n\nWhen unmounting all the dirty buffers will be flushed and after\nthe last osd request is finished the last reference of the i_count\nwill be released. Then it will flush the dirty cap/snap to MDSs,\nand the unmounting won't wait the possible acks, which will ihold\nthe inodes when updating the metadata locally but makes no sense\nany more, of this. This will make the evict_inodes() to skip these\ninodes.\n\nIf encrypt is enabled the kernel generate a warning when removing\nthe encrypt keys when the skipped inodes still hold the keyring:\n\nWARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0\nCPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1\nHardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015\nRIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0\nRSP: 0018:ffffc9000b277e28 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00\nRDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000\nRBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000\nR10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40\nR13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000\nFS: 00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\ngeneric_shutdown_super+0x47/0x120\nkill_anon_super+0x14/0x30\nceph_kill_sb+0x36/0x90 [ceph]\ndeactivate_locked_super+0x29/0x60\ncleanup_mnt+0xb8/0x140\ntask_work_run+0x67/0xb0\nexit_to_user_mode_prepare+0x23d/0x240\nsyscall_exit_to_user_mode+0x25/0x60\ndo_syscall_64+0x40/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fd83dc39e9b\n\nLater the kernel will crash when iput() the inodes and dereferencing\nthe \"sb->s_master_keys\", which has been released by the\ngeneric_shutdown_super().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48628" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48631", + "dataSource": "https://ubuntu.com/security/CVE-2022-48631", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48631" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48631", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48631", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29a5b8a137ac8eb410cc823653a29ac0e7b7e1b0", + "https://git.kernel.org/stable/c/2f5e9de15e4f55fbf56f22d4a2ce406246cc462d", + "https://git.kernel.org/stable/c/958b0ee23f5ac106e7cc11472b71aa2ea9a033bc", + "https://git.kernel.org/stable/c/bb7eb3ca4b3b0d2c7872cf1a41c30f5e5bd65df0", + "https://git.kernel.org/stable/c/be4df018c0be5ebecf1ca510feacc23be415cefc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0\n\nWhen walking through an inode extents, the ext4_ext_binsearch_idx() function\nassumes that the extent header has been previously validated. However, there\nare no checks that verify that the number of entries (eh->eh_entries) is\nnon-zero when depth is > 0. And this will lead to problems because the\nEXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this:\n\n[ 135.245946] ------------[ cut here ]------------\n[ 135.247579] kernel BUG at fs/ext4/extents.c:2258!\n[ 135.249045] invalid opcode: 0000 [#1] PREEMPT SMP\n[ 135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4\n[ 135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\n[ 135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0\n[ 135.256475] Code:\n[ 135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246\n[ 135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023\n[ 135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c\n[ 135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c\n[ 135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024\n[ 135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000\n[ 135.272394] FS: 00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n[ 135.274510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0\n[ 135.277952] Call Trace:\n[ 135.278635] \n[ 135.279247] ? preempt_count_add+0x6d/0xa0\n[ 135.280358] ? percpu_counter_add_batch+0x55/0xb0\n[ 135.281612] ? _raw_read_unlock+0x18/0x30\n[ 135.282704] ext4_map_blocks+0x294/0x5a0\n[ 135.283745] ? xa_load+0x6f/0xa0\n[ 135.284562] ext4_mpage_readpages+0x3d6/0x770\n[ 135.285646] read_pages+0x67/0x1d0\n[ 135.286492] ? folio_add_lru+0x51/0x80\n[ 135.287441] page_cache_ra_unbounded+0x124/0x170\n[ 135.288510] filemap_get_pages+0x23d/0x5a0\n[ 135.289457] ? path_openat+0xa72/0xdd0\n[ 135.290332] filemap_read+0xbf/0x300\n[ 135.291158] ? _raw_spin_lock_irqsave+0x17/0x40\n[ 135.292192] new_sync_read+0x103/0x170\n[ 135.293014] vfs_read+0x15d/0x180\n[ 135.293745] ksys_read+0xa1/0xe0\n[ 135.294461] do_syscall_64+0x3c/0x80\n[ 135.295284] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis patch simply adds an extra check in __ext4_ext_check(), verifying that\neh_entries is not 0 when eh_depth is > 0.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48631" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48632", + "dataSource": "https://ubuntu.com/security/CVE-2022-48632", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48632" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48632", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b5ab5fbe69ebbee5692c72b05071a43fc0655d8", + "https://git.kernel.org/stable/c/48ee0a864d1af02eea98fc825cc230d61517a71e", + "https://git.kernel.org/stable/c/dc2a0c587006f29b724069740c48654b9dcaebd2", + "https://git.kernel.org/stable/c/de24aceb07d426b6f1c59f33889d6a964770547b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()\n\nmemcpy() is called in a loop while 'operation->length' upper bound\nis not checked and 'data_idx' also increments.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48632" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48633", + "dataSource": "https://ubuntu.com/security/CVE-2022-48633", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48633" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48633", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48633", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/55c077d97fa67e9f19952bb24122a8316b089474", + "https://git.kernel.org/stable/c/b6f25c3b94f2aadbf5cbef954db4073614943d74" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix WARN_ON(lock->magic != lock) error\n\npsb_gem_unpin() calls dma_resv_lock() but the underlying ww_mutex\ngets destroyed by drm_gem_object_release() move the\ndrm_gem_object_release() call in psb_gem_free_object() to after\nthe unpin to fix the below warning:\n\n[ 79.693962] ------------[ cut here ]------------\n[ 79.693992] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n[ 79.694015] WARNING: CPU: 0 PID: 240 at kernel/locking/mutex.c:582 __ww_mutex_lock.constprop.0+0x569/0xfb0\n[ 79.694052] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer qrtr bnep ath9k ath9k_common ath9k_hw snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel ath3k snd_intel_dspcfg mac80211 snd_intel_sdw_acpi btusb snd_hda_codec btrtl btbcm btintel btmtk bluetooth at24 snd_hda_core snd_hwdep uvcvideo snd_seq libarc4 videobuf2_vmalloc ath videobuf2_memops videobuf2_v4l2 videobuf2_common snd_seq_device videodev acer_wmi intel_powerclamp coretemp mc snd_pcm joydev sparse_keymap ecdh_generic pcspkr wmi_bmof cfg80211 i2c_i801 i2c_smbus snd_timer snd r8169 rfkill lpc_ich soundcore acpi_cpufreq zram rtsx_pci_sdmmc mmc_core serio_raw rtsx_pci gma500_gfx(E) video wmi ip6_tables ip_tables i2c_dev fuse\n[ 79.694436] CPU: 0 PID: 240 Comm: plymouthd Tainted: G W E 6.0.0-rc3+ #490\n[ 79.694457] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[ 79.694469] RIP: 0010:__ww_mutex_lock.constprop.0+0x569/0xfb0\n[ 79.694496] Code: ff 85 c0 0f 84 15 fb ff ff 8b 05 ca 3c 11 01 85 c0 0f 85 07 fb ff ff 48 c7 c6 30 cb 84 aa 48 c7 c7 a3 e1 82 aa e8 ac 29 f8 ff <0f> 0b e9 ed fa ff ff e8 5b 83 8a ff 85 c0 74 10 44 8b 0d 98 3c 11\n[ 79.694513] RSP: 0018:ffffad1dc048bbe0 EFLAGS: 00010282\n[ 79.694623] RAX: 0000000000000028 RBX: 0000000000000000 RCX: 0000000000000000\n[ 79.694636] RDX: 0000000000000001 RSI: ffffffffaa8b0ffc RDI: 00000000ffffffff\n[ 79.694650] RBP: ffffad1dc048bc80 R08: 0000000000000000 R09: ffffad1dc048ba90\n[ 79.694662] R10: 0000000000000003 R11: ffffffffaad62fe8 R12: ffff9ff302103138\n[ 79.694675] R13: ffff9ff306ec8000 R14: ffff9ff307779078 R15: ffff9ff3014c0270\n[ 79.694690] FS: 00007ff1cccf1740(0000) GS:ffff9ff3bc200000(0000) knlGS:0000000000000000\n[ 79.694705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 79.694719] CR2: 0000559ecbcb4420 CR3: 0000000013210000 CR4: 00000000000006f0\n[ 79.694734] Call Trace:\n[ 79.694749] \n[ 79.694761] ? __schedule+0x47f/0x1670\n[ 79.694796] ? psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\n[ 79.694830] ? lock_is_held_type+0xe3/0x140\n[ 79.694864] ? ww_mutex_lock+0x38/0xa0\n[ 79.694885] ? __cond_resched+0x1c/0x30\n[ 79.694902] ww_mutex_lock+0x38/0xa0\n[ 79.694925] psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\n[ 79.694964] psb_gem_unpin+0x199/0x1a0 [gma500_gfx]\n[ 79.694996] drm_gem_object_release_handle+0x50/0x60\n[ 79.695020] ? drm_gem_object_handle_put_unlocked+0xf0/0xf0\n[ 79.695042] idr_for_each+0x4b/0xb0\n[ 79.695066] ? _raw_spin_unlock_irqrestore+0x30/0x60\n[ 79.695095] drm_gem_release+0x1c/0x30\n[ 79.695118] drm_file_free.part.0+0x1ea/0x260\n[ 79.695150] drm_release+0x6a/0x120\n[ 79.695175] __fput+0x9f/0x260\n[ 79.695203] task_work_run+0x59/0xa0\n[ 79.695227] do_exit+0x387/0xbe0\n[ 79.695250] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90\n[ 79.695275] ? lockdep_hardirqs_on+0x7d/0x100\n[ 79.695304] do_group_exit+0x33/0xb0\n[ 79.695331] __x64_sys_exit_group+0x14/0x20\n[ 79.695353] do_syscall_64+0x58/0x80\n[ 79.695376] ? up_read+0x17/0x20\n[ 79.695401] ? lock_is_held_type+0xe3/0x140\n[ 79.695429] ? asm_exc_page_fault+0x22/0x30\n[ 79.695450] ? lockdep_hardirqs_on+0x7d/0x100\n[ 79.695473] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 79.695493] RIP: 0033:0x7ff1ccefe3f1\n[ 79.695516] Code: Unable to access opcode bytes at RIP 0x7ff1ccefe3c7.\n[ 79.695607] RSP: 002b:00007ffed4413378 EFLAGS: \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48633" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48634", + "dataSource": "https://ubuntu.com/security/CVE-2022-48634", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48634" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48634", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48634", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/63e37a79f7bd939314997e29c2f5a9f0ef184281", + "https://git.kernel.org/stable/c/a6ed7624bf4d0a32f2631e74828bca7b7bf15afd", + "https://git.kernel.org/stable/c/c5812807e416618477d1bb0049727ce8bb8292fd", + "https://git.kernel.org/stable/c/e5ae504c8623476e13032670f1a6d6344d53ec9b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix BUG: sleeping function called from invalid context errors\n\ngma_crtc_page_flip() was holding the event_lock spinlock while calling\ncrtc_funcs->mode_set_base() which takes ww_mutex.\n\nThe only reason to hold event_lock is to clear gma_crtc->page_flip_event\non mode_set_base() errors.\n\nInstead unlock it after setting gma_crtc->page_flip_event and on\nerrors re-take the lock and clear gma_crtc->page_flip_event it\nit is still set.\n\nThis fixes the following WARN/stacktrace:\n\n[ 512.122953] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:870\n[ 512.123004] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1253, name: gnome-shell\n[ 512.123031] preempt_count: 1, expected: 0\n[ 512.123048] RCU nest depth: 0, expected: 0\n[ 512.123066] INFO: lockdep is turned off.\n[ 512.123080] irq event stamp: 0\n[ 512.123094] hardirqs last enabled at (0): [<0000000000000000>] 0x0\n[ 512.123134] hardirqs last disabled at (0): [] copy_process+0x9fc/0x1de0\n[ 512.123176] softirqs last enabled at (0): [] copy_process+0x9fc/0x1de0\n[ 512.123207] softirqs last disabled at (0): [<0000000000000000>] 0x0\n[ 512.123233] Preemption disabled at:\n[ 512.123241] [<0000000000000000>] 0x0\n[ 512.123275] CPU: 3 PID: 1253 Comm: gnome-shell Tainted: G W 5.19.0+ #1\n[ 512.123304] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[ 512.123323] Call Trace:\n[ 512.123346] \n[ 512.123370] dump_stack_lvl+0x5b/0x77\n[ 512.123412] __might_resched.cold+0xff/0x13a\n[ 512.123458] ww_mutex_lock+0x1e/0xa0\n[ 512.123495] psb_gem_pin+0x2c/0x150 [gma500_gfx]\n[ 512.123601] gma_pipe_set_base+0x76/0x240 [gma500_gfx]\n[ 512.123708] gma_crtc_page_flip+0x95/0x130 [gma500_gfx]\n[ 512.123808] drm_mode_page_flip_ioctl+0x57d/0x5d0\n[ 512.123897] ? drm_mode_cursor2_ioctl+0x10/0x10\n[ 512.123936] drm_ioctl_kernel+0xa1/0x150\n[ 512.123984] drm_ioctl+0x21f/0x420\n[ 512.124025] ? drm_mode_cursor2_ioctl+0x10/0x10\n[ 512.124070] ? rcu_read_lock_bh_held+0xb/0x60\n[ 512.124104] ? lock_release+0x1ef/0x2d0\n[ 512.124161] __x64_sys_ioctl+0x8d/0xd0\n[ 512.124203] do_syscall_64+0x58/0x80\n[ 512.124239] ? do_syscall_64+0x67/0x80\n[ 512.124267] ? trace_hardirqs_on_prepare+0x55/0xe0\n[ 512.124300] ? do_syscall_64+0x67/0x80\n[ 512.124340] ? rcu_read_lock_sched_held+0x10/0x80\n[ 512.124377] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 512.124411] RIP: 0033:0x7fcc4a70740f\n[ 512.124442] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00\n[ 512.124470] RSP: 002b:00007ffda73f5390 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 512.124503] RAX: ffffffffffffffda RBX: 000055cc9e474500 RCX: 00007fcc4a70740f\n[ 512.124524] RDX: 00007ffda73f5420 RSI: 00000000c01864b0 RDI: 0000000000000009\n[ 512.124544] RBP: 00007ffda73f5420 R08: 000055cc9c0b0cb0 R09: 0000000000000034\n[ 512.124564] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c01864b0\n[ 512.124584] R13: 0000000000000009 R14: 000055cc9df484d0 R15: 000055cc9af5d0c0\n[ 512.124647] ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48634" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48635", + "dataSource": "https://ubuntu.com/security/CVE-2022-48635", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48635" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48635", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48635", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/17d9c15c9b9e7fb285f7ac5367dfb5f00ff575e3", + "https://git.kernel.org/stable/c/60644dffac87b1bb47bdb393aa29d5f2ffcf41a0", + "https://git.kernel.org/stable/c/929ef155e1da41c06f4d8ca86ae12b851a83a744" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsdax: Fix infinite loop in dax_iomap_rw()\n\nI got an infinite loop and a WARNING report when executing a tail command\nin virtiofs.\n\n WARNING: CPU: 10 PID: 964 at fs/iomap/iter.c:34 iomap_iter+0x3a2/0x3d0\n Modules linked in:\n CPU: 10 PID: 964 Comm: tail Not tainted 5.19.0-rc7\n Call Trace:\n \n dax_iomap_rw+0xea/0x620\n ? __this_cpu_preempt_check+0x13/0x20\n fuse_dax_read_iter+0x47/0x80\n fuse_file_read_iter+0xae/0xd0\n new_sync_read+0xfe/0x180\n ? 0xffffffff81000000\n vfs_read+0x14d/0x1a0\n ksys_read+0x6d/0xf0\n __x64_sys_read+0x1a/0x20\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe tail command will call read() with a count of 0. In this case,\niomap_iter() will report this WARNING, and always return 1 which casuing\nthe infinite loop in dax_iomap_rw().\n\nFixing by checking count whether is 0 in dax_iomap_rw().", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48635" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48636", + "dataSource": "https://ubuntu.com/security/CVE-2022-48636", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48636" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48636", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48636", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2e473351400e3dd66f0b71eddcef82ee45a584c1", + "https://git.kernel.org/stable/c/49f401a98b318761ca2e15d4c7869a20043fbed4", + "https://git.kernel.org/stable/c/650a2e79d176db753654d3dde88e53a2033036ac", + "https://git.kernel.org/stable/c/aaba5ff2742043705bc4c02fd0b2b246e2e16da1", + "https://git.kernel.org/stable/c/d3a67c21b18f33c79382084af556557c442f12a6", + "https://git.kernel.org/stable/c/d86b4267834e6d4af62e3073e48166e349ab1b70", + "https://git.kernel.org/stable/c/db7ba07108a48c0f95b74fabbfd5d63e924f992d", + "https://git.kernel.org/stable/c/f5fcc9d6d71d9ff7fdbdd4b89074e6e24fffc20b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup\n\nFix Oops in dasd_alias_get_start_dev() function caused by the pavgroup\npointer being NULL.\n\nThe pavgroup pointer is checked on the entrance of the function but\nwithout the lcu->lock being held. Therefore there is a race window\nbetween dasd_alias_get_start_dev() and _lcu_update() which sets\npavgroup to NULL with the lcu->lock held.\n\nFix by checking the pavgroup pointer with lcu->lock held.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48636" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48637", + "dataSource": "https://ubuntu.com/security/CVE-2022-48637", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48637" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48637", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48637", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08483e4c0c83b221b8891434a04cec405dee94a6", + "https://git.kernel.org/stable/c/32afa1f23e42cc635ccf4c39f24514d03d1e8338", + "https://git.kernel.org/stable/c/c31f26c8f69f776759cbbdfb38e40ea91aa0dd65" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: prevent skb UAF after handing over to PTP worker\n\nWhen reading the timestamp is required bnxt_tx_int() hands\nover the ownership of the completed skb to the PTP worker.\nThe skb should not be used afterwards, as the worker may\nrun before the rest of our code and free the skb, leading\nto a use-after-free.\n\nSince dev_kfree_skb_any() accepts NULL make the loss of\nownership more obvious and set skb to NULL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48637" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48638", + "dataSource": "https://ubuntu.com/security/CVE-2022-48638", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48638" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48638", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48638", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e9571887f97b17cf3ffe9aa4da89090ea60988b", + "https://git.kernel.org/stable/c/8484a356cee8ce3d6a8e6266ff99be326e9273ad", + "https://git.kernel.org/stable/c/df02452f3df069a59bc9e69c84435bf115cb6e37" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: cgroup_get_from_id() must check the looked-up kn is a directory\n\ncgroup has to be one kernfs dir, otherwise kernel panic is caused,\nespecially cgroup id is provide from userspace.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48638" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48639", + "dataSource": "https://ubuntu.com/security/CVE-2022-48639", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48639" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48639", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48639", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0559d91ee3a2cd81b15ad5cd507539d6da867f88", + "https://git.kernel.org/stable/c/8844c750eeb03452e2b3319c27a526f447b82596", + "https://git.kernel.org/stable/c/903f7d322c17d8e306d766404b4604e81653902a", + "https://git.kernel.org/stable/c/c2e1cfefcac35e0eea229e148c8284088ce437b5", + "https://git.kernel.org/stable/c/f8162aed962be8fa07445b2b5928e84ab40dd8d7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix possible refcount leak in tc_new_tfilter()\n\ntfilter_put need to be called to put the refount got by tp->ops->get to\navoid possible refcount leak when chain->tmplt_ops != NULL and\nchain->tmplt_ops != tp->ops.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48639" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48640", + "dataSource": "https://ubuntu.com/security/CVE-2022-48640", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48640" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48640", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48640", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e400d602f46360752e4b32ce842dba3808e15e6", + "https://git.kernel.org/stable/c/2c8e8ab53acfc78da0b4a65f30cb5d306e7d78f7", + "https://git.kernel.org/stable/c/ec3a6f4ffe556a28f6f5028bf7c4412557e7051b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix NULL deref in bond_rr_gen_slave_id\n\nFix a NULL dereference of the struct bonding.rr_tx_counter member because\nif a bond is initially created with an initial mode != zero (Round Robin)\nthe memory required for the counter is never created and when the mode is\nchanged there is never any attempt to verify the memory is allocated upon\nswitching modes.\n\nThis causes the following Oops on an aarch64 machine:\n [ 334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000\n [ 334.694703] Mem abort info:\n [ 334.697486] ESR = 0x0000000096000004\n [ 334.701234] EC = 0x25: DABT (current EL), IL = 32 bits\n [ 334.706536] SET = 0, FnV = 0\n [ 334.709579] EA = 0, S1PTW = 0\n [ 334.712719] FSC = 0x04: level 0 translation fault\n [ 334.717586] Data abort info:\n [ 334.720454] ISV = 0, ISS = 0x00000004\n [ 334.724288] CM = 0, WnR = 0\n [ 334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000\n [ 334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000\n [ 334.740734] Internal error: Oops: 96000004 [#1] SMP\n [ 334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon\n [ 334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4\n [ 334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021\n [ 334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n [ 334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]\n [ 334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n [ 334.807962] sp : ffff8000221733e0\n [ 334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c\n [ 334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000\n [ 334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0\n [ 334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014\n [ 334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62\n [ 334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000\n [ 334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec\n [ 334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742\n [ 334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400\n [ 334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0\n [ 334.882532] Call trace:\n [ 334.884967] bond_rr_gen_slave_id+0x40/0x124 [bonding]\n [ 334.890109] bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n [ 334.896033] __bond_start_xmit+0x128/0x3a0 [bonding]\n [ 334.901001] bond_start_xmit+0x54/0xb0 [bonding]\n [ 334.905622] dev_hard_start_xmit+0xb4/0x220\n [ 334.909798] __dev_queue_xmit+0x1a0/0x720\n [ 334.913799] arp_xmit+0x3c/0xbc\n [ 334.916932] arp_send_dst+0x98/0xd0\n [ 334.920410] arp_solicit+0xe8/0x230\n [ 334.923888] neigh_probe+0x60/0xb0\n [ 334.927279] __neigh_event_send+0x3b0/0x470\n [ 334.931453] neigh_resolve_output+0x70/0x90\n [ 334.935626] ip_finish_output2+0x158/0x514\n [ 334.939714] __ip_finish_output+0xac/0x1a4\n [ 334.943800] ip_finish_output+0x40/0xfc\n [ 334.947626] ip_output+0xf8/0x1a4\n [ 334.950931] ip_send_skb+0x5c/0x100\n [ 334.954410] ip_push_pending_frames+0x3c/0x60\n [ 334.958758] raw_sendmsg+0x458/0x6d0\n [ 334.962325] inet_sendmsg+0x50/0x80\n [ 334.965805] sock_sendmsg+0x60/0x6c\n [ 334.969286] __sys_sendto+0xc8/0x134\n [ 334.972853] __arm64_sys_sendto+0x34/0x4c\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48640" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48641", + "dataSource": "https://ubuntu.com/security/CVE-2022-48641", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48641" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48641", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48641", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/11ebf32fde46572b0aaf3c2bdd97d923ef5a03ab", + "https://git.kernel.org/stable/c/1e98318af2f163eadaff815abcef38d27ca92c1e", + "https://git.kernel.org/stable/c/38cf372b17f0a5f35c1b716a100532d539f0eb33", + "https://git.kernel.org/stable/c/62ce44c4fff947eebdf10bb582267e686e6835c9", + "https://git.kernel.org/stable/c/754e8b74281dd54a324698803483f47cf3355ae1", + "https://git.kernel.org/stable/c/d5917b7af7cae0e2804f9d127a03268035098b7f", + "https://git.kernel.org/stable/c/ebd97dbe3c55d68346b9c5fb00634a7f5b10bbee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix memory leak when blob is malformed\n\nThe bug fix was incomplete, it \"replaced\" crash with a memory leak.\nThe old code had an assignment to \"ret\" embedded into the conditional,\nrestore this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48641" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48642", + "dataSource": "https://ubuntu.com/security/CVE-2022-48642", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48642" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48642", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48642", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08d7524f366a886b99b1630a24a27dd6e0d7f852", + "https://git.kernel.org/stable/c/985b031667c3177b9e7fb9787b989628e4271714", + "https://git.kernel.org/stable/c/9a4d6dd554b86e65581ef6b6638a39ae079b17ac", + "https://git.kernel.org/stable/c/b043a525a3f5520abb676a7cd8f6328fdf959e88" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix percpu memory leak at nf_tables_addchain()\n\nIt seems to me that percpu memory for chain stats started leaking since\ncommit 3bc158f8d0330f0a (\"netfilter: nf_tables: map basechain priority to\nhardware priority\") when nft_chain_offload_priority() returned an error.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48642" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48643", + "dataSource": "https://ubuntu.com/security/CVE-2022-48643", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48643" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48643", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48643", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/710e3f526bd23a0d33435dedc52c3144de284378", + "https://git.kernel.org/stable/c/8bcad2a931313aeba076b76922d5813ef97d0a91", + "https://git.kernel.org/stable/c/91aa52652f4b37089aff3cb53e83049d826fef6d", + "https://git.kernel.org/stable/c/921ebde3c0d22c8cba74ce8eb3cc4626abff1ccd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix nft_counters_enabled underflow at nf_tables_addchain()\n\nsyzbot is reporting underflow of nft_counters_enabled counter at\nnf_tables_addchain() [1], for commit 43eb8949cfdffa76 (\"netfilter:\nnf_tables: do not leave chain stats enabled on error\") missed that\nnf_tables_chain_destroy() after nft_basechain_init() in the error path of\nnf_tables_addchain() decrements the counter because nft_basechain_init()\nmakes nft_is_base_chain() return true by setting NFT_CHAIN_BASE flag.\n\nIncrement the counter immediately after returning from\nnft_basechain_init().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48643" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48644", + "dataSource": "https://ubuntu.com/security/CVE-2022-48644", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48644" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48644", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48644", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb", + "https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323", + "https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76", + "https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92", + "https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: avoid disabling offload when it was never enabled\n\nIn an incredibly strange API design decision, qdisc->destroy() gets\ncalled even if qdisc->init() never succeeded, not exclusively since\ncommit 87b60cfacf9f (\"net_sched: fix error recovery at qdisc creation\"),\nbut apparently also earlier (in the case of qdisc_create_dflt()).\n\nThe taprio qdisc does not fully acknowledge this when it attempts full\noffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in\ntaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS\nparsed from netlink (in taprio_change(), tail called from taprio_init()).\n\nBut in taprio_destroy(), we call taprio_disable_offload(), and this\ndetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).\n\nBut looking at the implementation of FULL_OFFLOAD_IS_ENABLED()\n(a bitwise check of bit 1 in q->flags), it is invalid to call this macro\non q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set\nto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on\nan invalid set of flags.\n\nAs a result, it is possible to crash the kernel if user space forces an\nerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling\nof taprio_enable_offload(). This is because drivers do not expect the\noffload to be disabled when it was never enabled.\n\nThe error that we force here is to attach taprio as a non-root qdisc,\nbut instead as child of an mqprio root qdisc:\n\n$ tc qdisc add dev swp0 root handle 1: \\\n\tmqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc qdisc replace dev swp0 parent 1:1 \\\n\ttaprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 990000 sched-entry S 0x80 100000 \\\n\tflags 0x0 clockid CLOCK_TAI\nUnable to handle kernel paging request at virtual address fffffffffffffff8\n[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCall trace:\n taprio_dump+0x27c/0x310\n vsc9959_port_setup_tc+0x1f4/0x460\n felix_port_setup_tc+0x24/0x3c\n dsa_slave_setup_tc+0x54/0x27c\n taprio_disable_offload.isra.0+0x58/0xe0\n taprio_destroy+0x80/0x104\n qdisc_create+0x240/0x470\n tc_modify_qdisc+0x1fc/0x6b0\n rtnetlink_rcv_msg+0x12c/0x390\n netlink_rcv_skb+0x5c/0x130\n rtnetlink_rcv+0x1c/0x2c\n\nFix this by keeping track of the operations we made, and undo the\noffload only if we actually did it.\n\nI've added \"bool offloaded\" inside a 4 byte hole between \"int clockid\"\nand \"atomic64_t picos_per_byte\". Now the first cache line looks like\nbelow:\n\n$ pahole -C taprio_sched net/sched/sch_taprio.o\nstruct taprio_sched {\n struct Qdisc * * qdiscs; /* 0 8 */\n struct Qdisc * root; /* 8 8 */\n u32 flags; /* 16 4 */\n enum tk_offsets tk_offset; /* 20 4 */\n int clockid; /* 24 4 */\n bool offloaded; /* 28 1 */\n\n /* XXX 3 bytes hole, try to pack */\n\n atomic64_t picos_per_byte; /* 32 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n spinlock_t current_entry_lock; /* 40 0 */\n\n /* XXX 8 bytes hole, try to pack */\n\n struct sched_entry * current_entry; /* 48 8 */\n struct sched_gate_list * oper_sched; /* 56 8 */\n /* --- cacheline 1 boundary (64 bytes) --- */", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48644" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48645", + "dataSource": "https://ubuntu.com/security/CVE-2022-48645", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48645" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48645", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48645", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/23022b74b1a23bed044f6bc96cf92f6ca5f3e75f", + "https://git.kernel.org/stable/c/510e703e4ed0e011db860bc21228aff48fc9eea7", + "https://git.kernel.org/stable/c/5641c751fe2f92d3d9e8a8e03c1263ac8caa0b42" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: deny offload of tc-based TSN features on VF interfaces\n\nTSN features on the ENETC (taprio, cbs, gate, police) are configured\nthrough a mix of command BD ring messages and port registers:\nenetc_port_rd(), enetc_port_wr().\n\nPort registers are a region of the ENETC memory map which are only\naccessible from the PCIe Physical Function. They are not accessible from\nthe Virtual Functions.\n\nMoreover, attempting to access these registers crashes the kernel:\n\n$ echo 1 > /sys/bus/pci/devices/0000\\:00\\:00.0/sriov_numvfs\npci 0000:00:01.0: [1957:ef00] type 00 class 0x020001\nfsl_enetc_vf 0000:00:01.0: Adding to iommu group 15\nfsl_enetc_vf 0000:00:01.0: enabling device (0000 -> 0002)\nfsl_enetc_vf 0000:00:01.0 eno0vf0: renamed from eth0\n$ tc qdisc replace dev eno0vf0 root taprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 900000 sched-entry S 0x80 100000 flags 0x2\nUnable to handle kernel paging request at virtual address ffff800009551a08\nInternal error: Oops: 96000007 [#1] PREEMPT SMP\npc : enetc_setup_tc_taprio+0x170/0x47c\nlr : enetc_setup_tc_taprio+0x16c/0x47c\nCall trace:\n enetc_setup_tc_taprio+0x170/0x47c\n enetc_setup_tc+0x38/0x2dc\n taprio_change+0x43c/0x970\n taprio_init+0x188/0x1e0\n qdisc_create+0x114/0x470\n tc_modify_qdisc+0x1fc/0x6c0\n rtnetlink_rcv_msg+0x12c/0x390\n\nSplit enetc_setup_tc() into separate functions for the PF and for the\nVF drivers. Also remove enetc_qos.o from being included into\nenetc-vf.ko, since it serves absolutely no purpose there.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48645" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48646", + "dataSource": "https://ubuntu.com/security/CVE-2022-48646", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48646" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48646", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48646", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/589c6eded10c77a12b7b2cf235b6b19a2bdb91fa", + "https://git.kernel.org/stable/c/a4eadca702dff0768dd01be6789bbec2a18e5b0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc/siena: fix null pointer dereference in efx_hard_start_xmit\n\nLike in previous patch for sfc, prevent potential (but unlikely) NULL\npointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48646" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48647", + "dataSource": "https://ubuntu.com/security/CVE-2022-48647", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48647" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48647", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48647", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/360910b88d1466a90644a4e0533803b594344a2b", + "https://git.kernel.org/stable/c/5f623a77cfc2d501d72bcb4f9ee71721e6c766ff", + "https://git.kernel.org/stable/c/b4afd3878f961d3517f27b3213730fceef77945c", + "https://git.kernel.org/stable/c/f232af4295653afa4ade3230462b3be15ad16419" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix TX channel offset when using legacy interrupts\n\nIn legacy interrupt mode the tx_channel_offset was hardcoded to 1, but\nthat's not correct if efx_sepparate_tx_channels is false. In that case,\nthe offset is 0 because the tx queues are in the single existing channel\nat index 0, together with the rx queue.\n\nWithout this fix, as soon as you try to send any traffic, it tries to\nget the tx queues from an uninitialized channel getting these errors:\n WARNING: CPU: 1 PID: 0 at drivers/net/ethernet/sfc/tx.c:540 efx_hard_start_xmit+0x12e/0x170 [sfc]\n [...]\n RIP: 0010:efx_hard_start_xmit+0x12e/0x170 [sfc]\n [...]\n Call Trace:\n \n dev_hard_start_xmit+0xd7/0x230\n sch_direct_xmit+0x9f/0x360\n __dev_queue_xmit+0x890/0xa40\n [...]\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n [...]\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]\n [...]\n Call Trace:\n \n dev_hard_start_xmit+0xd7/0x230\n sch_direct_xmit+0x9f/0x360\n __dev_queue_xmit+0x890/0xa40\n [...]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48647" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48648", + "dataSource": "https://ubuntu.com/security/CVE-2022-48648", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48648" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48648", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48648", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a242eb2913a4aa3d6fbdb86559f27628e9466f3", + "https://git.kernel.org/stable/c/8547c7bfc0617e7184e4da65b9b96681fcfe9998", + "https://git.kernel.org/stable/c/b3b41d4d95d3822b2e459ecbc80d030ea6aec5e7", + "https://git.kernel.org/stable/c/b3b952168ee1f220ba729fa100fd9d5aa752eb03" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix null pointer dereference in efx_hard_start_xmit\n\nTrying to get the channel from the tx_queue variable here is wrong\nbecause we can only be here if tx_queue is NULL, so we shouldn't\ndereference it. As the above comment in the code says, this is very\nunlikely to happen, but it's wrong anyway so let's fix it.\n\nI hit this issue because of a different bug that caused tx_queue to be\nNULL. If that happens, this is the error message that we get here:\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n [...]\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48648" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48650", + "dataSource": "https://ubuntu.com/security/CVE-2022-48650", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48650" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48650", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48650", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/601be20fc6a1b762044d2398befffd6bf236cebf", + "https://git.kernel.org/stable/c/6a4236ed47f5b0a57eb6b8fb1c351b15b3d341d7", + "https://git.kernel.org/stable/c/89df49e561b4a8948521fc3f8a013012eaa08f82" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()\n\nCommit 8f394da36a36 (\"scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG\")\nmade the __qlt_24xx_handle_abts() function return early if\ntcm_qla2xxx_find_cmd_by_tag() didn't find a command, but it missed to clean\nup the allocated memory for the management command.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48650" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48651", + "dataSource": "https://ubuntu.com/security/CVE-2022-48651", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48651" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48651", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48651", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca", + "https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be", + "https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4", + "https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7", + "https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638", + "https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241", + "https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef", + "https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Fix out-of-bound bugs caused by unset skb->mac_header\n\nIf an AF_PACKET socket is used to send packets through ipvlan and the\ndefault xmit function of the AF_PACKET socket is changed from\ndev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option\nname of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and\nremains as the initial value of 65535, this may trigger slab-out-of-bounds\nbugs as following:\n\n=================================================================\nUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6\nardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33\nall Trace:\nprint_address_description.constprop.0+0x1d/0x160\nprint_report.cold+0x4f/0x112\nkasan_report+0xa3/0x130\nipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nipvlan_start_xmit+0x29/0xa0 [ipvlan]\n__dev_direct_xmit+0x2e2/0x380\npacket_direct_xmit+0x22/0x60\npacket_snd+0x7c9/0xc40\nsock_sendmsg+0x9a/0xa0\n__sys_sendto+0x18a/0x230\n__x64_sys_sendto+0x74/0x90\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is:\n 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW\n and skb->protocol is not specified as in packet_parse_headers()\n\n 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()\n\nIn this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is\ncalled. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which\nuse \"skb->head + skb->mac_header\", out-of-bound access occurs.\n\nThis patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()\nand reset mac header in multicast to solve this out-of-bound bug.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "metrics": { + "baseScore": 7.7, + "exploitabilityScore": 2.5, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48651" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48653", + "dataSource": "https://ubuntu.com/security/CVE-2022-48653", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48653" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48653", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48653", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/149979e87eb7a365d3d0b259bed79d84ff585a93", + "https://git.kernel.org/stable/c/23c619190318376769ad7b61504c2ea0703fb783", + "https://git.kernel.org/stable/c/34447d64b8d28e4d6a73d73f07c879959d68fbfe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't double unplug aux on peer initiated reset\n\nIn the IDC callback that is accessed when the aux drivers request a reset,\nthe function to unplug the aux devices is called. This function is also\ncalled in the ice_prepare_for_reset function. This double call is causing\na \"scheduling while atomic\" BUG.\n\n[ 662.676430] ice 0000:4c:00.0 rocep76s0: cqp opcode = 0x1 maj_err_code = 0xffff min_err_code = 0x8003\n\n[ 662.676609] ice 0000:4c:00.0 rocep76s0: [Modify QP Cmd Error][op_code=8] status=-29 waiting=1 completion_err=1 maj=0xffff min=0x8003\n\n[ 662.815006] ice 0000:4c:00.0 rocep76s0: ICE OICR event notification: oicr = 0x10000003\n\n[ 662.815014] ice 0000:4c:00.0 rocep76s0: critical PE Error, GLPE_CRITERR=0x00011424\n\n[ 662.815017] ice 0000:4c:00.0 rocep76s0: Requesting a reset\n\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\n\n[ 662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\n[ 662.815477] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill 8021q garp mrp stp llc vfat fat rpcrdma intel_rapl_msr intel_rapl_common sunrpc i10nm_edac rdma_ucm nfit ib_srpt libnvdimm ib_isert iscsi_target_mod x86_pkg_temp_thermal intel_powerclamp coretemp target_core_mod snd_hda_intel ib_iser snd_intel_dspcfg libiscsi snd_intel_sdw_acpi scsi_transport_iscsi kvm_intel iTCO_wdt rdma_cm snd_hda_codec kvm iw_cm ipmi_ssif iTCO_vendor_support snd_hda_core irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hwdep snd_seq snd_seq_device rapl snd_pcm snd_timer isst_if_mbox_pci pcspkr isst_if_mmio irdma intel_uncore idxd acpi_ipmi joydev isst_if_common snd mei_me idxd_bus ipmi_si soundcore i2c_i801 mei ipmi_devintf i2c_smbus i2c_ismt ipmi_msghandler acpi_power_meter acpi_pad rv(OE) ib_uverbs ib_cm ib_core xfs libcrc32c ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm_ttm_helpe\n r ttm\n[ 662.815546] nvme nvme_core ice drm crc32c_intel i40e t10_pi wmi pinctrl_emmitsburg dm_mirror dm_region_hash dm_log dm_mod fuse\n[ 662.815557] Preemption disabled at:\n[ 662.815558] [<0000000000000000>] 0x0\n[ 662.815563] CPU: 37 PID: 0 Comm: swapper/37 Kdump: loaded Tainted: G S OE 5.17.1 #2\n[ 662.815566] Hardware name: Intel Corporation D50DNP/D50DNP, BIOS SE5C6301.86B.6624.D18.2111021741 11/02/2021\n[ 662.815568] Call Trace:\n[ 662.815572] \n[ 662.815574] dump_stack_lvl+0x33/0x42\n[ 662.815581] __schedule_bug.cold.147+0x7d/0x8a\n[ 662.815588] __schedule+0x798/0x990\n[ 662.815595] schedule+0x44/0xc0\n[ 662.815597] schedule_preempt_disabled+0x14/0x20\n[ 662.815600] __mutex_lock.isra.11+0x46c/0x490\n[ 662.815603] ? __ibdev_printk+0x76/0xc0 [ib_core]\n[ 662.815633] device_del+0x37/0x3d0\n[ 662.815639] ice_unplug_aux_dev+0x1a/0x40 [ice]\n[ 662.815674] ice_schedule_reset+0x3c/0xd0 [ice]\n[ 662.815693] irdma_iidc_event_handler.cold.7+0xb6/0xd3 [irdma]\n[ 662.815712] ? bitmap_find_next_zero_area_off+0x45/0xa0\n[ 662.815719] ice_send_event_to_aux+0x54/0x70 [ice]\n[ 662.815741] ice_misc_intr+0x21d/0x2d0 [ice]\n[ 662.815756] __handle_irq_event_percpu+0x4c/0x180\n[ 662.815762] handle_irq_event_percpu+0xf/0x40\n[ 662.815764] handle_irq_event+0x34/0x60\n[ 662.815766] handle_edge_irq+0x9a/0x1c0\n[ 662.815770] __common_interrupt+0x62/0x100\n[ 662.815774] common_interrupt+0xb4/0xd0\n[ 662.815779] \n[ 662.815780] \n[ 662.815780] asm_common_interrupt+0x1e/0x40\n[ 662.815785] RIP: 0010:cpuidle_enter_state+0xd6/0x380\n[ 662.815789] Code: 49 89 c4 0f 1f 44 00 00 31 ff e8 65 d7 95 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 64 02 00 00 31 ff e8 ae c5 9c ff fb 45 85 f6 <0f> 88 12 01 00 00 49 63 d6 4c 2b 24 24 48 8d 04 52 48 8d 04 82 49\n[ 662.815791] RSP: 0018:ff2c2c4f18edbe80 EFLAGS: 00000202\n[ 662.815793] RAX: ff280805df140000 RBX: 0000000000000002 RCX: 000000000000001f\n[ 662.815795] RDX: 0000009a52da2d08 R\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48653" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48654", + "dataSource": "https://ubuntu.com/security/CVE-2022-48654", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48654" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48654", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48654", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/559c36c5a8d730c49ef805a72b213d3bba155cc8", + "https://git.kernel.org/stable/c/5d75fef3e61e797fab5c3fbba88caa74ab92ad47", + "https://git.kernel.org/stable/c/633c81c0449663f57d4138326d036dc6cfad674e", + "https://git.kernel.org/stable/c/721ea8ac063d70c2078c4e762212705de6151764", + "https://git.kernel.org/stable/c/816eab147e5c6f6621922b8515ad9010ceb1735e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()\n\nnf_osf_find() incorrectly returns true on mismatch, this leads to\ncopying uninitialized memory area in nft_osf which can be used to leak\nstale kernel stack data to userspace.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48654" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48656", + "dataSource": "https://ubuntu.com/security/CVE-2022-48656", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48656" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48656", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48656", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/a17df55bf6d536712da6902a83db82b82e67d5a2", + "https://git.kernel.org/stable/c/aa11dae059a439af82bae541b134f8f53ac177b5", + "https://git.kernel.org/stable/c/dd5a6c5a08752b613e83ad2cb5133e72a64b876d", + "https://git.kernel.org/stable/c/f9fdb0b86f087c2b7f6c6168dd0985a3c1eda87e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get()\n\nWe should call of_node_put() for the reference returned by\nof_parse_phandle() in fail path or when it is not used anymore.\nHere we only need to move the of_node_put() before the check.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48656" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48658", + "dataSource": "https://ubuntu.com/security/CVE-2022-48658", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48658" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48658", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48658", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/61703b248be993eb4997b00ae5d3318e6d8f3c5b", + "https://git.kernel.org/stable/c/df6cb39335cf5a1b918e8dbd8ba7cd9f1d00e45a", + "https://git.kernel.org/stable/c/e45cc288724f0cfd497bb5920bcfa60caa335729" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.\n\nCommit 5a836bf6b09f (\"mm: slub: move flush_cpu_slab() invocations\n__free_slab() invocations out of IRQ context\") moved all flush_cpu_slab()\ninvocations to the global workqueue to avoid a problem related\nwith deactivate_slab()/__free_slab() being called from an IRQ context\non PREEMPT_RT kernels.\n\nWhen the flush_all_cpu_locked() function is called from a task context\nit may happen that a workqueue with WQ_MEM_RECLAIM bit set ends up\nflushing the global workqueue, this will cause a dependency issue.\n\n workqueue: WQ_MEM_RECLAIM nvme-delete-wq:nvme_delete_ctrl_work [nvme_core]\n is flushing !WQ_MEM_RECLAIM events:flush_cpu_slab\n WARNING: CPU: 37 PID: 410 at kernel/workqueue.c:2637\n check_flush_dependency+0x10a/0x120\n Workqueue: nvme-delete-wq nvme_delete_ctrl_work [nvme_core]\n RIP: 0010:check_flush_dependency+0x10a/0x120[ 453.262125] Call Trace:\n __flush_work.isra.0+0xbf/0x220\n ? __queue_work+0x1dc/0x420\n flush_all_cpus_locked+0xfb/0x120\n __kmem_cache_shutdown+0x2b/0x320\n kmem_cache_destroy+0x49/0x100\n bioset_exit+0x143/0x190\n blk_release_queue+0xb9/0x100\n kobject_cleanup+0x37/0x130\n nvme_fc_ctrl_free+0xc6/0x150 [nvme_fc]\n nvme_free_ctrl+0x1ac/0x2b0 [nvme_core]\n\nFix this bug by creating a workqueue for the flush operation with\nthe WQ_MEM_RECLAIM bit set.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48658" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48659", + "dataSource": "https://ubuntu.com/security/CVE-2022-48659", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48659" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48659", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48659", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/016b150992eebc32c4a18f783cf2bb6e2545a3d9", + "https://git.kernel.org/stable/c/02bcd951aa3c2cea95fb241c20802e9501940296", + "https://git.kernel.org/stable/c/2d6e55e0c03804e1e227b80a5746e086d6c6696c", + "https://git.kernel.org/stable/c/379ac7905ff3f0a6a4e507d3e9f710ec4fab9124", + "https://git.kernel.org/stable/c/7e9c323c52b379d261a72dc7bd38120a761a93cd", + "https://git.kernel.org/stable/c/a1d83a19cec3bfeb2b3547a1f7631e432a766d1c", + "https://git.kernel.org/stable/c/e9219fa63c5c25804af82c7aa54d1ec770ebe457", + "https://git.kernel.org/stable/c/e996821717c5cf8aa1e1abdb6b3d900a231e3755" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: fix to return errno if kmalloc() fails\n\nIn create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to\nout-of-memory, if it fails, return errno correctly rather than\ntriggering panic via BUG_ON();\n\nkernel BUG at mm/slub.c:5893!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\n\nCall trace:\n sysfs_slab_add+0x258/0x260 mm/slub.c:5973\n __kmem_cache_create+0x60/0x118 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335\n kmem_cache_create+0x1c/0x28 mm/slab_common.c:390\n f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]\n f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808\n f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149\n mount_bdev+0x1b8/0x210 fs/super.c:1400\n f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512\n legacy_get_tree+0x30/0x74 fs/fs_context.c:610\n vfs_get_tree+0x40/0x140 fs/super.c:1530\n do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040\n path_mount+0x358/0x914 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48659" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48660", + "dataSource": "https://ubuntu.com/security/CVE-2022-48660", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48660" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48660", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48660", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/657803b918e097e47d99d1489da83a603c36bcdd", + "https://git.kernel.org/stable/c/69bef19d6b9700e96285f4b4e28691cda3dcd0d1", + "https://git.kernel.org/stable/c/97da736cd11ae73bdf2f5e21e24446b8349e0168", + "https://git.kernel.org/stable/c/b1489043d3b9004dd8d5a0357b08b5f0e6691c43" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Set lineevent_state::irq after IRQ register successfully\n\nWhen running gpio test on nxp-ls1028 platform with below command\ngpiomon --num-events=3 --rising-edge gpiochip1 25\nThere will be a warning trace as below:\nCall trace:\nfree_irq+0x204/0x360\nlineevent_free+0x64/0x70\ngpio_ioctl+0x598/0x6a0\n__arm64_sys_ioctl+0xb4/0x100\ninvoke_syscall+0x5c/0x130\n......\nel0t_64_sync+0x1a0/0x1a4\nThe reason of this issue is that calling request_threaded_irq()\nfunction failed, and then lineevent_free() is invoked to release\nthe resource. Since the lineevent_state::irq was already set, so\nthe subsequent invocation of free_irq() would trigger the above\nwarning call trace. To fix this issue, set the lineevent_state::irq\nafter the IRQ register successfully.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48660" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48661", + "dataSource": "https://ubuntu.com/security/CVE-2022-48661", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48661" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48661", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48661", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/02743c4091ccfb246f5cdbbe3f44b152d5d12933", + "https://git.kernel.org/stable/c/41f857033c44442a27f591fda8d986e7c9e42872", + "https://git.kernel.org/stable/c/9b26723e058faaf11b532fb4aa16d6849d581790" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mockup: Fix potential resource leakage when register a chip\n\nIf creation of software node fails, the locally allocated string\narray is left unfreed. Free it on error path.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48661" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48664", + "dataSource": "https://ubuntu.com/security/CVE-2022-48664", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48664" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48664", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48664", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6ac5b52e3f352f9cb270c89e6e1d4dadb564ddb8", + "https://git.kernel.org/stable/c/a362bb864b8db4861977d00bd2c3222503ccc34b", + "https://git.kernel.org/stable/c/c338bea1fec5504290dc0acf026c9e7dba25004b", + "https://git.kernel.org/stable/c/d8a76a2e514fbbb315a6dfff2d342de2de833994" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix hang during unmount when stopping a space reclaim worker\n\nOften when running generic/562 from fstests we can hang during unmount,\nresulting in a trace like this:\n\n Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00\n Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.\n Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1\n Sep 07 11:55:32 debian9 kernel: \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000\n Sep 07 11:55:32 debian9 kernel: Call Trace:\n Sep 07 11:55:32 debian9 kernel: \n Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0\n Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70\n Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0\n Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130\n Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0\n Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420\n Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0\n Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200\n Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0\n Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530\n Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140\n Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30\n Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0\n Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]\n Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170\n Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]\n Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0\n Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120\n Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30\n Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]\n Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0\n Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160\n Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0\n Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0\n Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40\n Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90\n Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd\n Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7\n Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7\n Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0\n Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570\n Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000\n Sep 07 11:55:32 debian9 kernel: \n\nWhat happens is the following:\n\n1) The cleaner kthread tries to start a transaction to delete an unused\n block group, but the metadata reservation can not be satisfied right\n away, so a reservation ticket is created and it starts the async\n metadata reclaim task (fs_info->async_reclaim_work);\n\n2) Writeback for all the filler inodes with an i_size of 2K starts\n (generic/562 creates a lot of 2K files with the goal of filling\n metadata space). We try to create an inline extent for them, but we\n fail when trying to insert the inline extent with -ENOSPC (at\n cow_file_range_inline()) - since this is not critical, we fallback\n to non-inline mode (back to cow_file_range()), reserve extents\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48664" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48666", + "dataSource": "https://ubuntu.com/security/CVE-2022-48666", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48666" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48666", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48666", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a", + "https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f", + "https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506", + "https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix a use-after-free\n\nThere are two .exit_cmd_priv implementations. Both implementations use\nresources associated with the SCSI host. Make sure that these resources are\nstill available when .exit_cmd_priv is called by waiting inside\nscsi_remove_host() until the tag set has been freed.\n\nThis commit fixes the following use-after-free:\n\n==================================================================\nBUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\nRead of size 8 at addr ffff888100337000 by task multipathd/16727\nCall Trace:\n \n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n kasan_report+0xab/0x120\n srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\n scsi_mq_exit_request+0x4d/0x70\n blk_mq_free_rqs+0x143/0x410\n __blk_mq_free_map_and_rqs+0x6e/0x100\n blk_mq_free_tag_set+0x2b/0x160\n scsi_host_dev_release+0xf3/0x1a0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_device_dev_release_usercontext+0x4c1/0x4e0\n execute_in_process_context+0x23/0x90\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_disk_release+0x3f/0x50\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n disk_release+0x17f/0x1b0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n dm_put_table_device+0xa3/0x160 [dm_mod]\n dm_put_device+0xd0/0x140 [dm_mod]\n free_priority_group+0xd8/0x110 [dm_multipath]\n free_multipath+0x94/0xe0 [dm_multipath]\n dm_table_destroy+0xa2/0x1e0 [dm_mod]\n __dm_destroy+0x196/0x350 [dm_mod]\n dev_remove+0x10c/0x160 [dm_mod]\n ctl_ioctl+0x2c2/0x590 [dm_mod]\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.4, + "exploitabilityScore": 1.4, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48666" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48667", + "dataSource": "https://ubuntu.com/security/CVE-2022-48667", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48667" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48667", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48667", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0cdde8460c304283d4ebe3f767a70215d1ab9d4e", + "https://git.kernel.org/stable/c/9c8b7a293f50253e694f19161c045817a938e551" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix temporary data corruption in insert range\n\ninsert range doesn't discard the affected cached region\nso can risk temporarily corrupting file data.\n\nAlso includes some minor cleanup (avoiding rereading\ninode size repeatedly unnecessarily) to make it clearer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48667" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48668", + "dataSource": "https://ubuntu.com/security/CVE-2022-48668", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48668" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48668", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48668", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/49523a4732204bdacbf3941a016503ddb4ddb3b9", + "https://git.kernel.org/stable/c/fa30a81f255a56cccd89552cd6ce7ea6e8d8acc4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix temporary data corruption in collapse range\n\ncollapse range doesn't discard the affected cached region\nso can risk temporarily corrupting the file data. This\nfixes xfstest generic/031\n\nI also decided to merge a minor cleanup to this into the same patch\n(avoiding rereading inode size repeatedly unnecessarily) to make it\nclearer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48668" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48672", + "dataSource": "https://ubuntu.com/security/CVE-2022-48672", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48672" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48672", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48672", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2133f451311671c7c42b5640d2b999326b39aa0e", + "https://git.kernel.org/stable/c/2566706ac6393386a4e7c4ce23fe17f4c98d9aa0", + "https://git.kernel.org/stable/c/2f945a792f67815abca26fa8a5e863ccf3fa1181", + "https://git.kernel.org/stable/c/ba6b9f7cc1108bad6e2c53b1d6e0156379188db7", + "https://git.kernel.org/stable/c/cbdda20ce363356698835185801a58a28f644853", + "https://git.kernel.org/stable/c/e0e88c25f88b9805572263c9ed20f1d88742feaf", + "https://git.kernel.org/stable/c/ee4369260e77821602102dcc7d792de39a56365c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: fdt: fix off-by-one error in unflatten_dt_nodes()\n\nCommit 78c44d910d3e (\"drivers/of: Fix depth when unflattening devicetree\")\nforgot to fix up the depth check in the loop body in unflatten_dt_nodes()\nwhich makes it possible to overflow the nps[] buffer...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48672" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48673", + "dataSource": "https://ubuntu.com/security/CVE-2022-48673", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48673" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48673", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48673", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/89fcb70f1acd6b0bbf2f7bfbf45d7aa75a9bdcde", + "https://git.kernel.org/stable/c/e9b1a4f867ae9c1dbd1d71cd09cbdb3239fb4968" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix possible access to freed memory in link clear\n\nAfter modifying the QP to the Error state, all RX WR would be completed\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\nwait for it is done, but destroy the QP and free the link group directly.\nSo there is a risk that accessing the freed memory in tasklet context.\n\nHere is a crash example:\n\n BUG: unable to handle page fault for address: ffffffff8f220860\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\n Oops: 0002 [#1] SMP PTI\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\n FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n _raw_spin_lock_irqsave+0x30/0x40\n mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\n smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\n tasklet_action_common.isra.21+0x66/0x100\n __do_softirq+0xd5/0x29c\n asm_call_irq_on_stack+0x12/0x20\n \n do_softirq_own_stack+0x37/0x40\n irq_exit_rcu+0x9d/0xa0\n sysvec_call_function_single+0x34/0x80\n asm_sysvec_call_function_single+0x12/0x20", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48673" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48675", + "dataSource": "https://ubuntu.com/security/CVE-2022-48675", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48675" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48675", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48675", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/819110054b14d7272b4188db997a3d80f75ab785", + "https://git.kernel.org/stable/c/83c43fd872e32c8071d5582eb7c40f573a8342f3", + "https://git.kernel.org/stable/c/85eaeb5058f0f04dffb124c97c86b4f18db0b833", + "https://git.kernel.org/stable/c/e8de6cb5755eae7b793d8c00c8696c8667d44a7f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Fix a nested dead lock as part of ODP flow\n\nFix a nested dead lock as part of ODP flow by using mmput_async().\n\nFrom the below call trace [1] can see that calling mmput() once we have\nthe umem_odp->umem_mutex locked as required by\nib_umem_odp_map_dma_and_lock() might trigger in the same task the\nexit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which\nmay dead lock when trying to lock the same mutex.\n\nMoving to use mmput_async() will solve the problem as the above\nexit_mmap() flow will be called in other task and will be executed once\nthe lock will be available.\n\n[1]\n[64843.077665] task:kworker/u133:2 state:D stack: 0 pid:80906 ppid:\n2 flags:0x00004000\n[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]\n[64843.077719] Call Trace:\n[64843.077722] \n[64843.077724] __schedule+0x23d/0x590\n[64843.077729] schedule+0x4e/0xb0\n[64843.077735] schedule_preempt_disabled+0xe/0x10\n[64843.077740] __mutex_lock.constprop.0+0x263/0x490\n[64843.077747] __mutex_lock_slowpath+0x13/0x20\n[64843.077752] mutex_lock+0x34/0x40\n[64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib]\n[64843.077808] __mmu_notifier_release+0x1a4/0x200\n[64843.077816] exit_mmap+0x1bc/0x200\n[64843.077822] ? walk_page_range+0x9c/0x120\n[64843.077828] ? __cond_resched+0x1a/0x50\n[64843.077833] ? mutex_lock+0x13/0x40\n[64843.077839] ? uprobe_clear_state+0xac/0x120\n[64843.077860] mmput+0x5f/0x140\n[64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core]\n[64843.077931] pagefault_real_mr+0x9a/0x140 [mlx5_ib]\n[64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib]\n[64843.077992] pagefault_single_data_segment.constprop.0+0x2ac/0x560\n[mlx5_ib]\n[64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib]\n[64843.078051] process_one_work+0x22b/0x3d0\n[64843.078059] worker_thread+0x53/0x410\n[64843.078065] ? process_one_work+0x3d0/0x3d0\n[64843.078073] kthread+0x12a/0x150\n[64843.078079] ? set_kthread_struct+0x50/0x50\n[64843.078085] ret_from_fork+0x22/0x30\n[64843.078093] ", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48675" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48686", + "dataSource": "https://ubuntu.com/security/CVE-2022-48686", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48686" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48686", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48686", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/13c80a6c112467bab5e44d090767930555fc17a5", + "https://git.kernel.org/stable/c/160f3549a907a50e51a8518678ba2dcf2541abea", + "https://git.kernel.org/stable/c/19816a0214684f70b49b25075ff8c402fdd611d3", + "https://git.kernel.org/stable/c/5914fa32ef1b7766fea933f9eed94ac5c00aa7ff", + "https://git.kernel.org/stable/c/c3eb461aa56e6fa94fb80442ba2586bd223a8886" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix UAF when detecting digest errors\n\nWe should also bail from the io_work loop when we set rd_enabled to true,\nso we don't attempt to read data from the socket when the TCP stream is\nalready out-of-sync or corrupted.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48686" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48687", + "dataSource": "https://ubuntu.com/security/CVE-2022-48687", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48687" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48687", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48687", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa", + "https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c", + "https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093", + "https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3", + "https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35", + "https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864", + "https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix out-of-bounds read when setting HMAC data.\n\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\nSegment Routing Headers. This configuration is realised via netlink through\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\nlength of the SECRET attribute, it is possible to provide invalid combinations\n(e.g., secret = \"\", secretlen = 64). This case is not checked in the code and\nwith an appropriately crafted netlink message, an out-of-bounds read of up\nto 64 bytes (max secret length) can occur past the skb end pointer and into\nskb_shared_info:\n\nBreakpoint 1, seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\n208\t\tmemcpy(hinfo->secret, secret, slen);\n(gdb) bt\n #0 seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208\n #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\n extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=,\n family=) at net/netlink/genetlink.c:731\n #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\n family=0xffffffff82fef6c0 ) at net/netlink/genetlink.c:775\n #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\n #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 )\n at net/netlink/af_netlink.c:2501\n #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\n #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\n at net/netlink/af_netlink.c:1319\n #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=)\n at net/netlink/af_netlink.c:1345\n #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=, msg=0xffffc90000ba7e48, len=) at net/netlink/af_netlink.c:1921\n...\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end\n$1 = 0xffff88800b1b76c0\n(gdb) p/x secret\n$2 = 0xffff88800b1b76c0\n(gdb) p slen\n$3 = 64 '@'\n\nThe OOB data can then be read back from userspace by dumping HMAC state. This\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\nSECRET.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48687" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48688", + "dataSource": "https://ubuntu.com/security/CVE-2022-48688", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48688" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48688", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48688", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2ed94383f3a2693dbf5bc47c514b42524bd8f9ae", + "https://git.kernel.org/stable/c/342d77769a6cceb3df7720a1e18baa4339eee3fc", + "https://git.kernel.org/stable/c/38af35bec59a8431a1eb29da994a0a45cba275d9", + "https://git.kernel.org/stable/c/5332a094514852d5e58c278cf4193adb937337fc", + "https://git.kernel.org/stable/c/c49f320e2492738d478bc427dcd54ccfe0cba746", + "https://git.kernel.org/stable/c/fb8396aeda5872369a8ed6d2301e2c86e303c520" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during module removal\n\nThe driver incorrectly frees client instance and subsequent\ni40e module removal leads to kernel crash.\n\nReproducer:\n1. Do ethtool offline test followed immediately by another one\nhost# ethtool -t eth0 offline; ethtool -t eth0 offline\n2. Remove recursively irdma module that also removes i40e module\nhost# modprobe -r irdma\n\nResult:\n[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110\n[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2\n[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01\n[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1\n[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[ 8687.768755] #PF: supervisor read access in kernel mode\n[ 8687.773895] #PF: error_code(0x0000) - not-present page\n[ 8687.779034] PGD 0 P4D 0\n[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2\n[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019\n[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e]\n[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b\n[ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202\n[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000\n[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000\n[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000\n[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0\n[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008\n[ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000\n[ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0\n[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8687.905572] PKRU: 55555554\n[ 8687.908286] Call Trace:\n[ 8687.910737] \n[ 8687.912843] i40e_remove+0x2c0/0x330 [i40e]\n[ 8687.917040] pci_device_remove+0x33/0xa0\n[ 8687.920962] device_release_driver_internal+0x1aa/0x230\n[ 8687.926188] driver_detach+0x44/0x90\n[ 8687.929770] bus_remove_driver+0x55/0xe0\n[ 8687.933693] pci_unregister_driver+0x2a/0xb0\n[ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e]\n\nTwo offline tests cause IRDMA driver failure (ETIMEDOUT) and this\nfailure is indicated back to i40e_client_subtask() that calls\ni40e_client_del_instance() to free client instance referenced\nby pf->cinst and sets this pointer to NULL. During the module\nremoval i40e_remove() calls i40e_lan_del_device() that dereferences\npf->cinst that is NULL -> crash.\nDo not remove client instance when client open callbacks fails and\njust clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs\nto take care about this situation (when netdev is up and client\nis NOT opened) in i40e_notify_client_of_netdev_close() and\ncalls client close callback only when __I40E_CLIENT_INSTANCE_OPENED\nis set.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48688" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48689", + "dataSource": "https://ubuntu.com/security/CVE-2022-48689", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48689" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48689", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48689", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3261400639463a853ba2b3be8bd009c2a8089775", + "https://git.kernel.org/stable/c/6730c48ed6b0cd939fc9b30b2d621ce0b89bea83", + "https://git.kernel.org/stable/c/8527c9a6bf8e54fef0a8d3d7d8874a48c725c915" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: TX zerocopy should not sense pfmemalloc status\n\nWe got a recent syzbot report [1] showing a possible misuse\nof pfmemalloc page status in TCP zerocopy paths.\n\nIndeed, for pages coming from user space or other layers,\nusing page_is_pfmemalloc() is moot, and possibly could give\nfalse positives.\n\nThere has been attempts to make page_is_pfmemalloc() more robust,\nbut not using it in the first place in this context is probably better,\nremoving cpu cycles.\n\nNote to stable teams :\n\nYou need to backport 84ce071e38a6 (\"net: introduce\n__skb_fill_page_desc_noacc\") as a prereq.\n\nRace is more probable after commit c07aea3ef4d4\n(\"mm: add a signature in struct page\") because page_is_pfmemalloc()\nis now using low order bit from page->lru.next, which can change\nmore often than page->index.\n\nLow order bit should never be set for lru.next (when used as an anchor\nin LRU list), so KCSAN report is mostly a false positive.\n\nBackporting to older kernel versions seems not necessary.\n\n[1]\nBUG: KCSAN: data-race in lru_add_fn / tcp_build_frag\n\nwrite to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:\n__list_add include/linux/list.h:73 [inline]\nlist_add include/linux/list.h:88 [inline]\nlruvec_add_folio include/linux/mm_inline.h:105 [inline]\nlru_add_fn+0x440/0x520 mm/swap.c:228\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\nfolio_batch_add_and_move mm/swap.c:263 [inline]\nfolio_add_lru+0xf1/0x140 mm/swap.c:490\nfilemap_add_folio+0xf8/0x150 mm/filemap.c:948\n__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981\npagecache_get_page+0x26/0x190 mm/folio-compat.c:104\ngrab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116\next4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988\ngeneric_perform_write+0x1d4/0x3f0 mm/filemap.c:3738\next4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270\next4_file_write_iter+0x2e3/0x1210\ncall_write_iter include/linux/fs.h:2187 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x468/0x760 fs/read_write.c:578\nksys_write+0xe8/0x1a0 fs/read_write.c:631\n__do_sys_write fs/read_write.c:643 [inline]\n__se_sys_write fs/read_write.c:640 [inline]\n__x64_sys_write+0x3e/0x50 fs/read_write.c:640\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:\npage_is_pfmemalloc include/linux/mm.h:1740 [inline]\n__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]\nskb_fill_page_desc include/linux/skbuff.h:2443 [inline]\ntcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018\ndo_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075\ntcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]\ntcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150\ninet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833\nkernel_sendpage+0x184/0x300 net/socket.c:3561\nsock_sendpage+0x5a/0x70 net/socket.c:1054\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\nsplice_from_pipe_feed fs/splice.c:415 [inline]\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\nsplice_from_pipe fs/splice.c:594 [inline]\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\ndo_splice_from fs/splice.c:764 [inline]\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1249\n__do_sys_sendfile64 fs/read_write.c:1317 [inline]\n__se_sys_sendfile64 fs/read_write.c:1303 [inline]\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x0000000000000000 -> 0xffffea0004a1d288\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48689" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48691", + "dataSource": "https://ubuntu.com/security/CVE-2022-48691", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48691" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48691", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48691", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1ce55ec5cb7c573c983dffbe290b8d17caf1f157", + "https://git.kernel.org/stable/c/77972a36ecc4db7fc7c68f0e80714263c5f03f65", + "https://git.kernel.org/stable/c/910891a2a44cdc49efcc4fe7459c1085ba00d0f4", + "https://git.kernel.org/stable/c/94ed8eeb8d9aeb00e4f4e19b83a2e28b6442fbc5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: clean up hook list when offload flags check fails\n\nsplice back the hook list so nft_chain_release_hook() has a chance to\nrelease the hooks.\n\nBUG: memory leak\nunreferenced object 0xffff88810180b100 (size 96):\n comm \"syz-executor133\", pid 3619, jiffies 4294945714 (age 12.690s)\n hex dump (first 32 bytes):\n 28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff (d#.....(d#.....\n 90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff ................\n backtrace:\n [] kmalloc include/linux/slab.h:600 [inline]\n [] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901\n [] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline]\n [] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073\n [] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218\n [] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593\n [] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517\n [] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline]\n [] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656\n [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n [] sock_sendmsg_nosec net/socket.c:714 [inline]\n [] sock_sendmsg+0x56/0x80 net/socket.c:734\n [] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482\n [] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\n [] __sys_sendmsg+0x88/0x100 net/socket.c:2565\n [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [] entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48691" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48692", + "dataSource": "https://ubuntu.com/security/CVE-2022-48692", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48692" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48692", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48692", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/12f35199a2c0551187edbf8eb01379f0598659fa", + "https://git.kernel.org/stable/c/a8edd49c94b4b08019ed7d6dd794fca8078a4deb", + "https://git.kernel.org/stable/c/f022576aa03c2385ea7f2b27ee5b331e43abf624", + "https://git.kernel.org/stable/c/f2c70f56f762e5dc3b0d7dc438fbb137cb116413" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Set scmnd->result only when scmnd is not NULL\n\nThis change fixes the following kernel NULL pointer dereference\nwhich is reproduced by blktests srp/007 occasionally.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000170\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014\nWorkqueue: 0x0 (kblockd)\nRIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]\nCode: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9\nRSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282\nRAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000\nRDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff\nRBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001\nR10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000\nR13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0\nCall Trace:\n \n __ib_process_cq+0xb7/0x280 [ib_core]\n ib_poll_handler+0x2b/0x130 [ib_core]\n irq_poll_softirq+0x93/0x150\n __do_softirq+0xee/0x4b8\n irq_exit_rcu+0xf7/0x130\n sysvec_apic_timer_interrupt+0x8e/0xc0\n ", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48692" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48693", + "dataSource": "https://ubuntu.com/security/CVE-2022-48693", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48693" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48693", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48693", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0284b4e6dec6088a41607aa3f42bf51edff01883", + "https://git.kernel.org/stable/c/1085f5080647f0c9f357c270a537869191f7f2a1", + "https://git.kernel.org/stable/c/43245c77d9efd8c9eb91bf225d07954dcf32204d", + "https://git.kernel.org/stable/c/57b2897ec3ffe4cbe018446be6d04432919dca6b", + "https://git.kernel.org/stable/c/653500b400d5576940b7429690f7197199ddcc82", + "https://git.kernel.org/stable/c/6dc0251638a4a1a998506dbd4627f8317e907558" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\n\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\n\n(1) we need to add of_node_put() when for_each__matching_node() breaks\n(2) we need to add iounmap() for each iomap in fail path", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48693" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48695", + "dataSource": "https://ubuntu.com/security/CVE-2022-48695", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48695" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48695", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48695", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/41acb064c4e013808bc7d5fc1b506fa449425b0b", + "https://git.kernel.org/stable/c/5682c94644fde72f72bded6580c38189ffc856b5", + "https://git.kernel.org/stable/c/6229fa494a5949be209bc73afbc5d0a749c2e3c7", + "https://git.kernel.org/stable/c/82efb917eeb27454dc4c6fe26432fc8f6c75bc16", + "https://git.kernel.org/stable/c/991df3dd5144f2e6b1c38b8d20ed3d4d21e20b34", + "https://git.kernel.org/stable/c/b8fc9e91b931215110ba824d1a2983c5f60b6f82", + "https://git.kernel.org/stable/c/d4959d09b76eb7a4146f5133962b88d3bddb63d6", + "https://git.kernel.org/stable/c/ea10a652ad2ae2cf3eced6f632a5c98f26727057" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use-after-free warning\n\nFix the following use-after-free warning which is observed during\ncontroller reset:\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48695" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48697", + "dataSource": "https://ubuntu.com/security/CVE-2022-48697", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48697" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48697", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48697", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17f121ca3ec6be0fb32d77c7f65362934a38cc8e", + "https://git.kernel.org/stable/c/4484ce97a78171668c402e0c45db7f760aea8060", + "https://git.kernel.org/stable/c/6a02a61e81c231cc5c680c5dbf8665275147ac52", + "https://git.kernel.org/stable/c/8d66989b5f7bb28bba2f8e1e2ffc8bfef4a10717", + "https://git.kernel.org/stable/c/be01f1c988757b95f11f090a9f491365670a522b", + "https://git.kernel.org/stable/c/ebf46da50beb78066674354ad650606a467e33fa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a use-after-free\n\nFix the following use-after-free complaint triggered by blktests nvme/004:\n\nBUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350\nRead of size 4 at addr 0000607bd1835943 by task kworker/13:1/460\nWorkqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\nCall Trace:\n show_stack+0x52/0x58\n dump_stack_lvl+0x49/0x5e\n print_report.cold+0x36/0x1e2\n kasan_report+0xb9/0xf0\n __asan_load4+0x6b/0x80\n blk_mq_complete_request_remote+0xac/0x350\n nvme_loop_queue_response+0x1df/0x275 [nvme_loop]\n __nvmet_req_complete+0x132/0x4f0 [nvmet]\n nvmet_req_complete+0x15/0x40 [nvmet]\n nvmet_execute_io_connect+0x18a/0x1f0 [nvmet]\n nvme_loop_execute_work+0x20/0x30 [nvme_loop]\n process_one_work+0x56e/0xa70\n worker_thread+0x2d1/0x640\n kthread+0x183/0x1c0\n ret_from_fork+0x1f/0x30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48697" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48698", + "dataSource": "https://ubuntu.com/security/CVE-2022-48698", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48698" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48698", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48698", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3a6279d243cb035eaaff1450980b40cf19748f05", + "https://git.kernel.org/stable/c/58acd2ebae034db3bacf38708f508fbd12ae2e54", + "https://git.kernel.org/stable/c/cbfac7fa491651c57926c99edeb7495c6c1aeac2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix memory leak when using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. Fix this up by properly\ncalling dput().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48698" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48699", + "dataSource": "https://ubuntu.com/security/CVE-2022-48699", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48699" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48699", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48699", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c32a93963e03c03e561d5a066eedad211880ba3", + "https://git.kernel.org/stable/c/26e9a1ded8923510e5529fbb28390b22228700c2", + "https://git.kernel.org/stable/c/c2e406596571659451f4b95e37ddfd5a8ef1d0dc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/debug: fix dentry leak in update_sched_domain_debugfs\n\nKuyo reports that the pattern of using debugfs_remove(debugfs_lookup())\nleaks a dentry and with a hotplug stress test, the machine eventually\nruns out of memory.\n\nFix this up by using the newly created debugfs_lookup_and_remove() call\ninstead which properly handles the dentry reference counting logic.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48699" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48700", + "dataSource": "https://ubuntu.com/security/CVE-2022-48700", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48700" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48700", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48700", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5321908ef74fb593e0dbc8737d25038fc86c9986", + "https://git.kernel.org/stable/c/578d644edc7d2c1ff53f7e4d0a25da473deb4a03", + "https://git.kernel.org/stable/c/5d721bf222936f5cf3ee15ced53cc483ecef7e46", + "https://git.kernel.org/stable/c/873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: Unpin zero pages\n\nThere's currently a reference count leak on the zero page. We increment\nthe reference via pin_user_pages_remote(), but the page is later handled\nas an invalid/reserved page, therefore it's not accounted against the\nuser and not unpinned by our put_pfn().\n\nIntroducing special zero page handling in put_pfn() would resolve the\nleak, but without accounting of the zero page, a single user could\nstill create enough mappings to generate a reference count overflow.\n\nThe zero page is always resident, so for our purposes there's no reason\nto keep it pinned. Therefore, add a loop to walk pages returned from\npin_user_pages_remote() and unpin any zero pages.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48700" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48701", + "dataSource": "https://ubuntu.com/security/CVE-2022-48701", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48701" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48701", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48701", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0492798bf8dfcc09c9337a1ba065da1d1ca68712", + "https://git.kernel.org/stable/c/2a308e415d247a23d4d64c964c02e782eede2936", + "https://git.kernel.org/stable/c/6123bec8480d23369e2ee0b2208611619f269faf", + "https://git.kernel.org/stable/c/8293e61bbf908b18ff9935238d4fc2ad359e3fe0", + "https://git.kernel.org/stable/c/91904870370fd986c29719846ed76d559de43251", + "https://git.kernel.org/stable/c/98e8e67395cc6d0cdf3a771f86ea42d0ee6e59dd", + "https://git.kernel.org/stable/c/b970518014f2f0f6c493fb86c1e092b936899061", + "https://git.kernel.org/stable/c/e53f47f6c1a56d2af728909f1cb894da6b43d9bf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()\n\nThere may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and\nthe number of it's interfaces less than 4, an out-of-bounds read bug occurs\nwhen parsing the interface descriptor for this device.\n\nFix this by checking the number of interfaces.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48701" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48702", + "dataSource": "https://ubuntu.com/security/CVE-2022-48702", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48702" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48702", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48702", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39a90720f3abe96625d1224e7a7463410875de4c", + "https://git.kernel.org/stable/c/4204a01ffce97cae1d59edc5848f02be5b2b9178", + "https://git.kernel.org/stable/c/45321a7d02b7cf9b3f97e3987fc1e4d649b82da2", + "https://git.kernel.org/stable/c/45814a53514e10a8014906c882e0d0d38df39cc1", + "https://git.kernel.org/stable/c/637c5310acb48fffcc5657568db3f3e9bc719bfa", + "https://git.kernel.org/stable/c/6b0e260ac3cf289e38446552461caa65e6dab275", + "https://git.kernel.org/stable/c/88aac6684cf8bc885cca15463cb4407e91f28ff7", + "https://git.kernel.org/stable/c/d29f59051d3a07b81281b2df2b8c9dfe4716067f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()\n\nThe voice allocator sometimes begins allocating from near the end of the\narray and then wraps around, however snd_emu10k1_pcm_channel_alloc()\naccesses the newly allocated voices as if it never wrapped around.\n\nThis results in out of bounds access if the first voice has a high enough\nindex so that first_voice + requested_voice_count > NUM_G (64).\nThe more voices are requested, the more likely it is for this to occur.\n\nThis was initially discovered using PipeWire, however it can be reproduced\nby calling aplay multiple times with 16 channels:\naplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero\n\nUBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40\nindex 65 is out of range for type 'snd_emu10k1_voice [64]'\nCPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7\nHardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010\nCall Trace:\n\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\nubsan_epilogue+0x9/0x3f\n__ubsan_handle_out_of_bounds.cold+0x44/0x49\nsnd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]\nsnd_pcm_hw_params+0x29f/0x600 [snd_pcm]\nsnd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]\n? exit_to_user_mode_prepare+0x35/0x170\n? do_syscall_64+0x69/0x90\n? syscall_exit_to_user_mode+0x26/0x50\n? do_syscall_64+0x69/0x90\n? exit_to_user_mode_prepare+0x35/0x170\nsnd_pcm_ioctl+0x27/0x40 [snd_pcm]\n__x64_sys_ioctl+0x95/0xd0\ndo_syscall_64+0x5c/0x90\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48702" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48703", + "dataSource": "https://ubuntu.com/security/CVE-2022-48703", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48703" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48703", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48703", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7931e28098a4c1a2a6802510b0cbe57546d2049d", + "https://git.kernel.org/stable/c/dae42083b045a4ddf71c57cf350cb2412b5915c2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR\n\nIn some case, the GDDV returns a package with a buffer which has\nzero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10).\n\nThen the data_vault_read() got NULL point dereference problem when\naccessing the 0x10 value in data_vault.\n\n[ 71.024560] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n\nThis patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or\nNULL value in data_vault.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48703" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48704", + "dataSource": "https://ubuntu.com/security/CVE-2022-48704", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48704" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48704", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48704", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16cb367daa446923d82e332537f446a4cc784b40", + "https://git.kernel.org/stable/c/4e25e8f27fdbdc6fd55cc572a9939bf24500b9e8", + "https://git.kernel.org/stable/c/5a7a5b2edac4b05abd744eeaebda46d9dacd952d", + "https://git.kernel.org/stable/c/826b46fd5974113515abe9e4fc8178009a8ce18c", + "https://git.kernel.org/stable/c/b878da58df2c40b08914d3960e2224040fd1fbfe", + "https://git.kernel.org/stable/c/c0a45f41fde4a0f2c900f719817493ee5c4a5aa3", + "https://git.kernel.org/stable/c/c72d97146fc5a4dff381b1737f6167e89860430d", + "https://git.kernel.org/stable/c/f461950fdc374a3ada5a63c669d997de4600dffe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: add a force flush to delay work when radeon\n\nAlthough radeon card fence and wait for gpu to finish processing current batch rings,\nthere is still a corner case that radeon lockup work queue may not be fully flushed,\nand meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to\nput device in D3hot state.\nPer PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.\n> Configuration and Message requests are the only TLPs accepted by a Function in\n> the D3hot state. All other received Requests must be handled as Unsupported Requests,\n> and all received Completions may optionally be handled as Unexpected Completions.\nThis issue will happen in following logs:\nUnable to handle kernel paging request at virtual address 00008800e0008010\nCPU 0 kworker/0:3(131): Oops 0\npc = [] ra = [] ps = 0000 Tainted: G W\npc is at si_gpu_check_soft_reset+0x3c/0x240\nra is at si_dma_is_lockup+0x34/0xd0\nv0 = 0000000000000000 t0 = fff08800e0008010 t1 = 0000000000010000\nt2 = 0000000000008010 t3 = fff00007e3c00000 t4 = fff00007e3c00258\nt5 = 000000000000ffff t6 = 0000000000000001 t7 = fff00007ef078000\ns0 = fff00007e3c016e8 s1 = fff00007e3c00000 s2 = fff00007e3c00018\ns3 = fff00007e3c00000 s4 = fff00007fff59d80 s5 = 0000000000000000\ns6 = fff00007ef07bd98\na0 = fff00007e3c00000 a1 = fff00007e3c016e8 a2 = 0000000000000008\na3 = 0000000000000001 a4 = 8f5c28f5c28f5c29 a5 = ffffffff810f4338\nt8 = 0000000000000275 t9 = ffffffff809b66f8 t10 = ff6769c5d964b800\nt11= 000000000000b886 pv = ffffffff811bea20 at = 0000000000000000\ngp = ffffffff81d89690 sp = 00000000aa814126\nDisabling lock debugging due to kernel taint\nTrace:\n[] si_dma_is_lockup+0x34/0xd0\n[] radeon_fence_check_lockup+0xd0/0x290\n[] process_one_work+0x280/0x550\n[] worker_thread+0x70/0x7c0\n[] worker_thread+0x130/0x7c0\n[] kthread+0x200/0x210\n[] worker_thread+0x0/0x7c0\n[] kthread+0x14c/0x210\n[] ret_from_kernel_thread+0x18/0x20\n[] kthread+0x0/0x210\n Code: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101\n <88210000> 4821ed21\nSo force lockup work queue flush to fix this problem.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48704" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48706", + "dataSource": "https://ubuntu.com/security/CVE-2022-48706", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48706" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48706", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48706", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5d2cc32c1c10bd889125d2adc16a6bc3338dcd3e", + "https://git.kernel.org/stable/c/6b04456e248761cf68f562f2fd7c04e591fcac94" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: ifcvf: Do proper cleanup if IFCVF init fails\n\nifcvf_mgmt_dev leaks memory if it is not freed before\nreturning. Call is made to correct return statement\nso memory does not leak. ifcvf_init_hw does not take\ncare of this so it is needed to do it here.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48706" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48708", + "dataSource": "https://ubuntu.com/security/CVE-2022-48708", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48708" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48708", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48708", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1177bdafe87cbe543a2dc48a9bbac265aa5864db", + "https://git.kernel.org/stable/c/2b763f7de108cb1a5ad5ed08e617d677341947cb", + "https://git.kernel.org/stable/c/6e2a0521e4e84a2698f2da3950fb5c5496a4d208", + "https://git.kernel.org/stable/c/71668706fbe7d20e6f172fa3287fa8aac1b56c26", + "https://git.kernel.org/stable/c/bcc487001a15f71f103d102cba4ac8145d7a68f2", + "https://git.kernel.org/stable/c/d2d73e6d4822140445ad4a7b1c6091e0f5fe703b", + "https://git.kernel.org/stable/c/e671e63587c92b3fd767cf82e73129f6d5feeb33" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: single: fix potential NULL dereference\n\nAdded checking of pointer \"function\" in pcs_set_mux().\npinmux_generic_get_function() can return NULL and the pointer\n\"function\" was dereferenced without checking against NULL.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48708" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48710", + "dataSource": "https://ubuntu.com/security/CVE-2022-48710", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48710" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48710", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48710", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/140d9807b96e1303f6f2675a7ae8710a2094bd17", + "https://git.kernel.org/stable/c/16a0f0b63c4c7eb46fc4c3f00bf2836e6ee46a9f", + "https://git.kernel.org/stable/c/28fd384c78d7d8ed8af0d086d778c3e438ba7f60", + "https://git.kernel.org/stable/c/7b7fba107b2c4ec7673d0f45bdbb9d1af697d9b9", + "https://git.kernel.org/stable/c/8a89bfeef9abe93371e3ea8796377f2d132eee29", + "https://git.kernel.org/stable/c/a2b28708b645c5632dc93669ab06e97874c8244f", + "https://git.kernel.org/stable/c/b33f7d99c9226892c7794dc2500fae35966020c9", + "https://git.kernel.org/stable/c/e938d24f0b7392e142b8aa434f18590d99dbe479", + "https://git.kernel.org/stable/c/fee8ae0a0bb66eb7730c22f44fbd7203f63c2eab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix a possible null pointer dereference\n\nIn radeon_fp_native_mode(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.\n\nThe failure status of drm_cvt_mode() on the other path is checked too.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48710" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48744", + "dataSource": "https://ubuntu.com/security/CVE-2022-48744", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48744" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48744", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48744", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e", + "https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid field-overflowing memcpy()\n\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\n\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\n\nWe were doing:\n\n\t#define ETH_HLEN 14\n\t#define VLAN_HLEN 4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n struct mlx5_wqe_eth_seg *eseg = &wqe->eth;\n struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\n\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\n\nstruct mlx5e_tx_wqe {\n struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */\n struct mlx5_wqe_eth_seg eth; /* 16 16 */\n struct mlx5_wqe_data_seg data[]; /* 32 0 */\n\n /* size: 32, cachelines: 1, members: 3 */\n /* last cacheline: 32 bytes */\n};\n\nstruct mlx5_wqe_eth_seg {\n u8 swp_outer_l4_offset; /* 0 1 */\n u8 swp_outer_l3_offset; /* 1 1 */\n u8 swp_inner_l4_offset; /* 2 1 */\n u8 swp_inner_l3_offset; /* 3 1 */\n u8 cs_flags; /* 4 1 */\n u8 swp_flags; /* 5 1 */\n __be16 mss; /* 6 2 */\n __be32 flow_table_metadata; /* 8 4 */\n union {\n struct {\n __be16 sz; /* 12 2 */\n u8 start[2]; /* 14 2 */\n } inline_hdr; /* 12 4 */\n struct {\n __be16 type; /* 12 2 */\n __be16 vlan_tci; /* 14 2 */\n } insert; /* 12 4 */\n __be32 trailer; /* 12 4 */\n }; /* 12 4 */\n\n /* size: 16, cachelines: 1, members: 9 */\n /* last cacheline: 16 bytes */\n};\n\nstruct mlx5_wqe_data_seg {\n __be32 byte_count; /* 0 4 */\n __be32 lkey; /* 4 4 */\n __be64 addr; /* 8 8 */\n\n /* size: 16, cachelines: 1, members: 3 */\n /* last cacheline: 16 bytes */\n};\n\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\n\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48744" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48766", + "dataSource": "https://ubuntu.com/security/CVE-2022-48766", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48766" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48766", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48766", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/25f1488bdbba63415239ff301fe61a8546140d9f", + "https://git.kernel.org/stable/c/456ba2433844a6483cc4c933aa8f43d24575e341" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wrap dcn301_calculate_wm_and_dlg for FPU.\n\nMirrors the logic for dcn30. Cue lots of WARNs and some\nkernel panics without this fix.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48766" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48771", + "dataSource": "https://ubuntu.com/security/CVE-2022-48771", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48771" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48771", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48771", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d", + "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565", + "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c", + "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82", + "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c", + "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414", + "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48771" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48772", + "dataSource": "https://ubuntu.com/security/CVE-2022-48772", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48772" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48772", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48772", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/526238d32c3acc3d597fd8c9a34652bfe9086cea", + "https://git.kernel.org/stable/c/7d12e918f2994c883f41f22552a61b9310fa1e87", + "https://git.kernel.org/stable/c/8915dcd29a82096acacf54364a8425363782aea0", + "https://git.kernel.org/stable/c/8e1e00718d0d9dd83337300572561e30b9c0d115", + "https://git.kernel.org/stable/c/b479fd59a1f4a342b69fce34f222d93bf791dca4", + "https://git.kernel.org/stable/c/c1115ddbda9c930fba0fdd062e7a8873ebaf898d", + "https://git.kernel.org/stable/c/d082757b8359201c3864323cea4b91ea30a1e676" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: lgdt3306a: Add a check against null-pointer-def\n\nThe driver should check whether the client provides the platform_data.\n\nThe following log reveals it:\n\n[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[ 29.612820] Call Trace:\n[ 29.613030] \n[ 29.613201] dump_stack_lvl+0x56/0x6f\n[ 29.613496] ? kmemdup+0x30/0x40\n[ 29.613754] print_report.cold+0x494/0x6b7\n[ 29.614082] ? kmemdup+0x30/0x40\n[ 29.614340] kasan_report+0x8a/0x190\n[ 29.614628] ? kmemdup+0x30/0x40\n[ 29.614888] kasan_check_range+0x14d/0x1d0\n[ 29.615213] memcpy+0x20/0x60\n[ 29.615454] kmemdup+0x30/0x40\n[ 29.615700] lgdt3306a_probe+0x52/0x310\n[ 29.616339] i2c_device_probe+0x951/0xa90", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48772" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48781", + "dataSource": "https://ubuntu.com/security/CVE-2022-48781", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48781" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48781", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48781", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/25206111512de994dfc914f5b2972a22aa904ef3", + "https://git.kernel.org/stable/c/9d06f489b9e901580159e21fdc29f73df7ed08dc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - get rid of alg_memory_allocated\n\nalg_memory_allocated does not seem to be really used.\n\nalg_proto does have a .memory_allocated field, but no\ncorresponding .sysctl_mem.\n\nThis means sk_has_account() returns true, but all sk_prot_mem_limits()\nusers will trigger a NULL dereference [1].\n\nTHis was not a problem until SO_RESERVE_MEM addition.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 3591 Comm: syz-executor153 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n sock_setsockopt+0x14a9/0x3a30 net/core/sock.c:1446\n __sys_setsockopt+0x5af/0x980 net/socket.c:2176\n __do_sys_setsockopt net/socket.c:2191 [inline]\n __se_sys_setsockopt net/socket.c:2188 [inline]\n __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2188\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fc7440fddc9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe98f07968 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7440fddc9\nRDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000004 R09: 00007ffe98f07990\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe98f0798c\nR13: 00007ffe98f079a0 R14: 00007ffe98f079e0 R15: 0000000000000000\n \nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48781" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48808", + "dataSource": "https://ubuntu.com/security/CVE-2022-48808", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48808" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48808", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48808", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7", + "https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae", + "https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix panic when DSA master device unbinds on shutdown\n\nRafael reports that on a system with LX2160A and Marvell DSA switches,\nif a reboot occurs while the DSA master (dpaa2-eth) is up, the following\npanic can be seen:\n\nsystemd-shutdown[1]: Rebooting.\nUnable to handle kernel paging request at virtual address 00a0000800000041\n[00a0000800000041] address between user and kernel address ranges\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32\npc : dsa_slave_netdevice_event+0x130/0x3e4\nlr : raw_notifier_call_chain+0x50/0x6c\nCall trace:\n dsa_slave_netdevice_event+0x130/0x3e4\n raw_notifier_call_chain+0x50/0x6c\n call_netdevice_notifiers_info+0x54/0xa0\n __dev_close_many+0x50/0x130\n dev_close_many+0x84/0x120\n unregister_netdevice_many+0x130/0x710\n unregister_netdevice_queue+0x8c/0xd0\n unregister_netdev+0x20/0x30\n dpaa2_eth_remove+0x68/0x190\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x94/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_device_remove+0x24/0x40\n __fsl_mc_device_remove+0xc/0x20\n device_for_each_child+0x58/0xa0\n dprc_remove+0x90/0xb0\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_bus_remove+0x80/0x100\n fsl_mc_bus_shutdown+0xc/0x1c\n platform_shutdown+0x20/0x30\n device_shutdown+0x154/0x330\n __do_sys_reboot+0x1cc/0x250\n __arm64_sys_reboot+0x20/0x30\n invoke_syscall.constprop.0+0x4c/0xe0\n do_el0_svc+0x4c/0x150\n el0_svc+0x24/0xb0\n el0t_64_sync_handler+0xa8/0xb0\n el0t_64_sync+0x178/0x17c\n\nIt can be seen from the stack trace that the problem is that the\nderegistration of the master causes a dev_close(), which gets notified\nas NETDEV_GOING_DOWN to dsa_slave_netdevice_event().\nBut dsa_switch_shutdown() has already run, and this has unregistered the\nDSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to\ncall dev_close_many() on those slave interfaces, leading to the problem.\n\nThe previous attempt to avoid the NETDEV_GOING_DOWN on the master after\ndsa_switch_shutdown() was called seems improper. Unregistering the slave\ninterfaces is unnecessary and unhelpful. Instead, after the slaves have\nstopped being uppers of the DSA master, we can now reset to NULL the\nmaster->dsa_ptr pointer, which will make DSA start ignoring all future\nnotifier events on the master.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48808" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48816", + "dataSource": "https://ubuntu.com/security/CVE-2022-48816", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48816" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48816", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48816", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/9482ab4540f5bcc869b44c067ae99b5fca16bd07", + "https://git.kernel.org/stable/c/b49ea673e119f59c71645e2f65b3ccad857c90ee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: lock against ->sock changing during sysfs read\n\n->sock can be set to NULL asynchronously unless ->recv_mutex is held.\nSo it is important to hold that mutex. Otherwise a sysfs read can\ntrigger an oops.\nCommit 17f09d3f619a (\"SUNRPC: Check if the xprt is connected before\nhandling sysfs reads\") appears to attempt to fix this problem, but it\nonly narrows the race window.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48816" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48833", + "dataSource": "https://ubuntu.com/security/CVE-2022-48833", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48833" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48833", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48833", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/40cdc509877bacb438213b83c7541c5e24a1d9ec", + "https://git.kernel.org/stable/c/44557a8f539a822c91238c1f95a95f98a5093d82", + "https://git.kernel.org/stable/c/4c5d94990fa2fd609360ecd0f7e183212a7d115c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: skip reserved bytes warning on unmount after log cleanup failure\n\nAfter the recent changes made by commit c2e39305299f01 (\"btrfs: clear\nextent buffer uptodate when we fail to write it\") and its followup fix,\ncommit 651740a5024117 (\"btrfs: check WRITE_ERR when trying to read an\nextent buffer\"), we can now end up not cleaning up space reservations of\nlog tree extent buffers after a transaction abort happens, as well as not\ncleaning up still dirty extent buffers.\n\nThis happens because if writeback for a log tree extent buffer failed,\nthen we have cleared the bit EXTENT_BUFFER_UPTODATE from the extent buffer\nand we have also set the bit EXTENT_BUFFER_WRITE_ERR on it. Later on,\nwhen trying to free the log tree with free_log_tree(), which iterates\nover the tree, we can end up getting an -EIO error when trying to read\na node or a leaf, since read_extent_buffer_pages() returns -EIO if an\nextent buffer does not have EXTENT_BUFFER_UPTODATE set and has the\nEXTENT_BUFFER_WRITE_ERR bit set. Getting that -EIO means that we return\nimmediately as we can not iterate over the entire tree.\n\nIn that case we never update the reserved space for an extent buffer in\nthe respective block group and space_info object.\n\nWhen this happens we get the following traces when unmounting the fs:\n\n[174957.284509] BTRFS: error (device dm-0) in cleanup_transaction:1913: errno=-5 IO failure\n[174957.286497] BTRFS: error (device dm-0) in free_log_tree:3420: errno=-5 IO failure\n[174957.399379] ------------[ cut here ]------------\n[174957.402497] WARNING: CPU: 2 PID: 3206883 at fs/btrfs/block-group.c:127 btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.407523] Modules linked in: btrfs overlay dm_zero (...)\n[174957.424917] CPU: 2 PID: 3206883 Comm: umount Tainted: G W 5.16.0-rc5-btrfs-next-109 #1\n[174957.426689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[174957.428716] RIP: 0010:btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.429717] Code: 21 48 8b bd (...)\n[174957.432867] RSP: 0018:ffffb70d41cffdd0 EFLAGS: 00010206\n[174957.433632] RAX: 0000000000000001 RBX: ffff8b09c3848000 RCX: ffff8b0758edd1c8\n[174957.434689] RDX: 0000000000000001 RSI: ffffffffc0b467e7 RDI: ffff8b0758edd000\n[174957.436068] RBP: ffff8b0758edd000 R08: 0000000000000000 R09: 0000000000000000\n[174957.437114] R10: 0000000000000246 R11: 0000000000000000 R12: ffff8b09c3848148\n[174957.438140] R13: ffff8b09c3848198 R14: ffff8b0758edd188 R15: dead000000000100\n[174957.439317] FS: 00007f328fb82800(0000) GS:ffff8b0a2d200000(0000) knlGS:0000000000000000\n[174957.440402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[174957.441164] CR2: 00007fff13563e98 CR3: 0000000404f4e005 CR4: 0000000000370ee0\n[174957.442117] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[174957.443076] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[174957.443948] Call Trace:\n[174957.444264] \n[174957.444538] btrfs_free_block_groups+0x255/0x3c0 [btrfs]\n[174957.445238] close_ctree+0x301/0x357 [btrfs]\n[174957.445803] ? call_rcu+0x16c/0x290\n[174957.446250] generic_shutdown_super+0x74/0x120\n[174957.446832] kill_anon_super+0x14/0x30\n[174957.447305] btrfs_kill_super+0x12/0x20 [btrfs]\n[174957.447890] deactivate_locked_super+0x31/0xa0\n[174957.448440] cleanup_mnt+0x147/0x1c0\n[174957.448888] task_work_run+0x5c/0xa0\n[174957.449336] exit_to_user_mode_prepare+0x1e5/0x1f0\n[174957.449934] syscall_exit_to_user_mode+0x16/0x40\n[174957.450512] do_syscall_64+0x48/0xc0\n[174957.450980] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[174957.451605] RIP: 0033:0x7f328fdc4a97\n[174957.452059] Code: 03 0c 00 f7 (...)\n[174957.454320] RSP: 002b:00007fff13564ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n[174957.455262] RAX: 0000000000000000 RBX: 00007f328feea264 RCX: 00007f328fdc4a97\n[174957.456131] RDX: 0000000000000000 RSI: 00000000000000\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48833" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48834", + "dataSource": "https://ubuntu.com/security/CVE-2022-48834", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48834" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48834", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48834", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/10a805334a11acd547602d6c4cf540a0f6ab5c6e", + "https://git.kernel.org/stable/c/5f6a2d63c68c12cf61259df7c3527a0e05dce952", + "https://git.kernel.org/stable/c/700a0715854c1e79a73341724ce4f5bb01abc016", + "https://git.kernel.org/stable/c/c69aef9db878ab277068a8cc1b4bf0cf309dc2b7", + "https://git.kernel.org/stable/c/e9b667a82cdcfe21d590344447d65daed52b353b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbtmc: Fix bug in pipe direction for control transfers\n\nThe syzbot fuzzer reported a minor bug in the usbtmc driver:\n\nusb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0\nWARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412\nusb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410\nModules linked in:\nCPU: 0 PID: 3813 Comm: syz-executor122 Not tainted\n5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\n...\nCall Trace:\n \n usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153\n usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]\n\nThe problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for\nall of its transfers, whether they are in or out. It's easy to fix.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48834" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48835", + "dataSource": "https://ubuntu.com/security/CVE-2022-48835", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48835" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48835", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48835", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0cd2dd4bcf4abc812148c4943f966a3c8dccb00f", + "https://git.kernel.org/stable/c/3916e33b917581e2b2086e856c291cb86ea98a05", + "https://git.kernel.org/stable/c/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3", + "https://git.kernel.org/stable/c/98e7a654a5bebaf1a28e987af5e44c002544a413" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Page fault in reply q processing\n\nA page fault was encountered in mpt3sas on a LUN reset error path:\n\n[ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)\n[ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)\n[ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)\n[ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00\n[ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)\n[ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)\n[ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)\n[ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d\n[ 149.885617] #PF: supervisor read access in kernel mode\n[ 149.894346] #PF: error_code(0x0000) - not-present page\n[ 149.903123] PGD 0 P4D 0\n[ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1\n[ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021\n[ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]\n[ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee\n[ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246\n[ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071\n[ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8\n[ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff\n[ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000\n[ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80\n[ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000\n[ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0\n[ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 150.108323] PKRU: 55555554\n[ 150.114690] Call Trace:\n[ 150.120497] ? printk+0x48/0x4a\n[ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]\n[ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]\n[ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas]\n[ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]\n[ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod]\n[ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60\n[ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod]\n[ 150.203206] ? __schedule+0x1e9/0x610\n[ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]\n[ 150.217924] kthread+0x12e/0x150\n[ 150.224041] ? kthread_worker_fn+0x130/0x130\n[ 150.231206] ret_from_fork+0x1f/0x30\n\nThis is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q\npointer outside of the list_for_each_entry() loop. At the end of the full\nlist traversal the pointer is invalid.\n\nMove the _base_process_reply_queue() call inside of the loop.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48835" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48836", + "dataSource": "https://ubuntu.com/security/CVE-2022-48836", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48836" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48836", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48836", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/35069e654bcab567ff8b9f0e68e1caf82c15dcd7", + "https://git.kernel.org/stable/c/5600f6986628dde8881734090588474f54a540a8", + "https://git.kernel.org/stable/c/57277a8b5d881e02051ba9d7f6cb3f915c229821", + "https://git.kernel.org/stable/c/6de20111cd0bb7da9b2294073ba00c7d2a6c1c4f", + "https://git.kernel.org/stable/c/e732b0412f8c603d1e998f3bff41b5e7d5c3914c", + "https://git.kernel.org/stable/c/e762f57ff255af28236cd02ca9fc5c7e5a089d31", + "https://git.kernel.org/stable/c/f0d43d22d24182b94d7eb78a2bf6ae7e2b33204a", + "https://git.kernel.org/stable/c/fc8033a55e2796d21e370260a784ac9fbb8305a6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: aiptek - properly check endpoint type\n\nSyzbot reported warning in usb_submit_urb() which is caused by wrong\nendpoint type. There was a check for the number of endpoints, but not\nfor the type of endpoint.\n\nFix it by replacing old desc.bNumEndpoints check with\nusb_find_common_endpoints() helper for finding endpoints\n\nFail log:\n\nusb 5-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nWorkqueue: usb_hub_wq hub_event\n...\nCall Trace:\n \n aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830\n input_open_device+0x1bb/0x320 drivers/input/input.c:629\n kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48836" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48837", + "dataSource": "https://ubuntu.com/security/CVE-2022-48837", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48837" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48837", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48837", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/138d4f739b35dfb40438a0d5d7054965763bfbe7", + "https://git.kernel.org/stable/c/21829376268397f9fd2c35cfa9135937b6aa3a1e", + "https://git.kernel.org/stable/c/28bc0267399f42f987916a7174e2e32f0833cc65", + "https://git.kernel.org/stable/c/56b38e3ca4064041d93c1ca18828c8cedad2e16c", + "https://git.kernel.org/stable/c/65f3324f4b6fed78b8761c3b74615ecf0ffa81fa", + "https://git.kernel.org/stable/c/8b3e4d26bc9cd0f6373d0095b9ffd99e7da8006b", + "https://git.kernel.org/stable/c/c7953cf03a26876d676145ce5d2ae6d8c9630b90", + "https://git.kernel.org/stable/c/df7e088d51cdf78b1a0bf1f3d405c2593295c7b0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: prevent integer overflow in rndis_set_response()\n\nIf \"BufOffset\" is very large the \"BufOffset + 8\" operation can have an\ninteger overflow.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48837" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48838", + "dataSource": "https://ubuntu.com/security/CVE-2022-48838", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48838" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48838", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48838", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/00bdd9bf1ac6d401ad926d3d8df41b9f1399f646", + "https://git.kernel.org/stable/c/16b1941eac2bd499f065a6739a40ce0011a3d740", + "https://git.kernel.org/stable/c/2015c23610cd0efadaeca4d3a8d1dae9a45aa35a", + "https://git.kernel.org/stable/c/2282a6eb6d4e118e294e43dcc421e0e0fe4040b5", + "https://git.kernel.org/stable/c/27d64436984fb8835a8b7e95993193cc478b162e", + "https://git.kernel.org/stable/c/4325124dde6726267813c736fee61226f1d38f0b", + "https://git.kernel.org/stable/c/609a7119bffe3ddd7c93f2fa65be8917e02a0b7e", + "https://git.kernel.org/stable/c/e2d3a7009e505e120805f449c832942660f3f7f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: Fix use-after-free bug by not setting udc->dev.driver\n\nThe syzbot fuzzer found a use-after-free bug:\n\nBUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320\nRead of size 8 at addr ffff88802b934098 by task udevd/3689\n\nCPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n dev_uevent+0x712/0x780 drivers/base/core.c:2320\n uevent_show+0x1b8/0x380 drivers/base/core.c:2391\n dev_attr_show+0x4b/0x90 drivers/base/core.c:2094\n\nAlthough the bug manifested in the driver core, the real cause was a\nrace with the gadget core. dev_uevent() does:\n\n\tif (dev->driver)\n\t\tadd_uevent_var(env, \"DRIVER=%s\", dev->driver->name);\n\nand between the test and the dereference of dev->driver, the gadget\ncore sets dev->driver to NULL.\n\nThe race wouldn't occur if the gadget core registered its devices on\na real bus, using the standard synchronization techniques of the\ndriver core. However, it's not necessary to make such a large change\nin order to fix this bug; all we need to do is make sure that\nudc->dev.driver is always NULL.\n\nIn fact, there is no reason for udc->dev.driver ever to be set to\nanything, let alone to the value it currently gets: the address of the\ngadget's driver. After all, a gadget driver only knows how to manage\na gadget, not how to manage a UDC.\n\nThis patch simply removes the statements in the gadget core that touch\nudc->dev.driver.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48838" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48839", + "dataSource": "https://ubuntu.com/security/CVE-2022-48839", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48839" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48839", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48839", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/268dcf1f7b3193bc446ec3d14e08a240e9561e4d", + "https://git.kernel.org/stable/c/70b7b3c055fd4a464da8da55ff4c1f84269f9b02", + "https://git.kernel.org/stable/c/a055f5f2841f7522b44a2b1eccb1951b4b03d51a", + "https://git.kernel.org/stable/c/a33dd1e6693f80d805155b3f69c18c2f642915da", + "https://git.kernel.org/stable/c/b1e27cda1e3c12b705875bb7e247a97168580e33", + "https://git.kernel.org/stable/c/b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0", + "https://git.kernel.org/stable/c/c700525fcc06b05adfea78039de02628af79e07a", + "https://git.kernel.org/stable/c/ef591b35176029fdefea38e8388ffa371e18f4b2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix slab-out-of-bounds access in packet_recvmsg()\n\nsyzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH\nand mmap operations, tpacket_rcv() is queueing skbs with\ngarbage in skb->cb[], triggering a too big copy [1]\n\nPresumably, users of af_packet using mmap() already gets correct\nmetadata from the mapped buffer, we can simply make sure\nto clear 12 bytes that might be copied to user space later.\n\nBUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]\nBUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\nWrite of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631\n\nCPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189\n memcpy+0x39/0x60 mm/kasan/shadow.c:66\n memcpy include/linux/fortify-string.h:225 [inline]\n packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\n sock_recvmsg_nosec net/socket.c:948 [inline]\n sock_recvmsg net/socket.c:966 [inline]\n sock_recvmsg net/socket.c:962 [inline]\n ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632\n ___sys_recvmsg+0x127/0x200 net/socket.c:2674\n __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fdfd5954c29\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60\nR13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54\n \n\naddr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:\n ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246\n\nthis frame has 1 object:\n [32, 160) 'addr'\n\nMemory state around the buggy address:\n ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00\n ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00\n>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3\n ^\n ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1\n ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00\n==================================================================", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48839" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48840", + "dataSource": "https://ubuntu.com/security/CVE-2022-48840", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48840" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48840", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48840", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57", + "https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813", + "https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix hang during reboot/shutdown\n\nRecent commit 974578017fc1 (\"iavf: Add waiting so the port is\ninitialized in remove\") adds a wait-loop at the beginning of\niavf_remove() to ensure that port initialization is finished\nprior unregistering net device. This causes a regression\nin reboot/shutdown scenario because in this case callback\niavf_shutdown() is called and this callback detaches the device,\nmakes it down if it is running and sets its state to __IAVF_REMOVE.\nLater shutdown callback of associated PF driver (e.g. ice_shutdown)\nis called. That callback calls among other things sriov_disable()\nthat calls indirectly iavf_remove() (see stack trace below).\nAs the adapter state is already __IAVF_REMOVE then the mentioned\nloop is end-less and shutdown process hangs.\n\nThe patch fixes this by checking adapter's state at the beginning\nof iavf_remove() and skips the rest of the function if the adapter\nis already in remove state (shutdown is in progress).\n\nReproducer:\n1. Create VF on PF driven by ice or i40e driver\n2. Ensure that the VF is bound to iavf driver\n3. Reboot\n\n[52625.981294] sysrq: SysRq : Show Blocked State\n[52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2\n[52625.996732] Call Trace:\n[52625.999187] __schedule+0x2d1/0x830\n[52626.007400] schedule+0x35/0xa0\n[52626.010545] schedule_hrtimeout_range_clock+0x83/0x100\n[52626.020046] usleep_range+0x5b/0x80\n[52626.023540] iavf_remove+0x63/0x5b0 [iavf]\n[52626.027645] pci_device_remove+0x3b/0xc0\n[52626.031572] device_release_driver_internal+0x103/0x1f0\n[52626.036805] pci_stop_bus_device+0x72/0xa0\n[52626.040904] pci_stop_and_remove_bus_device+0xe/0x20\n[52626.045870] pci_iov_remove_virtfn+0xba/0x120\n[52626.050232] sriov_disable+0x2f/0xe0\n[52626.053813] ice_free_vfs+0x7c/0x340 [ice]\n[52626.057946] ice_remove+0x220/0x240 [ice]\n[52626.061967] ice_shutdown+0x16/0x50 [ice]\n[52626.065987] pci_device_shutdown+0x34/0x60\n[52626.070086] device_shutdown+0x165/0x1c5\n[52626.074011] kernel_restart+0xe/0x30\n[52626.077593] __do_sys_reboot+0x1d2/0x210\n[52626.093815] do_syscall_64+0x5b/0x1a0\n[52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48840" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48846", + "dataSource": "https://ubuntu.com/security/CVE-2022-48846", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48846" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48846", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48846", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/60c2c8e2ef3a3ec79de8cbc80a06ca0c21df8c29", + "https://git.kernel.org/stable/c/d4ad8736ac982111bb0be8306bf19c8207f6600e", + "https://git.kernel.org/stable/c/daaca3522a8e67c46e39ef09c1d542e866f85f3b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: release rq qos structures for queue without disk\n\nblkcg_init_queue() may add rq qos structures to request queue, previously\nblk_cleanup_queue() calls rq_qos_exit() to release them, but commit\n8e141f9eb803 (\"block: drain file system I/O on del_gendisk\")\nmoves rq_qos_exit() into del_gendisk(), so memory leak is caused\nbecause queues may not have disk, such as un-present scsi luns, nvme\nadmin queue, ...\n\nFixes the issue by adding rq_qos_exit() to blk_cleanup_queue() back.\n\nBTW, v5.18 won't need this patch any more since we move\nblkcg_init_queue()/blkcg_exit_queue() into disk allocation/release\nhandler, and patches have been in for-5.18/block.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48846" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48868", + "dataSource": "https://ubuntu.com/security/CVE-2022-48868", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48868" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48868", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48868", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f150134dd795ffcd60b798a85ab737d8d010fb7", + "https://git.kernel.org/stable/c/99dc4520b74e7ca8e9dc9abe37a0b10b49467960", + "https://git.kernel.org/stable/c/b51b75f0604f17c0f6f3b6f68f1a521a5cc6b04f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Let probe fail when workqueue cannot be enabled\n\nThe workqueue is enabled when the appropriate driver is loaded and\ndisabled when the driver is removed. When the driver is removed it\nassumes that the workqueue was enabled successfully and proceeds to\nfree allocations made during workqueue enabling.\n\nFailure during workqueue enabling does not prevent the driver from\nbeing loaded. This is because the error path within drv_enable_wq()\nreturns success unless a second failure is encountered\nduring the error path. By returning success it is possible to load\nthe driver even if the workqueue cannot be enabled and\nallocations that do not exist are attempted to be freed during\ndriver remove.\n\nSome examples of problematic flows:\n(a)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_unmap_portal() is called on error exit path, but\n drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The\n driver is thus loaded successfully.\n\n idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal()\n Above flow on driver unload triggers the WARN in devm_iounmap() because\n the device resource has already been removed during error path of\n drv_enable_wq().\n\n(b)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_init_percpu_ref() is never called to initialize the percpu\n counter, yet the driver loads successfully because drv_enable_wq()\n returns 0.\n\n idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill():\n Above flow on driver unload triggers a BUG when attempting to drop the\n initial ref of the uninitialized percpu ref:\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n\nFix the drv_enable_wq() error path by returning the original error that\nindicates failure of workqueue enabling. This ensures that the probe\nfails when an error is encountered and the driver remove paths are only\nattempted when the workqueue was enabled successfully.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48868" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48869", + "dataSource": "https://ubuntu.com/security/CVE-2022-48869", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48869" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48869", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48869", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3", + "https://git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4", + "https://git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466ae", + "https://git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9", + "https://git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadgetfs: Fix race between mounting and unmounting\n\nThe syzbot fuzzer and Gerald Lee have identified a use-after-free bug\nin the gadgetfs driver, involving processes concurrently mounting and\nunmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super()\ncan race with gadgetfs_kill_sb(), causing the latter to deallocate\nthe_device while the former is using it. The output from KASAN says,\nin part:\n\nBUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]\nBUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\nBUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]\nBUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]\nBUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]\nBUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\nBUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\nWrite of size 4 at addr ffff8880276d7840 by task syz-executor126/18689\n\nCPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n \n...\n atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\n __refcount_sub_and_test include/linux/refcount.h:272 [inline]\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\n put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\n gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n vfs_get_super fs/super.c:1190 [inline]\n get_tree_single+0xd0/0x160 fs/super.c:1207\n vfs_get_tree+0x88/0x270 fs/super.c:1531\n vfs_fsconfig_locked fs/fsopen.c:232 [inline]\n\nThe simplest solution is to ensure that gadgetfs_fill_super() and\ngadgetfs_kill_sb() are serialized by making them both acquire a new\nmutex.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48869" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48870", + "dataSource": "https://ubuntu.com/security/CVE-2022-48870", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48870" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48870", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48870", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f", + "https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5", + "https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix possible null-ptr-defer in spk_ttyio_release\n\nRun the following tests on the qemu platform:\n\nsyzkaller:~# modprobe speakup_audptr\n input: Speakup as /devices/virtual/input/input4\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\n speakup 3.1.6: initialized\n synth name on entry is: (null)\n synth probe\n\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\nproblem, as follow:\n\nsyzkaller:~# modprobe -r speakup_audptr\n releasing synth audptr\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\n RIP: 0010:mutex_lock+0x14/0x30\n Call Trace:\n \n spk_ttyio_release+0x19/0x70 [speakup]\n synth_release.part.6+0xac/0xc0 [speakup]\n synth_remove+0x56/0x60 [speakup]\n __x64_sys_delete_module+0x156/0x250\n ? fpregs_assert_state_consistent+0x1d/0x50\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \n Modules linked in: speakup_audptr(-) speakup\n Dumping ftrace buffer:\n\nin_synth->dev was not initialized during modprobe, so we add check\nfor in_synth->dev to fix this bug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48870" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48871", + "dataSource": "https://ubuntu.com/security/CVE-2022-48871", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48871" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48871", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48871", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a", + "https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2", + "https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a", + "https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer\n\nDriver's probe allocates memory for RX FIFO (port->rx_fifo) based on\ndefault RX FIFO depth, e.g. 16. Later during serial startup the\nqcom_geni_serial_port_setup() updates the RX FIFO depth\n(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.\n\nThe RX UART handle code will read \"port->rx_fifo_depth\" number of words\ninto \"port->rx_fifo\" buffer, thus exceeding the bounds. This can be\nobserved in certain configurations with Qualcomm Bluetooth HCI UART\ndevice and KASAN:\n\n Bluetooth: hci0: QCA Product ID :0x00000010\n Bluetooth: hci0: QCA SOC Version :0x400a0200\n Bluetooth: hci0: QCA ROM Version :0x00000200\n Bluetooth: hci0: QCA Patch Version:0x00000d2b\n Bluetooth: hci0: QCA controller version 0x02000200\n Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv\n bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2\n Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)\n Bluetooth: hci0: QCA Failed to download patch (-2)\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c\n Write of size 4 at addr ffff279347d578c0 by task swapper/0/0\n\n CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n dump_backtrace.part.0+0xe0/0xf0\n show_stack+0x18/0x40\n dump_stack_lvl+0x8c/0xb8\n print_report+0x188/0x488\n kasan_report+0xb4/0x100\n __asan_store4+0x80/0xa4\n handle_rx_uart+0xa8/0x18c\n qcom_geni_serial_handle_rx+0x84/0x9c\n qcom_geni_serial_isr+0x24c/0x760\n __handle_irq_event_percpu+0x108/0x500\n handle_irq_event+0x6c/0x110\n handle_fasteoi_irq+0x138/0x2cc\n generic_handle_domain_irq+0x48/0x64\n\nIf the RX FIFO depth changes after probe, be sure to resize the buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48871" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48872", + "dataSource": "https://ubuntu.com/security/CVE-2022-48872", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48872" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48872", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48872", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907", + "https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4", + "https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1", + "https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb", + "https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix use-after-free race condition for maps\n\nIt is possible that in between calling fastrpc_map_get() until\nmap->fl->lock is taken in fastrpc_free_map(), another thread can call\nfastrpc_map_lookup() and get a reference to a map that is about to be\ndeleted.\n\nRewrite fastrpc_map_get() to only increase the reference count of a map\nif it's non-zero. Propagate this to callers so they can know if a map is\nabout to be deleted.\n\nFixes this warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate\n...\nCall trace:\n refcount_warn_saturate\n [fastrpc_map_get inlined]\n [fastrpc_map_lookup inlined]\n fastrpc_map_create\n fastrpc_internal_invoke\n fastrpc_device_ioctl\n __arm64_sys_ioctl\n invoke_syscall", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48872" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48873", + "dataSource": "https://ubuntu.com/security/CVE-2022-48873", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48873" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48873", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48873", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/193cd853145b63e670bd73740250983af1475330", + "https://git.kernel.org/stable/c/1b7b7bb400dd13dcb03fc6e591bb7ca4664bbec8", + "https://git.kernel.org/stable/c/35ddd482345c43d9eec1f3406c0f20a95ed4054b", + "https://git.kernel.org/stable/c/4b5c44e924a571d0ad07054de549624fbc04e4d7", + "https://git.kernel.org/stable/c/5bb96c8f9268e2fdb0e5321cbc358ee5941efc15" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Don't remove map on creater_process and device_release\n\nDo not remove the map from the list on error path in\nfastrpc_init_create_process, instead call fastrpc_map_put, to avoid\nuse-after-free. Do not remove it on fastrpc_device_release either,\ncall fastrpc_map_put instead.\n\nThe fastrpc_free_map is the only proper place to remove the map.\nThis is called only after the reference count is 0.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48873" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48875", + "dataSource": "https://ubuntu.com/security/CVE-2022-48875", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48875" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48875", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48875", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef", + "https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df", + "https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e", + "https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: sdata can be NULL during AMPDU start\n\nieee80211_tx_ba_session_handle_start() may get NULL for sdata when a\ndeauthentication is ongoing.\n\nHere a trace triggering the race with the hostapd test\nmulti_ap_fronthaul_on_ap:\n\n(gdb) list *drv_ampdu_action+0x46\n0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).\n391 int ret = -EOPNOTSUPP;\n392\n393 might_sleep();\n394\n395 sdata = get_bss_sdata(sdata);\n396 if (!check_sdata_in_driver(sdata))\n397 return -EIO;\n398\n399 trace_drv_ampdu_action(local, sdata, params);\n400\n\nwlan0: moving STA 02:00:00:00:03:00 to state 3\nwlan0: associated\nwlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)\nwlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0\nwlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)\nwlan0: moving STA 02:00:00:00:03:00 to state 2\nwlan0: moving STA 02:00:00:00:03:00 to state 1\nwlan0: Removed STA 02:00:00:00:03:00\nwlan0: Destroyed STA 02:00:00:00:03:00\nBUG: unable to handle page fault for address: fffffffffffffb48\nPGD 11814067 P4D 11814067 PUD 11816067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\nWorkqueue: phy3 ieee80211_ba_session_work [mac80211]\nRIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]\nCode: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85\nRSP: 0018:ffffc900025ebd20 EFLAGS: 00010287\nRAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240\nRDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40\nRBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0\nR13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8\nFS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0\nCall Trace:\n \n ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]\n ieee80211_ba_session_work+0xff/0x2e0 [mac80211]\n process_one_work+0x29f/0x620\n worker_thread+0x4d/0x3d0\n ? process_one_work+0x620/0x620\n kthread+0xfb/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48875" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48877", + "dataSource": "https://ubuntu.com/security/CVE-2022-48877", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48877" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48877", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48877", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c38cdc747f00daf7394535eae5afc4c503c59bb", + "https://git.kernel.org/stable/c/2c129e868992621a739bdd57a5bffa3985ef1b91", + "https://git.kernel.org/stable/c/557e85ff9afef6d45020b6f09357111d38033c31", + "https://git.kernel.org/stable/c/72009139a661ade5cb1da4239734ed02fa1cfff0", + "https://git.kernel.org/stable/c/dd83a9763e29ed7a21c8a43f7a62cd0a6bf74692", + "https://git.kernel.org/stable/c/df9d44b645b83fffccfb4e28c1f93376585fdec8", + "https://git.kernel.org/stable/c/ff85a1dbd90d29f73033177ff8d8de4a27d9721c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: let's avoid panic if extent_tree is not created\n\nThis patch avoids the below panic.\n\npc : __lookup_extent_tree+0xd8/0x760\nlr : f2fs_do_write_data_page+0x104/0x87c\nsp : ffffffc010cbb3c0\nx29: ffffffc010cbb3e0 x28: 0000000000000000\nx27: ffffff8803e7f020 x26: ffffff8803e7ed40\nx25: ffffff8803e7f020 x24: ffffffc010cbb460\nx23: ffffffc010cbb480 x22: 0000000000000000\nx21: 0000000000000000 x20: ffffffff22e90900\nx19: 0000000000000000 x18: ffffffc010c5d080\nx17: 0000000000000000 x16: 0000000000000020\nx15: ffffffdb1acdbb88 x14: ffffff888759e2b0\nx13: 0000000000000000 x12: ffffff802da49000\nx11: 000000000a001200 x10: ffffff8803e7ed40\nx9 : ffffff8023195800 x8 : ffffff802da49078\nx7 : 0000000000000001 x6 : 0000000000000000\nx5 : 0000000000000006 x4 : ffffffc010cbba28\nx3 : 0000000000000000 x2 : ffffffc010cbb480\nx1 : 0000000000000000 x0 : ffffff8803e7ed40\nCall trace:\n __lookup_extent_tree+0xd8/0x760\n f2fs_do_write_data_page+0x104/0x87c\n f2fs_write_single_data_page+0x420/0xb60\n f2fs_write_cache_pages+0x418/0xb1c\n __f2fs_write_data_pages+0x428/0x58c\n f2fs_write_data_pages+0x30/0x40\n do_writepages+0x88/0x190\n __writeback_single_inode+0x48/0x448\n writeback_sb_inodes+0x468/0x9e8\n __writeback_inodes_wb+0xb8/0x2a4\n wb_writeback+0x33c/0x740\n wb_do_writeback+0x2b4/0x400\n wb_workfn+0xe4/0x34c\n process_one_work+0x24c/0x5bc\n worker_thread+0x3e8/0xa50\n kthread+0x150/0x1b4", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48877" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48878", + "dataSource": "https://ubuntu.com/security/CVE-2022-48878", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48878" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48878", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48878", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/272970be3dabd24cbe50e393ffee8f04aec3b9a8", + "https://git.kernel.org/stable/c/908d1742b6e694e84ead5c62e4b7c1bfbb8b46a3", + "https://git.kernel.org/stable/c/e84ec6e25df9bb0968599e92eacedaf3a0a5b587", + "https://git.kernel.org/stable/c/ea3ebda47dd56f6e1c62f2e0e1b6e1b0a973e447" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_qca: Fix driver shutdown on closed serdev\n\nThe driver shutdown callback (which sends EDL_SOC_RESET to the device\nover serdev) should not be invoked when HCI device is not open (e.g. if\nhci_dev_open_sync() failed), because the serdev and its TTY are not open\neither. Also skip this step if device is powered off\n(qca_power_shutdown()).\n\nThe shutdown callback causes use-after-free during system reboot with\nQualcomm Atheros Bluetooth:\n\n Unable to handle kernel paging request at virtual address\n 0072662f67726fd7\n ...\n CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W\n 6.1.0-rt5-00325-g8a5f56bcfcca #8\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n tty_driver_flush_buffer+0x4/0x30\n serdev_device_write_flush+0x24/0x34\n qca_serdev_shutdown+0x80/0x130 [hci_uart]\n device_shutdown+0x15c/0x260\n kernel_restart+0x48/0xac\n\nKASAN report:\n\n BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50\n Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1\n\n CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted\n 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n dump_backtrace.part.0+0xdc/0xf0\n show_stack+0x18/0x30\n dump_stack_lvl+0x68/0x84\n print_report+0x188/0x488\n kasan_report+0xa4/0xf0\n __asan_load8+0x80/0xac\n tty_driver_flush_buffer+0x1c/0x50\n ttyport_write_flush+0x34/0x44\n serdev_device_write_flush+0x48/0x60\n qca_serdev_shutdown+0x124/0x274\n device_shutdown+0x1e8/0x350\n kernel_restart+0x48/0xb0\n __do_sys_reboot+0x244/0x2d0\n __arm64_sys_reboot+0x54/0x70\n invoke_syscall+0x60/0x190\n el0_svc_common.constprop.0+0x7c/0x160\n do_el0_svc+0x44/0xf0\n el0_svc+0x2c/0x6c\n el0t_64_sync_handler+0xbc/0x140\n el0t_64_sync+0x190/0x194", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48878" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48879", + "dataSource": "https://ubuntu.com/security/CVE-2022-48879", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48879" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48879", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48879", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4ca71bc0e1995d15486cd7b60845602a28399cb5", + "https://git.kernel.org/stable/c/585a0b2b3ae7903c6abee3087d09c69e955a7794", + "https://git.kernel.org/stable/c/5fcf75a8a4c3e7ee9122d143684083c9faf20452", + "https://git.kernel.org/stable/c/703c13fe3c9af557d312f5895ed6a5fda2711104", + "https://git.kernel.org/stable/c/adc96d30f6503d30dc68670c013716f1d9fcc747", + "https://git.kernel.org/stable/c/e2ea55564229e4bea1474af15b111b3a3043b76f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix NULL-deref in init error path\n\nIn cases where runtime services are not supported or have been disabled,\nthe runtime services workqueue will never have been allocated.\n\nDo not try to destroy the workqueue unconditionally in the unlikely\nevent that EFI initialisation fails to avoid dereferencing a NULL\npointer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48879" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48880", + "dataSource": "https://ubuntu.com/security/CVE-2022-48880", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48880" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48880", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48880", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/50b3cdf8239b11545f311c4f7b89e0092e4feedb", + "https://git.kernel.org/stable/c/c965daac370f08a9b71d573a71d13cda76f2a884", + "https://git.kernel.org/stable/c/d2dc110deabe7142b60ebeed689e67f92795ee24" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/surface: aggregator: Add missing call to ssam_request_sync_free()\n\nAlthough rare, ssam_request_sync_init() can fail. In that case, the\nrequest should be freed via ssam_request_sync_free(). Currently it is\nleaked instead. Fix this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48880" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48887", + "dataSource": "https://ubuntu.com/security/CVE-2022-48887", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48887" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48887", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48887", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7ac9578e45b20e3f3c0c8eb71f5417a499a7226a", + "https://git.kernel.org/stable/c/a309c7194e8a2f8bd4539b9449917913f6c2cd50" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Remove rcu locks from user resources\n\nUser resource lookups used rcu to avoid two extra atomics. Unfortunately\nthe rcu paths were buggy and it was easy to make the driver crash by\nsubmitting command buffers from two different threads. Because the\nlookups never show up in performance profiles replace them with a\nregular spin lock which fixes the races in accesses to those shared\nresources.\n\nFixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and\nseen crashes with apps using shared resources.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48887" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48891", + "dataSource": "https://ubuntu.com/security/CVE-2022-48891", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48891" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48891", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48891", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02228f6aa6a64d588bc31e3267d05ff184d772eb", + "https://git.kernel.org/stable/c/1c1afcb8839b91c09d211ea304faa269763b1f91", + "https://git.kernel.org/stable/c/470f6a9175f13a53810734658c35cc5bba33be01", + "https://git.kernel.org/stable/c/ad1336274f733a7cb1f87b5c5908165a2c14df53", + "https://git.kernel.org/stable/c/d443308edbfb6e9e757b478af908515110d1efd5", + "https://git.kernel.org/stable/c/d4aa749e046435f054e94ebf50cad143d6229fae", + "https://git.kernel.org/stable/c/f75cde714e0a67f73ef169aa50d4ed77d04f7236" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9211: Use irq handler when ready\n\nIf the system does not come from reset (like when it is kexec()), the\nregulator might have an IRQ waiting for us.\n\nIf we enable the IRQ handler before its structures are ready, we crash.\n\nThis patch fixes:\n\n[ 1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078\n[ 1.316096] Call trace:\n[ 1.316101] blocking_notifier_call_chain+0x20/0xa8\n[ 1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests\n[ 1.327823] regulator_notifier_call_chain+0x1c/0x2c\n[ 1.327825] da9211_irq_handler+0x68/0xf8\n[ 1.327829] irq_thread+0x11c/0x234\n[ 1.327833] kthread+0x13c/0x154", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48891" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48892", + "dataSource": "https://ubuntu.com/security/CVE-2022-48892", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48892" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48892", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48892", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc", + "https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8", + "https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Fix use-after-free bug in dup_user_cpus_ptr()\n\nSince commit 07ec77a1d4e8 (\"sched: Allow task CPU affinity to be\nrestricted on asymmetric systems\"), the setting and clearing of\nuser_cpus_ptr are done under pi_lock for arm64 architecture. However,\ndup_user_cpus_ptr() accesses user_cpus_ptr without any lock\nprotection. Since sched_setaffinity() can be invoked from another\nprocess, the process being modified may be undergoing fork() at\nthe same time. When racing with the clearing of user_cpus_ptr in\n__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and\npossibly double-free in arm64 kernel.\n\nCommit 8f9ea86fdf99 (\"sched: Always preserve the user requested\ncpumask\") fixes this problem as user_cpus_ptr, once set, will never\nbe cleared in a task's lifetime. However, this bug was re-introduced\nin commit 851a723e45d1 (\"sched: Always clear user_cpus_ptr in\ndo_set_cpus_allowed()\") which allows the clearing of user_cpus_ptr in\ndo_set_cpus_allowed(). This time, it will affect all arches.\n\nFix this bug by always clearing the user_cpus_ptr of the newly\ncloned/forked task before the copying process starts and check the\nuser_cpus_ptr state of the source task under pi_lock.\n\nNote to stable, this patch won't be applicable to stable releases.\nJust copy the new dup_user_cpus_ptr() function over.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48892" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48893", + "dataSource": "https://ubuntu.com/security/CVE-2022-48893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48893" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48893", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5c855bcc730656c4b7d30aaddcd0eafc7003e112", + "https://git.kernel.org/stable/c/78a033433a5ae4fee85511ee075bc9a48312c79e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Cleanup partial engine discovery failures\n\nIf we abort driver initialisation in the middle of gt/engine discovery,\nsome engines will be fully setup and some not. Those incompletely setup\nengines only have 'engine->release == NULL' and so will leak any of the\ncommon objects allocated.\n\nv2:\n - Drop the destroy_pinned_context() helper for now. It's not really\n worth it with just a single callsite at the moment. (Janusz)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48895", + "dataSource": "https://ubuntu.com/security/CVE-2022-48895", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48895" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48895", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48895", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/a1b9c7b1978aacf4b2f33e34bde1e2bb80b8497a", + "https://git.kernel.org/stable/c/ce31e6ca68bd7639bd3e5ef97be215031842bbab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Don't unregister on shutdown\n\nMichael Walle says he noticed the following stack trace while performing\na shutdown with \"reboot -f\". He suggests he got \"lucky\" and just hit the\ncorrect spot for the reboot while there was a packet transmission in\nflight.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000098\nCPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930\nHardware name: Kontron KBox A-230-LS (DT)\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_map_page+0x9c/0x254\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_map_page_attrs+0x1ec/0x250\n enetc_start_xmit+0x14c/0x10b0\n enetc_xmit+0x60/0xdc\n dev_hard_start_xmit+0xb8/0x210\n sch_direct_xmit+0x11c/0x420\n __dev_queue_xmit+0x354/0xb20\n ip6_finish_output2+0x280/0x5b0\n __ip6_finish_output+0x15c/0x270\n ip6_output+0x78/0x15c\n NF_HOOK.constprop.0+0x50/0xd0\n mld_sendpack+0x1bc/0x320\n mld_ifc_work+0x1d8/0x4dc\n process_one_work+0x1e8/0x460\n worker_thread+0x178/0x534\n kthread+0xe0/0xe4\n ret_from_fork+0x10/0x20\nCode: d503201f f9416800 d503233f d50323bf (f9404c00)\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\n\nThis appears to be reproducible when the board has a fixed IP address,\nis ping flooded from another host, and \"reboot -f\" is used.\n\nThe following is one more manifestation of the issue:\n\n$ reboot -f\nkvm: exiting hardware virtualization\ncfg80211: failed to load regulatory.db\narm-smmu 5000000.iommu: disabling translation\nsdhci-esdhc 2140000.mmc: Removing from iommu group 11\nsdhci-esdhc 2150000.mmc: Removing from iommu group 12\nfsl-edma 22c0000.dma-controller: Removing from iommu group 17\ndwc3 3100000.usb: Removing from iommu group 9\ndwc3 3110000.usb: Removing from iommu group 10\nahci-qoriq 3200000.sata: Removing from iommu group 2\nfsl-qdma 8380000.dma-controller: Removing from iommu group 20\nplatform f080000.display: Removing from iommu group 0\netnaviv-gpu f0c0000.gpu: Removing from iommu group 1\netnaviv etnaviv: Removing from iommu group 1\ncaam_jr 8010000.jr: Removing from iommu group 13\ncaam_jr 8020000.jr: Removing from iommu group 14\ncaam_jr 8030000.jr: Removing from iommu group 15\ncaam_jr 8040000.jr: Removing from iommu group 16\nfsl_enetc 0000:00:00.0: Removing from iommu group 4\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.1: Removing from iommu group 5\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.2: Removing from iommu group 6\nfsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8\nmscc_felix 0000:00:00.5: Removing from iommu group 3\nfsl_enetc 0000:00:00.6: Removing from iommu group 7\npcieport 0001:00:00.0: Removing from iommu group 18\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\npcieport 0002:00:00.0: Removing from iommu group 19\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_unmap_page+0x38/0xe0\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_unmap_page_attrs+0x38/0x1d0\n en\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48895" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48896", + "dataSource": "https://ubuntu.com/security/CVE-2022-48896", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48896" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48896", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48896", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/112df4cd2b09acd64bcd18f5ef83ba5d07b34bf0", + "https://git.kernel.org/stable/c/4c93422a54cd6a349988f42e1c6bf082cf4ea9d8", + "https://git.kernel.org/stable/c/53cefa802f070d46c0c518f4865be2c749818a18", + "https://git.kernel.org/stable/c/b93fb4405fcb5112c5739c5349afb52ec7f15c07", + "https://git.kernel.org/stable/c/c49996c6aa03590e4ef5add8772cb6068d99fd59" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix pci device refcount leak\n\nAs the comment of pci_get_domain_bus_and_slot() says, it\nreturns a PCI device with refcount incremented, when finish\nusing it, the caller must decrement the reference count by\ncalling pci_dev_put().\n\nIn ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(),\npci_dev_put() is called to avoid leak.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48896" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48898", + "dataSource": "https://ubuntu.com/security/CVE-2022-48898", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48898" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48898", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48898", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169", + "https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1", + "https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a", + "https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer\n\nThere are 3 possible interrupt sources are handled by DP controller,\nHPDstatus, Controller state changes and Aux read/write transaction.\nAt every irq, DP controller have to check isr status of every interrupt\nsources and service the interrupt if its isr status bits shows interrupts\nare pending. There is potential race condition may happen at current aux\nisr handler implementation since it is always complete dp_aux_cmd_fifo_tx()\neven irq is not for aux read or write transaction. This may cause aux read\ntransaction return premature if host aux data read is in the middle of\nwaiting for sink to complete transferring data to host while irq happen.\nThis will cause host's receiving buffer contains unexpected data. This\npatch fixes this problem by checking aux isr and return immediately at\naux isr handler if there are no any isr status bits set.\n\nCurrent there is a bug report regrading eDP edid corruption happen during\nsystem booting up. After lengthy debugging to found that VIDEO_READY\ninterrupt was continuously firing during system booting up which cause\ndp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data\nfrom aux hardware buffer which is not yet contains complete data transfer\nfrom sink. This cause edid corruption.\n\nFollows are the signature at kernel logs when problem happen,\nEDID has corrupt header\npanel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID\n\nChanges in v2:\n-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()\n-- add more commit text\n\nChanges in v3:\n-- add Stephen suggested\n-- dp_aux_isr() return IRQ_XXX back to caller\n-- dp_ctrl_isr() return IRQ_XXX back to caller\n\nChanges in v4:\n-- split into two patches\n\nChanges in v5:\n-- delete empty line between tags\n\nChanges in v6:\n-- remove extra \"that\" and fixed line more than 75 char at commit text\n\nPatchwork: https://patchwork.freedesktop.org/patch/516121/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48898" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48899", + "dataSource": "https://ubuntu.com/security/CVE-2022-48899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48899", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/011ecdbcd520c90c344b872ca6b4821f7783b2f8", + "https://git.kernel.org/stable/c/19ec87d06acfab2313ee82b2a689bf0c154e57ea", + "https://git.kernel.org/stable/c/52531258318ed59a2dc5a43df2eaf0eb1d65438e", + "https://git.kernel.org/stable/c/68bcd063857075d2f9edfed6024387ac377923e2", + "https://git.kernel.org/stable/c/adc48e5e408afbb01d261bd303fd9fbbbaa3e317", + "https://git.kernel.org/stable/c/d01d6d2b06c0d8390adf8f3ba08aa60b5642ef73" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Fix GEM handle creation UAF\n\nUserspace can guess the handle value and try to race GEM object creation\nwith handle close, resulting in a use-after-free if we dereference the\nobject after dropping the handle's reference. For that reason, dropping\nthe handle's reference must be done *after* we are done dereferencing\nthe object.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48900", + "dataSource": "https://ubuntu.com/security/CVE-2022-48900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48900" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48900", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2022-48929", + "dataSource": "https://ubuntu.com/security/CVE-2022-48929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2022-48929" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-48929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48929", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1", + "https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae", + "https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to out of bounds access into reg2btf_ids.\n\nWhen commit e6ac2450d6de (\"bpf: Support bpf program calling kernel function\") added\nkfunc support, it defined reg2btf_ids as a cheap way to translate the verifier\nreg type to the appropriate btf_vmlinux BTF ID, however\ncommit c25b2ae13603 (\"bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL\")\nmoved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after\nthe base register types, and defined other variants using type flag\ncomposition. However, now, the direct usage of reg->type to index into\nreg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to\nout of bounds access and kernel crash on dereference of bad pointer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2022-48929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-0030", + "dataSource": "https://ubuntu.com/security/CVE-2023-0030", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-0030" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-0030", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0030", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2157270", + "https://github.com/torvalds/linux/commit/729eba3355674f2d9524629b73683ba1d1cd3f10", + "https://security.netapp.com/advisory/ntap-20230413-0010/" + ], + "description": "A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-0030" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-0160", + "dataSource": "https://ubuntu.com/security/CVE-2023-0160", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-0160" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-0160", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2023-0160", + "https://bugzilla.redhat.com/show_bug.cgi?id=2159764", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed17aa92dc56", + "https://lore.kernel.org/all/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/" + ], + "description": "A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-0160" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-1193", + "dataSource": "https://ubuntu.com/security/CVE-2023-1193", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-1193" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-1193", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-1193", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2023-1193", + "https://bugzilla.redhat.com/show_bug.cgi?id=2154177", + "https://lkml.kernel.org/linux-cifs/20230401084951.6085-2-linkinjeon@kernel.org/T/" + ], + "description": "A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-1193" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-1872", + "dataSource": "https://ubuntu.com/security/CVE-2023-1872", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-1872" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-1872", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-1872", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html", + "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=08681391b84da27133deefaaddefd0acfa90c2be", + "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=da24142b1ef9fd5d36b76e36bab328a5b27523e8", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html", + "https://security.netapp.com/advisory/ntap-20230601-0002/" + ], + "description": "A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\n\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\n\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "cve-coordination@google.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-1872" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-1989", + "dataSource": "https://ubuntu.com/security/CVE-2023-1989", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-1989" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-1989", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-1989", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=f132c2d13088", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html", + "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html", + "https://security.netapp.com/advisory/ntap-20230601-0004/", + "https://www.debian.org/security/2023/dsa-5492" + ], + "description": "A use-after-free flaw was found in btsdio_remove in drivers\\bluetooth\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-1989" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-2007", + "dataSource": "https://ubuntu.com/security/CVE-2023-2007", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-2007" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-2007", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-2007", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/torvalds/linux/commit/b04e75a4a8a81887386a0d2dbf605a48e779d2a0", + "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html", + "https://security.netapp.com/advisory/ntap-20240119-0011/", + "https://www.debian.org/security/2023/dsa-5480" + ], + "description": "The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-2007" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-20569", + "dataSource": "https://ubuntu.com/security/CVE-2023-20569", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2023-20569" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-20569", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-20569", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2023/08/08/4", + "http://xenbits.xen.org/xsa/advisory-434.html", + "https://comsec.ethz.ch/research/microarch/inception/", + "https://lists.debian.org/debian-lts-announce/2023/08/msg00013.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HKKYIK2EASDNUV4I7EFJKNBVO3KCKGRR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4E4TZNMLYL2KETY23IPA43QXFAVJ46V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKK3IA63LSKM4EC3TN4UM6DDEIOWEQIG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7WO5JM74YJSYAE5RBV4DC6A4YLEKWLF/", + "https://security.netapp.com/advisory/ntap-20240605-0006/", + "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-7005", + "https://www.debian.org/security/2023/dsa-5475" + ], + "description": "\n\n\nA side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-20569" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-26242", + "dataSource": "https://ubuntu.com/security/CVE-2023-26242", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-26242" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-26242", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-26242", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.suse.com/show_bug.cgi?id=1208518", + "https://patchwork.kernel.org/project/linux-fpga/patch/20230206054326.89323-1-k1rh4.lee%40gmail.com", + "https://security.netapp.com/advisory/ntap-20230406-0002/" + ], + "description": "afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-26242" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-28327", + "dataSource": "https://ubuntu.com/security/CVE-2023-28327", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-28327" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-28327", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-28327", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2177382" + ], + "description": "A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-28327" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-31082", + "dataSource": "https://ubuntu.com/security/CVE-2023-31082", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-31082" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-31082", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.suse.com/show_bug.cgi?id=1210781", + "https://lore.kernel.org/all/CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ_7MNqhh483P5yN8A%40mail.gmail.com/", + "https://security.netapp.com/advisory/ntap-20230929-0003/" + ], + "description": "An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-31082" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-33053", + "dataSource": "https://ubuntu.com/security/CVE-2023-33053", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-33053" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-33053", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-33053", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin" + ], + "description": "Memory corruption in Kernel while parsing metadata.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "product-security@qualcomm.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-33053" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-3397", + "dataSource": "https://ubuntu.com/security/CVE-2023-3397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-3397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-3397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2023-3397", + "https://bugzilla.redhat.com/show_bug.cgi?id=2217271", + "https://www.spinics.net/lists/kernel/msg4788636.html" + ], + "description": "A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 6.3, + "exploitabilityScore": 1, + "impactScore": 5.2 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-3397" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-3640", + "dataSource": "https://ubuntu.com/security/CVE-2023-3640", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-3640" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-3640", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-3640", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2023-3640", + "https://bugzilla.redhat.com/show_bug.cgi?id=2217523" + ], + "description": "A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-3640" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-38417", + "dataSource": "https://ubuntu.com/security/CVE-2023-38417", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-38417" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-38417", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-38417", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html" + ], + "description": "Improper input validation for some Intel(R) PROSet/Wireless WiFi software before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "cvss": [ + { + "source": "secure@intel.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 2.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-38417" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-4010", + "dataSource": "https://ubuntu.com/security/CVE-2023-4010", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4010" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4010", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2023-4010", + "https://bugzilla.redhat.com/show_bug.cgi?id=2227726", + "https://github.com/wanrenmi/a-usb-kernel-bug" + ], + "description": "A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4010" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-4133", + "dataSource": "https://ubuntu.com/security/CVE-2023-4133", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2023-4133" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-4133", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2394", + "https://access.redhat.com/errata/RHSA-2024:2950", + "https://access.redhat.com/errata/RHSA-2024:3138", + "https://access.redhat.com/security/cve/CVE-2023-4133", + "https://bugzilla.redhat.com/show_bug.cgi?id=2221702" + ], + "description": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-4133" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-44452", + "dataSource": "https://ubuntu.com/security/CVE-2023-44452", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-44452" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-44452", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-44452", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://github.com/linuxmint/xreader/commit/cd678889ecfe4e84a5cbcf3a0489e15a5e2e3736", + "https://www.zerodayinitiative.com/advisories/ZDI-23-1836/" + ], + "description": "Linux Mint Xreader CBT File Parsing Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22132.", + "cvss": [ + { + "source": "zdi-disclosures@trendmicro.com", + "type": "Secondary", + "version": "3.0", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-44452" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-47210", + "dataSource": "https://ubuntu.com/security/CVE-2023-47210", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-47210" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-47210", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-47210", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html" + ], + "description": "Improper input validation for some Intel(R) PROSet/Wireless WiFi software for linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.", + "cvss": [ + { + "source": "secure@intel.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 2.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-47210" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52438", + "dataSource": "https://ubuntu.com/security/CVE-2023-52438", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52438" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52438", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52438", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3f489c2067c5824528212b0fc18b28d51332d906", + "https://git.kernel.org/stable/c/8ad4d580e8aff8de2a4d57c5930fcc29f1ffd4a6", + "https://git.kernel.org/stable/c/9fa04c93f24138747807fe75b5591bb680098f56", + "https://git.kernel.org/stable/c/a49087ab93508b60d9b8add91707a22dda832869", + "https://git.kernel.org/stable/c/a53e15e592b4dcc91c3a3b8514e484a0bdbc53a3", + "https://git.kernel.org/stable/c/c8c1158ffb007197f31f9d9170cf13e4f34cbb5c", + "https://git.kernel.org/stable/c/e074686e993ff1be5f21b085a3b1b4275ccd5727", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in shinker's callback\n\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\n\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n Read of size 8 at addr ffff356ed50e50f0 by task bash/478\n\n CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n zap_page_range_single+0x470/0x4b8\n binder_alloc_free_page+0x608/0xadc\n __list_lru_walk_one+0x130/0x3b0\n list_lru_walk_node+0xc4/0x22c\n binder_shrink_scan+0x108/0x1dc\n shrinker_debugfs_scan_write+0x2b4/0x500\n full_proxy_write+0xd4/0x140\n vfs_write+0x1ac/0x758\n ksys_write+0xf0/0x1dc\n __arm64_sys_write+0x6c/0x9c\n\n Allocated by task 492:\n kmem_cache_alloc+0x130/0x368\n vm_area_alloc+0x2c/0x190\n mmap_region+0x258/0x18bc\n do_mmap+0x694/0xa60\n vm_mmap_pgoff+0x170/0x29c\n ksys_mmap_pgoff+0x290/0x3a0\n __arm64_sys_mmap+0xcc/0x144\n\n Freed by task 491:\n kmem_cache_free+0x17c/0x3c8\n vm_area_free_rcu_cb+0x74/0x98\n rcu_core+0xa38/0x26d4\n rcu_core_si+0x10/0x1c\n __do_softirq+0x2fc/0xd24\n\n Last potentially related work creation:\n __call_rcu_common.constprop.0+0x6c/0xba0\n call_rcu+0x10/0x1c\n vm_area_free+0x18/0x24\n remove_vma+0xe4/0x118\n do_vmi_align_munmap.isra.0+0x718/0xb5c\n do_vmi_munmap+0xdc/0x1fc\n __vm_munmap+0x10c/0x278\n __arm64_sys_munmap+0x58/0x7c\n\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52438" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52439", + "dataSource": "https://ubuntu.com/security/CVE-2023-52439", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52439" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52439", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52439", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2", + "https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea", + "https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c", + "https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad", + "https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7", + "https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570", + "https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41", + "https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: Fix use-after-free in uio_open\n\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\n\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n freed.\n\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52439" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52452", + "dataSource": "https://ubuntu.com/security/CVE-2023-52452", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52452" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52452", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19", + "https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529", + "https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52452" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52475", + "dataSource": "https://ubuntu.com/security/CVE-2023-52475", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52475" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52475", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52475", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2efe67c581a2a6122b328d4bb6f21b3f36f40d46", + "https://git.kernel.org/stable/c/5aa514100aaf59868d745196258269a16737c7bd", + "https://git.kernel.org/stable/c/5c15c60e7be615f05a45cd905093a54b11f461bc", + "https://git.kernel.org/stable/c/67cace72606baf1758fd60feb358f4c6be92e1cc", + "https://git.kernel.org/stable/c/6a4a396386404e62fb59bc3bde48871a64a82b4f", + "https://git.kernel.org/stable/c/8677575c4f39d65bf0d719b5d20e8042e550ccb9", + "https://git.kernel.org/stable/c/cd2fbfd8b922b7fdd50732e47d797754ab59cb06", + "https://git.kernel.org/stable/c/e528b1b9d60743e0b26224e3fe7aa74c24b8b2f8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: powermate - fix use-after-free in powermate_config_complete\n\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct. When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\n\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\n\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52475" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52476", + "dataSource": "https://ubuntu.com/security/CVE-2023-52476", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52476" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52476", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52476", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3863989497652488a50f00e96de4331e5efabc6c", + "https://git.kernel.org/stable/c/403d201d1fd144cb249836dafb222f6375871c6c", + "https://git.kernel.org/stable/c/e53899771a02f798d436655efbd9d4b46c0f9265", + "https://git.kernel.org/stable/c/f71edacbd4f99c0e12fe4a4007ab4d687d0688db" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/lbr: Filter vsyscall addresses\n\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\n\n __insn_get_emulate_prefix()\n insn_get_emulate_prefix()\n insn_get_prefixes()\n insn_get_opcode()\n decode_branch_type()\n get_branch_type()\n intel_pmu_lbr_filter()\n intel_pmu_handle_irq()\n perf_event_nmi_handler()\n\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\n\n peek_nbyte_next(insn_byte_t, insn, i)\n\nWithin this macro, this dereference occurs:\n\n (insn)->next_byte\n\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\n\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52476" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52477", + "dataSource": "https://ubuntu.com/security/CVE-2023-52477", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52477" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52477", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52477", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/136f69a04e71ba3458d137aec3bb2ce1232c0289", + "https://git.kernel.org/stable/c/241f230324337ed5eae3846a554fb6d15169872c", + "https://git.kernel.org/stable/c/528f0ba9f7a4bc1b61c9b6eb591ff97ca37cac6b", + "https://git.kernel.org/stable/c/6ad3e9fd3632106696692232bf7ff88b9f7e1bc3", + "https://git.kernel.org/stable/c/8e7346bfea56453e31b7421c1c17ca2fb9ed613d", + "https://git.kernel.org/stable/c/c64e4dca9aefd232b17ac4c779b608b286654e81", + "https://git.kernel.org/stable/c/f74a7afc224acd5e922c7a2e52244d891bbe44ee", + "https://git.kernel.org/stable/c/fb9895ab9533534335fa83d70344b397ac862c81" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: hub: Guard against accesses to uninitialized BOS descriptors\n\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 \nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\n\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52477" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52478", + "dataSource": "https://ubuntu.com/security/CVE-2023-52478", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52478" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52478", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52478", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1", + "https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528", + "https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c", + "https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5", + "https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b", + "https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452", + "https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e", + "https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\n\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\n\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\n\nThis opens the following races (note the below code is simplified):\n\n1. Retrieving + printing the protocol (harmless race):\n\n\tif (!hidpp->protocol_major) {\n\t\thidpp_root_get_protocol_version()\n\t\thidpp->protocol_major = response.rap.params[0];\n\t}\n\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n\nTesting with extra logging added has shown that after this the 2 threads\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n\n2. Updating the name to the HIDPP name (harmless race):\n\n\tif (hidpp->name == hdev->name) {\n\t\t...\n\t\thidpp->name = new_name;\n\t}\n\n3. Initializing the power_supply class for the battery (problematic!):\n\nhidpp_initialize_battery()\n{\n if (hidpp->battery.ps)\n return 0;\n\n\tprobe_battery(); /* Blocks, threads take turns executing this */\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n}\n\n4. Creating delayed input_device (potentially problematic):\n\n\tif (hidpp->delayed_input)\n\t\treturn;\n\n\thidpp->delayed_input = hidpp_allocate_input(hdev);\n\nThe really big problem here is 3. Hitting the race leads to the following\nsequence:\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n\n\t...\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t &hidpp->battery.desc, cfg);\n\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace's pov but this is not even\nthe really big problem.\n\nNotice how:\n\n1. This is all devm-maganaged\n2. The hidpp->battery.desc struct is shared between the 2 power supplies\n3. hidpp->battery.desc.properties points to the result from the second\n devm_kmemdup()\n\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\n hidpp->battery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\n this involves sending a remove uevent to userspace which invokes\n power_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp->battery.desc.properties which\n now points to freed memory leading to backtraces like this one:\n\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel: \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52478" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52479", + "dataSource": "https://ubuntu.com/security/CVE-2023-52479", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52479" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52479", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52479", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/694e13732e830cbbfedb562e57f28644927c33fd", + "https://git.kernel.org/stable/c/8226ffc759ea59f10067b9acdf7f94bae1c69930", + "https://git.kernel.org/stable/c/c69813471a1ec081a0b9bf0c6bd7e8afd818afce", + "https://git.kernel.org/stable/c/d5b0e9d3563e7e314a850e81f42b2ef6f39882f9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix uaf in smb20_oplock_break_ack\n\ndrop reference after use opinfo.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52479" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52481", + "dataSource": "https://ubuntu.com/security/CVE-2023-52481", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52481" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52481", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52481", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25", + "https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513", + "https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\n\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\naffected Cortex-A520 core, a speculatively executed unprivileged load\nmight leak data from a privileged load via a cache side channel. The\nissue only exists for loads within a translation regime with the same\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\nthe return to EL0.\n\nThe workaround is to execute a TLBI before returning to EL0 after all\nloads of privileged data. A non-shareable TLBI to any address is\nsufficient.\n\nThe workaround isn't necessary if page table isolation (KPTI) is\nenabled, but for simplicity it will be. Page table isolation should\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\nand the E0PD feature (used when KASLR is enabled).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52481" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52482", + "dataSource": "https://ubuntu.com/security/CVE-2023-52482", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52482" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52482", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52482", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6ce2f297a7168274547d0b5aea6c7c16268b8a96", + "https://git.kernel.org/stable/c/a5ef7d68cea1344cf524f04981c2b3f80bedbb0d", + "https://git.kernel.org/stable/c/cf43b304b6952b549d58feabc342807b334f03d4", + "https://git.kernel.org/stable/c/e7ea043bc3f19473561c08565047b3f1671bf35d", + "https://git.kernel.org/stable/c/f090a8b4d2e3ec6f318d6fdab243a2edc5a8cc37", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/srso: Add SRSO mitigation for Hygon processors\n\nAdd mitigation for the speculative return stack overflow vulnerability\nwhich exists on Hygon processors too.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52482" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52483", + "dataSource": "https://ubuntu.com/security/CVE-2023-52483", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52483" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52483", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52483", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1db0724a01b558feb1ecae551782add1951a114a", + "https://git.kernel.org/stable/c/2405f64a95a7a094eb24cba9bcfaffd1ea264de4", + "https://git.kernel.org/stable/c/5093bbfc10ab6636b32728e35813cbd79feb063c", + "https://git.kernel.org/stable/c/6c52b12159049046483fdb0c411a0a1869c41a67" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: perform route lookups under a RCU read-side lock\n\nOur current route lookups (mctp_route_lookup and mctp_route_lookup_null)\ntraverse the net's route list without the RCU read lock held. This means\nthe route lookup is subject to preemption, resulting in an potential\ngrace period expiry, and so an eventual kfree() while we still have the\nroute pointer.\n\nAdd the proper read-side critical section locks around the route\nlookups, preventing premption and a possible parallel kfree.\n\nThe remaining net->mctp.routes accesses are already under a\nrcu_read_lock, or protected by the RTNL for updates.\n\nBased on an analysis from Sili Luo , where\nintroducing a delay in the route lookup could cause a UAF on\nsimultaneous sendmsg() and route deletion.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52483" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52484", + "dataSource": "https://ubuntu.com/security/CVE-2023-52484", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52484" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52484", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52484", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3283a1bce9bbc978059f790b84f3c10c32492429", + "https://git.kernel.org/stable/c/d5afb4b47e13161b3f33904d45110f9e6463bad6", + "https://git.kernel.org/stable/c/f5a604757aa8e37ea9c7011dc9da54fa1b30f29b", + "https://git.kernel.org/stable/c/f90f4c562003ac3d3b135c5a40a5383313f27264" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\n\nWhen running an SVA case, the following soft lockup is triggered:\n--------------------------------------------------------------------\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\nsp : ffff8000d83ef290\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\nx26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\n __arm_smmu_tlb_inv_range+0x118/0x254\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\n arm_smmu_mm_invalidate_range+0xa0/0xa4\n __mmu_notifier_invalidate_range_end+0x88/0x120\n unmap_vmas+0x194/0x1e0\n unmap_region+0xb4/0x144\n do_mas_align_munmap+0x290/0x490\n do_mas_munmap+0xbc/0x124\n __vm_munmap+0xa8/0x19c\n __arm64_sys_munmap+0x28/0x50\n invoke_syscall+0x78/0x11c\n el0_svc_common.constprop.0+0x58/0x1c0\n do_el0_svc+0x34/0x60\n el0_svc+0x2c/0xd4\n el0t_64_sync_handler+0x114/0x140\n el0t_64_sync+0x1a4/0x1a8\n--------------------------------------------------------------------\n\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\nto \"arm_smmu_mm_arch_invalidate_secondary_tlbs\", yet the problem remains.\n\nThe commit 06ff87bae8d3 (\"arm64: mm: remove unused functions and variable\nprotoypes\") fixed a similar lockup on the CPU MMU side. Yet, it can occur\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\ntypically next to MMU tlb flush function, e.g.\n\ttlb_flush_mmu_tlbonly {\n\t\ttlb_flush {\n\t\t\t__flush_tlb_range {\n\t\t\t\t// check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t\tmmu_notifier_arch_invalidate_secondary_tlbs {\n\t\t\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\n\t\t\t\t// does not check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t}\n\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\nTLBI command, if the request size hits this threshold.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52484" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52485", + "dataSource": "https://ubuntu.com/security/CVE-2023-52485", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52485" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52485", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52485", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/303197775a97416b62d4da69280d0c120a20e009", + "https://git.kernel.org/stable/c/8892780834ae294bc3697c7d0e056d7743900b39" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before sending a command\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nFor functions that execute within a DC context or DC lock we can\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\nexits idle power optimizations and reallows once we're done with\nthe command submission on success.\n\nFor DM direct submissions the DM will need to manage the enter/exit\nsequencing manually.\n\nWe cannot invoke a DMCUB command directly within the DM execution\nhelper or we can deadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52485" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52488", + "dataSource": "https://ubuntu.com/security/CVE-2023-52488", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52488" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52488", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52488", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/084c24e788d9cf29c55564de368bf5284f2bb5db", + "https://git.kernel.org/stable/c/416b10d2817c94db86829fb92ad43ce7d002c573", + "https://git.kernel.org/stable/c/4e37416e4ee1b1bc17364a68973e0c63be89e611", + "https://git.kernel.org/stable/c/aa7cb4787698add9367b19f7afc667662c9bdb23", + "https://git.kernel.org/stable/c/dbf4ab821804df071c8b566d9813083125e6d97b", + "https://git.kernel.org/stable/c/e635f652696ef6f1230621cfd89c350cb5ec6169", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO\n\nThe SC16IS7XX IC supports a burst mode to access the FIFOs where the\ninitial register address is sent ($00), followed by all the FIFO data\nwithout having to resend the register address each time. In this mode, the\nIC doesn't increment the register address for each R/W byte.\n\nThe regmap_raw_read() and regmap_raw_write() are functions which can\nperform IO over multiple registers. They are currently used to read/write\nfrom/to the FIFO, and although they operate correctly in this burst mode on\nthe SPI bus, they would corrupt the regmap cache if it was not disabled\nmanually. The reason is that when the R/W size is more than 1 byte, these\nfunctions assume that the register address is incremented and handle the\ncache accordingly.\n\nConvert FIFO R/W functions to use the regmap _noinc_ versions in order to\nremove the manual cache control which was a workaround when using the\n_raw_ versions. FIFO registers are properly declared as volatile so\ncache will not be used/updated for FIFO accesses.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2023-52488" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52499", + "dataSource": "https://ubuntu.com/security/CVE-2023-52499", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52499" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52499", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52499", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820", + "https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746", + "https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3", + "https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/47x: Fix 47x syscall return crash\n\nEddie reported that newer kernels were crashing during boot on his 476\nFSP2 system:\n\n kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)\n BUG: Unable to handle kernel instruction fetch\n Faulting instruction address: 0xb7ee2000\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K FSP-2\n Modules linked in:\n CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1\n Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2\n NIP: b7ee2000 LR: 8c008000 CTR: 00000000\n REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fs p2)\n MSR: 00000030 CR: 00001000 XER: 20000000\n GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000\n GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000\n GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0\n GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0\n NIP [b7ee2000] 0xb7ee2000\n LR [8c008000] 0x8c008000\n Call Trace:\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n ---[ end trace 0000000000000000 ]---\n\nThe problem is in ret_from_syscall where the check for\nicache_44x_need_flush is done. When the flush is needed the code jumps\nout-of-line to do the flush, and then intends to jump back to continue\nthe syscall return.\n\nHowever the branch back to label 1b doesn't return to the correct\nlocation, instead branching back just prior to the return to userspace,\ncausing bogus register values to be used by the rfi.\n\nThe breakage was introduced by commit 6f76a01173cc\n(\"powerpc/syscall: implement system call entry/exit logic in C for PPC32\") which\ninadvertently removed the \"1\" label and reused it elsewhere.\n\nFix it by adding named local labels in the correct locations. Note that\nthe return label needs to be outside the ifdef so that CONFIG_PPC_47x=n\ncompiles.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52499" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52500", + "dataSource": "https://ubuntu.com/security/CVE-2023-52500", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52500" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52500", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52500", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2259e1901b2d8c0e8538fc99e77de443b939e749", + "https://git.kernel.org/stable/c/22e6d783a33015bcdf0979015e4eac603912bea7", + "https://git.kernel.org/stable/c/2afd8fcee0c4d65a482e30c3ad2a92c25e5e92d4", + "https://git.kernel.org/stable/c/c13e7331745852d0dd7c35eabbe181cbd5b01172", + "https://git.kernel.org/stable/c/d540a4370aba378fbedf349ba0bb68e96e24243d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\n\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52500" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52501", + "dataSource": "https://ubuntu.com/security/CVE-2023-52501", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52501" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52501", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52501", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/344f2f3e61a90f0150c754796ec9a17fcaeec03d", + "https://git.kernel.org/stable/c/75fc9e99b3a71006720ad1e029db11a4b5c32d4a", + "https://git.kernel.org/stable/c/95a404bd60af6c4d9d8db01ad14fe8957ece31ca", + "https://git.kernel.org/stable/c/b08a4938229dbb530a35c41b83002a1457c6ff49", + "https://git.kernel.org/stable/c/cee5151c5410e868826b8afecfb356f3799ebea3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not attempt to read past \"commit\"\n\nWhen iterating over the ring buffer while the ring buffer is active, the\nwriter can corrupt the reader. There's barriers to help detect this and\nhandle it, but that code missed the case where the last event was at the\nvery end of the page and has only 4 bytes left.\n\nThe checks to detect the corruption by the writer to reads needs to see the\nlength of the event. If the length in the first 4 bytes is zero then the\nlength is stored in the second 4 bytes. But if the writer is in the process\nof updating that code, there's a small window where the length in the first\n4 bytes could be zero even though the length is only 4 bytes. That will\ncause rb_event_length() to read the next 4 bytes which could happen to be off the\nallocated page.\n\nTo protect against this, fail immediately if the next event pointer is\nless than 8 bytes from the end of the commit (last byte of data), as all\nevents must be a minimum of 8 bytes anyway.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52501" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52502", + "dataSource": "https://ubuntu.com/security/CVE-2023-52502", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52502" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52502", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52502", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/31c07dffafce914c1d1543c135382a11ff058d93", + "https://git.kernel.org/stable/c/6ac22ecdaad2ecc662048f8c6b0ceb1ca0699ef9", + "https://git.kernel.org/stable/c/7adcf014bda16cdbf804af5c164d94d5d025db2d", + "https://git.kernel.org/stable/c/d1af8a39cf839d93c8967fdd858f6bbdc3e4a15c", + "https://git.kernel.org/stable/c/d888d3f70b0de32b4f51534175f039ddab15eef8", + "https://git.kernel.org/stable/c/e4f2611f07c87b3ddb57c4b9e8efcd1e330fc3dc", + "https://git.kernel.org/stable/c/e863f5720a5680e50c4cecf12424d7cc31b3eb0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\n\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\n\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\n\nnfc_llcp_sock_get_sn() has a similar problem.\n\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52502" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52503", + "dataSource": "https://ubuntu.com/security/CVE-2023-52503", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52503" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52503", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52503", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1680c82929bc14d706065f123dab77f2f1293116", + "https://git.kernel.org/stable/c/1c95574350cd63bc3c5c2fa06658010768f2a0ce", + "https://git.kernel.org/stable/c/60c3e7a00db954947c265b55099c21b216f2a05c", + "https://git.kernel.org/stable/c/da7ce52a2f6c468946195b116615297d3d113a27", + "https://git.kernel.org/stable/c/f4384b3e54ea813868bb81a861bf5b2406e15d8f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\n\nThere is a potential race condition in amdtee_close_session that may\ncause use-after-free in amdtee_open_session. For instance, if a session\nhas refcount == 1, and one thread tries to free this session via:\n\n kref_put(&sess->refcount, destroy_session);\n\nthe reference count will get decremented, and the next step would be to\ncall destroy_session(). However, if in another thread,\namdtee_open_session() is called before destroy_session() has completed\nexecution, alloc_session() may return 'sess' that will be freed up\nlater in destroy_session() leading to use-after-free in\namdtee_open_session.\n\nTo fix this issue, treat decrement of sess->refcount and removal of\n'sess' from session list in destroy_session() as a critical section, so\nthat it is executed atomically.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52503" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52504", + "dataSource": "https://ubuntu.com/security/CVE-2023-52504", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52504" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52504", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52504", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3719d3c36aa853d5a2401af9f8d6b116c91ad5ae", + "https://git.kernel.org/stable/c/3770c38cd6a60494da29ac2da73ff8156440a2d1", + "https://git.kernel.org/stable/c/5b784489c8158518bf7a466bb3cc045b0fb66b4b", + "https://git.kernel.org/stable/c/6788b10620ca6e98575d1e06e72a8974aad7657e", + "https://git.kernel.org/stable/c/cd287cc208dfe6bd6da98e7f88e723209242c9b4", + "https://git.kernel.org/stable/c/d35652a5fc9944784f6f50a5c979518ff8dacf61", + "https://git.kernel.org/stable/c/ecba5afe86f30605eb9dfb7f265a8de0218d4cfc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/alternatives: Disable KASAN in apply_alternatives()\n\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\n\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\n\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\n\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\n\nFix it for real by disabling KASAN while the kernel is patching alternatives.\n\n[ mingo: updated the changelog ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52504" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52507", + "dataSource": "https://ubuntu.com/security/CVE-2023-52507", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52507" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52507", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52507", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/25dd54b95abfdca423b65a4ee620a774777d8213", + "https://git.kernel.org/stable/c/2c231a247a1d1628e41fa1eefd1a5307c41c5f53", + "https://git.kernel.org/stable/c/354a6e707e29cb0c007176ee5b8db8be7bd2dee0", + "https://git.kernel.org/stable/c/6584eba7688dcf999542778b07f63828c21521da", + "https://git.kernel.org/stable/c/853dda54ba59ea70d5580a298b7ede4707826848", + "https://git.kernel.org/stable/c/95733ea130e35ef9ec5949a5908dde3feaba92cb", + "https://git.kernel.org/stable/c/a424807d860ba816aaafc3064b46b456361c0802", + "https://git.kernel.org/stable/c/a686f84101680b8442181a8846fbd3c934653729" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: assert requested protocol is valid\n\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52507" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52508", + "dataSource": "https://ubuntu.com/security/CVE-2023-52508", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52508" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52508", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52508", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8ae5b3a685dc59a8cf7ccfe0e850999ba9727a3c", + "https://git.kernel.org/stable/c/be90c9e29dd59b7d19a73297a1590ff3ec1d22ea", + "https://git.kernel.org/stable/c/dd46b3ac7322baf3772b33b29726e94f98289db7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()\n\nThe nvme_fc_fcp_op structure describing an AEN operation is initialized with a\nnull request structure pointer. An FC LLDD may make a call to\nnvme_fc_io_getuuid passing a pointer to an nvmefc_fcp_req for an AEN operation.\n\nAdd validation of the request structure pointer before dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52508" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52509", + "dataSource": "https://ubuntu.com/security/CVE-2023-52509", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52509" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52509", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52509", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705", + "https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89", + "https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6", + "https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5", + "https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965", + "https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\n\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\n\nCPU0\t\t\tCPU1\n\t\t\travb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\n\t\t\travb_tx_timeout_work()\n\t\t\t// use priv\n\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. So that .ndo_tx_timeout() will not be called\nafter phy_stop().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52509" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52510", + "dataSource": "https://ubuntu.com/security/CVE-2023-52510", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52510" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52510", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52510", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/217efe32a45249eb07dcd7197e8403de98345e66", + "https://git.kernel.org/stable/c/28b68cba378e3e50a4082b65f262bc4f2c7c2add", + "https://git.kernel.org/stable/c/55e06850c7894f00d41b767c5f5665459f83f58f", + "https://git.kernel.org/stable/c/84c6aa0ae5c4dc121f9996bb8fed46c80909d80e", + "https://git.kernel.org/stable/c/85c2857ef90041f567ce98722c1c342c4d31f4bc", + "https://git.kernel.org/stable/c/becf5c147198f4345243c5df0c4f035415491640", + "https://git.kernel.org/stable/c/cdb46be93c1f7bbf2c4649e9fc5fb147cfb5245d", + "https://git.kernel.org/stable/c/f990874b1c98fe8e57ee9385669f501822979258" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\n\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\n\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52510" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52511", + "dataSource": "https://ubuntu.com/security/CVE-2023-52511", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52511" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52511", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52511", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/171f8a49f212e87a8b04087568e1b3d132e36a18", + "https://git.kernel.org/stable/c/b3c21c9c7289692f4019f163c3b06d8bdf78b355", + "https://git.kernel.org/stable/c/e15bb292b24630ee832bfc7fd616bd72c7682bbb", + "https://git.kernel.org/stable/c/ff05ed4ae214011464a0156f05cac1b0b46b5fbc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: reduce DMA RX transfer width to single byte\n\nThrough empirical testing it has been determined that sometimes RX SPI\ntransfers with DMA enabled return corrupted data. This is down to single\nor even multiple bytes lost during DMA transfer from SPI peripheral to\nmemory. It seems the RX FIFO within the SPI peripheral can become\nconfused when performing bus read accesses wider than a single byte to it\nduring an active SPI transfer.\n\nThis patch reduces the width of individual DMA read accesses to the\nRX FIFO to a single byte to mitigate that issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52511" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52516", + "dataSource": "https://ubuntu.com/security/CVE-2023-52516", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52516" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52516", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52516", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/ac0d068099349cbca3d93f2e3b15bb329364b08c", + "https://git.kernel.org/stable/c/be8f49029eca3efbad0d74dbff3cb9129994ffab", + "https://git.kernel.org/stable/c/c79300599923daaa30f417c75555d5566b3d31ae", + "https://git.kernel.org/stable/c/fb5a4315591dae307a65fc246ca80b5159d296e1", + "https://git.kernel.org/stable/c/fe2b811a02c3244ebf6059039e4a9e715e26a9e3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock\n\n__dma_entry_alloc_check_leak() calls into printk -> serial console\noutput (qcom geni) and grabs port->lock under free_entries_lock\nspin lock, which is a reverse locking dependency chain as qcom_geni\nIRQ handler can call into dma-debug code and grab free_entries_lock\nunder port->lock.\n\nMove __dma_entry_alloc_check_leak() call out of free_entries_lock\nscope so that we don't acquire serial console's port->lock under it.\n\nTrimmed-down lockdep splat:\n\n The existing dependency chain (in reverse order) is:\n\n -> #2 (free_entries_lock){-.-.}-{2:2}:\n _raw_spin_lock_irqsave+0x60/0x80\n dma_entry_alloc+0x38/0x110\n debug_dma_map_page+0x60/0xf8\n dma_map_page_attrs+0x1e0/0x230\n dma_map_single_attrs.constprop.0+0x6c/0xc8\n geni_se_rx_dma_prep+0x40/0xcc\n qcom_geni_serial_isr+0x310/0x510\n __handle_irq_event_percpu+0x110/0x244\n handle_irq_event_percpu+0x20/0x54\n handle_irq_event+0x50/0x88\n handle_fasteoi_irq+0xa4/0xcc\n handle_irq_desc+0x28/0x40\n generic_handle_domain_irq+0x24/0x30\n gic_handle_irq+0xc4/0x148\n do_interrupt_handler+0xa4/0xb0\n el1_interrupt+0x34/0x64\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x64/0x68\n arch_local_irq_enable+0x4/0x8\n ____do_softirq+0x18/0x24\n ...\n\n -> #1 (&port_lock_key){-.-.}-{2:2}:\n _raw_spin_lock_irqsave+0x60/0x80\n qcom_geni_serial_console_write+0x184/0x1dc\n console_flush_all+0x344/0x454\n console_unlock+0x94/0xf0\n vprintk_emit+0x238/0x24c\n vprintk_default+0x3c/0x48\n vprintk+0xb4/0xbc\n _printk+0x68/0x90\n register_console+0x230/0x38c\n uart_add_one_port+0x338/0x494\n qcom_geni_serial_probe+0x390/0x424\n platform_probe+0x70/0xc0\n really_probe+0x148/0x280\n __driver_probe_device+0xfc/0x114\n driver_probe_device+0x44/0x100\n __device_attach_driver+0x64/0xdc\n bus_for_each_drv+0xb0/0xd8\n __device_attach+0xe4/0x140\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x44/0xb0\n device_add+0x538/0x668\n of_device_add+0x44/0x50\n of_platform_device_create_pdata+0x94/0xc8\n of_platform_bus_create+0x270/0x304\n of_platform_populate+0xac/0xc4\n devm_of_platform_populate+0x60/0xac\n geni_se_probe+0x154/0x160\n platform_probe+0x70/0xc0\n ...\n\n -> #0 (console_owner){-...}-{0:0}:\n __lock_acquire+0xdf8/0x109c\n lock_acquire+0x234/0x284\n console_flush_all+0x330/0x454\n console_unlock+0x94/0xf0\n vprintk_emit+0x238/0x24c\n vprintk_default+0x3c/0x48\n vprintk+0xb4/0xbc\n _printk+0x68/0x90\n dma_entry_alloc+0xb4/0x110\n debug_dma_map_sg+0xdc/0x2f8\n __dma_map_sg_attrs+0xac/0xe4\n dma_map_sgtable+0x30/0x4c\n get_pages+0x1d4/0x1e4 [msm]\n msm_gem_pin_pages_locked+0x38/0xac [msm]\n msm_gem_pin_vma_locked+0x58/0x88 [msm]\n msm_ioctl_gem_submit+0xde4/0x13ac [msm]\n drm_ioctl_kernel+0xe0/0x15c\n drm_ioctl+0x2e8/0x3f4\n vfs_ioctl+0x30/0x50\n ...\n\n Chain exists of:\n console_owner --> &port_lock_key --> free_entries_lock\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(free_entries_lock);\n lock(&port_lock_key);\n lock(free_entries_lock);\n lock(console_owner);\n\n *** DEADLOCK ***\n\n Call trace:\n dump_backtrace+0xb4/0xf0\n show_stack+0x20/0x30\n dump_stack_lvl+0x60/0x84\n dump_stack+0x18/0x24\n print_circular_bug+0x1cc/0x234\n check_noncircular+0x78/0xac\n __lock_acquire+0xdf8/0x109c\n lock_acquire+0x234/0x284\n console_flush_all+0x330/0x454\n consol\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52516" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52517", + "dataSource": "https://ubuntu.com/security/CVE-2023-52517", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52517" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52517", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52517", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d", + "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209", + "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097", + "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\n\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\nread any data remaining in FIFO to the RX buffer. This behaviour is\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\ntransfer complete interrupt still fires as soon as all bytes to be\ntransferred have been stored in the FIFO. At that point data in the FIFO\nstill needs to be picked up by the DMA engine. Thus the drain procedure\nand DMA engine end up racing to read from RX FIFO, corrupting any data\nread. Additionally the RX buffer pointer is never adjusted according to\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\nmode is a bug.\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\nAlso wait for completion of RX DMA when in DMA mode before returning to\nensure all data has been copied to the supplied memory buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52517" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52522", + "dataSource": "https://ubuntu.com/security/CVE-2023-52522", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52522" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52522", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52522", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/147d89ee41434b97043c2dcb17a97dc151859baa", + "https://git.kernel.org/stable/c/25563b581ba3a1f263a00e8c9a97f5e7363be6fd", + "https://git.kernel.org/stable/c/2ea52a2fb8e87067e26bbab4efb8872639240eb0", + "https://git.kernel.org/stable/c/95eabb075a5902f4c0834ab1fb12dc35730c05af", + "https://git.kernel.org/stable/c/a75152d233370362eebedb2643592e7c883cc9fc", + "https://git.kernel.org/stable/c/f82aac8162871e87027692b36af335a2375d4580" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix possible store tearing in neigh_periodic_work()\n\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\n\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\n\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52522" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52524", + "dataSource": "https://ubuntu.com/security/CVE-2023-52524", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52524" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52524", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52524", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/191d87a19cf1005ecf41e1ae08d74e17379e8391", + "https://git.kernel.org/stable/c/29c16c2bf5866326d5fbc4a537b3997fcac23391", + "https://git.kernel.org/stable/c/4837a192f6d06d5bb2f3f47d6ce5353ab69bf86b", + "https://git.kernel.org/stable/c/7562780e32b84196731d57dd24563546fcf6d082", + "https://git.kernel.org/stable/c/dba849cc98113b145c6e720122942c00b8012bdb", + "https://git.kernel.org/stable/c/dfc7f7a988dad34c3bf4c053124fb26aa6c5f916" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: llcp: Add lock when modifying device list\n\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52524" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52527", + "dataSource": "https://ubuntu.com/security/CVE-2023-52527", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52527" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52527", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52527", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1fc793d68d50dee4782ef2e808913d5dd880bcc6", + "https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59", + "https://git.kernel.org/stable/c/7626b9fed53092aa2147978070e610ecb61af844", + "https://git.kernel.org/stable/c/96b2e1090397217839fcd6c9b6d8f5d439e705ed", + "https://git.kernel.org/stable/c/9d4c75800f61e5d75c1659ba201b6c0c7ead3070", + "https://git.kernel.org/stable/c/cd1189956393bf850b2e275e37411855d3bd86bb", + "https://git.kernel.org/stable/c/f6a7182179c0ed788e3755ee2ed18c888ddcc33f", + "https://git.kernel.org/stable/c/fe80658c08e3001c80c5533cd41abfbb0e0e28fd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()\n\nIncluding the transhdrlen in length is a problem when the packet is\npartially filled (e.g. something like send(MSG_MORE) happened previously)\nwhen appending to an IPv4 or IPv6 packet as we don't want to repeat the\ntransport header or account for it twice. This can happen under some\ncircumstances, such as splicing into an L2TP socket.\n\nThe symptom observed is a warning in __ip6_append_data():\n\n WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800\n\nthat occurs when MSG_SPLICE_PAGES is used to append more data to an already\npartially occupied skbuff. The warning occurs when 'copy' is larger than\nthe amount of data in the message iterator. This is because the requested\nlength includes the transport header length when it shouldn't. This can be\ntriggered by, for example:\n\n sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);\n bind(sfd, ...); // ::1\n connect(sfd, ...); // ::1 port 7\n send(sfd, buffer, 4100, MSG_MORE);\n sendfile(sfd, dfd, NULL, 1024);\n\nFix this by only adding transhdrlen into the length if the write queue is\nempty in l2tp_ip6_sendmsg(), analogously to how UDP does things.\n\nl2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds\nthe UDP packet itself.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52527" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52528", + "dataSource": "https://ubuntu.com/security/CVE-2023-52528", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52528" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52528", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52528", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2a36d9e2995c8c3c3f179aab1215a69cff06cbed", + "https://git.kernel.org/stable/c/30bc4d7aebe33904b0f2d3aad4b4a9c6029ad0c5", + "https://git.kernel.org/stable/c/310f1c92f65ad905b7e81fe14de82d979ebbd825", + "https://git.kernel.org/stable/c/3e0af6eec1789fd11934164a7f4dbcad979855a4", + "https://git.kernel.org/stable/c/4931e80da9463b03bfe42be54a9a19f213b0f76d", + "https://git.kernel.org/stable/c/9ffc5018020fe646795a8dc1203224b8f776dc09", + "https://git.kernel.org/stable/c/cda10784a176d7192f08ecb518f777a4e9575812", + "https://git.kernel.org/stable/c/e9c65989920f7c28775ec4e0c11b483910fb67b8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\n\nsyzbot reported the following uninit-value access issue:\n\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\n\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\n\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52528" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52531", + "dataSource": "https://ubuntu.com/security/CVE-2023-52531", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52531" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52531", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52531", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6b3223449c959a8be94a1f042288059e40fcccb0", + "https://git.kernel.org/stable/c/7c8faa31080342aec4903c9acb20caf82fcca1ef", + "https://git.kernel.org/stable/c/8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d", + "https://git.kernel.org/stable/c/f06cdd8d4ba5252986f51f80cc30263636397128" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: Fix a memory corruption issue\n\nA few lines above, space is kzalloc()'ed for:\n\tsizeof(struct iwl_nvm_data) +\n\tsizeof(struct ieee80211_channel) +\n\tsizeof(struct ieee80211_rate)\n\n'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.\n\nAt the end of this structure, there is the 'channels' flex array.\nEach element is of type 'struct ieee80211_channel'.\nSo only 1 element is allocated in this array.\n\nWhen doing:\n mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;\nWe point at the first element of the 'channels' flex array.\nSo this is fine.\n\nHowever, when doing:\n mvm->nvm_data->bands[0].bitrates =\n\t\t\t(void *)((u8 *)mvm->nvm_data->channels + 1);\nbecause of the \"(u8 *)\" cast, we add only 1 to the address of the beginning\nof the flex array.\n\nIt is likely that we want point at the 'struct ieee80211_rate' allocated\njust after.\n\nRemove the spurious casting so that the pointer arithmetic works as\nexpected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52531" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52532", + "dataSource": "https://ubuntu.com/security/CVE-2023-52532", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52532" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52532", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52532", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/a910e0f6304726da30a212feecec65cb97ff7a80", + "https://git.kernel.org/stable/c/b2b000069a4c307b09548dc2243f31f3ca0eac9c", + "https://git.kernel.org/stable/c/b67d7b1bfc46d05c1a58b172516454698e8d5004" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix TX CQE error handling\n\nFor an unknown TX CQE error type (probably from a newer hardware),\nstill free the SKB, update the queue tail, etc., otherwise the\naccounting will be wrong.\n\nAlso, TX errors can be triggered by injecting corrupted packets, so\nreplace the WARN_ONCE to ratelimited error logging.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52532" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52559", + "dataSource": "https://ubuntu.com/security/CVE-2023-52559", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52559" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52559", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52559", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29298c85a81abdc512e87537515ed4b1a9601d0e", + "https://git.kernel.org/stable/c/496c591f0b389eb782f36d9d4c2564b9a865eed0", + "https://git.kernel.org/stable/c/59df44bfb0ca4c3ee1f1c3c5d0ee8e314844799e", + "https://git.kernel.org/stable/c/c12ef025add77ca3a0902e8719d552b6d47b4282" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Avoid memory allocation in iommu_suspend()\n\nThe iommu_suspend() syscore suspend callback is invoked with IRQ disabled.\nAllocating memory with the GFP_KERNEL flag may re-enable IRQs during\nthe suspend callback, which can cause intermittent suspend/hibernation\nproblems with the following kernel traces:\n\nCalling iommu_suspend+0x0/0x1d0\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 15 at kernel/time/timekeeping.c:868 ktime_get+0x9b/0xb0\n...\nCPU: 0 PID: 15 Comm: rcu_preempt Tainted: G U E 6.3-intel #r1\nRIP: 0010:ktime_get+0x9b/0xb0\n...\nCall Trace:\n \n tick_sched_timer+0x22/0x90\n ? __pfx_tick_sched_timer+0x10/0x10\n __hrtimer_run_queues+0x111/0x2b0\n hrtimer_interrupt+0xfa/0x230\n __sysvec_apic_timer_interrupt+0x63/0x140\n sysvec_apic_timer_interrupt+0x7b/0xa0\n \n \n asm_sysvec_apic_timer_interrupt+0x1f/0x30\n...\n------------[ cut here ]------------\nInterrupts enabled after iommu_suspend+0x0/0x1d0\nWARNING: CPU: 0 PID: 27420 at drivers/base/syscore.c:68 syscore_suspend+0x147/0x270\nCPU: 0 PID: 27420 Comm: rtcwake Tainted: G U W E 6.3-intel #r1\nRIP: 0010:syscore_suspend+0x147/0x270\n...\nCall Trace:\n \n hibernation_snapshot+0x25b/0x670\n hibernate+0xcd/0x390\n state_store+0xcf/0xe0\n kobj_attr_store+0x13/0x30\n sysfs_kf_write+0x3f/0x50\n kernfs_fop_write_iter+0x128/0x200\n vfs_write+0x1fd/0x3c0\n ksys_write+0x6f/0xf0\n __x64_sys_write+0x1d/0x30\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nGiven that only 4 words memory is needed, avoid the memory allocation in\niommu_suspend().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52559" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52561", + "dataSource": "https://ubuntu.com/security/CVE-2023-52561", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52561" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52561", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52561", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/110e70fccce4f22b53986ae797d665ffb1950aa6", + "https://git.kernel.org/stable/c/82dacd0ca0d9640723824026d6fdf773c02de1d2", + "https://git.kernel.org/stable/c/dc1ab6577475b0460ba4261cd9caec37bd62ca0b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\n\nAdding a reserved memory region for the framebuffer memory\n(the splash memory region set up by the bootloader).\n\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\nat this particular memory region) reported on DB845c running\nv5.10.y.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52561" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52566", + "dataSource": "https://ubuntu.com/security/CVE-2023-52566", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52566" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52566", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52566", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33", + "https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2", + "https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8", + "https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7", + "https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc", + "https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c", + "https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b", + "https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\n\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails. If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed. However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug. This patch moves the release\noperation after unlocking and putting the page.\n\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted. However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\n\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52566" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52569", + "dataSource": "https://ubuntu.com/security/CVE-2023-52569", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52569" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52569", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52569", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c58c3931ede7cd08cbecf1f1a4acaf0a04a41a9", + "https://git.kernel.org/stable/c/39c4a9522db0072570d602e9b365119e17fb9f4f", + "https://git.kernel.org/stable/c/d10fd53393cc5de4b9cf1a4b8f9984f0a037aa51" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: remove BUG() after failure to insert delayed dir index item\n\nInstead of calling BUG() when we fail to insert a delayed dir index item\ninto the delayed node's tree, we can just release all the resources we\nhave allocated/acquired before and return the error to the caller. This is\nfine because all existing call chains undo anything they have done before\ncalling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending\nsnapshots in the transaction commit path).\n\nSo remove the BUG() call and do proper error handling.\n\nThis relates to a syzbot report linked below, but does not fix it because\nit only prevents hitting a BUG(), it does not fix the issue where somehow\nwe attempt to use twice the same index number for different index items.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52569" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52572", + "dataSource": "https://ubuntu.com/security/CVE-2023-52572", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52572" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52572", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52572", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/76569e3819e0bb59fc19b1b8688b017e627c268a", + "https://git.kernel.org/stable/c/908b3b5e97d25e879de3d1f172a255665491c2c3", + "https://git.kernel.org/stable/c/d527f51331cace562393a8038d870b3e9916686f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix UAF in cifs_demultiplex_thread()\n\nThere is a UAF when xfstests on cifs:\n\n BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160\n Read of size 4 at addr ffff88810103fc08 by task cifsd/923\n\n CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45\n ...\n Call Trace:\n \n dump_stack_lvl+0x34/0x44\n print_report+0x171/0x472\n kasan_report+0xad/0x130\n kasan_check_range+0x145/0x1a0\n smb2_is_network_name_deleted+0x27/0x160\n cifs_demultiplex_thread.cold+0x172/0x5a4\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n \n\n Allocated by task 923:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_slab_alloc+0x54/0x60\n kmem_cache_alloc+0x147/0x320\n mempool_alloc+0xe1/0x260\n cifs_small_buf_get+0x24/0x60\n allocate_buffers+0xa1/0x1c0\n cifs_demultiplex_thread+0x199/0x10d0\n kthread+0x165/0x1a0\n ret_from_fork+0x1f/0x30\n\n Freed by task 921:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x40\n ____kasan_slab_free+0x143/0x1b0\n kmem_cache_free+0xe3/0x4d0\n cifs_small_buf_release+0x29/0x90\n SMB2_negotiate+0x8b7/0x1c60\n smb2_negotiate+0x51/0x70\n cifs_negotiate_protocol+0xf0/0x160\n cifs_get_smb_ses+0x5fa/0x13c0\n mount_get_conns+0x7a/0x750\n cifs_mount+0x103/0xd00\n cifs_smb3_do_mount+0x1dd/0xcb0\n smb3_get_tree+0x1d5/0x300\n vfs_get_tree+0x41/0xf0\n path_mount+0x9b3/0xdd0\n __x64_sys_mount+0x190/0x1d0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe UAF is because:\n\n mount(pid: 921) | cifsd(pid: 923)\n-------------------------------|-------------------------------\n | cifs_demultiplex_thread\nSMB2_negotiate |\n cifs_send_recv |\n compound_send_recv |\n smb_send_rqst |\n wait_for_response |\n wait_event_state [1] |\n | standard_receive3\n | cifs_handle_standard\n | handle_mid\n | mid->resp_buf = buf; [2]\n | dequeue_mid [3]\n KILL the process [4] |\n resp_iov[i].iov_base = buf |\n free_rsp_buf [5] |\n | is_network_name_deleted [6]\n | callback\n\n1. After send request to server, wait the response until\n mid->mid_state != SUBMITTED;\n2. Receive response from server, and set it to mid;\n3. Set the mid state to RECEIVED;\n4. Kill the process, the mid state already RECEIVED, get 0;\n5. Handle and release the negotiate response;\n6. UAF.\n\nIt can be easily reproduce with add some delay in [3] - [6].\n\nOnly sync call has the problem since async call's callback is\nexecuted in cifsd process.\n\nAdd an extra state to mark the mid state to READY before wakeup the\nwaitter, then it can get the resp safely.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52572" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52574", + "dataSource": "https://ubuntu.com/security/CVE-2023-52574", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52574" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52574", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52574", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457", + "https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58", + "https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd", + "https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7", + "https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7", + "https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d", + "https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d", + "https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix null-ptr-deref when team device type is changed\n\nGet a null-ptr-deref bug as follows with reproducer [1].\n\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n \n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n\n[1]\n$ teamd -t team0 -d -c '{\"runner\": {\"name\": \"loadbalance\"}}'\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\n\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\na vlan device.\n\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52574" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52576", + "dataSource": "https://ubuntu.com/security/CVE-2023-52576", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52576" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52576", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52576", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/34cf99c250d5cd2530b93a57b0de31d3aaf8685b", + "https://git.kernel.org/stable/c/d2dfbc0e3b7a04c2d941421a958dc31c897fb204", + "https://git.kernel.org/stable/c/eef16bfdb212da60f5144689f2967fb25b051a2b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()\n\nThe code calling ima_free_kexec_buffer() runs long after the memblock\nallocator has already been torn down, potentially resulting in a use\nafter free in memblock_isolate_range().\n\nWith KASAN or KFENCE, this use after free will result in a BUG\nfrom the idle task, and a subsequent kernel panic.\n\nSwitch ima_free_kexec_buffer() over to memblock_free_late() to avoid\nthat bug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52576" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52578", + "dataSource": "https://ubuntu.com/security/CVE-2023-52578", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52578" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52578", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52578", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd", + "https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4", + "https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2", + "https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394", + "https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5", + "https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839", + "https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: use DEV_STATS_INC()\n\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\n\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\n\nHandles updates to dev->stats.tx_dropped while we are at it.\n\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52578" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52582", + "dataSource": "https://ubuntu.com/security/CVE-2023-52582", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52582" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52582", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52582", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/d9f5537479d4ec97ea92ff24e81a517d5772581a", + "https://git.kernel.org/stable/c/df1c357f25d808e30b216188330e708e09e1a412", + "https://git.kernel.org/stable/c/df9950d37df113db59495fa09d060754366a2b7c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Only call folio_start_fscache() one time for each folio\n\nIf a network filesystem using netfs implements a clamp_length()\nfunction, it can set subrequest lengths smaller than a page size.\n\nWhen we loop through the folios in netfs_rreq_unlock_folios() to\nset any folios to be written back, we need to make sure we only\ncall folio_start_fscache() once for each folio.\n\nOtherwise, this simple testcase:\n\n mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs\n dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1\n 1+0 records in\n 1+0 records out\n 4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s\n echo 3 > /proc/sys/vm/drop_caches\n cat /mnt/nfs/file.bin > /dev/null\n\nwill trigger an oops similar to the following:\n\n page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))\n ------------[ cut here ]------------\n kernel BUG at include/linux/netfs.h:44!\n ...\n CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5\n ...\n RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]\n ...\n Call Trace:\n netfs_rreq_assess+0x497/0x660 [netfs]\n netfs_subreq_terminated+0x32b/0x610 [netfs]\n nfs_netfs_read_completion+0x14e/0x1a0 [nfs]\n nfs_read_completion+0x2f9/0x330 [nfs]\n rpc_free_task+0x72/0xa0 [sunrpc]\n rpc_async_release+0x46/0x70 [sunrpc]\n process_one_work+0x3bd/0x710\n worker_thread+0x89/0x610\n kthread+0x181/0x1c0\n ret_from_fork+0x29/0x50", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52582" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52584", + "dataSource": "https://ubuntu.com/security/CVE-2023-52584", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52584" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52584", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52584", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://git.kernel.org/stable/c/521f28eedd6b14228c46e3b81e3bf9b90c2818d8", + "https://git.kernel.org/stable/c/9a3881b1f07db1bb55cb0108e6f05cfd027eaf2e", + "https://git.kernel.org/stable/c/e821d50ab5b956ed0effa49faaf29912fd4106d9", + "https://git.kernel.org/stable/c/f8dcafcb54632536684336161da8bdd52120f95e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: mediatek: Fix UAF on device remove\n\nThe pmif driver data that contains the clocks is allocated along with\nspmi_controller.\nOn device remove, spmi_controller will be freed first, and then devres\n, including the clocks, will be cleanup.\nThis leads to UAF because putting the clocks will access the clocks in\nthe pmif driver data, which is already freed along with spmi_controller.\n\nThis can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and\nbuilding the kernel with KASAN.\n\nFix the UAF issue by using unmanaged clk_bulk_get() and putting the\nclocks before freeing spmi_controller.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 3.8, + "exploitabilityScore": 1.2, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52584" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52585", + "dataSource": "https://ubuntu.com/security/CVE-2023-52585", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52585" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52585", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52585", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0eb296233f86750102aa43b97879b8d8311f249a", + "https://git.kernel.org/stable/c/195a6289282e039024ad30ba66e6f94a4d0fbe49", + "https://git.kernel.org/stable/c/467139546f3fb93913de064461b1a43a212d7626", + "https://git.kernel.org/stable/c/7e6d6f27522bcd037856234b720ff607b9c4a09b", + "https://git.kernel.org/stable/c/92cb363d16ac1e41c9764cdb513d0e89a6ff4915", + "https://git.kernel.org/stable/c/b8d55a90fd55b767c25687747e2b24abd1ef8680", + "https://git.kernel.org/stable/c/c364e7a34c85c2154fb2e47561965d5b5a0b69b1", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()\n\nReturn invalid error code -EINVAL for invalid block id.\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2023-52585" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52586", + "dataSource": "https://ubuntu.com/security/CVE-2023-52586", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52586" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52586", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52586", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/14f109bf74dd67e1d0469fed859c8e506b0df53f", + "https://git.kernel.org/stable/c/45284ff733e4caf6c118aae5131eb7e7cf3eea5a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add mutex lock in control vblank irq\n\nAdd a mutex lock to control vblank irq to synchronize vblank\nenable/disable operations happening from different threads to prevent\nrace conditions while registering/unregistering the vblank irq callback.\n\nv4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a\n parameter of dpu_encoder_phys.\n -Switch from atomic refcnt to a simple int counter as mutex has\n now been added\nv3: Mistakenly did not change wording in last version. It is done now.\nv2: Slightly changed wording of commit message\n\nPatchwork: https://patchwork.freedesktop.org/patch/571854/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52586" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52589", + "dataSource": "https://ubuntu.com/security/CVE-2023-52589", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52589" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52589", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52589", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7", + "https://git.kernel.org/stable/c/870565f063a58576e8a4529f122cac4325c6b395", + "https://git.kernel.org/stable/c/bf808f58681cab64c81cd814551814fd34e540fe", + "https://git.kernel.org/stable/c/fab483438342984f2a315fe13c882a80f0f7e545" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ disable race issue\n\nIn rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the\ninterrupts and then apparently assumes that the interrupt handler won't\nbe running, and proceeds in the stop procedure. This is not the case, as\nthe interrupt handler can already be running, which would lead to the\nISP being disabled while the interrupt handler handling a captured\nframe.\n\nThis brings up two issues: 1) the ISP could be powered off while the\ninterrupt handler is still running and accessing registers, leading to\nboard lockup, and 2) the interrupt handler code and the code that\ndisables the streaming might do things that conflict.\n\nIt is not clear to me if 2) causes a real issue, but 1) can be seen with\na suitable delay (or printk in my case) in the interrupt handler,\nleading to board lockup.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52589" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52590", + "dataSource": "https://ubuntu.com/security/CVE-2023-52590", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52590" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52590", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52590", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/9d618d19b29c2943527e3a43da0a35aea91062fc", + "https://git.kernel.org/stable/c/de940cede3c41624e2de27f805b490999f419df9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change ocfs2 rename code to avoid touching renamed directory if\nits parent does not change as without locking that can corrupt the\nfilesystem.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52590" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52591", + "dataSource": "https://ubuntu.com/security/CVE-2023-52591", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52591" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52591", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52591", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17e1361cb91dc1325834da95d2ab532959d2debc", + "https://git.kernel.org/stable/c/49db9b1b86a82448dfaf3fcfefcf678dee56c8ed", + "https://git.kernel.org/stable/c/c04c162f82ac403917780eb6d1654694455d4e7c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nreiserfs: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change reiserfs rename code to avoid touching renamed directory\nif its parent does not change as without locking that can corrupt the\nfilesystem.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52591" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52593", + "dataSource": "https://ubuntu.com/security/CVE-2023-52593", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52593" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52593", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52593", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3739121443f5114c6bcf6d841a5124deb006b878", + "https://git.kernel.org/stable/c/574dcd3126aa2eed75437137843f254b1190dd03", + "https://git.kernel.org/stable/c/9ab224744a47363f74ea29c6894c405e3bcf5132", + "https://git.kernel.org/stable/c/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\n\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. Compile tested only.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52593" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52596", + "dataSource": "https://ubuntu.com/security/CVE-2023-52596", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52596" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52596", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52596", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/15893975e9e382f8294ea8d926f08dc2d8d39ede", + "https://git.kernel.org/stable/c/2ae7081bc10123b187e36a4f3a8e53768de31489", + "https://git.kernel.org/stable/c/315552310c7de92baea4e570967066569937a843" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix out of bounds access for empty sysctl registers\n\nWhen registering tables to the sysctl subsystem there is a check to see\nif header is a permanently empty directory (used for mounts). This check\nevaluates the first element of the ctl_table. This results in an out of\nbounds evaluation when registering empty directories.\n\nThe function register_sysctl_mount_point now passes a ctl_table of size\n1 instead of size 0. It now relies solely on the type to identify\na permanently empty register.\n\nMake sure that the ctl_table has at least one element before testing for\npermanent emptiness.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52596" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52621", + "dataSource": "https://ubuntu.com/security/CVE-2023-52621", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52621" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52621", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52621", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/169410eba271afc9f0fb476d996795aa26770c6d", + "https://git.kernel.org/stable/c/483cb92334cd7f1d5387dccc0ab5d595d27a669d", + "https://git.kernel.org/stable/c/c7f1b6146f4a46d727c0d046284c28b6882c6304", + "https://git.kernel.org/stable/c/d6d6fe4bb105595118f12abeed4a7bdd450853f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\n\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\n\n WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n ......\n Call Trace:\n \n ? __warn+0xa5/0x240\n ? bpf_map_lookup_elem+0x54/0x60\n ? report_bug+0x1ba/0x1f0\n ? handle_bug+0x40/0x80\n ? exc_invalid_op+0x18/0x50\n ? asm_exc_invalid_op+0x1b/0x20\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ? rcu_lockdep_current_cpu_online+0x65/0xb0\n ? rcu_is_watching+0x23/0x50\n ? bpf_map_lookup_elem+0x54/0x60\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ___bpf_prog_run+0x513/0x3b70\n __bpf_prog_run32+0x9d/0xd0\n ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n bpf_trampoline_6442580665+0x4d/0x1000\n __x64_sys_getpgid+0x5/0x30\n ? do_syscall_64+0x36/0xb0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52621" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52624", + "dataSource": "https://ubuntu.com/security/CVE-2023-52624", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52624" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52624", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52624", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ef98c6d753a744e333b7e34b9cf687040fba57d", + "https://git.kernel.org/stable/c/e5ffd1263dd5b44929c676171802e7b6af483f21" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before executing GPINT commands\n\n[Why]\nDMCUB can be in idle when we attempt to interface with the HW through\nthe GPINT mailbox resulting in a system hang.\n\n[How]\nAdd dc_wake_and_execute_gpint() to wrap the wake, execute, sleep\nsequence.\n\nIf the GPINT executes successfully then DMCUB will be put back into\nsleep after the optional response is returned.\n\nIt functions similar to the inbox command interface.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52624" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52625", + "dataSource": "https://ubuntu.com/security/CVE-2023-52625", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52625" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52625", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52625", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/820c3870c491946a78950cdf961bf40e28c1025f", + "https://git.kernel.org/stable/c/8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Refactor DMCUB enter/exit idle interface\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nWe need to exit out of the idle state prior to sending a command,\nbut the process that performs the exit also invokes a command itself.\n\nFixing this issue involves the following:\n\n1. Using a software state to track whether or not we need to start\n the process to exit idle or notify idle.\n\nIt's possible for the hardware to have exited an idle state without\ndriver knowledge, but entering one is always restricted to a driver\nallow - which makes the SW state vs HW state mismatch issue purely one\nof optimization, which should seldomly be hit, if at all.\n\n2. Refactor any instances of exit/notify idle to use a single wrapper\n that maintains this SW state.\n\nThis works simialr to dc_allow_idle_optimizations, but works at the\nDMCUB level and makes sure the state is marked prior to any notify/exit\nidle so we don't enter an infinite loop.\n\n3. Make sure we exit out of idle prior to sending any commands or\n waiting for DMCUB idle.\n\nThis patch takes care of 1/2. A future patch will take care of wrapping\nDMCUB command submission with calls to this new interface.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52625" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52629", + "dataSource": "https://ubuntu.com/security/CVE-2023-52629", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52629" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52629", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52629", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65", + "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n (cpu 0) | (cpu 1)\nswitch_drv_remove() |\n flush_work() |\n ... | switch_timer // timer\n | schedule_work(&psw->work)\n timer_shutdown_sync() |\n ... | switch_work_handler // worker\n kfree(psw) // free |\n | psw->state = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2023-52629" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52632", + "dataSource": "https://ubuntu.com/security/CVE-2023-52632", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52632" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52632", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1556c242e64cdffe58736aa650b0b395854fe4d4", + "https://git.kernel.org/stable/c/2a9de42e8d3c82c6990d226198602be44f43f340", + "https://git.kernel.org/stable/c/752312f6a79440086ac0f9b08d7776870037323c", + "https://git.kernel.org/stable/c/b602f098f716723fa5c6c96a486e0afba83b7b94" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix lock dependency warning with srcu\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.5.0-kfd-yangp #2289 Not tainted\n------------------------------------------------------\nkworker/0:2/996 is trying to acquire lock:\n (srcu){.+.+}-{0:0}, at: __synchronize_srcu+0x5/0x1a0\n\nbut task is already holding lock:\n ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}, at:\n\tprocess_one_work+0x211/0x560\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n svm_range_list_lock_and_flush_work+0x3d/0x110 [amdgpu]\n svm_range_set_attr+0xd6/0x14c0 [amdgpu]\n kfd_ioctl+0x1d1/0x630 [amdgpu]\n __x64_sys_ioctl+0x88/0xc0\n\n-> #2 (&info->lock#2){+.+.}-{3:3}:\n __mutex_lock+0x99/0xc70\n amdgpu_amdkfd_gpuvm_restore_process_bos+0x54/0x740 [amdgpu]\n restore_process_helper+0x22/0x80 [amdgpu]\n restore_process_worker+0x2d/0xa0 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\n-> #1 ((work_completion)(&(&process->restore_work)->work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n __cancel_work_timer+0x12c/0x1c0\n kfd_process_notifier_release_internal+0x37/0x1f0 [amdgpu]\n __mmu_notifier_release+0xad/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n do_exit+0x322/0xb90\n do_group_exit+0x37/0xa0\n __x64_sys_exit_group+0x18/0x20\n do_syscall_64+0x38/0x80\n\n-> #0 (srcu){.+.+}-{0:0}:\n __lock_acquire+0x1521/0x2510\n lock_sync+0x5f/0x90\n __synchronize_srcu+0x4f/0x1a0\n __mmu_notifier_release+0x128/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n svm_range_deferred_list_work+0x19f/0x350 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\nother info that might help us debug this:\nChain exists of:\n srcu --> &info->lock#2 --> (work_completion)(&svms->deferred_list_work)\n\nPossible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock((work_completion)(&svms->deferred_list_work));\n lock(&info->lock#2);\n\t\t\tlock((work_completion)(&svms->deferred_list_work));\n sync(srcu);", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52632" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52634", + "dataSource": "https://ubuntu.com/security/CVE-2023-52634", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52634" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52634", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52634", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ce156482a6fef349d2eba98e5070c412d3af662", + "https://git.kernel.org/stable/c/ce29728ef6485a367934cc100249c66dd3cde5b6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix disable_otg_wa logic\n\n[Why]\nWhen switching to another HDMI mode, we are unnecesarilly\ndisabling/enabling FIFO causing both HPO and DIG registers to be set at\nthe same time when only HPO is supposed to be set.\n\nThis can lead to a system hang the next time we change refresh rates as\nthere are cases when we don't disable OTG/FIFO but FIFO is enabled when\nit isn't supposed to be.\n\n[How]\nRemoving the enable/disable FIFO entirely.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52634" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52639", + "dataSource": "https://ubuntu.com/security/CVE-2023-52639", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52639" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52639", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52639", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/28bb27824f25f36e5f80229a358d66ee09244082", + "https://git.kernel.org/stable/c/5df3b81a567eb565029563f26f374ae3803a1dfc", + "https://git.kernel.org/stable/c/f5572c0323cf8b4f1f0618178648a25b8fb8a380", + "https://git.kernel.org/stable/c/fe752331d4b361d43cfd0b89534b4b2176057c32" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: vsie: fix race during shadow creation\n\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the\nfact that we add gmap->private == kvm after creation:\n\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n struct vsie_page *vsie_page)\n{\n[...]\n gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n if (IS_ERR(gmap))\n return PTR_ERR(gmap);\n gmap->private = vcpu->kvm;\n\nLet children inherit the private field of the parent.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52639" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52646", + "dataSource": "https://ubuntu.com/security/CVE-2023-52646", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52646" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52646", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52646", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/178993157e8c50aef7f35d7d6d3b44bb428199e1", + "https://git.kernel.org/stable/c/4326d0080f7e84fba775da41d158f46cf9d3f1c2", + "https://git.kernel.org/stable/c/808f1e4b5723ae4eda724d2ad6f6638905eefd95", + "https://git.kernel.org/stable/c/81e9d6f8647650a7bead74c5f926e29970e834d1", + "https://git.kernel.org/stable/c/af126acf01a12bdb04986fd26fc2eb3b40249e0d", + "https://git.kernel.org/stable/c/c261f798f7baa8080cf0214081d43d5f86bb073f", + "https://git.kernel.org/stable/c/d8dca1bfe9adcae38b35add64977818c0c13dd22" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naio: fix mremap after fork null-deref\n\nCommit e4a0d3e720e7 (\"aio: Make it possible to remap aio ring\") introduced\na null-deref if mremap is called on an old aio mapping after fork as\nmm->ioctx_table will be set to NULL.\n\n[jmoyer@redhat.com: fix 80 column issue]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52646" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52648", + "dataSource": "https://ubuntu.com/security/CVE-2023-52648", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52648" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52648", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52648", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a23f95af7f28dae7c0f7c82578ca5e1a239d461", + "https://git.kernel.org/stable/c/105f72cc48c4c93f4578fcc61e06276471858e92", + "https://git.kernel.org/stable/c/27571c64f1855881753e6f33c3186573afbab7ba", + "https://git.kernel.org/stable/c/75baad63c033b3b900d822bffbc96c9d3649bc75" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Unmap the surface before resetting it on a plane state\n\nSwitch to a new plane state requires unreferencing of all held surfaces.\nIn the work required for mob cursors the mapped surfaces started being\ncached but the variable indicating whether the surface is currently\nmapped was not being reset. This leads to crashes as the duplicated\nstate, incorrectly, indicates the that surface is mapped even when\nno surface is present. That's because after unreferencing the surface\nit's perfectly possible for the plane to be backed by a bo instead of a\nsurface.\n\nReset the surface mapped flag when unreferencing the plane state surface\nto fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland:\n\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920\nR10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000\nR13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00\nFS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\n drm_atomic_helper_cleanup_planes+0x9b/0xc0\n commit_tail+0xd1/0x130\n drm_atomic_helper_commit+0x11a/0x140\n drm_atomic_commit+0x97/0xd0\n ? __pfx___drm_printfn_info+0x10/0x10\n drm_atomic_helper_update_plane+0xf5/0x160\n drm_mode_cursor_universal+0x10e/0x270\n drm_mode_cursor_common+0x102/0x230\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n drm_ioctl_kernel+0xb2/0x110\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n ? __pfx_drm_ioctl+0x10/0x10\n vmw_generic_ioctl+0xa4/0x110 [vmwgfx]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x61/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? exc_page_fault+0x7f/0x180\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\nRIP: 0033:0x7f1e93f279ed\nCode: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f>\nRSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed\nRDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015\nRBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007\nR10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0\nR13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790\n \nModules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine>\nCR2: 0000000000000028\n---[ end trace 0000000000000000 ]---\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52648" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52653", + "dataSource": "https://ubuntu.com/security/CVE-2023-52653", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52653" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52653", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52653", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/47ac11db93e74ac49cd6c3fc69bcbc5964c4a8b4", + "https://git.kernel.org/stable/c/99044c01ed5329e73651c054d8a4baacdbb1a27c", + "https://git.kernel.org/stable/c/d111e30d9cd846bb368faf3637dc0f71fcbcf822", + "https://git.kernel.org/stable/c/e67b652d8e8591d3b1e569dbcdfcee15993e91fa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix a memleak in gss_import_v2_context\n\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\nwhich frees ctx on error.\n\nThus, this patch reform the last call of gss_import_v2_context to the\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\nformation.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52653" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52655", + "dataSource": "https://ubuntu.com/security/CVE-2023-52655", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52655" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52655", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52655", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ebf775f0541ae0d474836fa0cf3220e502f8e3e", + "https://git.kernel.org/stable/c/46412b2fb1f9cc895d6d4036bf24f640b5d86dab", + "https://git.kernel.org/stable/c/82c386d73689a45d5ee8c1290827bce64056dddd", + "https://git.kernel.org/stable/c/84f2e5b3e70f08fce3cb1ff73414631c5e490204", + "https://git.kernel.org/stable/c/ccab434e674ca95d483788b1895a70c21b7f016a", + "https://git.kernel.org/stable/c/d69581c17608d81824dd497d9a54b6a5b6139975" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: aqc111: check packet for fixup for true limit\n\nIf a device sends a packet that is inbetween 0\nand sizeof(u64) the value passed to skb_trim()\nas length will wrap around ending up as some very\nlarge value.\n\nThe driver will then proceed to parse the header\nlocated at that position, which will either oops or\nprocess some random value.\n\nThe fix is to check against sizeof(u64) rather than\n0, which the driver currently does. The issue exists\nsince the introduction of the driver.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52655" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52657", + "dataSource": "https://ubuntu.com/security/CVE-2023-52657", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52657" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52657", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52657", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2e443ed55fe3ffb08327b331a9f45e9382413c94", + "https://git.kernel.org/stable/c/955558030954b9637b41c97b730f9b38c92ac488", + "https://git.kernel.org/stable/c/baac292852c0e347626fb5436916947188e5838f", + "https://git.kernel.org/stable/c/c51468ac328d3922747be55507c117e47da813e6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd/pm: resolve reboot exception for si oland\"\n\nThis reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86.\n\nThis causes hangs on SI when DC is enabled and errors on driver\nreboot and power off cycles.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52657" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52660", + "dataSource": "https://ubuntu.com/security/CVE-2023-52660", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52660" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52660", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52660", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/abd34206f396d3ae50cddbd5aa840b8cd7f68c63", + "https://git.kernel.org/stable/c/b39b4d207d4f236a74e20d291f6356f2231fd9ee", + "https://git.kernel.org/stable/c/edcf92bc66d8361c51dff953a55210e5cfd95587", + "https://git.kernel.org/stable/c/ffb635bb398fc07cb38f8a7b4a82cbe5f412f08e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ handling due to shared interrupts\n\nThe driver requests the interrupts as IRQF_SHARED, so the interrupt\nhandlers can be called at any time. If such a call happens while the ISP\nis powered down, the SoC will hang as the driver tries to access the\nISP registers.\n\nThis can be reproduced even without the platform sharing the IRQ line:\nEnable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will\nhang.\n\nFix this by adding a new field, 'irqs_enabled', which is used to bail\nout from the interrupt handler when the ISP is not operational.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52660" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52664", + "dataSource": "https://ubuntu.com/security/CVE-2023-52664", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52664" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52664", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52664", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0edb3ae8bfa31cd544b0c195bdec00e036002b5d", + "https://git.kernel.org/stable/c/b3cb7a830a24527877b0bc900b9bd74a96aea928", + "https://git.kernel.org/stable/c/c11a870a73a3bc4cc7df6dd877a45b181795fcbf", + "https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49cce285107a7a43c3030878d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: eliminate double free in error handling logic\n\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\n\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\n\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52664" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52666", + "dataSource": "https://ubuntu.com/security/CVE-2023-52666", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52666" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52666", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52666", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52666" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52667", + "dataSource": "https://ubuntu.com/security/CVE-2023-52667", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52667" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52667", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52667", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2897c981ee63e1be5e530b1042484626a10b26d8", + "https://git.kernel.org/stable/c/65a4ade8a6d205979292e88beeb6a626ddbd4779", + "https://git.kernel.org/stable/c/72a729868592752b5a294d27453da264106983b1", + "https://git.kernel.org/stable/c/aef855df7e1bbd5aa4484851561211500b22707e", + "https://git.kernel.org/stable/c/b2fa86b2aceb4bc9ada51cea90f61546d7512cbe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a potential double-free in fs_any_create_groups\n\nWhen kcalloc() for ft->g succeeds but kvzalloc() for in fails,\nfs_any_create_groups() will free ft->g. However, its caller\nfs_any_create_table() will free ft->g again through calling\nmlx5e_destroy_flow_table(), which will lead to a double-free.\nFix this by setting ft->g to NULL in fs_any_create_groups().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52667" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52669", + "dataSource": "https://ubuntu.com/security/CVE-2023-52669", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52669" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52669", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52669", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/a7f580cdb42ec3d53bbb7c4e4335a98423703285", + "https://git.kernel.org/stable/c/cd51e26a3b89706beec64f2d8296cfb1c34e0c79", + "https://git.kernel.org/stable/c/d07f951903fa9922c375b8ab1ce81b18a0034e3b", + "https://git.kernel.org/stable/c/d68ac38895e84446848b7647ab9458d54cacba3e", + "https://git.kernel.org/stable/c/dbc9a791a70ea47be9f2acf251700fe254a2ab23", + "https://git.kernel.org/stable/c/e78f1a43e72daf77705ad5b9946de66fc708b874", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: s390/aes - Fix buffer overread in CTR mode\n\nWhen processing the last block, the s390 ctr code will always read\na whole block, even if there isn't a whole block of data left. Fix\nthis by using the actual length left and copy it into a buffer first\nfor processing.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52669" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52670", + "dataSource": "https://ubuntu.com/security/CVE-2023-52670", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52670" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52670", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52670", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/229ce47cbfdc7d3a9415eb676abbfb77d676cb08", + "https://git.kernel.org/stable/c/2d27a7b19cb354c6d04bcdc9239e261ff29858d6", + "https://git.kernel.org/stable/c/4e6cef3fae5c164968118a13f3fe293700adc81a", + "https://git.kernel.org/stable/c/69ca89d80f2c8a1f5af429b955637beea7eead30", + "https://git.kernel.org/stable/c/9a416d624e5fb7246ea97c11fbfea7e0e27abf43", + "https://git.kernel.org/stable/c/d5362c37e1f8a40096452fc201c30e705750e687", + "https://git.kernel.org/stable/c/dd50fe18c234bd5ff22f658f4d414e8fa8cd6a5d", + "https://git.kernel.org/stable/c/f4bb1d5daf77b1a95a43277268adf0d1430c2346", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: virtio: Free driver_override when rpmsg_remove()\n\nFree driver_override when rpmsg_remove(), otherwise\nthe following memory leak will occur:\n\nunreferenced object 0xffff0000d55d7080 (size 128):\n comm \"kworker/u8:2\", pid 56, jiffies 4294893188 (age 214.272s)\n hex dump (first 32 bytes):\n 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\n [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\n [<00000000228a60c3>] kstrndup+0x4c/0x90\n [<0000000077158695>] driver_set_override+0xd0/0x164\n [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\n [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\n [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\n [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\n [<00000000443331cc>] really_probe+0xbc/0x2dc\n [<00000000391064b1>] __driver_probe_device+0x78/0xe0\n [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\n [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\n [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\n [<000000003b929a36>] __device_attach+0x9c/0x19c\n [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\n [<000000003c999637>] bus_probe_device+0xa0/0xac", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.6, + "exploitabilityScore": 0.7, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52670" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52671", + "dataSource": "https://ubuntu.com/security/CVE-2023-52671", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52671" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52671", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52671", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4b6b479b2da6badff099b2e3abf0248936eefbf5", + "https://git.kernel.org/stable/c/ae62f1dde66a6f0eee98defc4c7a346bd5acd239", + "https://git.kernel.org/stable/c/e7b2b108cdeab76a7e7324459e50b0c1214c0386" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix hang/underflow when transitioning to ODM4:1\n\n[Why]\nUnder some circumstances, disabling an OPTC and attempting to reclaim\nits OPP(s) for a different OPTC could cause a hang/underflow due to OPPs\nnot being properly disconnected from the disabled OPTC.\n\n[How]\nEnsure that all OPPs are unassigned from an OPTC when it gets disabled.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52671" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52672", + "dataSource": "https://ubuntu.com/security/CVE-2023-52672", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52672" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52672", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52672", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8", + "https://git.kernel.org/stable/c/3efbd114b91525bb095b8ae046382197d92126b9", + "https://git.kernel.org/stable/c/68e51bdb1194f11d3452525b99c98aff6f837b24", + "https://git.kernel.org/stable/c/6fb70694f8d1ac34e45246b0ac988f025e1e5b55", + "https://git.kernel.org/stable/c/b87a1229d8668fbc78ebd9ca0fc797a76001c60f", + "https://git.kernel.org/stable/c/e95aada4cb93d42e25c30a0ef9eb2923d9711d4a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npipe: wakeup wr_wait after setting max_usage\n\nCommit c73be61cede5 (\"pipe: Add general notification queue support\") a\nregression was introduced that would lock up resized pipes under certain\nconditions. See the reproducer in [1].\n\nThe commit resizing the pipe ring size was moved to a different\nfunction, doing that moved the wakeup for pipe->wr_wait before actually\nraising pipe->max_usage. If a pipe was full before the resize occured it\nwould result in the wakeup never actually triggering pipe_write.\n\nSet @max_usage and @nr_accounted before waking writers if this isn't a\nwatch queue.\n\n[Christian Brauner : rewrite to account for watch queues]", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52672" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52673", + "dataSource": "https://ubuntu.com/security/CVE-2023-52673", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52673" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52673", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52673", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/43235db21fc23559f50a62f8f273002eeb506f5a", + "https://git.kernel.org/stable/c/efb91fea652a42fcc037d2a9ef4ecd1ffc5ff4b7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a debugfs null pointer error\n\n[WHY & HOW]\nCheck whether get_subvp_en() callback exists before calling it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52673" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52674", + "dataSource": "https://ubuntu.com/security/CVE-2023-52674", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52674" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52674", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52674", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03035872e17897ba89866940bbc9cefca601e572", + "https://git.kernel.org/stable/c/04f8f053252b86c7583895c962d66747ecdc61b7", + "https://git.kernel.org/stable/c/ad945ea8d47dd4454c271510bea24850119847c2", + "https://git.kernel.org/stable/c/d8d8897d65061cbe36bf2909057338303a904810", + "https://git.kernel.org/stable/c/e517645ead5ea22c69d2a44694baa23fe1ce7c2b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()\n\nEnsure the value passed to scarlett2_mixer_ctl_put() is between 0 and\nSCARLETT2_MIXER_MAX_VALUE so we don't attempt to access outside\nscarlett2_mixer_values[].", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52674" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52675", + "dataSource": "https://ubuntu.com/security/CVE-2023-52675", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52675" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52675", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52675", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/024352f7928b28f53609660663329d8c0f4ad032", + "https://git.kernel.org/stable/c/0a233867a39078ebb0f575e2948593bbff5826b3", + "https://git.kernel.org/stable/c/1e80aa25d186a7aa212df5acd8c75f55ac8dae34", + "https://git.kernel.org/stable/c/5a669f3511d273c8c1ab1c1d268fbcdf53fc7a05", + "https://git.kernel.org/stable/c/75fc599bcdcb1de093c9ced2e3cccc832f3787f3", + "https://git.kernel.org/stable/c/a2da3f9b1a1019c887ee1d164475a8fcdb0a3fec", + "https://git.kernel.org/stable/c/c7d828e12b326ea50fb80c369d7aa87519ed14c6", + "https://git.kernel.org/stable/c/f105c263009839d80fad6998324a4e1b3511cba0", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52675" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52676", + "dataSource": "https://ubuntu.com/security/CVE-2023-52676", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52676" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52676", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52676", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760", + "https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2", + "https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Guard stack limits against 32bit overflow\n\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\n\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52676" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52677", + "dataSource": "https://ubuntu.com/security/CVE-2023-52677", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52677" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52677", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52677", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1d7a03052846f34d624d0ab41a879adf5e85c85f", + "https://git.kernel.org/stable/c/420370f3ae3d3b883813fd3051a38805160b2b9f", + "https://git.kernel.org/stable/c/890cfe5337e0aaf03ece1429db04d23c88da72e7", + "https://git.kernel.org/stable/c/8db56df4a954b774bdc68917046a685a9fa2e4bc", + "https://git.kernel.org/stable/c/938f70d14618ec72e10d6fcf8a546134136d7c13" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Check if the code to patch lies in the exit section\n\nOtherwise we fall through to vmalloc_to_page() which panics since the\naddress does not lie in the vmalloc region.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52677" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52679", + "dataSource": "https://ubuntu.com/security/CVE-2023-52679", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52679" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52679", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52679", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/26b4d702c44f9e5cf3c5c001ae619a4a001889db", + "https://git.kernel.org/stable/c/4541004084527ce9e95a818ebbc4e6b293ffca21", + "https://git.kernel.org/stable/c/4dde83569832f9377362e50f7748463340c5db6b", + "https://git.kernel.org/stable/c/a0a061151a6200c13149dbcdb6c065203c8425d2", + "https://git.kernel.org/stable/c/b64d09a4e8596f76d27f4b4a90a1cf6baf6a82f8", + "https://git.kernel.org/stable/c/b9d760dae5b10e73369b769073525acd7b3be2bd", + "https://git.kernel.org/stable/c/cafa992134124e785609a406da4ff2b54052aff7", + "https://git.kernel.org/stable/c/d5f490343c77e6708b6c4aa7dbbfbcbb9546adea", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: Fix double free in of_parse_phandle_with_args_map\n\nIn of_parse_phandle_with_args_map() the inner loop that\niterates through the map entries calls of_node_put(new)\nto free the reference acquired by the previous iteration\nof the inner loop. This assumes that the value of \"new\" is\nNULL on the first iteration of the inner loop.\n\nMake sure that this is true in all iterations of the outer\nloop by setting \"new\" to NULL after its value is assigned to \"cur\".\n\nExtend the unittest to detect the double free and add an additional\ntest case that actually triggers this path.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52679" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52680", + "dataSource": "https://ubuntu.com/security/CVE-2023-52680", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52680" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52680", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52680", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3a09488f4f67f7ade59b8ac62a6c7fb29439cf51", + "https://git.kernel.org/stable/c/50603a67daef161c78c814580d57f7f0be57167e", + "https://git.kernel.org/stable/c/773e38f73461ef2134a0d33a08f1668edde9b7c3", + "https://git.kernel.org/stable/c/821fbaeaaae23d483d3df799fe91ec8045973ec3", + "https://git.kernel.org/stable/c/cda7762bea857e6951315a2f7d0632ea1850ed43" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error checks to *_ctl_get()\n\nThe *_ctl_get() functions which call scarlett2_update_*() were not\nchecking the return value. Fix to check the return value and pass to\nthe caller.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52680" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52682", + "dataSource": "https://ubuntu.com/security/CVE-2023-52682", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52682" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52682", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52682", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4535be48780431753505e74e1b1ad4836a189bc2", + "https://git.kernel.org/stable/c/55fdc1c24a1d6229fe0ecf31335fb9a2eceaaa00", + "https://git.kernel.org/stable/c/9bfd5ea71521d0e522ba581c6ccc5db93759c0c3", + "https://git.kernel.org/stable/c/f904c156d8011d8291ffd5b6b398f3747e294986" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to wait on block writeback for post_read case\n\nIf inode is compressed, but not encrypted, it missed to call\nf2fs_wait_on_block_writeback() to wait for GCed page writeback\nin IPU write path.\n\nThread A\t\t\t\tGC-Thread\n\t\t\t\t\t- f2fs_gc\n\t\t\t\t\t - do_garbage_collect\n\t\t\t\t\t - gc_data_segment\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t - f2fs_submit_page_write\n\t\t\t\t\t migrate normal cluster's block via\n\t\t\t\t\t meta_inode's page cache\n- f2fs_write_single_data_page\n - f2fs_do_write_data_page\n - f2fs_inplace_write_data\n - f2fs_submit_page_bio\n\nIRQ\n- f2fs_read_end_io\n\t\t\t\t\tIRQ\n\t\t\t\t\told data overrides new data due to\n\t\t\t\t\tout-of-order GC and common IO.\n\t\t\t\t\t- f2fs_read_end_io", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52682" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52683", + "dataSource": "https://ubuntu.com/security/CVE-2023-52683", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52683" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52683", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52683", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/56d2eeda87995245300836ee4dbd13b002311782", + "https://git.kernel.org/stable/c/647d1d50c31e60ef9ccb9756a8fdf863329f7aee", + "https://git.kernel.org/stable/c/6c38e791bde07d6ca2a0a619ff9b6837e0d5f9ad", + "https://git.kernel.org/stable/c/72222dfd76a79d9666ab3117fcdd44ca8cd0c4de", + "https://git.kernel.org/stable/c/b7aab9d906e2e252a7783f872406033ec49b6dae", + "https://git.kernel.org/stable/c/c1814a4ffd016ce5392c6767d22ef3aa2f0d4bd1", + "https://git.kernel.org/stable/c/d1ac288b2742aa4af746c5613bac71760fadd1c4", + "https://git.kernel.org/stable/c/f39c3d578c7d09a18ceaf56750fc7f20b02ada63", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: LPIT: Avoid u32 multiplication overflow\n\nIn lpit_update_residency() there is a possibility of overflow\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\n\nChange multiplication to mul_u32_u32().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52683" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52685", + "dataSource": "https://ubuntu.com/security/CVE-2023-52685", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52685" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52685", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52685", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52685" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52686", + "dataSource": "https://ubuntu.com/security/CVE-2023-52686", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52686" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52686", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52686", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8422d179cf46889c15ceff9ede48c5bfa4e7f0b4", + "https://git.kernel.org/stable/c/8649829a1dd25199bbf557b2621cedb4bf9b3050", + "https://git.kernel.org/stable/c/9a523e1da6d88c2034f946adfa4f74b236c95ca9", + "https://git.kernel.org/stable/c/a14c55eb461d630b836f80591d8caf1f74e62877", + "https://git.kernel.org/stable/c/c0b111ea786ddcc8be0682612830796ece9436c7", + "https://git.kernel.org/stable/c/e08c2e275fa1874de945b87093f925997722ee42", + "https://git.kernel.org/stable/c/e6ad05e3ae9c84c5a71d7bb2d44dc845ae7990cf", + "https://git.kernel.org/stable/c/e93d7cf4c1ddbcd846739e7ad849f955a4f18031", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_event_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52686" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52690", + "dataSource": "https://ubuntu.com/security/CVE-2023-52690", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52690" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52690", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52690", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1eefa93faf69188540b08b024794fa90b1d82e8b", + "https://git.kernel.org/stable/c/2a82c4439b903639e0a1f21990cd399fb0a49c19", + "https://git.kernel.org/stable/c/9a260f2dd827bbc82cc60eb4f4d8c22707d80742", + "https://git.kernel.org/stable/c/a9c05cbb6644a2103c75b6906e9dafb9981ebd13", + "https://git.kernel.org/stable/c/dd8422ff271c22058560832fc3006324ded895a9", + "https://git.kernel.org/stable/c/ed8d023cfa97b559db58c0e1afdd2eec7a83d8f2", + "https://git.kernel.org/stable/c/f84c1446daa552e9699da8d1f8375eac0f65edc7", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.\nAdd a null pointer check, and release 'ent' to avoid memory leaks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52690" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52691", + "dataSource": "https://ubuntu.com/security/CVE-2023-52691", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52691" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52691", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52691", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06d95c99d5a4f5accdb79464076efe62e668c706", + "https://git.kernel.org/stable/c/2bf47c89bbaca2bae16581ef1b28aaec0ade0334", + "https://git.kernel.org/stable/c/ac16667237a82e2597e329eb9bc520d1cf9dff30", + "https://git.kernel.org/stable/c/aeed2b4e4a70c7568d4a5eecd6a109713c0dfbf4", + "https://git.kernel.org/stable/c/afe9f5b871f86d58ecdc45b217b662227d7890d0", + "https://git.kernel.org/stable/c/ca8e2e251c65e5a712f6025e27bd9b26d16e6f4a", + "https://git.kernel.org/stable/c/f957a1be647f7fc65926cbf572992ec2747a93f2", + "https://git.kernel.org/stable/c/fb1936cb587262cd539e84b34541abb06e42b2f9", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix a double-free in si_dpm_init\n\nWhen the allocation of\nadev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,\namdgpu_free_extended_power_table is called to free some fields of adev.\nHowever, when the control flow returns to si_dpm_sw_init, it goes to\nlabel dpm_failed and calls si_dpm_fini, which calls\namdgpu_free_extended_power_table again and free those fields again. Thus\na double-free is triggered.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52691" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52692", + "dataSource": "https://ubuntu.com/security/CVE-2023-52692", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52692" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52692", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52692", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/145c5aa51486171025ab47f35cff34bff8d0cea3", + "https://git.kernel.org/stable/c/51d5697e1c0380d482c3eab002bfc8d0be177e99", + "https://git.kernel.org/stable/c/996fde492ad9b9563ee483b363af40d7696a8467", + "https://git.kernel.org/stable/c/be96acd3eaa790d10a5b33e65267f52d02f6ad88", + "https://git.kernel.org/stable/c/ca459dfa7d4ed9098fcf13e410963be6ae9b6bf3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()\n\nscarlett2_usb_set_config() calls scarlett2_usb_get() but was not\nchecking the result. Return the error if it fails rather than\ncontinuing with an invalid value.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52692" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52693", + "dataSource": "https://ubuntu.com/security/CVE-2023-52693", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52693" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52693", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52693", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e3a2b9b4039bb4d136dca59fb31e06465e056f3", + "https://git.kernel.org/stable/c/2124c5bc22948fc4d09a23db4a8acdccc7d21e95", + "https://git.kernel.org/stable/c/39af144b6d01d9b40f52e5d773e653957e6c379c", + "https://git.kernel.org/stable/c/3a370502a5681986f9828e43be75ce26c6ab24af", + "https://git.kernel.org/stable/c/556f02699d33c1f40b1b31bd25828ce08fa165d8", + "https://git.kernel.org/stable/c/72884ce4e10417b1233b614bf134da852df0f15f", + "https://git.kernel.org/stable/c/c4e1a0ef0b4782854c9b77a333ca912b392bed2f", + "https://git.kernel.org/stable/c/ccd45faf4973746c4f30ea41eec864e5cf191099", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: check for error while searching for backlight device parent\n\nIf acpi_get_parent() called in acpi_video_dev_register_backlight()\nfails, for example, because acpi_ut_acquire_mutex() fails inside\nacpi_get_parent), this can lead to incorrect (uninitialized)\nacpi_parent handle being passed to acpi_get_pci_dev() for detecting\nthe parent pci device.\n\nCheck acpi_get_parent() result and set parent device only in case of success.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52693" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52694", + "dataSource": "https://ubuntu.com/security/CVE-2023-52694", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52694" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52694", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52694", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08ccff6ece35f08e8107e975903c370d849089e5", + "https://git.kernel.org/stable/c/53926e2a39629702f7f809d614b3ca89c2478205", + "https://git.kernel.org/stable/c/81f1bd85960b7a089a91e679ff7cd2524390bbf1", + "https://git.kernel.org/stable/c/a8657406e12aa10412134622c58977ac657f16d2", + "https://git.kernel.org/stable/c/ce3e112e7ae854249d8755906acc5f27e1542114", + "https://git.kernel.org/stable/c/e00ec5901954d85b39b5f10f94e60ab9af463eb1", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\n\nWith tpd12s015_remove() marked with __exit this function is discarded\nwhen the driver is compiled as a built-in. The result is that when the\ndriver unbinds there is no cleanup done which results in resource\nleakage or worse.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52694" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52696", + "dataSource": "https://ubuntu.com/security/CVE-2023-52696", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52696" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52696", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52696", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/69f95c5e9220f77ce7c540686b056c2b49e9a664", + "https://git.kernel.org/stable/c/6b58d16037217d0c64a2a09b655f370403ec7219", + "https://git.kernel.org/stable/c/9da4a56dd3772570512ca58aa8832b052ae910dc", + "https://git.kernel.org/stable/c/a67a04ad05acb56640798625e73fa54d6d41cce1", + "https://git.kernel.org/stable/c/b02ecc35d01a76b4235e008d2dd292895b28ecab", + "https://git.kernel.org/stable/c/e123015c0ba859cf48aa7f89c5016cc6e98e018d", + "https://git.kernel.org/stable/c/f152a6bfd187f67afeffc9fd68cbe46f51439be0", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_powercap_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52696" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52698", + "dataSource": "https://ubuntu.com/security/CVE-2023-52698", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52698" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52698", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52698", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/321b3a5592c8a9d6b654c7c64833ea67dbb33149", + "https://git.kernel.org/stable/c/36e19f84634aaa94f543fedc0a07588949638d53", + "https://git.kernel.org/stable/c/408bbd1e1746fe33e51f4c81c2febd7d3841d031", + "https://git.kernel.org/stable/c/44a88650ba55e6a7f2ec485d2c2413ba7e216f01", + "https://git.kernel.org/stable/c/9a8f811a146aa2a0230f8edb2e9f4b6609aab8da", + "https://git.kernel.org/stable/c/a4529a08d3704c17ea9c7277d180e46b99250ded", + "https://git.kernel.org/stable/c/ec4e9d630a64df500641892f4e259e8149594a99", + "https://git.kernel.org/stable/c/f14d36e6e97fe935a20e0ceb159c100f90b6627c", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncalipso: fix memory leak in netlbl_calipso_add_pass()\n\nIf IPv6 support is disabled at boot (ipv6.disable=1),\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\nand the netlbl_calipso_ops_get() function always returns NULL.\nIn this case, the netlbl_calipso_add_pass() function allocates memory\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\n\nBUG: memory leak\nunreferenced object 0xffff888011d68180 (size 64):\n comm \"syz-executor.1\", pid 10746, jiffies 4295410986 (age 17.928s)\n hex dump (first 32 bytes):\n 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<...>] kmalloc include/linux/slab.h:552 [inline]\n [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\n [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\n [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\n [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\n [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\n [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\n [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\n [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\n [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\n [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\n [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller\n\n[PM: merged via the LSM tree at Jakub Kicinski request]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52698" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52699", + "dataSource": "https://ubuntu.com/security/CVE-2023-52699", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52699" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52699", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52699", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13b33feb2ebddc2b1aa607f553566b18a4af1d76", + "https://git.kernel.org/stable/c/1b4fe801b5bedec2b622ddb18e5c9bf26c63d79f", + "https://git.kernel.org/stable/c/53cb1e52c9db618c08335984d1ca80db220ccf09", + "https://git.kernel.org/stable/c/674c1c4229e743070e09db63a23442950ff000d1", + "https://git.kernel.org/stable/c/89e8524135a3902e7563a5a59b7b5ec1bf4904ac", + "https://git.kernel.org/stable/c/a69224223746ab96d43e5db9d22d136827b7e2d3", + "https://git.kernel.org/stable/c/f123dc86388cb669c3d6322702dc441abc35c31e", + "https://git.kernel.org/stable/c/fd203d2c671bdee9ab77090ff394d3b71b627927", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysv: don't call sb_bread() with pointers_lock held\n\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\nsb_bread() is called with rw_spinlock held.\n\nA \"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\" bug\nand a \"sb_bread() with write_lock(&pointers_lock)\" bug were introduced by\n\"Replace BKL for chain locking with sysvfs-private rwlock\" in Linux 2.5.12.\n\nThen, \"[PATCH] err1-40: sysvfs locking fix\" in Linux 2.6.8 fixed the\nformer bug by moving pointers_lock lock to the callers, but instead\nintroduced a \"sb_bread() with read_lock(&pointers_lock)\" bug (which made\nthis problem easier to hit).\n\nAl Viro suggested that why not to do like get_branch()/get_block()/\nfind_shared() in Minix filesystem does. And doing like that is almost a\nrevert of \"[PATCH] err1-40: sysvfs locking fix\" except that get_branch()\n from with find_shared() is called without write_lock(&pointers_lock).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2023-52699" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52700", + "dataSource": "https://ubuntu.com/security/CVE-2023-52700", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52700" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52700", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52700", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/11a4d6f67cf55883dc78e31c247d1903ed7feccc", + "https://git.kernel.org/stable/c/54b6082aec178f16ad6d193b4ecdc9c4823d9a32" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix kernel warning when sending SYN message\n\nWhen sending a SYN message, this kernel stack trace is observed:\n\n...\n[ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550\n...\n[ 13.398494] Call Trace:\n[ 13.398630] \n[ 13.398630] ? __alloc_skb+0xed/0x1a0\n[ 13.398630] tipc_msg_build+0x12c/0x670 [tipc]\n[ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290\n[ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc]\n[ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc]\n[ 13.398630] ? __local_bh_enable_ip+0x37/0x80\n[ 13.398630] tipc_connect+0x1d9/0x230 [tipc]\n[ 13.398630] ? __sys_connect+0x9f/0xd0\n[ 13.398630] __sys_connect+0x9f/0xd0\n[ 13.398630] ? preempt_count_add+0x4d/0xa0\n[ 13.398630] ? fpregs_assert_state_consistent+0x22/0x50\n[ 13.398630] __x64_sys_connect+0x16/0x20\n[ 13.398630] do_syscall_64+0x42/0x90\n[ 13.398630] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIt is because commit a41dad905e5a (\"iov_iter: saner checks for attempt\nto copy to/from iterator\") has introduced sanity check for copying\nfrom/to iov iterator. Lacking of copy direction from the iterator\nviewpoint would lead to kernel stack trace like above.\n\nThis commit fixes this issue by initializing the iov iterator with\nthe correct copy direction when sending SYN or ACK without data.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52700" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52701", + "dataSource": "https://ubuntu.com/security/CVE-2023-52701", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52701" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52701", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52701", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2558b8039d059342197610498c8749ad294adee5", + "https://git.kernel.org/stable/c/863a7de987f02a901bf215509276a7de0370e0f9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use a bounce buffer for copying skb->mark\n\nsyzbot found arm64 builds would crash in sock_recv_mark()\nwhen CONFIG_HARDENED_USERCOPY=y\n\nx86 and powerpc are not detecting the issue because\nthey define user_access_begin.\nThis will be handled in a different patch,\nbecause a check_object_size() is missing.\n\nOnly data from skb->cb[] can be copied directly to/from user space,\nas explained in commit 79a8a642bf05 (\"net: Whitelist\nthe skbuff_head_cache \"cb\" field\")\n\nsyzbot report was:\nusercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)!\n------------[ cut here ]------------\nkernel BUG at mm/usercopy.c:102 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : usercopy_abort+0x90/0x94 mm/usercopy.c:90\nlr : usercopy_abort+0x90/0x94 mm/usercopy.c:90\nsp : ffff80000fb9b9a0\nx29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00\nx26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000\nx23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8\nx20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000\nx17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118\nx14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400\nx11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00\nx8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c\nCall trace:\nusercopy_abort+0x90/0x94 mm/usercopy.c:90\n__check_heap_object+0xa8/0x100 mm/slub.c:4761\ncheck_heap_object mm/usercopy.c:196 [inline]\n__check_object_size+0x208/0x6b8 mm/usercopy.c:251\ncheck_object_size include/linux/thread_info.h:199 [inline]\n__copy_to_user include/linux/uaccess.h:115 [inline]\nput_cmsg+0x408/0x464 net/core/scm.c:238\nsock_recv_mark net/socket.c:975 [inline]\n__sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984\nsock_recv_cmsgs include/net/sock.h:2728 [inline]\npacket_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482\n____sys_recvmsg+0x110/0x3a0\n___sys_recvmsg net/socket.c:2737 [inline]\n__sys_recvmsg+0x194/0x210 net/socket.c:2767\n__do_sys_recvmsg net/socket.c:2777 [inline]\n__se_sys_recvmsg net/socket.c:2774 [inline]\n__arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774\n__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\ninvoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52\nel0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142\ndo_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193\nel0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637\nel0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591\nCode: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52701" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52702", + "dataSource": "https://ubuntu.com/security/CVE-2023-52702", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52702" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52702", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52702", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1563e998a938f095548054ef09e277b562b79536", + "https://git.kernel.org/stable/c/2fa28f5c6fcbfc794340684f36d2581b4f2d20b5", + "https://git.kernel.org/stable/c/c0f65ee0a3329eb4b94beaef0268633696e2d0c6", + "https://git.kernel.org/stable/c/e336a9e08618203a456fb5367f1387b14554f55e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix possible memory leak in ovs_meter_cmd_set()\n\nold_meter needs to be free after it is detached regardless of whether\nthe new meter is successfully attached.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52702" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52703", + "dataSource": "https://ubuntu.com/security/CVE-2023-52703", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52703" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52703", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52703", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02df3170c04a8356cd571ab9155a42f030190abc", + "https://git.kernel.org/stable/c/1b5de7d44890b78519acbcc80d8d1f23ff2872e5", + "https://git.kernel.org/stable/c/338f826d3afead6e4df521f7972a4bef04a72efb", + "https://git.kernel.org/stable/c/525bdcb0838d19d918c7786151ee14661967a030", + "https://git.kernel.org/stable/c/723ef7b66f37c0841f5a451ccbce47ee1641e081", + "https://git.kernel.org/stable/c/a753352622b4f3c0219e0e9c73114b2848ae6042", + "https://git.kernel.org/stable/c/c68f345b7c425b38656e1791a0486769a8797016" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/usb: kalmia: Don't pass act_len in usb_bulk_msg error path\n\nsyzbot reported that act_len in kalmia_send_init_packet() is\nuninitialized when passing it to the first usb_bulk_msg error path. Jiri\nPirko noted that it's pointless to pass it in the error path, and that\nthe value that would be printed in the second error path would be the\nvalue of act_len from the first call to usb_bulk_msg.[1]\n\nWith this in mind, let's just not pass act_len to the usb_bulk_msg error\npaths.\n\n1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52703" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52705", + "dataSource": "https://ubuntu.com/security/CVE-2023-52705", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52705" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52705", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52705", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ee5ed0126a2211f7174492da2ca2c29f43755c5", + "https://git.kernel.org/stable/c/2f7a1135b202977b82457adde7db6c390056863b", + "https://git.kernel.org/stable/c/52844d8382cd9166d708032def8905ffc3ae550f", + "https://git.kernel.org/stable/c/99b9402a36f0799f25feee4465bfa4b8dfa74b4d", + "https://git.kernel.org/stable/c/a158782b56b070485d54d25fc9aaf2c8f3752205", + "https://git.kernel.org/stable/c/a8ef5109f93cea9933bbac0455d8c18757b3fcb4", + "https://git.kernel.org/stable/c/b96591e2c35c8b47db0ec816b5fc6cb8868000ff" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix underflow in second superblock position calculations\n\nMacro NILFS_SB2_OFFSET_BYTES, which computes the position of the second\nsuperblock, underflows when the argument device size is less than 4096\nbytes. Therefore, when using this macro, it is necessary to check in\nadvance that the device size is not less than a lower limit, or at least\nthat underflow does not occur.\n\nThe current nilfs2 implementation lacks this check, causing out-of-bound\nblock access when mounting devices smaller than 4096 bytes:\n\n I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0\n phys_seg 1 prio class 2\n NILFS (loop0): unable to read secondary superblock (blocksize = 1024)\n\nIn addition, when trying to resize the filesystem to a size below 4096\nbytes, this underflow occurs in nilfs_resize_fs(), passing a huge number\nof segments to nilfs_sufile_resize(), corrupting parameters such as the\nnumber of segments in superblocks. This causes excessive loop iterations\nin nilfs_sufile_resize() during a subsequent resize ioctl, causing\nsemaphore ns_segctor_sem to block for a long time and hang the writer\nthread:\n\n INFO: task segctord:5067 blocked for more than 143 seconds.\n Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:segctord state:D stack:23456 pid:5067 ppid:2\n flags:0x00004000\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x1409/0x43f0 kernel/sched/core.c:6606\n schedule+0xc3/0x190 kernel/sched/core.c:6682\n rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190\n nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357\n nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]\n nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570\n kthread+0x270/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n ...\n Call Trace:\n \n folio_mark_accessed+0x51c/0xf00 mm/swap.c:515\n __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]\n nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61\n nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121\n nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176\n nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251\n nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]\n nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]\n nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777\n nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422\n nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]\n nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301\n ...\n\nThis fixes these issues by inserting appropriate minimum device size\nchecks or anti-underflow checks, depending on where the macro is used.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52705" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52707", + "dataSource": "https://ubuntu.com/security/CVE-2023-52707", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52707" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52707", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52707", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7caeb5457bd01ccba0df1d6f4872f20d28e50b38", + "https://git.kernel.org/stable/c/c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe", + "https://git.kernel.org/stable/c/c6879a4dcefe92d870ab68cabaa9caeda4f2af5a", + "https://git.kernel.org/stable/c/cca2b3feb70170ef6f0fbc4b4d91eea235a2b73a", + "https://git.kernel.org/stable/c/ec9c7aa08819f976b2492fa63c41b5712d2924b5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: Fix use-after-free in ep_remove_wait_queue()\n\nIf a non-root cgroup gets removed when there is a thread that registered\ntrigger and is polling on a pressure file within the cgroup, the polling\nwaitqueue gets freed in the following path:\n\n do_rmdir\n cgroup_rmdir\n kernfs_drain_open_files\n cgroup_file_release\n cgroup_pressure_release\n psi_trigger_destroy\n\nHowever, the polling thread still has a reference to the pressure file and\nwill access the freed waitqueue when the file is closed or upon exit:\n\n fput\n ep_eventpoll_release\n ep_free\n ep_remove_wait_queue\n remove_wait_queue\n\nThis results in use-after-free as pasted below.\n\nThe fundamental problem here is that cgroup_file_release() (and\nconsequently waitqueue's lifetime) is not tied to the file's real lifetime.\nUsing wake_up_pollfree() here might be less than ideal, but it is in line\nwith the comment at commit 42288cb44c4b (\"wait: add wake_up_pollfree()\")\nsince the waitqueue's lifetime is not tied to file's one and can be\nconsidered as another special case. While this would be fixable by somehow\nmaking cgroup_file_release() be tied to the fput(), it would require\nsizable refactoring at cgroups or higher layer which might be more\njustifiable if we identify more cases like this.\n\n BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0\n Write of size 4 at addr ffff88810e625328 by task a.out/4404\n\n\tCPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38\n\tHardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017\n\tCall Trace:\n\t\n\tdump_stack_lvl+0x73/0xa0\n\tprint_report+0x16c/0x4e0\n\tkasan_report+0xc3/0xf0\n\tkasan_check_range+0x2d2/0x310\n\t_raw_spin_lock_irqsave+0x60/0xc0\n\tremove_wait_queue+0x1a/0xa0\n\tep_free+0x12c/0x170\n\tep_eventpoll_release+0x26/0x30\n\t__fput+0x202/0x400\n\ttask_work_run+0x11d/0x170\n\tdo_exit+0x495/0x1130\n\tdo_group_exit+0x100/0x100\n\tget_signal+0xd67/0xde0\n\tarch_do_signal_or_restart+0x2a/0x2b0\n\texit_to_user_mode_prepare+0x94/0x100\n\tsyscall_exit_to_user_mode+0x20/0x40\n\tdo_syscall_64+0x52/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\t\n\n Allocated by task 4404:\n\n\tkasan_set_track+0x3d/0x60\n\t__kasan_kmalloc+0x85/0x90\n\tpsi_trigger_create+0x113/0x3e0\n\tpressure_write+0x146/0x2e0\n\tcgroup_file_write+0x11c/0x250\n\tkernfs_fop_write_iter+0x186/0x220\n\tvfs_write+0x3d8/0x5c0\n\tksys_write+0x90/0x110\n\tdo_syscall_64+0x43/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n Freed by task 4407:\n\n\tkasan_set_track+0x3d/0x60\n\tkasan_save_free_info+0x27/0x40\n\t____kasan_slab_free+0x11d/0x170\n\tslab_free_freelist_hook+0x87/0x150\n\t__kmem_cache_free+0xcb/0x180\n\tpsi_trigger_destroy+0x2e8/0x310\n\tcgroup_file_release+0x4f/0xb0\n\tkernfs_drain_open_files+0x165/0x1f0\n\tkernfs_drain+0x162/0x1a0\n\t__kernfs_remove+0x1fb/0x310\n\tkernfs_remove_by_name_ns+0x95/0xe0\n\tcgroup_addrm_files+0x67f/0x700\n\tcgroup_destroy_locked+0x283/0x3c0\n\tcgroup_rmdir+0x29/0x100\n\tkernfs_iop_rmdir+0xd1/0x140\n\tvfs_rmdir+0xfe/0x240\n\tdo_rmdir+0x13d/0x280\n\t__x64_sys_rmdir+0x2c/0x30\n\tdo_syscall_64+0x43/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52707" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52708", + "dataSource": "https://ubuntu.com/security/CVE-2023-52708", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52708" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52708", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52708", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0b3edcb24bd81b3b2e3dac89f4733bfd47d283be", + "https://git.kernel.org/stable/c/82645bf4ed02abe930a659c5fe16d593a6dbd93f", + "https://git.kernel.org/stable/c/cf4c9d2ac1e42c7d18b921bec39486896645b714", + "https://git.kernel.org/stable/c/e9b488d60f51ae312006e224e03a30a151c28bdd", + "https://git.kernel.org/stable/c/ecad2fafd424ffdc203b2748ded0b37e4bbecef3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmc_spi: fix error handling in mmc_spi_probe()\n\nIf mmc_add_host() fails, it doesn't need to call mmc_remove_host(),\nor it will cause null-ptr-deref, because of deleting a not added\ndevice in mmc_remove_host().\n\nTo fix this, goto label 'fail_glue_init', if mmc_add_host() fails,\nand change the label 'fail_add_host' to 'fail_gpiod_request'.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52708" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52730", + "dataSource": "https://ubuntu.com/security/CVE-2023-52730", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52730" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52730", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52730", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e06cf04239e202248c8fa356bf11449dc73cfbd", + "https://git.kernel.org/stable/c/30716d9f0fa1766e522cf24c8a456244e4fc9931", + "https://git.kernel.org/stable/c/5c7858adada31dbed042448cff6997dd6efc472a", + "https://git.kernel.org/stable/c/605d9fb9556f8f5fb4566f4df1480f280f308ded", + "https://git.kernel.org/stable/c/761db46b29b496946046d8cb33c7ea6de6bef36e", + "https://git.kernel.org/stable/c/92ff03c2563c9b57a027c744750f3b7d2f261c58", + "https://git.kernel.org/stable/c/f855d31bb38d663c3ba672345d7cce9324ba3b72" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdio: fix possible resource leaks in some error paths\n\nIf sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can\nnot release the resources, because the sdio function is not presented\nin these two cases, it won't call of_node_put() or put_device().\n\nTo fix these leaks, make sdio_func_present() only control whether\ndevice_del() needs to be called or not, then always call of_node_put()\nand put_device().\n\nIn error case in sdio_init_func(), the reference of 'card->dev' is\nnot get, to avoid redundant put in sdio_free_func_cis(), move the\nget_device() to sdio_alloc_func() and put_device() to sdio_release_func(),\nit can keep the get/put function be balanced.\n\nWithout this patch, while doing fault inject test, it can get the\nfollowing leak reports, after this fix, the leak is gone.\n\nunreferenced object 0xffff888112514000 (size 2048):\n comm \"kworker/3:2\", pid 65, jiffies 4294741614 (age 124.774s)\n hex dump (first 32 bytes):\n 00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X......\n 10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q.....\n backtrace:\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\n [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]\n [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]\n [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\n\nunreferenced object 0xffff888112511000 (size 2048):\n comm \"kworker/3:2\", pid 65, jiffies 4294741623 (age 124.766s)\n hex dump (first 32 bytes):\n 00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X......\n 10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q.....\n backtrace:\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\n [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]\n [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52730" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52732", + "dataSource": "https://ubuntu.com/security/CVE-2023-52732", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52732" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52732", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52732", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/66ec619e4591f8350f99c5269a7ce160cccc7a7c", + "https://git.kernel.org/stable/c/a68e564adcaa69b0930809fb64d9d5f7d9c32ba9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: blocklist the kclient when receiving corrupted snap trace\n\nWhen received corrupted snap trace we don't know what exactly has\nhappened in MDS side. And we shouldn't continue IOs and metadatas\naccess to MDS, which may corrupt or get incorrect contents.\n\nThis patch will just block all the further IO/MDS requests\nimmediately and then evict the kclient itself.\n\nThe reason why we still need to evict the kclient just after\nblocking all the further IOs is that the MDS could revoke the caps\nfaster.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52732" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52733", + "dataSource": "https://ubuntu.com/security/CVE-2023-52733", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52733" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52733", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52733", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/16409f7d9ca5bb8220e1049ea9aae0d3c94d2dfb", + "https://git.kernel.org/stable/c/55dbd6f4ea954751340f4f73d5dcd7c8f12208b2", + "https://git.kernel.org/stable/c/7ab41c2c08a32132ba8c14624910e2fe8ce4ba4b", + "https://git.kernel.org/stable/c/9ed522143f959630f8b7782ddc212900d8f609a9", + "https://git.kernel.org/stable/c/f1eb22d0ff064ad458b3b1a1eaa84ac3996206c2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/decompressor: specify __decompress() buf len to avoid overflow\n\nHistorically calls to __decompress() didn't specify \"out_len\" parameter\non many architectures including s390, expecting that no writes beyond\nuncompressed kernel image are performed. This has changed since commit\n2aa14b1ab2c4 (\"zstd: import usptream v1.5.2\") which includes zstd library\ncommit 6a7ede3dfccb (\"Reduce size of dctx by reutilizing dst buffer\n(#2751)\"). Now zstd decompression code might store literal buffer in\nthe unwritten portion of the destination buffer. Since \"out_len\" is\nnot set, it is considered to be unlimited and hence free to use for\noptimization needs. On s390 this might corrupt initrd or ipl report\nwhich are often placed right after the decompressor buffer. Luckily the\nsize of uncompressed kernel image is already known to the decompressor,\nso to avoid the problem simply specify it in the \"out_len\" parameter.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52733" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52734", + "dataSource": "https://ubuntu.com/security/CVE-2023-52734", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52734" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52734", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52734", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52734" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52735", + "dataSource": "https://ubuntu.com/security/CVE-2023-52735", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52735" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52735", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52735", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/5b4a79ba65a1ab479903fff2e604865d229b70a9", + "https://git.kernel.org/stable/c/7499859881488da97589f3c79cc66fa75748ad49", + "https://git.kernel.org/stable/c/f312367f5246e04df564d341044286e9e37a97ba" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself\n\nsock_map proto callbacks should never call themselves by design. Protect\nagainst bugs like [1] and break out of the recursive loop to avoid a stack\noverflow in favor of a resource leak.\n\n[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52735" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52736", + "dataSource": "https://ubuntu.com/security/CVE-2023-52736", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52736" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52736", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52736", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/427ca2530da8dc61a42620d7113b05e187b6c2c0", + "https://git.kernel.org/stable/c/7fc4e7191eae9d9325511e03deadfdb2224914f8", + "https://git.kernel.org/stable/c/87978e6ad45a16835cc58234451111091be3c59a", + "https://git.kernel.org/stable/c/e909f5f2aa55a8f9aa6919cce08015cb0e8d4668" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Do not unset preset when cleaning up codec\n\nSeveral functions that take part in codec's initialization and removal\nare re-used by ASoC codec drivers implementations. Drivers mimic the\nbehavior of hda_codec_driver_probe/remove() found in\nsound/pci/hda/hda_bind.c with their component->probe/remove() instead.\n\nOne of the reasons for that is the expectation of\nsnd_hda_codec_device_new() to receive a valid pointer to an instance of\nstruct snd_card. This expectation can be met only once sound card\ncomponents probing commences.\n\nAs ASoC sound card may be unbound without codec device being actually\nremoved from the system, unsetting ->preset in\nsnd_hda_codec_cleanup_for_unbind() interferes with module unload -> load\nscenario causing null-ptr-deref. Preset is assigned only once, during\ndevice/driver matching whereas ASoC codec driver's module reloading may\noccur several times throughout the lifetime of an audio stack.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52736" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52737", + "dataSource": "https://ubuntu.com/security/CVE-2023-52737", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52737" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52737", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52737", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/519b7e13b5ae8dd38da1e52275705343be6bb508", + "https://git.kernel.org/stable/c/d8c594da79bc0244e610a70594e824a401802be1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: lock the inode in shared mode before starting fiemap\n\nCurrently fiemap does not take the inode's lock (VFS lock), it only locks\na file range in the inode's io tree. This however can lead to a deadlock\nif we have a concurrent fsync on the file and fiemap code triggers a fault\nwhen accessing the user space buffer with fiemap_fill_next_extent(). The\ndeadlock happens on the inode's i_mmap_lock semaphore, which is taken both\nby fsync and btrfs_page_mkwrite(). This deadlock was recently reported by\nsyzbot and triggers a trace like the following:\n\n task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\n schedule+0xcb/0x190 kernel/sched/core.c:6682\n wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]\n wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751\n lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742\n find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488\n writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863\n __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174\n extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091\n extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211\n do_writepages+0x3c3/0x680 mm/page-writeback.c:2581\n filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388\n __filemap_fdatawrite_range mm/filemap.c:421 [inline]\n filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439\n btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline]\n start_ordered_ops fs/btrfs/file.c:1737 [inline]\n btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839\n generic_write_sync include/linux/fs.h:2885 [inline]\n btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684\n call_write_iter include/linux/fs.h:2189 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x7f7d4054e9b9\n RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9\n RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006\n RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69\n R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8\n \n INFO: task syz-executor361:5697 blocked for more than 145 seconds.\n Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\n schedule+0xcb/0x190 kernel/sched/core.c:6682\n rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095\n __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260\n btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526\n do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947\n wp_page_shared+0x15e/0x380 mm/memory.c:3295\n handle_pte_fault mm/memory.c:4949 [inline]\n __handle_mm_fault mm/memory.c:5073 [inline]\n handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219\n do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428\n handle_page_fault arch/x86/mm/fault.c:1519 [inline]\n exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575\n asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570\n RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233\n Code: 74 0a 89 (...)\n RSP: 0018:ffffc9000570f330 EFLAGS: 000502\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52737" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52738", + "dataSource": "https://ubuntu.com/security/CVE-2023-52738", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52738" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52738", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52738", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2bcbbef9cace772f5b7128b11401c515982de34b", + "https://git.kernel.org/stable/c/2e557c8ca2c585bdef591b8503ba83b85f5d0afd", + "https://git.kernel.org/stable/c/5ad7bbf3dba5c4a684338df1f285080f2588b535" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini\n\nCurrently amdgpu calls drm_sched_fini() from the fence driver sw fini\nroutine - such function is expected to be called only after the\nrespective init function - drm_sched_init() - was executed successfully.\n\nHappens that we faced a driver probe failure in the Steam Deck\nrecently, and the function drm_sched_fini() was called even without\nits counter-part had been previously called, causing the following oops:\n\namdgpu: probe of 0000:04:00.0 failed with error -110\nBUG: kernel NULL pointer dereference, address: 0000000000000090\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338\nHardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022\nRIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched]\n[...]\nCall Trace:\n \n amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu]\n amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu]\n amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\n devm_drm_dev_init_release+0x49/0x70\n [...]\n\nTo prevent that, check if the drm_sched was properly initialized for a\ngiven ring before calling its fini counter-part.\n\nNotice ideally we'd use sched.ready for that; such field is set as the latest\nthing on drm_sched_init(). But amdgpu seems to \"override\" the meaning of such\nfield - in the above oops for example, it was a GFX ring causing the crash, and\nthe sched.ready field was set to true in the ring init routine, regardless of\nthe state of the DRM scheduler. Hence, we ended-up using sched.ops as per\nChristian's suggestion [0], and also removed the no_scheduler check [1].\n\n[0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/\n[1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52738" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52739", + "dataSource": "https://ubuntu.com/security/CVE-2023-52739", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52739" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52739", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52739", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a626e27f984dfbe96bd8e4fd08f20a2ede3ea23", + "https://git.kernel.org/stable/c/3af734f3eac6f70ef8e272a80da40544b9d0f2b5", + "https://git.kernel.org/stable/c/3b4c045a98f53a8890a94bb5846a390c8e39e673", + "https://git.kernel.org/stable/c/462a8e08e0e6287e5ce13187257edbf24213ed03" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix page corruption caused by racy check in __free_pages\n\nWhen we upgraded our kernel, we started seeing some page corruption like\nthe following consistently:\n\n BUG: Bad page state in process ganesha.nfsd pfn:1304ca\n page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca\n flags: 0x17ffffc0000000()\n raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000\n raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000\n page dumped because: nonzero mapcount\n CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P B O 5.10.158-1.nutanix.20221209.el7.x86_64 #1\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016\n Call Trace:\n dump_stack+0x74/0x96\n bad_page.cold+0x63/0x94\n check_new_page_bad+0x6d/0x80\n rmqueue+0x46e/0x970\n get_page_from_freelist+0xcb/0x3f0\n ? _cond_resched+0x19/0x40\n __alloc_pages_nodemask+0x164/0x300\n alloc_pages_current+0x87/0xf0\n skb_page_frag_refill+0x84/0x110\n ...\n\nSometimes, it would also show up as corruption in the free list pointer\nand cause crashes.\n\nAfter bisecting the issue, we found the issue started from commit\ne320d3012d25 (\"mm/page_alloc.c: fix freeing non-compound pages\"):\n\n\tif (put_page_testzero(page))\n\t\tfree_the_page(page, order);\n\telse if (!PageHead(page))\n\t\twhile (order-- > 0)\n\t\t\tfree_the_page(page + (1 << order), order);\n\nSo the problem is the check PageHead is racy because at this point we\nalready dropped our reference to the page. So even if we came in with\ncompound page, the page can already be freed and PageHead can return\nfalse and we will end up freeing all the tail pages causing double free.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52739" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52740", + "dataSource": "https://ubuntu.com/security/CVE-2023-52740", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52740" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52740", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52740", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ea31e2e62bbc4d11c411eeb36f1b02841dbcab1", + "https://git.kernel.org/stable/c/6f097c24815e67909a1fcc2c605586d02babd673", + "https://git.kernel.org/stable/c/86f7e423933608d536015a0f2eb9e0338c1227e0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch\n\nThe RFI and STF security mitigation options can flip the\ninterrupt_exit_not_reentrant static branch condition concurrently with\nthe interrupt exit code which tests that branch.\n\nInterrupt exit tests this condition to set MSR[EE|RI] for exit, then\nagain in the case a soft-masked interrupt is found pending, to recover\nthe MSR so the interrupt can be replayed before attempting to exit\nagain. If the condition changes between these two tests, the MSR and irq\nsoft-mask state will become corrupted, leading to warnings and possible\ncrashes. For example, if the branch is initially true then false,\nMSR[EE] will be 0 but PACA_IRQ_HARD_DIS clear and EE may not get\nenabled, leading to warnings in irq_64.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52740" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52741", + "dataSource": "https://ubuntu.com/security/CVE-2023-52741", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52741" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52741", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52741", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b693fe3f760c87fd9768e759f6297f743a1b3b0", + "https://git.kernel.org/stable/c/3684a2f6affa1ca52a5d4a12f04d0652efdee65e", + "https://git.kernel.org/stable/c/aa5465aeca3c66fecdf7efcf554aed79b4c4b211", + "https://git.kernel.org/stable/c/d1fba1e096ffc7ec11df863a97c50203c47315b9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix use-after-free in rdata->read_into_pages()\n\nWhen the network status is unstable, use-after-free may occur when\nread data from the server.\n\n BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0\n\n Call Trace:\n \n dump_stack_lvl+0x38/0x4c\n print_report+0x16f/0x4a6\n kasan_report+0xb7/0x130\n readpages_fill_pages+0x14c/0x7e0\n cifs_readv_receive+0x46d/0xa40\n cifs_demultiplex_thread+0x121c/0x1490\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n \n\n Allocated by task 2535:\n kasan_save_stack+0x22/0x50\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x82/0x90\n cifs_readdata_direct_alloc+0x2c/0x110\n cifs_readdata_alloc+0x2d/0x60\n cifs_readahead+0x393/0xfe0\n read_pages+0x12f/0x470\n page_cache_ra_unbounded+0x1b1/0x240\n filemap_get_pages+0x1c8/0x9a0\n filemap_read+0x1c0/0x540\n cifs_strict_readv+0x21b/0x240\n vfs_read+0x395/0x4b0\n ksys_read+0xb8/0x150\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\n Freed by task 79:\n kasan_save_stack+0x22/0x50\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2e/0x50\n __kasan_slab_free+0x10e/0x1a0\n __kmem_cache_free+0x7a/0x1a0\n cifs_readdata_release+0x49/0x60\n process_one_work+0x46c/0x760\n worker_thread+0x2a4/0x6f0\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n\n Last potentially related work creation:\n kasan_save_stack+0x22/0x50\n __kasan_record_aux_stack+0x95/0xb0\n insert_work+0x2b/0x130\n __queue_work+0x1fe/0x660\n queue_work_on+0x4b/0x60\n smb2_readv_callback+0x396/0x800\n cifs_abort_connection+0x474/0x6a0\n cifs_reconnect+0x5cb/0xa50\n cifs_readv_from_socket.cold+0x22/0x6c\n cifs_read_page_from_socket+0xc1/0x100\n readpages_fill_pages.cold+0x2f/0x46\n cifs_readv_receive+0x46d/0xa40\n cifs_demultiplex_thread+0x121c/0x1490\n kthread+0x16b/0x1a0\n ret_from_fork+0x2c/0x50\n\nThe following function calls will cause UAF of the rdata pointer.\n\nreadpages_fill_pages\n cifs_read_page_from_socket\n cifs_readv_from_socket\n cifs_reconnect\n __cifs_reconnect\n cifs_abort_connection\n mid->callback() --> smb2_readv_callback\n queue_work(&rdata->work) # if the worker completes first,\n # the rdata is freed\n cifs_readv_complete\n kref_put\n cifs_readdata_release\n kfree(rdata)\n return rdata->... # UAF in readpages_fill_pages()\n\nSimilarly, this problem also occurs in the uncache_fill_pages().\n\nFix this by adjusts the order of condition judgment in the return\nstatement.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52741" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52742", + "dataSource": "https://ubuntu.com/security/CVE-2023-52742", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52742" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52742", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52742", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d2cf3fae701646061e295815bb7588d2f3671cc", + "https://git.kernel.org/stable/c/1be271c52bf3554edcb8d124d1f8c7f777ee5727", + "https://git.kernel.org/stable/c/25141fb4119112f4ebf8f00cf52014abbc8020b1", + "https://git.kernel.org/stable/c/43379fcacea2dcee35d02efc9c8fe97807a503c9", + "https://git.kernel.org/stable/c/6f69307f625904feed189008381fd83bd1a35b63", + "https://git.kernel.org/stable/c/811d581194f7412eda97acc03d17fc77824b561f", + "https://git.kernel.org/stable/c/f0ad46ef772438c0596df370450d8bdc8a12dbfb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: USB: Fix wrong-direction WARNING in plusb.c\n\nThe syzbot fuzzer detected a bug in the plusb network driver: A\nzero-length control-OUT transfer was treated as a read instead of a\nwrite. In modern kernels this error provokes a WARNING:\n\nusb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0\nWARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411\nusb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nModules linked in:\nCPU: 1 PID: 4645 Comm: dhcpcd Not tainted\n6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n01/12/2023\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\n...\nCall Trace:\n \n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\n __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010\n usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068\n pl_vendor_req drivers/net/usb/plusb.c:60 [inline]\n pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline]\n pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85\n usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889\n __dev_open+0x297/0x4d0 net/core/dev.c:1417\n __dev_change_flags+0x587/0x750 net/core/dev.c:8530\n dev_change_flags+0x97/0x170 net/core/dev.c:8602\n devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147\n inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979\n sock_do_ioctl+0xcc/0x230 net/socket.c:1169\n sock_ioctl+0x1f8/0x680 net/socket.c:1286\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and\nremove the USB_DIR_IN flag.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52742" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52743", + "dataSource": "https://ubuntu.com/security/CVE-2023-52743", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52743" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52743", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52743", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1ad4112c9fcf0bc08222b2b1614fba52ffd12255", + "https://git.kernel.org/stable/c/4d159f7884f78b1aacb99b4fc37d1e3cb1194e39", + "https://git.kernel.org/stable/c/87a5e3fc8416106e290c448fc8a6dd50ab24c634", + "https://git.kernel.org/stable/c/ca834a017851c50464c25a85f3cb2daefff7bede", + "https://git.kernel.org/stable/c/df59e05401450973c8c7e96fd74b49e24442dc1f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nWhen both ice and the irdma driver are loaded, a warning in\ncheck_flush_dependency is being triggered. This is due to ice driver\nworkqueue being allocated with the WQ_MEM_RECLAIM flag and the irdma one\nis not.\n\nAccording to kernel documentation, this flag should be set if the\nworkqueue will be involved in the kernel's memory reclamation flow.\nSince it is not, there is no need for the ice driver's WQ to have this\nflag set so remove it.\n\nExample trace:\n\n[ +0.000004] workqueue: WQ_MEM_RECLAIM ice:ice_service_task [ice] is flushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000139] WARNING: CPU: 0 PID: 728 at kernel/workqueue.c:2632 check_flush_dependency+0x178/0x1a0\n[ +0.000011] Modules linked in: bonding tls xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_cha\nin_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rfkill vfat fat intel_rapl_msr intel\n_rapl_common isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct1\n0dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_\ncore_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_cm iw_cm iTCO_wdt iTCO_vendor_support ipmi_ssif irdma mei_me ib_uverbs\nib_core intel_uncore joydev pcspkr i2c_i801 acpi_ipmi mei lpc_ich i2c_smbus intel_pch_thermal ioatdma ipmi_si acpi_power_meter\nacpi_pad xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ahci ixgbe libahci ice i40e igb crc32c_intel mdio i2c_algo_bit liba\nta dca wmi dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ +0.000161] [last unloaded: bonding]\n[ +0.000006] CPU: 0 PID: 728 Comm: kworker/0:2 Tainted: G S 6.2.0-rc2_next-queue-13jan-00458-gc20aabd57164 #1\n[ +0.000006] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020\n[ +0.000003] Workqueue: ice ice_service_task [ice]\n[ +0.000127] RIP: 0010:check_flush_dependency+0x178/0x1a0\n[ +0.000005] Code: 89 8e 02 01 e8 49 3d 40 00 49 8b 55 18 48 8d 8d d0 00 00 00 48 8d b3 d0 00 00 00 4d 89 e0 48 c7 c7 e0 3b 08\n9f e8 bb d3 07 01 <0f> 0b e9 be fe ff ff 80 3d 24 89 8e 02 00 0f 85 6b ff ff ff e9 06\n[ +0.000004] RSP: 0018:ffff88810a39f990 EFLAGS: 00010282\n[ +0.000005] RAX: 0000000000000000 RBX: ffff888141bc2400 RCX: 0000000000000000\n[ +0.000004] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffa1213a80\n[ +0.000003] RBP: ffff888194bf3400 R08: ffffed117b306112 R09: ffffed117b306112\n[ +0.000003] R10: ffff888bd983088b R11: ffffed117b306111 R12: 0000000000000000\n[ +0.000003] R13: ffff888111f84d00 R14: ffff88810a3943ac R15: ffff888194bf3400\n[ +0.000004] FS: 0000000000000000(0000) GS:ffff888bd9800000(0000) knlGS:0000000000000000\n[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000003] CR2: 000056035b208b60 CR3: 000000017795e005 CR4: 00000000007706f0\n[ +0.000003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ +0.000003] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ +0.000002] PKRU: 55555554\n[ +0.000003] Call Trace:\n[ +0.000002] \n[ +0.000003] __flush_workqueue+0x203/0x840\n[ +0.000006] ? mutex_unlock+0x84/0xd0\n[ +0.000008] ? __pfx_mutex_unlock+0x10/0x10\n[ +0.000004] ? __pfx___flush_workqueue+0x10/0x10\n[ +0.000006] ? mutex_lock+0xa3/0xf0\n[ +0.000005] ib_cache_cleanup_one+0x39/0x190 [ib_core]\n[ +0.000174] __ib_unregister_device+0x84/0xf0 [ib_core]\n[ +0.000094] ib_unregister_device+0x25/0x30 [ib_core]\n[ +0.000093] irdma_ib_unregister_device+0x97/0xc0 [irdma]\n[ +0.000064] ? __pfx_irdma_ib_unregister_device+0x10/0x10 [irdma]\n[ +0.000059] ? up_write+0x5c/0x90\n[ +0.000005] irdma_remove+0x36/0x90 [irdma]\n[ +0.000062] auxiliary_bus_remove+0x32/0x50\n[ +0.000007] device_r\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52743" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52744", + "dataSource": "https://ubuntu.com/security/CVE-2023-52744", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52744" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52744", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52744", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/360682fe7df262d94fae54f737c487bec0f9190d", + "https://git.kernel.org/stable/c/5d9745cead1f121974322b94ceadfb4d1e67960e", + "https://git.kernel.org/stable/c/8f5fe1cd8e6a97f94840b55f59ed08cbc397086f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix potential NULL-ptr-dereference\n\nin_dev_get() can return NULL which will cause a failure once idev is\ndereferenced in in_dev_for_each_ifa_rtnl(). This patch adds a\ncheck for NULL value in idev beforehand.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52744" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52745", + "dataSource": "https://ubuntu.com/security/CVE-2023-52745", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52745" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52745", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52745", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b4ef90cbcfa603b3bb536fbd6f261197012b6f6", + "https://git.kernel.org/stable/c/4a779187db39b2f32d048a752573e56e4e77807f", + "https://git.kernel.org/stable/c/7197460dcd43ff0e4a502ba855dd82d37c2848cc", + "https://git.kernel.org/stable/c/b1afb666c32931667c15ad1b58e7203f0119dcaf", + "https://git.kernel.org/stable/c/e632291a2dbce45a24cddeb5fe28fe71d724ba43" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/IPoIB: Fix legacy IPoIB due to wrong number of queues\n\nThe cited commit creates child PKEY interfaces over netlink will\nmultiple tx and rx queues, but some devices doesn't support more than 1\ntx and 1 rx queues. This causes to a crash when traffic is sent over the\nPKEY interface due to the parent having a single queue but the child\nhaving multiple queues.\n\nThis patch fixes the number of queues to 1 for legacy IPoIB at the\nearliest possible point in time.\n\nBUG: kernel NULL pointer dereference, address: 000000000000036b\nPGD 0 P4D 0\nOops: 0000 [#1] SMP\nCPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:kmem_cache_alloc+0xcb/0x450\nCode: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a\n01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b\nRSP: 0018:ffff88822acbbab8 EFLAGS: 00010202\nRAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae\nRDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00\nRBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40\nR10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000\nR13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000\nFS: 00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n skb_clone+0x55/0xd0\n ip6_finish_output2+0x3fe/0x690\n ip6_finish_output+0xfa/0x310\n ip6_send_skb+0x1e/0x60\n udp_v6_send_skb+0x1e5/0x420\n udpv6_sendmsg+0xb3c/0xe60\n ? ip_mc_finish_output+0x180/0x180\n ? __switch_to_asm+0x3a/0x60\n ? __switch_to_asm+0x34/0x60\n sock_sendmsg+0x33/0x40\n __sys_sendto+0x103/0x160\n ? _copy_to_user+0x21/0x30\n ? kvm_clock_get_cycles+0xd/0x10\n ? ktime_get_ts64+0x49/0xe0\n __x64_sys_sendto+0x25/0x30\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f9374f1ed14\nCode: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b\n7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b\nRSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14\nRDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030\nRBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\nR13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52745" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52746", + "dataSource": "https://ubuntu.com/security/CVE-2023-52746", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52746" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52746", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52746", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/419674224390fca298020fc0751a20812f84b12d", + "https://git.kernel.org/stable/c/5dc688fae6b7be9dbbf5304a3d2520d038e06db5", + "https://git.kernel.org/stable/c/a893cc644812728e86e9aff517fd5698812ecef0", + "https://git.kernel.org/stable/c/b6ee896385380aa621102e8ea402ba12db1cabff" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()\n\n int type = nla_type(nla);\n\n if (type > XFRMA_MAX) {\n return -EOPNOTSUPP;\n }\n\n@type is then used as an array index and can be used\nas a Spectre v1 gadget.\n\n if (nla_len(nla) < compat_policy[type].len) {\n\narray_index_nospec() can be used to prevent leaking\ncontent of kernel memory to malicious users.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52746" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52747", + "dataSource": "https://ubuntu.com/security/CVE-2023-52747", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52747" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52747", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52747", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00d9e212b8a39e6ffcf31b9d2e503d2bf6009d45", + "https://git.kernel.org/stable/c/0a4f811f2e5d07bbd0c9226f4afb0a1270a831ae", + "https://git.kernel.org/stable/c/6601fc0d15ffc20654e39486f9bef35567106d68", + "https://git.kernel.org/stable/c/7896accedf5bf1277d2f305718e36dc8bac7e321", + "https://git.kernel.org/stable/c/79b595d9591426156a9e0635a5b5115508a36fef", + "https://git.kernel.org/stable/c/9bae58d58b6bb73b572356b31a62d2afc7378d12" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Restore allocated resources on failed copyout\n\nFix a resource leak if an error occurs.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52747" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52748", + "dataSource": "https://ubuntu.com/security/CVE-2023-52748", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52748" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52748", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52748", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3eebe636cac53886bd5d1cdd55e082ec9e84983f", + "https://git.kernel.org/stable/c/526dd7540a09ecf87b5f54f3ab4e0a2528f25a79", + "https://git.kernel.org/stable/c/6fca08fd3085253b48fcb1bd243a0a5e18821a00", + "https://git.kernel.org/stable/c/c041f5ddef00c731c541e00bc8ae97b8c84c682f", + "https://git.kernel.org/stable/c/e0d4e8acb3789c5a8651061fbab62ca24a45c063", + "https://git.kernel.org/stable/c/e4088d7d8f1123006d46a42edf51b8c960a58ef9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: avoid format-overflow warning\n\nWith gcc and W=1 option, there's a warning like this:\n\nfs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:\nfs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between\n1 and 7 bytes into a region of size between 5 and 8\n[-Werror=format-overflow=]\n 1984 | sprintf(slab_name, \"f2fs_page_array_entry-%u:%u\", MAJOR(dev),\n\t\tMINOR(dev));\n | ^~\n\nString \"f2fs_page_array_entry-%u:%u\" can up to 35. The first \"%u\" can up\nto 4 and the second \"%u\" can up to 7, so total size is \"24 + 4 + 7 = 35\".\nslab_name's size should be 35 rather than 32.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52748" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52749", + "dataSource": "https://ubuntu.com/security/CVE-2023-52749", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52749" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52749", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52749", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4ec4508db97502a12daee88c74782e8d35ced068", + "https://git.kernel.org/stable/c/96474ea47dc67b0704392d59192b233c8197db0e", + "https://git.kernel.org/stable/c/bef4a48f4ef798c4feddf045d49e53c8a97d5e37" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix null dereference on suspend\n\nA race condition exists where a synchronous (noqueue) transfer can be\nactive during a system suspend. This can cause a null pointer\ndereference exception to occur when the system resumes.\n\nExample order of events leading to the exception:\n1. spi_sync() calls __spi_transfer_message_noqueue() which sets\n ctlr->cur_msg\n2. Spi transfer begins via spi_transfer_one_message()\n3. System is suspended interrupting the transfer context\n4. System is resumed\n6. spi_controller_resume() calls spi_start_queue() which resets cur_msg\n to NULL\n7. Spi transfer context resumes and spi_finalize_current_message() is\n called which dereferences cur_msg (which is now NULL)\n\nWait for synchronous transfers to complete before suspending by\nacquiring the bus mutex and setting/checking a suspend flag.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52749" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52750", + "dataSource": "https://ubuntu.com/security/CVE-2023-52750", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52750" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52750", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52750", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/146a15b873353f8ac28dc281c139ff611a3c4848", + "https://git.kernel.org/stable/c/69e619d2fd056fe1f5d0adf01584f2da669e0d28", + "https://git.kernel.org/stable/c/936c9c10efaefaf1ab3ef020e1f8aaaaff1ad2f9", + "https://git.kernel.org/stable/c/bd31e534721ab95ef237020fe6995c899ffdf21a", + "https://git.kernel.org/stable/c/d08a1e75253b4e19ae290b1c35349f12cfcebc0a", + "https://git.kernel.org/stable/c/ef0224ee5399ea8a46bc07dc6c6494961ed5fdd2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer\n\nPrior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly\nbyte-swap NOP when compiling for big-endian, and the resulting series of\nbytes happened to match the encoding of FNMADD S21, S30, S0, S0.\n\nThis went unnoticed until commit:\n\n 34f66c4c4d5518c1 (\"arm64: Use a positive cpucap for FP/SIMD\")\n\nPrior to that commit, the kernel would always enable the use of FPSIMD\nearly in boot when __cpu_setup() initialized CPACR_EL1, and so usage of\nFNMADD within the kernel was not detected, but could result in the\ncorruption of user or kernel FPSIMD state.\n\nAfter that commit, the instructions happen to trap during boot prior to\nFPSIMD being detected and enabled, e.g.\n\n| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : __pi_strcmp+0x1c/0x150\n| lr : populate_properties+0xe4/0x254\n| sp : ffffd014173d3ad0\n| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000\n| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008\n| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044\n| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005\n| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000\n| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000\n| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000\n| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000\n| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a\n| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8\n| Kernel panic - not syncing: Unhandled exception\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| Call trace:\n| dump_backtrace+0xec/0x108\n| show_stack+0x18/0x2c\n| dump_stack_lvl+0x50/0x68\n| dump_stack+0x18/0x24\n| panic+0x13c/0x340\n| el1t_64_irq_handler+0x0/0x1c\n| el1_abort+0x0/0x5c\n| el1h_64_sync+0x64/0x68\n| __pi_strcmp+0x1c/0x150\n| unflatten_dt_nodes+0x1e8/0x2d8\n| __unflatten_device_tree+0x5c/0x15c\n| unflatten_device_tree+0x38/0x50\n| setup_arch+0x164/0x1e0\n| start_kernel+0x64/0x38c\n| __primary_switched+0xbc/0xc4\n\nRestrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is\neither GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked\ncommit.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52750" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52751", + "dataSource": "https://ubuntu.com/security/CVE-2023-52751", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52751" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52751", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52751", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b", + "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9", + "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in smb2_query_info_compound()\n\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\n\n BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\n Read of size 8 at addr ffff888014941048 by task xfs_io/27534\n\n CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x4a/0x80\n print_report+0xcf/0x650\n ? srso_alias_return_thunk+0x5/0x7f\n ? srso_alias_return_thunk+0x5/0x7f\n ? __phys_addr+0x46/0x90\n kasan_report+0xda/0x110\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __stack_depot_save+0x39/0x480\n ? kasan_save_stack+0x33/0x60\n ? kasan_set_track+0x25/0x30\n ? ____kasan_slab_free+0x126/0x170\n smb2_queryfs+0xc2/0x2c0 [cifs]\n ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n smb311_queryfs+0x210/0x220 [cifs]\n ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __lock_acquire+0x480/0x26c0\n ? lock_release+0x1ed/0x640\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_raw_spin_unlock+0x9b/0x100\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n ? __pfx___do_sys_fstatfs+0x10/0x10\n ? srso_alias_return_thunk+0x5/0x7f\n ? lockdep_hardirqs_on_prepare+0x136/0x200\n ? srso_alias_return_thunk+0x5/0x7f\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x8f/0xa0\n open_cached_dir+0x71b/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n smb311_queryfs+0x210/0x220 [cifs]\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2b/0x50\n ____kasan_slab_free+0x126/0x170\n slab_free_freelist_hook+0xd0/0x1e0\n __kmem_cache_free+0x9d/0x1b0\n open_cached_dir+0xff5/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it. And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\n\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\n\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\n CIFS: VFS: Dump pending requests:\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n ...\n\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid. And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52751" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52752", + "dataSource": "https://ubuntu.com/security/CVE-2023-52752", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52752" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52752", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52752", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0ab6f842452ce2cae04209d4671ac6289d0aef8a", + "https://git.kernel.org/stable/c/558817597d5fbd7af31f891b67b0fd20f0d047b7", + "https://git.kernel.org/stable/c/89929ea46f9cc11ba66d2c64713aa5d5dc723b09", + "https://git.kernel.org/stable/c/d328c09ee9f15ee5a26431f5aad7c9239fa85e62" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free bug in cifs_debug_data_proc_show()\n\nSkip SMB sessions that are being teared down\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\nto avoid use-after-free in @ses.\n\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\nwhile mounting and umounting\n\n [ 816.251274] general protection fault, probably for non-canonical\n address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\n ...\n [ 816.260138] Call Trace:\n [ 816.260329] \n [ 816.260499] ? die_addr+0x36/0x90\n [ 816.260762] ? exc_general_protection+0x1b3/0x410\n [ 816.261126] ? asm_exc_general_protection+0x26/0x30\n [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs]\n [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs]\n [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\n [ 816.262689] ? seq_read_iter+0x379/0x470\n [ 816.262995] seq_read_iter+0x118/0x470\n [ 816.263291] proc_reg_read_iter+0x53/0x90\n [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f\n [ 816.263945] vfs_read+0x201/0x350\n [ 816.264211] ksys_read+0x75/0x100\n [ 816.264472] do_syscall_64+0x3f/0x90\n [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n [ 816.265135] RIP: 0033:0x7fd5e669d381", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2023-52752" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52753", + "dataSource": "https://ubuntu.com/security/CVE-2023-52753", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52753" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52753", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52753", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/09909f515032fa80b921fd3118efe66b185d10fd", + "https://git.kernel.org/stable/c/4e497f1acd99075b13605b2e7fa0cba721a2cfd9", + "https://git.kernel.org/stable/c/6d8653b1a7a8dc938b566ae8c4f373b36e792c68", + "https://git.kernel.org/stable/c/79b6a90f4f2433312154cd68452b0ba501fa74db", + "https://git.kernel.org/stable/c/8a06894666e0b462c9316b26ab615cefdd0d676c", + "https://git.kernel.org/stable/c/b1904ed480cee3f9f4036ea0e36d139cb5fee2d6", + "https://git.kernel.org/stable/c/df8bc953eed72371e43ca407bd063507f760cf89", + "https://git.kernel.org/stable/c/eac3e4760aa12159f7f5475d55a67b7933abc195" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid NULL dereference of timing generator\n\n[Why & How]\nCheck whether assigned timing generator is NULL or not before\naccessing its funcs to prevent NULL dereference.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52753" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52754", + "dataSource": "https://ubuntu.com/security/CVE-2023-52754", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52754" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52754", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52754", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f5068519f89d928d6c51100e4b274479123829f", + "https://git.kernel.org/stable/c/10ec5a97f8f5a772a1a42b4eb27196b447cd3aa9", + "https://git.kernel.org/stable/c/2a493a34bd6e496c55fabedd82b957193ace178f", + "https://git.kernel.org/stable/c/5e0b788fb96be36d1baf1a5c88d09c7c82a0452a", + "https://git.kernel.org/stable/c/a1766a4fd83befa0b34d932d532e7ebb7fab1fa7", + "https://git.kernel.org/stable/c/b083aaf5db2eeca9e362723258e5d8698f7dd84e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imon: fix access to invalid resource for the second interface\n\nimon driver probes two USB interfaces, and at the probe of the second\ninterface, the driver assumes blindly that the first interface got\nbound with the same imon driver. It's usually true, but it's still\npossible that the first interface is bound with another driver via a\nmalformed descriptor. Then it may lead to a memory corruption, as\nspotted by syzkaller; imon driver accesses the data from drvdata as\nstruct imon_context object although it's a completely different one\nthat was assigned by another driver.\n\nThis patch adds a sanity check -- whether the first interface is\nreally bound with the imon driver or not -- for avoiding the problem\nabove at the probe time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52754" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52755", + "dataSource": "https://ubuntu.com/security/CVE-2023-52755", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52755" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52755", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52755", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/09d9d8b40a3338193619c14ed4dc040f4f119e70", + "https://git.kernel.org/stable/c/712e01f32e577e7e48ab0adb5fe550646a3d93cb", + "https://git.kernel.org/stable/c/8387c94d73ec66eb597c7a23a8d9eadf64bfbafa", + "https://git.kernel.org/stable/c/aaf0a07d60887d6c36fc46a24de0083744f07819", + "https://git.kernel.org/stable/c/eebff19acaa35820cb09ce2ccb3d21bee2156ffb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab out of bounds write in smb_inherit_dacl()\n\nslab out-of-bounds write is caused by that offsets is bigger than pntsd\nallocation size. This patch add the check to validate 3 offsets using\nallocation size.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52755" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52756", + "dataSource": "https://ubuntu.com/security/CVE-2023-52756", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52756" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52756", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52756", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52756" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52757", + "dataSource": "https://ubuntu.com/security/CVE-2023-52757", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52757" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52757", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52757", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29", + "https://git.kernel.org/stable/c/b9bb9607b1fc12fca51f5632da25b36975f599bf", + "https://git.kernel.org/stable/c/c1a5962f1462b64fe7b69f20a4b6af8067bc2d26", + "https://git.kernel.org/stable/c/e6322fd177c6885a21dd4609dc5e5c973d1a2eb7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential deadlock when releasing mids\n\nAll release_mid() callers seem to hold a reference of @mid so there is\nno need to call kref_put(&mid->refcount, __release_mid) under\n@server->mid_lock spinlock. If they don't, then an use-after-free bug\nwould have occurred anyways.\n\nBy getting rid of such spinlock also fixes a potential deadlock as\nshown below\n\nCPU 0 CPU 1\n------------------------------------------------------------------\ncifs_demultiplex_thread() cifs_debug_data_proc_show()\n release_mid()\n spin_lock(&server->mid_lock);\n spin_lock(&cifs_tcp_ses_lock)\n\t\t\t\t spin_lock(&server->mid_lock)\n __release_mid()\n smb2_find_smb_tcon()\n spin_lock(&cifs_tcp_ses_lock) *deadlock*", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52757" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52759", + "dataSource": "https://ubuntu.com/security/CVE-2023-52759", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52759" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52759", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52759", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/119565e566f91ff3588ffcd5812f0c8061586c6b", + "https://git.kernel.org/stable/c/1c28dace66015b675a343b89b0c87abbfda05ff4", + "https://git.kernel.org/stable/c/212f112fe5e90e98eb8d48585682880dae139f4c", + "https://git.kernel.org/stable/c/2a054b87a1b799b391e578597a42ee6e57a987ae", + "https://git.kernel.org/stable/c/2bb42a27a92ff3984c9fa5fbe128eced3ea693f2", + "https://git.kernel.org/stable/c/4c6a08125f2249531ec01783a5f4317d7342add5", + "https://git.kernel.org/stable/c/53fc16c1ad84f5467ec24341670b63aa759335d3", + "https://git.kernel.org/stable/c/5bfda356e903633d16ae1bac1ee38364e12628a3", + "https://git.kernel.org/stable/c/b4deec69fe32b58dc5fb4ace52456ece85b75561" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: ignore negated quota changes\n\nWhen lots of quota changes are made, there may be cases in which an\ninode's quota information is increased and then decreased, such as when\nblocks are added to a file, then deleted from it. If the timing is\nright, function do_qc can add pending quota changes to a transaction,\nthen later, another call to do_qc can negate those changes, resulting\nin a net gain of 0. The quota_change information is recorded in the qc\nbuffer (and qd element of the inode as well). The buffer is added to the\ntransaction by the first call to do_qc, but a subsequent call changes\nthe value from non-zero back to zero. At that point it's too late to\nremove the buffer_head from the transaction. Later, when the quota sync\ncode is called, the zero-change qd element is discovered and flagged as\nan assert warning. If the fs is mounted with errors=panic, the kernel\nwill panic.\n\nThis is usually seen when files are truncated and the quota changes are\nnegated by punch_hole/truncate which uses gfs2_quota_hold and\ngfs2_quota_unhold rather than block allocations that use gfs2_quota_lock\nand gfs2_quota_unlock which automatically do quota sync.\n\nThis patch solves the problem by adding a check to qd_check_sync such\nthat net-zero quota changes already added to the transaction are no\nlonger deemed necessary to be synced, and skipped.\n\nIn this case references are taken for the qd and the slot from do_qc\nso those need to be put. The normal sequence of events for a normal\nnon-zero quota change is as follows:\n\ngfs2_quota_change\n do_qc\n qd_hold\n slot_hold\n\nLater, when the changes are to be synced:\n\ngfs2_quota_sync\n qd_fish\n qd_check_sync\n gets qd ref via lockref_get_not_dead\n do_sync\n do_qc(QC_SYNC)\n qd_put\n\t lockref_put_or_lock\n qd_unlock\n qd_put\n lockref_put_or_lock\n\nIn the net-zero change case, we add a check to qd_check_sync so it puts\nthe qd and slot references acquired in gfs2_quota_change and skip the\nunneeded sync.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52759" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52760", + "dataSource": "https://ubuntu.com/security/CVE-2023-52760", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52760" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52760", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52760", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81", + "https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba", + "https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\n\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\n\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\n\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2023-52760" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52761", + "dataSource": "https://ubuntu.com/security/CVE-2023-52761", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52761" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52761", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52761", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788", + "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76", + "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n located using per-cpu asm macro. Computing per-cpu symbol requires\n a temporary register. x31 is saved away into CSR_SCRATCH\n (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [] dump_backtrace+0x30/0x38\n [] show_stack+0x40/0x4c\n [] dump_stack_lvl+0x44/0x5c\n [] dump_stack+0x18/0x20\n [] panic+0x126/0x2fe\n [] walk_stackframe+0x0/0xf0\n [] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52761" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52762", + "dataSource": "https://ubuntu.com/security/CVE-2023-52762", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52762" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52762", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52762", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/017278f141141367f7d14b203e930b45b6ffffb9", + "https://git.kernel.org/stable/c/472bd4787406bef2e8b41ee4c74d960a06a49a48", + "https://git.kernel.org/stable/c/72775cad7f572bb2501f9ea609e1d20e68f0b38b", + "https://git.kernel.org/stable/c/d667fe301dcbcb12d1d6494fc4b8abee2cb75d90", + "https://git.kernel.org/stable/c/fafb51a67fb883eb2dde352539df939a251851be" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: fix implicit overflow on virtio_max_dma_size\n\nThe following codes have an implicit conversion from size_t to u32:\n(u32)max_size = (size_t)virtio_max_dma_size(vdev);\n\nThis may lead overflow, Ex (size_t)4G -> (u32)0. Once\nvirtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX\ninstead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52762" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52763", + "dataSource": "https://ubuntu.com/security/CVE-2023-52763", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52763" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52763", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52763", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39c71357e68e2f03766f9321b9f4882e49ff1442", + "https://git.kernel.org/stable/c/3cb79a365e7cce8f121bba91312e2ddd206b9781", + "https://git.kernel.org/stable/c/b53e9758a31c683fc8615df930262192ed5f034b", + "https://git.kernel.org/stable/c/e64d23dc65810be4e3395d72df0c398f60c991f9", + "https://git.kernel.org/stable/c/eed74230435c61eeb58abaa275b1820e6a4b7f02" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.\n\nThe `i3c_master_bus_init` function may attach the I2C devices before the\nI3C bus initialization. In this flow, the DAT `alloc_entry`` will be used\nbefore the DAT `init`. Additionally, if the `i3c_master_bus_init` fails,\nthe DAT `cleanup` will execute before the device is detached, which will\nexecue DAT `free_entry` function. The above scenario can cause the driver\nto use DAT_data when it is NULL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52763" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52764", + "dataSource": "https://ubuntu.com/security/CVE-2023-52764", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52764" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52764", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52764", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/099be1822d1f095433f4b08af9cc9d6308ec1953", + "https://git.kernel.org/stable/c/09cd8b561aa9796903710a1046957f2b112c8f26", + "https://git.kernel.org/stable/c/2eee8edfff90e22980a6b22079d238c3c9d323bb", + "https://git.kernel.org/stable/c/69bba62600bd91d6b7c1e8ca181faf8ac64f7060", + "https://git.kernel.org/stable/c/8f83c85ee88225319c52680792320c02158c2a9b", + "https://git.kernel.org/stable/c/93bddd6529f187f510eec759f37d0569243c9809", + "https://git.kernel.org/stable/c/a647f27a7426d2fe1b40da7c8fa2b81354a51177", + "https://git.kernel.org/stable/c/c6b6b8692218da73b33b310d7c1df90f115bdd9a", + "https://git.kernel.org/stable/c/e2d7149b913d14352c82624e723ce1c211ca06d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: gspca: cpia1: shift-out-of-bounds in set_flicker\n\nSyzkaller reported the following issue:\nUBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27\nshift exponent 245 is too large for 32-bit type 'int'\n\nWhen the value of the variable \"sd->params.exposure.gain\" exceeds the\nnumber of bits in an integer, a shift-out-of-bounds error is reported. It\nis triggered because the variable \"currentexp\" cannot be left-shifted by\nmore than the number of bits in an integer. In order to avoid invalid\nrange during left-shift, the conditional expression is added.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52764" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52766", + "dataSource": "https://ubuntu.com/security/CVE-2023-52766", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52766" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52766", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52766", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/45a832f989e520095429589d5b01b0c65da9b574", + "https://git.kernel.org/stable/c/4c86cb2321bd9c72d3b945ce7f747961beda8e65", + "https://git.kernel.org/stable/c/7c2b91b30d74d7c407118ad72502d4ca28af1af6", + "https://git.kernel.org/stable/c/8be39f66915b40d26ea2c18ba84b5c3d5da6809b", + "https://git.kernel.org/stable/c/d23ad76f240c0f597b7a9eb79905d246f27d40df" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler\n\nDo not loop over ring headers in hci_dma_irq_handler() that are not\nallocated and enabled in hci_dma_init(). Otherwise out of bounds access\nwill occur from rings->headers[i] access when i >= number of allocated\nring headers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52766" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52768", + "dataSource": "https://ubuntu.com/security/CVE-2023-52768", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52768" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52768", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52768", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/05ac1a198a63ad66bf5ae8b7321407c102d40ef3", + "https://git.kernel.org/stable/c/3ce1c2c3999b232258f7aabab311d47dda75605c", + "https://git.kernel.org/stable/c/4b0d6ddb6466d10df878a7787f175a0e4adc3e27", + "https://git.kernel.org/stable/c/541b3757fd443a68ed8d25968eae511a8275e7c8", + "https://git.kernel.org/stable/c/6aaf7cd8bdfe245d3c9a8b48fe70c2011965948e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: use vmm_table as array in wilc struct\n\nEnabling KASAN and running some iperf tests raises some memory issues with\nvmm_table:\n\nBUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4\nWrite of size 4 at addr c3a61540 by task wlan0-tx/95\n\nKASAN detects that we are writing data beyond range allocated to vmm_table.\nThere is indeed a mismatch between the size passed to allocator in\nwilc_wlan_init, and the range of possible indexes used later: allocation\nsize is missing a multiplication by sizeof(u32)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52768" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52772", + "dataSource": "https://ubuntu.com/security/CVE-2023-52772", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52772" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52772", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52772", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/069a3ec329ff43e7869a3d94c62cd03203016bce", + "https://git.kernel.org/stable/c/4b7b492615cf3017190f55444f7016812b66611d", + "https://git.kernel.org/stable/c/75bcfc188abf4fae9c1d5f5dc0a03540be602eef", + "https://git.kernel.org/stable/c/d179189eec426fe4801e4b91efa1889faed12700", + "https://git.kernel.org/stable/c/eae0b295ce16d8c8b4114c3037993191b4bb92f0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: fix use-after-free in unix_stream_read_actor()\n\nsyzbot reported the following crash [1]\n\nAfter releasing unix socket lock, u->oob_skb can be changed\nby another thread. We must temporarily increase skb refcount\nto make sure this other thread will not free the skb under us.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nRead of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297\n\nCPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:364 [inline]\nprint_report+0xc4/0x620 mm/kasan/report.c:475\nkasan_report+0xda/0x110 mm/kasan/report.c:588\nunix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nunix_stream_recv_urg net/unix/af_unix.c:2587 [inline]\nunix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666\nunix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903\nsock_recvmsg_nosec net/socket.c:1044 [inline]\nsock_recvmsg+0xe2/0x170 net/socket.c:1066\n____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803\n___sys_recvmsg+0x115/0x1a0 net/socket.c:2845\n__sys_recvmsg+0x114/0x1e0 net/socket.c:2875\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fc67492c559\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559\nRDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004\nRBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340\nR13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388\n\n\nAllocated by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328\nkasan_slab_alloc include/linux/kasan.h:188 [inline]\nslab_post_alloc_hook mm/slab.h:763 [inline]\nslab_alloc_node mm/slub.c:3478 [inline]\nkmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523\n__alloc_skb+0x287/0x330 net/core/skbuff.c:641\nalloc_skb include/linux/skbuff.h:1286 [inline]\nalloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331\nsock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780\nsock_alloc_send_skb include/net/sock.h:1884 [inline]\nqueue_oob net/unix/af_unix.c:2147 [inline]\nunix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n__sys_sendmsg+0x117/0x1e0 net/socket.c:2667\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFreed by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200\nkasan_slab_free include/linux/kasan.h:164 [inline]\nslab_free_hook mm/slub.c:1800 [inline]\nslab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826\nslab_free mm/slub.c:3809 [inline]\nkmem_cache_free+0xf8/0x340 mm/slub.c:3831\nkfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015\n__kfree_skb net/core/skbuff.c:1073 [inline]\nconsume_skb net/core/skbuff.c:1288 [inline]\nconsume_skb+0xdf/0x170 net/core/skbuff.c:1282\nqueue_oob net/unix/af_unix.c:2178 [inline]\nu\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52772" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52774", + "dataSource": "https://ubuntu.com/security/CVE-2023-52774", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52774" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52774", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52774", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6062c527d0403cef27c54b91ac8390c3a497b250", + "https://git.kernel.org/stable/c/9372aab5d0ff621ea203c8c603e7e5f75e888240", + "https://git.kernel.org/stable/c/c841de6247e94e07566d57163d3c0d8b29278f7a", + "https://git.kernel.org/stable/c/db46cd1e0426f52999d50fa72cfa97fa39952885", + "https://git.kernel.org/stable/c/dc96fde8fcb2b896fd6c64802a7f4ece2e69b0be", + "https://git.kernel.org/stable/c/ebdc569a07a3e8dbe66b4184922ad6f88ac0b96f", + "https://git.kernel.org/stable/c/f1ac7789406e2ca9ac51c41ad2daa597f47bdd4d", + "https://git.kernel.org/stable/c/f75617cc8df4155374132f0b500b0b3ebb967458" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: protect device queue against concurrent access\n\nIn dasd_profile_start() the amount of requests on the device queue are\ncounted. The access to the device queue is unprotected against\nconcurrent access. With a lot of parallel I/O, especially with alias\ndevices enabled, the device queue can change while dasd_profile_start()\nis accessing the queue. In the worst case this leads to a kernel panic\ndue to incorrect pointer accesses.\n\nFix this by taking the device lock before accessing the queue and\ncounting the requests. Additionally the check for a valid profile data\npointer can be done earlier to avoid unnecessary locking in a hot path.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52774" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52775", + "dataSource": "https://ubuntu.com/security/CVE-2023-52775", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52775" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52775", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52775", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c", + "https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1", + "https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c", + "https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add", + "https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: avoid data corruption caused by decline\n\nWe found a data corruption issue during testing of SMC-R on Redis\napplications.\n\nThe benchmark has a low probability of reporting a strange error as\nshown below.\n\n\"Error: Protocol error, got \"\\xe2\" as reply type byte\"\n\nFinally, we found that the retrieved error data was as follows:\n\n0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C\n0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00\n0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2\n\nIt is quite obvious that this is a SMC DECLINE message, which means that\nthe applications received SMC protocol message.\nWe found that this was caused by the following situations:\n\nclient server\n ¦ clc proposal\n ------------->\n ¦ clc accept\n <-------------\n ¦ clc confirm\n ------------->\nwait llc confirm\n\t\t\tsend llc confirm\n ¦failed llc confirm\n ¦ x------\n(after 2s)timeout\n wait llc confirm rsp\n\nwait decline\n\n(after 1s) timeout\n (after 2s) timeout\n ¦ decline\n -------------->\n ¦ decline\n <--------------\n\nAs a result, a decline message was sent in the implementation, and this\nmessage was read from TCP by the already-fallback connection.\n\nThis patch double the client timeout as 2x of the server value,\nWith this simple change, the Decline messages should never cross or\ncollide (during Confirm link timeout).\n\nThis issue requires an immediate solution, since the protocol updates\ninvolve a more long-term solution.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52775" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52781", + "dataSource": "https://ubuntu.com/security/CVE-2023-52781", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52781" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52781", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52781", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/64c27b7b2357ddb38b6afebaf46d5bff4d250702", + "https://git.kernel.org/stable/c/7c0244cc311a4038505b73682b7c8ceaa5c7a8c8", + "https://git.kernel.org/stable/c/974bba5c118f4c2baf00de0356e3e4f7928b4cbc", + "https://git.kernel.org/stable/c/9ef94ec8e52eaf7b9abc5b5f8f5b911751112223", + "https://git.kernel.org/stable/c/f89fef7710b2ba0f7a1e46594e530dcf2f77be91" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: config: fix iteration issue in 'usb_get_bos_descriptor()'\n\nThe BOS descriptor defines a root descriptor and is the base descriptor for\naccessing a family of related descriptors.\n\nFunction 'usb_get_bos_descriptor()' encounters an iteration issue when\nskipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in\nthe same descriptor being read repeatedly.\n\nTo address this issue, a 'goto' statement is introduced to ensure that the\npointer and the amount read is updated correctly. This ensures that the\nfunction iterates to the next descriptor instead of reading the same\ndescriptor repeatedly.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52781" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52784", + "dataSource": "https://ubuntu.com/security/CVE-2023-52784", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52784" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52784", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52784", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19554aa901b5833787df4417a05ccdebf351b7f4", + "https://git.kernel.org/stable/c/396baca6683f415b5bc2b380289387bef1406edc", + "https://git.kernel.org/stable/c/3cffa2ddc4d3fcf70cde361236f5a614f81a09b2", + "https://git.kernel.org/stable/c/53064e8239dd2ecfefc5634e991f1025abc2ee0c", + "https://git.kernel.org/stable/c/87c49806a37f88eddde3f537c162fd0c2834170c", + "https://git.kernel.org/stable/c/b4f0e605a508f6d7cda6df2f03a0c676b778b1fe", + "https://git.kernel.org/stable/c/d98c91215a5748a0f536e7ccea26027005196859" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: stop the device in bond_setup_by_slave()\n\nCommit 9eed321cde22 (\"net: lapbether: only support ethernet devices\")\nhas been able to keep syzbot away from net/lapb, until today.\n\nIn the following splat [1], the issue is that a lapbether device has\nbeen created on a bonding device without members. Then adding a non\nARPHRD_ETHER member forced the bonding master to change its type.\n\nThe fix is to make sure we call dev_close() in bond_setup_by_slave()\nso that the potential linked lapbether devices (or any other devices\nhaving assumptions on the physical device) are removed.\n\nA similar bug has been addressed in commit 40baec225765\n(\"bonding: fix panic on non-ARPHRD_ETHER enslave failure\")\n\n[1]\nskbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0\nkernel BUG at net/core/skbuff.c:192 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : skb_panic net/core/skbuff.c:188 [inline]\npc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nlr : skb_panic net/core/skbuff.c:188 [inline]\nlr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nsp : ffff800096a06aa0\nx29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000\nx26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea\nx23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140\nx20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100\nx17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001\nx14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00\nx8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001\nx5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c\nx2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086\nCall trace:\nskb_panic net/core/skbuff.c:188 [inline]\nskb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nskb_push+0xf0/0x108 net/core/skbuff.c:2446\nip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384\ndev_hard_header include/linux/netdevice.h:3136 [inline]\nlapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257\nlapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447\nlapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149\nlapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251\n__lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326\nlapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\ndev_close+0x174/0x250 net/core/dev.c:1585\nlapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\ndev_close+0x174/0x250 net/core/dev.c:1585\nbond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332\nbond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539\ndev_ifsioc+0x754/0x9ac\ndev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786\nsock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217\nsock_ioctl+0x4e8/0x834 net/socket.c:1322\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52784" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52788", + "dataSource": "https://ubuntu.com/security/CVE-2023-52788", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52788" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52788", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52788", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10f49cdfd5fb342a1a9641930dc040c570694e98", + "https://git.kernel.org/stable/c/1566e8be73fd5fa424e88d2a4cffdc34f970f0e1", + "https://git.kernel.org/stable/c/471aa951bf1206d3c10d0daa67005b8e4db4ff83", + "https://git.kernel.org/stable/c/55db76caa782baa4a1bf02296e2773c38a524a3e", + "https://git.kernel.org/stable/c/bf8e105030083e7b71591cdf437e464bcd8a0c09" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni915/perf: Fix NULL deref bugs with drm_dbg() calls\n\nWhen i915 perf interface is not available dereferencing it will lead to\nNULL dereferences.\n\nAs returning -ENOTSUPP is pretty clear return when perf interface is not\navailable.\n\n[tursulin: added stable tag]\n(cherry picked from commit 36f27350ff745bd228ab04d7845dfbffc177a889)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52788" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52789", + "dataSource": "https://ubuntu.com/security/CVE-2023-52789", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52789" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52789", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52789", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/38cd56fc9de78bf3c878790785e8c231116ef9d3", + "https://git.kernel.org/stable/c/460284dfb10b207980c6f3f7046e33446ceb38ac", + "https://git.kernel.org/stable/c/4a24a31826246b15477399febd13292b0c9f0ee9", + "https://git.kernel.org/stable/c/4ef41a7f33ffe1a335e7db7e1564ddc6afad47cc", + "https://git.kernel.org/stable/c/6c80f48912b5bd4965352d1a9a989e21743a4a06", + "https://git.kernel.org/stable/c/7cebc86481bf16049e266f6774d90f2fd4f8d5d2", + "https://git.kernel.org/stable/c/8f8771757b130383732195497e47fba2aba76d3a", + "https://git.kernel.org/stable/c/909963e0c16778cec28efb1affc21558825f4200", + "https://git.kernel.org/stable/c/d81ffb87aaa75f842cd7aa57091810353755b3e6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: vcc: Add check for kstrdup() in vcc_probe()\n\nAdd check for the return value of kstrdup() and return the error, if it\nfails in order to avoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52789" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52791", + "dataSource": "https://ubuntu.com/security/CVE-2023-52791", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52791" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52791", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52791", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/185f3617adc8fe45e40489b458f03911f0dec46c", + "https://git.kernel.org/stable/c/25284c46b657f48c0f3880a2e0706c70d81182c0", + "https://git.kernel.org/stable/c/25eb381a736e7ae39a4245ef5c96484eb1073809", + "https://git.kernel.org/stable/c/3473cf43b9068b9dfef2f545f833f33c6a544b91", + "https://git.kernel.org/stable/c/8c3fa52a46ff4d208cefb1a462ec94e0043a91e1", + "https://git.kernel.org/stable/c/aa49c90894d06e18a1ee7c095edbd2f37c232d02", + "https://git.kernel.org/stable/c/f6237afabc349c1c7909db00e15d2816519e0d2b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: core: Run atomic i2c xfer when !preemptible\n\nSince bae1d3a05a8b, i2c transfers are non-atomic if preemption is\ndisabled. However, non-atomic i2c transfers require preemption (e.g. in\nwait_for_completion() while waiting for the DMA).\n\npanic() calls preempt_disable_notrace() before calling\nemergency_restart(). Therefore, if an i2c device is used for the\nrestart, the xfer should be atomic. This avoids warnings like:\n\n[ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0\n[ 12.676926] Voluntary context switch within RCU read-side critical section!\n...\n[ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114\n[ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70\n...\n[ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58\n[ 13.001050] machine_restart from panic+0x2a8/0x32c\n\nUse !preemptible() instead, which is basically the same check as\npre-v5.2.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52791" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52796", + "dataSource": "https://ubuntu.com/security/CVE-2023-52796", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52796" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52796", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52796", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03cddc4df8c6be47fd27c8f8b87e5f9a989e1458", + "https://git.kernel.org/stable/c/18f039428c7df183b09c69ebf10ffd4e521035d2", + "https://git.kernel.org/stable/c/1f64cad3ac38ac5978b53c40e6c5e6fd3477c68f", + "https://git.kernel.org/stable/c/43b781e7cb5cd0b435de276111953bf2bacd1f02", + "https://git.kernel.org/stable/c/4d2d30f0792b47908af64c4d02ed1ee25ff50542", + "https://git.kernel.org/stable/c/4f7f850611aa27aaaf1bf5687702ad2240ae442a", + "https://git.kernel.org/stable/c/732a67ca436887b594ebc43bb5a04ffb0971a760", + "https://git.kernel.org/stable/c/8872dc638c24bb774cd2224a69d72a7f661a4d56" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: add ipvlan_route_v6_outbound() helper\n\nInspired by syzbot reports using a stack of multiple ipvlan devices.\n\nReduce stack size needed in ipvlan_process_v6_outbound() by moving\nthe flowi6 struct used for the route lookup in an non inlined\nhelper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,\nimmediately reclaimed.\n\nAlso make sure ipvlan_process_v4_outbound() is not inlined.\n\nWe might also have to lower MAX_NEST_DEV, because only syzbot uses\nsetups with more than four stacked devices.\n\nBUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)\nstack guard page: 0000 [#1] SMP KASAN\nCPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nRIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188\nCode: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89\nRSP: 0018:ffffc9000e804000 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2\nRDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568\nRBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c\nR13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000\nFS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<#DF>\n\n\n[] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31\n[] instrument_atomic_read include/linux/instrumented.h:72 [inline]\n[] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n[] cpumask_test_cpu include/linux/cpumask.h:506 [inline]\n[] cpu_online include/linux/cpumask.h:1092 [inline]\n[] trace_lock_acquire include/trace/events/lock.h:24 [inline]\n[] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632\n[] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306\n[] rcu_read_lock include/linux/rcupdate.h:747 [inline]\n[] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221\n[] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606\n[] pol_lookup_func include/net/ip6_fib.h:584 [inline]\n[] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116\n[] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638\n[] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651\n[] ip6_route_output include/net/ip6_route.h:100 [inline]\n[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]\n[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\n[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n[] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\n[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]\n[] xmit_one net/core/dev.c:3644 [inline]\n[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\n[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\n[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]\n[] neigh_hh_output include/net/neighbour.h:529 [inline]\n[dm_stree. To add\nthe required check for out of bound we first need to determine the type\nof dmtree. Thus added an extra parameter to dbFindLeaf so that the type\nof tree can be determined and the required check can be applied.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52799" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52800", + "dataSource": "https://ubuntu.com/security/CVE-2023-52800", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52800" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52800", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52800", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03ed26935bebf6b6fd8a656490bf3dcc71b72679", + "https://git.kernel.org/stable/c/3a51e6b4da71fdfa43ec006d6abc020f3e22d14e", + "https://git.kernel.org/stable/c/3f77c7d605b29df277d77e9ee75d96e7ad145d2d", + "https://git.kernel.org/stable/c/423762f021825b5e57c3d6f01ff96a9ff19cdcd8", + "https://git.kernel.org/stable/c/69cede2a5a5f60e3f5602b901b52cb64edd2ea6c", + "https://git.kernel.org/stable/c/e3199b3fac65c9f103055390b6fd07c5cffa5961" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix htt pktlog locking\n\nThe ath11k active pdevs are protected by RCU but the htt pktlog handling\ncode calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\nread-side critical section.\n\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\n\nCompile tested only.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52800" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52802", + "dataSource": "https://ubuntu.com/security/CVE-2023-52802", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52802" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52802", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52802", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52802" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52803", + "dataSource": "https://ubuntu.com/security/CVE-2023-52803", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52803" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52803", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52803", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a", + "https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df", + "https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618", + "https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680", + "https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5", + "https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264", + "https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a", + "https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\n\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\nworkqueue,which takes care about pipefs superblock locking.\nIn some special scenarios, when kernel frees the pipefs sb of the\ncurrent client and immediately alloctes a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\n\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\n\nThis error can be catched by KASAN:\n=========================================================\n[ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[ 250.500549] Workqueue: events rpc_free_client_work\n[ 250.501001] Call Trace:\n[ 250.502880] kasan_report+0xb6/0xf0\n[ 250.503209] ? dget_parent+0x195/0x200\n[ 250.503561] dget_parent+0x195/0x200\n[ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[ 250.504384] rpc_rmdir_depopulate+0x1b/0x90\n[ 250.504781] rpc_remove_client_dir+0xf5/0x150\n[ 250.505195] rpc_free_client_work+0xe4/0x230\n[ 250.505598] process_one_work+0x8ee/0x13b0\n...\n[ 22.039056] Allocated by task 244:\n[ 22.039390] kasan_save_stack+0x22/0x50\n[ 22.039758] kasan_set_track+0x25/0x30\n[ 22.040109] __kasan_slab_alloc+0x59/0x70\n[ 22.040487] kmem_cache_alloc_lru+0xf0/0x240\n[ 22.040889] __d_alloc+0x31/0x8e0\n[ 22.041207] d_alloc+0x44/0x1f0\n[ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140\n[ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110\n[ 22.042459] rpc_create_client_dir+0x34/0x150\n[ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0\n[ 22.043284] rpc_client_register+0x136/0x4e0\n[ 22.043689] rpc_new_client+0x911/0x1020\n[ 22.044057] rpc_create_xprt+0xcb/0x370\n[ 22.044417] rpc_create+0x36b/0x6c0\n...\n[ 22.049524] Freed by task 0:\n[ 22.049803] kasan_save_stack+0x22/0x50\n[ 22.050165] kasan_set_track+0x25/0x30\n[ 22.050520] kasan_save_free_info+0x2b/0x50\n[ 22.050921] __kasan_slab_free+0x10e/0x1a0\n[ 22.051306] kmem_cache_free+0xa5/0x390\n[ 22.051667] rcu_core+0x62c/0x1930\n[ 22.051995] __do_softirq+0x165/0x52a\n[ 22.052347]\n[ 22.052503] Last potentially related work creation:\n[ 22.052952] kasan_save_stack+0x22/0x50\n[ 22.053313] __kasan_record_aux_stack+0x8e/0xa0\n[ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0\n[ 22.054209] dentry_free+0xb2/0x140\n[ 22.054540] __dentry_kill+0x3be/0x540\n[ 22.054900] shrink_dentry_list+0x199/0x510\n[ 22.055293] shrink_dcache_parent+0x190/0x240\n[ 22.055703] do_one_tree+0x11/0x40\n[ 22.056028] shrink_dcache_for_umount+0x61/0x140\n[ 22.056461] generic_shutdown_super+0x70/0x590\n[ 22.056879] kill_anon_super+0x3a/0x60\n[ 22.057234] rpc_kill_sb+0x121/0x200", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52803" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52804", + "dataSource": "https://ubuntu.com/security/CVE-2023-52804", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52804" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52804", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52804", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1f74d336990f37703a8eee77153463d65b67f70e", + "https://git.kernel.org/stable/c/2323de34a3ae61a9f9b544c18583f71cea86721f", + "https://git.kernel.org/stable/c/32bd8f1cbcf8b663e29dd1f908ba3a129541a11b", + "https://git.kernel.org/stable/c/5013f8269887642cca784adc8db9b5f0b771533f", + "https://git.kernel.org/stable/c/64933ab7b04881c6c18b21ff206c12278341c72e", + "https://git.kernel.org/stable/c/a0649e2dd4a3595b5595a29d0064d047c2fae2fb", + "https://git.kernel.org/stable/c/c6c8863fb3f57700ab583d875adda04caaf2278a", + "https://git.kernel.org/stable/c/ce15b0f1a431168f07b1cc6c9f71206a2db5c809", + "https://git.kernel.org/stable/c/dca403bb035a565bb98ecc1dda5d30f676feda40" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Add validity check for db_maxag and db_agpref\n\nBoth db_maxag and db_agpref are used as the index of the\ndb_agfree array, but there is currently no validity check for\ndb_maxag and db_agpref, which can lead to errors.\n\nThe following is related bug reported by Syzbot:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20\nindex 7936 is out of range for type 'atomic_t[128]'\n\nAdd checking that the values of db_maxag and db_agpref are valid\nindexes for the db_agfree array.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52804" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52805", + "dataSource": "https://ubuntu.com/security/CVE-2023-52805", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52805" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52805", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52805", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/05d9ea1ceb62a55af6727a69269a4fd310edf483", + "https://git.kernel.org/stable/c/1708d0a9917fea579cc9da3d87b154285abd2cd8", + "https://git.kernel.org/stable/c/1ba7df5457dc1c1071c5f92ac11323533a6430e1", + "https://git.kernel.org/stable/c/2308d0fb0dc32446b4e6ca37cd09c30374bb64e9", + "https://git.kernel.org/stable/c/64f062baf202b82f54987a3f614a6c8f3e466641", + "https://git.kernel.org/stable/c/665b44e55c2767a4f899c3b18f49e9e1c9983777", + "https://git.kernel.org/stable/c/7467ca10a5ff09b0e87edf6c4d2a4bfdee69cf2c", + "https://git.kernel.org/stable/c/8c68af2af697ba2ba3b138be0c6d72e2ce3a3d6d", + "https://git.kernel.org/stable/c/cf7e3e84df36a9953796c737f080712f631d7083" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in diAlloc\n\nCurrently there is not check against the agno of the iag while\nallocating new inodes to avoid fragmentation problem. Added the check\nwhich is required.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52805" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52806", + "dataSource": "https://ubuntu.com/security/CVE-2023-52806", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52806" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52806", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52806", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2527775616f3638f4fd54649eba8c7b84d5e4250", + "https://git.kernel.org/stable/c/25354bae4fc310c3928e8a42fda2d486f67745d7", + "https://git.kernel.org/stable/c/43b91df291c8802268ab3cfd8fccfdf135800ed4", + "https://git.kernel.org/stable/c/4a320da7f7cbdab2098b103c47f45d5061f42edd", + "https://git.kernel.org/stable/c/631a96e9eb4228ff75fce7e72d133ca81194797e", + "https://git.kernel.org/stable/c/758c7733cb821041f5fd403b7b97c0b95d319323", + "https://git.kernel.org/stable/c/7de25112de8222fd20564769e6c99dc9f9738a0b", + "https://git.kernel.org/stable/c/f93dc90c2e8ed664985e366aa6459ac83cdab236", + "https://git.kernel.org/stable/c/fe7c1a0c2b25c82807cb46fc3aadbf2664a682b0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Fix possible null-ptr-deref when assigning a stream\n\nWhile AudioDSP drivers assign streams exclusively of HOST or LINK type,\nnothing blocks a user to attempt to assign a COUPLED stream. As\nsupplied substream instance may be a stub, what is the case when\ncode-loading, such scenario ends with null-ptr-deref.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52806" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52808", + "dataSource": "https://ubuntu.com/security/CVE-2023-52808", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52808" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52808", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52808", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/33331b265aac9441ac0c1a5442e3f05d038240ec", + "https://git.kernel.org/stable/c/6de426f9276c448e2db7238911c97fb157cb23be", + "https://git.kernel.org/stable/c/75a2656260fe8c7eeabda6ff4600b29e183f48db", + "https://git.kernel.org/stable/c/b4465009e7d60c6111946db4c8f1e50d401ed7be", + "https://git.kernel.org/stable/c/f0bfc8a5561fb0b2c48183dcbfe00bdd6d973bd3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs\n\nIf init debugfs failed during device registration due to memory allocation\nfailure, debugfs_remove_recursive() is called, after which debugfs_dir is\nnot set to NULL. debugfs_remove_recursive() will be called again during\ndevice removal. As a result, illegal pointer is accessed.\n\n[ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs!\n...\n[ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[ 1669.872669] pc : down_write+0x24/0x70\n[ 1669.876315] lr : down_write+0x1c/0x70\n[ 1669.879961] sp : ffff000036f53a30\n[ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8\n[ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000\n[ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270\n[ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8\n[ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310\n[ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10\n[ 1669.914982] x17: 0000000000000000 x16: 0000000000000000\n[ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870\n[ 1669.925555] x13: 0000000000000040 x12: 0000000000000228\n[ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0\n[ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10\n[ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff\n[ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00\n[ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000\n[ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001\n[ 1669.962563] Call trace:\n[ 1669.965000] down_write+0x24/0x70\n[ 1669.968301] debugfs_remove_recursive+0x5c/0x1b0\n[ 1669.972905] hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main]\n[ 1669.978541] hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw]\n[ 1669.984175] pci_device_remove+0x48/0xd8\n[ 1669.988082] device_release_driver_internal+0x1b4/0x250\n[ 1669.993282] device_release_driver+0x28/0x38\n[ 1669.997534] pci_stop_bus_device+0x84/0xb8\n[ 1670.001611] pci_stop_and_remove_bus_device_locked+0x24/0x40\n[ 1670.007244] remove_store+0xfc/0x140\n[ 1670.010802] dev_attr_store+0x44/0x60\n[ 1670.014448] sysfs_kf_write+0x58/0x80\n[ 1670.018095] kernfs_fop_write+0xe8/0x1f0\n[ 1670.022000] __vfs_write+0x60/0x190\n[ 1670.025472] vfs_write+0xac/0x1c0\n[ 1670.028771] ksys_write+0x6c/0xd8\n[ 1670.032071] __arm64_sys_write+0x24/0x30\n[ 1670.035977] el0_svc_common+0x78/0x130\n[ 1670.039710] el0_svc_handler+0x38/0x78\n[ 1670.043442] el0_svc+0x8/0xc\n\nTo fix this, set debugfs_dir to NULL after debugfs_remove_recursive().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52808" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52809", + "dataSource": "https://ubuntu.com/security/CVE-2023-52809", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52809" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52809", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52809", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/442fd24d7b6b29e4a9cd9225afba4142d5f522ba", + "https://git.kernel.org/stable/c/4df105f0ce9f6f30cda4e99f577150d23f0c9c5f", + "https://git.kernel.org/stable/c/56d78b5495ebecbb9395101f3be177cd0a52450b", + "https://git.kernel.org/stable/c/6b9ecf4e1032e645873933e5b43cbb84cac19106", + "https://git.kernel.org/stable/c/77072ec41d6ab3718c3fc639bc149b8037caedfa", + "https://git.kernel.org/stable/c/930f0aaba4820d6362de4e6ed569eaf444f1ea4e", + "https://git.kernel.org/stable/c/b549acf999824d4f751ca57965700372f2f3ad00", + "https://git.kernel.org/stable/c/bb83f79f90e92f46466adcfd4fd264a7ae0f0f01", + "https://git.kernel.org/stable/c/f6fe7261b92b21109678747f36df9fdab1e30c34" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()\n\nfc_lport_ptp_setup() did not check the return value of fc_rport_create()\nwhich can return NULL and would cause a NULL pointer dereference. Address\nthis issue by checking return value of fc_rport_create() and log error\nmessage on fc_rport_create() failed.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52809" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52810", + "dataSource": "https://ubuntu.com/security/CVE-2023-52810", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52810" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52810", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52810", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0cb567e727339a192f9fd0db00781d73a91d15a6", + "https://git.kernel.org/stable/c/1a7c53fdea1d189087544d9a606d249e93c4934b", + "https://git.kernel.org/stable/c/491085258185ffc4fb91555b0dba895fe7656a45", + "https://git.kernel.org/stable/c/524b4f203afcf87accfe387e846f33f916f0c907", + "https://git.kernel.org/stable/c/525b861a008143048535011f3816d407940f4bfa", + "https://git.kernel.org/stable/c/5f148b16972e5f4592629b244d5109b15135f53f", + "https://git.kernel.org/stable/c/8f2964df6bfce9d92d81ca552010b8677af8d9dc", + "https://git.kernel.org/stable/c/a81a56b4cbe3142cc99f6b98e8f9b3a631c768e1", + "https://git.kernel.org/stable/c/cc61fcf7d1c99f148fe8ddfb5c6ed0bb75861f01" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Add check for negative db_l2nbperpage\n\nl2nbperpage is log2(number of blks per page), and the minimum legal\nvalue should be 0, not negative.\n\nIn the case of l2nbperpage being negative, an error will occur\nwhen subsequently used as shift exponent.\n\nSyzbot reported this bug:\n\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12\nshift exponent -16777216 is negative", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52810" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52811", + "dataSource": "https://ubuntu.com/security/CVE-2023-52811", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52811" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52811", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52811", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/88984ec4792766df5a9de7a2ff2b5f281f94c7d4", + "https://git.kernel.org/stable/c/8bbe784c2ff28d56ca0c548aaf3e584edc77052d", + "https://git.kernel.org/stable/c/b39f2d10b86d0af353ea339e5815820026bca48f", + "https://git.kernel.org/stable/c/d2af4ef80601224b90630c1ddc7cd2c7c8ab4dd8", + "https://git.kernel.org/stable/c/e1d1f79b1929dce470a5dc9281c574cd58e8c6c0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Remove BUG_ON in the case of an empty event pool\n\nIn practice the driver should never send more commands than are allocated\nto a queue's event pool. In the unlikely event that this happens, the code\nasserts a BUG_ON, and in the case that the kernel is not configured to\ncrash on panic returns a junk event pointer from the empty event list\ncausing things to spiral from there. This BUG_ON is a historical artifact\nof the ibmvfc driver first being upstreamed, and it is well known now that\nthe use of BUG_ON is bad practice except in the most unrecoverable\nscenario. There is nothing about this scenario that prevents the driver\nfrom recovering and carrying on.\n\nRemove the BUG_ON in question from ibmvfc_get_event() and return a NULL\npointer in the case of an empty event pool. Update all call sites to\nibmvfc_get_event() to check for a NULL pointer and perfrom the appropriate\nfailure or recovery action.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52811" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52812", + "dataSource": "https://ubuntu.com/security/CVE-2023-52812", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52812" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52812", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52812", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09f617219fe9ccd8d7b65dc3e879b5889f663b5a", + "https://git.kernel.org/stable/c/406e8845356d18bdf3d3a23b347faf67706472ec", + "https://git.kernel.org/stable/c/5b4574b663d0a1a0a62d5232429b7db9ae6d0670" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: check num of link levels when update pcie param\n\nIn SR-IOV environment, the value of pcie_table->num_of_link_levels will\nbe 0, and num_of_levels - 1 will cause array index out of bounds", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52812" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52813", + "dataSource": "https://ubuntu.com/security/CVE-2023-52813", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52813" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52813", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52813", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0", + "https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28", + "https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316", + "https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523", + "https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e", + "https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7", + "https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf", + "https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d", + "https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\n\nWe found a hungtask bug in test_aead_vec_cfg as follows:\n\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nCall trace:\n __switch_to+0x98/0xe0\n __schedule+0x6c4/0xf40\n schedule+0xd8/0x1b4\n schedule_timeout+0x474/0x560\n wait_for_common+0x368/0x4e0\n wait_for_completion+0x20/0x30\n wait_for_completion+0x20/0x30\n test_aead_vec_cfg+0xab4/0xd50\n test_aead+0x144/0x1f0\n alg_test_aead+0xd8/0x1e0\n alg_test+0x634/0x890\n cryptomgr_test+0x40/0x70\n kthread+0x1e0/0x220\n ret_from_fork+0x10/0x18\n Kernel panic - not syncing: hung_task: blocked tasks\n\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\nwait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\nreturn err is 0 for padata_do_parallel. But, when pinst->flags is\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\nwon't call aead_request_complete(). Therefore, test_aead_vec_cfg will\nhung at wait_for_completion(&wait->completion), which will cause\nhungtask.\n\nThe problem comes as following:\n(padata_do_parallel) |\n rcu_read_lock_bh(); |\n err = -EINVAL; | (padata_replace)\n | pinst->flags |= PADATA_RESET;\n err = -EBUSY |\n if (pinst->flags & PADATA_RESET) |\n rcu_read_unlock_bh() |\n return err\n\nIn order to resolve the problem, we replace the return err -EBUSY with\n-EAGAIN, which means parallel_data is changing, and the caller should call\nit again.\n\nv3:\nremove retry and just change the return err.\nv2:\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\npcrypt_aead_decrypt to solve the hungtask.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52813" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52815", + "dataSource": "https://ubuntu.com/security/CVE-2023-52815", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52815" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52815", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52815", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/33fb1a555354bd593f785935ddcb5d9dd4d3847f", + "https://git.kernel.org/stable/c/70f831f21155c692bb336c434936fd6f24f3f81a", + "https://git.kernel.org/stable/c/8c6c85a073768df68c1a3fea143d013a38c66d34", + "https://git.kernel.org/stable/c/cd90511557fdfb394bb4ac4c3b539b007383914c", + "https://git.kernel.org/stable/c/eaa03ea366c85ae3cb69c8d4bbc67c8bc2167a27" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vkms: fix a possible null pointer dereference\n\nIn amdgpu_vkms_conn_get_modes(), the return value of drm_cvt_mode()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_cvt_mode(). Add a check to avoid null pointer\ndereference.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52815" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52816", + "dataSource": "https://ubuntu.com/security/CVE-2023-52816", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52816" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52816", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52816", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2806f880379232e789957c2078d612669eb7a69c", + "https://git.kernel.org/stable/c/282c1d793076c2edac6c3db51b7e8ed2b41d60a5", + "https://git.kernel.org/stable/c/3f7a400d5e80f99581e3e8a9843e1f6118bf454f", + "https://git.kernel.org/stable/c/56649c43d40ce0147465a2d5756d300e87f9ee1c", + "https://git.kernel.org/stable/c/d33a35b13cbfec3238043f196fa87a6384f9d087" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix shift out-of-bounds issue\n\n[ 567.613292] shift exponent 255 is too large for 64-bit type 'long unsigned int'\n[ 567.614498] CPU: 5 PID: 238 Comm: kworker/5:1 Tainted: G OE 6.2.0-34-generic #34~22.04.1-Ubuntu\n[ 567.614502] Hardware name: AMD Splinter/Splinter-RPL, BIOS WS43927N_871 09/25/2023\n[ 567.614504] Workqueue: events send_exception_work_handler [amdgpu]\n[ 567.614748] Call Trace:\n[ 567.614750] \n[ 567.614753] dump_stack_lvl+0x48/0x70\n[ 567.614761] dump_stack+0x10/0x20\n[ 567.614763] __ubsan_handle_shift_out_of_bounds+0x156/0x310\n[ 567.614769] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.614773] ? update_sd_lb_stats.constprop.0+0xf2/0x3c0\n[ 567.614780] svm_range_split_by_granularity.cold+0x2b/0x34 [amdgpu]\n[ 567.615047] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.615052] svm_migrate_to_ram+0x185/0x4d0 [amdgpu]\n[ 567.615286] do_swap_page+0x7b6/0xa30\n[ 567.615291] ? srso_alias_return_thunk+0x5/0x7f\n[ 567.615294] ? __free_pages+0x119/0x130\n[ 567.615299] handle_pte_fault+0x227/0x280\n[ 567.615303] __handle_mm_fault+0x3c0/0x720\n[ 567.615311] handle_mm_fault+0x119/0x330\n[ 567.615314] ? lock_mm_and_find_vma+0x44/0x250\n[ 567.615318] do_user_addr_fault+0x1a9/0x640\n[ 567.615323] exc_page_fault+0x81/0x1b0\n[ 567.615328] asm_exc_page_fault+0x27/0x30\n[ 567.615332] RIP: 0010:__get_user_8+0x1c/0x30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52816" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52817", + "dataSource": "https://ubuntu.com/security/CVE-2023-52817", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52817" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52817", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/174f62a0aa15c211e60208b41ee9e7cdfb73d455", + "https://git.kernel.org/stable/c/437e0fa907ba39b4d7eda863c03ea9cf48bd93a9", + "https://git.kernel.org/stable/c/5104fdf50d326db2c1a994f8b35dcd46e63ae4ad", + "https://git.kernel.org/stable/c/6c1b3d89a2dda79881726bb6e37af19c0936d736", + "https://git.kernel.org/stable/c/820daf9ffe2b0afb804567b10983fb38bc5ae288", + "https://git.kernel.org/stable/c/ba3c0796d292de84f2932cc5bbb0f771fc720996", + "https://git.kernel.org/stable/c/bf2d51eedf03bd61e3556e35d74d49e2e6112398", + "https://git.kernel.org/stable/c/f475d5502f33a6c5b149b0afe96316ad1962a64a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\n\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\n\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log::\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636] \n[4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002] full_proxy_read+0x5c/0x80\n[4005007.703011] vfs_read+0x9f/0x1a0\n[4005007.703019] ksys_read+0x67/0xe0\n[4005007.703023] __x64_sys_read+0x19/0x20\n[4005007.703028] do_syscall_64+0x5c/0xc0\n[4005007.703034] ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052] ? irqentry_exit+0x19/0x30\n[4005007.703057] ? exc_page_fault+0x89/0x160\n[4005007.703062] ? asm_exc_page_fault+0x8/0x30\n[4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105] \n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52817" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52818", + "dataSource": "https://ubuntu.com/security/CVE-2023-52818", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52818" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52818", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6dffdddfca818c02a42b6caa1d9845995f0a1f94", + "https://git.kernel.org/stable/c/760efbca74a405dc439a013a5efaa9fadc95a8c3", + "https://git.kernel.org/stable/c/8af28ae3acb736ada4ce3457662fa446cc913bb4", + "https://git.kernel.org/stable/c/92a775e7c9707aed28782bafe636bf87675f5a97", + "https://git.kernel.org/stable/c/acdb6830de02cf2873aeaccdf2d9bca4aee50e47", + "https://git.kernel.org/stable/c/c847379a5d00078ad6fcb1c24230e72c5609342f", + "https://git.kernel.org/stable/c/cfd8cd907fd94538561479a43aea455f5cf16928", + "https://git.kernel.org/stable/c/e52e324a21341c97350d5f11de14721c1c609498", + "https://git.kernel.org/stable/c/fc9ac0e8e0bcb3740c6eaad3a1a50c20016d422b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\n\nFor pptable structs that use flexible array sizes, use flexible arrays.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52818" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52819", + "dataSource": "https://ubuntu.com/security/CVE-2023-52819", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52819" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52819", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52819", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f0e59075b5c22f1e871fbd508d6e4f495048356", + "https://git.kernel.org/stable/c/60a00dfc7c5deafd1dd393beaf53224f7256dad6", + "https://git.kernel.org/stable/c/7c68283f3166221af3df5791f0e13d3137a72216", + "https://git.kernel.org/stable/c/8c1dbddbfcb051e82cea0c197c620f9dcdc38e92", + "https://git.kernel.org/stable/c/a237675aa1e62bbfaa341c535331c8656a508fa1", + "https://git.kernel.org/stable/c/a63fd579e7b1c3a9ebd6e6c494d49b1b6cf5515e", + "https://git.kernel.org/stable/c/b3b8b7c040cf069da7afe11c5bd73b870b8f3d18", + "https://git.kernel.org/stable/c/d0725232da777840703f5f1e22f2e3081d712aa4", + "https://git.kernel.org/stable/c/d50a56749e5afdc63491b88f5153c1aae00d4679" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga\n\nFor pptable structs that use flexible array sizes, use flexible arrays.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52819" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52821", + "dataSource": "https://ubuntu.com/security/CVE-2023-52821", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52821" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52821", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52821", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2381f6b628b3214f07375e0adf5ce17093c31190", + "https://git.kernel.org/stable/c/4fa930ba046d20fc1899770396ee11e905fa96e4", + "https://git.kernel.org/stable/c/79813cd59398015867d51e6d7dcc14d287d4c402", + "https://git.kernel.org/stable/c/8a9dd36fcb4f3906982b82593393578db4479992", + "https://git.kernel.org/stable/c/924e5814d1f84e6fa5cb19c6eceb69f066225229", + "https://git.kernel.org/stable/c/c7dc0aca5962fb37dbea9769dd26ec37813faae1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: fix a possible null pointer dereference\n\nIn versatile_panel_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52821" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52825", + "dataSource": "https://ubuntu.com/security/CVE-2023-52825", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52825" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52825", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52825", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/50f35a907c4f9ed431fd3dbb8b871ef1cbb0718e", + "https://git.kernel.org/stable/c/709c348261618da7ed89d6c303e2ceb9e453ba74", + "https://git.kernel.org/stable/c/7d43cdd22cd81a2b079e864c4321b9aba4c6af34", + "https://git.kernel.org/stable/c/c772eacbd6d0845fc922af8716bb9d29ae27b8cf", + "https://git.kernel.org/stable/c/fc0210720127cc6302e6d6f3de48f49c3fcf5659" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix a race condition of vram buffer unref in svm code\n\nprange->svm_bo unref can happen in both mmu callback and a callback after\nmigrate to system ram. Both are async call in different tasks. Sync svm_bo\nunref operation to avoid random \"use-after-free\".", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52825" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52826", + "dataSource": "https://ubuntu.com/security/CVE-2023-52826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52826", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/84c923d898905187ebfd4c0ef38cd1450af7e0ea", + "https://git.kernel.org/stable/c/9268bfd76bebc85ff221691b61498cc16d75451c", + "https://git.kernel.org/stable/c/9acc2bc00135e9ecd13a70ce1140e2673e504cdc", + "https://git.kernel.org/stable/c/d0bc9ab0a161a9745273f5bf723733a8e6c57aca", + "https://git.kernel.org/stable/c/eaede6900c0961b072669d6bd97fe8f90ed1900f", + "https://git.kernel.org/stable/c/f22def5970c423ea7f87d5247bd0ef91416b0658" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel/panel-tpo-tpg110: fix a possible null pointer dereference\n\nIn tpg110_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52826" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52828", + "dataSource": "https://ubuntu.com/security/CVE-2023-52828", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52828" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52828", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52828", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/327b92e8cb527ae097961ffd1610c720481947f5", + "https://git.kernel.org/stable/c/6058e4829696412457729a00734969acc6fd1d18", + "https://git.kernel.org/stable/c/66d9111f3517f85ef2af0337ece02683ce0faf21", + "https://git.kernel.org/stable/c/821a7e4143af115b840ec199eb179537e18af922", + "https://git.kernel.org/stable/c/aa42a7cb92647786719fe9608685da345883878f", + "https://git.kernel.org/stable/c/cf353904a82873e952633fcac4385c2fcd3a46e1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Detect IP == ksym.end as part of BPF program\n\nNow that bpf_throw kfunc is the first such call instruction that has\nnoreturn semantics within the verifier, this also kicks in dead code\nelimination in unprecedented ways. For one, any instruction following\na bpf_throw call will never be marked as seen. Moreover, if a callchain\nends up throwing, any instructions after the call instruction to the\neventually throwing subprog in callers will also never be marked as\nseen.\n\nThe tempting way to fix this would be to emit extra 'int3' instructions\nwhich bump the jited_len of a program, and ensure that during runtime\nwhen a program throws, we can discover its boundaries even if the call\ninstruction to bpf_throw (or to subprogs that always throw) is emitted\nas the final instruction in the program.\n\nAn example of such a program would be this:\n\ndo_something():\n\t...\n\tr0 = 0\n\texit\n\nfoo():\n\tr1 = 0\n\tcall bpf_throw\n\tr0 = 0\n\texit\n\nbar(cond):\n\tif r1 != 0 goto pc+2\n\tcall do_something\n\texit\n\tcall foo\n\tr0 = 0 // Never seen by verifier\n\texit\t//\n\nmain(ctx):\n\tr1 = ...\n\tcall bar\n\tr0 = 0\n\texit\n\nHere, if we do end up throwing, the stacktrace would be the following:\n\nbpf_throw\nfoo\nbar\nmain\n\nIn bar, the final instruction emitted will be the call to foo, as such,\nthe return address will be the subsequent instruction (which the JIT\nemits as int3 on x86). This will end up lying outside the jited_len of\nthe program, thus, when unwinding, we will fail to discover the return\naddress as belonging to any program and end up in a panic due to the\nunreliable stack unwinding of BPF programs that we never expect.\n\nTo remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as\npart of the BPF program, so that is_bpf_text_address returns true when\nsuch a case occurs, and we are able to unwind reliably when the final\ninstruction ends up being a call instruction.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52828" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52829", + "dataSource": "https://ubuntu.com/security/CVE-2023-52829", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52829" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52829", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4dd0547e8b45faf6f95373be5436b66cde326c0e", + "https://git.kernel.org/stable/c/b302dce3d9edea5b93d1902a541684a967f3c63c", + "https://git.kernel.org/stable/c/dfe13eaab043130f90dd3d57c7d88577c04adc97" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()\n\nreg_cap.phy_id is extracted from WMI event and could be an unexpected value\nin case some errors happen. As a result out-of-bound write may occur to\nsoc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.\n\nThis is found during code review.\n\nCompile tested only.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52829" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52831", + "dataSource": "https://ubuntu.com/security/CVE-2023-52831", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52831" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52831", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52831", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63", + "https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13", + "https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908", + "https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpu/hotplug: Don't offline the last non-isolated CPU\n\nIf a system has isolated CPUs via the \"isolcpus=\" command line parameter,\nthen an attempt to offline the last housekeeping CPU will result in a\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\nto and unhandled empty CPU mas in partition_sched_domains_locked().\n\ncpuset_hotplug_workfn()\n rebuild_sched_domains_locked()\n ndoms = generate_sched_domains(&doms, &attr);\n cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\n\nThus results in an empty CPU mask which triggers the warning and then the\nsubsequent crash:\n\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\nCall trace:\n build_sched_domains+0x120c/0x1408\n partition_sched_domains_locked+0x234/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n rebuild_sched_domains+0x30/0x58\n cpuset_hotplug_workfn+0x2a8/0x930\n\nUnable to handle kernel paging request at virtual address fffe80027ab37080\n partition_sched_domains_locked+0x318/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n\nAside of the resulting crash, it does not make any sense to offline the last\nlast housekeeping CPU.\n\nPrevent this by masking out the non-housekeeping CPUs when selecting a\ntarget CPU for initiating the CPU unplug operation via the work queue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52831" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52832", + "dataSource": "https://ubuntu.com/security/CVE-2023-52832", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52832" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52832", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52832", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/1571120c44dbe5757aee1612c5b6097cdc42710f", + "https://git.kernel.org/stable/c/21a0f310a9f3bfd2b4cf4f382430e638607db846", + "https://git.kernel.org/stable/c/298e767362cade639b7121ecb3cc5345b6529f62", + "https://git.kernel.org/stable/c/2be24c47ac19bf639c48c082486c08888bd603c6", + "https://git.kernel.org/stable/c/5a94cffe90e20e8fade0b9abd4370bd671fe87c7", + "https://git.kernel.org/stable/c/717de20abdcd1d4993fa450e28b8086a352620ea", + "https://git.kernel.org/stable/c/adc2474d823fe81d8da759207f4f1d3691aa775a", + "https://git.kernel.org/stable/c/e160ab85166e77347d0cbe5149045cb25e83937f", + "https://git.kernel.org/stable/c/efeae5f4972f75d50002bc50eb112ab9e7069b18" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don't return unset power in ieee80211_get_tx_power()\n\nWe can get a UBSAN warning if ieee80211_get_tx_power() returns the\nINT_MIN value mac80211 internally uses for \"unset power level\".\n\n UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5\n -2147483648 * 100 cannot be represented in type 'int'\n CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE\n Call Trace:\n dump_stack+0x74/0x92\n ubsan_epilogue+0x9/0x50\n handle_overflow+0x8d/0xd0\n __ubsan_handle_mul_overflow+0xe/0x10\n nl80211_send_iface+0x688/0x6b0 [cfg80211]\n [...]\n cfg80211_register_wdev+0x78/0xb0 [cfg80211]\n cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]\n [...]\n ieee80211_if_add+0x60e/0x8f0 [mac80211]\n ieee80211_register_hw+0xda5/0x1170 [mac80211]\n\nIn this case, simply return an error instead, to indicate\nthat no data is available.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52832" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52833", + "dataSource": "https://ubuntu.com/security/CVE-2023-52833", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52833" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52833", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52833", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0048ddf045bddc4dacb3e783fd869a2f8fb5be30", + "https://git.kernel.org/stable/c/13b1ebad4c175e6a9b0748acbf133c21a15d282a", + "https://git.kernel.org/stable/c/624820f7c8826dd010e8b1963303c145f99816e9", + "https://git.kernel.org/stable/c/9f8e4d1a4ca1179aaeb43f91f3e2a386e7e616b3", + "https://git.kernel.org/stable/c/a556f2ef556a04790f67f2fa272f1a77336d15a0", + "https://git.kernel.org/stable/c/f9de14bde56dcbb0765284c6dfc35842b021733c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: Add date->evt_skb is NULL check\n\nfix crash because of null pointers\n\n[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[ 6104.969667] #PF: supervisor read access in kernel mode\n[ 6104.969668] #PF: error_code(0x0000) - not-present page\n[ 6104.969670] PGD 0 P4D 0\n[ 6104.969673] Oops: 0000 [#1] SMP NOPTI\n[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]\n[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246\n[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006\n[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000\n[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001\n[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0\n[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90\n[ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000\n[ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0\n[ 6104.969701] PKRU: 55555554\n[ 6104.969702] Call Trace:\n[ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb]\n[ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth]\n[ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth]\n[ 6104.969753] rfkill_set_block+0x92/0x160\n[ 6104.969755] rfkill_fop_write+0x136/0x1e0\n[ 6104.969759] __vfs_write+0x18/0x40\n[ 6104.969761] vfs_write+0xdf/0x1c0\n[ 6104.969763] ksys_write+0xb1/0xe0\n[ 6104.969765] __x64_sys_write+0x1a/0x20\n[ 6104.969769] do_syscall_64+0x51/0x180\n[ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[ 6104.969773] RIP: 0033:0x7f5a21f18fef\n[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef\n[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012\n[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017\n[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002\n[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52833" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52834", + "dataSource": "https://ubuntu.com/security/CVE-2023-52834", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52834" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52834", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52834", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32f08b7b430ee01ec47d730f961a3306c1c7b6fb", + "https://git.kernel.org/stable/c/54a6152da4993ec8e4b53dc3cf577f5a2c829afa", + "https://git.kernel.org/stable/c/57e44ff9c2c9747b2b1a53556810b0e5192655d6", + "https://git.kernel.org/stable/c/86565682e9053e5deb128193ea9e88531bbae9cf", + "https://git.kernel.org/stable/c/c29a89b23f67ee592f4dee61f9d7efbf86d60315" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\natl1c: Work around the DMA RX overflow issue\n\nThis is based on alx driver commit 881d0327db37 (\"net: alx: Work around\nthe DMA RX overflow issue\").\n\nThe alx and atl1c drivers had RX overflow error which was why a custom\nallocator was created to avoid certain addresses. The simpler workaround\nthen created for alx driver, but not for atl1c due to lack of tester.\n\nInstead of using a custom allocator, check the allocated skb address and\nuse skb_reserve() to move away from problematic 0x...fc0 address.\n\nTested on AR8131 on Acer 4540.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52834" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52835", + "dataSource": "https://ubuntu.com/security/CVE-2023-52835", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52835" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52835", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52835", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a2a4202c60fcdffbf04f259002ce9bff39edece", + "https://git.kernel.org/stable/c/2424410f94a94d91230ced094062d859714c984a", + "https://git.kernel.org/stable/c/2e905e608e38cf7f8dcddcf8a6036e91a78444cb", + "https://git.kernel.org/stable/c/54aee5f15b83437f23b2b2469bcf21bdd9823916", + "https://git.kernel.org/stable/c/788c0b3442ead737008934947730a6d1ff703734", + "https://git.kernel.org/stable/c/8c504f615d7ed60ae035c51d0c789137ced6797f", + "https://git.kernel.org/stable/c/9ce4e87a8efd37c85766ec08b15e885cab08553a", + "https://git.kernel.org/stable/c/fd0df3f8719201dbe61a4d39083d5aecd705399a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Bail out early if the request AUX area is out of bound\n\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\n\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n failed to mmap with 12 (Cannot allocate memory)\n\nand it reveals a WARNING with __alloc_pages():\n\n\t------------[ cut here ]------------\n\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\n\tCall trace:\n\t __alloc_pages+0x1ec/0x248\n\t __kmalloc_large_node+0xc0/0x1f8\n\t __kmalloc_node+0x134/0x1e8\n\t rb_alloc_aux+0xe0/0x298\n\t perf_mmap+0x440/0x660\n\t mmap_region+0x308/0x8a8\n\t do_mmap+0x3c0/0x528\n\t vm_mmap_pgoff+0xf4/0x1b8\n\t ksys_mmap_pgoff+0x18c/0x218\n\t __arm64_sys_mmap+0x38/0x58\n\t invoke_syscall+0x50/0x128\n\t el0_svc_common.constprop.0+0x58/0x188\n\t do_el0_svc+0x34/0x50\n\t el0_svc+0x34/0x108\n\t el0t_64_sync_handler+0xb8/0xc0\n\t el0t_64_sync+0x1a4/0x1a8\n\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\nmaintains AUX trace pages. The allocated page for this array is physically\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\nWARNING.\n\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\ne.g.:\n\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n failed to mmap with 12 (Cannot allocate memory)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52835" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52836", + "dataSource": "https://ubuntu.com/security/CVE-2023-52836", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52836" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52836", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52836", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/304a2c4aad0fff887ce493e4197bf9cbaf394479", + "https://git.kernel.org/stable/c/9ed2d68b3925145f5f51c46559484881d6082f75", + "https://git.kernel.org/stable/c/bccdd808902f8c677317cec47c306e42b93b849e", + "https://git.kernel.org/stable/c/c56df79d68677cf062da1b6e3b33e74299a92dfc", + "https://git.kernel.org/stable/c/d4d37c9e6a4dbcca958dabd99216550525c7e389", + "https://git.kernel.org/stable/c/d8267cabbe1bed15ccf8b0e684c528bf8eeef715", + "https://git.kernel.org/stable/c/dcd85e3c929368076a7592b27f541e0da8b427f5", + "https://git.kernel.org/stable/c/e36407713163363e65566e7af0abe207d5f59a0c", + "https://git.kernel.org/stable/c/e89d0ed45a419c485bae999426ecf92697cbdda3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/ww_mutex/test: Fix potential workqueue corruption\n\nIn some cases running with the test-ww_mutex code, I was seeing\nodd behavior where sometimes it seemed flush_workqueue was\nreturning before all the work threads were finished.\n\nOften this would cause strange crashes as the mutexes would be\nfreed while they were being used.\n\nLooking at the code, there is a lifetime problem as the\ncontrolling thread that spawns the work allocates the\n\"struct stress\" structures that are passed to the workqueue\nthreads. Then when the workqueue threads are finished,\nthey free the stress struct that was passed to them.\n\nUnfortunately the workqueue work_struct node is in the stress\nstruct. Which means the work_struct is freed before the work\nthread returns and while flush_workqueue is waiting.\n\nIt seems like a better idea to have the controlling thread\nboth allocate and free the stress structures, so that we can\nbe sure we don't corrupt the workqueue by freeing the structure\nprematurely.\n\nSo this patch reworks the test to do so, and with this change\nI no longer see the early flush_workqueue returns.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52836" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52837", + "dataSource": "https://ubuntu.com/security/CVE-2023-52837", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52837" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52837", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52837", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/327462725b0f759f093788dfbcb2f1fd132f956b", + "https://git.kernel.org/stable/c/4e9b3ec84dc97909876641dad14e0a2300d6c2a3", + "https://git.kernel.org/stable/c/56bd7901b5e9dbc9112036ea615ebcba1565fafe", + "https://git.kernel.org/stable/c/879947f4180bc6e83af64eb0515e0cf57fce15db" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix uaf in nbd_open\n\nCommit 4af5f2e03013 (\"nbd: use blk_mq_alloc_disk and\nblk_cleanup_disk\") cleans up disk by blk_cleanup_disk() and it won't set\ndisk->private_data as NULL as before. UAF may be triggered in nbd_open()\nif someone tries to open nbd device right after nbd_put() since nbd has\nbeen free in nbd_dev_remove().\n\nFix this by implementing ->free_disk and free private data in it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52837" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52838", + "dataSource": "https://ubuntu.com/security/CVE-2023-52838", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52838" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52838", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52838", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/18d26f9baca7d0d309303e3074a2252b8310884a", + "https://git.kernel.org/stable/c/382e1931e0c9cd58a5a8519cdc6cd9dc4d82b485", + "https://git.kernel.org/stable/c/6c66d737b2726ac7784269ddf32a31634f8f269d", + "https://git.kernel.org/stable/c/7bc7b82fb2191b0d50a80ee4e27030918767dd1d", + "https://git.kernel.org/stable/c/8e4b510fe91782522b7ca0ca881b663b5d35e513", + "https://git.kernel.org/stable/c/a4dfebec32ec6d420a5506dd56a7834c91be28e4", + "https://git.kernel.org/stable/c/aba6ab57a910ad4b940c2024d15f2cdbf5b7f76b", + "https://git.kernel.org/stable/c/b346a531159d08c564a312a9eaeea691704f3c00" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: imsttfb: fix a resource leak in probe\n\nI've re-written the error handling but the bug is that if init_imstt()\nfails we need to call iounmap(par->cmap_regs).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52838" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52840", + "dataSource": "https://ubuntu.com/security/CVE-2023-52840", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52840" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52840", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52840", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2f236d8638f5b43e0c72919a6a27fe286c32053f", + "https://git.kernel.org/stable/c/303766bb92c5c225cf40f9bbbe7e29749406e2f2", + "https://git.kernel.org/stable/c/50d12253666195a14c6cd2b81c376e2dbeedbdff", + "https://git.kernel.org/stable/c/6c71e065befb2fae8f1461559b940c04e1071bd5", + "https://git.kernel.org/stable/c/7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f", + "https://git.kernel.org/stable/c/c8e639f5743cf4b01f8c65e0df075fe4d782b585", + "https://git.kernel.org/stable/c/cc56c4d17721dcb10ad4e9c9266e449be1462683", + "https://git.kernel.org/stable/c/eb988e46da2e4eae89f5337e047ce372fe33d5b1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: synaptics-rmi4 - fix use after free in rmi_unregister_function()\n\nThe put_device() calls rmi_release_function() which frees \"fn\" so the\ndereference on the next line \"fn->num_of_irqs\" is a use after free.\nMove the put_device() to the end to fix this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52840" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52841", + "dataSource": "https://ubuntu.com/security/CVE-2023-52841", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52841" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52841", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52841", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1fd6eb12642e0c32692924ff359c07de4b781d78", + "https://git.kernel.org/stable/c/64863ba8e6b7651d994c6e6d506cc8aa2ac45edb", + "https://git.kernel.org/stable/c/980be4c3b0d51c0f873fd750117774561c66cf68", + "https://git.kernel.org/stable/c/a254ee1ddc592ae1efcce96b8c014e1bd2d5a2b4", + "https://git.kernel.org/stable/c/aae7598aff291d4d140be1355aa20930af948785", + "https://git.kernel.org/stable/c/cb13001411999adb158b39e76d94705eb2da100d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: mux: Add check and kfree for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.\nMoreover, use kfree() in the later error handling in order to avoid\nmemory leak.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52841" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52843", + "dataSource": "https://ubuntu.com/security/CVE-2023-52843", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52843" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52843", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52843", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a720d0259ad3521ec6c9e4199f9f6fc75bac77a", + "https://git.kernel.org/stable/c/352887b3edd007cf9b0abc30fe9d98622acd859b", + "https://git.kernel.org/stable/c/3a2653828ffc6101aef80bf58d5b77484239f779", + "https://git.kernel.org/stable/c/7b3ba18703a63f6fd487183b9262b08e5632da1b", + "https://git.kernel.org/stable/c/900a4418e3f66a32db6baaf23f92b99c20ae6535", + "https://git.kernel.org/stable/c/9a3f9054a5227d7567cba1fb821df48ccecad10c", + "https://git.kernel.org/stable/c/cbdcdf42d15dac74c7287679fb2a9d955f8feb1f", + "https://git.kernel.org/stable/c/f980e9a57dfb9530f1f4ee41a2420f2a256d7b29", + "https://git.kernel.org/stable/c/ff5cb6a4f0c6d7fbdc84858323fb4b7af32cfd79" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: verify mac len before reading mac header\n\nLLC reads the mac header with eth_hdr without verifying that the skb\nhas an Ethernet header.\n\nSyzbot was able to enter llc_rcv on a tun device. Tun can insert\npackets without mac len and with user configurable skb->protocol\n(passing a tun_pi header when not configuring IFF_NO_PI).\n\n BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218\n __netif_receive_skb_one_core net/core/dev.c:5523 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\n netif_receive_skb_internal net/core/dev.c:5723 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5782\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002\n\nAdd a mac_len test before all three eth_hdr(skb) calls under net/llc.\n\nThere are further uses in include/net/llc_pdu.h. All these are\nprotected by a test skb->protocol == ETH_P_802_2. Which does not\nprotect against this tun scenario.\n\nBut the mac_len test added in this patch in llc_fixup_skb will\nindirectly protect those too. That is called from llc_rcv before any\nother LLC code.\n\nIt is tempting to just add a blanket mac_len check in llc_rcv, but\nnot sure whether that could break valid LLC paths that do not assume\nan Ethernet header. 802.2 LLC may be used on top of non-802.3\nprotocols in principle. The below referenced commit shows that used\nto, on top of Token Ring.\n\nAt least one of the three eth_hdr uses goes back to before the start\nof git history. But the one that syzbot exercises is introduced in\nthis commit. That commit is old enough (2008), that effectively all\nstable kernels should receive this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52843" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52844", + "dataSource": "https://ubuntu.com/security/CVE-2023-52844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52844", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3387490c89b10aeb4e71d78b65dbc9ba4b2385b9", + "https://git.kernel.org/stable/c/5c26aae3723965c291c65dd2ecad6a3240d422b0", + "https://git.kernel.org/stable/c/5cfcc8de7d733a1137b86954cc28ce99972311ad", + "https://git.kernel.org/stable/c/76a2c5df6ca8bd8ada45e953b8c72b746f42918d", + "https://git.kernel.org/stable/c/a51335704a3f90eaf23a6864faefca34b382490a", + "https://git.kernel.org/stable/c/d17269fb9161995303985ab2fe6f16cfb72152f9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: psi: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52844" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52845", + "dataSource": "https://ubuntu.com/security/CVE-2023-52845", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52845" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52845", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52845", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19b3f72a41a8751e26bffc093bb7e1cef29ad579", + "https://git.kernel.org/stable/c/2199260c42e6fbc5af8adae3bf78e623407c91b0", + "https://git.kernel.org/stable/c/2426425d686b43adbc4f2f4a367b494f06f159d6", + "https://git.kernel.org/stable/c/3907b89cd17fcc23e9a80789c36856f00ece0ba8", + "https://git.kernel.org/stable/c/4c731e98fe4d678e87ba3e4d45d3cf0a5a193dc4", + "https://git.kernel.org/stable/c/560992f41c0cea44b7603bc9e6c73bffbf6b5709", + "https://git.kernel.org/stable/c/6744008c354bca2e4686a5b6056ee6b535d9f67d", + "https://git.kernel.org/stable/c/abc1582119e8c4af14cedb0db6541fd603f45a04", + "https://git.kernel.org/stable/c/b33d130f07f1decd756b849ab03c23d11d4dd294" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Change nla_policy for bearer-related names to NLA_NUL_STRING\n\nsyzbot reported the following uninit-value access issue [1]:\n\n=====================================================\nBUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]\nBUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756\n strlen lib/string.c:418 [inline]\n strstr+0xb8/0x2f0 lib/string.c:756\n tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595\n genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]\n genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066\n netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\n netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n __alloc_skb+0x318/0x740 net/core/skbuff.c:650\n alloc_skb include/linux/skbuff.h:1286 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]\n netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTIPC bearer-related names including link names must be null-terminated\nstrings. If a link name which is not null-terminated is passed through\nnetlink, strstr() and similar functions can cause buffer overrun. This\ncauses the above issue.\n\nThis patch changes the nla_policy for bearer-related names from NLA_STRING\nto NLA_NUL_STRING. This resolves the issue by ensuring that only\nnull-terminated strings are accepted as bearer-related names.\n\nsyzbot reported similar uninit-value issue related to bearer names [2]. The\nroot cause of this issue is that a non-null-terminated bearer name was\npassed. This patch also resolved this issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52845" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52846", + "dataSource": "https://ubuntu.com/security/CVE-2023-52846", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52846" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52846", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52846", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1787b9f0729d318d67cf7c5a95f0c3dba9a7cc18", + "https://git.kernel.org/stable/c/6086258bd5ea7b5c706ff62da42b8e271b2401db", + "https://git.kernel.org/stable/c/876f8ab52363f649bcc74072157dfd7adfbabc0d", + "https://git.kernel.org/stable/c/a1a485e45d24b1cd8fe834fd6f1b06e2903827da", + "https://git.kernel.org/stable/c/d103fb6726904e353b4773188ee3d3acb4078363", + "https://git.kernel.org/stable/c/ddf4e04e946aaa6c458b8b6829617cc44af2bffd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Prevent use after free in prp_create_tagged_frame()\n\nThe prp_fill_rct() function can fail. In that situation, it frees the\nskb and returns NULL. Meanwhile on the success path, it returns the\noriginal skb. So it's straight forward to fix bug by using the returned\nvalue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52846" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52847", + "dataSource": "https://ubuntu.com/security/CVE-2023-52847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52847" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52847", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1871014d6ef4812ad11ef7d838d73ce09d632267", + "https://git.kernel.org/stable/c/20568d06f6069cb835e05eed432edf962645d226", + "https://git.kernel.org/stable/c/2f3d9198cdae1cb079ec8652f4defacd481eab2b", + "https://git.kernel.org/stable/c/51c94256a83fe4e17406c66ff3e1ad7d242d8574", + "https://git.kernel.org/stable/c/847599fffa528b2cdec4e21b6bf7586dad982132", + "https://git.kernel.org/stable/c/b35fdade92c5058a5e727e233fe263b828de2c9a", + "https://git.kernel.org/stable/c/bbc3b8dd2cb7817e703f112d988e4f4728f0f2a9", + "https://git.kernel.org/stable/c/bd5b50b329e850d467e7bcc07b2b6bde3752fbda" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: bttv: fix use after free error due to btv->timeout timer\n\nThere may be some a race condition between timer function\nbttv_irq_timeout and bttv_remove. The timer is setup in\nprobe and there is no timer_delete operation in remove\nfunction. When it hit kfree btv, the function might still be\ninvoked, which will cause use after free bug.\n\nThis bug is found by static analysis, it may be false positive.\n\nFix it by adding del_timer_sync invoking to the remove function.\n\ncpu0 cpu1\n bttv_probe\n ->timer_setup\n ->bttv_set_dma\n ->mod_timer;\nbttv_remove\n ->kfree(btv);\n ->bttv_irq_timeout\n ->USE btv", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52847" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52849", + "dataSource": "https://ubuntu.com/security/CVE-2023-52849", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52849" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52849", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52849", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ca074f7d788627a4e0b047ca5fbdb5fc567220c", + "https://git.kernel.org/stable/c/20bd0198bebdd706bd4614b3933ef70d7c19618f", + "https://git.kernel.org/stable/c/7c7371b41a14e86f53e7dbe5baa7b1d3e0ab324b", + "https://git.kernel.org/stable/c/88d3917f82ed4215a2154432c26de1480a61b209", + "https://git.kernel.org/stable/c/cad22a757029c3a1985c221a2d4a6491ad4035ae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mem: Fix shutdown order\n\nIra reports that removing cxl_mock_mem causes a crash with the following\ntrace:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000044\n [..]\n RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core]\n [..]\n Call Trace:\n \n cxl_region_detach+0xe8/0x210 [cxl_core]\n cxl_decoder_kill_region+0x27/0x40 [cxl_core]\n cxld_unregister+0x29/0x40 [cxl_core]\n devres_release_all+0xb8/0x110\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1d2/0x210\n bus_remove_device+0xd7/0x150\n device_del+0x155/0x3e0\n device_unregister+0x13/0x60\n devm_release_action+0x4d/0x90\n ? __pfx_unregister_port+0x10/0x10 [cxl_core]\n delete_endpoint+0x121/0x130 [cxl_core]\n devres_release_all+0xb8/0x110\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1d2/0x210\n bus_remove_device+0xd7/0x150\n device_del+0x155/0x3e0\n ? lock_release+0x142/0x290\n cdev_device_del+0x15/0x50\n cxl_memdev_unregister+0x54/0x70 [cxl_core]\n\nThis crash is due to the clearing out the cxl_memdev's driver context\n(@cxlds) before the subsystem is done with it. This is ultimately due to\nthe region(s), that this memdev is a member, being torn down and expecting\nto be able to de-reference @cxlds, like here:\n\nstatic int cxl_region_decode_reset(struct cxl_region *cxlr, int count)\n...\n if (cxlds->rcd)\n goto endpoint_reset;\n...\n\nFix it by keeping the driver context valid until memdev-device\nunregistration, and subsequently the entire stack of related\ndependencies, unwinds.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52849" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52852", + "dataSource": "https://ubuntu.com/security/CVE-2023-52852", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52852" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52852", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52852", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8c4504cc0c64862740a6acb301e0cfa59580dbc5", + "https://git.kernel.org/stable/c/932ddb5c29e884cc6fac20417ece72ba4a35c401", + "https://git.kernel.org/stable/c/9375ea7f269093d7c884857ae1f47633a91f429c", + "https://git.kernel.org/stable/c/9d065aa52b6ee1b06f9c4eca881c9b4425a12ba2", + "https://git.kernel.org/stable/c/b0327c84e91a0f4f0abced8cb83ec86a7083f086" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to avoid use-after-free on dic\n\nCall trace:\n __memcpy+0x128/0x250\n f2fs_read_multi_pages+0x940/0xf7c\n f2fs_mpage_readpages+0x5a8/0x624\n f2fs_readahead+0x5c/0x110\n page_cache_ra_unbounded+0x1b8/0x590\n do_sync_mmap_readahead+0x1dc/0x2e4\n filemap_fault+0x254/0xa8c\n f2fs_filemap_fault+0x2c/0x104\n __do_fault+0x7c/0x238\n do_handle_mm_fault+0x11bc/0x2d14\n do_mem_abort+0x3a8/0x1004\n el0_da+0x3c/0xa0\n el0t_64_sync_handler+0xc4/0xec\n el0t_64_sync+0x1b4/0x1b8\n\nIn f2fs_read_multi_pages(), once f2fs_decompress_cluster() was called if\nwe hit cached page in compress_inode's cache, dic may be released, it needs\nbreak the loop rather than continuing it, in order to avoid accessing\ninvalid dic pointer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52852" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52853", + "dataSource": "https://ubuntu.com/security/CVE-2023-52853", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52853" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52853", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52853", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/012d0c66f9392a99232ac28217229f32dd3a70cf", + "https://git.kernel.org/stable/c/3d959406c8fff2334d83d0c352d54fd6f5b2e7cd", + "https://git.kernel.org/stable/c/727203e6e7e7020e1246fc1628cbdb8d90177819", + "https://git.kernel.org/stable/c/bafb12b629b7c3ad59812dd1ac1b0618062e0e38", + "https://git.kernel.org/stable/c/df0daac2709473531d6a3472997cc65301ac06d6", + "https://git.kernel.org/stable/c/e3c2d2d144c082dd71596953193adf9891491f42", + "https://git.kernel.org/stable/c/eb1121fac7986b30915ba20c5a04cc01fdcf160c", + "https://git.kernel.org/stable/c/fb5718bc67337dde1528661f419ffcf275757592" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhid: cp2112: Fix duplicate workqueue initialization\n\nPreviously the cp2112 driver called INIT_DELAYED_WORK within\ncp2112_gpio_irq_startup, resulting in duplicate initilizations of the\nworkqueue on subsequent IRQ startups following an initial request. This\nresulted in a warning in set_work_data in workqueue.c, as well as a rare\nNULL dereference within process_one_work in workqueue.c.\n\nInitialize the workqueue within _probe instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52853" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52854", + "dataSource": "https://ubuntu.com/security/CVE-2023-52854", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52854" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52854", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52854", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0dd34a7ad395dbcf6ae60e48e9786050e25b9bc5", + "https://git.kernel.org/stable/c/1734a79e951914f1db2c65e635012a35db1c674b", + "https://git.kernel.org/stable/c/1e901bcb8af19416b65f5063a4af7996e5a51d7f", + "https://git.kernel.org/stable/c/41aad9d6953984d134fc50f631f24ef476875d4d", + "https://git.kernel.org/stable/c/7ddc21e317b360c3444de3023bcc83b85fabae2f", + "https://git.kernel.org/stable/c/c7c26d0ef5d20f00dbb2ae3befcabbe0efa77275" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix refcnt handling in padata_free_shell()\n\nIn a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead\nto system UAF (Use-After-Free) issues. Due to the lengthy analysis of\nthe pcrypt_aead01 function call, I'll describe the problem scenario\nusing a simplified model:\n\nSuppose there's a user of padata named `user_function` that adheres to\nthe padata requirement of calling `padata_free_shell` after `serial()`\nhas been invoked, as demonstrated in the following code:\n\n```c\nstruct request {\n struct padata_priv padata;\n struct completion *done;\n};\n\nvoid parallel(struct padata_priv *padata) {\n do_something();\n}\n\nvoid serial(struct padata_priv *padata) {\n struct request *request = container_of(padata,\n \t\t\t\tstruct request,\n\t\t\t\tpadata);\n complete(request->done);\n}\n\nvoid user_function() {\n DECLARE_COMPLETION(done)\n padata->parallel = parallel;\n padata->serial = serial;\n padata_do_parallel();\n wait_for_completion(&done);\n padata_free_shell();\n}\n```\n\nIn the corresponding padata.c file, there's the following code:\n\n```c\nstatic void padata_serial_worker(struct work_struct *serial_work) {\n ...\n cnt = 0;\n\n while (!list_empty(&local_list)) {\n ...\n padata->serial(padata);\n cnt++;\n }\n\n local_bh_enable();\n\n if (refcount_sub_and_test(cnt, &pd->refcnt))\n padata_free_pd(pd);\n}\n```\n\nBecause of the high system load and the accumulation of unexecuted\nsoftirq at this moment, `local_bh_enable()` in padata takes longer\nto execute than usual. Subsequently, when accessing `pd->refcnt`,\n`pd` has already been released by `padata_free_shell()`, resulting\nin a UAF issue with `pd->refcnt`.\n\nThe fix is straightforward: add `refcount_dec_and_test` before calling\n`padata_free_pd` in `padata_free_shell`.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52854" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52855", + "dataSource": "https://ubuntu.com/security/CVE-2023-52855", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52855" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52855", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52855", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/14c9ec34e8118fbffd7f5431814d767726323e72", + "https://git.kernel.org/stable/c/3e851a77a13ce944d703721793f49ee82622986d", + "https://git.kernel.org/stable/c/64c47749fc7507ed732e155c958253968c1d275e", + "https://git.kernel.org/stable/c/6b21a22728852d020a6658d39cd7bb7e14b07790", + "https://git.kernel.org/stable/c/a7bee9598afb38004841a41dd8fe68c1faff4e90", + "https://git.kernel.org/stable/c/bdb3dd4096302d6b87441fdc528439f171b04be6", + "https://git.kernel.org/stable/c/ef307bc6ef04e8c1ea843231db58e3afaafa9fa6", + "https://git.kernel.org/stable/c/fcaafb574fc88a52dce817f039f7ff2f9da38001", + "https://git.kernel.org/stable/c/fed492aa6493a91a77ebd51da6fb939c98d94a0d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: fix possible NULL pointer dereference caused by driver concurrency\n\nIn _dwc2_hcd_urb_enqueue(), \"urb->hcpriv = NULL\" is executed without\nholding the lock \"hsotg->lock\". In _dwc2_hcd_urb_dequeue():\n\n spin_lock_irqsave(&hsotg->lock, flags);\n ...\n\tif (!urb->hcpriv) {\n\t\tdev_dbg(hsotg->dev, \"## urb->hcpriv is NULL ##\\n\");\n\t\tgoto out;\n\t}\n rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv\n ...\nout:\n spin_unlock_irqrestore(&hsotg->lock, flags);\n\nWhen _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are\nconcurrently executed, the NULL check of \"urb->hcpriv\" can be executed\nbefore \"urb->hcpriv = NULL\". After urb->hcpriv is NULL, it can be used\nin the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL\npointer dereference.\n\nThis possible bug is found by an experimental static analysis tool\ndeveloped by myself. This tool analyzes the locking APIs to extract\nfunction pairs that can be concurrently executed, and then analyzes the\ninstructions in the paired functions to identify possible concurrency\nbugs including data races and atomicity violations. The above possible\nbug is reported, when my tool analyzes the source code of Linux 6.5.\n\nTo fix this possible bug, \"urb->hcpriv = NULL\" should be executed with\nholding the lock \"hsotg->lock\". After using this patch, my tool never\nreports the possible bug, with the kernelconfiguration allyesconfig for\nx86_64. Because I have no associated hardware, I cannot test the patch\nin runtime testing, and just verify it according to the code logic.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52855" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52856", + "dataSource": "https://ubuntu.com/security/CVE-2023-52856", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52856" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52856", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52856", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/42071feab712ba2a139b8928f7e0f8d3a6fc719e", + "https://git.kernel.org/stable/c/44283993144a03af9df31934d6c32bbd42d1a347", + "https://git.kernel.org/stable/c/7bf0cb8f40280a85034990dfe42be8ca8f80f37a", + "https://git.kernel.org/stable/c/b65e3249f3ca96e3c736af889461d80d675feab6", + "https://git.kernel.org/stable/c/fcd9895e365474709844eeb31cfe53d912c3596e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: lt8912b: Fix crash on bridge detach\n\nThe lt8912b driver, in its bridge detach function, calls\ndrm_connector_unregister() and drm_connector_cleanup().\n\ndrm_connector_unregister() should be called only for connectors\nexplicitly registered with drm_connector_register(), which is not the\ncase in lt8912b.\n\nThe driver's drm_connector_funcs.destroy hook is set to\ndrm_connector_cleanup().\n\nThus the driver should not call either drm_connector_unregister() nor\ndrm_connector_cleanup() in its lt8912_bridge_detach(), as they cause a\ncrash on bridge detach:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\nMem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000\n[0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\nModules linked in: tidss(-) display_connector lontium_lt8912b tc358768 panel_lvds panel_simple drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks\nCPU: 3 PID: 462 Comm: rmmod Tainted: G W 6.5.0-rc2+ #2\nHardware name: Toradex Verdin AM62 on Verdin Development Board (DT)\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : drm_connector_cleanup+0x78/0x2d4 [drm]\nlr : lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\nsp : ffff800082ed3a90\nx29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000\nx26: 0000000000000000 x25: dead000000000122 x24: dead000000000122\nx23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000\nx20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8\nx17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038\nx14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e\nx11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48\nx8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n drm_connector_cleanup+0x78/0x2d4 [drm]\n lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\n drm_bridge_detach+0x44/0x84 [drm]\n drm_encoder_cleanup+0x40/0xb8 [drm]\n drmm_encoder_alloc_release+0x1c/0x30 [drm]\n drm_managed_release+0xac/0x148 [drm]\n drm_dev_put.part.0+0x88/0xb8 [drm]\n devm_drm_dev_init_release+0x14/0x24 [drm]\n devm_action_release+0x14/0x20\n release_nodes+0x5c/0x90\n devres_release_all+0x8c/0xe0\n device_unbind_cleanup+0x18/0x68\n device_release_driver_internal+0x208/0x23c\n driver_detach+0x4c/0x94\n bus_remove_driver+0x70/0xf4\n driver_unregister+0x30/0x60\n platform_driver_unregister+0x14/0x20\n tidss_platform_driver_exit+0x18/0xb2c [tidss]\n __arm64_sys_delete_module+0x1a0/0x2b4\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0x60/0x10c\n do_el0_svc_compat+0x1c/0x40\n el0_svc_compat+0x40/0xac\n el0t_32_sync_handler+0xb0/0x138\n el0t_32_sync+0x194/0x198\nCode: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52856" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52857", + "dataSource": "https://ubuntu.com/security/CVE-2023-52857", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52857" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52857", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52857", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d8a1df39d3fc34560e2cc663b5c340d06a25396", + "https://git.kernel.org/stable/c/96312a251d4dcee5d36e32edba3002bfde0ddd9c", + "https://git.kernel.org/stable/c/b0b0d811eac6b4c52cb9ad632fa6384cf48869e7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix coverity issue with unintentional integer overflow\n\n1. Instead of multiplying 2 variable of different types. Change to\nassign a value of one variable and then multiply the other variable.\n\n2. Add a int variable for multiplier calculation instead of calculating\ndifferent types multiplier with dma_addr_t variable directly.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52857" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52858", + "dataSource": "https://ubuntu.com/security/CVE-2023-52858", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52858" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52858", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52858", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1d89430fc3158f872d492f1b88d07262f48290c0", + "https://git.kernel.org/stable/c/2befa515c1bb6cdd33c262b909d93d1973a219aa", + "https://git.kernel.org/stable/c/4f861b63945e076f9f003a5fad958174096df1ee", + "https://git.kernel.org/stable/c/5fbea47eebff5daeca7d918c99289bcd3ae4dc8d", + "https://git.kernel.org/stable/c/a836efc21ef04608333d6d05753e558ebd1f85d0", + "https://git.kernel.org/stable/c/e8ae4b49dd9cfde69d8de8c0c0cd7cf1b004482e", + "https://git.kernel.org/stable/c/e964d21dc034b650d719c4ea39564bec72b42f94" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52858" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52859", + "dataSource": "https://ubuntu.com/security/CVE-2023-52859", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52859" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52859", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52859", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e1e88bba286621b886218363de07b319d6208b2", + "https://git.kernel.org/stable/c/3405f364f82d4f5407a8b4c519dc15d24b847fda", + "https://git.kernel.org/stable/c/75bab28ffd05ec8879c197890b1bd1dfec8d3f63", + "https://git.kernel.org/stable/c/b660420f449d094b1fabfa504889810b3a63cdd5", + "https://git.kernel.org/stable/c/b805cafc604bfdb671fae7347a57f51154afa735" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: hisi: Fix use-after-free when register pmu fails\n\nWhen we fail to register the uncore pmu, the pmu context may not been\nallocated. The error handing will call cpuhp_state_remove_instance()\nto call uncore pmu offline callback, which migrate the pmu context.\nSince that's liable to lead to some kind of use-after-free.\n\nUse cpuhp_state_remove_instance_nocalls() instead of\ncpuhp_state_remove_instance() so that the notifiers don't execute after\nthe PMU device has been failed to register.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52859" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52863", + "dataSource": "https://ubuntu.com/security/CVE-2023-52863", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52863" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52863", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52863", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2a5b3370a1d9750eca325292e291c8c7cb8cf2e0", + "https://git.kernel.org/stable/c/33de53a2706066d526173dc743faf43d92c62105", + "https://git.kernel.org/stable/c/7d870088db4863c514a7f8751cd593751983029a", + "https://git.kernel.org/stable/c/b3e7eb23a6e97642ff3190431c06475d9ca1e062", + "https://git.kernel.org/stable/c/c49f14cc1bb12c625a1c572e8a95b6adefd4d8eb", + "https://git.kernel.org/stable/c/f62b8969847850ba7596cb145cc47c65ea57dae0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (axi-fan-control) Fix possible NULL pointer dereference\n\naxi_fan_control_irq_handler(), dependent on the private\naxi_fan_control_data structure, might be called before the hwmon\ndevice is registered. That will cause an \"Unable to handle kernel\nNULL pointer dereference\" error.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52863" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52864", + "dataSource": "https://ubuntu.com/security/CVE-2023-52864", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52864" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52864", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52864", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/36d85fa7ae0d6be651c1a745191fa7ef055db43e", + "https://git.kernel.org/stable/c/44a96796d25809502c75771d40ee693c2e44724e", + "https://git.kernel.org/stable/c/9fb0eed09e1470cd4021ff52b2b9dfcbcee4c203", + "https://git.kernel.org/stable/c/cf098e937dd125c0317a0d6f261ac2a950a233d6", + "https://git.kernel.org/stable/c/d426a2955e45a95b2282764105fcfb110a540453", + "https://git.kernel.org/stable/c/e0bf076b734a2fab92d8fddc2b8b03462eee7097", + "https://git.kernel.org/stable/c/eba9ac7abab91c8f6d351460239108bef5e7a0b6", + "https://git.kernel.org/stable/c/fb7b06b59c6887659c6ed0ecd3110835eecbb6a3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: wmi: Fix opening of char device\n\nSince commit fa1f68db6ca7 (\"drivers: misc: pass miscdevice pointer via\nfile private data\"), the miscdevice stores a pointer to itself inside\nfilp->private_data, which means that private_data will not be NULL when\nwmi_char_open() is called. This might cause memory corruption should\nwmi_char_open() be unable to find its driver, something which can\nhappen when the associated WMI device is deleted in wmi_free_devices().\n\nFix the problem by using the miscdevice pointer to retrieve the WMI\ndevice data associated with a char device using container_of(). This\nalso avoids wmi_char_open() picking a wrong WMI device bound to a\ndriver with the same name as the original driver.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52864" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52865", + "dataSource": "https://ubuntu.com/security/CVE-2023-52865", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52865" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52865", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52865", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/122ac6496e4975ddd7ec1edba4f6fc1e15e39478", + "https://git.kernel.org/stable/c/2705c5b97f504e831ae1935c05f0e44f80dfa6b3", + "https://git.kernel.org/stable/c/357df1c2f6ace96defd557fad709ed1f9f70e16c", + "https://git.kernel.org/stable/c/3aefc6fcfbada57fac27f470602d5565e5b76cb4", + "https://git.kernel.org/stable/c/4c79cbfb8e9e2311be77182893fda5ea4068c836", + "https://git.kernel.org/stable/c/606f6366a35a3329545e38129804d65ef26ed7d2", + "https://git.kernel.org/stable/c/81b16286110728674dcf81137be0687c5055e7bf", + "https://git.kernel.org/stable/c/be3f12f16038a558f08fa93cc32fa715746a5235", + "https://git.kernel.org/stable/c/c26feedbc561f2a3cee1a4f717e61bdbdfb4fa92" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52865" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52867", + "dataSource": "https://ubuntu.com/security/CVE-2023-52867", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52867" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52867", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52867", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/112d4b02d94bf9fa4f1d3376587878400dd74783", + "https://git.kernel.org/stable/c/19534a7a225f1bf2da70a9a90d41d0215f8f6b45", + "https://git.kernel.org/stable/c/341e79f8aec6af6b0061b8171d77b085835c6a58", + "https://git.kernel.org/stable/c/347f025a02b3a5d715a0b471fc3b1439c338ad94", + "https://git.kernel.org/stable/c/7b063c93bece827fde237fae1c101bceeee4e896", + "https://git.kernel.org/stable/c/caaa74541459c4c9e2c10046cf66ad2890483d0f", + "https://git.kernel.org/stable/c/d9b4fa249deaae1145d6fc2b64dae718e5c7a855", + "https://git.kernel.org/stable/c/dd05484f99d16715a88eedfca363828ef9a4c2d4", + "https://git.kernel.org/stable/c/ddc42881f170f1f518496f5a70447501335fc783" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: possible buffer overflow\n\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\nchecked after access.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52867" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52868", + "dataSource": "https://ubuntu.com/security/CVE-2023-52868", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52868" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52868", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52868", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f6b3be28c4d62ef6498133959c72266629bea97", + "https://git.kernel.org/stable/c/3091ab943dfc7b2578599b0fe203350286fab5bb", + "https://git.kernel.org/stable/c/3a8f4e58e1ee707b4f46a1000b40b86ea3dd509c", + "https://git.kernel.org/stable/c/3f795fb35c2d8a637efe76b4518216c9319b998c", + "https://git.kernel.org/stable/c/6ad1bf47fbe5750c4d5d8e41337665e193e2c521", + "https://git.kernel.org/stable/c/77ff34a56b695e228e6daf30ee30be747973d6e8", + "https://git.kernel.org/stable/c/b55f0a9f865be75ca1019aad331f3225f7b50ce8", + "https://git.kernel.org/stable/c/c99626092efca3061b387043d4a7399bf75fbdd5", + "https://git.kernel.org/stable/c/edbd6bbe40ac524a8f2273ffacc53edf14f3c686" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: prevent potential string overflow\n\nThe dev->id value comes from ida_alloc() so it's a number between zero\nand INT_MAX. If it's too high then these sprintf()s will overflow.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52868" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52869", + "dataSource": "https://ubuntu.com/security/CVE-2023-52869", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52869" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52869", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52869", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1c426da79f9fc7b761021b5eb44185ba119cd44a", + "https://git.kernel.org/stable/c/379b120e4f27fd1cf636a5f85570c4d240a3f688", + "https://git.kernel.org/stable/c/63f637309baadf81a095f2653e3b807d4b5814b9", + "https://git.kernel.org/stable/c/a19d48f7c5d57c0f0405a7d4334d1d38fe9d3c1c", + "https://git.kernel.org/stable/c/ad5cb6deb41417ef41b9d6ff54f789212108606f", + "https://git.kernel.org/stable/c/bb166bdae1a7d7db30e9be7e6ccaba606debc05f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/platform: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52869" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52870", + "dataSource": "https://ubuntu.com/security/CVE-2023-52870", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52870" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52870", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52870", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10cc81124407d862f0f747db4baa9c006510b480", + "https://git.kernel.org/stable/c/2617aa8ceaf30e41d3eb7f5fef3445542bef193a", + "https://git.kernel.org/stable/c/533ca5153ad6c7b7d47ae0114b14d0333964b946", + "https://git.kernel.org/stable/c/b5ff3e89b4e7f46ad2aa0de7e08d18e6f87d71bc", + "https://git.kernel.org/stable/c/b82681042724924ae3ba0f2f2eeec217fa31e830", + "https://git.kernel.org/stable/c/dd1f30d68fa98eb672c0a259297b761656a9025f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52870" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52871", + "dataSource": "https://ubuntu.com/security/CVE-2023-52871", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52871" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52871", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52871", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1143bfb9b055897975aeaea254da148e19524493", + "https://git.kernel.org/stable/c/3565684309e54fa998ea27f37028d67cc3e1dff2", + "https://git.kernel.org/stable/c/5e5b85ea0f4bc484bfe4cc73ead51fa48d2366a0", + "https://git.kernel.org/stable/c/995ee1e84e8db7fa5dcdde7dfe0bd7bb6f9bbb8c", + "https://git.kernel.org/stable/c/cc1a1dcb411fe224f48553cfdcdfe6e61395b69c", + "https://git.kernel.org/stable/c/f0ef883cae309bc5e8cdfcdbc1b4822732ce20a8", + "https://git.kernel.org/stable/c/f1a1bc8775b26345aba2be278118999e7f661d3d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: llcc: Handle a second device without data corruption\n\nUsually there is only one llcc device. But if there were a second, even\na failed probe call would modify the global drv_data pointer. So check\nif drv_data is valid before overwriting it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52871" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52872", + "dataSource": "https://ubuntu.com/security/CVE-2023-52872", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52872" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52872", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52872", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890", + "https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243", + "https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444", + "https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a", + "https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix race condition in status line change on dead connections\n\ngsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all\ntimers, removing the virtual tty devices and clearing the data queues.\nThis procedure, however, may cause subsequent changes of the virtual modem\nstatus lines of a DLCI. More data is being added the outgoing data queue\nand the deleted kick timer is restarted to handle this. At this point many\nresources have already been removed by the cleanup procedure. Thus, a\nkernel panic occurs.\n\nFix this by proving in gsm_modem_update() that the cleanup procedure has\nnot been started and the mux is still alive.\n\nNote that writing to a virtual tty is already protected by checks against\nthe DLCI specific connection state.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52872" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52873", + "dataSource": "https://ubuntu.com/security/CVE-2023-52873", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52873" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52873", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52873", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1f57f78fbacf630430bf954e5a84caafdfea30c0", + "https://git.kernel.org/stable/c/3994387ba3564976731179c4d4a6d7850ddda71a", + "https://git.kernel.org/stable/c/a90239551abc181687f8c0ba60b276f7d75c141e", + "https://git.kernel.org/stable/c/ca6d565a2319d69d9766e6ecbb5af827fc4afb2b", + "https://git.kernel.org/stable/c/df1c4a9efa3f5b6fb5e0ae63890230dbe2190b7e", + "https://git.kernel.org/stable/c/f6a7c51cf07a399ec067d39f0a22f1817c5c7d2b", + "https://git.kernel.org/stable/c/fbe466f06d4ea18745da0d57540539b7b36936ae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52873" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52875", + "dataSource": "https://ubuntu.com/security/CVE-2023-52875", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52875" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52875", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52875", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/001e5def774fa1a8f2b29567c0b0cd3e3a859a96", + "https://git.kernel.org/stable/c/0d6e24b422a2166a9297a8286ff2e6ab9a5e8cd3", + "https://git.kernel.org/stable/c/1953e62366da5460dc712e045f94fb0d8918999d", + "https://git.kernel.org/stable/c/1bf9c204aef4cc55ce46a7ff2d4dc7e5f86551a7", + "https://git.kernel.org/stable/c/2a18dd653284550900b02107c3c7b3ac5e0eb802", + "https://git.kernel.org/stable/c/6fccee2af400edaed9cf349d506c5971d4762739", + "https://git.kernel.org/stable/c/d1175cf4bd2b4c5f7c43f677ea1ce9ad2c18d055", + "https://git.kernel.org/stable/c/d1461f0c9ca0827c03730fe9652ebbf6316a2a95", + "https://git.kernel.org/stable/c/e61934720af4a58ffd43a63ffdd6f3a0bd7d7b47" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52875" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52876", + "dataSource": "https://ubuntu.com/security/CVE-2023-52876", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52876" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52876", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52876", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0884393c63cc9a1772f7121a6645ba7bd76feeb9", + "https://git.kernel.org/stable/c/1639072f6260babd017556e9f236ca2ad589d1e7", + "https://git.kernel.org/stable/c/96e9544a0c4faca616b3f9f4034dcd83a14e7f22", + "https://git.kernel.org/stable/c/a540ca0aeae83c2f3964bcb4e383f64ce2ec1783", + "https://git.kernel.org/stable/c/b20cfe007a46f8c165d42a05c50a8d3d893e6592", + "https://git.kernel.org/stable/c/c4070ada5d5155c8d4d17ea64bd246949889f25b", + "https://git.kernel.org/stable/c/cfa68e0ac5dcde43577adadf6f0f26f3b365ad68" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52876" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52877", + "dataSource": "https://ubuntu.com/security/CVE-2023-52877", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52877" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52877", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52877", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4987daf86c152ff882d51572d154ad12e4ff3a4b", + "https://git.kernel.org/stable/c/9ee038590d808a95d16adf92818dcd4752273c08", + "https://git.kernel.org/stable/c/b37a168c0137156042a0ca9626651b5a789e822b", + "https://git.kernel.org/stable/c/e5f53a68a596e04df3fde3099273435a30b6fdac", + "https://git.kernel.org/stable/c/e7a802447c491903aa7cb45967aa2a934a4e63fc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()\n\nIt is possible that typec_register_partner() returns ERR_PTR on failure.\nWhen port->partner is an error, a NULL pointer dereference may occur as\nshown below.\n\n[91222.095236][ T319] typec port0: failed to register partner (-17)\n...\n[91225.061491][ T319] Unable to handle kernel NULL pointer dereference\nat virtual address 000000000000039f\n[91225.274642][ T319] pc : tcpm_pd_data_request+0x310/0x13fc\n[91225.274646][ T319] lr : tcpm_pd_data_request+0x298/0x13fc\n[91225.308067][ T319] Call trace:\n[91225.308070][ T319] tcpm_pd_data_request+0x310/0x13fc\n[91225.308073][ T319] tcpm_pd_rx_handler+0x100/0x9e8\n[91225.355900][ T319] kthread_worker_fn+0x178/0x58c\n[91225.355902][ T319] kthread+0x150/0x200\n[91225.355905][ T319] ret_from_fork+0x10/0x30\n\nAdd a check for port->partner to avoid dereferencing a NULL pointer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52877" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52878", + "dataSource": "https://ubuntu.com/security/CVE-2023-52878", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52878" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52878", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52878", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4", + "https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc", + "https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057", + "https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444", + "https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds\n\nIf the \"struct can_priv::echoo_skb\" is accessed out of bounds, this\nwould cause a kernel crash. Instead, issue a meaningful warning\nmessage and return with an error.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52878" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52879", + "dataSource": "https://ubuntu.com/security/CVE-2023-52879", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52879" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52879", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52879", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706", + "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976", + "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d", + "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e", + "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f", + "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4", + "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have trace_event_file have ref counters\n\nThe following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\n\nThe above commands:\n\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\n\nThe above causes a crash!\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\n\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\n\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\n\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52879" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52880", + "dataSource": "https://ubuntu.com/security/CVE-2023-52880", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52880" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52880", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52880", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b85977977cbd120591b23c2450e90a5806a7167", + "https://git.kernel.org/stable/c/2d154a54c58f9c8375bfbea9f7e51ba3bfb2e43a", + "https://git.kernel.org/stable/c/67c37756898a5a6b2941a13ae7260c89b54e0d88", + "https://git.kernel.org/stable/c/7a529c9023a197ab3bf09bb95df32a3813f7ba58", + "https://git.kernel.org/stable/c/7d303dee473ba3529d75b63491e9963342107bed", + "https://git.kernel.org/stable/c/ada28eb4b9561aab93942f3224a2e41d76fe57fa", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\n\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\nCAP_NET_ADMIN to create a GSM network anyway.\n\nRequire initial namespace CAP_NET_ADMIN to do that.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2023-52880" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52881", + "dataSource": "https://ubuntu.com/security/CVE-2023-52881", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52881" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52881", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52881", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/008b807fe487e0b15a3a6c39add4eb477f73e440", + "https://git.kernel.org/stable/c/0d4e0afdd6658cd21dd5be61880411a2553fd1fc", + "https://git.kernel.org/stable/c/2087d53a66e97a5eb5d1bf558d5bef9e5f891757", + "https://git.kernel.org/stable/c/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27", + "https://git.kernel.org/stable/c/458f07ffeccd17f99942311e09ef574ddf4a414a", + "https://git.kernel.org/stable/c/69eae75ca5255e876628ac5cee9eaab31f644b57", + "https://git.kernel.org/stable/c/7ffff0cc929fdfc62a74b384c4903d6496c910f0", + "https://git.kernel.org/stable/c/b17a886ed29f3b70b78ccf632dad03e0c69e3c1a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: do not accept ACK of bytes we never sent\n\nThis patch is based on a detailed report and ideas from Yepeng Pan\nand Christian Rossow.\n\nACK seq validation is currently following RFC 5961 5.2 guidelines:\n\n The ACK value is considered acceptable only if\n it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=\n SND.NXT). All incoming segments whose ACK value doesn't satisfy the\n above condition MUST be discarded and an ACK sent back. It needs to\n be noted that RFC 793 on page 72 (fifth check) says: \"If the ACK is a\n duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK\n acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an\n ACK, drop the segment, and return\". The \"ignored\" above implies that\n the processing of the incoming data segment continues, which means\n the ACK value is treated as acceptable. This mitigation makes the\n ACK check more stringent since any ACK < SND.UNA wouldn't be\n accepted, instead only ACKs that are in the range ((SND.UNA -\n MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.\n\nThis can be refined for new (and possibly spoofed) flows,\nby not accepting ACK for bytes that were never sent.\n\nThis greatly improves TCP security at a little cost.\n\nI added a Fixes: tag to make sure this patch will reach stable trees,\neven if the 'blamed' patch was adhering to the RFC.\n\ntp->bytes_acked was added in linux-4.2\n\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\nthe issue at hand:\n\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\n+0 bind(3, ..., ...) = 0\n+0 listen(3, 1024) = 0\n\n// ---------------- Handshake ------------------- //\n\n// when window scale is set to 14 the window size can be extended to\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\n// ,though this ack number acknowledges some data never\n// sent by the server.\n\n+0 < S 0:0(0) win 65535 \n+0 > S. 0:0(0) ack 1 <...>\n+0 < . 1:1(0) ack 1 win 65535\n+0 accept(3, ..., ...) = 4\n\n// For the established connection, we send an ACK packet,\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\n// where 2^32 is used to wrap around.\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\n// edge cases.\n// 1 - 1073725300 + 2^32 = 3221241997\n\n// Oops, old kernels happily accept this packet.\n+0 < . 1:1001(1000) ack 3221241997 win 65535\n\n// After the kernel fix the following will be replaced by a challenge ACK,\n// and prior malicious frame would be dropped.\n+0 > . 1:1(0) ack 1001", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52881" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52882", + "dataSource": "https://ubuntu.com/security/CVE-2023-52882", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52882" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52882", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52882", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0b82eb134d2942ecc669e2ab2be3f0a58d79428a", + "https://git.kernel.org/stable/c/70f64cb29014e4c4f1fabd3265feebd80590d069", + "https://git.kernel.org/stable/c/7e91ed763dc07437777bd012af7a2bd4493731ff", + "https://git.kernel.org/stable/c/9708e5081cfc4f085690294163389bcf82655f90", + "https://git.kernel.org/stable/c/bfc78b4628497eb6df09a6b5bba9dd31616ee175", + "https://git.kernel.org/stable/c/f1fa9a9816204ac4b118b2e613d3a7c981355019", + "https://git.kernel.org/stable/c/fe11826ffa200e1a7a826e745163cb2f47875f66", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\n\nWhile PLL CPUX clock rate change when CPU is running from it works in\nvast majority of cases, now and then it causes instability. This leads\nto system crashes and other undefined behaviour. After a lot of testing\n(30+ hours) while also doing a lot of frequency switches, we can't\nobserve any instability issues anymore when doing reparenting to stable\nclock like 24 MHz oscillator.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2023-52882" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52884", + "dataSource": "https://ubuntu.com/security/CVE-2023-52884", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52884" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52884", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52884", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7b4e0b39182cf5e677c1fc092a3ec40e621c25b6", + "https://git.kernel.org/stable/c/9400caf566f65c703e99d95f87b00c4b445627a7", + "https://git.kernel.org/stable/c/a4c638ab25786bd5aab5978fe51b2b9be16a4ebd", + "https://git.kernel.org/stable/c/a5fc298fa8f67cf1f0e1fc126eab70578cd40adc", + "https://git.kernel.org/stable/c/f99809fdeb50d65bcbc1661ef391af94eebb8a75" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cyapa - add missing input core locking to suspend/resume functions\n\nGrab input->mutex during suspend/resume functions like it is done in\nother input drivers. This fixes the following warning during system\nsuspend/resume cycle on Samsung Exynos5250-based Snow Chromebook:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---\n...\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52884" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52885", + "dataSource": "https://ubuntu.com/security/CVE-2023-52885", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52885" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52885", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52885", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b", + "https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f", + "https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428", + "https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065", + "https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254", + "https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e", + "https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee", + "https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix UAF in svc_tcp_listen_data_ready()\n\nAfter the listener svc_sock is freed, and before invoking svc_tcp_accept()\nfor the established child sock, there is a window that the newsock\nretaining a freed listener svc_sock in sk_user_data which cloning from\nparent. In the race window, if data is received on the newsock, we will\nobserve use-after-free report in svc_tcp_listen_data_ready().\n\nReproduce by two tasks:\n\n1. while :; do rpc.nfsd 0 ; rpc.nfsd; done\n2. while :; do echo \"\" | ncat -4 127.0.0.1 2049 ; done\n\nKASAN report:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n Read of size 8 at addr ffff888139d96228 by task nc/102553\n CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n Call Trace:\n \n dump_stack_lvl+0x33/0x50\n print_address_description.constprop.0+0x27/0x310\n print_report+0x3e/0x70\n kasan_report+0xae/0xe0\n svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n tcp_data_queue+0x9f4/0x20e0\n tcp_rcv_established+0x666/0x1f60\n tcp_v4_do_rcv+0x51c/0x850\n tcp_v4_rcv+0x23fc/0x2e80\n ip_protocol_deliver_rcu+0x62/0x300\n ip_local_deliver_finish+0x267/0x350\n ip_local_deliver+0x18b/0x2d0\n ip_rcv+0x2fb/0x370\n __netif_receive_skb_one_core+0x166/0x1b0\n process_backlog+0x24c/0x5e0\n __napi_poll+0xa2/0x500\n net_rx_action+0x854/0xc90\n __do_softirq+0x1bb/0x5de\n do_softirq+0xcb/0x100\n \n \n ...\n \n\n Allocated by task 102371:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_kmalloc+0x7b/0x90\n svc_setup_socket+0x52/0x4f0 [sunrpc]\n svc_addsock+0x20d/0x400 [sunrpc]\n __write_ports_addfd+0x209/0x390 [nfsd]\n write_ports+0x239/0x2c0 [nfsd]\n nfsctl_transaction_write+0xac/0x110 [nfsd]\n vfs_write+0x1c3/0xae0\n ksys_write+0xed/0x1c0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\n Freed by task 102551:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x50\n __kasan_slab_free+0x106/0x190\n __kmem_cache_free+0x133/0x270\n svc_xprt_free+0x1e2/0x350 [sunrpc]\n svc_xprt_destroy_all+0x25a/0x440 [sunrpc]\n nfsd_put+0x125/0x240 [nfsd]\n nfsd_svc+0x2cb/0x3c0 [nfsd]\n write_threads+0x1ac/0x2a0 [nfsd]\n nfsctl_transaction_write+0xac/0x110 [nfsd]\n vfs_write+0x1c3/0xae0\n ksys_write+0xed/0x1c0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nFix the UAF by simply doing nothing in svc_tcp_listen_data_ready()\nif state != TCP_LISTEN, that will avoid dereferencing svsk for all\nchild socket.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52885" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52886", + "dataSource": "https://ubuntu.com/security/CVE-2023-52886", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52886" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52886", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52886", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/7fe9d87996062f5eb0ca476ad0257f79bf43aaf5", + "https://git.kernel.org/stable/c/8186596a663506b1124bede9fde6f243ef9f37ee", + "https://git.kernel.org/stable/c/9d241c5d9a9b7ad95c90c6520272fe404d5ac88f", + "https://git.kernel.org/stable/c/b4a074b1fb222164ed7d5c0b8c922dc4a0840848", + "https://git.kernel.org/stable/c/b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5", + "https://git.kernel.org/stable/c/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix race by not overwriting udev->descriptor in hub_port_init()\n\nSyzbot reported an out-of-bounds read in sysfs.c:read_descriptors():\n\nBUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\nRead of size 8 at addr ffff88801e78b8c8 by task udevd/5011\n\nCPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\n print_report mm/kasan/report.c:462 [inline]\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\n read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\n...\nAllocated by task 758:\n...\n __do_kmalloc_node mm/slab_common.c:966 [inline]\n __kmalloc+0x5e/0x190 mm/slab_common.c:979\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:680 [inline]\n usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887\n usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]\n usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545\n\nAs analyzed by Khazhy Kumykov, the cause of this bug is a race between\nread_descriptors() and hub_port_init(): The first routine uses a field\nin udev->descriptor, not expecting it to change, while the second\noverwrites it.\n\nPrior to commit 45bf39f8df7f (\"USB: core: Don't hold device lock while\nreading the \"descriptors\" sysfs file\") this race couldn't occur,\nbecause the routines were mutually exclusive thanks to the device\nlocking. Removing that locking from read_descriptors() exposed it to\nthe race.\n\nThe best way to fix the bug is to keep hub_port_init() from changing\nudev->descriptor once udev has been initialized and registered.\nDrivers expect the descriptors stored in the kernel to be immutable;\nwe should not undermine this expectation. In fact, this change should\nhave been made long ago.\n\nSo now hub_port_init() will take an additional argument, specifying a\nbuffer in which to store the device descriptor it reads. (If udev has\nnot yet been initialized, the buffer pointer will be NULL and then\nhub_port_init() will store the device descriptor in udev as before.)\nThis eliminates the data race responsible for the out-of-bounds read.\n\nThe changes to hub_port_init() appear more extensive than they really\nare, because of indentation changes resulting from an attempt to avoid\nwriting to other parts of the usb_device structure after it has been\ninitialized. Similar changes should be made to the code that reads\nthe BOS descriptor, but that can be handled in a separate patch later\non. This patch is sufficient to fix the bug found by syzbot.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 0.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52886" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52887", + "dataSource": "https://ubuntu.com/security/CVE-2023-52887", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52887" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52887", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52887", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0bc0a7416ea73f79f915c9a05ac0858dff65cfed", + "https://git.kernel.org/stable/c/1762ca80c2b72dd1b5821c5e347713ae696276ea", + "https://git.kernel.org/stable/c/177e33b655d35d72866b50aec84307119dc5f3d4", + "https://git.kernel.org/stable/c/26b18dd30e63d4fd777be429148e8e4ed66f60b2", + "https://git.kernel.org/stable/c/d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb", + "https://git.kernel.org/stable/c/ed581989d7ea9df6f8646beba2341e32cd49a1f9", + "https://git.kernel.org/stable/c/f6c839e717901dbd6b1c1ca807b6210222eb70f6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new\n\nThis patch enhances error handling in scenarios with RTS (Request to\nSend) messages arriving closely. It replaces the less informative WARN_ON_ONCE\nbacktraces with a new error handling method. This provides clearer error\nmessages and allows for the early termination of problematic sessions.\nPreviously, sessions were only released at the end of j1939_xtp_rx_rts().\n\nPotentially this could be reproduced with something like:\ntestj1939 -r vcan0:0x80 &\nwhile true; do\n\t# send first RTS\n\tcansend vcan0 18EC8090#1014000303002301;\n\t# send second RTS\n\tcansend vcan0 18EC8090#1014000303002301;\n\t# send abort\n\tcansend vcan0 18EC8090#ff00000000002301;\ndone", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52887" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52888", + "dataSource": "https://ubuntu.com/security/CVE-2023-52888", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52888" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52888", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52888", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/303d01082edaf817ee2df53a40dca9da637a2c04", + "https://git.kernel.org/stable/c/5c217253c76c94f76d1df31d0bbdcb88dc07be91", + "https://git.kernel.org/stable/c/eb005c801ec70ff4307727bd3bd6e8280169ef32" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Only free buffer VA that is not NULL\n\nIn the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly\ncalled only when the buffer to free exists, there are some instances\nthat didn't do the check and triggered warnings in practice.\n\nWe believe those checks were forgotten unintentionally. Add the checks\nback to fix the warnings.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52888" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52889", + "dataSource": "https://ubuntu.com/security/CVE-2023-52889", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52889" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52889", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52889", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1", + "https://git.kernel.org/stable/c/290a6b88e8c19b6636ed1acc733d1458206f7697", + "https://git.kernel.org/stable/c/347dcb84a4874b5fb375092c08d8cc4069b94f81", + "https://git.kernel.org/stable/c/46c17ead5b7389e22e7dc9903fd0ba865d05bda2", + "https://git.kernel.org/stable/c/6c920754f62cefc63fccdc38a062c7c3452e2961", + "https://git.kernel.org/stable/c/ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2", + "https://git.kernel.org/stable/c/fce09ea314505a52f2436397608fa0a5d0934fb1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix null pointer deref when receiving skb during sock creation\n\nThe panic below is observed when receiving ICMP packets with secmark set\nwhile an ICMP raw socket is being created. SK_CTX(sk)->label is updated\nin apparmor_socket_post_create(), but the packet is delivered to the\nsocket before that, causing the null pointer dereference.\nDrop the packet if label context is not set.\n\n BUG: kernel NULL pointer dereference, address: 000000000000004c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020\n RIP: 0010:aa_label_next_confined+0xb/0x40\n Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2\n RSP: 0018:ffffa92940003b08 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e\n RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002\n R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000\n FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0\n PKRU: 55555554\n Call Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? aa_label_next_confined+0xb/0x40\n apparmor_secmark_check+0xec/0x330\n security_sock_rcv_skb+0x35/0x50\n sk_filter_trim_cap+0x47/0x250\n sock_queue_rcv_skb_reason+0x20/0x60\n raw_rcv+0x13c/0x210\n raw_local_deliver+0x1f3/0x250\n ip_protocol_deliver_rcu+0x4f/0x2f0\n ip_local_deliver_finish+0x76/0xa0\n __netif_receive_skb_one_core+0x89/0xa0\n netif_receive_skb+0x119/0x170\n ? __netdev_alloc_skb+0x3d/0x140\n vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n __napi_poll+0x28/0x1b0\n net_rx_action+0x2a4/0x380\n __do_softirq+0xd1/0x2c8\n __irq_exit_rcu+0xbb/0xf0\n common_interrupt+0x86/0xa0\n \n \n asm_common_interrupt+0x26/0x40\n RIP: 0010:apparmor_socket_post_create+0xb/0x200\n Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48\n RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286\n RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001\n RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740\n RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003\n R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748\n ? __pfx_apparmor_socket_post_create+0x10/0x10\n security_socket_post_create+0x4b/0x80\n __sock_create+0x176/0x1f0\n __sys_socket+0x89/0x100\n __x64_sys_socket+0x17/0x20\n do_syscall_64+0x5d/0x90\n ? do_syscall_64+0x6c/0x90\n ? do_syscall_64+0x6c/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52889" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52893", + "dataSource": "https://ubuntu.com/security/CVE-2023-52893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52893" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52893", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32313c11bdc8a02c577abaf865be3664ab30410a", + "https://git.kernel.org/stable/c/6646d769fdb0ce4318ef9afd127f8526d1ca8393", + "https://git.kernel.org/stable/c/a769b05eeed7accc4019a1ed9799dd72067f1ce8", + "https://git.kernel.org/stable/c/ae2a9dcc8caa60b1e14671294e5ec902ea5d1dfd", + "https://git.kernel.org/stable/c/eb0421d90f916dffe96b4c049ddf01c0c50620d2", + "https://git.kernel.org/stable/c/ee5763ef829bd923033510de6d1df7c73f085e4b", + "https://git.kernel.org/stable/c/ffef77794fb5f1245c3249b86342bad2299accb5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngsmi: fix null-deref in gsmi_get_variable\n\nWe can get EFI variables without fetching the attribute, so we must\nallow for that in gsmi.\n\ncommit 859748255b43 (\"efi: pstore: Omit efivars caching EFI varstore\naccess layer\") added a new get_variable call with attr=NULL, which\ntriggers panic in gsmi.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52894", + "dataSource": "https://ubuntu.com/security/CVE-2023-52894", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52894" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52894", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52894", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09e4507ec8ef2d44da6ba4092b8ee2d81f216497", + "https://git.kernel.org/stable/c/63d161f29cd39c050e8873aa36e0c9fc013bb763", + "https://git.kernel.org/stable/c/a21da7f7aae618c785f7e4a275d43c06dc8412b6", + "https://git.kernel.org/stable/c/a69c8dfb85b44be9cc223be07d35cc3a9baefbea", + "https://git.kernel.org/stable/c/c6ec929595c7443250b2a4faea988c62019d5cd2", + "https://git.kernel.org/stable/c/e92c70059178da751e5af7de02384b7dfadb5ec7", + "https://git.kernel.org/stable/c/fef6b29671b66dfb71f17e337c1ad14b5a2cedae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()\n\nIn Google internal bug 265639009 we've received an (as yet) unreproducible\ncrash report from an aarch64 GKI 5.10.149-android13 running device.\n\nAFAICT the source code is at:\n https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10\n\nThe call stack is:\n ncm_close() -> ncm_notify() -> ncm_do_notify()\nwith the crash at:\n ncm_do_notify+0x98/0x270\nCode: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)\n\nWhich I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):\n\n // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)\n 0B 0D 00 79 strh w11, [x8, #6]\n\n // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)\n 6C 0A 00 B9 str w12, [x19, #8]\n\n // x10 (NULL) was read here from offset 0 of valid pointer x9\n // IMHO we're reading 'cdev->gadget' and getting NULL\n // gadget is indeed at offset 0 of struct usb_composite_dev\n 2A 01 40 F9 ldr x10, [x9]\n\n // loading req->buf pointer, which is at offset 0 of struct usb_request\n 69 02 40 F9 ldr x9, [x19]\n\n // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed\n 4B 5D 40 B9 ldr w11, [x10, #0x5c]\n\nwhich seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:\n\n event->wLength = cpu_to_le16(8);\n req->length = NCM_STATUS_BYTECOUNT;\n\n /* SPEED_CHANGE data is up/down speeds in bits/sec */\n data = req->buf + sizeof *event;\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\n\nMy analysis of registers and NULL ptr deref crash offset\n (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)\nheavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:\n data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\nwhich calls:\n ncm_bitrate(NULL)\nwhich then calls:\n gadget_is_superspeed(NULL)\nwhich reads\n ((struct usb_gadget *)NULL)->max_speed\nand hits a panic.\n\nAFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.\n(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)\n\nIt's not at all clear to me how this is all supposed to work...\nbut returning 0 seems much better than panic-ing...", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52894" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52896", + "dataSource": "https://ubuntu.com/security/CVE-2023-52896", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52896" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52896", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52896", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1004fc90f0d79a4b7d9e3d432729914f472f9ad1", + "https://git.kernel.org/stable/c/3bd43374857103ba3cac751d6d4afa8d83b5d92a", + "https://git.kernel.org/stable/c/64287cd456a22373053998c1fccf14b651e9cbbd", + "https://git.kernel.org/stable/c/89ac597e3e807b91e2ebd6a7c36fec7b97290233", + "https://git.kernel.org/stable/c/b7adbf9ada3513d2092362c8eac5cddc5b651f5c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between quota rescan and disable leading to NULL pointer deref\n\nIf we have one task trying to start the quota rescan worker while another\none is trying to disable quotas, we can end up hitting a race that results\nin the quota rescan worker doing a NULL pointer dereference. The steps for\nthis are the following:\n\n1) Quotas are enabled;\n\n2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().\n It calls qgroup_rescan_init() which returns 0 (success) and then joins a\n transaction and commits it;\n\n3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().\n It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls\n btrfs_qgroup_wait_for_completion(), which returns immediately since the\n rescan worker is not yet running.\n Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;\n\n4) Task A queues the rescan worker, by calling btrfs_queue_work();\n\n5) The rescan worker starts, and calls rescan_should_stop() at the start\n of its while loop, which results in 0 iterations of the loop, since\n the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by\n task B at step 3);\n\n6) Task B sets fs_info->quota_root to NULL;\n\n7) The rescan worker tries to start a transaction and uses\n fs_info->quota_root as the root argument for btrfs_start_transaction().\n This results in a NULL pointer dereference down the call chain of\n btrfs_start_transaction(). The stack trace is something like the one\n reported in Link tag below:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Workqueue: btrfs-qgroup-rescan btrfs_work_helper\n RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564\n Code: 48 89 fb 48 (...)\n RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206\n RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\n RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d\n R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000\n R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003\n FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402\n btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280\n process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\n worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\n kthread+0x266/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n Modules linked in:\n\nSo fix this by having the rescan worker function not attempt to start a\ntransaction if it didn't do any rescan work.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52896" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52898", + "dataSource": "https://ubuntu.com/security/CVE-2023-52898", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52898" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52898", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52898", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/081105213ff6f661c114781d469233c7d0e09c2e", + "https://git.kernel.org/stable/c/133b902378e4acbd824c29dd0d48570ad596e368", + "https://git.kernel.org/stable/c/6fac4b5cecb3928a0a81069aaa815a2edc8dd5a1", + "https://git.kernel.org/stable/c/a2bc47c43e70cf904b1af49f76d572326c08bca7", + "https://git.kernel.org/stable/c/c462ac871f49753eca86bb960f573b993976a5ea", + "https://git.kernel.org/stable/c/ea2ee5e9991caf74e0604f994c1831a5867055b2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix null pointer dereference when host dies\n\nMake sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race\nand cause null pointer dereference when host suddenly dies.\n\nUsb core may call xhci_free_dev() which frees the xhci->devs[slot_id]\nvirt device at the same time that xhci_kill_endpoint_urbs() tries to\nloop through all the device's endpoints, checking if there are any\ncancelled urbs left to give back.\n\nhold the xhci spinlock while freeing the virt device", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52898" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52899", + "dataSource": "https://ubuntu.com/security/CVE-2023-52899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52899", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/20d0a6d17e85a8a816a64fa7d7cae616f1617833", + "https://git.kernel.org/stable/c/5054d001ffaf76155637c5e5b922c11016cd6a5d", + "https://git.kernel.org/stable/c/51a7ad5b60efac65691729d10745c28fa1016b96", + "https://git.kernel.org/stable/c/53dd833fd0a2d8f0118d01ea063a70652689d31e", + "https://git.kernel.org/stable/c/57054fe516d59d03a7bcf1888e82479ccc244f87", + "https://git.kernel.org/stable/c/f534dc438828cc3f1f8c6895b8bdfbef079521fb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nAdd exception protection processing for vd in axi_chan_handle_err function\n\nSince there is no protection for vd, a kernel panic will be\ntriggered here in exceptional cases.\n\nYou can refer to the processing of axi_chan_block_xfer_complete function\n\nThe triggered kernel panic is as follows:\n\n[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n[ 67.848447] Mem abort info:\n[ 67.848449] ESR = 0x96000004\n[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 67.848454] SET = 0, FnV = 0\n[ 67.848456] EA = 0, S1PTW = 0\n[ 67.848458] Data abort info:\n[ 67.848460] ISV = 0, ISS = 0x00000004\n[ 67.848462] CM = 0, WnR = 0\n[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000\n[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000\n[ 67.848472] Internal error: Oops: 96000004 [#1] SMP\n[ 67.848475] Modules linked in: dmatest\n[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11\n[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)\n[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230\n[ 67.848491] lr : axi_chan_handle_err+0x30/0x230\n[ 67.848493] sp : ffff0803fe55ae50\n[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200\n[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080\n[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850\n[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000\n[ 67.848512] x21: 0000000000000080 x20: 0000000000002000\n[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000\n[ 67.848521] x17: 0000000000000000 x16: 0000000000000000\n[ 67.848525] x15: 0000000000000000 x14: 0000000000000000\n[ 67.848529] x13: 0000000000000000 x12: 0000000000000040\n[ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a\n[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270\n[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0\n[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480\n[ 67.848550] x3 : dead000000000100 x2 : dead000000000122\n[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168\n[ 67.848559] Call trace:\n[ 67.848562] axi_chan_handle_err+0xc4/0x230\n[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590\n[ 67.848569] __handle_irq_event_percpu+0x60/0x220\n[ 67.848573] handle_irq_event+0x64/0x120\n[ 67.848576] handle_fasteoi_irq+0xc4/0x220\n[ 67.848580] __handle_domain_irq+0x80/0xe0\n[ 67.848583] gic_handle_irq+0xc0/0x138\n[ 67.848585] el1_irq+0xc8/0x180\n[ 67.848588] arch_cpu_idle+0x14/0x2c\n[ 67.848591] default_idle_call+0x40/0x16c\n[ 67.848594] do_idle+0x1f0/0x250\n[ 67.848597] cpu_startup_entry+0x2c/0x60\n[ 67.848600] rest_init+0xc0/0xcc\n[ 67.848603] arch_call_rest_init+0x14/0x1c\n[ 67.848606] start_kernel+0x4cc/0x500\n[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)\n[ 67.848613] ---[ end trace 585a97036f88203a ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52900", + "dataSource": "https://ubuntu.com/security/CVE-2023-52900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52900" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52900", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04", + "https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545", + "https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062", + "https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243", + "https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051", + "https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d", + "https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix general protection fault in nilfs_btree_insert()\n\nIf nilfs2 reads a corrupted disk image and tries to reads a b-tree node\nblock by calling __nilfs_btree_get_block() against an invalid virtual\nblock address, it returns -ENOENT because conversion of the virtual block\naddress to a disk block address fails. However, this return value is the\nsame as the internal code that b-tree lookup routines return to indicate\nthat the block being searched does not exist, so functions that operate on\nthat b-tree may misbehave.\n\nWhen nilfs_btree_insert() receives this spurious 'not found' code from\nnilfs_btree_do_lookup(), it misunderstands that the 'not found' check was\nsuccessful and continues the insert operation using incomplete lookup path\ndata, causing the following crash:\n\n general protection fault, probably for non-canonical address\n 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n ...\n RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]\n RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]\n RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238\n Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89\n ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c\n 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02\n ...\n Call Trace:\n \n nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]\n nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147\n nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101\n __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991\n __block_write_begin fs/buffer.c:2041 [inline]\n block_write_begin+0x93/0x1e0 fs/buffer.c:2102\n nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\n __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900\n generic_file_write_iter+0xab/0x310 mm/filemap.c:3932\n call_write_iter include/linux/fs.h:2186 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n ...\n \n\nThis patch fixes the root cause of this problem by replacing the error\ncode that __nilfs_btree_get_block() returns on block address conversion\nfailure from -ENOENT to another internal code -EINVAL which means that the\nb-tree metadata is corrupted.\n\nBy returning -EINVAL, it propagates without glitches, and for all relevant\nb-tree operations, functions in the upper bmap layer output an error\nmessage indicating corrupted b-tree metadata via\nnilfs_bmap_convert_error(), and code -EIO will be eventually returned as\nit should be.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52901", + "dataSource": "https://ubuntu.com/security/CVE-2023-52901", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52901" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52901", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52901", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08864dc14a6803f0377ca77b9740b26db30c020f", + "https://git.kernel.org/stable/c/2d2820d5f375563690c96e60676855205abfb7f5", + "https://git.kernel.org/stable/c/375be2dd61a072f7b1cac9b17eea59e07b58db3a", + "https://git.kernel.org/stable/c/66fc1600855c05c4ba4e997184c91cf298e0405c", + "https://git.kernel.org/stable/c/9891e5c73cab3fd9ed532dc50e9799e55e974766", + "https://git.kernel.org/stable/c/e8fb5bc76eb86437ab87002d4a36d6da02165654", + "https://git.kernel.org/stable/c/f39c813af0b64f44af94e435c07bfa1ddc2575f5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Check endpoint is valid before dereferencing it\n\nWhen the host controller is not responding, all URBs queued to all\nendpoints need to be killed. This can cause a kernel panic if we\ndereference an invalid endpoint.\n\nFix this by using xhci_get_virt_ep() helper to find the endpoint and\nchecking if the endpoint is valid before dereferencing it.\n\n[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead\n[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8\n\n[233311.853964] pc : xhci_hc_died+0x10c/0x270\n[233311.853971] lr : xhci_hc_died+0x1ac/0x270\n\n[233311.854077] Call trace:\n[233311.854085] xhci_hc_died+0x10c/0x270\n[233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4\n[233311.854105] call_timer_fn+0x50/0x2d4\n[233311.854112] expire_timers+0xac/0x2e4\n[233311.854118] run_timer_softirq+0x300/0xabc\n[233311.854127] __do_softirq+0x148/0x528\n[233311.854135] irq_exit+0x194/0x1a8\n[233311.854143] __handle_domain_irq+0x164/0x1d0\n[233311.854149] gic_handle_irq.22273+0x10c/0x188\n[233311.854156] el1_irq+0xfc/0x1a8\n[233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm]\n[233311.854185] cpuidle_enter_state+0x1f0/0x764\n[233311.854194] do_idle+0x594/0x6ac\n[233311.854201] cpu_startup_entry+0x7c/0x80\n[233311.854209] secondary_start_kernel+0x170/0x198", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52901" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52903", + "dataSource": "https://ubuntu.com/security/CVE-2023-52903", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52903" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52903", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52903", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/544d163d659d45a206d8929370d5a2984e546cb7", + "https://git.kernel.org/stable/c/7fc3990dad04a677606337ebc61964094d6cb41b", + "https://git.kernel.org/stable/c/de77faee280163ff03b7ab64af6c9d779a43d4c4", + "https://git.kernel.org/stable/c/ed4629d1e968359fbb91d0a3780b1e86a2c08845" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: lock overflowing for IOPOLL\n\nsyzbot reports an issue with overflow filling for IOPOLL:\n\nWARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\nCPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0\nWorkqueue: events_unbound io_ring_exit_work\nCall trace:\n io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\n io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773\n io_fill_cqe_req io_uring/io_uring.h:168 [inline]\n io_do_iopoll+0x474/0x62c io_uring/rw.c:1065\n io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513\n io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056\n io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869\n process_one_work+0x2d8/0x504 kernel/workqueue.c:2289\n worker_thread+0x340/0x610 kernel/workqueue.c:2436\n kthread+0x12c/0x158 kernel/kthread.c:376\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863\n\nThere is no real problem for normal IOPOLL as flush is also called with\nuring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,\nfor which __io_cqring_overflow_flush() happens from the CQ waiting path.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52903" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52904", + "dataSource": "https://ubuntu.com/security/CVE-2023-52904", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52904" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52904", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52904", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/92a9c0ad86d47ff4cce899012e355c400f02cfb8", + "https://git.kernel.org/stable/c/a474d4ad59cd4642d1b7e3a6c08cef9eca0992c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()\n\nThe subs function argument may be NULL, so do not use it before the NULL check.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52904" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52905", + "dataSource": "https://ubuntu.com/security/CVE-2023-52905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52905" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52905", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/53da7aec32982f5ee775b69dce06d63992ce4af3", + "https://git.kernel.org/stable/c/c8ca0ad10df08ea36bcac1288062d567d22604c9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix resource leakage in VF driver unbind\n\nresources allocated like mcam entries to support the Ntuple feature\nand hash tables for the tc feature are not getting freed in driver\nunbind. This patch fixes the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52906", + "dataSource": "https://ubuntu.com/security/CVE-2023-52906", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52906" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52906", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52906", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b157c3c5d6b8ddca48d53c9e662032f65af8d61", + "https://git.kernel.org/stable/c/453277feb41c2235cf2c0de9209eef962c401457", + "https://git.kernel.org/stable/c/8a97b544b98e44f596219ebb290fd2ba2fd5d644", + "https://git.kernel.org/stable/c/9e17f99220d111ea031b44153fdfe364b0024ff2", + "https://git.kernel.org/stable/c/9e2c38827cdc6fdd3bb375c8607fc04d289756f9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mpls: Fix warning during failed attribute validation\n\nThe 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a\nvalidation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid\ncombination according to the comment above 'struct nla_policy':\n\n\"\nMeaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:\n NLA_BINARY Validation function called for the attribute.\n All other Unused - but note that it's a union\n\"\n\nThis can trigger the warning [1] in nla_get_range_unsigned() when\nvalidation of the attribute fails. Despite being of 'NLA_U32' type, the\nassociated 'min'/'max' fields in the policy are negative as they are\naliased by the 'validate' field.\n\nFix by changing the attribute type to 'NLA_BINARY' which is consistent\nwith the above comment and all other users of NLA_POLICY_VALIDATE_FN().\nAs a result, move the length validation to the validation function.\n\nNo regressions in MPLS tests:\n\n # ./tdc.py -f tc-tests/actions/mpls.json\n [...]\n # echo $?\n 0\n\n[1]\nWARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118\nnla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\nModules linked in:\nCPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\n[...]\nCall Trace:\n \n __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310\n netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411\n netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]\n netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506\n netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546\n rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2482\n ___sys_sendmsg net/socket.c:2536 [inline]\n __sys_sendmsg+0x197/0x230 net/socket.c:2565\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52906" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52907", + "dataSource": "https://ubuntu.com/security/CVE-2023-52907", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52907" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52907", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52907", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ca78c99656f5c448567db1e148367aa3b01c80a", + "https://git.kernel.org/stable/c/321db5131c92983dac4f3338e8fbb6df214238c0", + "https://git.kernel.org/stable/c/35529d6b827eedb6bf7e81130e4b7e0aba9e58d2", + "https://git.kernel.org/stable/c/39ae73e581112cfe27ba50aecb1c891ce57cecb1", + "https://git.kernel.org/stable/c/8998db5021a28ad67aa8d627bdb4226e4046ccc4", + "https://git.kernel.org/stable/c/9424d2205fe94a095fb9365ec0c6137f0b394a2b", + "https://git.kernel.org/stable/c/9dab880d675b9d0dd56c6428e4e8352a3339371d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()\n\nFix a use-after-free that occurs in hcd when in_urb sent from\npn533_usb_send_frame() is completed earlier than out_urb. Its callback\nfrees the skb data in pn533_send_async_complete() that is used as a\ntransfer buffer of out_urb. Wait before sending in_urb until the\ncallback of out_urb is called. To modify the callback of out_urb alone,\nseparate the complete function of out_urb and ack_urb.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: use-after-free in dummy_timer\nCall Trace:\n memcpy (mm/kasan/shadow.c:65)\n dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)\n transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)\n dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)\n arch_static_branch (arch/x86/include/asm/jump_label.h:27)\n static_key_false (include/linux/jump_label.h:207)\n timer_expire_exit (include/trace/events/timer.h:127)\n call_timer_fn (kernel/time/timer.c:1475)\n expire_timers (kernel/time/timer.c:1519)\n __run_timers (kernel/time/timer.c:1790)\n run_timer_softirq (kernel/time/timer.c:1803)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52907" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52910", + "dataSource": "https://ubuntu.com/security/CVE-2023-52910", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52910" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52910", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52910", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/61cbf790e7329ed78877560be7136f0b911bba7f", + "https://git.kernel.org/stable/c/c929a230c84441e400c32e7b7b4ab763711fb63e", + "https://git.kernel.org/stable/c/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/iova: Fix alloc iova overflows issue\n\nIn __alloc_and_insert_iova_range, there is an issue that retry_pfn\noverflows. The value of iovad->anchor.pfn_hi is ~0UL, then when\niovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will\noverflow. As a result, if the retry logic is executed, low_pfn is\nupdated to 0, and then new_pfn < low_pfn returns false to make the\nallocation successful.\n\nThis issue occurs in the following two situations:\n1. The first iova size exceeds the domain size. When initializing\niova domain, iovad->cached_node is assigned as iovad->anchor. For\nexample, the iova domain size is 10M, start_pfn is 0x1_F000_0000,\nand the iova size allocated for the first time is 11M. The\nfollowing is the log information, new->pfn_lo is smaller than\niovad->cached_node.\n\nExample log as follows:\n[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nstart_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00\n[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nsuccess start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff\n\n2. The node with the largest iova->pfn_lo value in the iova domain\nis deleted, iovad->cached_node will be updated to iovad->anchor,\nand then the alloc iova size exceeds the maximum iova size that can\nbe allocated in the domain.\n\nAfter judging that retry_pfn is less than limit_pfn, call retry_pfn+1\nto fix the overflow issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52910" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52911", + "dataSource": "https://ubuntu.com/security/CVE-2023-52911", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52911" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52911", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52911", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00dd060ab3cf95ca6ede7853bc14397014971b5e", + "https://git.kernel.org/stable/c/b107b08c41b3076a508113fbaaffe15ce1fe7f65" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: another fix for the headless Adreno GPU\n\nFix another oops reproducible when rebooting the board with the Adreno\nGPU working in the headless mode (e.g. iMX platforms).\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\n[00000000] *pgd=74936831, *pte=00000000, *ppte=00000000\nInternal error: Oops: 17 [#1] ARM\nCPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11\nHardware name: Freescale i.MX53 (Device Tree Support)\nPC is at msm_atomic_commit_tail+0x50/0x970\nLR is at commit_tail+0x9c/0x188\npc : [] lr : [] psr: 600e0013\nsp : e0851d30 ip : ee4eb7eb fp : 00090acc\nr10: 00000058 r9 : c2193014 r8 : c4310000\nr7 : c4759380 r6 : 07bef61d r5 : 00000000 r4 : 00000000\nr3 : c44cc440 r2 : 00000000 r1 : 00000000 r0 : 00000000\nFlags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none\nControl: 10c5387d Table: 74910019 DAC: 00000051\nRegister r0 information: NULL pointer\nRegister r1 information: NULL pointer\nRegister r2 information: NULL pointer\nRegister r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024\nRegister r4 information: NULL pointer\nRegister r5 information: NULL pointer\nRegister r6 information: non-paged memory\nRegister r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128\nRegister r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048\nRegister r9 information: non-slab/vmalloc memory\nRegister r10 information: non-paged memory\nRegister r11 information: non-paged memory\nRegister r12 information: non-paged memory\nProcess reboot (pid: 51, stack limit = 0xc80046d9)\nStack: (0xe0851d30 to 0xe0852000)\n1d20: c4759380 fbd77200 000005ff 002b9c70\n1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058\n1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c\n1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468\n1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810\n1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00\n1de0: c4759380 c067ad20 c4310000 00000000 c44cc810 c27f8718 c44cc854 c067adb8\n1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854\n1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000\n1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60\n1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4\n1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000\n1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058\n1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028\n1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc\n1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000\n msm_atomic_commit_tail from commit_tail+0x9c/0x188\n commit_tail from drm_atomic_helper_commit+0x160/0x188\n drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0\n drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0\n drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140\n drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240\n device_shutdown from kernel_restart+0x38/0x90\n kernel_restart from __do_sys_reboot+0x\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52911" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52912", + "dataSource": "https://ubuntu.com/security/CVE-2023-52912", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52912" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52912", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52912", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/9196eb7c52e55749a332974f0081f77d53d60199", + "https://git.kernel.org/stable/c/99f1a36c90a7524972be5a028424c57fa17753ee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fixed bug on error when unloading amdgpu\n\nFixed bug on error when unloading amdgpu.\n\nThe error message is as follows:\n[ 377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!\n[ 377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G IOE 6.0.0-thomas #1\n[ 377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021\n[ 377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]\n[ 377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53\n[ 377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287\n[ 377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000\n[ 377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70\n[ 377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001\n[ 377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70\n[ 377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70\n[ 377.706325] FS: 00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000\n[ 377.706334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0\n[ 377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 377.706361] Call Trace:\n[ 377.706365] \n[ 377.706369] drm_buddy_free_list+0x2a/0x60 [drm_buddy]\n[ 377.706376] amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]\n[ 377.706572] amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]\n[ 377.706650] amdgpu_bo_fini+0x22/0x90 [amdgpu]\n[ 377.706727] gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]\n[ 377.706821] amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]\n[ 377.706897] amdgpu_driver_release_kms+0x12/0x30 [amdgpu]\n[ 377.706975] drm_dev_release+0x20/0x40 [drm]\n[ 377.707006] release_nodes+0x35/0xb0\n[ 377.707014] devres_release_all+0x8b/0xc0\n[ 377.707020] device_unbind_cleanup+0xe/0x70\n[ 377.707027] device_release_driver_internal+0xee/0x160\n[ 377.707033] driver_detach+0x44/0x90\n[ 377.707039] bus_remove_driver+0x55/0xe0\n[ 377.707045] pci_unregister_driver+0x3b/0x90\n[ 377.707052] amdgpu_exit+0x11/0x6c [amdgpu]\n[ 377.707194] __x64_sys_delete_module+0x142/0x2b0\n[ 377.707201] ? fpregs_assert_state_consistent+0x22/0x50\n[ 377.707208] ? exit_to_user_mode_prepare+0x3e/0x190\n[ 377.707215] do_syscall_64+0x38/0x90\n[ 377.707221] entry_SYSCALL_64_after_hwframe+0x63/0xcd", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52912" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-52913", + "dataSource": "https://ubuntu.com/security/CVE-2023-52913", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-52913" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-52913", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-52913", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/afce71ff6daa9c0f852df0727fe32c6fb107f0fa", + "https://git.kernel.org/stable/c/b696c627b3f56e173f7f70b8487d66da8ff22506" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential context UAFs\n\ngem_context_register() makes the context visible to userspace, and which\npoint a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.\nSo we need to ensure that nothing uses the ctx ptr after this. And we\nneed to ensure that adding the ctx to the xarray is the *last* thing\nthat gem_context_register() does with the ctx pointer.\n\n[tursulin: Stable and fixes tags add/tidy.]\n(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-52913" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6240", + "dataSource": "https://ubuntu.com/security/CVE-2023-6240", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6240" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6240", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:1881", + "https://access.redhat.com/errata/RHSA-2024:1882", + "https://access.redhat.com/errata/RHSA-2024:2758", + "https://access.redhat.com/errata/RHSA-2024:3414", + "https://access.redhat.com/errata/RHSA-2024:3421", + "https://access.redhat.com/errata/RHSA-2024:3618", + "https://access.redhat.com/errata/RHSA-2024:3627", + "https://access.redhat.com/security/cve/CVE-2023-6240", + "https://bugzilla.redhat.com/show_bug.cgi?id=2250843", + "https://people.redhat.com/~hkario/marvin/", + "https://security.netapp.com/advisory/ntap-20240628-0002/", + "https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself/" + ], + "description": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.2, + "impactScore": 4.2 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.2, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6240" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6356", + "dataSource": "https://ubuntu.com/security/CVE-2023-6356", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6356" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6356", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6356", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:0723", + "https://access.redhat.com/errata/RHSA-2024:0724", + "https://access.redhat.com/errata/RHSA-2024:0725", + "https://access.redhat.com/errata/RHSA-2024:0881", + "https://access.redhat.com/errata/RHSA-2024:0897", + "https://access.redhat.com/errata/RHSA-2024:1248", + "https://access.redhat.com/errata/RHSA-2024:2094", + "https://access.redhat.com/errata/RHSA-2024:3810", + "https://access.redhat.com/security/cve/CVE-2023-6356", + "https://bugzilla.redhat.com/show_bug.cgi?id=2254054", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://security.netapp.com/advisory/ntap-20240415-0002/" + ], + "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6356" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6535", + "dataSource": "https://ubuntu.com/security/CVE-2023-6535", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6535" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6535", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6535", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:0723", + "https://access.redhat.com/errata/RHSA-2024:0724", + "https://access.redhat.com/errata/RHSA-2024:0725", + "https://access.redhat.com/errata/RHSA-2024:0881", + "https://access.redhat.com/errata/RHSA-2024:0897", + "https://access.redhat.com/errata/RHSA-2024:1248", + "https://access.redhat.com/errata/RHSA-2024:2094", + "https://access.redhat.com/errata/RHSA-2024:3810", + "https://access.redhat.com/security/cve/CVE-2023-6535", + "https://bugzilla.redhat.com/show_bug.cgi?id=2254053", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://security.netapp.com/advisory/ntap-20240415-0003/" + ], + "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6535" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6536", + "dataSource": "https://ubuntu.com/security/CVE-2023-6536", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6536" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6536", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6536", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:0723", + "https://access.redhat.com/errata/RHSA-2024:0724", + "https://access.redhat.com/errata/RHSA-2024:0725", + "https://access.redhat.com/errata/RHSA-2024:0881", + "https://access.redhat.com/errata/RHSA-2024:0897", + "https://access.redhat.com/errata/RHSA-2024:1248", + "https://access.redhat.com/errata/RHSA-2024:2094", + "https://access.redhat.com/errata/RHSA-2024:3810", + "https://access.redhat.com/security/cve/CVE-2023-6536", + "https://bugzilla.redhat.com/show_bug.cgi?id=2254052", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", + "https://security.netapp.com/advisory/ntap-20240415-0001/" + ], + "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6536" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6610", + "dataSource": "https://ubuntu.com/security/CVE-2023-6610", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6610" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6610", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6610", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:0723", + "https://access.redhat.com/errata/RHSA-2024:0724", + "https://access.redhat.com/errata/RHSA-2024:0725", + "https://access.redhat.com/errata/RHSA-2024:0881", + "https://access.redhat.com/errata/RHSA-2024:0897", + "https://access.redhat.com/errata/RHSA-2024:1248", + "https://access.redhat.com/errata/RHSA-2024:1404", + "https://access.redhat.com/errata/RHSA-2024:2094", + "https://access.redhat.com/security/cve/CVE-2023-6610", + "https://bugzilla.kernel.org/show_bug.cgi?id=218219", + "https://bugzilla.redhat.com/show_bug.cgi?id=2253614" + ], + "description": "An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.8, + "impactScore": 5.2 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.8, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6610" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2023-6915", + "dataSource": "https://ubuntu.com/security/CVE-2023-6915", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2023-6915" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-6915", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-6915", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2024:2394", + "https://access.redhat.com/errata/RHSA-2024:2950", + "https://access.redhat.com/errata/RHSA-2024:3138", + "https://access.redhat.com/security/cve/CVE-2023-6915", + "https://bugzilla.redhat.com/show_bug.cgi?id=2254982", + "https://github.com/torvalds/linux/commit/af73483f4e8b6f5c68c9aa63257bdd929a9c194a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html" + ], + "description": "A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2023-6915" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-0564", + "dataSource": "https://ubuntu.com/security/CVE-2024-0564", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-0564" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-0564", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://access.redhat.com/security/cve/CVE-2024-0564", + "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513", + "https://bugzilla.redhat.com/show_bug.cgi?id=2258514", + "https://link.springer.com/conference/wisa", + "https://wisa.or.kr/accepted" + ], + "description": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". Through these operations, the attacker can leak the victim's page.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-0564" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-21803", + "dataSource": "https://ubuntu.com/security/CVE-2024-21803", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-21803" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-21803", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8081" + ], + "description": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.5, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-21803" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-21823", + "dataSource": "https://ubuntu.com/security/CVE-2024-21823", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-21823" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-21823", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-21823", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/15/1", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/", + "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html" + ], + "description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable escalation of privilege local access", + "cvss": [ + { + "source": "secure@intel.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.1, + "impactScore": 5.8 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-21823" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-2193", + "dataSource": "https://ubuntu.com/security/CVE-2024-2193", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-2193" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-2193", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-2193", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/03/12/14", + "https://download.vusec.net/papers/ghostrace_sec24.pdf", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=944d5fe50f3f03daacfea16300e656a1691c4a23", + "https://ibm.github.io/system-security-research-updates/2024/03/12/ghostrace", + "https://kb.cert.org/vuls/id/488902", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/", + "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html", + "https://www.kb.cert.org/vuls/id/488902", + "https://www.vusec.net/projects/ghostrace/", + "https://xenbits.xen.org/xsa/advisory-453.html" + ], + "description": "A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-2193" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-22386", + "dataSource": "https://ubuntu.com/security/CVE-2024-22386", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-22386" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-22386", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8147" + ], + "description": "A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 0.8, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-22386" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-23307", + "dataSource": "https://ubuntu.com/security/CVE-2024-23307", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-23307" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-23307", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=7975" + ], + "description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.7, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-23307" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-23848", + "dataSource": "https://ubuntu.com/security/CVE-2024-23848", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-23848" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-23848", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5%40xs4all.nl/" + ], + "description": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-23848" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24856", + "dataSource": "https://ubuntu.com/security/CVE-2024-24856", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24856" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24856", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24856", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8764" + ], + "description": "The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a\nsuccessful allocation, but the subsequent code directly dereferences the\npointer that receives it, which may lead to null pointer dereference.\n\nTo fix this issue, a null pointer check should be added. If it is null, \nreturn exception code AE_NO_MEMORY.", + "cvss": [ + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 0.8, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-24856" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24857", + "dataSource": "https://ubuntu.com/security/CVE-2024-24857", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24857" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24857", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8155", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 1.6, + "impactScore": 5.2 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.4, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-24857" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24858", + "dataSource": "https://ubuntu.com/security/CVE-2024-24858", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24858" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24858", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8154", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 1.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.4, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-24858" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24859", + "dataSource": "https://ubuntu.com/security/CVE-2024-24859", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24859" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24859", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8153" + ], + "description": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\n\n\n\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.8, + "exploitabilityScore": 1.2, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H", + "metrics": { + "baseScore": 4.6, + "exploitabilityScore": 0.4, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-24859" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24861", + "dataSource": "https://ubuntu.com/security/CVE-2024-24861", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24861" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24861", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8150", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", + "metrics": { + "baseScore": 6.3, + "exploitabilityScore": 1, + "impactScore": 5.2 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 0.8, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-24861" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24862", + "dataSource": "https://ubuntu.com/security/CVE-2024-24862", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24862" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24862", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24862", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-24862" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24863", + "dataSource": "https://ubuntu.com/security/CVE-2024-24863", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24863" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24863", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24863", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\nCVE-2024-24863 has been replaced by CVE-2024-36014.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-24863" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-24864", + "dataSource": "https://ubuntu.com/security/CVE-2024-24864", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-24864" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-24864", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://bugzilla.openanolis.cn/show_bug.cgi?id=8178" + ], + "description": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "security@openanolis.org", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.3, + "exploitabilityScore": 0.8, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-24864" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25739", + "dataSource": "https://ubuntu.com/security/CVE-2024-25739", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25739" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25739", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=68a24aba7c593eafa8fd00f2f76407b9b32b47a9", + "https://groups.google.com/g/syzkaller/c/Xl97YcQA4hg", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", + "https://www.spinics.net/lists/kernel/msg5074816.html" + ], + "description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-25739" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25740", + "dataSource": "https://ubuntu.com/security/CVE-2024-25740", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25740" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25740", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://lore.kernel.org/lkml/0171b6cc-95ee-3538-913b-65a391a446b3%40huawei.com/T/" + ], + "description": "A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25740" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25741", + "dataSource": "https://ubuntu.com/security/CVE-2024-25741", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25741" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25741", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25741", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://www.spinics.net/lists/linux-usb/msg252167.html" + ], + "description": "printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25741" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25742", + "dataSource": "https://ubuntu.com/security/CVE-2024-25742", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25742" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25742", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25742", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.9", + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f", + "https://github.com/torvalds/linux/commit/e3ef461af35a8c74f2f4ce6616491ddb355a208f", + "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" + ], + "description": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2024-25742" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25743", + "dataSource": "https://ubuntu.com/security/CVE-2024-25743", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25743" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25743", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25743", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2270836", + "https://bugzilla.suse.com/show_bug.cgi?id=1223307", + "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" + ], + "description": "In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.8, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25743" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-25744", + "dataSource": "https://ubuntu.com/security/CVE-2024-25744", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-25744" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-25744", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-25744", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.7", + "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b82a8dbd3d2f4563156f7150c6f2ecab6e960b30" + ], + "description": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-25744" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26595", + "dataSource": "https://ubuntu.com/security/CVE-2024-26595", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26595" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26595", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39", + "https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f", + "https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\n\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\n\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26595" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26605", + "dataSource": "https://ubuntu.com/security/CVE-2024-26605", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26605" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26605", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26605", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0f7908a016c092cfdaa16d785fa5099d867bc1a3", + "https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a1805515a20", + "https://git.kernel.org/stable/c/b0f4478838be1f1d330061201898fef65bf8fd7c", + "https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix deadlock when enabling ASPM\n\nA last minute revert in 6.7-final introduced a potential deadlock when\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\nlockdep:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.7.0 #40 Not tainted\n --------------------------------------------\n kworker/u16:5/90 is trying to acquire lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\n\n but task is already holding lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(pci_bus_sem);\n lock(pci_bus_sem);\n\n *** DEADLOCK ***\n\n Call trace:\n print_deadlock_bug+0x25c/0x348\n __lock_acquire+0x10a4/0x2064\n lock_acquire+0x1e8/0x318\n down_read+0x60/0x184\n pcie_aspm_pm_state_change+0x58/0xdc\n pci_set_full_power_state+0xa8/0x114\n pci_set_power_state+0xc4/0x120\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\n pci_walk_bus+0x64/0xbc\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\n\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\nX13s by adding a delay to increase the race window during asynchronous\nprobe where another thread can take a write lock.\n\nAdd a new pci_set_power_state_locked() and associated helper functions that\ncan be called with the PCI bus semaphore held to avoid taking the read lock\ntwice.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26605" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26607", + "dataSource": "https://ubuntu.com/security/CVE-2024-26607", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26607" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26607", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26607", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08ac6f132dd77e40f786d8af51140c96c6d739c9", + "https://git.kernel.org/stable/c/2a4c6af7934a7b4c304542c38fee35e09cc1770c", + "https://git.kernel.org/stable/c/56f96cf6eb11a1c2d594367c3becbfb06a855ec1", + "https://git.kernel.org/stable/c/e0f83c234ea7a3dec1f84e5d02caa1c51664a076" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: sii902x: Fix probing race issue\n\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\n\n[ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x]\n[ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm]\n[ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[ 53.326401] drm_client_register+0x5c/0xa0 [drm]\n[ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[ 53.336881] tidss_probe+0x128/0x264 [tidss]\n[ 53.341174] platform_probe+0x68/0xc4\n[ 53.344841] really_probe+0x188/0x3c4\n[ 53.348501] __driver_probe_device+0x7c/0x16c\n[ 53.352854] driver_probe_device+0x3c/0x10c\n[ 53.357033] __device_attach_driver+0xbc/0x158\n[ 53.361472] bus_for_each_drv+0x88/0xe8\n[ 53.365303] __device_attach+0xa0/0x1b4\n[ 53.369135] device_initial_probe+0x14/0x20\n[ 53.373314] bus_probe_device+0xb0/0xb4\n[ 53.377145] deferred_probe_work_func+0xcc/0x124\n[ 53.381757] process_one_work+0x1f0/0x518\n[ 53.385770] worker_thread+0x1e8/0x3dc\n[ 53.389519] kthread+0x11c/0x120\n[ 53.392750] ret_from_fork+0x10/0x20\n\nThe issue here is as follows:\n\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\n DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n However, the sii902x driver has not set up the i2c part yet, leading\n to the crash.\n\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26607" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26629", + "dataSource": "https://ubuntu.com/security/CVE-2024-26629", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26629" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26629", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26629", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8f5b860de87039b007e84a28a5eefc888154e098", + "https://git.kernel.org/stable/c/99fb654d01dc3f08b5905c663ad6c89a9d83302f", + "https://git.kernel.org/stable/c/b7d2eee1f53899b53f069bba3a59a419fc3d331b", + "https://git.kernel.org/stable/c/c6f8b3fcc62725e4129f2c0fd550d022d4a7685a", + "https://git.kernel.org/stable/c/e4cf8941664cae2f89f0189c29fe2ce8c6be0d03", + "https://git.kernel.org/stable/c/edcf9725150e42beeca42d085149f4c88fa97afd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix RELEASE_LOCKOWNER\n\nThe test on so_count in nfsd4_release_lockowner() is nonsense and\nharmful. Revert to using check_for_locks(), changing that to not sleep.\n\nFirst: harmful.\nAs is documented in the kdoc comment for nfsd4_release_lockowner(), the\ntest on so_count can transiently return a false positive resulting in a\nreturn of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is\nclearly a protocol violation and with the Linux NFS client it can cause\nincorrect behaviour.\n\nIf RELEASE_LOCKOWNER is sent while some other thread is still\nprocessing a LOCK request which failed because, at the time that request\nwas received, the given owner held a conflicting lock, then the nfsd\nthread processing that LOCK request can hold a reference (conflock) to\nthe lock owner that causes nfsd4_release_lockowner() to return an\nincorrect error.\n\nThe Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it\nnever sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so\nit knows that the error is impossible. It assumes the lock owner was in\nfact released so it feels free to use the same lock owner identifier in\nsome later locking request.\n\nWhen it does reuse a lock owner identifier for which a previous RELEASE\nfailed, it will naturally use a lock_seqid of zero. However the server,\nwhich didn't release the lock owner, will expect a larger lock_seqid and\nso will respond with NFS4ERR_BAD_SEQID.\n\nSo clearly it is harmful to allow a false positive, which testing\nso_count allows.\n\nThe test is nonsense because ... well... it doesn't mean anything.\n\nso_count is the sum of three different counts.\n1/ the set of states listed on so_stateids\n2/ the set of active vfs locks owned by any of those states\n3/ various transient counts such as for conflicting locks.\n\nWhen it is tested against '2' it is clear that one of these is the\ntransient reference obtained by find_lockowner_str_locked(). It is not\nclear what the other one is expected to be.\n\nIn practice, the count is often 2 because there is precisely one state\non so_stateids. If there were more, this would fail.\n\nIn my testing I see two circumstances when RELEASE_LOCKOWNER is called.\nIn one case, CLOSE is called before RELEASE_LOCKOWNER. That results in\nall the lock states being removed, and so the lockowner being discarded\n(it is removed when there are no more references which usually happens\nwhen the lock state is discarded). When nfsd4_release_lockowner() finds\nthat the lock owner doesn't exist, it returns success.\n\nThe other case shows an so_count of '2' and precisely one state listed\nin so_stateid. It appears that the Linux client uses a separate lock\nowner for each file resulting in one lock state per lock owner, so this\ntest on '2' is safe. For another client it might not be safe.\n\nSo this patch changes check_for_locks() to use the (newish)\nfind_any_file_locked() so that it doesn't take a reference on the\nnfs4_file and so never calls nfsd_file_put(), and so never sleeps. With\nthis check is it safe to restore the use of check_for_locks() rather\nthan testing so_count against the mysterious '2'.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26629" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26639", + "dataSource": "https://ubuntu.com/security/CVE-2024-26639", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26639" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26639", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26639", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26639" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26642", + "dataSource": "https://ubuntu.com/security/CVE-2024-26642", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26642" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26642", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26642", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16603605b667b70da974bea8216c93e7db043bf1", + "https://git.kernel.org/stable/c/72c1efe3f247a581667b7d368fff3bd9a03cd57a", + "https://git.kernel.org/stable/c/7cdc1be24cc1bcd56a3e89ac4aef20e31ad09199", + "https://git.kernel.org/stable/c/8e07c16695583a66e81f67ce4c46e94dece47ba7", + "https://git.kernel.org/stable/c/c0c2176d1814b92ea4c8e7eb7c9cd94cd99c1b12", + "https://git.kernel.org/stable/c/e4988d8415bd0294d6f9f4a1e7095f8b50a97ca9", + "https://git.kernel.org/stable/c/e9a0d3f376eb356d54ffce36e7cc37514cbfbd6f", + "https://git.kernel.org/stable/c/fe40ffbca19dc70d7c6b1e3c77b9ccb404c57351", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow anonymous set with timeout flag\n\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26642" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26647", + "dataSource": "https://ubuntu.com/security/CVE-2024-26647", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26647" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26647", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26647", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3bb9b1f958c3d986ed90a3ff009f1e77e9553207", + "https://git.kernel.org/stable/c/6aa5ede6665122f4c8abce3c6eba06b49e54d25c", + "https://git.kernel.org/stable/c/cf656fc7276e5b3709a81bc9d9639459be2b2647" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()'\n\nIn link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc'\nwas dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc'\nNULL pointer check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/link_dpms.c:905 link_set_dsc_pps_packet() warn: variable dereferenced before check 'dsc' (see line 903)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26647" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26648", + "dataSource": "https://ubuntu.com/security/CVE-2024-26648", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26648" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26648", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26648", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/22ae604aea14756954e1c00ae653e34d2afd2935", + "https://git.kernel.org/stable/c/7073934f5d73f8b53308963cee36f0d389ea857c", + "https://git.kernel.org/stable/c/c02d257c654191ecda1dc1af6875d527e85310e7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()\n\nIn edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay'\nwas dereferenced before the pointer 'link' & 'replay' NULL check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26648" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26654", + "dataSource": "https://ubuntu.com/security/CVE-2024-26654", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26654" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26654", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26654", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457", + "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04", + "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2", + "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901", + "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5", + "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046", + "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845", + "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3", + "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n (Thread 1) | (Thread 2)\nsnd_aicapcm_pcm_close() |\n ... | run_spu_dma() //worker\n | mod_timer()\n flush_work() |\n del_timer() | aica_period_elapsed() //timer\n kfree(dreamcastcard->channel) | schedule_work()\n | run_spu_dma() //worker\n ... | dreamcastcard->channel-> //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26654" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26656", + "dataSource": "https://ubuntu.com/security/CVE-2024-26656", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26656" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26656", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26656", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/22207fd5c80177b860279653d017474b2812af5e", + "https://git.kernel.org/stable/c/22f665ecfd1225afa1309ace623157d12bb9bb0c", + "https://git.kernel.org/stable/c/af054a5fb24a144f99895afce9519d709891894c", + "https://git.kernel.org/stable/c/e87e08c94c9541b4e18c4c13f2f605935f512605" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free bug\n\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung .\nFor example the following code:\n\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\n\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\n\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\n\n[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[ +0.000010] Call Trace:\n[ +0.000006] \n[ +0.000007] ? show_regs+0x6a/0x80\n[ +0.000018] ? __warn+0xa5/0x1b0\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000018] ? report_bug+0x24a/0x290\n[ +0.000022] ? handle_bug+0x46/0x90\n[ +0.000015] ? exc_invalid_op+0x19/0x50\n[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20\n[ +0.000017] ? kasan_save_stack+0x26/0x50\n[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? __kasan_check_read+0x11/0x20\n[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[ +0.004291] ? do_syscall_64+0x5f/0xe0\n[ +0.000023] ? srso_return_thunk+0x5/0x5f\n[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]\n[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004270] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20\n[ +0.000015] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0\n[ +0.000020] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]\n[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26656" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26658", + "dataSource": "https://ubuntu.com/security/CVE-2024-26658", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26658" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26658", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26658", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec", + "https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: grab s_umount only if snapshotting\n\nWhen I was testing mongodb over bcachefs with compression,\nthere is a lockdep warning when snapshotting mongodb data volume.\n\n$ cat test.sh\nprog=bcachefs\n\n$prog subvolume create /mnt/data\n$prog subvolume create /mnt/data/snapshots\n\nwhile true;do\n $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\n sleep 1s\ndone\n\n$ cat /etc/mongodb.conf\nsystemLog:\n destination: file\n logAppend: true\n path: /mnt/data/mongod.log\n\nstorage:\n dbPath: /mnt/data/\n\nlockdep reports:\n[ 3437.452330] ======================================================\n[ 3437.452750] WARNING: possible circular locking dependency detected\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G E\n[ 3437.453562] ------------------------------------------------------\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\n[ 3437.454875]\n but task is already holding lock:\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.456009]\n which lock already depends on the new lock.\n\n[ 3437.456553]\n the existing dependency chain (in reverse order) is:\n[ 3437.457054]\n -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\n[ 3437.457507] down_read+0x3e/0x170\n[ 3437.457772] bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.458206] __x64_sys_ioctl+0x93/0xd0\n[ 3437.458498] do_syscall_64+0x42/0xf0\n[ 3437.458779] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.459155]\n -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\n[ 3437.459615] down_read+0x3e/0x170\n[ 3437.459878] bch2_truncate+0x82/0x110 [bcachefs]\n[ 3437.460276] bchfs_truncate+0x254/0x3c0 [bcachefs]\n[ 3437.460686] notify_change+0x1f1/0x4a0\n[ 3437.461283] do_truncate+0x7f/0xd0\n[ 3437.461555] path_openat+0xa57/0xce0\n[ 3437.461836] do_filp_open+0xb4/0x160\n[ 3437.462116] do_sys_openat2+0x91/0xc0\n[ 3437.462402] __x64_sys_openat+0x53/0xa0\n[ 3437.462701] do_syscall_64+0x42/0xf0\n[ 3437.462982] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.463359]\n -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\n[ 3437.463843] down_write+0x3b/0xc0\n[ 3437.464223] bch2_write_iter+0x5b/0xcc0 [bcachefs]\n[ 3437.464493] vfs_write+0x21b/0x4c0\n[ 3437.464653] ksys_write+0x69/0xf0\n[ 3437.464839] do_syscall_64+0x42/0xf0\n[ 3437.465009] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.465231]\n -> #0 (sb_writers#10){.+.+}-{0:0}:\n[ 3437.465471] __lock_acquire+0x1455/0x21b0\n[ 3437.465656] lock_acquire+0xc6/0x2b0\n[ 3437.465822] mnt_want_write+0x46/0x1a0\n[ 3437.465996] filename_create+0x62/0x190\n[ 3437.466175] user_path_create+0x2d/0x50\n[ 3437.466352] bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\n[ 3437.466617] __x64_sys_ioctl+0x93/0xd0\n[ 3437.466791] do_syscall_64+0x42/0xf0\n[ 3437.466957] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.467180]\n other info that might help us debug this:\n\n[ 3437.469670] 2 locks held by bcachefs/35533:\n other info that might help us debug this:\n\n[ 3437.467507] Chain exists of:\n sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\n\n[ 3437.467979] Possible unsafe locking scenario:\n\n[ 3437.468223] CPU0 CPU1\n[ 3437.468405] ---- ----\n[ 3437.468585] rlock(&type->s_umount_key#48);\n[ 3437.468758] lock(&c->snapshot_create_lock);\n[ 3437.469030] lock(&type->s_umount_key#48);\n[ 3437.469291] rlock(sb_writers#10);\n[ 3437.469434]\n *** DEADLOCK ***\n\n[ 3437.469\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26658" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26661", + "dataSource": "https://ubuntu.com/security/CVE-2024-26661", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26661" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26661", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26661", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a", + "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667", + "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\n\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26661" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26662", + "dataSource": "https://ubuntu.com/security/CVE-2024-26662", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26662" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26662", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26662", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c863cab0e9173f8b6c7bc328bee3b8625f131b5", + "https://git.kernel.org/stable/c/2e150ccea13129eb048679114808eb9770443e4d", + "https://git.kernel.org/stable/c/e96fddb32931d007db12b1fce9b5e8e4c080401b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'\n\n'panel_cntl' structure used to control the display panel could be null,\ndereferencing it could lead to a null pointer access.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26662" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26669", + "dataSource": "https://ubuntu.com/security/CVE-2024-26669", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26669" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26669", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26669", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32f2a0afa95fae0d1ceec2ff06e0e816939964b8", + "https://git.kernel.org/stable/c/9ed46144cff3598a5cf79955630e795ff9af5b97", + "https://git.kernel.org/stable/c/c04709b2cc99ae31c346f79f0211752d7b74df01" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: Fix chain template offload\n\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\n\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\n\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\n\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\n\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[......\n 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc+0x4e/0x90\n [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n [] ___sys_sendmsg+0x13a/0x1e0\n [] __sys_sendmsg+0x11c/0x1f0\n [] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8.....\n 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m....\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc_node+0x51/0x90\n [] kvmalloc_node+0xa6/0x1f0\n [] bucket_table_alloc.isra.0+0x83/0x460\n [] rhashtable_init+0x43b/0x7c0\n [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26669" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26672", + "dataSource": "https://ubuntu.com/security/CVE-2024-26672", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26672" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26672", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26672", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4f32504a2f85a7b40fe149436881381f48e9c0c0", + "https://git.kernel.org/stable/c/7b5d58c07024516c0e81b95e98f37710cf402c53" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368)\n\n357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev,\n\t\t\t\t enum amdgpu_mca_error_type type,\n358 int idx, struct mca_bank_entry *entry)\n359 {\n360 const struct amdgpu_mca_smu_funcs *mca_funcs =\n\t\t\t\t\t\tadev->mca.mca_funcs;\n361 int count;\n362\n363 switch (type) {\n364 case AMDGPU_MCA_ERROR_TYPE_UE:\n365 count = mca_funcs->max_ue_count;\n\nmca_funcs is dereferenced here.\n\n366 break;\n367 case AMDGPU_MCA_ERROR_TYPE_CE:\n368 count = mca_funcs->max_ce_count;\n\nmca_funcs is dereferenced here.\n\n369 break;\n370 default:\n371 return -EINVAL;\n372 }\n373\n374 if (idx >= count)\n375 return -EINVAL;\n376\n377 if (mca_funcs && mca_funcs->mca_get_mca_entry)\n\t ^^^^^^^^^\n\nChecked too late!", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26672" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26677", + "dataSource": "https://ubuntu.com/security/CVE-2024-26677", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26677" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26677", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26677", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/200cb50b9e154434470c8969d32474d38475acc2", + "https://git.kernel.org/stable/c/63719f490e6a89896e9a463d2b45e8203eab23ae", + "https://git.kernel.org/stable/c/e7870cf13d20f56bfc19f9c3e89707c69cf104ef" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix delayed ACKs to not set the reference serial number\n\nFix the construction of delayed ACKs to not set the reference serial number\nas they can't be used as an RTT reference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26677" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26680", + "dataSource": "https://ubuntu.com/security/CVE-2024-26680", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26680" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26680", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26680", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/004fe5b7f59286a926a45e0cafc7870e9cdddd56", + "https://git.kernel.org/stable/c/2e7d3b67630dfd8f178c41fa2217aa00e79a5887", + "https://git.kernel.org/stable/c/466ceebe48cbba3f4506f165fca7111f9eb8bb12", + "https://git.kernel.org/stable/c/e42e334c645575be5432adee224975d4f536fdb1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: Fix DMA mapping for PTP hwts ring\n\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\n\nTrace:\n[ 215.351607] ------------[ cut here ]------------\n[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[ 215.581176] Call Trace:\n[ 215.583632] \n[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.594497] ? debug_dma_free_coherent+0x196/0x210\n[ 215.599305] ? check_unmap+0xa6f/0x2360\n[ 215.603147] ? __warn+0xca/0x1d0\n[ 215.606391] ? check_unmap+0xa6f/0x2360\n[ 215.610237] ? report_bug+0x1ef/0x370\n[ 215.613921] ? handle_bug+0x3c/0x70\n[ 215.617423] ? exc_invalid_op+0x14/0x50\n[ 215.621269] ? asm_exc_invalid_op+0x16/0x20\n[ 215.625480] ? check_unmap+0xa6f/0x2360\n[ 215.629331] ? mark_lock.part.0+0xca/0xa40\n[ 215.633445] debug_dma_free_coherent+0x196/0x210\n[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10\n[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0\n[ 215.648060] dma_free_attrs+0x6d/0x130\n[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]\n[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[ 216.127540] ---[ end trace 6467e5964dd2640b ]---\n[ 216.132160] DMA-API: Mapped at:\n[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0\n[ 216.132165] dma_alloc_attrs+0xf5/0x1b0\n[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-26680" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26686", + "dataSource": "https://ubuntu.com/security/CVE-2024-26686", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26686" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26686", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26686", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071", + "https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305", + "https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\n\nlock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\n\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26686" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26687", + "dataSource": "https://ubuntu.com/security/CVE-2024-26687", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26687" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26687", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26687", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd", + "https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4", + "https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5", + "https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44", + "https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b", + "https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3", + "https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: close evtchn after mapping cleanup\n\nshutdown_pirq and startup_pirq are not taking the\nirq_mapping_update_lock because they can't due to lock inversion. Both\nare called with the irq_desc->lock being taking. The lock order,\nhowever, is first irq_mapping_update_lock and then irq_desc->lock.\n\nThis opens multiple races:\n- shutdown_pirq can be interrupted by a function that allocates an event\n channel:\n\n CPU0 CPU1\n shutdown_pirq {\n xen_evtchn_close(e)\n __startup_pirq {\n EVTCHNOP_bind_pirq\n -> returns just freed evtchn e\n set_evtchn_to_irq(e, irq)\n }\n xen_irq_info_cleanup() {\n set_evtchn_to_irq(e, -1)\n }\n }\n\n Assume here event channel e refers here to the same event channel\n number.\n After this race the evtchn_to_irq mapping for e is invalid (-1).\n\n- __startup_pirq races with __unbind_from_irq in a similar way. Because\n __startup_pirq doesn't take irq_mapping_update_lock it can grab the\n evtchn that __unbind_from_irq is currently freeing and cleaning up. In\n this case even though the event channel is allocated, its mapping can\n be unset in evtchn_to_irq.\n\nThe fix is to first cleanup the mappings and then close the event\nchannel. In this way, when an event channel gets allocated it's\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\nThis is also the reverse order of the allocation where first the event\nchannel is allocated and then the mappings are setup.\n\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\"xen/events: modify internal\n[un]bind interfaces\"), we hit a BUG like the following during probing of NVMe\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\nis called for every device which results in a call to shutdown_pirq.\nWith many nvme devices it's therefore likely to hit this race during\nboot because there will be multiple calls to shutdown_pirq and\nstartup_pirq are running potentially in parallel.\n\n ------------[ cut here ]------------\n blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\n kernel BUG at drivers/xen/events/events_base.c:499!\n invalid opcode: 0000 [#1] SMP PTI\n CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\n Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\n Workqueue: nvme-reset-wq nvme_reset_work\n RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\n Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\n RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\n RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\n RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\n FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? set_affinity_irq+0xdc/0x1c0\n ? __die_body.cold+0x8/0xd\n ? die+0x2b/0x50\n ? do_trap+0x90/0x110\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? do_error_trap+0x65/0x80\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? exc_invalid_op+0x4e/0x70\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? asm_exc_invalid_op+0x12/0x20\n ? bind_evtchn_to_cpu+0xdf/0x\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26687" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26691", + "dataSource": "https://ubuntu.com/security/CVE-2024-26691", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26691" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26691", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26691", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10c02aad111df02088d1a81792a709f6a7eca6cc", + "https://git.kernel.org/stable/c/3ab1c40a1e915e350d9181a4603af393141970cc", + "https://git.kernel.org/stable/c/3d16cebf01127f459dcfeb79ed77bd68b124c228" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix circular locking dependency\n\nThe rule inside kvm enforces that the vcpu->mutex is taken *inside*\nkvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires\nthe kvm->lock while already holding the vcpu->mutex lock from\nkvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by\nprotecting the hyp vm handle with the config_lock, much like we already\ndo for other forms of VM-scoped data.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26691" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26699", + "dataSource": "https://ubuntu.com/security/CVE-2024-26699", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26699" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26699", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26699", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/46806e59a87790760870d216f54951a5b4d545bc", + "https://git.kernel.org/stable/c/ca400d8e0c1c9d79c08dfb6b7f966e26c8cae7fb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr\n\n[Why]\nThere is a potential memory access violation while\niterating through array of dcn35 clks.\n\n[How]\nLimit iteration per array size.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26699" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26700", + "dataSource": "https://ubuntu.com/security/CVE-2024-26700", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26700" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26700", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26700", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238", + "https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f", + "https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5", + "https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix MST Null Ptr for RV\n\nThe change try to fix below error specific to RV platform:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\nHardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n ? _copy_to_user+0x25/0x30\n ? drm_ioctl+0x296/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n drm_ioctl_kernel+0xcd/0x170\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x60/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4dad17f76f\nCode: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>\nRSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f\nRDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b\nRBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc\nR13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0\n \nModules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >\n typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>\nCR2: 0000000000000008\n---[ end trace 0000000000000000 ]---\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26700" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26714", + "dataSource": "https://ubuntu.com/security/CVE-2024-26714", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26714" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26714", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26714", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6616d3c4f8284a7b3ef978c916566bd240cea1c7", + "https://git.kernel.org/stable/c/7a3a70dd08e4b7dffc2f86f2c68fc3812804b9d0", + "https://git.kernel.org/stable/c/85e985a4f46e462a37f1875cb74ed380e7c0c2e0", + "https://git.kernel.org/stable/c/d8e36ff40cf9dadb135f3a97341c02c9a7afcc43" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: sc8180x: Mark CO0 BCM keepalive\n\nThe CO0 BCM needs to be up at all times, otherwise some hardware (like\nthe UFS controller) loses its connection to the rest of the SoC,\nresulting in a hang of the platform, accompanied by a spectacular\nlogspam.\n\nMark it as keepalive to prevent such cases.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26714" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26718", + "dataSource": "https://ubuntu.com/security/CVE-2024-26718", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26718" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26718", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26718", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189", + "https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257", + "https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94", + "https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt, dm-verity: disable tasklets\n\nTasklets have an inherent problem with memory corruption. The function\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\nthe structure that contains the tasklet or if it calls some code that may\nfree it, tasklet_unlock will write into free memory.\n\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\nit is not a sufficient fix and the data corruption can still happen [1].\nThere is no fix for dm-verity and dm-verity will write into free memory\nwith every tasklet-processed bio.\n\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. They\nwill have better interface and they will not suffer from the memory\ncorruption problem.\n\nBut we need something that stops the memory corruption now and that can be\nbackported to the stable kernels. So, I'm proposing this commit that\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn't\nremove the tasklet support, because the tasklet code will be reused when\natomic workqueues will be implemented.\n\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26718" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26719", + "dataSource": "https://ubuntu.com/security/CVE-2024-26719", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26719" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26719", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26719", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39126abc5e20611579602f03b66627d7cd1422f0", + "https://git.kernel.org/stable/c/985d053f7633d8b539ab1531738d538efac678a9", + "https://git.kernel.org/stable/c/cc0037fa592d56e4abb9c7d1c52c4d2dc25cd906" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: offload fence uevents work to workqueue\n\nThis should break the deadlock between the fctx lock and the irq lock.\n\nThis offloads the processing off the work from the irq into a workqueue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26719" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26726", + "dataSource": "https://ubuntu.com/security/CVE-2024-26726", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26726" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26726", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26726", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555", + "https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade", + "https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7", + "https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't drop extent_map for free space inode on write error\n\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\n\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n \n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again. However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping. Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\n\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping. This is\nnormal for normal files, but the free space cache inode is special. We\nalways expect the extent map to be correct. Thus the second time\nthrough we end up with a bogus extent map.\n\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\n\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce. With this patch in place we no longer panic\nwith my error injection test.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26726" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26727", + "dataSource": "https://ubuntu.com/security/CVE-2024-26727", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26727" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26727", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26727", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f", + "https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468", + "https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d", + "https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430", + "https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb", + "https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not ASSERT() if the newly created subvolume already got read\n\n[BUG]\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\ncreation:\n\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/disk-io.c:1319!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\n \n btrfs_get_new_fs_root+0xd3/0xf0\n create_subvol+0xd02/0x1650\n btrfs_mksubvol+0xe95/0x12b0\n __btrfs_ioctl_snap_create+0x2f9/0x4f0\n btrfs_ioctl_snap_create+0x16b/0x200\n btrfs_ioctl+0x35f0/0x5cf0\n __x64_sys_ioctl+0x19d/0x210\n do_syscall_64+0x3f/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nDuring create_subvol(), after inserting root item for the newly created\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\nbtrfs_root of that subvolume.\n\nThe idea here is, we have preallocated an anonymous device number for\nthe subvolume, thus we can assign it to the new subvolume.\n\nBut there is really nothing preventing things like backref walk to read\nthe new subvolume.\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\nwould be read out, with a new anonymous device number assigned already.\n\nIn that case, we would trigger ASSERT(), as we really expect no one to\nread out that subvolume (which is not yet accessible from the fs).\nBut things like backref walk is still possible to trigger the read on\nthe subvolume.\n\nThus our assumption on the ASSERT() is not correct in the first place.\n\n[FIX]\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\nto 0, and continue.\n\nIf the subvolume tree is read out by something else, it should have\nalready get a new anon_dev assigned thus we only need to free the\npreallocated one.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26727" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26739", + "dataSource": "https://ubuntu.com/security/CVE-2024-26739", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26739" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26739", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26739", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210", + "https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d", + "https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: don't override retval if we already lost the skb\n\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\n\nMove the retval override to the error path which actually need it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26739" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26740", + "dataSource": "https://ubuntu.com/security/CVE-2024-26740", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26740" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26740", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26740", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17", + "https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be", + "https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: use the backlog for mirred ingress\n\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\n\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\n\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26740" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26742", + "dataSource": "https://ubuntu.com/security/CVE-2024-26742", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26742" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26742", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26742", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe", + "https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df", + "https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a", + "https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix disable_managed_interrupts\n\nCorrect blk-mq registration issue with module parameter\ndisable_managed_interrupts enabled.\n\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\nundefined behavior.\n\nStack Trace:\n[ 7.860089] scsi host2: smartpqi\n[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\n[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\n[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\n[ 7.963026] Workqueue: events work_for_cpu_fn\n[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\n[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\n[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\n[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\n[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\n[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00\n[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\n[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\n[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\n[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\n[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8.172818] PKRU: 55555554\n[ 8.172819] Call Trace:\n[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310\n[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245\n[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]\n[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.323286] local_pci_probe+0x42/0x80\n[ 8.337855] work_for_cpu_fn+0x16/0x20\n[ 8.351193] process_one_work+0x1a7/0x360\n[ 8.364462] ? create_worker+0x1a0/0x1a0\n[ 8.379252] worker_thread+0x1ce/0x390\n[ 8.392623] ? create_worker+0x1a0/0x1a0\n[ 8.406295] kthread+0x10a/0x120\n[ 8.418428] ? set_kthread_struct+0x50/0x50\n[ 8.431532] ret_from_fork+0x1f/0x40\n[ 8.444137] ---[ end trace 1bf0173d39354506 ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26742" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26756", + "dataSource": "https://ubuntu.com/security/CVE-2024-26756", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26756" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26756", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26756", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417", + "https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't register sync_thread for reshape directly\n\nCurrently, if reshape is interrupted, then reassemble the array will\nregister sync_thread directly from pers->run(), in this case\n'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\nbecause 'MD_RECOVERY_RUNNING' can't be cleared.\n\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\nhowever, following hang can still be triggered by dm-raid test\nshell/lvconvert-raid-reshape.sh occasionally:\n\n[root@fedora ~]# cat /proc/1982/stack\n[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]\n[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\n[<0>] raid_presuspend+0x1e/0x70 [dm_raid]\n[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\n[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]\n[<0>] dm_destroy+0x16/0x30 [dm_mod]\n[<0>] dev_remove+0x165/0x290 [dm_mod]\n[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\n[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]\n[<0>] vfs_ioctl+0x21/0x60\n[<0>] __x64_sys_ioctl+0xb9/0xe0\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nMeanwhile mddev->recovery is:\nMD_RECOVERY_RUNNING |\nMD_RECOVERY_INTR |\nMD_RECOVERY_RESHAPE |\nMD_RECOVERY_FROZEN\n\nFix this problem by remove the code to register sync_thread directly\nfrom raid10 and raid5. And let md_check_recovery() to register\nsync_thread.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26756" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26757", + "dataSource": "https://ubuntu.com/security/CVE-2024-26757", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26757" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26757", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26757", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3", + "https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore read-only array in md_check_recovery()\n\nUsually if the array is not read-write, md_check_recovery() won't\nregister new sync_thread in the first place. And if the array is\nread-write and sync_thread is registered, md_set_readonly() will\nunregister sync_thread before setting the array read-only. md/raid\nfollow this behavior hence there is no problem.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) array is read-only. dm-raid update super block:\nrs_update_sbs\n ro = mddev->ro\n mddev->ro = 0\n -> set array read-write\n md_update_sb\n\n2) register new sync thread concurrently.\n\n3) dm-raid set array back to read-only:\nrs_update_sbs\n mddev->ro = ro\n\n4) stop the array:\nraid_dtr\n md_stop\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n5) sync thread done:\n md_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n6) daemon thread can't unregister sync thread:\n md_check_recovery\n if (!md_is_rdwr(mddev) &&\n !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))\n return;\n -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;\n\nThe root cause is that dm-raid manipulate 'mddev->ro' by itself,\nhowever, dm-raid really should stop sync thread before setting the\narray read-only. Unfortunately, I need to read more code before I\ncan refacter the handler of 'mddev->ro' in dm-raid, hence let's fix\nthe problem the easy way for now to prevent dm-raid regression.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26757" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26758", + "dataSource": "https://ubuntu.com/security/CVE-2024-26758", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26758" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26758", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26758", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757", + "https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore suspended array in md_check_recovery()\n\nmddev_suspend() never stop sync_thread, hence it doesn't make sense to\nignore suspended array in md_check_recovery(), which might cause\nsync_thread can't be unregistered.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) suspend the array:\nraid_postsuspend\n mddev_suspend\n\n2) stop the array:\nraid_dtr\n md_stop\n __md_stop_writes\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n3) sync thread done:\nmd_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n4) daemon thread can't unregister sync thread:\nmd_check_recovery\n if (mddev->suspended)\n return; -> return directly\n md_read_sync_thread\n clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);\n -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;\n\nThis problem is not just related to dm-raid, fix it by ignoring\nsuspended array in md_check_recovery(). And follow up patches will\nimprove dm-raid better to frozen sync thread during suspend.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26758" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26759", + "dataSource": "https://ubuntu.com/security/CVE-2024-26759", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26759" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26759", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26759", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458", + "https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95", + "https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a", + "https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix race when skipping swapcache\n\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\nswapin the same entry at the same time, they get different pages (A, B). \nBefore one thread (T0) finishes the swapin and installs page (A) to the\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\nentry, then swap out the possibly modified page reusing the same entry. \nIt breaks the pte_same check in (T0) because PTE value is unchanged,\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\nPTE and cause data corruption.\n\nOne possible callstack is like this:\n\nCPU0 CPU1\n---- ----\ndo_swap_page() do_swap_page() with same entry\n \n \nswap_read_folio() <- read to page A swap_read_folio() <- read to page B\n \n... set_pte_at()\n swap_free() <- entry is free\n \n \npte_same() <- Check pass, PTE seems\n unchanged, but page A\n is stalled!\nswap_free() <- page B content lost!\nset_pte_at() <- staled page A installed!\n\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\nentry content, so even if page (B) is not modified, if swap_read_folio()\non CPU0 happens later than swap_free() on CPU1, it may also cause data\nloss.\n\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\nthe cache flag, and allow only one thread to swap it in, also prevent any\nparallel code from putting the entry in the cache. Release the pin after\nPT unlocked.\n\nRacers just loop and wait since it's a rare and very short event. A\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\nfaults wasting too much CPU, causing livelock or adding too much noise to\nperf statistics. A similar livelock issue was described in commit\n029c4628b2eb (\"mm: swap: get rid of livelock in swapin readahead\")\n\nReproducer:\n\nThis race issue can be triggered easily using a well constructed\nreproducer and patched brd (with a delay in read path) [1]:\n\nWith latest 6.8 mainline, race caused data loss can be observed easily:\n$ gcc -g -lpthread test-thread-swap-race.c && ./a.out\n Polulating 32MB of memory region...\n Keep swapping out...\n Starting round 0...\n Spawning 65536 workers...\n 32746 workers spawned, wait for done...\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\n Round 0 Failed, 15 data loss!\n\nThis reproducer spawns multiple threads sharing the same memory region\nusing a small swap device. Every two threads updates mapped pages one by\none in opposite direction trying to create a race, with one dedicated\nthread keep swapping out the data out using madvise.\n\nThe reproducer created a reproduce rate of about once every 5 minutes, so\nthe race should be totally possible in production.\n\nAfter this patch, I ran the reproducer for over a few hundred rounds and\nno data loss observed.\n\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\nzram:\n\nBefore: 10934698 us\nAfter: 11157121 us\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\n\n[kasong@tencent.com: v4]\n Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26759" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26767", + "dataSource": "https://ubuntu.com/security/CVE-2024-26767", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26767" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26767", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26767", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738", + "https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375", + "https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fixed integer types and null check locations\n\n[why]:\nissues fixed:\n- comparison with wider integer type in loop condition which can cause\ninfinite loops\n- pointer dereference before null check", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26767" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26770", + "dataSource": "https://ubuntu.com/security/CVE-2024-26770", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26770" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26770", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26770", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100", + "https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183", + "https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.\n\n[jkosina@suse.com: tweak changelog a bit]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26770" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26775", + "dataSource": "https://ubuntu.com/security/CVE-2024-26775", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26775" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26775", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26775", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77", + "https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26", + "https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c", + "https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: avoid potential deadlock at set_capacity\n\nMove set_capacity() outside of the section procected by (&d->lock).\nTo avoid possible interrupt unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n[1] lock(&bdev->bd_size_lock);\n local_irq_disable();\n [2] lock(&d->lock);\n [3] lock(&bdev->bd_size_lock);\n \n[4] lock(&d->lock);\n\n *** DEADLOCK ***\n\nWhere [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().\n[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\nis trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.\nIn this situation an attempt to acquire [4]lock(&d->lock) from\naoecmd_cfg_rsp() will lead to deadlock.\n\nSo the simplest solution is breaking lock dependency\n[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()\noutside.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26775" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26800", + "dataSource": "https://ubuntu.com/security/CVE-2024-26800", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26800" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26800", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26800", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0", + "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1", + "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe", + "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26800" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26807", + "dataSource": "https://ubuntu.com/security/CVE-2024-26807", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26807" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26807", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26807", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61", + "https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc", + "https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBoth cadence-quadspi ->runtime_suspend() and ->runtime_resume()\nimplementations start with:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nThis obviously cannot be correct, unless \"struct cqspi_st\" is the\nfirst member of \" struct spi_controller\", or the other way around, but\nit is not the case. \"struct spi_controller\" is allocated by\ndevm_spi_alloc_host(), which allocates an extra amount of memory for\nprivate data, used to store \"struct cqspi_st\".\n\nThe ->probe() function of the cadence-quadspi driver then sets the\ndevice drvdata to store the address of the \"struct cqspi_st\"\nstructure. Therefore:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\nis correct, but:\n\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nis not, as it makes \"host\" point not to a \"struct spi_controller\" but\nto the same \"struct cqspi_st\" structure as above.\n\nThis obviously leads to bad things (memory corruption, kernel crashes)\ndirectly during ->probe(), as ->probe() enables the device using PM\nruntime, leading the ->runtime_resume() hook being called, which in\nturns calls spi_controller_resume() with the wrong pointer.\n\nThis has at least been reported [0] to cause a kernel crash, but the\nexact behavior will depend on the memory contents.\n\n[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/\n\nThis issue potentially affects all platforms that are currently using\nthe cadence-quadspi driver.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26807" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26810", + "dataSource": "https://ubuntu.com/security/CVE-2024-26810", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26810" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26810", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26810", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03505e3344b0576fd619416793a31eae9c5b73bf", + "https://git.kernel.org/stable/c/04a4a017b9ffd7b0f427b8c376688d14cb614651", + "https://git.kernel.org/stable/c/1e71b6449d55179170efc8dee8664510bb813b42", + "https://git.kernel.org/stable/c/3dd9be6cb55e0f47544e7cdda486413f7134e3b3", + "https://git.kernel.org/stable/c/3fe0ac10bd117df847c93408a9d428a453cd60e5", + "https://git.kernel.org/stable/c/6fe478d855b20ac1eb5da724afe16af5a2aaaa40", + "https://git.kernel.org/stable/c/810cd4bb53456d0503cc4e7934e063835152c1b7", + "https://git.kernel.org/stable/c/ec73e079729258a05452356cf6d098bf1504d5a6", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Lock external INTx masking ops\n\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl. Create wrappers that add locking for\npaths outside of the core interrupt code.\n\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate. For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\n\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured. A subsequent patch introduces synchronization for\nthe latter flows.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26810" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26811", + "dataSource": "https://ubuntu.com/security/CVE-2024-26811", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26811" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26811", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26811", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/51a6c2af9d20203ddeeaf73314ba8854b38d01bd", + "https://git.kernel.org/stable/c/76af689a45aa44714b46d1a7de4ffdf851ded896", + "https://git.kernel.org/stable/c/88b7f1143b15b29cccb8392b4f38e75b7bb3e300", + "https://git.kernel.org/stable/c/a637fabac554270a851033f5ab402ecb90bc479c", + "https://git.kernel.org/stable/c/a677ebd8ca2f2632ccdecbad7b87641274e15aac" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate payload size in ipc response\n\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\nresponse to ksmbd kernel server. ksmbd should validate payload size of\nipc response from ksmbd.mountd to avoid memory overrun or\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26811" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26812", + "dataSource": "https://ubuntu.com/security/CVE-2024-26812", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26812" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26812", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26812", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034", + "https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d", + "https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897", + "https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834", + "https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c", + "https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e", + "https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3", + "https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those. The igate mutex cannot be acquired from the\natomic context of the eventfd wake function. Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd. Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26812" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26813", + "dataSource": "https://ubuntu.com/security/CVE-2024-26813", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26813" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26813", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26813", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e", + "https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5", + "https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29", + "https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086", + "https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375", + "https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362", + "https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a", + "https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path. This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal. This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it's guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26813" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26814", + "dataSource": "https://ubuntu.com/security/CVE-2024-26814", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26814" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26814", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26814", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/083e750c9f5f4c3bf61161330fb84d7c8e8bb417", + "https://git.kernel.org/stable/c/250219c6a556f8c69c5910fca05a59037e24147d", + "https://git.kernel.org/stable/c/6ec0d88166dac43f29e96801c0927d514f17add9", + "https://git.kernel.org/stable/c/7447d911af699a15f8d050dfcb7c680a86f87012", + "https://git.kernel.org/stable/c/a563fc18583ca4f42e2fdd0c70c7c618288e7ede", + "https://git.kernel.org/stable/c/de87511fb0404d23b6da5f4660383b6ed095e28d", + "https://git.kernel.org/stable/c/ee0bd4ad780dfbb60355b99f25063357ab488267", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/fsl-mc: Block calling interrupt handler without trigger\n\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the user sets the trigger\neventfd to -1. The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger. The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\n\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26814" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26817", + "dataSource": "https://ubuntu.com/security/CVE-2024-26817", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26817" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26817", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c33d11153949310d76631d8f4a4736519eacd3a", + "https://git.kernel.org/stable/c/315eb3c2df7e4cb18e3eacfa18a53a46f2bf0ef7", + "https://git.kernel.org/stable/c/3b0daecfeac0103aba8b293df07a0cbaf8b43f29", + "https://git.kernel.org/stable/c/8b0564704255c6b3c6a7188e86939f754e1577c0", + "https://git.kernel.org/stable/c/cbac7de1d9901521e78cdc34e15451df3611f2ad", + "https://git.kernel.org/stable/c/e6721ea845fcb93a764a92bd40f1afc0d6c69751", + "https://git.kernel.org/stable/c/e6768c6737f4c02cba193a3339f0cc2907f0b86a", + "https://git.kernel.org/stable/c/fcbd99b3c73309107e3be71f20dff9414df64f91", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\namdkfd: use calloc instead of kzalloc to avoid integer overflow\n\nThis uses calloc instead of doing the multiplication which might\noverflow.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26817" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26822", + "dataSource": "https://ubuntu.com/security/CVE-2024-26822", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26822" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26822", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26822", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4508ec17357094e2075f334948393ddedbb75157", + "https://git.kernel.org/stable/c/7590ba9057c6d74c66f3b909a383ec47cd2f27fb", + "https://git.kernel.org/stable/c/c2aa2718cda2d56b4a551cb40043e9abc9684626" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: set correct id, uid and cruid for multiuser automounts\n\nWhen uid, gid and cruid are not specified, we need to dynamically\nset them into the filesystem context used for automounting otherwise\nthey'll end up reusing the values from the parent mount.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26822" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26828", + "dataSource": "https://ubuntu.com/security/CVE-2024-26828", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26828" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26828", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26828", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512", + "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204", + "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301", + "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need. However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t. That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26828" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26830", + "dataSource": "https://ubuntu.com/security/CVE-2024-26830", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26830" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26830", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26830", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c981792e4ccbc134b468797acdd7781959e6893", + "https://git.kernel.org/stable/c/73d9629e1c8c1982f13688c4d1019c3994647ccc", + "https://git.kernel.org/stable/c/be147926140ac48022c9605d7ab0a67387e4b404", + "https://git.kernel.org/stable/c/d250a81ba813a93563be68072c563aa1e346346d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not allow untrusted VF to remove administratively set MAC\n\nCurrently when PF administratively sets VF's MAC address and the VF\nis put down (VF tries to delete all MACs) then the MAC is removed\nfrom MAC filters and primary VF MAC is zeroed.\n\nDo not allow untrusted VF to remove primary MAC when it was set\nadministratively by PF.\n\nReproducer:\n1) Create VF\n2) Set VF interface up\n3) Administratively set the VF's MAC\n4) Put VF interface down\n\n[root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs\n[root@host ~]# ip link set enp2s0f0v0 up\n[root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\n[root@host ~]# ip link set enp2s0f0v0 down\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-26830" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26837", + "dataSource": "https://ubuntu.com/security/CVE-2024-26837", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26837" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26837", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26837", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2d5b4b3376fa146a23917b8577064906d643925f", + "https://git.kernel.org/stable/c/603be95437e7fd85ba694e75918067fb9e7754db", + "https://git.kernel.org/stable/c/dc489f86257cab5056e747344f17a164f63bff4b", + "https://git.kernel.org/stable/c/e0b4c5b1d760008f1dd18c07c35af0442e54f9c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: switchdev: Skip MDB replays of deferred events on offload\n\nBefore this change, generation of the list of MDB events to replay\nwould race against the creation of new group memberships, either from\nthe IGMP/MLD snooping logic or from user configuration.\n\nWhile new memberships are immediately visible to walkers of\nbr->mdb_list, the notification of their existence to switchdev event\nsubscribers is deferred until a later point in time. So if a replay\nlist was generated during a time that overlapped with such a window,\nit would also contain a replay of the not-yet-delivered event.\n\nThe driver would thus receive two copies of what the bridge internally\nconsidered to be one single event. On destruction of the bridge, only\na single membership deletion event was therefore sent. As a\nconsequence of this, drivers which reference count memberships (at\nleast DSA), would be left with orphan groups in their hardware\ndatabase when the bridge was destroyed.\n\nThis is only an issue when replaying additions. While deletion events\nmay still be pending on the deferred queue, they will already have\nbeen removed from br->mdb_list, so no duplicates can be generated in\nthat scenario.\n\nTo a user this meant that old group memberships, from a bridge in\nwhich a port was previously attached, could be reanimated (in\nhardware) when the port joined a new bridge, without the new bridge's\nknowledge.\n\nFor example, on an mv88e6xxx system, create a snooping bridge and\nimmediately add a port to it:\n\n root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\\n > ip link set dev x3 up master br0\n\nAnd then destroy the bridge:\n\n root@infix-06-0b-00:~$ ip link del dev br0\n root@infix-06-0b-00:~$ mvls atu\n ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a\n DEV:0 Marvell 88E6393X\n 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . .\n 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . .\n ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a\n root@infix-06-0b-00:~$\n\nThe two IPv6 groups remain in the hardware database because the\nport (x3) is notified of the host's membership twice: once via the\noriginal event and once via a replay. Since only a single delete\nnotification is sent, the count remains at 1 when the bridge is\ndestroyed.\n\nThen add the same port (or another port belonging to the same hardware\ndomain) to a new bridge, this time with snooping disabled:\n\n root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\\n > ip link set dev x3 up master br1\n\nAll multicast, including the two IPv6 groups from br0, should now be\nflooded, according to the policy of br1. But instead the old\nmemberships are still active in the hardware database, causing the\nswitch to only forward traffic to those groups towards the CPU (port\n0).\n\nEliminate the race in two steps:\n\n1. Grab the write-side lock of the MDB while generating the replay\n list.\n\nThis prevents new memberships from showing up while we are generating\nthe replay list. But it leaves the scenario in which a deferred event\nwas already generated, but not delivered, before we grabbed the\nlock. Therefore:\n\n2. Make sure that no deferred version of a replay event is already\n enqueued to the switchdev deferred queue, before adding it to the\n replay list, when replaying additions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26837" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26842", + "dataSource": "https://ubuntu.com/security/CVE-2024-26842", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26842" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26842", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26842", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe", + "https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb", + "https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()\n\nWhen task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<\ntask_tag will out of bounds for a u32 mask. Fix this up to prevent\nSHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).\n\n[name:debug_monitors&]Unexpected kernel BRK exception at EL1\n[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP\n[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done\n[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000\n[name:mrdump&]PHYS_OFFSET: 0x80000000\n[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)\n[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288\n[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n[name:mrdump&]sp : ffffffc0081471b0\n\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler\nCall trace:\n dump_backtrace+0xf8/0x144\n show_stack+0x18/0x24\n dump_stack_lvl+0x78/0x9c\n dump_stack+0x18/0x44\n mrdump_common_die+0x254/0x480 [mrdump]\n ipanic_die+0x20/0x30 [mrdump]\n notify_die+0x15c/0x204\n die+0x10c/0x5f8\n arm64_notify_die+0x74/0x13c\n do_debug_exception+0x164/0x26c\n el1_dbg+0x64/0x80\n el1h_64_sync_handler+0x3c/0x90\n el1h_64_sync+0x68/0x6c\n ufshcd_clear_cmd+0x280/0x288\n ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n ufshcd_exec_dev_cmd+0x5bc/0x9ac\n ufshcd_verify_dev_init+0x84/0x1c8\n ufshcd_probe_hba+0x724/0x1ce0\n ufshcd_host_reset_and_restore+0x260/0x574\n ufshcd_reset_and_restore+0x138/0xbd0\n ufshcd_err_handler+0x1218/0x2f28\n process_one_work+0x5fc/0x1140\n worker_thread+0x7d8/0xe20\n kthread+0x25c/0x468\n ret_from_fork+0x10/0x20", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26842" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26844", + "dataSource": "https://ubuntu.com/security/CVE-2024-26844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26844", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956", + "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6", + "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b", + "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix WARNING in _copy_from_iter\n\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzcaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\n\nThus the iovec is used in both directions.\n\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26844" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26848", + "dataSource": "https://ubuntu.com/security/CVE-2024-26848", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26848" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26848", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26848", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/058ed71e0f7aa3b6694ca357e23d084e5d3f2470", + "https://git.kernel.org/stable/c/106e14ca55a0acb3236ee98813a1d243f8aa2d05", + "https://git.kernel.org/stable/c/2afdd0cb02329464d77f3ec59468395c791a51a4", + "https://git.kernel.org/stable/c/5c78be006ed9cb735ac2abf4fd64f3f4ea26da31", + "https://git.kernel.org/stable/c/5f7a07646655fb4108da527565dcdc80124b14c4", + "https://git.kernel.org/stable/c/76426abf9b980b46983f97de8e5b25047b4c9863", + "https://git.kernel.org/stable/c/80b15346492bdba677bbb0adefc611910e505f7b", + "https://git.kernel.org/stable/c/854ebf45a4ddd4cadeffb6644e88d19020634e1a", + "https://git.kernel.org/stable/c/96370ba395c572ef496fd2c7afc4a1ab3dedd3f0", + "https://git.kernel.org/stable/c/9c41f4935625218a2053a2dce1423c3054169809", + "https://git.kernel.org/stable/c/a6ffae61ad9ebf2fdcb943135b2f30c85f49cd27", + "https://git.kernel.org/stable/c/b94f434fe977689da4291dc21717790b9bd1c064", + "https://git.kernel.org/stable/c/f67898867b6b0f4542cddc7fe57997978b948a7a", + "https://git.kernel.org/stable/c/fe02316e4933befc621fa125efb8f8b4d04cceec", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix endless loop in directory parsing\n\nIf a directory has a block with only \".__afsXXXX\" files in it (from\nuncompleted silly-rename), these .__afsXXXX files are skipped but without\nadvancing the file position in the dir_context. This leads to\nafs_dir_iterate() repeating the block again and again.\n\nFix this by making the code that skips the .__afsXXXX file also manually\nadvance the file position.\n\nThe symptoms are a soft lookup:\n\n watchdog: BUG: soft lockup - CPU#3 stuck for 52s! [check:5737]\n ...\n RIP: 0010:afs_dir_iterate_block+0x39/0x1fd\n ...\n ? watchdog_timer_fn+0x1a6/0x213\n ...\n ? asm_sysvec_apic_timer_interrupt+0x16/0x20\n ? afs_dir_iterate_block+0x39/0x1fd\n afs_dir_iterate+0x10a/0x148\n afs_readdir+0x30/0x4a\n iterate_dir+0x93/0xd3\n __do_sys_getdents64+0x6b/0xd4\n\nThis is almost certainly the actual fix for:\n\n https://bugzilla.kernel.org/show_bug.cgi?id=218496", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26848" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26853", + "dataSource": "https://ubuntu.com/security/CVE-2024-26853", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26853" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26853", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26853", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b3b8231386a572bac8cd5b6fd7e944b84f9bb1f", + "https://git.kernel.org/stable/c/63a3c1f3c9ecc654d851e7906d05334cd0c236e2", + "https://git.kernel.org/stable/c/8df393af9e7e8dfd62e9c41dbaa4d2ff53bf794a", + "https://git.kernel.org/stable/c/ef27f655b438bed4c83680e4f01e1cde2739854b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: avoid returning frame twice in XDP_REDIRECT\n\nWhen a frame can not be transmitted in XDP_REDIRECT\n(e.g. due to a full queue), it is necessary to free\nit by calling xdp_return_frame_rx_napi.\n\nHowever, this is the responsibility of the caller of\nthe ndo_xdp_xmit (see for example bq_xmit_all in\nkernel/bpf/devmap.c) and thus calling it inside\nigc_xdp_xmit (which is the ndo_xdp_xmit of the igc\ndriver) as well will lead to memory corruption.\n\nIn fact, bq_xmit_all expects that it can return all\nframes after the last successfully transmitted one.\nTherefore, break for the first not transmitted frame,\nbut do not call xdp_return_frame_rx_napi in igc_xdp_xmit.\nThis is equally implemented in other Intel drivers\nsuch as the igb.\n\nThere are two alternatives to this that were rejected:\n1. Return num_frames as all the frames would have been\n transmitted and release them inside igc_xdp_xmit.\n While it might work technically, it is not what\n the return value is meant to represent (i.e. the\n number of SUCCESSFULLY transmitted packets).\n2. Rework kernel/bpf/devmap.c and all drivers to\n support non-consecutively dropped packets.\n Besides being complex, it likely has a negative\n performance impact without a significant gain\n since it is anyway unlikely that the next frame\n can be transmitted if the previous one was dropped.\n\nThe memory corruption can be reproduced with\nthe following script which leads to a kernel panic\nafter a few seconds. It basically generates more\ntraffic than a i225 NIC can transmit and pushes it\nvia XDP_REDIRECT from a virtual interface to the\nphysical interface where frames get dropped.\n\n #!/bin/bash\n INTERFACE=enp4s0\n INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`\n\n sudo ip link add dev veth1 type veth peer name veth2\n sudo ip link set up $INTERFACE\n sudo ip link set up veth1\n sudo ip link set up veth2\n\n cat << EOF > redirect.bpf.c\n\n SEC(\"prog\")\n int redirect(struct xdp_md *ctx)\n {\n return bpf_redirect($INTERFACE_IDX, 0);\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o\n sudo ip link set veth2 xdp obj redirect.bpf.o\n\n cat << EOF > pass.bpf.c\n\n SEC(\"prog\")\n int pass(struct xdp_md *ctx)\n {\n return XDP_PASS;\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o\n sudo ip link set $INTERFACE xdp obj pass.bpf.o\n\n cat << EOF > trafgen.cfg\n\n {\n /* Ethernet Header */\n 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,\n 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,\n const16(ETH_P_IP),\n\n /* IPv4 Header */\n 0b01000101, 0, # IPv4 version, IHL, TOS\n const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header))\n const16(2), # IPv4 ident\n 0b01000000, 0, # IPv4 flags, fragmentation off\n 64, # IPv4 TTL\n 17, # Protocol UDP\n csumip(14, 33), # IPv4 checksum\n\n /* UDP Header */\n 10, 0, 1, 1, # IP Src - adapt as needed\n 10, 0, 1, 2, # IP Dest - adapt as needed\n const16(6666), # UDP Src Port\n const16(6666), # UDP Dest Port\n const16(1008), # UDP length (UDP header 8 bytes + payload length)\n csumudp(14, 34), # UDP checksum\n\n /* Payload */\n fill('W', 1000),\n }\n EOF\n\n sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26853" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26866", + "dataSource": "https://ubuntu.com/security/CVE-2024-26866", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26866" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26866", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26866", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1543418e82789cc383cd36d41469983c64e3fc7f", + "https://git.kernel.org/stable/c/2ae0ab0143fcc06190713ed81a6486ed0ad3c861", + "https://git.kernel.org/stable/c/996ce839606afd0fef91355627868022aa73eb68", + "https://git.kernel.org/stable/c/da83ed350e4604b976e94239b08d8e2e7eaee7ea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: lpspi: Avoid potential use-after-free in probe()\n\nfsl_lpspi_probe() is allocating/disposing memory manually with\nspi_alloc_host()/spi_alloc_target(), but uses\ndevm_spi_register_controller(). In case of error after the latter call the\nmemory will be explicitly freed in the probe function by\nspi_controller_put() call, but used afterwards by \"devm\" management outside\nprobe() (spi_unregister_controller() <- devm_spi_unregister() below).\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\n...\nCall trace:\n kernfs_find_ns\n kernfs_find_and_get_ns\n sysfs_remove_group\n sysfs_remove_groups\n device_remove_attrs\n device_del\n spi_unregister_controller\n devm_spi_unregister\n release_nodes\n devres_release_all\n really_probe\n driver_probe_device\n __device_attach_driver\n bus_for_each_drv\n __device_attach\n device_initial_probe\n bus_probe_device\n deferred_probe_work_func\n process_one_work\n worker_thread\n kthread\n ret_from_fork", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26866" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26869", + "dataSource": "https://ubuntu.com/security/CVE-2024-26869", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26869" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26869", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26869", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04226d8e3c4028dc451e9d8777356ec0f7919253", + "https://git.kernel.org/stable/c/77bfdb89cc222fc7bfe198eda77bdc427d5ac189", + "https://git.kernel.org/stable/c/9f0c4a46be1fe9b97dbe66d49204c1371e3ece65", + "https://git.kernel.org/stable/c/c92f2927df860a60ba815d3ee610a944b92a8694" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate meta inode pages forcely\n\nBelow race case can cause data corruption:\n\nThread A\t\t\t\tGC thread\n\t\t\t\t\t- gc_data_segment\n\t\t\t\t\t - ra_data_block\n\t\t\t\t\t - locked meta_inode page\n- f2fs_inplace_write_data\n - invalidate_mapping_pages\n : fail to invalidate meta_inode page\n due to lock failure or dirty|writeback\n status\n - f2fs_submit_page_bio\n : write last dirty data to old blkaddr\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t - load old data from meta_inode page\n\t\t\t\t\t - f2fs_submit_page_write\n\t\t\t\t\t : write old data to new blkaddr\n\nBecause invalidate_mapping_pages() will skip invalidating page which\nhas unclear status including locked, dirty, writeback and so on, so\nwe need to use truncate_inode_pages_range() instead of\ninvalidate_mapping_pages() to make sure meta_inode page will be dropped.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26869" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26876", + "dataSource": "https://ubuntu.com/security/CVE-2024-26876", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26876" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26876", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26876", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/28a94271bd50e4cf498df0381f776f8ea40a289e", + "https://git.kernel.org/stable/c/955c1252930677762e0db2b6b9e36938c887445c", + "https://git.kernel.org/stable/c/aeedaee5ef5468caf59e2bb1265c2116e0c9a924" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: adv7511: fix crash on irq during probe\n\nMoved IRQ registration down to end of adv7511_probe().\n\nIf an IRQ already is pending during adv7511_probe\n(before adv7511_cec_init) then cec_received_msg_ts\ncould crash using uninitialized data:\n\n Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5\n Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP\n Call trace:\n cec_received_msg_ts+0x48/0x990 [cec]\n adv7511_cec_irq_process+0x1cc/0x308 [adv7511]\n adv7511_irq_process+0xd8/0x120 [adv7511]\n adv7511_irq_handler+0x1c/0x30 [adv7511]\n irq_thread_fn+0x30/0xa0\n irq_thread+0x14c/0x238\n kthread+0x190/0x1a8", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26876" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26886", + "dataSource": "https://ubuntu.com/security/CVE-2024-26886", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26886" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26886", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26886", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c9e2df022ef8b9d7fac58a04a2ef4ed25288955", + "https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c", + "https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e205a01f7", + "https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae", + "https://git.kernel.org/stable/c/f7b94bdc1ec107c92262716b073b3e816d4784fb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: af_bluetooth: Fix deadlock\n\nAttemting to do sock_lock on .recvmsg may cause a deadlock as shown\nbellow, so instead of using sock_sock this uses sk_receive_queue.lock\non bt_sock_ioctl to avoid the UAF:\n\nINFO: task kworker/u9:1:121 blocked for more than 30 seconds.\n Not tainted 6.7.6-lemon #183\nWorkqueue: hci0 hci_rx_work\nCall Trace:\n \n __schedule+0x37d/0xa00\n schedule+0x32/0xe0\n __lock_sock+0x68/0xa0\n ? __pfx_autoremove_wake_function+0x10/0x10\n lock_sock_nested+0x43/0x50\n l2cap_sock_recv_cb+0x21/0xa0\n l2cap_recv_frame+0x55b/0x30a0\n ? psi_task_switch+0xeb/0x270\n ? finish_task_switch.isra.0+0x93/0x2a0\n hci_rx_work+0x33a/0x3f0\n process_one_work+0x13a/0x2f0\n worker_thread+0x2f0/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe0/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2024-26886" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26893", + "dataSource": "https://ubuntu.com/security/CVE-2024-26893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26893" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26893", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d276d9f335f41d6524258d58c0c0241ef9a83a4", + "https://git.kernel.org/stable/c/857f56db8c3a71f9871922b6984ff74ad588cb2c", + "https://git.kernel.org/stable/c/8ffaa17ccb1eb1b65cf85db63225a3581c303773", + "https://git.kernel.org/stable/c/ead445dd3d681020af333649a27306160eee761d", + "https://git.kernel.org/stable/c/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\n\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\n\n | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n | arm-scmi firmware:scmi: unable to communicate with SCMI\n | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n | Mem abort info:\n | ESR = 0x0000000096000004\n | EC = 0x25: DABT (current EL), IL = 32 bits\n | SET = 0, FnV = 0\n | EA = 0, S1PTW = 0\n | FSC = 0x04: level 0 translation fault\n | Data abort info:\n | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n | CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n | Modules linked in:\n | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n | Hardware name: FVP Base RevC (DT)\n | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n | pc : smc_chan_free+0x3c/0x6c\n | lr : smc_chan_free+0x3c/0x6c\n | Call trace:\n | smc_chan_free+0x3c/0x6c\n | idr_for_each+0x68/0xf8\n | scmi_cleanup_channels.isra.0+0x2c/0x58\n | scmi_probe+0x434/0x734\n | platform_probe+0x68/0xd8\n | really_probe+0x110/0x27c\n | __driver_probe_device+0x78/0x12c\n | driver_probe_device+0x3c/0x118\n | __driver_attach+0x74/0x128\n | bus_for_each_dev+0x78/0xe0\n | driver_attach+0x24/0x30\n | bus_add_driver+0xe4/0x1e8\n | driver_register+0x60/0x128\n | __platform_driver_register+0x28/0x34\n | scmi_driver_init+0x84/0xc0\n | do_one_initcall+0x78/0x33c\n | kernel_init_freeable+0x2b8/0x51c\n | kernel_init+0x24/0x130\n | ret_from_fork+0x10/0x20\n | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n | ---[ end trace 0000000000000000 ]---\n\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\n\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26896", + "dataSource": "https://ubuntu.com/security/CVE-2024-26896", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26896" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26896", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26896", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/12f00a367b2b62756e0396f14b54c2c15524e1c3", + "https://git.kernel.org/stable/c/3a71ec74e5e3478d202a1874f085ca3ef40be49b", + "https://git.kernel.org/stable/c/a1f57a0127b89a6b6620514564aa7eaec16d9af3", + "https://git.kernel.org/stable/c/b8cfb7c819dd39965136a66fe3a7fde688d976fc", + "https://git.kernel.org/stable/c/dadbb5d29d6c5f571a50272fce8c1505a9559487" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix memory leak when starting AP\n\nKmemleak reported this error:\n\n unreferenced object 0xd73d1180 (size 184):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.245s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 1e 00 01 00 00 00 00 00 ................\n backtrace:\n [<5ca11420>] kmem_cache_alloc+0x20c/0x5ac\n [<127bdd74>] __alloc_skb+0x144/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n [<69954f45>] __sys_sendmsg+0x64/0xa8\n unreferenced object 0xce087000 (size 1024):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.246s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 10 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............\n backtrace:\n [<9a993714>] __kmalloc_track_caller+0x230/0x600\n [] kmalloc_reserve.constprop.0+0x30/0x74\n [] __alloc_skb+0xa0/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n\nHowever, since the kernel is build optimized, it seems the stack is not\naccurate. It appears the issue is related to wfx_set_mfp_ap(). The issue\nis obvious in this function: memory allocated by ieee80211_beacon_get()\nis never released. Fixing this leak makes kmemleak happy.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26896" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26900", + "dataSource": "https://ubuntu.com/security/CVE-2024-26900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26900" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26900", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4c1021ce46fc2fb6115f7e79d353941e6dcad366", + "https://git.kernel.org/stable/c/6cf350658736681b9d6b0b6e58c5c76b235bb4c4", + "https://git.kernel.org/stable/c/6d32c832a88513f65c2c2c9c75954ee8b387adea", + "https://git.kernel.org/stable/c/9fd0198f7ef06ae0d6636fb0578560857dead995", + "https://git.kernel.org/stable/c/beaf11969fd5cbe6f09cefaa34df1ce8578e8dd9", + "https://git.kernel.org/stable/c/f3a1787dc48213f6caea5ba7d47e0222e7fa34a9", + "https://git.kernel.org/stable/c/fb5b347efd1bda989846ffc74679d181222fb123", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix kmemleak of rdev->serial\n\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\n\nunreferenced object 0xffff88815a350000 (size 49152):\n comm \"mdadm\", pid 789, jiffies 4294716910\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc f773277a):\n [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n [<0000000085086a11>] vfs_ioctl+0x22/0x60\n [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n [<00000000e54e675e>] do_syscall_64+0x71/0x150\n [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-26900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26905", + "dataSource": "https://ubuntu.com/security/CVE-2024-26905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26905" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26905", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26917", + "dataSource": "https://ubuntu.com/security/CVE-2024-26917", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26917" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26917", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26917", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2209fc6e3d7727d787dc6ef9baa1e9eae6b1295b", + "https://git.kernel.org/stable/c/25675159040bffc7992d5163f3f33ba7d0142f21", + "https://git.kernel.org/stable/c/2996c7e97ea7cf4c1838a1b1dbc0885934113783", + "https://git.kernel.org/stable/c/5b8f473c4de95c056c1c767b1ad48c191544f6a5", + "https://git.kernel.org/stable/c/6bb22ac1d11d7d20f91e7fd2e657a9e5f6db65e0", + "https://git.kernel.org/stable/c/7d4e19f7ff644c5b79e8271df8ac2e549b436a5b", + "https://git.kernel.org/stable/c/94a600226b6d0ef065ee84024b450b566c5a87d6", + "https://git.kernel.org/stable/c/977fe773dcc7098d8eaf4ee6382cb51e13e784cb", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"\n\nThis reverts commit 1a1975551943f681772720f639ff42fbaa746212.\n\nThis commit causes interrupts to be lost for FCoE devices, since it changed\nsping locks from \"bh\" to \"irqsave\".\n\nInstead, a work queue should be used, and will be addressed in a separate\ncommit.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26917" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26921", + "dataSource": "https://ubuntu.com/security/CVE-2024-26921", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26921" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26921", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26921", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272", + "https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325", + "https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981", + "https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: inet_defrag: prevent sk release while still in use\n\nip_local_out() and other functions can pass skb->sk as function argument.\n\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\n\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\n\nEric Dumazet made an initial analysis of this bug. Quoting Eric:\n Calling ip_defrag() in output path is also implying skb_orphan(),\n which is buggy because output path relies on sk not disappearing.\n\n A relevant old patch about the issue was :\n 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\n\n [..]\n\n net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\n inet socket, not an arbitrary one.\n\n If we orphan the packet in ipvlan, then downstream things like FQ\n packet scheduler will not work properly.\n\n We need to change ip_defrag() to only use skb_orphan() when really\n needed, ie whenever frag_list is going to be used.\n\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\n\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\n\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\n\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\n\nIn the former case, things work as before, skb is orphaned. This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\n\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-26921" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26922", + "dataSource": "https://ubuntu.com/security/CVE-2024-26922", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26922" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26922", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26922", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1fd7db5c16028dc07b2ceec190f2e895dddb532d", + "https://git.kernel.org/stable/c/212e3baccdb1939606420d88f7f52d346b49a284", + "https://git.kernel.org/stable/c/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75", + "https://git.kernel.org/stable/c/8b12fc7b032633539acdf7864888b0ebd49e90f2", + "https://git.kernel.org/stable/c/b1f04b9b1c5317f562a455384c5f7473e46bdbaa", + "https://git.kernel.org/stable/c/d4da6b084f1c5625937d49bb6722c5b4aef11b8d", + "https://git.kernel.org/stable/c/ef13eeca7c79136bc38e21eb67322c1cbd5c40ee", + "https://git.kernel.org/stable/c/f68039375d4d6d67303674c0ab2d06b7295c0ec9", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\n\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26922" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26923", + "dataSource": "https://ubuntu.com/security/CVE-2024-26923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26923" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26923", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3", + "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f", + "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51", + "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9", + "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423", + "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c", + "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009", + "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t if (total_refs == inflight_refs)\n\t\t\t\t\t\t add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t if (u.inflight)\n\t\t\t\t\t\t scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26923" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26925", + "dataSource": "https://ubuntu.com/security/CVE-2024-26925", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26925" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26925", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26925", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27", + "https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494", + "https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428", + "https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30", + "https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae", + "https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1", + "https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\n\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get the released commit lock\nwithin the same GC sequence.\n\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26925" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26926", + "dataSource": "https://ubuntu.com/security/CVE-2024-26926", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26926" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26926", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26926", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc", + "https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc", + "https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12", + "https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c", + "https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76", + "https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40", + "https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: check offset alignment in binder_get_object()\n\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\n\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\n\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26926" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26928", + "dataSource": "https://ubuntu.com/security/CVE-2024-26928", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26928" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26928", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88", + "https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1", + "https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d", + "https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_debug_files_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26928" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26929", + "dataSource": "https://ubuntu.com/security/CVE-2024-26929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26929" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26929", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/282877633b25d67021a34169c5b5519b1d4ef65e", + "https://git.kernel.org/stable/c/82f522ae0d97119a43da53e0f729275691b9c525", + "https://git.kernel.org/stable/c/846fb9f112f618ec6ae181d8dae7961652574774", + "https://git.kernel.org/stable/c/9b43d2884b54d415caab48878b526dfe2ae9921b", + "https://git.kernel.org/stable/c/b03e626bd6d3f0684f56ee1890d70fc9ca991c04", + "https://git.kernel.org/stable/c/f85af9f1aa5e2f53694a6cbe72010f754b5ff862" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of fcport\n\nThe server was crashing after LOGO because fcport was getting freed twice.\n\n -----------[ cut here ]-----------\n kernel BUG at mm/slub.c:371!\n invalid opcode: 0000 1 SMP PTI\n CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n RIP: 0010:set_freepointer.part.57+0x0/0x10\n RSP: 0018:ffffb07107027d90 EFLAGS: 00010246\n RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400\n RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500\n RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009\n R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500\n R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58\n FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n kfree+0x238/0x250\n qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]\n ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]\n qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? kernfs_fop_write+0x11e/0x1a0\n\nRemove one of the free calls and add check for valid fcport. Also use\nfunction qla2x00_free_fcport() instead of kfree().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "metrics": { + "baseScore": 7.7, + "exploitabilityScore": 2.5, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26931", + "dataSource": "https://ubuntu.com/security/CVE-2024-26931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26931" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26931", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211", + "https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac", + "https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d", + "https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d", + "https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1", + "https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a", + "https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a", + "https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9", + "https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix command flush on cable pull\n\nSystem crash due to command failed to flush back to SCSI layer.\n\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\n RIP: 0010:__wake_up_common+0x4c/0x190\n Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n __wake_up_common_lock+0x7c/0xc0\n qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.\n ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0\n ? __switch_to+0x10c/0x450\n ? process_one_work+0x1a7/0x360\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.\n ? worker_thread+0x1ce/0x390\n ? create_worker+0x1a0/0x1a0\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70\n ? kthread+0x10a/0x120\n qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8\n ? set_kthread_struct+0x40/0x40\n qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.\n ? ret_from_fork+0x1f/0x40\n qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout\n\nThe system was under memory stress where driver was not able to allocate an\nSRB to carry out error recovery of cable pull. The failure to flush causes\nupper layer to start modifying scsi_cmnd. When the system frees up some\nmemory, the subsequent cable pull trigger another command flush. At this\npoint the driver access a null pointer when attempting to DMA unmap the\nSGL.\n\nAdd a check to make sure commands are flush back on session tear down to\nprevent the null pointer access.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26934", + "dataSource": "https://ubuntu.com/security/CVE-2024-26934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26934" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26934", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/07acf979da33c721357ff27129edf74c23c036c6", + "https://git.kernel.org/stable/c/122a06f1068bf5e39089863f4f60b1f5d4273384", + "https://git.kernel.org/stable/c/12d6a5681a0a5cecc2af7860f0a1613fa7c6e947", + "https://git.kernel.org/stable/c/1b175bc579f46520b11ecda443bcd2ee4904f66a", + "https://git.kernel.org/stable/c/80ba43e9f799cbdd83842fc27db667289b3150f5", + "https://git.kernel.org/stable/c/8cbdd324b41528994027128207fae8100dff094f", + "https://git.kernel.org/stable/c/ab062fa3dc69aea88fe62162c5881ba14b50ecc5", + "https://git.kernel.org/stable/c/dbdf66250d2d33e8b27352fcb901de79f3521057", + "https://git.kernel.org/stable/c/e451709573f8be904a8a72d0775bf114d7c291d9", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in usb_deauthorize_interface()\n\nAmong the attribute file callback routines in\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\nthe only one which acquires a device lock on an ancestor device: It\ncalls usb_deauthorize_interface(), which locks the interface's parent\nUSB device.\n\nThe will lead to deadlock if another process already owns that lock\nand tries to remove the interface, whether through a configuration\nchange or because the device has been disconnected. As part of the\nremoval procedure, device_del() waits for all ongoing sysfs attribute\ncallbacks to complete. But usb_deauthorize_interface() can't complete\nuntil the device lock has been released, and the lock won't be\nreleased until the removal has finished.\n\nThe mechanism provided by sysfs to prevent this kind of deadlock is\nto use the sysfs_break_active_protection() function, which tells sysfs\nnot to wait for the attribute callback.\n\nReported-and-tested by: Yue Sun \nReported by: xingwei lee ", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26935", + "dataSource": "https://ubuntu.com/security/CVE-2024-26935", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26935" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26935", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26935", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac", + "https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889", + "https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1", + "https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee", + "https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c", + "https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320", + "https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84", + "https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26935" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26936", + "dataSource": "https://ubuntu.com/security/CVE-2024-26936", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26936" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26936", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26936", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a", + "https://git.kernel.org/stable/c/21ff9d7d223c5c19cb4334009e4c0c83a2f4d674", + "https://git.kernel.org/stable/c/2c27a64a2bc47d9bfc7c3cf8be14be53b1ee7cb6", + "https://git.kernel.org/stable/c/5c20b242d4fed73a93591e48bfd9772e2322fb11", + "https://git.kernel.org/stable/c/8f3d0bf1d0c62b539d54c5b9108a845cff619b99" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\n\nThe response buffer should be allocated in smb2_allocate_rsp_buf\nbefore validating request. But the fields in payload as well as smb2 header\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\nvalidation to avoid potencial out-of-bounds in request buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-26936" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26937", + "dataSource": "https://ubuntu.com/security/CVE-2024-26937", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26937" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26937", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26937", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325", + "https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895", + "https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a", + "https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62", + "https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c", + "https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f", + "https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703", + "https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Reset queue_priority_hint on parking\n\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\n\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\n\n<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 166.210781] Dumping ftrace buffer:\n<0>[ 166.210795] ---------------------------------\n...\n<0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n<0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n<0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n<0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n<0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n<0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n<0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n<0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n<0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n<0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n<0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n<0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n<0>[ 167.303534] -0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n<0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n<0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 167.303811] ---------------------------------\n<4>[ 167.304722] ------------[ cut here ]------------\n<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n<4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n<4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n<4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n<4>[ 16\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26937" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26938", + "dataSource": "https://ubuntu.com/security/CVE-2024-26938", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26938" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26938", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26938", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32e39bab59934bfd3f37097d4dd85ac5eb0fd549", + "https://git.kernel.org/stable/c/72e4d3fb72e9f0f016946158a7d95304832768e6", + "https://git.kernel.org/stable/c/94cf2fb6feccd625e5b4e23e1b70f39a206f82ac", + "https://git.kernel.org/stable/c/a891add409e3bc381f4f68c2ce9d953f1865cb1f", + "https://git.kernel.org/stable/c/f4bbac954d8f9ab214ea1d4f385de4fa6bd92dd0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()\n\nIf we have no VBT, or the VBT didn't declare the encoder\nin question, we won't have the 'devdata' for the encoder.\nInstead of oopsing just bail early.\n\nWe won't be able to tell whether the port is DP++ or not,\nbut so be it.\n\n(cherry picked from commit 26410896206342c8a80d2b027923e9ee7d33b733)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26938" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26944", + "dataSource": "https://ubuntu.com/security/CVE-2024-26944", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26944" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26944", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26944", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302", + "https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free in do_zone_finish()\n\nShinichiro reported the following use-after-free triggered by the device\nreplace operation in fstests btrfs/070.\n\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\n ==================================================================\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\n\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n Call Trace:\n \n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0x200/0x3e0\n kasan_report+0xd8/0x110\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n do_zone_finish+0x91a/0xb90 [btrfs]\n btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\n ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\n ? btrfs_put_root+0x2d/0x220 [btrfs]\n ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\n cleaner_kthread+0x21e/0x380 [btrfs]\n ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\n kthread+0x2e3/0x3c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\n Allocated by task 3493983:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n btrfs_alloc_device+0xb3/0x4e0 [btrfs]\n device_list_add.constprop.0+0x993/0x1630 [btrfs]\n btrfs_scan_one_device+0x219/0x3d0 [btrfs]\n btrfs_control_ioctl+0x26e/0x310 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 3494056:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3f/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x32/0x70\n kfree+0x11b/0x320\n btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\n btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\n btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\n btrfs_ioctl+0xb27/0x57d0 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n The buggy address belongs to the object at ffff8881543c8000\n which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 96 bytes inside of\n freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\n\n The buggy address belongs to the physical page:\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThis UAF happens because we're accessing stale zone information of a\nalready removed btrfs_device in do_zone_finish().\n\nThe sequence of events is as follows:\n\nbtrfs_dev_replace_start\n btrfs_scrub_dev\n btrfs_dev_replace_finishing\n btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced\n btrfs_rm_dev_replace_free_srcdev\n btrfs_free_device <-- device freed\n\ncleaner_kthread\n btrfs_delete_unused_bgs\n btrfs_zone_finish\n do_zone_finish <-- refers the freed device\n\nThe reason for this is that we're using a\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26944" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26945", + "dataSource": "https://ubuntu.com/security/CVE-2024-26945", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26945" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26945", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26945", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/5a7e89d3315d1be86aff8a8bf849023cda6547f7", + "https://git.kernel.org/stable/c/a5ca1be7f9817de4e93085778b3ee2219bdc2664" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix nr_cpus < nr_iaa case\n\nIf nr_cpus < nr_iaa, the calculated cpus_per_iaa will be 0, which\ncauses a divide-by-0 in rebalance_wq_table().\n\nMake sure cpus_per_iaa is 1 in that case, and also in the nr_iaa == 0\ncase, even though cpus_per_iaa is never used if nr_iaa == 0, for\nparanoia.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26945" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26947", + "dataSource": "https://ubuntu.com/security/CVE-2024-26947", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26947" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26947", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26947", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff", + "https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc", + "https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7", + "https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\n\nSince commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account\nfreed memory map alignment\") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\n\n node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node 0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is:0xc0900000, 0x100000\n\nthe crash backtrace like:\n\n Unable to handle kernel paging request at virtual address bff00000\n [...]\n CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1\n Hardware name: Generic DT based system\n PC is at b15_flush_kern_dcache_area+0x24/0x3c\n LR is at __sync_icache_dcache+0x6c/0x98\n [...]\n (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n (__do_mmap_mm) from (do_mmap+0x50/0x58)\n (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n ---[ end trace 09cf0734c3805d52 ]---\n Kernel panic - not syncing: Fatal exception\n\nSo check if PG_reserved was set to solve this issue.\n\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26947" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26948", + "dataSource": "https://ubuntu.com/security/CVE-2024-26948", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26948" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26948", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26948", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/334b56cea5d9df5989be6cf1a5898114fa70ad98", + "https://git.kernel.org/stable/c/d37a08f840485995e3fb91dad95e441b9d28a269" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add a dc_state NULL check in dc_state_release\n\n[How]\nCheck wheather state is NULL before releasing it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26948" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26950", + "dataSource": "https://ubuntu.com/security/CVE-2024-26950", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26950" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26950", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26950", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09c3fa70f65175861ca948cb2f0f791e666c90e5", + "https://git.kernel.org/stable/c/493aa6bdcffd90a4f82aa614fe4f4db0641b4068", + "https://git.kernel.org/stable/c/4be453271a882c8ebc28df3dbf9e4d95e6ac42f5", + "https://git.kernel.org/stable/c/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f", + "https://git.kernel.org/stable/c/93bcc1752c69bb309f4d8cfaf960ef1faeb34996", + "https://git.kernel.org/stable/c/c991567e6c638079304cc15dff28748e4a3c4a37", + "https://git.kernel.org/stable/c/d44bd323d8bb8031eef4bdc44547925998a11e47", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: access device through ctx instead of peer\n\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26950" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26951", + "dataSource": "https://ubuntu.com/security/CVE-2024-26951", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26951" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26951", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26951", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04", + "https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d", + "https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4", + "https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87", + "https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b", + "https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac", + "https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\n\nIf all peers are removed via wg_peer_remove_all(), rather than setting\npeer_list to empty, the peer is added to a temporary list with a head on\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\ncursored peer is one that has been removed via wg_peer_remove_all(), it\nwill iterate from that peer and then attempt to dump freed peers.\n\nFix this by instead checking peer->is_dead, which was explictly created\nfor this purpose. Also move up the device_update_lock lockdep assertion,\nsince reading is_dead relies on that.\n\nIt can be reproduced by a small script like:\n\n echo \"Setting config...\"\n ip link add dev wg0 type wireguard\n wg setconf wg0 /big-config\n (\n while true; do\n echo \"Showing config...\"\n wg showconf wg0 > /dev/null\n done\n ) &\n sleep 4\n wg setconf wg0 <(printf \"[Peer]\\nPublicKey=$(wg genkey)\\n\")\n\nResulting in:\n\n BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\n Read of size 8 at addr ffff88811956ec70 by task wg/59\n CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\n Call Trace:\n \n dump_stack_lvl+0x47/0x70\n print_address_description.constprop.0+0x2c/0x380\n print_report+0xab/0x250\n kasan_report+0xba/0xf0\n __lock_acquire+0x182a/0x1b20\n lock_acquire+0x191/0x4b0\n down_read+0x80/0x440\n get_peer+0x140/0xcb0\n wg_get_device_dump+0x471/0x1130", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26951" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26952", + "dataSource": "https://ubuntu.com/security/CVE-2024-26952", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26952" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26952", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26952", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0c5541b4c980626fa3cab16ba1a451757778bbb5", + "https://git.kernel.org/stable/c/2dcda336b6e80b72d58d30d40f2fad9724e5fe63", + "https://git.kernel.org/stable/c/39bdc4197acf2ed13269167ccf093ee28cfa2a4e", + "https://git.kernel.org/stable/c/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potencial out-of-bounds when buffer offset is invalid\n\nI found potencial out-of-bounds when buffer offset fields of a few requests\nis invalid. This patch set the minimum value of buffer offset field to\n->Buffer offset to validate buffer length.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.1, + "exploitabilityScore": 2.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2024-26952" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26953", + "dataSource": "https://ubuntu.com/security/CVE-2024-26953", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26953" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26953", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26953", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1abb20a5f4b02fb3020f88456fc1e6069b3cdc45", + "https://git.kernel.org/stable/c/8291b4eac429c480386669444c6377573f5d8664", + "https://git.kernel.org/stable/c/c3198822c6cb9fb588e446540485669cc81c5d34", + "https://git.kernel.org/stable/c/f278ff9db67264715d0d50e3e75044f8b78990f4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: esp: fix bad handling of pages from page_pool\n\nWhen the skb is reorganized during esp_output (!esp->inline), the pages\ncoming from the original skb fragments are supposed to be released back\nto the system through put_page. But if the skb fragment pages are\noriginating from a page_pool, calling put_page on them will trigger a\npage_pool leak which will eventually result in a crash.\n\nThis leak can be easily observed when using CONFIG_DEBUG_VM and doing\nipsec + gre (non offloaded) forwarding:\n\n BUG: Bad page state in process ksoftirqd/16 pfn:1451b6\n page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6\n flags: 0x200000000000000(node=0|zone=2)\n page_type: 0xffffffff()\n raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000\n raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000\n page dumped because: page_pool leak\n Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]\n CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n \n dump_stack_lvl+0x36/0x50\n bad_page+0x70/0xf0\n free_unref_page_prepare+0x27a/0x460\n free_unref_page+0x38/0x120\n esp_ssg_unref.isra.0+0x15f/0x200\n esp_output_tail+0x66d/0x780\n esp_xmit+0x2c5/0x360\n validate_xmit_xfrm+0x313/0x370\n ? validate_xmit_skb+0x1d/0x330\n validate_xmit_skb_list+0x4c/0x70\n sch_direct_xmit+0x23e/0x350\n __dev_queue_xmit+0x337/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x25e/0x580\n iptunnel_xmit+0x19b/0x240\n ip_tunnel_xmit+0x5fb/0xb60\n ipgre_xmit+0x14d/0x280 [ip_gre]\n dev_hard_start_xmit+0xc3/0x1c0\n __dev_queue_xmit+0x208/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x1ca/0x580\n ip_sublist_rcv_finish+0x32/0x40\n ip_sublist_rcv+0x1b2/0x1f0\n ? ip_rcv_finish_core.constprop.0+0x460/0x460\n ip_list_rcv+0x103/0x130\n __netif_receive_skb_list_core+0x181/0x1e0\n netif_receive_skb_list_internal+0x1b3/0x2c0\n napi_gro_receive+0xc8/0x200\n gro_cell_poll+0x52/0x90\n __napi_poll+0x25/0x1a0\n net_rx_action+0x28e/0x300\n __do_softirq+0xc3/0x276\n ? sort_range+0x20/0x20\n run_ksoftirqd+0x1e/0x30\n smpboot_thread_fn+0xa6/0x130\n kthread+0xcd/0x100\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x31/0x50\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork_asm+0x11/0x20\n \n\nThe suggested fix is to introduce a new wrapper (skb_page_unref) that\ncovers page refcounting for page_pool pages as well.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26953" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26954", + "dataSource": "https://ubuntu.com/security/CVE-2024-26954", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26954" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26954", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26954", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57", + "https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178", + "https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\n\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26954" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26955", + "dataSource": "https://ubuntu.com/security/CVE-2024-26955", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26955" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26955", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26955", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c", + "https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5", + "https://git.kernel.org/stable/c/269cdf353b5bdd15f1a079671b0f889113865f20", + "https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07", + "https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414ef02e39", + "https://git.kernel.org/stable/c/76ffbe911e2798c7296968f5fd72f7bf67207a8d", + "https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183", + "https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c", + "https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: prevent kernel bug at submit_bh_wbc()\n\nFix a bug where nilfs_get_block() returns a successful status when\nsearching and inserting the specified block both fail inconsistently. If\nthis inconsistent behavior is not due to a previously fixed bug, then an\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\n\nThis prevents callers such as __block_write_begin_int() from requesting a\nread into a buffer that is not mapped, which would cause the BUG_ON check\nfor the BH_Mapped flag in submit_bh_wbc() to fail.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26955" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26956", + "dataSource": "https://ubuntu.com/security/CVE-2024-26956", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26956" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26956", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26956", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84", + "https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7", + "https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4", + "https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e", + "https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713", + "https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35", + "https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb", + "https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba", + "https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\n\nPatch series \"nilfs2: fix kernel bug at submit_bh_wbc()\".\n\nThis resolves a kernel BUG reported by syzbot. Since there are two\nflaws involved, I've made each one a separate patch.\n\nThe first patch alone resolves the syzbot-reported bug, but I think\nboth fixes should be sent to stable, so I've tagged them as such.\n\n\nThis patch (of 2):\n\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\nto a nilfs2 file system whose metadata is corrupted.\n\nThere are two flaws involved in this issue.\n\nThe first flaw is that when nilfs_get_block() locates a data block using\nbtree or direct mapping, if the disk address translation routine\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\ncorruption, it can be passed back to nilfs_get_block(). This causes\nnilfs_get_block() to misidentify an existing block as non-existent,\ncausing both data block lookup and insertion to fail inconsistently.\n\nThe second flaw is that nilfs_get_block() returns a successful status in\nthis inconsistent state. This causes the caller __block_write_begin_int()\nor others to request a read even though the buffer is not mapped,\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\nfailing.\n\nThis fixes the first issue by changing the return value to code -EINVAL\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\nconflicting condition that leads to the kernel bug described above. Here,\ncode -EINVAL indicates that metadata corruption was detected during the\nblock lookup, which will be properly handled as a file system error and\nconverted to -EIO when passing through the nilfs2 bmap layer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26956" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26957", + "dataSource": "https://ubuntu.com/security/CVE-2024-26957", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26957" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26957", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26957", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484", + "https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c", + "https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd", + "https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058", + "https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55", + "https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6", + "https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca", + "https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d", + "https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n kernel: kmalloc_trace+0x3f2/0x470\n kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]\n kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n kernel: ap_device_probe+0x15c/0x290\n kernel: really_probe+0xd2/0x468\n kernel: driver_probe_device+0x40/0xf0\n kernel: __device_attach_driver+0xc0/0x140\n kernel: bus_for_each_drv+0x8c/0xd0\n kernel: __device_attach+0x114/0x198\n kernel: bus_probe_device+0xb4/0xc8\n kernel: device_add+0x4d2/0x6e0\n kernel: ap_scan_adapter+0x3d0/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n kernel: kfree+0x37e/0x418\n kernel: zcrypt_card_put+0x54/0x80 [zcrypt]\n kernel: ap_device_remove+0x4c/0xe0\n kernel: device_release_driver_internal+0x1c4/0x270\n kernel: bus_remove_device+0x100/0x188\n kernel: device_del+0x164/0x3c0\n kernel: device_unregister+0x30/0x90\n kernel: ap_scan_adapter+0xc8/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: kthread+0x150/0x168\n kernel: __ret_from_fork+0x3c/0x58\n kernel: ret_from_fork+0xa/0x30\n kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........\n kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk.\n kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........\n kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ\n kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n kernel: Call Trace:\n kernel: [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n kernel: [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n kernel: [<00000000c99d53cc>] check_object+0x334/0x3f8\n kernel: [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n kernel: [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n kernel: [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n kernel: [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n kernel: [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n kernel: [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n kernel: [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n kernel: \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26957" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26958", + "dataSource": "https://ubuntu.com/security/CVE-2024-26958", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26958" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26958", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26958", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af", + "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab", + "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3", + "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5", + "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f", + "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95", + "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n \n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we're completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26958" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26960", + "dataSource": "https://ubuntu.com/security/CVE-2024-26960", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26960" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26960", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26960", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a", + "https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a", + "https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e", + "https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b", + "https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39", + "https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e", + "https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread. This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case. But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff(). There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free. This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff. So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26960" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26961", + "dataSource": "https://ubuntu.com/security/CVE-2024-26961", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26961" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26961", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26961", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531", + "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d", + "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1", + "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88", + "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821", + "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f", + "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n \n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n hex dump (first 32 bytes):\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\".......\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e2/0x2d0\n [] kmalloc_trace+0x25/0xc0\n [] mac802154_llsec_key_add+0xac9/0xcf0\n [] ieee802154_add_llsec_key+0x5a/0x80\n [] nl802154_add_llsec_key+0x426/0x5b0\n [] genl_family_rcv_msg_doit+0x1fe/0x2f0\n [] genl_rcv_msg+0x531/0x7d0\n [] netlink_rcv_skb+0x169/0x440\n [] genl_rcv+0x28/0x40\n [] netlink_unicast+0x53c/0x820\n [] netlink_sendmsg+0x93b/0xe60\n [] ____sys_sendmsg+0xac5/0xca0\n [] ___sys_sendmsg+0x11d/0x1c0\n [] __sys_sendmsg+0xfa/0x1d0\n [] do_syscall_64+0x45/0xf0\n [] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26961" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26962", + "dataSource": "https://ubuntu.com/security/CVE-2024-26962", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26962" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26962", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26962", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677", + "https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1", + "https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape\n\nFor raid456, if reshape is still in progress, then IO across reshape\nposition will wait for reshape to make progress. However, for dm-raid,\nin following cases reshape will never make progress hence IO will hang:\n\n1) the array is read-only;\n2) MD_RECOVERY_WAIT is set;\n3) MD_RECOVERY_FROZEN is set;\n\nAfter commit c467e97f079f (\"md/raid6: use valid sector values to determine\nif an I/O should wait on the reshape\") fix the problem that IO across\nreshape position doesn't wait for reshape, the dm-raid test\nshell/lvconvert-raid-reshape.sh start to hang:\n\n[root@fedora ~]# cat /proc/979/stack\n[<0>] wait_woken+0x7d/0x90\n[<0>] raid5_make_request+0x929/0x1d70 [raid456]\n[<0>] md_handle_request+0xc2/0x3b0 [md_mod]\n[<0>] raid_map+0x2c/0x50 [dm_raid]\n[<0>] __map_bio+0x251/0x380 [dm_mod]\n[<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]\n[<0>] __submit_bio+0xc2/0x1c0\n[<0>] submit_bio_noacct_nocheck+0x17f/0x450\n[<0>] submit_bio_noacct+0x2bc/0x780\n[<0>] submit_bio+0x70/0xc0\n[<0>] mpage_readahead+0x169/0x1f0\n[<0>] blkdev_readahead+0x18/0x30\n[<0>] read_pages+0x7c/0x3b0\n[<0>] page_cache_ra_unbounded+0x1ab/0x280\n[<0>] force_page_cache_ra+0x9e/0x130\n[<0>] page_cache_sync_ra+0x3b/0x110\n[<0>] filemap_get_pages+0x143/0xa30\n[<0>] filemap_read+0xdc/0x4b0\n[<0>] blkdev_read_iter+0x75/0x200\n[<0>] vfs_read+0x272/0x460\n[<0>] ksys_read+0x7a/0x170\n[<0>] __x64_sys_read+0x1c/0x30\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nThis is because reshape can't make progress.\n\nFor md/raid, the problem doesn't exist because register new sync_thread\ndoesn't rely on the IO to be done any more:\n\n1) If array is read-only, it can switch to read-write by ioctl/sysfs;\n2) md/raid never set MD_RECOVERY_WAIT;\n3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold\n 'reconfig_mutex', hence it can be cleared and reshape can continue by\n sysfs api 'sync_action'.\n\nHowever, I'm not sure yet how to avoid the problem in dm-raid yet. This\npatch on the one hand make sure raid_message() can't change\nsync_thread() through raid_message() after presuspend(), on the other\nhand detect the above 3 cases before wait for IO do be done in\ndm_suspend(), and let dm-raid requeue those IO.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26962" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26964", + "dataSource": "https://ubuntu.com/security/CVE-2024-26964", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26964" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26964", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26964", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4a49d24fdec0a802aa686a567a3989a9fdf4e5dd", + "https://git.kernel.org/stable/c/620b6cf2f1a270f48d38e6b8ce199c1acb3e90f4", + "https://git.kernel.org/stable/c/7b6cc33593d7ccfc3011b290849cfa899db46757", + "https://git.kernel.org/stable/c/962300a360d24c5be5a188cda48da58a37e4304d", + "https://git.kernel.org/stable/c/b2c898469dfc388f619c6c972a28466cbb1442ea", + "https://git.kernel.org/stable/c/be95cc6d71dfd0cba66e3621c65413321b398052" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Add error handling in xhci_map_urb_for_dma\n\nCurrently xhci_map_urb_for_dma() creates a temporary buffer and copies\nthe SG list to the new linear buffer. But if the kzalloc_node() fails,\nthen the following sg_pcopy_to_buffer() can lead to crash since it\ntries to memcpy to NULL pointer.\n\nSo return -ENOMEM if kzalloc returns null pointer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26964" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26965", + "dataSource": "https://ubuntu.com/security/CVE-2024-26965", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26965" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26965", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26965", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3ff4a0f6a8f0ad4b4ee9e908bdfc3cacb7be4060", + "https://git.kernel.org/stable/c/537040c257ab4cd0673fbae048f3940c8ea2e589", + "https://git.kernel.org/stable/c/7e9926fef71e514b4a8ea9d11d5a84d52b181362", + "https://git.kernel.org/stable/c/86bf75d9158f511db7530bc82a84b19a5134d089", + "https://git.kernel.org/stable/c/8f562f3b25177c2055b20fd8cf000496f6fa9194", + "https://git.kernel.org/stable/c/99740c4791dc8019b0d758c5389ca6d1c0604d95", + "https://git.kernel.org/stable/c/ae99e199037c580b7350bfa3596f447a53bcf01f", + "https://git.kernel.org/stable/c/ca2cf98d46748373e830a13d85d215d64a2d9bf2", + "https://git.kernel.org/stable/c/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26965" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26966", + "dataSource": "https://ubuntu.com/security/CVE-2024-26966", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26966" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26966", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26966", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/185de0b7cdeaad8b89ebd4c8a258ff2f21adba99", + "https://git.kernel.org/stable/c/3aedcf3755c74dafc187eb76acb04e3e6348b1a9", + "https://git.kernel.org/stable/c/5533686e99b04994d7c4877dc0e4282adc9444a2", + "https://git.kernel.org/stable/c/5638330150db2cc30b53eed04e481062faa3ece8", + "https://git.kernel.org/stable/c/7e5432401536117c316d7f3b21d46b64c1514f38", + "https://git.kernel.org/stable/c/9b4c4546dd61950e80ffdca1bf6925f42b665b03", + "https://git.kernel.org/stable/c/a09aecb6cb482de88301c43bf00a6c8726c4d34f", + "https://git.kernel.org/stable/c/a903cfd38d8dee7e754fb89fd1bebed99e28003d", + "https://git.kernel.org/stable/c/b2dfb216f32627c2f6a8041f2d9d56d102ab87c0", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26966" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26969", + "dataSource": "https://ubuntu.com/security/CVE-2024-26969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26969" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26969", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1040ef5ed95d6fd2628bad387d78a61633e09429", + "https://git.kernel.org/stable/c/83fe1bbd9e259ad109827ccfbfc2488e0dea8e94", + "https://git.kernel.org/stable/c/851cc19bdb02556fb13629b3e4fef6f2bdb038fe", + "https://git.kernel.org/stable/c/9de184d4e557d550fb0b7b833b676bda4f269e4f", + "https://git.kernel.org/stable/c/b6b31b4c67ea6bd9222e5b73b330554c57f2f90d", + "https://git.kernel.org/stable/c/be9e2752d823eca1d5af67014a1844a9176ff566", + "https://git.kernel.org/stable/c/dd92b159c506804ac57adf3742d9728298bb1255", + "https://git.kernel.org/stable/c/e117c6e2d1617520f5f7d7f6f6b395f01d8b5a27", + "https://git.kernel.org/stable/c/fc3ac2fcd0a7fad63eba1b359490a4b81720d0f9", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26969" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26970", + "dataSource": "https://ubuntu.com/security/CVE-2024-26970", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26970" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26970", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26970", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/421b135aceace99789c982f6a77ce9476564fb52", + "https://git.kernel.org/stable/c/852db52b45ea96dac2720f108e7c7331cd3738bb", + "https://git.kernel.org/stable/c/ae60e3342296f766f88911d39199f77b05f657a6", + "https://git.kernel.org/stable/c/b4527ee3de365a742215773d20f07db3e2c06f3b", + "https://git.kernel.org/stable/c/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d", + "https://git.kernel.org/stable/c/db4066e3ab6b3d918ae2b92734a89c04fe82cc1d", + "https://git.kernel.org/stable/c/dcb13b5c9ae8743f99a96f392186527c3df89198", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq6018: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26970" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26972", + "dataSource": "https://ubuntu.com/security/CVE-2024-26972", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26972" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26972", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26972", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/62b5ae00c2b835639002ce898ccb5d82c51073ae", + "https://git.kernel.org/stable/c/6379b44cdcd67f5f5d986b73953e99700591edfa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: ubifs_symlink: Fix memleak of inode->i_link in error path\n\nFor error handling path in ubifs_symlink(), inode will be marked as\nbad first, then iput() is invoked. If inode->i_link is initialized by\nfscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't\nbe freed by callchain ubifs_free_inode -> fscrypt_free_inode in error\nhandling path, because make_bad_inode() has changed 'inode->i_mode' as\n'S_IFREG'.\nFollowing kmemleak is easy to be reproduced by injecting error in\nubifs_jnl_update() when doing symlink in encryption scenario:\n unreferenced object 0xffff888103da3d98 (size 8):\n comm \"ln\", pid 1692, jiffies 4294914701 (age 12.045s)\n backtrace:\n kmemdup+0x32/0x70\n __fscrypt_encrypt_symlink+0xed/0x1c0\n ubifs_symlink+0x210/0x300 [ubifs]\n vfs_symlink+0x216/0x360\n do_symlinkat+0x11a/0x190\n do_syscall_64+0x3b/0xe0\nThere are two ways fixing it:\n 1. Remove make_bad_inode() in error handling path. We can do that\n because ubifs_evict_inode() will do same processes for good\n symlink inode and bad symlink inode, for inode->i_nlink checking\n is before is_bad_inode().\n 2. Free inode->i_link before marking inode bad.\nMethod 2 is picked, it has less influence, personally, I think.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26972" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26973", + "dataSource": "https://ubuntu.com/security/CVE-2024-26973", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26973" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26973", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26973", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03a7e3f2ba3ca25f1da1d3898709a08db14c1abb", + "https://git.kernel.org/stable/c/74f852654b8b7866f15323685f1e178d3386c688", + "https://git.kernel.org/stable/c/9840d1897e28f8733cc1e38f97e044f987dc0a63", + "https://git.kernel.org/stable/c/a276c595c3a629170b0f052a3724f755d7c6adc6", + "https://git.kernel.org/stable/c/b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee", + "https://git.kernel.org/stable/c/c8cc05de8e6b5612b6e9f92c385c1a064b0db375", + "https://git.kernel.org/stable/c/cdd33d54e789d229d6d5007cbf3f53965ca1a5c6", + "https://git.kernel.org/stable/c/f52d7663a10a1266a2d3871a6dd8fd111edc549f", + "https://git.kernel.org/stable/c/fde2497d2bc3a063d8af88b258dbadc86bd7b57c", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfat: fix uninitialized field in nostale filehandles\n\nWhen fat_encode_fh_nostale() encodes file handle without a parent it\nstores only first 10 bytes of the file handle. However the length of the\nfile handle must be a multiple of 4 so the file handle is actually 12\nbytes long and the last two bytes remain uninitialized. This is not\ngreat at we potentially leak uninitialized information with the handle\nto userspace. Properly initialize the full handle length.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26973" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26974", + "dataSource": "https://ubuntu.com/security/CVE-2024-26974", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26974" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26974", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26974", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be", + "https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7", + "https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f", + "https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c", + "https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc", + "https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81", + "https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828", + "https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71", + "https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - resolve race condition during AER recovery\n\nDuring the PCI AER system's error recovery process, the kernel driver\nmay encounter a race condition with freeing the reset_data structure's\nmemory. If the device restart will take more than 10 seconds the function\nscheduling that restart will exit due to a timeout, and the reset_data\nstructure will be freed. However, this data structure is used for\ncompletion notification after the restart is completed, which leads\nto a UAF bug.\n\nThis results in a KFENCE bug notice.\n\n BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\n Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\n adf_device_reset_worker+0x38/0xa0 [intel_qat]\n process_one_work+0x173/0x340\n\nTo resolve this race condition, the memory associated to the container\nof the work_struct is freed on the worker if the timeout expired,\notherwise on the function that schedules the worker.\nThe timeout detection can be done by checking if the caller is\nstill waiting for completion or not by using completion_done() function.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26974" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26976", + "dataSource": "https://ubuntu.com/security/CVE-2024-26976", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26976" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26976", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26976", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3d75b8aa5c29058a512db29da7cbee8052724157", + "https://git.kernel.org/stable/c/4f3a3bce428fb439c66a578adc447afce7b4a750", + "https://git.kernel.org/stable/c/82e25cc1c2e93c3023da98be282322fc08b61ffb", + "https://git.kernel.org/stable/c/83d3c5e309611ef593e2fcb78444fc8ceedf9bac", + "https://git.kernel.org/stable/c/a75afe480d4349c524d9c659b1a5a544dbc39a98", + "https://git.kernel.org/stable/c/ab2c2f5d9576112ad22cfd3798071cb74693b1f5", + "https://git.kernel.org/stable/c/b54478d20375874aeee257744dedfd3e413432ff", + "https://git.kernel.org/stable/c/caa9af2e27c275e089d702cfbaaece3b42bca31b", + "https://git.kernel.org/stable/c/f8730d6335e5f43d09151fca1f0f41922209a264", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\n\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put. Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\n\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock. async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\n\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n \n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n \n __schedule+0x33f/0xa40\n schedule+0x53/0xc0\n schedule_timeout+0x12a/0x140\n __wait_for_common+0x8d/0x1d0\n __flush_work.isra.0+0x19f/0x2c0\n kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n kvm_put_kvm+0x1c1/0x320 [kvm]\n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed. And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\n\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue(). Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay. kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\n\n trace_kvm_async_pf_completed(addr, cr2_or_gpa);\n\n __kvm_vcpu_wake_up(vcpu);\n\n mmput(mm);\n\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\n\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue. Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\n\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26976" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26977", + "dataSource": "https://ubuntu.com/security/CVE-2024-26977", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26977" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26977", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26977", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5e4b23e7a7b33a1e56bfa3e5598138a2234d55b6", + "https://git.kernel.org/stable/c/6d21d0356aa44157a62e39c0d1a13d4c69a8d0c8", + "https://git.kernel.org/stable/c/7626913652cc786c238e2dd7d8740b17d41b2637", + "https://git.kernel.org/stable/c/af280e137e273935f2e09f4d73169998298792ed", + "https://git.kernel.org/stable/c/b5d40f02e7222da032c2042aebcf2a07de9b342f", + "https://git.kernel.org/stable/c/f3749345a9b7295dd071d0ed589634cb46364f77" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npci_iounmap(): Fix MMIO mapping leak\n\nThe #ifdef ARCH_HAS_GENERIC_IOPORT_MAP accidentally also guards iounmap(),\nwhich means MMIO mappings are leaked.\n\nMove the guard so we call iounmap() for MMIO mappings.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26977" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26979", + "dataSource": "https://ubuntu.com/security/CVE-2024-26979", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26979" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26979", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26979", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26979" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26980", + "dataSource": "https://ubuntu.com/security/CVE-2024-26980", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26980" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26980", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26980", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085", + "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1", + "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248", + "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20", + "https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\n\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. if request size is smaller than\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\ndecrypting transform request. smb3_decrypt_req() will validate transform\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-26980" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26981", + "dataSource": "https://ubuntu.com/security/CVE-2024-26981", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26981" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26981", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26981", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243", + "https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9", + "https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1", + "https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611", + "https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f", + "https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8", + "https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0", + "https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix OOB in nilfs_set_de_type\n\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\ndefined as \"S_IFMT >> S_SHIFT\", but the nilfs_set_de_type() function,\nwhich uses this array, specifies the index to read from the array in the\nsame way as \"(mode & S_IFMT) >> S_SHIFT\".\n\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\n *inode)\n{\n\tumode_t mode = inode->i_mode;\n\n\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\n}\n\nHowever, when the index is determined this way, an out-of-bounds (OOB)\nerror occurs by referring to an index that is 1 larger than the array size\nwhen the condition \"mode & S_IFMT == S_IFMT\" is satisfied. Therefore, a\npatch to resize the nilfs_type_by_mode array should be applied to prevent\nOOB errors.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26981" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26982", + "dataSource": "https://ubuntu.com/security/CVE-2024-26982", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26982" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26982", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26982", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5", + "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395", + "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n and fill a metadata index. It however suffers a data read error\n and aborts, invalidating the newly returned empty metadata index.\n It does this by setting the inode number of the index to zero,\n which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n read operation, locate_meta_index() returns the previous index\n because it matches the inode number of 0. Because this index\n has been returned it is expected to have been filled, and because\n it hasn't been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26982" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26983", + "dataSource": "https://ubuntu.com/security/CVE-2024-26983", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26983" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26983", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26983", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918", + "https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35", + "https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0", + "https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbootconfig: use memblock_free_late to free xbc memory to buddy\n\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\nover memory to buddy allocator. So it doesn't make sense to free memory\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\nFollowing KASAN logs shows this case.\n\nThis patch fixes the xbc memory free problem by calling memblock_free()\nin early xbc init error rewind path and calling memblock_free_late() in\nxbc exit path to free memory to buddy allocator.\n\n[ 9.410890] ==================================================================\n[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\n[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\n\n[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5\n[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\n[ 9.460789] Call Trace:\n[ 9.463518] \n[ 9.465859] dump_stack_lvl+0x53/0x70\n[ 9.469949] print_report+0xce/0x610\n[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0\n[ 9.478619] ? memblock_isolate_range+0x12d/0x260\n[ 9.483877] kasan_report+0xc6/0x100\n[ 9.487870] ? memblock_isolate_range+0x12d/0x260\n[ 9.493125] memblock_isolate_range+0x12d/0x260\n[ 9.498187] memblock_phys_free+0xb4/0x160\n[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10\n[ 9.508021] ? mutex_unlock+0x7e/0xd0\n[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10\n[ 9.516786] ? kernel_init_freeable+0x2d4/0x430\n[ 9.521850] ? __pfx_kernel_init+0x10/0x10\n[ 9.526426] xbc_exit+0x17/0x70\n[ 9.529935] kernel_init+0x38/0x1e0\n[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30\n[ 9.538601] ret_from_fork+0x2c/0x50\n[ 9.542596] ? __pfx_kernel_init+0x10/0x10\n[ 9.547170] ret_from_fork_asm+0x1a/0x30\n[ 9.551552] \n\n[ 9.555649] The buggy address belongs to the physical page:\n[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\n[ 9.570821] flags: 0x200000000000000(node=0|zone=2)\n[ 9.576271] page_type: 0xffffffff()\n[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\n[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\n[ 9.597476] page dumped because: kasan: bad access detected\n\n[ 9.605362] Memory state around the buggy address:\n[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.634930] ^\n[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.654675] ==================================================================", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-26983" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26984", + "dataSource": "https://ubuntu.com/security/CVE-2024-26984", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26984" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26984", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26984", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716", + "https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7", + "https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52", + "https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572", + "https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525", + "https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039", + "https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9", + "https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: fix instmem race condition around ptr stores\n\nRunning a lot of VK CTS in parallel against nouveau, once every\nfew hours you might see something like this crash.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\nFS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n...\n\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __lock_acquire+0x3ed/0x2170\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\n\nAdding any sort of useful debug usually makes it go away, so I hand\nwrote the function in a line, and debugged the asm.\n\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\nthe nv50_instobj_acquire called from nvkm_kmap.\n\nIf Thread A and Thread B both get to nv50_instobj_acquire around\nthe same time, and Thread A hits the refcount_set line, and in\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\nchance the ptrs value won't have been stored since refcount_set\nis unordered. Force a memory barrier here, I picked smp_mb, since\nwe want it on all CPUs and it's write followed by a read.\n\nv2: use paired smp_rmb/smp_wmb.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26984" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26988", + "dataSource": "https://ubuntu.com/security/CVE-2024-26988", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26988" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26988", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26988", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4", + "https://git.kernel.org/stable/c/2ef607ea103616aec0289f1b65d103d499fa903a", + "https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9", + "https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea", + "https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8", + "https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninit/main.c: Fix potential static_command_line memory overflow\n\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\nstatic_command_line, but the strings copied into static_command_line are\nextra_command_line and command_line, rather than extra_command_line and\nboot_command_line.\n\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\nwill overflow.\n\nThis patch just recovers strlen(command_line) which was miss-consolidated\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\"init/main: add\nchecks for the return value of memblock_alloc*()\")", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26988" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26989", + "dataSource": "https://ubuntu.com/security/CVE-2024-26989", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26989" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26989", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26989", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/022b19ebc31cce369c407617041a3db810db23b3", + "https://git.kernel.org/stable/c/31f815cb436082e72d34ed2e8a182140a73ebdf4", + "https://git.kernel.org/stable/c/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457", + "https://git.kernel.org/stable/c/813f5213f2c612dc800054859aaa396ec8ad7069", + "https://git.kernel.org/stable/c/f7e71a7cf399f53ff9fc314ca3836dc913b05bd6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: hibernate: Fix level3 translation fault in swsusp_save()\n\nOn arm64 machines, swsusp_save() faults if it attempts to access\nMEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI\nwhen booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:\n\n Unable to handle kernel paging request at virtual address ffffff8000000000\n Mem abort info:\n ESR = 0x0000000096000007\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x07: level 3 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000\n [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000\n Internal error: Oops: 0000000096000007 [#1] SMP\n Internal error: Oops: 0000000096000007 [#1] SMP\n Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm\n CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76\n Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0\n Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021\n pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : swsusp_save+0x280/0x538\n lr : swsusp_save+0x280/0x538\n sp : ffffffa034a3fa40\n x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000\n x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000\n x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2\n x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000\n x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666\n x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea\n x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0\n x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001\n x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e\n Call trace:\n swsusp_save+0x280/0x538\n swsusp_arch_suspend+0x148/0x190\n hibernation_snapshot+0x240/0x39c\n hibernate+0xc4/0x378\n state_store+0xf0/0x10c\n kobj_attr_store+0x14/0x24\n\nThe reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()\n-> kernel_page_present() assuming that a page is always present when\ncan_set_direct_map() is false (all of rodata_full,\ndebug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),\nirrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions\nshould not be saved during hibernation.\n\nThis problem was introduced by changes to the pfn_valid() logic in\ncommit a7d9f306ba70 (\"arm64: drop pfn_valid_within() and simplify\npfn_valid()\").\n\nSimilar to other architectures, drop the !can_set_direct_map() check in\nkernel_page_present() so that page_is_savable() skips such pages.\n\n[catalin.marinas@arm.com: rework commit message]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26989" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26993", + "dataSource": "https://ubuntu.com/security/CVE-2024-26993", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26993" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26993", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26993", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/43f00210cb257bcb0387e8caeb4b46375d67f30c", + "https://git.kernel.org/stable/c/57baab0f376bec8f54b0fe6beb8f77a57c228063", + "https://git.kernel.org/stable/c/5d43e072285e81b0b63cee7189b3357c7768a43b", + "https://git.kernel.org/stable/c/84bd4c2ae9c3d0a7d3a5c032ea7efff17af17e17", + "https://git.kernel.org/stable/c/a4c99b57d43bab45225ba92d574a8683f9edc8e4", + "https://git.kernel.org/stable/c/a90bca2228c0646fc29a72689d308e5fe03e6d78", + "https://git.kernel.org/stable/c/ac107356aabc362aaeb77463e814fc067a5d3957", + "https://git.kernel.org/stable/c/f28bba37fe244889b81bb5c508d3f6e5c6e342c5", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\n\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path. If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called). As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\n\nFix the leak by adding an explicit kobject_put() call when kn is NULL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26993" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26994", + "dataSource": "https://ubuntu.com/security/CVE-2024-26994", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26994" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26994", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26994", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8", + "https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76", + "https://git.kernel.org/stable/c/6401038acfa24cba9c28cce410b7505efadd0222", + "https://git.kernel.org/stable/c/756c5cb7c09e537b87b5d3acafcb101b2ccf394f", + "https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595", + "https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f", + "https://git.kernel.org/stable/c/8f6b62125befe1675446923e4171eac2c012959c", + "https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Avoid crash on very long word\n\nIn case a console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26994" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26996", + "dataSource": "https://ubuntu.com/security/CVE-2024-26996", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26996" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26996", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93", + "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e", + "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7", + "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca", + "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n usb0: eth_stop dev->port_usb=ffffff9b179c3200\n --> error happens in usb_ep_enable().\n NCM: ncm_disable: ncm=ffffff9b179c3200\n --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm\n\n[function link via configfs]\n NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm\n usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n eth_start_xmit()\n --> dev->wrap()\n Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\nbut the gether connection might be established.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26996" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-26999", + "dataSource": "https://ubuntu.com/security/CVE-2024-26999", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-26999" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-26999", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-26999", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907", + "https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7", + "https://git.kernel.org/stable/c/69a02273e288011b521ee7c1f3ab2c23fda633ce", + "https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef", + "https://git.kernel.org/stable/c/ab86cf6f8d24e63e9aca23da5108af1aa5483928", + "https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f", + "https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729", + "https://git.kernel.org/stable/c/d679c816929d62af51c8e6d7fc0e165c9412d2f3", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\n\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\n\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\n\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\n\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\n\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-26999" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27000", + "dataSource": "https://ubuntu.com/security/CVE-2024-27000", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27000" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27000", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27000", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37", + "https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a", + "https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270", + "https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495", + "https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026", + "https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad", + "https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37", + "https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mxs-auart: add spinlock around changing cts state\n\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\n\n [ 85.119255] ------------[ cut here ]------------\n [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n [ 85.151396] Hardware name: Freescale MXS (Device Tree)\n [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n (...)\n [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n (...)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27000" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27001", + "dataSource": "https://ubuntu.com/security/CVE-2024-27001", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27001" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27001", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27001", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9", + "https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696", + "https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2", + "https://git.kernel.org/stable/c/a3b8ae7e9297dd453f2977b011c5bc75eb20e71b", + "https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b", + "https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f", + "https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8", + "https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix incomplete endpoint checking\n\nWhile vmk80xx does have endpoint checking implemented, some things\ncan fall through the cracks. Depending on the hardware model,\nURBs can have either bulk or interrupt type, and current version\nof vmk80xx_find_usb_endpoints() function does not take that fully\ninto account. While this warning does not seem to be too harmful,\nat the very least it will crash systems with 'panic_on_warn' set on\nthem.\n\nFix the issue found by Syzkaller [1] by somewhat simplifying the\nendpoint checking process with usb_find_common_endpoints() and\nensuring that only expected endpoint types are present.\n\nThis patch has not been tested on real hardware.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n \n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\n...\n\nSimilar issue also found by Syzkaller:", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27001" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27002", + "dataSource": "https://ubuntu.com/security/CVE-2024-27002", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27002" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27002", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27002", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/165d226472575b213dd90dfda19d1605dd7c19a8", + "https://git.kernel.org/stable/c/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3", + "https://git.kernel.org/stable/c/b62ed25feb342eab052822eff0c554873799a4f5", + "https://git.kernel.org/stable/c/c0dcd5c072e2a3fff886f673e6a5d9bf8090c4cc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: Do a runtime PM get on controllers during probe\n\nmt8183-mfgcfg has a mutual dependency with genpd during the probing\nstage, which leads to a deadlock in the following call stack:\n\nCPU0: genpd_lock --> clk_prepare_lock\ngenpd_power_off_work_fn()\n genpd_lock()\n generic_pm_domain::power_off()\n clk_unprepare()\n clk_prepare_lock()\n\nCPU1: clk_prepare_lock --> genpd_lock\nclk_register()\n __clk_core_init()\n clk_prepare_lock()\n clk_pm_runtime_get()\n genpd_lock()\n\nDo a runtime PM get at the probe function to make sure clk_register()\nwon't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg,\ndo this on all mediatek clock controller probings because we don't\nbelieve this would cause any regression.\n\nVerified on MT8183 and MT8192 Chromebooks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27002" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27004", + "dataSource": "https://ubuntu.com/security/CVE-2024-27004", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27004" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27004", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27004", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c", + "https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba", + "https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123", + "https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5", + "https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034", + "https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc", + "https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree during disable_unused\n\nDoug reported [1] the following hung task:\n\n INFO: task swapper/0:1 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n rpm_resume+0xe0/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n clk_pm_runtime_get+0x30/0xb0\n clk_disable_unused_subtree+0x58/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused+0x4c/0xe4\n do_one_initcall+0xcc/0x2d8\n do_initcall_level+0xa4/0x148\n do_initcalls+0x5c/0x9c\n do_basic_setup+0x24/0x30\n kernel_init_freeable+0xec/0x164\n kernel_init+0x28/0x120\n ret_from_fork+0x10/0x20\n INFO: task kworker/u16:0:9 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n schedule_preempt_disabled+0x2c/0x48\n __mutex_lock+0x238/0x488\n __mutex_lock_slowpath+0x1c/0x28\n mutex_lock+0x50/0x74\n clk_prepare_lock+0x7c/0x9c\n clk_core_prepare_lock+0x20/0x44\n clk_prepare+0x24/0x30\n clk_bulk_prepare+0x40/0xb0\n mdss_runtime_resume+0x54/0x1c8\n pm_generic_runtime_resume+0x30/0x44\n __genpd_runtime_resume+0x68/0x7c\n genpd_runtime_resume+0x108/0x1f4\n __rpm_callback+0x84/0x144\n rpm_callback+0x30/0x88\n rpm_resume+0x1f4/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n __device_attach+0xe0/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n device_add+0x644/0x814\n mipi_dsi_device_register_full+0xe4/0x170\n devm_mipi_dsi_device_register_full+0x28/0x70\n ti_sn_bridge_probe+0x1dc/0x2c0\n auxiliary_bus_probe+0x4c/0x94\n really_probe+0xcc/0x2c8\n __driver_probe_device+0xa8/0x130\n driver_probe_device+0x48/0x110\n __device_attach_driver+0xa4/0xcc\n bus_for_each_drv+0x8c/0xd8\n __device_attach+0xf8/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n deferred_probe_work_func+0x9c/0xd8\n process_one_work+0x148/0x518\n worker_thread+0x138/0x350\n kthread+0x138/0x1e0\n ret_from_fork+0x10/0x20\n\nThe first thread is walking the clk tree and calling\nclk_pm_runtime_get() to power on devices required to read the clk\nhardware via struct clk_ops::is_enabled(). This thread holds the clk\nprepare_lock, and is trying to runtime PM resume a device, when it finds\nthat the device is in the process of resuming so the thread schedule()s\naway waiting for the device to finish resuming before continuing. The\nsecond thread is runtime PM resuming the same device, but the runtime\nresume callback is calling clk_prepare(), trying to grab the\nprepare_lock waiting on the first thread.\n\nThis is a classic ABBA deadlock. To properly fix the deadlock, we must\nnever runtime PM resume or suspend a device with the clk prepare_lock\nheld. Actually doing that is near impossible today because the global\nprepare_lock would have to be dropped in the middle of the tree, the\ndevice runtime PM resumed/suspended, and then the prepare_lock grabbed\nagain to ensure consistency of the clk tree topology. If anything\nchanges with the clk tree in the meantime, we've lost and will need to\nstart the operation all over again.\n\nLuckily, most of the time we're simply incrementing or decrementing the\nruntime PM count on an active device, so we don't have the chance to\nschedule away with the prepare_lock held. Let's fix this immediate\nproblem that can be\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27004" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27005", + "dataSource": "https://ubuntu.com/security/CVE-2024-27005", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27005" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27005", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27005", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6", + "https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42", + "https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: Don't access req_list while it's being manipulated\n\nThe icc_lock mutex was split into separate icc_lock and icc_bw_lock\nmutexes in [1] to avoid lockdep splats. However, this didn't adequately\nprotect access to icc_node::req_list.\n\nThe icc_set_bw() function will eventually iterate over req_list while\nonly holding icc_bw_lock, but req_list can be modified while only\nholding icc_lock. This causes races between icc_set_bw(), of_icc_get(),\nand icc_put().\n\nExample A:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n icc_put(path_b)\n mutex_lock(&icc_lock);\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_del(...\n \n\nExample B:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n path_b = of_icc_get()\n of_icc_get_by_index()\n mutex_lock(&icc_lock);\n path_find()\n path_init()\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_add_head(...\n \n\nFix this by ensuring icc_bw_lock is always held before manipulating\nicc_node::req_list. The additional places icc_bw_lock is held don't\nperform any memory allocations, so we should still be safe from the\noriginal lockdep splats that motivated the separate locks.\n\n[1] commit af42269c3523 (\"interconnect: Fix locking for runpm vs reclaim\")", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27005" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27008", + "dataSource": "https://ubuntu.com/security/CVE-2024-27008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27008" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27008", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062", + "https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5", + "https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1", + "https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face", + "https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042", + "https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb", + "https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e", + "https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: nv04: Fix out of bounds access\n\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\n\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27008" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27009", + "dataSource": "https://ubuntu.com/security/CVE-2024-27009", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27009" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27009", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27009", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48", + "https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49", + "https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538", + "https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e", + "https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: fix race condition during online processing\n\nA race condition exists in ccw_device_set_online() that can cause the\nonline process to fail, leaving the affected device in an inconsistent\nstate. As a result, subsequent attempts to set that device online fail\nwith return code ENODEV.\n\nThe problem occurs when a path verification request arrives after\na wait for final device state completed, but before the result state\nis evaluated.\n\nFix this by ensuring that the CCW-device lock is held between\ndetermining final state and checking result state.\n\nNote that since:\n\ncommit 2297791c92d0 (\"s390/cio: dont unregister subchannel from child-drivers\")\n\npath verification requests are much more likely to occur during boot,\nresulting in an increased chance of this race condition occurring.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27009" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27010", + "dataSource": "https://ubuntu.com/security/CVE-2024-27010", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27010" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27010", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27010", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11", + "https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix mirred deadlock on device recursion\n\nWhen the mirred action is used on a classful egress qdisc and a packet is\nmirrored or redirected to self we hit a qdisc lock deadlock.\nSee trace below.\n\n[..... other info removed for brevity....]\n[ 82.890906]\n[ 82.890906] ============================================\n[ 82.890906] WARNING: possible recursive locking detected\n[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W\n[ 82.890906] --------------------------------------------\n[ 82.890906] ping/418 is trying to acquire lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] but task is already holding lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] other info that might help us debug this:\n[ 82.890906] Possible unsafe locking scenario:\n[ 82.890906]\n[ 82.890906] CPU0\n[ 82.890906] ----\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906]\n[ 82.890906] *** DEADLOCK ***\n[ 82.890906]\n[..... other info removed for brevity....]\n\nExample setup (eth0->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nAnother example(eth0->eth1->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth1\n\ntc qdisc add dev eth1 root handle 1: htb default 30\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\nroot qdisc is entered. When the softirq enters it a second time, if the\nqdisc owner is the same CPU, the packet is dropped to break the loop.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27010" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27011", + "dataSource": "https://ubuntu.com/security/CVE-2024-27011", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27011" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27011", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27011", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6", + "https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memleak in map from abort path\n\nThe delete set command does not rely on the transaction object for\nelement removal, therefore, a combination of delete element + delete set\nfrom the abort path could result in restoring twice the refcount of the\nmapping.\n\nCheck for inactive element in the next generation for the delete element\ncommand in the abort path, skip restoring state if next generation bit\nhas been already cleared. This is similar to the activate logic using\nthe set walk iterator.\n\n[ 6170.286929] ------------[ cut here ]------------\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287071] Modules linked in: [...]\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\n[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\n[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\n[ 6170.287962] Call Trace:\n[ 6170.287967] \n[ 6170.287973] ? __warn+0x9f/0x1a0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.288104] ? handle_bug+0x3c/0x70\n[ 6170.288112] ? exc_invalid_op+0x17/0x40\n[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20\n[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27011" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27012", + "dataSource": "https://ubuntu.com/security/CVE-2024-27012", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27012" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27012", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27012", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637", + "https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: restore set elements when delete set fails\n\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\nthe original state. Currently, it uses the set->ops->walk() to iterate\nover these set elements. The existing set iterator skips inactive\nelements in the next generation, this does not work from the abort path\nto restore the original state since it has to skip active elements\ninstead (not inactive ones).\n\nThis patch moves the check for inactive elements to the set iterator\ncallback, then it reverses the logic for the .activate case which\nneeds to skip active elements.\n\nToggle next generation bit for elements when delete set command is\ninvoked and call nft_clear() from .activate (abort) path to restore the\nnext generation bit.\n\nThe splat below shows an object in mappings memleak:\n\n[43929.457523] ------------[ cut here ]------------\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[...]\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\n[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\n[43929.458114] Call Trace:\n[43929.458118] \n[43929.458121] ? __warn+0x9f/0x1a0\n[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458188] ? report_bug+0x1b1/0x1e0\n[43929.458196] ? handle_bug+0x3c/0x70\n[43929.458200] ? exc_invalid_op+0x17/0x40\n[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\n[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]\n[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]\n[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\n[43929.458512] ? rb_insert_color+0x2e/0x280\n[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]\n[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\n[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\n[43929.458701] ? __rcu_read_unlock+0x46/0x70\n[43929.458709] nft_delset+0xff/0x110 [nf_tables]\n[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]\n[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27012" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27013", + "dataSource": "https://ubuntu.com/security/CVE-2024-27013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27013" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27013", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/14cdb43dbc827e18ac7d5b30c5b4c676219f1421", + "https://git.kernel.org/stable/c/40f4ced305c6c47487d3cd8da54676e2acc1a6ad", + "https://git.kernel.org/stable/c/4b0dcae5c4797bf31c63011ed62917210d3fdac3", + "https://git.kernel.org/stable/c/52854101180beccdb9dc2077a3bea31b6ad48dfa", + "https://git.kernel.org/stable/c/62e27ef18eb4f0d33bbae8e9ef56b99696a74713", + "https://git.kernel.org/stable/c/68459b8e3ee554ce71878af9eb69659b9462c588", + "https://git.kernel.org/stable/c/a50dbeca28acf7051dfa92786b85f704c75db6eb", + "https://git.kernel.org/stable/c/f8bbc07ac535593139c875ffa19af924b1084540", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: limit printing rate when illegal packet received by tun dev\n\nvhost_worker will call tun call backs to receive packets. If too many\nillegal packets arrives, tun_do_read will keep dumping packet contents.\nWhen console is enabled, it will costs much more cpu time to dump\npacket and soft lockup will be detected.\n\nnet_ratelimit mechanism can be used to limit the dumping rate.\n\nPID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: \"vhost-32980\"\n #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253\n #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3\n #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e\n #3 [fffffe00003fced0] do_nmi at ffffffff8922660d\n #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663\n [exception RIP: io_serial_in+20]\n RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002\n RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000\n RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0\n RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f\n R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020\n R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #5 [ffffa655314979e8] io_serial_in at ffffffff89792594\n #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470\n #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6\n #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605\n #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558\n #10 [ffffa65531497ac8] console_unlock at ffffffff89316124\n #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07\n #12 [ffffa65531497b68] printk at ffffffff89318306\n #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765\n #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]\n #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]\n #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]\n #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]\n #18 [ffffa65531497f10] kthread at ffffffff892d2e72\n #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27013" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27014", + "dataSource": "https://ubuntu.com/security/CVE-2024-27014", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27014" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27014", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27014", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0080bf99499468030248ebd25dd645e487dcecdc", + "https://git.kernel.org/stable/c/46efa4d5930cf3c2af8c01f75e0a47e4fc045e3b", + "https://git.kernel.org/stable/c/48c4bb81df19402d4346032353d0795260255e3b", + "https://git.kernel.org/stable/c/fef965764cf562f28afb997b626fc7c3cec99693" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent deadlock while disabling aRFS\n\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\n\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\n\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\n\nKernel log:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\n\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n __mutex_lock+0x80/0xc90\n arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n process_one_work+0x1dc/0x4a0\n worker_thread+0x1bf/0x3c0\n kthread+0xd7/0x100\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n __flush_work+0x7a/0x4e0\n __cancel_work_timer+0x131/0x1c0\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1a1/0x270\n netlink_sendmsg+0x214/0x460\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x113/0x170\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n\n *** DEADLOCK ***\n\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27014" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27015", + "dataSource": "https://ubuntu.com/security/CVE-2024-27015", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27015" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27015", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27015", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4ed82dd368ad883dc4284292937b882f044e625d", + "https://git.kernel.org/stable/c/6db5dc7b351b9569940cd1cf445e237c42cd6d27", + "https://git.kernel.org/stable/c/e3f078103421642fcd5f05c5e70777feb10f000d", + "https://git.kernel.org/stable/c/e719b52d0c56989b0f3475a03a6d64f182c85b56", + "https://git.kernel.org/stable/c/f1c3c61701a0b12f4906152c1626a5de580ea3d2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: incorrect pppoe tuple\n\npppoe traffic reaching ingress path does not match the flowtable entry\nbecause the pppoe header is expected to be at the network header offset.\nThis bug causes a mismatch in the flow table lookup, so pppoe packets\nenter the classical forwarding path.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27015" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27016", + "dataSource": "https://ubuntu.com/security/CVE-2024-27016", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27016" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27016", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27016", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf", + "https://git.kernel.org/stable/c/8bf7c76a2a207ca2b4cfda0a279192adf27678d7", + "https://git.kernel.org/stable/c/a2471d271042ea18e8a6babc132a8716bb2f08b9", + "https://git.kernel.org/stable/c/cf366ee3bc1b7d1c76a882640ba3b3f8f1039163", + "https://git.kernel.org/stable/c/d06977b9a4109f8738bb276125eb6a0b772bc433" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: validate pppoe header\n\nEnsure there is sufficient room to access the protocol field of the\nPPPoe header. Validate it once before the flowtable lookup, then use a\nhelper function to access protocol field.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27016" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27017", + "dataSource": "https://ubuntu.com/security/CVE-2024-27017", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27017" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27017", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27017", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73", + "https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\n\nThe generation mask can be updated while netlink dump is in progress.\nThe pipapo set backend walk iterator cannot rely on it to infer what\nview of the datastructure is to be used. Add notation to specify if user\nwants to read/update the set.\n\nBased on patch from Florian Westphal.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2024-27017" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27018", + "dataSource": "https://ubuntu.com/security/CVE-2024-27018", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27018" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27018", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27018", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3f59ac29dea0921637053908fe99268d157bbb9d", + "https://git.kernel.org/stable/c/43193174510ea4f3ce09b796e559a2fd9f148615", + "https://git.kernel.org/stable/c/751de2012eafa4d46d8081056761fa0e9cc8a178", + "https://git.kernel.org/stable/c/b13db0d16bc7b2a52abcf5cb71334f63faa5dbd6", + "https://git.kernel.org/stable/c/dceb683ab87ca3666a9bb5c0158528b646faedc4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: skip conntrack input hook for promisc packets\n\nFor historical reasons, when bridge device is in promisc mode, packets\nthat are directed to the taps follow bridge input hook path. This patch\nadds a workaround to reset conntrack for these packets.\n\nJianbo Liu reports warning splats in their test infrastructure where\ncloned packets reach the br_netfilter input hook to confirm the\nconntrack object.\n\nScratch one bit from BR_INPUT_SKB_CB to annotate that this packet has\nreached the input hook because it is passed up to the bridge device to\nreach the taps.\n\n[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core\n[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19\n[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1\n[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202\n[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000\n[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000\n[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003\n[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000\n[ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800\n[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000\n[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0\n[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ 57.585440] Call Trace:\n[ 57.585721] \n[ 57.585976] ? __warn+0x7d/0x130\n[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.586811] ? report_bug+0xf1/0x1c0\n[ 57.587177] ? handle_bug+0x3f/0x70\n[ 57.587539] ? exc_invalid_op+0x13/0x60\n[ 57.587929] ? asm_exc_invalid_op+0x16/0x20\n[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.588825] nf_hook_slow+0x3d/0xd0\n[ 57.589188] ? br_handle_vlan+0x4b/0x110\n[ 57.589579] br_pass_frame_up+0xfc/0x150\n[ 57.589970] ? br_port_flags_change+0x40/0x40\n[ 57.590396] br_handle_frame_finish+0x346/0x5e0\n[ 57.590837] ? ipt_do_table+0x32e/0x430\n[ 57.591221] ? br_handle_local_finish+0x20/0x20\n[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]\n[ 57.592286] ? br_handle_local_finish+0x20/0x20\n[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]\n[ 57.593348] ? br_handle_local_finish+0x20/0x20\n[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]\n[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]\n[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]\n[ 57.595280] br_handle_frame+0x1f3/0x3d0\n[ 57.595676] ? br_handle_local_finish+0x20/0x20\n[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0\n[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0\n[ 57.597017] ? __napi_build_skb+0x37/0x40\n[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27018" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27019", + "dataSource": "https://ubuntu.com/security/CVE-2024-27019", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27019" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27019", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27019", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/379bf7257bc5f2a1b1ca8514e08a871b7bf6d920", + "https://git.kernel.org/stable/c/4ca946b19caf655a08d5e2266d4d5526025ebb73", + "https://git.kernel.org/stable/c/ad333578f736d56920e090d7db1f8dec891d815e", + "https://git.kernel.org/stable/c/cade34279c2249eafe528564bd2e203e4ff15f88", + "https://git.kernel.org/stable/c/d78d867dcea69c328db30df665be5be7d0148484", + "https://git.kernel.org/stable/c/df7c0fb8c2b9f9cac65659332581b19682a71349" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\n\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27019" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27020", + "dataSource": "https://ubuntu.com/security/CVE-2024-27020", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27020" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27020", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27020", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/01f1a678b05ade4b1248019c2dcca773aebbeb7f", + "https://git.kernel.org/stable/c/0b6de00206adbbfc6373b3ae38d2a6f197987907", + "https://git.kernel.org/stable/c/8d56bad42ac4c43c6c72ddd6a654a2628bf839c5", + "https://git.kernel.org/stable/c/934e66e231cff2b18faa2c8aad0b8cec13957e05", + "https://git.kernel.org/stable/c/939109c0a8e2a006a6cc8209e262d25065f4403a", + "https://git.kernel.org/stable/c/a9ebf340d123ae12582210407f879d6a5a1bc25b", + "https://git.kernel.org/stable/c/b38a133d37fa421c8447b383d788c9cc6f5cb34c", + "https://git.kernel.org/stable/c/f969eb84ce482331a991079ab7a5c4dc3b7f89bf", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\n\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27020" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27025", + "dataSource": "https://ubuntu.com/security/CVE-2024-27025", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27025" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27025", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27025", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d", + "https://git.kernel.org/stable/c/44214d744be32a4769faebba764510888f1eb19e", + "https://git.kernel.org/stable/c/4af837db0fd3679fabc7b7758397090b0c06dced", + "https://git.kernel.org/stable/c/96436365e5d80d0106ea785a4f80a58e7c9edff8", + "https://git.kernel.org/stable/c/98e60b538e66c90b9a856828c71d4e975ebfa797", + "https://git.kernel.org/stable/c/b7f5aed55829f376e4f7e5ea5b80ccdcb023e983", + "https://git.kernel.org/stable/c/ba6a9970ce9e284cbc04099361c58731e308596a", + "https://git.kernel.org/stable/c/e803040b368d046434fbc8a91945c690332c4fcf", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: null check for nla_nest_start\n\nnla_nest_start() may fail and return NULL. Insert a check and set errno\nbased on other call sites within the same source code.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27025" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27032", + "dataSource": "https://ubuntu.com/security/CVE-2024-27032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21ec68234826b1b54ab980a8df6e33c74cfbee58", + "https://git.kernel.org/stable/c/8844b2f8a3f0c428b74672f9726f9950b1a7764c", + "https://git.kernel.org/stable/c/d034810d02a5af8eb74debe29877dcaf5f00fdd1", + "https://git.kernel.org/stable/c/f26091a981318b5b7451d61f99bc073a6af8db67", + "https://git.kernel.org/stable/c/fe4de493572a4263554903bf9c3afc5c196e15f0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential panic during recovery\n\nDuring recovery, if FAULT_BLOCK is on, it is possible that\nf2fs_reserve_new_block() will return -ENOSPC during recovery,\nthen it may trigger panic.\n\nAlso, if fault injection rate is 1 and only FAULT_BLOCK fault\ntype is on, it may encounter deadloop in loop of block reservation.\n\nLet's change as below to fix these issues:\n- remove bug_on() to avoid panic.\n- limit the loop count of block reservation to avoid potential\ndeadloop.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27032" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27035", + "dataSource": "https://ubuntu.com/security/CVE-2024-27035", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27035" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27035", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27035", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/57e8b17d0522c8f4daf0c4d9969b4d7358033532", + "https://git.kernel.org/stable/c/82704e598d7b33c7e45526e34d3c585426319bed", + "https://git.kernel.org/stable/c/8a430dd49e9cb021372b0ad91e60aeef9c6ced00", + "https://git.kernel.org/stable/c/c3311694b9bcced233548574d414c91d39214684", + "https://git.kernel.org/stable/c/e54cce8137258a550b49cae45d09e024821fb28d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to guarantee persisting compressed blocks by CP\n\nIf data block in compressed cluster is not persisted with metadata\nduring checkpoint, after SPOR, the data may be corrupted, let's\nguarantee to write compressed page by checkpoint.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27035" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27041", + "dataSource": "https://ubuntu.com/security/CVE-2024-27041", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27041" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27041", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27041", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c62697e4086de988b31124fb8c79c244ea05f2b", + "https://git.kernel.org/stable/c/2a3cfb9a24a28da9cc13d2c525a76548865e182c", + "https://git.kernel.org/stable/c/ca2eb375db76fd50f31afdd67d6ca4f833254957", + "https://git.kernel.org/stable/c/e040f1fbe9abae91b12b074cfc3bbb5367b79811" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()\n\nSince 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL\nbefore the call to dc_enable_dmub_notifications(), check\nbeforehand to ensure there will not be a possible NULL-ptr-deref\nthere.\n\nAlso, since commit 1e88eb1b2c25 (\"drm/amd/display: Drop\nCONFIG_DRM_AMD_DC_HDCP\") there are two separate checks for NULL in\n'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy().\nClean up by combining them all under one 'if'.\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27041" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27056", + "dataSource": "https://ubuntu.com/security/CVE-2024-27056", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27056" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27056", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27056", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/78f65fbf421a61894c14a1b91fe2fb4437b3fe5f", + "https://git.kernel.org/stable/c/ed35a509390ef4011ea2226da5dd6f62b73873b5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: ensure offloading TID queue exists\n\nThe resume code path assumes that the TX queue for the offloading TID\nhas been configured. At resume time it then tries to sync the write\npointer as it may have been updated by the firmware.\n\nIn the unusual event that no packets have been send on TID 0, the queue\nwill not have been allocated and this causes a crash. Fix this by\nensuring the queue exist at suspend time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27056" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27057", + "dataSource": "https://ubuntu.com/security/CVE-2024-27057", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27057" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27057", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27057", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3cac6eebea9b4bc5f041e157e45c76e212ad6759", + "https://git.kernel.org/stable/c/c40aad7c81e5fba34b70123ed7ce3397fa62a4d2", + "https://git.kernel.org/stable/c/d153e8b154f9746ac969c85a4e6474760453647c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend\n\nWhen the system is suspended while audio is active, the\nsof_ipc4_pcm_hw_free() is invoked to reset the pipelines since during\nsuspend the DSP is turned off, streams will be re-started after resume.\n\nIf the firmware crashes during while audio is running (or when we reset\nthe stream before suspend) then the sof_ipc4_set_multi_pipeline_state()\nwill fail with IPC error and the state change is interrupted.\nThis will cause misalignment between the kernel and firmware state on next\nDSP boot resulting errors returned by firmware for IPC messages, eventually\nfailing the audio resume.\nOn stream close the errors are ignored so the kernel state will be\ncorrected on the next DSP boot, so the second boot after the DSP panic.\n\nIf sof_ipc4_trigger_pipelines() is called from sof_ipc4_pcm_hw_free() then\nstate parameter is SOF_IPC4_PIPE_RESET and only in this case.\n\nTreat a forced pipeline reset similarly to how we treat a pcm_free by\nignoring error on state sending to allow the kernel's state to be\nconsistent with the state the firmware will have after the next boot.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27057" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27059", + "dataSource": "https://ubuntu.com/security/CVE-2024-27059", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27059" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27059", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27059", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49", + "https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133", + "https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636", + "https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964", + "https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325", + "https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34", + "https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f", + "https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\n\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands. The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0. While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\n\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0. This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27059" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27062", + "dataSource": "https://ubuntu.com/security/CVE-2024-27062", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27062" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27062", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27062", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6887314f5356389fc219b8152e951ac084a10ef7", + "https://git.kernel.org/stable/c/96c8751844171af4b3898fee3857ee180586f589", + "https://git.kernel.org/stable/c/b7cc4ff787a572edf2c55caeffaa88cd801eb135" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: lock the client object tree.\n\nIt appears the client object tree has no locking unless I've missed\nsomething else. Fix races around adding/removing client objects,\nmostly vram bar mappings.\n\n 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI\n[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\n[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\n[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe\n[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206\n[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58\n[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400\n[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000\n[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0\n[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007\n[ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000\n[ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0\n[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4562.099544] Call Trace:\n[ 4562.099555] \n[ 4562.099573] ? die_addr+0x36/0x90\n[ 4562.099583] ? exc_general_protection+0x246/0x4a0\n[ 4562.099593] ? asm_exc_general_protection+0x26/0x30\n[ 4562.099600] ? nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099730] nvkm_ioctl+0xa1/0x250 [nouveau]\n[ 4562.099861] nvif_object_map_handle+0xc8/0x180 [nouveau]\n[ 4562.099986] nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]\n[ 4562.100156] ? dma_resv_test_signaled+0x26/0xb0\n[ 4562.100163] ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]\n[ 4562.100182] ? __mutex_unlock_slowpath+0x2a/0x270\n[ 4562.100189] nouveau_ttm_fault+0x69/0xb0 [nouveau]\n[ 4562.100356] __do_fault+0x32/0x150\n[ 4562.100362] do_fault+0x7c/0x560\n[ 4562.100369] __handle_mm_fault+0x800/0xc10\n[ 4562.100382] handle_mm_fault+0x17c/0x3e0\n[ 4562.100388] do_user_addr_fault+0x208/0x860\n[ 4562.100395] exc_page_fault+0x7f/0x200\n[ 4562.100402] asm_exc_page_fault+0x26/0x30\n[ 4562.100412] RIP: 0033:0x9b9870\n[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7\n[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246\n[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000\n[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066\n[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000\n[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff\n[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 4562.100446] \n[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27062" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27072", + "dataSource": "https://ubuntu.com/security/CVE-2024-27072", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27072" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27072", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27072", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2", + "https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Remove useless locks in usbtv_video_free()\n\nRemove locks calls in usbtv_video_free() because\nare useless and may led to a deadlock as reported here:\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\nAlso remove usbtv_stop() call since it will be called when\nunregistering the device.\n\nBefore 'c838530d230b' this issue would only be noticed if you\ndisconnect while streaming and now it is noticeable even when\ndisconnecting while not streaming.\n\n\n[hverkuil: fix minor spelling mistake in log message]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27072" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27389", + "dataSource": "https://ubuntu.com/security/CVE-2024-27389", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27389" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27389", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27389", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/340682ed1932b8e3bd0bfc6c31a0c6354eb57cc6", + "https://git.kernel.org/stable/c/4cdf9006fc095af71da80e9b5f48a32e991b9ed3", + "https://git.kernel.org/stable/c/a43e0fc5e9134a46515de2f2f8d4100b74e50de3", + "https://git.kernel.org/stable/c/cb9e802e49c24eeb3af35e9e8c04d526f35f112a", + "https://git.kernel.org/stable/c/db6e5e16f1ee9e3b01d2f71c7f0ba945f4bf0f4e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: inode: Only d_invalidate() is needed\n\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\n\n WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\n\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\n\n---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27389" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27393", + "dataSource": "https://ubuntu.com/security/CVE-2024-27393", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27393" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27393", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27393", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/08/4", + "http://xenbits.xen.org/xsa/advisory-457.html", + "https://git.kernel.org/stable/c/037965402a010898d34f4e35327d22c0a95cd51f", + "https://git.kernel.org/stable/c/27aa3e4b3088426b7e34584274ad45b5afaf7629", + "https://git.kernel.org/stable/c/4143b9479caa29bb2380f3620dcbe16ea84eb3b1", + "https://git.kernel.org/stable/c/7c1250796b6c262b505a46192f4716b8c6a6a8c6", + "https://git.kernel.org/stable/c/c8b7b2f158d9d4fb89cd2f68244af154f7549bb4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: Add missing skb_mark_for_recycle\n\nNotice that skb_mark_for_recycle() is introduced later than fixes tag in\ncommit 6a5bcd84e886 (\"page_pool: Allow drivers to hint on SKB recycling\").\n\nIt is believed that fixes tag were missing a call to page_pool_release_page()\nbetween v5.9 to v5.14, after which is should have used skb_mark_for_recycle().\nSince v6.6 the call page_pool_release_page() were removed (in\ncommit 535b9c61bdef (\"net: page_pool: hide page_pool_release_page()\")\nand remaining callers converted (in commit 6bfef2ec0172 (\"Merge branch\n'net-page_pool-remove-page_pool_release_page'\")).\n\nThis leak became visible in v6.8 via commit dba1b8a7ab68 (\"mm/page_pool: catch\npage_pool memory leaks\").", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27393" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27395", + "dataSource": "https://ubuntu.com/security/CVE-2024-27395", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27395" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27395", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27395", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2db9a8c0a01fa1c762c1e61a13c212c492752994", + "https://git.kernel.org/stable/c/35880c3fa6f8fe281a19975d2992644588ca33d3", + "https://git.kernel.org/stable/c/589523cf0b384164e445dd5db8d5b1bf97982424", + "https://git.kernel.org/stable/c/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2", + "https://git.kernel.org/stable/c/9048616553c65e750d43846f225843ed745ec0d4", + "https://git.kernel.org/stable/c/bca6fa2d9a9f560e6b89fd5190b05cc2f5d422c1", + "https://git.kernel.org/stable/c/eaa5e164a2110d2fb9e16c8a29e4501882235137", + "https://git.kernel.org/stable/c/edee0758747d7c219e29db9ed1d4eb33e8d32865", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\n\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27395" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27396", + "dataSource": "https://ubuntu.com/security/CVE-2024-27396", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27396" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27396", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27396", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07b20d0a3dc13fb1adff10b60021a4924498da58", + "https://git.kernel.org/stable/c/0caff3e6390f840666b8dc1ecebf985c2ef3f1dd", + "https://git.kernel.org/stable/c/25a1c2d4b1fcf938356a9688a96a6456abd44b29", + "https://git.kernel.org/stable/c/2aacd4de45477582993f8a8abb9505a06426bfb6", + "https://git.kernel.org/stable/c/2e74b3fd6bf542349758f283676dff3660327c07", + "https://git.kernel.org/stable/c/718df1bc226c383dd803397d7f5d95557eb81ac7", + "https://git.kernel.org/stable/c/cd957d1716ec979d8f5bf38fc659aeb9fdaa2474", + "https://git.kernel.org/stable/c/f2a904107ee2b647bb7794a1a82b67740d7c8a64", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gtp: Fix Use-After-Free in gtp_dellink\n\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27396" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27397", + "dataSource": "https://ubuntu.com/security/CVE-2024-27397", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27397" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27397", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27397", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d", + "https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3", + "https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15", + "https://git.kernel.org/stable/c/7b17de2a71e56c10335b565cc7ad238e6d984379", + "https://git.kernel.org/stable/c/b45176b869673417ace338b87cf9cdb66e2eeb01", + "https://git.kernel.org/stable/c/eaf1a29ea5d7dba8e84e9e9f3b3f47d0cd540bfe", + "https://git.kernel.org/stable/c/f8dfda798650241c1692058713ca4fef8e429061" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: use timestamp to check for set element timeout\n\nAdd a timestamp field at the beginning of the transaction, store it\nin the nftables per-netns area.\n\nUpdate set backend .insert, .deactivate and sync gc path to use the\ntimestamp, this avoids that an element expires while control plane\ntransaction is still unfinished.\n\n.lookup and .update, which are used from packet path, still use the\ncurrent time to check if the element has expired. And .get path and dump\nalso since this runs lockless under rcu read size lock. Then, there is\nasync gc which also needs to check the current time since it runs\nasynchronously from a workqueue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27397" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27398", + "dataSource": "https://ubuntu.com/security/CVE-2024-27398", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27398" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27398", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27398", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2", + "https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249", + "https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014", + "https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53", + "https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546", + "https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178", + "https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5", + "https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\n\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\n\n Cleanup Thread | Worker Thread\nsco_sock_release |\n sco_sock_close |\n __sco_sock_close |\n sco_sock_set_timer |\n schedule_delayed_work |\n sco_sock_kill | (wait a time)\n sock_put(sk) //FREE | sco_sock_timeout\n | sock_hold(sk) //USE\n\nThe KASAN report triggered by POC is shown below:\n\n[ 95.890016] ==================================================================\n[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[ 95.890755] Workqueue: events sco_sock_timeout\n[ 95.890755] Call Trace:\n[ 95.890755] \n[ 95.890755] dump_stack_lvl+0x45/0x110\n[ 95.890755] print_address_description+0x78/0x390\n[ 95.890755] print_report+0x11b/0x250\n[ 95.890755] ? __virt_addr_valid+0xbe/0xf0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_report+0x139/0x170\n[ 95.890755] ? update_load_avg+0xe5/0x9f0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_check_range+0x2c3/0x2e0\n[ 95.890755] sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] process_one_work+0x561/0xc50\n[ 95.890755] worker_thread+0xab2/0x13c0\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] kthread+0x279/0x300\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork+0x34/0x60\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork_asm+0x11/0x20\n[ 95.890755] \n[ 95.890755]\n[ 95.890755] Allocated by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] __kasan_kmalloc+0x86/0x90\n[ 95.890755] __kmalloc+0x17f/0x360\n[ 95.890755] sk_prot_alloc+0xe1/0x1a0\n[ 95.890755] sk_alloc+0x31/0x4e0\n[ 95.890755] bt_sock_alloc+0x2b/0x2a0\n[ 95.890755] sco_sock_create+0xad/0x320\n[ 95.890755] bt_sock_create+0x145/0x320\n[ 95.890755] __sock_create+0x2e1/0x650\n[ 95.890755] __sys_socket+0xd0/0x280\n[ 95.890755] __x64_sys_socket+0x75/0x80\n[ 95.890755] do_syscall_64+0xc4/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] Freed by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] kasan_save_free_info+0x40/0x50\n[ 95.890755] poison_slab_object+0x118/0x180\n[ 95.890755] __kasan_slab_free+0x12/0x30\n[ 95.890755] kfree+0xb2/0x240\n[ 95.890755] __sk_destruct+0x317/0x410\n[ 95.890755] sco_sock_release+0x232/0x280\n[ 95.890755] sock_close+0xb2/0x210\n[ 95.890755] __fput+0x37f/0x770\n[ 95.890755] task_work_run+0x1ae/0x210\n[ 95.890755] get_signal+0xe17/0xf70\n[ 95.890755] arch_do_signal_or_restart+0x3f/0x520\n[ 95.890755] syscall_exit_to_user_mode+0x55/0x120\n[ 95.890755] do_syscall_64+0xd1/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the object at ffff88800c388000\n[ 95.890755] which belongs to the cache kmalloc-1k of size 1024\n[ 95.890755] The buggy address is located 128 bytes inside of\n[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the physical page:\n[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 95.890755] ano\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-27398" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27399", + "dataSource": "https://ubuntu.com/security/CVE-2024-27399", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27399" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27399", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27399", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c", + "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9", + "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33", + "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0", + "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c", + "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae", + "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79", + "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\n\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan->conn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\n\n[ 472.074580] ==================================================================\n[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[ 472.075308]\n[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.075308] Workqueue: events l2cap_chan_timeout\n[ 472.075308] Call Trace:\n[ 472.075308] \n[ 472.075308] dump_stack_lvl+0x137/0x1a0\n[ 472.075308] print_report+0x101/0x250\n[ 472.075308] ? __virt_addr_valid+0x77/0x160\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_report+0x139/0x170\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_check_range+0x2c3/0x2e0\n[ 472.075308] mutex_lock+0x68/0xc0\n[ 472.075308] l2cap_chan_timeout+0x181/0x300\n[ 472.075308] process_one_work+0x5d2/0xe00\n[ 472.075308] worker_thread+0xe1d/0x1660\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] kthread+0x2b7/0x350\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork+0x4d/0x80\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork_asm+0x11/0x20\n[ 472.075308] \n[ 472.075308] ==================================================================\n[ 472.094860] Disabling lock debugging due to kernel taint\n[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[ 472.096136] #PF: supervisor write access in kernel mode\n[ 472.096136] #PF: error_code(0x0002) - not-present page\n[ 472.096136] PGD 0 P4D 0\n[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.096136] Workqueue: events l2cap_chan_timeout\n[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[ 472.096136] Call Trace:\n[ 472.096136] \n[ 472.096136] ? __die_body+0x8d/0xe0\n[ 472.096136] ? page_fault_oops+0x6b8/0x9a0\n[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[ 472.096136] ? do_user_addr_fault+0x1027/0x1340\n[ 472.096136] ? _printk+0x7a/0xa0\n[ 472.096136] ? mutex_lock+0x68/0xc0\n[ 472.096136] ? add_taint+0x42/0xd0\n[ 472.096136] ? exc_page_fault+0x6a/0x1b0\n[ 472.096136] ? asm_exc_page_fault+0x26/0x30\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] ? mutex_lock+0x88/0xc0\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] l2cap_chan_timeo\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-27399" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27400", + "dataSource": "https://ubuntu.com/security/CVE-2024-27400", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27400" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27400", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27400", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c7ed3ed35eec9138b88d42217b5a6b9a62bda4d", + "https://git.kernel.org/stable/c/5c25b169f9a0b34ee410891a96bc9d7b9ed6f9be", + "https://git.kernel.org/stable/c/9a4f6e138720b6e9adf7b82a71d0292f3f276480", + "https://git.kernel.org/stable/c/d3a9331a6591e9df64791e076f6591f440af51c3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2\n\nThis reverts drm/amdgpu: fix ftrace event amdgpu_bo_move always move\non same heap. The basic problem here is that after the move the old\nlocation is simply not available any more.\n\nSome fixes were suggested, but essentially we should call the move\nnotification before actually moving things because only this way we have\nthe correct order for DMA-buf and VM move notifications as well.\n\nAlso rework the statistic handling so that we don't update the eviction\ncounter before the move.\n\nv2: add missing NULL check", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27400" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27401", + "dataSource": "https://ubuntu.com/security/CVE-2024-27401", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27401" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27401", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27401", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1fe60ee709436550f8cfbab01295936b868d5baa", + "https://git.kernel.org/stable/c/38762a0763c10c24a4915feee722d7aa6e73eb98", + "https://git.kernel.org/stable/c/4ee0941da10e8fdcdb34756b877efd3282594c1f", + "https://git.kernel.org/stable/c/539d51ac48bcfcfa1b3d4a85f8df92fa22c1d41c", + "https://git.kernel.org/stable/c/67f34f093c0f7bf33f5b4ae64d3d695a3b978285", + "https://git.kernel.org/stable/c/79f988d3ffc1aa778fc5181bdfab312e57956c6b", + "https://git.kernel.org/stable/c/7b8c7bd2296e95b38a6ff346242356a2e7190239", + "https://git.kernel.org/stable/c/cca330c59c54207567a648357835f59df9a286bb", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\n\nEnsure that packet_buffer_get respects the user_length provided. If\nthe length of the head packet exceeds the user_length, packet_buffer_get\nwill now return 0 to signify to the user that no data were read\nand a larger buffer size is required. Helps prevent user space overflows.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-27401" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27402", + "dataSource": "https://ubuntu.com/security/CVE-2024-27402", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27402" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27402", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27402", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a9f558c72c47472c38c05fcb72c70abb9104277", + "https://git.kernel.org/stable/c/7d2a894d7f487dcb894df023e9d3014cf5b93fe5", + "https://git.kernel.org/stable/c/8ef4fcc7014b9f93619851d6b78d6cc2789a4c88", + "https://git.kernel.org/stable/c/9d5523e065b568e79dfaa2ea1085a5bcf74baf78" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet/pep: fix racy skb_queue_empty() use\n\nThe receive queues are protected by their respective spin-lock, not\nthe socket lock. This could lead to skb_peek() unexpectedly\nreturning NULL or a pointer to an already dequeued socket buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27402" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27407", + "dataSource": "https://ubuntu.com/security/CVE-2024-27407", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27407" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27407", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27407", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1c0a95d99b1b2b5d842e5abc7ef7eed1193b60d7", + "https://git.kernel.org/stable/c/652cfeb43d6b9aba5c7c4902bed7a7340df131fb", + "https://git.kernel.org/stable/c/8c77398c72618101d66480b94b34fe9087ee3d08" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fixed overflow check in mi_enum_attr()", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27407" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27408", + "dataSource": "https://ubuntu.com/security/CVE-2024-27408", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27408" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27408", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27408", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/bbcc1c83f343e580c3aa1f2a8593343bf7b55bba", + "https://git.kernel.org/stable/c/d24fe6d5a1cfdddb7a9ef56736ec501c4d0a5fd3", + "https://git.kernel.org/stable/c/f396b4df27cfe01a99f4b41f584c49e56477be3a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup\n\nThe Linked list element and pointer are not stored in the same memory as\nthe eDMA controller register. If the doorbell register is toggled before\nthe full write of the linked list a race condition error will occur.\nIn remote setup we can only use a readl to the memory to assure the full\nwrite has occurred.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27408" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27418", + "dataSource": "https://ubuntu.com/security/CVE-2024-27418", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27418" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27418", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27418", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3", + "https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd", + "https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b", + "https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: take ownership of skb in mctp_local_output\n\nCurrently, mctp_local_output only takes ownership of skb on success, and\nwe may leak an skb if mctp_local_output fails in specific states; the\nskb ownership isn't transferred until the actual output routing occurs.\n\nInstead, make mctp_local_output free the skb on all error paths up to\nthe route action, so it always consumes the passed skb.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27418" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27435", + "dataSource": "https://ubuntu.com/security/CVE-2024-27435", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27435" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27435", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27435", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8", + "https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818", + "https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96", + "https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1d", + "https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix reconnection fail due to reserved tag allocation\n\nWe found a issue on production environment while using NVMe over RDMA,\nadmin_q reconnect failed forever while remote target and network is ok.\nAfter dig into it, we found it may caused by a ABBA deadlock due to tag\nallocation. In my case, the tag was hold by a keep alive request\nwaiting inside admin_q, as we quiesced admin_q while reset ctrl, so the\nrequest maked as idle and will not process before reset success. As\nfabric_q shares tagset with admin_q, while reconnect remote target, we\nneed a tag for connect command, but the only one reserved tag was held\nby keep alive command which waiting inside admin_q. As a result, we\nfailed to reconnect admin_q forever. In order to fix this issue, I\nthink we should keep two reserved tags for admin queue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-27435" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-27437", + "dataSource": "https://ubuntu.com/security/CVE-2024-27437", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-27437" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-27437", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/139dfcc4d723ab13469881200c7d80f49d776060", + "https://git.kernel.org/stable/c/26389925d6c2126fb777821a0a983adca7ee6351", + "https://git.kernel.org/stable/c/2a4a666c45107206605b7b5bc20545f8aabc4fa2", + "https://git.kernel.org/stable/c/3b3491ad0f80d913e7d255941d4470f4a4d9bfda", + "https://git.kernel.org/stable/c/561d5e1998d58b54ce2bbbb3e843b669aa0b3db5", + "https://git.kernel.org/stable/c/b7a2f0955ffceffadfe098b40b50307431f45438", + "https://git.kernel.org/stable/c/bf0bc84a20e6109ab07d5dc072067bd01eb931ec", + "https://git.kernel.org/stable/c/fe9a7082684eb059b925c535682e68c34d487d43", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\n\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag. This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\n\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-27437" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-31076", + "dataSource": "https://ubuntu.com/security/CVE-2024-31076", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-31076" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-31076", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-31076", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f", + "https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76", + "https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420", + "https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8", + "https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32", + "https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30", + "https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1", + "https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\n\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\n\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\n\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\n\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\n\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\n\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\n\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\n\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-31076" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-33621", + "dataSource": "https://ubuntu.com/security/CVE-2024-33621", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-33621" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-33621", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-33621", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0049a623dfbbb49888de7f0c2f33a582b5ead989", + "https://git.kernel.org/stable/c/13c4543db34e0da5a7d2f550b6262d860f248381", + "https://git.kernel.org/stable/c/183c4b416454b9983dc1b8aa0022b748911adc48", + "https://git.kernel.org/stable/c/1abbf079da59ef559d0ab4219d2a0302f7970761", + "https://git.kernel.org/stable/c/54213c09801e0bd2549ac42961093be36f65a7d0", + "https://git.kernel.org/stable/c/54768bacfde60e8e4757968d79f8726711dd2cf5", + "https://git.kernel.org/stable/c/b3dc6e8003b500861fa307e9a3400c52e78e4d3a", + "https://git.kernel.org/stable/c/cb53706a3403ba67f4040b2a82d9cf79e11b1a48" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound\n\nRaw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will\nhit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.\n\nWARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70\nModules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper\nCPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:sk_mc_loop+0x2d/0x70\nCode: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c\nRSP: 0018:ffffa9584015cd78 EFLAGS: 00010212\nRAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001\nRDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000\nRBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00\nR10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000\nR13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000\nFS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n ? __warn (kernel/panic.c:693)\n ? sk_mc_loop (net/core/sock.c:760)\n ? report_bug (lib/bug.c:201 lib/bug.c:219)\n ? handle_bug (arch/x86/kernel/traps.c:239)\n ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\n ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\n ? sk_mc_loop (net/core/sock.c:760)\n ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))\n ? nf_hook_slow (net/netfilter/core.c:626)\n ip6_finish_output (net/ipv6/ip6_output.c:222)\n ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)\n ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan\n ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan\n dev_hard_start_xmit (net/core/dev.c:3594)\n sch_direct_xmit (net/sched/sch_generic.c:343)\n __qdisc_run (net/sched/sch_generic.c:416)\n net_tx_action (net/core/dev.c:5286)\n handle_softirqs (kernel/softirq.c:555)\n __irq_exit_rcu (kernel/softirq.c:589)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)\n\nThe warning triggers as this:\npacket_sendmsg\n packet_snd //skb->sk is packet sk\n __dev_queue_xmit\n __dev_xmit_skb //q->enqueue is not NULL\n __qdisc_run\n sch_direct_xmit\n dev_hard_start_xmit\n ipvlan_start_xmit\n ipvlan_xmit_mode_l3 //l3 mode\n ipvlan_process_outbound //vepa flag\n ipvlan_process_v6_outbound\n ip6_local_out\n __ip6_finish_output\n ip6_finish_output2 //multicast packet\n sk_mc_loop //sk->sk_family is AF_PACKET\n\nCall ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-33621" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-33847", + "dataSource": "https://ubuntu.com/security/CVE-2024-33847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-33847" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-33847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-33847", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29ed2b5dd521ce7c5d8466cd70bf0cc9d07afeee", + "https://git.kernel.org/stable/c/3ccf5210dc941a7aa0180596ac021568be4d35ec", + "https://git.kernel.org/stable/c/5268241b41b1c5d0acca75e9b97d4fd719251c8c", + "https://git.kernel.org/stable/c/8acae047215024d1ac499b3c8337ef1b952f160b", + "https://git.kernel.org/stable/c/9f9341064a9b5246a32a7fe56b9f80c6f7f3c62d", + "https://git.kernel.org/stable/c/b8962cf98595d1ec62f40f23667de830567ec8bc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: don't allow unaligned truncation on released compress inode\n\nf2fs image may be corrupted after below testcase:\n- mkfs.f2fs -O extra_attr,compression -f /dev/vdb\n- mount /dev/vdb /mnt/f2fs\n- touch /mnt/f2fs/file\n- f2fs_io setflags compression /mnt/f2fs/file\n- dd if=/dev/zero of=/mnt/f2fs/file bs=4k count=4\n- f2fs_io release_cblocks /mnt/f2fs/file\n- truncate -s 8192 /mnt/f2fs/file\n- umount /mnt/f2fs\n- fsck.f2fs /dev/vdb\n\n[ASSERT] (fsck_chk_inode_blk:1256) --> ino: 0x5 has i_blocks: 0x00000002, but has 0x3 blocks\n[FSCK] valid_block_count matching with CP [Fail] [0x4, 0x5]\n[FSCK] other corrupted bugs [Fail]\n\nThe reason is: partial truncation assume compressed inode has reserved\nblocks, after partial truncation, valid block count may change w/o\n.i_blocks and .total_valid_block_count update, result in corruption.\n\nThis patch only allow cluster size aligned truncation on released\ncompress inode for fixing.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-33847" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-34027", + "dataSource": "https://ubuntu.com/security/CVE-2024-34027", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-34027" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-34027", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34027", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a4ed2d97cb6d044196cc3e726b6699222b41019", + "https://git.kernel.org/stable/c/329edb7c9e3b6ca27e6ca67ab1cdda1740fb3a2b", + "https://git.kernel.org/stable/c/5d47d63883735718825ca2efc4fca6915469774f", + "https://git.kernel.org/stable/c/69136304fd144144a4828c7b7b149d0f80321ba4", + "https://git.kernel.org/stable/c/a6e1f7744e9b84f86a629a76024bba8468aa153b", + "https://git.kernel.org/stable/c/b5bac43875aa27ec032dbbb86173baae6dce6182" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\n\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\nto avoid racing with checkpoint, otherwise, filesystem metadata including\nblkaddr in dnode, inode fields and .total_valid_block_count may be\ncorrupted after SPO case.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-34027" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-34777", + "dataSource": "https://ubuntu.com/security/CVE-2024-34777", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-34777" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-34777", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34777", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1ff05e723f7ca30644b8ec3fb093f16312e408ad", + "https://git.kernel.org/stable/c/34a816d8735f3924b74be8e5bf766ade1f3bd10b", + "https://git.kernel.org/stable/c/35d31c8bd4722b107f5a2f5ddddce839de04b936", + "https://git.kernel.org/stable/c/63e7e05a48a35308aeddd7ecccb68363a5988e87", + "https://git.kernel.org/stable/c/c57874265a3c5206d7aece3793bb2fc9abcd7570" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: fix node id validation\n\nWhile validating node ids in map_benchmark_ioctl(), node_possible() may\nbe provided with invalid argument outside of [0,MAX_NUMNODES-1] range\nleading to:\n\nBUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nRead of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971\nCPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117)\nkasan_report (mm/kasan/report.c:603)\nkasan_check_range (mm/kasan/generic.c:189)\nvariable_test_bit (arch/x86/include/asm/bitops.h:227) [inline]\narch_test_bit (arch/x86/include/asm/bitops.h:239) [inline]\n_test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline]\nnode_state (include/linux/nodemask.h:423) [inline]\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nCompare node ids with sane bounds first. NUMA_NO_NODE is considered a\nspecial valid case meaning that benchmarking kthreads won't be bound to a\ncpuset of a given node.\n\nFound by Linux Verification Center (linuxtesting.org).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-34777" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35247", + "dataSource": "https://ubuntu.com/security/CVE-2024-35247", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35247" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35247", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35247", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2279c09c36165ccded4d506d11a7714e13b56019", + "https://git.kernel.org/stable/c/26e6e25d742e29885cf44274fcf6b744366c4702", + "https://git.kernel.org/stable/c/4d7d12b643c00e7eea51b49a60a2ead182633ec8", + "https://git.kernel.org/stable/c/75a001914a8d2ccdcbe4b8cc7e94ac71d0e66093", + "https://git.kernel.org/stable/c/9b4eee8572dcf82b2ed17d9a328c7fb87df2f0e8", + "https://git.kernel.org/stable/c/b7c0e1ecee403a43abc89eb3e75672b01ff2ece9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: region: add owner module and take its refcount\n\nThe current implementation of the fpga region assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the region\nduring programming if the parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_region\nstruct and use it to take the module's refcount. Modify the functions for\nregistering a region to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the region as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a region without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga region.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35247" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35784", + "dataSource": "https://ubuntu.com/security/CVE-2024-35784", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35784" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35784", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35784", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/89bca7fe6382d61e88c67a0b0e7bce315986fb8b", + "https://git.kernel.org/stable/c/b0ad381fa7690244802aed119b478b4bdafc31dd", + "https://git.kernel.org/stable/c/ded566b4637f1b6b4c9ba74e7d0b8493e93f19cf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock with fiemap and extent locking\n\nWhile working on the patchset to remove extent locking I got a lockdep\nsplat with fiemap and pagefaulting with my new extent lock replacement\nlock.\n\nThis deadlock exists with our normal code, we just don't have lockdep\nannotations with the extent locking so we've never noticed it.\n\nSince we're copying the fiemap extent to user space on every iteration\nwe have the chance of pagefaulting. Because we hold the extent lock for\nthe entire range we could mkwrite into a range in the file that we have\nmmap'ed. This would deadlock with the following stack trace\n\n[<0>] lock_extent+0x28d/0x2f0\n[<0>] btrfs_page_mkwrite+0x273/0x8a0\n[<0>] do_page_mkwrite+0x50/0xb0\n[<0>] do_fault+0xc1/0x7b0\n[<0>] __handle_mm_fault+0x2fa/0x460\n[<0>] handle_mm_fault+0xa4/0x330\n[<0>] do_user_addr_fault+0x1f4/0x800\n[<0>] exc_page_fault+0x7c/0x1e0\n[<0>] asm_exc_page_fault+0x26/0x30\n[<0>] rep_movs_alternative+0x33/0x70\n[<0>] _copy_to_user+0x49/0x70\n[<0>] fiemap_fill_next_extent+0xc8/0x120\n[<0>] emit_fiemap_extent+0x4d/0xa0\n[<0>] extent_fiemap+0x7f8/0xad0\n[<0>] btrfs_fiemap+0x49/0x80\n[<0>] __x64_sys_ioctl+0x3e1/0xb50\n[<0>] do_syscall_64+0x94/0x1a0\n[<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nI wrote an fstest to reproduce this deadlock without my replacement lock\nand verified that the deadlock exists with our existing locking.\n\nTo fix this simply don't take the extent lock for the entire duration of\nthe fiemap. This is safe in general because we keep track of where we\nare when we're searching the tree, so if an ordered extent updates in\nthe middle of our fiemap call we'll still emit the correct extents\nbecause we know what offset we were on before.\n\nThe only place we maintain the lock is searching delalloc. Since the\ndelalloc stuff can change during writeback we want to lock the extent\nrange so we have a consistent view of delalloc at the time we're\nchecking to see if we need to set the delalloc flag.\n\nWith this patch applied we no longer deadlock with my testcase.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35784" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35785", + "dataSource": "https://ubuntu.com/security/CVE-2024-35785", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35785" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35785", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35785", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4b12ff5edd141926d49c9ace4791adf3a4902fe7", + "https://git.kernel.org/stable/c/520f79c110ff712b391b3d87fcacf03c74bc56ee", + "https://git.kernel.org/stable/c/95915ba4b987cf2b222b0f251280228a1ff977ac", + "https://git.kernel.org/stable/c/bc40ded92af55760d12bec8222d4108de725dbe4", + "https://git.kernel.org/stable/c/bfa344afbe472a9be08f78551fa2190c1a07d7d3", + "https://git.kernel.org/stable/c/e5b5948c769aa1ebf962dddfb972f87d8f166f95", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix kernel panic caused by incorrect error handling\n\nThe error path while failing to register devices on the TEE bus has a\nbug leading to kernel panic as follows:\n\n[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c\n[ 15.406913] Mem abort info:\n[ 15.409722] ESR = 0x0000000096000005\n[ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 15.418814] SET = 0, FnV = 0\n[ 15.421878] EA = 0, S1PTW = 0\n[ 15.425031] FSC = 0x05: level 1 translation fault\n[ 15.429922] Data abort info:\n[ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000\n[ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000\n[ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n\nCommit 7269cba53d90 (\"tee: optee: Fix supplicant based device enumeration\")\nlead to the introduction of this bug. So fix it appropriately.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35785" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35789", + "dataSource": "https://ubuntu.com/security/CVE-2024-35789", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35789" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35789", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35789", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc", + "https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685", + "https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7", + "https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b", + "https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931", + "https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f", + "https://git.kernel.org/stable/c/e8678551c0243f799b4859448781cbec1bd6f1cb", + "https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e", + "https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\n\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\nafter the VLAN change.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35789" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35790", + "dataSource": "https://ubuntu.com/security/CVE-2024-35790", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35790" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35790", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35790", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ad011776c057ce881b7fd6d8c79ecd459c087e9", + "https://git.kernel.org/stable/c/165376f6b23e9a779850e750fb2eb06622e5a531", + "https://git.kernel.org/stable/c/4a22aeac24d0d5f26ba741408e8b5a4be6dc5dc0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group\n\nThe DisplayPort driver's sysfs nodes may be present to the userspace before\ntypec_altmode_set_drvdata() completes in dp_altmode_probe. This means that\na sysfs read can trigger a NULL pointer error by deferencing dp->hpd in\nhpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns\nNULL in those cases.\n\nRemove manual sysfs node creation in favor of adding attribute group as\ndefault for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is\nnot used here otherwise the path to the sysfs nodes is no longer compliant\nwith the ABI.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35790" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35791", + "dataSource": "https://ubuntu.com/security/CVE-2024-35791", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35791" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35791", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35791", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4", + "https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d", + "https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865", + "https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807", + "https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7", + "https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\n\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm->lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\n\nNote, the \"obvious\" alternative of using local variables doesn't fully\nresolve the bug, as region->pages is also dynamically allocated. I.e. the\nregion structure itself would be fine, but region->pages could be freed.\n\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35791" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35794", + "dataSource": "https://ubuntu.com/security/CVE-2024-35794", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35794" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35794", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35794", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16c4770c75b1223998adbeb7286f9a15c65fba73", + "https://git.kernel.org/stable/c/af916cb66a80597f3523bc85812e790bcdcfd62b", + "https://git.kernel.org/stable/c/eaa8fc9b092837cf2c754bde1a15d784ce9a85ab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid: really frozen sync_thread during suspend\n\n1) commit f52f5c71f3d4 (\"md: fix stopping sync thread\") remove\n MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that\n dm-raid relies on __md_stop_writes() to frozen sync_thread\n indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in\n md_stop_writes(), and since stop_sync_thread() is only used for\n dm-raid in this case, also move stop_sync_thread() to\n md_stop_writes().\n2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen,\n it only prevent new sync_thread to start, and it can't stop the\n running sync thread; In order to frozen sync_thread, after seting the\n flag, stop_sync_thread() should be used.\n3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use\n it as condition for md_stop_writes() in raid_postsuspend() doesn't\n look correct. Consider that reentrant stop_sync_thread() do nothing,\n always call md_stop_writes() in raid_postsuspend().\n4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime,\n and if MD_RECOVERY_FROZEN is cleared while the array is suspended,\n new sync_thread can start unexpected. Fix this by disallow\n raid_message() to change sync_thread status during suspend.\n\nNote that after commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), the\ntest shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(),\nand with previous fixes, the test won't hang there anymore, however, the\ntest will still fail and complain that ext4 is corrupted. And with this\npatch, the test won't hang due to stop_sync_thread() or fail due to ext4\nis corrupted anymore. However, there is still a deadlock related to\ndm-raid456 that will be fixed in following patches.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35794" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35796", + "dataSource": "https://ubuntu.com/security/CVE-2024-35796", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35796" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35796", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35796", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3a38a829c8bc27d78552c28e582eb1d885d07d11", + "https://git.kernel.org/stable/c/46efbdbc95a30951c2579caf97b6df2ee2b3bef3", + "https://git.kernel.org/stable/c/476eed5f1c22034774902a980aa48dc4662cb39a", + "https://git.kernel.org/stable/c/553d294db94b5f139378022df480a9fb6c3ae39e", + "https://git.kernel.org/stable/c/6d9395ba7f85bdb7af0b93272e537484ecbeff48", + "https://git.kernel.org/stable/c/7e9edb569fd9f688d887e36db8170f6e22bafbc8", + "https://git.kernel.org/stable/c/92c0c29f667870f17c0b764544bdf22ce0e886a1", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ll_temac: platform_get_resource replaced by wrong function\n\nThe function platform_get_resource was replaced with\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\n\nThis eventually ends up in platform_get_resource_byname in the call\nstack, where it causes a null pointer in strcmp.\n\n\tif (type == resource_type(r) && !strcmp(r->name, name))\n\nIt should have been replaced with devm_platform_ioremap_resource.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35796" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35799", + "dataSource": "https://ubuntu.com/security/CVE-2024-35799", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35799" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35799", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35799", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2b17133a0a2e0e111803124dad09e803718d4a48", + "https://git.kernel.org/stable/c/4356a2c3f296503c8b420ae8adece053960a9f06", + "https://git.kernel.org/stable/c/59772327d439874095516673b4b30c48bd83ca38", + "https://git.kernel.org/stable/c/72d72e8fddbcd6c98e1b02d32cf6f2b04e10bd1c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Prevent crash when disable stream\n\n[Why]\nDisabling stream encoder invokes a function that no longer exists.\n\n[How]\nCheck if the function declaration is NULL in disable stream encoder.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35799" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35801", + "dataSource": "https://ubuntu.com/security/CVE-2024-35801", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35801" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35801", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35801", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/10e4b5166df9ff7a2d5316138ca668b42d004422", + "https://git.kernel.org/stable/c/1acbca933313aa866e39996904c9aca4d435c4cd", + "https://git.kernel.org/stable/c/21c7c00dae55cb0e3810d5f9506b58f68475d41d", + "https://git.kernel.org/stable/c/92b0f04e937665bde5768f3fcc622dcce44413d8", + "https://git.kernel.org/stable/c/b61e3b7055ac6edee4be071c52f48c26472d2624" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\n\nCommit 672365477ae8 (\"x86/fpu: Update XFD state where required\") and\ncommit 8bf26758ca96 (\"x86/fpu: Add XFD state to fpstate\") introduced a\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\norder to avoid unnecessary writes to the MSR.\n\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\nwipes out any stale state. But the per CPU cached xfd value is not\nreset, which brings them out of sync.\n\nAs a consequence a subsequent xfd_update_state() might fail to update\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\nspace, which crashes the kernel.\n\nTo fix this, introduce xfd_set_state() to write xfd_state together\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35801" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35803", + "dataSource": "https://ubuntu.com/security/CVE-2024-35803", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35803" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35803", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35803", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2149f8a56e2ed345c7a4d022a79f6b8fc53ae926", + "https://git.kernel.org/stable/c/725351c036452b7db5771a7bed783564bc4b99cc", + "https://git.kernel.org/stable/c/930775060ca348b8665f60eef14b204172d14f31", + "https://git.kernel.org/stable/c/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02", + "https://git.kernel.org/stable/c/fba7ee7187581b5bc222003e73e2592b398bb06d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/efistub: Call mixed mode boot services on the firmware's stack\n\nNormally, the EFI stub calls into the EFI boot services using the stack\nthat was live when the stub was entered. According to the UEFI spec,\nthis stack needs to be at least 128k in size - this might seem large but\nall asynchronous processing and event handling in EFI runs from the same\nstack and so quite a lot of space may be used in practice.\n\nIn mixed mode, the situation is a bit different: the bootloader calls\nthe 32-bit EFI stub entry point, which calls the decompressor's 32-bit\nentry point, where the boot stack is set up, using a fixed allocation\nof 16k. This stack is still in use when the EFI stub is started in\n64-bit mode, and so all calls back into the EFI firmware will be using\nthe decompressor's limited boot stack.\n\nDue to the placement of the boot stack right after the boot heap, any\nstack overruns have gone unnoticed. However, commit\n\n 5c4feadb0011983b (\"x86/decompressor: Move global symbol references to C code\")\n\nmoved the definition of the boot heap into C code, and now the boot\nstack is placed right at the base of BSS, where any overruns will\ncorrupt the end of the .data section.\n\nWhile it would be possible to work around this by increasing the size of\nthe boot stack, doing so would affect all x86 systems, and mixed mode\nsystems are a tiny (and shrinking) fraction of the x86 installed base.\n\nSo instead, record the firmware stack pointer value when entering from\nthe 32-bit firmware, and switch to this stack every time a EFI boot\nservice call is made.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35803" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35804", + "dataSource": "https://ubuntu.com/security/CVE-2024-35804", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35804" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35804", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35804", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71", + "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06", + "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902", + "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551", + "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\n\nWhen emulating an atomic access on behalf of the guest, mark the target\ngfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This\nfixes a bug where KVM effectively corrupts guest memory during live\nmigration by writing to guest memory without informing userspace that the\npage is dirty.\n\nMarking the page dirty got unintentionally dropped when KVM's emulated\nCMPXCHG was converted to do a user access. Before that, KVM explicitly\nmapped the guest page into kernel memory, and marked the page dirty during\nthe unmap phase.\n\nMark the page dirty even if the CMPXCHG fails, as the old data is written\nback on failure, i.e. the page is still written. The value written is\nguaranteed to be the same because the operation is atomic, but KVM's ABI\nis that all writes are dirty logged regardless of the value written. And\nmore importantly, that's what KVM did before the buggy commit.\n\nHuge kudos to the folks on the Cc list (and many others), who did all the\nactual work of triaging and debugging.\n\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35804" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35805", + "dataSource": "https://ubuntu.com/security/CVE-2024-35805", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35805" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35805", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35805", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/116562e804ffc9dc600adab6326dde31d72262c7", + "https://git.kernel.org/stable/c/3d47eb405781cc5127deca9a14e24b27696087a1", + "https://git.kernel.org/stable/c/5f4ad4d0b0943296287313db60b3f84df4aad683", + "https://git.kernel.org/stable/c/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc", + "https://git.kernel.org/stable/c/9759ff196e7d248bcf8386a7451d6ff8537a7d9c", + "https://git.kernel.org/stable/c/e50f83061ac250f90710757a3e51b70a200835e2", + "https://git.kernel.org/stable/c/e7d4cff57c3c43fdd72342c78d4138f509c7416e", + "https://git.kernel.org/stable/c/fa5c055800a7fd49a36bbb52593aca4ea986a366", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm snapshot: fix lockup in dm_exception_table_exit\n\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35805" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35806", + "dataSource": "https://ubuntu.com/security/CVE-2024-35806", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35806" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35806", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35806", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e6521b0f93ff350434ed4ae61a250907e65d397", + "https://git.kernel.org/stable/c/276af8efb05c8e47acf2738a5609dd72acfc703f", + "https://git.kernel.org/stable/c/584c2a9184a33a40fceee838f856de3cffa19be3", + "https://git.kernel.org/stable/c/62c3ecd2833cff0eff4a82af4082c44ca8d2518a", + "https://git.kernel.org/stable/c/a62168653774c36398d65846a98034436ee66d03", + "https://git.kernel.org/stable/c/af25c5180b2b1796342798f6c56fcfd12f5035bd", + "https://git.kernel.org/stable/c/b56a793f267679945d1fdb9a280013bd2d0ed7f9", + "https://git.kernel.org/stable/c/dd199e5b759ffe349622a4b8fbcafc51fc51b1ec", + "https://git.kernel.org/stable/c/e6378314bb920acb39013051fa65d8f9f8030430", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\n\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35806" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35807", + "dataSource": "https://ubuntu.com/security/CVE-2024-35807", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35807" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35807", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35807", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6", + "https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5", + "https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd", + "https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1", + "https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc", + "https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c", + "https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a", + "https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c", + "https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n dev=/dev/ # should be >= 16 GiB\n mkdir -p /corruption\n /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n mount -t ext4 $dev /corruption\n\n dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n sha1sum /corruption/test\n # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test\n\n /sbin/resize2fs $dev $((2*2**21))\n # drop page cache to force reload the block from disk\n echo 1 > /proc/sys/vm/drop_caches\n\n sha1sum /corruption/test\n # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubstracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35807" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35808", + "dataSource": "https://ubuntu.com/security/CVE-2024-35808", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35808" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35808", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35808", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/347dcdc15a1706f61aa545ae498ededdf31aeebc", + "https://git.kernel.org/stable/c/9e59b8d76ff511505eb0dd1478329f09e0f04669", + "https://git.kernel.org/stable/c/cd32b27a66db8776d8b8e82ec7d7dde97a8693b0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/dm-raid: don't call md_reap_sync_thread() directly\n\nCurrently md_reap_sync_thread() is called from raid_message() directly\nwithout holding 'reconfig_mutex', this is definitely unsafe because\nmd_reap_sync_thread() can change many fields that is protected by\n'reconfig_mutex'.\n\nHowever, hold 'reconfig_mutex' here is still problematic because this\nwill cause deadlock, for example, commit 130443d60b1b (\"md: refactor\nidle/frozen_sync_thread() to fix deadlock\").\n\nFix this problem by using stop_sync_thread() to unregister sync_thread,\nlike md/raid did.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35808" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35809", + "dataSource": "https://ubuntu.com/security/CVE-2024-35809", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35809" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35809", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35809", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1", + "https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970", + "https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674", + "https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b", + "https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6", + "https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf", + "https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491", + "https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5", + "https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/PM: Drain runtime-idle callbacks before driver removal\n\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\n\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that. It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\n\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete. In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\n\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync(). [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\n\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point. A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35809" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35811", + "dataSource": "https://ubuntu.com/security/CVE-2024-35811", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35811" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35811", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35811", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb", + "https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744", + "https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78", + "https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a", + "https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169", + "https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a", + "https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731", + "https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1", + "https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver,it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n ->brcmf_usb_probe_cb\n ->brcmf_attach\n ->brcmf_bus_started\n ->brcmf_cfg80211_attach\n ->wl_init_priv\n ->brcmf_init_escan\n ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n ->brcmf_usb_disconnect_cb\n ->brcmf_detach\n ->brcmf_cfg80211_detach\n ->kfree(cfg);\n\nWhile the timeout woker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35811" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35813", + "dataSource": "https://ubuntu.com/security/CVE-2024-35813", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35813" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35813", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35813", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/064db53f9023a2d5877a2d12de6bc27995f6ca56", + "https://git.kernel.org/stable/c/2b539c88940e22494da80a93ee1c5a28bbad10f6", + "https://git.kernel.org/stable/c/4466677dcabe2d70de6aa3d4bd4a4fafa94a71f2", + "https://git.kernel.org/stable/c/7d0e8a6147550aa058fa6ade8583ad252aa61304", + "https://git.kernel.org/stable/c/81b8645feca08a54c7c4bf36e7b176f4983b2f28", + "https://git.kernel.org/stable/c/ad9cc5e9e53ab94aa0c7ac65d43be7eb208dcb55", + "https://git.kernel.org/stable/c/b9a7339ae403035ffe7fc37cb034b36947910f68", + "https://git.kernel.org/stable/c/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Avoid negative index with array access\n\nCommit 4d0c8d0aef63 (\"mmc: core: Use mrq.sbc in close-ended ffu\") assigns\nprev_idata = idatas[i - 1], but doesn't check that the iterator i is\ngreater than zero. Let's fix this by adding a check.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35813" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35815", + "dataSource": "https://ubuntu.com/security/CVE-2024-35815", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35815" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35815", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35815", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10ca82aff58434e122c7c757cf0497c335f993f3", + "https://git.kernel.org/stable/c/18d5fc3c16cc317bd0e5f5dabe0660df415cadb7", + "https://git.kernel.org/stable/c/396dbbc18963648e9d1a4edbb55cfe08fa374d50", + "https://git.kernel.org/stable/c/5c43d0041e3a05c6c41c318b759fff16d2384596", + "https://git.kernel.org/stable/c/94eb0293703ced580f05dfbe5a57da5931e9aee2", + "https://git.kernel.org/stable/c/961ebd120565cb60cebe21cb634fbc456022db4a", + "https://git.kernel.org/stable/c/a71cba07783abc76b547568b6452cd1dd9981410", + "https://git.kernel.org/stable/c/c01ed748847fe8b810d86efc229b9e6c7fafa01e", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\n\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35815" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35817", + "dataSource": "https://ubuntu.com/security/CVE-2024-35817", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35817" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35817", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/589c414138a1bed98e652c905937d8f790804efe", + "https://git.kernel.org/stable/c/5cdce3dda3b3dacde902f63a8ee72c2b7f91912d", + "https://git.kernel.org/stable/c/5d5f1a7f3b1039925f79c7894f153c2a905201fb", + "https://git.kernel.org/stable/c/6c6064cbe58b43533e3451ad6a8ba9736c109ac3", + "https://git.kernel.org/stable/c/6fcd12cb90888ef2d8af8d4c04e913252eee4ef3", + "https://git.kernel.org/stable/c/e8d27caef2c829a306e1f762fb95f06e8ec676f6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag\n\nOtherwise after the GTT bo is released, the GTT and gart space is freed\nbut amdgpu_ttm_backend_unbind will not clear the gart page table entry\nand leave valid mapping entry pointing to the stale system page. Then\nif GPU access the gart address mistakely, it will read undefined value\ninstead page fault, harder to debug and reproduce the real issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35817" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35819", + "dataSource": "https://ubuntu.com/security/CVE-2024-35819", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35819" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35819", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35819", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b3fede8225133671ce837c0d284804aa3bc7a02", + "https://git.kernel.org/stable/c/32edca2f03a6cc42c650ddc3ad83d086e3f365d1", + "https://git.kernel.org/stable/c/54d26adf64c04f186098b39dba86b86037084baa", + "https://git.kernel.org/stable/c/9a3ca8292ce9fdcce122706c28c3f07bc857fe5e", + "https://git.kernel.org/stable/c/cd53a8ae5aacb4ecd25088486dea1cd02e74b506", + "https://git.kernel.org/stable/c/d6b5aac451c9cc12e43ab7308e0e2ddc52c62c14", + "https://git.kernel.org/stable/c/f39d36b7540cf0088ed7ce2de2794f2aa237f6df", + "https://git.kernel.org/stable/c/fbec4e7fed89b579f2483041fabf9650fb0dd6bc", + "https://git.kernel.org/stable/c/ff50716b7d5b7985979a5b21163cd79fb3d21d59", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\n\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\n\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35819" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35821", + "dataSource": "https://ubuntu.com/security/CVE-2024-35821", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35821" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35821", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35821", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/142d87c958d9454c3cffa625fab56f3016e8f9f3", + "https://git.kernel.org/stable/c/17772bbe9cfa972ea1ff827319f6e1340de76566", + "https://git.kernel.org/stable/c/4aa554832b9dc9e66249df75b8f447d87853e12e", + "https://git.kernel.org/stable/c/4b7c4fc60d6a46350fbe54f5dc937aeaa02e675e", + "https://git.kernel.org/stable/c/723012cab779eee8228376754e22c6594229bf8f", + "https://git.kernel.org/stable/c/778c6ad40256f1c03244fc06d7cdf71f6b5e7310", + "https://git.kernel.org/stable/c/8f599ab6fabbca4c741107eade70722a98adfd9f", + "https://git.kernel.org/stable/c/f19b1023a3758f40791ec166038d6411c8894ae3", + "https://git.kernel.org/stable/c/fc99f4e2d2f1ce766c14e98463c2839194ae964f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Set page uptodate in the correct place\n\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data. Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35821" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35822", + "dataSource": "https://ubuntu.com/security/CVE-2024-35822", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35822" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35822", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35822", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2a587a035214fa1b5ef598aea0b81848c5b72e5e", + "https://git.kernel.org/stable/c/2b002c308e184feeaeb72987bca3f1b11e5f70b8", + "https://git.kernel.org/stable/c/30511676eb54d480d014352bf784f02577a10252", + "https://git.kernel.org/stable/c/36177c2595df12225b95ce74eb1ac77b43d5a58c", + "https://git.kernel.org/stable/c/3e944ddc17c042945d983e006df7860687a8849a", + "https://git.kernel.org/stable/c/68d951880d0c52c7f13dcefb5501b69b8605ce8c", + "https://git.kernel.org/stable/c/99731076722eb7ed26b0c87c879da7bb71d24290", + "https://git.kernel.org/stable/c/df5cbb908f1687e8ab97e222a16b7890d5501acf", + "https://git.kernel.org/stable/c/f74c5e0b54b02706d9a862ac6cddade30ac86bcf", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: udc: remove warning when queue disabled ep\n\nIt is possible trigger below warning message from mass storage function,\n\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\n\nRoot cause is mass storage function try to queue request from main thread,\nbut other thread may already disable ep when function disable.\n\nAs there is no function failure in the driver, in order to avoid effort\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35822" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35823", + "dataSource": "https://ubuntu.com/security/CVE-2024-35823", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35823" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35823", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35823", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f", + "https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d", + "https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90", + "https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1", + "https://git.kernel.org/stable/c/7529cbd8b5f6697b369803fe1533612c039cabda", + "https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51", + "https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d", + "https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix unicode buffer corruption when deleting characters\n\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlaping buffers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35823" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35825", + "dataSource": "https://ubuntu.com/security/CVE-2024-35825", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35825" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35825", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35825", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6b2c73111a252263807b7598682663dc33aa4b4c", + "https://git.kernel.org/stable/c/7664ee8bd80309b90d53488b619764f0a057f2b7", + "https://git.kernel.org/stable/c/92b051b87658df7649ffcdef522593f21a2b296b", + "https://git.kernel.org/stable/c/a0f77b5d6067285b8eca0ee3bd1e448a6258026f", + "https://git.kernel.org/stable/c/a766761d206e7c36d7526e0ae749949d17ca582c", + "https://git.kernel.org/stable/c/e2dbfea520e60d58e0c498ba41bde10452257779", + "https://git.kernel.org/stable/c/ef846cdbd100f7f9dc045e8bcd7fe4b3a3713c03", + "https://git.kernel.org/stable/c/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Fix handling of zero block length packets\n\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\nset to 65536, it has been observed that we receive short packets,\nwhich come at interval of 5-10 seconds sometimes and have block\nlength zero but still contain 1-2 valid datagrams present.\n\nAccording to the NCM spec:\n\n\"If wBlockLength = 0x0000, the block is terminated by a\nshort packet. In this case, the USB transfer must still\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\nand the size is a multiple of wMaxPacketSize for the\ngiven pipe, then no ZLP shall be sent.\n\nwBlockLength= 0x0000 must be used with extreme care, because\nof the possibility that the host and device may get out of\nsync, and because of test issues.\n\nwBlockLength = 0x0000 allows the sender to reduce latency by\nstarting to send a very large NTB, and then shortening it when\nthe sender discovers that there’s not sufficient data to justify\nsending a large NTB\"\n\nHowever, there is a potential issue with the current implementation,\nas it checks for the occurrence of multiple NTBs in a single\ngiveback by verifying if the leftover bytes to be processed is zero\nor not. If the block length reads zero, we would process the same\nNTB infintely because the leftover bytes is never zero and it leads\nto a crash. Fix this by bailing out if block length reads zero.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35825" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35826", + "dataSource": "https://ubuntu.com/security/CVE-2024-35826", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35826" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35826", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35826", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367", + "https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6", + "https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65", + "https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2", + "https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix page refcounts for unaligned buffers in __bio_release_pages()\n\nFix an incorrect number of pages being released for buffers that do not\nstart at the beginning of a page.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35826" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35832", + "dataSource": "https://ubuntu.com/security/CVE-2024-35832", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35832" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35832", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35832", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/369acf97d6fd5da620d053d0f1878ffe32eff555", + "https://git.kernel.org/stable/c/56590678791119b9a655202e49898edfb9307271" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit\n\nbch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut.\nIt should be freed by kvfree not kfree.\nOr umount will triger:\n\n[ 406.829178 ] BUG: unable to handle page fault for address: ffffe7b487148008\n[ 406.830676 ] #PF: supervisor read access in kernel mode\n[ 406.831643 ] #PF: error_code(0x0000) - not-present page\n[ 406.832487 ] PGD 0 P4D 0\n[ 406.832898 ] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 406.833512 ] CPU: 2 PID: 1754 Comm: umount Kdump: loaded Tainted: G OE 6.7.0-rc7-custom+ #90\n[ 406.834746 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n[ 406.835796 ] RIP: 0010:kfree+0x62/0x140\n[ 406.836197 ] Code: 80 48 01 d8 0f 82 e9 00 00 00 48 c7 c2 00 00 00 80 48 2b 15 78 9f 1f 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 56 9f 1f 01 <48> 8b 50 08 48 89 c7 f6 c2 01 0f 85 b0 00 00 00 66 90 48 8b 07 f6\n[ 406.837810 ] RSP: 0018:ffffb9d641607e48 EFLAGS: 00010286\n[ 406.838213 ] RAX: ffffe7b487148000 RBX: ffffb9d645200000 RCX: ffffb9d641607dc4\n[ 406.838738 ] RDX: 000065bb00000000 RSI: ffffffffc0d88b84 RDI: ffffb9d645200000\n[ 406.839217 ] RBP: ffff9a4625d00068 R08: 0000000000000001 R09: 0000000000000001\n[ 406.839650 ] R10: 0000000000000001 R11: 000000000000001f R12: ffff9a4625d4da80\n[ 406.840055 ] R13: ffff9a4625d00000 R14: ffffffffc0e2eb20 R15: 0000000000000000\n[ 406.840451 ] FS: 00007f0a264ffb80(0000) GS:ffff9a4e2d500000(0000) knlGS:0000000000000000\n[ 406.840851 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 406.841125 ] CR2: ffffe7b487148008 CR3: 000000018c4d2000 CR4: 00000000000006f0\n[ 406.841464 ] Call Trace:\n[ 406.841583 ] \n[ 406.841682 ] ? __die+0x1f/0x70\n[ 406.841828 ] ? page_fault_oops+0x159/0x470\n[ 406.842014 ] ? fixup_exception+0x22/0x310\n[ 406.842198 ] ? exc_page_fault+0x1ed/0x200\n[ 406.842382 ] ? asm_exc_page_fault+0x22/0x30\n[ 406.842574 ] ? bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.842842 ] ? kfree+0x62/0x140\n[ 406.842988 ] ? kfree+0x104/0x140\n[ 406.843138 ] bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.843390 ] kobject_put+0xb7/0x170\n[ 406.843552 ] deactivate_locked_super+0x2f/0xa0\n[ 406.843756 ] cleanup_mnt+0xba/0x150\n[ 406.843917 ] task_work_run+0x59/0xa0\n[ 406.844083 ] exit_to_user_mode_prepare+0x197/0x1a0\n[ 406.844302 ] syscall_exit_to_user_mode+0x16/0x40\n[ 406.844510 ] do_syscall_64+0x4e/0xf0\n[ 406.844675 ] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 406.844907 ] RIP: 0033:0x7f0a2664e4fb", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35832" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35833", + "dataSource": "https://ubuntu.com/security/CVE-2024-35833", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35833" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35833", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35833", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/15eb996d7d13cb72a16389231945ada8f0fef2c3", + "https://git.kernel.org/stable/c/198270de9d8eb3b5d5f030825ea303ef95285d24", + "https://git.kernel.org/stable/c/1c75fe450b5200c78f4a102a0eb8e15d8f1ccda8", + "https://git.kernel.org/stable/c/25ab4d72eb7cbfa0f3d97a139a9b2bfcaa72dd59", + "https://git.kernel.org/stable/c/3aa58cb51318e329d203857f7a191678e60bb714", + "https://git.kernel.org/stable/c/5cd8a51517ce15edbdcea4fc74c4c127ddaa1bd6", + "https://git.kernel.org/stable/c/ae6769ba51417c1c86fb645812d5bff455eee802", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA\n\nThis dma_alloc_coherent() is undone neither in the remove function, nor in\nthe error handling path of fsl_qdma_probe().\n\nSwitch to the managed version to fix both issues.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35833" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35835", + "dataSource": "https://ubuntu.com/security/CVE-2024-35835", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35835" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35835", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35835", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2501afe6c4c9829d03abe9a368b83d9ea1b611b7", + "https://git.kernel.org/stable/c/3c6d5189246f590e4e1f167991558bdb72a4738b", + "https://git.kernel.org/stable/c/42876db001bbea7558e8676d1019f08f9390addb", + "https://git.kernel.org/stable/c/66cc521a739ccd5da057a1cb3d6346c6d0e7619b", + "https://git.kernel.org/stable/c/b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7", + "https://git.kernel.org/stable/c/c57ca114eb00e03274dd38108d07a3750fa3c056", + "https://git.kernel.org/stable/c/cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5", + "https://git.kernel.org/stable/c/e3d3ed8c152971dbe64c92c9ecb98fdb52abb629", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a double-free in arfs_create_groups\n\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft->g and return an error. However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call to\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35835" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35837", + "dataSource": "https://ubuntu.com/security/CVE-2024-35837", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35837" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35837", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35837", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/83f99138bf3b396f761600ab488054396fb5768f", + "https://git.kernel.org/stable/c/938729484cfa535e9987ed0f86f29a2ae3a8188b", + "https://git.kernel.org/stable/c/9f538b415db862e74b8c5d3abbccfc1b2b6caa38", + "https://git.kernel.org/stable/c/af47faa6d3328406038b731794e7cf508c71affa", + "https://git.kernel.org/stable/c/cec65f09c47d8c2d67f2bcad6cf05c490628d1ec", + "https://git.kernel.org/stable/c/dc77f6ab5c3759df60ff87ed24f4d45df0f3b4c4", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: clear BM pool before initialization\n\nRegister value persist after booting the kernel using\nkexec which results in kernel panic. Thus clear the\nBM pool registers before initialisation to fix the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35837" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35839", + "dataSource": "https://ubuntu.com/security/CVE-2024-35839", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35839" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35839", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35839", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/544add1f1cfb78c3dfa3e6edcf4668f6be5e730c", + "https://git.kernel.org/stable/c/7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b", + "https://git.kernel.org/stable/c/9325e3188a9cf3f69fc6f32af59844bbc5b90547", + "https://git.kernel.org/stable/c/9874808878d9eed407e3977fd11fee49de1e1d86" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\n\nAn skb can be added to a neigh->arp_queue while waiting for an arp\nreply. Where original skb's skb->dev can be different to neigh's\nneigh->dev. For instance in case of bridging dnated skb from one veth to\nanother, the skb would be added to a neigh->arp_queue of the bridge.\n\nAs skb->dev can be reset back to nf_bridge->physindev and used, and as\nthere is no explicit mechanism that prevents this physindev from been\nfreed under us (for instance neigh_flush_dev doesn't cleanup skbs from\ndifferent device's neigh queue) we can crash on e.g. this stack:\n\narp_process\n neigh_update\n skb = __skb_dequeue(&neigh->arp_queue)\n neigh_resolve_output(..., skb)\n ...\n br_nf_dev_xmit\n br_nf_pre_routing_finish_bridge_slow\n skb->dev = nf_bridge->physindev\n br_handle_frame_finish\n\nLet's use plain ifindex instead of net_device link. To peek into the\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\nget device and are safe to use it or we don't get it and drop skb.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35839" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35840", + "dataSource": "https://ubuntu.com/security/CVE-2024-35840", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35840" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35840", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35840", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/413b913507326972135d2977975dbff8b7f2c453", + "https://git.kernel.org/stable/c/51e4cb032d49ce094605f27e45eabebc0408893c", + "https://git.kernel.org/stable/c/76e8de7273a22a00d27e9b8b7d4d043d6433416a", + "https://git.kernel.org/stable/c/ad3e8f5c3d5c53841046ef7a947c04ad45a20721", + "https://git.kernel.org/stable/c/be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\n\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\nin mptcp_parse_option()", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35840" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35843", + "dataSource": "https://ubuntu.com/security/CVE-2024-35843", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35843" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35843", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35843", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3d39238991e745c5df85785604f037f35d9d1b15", + "https://git.kernel.org/stable/c/def054b01a867822254e1dda13d587f5c7a99e2a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Use device rbtree in iopf reporting path\n\nThe existing I/O page fault handler currently locates the PCI device by\ncalling pci_get_domain_bus_and_slot(). This function searches the list\nof all PCI devices until the desired device is found. To improve lookup\nefficiency, replace it with device_rbtree_find() to search the device\nwithin the probed device rbtree.\n\nThe I/O page fault is initiated by the device, which does not have any\nsynchronization mechanism with the software to ensure that the device\nstays in the probed device tree. Theoretically, a device could be released\nby the IOMMU subsystem after device_rbtree_find() and before\niopf_get_dev_fault_param(), which would cause a use-after-free problem.\n\nAdd a mutex to synchronize the I/O page fault reporting path and the IOMMU\nrelease device path. This lock doesn't introduce any performance overhead,\nas the conflict between I/O page fault reporting and device releasing is\nvery rare.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 2.5, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35843" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35847", + "dataSource": "https://ubuntu.com/security/CVE-2024-35847", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35847" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35847", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35847", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03170e657f62c26834172742492a8cb8077ef792", + "https://git.kernel.org/stable/c/5b012f77abde89bf0be8a0547636184fea618137", + "https://git.kernel.org/stable/c/5dbdbe1133911ca7d8466bb86885adec32ad9438", + "https://git.kernel.org/stable/c/aa44d21574751a7d6bca892eb8e0e9ac68372e52", + "https://git.kernel.org/stable/c/b72d2b1448b682844f995e660b77f2a1fabc1662", + "https://git.kernel.org/stable/c/c26591afd33adce296c022e3480dea4282b7ef91", + "https://git.kernel.org/stable/c/dd681710ab77c8beafe2e263064cb1bd0e2d6ca9", + "https://git.kernel.org/stable/c/f5417ff561b8ac9a7e53c747b8627a7ab58378ae", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Prevent double free on error\n\nThe error handling path in its_vpe_irq_domain_alloc() causes a double free\nwhen its_vpe_init() fails after successfully allocating at least one\ninterrupt. This happens because its_vpe_irq_domain_free() frees the\ninterrupts along with the area bitmap and the vprop_page and\nits_vpe_irq_domain_alloc() subsequently frees the area bitmap and the\nvprop_page again.\n\nFix this by unconditionally invoking its_vpe_irq_domain_free() which\nhandles all cases correctly and by removing the bitmap/vprop_page freeing\nfrom its_vpe_irq_domain_alloc().\n\n[ tglx: Massaged change log ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35847" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35848", + "dataSource": "https://ubuntu.com/security/CVE-2024-35848", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35848" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35848", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35848", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/26d32bec4c6d255a03762f33c637bfa3718be15a", + "https://git.kernel.org/stable/c/2af84c46b9b8f2d6c0f88d09ee5c849ae1734676", + "https://git.kernel.org/stable/c/6d8b56ec0c8f30d5657382f47344a32569f7a9bc", + "https://git.kernel.org/stable/c/c43e5028f5a35331eb25017f5ff6cc21735005c6", + "https://git.kernel.org/stable/c/c850f71fca09ea41800ed55905980063d17e01da", + "https://git.kernel.org/stable/c/f42c97027fb75776e2e9358d16bf4a99aeb04cf2", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: at24: fix memory corruption race condition\n\nIf the eeprom is not accessible, an nvmem device will be registered, the\nread will fail, and the device will be torn down. If another driver\naccesses the nvmem device after the teardown, it will reference\ninvalid memory.\n\nMove the failure point before registering the nvmem device.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-35848" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35849", + "dataSource": "https://ubuntu.com/security/CVE-2024-35849", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35849" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35849", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35849", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf", + "https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6", + "https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc", + "https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772", + "https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86", + "https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6", + "https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d", + "https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\n\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Uninit was created at:\n __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n __do_kmalloc_node mm/slub.c:3954 [inline]\n __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n kmalloc_node include/linux/slab.h:648 [inline]\n kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n kvmalloc include/linux/slab.h:766 [inline]\n init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Bytes 40-65535 of 65536 are uninitialized\n Memory access of size 65536 starts at ffff888045a40000\n\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\n\nFix this by using kvzalloc() which zeroes out the memory on allocation.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35849" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35851", + "dataSource": "https://ubuntu.com/security/CVE-2024-35851", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35851" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35851", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35851", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/52f9041deaca3fc5c40ef3b9cb943993ec7d2489", + "https://git.kernel.org/stable/c/6b47cdeb786c38e4174319218db3fa6d7b4bba88", + "https://git.kernel.org/stable/c/73e87c0a49fda31d7b589edccf4c72e924411371", + "https://git.kernel.org/stable/c/b64092d2f108f0cd1d7fd7e176f5fb2a67a2f189", + "https://git.kernel.org/stable/c/e60502b907be350c518819297b565007a94c706d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix NULL-deref on non-serdev suspend\n\nQualcomm ROME controllers can be registered from the Bluetooth line\ndiscipline and in this case the HCI UART serdev pointer is NULL.\n\nAdd the missing sanity check to prevent a NULL-pointer dereference when\nwakeup() is called for a non-serdev controller during suspend.\n\nJust return true for now to restore the original behaviour and address\nthe crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657\n(\"Bluetooth: hci_qca: only assign wakeup with serial port support\") that\ncauses the crash to happen already at setup() time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35851" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35852", + "dataSource": "https://ubuntu.com/security/CVE-2024-35852", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35852" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35852", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35852", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758", + "https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04", + "https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f", + "https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d", + "https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d", + "https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab", + "https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work\n\nThe rehash delayed work is rescheduled with a delay if the number of\ncredits at end of the work is not negative as supposedly it means that\nthe migration ended. Otherwise, it is rescheduled immediately.\n\nAfter \"mlxsw: spectrum_acl_tcam: Fix possible use-after-free during\nrehash\" the above is no longer accurate as a non-negative number of\ncredits is no longer indicative of the migration being done. It can also\nhappen if the work encountered an error in which case the migration will\nresume the next time the work is scheduled.\n\nThe significance of the above is that it is possible for the work to be\npending and associated with hints that were allocated when the migration\nstarted. This leads to the hints being leaked [1] when the work is\ncanceled while pending as part of ACL region dismantle.\n\nFix by freeing the hints if hints are associated with a work that was\ncanceled while pending.\n\nBlame the original commit since the reliance on not having a pending\nwork associated with hints is fragile.\n\n[1]\nunreferenced object 0xffff88810e7c3000 (size 256):\n comm \"kworker/0:16\", pid 176, jiffies 4295460353\n hex dump (first 32 bytes):\n 00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......\n 00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........\n backtrace (crc 2544ddb9):\n [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0\n [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390\n [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400\n [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\n [<00000000e81fd734>] process_one_work+0x59c/0xf20\n [<00000000ceee9e81>] worker_thread+0x799/0x12c0\n [<00000000bda6fe39>] kthread+0x246/0x300\n [<0000000070056d23>] ret_from_fork+0x34/0x70\n [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35852" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35853", + "dataSource": "https://ubuntu.com/security/CVE-2024-35853", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35853" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35853", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35853", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf", + "https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e", + "https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1", + "https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977", + "https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d", + "https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76", + "https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\n\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk iterating over all the\nfilters.\n\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\n\nEach virtual chunk references two chunks: The currently used one\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\n\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\n\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\n\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", + "metrics": { + "baseScore": 6.4, + "exploitabilityScore": 1.6, + "impactScore": 4.7 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35853" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35854", + "dataSource": "https://ubuntu.com/security/CVE-2024-35854", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35854" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35854", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35854", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049", + "https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121", + "https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519", + "https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887", + "https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1", + "https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1", + "https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\n\nThe rehash delayed work migrates filters from one region to another\naccording to the number of available credits.\n\nThe migrated from region is destroyed at the end of the work if the\nnumber of credits is non-negative as the assumption is that this is\nindicative of migration being complete. This assumption is incorrect as\na non-negative number of credits can also be the result of a failed\nmigration.\n\nThe destruction of a region that still has filters referencing it can\nresult in a use-after-free [1].\n\nFix by not destroying the region if migration failed.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\n\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 174:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 7:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35854" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35855", + "dataSource": "https://ubuntu.com/security/CVE-2024-35855", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35855" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35855", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35855", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b73f6e4ea770410a937a8db98f77e52594d23a0", + "https://git.kernel.org/stable/c/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4", + "https://git.kernel.org/stable/c/b183b915beef818a25e3154d719ca015a1ae0770", + "https://git.kernel.org/stable/c/b996e8699da810e4c915841d6aaef761007f933a", + "https://git.kernel.org/stable/c/c17976b42d546ee118ca300db559630ee96fb758", + "https://git.kernel.org/stable/c/e24d2487424779c02760ff50cd9021b8676e19ef", + "https://git.kernel.org/stable/c/feabdac2057e863d0e140a2adf3d232eb4882db4", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\n\nThe rule activity update delayed work periodically traverses the list of\nconfigured rules and queries their activity from the device.\n\nAs part of this task it accesses the entry pointed by 'ventry->entry',\nbut this entry can be changed concurrently by the rehash delayed work,\nleading to a use-after-free [1].\n\nFix by closing the race and perform the activity query under the\n'vregion->lock' mutex.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\n\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35855" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35857", + "dataSource": "https://ubuntu.com/security/CVE-2024-35857", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35857" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35857", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35857", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/23b7ee4a8d559bf38eac7ce5bb2f6ebf76f9c401", + "https://git.kernel.org/stable/c/3e2979bf080c40da4f7c93aff8575ab8bc62b767", + "https://git.kernel.org/stable/c/599c9ad5e1d43f5c12d869f5fd406ba5d8c55270", + "https://git.kernel.org/stable/c/c58e88d49097bd12dfcfef4f075b43f5d5830941", + "https://git.kernel.org/stable/c/d68dc711d84fdcf698e5d45308c3ddeede586350" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: prevent possible NULL dereferences from icmp_build_probe()\n\nFirst problem is a double call to __in_dev_get_rcu(), because\nthe second one could return NULL.\n\nif (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)\n\nSecond problem is a read from dev->ip6_ptr with no NULL check:\n\nif (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))\n\nUse the correct RCU API to fix these.\n\nv2: add missing include ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35857" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35861", + "dataSource": "https://ubuntu.com/security/CVE-2024-35861", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35861" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35861", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35861", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2cfff21732132e363b4cc275d63ea98f1af726c1", + "https://git.kernel.org/stable/c/7e8360ac8774e19b0b25f44fff84a105bb2417e4", + "https://git.kernel.org/stable/c/e0e50401cc3921c9eaf1b0e667db174519ea939f", + "https://git.kernel.org/stable/c/f9a96a7ad1e8d25dc6662bc7552e0752de74a20d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35861" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35862", + "dataSource": "https://ubuntu.com/security/CVE-2024-35862", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35862" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35862", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35862", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/63981561ffd2d4987807df4126f96a11e18b0c1d", + "https://git.kernel.org/stable/c/aa582b33f94453fdeaff1e7d0aa252c505975e01", + "https://git.kernel.org/stable/c/d919b6ea15ffa56fbafef4a1d92f47aeda9af645", + "https://git.kernel.org/stable/c/f9414004798d9742c1af23a1d839fe6a9503751c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_network_name_deleted()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35862" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35863", + "dataSource": "https://ubuntu.com/security/CVE-2024-35863", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35863" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35863", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35863", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a15ba88a32fa7a516aff7ffd27befed5334dff2", + "https://git.kernel.org/stable/c/16d58c6a7db5050b9638669084b63fc05f951825", + "https://git.kernel.org/stable/c/494c91e1e9413b407d12166a61b84200d4d54fac", + "https://git.kernel.org/stable/c/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35863" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35864", + "dataSource": "https://ubuntu.com/security/CVE-2024-35864", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35864" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35864", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35864", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/705c76fbf726c7a2f6ff9143d4013b18daaaebf1", + "https://git.kernel.org/stable/c/a8344e2b69bde63f713b0aa796d70dbeadffddfb", + "https://git.kernel.org/stable/c/c868cabdf6fdd61bea54532271f4708254e57fc5", + "https://git.kernel.org/stable/c/f92739fdd4522c4291277136399353d7c341fae4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_lease_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35864" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35865", + "dataSource": "https://ubuntu.com/security/CVE-2024-35865", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35865" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35865", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35865", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21fed37d2bdcde33453faf61d3d4d96c355f04bd", + "https://git.kernel.org/stable/c/22863485a4626ec6ecf297f4cc0aef709bc862e4", + "https://git.kernel.org/stable/c/3dba0e5276f131e36d6d8043191d856f49238628", + "https://git.kernel.org/stable/c/84488466b7a69570bdbf76dd9576847ab97d54e7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35865" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35866", + "dataSource": "https://ubuntu.com/security/CVE-2024-35866", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35866" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35866", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35866", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10e17ca4000ec34737bde002a13435c38ace2682", + "https://git.kernel.org/stable/c/3103163ccd3be4adcfa37e15608fb497be044113", + "https://git.kernel.org/stable/c/58acd1f497162e7d282077f816faa519487be045" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_dump_full_key()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35866" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35867", + "dataSource": "https://ubuntu.com/security/CVE-2024-35867", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35867" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35867", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35867", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/29/2", + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65", + "https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49", + "https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7", + "https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35867" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35868", + "dataSource": "https://ubuntu.com/security/CVE-2024-35868", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35868" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35868", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35868", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b", + "https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72", + "https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7", + "https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_write()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35868" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35869", + "dataSource": "https://ubuntu.com/security/CVE-2024-35869", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35869" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35869", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35869", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/062a7f0ff46eb57aff526897bd2bebfdb1d3046a", + "https://git.kernel.org/stable/c/645f332c6b63499cc76197f9b6bffcc659ba64cc", + "https://git.kernel.org/stable/c/e1db9ae87b7148c021daee1fcc4bc71b2ac58a79" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: guarantee refcounted children from parent session\n\nAvoid potential use-after-free bugs when walking DFS referrals,\nmounting and performing DFS failover by ensuring that all children\nfrom parent @tcon->ses are also refcounted. They're all needed across\nthe entire DFS mount. Get rid of @tcon->dfs_ses_list while we're at\nit, too.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35869" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35870", + "dataSource": "https://ubuntu.com/security/CVE-2024-35870", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35870" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35870", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35870", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa", + "https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5", + "https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in smb2_reconnect_server()\n\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\nis already being teared down by another thread that is executing\n__cifs_put_smb_ses(). This can happen when (a) the client has\nconnection to the server but no session or (b) another thread ends up\nsetting @ses->ses_status again to something different than\nSES_EXITING.\n\nTo fix this, we need to make sure to unconditionally set\n@ses->ses_status to SES_EXITING and prevent any other threads from\nsetting a new status while we're still tearing it down.\n\nThe following can be reproduced by adding some delay to right after\nthe ipc is freed in __cifs_put_smb_ses() - which will give\nsmb2_reconnect_server() worker a chance to run and then accessing\n@ses->ipc:\n\nkinit ...\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\n[disconnect srv]\nls /mnt/1 &>/dev/null\nsleep 30\nkdestroy\n[reconnect srv]\nsleep 10\numount /mnt/1\n...\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\ngeneral protection fault, probably for non-canonical address\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? die_addr+0x36/0x90\n ? exc_general_protection+0x1c1/0x3f0\n ? asm_exc_general_protection+0x26/0x30\n ? __list_del_entry_valid_or_report+0x33/0xf0\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\n smb2_reconnect_server+0x4ed/0x710 [cifs]\n process_one_work+0x205/0x6b0\n worker_thread+0x191/0x360\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe2/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35870" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35871", + "dataSource": "https://ubuntu.com/security/CVE-2024-35871", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35871" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35871", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35871", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4", + "https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5", + "https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8", + "https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9", + "https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef", + "https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: process: Fix kernel gp leakage\n\nchildregs represents the registers which are active for the new thread\nin user context. For a kernel thread, childregs->gp is never used since\nthe kernel gp is not touched by switch_to. For a user mode helper, the\ngp value can be observed in user space after execve or possibly by other\nmeans.\n\n[From the email thread]\n\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\n\nchildregs is the *user* context during syscall execution and it is observable\nfrom userspace in at least five ways:\n\n1. kernel_execve does not currently clear integer registers, so the starting\n register state for PID 1 and other user processes started by the kernel has\n sp = user stack, gp = kernel __global_pointer$, all other integer registers\n zeroed by the memset in the patch comment.\n\n This is a bug in its own right, but I'm unwilling to bet that it is the only\n way to exploit the issue addressed by this patch.\n\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\n before it execs, but ptrace requires SIGSTOP to be delivered which can only\n happen at user/kernel boundaries.\n\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\n user_mode_helpers before the exec completes, but gp is not one of the\n registers it returns.\n\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\n addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\n are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\n LOCKDOWN_PERF. I have not attempted to write exploit code.\n\n5. Much of the tracing infrastructure allows access to user registers. I have\n not attempted to determine which forms of tracing allow access to user\n registers without already allowing access to kernel registers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35871" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35872", + "dataSource": "https://ubuntu.com/security/CVE-2024-35872", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35872" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35872", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35872", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/201e4aaf405dfd1308da54448654053004c579b5", + "https://git.kernel.org/stable/c/43fad1d0284de30159661d0badfc3cbaf7e6f8f8", + "https://git.kernel.org/stable/c/65291dcfcf8936e1b23cfd7718fdfde7cfaf7706", + "https://git.kernel.org/stable/c/6564b014af92b677c1f07c44d7f5b595d589cf6e", + "https://git.kernel.org/stable/c/9c2b4b657739ecda38e3b383354a29566955ac48" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix GUP-fast succeeding on secretmem folios\n\nfolio_is_secretmem() currently relies on secretmem folios being LRU\nfolios, to save some cycles.\n\nHowever, folios might reside in a folio batch without the LRU flag set, or\ntemporarily have their LRU flag cleared. Consequently, the LRU flag is\nunreliable for this purpose.\n\nIn particular, this is the case when secretmem_fault() allocates a fresh\npage and calls filemap_add_folio()->folio_add_lru(). The folio might be\nadded to the per-cpu folio batch and won't get the LRU flag set until the\nbatch was drained using e.g., lru_add_drain().\n\nConsequently, folio_is_secretmem() might not detect secretmem folios and\nGUP-fast can succeed in grabbing a secretmem folio, crashing the kernel\nwhen we would later try reading/writing to the folio, because the folio\nhas been unmapped from the directmap.\n\nFix it by removing that unreliable check.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35872" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35875", + "dataSource": "https://ubuntu.com/security/CVE-2024-35875", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35875" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35875", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35875", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08044b08b37528b82f70a87576c692b4e4b7716e", + "https://git.kernel.org/stable/c/22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374", + "https://git.kernel.org/stable/c/453b5f2dec276c1bb4ea078bf8c0da57ee4627e5", + "https://git.kernel.org/stable/c/99485c4c026f024e7cb82da84c7951dbe3deb584" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/coco: Require seeding RNG with RDRAND on CoCo systems\n\nThere are few uses of CoCo that don't rely on working cryptography and\nhence a working RNG. Unfortunately, the CoCo threat model means that the\nVM host cannot be trusted and may actively work against guests to\nextract secrets or manipulate computation. Since a malicious host can\nmodify or observe nearly all inputs to guests, the only remaining source\nof entropy for CoCo guests is RDRAND.\n\nIf RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole\nis meant to gracefully continue on gathering entropy from other sources,\nbut since there aren't other sources on CoCo, this is catastrophic.\nThis is mostly a concern at boot time when initially seeding the RNG, as\nafter that the consequences of a broken RDRAND are much more\ntheoretical.\n\nSo, try at boot to seed the RNG using 256 bits of RDRAND output. If this\nfails, panic(). This will also trigger if the system is booted without\nRDRAND, as RDRAND is essential for a safe CoCo boot.\n\nAdd this deliberately to be \"just a CoCo x86 driver feature\" and not\npart of the RNG itself. Many device drivers and platforms have some\ndesire to contribute something to the RNG, and add_device_randomness()\nis specifically meant for this purpose.\n\nAny driver can call it with seed data of any quality, or even garbage\nquality, and it can only possibly make the quality of the RNG better or\nhave no effect, but can never make it worse.\n\nRather than trying to build something into the core of the RNG, consider\nthe particular CoCo issue just a CoCo issue, and therefore separate it\nall out into driver (well, arch/platform) code.\n\n [ bp: Massage commit message. ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35875" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35877", + "dataSource": "https://ubuntu.com/security/CVE-2024-35877", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35877" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35877", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35877", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221", + "https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173", + "https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6", + "https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec", + "https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a", + "https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f", + "https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4", + "https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: fix VM_PAT handling in COW mappings\n\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios. Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\n\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\n\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\n\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\n\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode. We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\n\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\n\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\n\n<--- C reproducer --->\n #include \n #include \n #include \n #include \n\n int main(void)\n {\n struct io_uring_params p = {};\n int ring_fd;\n size_t size;\n char *map;\n\n ring_fd = io_uring_setup(1, &p);\n if (ring_fd < 0) {\n perror(\"io_uring_setup\");\n return 1;\n }\n size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\n\n /* Map the submission queue ring MAP_PRIVATE */\n map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n ring_fd, IORING_OFF_SQ_RING);\n if (map == MAP_FAILED) {\n perror(\"mmap\");\n return 1;\n }\n\n /* We have at least one page. Let's COW it. */\n *map = 0;\n pause();\n return 0;\n }\n<--- C reproducer --->\n\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[ 301.552930] ------------[ cut here ]------------\n[ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[ 301.565725] PKRU: 55555554\n[ 301.565944] Call Trace:\n[ 301.566148] \n[ 301.566325] ? untrack_pfn+0xf4/0x100\n[ 301.566618] ? __warn+0x81/0x130\n[ 301.566876] ? untrack_pfn+0xf4/0x100\n[ 3\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35877" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35878", + "dataSource": "https://ubuntu.com/security/CVE-2024-35878", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35878" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35878", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35878", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898", + "https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987", + "https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: prevent NULL pointer dereference in vsnprintf()\n\nIn of_modalias(), we can get passed the str and len parameters which would\ncause a kernel oops in vsnprintf() since it only allows passing a NULL ptr\nwhen the length is also 0. Also, we need to filter out the negative values\nof the len parameter as these will result in a really huge buffer since\nsnprintf() takes size_t parameter while ours is ssize_t...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35878" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35879", + "dataSource": "https://ubuntu.com/security/CVE-2024-35879", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35879" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35879", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35879", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3127b2ee50c424a96eb3559fbb7b43cf0b111c7a", + "https://git.kernel.org/stable/c/3ee2424107546d882e1ddd75333ca9c32879908c", + "https://git.kernel.org/stable/c/7b6df050c45a1ea158fd50bc32a8e1447dd1e951", + "https://git.kernel.org/stable/c/801c8b8ec5bfb3519566dff16a5ecd48302fca82", + "https://git.kernel.org/stable/c/8917e7385346bd6584890ed362985c219fe6ae84", + "https://git.kernel.org/stable/c/ae6d76e4f06c37a623e357e79d49b17411db6f5c", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\n\nIn the following sequence:\n 1) of_platform_depopulate()\n 2) of_overlay_remove()\n\nDuring the step 1, devices are destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n ERROR: memory leak, expected refcount 1 instead of 2 ...\n\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\n\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35879" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35884", + "dataSource": "https://ubuntu.com/security/CVE-2024-35884", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35884" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35884", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35884", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3001e7aa43d6691db2a878b0745b854bf12ddd19", + "https://git.kernel.org/stable/c/3391b157780bbedf8ef9f202cbf10ee90bf6b0f8", + "https://git.kernel.org/stable/c/35fe0e0b5c00bef7dde74842a2564c43856fbce4", + "https://git.kernel.org/stable/c/3d010c8031e39f5fa1e8b13ada77e0321091011f", + "https://git.kernel.org/stable/c/d12245080cb259d82b34699f6cd4ec11bdb688bd", + "https://git.kernel.org/stable/c/d49ae15a5767d4e9ef8bbb79e42df1bfebc94670", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: do not accept non-tunnel GSO skbs landing in a tunnel\n\nWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed when\nbeing forwarded. If such packets might land in a tunnel this can cause\nvarious issues and udp_gro_receive makes sure this isn't the case by\nlooking for a matching socket. This is performed in\nudp4/6_gro_lookup_skb but only in the current netns. This is an issue\nwith tunneled packets when the endpoint is in another netns. In such\ncases the packets will be GROed at the UDP level, which leads to various\nissues later on. The same thing can happen with rx-gro-list.\n\nWe saw this with geneve packets being GROed at the UDP level. In such\ncase gso_size is set; later the packet goes through the geneve rx path,\nthe geneve header is pulled, the offset are adjusted and frag_list skbs\nare not adjusted with regard to geneve. When those skbs hit\nskb_fragment, it will misbehave. Different outcomes are possible\ndepending on what the GROed skbs look like; from corrupted packets to\nkernel crashes.\n\nOne example is a BUG_ON[1] triggered in skb_segment while processing the\nfrag_list. Because gso_size is wrong (geneve header was pulled)\nskb_segment thinks there is \"geneve header size\" of data in frag_list,\nalthough it's in fact the next packet. The BUG_ON itself has nothing to\ndo with the issue. This is only one of the potential issues.\n\nLooking up for a matching socket in udp_gro_receive is fragile: the\nlookup could be extended to all netns (not speaking about performances)\nbut nothing prevents those packets from being modified in between and we\ncould still not find a matching socket. It's OK to keep the current\nlogic there as it should cover most cases but we also need to make sure\nwe handle tunnel packets being GROed too early.\n\nThis is done by extending the checks in udp_unexpected_gso: GSO packets\nlacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must\nbe segmented.\n\n[1] kernel BUG at net/core/skbuff.c:4408!\n RIP: 0010:skb_segment+0xd2a/0xf70\n __udp_gso_segment+0xaa/0x560", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35884" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35885", + "dataSource": "https://ubuntu.com/security/CVE-2024-35885", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35885" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35885", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35885", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09ba28e1cd3cf715daab1fca6e1623e22fd754a6", + "https://git.kernel.org/stable/c/36a1cb0371aa6f0698910ee70cb4ed3c349f4fa4", + "https://git.kernel.org/stable/c/63a10b530e22cc923008b5925821c26872f37971", + "https://git.kernel.org/stable/c/80247e0eca14ff177d565f58ecd3010f6b7910a4", + "https://git.kernel.org/stable/c/9783b3b0e71d704949214a8f76468f591a31f3f5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: stop interface during shutdown\n\nThe mlxbf_gige driver intermittantly encounters a NULL pointer\nexception while the system is shutting down via \"reboot\" command.\nThe mlxbf_driver will experience an exception right after executing\nits shutdown() method. One example of this exception is:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\nMem abort info:\n ESR = 0x0000000096000004\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000004\n CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000\n[0000000000000070] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] SMP\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S OE 5.15.0-bf.6.gef6992a #1\nHardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\nlr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\nsp : ffff8000080d3c10\nx29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58\nx26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008\nx23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128\nx20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff\nx17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7\nx14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101\nx11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404\nx8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080\nx5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\n mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\n __napi_poll+0x40/0x1c8\n net_rx_action+0x314/0x3a0\n __do_softirq+0x128/0x334\n run_ksoftirqd+0x54/0x6c\n smpboot_thread_fn+0x14c/0x190\n kthread+0x10c/0x110\n ret_from_fork+0x10/0x20\nCode: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)\n---[ end trace 7cc3941aa0d8e6a4 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\nKernel Offset: 0x4ce722520000 from 0xffff800008000000\nPHYS_OFFSET: 0x80000000\nCPU features: 0x000005c1,a3330e5a\nMemory Limit: none\n---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nDuring system shutdown, the mlxbf_gige driver's shutdown() is always executed.\nHowever, the driver's stop() method will only execute if networking interface\nconfiguration logic within the Linux distribution has been setup to do so.\n\nIf shutdown() executes but stop() does not execute, NAPI remains enabled\nand this can lead to an exception if NAPI is scheduled while the hardware\ninterface has only been partially deinitialized.\n\nThe networking interface managed by the mlxbf_gige driver must be properly\nstopped during system shutdown so that IFF_UP is cleared, the hardware\ninterface is put into a clean state, and NAPI is fully deinitialized.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35885" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35886", + "dataSource": "https://ubuntu.com/security/CVE-2024-35886", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35886" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35886", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35886", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2", + "https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778", + "https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061", + "https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe", + "https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985", + "https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae", + "https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776", + "https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix infinite recursion in fib6_dump_done().\n\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction. [1]\n\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated. The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection. [0]\n\n 12:01:34 executing program 3:\n r0 = socket$nl_route(0x10, 0x3, 0x0)\n sendmsg$nl_route(r0, ... snip ...)\n recvmmsg(r0, ... snip ...) (fail_nth: 8)\n\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\n\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\n\nTo avoid the issue, let's set the destructor after kzalloc().\n\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\n\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n \n \n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35886" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35887", + "dataSource": "https://ubuntu.com/security/CVE-2024-35887", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35887" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35887", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35887", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/74204bf9050f7627aead9875fe4e07ba125cb19b", + "https://git.kernel.org/stable/c/c6a368f9c7af4c14b14d390c2543af8001c9bdb9", + "https://git.kernel.org/stable/c/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\n\nWhen the ax25 device is detaching, the ax25_dev_device_down()\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\nthe timer handler is running, the ax25_ds_del_timer() that\ncalls del_timer() in it will return directly. As a result,\nthe use-after-free bugs could happen, one of the scenarios\nis shown below:\n\n (Thread 1) | (Thread 2)\n | ax25_ds_timeout()\nax25_dev_device_down() |\n ax25_ds_del_timer() |\n del_timer() |\n ax25_dev_put() //FREE |\n | ax25_dev-> //USE\n\nIn order to mitigate bugs, when the device is detaching, use\ntimer_shutdown_sync() to stop the timer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35887" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35888", + "dataSource": "https://ubuntu.com/security/CVE-2024-35888", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35888" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35888", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35888", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac", + "https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446", + "https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0", + "https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d", + "https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d", + "https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85", + "https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5", + "https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: make sure erspan_base_hdr is present in skb->head\n\nsyzbot reported a problem in ip6erspan_rcv() [1]\n\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb->head)\nbefore getting @ver field from it.\n\nAdd the missing pskb_may_pull() calls.\n\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n because skb->head might have changed.\n\n[1]\n\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n pskb_may_pull include/linux/skbuff.h:2756 [inline]\n ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n dst_input include/net/dst.h:460 [inline]\n ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n netif_receive_skb_internal net/core/dev.c:5738 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n tun_alloc_skb drivers/net/tun.c:1525 [inline]\n tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35888" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35890", + "dataSource": "https://ubuntu.com/security/CVE-2024-35890", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35890" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35890", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35890", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad", + "https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f", + "https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f", + "https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486", + "https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngro: fix ownership transfer\n\nIf packets are GROed with fraglist they might be segmented later on and\ncontinue their journey in the stack. In skb_segment_list those skbs can\nbe reused as-is. This is an issue as their destructor was removed in\nskb_gro_receive_list but not the reference to their socket, and then\nthey can't be orphaned. Fix this by also removing the reference to the\nsocket.\n\nFor example this could be observed,\n\n kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)\n RIP: 0010:ip6_rcv_core+0x11bc/0x19a0\n Call Trace:\n ipv6_list_rcv+0x250/0x3f0\n __netif_receive_skb_list_core+0x49d/0x8f0\n netif_receive_skb_list_internal+0x634/0xd40\n napi_complete_done+0x1d2/0x7d0\n gro_cell_poll+0x118/0x1f0\n\nA similar construction is found in skb_gro_receive, apply the same\nchange there.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35890" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35892", + "dataSource": "https://ubuntu.com/security/CVE-2024-35892", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35892" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35892", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35892", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07696415526bee0607e495017369c7303a4792e1", + "https://git.kernel.org/stable/c/7eb322360b0266481e560d1807ee79e0cef5742b", + "https://git.kernel.org/stable/c/b7d1ce2cc7192e8a037faa3f5d3ba72c25976460", + "https://git.kernel.org/stable/c/c040b99461a5bfc14c2d0cbb1780fcc3a4706c7e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix lockdep splat in qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() is called with the qdisc lock held,\nnot RTNL.\n\nWe must use qdisc_lookup_rcu() instead of qdisc_lookup()\n\nsyzbot reported:\n\nWARNING: suspicious RCU usage\n6.1.74-syzkaller #0 Not tainted\n-----------------------------\nnet/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n3 locks held by udevd/1142:\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792\n\nstack backtrace:\nCPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n \n [] __dump_stack lib/dump_stack.c:88 [inline]\n [] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106\n [] dump_stack+0x15/0x1e lib/dump_stack.c:113\n [] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592\n [] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305\n [] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811\n [] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51\n [] qdisc_enqueue include/net/sch_generic.h:833 [inline]\n [] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723\n [] dequeue_skb net/sched/sch_generic.c:292 [inline]\n [] qdisc_restart net/sched/sch_generic.c:397 [inline]\n [] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415\n [] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\n [] net_tx_action+0x7c9/0x970 net/core/dev.c:5313\n [] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616\n [] invoke_softirq kernel/softirq.c:447 [inline]\n [] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700\n [] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712\n [] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107\n [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35892" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35893", + "dataSource": "https://ubuntu.com/security/CVE-2024-35893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35893" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35893", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366", + "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5", + "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924", + "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c", + "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14", + "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd", + "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec", + "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35895", + "dataSource": "https://ubuntu.com/security/CVE-2024-35895", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35895" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35895", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35895", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86", + "https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd", + "https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5", + "https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec", + "https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75", + "https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058", + "https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\n\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\n\n CPU0 CPU1\n ---- ----\n lock(&htab->buckets[i].lock);\n local_irq_disable();\n lock(&host->lock);\n lock(&htab->buckets[i].lock);\n \n lock(&host->lock);\n\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\n\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\n\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program today.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35895" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35896", + "dataSource": "https://ubuntu.com/security/CVE-2024-35896", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35896" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35896", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35896", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c83842df40f86e529db6842231154772c20edcc", + "https://git.kernel.org/stable/c/0f038242b77ddfc505bf4163d4904c1abd2e74d6", + "https://git.kernel.org/stable/c/18aae2cb87e5faa9c5bd865260ceadac60d5a6c5", + "https://git.kernel.org/stable/c/440e948cf0eff32cfe322dcbca3f2525354b159b", + "https://git.kernel.org/stable/c/58f2bfb789e6bd3bc24a2c9c1580f3c67aec3018", + "https://git.kernel.org/stable/c/81d51b9b7c95e791ba3c1a2dd77920a9d3b3f525", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: validate user input for expected length\n\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\n\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\n\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\n nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n \n\nAllocated by task 7238:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:4069 [inline]\n __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\n kmalloc_noprof include/linux/slab.h:664 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\n\nThe buggy address belongs to the object at ffff88802cd73da0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35896" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35897", + "dataSource": "https://ubuntu.com/security/CVE-2024-35897", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35897" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35897", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35897", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1bc83a019bbe268be3526406245ec28c2458a518", + "https://git.kernel.org/stable/c/2aeb805a1bcd5f27c8c0d1a9d4d653f16d1506f4", + "https://git.kernel.org/stable/c/6cbbe1ba76ee7e674a86abd43009b083a45838cb", + "https://git.kernel.org/stable/c/7f609f630951b624348373cef99991ce08831927", + "https://git.kernel.org/stable/c/9627fd0c6ea1c446741a33e67bc5709c59923827", + "https://git.kernel.org/stable/c/9a3b90904d8a072287480eed4c3ece4b99d64f78", + "https://git.kernel.org/stable/c/b58d0ac35f6d75ec1db8650a29dfd6f292c11362", + "https://git.kernel.org/stable/c/e75faf01e22ec7dc671640fa0e0968964fafd2fc", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: discard table flag update with pending basechain deletion\n\nHook unregistration is deferred to the commit phase, same occurs with\nhook updates triggered by the table dormant flag. When both commands are\ncombined, this results in deleting a basechain while leaving its hook\nstill registered in the core.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35897" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35898", + "dataSource": "https://ubuntu.com/security/CVE-2024-35898", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35898" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35898", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35898", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/24225011d81b471acc0e1e315b7d9905459a6304", + "https://git.kernel.org/stable/c/2485bcfe05ee3cf9ca8923a94fa2e456924c79c8", + "https://git.kernel.org/stable/c/69d1fe14a680042ec913f22196b58e2c8ff1b007", + "https://git.kernel.org/stable/c/8b891153b2e4dc0ca9d9dab8f619d49c740813df", + "https://git.kernel.org/stable/c/940d41caa71f0d3a52df2fde5fada524a993e331", + "https://git.kernel.org/stable/c/9b5b7708ec2be21dd7ef8ca0e3abe4ae9f3b083b", + "https://git.kernel.org/stable/c/a347bc8e6251eaee4b619da28020641eb5b0dd77", + "https://git.kernel.org/stable/c/e684b1674fd1ca4361812a491242ae871d6b2859", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\n\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35898" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35899", + "dataSource": "https://ubuntu.com/security/CVE-2024-35899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35899" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35899", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/24cea9677025e0de419989ecb692acd4bb34cac2", + "https://git.kernel.org/stable/c/333b5085522cf1898d5a0d92616046b414f631a7", + "https://git.kernel.org/stable/c/46c4481938e2ca62343b16ea83ab28f4c1733d31", + "https://git.kernel.org/stable/c/4e8447a9a3d367b5065a0b7abe101da6e0037b6e", + "https://git.kernel.org/stable/c/d2c9eb19fc3b11caebafde4c30a76a49203d18a6", + "https://git.kernel.org/stable/c/f4e14695fe805eb0f0cb36e0ad6a560b9f985e86", + "https://git.kernel.org/stable/c/f7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: flush pending destroy work before exit_net release\n\nSimilar to 2c9f0293280e (\"netfilter: nf_tables: flush pending destroy\nwork before netlink notifier\") to address a race between exit_net and\nthe destroy workqueue.\n\nThe trace below shows an element to be released via destroy workqueue\nwhile exit_net path (triggered via module removal) has already released\nthe set that is used in such transaction.\n\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\n[ 1360.547984] Call Trace:\n[ 1360.547991] \n[ 1360.547998] dump_stack_lvl+0x53/0x70\n[ 1360.548014] print_report+0xc4/0x610\n[ 1360.548026] ? __virt_addr_valid+0xba/0x160\n[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548176] kasan_report+0xae/0xe0\n[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\n[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30\n[ 1360.548591] process_one_work+0x2f1/0x670\n[ 1360.548610] worker_thread+0x4d3/0x760\n[ 1360.548627] ? __pfx_worker_thread+0x10/0x10\n[ 1360.548640] kthread+0x16b/0x1b0\n[ 1360.548653] ? __pfx_kthread+0x10/0x10\n[ 1360.548665] ret_from_fork+0x2f/0x50\n[ 1360.548679] ? __pfx_kthread+0x10/0x10\n[ 1360.548690] ret_from_fork_asm+0x1a/0x30\n[ 1360.548707] \n\n[ 1360.548719] Allocated by task 192061:\n[ 1360.548726] kasan_save_stack+0x20/0x40\n[ 1360.548739] kasan_save_track+0x14/0x30\n[ 1360.548750] __kasan_kmalloc+0x8f/0xa0\n[ 1360.548760] __kmalloc_node+0x1f1/0x450\n[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables]\n[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\n[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\n[ 1360.548927] netlink_unicast+0x367/0x4f0\n[ 1360.548935] netlink_sendmsg+0x34b/0x610\n[ 1360.548944] ____sys_sendmsg+0x4d4/0x510\n[ 1360.548953] ___sys_sendmsg+0xc9/0x120\n[ 1360.548961] __sys_sendmsg+0xbe/0x140\n[ 1360.548971] do_syscall_64+0x55/0x120\n[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n[ 1360.548994] Freed by task 192222:\n[ 1360.548999] kasan_save_stack+0x20/0x40\n[ 1360.549009] kasan_save_track+0x14/0x30\n[ 1360.549019] kasan_save_free_info+0x3b/0x60\n[ 1360.549028] poison_slab_object+0x100/0x180\n[ 1360.549036] __kasan_slab_free+0x14/0x30\n[ 1360.549042] kfree+0xb6/0x260\n[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables]\n[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables]\n[ 1360.549221] ops_exit_list+0x50/0xa0\n[ 1360.549229] free_exit_list+0x101/0x140\n[ 1360.549236] unregister_pernet_operations+0x107/0x160\n[ 1360.549245] unregister_pernet_subsys+0x1c/0x30\n[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables]\n[ 1360.549345] __do_sys_delete_module+0x253/0x370\n[ 1360.549352] do_syscall_64+0x55/0x120\n[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n(gdb) list *__nft_release_table+0x473\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\n11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\n11350 list_del(&flowtable->list);\n11351 nft_use_dec(&table->use);\n11352 nf_tables_flowtable_destroy(flowtable);\n11353 }\n11354 list_for_each_entry_safe(set, ns, &table->sets, list) {\n11355 list_del(&set->list);\n11356 nft_use_dec(&table->use);\n11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\n11358 nft_map_deactivat\n---truncated---", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", + "metrics": { + "baseScore": 6.1, + "exploitabilityScore": 1.8, + "impactScore": 4.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35900", + "dataSource": "https://ubuntu.com/security/CVE-2024-35900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35900" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35900", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/41bad13c0e8a5a2b47a7472cced922555372daab", + "https://git.kernel.org/stable/c/420132bee3d0136b7fba253a597b098fe15493a7", + "https://git.kernel.org/stable/c/6d12f21f8bbe23fde25b77c2bf5973c136b8bef8", + "https://git.kernel.org/stable/c/745cf6a843896cdac8766c74379300ed73c78830", + "https://git.kernel.org/stable/c/7b6fba6918714afee3e17796113ccab636255c7b", + "https://git.kernel.org/stable/c/8ba81dca416adf82fc5a2a23abc1a8cc02ad32fb", + "https://git.kernel.org/stable/c/994209ddf4f430946f6247616b2e33d179243769", + "https://git.kernel.org/stable/c/e95bb4cba94c018be24b11f017d1c55dd6cda31a", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject new basechain after table flag update\n\nWhen dormant flag is toggled, hooks are disabled in the commit phase by\niterating over current chains in table (existing and new).\n\nThe following configuration allows for an inconsistent state:\n\n add table x\n add chain x y { type filter hook input priority 0; }\n add table x { flags dormant; }\n add chain x w { type filter hook input priority 1; }\n\nwhich triggers the following warning when trying to unregister chain w\nwhich is already unregistered.\n\n[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[ 127.322519] Call Trace:\n[ 127.322521] \n[ 127.322524] ? __warn+0x9f/0x1a0\n[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322537] ? report_bug+0x1b1/0x1e0\n[ 127.322545] ? handle_bug+0x3c/0x70\n[ 127.322552] ? exc_invalid_op+0x17/0x40\n[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20\n[ 127.322563] ? kasan_save_free_info+0x3b/0x60\n[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]\n[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]\n[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35902", + "dataSource": "https://ubuntu.com/security/CVE-2024-35902", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35902" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35902", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35902", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b", + "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a", + "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d", + "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9", + "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196", + "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14", + "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c", + "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp->cp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n - rds_get_mr()\n - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n where trans_private is assigned as per the previous point in this analysis.\n\n The only implementation of get_mr that I could locate is rds_ib_get_mr()\n which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n this patch does seem to address a possible bug", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35902" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35904", + "dataSource": "https://ubuntu.com/security/CVE-2024-35904", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35904" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35904", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35904", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/37801a36b4d68892ce807264f784d818f8d0d39b", + "https://git.kernel.org/stable/c/477ed6789eb9f3f4d3568bb977f90c863c12724e", + "https://git.kernel.org/stable/c/68784a5d01b8868ff85a7926676b6729715fff3c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: avoid dereference of garbage after mount failure\n\nIn case kern_mount() fails and returns an error pointer return in the\nerror branch instead of continuing and dereferencing the error pointer.\n\nWhile on it drop the never read static variable selinuxfs_mount.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35904" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35905", + "dataSource": "https://ubuntu.com/security/CVE-2024-35905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35905" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35905", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103", + "https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69", + "https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69", + "https://git.kernel.org/stable/c/98cdac206b112bec63852e94802791e316acc2c1", + "https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d", + "https://git.kernel.org/stable/c/ecc6a2101840177e57c925c102d2d29f260d37c8", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Protect against int overflow for stack access size\n\nThis patch re-introduces protection against the size of access to stack\nmemory being negative; the access size can appear negative as a result\nof overflowing its signed int representation. This should not actually\nhappen, as there are other protections along the way, but we should\nprotect against it anyway. One code path was missing such protections\n(fixed in the previous patch in the series), causing out-of-bounds array\naccesses in check_stack_range_initialized(). This patch causes the\nverification of a program with such a non-sensical access size to fail.\n\nThis check used to exist in a more indirect way, but was inadvertendly\nremoved in a833a17aeac7.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35907", + "dataSource": "https://ubuntu.com/security/CVE-2024-35907", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35907" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35907", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35907", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab", + "https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e", + "https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52", + "https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3", + "https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: call request_irq() after NAPI initialized\n\nThe mlxbf_gige driver encounters a NULL pointer exception in\nmlxbf_gige_open() when kdump is enabled. The sequence to reproduce\nthe exception is as follows:\na) enable kdump\nb) trigger kdump via \"echo c > /proc/sysrq-trigger\"\nc) kdump kernel executes\nd) kdump kernel loads mlxbf_gige module\ne) the mlxbf_gige module runs its open() as the\n the \"oob_net0\" interface is brought up\nf) mlxbf_gige module will experience an exception\n during its open(), something like:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000086000004\n EC = 0x21: IABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\n [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000086000004 [#1] SMP\n CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : 0x0\n lr : __napi_poll+0x40/0x230\n sp : ffff800008003e00\n x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\n x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\n x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\n x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\n x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\n x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\n x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\n x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\n x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\n Call trace:\n 0x0\n net_rx_action+0x178/0x360\n __do_softirq+0x15c/0x428\n __irq_exit_rcu+0xac/0xec\n irq_exit+0x18/0x2c\n handle_domain_irq+0x6c/0xa0\n gic_handle_irq+0xec/0x1b0\n call_on_irq_stack+0x20/0x2c\n do_interrupt_handler+0x5c/0x70\n el1_interrupt+0x30/0x50\n el1h_64_irq_handler+0x18/0x2c\n el1h_64_irq+0x7c/0x80\n __setup_irq+0x4c0/0x950\n request_threaded_irq+0xf4/0x1bc\n mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\n mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\n __dev_open+0x100/0x220\n __dev_change_flags+0x16c/0x1f0\n dev_change_flags+0x2c/0x70\n do_setlink+0x220/0xa40\n __rtnl_newlink+0x56c/0x8a0\n rtnl_newlink+0x58/0x84\n rtnetlink_rcv_msg+0x138/0x3c4\n netlink_rcv_skb+0x64/0x130\n rtnetlink_rcv+0x20/0x30\n netlink_unicast+0x2ec/0x360\n netlink_sendmsg+0x278/0x490\n __sock_sendmsg+0x5c/0x6c\n ____sys_sendmsg+0x290/0x2d4\n ___sys_sendmsg+0x84/0xd0\n __sys_sendmsg+0x70/0xd0\n __arm64_sys_sendmsg+0x2c/0x40\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x54/0x184\n do_el0_svc+0x30/0xac\n el0_svc+0x48/0x160\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n Code: bad PC value\n ---[ end trace 7d1c3f3bf9d81885 ]---\n Kernel panic - not syncing: Oops: Fatal exception in interrupt\n Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\n PHYS_OFFSET: 0x80000000\n CPU features: 0x0,000005c1,a3332a5a\n Memory Limit: none\n ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThe exception happens because there is a pending RX interrupt before the\ncall to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires\nimmediately after this request_irq() completes. The\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35907" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35908", + "dataSource": "https://ubuntu.com/security/CVE-2024-35908", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35908" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35908", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35908", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/30fabe50a7ace3e9d57cf7f9288f33ea408491c8", + "https://git.kernel.org/stable/c/417e91e856099e9b8a42a2520e2255e6afe024be", + "https://git.kernel.org/stable/c/b565d294e3d5aa809566a4d819835da11997d8b3", + "https://git.kernel.org/stable/c/f1b7f14130d782433bc98c1e1e41ce6b4d4c3096" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: get psock ref after taking rxlock to avoid leak\n\nAt the start of tls_sw_recvmsg, we take a reference on the psock, and\nthen call tls_rx_reader_lock. If that fails, we return directly\nwithout releasing the reference.\n\nInstead of adding a new label, just take the reference after locking\nhas succeeded, since we don't need it before.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35908" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35910", + "dataSource": "https://ubuntu.com/security/CVE-2024-35910", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35910" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35910", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35910", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada", + "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4", + "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f", + "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a", + "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de", + "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50", + "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87", + "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35910" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35912", + "dataSource": "https://ubuntu.com/security/CVE-2024-35912", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35912" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35912", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35912", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06a093807eb7b5c5b29b6cff49f8174a4e702341", + "https://git.kernel.org/stable/c/28db0ae86cb91a4ab0e855cff779daead936b7d5", + "https://git.kernel.org/stable/c/99a75d75007421d8e08ba139e24f77395cd08f62", + "https://git.kernel.org/stable/c/c0a40f2f8eba07416f695ffe2011bf3f8b0b6dc8", + "https://git.kernel.org/stable/c/f7f0e784894dfcb265f0f9fa499103b0ca7eabde" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: rfi: fix potential response leaks\n\nIf the rx payload length check fails, or if kmemdup() fails,\nwe still need to free the command response. Fix that.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35912" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35915", + "dataSource": "https://ubuntu.com/security/CVE-2024-35915", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35915" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35915", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35915", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff", + "https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240", + "https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c", + "https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a", + "https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a", + "https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16", + "https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7", + "https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\n\nsyzbot reported the following uninit-value access issue [1][2]:\n\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\n\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35915" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35918", + "dataSource": "https://ubuntu.com/security/CVE-2024-35918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35918" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35918" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35920", + "dataSource": "https://ubuntu.com/security/CVE-2024-35920", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35920" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35920", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35920", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a2dc707aa42214f9c4827bd57e344e29a0841d6", + "https://git.kernel.org/stable/c/23aaf824121055ba81b55f75444355bd83c8eb38", + "https://git.kernel.org/stable/c/6467cda18c9f9b5f2f9a0aa1e2861c653e41f382" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: adding lock to protect decoder context list\n\nAdd a lock for the ctx_list, to avoid accessing a NULL pointer\nwithin the 'vpu_dec_ipi_handler' function when the ctx_list has\nbeen deleted due to an unexpected behavior on the SCP IP block.\n\nHardware name: Google juniper sku16 board (DT)\npstate: 20400005 (nzCv daif +PAN -UAO -TCO BTYPE=--)\npc : vpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec]\nlr : scp_ipi_handler+0xd0/0x194 [mtk_scp]\nsp : ffffffc0131dbbd0\nx29: ffffffc0131dbbd0 x28: 0000000000000000\nx27: ffffff9bb277f348 x26: ffffff9bb242ad00\nx25: ffffffd2d440d3b8 x24: ffffffd2a13ff1d4\nx23: ffffff9bb7fe85a0 x22: ffffffc0133fbdb0\nx21: 0000000000000010 x20: ffffff9b050ea328\nx19: ffffffc0131dbc08 x18: 0000000000001000\nx17: 0000000000000000 x16: ffffffd2d461c6e0\nx15: 0000000000000242 x14: 000000000000018f\nx13: 000000000000004d x12: 0000000000000000\nx11: 0000000000000001 x10: fffffffffffffff0\nx9 : ffffff9bb6e793a8 x8 : 0000000000000000\nx7 : 0000000000000000 x6 : 000000000000003f\nx5 : 0000000000000040 x4 : fffffffffffffff0\nx3 : 0000000000000020 x2 : ffffff9bb6e79080\nx1 : 0000000000000010 x0 : ffffffc0131dbc08\nCall trace:\nvpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec (HASH:6c3f 2)]\nscp_ipi_handler+0xd0/0x194 [mtk_scp (HASH:7046 3)]\nmt8183_scp_irq_handler+0x44/0x88 [mtk_scp (HASH:7046 3)]\nscp_irq_handler+0x48/0x90 [mtk_scp (HASH:7046 3)]\nirq_thread_fn+0x38/0x94\nirq_thread+0x100/0x1c0\nkthread+0x140/0x1fc\nret_from_fork+0x10/0x30\nCode: 54000088 f94ca50a eb14015f 54000060 (f9400108)\n---[ end trace ace43ce36cbd5c93 ]---\nKernel panic - not syncing: Oops: Fatal exception\nSMP: stopping secondary CPUs\nKernel Offset: 0x12c4000000 from 0xffffffc010000000\nPHYS_OFFSET: 0xffffffe580000000\nCPU features: 0x08240002,2188200c\nMemory Limit: none", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35920" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35922", + "dataSource": "https://ubuntu.com/security/CVE-2024-35922", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35922" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35922", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35922", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4", + "https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f", + "https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33", + "https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029", + "https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971", + "https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270", + "https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0", + "https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd9bd4126", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbmon: prevent division by zero in fb_videomode_from_videomode()\n\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35922" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35924", + "dataSource": "https://ubuntu.com/security/CVE-2024-35924", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35924" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35924", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35924", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0defcaa09d3b21e8387829ee3a652c43fa91e13f", + "https://git.kernel.org/stable/c/266f403ec47573046dee4bcebda82777ce702c40", + "https://git.kernel.org/stable/c/b3db266fb031fba88c423d4bb8983a73a3db6527" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Limit read size on v1.2\n\nBetween UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was\nincreased from 16 to 256. In order to avoid overflowing reads for older\nsystems, add a mechanism to use the read UCSI version to truncate read\nsizes on UCSI v1.2.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35924" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35925", + "dataSource": "https://ubuntu.com/security/CVE-2024-35925", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35925" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35925", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35925", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21e7d72d0cfcbae6042d498ea2e6f395311767f8", + "https://git.kernel.org/stable/c/512a01da7134bac8f8b373506011e8aaa3283854", + "https://git.kernel.org/stable/c/5f7fd6aa4c4877d77133ea86c14cf256f390b2fe", + "https://git.kernel.org/stable/c/6a55dab4ac956deb23690eedd74e70b892a378e7", + "https://git.kernel.org/stable/c/93f52fbeaf4b676b21acfe42a5152620e6770d02", + "https://git.kernel.org/stable/c/98ddf2604ade2d954bf5ec193600d5274a43fd68", + "https://git.kernel.org/stable/c/b0cb5564c3e8e0ee0a2d28c86fa7f02e82d64c3c", + "https://git.kernel.org/stable/c/edd073c78d2bf48c5b8bf435bbc3d61d6e7c6c14", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: prevent division by zero in blk_rq_stat_sum()\n\nThe expression dst->nr_samples + src->nr_samples may\nhave zero value on overflow. It is necessary to add\na check to avoid division by zero.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35925" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35926", + "dataSource": "https://ubuntu.com/security/CVE-2024-35926", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35926" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35926", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35926", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/262534ddc88dfea7474ed18adfecf856e4fbe054", + "https://git.kernel.org/stable/c/d994f7d77aaded05dc05af58a2720fd4f4b72a83" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix async_disable descriptor leak\n\nThe disable_async paths of iaa_compress/decompress() don't free idxd\ndescriptors in the async_disable case. Currently this only happens in\nthe testcases where req->dst is set to null. Add a test to free them\nin those paths.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35926" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35927", + "dataSource": "https://ubuntu.com/security/CVE-2024-35927", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35927" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35927", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35927", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/18451798f4a4e7418b9fad7e7dd313fe84b1f545", + "https://git.kernel.org/stable/c/3d1b47e3a935abd4f258a945db87e7267ff4079c", + "https://git.kernel.org/stable/c/4ad8d57d902fbc7c82507cfc1b031f3a07c3de6e", + "https://git.kernel.org/stable/c/5abffb66d12bcac84bf7b66389c571b8bb6e82bd", + "https://git.kernel.org/stable/c/786c27982a39d79cc753f84229eb5977ac8ef1c1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Check output polling initialized before disabling\n\nIn drm_kms_helper_poll_disable() check if output polling\nsupport is initialized before disabling polling. If not flag\nthis as a warning.\nAdditionally in drm_mode_config_helper_suspend() and\ndrm_mode_config_helper_resume() calls, that re the callers of these\nfunctions, avoid invoking them if polling is not initialized.\nFor drivers like hyperv-drm, that do not initialize connector\npolling, if suspend is called without this check, it leads to\nsuspend failure with following stack\n[ 770.719392] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.\n[ 770.720592] printk: Suspending console(s) (use no_console_suspend to debug)\n[ 770.948823] ------------[ cut here ]------------\n[ 770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230\n[ 770.948831] Modules linked in: rfkill nft_counter xt_conntrack xt_owner udf nft_compat crc_itu_t nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink vfat fat mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common kvm_amd ccp mlxfw kvm psample hyperv_drm tls drm_shmem_helper drm_kms_helper irqbypass pcspkr syscopyarea sysfillrect sysimgblt hv_balloon hv_utils joydev drm fuse xfs libcrc32c pci_hyperv pci_hyperv_intf sr_mod sd_mod cdrom t10_pi sg hv_storvsc scsi_transport_fc hv_netvsc serio_raw hyperv_keyboard hid_hyperv crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod\n[ 770.948863] CPU: 1 PID: 17197 Comm: systemd-sleep Not tainted 5.14.0-362.2.1.el9_3.x86_64 #1\n[ 770.948865] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022\n[ 770.948866] RIP: 0010:__flush_work.isra.0+0x212/0x230\n[ 770.948869] Code: 8b 4d 00 4c 8b 45 08 89 ca 48 c1 e9 04 83 e2 08 83 e1 0f 83 ca 02 89 c8 48 0f ba 6d 00 03 e9 25 ff ff ff 0f 0b e9 4e ff ff ff <0f> 0b 45 31 ed e9 44 ff ff ff e8 8f 89 b2 00 66 66 2e 0f 1f 84 00\n[ 770.948870] RSP: 0018:ffffaf4ac213fb10 EFLAGS: 00010246\n[ 770.948871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8c992857\n[ 770.948872] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9aad82b00330\n[ 770.948873] RBP: ffff9aad82b00330 R08: 0000000000000000 R09: ffff9aad87ee3d10\n[ 770.948874] R10: 0000000000000200 R11: 0000000000000000 R12: ffff9aad82b00330\n[ 770.948874] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n[ 770.948875] FS: 00007ff1b2f6bb40(0000) GS:ffff9aaf37d00000(0000) knlGS:0000000000000000\n[ 770.948878] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 770.948878] CR2: 0000555f345cb666 CR3: 00000001462dc005 CR4: 0000000000370ee0\n[ 770.948879] Call Trace:\n[ 770.948880] \n[ 770.948881] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948884] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948886] ? __cancel_work_timer+0x103/0x190\n[ 770.948887] ? __flush_work.isra.0+0x212/0x230\n[ 770.948889] ? __warn+0x81/0x110\n[ 770.948891] ? __flush_work.isra.0+0x212/0x230\n[ 770.948892] ? report_bug+0x10a/0x140\n[ 770.948895] ? handle_bug+0x3c/0x70\n[ 770.948898] ? exc_invalid_op+0x14/0x70\n[ 770.948899] ? asm_exc_invalid_op+0x16/0x20\n[ 770.948903] ? __flush_work.isra.0+0x212/0x230\n[ 770.948905] __cancel_work_timer+0x103/0x190\n[ 770.948907] ? _raw_spin_unlock_irqrestore+0xa/0x30\n[ 770.948910] drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper]\n[ 770.948923] drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper]\n[ 770.948933] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948942] hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm]\n[ 770.948944] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948951] dpm_run_callback+0x4c/0x140\n[ 770.948954] __device_suspend_noir\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35927" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35928", + "dataSource": "https://ubuntu.com/security/CVE-2024-35928", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35928" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35928", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/14ac934db851642ea8cd1bd4121c788a8899ef69", + "https://git.kernel.org/stable/c/aa665c3a2aca2ffe31b9645bda278e96dfc3b55c", + "https://git.kernel.org/stable/c/c5f9fe2c1e5023fa096189a8bfba6420aa035587", + "https://git.kernel.org/stable/c/eb4f139888f636614dab3bcce97ff61cefc4b3a7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()\n\nThis ensures that the memory mapped by ioremap for adev->rmmio, is\nproperly handled in amdgpu_device_init(). If the function exits early\ndue to an error, the memory is unmapped. If the function completes\nsuccessfully, the memory remains mapped.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_device.c:4337 amdgpu_device_init() warn: 'adev->rmmio' from ioremap() not released on lines: 4035,4045,4051,4058,4068,4337", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35928" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35929", + "dataSource": "https://ubuntu.com/security/CVE-2024-35929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35929" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35929", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc", + "https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a", + "https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()\n\nFor the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and\nCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()\nin the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:\n\n CPU2 CPU11\nkthread\nrcu_nocb_cb_kthread ksys_write\nrcu_do_batch vfs_write\nrcu_torture_timer_cb proc_sys_write\n__kmem_cache_free proc_sys_call_handler\nkmemleak_free drop_caches_sysctl_handler\ndelete_object_full drop_slab\n__delete_object shrink_slab\nput_object lazy_rcu_shrink_scan\ncall_rcu rcu_nocb_flush_bypass\n__call_rcu_commn rcu_nocb_bypass_lock\n raw_spin_trylock(&rdp->nocb_bypass_lock) fail\n atomic_inc(&rdp->nocb_lock_contended);\nrcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu);\n WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) |\n |_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __|\n\nReproduce this bug with \"echo 3 > /proc/sys/vm/drop_caches\".\n\nThis commit therefore uses rcu_nocb_try_flush_bypass() instead of\nrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass\nqueue is being flushed, then rcu_nocb_try_flush_bypass will return\ndirectly.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35930", + "dataSource": "https://ubuntu.com/security/CVE-2024-35930", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35930" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35930", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35930", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07a2aa674fca679316b8ac51440adb895b53a7cf", + "https://git.kernel.org/stable/c/2ae917d4bcab80ab304b774d492e2fcd6c52c06b", + "https://git.kernel.org/stable/c/3320126ed3afbc11934502319b340f91a4d61c8f", + "https://git.kernel.org/stable/c/7849e6f8410da96384e3d1f6b6d730f095142dc7", + "https://git.kernel.org/stable/c/c473288f27d15014447de5a891bdf22a0695847a", + "https://git.kernel.org/stable/c/e2cd32435b1dff3d63759476a3abc878e02fb6c8", + "https://git.kernel.org/stable/c/edf82aa7e9eb864a09229392054d131b34a5c9e8", + "https://git.kernel.org/stable/c/ee0b5f96b6d66a1e6698228dcb41df11ec7f352f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\n\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status. In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\n\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35930" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35931", + "dataSource": "https://ubuntu.com/security/CVE-2024-35931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35931" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35931", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/395ca1031acf89d8ecb26127c544a71688d96f35", + "https://git.kernel.org/stable/c/601429cca96b4af3be44172c3b64e4228515dbe1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Skip do PCI error slot reset during RAS recovery\n\nWhy:\n The PCI error slot reset maybe triggered after inject ue to UMC multi times, this\n caused system hang.\n [ 557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, trying to resume\n [ 557.373718] [drm] PCIE GART of 512M enabled.\n [ 557.373722] [drm] PTB located at 0x0000031FED700000\n [ 557.373788] [drm] VRAM is lost due to GPU reset!\n [ 557.373789] [drm] PSP is resuming...\n [ 557.547012] mlx5_core 0000:55:00.0: mlx5_pci_err_detected Device state = 1 pci_status: 0. Exit, result = 3, need reset\n [ 557.547067] [drm] PCI error: detected callback, state(1)!!\n [ 557.547069] [drm] No support for XGMI hive yet...\n [ 557.548125] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 0. Enter\n [ 557.607763] mlx5_core 0000:55:00.0: wait vital counter value 0x16b5b after 1 iterations\n [ 557.607777] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 1. Exit, err = 0, result = 5, recovered\n [ 557.610492] [drm] PCI error: slot reset callback!!\n ...\n [ 560.689382] amdgpu 0000:3f:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689546] amdgpu 0000:5a:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689562] general protection fault, probably for non-canonical address 0x5f080b54534f611f: 0000 [#1] SMP NOPTI\n [ 560.701008] CPU: 16 PID: 2361 Comm: kworker/u448:9 Tainted: G OE 5.15.0-91-generic #101-Ubuntu\n [ 560.712057] Hardware name: Microsoft C278A/C278A, BIOS C2789.5.BS.1C11.AG.1 11/08/2023\n [ 560.720959] Workqueue: amdgpu-reset-hive amdgpu_ras_do_recovery [amdgpu]\n [ 560.728887] RIP: 0010:amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.736891] Code: ff 41 89 c6 e9 1b ff ff ff 44 0f b6 45 b0 e9 4f ff ff ff be 01 00 00 00 4c 89 e7 e8 76 c9 8b ff 44 0f b6 45 b0 e9 3c fd ff ff <48> 83 ba 18 02 00 00 00 0f 84 6a f8 ff ff 48 8d 7a 78 be 01 00 00\n [ 560.757967] RSP: 0018:ffa0000032e53d80 EFLAGS: 00010202\n [ 560.763848] RAX: ffa00000001dfd10 RBX: ffa0000000197090 RCX: ffa0000032e53db0\n [ 560.771856] RDX: 5f080b54534f5f07 RSI: 0000000000000000 RDI: ff11000128100010\n [ 560.779867] RBP: ffa0000032e53df0 R08: 0000000000000000 R09: ffffffffffe77f08\n [ 560.787879] R10: 0000000000ffff0a R11: 0000000000000001 R12: 0000000000000000\n [ 560.795889] R13: ffa0000032e53e00 R14: 0000000000000000 R15: 0000000000000000\n [ 560.803889] FS: 0000000000000000(0000) GS:ff11007e7e800000(0000) knlGS:0000000000000000\n [ 560.812973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 560.819422] CR2: 000055a04c118e68 CR3: 0000000007410005 CR4: 0000000000771ee0\n [ 560.827433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [ 560.835433] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n [ 560.843444] PKRU: 55555554\n [ 560.846480] Call Trace:\n [ 560.849225] \n [ 560.851580] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.856488] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.861379] ? amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.867778] ? show_regs.part.0+0x23/0x29\n [ 560.872293] ? __die_body.cold+0x8/0xd\n [ 560.876502] ? die_addr+0x3e/0x60\n [ 560.880238] ? exc_general_protection+0x1c5/0x410\n [ 560.885532] ? asm_exc_general_protection+0x27/0x30\n [ 560.891025] ? amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.898323] amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.904520] process_one_work+0x228/0x3d0\nHow:\n In RAS recovery, mode-1 reset is issued from RAS fatal error handling and expected\n all the nodes in a hive to be reset. no need to issue another mode-1 during this procedure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35932", + "dataSource": "https://ubuntu.com/security/CVE-2024-35932", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35932" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35932", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35932", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40", + "https://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd", + "https://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9", + "https://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: don't check if plane->state->fb == state->fb\n\nCurrently, when using non-blocking commits, we can see the following\nkernel warning:\n\n[ 110.908514] ------------[ cut here ]------------\n[ 110.908529] refcount_t: underflow; use-after-free.\n[ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\n[ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32\n[ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0\n[ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0\n[ 110.909170] sp : ffffffc00913b9c0\n[ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\n[ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\n[ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\n[ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\n[ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\n[ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\n[ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\n[ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\n[ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\n[ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\n[ 110.909434] Call trace:\n[ 110.909441] refcount_dec_not_one+0xb8/0xc0\n[ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\n[ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4]\n[ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\n[ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4]\n[ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper]\n[ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\n[ 110.911716] drm_atomic_commit+0xb0/0xdc [drm]\n[ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\n[ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm]\n[ 110.914091] drm_ioctl+0x24c/0x3b0 [drm]\n[ 110.914850] __arm64_sys_ioctl+0x9c/0xd4\n[ 110.914873] invoke_syscall+0x4c/0x114\n[ 110.914897] el0_svc_common+0xd0/0x118\n[ 110.914917] do_el0_svc+0x38/0xd0\n[ 110.914936] el0_svc+0x30/0x8c\n[ 110.914958] el0t_64_sync_handler+0x84/0xf0\n[ 110.914979] el0t_64_sync+0x18c/0x190\n[ 110.914996] ---[ end trace 0000000000000000 ]---\n\nThis happens because, although `prepare_fb` and `cleanup_fb` are\nperfectly balanced, we cannot guarantee consistency in the check\nplane->state->fb == state->fb. This means that sometimes we can increase\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\nopposite can also be true.\n\nIn fact, the struct drm_plane .state shouldn't be accessed directly\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\nbe used. So, we could stick to this check, but using\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35932" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35933", + "dataSource": "https://ubuntu.com/security/CVE-2024-35933", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35933" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35933", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35933", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/006936ecb4edfc3102464044f75858c714e34d28", + "https://git.kernel.org/stable/c/22d3053ef05f0b5045e45bd91e7473846261d65e", + "https://git.kernel.org/stable/c/68a69bb2ecafaacdb998a87783068fb51736f43b", + "https://git.kernel.org/stable/c/86e9b47e8a75c74b1bd83a479979b425c5dc8bd9", + "https://git.kernel.org/stable/c/b19fe5eea619d54eea59bb8a37c0f8d00ef0e912", + "https://git.kernel.org/stable/c/b79e040910101b020931ba0c9a6b77e81ab7f645", + "https://git.kernel.org/stable/c/ec2049fb2b8be3e108fe2ef1f1040f91e72c9990", + "https://git.kernel.org/stable/c/ffdca0a62abaf8c41d8d9ea132000fd808de329b", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Fix null ptr deref in btintel_read_version\n\nIf hci_cmd_sync_complete() is triggered and skb is NULL, then\nhdev->req_skb is NULL, which will cause this issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35933" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35934", + "dataSource": "https://ubuntu.com/security/CVE-2024-35934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35934" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35934", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0", + "https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7", + "https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec", + "https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4", + "https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2", + "https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()\n\nMany syzbot reports show extreme rtnl pressure, and many of them hint\nthat smc acquires rtnl in netns creation for no good reason [1]\n\nThis patch returns early from smc_pnet_net_init()\nif there is no netdevice yet.\n\nI am not even sure why smc_pnet_create_pnetids_list() even exists,\nbecause smc_pnet_netdev_event() is also calling\nsmc_pnet_add_base_pnetid() when handling NETDEV_UP event.\n\n[1] extract of typical syzbot reports\n\n2 locks held by syz-executor.3/12252:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12253:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12257:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12261:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.0/12265:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.3/12268:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12271:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12274:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12280:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35935", + "dataSource": "https://ubuntu.com/security/CVE-2024-35935", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35935" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35935", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35935", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/024529c27c8b4b273325a169e078337c8279e229", + "https://git.kernel.org/stable/c/03938619a1e718b6168ae4528e1b0f979293f1a5", + "https://git.kernel.org/stable/c/2f6174fd4ccf403b42b3d5f0d1b6b496a0e5330a", + "https://git.kernel.org/stable/c/3c6ee34c6f9cd12802326da26631232a61743501", + "https://git.kernel.org/stable/c/4720d590c4cb5d9ffa0060b89743651cc7e995f9", + "https://git.kernel.org/stable/c/9ae356c627b493323e1433dcb27a26917668c07c", + "https://git.kernel.org/stable/c/be2b6bcc936ae17f42fff6494106a5660b35d8d3", + "https://git.kernel.org/stable/c/c1363ed8867b81ea169fba2ccc14af96a85ed183", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\n\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don't accidentally leak kernel\naddresses.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35935" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35936", + "dataSource": "https://ubuntu.com/security/CVE-2024-35936", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35936" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35936", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35936", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d23b34c68c46cd225b55868bc8a269e3134816d", + "https://git.kernel.org/stable/c/1f9212cdbd005bc55f2b7422e7b560d9c02bd1da", + "https://git.kernel.org/stable/c/36c2a2863bc3896243eb724dc3fd4cf9aea633f2", + "https://git.kernel.org/stable/c/576164bd01bd795f8b09fb194b493103506b33c9", + "https://git.kernel.org/stable/c/7411055db5ce64f836aaffd422396af0075fdc99", + "https://git.kernel.org/stable/c/87299cdaae757f3f41212146cfb5b3af416b8385", + "https://git.kernel.org/stable/c/bebd9e0ff90034875c5dfe4bd514fd7055fc7a89", + "https://git.kernel.org/stable/c/d1ffa4ae2d591fdd40471074e79954ec45f147f7", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\n\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\n\n- at first the search key is set up to look for a chunk tree item, with\n offset -1, this is an inexact search and the key->offset will contain\n the correct offset upon a successful search, a valid chunk tree item\n cannot have an offset -1\n\n- after first successful search, the found_key corresponds to a chunk\n item, the offset is decremented by 1 before the next loop, it's\n impossible to find a chunk item there due to alignment and size\n constraints", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35936" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35937", + "dataSource": "https://ubuntu.com/security/CVE-2024-35937", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35937" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35937", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35937", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16da1e1dac23be45ef6e23c41b1508c400e6c544", + "https://git.kernel.org/stable/c/5d7a8585fbb31e88fb2a0f581b70667d3300d1e9", + "https://git.kernel.org/stable/c/9ad7974856926129f190ffbe3beea78460b3b7cc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: check A-MSDU format more carefully\n\nIf it looks like there's another subframe in the A-MSDU\nbut the header isn't fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35937" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35938", + "dataSource": "https://ubuntu.com/security/CVE-2024-35938", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35938" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35938", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35938", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/138fdeac75fb7512a7f9f1c3b236cd2e754af793", + "https://git.kernel.org/stable/c/1cca1bddf9ef080503c15378cecf4877f7510015", + "https://git.kernel.org/stable/c/6597a6687af54e2cb58371cf8f6ee4dd85c537de", + "https://git.kernel.org/stable/c/805a1cdde82fec00c7471a393f4bb437b2741559", + "https://git.kernel.org/stable/c/ae5876b3b7b2243d874e2afa099e7926122087a1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: decrease MHI channel buffer length to 8KB\n\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\nwith 0, making MHI use a default size, 64KB, to allocate channel\nbuffers. This is likely to fail in some scenarios where system\nmemory is highly fragmented and memory compaction or reclaim is\nnot allowed.\n\nThere is a fail report which is caused by it:\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\nWorkqueue: events_unbound async_run_entry_fn\nCall Trace:\n \n dump_stack_lvl+0x47/0x60\n warn_alloc+0x13a/0x1b0\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __alloc_pages_direct_compact+0xab/0x210\n __alloc_pages_slowpath.constprop.0+0xd3e/0xda0\n __alloc_pages+0x32d/0x350\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __kmalloc_large_node+0x72/0x110\n __kmalloc+0x37c/0x480\n ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n device_for_each_child+0x5c/0xa0\n ? __pfx_pci_pm_resume+0x10/0x10\n ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\n ? srso_alias_return_thunk+0x5/0xfbef5\n dpm_run_callback+0x8c/0x1e0\n device_resume+0x104/0x340\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x32/0x120\n process_one_work+0x168/0x330\n worker_thread+0x2f5/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe8/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nActually those buffers are used only by QMI target -> host communication.\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\nthan 6KB. So change buf_len field to 8KB, which results in order 1\nallocation if page size is 4KB. In this way, we can at least save some\nmemory, and as well as decrease the possibility of allocation failure\nin those scenarios.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35938" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35939", + "dataSource": "https://ubuntu.com/security/CVE-2024-35939", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35939" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35939", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35939", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4031b72ca747a1e6e9ae4fa729e765b43363d66a", + "https://git.kernel.org/stable/c/4e0cfb25d49da2e6261ad582f58ffa5b5dd8c8e9", + "https://git.kernel.org/stable/c/b57326c96b7bc7638aa8c44e12afa2defe0c934c", + "https://git.kernel.org/stable/c/b9fa16949d18e06bdf728a560f5c8af56d2bdcaf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-direct: Leak pages on dma_set_decrypted() failure\n\nOn TDX it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nDMA could free decrypted/shared pages if dma_set_decrypted() fails. This\nshould be a rare case. Just leak the pages in this case instead of\nfreeing them.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35939" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35940", + "dataSource": "https://ubuntu.com/security/CVE-2024-35940", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35940" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35940", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35940", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ff96ec22a84d80a18d7ae8ca7eb111c34ee33bb", + "https://git.kernel.org/stable/c/635594cca59f9d7a8e96187600c34facb8bc0682", + "https://git.kernel.org/stable/c/6f9f2e498eae7897ba5d3e33908917f68ff4abcc", + "https://git.kernel.org/stable/c/98bc7e26e14fbb26a6abf97603d59532475e97f8", + "https://git.kernel.org/stable/c/98e2b97acb875d65bdfc75fc408e67975cef3041", + "https://git.kernel.org/stable/c/ec7256887d072f98c42cdbef4dcc80ddf84c7a70", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/zone: Add a null pointer check to the psz_kmsg_read\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35940" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35941", + "dataSource": "https://ubuntu.com/security/CVE-2024-35941", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35941" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35941", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35941", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35941" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35942", + "dataSource": "https://ubuntu.com/security/CVE-2024-35942", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35942" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35942", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35942", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/697624ee8ad557ab5417f985d2c804241a7ad30d", + "https://git.kernel.org/stable/c/9d3f959b426635c4da50dfc7b1306afd84d23e7c", + "https://git.kernel.org/stable/c/b13c0d871cd878ff53d25507ca535f59ed1f6a2a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain\n\nAccording to i.MX8MP RM and HDMI ADD, the fdcc clock is part of\nhdmi rx verification IP that should not enable for HDMI TX.\nBut actually if the clock is disabled before HDMI/LCDIF probe,\nLCDIF will not get pixel clock from HDMI PHY and print the error\nlogs:\n\n[CRTC:39:crtc-2] vblank wait timed out\nWARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260\n\nAdd fdcc clock to LCDIF and HDMI TX power domains to fix the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35942" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35943", + "dataSource": "https://ubuntu.com/security/CVE-2024-35943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35943", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04f23510daa40f9010fadf309507564a34ad956f", + "https://git.kernel.org/stable/c/5d7f58ee08434a33340f75ac7ac5071eea9673b3", + "https://git.kernel.org/stable/c/ce666cecc09c0f92d5f86d89d8068ecfcf723a7e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35943" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35944", + "dataSource": "https://ubuntu.com/security/CVE-2024-35944", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35944" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35944", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35944", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74", + "https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec", + "https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f", + "https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100", + "https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73", + "https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051", + "https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b", + "https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()\n\nSyzkaller hit 'WARNING in dg_dispatch_as_host' bug.\n\nmemcpy: detected field-spanning write (size 56) of single field \"&dg_info->msg\"\nat drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)\n\nWARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237\ndg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237\n\nSome code commentry, based on my understanding:\n\n544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)\n/// This is 24 + payload_size\n\nmemcpy(&dg_info->msg, dg, dg_size);\n\tDestination = dg_info->msg ---> this is a 24 byte\n\t\t\t\t\tstructure(struct vmci_datagram)\n\tSource = dg --> this is a 24 byte structure (struct vmci_datagram)\n\tSize = dg_size = 24 + payload_size\n\n{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.\n\n 35 struct delayed_datagram_info {\n 36 struct datagram_entry *entry;\n 37 struct work_struct work;\n 38 bool in_dg_host_queue;\n 39 /* msg and msg_payload must be together. */\n 40 struct vmci_datagram msg;\n 41 u8 msg_payload[];\n 42 };\n\nSo those extra bytes of payload are copied into msg_payload[], a run time\nwarning is seen while fuzzing with Syzkaller.\n\nOne possible way to fix the warning is to split the memcpy() into\ntwo parts -- one -- direct assignment of msg and second taking care of payload.\n\nGustavo quoted:\n\"Under FORTIFY_SOURCE we should not copy data across multiple members\nin a structure.\"", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35944" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35945", + "dataSource": "https://ubuntu.com/security/CVE-2024-35945", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35945" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35945", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35945", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3419ee39e3d3162ab2ec9942bb537613ed5b6311", + "https://git.kernel.org/stable/c/61c81872815f46006982bb80460c0c80a949b35b", + "https://git.kernel.org/stable/c/7a71f61ebf95cedd3f245db6da397822971d8db5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: phy_device: Prevent nullptr exceptions on ISR\n\nIf phydev->irq is set unconditionally, check\nfor valid interrupt handler or fall back to polling mode to prevent\nnullptr exceptions in interrupt service routine.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35945" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35946", + "dataSource": "https://ubuntu.com/security/CVE-2024-35946", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35946" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35946", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35946", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4f11c741908dab7dd48fa5a986b210d4fc74ca8d", + "https://git.kernel.org/stable/c/7e11a2966f51695c0af0b1f976a32d64dee243b2", + "https://git.kernel.org/stable/c/b34d64e9aa5505e3c84570aed5c757f1839573e8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix null pointer access when abort scan\n\nDuring cancel scan we might use vif that weren't scanning.\nFix this by using the actual scanning vif.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35946" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35947", + "dataSource": "https://ubuntu.com/security/CVE-2024-35947", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35947" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35947", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35947", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c", + "https://git.kernel.org/stable/c/343081c21e56bd6690d342e2f5ae8c00183bf081", + "https://git.kernel.org/stable/c/3c718bddddca9cbef177ac475b94c5c91147fb38", + "https://git.kernel.org/stable/c/41d8ac238ab1cab01a8c71798d61903304f4e79b", + "https://git.kernel.org/stable/c/529e1852785599160415e964ca322ee7add7aef0", + "https://git.kernel.org/stable/c/a66c869b17c4c4dcf81d273b02cb0efe88e127ab", + "https://git.kernel.org/stable/c/a69e1bdd777ce51061111dc419801e8a2fd241cc", + "https://git.kernel.org/stable/c/ba3c118cff7bcb0fe6aa84ae1f9080d50e31c561", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndyndbg: fix old BUG_ON in >control parser\n\nFix a BUG_ON from 2009. Even if it looks \"unreachable\" (I didn't\nreally look), lets make sure by removing it, doing pr_err and return\n-EINVAL instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-35947" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35948", + "dataSource": "https://ubuntu.com/security/CVE-2024-35948", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35948" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35948", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35948", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/fcdbc1d7a4b638e5d5668de461f320386f3002aa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: Check for journal entries overruning end of sb clean section\n\nFix a missing bounds check in superblock validation.\n\nNote that we don't yet have repair code for this case - repair code for\nindividual items is generally low priority, since the whole superblock\nis checksummed, validated prior to write, and we have backups.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.4, + "exploitabilityScore": 2.5, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35948" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35949", + "dataSource": "https://ubuntu.com/security/CVE-2024-35949", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35949" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35949", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35949", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273", + "https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make sure that WRITTEN is set on all metadata blocks\n\nWe previously would call btrfs_check_leaf() if we had the check\nintegrity code enabled, which meant that we could only run the extended\nleaf checks if we had WRITTEN set on the header flags.\n\nThis leaves a gap in our checking, because we could end up with\ncorruption on disk where WRITTEN isn't set on the leaf, and then the\nextended leaf checks don't get run which we rely on to validate all of\nthe item pointers to make sure we don't access memory outside of the\nextent buffer.\n\nHowever, since 732fab95abe2 (\"btrfs: check-integrity: remove\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\") we no longer call\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\never call it on blocks that are being written out, and thus have WRITTEN\nset, or that are being read in, which should have WRITTEN set.\n\nAdd checks to make sure we have WRITTEN set appropriately, and then make\nsure __btrfs_check_leaf() always does the item checking. This will\nprotect us from file systems that have been corrupted and no longer have\nWRITTEN set on some of the blocks.\n\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\nKASAN as out-of-bound access in the eb accessors. The example is a dir\nitem at the end of an eb.\n\n [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\n [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\n [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\n [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\n [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\n [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\n [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\n [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\n [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\n [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\n [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\n [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\n [2.621] Call Trace:\n [2.621] \n [2.621] ? show_regs+0x74/0x80\n [2.621] ? die_addr+0x46/0xc0\n [2.621] ? exc_general_protection+0x161/0x2a0\n [2.621] ? asm_exc_general_protection+0x26/0x30\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? btrfs_get_16+0x34b/0x6d0\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? __pfx_btrfs_get_16+0x10/0x10\n [2.621] ? __pfx_mutex_unlock+0x10/0x10\n [2.621] btrfs_match_dir_item_name+0x101/0x1a0\n [2.621] btrfs_lookup_dir_item+0x1f3/0x280\n [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10\n [2.621] btrfs_get_tree+0xd25/0x1910\n\n[ copy more details from report ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35949" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35950", + "dataSource": "https://ubuntu.com/security/CVE-2024-35950", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35950" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35950", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35950", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04e018bd913d3d3336ab7d21c2ad31a9175fe984", + "https://git.kernel.org/stable/c/18c8cc6680ce938d0458859b6a08b4d34f7d8055", + "https://git.kernel.org/stable/c/3eadd887dbac1df8f25f701e5d404d1b90fd0fea", + "https://git.kernel.org/stable/c/41586487769eede64ab1aa6c65c74cbf76c12ef0", + "https://git.kernel.org/stable/c/5a2f957e3c4553bbb100504a1acfeaeb33f4ca4e", + "https://git.kernel.org/stable/c/8ceb873d816786a7c8058f50d903574aff8d3764", + "https://git.kernel.org/stable/c/d2dc6600d4e3e1453e3b1fb233e9f97e2a1ae949", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\n\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it the elements may already be pointing to\nfreed/reused memory.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35950" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35951", + "dataSource": "https://ubuntu.com/security/CVE-2024-35951", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35951" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35951", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35951", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/1fc9af813b25e146d3607669247d0f970f5a87c3", + "https://git.kernel.org/stable/c/31806711e8a4b75e09b1c43652f2a6420e6e1002", + "https://git.kernel.org/stable/c/e18070c622c63f0cab170348e320454728c277aa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\n\nSubject: [PATCH] drm/panfrost: Fix the error path in\n panfrost_mmu_map_fault_addr()\n\nIf some the pages or sgt allocation failed, we shouldn't release the\npages ref we got earlier, otherwise we will end up with unbalanced\nget/put_pages() calls. We should instead leave everything in place\nand let the BO release function deal with extra cleanup when the object\nis destroyed, or let the fault handler try again next time it's called.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35951" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35955", + "dataSource": "https://ubuntu.com/security/CVE-2024-35955", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35955" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35955", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35955", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e", + "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8", + "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0", + "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d", + "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808", + "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412", + "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33", + "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\n\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35955" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35956", + "dataSource": "https://ubuntu.com/security/CVE-2024-35956", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35956" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35956", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35956", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9", + "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c", + "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\n\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\n\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\n\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n\n1. any failure before record_root_in_trans is called successfully\n results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n transaction owns freeing the reservation.\n\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35956" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35958", + "dataSource": "https://ubuntu.com/security/CVE-2024-35958", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35958" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35958", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35958", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1", + "https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7", + "https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0", + "https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde", + "https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d", + "https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Fix incorrect descriptor free behavior\n\nENA has two types of TX queues:\n- queues which only process TX packets arriving from the network stack\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\n or XDP_TX instructions\n\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\nand unmaps + frees every descriptor that hasn't been acknowledged yet\nby the device (uncompleted TX transactions).\nThe function assumes that the processed TX queue is necessarily from\nthe first category listed above and ends up using napi_consume_skb()\nfor descriptors belonging to an XDP specific queue.\n\nThis patch solves a bug in which, in case of a VF reset, the\ndescriptors aren't freed correctly, leading to crashes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35958" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35959", + "dataSource": "https://ubuntu.com/security/CVE-2024-35959", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35959" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35959", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35959", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7", + "https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76", + "https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519", + "https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\n\nWhen mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which\ncalls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using\nlockdep_is_held().\n\nAcquire the state_lock in mlx5e_selq_cleanup().\n\nKernel log:\n=============================\nWARNING: suspicious RCU usage\n6.8.0-rc3_net_next_841a9b5 #1 Not tainted\n-----------------------------\ndrivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by systemd-modules/293:\n #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]\n #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]\n\nstack backtrace:\nCPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x8a/0xa0\n lockdep_rcu_suspicious+0x154/0x1a0\n mlx5e_selq_apply+0x94/0xa0 [mlx5_core]\n mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]\n mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]\n mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]\n rdma_init_netdev+0x4e/0x80 [ib_core]\n ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]\n ipoib_intf_init+0x64/0x550 [ib_ipoib]\n ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]\n ipoib_add_one+0xb0/0x360 [ib_ipoib]\n add_client_context+0x112/0x1c0 [ib_core]\n ib_register_client+0x166/0x1b0 [ib_core]\n ? 0xffffffffa0573000\n ipoib_init_module+0xeb/0x1a0 [ib_ipoib]\n do_one_initcall+0x61/0x250\n do_init_module+0x8a/0x270\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x17d/0x230\n __x64_sys_finit_module+0x61/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35959" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35960", + "dataSource": "https://ubuntu.com/security/CVE-2024-35960", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35960" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35960", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35960", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423", + "https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f", + "https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801", + "https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0", + "https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64", + "https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453", + "https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d", + "https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Properly link new fs rules into the tree\n\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\n\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node->parent is != NULL.\n\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which lead to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\n\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "metrics": { + "baseScore": 9.1, + "exploitabilityScore": 3.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35960" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35965", + "dataSource": "https://ubuntu.com/security/CVE-2024-35965", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35965" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35965", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35965", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4f3951242ace5efc7131932e2e01e6ac6baed846", + "https://git.kernel.org/stable/c/8ee0c132a61df9723813c40e742dc5321824daa9", + "https://git.kernel.org/stable/c/9d42f373391211c7c8af66a3a316533a32b8a607" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix not validating setsockopt user input\n\nCheck user input length before copying data.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35965" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35966", + "dataSource": "https://ubuntu.com/security/CVE-2024-35966", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35966" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35966", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35966", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4ea65e2095e9bd151d0469328dd7fc2858feb546", + "https://git.kernel.org/stable/c/a97de7bff13b1cc825c1b1344eaed8d6c2d3e695", + "https://git.kernel.org/stable/c/c3f787a3eafe519c93df9abbb0ca5145861c8d0f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: Fix not validating setsockopt user input\n\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\nnet/bluetooth/rfcomm/sock.c:632 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\nnet/bluetooth/rfcomm/sock.c:673\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35966" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35967", + "dataSource": "https://ubuntu.com/security/CVE-2024-35967", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35967" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35967", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35967", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/419a0ffca7010216f0fc265b08558d7394fa0ba7", + "https://git.kernel.org/stable/c/51eda36d33e43201e7a4fd35232e069b2c850b01", + "https://git.kernel.org/stable/c/72473db90900da970a16ee50ad23c2c38d107d8c", + "https://git.kernel.org/stable/c/7bc65d23ba20dcd7ecc094a12c181e594e5eb315", + "https://git.kernel.org/stable/c/b0e30c37695b614bee69187f86eaf250e36606ce", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix not validating setsockopt user input\n\nsyzbot reported sco_sock_setsockopt() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\nnet/bluetooth/sco.c:893\nRead of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35967" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35969", + "dataSource": "https://ubuntu.com/security/CVE-2024-35969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35969" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35969", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652", + "https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70", + "https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb", + "https://git.kernel.org/stable/c/6cdb20c342cd0193d3e956e3d83981d0f438bb83", + "https://git.kernel.org/stable/c/7633c4da919ad51164acbf1aa322cc1a3ead6129", + "https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1", + "https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903", + "https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\n\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\n\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\n\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\n\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n reference count drops to zero and kfree_rcu is scheduled.\n\n3. ipv6_get_ifaddr continues and tries to increments the reference count\n (in6_ifa_hold).\n\n4. The rcu is unlocked and the entry is freed.\n\n5. The freed entry is returned.\n\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\n\n[ 41.506330] refcount_t: addition on 0; use-after-free.\n[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[ 41.507413] Modules linked in: veth bridge stp llc\n[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 41.516799] Call Trace:\n[ 41.517037] \n[ 41.517249] ? __warn+0x7b/0x120\n[ 41.517535] ? refcount_warn_saturate+0xa5/0x130\n[ 41.517923] ? report_bug+0x164/0x190\n[ 41.518240] ? handle_bug+0x3d/0x70\n[ 41.518541] ? exc_invalid_op+0x17/0x70\n[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20\n[ 41.521325] ? refcount_warn_saturate+0xa5/0x130\n[ 41.521708] ipv6_get_ifaddr+0xda/0xe0\n[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0\n[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0\n[ 41.523102] ? netlink_unicast+0x30f/0x390\n[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 41.523832] netlink_rcv_skb+0x53/0x100\n[ 41.524157] netlink_unicast+0x23b/0x390\n[ 41.524484] netlink_sendmsg+0x1f2/0x440\n[ 41.524826] __sys_sendto+0x1d8/0x1f0\n[ 41.525145] __x64_sys_sendto+0x1f/0x30\n[ 41.525467] do_syscall_64+0xa5/0x1b0\n[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[ 41.526213] RIP: 0033:0x7fbc4cfcea9a\n[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[ 41.527942] RSP: 002b:00007f\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35969" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35970", + "dataSource": "https://ubuntu.com/security/CVE-2024-35970", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35970" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35970", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35970", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/601a89ea24d05089debfa2dc896ea9f5937ac7a6", + "https://git.kernel.org/stable/c/698a95ade1a00e6494482046902b986dfffd1caf", + "https://git.kernel.org/stable/c/84a352b7eba1142a95441380058985ff19f25ec9", + "https://git.kernel.org/stable/c/b46f4eaa4f0ec38909fb0072eea3aeddb32f954e", + "https://git.kernel.org/stable/c/b4bc99d04c689b5652665394ae8d3e02fb754153" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Clear stale u->oob_skb.\n\nsyzkaller started to report deadlock of unix_gc_lock after commit\n4090fa373f0e (\"af_unix: Replace garbage collection algorithm.\"), but\nit just uncovers the bug that has been there since commit 314001f0bf92\n(\"af_unix: Add OOB support\").\n\nThe repro basically does the following.\n\n from socket import *\n from array import array\n\n c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)\n c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array(\"i\", [c2.fileno()]))], MSG_OOB)\n c2.recv(1) # blocked as no normal data in recv queue\n\n c2.close() # done async and unblock recv()\n c1.close() # done async and trigger GC\n\nA socket sends its file descriptor to itself as OOB data and tries to\nreceive normal data, but finally recv() fails due to async close().\n\nThe problem here is wrong handling of OOB skb in manage_oob(). When\nrecvmsg() is called without MSG_OOB, manage_oob() is called to check\nif the peeked skb is OOB skb. In such a case, manage_oob() pops it\nout of the receive queue but does not clear unix_sock(sk)->oob_skb.\nThis is wrong in terms of uAPI.\n\nLet's say we send \"hello\" with MSG_OOB, and \"world\" without MSG_OOB.\nThe 'o' is handled as OOB data. When recv() is called twice without\nMSG_OOB, the OOB data should be lost.\n\n >>> from socket import *\n >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0)\n >>> c1.send(b'hello', MSG_OOB) # 'o' is OOB data\n 5\n >>> c1.send(b'world')\n 5\n >>> c2.recv(5) # OOB data is not received\n b'hell'\n >>> c2.recv(5) # OOB date is skipped\n b'world'\n >>> c2.recv(5, MSG_OOB) # This should return an error\n b'o'\n\nIn the same situation, TCP actually returns -EINVAL for the last\nrecv().\n\nAlso, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always set\nEPOLLPRI even though the data has passed through by previous recv().\n\nTo avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing\nit from recv queue.\n\nThe reason why the old GC did not trigger the deadlock is because the\nold GC relied on the receive queue to detect the loop.\n\nWhen it is triggered, the socket with OOB data is marked as GC candidate\nbecause file refcount == inflight count (1). However, after traversing\nall inflight sockets, the socket still has a positive inflight count (1),\nthus the socket is excluded from candidates. Then, the old GC lose the\nchance to garbage-collect the socket.\n\nWith the old GC, the repro continues to create true garbage that will\nnever be freed nor detected by kmemleak as it's linked to the global\ninflight list. That's why we couldn't even notice the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35970" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35971", + "dataSource": "https://ubuntu.com/security/CVE-2024-35971", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35971" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35971", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35971", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540", + "https://git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b", + "https://git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f", + "https://git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Handle softirqs at the end of IRQ thread to fix hang\n\nThe ks8851_irq() thread may call ks8851_rx_pkts() in case there are\nany packets in the MAC FIFO, which calls netif_rx(). This netif_rx()\nimplementation is guarded by local_bh_disable() and local_bh_enable().\nThe local_bh_enable() may call do_softirq() to run softirqs in case\nany are pending. One of the softirqs is net_rx_action, which ultimately\nreaches the driver .start_xmit callback. If that happens, the system\nhangs. The entire call chain is below:\n\nks8851_start_xmit_par from netdev_start_xmit\nnetdev_start_xmit from dev_hard_start_xmit\ndev_hard_start_xmit from sch_direct_xmit\nsch_direct_xmit from __dev_queue_xmit\n__dev_queue_xmit from __neigh_update\n__neigh_update from neigh_update\nneigh_update from arp_process.constprop.0\narp_process.constprop.0 from __netif_receive_skb_one_core\n__netif_receive_skb_one_core from process_backlog\nprocess_backlog from __napi_poll.constprop.0\n__napi_poll.constprop.0 from net_rx_action\nnet_rx_action from __do_softirq\n__do_softirq from call_with_stack\ncall_with_stack from do_softirq\ndo_softirq from __local_bh_enable_ip\n__local_bh_enable_ip from netif_rx\nnetif_rx from ks8851_irq\nks8851_irq from irq_thread_fn\nirq_thread_fn from irq_thread\nirq_thread from kthread\nkthread from ret_from_fork\n\nThe hang happens because ks8851_irq() first locks a spinlock in\nks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)\nand with that spinlock locked, calls netif_rx(). Once the execution\nreaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again\nwhich attempts to claim the already locked spinlock again, and the\nhang happens.\n\nMove the do_softirq() call outside of the spinlock protected section\nof ks8851_irq() by disabling BHs around the entire spinlock protected\nsection of ks8851_irq() handler. Place local_bh_enable() outside of\nthe spinlock protected section, so that it can trigger do_softirq()\nwithout the ks8851_par.c ks8851_lock_par() spinlock being held, and\nsafely call ks8851_start_xmit_par() without attempting to lock the\nalready locked spinlock.\n\nSince ks8851_irq() is protected by local_bh_disable()/local_bh_enable()\nnow, replace netif_rx() with __netif_rx() which is not duplicating the\nlocal_bh_disable()/local_bh_enable() calls.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35971" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35973", + "dataSource": "https://ubuntu.com/security/CVE-2024-35973", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35973" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35973", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35973", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915", + "https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e", + "https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852", + "https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79", + "https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536", + "https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670", + "https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c", + "https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n packet_snd net/packet/af_packet.c:3024 [inline]\n packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35973" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35976", + "dataSource": "https://ubuntu.com/security/CVE-2024-35976", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35976" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35976", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35976", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0b45c25d60e38f5c2cb6823f886773a34323306d", + "https://git.kernel.org/stable/c/237f3cf13b20db183d3706d997eedc3c49eacd44", + "https://git.kernel.org/stable/c/2a523f14a3f53b46ff0e1fafd215b0bc5f6783aa", + "https://git.kernel.org/stable/c/2eb979fbb2479bcd7e049f2f9978b6590dd8a0e6", + "https://git.kernel.org/stable/c/a82984b3c6a7e8c7937dba6e857ddf829d149417", + "https://git.kernel.org/stable/c/b143e19dc28c3211f050f7848d87d9b0a170e10c", + "https://git.kernel.org/stable/c/beb99266830520e15fbc6ca8cc5a5240d76851fd", + "https://git.kernel.org/stable/c/f0a068de65d5b7358e9aff792716afa9333f3922" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\n\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\n\nMake sure to validate setsockopt() @optlen parameter.\n\n[1]\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\n\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n \n\nAllocated by task 7549:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:3966 [inline]\n __kmalloc+0x233/0x4a0 mm/slub.c:3979\n kmalloc include/linux/slab.h:632 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\n\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n set_page_owner include/linux/page_owner.h:31 [inline]\n post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n prep_new_page mm/page_alloc.c:\n---truncated---", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "metrics": { + "baseScore": 6.7, + "exploitabilityScore": 1.4, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35976" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35978", + "dataSource": "https://ubuntu.com/security/CVE-2024-35978", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35978" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35978", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35978", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810", + "https://git.kernel.org/stable/c/4beab84fbb50df3be1d8f8a976e6fe882ca65cb2", + "https://git.kernel.org/stable/c/66fab1e120b39f8f47a94186ddee36006fc02ca8", + "https://git.kernel.org/stable/c/75193678cce993aa959e7764b6df2f599886dd06", + "https://git.kernel.org/stable/c/8478394f76c748862ef179a16f651f752bdafaf0", + "https://git.kernel.org/stable/c/89a32741f4217856066c198a4a7267bcdd1edd67", + "https://git.kernel.org/stable/c/9ab5e44b9bac946bd49fd63264a08cd1ea494e76", + "https://git.kernel.org/stable/c/e4cb8382fff6706436b66eafd9c0ee857ff0a9f5", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix memory leak in hci_req_sync_complete()\n\nIn 'hci_req_sync_complete()', always free the previous sync\nrequest state before assigning reference to a new one.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35978" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35979", + "dataSource": "https://ubuntu.com/security/CVE-2024-35979", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35979" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35979", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35979", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3f28d49a328fe20926995d5fbdc92da665596268", + "https://git.kernel.org/stable/c/f423f41b7679c09abb26d2bd54be5cbef23c9446", + "https://git.kernel.org/stable/c/fcf3f7e2fc8a53a6140beee46ec782a4c88e4744" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nraid1: fix use-after-free for original bio in raid1_write_request()\n\nr1_bio->bios[] is used to record new bios that will be issued to\nunderlying disks, however, in raid1_write_request(), r1_bio->bios[]\nwill set to the original bio temporarily. Meanwhile, if blocked rdev\nis set, free_r1bio() will be called causing that all r1_bio->bios[]\nto be freed:\n\nraid1_write_request()\n r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL\n for (i = 0; i < disks; i++) -> for each rdev in conf\n // first rdev is normal\n r1_bio->bios[0] = bio; -> set to original bio\n // second rdev is blocked\n if (test_bit(Blocked, &rdev->flags))\n break\n\n if (blocked_rdev)\n free_r1bio()\n put_all_bios()\n bio_put(r1_bio->bios[0]) -> original bio is freed\n\nTest scripts:\n\nmdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean\nfio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \\\n -iodepth=128 -name=test -direct=1\necho blocked > /sys/block/md0/md/rd2/state\n\nTest result:\n\nBUG bio-264 (Not tainted): Object already free\n-----------------------------------------------------------------------------\n\nAllocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869\n kmem_cache_alloc+0x324/0x480\n mempool_alloc_slab+0x24/0x50\n mempool_alloc+0x6e/0x220\n bio_alloc_bioset+0x1af/0x4d0\n blkdev_direct_IO+0x164/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n io_submit_one+0x5ca/0xb70\n __do_sys_io_submit+0x86/0x270\n __x64_sys_io_submit+0x22/0x30\n do_syscall_64+0xb1/0x210\n entry_SYSCALL_64_after_hwframe+0x6c/0x74\nFreed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869\n kmem_cache_free+0x28c/0x550\n mempool_free_slab+0x1f/0x30\n mempool_free+0x40/0x100\n bio_free+0x59/0x80\n bio_put+0xf0/0x220\n free_r1bio+0x74/0xb0\n raid1_make_request+0xadf/0x1150\n md_handle_request+0xc7/0x3b0\n md_submit_bio+0x76/0x130\n __submit_bio+0xd8/0x1d0\n submit_bio_noacct_nocheck+0x1eb/0x5c0\n submit_bio_noacct+0x169/0xd40\n submit_bio+0xee/0x1d0\n blkdev_direct_IO+0x322/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n\nSince that bios for underlying disks are not allocated yet, fix this\nproblem by using mempool_free() directly to free the r1_bio.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35979" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35982", + "dataSource": "https://ubuntu.com/security/CVE-2024-35982", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35982" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35982", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35982", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/04720ea2e6c64459a90ca28570ea78335eccd924", + "https://git.kernel.org/stable/c/3fe79b2c83461edbbf86ed8a6f3924820ff89259", + "https://git.kernel.org/stable/c/4ca2a5fb54ea2cc43edea614207fcede562d91c2", + "https://git.kernel.org/stable/c/70a8be9dc2fb65d67f8c1e0c88c587e08e2e575d", + "https://git.kernel.org/stable/c/87b6af1a7683e021710c08fc0551fc078346032f", + "https://git.kernel.org/stable/c/b1f532a3b1e6d2e5559c7ace49322922637a28aa", + "https://git.kernel.org/stable/c/b3ddf6904073990492454b1dd1c10a24be8c74c6", + "https://git.kernel.org/stable/c/ca54e2671548616ad34885f90d4f26f7adb088f0", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Avoid infinite loop trying to resize local TT\n\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\n\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\n\n batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\n\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\n\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\n\nWhile this should be handled proactively when:\n\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n attached interfaces)\n\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.1, + "exploitabilityScore": 1.4, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35982" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35984", + "dataSource": "https://ubuntu.com/security/CVE-2024-35984", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35984" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35984", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35984", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/357c64ef1ef39b1e7cd91ab6bdd304d043702c83", + "https://git.kernel.org/stable/c/40f1d79f07b49c8a64a861706e5163f2db4bd95d", + "https://git.kernel.org/stable/c/4e75e222d397c6752b229ed72fc4644c8c36ecde", + "https://git.kernel.org/stable/c/5a09eae9a7db597fe0c1fc91636205b4a25d2620", + "https://git.kernel.org/stable/c/5fd72404587d7db4acb2d241fd8c387afb0a7aec", + "https://git.kernel.org/stable/c/91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f", + "https://git.kernel.org/stable/c/ad3c3ac7a03be3697114f781193dd3e9d97e6e23", + "https://git.kernel.org/stable/c/e3425674ff68dc521c57c6eabad0cbd20a027d85", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: smbus: fix NULL function pointer dereference\n\nBaruch reported an OOPS when using the designware controller as target\nonly. Target-only modes break the assumption of one transfer function\nalways being available. Fix this by always checking the pointer in\n__i2c_transfer.\n\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35984" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35988", + "dataSource": "https://ubuntu.com/security/CVE-2024-35988", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35988" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35988", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35988", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04bf2e5f95c1a52e28a7567a507f926efe31c3b6", + "https://git.kernel.org/stable/c/4201b8c8f2c32af321fb50867e68ac6c1cbed4be", + "https://git.kernel.org/stable/c/52e8a42b11078d2aad4b9ba96503d77c7299168b", + "https://git.kernel.org/stable/c/6065e736f82c817c9a597a31ee67f0ce4628e948", + "https://git.kernel.org/stable/c/a0f0dbbb1bc49fa0de18e92c36492ff6d804cdaa", + "https://git.kernel.org/stable/c/efdcfa554b6eb228943ef1dd4d023c606be647d2", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix TASK_SIZE on 64-bit NOMMU\n\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35988" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35989", + "dataSource": "https://ubuntu.com/security/CVE-2024-35989", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35989" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35989", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35989", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/023b6390a15a98f9c3aa5e7da78d485d5384a08e", + "https://git.kernel.org/stable/c/47533176fdcef17b114a6f688bc872901c1ec6bb", + "https://git.kernel.org/stable/c/9edd3aa34d50f27b97be30b2ba4a6af0945ff56b", + "https://git.kernel.org/stable/c/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be", + "https://git.kernel.org/stable/c/f976eca36cdf94e32fa4f865db0e7c427c9aa33c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\n\nDuring the removal of the idxd driver, registered offline callback is\ninvoked as part of the clean up process. However, on systems with only\none CPU online, no valid target is available to migrate the\nperf context, resulting in a kernel oops:\n\n BUG: unable to handle page fault for address: 000000000002a2b8\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1470e1067 P4D 0\n Oops: 0002 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\n Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n RIP: 0010:mutex_lock+0x2e/0x50\n ...\n Call Trace:\n \n __die+0x24/0x70\n page_fault_oops+0x82/0x160\n do_user_addr_fault+0x65/0x6b0\n __pfx___rdmsr_safe_on_cpu+0x10/0x10\n exc_page_fault+0x7d/0x170\n asm_exc_page_fault+0x26/0x30\n mutex_lock+0x2e/0x50\n mutex_lock+0x1e/0x50\n perf_pmu_migrate_context+0x87/0x1f0\n perf_event_cpu_offline+0x76/0x90 [idxd]\n cpuhp_invoke_callback+0xa2/0x4f0\n __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\n cpuhp_thread_fun+0x98/0x150\n smpboot_thread_fn+0x27/0x260\n smpboot_thread_fn+0x1af/0x260\n __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0x103/0x140\n __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nFix the issue by preventing the migration of the perf context to an\ninvalid target.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35989" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35990", + "dataSource": "https://ubuntu.com/security/CVE-2024-35990", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35990" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35990", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35990", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0ccac964520a6f19e355652c8ca38af2a7f27076", + "https://git.kernel.org/stable/c/244296cc3a155199a8b080d19e645d7d49081a38", + "https://git.kernel.org/stable/c/8bf574183282d219cfa991f7df37aad491d74c11", + "https://git.kernel.org/stable/c/8e3c94767cad5150198e4337c8b91f3bb068e14b", + "https://git.kernel.org/stable/c/c660be571609e03e7d5972343536a736fcb31557", + "https://git.kernel.org/stable/c/fcdd5bb4a8c81c64c1334d7e0aba41a8829a24de", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: xilinx_dpdma: Fix locking\n\nThere are several places where either chan->lock or chan->vchan.lock was\nnot held. Add appropriate locking. This fixes lockdep warnings like\n\n[ 31.077578] ------------[ cut here ]------------\n[ 31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.077953] Modules linked in:\n[ 31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98\n[ 31.078102] Hardware name: xlnx,zynqmp (DT)\n[ 31.078169] Workqueue: events_unbound deferred_probe_work_func\n[ 31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0\n[ 31.078550] sp : ffffffc083bb2e10\n[ 31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168\n[ 31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480\n[ 31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000\n[ 31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000\n[ 31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001\n[ 31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def\n[ 31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516\n[ 31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff\n[ 31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000\n[ 31.080307] Call trace:\n[ 31.080340] xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.080518] xilinx_dpdma_issue_pending+0x11c/0x120\n[ 31.080595] zynqmp_disp_layer_update+0x180/0x3ac\n[ 31.080712] zynqmp_dpsub_plane_atomic_update+0x11c/0x21c\n[ 31.080825] drm_atomic_helper_commit_planes+0x20c/0x684\n[ 31.080951] drm_atomic_helper_commit_tail+0x5c/0xb0\n[ 31.081139] commit_tail+0x234/0x294\n[ 31.081246] drm_atomic_helper_commit+0x1f8/0x210\n[ 31.081363] drm_atomic_commit+0x100/0x140\n[ 31.081477] drm_client_modeset_commit_atomic+0x318/0x384\n[ 31.081634] drm_client_modeset_commit_locked+0x8c/0x24c\n[ 31.081725] drm_client_modeset_commit+0x34/0x5c\n[ 31.081812] __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168\n[ 31.081899] drm_fb_helper_set_par+0x50/0x70\n[ 31.081971] fbcon_init+0x538/0xc48\n[ 31.082047] visual_init+0x16c/0x23c\n[ 31.082207] do_bind_con_driver.isra.0+0x2d0/0x634\n[ 31.082320] do_take_over_console+0x24c/0x33c\n[ 31.082429] do_fbcon_takeover+0xbc/0x1b0\n[ 31.082503] fbcon_fb_registered+0x2d0/0x34c\n[ 31.082663] register_framebuffer+0x27c/0x38c\n[ 31.082767] __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c\n[ 31.082939] drm_fb_helper_initial_config+0x50/0x74\n[ 31.083012] drm_fbdev_dma_client_hotplug+0xb8/0x108\n[ 31.083115] drm_client_register+0xa0/0xf4\n[ 31.083195] drm_fbdev_dma_setup+0xb0/0x1cc\n[ 31.083293] zynqmp_dpsub_drm_init+0x45c/0x4e0\n[ 31.083431] zynqmp_dpsub_probe+0x444/0x5e0\n[ 31.083616] platform_probe+0x8c/0x13c\n[ 31.083713] really_probe+0x258/0x59c\n[ 31.083793] __driver_probe_device+0xc4/0x224\n[ 31.083878] driver_probe_device+0x70/0x1c0\n[ 31.083961] __device_attach_driver+0x108/0x1e0\n[ 31.084052] bus_for_each_drv+0x9c/0x100\n[ 31.084125] __device_attach+0x100/0x298\n[ 31.084207] device_initial_probe+0x14/0x20\n[ 31.084292] bus_probe_device+0xd8/0xdc\n[ 31.084368] deferred_probe_work_func+0x11c/0x180\n[ 31.084451] process_one_work+0x3ac/0x988\n[ 31.084643] worker_thread+0x398/0x694\n[ 31.084752] kthread+0x1bc/0x1c0\n[ 31.084848] ret_from_fork+0x10/0x20\n[ 31.084932] irq event stamp: 64549\n[ 31.084970] hardirqs last enabled at (64548): [] _raw_spin_unlock_irqrestore+0x80/0x90\n[ 31.085157]\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35990" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35995", + "dataSource": "https://ubuntu.com/security/CVE-2024-35995", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35995" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35995", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35995", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01fc53be672acae37e611c80cc0b4f3939584de3", + "https://git.kernel.org/stable/c/1b890ae474d19800a6be1696df7fb4d9a41676e4", + "https://git.kernel.org/stable/c/2f4a4d63a193be6fd530d180bb13c3592052904c", + "https://git.kernel.org/stable/c/4949affd5288b867cdf115f5b08d6166b2027f87", + "https://git.kernel.org/stable/c/6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1", + "https://git.kernel.org/stable/c/6dfd79ed04c578f1d9a9a41ba5b2015cf9f03fc3", + "https://git.kernel.org/stable/c/b54c4632946ae42f2b39ed38abd909bbf78cbcc2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Use access_width over bit_width for system memory accesses\n\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\ncannot be depended on to be always on a clean 8b boundary. This was\nuncovered on the Cobalt 100 platform.\n\nSError Interrupt on CPU26, code 0xbe000011 -- SError\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n pc : cppc_get_perf_caps+0xec/0x410\n lr : cppc_get_perf_caps+0xe8/0x410\n sp : ffff8000155ab730\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\n Kernel panic - not syncing: Asynchronous SError Interrupt\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\n5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n Call trace:\n dump_backtrace+0x0/0x1e0\n show_stack+0x24/0x30\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n panic+0x16c/0x384\n add_taint+0x0/0xc0\n arm64_serror_panic+0x7c/0x90\n arm64_is_fatal_ras_serror+0x34/0xa4\n do_serror+0x50/0x6c\n el1h_64_error_handler+0x40/0x74\n el1h_64_error+0x7c/0x80\n cppc_get_perf_caps+0xec/0x410\n cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\n cpufreq_online+0x2dc/0xa30\n cpufreq_add_dev+0xc0/0xd4\n subsys_interface_register+0x134/0x14c\n cpufreq_register_driver+0x1b0/0x354\n cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\n do_one_initcall+0x50/0x250\n do_init_module+0x60/0x27c\n load_module+0x2300/0x2570\n __do_sys_finit_module+0xa8/0x114\n __arm64_sys_finit_module+0x2c/0x3c\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x180/0x1a0\n do_el0_svc+0x84/0xa0\n el0_svc+0x2c/0xc0\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n\nInstead, use access_width to determine the size and use the offset and\nwidth to shift and mask the bits to read/write out. Make sure to add a\ncheck for system memory since pcc redefines the access_width to\nsubspace id.\n\nIf access_width is not set, then fall back to using bit_width.\n\n[ rjw: Subject and changelog edits, comment adjustments ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35995" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35997", + "dataSource": "https://ubuntu.com/security/CVE-2024-35997", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35997" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35997", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35997", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0561b65fbd53d3e788c5b0222d9112ca016fd6a1", + "https://git.kernel.org/stable/c/21bfca822cfc1e71796124e93b46e0d9fa584401", + "https://git.kernel.org/stable/c/29e94f295bad5be59cf4271a93e22cdcf5536722", + "https://git.kernel.org/stable/c/418c5575d56410c6e186ab727bf32ae32447d497", + "https://git.kernel.org/stable/c/5095b93021b899f54c9355bebf36d78854c33a22", + "https://git.kernel.org/stable/c/9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e", + "https://git.kernel.org/stable/c/b65fb50e04a95eec34a9d1bc138454a98a5578d8", + "https://git.kernel.org/stable/c/c448a9fd50f77e8fb9156ff64848aa4295eb3003", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\n\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\n\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\n\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\n\nDelete this unnecessary flag.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-35997" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35998", + "dataSource": "https://ubuntu.com/security/CVE-2024-35998", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35998" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35998", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35998", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/699f8958dece132709c0bff6a9700999a2a63b75", + "https://git.kernel.org/stable/c/8248224ab5b8ca7559b671917c224296a4d671fc", + "https://git.kernel.org/stable/c/8861fd5180476f45f9e8853db154600469a0284f", + "https://git.kernel.org/stable/c/c7a4bca289e50bb4b2650f845c41bb3e453f4c66" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix lock ordering potential deadlock in cifs_sync_mid_result\n\nCoverity spotted that the cifs_sync_mid_result function could deadlock\n\n\"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires\nlock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock\"\n\nAddresses-Coverity: 1590401 (\"Thread deadlock (ORDER_REVERSAL)\")", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35998" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-35999", + "dataSource": "https://ubuntu.com/security/CVE-2024-35999", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-35999" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-35999", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-35999", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0fcf7e219448e937681216353c9a58abae6d3c2e", + "https://git.kernel.org/stable/c/60ab245292280905603bc0d3654f4cf8fceccb00", + "https://git.kernel.org/stable/c/8094a600245e9b28eb36a13036f202ad67c1f887", + "https://git.kernel.org/stable/c/98c7ed29cd754ae7475dc7cb3f33399fda902729" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: missing lock when picking channel\n\nCoverity spotted a place where we should have been holding the\nchannel lock when accessing the ses channel index.\n\nAddresses-Coverity: 1582039 (\"Data race condition (MISSING_LOCK)\")", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-35999" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36000", + "dataSource": "https://ubuntu.com/security/CVE-2024-36000", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36000" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36000", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36000", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4c806333efea1000a2a9620926f560ad2e1ca7cc", + "https://git.kernel.org/stable/c/538faabf31e9c53d8c870d114846fda958a0de10", + "https://git.kernel.org/stable/c/b76b46902c2d0395488c8412e1116c2486cdfcb2", + "https://git.kernel.org/stable/c/f6c5d21db16a0910152ec8aa9d5a7aed72694505" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix missing hugetlb_lock for resv uncharge\n\nThere is a recent report on UFFDIO_COPY over hugetlb:\n\nhttps://lore.kernel.org/all/000000000000ee06de0616177560@google.com/\n\n350:\tlockdep_assert_held(&hugetlb_lock);\n\nShould be an issue in hugetlb but triggered in an userfault context, where\nit goes into the unlikely path where two threads modifying the resv map\ntogether. Mike has a fix in that path for resv uncharge but it looks like\nthe locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()\nwill update the cgroup pointer, so it requires to be called with the lock\nheld.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36000" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36003", + "dataSource": "https://ubuntu.com/security/CVE-2024-36003", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36003" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36003", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36003", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/740717774dc37338404d10726967d582414f638c", + "https://git.kernel.org/stable/c/96fdd1f6b4ed72a741fb0eb705c0e13049b8721f", + "https://git.kernel.org/stable/c/de8631d8c9df08440268630200e64b623a5f69e6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix LAG and VF lock dependency in ice_reset_vf()\n\n9f74a3dfcf83 (\"ice: Fix VF Reset paths when interface in a failed over\naggregate\"), the ice driver has acquired the LAG mutex in ice_reset_vf().\nThe commit placed this lock acquisition just prior to the acquisition of\nthe VF configuration lock.\n\nIf ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK\nflag, this could deadlock with ice_vc_cfg_qs_msg() because it always\nacquires the locks in the order of the VF configuration lock and then the\nLAG mutex.\n\nLockdep reports this violation almost immediately on creating and then\nremoving 2 VF:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-rc6 #54 Tainted: G W O\n------------------------------------------------------\nkworker/60:3/6771 is trying to acquire lock:\nff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice]\n\nbut task is already holding lock:\nff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&pf->lag_mutex){+.+.}-{3:3}:\n __lock_acquire+0x4f8/0xb40\n lock_acquire+0xd4/0x2d0\n __mutex_lock+0x9b/0xbf0\n ice_vc_cfg_qs_msg+0x45/0x690 [ice]\n ice_vc_process_vf_msg+0x4f5/0x870 [ice]\n __ice_clean_ctrlq+0x2b5/0x600 [ice]\n ice_service_task+0x2c9/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n kthread+0x104/0x140\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1b/0x30\n\n-> #0 (&vf->cfg_lock){+.+.}-{3:3}:\n check_prev_add+0xe2/0xc50\n validate_chain+0x558/0x800\n __lock_acquire+0x4f8/0xb40\n lock_acquire+0xd4/0x2d0\n __mutex_lock+0x9b/0xbf0\n ice_reset_vf+0x22f/0x4d0 [ice]\n ice_process_vflr_event+0x98/0xd0 [ice]\n ice_service_task+0x1cc/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n kthread+0x104/0x140\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1b/0x30\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n CPU0 CPU1\n ---- ----\n lock(&pf->lag_mutex);\n lock(&vf->cfg_lock);\n lock(&pf->lag_mutex);\n lock(&vf->cfg_lock);\n\n *** DEADLOCK ***\n4 locks held by kworker/60:3/6771:\n #0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n #1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n #2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice]\n #3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\n\nstack backtrace:\nCPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G W O 6.8.0-rc6 #54\nHardware name:\nWorkqueue: ice ice_service_task [ice]\nCall Trace:\n \n dump_stack_lvl+0x4a/0x80\n check_noncircular+0x12d/0x150\n check_prev_add+0xe2/0xc50\n ? save_trace+0x59/0x230\n ? add_chain_cache+0x109/0x450\n validate_chain+0x558/0x800\n __lock_acquire+0x4f8/0xb40\n ? lockdep_hardirqs_on+0x7d/0x100\n lock_acquire+0xd4/0x2d0\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? lock_is_held_type+0xc7/0x120\n __mutex_lock+0x9b/0xbf0\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? rcu_is_watching+0x11/0x50\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ice_reset_vf+0x22f/0x4d0 [ice]\n ? process_one_work+0x176/0x4d0\n ice_process_vflr_event+0x98/0xd0 [ice]\n ice_service_task+0x1cc/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x104/0x140\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nTo avoid deadlock, we must acquire the LAG \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36003" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36004", + "dataSource": "https://ubuntu.com/security/CVE-2024-36004", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36004" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36004", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36004", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c", + "https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939", + "https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e", + "https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c", + "https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd", + "https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0", + "https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22", + "https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nIssue reported by customer during SRIOV testing, call trace:\nWhen both i40e and the i40iw driver are loaded, a warning\nin check_flush_dependency is being triggered. This seems\nto be because of the i40e driver workqueue is allocated with\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\n\nSimilar error was encountered on ice too and it was fixed by\nremoving the flag. Do the same for i40e too.\n\n[Feb 9 09:08] ------------[ cut here ]------------\n[ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\nflushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\ncheck_flush_dependency+0x10b/0x120\n[ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\ndm_region_hash dm_log dm_mod fuse\n[ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\n[ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\n[ +0.000001] Workqueue: i40e i40e_service_task [i40e]\n[ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\n[ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\n[ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\n[ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\n0000000000000027\n[ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\nffff94d47f620bc0\n[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\n00000000ffff7fff\n[ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\nffff94c5451ea180\n[ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\nffff94c5f1330ab0\n[ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000)\nknlGS:0000000000000000\n[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\n00000000007706f0\n[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ +0.000001] PKRU: 55555554\n[ +0.000001] Call Trace:\n[ +0.000001] \n[ +0.000002] ? __warn+0x80/0x130\n[ +0.000003] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? report_bug+0x195/0x1a0\n[ +0.000005] ? handle_bug+0x3c/0x70\n[ +0.000003] ? exc_invalid_op+0x14/0x70\n[ +0.000002] ? asm_exc_invalid_op+0x16/0x20\n[ +0.000006] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] __flush_workqueue+0x126/0x3f0\n[ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\n[ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core]\n[ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core]\n[ +0.000020] i40iw_close+0x4b/0x90 [irdma]\n[ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\n[ +0.000035] i40e_service_task+0x126/0x190 [i40e]\n[ +0.000024] process_one_work+0x174/0x340\n[ +0.000003] worker_th\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36004" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36005", + "dataSource": "https://ubuntu.com/security/CVE-2024-36005", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36005" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36005", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36005", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13ba94f6cc820fdea15efeaa17d4c722874eebf9", + "https://git.kernel.org/stable/c/5c45feb3c288cf44a529e2657b36c259d86497d2", + "https://git.kernel.org/stable/c/8260c980aee7d8d8a3db39faf19c391d2f898816", + "https://git.kernel.org/stable/c/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2", + "https://git.kernel.org/stable/c/ca34c40d1c22c555fa7f4a21a1c807fea7290a0a", + "https://git.kernel.org/stable/c/e4bb6da24de336a7899033a65490ed2d892efa5b", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: honor table dormant flag from netdev release event path\n\nCheck for table dormant flag otherwise netdev release event path tries\nto unregister an already unregistered hook.\n\n[524854.857999] ------------[ cut here ]------------\n[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\n[524854.858869] Workqueue: netns cleanup_net\n[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260\n[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41\n[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246\n[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a\n[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438\n[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34\n[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005\n[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00\n[524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0\n[524854.859000] Call Trace:\n[524854.859006] \n[524854.859013] ? __warn+0x9f/0x1a0\n[524854.859027] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859044] ? report_bug+0x1b1/0x1e0\n[524854.859060] ? handle_bug+0x3c/0x70\n[524854.859071] ? exc_invalid_op+0x17/0x40\n[524854.859083] ? asm_exc_invalid_op+0x1a/0x20\n[524854.859100] ? __nf_unregister_net_hook+0x6a/0x260\n[524854.859116] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables]\n[524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859461] ? packet_notifier+0xb3/0x360\n[524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40\n[524854.859489] ? dcbnl_netdevice_event+0x35/0x140\n[524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859661] notifier_call_chain+0x7d/0x140\n[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36005" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36006", + "dataSource": "https://ubuntu.com/security/CVE-2024-36006", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36006" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36006", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36006", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09846c2309b150b8ce4e0ce96f058197598fc530", + "https://git.kernel.org/stable/c/0b2c13b670b168e324e1cf109e67056a20fd610a", + "https://git.kernel.org/stable/c/4526a56e02da3725db979358964df9cd9c567154", + "https://git.kernel.org/stable/c/64435b64e43d8ee60faa46c0cd04e323e8b2a7b0", + "https://git.kernel.org/stable/c/ab4ecfb627338e440ae11def004c524a00d93e40", + "https://git.kernel.org/stable/c/af8b593c3dd9df82cb199be65863af004b09fd97", + "https://git.kernel.org/stable/c/b377add0f0117409c418ddd6504bd682ebe0bf79", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\n\nBoth the function that migrates all the chunks within a region and the\nfunction that migrates all the entries within a chunk call\nlist_first_entry() on the respective lists without checking that the\nlists are not empty. This is incorrect usage of the API, which leads to\nthe following warning [1].\n\nFix by returning if the lists are empty as there is nothing to migrate\nin this case.\n\n[1]\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\nModules linked in:\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36006" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36007", + "dataSource": "https://ubuntu.com/security/CVE-2024-36007", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36007" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36007", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36007", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573", + "https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596", + "https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d", + "https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952", + "https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b", + "https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916", + "https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\n\nAs previously explained, the rehash delayed work migrates filters from\none region to another. This is done by iterating over all chunks (all\nthe filters with the same priority) in the region and in each chunk\niterating over all the filters.\n\nWhen the work runs out of credits it stores the current chunk and entry\nas markers in the per-work context so that it would know where to resume\nthe migration from the next time the work is scheduled.\n\nUpon error, the chunk marker is reset to NULL, but without resetting the\nentry markers despite being relative to it. This can result in migration\nbeing resumed from an entry that does not belong to the chunk being\nmigrated. In turn, this will eventually lead to a chunk being iterated\nover as if it is an entry. Because of how the two structures happen to\nbe defined, this does not lead to KASAN splats, but to warnings such as\n[1].\n\nFix by creating a helper that resets all the markers and call it from\nall the places the currently only reset the chunk marker. For good\nmeasures also call it when starting a completely new rehash. Add a\nwarning to avoid future cases.\n\n[1]\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\nModules linked in:\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36007" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36008", + "dataSource": "https://ubuntu.com/security/CVE-2024-36008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36008" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36008", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/03b5a9b2b526862b21bcc31976e393a6e63785d1", + "https://git.kernel.org/stable/c/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1", + "https://git.kernel.org/stable/c/7a25bfd12733a8f38f8ca47c581f876c3d481ac0", + "https://git.kernel.org/stable/c/7da0f91681c4902bc5c210356fdd963b04d5d1d4", + "https://git.kernel.org/stable/c/8240c7308c941db4d9a0a91b54eca843c616a655", + "https://git.kernel.org/stable/c/c71ea3534ec0936fc57e6fb271c7cc6a2f68c295", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: check for NULL idev in ip_route_use_hint()\n\nsyzbot was able to trigger a NULL deref in fib_validate_source()\nin an old tree [1].\n\nIt appears the bug exists in latest trees.\n\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\nFS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\n ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\n ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\n ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\n ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\n __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\n __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\n __netif_receive_skb_list net/core/dev.c:5672 [inline]\n netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\n netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\n xdp_recv_frames net/bpf/test_run.c:257 [inline]\n xdp_test_run_batch net/bpf/test_run.c:335 [inline]\n bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\n bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\n bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\n __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\n __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36008" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36009", + "dataSource": "https://ubuntu.com/security/CVE-2024-36009", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36009" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36009", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36009", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/0d14f104027e30720582448706c7d6b43065c851", + "https://git.kernel.org/stable/c/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b", + "https://git.kernel.org/stable/c/4fee8fa86a15d7790268eea458b1aec69c695530", + "https://git.kernel.org/stable/c/c42b073d9af4a5329b25b17390c63ab3847f30e8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix netdev refcount issue\n\nThe dev_tracker is added to ax25_cb in ax25_bind(). When the\nax25 device is detaching, the dev_tracker of ax25_cb should be\ndeallocated in ax25_kill_by_device() instead of the dev_tracker\nof ax25_dev. The log reported by ref_tracker is shown below:\n\n[ 80.884935] ref_tracker: reference already released.\n[ 80.885150] ref_tracker: allocated in:\n[ 80.885349] ax25_dev_device_up+0x105/0x540\n[ 80.885730] ax25_device_event+0xa4/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] __dev_notify_flags+0x138/0x280\n[ 80.885730] dev_change_flags+0xd7/0x180\n[ 80.885730] dev_ifsioc+0x6a9/0xa30\n[ 80.885730] dev_ioctl+0x4d8/0xd90\n[ 80.885730] sock_do_ioctl+0x1c2/0x2d0\n[ 80.885730] sock_ioctl+0x38b/0x4f0\n[ 80.885730] __se_sys_ioctl+0xad/0xf0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.885730] ref_tracker: freed in:\n[ 80.885730] ax25_device_event+0x272/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] dev_close_many+0x272/0x370\n[ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180\n[ 80.885730] unregister_netdev+0xcf/0x120\n[ 80.885730] sixpack_close+0x11f/0x1b0\n[ 80.885730] tty_ldisc_kill+0xcb/0x190\n[ 80.885730] tty_ldisc_hangup+0x338/0x3d0\n[ 80.885730] __tty_hangup+0x504/0x740\n[ 80.885730] tty_release+0x46e/0xd80\n[ 80.885730] __fput+0x37f/0x770\n[ 80.885730] __x64_sys_close+0x7b/0xb0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.893739] ------------[ cut here ]------------\n[ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0\n[ 80.894297] Modules linked in:\n[ 80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11\n[ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4\n[ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0\n[ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9\n[ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286\n[ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000\n[ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518\n[ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a\n[ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4\n[ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518\n[ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000\n[ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0\n...\n[ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at\n[ 80.935774] ax25_bind+0x424/0x4e0\n[ 80.935774] __sys_bind+0x1d9/0x270\n[ 80.935774] __x64_sys_bind+0x75/0x80\n[ 80.935774] do_syscall_64+0xc4/0x1b0\n[ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n\nChange ax25_dev->dev_tracker to the dev_tracker of ax25_cb\nin order to mitigate the bug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36009" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36012", + "dataSource": "https://ubuntu.com/security/CVE-2024-36012", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36012" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36012", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36012", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac", + "https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56", + "https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940", + "https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: msft: fix slab-use-after-free in msft_do_close()\n\nTying the msft->data lifetime to hdev by freeing it in\nhci_release_dev() to fix the following case:\n\n[use]\nmsft_do_close()\n msft = hdev->msft_data;\n if (!msft) ...(1) <- passed.\n return;\n mutex_lock(&msft->filter_lock); ...(4) <- used after freed.\n\n[free]\nmsft_unregister()\n msft = hdev->msft_data;\n hdev->msft_data = NULL; ...(2)\n kfree(msft); ...(3) <- msft is freed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30\nkernel/locking/mutex.c:752\nRead of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36012" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36013", + "dataSource": "https://ubuntu.com/security/CVE-2024-36013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36013", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://www.openwall.com/lists/oss-security/2024/05/30/1", + "http://www.openwall.com/lists/oss-security/2024/05/30/2", + "https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658", + "https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6", + "https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()\n\nExtend a critical section to prevent chan from early freeing.\nAlso make the l2cap_connect() return type void. Nothing is using the\nreturned value but it is ugly to return a potentially freed pointer.\nMaking it void will help with backports because earlier kernels did use\nthe return value. Now the compile will break for kernels where this\npatch is not a complete fix.\n\nCall stack summary:\n\n[use]\nl2cap_bredr_sig_cmd\n l2cap_connect\n ┌ mutex_lock(&conn->chan_lock);\n │ chan = pchan->ops->new_connection(pchan); <- alloc chan\n │ __l2cap_chan_add(conn, chan);\n │ l2cap_chan_hold(chan);\n │ list_add(&chan->list, &conn->chan_l); ... (1)\n └ mutex_unlock(&conn->chan_lock);\n chan->conf_state ... (4) <- use after free\n\n[free]\nl2cap_conn_del\n┌ mutex_lock(&conn->chan_lock);\n│ foreach chan in conn->chan_l: ... (2)\n│ l2cap_chan_put(chan);\n│ l2cap_chan_destroy\n│ kfree(chan) ... (3) <- chan freed\n└ mutex_unlock(&conn->chan_lock);\n\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read\ninclude/linux/instrumented.h:68 [inline]\nBUG: KASAN: slab-use-after-free in _test_bit\ninclude/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0\nnet/bluetooth/l2cap_core.c:4260\nRead of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 6.8, + "exploitabilityScore": 0.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36013" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36014", + "dataSource": "https://ubuntu.com/security/CVE-2024-36014", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36014" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36014", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36014", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/335cc45ef2b81b68be63c698b4f867a530bdf7a5", + "https://git.kernel.org/stable/c/3e54d4e95120641216dfe91a6c49f116a9f68490", + "https://git.kernel.org/stable/c/565d9ad7e5a18eb69ed8b66a9e9bb3f45346520c", + "https://git.kernel.org/stable/c/93f76ec1eddce60dbb5885cbc0d7df54adee4639", + "https://git.kernel.org/stable/c/a1f95aede6285dba6dd036d907196f35ae3a11ea", + "https://git.kernel.org/stable/c/a5fa5b40a278a3ca978fed64707bd27614adb1eb", + "https://git.kernel.org/stable/c/b6cc5dd06336ed8bb3a7a1fc5aaf7d5e88bc0818", + "https://git.kernel.org/stable/c/b77620730f614059db2470e8ebab3e725280fc6d", + "https://git.kernel.org/stable/c/e4b52d49383306ef73fd1bd9102538beebb0fe07" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/arm/malidp: fix a possible null pointer dereference\n\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36014" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36015", + "dataSource": "https://ubuntu.com/security/CVE-2024-36015", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36015" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36015", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36015", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5d5b24edad1107a2ffa99058f20f6aeeafeb5d39", + "https://git.kernel.org/stable/c/65cd017d43f4319a56747d38308b0a24cf57299e", + "https://git.kernel.org/stable/c/b65d0410b879af0295d22438a4a32012786d152a", + "https://git.kernel.org/stable/c/b8c6b83cc3adff3ddf403c8c7063fe6d08b2b9d9", + "https://git.kernel.org/stable/c/d32caf51379a4d71db03d3d4d7c22d27cdf7f68b", + "https://git.kernel.org/stable/c/df9329247dbbf00f6057e002139ab3fa529ad828", + "https://git.kernel.org/stable/c/ec3468221efec6660ff656e9ebe51ced3520fc57", + "https://git.kernel.org/stable/c/fbf740aeb86a4fe82ad158d26d711f2f3be79b3e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nppdev: Add an error check in register_device\n\nIn register_device, the return value of ida_simple_get is unchecked,\nin witch ida_simple_get will use an invalid index value.\n\nTo address this issue, index should be checked after ida_simple_get. When\nthe index value is abnormal, a warning message should be printed, the port\nshould be dropped, and the value should be recorded.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36015" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36016", + "dataSource": "https://ubuntu.com/security/CVE-2024-36016", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36016" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-117.127" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36016", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36016", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0fb736c9931e02dbc7d9a75044c8e1c039e50f04", + "https://git.kernel.org/stable/c/46f52c89a7e7d2691b97a9728e4591d071ca8abc", + "https://git.kernel.org/stable/c/47388e807f85948eefc403a8a5fdc5b406a65d5a", + "https://git.kernel.org/stable/c/4c267110fc110390704cc065edb9817fdd10ff54", + "https://git.kernel.org/stable/c/774d83b008eccb1c48c14dc5486e7aa255731350", + "https://git.kernel.org/stable/c/9513d4148950b05bc99fa7314dc883cc0e1605e5", + "https://git.kernel.org/stable/c/b229bc6c6ea9fe459fc3fa94fd0a27a2f32aca56", + "https://git.kernel.org/stable/c/b890d45aaf02b564e6cae2d2a590f9649330857d", + "https://git.kernel.org/stable/c/f126ce7305fe88f49cdabc6db4168b9318898ea3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\n\nAssuming the following:\n- side A configures the n_gsm in basic option mode\n- side B sends the header of a basic option mode frame with data length 1\n- side A switches to advanced option mode\n- side B sends 2 data bytes which exceeds gsm->len\n Reason: gsm->len is not used in advanced option mode.\n- side A switches to basic option mode\n- side B keeps sending until gsm0_receive() writes past gsm->buf\n Reason: Neither gsm->state nor gsm->len have been reset after\n reconfiguration.\n\nFix this by changing gsm->count to gsm->len comparison from equal to less\nthan. Also add upper limit checks against the constant MAX_MRU in\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\ngsm->len and gsm->mru.\n\nAll other checks remain as we still need to limit the data according to the\nuser configuration and actual payload size.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.7, + "exploitabilityScore": 2.5, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-117.127 (deb)", + "vulnerabilityID": "CVE-2024-36016" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36017", + "dataSource": "https://ubuntu.com/security/CVE-2024-36017", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36017" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36017", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36017", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1aec77b2bb2ed1db0f5efc61c4c1ca3813307489", + "https://git.kernel.org/stable/c/206003c748b88890a910ef7142d18f77be57550b", + "https://git.kernel.org/stable/c/4a4b9757789a1551d2df130df23bfb3545bfa7e8", + "https://git.kernel.org/stable/c/5e7ef2d88666a0212db8c38e6703864b9ce70169", + "https://git.kernel.org/stable/c/6c8f44b02500c7d14b5e6618fe4ef9a0da47b3de", + "https://git.kernel.org/stable/c/6e4c7193954f4faab92f6e8d88bc5565317b44e7", + "https://git.kernel.org/stable/c/8ac69ff2d0d5be9734c4402de932aa3dc8549c1a", + "https://git.kernel.org/stable/c/f3c1bf3054f96ddeab0621d920445bada769b40e", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\n\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\nis not enough and a too small attribute might be cast to a\nstruct ifla_vf_vlan_info, this might result in an out of bands\nread access when accessing the saved (casted) entry in ivvl.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36017" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36020", + "dataSource": "https://ubuntu.com/security/CVE-2024-36020", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36020" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36020", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36020", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6", + "https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0", + "https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba", + "https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31", + "https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a", + "https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c", + "https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d", + "https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix vf may be used uninitialized in this function warning\n\nTo fix the regression introduced by commit 52424f974bc5, which causes\nservers hang in very hard to reproduce conditions with resets races.\nUsing two sources for the information is the root cause.\nIn this function before the fix bumping v didn't mean bumping vf\npointer. But the code used this variables interchangeably, so stale vf\ncould point to different/not intended vf.\n\nRemove redundant \"v\" variable and iterate via single VF pointer across\nwhole function instead to guarantee VF pointer validity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36020" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36021", + "dataSource": "https://ubuntu.com/security/CVE-2024-36021", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36021" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36021", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36021", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b550dae55901c2cc9075d6a7155a71b4f516e86", + "https://git.kernel.org/stable/c/50b69054f455dcdb34bd6b22764c7579b270eef3", + "https://git.kernel.org/stable/c/7ca0f73e5e2da3c129935b97f3a0877cce8ebdf5", + "https://git.kernel.org/stable/c/93305b77ffcb042f1538ecc383505e87d95aa05a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when devlink reload during pf initialization\n\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash. This patch fixes this by taking devl_lock during initialization.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36021" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36022", + "dataSource": "https://ubuntu.com/security/CVE-2024-36022", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36022" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36022", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36022", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4f8154f775197d0021b690c2945d6a4d8094c8f6", + "https://git.kernel.org/stable/c/f679fd6057fbf5ab34aaee28d58b7f81af0cbf48" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Init zone device and drm client after mode-1 reset on reload\n\nIn passthrough environment, when amdgpu is reloaded after unload, mode-1\nis triggered after initializing the necessary IPs, That init does not\ninclude KFD, and KFD init waits until the reset is completed. KFD init\nis called in the reset handler, but in this case, the zone device and\ndrm client is not initialized, causing app to create kernel panic.\n\nv2: Removing the init KFD condition from amdgpu_amdkfd_drm_client_create.\nAs the previous version has the potential of creating DRM client twice.\n\nv3: v2 patch results in SDMA engine hung as DRM open causes VM clear to SDMA\nbefore SDMA init. Adding the condition to in drm client creation, on top of v1,\nto guard against drm client creation call multiple times.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36022" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36024", + "dataSource": "https://ubuntu.com/security/CVE-2024-36024", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36024" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36024", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36024", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2aac387445610d6dfd681f5214388e86f5677ef7", + "https://git.kernel.org/stable/c/6226a5aa77370329e01ee8abe50a95e60618ce97" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Disable idle reallow as part of command/gpint execution\n\n[Why]\nWorkaroud for a race condition where DMCUB is in the process of\ncommitting to IPS1 during the handshake causing us to miss the\ntransition into IPS2 and touch the INBOX1 RPTR causing a HW hang.\n\n[How]\nDisable the reallow to ensure that we have enough of a gap between entry\nand exit and we're not seeing back-to-back wake_and_executes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36024" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36025", + "dataSource": "https://ubuntu.com/security/CVE-2024-36025", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36025" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36025", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36025", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4406e4176f47177f5e51b4cc7e6a7a2ff3dbfbbd", + "https://git.kernel.org/stable/c/60b87b5ecbe07d70897d35947b0bb3e76ccd1b3a", + "https://git.kernel.org/stable/c/8c820f7c8e9b46238d277c575392fe9930207aab", + "https://git.kernel.org/stable/c/9fc74e367be4247a5ac39bb8ec41eaa73fade510", + "https://git.kernel.org/stable/c/ea8ac95c22c93acecb710209a7fd10b851afe817" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix off by one in qla_edif_app_getstats()\n\nThe app_reply->elem[] array is allocated earlier in this function and it\nhas app_req.num_ports elements. Thus this > comparison needs to be >= to\nprevent memory corruption.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36025" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36026", + "dataSource": "https://ubuntu.com/security/CVE-2024-36026", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36026" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36026", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36026", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e3b8874d55c0c28378beb9007494a7a9269a5f5", + "https://git.kernel.org/stable/c/31729e8c21ecfd671458e02b6511eb68c2225113", + "https://git.kernel.org/stable/c/7521329e54931ede9e042bbf5f4f812b5bc4a01d", + "https://git.kernel.org/stable/c/bd9b94055c3deb2398ee4490c1dfdf03f53efb8f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11\n\nWhile doing multiple S4 stress tests, GC/RLC/PMFW get into\nan invalid state resulting into hard hangs.\n\nAdding a GFX reset as workaround just before sending the\nMP1_UNLOAD message avoids this failure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36026" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36029", + "dataSource": "https://ubuntu.com/security/CVE-2024-36029", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36029" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-116.126" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36029", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36029", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1200481cd6069d16ce20133bcd86f5825e26a045", + "https://git.kernel.org/stable/c/56b99a52229d7f8cd1f53d899f57aa7eb4b199af", + "https://git.kernel.org/stable/c/a957ea5aa3d3518067a1ba32c6127322ad348d20", + "https://git.kernel.org/stable/c/f653b04a818c490b045c97834d559911479aa1c5", + "https://git.kernel.org/stable/c/f8def10f73a516b771051a2f70f2f0446902cb4f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-msm: pervent access to suspended controller\n\nGeneric sdhci code registers LED device and uses host->runtime_suspended\nflag to protect access to it. The sdhci-msm driver doesn't set this flag,\nwhich causes a crash when LED is accessed while controller is runtime\nsuspended. Fix this by setting the flag correctly.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-116.126 (deb)", + "vulnerabilityID": "CVE-2024-36029" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36031", + "dataSource": "https://ubuntu.com/security/CVE-2024-36031", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36031" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36031", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36031", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/25777f3f4e1f371d16a594925f31e37ce07b6ec7", + "https://git.kernel.org/stable/c/939a08bcd4334bad4b201e60bd0ae1f278d71d41", + "https://git.kernel.org/stable/c/9da27fb65a14c18efd4473e2e82b76b53ba60252", + "https://git.kernel.org/stable/c/ad2011ea787928b2accb5134f1e423b11fe80a8a", + "https://git.kernel.org/stable/c/cc219cb8afbc40ec100c0de941047bb29373126a", + "https://git.kernel.org/stable/c/e4519a016650e952ad9eb27937f8c447d5a4e06d", + "https://git.kernel.org/stable/c/ed79b93f725cd0da39a265dc23d77add1527b9be" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkeys: Fix overwrite of key expiration on instantiation\n\nThe expiry time of a key is unconditionally overwritten during\ninstantiation, defaulting to turn it permanent. This causes a problem\nfor DNS resolution as the expiration set by user-space is overwritten to\nTIME64_MAX, disabling further DNS updates. Fix this by restoring the\ncondition that key_set_expiry is only called when the pre-parser sets a\nspecific expiry.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36031" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36032", + "dataSource": "https://ubuntu.com/security/CVE-2024-36032", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36032" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36032", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36032", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/57062aa13e87b1a78a4a8f6cb5fab6ba24f5f488", + "https://git.kernel.org/stable/c/62d5550ab62042dcceaf18844d0feadbb962cffe", + "https://git.kernel.org/stable/c/6b63e0ef4d3ce0080395e5091fba2023f246c45a", + "https://git.kernel.org/stable/c/a571044cc0a0c944e7c12237b6768aeedd7480e1", + "https://git.kernel.org/stable/c/cda0d6a198e2a7ec6f176c36173a57bdd8af7af2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix info leak when fetching fw build id\n\nAdd the missing sanity checks and move the 255-byte build-id buffer off\nthe stack to avoid leaking stack data through debugfs in case the\nbuild-info reply is malformed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36032" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36244", + "dataSource": "https://ubuntu.com/security/CVE-2024-36244", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36244" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36244", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36244", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/91f249b01fe490fce11fbb4307952ca8cce78724", + "https://git.kernel.org/stable/c/b939d1e04a90248b4cdf417b0969c270ceb992b2", + "https://git.kernel.org/stable/c/fb66df20a7201e60f2b13d7f95d031b31a8831d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: extend minimum interval restriction to entire cycle too\n\nIt is possible for syzbot to side-step the restriction imposed by the\nblamed commit in the Fixes: tag, because the taprio UAPI permits a\ncycle-time different from (and potentially shorter than) the sum of\nentry intervals.\n\nWe need one more restriction, which is that the cycle time itself must\nbe larger than N * ETH_ZLEN bit times, where N is the number of schedule\nentries. This restriction needs to apply regardless of whether the cycle\ntime came from the user or was the implicit, auto-calculated value, so\nwe move the existing \"cycle == 0\" check outside the \"if \"(!new->cycle_time)\"\nbranch. This way covers both conditions and scenarios.\n\nAdd a selftest which illustrates the issue triggered by syzbot.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36244" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36270", + "dataSource": "https://ubuntu.com/security/CVE-2024-36270", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36270" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36270", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36270", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07eeedafc59c45fe5de43958128542be3784764c", + "https://git.kernel.org/stable/c/10f0af5234dafd03d2b75233428ec3f11cf7e43d", + "https://git.kernel.org/stable/c/21a673bddc8fd4873c370caf9ae70ffc6d47e8d3", + "https://git.kernel.org/stable/c/570b4c52096e62fda562448f5760fd0ff06110f0", + "https://git.kernel.org/stable/c/6fe5af4ff06db3d4d80e07a19356640428159f03", + "https://git.kernel.org/stable/c/819bfeca16eb9ad647ddcae25e7e12c30612147c", + "https://git.kernel.org/stable/c/caf3a8afb5ea00db6d5398adf148d5534615fd80" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: tproxy: bail out if IP has been disabled on the device\n\nsyzbot reports:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n[..]\nRIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62\nCall Trace:\n nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]\n nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168\n\n__in_dev_get_rcu() can return NULL, so check for this.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36270" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36286", + "dataSource": "https://ubuntu.com/security/CVE-2024-36286", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36286" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36286", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36286", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/215df6490e208bfdd5b3012f5075e7f8736f3e7a", + "https://git.kernel.org/stable/c/25ea5377e3d2921a0f96ae2551f5ab1b36825dd4", + "https://git.kernel.org/stable/c/3989b817857f4890fab9379221a9d3f52bf5c256", + "https://git.kernel.org/stable/c/68f40354a3851df46c27be96b84f11ae193e36c5", + "https://git.kernel.org/stable/c/8658bd777cbfcb0c13df23d0ea120e70517761b9", + "https://git.kernel.org/stable/c/8f365564af898819a523f1a8cf5c6ce053e9f718", + "https://git.kernel.org/stable/c/dc21c6cc3d6986d938efbf95de62473982c98dec", + "https://git.kernel.org/stable/c/e01065b339e323b3dfa1be217fd89e9b3208b0ab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()\n\nsyzbot reported that nf_reinject() could be called without rcu_read_lock() :\n\nWARNING: suspicious RCU usage\n6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted\n\nnet/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by syz-executor.4/13427:\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172\n\nstack backtrace:\nCPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]\n nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397\n nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]\n instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172\n rcu_do_batch kernel/rcu/tree.c:2196 [inline]\n rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471\n handle_softirqs+0x2d6/0x990 kernel/softirq.c:554\n __do_softirq kernel/softirq.c:588 [inline]\n invoke_softirq kernel/softirq.c:428 [inline]\n __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:649\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n \n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36286" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36478", + "dataSource": "https://ubuntu.com/security/CVE-2024-36478", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36478" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36478", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36478", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47", + "https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\n\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\n\nTest script:\n\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\n\nTest result:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n \n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\n\nThis is because del_gendisk() can concurrent with\nblk_mq_update_nr_hw_queues():\n\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t if (!dev->nullb)\n\t\t\t\t // still set while gendisk is deleted\n\t\t\t\t return 0\n\t\t\t\t blk_mq_update_nr_hw_queues\n dev->nullb = NULL\n\nFix this problem by resuing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36478" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36479", + "dataSource": "https://ubuntu.com/security/CVE-2024-36479", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36479" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36479", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36479", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1da11f822042eb6ef4b6064dc048f157a7852529", + "https://git.kernel.org/stable/c/6896b6b2e2d9ec4e1b0acb4c1698a75a4b34d125", + "https://git.kernel.org/stable/c/d7c4081c54a1d4068de9440957303a76f9e5c95b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: bridge: add owner module and take its refcount\n\nThe current implementation of the fpga bridge assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the bridge if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_bridge\nstruct and use it to take the module's refcount. Modify the function for\nregistering a bridge to take an additional owner module parameter and\nrename it to avoid conflicts. Use the old function name for a helper macro\nthat automatically sets the module that registers the bridge as the owner.\nThis ensures compatibility with existing low-level control modules and\nreduces the chances of registering a bridge without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga bridge.\n\nOther changes: opportunistically move put_device() from __fpga_bridge_get()\nto fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity since\nthe bridge device is taken in these functions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36479" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36484", + "dataSource": "https://ubuntu.com/security/CVE-2024-36484", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36484" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36484", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36484", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21c14c556cccd0cb54b71ec5e901e64ba84c7165", + "https://git.kernel.org/stable/c/26afda78cda3da974fd4c287962c169e9462c495", + "https://git.kernel.org/stable/c/59801e88c99f7c3f44a4d20af6ba6417aa359b5d", + "https://git.kernel.org/stable/c/5f9a04a94fd1894d7009055ab8e5832a0242dba3", + "https://git.kernel.org/stable/c/6e03006548c66b979f4e5e9fc797aac4dad82822", + "https://git.kernel.org/stable/c/7de00adc9bd035d861ba4177848ca0bfa5ed1e04", + "https://git.kernel.org/stable/c/87bdc9f6f58b4417362d6932b49b828e319f97dc", + "https://git.kernel.org/stable/c/c09ddc605893df542c6cf8dde6a57a93f7cf0adb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: relax socket state check at accept time.\n\nChristoph reported the following splat:\n\nWARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0\nModules linked in:\nCPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nRIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759\nCode: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80\nRSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293\nRAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64\nR10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000\nR13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800\nFS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786\n do_accept+0x435/0x620 net/socket.c:1929\n __sys_accept4_file net/socket.c:1969 [inline]\n __sys_accept4+0x9b/0x110 net/socket.c:1999\n __do_sys_accept net/socket.c:2016 [inline]\n __se_sys_accept net/socket.c:2013 [inline]\n __x64_sys_accept+0x7d/0x90 net/socket.c:2013\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x4315f9\nCode: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b\nRAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300\nR10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055\n \n\nThe reproducer invokes shutdown() before entering the listener status.\nAfter commit 94062790aedb (\"tcp: defer shutdown(SEND_SHUTDOWN) for\nTCP_SYN_RECV sockets\"), the above causes the child to reach the accept\nsyscall in FIN_WAIT1 status.\n\nEric noted we can relax the existing assertion in __inet_accept()", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36484" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36489", + "dataSource": "https://ubuntu.com/security/CVE-2024-36489", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36489" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36489", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36489", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c260a24cf1c4d30ea3646124f766ee46169280b", + "https://git.kernel.org/stable/c/335c8f1566d8e44c384d16b450a18554896d4e8b", + "https://git.kernel.org/stable/c/91e61dd7a0af660408e87372d8330ceb218be302", + "https://git.kernel.org/stable/c/ab67c2fd3d070a21914d0c31319d3858ab4e199c", + "https://git.kernel.org/stable/c/d72e126e9a36d3d33889829df8fc90100bb0e071", + "https://git.kernel.org/stable/c/ef21007a7b581c7fe64d5a10c320880a033c837b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix missing memory barrier in tls_init\n\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\n\nCPU0 CPU1\n----- -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\n\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots) -(2)\n\n // In sock_common_setsockopt()\n READ_ONCE(sk->sk_prot)->setsockopt()\n\n // In tls_{setsockopt,getsockopt}()\n ctx->sk_proto->setsockopt() -(3)\n\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\n\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36489" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36880", + "dataSource": "https://ubuntu.com/security/CVE-2024-36880", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36880" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36880", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36880", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02f05ed44b71152d5e11d29be28aed91c0489b4e", + "https://git.kernel.org/stable/c/1caceadfb50432dbf6d808796cb6c34ebb6d662c", + "https://git.kernel.org/stable/c/2e4edfa1e2bd821a317e7d006517dcf2f3fac68d", + "https://git.kernel.org/stable/c/427281f9498ed614f9aabc80e46ec077c487da6d", + "https://git.kernel.org/stable/c/ed53949cc92e28aaa3463d246942bda1fbb7f307" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: add missing firmware sanity checks\n\nAdd the missing sanity checks when parsing the firmware files before\ndownloading them to avoid accessing and corrupting memory beyond the\nvmalloced buffer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36880" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36883", + "dataSource": "https://ubuntu.com/security/CVE-2024-36883", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36883" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36883", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36883", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c3248bc708a7797be573214065cf908ff1f54c7", + "https://git.kernel.org/stable/c/2d60ff5874aefd006717ca5e22ac1e25eac29c42", + "https://git.kernel.org/stable/c/3cdc34d76c4f777579e28ad373979d36c030cfd3", + "https://git.kernel.org/stable/c/7b0e64583eab8c1d896b47e5dd0bf2e7d86ec41f", + "https://git.kernel.org/stable/c/9518b79bfd2fbf99fa9b7e8e36bcb1825e7ba030", + "https://git.kernel.org/stable/c/a26ff37e624d12e28077e5b24d2b264f62764ad6", + "https://git.kernel.org/stable/c/b6dbfd5bcc267a95a0bf1bf96af46243f96ec6cd", + "https://git.kernel.org/stable/c/f4f94587e1bf87cb40ec33955a9d90148dd026ab", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix out-of-bounds access in ops_init\n\nnet_alloc_generic is called by net_alloc, which is called without any\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\nis read twice, first to allocate an array, then to set s.len, which is\nlater used to limit the bounds of the array access.\n\nIt is possible that the array is allocated and another thread is\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\nto set s.len with a larger than allocated length for the variable array.\n\nFix it by reading max_gen_ptrs only once in net_alloc_generic. If\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36883" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36885", + "dataSource": "https://ubuntu.com/security/CVE-2024-36885", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36885" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36885", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36885", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a88c18da464db0ba8ea25196d0a06490f65322e", + "https://git.kernel.org/stable/c/52a6947bf576b97ff8e14bb0a31c5eaf2d0d96e2", + "https://git.kernel.org/stable/c/e05af009302893f39b072811a68fa4a196284c75" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor()\n\nCurrently, enabling SG_DEBUG in the kernel will cause nouveau to hit a\nBUG() on startup:\n\n kernel BUG at include/linux/scatterlist.h:187!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30\n Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019\n RIP: 0010:sg_init_one+0x85/0xa0\n Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54\n 24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b\n 0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00\n RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b\n RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000\n RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508\n R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018\n FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0\n Call Trace:\n \n ? die+0x36/0x90\n ? do_trap+0xdd/0x100\n ? sg_init_one+0x85/0xa0\n ? do_error_trap+0x65/0x80\n ? sg_init_one+0x85/0xa0\n ? exc_invalid_op+0x50/0x70\n ? sg_init_one+0x85/0xa0\n ? asm_exc_invalid_op+0x1a/0x20\n ? sg_init_one+0x85/0xa0\n nvkm_firmware_ctor+0x14a/0x250 [nouveau]\n nvkm_falcon_fw_ctor+0x42/0x70 [nouveau]\n ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau]\n r535_gsp_oneinit+0xb3/0x15f0 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? nvkm_udevice_new+0x95/0x140 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? ktime_get+0x47/0xb0\n ? srso_return_thunk+0x5/0x5f\n nvkm_subdev_oneinit_+0x4f/0x120 [nouveau]\n nvkm_subdev_init_+0x39/0x140 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n nvkm_subdev_init+0x44/0x90 [nouveau]\n nvkm_device_init+0x166/0x2e0 [nouveau]\n nvkm_udevice_init+0x47/0x70 [nouveau]\n nvkm_object_init+0x41/0x1c0 [nouveau]\n nvkm_ioctl_new+0x16a/0x290 [nouveau]\n ? __pfx_nvkm_client_child_new+0x10/0x10 [nouveau]\n ? __pfx_nvkm_udevice_new+0x10/0x10 [nouveau]\n nvkm_ioctl+0x126/0x290 [nouveau]\n nvif_object_ctor+0x112/0x190 [nouveau]\n nvif_device_ctor+0x23/0x60 [nouveau]\n nouveau_cli_init+0x164/0x640 [nouveau]\n nouveau_drm_device_init+0x97/0x9e0 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? pci_update_current_state+0x72/0xb0\n ? srso_return_thunk+0x5/0x5f\n nouveau_drm_probe+0x12c/0x280 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n local_pci_probe+0x45/0xa0\n pci_device_probe+0xc7/0x270\n really_probe+0xe6/0x3a0\n __driver_probe_device+0x87/0x160\n driver_probe_device+0x1f/0xc0\n __driver_attach+0xec/0x1f0\n ? __pfx___driver_attach+0x10/0x10\n bus_for_each_dev+0x88/0xd0\n bus_add_driver+0x116/0x220\n driver_register+0x59/0x100\n ? __pfx_nouveau_drm_init+0x10/0x10 [nouveau]\n do_one_initcall+0x5b/0x320\n do_init_module+0x60/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x120/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x83/0x160\n ? srso_return_thunk+0x5/0x5f\n entry_SYSCALL_64_after_hwframe+0x71/0x79\n RIP: 0033:0x7feeb5cc20cd\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0\n ff ff 73 01 c3 48 8b 0d 1b cd 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffcf220b2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 000055fdd2916aa0 RCX: 00007feeb5cc20cd\n RDX: 0000000000000000 RSI: 000055fdd29161e0 RDI: 0000000000000035\n RBP: 00007ffcf220b380 R08: 00007feeb5d8fb20 R09: 00007ffcf220b310\n R10: 000055fdd2909dc0 R11: 0000000000000246 R12: 000055\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36885" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36886", + "dataSource": "https://ubuntu.com/security/CVE-2024-36886", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36886" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36886", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36886", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/080cbb890286cd794f1ee788bbc5463e2deb7c2b", + "https://git.kernel.org/stable/c/21ea04aad8a0839b4ec27ef1691ca480620e8e14", + "https://git.kernel.org/stable/c/367766ff9e407f8a68409b7ce4dc4d5a72afeab1", + "https://git.kernel.org/stable/c/66116556076f0b96bc1aa9844008c743c8c67684", + "https://git.kernel.org/stable/c/93bc2d6d16f2c3178736ba6b845b30475856dc40", + "https://git.kernel.org/stable/c/a0fbb26f8247e326a320e2cb4395bfb234332c90", + "https://git.kernel.org/stable/c/e19ec8ab0e25bc4803d7cc91c84e84532e2781bd", + "https://git.kernel.org/stable/c/ffd4917c1edb3c3ff334fce3704fbe9c39f35682", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix UAF in error path\n\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\na UAF in the tipc_buf_append() error path:\n\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\nlinux/net/core/skbuff.c:1183\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\n\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.0-debian-1.16.0-5 04/01/2014\nCall Trace:\n \n __dump_stack linux/lib/dump_stack.c:88\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\n print_address_description linux/mm/kasan/report.c:377\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\n skb_release_all linux/net/core/skbuff.c:1094\n __kfree_skb linux/net/core/skbuff.c:1108\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\n kfree_skb linux/./include/linux/skbuff.h:1244\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\n dst_input linux/./include/net/dst.h:461\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\n napi_poll linux/net/core/dev.c:6645\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\n do_softirq linux/kernel/softirq.c:454\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\n \n \n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\n local_bh_enable linux/./include/linux/bottom_half.h:33\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\n neigh_hh_output linux/./include/net/neighbour.h:526\n neigh_output linux/./include/net/neighbour.h:540\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\n __ip_finish_output linux/net/ipv4/ip_output.c:313\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\n dst_output linux/./include/net/dst.h:451\n ip_local_out linux/net/ipv4/ip_output.c:129\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\n sock_sendmsg_nosec linux/net/socket.c:730\n __sock_sendmsg linux/net/socket.c:745\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\n __do_sys_sendto linux/net/socket.c:2203\n __se_sys_sendto linux/net/socket.c:2199\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\n do_syscall_x64 linux/arch/x86/entry/common.c:52\n do_syscall_\n---truncated---", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.1, + "exploitabilityScore": 2.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36886" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36889", + "dataSource": "https://ubuntu.com/security/CVE-2024-36889", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36889" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36889", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36889", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012", + "https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe", + "https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4", + "https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f", + "https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193", + "https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_nxt is properly initialized on connect\n\nChristoph reported a splat hinting at a corrupted snd_una:\n\n WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n Modules linked in:\n CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n Workqueue: events mptcp_worker\n RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\n \t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\n \t<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\n RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\n RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\n R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\n FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\n Call Trace:\n \n __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\n mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\n __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\n mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\n process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\n process_scheduled_works kernel/workqueue.c:3335 [inline]\n worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\n kthread+0x121/0x170 kernel/kthread.c:388\n ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n \n\nWhen fallback to TCP happens early on a client socket, snd_nxt\nis not yet initialized and any incoming ack will copy such value\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\nre-injection after such ack, that would unconditionally trigger a send\nbuffer cleanup using 'bad' snd_una values.\n\nWe could easily disable re-injection for fallback sockets, but such\ndumb behavior already helped catching a few subtle issues and a very\nlow to zero impact in practice.\n\nInstead address the issue always initializing snd_nxt (and write_seq,\nfor consistency) at connect time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36889" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36893", + "dataSource": "https://ubuntu.com/security/CVE-2024-36893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36893" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36893", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/789326cafbd1f67f424436b6bc8bdb887a364637", + "https://git.kernel.org/stable/c/ae11f04b452b5205536e1c02d31f8045eba249dd", + "https://git.kernel.org/stable/c/d56d2ca03cc22123fd7626967d096d8661324e57", + "https://git.kernel.org/stable/c/fc2b655cb6dd2b381f1f284989721002e39b6b77" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Check for port partner validity before consuming it\n\ntypec_register_partner() does not guarantee partner registration\nto always succeed. In the event of failure, port->partner is set\nto the error value or NULL. Given that port->partner validity is\nnot checked, this results in the following crash:\n\nUnable to handle kernel NULL pointer dereference at virtual address xx\n pc : run_state_machine+0x1bc8/0x1c08\n lr : run_state_machine+0x1b90/0x1c08\n..\n Call trace:\n run_state_machine+0x1bc8/0x1c08\n tcpm_state_machine_work+0x94/0xe4\n kthread_worker_fn+0x118/0x328\n kthread+0x1d0/0x23c\n ret_from_fork+0x10/0x20\n\nTo prevent the crash, check for port->partner validity before\nderefencing it in all the call sites.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36894", + "dataSource": "https://ubuntu.com/security/CVE-2024-36894", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36894" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36894", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36894", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/24729b307eefcd7c476065cd7351c1a018082c19", + "https://git.kernel.org/stable/c/3613e5023f09b3308545e9d1acda86017ebd418a", + "https://git.kernel.org/stable/c/73c05ad46bb4fbbdb346004651576d1c8dbcffbb", + "https://git.kernel.org/stable/c/9e72ef59cbe61cd1243857a6418ca92104275867", + "https://git.kernel.org/stable/c/a0fdccb1c9e027e3195f947f61aa87d6d0d2ea14", + "https://git.kernel.org/stable/c/d7461830823242702f5d84084bcccb25159003f4", + "https://git.kernel.org/stable/c/e500b1c4e29ad0bd1c1332a1eaea2913627a92dd", + "https://git.kernel.org/stable/c/f71a53148ce34898fef099b75386a3a9f4449311" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\n\nFFS based applications can utilize the aio_cancel() callback to dequeue\npending USB requests submitted to the UDC. There is a scenario where the\nFFS application issues an AIO cancel call, while the UDC is handling a\nsoft disconnect. For a DWC3 based implementation, the callstack looks\nlike the following:\n\n DWC3 Gadget FFS Application\ndwc3_gadget_soft_disconnect() ...\n --> dwc3_stop_active_transfers()\n --> dwc3_gadget_giveback(-ESHUTDOWN)\n --> ffs_epfile_async_io_complete() ffs_aio_cancel()\n --> usb_ep_free_request() --> usb_ep_dequeue()\n\nThere is currently no locking implemented between the AIO completion\nhandler and AIO cancel, so the issue occurs if the completion routine is\nrunning in parallel to an AIO cancel call coming from the FFS application.\nAs the completion call frees the USB request (io_data->req) the FFS\napplication is also referencing it for the usb_ep_dequeue() call. This can\nlead to accessing a stale/hanging pointer.\n\ncommit b566d38857fc (\"usb: gadget: f_fs: use io_data->status consistently\")\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\nHowever, in order to properly implement locking to mitigate this issue, the\nspinlock can't be added to ffs_epfile_async_io_complete(), as\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\nfunction driver's completion handler in the same context. Hence, leading\ninto a deadlock.\n\nFix this issue by moving the usb_ep_free_request() back to\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\nto NULL after freeing it within the ffs->eps_lock. This resolves the race\ncondition above, as the ffs_aio_cancel() routine will not continue\nattempting to dequeue a request that has already been freed, or the\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\ndone referencing it.\n\nThis fix depends on\n commit b566d38857fc (\"usb: gadget: f_fs: use io_data->status\n consistently\")", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 5.6, + "exploitabilityScore": 0.4, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36894" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36898", + "dataSource": "https://ubuntu.com/security/CVE-2024-36898", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36898" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36898", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36898", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a51e24404d77bb3307c1e39eee0d8e86febb1a5", + "https://git.kernel.org/stable/c/883e4bbf06eb5fb7482679e4edb201093e9f55a2", + "https://git.kernel.org/stable/c/bd7139a70ee8d8ea872b223e043730cf6f5e2b0e", + "https://git.kernel.org/stable/c/ee0166b637a5e376118e9659e5b4148080f1d27e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: fix uninitialised kfifo\n\nIf a line is requested with debounce, and that results in debouncing\nin software, and the line is subsequently reconfigured to enable edge\ndetection then the allocation of the kfifo to contain edge events is\noverlooked. This results in events being written to and read from an\nuninitialised kfifo. Read events are returned to userspace.\n\nInitialise the kfifo in the case where the software debounce is\nalready active.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36898" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36899", + "dataSource": "https://ubuntu.com/security/CVE-2024-36899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36899", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02f6b0e1ec7e0e7d059dddc893645816552039da", + "https://git.kernel.org/stable/c/95ca7c90eaf5ea8a8460536535101e3e81160e2a", + "https://git.kernel.org/stable/c/ca710b5f40b8b16fdcad50bebd47f50e4c62d239" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Fix use after free in lineinfo_changed_notify\n\nThe use-after-free issue occurs as follows: when the GPIO chip device file\nis being closed by invoking gpio_chrdev_release(), watched_lines is freed\nby bitmap_free(), but the unregistration of lineinfo_changed_nb notifier\nchain failed due to waiting write rwsem. Additionally, one of the GPIO\nchip's lines is also in the release process and holds the notifier chain's\nread rwsem. Consequently, a race condition leads to the use-after-free of\nwatched_lines.\n\nHere is the typical stack when issue happened:\n\n[free]\ngpio_chrdev_release()\n --> bitmap_free(cdev->watched_lines) <-- freed\n --> blocking_notifier_chain_unregister()\n --> down_write(&nh->rwsem) <-- waiting rwsem\n --> __down_write_common()\n --> rwsem_down_write_slowpath()\n --> schedule_preempt_disabled()\n --> schedule()\n\n[use]\nst54spi_gpio_dev_release()\n --> gpio_free()\n --> gpiod_free()\n --> gpiod_free_commit()\n --> gpiod_line_state_notify()\n --> blocking_notifier_call_chain()\n --> down_read(&nh->rwsem); <-- held rwsem\n --> notifier_call_chain()\n --> lineinfo_changed_notify()\n --> test_bit(xxxx, cdev->watched_lines) <-- use after free\n\nThe side effect of the use-after-free issue is that a GPIO line event is\nbeing generated for userspace where it shouldn't. However, since the chrdev\nis being closed, userspace won't have the chance to read that event anyway.\n\nTo fix the issue, call the bitmap_free() function after the unregistration\nof lineinfo_changed_nb notifier chain.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36900", + "dataSource": "https://ubuntu.com/security/CVE-2024-36900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36900" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36900", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/35d92abfbad88cf947c010baf34b075e40566095", + "https://git.kernel.org/stable/c/5c623fe0534806b627054da09b6f51b7b2f7b9cd", + "https://git.kernel.org/stable/c/72ede790f5a03c3957487400a1b72ebce293a2e7", + "https://git.kernel.org/stable/c/c98bc78ce0909ccc92005e2cb6609ec6c7942f69" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when devlink reload during initialization\n\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash.\n\nThis patch fixes this by registering the devlink after\nhardware initialization.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36901", + "dataSource": "https://ubuntu.com/security/CVE-2024-36901", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36901" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36901", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36901", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2272e2db38f2e85929278146d7c770f22f528579", + "https://git.kernel.org/stable/c/4db783d68b9b39a411a96096c10828ff5dfada7a", + "https://git.kernel.org/stable/c/55f7eb4001ef2a3b48cf039cf263f9ed0ec5a488", + "https://git.kernel.org/stable/c/9df3b2474a627994433a87cbf325a562555b17de", + "https://git.kernel.org/stable/c/e31b25cc2066d3f2b6c38579253882008d4469b0", + "https://git.kernel.org/stable/c/ea0cb87402f774b0e1214ffba0f57028b27cf155" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent NULL dereference in ip6_output()\n\nAccording to syzbot, there is a chance that ip6_dst_idev()\nreturns NULL in ip6_output(). Most places in IPv6 stack\ndeal with a NULL idev just fine, but not here.\n\nsyzbot reported:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\nFS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\n sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\n sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\n sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\n sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\n sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\n sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\n __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\n sctp_connect net/sctp/socket.c:4819 [inline]\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-36901" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36902", + "dataSource": "https://ubuntu.com/security/CVE-2024-36902", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36902" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36902", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36902", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1876881c9a49613b5249fb400cbf53412d90cb09", + "https://git.kernel.org/stable/c/35297fc68de36826087e976f86a5b1f94fd0bf95", + "https://git.kernel.org/stable/c/4a5a573387da6a6b23a4cc62147453ff1bc32afa", + "https://git.kernel.org/stable/c/674c951ab8a23f7aff9b4c3f2f865901bc76a290", + "https://git.kernel.org/stable/c/7e3242c139c38e60844638e394c2877b16b396b0", + "https://git.kernel.org/stable/c/8745a8d74ba17dafe72b6ab461fa6c007d879747", + "https://git.kernel.org/stable/c/d101291b2681e5ab938554e3e323f7a7ee33e3aa", + "https://git.kernel.org/stable/c/ddec23f206a944c73bcc2724358b85388837daff", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\n\nsyzbot is able to trigger the following crash [1],\ncaused by unsafe ip6_dst_idev() use.\n\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\nFS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\n fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\n ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\n ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\n ip6_route_output include/net/ip6_route.h:93 [inline]\n ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\n ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\n sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\n sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\n sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\n sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\n __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\n sctp_connect net/sctp/socket.c:4819 [inline]\n sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36902" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36903", + "dataSource": "https://ubuntu.com/security/CVE-2024-36903", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36903" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36903", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36903", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2367bf254f3a27ecc6e229afd7a8b0a1395f7be3", + "https://git.kernel.org/stable/c/4e13d3a9c25b7080f8a619f961e943fe08c2672c", + "https://git.kernel.org/stable/c/68c8ba16ab712eb709c6bab80ff151079d11d97a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix potential uninit-value access in __ip6_make_skb()\n\nAs it was done in commit fc1092f51567 (\"ipv4: Fix uninit-value access in\n__ip_make_skb()\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags\ninstead of testing HDRINCL on the socket to avoid a race condition which\ncauses uninit-value access.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36903" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36904", + "dataSource": "https://ubuntu.com/security/CVE-2024-36904", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36904" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36904", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36904", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446", + "https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3", + "https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34", + "https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8", + "https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc", + "https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc", + "https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9", + "https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\n\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\n\nSince commit ec94c2696f0b (\"tcp/dccp: avoid one atomic operation for\ntimewait hashdance\"), inet_twsk_hashdance() sets TIME-WAIT socket's\nsk_refcnt after putting it into ehash and releasing the bucket lock.\n\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\n\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\n\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\n\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n \n ? refcount_warn_saturate+0xe5/0x110\n ? __warn+0x81/0x130\n ? refcount_warn_saturate+0xe5/0x110\n ? report_bug+0x171/0x1a0\n ? refcount_warn_saturate+0xe5/0x110\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? refcount_warn_saturate+0xe5/0x110\n tcp_twsk_unique+0x186/0x190\n __inet_check_established+0x176/0x2d0\n __inet_hash_connect+0x74/0x7d0\n ? __pfx___inet_check_established+0x10/0x10\n tcp_v4_connect+0x278/0x530\n __inet_stream_connect+0x10f/0x3d0\n inet_stream_connect+0x3a/0x60\n __sys_connect+0xa8/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0x83/0x170\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36904" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36905", + "dataSource": "https://ubuntu.com/security/CVE-2024-36905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36905" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36905", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4", + "https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270", + "https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1", + "https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485", + "https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f", + "https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf", + "https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214", + "https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\n\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\n\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\n\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\n\n TCP_CLOSE\nconnect()\n TCP_SYN_SENT\n TCP_SYN_RECV\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\n TCP_FIN_WAIT1\n\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\n\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\n\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\n\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n \n tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x109/0x280 net/socket.c:1068\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n ___sys_recvmsg net/socket.c:2845 [inline]\n do_recvmmsg+0x474/0xae0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36906", + "dataSource": "https://ubuntu.com/security/CVE-2024-36906", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36906" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36906", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36906", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/20ac71bee028ffbae4fc14ed679b23b4d3e95726", + "https://git.kernel.org/stable/c/ad702338fe423cb1e79745787090317256a98dab", + "https://git.kernel.org/stable/c/b26f353786d365e658cebc9a9ace88e04fc2325e", + "https://git.kernel.org/stable/c/c4238686f9093b98bd6245a348bcf059cdce23af", + "https://git.kernel.org/stable/c/ee0ce7573e5083031960faf602c9db693ab5b477" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9381/1: kasan: clear stale stack poison\n\nWe found below OOB crash:\n\n[ 33.452494] ==================================================================\n[ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[ 33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0\n[ 33.455515]\n[ 33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.1.25-mainline #1\n[ 33.456880] Hardware name: Generic DT based system\n[ 33.457555] unwind_backtrace from show_stack+0x18/0x1c\n[ 33.458326] show_stack from dump_stack_lvl+0x40/0x4c\n[ 33.459072] dump_stack_lvl from print_report+0x158/0x4a4\n[ 33.459863] print_report from kasan_report+0x9c/0x148\n[ 33.460616] kasan_report from kasan_check_range+0x94/0x1a0\n[ 33.461424] kasan_check_range from memset+0x20/0x3c\n[ 33.462157] memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[ 33.463064] refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c\n[ 33.464181] tick_nohz_idle_stop_tick from do_idle+0x264/0x354\n[ 33.465029] do_idle from cpu_startup_entry+0x20/0x24\n[ 33.465769] cpu_startup_entry from rest_init+0xf0/0xf4\n[ 33.466528] rest_init from arch_post_acpi_subsys_init+0x0/0x18\n[ 33.467397]\n[ 33.467644] The buggy address belongs to stack of task swapper/0/0\n[ 33.468493] and is located at offset 112 in frame:\n[ 33.469172] refresh_cpu_vm_stats.constprop.0+0x0/0x2ec\n[ 33.469917]\n[ 33.470165] This frame has 2 objects:\n[ 33.470696] [32, 76) 'global_zone_diff'\n[ 33.470729] [112, 276) 'global_node_diff'\n[ 33.471294]\n[ 33.472095] The buggy address belongs to the physical page:\n[ 33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03\n[ 33.473944] flags: 0x1000(reserved|zone=0)\n[ 33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001\n[ 33.475656] raw: 00000000\n[ 33.476050] page dumped because: kasan: bad access detected\n[ 33.476816]\n[ 33.477061] Memory state around the buggy address:\n[ 33.477732] c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 33.478630] c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00\n[ 33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1\n[ 33.480415] ^\n[ 33.481195] c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3\n[ 33.482088] c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n[ 33.482978] ==================================================================\n\nWe find the root cause of this OOB is that arm does not clear stale stack\npoison in the case of cpuidle.\n\nThis patch refer to arch/arm64/kernel/sleep.S to resolve this issue.\n\nFrom cited commit [1] that explain the problem\n\nFunctions which the compiler has instrumented for KASAN place poison on\nthe stack shadow upon entry and remove this poison prior to returning.\n\nIn the case of cpuidle, CPUs exit the kernel a number of levels deep in\nC code. Any instrumented functions on this critical path will leave\nportions of the stack shadow poisoned.\n\nIf CPUs lose context and return to the kernel via a cold path, we\nrestore a prior context saved in __cpu_suspend_enter are forgotten, and\nwe never remove the poison they placed in the stack shadow area by\nfunctions calls between this and the actual exit of the kernel.\n\nThus, (depending on stackframe layout) subsequent calls to instrumented\nfunctions may hit this stale poison, resulting in (spurious) KASAN\nsplats to the console.\n\nTo avoid this, clear any stale poison from the idle thread for a CPU\nprior to bringing a CPU online.\n\nFrom cited commit [2]\n\nExtend to check for CONFIG_KASAN_STACK\n\n[1] commit 0d97e6d8024c (\"arm64: kasan: clear stale stack poison\")\n[2] commit d56a9ef84bd0 (\"kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK\")", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36906" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36907", + "dataSource": "https://ubuntu.com/security/CVE-2024-36907", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36907" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36907", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36907", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/024f7744bd09cb2a47a0a96b9c8ad08109de99cc", + "https://git.kernel.org/stable/c/8e088a20dbe33919695a8082c0b32deb62d23b4a", + "https://git.kernel.org/stable/c/9b332c72299f2ac284ab3d7c0301969b933e4ca1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: add a missing rpc_stat for TCP TLS\n\nCommit 1548036ef120 (\"nfs: make the rpc_stat per net namespace\") added\nfunctionality to specify rpc_stats function but missed adding it to the\nTCP TLS functionality. As the result, mounting with xprtsec=tls lead to\nthe following kernel oops.\n\n[ 128.984192] Unable to handle kernel NULL pointer dereference at\nvirtual address 000000000000001c\n[ 128.985058] Mem abort info:\n[ 128.985372] ESR = 0x0000000096000004\n[ 128.985709] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 128.986176] SET = 0, FnV = 0\n[ 128.986521] EA = 0, S1PTW = 0\n[ 128.986804] FSC = 0x04: level 0 translation fault\n[ 128.987229] Data abort info:\n[ 128.987597] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 128.988169] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 128.988811] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 128.989302] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106c84000\n[ 128.990048] [000000000000001c] pgd=0000000000000000, p4d=0000000000000000\n[ 128.990736] Internal error: Oops: 0000000096000004 [#1] SMP\n[ 128.991168] Modules linked in: nfs_layout_nfsv41_files\nrpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace netfs\nuinput dm_mod nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill\nip_set nf_tables nfnetlink qrtr vsock_loopback\nvmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock\nsunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc\nvideobuf2_v4l2 videodev videobuf2_common mc vmw_vmci xfs libcrc32c\ne1000e crct10dif_ce ghash_ce sha2_ce vmwgfx nvme sha256_arm64\nnvme_core sr_mod cdrom sha1_ce drm_ttm_helper ttm drm_kms_helper drm\nsg fuse\n[ 128.996466] CPU: 0 PID: 179 Comm: kworker/u4:26 Kdump: loaded Not\ntainted 6.8.0-rc6+ #12\n[ 128.997226] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS\nVMW201.00V.21805430.BA64.2305221830 05/22/2023\n[ 128.998084] Workqueue: xprtiod xs_tcp_tls_setup_socket [sunrpc]\n[ 128.998701] pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 128.999384] pc : call_start+0x74/0x138 [sunrpc]\n[ 128.999809] lr : __rpc_execute+0xb8/0x3e0 [sunrpc]\n[ 129.000244] sp : ffff8000832b3a00\n[ 129.000508] x29: ffff8000832b3a00 x28: ffff800081ac79c0 x27: ffff800081ac7000\n[ 129.001111] x26: 0000000004248060 x25: 0000000000000000 x24: ffff800081596008\n[ 129.001757] x23: ffff80007b087240 x22: ffff00009a509d30 x21: 0000000000000000\n[ 129.002345] x20: ffff000090075600 x19: ffff00009a509d00 x18: ffffffffffffffff\n[ 129.002912] x17: 733d4d4554535953 x16: 42555300312d746e x15: ffff8000832b3a88\n[ 129.003464] x14: ffffffffffffffff x13: ffff8000832b3a7d x12: 0000000000000008\n[ 129.004021] x11: 0101010101010101 x10: ffff8000150cb560 x9 : ffff80007b087c00\n[ 129.004577] x8 : ffff00009a509de0 x7 : 0000000000000000 x6 : 00000000be8c4ee3\n[ 129.005026] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff000094d56680\n[ 129.005425] x2 : ffff80007b0637f8 x1 : ffff000090075600 x0 : ffff00009a509d00\n[ 129.005824] Call trace:\n[ 129.005967] call_start+0x74/0x138 [sunrpc]\n[ 129.006233] __rpc_execute+0xb8/0x3e0 [sunrpc]\n[ 129.006506] rpc_execute+0x160/0x1d8 [sunrpc]\n[ 129.006778] rpc_run_task+0x148/0x1f8 [sunrpc]\n[ 129.007204] tls_probe+0x80/0xd0 [sunrpc]\n[ 129.007460] rpc_ping+0x28/0x80 [sunrpc]\n[ 129.007715] rpc_create_xprt+0x134/0x1a0 [sunrpc]\n[ 129.007999] rpc_create+0x128/0x2a0 [sunrpc]\n[ 129.008264] xs_tcp_tls_setup_socket+0xdc/0x508 [sunrpc]\n[ 129.008583] process_one_work+0x174/0x3c8\n[ 129.008813] worker_thread+0x2c8/0x3e0\n[ 129.009033] kthread+0x100/0x110\n[ 129.009225] ret_from_fork+0x10/0x20\n[ 129.009432] Code: f0ffffc2 911fe042 aa1403e1 aa1303e0 (b9401c83)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36907" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36908", + "dataSource": "https://ubuntu.com/security/CVE-2024-36908", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36908" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36908", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36908", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01bc4fda9ea0a6b52f12326486f07a4910666cf6", + "https://git.kernel.org/stable/c/14b3275f93d4a0d8ddc02195bc4e9869b7a3700e", + "https://git.kernel.org/stable/c/1c172ac7afe4442964f4153b2c78fe4e005d9d67" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: do not WARN if iocg was already offlined\n\nIn iocg_pay_debt(), warn is triggered if 'active_list' is empty, which\nis intended to confirm iocg is active when it has debt. However, warn\ncan be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn()\nis run at that time:\n\n WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190\n Call trace:\n iocg_pay_debt+0x14c/0x190\n iocg_kick_waitq+0x438/0x4c0\n iocg_waitq_timer_fn+0xd8/0x130\n __run_hrtimer+0x144/0x45c\n __hrtimer_run_queues+0x16c/0x244\n hrtimer_interrupt+0x2cc/0x7b0\n\nThe warn in this situation is meaningless. Since this iocg is being\nremoved, the state of the 'active_list' is irrelevant, and 'waitq_timer'\nis canceled after removing 'active_list' in ioc_pd_free(), which ensures\niocg is freed after iocg_waitq_timer_fn() returns.\n\nTherefore, add the check if iocg was already offlined to avoid warn\nwhen removing a blkcg or disk.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36908" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36909", + "dataSource": "https://ubuntu.com/security/CVE-2024-36909", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36909" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36909", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36909", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2f622008bf784a9f5dd17baa19223cc2ac30a039", + "https://git.kernel.org/stable/c/30d18df6567be09c1433e81993e35e3da573ac48", + "https://git.kernel.org/stable/c/82f9e213b124a7d2bb5b16ea35d570260ef467e0", + "https://git.kernel.org/stable/c/a9212a4e2963a7fbe3864ba33dc551d4ad8d0abb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe VMBus ring buffer code could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the struct\nvmbus_gpadl for the ring buffers to decide whether to free the memory.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36909" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36910", + "dataSource": "https://ubuntu.com/security/CVE-2024-36910", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36910" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36910", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36910", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3d788b2fbe6a1a1a9e3db09742b90809d51638b7", + "https://git.kernel.org/stable/c/6466a0f6d235c8a18c602cb587160d7e49876db9", + "https://git.kernel.org/stable/c/dabf12bf994318d939f70d47cfda30e47abb2c54", + "https://git.kernel.org/stable/c/fe2c58602354fbd60680dc42ac3a0b772cda7d23" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Don't free decrypted memory\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe VMBus device UIO driver could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\nto decide whether to free the memory.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36910" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36911", + "dataSource": "https://ubuntu.com/security/CVE-2024-36911", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36911" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36911", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36911", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4aaed9dbe8acd2b6114458f0498a617283d6275b", + "https://git.kernel.org/stable/c/a56fe611326332bf6b7126e5559590c57dcebad4", + "https://git.kernel.org/stable/c/bbf9ac34677b57506a13682b31a2a718934c0e31" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Don't free decrypted memory\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe netvsc driver could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\nto decide whether to free the memory.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36911" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36912", + "dataSource": "https://ubuntu.com/security/CVE-2024-36912", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36912" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36912", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36912", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1999644d95194d4a58d3e80ad04ce19220a01a81", + "https://git.kernel.org/stable/c/211f514ebf1ef5de37b1cf6df9d28a56cfd242ca", + "https://git.kernel.org/stable/c/8e62341f5c45b27519b7d193bcc32ada416ad9d8", + "https://git.kernel.org/stable/c/bfae56be077ba14311509e70706a13458f87ea99" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Track decrypted status in vmbus_gpadl\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nIn order to make sure callers of vmbus_establish_gpadl() and\nvmbus_teardown_gpadl() don't return decrypted/shared pages to\nallocators, add a field in struct vmbus_gpadl to keep track of the\ndecryption status of the buffers. This will allow the callers to\nknow if they should free or leak the pages.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.1, + "exploitabilityScore": 2.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36912" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36913", + "dataSource": "https://ubuntu.com/security/CVE-2024-36913", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36913" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36913", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36913", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/03f5a999adba062456c8c818a683beb1b498983a", + "https://git.kernel.org/stable/c/6123a4e8e25bd40cf44db14694abac00e6b664e6", + "https://git.kernel.org/stable/c/e813a0fc2e597146e9cebea61ced9c796d4e308f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Leak pages if set_memory_encrypted() fails\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nVMBus code could free decrypted pages if set_memory_encrypted()/decrypted()\nfails. Leak the pages if this happens.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.1, + "exploitabilityScore": 2.2, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36913" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36914", + "dataSource": "https://ubuntu.com/security/CVE-2024-36914", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36914" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36914", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36914", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/951a498fa993c5501994ec2df97c9297b02488c7", + "https://git.kernel.org/stable/c/e9baa7110e9f3756bd5a812af376c288d9be894d", + "https://git.kernel.org/stable/c/ecedd99a9369fb5cde601ae9abd58bca2739f1ae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip on writeback when it's not applicable\n\n[WHY]\ndynamic memory safety error detector (KASAN) catches and generates error\nmessages \"BUG: KASAN: slab-out-of-bounds\" as writeback connector does not\nsupport certain features which are not initialized.\n\n[HOW]\nSkip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36914" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36915", + "dataSource": "https://ubuntu.com/security/CVE-2024-36915", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36915" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36915", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36915", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f106133203021533cb753e80d75896f4ad222f8", + "https://git.kernel.org/stable/c/29dc0ea979d433dd3c26abc8fa971550bdc05107", + "https://git.kernel.org/stable/c/7a87441c9651ba37842f4809224aca13a554a26f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: fix nfc_llcp_setsockopt() unsafe copies\n\nsyzbot reported unsafe calls to copy_from_sockptr() [1]\n\nUse copy_safe_from_sockptr() instead.\n\n[1]\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\nRead of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078\n\nCPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\n do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfd/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7f7fac07fd89\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89\nRDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36915" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36916", + "dataSource": "https://ubuntu.com/security/CVE-2024-36916", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36916" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36916", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36916", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/488dc6808cb8369685f18cee81e88e7052ac153b", + "https://git.kernel.org/stable/c/62accf6c1d7b433752cb3591bba8967b7a801ad5", + "https://git.kernel.org/stable/c/844fc023e9f14a4fb1de5ae1eaefafd6d69c5fa1", + "https://git.kernel.org/stable/c/beaa51b36012fad5a4d3c18b88a617aea7a9b96d", + "https://git.kernel.org/stable/c/ce0e99cae00e3131872936713b7f55eefd53ab86", + "https://git.kernel.org/stable/c/f6add0a6f78dc6360b822ca4b6f9f2f14174c8ca", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: avoid out of bounds shift\n\nUBSAN catches undefined behavior in blk-iocost, where sometimes\niocg->delay is shifted right by a number that is too large,\nresulting in undefined behavior on some architectures.\n\n[ 186.556576] ------------[ cut here ]------------\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23\nshift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')\nCPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1\nHardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020\nCall Trace:\n \n dump_stack_lvl+0x8f/0xe0\n __ubsan_handle_shift_out_of_bounds+0x22c/0x280\n iocg_kick_delay+0x30b/0x310\n ioc_timer_fn+0x2fb/0x1f80\n __run_timer_base+0x1b6/0x250\n...\n\nAvoid that undefined behavior by simply taking the\n\"delay = 0\" branch if the shift is too large.\n\nI am not sure what the symptoms of an undefined value\ndelay will be, but I suspect it could be more than a\nlittle annoying to debug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36916" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36917", + "dataSource": "https://ubuntu.com/security/CVE-2024-36917", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36917" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36917", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36917", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/22d24a544b0d49bbcbd61c8c0eaf77d3c9297155", + "https://git.kernel.org/stable/c/507d526a98c355e6f3fb2c47aacad44a69784bee", + "https://git.kernel.org/stable/c/8a26198186e97ee5fc4b42fde82629cff8c75cd6", + "https://git.kernel.org/stable/c/e1d38cde2b7b0fbd1c48082e7a98c37d750af59b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix overflow in blk_ioctl_discard()\n\nThere is no check for overflow of 'start + len' in blk_ioctl_discard().\nHung task occurs if submit an discard ioctl with the following param:\n start = 0x80000000000ff000, len = 0x8000000000fff000;\nAdd the overflow validation now.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36917" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36918", + "dataSource": "https://ubuntu.com/security/CVE-2024-36918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/608e13706c8b6c658a0646f09ebced74ec367f7c", + "https://git.kernel.org/stable/c/a8d89feba7e54e691ca7c4efc2a6264fa83f3687", + "https://git.kernel.org/stable/c/c418afb9bf23e2f2b76cb819601e4a5d9dbab42d", + "https://git.kernel.org/stable/c/fa6995eeb62e74b5a1480c73fb7b420c270784d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check bloom filter map value size\n\nThis patch adds a missing check to bloom filter creating, rejecting\nvalues above KMALLOC_MAX_SIZE. This brings the bloom map in line with\nmany other map types.\n\nThe lack of this protection can cause kernel crashes for value sizes\nthat overflow int's. Such a crash was caught by syzkaller. The next\npatch adds more guard-rails at a lower level.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36918" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36919", + "dataSource": "https://ubuntu.com/security/CVE-2024-36919", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36919" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36919", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36919", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1150606d47d711d5bfdf329a1a96ed7027085936", + "https://git.kernel.org/stable/c/468f3e3c15076338367b0945b041105b67cf31e3", + "https://git.kernel.org/stable/c/93aa5ccc44781bdfef1bf0bc4c2c292d45251312", + "https://git.kernel.org/stable/c/acd370c1fb86b7302c1cbb354a7c1cd9953768eb", + "https://git.kernel.org/stable/c/ad498539dda0816aadef384ec117bfea304c75c3", + "https://git.kernel.org/stable/c/c214ed2a4dda35b308b0b28eed804d7ae66401f9", + "https://git.kernel.org/stable/c/c885ab23206b1f1ba0731ffe7c9455c6a91db256", + "https://git.kernel.org/stable/c/ea50941cd8c9f0b12f38b73d3b1bfeca660dd342", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\n\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won't be used any longer. The offload and upload\ncalls are sequential, hence lock is not required.\n\nThis will suppress following BUG_ON():\n\n[ 449.843143] ------------[ cut here ]------------\n[ 449.848302] kernel BUG at mm/vmalloc.c:2727!\n[ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[ 449.882910] RIP: 0010:vunmap+0x2e/0x30\n[ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 449.993028] Call Trace:\n[ 449.995756] __iommu_dma_free+0x96/0x100\n[ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[ 450.018136] fc_rport_work+0x103/0x5b0 [libfc]\n[ 450.023103] process_one_work+0x1e8/0x3c0\n[ 450.027581] worker_thread+0x50/0x3b0\n[ 450.031669] ? rescuer_thread+0x370/0x370\n[ 450.036143] kthread+0x149/0x170\n[ 450.039744] ? set_kthread_struct+0x40/0x40\n[ 450.044411] ret_from_fork+0x22/0x30\n[ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[ 450.159753] ---[ end trace 712de2c57c64abc8 ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36919" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36920", + "dataSource": "https://ubuntu.com/security/CVE-2024-36920", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36920" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36920", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36920", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/429846b4b6ce9853e0d803a2357bb2e55083adf0", + "https://git.kernel.org/stable/c/4d2772324f43cf5674ac3dbe3f74a7e656396716", + "https://git.kernel.org/stable/c/5f0266044dc611563539705bff0b3e1545fbb6aa", + "https://git.kernel.org/stable/c/f09318244c6cafd10aca741b9c01e0a2c362d43a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Avoid memcpy field-spanning write WARNING\n\nWhen the \"storcli2 show\" command is executed for eHBA-9600, mpi3mr driver\nprints this WARNING message:\n\n memcpy: detected field-spanning write (size 128) of single field \"bsg_reply_buf->reply_buf\" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1)\n WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]\n\nThe cause of the WARN is 128 bytes memcpy to the 1 byte size array \"__u8\nreplay_buf[1]\" in the struct mpi3mr_bsg_in_reply_buf. The array is intended\nto be a flexible length array, so the WARN is a false positive.\n\nTo suppress the WARN, remove the constant number '1' from the array\ndeclaration and clarify that it has flexible length. Also, adjust the\nmemory allocation size to match the change.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36920" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36921", + "dataSource": "https://ubuntu.com/security/CVE-2024-36921", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36921" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36921", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36921", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17f64517bf5c26af56b6c3566273aad6646c3c4f", + "https://git.kernel.org/stable/c/94f80a8ec15e238b78521f20f8afaed60521a294", + "https://git.kernel.org/stable/c/fab21d220017daa5fd8a3d788ff25ccfecfaae2f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: guard against invalid STA ID on removal\n\nGuard against invalid station IDs in iwl_mvm_mld_rm_sta_id as that would\nresult in out-of-bounds array accesses. This prevents issues should the\ndriver get into a bad state during error handling.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36921" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36922", + "dataSource": "https://ubuntu.com/security/CVE-2024-36922", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36922" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36922", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36922", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/43d07103df670484cdd26f9588eabef80f69db89", + "https://git.kernel.org/stable/c/b83db8e756dec68a950ed2f056248b1704b3deaa", + "https://git.kernel.org/stable/c/c2ace6300600c634553657785dfe5ea0ed688ac2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: read txq->read_ptr under lock\n\nIf we read txq->read_ptr without lock, we can read the same\nvalue twice, then obtain the lock, and reclaim from there\nto two different places, but crucially reclaim the same\nentry twice, resulting in the WARN_ONCE() a little later.\nFix that by reading txq->read_ptr under lock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36922" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36923", + "dataSource": "https://ubuntu.com/security/CVE-2024-36923", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36923" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36923", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36923", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b4cb6e91f19b81217ad98142ee53a1ab25893fd", + "https://git.kernel.org/stable/c/6630036b7c228f57c7893ee0403e92c2db2cd21d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: fix uninitialized values during inode evict\n\nIf an iget fails due to not being able to retrieve information\nfrom the server then the inode structure is only partially\ninitialized. When the inode gets evicted, references to\nuninitialized structures (like fscache cookies) were being\nmade.\n\nThis patch checks for a bad_inode before doing anything other\nthan clearing the inode from the cache. Since the inode is\nbad, it shouldn't have any state associated with it that needs\nto be written back (and there really isn't a way to complete\nthose anyways).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36923" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36924", + "dataSource": "https://ubuntu.com/security/CVE-2024-36924", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36924" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36924", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36924", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6503c39398506cadda9f4c81695a9655ca5fb4fd", + "https://git.kernel.org/stable/c/ded20192dff31c91cef2a04f7e20e60e9bb887d3", + "https://git.kernel.org/stable/c/e8bf2c05e8ad68e90f9d5889a9e4ef3f6fe00683", + "https://git.kernel.org/stable/c/ee833d7e62de2b84ed1332d501b67f12e7e5678f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\n\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\nhbalock. Thus, lpfc_worker_wake_up() should not be called while holding the\nhbalock to avoid potential deadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36924" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36927", + "dataSource": "https://ubuntu.com/security/CVE-2024-36927", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36927" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36927", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36927", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5db08343ddb1b239320612036c398e4e1bb52818", + "https://git.kernel.org/stable/c/f5c603ad4e6fcf42f84053e882ebe20184bb309e", + "https://git.kernel.org/stable/c/fc1092f51567277509563800a3c56732070b6aa4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix uninit-value access in __ip_make_skb()\n\nKMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()\ntests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a\nrace condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL\nwhile __ip_make_skb() is running, the function will access icmphdr in the\nskb even if it is not included. This causes the issue reported by KMSAN.\n\nCheck FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL\non the socket.\n\nAlso, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These\nare union in struct flowi4 and are implicitly initialized by\nflowi4_init_output(), but we should not rely on specific union layout.\n\nInitialize these explicitly in raw_sendmsg().\n\n[1]\nBUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n ip_finish_skb include/net/ip.h:243 [inline]\n ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508\n raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128\n ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365\n raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36927" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36928", + "dataSource": "https://ubuntu.com/security/CVE-2024-36928", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36928" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36928", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36928", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6", + "https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524", + "https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494", + "https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3", + "https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: Fix kernel panic after setting hsuid\n\nSymptom:\nWhen the hsuid attribute is set for the first time on an IQD Layer3\ndevice while the corresponding network interface is already UP,\nthe kernel will try to execute a napi function pointer that is NULL.\n\nExample:\n---------------------------------------------------------------------------\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\n qdio ccwgroup pkey zcrypt\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\n[ 2057.572748] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\n[ 2057.572754] 00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\n[ 2057.572756] 000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\n[ 2057.572758] 00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\n[ 2057.572762] Krnl Code:#0000000000000000: 0000 illegal\n >0000000000000002: 0000 illegal\n 0000000000000004: 0000 illegal\n 0000000000000006: 0000 illegal\n 0000000000000008: 0000 illegal\n 000000000000000a: 0000 illegal\n 000000000000000c: 0000 illegal\n 000000000000000e: 0000 illegal\n[ 2057.572800] Call Trace:\n[ 2057.572801] ([<00000000ec639700>] 0xec639700)\n[ 2057.572803] [<00000000913183e2>] net_rx_action+0x2ba/0x398\n[ 2057.572809] [<0000000091515f76>] __do_softirq+0x11e/0x3a0\n[ 2057.572813] [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58\n[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)\n[ 2057.572822] [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98\n[ 2057.572825] [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70\n[ 2057.572827] [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]\n[ 2057.572830] [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]\n[ 2057.572833] [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]\n[ 2057.572835] [<00000000912e7e90>] __sys_connect+0xa0/0xd8\n[ 2057.572839] [<00000000912e9580>] sys_socketcall+0x228/0x348\n[ 2057.572841] [<0000000091514e1a>] system_call+0x2a6/0x2c8\n[ 2057.572843] Last Breaking-Event-Address:\n[ 2057.572844] [<0000000091317e44>] __napi_poll+0x4c/0x1d8\n[ 2057.572846]\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\n-------------------------------------------------------------------------------------------\n\nAnalysis:\nThere is one napi structure per out_q: card->qdio.out_qs[i].napi\nThe napi.poll functions are set during qeth_open().\n\nSince\ncommit 1cfef80d4c2b (\"s390/qeth: Don't call dev_close/dev_open (DOWN/UP)\")\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\ndev_open(). So if qeth_free_qdio_queues() cleared\ncard->qdio.out_qs[i].napi.poll while the network interface was UP and the\ncard was offline, they are not set again.\n\nReproduction:\nchzdev -e $devno layer2=0\nip link set dev $network_interface up\necho 0 > /sys/bus/ccw\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36928" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36929", + "dataSource": "https://ubuntu.com/security/CVE-2024-36929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36929" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36929", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/989bf6fd1e1d058e73a364dce1a0c53d33373f62", + "https://git.kernel.org/stable/c/aea5e2669c2863fdd8679c40ee310b3bcaa85aec", + "https://git.kernel.org/stable/c/c7af99cc21923a9650533c9d77265c8dd683a533", + "https://git.kernel.org/stable/c/cfe34d86ef9765c388f145039006bb79b6c81ac6", + "https://git.kernel.org/stable/c/d091e579b864fa790dd6a0cd537a22c383126681", + "https://git.kernel.org/stable/c/faa83a7797f06cefed86731ba4baa3b4dfdc06c1", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\n\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\ninvalid. Return NULL if such an skb is passed to skb_copy or\nskb_copy_expand, in order to prevent a crash on a potential later\ncall to skb_gso_segment.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36931", + "dataSource": "https://ubuntu.com/security/CVE-2024-36931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36931" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36931", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06759ebaf75c19c87b2453a5e130e9e61e9b5d65", + "https://git.kernel.org/stable/c/10452edd175fcc4fd0f5ac782ed2a002e3e5d65c", + "https://git.kernel.org/stable/c/84b38f48836662c4bfae646c014f4e981e16a2b2", + "https://git.kernel.org/stable/c/c9d48ce163305595ae20aee27774192476d5e6a5", + "https://git.kernel.org/stable/c/da7c622cddd4fe36be69ca61e8c42e43cde94784" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a lbuf-sized kernel buffer and copy lbuf from\nuserspace to that buffer. Later, we use scanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using scanf. Fix this issue by using memdup_user_nul instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36933", + "dataSource": "https://ubuntu.com/security/CVE-2024-36933", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36933" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36933", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36933", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29a07f2ee4d273760c2acbfc756e29eccd82470a", + "https://git.kernel.org/stable/c/37ed6f244ec5bda2e90b085084e322ea55d0aaa2", + "https://git.kernel.org/stable/c/46134031c20fd313d03b90169d64b2e05ca6b65c", + "https://git.kernel.org/stable/c/4b911a9690d72641879ea6d13cce1de31d346d79", + "https://git.kernel.org/stable/c/5a4603fbc285752d19e4b415466db18ef3617e4a", + "https://git.kernel.org/stable/c/696d18bb59727a2e0526c0802a812620be1c9340", + "https://git.kernel.org/stable/c/a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9", + "https://git.kernel.org/stable/c/bbccf0caef2fa917d6d0692385a06ce3c262a216", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().\n\nsyzbot triggered various splats (see [0] and links) by a crafted GSO\npacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:\n\n ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP\n\nNSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner\nprotocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls\nskb_mac_gso_segment() to invoke inner protocol GSO handlers.\n\nnsh_gso_segment() does the following for the original skb before\ncalling skb_mac_gso_segment()\n\n 1. reset skb->network_header\n 2. save the original skb->{mac_heaeder,mac_len} in a local variable\n 3. pull the NSH header\n 4. resets skb->mac_header\n 5. set up skb->mac_len and skb->protocol for the inner protocol.\n\nand does the following for the segmented skb\n\n 6. set ntohs(ETH_P_NSH) to skb->protocol\n 7. push the NSH header\n 8. restore skb->mac_header\n 9. set skb->mac_header + mac_len to skb->network_header\n 10. restore skb->mac_len\n\nThere are two problems in 6-7 and 8-9.\n\n (a)\n After 6 & 7, skb->data points to the NSH header, so the outer header\n (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.\n\n Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),\n skb_pull() in the first nsh_gso_segment() will make skb->data point\n to the middle of the outer NSH or Ethernet header because the Ethernet\n header is not pulled by the second nsh_gso_segment().\n\n (b)\n While restoring skb->{mac_header,network_header} in 8 & 9,\n nsh_gso_segment() does not assume that the data in the linear\n buffer is shifted.\n\n However, udp6_ufo_fragment() could shift the data and change\n skb->mac_header accordingly as demonstrated by syzbot.\n\n If this happens, even the restored skb->mac_header points to\n the middle of the outer header.\n\nIt seems nsh_gso_segment() has never worked with outer headers so far.\n\nAt the end of nsh_gso_segment(), the outer header must be restored for\nthe segmented skb, instead of the NSH header.\n\nTo do that, let's calculate the outer header position relatively from\nthe inner header and set skb->{data,mac_header,protocol} properly.\n\n[0]:\nBUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\nBUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\nBUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222\n __netdev_start_xmit include/linux/netdevice.h:4989 [inline]\n netdev_start_xmit include/linux/netdevice.h:5003 [inline]\n xmit_one net/core/dev.c:3547 [inline]\n dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563\n __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3819 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n __do_kmalloc_node mm/slub.c:3980 [inline]\n __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001\n kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\n __\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36933" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36934", + "dataSource": "https://ubuntu.com/security/CVE-2024-36934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36934" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36934", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06cb37e2ba6441888f24566a997481d4197b4e32", + "https://git.kernel.org/stable/c/0f560240b4cc25d3de527deb257cdf072c0102a9", + "https://git.kernel.org/stable/c/1518b2b498a0109eb6b15755169d3b6607356b35", + "https://git.kernel.org/stable/c/6f0f19b79c085cc891c418b768f26f7004bd51a4", + "https://git.kernel.org/stable/c/80578ec10335bc15ac35fd1703c22aab34e39fdd", + "https://git.kernel.org/stable/c/8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f", + "https://git.kernel.org/stable/c/bd502ba81cd1d515deddad7dbc6b812b14b97147", + "https://git.kernel.org/stable/c/e19478763154674c084defc62ae0d64d79657f91", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbna: ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul\ninstead of memdup_user.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36937", + "dataSource": "https://ubuntu.com/security/CVE-2024-36937", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36937" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36937", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36937", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e", + "https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc", + "https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c", + "https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553", + "https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: use flags field to disambiguate broadcast redirect\n\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\nup the redirect destination information in struct bpf_redirect_info (using\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\nfunction will read this information after the XDP program returns and pass\nthe frame on to the right redirect destination.\n\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\nbpf_redirect_info to point to the destination map to be broadcast. And\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\nit's dealing with a broadcast or a single-value redirect. However, if the\ndestination map is being destroyed before xdp_do_redirect() is called, the\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\nto think that the redirect was to a single target, but the target pointer\nis also NULL (since broadcast redirects don't have a single target), so\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\n\nTo fix this, change xdp_do_redirect() to react directly to the presence of\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\nto disambiguate between a single-target and a broadcast redirect. And only\nread the 'map' pointer if the broadcast flag is set, aborting if that has\nbeen cleared out in the meantime. This prevents the crash, while keeping\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\nadding any more checks in the non-broadcast fast path.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36937" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36938", + "dataSource": "https://ubuntu.com/security/CVE-2024-36938", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36938" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36938", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36938", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27", + "https://git.kernel.org/stable/c/5965bc7535fb87510b724e5465ccc1a1cf00916d", + "https://git.kernel.org/stable/c/6648e613226e18897231ab5e42ffc29e63fa3365", + "https://git.kernel.org/stable/c/772d5729b5ff0df0d37b32db600ce635b2172f80", + "https://git.kernel.org/stable/c/b397a0ab8582c533ec0c6b732392f141fc364f87", + "https://git.kernel.org/stable/c/c0809c128dad4c3413818384eb06a341633db973" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\n\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\nsyzbot reported [1].\n\n[1]\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\n\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\n sk_psock_put include/linux/skmsg.h:459 [inline]\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0x68/0x150 net/socket.c:1421\n __fput+0x2c1/0x660 fs/file_table.c:422\n __fput_sync+0x44/0x60 fs/file_table.c:507\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\n unix_read_skb net/unix/af_unix.c:2546 [inline]\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x140/0x180 net/socket.c:745\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nvalue changed: 0xffffffff83d7feb0 -> 0x0000000000000000\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\n\nPrior to this, commit 4cd12c6065df (\"bpf, sockmap: Fix NULL pointer\ndereference in sk_psock_verdict_data_ready()\") fixed one NULL pointer\nsimilarly due to no protection of saved_data_ready. Here is another\ndifferent caller causing the same issue because of the same reason. So\nwe should protect it with sk_callback_lock read lock because the writer\nside in the sk_psock_drop() uses \"write_lock_bh(&sk->sk_callback_lock);\".\n\nTo avoid errors that could happen in future, I move those two pairs of\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36938" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36939", + "dataSource": "https://ubuntu.com/security/CVE-2024-36939", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36939" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36939", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36939", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/24457f1be29f1e7042e50a7749f5c2dde8c433c8", + "https://git.kernel.org/stable/c/8a1f89c98dcc542dd6d287e573523714702e0f9c", + "https://git.kernel.org/stable/c/8ae63bd858691bee0e2a92571f2fbb36a4d86d65", + "https://git.kernel.org/stable/c/9909dde2e53a19585212c32fe3eda482b5faaaa3", + "https://git.kernel.org/stable/c/b33ca18c3a1190208dfd569c4fa8a2f93084709f", + "https://git.kernel.org/stable/c/d4891d817350c67392d4731536945f3809a2a0ba", + "https://git.kernel.org/stable/c/ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: Handle error of rpc_proc_register() in nfs_net_init().\n\nsyzkaller reported a warning [0] triggered while destroying immature\nnetns.\n\nrpc_proc_register() was called in init_nfs_fs(), but its error\nhas been ignored since at least the initial commit 1da177e4c3f4\n(\"Linux-2.6.12-rc2\").\n\nRecently, commit d47151b79e32 (\"nfs: expose /proc/net/sunrpc/nfs\nin net namespaces\") converted the procfs to per-netns and made\nthe problem more visible.\n\nEven when rpc_proc_register() fails, nfs_net_init() could succeed,\nand thus nfs_net_exit() will be called while destroying the netns.\n\nThen, remove_proc_entry() will be called for non-existing proc\ndirectory and trigger the warning below.\n\nLet's handle the error of rpc_proc_register() properly in nfs_net_init().\n\n[0]:\nname 'nfs'\nWARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nModules linked in:\nCPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nCode: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb\nRSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c\nRDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc\nR13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8\nFS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310\n nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438\n ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170\n setup_net+0x46c/0x660 net/core/net_namespace.c:372\n copy_net_ns+0x244/0x590 net/core/net_namespace.c:505\n create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228\n ksys_unshare+0x342/0x760 kernel/fork.c:3322\n __do_sys_unshare kernel/fork.c:3393 [inline]\n __se_sys_unshare kernel/fork.c:3391 [inline]\n __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x7f30d0febe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002\nR13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36939" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36940", + "dataSource": "https://ubuntu.com/security/CVE-2024-36940", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36940" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36940", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36940", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/288bc4aa75f150d6f1ee82dd43c6da1b438b6068", + "https://git.kernel.org/stable/c/41f88ef8ba387a12f4a2b8c400b6c9e8e54b2cca", + "https://git.kernel.org/stable/c/5038a66dad0199de60e5671603ea6623eb9e5c79", + "https://git.kernel.org/stable/c/558c8039fdf596a584a92c171cbf3298919c448c", + "https://git.kernel.org/stable/c/735f4c6b6771eafe336404c157ca683ad72a040d", + "https://git.kernel.org/stable/c/ac7d65795827dc0cf7662384ed27caf4066bd72e", + "https://git.kernel.org/stable/c/cdaa171473d98962ae86f2a663d398fda2fbeefd", + "https://git.kernel.org/stable/c/f9f1e321d53e4c5b666b66e5b43da29841fb55ba", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: core: delete incorrect free in pinctrl_enable()\n\nThe \"pctldev\" struct is allocated in devm_pinctrl_register_and_init().\nIt's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),\nso freeing it in pinctrl_enable() will lead to a double free.\n\nThe devm_pinctrl_dev_release() function frees the pindescs and destroys\nthe mutex as well.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36940" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36941", + "dataSource": "https://ubuntu.com/security/CVE-2024-36941", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36941" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36941", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36941", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/244822c09b4f9aedfb5977f03c0deeb39da8ec7d", + "https://git.kernel.org/stable/c/327382dc0f16b268950b96e0052595efd80f7b0a", + "https://git.kernel.org/stable/c/5a730a161ac2290d46d49be76b2b1aee8d2eb307", + "https://git.kernel.org/stable/c/801ea33ae82d6a9d954074fbcf8ea9d18f1543a7", + "https://git.kernel.org/stable/c/97792d0611ae2e6fe3ccefb0a94a1d802317c457", + "https://git.kernel.org/stable/c/ad12c74e953b68ad85c78adc6408ed8435c64af4", + "https://git.kernel.org/stable/c/b0db4caa10f2e4e811cf88744fbf0d074b67ec1f", + "https://git.kernel.org/stable/c/f92772a642485394db5c9a17bd0ee73fc6902383", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: don't free NULL coalescing rule\n\nIf the parsing fails, we can dereference a NULL pointer here.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36941" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36944", + "dataSource": "https://ubuntu.com/security/CVE-2024-36944", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36944" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36944", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36944", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/148ed8b4d64f94ab079c8f0d88c3f444db97ba97", + "https://git.kernel.org/stable/c/3628e0383dd349f02f882e612ab6184e4bb3dc10", + "https://git.kernel.org/stable/c/3dfe35d8683daf9ba69278643efbabe40000bbf6", + "https://git.kernel.org/stable/c/4a89ac4b0921c4ea21eb1b4cf3a469a91bacfcea", + "https://git.kernel.org/stable/c/b548c53bc3ab83dc6fc86c8e840f013b2032267a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nReapply \"drm/qxl: simplify qxl_fence_wait\"\n\nThis reverts commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea.\n\nStephen Rostedt reports:\n \"I went to run my tests on my VMs and the tests hung on boot up.\n Unfortunately, the most I ever got out was:\n\n [ 93.607888] Testing event system initcall: OK\n [ 93.667730] Running tests on all trace events:\n [ 93.669757] Testing all events: OK\n [ 95.631064] ------------[ cut here ]------------\n Timed out after 60 seconds\"\n\nand further debugging points to a possible circular locking dependency\nbetween the console_owner locking and the worker pool locking.\n\nReverting the commit allows Steve's VM to boot to completion again.\n\n[ This may obviously result in the \"[TTM] Buffer eviction failed\"\n messages again, which was the reason for that original revert. But at\n this point this seems preferable to a non-booting system... ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36944" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36945", + "dataSource": "https://ubuntu.com/security/CVE-2024-36945", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36945" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36945", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36945", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ddc0dd7fec86ee53b8928a5cca5fbddd4fc7c06", + "https://git.kernel.org/stable/c/5df93c029a907b0ff5a4eeadd77ba06ff0a277d2", + "https://git.kernel.org/stable/c/d5a466ab6e78d6f2e0f64435f1e17246c8e941ff", + "https://git.kernel.org/stable/c/da91e447d06dc649fcf46e59122e7bf8f0b2e0db" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix neighbour and rtable leak in smc_ib_find_route()\n\nIn smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable\nresolved by ip_route_output_flow() are not released or put before return.\nIt may cause the refcount leak, so fix it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36945" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36946", + "dataSource": "https://ubuntu.com/security/CVE-2024-36946", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36946" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36946", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36946", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4ff334cade9dae50e4be387f71e94fae634aa9b4", + "https://git.kernel.org/stable/c/728a83160f98ee6b60df0d890141b9b7240182fe", + "https://git.kernel.org/stable/c/9a77226440008cf04ba68faf641a2d50f4998137", + "https://git.kernel.org/stable/c/d8cac8568618dcb8a51af3db1103e8d4cc4aeea7", + "https://git.kernel.org/stable/c/dc6beac059f0331de97155a89d84058d4a9e49c7", + "https://git.kernel.org/stable/c/ec1f71c05caeba0f814df77e0f511d8b4618623a", + "https://git.kernel.org/stable/c/ee9e39a6cb3ca2a3d35b4ae25547ee3526a44d00", + "https://git.kernel.org/stable/c/f085e02f0a32f6dfcfabc6535c9c4a1707cef86b", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet: fix rtm_phonet_notify() skb allocation\n\nfill_route() stores three components in the skb:\n\n- struct rtmsg\n- RTA_DST (u8)\n- RTA_OIF (u32)\n\nTherefore, rtm_phonet_notify() should use\n\nNLMSG_ALIGN(sizeof(struct rtmsg)) +\nnla_total_size(1) +\nnla_total_size(4)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36946" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36947", + "dataSource": "https://ubuntu.com/security/CVE-2024-36947", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36947" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36947", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36947", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02ee394a5d899d9bd2f0759382e9481cab6166f8", + "https://git.kernel.org/stable/c/24dd9b08df718f20ccf2dd1519909fefd8c233ee", + "https://git.kernel.org/stable/c/aa23317d0268b309bb3f0801ddd0d61813ff5afb", + "https://git.kernel.org/stable/c/bd8f78c71defbcb7a9ed331e7f287507df972b00", + "https://git.kernel.org/stable/c/db71ca93259dd1078bcfea3afafde2143cfc2da7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nqibfs: fix dentry leak\n\nsimple_recursive_removal() drops the pinning references to all positives\nin subtree. For the cases when its argument has been kept alive by\nthe pinning alone that's exactly the right thing to do, but here\nthe argument comes from dcache lookup, that needs to be balanced by\nexplicit dput().\n\nFucked-up-by: Al Viro ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36947" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36948", + "dataSource": "https://ubuntu.com/security/CVE-2024-36948", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36948" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36948", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36948", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/9cb46b31f3d08ed3fce86349e8c12f96d7c88717", + "https://git.kernel.org/stable/c/e23a904dfeb5a9e3d4ec527a365e962478cccf05" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/xe_migrate: Cast to output precision before multiplying operands\n\nAddressing potential overflow in result of multiplication of two lower\nprecision (u32) operands before widening it to higher precision\n(u64).\n\n-v2\nFix commit message and description. (Rodrigo)\n\n(cherry picked from commit 34820967ae7b45411f8f4f737c2d63b0c608e0d7)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36948" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36949", + "dataSource": "https://ubuntu.com/security/CVE-2024-36949", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36949" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36949", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36949", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/b6f6626528fe724b512c34f3fb5946c36a135f58", + "https://git.kernel.org/stable/c/d06af584be5a769d124b7302b32a033e9559761d", + "https://git.kernel.org/stable/c/ed28ef3840bbf93a64376ea7814ce39f86352e14" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: sync all devices to wait all processes being evicted\n\nIf there are more than one device doing reset in parallel, the first\ndevice will call kfd_suspend_all_processes() to evict all processes\non all devices, this call takes time to finish. other device will\nstart reset and recover without waiting. if the process has not been\nevicted before doing recover, it will be restored, then caused page\nfault.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36949" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36950", + "dataSource": "https://ubuntu.com/security/CVE-2024-36950", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36950" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36950", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36950", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/31279bbca40d2f40cb3bbb6d538ec9620a645dec", + "https://git.kernel.org/stable/c/4f9cc355c328fc4f41cbd9c4cd58b235184fa420", + "https://git.kernel.org/stable/c/5982887de60c1b84f9c0ca07c835814d07fd1da0", + "https://git.kernel.org/stable/c/6fafe3661712b143d9c69a7322294bd53f559d5d", + "https://git.kernel.org/stable/c/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9", + "https://git.kernel.org/stable/c/8643332aac0576581cfdf01798ea3e4e0d624b61", + "https://git.kernel.org/stable/c/b3948c69d60279fce5b2eeda92a07d66296c8130", + "https://git.kernel.org/stable/c/fa273f312334246c909475c5868e6daab889cc8c", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: ohci: mask bus reset interrupts between ISR and bottom half\n\nIn the FireWire OHCI interrupt handler, if a bus reset interrupt has\noccurred, mask bus reset interrupts until bus_reset_work has serviced and\ncleared the interrupt.\n\nNormally, we always leave bus reset interrupts masked. We infer the bus\nreset from the self-ID interrupt that happens shortly thereafter. A\nscenario where we unmask bus reset interrupts was introduced in 2008 in\na007bb857e0b26f5d8b73c2ff90782d9c0972620: If\nOHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we\nwill unmask bus reset interrupts so we can log them.\n\nirq_handler logs the bus reset interrupt. However, we can't clear the bus\nreset event flag in irq_handler, because we won't service the event until\nlater. irq_handler exits with the event flag still set. If the\ncorresponding interrupt is still unmasked, the first bus reset will\nusually freeze the system due to irq_handler being called again each\ntime it exits. This freeze can be reproduced by loading firewire_ohci\nwith \"modprobe firewire_ohci debug=-1\" (to enable all debugging output).\nApparently there are also some cases where bus_reset_work will get called\nsoon enough to clear the event, and operation will continue normally.\n\nThis freeze was first reported a few months after a007bb85 was committed,\nbut until now it was never fixed. The debug level could safely be set\nto -1 through sysfs after the module was loaded, but this would be\nineffectual in logging bus reset interrupts since they were only\nunmasked during initialization.\n\nirq_handler will now leave the event flag set but mask bus reset\ninterrupts, so irq_handler won't be called again and there will be no\nfreeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will\nunmask the interrupt after servicing the event, so future interrupts\nwill be caught as desired.\n\nAs a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be\nenabled through sysfs in addition to during initial module loading.\nHowever, when enabled through sysfs, logging of bus reset interrupts will\nbe effective only starting with the second bus reset, after\nbus_reset_work has executed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36950" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36951", + "dataSource": "https://ubuntu.com/security/CVE-2024-36951", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36951" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36951", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36951", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0cac183b98d8a8c692c98e8dba37df15a9e9210d", + "https://git.kernel.org/stable/c/41dc6791596656dd41100b85647ed489e1d5c2f2", + "https://git.kernel.org/stable/c/b6735bfe941486c5dfc9c3085d2d75d4923f9449" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: range check cp bad op exception interrupts\n\nDue to a CP interrupt bug, bad packet garbage exception codes are raised.\nDo a range check so that the debugger and runtime do not receive garbage\ncodes.\nUpdate the user api to guard exception code type checking as well.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36951" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36952", + "dataSource": "https://ubuntu.com/security/CVE-2024-36952", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36952" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36952", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36952", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0936809d968ecf81e0726fbd02ff2a5732d960c3", + "https://git.kernel.org/stable/c/4ddf01f2f1504fa08b766e8cfeec558e9f8eef6c", + "https://git.kernel.org/stable/c/718602cd15f4c5710850090ea3066a89eeb46278", + "https://git.kernel.org/stable/c/76337eb8daee32bcc67742efab3168ed4ca299d0", + "https://git.kernel.org/stable/c/f2c7f029051edc4b394bb48edbe2297575abefe0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\n\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric. This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\n\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject. This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\n\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36952" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36953", + "dataSource": "https://ubuntu.com/security/CVE-2024-36953", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36953" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36953", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36953", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01981276d64e542c177b243f7c979fee855d5487", + "https://git.kernel.org/stable/c/17db92da8be5dd3bf63c01f4109fe47db64fc66f", + "https://git.kernel.org/stable/c/3a5b0378ac6776c7c31b18e0f3c1389bd6005e80", + "https://git.kernel.org/stable/c/4404465a1bee3607ad90a4c5f9e16dfd75b85728", + "https://git.kernel.org/stable/c/6ddb4f372fc63210034b903d96ebbeb3c7195adb", + "https://git.kernel.org/stable/c/8d6a1c8e3de36cb0f5e866f1a582b00939e23104", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()\n\nvgic_v2_parse_attr() is responsible for finding the vCPU that matches\nthe user-provided CPUID, which (of course) may not be valid. If the ID\nis invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled\ngracefully.\n\nSimilar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id()\nactually returns something and fail the ioctl if not.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36953" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36954", + "dataSource": "https://ubuntu.com/security/CVE-2024-36954", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36954" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36954", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36954", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01cd1b7b685751ee422d00d050292a3d277652d6", + "https://git.kernel.org/stable/c/2f87fd9476cf9725d774e6dcb7d17859c6a6d1ae", + "https://git.kernel.org/stable/c/3210d34fda4caff212cb53729e6bd46de604d565", + "https://git.kernel.org/stable/c/42c8471b0566c7539e7dd584b4d0ebd3cec8cb2c", + "https://git.kernel.org/stable/c/614c5a5ae45a921595952117b2e2bd4d4bf9b574", + "https://git.kernel.org/stable/c/97bf6f81b29a8efaf5d0983251a7450e5794370d", + "https://git.kernel.org/stable/c/adbce6d20da6254c86425a8d4359b221b5ccbccd", + "https://git.kernel.org/stable/c/d03a82f4f8144befdc10518e732e2a60b34c870e", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix a possible memleak in tipc_buf_append\n\n__skb_linearize() doesn't free the skb when it fails, so move\n'*buf = NULL' after __skb_linearize(), so that the skb can be\nfreed on the err path.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36954" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36955", + "dataSource": "https://ubuntu.com/security/CVE-2024-36955", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36955" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36955", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36955", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/722d33c442e66e4aabd3e778958d696ff3a2777e", + "https://git.kernel.org/stable/c/7db626d2730d3d80fd31638169054b1e507f07bf", + "https://git.kernel.org/stable/c/7ef6ecf98ce309b1f4e5a25cddd5965d01feea07", + "https://git.kernel.org/stable/c/bd2d9641a39e6b5244230c4b41c4aca83b54b377", + "https://git.kernel.org/stable/c/c158cf914713efc3bcdc25680c7156c48c12ef6a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()\n\nThe documentation for device_get_named_child_node() mentions this\nimportant point:\n\n\"\nThe caller is responsible for calling fwnode_handle_put() on the\nreturned fwnode pointer.\n\"\n\nAdd fwnode_handle_put() to avoid a leaked reference.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.7, + "exploitabilityScore": 2.5, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36955" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36957", + "dataSource": "https://ubuntu.com/security/CVE-2024-36957", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36957" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36957", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36957", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a0285cee11c7dcc2657bcd456e469958a5009e7", + "https://git.kernel.org/stable/c/8f11fe3ea3fc261640cfc8a5addd838000407c67", + "https://git.kernel.org/stable/c/bcdac70adceb44373da204c3c297f2a98e13216e", + "https://git.kernel.org/stable/c/ec697fbd38cbe2eef0948b58673b146caa95402f", + "https://git.kernel.org/stable/c/f299ee709fb45036454ca11e90cb2810fe771878", + "https://git.kernel.org/stable/c/fc3e0076c1f82fe981d321e3a7bad4cbee542c19", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: avoid off-by-one read from userspace\n\nWe try to access count + 1 byte from userspace with memdup_user(buffer,\ncount + 1). However, the userspace only provides buffer of count bytes and\nonly these count bytes are verified to be okay to access. To ensure the\ncopied buffer is NUL terminated, we use memdup_user_nul instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36957" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36959", + "dataSource": "https://ubuntu.com/security/CVE-2024-36959", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36959" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36959", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36959", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/026e24cf31733dbd97f41cc9bc5273ace428eeec", + "https://git.kernel.org/stable/c/06780473cb8a858d1d6cab2673e021b072a852d1", + "https://git.kernel.org/stable/c/35ab679e8bb5a81a4f922d3efbd43e32bce69274", + "https://git.kernel.org/stable/c/47d253c485491caaf70d8cd8c0248ae26e42581f", + "https://git.kernel.org/stable/c/518d5ddafeb084d6d9b1773ed85164300037d0e6", + "https://git.kernel.org/stable/c/76aa2440deb9a35507590f2c981a69a57ecd305d", + "https://git.kernel.org/stable/c/a0cedbcc8852d6c77b00634b81e41f17f29d9404", + "https://git.kernel.org/stable/c/c7e02ccc9fdc496fe51e440e3e66ac36509ca049", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()\n\nIf we fail to allocate propname buffer, we need to drop the reference\ncount we just took. Because the pinctrl_dt_free_maps() includes the\ndroping operation, here we call it directly.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36959" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36960", + "dataSource": "https://ubuntu.com/security/CVE-2024-36960", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36960" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36960", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36960", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0dbfc73670b357456196130551e586345ca48e1b", + "https://git.kernel.org/stable/c/2f527e3efd37c7c5e85e8aa86308856b619fa59f", + "https://git.kernel.org/stable/c/3cd682357c6167f636aec8ac0efaa8ba61144d36", + "https://git.kernel.org/stable/c/7b5fd3af4a250dd0a2a558e07b43478748eb5d22", + "https://git.kernel.org/stable/c/a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c", + "https://git.kernel.org/stable/c/b7bab33c4623c66e3398d5253870d4e88c52dfc0", + "https://git.kernel.org/stable/c/cef0962f2d3e5fd0660c8efb72321083a1b531a9", + "https://git.kernel.org/stable/c/deab66596dfad14f1c54eeefdb72428340d72a77", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix invalid reads in fence signaled events\n\nCorrectly set the length of the drm_event to the size of the structure\nthat's actually used.\n\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. drm_read\nuses the length parameter to copy the event to the user space thus\nresuling in oob reads.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36960" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36964", + "dataSource": "https://ubuntu.com/security/CVE-2024-36964", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36964" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36964", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36964", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/157d468e34fdd3cb1ddc07c2be32fb3b02826b02", + "https://git.kernel.org/stable/c/5a605930e19f451294bd838754f7d66c976a8a2c", + "https://git.kernel.org/stable/c/ad4f65328661392de74e3608bb736fedf3b67e32", + "https://git.kernel.org/stable/c/ca9b5c81f0c918c63d73d962ed8a8e231f840bc8", + "https://git.kernel.org/stable/c/cd25e15e57e68a6b18dc9323047fe9c68b99290b", + "https://git.kernel.org/stable/c/df1962a199783ecd66734d563caf0fedecf08f96", + "https://git.kernel.org/stable/c/e55c601af3b1223a84f9f27f9cdbd2af5e203bf3", + "https://git.kernel.org/stable/c/e90bc596a74bb905e0a45bf346038c3f9d1e868d", + "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: only translate RWX permissions for plain 9P2000\n\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\nto be able to set (among others) the suid bit. This was presumably not\nthe intent since the unix extended bits are handled explicitly and\nconditionally on .u.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36964" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36965", + "dataSource": "https://ubuntu.com/security/CVE-2024-36965", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36965" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36965", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36965", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/00548ac6b14428719c970ef90adae2b3b48c0cdf", + "https://git.kernel.org/stable/c/1d9e2de24533daca36cbf09e8d8596bf72b526b2", + "https://git.kernel.org/stable/c/26c6d7dc8c6a9fde9d362ab2eef6390efeff145e", + "https://git.kernel.org/stable/c/331f91d86f71d0bb89a44217cc0b2a22810bbd42", + "https://git.kernel.org/stable/c/36c79eb4845551e9f6d28c663b38ce0ab03b84a9", + "https://git.kernel.org/stable/c/838b49e211d59fa827ff9df062d4020917cffbdf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: mediatek: Make sure IPI buffer fits in L2TCM\n\nThe IPI buffer location is read from the firmware that we load to the\nSystem Companion Processor, and it's not granted that both the SRAM\n(L2TCM) size that is defined in the devicetree node is large enough\nfor that, and while this is especially true for multi-core SCP, it's\nstill useful to check on single-core variants as well.\n\nFailing to perform this check may make this driver perform R/W\noperations out of the L2TCM boundary, resulting (at best) in a\nkernel panic.\n\nTo fix that, check that the IPI buffer fits, otherwise return a\nfailure and refuse to boot the relevant SCP core (or the SCP at\nall, if this is single core).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36965" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36966", + "dataSource": "https://ubuntu.com/security/CVE-2024-36966", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36966" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36966", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36966", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7af2ae1b1531feab5d38ec9c8f472dc6cceb4606", + "https://git.kernel.org/stable/c/dcdd49701e429c55b3644fd70fc58d85745f8cfe", + "https://git.kernel.org/stable/c/f9b877a7ee312ec8ce17598a7ef85cb820d7c371" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: reliably distinguish block based and fscache mode\n\nWhen erofs_kill_sb() is called in block dev based mode, s_bdev may not\nhave been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled,\nit will be mistaken for fscache mode, and then attempt to free an anon_dev\nthat has never been allocated, triggering the following warning:\n\n============================================\nida_free called for id=0 which is not allocated.\nWARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140\nModules linked in:\nCPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630\nRIP: 0010:ida_free+0x134/0x140\nCall Trace:\n \n erofs_kill_sb+0x81/0x90\n deactivate_locked_super+0x35/0x80\n get_tree_bdev+0x136/0x1e0\n vfs_get_tree+0x2c/0xf0\n do_new_mount+0x190/0x2f0\n [...]\n============================================\n\nNow when erofs_kill_sb() is called, erofs_sb_info must have been\ninitialised, so use sbi->fsid to distinguish between the two modes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36966" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36967", + "dataSource": "https://ubuntu.com/security/CVE-2024-36967", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36967" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36967", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36967", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/189c768932d435045b1fae12bf63e53866f06a28", + "https://git.kernel.org/stable/c/1e6914fa8e7798bcf3ce4a5b96ea4ac1d5571cdf", + "https://git.kernel.org/stable/c/5d91238b590bd883c86ba7707c5c9096469c08b7", + "https://git.kernel.org/stable/c/cf26a92f560eed5d6ddc3d441cc645950cbabc56", + "https://git.kernel.org/stable/c/e62835264d0352be6086975f18fdfed2b5520b13", + "https://git.kernel.org/stable/c/ffcaa2172cc1a85ddb8b783de96d38ca8855e248" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix memory leak in tpm2_key_encode()\n\n'scratch' is never freed. Fix this by calling kfree() in the success, and\nin the error case.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36967" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36968", + "dataSource": "https://ubuntu.com/security/CVE-2024-36968", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36968" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36968", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36968", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4d3dbaa252257d20611c3647290e6171f1bbd6c8", + "https://git.kernel.org/stable/c/a5b862c6a221459d54e494e88965b48dcfa6cc44", + "https://git.kernel.org/stable/c/ad3f7986c5a0f82b8b66a0afe1cc1f5421e1d674", + "https://git.kernel.org/stable/c/d2b2f7d3936dc5990549bc36ab7ac7ac37f22c30", + "https://git.kernel.org/stable/c/dfece2b4e3759759b2bdfac2cd6d0ee9fbf055f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\n\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\noverflow since hdev->le_mtu may not fall in the valid range.\n\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\nprocess earlier if MTU is invalid.\nAlso, add a missing validation in read_buffer_size() and make it return\nan error value if the validation fails.\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\nkzalloc failure and invalid MTU value.\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci0 hci_rx_work\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\nFS: 0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n \n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\n kthread+0x2e3/0x380 kernel/kthread.c:388\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \nModules linked in:\n---[ end trace 0000000000000000 ]---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2, + "impactScore": 4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36968" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36969", + "dataSource": "https://ubuntu.com/security/CVE-2024-36969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36969" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36969", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/130afc8a886183a94cf6eab7d24f300014ff87ba", + "https://git.kernel.org/stable/c/308de6be0c9c7ba36915c0d398e771725c0ea911", + "https://git.kernel.org/stable/c/7e4f50dfc98c49b3dc6875a35c3112522fb25639", + "https://git.kernel.org/stable/c/91402e0e5de9124a3108db7a14163fcf9a6d322f", + "https://git.kernel.org/stable/c/a32c8f951c8a456c1c251e1dcdf21787f8066445", + "https://git.kernel.org/stable/c/f187fcbbb8f8bf10c6687f0beae22509369f7563" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix division by zero in setup_dsc_config\n\nWhen slice_height is 0, the division by slice_height in the calculation\nof the number of slices will cause a division by zero driver crash. This\nleaves the kernel in a state that requires a reboot. This patch adds a\ncheck to avoid the division by zero.\n\nThe stack trace below is for the 6.8.4 Kernel. I reproduced the issue on\na Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor\nconnected via Thunderbolt. The amdgpu driver crashed with this exception\nwhen I rebooted the system with the monitor connected.\n\nkernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)\nkernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2))\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu\n\nAfter applying this patch, the driver no longer crashes when the monitor\nis connected and the system is rebooted. I believe this is the same\nissue reported for 3113.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36969" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36970", + "dataSource": "https://ubuntu.com/security/CVE-2024-36970", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36970" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36970", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36970", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3d913719df14c28c4d3819e7e6d150760222bda4", + "https://git.kernel.org/stable/c/d20013259539e2fde2deeac85354851097afdf9e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: Use request_module_nowait\n\nThis appears to work around a deadlock regression that came in\nwith the LED merge in 6.9.\n\nThe deadlock happens on my system with 24 iwlwifi radios, so maybe\nit something like all worker threads are busy and some work that needs\nto complete cannot complete.\n\n[also remove unnecessary \"load_module\" var and now-wrong comment]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36970" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36971", + "dataSource": "https://ubuntu.com/security/CVE-2024-36971", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36971" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36971", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36971", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13", + "https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6", + "https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508", + "https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4", + "https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e", + "https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fc", + "https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72", + "https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix __dst_negative_advice() race\n\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\n\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\n\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\n\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\n\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\n\nMany thanks to Clement Lecigne for tracking this issue.\n\nThis old bug became visible after the blamed commit, using UDP sockets.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36971" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36972", + "dataSource": "https://ubuntu.com/security/CVE-2024-36972", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36972" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36972", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36972", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4708f49add84a57ce0ccc7bf9a6269845c631cc3", + "https://git.kernel.org/stable/c/4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1", + "https://git.kernel.org/stable/c/518a994aa0b87d96f1bc6678a7035df5d1fcd7a1", + "https://git.kernel.org/stable/c/9841991a446c87f90f66f4b9fee6fe934c1336a2", + "https://git.kernel.org/stable/c/d59ae9314b97e01c76a4171472441e55721ba636" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.\n\nBilly Jheng Bing-Jhong reported a race between __unix_gc() and\nqueue_oob().\n\n__unix_gc() tries to garbage-collect close()d inflight sockets,\nand then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC\nwill drop the reference and set NULL to it locklessly.\n\nHowever, the peer socket still can send MSG_OOB message and\nqueue_oob() can update unix_sk(sk)->oob_skb concurrently, leading\nNULL pointer dereference. [0]\n\nTo fix the issue, let's update unix_sk(sk)->oob_skb under the\nsk_receive_queue's lock and take it everywhere we touch oob_skb.\n\nNote that we defer kfree_skb() in manage_oob() to silence lockdep\nfalse-positive (See [1]).\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0\nOops: 0002 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events delayed_fput\nRIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)\nCode: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc\nRSP: 0018:ffffc900001bfd48 EFLAGS: 00000002\nRAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9\nRDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00\nRBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001\nR10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00\nR13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80\nFS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \n unix_release_sock (net/unix/af_unix.c:654)\n unix_release (net/unix/af_unix.c:1050)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:423)\n delayed_fput (fs/file_table.c:444 (discriminator 3))\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)\n kthread (kernel/kthread.c:388)\n ret_from_fork (arch/x86/kernel/process.c:153)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:257)\n \nModules linked in:\nCR2: 0000000000000008", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36972" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36974", + "dataSource": "https://ubuntu.com/security/CVE-2024-36974", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36974" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36974", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36974", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0bf6cc96612bd396048f57d63f1ad454a846e39c", + "https://git.kernel.org/stable/c/6db4af09987cc5d5f0136bd46148b0e0460dae5b", + "https://git.kernel.org/stable/c/724050ae4b76e4fae05a923cb54101d792cf4404", + "https://git.kernel.org/stable/c/c37a27a35eadb59286c9092c49c241270c802ae2", + "https://git.kernel.org/stable/c/c6041e7124464ce7e896ee3f912897ce88a0c4ec", + "https://git.kernel.org/stable/c/d3dde4c217f0c31ab0621912e682b57e677dd923", + "https://git.kernel.org/stable/c/f921a58ae20852d188f70842431ce6519c4fdc36" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP\n\nIf one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,\ntaprio_parse_mqprio_opt() must validate it, or userspace\ncan inject arbitrary data to the kernel, the second time\ntaprio_change() is called.\n\nFirst call (with valid attributes) sets dev->num_tc\nto a non zero value.\n\nSecond call (with arbitrary mqprio attributes)\nreturns early from taprio_parse_mqprio_opt()\nand bad things can happen.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36974" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36975", + "dataSource": "https://ubuntu.com/security/CVE-2024-36975", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36975" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36975", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36975", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/050bf3c793a07f96bd1e2fd62e1447f731ed733b", + "https://git.kernel.org/stable/c/1c652e1e10676f942149052d9329b8bf2703529a", + "https://git.kernel.org/stable/c/681935009fec3fc22af97ee312d4a24ccf3cf087", + "https://git.kernel.org/stable/c/96f650995c70237b061b497c66755e32908f8972", + "https://git.kernel.org/stable/c/d32c6e09f7c4bec3ebc4941323f0aa6366bc1487", + "https://git.kernel.org/stable/c/ff91cc12faf798f573dab2abc976c1d5b1862fea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Do not use WARN when encode fails\n\nWhen asn1_encode_sequence() fails, WARN is not the correct solution.\n\n1. asn1_encode_sequence() is not an internal function (located\n in lib/asn1_encode.c).\n2. Location is known, which makes the stack trace useless.\n3. Results a crash if panic_on_warn is set.\n\nIt is also noteworthy that the use of WARN is undocumented, and it\nshould be avoided unless there is a carefully considered rationale to\nuse it.\n\nReplace WARN with pr_err, and print the return value instead, which is\nonly useful piece of information.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-36975" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-36978", + "dataSource": "https://ubuntu.com/security/CVE-2024-36978", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-36978" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-36978", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-36978", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0f208fad86631e005754606c3ec80c0d44a11882", + "https://git.kernel.org/stable/c/52b1aa07cda6a199cd6754d3798c7759023bc70f", + "https://git.kernel.org/stable/c/54c2c171c11a798fe887b3ff72922aa9d1411c1e", + "https://git.kernel.org/stable/c/598572c64287aee0b75bbba4e2881496878860f3", + "https://git.kernel.org/stable/c/affc18fdc694190ca7575b9a86632a73b9fe043d", + "https://git.kernel.org/stable/c/d5d9d241786f49ae7cbc08e7fc95a115e9d80f3d", + "https://git.kernel.org/stable/c/d6fb5110e8722bc00748f22caeb650fe4672f129" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\n\nq->bands will be assigned to qopt->bands to execute subsequent code logic\nafter kmalloc. So the old q->bands should not be used in kmalloc.\nOtherwise, an out-of-bounds write will occur.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-36978" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-37021", + "dataSource": "https://ubuntu.com/security/CVE-2024-37021", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37021" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37021", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37021", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2da62a139a6221a345db4eb9f4f1c4b0937c89ad", + "https://git.kernel.org/stable/c/4d4d2d4346857bf778fafaa97d6f76bb1663e3c9", + "https://git.kernel.org/stable/c/62ac496a01c9337a11362cea427038ba621ca9eb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: manager: add owner module and take its refcount\n\nThe current implementation of the fpga manager assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the manager if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_manager\nstruct and use it to take the module's refcount. Modify the functions for\nregistering the manager to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the manager as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a manager without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga manager.\n\nOther changes: opportunistically move put_device() from __fpga_mgr_get() to\nfpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since the\nmanager device is taken in these functions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37021" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-37078", + "dataSource": "https://ubuntu.com/security/CVE-2024-37078", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37078" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37078", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37078", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ecfe3a92869a59668d27228dabbd7965e83567f", + "https://git.kernel.org/stable/c/1f3bff69f1214fe03a02bc650d5bbfaa6e65ae7d", + "https://git.kernel.org/stable/c/271dcd977ccda8c7a26e360425ae7b4db7d2ecc0", + "https://git.kernel.org/stable/c/33900d7eae616647e179eee1c66ebe654ee39627", + "https://git.kernel.org/stable/c/614d397be0cf43412b3f94a0f6460eddced8ce92", + "https://git.kernel.org/stable/c/95f6f81e50d858a7c9aa7c795ec14a0ac3819118", + "https://git.kernel.org/stable/c/a4ca369ca221bb7e06c725792ac107f0e48e82e7", + "https://git.kernel.org/stable/c/a75b8f493dfc48aa38c518430bd9e03b53bffebe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential kernel bug due to lack of writeback flag waiting\n\nDestructive writes to a block device on which nilfs2 is mounted can cause\na kernel bug in the folio/page writeback start routine or writeback end\nroutine (__folio_start_writeback in the log below):\n\n kernel BUG at mm/page-writeback.c:3070!\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\n ...\n RIP: 0010:__folio_start_writeback+0xbaa/0x10e0\n Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff\n e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>\n 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00\n ...\n Call Trace:\n \n nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]\n nilfs_segctor_construct+0x181/0x6b0 [nilfs2]\n nilfs_segctor_thread+0x548/0x11c0 [nilfs2]\n kthread+0x2f0/0x390\n ret_from_fork+0x4b/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nThis is because when the log writer starts a writeback for segment summary\nblocks or a super root block that use the backing device's page cache, it\ndoes not wait for the ongoing folio/page writeback, resulting in an\ninconsistent writeback state.\n\nFix this issue by waiting for ongoing writebacks when putting\nfolios/pages on the backing device into writeback state.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37078" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-37353", + "dataSource": "https://ubuntu.com/security/CVE-2024-37353", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37353" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37353", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37353", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37353" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-37354", + "dataSource": "https://ubuntu.com/security/CVE-2024-37354", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37354" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37354", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37354", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428", + "https://git.kernel.org/stable/c/3d08c52ba1887a1ff9c179d4b6a18b427bcb2097", + "https://git.kernel.org/stable/c/9d274c19a71b3a276949933859610721a453946b", + "https://git.kernel.org/stable/c/f4e5ed974876c14d3623e04dc43d3e3281bc6011" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\n\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\n\n BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2620!\n invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\n\nWith the following stack trace:\n\n #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)\n #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)\n #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)\n #8 vfs_fsync_range (fs/sync.c:188:9)\n #9 vfs_fsync (fs/sync.c:202:9)\n #10 do_fsync (fs/sync.c:212:9)\n #11 __do_sys_fdatasync (fs/sync.c:225:9)\n #12 __se_sys_fdatasync (fs/sync.c:223:1)\n #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\n\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\n\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\n\n >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n leaf 33439744 flags 0x100000000000000\n fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n generation 7 transid 9 size 8192 nbytes 8473563889606862198\n block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n sequence 204 flags 0x10(PREALLOC)\n atime 1716417703.220000000 (2024-05-22 15:41:43)\n ctime 1716417704.983333333 (2024-05-22 15:41:44)\n mtime 1716417704.983333333 (2024-05-22 15:41:44)\n otime 17592186044416.000000000 (559444-03-08 01:40:16)\n item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n index 195 namelen 3 name: 193\n item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n location key (0 UNKNOWN.0 0) type XATTR\n transid 7 data_len 1 name_len 6\n name: user.a\n data a\n item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n generation 9 type 1 (regular)\n extent data disk byte 303144960 nr 12288\n extent data offset 0 nr 4096 ram 12288\n extent compression 0 (none)\n item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 4096 nr 8192\n item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 8192 nr 4096\n ...\n\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\n\nHere is the state of \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37354" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-37356", + "dataSource": "https://ubuntu.com/security/CVE-2024-37356", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-37356" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-37356", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-37356", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c", + "https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6", + "https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd", + "https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66", + "https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf", + "https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a", + "https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be", + "https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\n\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\n\n alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n ...\n delivered_ce <<= (10 - dctcp_shift_g);\n\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\n\n memcpy((void*)0x20000080,\n \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n /*flags=*/2ul, /*mode=*/0ul);\n memcpy((void*)0x20000000, \"100\\000\", 4);\n syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\n\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\n\nWith this patch:\n\n # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n 10\n # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n -bash: echo: write error: Invalid argument\n\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-37356" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38306", + "dataSource": "https://ubuntu.com/security/CVE-2024-38306", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38306" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38306", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38306", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/952f048eb901881a7cc6f7c1368b53cd386ead7b", + "https://git.kernel.org/stable/c/f3a5367c679d31473d3fbb391675055b4792c309" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: protect folio::private when attaching extent buffer folios\n\n[BUG]\nSince v6.8 there are rare kernel crashes reported by various people,\nthe common factor is bad page status error messages like this:\n\n BUG: Bad page state in process kswapd0 pfn:d6e840\n page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c\n pfn:0xd6e840\n aops:btree_aops ino:1\n flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)\n page_type: 0xffffffff()\n raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0\n raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: non-NULL mapping\n\n[CAUSE]\nCommit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") changes the sequence when allocating a new\nextent buffer.\n\nPreviously we always called grab_extent_buffer() under\nmapping->i_private_lock, to ensure the safety on modification on\nfolio::private (which is a pointer to extent buffer for regular\nsectorsize).\n\nThis can lead to the following race:\n\nThread A is trying to allocate an extent buffer at bytenr X, with 4\n4K pages, meanwhile thread B is trying to release the page at X + 4K\n(the second page of the extent buffer at X).\n\n Thread A | Thread B\n-----------------------------------+-------------------------------------\n | btree_release_folio()\n\t\t\t\t | | This is for the page at X + 4K,\n\t\t\t\t | | Not page X.\n\t\t\t\t | |\nalloc_extent_buffer() | |- release_extent_buffer()\n|- filemap_add_folio() for the | | |- atomic_dec_and_test(eb->refs)\n| page at bytenr X (the first | | |\n| page). | | |\n| Which returned -EEXIST. | | |\n| | | |\n|- filemap_lock_folio() | | |\n| Returned the first page locked. | | |\n| | | |\n|- grab_extent_buffer() | | |\n| |- atomic_inc_not_zero() | | |\n| | Returned false | | |\n| |- folio_detach_private() | | |- folio_detach_private() for X\n| |- folio_test_private() | | |- folio_test_private()\n | Returned true | | | Returned true\n |- folio_put() | |- folio_put()\n\nNow there are two puts on the same folio at folio X, leading to refcount\nunderflow of the folio X, and eventually causing the BUG_ON() on the\npage->mapping.\n\nThe condition is not that easy to hit:\n\n- The release must be triggered for the middle page of an eb\n If the release is on the same first page of an eb, page lock would kick\n in and prevent the race.\n\n- folio_detach_private() has a very small race window\n It's only between folio_test_private() and folio_clear_private().\n\nThat's exactly when mapping->i_private_lock is used to prevent such race,\nand commit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") screwed that up.\n\nAt that time, I thought the page lock would kick in as\nfilemap_release_folio() also requires the page to be locked, but forgot\nthe filemap_release_folio() only locks one page, not all pages of an\nextent buffer.\n\n[FIX]\nMove all the code requiring i_private_lock into\nattach_eb_folio_to_filemap(), so that everything is done with proper\nlock protection.\n\nFurthermore to prevent future problems, add an extra\nlockdep_assert_locked() to ensure we're holding the proper lock.\n\nTo reproducer that is able to hit the race (takes a few minutes with\ninstrumented code inserting delays to alloc_extent_buffer()):\n\n #!/bin/sh\n drop_caches () {\n\t while(true); do\n\t\t echo 3 > /proc/sys/vm/drop_caches\n\t\t echo 1 > /proc/sys/vm/compact_memory\n\t done\n }\n\n run_tar () {\n\t while(true); do\n\t\t for x in `seq 1 80` ; do\n\t\t\t tar cf /dev/zero /mnt > /dev/null &\n\t\t done\n\t\t wait\n\t done\n }\n\n mkfs.btrfs -f -d single -m single\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38306" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38381", + "dataSource": "https://ubuntu.com/security/CVE-2024-38381", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38381" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38381", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38381", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/017ff397624930fd7ac7f1761f3c9d6a7100f68c", + "https://git.kernel.org/stable/c/406cfac9debd4a6d3dc5d9258ee086372a8c08b6", + "https://git.kernel.org/stable/c/485ded868ed62ceb2acb3a459d7843fd71472619", + "https://git.kernel.org/stable/c/ad4d196d2008c7f413167f0a693feb4f0439d7fe", + "https://git.kernel.org/stable/c/e4a87abf588536d1cdfb128595e6e680af5cf3ed", + "https://git.kernel.org/stable/c/e53a7f8afcbd2886f2a94c5d56757328109730ea", + "https://git.kernel.org/stable/c/e8c8e0d0d214c877fbad555df5b3ed558cd9b0c3", + "https://git.kernel.org/stable/c/f80b786ab0550d0020191a59077b2c7e069db2d1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_rx_work\n\nsyzbot reported the following uninit-value access issue [1]\n\nnci_rx_work() parses received packet from ndev->rx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38381" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38538", + "dataSource": "https://ubuntu.com/security/CVE-2024-38538", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38538" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38538", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38538", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1abb371147905ba250b4cc0230c4be7e90bea4d5", + "https://git.kernel.org/stable/c/28126b83f86ab9cc7936029c2dff845d3dcedba2", + "https://git.kernel.org/stable/c/5b5d669f569807c7ab07546e73c0741845a2547a", + "https://git.kernel.org/stable/c/8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc", + "https://git.kernel.org/stable/c/f482fd4ce919836a49012b2d31b00fc36e2488f2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: xmit: make sure we have at least eth header len bytes\n\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\nwe can actually pull that amount instead of assuming.\n\nTested with dropwatch:\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\n origin: software\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\n protocol: 0x88a8\n length: 2\n original length: 2\n drop reason: PKT_TOO_SMALL\n\n[1]\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n __bpf_tx_skb net/core/filter.c:2136 [inline]\n __bpf_redirect_common net/core/filter.c:2180 [inline]\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\n __bpf_prog_run include/linux/filter.h:657 [inline]\n bpf_prog_run include/linux/filter.h:664 [inline]\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38538" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38540", + "dataSource": "https://ubuntu.com/security/CVE-2024-38540", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38540" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38540", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38540", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc", + "https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659", + "https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753", + "https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n shift exponent 64 is too large for 64-bit type 'long unsigned int'\n CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n Call Trace:\n \n dump_stack_lvl+0x5d/0x80\n ubsan_epilogue+0x5/0x30\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __kmalloc+0x1b6/0x4f0\n ? create_qp.part.0+0x128/0x1c0 [ib_core]\n ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n create_qp.part.0+0x128/0x1c0 [ib_core]\n ib_create_qp_kernel+0x50/0xd0 [ib_core]\n create_mad_qp+0x8e/0xe0 [ib_core]\n ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n ib_mad_init_device+0x2be/0x680 [ib_core]\n add_client_context+0x10d/0x1a0 [ib_core]\n enable_device_and_get+0xe0/0x1d0 [ib_core]\n ib_register_device+0x53c/0x630 [ib_core]\n ? srso_alias_return_thunk+0x5/0xfbef5\n bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n auxiliary_bus_probe+0x49/0x80\n ? driver_sysfs_add+0x57/0xc0\n really_probe+0xde/0x340\n ? pm_runtime_barrier+0x54/0x90\n ? __pfx___driver_attach+0x10/0x10\n __driver_probe_device+0x78/0x110\n driver_probe_device+0x1f/0xa0\n __driver_attach+0xba/0x1c0\n bus_for_each_dev+0x8f/0xe0\n bus_add_driver+0x146/0x220\n driver_register+0x72/0xd0\n __auxiliary_driver_register+0x6e/0xd0\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n do_one_initcall+0x5b/0x310\n do_init_module+0x90/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x121/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x82/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode_prepare+0x149/0x170\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode+0x75/0x230\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_syscall_64+0x8e/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __count_memcg_events+0x69/0x100\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? count_memcg_events.constprop.0+0x1a/0x30\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? handle_mm_fault+0x1f0/0x300\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_user_addr_fault+0x34e/0x640\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f4e5132821d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n \n ---[ end trace ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38540" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38541", + "dataSource": "https://ubuntu.com/security/CVE-2024-38541", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38541" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38541", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38541", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/0b0d5701a8bf02f8fee037e81aacf6746558bfd6", + "https://git.kernel.org/stable/c/cf7385cb26ac4f0ee6c7385960525ad534323252", + "https://git.kernel.org/stable/c/e45b69360a63165377b30db4a1dfddd89ca18e9a", + "https://git.kernel.org/stable/c/ee332023adfd5882808f2dabf037b32d6ce36f9e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: add buffer overflow check in of_modalias()\n\nIn of_modalias(), if the buffer happens to be too small even for the 1st\nsnprintf() call, the len parameter will become negative and str parameter\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\noverflow check after the 1st snprintf() call and fix such check after the\nstrlen() call (accounting for the terminating NUL char).", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38541" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38543", + "dataSource": "https://ubuntu.com/security/CVE-2024-38543", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38543" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38543", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38543", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a21fdeea502658e315bd939409b755974f4fb64", + "https://git.kernel.org/stable/c/3b20d18f475bd17309db640dbe7d7c7ebb5bc2bc", + "https://git.kernel.org/stable/c/65e528a69cb3ed4a286c45b4afba57461c8b5b33", + "https://git.kernel.org/stable/c/c2af060d1c18beaec56351cf9c9bcbbc5af341a3", + "https://git.kernel.org/stable/c/ce47e8ead9a72834cc68431d53f8092ce69bebb7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/test_hmm.c: handle src_pfns and dst_pfns allocation failure\n\nThe kcalloc() in dmirror_device_evict_chunk() will return null if the\nphysical memory has run out. As a result, if src_pfns or dst_pfns is\ndereferenced, the null pointer dereference bug will happen.\n\nMoreover, the device is going away. If the kcalloc() fails, the pages\nmapping a chunk could not be evicted. So add a __GFP_NOFAIL flag in\nkcalloc().\n\nFinally, as there is no need to have physically contiguous memory, Switch\nkcalloc() to kvcalloc() in order to avoid failing allocations.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38543" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38544", + "dataSource": "https://ubuntu.com/security/CVE-2024-38544", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38544" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38544", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38544", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794", + "https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6", + "https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb", + "https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc", + "https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix seg fault in rxe_comp_queue_pkt\n\nIn rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the\nresp_pkts queue and then a decision is made whether to run the completer\ntask inline or schedule it. Finally the skb is dereferenced to bump a 'hw'\nperformance counter. This is wrong because if the completer task is\nalready running in a separate thread it may have already processed the skb\nand freed it which can cause a seg fault. This has been observed\ninfrequently in testing at high scale.\n\nThis patch fixes this by changing the order of enqueuing the packet until\nafter the counter is accessed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38544" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38545", + "dataSource": "https://ubuntu.com/security/CVE-2024-38545", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38545" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38545", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38545", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/37a7559dc1358a8d300437e99ed8ecdab0671507", + "https://git.kernel.org/stable/c/39d26cf46306bdc7ae809ecfdbfeff5aa1098911", + "https://git.kernel.org/stable/c/63da190eeb5c9d849b71f457b15b308c94cbaf08", + "https://git.kernel.org/stable/c/763780ef0336a973e933e40e919339381732dcaf", + "https://git.kernel.org/stable/c/a942ec2745ca864cd8512142100e4027dc306a42" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix UAF for cq async event\n\nThe refcount of CQ is not protected by locks. When CQ asynchronous\nevents and CQ destruction are concurrent, CQ may have been released,\nwhich will cause UAF.\n\nUse the xa_lock() to protect the CQ refcount.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38545" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38546", + "dataSource": "https://ubuntu.com/security/CVE-2024-38546", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38546" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38546", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38546", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2a345fe928c21de6f3c3c7230ff509d715153a31", + "https://git.kernel.org/stable/c/2d9adecc88ab678785b581ab021f039372c324cb", + "https://git.kernel.org/stable/c/42c22b63056cea259d5313bf138a834840af85a5", + "https://git.kernel.org/stable/c/6cf1874aec42058a5ad621a23b5b2f248def0e96", + "https://git.kernel.org/stable/c/80431ea3634efb47a3004305d76486db9dd8ed49", + "https://git.kernel.org/stable/c/bd7827d46d403f8cdb43d16744cb1114e4726b21", + "https://git.kernel.org/stable/c/c534b63bede6cb987c2946ed4d0b0013a52c5ba7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: vc4: Fix possible null pointer dereference\n\nIn vc4_hdmi_audio_init() of_get_address() may return\nNULL which is later dereferenced. Fix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38546" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38547", + "dataSource": "https://ubuntu.com/security/CVE-2024-38547", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38547" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38547", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38547", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3b621e9e9e148c0928ab109ac3d4b81487469acb", + "https://git.kernel.org/stable/c/4b68b861b514a5c09220d622ac3784c0ebac6c80", + "https://git.kernel.org/stable/c/6482c433863b257b0b9b687c28ce80b89d5f89f0", + "https://git.kernel.org/stable/c/69b27ff82f87379afeaaea4b2f339032fdd8486e", + "https://git.kernel.org/stable/c/82c2c85aead3ea3cbceef4be077cf459c5df2272", + "https://git.kernel.org/stable/c/a1ab99dcc8604afe7e3bccb01b10da03bdd7ea35", + "https://git.kernel.org/stable/c/cc20c87b04db86c8e3e810bcdca686b406206069" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\n\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\nis followed with a dereference of mycs->yuv_scaler_binary after the\nfollowing call chain:\n\nsh_css_pipe_load_binaries()\n |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\n |\n |-> sh_css_pipe_unload_binaries()\n |-> unload_video_binaries()\n\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\ndereference is triggered.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38547" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38548", + "dataSource": "https://ubuntu.com/security/CVE-2024-38548", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38548" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38548", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38548", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32fb2ef124c3301656ac6c789a2ef35ef69a66da", + "https://git.kernel.org/stable/c/47889711da20be9b43e1e136e5cb68df37cbcc79", + "https://git.kernel.org/stable/c/85d1a27402f81f2e04b0e67d20f749c2a14edbb3", + "https://git.kernel.org/stable/c/89788cd9824c28ffcdea40232c458233353d1896", + "https://git.kernel.org/stable/c/935a92a1c400285545198ca2800a4c6c519c650a", + "https://git.kernel.org/stable/c/ca53b7efd4ba6ae92fd2b3085cb099c745e96965", + "https://git.kernel.org/stable/c/dcf53e6103b26e7458be71491d0641f49fbd5840" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: cdns-mhdp8546: Fix possible null pointer dereference\n\nIn cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is\nassigned to mhdp_state->current_mode, and there is a dereference of it in\ndrm_mode_set_name(), which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate().\n\nFix this bug add a check of mhdp_state->current_mode.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38548" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38549", + "dataSource": "https://ubuntu.com/security/CVE-2024-38549", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38549" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38549", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38549", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0e3b6f9123726858cac299e1654e3d20424cabe4", + "https://git.kernel.org/stable/c/13562c2d48c9ee330de1077d00146742be368f05", + "https://git.kernel.org/stable/c/1e4350095e8ab2577ee05f8c3b044e661b5af9a0", + "https://git.kernel.org/stable/c/79078880795478d551a05acc41f957700030d364", + "https://git.kernel.org/stable/c/9489951e3ae505534c4013db4e76b1b5a3151ac7", + "https://git.kernel.org/stable/c/af26ea99019caee1500bf7e60c861136c0bf8594", + "https://git.kernel.org/stable/c/be34a1b351ea7faeb15dde8c44fe89de3980ae67", + "https://git.kernel.org/stable/c/d17b75ee9c2e44d3a3682c4ea5ab713ea6073350", + "https://git.kernel.org/stable/c/fb4aabdb1b48c25d9e1ee28f89440fd2ce556405" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\n\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\nof 0 bytes. Currently, no such check exists and the kernel will panic if\na userspace application attempts to allocate a 0x0 GBM buffer.\n\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\nverifying that we now return EINVAL.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38549" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38550", + "dataSource": "https://ubuntu.com/security/CVE-2024-38550", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38550" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38550", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38550", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a7254525ca7a6f3e37d7882d7f7ad97f6235f7c", + "https://git.kernel.org/stable/c/5bf5154739cd676b6d0958079070557c8d96afb6", + "https://git.kernel.org/stable/c/802b49e39da669b54bd9b77dc3c649999a446bf6", + "https://git.kernel.org/stable/c/d48d0c5fd733bd6d8d3ddb2ed553777ab4724169", + "https://git.kernel.org/stable/c/de9987cec6fde1dd41dfcb971433e05945852489", + "https://git.kernel.org/stable/c/ea60ab95723f5738e7737b56dda95e6feefa5b50" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: kirkwood: Fix potential NULL dereference\n\nIn kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if\nCONFIG_PLAT_ORION macro is not defined.\nFix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38550" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38552", + "dataSource": "https://ubuntu.com/security/CVE-2024-38552", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38552" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38552", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38552", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/04bc4d1090c343025d69149ca669a27c5b9c34a7", + "https://git.kernel.org/stable/c/123edbae64f4d21984359b99c6e79fcde31c6123", + "https://git.kernel.org/stable/c/4e8c8b37ee84b3b19c448d2b8e4c916d2f5b9c86", + "https://git.kernel.org/stable/c/604c506ca43fce52bb882cff9c1fdf2ec3b4029c", + "https://git.kernel.org/stable/c/63ae548f1054a0b71678d0349c7dc9628ddd42ca", + "https://git.kernel.org/stable/c/7226ddf3311c5e5a7726ad7d4e7b079bb3cfbb29", + "https://git.kernel.org/stable/c/98b8a6bfd30d07a19cfacdf82b50f84bf3360869", + "https://git.kernel.org/stable/c/ced9c4e2289a786b8fa684d8893b7045ea53ef7e", + "https://git.kernel.org/stable/c/e280ab978c81443103d7c61bdd1d8d708cf6ed6d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential index out of bounds in color transformation function\n\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38552" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38553", + "dataSource": "https://ubuntu.com/security/CVE-2024-38553", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38553" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38553", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38553", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/87bcbc9b7e0b43a69d44efa5f32f11e32d08fa6f", + "https://git.kernel.org/stable/c/accdd6b912c4219b8e056d1f1ad2e85bc66ee243", + "https://git.kernel.org/stable/c/c2e0c58b25a0a0c37ec643255558c5af4450c9f5", + "https://git.kernel.org/stable/c/d38625f71950e79e254515c5fc585552dad4b33e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\n\nThere is a deadlock issue found in sungem driver, please refer to the\ncommit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid\ndeadlocks\"). The root cause of the issue is that netpoll is in atomic\ncontext and disable_irq() is called by .ndo_poll_controller interface\nof sungem driver, however, disable_irq() might sleep. After analyzing\nthe implementation of fec_poll_controller(), the fec driver should have\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\nso fec_poll_controller() can be safely removed.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38553" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38554", + "dataSource": "https://ubuntu.com/security/CVE-2024-38554", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38554" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38554", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38554", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/36e56b1b002bb26440403053f19f9e1a8bc075b2", + "https://git.kernel.org/stable/c/3ec437f9bbae68e9b38115c4c91de995f73f6bad", + "https://git.kernel.org/stable/c/8bad3a20a27be8d935f2aae08d3c6e743754944a", + "https://git.kernel.org/stable/c/965d940fb7414b310a22666503d2af69459c981b", + "https://git.kernel.org/stable/c/eef95df9b752699bddecefa851f64858247246e9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issue of net_device\n\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\n\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38554" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38555", + "dataSource": "https://ubuntu.com/security/CVE-2024-38555", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38555" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38555", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38555", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb", + "https://git.kernel.org/stable/c/1d5dce5e92a70274de67a59e1e674c3267f94cd7", + "https://git.kernel.org/stable/c/3cb92b0ad73d3f1734e812054e698d655e9581b0", + "https://git.kernel.org/stable/c/7ac4c69c34240c6de820492c0a28a0bd1494265a", + "https://git.kernel.org/stable/c/bf8aaf0ae01c27ae3c06aa8610caf91e50393396", + "https://git.kernel.org/stable/c/db9b31aa9bc56ff0d15b78f7e827d61c4a096e40", + "https://git.kernel.org/stable/c/f6fbb8535e990f844371086ab2c1221f71f993d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Discard command completions in internal error\n\nFix use after free when FW completion arrives while device is in\ninternal error state. Avoid calling completion handler in this case,\nsince the device will flush the command interface and trigger all\ncompletions manually.\n\nKernel log:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\n...\nCall Trace:\n\n? __warn+0x79/0x120\n? refcount_warn_saturate+0xd8/0xe0\n? report_bug+0x17c/0x190\n? handle_bug+0x3c/0x60\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0xd8/0xe0\ncmd_ent_put+0x13b/0x160 [mlx5_core]\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x4b/0x160\nhandle_irq_event+0x2e/0x80\nhandle_edge_irq+0x98/0x230\n__common_interrupt+0x3b/0xa0\ncommon_interrupt+0x7b/0xa0\n\n\nasm_common_interrupt+0x22/0x40", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38555" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38556", + "dataSource": "https://ubuntu.com/security/CVE-2024-38556", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38556" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38556", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38556", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2d0962d05c93de391ce85f6e764df895f47c8918", + "https://git.kernel.org/stable/c/485d65e1357123a697c591a5aeb773994b247ad7", + "https://git.kernel.org/stable/c/4baae687a20ef2b82fde12de3c04461e6f2521d6", + "https://git.kernel.org/stable/c/94024332a129c6e4275569d85c0c1bfb2ae2d71b", + "https://git.kernel.org/stable/c/f9caccdd42e999b74303c9b0643300073ed5d319" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Add a timeout to acquire the command queue semaphore\n\nPrevent forced completion handling on an entry that has not yet been\nassigned an index, causing an out of bounds access on idx = -22.\nInstead of waiting indefinitely for the sem, blocking flow now waits for\nindex to be allocated or a sem acquisition timeout before beginning the\ntimer for FW completion.\n\nKernel log example:\nmlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38556" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38557", + "dataSource": "https://ubuntu.com/security/CVE-2024-38557", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38557" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38557", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38557", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4", + "https://git.kernel.org/stable/c/0f320f28f54b1b269a755be2e3fb3695e0b80b07", + "https://git.kernel.org/stable/c/e93fc8d959e56092e2eca1e5511c2d2f0ad6807a", + "https://git.kernel.org/stable/c/f03c714a0fdd1f93101a929d0e727c28a66383fc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Reload only IB representors upon lag disable/enable\n\nOn lag disable, the bond IB device along with all of its\nrepresentors are destroyed, and then the slaves' representors get reloaded.\n\nIn case the slave IB representor load fails, the eswitch error flow\nunloads all representors, including ethernet representors, where the\nnetdevs get detached and removed from lag bond. Such flow is inaccurate\nas the lag driver is not responsible for loading/unloading ethernet\nrepresentors. Furthermore, the flow described above begins by holding\nlag lock to prevent bond changes during disable flow. However, when\nreaching the ethernet representors detachment from lag, the lag lock is\nrequired again, triggering the following deadlock:\n\nCall trace:\n__switch_to+0xf4/0x148\n__schedule+0x2c8/0x7d0\nschedule+0x50/0xe0\nschedule_preempt_disabled+0x18/0x28\n__mutex_lock.isra.13+0x2b8/0x570\n__mutex_lock_slowpath+0x1c/0x28\nmutex_lock+0x4c/0x68\nmlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]\nmlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]\nmlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]\nmlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]\nmlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]\nmlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]\nmlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]\nmlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]\nmlx5_disable_lag+0x130/0x138 [mlx5_core]\nmlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock\nmlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]\ndevlink_nl_cmd_eswitch_set_doit+0xdc/0x180\ngenl_family_rcv_msg_doit.isra.17+0xe8/0x138\ngenl_rcv_msg+0xe4/0x220\nnetlink_rcv_skb+0x44/0x108\ngenl_rcv+0x40/0x58\nnetlink_unicast+0x198/0x268\nnetlink_sendmsg+0x1d4/0x418\nsock_sendmsg+0x54/0x60\n__sys_sendto+0xf4/0x120\n__arm64_sys_sendto+0x30/0x40\nel0_svc_common+0x8c/0x120\ndo_el0_svc+0x30/0xa0\nel0_svc+0x20/0x30\nel0_sync_handler+0x90/0xb8\nel0_sync+0x160/0x180\n\nThus, upon lag enable/disable, load and unload only the IB representors\nof the slaves preventing the deadlock mentioned above.\n\nWhile at it, refactor the mlx5_esw_offloads_rep_load() function to have\na static helper method for its internal logic, in symmetry with the\nrepresentor unload design.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38557" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38558", + "dataSource": "https://ubuntu.com/security/CVE-2024-38558", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "High", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38558" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38558", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38558", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5", + "https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120", + "https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3", + "https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982", + "https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11", + "https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd", + "https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56", + "https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6", + "https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc. Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine. Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38558" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38559", + "dataSource": "https://ubuntu.com/security/CVE-2024-38559", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38559" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38559", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38559", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/177f43c6892e6055de6541fe9391a8a3d1f95fc9", + "https://git.kernel.org/stable/c/1f84a2744ad813be23fc4be99fb74bfb24aadb95", + "https://git.kernel.org/stable/c/4907f5ad246fa9b51093ed7dfc7da9ebbd3f20b8", + "https://git.kernel.org/stable/c/563e609275927c0b75fbfd0d90441543aa7b5e0d", + "https://git.kernel.org/stable/c/769b9fd2af02c069451fe9108dba73355d9a021c", + "https://git.kernel.org/stable/c/a75001678e1d38aa607d5b898ec7ff8ed0700d59", + "https://git.kernel.org/stable/c/d0184a375ee797eb657d74861ba0935b6e405c62", + "https://git.kernel.org/stable/c/d93318f19d1e1a6d5f04f5d965eaa9055bb7c613", + "https://git.kernel.org/stable/c/dccd97b39ab2f2b1b9a47a1394647a4d65815255" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a count-sized kernel buffer and copy count from\nuserspace to that buffer. Later, we use kstrtouint on this buffer but we\ndon't ensure that the string is terminated inside the buffer, this can\nlead to OOB read when using kstrtouint. Fix this issue by using\nmemdup_user_nul instead of memdup_user.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38559" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38560", + "dataSource": "https://ubuntu.com/security/CVE-2024-38560", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38560" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38560", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38560", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00b425ff0891283207d7bad607a2412225274d7a", + "https://git.kernel.org/stable/c/13d0cecb4626fae67c00c84d3c7851f6b62f7df3", + "https://git.kernel.org/stable/c/1708e3cf2488788cba5489e4f913d227de757baf", + "https://git.kernel.org/stable/c/204714e68015d6946279719fd464ecaf57240f35", + "https://git.kernel.org/stable/c/481fc0c8617304a67649027c4a44723a139a0462", + "https://git.kernel.org/stable/c/595a6b98deec01b6dbb20139f71edcd5fb760ec2", + "https://git.kernel.org/stable/c/7510fab46b1cbd1680e2a096e779aec3334b4143", + "https://git.kernel.org/stable/c/7d3e694c4fe30f3aba9cd5ae86fb947a54c3db5c", + "https://git.kernel.org/stable/c/ecb76200f5557a2886888aaa53702da1ab9e6cdf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bfa: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul instead\nof memdup_user.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38560" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38564", + "dataSource": "https://ubuntu.com/security/CVE-2024-38564", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38564" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38564", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38564", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/543576ec15b17c0c93301ac8297333c7b6e84ac7", + "https://git.kernel.org/stable/c/6675c541f540a29487a802d3135280b69b9f568d", + "https://git.kernel.org/stable/c/67929e973f5a347f05fef064fea4ae79e7cdb5fd", + "https://git.kernel.org/stable/c/b34bbc76651065a5eafad8ddff1eb8d1f8473172" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\n\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\nto properly verify prog_type <> attach_type association.\n\nAdd missing attach_type enforcement for the link_create case.\nOtherwise, it's currently possible to attach cgroup_skb prog\ntypes to other cgroup hooks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38564" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38565", + "dataSource": "https://ubuntu.com/security/CVE-2024-38565", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38565" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38565", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38565", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/34f7ebff1b9699e0b89fa58b693bc098c2f5ec72", + "https://git.kernel.org/stable/c/68a5a00c5d38978a3f8460c6f182f7beec8688ff", + "https://git.kernel.org/stable/c/79ddf5f2020fd593d50f1363bb5131283d74f78f", + "https://git.kernel.org/stable/c/7bbf76c9bb2c58375e183074e44f9712483f0603", + "https://git.kernel.org/stable/c/b33a81e4ecfb022b028cae37d1c1ce28ac1b359d", + "https://git.kernel.org/stable/c/b4c24de37a6bb383394a6fef2b85a6db41d426f5", + "https://git.kernel.org/stable/c/beeed260b92af158592f5e8d2dab65dae45c6f70", + "https://git.kernel.org/stable/c/e120b6388d7d88635d67dcae6483f39c37111850", + "https://git.kernel.org/stable/c/ee25389df80138907bc9dcdf4a2be2067cde9a81" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ar5523: enable proper endpoint verification\n\nSyzkaller reports [1] hitting a warning about an endpoint in use\nnot having an expected type to it.\n\nFix the issue by checking for the existence of all proper\nendpoints with their according types intact.\n\nSadly, this patch has not been tested on real hardware.\n\n[1] Syzkaller report:\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n \n ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275\n ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline]\n ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline]\n ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655\n usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573\n hub_port_connect drivers/usb/core/hub.c:5353 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]\n port_event drivers/usb/core/hub.c:5653 [inline]\n hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38565" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38567", + "dataSource": "https://ubuntu.com/security/CVE-2024-38567", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38567" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38567", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38567", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03ddc74bdfd71b84a55c9f2185d8787f258422cd", + "https://git.kernel.org/stable/c/0fa08a55201ab9be72bacb8ea93cf752d338184f", + "https://git.kernel.org/stable/c/265c3cda471c26e0f25d0c755da94e1eb15d7a0c", + "https://git.kernel.org/stable/c/62eb07923f3693d55b0c2d9a5a4f1ad72cb6b8fd", + "https://git.kernel.org/stable/c/6a9892bf24c906b4d6b587f8759ca38bff672582", + "https://git.kernel.org/stable/c/8650725bb0a48b206d5a8ddad3a7488f9a5985b7", + "https://git.kernel.org/stable/c/ac3ed46a8741d464bc70ebdf7433c1d786cf329d", + "https://git.kernel.org/stable/c/b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0", + "https://git.kernel.org/stable/c/eb0f2fc3ff5806cc572cd9055ce7c52a01e97645" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: carl9170: add a proper sanity check for endpoints\n\nSyzkaller reports [1] hitting a warning which is caused by presence\nof a wrong endpoint type at the URB sumbitting stage. While there\nwas a check for a specific 4th endpoint, since it can switch types\nbetween bulk and interrupt, other endpoints are trusted implicitly.\nSimilar warning is triggered in a couple of other syzbot issues [2].\n\nFix the issue by doing a comprehensive check of all endpoints\ntaking into account difference between high- and full-speed\nconfiguration.\n\n[1] Syzkaller report:\n...\nWARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n \n carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504\n carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]\n carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]\n carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028\n request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n\n[2] Related syzkaller crashes:", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38567" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38570", + "dataSource": "https://ubuntu.com/security/CVE-2024-38570", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38570" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38570", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38570", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37", + "https://git.kernel.org/stable/c/501cd8fabf621d10bd4893e37f6ce6c20523c8ca", + "https://git.kernel.org/stable/c/d98779e687726d8f8860f1c54b5687eec5f63a73", + "https://git.kernel.org/stable/c/e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix potential glock use-after-free on unmount\n\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically. Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace. This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\n\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\n\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38570" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38571", + "dataSource": "https://ubuntu.com/security/CVE-2024-38571", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38571" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38571", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38571", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/06d17744b77bc6cb29a6c785f4fad8c4163ee653", + "https://git.kernel.org/stable/c/11c731386ed82053c2759b6fea1a82ae946e5e0f", + "https://git.kernel.org/stable/c/27600e0c5272a262b0903e35ae1df37d33c5c1ad", + "https://git.kernel.org/stable/c/2d5ca6e4a2872e92a32fdfd87e04dd7d3ced7278", + "https://git.kernel.org/stable/c/d998ddc86a27c92140b9f7984ff41e3d1d07a48f", + "https://git.kernel.org/stable/c/fcf5f1b5f308f2eb422f6aca55d295b25890906b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/tsens: Fix null pointer dereference\n\ncompute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)\nas compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null\npointer dereference (if DEBUG or DYNAMIC_DEBUG set).\nFix this bug by adding null pointer check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38571" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38573", + "dataSource": "https://ubuntu.com/security/CVE-2024-38573", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38573" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38573", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38573", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/769c4f355b7962895205b86ad35617873feef9a5", + "https://git.kernel.org/stable/c/9a185cc5a79ba408e1c73375706630662304f618", + "https://git.kernel.org/stable/c/b18daa4ec727c0266de5bfc78e818d168cc4aedf", + "https://git.kernel.org/stable/c/cf7de25878a1f4508c69dc9f6819c21ba177dbfe", + "https://git.kernel.org/stable/c/dfec15222529d22b15e5b0d63572a9e39570cab4", + "https://git.kernel.org/stable/c/f84b9b25d045e67a7eee5e73f21278c8ab06713c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncppc_cpufreq: Fix possible null pointer dereference\n\ncppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from\ndifferent places with various parameters. So cpufreq_cpu_get() can return\nnull as 'policy' in some circumstances.\nFix this bug by adding null return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38573" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38577", + "dataSource": "https://ubuntu.com/security/CVE-2024-38577", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38577" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38577", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38577", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/08186d0c5fb64a1cc4b43e009314ee6b173ed222", + "https://git.kernel.org/stable/c/1a240e138071b25944ded0f5b3e357aa99fabcb7", + "https://git.kernel.org/stable/c/32d988f48ed287e676a29a15ac30701c35849aec", + "https://git.kernel.org/stable/c/6593d857ce5b5b802fb73d8091ac9c84b92c1697", + "https://git.kernel.org/stable/c/cc5645fddb0ce28492b15520306d092730dffa48" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\n\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\n\nUse snprintf() with buffer size instead of sprintf().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38577" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38578", + "dataSource": "https://ubuntu.com/security/CVE-2024-38578", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38578" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38578", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38578", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d0f8ba042af16519f1ef7dd10463a33b21b677c", + "https://git.kernel.org/stable/c/12db25a54ce6bb22b0af28010fff53ef9cb3fe93", + "https://git.kernel.org/stable/c/1c125b9287e58f364d82174efb167414b92b11f1", + "https://git.kernel.org/stable/c/235b85981051cd68fc215fd32a81c6f116bfc4df", + "https://git.kernel.org/stable/c/2ed750b7ae1b5dc72896d7dd114c419afd3d1910", + "https://git.kernel.org/stable/c/85a6a1aff08ec9f5b929d345d066e2830e8818e5", + "https://git.kernel.org/stable/c/a20f09452e2f58f761d11ad7b96b5c894c91030e", + "https://git.kernel.org/stable/c/edbfc42ab080e78c6907d40a42c9d10b69e445c1", + "https://git.kernel.org/stable/c/f6008487f1eeb8693f8d2a36a89c87d9122ddf74" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\necryptfs: Fix buffer size for tag 66 packet\n\nThe 'TAG 66 Packet Format' description is missing the cipher code and\nchecksum fields that are packed into the message packet. As a result,\nthe buffer allocated for the packet is 3 bytes too small and\nwrite_tag_66_packet() will write up to 3 bytes past the end of the\nbuffer.\n\nFix this by increasing the size of the allocation so the whole packet\nwill always fit in the buffer.\n\nThis fixes the below kasan slab-out-of-bounds bug:\n\n BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0\n Write of size 1 at addr ffff88800afbb2a5 by task touch/181\n\n CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014\n Call Trace:\n \n dump_stack_lvl+0x4c/0x70\n print_report+0xc5/0x610\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? kasan_complete_mode_report_info+0x44/0x210\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n kasan_report+0xc2/0x110\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n __asan_store1+0x62/0x80\n ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10\n ? __alloc_pages+0x2e2/0x540\n ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]\n ? dentry_open+0x8f/0xd0\n ecryptfs_write_metadata+0x30a/0x550\n ? __pfx_ecryptfs_write_metadata+0x10/0x10\n ? ecryptfs_get_lower_file+0x6b/0x190\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n ? __pfx_path_openat+0x10/0x10\n do_filp_open+0x15e/0x290\n ? __pfx_do_filp_open+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? _raw_spin_lock+0x86/0xf0\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? alloc_fd+0xf4/0x330\n do_sys_openat2+0x122/0x160\n ? __pfx_do_sys_openat2+0x10/0x10\n __x64_sys_openat+0xef/0x170\n ? __pfx___x64_sys_openat+0x10/0x10\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7f00a703fd67\n Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f\n RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\n RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67\n RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c\n RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000\n R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941\n R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040\n \n\n Allocated by task 181:\n kasan_save_stack+0x2f/0x60\n kasan_set_track+0x29/0x40\n kasan_save_alloc_info+0x25/0x40\n __kasan_kmalloc+0xc5/0xd0\n __kmalloc+0x66/0x160\n ecryptfs_generate_key_packet_set+0x6d2/0xde0\n ecryptfs_write_metadata+0x30a/0x550\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n do_filp_open+0x15e/0x290\n do_sys_openat2+0x122/0x160\n __x64_sys_openat+0xef/0x170\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38578" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38579", + "dataSource": "https://ubuntu.com/security/CVE-2024-38579", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38579" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38579", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38579", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9", + "https://git.kernel.org/stable/c/3b7a40740f04e2f27114dfd6225c5e721dda9d57", + "https://git.kernel.org/stable/c/49833a8da6407e7e9b532cc4054fdbcaf78f5fdd", + "https://git.kernel.org/stable/c/c0082ee420639a97e40cae66778b02b341b005e5", + "https://git.kernel.org/stable/c/c256b616067bfd6d274c679c06986b78d2402434", + "https://git.kernel.org/stable/c/c69a1e4b419c2c466dd8c5602bdebadc353973dd", + "https://git.kernel.org/stable/c/d0f14ae223c2421b334c1f1a9e48f1e809aee3a0", + "https://git.kernel.org/stable/c/e719c8991c161977a67197775067ab456b518c7b", + "https://git.kernel.org/stable/c/ebed0d666fa709bae9e8cafa8ec6e7ebd1d318c6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: bcm - Fix pointer arithmetic\n\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38579" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38580", + "dataSource": "https://ubuntu.com/security/CVE-2024-38580", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38580" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38580", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38580", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16e3182f6322575eb7c12e728ad3c7986a189d5d", + "https://git.kernel.org/stable/c/4efaa5acf0a1d2b5947f98abb3acf8bfd966422b", + "https://git.kernel.org/stable/c/4f65f4defe4e23659275ce5153541cd4f76ce2d2", + "https://git.kernel.org/stable/c/559214eb4e5c3d05e69428af2fae2691ba1eb784", + "https://git.kernel.org/stable/c/cbfd1088e24ec4c1199756a37cb8e4cd0a4b016e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nepoll: be better about file lifetimes\n\nepoll can call out to vfs_poll() with a file pointer that may race with\nthe last 'fput()'. That would make f_count go down to zero, and while\nthe ep->mtx locking means that the resulting file pointer tear-down will\nbe blocked until the poll returns, it means that f_count is already\ndead, and any use of it won't actually get a reference to the file any\nmore: it's dead regardless.\n\nMake sure we have a valid ref on the file pointer before we call down to\nvfs_poll() from the epoll routines.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38580" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38582", + "dataSource": "https://ubuntu.com/security/CVE-2024-38582", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38582" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38582", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38582", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd", + "https://git.kernel.org/stable/c/1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0", + "https://git.kernel.org/stable/c/6e5c8e8e024e147b834f56f2115aad241433679b", + "https://git.kernel.org/stable/c/911d38be151921a5d152bb55e81fd752384c6830", + "https://git.kernel.org/stable/c/a8799662fed1f8747edae87a1937549288baca6a", + "https://git.kernel.org/stable/c/bc9cee50a4a4ca23bdc49f75ea8242d8a2193b3b", + "https://git.kernel.org/stable/c/c516db6ab9eabbedbc430b4f93b0d8728e9b427f", + "https://git.kernel.org/stable/c/eb85dace897c5986bc2f36b3c783c6abb8a4292e", + "https://git.kernel.org/stable/c/eff7cdf890b02596b8d73e910bdbdd489175dbdb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential hang in nilfs_detach_log_writer()\n\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\n\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\n\nnilfs_detach_log_writer\n nilfs_segctor_destroy\n nilfs_segctor_kill_thread --> Shut down log writer thread\n flush_work\n nilfs_iput_work_func\n nilfs_dispose_list\n iput\n nilfs_evict_inode\n nilfs_transaction_commit\n nilfs_construct_segment (if inode needs sync)\n nilfs_segctor_sync --> Attempt to synchronize with\n log writer thread\n *** DEADLOCK ***\n\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\n\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38582" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38583", + "dataSource": "https://ubuntu.com/security/CVE-2024-38583", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38583" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38583", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38583", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2f12b2c03c5dae1a0de0a9e5853177e3d6eee3c6", + "https://git.kernel.org/stable/c/67fa90d4a2ccd9ebb0e1e168c7d0b5d0cf3c7148", + "https://git.kernel.org/stable/c/68e738be5c518fc3c4e9146b66f67c8fee0135fb", + "https://git.kernel.org/stable/c/822ae5a8eac30478578a75f7e064f0584931bf2d", + "https://git.kernel.org/stable/c/82933c84f188dcfe89eb26b0b48ab5d1ca99d164", + "https://git.kernel.org/stable/c/86a30d6302deddb9fb97ba6fc4b04d0e870b582a", + "https://git.kernel.org/stable/c/e65ccf3a4de4f0c763d94789615b83e11f204438", + "https://git.kernel.org/stable/c/f5d4e04634c9cf68bdf23de08ada0bb92e8befe7", + "https://git.kernel.org/stable/c/f9186bba4ea282b07293c1c892441df3a5441cb0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of timer for log writer thread\n\nPatch series \"nilfs2: fix log writer related issues\".\n\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis. Details are described in each commit log.\n\n\nThis patch (of 3):\n\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\n\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\n\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38583" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38586", + "dataSource": "https://ubuntu.com/security/CVE-2024-38586", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38586" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38586", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38586", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/078d5b7500d70af2de6b38e226b03f0b932026a6", + "https://git.kernel.org/stable/c/0c48185a95309556725f818b82120bb74e9c627d", + "https://git.kernel.org/stable/c/54e7a0d111240c92c0f02ceba6eb8f26bf6d6479", + "https://git.kernel.org/stable/c/61c1c98e2607120ce9c3fa1bf75e6da909712b27", + "https://git.kernel.org/stable/c/68222d7b4b72aa321135cd453dac37f00ec41fd1", + "https://git.kernel.org/stable/c/b6d21cf40de103d63ae78551098a7c06af8c98dd", + "https://git.kernel.org/stable/c/c71e3a5cffd5309d7f84444df03d5b72600cc417" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\n\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\n\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\n\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38586" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38587", + "dataSource": "https://ubuntu.com/security/CVE-2024-38587", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38587" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38587", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38587", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b", + "https://git.kernel.org/stable/c/07ef95cc7a579731198c93beed281e3a79a0e586", + "https://git.kernel.org/stable/c/3726f75a1ccc16cd335c0ccfad1d92ee08ecba5e", + "https://git.kernel.org/stable/c/42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358", + "https://git.kernel.org/stable/c/504178fb7d9f6cdb0496d5491efb05f45597e535", + "https://git.kernel.org/stable/c/c6e1650cf5df1bd6638eeee231a683ef30c7d4eb", + "https://git.kernel.org/stable/c/cd7f3978c2ec741aedd1d860b2adb227314cf996", + "https://git.kernel.org/stable/c/d52c04474feac8e305814a5228e622afe481b2ef", + "https://git.kernel.org/stable/c/eb1ea64328d4cc7d7a912c563f8523d5259716ef" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Fix sizeof() vs ARRAY_SIZE() bug\n\nThe \"buf\" pointer is an array of u16 values. This code should be\nusing ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),\notherwise it can the still got out of bounds.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38587" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38588", + "dataSource": "https://ubuntu.com/security/CVE-2024-38588", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38588" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38588", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38588", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b", + "https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6", + "https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461", + "https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831", + "https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada", + "https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix possible use-after-free issue in ftrace_location()\n\nKASAN reports a bug:\n\n BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n Read of size 8 at addr ffff888141d40010 by task insmod/424\n CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+\n [...]\n Call Trace:\n \n dump_stack_lvl+0x68/0xa0\n print_report+0xcf/0x610\n kasan_report+0xb5/0xe0\n ftrace_location+0x90/0x120\n register_kprobe+0x14b/0xa40\n kprobe_init+0x2d/0xff0 [kprobe_example]\n do_one_initcall+0x8f/0x2d0\n do_init_module+0x13a/0x3c0\n load_module+0x3082/0x33d0\n init_module_from_file+0xd2/0x130\n __x64_sys_finit_module+0x306/0x440\n do_syscall_64+0x68/0x140\n entry_SYSCALL_64_after_hwframe+0x71/0x79\n\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\n\n CPU1 | CPU2\n register_kprobes() { | delete_module() {\n check_kprobe_address_safe() { |\n arch_check_ftrace_location() { |\n ftrace_location() { |\n lookup_rec() // USE! | ftrace_release_mod() // Free!\n\nTo fix this issue:\n 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n 2. Use ftrace_location_range() instead of lookup_rec() in\n ftrace_location();\n 3. Call synchronize_rcu() before freeing any ftrace pages both in\n ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38588" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38589", + "dataSource": "https://ubuntu.com/security/CVE-2024-38589", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38589" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38589", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38589", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1fbfb483c1a290dce3f41f52d45cc46dd88b7691", + "https://git.kernel.org/stable/c/3db2fc45d1d2a6457f06ebdfd45b9820e5b5c2b7", + "https://git.kernel.org/stable/c/421c50fa81836775bf0fd6ce0e57a6eb27af24d5", + "https://git.kernel.org/stable/c/5bc50a705cfac8f64ce51c95611c3dd0554ef9c3", + "https://git.kernel.org/stable/c/5fb7e2a4335fc67d6952ad2a6613c46e0b05f7c5", + "https://git.kernel.org/stable/c/b117e5b4f27c2c9076561b6be450a9619f0b79de", + "https://git.kernel.org/stable/c/b9d663fbf74290cb68fbc66ae4367bd56837ad1d", + "https://git.kernel.org/stable/c/e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6", + "https://git.kernel.org/stable/c/f28bdc2ee5d9300cc77bd3d97b5b3cdd14960fd8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: fix possible dead-lock in nr_rt_ioctl()\n\nsyzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]\n\nMake sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)\n\n[1]\nWARNING: possible circular locking dependency detected\n6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted\n------------------------------------------------------\nsyz-executor350/5129 is trying to acquire lock:\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n\nbut task is already holding lock:\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (nr_node_list_lock){+...}-{2:2}:\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_remove_node net/netrom/nr_route.c:299 [inline]\n nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355\n nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n-> #0 (&nr_node->node_lock){+...}-{2:2}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_node_lock include/net/netrom.h:152 [inline]\n nr_dec_obs net/netrom/nr_route.c:464 [inline]\n nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(nr_node_list_lock);\n lock(&nr_node->node_lock);\n lock(nr_node_list_lock);\n lock(&nr_node->node_lock);\n\n *** DEADLOCK ***\n\n1 lock held by syz-executor350/5129:\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n #0: ffffffff8f70\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38589" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38590", + "dataSource": "https://ubuntu.com/security/CVE-2024-38590", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38590" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38590", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38590", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06cf121346bbd3d83a5eea05bb87666c6b279990", + "https://git.kernel.org/stable/c/17f3741c65c4a042ae8ba094068b07a4b77e213c", + "https://git.kernel.org/stable/c/349e859952285ab9689779fb46de163f13f18f43", + "https://git.kernel.org/stable/c/45b31be4dd22827903df15c548b97b416790139b", + "https://git.kernel.org/stable/c/6f541a89ced8305da459e3ab0006e7528cf7da7b", + "https://git.kernel.org/stable/c/817a10a6df9354e67561922d2b7fce48dfbebc55", + "https://git.kernel.org/stable/c/cc699b7eb2bc963c12ffcd37f80f45330d2924bd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Modify the print level of CQE error\n\nToo much print may lead to a panic in kernel. Change ibdev_err() to\nibdev_err_ratelimited(), and change the printing level of cqe dump\nto debug level.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38590" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38591", + "dataSource": "https://ubuntu.com/security/CVE-2024-38591", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38591" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38591", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38591", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/22c915af31bd84ffaa46145e317f53333f94a868", + "https://git.kernel.org/stable/c/4a3be1a0ffe04c085dd7f79be97c91b0c786df3d", + "https://git.kernel.org/stable/c/72dc542f0d8977e7d41d610db6bb65c47cad43e9", + "https://git.kernel.org/stable/c/756ddbe665ea7f9416951bd76731b174d136eea0", + "https://git.kernel.org/stable/c/b46494b6f9c19f141114a57729e198698f40af37", + "https://git.kernel.org/stable/c/d271e66abac5c7eb8de345b9b44d89f777437a4c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix deadlock on SRQ async events.\n\nxa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/\nxa_erase_irq() to avoid deadlock.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38591" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38594", + "dataSource": "https://ubuntu.com/security/CVE-2024-38594", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38594" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38594", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38594", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/36ac9e7f2e5786bd37c5cd91132e1f39c29b8197", + "https://git.kernel.org/stable/c/487f9030b1ef34bab123f2df2a4ccbe01ba84416", + "https://git.kernel.org/stable/c/6f476aff2d8da1a189621c4c16a76a6c534e4312" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: move the EST lock to struct stmmac_priv\n\nReinitialize the whole EST structure would also reset the mutex\nlock which is embedded in the EST structure, and then trigger\nthe following warning. To address this, move the lock to struct\nstmmac_priv. We also need to reacquire the mutex lock when doing\nthis initialization.\n\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\nWARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068\n Modules linked in:\n CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29\n Hardware name: NXP i.MX8MPlus EVK board (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __mutex_lock+0xd84/0x1068\n lr : __mutex_lock+0xd84/0x1068\n sp : ffffffc0864e3570\n x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003\n x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac\n x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000\n x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff\n x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000\n x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8\n x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698\n x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001\n x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n __mutex_lock+0xd84/0x1068\n mutex_lock_nested+0x28/0x34\n tc_setup_taprio+0x118/0x68c\n stmmac_setup_tc+0x50/0xf0\n taprio_change+0x868/0xc9c", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38594" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38596", + "dataSource": "https://ubuntu.com/security/CVE-2024-38596", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38596" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38596", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38596", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0688d4e499bee3f2749bca27329bd128686230cb", + "https://git.kernel.org/stable/c/4d51845d734a4c5d079e56e0916f936a55e15055", + "https://git.kernel.org/stable/c/540bf24fba16b88c1b3b9353927204b4f1074e25", + "https://git.kernel.org/stable/c/8299e4d778f664b31b67cf4cf3d5409de2ecb92c", + "https://git.kernel.org/stable/c/9aa8773abfa0e954136875b4cbf2df4cf638e8a5", + "https://git.kernel.org/stable/c/a4c88072abcaca593cefe70f90e9d3707526e8f9", + "https://git.kernel.org/stable/c/a52fa2addfcccc2c5a0217fd45562605088c018b", + "https://git.kernel.org/stable/c/de6641d213373fbde9bbdd7c4b552254bc9f82fe", + "https://git.kernel.org/stable/c/fca6072e1a7b1e709ada5604b951513b89b4bd0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\n\nA data-race condition has been identified in af_unix. In one data path,\nthe write function unix_release_sock() atomically writes to\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\nunix_stream_sendmsg() does not read it atomically. Consequently, this\nissue is causing the following KCSAN splat to occur:\n\n\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\n\n\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\n\tunix_release_sock (net/unix/af_unix.c:640)\n\tunix_release (net/unix/af_unix.c:1050)\n\tsock_close (net/socket.c:659 net/socket.c:1421)\n\t__fput (fs/file_table.c:422)\n\t__fput_sync (fs/file_table.c:508)\n\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\n\t__x64_sys_close (fs/open.c:1541)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\n\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\n\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\n\t____sys_sendmsg (net/socket.c:2584)\n\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\n\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tvalue changed: 0x01 -> 0x03\n\nThe line numbers are related to commit dd5a440a31fa (\"Linux 6.9-rc7\").\n\nCommit e1d09c2c2f57 (\"af_unix: Fix data races around sk->sk_shutdown.\")\naddressed a comparable issue in the past regarding sk->sk_shutdown.\nHowever, it overlooked resolving this particular data path.\nThis patch only offending unix_stream_sendmsg() function, since the\nother reads seem to be protected by unix_state_lock() as discussed in", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38596" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38597", + "dataSource": "https://ubuntu.com/security/CVE-2024-38597", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38597" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38597", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38597", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/476adb3bbbd7886e8251d3b9ce2d3c3e680f35d6", + "https://git.kernel.org/stable/c/5de5aeb98f9a000adb0db184e32765e4815d860b", + "https://git.kernel.org/stable/c/6400d205fbbcbcf9b8510157e1f379c1d7e2e937", + "https://git.kernel.org/stable/c/ac0a230f719b02432d8c7eba7615ebd691da86f4", + "https://git.kernel.org/stable/c/e22b23f5888a065d084e87db1eec639c445e677f", + "https://git.kernel.org/stable/c/faf94f1eb8a34b2c31b2042051ef36f63420ecce", + "https://git.kernel.org/stable/c/fbeeb55dbb33d562149c57e794f06b7414e44289" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: sungem: remove .ndo_poll_controller to avoid deadlocks\n\nErhard reports netpoll warnings from sungem:\n\n netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398)\n WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c\n\ngem_poll_controller() disables interrupts, which may sleep.\nWe can't sleep in netpoll, it has interrupts disabled completely.\nStrangely, gem_poll_controller() doesn't even poll the completions,\nand instead acts as if an interrupt has fired so it just schedules\nNAPI and exits. None of this has been necessary for years, since\nnetpoll invokes NAPI directly.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38597" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38598", + "dataSource": "https://ubuntu.com/security/CVE-2024-38598", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38598" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38598", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38598", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3f5b73ef8fd6268cbc968b308d8eafe56fda97f3", + "https://git.kernel.org/stable/c/43771597feba89a839c5f893716df88ae5c237ce", + "https://git.kernel.org/stable/c/5817f43ae1a118855676f57ef7ab50e37eac7482", + "https://git.kernel.org/stable/c/69296914bfd508c85935bf5f711cad9b0fe78492", + "https://git.kernel.org/stable/c/71e8e4f288e74a896b6d9cd194f3bab12bd7a10f", + "https://git.kernel.org/stable/c/8bbc71315e0ae4bb7e37f8d43b915e1cb01a481b", + "https://git.kernel.org/stable/c/c9566b812c8f66160466cc1e29df6d3646add0b1", + "https://git.kernel.org/stable/c/d4b9c764d48fa41caa24cfb4275f3aa9fb4bd798", + "https://git.kernel.org/stable/c/f0e729af2eb6bee9eb58c4df1087f14ebaefe26b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix resync softlockup when bitmap size is less than array size\n\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\n\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n \n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\n\nAnd the detailed process is as follows:\n\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n sectors = raid10_sync_request(mddev, j, &skipped)\n if (!md_bitmap_start_sync(..., &sync_blocks))\n // md_bitmap_start_sync set sync_blocks to 0\n return sync_blocks + sectors_skippe;\n // sectors = 0;\n j += sectors;\n // j never change\n\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\n\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\n\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38598" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38599", + "dataSource": "https://ubuntu.com/security/CVE-2024-38599", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38599" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38599", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38599", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11", + "https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df", + "https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275", + "https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07", + "https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b", + "https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb", + "https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913", + "https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098", + "https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eraseblock\n\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\n\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\n\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\n\nThis breaks the filesystem and can lead to KASAN crashes such as:\n\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38599" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38600", + "dataSource": "https://ubuntu.com/security/CVE-2024-38600", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38600" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-118.128" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38600", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38600", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2f103287ef7960854808930499d1181bd0145d68", + "https://git.kernel.org/stable/c/6b55e879e7bd023a03888fc6c8339edf82f576f4", + "https://git.kernel.org/stable/c/87988a534d8e12f2e6fc01fe63e6c1925dc5307c", + "https://git.kernel.org/stable/c/88ce3fe255d58a93624b467af036dc3519f309c7", + "https://git.kernel.org/stable/c/c2fb439f4f1425a961d20bec818fed2c2d9ef70a", + "https://git.kernel.org/stable/c/ff80185e7b7b547a0911fcfc8aefc61c3e8304d7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: Fix deadlocks with kctl removals at disconnection\n\nIn snd_card_disconnect(), we set card->shutdown flag at the beginning,\ncall callbacks and do sync for card->power_ref_sleep waiters at the\nend. The callback may delete a kctl element, and this can lead to a\ndeadlock when the device was in the suspended state. Namely:\n\n* A process waits for the power up at snd_power_ref_and_wait() in\n snd_ctl_info() or read/write() inside card->controls_rwsem.\n\n* The system gets disconnected meanwhile, and the driver tries to\n delete a kctl via snd_ctl_remove*(); it tries to take\n card->controls_rwsem again, but this is already locked by the\n above. Since the sleeper isn't woken up, this deadlocks.\n\nAn easy fix is to wake up sleepers before processing the driver\ndisconnect callbacks but right after setting the card->shutdown flag.\nThen all sleepers will abort immediately, and the code flows again.\n\nSo, basically this patch moves the wait_event() call at the right\ntiming. While we're at it, just to be sure, call wait_event_all()\ninstead of wait_event(), although we don't use exclusive events on\nthis queue for now.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-118.128 (deb)", + "vulnerabilityID": "CVE-2024-38600" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38601", + "dataSource": "https://ubuntu.com/security/CVE-2024-38601", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38601" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38601", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38601", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b", + "https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e", + "https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb", + "https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1", + "https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87", + "https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533", + "https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e", + "https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa", + "https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix a race between readers and resize checks\n\nThe reader code in rb_get_reader_page() swaps a new reader page into the\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\nnew page. Following that, if the operation is successful,\nold->list.next->prev gets updated too. This means the underlying\ndoubly-linked list is temporarily inconsistent, page->prev->next or\npage->next->prev might not be equal back to page for some page in the\nring buffer.\n\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\nIt calls rb_check_pages() which can detect the described inconsistency\nand stop further tracing:\n\n[ 190.271762] ------------[ cut here ]------------\n[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\n[ 190.271789] Modules linked in: [...]\n[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\n[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\n[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\n[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\n[ 190.272023] Code: [...]\n[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\n[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\n[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\n[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\n[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\n[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\n[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\n[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\n[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 190.272077] Call Trace:\n[ 190.272098] \n[ 190.272189] ring_buffer_resize+0x2ab/0x460\n[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0\n[ 190.272206] tracing_resize_ring_buffer+0x65/0x90\n[ 190.272216] tracing_entries_write+0x74/0xc0\n[ 190.272225] vfs_write+0xf5/0x420\n[ 190.272248] ksys_write+0x67/0xe0\n[ 190.272256] do_syscall_64+0x82/0x170\n[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 190.272373] RIP: 0033:0x7f1bd657d263\n[ 190.272381] Code: [...]\n[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\n[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\n[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\n[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\n[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\n[ 190.272412] \n[ 190.272414] ---[ end trace 0000000000000000 ]---\n\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\ntrace_buffer has recording disabled. Recent commit d78ab792705c\n(\"tracing: Stop current tracer when resizing buffer\") causes that it is\nnow always the case which makes it more likely to experience this issue.\n\nThe window to hit this race is nonetheless very small. To help\nreproducing it, one can add a delay loop in rb_get_reader_page():\n\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\n if (!ret)\n \tgoto spin;\n for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */\n \t__asm__ __volatile__ (\"\" : : : \"memory\");\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\n\n.. \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38601" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38602", + "dataSource": "https://ubuntu.com/security/CVE-2024-38602", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38602" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38602", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38602", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1ea02699c7557eeb35ccff2bd822de1b3e09d868", + "https://git.kernel.org/stable/c/38eb01edfdaa1562fa00429be2e33f45383b1b3a", + "https://git.kernel.org/stable/c/81d8240b0a243b3ddd8fa8aa172f1acc2f7cc8f3", + "https://git.kernel.org/stable/c/ae467750a3765dd1092eb29f58247950a2f9b60c", + "https://git.kernel.org/stable/c/b505e0319852b08a3a716b64620168eab21f4ced" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issues of ax25_dev\n\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\ncount leak issue of the object \"ax25_dev\".\n\nMemory leak issue in ax25_addr_ax25dev():\n\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\n\nMemory leak issues in ax25_dev_device_down():\n\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down. The ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause\nmemory leak.\n\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38602" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38605", + "dataSource": "https://ubuntu.com/security/CVE-2024-38605", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38605" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38605", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38605", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e7351138a29c1", + "https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12", + "https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5", + "https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434", + "https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e", + "https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92", + "https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: core: Fix NULL module pointer assignment at card init\n\nThe commit 81033c6b584b (\"ALSA: core: Warn on empty module\")\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\nobject creation, and it also wraps the code around it with '#ifdef\nMODULE'. This works in most cases, but the devils are always in\ndetails. \"MODULE\" is defined when the target code (i.e. the sound\ncore) is built as a module; but this doesn't mean that the caller is\nalso built-in or not. Namely, when only the sound core is built-in\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\nthe passed module pointer is ignored even if it's non-NULL, and\ncard->module remains as NULL. This would result in the missing module\nreference up/down at the device open/close, leading to a race with the\ncode execution after the module removal.\n\nFor addressing the bug, move the assignment of card->module again out\nof ifdef. The WARN_ON() is still wrapped with ifdef because the\nmodule can be really NULL when all sound drivers are built-in.\n\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\nlead to a false-positive NULL module check. Admittedly it won't catch\nperfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no\nreal problem as it's only for debugging, and the condition is pretty\nrare.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 8.8, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38605" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38607", + "dataSource": "https://ubuntu.com/security/CVE-2024-38607", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38607" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38607", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38607", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/010d4cb19bb13f423e3e746b824f314a9bf3e9a9", + "https://git.kernel.org/stable/c/1e9c3f2caec548cfa7a65416ec4e6006e542f18e", + "https://git.kernel.org/stable/c/280619bbdeac186fb320fab3d61122d2a085def8", + "https://git.kernel.org/stable/c/2907d409ce5946390f513976f0454888d37d1058", + "https://git.kernel.org/stable/c/5900a88e897e6deb1bdce09ee34167a81c2da89d", + "https://git.kernel.org/stable/c/787fb79efc15b3b86442ecf079b8148f173376d7", + "https://git.kernel.org/stable/c/d301a71c76ee4c384b4e03cdc320a55f5cf1df05", + "https://git.kernel.org/stable/c/d43a8c7ec0841e0ff91a968770aeca83f0fd4c56", + "https://git.kernel.org/stable/c/e4ff8bcfb2841fe4e17e5901578b632adb89036d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/via-macii: Fix \"BUG: sleeping function called from invalid context\"\n\nThe via-macii ADB driver calls request_irq() after disabling hard\ninterrupts. But disabling interrupts isn't necessary here because the\nVIA shift register interrupt was masked during VIA1 initialization.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38607" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38608", + "dataSource": "https://ubuntu.com/security/CVE-2024-38608", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38608" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38608", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38608", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3d5918477f94e4c2f064567875c475468e264644", + "https://git.kernel.org/stable/c/f7e6cfb864a53af71c5cc904f1cc22215d68f5c6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix netif state handling\n\nmlx5e_suspend cleans resources only if netif_device_present() returns\ntrue. However, mlx5e_resume changes the state of netif, via\nmlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.\nIn the below case, the above leads to NULL-ptr Oops[1] and memory\nleaks:\n\nmlx5e_probe\n _mlx5e_resume\n mlx5e_attach_netdev\n mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach()\n register_netdev <-- failed for some reason.\nERROR_FLOW:\n _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(\n\nHence, clean resources in this case as well.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at0xffffffffffffffd6.\nRSP: 0018:ffff888178aaf758 EFLAGS: 00010246\nCall Trace:\n \n ? __die+0x20/0x60\n ? page_fault_oops+0x14c/0x3c0\n ? exc_page_fault+0x75/0x140\n ? asm_exc_page_fault+0x22/0x30\n notifier_call_chain+0x35/0xb0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]\n mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]\n mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\n mlx5r_probe+0xe1/0x210 [mlx5_ib]\n ? auxiliary_match_id+0x6a/0x90\n auxiliary_bus_probe+0x38/0x80\n ? driver_sysfs_add+0x51/0x80\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x637/0x840\n __auxiliary_device_add+0x3b/0xa0\n add_adev+0xc9/0x140 [mlx5_core]\n mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]\n mlx5_register_device+0x53/0xa0 [mlx5_core]\n mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]\n mlx5_init_one+0x3b/0x60 [mlx5_core]\n probe_one+0x44c/0x730 [mlx5_core]\n local_pci_probe+0x3e/0x90\n pci_device_probe+0xbf/0x210\n ? kernfs_create_link+0x5d/0xa0\n ? sysfs_do_create_link_sd+0x60/0xc0\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n pci_bus_add_device+0x54/0x80\n pci_iov_add_virtfn+0x2e6/0x320\n sriov_enable+0x208/0x420\n mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]\n sriov_numvfs_store+0xae/0x1a0\n kernfs_fop_write_iter+0x10c/0x1a0\n vfs_write+0x291/0x3c0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38608" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38610", + "dataSource": "https://ubuntu.com/security/CVE-2024-38610", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38610" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38610", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38610", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb", + "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559", + "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4", + "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a", + "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32", + "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\ncompiles, that's all I know. I'll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation. Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We're not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We're not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38610" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38611", + "dataSource": "https://ubuntu.com/security/CVE-2024-38611", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38611" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38611", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38611", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/43fff07e4b1956d0e5cf23717507e438278ea3d9", + "https://git.kernel.org/stable/c/545b215736c5c4b354e182d99c578a472ac9bfce", + "https://git.kernel.org/stable/c/904db2ba44ae60641b6378c5013254d09acf5e80", + "https://git.kernel.org/stable/c/c1a3803e5bb91c13e9ad582003e4288f67f06cd9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: et8ek8: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback\nbeing discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets\nunbound (e.g. using sysfs or hotplug), the driver is just removed\nwithout the cleanup being performed. This results in resource leaks. Fix\nit by compiling in the remove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\n\tWARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38611" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38612", + "dataSource": "https://ubuntu.com/security/CVE-2024-38612", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38612" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38612", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38612", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/00e6335329f23ac6cf3105931691674e28bc598c", + "https://git.kernel.org/stable/c/10610575a3ac2a702bf5c57aa931beaf847949c7", + "https://git.kernel.org/stable/c/160e9d2752181fcf18c662e74022d77d3164cd45", + "https://git.kernel.org/stable/c/1a63730fb315bb1bab97edd69ff58ad45e04bb01", + "https://git.kernel.org/stable/c/3398a40dccb88d3a7eef378247a023a78472db66", + "https://git.kernel.org/stable/c/646cd236c55e2cb5f146fc41bbe4034c4af5b2a4", + "https://git.kernel.org/stable/c/85a70ff1e572160f1eeb096ed48d09a1c9d4d89a", + "https://git.kernel.org/stable/c/c04d6a914e890ccea4a9d11233009a2ee7978bf4", + "https://git.kernel.org/stable/c/e77a3ec7ada84543e75722a1283785a6544de925" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix invalid unregister error path\n\nThe error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL\nis not defined. In that case if seg6_hmac_init() fails, the\ngenl_unregister_family() isn't called.\n\nThis issue exist since commit 46738b1317e1 (\"ipv6: sr: add option to control\nlwtunnel support\"), and commit 5559cea2d5aa (\"ipv6: sr: fix possible\nuse-after-free and null-ptr-deref\") replaced unregister_pernet_subsys()\nwith genl_unregister_family() in this error path.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38612" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38613", + "dataSource": "https://ubuntu.com/security/CVE-2024-38613", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38613" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38613", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38613", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d9ae1253535f6e85a016e09c25ecbe6f7f59ef0", + "https://git.kernel.org/stable/c/2a8d1d95302c7d52c6ac8fa5cb4a6948ae0d3a14", + "https://git.kernel.org/stable/c/4eeffecc8e3cce25bb559502c2fd94a948bcde82", + "https://git.kernel.org/stable/c/5213cc01d0464c011fdc09f318705603ed3a746b", + "https://git.kernel.org/stable/c/77b2b67a0f8bce260c53907e5749d61466d90c87", + "https://git.kernel.org/stable/c/95f00caf767b5968c2c51083957b38be4748a78a", + "https://git.kernel.org/stable/c/da89ce46f02470ef08f0f580755d14d547da59ed", + "https://git.kernel.org/stable/c/f1d4274a84c069be0f6098ab10c3443fc1f7134c", + "https://git.kernel.org/stable/c/f3baf0f4f92af32943ebf27b960e0552c6c082fd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nm68k: Fix spinlock race in kernel thread creation\n\nContext switching does take care to retain the correct lock owner across\nthe switch from 'prev' to 'next' tasks. This does rely on interrupts\nremaining disabled for the entire duration of the switch.\n\nThis condition is guaranteed for normal process creation and context\nswitching between already running processes, because both 'prev' and\n'next' already have interrupts disabled in their saved copies of the\nstatus register.\n\nThe situation is different for newly created kernel threads. The status\nregister is set to PS_S in copy_thread(), which does leave the IPL at 0.\nUpon restoring the 'next' thread's status register in switch_to() aka\nresume(), interrupts then become enabled prematurely. resume() then\nreturns via ret_from_kernel_thread() and schedule_tail() where run queue\nlock is released (see finish_task_switch() and finish_lock_switch()).\n\nA timer interrupt calling scheduler_tick() before the lock is released\nin finish_task_switch() will find the lock already taken, with the\ncurrent task as lock owner. This causes a spinlock recursion warning as\nreported by Guenter Roeck.\n\nAs far as I can ascertain, this race has been opened in commit\n533e6903bea0 (\"m68k: split ret_from_fork(), simplify kernel_thread()\")\nbut I haven't done a detailed study of kernel history so it may well\npredate that commit.\n\nInterrupts cannot be disabled in the saved status register copy for\nkernel threads (init will complain about interrupts disabled when\nfinally starting user space). Disable interrupts temporarily when\nswitching the tasks' register sets in resume().\n\nNote that a simple oriw 0x700,%sr after restoring sr is not enough here\n- this leaves enough of a race for the 'spinlock recursion' warning to\nstill be observed.\n\nTested on ARAnyM and qemu (Quadra 800 emulation).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38613" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38615", + "dataSource": "https://ubuntu.com/security/CVE-2024-38615", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38615" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38615", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38615", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2d730b465e377396d2a09a53524b96b111f7ccb6", + "https://git.kernel.org/stable/c/35db5e76d5e9f752476df5fa0b9018a2398b0378", + "https://git.kernel.org/stable/c/3e99f060cfd2e36504d62c9132b453ade5027e1c", + "https://git.kernel.org/stable/c/8bc9546805e572ad101681437a49939f28777273", + "https://git.kernel.org/stable/c/a8204d1b6ff762d2171d365c2c8560285d0a233d", + "https://git.kernel.org/stable/c/ae37ebca325097d773d7bb6ec069123b30772872", + "https://git.kernel.org/stable/c/b8f85833c05730d631576008daaa34096bc7f3ce", + "https://git.kernel.org/stable/c/dfc56ff5ec9904c008e9376d90a6d7e2d2bec4d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: exit() callback is optional\n\nThe exit() callback is optional and shouldn't be called without checking\na valid pointer first.\n\nAlso, we must clear freq_table pointer even if the exit() callback isn't\npresent.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38615" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38618", + "dataSource": "https://ubuntu.com/security/CVE-2024-38618", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38618" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38618", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38618", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c95241ac5fc90c929d6c0c023e84bf0d30e84c3", + "https://git.kernel.org/stable/c/4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e", + "https://git.kernel.org/stable/c/68396c825c43664b20a3a1ba546844deb2b4e48f", + "https://git.kernel.org/stable/c/74bfb8d90f2601718ae203faf45a196844c01fa1", + "https://git.kernel.org/stable/c/83f0ba8592b9e258fd80ac6486510ab1dcd7ad6e", + "https://git.kernel.org/stable/c/abb1ad69d98cf1ff25bb14fff0e7c3f66239e1cd", + "https://git.kernel.org/stable/c/bdd0aa055b8ec7e24bbc19513f3231958741d0ab", + "https://git.kernel.org/stable/c/ceab795a67dd28dd942d0d8bba648c6c0f7a044b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Set lower bound of start tick time\n\nCurrently ALSA timer doesn't have the lower limit of the start tick\ntime, and it allows a very small size, e.g. 1 tick with 1ns resolution\nfor hrtimer. Such a situation may lead to an unexpected RCU stall,\nwhere the callback repeatedly queuing the expire update, as reported\nby fuzzer.\n\nThis patch introduces a sanity check of the timer start tick time, so\nthat the system returns an error when a too small start size is set.\nAs of this patch, the lower limit is hard-coded to 100us, which is\nsmall enough but can still work somehow.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38618" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38619", + "dataSource": "https://ubuntu.com/security/CVE-2024-38619", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38619" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38619", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38619", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16637fea001ab3c8df528a8995b3211906165a30", + "https://git.kernel.org/stable/c/24bff7f714bdff97c2a75a0ff6a368cdf8ad5af4", + "https://git.kernel.org/stable/c/2cc32639ec347e3365075b130f9953ef16cb13f1", + "https://git.kernel.org/stable/c/3eee13ab67f65606faa66e0c3c729e4f514838fd", + "https://git.kernel.org/stable/c/51fe16c058acb22f847e69bc598066ed0bcd5c15", + "https://git.kernel.org/stable/c/e0aab7b07a9375337847c9d74a5ec044071e01c8", + "https://git.kernel.org/stable/c/e0e2eec76920a133dd49a4fbe4656d83596a1361", + "https://git.kernel.org/stable/c/f68820f1256b21466ff094dd97f243b7e708f9c1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb-storage: alauda: Check whether the media is initialized\n\nThe member \"uzonesize\" of struct alauda_info will remain 0\nif alauda_init_media() fails, potentially causing divide errors\nin alauda_read_data() and alauda_write_lba().\n- Add a member \"media_initialized\" to struct alauda_info.\n- Change a condition in alauda_check_media() to ensure the\n first initialization.\n- Add an error check for the return value of alauda_init_media().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38619" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38621", + "dataSource": "https://ubuntu.com/security/CVE-2024-38621", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38621" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38621", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38621", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7532bcec0797adfa08791301c3bcae14141db3bd", + "https://git.kernel.org/stable/c/a08492832cc4cacc24e0612f483c86ca899b9261", + "https://git.kernel.org/stable/c/a16775828aaed1c54ff4e6fe83e8e4d5c6a50cb7", + "https://git.kernel.org/stable/c/b504518a397059e1d55c521ba0ea2b545a6c4b52", + "https://git.kernel.org/stable/c/d410017a7181cb55e4a5c810b32b75e4416c6808", + "https://git.kernel.org/stable/c/ecf4ddc3aee8ade504c4d36b7b4053ce6093e200", + "https://git.kernel.org/stable/c/f6a392266276730bea893b55d12940e32a25f56a", + "https://git.kernel.org/stable/c/faa4364bef2ec0060de381ff028d1d836600a381" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: stk1160: fix bounds checking in stk1160_copy_video()\n\nThe subtract in this condition is reversed. The ->length is the length\nof the buffer. The ->bytesused is how many bytes we have copied thus\nfar. When the condition is reversed that means the result of the\nsubtraction is always negative but since it's unsigned then the result\nis a very high positive value. That means the overflow check is never\ntrue.\n\nAdditionally, the ->bytesused doesn't actually work for this purpose\nbecause we're not writing to \"buf->mem + buf->bytesused\". Instead, the\nmath to calculate the destination where we are writing is a bit\ninvolved. You calculate the number of full lines already written,\nmultiply by two, skip a line if necessary so that we start on an odd\nnumbered line, and add the offset into the line.\n\nTo fix this buffer overflow, just take the actual destination where we\nare writing, if the offset is already out of bounds print an error and\nreturn. Otherwise, write up to buf->length bytes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38621" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38623", + "dataSource": "https://ubuntu.com/security/CVE-2024-38623", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38623" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38623", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38623", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/1997cdc3e727526aa5d84b32f7cbb3f56459b7ef", + "https://git.kernel.org/stable/c/1fe1c9dc21ee52920629d2d9b9bd84358931a8d1", + "https://git.kernel.org/stable/c/3839a9b19a4b70eff6b6ad70446f639f7fd5a3d7", + "https://git.kernel.org/stable/c/a2de301d90b782ac5d7a5fe32995caaee9ab3a0f", + "https://git.kernel.org/stable/c/cceef44b34819c24bb6ed70dce5b524bd3e368d1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use variable length array instead of fixed size\n\nShould fix smatch warning:\n\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38623" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38624", + "dataSource": "https://ubuntu.com/security/CVE-2024-38624", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38624" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38624", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38624", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/109d85a98345ee52d47c650405dc51bdd2bc7d40", + "https://git.kernel.org/stable/c/2d1ad595d15f36a925480199bf1d9ad72614210b", + "https://git.kernel.org/stable/c/847db4049f6189427ddaefcfc967d4d235b73c57", + "https://git.kernel.org/stable/c/98db3155b54d3684ef0ab5bfa0b856d13f65843d", + "https://git.kernel.org/stable/c/e931f6b630ffb22d66caab202a52aa8cbb10c649" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\n\nFor example, in the expression:\n\tvbo = 2 * vbo + skip", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38624" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38625", + "dataSource": "https://ubuntu.com/security/CVE-2024-38625", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38625" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38625", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38625", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803", + "https://git.kernel.org/stable/c/6c8054d590668629bb2eb6fb4cbf22455d08ada8", + "https://git.kernel.org/stable/c/ff1068929459347f9e47f8d14c409dcf938c2641" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Check 'folio' pointer for NULL\n\nIt can be NULL if bmap is called.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38625" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38627", + "dataSource": "https://ubuntu.com/security/CVE-2024-38627", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38627" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38627", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38627", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/370c480410f60b90ba3e96abe73ead21ec827b20", + "https://git.kernel.org/stable/c/3df463865ba42b8f88a590326f4c9ea17a1ce459", + "https://git.kernel.org/stable/c/4bfd48bb6e62512b9c392c5002c11e1e3b18d247", + "https://git.kernel.org/stable/c/6cc30ef8eb6d8f8d6df43152264bbf8835d99931", + "https://git.kernel.org/stable/c/713fc00c571dde4af3db2dbd5d1b0eadc327817b", + "https://git.kernel.org/stable/c/7419df1acffbcc90037f6b5a2823e81389659b36", + "https://git.kernel.org/stable/c/a0450d3f38e7c6c0a7c0afd4182976ee15573695", + "https://git.kernel.org/stable/c/d782a2db8f7ac49c33b9ca3e835500a28667d1be" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nstm class: Fix a double free in stm_register_device()\n\nThe put_device(&stm->dev) call will trigger stm_device_release() which\nfrees \"stm\" so the vfree(stm) on the next line is a double free.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38627" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38628", + "dataSource": "https://ubuntu.com/security/CVE-2024-38628", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38628" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38628", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38628", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b739388aa3f8dfb63a9fca777e6dfa6912d0464", + "https://git.kernel.org/stable/c/453d3fa9266e53f85377b911c19b9a4563fa88c0", + "https://git.kernel.org/stable/c/89e66809684485590ea0b32c3178e42cba36ac09", + "https://git.kernel.org/stable/c/bea73b58ab67fe581037ad9cdb93c2557590c068" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.\n\nHang on to the control IDs instead of pointers since those are correctly\nhandled with locks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38628" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38630", + "dataSource": "https://ubuntu.com/security/CVE-2024-38630", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38630" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38630", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38630", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/573601521277119f2e2ba5f28ae6e87fc594f4d4", + "https://git.kernel.org/stable/c/9b1c063ffc075abf56f63e55d70b9778ff534314", + "https://git.kernel.org/stable/c/f19686d616500cd0d47b30cee82392b53f7f784a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\n\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\n\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38630" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38632", + "dataSource": "https://ubuntu.com/security/CVE-2024-38632", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38632" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38632", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0bd22a4966d55f1d2c127a53300d5c2b50152376", + "https://git.kernel.org/stable/c/35fef97c33f3d3ca0455f9a8e2a3f2c1f8cc9140", + "https://git.kernel.org/stable/c/82b951e6fbd31d85ae7f4feb5f00ddd4c5d256e2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix potential memory leak in vfio_intx_enable()\n\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38632" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38633", + "dataSource": "https://ubuntu.com/security/CVE-2024-38633", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38633" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38633", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38633", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21a61a7fbcfdd3493cede43ebc7c4dfae2147a8b", + "https://git.kernel.org/stable/c/361a92c9038e8c8c3996f8eeaa14522a8ad90752", + "https://git.kernel.org/stable/c/712a1fcb38dc7cac6da63ee79a88708fbf9c45ec", + "https://git.kernel.org/stable/c/9db4222ed8cd3e50b81c8b910ae74c26427a4003", + "https://git.kernel.org/stable/c/b6eb7aff23e05f362e8c9b560f6ac5e727b70e00", + "https://git.kernel.org/stable/c/e8a10089eddba40d4b2080c9d3fc2d2b2488f762", + "https://git.kernel.org/stable/c/e8e2a4339decad7e59425b594a98613402652d72", + "https://git.kernel.org/stable/c/fa84ca78b048dfb00df0ef446f5c35e0a98ca6a0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Update uart_driver_registered on driver removal\n\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod — rmmod — insmod cycle the kernel\noopses:\n\n max3100 spi-PRP0001:01: max3100_probe: adding port 0\n BUG: kernel NULL pointer dereference, address: 0000000000000408\n ...\n RIP: 0010:serial_core_register_port+0xa0/0x840\n ...\n max3100_probe+0x1b6/0x280 [max3100]\n spi_probe+0x8d/0xb0\n\nUpdate the actual state so next time UART driver will be registered\nagain.\n\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38633" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38634", + "dataSource": "https://ubuntu.com/security/CVE-2024-38634", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38634" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38634", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38634", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/44b38924135d2093e2ec1812969464845dd66dc9", + "https://git.kernel.org/stable/c/77ab53371a2066fdf9b895246505f5ef5a4b5d47", + "https://git.kernel.org/stable/c/78dbda51bb4241b88a52d71620f06231a341f9ba", + "https://git.kernel.org/stable/c/8296bb9e5925b6634259c5d4daee88f0cc0884ec", + "https://git.kernel.org/stable/c/865b30c8661924ee9145f442bf32cea549faa869", + "https://git.kernel.org/stable/c/93df2fba6c7dfa9a2f08546ea9a5ca4728758458", + "https://git.kernel.org/stable/c/cc121e3722a0a2c8f716ef991e5425b180a5fb94", + "https://git.kernel.org/stable/c/ea9b35372b58ac2931bfc1d5bc25e839d1221e30" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\n\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\n\n WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n ...\n Workqueue: max3100-0 max3100_work [max3100]\n RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n ...\n max3100_handlerx+0xc5/0x110 [max3100]\n max3100_work+0x12a/0x340 [max3100]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38634" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38635", + "dataSource": "https://ubuntu.com/security/CVE-2024-38635", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38635" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38635", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38635", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/002364b2d594a9afc0385c09e00994c510b1d089", + "https://git.kernel.org/stable/c/2ebcaa0e5db9b6044bb487ae1cf41bc601761567", + "https://git.kernel.org/stable/c/4e99103f757cdf636c6ee860994a19a346a11785", + "https://git.kernel.org/stable/c/7eeef1e935d23db5265233d92395bd5c648a4021", + "https://git.kernel.org/stable/c/8ee1b439b1540ae543149b15a2a61b9dff937d91", + "https://git.kernel.org/stable/c/902f6d656441a511ac25c6cffce74496db10a078", + "https://git.kernel.org/stable/c/fd4bcb991ebaf0d1813d81d9983cfa99f9ef5328" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: cadence: fix invalid PDI offset\n\nFor some reason, we add an offset to the PDI, presumably to skip the\nPDI0 and PDI1 which are reserved for BPT.\n\nThis code is however completely wrong and leads to an out-of-bounds\naccess. We were just lucky so far since we used only a couple of PDIs\nand remained within the PDI array bounds.\n\nA Fixes: tag is not provided since there are no known platforms where\nthe out-of-bounds would be accessed, and the initial code had problems\nas well.\n\nA follow-up patch completely removes this useless offset.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38635" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38637", + "dataSource": "https://ubuntu.com/security/CVE-2024-38637", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38637" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38637", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38637", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/330f6bcdcef03f70f81db5f2ed6747af656a09f2", + "https://git.kernel.org/stable/c/518e2c46b5dbce40b1aa0100001d03c3ceaa7d38", + "https://git.kernel.org/stable/c/895cdd9aa9546523df839f9cc1488a0ecc1e0731", + "https://git.kernel.org/stable/c/8f4a76d477f0cc3c54d512f07f6f88c8e1c1e07b", + "https://git.kernel.org/stable/c/9b41a9b9c8be8c552f10633453fdb509e83b66f8", + "https://git.kernel.org/stable/c/a1ba19a1ae7cd1e324685ded4ab563e78fe68648", + "https://git.kernel.org/stable/c/e2c64246e5dc8c0d35ec41770b85e2b4cafdff21", + "https://git.kernel.org/stable/c/eac10cf3a97ffd4b4deb0a29f57c118225a42850" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: lights: check return of get_channel_from_mode\n\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\n\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38637" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38659", + "dataSource": "https://ubuntu.com/security/CVE-2024-38659", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38659" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38659", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38659", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/25571a12fbc8a1283bd8380d461267956fd426f7", + "https://git.kernel.org/stable/c/2b649d7e0cb42a660f0260ef25fd55fdc9c6c600", + "https://git.kernel.org/stable/c/3c0d36972edbe56fcf98899622d9b90ac9965227", + "https://git.kernel.org/stable/c/7077c22f84f41974a711604a42fd0e0684232ee5", + "https://git.kernel.org/stable/c/aee1955a1509a921c05c70dad5d6fc8563dfcb31", + "https://git.kernel.org/stable/c/ca63fb7af9d3e531aa25f7ae187bfc6c7166ec2d", + "https://git.kernel.org/stable/c/e8021b94b0412c37bcc79027c2e382086b6ce449", + "https://git.kernel.org/stable/c/f6638e955ca00c489894789492776842e102af9c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nenic: Validate length of nl attributes in enic_set_vf_port\n\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\nis of length PORT_PROFILE_MAX and that the nl attributes\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\nusing the policy is for the max size of the attributes and not on exact\nsize so the length of these attributes might be less than the sizes that\nenic_set_vf_port expects. This might cause an out of bands\nread access in the memcpys of the data of these\nattributes in enic_set_vf_port.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38659" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38661", + "dataSource": "https://ubuntu.com/security/CVE-2024-38661", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38661" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38661", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38661", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558", + "https://git.kernel.org/stable/c/4c0bfb4e867c1ec6616a5049bd3618021e127056", + "https://git.kernel.org/stable/c/67011123453b91ec03671d40712fa213e94a01b9", + "https://git.kernel.org/stable/c/7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0", + "https://git.kernel.org/stable/c/7c72af16abf2ec7520407098360bbba312289e05", + "https://git.kernel.org/stable/c/7dabe54a016defe11bb2a278cd9f1ff6db3feba6", + "https://git.kernel.org/stable/c/8c5f5911c1b13170d3404eb992c6a0deaa8d81ad", + "https://git.kernel.org/stable/c/d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ap: Fix crash in AP internal function modify_bitmap()\n\nA system crash like this\n\n Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n Fault in home space mode while using kernel ASCE.\n AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n Oops: 0038 ilc:3 [#1] PREEMPT SMP\n Modules linked in: mlx5_ib ...\n CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n Hardware name: IBM 3931 A01 704 (LPAR)\n Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a\n 0000014b75e7b600: 18b2 lr %r11,%r2\n #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616\n >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)\n 0000014b75e7b60c: a7680001 lhi %r6,1\n 0000014b75e7b610: 187b lr %r7,%r11\n 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654\n 0000014b75e7b616: 18e9 lr %r14,%r9\n Call Trace:\n [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n [<0000014b75e7b758>] apmask_store+0x68/0x140\n [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n [<0000014b75598524>] vfs_write+0x1b4/0x448\n [<0000014b7559894c>] ksys_write+0x74/0x100\n [<0000014b7618a440>] __do_syscall+0x268/0x328\n [<0000014b761a3558>] system_call+0x70/0x98\n INFO: lockdep is turned off.\n Last Breaking-Event-Address:\n [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n Kernel panic - not syncing: Fatal exception: panic_on_oops\n\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\n\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38661" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38662", + "dataSource": "https://ubuntu.com/security/CVE-2024-38662", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38662" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38662", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38662", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/000a65bf1dc04fb2b65e2abf116f0bc0fc2ee7b1", + "https://git.kernel.org/stable/c/11e8ecc5b86037fec43d07b1c162e233e131b1d9", + "https://git.kernel.org/stable/c/29467edc23818dc5a33042ffb4920b49b090e63d", + "https://git.kernel.org/stable/c/6693b172f008846811f48a099f33effc26068e1e", + "https://git.kernel.org/stable/c/98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d", + "https://git.kernel.org/stable/c/b81e1c5a3c70398cf76631ede63a03616ed1ba3c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Allow delete from sockmap/sockhash only if update is allowed\n\nWe have seen an influx of syzkaller reports where a BPF program attached to\na tracepoint triggers a locking rule violation by performing a map_delete\non a sockmap/sockhash.\n\nWe don't intend to support this artificial use scenario. Extend the\nexisting verifier allowed-program-type check for updating sockmap/sockhash\nto also cover deleting from a map.\n\nFrom now on only BPF programs which were previously allowed to update\nsockmap/sockhash can delete from these map types.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38662" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38667", + "dataSource": "https://ubuntu.com/security/CVE-2024-38667", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38667" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38667", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38667", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0c1f28c32a194303da630fca89481334b9547b80", + "https://git.kernel.org/stable/c/3090c06d50eaa91317f84bf3eac4c265e6cb8d44", + "https://git.kernel.org/stable/c/a638b0461b58aa3205cd9d5f14d6f703d795b4af", + "https://git.kernel.org/stable/c/ea22d4195cca13d5fdbc4d6555a2dfb8a7867a9e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: prevent pt_regs corruption for secondary idle threads\n\nTop of the kernel thread stack should be reserved for pt_regs. However\nthis is not the case for the idle threads of the secondary boot harts.\nTheir stacks overlap with their pt_regs, so both may get corrupted.\n\nSimilar issue has been fixed for the primary hart, see c7cdd96eca28\n(\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\").\nHowever that fix was not propagated to the secondary harts. The problem\nhas been noticed in some CPU hotplug tests with V enabled. The function\nsmp_callin stored several registers on stack, corrupting top of pt_regs\nstructure including status field. As a result, kernel attempted to save\nor restore inexistent V context.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38667" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-38780", + "dataSource": "https://ubuntu.com/security/CVE-2024-38780", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-38780" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-38780", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-38780", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/165b25e3ee9333f7b04f8db43895beacb51582ed", + "https://git.kernel.org/stable/c/1ff116f68560a25656933d5a18e7619cb6773d8a", + "https://git.kernel.org/stable/c/242b30466879e6defa521573c27e12018276c33a", + "https://git.kernel.org/stable/c/8a283cdfc8beeb14024387a925247b563d614e1e", + "https://git.kernel.org/stable/c/9d75fab2c14a25553a1664586ed122c316bd1878", + "https://git.kernel.org/stable/c/a4ee78244445ab73af22bfc5a5fc543963b25aef", + "https://git.kernel.org/stable/c/ae6fc4e6a3322f6d1c8ff59150d8469487a73dd8", + "https://git.kernel.org/stable/c/b794918961516f667b0c745aebdfebbb8a98df39" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\n\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\n\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-38780" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39276", + "dataSource": "https://ubuntu.com/security/CVE-2024-39276", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39276" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39276", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39276", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c0b4a49d3e7f49690a6827a41faeffad5df7e21", + "https://git.kernel.org/stable/c/681ff9a09accd8a4379f8bd30b7a1641ee19bb3e", + "https://git.kernel.org/stable/c/76dc776153a47372719d664e0fc50d6355791abb", + "https://git.kernel.org/stable/c/896a7e7d0d555ad8b2b46af0c2fa7de7467f9483", + "https://git.kernel.org/stable/c/9ad75e78747b5a50dc5a52f0f8e92e920a653f16", + "https://git.kernel.org/stable/c/a95df6f04f2c37291adf26a74205cde0314d4577", + "https://git.kernel.org/stable/c/b37c0edef4e66fb21a2fbc211471195a383e5ab8", + "https://git.kernel.org/stable/c/e941b712e758f615d311946bf98216e79145ccd9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()\n\nSyzbot reports a warning as follows:\n\n============================================\nWARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290\nModules linked in:\nCPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7\nRIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419\nCall Trace:\n \n ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375\n generic_shutdown_super+0x136/0x2d0 fs/super.c:641\n kill_block_super+0x44/0x90 fs/super.c:1675\n ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327\n[...]\n============================================\n\nThis is because when finding an entry in ext4_xattr_block_cache_find(), if\next4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown\nin the __entry_find(), won't be put away, and eventually trigger the above\nissue in mb_cache_destroy() due to reference count leakage.\n\nSo call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39276" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39277", + "dataSource": "https://ubuntu.com/security/CVE-2024-39277", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39277" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39277", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39277", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/50ee21bfc005e69f183d6b4b454e33f0c2571e1f", + "https://git.kernel.org/stable/c/5a91116b003175302f2e6ad94b76fb9b5a141a41", + "https://git.kernel.org/stable/c/8e1ba9df9a35e8dc64f657a64e523c79ba01e464", + "https://git.kernel.org/stable/c/b41b0018e8ca06e985e87220a618ec633988fd13", + "https://git.kernel.org/stable/c/e64746e74f717961250a155e14c156616fcd981f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: handle NUMA_NO_NODE correctly\n\ncpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()\nresulting in the following sanitizer report:\n\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\nindex -1 is out of range for type 'cpumask [64][1]'\nCPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117)\nubsan_epilogue (lib/ubsan.c:232)\n__ubsan_handle_out_of_bounds (lib/ubsan.c:429)\ncpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]\ndo_map_benchmark (kernel/dma/map_benchmark.c:104)\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:246)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nUse cpumask_of_node() in place when binding a kernel thread to a cpuset\nof a particular node.\n\nNote that the provided node id is checked inside map_benchmark_ioctl().\nIt's just a NUMA_NO_NODE case which is not handled properly later.\n\nFound by Linux Verification Center (linuxtesting.org).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39277" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39292", + "dataSource": "https://ubuntu.com/security/CVE-2024-39292", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39292" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39292", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39292", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0c02d425a2fbe52643a5859a779db0329e7dddd4", + "https://git.kernel.org/stable/c/31960d991e43c8d6dc07245f19fc13398e90ead2", + "https://git.kernel.org/stable/c/351d1a64544944b44732f6a64ed65573b00b9e14", + "https://git.kernel.org/stable/c/434a06c38ee1217a8baa0dd7c37cc85d50138fb0", + "https://git.kernel.org/stable/c/66ea9a7c6824821476914bed21a476cd20094f33", + "https://git.kernel.org/stable/c/73b8e21f76c7dda4905655d2e2c17dc5a73b87f1", + "https://git.kernel.org/stable/c/a0fbbd36c156b9f7b2276871d499c9943dfe5101", + "https://git.kernel.org/stable/c/dc1ff95602ee908fcd7d8acee7a0dadb61b1a0c0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\num: Add winch to winch_handlers before registering winch IRQ\n\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\nadded to the winch_handlers list.\n\nIf that happens, register_winch_irq() adds to that list a winch that is\nscheduled to be (or has already been) freed, causing a panic later in\nwinch_cleanup().\n\nAvoid the race by adding the winch to the winch_handlers list before\nregistering the IRQ, and rolling back if um_request_irq() fails.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-39292" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39293", + "dataSource": "https://ubuntu.com/security/CVE-2024-39293", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39293" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39293", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39293", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5", + "https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"xsk: Support redirect to any socket bound to the same umem\"\n\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\n\nThis patch introduced a potential kernel crash when multiple napi instances\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\npossible for multiple napi instances to access the Rx ring at the same time,\nwhich will result in a corrupted ring state which can lead to a crash when\nflushing the rings in __xsk_flush(). This can happen when the linked list of\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\nis not possible, so let us revert this for now.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39293" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39298", + "dataSource": "https://ubuntu.com/security/CVE-2024-39298", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39298" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39298", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39298", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00b0752c7f15dfdf129cacc6a27d61c54141182b", + "https://git.kernel.org/stable/c/41cd2de3c95020b7f86a3cb5fab42fbf454a63bd", + "https://git.kernel.org/stable/c/8cf360b9d6a840700e06864236a01a883b34bbad", + "https://git.kernel.org/stable/c/bb9bb13ce64cc7cae47f5e2ab9ce93b7bfa0117e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix handling of dissolved but not taken off from buddy pages\n\nWhen I did memory failure tests recently, below panic occurs:\n\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\nraw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000\npage dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))\n------------[ cut here ]------------\nkernel BUG at include/linux/page-flags.h:1009!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:__del_page_from_free_list+0x151/0x180\nRSP: 0018:ffffa49c90437998 EFLAGS: 00000046\nRAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0\nRBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69\nR10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80\nR13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009\nFS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0\nCall Trace:\n \n __rmqueue_pcplist+0x23b/0x520\n get_page_from_freelist+0x26b/0xe40\n __alloc_pages_noprof+0x113/0x1120\n __folio_alloc_noprof+0x11/0xb0\n alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130\n __alloc_fresh_hugetlb_folio+0xe7/0x140\n alloc_pool_huge_folio+0x68/0x100\n set_max_huge_pages+0x13d/0x340\n hugetlb_sysctl_handler_common+0xe8/0x110\n proc_sys_call_handler+0x194/0x280\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff916114887\nRSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887\nRDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003\nRBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0\nR10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004\nR13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00\n \nModules linked in: mce_inject hwpoison_inject\n---[ end trace 0000000000000000 ]---\n\nAnd before the panic, there had an warning about bad page state:\n\nBUG: Bad page state in process page-types pfn:8cee00\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\npage_type: 0xffffff7f(buddy)\nraw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000\npage dumped because: nonzero mapcount\nModules linked in: mce_inject hwpoison_inject\nCPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22\nCall Trace:\n \n dump_stack_lvl+0x83/0xa0\n bad_page+0x63/0xf0\n free_unref_page+0x36e/0x5c0\n unpoison_memory+0x50b/0x630\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xcd/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f189a514887\nRSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887\nRDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003\nRBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8\nR13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040\n \n\nThe root cause should be the below race:\n\n memory_failure\n try_memory_failure_hugetlb\n me_huge_page\n __page_handle_poison\n dissolve_free_hugetlb_folio\n drain_all_pages -- Buddy page can be isolated e.g. for compaction.\n take_page_off_buddy -- Failed as page is not in the \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39298" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39301", + "dataSource": "https://ubuntu.com/security/CVE-2024-39301", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39301" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39301", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39301", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/124947855564572713d705a13be7d0c9dae16a17", + "https://git.kernel.org/stable/c/2101901dd58c6da4924bc5efb217a1d83436290b", + "https://git.kernel.org/stable/c/25460d6f39024cc3b8241b14c7ccf0d6f11a736a", + "https://git.kernel.org/stable/c/6c1791130b781c843572fb6391c4a4c5d857ab17", + "https://git.kernel.org/stable/c/72c5d8e416ecc46af370a1340b3db5ff0b0cc867", + "https://git.kernel.org/stable/c/89969ffbeb948ffc159d19252e7469490103011b", + "https://git.kernel.org/stable/c/ca71f204711ad24113e8b344dc5bb8b0385f5672", + "https://git.kernel.org/stable/c/fe5c604053c36c62af24eee8a76407d026ea5163" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix uninit-value in p9_client_rpc()\n\nSyzbot with the help of KMSAN reported the following error:\n\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\n\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39301" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39362", + "dataSource": "https://ubuntu.com/security/CVE-2024-39362", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39362" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39362", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39362", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39362" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39463", + "dataSource": "https://ubuntu.com/security/CVE-2024-39463", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39463" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39463", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39463", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409", + "https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456", + "https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5", + "https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: add missing locking around taking dentry fid list\n\nFix a use-after-free on dentry's d_fsdata fid list when a thread\nlooks up a fid through dentry while another thread unlinks it:\n\nUAF thread:\nrefcount_t: addition on 0; use-after-free.\n p9_fid_get linux/./include/net/9p/client.h:262\n v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129\n v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181\n v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314\n v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400\n vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248\n\nFreed by:\n p9_fid_destroy (inlined)\n p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456\n p9_fid_put linux/./include/net/9p/client.h:278\n v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55\n v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518\n vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335\n\nThe problem is that d_fsdata was not accessed under d_lock, because\nd_release() normally is only called once the dentry is otherwise no\nlonger accessible but since we also call it explicitly in v9fs_remove\nthat lock is required:\nmove the hlist out of the dentry under lock then unref its fids once\nthey are no longer accessible.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39463" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39466", + "dataSource": "https://ubuntu.com/security/CVE-2024-39466", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39466" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39466", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39466", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0a47ba94ec3d8f782b33e3d970cfcb769b962464", + "https://git.kernel.org/stable/c/2226b145afa5e13cb60dbe77fb20fb0666a1caf3", + "https://git.kernel.org/stable/c/560d69c975072974c11434ca6953891e74c1a665", + "https://git.kernel.org/stable/c/aa1a0807b4a76b44fb6b58a7e9087cd4b18ab41b", + "https://git.kernel.org/stable/c/d9d3490c48df572edefc0b64655259eefdcbb9be" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/qcom/lmh: Check for SCM availability at probe\n\nUp until now, the necessary scm availability check has not been\nperformed, leading to possible null pointer dereferences (which did\nhappen for me on RB1).\n\nFix that.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39466" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39467", + "dataSource": "https://ubuntu.com/security/CVE-2024-39467", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39467" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39467", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39467", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1640dcf383cdba52be8b28d2a1a2aa7ef7a30c98", + "https://git.kernel.org/stable/c/20faaf30e55522bba2b56d9c46689233205d7717", + "https://git.kernel.org/stable/c/68e3cd4ecb8603936cccdc338929130045df2e57", + "https://git.kernel.org/stable/c/75c87e2ac6149abf44bdde0dd6d541763ddb0dff", + "https://git.kernel.org/stable/c/8c8aa473fe6eb46a4bf99f3ea2dbe52bf0c1a1f0", + "https://git.kernel.org/stable/c/be0155202e431f3007778568a72432c68f8946ba", + "https://git.kernel.org/stable/c/c559a8d840562fbfce9f318448dda2f7d3e6d8e8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\n\nsyzbot reports a kernel bug as below:\n\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\n\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39467" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39468", + "dataSource": "https://ubuntu.com/security/CVE-2024-39468", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39468" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39468", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39468", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02c418774f76a0a36a6195c9dbf8971eb4130a15", + "https://git.kernel.org/stable/c/21f5dd36e655d25a7b45b61c1e537198b671f720", + "https://git.kernel.org/stable/c/225de871ddf994f69a57f035709cad9c0ab8615a", + "https://git.kernel.org/stable/c/8d0f5f1ccf675454a833a573c53830a49b7d1a47", + "https://git.kernel.org/stable/c/b055752675cd1d1db4ac9c2750db3dc3e89ea261", + "https://git.kernel.org/stable/c/b09b556e48968317887a11243a5331a7bc00ece5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix deadlock in smb2_find_smb_tcon()\n\nUnlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such\ndeadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39468" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39469", + "dataSource": "https://ubuntu.com/security/CVE-2024-39469", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39469" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39469", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39469", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/11a2edb70356a2202dcb7c9c189c8356ab4752cd", + "https://git.kernel.org/stable/c/129dcd3e7d036218db3f59c82d82004b9539ed82", + "https://git.kernel.org/stable/c/2ac8a2fe22bdde9eecce2a42cf5cab79333fb428", + "https://git.kernel.org/stable/c/405b71f1251e5ae865f53bd27c45114e6c83bee3", + "https://git.kernel.org/stable/c/59f14875a96ef93f05b82ad3c980605f2cb444b5", + "https://git.kernel.org/stable/c/7373a51e7998b508af7136530f3a997b286ce81c", + "https://git.kernel.org/stable/c/c77ad608df6c091fe64ecb91f41ef7cb465587f1", + "https://git.kernel.org/stable/c/d18b05eda7fa77f02114f15b02c009f28ee42346" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors\n\nThe error handling in nilfs_empty_dir() when a directory folio/page read\nfails is incorrect, as in the old ext2 implementation, and if the\nfolio/page cannot be read or nilfs_check_folio() fails, it will falsely\ndetermine the directory as empty and corrupt the file system.\n\nIn addition, since nilfs_empty_dir() does not immediately return on a\nfailed folio/page read, but continues to loop, this can cause a long loop\nwith I/O if i_size of the directory's inode is also corrupted, causing the\nlog writer thread to wait and hang, as reported by syzbot.\n\nFix these issues by making nilfs_empty_dir() immediately return a false\nvalue (0) if it fails to get a directory folio/page.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39469" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39471", + "dataSource": "https://ubuntu.com/security/CVE-2024-39471", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39471" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39471", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39471", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/011552f29f20842c9a7a21bffe1f6a2d6457ba46", + "https://git.kernel.org/stable/c/0964c84b93db7fbf74f357c1e20957850e092db3", + "https://git.kernel.org/stable/c/5594971e02764aa1c8210ffb838cb4e7897716e8", + "https://git.kernel.org/stable/c/5b0a3dc3e87821acb80e841b464d335aff242691", + "https://git.kernel.org/stable/c/8112fa72b7f139052843ff484130d6f97e9f052f", + "https://git.kernel.org/stable/c/8b2faf1a4f3b6c748c0da36cda865a226534d520", + "https://git.kernel.org/stable/c/ea906e9ac61e3152bef63597f2d9f4a812fc346a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add error handle to avoid out-of-bounds\n\nif the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should\nbe stop to avoid out-of-bounds read, so directly return -EINVAL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39471" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39472", + "dataSource": "https://ubuntu.com/security/CVE-2024-39472", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39472" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39472", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39472", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/45cf976008ddef4a9c9a30310c9b4fb2a9a6602a", + "https://git.kernel.org/stable/c/57835c0e7152e36b03875dd6c56dfeed685c1b1f", + "https://git.kernel.org/stable/c/c2389c074973aa94e34992e7f66dac0de37595b5", + "https://git.kernel.org/stable/c/f754591b17d0ee91c2b45fe9509d0cdc420527cb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix log recovery buffer allocation for the legacy h_size fixup\n\nCommit a70f9fe52daa (\"xfs: detect and handle invalid iclog size set by\nmkfs\") added a fixup for incorrect h_size values used for the initial\numount record in old xfsprogs versions. Later commit 0c771b99d6c9\n(\"xfs: clean up calculation of LR header blocks\") cleaned up the log\nreover buffer calculation, but stoped using the fixed up h_size value\nto size the log recovery buffer, which can lead to an out of bounds\naccess when the incorrect h_size does not come from the old mkfs\ntool, but a fuzzer.\n\nFix this by open coding xlog_logrec_hblks and taking the fixed h_size\ninto account for this calculation.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39472" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39475", + "dataSource": "https://ubuntu.com/security/CVE-2024-39475", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39475" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39475", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39475", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/32f92b0078ebf79dbe4827288e0acb50d89d3d5b", + "https://git.kernel.org/stable/c/4b2c67e30b4e1d2ae19dba8b8e8f3b5fd3cf8089", + "https://git.kernel.org/stable/c/5f446859bfa46df0ffb34149499f48a2c2d8cd95", + "https://git.kernel.org/stable/c/6ad959b6703e2c4c5d7af03b4cfd5ff608036339", + "https://git.kernel.org/stable/c/86435f39c18967cdd937d7a49ba539cdea7fb547", + "https://git.kernel.org/stable/c/b8385ff814ca4cb7e63789841e6ec2a14c73e1e8", + "https://git.kernel.org/stable/c/be754cbd77eaf2932408a4e18532e4945274a5c7", + "https://git.kernel.org/stable/c/edaa57480b876e8203b51df7c3d14a51ea6b09e3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Handle err return when savagefb_check_var failed\n\nThe commit 04e5eac8f3ab(\"fbdev: savage: Error out if pixclock equals zero\")\nchecks the value of pixclock to avoid divide-by-zero error. However\nthe function savagefb_probe doesn't handle the error return of\nsavagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39475" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39476", + "dataSource": "https://ubuntu.com/security/CVE-2024-39476", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39476" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39476", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39476", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/098d54934814dd876963abfe751c3b1cf7fbe56a", + "https://git.kernel.org/stable/c/151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa", + "https://git.kernel.org/stable/c/3f8d5e802d4cedd445f9a89be8c3fd2d0e99024b", + "https://git.kernel.org/stable/c/634ba3c97ec413cb10681c7b196db43ee461ecf4", + "https://git.kernel.org/stable/c/aa64464c8f4d2ab92f6d0b959a1e0767b829d787", + "https://git.kernel.org/stable/c/b32aa95843cac6b12c2c014d40fca18aef24a347", + "https://git.kernel.org/stable/c/cd2538e5af495b3c747e503db346470fc1ffc447", + "https://git.kernel.org/stable/c/e332a12f65d8fed8cf63bedb4e9317bb872b9ac7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING\n\nXiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with\nsmall possibility, the root cause is exactly the same as commit\nbed9e27baf52 (\"Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"\")\n\nHowever, Dan reported another hang after that, and junxiao investigated\nthe problem and found out that this is caused by plugged bio can't issue\nfrom raid5d().\n\nCurrent implementation in raid5d() has a weird dependence:\n\n1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear\n MD_SB_CHANGE_PENDING;\n2) raid5d() handles IO in a deadloop, until all IO are issued;\n3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;\n\nThis behaviour is introduce before v2.6, and for consequence, if other\ncontext hold 'reconfig_mutex', and md_check_recovery() can't update\nsuper_block, then raid5d() will waste one cpu 100% by the deadloop, until\n'reconfig_mutex' is released.\n\nRefer to the implementation from raid1 and raid10, fix this problem by\nskipping issue IO if MD_SB_CHANGE_PENDING is still set after\nmd_check_recovery(), daemon thread will be woken up when 'reconfig_mutex'\nis released. Meanwhile, the hang problem will be fixed as well.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39476" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39480", + "dataSource": "https://ubuntu.com/security/CVE-2024-39480", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39480" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39480", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39480", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/107e825cc448b7834b31e8b1b3cf0f57426d46d5", + "https://git.kernel.org/stable/c/33d9c814652b971461d1e30bead6792851c209e7", + "https://git.kernel.org/stable/c/cfdc2fa4db57503bc6d3817240547c8ddc55fa96", + "https://git.kernel.org/stable/c/ddd2972d8e2dee3b33e8121669d55def59f0be8a", + "https://git.kernel.org/stable/c/e9730744bf3af04cda23799029342aa3cddbc454", + "https://git.kernel.org/stable/c/f636a40834d22e5e3fc748f060211879c056cd33", + "https://git.kernel.org/stable/c/f694da720dcf795dc3eb97bf76d220213f76aaa7", + "https://git.kernel.org/stable/c/fb824a99e148ff272a53d71d84122728b5f00992" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkdb: Fix buffer overflow during tab-complete\n\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\n\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39480" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39482", + "dataSource": "https://ubuntu.com/security/CVE-2024-39482", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39482" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39482", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39482", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671", + "https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b", + "https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31", + "https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023", + "https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148", + "https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix variable length array abuse in btree_iter\n\nbtree_iter is used in two ways: either allocated on the stack with a\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\nspecific cache set. Previously, the struct had a fixed-length array of\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\niterators, which causes UBSAN to complain.\n\nThis patch uses the same approach as in bcachefs's sort_iter and splits\nthe iterator into a btree_iter with a flexible array member and a\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\ndata array.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39482" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39484", + "dataSource": "https://ubuntu.com/security/CVE-2024-39484", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39484" + ], + "cvss": [], + "fix": { + "versions": [ + "5.15.0-119.129" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39484", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39484", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1d5ed0efe51d36b9ae9b64f133bf41cdbf56f584", + "https://git.kernel.org/stable/c/55c421b364482b61c4c45313a535e61ed5ae4ea3", + "https://git.kernel.org/stable/c/5ee241f72edc6dce5051a5f100eab6cc019d873e", + "https://git.kernel.org/stable/c/6ff7cfa02baabec907f6f29ea76634e6256d2ec4", + "https://git.kernel.org/stable/c/7590da4c04dd4aa9c262da0231e978263861c6eb", + "https://git.kernel.org/stable/c/aea35157bb9b825faa0432bd0f7fbea37ff39aa1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: davinci: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback being\ndiscarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.\nusing sysfs or hotplug), the driver is just removed without the cleanup\nbeing performed. This results in resource leaks. Fix it by compiling in the\nremove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\nWARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in\nreference: davinci_mmcsd_driver+0x10 (section: .data) ->\ndavinci_mmcsd_remove (section: .exit.text)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "< 5.15.0-119.129 (deb)", + "vulnerabilityID": "CVE-2024-39484" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39487", + "dataSource": "https://ubuntu.com/security/CVE-2024-39487", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39487" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39487", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39487", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/6a8a4fd082c439e19fede027e80c79bc4c84bb8e", + "https://git.kernel.org/stable/c/6b21346b399fd1336fe59233a17eb5ce73041ee1", + "https://git.kernel.org/stable/c/707c85ba3527ad6aa25552033576b0f1ff835d7b", + "https://git.kernel.org/stable/c/9f835e48bd4c75fdf6a9cff3f0b806a7abde78da", + "https://git.kernel.org/stable/c/b75e33eae8667084bd4a63e67657c6a5a0f8d1e8", + "https://git.kernel.org/stable/c/bfd14e5915c2669f292a31d028e75dcd82f1e7e9", + "https://git.kernel.org/stable/c/c8eb8ab9a44ff0e73492d0a12a643c449f641a9f", + "https://git.kernel.org/stable/c/e271ff53807e8f2c628758290f0e499dbe51cb3d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\n\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\n\nFix it by adding a check of string length before using it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.8, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39487" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39488", + "dataSource": "https://ubuntu.com/security/CVE-2024-39488", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39488" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39488", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39488", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/22469a0335a1a1a690349b58bcb55822457df81e", + "https://git.kernel.org/stable/c/3fd487ffaa697ddb05af78a75aaaddabe71c52b0", + "https://git.kernel.org/stable/c/461a760d578b2b2c2faac3040b6b7c77baf128f8", + "https://git.kernel.org/stable/c/9f2ad88f9b349554f64e4037ec185c84d7dd9c7d", + "https://git.kernel.org/stable/c/c1929c041a262a4a27265db8dce3619c92aa678c", + "https://git.kernel.org/stable/c/c27a2f7668e215c1ebbccd96fab27a220a93f1f7", + "https://git.kernel.org/stable/c/f221bd58db0f6ca087ac0392284f6bce21f4f8ea", + "https://git.kernel.org/stable/c/ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\n\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\n\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tsigned int file_disp;\t// 4 bytes\n\t\tunsigned short line;\t\t// 2 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t}\n\n... with 12 bytes total, requiring 4-byte alignment.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\n\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\n\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\n\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\n\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\n\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\n\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\n\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\n\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\n\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\n\nConsequently module_find_bug() will miss the last bug_entry when it does:\n\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\n\n... which can lead to a kenrel panic due to an unhandled bug.\n\nThis can be demonstrated with the following module:\n\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\n\n\tstatic void __exit bugexit(void)\n\t{\n\t}\n\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\n\n... which will trigger a kernel panic when loaded:\n\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39488" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39489", + "dataSource": "https://ubuntu.com/security/CVE-2024-39489", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39489" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39489", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39489", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0e44d6cbe8de983470c3d2f978649783384fdcb6", + "https://git.kernel.org/stable/c/4a3fcf53725b70010d1cf869a2ba549fed6b8fb3", + "https://git.kernel.org/stable/c/599a5654215092ac22bfc453f4fd3959c55ea821", + "https://git.kernel.org/stable/c/61d31ac85b4572d11f8071855c0ccb4f32d76c0c", + "https://git.kernel.org/stable/c/afd5730969aec960a2fee4e5ee839a6014643976", + "https://git.kernel.org/stable/c/daf341e0a2318b813427d5a78788c86f4a7f02be", + "https://git.kernel.org/stable/c/efb9f4f19f8e37fde43dfecebc80292d179f56c6", + "https://git.kernel.org/stable/c/f6a99ef4e056c20a138a95cc51332b2b96c8f383" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix memleak in seg6_hmac_init_algo\n\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\n\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39489" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39490", + "dataSource": "https://ubuntu.com/security/CVE-2024-39490", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39490" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39490", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39490", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5447f9708d9e4c17a647b16a9cb29e9e02820bd9", + "https://git.kernel.org/stable/c/8f1fc3b86eaea70be6abcae2e9aa7e7b99453864", + "https://git.kernel.org/stable/c/e8688218e38111ace457509d8f0cad75f79c1a7a", + "https://git.kernel.org/stable/c/f4df8c7670a73752201cbde215254598efdf6ce8", + "https://git.kernel.org/stable/c/f5fec1588642e415a3d72e02140160661b303940" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix missing sk_buff release in seg6_input_core\n\nThe seg6_input() function is responsible for adding the SRH into a\npacket, delegating the operation to the seg6_input_core(). This function\nuses the skb_cow_head() to ensure that there is sufficient headroom in\nthe sk_buff for accommodating the link-layer header.\nIn the event that the skb_cow_header() function fails, the\nseg6_input_core() catches the error but it does not release the sk_buff,\nwhich will result in a memory leak.\n\nThis issue was introduced in commit af3b5158b89d (\"ipv6: sr: fix BUG due\nto headroom too small after SRH push\") and persists even after commit\n7a3f5b0de364 (\"netfilter: add netfilter hooks to SRv6 data plane\"),\nwhere the entire seg6_input() code was refactored to deal with netfilter\nhooks.\n\nThe proposed patch addresses the identified memory leak by requiring the\nseg6_input_core() function to release the sk_buff in the event that\nskb_cow_head() fails.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39490" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39493", + "dataSource": "https://ubuntu.com/security/CVE-2024-39493", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39493" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39493", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39493", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0ce5964b82f212f4df6a9813f09a0b5de15bd9c8", + "https://git.kernel.org/stable/c/3fb4601e0db10d4fe25e46f3fa308d40d37366bd", + "https://git.kernel.org/stable/c/6396b33e98c096bff9c253ed49c008247963492a", + "https://git.kernel.org/stable/c/a718b6d2a329e069b27d9049a71be5931e71d960", + "https://git.kernel.org/stable/c/c2d443aa1ae3175c13a665f3a24b8acd759ce9c3", + "https://git.kernel.org/stable/c/d0fd124972724cce0d48b9865ce3e273ef69e246", + "https://git.kernel.org/stable/c/d3b17c6d9dddc2db3670bc9be628b122416a3d26", + "https://git.kernel.org/stable/c/e7428e7e3fe94a5089dc12ffe5bc31574d2315ad" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - Fix ADF_DEV_RESET_SYNC memory leak\n\nUsing completion_done to determine whether the caller has gone\naway only works after a complete call. Furthermore it's still\npossible that the caller has not yet called wait_for_completion,\nresulting in another potential UAF.\n\nFix this by making the caller use cancel_work_sync and then freeing\nthe memory safely.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39493" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39494", + "dataSource": "https://ubuntu.com/security/CVE-2024-39494", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39494" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39494", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39494", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4", + "https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c", + "https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de", + "https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix use-after-free on a dentry's dname.name\n\n->d_name.name can change on rename and the earlier value can be freed;\nthere are conditions sufficient to stabilize it (->d_lock on dentry,\n->d_lock on its parent, ->i_rwsem exclusive on the parent's inode,\nrename_lock), but none of those are met at any of the sites. Take a stable\nsnapshot of the name instead.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39494" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39495", + "dataSource": "https://ubuntu.com/security/CVE-2024-39495", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39495" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39495", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39495", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445", + "https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea", + "https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83", + "https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce", + "https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201", + "https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc", + "https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: Fix use-after-free bug in gb_interface_release due to race condition.\n\nIn gb_interface_create, &intf->mode_switch_completion is bound with\ngb_interface_mode_switch_work. Then it will be started by\ngb_interface_request_mode_switch. Here is the relevant code.\nif (!queue_work(system_long_wq, &intf->mode_switch_work)) {\n\t...\n}\n\nIf we call gb_interface_release to make cleanup, there may be an\nunfinished work. This function will call kfree to free the object\n\"intf\". However, if gb_interface_mode_switch_work is scheduled to\nrun after kfree, it may cause use-after-free error as\ngb_interface_mode_switch_work will use the object \"intf\".\nThe possible execution flow that may lead to the issue is as follows:\n\nCPU0 CPU1\n\n | gb_interface_create\n | gb_interface_request_mode_switch\ngb_interface_release |\nkfree(intf) (free) |\n | gb_interface_mode_switch_work\n | mutex_lock(&intf->mutex) (use)\n\nFix it by canceling the work before kfree.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39495" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39496", + "dataSource": "https://ubuntu.com/security/CVE-2024-39496", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39496" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39496", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39496", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9", + "https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6", + "https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43", + "https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free due to race with dev replace\n\nWhile loading a zone's info during creation of a block group, we can race\nwith a device replace operation and then trigger a use-after-free on the\ndevice that was just replaced (source device of the replace operation).\n\nThis happens because at btrfs_load_zone_info() we extract a device from\nthe chunk map into a local variable and then use the device while not\nunder the protection of the device replace rwsem. So if there's a device\nreplace operation happening when we extract the device and that device\nis the source of the replace operation, we will trigger a use-after-free\nif before we finish using the device the replace operation finishes and\nfrees the device.\n\nFix this by enlarging the critical section under the protection of the\ndevice replace rwsem so that all uses of the device are done inside the\ncritical section.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39496" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39497", + "dataSource": "https://ubuntu.com/security/CVE-2024-39497", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39497" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39497", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39497", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03c71c42809ef4b17f5d874cdb2d3bf40e847b86", + "https://git.kernel.org/stable/c/1b4a8b89bf6787090b56424d269bf84ba00c3263", + "https://git.kernel.org/stable/c/39bc27bd688066a63e56f7f64ad34fae03fbe3b8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)\n\nLack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap\nallows users to call mmap with PROT_WRITE and MAP_PRIVATE flag\ncausing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:\nBUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));\n\nReturn -EINVAL early if COW mapping is detected.\n\nThis bug affects all drm drivers using default shmem helpers.\nIt can be reproduced by this simple example:\nvoid *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);\nptr[0] = 0;", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39497" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39499", + "dataSource": "https://ubuntu.com/security/CVE-2024-39499", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39499" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39499", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39499", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/58730dfbd4ae01c1b022b0d234a8bf8c02cdfb81", + "https://git.kernel.org/stable/c/681967c4ff210e06380acf9b9a1b33ae06e77cbd", + "https://git.kernel.org/stable/c/757804e1c599af5d2a7f864c8e8b2842406ff4bb", + "https://git.kernel.org/stable/c/8003f00d895310d409b2bf9ef907c56b42a4e0f4", + "https://git.kernel.org/stable/c/95ac3e773a1f8da83c4710a720fbfe80055aafae", + "https://git.kernel.org/stable/c/95bac1c8bedb362374ea1937b1d3e833e01174ee", + "https://git.kernel.org/stable/c/e293c6b38ac9029d76ff0d2a6b2d74131709a9a8", + "https://git.kernel.org/stable/c/f70ff737346744633e7b655c1fb23e1578491ff3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci: prevent speculation leaks by sanitizing event in event_deliver()\n\nCoverity spotted that event_msg is controlled by user-space,\nevent_msg->event_data.event is passed to event_deliver() and used\nas an index without sanitization.\n\nThis change ensures that the event index is sanitized to mitigate any\npossibility of speculative information leaks.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.\n\nOnly compile tested, no access to HW.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39499" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39500", + "dataSource": "https://ubuntu.com/security/CVE-2024-39500", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39500" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39500", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39500", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3627605de498639a3c586c8684d12c89cba11073", + "https://git.kernel.org/stable/c/4959ffc65a0e94f8acaac20deac49f89e6ded52d", + "https://git.kernel.org/stable/c/4b4647add7d3c8530493f7247d11e257ee425bf0", + "https://git.kernel.org/stable/c/5eabdf17fed2ad41b836bb4055ec36d95e512c50", + "https://git.kernel.org/stable/c/e946428439a0d2079959f5603256ac51b6047017" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: avoid race between sock_map_close and sk_psock_put\n\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\nwill happen when the last call of sk_psock_put is done. However,\nsk_psock_drop may not have finished yet, so the close callback will still\npoint to sock_map_close despite psock being NULL.\n\nThis can be reproduced with a thread deleting an element from the sock map,\nwhile the second one creates a socket, adds it to the map and closes it.\n\nThat will trigger the WARN_ON_ONCE:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nModules linked in:\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\nFS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\nCall Trace:\n \n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbe/0x240 net/socket.c:1421\n __fput+0x42b/0x8a0 fs/file_table.c:422\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close fs/open.c:1541 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb37d618070\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \n\nUse sk_psock, which will only check that the pointer is not been set to\nNULL yet, which should only happen after the callbacks are restored. If,\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\npsock->work.\n\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\nless convoluted.\n\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\nanymore.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39500" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39501", + "dataSource": "https://ubuntu.com/security/CVE-2024-39501", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39501" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39501", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39501", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08891eeaa97c079b7f95d60b62dcf0e3ce034b69", + "https://git.kernel.org/stable/c/13d25e82b6d00d743c7961dcb260329f86bedf7c", + "https://git.kernel.org/stable/c/760603e30bf19d7b4c28e9d81f18b54fa3b745ad", + "https://git.kernel.org/stable/c/95d03d369ea647b89e950667f1c3363ea6f564e6", + "https://git.kernel.org/stable/c/a42b0060d6ff2f7e59290a26d5f162a3c6329b90", + "https://git.kernel.org/stable/c/bb3641a5831789d83a58a39ed4a928bcbece7080", + "https://git.kernel.org/stable/c/c0a40097f0bc81deafc15f9195d1fb54595cd6d0", + "https://git.kernel.org/stable/c/ec772ed7cb21b46fb132f89241682553efd0b721" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: core: synchronize really_probe() and dev_uevent()\n\nSynchronize the dev->driver usage in really_probe() and dev_uevent().\nThese can run in different threads, what can result in the following\nrace condition for dev->driver uninitialization:\n\nThread #1:\n==========\n\nreally_probe() {\n...\nprobe_failed:\n...\ndevice_unbind_cleanup(dev) {\n ...\n dev->driver = NULL; // <= Failed probe sets dev->driver to NULL\n ...\n }\n...\n}\n\nThread #2:\n==========\n\ndev_uevent() {\n...\nif (dev->driver)\n // If dev->driver is NULLed from really_probe() from here on,\n // after above check, the system crashes\n add_uevent_var(env, \"DRIVER=%s\", dev->driver->name);\n...\n}\n\nreally_probe() holds the lock, already. So nothing needs to be done\nthere. dev_uevent() is called with lock held, often, too. But not\nalways. What implies that we can't add any locking in dev_uevent()\nitself. So fix this race by adding the lock to the non-protected\npath. This is the path where above race is observed:\n\n dev_uevent+0x235/0x380\n uevent_show+0x10c/0x1f0 <= Add lock here\n dev_attr_show+0x3a/0xa0\n sysfs_kf_seq_show+0x17c/0x250\n kernfs_seq_show+0x7c/0x90\n seq_read_iter+0x2d7/0x940\n kernfs_fop_read_iter+0xc6/0x310\n vfs_read+0x5bc/0x6b0\n ksys_read+0xeb/0x1b0\n __x64_sys_read+0x42/0x50\n x64_sys_call+0x27ad/0x2d30\n do_syscall_64+0xcd/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nSimilar cases are reported by syzkaller in\n\nhttps://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a\n\nBut these are regarding the *initialization* of dev->driver\n\ndev->driver = drv;\n\nAs this switches dev->driver to non-NULL these reports can be considered\nto be false-positives (which should be \"fixed\" by this commit, as well,\nthough).\n\nThe same issue was reported and tried to be fixed back in 2015 in\n\nhttps://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/\n\nalready.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39501" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39502", + "dataSource": "https://ubuntu.com/security/CVE-2024-39502", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39502" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39502", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39502", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7", + "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5", + "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84", + "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13", + "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e", + "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e", + "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n ethtool -L rx 1 tx 1 combined 0\n ethtool -L rx 0 tx 0 combined 1\n ethtool -L rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39502" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39503", + "dataSource": "https://ubuntu.com/security/CVE-2024-39503", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39503" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39503", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39503", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f1bb77c6d837c9513943bc7c08f04c5cc5c6568", + "https://git.kernel.org/stable/c/2ba35b37f780c6410bb4bba9c3072596d8576702", + "https://git.kernel.org/stable/c/390b353d1a1da3e9c6c0fd14fe650d69063c95d6", + "https://git.kernel.org/stable/c/4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10", + "https://git.kernel.org/stable/c/90ae20d47de602198eb69e6cd7a3db3420abfc08", + "https://git.kernel.org/stable/c/93b53c202b51a69e42ca57f5a183f7e008e19f83", + "https://git.kernel.org/stable/c/c0761d1f1ce1d5b85b5e82bbb714df12de1aa8c3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Fix race between namespace cleanup and gc in the list:set type\n\nLion Ackermann reported that there is a race condition between namespace cleanup\nin ipset and the garbage collection of the list:set type. The namespace\ncleanup can destroy the list:set type of sets while the gc of the set type is\nwaiting to run in rcu cleanup. The latter uses data from the destroyed set which\nthus leads use after free. The patch contains the following parts:\n\n- When destroying all sets, first remove the garbage collectors, then wait\n if needed and then destroy the sets.\n- Fix the badly ordered \"wait then remove gc\" for the destroy a single set\n case.\n- Fix the missing rcu locking in the list:set type in the userspace test\n case.\n- Use proper RCU list handlings in the list:set type.\n\nThe patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39503" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39505", + "dataSource": "https://ubuntu.com/security/CVE-2024-39505", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39505" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39505", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39505", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0674ed1e58e2fdcc155e7d944f8aad007a94ac69", + "https://git.kernel.org/stable/c/3b1cf943b029c147bfacfd53dc28ffa632c0a622", + "https://git.kernel.org/stable/c/86042e3d16b7e0686db835c9e7af0f9044dd3a56", + "https://git.kernel.org/stable/c/9460961d82134ceda7377b77a3e3e3531b625dfe", + "https://git.kernel.org/stable/c/99392c98b9be0523fe76944b2264b1847512ad23", + "https://git.kernel.org/stable/c/b880018edd3a577e50366338194dee9b899947e0", + "https://git.kernel.org/stable/c/bda7cdaeebf57e46c1a488ae7a15f6f264691f59" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/komeda: check for error-valued pointer\n\nkomeda_pipeline_get_state() may return an error-valued pointer, thus\ncheck the pointer for negative or null value before dereferencing.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39505" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39506", + "dataSource": "https://ubuntu.com/security/CVE-2024-39506", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39506" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39506", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39506", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/87d6bdc006f0cbf297a3b2ad6e40ede4c3ee5dc2", + "https://git.kernel.org/stable/c/a6f4d0ec170a46b5f453cacf55dff5989b42bbfa", + "https://git.kernel.org/stable/c/a86490a3712cc513113440a606a0e77130abd47c", + "https://git.kernel.org/stable/c/c44711b78608c98a3e6b49ce91678cd0917d5349", + "https://git.kernel.org/stable/c/cbf18d8128a753cb632bef39470d19befd9c7347", + "https://git.kernel.org/stable/c/dcc7440f32c7a26b067aff6e7d931ec593024a79", + "https://git.kernel.org/stable/c/f1ab15a09492a5ae8ab1e2c35ba2cf9e150d25ee", + "https://git.kernel.org/stable/c/fd2b613bc4c508e55c1221c6595bb889812a4fea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nliquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet\n\nIn lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,\nbut then it is unconditionally passed to skb_add_rx_frag() which looks\nstrange and could lead to null pointer dereference.\n\nlio_vf_rep_copy_packet() call trace looks like:\n\tocteon_droq_process_packets\n\t octeon_droq_fast_process_packets\n\t octeon_droq_dispatch_pkt\n\t octeon_create_recv_info\n\t ...search in the dispatch_list...\n\t ->disp_fn(rdisp->rinfo, ...)\n\t lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)\nIn this path there is no code which sets pg_info->page to NULL.\nSo this check looks unneeded and doesn't solve potential problem.\nBut I guess the author had reason to add a check and I have no such card\nand can't do real test.\nIn addition, the code in the function liquidio_push_packet() in\nliquidio/lio_core.c does exactly the same.\n\nBased on this, I consider the most acceptable compromise solution to\nadjust this issue by moving skb_add_rx_frag() into conditional scope.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39506" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39507", + "dataSource": "https://ubuntu.com/security/CVE-2024-39507", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39507" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39507", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39507", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4", + "https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48", + "https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa", + "https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63", + "https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash problem in concurrent scenario\n\nWhen link status change, the nic driver need to notify the roce\ndriver to handle this event, but at this time, the roce driver\nmay uninit, then cause kernel crash.\n\nTo fix the problem, when link status change, need to check\nwhether the roce registered, and when uninit, need to wait link\nupdate finish.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39507" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39508", + "dataSource": "https://ubuntu.com/security/CVE-2024-39508", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39508" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39508", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39508", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf", + "https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab", + "https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: Use set_bit() and test_bit() at worker->flags\n\nUtilize set_bit() and test_bit() on worker->flags within io_uring/io-wq\nto address potential data races.\n\nThe structure io_worker->flags may be accessed through various data\npaths, leading to concurrency issues. When KCSAN is enabled, it reveals\ndata races occurring in io_worker_handle_work and\nio_wq_activate_free_worker functions.\n\n\t BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker\n\t write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28:\n\t io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569)\n\t io_wq_worker (io_uring/io-wq.c:?)\n\n\n\t read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5:\n\t io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285)\n\t io_wq_enqueue (io_uring/io-wq.c:947)\n\t io_queue_iowq (io_uring/io_uring.c:524)\n\t io_req_task_submit (io_uring/io_uring.c:1511)\n\t io_handle_tw_list (io_uring/io_uring.c:1198)\n\n\nLine numbers against commit 18daea77cca6 (\"Merge tag 'for-linus' of\ngit://git.kernel.org/pub/scm/virt/kvm/kvm\").\n\nThese races involve writes and reads to the same memory location by\ndifferent tasks running on different CPUs. To mitigate this, refactor\nthe code to use atomic operations such as set_bit(), test_bit(), and\nclear_bit() instead of basic \"and\" and \"or\" operations. This ensures\nthread-safe manipulation of worker flags.\n\nAlso, move `create_index` to avoid holes in the structure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39508" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39509", + "dataSource": "https://ubuntu.com/security/CVE-2024-39509", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39509" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39509", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39509", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/30f76bc468b9b2cbbd5d3eb482661e3e4798893f", + "https://git.kernel.org/stable/c/33f6832798dd3297317901cc1db556ac3ae80c24", + "https://git.kernel.org/stable/c/4aa2dcfbad538adf7becd0034a3754e1bd01b2b5", + "https://git.kernel.org/stable/c/655c6de2f215b61d0708db6b06305eee9bbfeba2", + "https://git.kernel.org/stable/c/8bac61934cd563b073cd30b8cf6d5c758ab5ab26", + "https://git.kernel.org/stable/c/955b3764671f3f157215194972d9c01a3a4bd316", + "https://git.kernel.org/stable/c/bfd546fc7fd76076f81bf41b85b51ceda30949fd", + "https://git.kernel.org/stable/c/f9db5fbeffb951cac3f0fb1c2eeffb79785399ca" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: remove unnecessary WARN_ON() in implement()\n\nSyzkaller hit a warning [1] in a call to implement() when trying\nto write a value into a field of smaller size in an output report.\n\nSince implement() already has a warn message printed out with the\nhelp of hid_warn() and value in question gets trimmed with:\n\t...\n\tvalue &= m;\n\t...\nWARN_ON may be considered superfluous. Remove it to suppress future\nsyzkaller triggers.\n\n[1]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\nModules linked in:\nCPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]\nRIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\n...\nCall Trace:\n \n __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]\n usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636\n hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39509" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-39510", + "dataSource": "https://ubuntu.com/security/CVE-2024-39510", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-39510" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-39510", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-39510", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3958679c49152391209b32be3357193300a51abd", + "https://git.kernel.org/stable/c/93064676a2820420a2d37d7c8289f277fe20793d", + "https://git.kernel.org/stable/c/cb55625f8eb9d2de8be4da0c4580d48cbb32058e", + "https://git.kernel.org/stable/c/da4a827416066191aafeeccee50a8836a826ba10" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60\nRead of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963\n\nCPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564\nCall Trace:\n kasan_report+0x93/0xc0\n cachefiles_ondemand_daemon_read+0xb41/0xb60\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 116:\n kmem_cache_alloc+0x140/0x3a0\n cachefiles_lookup_cookie+0x140/0xcd0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 792:\n kmem_cache_free+0xfe/0x390\n cachefiles_put_object+0x241/0x480\n fscache_cookie_state_machine+0x5c8/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\ncachefiles_withdraw_cookie\n cachefiles_ondemand_clean_object(object)\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n msg->object_id = req->object->ondemand->ondemand_id\n ------ restore ------\n cachefiles_ondemand_restore\n xas_for_each(&xas, req, ULONG_MAX)\n xas_set_mark(&xas, CACHEFILES_REQ_NEW)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n copy_to_user(_buffer, msg, n)\n xa_erase(&cache->reqs, id)\n complete(&REQ_A->done)\n ------ close(fd) ------\n cachefiles_ondemand_fd_release\n cachefiles_put_object\n cachefiles_put_object\n kmem_cache_free(cachefiles_object_jar, object)\n REQ_A->object->ondemand->ondemand_id\n // object UAF !!!\n\nWhen we see the request within xa_lock, req->object must not have been\nfreed yet, so grab the reference count of object before xa_unlock to\navoid the above issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-39510" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40899", + "dataSource": "https://ubuntu.com/security/CVE-2024-40899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40899", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fc", + "https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62", + "https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0", + "https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0\nWrite of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962\n\nCPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542\nCall Trace:\n kasan_report+0x94/0xc0\n cachefiles_ondemand_daemon_read+0x609/0xab0\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 626:\n __kmalloc+0x1df/0x4b0\n cachefiles_ondemand_send_req+0x24d/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 626:\n kfree+0xf1/0x2c0\n cachefiles_ondemand_send_req+0x568/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n cachefiles_ondemand_get_fd\n copy_to_user(_buffer, msg, n)\n process_open_req(REQ_A)\n ------ restore ------\n cachefiles_ondemand_restore\n xas_for_each(&xas, req, ULONG_MAX)\n xas_set_mark(&xas, CACHEFILES_REQ_NEW);\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n\n write(devfd, (\"copen %u,%llu\", msg->msg_id, size));\n cachefiles_ondemand_copen\n xa_erase(&cache->reqs, id)\n complete(&REQ_A->done)\n kfree(REQ_A)\n cachefiles_ondemand_get_fd(REQ_A)\n fd = get_unused_fd_flags\n file = anon_inode_getfile\n fd_install(fd, file)\n load = (void *)REQ_A->msg.data;\n load->fd = fd;\n // load UAF !!!\n\nThis issue is caused by issuing a restore command when the daemon is still\nalive, which results in a request being processed multiple times thus\ntriggering a UAF. So to avoid this problem, add an additional reference\ncount to cachefiles_req, which is held while waiting and reading, and then\nreleased when the waiting and reading is over.\n\nNote that since there is only one reference count for waiting, we need to\navoid the same request being completed multiple times, so we can only\ncomplete the request if it is successfully removed from the xarray.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40900", + "dataSource": "https://ubuntu.com/security/CVE-2024-40900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40900" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40900", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013", + "https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19", + "https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598", + "https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: remove requests from xarray during flushing requests\n\nEven with CACHEFILES_DEAD set, we can still read the requests, so in the\nfollowing concurrency the request may be used after it has been freed:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n // close dev fd\n cachefiles_flush_reqs\n complete(&REQ_A->done)\n kfree(REQ_A)\n xa_lock(&cache->reqs);\n cachefiles_ondemand_select_req\n req->msg.opcode != CACHEFILES_OP_READ\n // req use-after-free !!!\n xa_unlock(&cache->reqs);\n xa_destroy(&cache->reqs)\n\nHence remove requests from cache->reqs when flushing them to avoid\naccessing freed requests.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40901", + "dataSource": "https://ubuntu.com/security/CVE-2024-40901", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40901" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40901", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40901", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16", + "https://git.kernel.org/stable/c/18abb5db0aa9b2d48f7037a88b41af2eef821674", + "https://git.kernel.org/stable/c/19649e49a6df07cd2e03e0a11396fd3a99485ec2", + "https://git.kernel.org/stable/c/4254dfeda82f20844299dca6c38cbffcfd499f41", + "https://git.kernel.org/stable/c/46bab2bcd771e725ff5ca3a68ba68cfeac45676c", + "https://git.kernel.org/stable/c/521f333e644c4246ca04a4fc4772edc53dd2a801", + "https://git.kernel.org/stable/c/9079338c5a0d1f1fee34fb1c9e99b754efe414c5", + "https://git.kernel.org/stable/c/e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory\n\nThere is a potential out-of-bounds access when using test_bit() on a single\nword. The test_bit() and set_bit() functions operate on long values, and\nwhen testing or setting a single word, they can exceed the word\nboundary. KASAN detects this issue and produces a dump:\n\n\t BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas\n\n\t Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965\n\nFor full log, please look at [1].\n\nMake the allocation at least the size of sizeof(unsigned long) so that\nset_bit() and test_bit() have sufficient room for read/write operations\nwithout overwriting unallocated memory.\n\n[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40901" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40902", + "dataSource": "https://ubuntu.com/security/CVE-2024-40902", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40902" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40902", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40902", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1e84c9b1838152a87cf453270a5fa75c5037e83a", + "https://git.kernel.org/stable/c/33aecc5799c93d3ee02f853cb94e201f9731f123", + "https://git.kernel.org/stable/c/4598233d9748fe4db4e13b9f473588aa25e87d69", + "https://git.kernel.org/stable/c/480e5bc21f2c42d90c2c16045d64d824dcdd5ec7", + "https://git.kernel.org/stable/c/7c55b78818cfb732680c4a72ab270cc2d2ee3d0f", + "https://git.kernel.org/stable/c/b537cb2f4c4a1357479716a9c339c0bda03d873f", + "https://git.kernel.org/stable/c/f0dedb5c511ed82cbaff4997a8decf2351ba549f", + "https://git.kernel.org/stable/c/fc745f6e83cb650f9a5f2c864158e3a5ea76dad0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: xattr: fix buffer overflow for invalid xattr\n\nWhen an xattr size is not what is expected, it is printed out to the\nkernel log in hex format as a form of debugging. But when that xattr\nsize is bigger than the expected size, printing it out can cause an\naccess off the end of the buffer.\n\nFix this all up by properly restricting the size of the debug hex dump\nin the kernel log.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40902" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40904", + "dataSource": "https://ubuntu.com/security/CVE-2024-40904", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40904" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40904", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40904", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/02a4c0499fc3a02e992b4c69a9809912af372d94", + "https://git.kernel.org/stable/c/05b2cd6d33f700597e6f081b53c668a226a96d28", + "https://git.kernel.org/stable/c/217d1f44fff560b3995a685a60aa66e55a7f0f56", + "https://git.kernel.org/stable/c/22f00812862564b314784167a89f27b444f82a46", + "https://git.kernel.org/stable/c/53250b54c92fe087fd4b0c48f85529efe1ebd879", + "https://git.kernel.org/stable/c/72a3fe36cf9f0d030865e571f45a40f9c1e07e8a", + "https://git.kernel.org/stable/c/82075aff7ffccb1e72b0ac8aa349e473624d857c", + "https://git.kernel.org/stable/c/c0747d76eb05542b5d49f67069b64ef5ff732c6c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages\n\nThe syzbot fuzzer found that the interrupt-URB completion callback in\nthe cdc-wdm driver was taking too long, and the driver's immediate\nresubmission of interrupt URBs with -EPROTO status combined with the\ndummy-hcd emulation to cause a CPU lockup:\n\ncdc_wdm 1-1:1.0: nonzero urb status received: -71\ncdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes\nwatchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]\nCPU#0 Utilization every 4s during lockup:\n\t#1: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#2: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#3: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#4: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#5: 98% system,\t 1% softirq,\t 3% hardirq,\t 0% idle\nModules linked in:\nirq event stamp: 73096\nhardirqs last enabled at (73095): [] console_emit_next_record kernel/printk/printk.c:2935 [inline]\nhardirqs last enabled at (73095): [] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994\nhardirqs last disabled at (73096): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\nhardirqs last disabled at (73096): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\nsoftirqs last enabled at (73048): [] softirq_handle_end kernel/softirq.c:400 [inline]\nsoftirqs last enabled at (73048): [] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582\nsoftirqs last disabled at (73043): [] __do_softirq+0x14/0x20 kernel/softirq.c:588\nCPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n\nTesting showed that the problem did not occur if the two error\nmessages -- the first two lines above -- were removed; apparently adding\nmaterial to the kernel log takes a surprisingly large amount of time.\n\nIn any case, the best approach for preventing these lockups and to\navoid spamming the log with thousands of error messages per second is\nto ratelimit the two dev_err() calls. Therefore we replace them with\ndev_err_ratelimited().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40904" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40905", + "dataSource": "https://ubuntu.com/security/CVE-2024-40905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40905" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40905", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/09e5a5a80e205922151136069e440477d6816914", + "https://git.kernel.org/stable/c/2498960dac9b6fc49b6d1574f7cd1a4872744adf", + "https://git.kernel.org/stable/c/7e796c3fefa8b17b30e7252886ae8cffacd2b9ef", + "https://git.kernel.org/stable/c/a0bc020592b54a8f3fa2b7f244b6e39e526c2e12", + "https://git.kernel.org/stable/c/b01e1c030770ff3b4fe37fc7cc6bca03f594133f", + "https://git.kernel.org/stable/c/c693698787660c97950bc1f93a8dd19d8307153d", + "https://git.kernel.org/stable/c/c90af1cced2f669a7b2304584be4ada495eaa0e5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible race in __fib6_drop_pcpu_from()\n\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\n\nIf compiler reads more than once (*ppcpu_rt),\nsecond read could read NULL, if another cpu clears\nthe value in rt6_get_pcpu_route().\n\nAdd a READ_ONCE() to prevent this race.\n\nAlso add rcu_read_lock()/rcu_read_unlock() because\nwe rely on RCU protection while dereferencing pcpu_rt.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: netns cleanup_net\n RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\n fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\n fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\n fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\n fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\n fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205\n fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\n fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\n fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\n __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\n rt6_sync_down_dev net/ipv6/route.c:4906 [inline]\n rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\n addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\n addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\n notifier_call_chain+0xb9/0x410 kernel/notifier.c:93\n call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\n call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\n call_netdevice_notifiers net/core/dev.c:2044 [inline]\n dev_close_many+0x333/0x6a0 net/core/dev.c:1585\n unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\n unregister_netdevice_many net/core/dev.c:11276 [inline]\n default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\n ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\n cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40906", + "dataSource": "https://ubuntu.com/security/CVE-2024-40906", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40906" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40906", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40906", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a", + "https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f", + "https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8", + "https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always stop health timer during driver removal\n\nCurrently, if teardown_hca fails to execute during driver removal, mlx5\ndoes not stop the health timer. Afterwards, mlx5 continue with driver\nteardown. This may lead to a UAF bug, which results in page fault\nOops[1], since the health timer invokes after resources were freed.\n\nHence, stop the health monitor even if teardown_hca fails.\n\n[1]\nmlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: cleanup\nmlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource\nmlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup\nBUG: unable to handle page fault for address: ffffa26487064230\nPGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1\nHardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020\nRIP: 0010:ioread32be+0x34/0x60\nRSP: 0018:ffffa26480003e58 EFLAGS: 00010292\nRAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0\nRDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230\nRBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8\nR10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0\nR13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0\nFS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x175/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? ioread32be+0x34/0x60\n mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n poll_health+0x42/0x230 [mlx5_core]\n ? __next_timer_interrupt+0xbc/0x110\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n call_timer_fn+0x21/0x130\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n __run_timers+0x222/0x2c0\n run_timer_softirq+0x1d/0x40\n __do_softirq+0xc9/0x2c8\n __irq_exit_rcu+0xa6/0xc0\n sysvec_apic_timer_interrupt+0x72/0x90\n \n \n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:cpuidle_enter_state+0xcc/0x440\n ? cpuidle_enter_state+0xbd/0x440\n cpuidle_enter+0x2d/0x40\n do_idle+0x20d/0x270\n cpu_startup_entry+0x2a/0x30\n rest_init+0xd0/0xd0\n arch_call_rest_init+0xe/0x30\n start_kernel+0x709/0xa90\n x86_64_start_reservations+0x18/0x30\n x86_64_start_kernel+0x96/0xa0\n secondary_startup_64_no_verify+0x18f/0x19b\n---[ end trace 0000000000000000 ]---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40906" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40908", + "dataSource": "https://ubuntu.com/security/CVE-2024-40908", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40908" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40908", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40908", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3708b6c2546c9eb34aead8a34a17e8ae69004e4d", + "https://git.kernel.org/stable/c/789bd77c9342aa6125003871ae5c6034d0f6f9d2", + "https://git.kernel.org/stable/c/ae0ba0ab7475a129ef7d449966edf677367efeb4", + "https://git.kernel.org/stable/c/d0d1df8ba18abc57f28fb3bc053b2bf319367f2c", + "https://git.kernel.org/stable/c/d387805d4b4a46ee01e3dae133c81b6d80195e5b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Set run context for rawtp test_run callback\n\nsyzbot reported crash when rawtp program executed through the\ntest_run interface calls bpf_get_attach_cookie helper or any\nother helper that touches task->bpf_ctx pointer.\n\nSetting the run context (task->bpf_ctx pointer) for test_run\ncallback.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40908" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40910", + "dataSource": "https://ubuntu.com/security/CVE-2024-40910", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40910" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40910", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40910", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774", + "https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3", + "https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964", + "https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix refcount imbalance on inbound connections\n\nWhen releasing a socket in ax25_release(), we call netdev_put() to\ndecrease the refcount on the associated ax.25 device. However, the\nexecution path for accepting an incoming connection never calls\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\nto kernel crashes.\n\nA typical call trace for the above situation will start with one of the\nfollowing errors:\n\n refcount_t: decrement hit 0; leaking memory.\n refcount_t: underflow; use-after-free.\n\nAnd will then have a trace like:\n\n Call Trace:\n \n ? show_regs+0x64/0x70\n ? __warn+0x83/0x120\n ? refcount_warn_saturate+0xb2/0x100\n ? report_bug+0x158/0x190\n ? prb_read_valid+0x20/0x30\n ? handle_bug+0x3e/0x70\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? refcount_warn_saturate+0xb2/0x100\n ? refcount_warn_saturate+0xb2/0x100\n ax25_release+0x2ad/0x360\n __sock_release+0x35/0xa0\n sock_close+0x19/0x20\n [...]\n\nOn reboot (or any attempt to remove the interface), the kernel gets\nstuck in an infinite loop:\n\n unregister_netdevice: waiting for ax0 to become free. Usage count = 0\n\nThis patch corrects these issues by ensuring that we call netdev_hold()\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\ncases we increment the refcount, which is ultimately decremented in\nax25_release().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40910" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40911", + "dataSource": "https://ubuntu.com/security/CVE-2024-40911", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40911" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40911", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40911", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0ccc63958d8373e15a69f4f8069f3e78f7f3898a", + "https://git.kernel.org/stable/c/43e1eefb0b2094e2281150d87d09e8bc872b9fba", + "https://git.kernel.org/stable/c/642f89daa34567d02f312d03e41523a894906dae", + "https://git.kernel.org/stable/c/6d540b0317901535275020bd4ac44fac6439ca76", + "https://git.kernel.org/stable/c/dfd84ce41663be9ca3f69bd657c45f49b69344d9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Lock wiphy in cfg80211_get_station\n\nWiphy should be locked before calling rdev_get_station() (see lockdep\nassert in ieee80211_get_station()).\n\nThis fixes the following kernel NULL dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n Mem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000006\n CM = 0, WnR = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000\n [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000\n Internal error: Oops: 0000000096000006 [#1] SMP\n Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath\n CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705\n Hardware name: RPT (r1) (DT)\n Workqueue: bat_events batadv_v_elp_throughput_metric_update\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n lr : sta_set_sinfo+0xcc/0xbd4\n sp : ffff000007b43ad0\n x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98\n x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000\n x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc\n x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000\n x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d\n x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e\n x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000\n x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000\n x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90\n x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000\n Call trace:\n ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n sta_set_sinfo+0xcc/0xbd4\n ieee80211_get_station+0x2c/0x44\n cfg80211_get_station+0x80/0x154\n batadv_v_elp_get_throughput+0x138/0x1fc\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\n process_one_work+0x1ec/0x414\n worker_thread+0x70/0x46c\n kthread+0xdc/0xe0\n ret_from_fork+0x10/0x20\n Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)\n\nThis happens because STA has time to disconnect and reconnect before\nbatadv_v_elp_throughput_metric_update() delayed work gets scheduled. In\nthis situation, ath10k_sta_state() can be in the middle of resetting\narsta data when the work queue get chance to be scheduled and ends up\naccessing it. Locking wiphy prevents that.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40911" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40912", + "dataSource": "https://ubuntu.com/security/CVE-2024-40912", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40912" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40912", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40912", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932", + "https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e", + "https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81", + "https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485", + "https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb", + "https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f", + "https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e", + "https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\n\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\n rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\n Hardware name: RPT (r1) (DT)\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : queued_spin_lock_slowpath+0x58/0x2d0\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\n sp : ffff00001ef64660\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\n Call trace:\n queued_spin_lock_slowpath+0x58/0x2d0\n ieee80211_tx+0x80/0x12c\n ieee80211_tx_pending+0x110/0x278\n tasklet_action_common.constprop.0+0x10c/0x144\n tasklet_action+0x20/0x28\n _stext+0x11c/0x284\n ____do_softirq+0xc/0x14\n call_on_irq_stack+0x24/0x34\n do_softirq_own_stack+0x18/0x20\n do_softirq+0x74/0x7c\n __local_bh_enable_ip+0xa0/0xa4\n _ieee80211_wake_txqs+0x3b0/0x4b8\n __ieee80211_wake_queue+0x12c/0x168\n ieee80211_add_pending_skbs+0xec/0x138\n ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\n ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\n ieee80211_mps_sta_status_update+0x18/0x24\n sta_apply_parameters+0x3bc/0x4c0\n ieee80211_change_station+0x1b8/0x2dc\n nl80211_set_station+0x444/0x49c\n genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\n genl_rcv_msg+0x1b0/0x244\n netlink_rcv_skb+0x38/0x10c\n genl_rcv+0x34/0x48\n netlink_unicast+0x254/0x2bc\n netlink_sendmsg+0x190/0x3b4\n ____sys_sendmsg+0x1e8/0x218\n ___sys_sendmsg+0x68/0x8c\n __sys_sendmsg+0x44/0x84\n __arm64_sys_sendmsg+0x20/0x28\n do_el0_svc+0x6c/0xe8\n el0_svc+0x14/0x48\n el0t_64_sync_handler+0xb0/0xb4\n el0t_64_sync+0x14c/0x150\n\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40912" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40914", + "dataSource": "https://ubuntu.com/security/CVE-2024-40914", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40914" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40914", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40914", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9", + "https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af", + "https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf", + "https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794", + "https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: don't unpoison huge_zero_folio\n\nWhen I did memory failure tests recently, below panic occurs:\n\n kernel BUG at include/linux/mm.h:1135!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n Call Trace:\n \n do_shrink_slab+0x14f/0x6a0\n shrink_slab+0xca/0x8c0\n shrink_node+0x2d0/0x7d0\n balance_pgdat+0x33a/0x720\n kswapd+0x1f3/0x410\n kthread+0xd5/0x100\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30\n \n Modules linked in: mce_inject hwpoison_inject\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n\nThe root cause is that HWPoison flag will be set for huge_zero_folio\nwithout increasing the folio refcnt. But then unpoison_memory() will\ndecrease the folio refcnt unexpectedly as it appears like a successfully\nhwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when\nreleasing huge_zero_folio.\n\nSkip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. \nWe're not prepared to unpoison huge_zero_folio yet.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40914" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40915", + "dataSource": "https://ubuntu.com/security/CVE-2024-40915", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40915" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40915", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40915", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb", + "https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876", + "https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915", + "https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: rewrite __kernel_map_pages() to fix sleeping in invalid context\n\n__kernel_map_pages() is a debug function which clears the valid bit in page\ntable entry for deallocated pages to detect illegal memory accesses to\nfreed pages.\n\nThis function set/clear the valid bit using __set_memory(). __set_memory()\nacquires init_mm's semaphore, and this operation may sleep. This is\nproblematic, because __kernel_map_pages() can be called in atomic context,\nand thus is illegal to sleep. An example warning that this causes:\n\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\npreempt_count: 2, expected: 0\nCPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n[] dump_backtrace+0x1c/0x24\n[] show_stack+0x2c/0x38\n[] dump_stack_lvl+0x5a/0x72\n[] dump_stack+0x14/0x1c\n[] __might_resched+0x104/0x10e\n[] __might_sleep+0x3e/0x62\n[] down_write+0x20/0x72\n[] __set_memory+0x82/0x2fa\n[] __kernel_map_pages+0x5a/0xd4\n[] __alloc_pages_bulk+0x3b2/0x43a\n[] __vmalloc_node_range+0x196/0x6ba\n[] copy_process+0x72c/0x17ec\n[] kernel_clone+0x60/0x2fe\n[] kernel_thread+0x82/0xa0\n[] kthreadd+0x14a/0x1be\n[] ret_from_fork+0xe/0x1c\n\nRewrite this function with apply_to_existing_page_range(). It is fine to\nnot have any locking, because __kernel_map_pages() works with pages being\nallocated/deallocated and those pages are not changed by anyone else in the\nmeantime.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40915" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40916", + "dataSource": "https://ubuntu.com/security/CVE-2024-40916", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40916" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40916", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40916", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/35bcf16b4a28c10923ff391d14f6ed0ae471ee5f", + "https://git.kernel.org/stable/c/4dfffb50316c761c59386c9b002a10ac6d7bb6c9", + "https://git.kernel.org/stable/c/510a6c0dfa6ec61d07a4b64698d8dc60045bd632", + "https://git.kernel.org/stable/c/6d6bb258d886e124e5a5328e947b36fdcb3a6028", + "https://git.kernel.org/stable/c/799d4b392417ed6889030a5b2335ccb6dcf030ab", + "https://git.kernel.org/stable/c/c3ca24dfe9a2b3f4e8899af108829b0f4b4b15ec", + "https://git.kernel.org/stable/c/e23f2eaf51ecb6ab4ceb770e747d50c1db2eb222" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found\n\nWhen reading EDID fails and driver reports no modes available, the DRM\ncore adds an artificial 1024x786 mode to the connector. Unfortunately\nsome variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not\nable to drive such mode, so report a safe 640x480 mode instead of nothing\nin case of the EDID reading failure.\n\nThis fixes the following issue observed on Trats2 board since commit\n13d5b040363c (\"drm/exynos: do not return negative values from .get_modes()\"):\n\n[drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations\nexynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)\nexynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)\nexynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)\nexynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)\nexynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)\n[drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1\nexynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state\npanel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c\nexynos-mixer 12c10000.mixer: timeout waiting for VSYNC\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n[CRTC:70:crtc-1] vblank wait timed out\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x68/0x88\n dump_stack_lvl from __warn+0x7c/0x1c4\n __warn from warn_slowpath_fmt+0x11c/0x1a8\n warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c\n drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184\n commit_tail from drm_atomic_helper_commit+0x168/0x190\n drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0\n drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c\n drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc\n drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40\n drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4\n __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c\n drm_fb_helper_set_par from fbcon_init+0x3d8/0x550\n fbcon_init from visual_init+0xc0/0x108\n visual_init from do_bind_con_driver+0x1b8/0x3a4\n do_bind_con_driver from do_take_over_console+0x140/0x1ec\n do_take_over_console from do_fbcon_takeover+0x70/0xd0\n do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac\n fbcon_fb_registered from register_framebuffer+0x190/0x21c\n register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574\n __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0\n exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94\n drm_client_register from exynos_drm_bind+0x160/0x190\n exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8\n try_to_bring_up_aggregate_device from __component_add+0xb0/0x170\n __component_add from mixer_probe+0x74/0xcc\n mixer_probe from platform_probe+0x5c/0xb8\n platform_probe from really_probe+0xe0/0x3d8\n really_probe from __driver_probe_device+0x9c/0x1e4\n __driver_probe_device from driver_probe_device+0x30/0xc0\n driver_probe_device from __device_attach_driver+0xa8/0x120\n __device_attach_driver from bus_for_each_drv+0x80/0xcc\n bus_for_each_drv from __device_attach+0xac/0x1fc\n __device_attach from bus_probe_device+0x8c/0x90\n bus_probe_device from deferred_probe_work_func+0\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40916" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40918", + "dataSource": "https://ubuntu.com/security/CVE-2024-40918", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40918" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40918", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40918", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5bf196f1936bf93df31112fbdfb78c03537c07b0", + "https://git.kernel.org/stable/c/72d95924ee35c8cd16ef52f912483ee938a34d49", + "https://git.kernel.org/stable/c/d66f2607d89f760cdffed88b22f309c895a2af20" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Try to fix random segmentation faults in package builds\n\nPA-RISC systems with PA8800 and PA8900 processors have had problems\nwith random segmentation faults for many years. Systems with earlier\nprocessors are much more stable.\n\nSystems with PA8800 and PA8900 processors have a large L2 cache which\nneeds per page flushing for decent performance when a large range is\nflushed. The combined cache in these systems is also more sensitive to\nnon-equivalent aliases than the caches in earlier systems.\n\nThe majority of random segmentation faults that I have looked at\nappear to be memory corruption in memory allocated using mmap and\nmalloc.\n\nMy first attempt at fixing the random faults didn't work. On\nreviewing the cache code, I realized that there were two issues\nwhich the existing code didn't handle correctly. Both relate\nto cache move-in. Another issue is that the present bit in PTEs\nis racy.\n\n1) PA-RISC caches have a mind of their own and they can speculatively\nload data and instructions for a page as long as there is a entry in\nthe TLB for the page which allows move-in. TLBs are local to each\nCPU. Thus, the TLB entry for a page must be purged before flushing\nthe page. This is particularly important on SMP systems.\n\nIn some of the flush routines, the flush routine would be called\nand then the TLB entry would be purged. This was because the flush\nroutine needed the TLB entry to do the flush.\n\n2) My initial approach to trying the fix the random faults was to\ntry and use flush_cache_page_if_present for all flush operations.\nThis actually made things worse and led to a couple of hardware\nlockups. It finally dawned on me that some lines weren't being\nflushed because the pte check code was racy. This resulted in\nrandom inequivalent mappings to physical pages.\n\nThe __flush_cache_page tmpalias flush sets up its own TLB entry\nand it doesn't need the existing TLB entry. As long as we can find\nthe pte pointer for the vm page, we can get the pfn and physical\naddress of the page. We can also purge the TLB entry for the page\nbefore doing the flush. Further, __flush_cache_page uses a special\nTLB entry that inhibits cache move-in.\n\nWhen switching page mappings, we need to ensure that lines are\nremoved from the cache. It is not sufficient to just flush the\nlines to memory as they may come back.\n\nThis made it clear that we needed to implement all the required\nflush operations using tmpalias routines. This includes flushes\nfor user and kernel pages.\n\nAfter modifying the code to use tmpalias flushes, it became clear\nthat the random segmentation faults were not fully resolved. The\nfrequency of faults was worse on systems with a 64 MB L2 (PA8900)\nand systems with more CPUs (rp4440).\n\nThe warning that I added to flush_cache_page_if_present to detect\npages that couldn't be flushed triggered frequently on some systems.\n\nHelge and I looked at the pages that couldn't be flushed and found\nthat the PTE was either cleared or for a swap page. Ignoring pages\nthat were swapped out seemed okay but pages with cleared PTEs seemed\nproblematic.\n\nI looked at routines related to pte_clear and noticed ptep_clear_flush.\nThe default implementation just flushes the TLB entry. However, it was\nobvious that on parisc we need to flush the cache page as well. If\nwe don't flush the cache page, stale lines will be left in the cache\nand cause random corruption. Once a PTE is cleared, there is no way\nto find the physical address associated with the PTE and flush the\nassociated page at a later time.\n\nI implemented an updated change with a parisc specific version of\nptep_clear_flush. It fixed the random data corruption on Helge's rp4440\nand rp3440, as well as on my c8000.\n\nAt this point, I realized that I could restore the code where we only\nflush in flush_cache_page_if_present if the page has been accessed.\nHowever, for this, we also need to flush the cache when the accessed\nbit is cleared in\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40918" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40927", + "dataSource": "https://ubuntu.com/security/CVE-2024-40927", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40927" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40927", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40927", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/26460c1afa311524f588e288a4941432f0de6228", + "https://git.kernel.org/stable/c/5ceac4402f5d975e5a01c806438eb4e554771577", + "https://git.kernel.org/stable/c/61593dc413c3655e4328a351555235bc3089486a", + "https://git.kernel.org/stable/c/633f72cb6124ecda97b641fbc119340bd88d51a9", + "https://git.kernel.org/stable/c/949be4ec5835e0ccb3e2a8ab0e46179cb5512518" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Handle TD clearing for multiple streams case\n\nWhen multiple streams are in use, multiple TDs might be in flight when\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\neach, to ensure everything is reset properly and the caches cleared.\nChange the logic so that any N>1 TDs found active for different streams\nare deferred until after the first one is processed, calling\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\nqueue another command until we are done with all of them. Also change\nthe error/\"should never happen\" paths to ensure we at least clear any\naffected TDs, even if we can't issue a command to clear the hardware\ncache, and complain loudly with an xhci_warn() if this ever happens.\n\nThis problem case dates back to commit e9df17eb1408 (\"USB: xhci: Correct\nassumptions about number of rings per endpoint.\") early on in the XHCI\ndriver's life, when stream support was first added.\nIt was then identified but not fixed nor made into a warning in commit\n674f8438c121 (\"xhci: split handling halted endpoints into two steps\"),\nwhich added a FIXME comment for the problem case (without materially\nchanging the behavior as far as I can tell, though the new logic made\nthe problem more obvious).\n\nThen later, in commit 94f339147fc3 (\"xhci: Fix failure to give back some\ncached cancelled URBs.\"), it was acknowledged again.\n\n[Mathias: commit 94f339147fc3 (\"xhci: Fix failure to give back some cached\ncancelled URBs.\") was a targeted regression fix to the previously mentioned\npatch. Users reported issues with usb stuck after unmounting/disconnecting\nUAS devices. This rolled back the TD clearing of multiple streams to its\noriginal state.]\n\nApparently the commit author was aware of the problem (yet still chose\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\nadded to log the problem condition, and the remaining issue was mentioned\nin the commit description. The choice of making the log type xhci_dbg()\nfor what is, at this point, a completely unhandled and known broken\ncondition is puzzling and unfortunate, as it guarantees that no actual\nusers would see the log in production, thereby making it nigh\nundebuggable (indeed, even if you turn on DEBUG, the message doesn't\nreally hint at there being a problem at all).\n\nIt took me *months* of random xHC crashes to finally find a reliable\nrepro and be able to do a deep dive debug session, which could all have\nbeen avoided had this unhandled, broken condition been actually reported\nwith a warning, as it should have been as a bug intentionally left in\nunfixed (never mind that it shouldn't have been left in at all).\n\n> Another fix to solve clearing the caches of all stream rings with\n> cancelled TDs is needed, but not as urgent.\n\n3 years after that statement and 14 years after the original bug was\nintroduced, I think it's finally time to fix it. And maybe next time\nlet's not leave bugs unfixed (that are actually worse than the original\nbug), and let's actually get people to review kernel commits please.\n\nFixes xHC crashes and IOMMU faults with UAS devices when handling\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.\nAt least in the case of JMicron controllers, the read errors end up\nhaving to cancel two TDs (for two queued requests to different streams)\nand the one that didn't get cleared properly ends up faulting the xHC\nentirely when it tries to access DMA pages that have since been unmapped,\nreferred to by the stale TDs. This normally happens quickly (after two\nor three loops). After this fix, I left the `cat` in a loop running\novernight and experienced no xHC failures, with all read errors\nrecovered properly. Repro'd and tested on an Apple M1 Mac Mini\n(dwc3 host).\n\nOn systems without an IOMMU, this bug would instead silently corrupt\nfreed memory, making this a\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40927" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40929", + "dataSource": "https://ubuntu.com/security/CVE-2024-40929", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40929" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40929", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40929", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29a18d56bd64b95bd10bda4afda512558471382a", + "https://git.kernel.org/stable/c/3c4771091ea8016c8601399078916f722dd8833b", + "https://git.kernel.org/stable/c/60d62757df30b74bf397a2847a6db7385c6ee281", + "https://git.kernel.org/stable/c/62e007bdeb91c6879a4652c3426aef1cd9d2937b", + "https://git.kernel.org/stable/c/9e719ae3abad60e245ce248ba3f08148f375a614", + "https://git.kernel.org/stable/c/f777792952d03bbaf8329fdfa99393a5a33e2640" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: check n_ssids before accessing the ssids\n\nIn some versions of cfg80211, the ssids poinet might be a valid one even\nthough n_ssids is 0. Accessing the pointer in this case will cuase an\nout-of-bound access. Fix this by checking n_ssids first.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40929" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40931", + "dataSource": "https://ubuntu.com/security/CVE-2024-40931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40931" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40931", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/208cd22ef5e57f82d38ec11c1a1703f9401d6dde", + "https://git.kernel.org/stable/c/7b9c7fc8600b64a86e4b47b2d190bba380267726", + "https://git.kernel.org/stable/c/8031b58c3a9b1db3ef68b3bd749fbee2e1e1aaa3", + "https://git.kernel.org/stable/c/ef473bf1dd7e8dd08bcc04b9e2d1bfed69a0a7ce", + "https://git.kernel.org/stable/c/f03c46eabb3a67bd2993e237ab5517f00a5f1813", + "https://git.kernel.org/stable/c/f1f0a46f8bb8890b90ab7194f0a0c8fe2a3fb57f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_una is properly initialized on connect\n\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\n\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40932", + "dataSource": "https://ubuntu.com/security/CVE-2024-40932", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40932" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40932", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40932", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0acc356da8546b5c55aabfc2e2c5caa0ac9b0003", + "https://git.kernel.org/stable/c/38e3825631b1f314b21e3ade00b5a4d737eb054e", + "https://git.kernel.org/stable/c/540ca99729e28dbe902b01039a3b4bd74520a819", + "https://git.kernel.org/stable/c/777838c9b571674ef14dbddf671f372265879226", + "https://git.kernel.org/stable/c/a269c5701244db2722ae0fce5d1854f5d8f31224", + "https://git.kernel.org/stable/c/cb3ac233434dba130281db330c4b15665b2d2c4d", + "https://git.kernel.org/stable/c/dcba6bedb439581145d8aa6b0925209f23184ae1", + "https://git.kernel.org/stable/c/ebcf81504fef03f701b9711e43fea4fe2d82ebc8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos/vidi: fix memory leak in .get_modes()\n\nThe duplicated EDID is never freed. Fix it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40932" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40934", + "dataSource": "https://ubuntu.com/security/CVE-2024-40934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40934" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40934", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/15122dc140d82c51c216535c57b044c4587aae45", + "https://git.kernel.org/stable/c/1df2ead5dfad5f8f92467bd94889392d53100b98", + "https://git.kernel.org/stable/c/789c99a1d7d2c8f6096d75fc2930505840ec9ea0", + "https://git.kernel.org/stable/c/a0503757947f2e46e59c1962326b53b3208c8213", + "https://git.kernel.org/stable/c/caa9c9acb93db7ad7b74b157cf101579bac9596d", + "https://git.kernel.org/stable/c/ce3af2ee95170b7d9e15fff6e500d67deab1e7b3", + "https://git.kernel.org/stable/c/f677ca8cfefee2a729ca315f660cd4868abdf8de" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()\n\nFix a memory leak on logi_dj_recv_send_report() error path.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40937", + "dataSource": "https://ubuntu.com/security/CVE-2024-40937", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40937" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40937", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40937", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037", + "https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e", + "https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc", + "https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50", + "https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Clear napi->skb before dev_kfree_skb_any()\n\ngve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it\nis freed with dev_kfree_skb_any(). This can result in a subsequent call\nto napi_get_frags returning a dangling pointer.\n\nFix this by clearing napi->skb before the skb is freed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40937" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40941", + "dataSource": "https://ubuntu.com/security/CVE-2024-40941", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40941" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40941", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40941", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/15b37c6fab9d5e40ac399fa1c725118588ed649c", + "https://git.kernel.org/stable/c/46c59a25337049a2a230ce7f7c3b9f21d0aaaad7", + "https://git.kernel.org/stable/c/4bb95f4535489ed830cf9b34b0a891e384d1aee4", + "https://git.kernel.org/stable/c/6532f18e66b384b8d4b7e5c9caca042faaa9e8de", + "https://git.kernel.org/stable/c/65686118845d427df27ee83a6ddd4885596b0805", + "https://git.kernel.org/stable/c/a05018739a5e6b9dc112c95bd4c59904062c8940", + "https://git.kernel.org/stable/c/a8bc8276af9aeacabb773f0c267cfcdb847c6f2d", + "https://git.kernel.org/stable/c/acdfa33c3cf5e1cd185cc1e0486bd0ea9f09c154" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don't read past the mfuart notifcation\n\nIn case the firmware sends a notification that claims it has more data\nthan it has, we will read past that was allocated for the notification.\nRemove the print of the buffer, we won't see it by default. If needed,\nwe can see the content with tracing.\n\nThis was reported by KFENCE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40941" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40942", + "dataSource": "https://ubuntu.com/security/CVE-2024-40942", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40942" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40942", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40942", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/377dbb220edc8421b7960691876c5b3bef62f89b", + "https://git.kernel.org/stable/c/617dadbfb2d3e152c5753e28356d189c9d6f33c0", + "https://git.kernel.org/stable/c/63d5f89bb5664d60edbf8cf0df911aaae8ed96a4", + "https://git.kernel.org/stable/c/7518e20a189f8659b8b83969db4d33a4068fcfc3", + "https://git.kernel.org/stable/c/b7d7f11a291830fdf69d3301075dd0fb347ced84", + "https://git.kernel.org/stable/c/c4c865f971fd4a255208f57ef04d814c2ae9e0dc", + "https://git.kernel.org/stable/c/d81e244af521de63ad2883e17571b789c39b6549", + "https://git.kernel.org/stable/c/ec79670eae430b3ffb7e0a6417ad7657728b8f95" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: mesh: Fix leak of mesh_preq_queue objects\n\nThe hwmp code use objects of type mesh_preq_queue, added to a list in\nieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath\ngets deleted, ex mesh interface is removed, the entries in that list will\nnever get cleaned. Fix this by flushing all corresponding items of the\npreq_queue in mesh_path_flush_pending().\n\nThis should take care of KASAN reports like this:\n\nunreferenced object 0xffff00000668d800 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419552 (age 1836.444s)\n hex dump (first 32 bytes):\n 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....\n 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........\n backtrace:\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n [<00000000b36425d1>] worker_thread+0x9c/0x634\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\n [<000000005fccd770>] ret_from_fork+0x10/0x20\nunreferenced object 0xffff000009051f00 (size 128):\n comm \"kworker/u8:4\", pid 67, jiffies 4295419553 (age 1836.440s)\n hex dump (first 32 bytes):\n 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....\n 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....\n backtrace:\n [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n [<00000000049bd418>] kmalloc_trace+0x34/0x80\n [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n [<00000000b36425d1>] worker_thread+0x9c/0x634\n [<0000000005852dd5>] kthread+0x1bc/0x1c4\n [<000000005fccd770>] ret_from_fork+0x10/0x20", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40942" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40943", + "dataSource": "https://ubuntu.com/security/CVE-2024-40943", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40943" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40943", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40943", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/050ce8af6838c71e872e982b50d3f1bec21da40e", + "https://git.kernel.org/stable/c/117b9c009b72a6c2ebfd23484354dfee2d9570d2", + "https://git.kernel.org/stable/c/38825ff9da91d2854dcf6d9ac320a7e641e10f25", + "https://git.kernel.org/stable/c/3c26b5d21b1239e9c7fd31ba7d9b2d7bdbaa68d9", + "https://git.kernel.org/stable/c/3c361f313d696df72f9bccf058510e9ec737b9b1", + "https://git.kernel.org/stable/c/952b023f06a24b2ad6ba67304c4c84d45bea2f18", + "https://git.kernel.org/stable/c/e8e2db1adac47970a6a9225f3858e9aa0e86287f", + "https://git.kernel.org/stable/c/ea042dc2bea19d72e37c298bf65a9c341ef3fff3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix races between hole punching and AIO+DIO\n\nAfter commit \"ocfs2: return real error code in ocfs2_dio_wr_get_block\",\nfstests/generic/300 become from always failed to sometimes failed:\n\n========================================================================\n[ 473.293420 ] run fstests generic/300\n\n[ 475.296983 ] JBD2: Ignoring recovery information on journal\n[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.\n[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found\n[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.\n[ 494.292018 ] OCFS2: File system is now read-only.\n[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30\n[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3\nfio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072\n=========================================================================\n\nIn __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten\nextents to a list. extents are also inserted into extent tree in\nocfs2_write_begin_nolock. Then another thread call fallocate to puch a\nhole at one of the unwritten extent. The extent at cpos was removed by\nocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list\nfound there is no such extent at the cpos.\n\n T1 T2 T3\n inode lock\n ...\n insert extents\n ...\n inode unlock\nocfs2_fallocate\n __ocfs2_change_file_space\n inode lock\n lock ip_alloc_sem\n ocfs2_remove_inode_range inode\n ocfs2_remove_btree_range\n ocfs2_remove_extent\n ^---remove the extent at cpos 78723\n ...\n unlock ip_alloc_sem\n inode unlock\n ocfs2_dio_end_io\n ocfs2_dio_end_io_write\n lock ip_alloc_sem\n ocfs2_mark_extent_written\n ocfs2_change_extent_flag\n ocfs2_search_extent_list\n ^---failed to find extent\n ...\n unlock ip_alloc_sem\n\nIn most filesystems, fallocate is not compatible with racing with AIO+DIO,\nso fix it by adding to wait for all dio before fallocate/punch_hole like\next4.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40943" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40945", + "dataSource": "https://ubuntu.com/security/CVE-2024-40945", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40945" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40945", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40945", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2973b8e7d127754de9013177c41c0b5547406998", + "https://git.kernel.org/stable/c/61a96da9649a6b6a1a5d5bde9374b045fdb5c12e", + "https://git.kernel.org/stable/c/700f564758882db7c039dfba9443fe762561a3f8", + "https://git.kernel.org/stable/c/7388ae6f26c0ba95f70cc96bf9c5d5cb06c908b6", + "https://git.kernel.org/stable/c/89e8a2366e3bce584b6c01549d5019c5cda1205e", + "https://git.kernel.org/stable/c/cf34f8f66982a36e5cba0d05781b21ec9606b91e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Return right value in iommu_sva_bind_device()\n\niommu_sva_bind_device() should return either a sva bond handle or an\nERR_PTR value in error cases. Existing drivers (idxd and uacce) only\ncheck the return value with IS_ERR(). This could potentially lead to\na kernel NULL pointer dereference issue if the function returns NULL\ninstead of an error pointer.\n\nIn reality, this doesn't cause any problems because iommu_sva_bind_device()\nonly returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.\nIn this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will\nreturn an error, and the device drivers won't call iommu_sva_bind_device()\nat all.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40945" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40953", + "dataSource": "https://ubuntu.com/security/CVE-2024-40953", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40953" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40953", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40953", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb", + "https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c", + "https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60", + "https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\n\nUse {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the\nloads and stores are atomic. In the extremely unlikely scenario the\ncompiler tears the stores, it's theoretically possible for KVM to attempt\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\n257 vCPUs:\n\n CPU0 CPU1\n last_boosted_vcpu = 0xff;\n\n (last_boosted_vcpu = 0x100)\n last_boosted_vcpu[15:8] = 0x01;\n i = (last_boosted_vcpu = 0x1ff)\n last_boosted_vcpu[7:0] = 0x00;\n\n vcpu = kvm->vcpu_array[0x1ff];\n\nAs detected by KCSAN:\n\n BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\n\n write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t arch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t\tarch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n value changed: 0x00000012 -> 0x00000000", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40953" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40954", + "dataSource": "https://ubuntu.com/security/CVE-2024-40954", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40954" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40954", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40954", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/454c454ed645fed051216b79622f7cb69c1638f5", + "https://git.kernel.org/stable/c/5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9", + "https://git.kernel.org/stable/c/6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2", + "https://git.kernel.org/stable/c/78e4aa528a7b1204219d808310524344f627d069", + "https://git.kernel.org/stable/c/893eeba94c40d513cd0fe6539330ebdaea208c0e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not leave a dangling sk pointer, when socket creation fails\n\nIt is possible to trigger a use-after-free by:\n * attaching an fentry probe to __sock_release() and the probe calling the\n bpf_get_socket_cookie() helper\n * running traceroute -I 1.1.1.1 on a freshly booted VM\n\nA KASAN enabled kernel will log something like below (decoded and stripped):\n==================================================================\nBUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nRead of size 8 at addr ffff888007110dd8 by task traceroute/299\n\nCPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\nprint_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_report (mm/kasan/report.c:603)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)\n__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nbpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)\nbpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e\nbpf_trampoline_6442506592+0x47/0xaf\n__sock_release (net/socket.c:652)\n__sock_create (net/socket.c:1601)\n...\nAllocated by task 299 on cpu 2 at 78.328492s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\n__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)\nkmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)\nsk_prot_alloc (net/core/sock.c:2075)\nsk_alloc (net/core/sock.c:2134)\ninet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFreed by task 299 on cpu 2 at 78.328502s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\nkasan_save_free_info (mm/kasan/generic.c:582)\npoison_slab_object (mm/kasan/common.c:242)\n__kasan_slab_free (mm/kasan/common.c:256)\nkmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)\n__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)\ninet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by clearing the struct socket reference in sk_common_release() to cover\nall protocol families create functions, which may already attached the\nreference to the sk object with sock_init_data().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40954" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40956", + "dataSource": "https://ubuntu.com/security/CVE-2024-40956", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40956" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40956", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40956", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1b08bf5a17c66ab7dbb628df5344da53c8e7ab33", + "https://git.kernel.org/stable/c/83163667d881100a485b6c2daa30301b7f68d9b5", + "https://git.kernel.org/stable/c/a14968921486793f2a956086895c3793761309dd", + "https://git.kernel.org/stable/c/e3215deca4520773cd2b155bed164c12365149a7", + "https://git.kernel.org/stable/c/faa35db78b058a2ab6e074ee283f69fa398c36a8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list\n\nUse list_for_each_entry_safe() to allow iterating through the list and\ndeleting the entry in the iteration process. The descriptor is freed via\nidxd_desc_complete() and there's a slight chance may cause issue for\nthe list iterator when the descriptor is reused by another thread\nwithout it being deleted from the list.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40956" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40957", + "dataSource": "https://ubuntu.com/security/CVE-2024-40957", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40957" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40957", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40957", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c", + "https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779", + "https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d", + "https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6", + "https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\n\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\ndereference, as below:\n\n [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\n [74830.655633] #PF: supervisor read access in kernel mode\n [74830.657888] #PF: error_code(0x0000) - not-present page\n [74830.659500] PGD 0 P4D 0\n [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\n ...\n [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n ...\n [74830.689725] Call Trace:\n [74830.690402] \n [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df\n [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df\n [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]\n [74830.694275] ? __die_body.cold+0x8/0xd\n [74830.695205] ? page_fault_oops+0xac/0x140\n [74830.696244] ? exc_page_fault+0x62/0x150\n [74830.697225] ? asm_exc_page_fault+0x22/0x30\n [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n [74830.699540] ipt_do_table+0x286/0x710 [ip_tables]\n [74830.700758] ? ip6_route_input+0x19d/0x240\n [74830.701752] nf_hook_slow+0x3f/0xb0\n [74830.702678] input_action_end_dx4+0x19b/0x1e0\n [74830.703735] ? input_action_end_t+0xe0/0xe0\n [74830.704734] seg6_local_input_core+0x2d/0x60\n [74830.705782] lwtunnel_input+0x5b/0xb0\n [74830.706690] __netif_receive_skb_one_core+0x63/0xa0\n [74830.707825] process_backlog+0x99/0x140\n [74830.709538] __napi_poll+0x2c/0x160\n [74830.710673] net_rx_action+0x296/0x350\n [74830.711860] __do_softirq+0xcb/0x2ac\n [74830.713049] do_softirq+0x63/0x90\n\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\ntrigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():\n\n static bool\n rpfilter_is_loopback(const struct sk_buff *skb,\n \t const struct net_device *in)\n {\n // in is NULL\n return skb->pkt_type == PACKET_LOOPBACK ||\n \t in->flags & IFF_LOOPBACK;\n }", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40957" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40958", + "dataSource": "https://ubuntu.com/security/CVE-2024-40958", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40958" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40958", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40958", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef", + "https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b", + "https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55", + "https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b", + "https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940", + "https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876", + "https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetns: Make get_net_ns() handle zero refcount net\n\nSyzkaller hit a warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0\nModules linked in:\nCPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xdf/0x1d0\nCode: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1\nRSP: 0018:ffff8881067b7da0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac\nRDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001\nRBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139\nR10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4\nR13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040\nFS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ? show_regs+0xa3/0xc0\n ? __warn+0xa5/0x1c0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? report_bug+0x1fc/0x2d0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? handle_bug+0xa1/0x110\n ? exc_invalid_op+0x3c/0xb0\n ? asm_exc_invalid_op+0x1f/0x30\n ? __warn_printk+0xcc/0x140\n ? __warn_printk+0xd5/0x140\n ? refcount_warn_saturate+0xdf/0x1d0\n get_net_ns+0xa4/0xc0\n ? __pfx_get_net_ns+0x10/0x10\n open_related_ns+0x5a/0x130\n __tun_chr_ioctl+0x1616/0x2370\n ? __sanitizer_cov_trace_switch+0x58/0xa0\n ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30\n ? __pfx_tun_chr_ioctl+0x10/0x10\n tun_chr_ioctl+0x2f/0x40\n __x64_sys_ioctl+0x11b/0x160\n x64_sys_call+0x1211/0x20d0\n do_syscall_64+0x9e/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5b28f165d7\nCode: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8\nRSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7\nRDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003\nRBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0\nR10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730\nR13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000\n \nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nThis is trigger as below:\n ns0 ns1\ntun_set_iff() //dev is tun0\n tun->dev = dev\n//ip link set tun0 netns ns1\n put_net() //ref is 0\n__tun_chr_ioctl() //TUNGETDEVNETNS\n net = dev_net(tun->dev);\n open_related_ns(&net->ns, get_net_ns); //ns1\n get_net_ns()\n get_net() //addition on 0\n\nUse maybe_get_net() in get_net_ns in case net's ref is zero to fix this", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40958" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40959", + "dataSource": "https://ubuntu.com/security/CVE-2024-40959", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40959" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40959", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40959", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/20427b85781aca0ad072851f6907a3d4b2fed8d1", + "https://git.kernel.org/stable/c/600a62b4232ac027f788c3ca395bc2333adeaacf", + "https://git.kernel.org/stable/c/83c02fb2cc0afee5bb53cddf3f34f045f654ad6a", + "https://git.kernel.org/stable/c/9f30f1f1a51d91e19f5a09236bb0b59e6a07ad08", + "https://git.kernel.org/stable/c/c71761292d4d002a8eccb57b86792c4e3b3eb3c7", + "https://git.kernel.org/stable/c/caf0bec84c62fb1cf6f7c9f0e8c857c87f8adbc3", + "https://git.kernel.org/stable/c/d46401052c2d5614da8efea5788532f0401cb164", + "https://git.kernel.org/stable/c/f897d7171652fcfc76d042bfec798b010ee89e41" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()\n\nip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.\n\nsyzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: wg-kex-wg1 wg_packet_handshake_send_worker\n RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64\nCode: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00\nRSP: 0018:ffffc90000117378 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7\nRDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98\nRBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000\nR10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]\n xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]\n xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541\n xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835\n xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]\n xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201\n xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]\n xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309\n ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256\n send6+0x611/0xd20 drivers/net/wireguard/socket.c:139\n wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178\n wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200\n wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40\n wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40959" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40960", + "dataSource": "https://ubuntu.com/security/CVE-2024-40960", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40960" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40960", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40960", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1ed9849fdf9a1a617129346b11d2094ca26828dc", + "https://git.kernel.org/stable/c/51ee2f7c30790799d0ec30c0ce0c743e58f046f2", + "https://git.kernel.org/stable/c/569c9d9ea6648d099187527b93982f406ddcebc0", + "https://git.kernel.org/stable/c/6eed6d3cd19ff3cfa83aeceed86da14abaf7417b", + "https://git.kernel.org/stable/c/73e7c8ca6ad76f29b2c99c20845a6f3b203ff0c6", + "https://git.kernel.org/stable/c/b86762dbe19a62e785c189f313cda5b989931f37", + "https://git.kernel.org/stable/c/d66fc4826127c82f99c4033380f8e93833d331c7", + "https://git.kernel.org/stable/c/f0cda984e4e634b221dbf9642b8ecc5b4806b41e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL dereference in rt6_probe()\n\nsyzbot caught a NULL dereference in rt6_probe() [1]\n\nBail out if __in6_dev_get() returns NULL.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]\nCPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]\n RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758\nCode: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19\nRSP: 0018:ffffc900034af070 EFLAGS: 00010203\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000\nRDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c\nRBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a\nR13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000\nFS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784\n nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496\n __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825\n find_rr_leaf net/ipv6/route.c:853 [inline]\n rt6_select net/ipv6/route.c:897 [inline]\n fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195\n ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231\n pol_lookup_func include/net/ip6_fib.h:616 [inline]\n fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121\n ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]\n ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651\n ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147\n ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250\n rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898\n inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n sock_write_iter+0x4b8/0x5c0 net/socket.c:1160\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x6b6/0x1140 fs/read_write.c:590\n ksys_write+0x1f8/0x260 fs/read_write.c:643\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40960" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40961", + "dataSource": "https://ubuntu.com/security/CVE-2024-40961", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40961" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40961", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40961", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2eab4543a2204092c3a7af81d7d6c506e59a03a6", + "https://git.kernel.org/stable/c/3200ffeec4d59aad5bc9ca75d2c1fae47c0aeade", + "https://git.kernel.org/stable/c/4cdfe813015d5a24586bd0a84fa0fa6eb0a1f668", + "https://git.kernel.org/stable/c/88b9a55e2e35ea846d41f4efdc29d23345bd1aa4", + "https://git.kernel.org/stable/c/ae8d3d39efe366c2198f530e01e4bf07830bf403", + "https://git.kernel.org/stable/c/b6947723c9eabcab58cfb33cdb0a565a6aee6727", + "https://git.kernel.org/stable/c/de5ad4d45cd0128a2a37555f48ab69aa19d78adc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL deref in fib6_nh_init()\n\nsyzbot reminds us that in6_dev_get() can return NULL.\n\nfib6_nh_init()\n ip6_validate_gw( &idev )\n ip6_route_check_nh( idev )\n *idev = in6_dev_get(dev); // can be NULL\n\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606\nCode: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b\nRSP: 0018:ffffc900032775a0 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8\nRBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000\nR10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8\nR13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000\nFS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809\n ip6_route_add+0x28/0x160 net/ipv6/route.c:3853\n ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483\n inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f940f07cea9", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40961" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40963", + "dataSource": "https://ubuntu.com/security/CVE-2024-40963", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40963" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40963", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40963", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10afe5f7d30f6fe50c2b1177549d0e04921fc373", + "https://git.kernel.org/stable/c/2cd4854ef14a487bcfb76c7980675980cad27b52", + "https://git.kernel.org/stable/c/36d771ce6028b886e18a4a8956a5d23688e4e13d", + "https://git.kernel.org/stable/c/6c0f6ccd939166f56a904c792d7fcadae43b9085", + "https://git.kernel.org/stable/c/89167072fd249e5f23ae2f8093f87da5925cef27", + "https://git.kernel.org/stable/c/ce5cdd3b05216b704a704f466fb4c2dff3778caf", + "https://git.kernel.org/stable/c/da895fd6da438af8d9326b8f02d715a9c76c3b5b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: bmips: BCM6358: make sure CBR is correctly set\n\nIt was discovered that some device have CBR address set to 0 causing\nkernel panic when arch_sync_dma_for_cpu_all is called.\n\nThis was notice in situation where the system is booted from TP1 and\nBMIPS_GET_CBR() returns 0 instead of a valid address and\n!!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.\n\nThe current check whether RAC flush should be disabled or not are not\nenough hence lets check if CBR is a valid address or not.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40963" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40965", + "dataSource": "https://ubuntu.com/security/CVE-2024-40965", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40965" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40965", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40965", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b42e9587a7a9c7b824e0feb92958f258263963e", + "https://git.kernel.org/stable/c/4268254a39484fc11ba991ae148bacbe75d9cc0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: lpi2c: Avoid calling clk_get_rate during transfer\n\nInstead of repeatedly calling clk_get_rate for each transfer, lock\nthe clock rate and cache the value.\nA deadlock has been observed while adding tlv320aic32x4 audio codec to\nthe system. When this clock provider adds its clock, the clk mutex is\nlocked already, it needs to access i2c, which in return needs the mutex\nfor clk_get_rate as well.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40965" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40966", + "dataSource": "https://ubuntu.com/security/CVE-2024-40966", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40966" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40966", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40966", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/287b569a5b914903ba7c438a3c0dbc3410ebb409", + "https://git.kernel.org/stable/c/3c6332f3bb1578b5b10ac2561247b1d6272ae937", + "https://git.kernel.org/stable/c/5920ac19964f9e20181f63b410d9200ddbf8dc86", + "https://git.kernel.org/stable/c/6bd23e0c2bb6c65d4f5754d1456bc9a4427fc59b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: add the option to have a tty reject a new ldisc\n\n... and use it to limit the virtual terminals to just N_TTY. They are\nkind of special, and in particular, the \"con_write()\" routine violates\nthe \"writes cannot sleep\" rule that some ldiscs rely on.\n\nThis avoids the\n\n BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659\n\nwhen N_GSM has been attached to a virtual console, and gsmld_write()\ncalls con_write() while holding a spinlock, and con_write() then tries\nto get the console lock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40966" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40967", + "dataSource": "https://ubuntu.com/security/CVE-2024-40967", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40967" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40967", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40967", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/53b2c95547427c358f45515a9f144efee95e3701", + "https://git.kernel.org/stable/c/7f2b9ab6d0b26f16cd38dd9fd91d51899635f7c7", + "https://git.kernel.org/stable/c/7f9e70c68b7ace0141fe3bc94bf7b61296b71916", + "https://git.kernel.org/stable/c/982ae3376c4c91590d38dc8a676c10f7df048a44", + "https://git.kernel.org/stable/c/e533e4c62e9993e62e947ae9bbec34e4c7ae81c2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: imx: Introduce timeout when waiting on transmitter empty\n\nBy waiting at most 1 second for USR2_TXDC to be set, we avoid a potential\ndeadlock.\n\nIn case of the timeout, there is not much we can do, so we simply ignore\nthe transmitter state and optimistically try to continue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40967" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40968", + "dataSource": "https://ubuntu.com/security/CVE-2024-40968", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40968" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40968", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40968", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c33fd17383f48f679186c54df78542106deeaa0", + "https://git.kernel.org/stable/c/25998f5613159fe35920dbd484fcac7ea3ad0799", + "https://git.kernel.org/stable/c/29b83a64df3b42c88c0338696feb6fdcd7f1f3b7", + "https://git.kernel.org/stable/c/38d647d509543e9434b3cc470b914348be271fe9", + "https://git.kernel.org/stable/c/64845ac64819683ad5e51b668b2ed56ee3386aee", + "https://git.kernel.org/stable/c/6bff05aaa32c2f7e1f6e68e890876642159db419", + "https://git.kernel.org/stable/c/6c1b9fe148a4e03bbfa234267ebb89f35285814a", + "https://git.kernel.org/stable/c/d996deb80398a90dd3c03590e68dad543da87d62" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: Octeon: Add PCIe link status check\n\nThe standard PCIe configuration read-write interface is used to\naccess the configuration space of the peripheral PCIe devices\nof the mips processor after the PCIe link surprise down, it can\ngenerate kernel panic caused by \"Data bus error\". So it is\nnecessary to add PCIe link status check for system protection.\nWhen the PCIe link is down or in training, assigning a value\nof 0 to the configuration address can prevent read-write behavior\nto the configuration space of peripheral PCIe devices, thereby\npreventing kernel panic.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40968" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40969", + "dataSource": "https://ubuntu.com/security/CVE-2024-40969", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40969" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40969", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40969", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a", + "https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7", + "https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: don't set RO when shutting down f2fs\n\nShutdown does not check the error of thaw_super due to readonly, which\ncauses a deadlock like below.\n\nf2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread\n - bdev_freeze\n - freeze_super\n - f2fs_stop_checkpoint()\n - f2fs_handle_critical_error - sb_start_write\n - set RO - waiting\n - bdev_thaw\n - thaw_super_locked\n - return -EINVAL, if sb_rdonly()\n - f2fs_stop_discard_thread\n -> wait for kthread_stop(discard_thread);", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40969" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40970", + "dataSource": "https://ubuntu.com/security/CVE-2024-40970", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40970" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40970", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40970", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/333e11bf47fa8d477db90e2900b1ed3c9ae9b697", + "https://git.kernel.org/stable/c/7c3bb96a20cd8db3b8824b2ff08b6cde4505c7e5", + "https://git.kernel.org/stable/c/9004784e8d68bcd1ac1376407ba296fa28f04dbe", + "https://git.kernel.org/stable/c/dd42570018f5962c10f215ad9c21274ed5d3541e", + "https://git.kernel.org/stable/c/e151ae1ee065cf4b8ce4394ddb9d9c8df6370c66" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nAvoid hw_desc array overrun in dw-axi-dmac\n\nI have a use case where nr_buffers = 3 and in which each descriptor is composed by 3\nsegments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()\nhandles the hw_desc considering the descs_allocated, this scenario would result in a\nkernel panic (hw_desc array will be overrun).\n\nTo fix this, the proposal is to add a new member to the axi_dma_desc structure,\nwhere we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in\naxi_desc_put() to handle the hw_desc array correctly.\n\nAdditionally I propose to remove the axi_chan_start_first_queued() call after completing\nthe transfer, since it was identified that unbalance can occur (started descriptors can\nbe interrupted and transfer ignored due to DMA channel not being enabled).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40970" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40971", + "dataSource": "https://ubuntu.com/security/CVE-2024-40971", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40971" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40971", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40971", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/38a82c8d00638bb642bef787eb1d5e0e4d3b7d71", + "https://git.kernel.org/stable/c/724429db09e21ee153fef35e34342279d33df6ae", + "https://git.kernel.org/stable/c/a9cea0489c562c97cd56bb345e78939f9909e7f4", + "https://git.kernel.org/stable/c/ac5eecf481c29942eb9a862e758c0c8b68090c33", + "https://git.kernel.org/stable/c/ae39c8ec4250d2a35ddaab1c40faacfec306ff66", + "https://git.kernel.org/stable/c/eddeb8d941d5be11a9da5637dbe81ac37e8449a2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: remove clear SB_INLINECRYPT flag in default_options\n\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\nIf create new file or open file during this gap, these files\nwill not use inlinecrypt. Worse case, it may lead to data\ncorruption if wrappedkey_v0 is enable.\n\nThread A: Thread B:\n\n-f2fs_remount\t\t\t\t-f2fs_file_open or f2fs_new_inode\n -default_options\n\t<- clear SB_INLINECRYPT flag\n\n -fscrypt_select_encryption_impl\n\n -parse_options\n\t<- set SB_INLINECRYPT again", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40971" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40972", + "dataSource": "https://ubuntu.com/security/CVE-2024-40972", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40972" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40972", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40972", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a46ef234756dca04623b7591e8ebb3440622f0b", + "https://git.kernel.org/stable/c/111103907234bffd0a34fba070ad9367de058752", + "https://git.kernel.org/stable/c/737fb7853acd5bc8984f6f42e4bfba3334be8ae1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: do not create EA inode under buffer lock\n\next4_xattr_set_entry() creates new EA inodes while holding buffer lock\non the external xattr block. This is problematic as it nests all the\nallocation locking (which acquires locks on other buffers) under the\nbuffer lock. This can even deadlock when the filesystem is corrupted and\ne.g. quota file is setup to contain xattr block as data block. Move the\nallocation of EA inode out of ext4_xattr_set_entry() into the callers.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40972" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40973", + "dataSource": "https://ubuntu.com/security/CVE-2024-40973", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40973" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40973", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40973", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3a693c7e243b932faee5c1fb728efa73f0abc39b", + "https://git.kernel.org/stable/c/53dbe08504442dc7ba4865c09b3bbf5fe849681b", + "https://git.kernel.org/stable/c/f066882293b5ad359e44c4ed24ab1811ffb0b354" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-vcodec: potential null pointer deference in SCP\n\nThe return value of devm_kzalloc() needs to be checked to avoid\nNULL pointer deference. This is similar to CVE-2022-3113.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40973" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40974", + "dataSource": "https://ubuntu.com/security/CVE-2024-40974", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40974" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40974", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40974", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19c166ee42cf16d8b156a6cb4544122d9a65d3ca", + "https://git.kernel.org/stable/c/262e942ff5a839b9e4f3302a8987928b0c8b8a2d", + "https://git.kernel.org/stable/c/3ad0034910a57aa88ed9976b1431b7b8c84e0048", + "https://git.kernel.org/stable/c/8aa11aa001576bf3b00dcb8559564ad7a3113588", + "https://git.kernel.org/stable/c/a8c988d752b3d98d5cc1e3929c519a55ef55426c", + "https://git.kernel.org/stable/c/aa6107dcc4ce9a3451f2d729204713783b657257", + "https://git.kernel.org/stable/c/acf2b80c31c37acab040baa3cf5f19fbd5140b18", + "https://git.kernel.org/stable/c/ff2e185cf73df480ec69675936c4ee75a445c3e4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Enforce hcall result buffer validity and size\n\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\nprovide valid result buffers of certain minimum size. Currently this\nis communicated only through comments in the code and the compiler has\nno idea.\n\nFor example, if I write a bug like this:\n\n long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\n plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\n\nThis compiles with no diagnostics emitted, but likely results in stack\ncorruption at runtime when plpar_hcall9() stores results past the end\nof the array. (To be clear this is a contrived example and I have not\nfound a real instance yet.)\n\nTo make this class of error less likely, we can use explicitly-sized\narray parameters instead of pointers in the declarations for the hcall\nAPIs. When compiled with -Warray-bounds[1], the code above now\nprovokes a diagnostic like this:\n\nerror: array argument is too small;\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\n 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\n | ^ ~~~~~~\n\n[1] Enabled for LLVM builds but not GCC for now. See commit\n 0da6e5fd6c37 (\"gcc: disable '-Warray-bounds' for gcc-13 too\") and\n related changes.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40974" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40975", + "dataSource": "https://ubuntu.com/security/CVE-2024-40975", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40975" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40975", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40975", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3de0f2627ef849735f155c1818247f58404dddfe", + "https://git.kernel.org/stable/c/f0c982853d665597d17e4995ff479fbbf79a9cf6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: x86-android-tablets: Unregister devices in reverse order\n\nNot all subsystems support a device getting removed while there are\nstill consumers of the device with a reference to the device.\n\nOne example of this is the regulator subsystem. If a regulator gets\nunregistered while there are still drivers holding a reference\na WARN() at drivers/regulator/core.c:5829 triggers, e.g.:\n\n WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister\n Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015\n RIP: 0010:regulator_unregister\n Call Trace:\n \n regulator_unregister\n devres_release_group\n i2c_device_remove\n device_release_driver_internal\n bus_remove_device\n device_del\n device_unregister\n x86_android_tablet_remove\n\nOn the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides\na 5V boost converter output for powering USB devices connected to the micro\nUSB port, the bq24190-charger driver exports this as a Vbus regulator.\n\nOn the 830 (8\") and 1050 (\"10\") models this regulator is controlled by\na platform_device and x86_android_tablet_remove() removes platform_device-s\nbefore i2c_clients so the consumer gets removed first.\n\nBut on the 1380 (13\") model there is a lc824206xa micro-USB switch\nconnected over I2C and the extcon driver for that controls the regulator.\nThe bq24190 i2c-client *must* be registered first, because that creates\nthe regulator with the lc824206xa listed as its consumer. If the regulator\nhas not been registered yet the lc824206xa driver will end up getting\na dummy regulator.\n\nSince in this case both the regulator provider and consumer are I2C\ndevices, the only way to ensure that the consumer is unregistered first\nis to unregister the I2C devices in reverse order of in which they were\ncreated.\n\nFor consistency and to avoid similar problems in the future change\nx86_android_tablet_remove() to unregister all device types in reverse\norder.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40975" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40976", + "dataSource": "https://ubuntu.com/security/CVE-2024-40976", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40976" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40976", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40976", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a", + "https://git.kernel.org/stable/c/58bfd311c93d66d8282bf21ebbf35cc3bb8ad9db", + "https://git.kernel.org/stable/c/70aa1f2dec46b6fdb5f6b9f37b6bfa4a4dee0d3a", + "https://git.kernel.org/stable/c/9fd8ddd23793a50dbcd11c6ba51f437f1ea7d344", + "https://git.kernel.org/stable/c/a421cc7a6a001b70415aa4f66024fa6178885a14", + "https://git.kernel.org/stable/c/bdbc4ca77f5eaac15de7230814253cddfed273b1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: mask irqs in timeout path before hard reset\n\nThere is a race condition in which a rendering job might take just long\nenough to trigger the drm sched job timeout handler but also still\ncomplete before the hard reset is done by the timeout handler.\nThis runs into race conditions not expected by the timeout handler.\nIn some very specific cases it currently may result in a refcount\nimbalance on lima_pm_idle, with a stack dump such as:\n\n[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669628] Call trace:\n[10136.669634] lima_devfreq_record_idle+0xa0/0xb0\n[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0\n[10136.669656] lima_gp_irq_handler+0xa8/0x120\n[10136.669666] __handle_irq_event_percpu+0x48/0x160\n[10136.669679] handle_irq_event+0x4c/0xc0\n\nWe can prevent that race condition entirely by masking the irqs at the\nbeginning of the timeout handler, at which point we give up on waiting\nfor that job entirely.\nThe irqs will be enabled again at the next hard reset which is already\ndone as a recovery by the timeout handler.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40976" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40977", + "dataSource": "https://ubuntu.com/security/CVE-2024-40977", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40977" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40977", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40977", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0b81faa05b0b9feb3ae2d69be1d21f0d126ecb08", + "https://git.kernel.org/stable/c/85edd783f4539a994d66c4c014d5858f490b7a02", + "https://git.kernel.org/stable/c/e974dd4c22a23ec3ce579fb6d31a674ac0435da9", + "https://git.kernel.org/stable/c/ecf0b2b8a37c8464186620bef37812a117ff6366" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921s: fix potential hung tasks during chip recovery\n\nDuring chip recovery (e.g. chip reset), there is a possible situation that\nkernel worker reset_work is holding the lock and waiting for kernel thread\nstat_worker to be parked, while stat_worker is waiting for the release of\nthe same lock.\nIt causes a deadlock resulting in the dumping of hung tasks messages and\npossible rebooting of the device.\n\nThis patch prevents the execution of stat_worker during the chip recovery.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40977" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40978", + "dataSource": "https://ubuntu.com/security/CVE-2024-40978", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40978" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40978", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40978", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/144d76a676b630e321556965011b00e2de0b40a7", + "https://git.kernel.org/stable/c/21c963de2e86e88f6a8ca556bcebb8e62ab8e901", + "https://git.kernel.org/stable/c/28027ec8e32ecbadcd67623edb290dad61e735b5", + "https://git.kernel.org/stable/c/397a8990c377ee4b61d6df768e61dff9e316d46b", + "https://git.kernel.org/stable/c/56bec63a7fc87ad50b3373a87517dc9770eef9e0", + "https://git.kernel.org/stable/c/e2f433ea7d0ff77998766a088a287337fb43ad75", + "https://git.kernel.org/stable/c/eaddb86637669f6bad89245ee63f8fb2bfb50241", + "https://git.kernel.org/stable/c/fa85b016a56b9775a3fe41e5d26e666945963b46" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedi: Fix crash while reading debugfs attribute\n\nThe qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly\non a __user pointer, which results into the crash.\n\nTo fix this issue, use a small local stack buffer for sprintf() and then\ncall simple_read_from_buffer(), which in turns make the copy_to_user()\ncall.\n\nBUG: unable to handle page fault for address: 00007f4801111000\nPGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0\nOops: 0002 [#1] PREEMPT SMP PTI\nHardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023\nRIP: 0010:memcpy_orig+0xcd/0x130\nRSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202\nRAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f\nRDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000\nRBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572\nR10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff\nR13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af\nFS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? __die_body+0x1a/0x60\n ? page_fault_oops+0x183/0x510\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? memcpy_orig+0xcd/0x130\n vsnprintf+0x102/0x4c0\n sprintf+0x51/0x80\n qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]\n full_proxy_read+0x50/0x80\n vfs_read+0xa5/0x2e0\n ? folio_add_new_anon_rmap+0x44/0xa0\n ? set_pte_at+0x15/0x30\n ? do_pte_missing+0x426/0x7f0\n ksys_read+0xa5/0xe0\n do_syscall_64+0x58/0x80\n ? __count_memcg_events+0x46/0x90\n ? count_memcg_event_mm+0x3d/0x60\n ? handle_mm_fault+0x196/0x2f0\n ? do_user_addr_fault+0x267/0x890\n ? exc_page_fault+0x69/0x150\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4800f20b4d", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40978" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40979", + "dataSource": "https://ubuntu.com/security/CVE-2024-40979", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40979" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40979", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40979", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/303c017821d88ebad887814114d4e5966d320b28", + "https://git.kernel.org/stable/c/bb50a4e711ff95348ad53641acb1306d89eb4c3a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix kernel crash during resume\n\nCurrently during resume, QMI target memory is not properly handled, resulting\nin kernel crash in case DMA remap is not supported:\n\nBUG: Bad page state in process kworker/u16:54 pfn:36e80\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80\npage dumped because: nonzero _refcount\nCall Trace:\n bad_page\n free_page_is_bad_report\n __free_pages_ok\n __free_pages\n dma_direct_free\n dma_free_attrs\n ath12k_qmi_free_target_mem_chunk\n ath12k_qmi_msg_mem_request_cb\n\nThe reason is:\nOnce ath12k module is loaded, firmware sends memory request to host. In case\nDMA remap not supported, ath12k refuses the first request due to failure in\nallocating with large segment size:\n\nath12k_pci 0000:04:00.0: qmi firmware request memory request\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144\nath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size\nath12k_pci 0000:04:00.0: qmi delays mem_request 2\nath12k_pci 0000:04:00.0: qmi firmware request memory request\n\nLater firmware comes back with more but small segments and allocation\nsucceeds:\n\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\n\nNow ath12k is working. If suspend is triggered, firmware will be reloaded\nduring resume. As same as before, firmware requests two large segments at\nfirst. In ath12k_qmi_msg_mem_request_cb() segment count and size are\nassigned:\n\n\tab->qmi.mem_seg_count == 2\n\tab->qmi.target_mem[0].size == 7077888\n\tab->qmi.target_mem[1].size == 8454144\n\nThen allocation failed like before and ath12k_qmi_free_target_mem_chunk()\nis called to free all allocated segments. Note the first segment is skipped\nbecause its v.addr is cleared due to allocation failure:\n\n\tchunk->v.addr = dma_alloc_coherent()\n\nAlso note that this leaks that segment because it has not been freed.\n\nWhile freeing the second segment, a size of 8454144 is passed to\ndma_free_coherent(). However remember that this segment is allocated at\nthe first time firmware is loaded, before suspend. So its real size is\n524288, much smaller than 8454144. As a result kernel found we are freeing\nsome memory which is in use and thus cras\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40979" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40980", + "dataSource": "https://ubuntu.com/security/CVE-2024-40980", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40980" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40980", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40980", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e", + "https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334", + "https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0", + "https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5", + "https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac", + "https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195", + "https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: replace spin_lock by raw_spin_lock\n\ntrace_drop_common() is called with preemption disabled, and it acquires\na spin_lock. This is problematic for RT kernels because spin_locks are\nsleeping locks in this configuration, which causes the following splat:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n5 locks held by rcuc/47/449:\n #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210\n #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130\n #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210\n #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70\n #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290\nirq event stamp: 139909\nhardirqs last enabled at (139908): [] _raw_spin_unlock_irqrestore+0x63/0x80\nhardirqs last disabled at (139909): [] trace_drop_common.constprop.0+0x26d/0x290\nsoftirqs last enabled at (139892): [] __local_bh_enable_ip+0x103/0x170\nsoftirqs last disabled at (139898): [] rcu_cpu_kthread+0x93/0x1f0\nPreemption disabled at:\n[] rt_mutex_slowunlock+0xab/0x2e0\nCPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7\nHardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022\nCall Trace:\n \n dump_stack_lvl+0x8c/0xd0\n dump_stack+0x14/0x20\n __might_resched+0x21e/0x2f0\n rt_spin_lock+0x5e/0x130\n ? trace_drop_common.constprop.0+0xb5/0x290\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_drop_common.constprop.0+0xb5/0x290\n ? preempt_count_sub+0x1c/0xd0\n ? _raw_spin_unlock_irqrestore+0x4a/0x80\n ? __pfx_trace_drop_common.constprop.0+0x10/0x10\n ? rt_mutex_slowunlock+0x26a/0x2e0\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_rt_mutex_slowunlock+0x10/0x10\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_kfree_skb_hit+0x15/0x20\n trace_kfree_skb+0xe9/0x150\n kfree_skb_reason+0x7b/0x110\n skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10\n ? mark_lock.part.0+0x8a/0x520\n...\n\ntrace_drop_common() also disables interrupts, but this is a minor issue\nbecause we could easily replace it with a local_lock.\n\nReplace the spin_lock with raw_spin_lock to avoid sleeping in atomic\ncontext.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40980" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40981", + "dataSource": "https://ubuntu.com/security/CVE-2024-40981", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40981" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40981", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40981", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/154e3f862ba33675cf3f4abf0a0a309a89df87d2", + "https://git.kernel.org/stable/c/2685008a5f9a636434a8508419cee8158a2f52c8", + "https://git.kernel.org/stable/c/40dc8ab605894acae1473e434944924a22cfaaa0", + "https://git.kernel.org/stable/c/79636f636126775436a11ee9cf00a9253a33ac11", + "https://git.kernel.org/stable/c/82cdea8f3af1e36543c937df963d108c60bea030", + "https://git.kernel.org/stable/c/92176caf9896572f00e741a93cecc0ef1172da07", + "https://git.kernel.org/stable/c/ae7f3cffe86aea3da0e8e079525a1ae619b8862a", + "https://git.kernel.org/stable/c/fed7914858a1f1f3e6350bb0f620d6ef15107d16" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bypass empty buckets in batadv_purge_orig_ref()\n\nMany syzbot reports are pointing to soft lockups in\nbatadv_purge_orig_ref() [1]\n\nRoot cause is unknown, but we can avoid spending too much\ntime there and perhaps get more interesting reports.\n\n[1]\n\nwatchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]\nModules linked in:\nirq event stamp: 6182794\n hardirqs last enabled at (6182793): [] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\n hardirqs last disabled at (6182794): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (6182794): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last enabled at (6182792): [] spin_unlock_bh include/linux/spinlock.h:396 [inline]\n softirqs last enabled at (6182792): [] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n softirqs last disabled at (6182790): [] spin_lock_bh include/linux/spinlock.h:356 [inline]\n softirqs last disabled at (6182790): [] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271\nCPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_purge_orig\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]\n pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388\n lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\nsp : ffff800099007970\nx29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000\nx26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001\nx23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4\nx20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0\nx17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001\nx14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003\nx11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000\nCall trace:\n __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]\n arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]\n __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n kthread+0x288/0x310 kernel/kthread.c:388\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51\n lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103\nsp : ffff800093a17d30\nx29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4\nx26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002\nx23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000\nx20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396\nx17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40981" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40982", + "dataSource": "https://ubuntu.com/security/CVE-2024-40982", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40982" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40982", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40982", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/789c17185fb0f39560496c2beab9b57ce1d0cbe7", + "https://git.kernel.org/stable/c/7d43c8377c6fc846b1812f8df360425c9323dc56", + "https://git.kernel.org/stable/c/c5dc2d8eb3981bae261ea7d1060a80868e886813" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nssb: Fix potential NULL pointer dereference in ssb_device_uevent()\n\nThe ssb_device_uevent() function first attempts to convert the 'dev' pointer\nto 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before\nperforming the NULL check, potentially leading to a NULL pointer\ndereference if 'dev' is NULL.\n\nTo fix this issue, move the NULL check before dereferencing the 'dev' pointer,\nensuring that the pointer is valid before attempting to use it.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40982" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40983", + "dataSource": "https://ubuntu.com/security/CVE-2024-40983", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40983" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40983", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40983", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2ebe8f840c7450ecbfca9d18ac92e9ce9155e269", + "https://git.kernel.org/stable/c/3eb1b39627892c4e26cb0162b75725aa5fcc60c8", + "https://git.kernel.org/stable/c/623c90d86a61e3780f682b32928af469c66ec4c2", + "https://git.kernel.org/stable/c/6808b41371670c51feea14f63ade211e78100930", + "https://git.kernel.org/stable/c/692803b39a36e63ac73208e0a3769ae6a2f9bc76", + "https://git.kernel.org/stable/c/b57a4a2dc8746cea58a922ebe31b6aa629d69d93" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: force a dst refcount before doing decryption\n\nAs it says in commit 3bc07321ccc2 (\"xfrm: Force a dst refcount before\nentering the xfrm type handlers\"):\n\n\"Crypto requests might return asynchronous. In this case we leave the\n rcu protected region, so force a refcount on the skb's destination\n entry before we enter the xfrm type input/output handlers.\"\n\nOn TIPC decryption path it has the same problem, and skb_dst_force()\nshould be called before doing decryption to avoid a possible crash.\n\nShuang reported this issue when this warning is triggered:\n\n [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug\n [] Workqueue: crypto cryptd_queue_worker\n [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Call Trace:\n [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]\n [] tipc_rcv+0xcf5/0x1060 [tipc]\n [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]\n [] cryptd_aead_crypt+0xdb/0x190\n [] cryptd_queue_worker+0xed/0x190\n [] process_one_work+0x93d/0x17e0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40983" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40984", + "dataSource": "https://ubuntu.com/security/CVE-2024-40984", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40984" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40984", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40984", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/434c6b924e1f4c219aab2d9e05fe79c5364e37d3", + "https://git.kernel.org/stable/c/435ecc978c3d5d0c4e172ec5b956dc1904061d98", + "https://git.kernel.org/stable/c/6eca23100e9030725f69c1babacd58803f29ec8d", + "https://git.kernel.org/stable/c/a83e1385b780d41307433ddbc86e3c528db031f0", + "https://git.kernel.org/stable/c/ae465109d82f4fb03c5adbe85f2d6a6a3d59124c", + "https://git.kernel.org/stable/c/dc5017c57f5eee80020c73ff8b67ba7f9fd08b1f", + "https://git.kernel.org/stable/c/ddc1f5f124479360a1fd43f73be950781d172239", + "https://git.kernel.org/stable/c/e21a4c9129c72fa54dd00f5ebf71219b41d43c04" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\"\n\nUndo the modifications made in commit d410ee5109a1 (\"ACPICA: avoid\n\"Info: mapping multiple BARs. Your kernel is fine.\"\"). The initial\npurpose of this commit was to stop memory mappings for operation\nregions from overlapping page boundaries, as it can trigger warnings\nif different page attributes are present.\n\nHowever, it was found that when this situation arises, mapping\ncontinues until the boundary's end, but there is still an attempt to\nread/write the entire length of the map, leading to a NULL pointer\ndeference. For example, if a four-byte mapping request is made but\nonly one byte is mapped because it hits the current page boundary's\nend, a four-byte read/write attempt is still made, resulting in a NULL\npointer deference.\n\nInstead, map the entire length, as the ACPI specification does not\nmandate that it must be within the same page boundary. It is\npermissible for it to be mapped across different regions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40984" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40987", + "dataSource": "https://ubuntu.com/security/CVE-2024-40987", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40987" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40987", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40987", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c44f7759a5650acf8f13d3e0a184d09e03be9e4", + "https://git.kernel.org/stable/c/4ad7d49059358ceadd352b4e2511425bdb68f400", + "https://git.kernel.org/stable/c/4d020c1dbd2b2304f44d003e6de956ae570049dc", + "https://git.kernel.org/stable/c/b065d79ed06a0bb4377bc6dcc2ff0cb1f55a798f", + "https://git.kernel.org/stable/c/b0d612619ed70cab476c77b19e00d13aa414e14f", + "https://git.kernel.org/stable/c/d8a04a6bfa75251ba7bcc3651ed211e82f13f388", + "https://git.kernel.org/stable/c/f0d576f840153392d04b2d52cf3adab8f62e8cb6", + "https://git.kernel.org/stable/c/fc5cb952e6723c5c55e47b8cf94a891bd4af1a86" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40987" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40988", + "dataSource": "https://ubuntu.com/security/CVE-2024-40988", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40988" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40988", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40988", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/07e8f15fa16695cf4c90e89854e59af4a760055b", + "https://git.kernel.org/stable/c/468a50fd46a09bba7ba18a11054ae64b6479ecdc", + "https://git.kernel.org/stable/c/9e57611182a817824a17b1c3dd300ee74a174b42", + "https://git.kernel.org/stable/c/a498df5421fd737d11bfd152428ba6b1c8538321", + "https://git.kernel.org/stable/c/a8c6df9fe5bc390645d1e96eff14ffe414951aad", + "https://git.kernel.org/stable/c/cf1cc8fcfe517e108794fb711f7faabfca0dc855", + "https://git.kernel.org/stable/c/f803532bc3825384100dfc58873e035d77248447", + "https://git.kernel.org/stable/c/febe794b83693257f21a23d2e03ea695a62449c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40988" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40989", + "dataSource": "https://ubuntu.com/security/CVE-2024-40989", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40989" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40989", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40989", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8", + "https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76", + "https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c", + "https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\n\nWhen tearing down a redistributor region, make sure we don't have\nany dangling pointer to that region stored in a vcpu.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40989" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40990", + "dataSource": "https://ubuntu.com/security/CVE-2024-40990", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40990" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40990", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40990", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e692244bf7dd827dd72edc6c4a3b36ae572f03c", + "https://git.kernel.org/stable/c/36ab7ada64caf08f10ee5a114d39964d1f91e81d", + "https://git.kernel.org/stable/c/4ab99e3613139f026d2d8ba954819e2876120ab3", + "https://git.kernel.org/stable/c/7186b81c1f15e39069b1af172c6a951728ed3511", + "https://git.kernel.org/stable/c/999586418600b4b3b93c2a0edd3a4ca71ee759bf", + "https://git.kernel.org/stable/c/e0deb0e9c967b61420235f7f17a4450b4b4d6ce2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Add check for srq max_sge attribute\n\nmax_sge attribute is passed by the user, and is inserted and used\nunchecked, so verify that the value doesn't exceed maximum allowed value\nbefore using it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40990" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40994", + "dataSource": "https://ubuntu.com/security/CVE-2024-40994", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40994" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40994", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40994", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/4b03da87d0b7074c93d9662c6e1a8939f9b8b86e", + "https://git.kernel.org/stable/c/666e934d749e50a37f3796caaf843a605f115b6f", + "https://git.kernel.org/stable/c/81d23d2a24012e448f651e007fac2cfd20a45ce0", + "https://git.kernel.org/stable/c/d50d62d5e6ee6aa03c00bddb91745d0b632d3b0f", + "https://git.kernel.org/stable/c/e1fccfb4638ee6188377867f6015d0ce35764a8e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: fix integer overflow in max_vclocks_store\n\nOn 32bit systems, the \"4 * max\" multiply can overflow. Use kcalloc()\nto do the allocation to prevent this.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40994" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40995", + "dataSource": "https://ubuntu.com/security/CVE-2024-40995", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40995" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40995", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40995", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0d8a2d287c8a394c0d4653f0c6c7be4c688e5a74", + "https://git.kernel.org/stable/c/25987a97eec4d5f897cd04ee1b45170829c610da", + "https://git.kernel.org/stable/c/5f926aa96b08b6c47178fe1171e7ae331c695fc2", + "https://git.kernel.org/stable/c/6fc78d67f51aeb9a542d39a8714e16bc411582d4", + "https://git.kernel.org/stable/c/7a0e497b597df7c4cf2b63fc6e9188b6cabe5335", + "https://git.kernel.org/stable/c/c6a7da65a296745535a964be1019ec7691b0cb90", + "https://git.kernel.org/stable/c/d864319871b05fadd153e0aede4811ca7008f5d6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()\n\nsyzbot found hanging tasks waiting on rtnl_lock [1]\n\nA reproducer is available in the syzbot bug.\n\nWhen a request to add multiple actions with the same index is sent, the\nsecond request will block forever on the first request. This holds\nrtnl_lock, and causes tasks to hang.\n\nReturn -EAGAIN to prevent infinite looping, while keeping documented\nbehavior.\n\n[1]\n\nINFO: task kworker/1:0:5088 blocked for more than 143 seconds.\nNot tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000\nWorkqueue: events_power_efficient reg_check_chans_work\nCall Trace:\n\ncontext_switch kernel/sched/core.c:5409 [inline]\n__schedule+0xf15/0x5d00 kernel/sched/core.c:6746\n__schedule_loop kernel/sched/core.c:6823 [inline]\nschedule+0xe7/0x350 kernel/sched/core.c:6838\nschedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895\n__mutex_lock_common kernel/locking/mutex.c:684 [inline]\n__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752\nwiphy_lock include/net/cfg80211.h:5953 [inline]\nreg_leave_invalid_chans net/wireless/reg.c:2466 [inline]\nreg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40995" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40997", + "dataSource": "https://ubuntu.com/security/CVE-2024-40997", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40997" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40997", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40997", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd", + "https://git.kernel.org/stable/c/8015c17fe11a8608cc3eb83d0ab831e1845a9582", + "https://git.kernel.org/stable/c/cea04f3d9aeebda9d9c063c0dfa71e739c322c81" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: fix memory leak on CPU EPP exit\n\nThe cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is\nnot freed in the analogous exit function, so fix that.\n\n[ rjw: Subject and changelog edits ]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40997" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40998", + "dataSource": "https://ubuntu.com/security/CVE-2024-40998", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40998" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40998", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40998", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/23afcd52af06880c6c913a0ad99022b8937b575c", + "https://git.kernel.org/stable/c/645267906944a9aeec9d5c56ee24a9096a288798", + "https://git.kernel.org/stable/c/b4b4fda34e535756f9e774fb2d09c4537b7dfd1c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()\n\nIn the following concurrency we will access the uninitialized rs->lock:\n\next4_fill_super\n ext4_register_sysfs\n // sysfs registered msg_ratelimit_interval_ms\n // Other processes modify rs->interval to\n // non-zero via msg_ratelimit_interval_ms\n ext4_orphan_cleanup\n ext4_msg(sb, KERN_INFO, \"Errors on filesystem, \"\n __ext4_msg\n ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)\n if (!rs->interval) // do nothing if interval is 0\n return 1;\n raw_spin_trylock_irqsave(&rs->lock, flags)\n raw_spin_trylock(lock)\n _raw_spin_trylock\n __raw_spin_trylock\n spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)\n lock_acquire\n __lock_acquire\n register_lock_class\n assign_lock_key\n dump_stack();\n ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);\n raw_spin_lock_init(&rs->lock);\n // init rs->lock here\n\nand get the following dump_stack:\n\n=========================================================\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504\n[...]\nCall Trace:\n dump_stack_lvl+0xc5/0x170\n dump_stack+0x18/0x30\n register_lock_class+0x740/0x7c0\n __lock_acquire+0x69/0x13a0\n lock_acquire+0x120/0x450\n _raw_spin_trylock+0x98/0xd0\n ___ratelimit+0xf6/0x220\n __ext4_msg+0x7f/0x160 [ext4]\n ext4_orphan_cleanup+0x665/0x740 [ext4]\n __ext4_fill_super+0x21ea/0x2b10 [ext4]\n ext4_fill_super+0x14d/0x360 [ext4]\n[...]\n=========================================================\n\nNormally interval is 0 until s_msg_ratelimit_state is initialized, so\n___ratelimit() does nothing. But registering sysfs precedes initializing\nrs->lock, so it is possible to change rs->interval to a non-zero value\nvia the msg_ratelimit_interval_ms interface of sysfs while rs->lock is\nuninitialized, and then a call to ext4_msg triggers the problem by\naccessing an uninitialized rs->lock. Therefore register sysfs after all\ninitializations are complete to avoid such problems.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40998" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-40999", + "dataSource": "https://ubuntu.com/security/CVE-2024-40999", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-40999" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-40999", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-40999", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/42146ee5286f16f1674a84f7c274dcca65c6ff2e", + "https://git.kernel.org/stable/c/b37b98a3a0c1198bafe8c2d9ce0bc845b4e7a9a7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Add validation for completion descriptors consistency\n\nValidate that `first` flag is set only for the first\ndescriptor in multi-buffer packets.\nIn case of an invalid descriptor, a reset will occur.\nA new reset reason for RX data corruption has been added.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-40999" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41000", + "dataSource": "https://ubuntu.com/security/CVE-2024-41000", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Low", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41000" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41000", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41000", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/3220c90f4dbdc6d20d0608b164d964434a810d66", + "https://git.kernel.org/stable/c/54160fb1db2de367485f21e30196c42f7ee0be4e", + "https://git.kernel.org/stable/c/58706e482bf45c4db48b0c53aba2468c97adda24", + "https://git.kernel.org/stable/c/61ec76ec930709b7bcd69029ef1fe90491f20cf9", + "https://git.kernel.org/stable/c/ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9", + "https://git.kernel.org/stable/c/fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/ioctl: prefer different overflow check\n\nRunning syzkaller with the newly reintroduced signed integer overflow\nsanitizer shows this report:\n\n[ 62.982337] ------------[ cut here ]------------\n[ 62.985692] cgroup: Invalid name\n[ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46\n[ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1\n[ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'\n[ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1\n[ 62.999369] random: crng reseeded on system resumption\n[ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)\n[ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 63.000682] Call Trace:\n[ 63.000686] \n[ 63.000731] dump_stack_lvl+0x93/0xd0\n[ 63.000919] __get_user_pages+0x903/0xd30\n[ 63.001030] __gup_longterm_locked+0x153e/0x1ba0\n[ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50\n[ 63.001072] ? try_get_folio+0x29c/0x2d0\n[ 63.001083] internal_get_user_pages_fast+0x1119/0x1530\n[ 63.001109] iov_iter_extract_pages+0x23b/0x580\n[ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220\n[ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410\n[ 63.001297] __iomap_dio_rw+0xab4/0x1810\n[ 63.001316] iomap_dio_rw+0x45/0xa0\n[ 63.001328] ext4_file_write_iter+0xdde/0x1390\n[ 63.001372] vfs_write+0x599/0xbd0\n[ 63.001394] ksys_write+0xc8/0x190\n[ 63.001403] do_syscall_64+0xd4/0x1b0\n[ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60\n[ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77\n[ 63.001535] RIP: 0033:0x7f7fd3ebf539\n[ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\n[ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539\n[ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004\n[ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000\n[ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8\n...\n[ 63.018142] ---[ end trace ]---\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang; It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rework this overflow checking logic to not actually perform an\noverflow during the check itself, thus avoiding the UBSAN splat.\n\n[1]: https://github.com/llvm/llvm-project/pull/82432", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41000" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41001", + "dataSource": "https://ubuntu.com/security/CVE-2024-41001", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41001" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41001", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41001", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/55c22375cbaa24f77dd13f9ae0642915444a1227", + "https://git.kernel.org/stable/c/9e810bd995823786ea30543e480e8a573e5e5667", + "https://git.kernel.org/stable/c/a40e90d9304629002fb17200f7779823a81191d3", + "https://git.kernel.org/stable/c/c4ce0ab27646f4206a9eb502d6fe45cb080e1cae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/sqpoll: work around a potential audit memory leak\n\nkmemleak complains that there's a memory leak related to connect\nhandling:\n\nunreferenced object 0xffff0001093bdf00 (size 128):\ncomm \"iou-sqp-455\", pid 457, jiffies 4294894164\nhex dump (first 32 bytes):\n02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace (crc 2e481b1a):\n[<00000000c0a26af4>] kmemleak_alloc+0x30/0x38\n[<000000009c30bb45>] kmalloc_trace+0x228/0x358\n[<000000009da9d39f>] __audit_sockaddr+0xd0/0x138\n[<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8\n[<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4\n[<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48\n[<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4\n[<00000000d999b491>] ret_from_fork+0x10/0x20\n\nwhich can can happen if:\n\n1) The command type does something on the prep side that triggers an\n audit call.\n2) The thread hasn't done any operations before this that triggered\n an audit call inside ->issue(), where we have audit_uring_entry()\n and audit_uring_exit().\n\nWork around this by issuing a blanket NOP operation before the SQPOLL\ndoes anything.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41001" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41002", + "dataSource": "https://ubuntu.com/security/CVE-2024-41002", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41002" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41002", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41002", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/36810d2db3496bb8b4db7ccda666674a5efc7b47", + "https://git.kernel.org/stable/c/7c42ce556ff65995c8875c9ed64141c14238e7e6", + "https://git.kernel.org/stable/c/9f21886370db451b0fdc651f6e41550a1da70601", + "https://git.kernel.org/stable/c/a886bcb0f67d1e3d6b2da25b3519de59098200c2", + "https://git.kernel.org/stable/c/bba4250757b4ae1680fea435a358d8093f254094" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/sec - Fix memory leak for sec resource release\n\nThe AIV is one of the SEC resources. When releasing resources,\nit need to release the AIV resources at the same time.\nOtherwise, memory leakage occurs.\n\nThe aiv resource release is added to the sec resource release\nfunction.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41002" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41004", + "dataSource": "https://ubuntu.com/security/CVE-2024-41004", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Negligible", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41004" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41004", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41004", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/32ef4dc2b1caf5825c0cf50646479608311cafc3", + "https://git.kernel.org/stable/c/3572bd5689b0812b161b40279e39ca5b66d73e88", + "https://git.kernel.org/stable/c/55d5d08174366efe57ca9e79964828b20c626c45", + "https://git.kernel.org/stable/c/72a0199b361df2387018697b023fdcdd357449a9", + "https://git.kernel.org/stable/c/98a7bfc48fffe170a60d87a5cbb7cdddf08184c3", + "https://git.kernel.org/stable/c/a85bae262ccecc52a40c466ec067f6c915e0839d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Build event generation tests only as modules\n\nThe kprobes and synth event generation test modules add events and lock\n(get a reference) those event file reference in module init function,\nand unlock and delete it in module exit function. This is because those\nare designed for playing as modules.\n\nIf we make those modules as built-in, those events are left locked in the\nkernel, and never be removed. This causes kprobe event self-test failure\nas below.\n\n[ 97.349708] ------------[ cut here ]------------\n[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.357106] Modules linked in:\n[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14\n[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90\n[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286\n[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000\n[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68\n[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000\n[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000\n[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000\n[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0\n[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 97.391196] Call Trace:\n[ 97.391967] \n[ 97.392647] ? __warn+0xcc/0x180\n[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.395181] ? report_bug+0xbd/0x150\n[ 97.396234] ? handle_bug+0x3e/0x60\n[ 97.397311] ? exc_invalid_op+0x1a/0x50\n[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20\n[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20\n[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90\n[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480\n[ 97.403773] ? init_kprobe_trace+0x50/0x50\n[ 97.404972] do_one_initcall+0x112/0x240\n[ 97.406113] do_initcall_level+0x95/0xb0\n[ 97.407286] ? kernel_init+0x1a/0x1a0\n[ 97.408401] do_initcalls+0x3f/0x70\n[ 97.409452] kernel_init_freeable+0x16f/0x1e0\n[ 97.410662] ? rest_init+0x1f0/0x1f0\n[ 97.411738] kernel_init+0x1a/0x1a0\n[ 97.412788] ret_from_fork+0x39/0x50\n[ 97.413817] ? rest_init+0x1f0/0x1f0\n[ 97.414844] ret_from_fork_asm+0x11/0x20\n[ 97.416285] \n[ 97.417134] irq event stamp: 13437323\n[ 97.418376] hardirqs last enabled at (13437337): [] console_unlock+0x11c/0x150\n[ 97.421285] hardirqs last disabled at (13437370): [] console_unlock+0x101/0x150\n[ 97.423838] softirqs last enabled at (13437366): [] handle_softirqs+0x23f/0x2a0\n[ 97.426450] softirqs last disabled at (13437393): [] __irq_exit_rcu+0x66/0xd0\n[ 97.428850] ---[ end trace 0000000000000000 ]---\n\nAnd also, since we can not cleanup dynamic_event file, ftracetest are\nfailed too.\n\nTo avoid these issues, build these tests only as modules.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41004" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41005", + "dataSource": "https://ubuntu.com/security/CVE-2024-41005", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41005" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41005", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41005", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d", + "https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265", + "https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c", + "https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57", + "https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916", + "https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetpoll: Fix race condition in netpoll_owner_active\n\nKCSAN detected a race condition in netpoll:\n\n\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\n\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\n\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\n\n\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\n\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\n\tnetpoll_send_udp (net/core/netpoll.c:?)\n\n\tvalue changed: 0x0000000a -> 0xffffffff\n\nThis happens because netpoll_owner_active() needs to check if the\ncurrent CPU is the owner of the lock, touching napi->poll_owner\nnon atomically. The ->poll_owner field contains the current CPU holding\nthe lock.\n\nUse an atomic read to check if the poll owner is the current CPU.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41005" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41006", + "dataSource": "https://ubuntu.com/security/CVE-2024-41006", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41006" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41006", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41006", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735", + "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937", + "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba", + "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b", + "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8", + "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712", + "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c", + "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\n\nsyzbot reported a memory leak in nr_create() [0].\n\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\n\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\n\nnr_connect\n nr_establish_data_link\n nr_start_heartbeat\n\nnr_release\n switch (nr->state)\n case NR_STATE_3\n nr->state = NR_STATE_2\n sock_set_flag(sk, SOCK_DESTROY);\n\n nr_rx_frame\n nr_process_rx_frame\n switch (nr->state)\n case NR_STATE_2\n nr_state2_machine()\n nr_disconnect()\n nr_sk(sk)->state = NR_STATE_0\n sock_set_flag(sk, SOCK_DEAD)\n\n nr_heartbeat_expiry\n switch (nr->state)\n case NR_STATE_0\n if (sock_flag(sk, SOCK_DESTROY) ||\n (sk->sk_state == TCP_LISTEN\n && sock_flag(sk, SOCK_DEAD)))\n sock_hold() // ( !!! )\n nr_destroy_socket()\n\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41006" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41007", + "dataSource": "https://ubuntu.com/security/CVE-2024-41007", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41007" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41007", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41007", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570", + "https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982", + "https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b05462570a5be1", + "https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4", + "https://git.kernel.org/stable/c/97a9063518f198ec0adb2ecb89789de342bb8283", + "https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969", + "https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde", + "https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: avoid too many retransmit packets\n\nIf a TCP socket is using TCP_USER_TIMEOUT, and the other peer\nretracted its window to zero, tcp_retransmit_timer() can\nretransmit a packet every two jiffies (2 ms for HZ=1000),\nfor about 4 minutes after TCP_USER_TIMEOUT has 'expired'.\n\nThe fix is to make sure tcp_rtx_probe0_timed_out() takes\nicsk->icsk_user_timeout into account.\n\nBefore blamed commit, the socket would not timeout after\nicsk->icsk_user_timeout, but would use standard exponential\nbackoff for the retransmits.\n\nAlso worth noting that before commit e89688e3e978 (\"net: tcp:\nfix unexcepted socket die when snd_wnd is 0\"), the issue\nwould last 2 minutes instead of 4.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.3, + "exploitabilityScore": 1.8, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41007" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41008", + "dataSource": "https://ubuntu.com/security/CVE-2024-41008", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41008" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41008", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41008", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/b8f67b9ddf4f8fe6dd536590712b5912ad78f99c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: change vm->task_info handling\n\nThis patch changes the handling and lifecycle of vm->task_info object.\nThe major changes are:\n- vm->task_info is a dynamically allocated ptr now, and its uasge is\n reference counted.\n- introducing two new helper funcs for task_info lifecycle management\n - amdgpu_vm_get_task_info: reference counts up task_info before\n returning this info\n - amdgpu_vm_put_task_info: reference counts down task_info\n- last put to task_info() frees task_info from the vm.\n\nThis patch also does logistical changes required for existing usage\nof vm->task_info.\n\nV2: Do not block all the prints when task_info not found (Felix)\n\nV3: Fixed review comments from Felix\n - Fix wrong indentation\n - No debug message for -ENOMEM\n - Add NULL check for task_info\n - Do not duplicate the debug messages (ti vs no ti)\n - Get first reference of task_info in vm_init(), put last\n in vm_fini()\n\nV4: Fixed review comments from Felix\n - fix double reference increment in create_task_info\n - change amdgpu_vm_get_task_info_pasid\n - additional changes in amdgpu_gem.c while porting", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41008" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41009", + "dataSource": "https://ubuntu.com/security/CVE-2024-41009", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41009" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41009", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41009", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4", + "https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225", + "https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069", + "https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f", + "https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881", + "https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix overrunning reservations in ringbuf\n\nThe BPF ring buffer internally is implemented as a power-of-2 sized circular\nbuffer, with two logical and ever-increasing counters: consumer_pos is the\nconsumer counter to show which logical position the consumer consumed the\ndata, and producer_pos which is the producer counter denoting the amount of\ndata reserved by all producers.\n\nEach time a record is reserved, the producer that \"owns\" the record will\nsuccessfully advance producer counter. In user space each time a record is\nread, the consumer of the data advanced the consumer counter once it finished\nprocessing. Both counters are stored in separate pages so that from user\nspace, the producer counter is read-only and the consumer counter is read-write.\n\nOne aspect that simplifies and thus speeds up the implementation of both\nproducers and consumers is how the data area is mapped twice contiguously\nback-to-back in the virtual memory, allowing to not take any special measures\nfor samples that have to wrap around at the end of the circular buffer data\narea, because the next page after the last data page would be first data page\nagain, and thus the sample will still appear completely contiguous in virtual\nmemory.\n\nEach record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for\nbook-keeping the length and offset, and is inaccessible to the BPF program.\nHelpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`\nfor the BPF program to use. Bing-Jhong and Muhammad reported that it is however\npossible to make a second allocated memory chunk overlapping with the first\nchunk and as a result, the BPF program is now able to edit first chunk's\nheader.\n\nFor example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size\nof 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to\nbpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in\n[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets\nallocate a chunk B with size 0x3000. This will succeed because consumer_pos\nwas edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`\ncheck. Chunk B will be in range [0x3008,0x6010], and the BPF program is able\nto edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned\nearlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data\npages. This means that chunk B at [0x4000,0x4008] is chunk A's header.\nbpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then\nlocate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk\nB modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong\npage and could cause a crash.\n\nFix it by calculating the oldest pending_pos and check whether the range\nfrom the oldest outstanding record to the newest would span beyond the ring\nbuffer size. If that is the case, then reject the request. We've tested with\nthe ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)\nbefore/after the fix and while it seems a bit slower on some benchmarks, it\nis still not significantly enough to matter.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41009" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41011", + "dataSource": "https://ubuntu.com/security/CVE-2024-41011", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41011" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41011", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41011", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4b4cff994a27ebf7bd3fb9a798a1cdfa8d01b724", + "https://git.kernel.org/stable/c/6186c93560889265bfe0914609c274eff40bbeb5", + "https://git.kernel.org/stable/c/89fffbdf535ce659c1a26b51ad62070566e33b28", + "https://git.kernel.org/stable/c/be4a2a81b6b90d1a47eaeaace4cc8e2cb57b96c7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: don't allow mapping the MMIO HDP page with large pages\n\nWe don't get the right offset in that case. The GPU has\nan unused 4K area of the register BAR space into which you can\nremap registers. We remap the HDP flush registers into this\nspace to allow userspace (CPU or GPU) to flush the HDP when it\nupdates VRAM. However, on systems with >4K pages, we end up\nexposing PAGE_SIZE of MMIO space.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41011" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41012", + "dataSource": "https://ubuntu.com/security/CVE-2024-41012", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41012" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41012", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41012", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3cad1bc010416c6dd780643476bc59ed742436b9", + "https://git.kernel.org/stable/c/52c87ab18c76c14d7209646ccb3283b3f5d87b22", + "https://git.kernel.org/stable/c/5661b9c7ec189406c2dde00837aaa4672efb6240", + "https://git.kernel.org/stable/c/5f5d0799eb0a01d550c21b7894e26b2d9db55763", + "https://git.kernel.org/stable/c/b6d223942c34057fdfd8f149e763fa823731b224", + "https://git.kernel.org/stable/c/d30ff33040834c3b9eee29740acd92f9c7ba2250", + "https://git.kernel.org/stable/c/dc2ce1dfceaa0767211a9d963ddb029ab21c4235", + "https://git.kernel.org/stable/c/ef8fc41cd6f95f9a4a3470f085aecf350569a0b3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Remove locks reliably when fcntl/close race is detected\n\nWhen fcntl_setlk() races with close(), it removes the created lock with\ndo_lock_file_wait().\nHowever, LSMs can allow the first do_lock_file_wait() that created the lock\nwhile denying the second do_lock_file_wait() that tries to remove the lock.\nSeparately, posix_lock_file() could also fail to\nremove a lock due to GFP_KERNEL allocation failure (when splitting a range\nin the middle).\n\nAfter the bug has been triggered, use-after-free reads will occur in\nlock_get_status() when userspace reads /proc/locks. This can likely be used\nto read arbitrary kernel memory, but can't corrupt kernel memory.\n\nFix it by calling locks_remove_posix() instead, which is designed to\nreliably get rid of POSIX locks associated with the given file and\nfiles_struct and is also used by filp_flush().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41012" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41013", + "dataSource": "https://ubuntu.com/security/CVE-2024-41013", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41013" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41013", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41013", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: don't walk off the end of a directory data block\n\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\nto make sure don't stray beyond valid memory region. Before patching, the\nloop simply checks that the start offset of the dup and dep is within the\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\ncan change dup->length to dup->length-1 and leave 1 byte of space. In the\nnext traversal, this space will be considered as dup or dep. We may\nencounter an out of bound read when accessing the fixed members.\n\nIn the patch, we make sure that the remaining bytes large enough to hold\nan unused entry before accessing xfs_dir2_data_unused and\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\nsure that the remaining bytes large enough to hold a dirent with a\nsingle-byte name before accessing xfs_dir2_data_entry.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41013" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41014", + "dataSource": "https://ubuntu.com/security/CVE-2024-41014", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41014" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41014", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41014", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: add bounds checking to xlog_recover_process_data\n\nThere is a lack of verification of the space occupied by fixed members\nof xlog_op_header in the xlog_recover_process_data.\n\nWe can create a crafted image to trigger an out of bounds read by\nfollowing these steps:\n 1) Mount an image of xfs, and do some file operations to leave records\n 2) Before umounting, copy the image for subsequent steps to simulate\n abnormal exit. Because umount will ensure that tail_blk and\n head_blk are the same, which will result in the inability to enter\n xlog_recover_process_data\n 3) Write a tool to parse and modify the copied image in step 2\n 4) Make the end of the xlog_op_header entries only 1 byte away from\n xlog_rec_header->h_size\n 5) xlog_rec_header->h_num_logops++\n 6) Modify xlog_rec_header->h_crc\n\nFix:\nAdd a check to make sure there is sufficient space to access fixed members\nof xlog_op_header.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41014" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41015", + "dataSource": "https://ubuntu.com/security/CVE-2024-41015", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41015" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41015", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41015", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13d38c00df97289e6fba2e54193959293fd910d2", + "https://git.kernel.org/stable/c/255547c6bb8940a97eea94ef9d464ea5967763fb", + "https://git.kernel.org/stable/c/53de17ad01cb5f6f8426f597e9d5c87d4cf53bb7", + "https://git.kernel.org/stable/c/564d23cc5b216211e1694d53f7e45959396874d0", + "https://git.kernel.org/stable/c/624b380074f0dc209fb8706db3295c735079f34c", + "https://git.kernel.org/stable/c/77495e5da5cb110a8fed27b052c77853fe282176", + "https://git.kernel.org/stable/c/e05a24289db90f76ff606086aadd62d068a88dcd", + "https://git.kernel.org/stable/c/edb2e67dd4626b06fd7eb37252d5067912e78d59", + "https://git.kernel.org/stable/c/fd65685594ee707cbf3ddf22ebb73697786ac114" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: add bounds checking to ocfs2_check_dir_entry()\n\nThis adds sanity checks for ocfs2_dir_entry to make sure all members of\nocfs2_dir_entry don't stray beyond valid memory region.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41015" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41016", + "dataSource": "https://ubuntu.com/security/CVE-2024-41016", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41016" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41016", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41016", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/af77c4fc1871847b528d58b7fdafb4aa1f6a9262" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()\n\nxattr in ocfs2 maybe 'non-indexed', which saved with additional space\nrequested. It's better to check if the memory is out of bound before\nmemcmp, although this possibility mainly comes from crafted poisonous\nimages.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41016" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41017", + "dataSource": "https://ubuntu.com/security/CVE-2024-41017", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41017" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41017", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41017", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17440dbc66ab98b410514b04987f61deedb86751", + "https://git.kernel.org/stable/c/4e034f7e563ab723b93a59980e4a1bb33198ece8", + "https://git.kernel.org/stable/c/6386f1b6a10e5d1ddd03db4ff6dfc55d488852ce", + "https://git.kernel.org/stable/c/7e21574195a45fc193555fa40e99fed16565ff7e", + "https://git.kernel.org/stable/c/7f91bd0f2941fa36449ce1a15faaa64f840d9746", + "https://git.kernel.org/stable/c/d0fa70aca54c8643248e89061da23752506ec0d4", + "https://git.kernel.org/stable/c/dbde7bc91093fa9c2410e418b236b70fde044b73", + "https://git.kernel.org/stable/c/f4435f476b9bf059cd9e26a69f5b29c768d00375", + "https://git.kernel.org/stable/c/fc16776a82e8df97b6c4f9a10ba95aa44cef7ba5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: don't walk off the end of ealist\n\nAdd a check before visiting the members of ea to\nmake sure each ea stays within the ealist.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41017" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41019", + "dataSource": "https://ubuntu.com/security/CVE-2024-41019", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41019" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41019", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41019", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/35652dfa8cc9a8a900ec0f1e0395781f94ffc5f0", + "https://git.kernel.org/stable/c/50c47879650b4c97836a0086632b3a2e300b0f06", + "https://git.kernel.org/stable/c/617cf144c206f98978ec730b17159344fd147cb4", + "https://git.kernel.org/stable/c/6ae7265a7b816879fd0203e83b5030d3720bbb7a", + "https://git.kernel.org/stable/c/818a257428644b8873e79c44404d8fb6598d4440", + "https://git.kernel.org/stable/c/82c94e6a7bd116724738aa67eba6f5fedf3a3319" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate ff offset\n\nThis adds sanity checks for ff offset. There is a check\non rt->first_free at first, but walking through by ff\nwithout any check. If the second ff is a large offset.\nWe may encounter an out-of-bound read.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41019" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41020", + "dataSource": "https://ubuntu.com/security/CVE-2024-41020", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41020" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41020", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41020", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4c43ad4ab41602201d34c66ac62130fe339d686f", + "https://git.kernel.org/stable/c/53e21cfa68a7d12de378b7116c75571f73e0dfa2", + "https://git.kernel.org/stable/c/5b0af8e4c70e4b884bb94ff5f0cd49ecf1273c02", + "https://git.kernel.org/stable/c/73ae349534ebc377328e7d21891e589626c6e82c", + "https://git.kernel.org/stable/c/911cc83e56a2de5a40758766c6a70d6998248860", + "https://git.kernel.org/stable/c/a561145f3ae973ebf3e0aee41624e92a6c5cb38d", + "https://git.kernel.org/stable/c/ed898f9ca3fa32c56c858b463ceb9d9936cc69c4", + "https://git.kernel.org/stable/c/f4d0775c6e2f1340ca0725f0337de149aaa989ca", + "https://git.kernel.org/stable/c/f8138f2ad2f745b9a1c696a05b749eabe44337ea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Fix fcntl/close race recovery compat path\n\nWhen I wrote commit 3cad1bc01041 (\"filelock: Remove locks reliably when\nfcntl/close race is detected\"), I missed that there are two copies of the\ncode I was patching: The normal version, and the version for 64-bit offsets\non 32-bit kernels.\nThanks to Greg KH for stumbling over this while doing the stable\nbackport...\n\nApply exactly the same fix to the compat path for 32-bit kernels.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41020" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41022", + "dataSource": "https://ubuntu.com/security/CVE-2024-41022", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41022" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41022", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41022", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/298e2ce222e712ffafa47288c5b2fcf33d72fda3", + "https://git.kernel.org/stable/c/3dd9734878a9042f0358301d19a2b006a0fc4d06", + "https://git.kernel.org/stable/c/4edb0a84e6b32e75dc9bd6dd085b2c2ff19ec287", + "https://git.kernel.org/stable/c/544fa213f15d27f0370795845d55eeb3e00080d2", + "https://git.kernel.org/stable/c/6769a23697f17f9bf9365ca8ed62fe37e361a05a", + "https://git.kernel.org/stable/c/a5224e2123ce21102f346f518db80f004d5053a7", + "https://git.kernel.org/stable/c/d347c9a398bf7eab9408d207c0a50fb720f9de7d", + "https://git.kernel.org/stable/c/e8dfbf83a82bbfb9680921719fbe65e535af59ea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()\n\nThe \"instance\" variable needs to be signed for the error handling to work.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41022" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41023", + "dataSource": "https://ubuntu.com/security/CVE-2024-41023", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41023" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41023", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41023", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7a54d31face626f62de415ebe77b43f76c3ffaf4", + "https://git.kernel.org/stable/c/b58652db66c910c2245f5bee7deca41c12d707b9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix task_struct reference leak\n\nDuring the execution of the following stress test with linux-rt:\n\nstress-ng --cyclic 30 --timeout 30 --minimize --quiet\n\nkmemleak frequently reported a memory leak concerning the task_struct:\n\nunreferenced object 0xffff8881305b8000 (size 16136):\n comm \"stress-ng\", pid 614, jiffies 4294883961 (age 286.412s)\n object hex dump (first 32 bytes):\n 02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .@..............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n debug hex dump (first 16 bytes):\n 53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S...............\n backtrace:\n [<00000000046b6790>] dup_task_struct+0x30/0x540\n [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0\n [<00000000ced59777>] kernel_clone+0xb0/0x770\n [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0\n [<000000001dbf2008>] do_syscall_64+0x5d/0xf0\n [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThe issue occurs in start_dl_timer(), which increments the task_struct\nreference count and sets a timer. The timer callback, dl_task_timer,\nis supposed to decrement the reference count upon expiration. However,\nif enqueue_task_dl() is called before the timer expires and cancels it,\nthe reference count is not decremented, leading to the leak.\n\nThis patch fixes the reference leak by ensuring the task_struct\nreference count is properly decremented when the timer is canceled.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41023" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41027", + "dataSource": "https://ubuntu.com/security/CVE-2024-41027", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41027" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41027", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41027", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/14875fd5f9bcf60ac5518c63bfb676ade44aa7c6", + "https://git.kernel.org/stable/c/1723f04caacb32cadc4e063725d836a0c4450694", + "https://git.kernel.org/stable/c/519547760f16eae7803d2658d9524bc5ba7a20a7", + "https://git.kernel.org/stable/c/8111f902b7c95d75fc80c7e577f5045886c6b384", + "https://git.kernel.org/stable/c/cd94cac4069a763ab5206be2c64c9a8beae590ba" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix userfaultfd_api to return EINVAL as expected\n\nCurrently if we request a feature that is not set in the Kernel config we\nfail silently and return all the available features. However, the man\npage indicates we should return an EINVAL.\n\nWe need to fix this issue since we can end up with a Kernel warning should\na program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with\nthe config not set with this feature.\n\n [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660\n [ 200.820738] Modules linked in:\n [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8\n [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022\n [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41027" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41030", + "dataSource": "https://ubuntu.com/security/CVE-2024-41030", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41030" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41030", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41030", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/198498b2049c0f11f7670be6974570e02b0cc035", + "https://git.kernel.org/stable/c/66cf853e1c7a2407f15d9f7aaa3e47d61745e361", + "https://git.kernel.org/stable/c/9e84b1ba5c98fb5c9f869c85db1d870354613baa", + "https://git.kernel.org/stable/c/e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: discard write access to the directory open\n\nmay_open() does not allow a directory to be opened with the write access.\nHowever, some writing flags set by client result in adding write access\non server, making ksmbd incompatible with FUSE file system. Simply, let's\ndiscard the write access when opening a directory.\n\nlist_add corruption. next is NULL.\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:26!\npc : __list_add_valid+0x88/0xbc\nlr : __list_add_valid+0x88/0xbc\nCall trace:\n__list_add_valid+0x88/0xbc\nfuse_finish_open+0x11c/0x170\nfuse_open_common+0x284/0x5e8\nfuse_dir_open+0x14/0x24\ndo_dentry_open+0x2a4/0x4e0\ndentry_open+0x50/0x80\nsmb2_open+0xbe4/0x15a4\nhandle_ksmbd_work+0x478/0x5ec\nprocess_one_work+0x1b4/0x448\nworker_thread+0x25c/0x430\nkthread+0x104/0x1d4\nret_from_fork+0x10/0x20", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41030" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41031", + "dataSource": "https://ubuntu.com/security/CVE-2024-41031", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41031" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41031", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41031", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06b5a69c27ec405a3c3f2da8520ff1ee70b94a21", + "https://git.kernel.org/stable/c/1ef650d3b1b2a16473981b447f38705fe9b93972", + "https://git.kernel.org/stable/c/3390916aca7af1893ed2ebcdfee1d6fdb65bb058" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: skip to create PMD-sized page cache if needed\n\nOn ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The\nPMD-sized page cache can't be supported by xarray as the following error\nmessages indicate.\n\n------------[ cut here ]------------\nWARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \\\nfuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\nsha1_ce virtio_net net_failover virtio_console virtio_blk failover \\\ndimlib virtio_mmio\nCPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : xas_split_alloc+0xf8/0x128\nlr : split_huge_page_to_list_to_order+0x1c4/0x720\nsp : ffff800087a4f6c0\nx29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff\nx26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858\nx23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000\nx20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000\nx17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000\nx14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020\nx11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28\nx8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8\nx5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40\nx2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\nCall trace:\n xas_split_alloc+0xf8/0x128\n split_huge_page_to_list_to_order+0x1c4/0x720\n truncate_inode_partial_folio+0xdc/0x160\n truncate_inode_pages_range+0x1b4/0x4a8\n truncate_pagecache_range+0x84/0xa0\n xfs_flush_unmap_range+0x70/0x90 [xfs]\n xfs_file_fallocate+0xfc/0x4d8 [xfs]\n vfs_fallocate+0x124/0x2e8\n ksys_fallocate+0x4c/0xa0\n __arm64_sys_fallocate+0x24/0x38\n invoke_syscall.constprop.0+0x7c/0xd8\n do_el0_svc+0xb4/0xd0\n el0_svc+0x44/0x1d8\n el0t_64_sync_handler+0x134/0x150\n el0t_64_sync+0x17c/0x180\n\nFix it by skipping to allocate PMD-sized page cache when its size is\nlarger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to\nregular path where the readahead window is determined by BDI's sysfs file\n(read_ahead_kb).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41031" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41034", + "dataSource": "https://ubuntu.com/security/CVE-2024-41034", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41034" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41034", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41034", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a8879c0771a68d70ee2e5e66eea34207e8c6231", + "https://git.kernel.org/stable/c/24c1c8566a9b6be51f5347be2ea76e25fc82b11e", + "https://git.kernel.org/stable/c/298cd810d7fb687c90a14d8f9fd1b8719a7cb8a5", + "https://git.kernel.org/stable/c/60f61514374e4a0c3b65b08c6024dd7e26150bfd", + "https://git.kernel.org/stable/c/7000b438dda9d0f41a956fc9bffed92d2eb6be0d", + "https://git.kernel.org/stable/c/a9a466a69b85059b341239766a10efdd3ee68a4b", + "https://git.kernel.org/stable/c/a9e1ddc09ca55746079cc479aa3eb6411f0d99d4", + "https://git.kernel.org/stable/c/ff9767ba2cb949701e45e6e4287f8af82986b703" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix kernel bug on rename operation of broken directory\n\nSyzbot reported that in rename directory operation on broken directory on\nnilfs2, __block_write_begin_int() called to prepare block write may fail\nBUG_ON check for access exceeding the folio/page size.\n\nThis is because nilfs_dotdot(), which gets parent directory reference\nentry (\"..\") of the directory to be moved or renamed, does not check\nconsistency enough, and may return location exceeding folio/page size for\nbroken directories.\n\nFix this issue by checking required directory entries (\".\" and \"..\") in\nthe first chunk of the directory in nilfs_dotdot().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41034" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41035", + "dataSource": "https://ubuntu.com/security/CVE-2024-41035", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41035" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41035", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41035", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2bd8534a1b83c65702aec3cab164170f8e584188", + "https://git.kernel.org/stable/c/37514a5c1251a8c5c95c323f55050736e7069ac7", + "https://git.kernel.org/stable/c/60abea505b726b38232a0ef410d2bd1994a77f78", + "https://git.kernel.org/stable/c/647d61aef106dbed9c70447bcddbd4968e67ca64", + "https://git.kernel.org/stable/c/9edcf317620d7c6a8354911b69b874cf89716646", + "https://git.kernel.org/stable/c/a368ecde8a5055b627749b09c6218ef793043e47", + "https://git.kernel.org/stable/c/d09dd21bb5215d583ca9a1cb1464dbc77a7e88cf", + "https://git.kernel.org/stable/c/d8418fd083d1b90a6c007cf8dcf81aeae274727b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor\n\nSyzbot has identified a bug in usbcore (see the Closes: tag below)\ncaused by our assumption that the reserved bits in an endpoint\ndescriptor's bEndpointAddress field will always be 0. As a result of\nthe bug, the endpoint_is_duplicate() routine in config.c (and possibly\nother routines as well) may believe that two descriptors are for\ndistinct endpoints, even though they have the same direction and\nendpoint number. This can lead to confusion, including the bug\nidentified by syzbot (two descriptors with matching endpoint numbers\nand directions, where one was interrupt and the other was bulk).\n\nTo fix the bug, we will clear the reserved bits in bEndpointAddress\nwhen we parse the descriptor. (Note that both the USB-2.0 and USB-3.1\nspecs say these bits are \"Reserved, reset to zero\".) This requires us\nto make a copy of the descriptor earlier in usb_parse_endpoint() and\nuse the copy instead of the original when checking for duplicates.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41035" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41036", + "dataSource": "https://ubuntu.com/security/CVE-2024-41036", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41036" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41036", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41036", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0913ec336a6c0c4a2b296bd9f74f8e41c4c83c8c", + "https://git.kernel.org/stable/c/10fec0cd0e8f56ff06c46bb24254c7d8f8f2bbf0", + "https://git.kernel.org/stable/c/80ece00137300d74642f2038c8fe5440deaf9f05", + "https://git.kernel.org/stable/c/a0c69c492f4a8fad52f0a97565241c926160c9a4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Fix deadlock with the SPI chip variant\n\nWhen SMP is enabled and spinlocks are actually functional then there is\na deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi\nand ks8851_irq:\n\n watchdog: BUG: soft lockup - CPU#0 stuck for 27s!\n call trace:\n queued_spin_lock_slowpath+0x100/0x284\n do_raw_spin_lock+0x34/0x44\n ks8851_start_xmit_spi+0x30/0xb8\n ks8851_start_xmit+0x14/0x20\n netdev_start_xmit+0x40/0x6c\n dev_hard_start_xmit+0x6c/0xbc\n sch_direct_xmit+0xa4/0x22c\n __qdisc_run+0x138/0x3fc\n qdisc_run+0x24/0x3c\n net_tx_action+0xf8/0x130\n handle_softirqs+0x1ac/0x1f0\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x3c/0x58\n do_softirq_own_stack+0x1c/0x28\n __irq_exit_rcu+0x54/0x9c\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x38/0x50\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x64/0x68\n __netif_schedule+0x6c/0x80\n netif_tx_wake_queue+0x38/0x48\n ks8851_irq+0xb8/0x2c8\n irq_thread_fn+0x2c/0x74\n irq_thread+0x10c/0x1b0\n kthread+0xc8/0xd8\n ret_from_fork+0x10/0x20\n\nThis issue has not been identified earlier because tests were done on\na device with SMP disabled and so spinlocks were actually NOPs.\n\nNow use spin_(un)lock_bh for TX queue related locking to avoid execution\nof softirq work synchronously that would lead to a deadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41036" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41040", + "dataSource": "https://ubuntu.com/security/CVE-2024-41040", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41040" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41040", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41040", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/26488172b0292bed837b95a006a3f3431d1898c3", + "https://git.kernel.org/stable/c/2b4d68df3f57ea746c430941ba9c03d7d8b5a23f", + "https://git.kernel.org/stable/c/4e71b10a100861fb27d9c5755dfd68f615629fae", + "https://git.kernel.org/stable/c/799a34901b634008db4a7ece3900e2b971d4c932", + "https://git.kernel.org/stable/c/b81a523d54ea689414f67c9fb81a5b917a41ed55", + "https://git.kernel.org/stable/c/ef472cc6693b16b202a916482df72f35d94bd69e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix UAF when resolving a clash\n\nKASAN reports the following UAF:\n\n BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n Read of size 1 at addr ffff888c07603600 by task handler130/6469\n\n Call Trace:\n \n dump_stack_lvl+0x48/0x70\n print_address_description.constprop.0+0x33/0x3d0\n print_report+0xc0/0x2b0\n kasan_report+0xd0/0x120\n __asan_load1+0x6c/0x80\n tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n tcf_ct_act+0x886/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n __irq_exit_rcu+0x82/0xc0\n irq_exit_rcu+0xe/0x20\n common_interrupt+0xa1/0xb0\n \n \n asm_common_interrupt+0x27/0x40\n\n Allocated by task 6469:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x25/0x40\n kasan_save_alloc_info+0x1e/0x40\n __kasan_krealloc+0x133/0x190\n krealloc+0xaa/0x130\n nf_ct_ext_add+0xed/0x230 [nf_conntrack]\n tcf_ct_act+0x1095/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n\n Freed by task 6469:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x25/0x40\n kasan_save_free_info+0x2b/0x60\n ____kasan_slab_free+0x180/0x1f0\n __kasan_slab_free+0x12/0x30\n slab_free_freelist_hook+0xd2/0x1a0\n __kmem_cache_free+0x1a2/0x2f0\n kfree+0x78/0x120\n nf_conntrack_free+0x74/0x130 [nf_conntrack]\n nf_ct_destroy+0xb2/0x140 [nf_conntrack]\n __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]\n nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]\n __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]\n tcf_ct_act+0x12ad/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n\nThe ct may be dropped if a clash has been resolved but is still passed to\nthe tcf_ct_flow_table_process_conn function for further usage. This issue\ncan be fixed by retrieving ct from skb again after confirming conntrack.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41040" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41041", + "dataSource": "https://ubuntu.com/security/CVE-2024-41041", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41041" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41041", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41041", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/20ceae10623c3b29fdf7609690849475bcdebdb0", + "https://git.kernel.org/stable/c/5c0b485a8c6116516f33925b9ce5b6104a6eadfd", + "https://git.kernel.org/stable/c/7a67c4e47626e6daccda62888f8b096abb5d3940", + "https://git.kernel.org/stable/c/9f965684c57c3117cfd2f754dd3270383c529fba", + "https://git.kernel.org/stable/c/a6db0d3ea6536e7120871e5448b3032570152ec6", + "https://git.kernel.org/stable/c/c5fd77ca13d657c6e99bf04f0917445e6a80231e", + "https://git.kernel.org/stable/c/ddf516e50bf8a7bc9b3bd8a9831f9c7a8131a32a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().\n\nsyzkaller triggered the warning [0] in udp_v4_early_demux().\n\nIn udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount\nof the looked-up sk and use sock_pfree() as skb->destructor, so we check\nSOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace\nperiod.\n\nCurrently, SOCK_RCU_FREE is flagged for a bound socket after being put\ninto the hash table. Moreover, the SOCK_RCU_FREE check is done too early\nin udp_v[46]_early_demux() and sk_lookup(), so there could be a small race\nwindow:\n\n CPU1 CPU2\n ---- ----\n udp_v4_early_demux() udp_lib_get_port()\n | |- hlist_add_head_rcu()\n |- sk = __udp4_lib_demux_lookup() |\n |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));\n `- sock_set_flag(sk, SOCK_RCU_FREE)\n\nWe had the same bug in TCP and fixed it in commit 871019b22d1b (\"net:\nset SOCK_RCU_FREE before inserting socket into hashtable\").\n\nLet's apply the same fix for UDP.\n\n[0]:\nWARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nModules linked in:\nCPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nCode: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52\nRSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c\nRDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001\nRBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680\nR13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e\nFS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nPKRU: 55555554\nCall Trace:\n \n ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349\n ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624\n __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738\n netif_receive_skb_internal net/core/dev.c:5824 [inline]\n netif_receive_skb+0x271/0x300 net/core/dev.c:5884\n tun_rx_batched drivers/net/tun.c:1549 [inline]\n tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002\n tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x76f/0x8d0 fs/read_write.c:590\n ksys_write+0xbf/0x190 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x41/0x50 fs/read_write.c:652\n x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7fc44a68bc1f\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48\nRSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f\nR\n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41041" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41042", + "dataSource": "https://ubuntu.com/security/CVE-2024-41042", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41042" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41042", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41042", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1947e4c3346faa8ac7e343652c0fd3b3e394202f", + "https://git.kernel.org/stable/c/31c35f9f89ef585f1edb53e17ac73a0ca4a9712b", + "https://git.kernel.org/stable/c/717c91c6ed73e248de6a15bc53adefb81446c9d0", + "https://git.kernel.org/stable/c/8246b7466c8da49d0d9e85e26cbd69dd6d3e3d1e", + "https://git.kernel.org/stable/c/9df785aeb7dcc8efd1d4110bb27d26005298ebae", + "https://git.kernel.org/stable/c/b6b6e430470e1c3c5513311cb35a15a205595abe", + "https://git.kernel.org/stable/c/cd4348e0a50286282c314ad6d2b0740e7c812c24", + "https://git.kernel.org/stable/c/cff3bd012a9512ac5ed858d38e6ed65f6391008c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prefer nft_chain_validate\n\nnft_chain_validate already performs loop detection because a cycle will\nresult in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).\n\nIt also follows maps via ->validate callback in nft_lookup, so there\nappears no reason to iterate the maps again.\n\nnf_tables_check_loops() and all its helper functions can be removed.\nThis improves ruleset load time significantly, from 23s down to 12s.\n\nThis also fixes a crash bug. Old loop detection code can result in\nunbounded recursion:\n\nBUG: TASK stack guard page was hit at ....\nOops: stack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1\n[..]\n\nwith a suitable ruleset during validation of register stores.\n\nI can't see any actual reason to attempt to check for this from\nnft_validate_register_store(), at this point the transaction is still in\nprogress, so we don't have a full picture of the rule graph.\n\nFor nf-next it might make sense to either remove it or make this depend\non table->validate_state in case we could catch an error earlier\n(for improved error reporting to userspace).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41042" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41044", + "dataSource": "https://ubuntu.com/security/CVE-2024-41044", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41044" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41044", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41044", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/099502ca410922b56353ccef2749bc0de669da78", + "https://git.kernel.org/stable/c/3134bdf7356ed952dcecb480861d2afcc1e40492", + "https://git.kernel.org/stable/c/3ba12c2afd933fc1bf800f6d3f6c7ec8f602ce56", + "https://git.kernel.org/stable/c/6e8f1c21174f9482033bbb59f13ce1a8cbe843c3", + "https://git.kernel.org/stable/c/97d1efd8be26615ff680cdde86937d5943138f37", + "https://git.kernel.org/stable/c/d683e7f3fc48f59576af34631b4fb07fd931343e", + "https://git.kernel.org/stable/c/ebc5c630457783d17d0c438b0ad70b232a64a82f", + "https://git.kernel.org/stable/c/f2aeb7306a898e1cbd03963d376f4b6656ca2b55" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: reject claimed-as-LCP but actually malformed packets\n\nSince 'ppp_async_encode()' assumes valid LCP packets (with code\nfrom 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that\nLCP packet has an actual body beyond PPP_LCP header bytes, and\nreject claimed-as-LCP but actually malformed data otherwise.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41044" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41045", + "dataSource": "https://ubuntu.com/security/CVE-2024-41045", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41045" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41045", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41045", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7aa5a19279c3639ae8b758b63f05d0c616a39fa1", + "https://git.kernel.org/stable/c/a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Defer work in bpf_timer_cancel_and_free\n\nCurrently, the same case as previous patch (two timer callbacks trying\nto cancel each other) can be invoked through bpf_map_update_elem as\nwell, or more precisely, freeing map elements containing timers. Since\nthis relies on hrtimer_cancel as well, it is prone to the same deadlock\nsituation as the previous patch.\n\nIt would be sufficient to use hrtimer_try_to_cancel to fix this problem,\nas the timer cannot be enqueued after async_cancel_and_free. Once\nasync_cancel_and_free has been done, the timer must be reinitialized\nbefore it can be armed again. The callback running in parallel trying to\narm the timer will fail, and freeing bpf_hrtimer without waiting is\nsufficient (given kfree_rcu), and bpf_timer_cb will return\nHRTIMER_NORESTART, preventing the timer from being rearmed again.\n\nHowever, there exists a UAF scenario where the callback arms the timer\nbefore entering this function, such that if cancellation fails (due to\ntimer callback invoking this routine, or the target timer callback\nrunning concurrently). In such a case, if the timer expiration is\nsignificantly far in the future, the RCU grace period expiration\nhappening before it will free the bpf_hrtimer state and along with it\nthe struct hrtimer, that is enqueued.\n\nHence, it is clear cancellation needs to occur after\nasync_cancel_and_free, and yet it cannot be done inline due to deadlock\nissues. We thus modify bpf_timer_cancel_and_free to defer work to the\nglobal workqueue, adding a work_struct alongside rcu_head (both used at\n_different_ points of time, so can share space).\n\nUpdate existing code comments to reflect the new state of affairs.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41045" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41046", + "dataSource": "https://ubuntu.com/security/CVE-2024-41046", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41046" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41046", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41046", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1a2db00a554cfda57c397cce79b2804bf9633fec", + "https://git.kernel.org/stable/c/22b16618a80858b3a9d607708444426948cc4ae1", + "https://git.kernel.org/stable/c/69ad5fa0ce7c548262e0770fc2b726fe7ab4f156", + "https://git.kernel.org/stable/c/84aaaa796a19195fc59290154fef9aeb1fba964f", + "https://git.kernel.org/stable/c/907443174e76b854d28024bd079f0e53b94dc9a1", + "https://git.kernel.org/stable/c/9d23909ae041761cb2aa0c3cb1748598d8b6bc54", + "https://git.kernel.org/stable/c/c2b66e2b3939af63699e4a4bd25a8ac4a9b1d1b3", + "https://git.kernel.org/stable/c/e1533b6319ab9c3a97dad314dd88b3783bc41b69" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: lantiq_etop: fix double free in detach\n\nThe number of the currently released descriptor is never incremented\nwhich results in the same skb being released multiple times.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41046" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41047", + "dataSource": "https://ubuntu.com/security/CVE-2024-41047", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41047" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41047", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41047", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0075b8c94d76830c7b6f018f6e4eeb0bf6465fdc", + "https://git.kernel.org/stable/c/01fc5142ae6b06b61ed51a624f2732d6525d8ea3", + "https://git.kernel.org/stable/c/4bc336b2345f1485438c0eb7246d9c8a8d09f8ff", + "https://git.kernel.org/stable/c/5266302cb2c74d8ab0e9a69d5752fffaea70496e", + "https://git.kernel.org/stable/c/b399a68054dfb36eed121846ef5fcddba40b7740" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix XDP program unloading while removing the driver\n\nThe commit 6533e558c650 (\"i40e: Fix reset path while removing\nthe driver\") introduced a new PF state \"__I40E_IN_REMOVE\" to block\nmodifying the XDP program while the driver is being removed.\nUnfortunately, such a change is useful only if the \".ndo_bpf()\"\ncallback was called out of the rmmod context because unloading the\nexisting XDP program is also a part of driver removing procedure.\nIn other words, from the rmmod context the driver is expected to\nunload the XDP program without reporting any errors. Otherwise,\nthe kernel warning with callstack is printed out to dmesg.\n\nExample failing scenario:\n 1. Load the i40e driver.\n 2. Load the XDP program.\n 3. Unload the i40e driver (using \"rmmod\" command).\n\nThe example kernel warning log:\n\n[ +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[ +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[ +0.002726] Call Trace:\n[ +0.002457] \n[ +0.002119] ? __warn+0x80/0x120\n[ +0.003245] ? unregister_netdevice_many_notify+0x7a9/0x870\n[ +0.005586] ? report_bug+0x164/0x190\n[ +0.003678] ? handle_bug+0x3c/0x80\n[ +0.003503] ? exc_invalid_op+0x17/0x70\n[ +0.003846] ? asm_exc_invalid_op+0x1a/0x20\n[ +0.004200] ? unregister_netdevice_many_notify+0x7a9/0x870\n[ +0.005579] ? unregister_netdevice_many_notify+0x3cc/0x870\n[ +0.005586] unregister_netdevice_queue+0xf7/0x140\n[ +0.004806] unregister_netdev+0x1c/0x30\n[ +0.003933] i40e_vsi_release+0x87/0x2f0 [i40e]\n[ +0.004604] i40e_remove+0x1a1/0x420 [i40e]\n[ +0.004220] pci_device_remove+0x3f/0xb0\n[ +0.003943] device_release_driver_internal+0x19f/0x200\n[ +0.005243] driver_detach+0x48/0x90\n[ +0.003586] bus_remove_driver+0x6d/0xf0\n[ +0.003939] pci_unregister_driver+0x2e/0xb0\n[ +0.004278] i40e_exit_module+0x10/0x5f0 [i40e]\n[ +0.004570] __do_sys_delete_module.isra.0+0x197/0x310\n[ +0.005153] do_syscall_64+0x85/0x170\n[ +0.003684] ? syscall_exit_to_user_mode+0x69/0x220\n[ +0.004886] ? do_syscall_64+0x95/0x170\n[ +0.003851] ? exc_page_fault+0x7e/0x180\n[ +0.003932] entry_SYSCALL_64_after_hwframe+0x71/0x79\n[ +0.005064] RIP: 0033:0x7f59dc9347cb\n[ +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83\nc8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f\n05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48\n[ +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n[ +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb\n[ +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748\n[ +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000\n[ +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000\n[ +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000\n[ +0.007151] \n[ +0.002204] ---[ end trace 0000000000000000 ]---\n\nFix this by checking if the XDP program is being loaded or unloaded.\nThen, block only loading a new program while \"__I40E_IN_REMOVE\" is set.\nAlso, move testing \"__I40E_IN_REMOVE\" flag to the beginning of XDP_SETUP\ncallback to avoid unnecessary operations and checks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41047" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41048", + "dataSource": "https://ubuntu.com/security/CVE-2024-41048", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41048" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41048", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41048", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632", + "https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc", + "https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b", + "https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97", + "https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nskmsg: Skip zero length skb in sk_msg_recvmsg\n\nWhen running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch\nplatform, the following kernel panic occurs:\n\n [...]\n Oops[#1]:\n CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18\n Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018\n ... ...\n ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560\n ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 0000000c (PPLV0 +PIE +PWE)\n EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n BADV: 0000000000000040\n PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)\n Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack\n Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)\n Stack : ...\n Call Trace:\n [<9000000004162774>] copy_page_to_iter+0x74/0x1c0\n [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560\n [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0\n [<90000000049aae34>] inet_recvmsg+0x54/0x100\n [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0\n [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0\n [<900000000481e27c>] sys_recvfrom+0x1c/0x40\n [<9000000004c076ec>] do_syscall+0x8c/0xc0\n [<9000000003731da4>] handle_syscall+0xc4/0x160\n Code: ...\n ---[ end trace 0000000000000000 ]---\n Kernel panic - not syncing: Fatal exception\n Kernel relocated by 0x3510000\n .text @ 0x9000000003710000\n .data @ 0x9000000004d70000\n .bss @ 0x9000000006469400\n ---[ end Kernel panic - not syncing: Fatal exception ]---\n [...]\n\nThis crash happens every time when running sockmap_skb_verdict_shutdown\nsubtest in sockmap_basic.\n\nThis crash is because a NULL pointer is passed to page_address() in the\nsk_msg_recvmsg(). Due to the different implementations depending on the\narchitecture, page_address(NULL) will trigger a panic on Loongarch\nplatform but not on x86 platform. So this bug was hidden on x86 platform\nfor a while, but now it is exposed on Loongarch platform. The root cause\nis that a zero length skb (skb->len == 0) was put on the queue.\n\nThis zero length skb is a TCP FIN packet, which was sent by shutdown(),\ninvoked in test_sockmap_skb_verdict_shutdown():\n\n\tshutdown(p1, SHUT_WR);\n\nIn this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no\npage is put to this sge (see sg_set_page in sg_set_page), but this empty\nsge is queued into ingress_msg list.\n\nAnd in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by\nsg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it\nto kmap_local_page() and to page_address(), then kernel panics.\n\nTo solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),\nif copy is zero, that means it's a zero length skb, skip invoking\ncopy_page_to_iter(). We are using the EFAULT return triggered by\ncopy_page_to_iter to check for is_fin in tcp_bpf.c.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41048" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41049", + "dataSource": "https://ubuntu.com/security/CVE-2024-41049", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41049" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41049", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41049", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/02a8964260756c70b20393ad4006948510ac9967", + "https://git.kernel.org/stable/c/116599f6a26906cf33f67975c59f0692ecf7e9b2", + "https://git.kernel.org/stable/c/1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92", + "https://git.kernel.org/stable/c/1cbbb3d9475c403ebedc327490c7c2b991398197", + "https://git.kernel.org/stable/c/432b06b69d1d354a171f7499141116536579eb6a", + "https://git.kernel.org/stable/c/5cb36e35bc10ea334810937990c2b9023dacb1b0", + "https://git.kernel.org/stable/c/7d4c14f4b511fd4c0dc788084ae59b4656ace58b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: fix potential use-after-free in posix_lock_inode\n\nLight Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().\nThe request pointer had been changed earlier to point to a lock entry\nthat was added to the inode's list. However, before the tracepoint could\nfire, another task raced in and freed that lock.\n\nFix this by moving the tracepoint inside the spinlock, which should\nensure that this doesn't happen.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41049" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41050", + "dataSource": "https://ubuntu.com/security/CVE-2024-41050", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41050" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41050", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41050", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19f4f399091478c95947f6bd7ad61622300c30d9", + "https://git.kernel.org/stable/c/35710c6c4a1c64478ec1b5e0e81d386c0844dec6", + "https://git.kernel.org/stable/c/9d3bf4e9aa23f0d9e99ebe7a94f232ddba54ee17", + "https://git.kernel.org/stable/c/de045a82e1a4e04be62718d3c2981a55150765a0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: cyclic allocation of msg_id to avoid reuse\n\nReusing the msg_id after a maliciously completed reopen request may cause\na read request to remain unprocessed and result in a hung, as shown below:\n\n t1 | t2 | t3\n-------------------------------------------------\ncachefiles_ondemand_select_req\n cachefiles_ondemand_object_is_close(A)\n cachefiles_ondemand_set_object_reopening(A)\n queue_work(fscache_object_wq, &info->work)\n ondemand_object_worker\n cachefiles_ondemand_init_object(A)\n cachefiles_ondemand_send_req(OPEN)\n // get msg_id 6\n wait_for_completion(&req_A->done)\ncachefiles_ondemand_daemon_read\n // read msg_id 6 req_A\n cachefiles_ondemand_get_fd\n copy_to_user\n // Malicious completion msg_id 6\n copen 6,-1\n cachefiles_ondemand_copen\n complete(&req_A->done)\n // will not set the object to close\n // because ondemand_id && fd is valid.\n\n // ondemand_object_worker() is done\n // but the object is still reopening.\n\n // new open req_B\n cachefiles_ondemand_init_object(B)\n cachefiles_ondemand_send_req(OPEN)\n // reuse msg_id 6\nprocess_open_req\n copen 6,A.size\n // The expected failed copen was executed successfully\n\nExpect copen to fail, and when it does, it closes fd, which sets the\nobject to close, and then close triggers reopen again. However, due to\nmsg_id reuse resulting in a successful copen, the anonymous fd is not\nclosed until the daemon exits. Therefore read requests waiting for reopen\nto complete may trigger hung task.\n\nTo avoid this issue, allocate the msg_id cyclically to avoid reusing the\nmsg_id for a very short duration of time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41050" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41055", + "dataSource": "https://ubuntu.com/security/CVE-2024-41055", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41055" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41055", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41055", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0100aeb8a12d51950418e685f879cc80cb8e5982", + "https://git.kernel.org/stable/c/797323d1cf92d09b7a017cfec576d9babf99cde7", + "https://git.kernel.org/stable/c/82f0b6f041fad768c28b4ad05a683065412c226e", + "https://git.kernel.org/stable/c/941e816185661bf2b44b488565d09444ae316509", + "https://git.kernel.org/stable/c/adccdf702b4ea913ded5ff512239e382d7473b63", + "https://git.kernel.org/stable/c/bc17f2377818dca643a74499c3f5333500c90503" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: prevent derefencing NULL ptr in pfn_section_valid()\n\nCommit 5ec8e8ea8b77 (\"mm/sparsemem: fix race in accessing\nmemory_section->usage\") changed pfn_section_valid() to add a READ_ONCE()\ncall around \"ms->usage\" to fix a race with section_deactivate() where\nms->usage can be cleared. The READ_ONCE() call, by itself, is not enough\nto prevent NULL pointer dereference. We need to check its value before\ndereferencing it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41055" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41057", + "dataSource": "https://ubuntu.com/security/CVE-2024-41057", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41057" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41057", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41057", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4", + "https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1", + "https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11", + "https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\n\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\nCall Trace:\n \n kasan_report+0x93/0xc0\n cachefiles_withdraw_cookie+0x4d9/0x600\n fscache_cookie_state_machine+0x5c8/0x1230\n fscache_cookie_worker+0x91/0x1c0\n process_one_work+0x7fa/0x1800\n [...]\n\nAllocated by task 117:\n kmalloc_trace+0x1b3/0x3c0\n cachefiles_acquire_volume+0xf3/0x9c0\n fscache_create_volume_work+0x97/0x150\n process_one_work+0x7fa/0x1800\n [...]\n\nFreed by task 120301:\n kfree+0xf1/0x2c0\n cachefiles_withdraw_cache+0x3fa/0x920\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n do_exit+0x87a/0x29b0\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n p1 | p2\n------------------------------------------------------------\n fscache_begin_lookup\n fscache_begin_volume_access\n fscache_cache_is_live(fscache_cache)\ncachefiles_daemon_release\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n fscache_withdraw_cache\n fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\n cachefiles_withdraw_objects(cache)\n fscache_wait_for_objects(fscache)\n atomic_read(&fscache_cache->object_count) == 0\n fscache_perform_lookup\n cachefiles_lookup_cookie\n cachefiles_alloc_object\n refcount_set(&object->ref, 1);\n object->volume = volume\n fscache_count_object(vcookie->cache);\n atomic_inc(&fscache_cache->object_count)\n cachefiles_withdraw_volumes\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n __cachefiles_free_volume\n kfree(cachefiles_volume)\n fscache_cookie_state_machine\n cachefiles_withdraw_cookie\n cache = object->volume->cache;\n // cachefiles_volume UAF !!!\n\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\nto complete first, and then wait for fscache_cache->object_count == 0 to\navoid the cookie exiting after the volume has been freed and triggering\nthe above issue. Therefore call fscache_withdraw_volume() before calling\ncachefiles_withdraw_objects().\n\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\ncases will occur:\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\n been executed before calling fscache_wait_for_objects().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41057" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41058", + "dataSource": "https://ubuntu.com/security/CVE-2024-41058", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41058" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41058", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41058", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/38b88d544216f806d93a273a62ff8ebe82254003", + "https://git.kernel.org/stable/c/522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36", + "https://git.kernel.org/stable/c/90f17e47f1e209c6a3c92a1d038a0a80c95c460e", + "https://git.kernel.org/stable/c/9dd7f5663899ea13a6a73216106d9c13c37453e3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in fscache_withdraw_volume()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370\nRead of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798\n\nCPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565\nCall Trace:\n kasan_check_range+0xf6/0x1b0\n fscache_withdraw_volume+0x2e1/0x370\n cachefiles_withdraw_volume+0x31/0x50\n cachefiles_withdraw_cache+0x3ad/0x900\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n\nAllocated by task 5820:\n __kmalloc+0x1df/0x4b0\n fscache_alloc_volume+0x70/0x600\n __fscache_acquire_volume+0x1c/0x610\n erofs_fscache_register_volume+0x96/0x1a0\n erofs_fscache_register_fs+0x49a/0x690\n erofs_fc_fill_super+0x6c0/0xcc0\n vfs_get_super+0xa9/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n\nFreed by task 5820:\n kfree+0xf1/0x2c0\n fscache_put_volume.part.0+0x5cb/0x9e0\n erofs_fscache_unregister_fs+0x157/0x1b0\n erofs_kill_sb+0xd9/0x1c0\n deactivate_locked_super+0xa3/0x100\n vfs_get_super+0x105/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount failed | daemon exit\n------------------------------------------------------------\n deactivate_locked_super cachefiles_daemon_release\n erofs_kill_sb\n erofs_fscache_unregister_fs\n fscache_relinquish_volume\n __fscache_relinquish_volume\n fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)\n zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n cachefiles_withdraw_volumes\n list_del_init(&volume->cache_link)\n fscache_free_volume(fscache_volume)\n cache->ops->free_volume\n cachefiles_free_volume\n list_del_init(&cachefiles_volume->cache_link);\n kfree(fscache_volume)\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n fscache_volume->n_accesses\n // fscache_volume UAF !!!\n\nThe fscache_volume in cache->volumes must not have been freed yet, but its\nreference count may be 0. So use the new fscache_try_get_volume() helper\nfunction try to get its reference count.\n\nIf the reference count of fscache_volume is 0, fscache_put_volume() is\nfreeing it, so wait for it to be removed from cache->volumes.\n\nIf its reference count is not 0, call cachefiles_withdraw_volume() with\nreference count protection to avoid the above issue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41058" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41059", + "dataSource": "https://ubuntu.com/security/CVE-2024-41059", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41059" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41059", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41059", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0570730c16307a72f8241df12363f76600baf57d", + "https://git.kernel.org/stable/c/22999936b91ba545ce1fbbecae6895127945e91c", + "https://git.kernel.org/stable/c/34f8efd2743f2d961e92e8e994de4c7a2f9e74a0", + "https://git.kernel.org/stable/c/72805debec8f7aa342da194fe0ed7bc8febea335", + "https://git.kernel.org/stable/c/ad57dc2caf1e0a3c0a9904400fae7afbc9f74bb2", + "https://git.kernel.org/stable/c/c733e24a61cbcff10f660041d6d84d32bb7e4cb4", + "https://git.kernel.org/stable/c/d02d8c1dacafb28930c39e16d48e40bb6e4cbc70", + "https://git.kernel.org/stable/c/f08956d8e0f80fd0d4ad84ec917302bb2f3a9c6a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix uninit-value in copy_name\n\n[syzbot reported]\nBUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160\n sized_strscpy+0xc4/0x160\n copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411\n hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3877 [inline]\n slab_alloc_node mm/slub.c:3918 [inline]\n kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065\n kmalloc include/linux/slab.h:628 [inline]\n hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[Fix]\nWhen allocating memory to strbuf, initialize memory to 0.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41059" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41060", + "dataSource": "https://ubuntu.com/security/CVE-2024-41060", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41060" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41060", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41060", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6fb15dcbcf4f212930350eaee174bb60ed40a536", + "https://git.kernel.org/stable/c/8a500b3a5f0a58c6f99039091fbd715f64f2f8af", + "https://git.kernel.org/stable/c/a2b201f83971df03c8e81a480b2f2846ae8ce1a3", + "https://git.kernel.org/stable/c/a9100f17428cb733c4f6fbb132d98bed76318342", + "https://git.kernel.org/stable/c/f13c96e0e325a057c03f8a47734adb360e112efe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: check bo_va->bo is non-NULL before using it\n\nThe call to radeon_vm_clear_freed might clear bo_va->bo, so\nwe have to check it before dereferencing it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41060" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41061", + "dataSource": "https://ubuntu.com/security/CVE-2024-41061", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41061" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41061", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41061", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0ad4b4a2f6357c45fbe444ead1a929a0b4017d03", + "https://git.kernel.org/stable/c/94166fe12543fbef122ca2d093e794ea41073a85" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport\n\n[Why]\nPotential out of bounds access in dml2_calculate_rq_and_dlg_params()\nbecause the value of out_lowest_state_idx used as an index for FCLKChangeSupport\narray can be greater than 1.\n\n[How]\nCurrently dml2 core specifies identical values for all FCLKChangeSupport\nelements. Always use index 0 in the condition to avoid out of bounds access.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41061" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41062", + "dataSource": "https://ubuntu.com/security/CVE-2024-41062", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41062" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41062", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41062", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b732449b78183d17178db40be3a4401cf3cd629", + "https://git.kernel.org/stable/c/605572e64cd9cebb05ed609d96cff05b50d18cdf", + "https://git.kernel.org/stable/c/89e856e124f9ae548572c56b1b70c2255705f8fe", + "https://git.kernel.org/stable/c/b803f30ea23e0968b6c8285c42adf0d862ab2bf6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbluetooth/l2cap: sync sock recv cb and release\n\nThe problem occurs between the system call to close the sock and hci_rx_work,\nwhere the former releases the sock and the latter accesses it without lock protection.\n\n CPU0 CPU1\n ---- ----\n sock_close hci_rx_work\n\t l2cap_sock_release hci_acldata_packet\n\t l2cap_sock_kill l2cap_recv_frame\n\t sk_free l2cap_conless_channel\n\t l2cap_sock_recv_cb\n\nIf hci_rx_work processes the data that needs to be received before the sock is\nclosed, then everything is normal; Otherwise, the work thread may access the\nreleased sock when receiving data.\n\nAdd a chan mutex in the rx callback of the sock to achieve synchronization between\nthe sock release and recv cb.\n\nSock is dead, so set chan data to NULL, avoid others use invalid sock pointer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41062" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41063", + "dataSource": "https://ubuntu.com/security/CVE-2024-41063", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41063" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41063", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41063", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0d151a103775dd9645c78c97f77d6e2a5298d913", + "https://git.kernel.org/stable/c/3f939bd73fed12dddc2a32a76116c19ca47c7678", + "https://git.kernel.org/stable/c/48542881997e17b49dc16b93fe910e0cfcf7a9f9", + "https://git.kernel.org/stable/c/96600c2e5ee8213dbab5df1617293d8e847bb4fa", + "https://git.kernel.org/stable/c/9cfc84b1d464cc024286f42a090718f9067b80ed", + "https://git.kernel.org/stable/c/d2ce562a5aff1dcd0c50d9808ea825ef90da909f", + "https://git.kernel.org/stable/c/d6cbce18370641a21dd889e8613d8153df15eb39", + "https://git.kernel.org/stable/c/ddeda6ca5f218b668b560d90fc31ae469adbfd92" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: cancel all works upon hci_unregister_dev()\n\nsyzbot is reporting that calling hci_release_dev() from hci_error_reset()\ndue to hci_dev_put() from hci_error_reset() can cause deadlock at\ndestroy_workqueue(), for hci_error_reset() is called from\nhdev->req_workqueue which destroy_workqueue() needs to flush.\n\nWe need to make sure that hdev->{rx_work,cmd_work,tx_work} which are\nqueued into hdev->workqueue and hdev->{power_on,error_reset} which are\nqueued into hdev->req_workqueue are no longer running by the moment\n\n destroy_workqueue(hdev->workqueue);\n destroy_workqueue(hdev->req_workqueue);\n\nare called from hci_release_dev().\n\nCall cancel_work_sync() on these work items from hci_unregister_dev()\nas soon as hdev->list is removed from hci_dev_list.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41063" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41064", + "dataSource": "https://ubuntu.com/security/CVE-2024-41064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/033c51dfdbb6b79ab43fb3587276fa82d0a329e1", + "https://git.kernel.org/stable/c/428d940a8b6b3350b282c14d3f63350bde65c48b", + "https://git.kernel.org/stable/c/4bc246d2d60d071314842fa448faa4ed39082aff", + "https://git.kernel.org/stable/c/4fad7fef847b6028475dd7b4c14fcb82b3e51274", + "https://git.kernel.org/stable/c/8836e1bf5838ac6c08760e0a2dd7cf6410aa7ff3", + "https://git.kernel.org/stable/c/a1216e62d039bf63a539bbe718536ec789a853dd", + "https://git.kernel.org/stable/c/f23c3d1ca9c4b2d626242a4e7e1ec1770447f7b5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/eeh: avoid possible crash when edev->pdev changes\n\nIf a PCI device is removed during eeh_pe_report_edev(), edev->pdev\nwill change and can cause a crash, hold the PCI rescan/remove lock\nwhile taking a copy of edev->pdev->bus.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41064" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41065", + "dataSource": "https://ubuntu.com/security/CVE-2024-41065", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41065" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41065", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41065", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0f5892212c27be31792ef1daa89c8dac1b3047e4", + "https://git.kernel.org/stable/c/1a14150e1656f7a332a943154fc486504db4d586", + "https://git.kernel.org/stable/c/1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2", + "https://git.kernel.org/stable/c/6b16098148ea58a67430d90e20476be2377c3acd", + "https://git.kernel.org/stable/c/a7b952941ce07e1e7a2cafd08c64a98e14f553e6", + "https://git.kernel.org/stable/c/e512a59b472684d8585125101ab03b86c2c1348a", + "https://git.kernel.org/stable/c/e59822f9d700349cd17968d22c979db23a2d347f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Whitelist dtl slub object for copying to userspace\n\nReading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*\nresults in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as\nshown below.\n\n kernel BUG at mm/usercopy.c:102!\n Oops: Exception in kernel mode, sig: 5 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc\n scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse\n CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85\n Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries\n NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8\n REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3)\n MSR: 8000000000029033 CR: 2828220f XER: 0000000e\n CFAR: c0000000001fdc80 IRQMASK: 0\n [ ... GPRs omitted ... ]\n NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0\n LR [c0000000005d23d0] usercopy_abort+0x74/0xb0\n Call Trace:\n usercopy_abort+0x74/0xb0 (unreliable)\n __check_heap_object+0xf8/0x120\n check_heap_object+0x218/0x240\n __check_object_size+0x84/0x1a4\n dtl_file_read+0x17c/0x2c4\n full_proxy_read+0x8c/0x110\n vfs_read+0xdc/0x3a0\n ksys_read+0x84/0x144\n system_call_exception+0x124/0x330\n system_call_vectored_common+0x15c/0x2ec\n --- interrupt: 3000 at 0x7fff81f3ab34\n\nCommit 6d07d1cd300f (\"usercopy: Restrict non-usercopy caches to size 0\")\nrequires that only whitelisted areas in slab/slub objects can be copied to\nuserspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.\nDtl contains hypervisor dispatch events which are expected to be read by\nprivileged users. Hence mark this safe for user access.\nSpecify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the\nentire object.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41065" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41066", + "dataSource": "https://ubuntu.com/security/CVE-2024-41066", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41066" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41066", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41066", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0983d288caf984de0202c66641577b739caad561", + "https://git.kernel.org/stable/c/16ad1557cae582e79bb82dddd612d9bdfaa11d4c", + "https://git.kernel.org/stable/c/267c61c4afed0ff9a2e83462abad3f41d8ca1f06", + "https://git.kernel.org/stable/c/e7b75def33eae61ddaad6cb616c517dc3882eb2a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Add tx check to prevent skb leak\n\nBelow is a summary of how the driver stores a reference to an skb during\ntransmit:\n tx_buff[free_map[consumer_index]]->skb = new_skb;\n free_map[consumer_index] = IBMVNIC_INVALID_MAP;\n consumer_index ++;\nWhere variable data looks like this:\n free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]\n \tconsumer_index^\n tx_buff == [skb=null, skb=, skb=, skb=null, skb=null]\n\nThe driver has checks to ensure that free_map[consumer_index] pointed to\na valid index but there was no check to ensure that this index pointed\nto an unused/null skb address. So, if, by some chance, our free_map and\ntx_buff lists become out of sync then we were previously risking an\nskb memory leak. This could then cause tcp congestion control to stop\nsending packets, eventually leading to ETIMEDOUT.\n\nTherefore, add a conditional to ensure that the skb address is null. If\nnot then warn the user (because this is still a bug that should be\npatched) and free the old pointer to prevent memleak/tcp problems.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41066" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41067", + "dataSource": "https://ubuntu.com/security/CVE-2024-41067", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41067" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41067", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41067", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72", + "https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: scrub: handle RST lookup error correctly\n\n[BUG]\nWhen running btrfs/060 with forced RST feature, it would crash the\nfollowing ASSERT() inside scrub_read_endio():\n\n\tASSERT(sector_nr < stripe->nr_sectors);\n\nBefore that, we would have tree dump from\nbtrfs_get_raid_extent_offset(), as we failed to find the RST entry for\nthe range.\n\n[CAUSE]\nInside scrub_submit_extent_sector_read() every time we allocated a new\nbbio we immediately called btrfs_map_block() to make sure there was some\nRST range covering the scrub target.\n\nBut if btrfs_map_block() fails, we immediately call endio for the bbio,\nwhile the bbio is newly allocated, it's completely empty.\n\nThen inside scrub_read_endio(), we go through the bvecs to find\nthe sector number (as bi_sector is no longer reliable if the bio is\nsubmitted to lower layers).\n\nAnd since the bio is empty, such bvecs iteration would not find any\nsector matching the sector, and return sector_nr == stripe->nr_sectors,\ntriggering the ASSERT().\n\n[FIX]\nInstead of calling btrfs_map_block() after allocating a new bbio, call\nbtrfs_map_block() first.\n\nSince our only objective of calling btrfs_map_block() is only to update\nstripe_len, there is really no need to do that after btrfs_alloc_bio().\n\nThis new timing would avoid the problem of handling empty bbio\ncompletely, and in fact fixes a possible race window for the old code,\nwhere if the submission thread is the only owner of the pending_io, the\nscrub would never finish (since we didn't decrease the pending_io\ncounter).\n\nAlthough the root cause of RST lookup failure still needs to be\naddressed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41067" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41068", + "dataSource": "https://ubuntu.com/security/CVE-2024-41068", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41068" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41068", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41068", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a31b3fdc7e735c4f8c65fe4339945c717ed6808", + "https://git.kernel.org/stable/c/2e51db7ab71b89dc5a17068f5e201c69f13a4c9a", + "https://git.kernel.org/stable/c/455a6653d8700a81aa8ed2b6442a3be476007090", + "https://git.kernel.org/stable/c/6434b33faaa063df500af355ee6c3942e0f8d982", + "https://git.kernel.org/stable/c/79b4be70d5a160969b805f638ac5b4efd0aac7a3", + "https://git.kernel.org/stable/c/a778987afc36d5dc02a1f82d352a81edcaf7eb83", + "https://git.kernel.org/stable/c/be0259796d0b76bbc7461e12c186814a9e58244c", + "https://git.kernel.org/stable/c/cf521049fcd07071ed42dc9758fce7d5ee120ec6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Fix sclp_init() cleanup on failure\n\nIf sclp_init() fails it only partially cleans up: if there are multiple\nfailing calls to sclp_init() sclp_state_change_event will be added several\ntimes to sclp_reg_list, which results in the following warning:\n\n------------[ cut here ]------------\nlist_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10.\nWARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3\nKrnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8)\n R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3\n...\nCall Trace:\n [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8\n([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8)\n [<000003ffe0a8d37e>] sclp_init+0x40e/0x450\n [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0\n [<000003ffe15b77a6>] do_initcalls+0x126/0x150\n [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8\n [<000003ffe0d6650e>] kernel_init+0x2e/0x180\n [<000003ffe000301c>] __ret_from_fork+0x3c/0x60\n [<000003ffe0d759ca>] ret_from_fork+0xa/0x30\n\nFix this by removing sclp_state_change_event from sclp_reg_list when\nsclp_init() fails.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41068" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41069", + "dataSource": "https://ubuntu.com/security/CVE-2024-41069", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41069" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41069", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41069", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1", + "https://git.kernel.org/stable/c/ab5a6208b4d6872b1c6ecea1867940fc668cc76d", + "https://git.kernel.org/stable/c/b188d7f3dfab10e332e3c1066e18857964a520d2", + "https://git.kernel.org/stable/c/ccae5c6a1fab9494c86b7856faf05e296c617702" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: topology: Fix references to freed memory\n\nMost users after parsing a topology file, release memory used by it, so\nhaving pointer references directly into topology file contents is wrong.\nUse devm_kmemdup(), to allocate memory as needed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41069" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41070", + "dataSource": "https://ubuntu.com/security/CVE-2024-41070", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41070" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41070", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41070", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0", + "https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a", + "https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf", + "https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe", + "https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63", + "https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47", + "https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()\n\nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().\n\nIt looks up `stt` from tablefd, but then continues to use it after doing\nfdput() on the returned fd. After the fdput() the tablefd is free to be\nclosed by another thread. The close calls kvm_spapr_tce_release() and\nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.\n\nAlthough there are calls to rcu_read_lock() in\nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent\nthe UAF, because `stt` is used outside the locked regions.\n\nWith an artifcial delay after the fdput() and a userspace program which\ntriggers the race, KASAN detects the UAF:\n\n BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505\n CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1\n Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV\n Call Trace:\n dump_stack_lvl+0xb4/0x108 (unreliable)\n print_report+0x2b4/0x6ec\n kasan_report+0x118/0x2b0\n __asan_load4+0xb8/0xd0\n kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n kvm_vfio_set_attr+0x524/0xac0 [kvm]\n kvm_device_ioctl+0x144/0x240 [kvm]\n sys_ioctl+0x62c/0x1810\n system_call_exception+0x190/0x440\n system_call_vectored_common+0x15c/0x2ec\n ...\n Freed by task 0:\n ...\n kfree+0xec/0x3e0\n release_spapr_tce_table+0xd4/0x11c [kvm]\n rcu_core+0x568/0x16a0\n handle_softirqs+0x23c/0x920\n do_softirq_own_stack+0x6c/0x90\n do_softirq_own_stack+0x58/0x90\n __irq_exit_rcu+0x218/0x2d0\n irq_exit+0x30/0x80\n arch_local_irq_restore+0x128/0x230\n arch_local_irq_enable+0x1c/0x30\n cpuidle_enter_state+0x134/0x5cc\n cpuidle_enter+0x6c/0xb0\n call_cpuidle+0x7c/0x100\n do_idle+0x394/0x410\n cpu_startup_entry+0x60/0x70\n start_secondary+0x3fc/0x410\n start_secondary_prolog+0x10/0x14\n\nFix it by delaying the fdput() until `stt` is no longer in use, which\nis effectively the entire function. To keep the patch minimal add a call\nto fdput() at each of the existing return paths. Future work can convert\nthe function to goto or __cleanup style cleanup.\n\nWith the fix in place the test case no longer triggers the UAF.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41070" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41071", + "dataSource": "https://ubuntu.com/security/CVE-2024-41071", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41071" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41071", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41071", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2663d0462eb32ae7c9b035300ab6b1523886c718", + "https://git.kernel.org/stable/c/4f43a614b1b84f0d1e3c48cc541c3bfdf414a6d0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Avoid address calculations via out of bounds array indexing\n\nreq->n_channels must be set before req->channels[] can be used.\n\nThis patch fixes one of the issues encountered in [1].\n\n[ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4\n[ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'\n[...]\n[ 83.964264] Call Trace:\n[ 83.964267] \n[ 83.964269] dump_stack_lvl+0x3f/0xc0\n[ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110\n[ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0\n[ 83.964281] __ieee80211_start_scan+0x601/0x990\n[ 83.964291] nl80211_trigger_scan+0x874/0x980\n[ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160\n[ 83.964298] genl_rcv_msg+0x240/0x270\n[...]\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41071" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41072", + "dataSource": "https://ubuntu.com/security/CVE-2024-41072", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41072" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41072", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41072", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/001120ff0c9e3557dee9b5ee0d358e0fc189996f", + "https://git.kernel.org/stable/c/35cee10ccaee5bd451a480521bbc25dc9f07fa5b", + "https://git.kernel.org/stable/c/6295bad58f988eaafcf0e6f8b198a580398acb3b", + "https://git.kernel.org/stable/c/6ef09cdc5ba0f93826c09d810c141a8d103a80fc", + "https://git.kernel.org/stable/c/a43cc0558530b6c065976b6b9246f512f8d3593b", + "https://git.kernel.org/stable/c/b02ba9a0b55b762bd04743a22f3d9f9645005e79", + "https://git.kernel.org/stable/c/de5fcf757e33596eed32de170ce5a93fa44dd2ac", + "https://git.kernel.org/stable/c/fe9644efd86704afe50e56b64b609de340ab7c95" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: wext: add extra SIOCSIWSCAN data check\n\nIn 'cfg80211_wext_siwscan()', add extra check whether number of\nchannels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed\nIW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41072" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41073", + "dataSource": "https://ubuntu.com/security/CVE-2024-41073", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41073" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41073", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41073", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/1b9fd1265fac85916f90b4648de02adccdb7220b", + "https://git.kernel.org/stable/c/ae84383c96d6662c24697ab6b44aae855ab670aa", + "https://git.kernel.org/stable/c/c5942a14f795de957ae9d66027aac8ff4fe70057", + "https://git.kernel.org/stable/c/e5d574ab37f5f2e7937405613d9b1a724811e5ad", + "https://git.kernel.org/stable/c/f3ab45aacd25d957547fb6d115c1574c20964b3b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: avoid double free special payload\n\nIf a discard request needs to be retried, and that retry may fail before\na new special payload is added, a double free will result. Clear the\nRQF_SPECIAL_LOAD when the request is cleaned.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41073" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41074", + "dataSource": "https://ubuntu.com/security/CVE-2024-41074", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41074" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41074", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41074", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0845c553db11c84ff53fccd59da11b6d6ece4a60", + "https://git.kernel.org/stable/c/4f8703fb3482f92edcfd31661857b16fec89c2c0", + "https://git.kernel.org/stable/c/703bea37d13e4ccdafd17ae7c4cb583752ba7663", + "https://git.kernel.org/stable/c/c32ee78fbc670e6f90989a45d340748e34cad333" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: Set object to close if ondemand_id < 0 in copen\n\nIf copen is maliciously called in the user mode, it may delete the request\ncorresponding to the random id. And the request may have not been read yet.\n\nNote that when the object is set to reopen, the open request will be done\nwith the still reopen state in above case. As a result, the request\ncorresponding to this object is always skipped in select_req function, so\nthe read request is never completed and blocks other process.\n\nFix this issue by simply set object to close if its id < 0 in copen.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41074" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41075", + "dataSource": "https://ubuntu.com/security/CVE-2024-41075", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41075" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41075", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41075", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/36d845ccd7bf527110a65fe953886a176c209539", + "https://git.kernel.org/stable/c/3b744884c0431b5a62c92900e64bfd0ed61e8e2a", + "https://git.kernel.org/stable/c/8aaa6c5dd2940ab934d6cd296175f43dbb32b34a", + "https://git.kernel.org/stable/c/a26dc49df37e996876f50a0210039b2d211fdd6f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: add consistency check for copen/cread\n\nThis prevents malicious processes from completing random copen/cread\nrequests and crashing the system. Added checks are listed below:\n\n * Generic, copen can only complete open requests, and cread can only\n complete read requests.\n * For copen, ondemand_id must not be 0, because this indicates that the\n request has not been read by the daemon.\n * For cread, the object corresponding to fd and req should be the same.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41075" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41076", + "dataSource": "https://ubuntu.com/security/CVE-2024-41076", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41076" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41076", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41076", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/899604a7c958771840941caff9ee3dd8193d984c", + "https://git.kernel.org/stable/c/aad11473f8f4be3df86461081ce35ec5b145ba68", + "https://git.kernel.org/stable/c/b98090699319e64f5de1e8db5bb75870f1eb1c6e", + "https://git.kernel.org/stable/c/d130220ccc94d74d70da984a199477937e7bf03c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix memory leak in nfs4_set_security_label\n\nWe leak nfs_fattr and nfs4_label every time we set a security xattr.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41076" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41077", + "dataSource": "https://ubuntu.com/security/CVE-2024-41077", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41077" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41077", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41077", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7", + "https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e", + "https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1", + "https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0", + "https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053", + "https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix validation of block size\n\nBlock size should be between 512 and PAGE_SIZE and be a power of 2. The current\ncheck does not validate this, so update the check.\n\nWithout this patch, null_blk would Oops due to a null pointer deref when\nloaded with bs=1536 [1].\n\n\n[axboe: remove unnecessary braces and != 0 check]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41077" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41078", + "dataSource": "https://ubuntu.com/security/CVE-2024-41078", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41078" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41078", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41078", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5ef3961682e5310f2221bae99bcf9f5d0f4b0d51", + "https://git.kernel.org/stable/c/7dd6a5b96157a21245566b21fd58276a214357ff", + "https://git.kernel.org/stable/c/8a69529f22590b67bb018de9acbcf94abc8603cf", + "https://git.kernel.org/stable/c/94818bdb00ef34a996a06aa63d11f591074cb757", + "https://git.kernel.org/stable/c/a7e4c6a3031c74078dba7fa36239d0f4fe476c53", + "https://git.kernel.org/stable/c/f88aeff5a173e8ba3133314eb4b964236ef3589d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix quota root leak after quota disable failure\n\nIf during the quota disable we fail when cleaning the quota tree or when\ndeleting the root from the root tree, we jump to the 'out' label without\never dropping the reference on the quota root, resulting in a leak of the\nroot since fs_info->quota_root is no longer pointing to the root (we have\nset it to NULL just before those steps).\n\nFix this by always doing a btrfs_put_root() call under the 'out' label.\nThis is a problem that exists since qgroups were first added in 2012 by\ncommit bed92eae26cc (\"Btrfs: qgroup implementation and prototypes\"), but\nback then we missed a kfree on the quota root and free_extent_buffer()\ncalls on its root and commit root nodes, since back then roots were not\nyet reference counted.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41078" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41079", + "dataSource": "https://ubuntu.com/security/CVE-2024-41079", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41079" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41079", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41079", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319", + "https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d", + "https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2", + "https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: always initialize cqe.result\n\nThe spec doesn't mandate that the first two double words (aka results)\nfor the command queue entry need to be set to 0 when they are not\nused (not specified). Though, the target implemention returns 0 for TCP\nand FC but not for RDMA.\n\nLet's make RDMA behave the same and thus explicitly initializing the\nresult field. This prevents leaking any data from the stack.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41079" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41080", + "dataSource": "https://ubuntu.com/security/CVE-2024-41080", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41080" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41080", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41080", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf", + "https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix possible deadlock in io_register_iowq_max_workers()\n\nThe io_register_iowq_max_workers() function calls io_put_sq_data(),\nwhich acquires the sqd->lock without releasing the uring_lock.\nSimilar to the commit 009ad9f0c6ee (\"io_uring: drop ctx->uring_lock\nbefore acquiring sqd->lock\"), this can lead to a potential deadlock\nsituation.\n\nTo resolve this issue, the uring_lock is released before calling\nio_put_sq_data(), and then it is re-acquired after the function call.\n\nThis change ensures that the locks are acquired in the correct\norder, preventing the possibility of a deadlock.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41080" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41081", + "dataSource": "https://ubuntu.com/security/CVE-2024-41081", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41081" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41081", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41081", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/522c3336c2025818fa05e9daf0ac35711e55e316", + "https://git.kernel.org/stable/c/7435bd2f84a25aba607030237261b3795ba782da", + "https://git.kernel.org/stable/c/96103371091c6476eb07f4c66624bdd1b42f758a", + "https://git.kernel.org/stable/c/9f9c79d8e527d867e0875868b14fb76e6011e70c", + "https://git.kernel.org/stable/c/a0cafb7b0b94d18e4813ee4b712a056f280e7b5a", + "https://git.kernel.org/stable/c/b4eb25a3d70df925a9fa4e82d17a958a0a228f5f", + "https://git.kernel.org/stable/c/cf28ff8e4c02e1ffa850755288ac954b6ff0db8c", + "https://git.kernel.org/stable/c/feac2391e26b086f73be30e9b1ab215eada8d830" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: block BH in ila_output()\n\nAs explained in commit 1378817486d6 (\"tipc: block BH\nbefore using dst_cache\"), net/core/dst_cache.c\nhelpers need to be called with BH disabled.\n\nila_output() is called from lwtunnel_output()\npossibly from process context, and under rcu_read_lock().\n\nWe might be interrupted by a softirq, re-enter ila_output()\nand corrupt dst_cache data structures.\n\nFix the race by using local_bh_disable().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41081" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41082", + "dataSource": "https://ubuntu.com/security/CVE-2024-41082", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41082" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41082", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41082", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/165da9c67a26f08c9b956c15d701da7690f45bcb", + "https://git.kernel.org/stable/c/7dc3bfcb4c9cc58970fff6aaa48172cb224d85aa" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fabrics: use reserved tag for reg read/write command\n\nIn some scenarios, if too many commands are issued by nvme command in\nthe same time by user tasks, this may exhaust all tags of admin_q. If\na reset (nvme reset or IO timeout) occurs before these commands finish,\nreconnect routine may fail to update nvme regs due to insufficient tags,\nwhich will cause kernel hang forever. In order to workaround this issue,\nmaybe we can let reg_read32()/reg_read64()/reg_write32() use reserved\ntags. This maybe safe for nvmf:\n\n1. For the disable ctrl path, we will not issue connect command\n2. For the enable ctrl / fw activate path, since connect and reg_xx()\n are called serially.\n\nSo the reserved tags may still be enough while reg_xx() use reserved tags.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41082" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41087", + "dataSource": "https://ubuntu.com/security/CVE-2024-41087", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41087" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41087", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41087", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/010de9acbea58fbcbda08e3793d6262086a493fe", + "https://git.kernel.org/stable/c/062e256516d7db5e7dcdef117f52025cd5c456e3", + "https://git.kernel.org/stable/c/290073b2b557e4dc21ee74a1e403d9ae79e393a2", + "https://git.kernel.org/stable/c/56f1c7e290cd6c69c948fcd2e2a49e6a637ec38f", + "https://git.kernel.org/stable/c/5dde5f8b790274723640d29a07c5a97d57d62047", + "https://git.kernel.org/stable/c/702c1edbafb2e6f9d20f6d391273b5be09d366a5", + "https://git.kernel.org/stable/c/8106da4d88bbaed809e023cc8014b766223d6e76", + "https://git.kernel.org/stable/c/ab9e0c529eb7cafebdd31fe1644524e80a48b05d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Fix double free on error\n\nIf e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump\nto the err_out label, which will call devres_release_group().\ndevres_release_group() will trigger a call to ata_host_release().\nata_host_release() calls kfree(host), so executing the kfree(host) in\nata_host_alloc() will lead to a double free:\n\nkernel BUG at mm/slub.c:553!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:kfree+0x2cf/0x2f0\nCode: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da\nRSP: 0018:ffffc90000f377f0 EFLAGS: 00010246\nRAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320\nRDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0\nRBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780\nR13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006\nFS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? __die_body.cold+0x19/0x27\n ? die+0x2e/0x50\n ? do_trap+0xca/0x110\n ? do_error_trap+0x6a/0x90\n ? kfree+0x2cf/0x2f0\n ? exc_invalid_op+0x50/0x70\n ? kfree+0x2cf/0x2f0\n ? asm_exc_invalid_op+0x1a/0x20\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? kfree+0x2cf/0x2f0\n ata_host_alloc+0xf5/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\n\nEnsure that we will not call kfree(host) twice, by performing the kfree()\nonly if the devres_open_group() call failed.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41087" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41088", + "dataSource": "https://ubuntu.com/security/CVE-2024-41088", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41088" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41088", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41088", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3e72558c1711d524e3150103739ddd06650e291b", + "https://git.kernel.org/stable/c/6c6b4afa59c2fb4d1759235f866d8caed2aa4729", + "https://git.kernel.org/stable/c/d8fb63e46c884c898a38f061c2330f7729e75510", + "https://git.kernel.org/stable/c/f926c022ebaabf7963bebf89a97201d66978a025" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251xfd: fix infinite loop when xmit fails\n\nWhen the mcp251xfd_start_xmit() function fails, the driver stops\nprocessing messages, and the interrupt routine does not return,\nrunning indefinitely even after killing the running application.\n\nError messages:\n[ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16\n[ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3).\n... and repeat forever.\n\nThe issue can be triggered when multiple devices share the same SPI\ninterface. And there is concurrent access to the bus.\n\nThe problem occurs because tx_ring->head increments even if\nmcp251xfd_start_xmit() fails. Consequently, the driver skips one TX\npackage while still expecting a response in\nmcp251xfd_handle_tefif_one().\n\nResolve the issue by starting a workqueue to write the tx obj\nsynchronously if err = -EBUSY. In case of another error, decrement\ntx_ring->head, remove skb from the echo stack, and drop the message.\n\n[mkl: use more imperative wording in patch description]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41088" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41089", + "dataSource": "https://ubuntu.com/security/CVE-2024-41089", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41089" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41089", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41089", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1c9f2e60150b4f13789064370e37f39e6e060f50", + "https://git.kernel.org/stable/c/30cbf6ffafbbdd8a6e4e5f0a2e9a9827ee83f3ad", + "https://git.kernel.org/stable/c/56fc4d3b0bdef691831cd95715a7ca3ebea98b2d", + "https://git.kernel.org/stable/c/5eecb49a6c268dc229005bf6e8167d4001dc09a0", + "https://git.kernel.org/stable/c/6d411c8ccc0137a612e0044489030a194ff5c843", + "https://git.kernel.org/stable/c/6e49a157d541e7e97b815a56f4bdfcbc89844a59", + "https://git.kernel.org/stable/c/7ece609b0ce7a7ea8acdf512a77d1fee26621637", + "https://git.kernel.org/stable/c/ffabad4aa91e33ced3c6ae793fb37771b3e9cb51" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes\n\nIn nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().\nAdd a check to avoid null pointer dereference.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41089" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41090", + "dataSource": "https://ubuntu.com/security/CVE-2024-41090", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41090" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41090", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41090", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/73d462a38d5f782b7c872fe9ae8393d9ef5483da", + "https://git.kernel.org/stable/c/7431144b406ae82807eb87d8c98e518475b0450f", + "https://git.kernel.org/stable/c/8be915fc5ff9a5e296f6538be12ea75a1a93bdea", + "https://git.kernel.org/stable/c/aa6a5704cab861c9b2ae9f475076e1881e87f5aa", + "https://git.kernel.org/stable/c/e1a786b9bbb767fd1c922d424aaa8078cc542309", + "https://git.kernel.org/stable/c/e5e5e63c506b93b89b01f522b6a7343585f784e6", + "https://git.kernel.org/stable/c/ed7f2afdd0e043a397677e597ced0830b83ba0b3", + "https://git.kernel.org/stable/c/ee93e6da30377cf2a75e16cd32bb9fcd86a61c46" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntap: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tap_get_user_xdp() path, which could cause a corrupted skb to be\nsent downstack. Even before the skb is transmitted, the\ntap_get_user_xdp()-->skb_set_network_header() may assume the size is more\nthan ETH_HLEN. Once transmitted, this could either cause out-of-bound\naccess beyond the actual length, or confuse the underlayer with incorrect\nor inconsistent header length in the skb metadata.\n\nIn the alternative path, tap_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tap_get_user() does.\n\nCVE: CVE-2024-41090", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41090" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41091", + "dataSource": "https://ubuntu.com/security/CVE-2024-41091", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41091" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41091", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41091", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/049584807f1d797fc3078b68035450a9769eb5c3", + "https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9", + "https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2", + "https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319", + "https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e545c598a5", + "https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb", + "https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146", + "https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tun_xdp_one() path, which could cause a corrupted skb to be sent\ndownstack. Even before the skb is transmitted, the\ntun_xdp_one-->eth_type_trans() may access the Ethernet header although it\ncan be less than ETH_HLEN. Once transmitted, this could either cause\nout-of-bound access beyond the actual length, or confuse the underlayer\nwith incorrect or inconsistent header length in the skb metadata.\n\nIn the alternative path, tun_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted for\nIFF_TAP.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tun_get_user() does.\n\nCVE: CVE-2024-41091", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41091" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41092", + "dataSource": "https://ubuntu.com/security/CVE-2024-41092", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41092" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41092", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41092", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7", + "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d", + "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc", + "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50", + "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6", + "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix potential UAF by revoke of fence registers\n\nCI has been sporadically reporting the following issue triggered by\nigt@i915_selftest@live@hangcheck on ADL-P and similar machines:\n\n<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence\n...\n<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled\n<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled\n<3> [414.070354] Unable to pin Y-tiled fence; err:-4\n<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))\n...\n<4>[ 609.603992] ------------[ cut here ]------------\n<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!\n<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1\n<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]\n<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]\n...\n<4>[ 609.604271] Call Trace:\n<4>[ 609.604273] \n...\n<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]\n<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]\n<4>[ 609.604977] force_unbind+0x24/0xa0 [i915]\n<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]\n<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]\n<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]\n<4>[ 609.605440] process_scheduled_works+0x351/0x690\n...\n\nIn the past, there were similar failures reported by CI from other IGT\ntests, observed on other platforms.\n\nBefore commit 63baf4f3d587 (\"drm/i915/gt: Only wait for GPU activity\nbefore unbinding a GGTT fence\"), i915_vma_revoke_fence() was waiting for\nidleness of vma->active via fence_update(). That commit introduced\nvma->fence->active in order for the fence_update() to be able to wait\nselectively on that one instead of vma->active since only idleness of\nfence registers was needed. But then, another commit 0d86ee35097a\n(\"drm/i915/gt: Make fence revocation unequivocal\") replaced the call to\nfence_update() in i915_vma_revoke_fence() with only fence_write(), and\nalso added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.\nNo justification was provided on why we might then expect idleness of\nvma->fence->active without first waiting on it.\n\nThe issue can be potentially caused by a race among revocation of fence\nregisters on one side and sequential execution of signal callbacks invoked\non completion of a request that was using them on the other, still\nprocessed in parallel to revocation of those fence registers. Fix it by\nwaiting for idleness of vma->fence->active in i915_vma_revoke_fence().\n\n(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41092" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41093", + "dataSource": "https://ubuntu.com/security/CVE-2024-41093", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41093" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41093", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41093", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/330c8c1453848c04d335bad81371a66710210800", + "https://git.kernel.org/stable/c/6ce0544cabaa608018d5922ab404dc656a9d8447", + "https://git.kernel.org/stable/c/7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc", + "https://git.kernel.org/stable/c/bcfa48ff785bd121316592b131ff6531e3e696bb", + "https://git.kernel.org/stable/c/dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid using null object of framebuffer\n\nInstead of using state->fb->obj[0] directly, get object from framebuffer\nby calling drm_gem_fb_get_obj() and return error code when object is\nnull to avoid using null object of framebuffer.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41093" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41095", + "dataSource": "https://ubuntu.com/security/CVE-2024-41095", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41095" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41095", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41095", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0d17604f2e44b3df21e218fe8fb3b836d41bac49", + "https://git.kernel.org/stable/c/259549b2ccf795b7f91f7b5aba47286addcfa389", + "https://git.kernel.org/stable/c/66edf3fb331b6c55439b10f9862987b0916b3726", + "https://git.kernel.org/stable/c/9289cd3450d1da3e271ef4b054d4d2932c41243e", + "https://git.kernel.org/stable/c/bdda5072494f2a7215d94fc4124ad1949a218714", + "https://git.kernel.org/stable/c/cb751e48bbcffd292090f7882b23b215111b3d72", + "https://git.kernel.org/stable/c/dbd75f32252508ed6c46c3288a282c301a57ceeb", + "https://git.kernel.org/stable/c/f95ed0f54b3d3faecae1140ddab854f904a6e7c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes\n\nIn nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41095" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41097", + "dataSource": "https://ubuntu.com/security/CVE-2024-41097", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41097" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41097", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41097", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1aac4be1aaa5177506219f01dce5e29194e5e95a", + "https://git.kernel.org/stable/c/23926d316d2836315cb113569f91393266eb5b47", + "https://git.kernel.org/stable/c/2eabb655a968b862bc0c31629a09f0fbf3c80d51", + "https://git.kernel.org/stable/c/5159a81924311c1ec786ad9fdef784ead8676a6a", + "https://git.kernel.org/stable/c/5584c776a1af7807ca815ee6265f2c1429fc5727", + "https://git.kernel.org/stable/c/75ddbf776dd04a09fb9e5267ead5d0c989f84506", + "https://git.kernel.org/stable/c/ac9007520e392541a29daebaae8b9109007bc781", + "https://git.kernel.org/stable/c/f536f09eb45e4de8d1b9accee9d992aa1846f1d4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: atm: cxacru: fix endpoint checking in cxacru_bind()\n\nSyzbot is still reporting quite an old issue [1] that occurs due to\nincomplete checking of present usb endpoints. As such, wrong\nendpoints types may be used at urb sumbitting stage which in turn\ntriggers a warning in usb_submit_urb().\n\nFix the issue by verifying that required endpoint types are present\nfor both in and out endpoints, taking into account cmd endpoint type.\n\nUnfortunately, this patch has not been tested on real hardware.\n\n[1] Syzbot report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\n...\nCall Trace:\n cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649\n cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760\n cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209\n usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055\n cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363\n usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:517 [inline]\n really_probe+0x23c/0xcd0 drivers/base/dd.c:595\n __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777\n __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894\n bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427\n __device_attach+0x228/0x4a0 drivers/base/dd.c:965\n bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487\n device_add+0xc2f/0x2180 drivers/base/core.c:3354\n usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41097" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-41098", + "dataSource": "https://ubuntu.com/security/CVE-2024-41098", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-41098" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-41098", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41098", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/119c97ace2a9ffcf4dc09a23bb057d6c281aff28", + "https://git.kernel.org/stable/c/5d92c7c566dc76d96e0e19e481d926bbe6631c1e", + "https://git.kernel.org/stable/c/8a8ff7e3b736a70d7b7c8764cbcd2724d4079ec8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Fix null pointer dereference on error\n\nIf the ata_port_alloc() call in ata_host_alloc() fails,\nata_host_release() will get called.\n\nHowever, the code in ata_host_release() tries to free ata_port struct\nmembers unconditionally, which can lead to the following:\n\nBUG: unable to handle page fault for address: 0000000000003990\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]\nCode: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41\nRSP: 0018:ffffc90000ebb968 EFLAGS: 00010246\nRAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0\nRBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68\nR10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004\nR13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006\nFS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0x15a/0x2f0\n ? exc_page_fault+0x7e/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? ata_host_release.cold+0x2f/0x6e [libata]\n ? ata_host_release.cold+0x2f/0x6e [libata]\n release_nodes+0x35/0xb0\n devres_release_group+0x113/0x140\n ata_host_alloc+0xed/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\n\nDo not access ata_port struct members unconditionally.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-41098" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42063", + "dataSource": "https://ubuntu.com/security/CVE-2024-42063", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42063" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42063", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42063", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3189983c26108cf0990e5c46856dc9feb9470d12", + "https://git.kernel.org/stable/c/b30f3197a6cd080052d5d4973f9a6b479fd9fff5", + "https://git.kernel.org/stable/c/d812ae6e02bd6e6a9cd1fdb09519c2f33e875faf", + "https://git.kernel.org/stable/c/e8742081db7d01f980c6161ae1e8a1dbc1e30979" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode\n\nsyzbot reported uninit memory usages during map_{lookup,delete}_elem.\n\n==========\nBUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\nBUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\n__dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\ndev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\n____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]\nbpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38\n___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n__bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237\n==========\n\nThe reproducer should be in the interpreter mode.\n\nThe C reproducer is trying to run the following bpf prog:\n\n 0: (18) r0 = 0x0\n 2: (18) r1 = map[id:49]\n 4: (b7) r8 = 16777216\n 5: (7b) *(u64 *)(r10 -8) = r8\n 6: (bf) r2 = r10\n 7: (07) r2 += -229\n ^^^^^^^^^^\n\n 8: (b7) r3 = 8\n 9: (b7) r4 = 0\n 10: (85) call dev_map_lookup_elem#1543472\n 11: (95) exit\n\nIt is due to the \"void *key\" (r2) passed to the helper. bpf allows uninit\nstack memory access for bpf prog with the right privileges. This patch\nuses kmsan_unpoison_memory() to mark the stack as initialized.\n\nThis should address different syzbot reports on the uninit \"void *key\"\nargument during map_{lookup,delete}_elem.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42063" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42064", + "dataSource": "https://ubuntu.com/security/CVE-2024-42064", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42064" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42064", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42064", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/27df59c6071470efce7182ee92fbb16afba551e0", + "https://git.kernel.org/stable/c/af114efe8d24b5711cfbedf7180f2ac1a296c24b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip pipe if the pipe idx not set properly\n\n[why]\nDriver crashes when pipe idx not set properly\n\n[how]\nAdd code to skip the pipe that idx not set properly", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42064" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42065", + "dataSource": "https://ubuntu.com/security/CVE-2024-42065", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42065" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42065", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42065", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/a6eff8f9c7e844cb24ccb188ca24abcd59734e74", + "https://git.kernel.org/stable/c/cc796a77985d6af75c9362cb2e73dce4ae3f97cd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add a NULL check in xe_ttm_stolen_mgr_init\n\nAdd an explicit check to ensure that the mgr is not NULL.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42065" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42066", + "dataSource": "https://ubuntu.com/security/CVE-2024-42066", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42066" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42066", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42066", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4f4fcafde343a54465f85a2909fc684918507a4b", + "https://git.kernel.org/stable/c/79d54ddf0e292b810887994bb04709c5ac0e1531" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix potential integer overflow in page size calculation\n\nExplicitly cast tbo->page_alignment to u64 before bit-shifting to\nprevent overflow when assigning to min_page_size.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42066" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42067", + "dataSource": "https://ubuntu.com/security/CVE-2024-42067", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42067" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42067", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42067", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/044da7ae7afd4ef60806d73654a2e6a79aa4ed7a", + "https://git.kernel.org/stable/c/08f6c05feb1db21653e98ca84ea04ca032d014c7", + "https://git.kernel.org/stable/c/9fef36cad60d4226f9d06953cd56d1d2f9119730", + "https://git.kernel.org/stable/c/e60adf513275c3a38e5cb67f7fd12387e43a3ff5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Take return from set_memory_rox() into account with bpf_jit_binary_lock_ro()\n\nset_memory_rox() can fail, leaving memory unprotected.\n\nCheck return and bail out when bpf_jit_binary_lock_ro() returns\nan error.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42067" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42068", + "dataSource": "https://ubuntu.com/security/CVE-2024-42068", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42068" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42068", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42068", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/05412471beba313ecded95aa17b25fe84bb2551a", + "https://git.kernel.org/stable/c/7d2cc63eca0c993c99d18893214abf8f85d566d8", + "https://git.kernel.org/stable/c/a359696856ca9409fb97655c5a8ef0f549cb6e03", + "https://git.kernel.org/stable/c/e3540e5a7054d6daaf9a1415a48aacb092112a89", + "https://git.kernel.org/stable/c/e4f602e3ff749ba770bf8ff10196e18358de6720", + "https://git.kernel.org/stable/c/fdd411af8178edc6b7bf260f8fa4fba1bedd0a6d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()\n\nset_memory_ro() can fail, leaving memory unprotected.\n\nCheck its return and take it into account as an error.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42068" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42070", + "dataSource": "https://ubuntu.com/security/CVE-2024-42070", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42070" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42070", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42070", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4", + "https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f", + "https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa1c2980f", + "https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8", + "https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf", + "https://git.kernel.org/stable/c/7931d32955e09d0a11b1fe0b6aac1bfa061c005c", + "https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564", + "https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers\n\nregister store validation for NFT_DATA_VALUE is conditional, however,\nthe datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This\nonly requires a new helper function to infer the register type from the\nset datatype so this conditional check can be removed. Otherwise,\npointer to chain object can be leaked through the registers.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42070" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42076", + "dataSource": "https://ubuntu.com/security/CVE-2024-42076", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42076" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42076", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42076", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/4c5dc3927e17489c1cae6f48c0d5e4acb4cae01f", + "https://git.kernel.org/stable/c/5e4ed38eb17eaca42de57d500cc0f9668d2b6abf", + "https://git.kernel.org/stable/c/a2a0ebff7fdeb2f66e29335adf64b9e457300dd4", + "https://git.kernel.org/stable/c/ab2a683938ba4416d389c2f5651cbbb2c41b779f", + "https://git.kernel.org/stable/c/b7cdf1dd5d2a2d8200efd98d1893684db48fe134", + "https://git.kernel.org/stable/c/ba7e5ae8208ac07d8e1eace0951a34c169a2d298", + "https://git.kernel.org/stable/c/f97cbce633923588307049c4aef9feb2987e371b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: Initialize unused data in j1939_send_one()\n\nsyzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()\ncreates full frame including unused data, but it doesn't initialize\nit. This causes the kernel-infoleak issue. Fix this by initializing\nunused data.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n memcpy_to_msg include/linux/skbuff.h:4113 [inline]\n raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n ____sys_recvmsg+0x18a/0x620 net/socket.c:2803\n ___sys_recvmsg+0x223/0x840 net/socket.c:2845\n do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034\n x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1313 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n sock_alloc_send_skb include/net/sock.h:1842 [inline]\n j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]\n j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]\n j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBytes 12-15 of 16 are uninitialized\nMemory access of size 16 starts at ffff888120969690\nData copied to user address 00000000200017c0\n\nCPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42076" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42077", + "dataSource": "https://ubuntu.com/security/CVE-2024-42077", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42077" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42077", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42077", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/320273b5649bbcee87f9e65343077189699d2a7a", + "https://git.kernel.org/stable/c/331d1079d58206ff7dc5518185f800b412f89bc6", + "https://git.kernel.org/stable/c/9ea2d1c6789722d58ec191f14f9a02518d55b6b4", + "https://git.kernel.org/stable/c/a68b896aa56e435506453ec8835bc991ec3ae687", + "https://git.kernel.org/stable/c/be346c1a6eeb49d8fda827d2a9522124c2f72f36", + "https://git.kernel.org/stable/c/c05ffb693bfb42a48ef3ee88a55b57392984e111" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix DIO failure due to insufficient transaction credits\n\nThe code in ocfs2_dio_end_io_write() estimates number of necessary\ntransaction credits using ocfs2_calc_extend_credits(). This however does\nnot take into account that the IO could be arbitrarily large and can\ncontain arbitrary number of extents.\n\nExtent tree manipulations do often extend the current transaction but not\nin all of the cases. For example if we have only single block extents in\nthe tree, ocfs2_mark_extent_written() will end up calling\nocfs2_replace_extent_rec() all the time and we will never extend the\ncurrent transaction and eventually exhaust all the transaction credits if\nthe IO contains many single block extents. Once that happens a\nWARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in\njbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to\nthis error. This was actually triggered by one of our customers on a\nheavily fragmented OCFS2 filesystem.\n\nTo fix the issue make sure the transaction always has enough credits for\none extent insert before each call of ocfs2_mark_extent_written().\n\nHeming Zhao said:\n\n------\nPANIC: \"Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error\"\n\nPID: xxx TASK: xxxx CPU: 5 COMMAND: \"SubmitThread-CA\"\n #0 machine_kexec at ffffffff8c069932\n #1 __crash_kexec at ffffffff8c1338fa\n #2 panic at ffffffff8c1d69b9\n #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]\n #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]\n #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]\n #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]\n #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]\n #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]\n #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]\n#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]\n#11 dio_complete at ffffffff8c2b9fa7\n#12 do_blockdev_direct_IO at ffffffff8c2bc09f\n#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]\n#14 generic_file_direct_write at ffffffff8c1dcf14\n#15 __generic_file_write_iter at ffffffff8c1dd07b\n#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]\n#17 aio_write at ffffffff8c2cc72e\n#18 kmem_cache_alloc at ffffffff8c248dde\n#19 do_io_submit at ffffffff8c2ccada\n#20 do_syscall_64 at ffffffff8c004984\n#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42077" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42079", + "dataSource": "https://ubuntu.com/security/CVE-2024-42079", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42079" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42079", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42079", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3429ef5f50909cee9e498c50f0c499b9397116ce", + "https://git.kernel.org/stable/c/35264909e9d1973ab9aaa2a1b07cda70f12bb828", + "https://git.kernel.org/stable/c/f54f9d5368a4e92ede7dd078a62788dae3a7c6ef" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix NULL pointer dereference in gfs2_log_flush\n\nIn gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush\nlock to provide exclusion against gfs2_log_flush().\n\nIn gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before\ndereferencing it. Otherwise, we could run into a NULL pointer\ndereference when outstanding glock work races with an unmount\n(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->\ngfs2_log_flush).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42079" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42080", + "dataSource": "https://ubuntu.com/security/CVE-2024-42080", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42080" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42080", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42080", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/782bdaf9d01658281bc813f3f873e6258aa1fd8d", + "https://git.kernel.org/stable/c/8656ef8a9288d6c932654f8d3856dc4ab1cfc6b5", + "https://git.kernel.org/stable/c/8ac281d42337f36cf7061cf1ea094181b84bc1a9", + "https://git.kernel.org/stable/c/ca537a34775c103f7b14d7bbd976403f1d1525d8", + "https://git.kernel.org/stable/c/f45b43d17240e9ca67ebf3cc82bb046b07cc1c61" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/restrack: Fix potential invalid address access\n\nstruct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME\nin ib_create_cq(), while if the module exited but forgot del this\nrdma_restrack_entry, it would cause a invalid address access in\nrdma_restrack_clean() when print the owner of this rdma_restrack_entry.\n\nThese code is used to help find one forgotten PD release in one of the\nULPs. But it is not needed anymore, so delete them.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42080" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42082", + "dataSource": "https://ubuntu.com/security/CVE-2024-42082", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42082" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42082", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42082", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1095b8efbb13a6a5fa583ed373ee1ccab29da2d0", + "https://git.kernel.org/stable/c/14e51ea78b4ccacb7acb1346b9241bb790a2054c", + "https://git.kernel.org/stable/c/1d3e3b3aa2cbe9bc7db9a7f8673a9fa6d2990d54", + "https://git.kernel.org/stable/c/4e0c539ee265d5c6e7fa7d229cd4aa7bc01816e2", + "https://git.kernel.org/stable/c/7e9f79428372c6eab92271390851be34ab26bfb4", + "https://git.kernel.org/stable/c/f92298b0467fd77edc4c1a2c3e48833e69840ec4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: Remove WARN() from __xdp_reg_mem_model()\n\nsyzkaller reports a warning in __xdp_reg_mem_model().\n\nThe warning occurs only if __mem_id_init_hash_table() returns an error. It\nreturns the error in two cases:\n\n 1. memory allocation fails;\n 2. rhashtable_init() fails when some fields of rhashtable_params\n struct are not initialized properly.\n\nThe second case cannot happen since there is a static const rhashtable_params\nstruct with valid fields. So, warning is only triggered when there is a\nproblem with memory allocation.\n\nThus, there is no sense in using WARN() to handle this error and it can be\nsafely removed.\n\nWARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\n\nCPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\n\nCall Trace:\n xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344\n xdp_test_run_setup net/bpf/test_run.c:188 [inline]\n bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377\n bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267\n bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240\n __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649\n __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nFound by Linux Verification Center (linuxtesting.org) with syzkaller.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42082" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42084", + "dataSource": "https://ubuntu.com/security/CVE-2024-42084", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42084" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42084", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42084", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4b8e88e563b5f666446d002ad0dc1e6e8e7102b0", + "https://git.kernel.org/stable/c/5ae6af68410bdad6181ec82104bb9985a7a6a0fa", + "https://git.kernel.org/stable/c/836359247b0403e0634bfbc83e5bb8063fad287a", + "https://git.kernel.org/stable/c/84bf6b64a1a0dfc6de7e1b1c776d58d608e7865a", + "https://git.kernel.org/stable/c/930a4c369f74da26816eaaa71b5888d29b759c27", + "https://git.kernel.org/stable/c/c329760749b5419769e57cb2be80955d2805f9c9", + "https://git.kernel.org/stable/c/dbb226d81cd02cee140139c2369791e6f61f2007", + "https://git.kernel.org/stable/c/f531d4bc6c5588d713359e42ed65e46816d841d8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nftruncate: pass a signed offset\n\nThe old ftruncate() syscall, using the 32-bit off_t misses a sign\nextension when called in compat mode on 64-bit architectures. As a\nresult, passing a negative length accidentally succeeds in truncating\nto file size between 2GiB and 4GiB.\n\nChanging the type of the compat syscall to the signed compat_off_t\nchanges the behavior so it instead returns -EINVAL.\n\nThe native entry point, the truncate() syscall and the corresponding\nloff_t based variants are all correct already and do not suffer\nfrom this mistake.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42084" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42085", + "dataSource": "https://ubuntu.com/security/CVE-2024-42085", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42085" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42085", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42085", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/17e2956633ca560b95f1cbbb297cfc2adf650649", + "https://git.kernel.org/stable/c/7026576e89094aa9a0062aa6d10cba18aa99944c", + "https://git.kernel.org/stable/c/7838de15bb700c2898a7d741db9b1f3cbc86c136", + "https://git.kernel.org/stable/c/d77e2b5104c51d3668b9717c825a4a06998efe63", + "https://git.kernel.org/stable/c/f1274cfab183e69a7c7bafffcb4f50703c876276" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock\n\nWhen config CONFIG_USB_DWC3_DUAL_ROLE is selected, and trigger system\nto enter suspend status with below command:\necho mem > /sys/power/state\nThere will be a deadlock issue occurring. Detailed invoking path as\nbelow:\ndwc3_suspend_common()\n spin_lock_irqsave(&dwc->lock, flags); <-- 1st\n dwc3_gadget_suspend(dwc);\n dwc3_gadget_soft_disconnect(dwc);\n spin_lock_irqsave(&dwc->lock, flags); <-- 2nd\nThis issue is exposed by commit c7ebd8149ee5 (\"usb: dwc3: gadget: Fix\nNULL pointer dereference in dwc3_gadget_suspend\") that removes the code\nof checking whether dwc->gadget_driver is NULL or not. It causes the\nfollowing code is executed and deadlock occurs when trying to get the\nspinlock. In fact, the root cause is the commit 5265397f9442(\"usb: dwc3:\nRemove DWC3 locking during gadget suspend/resume\") that forgot to remove\nthe lock of otg mode. So, remove the redundant lock of otg mode during\ngadget suspend/resume.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42085" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42086", + "dataSource": "https://ubuntu.com/security/CVE-2024-42086", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42086" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42086", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42086", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3add41bbda92938e9a528d74659dfc552796be4e", + "https://git.kernel.org/stable/c/6fa31bbe2ea8665ee970258eb8320cbf231dbe9e", + "https://git.kernel.org/stable/c/7a13d1357658d3a3c1cd7b3b9543c805a6e5e6e9", + "https://git.kernel.org/stable/c/b0af334616ed425024bf220adda0f004806b5feb", + "https://git.kernel.org/stable/c/b5967393d50e3c6e632efda3ea3fdde14c1bfd0e", + "https://git.kernel.org/stable/c/ba1bb3e2a38a7fef1c1818dd4f2d9abbfdde553a", + "https://git.kernel.org/stable/c/c326551e99f5416986074ce78bef94f6a404b517", + "https://git.kernel.org/stable/c/fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: chemical: bme680: Fix overflows in compensate() functions\n\nThere are cases in the compensate functions of the driver that\nthere could be overflows of variables due to bit shifting ops.\nThese implications were initially discussed here [1] and they\nwere mentioned in log message of Commit 1b3bd8592780 (\"iio:\nchemical: Add support for Bosch BME680 sensor\").\n\n[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42086" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42087", + "dataSource": "https://ubuntu.com/security/CVE-2024-42087", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42087" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42087", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42087", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1618f7a875ffd916596392fd29880c0429b8af60", + "https://git.kernel.org/stable/c/489f38de3375ab84b3d269d0a1d64d6ee95d7044", + "https://git.kernel.org/stable/c/5f41401219fbe7663b3cf65ebd4ed95ebbb8ffb9", + "https://git.kernel.org/stable/c/98686ec1824728ff41d7b358131f7d0227c2ba2a", + "https://git.kernel.org/stable/c/b71348be1236398be2d04c5e145fd6eaae86a91b", + "https://git.kernel.org/stable/c/cae52f61fda0f5d2949dc177f984c9e187d4c6a0", + "https://git.kernel.org/stable/c/e646402bf82145349fcf5dcbe395afaf02a8ce47", + "https://git.kernel.org/stable/c/ee7860cd8b5763017f8dc785c2851fecb7a0c565" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep\n\nThe ilitek-ili9881c controls the reset GPIO using the non-sleeping\ngpiod_set_value() function. This complains loudly when the GPIO\ncontroller needs to sleep. As the caller can sleep, use\ngpiod_set_value_cansleep() to fix the issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42087" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42089", + "dataSource": "https://ubuntu.com/security/CVE-2024-42089", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42089" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42089", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42089", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/29bc9e7c75398b0d12fc30955f2e9b2dd29ffaed", + "https://git.kernel.org/stable/c/3662eb2170e59b58ad479982dc1084889ba757b9", + "https://git.kernel.org/stable/c/544ab46b7ece6d6bebbdee5d5659c0a0f804a99a", + "https://git.kernel.org/stable/c/7c18b4d89ff9c810b6e562408afda5ce165c4ea6", + "https://git.kernel.org/stable/c/8896e18b7c366f8faf9344abfd0971435f1c723a", + "https://git.kernel.org/stable/c/8faf91e58425c2f6ce773250dfd995f1c2d461ac", + "https://git.kernel.org/stable/c/90f3feb24172185f1832636264943e8b5e289245", + "https://git.kernel.org/stable/c/ae81535ce2503aabc4adab3472f4338070cdeb6a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: fsl-asoc-card: set priv->pdev before using it\n\npriv->pdev pointer was set after being used in\nfsl_asoc_card_audmux_init().\nMove this assignment at the start of the probe function, so\nsub-functions can correctly use pdev through priv.\n\nfsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the\ndev struct, used with dev_err macros.\nAs priv is zero-initialised, there would be a NULL pointer dereference.\nNote that if priv->dev is dereferenced before assignment but never used,\nfor example if there is no error to be printed, the driver won't crash\nprobably due to compiler optimisations.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42089" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42090", + "dataSource": "https://ubuntu.com/security/CVE-2024-42090", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42090" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42090", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42090", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/01fe2f885f7813f8aed5d3704b384a97b1116a9e", + "https://git.kernel.org/stable/c/4038c57bf61631219b31f1bd6e92106ec7f084dc", + "https://git.kernel.org/stable/c/420ce1261907e5dbeda1e4daffd5b6c76f8188c0", + "https://git.kernel.org/stable/c/48a7a7c9571c3e62f17012dd7f2063e926179ddd", + "https://git.kernel.org/stable/c/adec57ff8e66aee632f3dd1f93787c13d112b7a1", + "https://git.kernel.org/stable/c/b36efd2e3e22a329444b6b24fa48df6d20ae66e6", + "https://git.kernel.org/stable/c/b813e3fd102a959c5b208ed68afe27e0137a561b", + "https://git.kernel.org/stable/c/e65a0dc2e85efb28e182aca50218e8a056d0ce04" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER\n\nIn create_pinctrl(), pinctrl_maps_mutex is acquired before calling\nadd_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()\ncalls pinctrl_free(). However, pinctrl_free() attempts to acquire\npinctrl_maps_mutex, which is already held by create_pinctrl(), leading to\na potential deadlock.\n\nThis patch resolves the issue by releasing pinctrl_maps_mutex before\ncalling pinctrl_free(), preventing the deadlock.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42090" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42091", + "dataSource": "https://ubuntu.com/security/CVE-2024-42091", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42091" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42091", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42091", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/583ce246c7ff9edeb0de49130cdc3d45db8545cb", + "https://git.kernel.org/stable/c/a918e771e6fbe1fa68932af5b0cdf473e23090cc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Check pat.ops before dumping PAT settings\n\nWe may leave pat.ops unset when running on brand new platform or\nwhen running as a VF. While the former is unlikely, the latter\nis valid (future) use case and will cause NPD when someone will\ntry to dump PAT settings by debugfs.\n\nIt's better to check pointer to pat.ops instead of specific .dump\nhook, as we have this hook always defined for every .ops variant.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42091" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42092", + "dataSource": "https://ubuntu.com/security/CVE-2024-42092", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42092" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42092", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42092", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2d83492259ad746b655f196cd5d1be4b3d0a3782", + "https://git.kernel.org/stable/c/70b48899f3f23f98a52c5b1060aefbdc7ba7957b", + "https://git.kernel.org/stable/c/7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164", + "https://git.kernel.org/stable/c/89d7008af4945808677662a630643b5ea89c6e8d", + "https://git.kernel.org/stable/c/a8d78984fdc105bc1a38b73e98d32b1bc4222684", + "https://git.kernel.org/stable/c/c542e51306d5f1eba3af84daa005826223382470", + "https://git.kernel.org/stable/c/cd75721984337c38a12aeca33ba301d31ca4b3fd", + "https://git.kernel.org/stable/c/e44a83bf15c4db053ac6dfe96a23af184c9136d9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: davinci: Validate the obtained number of IRQs\n\nValue of pdata->gpio_unbanked is taken from Device Tree. In case of broken\nDT due to any error this value can be any. Without this value validation\nthere can be out of chips->irqs array boundaries access in\ndavinci_gpio_probe().\n\nValidate the obtained nirq value so that it won't exceed the maximum\nnumber of IRQs per bank.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42092" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42093", + "dataSource": "https://ubuntu.com/security/CVE-2024-42093", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42093" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42093", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42093", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/48147337d7efdea6ad6e49f5b8eb894b95868ef0", + "https://git.kernel.org/stable/c/5e4f25091e6d06e99a23f724c839a58a8776a527", + "https://git.kernel.org/stable/c/69f49527aea12c23b78fb3d0a421950bf44fb4e2", + "https://git.kernel.org/stable/c/763896ab62a672d728f5eb10ac90d98c607a8509", + "https://git.kernel.org/stable/c/a55afc0f5f20ba30970aaf7271929dc00eee5e7d", + "https://git.kernel.org/stable/c/b2262b3be27cee334a2fa175ae3afb53f38fb0b1", + "https://git.kernel.org/stable/c/d33fe1714a44ff540629b149d8fab4ac6967585c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/dpaa2: Avoid explicit cpumask var allocation on stack\n\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\nvariable on stack is not recommended since it can cause potential stack\noverflow.\n\nInstead, kernel code should always use *cpumask_var API(s) to allocate\ncpumask var in config-neutral way, leaving allocation strategy to\nCONFIG_CPUMASK_OFFSTACK.\n\nUse *cpumask_var API(s) to address it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42093" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42094", + "dataSource": "https://ubuntu.com/security/CVE-2024-42094", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42094" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42094", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42094", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0af718a690acc089aa1bbb95a93df833d864ef53", + "https://git.kernel.org/stable/c/2b085521be5292016097b5e7ca81b26be3f7098d", + "https://git.kernel.org/stable/c/2d090c7f7be3b26fcb80ac04d08a4a8062b1d959", + "https://git.kernel.org/stable/c/724e7965af054079242b8d6f7e50ee226730a756", + "https://git.kernel.org/stable/c/842afb47d84536fc976fece8fb6c54bea711ad1a", + "https://git.kernel.org/stable/c/9dadab0db7d904413ea1cdaa13f127da05c31e71", + "https://git.kernel.org/stable/c/be4e1304419c99a164b4c0e101c7c2a756b635b9", + "https://git.kernel.org/stable/c/d85ca8179a54ff8cf1e1f8c3c9e3799831319bae" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: Avoid explicit cpumask var allocation on stack\n\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\nvariable on stack is not recommended since it can cause potential stack\noverflow.\n\nInstead, kernel code should always use *cpumask_var API(s) to allocate\ncpumask var in config-neutral way, leaving allocation strategy to\nCONFIG_CPUMASK_OFFSTACK.\n\nUse *cpumask_var API(s) to address it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42094" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42095", + "dataSource": "https://ubuntu.com/security/CVE-2024-42095", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42095" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42095", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42095", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6270051f656004ca5cde644c73cb1fa4d718792e", + "https://git.kernel.org/stable/c/87257a28271c828a98f762bf2dd803c1793d2b5b", + "https://git.kernel.org/stable/c/98840e410d53329f5331ecdce095e740791963d0", + "https://git.kernel.org/stable/c/9d141c1e615795eeb93cd35501ad144ee997a826", + "https://git.kernel.org/stable/c/cb879300669881970eabebe64bd509dbbe42b9de", + "https://git.kernel.org/stable/c/e67d7f38008e56fb691b6a72cadf16c107c2f48b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_omap: Implementation of Errata i2310\n\nAs per Errata i2310[0], Erroneous timeout can be triggered,\nif this Erroneous interrupt is not cleared then it may leads\nto storm of interrupts, therefore apply Errata i2310 solution.\n\n[0] https://www.ti.com/lit/pdf/sprz536 page 23", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42095" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42096", + "dataSource": "https://ubuntu.com/security/CVE-2024-42096", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42096" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42096", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42096", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/093d9603b60093a9aaae942db56107f6432a5dca", + "https://git.kernel.org/stable/c/161cef818545ecf980f0e2ebaf8ba7326ce53c2b", + "https://git.kernel.org/stable/c/16222beb9f8e5ceb0beeb5cbe54bef16df501a92", + "https://git.kernel.org/stable/c/27c3be840911b15a3f24ed623f86153c825b6b29", + "https://git.kernel.org/stable/c/2d07fea561d64357fb7b3f3751e653bf20306d77", + "https://git.kernel.org/stable/c/49c09ca35a5f521d7fa18caf62fdf378f15e8aa4", + "https://git.kernel.org/stable/c/65ebdde16e7f5da99dbf8a548fb635837d78384e", + "https://git.kernel.org/stable/c/a3b65c8cbc139bfce9541bc81c1bb766e5ba3f68" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: stop playing stack games in profile_pc()\n\nThe 'profile_pc()' function is used for timer-based profiling, which\nisn't really all that relevant any more to begin with, but it also ends\nup making assumptions based on the stack layout that aren't necessarily\nvalid.\n\nBasically, the code tries to account the time spent in spinlocks to the\ncaller rather than the spinlock, and while I support that as a concept,\nit's not worth the code complexity or the KASAN warnings when no serious\nprofiling is done using timers anyway these days.\n\nAnd the code really does depend on stack layout that is only true in the\nsimplest of cases. We've lost the comment at some point (I think when\nthe 32-bit and 64-bit code was unified), but it used to say:\n\n\tAssume the lock function has either no stack frame or a copy\n\tof eflags from PUSHF.\n\nwhich explains why it just blindly loads a word or two straight off the\nstack pointer and then takes a minimal look at the values to just check\nif they might be eflags or the return pc:\n\n\tEflags always has bits 22 and up cleared unlike kernel addresses\n\nbut that basic stack layout assumption assumes that there isn't any lock\ndebugging etc going on that would complicate the code and cause a stack\nframe.\n\nIt causes KASAN unhappiness reported for years by syzkaller [1] and\nothers [2].\n\nWith no real practical reason for this any more, just remove the code.\n\nJust for historical interest, here's some background commits relating to\nthis code from 2006:\n\n 0cb91a229364 (\"i386: Account spinlocks to the caller during profiling for !FP kernels\")\n 31679f38d886 (\"Simplify profile_pc on x86-64\")\n\nand a code unification from 2009:\n\n ef4512882dbe (\"x86: time_32/64.c unify profile_pc\")\n\nbut the basics of this thing actually goes back to before the git tree.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42096" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42097", + "dataSource": "https://ubuntu.com/security/CVE-2024-42097", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42097" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42097", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42097", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/40d7def67841343c10f8642a41031fecbb248bab", + "https://git.kernel.org/stable/c/79d9a000f0220cdaba1682d2a23c0d0c61d620a3", + "https://git.kernel.org/stable/c/7a18293fd8d8519c2f7a03753bc1583b18e3db69", + "https://git.kernel.org/stable/c/87039b83fb7bfd7d0e0499aaa8e6c049906b4d14", + "https://git.kernel.org/stable/c/89b32ccb12ae67e630c6453d778ec30a592a212f", + "https://git.kernel.org/stable/c/d0ff2443fcbb472206d45a5d2a90cc694065804e", + "https://git.kernel.org/stable/c/d23982ea9aa438f35a8c8a6305943e98a8db90f6", + "https://git.kernel.org/stable/c/d8f5ce3cb9adf0c72e2ad6089aba02d7a32469c2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: emux: improve patch ioctl data validation\n\nIn load_data(), make the validation of and skipping over the main info\nblock match that in load_guspatch().\n\nIn load_guspatch(), add checking that the specified patch length matches\nthe actually supplied data, like load_data() already did.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42097" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42098", + "dataSource": "https://ubuntu.com/security/CVE-2024-42098", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42098" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42098", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42098", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/39173b04abda87872b43c331468a4a14f8f05ce8", + "https://git.kernel.org/stable/c/73e5984e540a76a2ee1868b91590c922da8c24c9", + "https://git.kernel.org/stable/c/80575b252ab0358b7e93895b2a510beb3cb3f975", + "https://git.kernel.org/stable/c/d96187eb8e59b572a8e6a68b6a9837a867ea29df", + "https://git.kernel.org/stable/c/fd7ef325911eba1b7191b83cb580463242f2090d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ecdh - explicitly zeroize private_key\n\nprivate_key is overwritten with the key parameter passed in by the\ncaller (if present), or alternatively a newly generated private key.\nHowever, it is possible that the caller provides a key (or the newly\ngenerated key) which is shorter than the previous key. In that\nscenario, some key material from the previous key would not be\noverwritten. The easiest solution is to explicitly zeroize the entire\nprivate_key array first.\n\nNote that this patch slightly changes the behavior of this function:\npreviously, if the ecc_gen_privkey failed, the old private_key would\nremain. Now, the private_key is always zeroized. This behavior is\nconsistent with the case where params.key is set and ecc_is_key_valid\nfails.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42098" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42101", + "dataSource": "https://ubuntu.com/security/CVE-2024-42101", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42101" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42101", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42101", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1f32535238493008587a8c5cb17eb2ca097592ef", + "https://git.kernel.org/stable/c/274cba8d2d1b48c72d8bd90e76c9e2dc1aa0a81d", + "https://git.kernel.org/stable/c/744b229f09134ccd091427a6f9ea6d97302cfdd9", + "https://git.kernel.org/stable/c/7db5411c5d0bd9c29b8c2ad93c36b5c16ea46c9e", + "https://git.kernel.org/stable/c/80bec6825b19d95ccdfd3393cf8ec15ff2a749b4", + "https://git.kernel.org/stable/c/9baf60323efa992b7c915094529f0a1882c34e7e", + "https://git.kernel.org/stable/c/e36364f5f3785d054a94e57e971385284886d41a", + "https://git.kernel.org/stable/c/f48dd3f19614022f2e1b794fbd169d2b4c398c07" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix null pointer dereference in nouveau_connector_get_modes\n\nIn nouveau_connector_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a possible NULL pointer\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42101" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42102", + "dataSource": "https://ubuntu.com/security/CVE-2024-42102", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42102" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42102", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42102", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/000099d71648504fb9c7a4616f92c2b70c3e44ec", + "https://git.kernel.org/stable/c/145faa3d03688cbb7bbaaecbd84c01539852942c", + "https://git.kernel.org/stable/c/23a28f5f3f6ca1e4184bd0e9631cd0944cf1c807", + "https://git.kernel.org/stable/c/253f9ea7e8e53a5176bd80ceb174907b10724c1a", + "https://git.kernel.org/stable/c/2820005edae13b140f2d54267d1bd6bb23915f59", + "https://git.kernel.org/stable/c/30139c702048f1097342a31302cbd3d478f50c63", + "https://git.kernel.org/stable/c/cbbe17a324437c0ff99881a3ee453da45b228a00", + "https://git.kernel.org/stable/c/f6620df12cb6bdcad671d269debbb23573502f9d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\"\n\nPatch series \"mm: Avoid possible overflows in dirty throttling\".\n\nDirty throttling logic assumes dirty limits in page units fit into\n32-bits. This patch series makes sure this is true (see patch 2/2 for\nmore details).\n\n\nThis patch (of 2):\n\nThis reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.\n\nThe commit is broken in several ways. Firstly, the removed (u64) cast\nfrom the multiplication will introduce a multiplication overflow on 32-bit\narchs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the\ndefault settings with 4GB of RAM will trigger this). Secondly, the\ndiv64_u64() is unnecessarily expensive on 32-bit archs. We have\ndiv64_ul() in case we want to be safe & cheap. Thirdly, if dirty\nthresholds are larger than 1<<32 pages, then dirty balancing is going to\nblow up in many other spectacular ways anyway so trying to fix one\npossible overflow is just moot.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42102" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42104", + "dataSource": "https://ubuntu.com/security/CVE-2024-42104", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42104" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42104", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42104", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/07c176e7acc5579c133bb923ab21316d192d0a95", + "https://git.kernel.org/stable/c/1b7d549ed2c1fa202c751b69423a0d3a6bd5a180", + "https://git.kernel.org/stable/c/265fff1a01cdc083aeaf0d934c929db5cc64aebf", + "https://git.kernel.org/stable/c/2f2fa9cf7c3537958a82fbe8c8595a5eb0861ad7", + "https://git.kernel.org/stable/c/3ab40870edb883b9633dc5cd55f5a2a11afa618d", + "https://git.kernel.org/stable/c/b11e8fb93ea5eefb2e4e719497ea177a58ff6131", + "https://git.kernel.org/stable/c/bb76c6c274683c8570ad788f79d4b875bde0e458", + "https://git.kernel.org/stable/c/c33c2b0d92aa1c2262d999b2598ad6fbd53bd479" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: add missing check for inode numbers on directory entries\n\nSyzbot reported that mounting and unmounting a specific pattern of\ncorrupted nilfs2 filesystem images causes a use-after-free of metadata\nfile inodes, which triggers a kernel bug in lru_add_fn().\n\nAs Jan Kara pointed out, this is because the link count of a metadata file\ngets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),\ntries to delete that inode (ifile inode in this case).\n\nThe inconsistency occurs because directories containing the inode numbers\nof these metadata files that should not be visible in the namespace are\nread without checking.\n\nFix this issue by treating the inode numbers of these internal files as\nerrors in the sanity check helper when reading directory folios/pages.\n\nAlso thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer\nanalysis.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42104" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42105", + "dataSource": "https://ubuntu.com/security/CVE-2024-42105", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42105" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42105", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42105", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/08cab183a624ba71603f3754643ae11cab34dbc4", + "https://git.kernel.org/stable/c/1c91058425a01131ea30dda6cf43c67b17884d6a", + "https://git.kernel.org/stable/c/3be4dcc8d7bea52ea41f87aa4bbf959efe7a5987", + "https://git.kernel.org/stable/c/57235c3c88bb430043728d0d02f44a4efe386476", + "https://git.kernel.org/stable/c/731011ac6c37cbe97ece229fc6daa486276052c5", + "https://git.kernel.org/stable/c/9194f8ca57527958bee207919458e372d638d783", + "https://git.kernel.org/stable/c/e2fec219a36e0993642844be0f345513507031f4", + "https://git.kernel.org/stable/c/fae1959d6ab2c52677b113935e36ab4e25df37ea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix inode number range checks\n\nPatch series \"nilfs2: fix potential issues related to reserved inodes\".\n\nThis series fixes one use-after-free issue reported by syzbot, caused by\nnilfs2's internal inode being exposed in the namespace on a corrupted\nfilesystem, and a couple of flaws that cause problems if the starting\nnumber of non-reserved inodes written in the on-disk super block is\nintentionally (or corruptly) changed from its default value. \n\n\nThis patch (of 3):\n\nIn the current implementation of nilfs2, \"nilfs->ns_first_ino\", which\ngives the first non-reserved inode number, is read from the superblock,\nbut its lower limit is not checked.\n\nAs a result, if a number that overlaps with the inode number range of\nreserved inodes such as the root directory or metadata files is set in the\nsuper block parameter, the inode number test macros (NILFS_MDT_INODE and\nNILFS_VALID_INODE) will not function properly.\n\nIn addition, these test macros use left bit-shift calculations using with\nthe inode number as the shift count via the BIT macro, but the result of a\nshift calculation that exceeds the bit width of an integer is undefined in\nthe C specification, so if \"ns_first_ino\" is set to a large value other\nthan the default value NILFS_USER_INO (=11), the macros may potentially\nmalfunction depending on the environment.\n\nFix these issues by checking the lower bound of \"nilfs->ns_first_ino\" and\nby preventing bit shifts equal to or greater than the NILFS_USER_INO\nconstant in the inode number test macros.\n\nAlso, change the type of \"ns_first_ino\" from signed integer to unsigned\ninteger to avoid the need for type casting in comparisons such as the\nlower bound check introduced this time.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42105" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42106", + "dataSource": "https://ubuntu.com/security/CVE-2024-42106", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42106" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42106", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42106", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0184bf0a349f4cf9e663abbe862ff280e8e4dfa2", + "https://git.kernel.org/stable/c/61cf1c739f08190a4cbf047b9fbb192a94d87e3f", + "https://git.kernel.org/stable/c/7094a5fd20ab66028f1da7f06e0f2692d70346f9", + "https://git.kernel.org/stable/c/76965648fe6858db7c5f3c700fef7aa5f124ca1c", + "https://git.kernel.org/stable/c/7ef519c8efde152e0d632337f2994f6921e0b7e4", + "https://git.kernel.org/stable/c/8366720519ea8d322a20780debdfd23d9fc0904a", + "https://git.kernel.org/stable/c/d6f487e0704de2f2d15f8dd5d7d723210f2b2fdb", + "https://git.kernel.org/stable/c/f9b2010e8af49fac9d9562146fb81744d8a9b051" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet_diag: Initialize pad field in struct inet_diag_req_v2\n\nKMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw\nsockets uses the pad field in struct inet_diag_req_v2 for the\nunderlying protocol. This field corresponds to the sdiag_raw_protocol\nfield in struct inet_diag_req_raw.\n\ninet_diag_get_exact_compat() converts inet_diag_req to\ninet_diag_req_v2, but leaves the pad field uninitialized. So the issue\noccurs when raw_lookup() accesses the sdiag_raw_protocol field.\n\nFix this by initializing the pad field in\ninet_diag_get_exact_compat(). Also, do the same fix in\ninet_diag_dump_compat() to avoid the similar issue in the future.\n\n[1]\nBUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]\nBUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_lookup net/ipv4/raw_diag.c:49 [inline]\n raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was stored to memory at:\n raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable req.i created at:\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]\n inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n\nCPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42106" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42107", + "dataSource": "https://ubuntu.com/security/CVE-2024-42107", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42107" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42107", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42107", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c4e524811918600683b1ea87a5e0fc2db64fa9b", + "https://git.kernel.org/stable/c/996422e3230e41468f652d754fefd1bdbcd4604e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't process extts if PTP is disabled\n\nThe ice_ptp_extts_event() function can race with ice_ptp_release() and\nresult in a NULL pointer dereference which leads to a kernel panic.\n\nPanic occurs because the ice_ptp_extts_event() function calls\nptp_clock_event() with a NULL pointer. The ice driver has already\nreleased the PTP clock by the time the interrupt for the next external\ntimestamp event occurs.\n\nTo fix this, modify the ice_ptp_extts_event() function to check the\nPTP state and bail early if PTP is not ready.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42107" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42109", + "dataSource": "https://ubuntu.com/security/CVE-2024-42109", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42109" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42109", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42109", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/09e650c3a3a7d804430260510534ccbf71c75b2e", + "https://git.kernel.org/stable/c/3325628cb36b7f216c5716e7b5124d9dc81199e4", + "https://git.kernel.org/stable/c/4c06c13317b9a08decedcd7aaf706691e336277c", + "https://git.kernel.org/stable/c/55a40406aac555defe9bdd0adec9508116ce7cb1", + "https://git.kernel.org/stable/c/9f6958ba2e902f9820c594869bd710ba74b7c4c0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally flush pending work before notifier\n\nsyzbot reports:\n\nKASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831\nKASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530\nKASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\nRead of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45\n[..]\nWorkqueue: events nf_tables_trans_destroy_work\nCall Trace:\n nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]\n nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]\n nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\n\nProblem is that the notifier does a conditional flush, but its possible\nthat the table-to-be-removed is still referenced by transactions being\nprocessed by the worker, so we need to flush unconditionally.\n\nWe could make the flush_work depend on whether we found a table to delete\nin nf-next to avoid the flush for most cases.\n\nAFAICS this problem is only exposed in nf-next, with\ncommit e169285f8c56 (\"netfilter: nf_tables: do not store nft_ctx in transaction objects\"),\nwith this commit applied there is an unconditional fetch of\ntable->family which is whats triggering the above splat.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42109" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42110", + "dataSource": "https://ubuntu.com/security/CVE-2024-42110", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42110" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42110", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42110", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4b3b6c7efee69f077b86ef7f088fb96768e46e1f", + "https://git.kernel.org/stable/c/858ae09f03677a4ab907a15516893bc2cc79d4c3", + "https://git.kernel.org/stable/c/e15a5d821e5192a3769d846079bc9aa380139baf", + "https://git.kernel.org/stable/c/e3af5b14e7632bf12058533d69055393e2d126c9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()\n\nThe following is emitted when using idxd (DSA) dmanegine as the data\nmover for ntb_transport that ntb_netdev uses.\n\n[74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526\n[74412.556784] caller is netif_rx_internal+0x42/0x130\n[74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5\n[74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024\n[74412.581699] Call Trace:\n[74412.584514] \n[74412.586933] dump_stack_lvl+0x55/0x70\n[74412.591129] check_preemption_disabled+0xc8/0xf0\n[74412.596374] netif_rx_internal+0x42/0x130\n[74412.600957] __netif_rx+0x20/0xd0\n[74412.604743] ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev]\n[74412.610985] ntb_complete_rxc+0xed/0x140 [ntb_transport]\n[74412.617010] ntb_rx_copy_callback+0x53/0x80 [ntb_transport]\n[74412.623332] idxd_dma_complete_txd+0xe3/0x160 [idxd]\n[74412.628963] idxd_wq_thread+0x1a6/0x2b0 [idxd]\n[74412.634046] irq_thread_fn+0x21/0x60\n[74412.638134] ? irq_thread+0xa8/0x290\n[74412.642218] irq_thread+0x1a0/0x290\n[74412.646212] ? __pfx_irq_thread_fn+0x10/0x10\n[74412.651071] ? __pfx_irq_thread_dtor+0x10/0x10\n[74412.656117] ? __pfx_irq_thread+0x10/0x10\n[74412.660686] kthread+0x100/0x130\n[74412.664384] ? __pfx_kthread+0x10/0x10\n[74412.668639] ret_from_fork+0x31/0x50\n[74412.672716] ? __pfx_kthread+0x10/0x10\n[74412.676978] ret_from_fork_asm+0x1a/0x30\n[74412.681457] \n\nThe cause is due to the idxd driver interrupt completion handler uses\nthreaded interrupt and the threaded handler is not hard or soft interrupt\ncontext. However __netif_rx() can only be called from interrupt context.\nChange the call to netif_rx() in order to allow completion via normal\ncontext for dmaengine drivers that utilize threaded irq handling.\n\nWhile the following commit changed from netif_rx() to __netif_rx(),\nbaebdf48c360 (\"net: dev: Makes sure netif_rx() can be invoked in any context.\"),\nthe change should've been a noop instead. However, the code precedes this\nfix should've been using netif_rx_ni() or netif_rx_any_context().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42110" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42114", + "dataSource": "https://ubuntu.com/security/CVE-2024-42114", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42114" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42114", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42114", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/33ac5a4eb3d4bea2146658f1b6d1fa86d62d2b22", + "https://git.kernel.org/stable/c/3fc06f6d142d2840735543216a60d0a8c345bdec", + "https://git.kernel.org/stable/c/80ac0cc9c0bef984e29637b1efa93d7214b42f53", + "https://git.kernel.org/stable/c/8a3ac7fb36962c34698f884bd697938054ff2afa", + "https://git.kernel.org/stable/c/d1cba2ea8121e7fdbe1328cea782876b1dd80993", + "https://git.kernel.org/stable/c/e87c2f098f52aa2fe20258a5bb1738d6a74e9ed7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values\n\nsyzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM\nto 2^31.\n\nWe had a similar issue in sch_fq, fixed with commit\nd9e15a273306 (\"pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM\")\n\nwatchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]\nModules linked in:\nirq event stamp: 131135\n hardirqs last enabled at (131134): [] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]\n hardirqs last enabled at (131134): [] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95\n hardirqs last disabled at (131135): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (131135): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last enabled at (125892): [] neigh_hh_init net/core/neighbour.c:1538 [inline]\n softirqs last enabled at (125892): [] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553\n softirqs last disabled at (125896): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19\nCPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nWorkqueue: mld mld_ifc_work\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __list_del include/linux/list.h:195 [inline]\n pc : __list_del_entry include/linux/list.h:218 [inline]\n pc : list_move_tail include/linux/list.h:310 [inline]\n pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\n lr : __list_del_entry include/linux/list.h:218 [inline]\n lr : list_move_tail include/linux/list.h:310 [inline]\n lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854\nsp : ffff800093d36700\nx29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000\nx26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0\nx23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0\nx20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0\nx17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8\nx14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff\nx11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc\nx2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470\nCall trace:\n __list_del include/linux/list.h:195 [inline]\n __list_del_entry include/linux/list.h:218 [inline]\n list_move_tail include/linux/list.h:310 [inline]\n fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\n wake_tx_push_queue net/mac80211/util.c:294 [inline]\n ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315\n drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]\n schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]\n ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664\n ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966\n ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062\n __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338\n ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547\n __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563\n neigh_output include/net/neighbour.h:542 [inline]\n ip6_fini\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42114" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42115", + "dataSource": "https://ubuntu.com/security/CVE-2024-42115", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42115" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42115", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42115", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/05fc1ef892f862c1197b11b288bc00f602d2df0c", + "https://git.kernel.org/stable/c/0b3246052e01e61a55bb3a15b76acb006759fe67", + "https://git.kernel.org/stable/c/5ca26334fc8a3711fed14db7f9eb1c621be4df65", + "https://git.kernel.org/stable/c/6d6d94287f6365282bbf41e9a5b5281985970789", + "https://git.kernel.org/stable/c/751987a5d8ead0cc405fad96e83ebbaa51c82dbc", + "https://git.kernel.org/stable/c/af9a8730ddb6a4b2edd779ccc0aceb994d616830", + "https://git.kernel.org/stable/c/b6c8b3e31eb88c85094d848a0bd8b4bafe67e4d8", + "https://git.kernel.org/stable/c/d0bbbf31462a400bef4df33e22de91864f475455" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: Fix potential illegal address access in jffs2_free_inode\n\nDuring the stress testing of the jffs2 file system,the following\nabnormal printouts were found:\n[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948\n[ 2430.649622] Mem abort info:\n[ 2430.649829] ESR = 0x96000004\n[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 2430.650564] SET = 0, FnV = 0\n[ 2430.650795] EA = 0, S1PTW = 0\n[ 2430.651032] FSC = 0x04: level 0 translation fault\n[ 2430.651446] Data abort info:\n[ 2430.651683] ISV = 0, ISS = 0x00000004\n[ 2430.652001] CM = 0, WnR = 0\n[ 2430.652558] [0069696969696948] address between user and kernel address ranges\n[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33\n[ 2430.655008] Hardware name: linux,dummy-virt (DT)\n[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 2430.656142] pc : kfree+0x78/0x348\n[ 2430.656630] lr : jffs2_free_inode+0x24/0x48\n[ 2430.657051] sp : ffff800009eebd10\n[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000\n[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000\n[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14\n[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000\n[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000\n[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19\n[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14\n[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302\n[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342\n[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000\n[ 2430.664217] Call trace:\n[ 2430.664528] kfree+0x78/0x348\n[ 2430.664855] jffs2_free_inode+0x24/0x48\n[ 2430.665233] i_callback+0x24/0x50\n[ 2430.665528] rcu_do_batch+0x1ac/0x448\n[ 2430.665892] rcu_core+0x28c/0x3c8\n[ 2430.666151] rcu_core_si+0x18/0x28\n[ 2430.666473] __do_softirq+0x138/0x3cc\n[ 2430.666781] irq_exit+0xf0/0x110\n[ 2430.667065] handle_domain_irq+0x6c/0x98\n[ 2430.667447] gic_handle_irq+0xac/0xe8\n[ 2430.667739] call_on_irq_stack+0x28/0x54\nThe parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of\nthe jffs_inode_info structure. It was found that all variables in the jffs_inode_info\nstructure were 5a5a5a5a, except for the first member sem. It is suspected that these\nvariables are not initialized because they were set to 5a5a5a5a during memory testing,\nwhich is meant to detect uninitialized memory.The sem variable is initialized in the\nfunction jffs2_i_init_once, while other members are initialized in\nthe function jffs2_init_inode_info.\n\nThe function jffs2_init_inode_info is called after iget_locked,\nbut in the iget_locked function, the destroy_inode process is triggered,\nwhich releases the inode and consequently, the target member of the inode\nis not initialized.In concurrent high pressure scenarios, iget_locked\nmay enter the destroy_inode branch as described in the code.\n\nSince the destroy_inode functionality of jffs2 only releases the target,\nthe fix method is to set target to NULL in jffs2_i_init_once.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42115" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42116", + "dataSource": "https://ubuntu.com/security/CVE-2024-42116", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42116" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42116", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42116", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/86167183a17e03ec77198897975e9fdfbd53cb0b", + "https://git.kernel.org/stable/c/96839f3f588236593de36465f142b0126267f8b6", + "https://git.kernel.org/stable/c/98c8958980e829f023a490b9a9816ca1fe2f8b79", + "https://git.kernel.org/stable/c/991f036cabc3d13e886a37faeea1b6800181fdda", + "https://git.kernel.org/stable/c/d478ec838cf2b1e1051a8709cfc744fe1c03110f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: fix a log entry using uninitialized netdev\n\nDuring successful probe, igc logs this:\n\n[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nThe reason is that igc_ptp_init() is called very early, even before\nregister_netdev() has been called. So the netdev_info() call works\non a partially uninitialized netdev.\n\nFix this by calling igc_ptp_init() after register_netdev(), right\nafter the media autosense check, just as in igb. Add a comment,\njust as in igb.\n\nNow the log message is fine:\n\n[ 5.200987] igc 0000:01:00.0 eth0: PHC added", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42116" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42117", + "dataSource": "https://ubuntu.com/security/CVE-2024-42117", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42117" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42117", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42117", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/01eb50e53c1ce505bf449348d433181310288765", + "https://git.kernel.org/stable/c/a9c047a5cf3135b8b66bd28fbe2c698b9cace0b3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: ASSERT when failing to find index by plane/stream id\n\n[WHY]\nfind_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns\nan array index and they return -1 when not found; however, -1 is not a\nvalid index number.\n\n[HOW]\nWhen this happens, call ASSERT(), and return a positive number (which is\nfewer than callers' array size) instead.\n\nThis fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42117" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42118", + "dataSource": "https://ubuntu.com/security/CVE-2024-42118", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42118" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42118", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42118", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3ac31c9a707dd1c7c890b95333182f955e9dcb57", + "https://git.kernel.org/stable/c/a76fa9c4f0fc0aa6f517da3fa7d7c23e8a32c7d0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Do not return negative stream id for array\n\n[WHY]\nresource_stream_to_stream_idx returns an array index and it return -1\nwhen not found; however, -1 is not a valid array index number.\n\n[HOW]\nWhen this happens, call ASSERT(), and return a zero instead.\n\nThis fixes an OVERRUN and an NEGATIVE_RETURNS issues reported by Coverity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42118" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42119", + "dataSource": "https://ubuntu.com/security/CVE-2024-42119", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42119" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42119", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42119", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3", + "https://git.kernel.org/stable/c/874261358d31fc772f2823604167e670983cc1ca", + "https://git.kernel.org/stable/c/881fb6afc0004c5e6392ae2848f825bf051dae14", + "https://git.kernel.org/stable/c/95ad20ee3c4efbb91f9a4ab08e070aa3697f5879", + "https://git.kernel.org/stable/c/9eb4db08a808e3a3ba59193aeb84a57a6dc4d8c9", + "https://git.kernel.org/stable/c/afaaebdee9bb9f26d9e13cc34b33bd0a7bf59488", + "https://git.kernel.org/stable/c/eacca028a623f608607d02457122ee5284491e18", + "https://git.kernel.org/stable/c/ffa7bd3ca9cfa902b857d1dc9a5f46fededf86c8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip finding free audio for unknown engine_id\n\n[WHY]\nENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it\nalso means it is uninitialized and does not need free audio.\n\n[HOW]\nSkip and return NULL.\n\nThis fixes 2 OVERRUN issues reported by Coverity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42119" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42120", + "dataSource": "https://ubuntu.com/security/CVE-2024-42120", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42120" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42120", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42120", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0b3702f9d43d163fd05e43b7d7e22e766dbef329", + "https://git.kernel.org/stable/c/5396a70e8cf462ec5ccf2dc8de103c79de9489e6", + "https://git.kernel.org/stable/c/96bf81cc1bd058bb8af6e755a548e926e934dfd1", + "https://git.kernel.org/stable/c/b2e9abc95583ac7bbb2c47da4d476a798146dfd6", + "https://git.kernel.org/stable/c/c5ec2afeeee4c91cebc4eff6d4f1ecf4047259f4", + "https://git.kernel.org/stable/c/d2c3645a4a5ae5d933b4116c305d9d82b8199dbf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check pipe offset before setting vblank\n\npipe_ctx has a size of MAX_PIPES so checking its index before accessing\nthe array.\n\nThis fixes an OVERRUN issue reported by Coverity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42120" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42121", + "dataSource": "https://ubuntu.com/security/CVE-2024-42121", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42121" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42121", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42121", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/59d99deb330af206a4541db0c4da8f73880fba03", + "https://git.kernel.org/stable/c/9933eca6ada0cd612e19522e7a319bcef464c0eb", + "https://git.kernel.org/stable/c/a31ea49dc8064a557565725cf045944307476a6e", + "https://git.kernel.org/stable/c/ae91ffbc8b8d942e3e7f188728cad557b7ed5ee4", + "https://git.kernel.org/stable/c/b5b8837d066cc182ff69fb5629ad32ade5484567", + "https://git.kernel.org/stable/c/fbb0701af9734cff13917a4b98b5ee9da2fde48d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check index msg_id before read or write\n\n[WHAT]\nmsg_id is used as an array index and it cannot be a negative value, and\ntherefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1).\n\n[HOW]\nCheck whether msg_id is valid before reading and setting.\n\nThis fixes 4 OVERRUN issues reported by Coverity.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42121" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42122", + "dataSource": "https://ubuntu.com/security/CVE-2024-42122", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42122" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42122", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42122", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/062edd612fcd300f0f79a36fca5b8b6a5e2fce70", + "https://git.kernel.org/stable/c/8e65a1b7118acf6af96449e1e66b7adbc9396912" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL pointer check for kzalloc\n\n[Why & How]\nCheck return pointer of kzalloc before using it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42122" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42123", + "dataSource": "https://ubuntu.com/security/CVE-2024-42123", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42123" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42123", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42123", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/506c245f3f1cd989cb89811a7f06e04ff8813a0d", + "https://git.kernel.org/stable/c/8e24beb3c2b08a4763f920399a9cc577ed440a1a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix double free err_addr pointer warnings\n\nIn amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages\nwill be run many times so that double free err_addr in some special case.\nSo set the err_addr to NULL to avoid the warnings.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42123" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42124", + "dataSource": "https://ubuntu.com/security/CVE-2024-42124", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42124" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42124", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42124", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a8a91932b2772e75bf3f6d133ca4225d1d3e920", + "https://git.kernel.org/stable/c/0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec", + "https://git.kernel.org/stable/c/2b9c7787cfcd1e76d873a78f16cf45bfa4b100ea", + "https://git.kernel.org/stable/c/4f314aadeed8cdf42c8cf30769425b5e44702748", + "https://git.kernel.org/stable/c/5ceb40cdee721e13cbe15a0515cacf984e11236b", + "https://git.kernel.org/stable/c/b6ded5316ec56e973dcf5f9997945aad01a9f062", + "https://git.kernel.org/stable/c/fa49c65a1cec6a3901ef884fdb24d98068b63493" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Make qedf_execute_tmf() non-preemptible\n\nStop calling smp_processor_id() from preemptible code in\nqedf_execute_tmf90. This results in BUG_ON() when running an RT kernel.\n\n[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646\n[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42124" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42125", + "dataSource": "https://ubuntu.com/security/CVE-2024-42125", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42125" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42125", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42125", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/bb38626f3f97e16e6d368a9ff6daf320f3fe31d9", + "https://git.kernel.org/stable/c/ce4ba62f8bc5195a9a0d49c6235a9c99e619cadc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband\n\nWe have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz\nsband will be NULL even if it is WiFi 7 chip. So, add NULL handling here\nto avoid crash.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42125" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42126", + "dataSource": "https://ubuntu.com/security/CVE-2024-42126", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42126" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42126", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42126", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0db880fc865ffb522141ced4bfa66c12ab1fbb70", + "https://git.kernel.org/stable/c/0f37946c62c48a907625348cbc720a7a0c547d1e", + "https://git.kernel.org/stable/c/2c78c9411e685dbc9eac8c2845111b03501975b8", + "https://git.kernel.org/stable/c/8d3f83dfb23674540c827a8d65fba20aa300b252", + "https://git.kernel.org/stable/c/e2afb26615adf6c3ceaaa7732aa839bcd587a057", + "https://git.kernel.org/stable/c/fb6675db04c4b79883373edc578d5df7bbc84848" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.\n\nnmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel\ncrash when invoked during real mode interrupt handling (e.g. early HMI/MCE\ninterrupt handler) if percpu allocation comes from vmalloc area.\n\nEarly HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()\nwrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when\npercpu allocation is from the embedded first chunk. However with\nCONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu\nallocation can come from the vmalloc area.\n\nWith kernel command line \"percpu_alloc=page\" we can force percpu allocation\nto come from vmalloc area and can see kernel crash in machine_check_early:\n\n[ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110\n[ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0\n[ 1.215719] --- interrupt: 200\n[ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)\n[ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0\n[ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8\n\nFix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu\nfirst chunk is not embedded.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42126" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42127", + "dataSource": "https://ubuntu.com/security/CVE-2024-42127", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42127" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42127", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42127", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/04d531b9a1875846d4f89953b469ad463aa7a770", + "https://git.kernel.org/stable/c/0a487e977cb8897ae4c51ecd34bbaa2b005266c9", + "https://git.kernel.org/stable/c/0d60c43df59ef01c08dc7b0c45495178f9d05a13", + "https://git.kernel.org/stable/c/17fe8b75aaf0bb1bdc31368963446b421c22d0af", + "https://git.kernel.org/stable/c/25d0d9b83d855cbc5d5aa5ae3cd79d55ea0c84a8", + "https://git.kernel.org/stable/c/a6683c690bbfd1f371510cb051e8fa49507f3f5e", + "https://git.kernel.org/stable/c/b5daf9217a50636a969bc1965f827878aeb09ffe" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: fix shared irq handling on driver remove\n\nlima uses a shared interrupt, so the interrupt handlers must be prepared\nto be called at any time. At driver removal time, the clocks are\ndisabled early and the interrupts stay registered until the very end of\nthe remove process due to the devm usage.\nThis is potentially a bug as the interrupts access device registers\nwhich assumes clocks are enabled. A crash can be triggered by removing\nthe driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.\nThis patch frees the interrupts at each lima device finishing callback\nso that the handlers are already unregistered by the time we fully\ndisable clocks.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42127" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42128", + "dataSource": "https://ubuntu.com/security/CVE-2024-42128", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42128" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42128", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42128", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3ead19aa341de89a8c3d88a091d8093ebea622e8", + "https://git.kernel.org/stable/c/9dba44460bfca657ca43f03ea9bafa4f9f7dd077", + "https://git.kernel.org/stable/c/c382e2e3eccb6b7ca8c7aff5092c1668428e7de6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: an30259a: Use devm_mutex_init() for mutex initialization\n\nIn this driver LEDs are registered using devm_led_classdev_register()\nso they are automatically unregistered after module's remove() is done.\nled_classdev_unregister() calls module's led_set_brightness() to turn off\nthe LEDs and that callback uses mutex which was destroyed already\nin module's remove() so use devm API instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42128" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42129", + "dataSource": "https://ubuntu.com/security/CVE-2024-42129", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42129" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42129", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42129", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b62888307ae44b68512d3f7735c26a4c8e45b51", + "https://git.kernel.org/stable/c/efc347b9efee1c2b081f5281d33be4559fa50a16" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: mlxreg: Use devm_mutex_init() for mutex initialization\n\nIn this driver LEDs are registered using devm_led_classdev_register()\nso they are automatically unregistered after module's remove() is done.\nled_classdev_unregister() calls module's led_set_brightness() to turn off\nthe LEDs and that callback uses mutex which was destroyed already\nin module's remove() so use devm API instead.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42129" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42130", + "dataSource": "https://ubuntu.com/security/CVE-2024-42130", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42130" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42130", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42130", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/056478b4321b36ca33567089d39ac992f6c9c37a", + "https://git.kernel.org/stable/c/068648aab72c9ba7b0597354ef4d81ffaac7b979", + "https://git.kernel.org/stable/c/22a72c1c10f43ca645a98725e0faff34592f4d08", + "https://git.kernel.org/stable/c/41f5e2840cd0629f049ce5ce2f8dd10a8299de42", + "https://git.kernel.org/stable/c/f07bcd8bba803c9e6ad2048543185d6c56587a2f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc/nci: Add the inconsistency check between the input data length and count\n\nwrite$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB=\"610501\"], 0xf)\n\nSyzbot constructed a write() call with a data length of 3 bytes but a count value\nof 15, which passed too little data to meet the basic requirements of the function\nnci_rf_intf_activated_ntf_packet().\n\nTherefore, increasing the comparison between data length and count value to avoid\nproblems caused by inconsistent data length and count.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42130" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42131", + "dataSource": "https://ubuntu.com/security/CVE-2024-42131", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42131" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42131", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42131", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2b2d2b8766db028bd827af34075f221ae9e9efff", + "https://git.kernel.org/stable/c/385d838df280eba6c8680f9777bfa0d0bfe7e8b2", + "https://git.kernel.org/stable/c/4d3817b64eda07491bdd86a234629fe0764fb42a", + "https://git.kernel.org/stable/c/7a49389771ae7666f4dc3426e2a4594bf23ae290", + "https://git.kernel.org/stable/c/8e0b5e7f2895eccef5c2a0018b589266f90c4805", + "https://git.kernel.org/stable/c/a25e8536184516b55ef89ab91dd2eea429de28d2", + "https://git.kernel.org/stable/c/bd16a7ee339aef3ee4c90cb23902afb6af379ea0", + "https://git.kernel.org/stable/c/c83ed422c24f0d4b264f89291d4fabe285f80dbc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: avoid overflows in dirty throttling logic\n\nThe dirty throttling logic is interspersed with assumptions that dirty\nlimits in PAGE_SIZE units fit into 32-bit (so that various multiplications\nfit into 64-bits). If limits end up being larger, we will hit overflows,\npossible divisions by 0 etc. Fix these problems by never allowing so\nlarge dirty limits as they have dubious practical value anyway. For\ndirty_bytes / dirty_background_bytes interfaces we can just refuse to set\nso large limits. For dirty_ratio / dirty_background_ratio it isn't so\nsimple as the dirty limit is computed from the amount of available memory\nwhich can change due to memory hotplug etc. So when converting dirty\nlimits from ratios to numbers of pages, we just don't allow the result to\nexceed UINT_MAX.\n\nThis is root-only triggerable problem which occurs when the operator\nsets dirty limits to >16 TB.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42131" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42134", + "dataSource": "https://ubuntu.com/security/CVE-2024-42134", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42134" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42134", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42134", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5e2024b0b9b3d5709e3f7e9b92951d7e29154106", + "https://git.kernel.org/stable/c/c8fae27d141a32a1624d0d0d5419d94252824498" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-pci: Check if is_avq is NULL\n\n[bug]\nIn the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved\nto determine whether it is admin virtqueue, but this function vp_dev->is_avq\n may be empty. For installations, virtio_pci_legacy does not assign a value\n to vp_dev->is_avq.\n\n[fix]\nCheck whether it is vp_dev->is_avq before use.\n\n[test]\nTest with virsh Attach device\nBefore this patch, the following command would crash the guest system\n\nAfter applying the patch, everything seems to be working fine.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42134" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42135", + "dataSource": "https://ubuntu.com/security/CVE-2024-42135", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42135" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42135", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42135", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/abe067dc3a662eef7d5cddbbc41ed50a0b68b0af", + "https://git.kernel.org/stable/c/db5247d9bf5c6ade9fd70b4e4897441e0269b233", + "https://git.kernel.org/stable/c/dec987fe2df670827eb53b97c9552ed8dfc63ad4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost_task: Handle SIGKILL by flushing work and exiting\n\nInstead of lingering until the device is closed, this has us handle\nSIGKILL by:\n\n1. marking the worker as killed so we no longer try to use it with\n new virtqueues and new flush operations.\n2. setting the virtqueue to worker mapping so no new works are queued.\n3. running all the exiting works.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42135" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42136", + "dataSource": "https://ubuntu.com/security/CVE-2024-42136", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42136" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42136", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42136", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c97527e916054acc4a46ffb02842988acb2e92b", + "https://git.kernel.org/stable/c/3ee21e14c8c329168a0b66bab00ecd18f5d0dee3", + "https://git.kernel.org/stable/c/e809bc112712da8f7e15822674c6562da6cdf24c", + "https://git.kernel.org/stable/c/efb905aeb44b0e99c0e6b07865b1885ae0471ebf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncdrom: rearrange last_media_change check to avoid unintentional overflow\n\nWhen running syzkaller with the newly reintroduced signed integer wrap\nsanitizer we encounter this splat:\n\n[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33\n[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')\n[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO\n[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 366.027518] Call Trace:\n[ 366.027523] \n[ 366.027533] dump_stack_lvl+0x93/0xd0\n[ 366.027899] handle_overflow+0x171/0x1b0\n[ 366.038787] ata1.00: invalid multi_count 32 ignored\n[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10\n[ 366.063932] ? __pm_runtime_resume+0xe6/0x130\n[ 366.071923] sr_block_ioctl+0x15d/0x1d0\n[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10\n[ 366.077642] blkdev_ioctl+0x419/0x500\n[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10\n...\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang. It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rearrange the check to not perform any arithmetic, thus not\ntripping the sanitizer.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42136" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42137", + "dataSource": "https://ubuntu.com/security/CVE-2024-42137", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42137" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42137", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42137", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/215a26c2404fa34625c725d446967fa328a703eb", + "https://git.kernel.org/stable/c/4ca6013cd18e58ac1044908c40d4006a92093a11", + "https://git.kernel.org/stable/c/88e72239ead9814b886db54fc4ee39ef3c2b8f26", + "https://git.kernel.org/stable/c/977b9dc65e14fb80de4763d949c7dec2ecb15b9b", + "https://git.kernel.org/stable/c/e2d8aa4c763593704ac21e7591aed4f13e32f3b5", + "https://git.kernel.org/stable/c/e6e200b264271f62a3fadb51ada9423015ece37b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot\n\nCommit 272970be3dab (\"Bluetooth: hci_qca: Fix driver shutdown on closed\nserdev\") will cause below regression issue:\n\nBT can't be enabled after below steps:\ncold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure\nif property enable-gpios is not configured within DT|ACPI for QCA6390.\n\nThe commit is to fix a use-after-free issue within qca_serdev_shutdown()\nby adding condition to avoid the serdev is flushed or wrote after closed\nbut also introduces this regression issue regarding above steps since the\nVSC is not sent to reset controller during warm reboot.\n\nFixed by sending the VSC to reset controller within qca_serdev_shutdown()\nonce BT was ever enabled, and the use-after-free issue is also fixed by\nthis change since the serdev is still opened before it is flushed or wrote.\n\nVerified by the reported machine Dell XPS 13 9310 laptop over below two\nkernel commits:\ncommit e00fc2700a3f (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of bluetooth-next tree.\ncommit b23d98d46d28 (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of linus mainline tree.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42137" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42139", + "dataSource": "https://ubuntu.com/security/CVE-2024-42139", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42139" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42139", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42139", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/00d3b4f54582d4e4a02cda5886bb336eeab268cc", + "https://git.kernel.org/stable/c/9f69b31ae9e25dec27ad31fbc64dd99af16ee3d3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix improper extts handling\n\nExtts events are disabled and enabled by the application ts2phc.\nHowever, in case where the driver is removed when the application is\nrunning, a specific extts event remains enabled and can cause a kernel\ncrash.\nAs a side effect, when the driver is reloaded and application is started\nagain, remaining extts event for the channel from a previous run will\nkeep firing and the message \"extts on unexpected channel\" might be\nprinted to the user.\n\nTo avoid that, extts events shall be disabled when PTP is released.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42139" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42140", + "dataSource": "https://ubuntu.com/security/CVE-2024-42140", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42140" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42140", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42140", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/484dd545271d02d1571e1c6b62ea7df9dbe5e692", + "https://git.kernel.org/stable/c/653deee48a4682ea17a05b96fb6842795ab5943c", + "https://git.kernel.org/stable/c/7692c9b6baacdee378435f58f19baf0eb69e4155", + "https://git.kernel.org/stable/c/bb80a7911218bbab2a69b5db7d2545643ab0073d", + "https://git.kernel.org/stable/c/c562ba719df570c986caf0941fea2449150bcbc4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: kexec: Avoid deadlock in kexec crash path\n\nIf the kexec crash code is called in the interrupt context, the\nmachine_kexec_mask_interrupts() function will trigger a deadlock while\ntrying to acquire the irqdesc spinlock and then deactivate irqchip in\nirq_set_irqchip_state() function.\n\nUnlike arm64, riscv only requires irq_eoi handler to complete EOI and\nkeeping irq_set_irqchip_state() will only leave this possible deadlock\nwithout any use. So we simply remove it.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42140" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42143", + "dataSource": "https://ubuntu.com/security/CVE-2024-42143", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42143" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42143", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42143", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42143" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42144", + "dataSource": "https://ubuntu.com/security/CVE-2024-42144", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42144" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42144", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42144", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/79ef1a5593fdb8aa4dbccf6085c48f1739338bc9", + "https://git.kernel.org/stable/c/a1191a77351e25ddf091bb1a231cae12ee598b5d", + "https://git.kernel.org/stable/c/fd7ae1cabfedd727be5bee774c87acbc7b10b886" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data\n\nVerify that lvts_data is not NULL before using it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42144" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42145", + "dataSource": "https://ubuntu.com/security/CVE-2024-42145", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42145" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42145", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42145", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1288cf1cceb0e6df276e182f5412370fb4169bcb", + "https://git.kernel.org/stable/c/62349fbf86b5e13b02721bdadf98c29afd1e7b5f", + "https://git.kernel.org/stable/c/63d202d948bb6d3a28cd8e8b96b160fa53e18baa", + "https://git.kernel.org/stable/c/a6627fba793cc75b7365d9504a0095fb2902dda4", + "https://git.kernel.org/stable/c/b4913702419d064ec4c4bbf7270643c95cc89a1b", + "https://git.kernel.org/stable/c/b8c5f635997f49c625178d1a0cb32a80ed33abe6", + "https://git.kernel.org/stable/c/ca0b44e20a6f3032224599f02e7c8fb49525c894", + "https://git.kernel.org/stable/c/d73cb8862e4d6760ccc94d3b57b9ef6271400607" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Implement a limit on UMAD receive List\n\nThe existing behavior of ib_umad, which maintains received MAD\npackets in an unbounded list, poses a risk of uncontrolled growth.\nAs user-space applications extract packets from this list, the rate\nof extraction may not match the rate of incoming packets, leading\nto potential list overflow.\n\nTo address this, we introduce a limit to the size of the list. After\nconsidering typical scenarios, such as OpenSM processing, which can\nhandle approximately 100k packets per second, and the 1-second retry\ntimeout for most packets, we set the list size limit to 200k. Packets\nreceived beyond this limit are dropped, assuming they are likely timed\nout by the time they are handled by user-space.\n\nNotably, packets queued on the receive list due to reasons like\ntimed-out sends are preserved even when the list is full.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42145" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42146", + "dataSource": "https://ubuntu.com/security/CVE-2024-42146", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42146" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42146", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42146", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0888d15ea45ba8ef4508edd1123ea5ad95b58994", + "https://git.kernel.org/stable/c/f9116f658a6217b101e3b4e89f845775b6fb05d9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf\n\nAny kunit doing any memory access should get their own runtime_pm\nouter references since they don't use the standard driver API\nentries. In special this dma_buf from the same driver.\n\nFound by pre-merge CI on adding WARN calls for unprotected\ninner callers:\n\n<6> [318.639739] # xe_dma_buf_kunit: running xe_test_dmabuf_import_same_driver\n<4> [318.639957] ------------[ cut here ]------------\n<4> [318.639967] xe 0000:4d:00.0: Missing outer runtime PM protection\n<4> [318.640049] WARNING: CPU: 117 PID: 3832 at drivers/gpu/drm/xe/xe_pm.c:533 xe_pm_runtime_get_noresume+0x48/0x60 [xe]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42146" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42147", + "dataSource": "https://ubuntu.com/security/CVE-2024-42147", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42147" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42147", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42147", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7fc8d9a525b5c3f8dfa5ed50901e764d8ede7e1e", + "https://git.kernel.org/stable/c/8be0913389718e8d27c4f1d4537b5e1b99ed7739", + "https://git.kernel.org/stable/c/e0a2d2df9ba7bd6bd7e0a9b6a5e3894f7e8445b3", + "https://git.kernel.org/stable/c/eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/debugfs - Fix debugfs uninit process issue\n\nDuring the zip probe process, the debugfs failure does not stop\nthe probe. When debugfs initialization fails, jumping to the\nerror branch will also release regs, in addition to its own\nrollback operation.\n\nAs a result, it may be released repeatedly during the regs\nuninit process. Therefore, the null check needs to be added to\nthe regs uninit process.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42147" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42148", + "dataSource": "https://ubuntu.com/security/CVE-2024-42148", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42148" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42148", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42148", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b", + "https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7", + "https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f", + "https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce", + "https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d", + "https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f", + "https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e", + "https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnx2x: Fix multiple UBSAN array-index-out-of-bounds\n\nFix UBSAN warnings that occur when using a system with 32 physical\ncpu cores or more, or when the user defines a number of Ethernet\nqueues greater than or equal to FP_SB_MAX_E1x using the num_queues\nmodule parameter.\n\nCurrently there is a read/write out of bounds that occurs on the array\n\"struct stats_query_entry query\" present inside the \"bnx2x_fw_stats_req\"\nstruct in \"drivers/net/ethernet/broadcom/bnx2x/bnx2x.h\".\nLooking at the definition of the \"struct stats_query_entry query\" array:\n\nstruct stats_query_entry query[FP_SB_MAX_E1x+\n BNX2X_FIRST_QUEUE_QUERY_IDX];\n\nFP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and\nhas a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3\nmeaning the array has a total size of 19.\nSince accesses to \"struct stats_query_entry query\" are offset-ted by\nBNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet\nqueues should not exceed FP_SB_MAX_E1x (16). However one of these queues\nis reserved for FCOE and thus the number of Ethernet queues should be set\nto [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if\nit is not.\n\nThis is also described in a comment in the source code in\ndrivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition\nof FP_SB_MAX_E1x. Below is the part of this explanation that it important\nfor this patch\n\n/*\n * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is\n * control by the number of fast-path status blocks supported by the\n * device (HW/FW). Each fast-path status block (FP-SB) aka non-default\n * status block represents an independent interrupts context that can\n * serve a regular L2 networking queue. However special L2 queues such\n * as the FCoE queue do not require a FP-SB and other components like\n * the CNIC may consume FP-SB reducing the number of possible L2 queues\n *\n * If the maximum number of FP-SB available is X then:\n * a. If CNIC is supported it consumes 1 FP-SB thus the max number of\n * regular L2 queues is Y=X-1\n * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)\n * c. If the FCoE L2 queue is supported the actual number of L2 queues\n * is Y+1\n * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for\n * slow-path interrupts) or Y+2 if CNIC is supported (one additional\n * FP interrupt context for the CNIC).\n * e. The number of HW context (CID count) is always X or X+1 if FCoE\n * L2 queue is supported. The cid for the FCoE L2 queue is always X.\n */\n\nHowever this driver also supports NICs that use the E2 controller which can\nhandle more queues due to having more FP-SB represented by FP_SB_MAX_E2.\nLooking at the commits when the E2 support was added, it was originally\nusing the E1x parameters: commit f2e0899f0f27 (\"bnx2x: Add 57712 support\").\nBack then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver\nwas later updated to take full advantage of the E2 instead of having it be\nlimited to the capabilities of the E1x. But as far as we can tell, the\narray \"stats_query_entry query\" was still limited to using the FP-SB\navailable to the E1x cards as part of an oversignt when the driver was\nupdated to take full advantage of the E2, and now with the driver being\naware of the greater queue size supported by E2 NICs, it causes the UBSAN\nwarnings seen in the stack traces below.\n\nThis patch increases the size of the \"stats_query_entry query\" array by\nreplacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle\nboth types of NICs.\n\nStack traces:\n\nUBSAN: array-index-out-of-bounds in\n drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11\nindex 20 is out of range for type 'stats_query_entry [19]'\nCPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic\n\t #202405052133\nHardware name: HP ProLiant DL360 Gen9/ProLiant DL360 \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42148" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42151", + "dataSource": "https://ubuntu.com/security/CVE-2024-42151", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42151" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42151", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42151", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1479eaff1f16983d8fda7c5a08a586c21891087d", + "https://git.kernel.org/stable/c/7f79097b0de97a486b137b750d7dd7b20b519d23" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable\n\nTest case dummy_st_ops/dummy_init_ret_value passes NULL as the first\nparameter of the test_1() function. Mark this parameter as nullable to\nmake verifier aware of such possibility.\nOtherwise, NULL check in the test_1() code:\n\n SEC(\"struct_ops/test_1\")\n int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)\n {\n if (!state)\n return ...;\n\n ... access state ...\n }\n\nMight be removed by verifier, thus triggering NULL pointer dereference\nunder certain conditions.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42151" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42152", + "dataSource": "https://ubuntu.com/security/CVE-2024-42152", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42152" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42152", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42152", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa", + "https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1", + "https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33", + "https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da", + "https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5", + "https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a possible leak when destroy a ctrl during qp establishment\n\nIn nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we\nknow that a ctrl was allocated (in the admin connect request handler)\nand we need to release pending AERs, clear ctrl->sqs and sq->ctrl\n(for nvme-loop primarily), and drop the final reference on the ctrl.\n\nHowever, a small window is possible where nvmet_sq_destroy starts (as\na result of the client giving up and disconnecting) concurrently with\nthe nvme admin connect cmd (which may be in an early stage). But *before*\nkill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq\nlive reference). In this case, sq->ctrl was allocated however after it was\ncaptured in a local variable in nvmet_sq_destroy.\nThis prevented the final reference drop on the ctrl.\n\nSolve this by re-capturing the sq->ctrl after all inflight request has\ncompleted, where for sure sq->ctrl reference is final, and move forward\nbased on that.\n\nThis issue was observed in an environment with many hosts connecting\nmultiple ctrls simoutanuosly, creating a delay in allocating a ctrl\nleading up to this race window.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42152" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42153", + "dataSource": "https://ubuntu.com/security/CVE-2024-42153", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42153" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42153", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42153", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/27cd3873fa76ebeb9f948baae40cb9a6d8692289", + "https://git.kernel.org/stable/c/2849a1b747cf37aa5b684527104d3a53f1e296d2", + "https://git.kernel.org/stable/c/3503372d0bf7b324ec0bd6b90606703991426176", + "https://git.kernel.org/stable/c/3d32327f5cfc087ee3922a3bcdcc29880dcdb50f", + "https://git.kernel.org/stable/c/92e494a7568b60ae80d57fc0deafcaf3a4029ab3", + "https://git.kernel.org/stable/c/a349e5ab4dc9954746e836cd10b407ce48f9b2f6", + "https://git.kernel.org/stable/c/effe0500afda017a86c94482b1e36bc37586c9af", + "https://git.kernel.org/stable/c/f63b94be6942ba82c55343e196bd09b53227618e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr\n\nWhen del_timer_sync() is called in an interrupt context it throws a warning\nbecause of potential deadlock. The timer is used only to exit from\nwait_for_completion() after a timeout so replacing the call with\nwait_for_completion_timeout() allows to remove the problematic timer and\nits related functions altogether.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42153" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42154", + "dataSource": "https://ubuntu.com/security/CVE-2024-42154", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42154" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42154", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42154", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://git.kernel.org/stable/c/19d997b59fa1fd7a02e770ee0881c0652b9c32c9", + "https://git.kernel.org/stable/c/2a2e79dbe2236a1289412d2044994f7ab419b44c", + "https://git.kernel.org/stable/c/31f03bb04146c1c6df6c03e9f45401f5f5a985d3", + "https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321", + "https://git.kernel.org/stable/c/66be40e622e177316ae81717aa30057ba9e61dff", + "https://git.kernel.org/stable/c/8c2debdd170e395934ac0e039748576dfde14e99", + "https://git.kernel.org/stable/c/cdffc358717e436bb67122bb82c1a2a26e050f98", + "https://git.kernel.org/stable/c/ef7c428b425beeb52b894e16f1c4b629d6cebfb6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_metrics: validate source addr length\n\nI don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4\nis at least 4 bytes long, and the policy doesn't have an entry\nfor this attribute at all (neither does it for IPv6 but v6 is\nmanually validated).", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42154" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42155", + "dataSource": "https://ubuntu.com/security/CVE-2024-42155", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42155" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42155", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42155", + "namespace": "nvd:cpe", + "severity": "Low", + "urls": [ + "https://git.kernel.org/stable/c/c746f7ced4ad88ee48d0b6c92710e4674403185b", + "https://git.kernel.org/stable/c/f2ebdadd85af4f4d0cae1e5d009c70eccc78c207" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe copies of protected- and secure-keys\n\nAlthough the clear-key of neither protected- nor secure-keys is\naccessible, this key material should only be visible to the calling\nprocess. So wipe all copies of protected- or secure-keys from stack,\neven in case of an error.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", + "metrics": { + "baseScore": 1.9, + "exploitabilityScore": 0.5, + "impactScore": 1.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42155" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42156", + "dataSource": "https://ubuntu.com/security/CVE-2024-42156", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42156" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42156", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42156", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/7f6243edd901b75aaece326c90a1cc0dcb60cc3d", + "https://git.kernel.org/stable/c/d65d76a44ffe74c73298ada25b0f578680576073" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe copies of clear-key structures on failure\n\nWipe all sensitive data from stack for all IOCTLs, which convert a\nclear-key into a protected- or secure-key.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.1, + "exploitabilityScore": 0.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42156" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42157", + "dataSource": "https://ubuntu.com/security/CVE-2024-42157", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42157" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42157", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42157", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1d8c270de5eb74245d72325d285894a577a945d9", + "https://git.kernel.org/stable/c/4889f117755b2f18c23045a0f57977f3ec130581", + "https://git.kernel.org/stable/c/6e2e374403bf73140d0efc9541cb1b3bea55ac02", + "https://git.kernel.org/stable/c/90a01aefb84b09ccb6024d75d85bb8f620bd3487", + "https://git.kernel.org/stable/c/93c034c4314bc4c4450a3869cd5da298502346ad", + "https://git.kernel.org/stable/c/b5eb9176ebd4697bc248bf8d145e66d782cf5250", + "https://git.kernel.org/stable/c/c44a2151e5d21c66b070a056c26471f30719b575", + "https://git.kernel.org/stable/c/c51795885c801b6b7e976717e0d6d45b1e5be0f0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe sensitive data on failure\n\nWipe sensitive data from stack also if the copy_to_user() fails.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.1, + "exploitabilityScore": 0.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42157" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42158", + "dataSource": "https://ubuntu.com/security/CVE-2024-42158", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42158" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42158", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42158", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/22e6824622e8a8889df0f8fc4ed5aea0e702a694", + "https://git.kernel.org/stable/c/62151a0acde90823bdfa991d598c85cf4b1d387d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Use kfree_sensitive() to fix Coccinelle warnings\n\nReplace memzero_explicit() and kfree() with kfree_sensitive() to fix\nwarnings reported by Coccinelle:\n\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506)\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643)\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.1, + "exploitabilityScore": 0.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42158" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42160", + "dataSource": "https://ubuntu.com/security/CVE-2024-42160", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42160" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42160", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42160", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/44958ca9e400f57bd0478115519ffc350fcee61e", + "https://git.kernel.org/stable/c/4ed886b187f47447ad559619c48c086f432d2b77", + "https://git.kernel.org/stable/c/bc84dd2c33e0c10fd90d60f0cfc0bfb504d4692d", + "https://git.kernel.org/stable/c/ecb641f424d6d1f055d149a15b892edcc92c504b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: check validation of fault attrs in f2fs_build_fault_attr()\n\n- It missed to check validation of fault attrs in parse_options(),\nlet's fix to add check condition in f2fs_build_fault_attr().\n- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42160" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42161", + "dataSource": "https://ubuntu.com/security/CVE-2024-42161", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42161" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42161", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42161", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/009367099eb61a4fc2af44d4eb06b6b4de7de6db", + "https://git.kernel.org/stable/c/3364c2ed1c241989847f19cf83e3db903ce689e3", + "https://git.kernel.org/stable/c/7e5471b5efebc30dd0bc035cda86693a5c73d45f", + "https://git.kernel.org/stable/c/a21d76bd0b0d39518e9a4c19f6cf7c042a974aff", + "https://git.kernel.org/stable/c/b694989bb13ed5f166e633faa1eb0f21c6d261a6", + "https://git.kernel.org/stable/c/ff941a8449e712eaf7efca1a13bfb9afd3d99fc2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD\n\n[Changes from V1:\n - Use a default branch in the switch statement to initialize `val'.]\n\nGCC warns that `val' may be used uninitialized in the\nBPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as:\n\n\t[...]\n\tunsigned long long val;\t\t\t\t\t\t \\\n\t[...]\t\t\t\t\t\t\t\t \\\n\tswitch (__CORE_RELO(s, field, BYTE_SIZE)) {\t\t\t \\\n\tcase 1: val = *(const unsigned char *)p; break;\t\t\t \\\n\tcase 2: val = *(const unsigned short *)p; break;\t\t \\\n\tcase 4: val = *(const unsigned int *)p; break;\t\t\t \\\n\tcase 8: val = *(const unsigned long long *)p; break;\t\t \\\n } \t\t\t\t\t\t\t \\\n\t[...]\n\tval;\t\t\t\t\t\t\t\t \\\n\t}\t\t\t\t\t\t\t\t \\\n\nThis patch adds a default entry in the switch statement that sets\n`val' to zero in order to avoid the warning, and random values to be\nused in case __builtin_preserve_field_info returns unexpected values\nfor BPF_FIELD_BYTE_SIZE.\n\nTested in bpf-next master.\nNo regressions.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42161" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42223", + "dataSource": "https://ubuntu.com/security/CVE-2024-42223", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42223" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42223", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42223", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1121d8a5c6ed6b8fad492e43b63b386cb6a3a9d8", + "https://git.kernel.org/stable/c/1663e2474e4d777187d749a5c90ae83232db32bd", + "https://git.kernel.org/stable/c/1aa1329a67cc214c3b7bd2a14d1301a795760b07", + "https://git.kernel.org/stable/c/5c72587d024f087aecec0221eaff2fe850d856ce", + "https://git.kernel.org/stable/c/8167e4d7dc086d4f7ca7897dcff3827e4d22c99a", + "https://git.kernel.org/stable/c/8ac224e9371dc3c4eb666033e6b42d05cf5184a1", + "https://git.kernel.org/stable/c/bd5620439959a7e02012588c724c6ff5143b80af", + "https://git.kernel.org/stable/c/e1ba22618758e95e09c9fd30c69ccce38edf94c0" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: tda10048: Fix integer overflow\n\nstate->xtal_hz can be up to 16M, so it can overflow a 32 bit integer\nwhen multiplied by pll_mfactor.\n\nCreate a new 64 bit variable to hold the calculations.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42223" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42224", + "dataSource": "https://ubuntu.com/security/CVE-2024-42224", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42224" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42224", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42224", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/2a2fe25a103cef73cde356e6d09da10f607e93f5", + "https://git.kernel.org/stable/c/3bf8d70e1455f87856640c3433b3660a31001618", + "https://git.kernel.org/stable/c/3f25b5f1635449036692a44b771f39f772190c1d", + "https://git.kernel.org/stable/c/47d28dde172696031c880c5778633cdca30394ee", + "https://git.kernel.org/stable/c/4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b", + "https://git.kernel.org/stable/c/8c2c3cca816d074c75a2801d1ca0dea7b0148114", + "https://git.kernel.org/stable/c/aa03f591ef31ba603a4a99d05d25a0f21ab1cd89", + "https://git.kernel.org/stable/c/f75625db838ade28f032dacd0f0c8baca42ecde4" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: Correct check for empty list\n\nSince commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO\nbusses\") mv88e6xxx_default_mdio_bus() has checked that the\nreturn value of list_first_entry() is non-NULL.\n\nThis appears to be intended to guard against the list chip->mdios being\nempty. However, it is not the correct check as the implementation of\nlist_first_entry is not designed to return NULL for empty lists.\n\nInstead, use list_first_entry_or_null() which does return NULL if the\nlist is empty.\n\nFlagged by Smatch.\nCompile tested only.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42224" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42225", + "dataSource": "https://ubuntu.com/security/CVE-2024-42225", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42225" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42225", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42225", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/22ea2a7f0b64d323625950414a4496520fb33657", + "https://git.kernel.org/stable/c/64f86337ccfe77fe3be5a9356b0dabde23fbb074", + "https://git.kernel.org/stable/c/7f819a2f4fbc510e088b49c79addcf1734503578", + "https://git.kernel.org/stable/c/dc7f14d00d0c4c21898f3504607f4a31079065a2", + "https://git.kernel.org/stable/c/ff6b26be13032c5fbd6b6a0b24358f8eaac4f3af" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: replace skb_put with skb_put_zero\n\nAvoid potentially reusing uninitialized data", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.6, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42225" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42226", + "dataSource": "https://ubuntu.com/security/CVE-2024-42226", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42226" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42226", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42226", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [], + "description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42226" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42228", + "dataSource": "https://ubuntu.com/security/CVE-2024-42228", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42228" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42228", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42228", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/855ae72c20310e5402b2317fc537d911e87537ef", + "https://git.kernel.org/stable/c/88a9a467c548d0b3c7761b4fd54a68e70f9c0944", + "https://git.kernel.org/stable/c/f8f120b3de48b8b6bdf8988a9b334c2d61c17440" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc\n\nInitialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.\nV2: To really improve the handling we would actually\n need to have a separate value of 0xffffffff.(Christian)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7, + "exploitabilityScore": 1, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42228" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42229", + "dataSource": "https://ubuntu.com/security/CVE-2024-42229", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42229" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42229", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42229", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/23e4099bdc3c8381992f9eb975c79196d6755210", + "https://git.kernel.org/stable/c/28c8d274848feba552e95c5c2a7e3cfe8f15c534", + "https://git.kernel.org/stable/c/71dd428615375e36523f4d4f7685ddd54113646d", + "https://git.kernel.org/stable/c/9db8c299a521813630fcb4154298cb60c37f3133", + "https://git.kernel.org/stable/c/b502d4a08875ea2b4ea5d5b28dc7c991c8b90cfb", + "https://git.kernel.org/stable/c/f58679996a831754a356974376f248aa0af2eb8e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aead,cipher - zeroize key buffer after use\n\nI.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding\ncryptographic information should be zeroized once they are no longer\nneeded. Accomplish this by using kfree_sensitive for buffers that\npreviously held the private key.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "metrics": { + "baseScore": 4.1, + "exploitabilityScore": 0.5, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42229" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42230", + "dataSource": "https://ubuntu.com/security/CVE-2024-42230", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42230" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42230", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42230", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/21a741eb75f80397e5f7d3739e24d7d75e619011", + "https://git.kernel.org/stable/c/8c6506616386ce37e59b2745fc481c6713fae4f3", + "https://git.kernel.org/stable/c/c550679d604798d9fed8a5b2bb5693448a25407c", + "https://git.kernel.org/stable/c/d10e3c39001e9194b9a1bfd6979bd3fa19dccdc5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix scv instruction crash with kexec\n\nkexec on pseries disables AIL (reloc_on_exc), required for scv\ninstruction support, before other CPUs have been shut down. This means\nthey can execute scv instructions after AIL is disabled, which causes an\ninterrupt at an unexpected entry location that crashes the kernel.\n\nChange the kexec sequence to disable AIL after other CPUs have been\nbrought down.\n\nAs a refresher, the real-mode scv interrupt vector is 0x17000, and the\nfixed-location head code probably couldn't easily deal with implementing\nsuch high addresses so it was just decided not to support that interrupt\nat all.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.4, + "exploitabilityScore": 0.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42230" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42232", + "dataSource": "https://ubuntu.com/security/CVE-2024-42232", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42232" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42232", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42232", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf", + "https://git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7", + "https://git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a", + "https://git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e", + "https://git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c", + "https://git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea", + "https://git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883", + "https://git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix race between delayed_work() and ceph_monc_stop()\n\nThe way the delayed work is handled in ceph_monc_stop() is prone to\nraces with mon_fault() and possibly also finish_hunting(). Both of\nthese can requeue the delayed work which wouldn't be canceled by any of\nthe following code in case that happens after cancel_delayed_work_sync()\nruns -- __close_session() doesn't mess with the delayed work in order\nto avoid interfering with the hunting interval logic. This part was\nmissed in commit b5d91704f53e (\"libceph: behave in mon_fault() if\ncur_mon < 0\") and use-after-free can still ensue on monc and objects\nthat hang off of it, with monc->auth and monc->monmap being\nparticularly susceptible to quickly being reused.\n\nTo fix this:\n\n- clear monc->cur_mon and monc->hunting as part of closing the session\n in ceph_monc_stop()\n- bail from delayed_work() if monc->cur_mon is cleared, similar to how\n it's done in mon_fault() and finish_hunting() (based on monc->hunting)\n- call cancel_delayed_work_sync() after the session is closed", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42232" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42236", + "dataSource": "https://ubuntu.com/security/CVE-2024-42236", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42236" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42236", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42236", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2d16f63d8030903e5031853e79d731ee5d474e70", + "https://git.kernel.org/stable/c/6d3c721e686ea6c59e18289b400cc95c76e927e0", + "https://git.kernel.org/stable/c/72b8ee0d9826e8ed00e0bdfce3e46b98419b37ce", + "https://git.kernel.org/stable/c/a444c3fc264119801575ab086e03fb4952f23fd0", + "https://git.kernel.org/stable/c/c95fbdde87e39e5e0ae27f28bf6711edfb985caa", + "https://git.kernel.org/stable/c/d1205033e912f9332c1dbefa812e6ceb0575ce0a", + "https://git.kernel.org/stable/c/e8474a10c535e6a2024c3b06e37e4a3a23beb490", + "https://git.kernel.org/stable/c/eecfefad0953b2f31aaefa058f7f348ff39c4bba" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: configfs: Prevent OOB read/write in usb_string_copy()\n\nUserspace provided string 's' could trivially have the length zero. Left\nunchecked this will firstly result in an OOB read in the form\n`if (str[0 - 1] == '\\n') followed closely by an OOB write in the form\n`str[0 - 1] = '\\0'`.\n\nThere is already a validating check to catch strings that are too long.\nLet's supply an additional check for invalid strings that are too short.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42236" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42239", + "dataSource": "https://ubuntu.com/security/CVE-2024-42239", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42239" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42239", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42239", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/3e4e8178a8666c56813bd167b848fca0f4c9af0a", + "https://git.kernel.org/stable/c/9369830518688ecd5b08ffc08ab3302ce2b5d0f7", + "https://git.kernel.org/stable/c/d4523831f07a267a943f0dde844bf8ead7495f13" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail bpf_timer_cancel when callback is being cancelled\n\nGiven a schedule:\n\ntimer1 cb\t\t\ttimer2 cb\n\nbpf_timer_cancel(timer2);\tbpf_timer_cancel(timer1);\n\nBoth bpf_timer_cancel calls would wait for the other callback to finish\nexecuting, introducing a lockup.\n\nAdd an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps\ntrack of all in-flight cancellation requests for a given BPF timer.\nWhenever cancelling a BPF timer, we must check if we have outstanding\ncancellation requests, and if so, we must fail the operation with an\nerror (-EDEADLK) since cancellation is synchronous and waits for the\ncallback to finish executing. This implies that we can enter a deadlock\nsituation involving two or more timer callbacks executing in parallel\nand attempting to cancel one another.\n\nNote that we avoid incrementing the cancelling counter for the target\ntimer (the one being cancelled) if bpf_timer_cancel is not invoked from\na callback, to avoid spurious errors. The whole point of detecting\ncur->cancelling and returning -EDEADLK is to not enter a busy wait loop\n(which may or may not lead to a lockup). This does not apply in case the\ncaller is in a non-callback context, the other side can continue to\ncancel as it sees fit without running into errors.\n\nBackground on prior attempts:\n\nEarlier versions of this patch used a bool 'cancelling' bit and used the\nfollowing pattern under timer->lock to publish cancellation status.\n\nlock(t->lock);\nt->cancelling = true;\nmb();\nif (cur->cancelling)\n\treturn -EDEADLK;\nunlock(t->lock);\nhrtimer_cancel(t->timer);\nt->cancelling = false;\n\nThe store outside the critical section could overwrite a parallel\nrequests t->cancelling assignment to true, to ensure the parallely\nexecuting callback observes its cancellation status.\n\nIt would be necessary to clear this cancelling bit once hrtimer_cancel\nis done, but lack of serialization introduced races. Another option was\nexplored where bpf_timer_start would clear the bit when (re)starting the\ntimer under timer->lock. This would ensure serialized access to the\ncancelling bit, but may allow it to be cleared before in-flight\nhrtimer_cancel has finished executing, such that lockups can occur\nagain.\n\nThus, we choose an atomic counter to keep track of all outstanding\ncancellation requests and use it to prevent lockups in case callbacks\nattempt to cancel each other while executing in parallel.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42239" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42240", + "dataSource": "https://ubuntu.com/security/CVE-2024-42240", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42240" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42240", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42240", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/08518d48e5b744620524f0acd7c26c19bda7f513", + "https://git.kernel.org/stable/c/a765679defe1dc1b8fa01928a6ad6361e72a1364", + "https://git.kernel.org/stable/c/ac8b270b61d48fcc61f052097777e3b5e11591e0", + "https://git.kernel.org/stable/c/dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf", + "https://git.kernel.org/stable/c/db56615e96c439e13783d7715330e824b4fd4b84" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/bhi: Avoid warning in #DB handler due to BHI mitigation\n\nWhen BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set\nthen entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the\nclear_bhb_loop() before the TF flag is cleared. This causes the #DB handler\n(exc_debug_kernel()) to issue a warning because single-step is used outside the\nentry_SYSENTER_compat() function.\n\nTo address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY\nafter making sure the TF flag is cleared.\n\nThe problem can be reproduced with the following sequence:\n\n $ cat sysenter_step.c\n int main()\n { asm(\"pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter\"); }\n\n $ gcc -o sysenter_step sysenter_step.c\n\n $ ./sysenter_step\n Segmentation fault (core dumped)\n\nThe program is expected to crash, and the #DB handler will issue a warning.\n\nKernel log:\n\n WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160\n ...\n RIP: 0010:exc_debug_kernel+0xd2/0x160\n ...\n Call Trace:\n <#DB>\n ? show_regs+0x68/0x80\n ? __warn+0x8c/0x140\n ? exc_debug_kernel+0xd2/0x160\n ? report_bug+0x175/0x1a0\n ? handle_bug+0x44/0x90\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? exc_debug_kernel+0xd2/0x160\n exc_debug+0x43/0x50\n asm_exc_debug+0x1e/0x40\n RIP: 0010:clear_bhb_loop+0x0/0xb0\n ...\n \n \n ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d\n \n\n [ bp: Massage commit message. ]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42240" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42243", + "dataSource": "https://ubuntu.com/security/CVE-2024-42243", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42243" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42243", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42243", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/099d90642a711caae377f53309abfe27e8724a8b", + "https://git.kernel.org/stable/c/333c5539a31f48828456aa9997ec2808f06a699a", + "https://git.kernel.org/stable/c/a0c42ddd0969fdc760a85e20e267776028a7ca4e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\n\nPatch series \"mm/filemap: Limit page cache size to that supported by\nxarray\", v2.\n\nCurrently, xarray can't support arbitrary page cache size. More details\ncan be found from the WARN_ON() statement in xas_split_alloc(). In our\ntest whose code is attached below, we hit the WARN_ON() on ARM64 system\nwhere the base page size is 64KB and huge page size is 512MB. The issue\nwas reported long time ago and some discussions on it can be found here\n[1].\n\n[1] https://www.spinics.net/lists/linux-xfs/msg75404.html\n\nIn order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one\nsupported by xarray and avoid PMD-sized page cache if needed. The code\nchanges are suggested by David Hildenbrand.\n\nPATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray\nPATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path\nPATCH[4] avoids PMD-sized page cache for shmem files if needed\n\nTest program\n============\n# cat test.c\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#define TEST_XFS_FILENAME\t\"/tmp/data\"\n#define TEST_SHMEM_FILENAME\t\"/dev/shm/data\"\n#define TEST_MEM_SIZE\t\t0x20000000\n\nint main(int argc, char **argv)\n{\n\tconst char *filename;\n\tint fd = 0;\n\tvoid *buf = (void *)-1, *p;\n\tint pgsize = getpagesize();\n\tint ret;\n\n\tif (pgsize != 0x10000) {\n\t\tfprintf(stderr, \"64KB base page size is required\\n\");\n\t\treturn -EPERM;\n\t}\n\n\tsystem(\"echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled\");\n\tsystem(\"rm -fr /tmp/data\");\n\tsystem(\"rm -fr /dev/shm/data\");\n\tsystem(\"echo 1 > /proc/sys/vm/drop_caches\");\n\n\t/* Open xfs or shmem file */\n\tfilename = TEST_XFS_FILENAME;\n\tif (argc > 1 && !strcmp(argv[1], \"shmem\"))\n\t\tfilename = TEST_SHMEM_FILENAME;\n\n\tfd = open(filename, O_CREAT | O_RDWR | O_TRUNC);\n\tif (fd < 0) {\n\t\tfprintf(stderr, \"Unable to open <%s>\\n\", filename);\n\t\treturn -EIO;\n\t}\n\n\t/* Extend file size */\n\tret = ftruncate(fd, TEST_MEM_SIZE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to ftruncate()\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Create VMA */\n\tbuf = mmap(NULL, TEST_MEM_SIZE,\n\t\t PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n\tif (buf == (void *)-1) {\n\t\tfprintf(stderr, \"Unable to mmap <%s>\\n\", filename);\n\t\tgoto cleanup;\n\t}\n\n\tfprintf(stdout, \"mapped buffer at 0x%p\\n\", buf);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\n if (ret) {\n\t\tfprintf(stderr, \"Unable to madvise(MADV_HUGEPAGE)\\n\");\n\t\tgoto cleanup;\n\t}\n\n\t/* Populate VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to madvise(MADV_POPULATE_WRITE)\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Punch the file to enforce xarray split */\n\tret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\n \t\tTEST_MEM_SIZE - pgsize, pgsize);\n\tif (ret)\n\t\tfprintf(stderr, \"Error %d to fallocate()\\n\", ret);\n\ncleanup:\n\tif (buf != (void *)-1)\n\t\tmunmap(buf, TEST_MEM_SIZE);\n\tif (fd > 0)\n\t\tclose(fd);\n\n\treturn 0;\n}\n\n# gcc test.c -o test\n# cat /proc/1/smaps | grep KernelPageSize | head -n 1\nKernelPageSize: 64 kB\n# ./test shmem\n :\n------------[ cut here ]------------\nWARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon \\\ndrm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\nvirtio_net sha1_ce net_failover failover virtio_console virtio_blk \\\ndimlib virtio_mmio\nCPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TC\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42243" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42244", + "dataSource": "https://ubuntu.com/security/CVE-2024-42244", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42244" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42244", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42244", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1094ed500987e67a9d18b0f95e1812f1cc720856", + "https://git.kernel.org/stable/c/553e67dec846323b5575e78a776cf594c13f98c4", + "https://git.kernel.org/stable/c/5ae6a64f18211851c8df6b4221381c438b9a7348", + "https://git.kernel.org/stable/c/932a86a711c722b45ed47ba2103adca34d225b33", + "https://git.kernel.org/stable/c/b14aa5673e0a8077ff4b74f0bb260735e7d5e6a4", + "https://git.kernel.org/stable/c/c15a688e49987385baa8804bf65d570e362f8576" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: mos7840: fix crash on resume\n\nSince commit c49cfa917025 (\"USB: serial: use generic method if no\nalternative is provided in usb serial layer\"), USB serial core calls the\ngeneric resume implementation when the driver has not provided one.\n\nThis can trigger a crash on resume with mos7840 since support for\nmultiple read URBs was added back in 2011. Specifically, both port read\nURBs are now submitted on resume for open ports, but the context pointer\nof the second URB is left set to the core rather than mos7840 port\nstructure.\n\nFix this by implementing dedicated suspend and resume functions for\nmos7840.\n\nTested with Delock 87414 USB 2.0 to 4x serial adapter.\n\n[ johan: analyse crash and rewrite commit message; set busy flag on\n resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42244" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42246", + "dataSource": "https://ubuntu.com/security/CVE-2024-42246", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42246" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42246", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42246", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/626dfed5fa3bfb41e0dffd796032b555b69f9cde", + "https://git.kernel.org/stable/c/d6c686c01c5f12ff8f7264e0ddf71df6cb0d4414", + "https://git.kernel.org/stable/c/f2431e7db0fe0daccb2f06bb0d23740affcd2fa6", + "https://git.kernel.org/stable/c/f388cfd913a2b96c05339a335f365795db1b36b6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket\n\nWhen using a BPF program on kernel_connect(), the call can return -EPERM. This\ncauses xs_tcp_setup_socket() to loop forever, filling up the syslog and causing\nthe kernel to potentially freeze up.\n\nNeil suggested:\n\n This will propagate -EPERM up into other layers which might not be ready\n to handle it. It might be safer to map EPERM to an error we would be more\n likely to expect from the network system - such as ECONNREFUSED or ENETDOWN.\n\nECONNREFUSED as error seems reasonable. For programs setting a different error\ncan be out of reach (see handling in 4fbac77d2d09) in particular on kernels\nwhich do not have f10d05966196 (\"bpf: Make BPF_PROG_RUN_ARRAY return -err\ninstead of allow boolean\"), thus given that it is better to simply remap for\nconsistent behavior. UDP does handle EPERM in xs_udp_send_request().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42246" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42247", + "dataSource": "https://ubuntu.com/security/CVE-2024-42247", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42247" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42247", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42247", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/217978a29c6ceca76d3c640bf94bdf50c268d801", + "https://git.kernel.org/stable/c/2fb34bf76431e831f9863cd59adc0bd1f67b0fbf", + "https://git.kernel.org/stable/c/6638a203abad35fa636d59ac47bdbc4bc100fd74", + "https://git.kernel.org/stable/c/948f991c62a4018fb81d85804eeab3029c6209f8", + "https://git.kernel.org/stable/c/ae630de24efb123d7199a43256396d7758f4cb75", + "https://git.kernel.org/stable/c/b4764f0ad3d68de8a0b847c05f427afb86dd54e6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: allowedips: avoid unaligned 64-bit memory accesses\n\nOn the parisc platform, the kernel issues kernel warnings because\nswap_endian() tries to load a 128-bit IPv6 address from an unaligned\nmemory location:\n\n Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df)\n Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc)\n\nAvoid such unaligned memory accesses by instead using the\nget_unaligned_be64() helper macro.\n\n[Jason: replace src[8] in original patch with src+8]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42247" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42252", + "dataSource": "https://ubuntu.com/security/CVE-2024-42252", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42252" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42252", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42252", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/339b84ab6b1d66900c27bd999271cb2ae40ce812", + "https://git.kernel.org/stable/c/5d85f2ab79d5918a66539ebf046c099f7448db8d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclosures: Change BUG_ON() to WARN_ON()\n\nIf a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON()\n\nFor reference, this has popped up once in the CI, and we'll need more\ninfo to debug it:\n\n03240 ------------[ cut here ]------------\n03240 kernel BUG at lib/closure.c:21!\n03240 kernel BUG at lib/closure.c:21!\n03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n03240 Modules linked in:\n03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570\n03240 Hardware name: linux,dummy-virt (DT)\n03240 Workqueue: btree_update btree_interior_update_work\n03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\n03240 pc : closure_put+0x224/0x2a0\n03240 lr : closure_put+0x24/0x2a0\n03240 sp : ffff0000d12071c0\n03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360\n03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040\n03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168\n03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001\n03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974\n03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d\n03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e\n03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b\n03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954\n03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000\n03240 Call trace:\n03240 closure_put+0x224/0x2a0\n03240 bch2_check_for_deadlock+0x910/0x1028\n03240 bch2_six_check_for_deadlock+0x1c/0x30\n03240 six_lock_slowpath.isra.0+0x29c/0xed0\n03240 six_lock_ip_waiter+0xa8/0xf8\n03240 __bch2_btree_node_lock_write+0x14c/0x298\n03240 bch2_trans_lock_write+0x6d4/0xb10\n03240 __bch2_trans_commit+0x135c/0x5520\n03240 btree_interior_update_work+0x1248/0x1c10\n03240 process_scheduled_works+0x53c/0xd90\n03240 worker_thread+0x370/0x8c8\n03240 kthread+0x258/0x2e8\n03240 ret_from_fork+0x10/0x20\n03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000)\n03240 ---[ end trace 0000000000000000 ]---\n03240 Kernel panic - not syncing: Oops - BUG: Fatal exception\n03240 SMP: stopping secondary CPUs\n03241 SMP: failed to stop secondary CPUs 13,15\n03241 Kernel Offset: disabled\n03241 CPU features: 0x00,00000003,80000008,4240500b\n03241 Memory Limit: none\n03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]---\n03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42252" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42253", + "dataSource": "https://ubuntu.com/security/CVE-2024-42253", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42253" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42253", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42253", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/58a5c93bd1a6e949267400080f07e57ffe05ec34", + "https://git.kernel.org/stable/c/bfc6444b57dc7186b6acc964705d7516cbaf3904", + "https://git.kernel.org/stable/c/de7cffa53149c7b48bd1bb29b02390c9f05b7f41", + "https://git.kernel.org/stable/c/e2ecdddca80dd845df42376e4b0197fe97018ba2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: pca953x: fix pca953x_irq_bus_sync_unlock race\n\nEnsure that `i2c_lock' is held when setting interrupt latch and mask in\npca953x_irq_bus_sync_unlock() in order to avoid races.\n\nThe other (non-probe) call site pca953x_gpio_set_multiple() ensures the\nlock is held before calling pca953x_write_regs().\n\nThe problem occurred when a request raced against irq_bus_sync_unlock()\napproximately once per thousand reboots on an i.MX8MP based system.\n\n * Normal case\n\n 0-0022: write register AI|3a {03,02,00,00,01} Input latch P0\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\n\n * Race case\n\n 0-0022: write register AI|08 {ff,00,00,00,00} Output P3\n 0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register ***\n 0-0022: write register AI|12 {fc,00,00,00,00} Config P3\n 0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42253" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42259", + "dataSource": "https://ubuntu.com/security/CVE-2024-42259", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42259" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42259", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42259", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3e06073d24807f04b4694108a8474decb7b99e60", + "https://git.kernel.org/stable/c/4b09513ce93b3dcb590baaaff2ce96f2d098312d", + "https://git.kernel.org/stable/c/50111a8098fb9ade621eeff82228a997d42732ab", + "https://git.kernel.org/stable/c/8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3", + "https://git.kernel.org/stable/c/911f8055f175c82775d0fd8cedcd0b75413f4ba7", + "https://git.kernel.org/stable/c/a256d019eaf044864c7e50312f0a65b323c24f39", + "https://git.kernel.org/stable/c/e8a68aa842d3f8dd04a46b9d632e5f67fde1da9b", + "https://git.kernel.org/stable/c/ead9289a51ea82eb5b27029fcf4c34b2dd60cf06" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Fix Virtual Memory mapping boundaries calculation\n\nCalculating the size of the mapped area as the lesser value\nbetween the requested size and the actual size does not consider\nthe partial mapping offset. This can cause page fault access.\n\nFix the calculation of the starting and ending addresses, the\ntotal size is now deduced from the difference between the end and\nstart addresses.\n\nAdditionally, the calculations have been rewritten in a clearer\nand more understandable form.\n\n[Joonas: Add Requires: tag]\nRequires: 60a2066c5005 (\"drm/i915/gem: Adjust vma offset for framebuffer mmap offset\")\n(cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42259" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42267", + "dataSource": "https://ubuntu.com/security/CVE-2024-42267", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42267" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42267", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42267", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0c710050c47d45eb77b28c271cddefc5c785cb40", + "https://git.kernel.org/stable/c/20dbdebc5580cd472a310d56a6e252275ee4c864", + "https://git.kernel.org/stable/c/59be4a167782d68e21068a761b90b01fadc09146", + "https://git.kernel.org/stable/c/917f598209f3f5e4ab175d5079d8aeb523e58b1f", + "https://git.kernel.org/stable/c/d4e7db757e2d7f4c407a007e92c98477eab215d2", + "https://git.kernel.org/stable/c/d7ccf2ca772bfe33e2c53ef80fa20d2d87eb6144" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()\n\nHandle VM_FAULT_SIGSEGV in the page fault path so that we correctly\nkill the process and we don't BUG() the kernel.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42267" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42269", + "dataSource": "https://ubuntu.com/security/CVE-2024-42269", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42269" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42269", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42269", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/419ee6274c5153b89c4393c1946faa4c3cad4f9e", + "https://git.kernel.org/stable/c/87dba44e9471b79b255d0736858a897332db9226", + "https://git.kernel.org/stable/c/91b6df6611b7edb28676c4f63f90c56c30d3e601", + "https://git.kernel.org/stable/c/c22921df777de5606f1047b1345b8d22ef1c0b34", + "https://git.kernel.org/stable/c/e85b9b6a87be4cb3710082038b677e97f2389003" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().\n\nip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id],\nbut the function is exposed to user space before the entry is allocated\nvia register_pernet_subsys().\n\nLet's call register_pernet_subsys() before xt_register_template().", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42269" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42270", + "dataSource": "https://ubuntu.com/security/CVE-2024-42270", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42270" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42270", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42270", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/08ed888b69a22647153fe2bec55b7cd0a46102cc", + "https://git.kernel.org/stable/c/5830aa863981d43560748aa93589c0695191d95d", + "https://git.kernel.org/stable/c/70014b73d7539fcbb6b4ff5f37368d7241d8e626", + "https://git.kernel.org/stable/c/95590a4929027769af35b153645c0ab6fd22b29b", + "https://git.kernel.org/stable/c/b98ddb65fa1674b0e6b52de8af9103b63f51b643" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().\n\nWe had a report that iptables-restore sometimes triggered null-ptr-deref\nat boot time. [0]\n\nThe problem is that iptable_nat_table_init() is exposed to user space\nbefore the kernel fully initialises netns.\n\nIn the small race window, a user could call iptable_nat_table_init()\nthat accesses net_generic(net, iptable_nat_net_id), which is available\nonly after registering iptable_nat_net_ops.\n\nLet's call register_pernet_subsys() before xt_register_template().\n\n[0]:\nbpfilter: Loaded bpfilter_umh pid 11702\nStarted bpfilter\nBUG: kernel NULL pointer dereference, address: 0000000000000013\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 0 P4D 0\nPREEMPT SMP NOPTI\nCPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1\nHardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017\nRIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\nCode: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c\nRSP: 0018:ffffbef902843cd0 EFLAGS: 00010246\nRAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80\nRDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0\nRBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240\nR10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000\nR13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004\nFS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? xt_find_table_lock (net/netfilter/x_tables.c:1259)\n ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)\n ? page_fault_oops (arch/x86/mm/fault.c:727)\n ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)\n ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)\n ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\n xt_find_table_lock (net/netfilter/x_tables.c:1259)\n xt_request_find_table_lock (net/netfilter/x_tables.c:1287)\n get_info (net/ipv4/netfilter/ip_tables.c:965)\n ? security_capable (security/security.c:809 (discriminator 13))\n ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)\n ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)\n ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter\n nf_getsockopt (net/netfilter/nf_sockopt.c:116)\n ip_getsockopt (net/ipv4/ip_sockglue.c:1827)\n __sys_getsockopt (net/socket.c:2327)\n __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)\n do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)\nRIP: 0033:0x7f62844685ee\nCode: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09\nRSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037\nRAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0\nR10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2\nR13: 00007f6284\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42270" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42271", + "dataSource": "https://ubuntu.com/security/CVE-2024-42271", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42271" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42271", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42271", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/01437282fd3904810603f3dc98d2cac6b8b6fc84", + "https://git.kernel.org/stable/c/37652fbef9809411cea55ea5fa1a170e299efcd0", + "https://git.kernel.org/stable/c/69620522c48ce8215e5eb55ffbab8cafee8f407d", + "https://git.kernel.org/stable/c/84f40b46787ecb67c7ad08a5bb1376141fa10c01", + "https://git.kernel.org/stable/c/8b424c9e44111c5a76f41c6b741f8d4c4179d876", + "https://git.kernel.org/stable/c/ac758e1f663fe9bc64f6b47212a2aa18697524f5", + "https://git.kernel.org/stable/c/c65f72eec60a34ace031426e04e9aff8e5f04895", + "https://git.kernel.org/stable/c/f558120cd709682b739207b48cf7479fd9568431" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: fix use after free in iucv_sock_close()\n\niucv_sever_path() is called from process context and from bh context.\niucv->path is used as indicator whether somebody else is taking care of\nsevering the path (or it is already removed / never existed).\nThis needs to be done with atomic compare and swap, otherwise there is a\nsmall window where iucv_sock_close() will try to work with a path that has\nalready been severed and freed by iucv_callback_connrej() called by\niucv_tasklet_fn().\n\nExample:\n[452744.123844] Call Trace:\n[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)\n[452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138\n[452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]\n[452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]\n[452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]\n[452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8\n[452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48\n[452744.124820] [<00000000d5421642>] __fput+0xba/0x268\n[452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0\n[452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90\n[452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8\n[452744.125319] Last Breaking-Event-Address:\n[452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138\n[452744.125324]\n[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt\n\nNote that bh_lock_sock() is not serializing the tasklet context against\nprocess context, because the check for sock_owned_by_user() and\ncorresponding handling is missing.\n\nIdeas for a future clean-up patch:\nA) Correct usage of bh_lock_sock() in tasklet context, as described in\nRe-enqueue, if needed. This may require adding return values to the\ntasklet functions and thus changes to all users of iucv.\n\nB) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42271" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42272", + "dataSource": "https://ubuntu.com/security/CVE-2024-42272", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42272" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42272", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42272", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2191a54f63225b548fd8346be3611c3219a24738", + "https://git.kernel.org/stable/c/3a5b68869dbe14f1157c6a24ac71923db060eeab", + "https://git.kernel.org/stable/c/3ddefcb8f75e312535e2e7d5fef9932019ba60f2", + "https://git.kernel.org/stable/c/7c03ab555eb1ba26c77fd7c25bdf44a0ac23edee", + "https://git.kernel.org/stable/c/d06daf0ad645d9225a3ff6958dd82e1f3988fa64", + "https://git.kernel.org/stable/c/d7cc186d0973afce0e1237c37f7512c01981fb79" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: act_ct: take care of padding in struct zones_ht_key\n\nBlamed commit increased lookup key size from 2 bytes to 16 bytes,\nbecause zones_ht_key got a struct net pointer.\n\nMake sure rhashtable_lookup() is not using the padding bytes\nwhich are not initialized.\n\n BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408\n tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425\n tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488\n tcf_action_add net/sched/act_api.c:2061 [inline]\n tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118\n rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665\n netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\n netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357\n netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2597\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651\n __sys_sendmsg net/socket.c:2680 [inline]\n __do_sys_sendmsg net/socket.c:2689 [inline]\n __se_sys_sendmsg net/socket.c:2687 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687\n x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable key created at:\n tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324\n tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42272" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42273", + "dataSource": "https://ubuntu.com/security/CVE-2024-42273", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42273" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42273", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42273", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0cd106612396656d6f1ca17ef192c6759bb60791", + "https://git.kernel.org/stable/c/4239571c5db46a42f723b8fa8394039187c34439", + "https://git.kernel.org/stable/c/5fd057160ab240dd816ae09b625395d54c297de1", + "https://git.kernel.org/stable/c/8cb1f4080dd91c6e6b01dbea013a3f42341cb6a1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid\n\nmkdir /mnt/test/comp\nf2fs_io setflags compression /mnt/test/comp\ndd if=/dev/zero of=/mnt/test/comp/testfile bs=16k count=1\ntruncate --size 13 /mnt/test/comp/testfile\n\nIn the above scenario, we can get a BUG_ON.\n kernel BUG at fs/f2fs/segment.c:3589!\n Call Trace:\n do_write_page+0x78/0x390 [f2fs]\n f2fs_outplace_write_data+0x62/0xb0 [f2fs]\n f2fs_do_write_data_page+0x275/0x740 [f2fs]\n f2fs_write_single_data_page+0x1dc/0x8f0 [f2fs]\n f2fs_write_multi_pages+0x1e5/0xae0 [f2fs]\n f2fs_write_cache_pages+0xab1/0xc60 [f2fs]\n f2fs_write_data_pages+0x2d8/0x330 [f2fs]\n do_writepages+0xcf/0x270\n __writeback_single_inode+0x44/0x350\n writeback_sb_inodes+0x242/0x530\n __writeback_inodes_wb+0x54/0xf0\n wb_writeback+0x192/0x310\n wb_workfn+0x30d/0x400\n\nThe reason is we gave CURSEG_ALL_DATA_ATGC to COMPR_ADDR where the\npage was set the gcing flag by set_cluster_dirty().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42273" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42274", + "dataSource": "https://ubuntu.com/security/CVE-2024-42274", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42274" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42274", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42274", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/36c255db5a25edd42d1aca48e38b8e95ee5fd9ef", + "https://git.kernel.org/stable/c/3dab73ab925a51ab05543b491bf17463a48ca323", + "https://git.kernel.org/stable/c/7c07220cf634002f93a87ca2252a32766850f2d1", + "https://git.kernel.org/stable/c/b239a37d68e8bc59f9516444da222841e3b13ba9", + "https://git.kernel.org/stable/c/f5043e69aeb2786f32e84132817a007a6430aa7d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"ALSA: firewire-lib: operate for period elapse event in process context\"\n\nCommit 7ba5ca32fe6e (\"ALSA: firewire-lib: operate for period elapse event\nin process context\") removed the process context workqueue from\namdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove\nits overhead.\n\nWith RME Fireface 800, this lead to a regression since\nKernels 5.14.0, causing an AB/BA deadlock competition for the\nsubstream lock with eventual system freeze under ALSA operation:\n\nthread 0:\n * (lock A) acquire substream lock by\n\tsnd_pcm_stream_lock_irq() in\n\tsnd_pcm_status64()\n * (lock B) wait for tasklet to finish by calling\n \ttasklet_unlock_spin_wait() in\n\ttasklet_disable_in_atomic() in\n\tohci_flush_iso_completions() of ohci.c\n\nthread 1:\n * (lock B) enter tasklet\n * (lock A) attempt to acquire substream lock,\n \twaiting for it to be released:\n\tsnd_pcm_stream_lock_irqsave() in\n \tsnd_pcm_period_elapsed() in\n\tupdate_pcm_pointers() in\n\tprocess_ctx_payloads() in\n\tprocess_rx_packets() of amdtp-stream.c\n\n? tasklet_unlock_spin_wait\n \n \nohci_flush_iso_completions firewire_ohci\namdtp_domain_stream_pcm_pointer snd_firewire_lib\nsnd_pcm_update_hw_ptr0 snd_pcm\nsnd_pcm_status64 snd_pcm\n\n? native_queued_spin_lock_slowpath\n \n \n_raw_spin_lock_irqsave\nsnd_pcm_period_elapsed snd_pcm\nprocess_rx_packets snd_firewire_lib\nirq_target_callback snd_firewire_lib\nhandle_it_packet firewire_ohci\ncontext_tasklet firewire_ohci\n\nRestore the process context work queue to prevent deadlock\nAB/BA deadlock competition for ALSA substream lock of\nsnd_pcm_stream_lock_irq() in snd_pcm_status64()\nand snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed().\n\nrevert commit 7ba5ca32fe6e (\"ALSA: firewire-lib: operate for period\nelapse event in process context\")\n\nReplace inline description to prevent future deadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42274" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42276", + "dataSource": "https://ubuntu.com/security/CVE-2024-42276", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42276" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42276", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42276", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3f8ec1d6b0ebd8268307d52be8301973fa5a01ec", + "https://git.kernel.org/stable/c/70100fe721840bf6d8e5abd25b8bffe4d2e049b7", + "https://git.kernel.org/stable/c/77848b379e9f85a08048a2c8b3b4a7e8396f5f83", + "https://git.kernel.org/stable/c/7cc1f4cd90a00b6191cb8cda2d1302fdce59361c", + "https://git.kernel.org/stable/c/be23ae63080e0bf9e246ab20207200bca6585eba", + "https://git.kernel.org/stable/c/c31fad1470389666ac7169fe43aa65bf5b7e2cfd", + "https://git.kernel.org/stable/c/d135c3352f7c947a922da93c8e763ee6bc208b64" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: add missing condition check for existence of mapped data\n\nnvme_map_data() is called when request has physical segments, hence\nthe nvme_unmap_data() should have same condition to avoid dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42276" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42277", + "dataSource": "https://ubuntu.com/security/CVE-2024-42277", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42277" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42277", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42277", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/630482ee0653decf9e2482ac6181897eb6cde5b8", + "https://git.kernel.org/stable/c/8c79ceb4ecf823e6ec10fee6febb0fca3de79922", + "https://git.kernel.org/stable/c/b62841e49a2b7938f6fdeaaf93fb57e4eb880bdb", + "https://git.kernel.org/stable/c/d5fe884ce28c5005f8582c35333c195a168f841c", + "https://git.kernel.org/stable/c/dfe90030a0cfa26dca4cb6510de28920e5ad22fb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: sprd: Avoid NULL deref in sprd_iommu_hw_en\n\nIn sprd_iommu_cleanup() before calling function sprd_iommu_hw_en()\ndom->sdev is equal to NULL, which leads to null dereference.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42277" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42280", + "dataSource": "https://ubuntu.com/security/CVE-2024-42280", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42280" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42280", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42280", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/4d8b642985ae24f4b3656438eb8489834a17bb80", + "https://git.kernel.org/stable/c/61ab751451f5ebd0b98e02276a44e23a10110402", + "https://git.kernel.org/stable/c/70db2c84631f50e02e6b32b543700699dd395803", + "https://git.kernel.org/stable/c/7e4a539bca7d8d20f2c5d93c18cce8ef77cd78e0", + "https://git.kernel.org/stable/c/8f4030277dfb9dbe04fd78566b19931097c9d629", + "https://git.kernel.org/stable/c/9460ac3dd1ae033bc2b021a458fb535a0c36ddb2", + "https://git.kernel.org/stable/c/d3e4d4a98c5629ccdcb762a0ff6c82ba9738a0c3", + "https://git.kernel.org/stable/c/ddc79556641ee070d36be0de4a1f0a16a71f1fc7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: Fix a use after free in hfcmulti_tx()\n\nDon't dereference *sp after calling dev_kfree_skb(*sp).", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42280" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42281", + "dataSource": "https://ubuntu.com/security/CVE-2024-42281", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42281" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42281", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42281", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/11ec79f5c7f74261874744039bc1551023edd6b2", + "https://git.kernel.org/stable/c/a689f5eb13a90f892a088865478b3cd39f53d5dc", + "https://git.kernel.org/stable/c/c3496314c53e7e82ddb544c825defc3e8c0e45cf", + "https://git.kernel.org/stable/c/dda518dea60d556a2d171c0122ca7d9fdb7d473a", + "https://git.kernel.org/stable/c/ec4eea14d75f7b0491194dd413f540dd19b8c733", + "https://git.kernel.org/stable/c/f6bb8c90cab97a3e03f8d30e3069efe6a742e0be", + "https://git.kernel.org/stable/c/fa5ef655615a01533035c6139248c5b33aa27028" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a segment issue when downgrading gso_size\n\nLinearize the skb when downgrading gso_size because it may trigger a\nBUG_ON() later when the skb is segmented as described in [1,2].", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42281" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42283", + "dataSource": "https://ubuntu.com/security/CVE-2024-42283", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42283" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42283", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42283", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1377de719652d868f5317ba8398b7e74c5f0430b", + "https://git.kernel.org/stable/c/5cc4d71dda2dd4f1520f40e634a527022e48ccd8", + "https://git.kernel.org/stable/c/6d745cd0e9720282cd291d36b9db528aea18add2", + "https://git.kernel.org/stable/c/7704460acd7f5d35eb07c52500987dc9b95313fb", + "https://git.kernel.org/stable/c/9e8f558a3afe99ce51a642ce0d3637ddc2b5d5d0", + "https://git.kernel.org/stable/c/a13d3864b76ac87085ec530b2ff8e37482a63a96", + "https://git.kernel.org/stable/c/fd06cb4a5fc7bda3dea31712618a62af72a1c6cb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nexthop: Initialize all fields in dumped nexthops\n\nstruct nexthop_grp contains two reserved fields that are not initialized by\nnla_put_nh_group(), and carry garbage. This can be observed e.g. with\nstrace (edited for clarity):\n\n # ip nexthop add id 1 dev lo\n # ip nexthop add id 101 group 1\n # strace -e recvmsg ip nexthop get id 101\n ...\n recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},\n [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52\n\nThe fields are reserved and therefore not currently used. But as they are, they\nleak kernel memory, and the fact they are not just zero complicates repurposing\nof the fields for new ends. Initialize the full structure.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42283" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42284", + "dataSource": "https://ubuntu.com/security/CVE-2024-42284", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42284" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42284", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42284", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/253405541be2f15ffebdeac2f4cf4b7e9144d12f", + "https://git.kernel.org/stable/c/2abe350db1aa599eeebc6892237d0bce0f1de62a", + "https://git.kernel.org/stable/c/5eea127675450583680c8170358bcba43227bd69", + "https://git.kernel.org/stable/c/728734352743a78b4c5a7285b282127696a4a813", + "https://git.kernel.org/stable/c/76ddf84a52f0d8ec3f5db6ccce08faf202a17d28", + "https://git.kernel.org/stable/c/7ec3335dd89c8d169e9650e4bac64fde71fdf15b", + "https://git.kernel.org/stable/c/aa38bf74899de07cf70b50cd17f8ad45fb6654c8", + "https://git.kernel.org/stable/c/fa96c6baef1b5385e2f0c0677b32b3839e716076" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Return non-zero value from tipc_udp_addr2str() on error\n\ntipc_udp_addr2str() should return non-zero value if the UDP media\naddress is invalid. Otherwise, a buffer overflow access can occur in\ntipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP\nmedia address.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42284" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42285", + "dataSource": "https://ubuntu.com/security/CVE-2024-42285", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42285" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42285", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42285", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/557d035fe88d78dd51664f4dc0e1896c04c97cf6", + "https://git.kernel.org/stable/c/7f25f296fc9bd0435be14e89bf657cd615a23574", + "https://git.kernel.org/stable/c/94ee7ff99b87435ec63211f632918dc7f44dac79", + "https://git.kernel.org/stable/c/aee2424246f9f1dadc33faa78990c1e2eb7826e4", + "https://git.kernel.org/stable/c/d91d253c87fd1efece521ff2612078a35af673c6", + "https://git.kernel.org/stable/c/dc8074b8901caabb97c2d353abd6b4e7fa5a59a5", + "https://git.kernel.org/stable/c/ee39384ee787e86e9db4efb843818ef0ea9cb8ae", + "https://git.kernel.org/stable/c/ff5bbbdee08287d75d72e65b72a2b76d9637892a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix a use-after-free related to destroying CM IDs\n\niw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with\nan existing struct iw_cm_id (cm_id) as follows:\n\n conn_id->cm_id.iw = cm_id;\n cm_id->context = conn_id;\n cm_id->cm_handler = cma_iw_handler;\n\nrdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make\nsure that cm_work_handler() does not trigger a use-after-free by only\nfreeing of the struct rdma_id_private after all pending work has finished.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42285" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42286", + "dataSource": "https://ubuntu.com/security/CVE-2024-42286", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42286" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42286", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42286", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3eac973eb5cb2b874b3918f924798afc5affd46b", + "https://git.kernel.org/stable/c/549aac9655320c9b245a24271b204668c5d40430", + "https://git.kernel.org/stable/c/7cec2c3bfe84539c415f5e16f989228eba1d2f1e", + "https://git.kernel.org/stable/c/a3ab508a4853a9f5ae25a7816a4889f09938f63c", + "https://git.kernel.org/stable/c/cde43031df533751b4ead37d173922feee2f550f", + "https://git.kernel.org/stable/c/e1f010844443c389bc552884ac5cfa47de34d54c", + "https://git.kernel.org/stable/c/eb1d4ce2609584eeb7694866f34d4b213caa3af9", + "https://git.kernel.org/stable/c/f6be298cc1042f24d521197af29c7c4eb95af4d5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: validate nvme_local_port correctly\n\nThe driver load failed with error message,\n\nqla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef\n\nand with a kernel crash,\n\n\tBUG: unable to handle kernel NULL pointer dereference at 0000000000000070\n\tWorkqueue: events_unbound qla_register_fcport_fn [qla2xxx]\n\tRIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc]\n\tRSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282\n\tRAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000\n\tRDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000\n\tRBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030\n\tR10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4\n\tR13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8\n\tFS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000\n\tCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0\n\tCall Trace:\n\tqla_nvme_register_remote+0xeb/0x1f0 [qla2xxx]\n\t? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx]\n\tqla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx]\n\tqla_register_fcport_fn+0x54/0xc0 [qla2xxx]\n\nExit the qla_nvme_register_remote() function when qla_nvme_register_hba()\nfails and correctly validate nvme_local_port.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42286" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42287", + "dataSource": "https://ubuntu.com/security/CVE-2024-42287", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42287" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42287", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42287", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/314efe3f87949a568f512f05df20bf47b81cf232", + "https://git.kernel.org/stable/c/36fdc5319c4d0ec8b8938ec4769764098a246bfb", + "https://git.kernel.org/stable/c/4475afa2646d3fec176fc4d011d3879b26cb26e3", + "https://git.kernel.org/stable/c/57ba7563712227647f82a92547e82c96cd350553", + "https://git.kernel.org/stable/c/814f4a53cc86f7ea8b501bfb1723f24fd29ef5ee", + "https://git.kernel.org/stable/c/9117337b04d789bd08fdd9854a40bec2815cd3f6", + "https://git.kernel.org/stable/c/af46649304b0c9cede4ccfc2be2561ce8ed6a2ea" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Complete command early within lock\n\nA crash was observed while performing NPIV and FW reset,\n\n BUG: kernel NULL pointer dereference, address: 000000000000001c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 1 PREEMPT_RT SMP NOPTI\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\n RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0\n RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034\n R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000\n R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000\n FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n \n ? __die_body+0x1a/0x60\n ? page_fault_oops+0x16f/0x4a0\n ? do_user_addr_fault+0x174/0x7f0\n ? exc_page_fault+0x69/0x1a0\n ? asm_exc_page_fault+0x22/0x30\n ? dma_direct_unmap_sg+0x51/0x1e0\n ? preempt_count_sub+0x96/0xe0\n qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx]\n qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx]\n __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx]\n\nThe command completion was done early while aborting the commands in driver\nunload path but outside lock to avoid the WARN_ON condition of performing\ndma_free_attr within the lock. However this caused race condition while\ncommand completion via multiple paths causing system crash.\n\nHence complete the command early in unload path but within the lock to\navoid race condition.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42287" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42288", + "dataSource": "https://ubuntu.com/security/CVE-2024-42288", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42288" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42288", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42288", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2a15b59a2c5afac89696e44acf5bbfc0599c6c5e", + "https://git.kernel.org/stable/c/571d7f2a08836698c2fb0d792236424575b9829b", + "https://git.kernel.org/stable/c/8192c533e89d9fb69b2490398939236b78cda79b", + "https://git.kernel.org/stable/c/87db8d7b7520e99de71791260989f06f9c94953d", + "https://git.kernel.org/stable/c/b0302ffc74123b6a99d7d1896fcd9b2e4072d9ce", + "https://git.kernel.org/stable/c/c03d740152f78e86945a75b2ad541bf972fab92a", + "https://git.kernel.org/stable/c/dae67169cb35a37ecccf60cfcd6bf93a1f4f5efb" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix for possible memory corruption\n\nInit Control Block is dereferenced incorrectly. Correctly dereference ICB", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42288" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42289", + "dataSource": "https://ubuntu.com/security/CVE-2024-42289", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42289" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42289", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42289", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/086489256696eb774654a5410e86381c346356fe", + "https://git.kernel.org/stable/c/171ac4b495f9473bc134356a00095b47e6409e52", + "https://git.kernel.org/stable/c/76f480d7c717368f29a3870f7d64471ce0ff8fb2", + "https://git.kernel.org/stable/c/87c25fcb95aafabb6a4914239f4ab41b07a4f9b7", + "https://git.kernel.org/stable/c/b12c54e51ba83c1fbc619d35083d7872e42ecdef", + "https://git.kernel.org/stable/c/b35d6d5a2f38605cddea7d5c64cded894fbe8ede", + "https://git.kernel.org/stable/c/d28a2075bb530489715a3b011e1dd8765ba20313", + "https://git.kernel.org/stable/c/e5ed6a26ffdec0c91cf0b6138afbd675c00ad5fc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: During vport delete send async logout explicitly\n\nDuring vport delete, it is observed that during unload we hit a crash\nbecause of stale entries in outstanding command array. For all these stale\nI/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but\nI/Os could not complete while vport delete is in process of deleting.\n\n BUG: kernel NULL pointer dereference, address: 000000000000001c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n Workqueue: qla2xxx_wq qla_do_work [qla2xxx]\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\n RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0\n RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8\n R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000\n R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0\n Call Trace:\n \n qla2xxx_qpair_sp_free_dma+0x417/0x4e0\n ? qla2xxx_qpair_sp_compl+0x10d/0x1a0\n ? qla2x00_status_entry+0x768/0x2830\n ? newidle_balance+0x2f0/0x430\n ? dequeue_entity+0x100/0x3c0\n ? qla24xx_process_response_queue+0x6a1/0x19e0\n ? __schedule+0x2d5/0x1140\n ? qla_do_work+0x47/0x60\n ? process_one_work+0x267/0x440\n ? process_one_work+0x440/0x440\n ? worker_thread+0x2d/0x3d0\n ? process_one_work+0x440/0x440\n ? kthread+0x156/0x180\n ? set_kthread_struct+0x50/0x50\n ? ret_from_fork+0x22/0x30\n \n\nSend out async logout explicitly for all the ports during vport delete.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42289" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42290", + "dataSource": "https://ubuntu.com/security/CVE-2024-42290", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42290" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42290", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42290", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/21bd3f9e7f924cd2fc892a484e7a50c7e1847565", + "https://git.kernel.org/stable/c/33b1c47d1fc0b5f06a393bb915db85baacba18ea", + "https://git.kernel.org/stable/c/3a2884a44e5cda192df1b28e9925661f79f599a1", + "https://git.kernel.org/stable/c/58c56735facb225a5c46fa4b8bbbe7f31d1cb894", + "https://git.kernel.org/stable/c/a590e8dea3df2639921f874d763be961dd74e8f9", + "https://git.kernel.org/stable/c/f8ae38f1dfe652779c7c613facbc257cec00ac44", + "https://git.kernel.org/stable/c/fa1803401e1c360efe6342fb41d161cc51748a11" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/imx-irqsteer: Handle runtime power management correctly\n\nThe power domain is automatically activated from clk_prepare(). However, on\ncertain platforms like i.MX8QM and i.MX8QXP, the power-on handling invokes\nsleeping functions, which triggers the 'scheduling while atomic' bug in the\ncontext switch path during device probing:\n\n BUG: scheduling while atomic: kworker/u13:1/48/0x00000002\n Call trace:\n __schedule_bug+0x54/0x6c\n __schedule+0x7f0/0xa94\n schedule+0x5c/0xc4\n schedule_preempt_disabled+0x24/0x40\n __mutex_lock.constprop.0+0x2c0/0x540\n __mutex_lock_slowpath+0x14/0x20\n mutex_lock+0x48/0x54\n clk_prepare_lock+0x44/0xa0\n clk_prepare+0x20/0x44\n imx_irqsteer_resume+0x28/0xe0\n pm_generic_runtime_resume+0x2c/0x44\n __genpd_runtime_resume+0x30/0x80\n genpd_runtime_resume+0xc8/0x2c0\n __rpm_callback+0x48/0x1d8\n rpm_callback+0x6c/0x78\n rpm_resume+0x490/0x6b4\n __pm_runtime_resume+0x50/0x94\n irq_chip_pm_get+0x2c/0xa0\n __irq_do_set_handler+0x178/0x24c\n irq_set_chained_handler_and_data+0x60/0xa4\n mxc_gpio_probe+0x160/0x4b0\n\nCure this by implementing the irq_bus_lock/sync_unlock() interrupt chip\ncallbacks and handle power management in them as they are invoked from\nnon-atomic context.\n\n[ tglx: Rewrote change log, added Fixes tag ]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42290" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42291", + "dataSource": "https://ubuntu.com/security/CVE-2024-42291", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42291" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42291", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42291", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/292081c4e7f575a79017d5cbe1a0ec042783976f", + "https://git.kernel.org/stable/c/6ebbe97a488179f5dc85f2f1e0c89b486e99ee97", + "https://git.kernel.org/stable/c/8e02cd98a6e24389d476e28436d41e620ed8e559", + "https://git.kernel.org/stable/c/d62389073a5b937413e2d1bc1da06ccff5103c0c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Add a per-VF limit on number of FDIR filters\n\nWhile the iavf driver adds a s/w limit (128) on the number of FDIR\nfilters that the VF can request, a malicious VF driver can request more\nthan that and exhaust the resources for other VFs.\n\nAdd a similar limit in ice.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42291" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42292", + "dataSource": "https://ubuntu.com/security/CVE-2024-42292", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42292" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42292", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42292", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/57fe01d3d04276875c7e3a6dc763517fc05b8762", + "https://git.kernel.org/stable/c/648d5490460d38436640da0812bf7f6351c150d2", + "https://git.kernel.org/stable/c/68d63ace80b76395e7935687ecdb86421adc2168", + "https://git.kernel.org/stable/c/81a15d28f32af01493ae8c5457e0d55314a4167d", + "https://git.kernel.org/stable/c/b59a5e86a3934f1b6a5bd1368902dbc79bdecc90", + "https://git.kernel.org/stable/c/c5ee8adc8d98a49703320d13878ba2b923b142f5", + "https://git.kernel.org/stable/c/d4663536754defff75ff1eca0aaebc41da165a8d", + "https://git.kernel.org/stable/c/dd6e9894b451e7c85cceb8e9dc5432679a70e7dc" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkobject_uevent: Fix OOB access within zap_modalias_env()\n\nzap_modalias_env() wrongly calculates size of memory block to move, so\nwill cause OOB memory access issue if variable MODALIAS is not the last\none within its @env parameter, fixed by correcting size to memmove.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42292" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42294", + "dataSource": "https://ubuntu.com/security/CVE-2024-42294", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42294" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42294", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42294", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/5a5625a83eac91fdff1d5f0202ecfc45a31983c9", + "https://git.kernel.org/stable/c/7e04da2dc7013af50ed3a2beb698d5168d1e594b", + "https://git.kernel.org/stable/c/f5418f48a93b69ed9e6a2281eee06b412f14a544" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix deadlock between sd_remove & sd_release\n\nOur test report the following hung task:\n\n[ 2538.459400] INFO: task \"kworker/0:0\":7 blocked for more than 188 seconds.\n[ 2538.459427] Call trace:\n[ 2538.459430] __switch_to+0x174/0x338\n[ 2538.459436] __schedule+0x628/0x9c4\n[ 2538.459442] schedule+0x7c/0xe8\n[ 2538.459447] schedule_preempt_disabled+0x24/0x40\n[ 2538.459453] __mutex_lock+0x3ec/0xf04\n[ 2538.459456] __mutex_lock_slowpath+0x14/0x24\n[ 2538.459459] mutex_lock+0x30/0xd8\n[ 2538.459462] del_gendisk+0xdc/0x350\n[ 2538.459466] sd_remove+0x30/0x60\n[ 2538.459470] device_release_driver_internal+0x1c4/0x2c4\n[ 2538.459474] device_release_driver+0x18/0x28\n[ 2538.459478] bus_remove_device+0x15c/0x174\n[ 2538.459483] device_del+0x1d0/0x358\n[ 2538.459488] __scsi_remove_device+0xa8/0x198\n[ 2538.459493] scsi_forget_host+0x50/0x70\n[ 2538.459497] scsi_remove_host+0x80/0x180\n[ 2538.459502] usb_stor_disconnect+0x68/0xf4\n[ 2538.459506] usb_unbind_interface+0xd4/0x280\n[ 2538.459510] device_release_driver_internal+0x1c4/0x2c4\n[ 2538.459514] device_release_driver+0x18/0x28\n[ 2538.459518] bus_remove_device+0x15c/0x174\n[ 2538.459523] device_del+0x1d0/0x358\n[ 2538.459528] usb_disable_device+0x84/0x194\n[ 2538.459532] usb_disconnect+0xec/0x300\n[ 2538.459537] hub_event+0xb80/0x1870\n[ 2538.459541] process_scheduled_works+0x248/0x4dc\n[ 2538.459545] worker_thread+0x244/0x334\n[ 2538.459549] kthread+0x114/0x1bc\n\n[ 2538.461001] INFO: task \"fsck.\":15415 blocked for more than 188 seconds.\n[ 2538.461014] Call trace:\n[ 2538.461016] __switch_to+0x174/0x338\n[ 2538.461021] __schedule+0x628/0x9c4\n[ 2538.461025] schedule+0x7c/0xe8\n[ 2538.461030] blk_queue_enter+0xc4/0x160\n[ 2538.461034] blk_mq_alloc_request+0x120/0x1d4\n[ 2538.461037] scsi_execute_cmd+0x7c/0x23c\n[ 2538.461040] ioctl_internal_command+0x5c/0x164\n[ 2538.461046] scsi_set_medium_removal+0x5c/0xb0\n[ 2538.461051] sd_release+0x50/0x94\n[ 2538.461054] blkdev_put+0x190/0x28c\n[ 2538.461058] blkdev_release+0x28/0x40\n[ 2538.461063] __fput+0xf8/0x2a8\n[ 2538.461066] __fput_sync+0x28/0x5c\n[ 2538.461070] __arm64_sys_close+0x84/0xe8\n[ 2538.461073] invoke_syscall+0x58/0x114\n[ 2538.461078] el0_svc_common+0xac/0xe0\n[ 2538.461082] do_el0_svc+0x1c/0x28\n[ 2538.461087] el0_svc+0x38/0x68\n[ 2538.461090] el0t_64_sync_handler+0x68/0xbc\n[ 2538.461093] el0t_64_sync+0x1a8/0x1ac\n\n T1:\t\t\t\tT2:\n sd_remove\n del_gendisk\n __blk_mark_disk_dead\n blk_freeze_queue_start\n ++q->mq_freeze_depth\n \t\t\t\tbdev_release\n \t\t\t\tmutex_lock(&disk->open_mutex)\n \t\t\t\tsd_release\n \t\t\t\tscsi_execute_cmd\n \t\t\t\tblk_queue_enter\n \t\t\t\twait_event(!q->mq_freeze_depth)\n mutex_lock(&disk->open_mutex)\n\nSCSI does not set GD_OWNS_QUEUE, so QUEUE_FLAG_DYING is not set in\nthis scenario. This is a classic ABBA deadlock. To fix the deadlock,\nmake sure we don't try to acquire disk->open_mutex after freezing\nthe queue.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42294" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42295", + "dataSource": "https://ubuntu.com/security/CVE-2024-42295", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42295" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42295", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42295", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/012be828a118bf496e666ef1fc47fc0e7358ada2", + "https://git.kernel.org/stable/c/02b87e6334a38c65eef49848d3f1ac422f0b2a44", + "https://git.kernel.org/stable/c/19cce46238ffe3546e44b9c74057103ff8b24c62", + "https://git.kernel.org/stable/c/366c3f688dd0288cbe38af1d3a886b5c62372e4a", + "https://git.kernel.org/stable/c/4811f7af6090e8f5a398fbdd766f903ef6c0d787", + "https://git.kernel.org/stable/c/5f0a6800b8aec1b453c7fe4c44fcaac5ffe9d52e", + "https://git.kernel.org/stable/c/be56dfc9be0604291267c07b0e27a69a6bda4899", + "https://git.kernel.org/stable/c/e34191cce3ee63dfa5fb241904aaf2a042d5b6d8" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: handle inconsistent state in nilfs_btnode_create_block()\n\nSyzbot reported that a buffer state inconsistency was detected in\nnilfs_btnode_create_block(), triggering a kernel bug.\n\nIt is not appropriate to treat this inconsistency as a bug; it can occur\nif the argument block address (the buffer index of the newly created\nblock) is a virtual block number and has been reallocated due to\ncorruption of the bitmap used to manage its allocation state.\n\nSo, modify nilfs_btnode_create_block() and its callers to treat it as a\npossible filesystem error, rather than triggering a kernel bug.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42295" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42296", + "dataSource": "https://ubuntu.com/security/CVE-2024-42296", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42296" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42296", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42296", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/077f0e24b27c4b44841593c7edbd1993be9eecb5", + "https://git.kernel.org/stable/c/1e7725814361c8c008d131db195cef8274ff26b8", + "https://git.kernel.org/stable/c/47a8ddcdcaccd9b891db4574795e46a33a121ac2", + "https://git.kernel.org/stable/c/70f5ef5f33c333cfb286116fa3af74ac9bc84f1b", + "https://git.kernel.org/stable/c/a8eb3de28e7a365690c61161e7a07a4fc7c60bbf" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix return value of f2fs_convert_inline_inode()\n\nIf device is readonly, make f2fs_convert_inline_inode()\nreturn EROFS instead of zero, otherwise it may trigger\npanic during writeback of inline inode's dirty page as\nbelow:\n\n f2fs_write_single_data_page+0xbb6/0x1e90 fs/f2fs/data.c:2888\n f2fs_write_cache_pages fs/f2fs/data.c:3187 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3342 [inline]\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3369\n do_writepages+0x359/0x870 mm/page-writeback.c:2634\n filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397\n __filemap_fdatawrite_range mm/filemap.c:430 [inline]\n file_write_and_wait_range+0x1aa/0x290 mm/filemap.c:788\n f2fs_do_sync_file+0x68a/0x1ae0 fs/f2fs/file.c:276\n generic_write_sync include/linux/fs.h:2806 [inline]\n f2fs_file_write_iter+0x7bd/0x24e0 fs/f2fs/file.c:4977\n call_write_iter include/linux/fs.h:2114 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xa72/0xc90 fs/read_write.c:590\n ksys_write+0x1a0/0x2c0 fs/read_write.c:643\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42296" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42297", + "dataSource": "https://ubuntu.com/security/CVE-2024-42297", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42297" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42297", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42297", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/192b8fb8d1c8ca3c87366ebbef599fa80bb626b8", + "https://git.kernel.org/stable/c/2434344559f6743efb3ac15d11af9a0db9543bd3", + "https://git.kernel.org/stable/c/2d2916516577f2239b3377d9e8d12da5e6ccdfcf", + "https://git.kernel.org/stable/c/54162974aea37a8cae00742470a78c7f6bd6f915", + "https://git.kernel.org/stable/c/54bc4e88447e385c4d4ffa85d93e0dce628fcfa6", + "https://git.kernel.org/stable/c/9ce8135accf103f7333af472709125878704fdd4", + "https://git.kernel.org/stable/c/e62ff092a42f4a1bae3b310cf46673b4f3aac3b5", + "https://git.kernel.org/stable/c/ec56571b4b146a1cfbedab49d5fcaf19fe8bf4f1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to don't dirty inode for readonly filesystem\n\nsyzbot reports f2fs bug as below:\n\nkernel BUG at fs/f2fs/inode.c:933!\nRIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933\nCall Trace:\n evict+0x2a4/0x620 fs/inode.c:664\n dispose_list fs/inode.c:697 [inline]\n evict_inodes+0x5f8/0x690 fs/inode.c:747\n generic_shutdown_super+0x9d/0x2c0 fs/super.c:675\n kill_block_super+0x44/0x90 fs/super.c:1667\n kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894\n deactivate_locked_super+0xc1/0x130 fs/super.c:484\n cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256\n task_work_run+0x24a/0x300 kernel/task_work.c:180\n ptrace_notify+0x2cd/0x380 kernel/signal.c:2399\n ptrace_report_syscall include/linux/ptrace.h:411 [inline]\n ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]\n syscall_exit_work kernel/entry/common.c:251 [inline]\n syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]\n syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296\n do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nThe root cause is:\n- do_sys_open\n - f2fs_lookup\n - __f2fs_find_entry\n - f2fs_i_depth_write\n - f2fs_mark_inode_dirty_sync\n - f2fs_dirty_inode\n - set_inode_flag(inode, FI_DIRTY_INODE)\n\n- umount\n - kill_f2fs_super\n - kill_block_super\n - generic_shutdown_super\n - sync_filesystem\n : sb is readonly, skip sync_filesystem()\n - evict_inodes\n - iput\n - f2fs_evict_inode\n - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE))\n : trigger kernel panic\n\nWhen we try to repair i_current_depth in readonly filesystem, let's\nskip dirty inode to avoid panic in later f2fs_evict_inode().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42297" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42299", + "dataSource": "https://ubuntu.com/security/CVE-2024-42299", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42299" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42299", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42299", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0484adcb5fbcadd9ba0fd4485c42630f72e97da9", + "https://git.kernel.org/stable/c/0a4ae2644e2a3b3b219aad9639fb2b0691d08420", + "https://git.kernel.org/stable/c/2cac0df3324b5e287d8020bc0708f7d2dec88a6f", + "https://git.kernel.org/stable/c/2fef55d8f78383c8e6d6d4c014b9597375132696", + "https://git.kernel.org/stable/c/b90ceffdc975502bc085ce8e79c6adeff05f9521" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Update log->page_{mask,bits} if log->page_size changed\n\nIf an NTFS file system is mounted to another system with different\nPAGE_SIZE from the original system, log->page_size will change in\nlog_replay(), but log->page_{mask,bits} don't change correspondingly.\nThis will cause a panic because \"u32 bytes = log->page_size - page_off\"\nwill get a negative value in the later read_log_page().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42299" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42301", + "dataSource": "https://ubuntu.com/security/CVE-2024-42301", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42301" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42301", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42301", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/166a0bddcc27de41fe13f861c8348e8e53e988c8", + "https://git.kernel.org/stable/c/47b3dce100778001cd76f7e9188944b5cb27a76d", + "https://git.kernel.org/stable/c/7789a1d6792af410aa9b39a1eb237ed24fa2170a", + "https://git.kernel.org/stable/c/7f4da759092a1a6ce35fb085182d02de8cc4cc84", + "https://git.kernel.org/stable/c/a44f88f7576bc1916d8d6293f5c62fbe7cbe03e0", + "https://git.kernel.org/stable/c/ab11dac93d2d568d151b1918d7b84c2d02bacbd5", + "https://git.kernel.org/stable/c/b579ea3516c371ecf59d073772bc45dfd28c8a0e", + "https://git.kernel.org/stable/c/c719b393374d3763e64900ee19aaed767d5a08d6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndev/parport: fix the array out-of-bounds risk\n\nFixed array out-of-bounds issues caused by sprintf\nby replacing it with snprintf for safer data copying,\nensuring the destination buffer is not overflowed.\n\nBelow is the stack trace I encountered during the actual issue:\n\n[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector:\nKernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]\n[ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm:\nQThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2\n[ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp\n[ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun\nPGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024\n[ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace:\n[ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0\n[ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20\n[ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c\n[ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc\n[ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38\n[ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42301" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42302", + "dataSource": "https://ubuntu.com/security/CVE-2024-42302", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42302" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42302", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42302", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed", + "https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7", + "https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f", + "https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62", + "https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d", + "https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/DPC: Fix use-after-free on concurrent DPC and hot-removal\n\nKeith reports a use-after-free when a DPC event occurs concurrently to\nhot-removal of the same portion of the hierarchy:\n\nThe dpc_handler() awaits readiness of the secondary bus below the\nDownstream Port where the DPC event occurred. To do so, it polls the\nconfig space of the first child device on the secondary bus. If that\nchild device is concurrently removed, accesses to its struct pci_dev\ncause the kernel to oops.\n\nThat's because pci_bridge_wait_for_secondary_bus() neglects to hold a\nreference on the child device. Before v6.3, the function was only\ncalled on resume from system sleep or on runtime resume. Holding a\nreference wasn't necessary back then because the pciehp IRQ thread\ncould never run concurrently. (On resume from system sleep, IRQs are\nnot enabled until after the resume_noirq phase. And runtime resume is\nalways awaited before a PCI device is removed.)\n\nHowever starting with v6.3, pci_bridge_wait_for_secondary_bus() is also\ncalled on a DPC event. Commit 53b54ad074de (\"PCI/DPC: Await readiness\nof secondary bus after reset\"), which introduced that, failed to\nappreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a\nreference on the child device because dpc_handler() and pciehp may\nindeed run concurrently. The commit was backported to v5.10+ stable\nkernels, so that's the oldest one affected.\n\nAdd the missing reference acquisition.\n\nAbridged stack trace:\n\n BUG: unable to handle page fault for address: 00000000091400c0\n CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0\n RIP: pci_bus_read_config_dword+0x17/0x50\n pci_dev_wait()\n pci_bridge_wait_for_secondary_bus()\n dpc_reset_link()\n pcie_do_recovery()\n dpc_handler()", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42302" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42304", + "dataSource": "https://ubuntu.com/security/CVE-2024-42304", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42304" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42304", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42304", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/299bc6ffa57e04e74c6cce866d6c0741fb4897a1", + "https://git.kernel.org/stable/c/9771e3d8365ae1dd5e8846a204cb9af14e3e656a", + "https://git.kernel.org/stable/c/b609753cbbd38f8c0affd4956c0af178348523ac", + "https://git.kernel.org/stable/c/c3893d9de8ee153baac56d127d844103488133b5", + "https://git.kernel.org/stable/c/d81d7e347d1f1f48a5634607d39eb90c161c8afe", + "https://git.kernel.org/stable/c/de2a011a13a46468a6e8259db58b1b62071fe136", + "https://git.kernel.org/stable/c/e02f9941e8c011aa3eafa799def6a134ce06bcfa", + "https://git.kernel.org/stable/c/f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: make sure the first directory block is not a hole\n\nThe syzbot constructs a directory that has no dirblock but is non-inline,\ni.e. the first directory block is a hole. And no errors are reported when\ncreating files in this directory in the following flow.\n\n ext4_mknod\n ...\n ext4_add_entry\n // Read block 0\n ext4_read_dirblock(dir, block, DIRENT)\n bh = ext4_bread(NULL, inode, block, 0)\n if (!bh && (type == INDEX || type == DIRENT_HTREE))\n // The first directory block is a hole\n // But type == DIRENT, so no error is reported.\n\nAfter that, we get a directory block without '.' and '..' but with a valid\ndentry. This may cause some code that relies on dot or dotdot (such as\nmake_indexed_dir()) to crash.\n\nTherefore when ext4_read_dirblock() finds that the first directory block\nis a hole report that the filesystem is corrupted and return an error to\navoid loading corrupted data from disk causing something bad.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42304" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42305", + "dataSource": "https://ubuntu.com/security/CVE-2024-42305", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42305" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42305", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42305", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8", + "https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa", + "https://git.kernel.org/stable/c/50ea741def587a64e08879ce6c6a30131f7111e7", + "https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a", + "https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2", + "https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c", + "https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db", + "https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d2397d378c5" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: check dot and dotdot of dx_root before making dir indexed\n\nSyzbot reports a issue as follows:\n============================================\nBUG: unable to handle page fault for address: ffffed11022e24fe\nPGD 23ffee067 P4D 23ffee067 PUD 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0\nCall Trace:\n \n make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451\n ext4_rename fs/ext4/namei.c:3936 [inline]\n ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214\n[...]\n============================================\n\nThe immediate cause of this problem is that there is only one valid dentry\nfor the block to be split during do_split, so split==0 results in out of\nbounds accesses to the map triggering the issue.\n\n do_split\n unsigned split\n dx_make_map\n count = 1\n split = count/2 = 0;\n continued = hash2 == map[split - 1].hash;\n ---> map[4294967295]\n\nThe maximum length of a filename is 255 and the minimum block size is 1024,\nso it is always guaranteed that the number of entries is greater than or\nequal to 2 when do_split() is called.\n\nBut syzbot's crafted image has no dot and dotdot in dir, and the dentry\ndistribution in dirblock is as follows:\n\n bus dentry1 hole dentry2 free\n|xx--|xx-------------|...............|xx-------------|...............|\n0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024\n\nSo when renaming dentry1 increases its name_len length by 1, neither hole\nnor free is sufficient to hold the new dentry, and make_indexed_dir() is\ncalled.\n\nIn make_indexed_dir() it is assumed that the first two entries of the\ndirblock must be dot and dotdot, so bus and dentry1 are left in dx_root\nbecause they are treated as dot and dotdot, and only dentry2 is moved\nto the new leaf block. That's why count is equal to 1.\n\nTherefore add the ext4_check_dx_root() helper function to add more sanity\nchecks to dot and dotdot before starting the conversion to avoid the above\nissue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42305" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42306", + "dataSource": "https://ubuntu.com/security/CVE-2024-42306", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42306" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42306", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42306", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2199e157a465aaf98294d3932797ecd7fce942d5", + "https://git.kernel.org/stable/c/271cab2ca00652bc984e269cf1208699a1e09cdd", + "https://git.kernel.org/stable/c/57053b3bcf3403b80db6f65aba284d7dfe7326af", + "https://git.kernel.org/stable/c/6a43e3c210df6c5f00570f4be49a897677dbcb64", + "https://git.kernel.org/stable/c/8ca170c39eca7cad6e0cfeb24e351d8f8eddcd65", + "https://git.kernel.org/stable/c/a90d4471146de21745980cba51ce88e7926bcc4f", + "https://git.kernel.org/stable/c/cae9e59cc41683408b70b9ab569f8654866ba914" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Avoid using corrupted block bitmap buffer\n\nWhen the filesystem block bitmap is corrupted, we detect the corruption\nwhile loading the bitmap and fail the allocation with error. However the\nnext allocation from the same bitmap will notice the bitmap buffer is\nalready loaded and tries to allocate from the bitmap with mixed results\n(depending on the exact nature of the bitmap corruption). Fix the\nproblem by using BH_verified bit to indicate whether the bitmap is valid\nor not.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42306" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42308", + "dataSource": "https://ubuntu.com/security/CVE-2024-42308", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42308" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42308", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42308", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/185616085b12e651cdfd11ef00d1449f54552d89", + "https://git.kernel.org/stable/c/4ab68e168ae1695f7c04fae98930740aaf7c50fa", + "https://git.kernel.org/stable/c/4ccd37085976ea5d3c499b1e6d0b3f4deaf2cd5a", + "https://git.kernel.org/stable/c/6b5ed0648213e9355cc78f4a264d9afe8536d692", + "https://git.kernel.org/stable/c/71dbf95359347c2ecc5a6dfc02783fcfccb2e9fb", + "https://git.kernel.org/stable/c/9ce89824ff04d261fc855e0ca6e6025251d9fa40", + "https://git.kernel.org/stable/c/f068494430d15b5fc551ac928de9dac7e5e27602" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check for NULL pointer\n\n[why & how]\nNeed to make sure plane_state is initialized\nbefore accessing its members.\n\n(cherry picked from commit 295d91cbc700651782a60572f83c24861607b648)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42308" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42309", + "dataSource": "https://ubuntu.com/security/CVE-2024-42309", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42309" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42309", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42309", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/13b5f3ee94bdbdc4b5f40582aab62977905aedee", + "https://git.kernel.org/stable/c/2df7aac81070987b0f052985856aa325a38debf6", + "https://git.kernel.org/stable/c/46d2ef272957879cbe30a884574320e7f7d78692", + "https://git.kernel.org/stable/c/475a5b3b7c8edf6e583a9eb59cf28ea770602e14", + "https://git.kernel.org/stable/c/6735d02ead7dd3adf74eb8b70aebd09e0ce78ec9", + "https://git.kernel.org/stable/c/7e52c62ff029f95005915c0a11863b5fb5185c8c", + "https://git.kernel.org/stable/c/d6ad202f73f8edba0cbc0065aa57a79ffe8fdcdc", + "https://git.kernel.org/stable/c/f70ffeca546452d1acd3a70ada56ecb2f3e7f811" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes\n\nIn psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42309" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42310", + "dataSource": "https://ubuntu.com/security/CVE-2024-42310", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42310" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42310", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42310", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/08f45102c81ad8bc9f85f7a25e9f64e128edb87d", + "https://git.kernel.org/stable/c/2d209b2f862f6b8bff549ede541590a8d119da23", + "https://git.kernel.org/stable/c/977ee4fe895e1729cd36cc26916bbb10084713d6", + "https://git.kernel.org/stable/c/a658ae2173ab74667c009e2550455e6de5b33ddc", + "https://git.kernel.org/stable/c/b6ac46a00188cde50ffba233e6efb366354a1de5", + "https://git.kernel.org/stable/c/cb520c3f366c77e8d69e4e2e2781a8ce48d98e79", + "https://git.kernel.org/stable/c/e74eb5e8089427c8c49e0dd5067e5f39ce3a4d56", + "https://git.kernel.org/stable/c/f392c36cebf4c1d6997a4cc2c0f205254acef42a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes\n\nIn cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42310" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42311", + "dataSource": "https://ubuntu.com/security/CVE-2024-42311", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42311" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42311", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42311", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/10f7163bfb5f8b4e0c9c05a939f20b8540e33c65", + "https://git.kernel.org/stable/c/26a2ed107929a855155429b11e1293b83e6b2a8b", + "https://git.kernel.org/stable/c/4a52861cd76e79f1a593beb23d096523eb9732c2", + "https://git.kernel.org/stable/c/58d83fc160505a7009c39dec64effaac5129b971", + "https://git.kernel.org/stable/c/9c4e40b9b731220f9464975e49da75496e3865c4", + "https://git.kernel.org/stable/c/d3493d6f0dfb1ab5225b62faa77732983f2187a1", + "https://git.kernel.org/stable/c/d55aae5c1730d6b70d5d8eaff00113cd34772ea3", + "https://git.kernel.org/stable/c/f7316b2b2f11cf0c6de917beee8d3de728be24db" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()\n\nSyzbot reports uninitialized value access issue as below:\n\nloop0: detected capacity change from 0 to 64\n=====================================================\nBUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\n hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\n d_revalidate fs/namei.c:862 [inline]\n lookup_fast+0x89e/0x8e0 fs/namei.c:1649\n walk_component fs/namei.c:2001 [inline]\n link_path_walk+0x817/0x1480 fs/namei.c:2332\n path_lookupat+0xd9/0x6f0 fs/namei.c:2485\n filename_lookup+0x22e/0x740 fs/namei.c:2515\n user_path_at_empty+0x8b/0x390 fs/namei.c:2924\n user_path_at include/linux/namei.h:57 [inline]\n do_mount fs/namespace.c:3689 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x66b/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nBUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\nBUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\n hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\n hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\n block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271\n hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39\n filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426\n do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553\n do_read_cache_page mm/filemap.c:3595 [inline]\n read_cache_page+0xfb/0x2f0 mm/filemap.c:3604\n read_mapping_page include/linux/pagemap.h:755 [inline]\n hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78\n hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204\n hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406\n mount_bdev+0x628/0x920 fs/super.c:1359\n hfs_mount+0xcd/0xe0 fs/hfs/super.c:456\n legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610\n vfs_get_tree+0xdc/0x5d0 fs/super.c:1489\n do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145\n path_mount+0xf98/0x26a0 fs/namespace.c:3475\n do_mount fs/namespace.c:3488 [inline]\n __do_sys_mount fs/namespace.c:3697 [inline]\n __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674\n __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nUninit was created at:\n __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2190 [inline]\n allocate_slab mm/slub.c:2354 [inline]\n new_slab+0x2d7/0x1400 mm/slub.c:2407\n ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540\n __slab_alloc mm/slub.c:3625 [inline]\n __slab_alloc_node mm/slub.c:3678 [inline]\n slab_alloc_node mm/slub.c:3850 [inline]\n kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879\n alloc_inode_sb include/linux/fs.h:3018 [inline]\n hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165\n alloc_inode+0x83/0x440 fs/inode.c:260\n new_inode_pseudo fs/inode.c:1005 [inline]\n new_inode+0x38/0x4f0 fs/inode.c:1031\n hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186\n hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228\n vfs_mkdir+0x49a/0x700 fs/namei.c:4126\n do_mkdirat+0x529/0x810 fs/namei.c:4149\n __do_sys_mkdirat fs/namei.c:4164 [inline]\n __se_sys_mkdirat fs/namei.c:4162 [inline]\n __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nIt missed to initialize .tz_secondswest, .cached_start and .cached_blocks\nfields in struct hfs_inode_info after hfs_alloc_inode(), fix it.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42311" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42312", + "dataSource": "https://ubuntu.com/security/CVE-2024-42312", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42312" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42312", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42312", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1deae34db9f4f8e0e03f891be2e2e15c15c8ac05", + "https://git.kernel.org/stable/c/34a86adea1f2b3c3f9d864c8cce09dca644601ab", + "https://git.kernel.org/stable/c/98ca62ba9e2be5863c7d069f84f7166b45a5b2f4", + "https://git.kernel.org/stable/c/b2591c89a6e2858796111138c38fcb6851aa1955", + "https://git.kernel.org/stable/c/c7e2f43d182f5dde473389dbb39f16c9f0d64536", + "https://git.kernel.org/stable/c/ffde3af4b29bf97d62d82e1d45275587e10a991a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: always initialize i_uid/i_gid\n\nAlways initialize i_uid/i_gid inside the sysfs core so set_ownership()\ncan safely skip setting them.\n\nCommit 5ec27ec735ba (\"fs/proc/proc_sysctl.c: fix the default values of\ni_uid/i_gid on /proc/sys inodes.\") added defaults for i_uid/i_gid when\nset_ownership() was not implemented. It also missed adjusting\nnet_ctl_set_ownership() to use the same default values in case the\ncomputation of a better value failed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42312" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42313", + "dataSource": "https://ubuntu.com/security/CVE-2024-42313", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42313" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42313", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42313", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/4c9d235630d35db762b85a4149bbb0be9d504c36", + "https://git.kernel.org/stable/c/66fa52edd32cdbb675f0803b3c4da10ea19b6635", + "https://git.kernel.org/stable/c/6a96041659e834dc0b172dda4b2df512d63920c2", + "https://git.kernel.org/stable/c/72aff311194c8ceda934f24fd6f250b8827d7567", + "https://git.kernel.org/stable/c/a0157b5aa34eb43ec4c5510f9c260bbb03be937e", + "https://git.kernel.org/stable/c/ad8cf035baf29467158e0550c7a42b7bb43d1db6", + "https://git.kernel.org/stable/c/da55685247f409bf7f976cc66ba2104df75d8dad", + "https://git.kernel.org/stable/c/f8e9a63b982a8345470c225679af4ba86e4a7282" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: fix use after free in vdec_close\n\nThere appears to be a possible use after free with vdec_close().\nThe firmware will add buffer release work to the work queue through\nHFI callbacks as a normal part of decoding. Randomly closing the\ndecoder device from userspace during normal decoding can incur\na read after free for inst.\n\nFix it by cancelling the work in vdec_close.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42313" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42315", + "dataSource": "https://ubuntu.com/security/CVE-2024-42315", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42315" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42315", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42315", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1d1970493c289e3f44b9ec847ed26a5dbdf56a62", + "https://git.kernel.org/stable/c/89fc548767a2155231128cb98726d6d2ea1256c9", + "https://git.kernel.org/stable/c/a7ac198f8dba791e3144c4da48a5a9b95773ee4b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix potential deadlock on __exfat_get_dentry_set\n\nWhen accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array\nis allocated in __exfat_get_entry_set. The problem is that the bh-array is\nallocated with GFP_KERNEL. It does not make sense. In the following cases,\na deadlock for sbi->s_lock between the two processes may occur.\n\n CPU0 CPU1\n ---- ----\n kswapd\n balance_pgdat\n lock(fs_reclaim)\n exfat_iterate\n lock(&sbi->s_lock)\n exfat_readdir\n exfat_get_uniname_from_ext_entry\n exfat_get_dentry_set\n __exfat_get_dentry_set\n kmalloc_array\n ...\n lock(fs_reclaim)\n ...\n evict\n exfat_evict_inode\n lock(&sbi->s_lock)\n\nTo fix this, let's allocate bh-array with GFP_NOFS.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42315" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42318", + "dataSource": "https://ubuntu.com/security/CVE-2024-42318", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42318" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42318", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42318", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://bugs.chromium.org/p/project-zero/issues/detail?id=2566", + "https://git.kernel.org/stable/c/0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c", + "https://git.kernel.org/stable/c/16896914bace82d7811c62f3b6d5320132384f49", + "https://git.kernel.org/stable/c/39705a6c29f8a2b93cf5b99528a55366c50014d1", + "https://git.kernel.org/stable/c/916c648323fa53b89eedb34a0988ddaf01406117", + "https://git.kernel.org/stable/c/b14cc2cf313bd29056fadbc8ecd7f957cf5791ff", + "https://lore.kernel.org/all/20240817.shahka3Ee1iy@digikod.net/", + "https://www.openwall.com/lists/oss-security/2024/08/17/2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Don't lose track of restrictions on cred_transfer\n\nWhen a process' cred struct is replaced, this _almost_ always invokes\nthe cred_prepare LSM hook; but in one special case (when\nKEYCTL_SESSION_TO_PARENT updates the parent's credentials), the\ncred_transfer LSM hook is used instead. Landlock only implements the\ncred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes\nall information on Landlock restrictions to be lost.\n\nThis basically means that a process with the ability to use the fork()\nand keyctl() syscalls can get rid of all Landlock restrictions on\nitself.\n\nFix it by adding a cred_transfer hook that does the same thing as the\nexisting cred_prepare hook. (Implemented by having hook_cred_prepare()\ncall hook_cred_transfer() so that the two functions are less likely to\naccidentally diverge in the future.)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42318" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42319", + "dataSource": "https://ubuntu.com/security/CVE-2024-42319", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42319" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42319", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42319", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/11fa625b45faf0649118b9deaf2d31c86ac41911", + "https://git.kernel.org/stable/c/a8bd68e4329f9a0ad1b878733e0f80be6a971649" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()\n\nWhen mtk-cmdq unbinds, a WARN_ON message with condition\npm_runtime_get_sync() < 0 occurs.\n\nAccording to the call tracei below:\n cmdq_mbox_shutdown\n mbox_free_channel\n mbox_controller_unregister\n __devm_mbox_controller_unregister\n ...\n\nThe root cause can be deduced to be calling pm_runtime_get_sync() after\ncalling pm_runtime_disable() as observed below:\n1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe()\n to bind the cmdq device to the mbox_controller, so\n devm_mbox_controller_unregister() will automatically unregister\n the device bound to the mailbox controller when the device-managed\n resource is removed. That means devm_mbox_controller_unregister()\n and cmdq_mbox_shoutdown() will be called after cmdq_remove().\n2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after\n devm_mbox_controller_register(), so that devm_pm_runtime_disable()\n will be called after cmdq_remove(), but before\n devm_mbox_controller_unregister().\n\nTo fix this problem, cmdq_probe() needs to move\ndevm_mbox_controller_register() after devm_pm_runtime_enable() to make\ndevm_pm_runtime_disable() be called after\ndevm_mbox_controller_unregister().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42319" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42320", + "dataSource": "https://ubuntu.com/security/CVE-2024-42320", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42320" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42320", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42320", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/68d4c3722290ad300c295fb3435e835d200d5cb2", + "https://git.kernel.org/stable/c/8e64d2356cbc800b4cd0e3e614797f76bcf0cdb8", + "https://git.kernel.org/stable/c/cc8b7284d5076722e0b8062373b68d8e47c3bace", + "https://git.kernel.org/stable/c/e511167e65d332d07b3c7a3d5a741ee9c19a8c27" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix error checks in dasd_copy_pair_store()\n\ndasd_add_busid() can return an error via ERR_PTR() if an allocation\nfails. However, two callsites in dasd_copy_pair_store() do not check\nthe result, potentially resulting in a NULL pointer dereference. Fix\nthis by checking the result with IS_ERR() and returning the error up\nthe stack.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42320" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42321", + "dataSource": "https://ubuntu.com/security/CVE-2024-42321", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42321" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42321", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42321", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/120f1c857a73e52132e473dee89b340440cb692b", + "https://git.kernel.org/stable/c/4afbac11f2f629d1e62817c4e210bdfaa7521107", + "https://git.kernel.org/stable/c/c5d21aabf1b31a79f228508af33aee83456bc1b0", + "https://git.kernel.org/stable/c/eb03d9826aa646577342a952d658d4598381c035" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: flow_dissector: use DEBUG_NET_WARN_ON_ONCE\n\nThe following splat is easy to reproduce upstream as well as in -stable\nkernels. Florian Westphal provided the following commit:\n\n d1dab4f71d37 (\"net: add and use __skb_get_hash_symmetric_net\")\n\nbut this complementary fix has been also suggested by Willem de Bruijn\nand it can be easily backported to -stable kernel which consists in\nusing DEBUG_NET_WARN_ON_ONCE instead to silence the following splat\ngiven __skb_get_hash() is used by the nftables tracing infrastructure to\nto identify packets in traces.\n\n[69133.561393] ------------[ cut here ]------------\n[69133.561404] WARNING: CPU: 0 PID: 43576 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x134f/\n[...]\n[69133.561944] CPU: 0 PID: 43576 Comm: socat Not tainted 6.10.0-rc7+ #379\n[69133.561959] RIP: 0010:__skb_flow_dissect+0x134f/0x2ad0\n[69133.561970] Code: 83 f9 04 0f 84 b3 00 00 00 45 85 c9 0f 84 aa 00 00 00 41 83 f9 02 0f 84 81 fc ff\nff 44 0f b7 b4 24 80 00 00 00 e9 8b f9 ff ff <0f> 0b e9 20 f3 ff ff 41 f6 c6 20 0f 84 e4 ef ff ff 48 8d 7b 12 e8\n[69133.561979] RSP: 0018:ffffc90000006fc0 EFLAGS: 00010246\n[69133.561988] RAX: 0000000000000000 RBX: ffffffff82f33e20 RCX: ffffffff81ab7e19\n[69133.561994] RDX: dffffc0000000000 RSI: ffffc90000007388 RDI: ffff888103a1b418\n[69133.562001] RBP: ffffc90000007310 R08: 0000000000000000 R09: 0000000000000000\n[69133.562007] R10: ffffc90000007388 R11: ffffffff810cface R12: ffff888103a1b400\n[69133.562013] R13: 0000000000000000 R14: ffffffff82f33e2a R15: ffffffff82f33e28\n[69133.562020] FS: 00007f40f7131740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[69133.562027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[69133.562033] CR2: 00007f40f7346ee0 CR3: 000000015d200001 CR4: 00000000001706f0\n[69133.562040] Call Trace:\n[69133.562044] \n[69133.562049] ? __warn+0x9f/0x1a0\n[ 1211.841384] ? __skb_flow_dissect+0x107e/0x2860\n[...]\n[ 1211.841496] ? bpf_flow_dissect+0x160/0x160\n[ 1211.841753] __skb_get_hash+0x97/0x280\n[ 1211.841765] ? __skb_get_hash_symmetric+0x230/0x230\n[ 1211.841776] ? mod_find+0xbf/0xe0\n[ 1211.841786] ? get_stack_info_noinstr+0x12/0xe0\n[ 1211.841798] ? bpf_ksym_find+0x56/0xe0\n[ 1211.841807] ? __rcu_read_unlock+0x2a/0x70\n[ 1211.841819] nft_trace_init+0x1b9/0x1c0 [nf_tables]\n[ 1211.841895] ? nft_trace_notify+0x830/0x830 [nf_tables]\n[ 1211.841964] ? get_stack_info+0x2b/0x80\n[ 1211.841975] ? nft_do_chain_arp+0x80/0x80 [nf_tables]\n[ 1211.842044] nft_do_chain+0x79c/0x850 [nf_tables]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42321" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-42322", + "dataSource": "https://ubuntu.com/security/CVE-2024-42322", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-42322" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-42322", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-42322", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3dd428039e06e1967ce294e2cd6342825aaaad77", + "https://git.kernel.org/stable/c/c420cd5d5bc6797f3a8824e7d74f38f0c286fca5", + "https://git.kernel.org/stable/c/cbd070a4ae62f119058973f6d2c984e325bce6e7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: properly dereference pe in ip_vs_add_service\n\nUse pe directly to resolve sparse warning:\n\n net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-42322" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43817", + "dataSource": "https://ubuntu.com/security/CVE-2024-43817", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43817" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43817", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43817", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/27874ca77bd2b05a3779c7b3a5c75d8dd7f0b40f", + "https://git.kernel.org/stable/c/5b1997487a3f3373b0f580c8a20b56c1b64b0775", + "https://git.kernel.org/stable/c/90d41ebe0cd4635f6410471efc1dd71b33e894cf", + "https://git.kernel.org/stable/c/e269d79c7d35aa3808b1f3c1737d63dab504ddc8", + "https://git.kernel.org/stable/c/e9164903b8b303c34723177b02fe91e49e3c4cd7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: missing check virtio\n\nTwo missing check in virtio_net_hdr_to_skb() allowed syzbot\nto crash kernels again\n\n1. After the skb_segment function the buffer may become non-linear\n(nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere\nthe __skb_linearize function will not be executed, then the buffer will\nremain non-linear. Then the condition (offset >= skb_headlen(skb))\nbecomes true, which causes WARN_ON_ONCE in skb_checksum_help.\n\n2. The struct sk_buff and struct virtio_net_hdr members must be\nmathematically related.\n(gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.\n(remainder) must be greater than (needed) otherwise WARN_ON_ONCE.\n(remainder) may be 0 if division is without remainder.\n\noffset+2 (4191) > skb_headlen() (1116)\nWARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\nModules linked in:\nCPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\nCode: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef\nRSP: 0018:ffffc90003a9f338 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209\nRDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001\nRBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c\nR13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d\nFS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777\n ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584\n ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]\n __ip_finish_output net/ipv4/ip_output.c:308 [inline]\n __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433\n dst_output include/net/dst.h:451 [inline]\n ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]\n sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3545 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x257/0x380 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\n __sys_sendto+0x255/0x340 net/socket.c:2190\n __do_sys_sendto net/socket.c:2202 [inline]\n __se_sys_sendto net/socket.c:2198 [inline]\n __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43817" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43819", + "dataSource": "https://ubuntu.com/security/CVE-2024-43819", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43819" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43819", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43819", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/49c9945c054df4c22008e2bf87ca74d3e2507aa6", + "https://git.kernel.org/stable/c/7816e58967d0e6cadce05c8540b47ed027dc2499" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: s390: Reject memory region operations for ucontrol VMs\n\nThis change rejects the KVM_SET_USER_MEMORY_REGION and\nKVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM.\nThis is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and\nwould thus result in a null pointer dereference further in.\nMemory management needs to be performed in userspace and using the\nioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP.\n\nAlso improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION\nand KVM_SET_USER_MEMORY_REGION2.\n\n[frankja@linux.ibm.com: commit message spelling fix, subject prefix fix]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43819" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43823", + "dataSource": "https://ubuntu.com/security/CVE-2024-43823", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43823" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43823", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43823", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0a6f1b5fe8ef8268aaa069035639968ceeea0a23", + "https://git.kernel.org/stable/c/a231707a91f323af1e5d9f1722055ec2fc1c7775", + "https://git.kernel.org/stable/c/bbba48ad67c53feea05936ea1e029dcca8057506", + "https://git.kernel.org/stable/c/dbcdd1863ba2ec9b76ec131df25d797709e05597" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()\n\nIf IORESOURCE_MEM is not provided in Device Tree due to\nany error, resource_list_first_type() will return NULL and\npci_parse_request_of_pci_ranges() will just emit a warning.\n\nThis will cause a NULL pointer dereference. Fix this bug by adding NULL\nreturn check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43823" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43824", + "dataSource": "https://ubuntu.com/security/CVE-2024-43824", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43824" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43824", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43824", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/5a5095a8bd1bd349cce1c879e5e44407a34dda8a", + "https://git.kernel.org/stable/c/af4ad016abb1632ff7ee598a6037952b495e5b80" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init()\n\nInstead of getting the epc_features from pci_epc_get_features() API, use\nthe cached pci_epf_test::epc_features value to avoid the NULL check. Since\nthe NULL check is already performed in pci_epf_test_bind(), having one more\ncheck in pci_epf_test_core_init() is redundant and it is not possible to\nhit the NULL pointer dereference.\n\nAlso with commit a01e7214bef9 (\"PCI: endpoint: Remove \"core_init_notifier\"\nflag\"), 'epc_features' got dereferenced without the NULL check, leading to\nthe following false positive Smatch warning:\n\n drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747)\n\nThus, remove the redundant NULL check and also use the epc_features::\n{msix_capable/msi_capable} flags directly to avoid local variables.\n\n[kwilczynski: commit log]", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43824" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43828", + "dataSource": "https://ubuntu.com/security/CVE-2024-43828", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43828" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43828", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43828", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0619f7750f2b178a1309808832ab20d85e0ad121", + "https://git.kernel.org/stable/c/181e63cd595c688194e07332f9944b3a63193de2", + "https://git.kernel.org/stable/c/5ed0496e383cb6de120e56991385dce70bbb87c1", + "https://git.kernel.org/stable/c/81f819c537d29932e4b9267f02411cbc8b355178", + "https://git.kernel.org/stable/c/907c3fe532253a6ef4eb9c4d67efb71fab58c706", + "https://git.kernel.org/stable/c/c6e67df64783e99a657ef2b8c834ba2bf54c539c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix infinite loop when replaying fast_commit\n\nWhen doing fast_commit replay an infinite loop may occur due to an\nuninitialized extent_status struct. ext4_ext_determine_insert_hole() does\nnot detect the replay and calls ext4_es_find_extent_range(), which will\nreturn immediately without initializing the 'es' variable.\n\nBecause 'es' contains garbage, an integer overflow may happen causing an\ninfinite loop in this function, easily reproducible using fstest generic/039.\n\nThis commit fixes this issue by unconditionally initializing the structure\nin function ext4_es_find_extent_range().\n\nThanks to Zhang Yi, for figuring out the real problem!", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43828" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43829", + "dataSource": "https://ubuntu.com/security/CVE-2024-43829", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43829" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43829", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3efe34f95b1ac8c138a46b14ce75956db0d6ee7c", + "https://git.kernel.org/stable/c/4b1f303bdeceac049e56e4b20eb5280bd9e02f4f", + "https://git.kernel.org/stable/c/4e87f592a46bb804d8f833da6ce702ae4b55053f", + "https://git.kernel.org/stable/c/62ef8d7816c8e4a6088275553818b9afc0ffaa03", + "https://git.kernel.org/stable/c/7bd09a2db0f617377027a2bb0b9179e6959edff3", + "https://git.kernel.org/stable/c/d4c57354a06cb4a77998ff8aa40af89eee30e07b", + "https://git.kernel.org/stable/c/f28b353c0c6c7831a70ccca881bf2db5e6785cdd" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/qxl: Add check for drm_cvt_mode\n\nAdd check for the return value of drm_cvt_mode() and return the error if\nit fails in order to avoid NULL pointer dereference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43829" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43830", + "dataSource": "https://ubuntu.com/security/CVE-2024-43830", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43830" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43830", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43830", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0788a6f3523d3686a9eed5ea1e6fcce6841277b2", + "https://git.kernel.org/stable/c/09c1583f0e10c918855d6e7540a79461a353e5d6", + "https://git.kernel.org/stable/c/3fb6a9d67cfd812a547ac73ec02e1077c26c640d", + "https://git.kernel.org/stable/c/734ba6437e80dfc780e9ee9d95f912392d12b5ea", + "https://git.kernel.org/stable/c/c0dc9adf9474ecb7106e60e5472577375aedaed3", + "https://git.kernel.org/stable/c/c3b7a650c8717aa89df318364609c86cbc040156", + "https://git.kernel.org/stable/c/cb8aa9d2a4c8a15d6a43ccf901ef3d094aa60374", + "https://git.kernel.org/stable/c/d1415125b701ef13370e2761f691ec632a5eb93a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: trigger: Unregister sysfs attributes before calling deactivate()\n\nTriggers which have trigger specific sysfs attributes typically store\nrelated data in trigger-data allocated by the activate() callback and\nfreed by the deactivate() callback.\n\nCalling device_remove_groups() after calling deactivate() leaves a window\nwhere the sysfs attributes show/store functions could be called after\ndeactivation and then operate on the just freed trigger-data.\n\nMove the device_remove_groups() call to before deactivate() to close\nthis race window.\n\nThis also makes the deactivation path properly do things in reverse order\nof the activation path which calls the activate() callback before calling\ndevice_add_groups().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43830" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43831", + "dataSource": "https://ubuntu.com/security/CVE-2024-43831", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43831" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43831", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43831", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1c109f23b271a02b9bb195c173fab41e3285a8db", + "https://git.kernel.org/stable/c/59d438f8e02ca641c58d77e1feffa000ff809e9f", + "https://git.kernel.org/stable/c/cdf05ae76198c513836bde4eb55f099c44773280" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Handle invalid decoder vsi\n\nHandle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi\nis valid for future use.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43831" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43832", + "dataSource": "https://ubuntu.com/security/CVE-2024-43832", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43832" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43832", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43832", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1a1eb2f3fc453dcd52726d13e863938561489cb7", + "https://git.kernel.org/stable/c/3f29f6537f54d74e64bac0a390fb2e26da25800d", + "https://git.kernel.org/stable/c/8736604ef53359a718c246087cd21dcec232d2fb", + "https://git.kernel.org/stable/c/b21aba72aadd94bdac275deab021fc84d6c72b16" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/uv: Don't call folio_wait_writeback() without a folio reference\n\nfolio_wait_writeback() requires that no spinlocks are held and that\na folio reference is held, as documented. After we dropped the PTL, the\nfolio could get freed concurrently. So grab a temporary reference.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43832" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43834", + "dataSource": "https://ubuntu.com/security/CVE-2024-43834", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43834" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43834", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43834", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/12144069209eec7f2090ce9afa15acdcc2c2a537", + "https://git.kernel.org/stable/c/3fc1be360b99baeea15cdee3cf94252cd3a72d26", + "https://git.kernel.org/stable/c/59a931c5b732ca5fc2ca727f5a72aeabaafa85ec", + "https://git.kernel.org/stable/c/6c390ef198aa69795427a5cb5fd7cb4bc7e6cd7a", + "https://git.kernel.org/stable/c/be9d08ff102df3ac4f66e826ea935cf3af63a4bd", + "https://git.kernel.org/stable/c/bf0ce5aa5f2525ed1b921ba36de96e458e77f482" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: fix invalid wait context of page_pool_destroy()\n\nIf the driver uses a page pool, it creates a page pool with\npage_pool_create().\nThe reference count of page pool is 1 as default.\nA page pool will be destroyed only when a reference count reaches 0.\npage_pool_destroy() is used to destroy page pool, it decreases a\nreference count.\nWhen a page pool is destroyed, ->disconnect() is called, which is\nmem_allocator_disconnect().\nThis function internally acquires mutex_lock().\n\nIf the driver uses XDP, it registers a memory model with\nxdp_rxq_info_reg_mem_model().\nThe xdp_rxq_info_reg_mem_model() internally increases a page pool\nreference count if a memory model is a page pool.\nNow the reference count is 2.\n\nTo destroy a page pool, the driver should call both page_pool_destroy()\nand xdp_unreg_mem_model().\nThe xdp_unreg_mem_model() internally calls page_pool_destroy().\nOnly page_pool_destroy() decreases a reference count.\n\nIf a driver calls page_pool_destroy() then xdp_unreg_mem_model(), we\nwill face an invalid wait context warning.\nBecause xdp_unreg_mem_model() calls page_pool_destroy() with\nrcu_read_lock().\nThe page_pool_destroy() internally acquires mutex_lock().\n\nSplat looks like:\n=============================\n[ BUG: Invalid wait context ]\n6.10.0-rc6+ #4 Tainted: G W\n-----------------------------\nethtool/1806 is trying to lock:\nffffffff90387b90 (mem_id_lock){+.+.}-{4:4}, at: mem_allocator_disconnect+0x73/0x150\nother info that might help us debug this:\ncontext-{5:5}\n3 locks held by ethtool/1806:\nstack backtrace:\nCPU: 0 PID: 1806 Comm: ethtool Tainted: G W 6.10.0-rc6+ #4 f916f41f172891c800f2fed\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nCall Trace:\n\ndump_stack_lvl+0x7e/0xc0\n__lock_acquire+0x1681/0x4de0\n? _printk+0x64/0xe0\n? __pfx_mark_lock.part.0+0x10/0x10\n? __pfx___lock_acquire+0x10/0x10\nlock_acquire+0x1b3/0x580\n? mem_allocator_disconnect+0x73/0x150\n? __wake_up_klogd.part.0+0x16/0xc0\n? __pfx_lock_acquire+0x10/0x10\n? dump_stack_lvl+0x91/0xc0\n__mutex_lock+0x15c/0x1690\n? mem_allocator_disconnect+0x73/0x150\n? __pfx_prb_read_valid+0x10/0x10\n? mem_allocator_disconnect+0x73/0x150\n? __pfx_llist_add_batch+0x10/0x10\n? console_unlock+0x193/0x1b0\n? lockdep_hardirqs_on+0xbe/0x140\n? __pfx___mutex_lock+0x10/0x10\n? tick_nohz_tick_stopped+0x16/0x90\n? __irq_work_queue_local+0x1e5/0x330\n? irq_work_queue+0x39/0x50\n? __wake_up_klogd.part.0+0x79/0xc0\n? mem_allocator_disconnect+0x73/0x150\nmem_allocator_disconnect+0x73/0x150\n? __pfx_mem_allocator_disconnect+0x10/0x10\n? mark_held_locks+0xa5/0xf0\n? rcu_is_watching+0x11/0xb0\npage_pool_release+0x36e/0x6d0\npage_pool_destroy+0xd7/0x440\nxdp_unreg_mem_model+0x1a7/0x2a0\n? __pfx_xdp_unreg_mem_model+0x10/0x10\n? kfree+0x125/0x370\n? bnxt_free_ring.isra.0+0x2eb/0x500\n? bnxt_free_mem+0x5ac/0x2500\nxdp_rxq_info_unreg+0x4a/0xd0\nbnxt_free_mem+0x1356/0x2500\nbnxt_close_nic+0xf0/0x3b0\n? __pfx_bnxt_close_nic+0x10/0x10\n? ethnl_parse_bit+0x2c6/0x6d0\n? __pfx___nla_validate_parse+0x10/0x10\n? __pfx_ethnl_parse_bit+0x10/0x10\nbnxt_set_features+0x2a8/0x3e0\n__netdev_update_features+0x4dc/0x1370\n? ethnl_parse_bitset+0x4ff/0x750\n? __pfx_ethnl_parse_bitset+0x10/0x10\n? __pfx___netdev_update_features+0x10/0x10\n? mark_held_locks+0xa5/0xf0\n? _raw_spin_unlock_irqrestore+0x42/0x70\n? __pm_runtime_resume+0x7d/0x110\nethnl_set_features+0x32d/0xa20\n\nTo fix this problem, it uses rhashtable_lookup_fast() instead of\nrhashtable_lookup() with rcu_read_lock().\nUsing xa without rcu_read_lock() here is safe.\nxa is freed by __xdp_mem_allocator_rcu_free() and this is called by\ncall_rcu() of mem_xa_remove().\nThe mem_xa_remove() is called by page_pool_destroy() if a reference\ncount reaches 0.\nThe xa is already protected by the reference count mechanism well in the\ncontrol plane.\nSo removing rcu_read_lock() for page_pool_destroy() is safe.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43834" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43835", + "dataSource": "https://ubuntu.com/security/CVE-2024-43835", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43835" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43835", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43835", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/468a729b78895893d0e580ceea49bed8ada2a2bd", + "https://git.kernel.org/stable/c/f8321fa75102246d7415a6af441872f6637c93ab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix napi_skb_cache_put warning\n\nAfter the commit bdacf3e34945 (\"net: Use nested-BH locking for\nnapi_alloc_cache.\") was merged, the following warning began to appear:\n\n\t WARNING: CPU: 5 PID: 1 at net/core/skbuff.c:1451 napi_skb_cache_put+0x82/0x4b0\n\n\t __warn+0x12f/0x340\n\t napi_skb_cache_put+0x82/0x4b0\n\t napi_skb_cache_put+0x82/0x4b0\n\t report_bug+0x165/0x370\n\t handle_bug+0x3d/0x80\n\t exc_invalid_op+0x1a/0x50\n\t asm_exc_invalid_op+0x1a/0x20\n\t __free_old_xmit+0x1c8/0x510\n\t napi_skb_cache_put+0x82/0x4b0\n\t __free_old_xmit+0x1c8/0x510\n\t __free_old_xmit+0x1c8/0x510\n\t __pfx___free_old_xmit+0x10/0x10\n\nThe issue arises because virtio is assuming it's running in NAPI context\neven when it's not, such as in the netpoll case.\n\nTo resolve this, modify virtnet_poll_tx() to only set NAPI when budget\nis available. Same for virtnet_poll_cleantx(), which always assumed that\nit was in a NAPI context.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43835" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43839", + "dataSource": "https://ubuntu.com/security/CVE-2024-43839", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43839" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43839", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43839", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6ce46045f9b90d952602e2c0b8886cfadf860bf1", + "https://git.kernel.org/stable/c/6d20c4044ab4d0e6a99aa35853e66f0aed5589e3", + "https://git.kernel.org/stable/c/ab748dd10d8742561f2980fea08ffb4f0cacfdef", + "https://git.kernel.org/stable/c/b0ff0cd0847b03c0a0abe20cfa900eabcfcb9e43", + "https://git.kernel.org/stable/c/c90b1cd7758fd4839909e838ae195d19f8065d76", + "https://git.kernel.org/stable/c/c9741a03dc8e491e57b95fba0058ab46b7e506da", + "https://git.kernel.org/stable/c/e0f48f51d55fb187400e9787192eda09fa200ff5", + "https://git.kernel.org/stable/c/f121740f69eda4da2de9a20a6687a13593e72540" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbna: adjust 'name' buf size of bna_tcb and bna_ccb structures\n\nTo have enough space to write all possible sprintf() args. Currently\n'name' size is 16, but the first '%s' specifier may already need at\nleast 16 characters, since 'bnad->netdev->name' is used there.\n\nFor '%d' specifiers, assume that they require:\n * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8\n * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX\n is 16\n\nAnd replace sprintf with snprintf.\n\nDetected using the static analysis tool - Svace.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43839" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43841", + "dataSource": "https://ubuntu.com/security/CVE-2024-43841", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43841" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43841", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43841", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/05c4488a0e446c6ccde9f22b573950665e1cd414", + "https://git.kernel.org/stable/c/36e92b5edc8e0daa18e9325674313802ce3fbc29", + "https://git.kernel.org/stable/c/416d3c1538df005195721a200b0371d39636e05d", + "https://git.kernel.org/stable/c/93e898a264b4e0a475552ba9f99a016eb43ef942", + "https://git.kernel.org/stable/c/994fc2164a03200c3bf42fb45b3d49d9d6d33a4d", + "https://git.kernel.org/stable/c/b5d14b0c6716fad7f0c94ac6e1d6f60a49f985c7", + "https://git.kernel.org/stable/c/d3cc85a10abc8eae48988336cdd3689ab92581b3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: virt_wifi: avoid reporting connection success with wrong SSID\n\nWhen user issues a connection with a different SSID than the one\nvirt_wifi has advertised, the __cfg80211_connect_result() will\ntrigger the warning: WARN_ON(bss_not_found).\n\nThe issue is because the connection code in virt_wifi does not\ncheck the SSID from user space (it only checks the BSSID), and\nvirt_wifi will call cfg80211_connect_result() with WLAN_STATUS_SUCCESS\neven if the SSID is different from the one virt_wifi has advertised.\nEventually cfg80211 won't be able to find the cfg80211_bss and generate\nthe warning.\n\nFixed it by checking the SSID (from user space) in the connection code.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43841" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43842", + "dataSource": "https://ubuntu.com/security/CVE-2024-43842", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43842" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43842", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43842", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/7a0edc3d83aff3a48813d78c9cad9daf38decc74", + "https://git.kernel.org/stable/c/85099c7ce4f9e64c66aa397cd9a37473637ab891", + "https://git.kernel.org/stable/c/96ae4de5bc4c8ba39fd072369398f59495b73f58", + "https://git.kernel.org/stable/c/a2a095c08b95372d6d0c5819b77f071af5e75366" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()\n\nIn rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.\nBut then 'rate->he_gi' is used as array index instead of 'status->he_gi'.\nThis can lead to go beyond array boundaries in case of 'rate->he_gi' is\nnot equal to 'status->he_gi' and is bigger than array size. Looks like\n\"copy-paste\" mistake.\n\nFix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43842" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43844", + "dataSource": "https://ubuntu.com/security/CVE-2024-43844", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43844" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43844", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43844", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/dda364c345913fe03ddbe4d5ae14a2754c100296", + "https://git.kernel.org/stable/c/ef0d9d2f0dc1133db3d3a1c5167190c6627146b2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: wow: fix GTK offload H2C skbuff issue\n\nWe mistakenly put skb too large and that may exceed skb->end.\nTherefore, we fix it.\n\nskbuff: skb_over_panic: text:ffffffffc09e9a9d len:416 put:204 head:ffff8fba04eca780 data:ffff8fba04eca7e0 tail:0x200 end:0x140 dev:\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:192!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 4747 Comm: kworker/u4:44 Tainted: G O 6.6.30-02659-gc18865c4dfbd #1 86547039b47e46935493f615ee31d0b2d711d35e\nHardware name: HP Meep/Meep, BIOS Google_Meep.11297.262.0 03/18/2021\nWorkqueue: events_unbound async_run_entry_fn\nRIP: 0010:skb_panic+0x5d/0x60\nCode: c6 63 8b 8f bb 4c 0f 45 f6 48 c7 c7 4d 89 8b bb 48 89 ce 44 89 d1 41 56 53 41 53 ff b0 c8 00 00 00 e8 27 5f 23 00 48 83 c4 20 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44\nRSP: 0018:ffffaa700144bad0 EFLAGS: 00010282\nRAX: 0000000000000089 RBX: 0000000000000140 RCX: 14432c5aad26c900\nRDX: 0000000000000000 RSI: 00000000ffffdfff RDI: 0000000000000001\nRBP: ffffaa700144bae0 R08: 0000000000000000 R09: ffffaa700144b920\nR10: 00000000ffffdfff R11: ffffffffbc28fbc0 R12: ffff8fba4e57a010\nR13: 0000000000000000 R14: ffffffffbb8f8b63 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8fba7bd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007999c4ad1000 CR3: 000000015503a000 CR4: 0000000000350ee0\nCall Trace:\n \n ? __die_body+0x1f/0x70\n ? die+0x3d/0x60\n ? do_trap+0xa4/0x110\n ? skb_panic+0x5d/0x60\n ? do_error_trap+0x6d/0x90\n ? skb_panic+0x5d/0x60\n ? handle_invalid_op+0x30/0x40\n ? skb_panic+0x5d/0x60\n ? exc_invalid_op+0x3c/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? skb_panic+0x5d/0x60\n skb_put+0x49/0x50\n rtw89_fw_h2c_wow_gtk_ofld+0xbd/0x220 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n rtw89_wow_resume+0x31f/0x540 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n rtw89_ops_resume+0x2b/0xa0 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n ieee80211_reconfig+0x84/0x13e0 [mac80211 818a894e3b77da6298269c59ed7cdff065a4ed52]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n ? dev_printk_emit+0x51/0x70\n ? _dev_info+0x6e/0x90\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n wiphy_resume+0x89/0x180 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n dpm_run_callback+0x3c/0x140\n device_resume+0x1f9/0x3c0\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x29/0xd0\n process_scheduled_works+0x1d8/0x3d0\n worker_thread+0x1fc/0x2f0\n kthread+0xed/0x110\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x38/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \nModules linked in: ccm 8021q r8153_ecm cdc_ether usbnet r8152 mii dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc uinput rfcomm cmac algif_hash rtw89_8922ae(O) algif_skcipher rtw89_8922a(O) af_alg rtw89_pci(O) rtw89_core(O) btusb(O) snd_soc_sst_bxt_da7219_max98357a btbcm(O) snd_soc_hdac_hdmi btintel(O) snd_soc_intel_hda_dsp_common snd_sof_probes btrtl(O) btmtk(O) snd_hda_codec_hdmi snd_soc_dmic uvcvideo videobuf2_vmalloc uvc videobuf2_memops videobuf2_v4l2 videobuf2_common snd_sof_pci_intel_apl snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_intel_hda soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_pci snd_sof_xtensa_dsp mac80211 snd_soc_acpi_intel_match snd_soc_acpi snd_sof snd_sof_utils soundwire_bus snd_soc_max98357a snd_soc_avs snd_soc_hda_codec snd_hda_ext_core snd_intel_dspcfg snd_intel_sdw_acpi snd_soc_da7219 snd_hda_codec snd_hwdep snd_hda_core veth ip6table_nat xt_MASQUERADE xt_cgroup fuse bluetooth ecdh_generic\n cfg80211 ecc\ngsmi: Log Shutdown \n---truncated---", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43844" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43846", + "dataSource": "https://ubuntu.com/security/CVE-2024-43846", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43846" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43846", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43846", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1936fa05a180834c3b52e0439a6bddc07814d3eb", + "https://git.kernel.org/stable/c/22ae17a267f4812861f0c644186c3421ff97dbfc", + "https://git.kernel.org/stable/c/499f742fed42e74f1321f4b12ca196a66a2b49fc", + "https://git.kernel.org/stable/c/565213e005557eb6cc4e42189d26eb300e02f170", + "https://git.kernel.org/stable/c/5adc61d29bbb461d7f7c2b48dceaa90ecd182eb7", + "https://git.kernel.org/stable/c/8161263362154cbebfbf4808097b956a6a8cb98a", + "https://git.kernel.org/stable/c/b4a3a89fffcdf09702b1f161b914e52abca1894d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib: objagg: Fix general protection fault\n\nThe library supports aggregation of objects into other objects only if\nthe parent object does not have a parent itself. That is, nesting is not\nsupported.\n\nAggregation happens in two cases: Without and with hints, where hints\nare a pre-computed recommendation on how to aggregate the provided\nobjects.\n\nNesting is not possible in the first case due to a check that prevents\nit, but in the second case there is no check because the assumption is\nthat nesting cannot happen when creating objects based on hints. The\nviolation of this assumption leads to various warnings and eventually to\na general protection fault [1].\n\nBefore fixing the root cause, error out when nesting happens and warn.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdead000000000d90: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 1083 Comm: kworker/1:9 Tainted: G W 6.9.0-rc6-custom-gd9b4f1cca7fb #7\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_erp_bf_insert+0x25/0x80\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_entry_add+0x256/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43846" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43849", + "dataSource": "https://ubuntu.com/security/CVE-2024-43849", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43849" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43849", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43849", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/107924c14e3ddd85119ca43c26a4ee1056fa9b84", + "https://git.kernel.org/stable/c/3e815626d73e05152a8142f6e44aecc4133e6e08", + "https://git.kernel.org/stable/c/475a77fb3f0e1d527f56c60b79f5879661df5b80", + "https://git.kernel.org/stable/c/8543269567e2fb3d976a8255c5e348aed14f98bc", + "https://git.kernel.org/stable/c/d0870c4847e77a49c2f91bb2a8e0fa3c1f8dea5c", + "https://git.kernel.org/stable/c/eab05737ee22216250fe20d27f5a596da5ea6eb7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pdr: protect locator_addr with the main mutex\n\nIf the service locator server is restarted fast enough, the PDR can\nrewrite locator_addr fields concurrently. Protect them by placing\nmodification of those fields under the main pdr->lock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43849" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43853", + "dataSource": "https://ubuntu.com/security/CVE-2024-43853", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43853" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43853", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43853", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1be59c97c83ccd67a519d8a49486b3a8a73ca28a", + "https://git.kernel.org/stable/c/29a8d4e02fd4840028c38ceb1536cc8f82a257d4", + "https://git.kernel.org/stable/c/29ac1d238b3bf126af36037df80d7ecc4822341e", + "https://git.kernel.org/stable/c/96226fbed566f3f686f53a489a29846f2d538080" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/cpuset: Prevent UAF in proc_cpuset_show()\n\nAn UAF can happen when /proc/cpuset is read as reported in [1].\n\nThis can be reproduced by the following methods:\n1.add an mdelay(1000) before acquiring the cgroup_lock In the\n cgroup_path_ns function.\n2.$cat /proc//cpuset repeatly.\n3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/\n$umount /sys/fs/cgroup/cpuset/ repeatly.\n\nThe race that cause this bug can be shown as below:\n\n(umount)\t\t|\t(cat /proc//cpuset)\ncss_release\t\t|\tproc_cpuset_show\ncss_release_work_fn\t|\tcss = task_get_css(tsk, cpuset_cgrp_id);\ncss_free_rwork_fn\t|\tcgroup_path_ns(css->cgroup, ...);\ncgroup_destroy_root\t|\tmutex_lock(&cgroup_mutex);\nrebind_subsystems\t|\ncgroup_free_root \t|\n\t\t\t|\t// cgrp was freed, UAF\n\t\t\t|\tcgroup_path_ns_locked(cgrp,..);\n\nWhen the cpuset is initialized, the root node top_cpuset.css.cgrp\nwill point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will\nallocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated\n&cgroup_root.cgrp. When the umount operation is executed,\ntop_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.\n\nThe problem is that when rebinding to cgrp_dfl_root, there are cases\nwhere the cgroup_root allocated by setting up the root for cgroup v1\nis cached. This could lead to a Use-After-Free (UAF) if it is\nsubsequently freed. The descendant cgroups of cgroup v1 can only be\nfreed after the css is released. However, the css of the root will never\nbe released, yet the cgroup_root should be freed when it is unmounted.\nThis means that obtaining a reference to the css of the root does\nnot guarantee that css.cgrp->root will not be freed.\n\nFix this problem by using rcu_read_lock in proc_cpuset_show().\nAs cgroup_root is kfree_rcu after commit d23b5c577715\n(\"cgroup: Make operations on the cgroup root_list RCU safe\"),\ncss->cgroup won't be freed during the critical section.\nTo call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to\nreplace task_get_css with task_css.\n\n[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43853" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43854", + "dataSource": "https://ubuntu.com/security/CVE-2024-43854", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43854" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43854", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43854", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/23a19655fb56f241e592041156dfb1c6d04da644", + "https://git.kernel.org/stable/c/899ee2c3829c5ac14bfc7d3c4a5846c0b709b78f", + "https://git.kernel.org/stable/c/cf6b45ea7a8df0f61bded1dc4a8561ac6ad143d2", + "https://git.kernel.org/stable/c/d418313bd8f55c079a7da12651951b489a638ac1", + "https://git.kernel.org/stable/c/ebc0e91ba76dc6544fff9f5b66408b1982806a00" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: initialize integrity buffer to zero before writing it to media\n\nMetadata added by bio_integrity_prep is using plain kmalloc, which leads\nto random kernel memory being written media. For PI metadata this is\nlimited to the app tag that isn't used by kernel generated metadata,\nbut for non-PI metadata the entire buffer leaks kernel memory.\n\nFix this by adding the __GFP_ZERO flag to allocations for writes.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43854" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43856", + "dataSource": "https://ubuntu.com/security/CVE-2024-43856", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43856" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43856", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43856", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1fe97f68fce1ba24bf823bfb0eb0956003473130", + "https://git.kernel.org/stable/c/22094f5f52e7bc16c5bf9613365049383650b02e", + "https://git.kernel.org/stable/c/257193083e8f43907e99ea633820fc2b3bcd24c7", + "https://git.kernel.org/stable/c/28e8b7406d3a1f5329a03aa25a43aa28e087cb20", + "https://git.kernel.org/stable/c/2f7bbdc744f2e7051d1cb47c8e082162df1923c9", + "https://git.kernel.org/stable/c/87b34c8c94e29fa01d744e5147697f592998d954", + "https://git.kernel.org/stable/c/f993a4baf6b622232e4c190d34c220179e5d61eb", + "https://git.kernel.org/stable/c/fe2d246080f035e0af5793cb79067ba125e4fb63" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: fix call order in dmam_free_coherent\n\ndmam_free_coherent() frees a DMA allocation, which makes the\nfreed vaddr available for reuse, then calls devres_destroy()\nto remove and free the data structure used to track the DMA\nallocation. Between the two calls, it is possible for a\nconcurrent task to make an allocation with the same vaddr\nand add it to the devres list.\n\nIf this happens, there will be two entries in the devres list\nwith the same vaddr and devres_destroy() can free the wrong\nentry, triggering the WARN_ON() in dmam_match.\n\nFix by destroying the devres entry before freeing the DMA\nallocation.\n\n kokonut //net/encryption\n http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43856" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43858", + "dataSource": "https://ubuntu.com/security/CVE-2024-43858", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43858" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43858", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43858", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/538a27c8048f081a5ddd286f886eb986fbbc7f80", + "https://git.kernel.org/stable/c/55b732c8b09b41148eaab2fa8e31b0af47671e00", + "https://git.kernel.org/stable/c/63f7fdf733add82f126ea00e2e48f6eba15ac4b9", + "https://git.kernel.org/stable/c/6aa6892a90a5a7fabffe5692ab9f06a7a46c6e42", + "https://git.kernel.org/stable/c/8d8f9a477de0d7962342eedf2a599215b7c63d28", + "https://git.kernel.org/stable/c/9b3a4345957f5372041bc4f59de322f62653e862", + "https://git.kernel.org/stable/c/f73f969b2eb39ad8056f6c7f3a295fa2f85e313a", + "https://git.kernel.org/stable/c/ff14eadc278663cac69d57d3ca7fb2f394e1f8a7" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix array-index-out-of-bounds in diFree", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43858" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43860", + "dataSource": "https://ubuntu.com/security/CVE-2024-43860", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43860" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43860", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43860", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2fa26ca8b786888673689ccc9da6094150939982", + "https://git.kernel.org/stable/c/4e13b7c23988c0a13fdca92e94296a3bc2ff9f21", + "https://git.kernel.org/stable/c/6884fd0283e0831be153fb8d82d9eda8a55acaaa", + "https://git.kernel.org/stable/c/6b50462b473fdccdc0dfad73001147e40ff19a66", + "https://git.kernel.org/stable/c/6c9ea3547fad252fe9ae5d3ed7e066e2085bf3a2", + "https://git.kernel.org/stable/c/84beb7738459cac0ff9f8a7c4654b8ff82a702c0", + "https://git.kernel.org/stable/c/9a17cf8b2ce483fa75258bc2cdcf628f24bcf5f8", + "https://git.kernel.org/stable/c/c877a5f5268d4ab8224b9c9fbce3d746e4e72bc9" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_rproc: Skip over memory region when node value is NULL\n\nIn imx_rproc_addr_init() \"nph = of_count_phandle_with_args()\" just counts\nnumber of phandles. But phandles may be empty. So of_parse_phandle() in\nthe parsing loop (0 < a < nph) may return NULL which is later dereferenced.\nAdjust this issue by adding NULL-return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[Fixed title to fit within the prescribed 70-75 charcters]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43860" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43861", + "dataSource": "https://ubuntu.com/security/CVE-2024-43861", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43861" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43861", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43861", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/37c093449704017870604994ba9b813cdb9475a4", + "https://git.kernel.org/stable/c/3c90a69533b5bba73401ef884d033ea49ee99662", + "https://git.kernel.org/stable/c/7ab107544b777c3bd7feb9fe447367d8edd5b202", + "https://git.kernel.org/stable/c/c4251a3deccad852b27e60625f31fba6cc14372f", + "https://git.kernel.org/stable/c/c6c5b91424fafc0f83852d961c10c7e43a001882", + "https://git.kernel.org/stable/c/da518cc9b64df391795d9952aed551e0f782e446", + "https://git.kernel.org/stable/c/e87f52225e04a7001bf55bbd7a330fa4252327b5", + "https://git.kernel.org/stable/c/f2c353227de14b0289298ffc3ba92058c4768384" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: qmi_wwan: fix memory leak for not ip packets\n\nFree the unused skb when not ip packets arrive.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43861" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43863", + "dataSource": "https://ubuntu.com/security/CVE-2024-43863", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43863" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43863", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43863", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3b933b16c996af8adb6bc1b5748a63dfb41a82bc", + "https://git.kernel.org/stable/c/9e20d028d8d1deb1e7fed18f22ffc01669cf3237", + "https://git.kernel.org/stable/c/a8943969f9ead2fd3044fc826140a21622ef830e", + "https://git.kernel.org/stable/c/c98ab18b9f315ff977c2c65d7c71298ef98be8e3", + "https://git.kernel.org/stable/c/e58337100721f3cc0c7424a18730e4f39844934f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a deadlock in dma buf fence polling\n\nIntroduce a version of the fence ops that on release doesn't remove\nthe fence from the pending list, and thus doesn't require a lock to\nfix poll->fence wait->fence unref deadlocks.\n\nvmwgfx overwrites the wait callback to iterate over the list of all\nfences and update their status, to do that it holds a lock to prevent\nthe list modifcations from other threads. The fence destroy callback\nboth deletes the fence and removes it from the list of pending\nfences, for which it holds a lock.\n\ndma buf polling cb unrefs a fence after it's been signaled: so the poll\ncalls the wait, which signals the fences, which are being destroyed.\nThe destruction tries to acquire the lock on the pending fences list\nwhich it can never get because it's held by the wait from which it\nwas called.\n\nOld bug, but not a lot of userspace apps were using dma-buf polling\ninterfaces. Fix those, in particular this fixes KDE stalls/deadlock.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43863" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43866", + "dataSource": "https://ubuntu.com/security/CVE-2024-43866", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43866" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43866", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43866", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b75da22ed1e6171e261bc9265370162553d5393", + "https://git.kernel.org/stable/c/6048dec754554a1303d632be6042d3feb3295285", + "https://git.kernel.org/stable/c/6b6c2ebd83f2bf97e8f221479372aaca97a4a9b2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always drain health in shutdown callback\n\nThere is no point in recovery during device shutdown. if health\nwork started need to wait for it to avoid races and NULL pointer\naccess.\n\nHence, drain health WQ on shutdown callback.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43866" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43867", + "dataSource": "https://ubuntu.com/security/CVE-2024-43867", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43867" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43867", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43867", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16998763c62bb465ebc409d0373b9cdcef1a61a6", + "https://git.kernel.org/stable/c/2a1b327d57a8ac080977633a18999f032d7e9e3f", + "https://git.kernel.org/stable/c/3bcb8bba72ce89667fa863054956267c450c47ef", + "https://git.kernel.org/stable/c/906372e753c5027a1dc88743843b6aa2ad1aaecf", + "https://git.kernel.org/stable/c/a9bf3efc33f1fbf88787a277f7349459283c9b95", + "https://git.kernel.org/stable/c/ebebba4d357b6c67f96776a48ddbaf0060fa4c10", + "https://git.kernel.org/stable/c/f23cd66933fe76b84d8e282e5606b4d99068c320" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: prime: fix refcount underflow\n\nCalling nouveau_bo_ref() on a nouveau_bo without initializing it (and\nhence the backing ttm_bo) leads to a refcount underflow.\n\nInstead of calling nouveau_bo_ref() in the unwind path of\ndrm_gem_object_init(), clean things up manually.\n\n(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43867" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43869", + "dataSource": "https://ubuntu.com/security/CVE-2024-43869", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43869" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43869", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43869", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/104e258a004037bc7dba9f6085c71dad6af57ad4", + "https://git.kernel.org/stable/c/3a5465418f5fd970e86a86c7f4075be262682840", + "https://git.kernel.org/stable/c/9ad46f1fef421d43cdab3a7d1744b2f43b54dae0", + "https://git.kernel.org/stable/c/ed2c202dac55423a52d7e2290f2888bf08b8ee99", + "https://git.kernel.org/stable/c/f34d8307a73a18de5320fcc6f40403146d061891" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn't even require a weak IRQ work\nimplementation to trigger:\n\nschedule()\n prepare_task_switch()\n=======> \n perf_event_overflow()\n event->pending_sigtrap = ...\n irq_work_queue(&event->pending_irq)\n<======= \n perf_event_task_sched_out()\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n task_work_add(&event->pending_task)\n finish_lock_switch()\n=======> \n perf_pending_irq()\n //do nothing, rely on pending task work\n<======= \n\nbegin_new_exec()\n perf_event_exit_task()\n perf_event_exit_event()\n // If is child event\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // event is leaked\n\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\n\nFix this with synchonizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever beeing\nfreed.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43869" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43870", + "dataSource": "https://ubuntu.com/security/CVE-2024-43870", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43870" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43870", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43870", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51", + "https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b", + "https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a", + "https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7", + "https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exit\n\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\nto the target task upon resume to userspace via task_work.\n\nHowever failures while adding an event's callback to the task_work\nengine are ignored. And since the last call for events exit happen\nafter task work is eventually closed, there is a small window during\nwhich pending sigtrap can be queued though ignored, leaking the event\nrefcount addition such as in the following scenario:\n\n TASK A\n -----\n\n do_exit()\n exit_task_work(tsk);\n\n \n perf_event_overflow()\n event->pending_sigtrap = pending_id;\n irq_work_queue(&event->pending_irq);\n \n =========> PREEMPTION: TASK A -> TASK B\n event_sched_out()\n event->pending_sigtrap = 0;\n atomic_long_inc_not_zero(&event->refcount)\n // FAILS: task work has exited\n task_work_add(&event->pending_task)\n [...]\n \n perf_pending_irq()\n // early return: event->oncpu = -1\n \n [...]\n =========> TASK B -> TASK A\n perf_event_exit_task(tsk)\n perf_event_exit_event()\n free_event()\n WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n // leak event due to unexpected refcount == 2\n\nAs a result the event is never released while the task exits.\n\nFix this with appropriate task_work_add()'s error handling.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43870" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43871", + "dataSource": "https://ubuntu.com/security/CVE-2024-43871", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43871" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43871", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43871", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3047f99caec240a88ccd06197af2868da1af6a96", + "https://git.kernel.org/stable/c/3dcd0673e47664bc6c719ad47dadac6d55d5950d", + "https://git.kernel.org/stable/c/700e8abd65b10792b2f179ce4e858f2ca2880f85", + "https://git.kernel.org/stable/c/95065edb8ebb27771d5f1e898eef6ab43dc6c87c", + "https://git.kernel.org/stable/c/b044588a16a978cd891cb3d665dd7ae06850d5bf", + "https://git.kernel.org/stable/c/b67552d7c61f52f1271031adfa7834545ae99701", + "https://git.kernel.org/stable/c/bd50a974097bb82d52a458bd3ee39fb723129a0c", + "https://git.kernel.org/stable/c/ef56dcdca8f2a53abc3a83d388b8336447533d85" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevres: Fix memory leakage caused by driver API devm_free_percpu()\n\nIt will cause memory leakage when use driver API devm_free_percpu()\nto free memory allocated by devm_alloc_percpu(), fixed by using\ndevres_release() instead of devres_destroy() within devm_free_percpu().", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43871" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43872", + "dataSource": "https://ubuntu.com/security/CVE-2024-43872", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43872" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43872", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43872", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/06580b33c183c9f98e2a2ca96a86137179032c08", + "https://git.kernel.org/stable/c/2fdf34038369c0a27811e7b4680662a14ada1d6b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix soft lockup under heavy CEQE load\n\nCEQEs are handled in interrupt handler currently. This may cause the\nCPU core staying in interrupt context too long and lead to soft lockup\nunder heavy load.\n\nHandle CEQEs in BH workqueue and set an upper limit for the number of\nCEQE handled by a single call of work handler.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43872" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43873", + "dataSource": "https://ubuntu.com/security/CVE-2024-43873", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43873" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43873", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43873", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1e1fdcbdde3b7663e5d8faeb2245b9b151417d22", + "https://git.kernel.org/stable/c/3062cb100787a9ddf45de30004b962035cd497fb", + "https://git.kernel.org/stable/c/30bd4593669443ac58515e23557dc8cef70d8582", + "https://git.kernel.org/stable/c/ea558f10fb05a6503c6e655a1b7d81fdf8e5924c", + "https://git.kernel.org/stable/c/eab96e8716cbfc2834b54f71cc9501ad4eec963b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost/vsock: always initialize seqpacket_allow\n\nThere are two issues around seqpacket_allow:\n1. seqpacket_allow is not initialized when socket is\n created. Thus if features are never set, it will be\n read uninitialized.\n2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,\n then seqpacket_allow will not be cleared appropriately\n (existing apps I know about don't usually do this but\n it's legal and there's no way to be sure no one relies\n on this).\n\nTo fix:\n\t- initialize seqpacket_allow after allocation\n\t- set it unconditionally in set_features", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43873" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43875", + "dataSource": "https://ubuntu.com/security/CVE-2024-43875", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43875" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43875", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43875", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e27e2e8697b8ce96cdef43f135426525d9d1f8f", + "https://git.kernel.org/stable/c/24414c842a24d0fd498f9db6d2a762a8dddf1832", + "https://git.kernel.org/stable/c/7d368de78b60088ec9031c60c88976c0063ea4c0", + "https://git.kernel.org/stable/c/8e0f5a96c534f781e8c57ca30459448b3bfe5429", + "https://git.kernel.org/stable/c/b9e8695246bcfc028341470cbf92630cdc1ba36b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Clean up error handling in vpci_scan_bus()\n\nSmatch complains about inconsistent NULL checking in vpci_scan_bus():\n\n drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021)\n\nInstead of printing an error message and then crashing we should return\nan error code and clean up.\n\nAlso the NULL check is reversed so it prints an error for success\ninstead of failure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43875" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43879", + "dataSource": "https://ubuntu.com/security/CVE-2024-43879", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43879" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43879", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43879", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/16ad67e73309db0c20cc2a651992bd01c05e6b27", + "https://git.kernel.org/stable/c/19eaf4f2f5a981f55a265242ada2bf92b0c742dd", + "https://git.kernel.org/stable/c/2e201b3d162c6c49417c438ffb30b58c9f85769f", + "https://git.kernel.org/stable/c/45d20a1c54be4f3173862c7b950d4468447814c9", + "https://git.kernel.org/stable/c/576c64622649f3ec07e97bac8fec8b8a2ef4d086", + "https://git.kernel.org/stable/c/67b5f1054197e4f5553047759c15c1d67d4c8142", + "https://git.kernel.org/stable/c/b289ebb0516526cb4abae081b7ec29fd4fa1209d", + "https://git.kernel.org/stable/c/bcbd771cd5d68c0c52567556097d75f9fc4e7cd6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()\n\nCurrently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in\ncfg80211_calculate_bitrate_he(), leading to below warning:\n\nkernel: invalid HE MCS: bw:6, ru:6\nkernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211]\n\nFix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43879" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43880", + "dataSource": "https://ubuntu.com/security/CVE-2024-43880", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43880" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43880", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43880", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/0e59c2d22853266704e127915653598f7f104037", + "https://git.kernel.org/stable/c/25c6fd9648ad05da493a5d30881896a78a08b624", + "https://git.kernel.org/stable/c/36a9996e020dd5aa325e0ecc55eb2328288ea6bb", + "https://git.kernel.org/stable/c/4dc09f6f260db3c4565a4ec52ba369393598f2fb", + "https://git.kernel.org/stable/c/97d833ceb27dc19f8777d63f90be4a27b5daeedf", + "https://git.kernel.org/stable/c/9a5261a984bba4f583d966c550fa72c33ff3714e", + "https://git.kernel.org/stable/c/fb5d4fc578e655d113f09565f6f047e15f7ab578" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_erp: Fix object nesting warning\n\nACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM\n(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can\ncontain more ACLs (i.e., tc filters), but the number of masks in each\nregion (i.e., tc chain) is limited.\n\nIn order to mitigate the effects of the above limitation, the device\nallows filters to share a single mask if their masks only differ in up\nto 8 consecutive bits. For example, dst_ip/25 can be represented using\ndst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the\nnumber of masks being used (and therefore does not support mask\naggregation), but can contain a limited number of filters.\n\nThe driver uses the \"objagg\" library to perform the mask aggregation by\npassing it objects that consist of the filter's mask and whether the\nfilter is to be inserted into the A-TCAM or the C-TCAM since filters in\ndifferent TCAMs cannot share a mask.\n\nThe set of created objects is dependent on the insertion order of the\nfilters and is not necessarily optimal. Therefore, the driver will\nperiodically ask the library to compute a more optimal set (\"hints\") by\nlooking at all the existing objects.\n\nWhen the library asks the driver whether two objects can be aggregated\nthe driver only compares the provided masks and ignores the A-TCAM /\nC-TCAM indication. This is the right thing to do since the goal is to\nmove as many filters as possible to the A-TCAM. The driver also forbids\ntwo identical masks from being aggregated since this can only happen if\none was intentionally put in the C-TCAM to avoid a conflict in the\nA-TCAM.\n\nThe above can result in the following set of hints:\n\nH1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta\nH3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta\n\nAfter getting the hints from the library the driver will start migrating\nfilters from one region to another while consulting the computed hints\nand instructing the device to perform a lookup in both regions during\nthe transition.\n\nAssuming a filter with mask X is being migrated into the A-TCAM in the\nnew region, the hints lookup will return H1. Since H2 is the parent of\nH1, the library will try to find the object associated with it and\ncreate it if necessary in which case another hints lookup (recursive)\nwill be performed. This hints lookup for {mask Y, A-TCAM} will either\nreturn H2 or H3 since the driver passes the library an object comparison\nfunction that ignores the A-TCAM / C-TCAM indication.\n\nThis can eventually lead to nested objects which are not supported by\nthe library [1].\n\nFix by removing the object comparison function from both the driver and\nthe library as the driver was the only user. That way the lookup will\nonly return exact matches.\n\nI do not have a reliable reproducer that can reproduce the issue in a\ntimely manner, but before the fix the issue would reproduce in several\nminutes and with the fix it does not reproduce in over an hour.\n\nNote that the current usefulness of the hints is limited because they\ninclude the C-TCAM indication and represent aggregation that cannot\nactually happen. This will be addressed in net-next.\n\n[1]\nWARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0\nModules linked in:\nCPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42\nHardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:objagg_obj_parent_assign+0xb5/0xd0\n[...]\nCall Trace:\n \n __objagg_obj_get+0x2bb/0x580\n objagg_obj_get+0xe/0x80\n mlxsw_sp_acl_erp_mask_get+0xb5/0xf0\n mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43880" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43882", + "dataSource": "https://ubuntu.com/security/CVE-2024-43882", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43882" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43882", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43882", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/15469d46ba34559bfe7e3de6659115778c624759", + "https://git.kernel.org/stable/c/368f6985d46657b8b466a421dddcacd4051f7ada", + "https://git.kernel.org/stable/c/90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e", + "https://git.kernel.org/stable/c/9b424c5d4130d56312e2a3be17efb0928fec4d64", + "https://git.kernel.org/stable/c/d2a2a4714d80d09b0f8eb6438ab4224690b7121e", + "https://git.kernel.org/stable/c/d5c3c7e26275a2d83b894d30f7582a42853a958f", + "https://git.kernel.org/stable/c/f50733b45d865f91db90919f8311e2127ce5a0cb", + "https://git.kernel.org/stable/c/f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nexec: Fix ToCToU between perm check and set-uid/gid usage\n\nWhen opening a file for exec via do_filp_open(), permission checking is\ndone against the file's metadata at that moment, and on success, a file\npointer is passed back. Much later in the execve() code path, the file\nmetadata (specifically mode, uid, and gid) is used to determine if/how\nto set the uid and gid. However, those values may have changed since the\npermissions check, meaning the execution may gain unintended privileges.\n\nFor example, if a file could change permissions from executable and not\nset-id:\n\n---------x 1 root root 16048 Aug 7 13:16 target\n\nto set-id and non-executable:\n\n---S------ 1 root root 16048 Aug 7 13:16 target\n\nit is possible to gain root privileges when execution should have been\ndisallowed.\n\nWhile this race condition is rare in real-world scenarios, it has been\nobserved (and proven exploitable) when package managers are updating\nthe setuid bits of installed programs. Such files start with being\nworld-executable but then are adjusted to be group-exec with a set-uid\nbit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only\nby uid \"root\" and gid \"cdrom\", while also becoming setuid-root:\n\n-rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target\n\nbecomes:\n\n-rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target\n\nBut racing the chmod means users without group \"cdrom\" membership can\nget the permission to execute \"target\" just before the chmod, and when\nthe chmod finishes, the exec reaches brpm_fill_uid(), and performs the\nsetuid to root, violating the expressed authorization of \"only cdrom\ngroup members can setuid to root\".\n\nRe-check that we still have execute permissions in case the metadata\nhas changed. It would be better to keep a copy from the perm-check time,\nbut until we can do that refactoring, the least-bad option is to do a\nfull inode_permission() call (under inode lock). It is understood that\nthis is safe against dead-locks, but hardly optimal.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43882" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43883", + "dataSource": "https://ubuntu.com/security/CVE-2024-43883", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43883" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43883", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43883", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/128e82e41cf7d74a562726c1587d9d2ede1a0a37", + "https://git.kernel.org/stable/c/4dacdb9720aaab10b6be121eae55820174d97174", + "https://git.kernel.org/stable/c/585e6bc7d0a9bf73a8be3d3fb34e86b90cc61a14", + "https://git.kernel.org/stable/c/5a3c473b28ae1c1f7c4dc129e30cb19ae6e96f89", + "https://git.kernel.org/stable/c/9c3746ce8d8fcb3a2405644fc0eec7fc5312de80", + "https://git.kernel.org/stable/c/afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a", + "https://git.kernel.org/stable/c/c3d0857b7fc2c49f68f89128a5440176089a8f54", + "https://git.kernel.org/stable/c/e8c1e606dab8c56cf074b43b98d0805de7322ba2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: vhci-hcd: Do not drop references before new references are gained\n\nAt a few places the driver carries stale pointers\nto references that can still be used. Make sure that does not happen.\nThis strictly speaking closes ZDI-CAN-22273, though there may be\nsimilar races in the driver.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43883" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43884", + "dataSource": "https://ubuntu.com/security/CVE-2024-43884", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43884" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43884", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43884", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/538fd3921afac97158d4177139a0ad39f056dbb2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Add error handling to pair_device()\n\nhci_conn_params_add() never checks for a NULL value and could lead to a NULL\npointer dereference causing a crash.\n\nFixed by adding error handling in the function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43884" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43886", + "dataSource": "https://ubuntu.com/security/CVE-2024-43886", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43886" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43886", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43886", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/899d92fd26fe780aad711322aa671f68058207a6", + "https://git.kernel.org/stable/c/c36e922a36bdf69765c340a0857ca74092003bee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check in resource_log_pipe_topology_update\n\n[WHY]\nWhen switching from \"Extend\" to \"Second Display Only\" we sometimes\ncall resource_get_otg_master_for_stream on a stream for the eDP,\nwhich is disconnected. This leads to a null pointer dereference.\n\n[HOW]\nAdded a null check in dc_resource.c/resource_log_pipe_topology_update.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43886" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43889", + "dataSource": "https://ubuntu.com/security/CVE-2024-43889", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43889" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43889", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43889", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/6d45e1c948a8b7ed6ceddb14319af69424db730c", + "https://git.kernel.org/stable/c/8f5ffd2af7274853ff91d6cd62541191d9fbd10d", + "https://git.kernel.org/stable/c/924f788c906dccaca30acab86c7124371e1d6f2c", + "https://git.kernel.org/stable/c/a29cfcb848c31f22b4de6a531c3e1d68c9bfe09f", + "https://git.kernel.org/stable/c/ab8b397d5997d8c37610252528edc54bebf9f6d3", + "https://git.kernel.org/stable/c/da0ffe84fcc1627a7dff82c80b823b94236af905" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix possible divide-by-0 panic in padata_mt_helper()\n\nWe are hit with a not easily reproducible divide-by-0 panic in padata.c at\nbootup time.\n\n [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI\n [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1\n [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021\n [ 10.017908] Workqueue: events_unbound padata_mt_helper\n [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0\n :\n [ 10.017963] Call Trace:\n [ 10.017968] \n [ 10.018004] ? padata_mt_helper+0x39/0xb0\n [ 10.018084] process_one_work+0x174/0x330\n [ 10.018093] worker_thread+0x266/0x3a0\n [ 10.018111] kthread+0xcf/0x100\n [ 10.018124] ret_from_fork+0x31/0x50\n [ 10.018138] ret_from_fork_asm+0x1a/0x30\n [ 10.018147] \n\nLooking at the padata_mt_helper() function, the only way a divide-by-0\npanic can happen is when ps->chunk_size is 0. The way that chunk_size is\ninitialized in padata_do_multithreaded(), chunk_size can be 0 when the\nmin_chunk in the passed-in padata_mt_job structure is 0.\n\nFix this divide-by-0 panic by making sure that chunk_size will be at least\n1 no matter what the input parameters are.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43889" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43890", + "dataSource": "https://ubuntu.com/security/CVE-2024-43890", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43890" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43890", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43890", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/236bb4690773ab6869b40bedc7bc8d889e36f9d6", + "https://git.kernel.org/stable/c/302ceb625d7b990db205a15e371f9a71238de91c", + "https://git.kernel.org/stable/c/788ea62499b3c18541fd6d621964d8fafbc4aec5", + "https://git.kernel.org/stable/c/a172c7b22bc2feaf489cfc6d6865f7237134fdf8", + "https://git.kernel.org/stable/c/bcf86c01ca4676316557dd482c8416ece8c2e143", + "https://git.kernel.org/stable/c/cd10d186a5409a1fe6e976df82858e9773a698da", + "https://git.kernel.org/stable/c/d3e4dbc2858fe85d1dbd2e72a9fc5dea988b5c18", + "https://git.kernel.org/stable/c/eb223bf01e688dfe37e813c8988ee11c8c9f8d0a" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix overflow in get_free_elt()\n\n\"tracing_map->next_elt\" in get_free_elt() is at risk of overflowing.\n\nOnce it overflows, new elements can still be inserted into the tracing_map\neven though the maximum number of elements (`max_elts`) has been reached.\nContinuing to insert elements after the overflow could result in the\ntracing_map containing \"tracing_map->max_size\" elements, leaving no empty\nentries.\nIf any attempt is made to insert an element into a full tracing_map using\n`__tracing_map_insert()`, it will cause an infinite loop with preemption\ndisabled, leading to a CPU hang problem.\n\nFix this by preventing any further increments to \"tracing_map->next_elt\"\nonce it reaches \"tracing_map->max_elt\".", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43890" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43892", + "dataSource": "https://ubuntu.com/security/CVE-2024-43892", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43892" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43892", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43892", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/37a060b64ae83b76600d187d76591ce488ab836b", + "https://git.kernel.org/stable/c/51c0b1bb7541f8893ec1accba59eb04361a70946", + "https://git.kernel.org/stable/c/9972605a238339b85bd16b084eed5f18414d22db" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg: protect concurrent access to mem_cgroup_idr\n\nCommit 73f576c04b94 (\"mm: memcontrol: fix cgroup creation failure after\nmany small jobs\") decoupled the memcg IDs from the CSS ID space to fix the\ncgroup creation failures. It introduced IDR to maintain the memcg ID\nspace. The IDR depends on external synchronization mechanisms for\nmodifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace()\nhappen within css callback and thus are protected through cgroup_mutex\nfrom concurrent modifications. However idr_remove() for mem_cgroup_idr\nwas not protected against concurrency and can be run concurrently for\ndifferent memcgs when they hit their refcnt to zero. Fix that.\n\nWe have been seeing list_lru based kernel crashes at a low frequency in\nour fleet for a long time. These crashes were in different part of\nlist_lru code including list_lru_add(), list_lru_del() and reparenting\ncode. Upon further inspection, it looked like for a given object (dentry\nand inode), the super_block's list_lru didn't have list_lru_one for the\nmemcg of that object. The initial suspicions were either the object is\nnot allocated through kmem_cache_alloc_lru() or somehow\nmemcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but\nreturned success. No evidence were found for these cases.\n\nLooking more deeply, we started seeing situations where valid memcg's id\nis not present in mem_cgroup_idr and in some cases multiple valid memcgs\nhave same id and mem_cgroup_idr is pointing to one of them. So, the most\nreasonable explanation is that these situations can happen due to race\nbetween multiple idr_remove() calls or race between\nidr_alloc()/idr_replace() and idr_remove(). These races are causing\nmultiple memcgs to acquire the same ID and then offlining of one of them\nwould cleanup list_lrus on the system for all of them. Later access from\nother memcgs to the list_lru cause crashes due to missing list_lru_one.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43892" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43893", + "dataSource": "https://ubuntu.com/security/CVE-2024-43893", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43893" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43893", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43893", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3bbd90fca824e6fd61fb20f6dd2b0fa5f8b14bba", + "https://git.kernel.org/stable/c/52b138f1021113e593ee6ad258ce08fe90693a9e", + "https://git.kernel.org/stable/c/55b2a5d331a6ceb1c4372945fdb77181265ba24f", + "https://git.kernel.org/stable/c/68dc02f319b9ee54dc23caba742a5c754d1cccc8", + "https://git.kernel.org/stable/c/6eabce6608d6f3440f4c03aa3d3ef50a47a3d193", + "https://git.kernel.org/stable/c/9196e42a3b8eeff1707e6ef769112b4b6096be49", + "https://git.kernel.org/stable/c/e13ba3fe5ee070f8a9dab60029d52b1f61da5051", + "https://git.kernel.org/stable/c/e3ad503876283ac3fcca922a1bf243ef9eb0b0e2" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: check uartclk for zero to avoid divide by zero\n\nCalling ioctl TIOCSSERIAL with an invalid baud_base can\nresult in uartclk being zero, which will result in a\ndivide by zero error in uart_get_divisor(). The check for\nuartclk being zero in uart_set_info() needs to be done\nbefore other settings are made as subsequent calls to\nioctl TIOCSSERIAL for the same port would be impacted if\nthe uartclk check was done where uartclk gets set.\n\nOops: divide error: 0000 PREEMPT SMP KASAN PTI\nRIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580)\nCall Trace:\n \nserial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576\n drivers/tty/serial/8250/8250_port.c:2589)\nserial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502\n drivers/tty/serial/8250/8250_port.c:2741)\nserial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862)\nuart_change_line_settings (./include/linux/spinlock.h:376\n ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222)\nuart_port_startup (drivers/tty/serial/serial_core.c:342)\nuart_startup (drivers/tty/serial/serial_core.c:368)\nuart_set_info (drivers/tty/serial/serial_core.c:1034)\nuart_set_info_user (drivers/tty/serial/serial_core.c:1059)\ntty_set_serial (drivers/tty/tty_io.c:2637)\ntty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791)\n__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907\n fs/ioctl.c:893 fs/ioctl.c:893)\ndo_syscall_64 (arch/x86/entry/common.c:52\n (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nRule: add", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43893" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43894", + "dataSource": "https://ubuntu.com/security/CVE-2024-43894", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43894" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43894", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43894", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/113fd6372a5bb3689aba8ef5b8a265ed1529a78f", + "https://git.kernel.org/stable/c/24ddda932c43ffe156c7f3c568bed85131c63ae6", + "https://git.kernel.org/stable/c/5291d4f73452c91e8a11f71207617e3e234d418e", + "https://git.kernel.org/stable/c/612cae53e99ce32a58cb821b3b67199eb6e92dff", + "https://git.kernel.org/stable/c/c763dfe09425152b6bb0e348900a637c62c2ce52", + "https://git.kernel.org/stable/c/d64847c383100423aecb6ac5f18be5f4316d9d62", + "https://git.kernel.org/stable/c/d64fc94f7bb24fc2be0d6bd5df8df926da461a6d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: fix null pointer dereference in drm_client_modeset_probe\n\nIn drm_client_modeset_probe(), the return value of drm_mode_duplicate() is\nassigned to modeset->mode, which will lead to a possible NULL pointer\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43894" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43895", + "dataSource": "https://ubuntu.com/security/CVE-2024-43895", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43895" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43895", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43895", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/282f0a482ee61d5e863512f3c4fcec90216c20d9", + "https://git.kernel.org/stable/c/50e376f1fe3bf571d0645ddf48ad37eb58323919", + "https://git.kernel.org/stable/c/70275bb960c71d313254473d38c14e7101cee5ad", + "https://git.kernel.org/stable/c/718d83f66fb07b2cab89a1fc984613a00e3db18f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip Recompute DSC Params if no Stream on Link\n\n[why]\nEncounter NULL pointer dereference uner mst + dsc setup.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\n Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\n RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\n Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\n RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\n RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\n RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\n R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\n R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\n FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\n Call Trace:\n\n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n\n[how]\ndsc recompute should be skipped if no mode change detected on the new\nrequest. If detected, keep checking whether the stream is already on\ncurrent state or not.\n\n(cherry picked from commit 8151a6c13111b465dbabe07c19f572f7cbd16fef)", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43895" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43898", + "dataSource": "https://ubuntu.com/security/CVE-2024-43898", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43898" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43898", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43898", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e", + "https://git.kernel.org/stable/c/83f4414b8f84249d538905825b088ff3ae555652", + "https://git.kernel.org/stable/c/f619876ccbfd329ae785fe5d3289b9dcd6eb5901" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: sanity check for NULL pointer after ext4_force_shutdown\n\nTest case: 2 threads write short inline data to a file.\nIn ext4_page_mkwrite the resulting inline data is converted.\nHandling ext4_grp_locked_error with description \"block bitmap\nand bg descriptor inconsistent: X vs Y free clusters\" calls\next4_force_shutdown. The conversion clears\nEXT4_STATE_MAY_INLINE_DATA but fails for\next4_destroy_inline_data_nolock and ext4_mark_iloc_dirty due\nto ext4_forced_shutdown. The restoration of inline data fails\nfor the same reason not setting EXT4_STATE_MAY_INLINE_DATA.\nWithout the flag set a regular process path in ext4_da_write_end\nfollows trying to dereference page folio private pointer that has\nnot been set. The fix calls early return with -EIO error shall the\npointer to private be NULL.\n\nSample crash report:\n\nUnable to handle kernel paging request at virtual address dfff800000000004\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nMem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[dfff800000000004] address between user and kernel address ranges\nInternal error: Oops: 0000000096000005 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 20274 Comm: syz-executor185 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\nlr : __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160\nsp : ffff8000a1957600\nx29: ffff8000a1957610 x28: dfff800000000000 x27: ffff0000e30e34b0\nx26: 0000000000000000 x25: dfff800000000000 x24: dfff800000000000\nx23: fffffdffc397c9e0 x22: 0000000000000020 x21: 0000000000000020\nx20: 0000000000000040 x19: fffffdffc397c9c0 x18: 1fffe000367bd196\nx17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0\nx14: 1fffe0001cbe4e04 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000004 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : fffffdffc397c9c0 x4 : 0000000000000020 x3 : 0000000000000020\nx2 : 0000000000000040 x1 : 0000000000000020 x0 : fffffdffc397c9c0\nCall trace:\n __block_commit_write+0x64/0x2b0 fs/buffer.c:2167\n block_write_end+0xb4/0x104 fs/buffer.c:2253\n ext4_da_do_write_end fs/ext4/inode.c:2955 [inline]\n ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028\n generic_perform_write+0x394/0x588 mm/filemap.c:3985\n ext4_buffered_write_iter+0x2c0/0x4ec fs/ext4/file.c:299\n ext4_file_write_iter+0x188/0x1780\n call_write_iter include/linux/fs.h:2110 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x968/0xc3c fs/read_write.c:590\n ksys_write+0x15c/0x26c fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:652\n __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\nCode: 97f85911 f94002da 91008356 d343fec8 (38796908)\n---[ end trace 0000000000000000 ]---\n----------------\nCode disassembly (best guess):\n 0:\t97f85911 \tbl\t0xffffffffffe16444\n 4:\tf94002da \tldr\tx26, [x22]\n 8:\t91008356 \tadd\tx22, x26, #0x20\n c:\td343fec8 \tlsr\tx8, x22, #3\n* 10:\t38796908 \tldrb\tw8, [x8, x25] <-- trapping instruction", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43898" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43899", + "dataSource": "https://ubuntu.com/security/CVE-2024-43899", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43899" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43899", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43899", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/974fccd61758599a9716c4b909d9226749efe37e", + "https://git.kernel.org/stable/c/ecbf60782662f0a388493685b85a645a0ba1613c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix null pointer deref in dcn20_resource.c\n\nFixes a hang thats triggered when MPV is run on a DCN401 dGPU:\n\nmpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all\n\nand then enabling fullscreen playback (double click on the video)\n\nThe following calltrace will be seen:\n\n[ 181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 181.843997] #PF: supervisor instruction fetch in kernel mode\n[ 181.844003] #PF: error_code(0x0010) - not-present page\n[ 181.844009] PGD 0 P4D 0\n[ 181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ 181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu\n[ 181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018\n[ 181.844044] RIP: 0010:0x0\n[ 181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[ 181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246\n[ 181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004\n[ 181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400\n[ 181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c\n[ 181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8\n[ 181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005\n[ 181.844121] FS: 00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000\n[ 181.844128] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0\n[ 181.844141] Call Trace:\n[ 181.844146] \n[ 181.844153] ? show_regs+0x6d/0x80\n[ 181.844167] ? __die+0x24/0x80\n[ 181.844179] ? page_fault_oops+0x99/0x1b0\n[ 181.844192] ? do_user_addr_fault+0x31d/0x6b0\n[ 181.844204] ? exc_page_fault+0x83/0x1b0\n[ 181.844216] ? asm_exc_page_fault+0x27/0x30\n[ 181.844237] dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu]\n[ 181.845115] amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu]\n[ 181.845985] amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu]\n[ 181.846848] fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu]\n[ 181.847734] fill_dc_plane_attributes+0x162/0x350 [amdgpu]\n[ 181.848748] dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\n[ 181.849791] ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\n[ 181.850840] amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu]", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43899" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43900", + "dataSource": "https://ubuntu.com/security/CVE-2024-43900", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43900" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43900", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43900", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/208deb6d8c3cb8c3acb1f41eb31cf68ea08726d5", + "https://git.kernel.org/stable/c/68594cec291ff9523b9feb3f43fd853dcddd1f60", + "https://git.kernel.org/stable/c/850304152d367f104d21c77cfbcc05806504218b", + "https://git.kernel.org/stable/c/ef517bdfc01818419f7bd426969a0c86b14f3e0e" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: xc2028: avoid use-after-free in load_firmware_cb()\n\nsyzkaller reported use-after-free in load_firmware_cb() [1].\nThe reason is because the module allocated a struct tuner in tuner_probe(),\nand then the module initialization failed, the struct tuner was released.\nA worker which created during module initialization accesses this struct\ntuner later, it caused use-after-free.\n\nThe process is as follows:\n\ntask-6504 worker_thread\ntuner_probe <= alloc dvb_frontend [2]\n...\nrequest_firmware_nowait <= create a worker\n...\ntuner_remove <= free dvb_frontend\n...\n request_firmware_work_func <= the firmware is ready\n load_firmware_cb <= but now the dvb_frontend has been freed\n\nTo fix the issue, check the dvd_frontend in load_firmware_cb(), if it is\nnull, report a warning and just return.\n\n[1]:\n ==================================================================\n BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0\n Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504\n\n Call trace:\n load_firmware_cb+0x1310/0x17a0\n request_firmware_work_func+0x128/0x220\n process_one_work+0x770/0x1824\n worker_thread+0x488/0xea0\n kthread+0x300/0x430\n ret_from_fork+0x10/0x20\n\n Allocated by task 6504:\n kzalloc\n tuner_probe+0xb0/0x1430\n i2c_device_probe+0x92c/0xaf0\n really_probe+0x678/0xcd0\n driver_probe_device+0x280/0x370\n __device_attach_driver+0x220/0x330\n bus_for_each_drv+0x134/0x1c0\n __device_attach+0x1f4/0x410\n device_initial_probe+0x20/0x30\n bus_probe_device+0x184/0x200\n device_add+0x924/0x12c0\n device_register+0x24/0x30\n i2c_new_device+0x4e0/0xc44\n v4l2_i2c_new_subdev_board+0xbc/0x290\n v4l2_i2c_new_subdev+0xc8/0x104\n em28xx_v4l2_init+0x1dd0/0x3770\n\n Freed by task 6504:\n kfree+0x238/0x4e4\n tuner_remove+0x144/0x1c0\n i2c_device_remove+0xc8/0x290\n __device_release_driver+0x314/0x5fc\n device_release_driver+0x30/0x44\n bus_remove_device+0x244/0x490\n device_del+0x350/0x900\n device_unregister+0x28/0xd0\n i2c_unregister_device+0x174/0x1d0\n v4l2_device_unregister+0x224/0x380\n em28xx_v4l2_init+0x1d90/0x3770\n\n The buggy address belongs to the object at ffff8000d7ca2000\n which belongs to the cache kmalloc-2k of size 2048\n The buggy address is located 776 bytes inside of\n 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)\n The buggy address belongs to the page:\n page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0\n flags: 0x7ff800000000100(slab)\n raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000\n raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\n[2]\n Actually, it is allocated for struct tuner, and dvb_frontend is inside.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43900" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43901", + "dataSource": "https://ubuntu.com/security/CVE-2024-43901", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43901" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43901", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43901", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351", + "https://git.kernel.org/stable/c/5af757124792817f8eb1bd0c80ad60fab519586b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\n\nWhen users run the command:\n\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\n\nThe following NULL pointer dereference happens:\n\n[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL\n[ +0.000005] #PF: supervisor instruction fetch in kernel mode\n[ +0.000002] #PF: error_code(0x0010) - not-present page\n[ +0.000002] PGD 0 P4D 0\n[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ +0.000003] RIP: 0010:0x0\n[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[...]\n[ +0.000002] PKRU: 55555554\n[ +0.000002] Call Trace:\n[ +0.000002] \n[ +0.000003] ? show_regs+0x65/0x70\n[ +0.000006] ? __die+0x24/0x70\n[ +0.000004] ? page_fault_oops+0x160/0x470\n[ +0.000006] ? do_user_addr_fault+0x2b5/0x690\n[ +0.000003] ? prb_read_valid+0x1c/0x30\n[ +0.000005] ? exc_page_fault+0x8c/0x1a0\n[ +0.000005] ? asm_exc_page_fault+0x27/0x30\n[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]\n[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? vsnprintf+0x2fb/0x600\n[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\n[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170\n[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? debug_smp_processor_id+0x17/0x20\n[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? set_ptes.isra.0+0x2b/0x90\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? _raw_spin_unlock+0x19/0x40\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? do_anonymous_page+0x337/0x700\n[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]\n[ +0.000207] full_proxy_read+0x66/0x90\n[ +0.000007] vfs_read+0xb0/0x340\n[ +0.000005] ? __count_memcg_events+0x79/0xe0\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40\n[ +0.000003] ? handle_mm_fault+0xb2/0x370\n[ +0.000003] ksys_read+0x6b/0xf0\n[ +0.000004] __x64_sys_read+0x19/0x20\n[ +0.000003] do_syscall_64+0x60/0x130\n[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ +0.000003] RIP: 0033:0x7fdf32f147e2\n[...]\n\nThis error happens when the color log tries to read the gamut remap\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\nwhich leads to a null pointer dereference. This commit addresses this\nissue by adding a proper guard to access the gamut_remap callback in\ncase the specific ASIC did not implement this function.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43901" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43902", + "dataSource": "https://ubuntu.com/security/CVE-2024-43902", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43902" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43902", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43902", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/1686675405d07f35eae7ff3d13a530034b899df2", + "https://git.kernel.org/stable/c/4cc2a94d96caeb3c975acdae7351c2f997c32175", + "https://git.kernel.org/stable/c/8092aa3ab8f7b737a34b71f91492c676a843043a", + "https://git.kernel.org/stable/c/83c7f509ef087041604e9572938f82e18b724c9d", + "https://git.kernel.org/stable/c/d0b8b23b9c2ebec693a36fea518d8f13493ad655" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null checker before passing variables\n\nChecks null pointer before passing variables to functions.\n\nThis fixes 3 NULL_RETURNS issues reported by Coverity.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43902" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43903", + "dataSource": "https://ubuntu.com/security/CVE-2024-43903", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43903" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43903", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43903", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/31a679a880102dee6e10985a7b1789af8dc328cc", + "https://git.kernel.org/stable/c/38e6f715b02b572f74677eb2f29d3b4bc6f1ddff", + "https://git.kernel.org/stable/c/94220b35aeba2b68da81deeefbb784d94eeb5c04", + "https://git.kernel.org/stable/c/ce5d090af683137cb779ed7e3683839f9c778b35" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update\n\nThis commit adds a null check for the 'afb' variable in the\namdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was\nassumed to be null, but was used later in the code without a null check.\nThis could potentially lead to a null pointer dereference.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43903" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43904", + "dataSource": "https://ubuntu.com/security/CVE-2024-43904", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43904" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43904", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43904", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/15c2990e0f0108b9c3752d7072a97d45d4283aea", + "https://git.kernel.org/stable/c/16a8a2a839d19c4cf7253642b493ffb8eee1d857" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing\n\nThis commit adds null checks for the 'stream' and 'plane' variables in\nthe dcn30_apply_idle_power_optimizations function. These variables were\npreviously assumed to be null at line 922, but they were used later in\nthe code without checking if they were null. This could potentially lead\nto a null pointer dereference, which would cause a crash.\n\nThe null checks ensure that 'stream' and 'plane' are not null before\nthey are used, preventing potential crashes.\n\nFixes the below static smatch checker:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922)\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43904" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43905", + "dataSource": "https://ubuntu.com/security/CVE-2024-43905", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43905" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43905", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43905", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/2e538944996d0dd497faf8ee81f8bfcd3aca7d80", + "https://git.kernel.org/stable/c/50151b7f1c79a09117837eb95b76c2de76841dab", + "https://git.kernel.org/stable/c/69a441473fec2fc2aa2cf56122d6c42c4266a239", + "https://git.kernel.org/stable/c/c2629daf218a325f4d69754452cd42fe8451c15b" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Fix the null pointer dereference for vega10_hwmgr\n\nCheck return value and conduct null pointer handling to avoid null pointer dereference.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43905" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43906", + "dataSource": "https://ubuntu.com/security/CVE-2024-43906", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43906" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43906", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43906", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/030ffd4d43b433bc6671d9ec34fc12c59220b95d", + "https://git.kernel.org/stable/c/4fd52f7c2c11d330571c6bde06e5ea508ec25c9d", + "https://git.kernel.org/stable/c/641dac64178ccdb9e45c92b67120316896294d05" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/admgpu: fix dereferencing null pointer context\n\nWhen user space sets an invalid ta type, the pointer context will be empty.\nSo it need to check the pointer context before using it", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43906" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43907", + "dataSource": "https://ubuntu.com/security/CVE-2024-43907", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43907" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43907", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43907", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/0c065e50445aea2e0a1815f12e97ee49e02cbaac", + "https://git.kernel.org/stable/c/13937a40aae4efe64592ba48c057ac3c72f7fe82", + "https://git.kernel.org/stable/c/3a01bf2ca9f860fdc88c358567b8fa3033efcf30", + "https://git.kernel.org/stable/c/c1749313f35b98e2e655479f037db37f19756622", + "https://git.kernel.org/stable/c/d19fb10085a49b77578314f69fff21562f7cd054", + "https://git.kernel.org/stable/c/e04d18c29954441aa1054af649f957ffad90a201" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules\n\nCheck the pointer value to fix potential null pointer\ndereference", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43907" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43908", + "dataSource": "https://ubuntu.com/security/CVE-2024-43908", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43908" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43908", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43908", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/033187a70ba9743c73a810a006816e5553d1e7d4", + "https://git.kernel.org/stable/c/48cada0ac79e4775236d642e9ec5998a7c7fb7a4", + "https://git.kernel.org/stable/c/4c11d30c95576937c6c35e6f29884761f2dddb43", + "https://git.kernel.org/stable/c/56e848034ccabe44e8f22ffcf49db771c17b0d0a", + "https://git.kernel.org/stable/c/b89616333979114bb0da5fa40fb6e4a2f5294ca2", + "https://git.kernel.org/stable/c/d81c1eeb333d84b3012a91c0500189dc1d71e46c", + "https://git.kernel.org/stable/c/ff5c4eb71ee8951c789b079f6e948f86708b04ed" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix the null pointer dereference to ras_manager\n\nCheck ras_manager before using it", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43908" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43909", + "dataSource": "https://ubuntu.com/security/CVE-2024-43909", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43909" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43909", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43909", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/09544cd95c688d3041328a4253bd7514972399bb", + "https://git.kernel.org/stable/c/1b8aa82b80bd947b68a8ab051d960a0c7935e22d", + "https://git.kernel.org/stable/c/37b9df457cbcf095963d18f17d6cb7dfa0a03fce", + "https://git.kernel.org/stable/c/7f56f050f02c27ed89cce1ea0c04b34abce32751", + "https://git.kernel.org/stable/c/c02c1960c93eede587576625a1221205a68a904f" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix the null pointer dereference for smu7\n\noptimize the code to avoid pass a null pointer (hwmgr->backend)\nto function smu7_update_edc_leakage_table.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43909" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43910", + "dataSource": "https://ubuntu.com/security/CVE-2024-43910", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43910" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43910", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43910", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/13663a7c644bf1dedaf461d07252db5d76c8759a", + "https://git.kernel.org/stable/c/ec2b9a5e11e51fea1bb04c1e7e471952e887e874" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses\n\nCurrently, it's possible to pass in a modified CONST_PTR_TO_DYNPTR to\na global function as an argument. The adverse effects of this is that\nBPF helpers can continue to make use of this modified\nCONST_PTR_TO_DYNPTR from within the context of the global function,\nwhich can unintentionally result in out-of-bounds memory accesses and\ntherefore compromise overall system stability i.e.\n\n[ 244.157771] BUG: KASAN: slab-out-of-bounds in bpf_dynptr_data+0x137/0x140\n[ 244.161345] Read of size 8 at addr ffff88810914be68 by task test_progs/302\n[ 244.167151] CPU: 0 PID: 302 Comm: test_progs Tainted: G O E 6.10.0-rc3-00131-g66b586715063 #533\n[ 244.174318] Call Trace:\n[ 244.175787] \n[ 244.177356] dump_stack_lvl+0x66/0xa0\n[ 244.179531] print_report+0xce/0x670\n[ 244.182314] ? __virt_addr_valid+0x200/0x3e0\n[ 244.184908] kasan_report+0xd7/0x110\n[ 244.187408] ? bpf_dynptr_data+0x137/0x140\n[ 244.189714] ? bpf_dynptr_data+0x137/0x140\n[ 244.192020] bpf_dynptr_data+0x137/0x140\n[ 244.194264] bpf_prog_b02a02fdd2bdc5fa_global_call_bpf_dynptr_data+0x22/0x26\n[ 244.198044] bpf_prog_b0fe7b9d7dc3abde_callback_adjust_bpf_dynptr_reg_off+0x1f/0x23\n[ 244.202136] bpf_user_ringbuf_drain+0x2c7/0x570\n[ 244.204744] ? 0xffffffffc0009e58\n[ 244.206593] ? __pfx_bpf_user_ringbuf_drain+0x10/0x10\n[ 244.209795] bpf_prog_33ab33f6a804ba2d_user_ringbuf_callback_const_ptr_to_dynptr_reg_off+0x47/0x4b\n[ 244.215922] bpf_trampoline_6442502480+0x43/0xe3\n[ 244.218691] __x64_sys_prlimit64+0x9/0xf0\n[ 244.220912] do_syscall_64+0xc1/0x1d0\n[ 244.223043] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 244.226458] RIP: 0033:0x7ffa3eb8f059\n[ 244.228582] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48\n[ 244.241307] RSP: 002b:00007ffa3e9c6eb8 EFLAGS: 00000206 ORIG_RAX: 000000000000012e\n[ 244.246474] RAX: ffffffffffffffda RBX: 00007ffa3e9c7cdc RCX: 00007ffa3eb8f059\n[ 244.250478] RDX: 00007ffa3eb162b4 RSI: 0000000000000000 RDI: 00007ffa3e9c7fb0\n[ 244.255396] RBP: 00007ffa3e9c6ed0 R08: 00007ffa3e9c76c0 R09: 0000000000000000\n[ 244.260195] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffff80\n[ 244.264201] R13: 000000000000001c R14: 00007ffc5d6b4260 R15: 00007ffa3e1c7000\n[ 244.268303] \n\nAdd a check_func_arg_reg_off() to the path in which the BPF verifier\nverifies the arguments of global function arguments, specifically\nthose which take an argument of type ARG_PTR_TO_DYNPTR |\nMEM_RDONLY. Also, process_dynptr_func() doesn't appear to perform any\nexplicit and strict type matching on the supplied register type, so\nlet's also enforce that a register either type PTR_TO_STACK or\nCONST_PTR_TO_DYNPTR is by the caller.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43910" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43911", + "dataSource": "https://ubuntu.com/security/CVE-2024-43911", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43911" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43911", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43911", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/021d53a3d87eeb9dbba524ac515651242a2a7e3b", + "https://git.kernel.org/stable/c/a5594c1e03b0df3908b1e1202a1ba34422eed0f6" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\n\nIn MLD connection, link_data/link_conf are dynamically allocated. They\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\nht_supported/vht_supported/has_he/has_eht on sta deflink.\n\nCrash log (with rtw89 version under MLO development):\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 9890.526102] #PF: supervisor read access in kernel mode\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\n[ 9890.526109] PGD 0 P4D 0\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\nAll code\n========\n 0:\tf7 e8 \timul %eax\n 2:\td5 \t(bad)\n 3:\t93 \txchg %eax,%ebx\n 4:\t3e ea \tds (bad)\n 6:\t48 83 c4 28 \tadd $0x28,%rsp\n a:\t89 d8 \tmov %ebx,%eax\n c:\t5b \tpop %rbx\n d:\t41 5c \tpop %r12\n f:\t41 5d \tpop %r13\n 11:\t41 5e \tpop %r14\n 13:\t41 5f \tpop %r15\n 15:\t5d \tpop %rbp\n 16:\tc3 \tretq\n 17:\tcc \tint3\n 18:\tcc \tint3\n 19:\tcc \tint3\n 1a:\tcc \tint3\n 1b:\t49 8b 84 24 e0 f1 ff \tmov -0xe20(%r12),%rax\n 22:\tff\n 23:\t48 8b 80 90 1b 00 00 \tmov 0x1b90(%rax),%rax\n 2a:*\t83 38 03 \tcmpl $0x3,(%rax)\t\t<-- trapping instruction\n 2d:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe6a\n 33:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n 38:\teb cc \tjmp 0x6\n 3a:\t49 \trex.WB\n 3b:\t8b \t.byte 0x8b\n 3c:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 3f:\tf3 \trepz\n\nCode starting with the faulting instruction\n===========================================\n 0:\t83 38 03 \tcmpl $0x3,(%rax)\n 3:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe40\n 9:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n e:\teb cc \tjmp 0xffffffffffffffdc\n 10:\t49 \trex.WB\n 11:\t8b \t.byte 0x8b\n 12:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 15:\tf3 \trepz\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\n[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\n[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\n[ 9890.526321] Call Trace:\n[ 9890.526324] \n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43911" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43912", + "dataSource": "https://ubuntu.com/security/CVE-2024-43912", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43912" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43912", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43912", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/23daf1b4c91db9b26f8425cc7039cf96d22ccbfe", + "https://git.kernel.org/stable/c/3d42f2125f6c89e1e71c87b9f23412afddbba45e", + "https://git.kernel.org/stable/c/ac3bf6e47fd8da9bfe8027e1acfe0282a91584fc", + "https://git.kernel.org/stable/c/c6ea738e3feb407a3283197d9a25d0788f4f3cee" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: disallow setting special AP channel widths\n\nSetting the AP channel width is meant for use with the normal\n20/40/... MHz channel width progression, and switching around\nin S1G or narrow channels isn't supported. Disallow that.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43912" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43913", + "dataSource": "https://ubuntu.com/security/CVE-2024-43913", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43913" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43913", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43913", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/b9ecbfa45516182cd062fecd286db7907ba84210", + "https://git.kernel.org/stable/c/d59c4d0eb6adc24c2201f153ccb7fd0a335b0d3d" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: apple: fix device reference counting\n\nDrivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl.\nSplit the allocation side out to make the error handling boundary easier\nto navigate. The apple driver had been doing this wrong, leaking the\ncontroller device memory on a tagset failure.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43913" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-43914", + "dataSource": "https://ubuntu.com/security/CVE-2024-43914", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-43914" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-43914", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-43914", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/2c92f8c1c456d556f15cbf51667b385026b2e6a0", + "https://git.kernel.org/stable/c/305a5170dc5cf3d395bb4c4e9239bca6d0b54b49", + "https://git.kernel.org/stable/c/3b33740c1750a39e046339ff9240e954f0156707", + "https://git.kernel.org/stable/c/4811d6e5d9f4090c3e0ff9890eb24077108046ab", + "https://git.kernel.org/stable/c/6b33c468d543f6a83de2d61f09fec74b27e19fd2", + "https://git.kernel.org/stable/c/775a9ba16c9ffe98fe54ebf14e55d5660f2bf600", + "https://git.kernel.org/stable/c/bf0ff69a42a3d2d46876d0514ecf13dffc516666", + "https://git.kernel.org/stable/c/c384dd4f1fb3b14a2fd199360701cc163ea88705" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: avoid BUG_ON() while continue reshape after reassembling\n\nCurrently, mdadm support --revert-reshape to abort the reshape while\nreassembling, as the test 07revert-grow. However, following BUG_ON()\ncan be triggerred by the test:\n\nkernel BUG at drivers/md/raid5.c:6278!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nirq event stamp: 158985\nCPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94\nRIP: 0010:reshape_request+0x3f1/0xe60\nCall Trace:\n \n raid5_sync_request+0x43d/0x550\n md_do_sync+0xb7a/0x2110\n md_thread+0x294/0x2b0\n kthread+0x147/0x1c0\n ret_from_fork+0x59/0x70\n ret_from_fork_asm+0x1a/0x30\n \n\nRoot cause is that --revert-reshape update the raid_disks from 5 to 4,\nwhile reshape position is still set, and after reassembling the array,\nreshape position will be read from super block, then during reshape the\nchecking of 'writepos' that is caculated by old reshape position will\nfail.\n\nFix this panic the easy way first, by converting the BUG_ON() to\nWARN_ON(), and stop the reshape if checkings fail.\n\nNoted that mdadm must fix --revert-shape as well, and probably md/raid\nshould enhance metadata validation as well, however this means\nreassemble will fail and there must be user tools to fix the wrong\nmetadata.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-43914" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44931", + "dataSource": "https://ubuntu.com/security/CVE-2024-44931", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44931" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44931", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44931", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/1b955f786a4bcde8c0ccb2b7d519def2acb6f3cc", + "https://git.kernel.org/stable/c/d776c0486b03a5c4afca65b8ff44573592bf93bb", + "https://git.kernel.org/stable/c/d795848ecce24a75dfd46481aee066ae6fe39775" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: prevent potential speculation leaks in gpio_device_get_desc()\n\nUserspace may trigger a speculative read of an address outside the gpio\ndescriptor array.\nUsers can do that by calling gpio_ioctl() with an offset out of range.\nOffset is copied from user and then used as an array index to get\nthe gpio descriptor without sanitization in gpio_device_get_desc().\n\nThis change ensures that the offset is sanitized by using\narray_index_nospec() to mitigate any possibility of speculative\ninformation leaks.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44931" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44934", + "dataSource": "https://ubuntu.com/security/CVE-2024-44934", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44934" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44934", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44934", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f", + "https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f", + "https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078", + "https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658", + "https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mcast: wait for previous gc cycles when removing port\n\nsyzbot hit a use-after-free[1] which is caused because the bridge doesn't\nmake sure that all previous garbage has been collected when removing a\nport. What happens is:\n CPU 1 CPU 2\n start gc cycle remove port\n acquire gc lock first\n wait for lock\n call br_multicasg_gc() directly\n acquire lock now but free port\n the port can be freed\n while grp timers still\n running\n\nMake sure all previous gc cycles have finished by using flush_work before\nfreeing the port.\n\n[1]\n BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699\n\n CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n Call Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792\n expire_timers kernel/time/timer.c:1843 [inline]\n __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417\n __run_timer_base kernel/time/timer.c:2428 [inline]\n __run_timer_base kernel/time/timer.c:2421 [inline]\n run_timer_base+0x111/0x190 kernel/time/timer.c:2437", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44934" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44935", + "dataSource": "https://ubuntu.com/security/CVE-2024-44935", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44935" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44935", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44935", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://git.kernel.org/stable/c/05e4a0fa248240efd99a539853e844f0f0a9e6a5", + "https://git.kernel.org/stable/c/1407be30fc17eff918a98e0a990c0e988f11dc84", + "https://git.kernel.org/stable/c/52319d9d2f522ed939af31af70f8c3a0f0f67e6c", + "https://git.kernel.org/stable/c/54b303d8f9702b8ab618c5032fae886b16356928", + "https://git.kernel.org/stable/c/9ab0faa7f9ffe31296dbb9bbe6f76c72c14eea18", + "https://git.kernel.org/stable/c/c9b3fc4f157867e858734e31022ebee8a24f0de7", + "https://git.kernel.org/stable/c/e809a84c802377ef61525a298a1ec1728759b913" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix null-ptr-deref in reuseport_add_sock().\n\nsyzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in\nreuseport_add_sock(). [0]\n\nThe repro first creates a listener with SO_REUSEPORT. Then, it creates\nanother listener on the same port and concurrently closes the first\nlistener.\n\nThe second listen() calls reuseport_add_sock() with the first listener as\nsk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently,\nbut the close() does clear it by reuseport_detach_sock().\n\nThe problem is SCTP does not properly synchronise reuseport_alloc(),\nreuseport_add_sock(), and reuseport_detach_sock().\n\nThe caller of reuseport_alloc() and reuseport_{add,detach}_sock() must\nprovide synchronisation for sockets that are classified into the same\nreuseport group.\n\nOtherwise, such sockets form multiple identical reuseport groups, and\nall groups except one would be silently dead.\n\n 1. Two sockets call listen() concurrently\n 2. No socket in the same group found in sctp_ep_hashtable[]\n 3. Two sockets call reuseport_alloc() and form two reuseport groups\n 4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives\n incoming packets\n\nAlso, the reported null-ptr-deref could occur.\n\nTCP/UDP guarantees that would not happen by holding the hash bucket lock.\n\nLet's apply the locking strategy to __sctp_hash_endpoint() and\n__sctp_unhash_endpoint().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024\nRIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350\nCode: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14\nRSP: 0018:ffffc9000b947c98 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012\nRBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385\nR10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0\nR13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n __sctp_hash_endpoint net/sctp/input.c:762 [inline]\n sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790\n sctp_listen_start net/sctp/socket.c:8570 [inline]\n sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625\n __sys_listen_socket net/socket.c:1883 [inline]\n __sys_listen+0x1b7/0x230 net/socket.c:1894\n __do_sys_listen net/socket.c:1902 [inline]\n __se_sys_listen net/socket.c:1900 [inline]\n __x64_sys_listen+0x5a/0x70 net/socket.c:1900\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f24e46039b9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032\nRAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9\nRDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004\nRBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0\nR10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c\nR13:\n---truncated---", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.5, + "exploitabilityScore": 1.8, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44935" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44938", + "dataSource": "https://ubuntu.com/security/CVE-2024-44938", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44938" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44938", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44938", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/234e6ea0855cdb5673d54ecaf7dc5c78f3e84630", + "https://git.kernel.org/stable/c/7063b80268e2593e58bee8a8d709c2f3ff93e2f2", + "https://git.kernel.org/stable/c/f650148b43949ca9e37e820804bb6026fff404f3" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix shift-out-of-bounds in dbDiscardAG\n\nWhen searching for the next smaller log2 block, BLKSTOL2() returned 0,\ncausing shift exponent -1 to be negative.\n\nThis patch fixes the issue by exiting the loop directly when negative\nshift is found.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44938" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44939", + "dataSource": "https://ubuntu.com/security/CVE-2024-44939", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44939" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44939", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44939", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/6ea10dbb1e6c58384136e9adfd75f81951e423f6", + "https://git.kernel.org/stable/c/9c2ac38530d1a3ee558834dfa16c85a40fd0e702", + "https://git.kernel.org/stable/c/ce6dede912f064a855acf6f04a04cbb2c25b8c8c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix null ptr deref in dtInsertEntry\n\n[syzbot reported]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713\n...\n[Analyze]\nIn dtInsertEntry(), when the pointer h has the same value as p, after writing\nname in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the\npreviously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing\nthe name operation, this leads to entering an incorrect branch and accessing the\nuninitialized object ih when judging this condition for the second time.\n\n[Fix]\nAfter got the page, check freelist first, if freelist == 0 then exit dtInsert()\nand return -EINVAL.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44939" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44940", + "dataSource": "https://ubuntu.com/security/CVE-2024-44940", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44940" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44940", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44940", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/3db4395332e7050ef9ddeb3052e6b5019f2a2a59", + "https://git.kernel.org/stable/c/440ab7f97261bc28501636a13998e1b1946d2e79", + "https://git.kernel.org/stable/c/dd89a81d850fa9a65f67b4527c0e420d15bf836c" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: remove warn in gue_gro_receive on unsupported protocol\n\nDrop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is\nnot known or does not have a GRO handler.\n\nSuch a packet is easily constructed. Syzbot generates them and sets\noff this warning.\n\nRemove the warning as it is expected and not actionable.\n\nThe warning was previously reduced from WARN_ON to WARN_ON_ONCE in\ncommit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad\nproto callbacks\").", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44940" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44941", + "dataSource": "https://ubuntu.com/security/CVE-2024-44941", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44941" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44941", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44941", + "namespace": "nvd:cpe", + "severity": "Unknown", + "urls": [ + "https://git.kernel.org/stable/c/263df78166d3a9609b97d28c34029bd01874cbb8", + "https://git.kernel.org/stable/c/323ef20b5558b9d9fd10c1224327af6f11a8177d", + "https://git.kernel.org/stable/c/d7409b05a64f212735f0d33f5f1602051a886eab" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to cover read extent cache access with lock\n\nsyzbot reports a f2fs bug as below:\n\nBUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\nRead of size 4 at addr ffff8880739ab220 by task syz-executor200/5097\n\nCPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\n do_read_inode fs/f2fs/inode.c:509 [inline]\n f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560\n f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237\n generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413\n exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444\n exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584\n do_handle_to_path fs/fhandle.c:155 [inline]\n handle_to_path fs/fhandle.c:210 [inline]\n do_handle_open+0x495/0x650 fs/fhandle.c:226\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWe missed to cover sanity_check_extent_cache() w/ extent cache lock,\nso, below race case may happen, result in use after free issue.\n\n- f2fs_iget\n - do_read_inode\n - f2fs_init_read_extent_tree\n : add largest extent entry in to cache\n\t\t\t\t\t- shrink\n\t\t\t\t\t - f2fs_shrink_read_extent_tree\n\t\t\t\t\t - __shrink_extent_tree\n\t\t\t\t\t - __detach_extent_node\n\t\t\t\t\t : drop largest extent entry\n - sanity_check_extent_cache\n : access et->largest w/o lock\n\nlet's refactor sanity_check_extent_cache() to avoid extent cache access\nand call it before f2fs_init_read_extent_tree() to fix this issue.", + "cvss": [] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44941" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + }, + { + "vulnerability": { + "id": "CVE-2024-44942", + "dataSource": "https://ubuntu.com/security/CVE-2024-44942", + "namespace": "ubuntu:distro:ubuntu:22.04", + "severity": "Medium", + "urls": [ + "https://ubuntu.com/security/CVE-2024-44942" + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-44942", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-44942", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://git.kernel.org/stable/c/26c07775fb5dc74351d1c3a2bc3cdf609b03e49f", + "https://git.kernel.org/stable/c/ae00e6536a2dd54b64b39e9a39548870cf835745", + "https://git.kernel.org/stable/c/fc01008c92f40015aeeced94750855a7111b6929" + ], + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC\n\nsyzbot reports a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/inline.c:258!\nCPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0\nRIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258\nCall Trace:\n f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834\n f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline]\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315\n do_writepages+0x35b/0x870 mm/page-writeback.c:2612\n __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650\n writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941\n wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117\n wb_do_writeback fs/fs-writeback.c:2264 [inline]\n wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335\n worker_thread+0x86d/0xd70 kernel/workqueue.c:3416\n kthread+0x2f2/0x390 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nThe root cause is: inline_data inode can be fuzzed, so that there may\nbe valid blkaddr in its direct node, once f2fs triggers background GC\nto migrate the block, it will hit f2fs_bug_on() during dirty page\nwriteback.\n\nLet's add sanity check on F2FS_INLINE_DATA flag in inode during GC,\nso that, it can forbid migrating inline_data inode's data block for\nfixing.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 1.8, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "dpkg-matcher", + "searchedBy": { + "distro": { + "type": "ubuntu", + "version": "22.04" + }, + "namespace": "ubuntu:distro:ubuntu:22.04", + "package": { + "name": "linux", + "version": "5.15.0-113.123" + } + }, + "found": { + "versionConstraint": "none (deb)", + "vulnerabilityID": "CVE-2024-44942" + } + } + ], + "artifact": { + "id": "ae4822e3cd5a96ea", + "name": "linux-libc-dev", + "version": "5.15.0-113.123", + "type": "deb", + "locations": [ + { + "path": "/usr/share/doc/linux-libc-dev/copyright", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/info/linux-libc-dev:amd64.md5sums", + "layerID": "sha256:0bbf3e64c8b076609ce0a0b49a39e3392992b82dea57fba51f0aa1304e821869" + }, + { + "path": "/var/lib/dpkg/status", + "layerID": "sha256:8b4c7a90e5edb88774351f3fd5c661a3fa0f8fedcf68f696981d3a5fdae85d86" + } + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "cpe:2.3:a:linux-libc-dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc-dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc_dev:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux-libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux_libc:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux-libc-dev:5.15.0-113.123:*:*:*:*:*:*:*", + "cpe:2.3:a:linux:linux_libc_dev:5.15.0-113.123:*:*:*:*:*:*:*" + ], + "purl": "pkg:deb/ubuntu/linux-libc-dev@5.15.0-113.123?arch=amd64&upstream=linux&distro=ubuntu-22.04", + "upstreams": [ + { + "name": "linux" + } + ] + }, + "appliedIgnoreRules": [ + { + "package": { + "name": "linux-libc-dev", + "type": "deb", + "upstream-name": "linux" + }, + "match-type": "exact-indirect-match" + } + ] + } + ] + } + } + } +} \ No newline at end of file